1. Digital Forensics Terminology
2. What is digital evidence?
3. Client contact - Interviews
4. Things NOT to do when gathering digital evidence
5. Basic Questions at Crime Scenes
6. Best Practices when handling digital evidence
7. Following Digital Forensics Protocol
8. Logical vs. Physical Capture
9. Performing a Forensics Digital Exam
Allocated Space
Allocated space is composed of “clusters” (the allocation unit size), which may be full or partially filled with data that is tracked by the file system.
When data is written to a hard drive, it is written into clusters. Once a cluster is full, the data continues into another cluster until all of the data has been written to the hard drive.
Note that when the last block of data is written into a cluster, if the cluster is not filled (which is almost always the case), the remaining space in that cluster is left as it was and will NOT be available for other data to be written into.
The empty space at the end of the cluster becomes the “Slack Space.”
Files vary in length depending on their content. Rarely does a file size exactly match the size of a single cluster.
“The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called Slack Space.”
When a file is larger than one cluster, the data overflows into the next cluster (NOT necessarily the next one in sequence).
The file system chains these clusters together to form the file.
Slack Space
Metadata (meta-data)
•Data about data… (Properties)
•For forensic purposes, documentation inside of the document, which may include items such as:
•Time stamps: create date, modified date and time
•Author of the document
•User ID, computer name, printer information
•Other unique user information valuable to forensics
•Owner Security ID (SID) info
•EXIF information from a camera (GPS, type of camera)
Data Carving is a process of locating files and artifacts that have been deleted or that are embedded in other files.
If the artifact has a valid file header and footer, custom carvers can be built to perform the analysis on those specific artifacts.
Examples of custom carvers would be items associated with social media, Facebook, Gmail, Yahoo, web mail artifacts, and other artifacts that may be located in allocated, unallocated, and slack space.
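To make the cluster, slack and carving behaviour above concrete, here is an added Python simulation (not code from the original slides): a toy cluster-based volume, a slack extractor, and a header/footer JPEG carver run over the whole physical buffer. The 512-byte cluster size, the file names and the file contents are all constructed for the demo.

```python
import re

CLUSTER = 512  # constructed cluster size; real volumes typically use 4 KiB or more

def slack_bytes(size, cluster=CLUSTER):
    """Bytes from the end of a file to the end of its last cluster."""
    return -size % cluster

class Disk:
    """Toy volume: a chain table (like a FAT) over one flat byte buffer."""
    def __init__(self, n_clusters):
        self.buf = bytearray(n_clusters * CLUSTER)
        self.free = list(range(n_clusters))
        self.files = {}  # name -> (cluster chain, logical size)

    def write(self, name, data):
        chain = [self.free.pop(0) for _ in range(-(-len(data) // CLUSTER))]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.buf[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk  # slack untouched
        self.files[name] = (chain, len(data))

    def delete(self, name):
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)  # clusters freed, bytes stay on disk

    def slack(self, name):  # residue between end of file and end of its last cluster
        chain, size = self.files[name]
        used = size - (len(chain) - 1) * CLUSTER
        return bytes(self.buf[chain[-1] * CLUSTER + used:(chain[-1] + 1) * CLUSTER])

JPEG = re.compile(rb"\xff\xd8\xff.*?\xff\xd9", re.DOTALL)  # JPEG SOI ... EOI markers

def carve_jpegs(image):
    """Header/footer carver over a physical image: allocated, slack and unallocated."""
    return [m.group(0) for m in JPEG.finditer(image)]

def demo():
    disk = Disk(8)
    report = b"Quarterly report: " + b"R" * 600              # 618 B -> 2 clusters
    photo = b"\xff\xd8\xff\xe0" + b"P" * 700 + b"\xff\xd9"  # 706 B -> 2 clusters
    disk.write("report.txt", report)
    disk.write("photo.jpg", photo)
    disk.delete("report.txt")
    disk.delete("photo.jpg")
    disk.write("note.txt", b"N" * 300)  # reuses cluster 0; 212 B of report left in slack
    return {"logical": sorted(disk.files), "slack": disk.slack("note.txt"),
            "carved": carve_jpegs(bytes(disk.buf))}
```

A logical view of this volume lists only note.txt, while the physical buffer still yields the deleted photo intact and the tail of the deleted report inside note.txt's slack.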
•Logical acquisition
  •Does NOT contain deleted files
  •Does NOT contain “Unallocated” or “Slack” space items
  •View of items from a “file system” perspective
  •Only contains items in “Allocated Space”
•Physical acquisition
  •Contents of Allocated Space (file system)
  •Contents of previously deleted files and ambient data
  •Contents of Unallocated and Slack Space are present
  •Most comprehensive type of acquisition
•Volatile Memory acquisition
  •The acquisition of the “contents in memory” of a “running / live” computer
Types of acquisitions
What is Digital Evidence ?
Digital evidence is any information stored or transmitted in a digital form that could be a party to any litigation effort and that may be used by either the prosecution or the defense at trial.
•North Carolina Statutes
•Chapter 15A Criminal Procedure Act, Subchapter II Law-Enforcement and Investigative Procedures, Article 16 Electronic Surveillance (current through 2009 Legislative Session)
§ 15A-288. Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited.
(a) Except as otherwise specifically provided in this Article, a person is guilty of a Class H felony if the person:
(1) Manufactures, assembles, possesses, purchases, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
(2) Places in any newspaper, magazine, handbill, or other publication, any advertisement of:
a. Any electronic, mechanical, or other device knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
b. Any other electronic, mechanical, or other device where the advertisement promotes the use of the device for the purpose of the surreptitious interception of wire, oral, or electronic communications.
(b) It is not unlawful under this section for the following persons to manufacture, assemble, possess, purchase, or sell any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications:
(1) A communications common carrier or an officer, agent, or employee of, or a person under contract with, a communications common carrier, acting in the normal course of the communications common carrier's business, or
(2) An officer, agent, or employee of, or a person under contract with, the State, acting in the course of the activities of the State, and with the written authorization of the Attorney General.
(c) An officer, agent, or employee of, or a person whose normal and customary business is to design, manufacture, assemble, advertise and sell electronic, mechanical and other devices primarily useful for the purpose of the surreptitious interceptions of wire, oral, or electronic communications, exclusively for and restricted to State and federal investigative or law enforcement agencies and departments. (1995, c. 407, s. 1.)
Do NOT boot up (power up) the computer and start the OS.
•If you did start up the system, you changed important registry keys that could have tied the last start up to a specific person.
Check the time stamps of the registry hive “folders” in C:\Windows\System32\config (SAM, Security, Software, System).
These will reflect the last startup / last written time.
Besides these files, you changed time stamps in startup files, DLLs, and hundreds of other OS file system and application files.
Registry keys reveal (subset)
•Startup locations at boot up
•Last person (profile) who signed onto the device
•Automatically launched programs at startup
•System-launched DLLs at startup
•Processes that were used at startup
•LINK (.lnk) file data
If you did, you may have changed important metadata and time stamps that could have been of value to the case.
Depending upon the operating system, some files’ last access time will change just by looking at the file. Other “last written” times will change just by booting up the system.
If any of the time stamps were changed “after” the time the examiner took possession of the device, then it can be argued that the digital evidence has been tainted.
The reasonable argument could be that “the examiner” changed the items and they may “NOT” be in their “original” state…
If there was NOT an auto-wiping utility set to run on start-up, there could have been an auto-wiping utility set for shut-down.
(example of a registry key edit)
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\script.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
The utility could have deleted/or wiped valuable information from important files, unallocated space, internet system cache, Internet cache, page files, and numerous other locations.
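As an added defender-side check (not part of the original slides), here is a Python parser for a registry export in .reg format that flags logon/logoff/startup/shutdown script hooks and Run keys, the places where a wiping utility would be registered. The export text is constructed: it embeds the Logoff key quoted above plus a made-up Run entry.

```python
import re

# Constructed .reg export: the Logoff-script key from the slide plus a constructed Run key.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\script.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\demo\\AppData\\Local\\Temp\\updater.exe /silent"
'''

SCRIPT_HOOK = re.compile(r"\\System\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\", re.I)
RUN_KEY = re.compile(r"\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: value}}; only strings are decoded."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name.strip('"')] = value
    return keys


def find_autorun_hooks(keys):
    """Return every script or program the registry will launch at a session event."""
    hits = []
    for path, values in keys.items():
        m = SCRIPT_HOOK.search(path)
        if m and values.get("Script"):
            hits.append({"event": m.group(1), "command": values["Script"], "key": path})
        elif RUN_KEY.search(path):
            for name, cmd in values.items():
                hits.append({"event": "Run", "command": cmd, "key": path + "\\" + name})
    return hits
```

Run `find_autorun_hooks(parse_reg(REG_EXPORT))` against an export taken from the forensic image, never from a booted original, and review each returned command.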
The next slide reveals a popular wiping program that is set to run at “Start-up” automatically.
Name: IMG_0001.JPG   Ext: jpg   MD5: 402558E5FCB9E96B393464C7BB160C29
Created Date - 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
Accessed Date - 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
Modified Date - 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)

Metadata after viewing the same object with a graphic viewer:
Name: IMG_0001.JPG   Ext: jpg   MD5: 402558E5FCB9E96B393464C7BB160C29
Created Date - 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
Accessed Date - 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
Modified Date - 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)
The photo’s original Create/Accessed/Modified time is 11/28/2011 at 5:14:02 PM.
On 1/24/2013 at 04:09:45PM the image was copied from a USB Flash Drive to the computer HD. The copy function caused the Create Date and the Accessed Date to be changed. The “physical” photo was NOT altered.
On 1/26/2013 at 11:13:51AM, the image was viewed using a graphics application. The graphic application caused the Create Date and the Accessed Date to be changed. The “physical” photo was NOT altered.
On the stand… “if you booted up the original hard drive and reviewed the files on the hard drive”
•Attorney: Mr. Thomas, when you booted up the computer and started looking at the files, did you change any time stamps or original digital data on this computer?
•Mr. Thomas: Yes, I did.
•Attorney: Mr. Thomas, when performing a digital examination, is it correct protocol to perform the exam on the “original hard drive” without first imaging it?
•Mr. Thomas: No, the correct protocol is to image the media first.
•Attorney: Mr. Thomas, do you realize that you changed information on this hard drive, thus making any of the information on this hard drive “questionable” to the court?
Answering these “BASIC” questions from any crime scene…
•When did the crime take place? (time & date, IP address, GPS tags, EXIF, ISP authentication records, mail & social media authentication records, metadata artifacts (properties))
•Who did the crime? (SID, profile, e-mail, message post, social post, authentication records)
•What evidence do you have? (deleted, allocated, unallocated, slack)
•Were there any “finger prints”? (HASH values MD5/SHA1/SHA256, GPS location data, authentication records)
“WHAT IF” your exam evidence hinged on a “specific time frame”?
“WHAT IF” the opposing attorney was able to show that the times in the digital examination were not in sync with actual events because the time stamps in the exam were not correct?
•Event Viewer items (Start > Run > eventvwr)
•Windows Logs > System
•Event ID = 1
•Source = Kernel-General
•“The system time has changed…”
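To review that event from an exported log rather than by clicking through Event Viewer, here is an added Python helper (not from the original slides) that reads one record in the shape of Event Viewer's XML View, confirms it is Kernel-General event 1, and reports how far the clock jumped. The record and its times are constructed, and the 300-second tolerance is an assumed threshold separating routine time-sync nudges from a manual clock change.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed record in the shape of Event Viewer's "XML View"; the times are made up.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General"/>
    <EventID>1</EventID>
    <Channel>System</Channel>
    <TimeCreated SystemTime="2013-01-26T16:13:40.123456700Z"/>
  </System>
  <EventData>
    <Data Name="NewTime">2013-01-26T16:13:40.123456700Z</Data>
    <Data Name="OldTime">2013-01-20T09:02:11.987654300Z</Data>
  </EventData>
</Event>"""


def parse_ts(text):
    """Event timestamps carry 100 ns fractions; keep whole seconds and treat as UTC."""
    m = re.match(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)", text)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def time_change(xml_text, tolerance_s=300):
    """Old/new clock and the jump for a Kernel-General event 1; None for other events."""
    ev = ET.fromstring(xml_text)
    provider = ev.find("e:System/e:Provider", NS).get("Name")
    event_id = ev.findtext("e:System/e:EventID", None, NS)
    if provider != "Microsoft-Windows-Kernel-General" or event_id != "1":
        return None
    data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
    old, new = parse_ts(data["OldTime"]), parse_ts(data["NewTime"])
    jump = (new - old).total_seconds()
    # Time-sync corrections are seconds; a jump of hours or days needs explaining.
    return {"old": old, "new": new, "jump_s": jump, "suspicious": abs(jump) > tolerance_s}
```

Every flagged jump gives a boundary at which file time stamps on either side of the event must be re-read before they are placed on a timeline.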
Review web logs, temporary internet files, and e-mail file headers and see if the (embedded) time in the artifacts is equal to the time in the Accessed, Created, and Modified time metadata.
* (IMPORTANT) Carved items, file slack items, and unallocated space items WILL NOT ALWAYS contain time stamps (most of the time they do not). This depends upon whether the artifact was carved from deleted data or from data embedded in another file.
The challenge with these items is to find embedded time stamps within the block of data or the artifact.
More times than not, the “smoking gun” will be found in unallocated space, slack space, or carved items.
The components of the SID are:
Component: Description
S: A SID always begins with the letter ‘S’
1: Revision level of the SID structure, in this case ‘revision 1’
5: The authority that issued the SID; ‘5’ is the NT Authority
21: The string of numbers up to 500 is the domain identifier
2777932499: The relative identifier, which is the account or group
928484944-28449932064-1006: The last four characters are the ‘specific’ user in the SAM file, i.e. 1006
2849932064-1000: Another specific user on this same computer, i.e. 1000
This is a screen shot of a Digital Forensic application (FTK) File List Pane.
Notice the “Owner SID” is appended to each record. Using the SID and Time Stamps, the forensics examiner can build a road map of what was done during a specific time.
This is a “filtered” view of all graphics associated with the SID ending in 1006, which is the SID for the user “Brother’s Stuff”. There were a total of “652” graphics associated with this SID.
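Here is an added Python example (not the slides' own code or FTK's) that splits a SID into the components tabled above and then rebuilds the kind of SID-plus-time-stamp “road map” the filtered file list shows. The SIDs, file names and times in FILE_LIST are constructed; the RID meanings 500, 501 and 1000+ are standard Windows conventions.

```python
import re
from datetime import datetime

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


def parse_sid(sid):
    """Split a SID string into revision, authority, domain identifier and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    rid = subs[-1]
    domain_id = None
    if authority == 5 and subs[0] == 21 and len(subs) >= 5:  # NT Authority account SID
        domain_id = "-".join(str(x) for x in subs[1:4])
    kind = WELL_KNOWN_RIDS.get(rid) or ("user-created account" if rid >= 1000 else "other")
    return {"revision": revision, "authority": authority, "domain_id": domain_id,
            "rid": rid, "account_kind": kind}


# Constructed rows in the shape of an FTK file-list pane: (name, owner SID, modified UTC)
FILE_LIST = [
    ("IMG_0001.JPG", "S-1-5-21-1234567890-987654321-555555555-1006", "2013-01-26 16:13:51"),
    ("resume.docx",  "S-1-5-21-1234567890-987654321-555555555-1000", "2013-01-25 02:00:00"),
    ("IMG_0002.JPG", "S-1-5-21-1234567890-987654321-555555555-1006", "2013-01-24 21:09:45"),
    ("pagefile.sys", "S-1-5-18",                                     "2013-01-26 16:00:00"),
]


def road_map(rows, rid, start, end):
    """Records owned by the account with this RID, inside [start, end], in time order."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lo, hi = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    owned = [(datetime.strptime(t, fmt), n) for n, s, t in rows if parse_sid(s)["rid"] == rid]
    return [(t.strftime(fmt), n) for t, n in sorted(owned) if lo <= t <= hi]
```

Filtering on the RID alone mirrors the slide's “SID ending in 1006”; on a multi-domain image compare the full SID, since two domains can both issue RID 1006.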
Today, Artifacts can be compared using these HASH values.
The Questions are:
If two (or more) documents, graphics, or other artifacts look similar when viewed, but their HASH values are different when hashed, are they identical?
They are “within a shadow of a doubt” different.
The National Institute Of Standards and Technology (NIST) says they are different.
But will the courts “still say” they are “ A reasonable representation of each other?”
HASH Value Dilemma!
In this screen shot are examples of five HASHED text messages
•Text1 is the simple “the quick brown fox jumped over the lazy dogs back”
•Text2: same text in “UPPER CASE”
•Text3: same text with extra “spaces” at the end of the text
•Text4: same text with the first letter of the first word in “Upper Case”
•Text4 renamed: same text as Text4 but the “file name” is changed
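The five variants above, reproduced as an added Python example (not the slide's screenshot or its tool): it hashes each one, shows that only the renamed copy keeps its hash, and separates byte-identity from a similarity score and from an analyst-side normalized digest. The file contents are constructed from the slide's description.

```python
import difflib
import hashlib

BASE = "the quick brown fox jumped over the lazy dogs back"
# Constructed stand-ins for the five text messages on the slide (the bytes as stored).
FILES = {
    "Text1": BASE,
    "Text2": BASE.upper(),
    "Text3": BASE + "   ",
    "Text4": BASE[0].upper() + BASE[1:],
    "Text4_renamed": BASE[0].upper() + BASE[1:],  # same bytes, different file name
}


def digests(data):
    """Cryptographic hashes cover the bytes only; the file name never enters the hash."""
    b = data.encode("utf-8") if isinstance(data, str) else data
    return {name: hashlib.new(name, b).hexdigest() for name in ("md5", "sha1", "sha256")}


def compare(a, b):
    """Identical means byte-for-byte equal (same hash); similarity is a weaker, separate measure."""
    da, db = digests(FILES[a]), digests(FILES[b])
    ratio = difflib.SequenceMatcher(None, FILES[a], FILES[b]).ratio()
    return {"identical": da["sha256"] == db["sha256"], "similarity": round(ratio, 3)}


def normalized_digest(text):
    """Triage key: case-folded and whitespace-collapsed before hashing.
    Groups near-duplicates for review; it is not evidence that the stored bytes match."""
    return hashlib.sha256(" ".join(text.lower().split()).encode("utf-8")).hexdigest()
```

One flipped case letter or three trailing spaces changes every digest, so the hash answers only “same bytes?”; the similarity ratio and the normalized digest are for finding candidates, not for testimony.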
Many of the keyword “hits” resulting from the digital exam are NOT in common files such as Word documents, spreadsheets, Adobe PDF files, and e-mail files.
Most are in Internet Cache, unallocated space, slack space, and carved items.
“A set of established, investigative protocols and techniques used to analyze digital media.”
Seizure and preservation can make the difference in the digital evidence being admissible or inadmissible in court.
•A digital forensic investigation may be initiated for many reasons. In respect to civil or criminal investigations, digital forensics investigations may be of value in a wide range of situations.
•Ability to “re-trace” digital foot prints, such as when, where, how and why individuals (suspects) do what they do.
•With the advent of social web sites and people’s ability to share information, it is not uncommon for people to divulge private information to others electronically, including via cell phones.
•Digital forensics may reveal people’s emotions, reactions, or motives.
•They may also be able to provide “time lines” (time stamped) to reveal a person’s innocence, guilt, or participation associated with specific events.
On the Internet, select the following URL, then select the item FTK Imager. At the drop-down, select the most current version. Download, save and install the AccessData FTK Imager utility.
(it is free)
With the FTK Imager software and a “write blocker device”, you may MOUNT the digital image (DD) onto a computer and view the files as they would be seen in Windows File Manager.
NOTE: Don’t forget to use a hardware write-blocker or a software write-blocker when connecting the DD image to a computer. There is a “BLOCK – Read Only” option in Imager, but the write-blocker is another safeguard for keeping the image safe.