Overview of Digital Forensics - NCSTL Litigators Conf 2012 Giglia.pdf · What is Digital Forensics Science for the examination and analysis of digital trace evidence Typically conducted

Overview of Digital Forensics

©2012 Digital Intelligence, Inc. All rights reserved.

NCSTL Training

Charles M. Giglia - Digital Intelligence

August 2012

What is Digital Forensics

� Science for the examination and analysis of digital trace evidence

� Typically conducted “Post

Mortem”


Mortem”

� Live and Network forensic collections/exams more accepted

� Fragility and longevity of digital evidence

Digital Forensics

� Autopsy of the computer

� Not only the what and wherebut the who, how and why


but the who, how and why

� Scientific approach

� Defensible process

� Results in opinion/expert testimony

� Controlled scope

Digital Forensics

� Identification

� Preservation

� Recovery


� Recovery

� Reconstruction

� Analysis / Interpretation

Digital Evidence

� Digital evidence likely present in every case

� Computers

� Cell Phone - Smart Phones - iStuff


� Telephones

� Automobiles

� Copy Machines

� Refrigerator

� Etc.

Forensic Methods

� Matches other forensic

disciplines

� Allows exact duplication of

the original evidence


the original evidence

� Involves both data recovery

and analysis

� Governed by valid laboratory

principles

Seizing Digital Evidence

� Limit access

� Protect the original

� Duplicate to create


� Duplicate to create

“forensic safety net”

� Live forensic analysis a

reasonable option –

when necessary

Other Forensic Evidence

Recognize that other

forms of evidence such

as latent prints,

Questioned


Questioned

Documents, DNA or

trace evidence may be

present and must be

preserved.

When to involve a Specialist

� What makes a specialist?

� Earlier is better

� Contaminating the evidence


� Contaminating the evidence

� Fighting the “fear factor”

� Live evidence

� Network forensics

� Recovering from errors

Processing Digital Evidence

� Examine known files

�Data elimination/reduction

� Recover erased/deleted files


� Recover erased/deleted files

� Examine slack, unallocated, swap space

� Examine the nature of how the computer was being used

� Linking removable media back to the computer

Data Recovery

� Depending on the type of case, the evidence will be found in


will be found in different areas on the drive

� May require manual reconstruction

Analyzing Digital Evidence

� What does it all mean?

� Written report of findings

� Articulation


� Facts vs. Opinion

Current Cases

� Serial Killers

� Identity Theft

� Cyber stalking


� Cyber stalking

� Child pornography

� Wireless theft

� Economic crimes

Case Application


Cyber Stalking

� 3.4 million cases of stalking per year

�13% of female college students report stalking


�Approx. 25% of all harassment/stalking cases

involve cyber component

� Social Networks, chat rooms, emails, and GPS devices

Cyber Stalking

� Cellphone GPS tracking

� Listening devices

� Vehicle tracking


� Vehicle tracking

� Spyware software

Child Pornography


http://www.familysafemedia.com/pornography_statistics.html

Child Pornography


http://www.familysafemedia.com/pornography_statistics.html

Social Networks

� Facebook

� MySpace

� Twitter


� Twitter

� Craigslist

� Pinterist

� Xanga

� Bebo

Social Networks


Specific Tools?

Computer Evidence

Where the

Evidence is


Evidence is

Other Media

� Thumb/Flash drives

� CD/DVD/Blu-Ray

� Attached storage (wired and wireless)


� Attached storage (wired and wireless)

� Unattached Storage – “Cloud”

� iPhones and Smart phones

� GPS

� Copiers

� Digital Cameras

� Portable – Tablets, ipod/pad, Mp3 players

Types of Evidence

� Constant change in the evidence

�Unlike most other physical evidence

� New Technologies make it difficult to


� New Technologies make it difficult to identify evidence

� Including unique adaptors and connectors for

drives and media

Types of Evidence


Types of Evidence


Initial Analysis

� Review active user files

� Review system generated files

�Log files


�Log files

� Review Internet activity

�History

�Cache

�Bookmarks

Active File Issues

� File Location

�Common Locations

� My Documents

Desktop


� Desktop

� Link files

� Encryption

� Metadata

� Internal

�External

Metadata

� Data about the file

� External: Path, Name, OS dates

� Internal: Dates, Author(s), Title,


� Internal: Dates, Author(s), Title,

�Not all files have internal data

�MS Office – Most common

�EXIF


Metadata

� MS Word


Internet Cache

� Internet activity

�Downloaded Content

�History


�History

�Bookmarks

�Passwords

� Web based email

� Online chats

Unallocated Space

� Area of the drive not allocated to active or system files

�500 GB drive – 250 GB of files = ~250 GB


�500 GB drive – 250 GB of files = ~250 GB

unallocated space

� When a file is deleted the space becomes part of unallocated space

� Previously deleted files can be “carved” out

Unallocated Drive Space� Raw data


Registry Analysis

� System/software configurations/events

� User preferences / history

�USB Device History


�USB Device History

�Usernames and Passwords

Hard drive connected via USB


Challenges in the Field

� Types of evidence

� Volume of evidence

� Changing laws


� Changing laws

� Training and certifications

�Tool vs. foundational

Questions

Charles M. GigliaDigital Intelligence, Inc.17165 W Glendale DrNew Berlin, WI 53151


email: [email protected] : 262.782.3332www.digitalintelligence.com