Digital Evidence Locations and Computer Forensics


Digital Evidence Locations; Computer Forensics Introduction. Handling Child Pornography Cases, February 4-5, 2010. Copyright © 2010 National Center for Justice and the Rule of Law – All Rights Reserved. Page 1

Digital Evidence Locations & Introduction to Computer Forensics

Don Mason, Associate Director

Objectives
After this session, you will be able to:
– Define “digital evidence” and identify types
– Describe how digital evidence is stored in computers
– Identify devices and locations where digital evidence may be found
– Define basic computer and digital forensics
– Identify and describe the essential principles, tools, and trends in digital forensics

Special Acknowledgments
Justin T. Fitzsimmons, Senior Attorney, NDAA National Center for Prosecution of Child Abuse
Sergeant Josh Moulin, Commander, Southern Oregon High-Tech Crimes Task Force

Page 2

Advancing Technology

Computer / Digital Technology
– Personal computers, at work and at home
– Digital cameras
– Web cams
– Camera and video cam cell phones
– Document and image scanners
– Digital recording and duplicating devices
– Large digital storage capacities
– Portable media

How Digital Evidence is Stored
– Data is written in binary code – 1’s and 0’s
– These 1’s and 0’s are grouped together in blocks of 8, called “bytes.”
– For example, the sequence “10001111” represents the letter “O”.

Page 3

How Data is Stored
– Track
– Sector
– Clusters are groups of sectors

Digital Evidence
Information of probative value that is stored or transmitted in binary form and may be relied upon in court

Digital Evidence
Information stored in binary format but convertible to
– e-mail, chat logs, documents
– photographs (including video)
– user shortcuts, filenames
– web activity logs
Easily modified, corrupted, or erased
Correctly made copies are indistinguishable from the original

Page 4

The Internet
– World Wide Web (the Web)
– E-mail
– Instant messaging (IM)
– Webcam / Internet telephone (VoIP)
– Peer-to-peer (P2P) networks
– Legacy systems
  • Newsgroups
  • Telnet and file transfer (FTP) sites
  • Internet Relay Chat (IRC)
  • Bulletin boards

Web 2.0
Interactive Internet communities
– Social networks
– Blogs
– “Wikis”
– Video or photo sharing sites
– Online role-playing games
– Virtual worlds

Page 5

Cloud Computing
Basically, obtaining computing resources from someplace outside your own four walls, and paying only for what you use
– Processing
– Storage
– Messaging
– Databases
– etc.
Ex: Google Docs

Page 6

What Kinds of Computers Can Be on the Internet?
– Mainframes
– Laptops
– Personal computers
– Personal digital devices
– Cell phones

Internet Connectivity
(Diagram: home PCs reach an Internet Service Provider (ISP) over a telephone dial-in line, a DSL line, or a cable modem connection; the ISP joins other networks over a high-speed data link.)

Internet Addressing
Every network / host (and each home computer connected to the Internet) has a unique numeric Internet Protocol (IP) address of the form num1.num2.num3.num4
e.g., 172.20.53.229
Nearly all hosts and networks also have corresponding domain names that are easier for humans to remember and use
e.g., www.ncjrl.org or oag.state.gov.us

Page 7

Why Addressing Matters
– The Internet is a packet-switched network
– The component parts of a communication (i.e., the packets) sent to another host may travel by different paths
– Each packet makes one or more “hops” along the network on the way to its destination

What’s in a Packet?
An IP data packet includes
– routing information (where it came from, where it’s going)
– the data to be transmitted
Replies from the receiving host go to the packet’s source address – here, 172.31.208.99
(Diagram: a packet with source address 172.31.208.99, destination address 10.135.6.23, and a data payload drawn as a bit string, 011100101010101110110110001001010100...)

Packet Switching
(Diagram: ISP.COM, a/k/a 172.31.208.99, exchanging packets with AGENCY.GOV, a/k/a 10.135.6.23)

Page 8

Packet Switching (three further frames of the same diagram: ISP.COM, a/k/a 172.31.208.99, and AGENCY.GOV, a/k/a 10.135.6.23)

Page 9

Packet Switching (two further frames of the same diagram: ISP.COM, a/k/a 172.31.208.99, and AGENCY.GOV, a/k/a 10.135.6.23)

Computer & Internet Uses
– Remote computing
– Research
– Commerce
– Recreation
– Communication

Page 10

Why It Matters How Computers, Networks, and the Internet Work
– Immense amount of digital data created, transmitted, stored
– Some created by humans
– A lot necessarily created by machines “in the background”

Digital Evidence
User-created
– Text (documents, e-mail, chats, IM’s)
– Address books
– Bookmarks
– Databases
– Images (photos, drawings, diagrams)
– Video and sound files
– Web pages
– Service provider account subscriber records
Computer-created
– Dialing, routing, addressing, signaling info
– Email headers
– Metadata

Digital Evidence
– Logs, logs, logs
– Browser cache, history, cookies
– Backup and registry files
– Configuration files
– Printer spool files
– Swap files and other “transient” data
– Surveillance tapes, recordings

Page 11

Forms of evidence
Files
– Present / Active (doc’s, spreadsheets, images, email, etc.)
– Archive (including as backups)
– Deleted (in slack and unallocated space)
– Temporary (cache, print records, Internet usage records, etc.)
– Encrypted or otherwise hidden
– Compressed or corrupted
Fragments of files
– Paragraphs
– Sentences
– Words

Sources of Evidence
Offender’s computer
– accessed and downloaded images
– user log files
– Internet connection logs
– browser history and cache files
– email and chat logs
Hand-held devices (embedded computer systems)
– digital cameras
– PDAs
– mobile phones

More Sources of Evidence
Servers
– ISP authentication user logs
– FTP and Web server access logs
– Email server user logs
– LAN server logs
Online activity
– IP addresses of chat room contributors

Page 12

Digital Devices / Locations Where Digital Evidence May Be Found

Mainframes, Desktops, Laptops

Hard Drives

Page 13

Solid State Drives

Removable Media

USB Storage Devices

Page 14

Digital Cameras

Convergent Devices

More Digital Devices

Page 15

And Still More

More

More

Page 16

More

More

More

Vehicle “black boxes”
– Event data recorders
– Sensing and diagnostic modules
– Data loggers

Page 17

More

Infiniti G35: 9.5 GB hard drive
Cadillac CTS: 40 GB hard drive

More

Page 18

More

More

Evidence Containers?

Page 19

More Containers

Room in virtual world

Cell Site Location Data

Page 20

“True GPS”
“Handset solution”
– The data is “inside the box”
– Involves search of the device

GPS devices

Computer Forensics

Page 21

Computer Forensics
“preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”
– Usually pre-defined procedures are followed, but flexibility is necessary as the unusual will be encountered
– Was largely “post-mortem” but is evolving

Computer/Digital Forensics
Sub-branches / activities / steps
– Computer forensics
– Network forensics
– Live forensics
– Software forensics
– Mobile device forensics
– “Browser” forensics
– “Triage” forensics

Basic Computer Forensics
– Seizing computer evidence (bagging & tagging)
– Imaging seized materials
– Searching the image for evidence
– Presenting digital evidence in court

Page 22

Myth v. Fact
Myth – A computer forensic analyst can recover any file that was ever deleted on a computer since it was built.
Fact – The analyst can recover a deleted file, or parts of it, from unallocated file space until the file system writes a new file or data over it.
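The myth/fact pair above, and the earlier slides on sectors, clusters and “deleted (in slack and unallocated space)”, can be seen in a toy model. This is an added example, not from the slides: a volume of 16-byte clusters where deleting a file only removes its allocation entry, so a pattern search over unallocated clusters still finds the content until a new file reuses those clusters, and the tail of the old file then survives only in the new file’s slack. The cluster size, the file names and the file contents are all constructed.

```python
# Constructed toy volume: fixed-size clusters, an allocation table and a data area.
# Real file systems use 4 KiB clusters and up; 16 bytes keeps the demo readable.
CLUSTER_SIZE = 16
CLUSTER_COUNT = 8


class ToyVolume:
    """Minimal file-system model. A file name maps to the chain of clusters that
    hold it. Deleting drops only that mapping; the data area is not touched."""

    def __init__(self):
        self.data = bytearray(CLUSTER_COUNT * CLUSTER_SIZE)
        self.table = {}   # name -> (cluster chain, logical size in bytes)

    def cluster(self, c: int) -> bytes:
        return bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def free_clusters(self) -> list:
        used = {c for chain, _ in self.table.values() for c in chain}
        return [c for c in range(CLUSTER_COUNT) if c not in used]

    def write(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // CLUSTER_SIZE)       # ceiling division
        free = self.free_clusters()
        if needed > len(free):
            raise OSError("volume full")
        chain = free[:needed]
        for i, c in enumerate(chain):
            piece = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only the file's own bytes are written; the rest of the last cluster
            # (file slack) keeps whatever the previous occupant left there.
            self.data[start:start + len(piece)] = piece
        self.table[name] = (chain, len(content))

    def read(self, name: str) -> bytes:
        chain, size = self.table[name]
        return b"".join(self.cluster(c) for c in chain)[:size]

    def delete(self, name: str) -> None:
        del self.table[name]             # the directory entry goes, the data stays

    def slack(self, name: str) -> bytes:
        """Bytes in the file's last cluster beyond its logical end."""
        chain, size = self.table[name]
        used_in_last = size - (len(chain) - 1) * CLUSTER_SIZE
        return self.cluster(chain[-1])[used_in_last:]

    def carve(self, needle: bytes) -> list:
        """Simple carving: which unallocated clusters still contain the pattern."""
        return [c for c in self.free_clusters() if needle in self.cluster(c)]


def demo() -> dict:
    vol = ToyVolume()
    secret = b"EVIDENCE-photo-0001.jpg!"           # 24 bytes -> clusters 0 and 1
    vol.write("evidence.jpg", secret)
    read_back_ok = vol.read("evidence.jpg") == secret
    vol.delete("evidence.jpg")
    found_after_delete = vol.carve(b"EVIDENCE")     # still in unallocated cluster 0
    vol.write("new.txt", b"NEW-DATA-20BYTES-XYZ")   # 20 bytes reuse clusters 0 and 1
    found_after_overwrite = vol.carve(b"EVIDENCE")  # cluster 0 is now overwritten
    return {
        "read_back_ok": read_back_ok,
        "found_after_delete": found_after_delete,
        "found_after_overwrite": found_after_overwrite,
        "slack_of_new_file": vol.slack("new.txt"),  # tail of the old file survives here
    }


if __name__ == "__main__":
    print(demo())
```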

Myth v. Fact
Myth – Metadata (“data about data”) is the all-knowing, all-seeing, end-all piece of info on a file.
Fact – Metadata does contain useful information about a file, but it is limited.
E.g.:
– Author
– MAC times
– File name, size, location
– File properties
– Might contain revisions, comments, etc.

Metadata – basic examples

Page 23

Metadata – Track changes

Metadata – Comments

EXIF data
Exchangeable Image File Format
Embeds data into images containing camera information, date and time, and more

Page 24

Basic steps – 3 A’s
– Acquiring evidence without altering or damaging the original
– Authenticating acquired evidence by showing it’s identical to the data originally seized
– Analyzing the evidence without modifying it

Acquiring the evidence
Seizing the computer: Bag and Tag
Handling computer evidence carefully
– Chain of custody
– Evidence collection
– Evidence identification
– Transportation
– Storage
Making at least two images of each evidence container
– Perhaps a third in a criminal case – for discovery
Documenting, Documenting, Documenting

Preserving digital evidence
The “Forensic Image” or “Duplicate”
A virtual “snapshot” of the entire drive
– Every bit & byte
– “Erased” & reformatted data
– Data in “slack” & unallocated space
– Virtual memory data

Page 25

Write Blockers
Hard drives are imaged using hardware write blockers

Authenticating the evidence
Proving that the evidence to be analyzed is exactly the same as what the suspect/party left behind
– Readable text and pictures don’t magically appear at random
– Calculating hash values for the original evidence and the images/duplicates
  • MD5 (Message-Digest algorithm 5)
  • SHA (Secure Hash Algorithm) (NSA/NIST)

What is a Hash Value?
An MD5 Hash is a 32 character string that looks like:
Acquisition Hash: 3FDSJO90U43JIVJU904FRBEWH
Verification Hash: 3FDSJO90U43JIVJU904FRBEWH
The chance of two different inputs producing the same MD5 Hash is greater than:
1 in 340 “undecillion”, or 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000,000

Page 26

Hashing Tools – Examples
http://www.miraclesalad.com/webtools/md5.php
http://www.fileformat.info/tool/md5sum.htm
http://www.slavasoft.com/hashcalc/index.htm
Also, AccessData’s FTK Imager can be downloaded free at
http://www.accessdata.com/downloads.html

MD5 Hash
128-bit (16-byte) message digest – a sequence of 32 characters
“The quick brown fox jumps over the lazy dog”
9e107d9d372bb6826bd81d3542a419d6
“The quick brown fox jumps over the lazy dog.”
e4d909c290d0fb1ca068ffaddf22cbd0
http://www.miraclesalad.com/webtools/md5.php

More Examples of Hash Values

Page 27

File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.
The computer system clock read: 02/21/02 06:40:56PM.
Evidence acquired under DOS 7.10 using version 3.19.
File Integrity: Completely Verified, 0 Errors.
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Drive Geometry: Total Size 12.7GB (26,712,000 sectors)
Cylinders: 28,266
Heads: 15
Sectors: 63
Partitions:
Code  Type    Start Sector  Total Sectors  Size
0C    FAT32X  0             26700030       12.7GB
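An acquisition record like the one above is normally checked by eye; as an added example (not from the slides and not the imaging tool’s own code), the script below parses the values shown and runs the consistency checks a reviewer would want: acquisition and verification hashes equal and of MD5 length, zero read errors, the partition inside the drive, the stated size consistent with the sector count, and the cylinders × heads × sectors product compared with the reported sector total. The record text is reconstructed from the slide, and a 512-byte sector is assumed because the record does not state the sector size.

```python
import re

SECTOR_BYTES = 512   # assumed: the record does not state the sector size

# Constructed from the acquisition record reproduced on the slide.
REPORT = """\
File "F:\\Wellesley\\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.
The computer system clock read: 02/21/02 06:40:56PM.
Evidence acquired under DOS 7.10 using version 3.19.
File Integrity: Completely Verified, 0 Errors.
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Drive Geometry: Total Size 12.7GB (26,712,000 sectors)
Cylinders: 28,266
Heads: 15
Sectors: 63
Partitions:
Code Type   Start Sector Total Sectors Size
0C   FAT32X 0            26700030      12.7GB
"""


def _num(s: str) -> int:
    return int(s.replace(",", ""))


def parse_report(text: str) -> dict:
    """Pull the fields the checks need out of the free-text record."""
    def grab(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)
    part = re.search(r"^([0-9A-F]{2})\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", text, re.M)
    if not part:
        raise ValueError("partition row not found")
    return {
        "acq_hash": grab(r"Acquisition Hash:\s*([0-9A-Fa-f]+)"),
        "ver_hash": grab(r"Verification Hash:\s*([0-9A-Fa-f]+)"),
        "errors": _num(grab(r"(\d+) Errors")),
        "total_sectors": _num(grab(r"\(([\d,]+) sectors\)")),
        "cylinders": _num(grab(r"Cylinders:\s*([\d,]+)")),
        "heads": _num(grab(r"Heads:\s*([\d,]+)")),
        "sectors_per_track": _num(grab(r"Sectors:\s*([\d,]+)")),
        "partition": {"code": part.group(1), "type": part.group(2),
                      "start": int(part.group(3)), "total": int(part.group(4))},
    }


def check_report(r: dict) -> dict:
    """Consistency checks a reviewer would run before relying on the image."""
    findings = []
    hashes_match = r["acq_hash"].lower() == r["ver_hash"].lower()
    if not hashes_match:
        findings.append("acquisition and verification hashes differ")
    if len(r["acq_hash"]) != 32:
        findings.append("hash is not 32 hex characters, so not an MD5 digest")
    if r["errors"]:
        findings.append(f"{r['errors']} read errors during acquisition")
    chs_product = r["cylinders"] * r["heads"] * r["sectors_per_track"]
    if chs_product != r["total_sectors"]:
        findings.append(f"CHS product {chs_product:,} differs from the "
                        f"reported total of {r['total_sectors']:,} sectors")
    p = r["partition"]
    if p["start"] + p["total"] > r["total_sectors"]:
        findings.append("partition extends past the end of the drive")
    size_gib = r["total_sectors"] * SECTOR_BYTES / 2 ** 30
    return {"hashes_match": hashes_match, "chs_product": chs_product,
            "size_gib": round(size_gib, 1), "findings": findings}


if __name__ == "__main__":
    print(check_report(parse_report(REPORT)))
```

On the slide’s values the hashes match and 26,712,000 sectors of 512 bytes round to the stated 12.7 GB (in GiB), while the geometry product is 630 sectors short of the reported total, which is the kind of discrepancy worth asking the examiner about.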

Page 28

What happens when you rename a file?

Page 29

Or Rename The Extension

Page 30

“Hashing” an image

MD5: 021509c96bc7a6a47718950e78e7a371
SHA1: 77fe03b07c0063cf35dc268b19f5a449e5a97386

MD5: ea8450e5e8cf1a1c17c6effccd95b484
SHA1: 01f57f330fb06c16d5872f5c1decdfeb88b69cbc
(single pixel changed using Paint program)
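The two ideas on the slides above, the acquisition/verification hash pair in the EnCase report and the way a one-pixel edit changes every digest, can be shown with a few lines of Python. This is an added example, not code from the course or from any forensic tool; the 4x4 pixel buffer is constructed for illustration and the hash values it prints are not the ones on the slide.

```python
import hashlib

# Constructed sample "image": a 4x4 block of 8-bit pixel values. This is
# not the photograph from the slide; the values only illustrate hashing.
ORIGINAL_PIXELS = bytes(range(16))


def hash_bytes(data: bytes) -> dict:
    """Return the MD5 and SHA-1 hex digests of data, as a forensic tool reports them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def change_one_pixel(data: bytes, index: int = 5) -> bytes:
    """Simulate editing a single pixel in a paint program by altering one byte."""
    buf = bytearray(data)
    buf[index] ^= 0x01  # flip the least significant bit of one pixel
    return bytes(buf)


def verify_acquisition(data: bytes, acquisition_hash: str) -> bool:
    """Verification step from an acquisition report: rehash the image and
    compare with the hash recorded when the evidence was acquired."""
    return hashlib.md5(data).hexdigest().lower() == acquisition_hash.strip().lower()


def demonstrate() -> dict:
    """Hash the sample before and after a one-pixel edit and report what changed."""
    before = hash_bytes(ORIGINAL_PIXELS)
    edited = change_one_pixel(ORIGINAL_PIXELS)
    after = hash_bytes(edited)
    return {
        "before": before,
        "after": after,
        "md5_changed": before["md5"] != after["md5"],
        "sha1_changed": before["sha1"] != after["sha1"],
        # An unaltered image re-hashes to the acquisition value...
        "verified": verify_acquisition(ORIGINAL_PIXELS, before["md5"]),
        # ...while the edited image does not.
        "edited_verified": verify_acquisition(edited, before["md5"]),
    }


if __name__ == "__main__":
    result = demonstrate()
    for label in ("before", "after"):
        print(f"{label:6} MD5  {result[label]['md5']}")
        print(f"{label:6} SHA1 {result[label]['sha1']}")
    print("original verifies:", result["verified"])
    print("edited verifies:  ", result["edited_verified"])
```

A matching acquisition and verification hash, as in the report above, shows that the bytes read back from the image file are identical to the bytes read from the drive at acquisition; any single-byte difference, whether from a paint program or from a bad sector, produces a completely different digest.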

Analyzing the evidence
– Working on bit-stream images of the evidence; never the original
  – Prevents damaging original evidence
– Two backups of the evidence
  – One to work on
  – One to copy from if working copy altered
– Analyzing everything
  – Clues may be found in areas or files seemingly unrelated

Popular Automated Tools
– EnCase (Guidance Software): http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
– Forensic Tool Kit (FTK) (Access Data)


Validation of Computer Forensics Tools

Subjecting EnCase to Daubert analysis
1. Subject to testing criteria
   – NIST 2004 study: http://www.ojp.usdoj.gov/nij/pubs-sum/200031.htm
   – Lab-specific testing
2. Subject to peer review and publication
   – Featured in a number of articles and forensics/incident response books
3. High known or potential rate of error?

Validation of Computer Forensics Tools

4. General acceptance within the scientific community
   – Case law/judicial notice of prior Daubert hearings in other jurisdictions
     – Sanders v. State, 191 S.W.3d 272 (2006)
     – Williford v. State, 127 S.W.3d 309 (2004)
   – Use in law enforcement and corporate/private sectors
   – Taught in academic institutions

EnCase and Legal Challenges
– State v. Cook, 777 N.E.2d 882 (Ohio App. 2002)
– Williford v. State, 127 S.W.3d 309 (Tex. App. 2004)
– Taylor v. State, 93 S.W.3d 487 (Tex. App. 2002)


Analysis (cont.)
– Existing Files
  – Mislabeled
  – Hidden
– Deleted Files
  – Trash Bin
  – Show up in directory listing with σ in place of first letter: “taxes.xls” appears as “σaxes.xls”
– Free Space
– Slack Space
– Swap Space

Free Space
– Currently unoccupied, or “unallocated” space
– May have held information before
– Valuable source of data
  – Files that have been deleted
  – Files that have been moved during defragmentation
  – Old virtual memory

Slack Space
– Space not occupied by an active file, but not available for use by the operating system
– Every file in a computer fills a minimum amount of space
  – In some old computers, this is one kilobyte, or 1,024 bytes. In most new computers, this is 32 kilobytes, or 32,768 bytes
  – If you have a file 2,000 bytes long, everything after the 2000th byte is slack space


How “Slack” Is Generated

[Figure: File A (in memory) is saved to disk on top of File B (on disk). File A over-writes File B, creating File A (now on disk); the remains of File B are left behind as slack.]

Slack space: the area between the end of the file and the end of the storage unit
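The slack arithmetic from the Slack Space slide and the over-write shown in the figure above, as an added Python example that is not part of the course material. The two cluster sizes are the ones the slide quotes (1,024 and 32,768 bytes); the 64-byte “cluster” and the contents of File A and File B in the simulation are constructed so that the effect fits on one line of output.

```python
# Added example: allocation-unit arithmetic and a byte-level simulation of how
# slack space is produced. The cluster sizes follow the slide; all file contents
# below are constructed for illustration.

CLUSTER_OLD = 1024    # "one kilobyte" allocation unit from the slide
CLUSTER_NEW = 32768   # "32 kilobytes" allocation unit from the slide


def allocated_size(file_size: int, cluster: int) -> int:
    """Bytes reserved on disk: file_size rounded up to whole clusters.
    A zero-length file is assumed to occupy no cluster at all."""
    if file_size <= 0:
        return 0
    return -(-file_size // cluster) * cluster   # ceiling division


def slack_bytes(file_size: int, cluster: int) -> int:
    """Slack = space allocated to the file minus the bytes the file actually uses."""
    return allocated_size(file_size, cluster) - file_size


def write_over(disk_cluster: bytes, new_file: bytes) -> bytes:
    """Simulate saving File A into a cluster that still holds File B.
    Only len(new_file) bytes are written; the tail of the cluster keeps
    File B's bytes, which is exactly the slack an examiner can read."""
    if len(new_file) > len(disk_cluster):
        raise ValueError("file larger than one cluster; use more clusters")
    return new_file + disk_cluster[len(new_file):]


def recover_slack(disk_cluster: bytes, logical_size: int) -> bytes:
    """Bytes an examiner sees between the file's logical end and the cluster end."""
    return disk_cluster[logical_size:]


if __name__ == "__main__":
    # The slide's own figure: a 2,000-byte file on a 32 KiB allocation unit.
    print("2,000-byte file, 32 KiB clusters -> slack bytes:",
          slack_bytes(2000, CLUSTER_NEW))
    print("2,000-byte file,  1 KiB clusters -> slack bytes:",
          slack_bytes(2000, CLUSTER_OLD))

    # Tiny 64-byte cluster so the over-write is visible when printed.
    file_b = b"B" * 64            # File B once filled the whole cluster
    file_a = b"A" * 20            # File A is now saved on top of it
    cluster = write_over(file_b, file_a)
    print("cluster after save :", cluster)
    print("slack still holds  :", recover_slack(cluster, len(file_a)))
```

With the slide's numbers, a 2,000-byte file on a 32,768-byte allocation unit leaves 30,768 bytes of slack; the same file on a 1,024-byte unit spans two clusters and leaves only 48. Whatever was in those trailing bytes before the save is what the examiner recovers from slack.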

Other sources mined for Transient Data
Find the Golden Nuggets
– Recall how data is stored
– Browser cache, history, cookies
– Residual chat data
– Activity logs
– Registry & registry backup files


Sources of Digital Gold
– Internet History
– Temp Files (cache, cookies etc…)
– Slack/Unallocated space
– Buddy Lists, chat room records, personal profiles, etc…
– News Groups, club listings, postings
– Settings, file names, storage dates
– Metadata (email header information)
– Software/Hardware added
– File Sharing ability
– Email

Selected “Trends” in Digital Forensics
– “Browser” Forensics
– “Triage” Forensics

Browser Forensics
Web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera) maintain histories of recent activity, even if not web related


Internet History

Computers store Internet history in a number of locations including:
– Temporary Internet files
– Windows Registry
– Browser / Search Term history
– Cookies
This information is browser specific

Temporary Internet Files

Typed URLs


Internet Navigation
– Search Strings
– History


Cookies

“Triage” Forensics
– Also occasionally referred to as “rolling” forensics, or “on-site preview”
– Image scan
– Especially useful in “knock & talk” consent situations or in screening multiple computers to determine which to seize
– Caveat: Not all agencies are equipped or trained yet to do this.

“Triage” Forensics - Steps
– Attach/Install write-blocking equipment
– Turn on target device
– Scan for file extensions, such as: .doc, .jpg (.jpeg), .mpg (.mpeg), .avi, .wmv, .bmp


“Triage” Forensics - Steps
– Pull up thumbnail views - 10-96 images at a time
– Right click on image, save to CD or separate drive.
– Determine file structure or file path.

“Triage” Forensics
– Increasingly important, as the number and storage capacities of devices rapidly grow.
– But does NOT enable a comprehensive forensically sound examination of any device on the scene.
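The extension scan in the triage steps, and the earlier slides asking what happens when a file or its extension is renamed (the “Mislabeled” existing files under Analysis), come together in one added example below. It is not code from the course or from any triage product: it walks a mounted volume, keeps every file whose extension is on the slide's list or whose header matches one of those formats, flags the ones where extension and header disagree, and records an MD5 for each. The header signatures are the published ones for each format; the sample directory tree, file names and stub contents are constructed. Attaching the write blocker and powering the device are hardware steps the script cannot perform, and, as the slide says, this is a preview, not a forensically sound examination.

```python
import hashlib
import os
import tempfile

# Published file-header signatures for the extensions named in the triage steps.
# Each extension maps to a list of alternatives; an alternative is a list of
# (offset, bytes) pairs that must all match.
SIGNATURES = {
    ".jpg":  [[(0, b"\xff\xd8\xff")]],
    ".jpeg": [[(0, b"\xff\xd8\xff")]],
    ".bmp":  [[(0, b"BM")]],
    ".avi":  [[(0, b"RIFF"), (8, b"AVI ")]],                    # RIFF container holding AVI
    ".wmv":  [[(0, b"\x30\x26\xb2\x75\x8e\x66\xcf\x11")]],       # ASF header object GUID
    ".mpg":  [[(0, b"\x00\x00\x01\xba")], [(0, b"\x00\x00\x01\xb3")]],  # pack / sequence header
    ".mpeg": [[(0, b"\x00\x00\x01\xba")], [(0, b"\x00\x00\x01\xb3")]],
    ".doc":  [[(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")]],       # OLE2 compound document
}
TRIAGE_EXTENSIONS = set(SIGNATURES)
HEADER_LEN = 16


def _alternative_matches(header: bytes, alternative) -> bool:
    return all(header[off:off + len(sig)] == sig for off, sig in alternative)


def signature_matches(ext: str, header: bytes) -> bool:
    """True if the header is consistent with the claimed extension."""
    return any(_alternative_matches(header, alt) for alt in SIGNATURES.get(ext, []))


def guess_type(header: bytes):
    """Extension implied by the header alone, or None if no triage type matches."""
    for ext, alternatives in SIGNATURES.items():
        if any(_alternative_matches(header, alt) for alt in alternatives):
            return ext
    return None


def triage_scan(root: str) -> list:
    """Walk a mounted volume (attached through a write blocker) and record every
    file whose extension is on the triage list or whose header matches a triage
    type. The second test catches files whose extension was renamed."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            header = data[:HEADER_LEN]
            content_type = guess_type(header)
            if ext not in TRIAGE_EXTENSIONS and content_type is None:
                continue
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "extension": ext,
                "content_type": content_type,
                # Extension claims one format, header shows another (or none).
                "mismatch": not signature_matches(ext, header),
                "md5": hashlib.md5(data).hexdigest(),   # recorded for the preview log
            })
    records.sort(key=lambda r: r["path"])
    return records


def build_sample_volume(root: str) -> None:
    """Constructed sample tree: a JPEG stub, the same bytes renamed to .txt and
    to .doc, an AVI stub, and an unrelated text file."""
    os.makedirs(os.path.join(root, "Pictures"), exist_ok=True)
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    samples = {
        "Pictures/holiday.jpg": jpeg_stub,
        "Pictures/notes.txt": jpeg_stub,     # picture with its extension renamed
        "report.doc": jpeg_stub,             # picture relabelled as a document
        "clip.avi": b"RIFF\x00\x00\x00\x00AVI LIST",
        "readme.txt": b"plain text\n",       # not a triage type; never listed
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


def demo_summary() -> dict:
    """Scan a temporary constructed volume; map each listed path to its mismatch flag."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return {r["path"]: r["mismatch"] for r in triage_scan(tmp)}


if __name__ == "__main__":
    for path, mismatch in demo_summary().items():
        print(f"{'MISMATCH' if mismatch else 'ok      '} {path}")
```

Scanning by extension alone would list only holiday.jpg, report.doc and clip.avi; reading the first bytes of every file is what surfaces notes.txt and exposes report.doc as an image, which is the point of the “what happens when you rename the extension” slides. On a real volume the scan is run against the write-blocked device and the recorded hashes go into the preview notes, so that anything later seized can be matched to what was seen on scene.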

Resources
– https://blogs.sans.org/computer-forensics/
– http://www.e-evidence.info/biblio.html
– http://craigball.com/
  – E.g., What Judges Should Know About Computer Forensics (2008)


Questions?

662-915-6898

[email protected]

www.ncjrl.org