Digital Evidence Locations and Computer Forensics ... Digital Evidence Locations and... · Portable...

Digital Evidence Locations; Computer Forensics Introduction Handling Child Pornography Cases, February 4-5, 2010Copyright © 2010 National Center for Justice and the Rule of Law – All Rights Reserved

Digital Evidence Locations Digital Evidence Locations &&

Introduction to Introduction to Computer ForensicsComputer Forensicspp

Don MasonDon MasonAssociate DirectorAssociate Director

ObjectivesObjectivesAfter this session, you will be able to:After this session, you will be able to:

Define “digital evidence” and identify typesDefine “digital evidence” and identify typesDescribe how digital evidence is stored in Describe how digital evidence is stored in computerscomputerscomputerscomputersIdentify devices and locations where digital Identify devices and locations where digital evidence may be foundevidence may be foundDefine basic computer and digital forensicsDefine basic computer and digital forensicsIdentify and describe the essential principles, Identify and describe the essential principles, tools, and trends in digital forensicstools, and trends in digital forensics

Special AcknowledgmentsSpecial Acknowledgments

Justin T. FitzsimmonsJustin T. FitzsimmonsSenior Attorney, NSenior Attorney, NDAA National Center for Prosecution of Child Abuse

S t J h M liSergeant Josh MoulinCommander, Southern Oregon High-Tech Crimes Task Force


Advancing TechnologyAdvancing Technology

Computer / Digital TechnologyComputer / Digital Technology

Personal computers, at work and at homePersonal computers, at work and at homeDigital camerasDigital camerasWeb camsWeb camsCamera and video cam cell phonesCamera and video cam cell phonesDocument and image scannersDocument and image scannersDigital recording and duplicating devicesDigital recording and duplicating devicesLarge digital storage capacities Large digital storage capacities Portable mediaPortable media

How Digital Evidence is How Digital Evidence is StoredStored

Data is written in binary code Data is written in binary code ---- 1’s and 0’s1’s and 0’s

These 1’s and 0’s are grouped together in These 1’s and 0’s are grouped together in blocks of 8, called “bytes.”blocks of 8, called “bytes.”yy

For example, the sequence “For example, the sequence “1000111110001111” ” represents the letter “O”.represents the letter “O”.


How Data is StoredHow Data is Stored

TrackTrack

SectorSector

ClustersClusters are groups of sectors

Digital EvidenceDigital EvidenceInformation of probative value that is Information of probative value that is stored or transmitted in binary form and stored or transmitted in binary form and may be relied upon in courtmay be relied upon in court

Digital EvidenceDigital EvidenceInformation stored in binary format but Information stored in binary format but convertible toconvertible to–– ee--mail, chat logs, documentsmail, chat logs, documents

photographs (including video)photographs (including video)–– photographs (including video)photographs (including video)–– user shortcuts, filenamesuser shortcuts, filenames–– web activity logsweb activity logs

Easily modified, corrupted, or erasedEasily modified, corrupted, or erasedCorrectly made copies indistinguishable Correctly made copies indistinguishable from originalfrom original


The Internet

The InternetThe Internet

World Wide Web (the Web)World Wide Web (the Web)EE--mailmailInstant messaging (IM) Instant messaging (IM) Webcam/ Internet Telephone (VoIP)Webcam/ Internet Telephone (VoIP)PeerPeer--toto--peer (P2P) networkspeer (P2P) networksLegacy SystemsLegacy Systems•• NewsgroupsNewsgroups•• Telnet and File transfer (FTP) sitesTelnet and File transfer (FTP) sites•• Internet Relay Chat (IRC)Internet Relay Chat (IRC)•• Bulletin boardsBulletin boards

Web 2.0

Interactive Internet communitiesSocial networksBlogs“Wikis”Video or photo sharing sitesOnline role-playing gamesVirtual worlds


Cloud Computing

Cloud ComputingCloud Computing

Basically, obtaining computing resources Basically, obtaining computing resources from someplace outside your own four from someplace outside your own four walls, and paying only for what you usewalls, and paying only for what you use

ProcessingProcessing–– ProcessingProcessing–– StorageStorage–– MessagingMessaging–– DatabasesDatabases–– etc.etc.

Ex: Google docs


What Kinds of ComputersWhat Kinds of ComputersCan Be on the Internet?Can Be on the Internet?

Mainframes Laptops

Personal computers

Personaldigital devices

Cell Phones

Internet ConnectivityInternet ConnectivityInternet ServiceProvider (ISP)

HomePCs

Telephonedialin line NetworkNetwork

High-speeddata link

Network

Network

DSL line

Cable modemconnection

Network

Network

Internet AddressingInternet AddressingEvery Every network / host network / host (and each (and each home home computer connected to the computer connected to the Internet) Internet) has a has a unique numeric unique numeric Internet protocolInternet protocol (IP) (IP) addressaddress num1 num2 num3 num4num1 num2 num3 num4address address num1.num2.num3.num4num1.num2.num3.num4

e.g., 172.20.53.229e.g., 172.20.53.229

Nearly Nearly all hosts and networks all hosts and networks also have also have corresponding corresponding domain domain namesnames that that are are easier for humans to remember and easier for humans to remember and useuse

e.g., e.g., www.ncjrl.org www.ncjrl.org oror oag.state.gov.usoag.state.gov.us


Why Addressing MattersWhy Addressing MattersThe Internet is a The Internet is a packetpacket--switchedswitched networknetworkThe component parts of a communication The component parts of a communication (i.e., the packets) sent to another host may (i.e., the packets) sent to another host may travel by different pathstravel by different pathstravel by different pathstravel by different pathsEach packet makes one or more “hops” Each packet makes one or more “hops” along the network on the way to its along the network on the way to its destinationdestination

What’s in a Packet?What’s in a Packet?An IP data packet An IP data packet includes includes –– routing information (where it routing information (where it

came from, where it’s came from, where it’s going)going)

172.31.208.99

10.135.6.23g g)g g)–– the data to be transmittedthe data to be transmitted

Replies from the receiving Replies from the receiving host go to the packet’s host go to the packet’s source address source address –– here, 172.31.208.99here, 172.31.208.99

011100101010101110110110001001010100...

Packet SwitchingPacket SwitchingISP.COM, a/k/a172.31.208.99

AGENCY.GOV, a/k/a 10.135.6.23






Computer & Internet UsesComputer & Internet UsesRemote Computing Remote Computing

ResearchResearch

CommerceCommerceCommerceCommerce

RecreationRecreation

CommunicationCommunication


Why It Matters How Why It Matters How Computers, Networks, Computers, Networks, and and the Internet Workthe Internet Work

Immense amount of digital data created, Immense amount of digital data created, g ,g ,transmitted, storedtransmitted, stored

Some created by humansSome created by humans

A lot necessarily created by machines “in A lot necessarily created by machines “in the background”the background”

Digital EvidenceDigital EvidenceUserUser--createdcreated–– Text (documents, eText (documents, e--mail, chats, IM’s)mail, chats, IM’s)–– Address booksAddress books

BookmarksBookmarks–– BookmarksBookmarks–– DatabasesDatabases–– Images (photos, drawings, diagrams)Images (photos, drawings, diagrams)–– Video and sound filesVideo and sound files–– Web pagesWeb pages–– Service provider account subscriber recordsService provider account subscriber records

ComputerComputer--createdcreated–– Dialing, routing, addressing, signaling infoDialing, routing, addressing, signaling info–– Email headersEmail headers–– MetadataMetadata

Digital EvidenceDigital Evidence

–– Logs, logs, logsLogs, logs, logs–– Browser cache, history, cookiesBrowser cache, history, cookies–– Backup and registry filesBackup and registry files–– Configuration filesConfiguration files–– Printer spool filesPrinter spool files–– Swap files and other “transient” dataSwap files and other “transient” data–– Surveillance tapes, recordingsSurveillance tapes, recordings


Forms of evidenceForms of evidenceFilesFiles–– Present / Active Present / Active (doc’s, spreadsheets, images, email, etc.)(doc’s, spreadsheets, images, email, etc.)–– Archive Archive (including as backups)(including as backups)–– Deleted Deleted (in slack and unallocated space)(in slack and unallocated space)–– Temporary Temporary (cache, print records, Internet usage records, etc.)(cache, print records, Internet usage records, etc.)–– Encrypted or otherwise hiddenEncrypted or otherwise hidden–– Compressed or corruptedCompressed or corrupted

Fragments of FilesFragments of Files–– ParagraphsParagraphs–– SentencesSentences–– WordsWords

Sources of EvidenceSources of Evidence

Offender’s computerOffender’s computer–– accessed and downloaded imagesaccessed and downloaded images–– user log filesuser log files–– Internet connection logsInternet connection logsgg–– browser history and cache filesbrowser history and cache files–– email and chat logsemail and chat logs

HandHand--held devicesheld devices (embedded computer systems)(embedded computer systems)–– digital camerasdigital cameras–– PDAsPDAs–– mobile phonesmobile phones

More Sources of EvidenceMore Sources of Evidence

ServersServers–– ISP authentication user logsISP authentication user logs–– FTP and Web server access logsFTP and Web server access logs

Email server user logsEmail server user logs–– Email server user logsEmail server user logs–– LAN server logsLAN server logs

Online activityOnline activity–– IP addresses of chat room contributorsIP addresses of chat room contributors


Digital Devices / Digital Devices / Locations Where DigitalLocations Where DigitalLocations Where Digital Locations Where Digital Evidence May be FoundEvidence May be Found

Mainframes, Desktops, LaptopsMainframes, Desktops, Laptops

Hard DrivesHard Drives


Solid State DrivesSolid State Drives

Removable MediaRemovable Media

USB Storage DevicesUSB Storage Devices


Digital CamerasDigital Cameras

Convergent DevicesConvergent Devices

More Digital DevicesMore Digital Devices


And Still MoreAnd Still More

MoreMore

MoreMore


MoreMore

MoreMore

MoreMore

Vehicle “black boxes”Vehicle “black boxes”–– Event data recordersEvent data recorders–– Sensing and diagnostic Sensing and diagnostic

modulesmodulesmodules modules –– Data loggersData loggers


MoreMore

Infiniti G35Infiniti G359.5 GB hard drive9.5 GB hard drive

Cadillac CTS40 GB hard drive

MoreMore


MoreMore

MoreMore

Evidence Containers?Evidence Containers?


More ContainersMore Containers

Room in virtual worldRoom in virtual world

Cell Site Location Data Cell Site Location Data


“True GPS”“True GPS”

“Handset solution”“Handset solution”–– The data is “inside the box”The data is “inside the box”–– Involves search of the deviceInvolves search of the device

GPS devicesGPS devices

Computer ForensicsComputer Forensics


Computer ForensicsComputer Forensics“preservation, identification, extraction, “preservation, identification, extraction, documentation, and interpretation of documentation, and interpretation of computer media for evidentiary and/or root computer media for evidentiary and/or root cause analysis”cause analysis”

Usually preUsually pre--defined procedures followed defined procedures followed but flexibility is necessary as the unusual but flexibility is necessary as the unusual will be encounteredwill be encountered

Was largely “postWas largely “post--mortem” but is evolvingmortem” but is evolving

Computer/Digital ForensicsComputer/Digital ForensicsSub branches / activities / stepsSub branches / activities / steps–– Computer forensicsComputer forensics–– Network forensicsNetwork forensics–– Live forensicsLive forensics–– Software forensicsSoftware forensics–– Mobile device forensicsMobile device forensics–– “Browser” forensics“Browser” forensics–– “Triage” forensics“Triage” forensics

SeizingSeizing computer evidencebagging & tagging

ImagingImaging seized materials

BasicBasic Computer ForensicsComputer Forensics

g gg g

SearchingSearching the image for evidence

PresentingPresenting digital evidencein court


Myth v. FactMyth v. FactMythMyth–– A computer forensic A computer forensic

analyst can recover analyst can recover any file that was ever any file that was ever deleted on a computerdeleted on a computer

FactFact–– The analyst can The analyst can

recover a deleted file, recover a deleted file, or parts of it, from or parts of it, from unallocated file spaceunallocated file spacedeleted on a computer deleted on a computer

since it was built.since it was built.unallocated file space unallocated file space until the file system until the file system writes a new file or writes a new file or data over it.data over it.

Myth v. FactMyth v. FactMythMyth–– Metadata (“data about Metadata (“data about

data”) is the all data”) is the all knowing, all seeing, knowing, all seeing, end all piece of info onend all piece of info on

FactFact–– Metadata does contain Metadata does contain

useful information useful information about a file but it is about a file but it is limitedlimitedend all piece of info on end all piece of info on

a file.a file.limited.limited.

E.g.:E.g.:–– AuthorAuthor–– MAC timesMAC times–– File name, size, File name, size,

locationlocation–– File propertiesFile properties

MightMight contain revisions, contain revisions, comments, etc.comments, etc.

Metadata Metadata –– basic examplesbasic examples


Metadata Metadata –– Track changesTrack changes

Metadata Metadata –– CommentsComments

EXIF dataEXIF dataExchangeable Image File FormatEmbeds data into images containing camera information, date and time, and more

69


Basic steps Basic steps –– 3 A’s3 A’sAAcquiringcquiring evidence without altering or evidence without altering or

damaging originaldamaging original

AAuthenticatinguthenticating acquired evidence by acquired evidence by ggshowing it’s identical to data showing it’s identical to data originally seizedoriginally seized

AAnalyzingnalyzing the evidence without the evidence without modifying itmodifying it

Acquiring the evidenceAcquiring the evidenceSeizing the computer: Seizing the computer: Bag and TagBag and TagHandling computer evidence carefullyHandling computer evidence carefully–– Chain of custodyChain of custody–– Evidence collectionEvidence collection

Evidence identificationEvidence identification–– Evidence identificationEvidence identification–– TransportationTransportation–– StorageStorage

Making at least two images of each evidence Making at least two images of each evidence containercontainer–– Perhaps third in criminal case Perhaps third in criminal case –– for discoveryfor discovery

Documenting, Documenting, DocumentingDocumenting, Documenting, Documenting

Preserving digital evidencePreserving digital evidenceThe “Forensic Image” or “Duplicate”The “Forensic Image” or “Duplicate”

A virtual “snapshot” of the entire driveEvery bit & byte “Erased” & reformatted dataData in “slack” & unallocated spaceVirtual memory data


Write Blockers

Hard drives areHard drives are imaged using hardware write blockers

73

Authenticating the evidenceAuthenticating the evidence

Proving that evidence to be analyzed is Proving that evidence to be analyzed is exactly the same as what suspect/party exactly the same as what suspect/party left behindleft behind

Readable text and pictures don’t magicallyReadable text and pictures don’t magically–– Readable text and pictures don t magically Readable text and pictures don t magically appear at randomappear at random

–– Calculating hash values for the original Calculating hash values for the original evidence and the images/duplicatesevidence and the images/duplicates

MD5 MD5 (Message(Message--Digest algorithm 5)Digest algorithm 5)

SHA SHA (Secure Hash Algorithm) (NSA/NIST)(Secure Hash Algorithm) (NSA/NIST)

What is a Hash Value?An MD5 Hash is a 32 character string that looks

like:Acquisition Hash:

3FDSJO90U43JIVJU904FRBEWHVerification Hash:Verification Hash:

3FDSJO90U43JIVJU904FRBEWH

The Chances of two different inputs producing the same MD5 Hash is greater than :

1 in 340 “Unidecillion: or 1 in 340,000,000,000,000,000,000,000,000,000,000,00

0,000


Hashing Tools – Examples

http://www.miraclesalad.com/webtools/md5.phphttp://www.fileformat.info/tool/md5sum.htmhtt // l ft /h h l /i d hhttp://www.slavasoft.com/hashcalc/index.htm

Also, AccessData’s FTK Imager can be downloaded free at

http://www.accessdata.com/downloads.html

MD5 HashMD5 Hash

128128--bit (16bit (16--byte) byte) message digest message digest ––a sequence of 32 charactersa sequence of 32 characters

“The quick brown fox jumps over the lazy “The quick brown fox jumps over the lazy d ”d ”dog”dog”

9e107d9d372bb6826bd81d3542a419d69e107d9d372bb6826bd81d3542a419d6“The quick brown fox jumps over the lazy “The quick brown fox jumps over the lazy dog.”dog.”

e4d909c290d0fb1ca068ffaddf22cbd0 e4d909c290d0fb1ca068ffaddf22cbd0 http://www.miraclesalad.com/webtools/md5.php

More Examples ofMore Examples ofHash ValuesHash ValuesHash ValuesHash Values


File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.The computer system clock read: 02/21/02 06:40:56PM.

Evidence acquired under DOS 7.10 using version 3.19.

File Integrity:Completely Verified, 0 Errors.Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFECVerification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC

Drive Geometry:Total Size 12.7GB (26,712,000 sectors)Cylinders: 28,266Heads: 15Sectors: 63

Partitions:Code Type Start Sector Total Sectors Size0C FAT32X 0 26700030 12.7GB


What happens when you fil ?rename a file?


Or Rename The Extension


“Hashing” an image“Hashing” an image

MD5MD5021509c96bc7a6a47718950e78e7a371 021509c96bc7a6a47718950e78e7a371

SHA177fe03b07c0063cf35dc268b19f5a449e5a9738677fe03b07c0063cf35dc268b19f5a449e5a9738677fe03b07c0063cf35dc268b19f5a449e5a97386 77fe03b07c0063cf35dc268b19f5a449e5a97386

MD5ea8450e5e8cf1a1c17c6effccd95b484

SHA101f57f330fb06c16d5872f5c1decdfeb88b69cbc

(single pixel changed using Paint program)

Analyzing the evidenceAnalyzing the evidenceWorking on bitWorking on bit--stream images of the stream images of the evidence; never the originalevidence; never the original–– Prevents damaging original evidencePrevents damaging original evidence

Two backups of the evidenceTwo backups of the evidence–– Two backups of the evidenceTwo backups of the evidenceOne to work onOne to work onOne to copy from if working copy alteredOne to copy from if working copy altered

Analyzing everything Analyzing everything –– Clues may be found in areas or files Clues may be found in areas or files

seemingly unrelatedseemingly unrelated

Popular Automated ToolsPopular Automated Tools

EncaseGuidance Softwarehttp://www.guidancesoftware.com/computer-forensics-

ediscovery-software-digital-evidence.htm

Forensic Tool Kit (FTK)Access Data


Validation of Computer Forensics Tools

Subjecting EnCase to Daubert analysis1. Subject to testing criteria

- NIST 2004 study http://www.ojp.usdoj.gov/nij/pubs-sum/200031 htmsum/200031.htm- Lab-specific testing

2. Subject to peer review and publication- Featured in a number of articles and forensics/incident response books

3. High known or potential rate of error?

Validation of Computer Forensics Tools

4. General acceptance within the scientific community

Case law/judicial notice of prior Dauberth i i th j i di tihearings in other jurisdictions

Sanders v. State, 191 S.W.3d 272 (2006)Williford v. State, 127 S.W.3d 309 (2004)

Use in law enforcement and corporate/private sectorsTaught in academic institutions

EnCase and Legal Challenges

State v. Cook, 777 N.E.2d 882 (Ohio App. 2002)Williford v. State, 127 S.W.3d 309 (Tex. App 2004)App. 2004)Taylor v. State, 93 S.W.3d 487 (Tex. App. 2002)


Analysis (cont.)Analysis (cont.)

Existing FilesExisting Files–– MislabeledMislabeled–– HiddenHidden

Deleted FilesDeleted Files–– Trash BinTrash Bin–– Show up in directory listing with Show up in directory listing with σσ in place of first in place of first

letterletter“taxes.xls” appears as ““taxes.xls” appears as “σσaxes.xls”axes.xls”

Free SpaceFree SpaceSlack SpaceSlack SpaceSwap SpaceSwap Space

Free SpaceFree Space

Currently unoccupied, or “unallocated” Currently unoccupied, or “unallocated” spacespaceMay have held information beforeMay have held information beforeV l bl f d tV l bl f d tValuable source of dataValuable source of data–– Files that have been deletedFiles that have been deleted–– Files that have been moved during Files that have been moved during

defragmentationdefragmentation–– Old virtual memoryOld virtual memory

Slack SpaceSlack SpaceSpace not occupied by an active file, but not Space not occupied by an active file, but not available for use by the operating systemavailable for use by the operating system

Every file in a computer fills a minimum amount Every file in a computer fills a minimum amount of spaceof space–– In some old computers, this is one kilobyte, or 1,024 In some old computers, this is one kilobyte, or 1,024

bytes. In most new computers, this is 32 kilobytes, or bytes. In most new computers, this is 32 kilobytes, or 32,768 bytes32,768 bytes

–– If you have a file 2,000 bytes long, everything after the If you have a file 2,000 bytes long, everything after the 20002000thth byte is slack spacebyte is slack space


File A(In Memory)

File Asaved to disk,

on top of File B

File A over-writes File B,

creating

File A(Now On

Disk)

File A

How “Slack” Is GeneratedHow “Slack” Is Generated

File B(On Disk)

File B creating slack

Remains of File B (slack)

Slack space: the area between the end of the file and the end of the storage unit

Recall how data is storedRecall how data is stored

Browser cache, history, cookies

Residual chat data

Other sources mined for Other sources mined for Transient DataTransient Data

Find the Golden Nuggets

Residual chat data

Activity logs

Registry & registry backup files


Sources of Digital GoldSources of Digital GoldInternet HistoryInternet HistoryTemp Files (cache, cookies etc…)Temp Files (cache, cookies etc…)Slack/Unallocated spaceSlack/Unallocated spaceBuddy Lists, chat room records, personal profiles, etc…Buddy Lists, chat room records, personal profiles, etc…News Groups, club listings, postingsNews Groups, club listings, postingsSettings, file names, storage datesSettings, file names, storage datesMetadata (email header information)Metadata (email header information)Software/Hardware addedSoftware/Hardware addedFile Sharing abilityFile Sharing abilityEmailEmail

Selected “Trends” in Digital Forensicsg

“Browser” Forensics

“Triage” Forensics

Browser ForensicsBrowser Forensics

Web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera) p , , , p )maintain histories of recent activity, even if not web related


Internet HistoryInternet History

Computers store Internet history in a number of locations including:

T I t t fil– Temporary Internet files– Windows Registry– Browser / Search Term history– CookiesThis information is browser specific

103

Temporary Internet FilesTemporary Internet Files

Typed URL’sTyped URL’s


Internet Navigation

Search StringsSearch Strings

HistoryHistory


CookiesCookies


Also occasionally referred to as “rolling” forensics, or “on-site preview”Image scanE i ll f l i “k k & t lk” tEspecially useful in “knock & talk” consent situations or in screening multiple computers to determine which to seizeCaveat: Not all agencies are equipped or trained yet to do this.

“Triage” Forensics - Steps

Attach/Install write-blocking equipmentTurn on target deviceScan for file extensions, such as:

.doc

.jpg (.jpeg)

.mpg (.mpeg)

.avi

.wmv

.bmp


“Triage” Forensics - Steps

Pull up thumbnail views - 10-96 images at a time

Right click on image, save to CD or separate drive.Determine file structure or file path.


Increasingly important, as the number and storage capacities of devices rapidly grow.But does NOT enable a comprehensive forensically sound examination of anyforensically sound examination of any device on the scene.

Resources

https://blogs.sans.org/computer-forensics/http://www.e-evidence.info/biblio.html

http://craigball.com/p g– E.g., What Judges Should Know About

Computer Forensics (2008)


Questions?Questions?

662662--915915--68986898

[email protected]@olemiss.edu

www.ncjrl.orgwww.ncjrl.org

Digital Evidence Locations and Computer Forensics ... Digital Evidence Locations and... · Portable...

Documents

Transcript of Digital Evidence Locations and Computer Forensics ... Digital Evidence Locations and... · Portable...