DIGITAL FORENSICS:CLUES IN THE HARD DRIVE

BY: PAMELA KING

COMPUTER SCIENCE & INFORMATION TECHNOLOGY DEPARTMENT

DIGITAL FORENSICS & CYBERSECURITY PROGRAM

CHESTNUT HILL COLLEGE

WHAT IS DIGITAL FORENSICS• Intersection of Law and Digital Technology

LAW and LEGAL SYSTEM

(Policy, Regulatory)

COMPUTER SCIENCE& TECHNOLOGY

Private Industry

Incident Response

Internal Investigations

Law Firms

Litigation Support

E-Discovery

Government

Law Enforcement

Regulatory

Infrastructure Protection

DIGITAL FORENSICS JOB SECTORS

DIGITAL FORENSICS

•There are six steps:• Collect • Acquire• Verify• Analyze• Report• Testify

ANALYSIS – CLUES IN THE HARD DRIVE

•Useful Artifacts

•Some overlooked

•Case Scenarios

•Technical

TOPICS

•Disk Logical Serial Numbers

•Windows Registry

•Hardware Log Events

•Search literals and strings

HARD DISK – LOGICAL SERIAL NUMBERS

•Hard drives have hardware serial numbers.

•Found in System Area/Partition Table • MBR – creates a disk serial number

• Signature is written by Windows Operating System

• GPT – Disk GUID

• Also Each partition has a GUID assigned when created.

LOGICAL SERIAL NUMBER

MBR – SECTOR 0 GPT – SECTOR 1 (HEADER)

SCENARIO

• Employees quit.

• Start new company.

• Solicit clients.

• Marketing materials/engineering diagrams.

• Claimed they “invented” them.

• Files had been “wiped”

• Hashes of the two drives were different.

• But…serial numbers were the same (among other evidence).

WINDOWS REGISTRY

• Moved Keys

• ntuser.dat to usrclass.dat

• New keys

• More data in usrclass.dat

• Backup copies

• Tools• Paraben Registry Analyzer

• AccessData Registry Viewer

• Magnet Axiom

• TZworks Sbag.exe

VSS & WINDOWS REGISTRY

SCENARIO

•Employees left for competitor

•Took proprietary data

•Company laptop analyzed

•Archived copies of registry showed•Attached to competitor’s wifi

•Attached 250GB external hard drive

•Dated prior to exiting company

GHOST IN THE MACHINE?

• Homicide Case

• Victim found murdered

• Coroner establish time of death between 6pm and 7pm June 7th.

• Defense argues that there was computer activity after that and until 11:30pm on June 8th - so time of death is wrong. Dead men don’t type…

• Software

• Applications

• System

• Firewall

• And more...

• Information/Warning/Error

• Power on/off

• Change date/time

• Update Software

• Backups

• And more...

WINDOWS HAS LOGGING

SO MUCH MORE

• RAM Analysis• Private Browsing Mode

• Attached Devices• Setupapi.log & MTP entries

• Time Line Analysis• Using $MFT/Directory

• Malware Analysis• keyloggers

• Prefetch Analysis

• Software use

• Lnk File Analysis

• File use

4TH ANNUAL CYBER SECURITY & FORENSICS CONFERENCE

• Sponsored by CHC and HTCIA.

• October is National Cyber Security Month!

• October 26 at Chestnut Hill College

THANK YOU!

Pamela King

Chestnut Hill College

Computer Science & Information Technology

Digital Forensics & Cyber Security B.S.Degrees

kingp@chc.edu

215-248-7145

www.chc.edu