Digital Forensics and Demonstration of Basic Forensic Techniques Jim Gordon MSc MBCS Worcester University 12th Nov 2012 Digital Infrastructure


Page 1: Digital Forensics and Demonstration of Basic Forensic Techniques

Digital Forensics and Demonstration of Basic Forensic Techniques

Jim Gordon MSc MBCS, Worcester University, 12th Nov 2012, Digital Infrastructure

Page 2

Format of the Presentation

One hour presentation

Examples

Followed by two hours ‘Hands On’

Review/Wash up

Page 3

Basic Principles

Association of Chief Police Officers (ACPO) Guidelines on Computer Evidence.

Establish the basic principles of acquiring evidence from computer systems.

These principles are accepted by the courts in the United Kingdom.

Page 4

ACPO Principle 1

No action taken by the Police or their agents should change the data held on a computer or other media.

Where possible computer data must be ‘copied’ and the copy examined.

Page 5

ACPO Principle 2

• In exceptional circumstances it may be necessary to access the original data held on a target computer.

• However, it is imperative that the person doing so is competent and can account for their actions.

Page 6

ACPO Principle 3

An audit trail must exist to show all the processes undertaken when examining computer data

Many forensic tools record logs of processes performed and results obtained

Page 7

ACPO Principle 4

The onus rests with the person in charge of the case to show that a computer has been correctly examined in accordance with the law and accepted practice

Page 8

Forensic Imaging Process

Make a bit-wise image of the contents of the digital media

Store the original media and carry out the forensic analysis using the image copy

If it is necessary to switch on the suspect machine:

Restore the image to another drive and install that drive in the suspect's machine

Or mount the image and start it in a Virtual Machine

Retrieve evidence in a readable form

Page 9

Image Hard Disk

Page 10

Check BIOS Settings

Disconnect hard drive(s) and switch on

Check BIOS date and time

Check machine specific settings

Page 11

Image all other Storage Media

Page 12

Mobile Phone and PDA Forensics

Handset, Memory Card and SIM Card Examinations

Handset Examination:

Logical Dump

File System Dump

Physical Dump

JTAG Dump

Chip Off

In certain cases, SIM cloning is a requirement

Page 13

Global Positioning Systems

Previous Destinations

Sometimes a Route or Way Points

Favourite Destinations

Link to mobile phone - Bluetooth

Contacts

Addresses

Phone numbers

Owner Details - Home Address

Unallocated - Previous Owners

Page 14

Forensic Examination Process

Decide on best forensic tool(s) for the job

Expand ALL compound files

Hash ALL File Streams

Perform File Signature Analysis

Perform Entropy Test

Generate Index and/or Thumbnails of Graphics

Carve Data

Carve Meta Data

Page 15

Forensic Tools

Accepted by the court and validated in case law

Non-invasive computer forensic investigative tools

Cater for large volumes of data

Read FAT, NTFS, HFS, UNIX and LINUX - Proprietary Phone Systems

Integrated environment allows users to perform all functions of a forensic analysis

FTK

EnCase

X-Ways

Cellebrite

XRY

Oxygen

Page 16

Expand All Compound Files

Archive Files: ZIP, RAR

Complex Files: OLE (Object Linking and Embedding)

Mail Boxes: Outlook.pst, Inbox.dbx

Operating System Files: Thumbs Caches, Internet History

Page 17

Hash All File Streams

MD5 (Message Digest 5) generates a unique 128-bit value for each file or data stream.

Example MD5 hashes from the slide, for two files containing “This is a small text file.” and “This is a small text file” (the same text without the full stop):

MD5 = a08a8cf89436f18ea8084817357a59c1

MD5 = 271979ddf56c38805b7562046984fe40

An MD5 hash can be used to:

Identify files to be ignored (OS files).

Identify files of importance (contraband files).
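The following Python script is an added example, not code from the slides. It hashes byte streams in chunks (the way a tool hashes each file stream inside an image), shows that the two sample strings differing by one full stop give unrelated digests, and sorts streams into "ignore", "flag" and "examine" against hash sets. The hash sets, file contents and names here are all constructed for the demonstration; a real examination loads them from a reference library such as NIST's NSRL or a contraband database.

```python
import hashlib

# Constructed sample streams: the pair of strings from the slide, differing
# only by the trailing full stop.
SAMPLE_WITH_STOP = b"This is a small text file."
SAMPLE_WITHOUT_STOP = b"This is a small text file"

# Constructed stand-ins for files an examiner would already know about:
# one "operating system file" to ignore, one "contraband file" to flag.
KNOWN_OS_FILE = b"[constructed] contents of an operating-system file"
KNOWN_CONTRABAND_FILE = b"[constructed] contents of a file of importance"


def hash_stream(data: bytes, algorithm: str = "md5", chunk_size: int = 65536) -> str:
    """Hash a byte stream in fixed-size chunks and return the hex digest.

    Chunking matters for real evidence: a file stream inside a disk image may
    be gigabytes long and must not be read into memory in one go.
    """
    digest = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        digest.update(view[start:start + chunk_size])
    return digest.hexdigest()


def hash_record(data: bytes) -> dict:
    """Record MD5 and SHA-256 together, as current tools do, because MD5
    collisions are practical and a second algorithm guards against them."""
    return {
        "md5": hash_stream(data, "md5"),
        "sha256": hash_stream(data, "sha256"),
    }


# Hash sets built here from the constructed files (a real run loads them from
# a reference library instead).
KNOWN_GOOD_MD5 = {hash_stream(KNOWN_OS_FILE)}
KNOWN_BAD_MD5 = {hash_stream(KNOWN_CONTRABAND_FILE)}


def classify(data: bytes) -> str:
    """Decide what to do with a stream: 'ignore', 'flag' or 'examine'."""
    md5 = hash_stream(data, "md5")
    if md5 in KNOWN_BAD_MD5:
        return "flag"       # matches a file of importance
    if md5 in KNOWN_GOOD_MD5:
        return "ignore"     # matches a known OS/application file
    return "examine"        # unknown to both sets: needs the examiner's attention


if __name__ == "__main__":
    for label, data in (("with stop", SAMPLE_WITH_STOP), ("without stop", SAMPLE_WITHOUT_STOP)):
        print(label, hash_record(data))
    for data in (KNOWN_OS_FILE, KNOWN_CONTRABAND_FILE, SAMPLE_WITH_STOP):
        print(classify(data))
```

Hashing with two algorithms per stream costs little and means a later MD5 collision claim can be answered with the SHA-256 value recorded at the time of examination.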

Page 18

File Signature Analysis

Check the file header to determine whether the file has the correct extension

Highlight files with a mismatch for manual checking

Header            Extension        Type        Result
4d 5a 90 ...      .exe .dll .com   Executable  Match
ff d8 ff e0 ...   .vxd             JPEG        Mismatch
****              .txt             TEXT        Unknown
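An added Python example (not from the slides) that reproduces the table above over a constructed set of file headers: a small magic-byte table, a check of header against extension, and a function that returns just the mismatches an examiner should open by hand. The signature table and the sample files are constructed for the demonstration; a real tool carries thousands of signatures.

```python
import os

# Constructed signature table: leading bytes, the type they identify, and the
# extensions that legitimately carry that type.
SIGNATURES = [
    (b"MZ",                "Executable", {".exe", ".dll", ".com", ".sys", ".scr"}),
    (b"\xff\xd8\xff",      "JPEG",       {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG",        {".png"}),
    (b"%PDF-",             "PDF",        {".pdf"}),
    (b"PK\x03\x04",        "ZIP",        {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"Rar!\x1a\x07",      "RAR",        {".rar"}),
]


def identify(header: bytes):
    """Return (type, allowed extensions) for the first matching signature,
    or (None, set()) when the header is not recognised."""
    for magic, label, exts in SIGNATURES:
        if header.startswith(magic):
            return label, exts
    return None, set()


def signature_check(name: str, header: bytes) -> tuple:
    """One row of the slide's table: (type, result), result being
    Match, Mismatch or Unknown."""
    ext = os.path.splitext(name)[1].lower()
    label, exts = identify(header)
    if label is None:
        return "Unknown", "Unknown"
    return label, ("Match" if ext in exts else "Mismatch")


def analyse(files: dict) -> list:
    """Run the check over {name: leading bytes}; returns (name, type, result) rows."""
    return [(name, *signature_check(name, header)) for name, header in files.items()]


def needs_manual_check(files: dict) -> list:
    """Names whose header contradicts the extension, for the examiner to open."""
    return [name for name, _type, result in analyse(files) if result == "Mismatch"]


# Constructed sample: the first 16 bytes of each "file" as read from an image.
SAMPLE_FILES = {
    "setup.exe":  b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "photo.jpg":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "driver.vxd": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",  # a JPEG renamed .vxd
    "notes.txt":  b"Meeting notes fo",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for row in analyse(SAMPLE_FILES):
        print("%-12s %-11s %s" % row)
    print("manual check:", needs_manual_check(SAMPLE_FILES))
```

Plain text has no signature, so a .txt file comes back "Unknown" rather than "Match"; that is the honest answer and mirrors the last row of the slide.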

Page 19

Entropy Test

Can identify files that may be encrypted or compressed

An automated frequency analysis algorithm is used to determine if file content is encrypted

Files identified are then exported from the image and transferred to specialist decryption software
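The "frequency analysis" the slide refers to is, in most tools, Shannon entropy over the byte frequencies of a stream. This added Python example (not from the slides) computes it in bits per byte, applies a threshold with a minimum-size guard, and triages a constructed set of files. The threshold and sample data are constructed assumptions.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 when
    all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(data: bytes, threshold: float = 7.5, min_size: int = 1024) -> str:
    """Triage one stream: 'too small', 'high' (possibly encrypted or
    compressed) or 'normal'."""
    if len(data) < min_size:
        return "too small"   # frequency counts on a short stream mean little
    return "high" if shannon_entropy(data) >= threshold else "normal"


def triage(files: dict, **kw) -> list:
    """Names of the streams worth exporting for specialist decryption."""
    return [name for name, data in files.items() if entropy_verdict(data, **kw) == "high"]


# Constructed samples.
ENGLISH = (b"The quick brown fox jumps over the lazy dog and keeps running. ") * 40
UNIFORM = bytes(range(256)) * 8        # every byte value equally often, like ciphertext
ZEROS = b"\x00" * 2048                 # a blank or wiped region
SAMPLE_FILES = {"letter.txt": ENGLISH, "vault.bin": UNIFORM, "empty.dat": ZEROS, "tiny": b"abc"}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print("%-11s %.3f bits/byte  %s" % (name, shannon_entropy(data), entropy_verdict(data)))
    print("export for decryption:", triage(SAMPLE_FILES))
```

Compressed archives and JPEGs score almost as high as ciphertext, so the entropy verdict is read together with the file signature result before anything is sent off for decryption.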

Page 20

Generate Index

Generate an index of all strings of characters in the disk image

Speed up subsequent searches of the suspect image

Index can be used as a dictionary for password cracking

Page 21

GREP (General Regular Expressions)

GREP can be utilised for ‘fuzzy’ searching or pattern matching

\<[456]\d\d\d([\- ]?\d\d\d\d){3}\>

The above expression will find credit card numbers
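An added Python example (not from the slides) that runs the slide's expression over a text extract. The GNU grep word anchors `\<` and `\>` are rewritten as `\b` for Python's `re`, and a Luhn check-digit test is added to drop the false positives a bare pattern produces. The text extract is constructed; 4111 1111 1111 1111 is the widely published Visa test number and the second number is made up to fail the check.

```python
import re

# The slide's grep expression translated for Python's re module (\< \> -> \b).
CARD_PATTERN = re.compile(r"\b[456][0-9]{3}(?:[- ]?[0-9]{4}){3}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which issued card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, check_luhn: bool = True) -> list:
    """Return candidate card numbers (digits only) found in a text extract,
    in the order they appear."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[- ]", "", m.group(0))
        if check_luhn and not luhn_valid(digits):
            continue            # regex hit that cannot be a real card number
        hits.append(digits)
    return hits


# Constructed text extract, as an indexer might pull it from a document.
SAMPLE_TEXT = (
    "Invoice paid with card 4111 1111 1111 1111, auth ref 4000-0000-0000-0001.\n"
    "Tel 0121 4567 8901 (too short to match the pattern)\n"
)

if __name__ == "__main__":
    print("regex only:", find_card_numbers(SAMPLE_TEXT, check_luhn=False))
    print("regex + Luhn:", find_card_numbers(SAMPLE_TEXT))
```

Running with `check_luhn=False` shows what the slide's expression alone returns; the Luhn filter is the usual second stage in a triage tool, because a 16-digit run with a plausible leading digit turns up in invoice numbers and references as well as on cards.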

Page 22

Optical Character Recognition

Making Text in Pictures Searchable

Page 23

Generate Thumbnails

Pre-generation of thumbnail images assists in graphics-based cases when large numbers of suspect images exist

Page 24

Data Carve

Search through all allocated and unallocated data streams for known headers and recreate pointers to files
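An added Python example (not from the slides) of header/footer carving for one file type: it scans a raw stream for the JPEG start-of-image marker, cuts each file at the following end-of-image marker, and records the offset that becomes the recreated pointer. The "unallocated" buffer, filler and minimal JPEG-like blobs are constructed for the demonstration.

```python
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker followed by a segment marker
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan a raw stream (allocated or not) for JPEG headers and cut each one
    at the next footer. Returns (offset, bytes) pairs; the offset is the
    pointer a tool would create for the recovered file."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1 or end - start > max_size:
            pos = start + 1                  # no plausible footer: move on
            continue
        found.append((start, data[start:end + len(JPEG_FOOTER)]))
        pos = end + len(JPEG_FOOTER)         # resume after this file
    return found


def build_fake_jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG-like blob: SOI + APP0 'JFIF' + payload + EOI."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + payload + b"\xff\xd9"


# Constructed "unallocated" region: two pictures separated by filler that
# never contains an 0xff byte, so it cannot produce a false marker.
FILLER = bytes((i * 37 + 11) % 251 for i in range(500))
IMAGE_A = build_fake_jpeg(b"A" * 300)
IMAGE_B = build_fake_jpeg(b"B" * 120)
UNALLOCATED = FILLER + IMAGE_A + FILLER + IMAGE_B + FILLER

if __name__ == "__main__":
    for offset, blob in carve_jpegs(UNALLOCATED):
        print("JPEG at offset %d, %d bytes" % (offset, len(blob)))
```

Real carving is less tidy than this: a fragmented file yields a truncated or corrupt result, and an 0xff 0xd9 inside another file's data ends a carve early, which is why tools validate what they cut (for JPEG, by parsing the segment structure) before presenting it as a recovered picture.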

Page 25

Meta Carve

Search unallocated clusters for folder/sub-directory entries and rebuild if found

Page 26

What happens when a file is deleted?

The Windows operating system tracks files (user data) using either a File Allocation Table or a Master File Table.

In simple terms, the FAT or MFT tells the computer where the file begins and ends.

Macintosh uses a similar system known as Nodes.

Page 27

What happens when a file is deleted?

When a file is deleted, the operating system deletes the pointers to the file, and in the FAT or MFT the space occupied by the file is marked as available.

The computer does not delete the actual data that was contained in the file.

Page 28

Recycle Bin Forensics

Hidden System Folder

Win 95/98 called Recycled

Win2K, NT/XP/2003 called Recycler

Hidden system file named INFO2

INFO2 contains Original Filename, Deleted Date & Time

Vista/Win7 $Recycle.bin

Original Filename, Deleted Date & Time contained in separate files for each deleted record

Page 29

Examination of the Recycle Bin

Most forensic tools will parse the data from the INFO2 file

Page 30

FDISK

What happens when someone FDisks a drive to remove a partition?

The 16 bytes for the partition entry within the MBR are zeroed

The actual partition, including its data, is untouched

Page 31

FDISK

Partition recovery is simple

Locate VBR

Forensic Software will recover the Partition including directory structure
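The two FDISK slides above describe both the damage and the repair, and this added Python example (not from the slides) walks through them on a constructed 64-sector disk: it parses the four 16-byte MBR entries, zeroes one the way a partition delete does, and then finds the orphaned volume boot record by scanning every sector for the 0x55AA boot signature and a known OEM ID. The disk layout, partition geometry and OEM ID list are constructed assumptions.

```python
import struct

SECTOR = 512
PT_OFFSET = 446          # first of the four 16-byte partition entries in the MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1")   # OEM names found in NTFS/FAT VBRs


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        _status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0 and count != 0:
            entries.append({"index": i, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def fdisk_delete(disk: bytearray, index: int) -> None:
    """What a partition delete does: zero the 16-byte entry and nothing else."""
    off = PT_OFFSET + 16 * index
    disk[off:off + 16] = bytes(16)


def find_vbr_candidates(disk: bytes) -> list:
    """Scan every sector for a boot-sector signature plus a known OEM ID.
    These are the volume boot records a recovery tool offers to re-link."""
    hits = []
    for lba in range(len(disk) // SECTOR):
        sector = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[510:512] == b"\x55\xaa" and sector[3:11] in OEM_IDS:
            hits.append(lba)
    return hits


def build_disk(total_sectors: int = 64, part_start: int = 8, part_len: int = 32) -> bytearray:
    """Constructed disk: an MBR with one NTFS entry and an NTFS-style VBR at part_start."""
    disk = bytearray(total_sectors * SECTOR)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", part_start, part_len)
    disk[PT_OFFSET:PT_OFFSET + 16] = entry
    disk[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"       # jump instruction at the start of an NTFS boot sector
    vbr[3:11] = b"NTFS    "          # OEM ID
    vbr[510:512] = b"\x55\xaa"       # boot signature
    disk[part_start * SECTOR:(part_start + 1) * SECTOR] = vbr
    return disk


if __name__ == "__main__":
    disk = build_disk()
    print("before:", parse_partition_table(bytes(disk[:SECTOR])))
    fdisk_delete(disk, 0)
    print("after FDISK:", parse_partition_table(bytes(disk[:SECTOR])))
    print("VBR candidates for recovery:", find_vbr_candidates(bytes(disk)))
```

The sector-0 MBR also carries 0x55AA, which is why the scan insists on an OEM ID as well; a tool would then read the BIOS parameter block in the found VBR to recover the partition's size and rebuild the entry.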

Page 32

ReFormat

What happens when you reformat a drive to delete data?

Page 33

Digital Forensics and Demonstration of Basic Forensic Techniques

Jim Gordon MSc MBCS, Worcester University, 12th Nov 2012, Digital Infrastructure