Principles and Practices - California State Polytechnic ...carich/classes/cs499/201001/notes/computer_forensics.pdfComputer Forensics Principles and Practices by Volonino, Anzaldua,

Computer Forensics Principles and Practices

by Volonino, Anzaldua, and Godwin

Chapter 7: Investigating Windows, Linux, and Graphics Files

© Pearson Education Computer Forensics: Principles and Practices 2

Objectives

  Conduct efficient and effective investigations of Windows systems

  Find user data and profiles in Windows folders

  Locate system artifacts in Windows systems   Examine the contents of Linux folders


Objectives (Cont.)

  Identify graphic files by file extensions and file signatures

  Identify what computer forensics graphic tools and techniques can reveal and recover


Introduction

In many cases you may have gigabytes or even terabytes of data that must be searched for evidence. This chapter helps maximize efficiency of the search by showing default locations of file storage and hiding techniques of wrongdoers.


Investigating Windows Systems

  Activities of the user result in user data   User profiles   Program files   Temporary files (temp files)   Special application-level files


Investigating Windows Systems (Cont.)   System data and artifacts are generated by

the operating system   Metadata   Windows system registry   Event logs or log files   Swap files   Printer spool   Recycle Bin


Hidden Files

  Files that do not appear by default are hidden files

  These can be viewed through the following steps:   Open Windows Explorer   Go to Tools > Folder Options > View > Hidden

files and folders   Select Show hidden files and folders   Click OK


Investigating Windows Systems (Cont.)   Data and user authentication weaknesses of

FAT   Userids are not required   Only attributes are associated with files or folders

  Data and user authentication improvements in NTFS   Separation of duties   Anonymity of the user


Investigating Windows Systems (Cont.)   Identify the operating systems of a target

hard drive by:   Operating system folder names   The folder for the Recycle Bin   The construction of the user root folders because

of the differences in the way user data is kept


Finding User Data and Profiles in Windows Folders   Documents and Settings folder

  Contains a user root folder for each user account created on the computer

  Windows NT and above automatically install   Administrator   All users   Default user (hidden)


Finding User Data and Profiles in Windows Folders (Cont.)   Data stored in the user root folder:

  Desktop settings, such as wallpaper, screensavers, color schemes, and themes

  Internet customizations, such as the homepage, favorites, and history

  Application parameters and data, such as e-mail and upgrades

  Personal files and folders, such as My Documents, My Pictures, and so on


Finding User Data and Profiles in Windows Folders (Cont.)   Some of the subfolders in the user root folder

include:   Application data (hidden)   Cookies   Desktop   Favorites   Local Settings (hidden)   My Documents   NetHood (hidden)


Location of User Root Folders

Operating System (Platform) User Root Folder Location

Windows 9x <partition>:\WINDOWS\Profiles\userid USER.DAT file

Windows NT <partition>:\WINNT\Profiles\userid NTUSER.DAT file

Windows 2000 and Windows XP

<partition>:\Documents and Settings\userid

NTUSER.DAT file


In Practice: Temp Internet Files Provide Valuable E-Evidence   Data stored in the Temporary Internet Files

folder can be valuable supporting evidence, even if deleted

  Statute 18 U.S.C. §2256(8) rules as pornography any data stored on computer disk that can be converted into a visual image


Investigating System Artifacts

  Types of metadata   Descriptive: describes a resource for purposes

such as discovery and identification   Structural: indicates how compound objects are

put together   Administrative: provides information to help

manage a resource, such as when it was created, last accessed, and modified

  Be alert for alternate data streams (ADS)


In Practice: Searching for Evidence

  Do not use the suspect system itself to carry out a search for evidence

  Using Windows to search and open files can change the file’s metadata

  Such changes may cause evidence to be disallowed in court


Investigating System Artifacts (Cont.)   Registry

  Can reveal current and past applications, as well as programs that start automatically at bootup

  Viewing the registry requires a registry editor   Event logs track system events

  Application log tracks application events   Security log shows logon attempts   System log tracks events such as driver failures


Investigating System Artifacts (Cont.)   Swap file/page file

  Used by the system as virtual memory   Can provide the investigator with a snapshot of

volatile memory   Print spool

  May contain enhanced metafiles of print jobs   Recycle Bin/Recycler

  Stores files the user has deleted


“Shredding” Data

  Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data


Investigating Linux Systems

  Windows can have many users with administrator access, but Linux has only one administrative account, called root

  Root account has complete control of the system

  In Linux, all devices, partitions, and folders are seen as a unified file system

  A typical installation creates three partitions: the root, boot, and swap partitions


Investigating Linux Systems (Cont.)

  The Linux file system includes the data structure as well as the processes that manage the files in the partition

  Linux’s virtual file system provides a common set of data structures:   Superblock   Inode   Dentry   Data block



  Seven different file types available in Linux:   Normal files   Directories   Links   Named pipes   Sockets   Block devices   Character devices



  Default Linux installations generally include system directories such as the following:   /boot   /dev   /etc   /home   /lib   /lost+found   /mnt

  /proc   /root   /sbin   /tmp   /usr   /var



  Key Linux files and directories to investigate:   /etc/passwd   /etc/shadow   /etc/hosts   /etc/sysconfig/   /etc/syslog.conf



  Deleted files   Check the Trash can for each login user for

deleted files that can be recovered   Using grep to search file contents

  Grep allows for sophisticated character-based data searches

  Compressed files   Some Linux applications such as OpenOffice

automatically compress data files


Graphic File Forensics

  The investigator can use file signatures to determine where data starts and ends and the file type   File extension (such as .jpg) one way to identify a

graphic file   A user can easily change the file extension, but

the data header does not change   Forensic tools can resolve conflicts between file

extensions and file types


Graphic File Forensics (Cont.)

  The process of retrieving all relevant pieces of a file is called data carving or data salvaging

  An investigator may have to reconstruct the data header using file signature information

  Layered graphic files (such as Photoshop or Corel) can hide information behind layers

  Graphics saved as JPEG, TIFF, GIF, or BMP do not have layers



  Steganography is a form of data hiding in which a message is hidden within another file   Data to be hidden is the carrier medium   The file in which the data is hidden is the

steganographic medium   Both parties communicating via

steganography must use the same stego application



  Steganography is difficult to detect; the following clues may indicate stego use   Technical capabilities or sophistication of the

computer’s owner   Software clues on the computer   Other program files that indicate familiarity with

data-hiding methods   Multimedia files   Type of crime being investigated


In Practice: Child Pornography

  Hiding criminal content within “innocent” files can allow perpetrators such as child pornographers to exchange information

  A scenario is described by which child pornographers can easily pass information to others in the ring


Summary

  Search times can be reduced through the use of default folders and operating system artifacts

  The skill level of the user will determine whether this is an effective use of time in the case


Summary (Cont.)

  A savvy user can hide data through:   Nonstandard file folders   Renaming file types   Using layered graphics   Masquerading data with steganographic

techniques