TRANSCRIPT
1/24/2011
Digital Evidence Locations and Computer ForensicsCopyright © 2011 National Center for Justice and the Rule of Law – All Rights Reserved Page 1
Digital Evidence Locations and Computer Forensics
Don Mason, Associate Director
Objectives
After this session, you will be able to:
– Define and describe “digital evidence”
– Identify devices and locations where digital evidence may be found
– Define “computer forensics” and describe the basic practices, principles, and tools used in digital forensics
Advancing TechnologyAdvancing Technology
Mainframes, Desktops, Laptops
Digital Cameras
Convergent, “Smart” Devices
Always Something New
Computers Are Digital Devices
A computer is like a light switch:
Switch   Computer            Binary Symbol
ON       signal present      1
OFF      no signal present   0
Each 0 or 1 is a BIT (for BINARY DIGIT):
0 0 0 0 0 0 0 1 = 1
0 0 0 0 0 0 1 0 = 2 (2+0)
0 0 0 0 0 0 1 1 = 3 (2+1)
An 8-bit sequence = 1 byte = a keystroke
Inside a Hard Drive
Diagram of a Hard Drive or Floppy
FAT
How Data Is Stored
Track
Sector
Clusters are groups of sectors
Digital Evidence
Information of probative value that is stored or transmitted in binary form and may be relied upon in court
Digital Evidence
Information stored in binary code but convertible to, for example:
– e-mail, chat logs, documents
– photographs (including video)
– user shortcuts, filenames
– web activity logs
Easily modified, corrupted, or erased
But correctly made copies are indistinguishable from the original
Digital Evidence
User-created
– Text (documents, e-mail, chats, IM’s)
– Address books
– Bookmarks
– Databases
– Images (photos, drawings, diagrams)
– Video and sound files
– Web pages
– Service provider account subscriber records
Computer-created
– Dialing, routing, addressing, signaling info
– Email headers
– Metadata
– Logs, logs, logs
Digital Evidence
– Logs, logs, logs
– Browser cache, history, cookies
– Backup and registry files
– Configuration files
– Printer spool files
– Swap files and other “transient” data
– Surveillance tapes, recordings
Data Generated in 2006
161 billion gigabytes (161 exabytes)
12 stacks of books each reaching from the Earth to the Sun
3 million times all the books ever written
Would need more than 2 billion iPods to hold it
Projections for 2006-2010
Six fold annual information growth
In 2010: 988 exabytes to be created and copied
– More than 73 stacks of books taller than 93 million miles!
Compound annual growth rate: 57%
Data Generated in 2010
1200 trillion gigabytes (1.2 zettabytes)
89 stacks of books each reaching from the Earth to the Sun
22 million times all the books ever written
Would need more than 750 million iPods to hold it
90 trillion emails sent in 2009
Projections for 2006-2010
Six fold annual information growth
In 2020: 35 zettabytes will be produced
– All words ever spoken by human beings, written 7 times
Compound annual growth rate: 57%
Forms of Evidence
Files
– Present / Active (doc’s, spreadsheets, images, email, etc.)
– Archive (including as backups)
– Deleted (in slack and unallocated space)
– Temporary (cache, print records, Internet usage records, etc.)
– Encrypted or otherwise hidden
– Compressed or corrupted
Fragments of Files
– Paragraphs
– Sentences
– Words
Digital Devices / Locations Where Digital Evidence May Be Found
Computer Hardware
(Slide images: monitor, printer, Zip drive, hard drive, laptop computer, digital camera, tape drive, disks, CD-ROM drive, computer)
Challenges
Increasing ubiquity and convergence of digital devices
Increasing data storage capacity
Shrinking devices and media
Growing use of solid state devices
Internal Drives
Removable Media
USB Storage Devices
More Digital Devices
And Still More
More
More
More
Vehicle “black boxes”
– Event data recorders
– Sensing and diagnostic modules
– Data loggers
More
More
More
GPS devices
Evidence Containers
More Containers
Digital Surveillance
Chicago’s 911 Network
Room in Virtual World
Ex: Second Life
Cell Site Location Data
Computer Forensics
Computer Forensics
“preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”
Usually pre-defined procedures followed, but flexibility is necessary as the unusual will be encountered
Was largely “post-mortem” but is evolving
Computer / Digital Forensics
Sub branches / activities / steps
– Computer forensics
– Network forensics
– Live forensics
– Software forensics
– Mobile device forensics
– “Browser” forensics
– “Triage” forensics
Basic Computer Forensics
Seizing computer evidence
Bagging & tagging
Imaging seized materials
Searching the image for evidence
Presenting digital evidence in court
Myth v. Fact
Myth
– A computer forensic analyst can recover any file that was ever deleted on a computer since it was built.
Fact
– The analyst can recover a deleted file, or parts of it, from unallocated file space until the file system writes a new file or data over it.
Myth v. Fact
Myth
– Metadata (“data about data”) is the all knowing, all seeing, end all piece of info on a file.
Fact
– Metadata does contain useful information about a file but it is limited.
E.g.:
– Author
– MAC times
– File name, size, location
– File properties
Might contain revisions, comments, etc.
Metadata – Basic Examples
Metadata – Track Changes
Metadata – Comments
EXIF Data
Exchangeable Image File Format
Embeds data into images containing camera information, date and time, and more
Basic Steps
Acquiring evidence without altering or damaging original
Authenticating acquired evidence by showing it’s identical to data originally seized
Analyzing the evidence without modifying it
Acquiring the Evidence
Seizing the computer: Bag and Tag
Handling computer evidence carefully
– Chain of custody
– Evidence collection
– Evidence identification
– Transportation
– Storage
Making at least two images of each evidence container
– Perhaps 3rd in criminal case – for discovery
Documenting, Documenting, Documenting
Preserving Digital Evidence
The “Forensic Image” or “Duplicate”
A virtual “clone” of the entire drive
Every bit & byte
“Erased” & reformatted data
Data in “slack” & unallocated space
Virtual memory data
Write Blockers
Hard drives are imaged using hardware write blockers
Authenticating the Evidence
Proving that evidence to be analyzed is exactly the same as what suspect/party left behind
– Readable text and pictures don’t magically appear at random
– Calculating hash values for the original evidence and the images/duplicates
MD5 (Message-Digest algorithm 5)
SHA (Secure Hash Algorithm) (NSA/NIST)
What Is a Hash Value?
An MD5 hash is a 32 character string that looks like:
Acquisition Hash: 3FDSJO90U43JIVJU904FRBEWH
Verification Hash: 3FDSJO90U43JIVJU904FRBEWH
The odds against two different inputs producing the same MD5 hash are greater than:
1 in 340 undecillion, or 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000
File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.
The computer system clock read: 02/21/02 06:40:56PM.
Evidence acquired under DOS 7.10 using version 3.19.
File Integrity: Completely Verified, 0 Errors.
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Drive Geometry: Total Size 12.7GB (26,712,000 sectors)
Cylinders: 28,266   Heads: 15   Sectors: 63
Partitions:
Code  Type    Start Sector  Total Sectors  Size
0C    FAT32X  0             26700030       12.7GB
Hashing Tools – Examples
http://www.miraclesalad.com/webtools/md5.php
http://www.fileformat.info/tool/md5sum.htm
http://www.slavasoft.com/hashcalc/index.htm
Also, AccessData’s FTK Imager can be downloaded free at
http://www.accessdata.com/downloads.html
MD5 Hash
128-bit (16-byte) message digest – a sequence of 32 characters
“The quick brown fox jumps over the lazy dog”
9e107d9d372bb6826bd81d3542a419d6
“The quick brown fox jumps over the lazy dog.”
e4d909c290d0fb1ca068ffaddf22cbd0
http://www.miraclesalad.com/webtools/md5.php
What happens when you rename a file?
Or rename the extension?
“Hashing” an Image
MD5
021509c96bc7a6a47718950e78e7a371
SHA1
77fe03b07c0063cf35dc268b19f5a449e5a97386
MD5
ea8450e5e8cf1a1c17c6effccd95b484
SHA1
01f57f330fb06c16d5872f5c1decdfeb88b69cbc
(single pixel changed using Paint program)
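As an added example (not from the slides), the hashing and verification steps above in Python's standard hashlib: the two slide strings give the MD5 values shown, a renamed or re-extensioned file keeps its hash, and a one-byte change (the "single pixel") produces a completely different digest. The file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed inputs matching the two strings on the slide.
FOX = b"The quick brown fox jumps over the lazy dog"
FOX_DOT = b"The quick brown fox jumps over the lazy dog."


def md5_hex(data: bytes) -> str:
    """MD5 as the 32-character hex string the slides show."""
    return hashlib.md5(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    """SHA-1 as a 40-character hex string (the second algorithm listed)."""
    return hashlib.sha1(data).hexdigest()


def hash_file(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Stream a file through the digest in chunks, the way an imaging tool
    hashes a multi-gigabyte drive image, instead of loading it into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, acquisition_hash: str, algorithm: str = "md5") -> bool:
    """Authentication step: recompute the image hash and compare it with the
    hash recorded at acquisition time (tools print hex in either case)."""
    return hash_file(path, algorithm).lower() == acquisition_hash.lower()


def run_demo() -> dict:
    """Replay the slides' questions on a constructed 4,096-byte "image":
    rename it, change its extension, then flip one bit (one pixel)."""
    content = bytes(range(256)) * 16  # constructed content, not a real image
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "photo.jpg")
        renamed = os.path.join(d, "report.xls")
        edited = os.path.join(d, "photo_edited.jpg")
        with open(original, "wb") as f:
            f.write(content)
        acquisition = hash_file(original)
        # Renaming and changing the extension touch the directory entry only;
        # the bytes on disk, and therefore the hash, are unchanged.
        os.rename(original, renamed)
        after_rename = hash_file(renamed)
        # "Single pixel changed": one bit flipped in the middle of the file.
        changed = bytearray(content)
        changed[2048] ^= 0x01
        with open(edited, "wb") as f:
            f.write(changed)
        after_edit = hash_file(edited)
        return {
            "acquisition": acquisition,
            "after_rename": after_rename,
            "after_edit": after_edit,
            "rename_verifies": verify_image(renamed, acquisition.upper()),
            "edit_verifies": verify_image(edited, acquisition),
            "sha1_after_rename": hash_file(renamed, "sha1"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>18}: {value}")
```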
Analyzing the Evidence
Working on bit-stream images of the evidence; never the original
– Prevents damaging original evidence
– Two backups of the evidence
One to work on
One to copy from if working copy altered
Analyzing everything
– Clues may be found in areas or files seemingly unrelated
Popular Automated Tools
Encase, Guidance Software
http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
Forensic Tool Kit (FTK), Access Data
Analysis (cont.)
Existing Files
– Mislabeled
– Hidden
Deleted Files
– Trash Bin
– Show up in directory listing with a marker character in place of the first letter: “taxes.xls” appears as “axes.xls”
Free Space
Slack Space
Swap Space
Free Space
Currently unoccupied, or “unallocated” space
May have held information before
Valuable source of data
– Files that have been deleted
– Files that have been moved during defragmentation
– Old virtual memory
Slack Space
Space not occupied by an active file, but not available for use by the operating system
Every file in a computer fills a minimum amount of space
– In some old computers, this is one kilobyte, or 1,024 bytes. In most new computers, this is 32 kilobytes, or 32,768 bytes
– If you have a file 2,000 bytes long, everything after the 2,000th byte is slack space
How “Slack” Is Generated
(Diagram: File A in RAM is saved to disk; File A over-writes File B, which is “erased” but still on disk, creating slack; the remains of File B are the slack)
Slack space: The area between the end of the file and the end of the storage unit
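An added example, not part of the slides, that models the slack diagram above in Python: a toy disk with 4,096-byte clusters (an assumed size) on which File B is saved, erased, and then overwritten by the shorter File A, so that File A's slack still holds File B's remains. slack_bytes() also reproduces the slide's 2,000-byte-file arithmetic for any cluster size.

```python
def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Bytes of slack after a file: the gap between its last byte and the
    end of the last cluster it occupies. The slide's 2,000-byte file in a
    32,768-byte cluster leaves 30,768 bytes of slack."""
    if file_size <= 0:
        return 0
    return (-file_size) % cluster_size


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Whole clusters the file system must allocate for file_size bytes."""
    return (file_size + cluster_size - 1) // cluster_size


class ToyDisk:
    """Minimal model of a cluster-based disk (constructed for this example).
    Erasing removes only the directory entry, as FAT does; the data stays on
    the media until another file overwrites that cluster."""

    def __init__(self, cluster_count: int, cluster_size: int) -> None:
        self.cluster_size = cluster_size
        self.media = bytearray(cluster_count * cluster_size)  # new disk: all zero
        self.directory = {}  # file name -> (first cluster, size in bytes)

    def save(self, name: str, content: bytes, cluster: int) -> None:
        """Write content starting at a cluster boundary. Only the file's own
        bytes are written; whatever lay beyond them in the cluster is kept."""
        start = cluster * self.cluster_size
        self.media[start:start + len(content)] = content
        self.directory[name] = (cluster, len(content))

    def erase(self, name: str) -> None:
        """Delete the directory entry only; the file's bytes remain."""
        del self.directory[name]

    def active_data(self, name: str) -> bytes:
        """The bytes a normal file read returns: up to the recorded size."""
        cluster, size = self.directory[name]
        start = cluster * self.cluster_size
        return bytes(self.media[start:start + size])

    def slack(self, name: str) -> bytes:
        """The slack region: from the file's last byte to the end of its last
        cluster. A forensic tool reads this; the operating system does not."""
        cluster, size = self.directory[name]
        start = cluster * self.cluster_size
        end = start + clusters_needed(size, self.cluster_size) * self.cluster_size
        return bytes(self.media[start + size:end])


def demo_slack() -> dict:
    """Replay the slide's diagram: File B (3,000 bytes) is saved, erased, and
    then File A (2,000 bytes) is written over the same cluster."""
    disk = ToyDisk(cluster_count=4, cluster_size=4096)
    disk.save("File B", b"B" * 3000, cluster=0)
    disk.erase("File B")
    disk.save("File A", b"A" * 2000, cluster=0)
    slack = disk.slack("File A")
    return {
        "active_len": len(disk.active_data("File A")),
        "slack_len": len(slack),
        "remains_of_b": slack[:1000],   # File B's tail survives in the slack
        "never_written": slack[1000:],  # rest of the cluster is still zero
    }


if __name__ == "__main__":
    result = demo_slack()
    print("slack for a 2,000-byte file in 32 KiB clusters:", slack_bytes(2000, 32768))
    print("File A active bytes:", result["active_len"], "slack bytes:", result["slack_len"])
    print("remains of File B found in slack:", result["remains_of_b"][:16], "...")
```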
Ways of Trying to Hide Data
Password protection schemes
Encryption
Steganography
Anonymous remailers
Proxy servers
Password Protection
Ex: Secrethelper
Encryption
Sometimes used as a security measure to prevent others from accessing file data.
– Example: "Pretty Good Privacy"
Scrambles file data so that it is unusable.
Encoded / Decoded
(Slide shows the uuencoded text of cindy.jpg, beginning “begin cindy.jpg”, beside the decoded image)
Steganography
StenographyRecovered.png (200 × 200 pixels, file size: 19 KB)
StenographyOriginal.png (200 × 200 pixels, file size: 88 KB)
Another example
What do you see?
F-22s
What else?
– Embedded 121-page extract of a terrorist training manual
– The F-22 image, the “carrier” file, is a 2.25MB bitmap file (.bmp).
– The “payload,” the training manual extract, is a text file (.txt) that is only 227KB. So the payload easily fits in.
And another example
The seemingly innocuous image of the train contains this 39,958 byte simulated child pornography image.
- Hidden using InPlainView, an application that employs the Least Significant Bit (LSB) Image Encoding technique.
What do you see?
- Technique manipulates the least significant bits, or smallest units, of the color components of selected bytes that represent the color of each pixel in image.
- Technique works because the change in color of each pixel is so slight it cannot be detected by the human eye.
www.sarc‐[email protected]
Recent Example
Selected “Trend”
“Triage” Forensics
“Triage” Forensics
“Rolling” forensics, or “on-site preview”
Image scan
Especially useful in “knock & talk” consent situations, screening multiple computers to determine which to seize, or probation or parole monitoring
Not all agencies equipped or trained yet to do this.
“Triage” Forensics
Increasingly important, as the number and storage capacities of devices rapidly grow.
But does NOT enable a comprehensive forensically sound examination of any device on the scene.
“When is enough enough?”
Evolving Tools
“Triage” Forensics - Steps
Attach/Install write-blocking equipment
Turn on target device
Scan for file extensions, such as:
.doc
.jpg (.jpeg)
.mpg (.mpeg)
.avi
.wmv
.bmp
“Triage” Forensics - Steps
Pull up thumbnail views - 10-96 images at a time
Right click on image, save to CD or separate drive.
Determine file structure or file path.
Resources
https://blogs.sans.org/computer-forensics/
http://www.e-evidence.info/biblio.html
http://craigball.com/
– E.g., What Judges Should Know About Computer Forensics (2008)
Questions?
662-915-6898
[email protected]
www.ncjrl.org