Digital Forensics Overview Prepared by: Mathew J. Shelby

Post on 09-Aug-2015

Page 1: Digital Forensics Overview

Digital Forensics Overview

Prepared by: Mathew J. Shelby

Page 2: Digital Forensics Overview

• Question: What types of technology do you use?
– Laptop / Desktop Computers
– Tablets
– Smart Phones
– GPS Navigation devices
– iPod / iPod Touch
– Email
– Texting
– Internet
– Routers/Modems

Page 3: Digital Forensics Overview

• Question: How do you use technology?
• Sending and receiving email
• Calling friends, family, and coworkers
• Texting friends, family, and coworkers
• Listening to music
• Watching online videos
• Uploading and downloading on the Internet
• Internet searches using Google or Yahoo
• Facebook, Instagram, Twitter, Skype
• Using GPS navigation to find your way around town
• Online banking

Page 4: Digital Forensics Overview

What is Computer Forensics?
• Computer forensics is the:
– Identification
– Preservation
– Extraction
– Interpretation &
– Presentation
of computer-related evidence

Page 5: Digital Forensics Overview

What is Digital Evidence?

• Digital evidence is defined as information and data of value to an investigation that is stored on, received, or transmitted by an electronic device

Page 6: Digital Forensics Overview

Cardinal Rules of Computer Forensics
• Admissibility must guide actions: document everything that is done

• Acquire the evidence without altering or damaging the original

• Authenticate your copy to be certain it is identical to the source data

• Analyze the data while retaining its integrity

• Anticipate the unexpected!

Page 7: Digital Forensics Overview

Why is this Important?
• Think about this:
– 95% of the world’s information is being generated and stored in digital form and more than ½ of business documents created today never become paper records. They never get printed out. They never leave the digital domain. They may never find their way into the files produced to you in response to a request for production.

Page 8: Digital Forensics Overview

How much data are we talking about?
• Many consumer computers come with 1 terabyte hard drives (or more) installed.
• One megabyte (1 MB) = 1,000–1,400 printed pages
• One gigabyte (1 GB) = 100,000–140,000 printed pages
• One terabyte (1 TB) = 100,000,000–140,000,000 printed pages

That’s a lot of paper for lawyers and judges to review in discovery!

Page 9: Digital Forensics Overview

Harsh Realities
• As a legal professional, are you getting the “whole picture” when you receive discovery from your opponent?

• Are you comfortable telling your client or the Judge that “nothing else was found” if you fail to examine computer evidence?

Page 10: Digital Forensics Overview

How Examiners Can Make Your Job Easier

• Most electronic devices store information about user activities.

• Forensic examiners search for these “digital breadcrumbs” to determine what a defendant was doing in the hours, days or months that precipitated a criminal act.

Page 11: Digital Forensics Overview

A Digital Treasure Hunt

• Examiners are looking for electronic evidence, which is evidence that contains any probative information stored or transmitted in digital form that a party to a court case may use at trial.
– Today, fewer communications and records are kept in paper form, so it is more likely than ever that your “smoking gun” is stored on someone’s hard drive.

– Especially since people are more relaxed when communicating via email as opposed to drafting formal written communications.

Page 12: Digital Forensics Overview

Let’s Get Started…
• The process starts with an examiner creating an image of a hard drive, which converts all the files, folders and other data on the computer into a single searchable file.
• It preserves live data on the system as well as information trapped in the slack space and other hiding places
• This is similar to a card catalog at the library where you can find things quickly without having to look through the entire filing cabinet.
• The title of the book is contained in the File Allocation Table
• The book is the File itself
• To find a book, look up the name in the card catalog, which then points to the book's location.

Page 13: Digital Forensics Overview

Word of Caution!!
• When dealing with evidence in any legal case, examiners must carefully handle the evidence so that it isn’t compromised, and you have to keep the evidence under control at all times to be able to verify that no one has tampered with it. Think chain of custody. This is also true in computer forensics where hash values are created before/after examinations.

Page 14: Digital Forensics Overview

Hash Values Explained
• A hash value is a unique numerical identifier that can be assigned to a file, a group of files, or a portion of a file, based on a standard mathematical algorithm applied to the characteristics of the data set.
• It guarantees the authenticity of an original data set and can be used as a digital equivalent of the Bates stamp in paper document production. Common hash algorithms are SHA and MD5. The scientific possibility of two different objects having the same MD5 hash value is more than 1 in 340 undecillion. This is a higher level of certainty than even DNA enjoys!

Page 15: Digital Forensics Overview

Guaranteeing Integrity with Hash Values

• A hash value will be taken of the original hard drive. An image is made of the original. The image is used during the forensic examination to preserve the integrity of the original. A hash value is taken of the imaged copy before any examination.

• If the values are the same, then the copy is treated the same as the original. If the values are different, then the integrity of the copy is called into question.

• At the end of the forensic examination, a third value is commonly taken. The three hash values (original hard drive, imaged hard drive before the examination, and imaged hard drive after the examination) must match.
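The three-hash workflow on pages 13 to 15 (hash the original, image it, hash the image before the examination, hash it again afterwards, all three must agree), as an added worked example in Python. This is not code from the presentation: the "drive" is a constructed byte string standing in for a raw device, the examination step is a placeholder, and the chunked reading mirrors how an imaging tool hashes a disk it cannot hold in memory. SHA-256 is used by default, with the algorithm selectable so the same routine can produce the MD5 value many case templates still ask for.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a physical drive. A real acquisition would read the
# raw block device (or an E01/dd image file) in fixed-size chunks instead.
ORIGINAL_DRIVE = b"\x00" * 4096 + b"contract.docx: signed copy\n" + b"\xff" * 4096


def hash_stream(data: bytes, algorithm: str = "sha256", chunk_size: int = 1024) -> str:
    """Hash a byte stream chunk by chunk, as an imager hashes a drive it cannot
    hold in memory. Returns the hex digest that goes into the case notes."""
    digest = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def acquire_image(source: bytes) -> bytes:
    """Bit-for-bit copy of the source; the examination is done on this copy,
    never on the original."""
    return bytes(source)


@dataclass
class HashRecord:
    """The three values the presentation says must agree."""
    original: str            # hash of the original drive, before imaging
    image_before_exam: str   # hash of the image, before any analysis
    image_after_exam: str    # hash of the image, after analysis is complete

    def image_is_authentic(self) -> bool:
        """The copy may stand in for the original only if it hashes identically."""
        return self.original == self.image_before_exam

    def integrity_preserved(self) -> bool:
        """All three must match for the examination to be defensible."""
        return self.original == self.image_before_exam == self.image_after_exam


def run_examination(image: bytes) -> bytes:
    """Placeholder for the analysis step. A write-blocked, read-only
    examination returns the image unchanged."""
    return image


def verify_chain(original: bytes, algorithm: str = "sha256") -> HashRecord:
    """Walk the acquire -> hash -> examine -> re-hash sequence from the slides."""
    original_hash = hash_stream(original, algorithm)
    image = acquire_image(original)
    before = hash_stream(image, algorithm)
    examined = run_examination(image)
    after = hash_stream(examined, algorithm)
    return HashRecord(original_hash, before, after)


def tampered_record(original: bytes) -> HashRecord:
    """Same workflow, but the image is modified during the examination
    (constructed failure case: one byte flipped). The third hash no longer matches."""
    image = bytearray(acquire_image(original))
    before = hash_stream(bytes(image))
    image[4096] ^= 0xFF      # a single changed byte is enough to break the chain
    after = hash_stream(bytes(image))
    return HashRecord(hash_stream(original), before, after)


if __name__ == "__main__":
    good = verify_chain(ORIGINAL_DRIVE)
    bad = tampered_record(ORIGINAL_DRIVE)
    print("clean examination, all three match:", good.integrity_preserved())
    print("modified image, all three match:   ", bad.integrity_preserved())
    print("sha256 of original:", good.original)
```

The point of the flipped-byte case is that the first two values still agree (the image was authentic when made), so only the third hash reveals that something touched the copy during the examination; that is why the slide insists on the post-examination value and not just the acquisition pair.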

Page 16: Digital Forensics Overview

How Data is Stored on Physical Disk
• Before we can analyze data, we need to understand how it is stored on a hard drive.

• When you save a file on a hard disk, where does it go? How do you retrieve it?

• A hard disk is a rigid non-removable magnetic disk with a large data storage capacity.

• Data is saved in the form of “trillions upon trillions of faint and impossibly tiny magnetic charges that coat the surface of a rapidly spinning disk”

• A read/write head interacts with the spinning disk and imparts a magnetic charge or reads what is already there.

Page 17: Digital Forensics Overview

Hard Disk Example

• A hard disk contains round, flat discs called platters, coated on both sides with a special material able to store data as magnetic patterns.

• The platters are like records stacked on top of one another on a record player. They spin at 5400, 7200 or 10,000 rotations per minute (depending on the drive speed)

• The read/write heads are mounted onto sliders and used to write data to the disk or read data from it.

Page 18: Digital Forensics Overview

Digging Deeper
• Each platter is divided into tens of thousands of tracks, or the circular path on the surface of a disk or diskette on which information is magnetically recorded and from which recorded information is read

• Visually, they would look like the growth rings on the world’s oldest tree but they are so small you would need a microscope to view them

• Tracks are further divided into sectors, which are the smallest individually addressable unit of information on a disk.

Page 19: Digital Forensics Overview

How Data is Stored “Logically”

• Let’s imagine you are planning a wedding party and you reserve ten adjoining rooms. When you rent a room, you get a room number and a key or key card to access the room. You may request that all of your rooms be next to each other, but there is a possibility that someone else may already have rented the room next to yours so you can either:
– Rent the next adjoining room
– Move to a different area of the hotel so your party can remain together.

Page 20: Digital Forensics Overview

How Data is Stored
• Similar to the wedding party example, a hard drive is divided up into several small blocks (typically 512-byte sectors) where data can be stored, and each location has an address.

• Data is deposited into each of these blocks, and if you have lots of data, it may span multiple (contiguous or non-contiguous blocks). The larger your wedding party is, the more hotel rooms you will need.

• If each room is reserved for two adults and two children and only two people check in, the room is not at full capacity. This is similar to the hard disk example where a file only takes up a portion of the space allocated and there is some space left over (RAM Slack)

Page 21: Digital Forensics Overview

How Data is Stored
• Like a hotel, a hard drive is divided into disk sectors, or small fixed blocks (typically containing 512 bytes) where data can be stored, and each location has an address, similar to how a hotel has many floors with rooms which are numbered.

• A file on a hard drive can take up all the rooms (sectors) in a row or the rooms (sectors) can be spread throughout the hotel (disk).

• Sectors are further organized into clusters to make it easier for the disk to save and retrieve information. A cluster is the smallest amount of disk space that can be allocated to hold a file.

• The different floors in the hotel (clusters) would be comprised of many rooms (sectors)

Page 22: Digital Forensics Overview

Bits and Bytes
• All data is stored as a series of ones and zeroes, or “on” and “off”. A bit, short for binary digit, is the basic unit of information in computing & is represented as 0 or 1.

• A byte is a series of 8 bits. Computers translate letters, numbers, and symbols into a series of bytes and bits.

• For example, my name “Matt” is read by a computer as: 01001101 01100001 01110100 01110100

• This is similar to turning the lights on or off in your home and leaving them that way so family members know which lights are on/off. Computers store data similar to how people communicated in Morse code years ago but on a level that now allows for the transmission of huge amounts of data in seconds.

• This allows a computer to read an entire encyclopedia volume in seconds; think of how long it would take a human to do the same task!

Page 23: Digital Forensics Overview

Allocated and Unallocated Space
• Allocated space, or active space, is simply defined as the area or space on the hard drive that contains the operating system and user data (files) that are easily accessible to the computer user.
• Unallocated space is simply defined as the area or space on the hard drive of the computer that is available to write data to
– If this area has been previously used, and not "wiped," it will contain remnants from that prior use. Deleted, temporary and backup files may be found in unallocated space.

Page 24: Digital Forensics Overview

File Slack & Slack Space
• File slack occurs when there is space left over after saving a file to a disk because more space was reserved than needed.

• File Slack may or may not contain data

• If your wedding party only needs 6 rooms instead of 10 rooms because you have fewer guests than expected, the remaining rooms would be analogous to a disk cluster where there is file slack.

Page 25: Digital Forensics Overview

Activity
• To better understand slack space, let’s create a text file in Notepad with the word “hello”. Save the file as hello.txt

• Go to your desktop where you saved the file and right click on it and select “properties”.

• The size of the file is small (5 bytes), however the computer has allocated 4096 bytes for our file so the remaining allocated space is slack space, or leftover space at the end of the file
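The sector/cluster arithmetic behind the hotel analogy (pages 20 to 24) and the hello.txt activity above, as an added worked example in Python rather than anything from the presentation. It takes a file size and splits the allocated space into the regions the slides name: the sectors the data actually touches, the RAM slack at the tail of the last used sector, and the file slack made up of the whole sectors in the last cluster that the file never reached. The 512-byte sector and 4096-byte cluster are the values the slides use; the helper for listing cluster numbers assumes a contiguous file.

```python
from math import ceil

SECTOR_SIZE = 512     # the "hotel room": smallest addressable unit on disk
CLUSTER_SIZE = 4096   # the "floor": 8 sectors, the allocation unit in the Notepad activity


def allocation(file_size: int, sector_size: int = SECTOR_SIZE,
               cluster_size: int = CLUSTER_SIZE) -> dict:
    """Break a file's on-disk footprint into the regions the slides name."""
    if file_size < 0 or cluster_size % sector_size:
        raise ValueError("size must be non-negative and the cluster a multiple of the sector")
    clusters = ceil(file_size / cluster_size)           # 0 for an empty file
    allocated = clusters * cluster_size                 # space the file system reserves
    sectors_with_data = ceil(file_size / sector_size)   # sectors the data actually touches
    ram_slack = sectors_with_data * sector_size - file_size    # tail of the last used sector
    file_slack = allocated - sectors_with_data * sector_size   # unused whole sectors in the last cluster
    return {
        "file_size": file_size,
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "total_slack": ram_slack + file_slack,   # always equals allocated - file_size
    }


def clusters_used(start_cluster: int, file_size: int, cluster_size: int = CLUSTER_SIZE) -> list:
    """Cluster numbers a contiguous file occupies. A fragmented file would be
    spread across non-adjacent 'floors' and would need the FAT chain to walk."""
    return [start_cluster + i for i in range(ceil(file_size / cluster_size))]


def report(file_size: int) -> str:
    a = allocation(file_size)
    return (f"{a['file_size']} bytes of data -> {a['clusters']} cluster(s), "
            f"{a['allocated']} bytes allocated, {a['ram_slack']} bytes RAM slack, "
            f"{a['file_slack']} bytes file slack")


if __name__ == "__main__":
    for size in (0, 5, 512, 4096, 4097):   # 5 bytes is the "hello" file from the activity
        print(report(size))
```

For the 5-byte hello.txt this gives one cluster, 4096 bytes allocated, 507 bytes of RAM slack and 3584 bytes of file slack, which is the 4091-byte gap the activity asks you to notice. One caveat worth knowing when reading pages 37 and 38: current operating systems zero-fill the RAM-slack tail when they write a sector, so memory fragments landing there is largely a legacy-system phenomenon; the file slack sectors, by contrast, are simply never written and still hold whatever the previous occupant left behind.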

Page 26: Digital Forensics Overview

Focus of Computer Forensics: Three Types of Data
The System (Computer/Network) is the Crime Scene!
• Active Data: These are the current files on the computer, still visible in directories and available to applications.
• Active data would be similar to interviewing all the witnesses present at a crime scene when officers arrive
• Active data can be password protected or encrypted requiring further forensic analysis
• In this case, some crime scene witnesses may be unwilling or unforthcoming and it may take longer to get their statement.
• Active data includes system data found in the recycle bin, history files, temporary internet directory, “cookie jar”, and system registry files.
• While at the crime scene, detectives can find clues that are left in plain sight and are easily retrievable.

Page 27: Digital Forensics Overview

Focus of Computer Forensics: Three Types of Data
• Latent Data: (also called “ambient data”) are deleted files and other data, including memory “dumps” that have “lodged in the digital cracks” but can still be retrieved. Latent data also includes:
– swap files: a file on a hard disk used to provide space for programs that have been transferred from the processor's memory
– temporary files: files created to temporarily contain information while a new file is being made
– printer spool files: an image file created every time a document is printed
– metadata: provides information about who, what, where, when and how regarding a file’s creation, modification or deletion.
• Finding latent data at a crime scene would not be possible without the use of a crime scene technician. Similarly, specialized computer forensics examiners use software tools to obtain this information from a suspect’s hard drive.

Page 28: Digital Forensics Overview

Focus of Computer Forensics: Three Types of Data
• Archival Data: This is data that’s been transferred or backed up to peripheral media, like tapes, CDs, ZIP disks, floppy disks, network servers or the Internet
• In the crime scene scenario, archival data would be the surveillance video removed from the store’s security camera and taken during the robbery.
• Detectives would need to examine the active and latent data available at the scene to determine what archival data had left the scene. It could also be the getaway car used in the robbery which took the information (stolen goods) away when it sped away from the scene
• In computer forensics we can identify archival data by examining the target hard drive to determine files that have been copied off the hard disk, even getting the make, model and serial number of the device used to remove or copy data off the computer.

Page 29: Digital Forensics Overview

File Systems
• We need an efficient way to manage all of the data we create, view, and use on a regular basis. A file system refers to logical structures and software routines used to control access to the storage on a hard disk system and the overall structure in which files are named, stored and organized

• File systems have grown more complex to manage more data; it is easier to manage a library with 30 books than 30 million!

Page 30: Digital Forensics Overview

Operating Systems
• An operating system is software that manages computer hardware and software and provides common services for computer programs to operate. It also provides for the operation of peripheral devices like keyboards, mice, speakers and printers
• In the case of the Microsoft Windows Operating System, it provides us with a graphical user interface (GUI), or visual way, to interact with the file system.
• The operating system is the Ferrari and the file system is its engine. We cannot drive a car without an engine!

Page 31: Digital Forensics Overview

Examples

Operating Systems
• Microsoft Windows
• Mac OS X
• Linux
• Android
• iOS

File Systems
• FAT (FAT12, FAT16, FAT32)
• exFAT
• NTFS
• ext2, ext3, ext4
• ZFS

Page 32: Digital Forensics Overview

File Allocation Table
• used by the FAT file system
• The File Allocation Table (FAT) can be compared to a library card catalog that refers to the location of books within the library.

• Called the Master File Table in subsequent Operating Systems but broadly serves the same purpose (essentially a Table of Contents)

• The title of the book is contained in the Allocation Table, and the book is the File itself.

• To find a book, one looks up the name in the card catalog, which then points to the book's location in the library.

Page 33: Digital Forensics Overview

Don’t Despair!
• A criminal may try to delete files and information on his computer if he thinks that authorities are closing in on him.

• Files that are moved to the recycle bin (on PCs) or the trash bin (on Macs) remain there until the user empties the recycle bin or trash can

• Once they have been deleted from those folders, they are still located on the hard drive and can be retrieved with specialized computer forensics software

Page 34: Digital Forensics Overview

When Files Are Deleted
• In the card catalog example, when a book (file) is deleted, the library card referring to that book is replaced with one containing the book's name, minus the first character, and no reference information to the location of the book.
• On the FAT, the first character of the file's name is replaced with a sigma or "s" (hex byte code E5h). For example, a file named Childporn.jpg would become shildporn.jpg. This effectively makes it impossible to find the file simply by searching for it under its title. However, the book (file) itself is not touched until the space it occupies on the shelf is reused by another book.

• Prior to that, recovering the deleted book is a matter of finding the replaced card, and re-referencing it to the location of the original book, which can then be read in its entirety.

Page 35: Digital Forensics Overview

Recovering Deleted Files
• Deleted files are files whose reference has been removed from the file system, and the area of the electronic media they occupy is released for reuse.

• Until overwritten with new characters, these files may be recovered.

• Deleting a file can be analogized to putting household garbage in a garbage bag, but keeping the bag in the house. While the garbage has, technically, been thrown away, it can still be readily retrieved.

• Therefore, finding a deleted file is simply a matter of finding the file that remains in the FAT, but with a different first character.
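The E5h deletion marker and the "find the card, re-reference the book" recovery described on pages 34 and 35, as an added worked example in Python; it is not code from the presentation. It builds a constructed FAT directory region out of standard 32-byte 8.3 entries (name, attribute byte, first-cluster high and low words, size), deletes one entry the way the file system does (overwriting only the first name byte with 0xE5), then lists the entries, flags the deleted one, and reads its data back from a constructed data region. Cluster numbering from 2 and the 32-byte entry layout are the real FAT conventions; the recovery assumes the file was contiguous and not yet overwritten, which is exactly the condition the slides describe.

```python
import struct

CLUSTER_SIZE = 4096
ENTRY_SIZE = 32
DELETED_MARKER = 0xE5    # first byte of a deleted 8.3 entry (the slides' "E5h")
END_OF_DIRECTORY = 0x00  # a zero first byte means no more entries follow
ATTR_LONG_NAME = 0x0F    # VFAT long-filename pieces; not 8.3 entries, skipped here
# name(11) attr(1) reserved/create/access(8) hi-cluster(2) wtime(2) wdate(2) lo-cluster(2) size(4)
ENTRY_FORMAT = "<11sB8xHHHHI"


def make_entry(name: str, ext: str, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Build one 32-byte directory entry. Constructed test data, not read from a disk."""
    raw_name = f"{name:<8}{ext:<3}".upper().encode("ascii")
    return struct.pack(ENTRY_FORMAT, raw_name, attr,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(directory: bytes) -> list:
    """List the 8.3 entries in a directory region, flagging deleted ones."""
    entries = []
    for offset in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = directory[offset:offset + ENTRY_SIZE]
        if raw[0] == END_OF_DIRECTORY:
            break
        name, attr, hi, _wtime, _wdate, lo, size = struct.unpack(ENTRY_FORMAT, raw)
        if attr == ATTR_LONG_NAME:
            continue
        deleted = name[0] == DELETED_MARKER
        base = name[:8].decode("ascii", "replace").rstrip()
        extension = name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]   # the overwritten first character cannot be read back from the entry
        entries.append({
            "name": f"{base}.{extension}" if extension else base,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def recover_file(entry: dict, data_region: bytes, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Re-reference a deleted entry to its data. Data clusters are numbered from 2,
    and deletion clears the FAT chain, so this assumes the file was contiguous
    and that nothing has been written over it yet."""
    start = (entry["first_cluster"] - 2) * cluster_size
    return bytes(data_region[start:start + entry["size"]])


# --- constructed sample volume: two files, one of them deleted ---------------
PHOTO_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 596          # JPEG header plus padding, 600 bytes
DATA_REGION = bytearray(CLUSTER_SIZE * 12)                  # clusters 2..13
DATA_REGION[7 * CLUSTER_SIZE:7 * CLUSTER_SIZE + len(PHOTO_BYTES)] = PHOTO_BYTES  # cluster 9

_deleted = bytearray(make_entry("PHOTO", "JPG", 9, len(PHOTO_BYTES)))
_deleted[0] = DELETED_MARKER                                # all that "delete" does to the entry
DIRECTORY = make_entry("REPORT", "DOC", 5, 1234) + bytes(_deleted) + bytes(ENTRY_SIZE)


if __name__ == "__main__":
    listing = parse_directory(DIRECTORY)
    for entry in listing:
        print(entry)
    gone = [e for e in listing if e["deleted"]][0]
    data = recover_file(gone, DATA_REGION)
    print("recovered", len(data), "bytes, header", data[:4].hex())
```

The listing shows REPORT.DOC intact and ?HOTO.JPG flagged as deleted with its first cluster and size still present, which is why the slide can say the "book" is untouched: only the index card changed. In practice the lost first character is guessed from context or from the long-filename entries that precede the 8.3 entry, and a fragmented file needs carving rather than the contiguous read used here.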

Page 36: Digital Forensics Overview

Wiping/Formatting a Hard Disk
• A criminal may try to format his hard drive if he thinks that authorities are closing in on him.
• Formatting, or the process of preparing a disk to be used by an operating system by deleting data and setting up a new file system, erases less than 1/10th of one percent of the data on the disk, such that anyone with basic computer forensic skills can recover your private, privileged and confidential data.

• If it’s not overwritten or physically destroyed, it’s not gone. This is why deleting a file is a misnomer:

• It is similar to locking your door when leaving the house, but leaving the windows open. A burglar can still get in and access your valuables (data)!

Page 37: Digital Forensics Overview

RAM & RAM Slack
• RAM stands for Random Access Memory because the computer can access it randomly.
• It is a form of temporary data storage and is VOLATILE because the data will be lost when power is removed; similar to how some car radios lose their radio stations when the battery is disconnected

• What if there was a way to access information that the criminal never intentionally stored on the hard drive, but perhaps had viewed a file off a USB drive, a stored password that was entered on the keyboard or an online search query?

• Examiners may find treasures in the RAM slack, the space between the end of the stored file and the last 512 byte sector, because the computer puts information from RAM into this space randomly

Page 38: Digital Forensics Overview

Why It’s Important
• Is always less than 512 bytes of space
• Can give insight into the user’s activities on the computer
• Enough room to hold:
– Passwords
– Encryption and Decryption keys
– Paragraph of text
– Username
– Address
– Phone numbers
– Instant Messaging (IM) chat name
– GPS coordinates

Page 39: Digital Forensics Overview

Other Places to Look
• Swap files are used in conjunction with RAM by the computer to store frequently accessed information. Visually, it’s like a giant digital legal pad
• Log files are a log of system activity and are a means to reconstruct aspects of computer usage
• Temporary (.TMP) and Backup (.BAK) files are files created by software programs to save your work in the event of a system failure; however, they generally do not go away when your work is completed.

• Printer Spool files are images of your print jobs that are saved to the hard disk by the operating system for the purpose of faster performance and background printing so you can move on to other tasks

Page 40: Digital Forensics Overview

Other Places to Look
• Windows Registry is the central storage repository for system configuration information (Think of a will which gives information about what to do in the event of your passing). Contains:
– Computer’s registered user
– Usage history data
– Program installation information
– Hardware information
– File Associations
– Serial Numbers
– Some password data
– Recently visited websites
– Recently created documents
– Recently inserted USB devices

Page 41: Digital Forensics Overview

Other Places to Look
• Cookies are small text files saved in a folder on the computer by a website visited by the user. It allows the website to store information about the user so that the information can be retrieved during a subsequent visit.

• Allows for a personal user experience or a quicker means of logging in with a registered username and password. This allows shopping websites to track your searches so that they can offer you a discount on an item you are interested in during your next visit.

• Visually, they are like electronic Post-It notes that are beneficial to the user and the website operator.

• User Email can recover deleted and sent emails
• Recycle Bin can recover files intended for deletion

Page 42: Digital Forensics Overview

Other Places to Look
• Metadata is data about data. It is hidden information embedded in a file that can give you insight into who created the document, who edited the document, distribution history and more
– The metadata can reveal whether the lawyer created the motion themselves or “borrowed” a copy from a colleague!

• Hidden/Encrypted files: files may be hidden or encrypted with a specific file attribute, or they can even be renamed to something they are not, as in the example of a child porn image being renamed to something inconspicuous like air.txt
• Temporary Internet Files are files that are saved to the hard disk when you visit a website to enable the website to load quickly on subsequent visits

• Browser History, Bookmarks & Favorites can reveal information about a criminal’s activity on the Internet
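The renamed-file trick above (an image saved under a harmless name such as air.txt) is caught by file signature analysis: the first bytes of a file identify its real format regardless of the name. The following is an added worked example in Python, not code from the presentation. The signature table holds the standard published magic bytes for a handful of formats, and the sample headers are constructed; a real examination would use a full signature library across the whole volume.

```python
from collections import namedtuple

# File signatures ("magic bytes") for a few common formats. Examiners use a
# much larger table; these values are the standard published ones.
SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
    "zip":  (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),   # Office Open XML is a zip container
    "exe":  (b"MZ",),
}

Verdict = namedtuple("Verdict", "status extension detected")


def identify(header: bytes) -> set:
    """Extensions whose known signature matches the start of the data."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(sig) for sig in sigs)}


def check_extension(filename: str, header: bytes) -> Verdict:
    """Compare what the name claims against what the bytes say.
    'unknown' covers formats with no fixed signature, such as plain text."""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify(header)
    if not detected:
        return Verdict("unknown", extension, detected)
    if extension in detected:
        return Verdict("match", extension, detected)
    return Verdict("mismatch", extension, detected)


def triage(files) -> list:
    """Names that deserve a closer look: the signature disagrees with the name."""
    return [name for name, head in files
            if check_extension(name, head).status == "mismatch"]


# Constructed sample: the first 16 bytes of four files, as an examiner might list them
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"),
    ("air.txt",     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"),  # the renamed image
    ("notes.txt",   b"meeting notes 09"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLE_FILES:
        print(f"{name:12} {check_extension(name, head)}")
    print("flagged:", triage(SAMPLE_FILES))
```

Only air.txt is flagged: its bytes are a JPEG while its name says text. notes.txt comes back as "unknown" rather than "mismatch" because plain text has no signature, which is the case a naive check gets wrong; and report.docx matches because a .docx is a zip container, so the table has to list both names for the same bytes.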

Page 43: Digital Forensics Overview

Takeaway Points

• In cases where computer forensics is appropriate, get in early before potentially incriminating evidence can be intentionally or unintentionally destroyed

• Operating systems access and change hundreds of files each time they boot; if you do nothing, it is tantamount to allowing evidence to be destroyed.

Page 44: Digital Forensics Overview

Internet Protocol (IP) Tracing
• Imagine that the Internet is like a telephone network
• IP Addresses are used to identify the locations of computers on the Internet
• DNS, or Domain Name Servers, are similar to a phonebook in that they contain listings for websites and how to contact (call) them on the Internet

• DNS lookup would be like calling 411 or Directory Assistance if you wanted help in finding a particular website.

• They contain “tables” which translate the IP address into the domain name

Page 45: Digital Forensics Overview

Internet Protocol (IP) Tracing
• Let’s suppose we want to identify who owns IP Address 132.170.219.161.
• We enter the IP Address in a Reverse IP Lookup website such as http://reverseip.domaintools.com/

• A reverse DNS lookup would be like doing a reverse lookup on a phone number to identify who owns it.

• In the computer realm, we conduct reverse DNS lookups when we want to identify a domain name or subscriber associated with a given IP address.
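What a reverse DNS lookup actually asks, using the page's own address 132.170.219.161, as an added example in Python that is not code from the presentation. A reverse lookup is a PTR query for the octets written backwards under in-addr.arpa; the block builds that name, performs the live query through the system resolver when a network is available (returning None otherwise), and adds the check an investigator needs before any lookup: a private or loopback address is reused on every home and office network and therefore cannot identify a subscriber. The descriptive "note" strings are this example's own wording.

```python
import ipaddress
import socket


def reverse_pointer_name(ip: str) -> str:
    """The name a reverse (PTR) query asks the DNS for: the address octets in
    reverse order under in-addr.arpa (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_attributable(ip: str) -> bool:
    """Only a globally routable address can point at an Internet subscriber.
    Private (RFC 1918), loopback and link-local addresses identify nobody."""
    return ipaddress.ip_address(ip).is_global


def reverse_lookup(ip: str):
    """Live PTR lookup via the system resolver; None if offline or no PTR record exists."""
    try:
        hostname, _aliases, _addresses = socket.gethostbyaddr(ip)
        return hostname
    except (socket.herror, socket.gaierror, OSError):
        return None


def describe(ip: str) -> dict:
    """Summarise what can be learned from an address before any live query."""
    addr = ipaddress.ip_address(ip)
    return {
        "address": str(addr),
        "version": addr.version,
        "ptr_name": addr.reverse_pointer,
        "attributable": addr.is_global,
        "note": ("query whois for the provider, then the provider for subscriber records"
                 if addr.is_global else
                 "internal address; find the public address of the gateway it sat behind"),
    }


if __name__ == "__main__":
    for ip in ("132.170.219.161", "70.127.255.255", "192.168.1.20"):
        print(describe(ip))
        print("  live PTR:", reverse_lookup(ip))
```

Two cautions that the phonebook analogy hides: the PTR answer is whatever the address holder chose to publish, frequently a generic provider hostname rather than the domain the slides show, and the subscriber behind a residential address comes only from the provider's own records (the subpoena step on page 47), never from DNS itself.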

Page 46: Digital Forensics Overview

Digging Deeper…

We can learn quite a bit of information about the domain name (ucf.edu) associated with a given IP address 132.170.219.161, including owner, contact information, servers and length of existence

Page 47: Digital Forensics Overview

How it Works in Criminal Cases
• During a child porn file sharing investigation, we identify an offender whose screen name is BadDude and IP address is 70.127.255.255

• Detectives conduct a “browse host” request and determine all files the offender is sharing

• To identify the offender, we must enter the IP address in a “who is” search engine such as: http://whois.urih.com/

• We can then subpoena the provider records of Time Warner Cable Internet LLC using the screen name and offense dates to pinpoint the exact subscriber

Page 48: Digital Forensics Overview

Wireless Networks Explained
• Wireless network: a type of computer network where communication or data exchange among various devices on the network are carried out without cables
– Similar to using a cell phone instead of a land line to make a phone call; calls (data) can be transferred from one device to another. Cell phones (wireless) can even make calls (send data) to landlines (wired clients)

– The connection and exchange of data between computers & other devices in a particular network is made possible by  radio signal frequency (RF) or electromagnetic waves in the atmosphere instead of cables.

Page 49: Digital Forensics Overview

Wireless Networks Explained
• Clients are connected to a wireless network through a wireless access point (AP)/wireless router instead of an Ethernet switch.
– Each client uses a wireless adapter to gain access to the network through a wireless device such as a wireless router or access point

– Once connected to the network, wireless clients can access network resources just as if they were wired to the network.

Page 50: Digital Forensics Overview

Benefits of Wireless Networking

• Convenience: Access your network resources from any location within your wireless network's coverage area or from any Wi-Fi hotspot.
• Mobility: You're no longer tied to your desk, as you were with a wired connection. You and your employees can go online in conference room meetings, for example.
• Productivity: Wireless access to the Internet and to your company's key applications and resources helps your staff get the job done and encourages collaboration.
• Easy setup: You don't have to string cables, so installation can be quick and cost-effective.
• Expandable: You can easily expand wireless networks with existing equipment, while a wired network might require additional wiring.
• Security: Advances in wireless networks provide robust security protections.
• Cost: Because wireless networks eliminate or reduce wiring costs, they can cost less to operate than wired networks.

Page 51: Digital Forensics Overview

Wireless Security
• Wireless security is the prevention of unauthorized access or damage to computers using wireless networks
– Open Access/No Encryption: Extremely Vulnerable and Insecure!
– Wired Equivalent Privacy (WEP) (1999): Weak and Vulnerable!
– Wi-Fi Protected Access (WPA/WPA2) (2003-Current)
• Not having proper encryption means that a person has security clearance to enter a building but may not be able to get into all areas. In order to do that, he needs to "upgrade his security clearance status" (adjust the encryption).

• Using no encryption is like leaving all the doors and windows open in your home so that anyone can get in

• Using weak encryption or passwords is like locking the front door but leaving the windows open so that anyone can get in

• It is best to use authentication and encryption to identify users allowed on your network

Page 52: Digital Forensics Overview

Terms to Know
• 802.11 is the WiFi standard set by the IEEE for WLANs.
– 802.11b (2.4 GHz, max data rate 11 Mbit/s)
– 802.11g (2.4 GHz, max data rate 54 Mbit/s)
– 802.11a (5 GHz, max data rate 54 Mbit/s)
– 802.11n (5 GHz and/or 2.4 GHz, 74-600 Mbit/s)
– 802.11ac (5 GHz, 500 Mbit/s-1 Gbit/s)
• The Media Access Control (MAC) address is your computer’s unique hardware number
– Your computer’s MAC address is like the house number if your network was the street. It identifies you separately from your neighbors and allows you to send and receive mail (data)
– Example: 00:0d:83:b1:c0:8e
– On wireless networks, a process called MAC filtering is a security measure to prevent unwanted network access by hackers and intruders. The router is configured to accept traffic only from specific MAC addresses

Page 53: Digital Forensics Overview

Scenario…
• After “BadDude” was arrested from the IP Tracing scenario, his attorney argues that because his residence was equipped with an “open” wireless router, another person could have been linked into the IP address from which the child porn was shared. He further argued that anyone in range of the wireless router could connect to the network without a password. (example)
– As a prosecutor, defense attorney, or Judge what else would you consider given this situation?
– Federal cases have uniformly rejected the claim that the use of an unsecured wireless network vitiates the probable cause that would otherwise exist to search the home of an Internet subscriber whose IP address is used to access child pornography.

Page 54: Digital Forensics Overview

Impact on Investigations
• If the investigation revealed that the network was encrypted with a password or WEP/WPA/WPA2 encryption, it may be less likely that the offender could use the “it was someone driving by that accessed my network and downloaded child porn” defense.
• Encrypted networks can reduce the number of potential suspects since, by nature, access is restricted. Investigators may also look through logs to determine the specific MAC address that shared the contraband images.
• Tech-savvy criminals may use MAC spoofing, or the process of masking/changing the MAC address, to conceal their illicit activity
• Investigators must still determine everyone that could have had access to the network during the course of the investigation.
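The MAC address material from page 52 (the example address 00:0d:83:b1:c0:8e, the vendor prefix, MAC filtering) and the log review and spoofing caveat from page 54, as one added worked example in Python; none of it is code from the presentation. It parses addresses in the common notations, pulls out the OUI and the two flag bits of the first byte, models a router's MAC-filter allow-list, and walks a constructed access-point association log to report joins an investigator should look at: an address not on the allow-list, or one whose locally-administered bit is set, a bit that burned-in vendor addresses leave clear and software-assigned addresses usually set. The log lines and the second address are constructed.

```python
import re

# Constructed access-point association log, loosely modelled on a home router's
# syslog output; not a real log.
AP_LOG = """\
2015-08-09 21:14:03 ap0: STA 00:0d:83:b1:c0:8e associated
2015-08-09 21:15:41 ap0: STA 02:0d:83:b1:c0:8e associated
2015-08-09 21:20:10 ap0: STA 5c:f9:38:a1:02:77 associated
2015-08-09 21:22:55 ap0: STA 00:0d:83:b1:c0:8e disassociated
"""

MAC_IN_LOG = re.compile(r"STA ([0-9a-fA-F:]{17}) (associated|disassociated)")


def parse_mac(mac: str) -> bytes:
    """Accept 00:0d:83:b1:c0:8e, 00-0D-83-B1-C0-8E or 000d.83b1.c08e; return the 6 bytes."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def describe_mac(mac: str) -> dict:
    b = parse_mac(mac)
    return {
        "normalized": ":".join(f"{x:02x}" for x in b),
        "oui": ":".join(f"{x:02x}" for x in b[:3]),     # vendor prefix assigned by the IEEE
        "multicast": bool(b[0] & 0x01),                 # bit 0 of the first byte
        "locally_administered": bool(b[0] & 0x02),      # bit 1: set by software, not burned in
    }


class MacFilter:
    """The allow-list a router applies when MAC filtering is switched on."""
    def __init__(self, allowed):
        self.allowed = {describe_mac(m)["normalized"] for m in allowed}

    def permits(self, mac: str) -> bool:
        return describe_mac(mac)["normalized"] in self.allowed


def review_associations(log_text: str, allow: MacFilter) -> list:
    """Walk the AP log and report each association worth a closer look: an address
    not on the allow-list, or one whose locally-administered bit is set."""
    findings = []
    for line in log_text.splitlines():
        m = MAC_IN_LOG.search(line)
        if not m or m.group(2) != "associated":
            continue
        info = describe_mac(m.group(1))
        reasons = []
        if not allow.permits(info["normalized"]):
            reasons.append("not in allow-list")
        if info["locally_administered"]:
            reasons.append("locally administered bit set")
        if reasons:
            findings.append((line[:19], info["normalized"], reasons))
    return findings


if __name__ == "__main__":
    household = MacFilter(["00:0d:83:b1:c0:8e", "5C-F9-38-A1-02-77"])
    for timestamp, mac, why in review_associations(AP_LOG, household):
        print(timestamp, mac, "; ".join(why))
```

Run against the constructed log, only the 21:15:41 join is reported, on both counts. Read the result the way page 54 suggests: a MAC filter stops casual joins but an address that is copied from a permitted device passes it, and the locally-administered bit is a lead rather than proof, since current phones and laptops randomise their Wi-Fi addresses (also with that bit set) for privacy. The AP log is still worth pulling early: it is the only place the join times and addresses are recorded, and it is usually a small ring buffer.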

Page 55: Digital Forensics Overview

Conclusion
• Thank you for taking the time to view my presentation. Please send your feedback to [email protected]