Slide Forensic Chapter 1-6
1. Introduction
Topics
• What is Forensic Science?
• What is Digital Forensics?
• Uses of Digital Forensics
• Role in the Judicial System
What is Digital Forensics?
Digital Evidence
• Computers record evidence of everything
you do, and also
o Cell phones
o ATM machines
o Web servers
o Email servers
o SMS systems
o etc.
Slow to Change
• Attorneys and judges often know little
about digital evidence
• Digital forensic scientists must therefore
be teachers as well as technical experts
Forensic Science
• Forensics
o Application of science to solve a legal problem
• Digital Forensics
o Application of computer science and investigative procedures
o Analysis of digital evidence
o Search authority
o Chain of custody
o Validation with mathematics
o Use of validated tools
o Repeatability
o Reporting
o Expert presentation
Items to Examine
• Laptop and desktop computers
• Mobile devices
• Networks
• Cloud systems
• Video, audio, and images
o Authenticity, comparison, enhancement
Uses of Digital Forensics
• Criminal investigations
o Child pornography
o Identity theft
o Homicide, sexual assault, robbery, burglary…
o Almost every criminal investigation
• Civil litigation
• Intelligence
• Administrative matters
Forensics Backlog
• "…there were massive backlogs within all police forces, to the point where it was six months to two years before some computers could be examined"
Law Enforcement Paradigm
• Police need to think of and seek out digital evidence
• Seize
o Cell phones
o Gaming consoles
o Cameras
o Etc.
Bind. Torture. Kill.
• Dennis Rader
o Respected citizen
o Also a serial killer
o Murdered ten people in Kansas from 1974 to
1991
• He confessed in an anonymous letter to a
newspaper
• He offered to send police a floppy disk
o Police said it couldn't be traced
Metadata
• Metadata on the RTF file he sent contained
o Dates
o Title: "Christ Lutheran Church"
o "Last Saved By:" Dennis
• Christ Lutheran Church Wichita website showed
Dennis Rader as President of Congregation
Council
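The kind of metadata check that identified Rader, as an added example (not code from the slides or the textbook): a small parser for the RTF \info group, where Word records the title, author, "Last saved by" (the \operator control word) and the creation and revision times. The RTF below is constructed for the demonstration with the values the slide mentions; it is not the file from the case, and real files may also carry text in \'xx hex escapes that this parser leaves as-is.

```python
"""Pull the document properties (\\info group) out of an RTF file."""
import re
from typing import Dict, Iterator, Tuple

# Control words Word writes inside {\info ...}. \operator is "Last saved by".
TEXT_FIELDS = {"title", "subject", "author", "operator", "company", "keywords", "doccomm"}
TIME_FIELDS = {"creatim", "revtim", "printim", "buptim"}   # created, revised, printed, backed up


def _group_at(text: str, start: int) -> str:
    """Contents of the brace group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in RTF")


def _groups(body: str) -> Iterator[Tuple[str, str]]:
    """(control word, rest of group) for each top-level group inside body."""
    i = 0
    while i < len(body):
        if body[i] == "{":
            inner = _group_at(body, i)
            m = re.match(r"(?:\\\*)?\\([a-z]+)", inner)      # skip a leading \* destination marker
            yield (m.group(1), inner[m.end():]) if m else ("", inner)
            i += len(inner) + 2                               # jump past the closing brace
        else:
            i += 1


def _rtf_time(rest: str) -> str:
    """\\yr2005\\mo2\\dy10\\hr9\\min17 -> '2005-02-10 09:17:00' (missing parts read as 0)."""
    f = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", rest)}
    return "%04d-%02d-%02d %02d:%02d:%02d" % tuple(f.get(k, 0) for k in ("yr", "mo", "dy", "hr", "min", "sec"))


def rtf_info(rtf: str) -> Dict[str, str]:
    """Document properties as a dict; empty if the file has no \\info group."""
    pos = rtf.find(r"{\info")
    if pos < 0:
        return {}
    props: Dict[str, str] = {}
    for word, rest in _groups(_group_at(rtf, pos)):
        if word in TEXT_FIELDS:
            props[word] = rest.strip()
        elif word in TIME_FIELDS:
            props[word] = _rtf_time(rest)
    return props


def rtf_info_from_file(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="latin-1", errors="replace") as f:   # RTF is 7-bit ASCII
        return rtf_info(f.read())


# Constructed sample (not the real evidence file): the fields the slide lists.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\info{\title Christ Lutheran Church}{\author Dennis}{\operator Dennis}"
    r"{\creatim\yr2004\mo11\dy8\hr10\min24}{\revtim\yr2005\mo2\dy10\hr9\min17}}"
    r"{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Some body text.\par}"
)

if __name__ == "__main__":
    for key, value in rtf_info(SAMPLE_RTF).items():
        print("%-10s %s" % (key, value))
```

The lesson for the examiner is the same one the police missed: the document body says nothing about its author, but the \info group does, and it survives a save to floppy.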
John McAfee
• Fugitive from Belize police
• Posed for a photo in Guatemala
• Published on the Internet with GPS location metadata (EXIF) still in the image file
• Link Ch 1c
Civil Litigation
• eDiscovery is a $780 million business
• Hiring in San Francisco now
• eDiscovery definition
o "any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case"
• Both parties are entitled to examine evidence
o This process is called "Discovery"
Google's Billion Dollar eDiscovery Error
• This email was marked "Confidential" on some copies but not on others
• Accidentally revealed as evidence
• (Google didn't actually lose the $1 billion)
Intelligence
• Terrorists and foreign governments use
digital tools and the Internet
• US Military uses documents and media
in the DOCEX and DOMEX processes
DOMEX
• DOCEX (Document Exploitation)
o "Procedures used by the United States Armed
Forces to discover, categorize, and use
documents seized in combat operations"
o "Documents" includes
digital media
• DOMEX (Document and Media
Exploitation)
o Use of documents by
various agencies after
collection
Real Aid to the Enemy
• "…a real-world example from 2007.
When a new fleet of helicopters
arrived … in Iraq, some Soldiers took
pictures ... From the photos that were
uploaded to the Internet, the enemy
was able to determine the exact
location of the helicopters inside the
compound and conduct a mortar
attack, destroying four of the AH-64
Apaches."
Administrative Matters
• Digital evidence is used to detect
policy violations
o Accessing forbidden websites at work
• SEC Office of the Inspector General
o Firewall logs showed officials surfed porn at work
Locard's Exchange Principle
• When perps enter or leave a crime
scene, they will leave something
behind or take something with them
o Such as DNA, fingerprints, hair, fibers, etc.
• Also true of digital forensics
o Registry keys, log files, etc.
Scientific Method
• Forensic science is new and
procedures are still being developed
• A scientist is normally regarded as
objective, neutral, dealing only with
facts
• BUT forensic experts are hired by both
prosecution and defense, and state
expert opinions as well as facts
Role of the Forensic Examiner
in the Judicial System
• Expert witness
o Qualified to render an opinion
o Must be effective communicators
o Must be teachers
• Must be without bias
o Follow the evidence wherever it leads
2. Key Technical Concepts
Topics
• Basic Computer Operation
• Bits & Bytes
• File Extensions & File Signatures
• How Computers Store Data
• RAM: Random Access Memory
• Volatility of Data
Topics
• The Difference Between Computer
Environments
• Active, Latent, and Archival Data
• Allocated and Unallocated Space
• Computer File Systems
Bits & Bytes
Bits & Bytes
• A Bit is 0 or 1
• 8 bits is a byte
o 00000000 to 11111111
o 256 possible bytes
o Can be written as a number 0 to 255
o In Hexadecimal, 00 to FF
• Binary Games
ASCII Text
• One byte per character
• 7 bits encode the character; the eighth bit was originally a parity bit and was later used for vendor extensions
• 95 printable characters (94 graphic characters plus space) and 33 control codes
• Originally used for English
• Adapted to other languages
ASCII file in Hexadecimal
• 20 hex = 32 decimal = SPACE
• 0D 0A = 13 10 = CR LF
ASCII

• From Wikipedia (Link Ch 2a)


Unicode
• Encodes all "commercially significant" languages
• UTF-16 uses two bytes per character (four for characters outside the Basic Multilingual Plane); UTF-8 uses one to four bytes and is what most files and web pages use
• FF FE at the start of a UTF-16 file is the Byte Order Mark and means little-endian (FE FF means big-endian)
o Link Ch 2c
File Headers & File Carving
GIF Image (13x16 pixels)
GIF File Header
• GIF89a – Version of GIF (GIF87a is the older format)
• 0D 00 10 00 – width 13 (0x000D) x height 16 (0x0010); each dimension is a little-endian 16-bit value in the logical screen descriptor that follows the signature
GIF Specification
• Link Ch 2d
File Carving
• Rebuilding files by assembling blobs of
data found on a disk
• Relies on file headers and footers
• Done automatically by all-purpose
forensic suites like FTK and EnCase
• Many other tools exist to carve files
Project X1: Identifying File Types
File Extensions & File
Signatures
File Extensions

• Usually three letters long


• Appear at the end of a file name,
after a dot
• Hidden in Windows by default
• Used to specify the file type, icon,
and default application
Hide File Extensions
Incorrect File Extension
Wrong Default Application
• Any stream of bytes can be interpreted as ASCII
Open With…
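An added example (not from the slides or the textbook) covering the last few slides at once: identifying a file by its signature rather than its extension, reading the GIF logical screen descriptor, a hex dump of the kind shown in the ASCII slide, and header/footer file carving from a raw blob. The blob, the minimal GIF and JPEG, and the UTF-16 text are constructed inline; the signature table holds only magic values fixed by the respective format specifications (the GIF footer is the block terminator plus trailer, the same pair the Scalpel configuration uses).

```python
"""Identify file types by signature, parse the GIF logical screen descriptor,
and carve files out of a raw byte blob by header/footer scanning."""
import struct
from typing import List, Optional, Tuple

# (type name, header magic, footer magic or None when the format has no fixed trailer)
SIGNATURES = [
    ("gif",          b"GIF89a",             b"\x00\x3b"),             # block terminator + trailer
    ("gif",          b"GIF87a",             b"\x00\x3b"),
    ("jpeg",         b"\xff\xd8\xff",       b"\xff\xd9"),             # SOI ... EOI
    ("png",          b"\x89PNG\r\n\x1a\n",  b"IEND\xae\x42\x60\x82"),
    ("pdf",          b"%PDF-",              b"%%EOF"),
    ("zip",          b"PK\x03\x04",         None),
    ("utf16le-text", b"\xff\xfe",           None),                    # UTF-16LE byte order mark
]
EXT_ALIASES = {"jpg": "jpeg"}


def identify(data: bytes) -> Optional[str]:
    """Type name from the leading bytes, or None if no signature matches."""
    for name, header, _ in SIGNATURES:
        if data.startswith(header):
            return name
    return None


def check_extension(filename: str, data: bytes) -> Tuple[Optional[str], bool]:
    """(actual type, True if the extension agrees with the content)."""
    actual = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return actual, actual is not None and EXT_ALIASES.get(ext, ext) == actual


def gif_dimensions(data: bytes) -> Tuple[int, int]:
    """Width and height from the logical screen descriptor (bytes 6-9, little-endian)."""
    if not data.startswith(b"GIF8"):
        raise ValueError("not a GIF")
    return struct.unpack_from("<HH", data, 6)


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Hex + ASCII lines as a hex editor shows them (non-printables as '.')."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%08X  %s  %s" % (off, hexpart, asc))
    return lines


def carve(blob: bytes, max_len: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Header/footer carving: each header hit with a footer inside max_len yields
    (type, offset, bytes). Footerless types report the header offset with empty bytes."""
    found = []
    for name, header, footer in SIGNATURES:
        start = blob.find(header)
        while start != -1:
            end = -1 if footer is None else blob.find(footer, start + len(header), start + max_len)
            if end == -1:
                if footer is None:
                    found.append((name, start, b""))
                nxt = start + 1
            else:
                end += len(footer)
                found.append((name, start, blob[start:end]))
                nxt = end
            start = blob.find(header, nxt)
    return sorted(found, key=lambda f: f[1])


# --- constructed sample data (not a real evidence image) ---
def sample_gif() -> bytes:
    """Minimal 13x16 GIF89a: signature, logical screen descriptor, one image block, trailer."""
    lsd = struct.pack("<HH", 13, 16) + b"\x00\x00\x00"
    image = b"\x2c" + struct.pack("<HHHH", 0, 0, 13, 16) + b"\x00" + b"\x02\x02\x44\x01\x00"
    return b"GIF89a" + lsd + image + b"\x3b"


SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 24 + b"\xff\xd9"
SAMPLE_UTF16 = b"\xff\xfe" + "notes".encode("utf-16-le")
SAMPLE_BLOB = (b"\x00" * 64 + sample_gif() + b"Plain ASCII text.\r\n"
               + b"\x00" * 32 + SAMPLE_JPEG + b"\x00" * 16 + SAMPLE_UTF16)

if __name__ == "__main__":
    for name, off, data in carve(SAMPLE_BLOB):
        print("%-12s at offset %d, %d bytes" % (name, off, len(data)))
    print("GIF renamed to .jpg:", check_extension("photo.jpg", sample_gif()))
    print("\n".join(hexdump(b"Hi there\r\n")))
```

A footer-based carver only recovers contiguous files; fragmented files and formats without a fixed trailer (ZIP, UTF-16 text) need a length field or validation of the parsed structure, which is what the all-purpose suites add on top of this.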
How Computers Store Data
Storage Methods
• Electromagnetism
o Hard disks and floppy disks
• Microscopic Electrical Transistors
o SSDs, USB flash drives, SD cards, etc.
• Reflecting Light
o CDs, DVDs, Blu-ray
• They are all nonvolatile – they
retain data without power
Magnetic Disks
• Platter spins at 7,000
rpm to 15,000 rpm
• Spindle is the axis
• Read/write head is
an electromagnet
mounted to an
actuator arm
o Image from textbook
Disk Controller Card
• Stores and retrieves data from the platters
• Controlled by firmware held in flash on the controller board and in a reserved service area of the platters that normal OS reads cannot reach
o Image from http://static.ddmcdn.com/gif/ide-controller2.jpg
Flash Memory
• Made of transistors
• Solid State Drives (SSDs)
o Faster than hard disks
o Use less power
o More expensive
Optical Storage
• Microscopic pits encode bits
• Areas between pits are called lands
• There is one long spiral track for the whole disk
• Data is read with laser light
o See Link Ch 2e
o Image from http://www.backgroundsy.com/file/large/blu-ray-disc-isolated.jpg
Volatile v. Nonvolatile Memory
• Memory is short-term storage
• Storage devices (hard disks, SSDs, and optical disks) are nonvolatile—data is retained without power
• RAM is main system memory
o RAM is volatile—data is lost when power goes off
Volatility of RAM
• Images of RAM contents decaying after 5 sec, 30 sec, 60 sec, and 5 min without power
• From Princeton (Link Ch 2f)
RAM Forensics
• RAM contains important evidence that is not normally written to the hard disk
o Instant messages
o Network connections
o Running processes
• BUT most of what is in RAM carries no timestamp of its own (process start times are one exception)
o It can be misleading
Computing Environments
Four Categories

• Stand-alone
• Networked
• Mainframe
• Cloud
Stand-Alone
• A computer not connected to any other computer
o Such as a laptop not connected to Wi-Fi or cellular data
o BUT networks are everywhere now, even in BART or on airplanes
Networked
• A computer connected to at least one other computer
• Evidence might be on servers and network devices as well as the local computer
• Almost every computer is networked now
Mainframe
• A powerful
computer used at a
business, or shared
by many users
• Located in a data
center or colocation
center
o Image from
http://danialsharifudin.blogspot.com/2
012/08/classification-of-computer.html
Cloud Computing
Examples of Cloud Computing

• Gmail
• Facebook
• Twitter
• Amazon Web Services
• CloudFlare
Cloud Services
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
• From Wikipedia (Link Ch 2m)
IaaS
• The most basic cloud service
• Outsources hardware needs
o Servers, storage, routers, switches…
• Examples
o Amazon EC2
o Windows Azure Virtual Machines
o Google Compute Engine
o Rackspace Cloud
• Link Ch 2m
PaaS
• Provides a computing platform
o OS, programming language execution,
database, and Web server
• Examples
o AWS Elastic Beanstalk
o Heroku
o Google App Engine
o Windows Azure Compute
• Link Ch 2m
SaaS
• Providers install and operate
application software in the cloud
• Users access the software from cloud
clients
• Examples
o Google Apps
o Microsoft Office 365
• Link Ch 2m
• From link Ch 2g
Instagram
• Online photo-sharing site
• In Dec. 2012, Instagram changed its
terms of service
o Perpetual rights to all photos
o Right to sell photos to advertisers without
payment or notice to the user
• Instagram lost half its daily users in
a month
o Links Ch 2h, Ch 2i
AWS Outage
• Dec. 24, 2012
• Netflix was down, because they rely on
AWS (Link Ch 2j)
• Amazon has had several other major
outages (Link Ch 2k)
• From 2011 (Link Ch 2l)
Cloudflare Growth
2. Key Technical Concepts
Part 2
Active, Latent, and Archival
Data
Active Data
• Data the operating system can "see" and use
• Files and folders that appear in Windows Explorer
• Reside in allocated space
• Can be acquired by copying files
Latent Data
• Data that has been deleted or partially overwritten
• Invisible to OS
• Does not appear in Windows Explorer
• A bitstream or forensic image is required to acquire this data
Archival Data
• Also called Backups
• Commonly stored on
o External hard drives
o DVDs
o Magnetic tapes
o Cloud backup services like Iron Mountain or Symform
Legacy Archival Data
• Made with software or hardware
that is no longer in production
• To acquire the data, you need to
get old devices
o User's groups
o eBay
• Image: PDP-11 at
Defcon 17
o Link Ch 2n
Computer File Systems
File System
• Keeps track of used and free sectors
• Location of each file
• Filename
• Last modified date
• Permissions
FAT (File Allocation Table)
• Oldest and simplest file system
• FAT12 (for floppy disks)
• FAT16 (2 GB max. partition size)
o 4 GB on Win 2000 (link Ch 2p)
• FAT32 (Common on USB drives)
o Windows XP and later will not format a FAT32 volume larger than 32 GB, but they read and write larger ones
• FATX for the Xbox
• exFAT, introduced with Windows Embedded CE 6.0, now used on SDXC cards and large flash drives
o Link Ch 2o
NTFS (New Technology File System)
• Default file system of Windows NT, 2000, XP, Vista, 7 and later, and Windows Server
• Advantages
o Journaling of metadata changes ($LogFile), so the volume recovers from crashes
o Encryption (EFS) and compression
o Permissions (ACLs)
o Uses B-trees for fast directory searches
HFS+ (Hierarchical File System Plus)
• Used by Apple products (Mac OS X and iOS before APFS)
• Also uses B-trees
• Related versions
o HFS (the original, pre-1998 format)
o HFSX (case-sensitive variant)
B-Tree
• A way of storing objects so they can be searched quickly
o Image From Wikipedia
Virtual File System (VFS)
• Programming that forms an interface between an operating system's kernel and a more concrete file system
• Serves as an abstraction layer that gives applications access to different types of file systems and local and network storage devices
• Also known as a virtual file system switch
• Manages the data storage and retrieval between the operating system and the storage subsystem
• Maintains a cache of directory lookups to enable easy location of frequently accessed directories
Virtual File System (VFS)
Allocated and Unallocated
Space
Space on a Hard Drive

• Allocated
o Active data
o In use
o Can be seen by OS
• Unallocated
o No longer in use
o Slack space (Drive slack)
o Invisible to OS
Space on a Hard Drive
• Host Protected Area (HPA) and Device Configuration Overlay (DCO)
o Hidden areas at the end of a hard drive, set with ATA commands
o The drive reports a smaller capacity, so the OS never sees or uses them
o Vendors use them for recovery partitions and diagnostic data; a suspect can use them to hide data
o Imaging tools must detect and remove an HPA or DCO before acquisition, or the image will be short
Data Persistence
• Old Data is Left in Slack Space
o Unallocated clusters
o Remains on drive until overwritten
o Can be years
• Even an Overwrite may not get it all
o If the new file doesn't use all the sectors
Project 2
Magnetic Drive Storage
• Sector = 512 bytes (4,096 on newer "Advanced Format" drives)
o All data is read and written a sector at a time
• Cluster
o Varies, often 4096 bytes = 8 sectors
o OS can only allocate space a cluster at a time
Example
• BIG file: 4000 bytes
o Written onto disk
o Nearly fills 8 sectors = 1 cluster
• Delete BIG file
• Save SMALL file on same cluster
o SMALL file: 1000 bytes
o Only uses 2 sectors (1,024 bytes); the other 6 sectors still hold BIG's data
Drive Slack
Sector Before After
------ ------ ------
200 BIG SMALL
201 BIG SMALL
202 BIG BIG
203 BIG BIG
204 BIG BIG
205 BIG BIG
206 BIG BIG
207 BIG BIG
Error in Textbook
• Discussion from Fig. 2.5 through 2.8 is wrong
• Book says a 780 byte file only overwrites 780
bytes on disk, when it actually overwrites
1024 bytes
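The BIG/SMALL scenario above, worked in code as an added example (not from the slides or the textbook): sector and cluster arithmetic, the textbook's RAM slack / drive slack / file slack terms, and a bytearray standing in for one cluster so the BIG data that survives the SMALL write can be counted. Sector and cluster sizes are the ones the slides use; the 780-byte case from the textbook correction is included.

```python
"""Sectors, clusters and slack: what survives a delete-and-overwrite."""
from typing import Dict, List

SECTOR = 512                              # smallest unit the drive reads or writes
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER    # 4,096 bytes, smallest unit the OS allocates


def sectors_needed(size: int) -> int:
    return -(-size // SECTOR)             # ceiling division


def clusters_needed(size: int) -> int:
    return -(-size // CLUSTER)


def bytes_overwritten(size: int) -> int:
    """Bytes actually written when a file of this size is saved: whole sectors."""
    return sectors_needed(size) * SECTOR


def slack(size: int) -> Dict[str, int]:
    """Textbook terms: RAM slack = end of data to end of its last sector;
    drive slack = end of that sector to end of the cluster; file slack = both."""
    ram = bytes_overwritten(size) - size
    drive = clusters_needed(size) * CLUSTER - bytes_overwritten(size)
    return {"ram_slack": ram, "drive_slack": drive, "file_slack": ram + drive}


class Disk:
    """A few sectors of a drive as a bytearray; writes happen a whole sector at a time."""

    def __init__(self, sectors: int):
        self.buf = bytearray(sectors * SECTOR)

    def write_file(self, first_sector: int, data: bytes) -> int:
        n = sectors_needed(len(data))
        padded = data + b"\x00" * (n * SECTOR - len(data))   # modern OSes zero the tail
        off = first_sector * SECTOR
        self.buf[off:off + n * SECTOR] = padded
        return n

    def sector(self, idx: int) -> bytes:
        return bytes(self.buf[idx * SECTOR:(idx + 1) * SECTOR])


def survey(disk: Disk, markers: Dict[bytes, str]) -> List[str]:
    """Label each sector by which file's bytes lead it (a delete changes nothing here)."""
    labels = []
    for i in range(len(disk.buf) // SECTOR):
        labels.append(markers.get(disk.sector(i)[:1], "empty"))
    return labels


def run_example() -> Dict[str, object]:
    """BIG (4,000 bytes of 'B') is written, 'deleted', then SMALL (1,000 bytes of 'S')
    lands in the same cluster. Returns the sector map and how much of BIG is left."""
    disk = Disk(SECTORS_PER_CLUSTER)
    disk.write_file(0, b"B" * 4000)        # fills sectors 0-7 (only 416 bytes in sector 7)
    # Deleting BIG only marks the cluster free in the file system; the bytes stay.
    disk.write_file(0, b"S" * 1000)        # overwrites sectors 0-1: 1,024 bytes, not 1,000
    return {
        "layout": survey(disk, {b"B": "BIG", b"S": "SMALL"}),
        "big_bytes_left": bytes(disk.buf).count(b"B"),
    }


if __name__ == "__main__":
    for size in (4000, 1000, 780):
        print(size, "bytes ->", sectors_needed(size), "sectors,",
              bytes_overwritten(size), "bytes written,", slack(size))
    print(run_example())
```

Running it shows 2,976 of BIG's 4,000 bytes still on the cluster after SMALL is saved, and that a 780-byte file overwrites 1,024 bytes, which is the point of the textbook correction above.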
Page File (Swap Space)
• Used for virtual memory
o Temporary storage when your
computer runs out of available RAM
o Windows puts data here even when
RAM is not full
o It also loads old data from swap
back into RAM
o I once found something years old in
my RAM
Potential Page File Contents

• Passwords
• Fragments of images or
documents
• Anything else from RAM
• BUT there is no timestamp, so it will
be hard to connect to a specific
user or event
Hiberfil.sys
• Contains the contents of RAM (compressed on Vista and later)
o Written when a computer hibernates
Whole Disk Encryption
• Because of the page file and the hiberfil
o You can never be sure where your data is
• Whole Disk Encryption
o The only way to be sure all your data is protected
o Microsoft BitLocker
o Apple FileVault
o TrueCrypt (open source; development ended in 2014, and VeraCrypt continues it)
Project 8: NTFS Data Runs
3. Labs and Tools
Topics

• Forensic Laboratories
• Policies and Procedures
• Quality Assurance
• Hardware and Software
• Accreditation v. Certification
Forensic Laboratories
Forensic Labs
• Most are run by law enforcement agencies
• FBI's crime lab in Quantico, VA is largest in
the world
• Regional Computer Forensic Laboratory
(RCFL)
o FBI Program
o 16 facilities throughout US
o They process smartphones, hard drives,
GPS units, and flash drives
Virtual Labs
• Evidence repository (drive images) is kept on a server, separate from the examiner, who connects remotely
• This is how the FBI does it
• Saves money, increases access to resources
• Role-based access
o Examiners and management get full access
o Investigators, prosecutors, and attorneys get restricted access
Concerns with Virtual Labs

• Security
o Must retain integrity or evidence will be
inadmissible in court
• Performance
o High-speed connectivity required
• Cost
Lab Security
• Physical security
o Keep unauthorized people out of critical areas
• Examination stations
• Evidence storage
o Keys, swipe cards, access codes
o Digital access control is better than keys: it keeps an audit trail to support chain of custody
o Protection from fire, flood, etc.
Chain of Custody
• Evidence must be signed in and out of
storage
• Evidence log must be complete
Work in Isolation
• Forensic examination computer should not
be connected to the Internet
• This avoids arguments over contamination
by malware
• Evidence drives may contain malware
o Scan them with antivirus software
Evidence Storage
• Data safe
o Protects evidence from tampering
o Fireproof and waterproof
• Evidence log
o Must record who entered, when, and what they
removed or returned
• Data storage lockers must be kept
locked
Policies and Procedures
Standard Operating
Procedures (SOPs)
• Documents that detail evidence
collection, examinations, etc.
• These ensure consistency and reliability
• Very important to handle questions in
court
• Unusual situations will often require
special handling
Best Practices for Evidence Collection
• For proper evidence preservation, follow these procedures in order
(Do not use the computer or search for evidence)
1. Photograph the computer and scene
2. If the computer is off do not turn it on
3. If the computer is on, photograph the screen
4. Collect live data - start with a RAM image (Live Response locally or remotely via F-Response) and then collect other live data "as required" such as network connection state, logged on users, currently executing processes etc.
5. If hard disk encryption is detected (using a tool like Zero-View), such as full disk encryption, e.g. PGP Disk, collect a "logical image" of the hard disk while it is still unlocked, using dd.exe or Helix - locally or remotely via F-Response
6. Unplug the power cord from the back of the tower - If the computer is a laptop and does not shut down when the cord is removed then remove the battery
Best Practices for Evidence Collection
7. Diagram and label all cords
8. Document all device model numbers and serial numbers
9. Disconnect all cords and devices
10. Check for HPA then image hard drives using a write blocker, Helix or a hardware imager
11. Package all components (using anti-static evidence bags)
12. Seize all additional storage media (create respective images and place original devices in anti-static evidence bags)
13. Keep all media away from magnets, radio transmitters and other potentially damaging elements
14. Collect instruction manuals, documentation and notes
15. Document all steps used in the seizure
o From link Ch 3a
Quality Assurance
Quality Assurance
• A well-documented system of
protocols used to assure accuracy
and reliability
• Peer reviews of reports
• Evidence handling
• Case documentation
• Training of lab personnel
Reviews
• Technical review
o Focuses on results and conclusions
o Are the results reported supported by the
evidence?
• Administrative review
o Ensures all paperwork is present and completed
correctly
Proficiency Testing
• Examiner's competency must be
confirmed and documented
• Open test
o Examiner is aware they are being tested
• Blind test
o Examiner is not aware they are being tested
• Internal test
o Conducted by agency itself
• External test
o Conducted by independent agency
• Results must be documented
Fred Zain
• West Virginia State Police forensics expert who testified in hundreds of criminal cases
• Very persuasive in court
• …became something of a forensics "star," sought after by prosecutors who wanted to win convictions in difficult cases
Lies
• Falsified his own credentials
• Fabricated and altered evidence
• Convicted an innocent man of sex
crimes in 1997
o He was freed when DNA evidence proved he
was innocent
o Sued State of West VA
o That exposed Fred Zain
• Real rapist was caught 24 years later
o Link Ch 3b
Tool Validation
• Each tool, software or hardware, must
be tested before use on an actual
case
• Paper records are necessary to prove
this
Documentation
• Case File
o Case submission forms
o Requests for assistance
o Chain of custody reports
o Examiner's notes
o Crime scene reports
o Examiner's final reports
o Copy of search authorization
o All collected in a case file
• Preprinted forms help maintain uniformity
Examiner Notes
• Must be detailed enough to enable
another examiner to duplicate the
process
o Discussions with key players including
prosecutors and investigators
o Irregularities found and actions taken
o OS versions & patches
o Passwords
o Changes made to the system by lab
personnel and law enforcement
• It may be years before trial, and you
will need to understand your notes
Examiner's Final Report
• Formal document delivered to prosecutors, investigators, opposing counsel, etc.
• Remember the audience is nontechnical
• Avoid jargon, acronyms, and unnecessary details
Examiner's Final Report Contents
• Identity of the reporting agency
• Case ID #
• Identity of the submitting person and case investigator
• Dates of receipt and report
• Detailed description of the evidence items submitted
o Serial numbers, makes, models, etc.
• Identity of the examiner
• Description of the steps taken during the examination process
• Results and conclusions
Examiner's Final Report Sections

• Summary
o Brief description of the results
• Detailed findings
o Files pertaining to the request
o Files that support the findings
o Email, Web cache, chat logs, etc.
o Keyword searches
o Evidence of ownership of the device
• Glossary
Digital Forensic
Tools
Digital Forensic Tools
• NIST's Forensic Tool Testing Project
o Link Ch 3c
Sample Report
Hardware Tools
• Cloning devices
• Cell phone acquisition devices
• Write blockers
• Portable storage devices
• Adapters
• Cables
• Much more
• From textbook
Computer Recommendations
• Multiple multicore processors
• As much RAM as possible
• Large, fast hard drives
• FTK 4 recommends:
o 64-bit processor, Quad core
o 8 GB RAM
o A dedicated 150 GB hard disk for the
PostgreSQL database; SSD or RAID preferred
o 1 GB network
o Link Ch 3d
Non-PC Hardware
• Cellebrite's UFED
o Supports over 3,000 phones (Link Ch 3e)
• Link Ch 3f
Paraben
• Competes with Cellebrite
• Supports more than 4,000 phones, PDAs, and GPS units
Cloners and Kits
• Hardware Cloners
o Faster, can clone multiple drives at once
o Provide write protection, hash authentication,
drive wiping, audit trail…
• Crime scene kits
o Preloaded with supplies to collect digital
evidence
o Pens, digital camera, forensically clean storage
media, evidence bags, evidence tape, report
forms, markers…
Software: Open-Source
• SIFT: SANS Investigative Forensic Toolkit
• SIFT Workstation is free, based on
Ubuntu
• Link Ch 3g
SIFT Capabilities
• File carving
• Analyzing file systems
• Web history
• Recycle bin
• Memory
• Timeline
• File systems supported
o Windows (MSDOS FAT, VFAT, NTFS)
o Mac (HFS)
o Solaris (UFS)
o Linux (ext2/3/4)
SIFT Capabilities
• Evidence Image Support
o Expert Witness (E01)
o RAW (dd)
o Advanced Forensic Format (AFF)
SIFT Capabilities
• The Sleuth Kit (file system analysis tools)
• log2timeline (timeline generation)
• ssdeep & md5deep (hashing tools)
• Foremost/Scalpel (file carving)
• Wireshark (network forensics)
• Vinetto (thumbs.db examination)
• Pasco (IE Web history examination)
• Rifiuti (Recycle Bin examination)
• Volatility Framework (memory analysis)
• DFLabs PTK (GUI front-end for The Sleuth Kit)
• Autopsy (GUI front-end for The Sleuth Kit)
• PyFLAG (GUI log/disk examination)
Commercial Tools
• EnCase & FTK have similar capabilities
o Searching
o E-mail analysis
o Sorting
o Reporting
o Password cracking
EnCase & FTK
• Search tools
o E-mail addresses
o Names
o Phone numbers
o Keywords
o Web addresses
o File types
o Date ranges
Don't Trust Tools
• Using a tool without understanding
what it's doing is a trap
• Verify all findings with a second
tool, like a simple hex editor
• You must figure out how the data
got on the system and what it
means
Other Multipurpose Tools
• Acquisition, verification, searching, reporting, wiping, etc.
o SMART
o ProDiscover
o X-Ways Forensics
o Helix (Linux-based)
o Raptor (Linux-based)
Other Tools
• Mac Tools
o BlackBag's SoftBlock (software write-blocker), MacQuisition (acquisition) and BlackLight (analysis)
o Mac Marshal
Other Tools
• Dossier from Logicube
o Hardware acquisition
• Tableau
o Write-blockers
• WiebeTech
o Write-blockers
Accreditation v. Certification
Accreditation
• Endorsement of a crime lab's
policies and procedures
o ASCLD/LAB does this
• Very burdensome to achieve
• Not possible for every lab
o ASTM also accredits labs
Certification
• Applies to examiners, not the lab
o SWGDE Core Competencies for Forensic Practitioner
Certification
• Pre-examination procedures and legal issues
• Media assessment and analysis
• Data recovery
• Specific analysis of recovered data
• Documentation and reporting
• Presentation of findings
o Link Ch 1h
4. Collecting Evidence
Topics
• Crime scenes
• Documenting
• Chain of Custody
• Forensic cloning
• Live and Dead Systems
• Hashing
• Final Report
Crime Scenes and
Collecting Evidence
Securing the Scene
• Unnecessary people must be kept out
• Network connections place data at risk
• Once it is assured that volatile data won't be lost, disconnect network cables
• Isolate seized phones from the network
o Image from crimescenecleanupdetroit.com
Removable Media
• Memory cards can be tiny
• Hidden in books, wallets, hat bands, etc.
• Also DVDs, external hard drives, thumb
drives, memory cards
• Examine books and manuals to determine
the skill level of the target
o Are they using encryption?
Cell Phones
• Valuable evidence
o Text messages, email, call logs, contacts
• Interacting with the phone can change
data
o Apple's "Find My iPhone" app can be used to remotely
wipe the phone
Isolating Cell Phones
• Turn the phone off
o BUT it may require a password when turned back
on
• Shielded container
o Paint can, Faraday bag
• Power
o Provide external battery pack to keep phone alive
o Seize power cables if phone is off, so it can be charged for
examination
Questions at the Scene
• After the scene is secured, ask these questions
o What kinds of devices are present?
o How many devices?
o Are the devices running?
o What tools are needed?
o Do we have the necessary expertise?
Order of Volatility
• Gather most volatile evidence first
o CPU, cache and registers
o Routing table, ARP cache, processes
o RAM
o Temp files/swap space
o Hard disk
o Remotely logged data
o Archival media
Documenting the Scene
If you don't write it down, it didn't happen
Types of Documentation
• Photographs
• Written notes
• Video
• Record precise details
o Type, make, model, serial number
o Whether a device is on or off
o Network connections
o Peripheral connections like printers
o Document and label cables
Photography
• Walk through the scene to find devices
and see what will be needed
• Then photograph entire scene before
anything is disturbed
• Broad perspective, then each item of
evidence in its original position
o Add a ruler in a second photo for perspective
• Photos don't replace notes
Notes
• No set standard
• Chronological is common
• Those notes will guide you in court later
• Notes can be discoverable and may
be seen by other side
o Don't draw conclusions or speculate
Chain of Custody
Marking Evidence
• Initials, dates, case numbers
• Permanent markers
• Sealed in evidence anti-static bag
• Tamper-resistant evidence tape
Forensic cloning
Cloning
• Exact copy of a hard drive, bit for bit
• Gathers unallocated space and the Master File Table
• Time-consuming process
• Usually done at the lab, not on the scene
• In civil cases, you may lack legal authorization to remove the computer
o Must clone it on-scene
Purpose of Cloning
• Examine a copy, not the original
o Unless there are exigent circumstances,
like a missing child
• You can recover from mistakes
• A properly authenticated forensic clone is as
good as the original in court
The Cloning Process
• Copy one hard drive to another, larger
hard drive
• Source drive normally removed from
computer
• Critical to use a write-blocker
o Hardware or software
• Forensically clean destination drive first
• Proof of that goes in the case file
Forensically Clean Media
• Can be proven devoid of data
• "Sterile"
• Overwrite entire drive with a pattern of
data
o Such as 00000000
Forensic Image Formats
• Proprietary
o EnCase (.E01) – Actually "Expert Witness"
o AccessData Custom Content Image (.AD1)
• Open
o Advanced Forensics Format (AFF)
• Open format, see link Ch 4a
o Raw (.dd or .001)
• Direct uncompressed disk image
Risks and Challenges
• Biggest Risk: Writing to the evidence drive
• Bad sectors
• Damaged or malfunctioning drives
• Corrupt boot sector
• Antiforensics measures (theoretical, not
practical risk)
eDiscovery
• Gathering and presenting electronically stored information (ESI) for legal cases
• Cloning preserves evidence best
o Can be expensive and impractical
• du Pont v. Kolon
o Kolon lost and was hit with a $920 million judgment
o 20-year ban from competing with du Pont
• Links Ch 4b, 4c
Spoliation
4. Collecting Evidence
Part 2
Topics
• Live and Dead Systems
• Hashing
• Final Report
Live and Dead Systems
Old School: Pull the Plug
• Loses RAM data
• May render encrypted files
unavailable
• May corrupt data on the disk
when power goes off
• May lose some evidence that
doesn't get properly written to disk
Now: Live Acquisition
• Modern tools being marketed to first
responders
o Non-technical people
• Live acquisition is important if RAM is
important
o Malware -> RAM is important
o Possession of child porn -> RAM unimportant
• Examiner needs proper skills and tools
Principles of Live Collection
• Least invasive procedure possible
• RAM may contain
o Running processes
o Executed console commands
o Passwords in cleartext
o Unencrypted data
o Instant messages
o IP Addresses
o Trojans
Conducting and Documenting a Live Collection
• Work without interruptions
• Every interaction with the computer must be noted
• I did this…the computer did that
• Make desktop visible by moving the mouse
o Or press a key (and record which)
• Note date and time
• Note icons and taskbar buttons of running programs
• Open Task Manager & record processes
• Capture RAM with a forensic RAM imager
• Perform proper shutdown
Task Manager
• Show processes from all
users
• Record all processes
Hashing Algorithms
• Even a single changed bit in the input file completely changes the hash
• If the hashes of two files match, the files can be regarded as identical
• MD5 is most common; SHA-1 is stronger
• Both now have published collision attacks (two different files can be crafted with the same hash), so record SHA-256 as well where the tool allows
• For detecting accidental change to a copy, any of them will do
• Hash value must accompany all evidence images
o So copies can be verified
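An added example (not from the slides) tying together the three acquisition steps that the Cloning slides and the Hashing slide describe: proving the destination is sterile, copying every byte of the source onto a larger destination, and verifying the copy with hashes, then showing that a single flipped bit fails verification. It works on ordinary files so it runs anywhere; on a real acquisition the source path is the device behind a hardware write blocker. The evidence file is random data constructed in a temporary directory.

```python
"""Sterile destination check, bit-for-bit clone, and hash verification."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple

CHUNK = 1 << 20                      # 1 MiB reads keep memory flat on multi-GB images
ALGOS = ("md5", "sha1", "sha256")    # record all three; SHA-256 has no known collisions


def hash_bytes(data: bytes, algos=ALGOS) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def hash_file(path: str, length: Optional[int] = None, algos=ALGOS) -> Dict[str, str]:
    """Hash the first `length` bytes (all bytes if None) with every algorithm in one pass."""
    hashes = {a: hashlib.new(a) for a in algos}
    remaining = length if length is not None else float("inf")
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(int(min(CHUNK, remaining)))
            if not chunk:
                break
            remaining -= len(chunk)
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def wipe(path: str, size: int, pattern: bytes = b"\x00") -> None:
    """Overwrite the destination with a single-byte pattern; proof of this goes in the case file."""
    with open(path, "wb") as f:
        left = size
        while left > 0:
            n = min(CHUNK, left)
            f.write(pattern * n)
            left -= n
        f.flush()
        os.fsync(f.fileno())


def is_sterile(path: str, pattern: bytes = b"\x00") -> bool:
    """True only if every byte equals the pattern, so no old data can leak into the clone."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk != pattern * len(chunk):
                return False
    return True


def clone(src: str, dst: str) -> int:
    """Copy every byte of src onto dst, which may be larger. Returns bytes copied."""
    mode = "r+b" if os.path.exists(dst) else "wb"   # r+b so a larger destination is not truncated
    copied = 0
    with open(src, "rb") as s, open(dst, mode) as d:
        for chunk in iter(lambda: s.read(CHUNK), b""):
            d.write(chunk)
            copied += len(chunk)
        d.flush()
        os.fsync(d.fileno())
    return copied


def verify(src: str, dst: str) -> Tuple[bool, Dict[str, str], Dict[str, str]]:
    """Compare source hashes with hashes of the same number of bytes on the destination."""
    size = os.path.getsize(src)
    hs, hd = hash_file(src), hash_file(dst, length=size)
    return hs == hd, hs, hd


def flip_one_bit(path: str, offset: int) -> None:
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([b ^ 0x01]))


def run_example() -> Dict[str, object]:
    """Constructed evidence file, wiped larger destination, clone, verify, then a
    single flipped bit failing verification."""
    tmp = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(tmp, "evidence.dd"), os.path.join(tmp, "clone.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 123))      # stand-in for the evidence drive
        wipe(dst, 3 * CHUNK)                           # destination is larger and sterile
        sterile = is_sterile(dst)
        copied = clone(src, dst)
        ok_before, hs, _ = verify(src, dst)
        flip_one_bit(dst, 4242)
        ok_after, _, _ = verify(src, dst)
        return {"sterile": sterile, "copied": copied, "match": ok_before,
                "match_after_bit_flip": ok_after, "hashes": hs}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

Verification hashes only as many destination bytes as the source has, because a clone onto a larger drive leaves the wipe pattern beyond the copied region and a whole-drive hash would never match the source.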
Final Report
• Consider the audience
• Many reports are too technical & confusing
• Avoid jargon and code
• The report generated by FTK or EnCase should be
included, but it's not readable enough alone
• Add a detailed narrative of all actions taken by the
examiner
• Add a summary written in plain English
5. Windows System Artifacts
Part 1
Topics

• Deleted data
• Hibernation Files
• Registry
Deleted Data
Recovering Deleted Data
• File Carving
• Allocated space contains active data
• Deleted files are in unallocated space
• Useful tools
o ProDiscover
o FTK or EnCase
o Foremost
o Recuva
o Photorec
Hibernation File
Shutdown Options
• Sleep – data kept in RAM
o Power still on
o Documents lost if power fails
• Hibernate – RAM copied to Hiberfil.sys
o Power off
o Documents never lost
• Hybrid Sleep
o Default for Windows 7 desktops
o Puts open documents and programs on disk
o Keeps them in RAM as well for fast wakeup
o Documents not lost if power fails
Enabling Hibernation
• Link Ch 5i
Registry
Not in book, but may be on quizzes and
Final Exam
Understanding the
Structure of the Registry
• The registry consists of five root keys
o HKey_Classes_Root
o HKey_Current_User
o HKey_Local_Machine
o HKey_Users
o HKey_Current_Config
• Or HKCR, HKCU,
HKLM, HKU,
and HKCC
Subkeys
• Root keys (sometimes called predefined keys),
contain subkeys
o Subkeys look like folders in Regedit
• HKCU has these top-level subkeys: AppEvents,
Console, Control Panel, …
o A root key and
its subkeys
form a path
o HKCU\Console
Values
• Every Subkey contains at least one value
o But it may show (value not set)
• The default value (often undefined)
• Values have name, data type, and data
Hives
• A key with all its subkeys and values is called a hive
• The registry is stored on disk as several separate hive files
• Hive files are read into memory when the operating system starts (or when a new user logs on)
HiveList
• HKLM\System\CurrentControlSet\Control\HiveList
Hardware Hive
• \Registry\Machine\Hardware has no associated disk file
• Windows 7 creates it fresh each time you turn your system on
HKCR and HKCU
• These keys are links to items contained in other root keys
o HKey_Classes_Root (HKCR)
• Merged from keys within HKLM\Software\Classes and HKU\sid_Classes
o sid is the security identifier of the currently logged on user
o HKey_Current_User (HKCU)
• HKU\sid
Purpose of Registry
• Database for configuration files
• Registry artifacts are very valuable for forensics
o Search terms
o Programs run or installed
o Web addresses
o Files recently opened
o USB devices connected
Acquiring the Registry
• FTK Imager
Acquired Files
Reference
• Link Ch 5c
Important Registry Data
• Control Set
• Time Zone
• User Assist
• USB Store
Control Set
• A live Registry has an important key named HKLM\System\CurrentControlSet
• Contains Time Zone, USBSTOR, and other information
Control Set
• Acquired image doesn't contain CurrentControlSet
• It's ephemeral data—not stored in the hive files
• To determine which ControlSet is current, look in
• System\Select
• In this case, ControlSet001 is Current
o Link Ch 5a
Time Zone
• System\ControlSet001\Control\TimeZoneInformation
o Assuming that ControlSet001 is Current
UserAssist
• Shows objects the user has accessed
• To see it, open Users\Username\NTUSER.DAT
• Navigate to Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
UserAssist Decoded in Lower Left Pane
RegRipper
• Link Ch 5k
Ripped Registry
USBSTOR
• System\ControlSet001\Enum\USBSTOR
o Assuming Current Control Set is 1
5. Windows System Artifacts
Part 2
Topics
• Attribution
• Recycle Bin
• Metadata
• Thumbnail Images
• Most Recently Used Lists
• Restore Points and Shadow Copies
• Prefetch and Link Files
Attribution
• Evidence of an action is easy to find
o Search terms
o images
o Web pages viewed
• Attribution is more difficult
o Who was using the computer when the action took place?
• One machine may have multiple accounts
• Win XP starts with Administrator and Guest
o Both disabled by default in Windows 7
SID (Security Identifier)
SIDs in the Registry
Well-Known SIDs
• Link Ch 5o
External Drives
• USBSTOR shows exactly which USB devices have been attached to a computer
• Helpful in attributing evidence found on removable devices
Print Spooling
• When a document is printed, two files are created
o Enhanced Meta File (EMF) contains an image of the document to be printed
o Spool File contains information about the print job
• They are normally deleted after printing finishes, but may be retained on some systems
Recycle Bin
Recycle Bin Operation
• Not everything deleted goes into the Recycle Bin
• Shift+Delete will bypass the Recycle Bin, so will "Delete" from a command prompt
• A user can disable the Recycle Bin in Recycle Bin Properties
NukeOnDelete Registry Key
• Win XP (Link Ch 5p)
• Win 7 (Link Ch 5q)
Metadata
Metadata
• Data about data
• File system metadata
o Timestamps (Created, Modified, Accessed)
o Permissions, owner
• Application metadata
o Author's name
o GPS coordinates
o Software owner's name
Timestamps
• WARNING: These all depend on the system clock, which can be reset
• Created
• Modified
• Accessed
o Even if the file was not opened, but just scanned by antivirus
MACR Times
• Sleuthkit will show these four timestamps
o Link Ch 5r
Timestamp Principles
• Be very careful
• Perform experiments on similar systems to verify conclusions
• Use multiple tools
• Watch out for system clock changes
Demo: John McAfee's Photo
• Exif Viewer
o Link Ch 5t
• Link Ch 5u
Removing Metadata
• Microsoft Office Document Inspector
o Link Ch 5v
• Other tools
o Link Ch 5w
Thumbnail Cache
Windows XP Thumbnails
• Thumbs.db
• Hidden file in same folder as images
o Image from link Ch 5x
Windows 7 Thumbnails
• To view these, see tool at link Ch 5x
Most Recently Used
• Right-click taskbar button in Windows 7
• Click File icon In Paint
• Many, many, other places
System Restore
Restore Points
• Win 7 creates a restore point every 7 days by default
o XP and Vista did it every day
• They are created by a Shadow Copy service, which can copy files even when they are in use
When Restore Points Are Created
• An application is installed with a compatible Vista or Win 7 installer
• Windows Updates
• System Restore is performed
o A Restore Point is made first so the System Restore can be reversed
• Windows Backup
o A Restore Point is created as part of the backup process
Restore Settings
• Click Configure
• Choose whether to monitor system settings or just files
• "System Settings" includes the Registry and many other system file types
System Restore Files
• In C:\System Volume Information
o You can't open this folder, or even take ownership of it
o It's only intended for System access
Previous Versions
• Image from microsoft.com
PreFetch
• To make a Windows machine run faster
• A shortcut to programs you commonly open is saved in the Prefetch folder
• There are Prefetch Viewers to help read the files
• The format is different in Win XP and Win 7/Vista
o Links Ch 5y, 5z
PreFetch in Win XP
PreFetch in Win 7
Link Files
• Shortcuts to programs and other files
• They have time and date stamps
• Links in the "Recent Files" folder to network shares even contain the MAC address of the server!
Recent Files Viewer
• Works on Win XP & Win 7
• Link Ch 5z1
Installed Programs
• Give information about the user's activities
• Recently uninstalled programs may also be important evidence of guilt
• Traces of uninstalled programs may be found in
o Programs folder
o Links
o Prefetch files
6. Antiforensics
Topics
• Encryption
• Breaking Encryption
• Hiding and Destroying Data
Antiforensics
• Techniques to manipulate, erase, or obfuscate digital data to make its examination difficult, time-consuming, or virtually impossible
Private Browsing
Simple Privacy Methods
• Weak, relatively ineffective
o Delete cookies
o Clear temporary internet files
o Clear history
o Changing filenames and extensions
o Burying files in unrelated directories
• Real obstacles to forensic examiners
o Hiding files within other files (steganography)
o Encryption
Encryption
Protecting Secrets
• We all need encryption for
o Credit card #s
o Passwords
o Medical data
• Without encryption, the Web would be much less useful
Encryption Defined
• Encryption converts data from plaintext (readable) to ciphertext (scrambled)
• Algorithm is the mathematical process to encrypt and decrypt the message
• Key is a value needed to encrypt and decrypt the data, usually a long random series of bits, sometimes derived from a password or passphrase
Caesar Cipher
• Shift each letter forward one character
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• BCDEFGHIJKLMNOPQRSTUVWXYZA
• CCSF --> DDTG
ROT13
• Shift each letter forward 13 characters
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• NOPQRSTUVWXYZABCDEFGHIJKLM
• CCSF --> PPFS --> CCSF
• Encrypting with ROT13 twice returns you to plaintext
• Decryption algorithm = Encryption algorithm
• Very weak—obfuscation, not encryption
• Used in TypedURLS registry key, and for passwords in an early version of Netscape (Link Ch 6a)
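An added example (not part of the slides) serving both the UserAssist slide in Chapter 5 and the Caesar/ROT13 slides here: a general shift cipher of which ROT1 and ROT13 are instances, a check that ROT13 is its own inverse, a 26-key brute force showing why a shift is obfuscation rather than encryption, and decoding of a constructed UserAssist-style value name (UserAssist value names in NTUSER.DAT are stored ROT13-encoded, a fact the slides do not state; the sample path is made up).

```python
import string

def caesar(text: str, shift: int) -> str:
    """Shift every letter forward by `shift` places (negative shifts go back).
    Non-letters pass through unchanged, so a ROT13-encoded registry value
    name keeps its backslashes, digits and punctuation."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def rot13(text: str) -> str:
    """ROT13 is caesar(13); applying it twice returns the plaintext."""
    return caesar(text, 13)

def brute_force_caesar(ciphertext: str) -> dict:
    """Every possible shift: the whole keyspace of a Caesar cipher is 26 keys."""
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}

# Constructed UserAssist-style value name (ROT13-encoded), not taken from a real hive.
SAMPLE_USERASSIST = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr"

if __name__ == "__main__":
    print("ROT1 :", caesar("CCSF", 1))                 # DDTG, the slide's Caesar example
    print("ROT13:", rot13("CCSF"), "->", rot13(rot13("CCSF")))
    print("decoded UserAssist name:", rot13(SAMPLE_USERASSIST))
    for shift, candidate in brute_force_caesar("DDTG").items():
        print(f"shift {shift:2d}: {candidate}")
```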
Symmetric Cryptography
• One key encrypts and decrypts data
• Cleartext with Key makes Ciphertext: "Winning Lotto #s:" becomes "aWDHOP#@-w9"
• Ciphertext with Key makes Cleartext: "aWDHOP#@-w9" becomes "Winning Lotto #s:"
Asymmetric Cryptography Algorithms
• Use two keys that are mathematically related
o Data encrypted with one key can be decrypted only with the other key
• Another name for asymmetric key cryptography is public key cryptography
o Public key: known by the public
o Private key: known only by owner
Asymmetric Cryptography
• Cleartext with Public Key makes Ciphertext: "Winning Lotto #s:" becomes "aWDHOP#@-w9"
• Ciphertext with Private Key makes Cleartext: "aWDHOP#@-w9" becomes "Winning Lotto #s:"
Popular Algorithms
• Symmetric Encryption
o DES, 3DES, AES, Blowfish
• Asymmetric Encryption
o RSA, ECC, ElGamal
• The most secure algorithms are open-source
o Proprietary, secret algorithms are almost always insecure
Keys
• A sequence of random bits
o The range of allowable values is called a keyspace
• The larger the keyspace, the more secure the key
o 8-bit key has 2^8 = 256 values in keyspace
o 24-bit key has 2^24 = 16 million values
o 56-bit key has 2^56 = 7 x 10^16 values
o 128-bit key has 2^128 = 3 x 10^38 values
Brute Force Attack
• In 1997 a 56-bit key was broken by brute force
o Testing all possible 56-bit keys
o Used 14,000 machines organized via the Internet
o It took 3 months
o See link Ch 12d
How Many Bits Do You Need?
• How many keys could all the computers on Earth test in a year?
o Pentium 4 processor: 10^9 cycles per second
o One year = 3 x 10^7 seconds
o There are fewer than 10^10 computers on Earth
• One per person
o 10^9 x 3 x 10^7 x 10^10 = 3 x 10^26 calculations
o 128 bits should be enough (3 x 10^38 values)
• Unless computers get much faster, or someone breaks the algorithm
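The keyspace and "how many bits" estimate carried through as an added example (not from the slides): with the slides' figures for clock rate, number of computers and seconds per year, it computes the yearly search capacity, how many planet-years each key length would take to exhaust, and the largest key length such a search could ever cover.

```python
import math

def keyspace(bits: int) -> int:
    """Number of possible keys of the given length."""
    return 2 ** bits

def keys_testable_per_year(cycles_per_second: float = 1e9,
                           computers: float = 1e10,
                           seconds_per_year: float = 3e7) -> float:
    """The slide's deliberately generous estimate: every computer on Earth
    tests one key per clock cycle, all year (defaults are the slide's figures)."""
    return cycles_per_second * computers * seconds_per_year

def years_to_exhaust(bits: int, keys_per_year: float) -> float:
    """Years needed to try every key of the given length at that rate."""
    return keyspace(bits) / keys_per_year

def bits_reachable(keys_per_year: float, years: float = 1.0) -> float:
    """Largest key length whose entire keyspace fits in `years` of searching;
    anything well above this is out of reach of brute force at that rate."""
    return math.log2(keys_per_year * years)

if __name__ == "__main__":
    rate = keys_testable_per_year()                # 3e26 keys per year
    print(f"capacity: {rate:.1e} keys per planet-year")
    for bits in (56, 64, 88, 128):
        print(f"{bits:3d}-bit key: {keyspace(bits):.1e} keys, "
              f"{years_to_exhaust(bits, rate):.1e} planet-years to exhaust")
    print(f"one planet-year of search covers about {bits_reachable(rate):.1f} bits")
```

The output shows why a 56-bit key is trivially within reach of this hypothetical effort while 128 bits is about 40 bits, or a factor of a trillion, beyond it.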
Practical Key Lengths
• Private keys of 128 bits or longer are practically unbreakable at the moment
• Public keys must be much longer
o 2048 bits is the minimum recommended key size for RSA (Link Ch 6b)
Common Encryption Products
• Windows 7: BitLocker and EFS
• Apple: FileVault
• Linux: TrueCrypt
• Full Disk Encryption
o Much safer
o Does not encrypt a "boot partition"
• File and Folder encryption
Encrypting File System (EFS)
• In File Properties in Windows
• Easy to use
• Uses password to make a key
• Part of the NTFS file system
BitLocker
• Encrypts entire system partition
• BitLocker To Go encrypts USB sticks
• Requires Windows 7 Ultimate
o But it's available in all versions of Windows 8
• Uses Trusted Platform Module chip
• Best forensic method: seize the running, logged-in machine
o BitLocker is decrypted at that point
Apple FileVault
• 128 bit AES
• Can encrypt whole drive
• Keys can be backed up with Apple
TrueCrypt
• Free open-source software
• Runs on Linux, Mac, or Windows
• Can encrypt part or all of a disk
• Can use AES, Serpent, or Twofish
• 256-bit keys
Breaking Encryption
Breaking Passwords
• Ask the user for it
• Brute force attack
o Use every possible combination of characters
• Dictionary attack
o Use passwords from a dictionary of common passwords
• Reset Passwords
o Possible with administrator privileges or a hacking tool like UBCD
o Won't get you into EFS-encrypted files
Custom Dictionary
• Acquire the hard disk (and RAM, if possible) of the evidence machine
• Extract all strings
• Use that as the password dictionary
Password Cracking Tools
• Password Recovery Toolkit (PRTK) from AccessData
• John the Ripper
• Cain
• Ophcrack
• Hashcat (in Backtrack)
PRTK's Biographical Dictionary Generator
Breaking BitLocker
• Cold Boot Attack
o Freeze the RAM and recover the key
• Dissolve the TPM chip and recover the key with a microelectrode
• Both are exotic, impractical attacks
• User may have backed up the key in a Microsoft account (Ch 7c)
Steganography
Steganography
• Hiding a payload file inside another carrier file
• Used by Osama Bin Laden and Russian spies (link Ch 6d)
Steganography Detection Tools
• Link Ch 6e
Hiding and Destroying Data
Data Destruction
• Drive Wiping
o Darik's Boot and Nuke (DBAN)
o Window Washer
o Evidence Eliminator
o Mac OS X Secure Erase
• Many others
• Some erase the whole disk, some only erase files or unused blocks, others erase only the header & footer
• Presence of these tools may be treated as evidence of guilt in court
o Especially if they were used just before evidence seizure
Some Wipers use Repeating Patterns
• This is a sign of disk erasure
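An added example (not from the slides) of how an examiner can detect the repeating-pattern fill that such wipers leave: it scans a constructed disk image sector by sector, identifies sectors made of one short repeated byte pattern (0x00, 0xFF, an alternating pair, and so on), and reports contiguous runs of them with their starting sector, length and pattern.

```python
def pattern_period(sector: bytes, max_period: int = 16):
    """Return the shortest period p (1..max_period) such that the sector is
    sector[:p] repeated over its whole length, or None for ordinary data."""
    for p in range(1, max_period + 1):
        if len(sector) % p == 0 and sector == sector[:p] * (len(sector) // p):
            return p
    return None

def find_wiped_runs(image: bytes, sector_size: int = 512):
    """Scan sector by sector and group consecutive sectors with the same
    repeating fill into runs of (first_sector, sector_count, pattern)."""
    runs = []
    current = None
    for n in range(len(image) // sector_size):
        sector = image[n * sector_size:(n + 1) * sector_size]
        p = pattern_period(sector)
        if p is None:
            current = None                 # ordinary data ends any run
            continue
        pattern = sector[:p]
        if current is not None and current[2] == pattern:
            current[1] += 1                # extend the run in progress
        else:
            current = [n, 1, pattern]
            runs.append(current)
    return [tuple(r) for r in runs]

def build_sample_image() -> bytes:
    """Constructed image: 4 sectors of varied data, 6 sectors wiped with 0x00,
    3 sectors wiped with an alternating 0x55 0xAA pattern, 2 more data sectors."""
    data = bytes(range(256)) * 2           # one 512-byte sector that is not a pattern
    return data * 4 + b"\x00" * 512 * 6 + b"\x55\xaa" * 256 * 3 + data * 2

if __name__ == "__main__":
    for first, count, pattern in find_wiped_runs(build_sample_image()):
        print(f"sectors {first}-{first + count - 1}: {count} sectors filled with {pattern.hex()}")
```

A long run of one pattern that is not all zeros is the strongest indicator; isolated all-zero sectors are common on any never-written disk and need corroboration from the tool traces described above.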
Defragmentation
• Moves clusters to tidy up disk
• Makes files open faster
• Causes some sectors to be overwritten
• Automatically performed weekly in Windows 7