Data Hiding Techniques

Uploaded by

Shiva Prasath

• Raw format image files don't contain metadata such as hashes!
o You must validate them manually to ensure integrity
• With tools such as ProDiscover, .eve files contain metadata that includes the hash value
o If the Auto Verify Image Checksum and the hashes in the .eve file's metadata don't match, ProDiscover will notify you that the acquisition is corrupt and can't be considered reliable evidence

Addressing data-hiding techniques

• Data hiding - changing or manipulating a file to conceal information
• Techniques
o Hiding entire partitions
o Changing file extensions
o Setting file attributes to hidden
o Bit-shifting
o Using encryption
o Setting up password protection

Hiding files by using the OS

• One of the first techniques to hide data
o Changing file extensions
o Advanced digital forensics tools check file headers and would flag this
• Another hiding technique
o Select the hidden attribute in a file's properties dialog box
o Also not very successful unless hiding things from an investigator

Hiding partitions

• By using the Windows diskpart remove letter command
o You can unassign the partition's letter, which hides it from view in File Explorer
o Of course, it's not hidden from drive management tools, so investigators would check for this
• Another known reason for knowing the drive's total size!

Marking Bad Clusters

• A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters
o Involves using old utilities such as Norton DiskEdit
• Can mark good clusters as bad clusters in the FAT table so the OS considers them unusable
o Only way they can be accessed from the OS is by changing them to good clusters with a disk editor

Bit-shifting

• Some users use a low-level encryption program that changes the order of binary data
o Makes altered data unreadable
• To secure a file, users run an assembler program (also called a "macro") to scramble bits
o Run another program to restore the scrambled bits to their original order
• Bit shifting changes data from readable code to data that looks like binary executable code
• WinHex includes a feature for shifting bits
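
An added example, not part of the original notes: a triage check an examiner could script for two of the techniques above, a changed file extension (header compared with extension, as under "Hiding files by using the OS") and bit-shifted content. It assumes the scrambling is a per-byte circular rotation, which is a simplification; the signature table, function names and sample bytes are constructed for illustration.

```python
import os

# Well-known file signatures: (magic bytes, label, extensions normally used).
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG", {".png"}),
    (b"%PDF-", "PDF", {".pdf"}),
    (b"GIF8", "GIF", {".gif"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx"}),
]

def identify(header: bytes):
    """Return (label, extensions) for the first matching signature, else None."""
    for magic, label, exts in SIGNATURES:
        if header.startswith(magic):
            return label, exts
    return None

def rotate_right(data: bytes, n: int) -> bytes:
    """Rotate each byte right by n bits; undoes a per-byte left rotation by n.
    Per-byte rotation is an assumption about how the bits were scrambled."""
    return bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in data)

def triage(name: str, header: bytes) -> str:
    """Classify a file from its name and its first bytes."""
    ext = os.path.splitext(name)[1].lower()
    hit = identify(header)
    if hit:
        label, exts = hit
        return "ok" if ext in exts else f"extension mismatch: content is {label}"
    # No signature as stored: see whether undoing a rotation exposes one.
    for n in range(1, 8):
        hit = identify(rotate_right(header, n))
        if hit:
            return f"bit-shifted by {n}: content is {hit[0]}"
    return "unknown"

# Constructed sample headers (not taken from any real evidence file).
PDF = b"%PDF-1.7\n"
JPG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF"
SHIFTED = bytes(((b << 1) | (b >> 7)) & 0xFF for b in PDF)  # rotated left by 1

if __name__ == "__main__":
    for name, head in [("report.pdf", PDF), ("notes.txt", JPG), ("data.bin", SHIFTED)]:
        print(f"{name}: {triage(name, head)}")
```

A result of "unknown" only means that none of the listed signatures matched, with or without rotation; encrypted or otherwise transformed content also lands there.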

Understanding Steganalysis Methods

• Steganography - comes from the Greek word for "hidden writing"
o Hiding messages in such a way that only the intended recipient knows the message is there
• Steganalysis - term for detecting and analysing steganography files
• Digital watermarking - developed as a way to protect file ownership
o Usually not visible when used for steganography

Examining Encrypted Files

• To decode an encrypted file
o Users supply a password or passphrase
• Many encryption programs use a technology called "key escrow"
o Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
• Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology

Recovering Passwords

• Password-cracking tools are available for handling password-protected data or systems
o Some are integrated into digital forensics tools
• Stand-alone tools:
o Last Bit
o AccessData PRTK
o Ophcrack
o John the Ripper
o Passware
• Brute-force attacks
o Use every possible letter, number and character found on a keyboard
o This method can require a lot of time and processing power
• Dictionary attack
o Uses common words found in the dictionary and tries them as passwords
o Most use a variety of languages

Understanding the importance of reports

• Communicate the results of your investigation
o Including expert opinion
• Forensic reports can
o Provide justification for collecting more evidence
o Be used at a probable cause hearing
o Communicate expert opinion
• Many courts require expert witnesses to submit written reports
