1 Digital Forensics 02

Preliminary concepts of computer forensics

Computer Forensics

- Preliminary Concepts and techniques -


Concepts
• Bits, bytes and numbering schemes
• Hexadecimal (prefix 0x)

• Binary to text
• ASCII (128 characters / 94 printable)

• UNICODE (all possible characters)

• File Carving
• File carving means locating and mining out files from amorphous blobs
of data (e.g., unallocated space). The first step in the file carving process
is to identify the potential file (normally from the header, if it has one).
Once the footer is found, the file can be extracted through a simple
copy and paste as long as it is stored contiguously.

• Fragmented files are more difficult to recover.
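The header/footer carving described above, as an added example that is not part of the original slides: it scans a constructed blob of "unallocated space" for the standard JPEG and PNG magic bytes, copies out each contiguous header-to-footer run, and skips a header whose footer never appears (the fragmented or truncated case). The small helper also renders bytes the way a hex editor's text column does, tying back to the hex and ASCII points above. The sample blob, file bodies and signature table are constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Header/footer pairs used by the carver. The magic bytes are the standard
# JPEG (SOI/EOI markers) and PNG (signature/IEND chunk) values.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset of the header inside the blob
    data: bytes

    def hex_header(self) -> str:
        """First four bytes as a 0x-prefixed hex string, as a hex editor shows them."""
        return "0x" + self.data[:4].hex()


def ascii_preview(data: bytes) -> str:
    """Text column of a hex dump: the printable ASCII range (0x20-0x7E) is
    shown as-is, every other byte value as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def carve(blob: bytes, max_size: int = 1 << 20) -> List[CarvedFile]:
    """Locate known headers in an unstructured blob (e.g. unallocated space).
    When the matching footer appears within max_size bytes, the contiguous
    run from header to footer is copied out as one file. A header with no
    footer in range is left alone: that file is fragmented or truncated and
    needs more work than a straight copy."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # skip this header, keep scanning
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda f: f.offset)


# Constructed sample "unallocated space": slack bytes, a tiny JPEG, a tiny
# PNG and a JPEG whose tail (and footer) was overwritten.
SLACK = b"\x00" * 16
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR..IDAT.." + b"IEND\xae\x42\x60\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"no footer follows"
BLOB = SLACK + JPEG + SLACK + PNG + SLACK + TRUNCATED_JPEG


if __name__ == "__main__":
    for f in carve(BLOB):
        print(f"{f.kind} at offset {f.offset}: header {f.hex_header()}, "
              f"{len(f.data)} bytes, preview '{ascii_preview(f.data)}'")
```

Running it recovers the JPEG at offset 16 and the PNG after it; the truncated JPEG is reported by nothing, which is exactly the case where a carver has to fall back on slower, structure-aware recovery.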


Digital Forensics Lab

FIGURE 3.1 One of the workstations in the West Virginia State Police Digital Forensics Lab located at the Marshall University Forensic Science Center. (Courtesy of Cpl. Bob Boggs.)
Hardware & Software in a digital forensics Lab
Table 3.2 Some hardware and software tools that may be found in a digital forensics laboratory (tool and vendor, use, URL):
• Forensic Toolkit (Access Data Group, LLC): multipurpose tool (acquisition, verification, searching, reporting, wiping, etc.); http://accessdata.com
• EnCase (Guidance Software, Inc.): multipurpose tool (acquisition, verification, searching, reporting, wiping, etc.); http://www.guidancesoftware.com
• SMART & SMART for Linux (ASR Data, Data Acquisition and Analysis, LLC): multipurpose tool (acquisition, verification, searching, reporting, wiping, etc.); http://www.asrdata.com/forensic-software/
• X-Ways Forensics (X-Ways Software Technology AG): multipurpose tool (acquisition, verification, searching, reporting, wiping, etc.); http://www.x-ways.net/forensics/
• Helix3 Pro (e-fense, Inc.): multipurpose tool (acquisition, verification, searching, reporting, wiping, etc.); http://www.e-fense.com/products.php
• Softblock, Macquisition, Blacklight (BlackBag Technologies, Inc.): multiple Macintosh forensic tools; https://www.blackbagtech.com/forensics.html
• Mac Marshall (Architecture Technology Corporation): multiple Macintosh forensic tools; http://www.macmarshal.com/
• Raptor (Forward Discovery, Inc.): Linux-based acquisition and preview tool; http://www.forwarddiscovery.com/Raptor
• Dossier (Logicube, Inc.): hardware acquisition; http://www.logicube.com/
• Forensic hardware tools (Tableau): write blockers, bridges, storage, acquisition; http://www.tableau.com/
• Wiebetech: storage, write blockers, etc.; http://www.wiebetech.com/home.php
Preparing a Computer Investigation
• Your role as a computer forensics professional is to
gather evidence from a suspect’s computer and
determine whether the suspect committed a crime or
violated a company policy.
• You need to follow a well-defined methodology to
prepare the case
• By approaching each case methodically, you can evaluate the
evidence thoroughly and document the chain of evidence, or
chain of custody, which is the route the evidence takes from
the time you find it until the case is closed or goes to court.
Sample Crime Scene
• The police raided a suspected drug dealer’s home and found a
computer, several floppy disks and USB drives, a personal digital
assistant (PDA), and a cell phone in a bedroom.

• The computer was “bagged and tagged,” meaning it was placed
in evidence bags along with the storage media and then labeled
with tags as part of the search and seizure.
Systematic Approach
• Make an initial assessment about the type of case you’re investigating
• Determine a preliminary design or approach to the case
• Create a detailed checklist (estimate amount of time for each step)
• Determine the resources you need
• Obtain and forensically copy an evidence drive
• Identify the risks
• Mitigate or minimize the risks
• Test the design (e.g., check that media are correctly copied)
• Analyze and recover the digital evidence
• Investigate the data you recover
• Complete the case report
• Critique the case (i.e., self-evaluation)
Case assessment
• Outline the case details systematically, including the nature of
the case, the type of evidence available, and the location of
the evidence
• Sample case (Company Policy Violation):
• Manager Steve Billings has been receiving complaints from customers
about the job performance of one of his sales representatives, George
Montgomery. George has worked as a representative for several years.
He’s been absent from work for two days but hasn’t called in sick or told
anyone why he wouldn’t be at work. Another employee, Martha, is also
missing and hasn’t informed anyone of the reason for her absence. Steve
asks the IT Department to confiscate George’s hard drive and all storage
media in his work area. He wants to know whether there’s any
information on George’s computer and storage media that might offer a
clue to George’s whereabouts and job performance concerns.
Sample assessment (con’t)
• Steve Billings had the IT Department confiscate all of George’s storage media that might contain
information about his whereabouts. After talking to George’s co-workers, Steve learned that
George has been conducting a personal business on the side using company computers.
Therefore, the focus of the case has changed from a missing person to a possible employee
abuse of corporate resources.
• Preliminary Assessment:
• Situation—Employee abuse case.

• Nature of the case—Side business conducted on the employer’s computer.

• Specifics of the case—The employee is reportedly conducting a side business on his employer’s
computer that involves registering domain names for clients and setting up their Web sites at local ISPs.
Co-workers have complained that he’s been spending too much time on his own business and not
performing his assigned work duties. Company policy states that all company-owned computing assets
are subject to inspection by company management at any time. Employees have no expectation of
privacy when operating company computer systems.

• Type of evidence—Small-capacity USB drive.

• Operating system—Microsoft Windows XP.

• Known disk format—FAT16.

• Location of evidence—One USB drive recovered from the employee’s assigned computer.
Assessment (con’t)
• Case requirements:
• You now know that the nature of the case involves employee abuse of company
assets, and you’re looking for evidence that an employee was conducting a side
business using his employer’s computers. On the USB drive retrieved from
George’s computer, you’re looking for any information related to Web sites,
ISPs, or domain names. You know that the computer OS is Windows XP, and the
USB drive uses the FAT16 file system. To duplicate the USB drive and find
deleted and hidden files, you need a reliable computer forensics tool. Because
the USB drive has already been retrieved, you don’t need to seize the drive
yourself.

• This case is the Domain Name case. Your task is to gather data from the storage
media seized to confirm or deny the allegation that George is conducting a side
business on company time and computers.

• Remember that he’s suspected only of asset abuse, and the evidence you obtain
might be exculpatory—meaning it could prove his innocence. You must always
maintain an unbiased perspective and be objective in your fact-findings.
Planning the Investigation
• You have already determined the kind of evidence you need; now
you can identify the specific steps to gather the evidence, establish a
chain of custody, and perform the forensic analysis.
• Acquire the USB drive from George’s manager.

• Complete an evidence form and establish a chain of custody.

• Transport the evidence to your computer forensics lab.

• Place the evidence in an approved secure container.

• Prepare your forensic workstation.

• Retrieve the evidence from the secure container.

• Make a forensic copy of the evidence drive (in this case, the USB drive).

• Return the evidence drive to the secure container.

• Process the copied evidence drive with your computer forensics tools.
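The "make a forensic copy" and "test the design (check that media are correctly copied)" steps above, as an added example that is not part of the original slides: the source is streamed bit for bit into an image file, hashed while it is read, and the finished image is hashed again so the two digests can be compared and recorded on the evidence form. The 128 KiB sample "device" and the single-byte corruption in demo() are constructed for this example; hashlib, tempfile and pathlib are Python standard-library modules.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size; keeps memory flat for multi-GB media


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: Path, image: Path) -> dict:
    """Copy `source` bit for bit into `image`. The source is hashed as it is
    read (so the digest describes exactly the bytes that were copied) and the
    finished image is hashed separately; the two must agree or the copy is
    not a trustworthy duplicate. The source is only ever opened read-only,
    but on real media a hardware write blocker is what enforces that."""
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    source_digest = src_hash.hexdigest()
    image_digest = sha256_of(image)
    return {
        "bytes": size,
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "verified": source_digest == image_digest,
    }


def verify_image(image: Path, expected_sha256: str) -> bool:
    """Re-hash an image later (before analysis, before court) and compare it
    with the digest recorded at acquisition time."""
    return sha256_of(image) == expected_sha256


def demo() -> dict:
    """Run the acquire/verify cycle on a constructed 128 KiB stand-in for the
    evidence USB drive, then corrupt one byte of the image to show that the
    recorded digest catches it."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = Path(workdir) / "usb_drive.bin"   # constructed sample device
        evidence.write_bytes(bytes(range(256)) * 512)
        image = Path(workdir) / "usb_drive.dd"
        report = acquire_image(evidence, image)
        report["reverify_ok"] = verify_image(image, report["source_sha256"])

        damaged = bytearray(image.read_bytes())
        damaged[1000] ^= 0x01
        image.write_bytes(damaged)
        report["tamper_detected"] = not verify_image(image, report["source_sha256"])
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digest recorded at acquisition is what later proves the working copy still equals what was seized; analysis is done on the image (or a copy of it), and the original goes straight back into the secure container.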
Evidence Custody Form
• Case number—The number your organization assigns when an investigation is initiated.
• Investigating organization—The name of your organization.

• Investigator—The name of the investigator assigned to the case. If many investigators are
assigned, specify the lead investigator’s name.

• Nature of case—A short description of the case. For example, in a corporate environment,
it might be “Data recovery for corporate litigation” or “Employee policy violation case.”

• Location evidence was obtained—The exact location where the evidence was collected. If
you’re using multi-evidence forms, a new form should be created for each location.

• Description of evidence—A list of the evidence items, such as “hard drive, 20 GB” or
“one USB drive, 128 MB.” On a multi-evidence form, write a description for each item of
evidence you acquire.

• Vendor name—The name of the manufacturer of the computer evidence. List a 20 GB
hard drive, for example, as a Western Digital 20 GB hard drive.

• Model number and/or serial number—List the model number or serial number (if
available) of the computer component. Many computer components, including hard drives,
memory chips, and expansion slot cards, have model numbers but not serial numbers.

• Evidence recovered by—The name of the investigator who recovered the evidence. The
chain of custody for evidence starts with this information. If you insert your name, for
example, you’re declaring that you have taken control of the evidence. It’s now your
responsibility to ensure that nothing damages the evidence and no one tampers with it. The
person placing his or her name on this line is responsible for preserving, transporting, and
securing the evidence.

• Date and time—The date and time the evidence was taken into custody. This information
establishes exactly when the chain of custody starts.

• Evidence placed in locker—Specifies which approved secure container is used to store
evidence and when the evidence was placed in the container.

• Item #/Evidence processed by/Disposition of evidence/Date/Time—When you or
another authorized investigator retrieves evidence from the evidence locker for processing
and analysis, list the item number and your name, and then describe what was done to the
evidence.

• Page—The forms used to catalog all evidence for each location should have page numbers.
List the page number, and indicate the total number of pages for this group of evidence.

Figure 2-2 A sample multi-evidence form used in a corporate environment
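The custody form fields above, turned into an added example that is not part of the original slides: each "evidence processed by / disposition / date / time" line becomes an entry that commits to the previous one with a SHA-256 hash, so that editing or deleting any earlier line is detectable, and the last entry for an item tells you who is currently responsible for it. The case number, investigator name and timestamps in build_sample_log() are constructed placeholders, not values from the Domain Name case text.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class CustodyEntry:
    item: str         # description of evidence, e.g. "one USB drive, 128 MB"
    action: str       # what was done: recovered, placed in locker, retrieved, imaged, returned
    by: str           # investigator whose name goes on the line
    when: str         # date and time, ISO 8601, as written on the form
    prev_hash: str    # hash of the previous entry; chains the log together
    entry_hash: str = ""


def hash_entry(e: CustodyEntry) -> str:
    """SHA-256 over the entry's fields (except its own hash), in a fixed
    serialisation so the value is reproducible."""
    payload = json.dumps(
        {"item": e.item, "action": e.action, "by": e.by,
         "when": e.when, "prev_hash": e.prev_hash},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only custody record for one case. Each entry commits to the
    previous one, so editing or deleting an earlier line breaks every hash
    after it and verify() points at the first inconsistent entry."""

    def __init__(self, case_number: str, organization: str):
        self.case_number = case_number
        self.organization = organization
        self.entries: List[CustodyEntry] = []

    def record(self, item: str, action: str, by: str, when: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(item, action, by, when, prev)
        entry.entry_hash = hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if every entry links correctly to its predecessor and matches
        its own hash; otherwise the index of the first entry that does not."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or hash_entry(e) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def custodian_of(self, item: str) -> Optional[str]:
        """Who last signed for the item (the person currently responsible)."""
        for e in reversed(self.entries):
            if e.item == item:
                return e.by
        return None


def build_sample_log() -> CustodyLog:
    """Constructed walk-through of the USB drive from the Domain Name case;
    the case number, investigator and times are placeholders."""
    usb = "one USB drive, 128 MB"
    log = CustodyLog(case_number="CASE-0001", organization="Example Corp IT Security")
    log.record(usb, "recovered from the manager", "J. Investigator", "2023-03-14T09:10:00")
    log.record(usb, "placed in evidence locker 3", "J. Investigator", "2023-03-14T09:45:00")
    log.record(usb, "retrieved for imaging", "J. Investigator", "2023-03-14T13:00:00")
    log.record(usb, "forensic image made, SHA-256 recorded", "J. Investigator", "2023-03-14T13:30:00")
    log.record(usb, "returned to evidence locker 3", "J. Investigator", "2023-03-14T13:40:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    log.entries[2].by = "A. Nobody"      # someone edits a line after the fact
    print("first bad entry:", log.verify())
```

A paper form relies on initials and ink; the hash chain gives an electronic form the same property, provided the entry hashes are also written somewhere the editor cannot reach (a printed copy, a signed export).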
Securing Evidence
• To secure and catalog the evidence contained in large computer components,
you can use large evidence bags, tape, tags, labels, and other products available
from police supply vendors or office supply stores.
• Be cautious when handling any computer component to avoid damaging the component or
coming into contact with static electricity, which can destroy digital data. (anti-static bags,
antistatic pad with an attached wrist strap).
• Be sure to place computer evidence in a well-padded container. Padding prevents damage to
the evidence as you transport it to your secure evidence locker, evidence room, or computer
lab.
• If the computer component is large and contained in its own casing, such as a CPU cabinet, you
can use evidence tape to seal all openings on the cabinet. Placing evidence tape over drive
bays, insertion slots for power supply cords and USB cables, and any other openings ensures
the security of evidence.
• As a standard practice, you should write your initials on the tape before applying it to the evidence. This
practice makes it possible to prove later in court that the evidence hasn’t been tampered with because the
casing couldn’t have been opened nor could power have been supplied to the closed casing with this
tape in place.

• REMEMBER! Computer components require specific temperature and humidity ranges. If it’s
too cold, hot, or wet, computer components and magnetic media can be damaged.
Sample Formal Procedures
Internet Abuse Investigation: Misuse of an Organization’s internal private network
• Elements to consider:
• The organization’s Internet proxy server logs
• Suspect computer’s IP address obtained from your organization’s network administrator

• Suspect computer’s disk drive


• Computer forensics analysis tool

• Recommended processing:
• Use standard forensic analysis techniques and procedures for the disk drive examination.

• Using specific tools such as DataLifter or Forensic Toolkit’s Internet keyword search option, extract all Web page URL
information.
• Contact the network firewall administrator and request a proxy server log, if it’s available, of the suspect computer’s
network device name or IP address for the dates of interest. Consult with your organization’s network administrator to
confirm that these logs are maintained and how long the time to live (TTL) is set for the network’s IP address
assignments in case of Dynamic Host Configuration Protocol (DHCP) use.
• Compare the data recovered from forensic analysis to the proxy server log data to confirm that they match.

• If the URL data matches the proxy server log and the forensic disk examination, continue analyzing the suspect
computer’s drive data, and collect any relevant downloaded inappropriate pictures or Web pages that support the
allegation.
• If there are no matches between the proxy server logs and the forensic examination, and the examination shows no
contributing evidence, report that the allegation is unsubstantiated.
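The comparison step above, as an added example that is not part of the original slides: URLs recovered from the suspect drive are set against the proxy log for the dates of interest, with each log line attributed to a workstation through the DHCP lease that was in force at that timestamp rather than by raw IP address, which is why the slides tell you to ask about lease TTLs. The proxy log format, lease history, hostnames, .example URLs and the recovered-URL set are all constructed for this example.

```python
from datetime import datetime
from typing import Dict, List, Set

# Constructed proxy log: "timestamp client-ip method url status" per line.
PROXY_LOG = """\
2023-03-14T09:12:05 10.1.4.23 GET http://registrar.example/cart 200
2023-03-14T09:13:41 10.1.4.23 GET http://hosting-isp.example/signup 200
2023-03-14T11:02:10 10.1.4.51 GET http://intranet.example/timesheet 200
2023-03-15T08:30:00 10.1.4.23 GET http://registrar.example/whois?d=clientsite.example 200
2023-03-16T14:05:22 10.1.4.23 GET http://news.example/ 200
"""

# Constructed DHCP lease history: (ip, hostname, lease_start, lease_end).
# The suspect's workstation held 10.1.4.23 only until the 15th; afterwards the
# same address was handed to a different machine.
DHCP_LEASES = [
    ("10.1.4.23", "WS-SUSPECT",   "2023-03-14T00:00:00", "2023-03-15T23:59:59"),
    ("10.1.4.23", "WS-VISITOR07", "2023-03-16T00:00:00", "2023-03-17T23:59:59"),
    ("10.1.4.51", "WS-OTHER",     "2023-03-14T00:00:00", "2023-03-17T23:59:59"),
]

# Constructed URL artefacts recovered from the suspect drive by the forensic
# tool (browser history, cache, carved fragments).
DISK_URLS = {
    "http://registrar.example/cart",
    "http://hosting-isp.example/signup",
    "http://registrar.example/whois?d=clientsite.example",
    "http://personal-mail.example/inbox",
}


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """One dict per non-empty log line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url, status = line.split()
        entries.append({"ts": ts, "ip": ip, "method": method, "url": url, "status": status})
    return entries


def host_for(ip: str, ts: str, leases) -> str:
    """Hostname that held `ip` at time `ts` according to the lease history,
    or '' if no lease covers that moment (then the line cannot be attributed)."""
    t = datetime.fromisoformat(ts)
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return host
    return ""


def proxy_urls_for_host(entries, hostname: str, leases, start: str, end: str) -> Set[str]:
    """URLs the proxy saw from `hostname` between start and end, attributing
    each line through the lease in force at its timestamp."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return {
        e["url"] for e in entries
        if t0 <= datetime.fromisoformat(e["ts"]) <= t1
        and host_for(e["ip"], e["ts"], leases) == hostname
    }


def correlate(disk_urls: Set[str], proxy_urls: Set[str]) -> Dict[str, Set[str]]:
    """Split both sources into corroborated and uncorroborated URLs."""
    return {
        "matched": disk_urls & proxy_urls,
        "disk_only": disk_urls - proxy_urls,
        "proxy_only": proxy_urls - disk_urls,
    }


def run_case() -> Dict[str, Set[str]]:
    entries = parse_proxy_log(PROXY_LOG)
    proxy_urls = proxy_urls_for_host(entries, "WS-SUSPECT", DHCP_LEASES,
                                     "2023-03-14T00:00:00", "2023-03-16T23:59:59")
    return correlate(DISK_URLS, proxy_urls)


if __name__ == "__main__":
    for bucket, urls in run_case().items():
        print(bucket, sorted(urls))
```

The 16 March line from 10.1.4.23 drops out of the suspect's set because the lease had moved to another machine; matching on IP alone would have attributed someone else's browsing to him. "disk_only" URLs (here a personal mail site) are still evidence from the drive, just not corroborated by the proxy.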
Sample Formal Procedures
E-mail Abuse Investigation: spam, inappropriate message content (harassment, threats)
• Elements to consider:
• An electronic copy of the offending e-mail that contains message header data

• If available, e-mail server log records

• For e-mail systems that store users’ messages on a central server, access to the server

• For e-mail systems that store users’ messages on a computer as an Outlook .pst or .ost file, for example,
access to the computer so that you can perform a forensic analysis on it

• Computer forensics analysis tools

• Recommended processing:
• For computer-based e-mail data files, such as Outlook .pst or .ost files, use the standard forensic analysis
techniques and procedures for hard drive examination.

• For server-based e-mail data files, contact the e-mail server administrator and obtain an electronic copy
of the suspect and victim’s e-mail folder or data.

• For Web-based e-mail investigations, such as Yahoo or Gmail, use tools such as Forensic Toolkit’s Internet
keyword search option to extract all related e-mail address information.

• Examine header data of all messages of interest to the investigation.
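The header examination step above, as an added example that is not part of the original slides: a message is parsed with Python's standard-library email module, the Received headers are walked bottom-up to recover the relay path and the host that first injected the message, and the From domain is compared with the Return-Path domain, a mismatch being one of the first things to note when the visible sender is in question. The message, hosts and addresses are constructed for this example (documentation IP ranges and .example domains).

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed message. Received headers are read bottom-up: the lowest one
# was added by the first relay and names the host that injected the message.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example>
Received: from mx.corp.example (mx.corp.example [198.51.100.7])
    by mail.corp.example with ESMTP id abc123; Tue, 14 Mar 2023 09:15:02 +0000
Received: from relay.mailer.example (relay.mailer.example [203.0.113.9])
    by mx.corp.example with ESMTP; Tue, 14 Mar 2023 09:15:01 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
    by relay.mailer.example with ESMTPA; Tue, 14 Mar 2023 09:14:58 +0000
From: "Steve Billings" <steve.billings@corp.example>
To: george.montgomery@corp.example
Subject: Urgent
Message-ID: <20230314091458.1234@relay.mailer.example>
Date: Tue, 14 Mar 2023 09:14:57 +0000

Please review.
"""

# "from <claimed host> ... [<ip>]" inside one Received header (folded lines included)
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.DOTALL)


def received_chain(msg: Message) -> List[Tuple[str, str]]:
    """(claimed host, IP) per hop, oldest hop first."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def header_findings(raw: str) -> Dict[str, object]:
    """The facts an examiner records from the header block of one message."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "origin_ip": hops[0][1] if hops else None,
        "hops": hops,
        "from": from_addr,
        "return_path": return_path,
        # visible sender domain vs. envelope (bounce) domain
        "envelope_mismatch": from_addr.rsplit("@", 1)[-1] != return_path.rsplit("@", 1)[-1],
        "message_id": msg.get("Message-ID"),
    }


if __name__ == "__main__":
    for key, value in header_findings(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the hop added by your own mail server is fully trustworthy; everything below it was written by other systems and is recorded as claimed, not proven, which is why the server log records listed above matter.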


Sample Formal Procedures
Media Leak Investigation: an organization’s sensitive data sent to a news reporter
• Elements needed:
• Examine e-mail, both the organization’s e-mail servers and private e-mail accounts (Hotmail, Yahoo!, Gmail, and so on), on company-owned computers.

• Examine Internet message boards, and search the Internet for any information about the company or product. Use Internet search engines to run
keyword searches related to the company, product, or leaked information.

• Examine proxy server logs to check for log activities that might show use of free e-mail services, such as Gmail. Track back to the specific workstations
where these messages originated and perform a forensic analysis on the drives to help determine what was communicated.

• Examine known suspects’ workstations, perform computer forensics examinations on persons of interest, and develop other leads on possible
associates.

• Examine all company phone records for any calls to known media organizations.

• Recommended processing:
• Interview management privately to get a list of employees who have direct knowledge of the sensitive data.

• Identify the media source that published the information.

• Review company phone records to see who might have had contact with the news service.

• Obtain a list of keywords related to the media leak.

• Perform keyword searches on proxy and e-mail servers.

• Discreetly conduct forensic disk acquisitions and analysis of employees of interest.

• From the forensic disk examinations, analyze all e-mail correspondence and trace any sensitive messages to other people who haven’t been listed as
having direct knowledge of the sensitive data.

• Expand the discreet forensic disk acquisition and analysis for any new persons of interest.

• Consolidate and review your findings periodically to see whether new clues can be discovered.

• Report findings to management routinely, and discuss how much further to continue the investigation.
Sample Formal Procedures
Industrial Espionage: beware of cases involving foreign countries! [treated as criminal investigations]
• Elements to consider:
• Determine whether this investigation involves a possible industrial espionage incident, and then determine whether it falls under
specific local regulations.

• Consult with corporate attorneys and upper management if the investigations must be conducted discreetly.

• Determine what information is needed to substantiate the allegation of industrial espionage.

• Generate a list of keywords for disk forensics and network monitoring.

• List and collect resources needed for the investigation.

• Determine the goal and scope of the investigation; consult with management and the company’s attorneys on how much work you
should do.

• Initiate the investigation after approval from management, and make regular reports of your activities and findings.

• Recommended processing:
• Examine all e-mail of suspected employees, both company-provided e-mail and free Web-based services.

• Search Internet newsgroups or message boards for any postings related to the incident.

• Initiate physical surveillance with cameras on people or things of interest to the investigation.

• If available, examine all facility physical access logs for sensitive areas, which might include secure areas where smart badges or video
surveillance recordings are used.

• If there’s a suspect, determine his or her location in relation to the vulnerable asset that was compromised.

• Study the suspect’s work habits.

• Collect all incoming and outgoing phone logs to see whether any unique or unusual places were called.
Interviews and Interrogation
• An interrogation is different from an interview. An interview is usually conducted to collect
information from a witness or suspect about specific facts related to an investigation. An
interrogation is the process of trying to get a suspect to confess to a specific incident or crime.
• If you’re asked to assist in an interview or interrogation, prepare yourself by answering the
following questions:
• What questions do I need to ask the suspect to get the vital information about the case?

• Do I know what I’m talking about, or will I have to research the topic or technology related to the
investigation?

• Do I need additional questions to cover other indirect issues related to the investigation?

• Make sure you don’t run out of conversation topics; you need to keep the conversation friendly
to gain the suspect’s confidence.
• Avoid doubting your own skills, which might show the suspect you lack confidence in your ability.
• Ingredients for a successful interview:
• Be patient
• Repeat or rephrase questions on specific facts

• Be tenacious
Workstation for Computer Forensics
• Workstation running the most appropriate OS
• Write-blocker device
• Computer forensics acquisition tool
• Computer forensics analysis tool
• Target drive(s) with enough storage capacity
• Spare HD ports (e.g., SATA)
• USB ports
• Additional useful components:
• Network interface card (NIC)

• Extra USB ports

• FireWire ports

• SCSI card

• Disk editor tool

• Text editor tool

• Graphics viewer program

• Other specialized viewing tools
