Chapter 09
and Investigations
Sixth Edition
Chapter 9
Digital Forensics Analysis and Investigation
Objectives
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 2
classroom use.
Determining What Data to Collect and Analyze
• Examining and analyzing digital evidence depend on the nature of the investigation
• And the amount of data to process
• Scope creep - when an investigation expands beyond the original description
• Because of unexpected evidence found
• Attorneys may ask investigators to examine other areas to recover more evidence
• Increases the time and resources needed to extract, analyze, and present evidence
Approaching Digital Forensics Cases (1 of 3)
• Begin a case by creating an investigation plan that defines the:
• Goal and scope of investigation
• Materials needed
• Tasks to perform
• The approach you take depends largely on the type of case you’re investigating
• Corporate, civil, or criminal
Approaching Digital Forensics Cases (2 of 3)
• Follow these basic steps for all digital forensics investigations:
• 1. For target drives, use recently wiped media that have been reformatted and inspected for viruses
• 2. Inventory the hardware on the suspect’s computer and note the condition of the seized computer
• 3. For static acquisitions, remove the original drive and check the date and time values in the system’s CMOS
• 4. Record how you acquired data from the suspect drive
• 5. Process the drive’s contents methodically and logically
• 6. List all folders and files on the image or drive
• 7. Examine the contents of all data files in all folders
• 8. Recover file contents for all password-protected files
• 9. Identify the function of every executable file that doesn’t match known hash values
• 10. Maintain control of all evidence and findings
Approaching Digital Forensics Cases (3 of 3)
• Refining and Modifying the Investigation Plan
• Even if the initial plan is sound, at times you may need to deviate from it and follow the evidence
• Knowing the types of data to look for helps you make the best use of your time
• The key is to start with a plan but remain flexible in the face of new evidence
Using Autopsy to Analyze Data (1 of 6)
Using Autopsy to Analyze Data (2 of 6)
Using Autopsy to Analyze Data (3 of 6)
Using Autopsy to Analyze Data (4 of 6)
Using Autopsy to Analyze Data (5 of 6)
Using Autopsy to Analyze Data (6 of 6)
Validating Forensic Data
Validating with Hexadecimal Editors (1 of 6)
• Advanced hexadecimal editors offer features not available in digital forensics tools, such as:
• Hashing specific files or sectors
• With the hash value in hand
• You can use a forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file
• WinHex provides MD5 and SHA-1 hashing algorithms
Validating with Hexadecimal Editors (2 of 6)
Validating with Hexadecimal Editors (3 of 6)
Validating with Hexadecimal Editors (4 of 6)
Validating with Hexadecimal Editors (5 of 6)
• Advantage of recording hash values
• You can determine whether data has changed
• Block-wise hashing
• A process that builds a data set of hashes of sectors from the original file
• Then examines sectors on the suspect’s drive to see whether any other sectors match
• If an identical hash value is found, you have confirmed that the file was stored on the suspect’s drive
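A minimal block-wise hashing pass, as an added Python example (not from the textbook or any tool it names): it hashes every sector of a known file, then scans a constructed suspect image for sectors with the same hash, skipping blank sectors whose hash would match any zero-filled region. The 512-byte sector size and the sample data are assumptions.

```python
import hashlib

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def is_blank(sector: bytes) -> bool:
    """All-zero (or all-0xFF) sectors occur everywhere; matching them proves nothing."""
    return sector.count(sector[0]) == len(sector) and sector[0] in (0x00, 0xFF)


def sector_hashes(known_file: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Build the data set: MD5 of each full sector of the known file -> sector numbers."""
    table = {}
    for off in range(0, len(known_file) - sector_size + 1, sector_size):
        sector = known_file[off:off + sector_size]
        if is_blank(sector):
            continue
        table.setdefault(hashlib.md5(sector).hexdigest(), []).append(off // sector_size)
    return table


def find_matches(image: bytes, table: dict, sector_size: int = SECTOR_SIZE) -> list:
    """Scan each sector of the suspect image; return (image sector, matching known sectors)."""
    hits = []
    for off in range(0, len(image) - sector_size + 1, sector_size):
        sector = image[off:off + sector_size]
        if is_blank(sector):
            continue
        digest = hashlib.md5(sector).hexdigest()
        if digest in table:
            hits.append((off // sector_size, table[digest]))
    return hits


# Constructed sample data: a three-sector "known file" and a small suspect image that
# contains only its middle sector (at image sector 3), surrounded by blank and unrelated data.
KNOWN_FILE = b"".join(bytes([0x41 + k]) * SECTOR_SIZE for k in range(3))
SUSPECT_IMAGE = (bytes(SECTOR_SIZE) * 2
                 + bytes([0x5A]) * SECTOR_SIZE
                 + KNOWN_FILE[SECTOR_SIZE:2 * SECTOR_SIZE]
                 + bytes([0xFF]) * SECTOR_SIZE)

if __name__ == "__main__":
    for image_sector, known_sectors in find_matches(SUSPECT_IMAGE, sector_hashes(KNOWN_FILE)):
        print(f"image sector {image_sector} matches known-file sector(s) {known_sectors}")
```

Only sectors that are distinctive to the known file carry weight: a header sector shared by every file of the same format would match any such file, so a hit on that sector alone confirms nothing.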
Validating with Hexadecimal Editors (6 of 6)
• Using Hash Values to Discriminate Data
• AccessData has its own hashing database, Known File Filter (KFF)
• KFF filters known program files, such as winword.exe, from view and contains hash values of known illegal files
• It compares known file hash values with files on your evidence drive to see whether they contain suspicious data
• Other digital forensics tools can import the NSRL database and run hash comparisons
Periodically, AccessData updates these known hash values and posts an updated KFF. The NIST National Software Reference Library maintains a national database of updated file hash values for a variety of OSs, applications, and images; however, it doesn’t list hash values of known illegal files.
Validating with Digital Forensics Tools (1 of 3)
• In AccessData FTK Imager, when selecting the Expert Witness (.e01) or SMART (.s01) format:
• Additional options for hashing all the data are available
• Validation report lists MD5 and SHA-1 hash values
• Follow steps starting on page 393 to see how to use WinHex to hash an image file and then compare it with the original hash value FTK Imager calculated
Validating with Digital Forensics Tools (2 of 3)
Validating with Digital Forensics Tools (3 of 3)
Addressing Data-Hiding Techniques
Hiding Files by Using the OS
Hiding Partitions (1 of 4)
Hiding Partitions (2 of 4)
Hiding Partitions (3 of 4)
Hiding Partitions (4 of 4)
Marking Bad Clusters
Bit-Shifting (1 of 4)
• Some users use a low-level encryption program that changes the order of binary data
• Makes altered data unreadable
• To secure a file, users run an assembler program (also called a “macro”) to scramble bits
• Run another program to restore the scrambled bits to their original order
• Bit shifting changes data from readable code to data that looks like binary executable code
• WinHex and Hex Workshop include a feature for shifting bits
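The scramble-and-restore cycle described above, plus a check for recognizing bit-shifted text, as an added Python example (not from the textbook, WinHex or Hex Workshop): each byte's bits are rotated left to scramble and right to restore, and likely_shift() reports which rotation turns a suspect buffer back into ASCII. The rotate-within-a-byte scheme and the sample text are assumptions.

```python
import string

PRINTABLE = set(string.printable.encode())  # ASCII text including whitespace


def rotate_left(data: bytes, n: int) -> bytes:
    """Scramble: rotate the bits of every byte left by n positions (the bit-shift step)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def rotate_right(data: bytes, n: int) -> bytes:
    """Restore: rotate the bits of every byte right by n positions."""
    return rotate_left(data, (8 - n) % 8)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; readable text scores 1.0."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def likely_shift(data: bytes) -> int:
    """Try every right-rotation 0..7 and return the one that yields the most ASCII text.
    0 means the buffer already reads as text, i.e. no shift is evident."""
    scores = [printable_ratio(rotate_right(data, n)) for n in range(8)]
    return max(range(8), key=lambda n: scores[n])


# Constructed sample: readable text, then its bit-shifted form as a hex editor would show it.
SAMPLE = b"Meeting notes: transfer 2,500 units on Friday.\n"
SCRAMBLED = rotate_left(SAMPLE, 1)

if __name__ == "__main__":
    print("scrambled printable ratio:", round(printable_ratio(SCRAMBLED), 2))
    n = likely_shift(SCRAMBLED)
    print("best right-rotation:", n, "->", rotate_right(SCRAMBLED, n))
```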
Bit-Shifting (2 of 4)
Bit-Shifting (3 of 4)
Bit-Shifting (4 of 4)
Understanding Steganalysis Methods (1 of 3)
• Steganography - comes from the Greek word for “hidden writing”
• Hiding messages in such a way that only the intended recipient knows the message is there
• Steganalysis - term for detecting and analyzing steganography files
• Digital watermarking - developed as a way to protect file ownership
• Usually not visible when used for steganography
Understanding Steganalysis Methods (2 of 3)
• A way to hide data is to use steganography tools
• Many are freeware or shareware
• Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file
• Cracking the encrypted message is extremely difficult
Understanding Steganalysis Methods (3 of 3)
• Steganalysis methods
• Stego-only attack
- Used when only the file containing the possible steganography content is available for analysis.
• Known cover attack
- Used when the cover-media, the original file with no hidden message, and the stego-media, the converted cover-media file that stores the hidden message, are available for analysis.
• Known message attack
- Used when the hidden message is revealed later, allowing further analysis of new messages.
• Chosen stego attack
- Used when a steganography tool and stego-media were used to hide the message content.
• Chosen message attack
- Used to identify corresponding patterns used in stego-media.
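The known cover attack in practice, as an added Python example (not from the textbook): with both cover-media and stego-media in hand, a byte-wise comparison shows how many bytes changed and which bit positions changed, and flags the least-significant-bit-only pattern typical of simple embedding tools. The cover bytes, the constructed embedding used to produce the sample stego-media, and the message are assumptions.

```python
from collections import Counter


def compare_cover_and_stego(cover: bytes, stego: bytes) -> dict:
    """Byte-wise diff of cover-media against stego-media: how much changed, and in which bits."""
    if len(cover) != len(stego):
        return {"same_length": False}  # size change alone already tells the analyst something
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    bit_hist = Counter()
    for i in changed:
        diff = cover[i] ^ stego[i]
        for bit in range(8):
            if diff >> bit & 1:
                bit_hist[bit] += 1
    return {
        "same_length": True,
        "changed_bytes": len(changed),
        "changed_fraction": len(changed) / len(cover),
        "bit_histogram": dict(bit_hist),          # bit position -> number of flips
        "lsb_only": bool(changed) and set(bit_hist) == {0},
        "first_changed_offset": changed[0] if changed else None,
    }


def _constructed_stego(cover: bytes, message: bytes) -> bytes:
    """Sample-data generator only: writes the message bits into the LSBs of the first bytes."""
    out = bytearray(cover)
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


COVER = bytes(range(256)) * 4                 # constructed 1 KiB "cover-media"
STEGO = _constructed_stego(COVER, b"hi")      # constructed "stego-media"

if __name__ == "__main__":
    for key, value in compare_cover_and_stego(COVER, STEGO).items():
        print(f"{key}: {value}")
```

Changes confined to bit 0 and clustered at the start of the file are the signature to look for; a recompressed or re-encoded cover would instead show flips spread across all bit positions.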
Examining Encrypted Files
Recovering Passwords (1 of 4)
Recovering Passwords (2 of 4)
• Brute-force attacks
• Use every possible letter, number, and character found on a keyboard
• This method can require a lot of time and processing power
• Dictionary attack
• Uses common words found in the dictionary and tries them as passwords
• Most use a variety of languages
Recovering Passwords (3 of 4)
• With many programs, you can build profiles of a suspect to help determine his or her password
• Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
• A brute-force attack requires converting a dictionary password from plaintext to a hash value
• Requires additional CPU cycle time
Recovering Passwords (4 of 4)
• Rainbow table
• A file containing the hash values for every possible password that can be generated from a computer’s keyboard
• No conversion necessary, so it is faster than a brute-force or dictionary attack
• Salting passwords
• Alters hash values and makes cracking passwords more difficult
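Why salting defeats a precomputed table, as an added Python example (not from the textbook): a lookup table built from a constructed wordlist reverses an unsalted MD5 with no hashing at all, while a per-user salt stored beside a SHA-256 hash yields a value the table never contains. The wordlist, the 16-byte salt and the choice of SHA-256 are assumptions; a true rainbow table stores hash chains instead of every pair, which does not change the outcome.

```python
import hashlib
import secrets

# Constructed, deliberately tiny wordlist standing in for a precomputed table's input.
WORDLIST = [b"password", b"letmein", b"qwerty", b"dragon"]


def unsalted_hash(password: bytes) -> str:
    """How the slide's unsalted stores keep a password: a bare MD5 of the plaintext."""
    return hashlib.md5(password).hexdigest()


def build_lookup(words) -> dict:
    """Precompute hash -> plaintext once; a rainbow table compresses this into chains."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, digest: str):
    """Reverse a stored hash by table lookup alone, no conversion at query time."""
    return table.get(digest)


def new_salt() -> bytes:
    """Random per-user salt; it is stored in the clear next to the hash."""
    return secrets.token_bytes(16)


def salted_hash(password: bytes, salt: bytes) -> str:
    """Salted storage: the same password gives a different hash for every salt."""
    return hashlib.sha256(salt + password).hexdigest()


def verify(password: bytes, salt: bytes, stored: str) -> bool:
    """Defender-side check, using a constant-time comparison."""
    return secrets.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    salt = new_salt()
    print("unsalted MD5 reversed:", lookup(table, unsalted_hash(b"letmein")))
    print("salted SHA-256 reversed:", lookup(table, salted_hash(b"letmein", salt)))
```

Because the table was built without the salt, every salted entry misses; the table would have to be rebuilt for each distinct salt, which is the extra cost the slide refers to.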