CH 9

Uploaded by

Fatima Noor
Guide to Computer Forensics and Investigations
Sixth Edition
Digital Forensics Analysis and Investigation
Chapter 9
Objectives
• Determine what data to analyze in a digital forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Approaching Digital Forensics Cases (1 of 4)
• Begin a case by creating an investigation plan that defines the:
  • Goal and scope of investigation
  • Materials needed
  • Tasks to perform
• The approach you take depends largely on the type of case you’re investigating
  • Corporate, civil, or criminal
Approaching Digital Forensics Cases (2 of 4)
• Follow these basic steps for all digital forensics investigations:
  1. For target drives, use recently wiped media that have been reformatted and inspected for viruses.
  2. Inventory the hardware on the suspect’s computer, and note the condition of the seized computer (whether on, off, etc.).
  3. For static acquisitions, remove the original drive and check the date and time values in the system’s CMOS.
  4. Record how you acquired data from the suspect drive.
Approaching Digital Forensics Cases (3 of 4)
  5. Process the drive’s contents methodically and logically.
  6. List all folders and files on the image or drive.
  7. Examine the contents of all data files in all folders.
  8. Recover file contents for all password-protected files.
  9. Identify the function of every executable file that doesn’t match hash values.
  10. Maintain control of all evidence and findings.
Using Autopsy to Validate Data
• In previous chapters we used Autopsy for Windows to perform forensics analysis for the following file systems:
  • MS FAT, NTFS, ExFAT
• But did not do the Mac and Linux files (illustrated in Chapter 7)
• In addition, Autopsy can analyze data from several sources, including image files from other vendors. Autopsy can handle many formats, including raw, Expert Witness, and virtual machine image files (.vdi and .vhd).
• To enhance this process, Autopsy has an indexed version of the NIST National Software Reference Library (NSRL) of MD5 hashes, and you can import NSRL reference hashes into Autopsy.
Using Autopsy to Validate Data
• Do the following activities from the textbook:
  • Installing NSRL Hashes in Autopsy: pages 381-383
  • Collecting Hash Values in Autopsy: pages 383-388
Validating Forensic Data
• Ensuring the integrity of data collected is essential for presenting evidence in court
• Most forensic tools offer hashing of image files (the concept and procedure that you used in Lab 2: imaging)
• Using advanced hexadecimal editors ensures data integrity
• Common hashing algorithms are MD5 and SHA-1
• AccessData has its own hashing database, Known File Filter (KFF)
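The two uses of hashing on the last few slides, verifying an image against the hash recorded at acquisition and filtering files against a reference set such as NSRL or KFF, come down to the same operation. The following script is an added example written for this page (it is not from the textbook, Autopsy, or AccessData) showing both: it hashes a file in chunks with MD5 and SHA-1, fails validation when a single bit of the image changes, and classifies a file as "known" when its MD5 appears in a reference set. The image bytes and the reference set are constructed for the demo; nothing here is real NSRL data.

```python
import hashlib
import os
import tempfile

# Constructed sample data standing in for a raw disk image; not real evidence.
SAMPLE_IMAGE = b"constructed raw image content for demonstration\x00" * 64


def write_temp(data, name="evidence.dd"):
    """Write constructed bytes to a temporary file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so multi-gigabyte images never have to
    be loaded into memory at once. Returns {algorithm: hex digest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def validate_image(path, recorded):
    """Recompute the image hashes and compare them with the values the imaging
    tool recorded at acquisition. Returns (all_match, {alg: (recorded, actual)})."""
    actual = hash_file(path, tuple(recorded))
    mismatches = {
        alg: (recorded[alg], actual[alg])
        for alg in recorded
        if recorded[alg].lower() != actual[alg]
    }
    return (not mismatches), mismatches


def classify_known(path, known_md5s):
    """Known-file filtering: a file whose MD5 is in the reference set (NSRL or
    KFF style) can be set aside; everything else needs a closer look."""
    return "known" if hash_file(path, ("md5",))["md5"] in known_md5s else "unknown"


def demo():
    """Hash an image, then show that a single flipped bit fails validation."""
    original = write_temp(SAMPLE_IMAGE)
    recorded = hash_file(original)            # values an imaging tool would report
    ok_original, _ = validate_image(original, recorded)

    altered = bytearray(SAMPLE_IMAGE)
    altered[10] ^= 0x01                       # one bit changed after acquisition
    ok_altered, mismatches = validate_image(write_temp(bytes(altered)), recorded)
    return ok_original, ok_altered, sorted(mismatches)


if __name__ == "__main__":
    print(demo())   # (True, False, ['md5', 'sha1'])
```

Both algorithms are computed in one pass over the file, which is what you want for large images; recording more than one digest also guards against a future collision being found for either algorithm alone.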
Validating with Hexadecimal Editors (3 of 6)
(no text content on this slide)

Validating with Hexadecimal Editors (4 of 6)
(no text content on this slide)
Validating with Digital Forensics Tools (1 of 3)
• In AccessData FTK Imager, when selecting the Expert Witness (.e01) or SMART (.s01) format:
  • Additional options for hashing all the data are available.
  • The validation report lists MD5 and SHA-1 hash values.
• Follow the steps starting on pages 383-393 to see how to use WinHex to hash an image file and then compare it with the original hash value FTK Imager calculated.
Validating with Digital Forensics Tools (2 of 3)
(no text content on this slide)

Validating with Digital Forensics Tools (3 of 3)
(no text content on this slide)
Addressing Data-Hiding Techniques
• Data hiding - changing or manipulating a file to conceal information
• Techniques:
  • Hiding entire partitions
  • Changing file extensions (.png to .doc)
  • Setting file attributes to hidden
  • Using encryption
  • Setting up password protection
Hiding Files by Using the OS
• One of the first techniques to hide data:
  • Changing file extensions (changing .png to .doc to avoid detection, say in a child pornography case)
• Advanced digital forensics tools check file headers
  • Compare the file extension to verify that it’s correct
  • If there’s a discrepancy, the tool flags the file as a possibly altered file
• Another hiding technique
  • Selecting the Hidden attribute in a file’s Properties dialog box
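The header check described on the slide is easy to reproduce. The script below is an added example written for this page (not code from the textbook or any forensic tool): it keeps a small table of well-known file signatures, identifies a file by its leading bytes, and flags any file whose extension disagrees with what the header says. The signature table is a constructed subset; a real tool carries hundreds of signatures, some at non-zero offsets. The sample files are constructed in memory, including a PNG renamed to .doc, the exact case the slide describes.

```python
# Constructed signature table: a handful of well-known magic numbers, enough to
# show the check. Real tools use far larger tables, including offset-based rules.
SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],                         # OOXML documents are ZIP containers
    "doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file
    "exe":  [b"MZ"],
}


def identify_by_header(data):
    """Return every type whose magic number matches the file's leading bytes
    (more than one can match, e.g. zip and docx share a signature)."""
    return {t for t, sigs in SIGNATURES.items() if any(data.startswith(s) for s in sigs)}


def check_extension(filename, data):
    """Compare the claimed extension with the header. Returns (status, detected)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify_by_header(data)
    if ext not in SIGNATURES:
        return "unknown-extension", detected   # nothing to compare against
    if not detected:
        return "unknown-header", detected      # extension known, header is not
    if ext in detected:
        return "match", detected
    return "mismatch", detected                # header disagrees: flag as possibly altered


def flag_possibly_altered(files):
    """files: {name: leading bytes}. Return the names whose extension and header disagree."""
    return sorted(n for n, d in files.items() if check_extension(n, d)[0] == "mismatch")


# Constructed sample set: a PNG renamed to .doc, a PDF renamed to .jpg, plus genuine files.
SAMPLE_FILES = {
    "report.doc":  b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "holiday.jpg": b"%PDF-1.7\n",
    "photo.png":   b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "tool.exe":    b"MZ\x90\x00",
    "backup.zip":  b"PK\x03\x04\x14\x00",
    "notes.txt":   b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, *check_extension(name, data))
    print("flagged:", flag_possibly_altered(SAMPLE_FILES))   # ['holiday.jpg', 'report.doc']
```

Note that the check only says the extension and header disagree; it does not say what the file is for. A flagged file still has to be opened with a viewer for the type the header indicates, and files whose header matches no signature ("unknown-header") deserve a look too.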
Hiding Partitions (2 of 4)
• To detect whether a partition has been hidden
  • Account for all disk space when examining an evidence drive
  • Analyze any disk areas containing space you can’t account for
• Many digital forensics tools can detect and view a hidden partition
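"Account for all disk space" means comparing what the partition table claims against the size of the drive. The script below is an added example written for this page (not from the textbook or any forensic tool): it builds a constructed MBR for a 2,000,000-sector disk, parses the four primary partition entries, and lists every sector range that no entry covers. The disk layout is made up for the demo and deliberately leaves a large unlisted region between the two partitions.

```python
import struct

SECTOR_SIZE = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(ptype, start_lba, count):
    """Build one 16-byte MBR partition entry (CHS fields zeroed, as modern tools do)."""
    return struct.pack(ENTRY_FMT, 0x00, b"\0\0\0", ptype, b"\0\0\0", start_lba, count)


def build_mbr(entries):
    """Assemble a 512-byte boot sector from up to four (type, start, count) tuples."""
    table = b"".join(make_entry(*e) for e in entries)
    table += b"\x00" * (16 * (4 - len(entries)))
    return b"\x00" * 446 + table + b"\x55\xaa"


def parse_mbr(sector0):
    """Read the four primary entries; skip empty slots (type 0 or zero length)."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        _status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype and count:
            parts.append({"slot": i, "type": ptype, "start": start, "end": start + count - 1})
    return parts


def unaccounted_ranges(parts, total_sectors):
    """Return (first, last) sector ranges not covered by any table entry.
    Sector 0 is the MBR itself, so accounting starts at sector 1."""
    gaps = []
    next_free = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > next_free:
            gaps.append((next_free, p["start"] - 1))
        next_free = max(next_free, p["end"] + 1)
    if next_free <= total_sectors - 1:
        gaps.append((next_free, total_sectors - 1))
    return gaps


def demo_disk():
    """Constructed 2,000,000-sector disk (about 977 MiB): an NTFS partition, an
    unlisted region, a second partition, and unused space at the end."""
    total = 2_000_000
    mbr = build_mbr([(0x07, 2_048, 1_000_000), (0x07, 1_500_000, 400_000)])
    return unaccounted_ranges(parse_mbr(mbr), total)


if __name__ == "__main__":
    for first, last in demo_disk():
        mib = (last - first + 1) * SECTOR_SIZE / 2**20
        print(f"sectors {first}-{last}: {mib:.1f} MiB not covered by the partition table")
```

The first gap (sectors 1 to 2047) is ordinary alignment padding before the first partition; the roughly 243 MiB between the two partitions is the kind of region the slide says to analyze. Extended partitions and GPT disks need their own parsers (the EBR chain and the GPT header and entry array respectively), but the accounting step is the same: every sector on the drive should be explained by something.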
Understanding Steganalysis Methods (1 of 3)
• Steganography - comes from the Greek word for “hidden writing”
  • Hiding messages in such a way that only the intended recipient knows the message is there
• Steganalysis - term for detecting and analyzing steganography files
• Digital watermarking - developed as a way to protect file ownership
  • Usually not visible when used for steganography
Understanding Steganalysis Methods (2 of 3)
• A way to hide data is to use steganography tools
  • Many are freeware or shareware
  • Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file
  • Cracking the encrypted message is extremely difficult
Examining Encrypted Files
• To decode an encrypted file
  • Users supply a password or passphrase
• Many encryption programs use a technology called “key escrow”
  • Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
• Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology
Recovering Passwords (1 of 4)
• Password-cracking tools are available for handling password-protected data or systems
  • Some are integrated into digital forensics tools
  • Stand-alone tools:
    • AccessData PRTK
    • Passware
Recovering Passwords (2 of 4)
• Brute-force attacks
  • Use every possible letter, number, and character found on a keyboard
  • This method can require a lot of time and processing power
• Dictionary attack
  • Uses common words found in the dictionary and tries them as passwords
  • Most use a variety of languages
Recovering Passwords (3 of 4)
• With many programs, you can build profiles of a suspect to help determine his or her password
• Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
• A brute-force attack requires converting a dictionary password from plaintext to a hash value
  • Requires additional CPU cycle time
Recovering Passwords (4 of 4)
• Rainbow table
  • A file containing the hash values for every possible password that can be generated from a computer’s keyboard
  • No conversion necessary, so it is faster than a brute-force or dictionary attack
• Salting passwords
  • Alters hash values and makes cracking passwords more difficult
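The last two slides contrast hashing at lookup time (the "additional CPU cycle time" of a dictionary attack) with a precomputed table, and then note that salting defeats the precomputed table. The script below is an added example written for this page (not from the textbook or any password tool) that shows why. It precomputes SHA-1 digests for a constructed wordlist into a plain digest-to-plaintext map (a rainbow table compresses the same idea with hash chains), then stores the same password once unsalted and once with a per-password salt. The unsalted value is recovered by a single dictionary lookup with no hashing; the salted value is not in the table at all, and the only party that can check it cheaply is the verifier holding the salt. SHA-1 is used because it is the algorithm the slides name; the fixed salt in the demo is constructed so the result is reproducible, and a real system would draw it from os.urandom as store_salted does by default.

```python
import hashlib
import os

# Constructed wordlist standing in for a dictionary file.
WORDLIST = ["password", "letmein", "forensics", "autopsy", "winhex", "qwerty"]


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once. A rainbow table compresses this with
    hash chains, but the principle is the same: no hashing at lookup time."""
    return {sha1_hex(w.encode()): w for w in words}


def store_unsalted(password):
    """Weak scheme: the stored value is just the hash of the password."""
    return sha1_hex(password.encode())


def store_salted(password, salt=None):
    """Salted scheme: a random per-password salt is hashed with the password and
    stored alongside the digest as salt_hex$digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha1_hex(salt + password.encode())


def verify_salted(password, stored):
    """Recompute with the stored salt; the verifier never needs a table."""
    salt_hex, digest = stored.split("$")
    return sha1_hex(bytes.fromhex(salt_hex) + password.encode()) == digest


def table_lookup(stored, table):
    """Try to recover the plaintext from the precomputed table without hashing anything."""
    return table.get(stored.split("$")[-1])


def demo():
    table = build_lookup_table(WORDLIST)
    fixed_salt = b"\x01" * 16            # constructed, so the result is reproducible
    unsalted_hit = table_lookup(store_unsalted("letmein"), table)
    salted_hit = table_lookup(store_salted("letmein", fixed_salt), table)
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    print(demo())   # ('letmein', None)
```

Salting does not make any single hash harder to compute; what it removes is the ability to compute the table once and reuse it against every stored value, which is why the slide describes it as making cracking "more difficult" rather than impossible. Systems designed today go further and use deliberately slow, salted password hashing functions rather than a single MD5 or SHA pass.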
