
Lecture 3 - Digital Forensics Analysis and Validation
Unit code: MN624

Acknowledgement: B. Nelson, A. Phillips, C. Steuart, Guide to Computer Forensics and Investigations, Cengage Learning, 5th Ed., 2018

July 20204 Copyright © Melbourne Institution of Technology 1


Review of Lecture 2

• Explain the rules for controlling digital evidence
• Describe how to collect evidence at private-sector incident scenes
• Explain guidelines for processing law enforcement crime scenes
• List the steps in preparing for an evidence search
• Describe how to secure a computer incident or crime scene
• Explain guidelines for seizing digital evidence at the scene
• List procedures for storing digital evidence
• Explain how to obtain a digital hash
• Review a case to identify requirements and plan your investigation


Overview of Lecture 3

• Determine what data to analyze in a digital forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques


Determining What Data to Collect and Analyze

• Examining and analyzing digital evidence depend on the nature of the investigation
– And the amount of data to process
• Scope creep - when an investigation expands beyond the original description
– Because of unexpected evidence found
– Attorneys may ask investigators to examine other areas to recover more evidence
– Increases the time and resources needed to extract, analyze, and present evidence


Determining What Data to Collect and Analyze

• Scope creep has become more common
– Criminal investigations require more detailed examination of evidence just before trial
– To help prosecutors fend off attacks from defense attorneys
• New evidence often isn't revealed to prosecution
– It's become more important for prosecution teams to ensure they have analyzed the evidence exhaustively before trial


Approaching Digital Forensics Cases

• Begin a case by creating an investigation plan that defines the:
– Goal and scope of investigation
– Materials needed
– Tasks to perform
• The approach you take depends largely on the type of case you're investigating
– Corporate, civil, or criminal


Approaching Digital Forensics Cases

• Follow these basic steps for all digital forensics investigations:
– 1. For target drives, use recently wiped media that have been reformatted and inspected for viruses
– 2. Inventory the hardware on the suspect's computer, and note the condition of the seized computer
– 3. For static acquisitions, remove the original drive and check the date and time values in the system's CMOS
– 4. Record how you acquired data from the suspect drive


Approaching Digital Forensics Cases

• Follow these basic steps for all digital forensics investigations (cont'd):
– 5. Process the drive's contents methodically and logically
– 6. List all folders and files on the image or drive
– 7. Examine the contents of all data files in all folders
– 8. Recover file contents for all password-protected files
– 9. Identify the function of every executable file that doesn't match known hash values
– 10. Maintain control of all evidence and findings


Approaching Digital Forensics Cases

• Refining and modifying the investigation plan
– Even if the initial plan is sound, at times you may need to deviate from it and follow the evidence
– Knowing the types of data to look for helps you make the best use of your time
– The key is to start with a plan but remain flexible in the face of new evidence


Using OSForensics to Analyze Data

• OSForensics can perform forensics analysis on the following file systems:
– Microsoft FAT12, FAT16, and FAT32
– Microsoft NTFS
– Mac HFS+ and HFSX
– Linux Ext2fs and Ext4fs
• OSForensics can analyze data from several sources
– Including image files from other vendors


Using OSForensics to Analyze Data

• Includes the OSFMount utility, which can access many formats, including:
– Raw, Expert Witness, and Advanced Forensics Format (AFF)
– Can also mount and examine VMware images (.vmdk), SMART images (.s01), and VHD images (.vhd)
• Can use the NIST National Software Reference Library (NSRL)
– Enables you to mount the NSRL ISO image


Using OSForensics to Analyze Data

• Using the Index feature in OSForensics
– OSForensics indexes text data so that you can perform searches immediately
– Follow the steps starting on page 5 to learn how to index a case


Validating Forensic Data

• Ensuring the integrity of data collected is essential for presenting evidence in court
• Most forensic tools offer hashing of image files
• Example - when ProDiscover loads an image file:
– It runs a hash and compares the value with the original hash calculated when the image was first acquired
• Advanced hexadecimal editors can also be used to verify data integrity


Validating with Hexadecimal Editors

• Advanced hex editors offer features not available in digital forensics tools, such as:
– Hashing specific files or sectors
• With the hash value in hand
– You can use a forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file
• WinHex provides MD5 and SHA-1 hashing algorithms


Validating with Hexadecimal Editors

• Advantage of recording hash values
– You can determine whether data has changed
• Block-wise hashing
– A process that builds a data set of hashes of sectors from the original file
– Then examines sectors on the suspect's drive to see whether any other sectors match
– If an identical hash value is found, you have confirmed that the file was stored on the suspect's drive
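The whole-image hash check described under Validating Forensic Data and the block-wise hashing above, as an added Python example that is not part of the lecture or of any tool it names; the 512-byte sector size, the SHA-1 choice and the sample "known file" and "suspect image" are constructed assumptions.

```python
import hashlib

SECTOR = 512  # sector size assumed for this constructed example

def sector_hashes(data, sector=SECTOR):
    """Reference set: SHA-1 of every full sector of the known file.
    Uniform sectors (e.g. all zeros) are skipped; they would match any
    blank area of the suspect drive and produce false positives."""
    hashes = set()
    for off in range(0, len(data) - len(data) % sector, sector):
        block = data[off:off + sector]
        if len(set(block)) > 1:
            hashes.add(hashlib.sha1(block).hexdigest())
    return hashes

def blockwise_search(image, known, sector=SECTOR):
    """Hash each sector of the suspect image and report offsets whose hash is
    in the reference set: evidence the file (or a renamed copy) was stored there."""
    return [off for off in range(0, len(image) - len(image) % sector, sector)
            if hashlib.sha1(image[off:off + sector]).hexdigest() in known]

def verify_image(image, acquisition_hash):
    """Whole-image check a tool performs on load: rehash the image and compare
    against the hash recorded at acquisition time."""
    return hashlib.sha1(image).hexdigest() == acquisition_hash

# Constructed data: a 3-sector known file and a 10-sector suspect image that
# holds a copy of it at sector 6, surrounded by unrelated filler.
KNOWN_FILE = bytes((i * 7 + 3) & 0xFF for i in range(3 * SECTOR))
FILLER = bytes((i * 13 + 5) & 0xFF for i in range(SECTOR))
SUSPECT_IMAGE = FILLER * 6 + KNOWN_FILE + FILLER

def demo():
    known = sector_hashes(KNOWN_FILE)
    hits = blockwise_search(SUSPECT_IMAGE, known)       # [3072, 3584, 4096]
    acquisition_hash = hashlib.sha1(SUSPECT_IMAGE).hexdigest()
    intact = verify_image(SUSPECT_IMAGE, acquisition_hash)
    tampered = bytearray(SUSPECT_IMAGE)
    tampered[0] ^= 0x01                                 # a single flipped bit
    corrupt = verify_image(bytes(tampered), acquisition_hash)
    return hits, intact, corrupt

if __name__ == "__main__":
    print(demo())
```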


Validating with Hexadecimal Editors

• Using hash values to discriminate data
– AccessData has its own hashing database, Known File Filter (KFF)
– KFF filters known program files from view and contains hash values of known illegal files
– It compares known file hash values with files on your evidence drive to see if they contain suspicious data
– Other digital forensics tools can import the National Software Reference Library (NSRL) database and run hash comparisons


Validating with Digital Forensics Tools

• ProDiscover
– .eve files contain metadata that includes the hash value
– Has a preference you can enable for using the Auto Verify Image Checksum feature when image files are loaded
– If the Auto Verify Image Checksum result and the hashes in the .eve file's metadata don't match, ProDiscover notifies you that the acquisition is corrupt and can't be considered reliable evidence


Addressing Data-Hiding Techniques

• Data hiding - changing or manipulating a file to conceal information
• Techniques:
– Hiding entire partitions
– Changing file extensions
– Setting file attributes to hidden
– Bit-shifting
– Using encryption
– Setting up password protection


Hiding Files by Using the OS

• One of the first techniques to hide data:
– Changing file extensions
• Advanced digital forensics tools check file headers
– Compare the file extension to verify that it's correct
– If there's a discrepancy, the tool flags the file as a possibly altered file
• Another hiding technique
– Selecting the Hidden attribute in a file's Properties dialog box
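The header-versus-extension check that forensics tools perform, as an added Python example that is not from the lecture or from any tool it names; the signature table is deliberately small and the sample file headers are constructed.

```python
import os

# Well-known file signatures ("magic numbers") for a few common types.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],   # Office Open XML documents are ZIP containers
    "exe":  [b"MZ"],
}

def types_for_header(header):
    """Extensions whose signature matches the file's leading bytes."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(sig) for sig in sigs)}

def check_extension(name, header):
    """Compare the header-derived type with the extension the file carries.
    Returns one of: ok, mismatch, unrecognized-header, unknown-extension."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    found = types_for_header(header)
    if found:
        return "ok" if ext in found else "mismatch"   # header says a different known type
    return "unrecognized-header" if ext in SIGNATURES else "unknown-extension"

def scan(files):
    """files: {name: leading bytes}. Returns {name: verdict}; anything but 'ok'
    deserves a closer look in the hex editor."""
    return {name: check_extension(name, header) for name, header in files.items()}

# Constructed sample headers (the first bytes an examiner would see in a hex editor).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "logo.png":    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "report.pdf":  b"PK\x03\x04\x14\x00\x06\x00\x08\x00",   # ZIP/OOXML renamed to .pdf
    "notes.txt":   b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",   # executable renamed to .txt
    "photo.jpg":   b"\x00\x11\x22\x33\x44\x55\x66\x77",     # no known signature: damaged or encrypted?
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12} {verdict}")
```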


Hiding Partitions

• By using the Windows diskpart remove letter command
– You can unassign the partition's letter, which hides it from view in File Explorer
• To unhide, use the diskpart assign letter command
• Other disk management tools:
– Partition Magic, Partition Master, and Linux Grand Unified Bootloader (GRUB)


Hiding Partitions

• To detect whether a partition has been hidden
– Account for all disk space when examining an evidence drive
– Analyze any disk areas containing space you can't account for
• In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS
– Other forensics tools have their own methods of assigning drive letters to hidden partitions
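Accounting for all disk space, as an added Python example that is not from the lecture: it parses a constructed MBR partition table and reports every sector range that no partition entry claims. The partition layout and disk size are constructed; whether a gap such as the usual 2048-sector alignment reserve is innocent is the examiner's call.

```python
import struct

def parse_mbr(mbr):
    """Return (type, first_lba, sector_count) for each used entry in a classic
    MBR partition table (4 x 16-byte entries at offset 446, 0x55AA signature)."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((ptype, first_lba, count))
    return parts

def unaccounted_ranges(mbr, total_sectors):
    """Sector ranges [start, end) claimed by no partition entry. Sector 0 is the
    MBR itself, so accounting starts at sector 1."""
    gaps, cursor = [], 1
    for _, first_lba, count in sorted(parse_mbr(mbr), key=lambda p: p[1]):
        if first_lba > cursor:
            gaps.append((cursor, first_lba))
        cursor = max(cursor, first_lba + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def make_entry(ptype, first_lba, count):
    """Build one 16-byte entry (CHS fields zeroed; tools rely on the LBA fields)."""
    return bytes([0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", first_lba, count)

# Constructed 512-byte MBR: two NTFS (type 0x07) partitions with a ~99 MiB
# stretch between them that no entry claims, plus unused space at the end.
MBR = (bytes(446)
       + make_entry(0x07, 2048, 204800)
       + make_entry(0x07, 409600, 100000)
       + bytes(32)                      # two empty entries
       + b"\x55\xaa")
TOTAL_SECTORS = 1024000                 # disk size reported by the acquisition tool (constructed)

if __name__ == "__main__":
    for start, end in unaccounted_ranges(MBR, TOTAL_SECTORS):
        mib = (end - start) * 512 // 2**20
        print(f"sectors {start}-{end - 1}: {mib} MiB not in any partition")
```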




Marking Bad Clusters

• A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters
– Involves using old utilities such as Norton DiskEdit
• Can mark good clusters as bad clusters in the FAT table so the OS considers them unusable
– The only way they can be accessed from the OS is by changing them back to good clusters with a disk editor
• DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media

Bit-Shifting

• Some users use a low-level encryption program that changes the order of binary data
– Makes the altered data unreadable
– To secure a file, users run an assembler program (also called a "macro") to scramble the bits
– They run another program to restore the scrambled bits to their original order
• Bit shifting changes data from readable code to data that looks like binary executable code
• WinHex includes a feature for shifting bits
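An added Python example, not from the lecture or from WinHex, of the bit-shifting idea and of the examiner's counter-move: per-byte bit rotation is assumed as the scrambling scheme (the slide does not specify one), and the recovery routine tries every possible rotation and keeps the one that yields readable text. The message is constructed.

```python
import string

PRINTABLE = set(string.printable.encode())

def rotate_bits(data, n):
    """Rotate every byte left by n bits. Per-byte rotation is one simple bit-shift
    scheme (an assumption here). Rotating by 8 - n undoes it, so nothing is lost."""
    n %= 8
    if n == 0:
        return bytes(data)
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII: a cheap 'does this look like text' score."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)

def recover_shift(data):
    """Examiner side: try all eight rotations of suspected bit-shifted data and
    return (shift, candidate) for the rotation that yields the most readable text."""
    best = max(range(8), key=lambda n: printable_ratio(rotate_bits(data, n)))
    return best, rotate_bits(data, best)

# Constructed plaintext and the "secured" copy produced by a 3-bit left rotation.
MESSAGE = b"Meeting moved to 17:00 - bring the second ledger."
SCRAMBLED = rotate_bits(MESSAGE, 3)

if __name__ == "__main__":
    shift, text = recover_shift(SCRAMBLED)
    print(f"scrambled data is {printable_ratio(SCRAMBLED):.0%} printable")
    print(f"recovered with left-rotate {shift}: {text.decode()}")
```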




Understanding Steganalysis Methods

• Steganography - comes from the Greek word for "hidden writing"
– Hiding messages in such a way that only the intended recipient knows the message is there
• Steganalysis - the term for detecting and analyzing steganography files
• Digital watermarking - developed as a way to protect file ownership
– Usually not visible when used for steganography


Understanding Steganalysis Methods

• A way to hide data is to use steganography tools
– Many are freeware or shareware
– Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file
– Cracking the encrypted message is extremely difficult


Understanding Steganalysis Methods

• Steganalysis methods
– Stego-only attack
– Known cover attack
– Known message attack
– Chosen stego attack
– Chosen message attack


Examining Encrypted Files

• To decode an encrypted file
– Users supply a password or passphrase
• Many encryption programs use a technology called "key escrow"
– Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
• Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology


Recovering Passwords

• Password-cracking tools are available for handling password-protected data or systems
– Some are integrated into digital forensics tools
• Stand-alone tools:
– Last Bit
– AccessData PRTK
– ophcrack
– John the Ripper
– Passware


Recovering Passwords

• Brute-force attacks
– Use every possible letter, number, and character found on
a keyboard
– This method can require a lot of time and processing
power
• Dictionary attack
– Uses common words found in the dictionary and tries
them as passwords
– Most use a variety of languages



Recovering Passwords

• With many programs, you can build profiles of a suspect to help determine his or her password
• Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
• A brute-force attack requires converting a dictionary password from plaintext to a hash value
– Requires additional CPU cycle time


Recovering Passwords

• Rainbow table
– A file containing the hash values for every possible
password that can be generated from a computer’s
keyboard
– No conversion necessary, so it is faster than a brute-force
or dictionary attack
• Salting passwords
– Alters hash values and makes cracking passwords more
difficult

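Why the salting bullet matters, as an added Python example that is not from the lecture: a precomputed table answers an unsalted digest with one dictionary lookup (the rainbow-table idea above), but a per-user salt changes every stored value so the same table finds nothing, while legitimate verification still works. SHA-256, the wordlist and the salt are constructed assumptions.

```python
import hashlib

# Constructed wordlist standing in for the dictionary a cracking tool ships with.
WORDLIST = [b"password", b"letmein", b"summer2024", b"qwerty", b"dragon", b"welcome1"]
SALT = bytes.fromhex("9f1e3c5a7b2d4e6f0a1b2c3d4e5f6071")  # constructed per-user salt

def unsalted_hash(password):
    """Weak storage: H(password) alone, identical for every user with that password."""
    return hashlib.sha256(password).hexdigest()

def salted_hash(password, salt):
    """Salted storage: a random per-user salt is hashed with the password and kept
    beside the digest (here as 'salthex$digest')."""
    return salt.hex() + "$" + hashlib.sha256(salt + password).hexdigest()

def build_lookup_table(words):
    """Precomputed digest -> password map: the idea behind rainbow/lookup tables.
    Hash the wordlist once, then every later query is a dictionary lookup."""
    return {unsalted_hash(w): w for w in words}

def table_lookup(table, stored):
    """Answer from the precomputed table, or None. A salted digest is H(salt || pw),
    which no table built without that exact salt can contain."""
    return table.get(stored.split("$")[-1])

def verify_password(password, stored):
    """Legitimate verification is unaffected: recompute with the stored salt and compare."""
    salt = bytes.fromhex(stored.split("$")[0])
    return salted_hash(password, salt) == stored

def demo():
    table = build_lookup_table(WORDLIST)
    plain = unsalted_hash(b"letmein")
    salted = salted_hash(b"letmein", SALT)
    return (table_lookup(table, plain),          # b"letmein": found without any hashing
            table_lookup(table, salted),         # None: precomputation defeated
            verify_password(b"letmein", salted)) # True: the owner can still log in

# Production systems also use a deliberately slow password hash (bcrypt, scrypt,
# Argon2, PBKDF2) so that each guess costs far more than one SHA-256 call.

if __name__ == "__main__":
    print(demo())
```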


Summary

• Examining and analyzing digital evidence depend on the nature of the investigation and the amount of data to process
• General procedures:
– Wipe and prepare target drives, document all hardware components on the suspect's computer, check date and time values in the suspect's computer's CMOS, acquire data and document steps, list all folders and files, attempt to open password-protected files, determine the function of executable files, and document steps


Summary

• Advanced digital forensics tools have features such as indexing text data, making keyword searches faster
• A critical aspect of digital forensics is validating digital evidence
– Ensuring the integrity of data you collect is essential for presenting evidence in court
• Data hiding involves changing or manipulating a file to conceal information
• Three ways to recover passwords:
– Dictionary attacks
– Brute-force attacks
– Rainbow tables


Lecture 3 Case Study

Case Project 1
As a part of the duties of a digital forensics examiner, creating an investigation plan is a standard practice. Write a paper that describes how you would organize an investigation for a potential fraud case. In addition, list the methods you plan to use to validate the data collected from drives and files, such as Word and Excel, with hashes. Specify the hash algorithm you plan to use, such as MD5 or SHA-1.

Case Project 2
Several graphics files were transmitted via email from an unknown source to a suspect in an ongoing investigation. The lead investigator gives you these graphics files and tells you that at least four messages should be embedded in them. Use your problem-solving and brainstorming skills to determine a procedure to follow. Write a short report outlining what to do.

Lecture 3 Case Study (Cont.)

Case Project 3
A drive you're investigating contains several password-protected files and other files with headers that don't match the extension. Write a report describing the procedures for retrieving the evidence with some of the forensics tools and hexadecimal editors discussed in this chapter and chapter 8. Explain how to identify the file headers and determine how their extensions are mismatched. Then discuss what techniques and tools you can use for recovering passwords from the protected files.


Questions

• FTK Imager can calculate only MD5 hash values. True or False?
• FTK Imager can find files in hidden partitions and slack space. True or False?
• What's the file size of the LFG.pdf file without slack space?
• FTK Imager can't be used to edit hex values. True or False?
• WinHex can calculate only SHA-1 and MD5 hash values. True or False?
• WinHex can edit hex values in file headers. True or False?
