Module 1-Introduction to Digital Forensic

The document outlines a course on Digital Forensics, covering topics such as the digital forensic process, tools, investigative methodologies, and the role of forensic examiners. It defines computer forensics, its importance in various legal contexts, and the steps involved in handling evidence and initiating investigations. Additionally, it discusses methods of hiding data and anti-forensics techniques that can complicate evidence collection.

DIGITAL FORENSICS TECHNOLOGY AND PRACTICES

MODULE 1
ABOUT COURSE COVERAGE & INTRODUCTION TO DIGITAL FORENSIC

Mr. Maher Alwaqdani


ABOUT COURSE COVERAGE
Topics to be covered
1) Introduction to digital forensic
2) Digital forensic process
3) Digital forensic tools
4) Investigative methodology
5) Digital investigations
6) Electronic Discovery
7) Intrusion Investigation
8) Anti-forensics
9) Windows Forensic Analysis
10) Embedded Systems Analysis
11) Network Evidence and Investigations
Learning Objectives
At the end of this presentation, you will be able to:
■ Explain what digital forensics is
■ Explain the uses of digital forensics
■ Describe the problems with digital data
■ Describe the role of the forensic examiner in the judicial system
■ Explain the principal targets of computer forensics
■ List the forensic procedure for securing disk data for analysis
Definition
■ What is Computer Forensics?
– Computer forensics involves the preservation, identification,
extraction, documentation, and interpretation of computer
media for evidentiary and/or root cause analysis.
– Evidence might be required for a wide range of computer crimes
and misuses
– Multiple methods of
■ Discovering data on computer system
■ Recovering deleted, encrypted, or damaged file information
■ Monitoring live activity
■ Detecting violations of corporate policy
– Information collected assists in arrests, prosecution, termination
of employment, and preventing future illegal activity
Definition (cont)
■ What Constitutes Digital Evidence?
– Any information that can be extracted from a computer, whether or not it
has been subject to human intervention.
– Must be in human-readable format or capable of being
interpreted by a person with expertise in the subject.
■ Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing investigation post employment
termination
– Recovering evidence post formatting hard
drive
– Performing investigation after multiple
users had taken over the system
Reasons For Evidence
■ Wide range of computer crimes and misuses
– Non-Business Environment: evidence collected by
Federal, State and local authorities for crimes
relating to:
■ Theft of trade secrets
■ Fraud
■ Extortion
■ Industrial espionage
■ Possession of pornography
■ Spam investigations
■ Virus/Trojan distribution
■ Homicide investigations
■ Intellectual property breaches
■ Unauthorized use of personal information
■ Forgery
■ Perjury
Reasons For Evidence (cont)
■ Computer related crime and violations
include a range of activities including:
– Business Environment:
■ Theft of or destruction of intellectual property
■ Unauthorized activity
■ Tracking internet browsing habits
■ Reconstructing Events
■ Inferring intentions
■ Selling company bandwidth
■ Wrongful dismissal claims
■ Sexual harassment
■ Software Piracy
Who Uses Computer Forensics?
■ Criminal Prosecutors
– Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
■ Civil Litigations
– Personal and business data discovered on a
computer can be used in fraud, divorce,
harassment, or discrimination cases
■ Insurance Companies
– Evidence discovered on a computer can be used to reduce costs (fraud,
worker's compensation, arson, etc.)
■ Private Corporations
– Evidence obtained from employee computers can be used in harassment,
fraud, and embezzlement cases
Who Uses Computer Forensics? (cont)
■ Law Enforcement Officials
– Rely on computer forensics to support search warrants and post-seizure
handling
■ Individual/Private Citizens
– Obtain the services of professional computer
forensic specialists to support claims of
harassment, abuse, or wrongful termination
from employment
Steps Of Computer Forensics
■ According to many professionals,
Computer Forensics is a four (4) step
process
– Acquisition
■ Physically or remotely obtaining possession of
the computer, all network mappings from the
system, and external physical storage devices
– Identification
■ This step involves identifying what data could be recovered and
electronically retrieving it by running various computer forensic tools
and software suites
– Evaluation
■ Evaluating the information/data recovered to determine if and how it
could be used against the suspect for employment termination or
prosecution
Steps Of Computer Forensics (cont)
– Presentation
■ This step involves presenting the evidence discovered in a manner that
is understood by lawyers and non-technical staff/management, and that
is admissible under United States and internal law
Handling Evidence
■ Admissibility of Evidence
– Legal rules which determine whether potential
evidence can be considered by a court
– Must be obtained in a manner which ensures the
authenticity and validity and that no tampering
had taken place
■ No possible evidence is damaged,
destroyed, or otherwise compromised by
the procedures used to search the computer
■ Preventing viruses from being introduced to
a computer during the analysis process
■ Extracted / relevant evidence is properly handled and protected from
later mechanical or electromagnetic damage
Handling Evidence (cont)
■ Establishing and maintaining a continuing chain of custody
■ Limiting the amount of time business operations are affected
■ Respecting, and not divulging, any attorney-client privileged
information that is inadvertently acquired during a forensic
examination (an ethical and legal obligation)
Initiating An Investigation
■ DO NOT begin by exploring files on
system randomly
■ Establish an evidence custodian and start a detailed journal recording
the date and time of each action taken and each item of information
discovered
■ If possible, designate the suspected equipment as "off-limits" to normal
activity, including backups, remotely or locally scheduled housekeeping,
and configuration changes
■ Collect email, DNS, and other network service logs
Initiating An Investigation (cont)
■ Capture exhaustive external TCP and UDP port scans of the host
– Results can be misleading if services sit behind TCP wrappers, which
accept or refuse connections by source address
■ Contact security personnel [CERT], management, federal and local law
enforcement, as well as affected sites or persons
Incident Response
■ Identify, designate, or become evidence
custodian
■ Review any existing journal of what has
been done to system already and/or how
intrusion was detected
■ Begin new or maintain existing journal
■ Install monitoring tools (sniffers, port
detectors, etc.)
■ Without rebooting or affecting running
processes, perform a copy of physical disk
■ Capture network information
Incident Response (cont)
■ Capture processes and files in use (e.g. DLLs, executables)
■ Capture configuration information
■ Obtain a signed receipt for the data collected
Handling Information
■ Information and data being sought after
and collected in the investigation must be
properly handled
■ Volatile Information
– Network Information
■ Communication between system and the
network
– Active Processes
■ Programs and daemons currently active on the
system
– Logged-on Users
■ Users/employees currently using system
– Open Files
■ Libraries in use; hidden files; Trojans or rootkits loaded on the
system
Handling Information (cont)

■ Non-Volatile Information
– This includes information, configuration
settings, system files and registry settings
that are available after reboot
– Accessed through drive mappings from
system
– This information should be investigated and reviewed from a forensic
copy, never from the original
Computer Forensic Requirements
■ Hardware
– Familiarity with all internal and external
devices/components of a computer
– Thorough understanding of hard drives and
settings
– Understanding motherboards and the various
chipsets used
– Power connections
– Memory
■ BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and
limitations of the BIOS
Computer Forensic Requirements (cont)
■ Operating Systems
– Windows 3.1/95/98/ME/NT/2000/2003/XP
– DOS
– UNIX
– LINUX
– VAX/VMS
■ Software
– Familiarity with the most popular software packages, such as Office
■ Forensic Tools
– Familiarity with computer forensic techniques
and the software packages that could be used
Anti-Forensics
■ Software that limits and/or corrupts
evidence that could be collected by an
investigator
■ Performs data hiding and distortion
■ Exploits limitations of known and used
forensic tools
■ Works both on Windows and LINUX based
systems
■ May be put in place before or after the system is acquired
Evidence Processing Guidelines
■ New Technologies Inc. recommends the following 16 steps in processing
evidence
■ They offer training on properly handling each step
– Step 1: Shut down the computer
■ Consideration must be given to volatile information, which is lost at
shutdown and must be captured first if it is needed
■ Prevents remote access to the machine and destruction of evidence
(manual or by anti-forensic software)
– Step 2: Document the Hardware Configuration of the System
■ Note everything about the computer configuration prior to relocating it
Evidence Processing Guidelines (cont)
– Step 3: Transport the Computer System to a Secure Location
■ Do not leave the computer unattended unless it is locked in a secure
location
– Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
– Step 5: Mathematically Authenticate Data on All Storage Devices
■ Must be able to prove that you did not alter any of the evidence after
the computer came into your possession
– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File
– Step 9: Evaluate File Slack
■ File slack is a data storage area of which most computer users are
unaware; a source of significant security leakage.
– Step 10: Evaluate Unallocated Space (Erased Files)
– Step 11: Search Files, File Slack and Unallocated Space for Key Words
– Step 12: Document File Names, Dates and Times
– Step 13: Identify File, Program and Storage Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document Your Findings
– Step 16: Retain Copies of Software Used
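Steps 4 and 5 above in working form, as an added example that is not from the slides or from New Technologies Inc.: hash a bit-stream image in fixed-size chunks, record the digests, size, examiner and UTC time in a manifest (the custody journal entry), and re-verify the image later. The 2 MiB "image", the examiner name and the file names are constructed for the demonstration; the same functions work unchanged on a real dd(1) output.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}; the file is read once, all digests updated together."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, examiner, note=""):
    """Journal entry for the acquisition: size, digests, who recorded it and when (UTC)."""
    entry = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "examiner": examiner,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with open(manifest_path, "w") as fh:
        json.dump(entry, fh, indent=2)
    return entry


def verify_manifest(image_path, manifest_path):
    """Re-hash the image; return (ok, [names of the fields that no longer match])."""
    with open(manifest_path) as fh:
        entry = json.load(fh)
    mismatches = []
    if os.path.getsize(image_path) != entry["size_bytes"]:
        mismatches.append("size")
    current = hash_file(image_path, tuple(entry["hashes"]))
    for name, expected in entry["hashes"].items():
        if current[name] != expected:
            mismatches.append(name)
    return (not mismatches), mismatches


def sample_file(data, name="sample.bin"):
    """Write constructed bytes into a fresh temp directory and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed 2 MiB image standing in for dd(1) output, then a one-bit tamper."""
    image = sample_file(bytes(range(256)) * 8192, "evidence.dd")
    manifest = image + ".manifest.json"
    write_manifest(image, manifest, examiner="J. Doe (hypothetical)", note="sample acquisition")
    intact = verify_manifest(image, manifest)
    with open(image, "r+b") as fh:          # flip a single bit deep inside the image
        fh.seek(12345)
        original = fh.read(1)[0]
        fh.seek(12345)
        fh.write(bytes([original ^ 0x01]))
    tampered = verify_manifest(image, manifest)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded because older case files and tools still quote MD5; SHA-256 is the one that carries evidentiary weight today, and a single flipped bit changes both.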
Methods Of Hiding Data
■ Covert Channels – Hiding in Transmission
– Take advantage of timing or shared storage to pass data through an
unsuspected channel
■ EXAMPLE: IP datagram – Header Redundancy
– Maximum Transfer Unit (MTU)
■ An IP datagram is encapsulated in a link-layer frame (header, datagram,
trailer). The MTU is the largest datagram the link will carry.
■ To make IP independent of the physical network, the IP total-length
field allows datagrams of up to 65,535 bytes.
■ If the physical layer's MTU is smaller than the datagram, the datagram
must be fragmented
Methods Of Hiding Data (cont)
• EXAMPLE: Continued…
– Flags: 3 bits
• 1st bit: reserved (always 0)
• 2nd bit: Do not fragment (DF): if 1, can’t be
fragmented. If it is too large to pass through any
available physical network, it is discarded
• 3rd bit: More fragment (MF): if 1, the datagram is
not the last fragment of the original datagram, if 0,
it is last one or there is only 1 fragment (the
original datagram)
Methods Of Hiding Data (cont)
• EXAMPLE – TCP/IP Continued…
– An unfragmented datagram has MF = 0 and fragment offset 0; the DF bit may be 0 or 1
• Redundancy condition: for a datagram that is under the MTU of every link on the
path, DF = 1 and DF = 0 produce identical behaviour, so the bit is free to carry
one bit of hidden data per datagram
• From the network's perspective: datagram 1 is not allowed to fragment (DF = 1),
datagram 2 is allowed but never does because it is under the MTU; both are
delivered unchanged.
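The DF-bit channel just described, as an added example that is not from the slides: it builds real 20-byte IPv4 headers with struct, hides one message bit per datagram in the DF flag of datagrams far below any MTU, decodes them on the receiving side, and includes the kind of per-flow check a filter could apply. The addresses, identification values and the 32-byte payload length are constructed; only headers are built, nothing is put on the wire.

```python
import struct

IHL_WORDS = 5        # minimal IPv4 header: 5 x 32-bit words = 20 bytes, no options
FLAG_DF = 0x4000     # "don't fragment" bit of the flags/fragment-offset field
FLAG_MF = 0x2000     # "more fragments" bit
HDR_FMT = "!BBHHHBBH4s4s"


def checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_header(src, dst, payload_len, ident, df, ttl=64, proto=17):
    """Unfragmented datagram: MF = 0, offset = 0; only DF is chosen by the caller."""
    flags_frag = FLAG_DF if df else 0
    fields = [(4 << 4) | IHL_WORDS, 0, IHL_WORDS * 4 + payload_len, ident, flags_frag,
              ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst)]
    fields[7] = checksum(struct.pack(HDR_FMT, *fields))   # computed with the field zeroed
    return struct.pack(HDR_FMT, *fields)


def bits_of(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def encode_message(msg, src="192.0.2.10", dst="198.51.100.20"):
    """Sender: one small datagram per message bit, the bit carried in DF."""
    return [build_header(src, dst, payload_len=32, ident=1000 + i, df=bit)
            for i, bit in enumerate(bits_of(msg))]


def decode_headers(headers):
    """Receiver: verify each checksum, read DF, reassemble whole bytes."""
    bits = []
    for hdr in headers:
        if checksum(hdr) != 0:      # a valid header sums to zero with its checksum in place
            raise ValueError("corrupt IPv4 header")
        flags_frag = struct.unpack("!H", hdr[6:8])[0]
        bits.append(1 if flags_frag & FLAG_DF else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def df_inconsistent(headers, small_threshold=576):
    """Filter-side heuristic: a host normally sets DF the same way on every small,
    unfragmented datagram it sends; both DF values inside one flow is a red flag."""
    seen = set()
    for hdr in headers:
        total_len = struct.unpack("!H", hdr[2:4])[0]
        flags_frag = struct.unpack("!H", hdr[6:8])[0]
        if total_len <= small_threshold and not (flags_frag & (FLAG_MF | 0x1FFF)):
            seen.add(bool(flags_frag & FLAG_DF))
    return len(seen) == 2
```

The channel is slow (one bit per datagram) but every header is standards-conformant, which is the slide's point; the detector is only a heuristic, since some stacks set DF on all traffic and others on none, so a per-host baseline is what makes it useful.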
Methods Of Hiding Data (cont)
■ To human eyes, data usually takes known forms, like images, e-mail,
sounds, and text. Most Internet data naturally includes gratuitous
headers, too. These are the media exploited by two newer, controversial
logical encodings: steganography and marking.
■ Steganography: The art of storing information in such a way that the
existence of the information is hidden.
■ Example: "The duck flies at midnight. Tame uncle Sam"
– Simple but effective when done well
Methods Of Hiding Data (cont)
■ Watermarking: Hiding data within data
– Information can be hidden in almost any file format.
– Formats with a lot of perceptual redundancy (detail the eye or ear does
not notice) leave the most room for hidden data
■ Image files (JPEG, GIF)
■ Sound files (MP3, WAV)
■ Video files (MPG, AVI)
– The hidden information may be encrypted, but
not necessarily
– Numerous software applications will do this for
you: Many are freely available online
Methods Of Hiding Data (cont)
• Hard Drive/File System manipulation
– Slack space (file slack) is the space between the logical end of a file and
the physical end of the last cluster allocated to it. The logical end of a
file usually comes before the physical end of the cluster in which it is
stored; the remaining bytes in the cluster are remnants of previous files or
directories stored in that cluster.
• Slack space can be accessed and written to directly using a hex editor.
• Writing there does not change the file's recorded size or the drive's
"used space"
– Partition waste space is the rest of the unused track on which the boot
sector is stored – usually tens, possibly hundreds, of sectors skipped
• After the boot sector, the rest of the track is left empty
Methods Of Hiding Data (cont)
• Hard Drive/File System manipulation cont…
– Hidden drive space is non-partitioned space in between partitions
• The partition table is modified to remove any reference to the
non-partitioned space
• The addresses of the sectors must be known in order to read/write
information there
– Bad sectors occur when the OS attempts to read information from a sector
unsuccessfully. After a (specified) number of unsuccessful tries, it copies
(if possible) the information to another sector and marks (flags) the
sector as bad so it is not read from or written to again
• Users can control the flagging of bad sectors
• Flagged sectors can still be read from and written to with direct reads
and writes using a hex editor
Methods Of Hiding Data (cont)
• Hard Drive/File System manipulation cont…
– Extra tracks: most hard disks have more than the rated number of tracks,
to make up for manufacturing flaws (so a disk that fails to meet the
minimum is not thrown away).
• Usually not required or used, but with direct (hex editor) reads and
writes they can be used to hide and read data
– Change file names and extensions – i.e. rename a .doc file to a .dll file
• Defeated by comparing each file's signature (magic bytes) with its
extension, one of the anomalies checked in Step 13
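File slack as described above, as an added example that is not from the slides: a toy volume with 512-byte sectors and 4096-byte clusters, a 1000-byte file, a secret written into its slack, and the examiner's counterpart, carving and keyword-searching the slack of every file (Steps 9 and 11 of the NTI list). The sector and cluster sizes, the files and the secret are constructed; a real examiner reads the same regions out of the image with a forensic tool instead of a bytearray.

```python
SECTOR = 512
CLUSTER = 4096   # 8 sectors per cluster (a typical FAT/NTFS default; assumed here)


def _ceil_div(a, b):
    return -(-a // b)


class ToyVolume:
    """A bytearray stands in for the disk image; a dict of name -> (first cluster, size)
    stands in for the directory entries. Files occupy contiguous clusters."""

    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.files = {}
        self.next_cluster = 0

    def write_file(self, name, content):
        n_clusters = max(1, _ceil_div(len(content), CLUSTER))
        start = self.next_cluster
        self.next_cluster += n_clusters
        off = start * CLUSTER
        self.data[off:off + len(content)] = content
        self.files[name] = (start, len(content))     # the "directory entry"
        return start

    def read_file(self, name):
        start, size = self.files[name]
        return bytes(self.data[start * CLUSTER:start * CLUSTER + size])

    def used_space(self):
        """What a directory listing reports: logical sizes only."""
        return sum(size for _, size in self.files.values())

    def slack_range(self, name):
        """(logical end, physical end) of the file: the whole file slack."""
        start, size = self.files[name]
        logical_end = start * CLUSTER + size
        physical_end = start * CLUSTER + max(1, _ceil_div(size, CLUSTER)) * CLUSTER
        return logical_end, physical_end

    def ram_and_drive_slack(self, name):
        """RAM slack: end of file to end of its last sector. Drive slack: the
        remaining whole sectors up to the end of the cluster."""
        logical_end, physical_end = self.slack_range(name)
        sector_end = _ceil_div(logical_end, SECTOR) * SECTOR
        return (logical_end, sector_end), (sector_end, physical_end)

    def hide_in_slack(self, name, secret):
        """The hex-editor trick from the slide: write straight into the slack; the
        directory entry, and so the reported size and used space, never changes."""
        lo, hi = self.slack_range(name)
        if len(secret) > hi - lo:
            raise ValueError("secret larger than the file's slack")
        self.data[lo:lo + len(secret)] = secret

    def carve_slack(self):
        """Examiner side: every file's slack bytes, keyed by file name."""
        return {name: bytes(self.data[slice(*self.slack_range(name))]) for name in self.files}

    def search_slack(self, keyword):
        """Keyword hits in slack as (file name, absolute offset in the image)."""
        hits = []
        for name, blob in self.carve_slack().items():
            base = self.slack_range(name)[0]
            pos = blob.find(keyword)
            while pos != -1:
                hits.append((name, base + pos))
                pos = blob.find(keyword, pos + 1)
        return hits
```

A file whose size is an exact multiple of the cluster size has no slack at all, which is why `hide_in_slack` refuses it rather than spilling into the next cluster; the same boundary is what a carving tool has to respect when it reports slack per file.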
Methods Of Hiding Data (cont)
• Other Methods
– Manipulating HTTP requests by changing the (unconstrained) order of
elements
• Each possible ordering of the elements can be assigned a bit value (1 or 0)
• No public software is available for use yet, but the government reportedly
uses this method for agents who wish to transfer sensitive information
online
• Hard to detect because there is no standard for the order of elements and
it is, in essence, just normal web browsing
– Encryption: The problem is that the existence of the data is not hidden;
instead it draws attention to itself.
• With strong enough encryption, it doesn't matter if its existence is known
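The header-ordering idea above, as an added example that is not from the slides and not any particular tool: with n headers there are n! orderings, so each request can carry floor(log2 n!) bits. The code ranks and unranks permutations (Lehmer code), packs one message byte per request into the order of six common request headers, parses it back, and includes the counter-check a proxy could run, namely whether a client's header order stays stable across requests. The header set, values and host are constructed.

```python
from math import factorial

HEADERS = ["Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding", "Connection"]
VALUES = {                        # constructed, plausible values for the demonstration
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0",
    "Accept": "text/html",
    "Accept-Language": "en-US",
    "Accept-Encoding": "gzip",
    "Connection": "keep-alive",
}


def capacity_bits(n):
    """Whole bits that n! orderings can carry: floor(log2(n!))."""
    return factorial(n).bit_length() - 1


def unrank(n, r):
    """Lehmer code: the r-th permutation of range(n) in lexicographic order."""
    items = list(range(n))
    perm = []
    for i in range(n, 0, -1):
        idx, r = divmod(r, factorial(i - 1))
        perm.append(items.pop(idx))
    return perm


def rank(perm):
    """Inverse of unrank: lexicographic index of a permutation of range(n)."""
    items = sorted(perm)
    r = 0
    for i, p in enumerate(perm):
        idx = items.index(p)
        r += idx * factorial(len(perm) - 1 - i)
        items.pop(idx)
    return r


def build_request(order):
    lines = ["GET / HTTP/1.1"] + ["%s: %s" % (h, VALUES[h]) for h in order]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_order(raw):
    """Header names in the order they appear in a raw request."""
    names = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        names.append(line.split(":", 1)[0])
    return names


def encode_message(msg):
    """Sender: one request per byte; the byte value selects the ordering of HEADERS."""
    assert capacity_bits(len(HEADERS)) >= 8
    return [build_request([HEADERS[i] for i in unrank(len(HEADERS), byte)]) for byte in msg]


def decode_message(requests):
    """Receiver: rank the observed ordering back into a byte."""
    return bytes(rank([HEADERS.index(h) for h in header_order(raw)]) for raw in requests)


def order_varies(requests):
    """Proxy-side check: real clients emit headers in a fixed order; a client whose
    order changes from request to request deserves a closer look."""
    return len({tuple(header_order(raw)) for raw in requests}) > 1
```

Six headers give 9 usable bits, so one byte per request wastes a little capacity; the detector exploits exactly the property the channel relies on, that nothing in HTTP constrains the order, because a real browser nevertheless always uses the same one.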
Methods Of Detecting/Recovering Data
• Steganalysis - the art of detecting and
decoding hidden data
– Hiding information within electronic media requires
alterations of the media properties that may introduce
some form of degradation or unusual characteristics
– The pattern of degradation or the unusual
characteristic of a specific type of steganography
method is called a signature
– Steganalysis software can be trained to look for a
signature
Methods Of Detecting/Recovering Data (cont)
• Steganalysis Methods - Detection
– Human Observation
• Opening a text document in a common word processor
may show appended spaces and “invisible” characters
• Images and sound/video clips can be viewed or listened
to and distortions may be found
– Generally, this only occurs if the amount of data hidden
inside the media is too large to be successfully hidden
within the media (15% rule)
– Software analysis
• Even small amounts of processing can filter out echoes
and shadow noise within an audio file to search for
hidden information
• If the original media file is available, hash values can
easily detect modifications
Methods Of Detecting/Recovering Data (cont)
• Steganalysis Methods – Detection cont...
– Disk analysis utilities can search the hard drive for
hidden tracks/sectors/data
– RAM slack is the space from the end of the file to the end of the
containing sector. Before a sector is written to disk, it is stored in a
buffer somewhere in RAM. On older operating systems, if the buffer was only
partially filled before being committed to disk, remnants from the end of
the buffer were written to disk, so information that was never "saved"
could be found in RAM slack (modern systems zero-fill the rest of the
sector).
– Firewall/Routing filters can be applied to search for
hidden or invalid data in IP datagram headers
Methods Of Detecting/Recovering Data (cont)
• Steganalysis Methods – Detection cont...
– Statistical Analysis
• Most LSB steganography for images assumes that the least-significant-bit
plane of a natural image is random noise
• It is not: filter an image down to the LSB of each pixel and a faint but
recognizable version of the image appears, so the assumption is wrong
• After hidden information (especially encrypted data) is inserted, the LSB
plane really is random; apply the same filter and it no longer produces a
recognizable image
• Statistical analysis of the LSB plane therefore tells you whether the LSBs
are random or structured
• Can be applied to audio files as well (using the LSB of each sample)
– Frequency scanning
• Software can search for high, inaudible frequencies
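The pairs-of-values statistic and the LSB-plane "filter" described under Statistical Analysis, as an added example that is not from the slides: a constructed 64x64 grayscale cover whose histogram is uneven within each (2k, 2k+1) pair, an LSB embedder that fills the whole image (the PRNG filler stands in for an encrypted payload), the matching extractor, and two detectors. The cover pattern, the 16-bit length header and the PRNG seed are assumptions of this example, not part of any standard tool, and the cover is deliberately exaggerated so the effect is unmistakable.

```python
import random

WIDTH, HEIGHT = 64, 64


def make_cover():
    """Constructed 8-bit grayscale cover as a flat list of pixels. Values are
    100, 103, ..., 118, so within every (2k, 2k+1) pair only one member occurs,
    an exaggerated version of the uneven pair counts real images show."""
    return [100 + ((x + y) % 7) * 3 for y in range(HEIGHT) for x in range(WIDTH)]


def _bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels, payload, seed=1):
    """Overwrite every pixel's LSB: a 16-bit payload length, the payload bytes,
    then PRNG filler standing in for an encrypted payload that fills the image."""
    bits = list(_bits(len(payload).to_bytes(2, "big") + payload))
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit")
    rng = random.Random(seed)
    bits += [rng.getrandbits(1) for _ in range(len(pixels) - len(bits))]
    return [(p & 0xFE) | b for p, b in zip(pixels, bits)]


def lsb_extract(pixels):
    """Read the length header, then that many bytes, from the LSB plane."""
    plane = [p & 1 for p in pixels]

    def take(pos, n):
        value = 0
        for b in plane[pos:pos + n]:
            value = (value << 1) | b
        return value

    length = take(0, 16)
    return bytes(take(16 + 8 * i, 8) for i in range(length))


def pov_chi_square(pixels):
    """Pairs-of-values test: LSB embedding only moves pixels between 2k and 2k+1,
    so after full embedding the two counts converge and the statistic collapses.
    Returns (chi-square statistic, degrees of freedom)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        stat += (even - expected) ** 2 / expected
        pairs += 1
    return stat, pairs - 1


def lsb_plane_structure(pixels):
    """The slide's 'filter' reduced to one number: the fraction of horizontally
    adjacent pixels whose LSBs agree. A structured plane sits far from 0.5; a
    noise-like plane sits near 0.5."""
    same = total = 0
    for y in range(HEIGHT):
        row = pixels[y * WIDTH:(y + 1) * WIDTH]
        for a, b in zip(row, row[1:]):
            same += int((a & 1) == (b & 1))
            total += 1
    return same / total


def analyse(pixels):
    stat, dof = pov_chi_square(pixels)
    return {"chi_square": stat, "dof": dof, "lsb_structure": lsb_plane_structure(pixels)}
```

On the constructed cover the statistic is in the thousands and the LSB plane is strongly patterned; after embedding it drops to the order of the degrees of freedom and the plane looks like coin flips. Real covers give less dramatic numbers, and an embedder that uses only a fraction of the pixels weakens the pairs-of-values test, which is why production steganalysis adds the sequential and sample-pair variants.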
Methods Of Detecting/Recovering Data (cont)
• Steganalysis Methods – Recovery
– Recovery of watermarked data is extremely hard
• Currently, there are very few methods to recover hidden data that has
also been encrypted.
– Data hidden on disk is much easier to find. Once found, if unencrypted,
it is already recovered
– Deleted data can often be reconstructed from unallocated space (data that
has actually been overwritten is not recoverable in practice on modern
drives)
– Check swap files for passwords and encryption keys, which may be stored
in the clear (unencrypted)
– Software Tools
• Scan for and reconstruct deleted data
• Break encryption
• Destroy hidden information (overwrite)
Windows Forensics
Windows forensics:
■ Covers the different types of volatile and nonvolatile information an
investigator can collect from a Windows system
■ Discusses collecting and analyzing data in memory, the registry, and
files in detail
Network Forensics
■ Explain network intrusions and unauthorized access
■ Describe standard procedures in network forensics and network-monitoring
tools
■ Data security: protecting private data on the public Internet
– Encryption & authentication
– Virtual Private Network (VPN)
■ Access security: deciding who can access what
– TCP/IP firewall or application firewall
■ System security: protecting system resources from hackers
– Intrusion detection and prevention
Module 1: Introduction to digital forensic
Module 1
■ What is Forensic Science?
■ What is Digital Forensics?
■ Uses of Digital Forensics
■ Principal Targets of Computer Forensics
■ Forensic Procedure for Securing Disk Data for Analysis
■ Computer Forensic Software
■ Credibility of Digital Data
■ Problems with Digital Data
■ Role of the Forensic Examiner in the Judicial System
WHAT IS FORENSIC SCIENCE?
■ Forensics is the application of science to solve a legal problem.
■ In forensics, the law and science are forever integrated.

Definition
Forensic:
“…a characteristic of evidence that satisfies its suitability for admission as
fact and its ability to persuade based upon proof (or high statistical
confidence).”

The aim of forensic science is:
"…to demonstrate how digital evidence can be used to reconstruct a crime
or incident, identify suspects, apprehend the guilty, defend the innocent, and
understand criminal motivations."
Ref: Casey, "Digital Evidence and Computer Crime"


Digital Forensics is the process of analysing and evaluating digital data as
evidence.

The science of locating, extracting and analysing different types of data
from different devices, which specialists then interpret to serve as legal
evidence (Marcella, Menendez 2008)

The practice of scientifically derived and proven technical methods and
tools toward the preservation, collection, validation, identification,
analysis, interpretation, documentation and presentation of after-the-fact
digital information derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events as forensic evidence
(Willassen, Mjolsnes 2005)
WHAT IS DIGITAL FORENSICS?
In Forensic Magazine, Ken Zatyko defined digital forensics this way:
■ "The application of computer science and investigative procedures for a
legal purpose involving the analysis of digital evidence after proper search
authority, chain of custody, validation with mathematics, use of validated
tools, repeatability, reporting, and possible expert presentation"
(Zatyko, 2007).
Computer forensics
■ Computer forensics is simply the application of computer investigation
and analysis techniques in the interests of determining potential legal
evidence.
- Judd Robbins, "An Explanation of Computer Forensics"
Computer Forensics vs Digital Forensics
Computer forensics (Robbins, Judd, PC Software Forensics):
"Computer forensics is simply the application of computer investigation and
analysis techniques in the interests of determining potential legal evidence.
Evidence might be sought in a wide range of computer crime or misuse,
including but not limited to theft of trade secrets, theft of or destruction
of intellectual property, and fraud."
Digital forensics (Digital Forensics Research Workshop):
"The use of scientifically derived and proven methods towards the
preservation, collection, validation, identification, analysis,
interpretation, documentation, and presentation of digital evidence derived
from the digital sources for the purpose of facilitation or furthering the
reconstruction of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned operations."
After 40 years of history, Digital Forensics is heading towards a crisis

Early years (1970s-1990s)
• Hardware, software, and application diversity
• A proliferation of data file formats
• Heavy reliance on time-sharing and centralized computing facilities
• Absence of formal process, tools, and training

"Golden years" (1990s-2000s)
• The widespread use of Microsoft Windows, and specifically Windows XP
• Relatively few file formats of forensic interest
• Examinations largely confined to a single computer system belonging to the
subject of the investigation
• Storage devices equipped with standard interfaces (IDE/ATA)

Era of crisis (2010s-...)
• Growing size of storage devices
• Increasing prevalence of embedded flash storage
• Proliferation of hardware interfaces
• Proliferation of operating systems and file formats
• Pervasive encryption
• Use of the "cloud" for remote processing and storage, splitting a single
data structure into elements

Source: Garfinkel, Simson L., "Digital Forensics Research: The Next 10 years", 2010
Application of Computer Forensics
■ Securing evidence in criminal and civil litigation
– Terrorism
– Child Pornography
– Industrial Espionage
■ Documenting/Investigating a breach of
network security
■ Recovering inadvertently deleted data
History of Computer/Digital Forensics
1970s
Electronic crimes were increasing, especially in the financial sector.
Most law enforcement officers didn’t know enough about computers to ask the
right questions or to preserve evidence for trial.

1980s
PCs gained popularity and different OSs emerged.
Disk Operating System (DOS) was available.
Forensics tools were simple, and most were generated by government
agencies.

Mid-1980s
Xtree Gold appeared on the market able to recognize file types and retrieve
lost or deleted files.
Norton DiskEdit soon followed and became the best tool for finding deleted
files.
History of Computer/Digital Forensics
1984
Scotland Yard: Computer Crime Unit
FBI computer forensics departments

Early 1990s
Tools for computer forensics were available
International Association of Computer Investigative Specialists (IACIS):
training on software for forensics investigations
IRS created search-warrant programs
ExpertWitness for the Macintosh: first commercial GUI software for computer
forensics, created by ASR Data; recovers deleted files and fragments of
deleted files

1990
Computer Misuse Act (CMA)
USES OF DIGITAL FORENSICS
Digital forensics can be used in a variety of
settings, including
■criminal investigations,
■civil litigation,
■intelligence, and
■administrative matters.
Criminal investigation
■ In today's digital world, electronic evidence can be found in almost any
criminal investigation. Homicide, sexual assault, robbery, and burglary are
just a few of the many examples of "analog" crimes that can leave digital
evidence.
■ Bind, torture, kill
The case of Dennis Rader, better known as the BTK killer, is a great example of the critical role digital
forensics can play in a criminal investigation. This case had national attention and, thanks to digital
forensics, was solved more than 30 years after the first murders. To all who knew him before his arrest,
Dennis Rader was a family man, church member, and dedicated public servant. What they didn't know was that
he was also an accomplished serial killer. Dennis Rader, known as Bind, Torture, Kill (BTK), murdered ten
people in Kansas from 1974 to 1991. Rader managed to avoid capture for more than 30 years until technology
betrayed him.

After years of silence, Rader sent a letter to the Wichita Eagle newspaper declaring that he was
responsible for the 1986 killing of a young mother. The letter was received by the Eagle on March 19, 2004.
After conferring with the FBI's Behavioral Analysis Unit, the police decided to attempt to communicate with
BTK through the media. In January 2005, Rader left a note for police, hidden in a cereal box in the back of a
pickup truck belonging to a Home Depot employee. In the note, he said:

"Can I communicate with Floppy and not be traced to a computer. Be honest. Under Miscellaneous Section,
494, (Rex, it will be OK), run it for a few days in case I'm out of town-etc. I will try a floppy for a test
run some time in the near future-February or March."
CIVIL LITIGATION

■ The use of digital forensics in civil cases is big business. In 2011, the
estimated total worth of the electronic discovery market was somewhere
north of $780 million (Global EDD Group). As part of a process known as
electronic discovery (eDiscovery), digital forensics has become a major
component of much high-dollar litigation.
■ eDiscovery “refers to any process in which electronic data is sought,
located, secured, and searched with the intent of using it as evidence in a
civil or criminal legal case” (TechTarget, 2005).
■ In a civil case, both parties are generally entitled to examine the evidence
that will be used against them before trial. This legal process is known as
“discovery.”
■ Previously, discovery was largely a paper-based exercise, with each party
exchanging reports, letters, and memos; however, the introduction of
digital forensics and eDiscovery has greatly changed this practice.
■ Digital evidence can quickly become the focal point of a case, no matter
what kind of legal proceeding it’s used in. The legal system and all its
players are struggling to deal with this new reality.
INTELLIGENCE
■ Terrorists and foreign governments, the purview of our intelligence
agencies, have also joined the digital age. Terrorists have been using
information technology to communicate, recruit, and plan attacks. In Iraq
and Afghanistan, our armed forces are exploiting intelligence collected from
digital devices brought straight from the battlefield.
■ This process is known as Document and Media
Exploitation (DOMEX).
■ DOMEX is paying large dividends by providing actionable
intelligence to support the soldiers on the ground (U.S.
Army).
Moussaoui and 9-11
■ It’s well documented that the 9-11 hijackers sought out and received flight
training to facilitate the deadliest terrorist attack ever on U.S. soil. Digital
forensics played a role in the investigation of this aspect of the attack.
■ On August 16, 2001, Zacarias Moussaoui was arrested by INS agents in
Eagan, Minnesota, for overstaying his visa. Agents also seized a laptop and
a floppy disk.
■ After obtaining a search warrant, the FBI searched these two items on
September 11, 2001. During the analysis, they found evidence of a Hotmail
account (pilotz123@hotmail.com) that Moussaoui had used. (For those not
familiar with Hotmail, it's a free e-mail service offered by Microsoft,
similar to Yahoo! and Gmail. Hotmail addresses are quite easy to get and
require only basic subscriber information, which is essentially meaningless
because none of it is verified.) During the examination of Moussaoui's
e-mail, agents were also able to analyze the Internet Protocol (IP)
connection logs.
■ One of the IP addresses identified was assigned to "PC11" in a computer
lab at the University of Oklahoma.
Moussaoui and 9-11 cont….
■ The investigation further showed that Moussaoui and the nineteen 9-11
hijackers made extensive use of computers at a variety of Kinko's store
locations in other cities. Agents arrived at the Kinko's
in Eagan hoping to uncover evidence. They were disappointed to
learn that this specific Kinko’s makes a practice of erasing the drives
on its rental computers every day. At 44 days after Moussaoui’s visit,
the agents felt the odds of recovering any evidence would be
somewhere between slim and none. They didn’t bother examining
the Kinko’s computer. The Eagan store isn’t alone. Other locations
make a routine practice of erasing or reimaging the rental computers
as well. This is done periodically, some as soon as every 24 hours,
others as long as every 30 days. The drives are erased to improve the
performance and reliability of the computers, as well as to protect the
privacy of customers (Lawler, 2002).
ADMINISTRATIVE MATTERS
■ Digital evidence can also be valuable for incidents other than litigation
and matters of national security. Violations of policy and procedure often
involve some type of electronically stored information; for example, an
employee operating a personal side business, using company computers while
on company time. That may not constitute a violation of the law, but it may
warrant an investigation by the company.
Securities and Exchange Commission
■ In 2008, while the economy was in the beginning of its historic
downward spiral, the Securities and Exchange Commission (SEC) should
have been policing Wall Street.
■ Instead, many of its staffers were spending hours of their days watching
pornography.
■ Computer forensics played heavily in this administrative investigation.
■ In August 2007, the SEC’s Office of the Inspector General (OIG) officially
opened an investigation into the potential misuse of governmental
computers. The OIG was alerted to a potential problem after firewall
logs identified several users who had received access denials for
Internet pornography. The SEC firewall was configured to block and log
this kind of traffic. The logs showed that this employee attempted to
visit sites such as www.thefetishvault.com, www.bondagetemple.com,
www.rape-cartoons.com, and www.pornobaron.com.
High-profile Computer Forensics Cases
■ Dismissal of U.S. attorneys controversy
– Lost emails
■ “Some official e-mails have potentially been lost and
that is a mistake the White House is aggressively
working to correct.” - Scott Stanzel, White House
spokesman
■ Forged Email
– Larry Ellison loses sexual harassment case
against former employee
– Employee later shown to have been the forger
of incriminating email that appeared to be
confirming Ellison’s role in her firing. (She was
later convicted of perjury.)
Investigative Context

                        Primary Objectives         Secondary Objectives   Environment
Law Enforcement         Prosecution                -                      Post-Mortem
Military IW Ops         Continuity of Operations   Prosecution            Real-Time/Post-Mortem
Business and Industry   Continuity of Service      Prosecution            Real-Time/Post-Mortem
Digital Investigation
A digital investigation is a process where we develop and test
hypotheses that answer questions about digital events. This is done
using the scientific method where we develop a hypothesis using
evidence that we find and then test the hypothesis by looking for
additional evidence that shows the hypothesis is impossible.

Digital Evidence is a digital object that contains reliable information
that supports or refutes a hypothesis.

- B. Carrier, File System Forensic Analysis, 2006
Characteristics of Evidence
1. Data can be viewed at different levels of abstraction
2. Data requires interpretation
3. Data is Fragile
4. Data is Voluminous
5. Data is difficult to associate with reality
Investigation Process
According to many professionals, Computer Forensics is a
four (4) step process:

Acquisition
Physically or remotely obtaining possession of the computer, all network
mappings from the system, and external physical storage devices

Identification
This step involves identifying what data could be recovered and
electronically retrieving it by running various Computer Forensic tools
and software suites

Evaluation
Evaluating the information/data recovered to determine if and how it
could be used against the suspect for employment termination or
prosecution in court

Presentation
This step involves the presentation of evidence discovered in a manner
which is understood by lawyers, non-technical staff/management, and
suitable as evidence as determined by United States and internal laws
Tool Requirements
Usability - Present data at a layer of abstraction that is useful to an investigator

Comprehensive - Present all data to investigator so that both inculpatory and
exculpatory evidence can be identified

Accuracy - Tool output must be able to be verified and a margin of error must be
given

Deterministic - A tool must produce the same output when given the same rule
set and input data.

Verifiable - To ensure accuracy, one must be able to verify the output by having
access to the layer inputs and outputs. Verification can be done by hand or a
second tool set.

Brian Carrier, 2003, Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers
Challenges
 Size of storage devices
 Embedded flash devices
 Proliferation of operating systems and file formats
 Multi-device analysis
 Pervasive Encryption
 Cloud computing
 RAM-only Malware
 Legal Challenges decreasing the scope of forensic investigations

Research Challenges facing the investigation community
• S.L. Garfinkel, Digital forensics research: The next 10 years,
Digital Investigation, vol. 1, no. 7, pp. 64-73, 2010
• “The coming Digital Forensics Crisis”
Principal Targets of Computer
Forensics
■ Hard Disk Drives
■ USB Drives, floppy disks
■ SD memory, Compact Flash, and other static memory
■ RAM (Random Access Memory)
Basic Computer Architecture
■ Central Processing Unit (CPU)
■ Main Memory
– (RAM) (volatile memory)
■ Turn off the computer and it forgets
■ Disk Drive
– non-volatile (persistent) memory
■ Maintains data across shutdowns
– Data Files
– Temporary Files
– Registry Entries
– Unallocated Space
– Swap Space
– Log Files
– Email
Disk Geometry
Disk Sectors and Clusters
 Sectors are physical areas of
the disk that typically represent
the smallest addressable units
of storage. When a disk drive
reads or writes data, it typically
does so in complete sectors.

 Clusters are logical entities
consisting of one or more
sectors. Clusters are the
smallest addressable unit of
storage used by a file system.
How Clusters are Allocated to Files
■ Initially, the disk drive consists of a large number of
unallocated clusters
■ When a file is stored, the number of clusters needed to
store the data are allocated to that file.
■ A File Allocation Table keeps track of which clusters are
allocated to which files
Files Stored on a Disk
The diagram shows the data for
two files stored on the disk. One
file has been allocated
contiguous clusters (shown in
green). The other file has been
allocated noncontiguous clusters
(shown in blue).

The file allocation table keeps
track of the clusters allocated to each
file.
When the file is deleted, the file
allocation table is modified to
show that the clusters are now
available for reuse, but no
modification is made to the data
in the clusters.
Foolproof methods for rendering
previously stored data unreadable
■ Using a sledge hammer to reduce the disk platters to dust
■ Overwrite every sector on the disk
■ Store at least one irreplaceable file on it, for which you have no
backup (Unproven, but with strong anecdotal evidence)
Deleting Disk Data
■ “Wiping” a file consists of deleting the file
and overwriting the contents of the
associated clusters
– Random data
– All ones and/or all zeros
– Multiple overwrites
■ Single overwrite seems to be adequate for
modern disk drives
http://www.springerlink.com/content/408263ql11460147/
■ Remnants of the file may still exist in other
parts of the system (e.g., swapfile,
temporary files, registry entries, etc). If so,
data from wiped files can still be recovered.
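An added example, not from the slides, that models the allocation-table behaviour described under "Files Stored on a Disk" and the delete-versus-wipe distinction above. The toy disk, its 4-byte clusters and the file contents are constructed assumptions; real file systems differ in layout but not in the point shown.

```python
CLUSTER_SIZE = 4   # bytes per cluster; constructed toy value (real file systems use e.g. 4 KiB)
NUM_CLUSTERS = 8
FREE = None        # allocation-table marker for an unallocated cluster


class ToyDisk:  # constructed toy disk: a list of clusters plus a table of which file owns each
    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.fat = [FREE] * NUM_CLUSTERS  # cluster index -> file name, or FREE

    def write_file(self, name, content):
        """Store content in the lowest free clusters (contiguous or not); return their indices."""
        needed = -(-len(content) // CLUSTER_SIZE)  # ceiling division
        free = [i for i, owner in enumerate(self.fat) if owner is FREE][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, cluster in enumerate(free):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.clusters[cluster][:] = chunk.ljust(CLUSTER_SIZE, b"\0")
            self.fat[cluster] = name
        return free

    def delete_file(self, name):
        """Ordinary delete: only the table changes; the cluster contents stay on disk."""
        clusters = [i for i, owner in enumerate(self.fat) if owner == name]
        for cluster in clusters:
            self.fat[cluster] = FREE
        return clusters

    def wipe_file(self, name):
        """Wipe: delete, then overwrite each cluster the file occupied (one pass of zeros)."""
        for cluster in self.delete_file(name):
            self.clusters[cluster][:] = bytes(CLUSTER_SIZE)

    def unallocated_bytes(self):
        """What a forensic tool carves: raw contents of every cluster the table marks free."""
        return b"".join(bytes(c) for c, owner in zip(self.clusters, self.fat) if owner is FREE)


def carve_demo():
    """Deleted data survives in unallocated space until overwritten; wiped data does not."""
    disk = ToyDisk()
    disk.write_file("memo.txt", b"SECRET MEMO!")  # contiguous clusters 0, 1, 2
    disk.write_file("pay.csv", b"PAYROLL.CSV")    # clusters 3, 4, 5
    disk.delete_file("memo.txt")
    after_delete = disk.unallocated_bytes()       # the whole memo is carved back
    disk.wipe_file("pay.csv")
    after_wipe = disk.unallocated_bytes()         # clusters 3-5 now read as zeros
    disk.write_file("log.txt", b"log1")           # reuses cluster 0; 1 and 2 still hold b"ET MEMO!"
    return after_delete, after_wipe, disk.unallocated_bytes()
```

The third value returned is the partial-overwrite case: a new file reusing only the first cluster leaves the rest of the deleted memo recoverable, which is why the slide's "remnants may still exist" caveat applies even after some reuse.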
Protection of evidence is critical
■ Ensure that:
■ no possible evidence is damaged, destroyed, or otherwise
compromised by the procedures used to investigate the computer.
■ no possible computer virus is introduced to a subject computer
during the analysis process.
■ extracted and possibly relevant evidence is properly handled and
protected from later mechanical or electromagnetic damage.
■ a continuing chain of custody is established and maintained.
■ business operations are affected for a limited amount of time, if at
all.
■ any client-attorney information that is inadvertently acquired
during a forensic exploration is ethically and legally respected and
not divulged.

* Bullet points from Judd Robbins:
http://www.computerforensics.net/forensics.htm
Forensic Procedure for Securing Disk Data for
Analysis
■ Extreme care must be taken to ensure that the
data does not become modified as a side-effect
of forensic analysis

■ Turn the computer off if it is on
– Remove the disk from the computer
– Write-protect the drive
– Use forensic software to create an “image file”
■ Image files contain a byte for byte copy of the sectors
contained on the disk
– Secure the original disk
– All further analysis must be performed on the image
file.
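An added example, not from the slides or from any named forensic tool, of the imaging step above: copy the source sector by sector, hash both original and image, and re-verify the image before analysis. It also exercises the Deterministic and Verifiable properties from the Tool Requirements slide. The 5-sector "drive", the file names and the choice of SHA-256 are constructed assumptions.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # bytes; the classic disk sector size


def sha256_of(path):
    """Hash a file sector by sector, so images larger than memory can still be verified."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: the original is never opened for writing
        for sector in iter(lambda: f.read(SECTOR_SIZE), b""):
            digest.update(sector)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy every sector of the source into an image file; return the number of sectors copied."""
    sectors = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for sector in iter(lambda: src.read(SECTOR_SIZE), b""):
            dst.write(sector)
            sectors += 1
    return sectors


def verify_image(source_path, image_path):
    """Acquisition is accepted only if the image hashes identically to the original."""
    return sha256_of(source_path) == sha256_of(image_path)


def acquisition_demo():
    """Constructed 5-sector 'drive': image it twice, verify, then show a modified image is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "suspect_drive.bin")
        image1 = os.path.join(tmp, "suspect_drive.dd")
        image2 = os.path.join(tmp, "suspect_drive_again.dd")
        with open(drive, "wb") as f:  # sector 4 holds a stale fragment, as unallocated space might
            f.write(b"BOOT".ljust(SECTOR_SIZE, b"\0") * 4)
            f.write(b"leftover memo fragment".ljust(SECTOR_SIZE, b"\0"))
        sectors = acquire_image(drive, image1)
        acquire_image(drive, image2)
        deterministic = sha256_of(image1) == sha256_of(image2)  # same input, same output
        verified = verify_image(drive, image1)
        with open(image2, "r+b") as f:  # simulate an analysis step that wrote to the copy by mistake
            f.seek(SECTOR_SIZE * 4)
            f.write(b"LEFTOVER")
        tamper_caught = not verify_image(drive, image2)
        return {"sectors": sectors, "deterministic": deterministic,
                "verified": verified, "tamper_caught": tamper_caught}
```

Recording the original's hash at acquisition time is what lets an examiner later prove that the image analysed is the one taken, and that no tool modified it as a side effect.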
Computer Forensic Software
■ Many software tools exist to recover deleted files and find keywords
and other data of interest
■ EnCase is one of the more popular and powerful tools available
■ http://www.youtube.com/watch?v=O4ce74q2zqM
E-mail – The most frequent
smoking gun
■ “You can't erase e-mails, not today…They've gone through too many
servers. Those e-mails are there –”
– Senator Patrick Leahy
Finding lost Emails
■ Emails can be recovered from a number of
different locations
– Local user files
■ POP3 email client protocols copy all email data to the
local disk
– Under many email clients (including Outlook) deleted
emails exist in the local archive even after they are
purged from the deleted mail folder.
■ IMAP email client protocols leave the email on the
server, but local copies are likely to exist in
temporary or swap files
– Servers
■ Mail servers will maintain email records
– Backups
■ Backups of both client and server machines can
provide copies of deleted emails
Encryption/Decryption
■ Data is encrypted before it is stored on the disk
– Without the key, the data cannot be understood
– Deleted files are unreadable
■ Data in memory is not encrypted
– Such data might still be referenced in swap files,
system logs, and registry entries
String Search Techniques
■ String search algorithms
– Search for “regular expression”
■ CS[1-3][0-9][0-9][ ]*[rR][iI][bB][lL][eE][rR]
■ Index the entire disk
– Make a list of all the places on the disk each keyword
appears
■ Indexes can be very large
■ Very fast response to keyword queries
■ Indexes are generally created in a “batch” mode, and interactive
investigation proceeds after the index generation is complete
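An added example, not from the slides, showing both techniques on one constructed image: a batch keyword index that records every offset at which each keyword appears, and a regular-expression scan using the slide's own pattern. The three-cluster image, its contents and the 32-byte cluster size are assumptions for the example only.

```python
import re
from collections import defaultdict

# The regular expression from the slide: a course code such as CS101, optional spaces, then "Ribler"
# in any mix of upper and lower case.
COURSE_PATTERN = re.compile(rb"CS[1-3][0-9][0-9][ ]*[rR][iI][bB][lL][eE][rR]")

# Constructed toy "disk image": three 32-byte clusters; the middle one stands in for slack space
# holding a stale fragment. Contents and cluster size are assumptions for the example only.
CLUSTER_SIZE = 32
IMAGE = (b"Roster: CS101 Ribler; cs201 x".ljust(CLUSTER_SIZE, b"\0")
         + b"old note CS399  RIBLER end".ljust(CLUSTER_SIZE, b"\0")
         + b"memo to Ribler about CS202".ljust(CLUSTER_SIZE, b"\0"))


def build_index(image, keywords):
    """Batch step: one pass over the image records every byte offset at which each keyword occurs."""
    index = defaultdict(list)
    for keyword in keywords:
        start = 0
        while (pos := image.find(keyword, start)) != -1:
            index[keyword].append(pos)
            start = pos + 1  # advance by one, not len(keyword), so overlapping hits are kept
    return dict(index)


def lookup(index, keyword):
    """Interactive step: a keyword query is a dictionary lookup, not another pass over the disk."""
    return index.get(keyword, [])


def regex_hits(image, pattern=COURSE_PATTERN):
    """Regular-expression search: (offset, matched bytes) for each hit, case rules per the pattern."""
    return [(m.start(), m.group()) for m in pattern.finditer(image)]


def cluster_of(offset, cluster_size=CLUSTER_SIZE):
    """Map a hit's byte offset back to its cluster, so it can be tied to a file or to unallocated space."""
    return offset // cluster_size
```

The index is case-sensitive, as is the CS prefix of the pattern: the RIBLER in the second cluster is found by the regular expression but not by a lookup for b"Ribler", which is why an examiner chooses keyword variants (or a pattern) deliberately before the batch run.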
Princeton Encryption Hack
■ http://www.youtube.com/watch?v=JDaicPIgn9U
Implications of the Princeton
Encryption Hack
■ Perhaps computer forensic investigation will now include investigation
of RAM images. The same techniques used for disks can be applied.
■ Many encryption
Steganography
■ Steganography: http://en.wikipedia.org/wiki/Steganography
Credibility of Digital Data
■ Unlike other forensic evidence, digital data on a
computer can be modified without physical access
to the computer.
■ How do we know that incriminating evidence has
not been planted?
■ Recent case of files in Windows Options directory
http://news.bbc.co.uk/1/hi/scotland/tayside_and_central/6968663.stm
Problems with Digital Data
■ Meta data, such as file access/creation times and file ownership, can be
changed easily
■ Emails and any other data can be fabricated
■ Given a blank disk, we can create any image we like
ROLE OF THE FORENSIC EXAMINER IN THE JUDICIAL SYSTEM
The digital forensics practitioner most often plays the role of an expert witness.
What makes this different from nonexpert witnesses?
Other witnesses can only testify to what they did or saw.
They are generally limited to those areas and not permitted to render opinions. Experts, by
contrast, can and often do give their opinion.
What makes someone an “expert”?
In the legal sense, it’s someone who can assist the judge or jury to understand and interpret
evidence they may be unfamiliar with. To be considered an expert in a court of law, one doesn’t
have to possess an advanced academic degree.
An expert simply must know more about a particular subject than the average layperson.
Under the legal definition, a doctor, scientist, baker, or garbage collector could be qualified as
an expert witness in a court of law.
Individuals are qualified as experts by the court based on their training, experience, education,
and so on (Saferstein, 2011).
What separates a qualified expert from a truly effective one? It is the ability to
communicate with the judge and jury. Experts must be effective teachers. The vast
majority of society lacks the technical understanding to fully grasp this kind of testimony
without at least some explanation.
Digital forensic examiners must carry out their duties without bias. Lastly, a digital forensics
References
■ John Sammons, The Basics of Digital Forensics, Second Edition: The
Primer for Getting Started in Digital Forensics (Syngress, 2014)
■ Eoghan Casey, Handbook of Computer Crime Investigation: Forensic
Tools & Technology (2001)