Computer Forensics Analysis and

Validation
 Objectives

• Determine what data to analyze in a computer

forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote
acquisition
Determining What Data to Collect
and Analyze
Determining What Data to Collect and
Analyze
• Examining and analyzing digital evidence depends
on:
– Nature of the case
– Amount of data to process
– Search warrants(an official written statement) and
court orders
– Company policies
• Scope creep
– Investigation expands beyond the original description
 Approaching Computer Forensics
Cases

• Some basic principles apply to almost all computer

forensics cases
– The approach you take depends largely on the
specific type of case you’re investigating
• Basic steps for all computer forensics
investigations
– For target drives, use only recently wiped media that
have been reformatted and inspected for computer
viruses
 Approaching Computer Forensics
Cases (continued)

• Basic steps for all computer forensics

investigations (continued)
– Inventory the hardware on the suspect’s computer
and note the condition of the computer when seized
– Remove the original drive from the computer
• Check date and time values in the system’s CMOS
– Record how you acquired data from the suspect
drive
– Process the data methodically and logically
 Approaching Computer Forensics
Cases (continued)

• Basic steps for all computer forensics

investigations (continued)
– List all folders and files on the image or drive
– If possible, examine the contents of all data files in
all folders
• Starting at the root directory of the volume partition
– For all password-protected files that might be related
to the investigation
• Make your best effort to recover file contents
 Approaching Computer Forensics
Cases (continued)

• Basic steps for all computer forensics

investigations (continued)
– Identify the function of every executable (binary
or .exe) file that doesn’t match known hash values
– Maintain control of all evidence and findings, and
document everything as you progress through your
examination
 Refining and Modifying the
Investigation Plan

• Considerations
– Determine the scope of the investigation
– Determine what the case requires
– Whether you should collect all information
– What to do in case of scope creep
• The key is to start with a plan but remain flexible in
the face of new evidence
 Using AccessData Forensic Toolkit to
Analyze Data
• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
• FTK can analyze data from several sources, including image files
from other vendors
• FTK produces a case log file(record of events)
• Searching for keywords
– Indexed search - allows for fast searching based on keywords.
FTK automatically indexes your evidence while the case is being
processed.
– Live search-This is a time consuming process involving an item-
by-item comparison with the search term.
• Supports options and advanced searching techniques, such as
stemming(finds variations on endings, like: applies, applied, apply.
applied applying in a search for apply applies)
Indexed Search
Index search options
Live search
Using AccessData Forensic Toolkit to
Analyze Data (continued)
• Analyzes compressed files
• You can generate reports
– Using bookmarks(can do quick access)
Using AccessData Forensic Toolkit to
Analyze Data (continued)
Validating Forensic Data
 validation and verification

• Validation is the process of checking whether the

specification captures the customer's needs, while
verification is the process of checking that the
software meets the specification.
• Validation uses methods like black box (functional)
testing, gray box testing, and white box
(structural) testing etc. Verification is to check
whether the soft
Verification: Are we building the product right?
Validation: Are we building the right product?
 According to the Capability Maturity
Model(CMM)
Capability Maturity Model

• Software Validation: The process of evaluating

software during or at the end of the development
process to determine whether it satisfies specified
requirements.
• Software Verification: The process of evaluating
software to determine whether the products of a
given development phase satisfy the conditions
imposed at the start of that phase.
 Validating Forensic Data
• One of the most critical aspects of computer
forensics
• Ensuring the integrity of data you collect is
essential for presenting evidence in court.
• Most computer forensic tools provide automated
hashing of image files
• Computer forensics tools have some limitations in
performing hashing(process of converting a given
key into another value)
• Hashing is the process of converting a given key
into another value. A hash function is used to
generate the new value according to a
mathematical algorithm. The result of a hash
function is known as a hash value or simply, a
hash.
 Validating with Hexadecimal Editors

• Advanced hexadecimal editors offer many features

not available in computer forensics tools
– Such as hashing specific files or sectors
• Hex Workshop provides several hashing algorithms
– Such as MD5 and SHA-1
• Hex Workshop also generates the hash value of
selected data sets in a file or sector
Validating with Hexadecimal Editors
(continued)
Validating with Hexadecimal Editors
(continued)
Validating with Hexadecimal Editors
(continued)
 Validating with Hexadecimal Editors
(continued)

• Using hash values to discriminate data

– AccessData has a separate database, the Known
File Filter (KFF)
• Filters known program files from view, such as
MSWord.exe, and identifies known illegal files, such
as child pornography
– KFF compares known file hash values to files on
your evidence drive or image files Periodically
– AccessData updates these known file hash values
and posts an updated KFF
 Validating with Computer Forensics
Programs
• Commercial computer forensics programs have built-in
validation features
• ProDiscover’s .eve(EmbeddedVectorEditor) files
contain metadata that includes the hash value
– Validation is done automatically
• Raw format image files (.dd extension) don’t contain
metadata
– So you must validate raw format image files manually to
ensure the integrity of data
Note: .eve files are general application for drawing vector
diagrams
Addressing Data-hiding
Techniques
 Addressing Data-hiding Techniques

• File manipulation
– Filenames and extensions
– Hidden property
• Disk manipulation
– Hidden partitions
– Bad clusters
• Encryption
– Bit shifting
– Steganography
 Hiding Partitions

• We can create a partition and then hide it using a

disk editor.
• We can get access to hidden partitions using tools
such as:
– Gdisk(Ghost’s disk)
– PartitionMagic
– System Commander
– LILO(Linux Loader)
Hiding Partitions (continued)
Hiding Partitions (continued)
 Marking Bad Clusters

• Common with FAT systems

• Place sensitive information on free space
• Use a disk editor to mark space as a bad cluster
• To mark a good cluster as bad using Norton Disk
Edit
– Type B in the FAT entry corresponding to that cluster
 Bit-shifting

• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop
Bit-shifting (continued)
Bit-shifting (continued)
Bit-shifting (continued)
 Using Steganography to Hide Data

• Greek for “hidden writing”

• Steganography tools were created to protect
copyrighted material
– By inserting digital watermarks into a file
• Suspect can hide information on image or text
document files
– Most steganography programs can insert only small
amounts of data into a file
• Very hard to spot without prior knowledge
• Tools: S-Tools, DPEnvelope, jpgx, and tte
 Examining Encrypted Files
• Prevent unauthorized access
– Employ a password or passphrase
• Recovering data is difficult without password
– Key escrow
• Designed to recover encrypted data if users forget
their passphrases or if the user key is corrupted after
a system failure
– Cracking password
• Expert and powerful computers
– Persuade suspect to reveal password
 Recovering Passwords
• Techniques
– Dictionary attack(A dictionary attack is a method of breaking into a password-
protected computer or server by systematically entering every word in a dictionary
as a password.)
– Brute-force attack (cryptographic hack that relies on guessing possible combinations
of a targeted password until the correct password is discovered. )
– Password guessing based on suspect’s profile(Password guessing is an online
technique that involves attempting to authenticate a particular user to the system. )
• Tools
– AccessData PRTK
– Advanced Password Recovery Software Toolkit
– John the Ripper

Note: Password cracking refers to an offline technique in which the attacker has
gained access to the password hashes or database
 Recovering Passwords (continued)

• Using AccessData tools with passworded and

encrypted files
– AccessData offers a tool called Password Recovery
Toolkit (PRTK)
• Can create possible password lists from many
sources
– Can create your own custom dictionary based on
facts in the case
– Can create a suspect profile and use biographical
information to generate likely passwords
 Word List

• FTK finds all

stings in the
data and
makes a Word
List from them
Recovering Passwords (continued)
Recovering Passwords (continued)
 Recovering Passwords (continued)

• Using AccessData tools with passworded and

encrypted files (continued)
– FTK can identify known encrypted files and those
that seem to be encrypted
• And export them
– You can then import these files into PRTK and
attempt to crack them
Recovering Passwords (continued)
Performing Remote Acquisitions
 Performing Remote Acquisitions

• Remote acquisitions are handy when you need to

image the drive of a computer far away from your
location
– Or when you don’t want a suspect to be aware of an
ongoing investigation
 Remote Acquisitions with Runtime
Software

• Runtime Software offers the following shareware

programs for remote acquisitions:
– DiskExplorer for FAT
– DiskExplorer for NTFS
– HDHOST
• Preparing DiskExplorer and HDHOST for remote
acquisitions
– Requires the Runtime Software, a portable media
device (USB thumb drive or floppy disk), and two
networked computers
 Remote Acquisitions with Runtime
Software (continued)

• Making a remote connection with DiskExplorer

– Requires running HDHOST on a suspect’s computer
– To establish a connection with HDHOST, the
suspect’s computer must be:
• Connected to the network
• Powered on
• Logged on to any user account with permission to run
noninstalled applications
– HDHOST can’t be run surreptitiously
Remote Acquisitions with Runtime
Software (continued)
Remote Acquisitions with Runtime
Software (continued)
Remote Acquisitions with Runtime
Software (continued)
Remote Acquisitions with Runtime
Software (continued)
Remote Acquisitions with Runtime
Software (continued)
Remote Acquisitions with Runtime
Software (continued)
 Remote Acquisitions with Runtime
Software (continued)

• Making a remote acquisition with DiskExplorer

– After you have established a connection with
DiskExplorer from the acquisition workstation
• You can navigate through the suspect computer’s files
and folders or copy data
– The Runtime tools don’t generate a hash for
acquisitions
Remote Acquisitions with Runtime
Software (continued)