Guide To Computer Forensics And Investigations

Transcription

Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 9: Computer Forensics Analysis and Validation

Objectives
- Determine what data to analyze in a computer forensics investigation
- Explain tools used to validate data
- Explain common data-hiding techniques
- Describe methods of performing a remote acquisition

Determining What Data to Collect and Analyze
- Examining and analyzing digital evidence depends on:
  - Nature of the case
  - Amount of data to process
  - Search warrants and court orders
  - Company policies
- Scope creep
  - Investigation expands beyond the original description
- Right of full discovery of digital evidence

Approaching Computer Forensics Cases
- Some basic principles apply to almost all computer forensics cases
  - The approach you take depends largely on the specific type of case you're investigating
- Basic steps for all computer forensics investigations
  - For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses

Approaching Computer Forensics Cases (continued)
- Basic steps for all computer forensics investigations (continued)
  - Inventory the hardware on the suspect's computer and note the condition of the computer when seized
  - Remove the original drive from the computer
    - Check date and time values in the system's CMOS
  - Record how you acquired data from the suspect drive
  - Process the data methodically and logically

Approaching Computer Forensics Cases (continued)
- Basic steps for all computer forensics investigations (continued)
  - List all folders and files on the image or drive
  - If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition
  - For all password-protected files that might be related to the investigation, make your best effort to recover file contents

Approaching Computer Forensics Cases (continued)
- Basic steps for all computer forensics investigations (continued)
  - Identify the function of every executable (binary or .exe) file that doesn't match known hash values
  - Maintain control of all evidence and findings, and document everything as you progress through your examination

Refining and Modifying the Investigation Plan
- Considerations
  - Determine the scope of the investigation
  - Determine what the case requires
  - Whether you should collect all information
  - What to do in case of scope creep
- The key is to start with a plan but remain flexible in the face of new evidence

Using AccessData Forensic Toolkit to Analyze Data
- Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
- FTK can analyze data from several sources, including image files from other vendors
- FTK produces a case log file
- Searching for keywords
  - Indexed search
  - Live search
  - Supports options and advanced searching techniques, such as stemming

Using AccessData Forensic Toolkit to Analyze Data (continued)
- Analyzes compressed files
- You can generate reports
  - Using bookmarks

Validating Forensic Data
- One of the most critical aspects of computer forensics
- Ensuring the integrity of data you collect is essential for presenting evidence in court
- Most computer forensic tools provide automated hashing of image files
- Computer forensics tools have some limitations in performing hashing
  - Learning how to use advanced hexadecimal editors is necessary to ensure data integrity

Validating with Hexadecimal Editors
- Advanced hexadecimal editors offer many features not available in computer forensics tools
  - Such as hashing specific files or sectors
- Hex Workshop provides several hashing algorithms
  - Such as MD5 and SHA-1
  - See Figures 9-4 through 9-6
- Hex Workshop also generates the hash value of selected data sets in a file or sector
- Caveat: MD5 and SHA-1 both have published collision attacks. They still reliably detect accidental or casual alteration of an image, but where the tool allows it, record a SHA-256 value alongside them so the validation does not rest on a broken algorithm alone

Validating with Hexadecimal Editors (continued)
- Using hash values to discriminate data
  - AccessData has a separate database, the Known File Filter (KFF)
    - Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
  - KFF compares known file hash values to files on your evidence drive or image files
  - Periodically, AccessData updates these known file hash values and posts an updated KFF

Validating with Computer Forensics Programs
- Commercial computer forensics programs have built-in validation features
- ProDiscover's .eve files contain metadata that includes the hash value
  - Validation is done automatically
- Raw format image files (.dd extension) don't contain metadata, so no hash travels with the image
  - You must validate raw format image files manually: record the hash in your acquisition log at imaging time and recompute it before analysis and before presenting the evidence

Validating with Computer Forensics Programs (continued)
- In AccessData FTK Imager
  - When you select the Expert Witness (.e01) or the SMART (.s01) format, additional options for validating the acquisition are displayed
  - Validation report lists MD5 and SHA-1 hash values
- Figure 9-7 shows how ProDiscover's built-in validation feature works
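The manual validation the slides describe for raw (.dd) images, and the sector-level hashing a hex editor offers, as an added example; this is not code from the textbook or from ProDiscover, FTK Imager or Hex Workshop. It assumes 512-byte sectors and uses a small constructed image in place of real evidence; the acquisition log it mimics is just a Python dict.

```python
"""Manual validation of a raw (.dd) image: whole-image and per-sector hashing.

Added example (not the textbook's or any vendor's code). A raw image carries no
embedded hash, so the examiner records MD5/SHA-1 at acquisition time and later
recomputes them to show the copy is unchanged. Sector hashing (what a hex editor
does for a selection) localizes any change to a region of the image.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512          # assumption: classic 512-byte sectors
CHUNK = 1024 * 1024        # stream 1 MiB at a time so large images never sit in RAM


def hash_file(path, algorithms=("md5", "sha1")):
    """Run the whole image through each hash once; return {name: hexdigest}.
    Add "sha256" to the tuple to record a non-broken algorithm as well."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sectors(path, first_sector, count, algorithm="sha1"):
    """Hash a contiguous run of sectors so one region can be validated on its own."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        fh.seek(first_sector * SECTOR_SIZE)
        remaining = count * SECTOR_SIZE
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                break  # short read: the run extends past the end of the image
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def verify(path, recorded):
    """Recompute every algorithm in the acquisition log and compare.
    Returns (all_match, {algorithm: matched})."""
    current = hash_file(path, tuple(recorded))
    results = {name: current[name] == recorded[name] for name in recorded}
    return all(results.values()), results


def build_sample_image(sectors=64):
    """Constructed stand-in for a raw image: sector i is filled with byte i."""
    return b"".join(bytes([i % 256]) * SECTOR_SIZE for i in range(sectors))


def demo():
    """Acquire -> record hashes -> verify, then alter one byte and re-verify."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect.dd")
    with open(image, "wb") as fh:
        fh.write(build_sample_image())

    recorded = hash_file(image)                 # values the acquisition log would hold
    verified_before, _ = verify(image, recorded)
    region_before = hash_sectors(image, 10, 4)  # sectors 10..13
    untouched_before = hash_sectors(image, 0, 4)

    # Simulate a later change to the image: one byte inside sector 12.
    with open(image, "r+b") as fh:
        fh.seek(12 * SECTOR_SIZE + 7)
        fh.write(b"\xff")

    verified_after, per_algorithm = verify(image, recorded)
    return {
        "verified_before": verified_before,
        "verified_after": verified_after,
        "per_algorithm": per_algorithm,
        "region_changed": hash_sectors(image, 10, 4) != region_before,
        "untouched_same": hash_sectors(image, 0, 4) == untouched_before,
        "hash_lengths": (len(recorded["md5"]), len(recorded["sha1"])),
    }


if __name__ == "__main__":
    print(demo())
```

Whole-image hashes tell you only that something changed; the per-sector hashes show where, which is the feature the slides credit to the hex editor rather than to the forensics suite.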

Addressing Data-hiding Techniques
- File manipulation
  - Filenames and extensions
  - Hidden property
- Disk manipulation
  - Hidden partitions
  - Bad clusters
- Encryption
  - Bit shifting
  - Steganography

Hiding Partitions
- Delete references to a partition using a disk editor
  - Re-create links for accessing it
- Use disk-partitioning utilities
  - GDisk
  - PartitionMagic
  - System Commander
  - LILO
- Account for all disk space when analyzing a disk
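"Account for all disk space" is a checkable property: parse the partition table and list every sector no partition claims. The following is an added example, not the textbook's code or any disk editor's; it handles the classic MBR layout only (no GPT, no extended partitions) and works on a constructed MBR, not real evidence. A partition whose table entry has been zeroed with a disk editor vanishes from the table but shows up here as an unexplained gap.

```python
"""Find disk space that belongs to no MBR partition (candidate hidden partition).

Added example, not from the textbook. Classic MBR only: four 16-byte entries at
offset 446 and the 0x55AA signature at offset 510. The MBR used is constructed.
"""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446
ENTRY_LEN = 16
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0):
    """Return the non-empty primary partition entries as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector0, off)
        if ptype == 0 or sectors == 0:
            continue                      # empty (or deliberately zeroed) entry
        parts.append({"index": i, "type": ptype, "start": lba_start,
                      "end": lba_start + sectors - 1, "bootable": bool(status & 0x80)})
    return parts


def unallocated_ranges(parts, disk_sectors):
    """Gaps between partitions plus any tail space after the last one.
    LBA 0 holds the MBR itself, so the scan starts at LBA 1."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_mbr(entries):
    """Constructed MBR; entries are (type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * ENTRY_LEN,
                         0x80 if i == 0 else 0x00, ptype, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def demo():
    disk_sectors = 20480      # constructed 10 MiB disk
    # Partition 1 (FAT16, type 0x06) covers LBA 63..8062; partition 2 (NTFS, 0x07)
    # starts at 12000. Sectors 8063..11999 belong to nobody and must be explained.
    mbr = build_sample_mbr([(0x06, 63, 8000), (0x07, 12000, 6000)])
    parts = parse_mbr(mbr)
    gaps = unallocated_ranges(parts, disk_sectors)
    return {"partitions": parts, "gaps": gaps,
            "unaccounted_sectors": sum(end - start + 1 for start, end in gaps)}


if __name__ == "__main__":
    print(demo())
```

The small gap before the first partition (LBA 1 to 62) is normal alignment slack on older disks; a multi-thousand-sector hole between partitions, or a large unused tail, is what deserves a sector-by-sector look.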

Marking Bad Clusters
- Common with FAT systems
- Place sensitive information on free space
- Use a disk editor to mark space as a bad cluster
- To mark a good cluster as bad using Norton DiskEdit
  - Type B in the FAT entry corresponding to that cluster
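The examiner's counterpart to this technique is to enumerate every cluster the FAT marks bad and read what those clusters contain. Below is an added example, not code from the textbook or Norton DiskEdit; it uses FAT16 (bad-cluster marker 0xFFF7) and a constructed FAT and data region held in memory, where real work would read both from the image at the offsets given by the boot sector.

```python
"""List FAT16 clusters marked bad (0xFFF7) and pull their contents for review.

Added example, not from the textbook. A cluster marked bad by hand is still
perfectly readable, so printable or structured content in a 'bad' cluster is a
strong hint that the mark is hiding data rather than reporting a media fault.
"""
BAD16 = 0xFFF7            # FAT16 bad-cluster marker (FAT12: 0xFF7, FAT32: 0x0FFFFFF7)


def bad_clusters_fat16(fat):
    """Cluster numbers whose FAT16 entry is the bad marker. Entries 0 and 1 are
    reserved, so the first data cluster is 2."""
    out = []
    for n in range(2, len(fat) // 2):
        entry = fat[2 * n] | (fat[2 * n + 1] << 8)     # little-endian 16-bit entry
        if entry == BAD16:
            out.append(n)
    return out


def cluster_bytes(data_region, cluster, cluster_size):
    """Cluster 2 is the first cluster of the data region."""
    off = (cluster - 2) * cluster_size
    return data_region[off:off + cluster_size]


def looks_like_text(chunk, threshold=0.9):
    if not chunk:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in chunk)
    return printable / len(chunk) >= threshold


def build_sample(cluster_size=512, clusters=16):
    """Constructed FAT16 table and data region (not real evidence)."""
    fat = bytearray(2 * clusters)
    data = bytearray(cluster_size * (clusters - 2))
    fat[4:6] = (0xFFFF).to_bytes(2, "little")        # cluster 2: a normal one-cluster file
    data[0:5] = b"hello"
    for n in (7, 8):                                  # clusters 7 and 8 marked 'bad'
        fat[2 * n:2 * n + 2] = BAD16.to_bytes(2, "little")
    note = b"meet at the usual place, bring the ledger\n"   # hidden in cluster 7
    off = (7 - 2) * cluster_size
    data[off:off + len(note)] = note
    return bytes(fat), bytes(data), cluster_size


def demo():
    fat, data, cs = build_sample()
    bad = bad_clusters_fat16(fat)
    findings = []
    for n in bad:
        content = cluster_bytes(data, n, cs).rstrip(b"\x00")
        findings.append({"cluster": n, "nonzero_bytes": len(content),
                         "text": looks_like_text(content)})
    return {"bad_clusters": bad, "findings": findings}


if __name__ == "__main__":
    print(demo())
```

Cluster 8 is marked bad but holds only zeros; cluster 7 holds readable text. Genuinely bad sectors are rare on modern media that remap defects internally, so any non-empty bad cluster is worth bookmarking.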

Bit-shifting
- Old technique
- Shift bit patterns to alter byte values of data
- Make files look like binary executable code
- Tool
  - Hex Workshop
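The same operation Hex Workshop performs interactively, written out as code, as an added example that is not from the textbook or from Hex Workshop. It rotates each byte (so no bits are lost and the step is reversible), shows that readable text becomes binary-looking, and goes one step beyond the slide by brute-forcing the unknown shift amount on recovery. The sample text is constructed.

```python
"""Bit-shifting as data hiding, and its recovery by trying every rotation.

Added example, not from the textbook. A rotation by k bits is undone by a
rotation by 8-k, and there are only eight possibilities, so an examiner can
simply try them all and keep the one that yields readable output.
"""


def rotate_bytes(data, shift):
    """Rotate every byte left by `shift` bits (0..7)."""
    shift %= 8
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)


def unrotate_bytes(data, shift):
    return rotate_bytes(data, (8 - shift) % 8)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return ok / len(data)


def recover_shift(data):
    """Try all eight rotations; return (shift, recovered_bytes, printable_ratio)
    for the most readable candidate. Shift 0 is included so unshifted data
    scores as itself."""
    best = None
    for s in range(8):
        candidate = unrotate_bytes(data, s)
        ratio = printable_ratio(candidate)
        if best is None or ratio > best[2]:
            best = (s, candidate, ratio)
    return best


PLAIN = b"Transfer 40,000 to account 8812 on Friday.\n"   # constructed sample


def demo(shift=3):
    hidden = rotate_bytes(PLAIN, shift)           # what the suspect would store
    best_shift, recovered, ratio = recover_shift(hidden)
    return {"hidden_printable": printable_ratio(hidden),
            "best_shift": best_shift, "recovered": recovered, "ratio": ratio}


if __name__ == "__main__":
    print(demo())
```

Readability scoring works because ordinary text contains spaces (0x20), and a space stays printable under only one non-trivial rotation, while any letter rotated by that amount moves above 0x7F. For a shifted binary file rather than text, replace the scoring function with a check for a known header.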

Using Steganography to Hide Data
- Greek for "hidden writing"
- Steganography tools were created to protect copyrighted material
  - By inserting digital watermarks into a file
- Suspect can hide information on image or text document files
  - Most steganography programs can insert only small amounts of data into a file
- Very hard to spot without prior knowledge
- Tools: S-Tools, DPEnvelope, jpgx, and tte
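Why the payload is small and why it is hard to see both follow from how the simplest image method, least-significant-bit (LSB) embedding, works. The block below is an added example, not code from S-Tools or any tool the slide names; the "image" is a constructed buffer of grey-scale pixel values rather than a real picture, and the 4-byte length header is this example's own convention.

```python
"""LSB steganography on raw pixel bytes: embed, extract, and measure the change.

Added example, not from the textbook. Each cover byte donates its lowest bit, so
capacity is one eighth of the cover size (minus the header) and no pixel value
moves by more than 1, which is why the result is invisible without the original.
"""
import struct


def embed(cover, message):
    """Store a 4-byte big-endian length header followed by the message, one bit
    per cover byte, in the least significant bit."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bits, have %d bytes" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego):
    """Read the header, then exactly that many message bytes."""
    def read_bytes(start, count):
        vals = bytearray()
        for k in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[start + k * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def max_byte_change(cover, stego):
    return max(abs(a - b) for a, b in zip(cover, stego))


def capacity_bytes(cover):
    return len(cover) // 8 - 4


def demo():
    cover = bytes(range(256)) * 40            # constructed 10,240-byte "grey-scale image"
    message = b"The drop is at pier 9."       # constructed hidden note
    stego = embed(cover, message)
    return {"extracted": extract(stego),
            "max_change": max_byte_change(cover, stego),
            "bytes_changed": sum(a != b for a, b in zip(cover, stego)),
            "capacity": capacity_bytes(cover),
            "same_length": len(stego) == len(cover)}


if __name__ == "__main__":
    print(demo())
```

The file size does not change and no pixel moves by more than one grey level, so visual inspection and size comparison both fail; detection relies on statistics of the LSB plane or on having the original cover file to diff against, which is the "prior knowledge" the slide refers to.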

Examining Encrypted Files
- Prevent unauthorized access
  - Employ a password or passphrase
- Recovering data is difficult without password
  - Key escrow
    - Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
  - Cracking password
    - Expert and powerful computers
  - Persuade suspect to reveal password

Recovering Passwords
- Techniques
  - Dictionary attack
  - Brute-force attack
  - Password guessing based on suspect's profile
- Tools
  - AccessData PRTK
  - Advanced Password Recovery Software Toolkit
  - John the Ripper

Recovering Passwords (continued)
- Using AccessData tools with passworded and encrypted files
  - AccessData offers a tool called Password Recovery Toolkit (PRTK)
    - Can create possible password lists from many sources
  - Can create your own custom dictionary based on facts in the case
  - Can create a suspect profile and use biographical information to generate likely passwords
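The profile-to-dictionary step that PRTK automates, shown end to end as an added example: this is not PRTK or John the Ripper code, and the suspect profile, the salted SHA-256 password hash and the target password are all constructed for the demonstration (real targets are usually the file format's own key-derivation scheme, which is far slower per guess).

```python
"""Profile-driven dictionary attack: case facts -> wordlist -> mutations -> guesses.

Added example, not from the textbook or any AccessData tool. The profile and
the hash scheme are constructed; the ordering (single words, then word+suffix
and leet variants, then two-word combinations) puts the likeliest guesses first.
"""
import hashlib
import itertools

PROFILE = {   # constructed biographical facts from a fictional case file
    "first": "Marcus", "last": "Doyle", "spouse": "Elena",
    "pet": "Rex", "dob": "1984-07-19", "city": "Portland", "team": "Blazers",
}
SUFFIXES = ["", "!", "1", "123", "2020", "07", "19", "1984", "84"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def base_words(profile):
    """Seed words: each fact in several capitalizations, dates in common layouts."""
    words = set()
    for key, value in profile.items():
        if key == "dob":
            y, m, d = value.split("-")
            words.update({y, y[2:], m + d, d + m, m + d + y, d + m + y})
        else:
            words.update({value, value.lower(), value.upper(), value.capitalize()})
    return words


def candidates(profile):
    """Yield unique candidate passwords, likeliest first."""
    words = sorted(base_words(profile))
    seen = set()

    def emit(c):
        if c not in seen:
            seen.add(c)
            yield c

    for w in words:
        yield from emit(w)
    for w in words:
        for s in SUFFIXES[1:]:
            yield from emit(w + s)
        yield from emit(w.translate(LEET))
    for a, b in itertools.permutations(words, 2):
        for s in SUFFIXES:
            yield from emit(a + b + s)


def hash_password(password, salt):
    """Constructed verifier: salted SHA-256 hex digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash, salt, profile, limit=200000):
    """Return (password, attempts) on success or (None, attempts) if exhausted."""
    attempts = 0
    for attempts, cand in enumerate(candidates(profile), 1):
        if attempts > limit:
            break
        if hash_password(cand, salt) == target_hash:
            return cand, attempts
    return None, attempts


def demo():
    salt = b"case-4417"                                   # constructed
    target = hash_password("RexBlazers!", salt)           # the suspect's (constructed) password
    password, attempts = crack(target, salt, PROFILE)
    return {"password": password, "attempts": attempts}


if __name__ == "__main__":
    print(demo())
```

A pet's name joined to a sports team with a trailing "!" falls to a few thousand guesses here, where an exhaustive search over 11 printable characters would not finish. That gap is the whole argument for building the profile before starting the cracker.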

Recovering Passwords (continued)
- Using AccessData tools with passworded and encrypted files (continued)
  - FTK can identify known encrypted files and those that seem to be encrypted, and export them
  - You can then import these files into PRTK and attempt to crack them

Performing Remote Acquisitions
- Remote acquisitions are handy when you need to image the drive of a computer far away from your location
  - Or when you don't want a suspect to be aware of an ongoing investigation

Remote Acquisitions with Runtime Software
- Runtime Software offers the following shareware programs for remote acquisitions:
  - DiskExplorer for FAT
  - DiskExplorer for NTFS
  - HDHOST
- Preparing DiskExplorer and HDHOST for remote acquisitions
  - Requires the Runtime Software, a portable media device (USB thumb drive or floppy disk), and two networked computers

Remote Acquisitions with Runtime Software (continued)
- Making a remote connection with DiskExplorer
  - Requires running HDHOST on a suspect's computer
  - To establish a connection with HDHOST, the suspect's computer must be:
    - Connected to the network
    - Powered on
    - Logged on to any user account with permission to run noninstalled applications
  - HDHOST can't be run surreptitiously
  - See Figures 9-18 through 9-24

Remote Acquisitions with Runtime Software (continued)
- Making a remote acquisition with DiskExplorer
  - After you have established a connection with DiskExplorer from the acquisition workstation, you can navigate through the suspect computer's files and folders or copy data
  - The Runtime tools don't generate a hash for acquisitions
    - Treat the copied data like a raw image: hash it yourself as soon as the copy completes, record the values in your acquisition log, and re-verify before analysis

Summary
- Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data you have to process
- For most computer forensics investigations, you follow the same general procedures
- One of the most critical aspects of computer forensics is validating digital evidence

Summary (continued)
- Data hiding involves changing or manipulating a file to conceal information
- Remote acquisitions are useful for making an image of a drive when the computer is far away from your location or when you don't want a suspect to be aware of an ongoing investigation
