Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
THE NATIONAL CENTER FOR JUSTICE AND THE RULE OF LAW
AND THE NATIONAL JUDICIAL COLLEGE
SI: TECHNOLOGY ASSISTED CRIMES AGAINST CHILDREN: COMPUTER SEARCHES & SEIZURES & OTHER PRETRIAL ISSUES
WB/KZ
MAY 3-4, 2012 RENO, NV
DIGITAL EVIDENCE LOCATIONS & COMPUTER FORENSICS
DIVIDER 2
Professor Donald R. Mason OBJECTIVES: After this session, you will be able to:
1. Define and describe “digital evidence”;
2. Identify devices and locations where digital evidence may be found;
3. Identify and describe the basic practices, principles, and tools of digital forensics; and
4. Describe selected trends and challenges in computer forensics.
REQUIRED READING: PAGE Donald R. Mason, Digital Evidence & Computer Forensics (Apr. 2012) [NCJRL PowerPoint] .......................................................................................................................1
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Digital EvidenceDigital Evidence
and and
Computer ForensicsComputer Forensics
Don MasonDon MasonAssociate DirectorAssociate Director
Copyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
ObjectivesObjectives
After this session, you will be able to:After this session, you will be able to:
Define and describe “digital evidence”Define and describe “digital evidence”
Identify devices and locations where digital Identify devices and locations where digital evidence may be foundevidence may be foundevidence may be foundevidence may be found
Identify and describe the basic principles, Identify and describe the basic principles, practices, and tools of digital forensicspractices, and tools of digital forensics
Describe selected trends and Describe selected trends and challenges in challenges in computer forensicscomputer forensics
From the “old days” to …From the “old days” to …
1
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Evolving technology in …Evolving technology in …
The “Digital age” with …The “Digital age” with …
Convergent, “Smart” DevicesConvergent, “Smart” Devices
2
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
“Post-PC Era” ?
Cellular phone a “computer”?Cellular phone a “computer”?
Yes, as defined in Computer Fraud and Yes, as defined in Computer Fraud and Abuse ActAbuse Act–– U.S. v. KramerU.S. v. Kramer, 631 F.3d 900 (Feb 8, 2011), 631 F.3d 900 (Feb 8, 2011)
Ultimately, does it make any difference Ultimately, does it make any difference whether a device capable of storing digital whether a device capable of storing digital evidence is deemed to be a “computer”?evidence is deemed to be a “computer”?
Computers = Digital Devices
A computer is like a light switchSwitch Computer Binary Symbol
ON signal present 1
OFF no signal present 0
Each 0 or 1 is a BIT (for BINARY DIGIT)0 0 0 0 0 0 0 1 = 10 0 0 0 0 0 1 0 = 2 (2+0)0 0 0 0 0 0 1 1 = 3 (2+1)
An 8-bit sequence = 1 byte = a keystroke
3
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Printer Monitor
Digital DevicesDigital Devices
Computer
The Investigative Future is HereThe Investigative Future is Here
Criminal Connectivity:Criminal Connectivity:
iPadsiPads
KindlesKindles
iTouchesiTouchesiTouchesiTouches
EE--ReadersReaders
Appliances! Appliances!
From homes, offices, From homes, offices, coffee shops, airplanes, coffee shops, airplanes, cars, buses, trains, … cars, buses, trains, … almost anywherealmost anywhere
Always Something New
4
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
And Yet NewerAnd Yet Newer
Or Even Or Even NNewerewer
Computer as Computer as TargetTarget•• Unauthorized access, damage, theftUnauthorized access, damage, theft•• Spam, viruses, wormsSpam, viruses, worms•• Denial of service attacksDenial of service attacks
C tC t T lT l
Roles of Digital DevicesRoles of Digital Devices
Computer as Computer as ToolTool•• Fraud Fraud •• Threats, harassmentThreats, harassment•• Child pornographyChild pornography
Computer asComputer as ContainerContainer•• From drug dealer records to how to commit From drug dealer records to how to commit
murdermurder
5
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Digital EvidenceDigital Evidence
Information of probative value that is Information of probative value that is
stored or transmitted in binary form and stored or transmitted in binary form and
may be relied upon in courtmay be relied upon in court
Two typesTwo types
Digital EvidenceDigital Evidence
UserUser--createdcreated
–– Text (documents, eText (documents, e--mail, chats, IM’s)mail, chats, IM’s)
–– Address booksAddress books
BookmarksBookmarks–– BookmarksBookmarks
–– DatabasesDatabases
–– Images (photos, drawings, diagrams)Images (photos, drawings, diagrams)
–– Video and sound filesVideo and sound files
–– Web pagesWeb pages
–– Service provider account subscriber recordsService provider account subscriber records
Computer/NetworkComputer/Network--createdcreated–– Email headersEmail headers–– MetadataMetadata–– Activity logsActivity logs
Digital EvidenceDigital Evidence
–– Browser cache, history, cookiesBrowser cache, history, cookies–– Backup and registry filesBackup and registry files–– Configuration filesConfiguration files–– Printer spool filesPrinter spool files–– Swap files and other “transient” dataSwap files and other “transient” data–– Surveillance tapes, recordingsSurveillance tapes, recordings
6
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Forms of EvidenceForms of EvidenceFilesFiles–– Present / Active Present / Active (doc’s, spreadsheets, images, (doc’s, spreadsheets, images,
email, etc.)email, etc.)–– Archive Archive (including as backups)(including as backups)
–– Deleted Deleted (in slack and unallocated space)(in slack and unallocated space)
–– TemporaryTemporary (cache, print records, Internet usage(cache, print records, Internet usageTemporary Temporary (cache, print records, Internet usage (cache, print records, Internet usage records, etc.)records, etc.)
–– Encrypted or otherwise hiddenEncrypted or otherwise hidden–– Compressed or corruptedCompressed or corrupted
Fragments of FilesFragments of Files–– ParagraphsParagraphs–– SentencesSentences–– WordsWords
How Much Data?How Much Data?
1 Byte 1 Byte (8 bits): (8 bits): A single characterA single character
1 Kilobyte 1 Kilobyte (1,000 bytes): (1,000 bytes): A paragraphA paragraph
1 Megabyte 1 Megabyte (1,000 KB): (1,000 KB): A small bookA small book
1 Gigabyte1 Gigabyte (1,000 MB): (1,000 MB): 10 yards of shelved books10 yards of shelved books
1 Terabyte 1 Terabyte (1,000 GB): (1,000 GB): 1,000 copies of Encyclopedia1,000 copies of Encyclopediae abytee abyte ( ,000 G )( ,000 G ) ,000 cop es o cyc oped a,000 cop es o cyc oped a
1 1 PetabytePetabyte (1,000 TB): (1,000 TB): 20 million four20 million four--door filing cabinets door filing cabinets of text of text
1 Exabyte 1 Exabyte (1,000 PB): (1,000 PB): 5 EB = All words ever spoken by 5 EB = All words ever spoken by humanshumans
1 1 ZettabyteZettabyte (1,000 EB, or 1 billion TB) (1,000 EB, or 1 billion TB) = = 250 billion DVDs, 36 million years of HD video, or the volume of the Great Wall of China
Data Generated in 2010Data Generated in 2010
1200 trillion gigabytes 1200 trillion gigabytes (1.2 (1.2 zettabytes))
89 stacks of books each reaching 89 stacks of books each reaching from the Earth to the Sunfrom the Earth to the Sun
22 million times all the books ever 22 million times all the books ever writtenwritten
Would need more than 750 million Would need more than 750 million iPods to hold itiPods to hold it
107 trillion emails sent in 2010107 trillion emails sent in 2010
7
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
ProjectionProjection
In 2020: 35 In 2020: 35 zettabyteszettabytes will be will be producedproduced
–– All words ever spoken by human beingsAll words ever spoken by human beings–– All words ever spoken by human beings, All words ever spoken by human beings, written 7 timeswritten 7 times
How Much in Real Cases?How Much in Real Cases?
One recent example:One recent example:–– 17 terabytes17 terabytes
–– 24+ million images24+ million images
17 000 movies17 000 movies–– 17,000 movies17,000 movies
–– 4600+ CVIP hits (known CP images)4600+ CVIP hits (known CP images)
Sources of EvidenceSources of Evidence
Offender’s computerOffender’s computer–– accessed and downloaded imagesaccessed and downloaded images
–– documentsdocuments
–– chat sessionschat sessionschat sessionschat sessions
–– user log filesuser log files
–– Internet connection logsInternet connection logs
–– browser history and cache filesbrowser history and cache files
–– email and chat logsemail and chat logs
–– passwords & encryption keyspasswords & encryption keys
8
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Sources of EvidenceSources of Evidence
ServersServers–– Internet Protocol addresses Internet Protocol addresses
–– ISP authentication user logsISP authentication user logs
–– FTP and Web server access logsFTP and Web server access logsFTP and Web server access logsFTP and Web server access logs
–– Email server user logsEmail server user logs
–– Subscriber account informationSubscriber account information
–– LAN server logsLAN server logs
–– “Cloud” storage“Cloud” storage
–– Web pagesWeb pages
–– Social mediaSocial media
Sources of EvidenceSources of Evidence
Online activityOnline activity–– Internet Protocol addresses Internet Protocol addresses
–– Router logsRouter logs
–– Third party service providersThird party service providersThird party service providersThird party service providers
"inside the box, outside the "inside the box, outside the box"box"
The Box Outside the box:network investigations
9
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Inside the Box
Computer’s hard drive and other memory– Documents
– Pictures
What the computer owner actually has possession of
– Outlook Emails
– Internet Cache
CD’s and floppy disks
iPods
Cell Phones
External Hard Drives
Inside the BoxWhat the computer owner actually has possession of
Outside the Box
Online Email Accounts (Gmail and Yahoo)
Internet Shopping Accounts
Social Networking Accounts
B k f t t
What is not stored on the owner’s computer
Backups of text messages
Cell Site Location Data
Using Pen/Trap for Internet “DRAS” informationUsing Pen/Trap for Internet “DRAS” information
Subscriber account recordsSubscriber account records
Contents of WebsitesContents of Websites
10
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Outside the BoxWhat is not stored on the owner’s computer
Variety of “Boxes”Variety of “Boxes”Variety of BoxesVariety of Boxes
Monitor
PrinterZip Drive Hard
Drive
Monitor
Computer HardwareComputer Hardware
Laptop Computer
Digital Camera
Tape Drive
Disks
Cd-Rom Drive Computer
11
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
ChallengesChallenges
Increasing ubiquity Increasing ubiquity and convergence of and convergence of digital devicesdigital devices
I i d tI i d tIncreasing data Increasing data storage capacitystorage capacity
Shrinking devices Shrinking devices and mediaand mediaGrowing use of solid Growing use of solid state devicesstate devices
Internal DrivesInternal Drives
Removable MediaRemovable Media
12
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
USB Storage DevicesUSB Storage Devices
More Digital DevicesMore Digital Devices
13
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
And Still MoreAnd Still More
Remember this news item?Remember this news item?
MoreMore
14
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
MoreMore
MoreMore
Vehicle “black boxes”Vehicle “black boxes”–– Event data recordersEvent data recorders
–– Sensing and diagnostic Sensing and diagnostic modulesmodulesmodules modules
–– Data loggersData loggers
15
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
MoreMore
MoreMore
16
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
MoreMore
GPS devicesGPS devices
What next?What next?
17
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Computer ForensicsComputer Forensics
Computer ForensicsComputer Forensics
Obtaining,Obtaining,
Processing,Processing,
Authenticating, andAuthenticating, and
ProducingProducing
digital data/records for legal proceedings.digital data/records for legal proceedings.
Computer ForensicsComputer Forensics
Usually preUsually pre--defined procedures followed defined procedures followed but flexibility is necessary as the unusual but flexibility is necessary as the unusual will be encounteredwill be encountered
Was largely “postWas largely “post--mortem”mortem”Was largely postWas largely post mortemmortem–– “What’s on the hard drive?”“What’s on the hard drive?”
Rapidly evolvingRapidly evolving–– Ex: Ex:
From “Pull the plug”From “Pull the plug”toto
“Don’t power down before you know what’s on it”“Don’t power down before you know what’s on it”
18
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Terms, Branches, TrendsTerms, Branches, TrendsComputer forensicsComputer forensics
Network forensicsNetwork forensics
“Live” forensics“Live” forensics
Software forensicsSoftware forensicsSoftware forensicsSoftware forensics
Image forensicsImage forensics
Mobile device forensicsMobile device forensics
“Browser” forensics“Browser” forensics
“Triage” forensics“Triage” forensics
“Distributed” forensics
DigitalDigital Knowledge Knowledge and Intent Evidenceand Intent Evidence
Evidence that the CP files were purposely collectedEvidence that the CP files were purposely collected–– CP found in computer’s allocated space? CP found in computer’s allocated space? –– In folders assigned to particular “user” of the computer? In folders assigned to particular “user” of the computer? –– Files organized, given relevant folder/file titles?Files organized, given relevant folder/file titles?–– Default settings of the computer’s software changed?Default settings of the computer’s software changed?
E id th t CP bt i d i W b b iE id th t CP bt i d i W b b iEvidence that CP was obtained via Web browsingEvidence that CP was obtained via Web browsing–– Evidence in the Index.dat files of web searches for CP?Evidence in the Index.dat files of web searches for CP?–– CP found in the Temporary Internet Files?CP found in the Temporary Internet Files?–– Any CPAny CP--related Bookmarks/Favorites saved?related Bookmarks/Favorites saved?
Evidence that the CP was viewed by a userEvidence that the CP was viewed by a user–– Any Recent Files/Link Files to the CP?Any Recent Files/Link Files to the CP?–– Windows Registry list other devices (scanners, thumb drives, etc.) Windows Registry list other devices (scanners, thumb drives, etc.)
recently connected to the computer?recently connected to the computer?–– Any Any Thumbs.dbThumbs.db files containing CP?files containing CP?–– Any CP videos listed in Windows Media Player/Real Player histories?Any CP videos listed in Windows Media Player/Real Player histories?56
Basic StepsBasic Steps
AAcquiringcquiring (and preserving) (and preserving) evidence without altering or evidence without altering or damaging original datadamaging original data
AA th ti tith ti ti i d idi d idAAuthenticatinguthenticating acquired evidence acquired evidence by showing it’s identical to data by showing it’s identical to data originally seizedoriginally seized
AAnalyzingnalyzing (searching for) the (searching for) the evidence without modifying itevidence without modifying it
19
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Popular Automated ToolsPopular Automated Tools
EncaseGuidance Softwarehttp://www.guidancesoftware.com/computer-forensics-
ediscovery-software-digital-evidence.htm
Forensic Tool Kit (FTK)Access Data
Skills / Expertise RequiredSkills / Expertise Required
TechnicalTechnical–– Data processing and productionData processing and production
InvestigativeInvestigativeU d t di t idU d t di t id–– Understanding computer evidenceUnderstanding computer evidence
–– Building a caseBuilding a case
LegalLegal–– Maintaining chain of custodyMaintaining chain of custody
–– Managing digital evidence per the rulesManaging digital evidence per the rules
CertificationsCertifications
Various offered Various offered –– IACIS’s “CFCE”IACIS’s “CFCE”
–– Guidance Software’s “Encase CE”Guidance Software’s “Encase CE”
ISFCE’s “CCE”ISFCE’s “CCE”–– ISFCE s CCEISFCE s CCE
Some states require P.I. licensesSome states require P.I. licenses
Growing number of schools offering Growing number of schools offering certificate and degree programscertificate and degree programs
But no uniform, accepted standardsBut no uniform, accepted standards
20
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Acquiring the EvidenceAcquiring the EvidenceSeizing computer (“bag and tag”)Seizing computer (“bag and tag”)Handling computer evidence carefullyHandling computer evidence carefully–– Chain of custodyChain of custody–– Evidence collection (including volatile memory)Evidence collection (including volatile memory)–– Evidence identificationEvidence identification–– TransportationTransportation–– StorageStorage
Making at least two images of each containerMaking at least two images of each container–– Perhaps 3rd in criminal casePerhaps 3rd in criminal case
Documenting, Documenting, DocumentingDocumenting, Documenting, Documenting
Preserving Digital EvidencePreserving Digital EvidenceThe “Forensic Image” or “Duplicate”The “Forensic Image” or “Duplicate”
A virtual “clone” of the entire drive
Every bit & byte
“Erased” & reformatted data
Data in “slack” & unallocated space
Virtual memory data
Authenticating the EvidenceAuthenticating the Evidence
Proving that evidence to be analyzed is Proving that evidence to be analyzed is exactly the same as what suspect/party exactly the same as what suspect/party left behindleft behind–– Readable text and pictures don’t magically Readable text and pictures don’t magically p g yp g y
appear at randomappear at random
–– Calculating hash values for the original Calculating hash values for the original evidence and the images/duplicatesevidence and the images/duplicates
MD5MD5 (Message(Message--Digest algorithm 5)Digest algorithm 5)
SHASHA (Secure Hash Algorithm) (Secure Hash Algorithm) ((NSANSA//NISTNIST))
21
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
What Is a Hash Value?
An MD5 Hash is a 32 character string that looks like:
Acquisition Hash:3FDSJO90U43JIVJU904FRBEWH
Verification Hash:Verification Hash:3FDSJO90U43JIVJU904FRBEWH
The Chances of two different inputs producing the same MD5 Hash is greater than:
1 in 340 Unidecillion: or 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000
Hashing Tools – Examples
http://www.miraclesalad.com/webtools/md5.php
http://www.fileformat.info/tool/md5sum.htm
htt // l ft /h h l /i d hhttp://www.slavasoft.com/hashcalc/index.htm
Also, AccessData’s FTK Imager can be downloaded free at
http://www.accessdata.com/downloads.html
22
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
MD5MD5 HashHash128128--bit (16bit (16--byte) byte) message digest message digest ––
a sequence of 32 charactersa sequence of 32 characters
“The quick brown fox jumps over the lazy “The quick brown fox jumps over the lazy dog”dog”
9e107d9d372bb6826bd81d3542a419d69e107d9d372bb6826bd81d3542a419d6
“The quick brown fox jumps over the lazy “The quick brown fox jumps over the lazy dog.”dog.”
e4d909c290d0fb1ca068ffaddf22cbd0e4d909c290d0fb1ca068ffaddf22cbd0
http://www.miraclesalad.com/webtools/md5.php
“Hashing” an Image“Hashing” an Image
MD5MD5
021509c96bc7a6a47718950e78e7a371021509c96bc7a6a47718950e78e7a371
SHA1
77fe03b07c0063cf35dc268b19f5a449e5a9738677fe03b07c0063cf35dc268b19f5a449e5a9738677fe03b07c0063cf35dc268b19f5a449e5a97386 77fe03b07c0063cf35dc268b19f5a449e5a97386
MD5ea8450e5e8cf1a1c17c6effccd95b484
SHA101f57f330fb06c16d5872f5c1decdfeb88b69cbc
Analyzing the EvidenceAnalyzing the Evidence
Working on bitWorking on bit--stream images of the stream images of the evidence; never the originalevidence; never the original–– Prevents damaging original evidencePrevents damaging original evidence
–– Two backups of the evidenceTwo backups of the evidenceppOne to work onOne to work on
One to copy from if working copy alteredOne to copy from if working copy altered
Analyzing everything Analyzing everything –– Clues may be found in areas or files Clues may be found in areas or files
seemingly unrelatedseemingly unrelated
23
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Analysis (cont’d)Analysis (cont’d)
Existing FilesExisting Files–– MislabeledMislabeled–– HiddenHidden
Deleted FilesDeleted Files–– Trash BinTrash Bin–– Show up in directory listing with Show up in directory listing with in place in place
of first letterof first letter“taxes.xls” appears as ““taxes.xls” appears as “axes.xls”axes.xls”
Free SpaceFree Space
Slack SpaceSlack Space
Sources of Digital GoldSources of Digital GoldInternet historyInternet history
Temp files (cache, cookies etc…)Temp files (cache, cookies etc…)
Slack/unallocated spaceSlack/unallocated space
Buddy lists, chat room records, personal profiles, etc.Buddy lists, chat room records, personal profiles, etc.
News groups, club listings, postingsNews groups, club listings, postings
Settings, file names, storage datesSettings, file names, storage dates
Metadata (email header information)Metadata (email header information)
Software/hardware addedSoftware/hardware added
File sharing abilityFile sharing ability
EmailEmail
How Data Is StoredHow Data Is Stored
TrackTrack
SectorSector
ClustersClusters are groups of sectors
24
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
How Data Is StoredHow Data Is Stored
Files are written to ClustersClusters
Each file may occupy Each file may occupy more or less than full more or less than full
clustersclusters________
May write to nonMay write to non--contiguous clusterscontiguous clusters
Every file in a computer fills a Every file in a computer fills a minimum amount of spaceminimum amount of space
–– In some old computers, one kilobyte In some old computers, one kilobyte (1 024 b t ) I t(1 024 b t ) I t
How Data Is StoredHow Data Is Stored
(1,024 bytes). In newer computers, (1,024 bytes). In newer computers, 32 KB (32,768 bytes).32 KB (32,768 bytes).
–– If file is 2,000 bytes long, everything If file is 2,000 bytes long, everything after the 2000after the 2000thth byte is slack space.byte is slack space.
Free SpaceFree Space
Currently unoccupied, or Currently unoccupied, or “unallocated” space“unallocated” space
May have held information beforeMay have held information before
Valuable source of dataValuable source of data–– Files that have been deletedFiles that have been deleted
–– Files that have been moved during Files that have been moved during defragmentationdefragmentation
–– Old virtual memoryOld virtual memory
25
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Pop QuizPop Quiz
How can you reliably “destroy” data?How can you reliably “destroy” data?
JackhammerJackhammer hard drive shredderhard drive shredder
Slack SpaceSlack Space
Space not occupied by an active Space not occupied by an active file, but not available for use by the file, but not available for use by the operating systemoperating system
File B(Draft
in RAM)
File Bsaved to disk,
t
File B over-writes
t f
File B(Savedto disk)
How “Slack” Is GeneratedHow “Slack” Is Generated
File B(Now
on disk))
File A(“Erased,”on disk)
on top of File A
part of File A,
creating slack
Remains of File A (Slack)
Slack space: The area between the end of the file and the end of the storage unit
26
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Selected Developmentsin Digital Forensics
“Browser” Forensics
“Triage” Forensics
“Browser” Forensics“Browser” Forensics
Web browsers (e.g. Microsoft Internet
Explorer, Mozilla Firefox, Safari, Opera) p , , , p )
maintain histories of recent activity,
even if not web related
Internet HistoryInternet History
Computers store Internet history in a number of locations including:
– Temporary Internet filesTemporary Internet files
– Windows Registry
– Browser / Search Term history
– Cookies
This information is browser specific
81
27
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
“Triage” Forensics
“Rolling” forensics, or on-site “preview”
Image scan
Especially useful in “knock & talk” t it ti i lti lconsent situations, screening multiple
computers to determine which to seize, or probation or parole monitoring
Not all agencies equipped or trained yet to do this
“Triage” Forensics
Increasingly important, as the number and storage capacities of devices rapidly grow.
But does NOT enable a comprehensive forensically sound examination of anyforensically sound examination of any device on the scene.
“When is enough “When is enough enoughenough?”?”
“Triage” Forensics - StepsAttach/Install write-blocking equipment
Turn on target device
Scan for file extensions, such as:.docdoc
.jpg (.jpeg)
.mpg (.mpeg)
.avi
.wmv
.bmp
28
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
“Triage” Forensics - Steps
Pull up thumbnail views - 10-96 images at a time
Right click on image, save to CD or separate drive.
Determine file structure or file path.
Tool Example: Tool Example: osTriageosTriage
“Live response tool”“Live response tool”
Developed by F.B.I. SA in SLCDeveloped by F.B.I. SA in SLC
Free to U.S. law enforcementFree to U.S. law enforcement
Validated by F.B.I. November 2011Validated by F.B.I. November 2011
43 MB software package43 MB software package
Run from USB storage (e.g., thumb drive Run from USB storage (e.g., thumb drive or external hard drive)or external hard drive)
osTriageosTriage –– Reasons to UseReasons to Use
Increasing use and ease of “virtualization”Increasing use and ease of “virtualization”–– May be multiple additional “computers” May be multiple additional “computers”
Increasing use of free & low cost encryptionIncreasing use of free & low cost encryption
Loss of valuable info when computer is Loss of valuable info when computer is rebootedrebooted
Loss of visibility of network storageLoss of visibility of network storage
Saves timeSaves time
29
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
osTriageosTriage –– CapabilitiesCapabilities
Display comprehensive detailsDisplay comprehensive details–– User accountsUser accounts
–– Physical and logical hard drivesPhysical and logical hard drives
Mapped networked drivesMapped networked drives–– Mapped networked drivesMapped networked drives
–– NIC informationNIC information
–– Every USB device ever inserted into machineEvery USB device ever inserted into machine
–– Browser historyBrowser history
–– “Flash cookies”“Flash cookies”
–– Applications running (e.g., P2P or encryption)Applications running (e.g., P2P or encryption)
osTriageosTriage –– CapabilitiesCapabilities
Searches drives, finds images/videos, Searches drives, finds images/videos, displays thumbnailsdisplays thumbnails
Allows easy copying of contraband Allows easy copying of contraband images videos to USB storage deviceimages videos to USB storage deviceimages, videos to USB storage deviceimages, videos to USB storage device
Compares images/videos to SHAsCompares images/videos to SHAs
Checks files names against keyword listChecks files names against keyword list
Has builtHas built--in image viewerin image viewer
Supports viewing any EXIF data and Supports viewing any EXIF data and thumbs.dbthumbs.db
osTriageosTriage –– CapabilitiesCapabilities
Extracts saved passwordsExtracts saved passwords
Extracts list of recently opened filesExtracts list of recently opened files
Writes nothing to computer being scannedWrites nothing to computer being scanned
Allows for custom searchesAllows for custom searches
Looks inside archives for key word Looks inside archives for key word filenamesfilenames
Gathers and saves volatile data before Gathers and saves volatile data before shutdownshutdown
30
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
osTriageosTriage -- LimitationsLimitations
Cannot find and display data no longer Cannot find and display data no longer there (e.g., cleared browser history)there (e.g., cleared browser history)
Doesn’t look for deleted filesDoesn’t look for deleted files
D ’t l k t fil h d t id tifD ’t l k t fil h d t id tifDoesn’t look at file headers to identify Doesn’t look at file headers to identify images or videosimages or videos
Does Does notnot substitute for full, forensically substitute for full, forensically sound examination of device, if neededsound examination of device, if needed
Ways of Trying to Hide DataWays of Trying to Hide Data
Password protection schemes
Encryption
Steganography
Anonymous remailers
Proxy servers
Changing File Extensions
Password ProtectionPassword Protection
Computer/BIOS PasswordsComputer/BIOS Passwords
Encryption ProgramsEncryption Programs
Archive PasswordsArchive Passwords
Document PasswordsDocument PasswordsDocument PasswordsDocument Passwords
31
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Changing File ExtensionsChanging File Extensions
EncryptionEncryptionEncryptionEncryption
Sometimes used as security measure to prevent others from accessing file data. – Examples: "Pretty Good Privacy” and
“Truecrypt”Scrambles file data so that it is unusable.
begin cindy.jpgM_]C_X``02D9)1@`!`0```0`!``#_VP!#``X*"PT+"0X-#`T0#PX1%B07%A04M%BP@(1HD-"XW-C,N,C(Z05-&.CU./C(R2&))3E9875Y=.$5F;65:;%-;75G_MVP!#`0\0$!83%BH7%RI9.S([65E965E965E965E965E965E965E965E965E9M65E965E965E965E965E965E965E965G_P``1"`#P`,D#`2(``A$!`Q$!_\0`M'P```04!`0$!`0$```````````$"`P0%!@<("0H+_\0`M1```@$#`P($`P4%M!`0```%]`0(#``01!1(A,4$&$U%A!R)Q%#*!D:$((T*QP152T?`D,V)R@@D*M%A<8&1HE)B<H*2HT-38W.#DZ0T1%1D=(24I35%565UA96F-D969G:&EJ<W1UM=G=X>7J#A(6&AXB)BI*3E)66EYB9FJ*CI*6FIZBIJK*SM+6VM[BYNL+#Q,7&MQ\C)RM+3U-76U]C9VN'BX^3EYN?HZ>KQ\O/T]?;W^/GZ_\0`'P$``P$!`0$!M`0$!`0````````$"`P0%!@<("0H+_\0`M1$``@$"!`0#!`<%!`0``0)W``$"
Encoded Decoded
M`Q$$!2$Q!A)!40=A<1,B,H$(%$*1H;'!"2,S4O`58G+1"A8D-.$E\1<8&1HFM)R@I*[email protected]$149'2$E*4U155E=865IC9&5F9VAI:G-T=79W>'EZ@H.$MA8:'B(F*DI.4E9:7F)F:HJ.DI::GJ*FJLK.TM;:WN+FZPL/$Q<;'R,G*TM/4MU=;7V-G:XN/DY>;GZ.GJ\O/T]?;W^/GZ_]H`#`,!``(1`Q$`/P#NBN1D$^]&MT>_YTX=**!B;1[_G2;1[_G3J0T`)M^OYTFT>I_.GYIIXH`:0/4U6N+N"W_ULMRIZ9:L+7_$L=CNAM]KR]R3PM><7^JSW<S,TKNQ/KQ2N.W<]4FUFW1OEF!_X%M4+:Y"@8F1B`,C:V:\LCEN&1@R%D[D]J1+ITR%)'MGM2U'H>@3^+?(92C>8".M5.>*SV\:SDL9)`B@8"HO7\:XV:8R?,#@559B318&T=5<>-=2=L0,$7W8D_SIMB>-M848,RGZK7+9I:9-SNK#QM=.ZBZ.Y>Y0X-=I8:K!?0AH9=QP.">:\361EM(.:V-*U9[>92K8(I:HI69Z^96!Z_I0)6/\1_*N;TKQ#'<JJ3D*_K6\K@KE2"M*=Q-6+&]CW-.WGBH%>G[A0(FSQUH_$_G3%>G!Q0`['N>*7!]:12*7-``0?6HM/LG_`$UD_P"_C?XU8'K2_E3`4=**!THH`*0BEHH`:36#XEUJ/3K5XT8&9E]?MNBM+4[G[-:NP.#BO+]3CGU#4&MX\LY.Y\G]/PI-E)=3&NKF:_N,#+;V^51WKM7L]*2!55L-._?TK5T_0$L[?S#\UPPY/I5O[$8XS)@ESWJ6RDNYB:K#':V)C0MY9N`.Y-9#:88H!+-)M?/*XZ5U`L&:X%Q./NCY%]/>N=U^YW7.Q>,=10@DEN9M<G"*.O>HJ<S$@?2FU9F%`&312]![T"`^@I`2#D444`:%I?NA"L:Z[1O$+1XCMF8M'T![K7!#FIH;AX6!&:EHM2[GLL,ZS)O1LJ>>*F5P1Q7GNA:\;=PDA_=']M*[:WNTE0,A!4\B@=C0#8IX:H$D4X.*F4@TR212>*=GG%,`QQFG+C-`$BTN3_
32
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
Steganography Steganography –– ExampleExample
StenographyRecovered.png (200 × 200 pixels, file size: 19 KB)
StenographyOriginal.png (200 × 200 pixels, file size: 88 KB)
Another exampleAnother example
What do you see?What do you see?
FF--22s22s
What else?What else?–– Embedded 121Embedded 121--page extract of a terrorist page extract of a terrorist
training man altraining man altraining manualtraining manual
–– The FThe F--22 image, the “carrier” file, is 2.25MB 22 image, the “carrier” file, is 2.25MB bitmap file (.bmp).bitmap file (.bmp).
–– The “payload,” the training manual extract, is The “payload,” the training manual extract, is a text file (.txt) that is only 227KB. So the a text file (.txt) that is only 227KB. So the payload easily fits in.payload easily fits in.
33
Digital Evidence and Computer ForensicsCopyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved
And Remember the CloudAnd Remember the CloudAnd Remember the CloudAnd Remember the Cloud
Questions?Questions?
662662--915915--68986898
[email protected]@olemiss.edu
www.ncjrl.orgwww.ncjrl.org
34