
THE NATIONAL CENTER FOR JUSTICE AND THE RULE OF LAW

AND THE NATIONAL JUDICIAL COLLEGE

SI: TECHNOLOGY ASSISTED CRIMES AGAINST CHILDREN: COMPUTER SEARCHES & SEIZURES & OTHER PRETRIAL ISSUES

WB/KZ

MAY 3-4, 2012 RENO, NV

DIGITAL EVIDENCE LOCATIONS & COMPUTER FORENSICS

DIVIDER 2

Professor Donald R. Mason OBJECTIVES: After this session, you will be able to:

1. Define and describe “digital evidence”;

2. Identify devices and locations where digital evidence may be found;

3. Identify and describe the basic practices, principles, and tools of digital forensics; and

4. Describe selected trends and challenges in computer forensics.

REQUIRED READING: Donald R. Mason, Digital Evidence & Computer Forensics (Apr. 2012) [NCJRL PowerPoint] – page 1

Digital Evidence and Computer Forensics
Copyright © 2012 National Center for Justice and the Rule of Law – All Rights Reserved

Digital Evidence and Computer Forensics
Don Mason, Associate Director

Objectives
After this session, you will be able to:
– Define and describe "digital evidence"
– Identify devices and locations where digital evidence may be found
– Identify and describe the basic principles, practices, and tools of digital forensics
– Describe selected trends and challenges in computer forensics

From the "old days" to …

Evolving technology in …
The "Digital age" with …
Convergent, "Smart" Devices

"Post-PC Era"?

Cellular phone a "computer"?
Yes, as defined in the Computer Fraud and Abuse Act – U.S. v. Kramer, 631 F.3d 900 (8th Cir. Feb. 8, 2011)
Ultimately, does it make any difference whether a device capable of storing digital evidence is deemed to be a "computer"?

Computers = Digital Devices
A computer is like a light switch:
  Switch | Computer          | Binary Symbol
  ON     | signal present    | 1
  OFF    | no signal present | 0
Each 0 or 1 is a BIT (for BINARY DIGIT):
  0 0 0 0 0 0 0 1 = 1
  0 0 0 0 0 0 1 0 = 2 (2+0)
  0 0 0 0 0 0 1 1 = 3 (2+1)
An 8-bit sequence = 1 byte = one character of text (a single keystroke, in ASCII)

Digital Devices (figure: computer, monitor, printer)

The Investigative Future is Here
Criminal Connectivity:
– iPads
– Kindles
– iTouches
– E-Readers
– Appliances!
From homes, offices, coffee shops, airplanes, cars, buses, trains, … almost anywhere

Always Something New

And Yet Newer
Or Even Newer

Roles of Digital Devices
Computer as Target
– Unauthorized access, damage, theft
– Spam, viruses, worms
– Denial of service attacks
Computer as Tool
– Fraud
– Threats, harassment
– Child pornography
Computer as Container
– From drug dealer records to how to commit murder

Digital Evidence
Information of probative value that is stored or transmitted in binary form and may be relied upon in court

Two types
User-created
– Text (documents, e-mail, chats, IM's)
– Address books
– Bookmarks
– Databases
– Images (photos, drawings, diagrams)
– Video and sound files
– Web pages
– Service provider account subscriber records
Computer/Network-created
– Email headers
– Metadata
– Activity logs
– Browser cache, history, cookies
– Backup and registry files
– Configuration files
– Printer spool files
– Swap files and other "transient" data
– Surveillance tapes, recordings

Forms of Evidence
Files
– Present / Active (doc's, spreadsheets, images, email, etc.)
– Archive (including as backups)
– Deleted (in slack and unallocated space)
– Temporary (cache, print records, Internet usage records, etc.)
– Encrypted or otherwise hidden
– Compressed or corrupted
Fragments of Files
– Paragraphs
– Sentences
– Words

How Much Data?
1 Byte (8 bits): A single character
1 Kilobyte (1,000 bytes): A paragraph
1 Megabyte (1,000 KB): A small book
1 Gigabyte (1,000 MB): 10 yards of shelved books
1 Terabyte (1,000 GB): 1,000 copies of an encyclopedia
1 Petabyte (1,000 TB): 20 million four-door filing cabinets of text
1 Exabyte (1,000 PB): 5 EB = All words ever spoken by humans
1 Zettabyte (1,000 EB, or 1 billion TB) = 250 billion DVDs, 36 million years of HD video, or the volume of the Great Wall of China
(These are decimal units. Forensic tools and the cluster-size slide later in this deck use binary units, where 1 KB = 1,024 bytes; the difference matters when an image size is compared against a drive's stated capacity.)

Data Generated in 2010
– 1200 trillion gigabytes (1.2 zettabytes)
– 89 stacks of books each reaching from the Earth to the Sun
– 22 million times all the books ever written
– Would need more than 750 million iPods to hold it
– 107 trillion emails sent in 2010

Projection
In 2020: 35 zettabytes will be produced
– All words ever spoken by human beings, written 7 times

How Much in Real Cases?
One recent example:
– 17 terabytes
– 24+ million images
– 17,000 movies
– 4600+ CVIP hits (known CP images)

Sources of Evidence
Offender's computer
– accessed and downloaded images
– documents
– chat sessions
– user log files
– Internet connection logs
– browser history and cache files
– email and chat logs
– passwords & encryption keys

Sources of Evidence
Servers
– Internet Protocol addresses
– ISP authentication user logs
– FTP and Web server access logs
– Email server user logs
– Subscriber account information
– LAN server logs
– "Cloud" storage
– Web pages
– Social media
Online activity
– Internet Protocol addresses
– Router logs
– Third party service providers

"Inside the box, outside the box"
(figure: The Box / Outside the box: network investigations)

Inside the Box
What the computer owner actually has possession of
Computer's hard drive and other memory
– Documents
– Pictures
– Outlook Emails
– Internet Cache
CD's and floppy disks
iPods
Cell Phones
External Hard Drives

Outside the Box
What is not stored on the owner's computer
Online Email Accounts (Gmail and Yahoo)
Internet Shopping Accounts
Social Networking Accounts
Backups of text messages
Cell Site Location Data
Using Pen/Trap for Internet "DRAS" (dialing, routing, addressing, and signaling) information
Subscriber account records
Contents of Websites

Variety of "Boxes"
Computer Hardware (figure: computer, monitor, printer, zip drive, hard drive, laptop computer, digital camera, tape drive, disks, CD-ROM drive)

Challenges
– Increasing ubiquity and convergence of digital devices
– Increasing data storage capacity
– Shrinking devices and media
– Growing use of solid state devices (on SSDs, wear levelling and TRIM/garbage collection can overwrite deleted data on their own, so recovery from unallocated space, described later in this deck, is far less dependable than on magnetic disks)
Internal Drives (figure)
Removable Media (figure)

USB Storage Devices
More Digital Devices

And Still More
Remember this news item?
More

More
Vehicle "black boxes"
– Event data recorders
– Sensing and diagnostic modules
– Data loggers

More
GPS devices
What next?

Computer Forensics
Obtaining, Processing, Authenticating, and Producing digital data/records for legal proceedings.

Usually pre-defined procedures are followed, but flexibility is necessary as the unusual will be encountered
Was largely "post-mortem" – "What's on the hard drive?"
Rapidly evolving – Ex: From "Pull the plug" to "Don't power down before you know what's on it" (powering down discards RAM: running processes, open network connections, and the keys of any mounted encrypted volume)

Terms, Branches, Trends
– Computer forensics
– Network forensics
– "Live" forensics
– Software forensics
– Image forensics
– Mobile device forensics
– "Browser" forensics
– "Triage" forensics
– "Distributed" forensics

Digital Knowledge and Intent Evidence
Evidence that the CP files were purposely collected
– CP found in computer's allocated space?
– In folders assigned to particular "user" of the computer?
– Files organized, given relevant folder/file titles?
– Default settings of the computer's software changed?
Evidence that CP was obtained via Web browsing
– Evidence in the Index.dat files of web searches for CP?
– CP found in the Temporary Internet Files?
– Any CP-related Bookmarks/Favorites saved?
Evidence that the CP was viewed by a user
– Any Recent Files/Link Files to the CP?
– Windows Registry lists other devices (scanners, thumb drives, etc.) recently connected to the computer?
– Any Thumbs.db files containing CP?
– Any CP videos listed in Windows Media Player/Real Player histories?

Basic Steps
– Acquiring (and preserving) evidence without altering or damaging original data
– Authenticating acquired evidence by showing it's identical to data originally seized
– Analyzing (searching for) the evidence without modifying it

Popular Automated Tools
– EnCase (Guidance Software) http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
– Forensic Tool Kit (FTK) (AccessData)

Skills / Expertise Required
Technical
– Data processing and production
Investigative
– Understanding computer evidence
– Building a case
Legal
– Maintaining chain of custody
– Managing digital evidence per the rules

Certifications
Various offered
– IACIS's "CFCE"
– Guidance Software's EnCase Certified Examiner ("EnCE")
– ISFCE's "CCE"
Some states require P.I. licenses
Growing number of schools offering certificate and degree programs
But no uniform, accepted standards

Acquiring the Evidence
Seizing computer ("bag and tag")
Handling computer evidence carefully
– Chain of custody
– Evidence collection (including volatile memory)
– Evidence identification
– Transportation
– Storage
Making at least two images of each container
– Perhaps a 3rd in a criminal case
Documenting, Documenting, Documenting

Preserving Digital Evidence
The "Forensic Image" or "Duplicate"
– A virtual "clone" of the entire drive
– Every bit & byte
– "Erased" & reformatted data
– Data in "slack" & unallocated space
– Virtual memory data

Authenticating the Evidence
Proving that evidence to be analyzed is exactly the same as what suspect/party left behind
– Readable text and pictures don't magically appear at random
– Calculating hash values for the original evidence and the images/duplicates
  MD5 (Message-Digest algorithm 5)
  SHA (Secure Hash Algorithm) (NSA/NIST)

What Is a Hash Value?
An MD5 hash is a 32-character string of hexadecimal digits (0-9, a-f). The slide illustrates the idea with a placeholder rather than a real digest:
Acquisition Hash: 3FDSJO90U43JIVJU904FRBEWH
Verification Hash: 3FDSJO90U43JIVJU904FRBEWH
(A genuine MD5 value looks like the "quick brown fox" examples on the next slide, e.g. 9e107d9d372bb6826bd81d3542a419d6.)
The chance of two different inputs producing the same MD5 hash by accident is about 1 in 2^128, i.e. less than 1 in 340 undecillion: 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000
Caveat: that figure covers accidental collisions only. MD5 (and SHA-1) collisions can be deliberately constructed, so an image should also be recorded with SHA-256; matching MD5 and SHA-256 values together are what current practice relies on.

Hashing Tools – Examples
http://www.miraclesalad.com/webtools/md5.php
http://www.fileformat.info/tool/md5sum.htm
http://www.slavasoft.com/hashcalc/index.htm
Also, AccessData's FTK Imager can be downloaded free at http://www.accessdata.com/downloads.html

MD5 Hash
128-bit (16-byte) message digest – a sequence of 32 hexadecimal characters
"The quick brown fox jumps over the lazy dog"
9e107d9d372bb6826bd81d3542a419d6
"The quick brown fox jumps over the lazy dog."
e4d909c290d0fb1ca068ffaddf22cbd0
http://www.miraclesalad.com/webtools/md5.php

"Hashing" an Image
First image:
MD5  021509c96bc7a6a47718950e78e7a371
SHA1 77fe03b07c0063cf35dc268b19f5a449e5a97386
Second image:
MD5  ea8450e5e8cf1a1c17c6effccd95b484
SHA1 01f57f330fb06c16d5872f5c1decdfeb88b69cbc
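The acquisition-hash / verification-hash comparison from the "Authenticating the Evidence" slides, worked through in code. This is an added example, not code from the NCJRL deck or from any forensic tool it names. It uses only the Python standard library; the "drive", its faithful image and a tampered copy are constructed in memory, and the hashes of the slide's two "quick brown fox" strings are reproduced so the values can be checked against the slide.

```python
"""Acquisition and verification hashing for a forensic image.

Added example, not part of the NCJRL slides. Standard library only. The
'drive', its image and a tampered copy are constructed in memory below; in a
real acquisition the two streams are the write-blocked source device and the
image file the imaging tool produced.
"""
import hashlib
import io
import random

# MD5 and SHA-1 are kept because older reports and hash sets use them;
# SHA-256 is the value to rely on, since MD5 and SHA-1 collisions can be
# deliberately constructed (accidental collisions are the 1-in-2^128 case).
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024   # 1 MiB reads: a terabyte image never has to fit in RAM


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} from a single pass over a file-like object."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():      # every digest updated from the same read
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_text(text):
    """Digest of a short string, as in the slide's 'quick brown fox' demonstration."""
    return hash_stream(io.BytesIO(text.encode("utf-8")))


def verify_image(acquisition_hashes, image_stream):
    """Re-hash an image and compare with the hashes recorded at acquisition.

    Returns (all_match, report); report maps each algorithm to
    (acquisition value, verification value, match) for the examiner's notes.
    """
    verification = hash_stream(image_stream, tuple(acquisition_hashes))
    report = {name: (acquisition_hashes[name], verification[name],
                     acquisition_hashes[name] == verification[name])
              for name in acquisition_hashes}
    return all(match for _, _, match in report.values()), report


def build_samples(size=256 * 1024):
    """Constructed data: a pseudo-random 'drive', a faithful image, and a copy
    with one bit flipped in its last byte."""
    drive = random.Random(2012).randbytes(size)
    tampered = bytearray(drive)
    tampered[-1] ^= 0x01
    return drive, bytes(drive), bytes(tampered)


def demo():
    """Acquisition hash of the drive, then verification of both images."""
    drive, good_image, tampered_image = build_samples()
    acquisition = hash_stream(io.BytesIO(drive))
    good_ok, _ = verify_image(acquisition, io.BytesIO(good_image))
    bad_ok, bad_report = verify_image(acquisition, io.BytesIO(tampered_image))
    # A single flipped bit changes every digest, so no algorithm matches.
    return good_ok, bad_ok, [m for _, _, m in bad_report.values()]


if __name__ == "__main__":
    for text in ("The quick brown fox jumps over the lazy dog",
                 "The quick brown fox jumps over the lazy dog."):
        print(f"{text!r}\n  md5 {hash_text(text)['md5']}")
    good, bad, _ = demo()
    print("faithful image verifies:", good, "/ tampered image verifies:", bad)
```

Reading the image once and feeding every hasher from the same block is what makes multi-algorithm hashing affordable on a multi-terabyte image; recording the per-algorithm report, rather than a single yes/no, is what goes into the examination notes.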

Analyzing the Evidence
Working on bit-stream images of the evidence; never the original
– Prevents damaging original evidence
– Two backups of the evidence
  One to work on
  One to copy from if the working copy is altered
Analyzing everything
– Clues may be found in areas or files seemingly unrelated

Analysis (cont'd)
Existing Files
– Mislabeled
– Hidden
Deleted Files
– Trash Bin
– Show up in directory listing with a deletion marker in place of the first letter: "taxes.xls" appears as "σaxes.xls" (on FAT volumes the marker is the byte 0xE5, which displays as σ)
Free Space
Slack Space

Sources of Digital Gold
– Internet history
– Temp files (cache, cookies etc…)
– Slack/unallocated space
– Buddy lists, chat room records, personal profiles, etc.
– News groups, club listings, postings
– Settings, file names, storage dates
– Metadata (email header information)
– Software/hardware added
– File sharing ability
– Email

How Data Is Stored
Track
Sector
Clusters are groups of sectors

How Data Is Stored
Files are written to Clusters
– Each file may occupy more or less than full clusters
– May write to non-contiguous clusters
Every file in a computer fills a minimum amount of space
– In some old computers, one kilobyte (1,024 bytes). In newer computers, 32 KB (32,768 bytes). (32 KB is the Windows default cluster size for large FAT32 volumes; NTFS volumes default to 4 KB clusters.)
– If a file is 2,000 bytes long, everything after the 2000th byte, up to the end of its last cluster, is slack space.

Free Space
Currently unoccupied, or "unallocated" space
May have held information before
Valuable source of data
– Files that have been deleted
– Files that have been moved during defragmentation
– Old virtual memory

Pop Quiz
How can you reliably "destroy" data?
Jackhammer; hard drive shredder

Slack Space
Space not occupied by an active file, but not available for use by the operating system

How "Slack" Is Generated (figure)
1. File A ("erased," on disk) still occupies its clusters.
2. File B (draft in RAM) is saved to disk on top of File A.
3. File B over-writes part of File A, creating slack.
4. File B (now on disk); the remains of File A survive in the slack.
Slack space: The area between the end of the file and the end of the storage unit
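The cluster arithmetic of the "How Data Is Stored" slides and the File A / File B sequence in the "How Slack Is Generated" figure, replayed in code. This is an added example, not from the NCJRL deck. The disk is a bytearray split into fixed-size clusters, the 4,096-byte cluster size (the NTFS default; the slides cite 1 KB and 32 KB for FAT volumes) and the two files' contents are constructed for illustration, and a small directory dictionary stands in for the file system's allocation table.

```python
"""Clusters, slack and unallocated space, replaying the 'How Slack Is
Generated' figure. Added example, not from the NCJRL deck. The disk is a
bytearray split into fixed-size clusters; the file contents and the 4,096-byte
cluster size (NTFS default) are constructed for illustration, and a directory
dictionary stands in for the file system's allocation table.
"""
import math

CLUSTER = 4096


def clusters_needed(size, cluster=CLUSTER):
    """Whole clusters a file of `size` bytes occupies (at least one)."""
    return max(1, math.ceil(size / cluster))


def slack_bytes(size, cluster=CLUSTER):
    """Bytes between the logical end of the file and the end of its last cluster."""
    return clusters_needed(size, cluster) * cluster - size


class Disk:
    """Toy volume: raw bytes plus a directory {name: (first_cluster, size)}."""

    def __init__(self, clusters=8):
        self.raw = bytearray(clusters * CLUSTER)
        self.directory = {}
        self.free = set(range(clusters))

    def _find_run(self, n):
        total = len(self.raw) // CLUSTER
        for start in range(total - n + 1):
            if all(c in self.free for c in range(start, start + n)):
                return start
        raise OSError("volume full")

    def write(self, name, data):
        """Allocate the first free run of clusters and copy the data in. The tail
        of the last cluster is NOT cleared: whatever was there before survives
        as slack."""
        n = clusters_needed(len(data))
        start = self._find_run(n)
        offset = start * CLUSTER
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (start, len(data))
        self.free -= set(range(start, start + n))

    def delete(self, name):
        """'Erase' a file: the directory entry goes and the clusters are marked
        free, but their contents stay on disk (now unallocated space)."""
        start, size = self.directory.pop(name)
        self.free |= set(range(start, start + clusters_needed(size)))

    def read_slack(self, name):
        """Slack of an active file: from its logical end to the end of its last cluster."""
        start, size = self.directory[name]
        end = start * CLUSTER + size
        cluster_end = (start + clusters_needed(size)) * CLUSTER
        return bytes(self.raw[end:cluster_end])

    def read_unallocated(self):
        """Contents of every cluster the file system currently calls free."""
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in sorted(self.free))


def demo():
    """File A is written and 'erased'; File B is then saved over part of it."""
    disk = Disk()
    file_a = b"FILE A: ledger of 2011 transactions, page 1 ... " * 100   # 4,800 bytes -> 2 clusters
    file_b = b"FILE B: innocuous shopping list " * 40                     # 1,280 bytes -> 1 cluster
    disk.write("a.txt", file_a)
    disk.delete("a.txt")
    disk.write("b.txt", file_b)            # reuses File A's first cluster
    slack = disk.read_slack("b.txt")
    return {
        "slack_bytes": len(slack),                                      # 4096 - 1280
        "file_a_in_slack": b"FILE A" in slack,                          # tail of A's first cluster
        "file_a_in_unallocated": b"FILE A" in disk.read_unallocated(),  # A's second cluster
    }


if __name__ == "__main__":
    print("2,000-byte file, 32 KB clusters: slack =", slack_bytes(2000, 32768))
    print(demo())
```

The two places File A survives are the two the deck lists separately: its second cluster is ordinary unallocated space, while the tail of its first cluster is slack belonging to File B and stays invisible to the operating system until the examiner reads the raw clusters.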


Selected Developments in Digital Forensics

“Browser” Forensics

“Triage” Forensics

“Browser” Forensics

Web browsers (e.g., Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera) maintain histories of recent activity, even if not web related (for example, local files opened in the browser).

Internet History

Computers store Internet history in a number of locations, including:
– Temporary Internet files (the browser cache)
– Windows Registry
– Browser / search term history
– Cookies

This information is browser specific: each browser keeps its own files and formats.
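As an added example, not part of the NCJRL slides, of what “browser specific” means in practice: Firefox keeps its history in an SQLite database (places.sqlite) with timestamps stored as microseconds since the Unix epoch, and a visit to a local file shows up there exactly like a web visit. The script builds a reduced copy of two real Firefox tables (moz_places and moz_historyvisits; the real schema has more columns) in memory with constructed rows, so it runs offline; the URLs, titles, and times are assumptions.

```python
# Added example (not from the slides): reading visit history out of a
# Firefox-style places.sqlite. Firefox's real database has these two tables
# (moz_places, moz_historyvisits) with more columns than shown; the rows here
# are constructed so the script runs offline against an in-memory copy.
import sqlite3
from datetime import datetime, timedelta, timezone

PRTIME_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_iso(microseconds: int) -> str:
    """Firefox stores timestamps as PRTime: microseconds since the Unix epoch, UTC."""
    return (PRTIME_EPOCH + timedelta(microseconds=microseconds)).isoformat()


def build_sample_places() -> sqlite3.Connection:
    """Constructed subset of the Firefox schema with three visits, one of them a local file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://www.example.org/search?q=forensics", "search results", 2, 1335920400000000),
        (2, "file:///C:/Users/user/Pictures/IMG_0412.jpg", "IMG_0412.jpg", 1, 1335916800000000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1335916800000000, 1),   # 2012-05-02 00:00:00 UTC
        (2, 1, 1, 1335920400000000, 1),   # one hour later, reached from visit 1
        (3, 0, 2, 1335916800000000, 1),   # local file opened in the browser: not "web" activity
    ])
    conn.commit()
    return conn


def history(conn: sqlite3.Connection):
    """Every visit, oldest first, as (ISO timestamp, url, title)."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date, v.id
    """).fetchall()
    return [(prtime_to_iso(ts), url, title) for ts, url, title in rows]


def local_file_visits(conn: sqlite3.Connection):
    """The non-web activity the slide alludes to: file:// URLs in browser history."""
    return [url for _, url, _ in history(conn) if url.startswith("file://")]


if __name__ == "__main__":
    conn = build_sample_places()
    for when, url, title in history(conn):
        print(when, url, title)
```

Against a real profile you would open a copy of places.sqlite with sqlite3.connect() instead of building the tables; Internet Explorer of that era used an index.dat file and Chrome a different SQLite layout, which is why an examiner needs a different parser per browser. Note also that clearing history deletes these rows, which is what the osTriage limitation about “data no longer there” refers to.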


“Triage” Forensics

“Rolling” forensics, or on-site “preview”

Image scan

Especially useful in “knock & talk” consent situations, screening multiple computers to determine which to seize, or probation or parole monitoring

Not all agencies are equipped or trained yet to do this

“Triage” Forensics

Increasingly important, as the number and storage capacities of devices rapidly grow.

But does NOT enable a comprehensive, forensically sound examination of any device on the scene.

“When is enough enough?”

“Triage” Forensics - Steps

Attach/install write-blocking equipment

Turn on target device

Scan for file extensions, such as:
.doc
.jpg (.jpeg)
.mpg (.mpeg)
.avi
.wmv
.bmp


“Triage” Forensics - Steps

Pull up thumbnail views, 10-96 images at a time

Right click on image, save to CD or separate drive

Determine file structure or file path

Tool Example: osTriage

“Live response tool”

Developed by an F.B.I. Special Agent (SA) in Salt Lake City (SLC)

Free to U.S. law enforcement

Validated by F.B.I. November 2011

43 MB software package

Run from USB storage (e.g., thumb drive or external hard drive)

osTriage – Reasons to Use

Increasing use and ease of “virtualization”
– May be multiple additional “computers” (virtual machines) on one physical machine

Increasing use of free & low-cost encryption

Loss of valuable info when computer is rebooted (running programs and other volatile data)

Loss of visibility of network storage

Saves time


osTriage – Capabilities

Display comprehensive details:
– User accounts
– Physical and logical hard drives
– Mapped network drives
– NIC information
– Every USB device ever inserted into the machine (as recorded in the Windows Registry)
– Browser history
– “Flash cookies”
– Applications running (e.g., P2P or encryption)

osTriage – Capabilities

Searches drives, finds images/videos, displays thumbnails

Allows easy copying of contraband images/videos to USB storage device

Compares images/videos to SHAs (hash values of known files; an exact match only, so any change to the file defeats it)

Checks file names against keyword list

Has built-in image viewer

Supports viewing any EXIF data and thumbs.db

osTriage – Capabilities

Extracts saved passwords

Extracts list of recently opened files

Writes nothing to computer being scanned

Allows for custom searches

Looks inside archives for keyword filenames

Gathers and saves volatile data before shutdown


osTriage - Limitations

Cannot find and display data no longer there (e.g., cleared browser history)

Doesn’t look for deleted files

Doesn’t look at file headers to identify images or videos (so a file whose extension has been changed is missed)

Does not substitute for a full, forensically sound examination of the device, if needed

Ways of Trying to Hide Data

Password protection schemes

Encryption

Steganography

Anonymous remailers

Proxy servers

Changing File Extensions

Password Protection

Computer/BIOS passwords

Encryption programs

Archive passwords

Document passwords


Changing File Extensions
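The extension scan in the “Triage Forensics - Steps” checklist, the osTriage limitation about not looking at file headers, and the “changing file extensions” hiding technique are three views of the same gap, shown here in one added example that is not part of the NCJRL slides and is not osTriage's code. It scans a small directory tree twice: once by extension, as the checklist does, and once by the first bytes of each file (the header or “magic number”), which is what survives a rename. The sample files are constructed stubs with real header bytes but no usable content; their names and paths are assumptions.

```python
# Added example (not from the slides or from osTriage): the same directory
# tree scanned two ways. The extension scan from the triage checklist misses
# a JPEG renamed to .txt; reading the first bytes of each file (its "header"
# or magic number) does not. Sample files are constructed stubs, not real
# images or documents.
import os
import tempfile

# Extensions listed in the "Triage Forensics - Steps" slide.
TRIAGE_EXTENSIONS = {".doc", ".jpg", ".jpeg", ".mpg", ".mpeg", ".avi", ".wmv", ".bmp"}

# Header signatures: label -> list of (offset, expected bytes), all of which must match.
SIGNATURES = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "avi":  [(0, b"RIFF"), (8, b"AVI ")],                  # RIFF container holding AVI
    "mpeg": [(0, b"\x00\x00\x01\xba")],                    # MPEG program stream pack header
    "wmv":  [(0, b"\x30\x26\xb2\x75\x8e\x66\xcf\x11")],    # ASF header object GUID
    "doc":  [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")],    # OLE2 compound document (Word 97-2003)
    "bmp":  [(0, b"BM")],                                  # weak two-byte check; keep it last
}


def sniff(header: bytes):
    """Return the signature label for the first bytes of a file, or None."""
    for label, parts in SIGNATURES.items():
        if all(header[off:off + len(sig)] == sig for off, sig in parts):
            return label
    return None


def _walk(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.path.relpath(path, root).replace(os.sep, "/")


def scan_by_extension(root) -> set:
    """What the checklist's 'scan for file extensions' step finds."""
    return {rel for _, rel in _walk(root)
            if os.path.splitext(rel)[1].lower() in TRIAGE_EXTENSIONS}


def scan_by_header(root) -> dict:
    """What a header-based scan finds: relative path -> label."""
    found = {}
    for path, rel in _walk(root):
        with open(path, "rb") as f:
            label = sniff(f.read(16))
        if label:
            found[rel] = label
    return found


# Constructed stubs: enough header to be recognised, not valid media.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(32)
AVI_STUB = b"RIFF" + (64).to_bytes(4, "little") + b"AVI LIST" + bytes(32)


def build_sample_tree(root) -> None:
    samples = {
        "photos/beach.jpg": JPEG_STUB,
        "docs/notes.txt": JPEG_STUB,       # JPEG renamed to hide it from an extension scan
        "video/clip.avi": AVI_STUB,
        "docs/letter.doc": b"plain text saved under a .doc name\n",  # extension says Word, content is not
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    root = tempfile.mkdtemp(prefix="triage-")
    build_sample_tree(root)
    return scan_by_extension(root), scan_by_header(root)


if __name__ == "__main__":
    by_ext, by_hdr = demo()
    print("by extension:", sorted(by_ext))
    print("by header:   ", by_hdr)
```

The extension scan reports beach.jpg, clip.avi and letter.doc and never sees notes.txt; the header scan reports both JPEGs and the AVI and ignores letter.doc, whose contents are not a Word file at all. On a live machine this kind of scan must run through the write blocker called for in the first step, and it still does nothing for deleted files or for content inside encrypted containers, which is the point of the “does not substitute for a full examination” caveat.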

Encryption

Sometimes used as a security measure to prevent others from accessing file data.
– Examples: “Pretty Good Privacy” (PGP) and “TrueCrypt”
Scrambles file data so that it is unusable without the key.

Note on the “cindy.jpg” sample below: the “begin …” header and the lines starting with “M” are the signature of uuencode, a reversible text encoding that needs no key. Encoding of this kind hides nothing from an examiner; only true encryption does.

begin cindy.jpgM_]C_X``02D9)1@`!`0```0`!``#_VP!#``X*"PT+"0X-#`T0#PX1%B07%A04M%BP@(1HD-"XW-C,N,C(Z05-&.CU./C(R2&))3E9875Y=.$5F;65:;%-;75G_MVP!#`0\0$!83%BH7%RI9.S([65E965E965E965E965E965E965E965E965E9M65E965E965E965E965E965E965E965G_P``1"`#P`,D#`2(``A$!`Q$!_\0`M'P```04!`0$!`0$```````````$"`P0%!@<("0H+_\0`M1```@$#`P($`P4%M!`0```%]`0(#``01!1(A,4$&$U%A!R)Q%#*!D:$((T*QP152T?`D,V)R@@D*M%A<8&1HE)B<H*2HT-38W.#DZ0T1%1D=(24I35%565UA96F-D969G:&EJ<W1UM=G=X>7J#A(6&AXB)BI*3E)66EYB9FJ*CI*6FIZBIJK*SM+6VM[BYNL+#Q,7&MQ\C)RM+3U-76U]C9VN'BX^3EYN?HZ>KQ\O/T]?;W^/GZ_\0`'P$``P$!`0$!M`0$!`0````````$"`P0%!@<("0H+_\0`M1$``@$"!`0#!`<%!`0``0)W``$"

Encoded / Decoded

M`Q$$!2$Q!A)!40=A<1,B,H$(%$*1H;'!"2,S4O`58G+1"A8D-.$E\1<8&1HFM)R@I*[email protected]$149'2$E*4U155E=865IC9&5F9VAI:G-T=79W>'EZ@H.$MA8:'B(F*DI.4E9:7F)F:HJ.DI::GJ*FJLK.TM;:WN+FZPL/$Q<;'R,G*TM/4MU=;7V-G:XN/DY>;GZ.GJ\O/T]?;W^/GZ_]H`#`,!``(1`Q$`/P#NBN1D$^]&MT>_YTX=**!B;1[_G2;1[_G3J0T`)M^OYTFT>I_.GYIIXH`:0/4U6N+N"W_ULMRIZ9:L+7_$L=CNAM]KR]R3PM><7^JSW<S,TKNQ/KQ2N.W<]4FUFW1OEF!_X%M4+:Y"@8F1B`,C:V:\LCEN&1@R%D[D]J1+ITR%)'MGM2U'H>@3^+?(92C>8".M5.>*SV\:SDL9)`B@8"HO7\:XV:8R?,#@559B318&T=5<>-=2=L0,$7W8D_SIMB>-M848,RGZK7+9I:9-SNK#QM=.ZBZ.Y>Y0X-=I8:K!?0AH9=QP.">:\361EM(.:V-*U9[>92K8(I:HI69Z^96!Z_I0)6/\1_*N;TKQ#'<JJ3D*_K6\K@KE2"M*=Q-6+&]CW-.WGBH%>G[A0(FSQUH_$_G3%>G!Q0`['N>*7!]:12*7-``0?6HM/LG_`$UD_P"_C?XU8'K2_E3`4=**!THH`*0BEHH`:36#XEUJ/3K5XT8&9E]?MNBM+4[G[-:NP.#BO+]3CGU#4&MX\LY.Y\G]/PI-E)=3&NKF:_N,#+;V^51WKM7L]*2!55L-._?TK5T_0$L[?S#\UPPY/I5O[$8XS)@ESWJ6RDNYB:K#':V)C0MY9N`.Y-9#:88H!+-)M?/*XZ5U`L&:X%Q./NCY%]/>N=U^YW7.Q>,=10@DEN9M<G"*.O>HJ<S$@?2FU9F%`&312]![T"`^@I`2#D444`:%I?NA"L:Z[1O$+1XCMF8M'T![K7!#FIH;AX6!&:EHM2[GLL,ZS)O1LJ>>*F5P1Q7GNA:\;=PDA_=']M*[:WNTE0,A!4\B@=C0#8IX:H$D4X.*F4@TR212>*=GG%,`QQFG+C-`$BTN3_
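To make the distinction between encoding and encryption concrete, here is an added example, not part of the NCJRL slides, that produces text in the same form as the “begin cindy.jpg … M_]C_X…” sample above and then recovers the original bytes from it with nothing but the standard library. The file name and the JPEG header bytes are constructed; the “begin name” header without a mode, as it appears on the slide, is handled as an assumption about how that sample was produced.

```python
# Added example (not from the slides): the "begin cindy.jpg ... M_]C_X..."
# text on this slide is uuencode output. This shows that it is an encoding,
# reversible with no key, by round-tripping a constructed JPEG header through it.
import binascii


def uuencode_text(name: str, data: bytes, mode: int = 0o644) -> str:
    """Classic uuencode: 'begin' header, 45-byte lines, a '`' line, then 'end'."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def uudecode_text(text: str):
    """Decode a uuencoded block; tolerates 'begin name' with no mode, as shown on the slide."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("begin "))
    parts = lines[start].split(maxsplit=2)
    if len(parts) == 3 and parts[1].isdigit():
        name = parts[2]                 # "begin 644 cindy.jpg"
    else:
        name = " ".join(parts[1:])      # "begin cindy.jpg" (no mode)
    out = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if line and line != "`":
            out += binascii.a2b_uu(line)
    return name, bytes(out)


# Constructed JPEG header followed by filler; not a real picture.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256))


def demo():
    encoded = uuencode_text("cindy.jpg", JPEG_STUB)
    slide_style = encoded.replace("begin 644 cindy.jpg", "begin cindy.jpg", 1)
    return encoded, uudecode_text(slide_style)


if __name__ == "__main__":
    encoded, (name, data) = demo()
    print(encoded.splitlines()[0:2])
    print(name, data[:4].hex())
```

The first encoded line begins with “M” because that character encodes a 45-byte line, which is why every full line of the slide's sample starts the same way. Decoding yields bytes starting FF D8 FF, the JPEG header, so a header-based scan would still identify the picture. A file encrypted with PGP or TrueCrypt, by contrast, cannot be turned back into the picture without the key or passphrase.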


Steganography – Example

StenographyRecovered.png (200 × 200 pixels, file size: 19 KB)

StenographyOriginal.png (200 × 200 pixels, file size: 88 KB)

Another example

What do you see? F-22s

What else?
– Embedded 121-page extract of a terrorist training manual
– The F-22 image, the “carrier” file, is a 2.25 MB bitmap file (.bmp).
– The “payload,” the training manual extract, is a text file (.txt) that is only 227 KB. So the payload easily fits in.
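Why a 227 KB text file “easily fits in” a 2.25 MB bitmap: the commonest technique, least-significant-bit (LSB) embedding, stores one payload bit in the lowest bit of each pixel byte, so the carrier holds roughly one eighth of its size as payload and no byte changes by more than one. The following is an added example, not part of the NCJRL slides, and the actual tool used for the F-22 image is not identified on the page; it embeds and recovers a payload in a constructed array of carrier bytes (in a real .bmp one would skip the file header, commonly 54 bytes, and use only the pixel array). The payload text and carrier values are assumptions.

```python
# Added example (not from the slides): least-significant-bit embedding, the
# simplest way a text payload is hidden inside a bitmap's pixel bytes. The
# carrier bytes here are constructed; in a real .bmp you would skip the
# file header (commonly 54 bytes) and embed only in the pixel array.
import struct


def lsb_capacity(carrier_len: int) -> int:
    """Payload bytes that fit: one bit per carrier byte, minus a 4-byte length prefix."""
    return carrier_len // 8 - 4


def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    if len(payload) > lsb_capacity(len(carrier)):
        raise ValueError("payload does not fit in carrier")
    message = struct.pack(">I", len(payload)) + payload   # length prefix, then payload
    out = bytearray(carrier)
    i = 0
    for byte in message:
        for shift in range(7, -1, -1):                   # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    def read(start_byte: int, count: int) -> bytes:
        buf = bytearray()
        for k in range(count):
            v = 0
            for j in range(8):
                v = (v << 1) | (stego[(start_byte + k) * 8 + j] & 1)
            buf.append(v)
        return bytes(buf)
    (length,) = struct.unpack(">I", read(0, 4))
    return read(4, length)


def max_byte_change(carrier: bytes, stego: bytes) -> int:
    """LSB embedding changes each carrier byte by at most 1: invisible to the eye."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


def fits_on_slide_example() -> bool:
    """2.25 MB carrier vs 227 KB payload, using file sizes as a rough capacity check."""
    return 227 * 1024 <= lsb_capacity(int(2.25 * 1024 * 1024))


def demo():
    carrier = bytes(range(256)) * 8            # constructed 2,048-byte "pixel" array
    payload = b"Embedded extract of a training manual"
    stego = lsb_embed(carrier, payload)
    return stego, lsb_extract(stego), max_byte_change(carrier, stego)


if __name__ == "__main__":
    stego, recovered, delta = demo()
    print(recovered.decode(), "| largest change to any carrier byte:", delta)
    print("slide's 227 KB payload fits in 2.25 MB carrier:", fits_on_slide_example())
```

For the slide's numbers the rough capacity is about 288 KB, comfortably above 227 KB, and the carrier grows by zero bytes, which is why the file size of the F-22 bitmap gives no hint. Detecting this kind of embedding relies on statistical tests of the low bits or on having the original image to compare against, not on visual inspection.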


And Remember the Cloud

Questions?

662-915-6898
[email protected]
www.ncjrl.org