Intro to Digital Forensics
What are the five major categories performed by digital forensics tools?
1. Acquisition. 2. Validation and Verification. 3. Extraction. 4. Reconstruction. 5. Reporting.
Three Rules for Forensic Hashes
You can't predict the hash value of a file or device. No two hash values can be the same. If anything changes in the file or device, the hash value must change.
SMART
Designed to be installed on numerous Linux versions. Can analyze a variety of file systems with SMART. Many plug-in utilities are included with SMART. Another useful option in SMART is its hex viewer.
Raw Format Advantages
Fast data transfers. Ignores minor data read errors on the source drive. Most computer forensics tools can read raw format.
Considerations
Flexibility, reliability, future expandability, cost, maintenance & support.
Kali Linux
Formerly known as BackTrack. Includes a variety of tools and has an easy-to-use KDE interface.
Acquisition Tools for Windows Advantages
Make acquiring evidence from a suspect drive more convenient. (Especially when used with hot-swappable devices.) Most common OS in the market.
Raw Format
Makes it possible to write bit-stream data to files.
Acquisition
Making a copy of the original drive.
Computer Forensics Tool Testing (CFTT)
Manages research on computer forensics software.
Password Dictionary Attack
Many password recovery tools have a feature for generating potential password lists.
Verification
Proves that two sets of data are identical by calculating hash values or using another similar method. A related process is filtering, which involves sorting and searching through investigation findings to separate good data and suspicious data.
Advanced Forensics Format
Provides compressed or uncompressed image files. No size restriction for disk-to-image files. Provides space in the image file or segmented files for metadata. Simple design with extensibility. Open source for multiple platforms and OSs. Internal consistency checks for self-authentication.
Hardware Forensic Tools
Range from single-purpose components to complete computer systems and servers.
Reconstruction
Re-create a suspect drive to show what happened during a crime or an incident. Re-create a victim drive to return property and minimize inconvenience or re-victimization (except illegal contraband).
Extraction
Recovery task in a digital investigation. Most challenging of all tasks to master. Recovering data is the first step in analyzing an investigation's data.
Lossless Compression
Reduces file size without removing data. Based on Huffman or Lempel-Ziv-Welch coding (for redundant bits of data). Utilities: WinZip, PKZip, StuffIt, and FreeZip.
Raw File Format
Referred to as a digital negative. Typically found on many higher-end digital cameras.
Substitution
Replaces bits of the host file with other bits of data. Usually changes the last two LSBs (least significant bits). Detected with steganalysis tools.
Raw Format Disadvantages
Requires as much storage as original disk or data. Tools might not collect marginal (bad) sectors.
What does a Keyword Search do?
Speeds up analysis for investigators.
SleuthKit
A Linux forensics tool.
Secure Hash Algorithm version 1 (SHA-1)
A newer hashing algorithm. Developed by the NIST.
Validation
A way to confirm that a tool is functioning as intended.
Raster Images
Also a collection of pixels, but the pixels are stored in rows; better for printing.
Vector Graphics
Based on mathematical instructions. Uses lines instead of dots. Store only the calculations for drawing lines and shapes. Smaller than bitmap files; preserve quality when the image is enlarged. Examples: CorelDraw, Adobe Illustrator.
Creating an Investigation Plan
Begin a case by defining the goal and scope of the investigation, the materials and resources needed, the tasks to perform, and the reporting.
Sub-Functions of Reporting
Bookmarking or tagging, log reports, report generator.
GUI Forensic Tools
Can simplify digital forensics investigations. Have also simplified training for beginning examiners. Most of them are put together as suites of tools.
Logical Acquisition
Captures only specific files of interest to the case.
Data Hiding
Changing or manipulating a file to conceal information.
Data Compression
Coding data from a larger to a smaller form.
Bitmap Images
Collection of dots. Grids of individual pixels.
Sparse Acquisition
Collects fragments of unallocated (deleted) data.
Metafile Graphics
Combination of bitmap and vector; combine raster and vector graphics. Example: a scanned photo (bitmap) with text (vector). Share the advantages and disadvantages of both types; when enlarged, the bitmap part loses quality.
Exchangeable Image File (EXIF)
Commonly used to store digital pictures. Developed by JEITA as a standard for storing metadata in JPEG and TIF files.
How do you re-create an image of a suspect drive?
Copy an image to another location, such as a partition, a physical disk, or a virtual machine. The simplest method is to use a tool that makes a direct disk-to-image copy.
Four Methods of Data Collection
Creating a disk-to-image file. Creating a disk-to-disk copy. Creating a logical disk-to-disk or disk-to-data file. Creating a sparse data copy of a file or folder.
Extraction Sub-functions
Data viewing, keyword searching, decompressing or uncompressing, carving, decrypting, and bookmarking or tagging.
Screen Resolution
Determines the amount of detail.
Methods of Reconstruction
Disk-to-disk copy, partition-to-partition copy, image-to-disk copy, image-to-partition copy, rebuilding files from data runs, and carving.
GUI Forensic Tools Advantages
Easy to use, multitasking, no need for learning older OSs.
Examples of Disk-to-Image Copy Tools
EnCase, FTK, ProDiscover, Linux DD.
FTK Imager Outputs Image files into four different formats:
EnCase files (E01), Raw files (DD), SMART files (S01), Sleuth Kit (AFF).
EnCase outputs Evidence Image files into two different types (formats):
Ex01 (current), E01 (legacy).
GUI Forensic Tools Disadvantages
Excessive resource requirements. Produce inconsistent results among other tools. Create tool dependencies. Investigators may want to use only one tool; they should be familiar with more than one type of tool.
Validation and Verification Sub-functions
Hashing (CRC-32, MD5, SHA-1 secure hashing algorithms). Filtering: based on hash value sets. Analyzing file headers: discriminates files based on their types.
Insertion
Hidden data is not displayed when viewing the host file in its associated program. You need to analyze the data structure carefully. Example: a web page.
Steganography
Hides information inside image files (an ancient technique). Two forms are insertion and substitution.
Data Hiding Techniques
Hiding entire partitions. Changing file extensions. Setting file attributes to hidden. Bit-shifting. Using encryption. Setting up password protection.
When can you run a Brute-force attack?
If a password dictionary attack fails.
Proprietary Format Disadvantages
Inability to share an image between different tools. File size limitation for each segmented volume.
Cyclic Redundancy Check (CRC)
Mathematical algorithm that determines whether a file's contents have changed. Not considered a forensic hashing algorithm.
Message Digest 5 (MD5)
Mathematical formula that translates a file into a hexadecimal code value, or a hash value. If a bit or byte in the file changes, it alters the hash value, which can be used to verify that a file or drive has not been tampered with.
Creating a Disk-to-Image File
Most common method and offers the most flexibility. Can make more than one copy. Copies are bit-for-bit replications of the original drive. Most forensic tools have this capability.
Proprietary Formats
Most forensics tools have their own formats.
Acquisition Tools for Windows Disadvantages
Must protect acquired data with a well-tested write-blocking hardware device. Tools can't acquire data from a disk's host protected area.
Helix 3
One of the easiest suites to begin with. You can load it on a live Windows system. Loads as a bootable Linux OS from a cold boot. Note: some international courts have not accepted live acquisitions as a valid forensics practice.
Norton DiskEdit
One of the first MS-DOS tools used for computer investigations. Command-line tools require few system resources. Designed to run in minimal configurations. Current programs are more powerful and have many more capabilities.
Proprietary Format Advantages
Option to compress or not compress image files. Can split an image into smaller segmented files. Can integrate metadata into the image file.
Lossy Compression
Permanently discards bits of information. Vector quantization (VQ). Determines what data to discard based on vectors in the graphics file. Utility: Lzip.
Acquisition Sub-functions
Physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, and remote, live and memory acquisitions.
Static Acquisition
Post mortem/device off.
Live Acquisition
Powered-on device.
Write-blocker
Prevents data writes to a hard disk.
Demosaicing
Process of converting raw picture data to another format.
Autopsy
The GUI browser interface used to access Sleuth Kit's tools.
Reporting
To perform a forensics disk analysis and examination, you need to create a report.
Software Forensic Tools
Types: Command-line applications and GUI applications. Commonly used to copy data from a suspect's disk drive to an image file.
Scope Creep
When an investigation expands beyond its original description. Because of unexpected evidence found, attorneys may ask investigators to examine other areas to recover more evidence. Increases the time and resources needed to extract, analyze, and present evidence.
Creating a Disk-to-Disk
When a disk-to-image copy is not possible. Tools can adjust the disk's geometry configuration. Some forensic tools have this capability.