Forensics Midterm - Chapter Summaries


Computer forensics investigators must maintain professional conduct to protect their credibility.

...

Warning banners should be used to remind employees and visitors of company policy on computer, e-mail, and Internet use.

Companies should define and limit the number of authorized requesters who can start an investigation.

New Technology File System (NTFS) is more versatile because it uses the Master File Table (MFT) to track file information. Approximately the first 512 bytes of data for small files (called resident files) are stored in the MFT. Data for larger files (called nonresident files) is stored outside the MFT and linked by using cluster addresses.

Records in the MFT contain attribute IDs that store metadata about files.

CDs and DVDs are optical media used to store large amounts of data. They adhere to standards defined by ISO 9660 and ISO 13346, respectively. A unit of storage is called a frame, which contains 24 17-bit symbols.

SCSI connectors are used for a variety of peripheral devices. They pose unique challenges to a forensics investigation, such as finding the correct device drivers and interfaces.

In HFS, a file consists of two parts: a data fork and a resource fork. The resource fork contains a resource map and resource header information for each file, window locations, and icons. The data fork contains data the user creates.

A volume is any storage medium used to store files. Volumes have allocation blocks and logical blocks. A logical block is a collection of data that can't exceed 512 bytes. An allocation block is a group of consecutive logical blocks. When you save a file, File Manager assigns the file to an allocation block.

Always take pictures or use a video camera to document the scene. Prevent professional curiosity from contaminating evidence by limiting who enters the scene.

As you collect digital evidence, guard against physically destroying or contaminating it. Take precautions to prevent static electricity discharge to electronic devices. If possible, bag or box digital evidence and any hardware you collect from the scene. As you collect hardware, sketch the equipment, including exact markings of where components are located. Tag and number each cable, port, and other connection and record its number and description in a log.

In NTFS, data streams can obscure information that might be of evidentiary value to an investigation.

File slack, random access memory (RAM) slack (in older Windows OSs), and drive slack are areas in which valuable information, such as downloaded files, swap files, passwords, and logon IDs, can reside on a drive.

Selecting a medium for storing digital evidence usually depends on how long you need to keep the evidence. The ideal storage media are CD-Rs or DVDs. You can also use magnetic tape, such as 4-mm DAT and DLT magnetic tapes.

Forensic hash values are used to verify that data or storage media have not been altered. The two most common hashing algorithms for forensics purposes are currently MD5 and SHA-1, although both are being replaced slowly as more research is done. A forensic hash can't be predicted, no two files can have the same hash value, and if the file changes, the hash value must change.

To boot a Macintosh with a Macintosh-bootable CD, press and hold the C key when powering on the computer. To boot to a Macintosh-configured FireWire drive, press and hold the T key when powering on the computer.

If a write-blocker isn't available, in Mac OS X 10.3 and later, you can disable write capability with Disk Arbitration. This feature prevents a drive from being mounted when it's connected to a computer.

HFS files are assigned allocation blocks, which are made up of one or more logical blocks of 512 bytes each. In allocation blocks, a file has a logical EOF that's the actual end of the file, and the end of the allocated blocks is the physical EOF.

In older Macintosh OSs, the first two logical blocks on each volume (or disk) are the boot blocks, which contain information about system startup. The boot blocks also contain information about system configuration and can store optional executable code for the system file. Typically, system startup instructions are stored in the HFS system file rather than the boot blocks.

To be an effective computer forensics investigator, you need to maintain a library of older OSs and applications.

NTFS uses 16-bit Unicode for character code representation instead of the 8-bit configuration that ASCII uses.

Companies should publish policies stating that they reserve the right to inspect computing assets at will; otherwise, employees' expectation of privacy prevents an employer from legally conducting an intrusive investigation or covert surveillance. A well-defined corporate policy states that an employer has the right to examine, inspect, or access any company-owned computing asset.

Proper procedure needs to be followed even in private-sector investigations because civil cases can easily become criminal cases. If an internal corporate case is turned over to law enforcement because of criminal activity, the corporate investigator must avoid becoming an agent of law enforcement.

Ext3fs is a journaling version of Ext2fs that reduces file recovery time after a crash.

The Linux file structure is made up of metadata and data. Metadata includes items such as the user ID (UID), group ID (GID), size, and permissions for each file. An inode contains the modification/access/creation (MAC) times, not a filename. An inode is assigned a number that's linked with the filename in the directory file. Pairing the inode number with the filename is how Linux keeps track of files and data. The data portion of the Linux file structure contains the file's contents.

You should access a suspect computer's BIOS to configure the computer to boot to a floppy disk or CD first.

The Master Boot Record (MBR) stores information about partitions on a disk.

User information in Windows is stored in User.dat for Windows 9x/Me and Ntuser.dat for Windows 2000 and later. Every user with an account on a Windows computer has his or her own User.dat or Ntuser.dat file.

Virtualization software enables you to run other OSs on a host computer. Virtual machines are beneficial if, for example, you need to run a previous OS to test old software that won't run on newer OSs.

...

When booting a suspect's computer, using boot media, such as forensic boot floppies or CDs, is important to ensure that disk evidence isn't altered.

When preparing for a case, describe the nature of the case, identify the type of OS, determine whether you can seize the computer, and obtain a description of the location.

When dealing with a hazardous materials (HAZMAT) situation, you might need to obtain HAZMAT certification or have someone else with that certification collect the evidence.

IDE/EIDE drives are other physical drives you might run across in investigations. You need to keep older drives in your lab in case you need to restore items from IDE/EIDE drives.

...

Digital evidence is anything stored or transmitted on electronic or optical media. It's extremely fragile and easily altered.

In the private sector, an incident scene is often a place of work, such as a contained office or manufacturing area. Because everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority, investigating and controlling the scene are easier than at a crime scene.

Computer forensics applies forensics procedures to digital evidence. This process involves systematically accumulating and analyzing digital information for use as evidence in civil, criminal, or administrative cases. Computer forensics differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective.

Laws relating to digital evidence were established in the 1970s.

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. To supplement your knowledge, develop and maintain contact with computer, network, and investigative professionals.

Public and private computer investigations differ, in that public investigations typically require a search warrant before seizing digital evidence. The Fourth Amendment to the U.S. Constitution and similar legislation in other countries apply to governmental search and seizure. During public investigations, you search for evidence to support criminal allegations. During private investigations, you search for evidence to support allegations of abuse of assets and, in some cases, criminal complaints.

After you determine that an incident scene has digital evidence, identify the digital information or artifacts that can be used as evidence. Next, catalog or document the evidence you find. Your goal is to preserve evidence integrity, which means you must not modify the evidence as you collect and catalog it. An incident scene should be photographed and sketched, and then each item labeled and put in an evidence bag. Collect, preserve, document, analyze, identify, and organize the evidence. Then rebuild evidence or repeat a situation to verify that you get the same results every time.

The Macintosh OS uses the Hierarchical File System (HFS), in which files are stored in directories that can be nested in other directories. The File Manager utility handles reading, writing, and storing data to physical media, collects data to maintain the HFS, and is used to manipulate files, directories, and other items. The Finder utility works with the OS to keep track of files and maintain users' desktops.

NTFS can compress files, folders, or an entire volume. FAT16 can compress only entire volumes.

The Registry in Windows keeps a record of attached hardware, user preferences, network connections, and installed software. It also contains information such as passwords in two binary files: System.dat and User.dat.

Criminal cases require a properly executed and well-defined search warrant. A specific crime and location must be spelled out in the warrant. For all criminal investigations in the United States, the Fourth Amendment specifies that a law enforcement officer can search for and seize criminal evidence only with probable cause, which is facts or circumstances that lead a reasonable person to believe a crime has been committed or is about to be committed.

The plain view doctrine applies when investigators find evidentiary items that aren't specified in a warrant or under probable cause.

The Linux Second Extended File System (Ext2fs) uses inodes. Each file's inode contains information about the file, including its location in the volume, which is called the inode number.

The superblock on a Linux system keeps track of the geometry and available space on a disk, along with the list of inodes.

Microsoft used FAT12 and FAT16 on older operating systems, such as MS-DOS, Windows 3.x, and Windows 9x. The maximum partition size is 2 GB. Newer systems use FAT32. FAT12 is now used mainly on floppy disks and small USB drives.

To find a hard disk's capacity, use the cylinders, heads, and sectors (CHS) calculation. To find a disk's byte capacity, multiply the number of heads, cylinders, and sectors.

The Mac OS X Disk Images utility can be used to mount raw image files so that they can be examined with forensics tools. The raw image file must have a .dmg extension, and any additional segments must have a triple-digit sequential number followed by the .dmgpart extension.

UNIX/Linux file systems have four components: boot block, superblock, inode block, and data block. Block sizes can be 512 bytes and up. Typical block sizes are 1024 to 4096 bytes.

Sectors are grouped into clusters and clusters are chained because the OS can track only a given number of allocation units (65,536 in FAT16 and 4,294,967,296 in FAT32).

When files are deleted in a FAT file system, the Greek letter sigma (0x05) is inserted in the first character of the filename in the directory.

NTFS can encrypt data with Encrypting File System (EFS) and BitLocker. Decrypting data with these methods requires using recovery certificates. BitLocker is Microsoft's whole disk encryption utility that can be decrypted by using a one-time passphrase.

With a hexadecimal editor, you can determine information such as file type and OS configurations.

To analyze computer forensics data, learn to use more than one vendor tool. Different vendors offer varying methods for recovering data from magnetic media. AccessData FTK is a Windows GUI tool for recovering data from FAT, NTFS, and Ext2 file systems and has a unique method of cataloging and indexing data that speeds up the examination process.

You must handle all evidence the same way every time you handle it. Apply the same security and accountability controls for evidence in a civil lawsuit as for evidence from a crime scene to comply with state or federal rules of evidence.
