CYBR 4305 - Chapter 13
nested search,
A search within a search: once all of the data that contains the name "Donna Smith" is located, the examiner can conduct an additional keyword search (e.g., "murder for hire") within that data.
partitions
similar to storage bins in the real world.
hard drive
simply a data storage device for storing and retrieving data
Data reduction and filtering
After recovering the data during the examination phase, the next step is data reduction and filtering, which occurs during the analysis phase. Filtering may involve removing duplicate files, searching for keywords, or grouping data based on file types. A hash value is a number generated by an algorithm to substantiate the integrity of digital evidence; a hash value may also be used to identify unique or duplicate files. A hash value can be created for every file and is a unique number similar to a digital fingerprint. Hash values may also be compared to datasets that contain known hash values for specific files, such as illicit materials (e.g., child pornography), steganography, or proprietary software. The ultimate goal of data reduction and filtering is creating the smallest dataset with the highest potential of containing relevant digital evidence. The final result of the examination/analysis phase is a reconstruction of the digital crime scene, so any disregarded evidence could significantly impact the findings of an investigation.
the two most commonly used digital forensic tools
EnCase and FTK
bridges
Hardware write blockers: the digital evidence is connected to the examiner's computer through the write blocker.
drive slack
If there is any unused space between the start of the next sector and the end of the cluster, the operating system uses this space; it could contain fragments of deleted word-processing documents or old emails.
Data analysis
The analysis phase of the investigation refers to the interpretation and reconstruction of the digital crime scene. This is not an easy task due to the large amounts of data uncovered during a digital forensic investigation. With so much data, one of the most important steps in the analysis phase of the digital forensic investigation is the filtering and reduction of evidence.
Reporting of findings
The final stage in the digital forensic investigation is the report/presentation phase. In the report/presentation stage, the findings determined to be relevant to the investigation are finalized in a report. Only relevant evidence should be included in the final report, rather than hypothetical or theoretical evidence. This report should reflect complete transparency, meaning each step is described in detail so as to leave no mystery in the digital forensics process; the digital forensic technicians should be prepared to testify in court. Along with transparency, the digital forensic examiner should remain objective when drawing conclusions from the digital evidence.
wiping
The process of cleaning a digital storage device to ensure that there are no remnants of data present is known as wiping.
hashing
The process of creating a hash value from a variable amount of data is known as hashing.
de-NISTing
The process of filtering the dataset and removing non-user-created files (e.g., operating system, program files) is sometimes referred to as de-NISTing. The name comes from the fact that the known hash values for these noise files are maintained and published by NIST's NSRL.
slack space
The leftover space between the end of the file and the end of the last storage unit for that file is known as slack space: the leftover area not used between the current allocated file and the end of the last cluster in which the file is stored. It can be a rich source of information because this leftover space does not remain unused. The computer's operating system wants to use all available space in a cluster, so it will either write random bits of data (known as padding) or store whatever bits of old data remain in the unused sectors.
blind
This independent forensic examiner should also be completely blind to the conclusions reached by the initial examiner.
write blocker
To ensure that no changes are made to the original data source, a write blocker is used: a device that allows read-only access to all accessible data on a drive while preventing anything from being written to the original drive, which would alter or modify the original evidence. It sends only read commands to the drive, and not write or modify commands.
EnCase
A digital forensics tool created by Guidance Software in 1997. It is capable of acquiring data from a variety of digital devices, including smart phones, hard drives, and removable media. It can image the drive without altering its contents and then verify that the image is an exact copy of the original drive. It is capable of searching the unallocated space, locating hidden data and deleted files. The first court case specifically addressing the validity of EnCase was State (Ohio) vs. Cook; EnCase has been involved in a number of high-profile cases.
deleted file
a file whose entry has been removed from the computer's file system so that this space is now marked as usable again.
partition table
A reference description for how the operating system has divided the hard drive into partitions. Partition tables contain important information, such as the sizes and locations of the partitions and the file systems operating within each of these partitions on the hard drive. They can reveal to a digital forensics examiner whether or not space on the hard drive is hidden or contains leftover data from prior partitioning.
hash algorithm
A set of calculations that takes any amount of data (input) and creates a fixed-length value, the hash, which acts as a unique reference number for the original data. Hash values are fixed in length and made up of a unique combination of hexadecimal digits. They act as digital fingerprints since they are unique to the original data they reference, and they play an integral part in the verification of digital evidence because they are extremely sensitive to any changes in the original data.
authentic
a true and unaltered copy of the original data source
MD5 (Message Digest Version 5)
A type of hashing algorithm that takes a large amount of data of arbitrary length (input) and calculates a unique "fingerprint" of this data (known as hashing), expressed as a unique combination of digits and letters of a specified length (output). MD5 produces a 128-bit hash value, represented in text as a unique string of 32 digits and letters.
File extensions
An individual attempting to hide a file may try to alter the file extension, the part of the file's name that tells the operating system what program to use when you want to open it.
Forensic Toolkit® (FTK®)
Another commercial software application commonly used in digital forensic investigations, created by Access-Data (founded in 1987). There are more than 130,000 FTK users in law enforcement, government, and industry worldwide, and it is the standard computer forensics tool used by the United States Federal Bureau of Investigation (FBI). FTK is capable of imaging a hard drive, scanning slack space, and identifying steganography; however, it is also capable of cracking passwords and decrypting files. It includes a data visualization tool and Explicit Image Detection (EID). The first court case to establish the validity of Forensic Toolkit was the civil lawsuit Gutman vs. Klein.
One easy way to conceal or hide a file is
to change the file extension so that the operating system will use the wrong program to open the file, resulting in an error. File headers may be identified and compared to the file extensions using basic digital forensic tools.
magic numbers
common file signatures
National Software Reference Library (NSRL)
Datasets designed to exclude "known to be good" hash values; supported by the DHS and NIST.
I/O error log
Input/output errors are often the result of a bad sector on the hard drive. If the imaging tool maintains an error log identifying the bad sectors, it will be possible for the examiner to verify that the original and duplicate copy are in fact the same despite the mismatching hash values. It is important for the imaging tool to document the examination process.
free space
The portion of the hard drive that has yet to be assigned to a partition; any non-partitioned space on the hard drive.
incriminating
Potential evidence exonerating a suspect may be overlooked, or evidence may be labeled as incriminating.
partition recovery
The process of evaluating the partition table and the unused space on the physical drive. Evaluating the partition tables is considered a physical extraction method because all partition tables conform to a standard layout regardless of the operating system. When a hard drive is installed in a computer, it must be partitioned before it can be used.
fragmented
A file that is stored in non-consecutive sectors is considered to be fragmented.
Random Access Memory (RAM)
Called "working memory" because it stores the part of the data which is currently being used by the computer. RAM is considered volatile in nature, meaning the data disappears when the computer is powered off. When randomly selected data from RAM is stored in the file slack, it is known as RAM slack; it is possible for RAM slack to contain important information, such as network login names and passwords.
To ensure reliability, NIST established specific criteria, as recommendations, for imaging tools used in digital investigations:
1. the tool shall make a bit-stream duplicate or an image of an original disk or partition,
2. the tool shall not alter the original disk,
3. the tool shall be able to verify the integrity of a disk image file,
4. the tool shall log I/O errors, and
5. the tool's documentation shall be correct.
collision
In the hashing world, a collision is when two different sets of data (input) result in the same hash value (output). It occurs when hashing a hard drive does not result in a unique "digital fingerprint," but instead the same hash value is produced (e.g., X-copy and Y-copy have the same hash value); the digital forensics examiner is then unable to verify and authenticate the imaged drive. Research suggests that it is theoretically possible for a collision to occur with MD5 and SHA-1.
the two most common hash algorithms are
MD5 and SHA
access key
Most encryption programs require a password (the access key) that unlocks the file so that the same algorithm that encrypted the information is now used to decrypt it: the same algorithm used to encrypt the illegible message (ciphertext) now decrypts it back into the original legible message (plaintext).
Computer Forensic Tool Testing project (CFTT)
NIST, an agency of the United States Department of Commerce, launched the CFTT to evaluate the 150 different digital forensic tools currently being used by law enforcement worldwide. It provides an unbiased, open, and objective means for manufacturers, law enforcement, and the legal community to assess the validity of tools used in computer forensics. Test results must be repeatable and reproducible.
steganography medium
Once the carrier medium has the secret message embedded, it becomes the steganography medium. Only those individuals with the appropriate knowledge and software can reveal the secret message hidden within the carrier.
examination/analysis stage
Once the digital drive is imaged and verified, the digital forensic investigation moves into the examination/analysis stage, which is concerned with the recovery or extraction of digital data.
Active files
existing files that are currently available on a hard drive, meaning they have not been deleted
Data recovery
Also called extraction: the process of salvaging digital information. There are two types of extraction: physical and logical.
Hidden files
files that have been manipulated in such a way as to conceal the contents of the original file
physical extraction
Identifies and recovers data across the entire physical drive regardless of the file systems present on the drive. It pulls all of the digital data from a computer hard drive but does not take into account how the data was stored on the drive. There are three methods of physical extraction: keyword searching, file carving, and extraction of the partition table and unused space on the physical drive.
Password-protected files
Locked files that require a password to gain access, which prevents other people from opening or modifying these files. Circumventing the protection requires specialized cracking dictionaries and software, such as Access-Data's Distributed Network Attack (DNA) and Password Recovery Toolkit, and is time-consuming.
Data preservation
Making a copy of the original data files for examination in a way that minimizes the possibility of any changes being made to the original data files. It is the first step toward uncovering digital evidence and occurs during the collection/acquisition phase of the digital forensic investigation. It refers specifically to the ability to make a duplicate copy of the original digital evidence.
unallocated space
not written to
Secure Hash Algorithm
Originally created by the National Security Agency in 1993. It follows the same basic principles as MD5: an arbitrary amount of information can be uniquely represented by a combination of hexadecimal digits, resulting in a "digital fingerprint." The original SHA algorithm was revised to SHA-1 due to unspecified cryptographic flaws.
forensic confirmation bias
Summarizes the class of effects through which an individual's preexisting beliefs, expectations, motives, and situational context influence the collection, perception, and interpretation of evidence during the course of a criminal case.
header
the first few bytes that mark the beginning of a file
NTFS (New Technology File System)
The later file system for the Windows NT operating systems. It offers better security, since it can restrict access to specific partitions or files on a hard drive, making it more difficult to recover files. NTFS creates a Master File Table (MFT), which contains information about all of the files and folders on a drive. The MFT can provide valuable information to a forensic examiner, including file type, size, and the date/time of creation and modification.
file carving
The "process of searching for a certain file signature and attempting to extract the associated data" without regard for the file systems; extracting pieces of information from a larger dataset without taking into consideration how the files were stored on the computer. It is a great method for recovering files when the file allocation table is corrupt or a file has been deleted, because in both cases there will no longer be an entry in the directory for that file's location. The digital forensics examiner will first identify a particular header of interest (e.g., FF D8 FF E0) and then locate the footer. By extracting the information in the middle, the examiner is essentially carving out a block of data.
keyword search
The digital forensic examiner is able to look for a word or series of words (i.e., a phrase) in the entire physical drive regardless of the file systems.
forensically sound
the digital forensics tool must eliminate the possibility of making any changes to the original data source
Verification
The final step in the preservation process of digital evidence. It establishes the integrity of the digital evidence by proving that the duplicate is authentic, using hash algorithm values: a hash value is created for the original drive and its image. If the hash values match, the investigator has verified that the original and duplicate copies are one and the same. If any changes occur to the original drive during the imaging process, the hash values will be different, indicating that the image is not an exact copy of the original drive.
Imaging
The initial step in the preservation process of digital evidence: the process of making an exact copy (bit-by-bit) of the original drive onto a new digital storage device.
footer
the last few bytes that mark the end of the file
steganography
The practice of hiding information in such a way that others are not aware that a hidden message exists. It is different from encryption because the goal of steganography is secrecy rather than privacy. The primary purpose of steganography is to hide a secret message within a transport medium such as an image or video file; it may be used to conceal a variety of criminal activities.
partitioning
The process of dividing up the hard drive into separate storage spaces, known as partitions, is referred to as partitioning.
logical extraction
the process of identifying and recovering data based on the file systems present on the computer hard drive
Encryption
the process of transforming information (plaintext) so that it is no longer legible (ciphertext) by using a mathematical algorithm
sector
The smallest physical storage unit on a computer disk drive, almost always 512 bytes. Data files are assigned to the different sectors by the file system.
Confirmation bias
the tendency to accept information that confirms our beliefs while rejecting information that contradicts those beliefs
FAT32 (File Allocation Table)
The type of file system used in older versions of Windows operating systems (e.g., Windows 98, Windows ME). It identifies where on the hard drive a particular file is stored, or which clusters have been allocated to that file. FAT32 manages the space on a hard drive more efficiently by using smaller cluster sizes, which reduces slack space.
Unallocated space
The unused portion of the hard drive that the operating system can write to; that part of the hard drive which is not currently storing any files. Unallocated space is not empty per se.
File systems
the way in which data is organized and retrieved on a computer drive, and each piece of data is called a file
Logical extraction
Refers to the process of identifying and recovering data based on the file systems present on the computer hard drive. It takes into consideration the operating system (e.g., Windows XP) and file systems (e.g., NTFS) installed on the drive. Data may be retrieved from a variety of sources, such as active files, deleted files, file slack, and unallocated file space, and digital evidence may be recovered from hidden files, password-protected files, encrypted files, and steganography.
carrier
transport medium
cluster
Two or more consecutive sectors. It is the job of the computer's file system to allocate space. The space allocated to these clusters is fixed in length depending on the operating system, but the files saved to these clusters rarely equal the same size as the allocated space.
file signature
Used to identify the content of a file; in this case it describes common file headers. File signatures may be used to locate and salvage deleted files.
repeatability
Where independent test results are obtained with the same method, on identical test items, in the same laboratory, by the same operator, using the same equipment within short intervals of time; the digital forensics tool replicates the same results when using the exact same methodology.
reproducibility
Where test results are obtained with the same method on identical test items in different laboratories with different operators using different equipment; the digital forensic tool produces the same results even in a different testing environment.