ITSY2443 Midterm


Uniform Crime Reports

Crime statistics compiled at the federal, state, and local levels. A lab manager can use them to estimate the kinds of cases the lab will see and therefore what equipment and expertise it will need.

Preparing to Acquire Digital Evidence

Before collecting digital evidence from a crime scene, ask your supervisor or senior forensics examiner:
• Do you need to take the entire computer and all of its peripherals?
• How are you going to protect the computer and media while transporting them to your lab?
• Is the computer powered on when you arrive?
• Is the suspect in the immediate area of the computer?
• Is it possible the suspect damaged or destroyed the computer, peripherals, or media?
• Will you have to separate the suspect from the computer?

Linux includes hashing utilities such as md5sum and sha1sum (GNU coreutils also ships sha256sum and sha512sum)

These utilities can compute hashes of a single file, multiple files, individual or multiple disk partitions, or an entire disk drive (for example, sha256sum /dev/sdb hashes the whole device). Windows has no forensics-specific hashing tool, but certutil -hashfile and PowerShell's Get-FileHash are built in, and third-party programs such as X-Ways WinHex, ProDiscover, EnCase, and others compute and verify hashes as part of imaging.

only one person should collect and catalog digital evidence at a crime scene or lab

Collecting computers and processing a criminal or incident scene must be done systematically. To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person should collect and catalog digital evidence at a crime scene or lab, if practical. If there's too much evidence or too many systems to make it practical for one person to perform these tasks, all examiners must follow the same established operating procedures, and a lead or managing examiner should control collecting and cataloging evidence. You should also use standardized forms for tracking evidence to ensure that you consistently handle evidence in a safe, secure manner.

warning banner

Displaying Warning Banners - Another way a private or public organization can avoid litigation is to display a warning banner on computer screens. A warning banner usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will

Hardware

Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers. A single-purpose component could be a write-blocker. Digital Intelligence's F.R.E.D. (Forensic Recovery of Evidence Device) systems are an example of a complete system, and portable units such as mobile forensics workstations are also used.

Boot Sequence

Because you must never boot from the suspect's drive (the OS would write to it and alter evidence) and instead boot from a forensic live bootable such as a CD or USB stick, you must know how to get into a system's BIOS/UEFI setup to change the boot order. To do this, you watch the subject computer's startup messages to find the key that opens the CMOS setup screen.

the witness must have firsthand knowledge only of facts relevant to the case.

If you have to testify about your role in acquiring, preserving, and analyzing evidence, you don't have to know the inner workings of the tools you use, but you should understand their purpose and operation.

Whole Disk Encryption

Microsoft released whole disk encryption to help counter theft of trade secrets and identity theft. Windows Vista and later OSes use the Microsoft BitLocker utility to encrypt and protect drive data. The operating system volume must be NTFS, the volume key is usually sealed in the TPM, and a small unencrypted boot partition holds the code that unlocks the volume; BitLocker To Go (Windows 7 and later) extends this to removable drives, including FAT-formatted ones.

Proprietary Formats

Most commercial computer forensics tools have their own formats for collecting digital evidence. Proprietary formats typically offer several features that complement the vendor's analysis tool, such as the option to compress or not compress image files (to save space), to split an image into smaller segmented files for archiving (to CDs or DVDs), and to integrate metadata into the image file (date, time, examiner name, comments, and the hash of the acquired data). The best-known example is the EnCase/Expert Witness .E01 format, which stores a CRC per data block and an MD5 of the whole image and which most other tools can also read.

Master Boot Record

On Windows and DOS computer systems, the first sector of the boot disk (sector 0, 512 bytes) holds the Master Boot Record (MBR). It is not a file in any file system but a fixed structure: boot code, then at byte offset 446 (0x1BE) a 64-byte partition table of four 16-byte entries giving each primary partition's type, starting sector, and size in sectors, followed by the two-byte signature 0x55AA. Because it lies outside every file system, an examiner reads it from a raw image or with a disk editor, and it is the first thing to check when partitions seem to be missing or the partition sizes don't add up to the disk size. Newer disks use a GUID Partition Table (GPT) instead, which keeps a protective MBR in sector 0 so that MBR-only tools see one partition covering the whole disk.

configuration management

All updates done to forensic workstations (OS patches, tool upgrades, hardware changes) should be recorded by using a process called configuration management, so that the exact tool versions used on a case can be documented later.

Establishing Company Policies

One way that businesses can reduce the risk of litigation is to publish and maintain policies that employees find easy to read and follow. In addition, these policies make internal investigations go more smoothly.

Third party disk encryption tools

• PGP Whole Disk Encryption
• Voltage SecureFile
• Jetico BestCrypt Volume Encryption
• TrueCrypt (development stopped in 2014; VeraCrypt is its maintained successor and reads TrueCrypt volumes)

Validating Data Acquisitions

Probably the most critical aspect of computer forensics is validating digital evidence. The weakest point of any digital investigation is the integrity of the data you collect, so validation is essential. Validating digital evidence requires a hashing utility, which computes a fixed-size number (usually shown in hexadecimal) that represents the contents of a data set, such as a file or disk drive. This number is referred to as a "digital fingerprint." If two files have the same hash value they are treated as identical, even if they have different filenames, and making any alteration in one of the files (even changing one letter from uppercase to lowercase) produces a completely different hash value. Two caveats: CRC-32 is an error-detecting checksum, not a cryptographic hash, and is trivial to forge; and MD5 and SHA-1 both have practical collision attacks (two different inputs with the same hash), so record a SHA-256 or SHA-512 value alongside the MD5/SHA-1 that older tools produce. For imaging an evidence drive, many tools offer validation techniques ranging from CRC-32, MD5, and SHA-1 to SHA-512.

Understanding Storage Formats for Digital Evidence

The data a computer forensics acquisition tool collects is stored as an image file in one of three kinds of format: raw (a plain bit-stream copy, such as dd produces), a proprietary vendor format, or the open-source Advanced Forensic Format (AFF). Each vendor has unique features, so several different proprietary formats are available. Depending on the proprietary format, many computer forensics analysis tools can read other vendors' formatted acquisitions.

innocent information

Unrelated information is also referred to as

Encrypting File System (EFS)

When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called Encrypting File System (EFS). EFS combines symmetric and public-key cryptography: each file's contents are encrypted with a random symmetric File Encryption Key (FEK), and the FEK is then encrypted with the public key from the user's EFS certificate (issued by a certificate authority such as an enterprise CA, or self-signed when none is available). The matching private key is stored in the user's profile and protected by the user's logon credentials, so normally only the user who encrypted the data can open it; a designated recovery agent holds a second key that can also unwrap the FEK. For an examiner this means EFS files in an image are unreadable without the user's credentials, an exported copy of the private key, or the recovery agent's key.

allegation

an accusation or supposition of fact that a crime has been committed

Hearsay

an out-of-court statement that is offered to prove the truth of the matter asserted in the statement. If the statement is not offered to prove the truth of what it says, then it is not hearsay.

dd command

available on all UNIX and Linux distributions; the name is usually glossed as "data dump" (it actually comes from the DD, "data definition," statement of IBM's JCL). dd copies raw blocks, so it can copy an entire device (all data files, slack space, and free space) into a raw-format image that most forensics tools can read. A typical forensic invocation is dd if=/dev/sdb of=evidence.dd bs=4M conv=noerror,sync, where noerror continues past read errors and sync pads the unreadable blocks so the image stays sector-aligned; the forensic variants dcfldd and dc3dd add on-the-fly hashing and error logging. Always hash both the source device and the resulting image afterwards. Most forensics tools can read dd/raw images, and many include a dd-style acquisition mode.

Digital evidence

can be any information stored or transmitted in digital form. Because you can't see or touch digital data directly, it's difficult to explain and describe. Is digital evidence real or virtual? Does data on a disk or other storage medium physically exist, or does it merely represent real information? U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that's related to a criminal or civil incident. Following are the general tasks investigators perform when working with digital evidence:
• Identify digital information or artifacts that can be used as evidence.
• Collect, preserve, and document evidence.
• Analyze, identify, and organize evidence.
• Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

logical acquisition

captures only specific files of interest to the case or specific types of files. An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files. Another example is collecting only specific records from a large RAID server. If you have to recover data from a RAID server with several terabytes (TB) of data storage, the logical method might be the only way you can acquire the evidence. In electronic discovery for the purpose of litigation, a logical acquisition is becoming the preferred method, especially with large data storage systems. Because a logical acquisition skips unallocated space, it cannot recover deleted files; document that limitation in the case notes.

whole disk encryption

(BitLocker) is available in Windows Vista Ultimate and Enterprise Editions, which makes performing static acquisitions more difficult. As part of your contingency planning, you must be prepared to deal with encrypted drives. A static acquisition of most whole-disk-encrypted drives currently involves decrypting the drive, which requires the user's cooperation in providing the decryption key or recovery password. Most whole disk encryption tools at least have a manual process for decrypting data, which converts the encrypted disk to an unencrypted disk; this can take several hours, depending on the disk size. If the system is found running and unlocked, imaging it live and capturing RAM is often the better option, because the volume key is held in memory while the drive is mounted and is lost the moment the machine is powered off. One good thing about encryption use is that data isn't altered in slack space. The biggest concern with whole disk encryption is getting the decryption key. In criminal investigations, this might be impossible because if a disk contains evidence supporting the crime, a suspect has a strong motivation not to supply the decryption key.

static acquisition

acquiring and examining data that does not change: the source drive is taken from a powered-off system (or connected through a write blocker), imaged, and the investigation is performed on the copy, so repeated acquisitions of the same drive yield the same hash.

chain of custody

refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. *This is very important* - an investigator must take very detailed notes so that they can be used in court.

Processing Law Enforcement Crime Scenes

Preparing for search and seizure of computers or digital devices is probably the most important step in digital investigations. The better you prepare, the smoother the investigation will be. The following is a list of tasks you should perform before you search for evidence:
• Identify the nature of the case
• Identify the type of OS or digital device
• Determine whether you can seize computers and digital devices
• Get a detailed description of the location
• Determine who is in charge
• Use additional technical expertise
• Determine the tools you need

case law

related to the admissibility of evidence recovered from computers.

with live acquisitions

the data is dynamic and different acquisitions will yield different data, because the running OS keeps changing memory and disk contents and the acquisition tool itself alters the system it runs on. A live acquisition therefore cannot be repeated or hash-verified against the source the way a static one can; document exactly what you ran and when.

evidence admitted in a criminal case might also be used in a civil suit, and vice versa.

. For example, suppose someone is charged with murder and acquitted at the criminal trial because the jury isn't convinced beyond a reasonable doubt of the person's guilt. If enough evidence shows that the accused's negligence contributed to a wrongful death, however, the victim's relatives can use the evidence in a civil lawsuit to recover damages.

Courts have consistently ruled that computer forensics investigators don't have to be subject matter experts on the tools they use

. In United States v. Salgado (250 F.3d 438, 453, 6th Cir., 2001), the court stated, "It is not necessary that the computer programmer testify in order to authenticate computer-generated records." In other words

Windows Registry

Starting with Windows 95, Microsoft moved most configuration data out of text initialization (.ini) files into the Registry, a database that stores hardware and software configuration information, network connections, user preferences, and setup information, and (in the SAM and SECURITY hives) account names and password hashes. The Registry has been updated and is still used today; on disk it lives in the hive files under %SystemRoot%\System32\config and in each user's NTUSER.DAT, which is where an examiner reads it from an image.

The Fourth Amendment to the U.S. Constitution

(and each state's constitution) protects everyone's right to be secure in their person, residence, and property from unreasonable search and seizure. In practice this is why a warrant, or a recognized exception such as consent, is needed before law enforcement searches a computer.

Advanced Forensic Format

Dr. Simson L. Garfinkel of Basis Technology Corporation developed an open-source acquisition format called Advanced Forensic Format (AFF). This format has the following design goals:
• Creating compressed or uncompressed image files
• No size restriction for disk-to-image files
• Providing space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple computing platforms and OSs
• Offering internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for AFF metadata. Because AFF is open source, computer forensics vendors have no implementation restrictions on this format. The textbook expected AFF to become the standard forensically sound acquisition format; in practice the original AFF has been superseded by its successor AFF4, and EnCase's E01 and raw dd images remain the formats most tools exchange.

covert surveillance

A common activity in the corporate environment is covert surveillance of employees who are abusing their computing and network privileges. The use of covert surveillance must be well defined in company policy before it can be carried out. For it to work, the company can set up real-time surveillance (sniffing data transmissions between a suspect's computer and a network server) using a product such as Websense.

Understanding Rules of Evidence

Consistent practices help verify your work and enhance your credibility, so you must handle all evidence consistently. Apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime to comply with your state's rules of evidence

inculpatory evidence

Evidence that can establish guilt.

exculpatory evidence

Evidence that tends to show a person's innocence

FAT Disks

File Allocation Table (FAT) is the file structure database that Microsoft originally designed for floppy disks.
• FAT12 - MS-DOS 1.0; floppies and volumes up to 16 MB.
• FAT16 - MS-DOS 3.0-6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0; volumes up to 2 GB.
• FAT32 - Windows 95 (second release), 98, Me, 2000, XP, and Vista; volumes up to 2 TB.
• exFAT - Developed for mobile personal storage devices such as flash memory, Secure Digital eXtended Capacity (SDXC) cards, and memory sticks; exFAT can store very large single files, such as digital images, video, and audio.
• FATX - Xbox format.

affidavit

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit an affidavit. This sworn statement of support of facts about or evidence of a crime is submitted to a judge with the request for a search warrant before seizing evidence.

Raw Format

In the past, there was only one practical way of copying data for the purpose of evidence preservation and examination. Examiners performed a bit-by-bit copy from one disk to another disk the same size or larger. As a practical way to preserve digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command) made it possible to write bit-stream data to files. This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a raw format. This format has unique advantages and disadvantages to consider when selecting an acquisition format. The advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. In addition, most computer forensics tools can read the raw format, making it a universal acquisition format for most tools. One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Another disadvantage is that some raw format tools, typically freeware versions, might not collect marginal (bad) sectors on the source drive, meaning they have a low threshold of retry reads on weak media spots on a drive. Many commercial tools have a much higher threshold of retry reads to ensure that all data is collected.
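The raw-format acquisition described above, together with the hashing described under "Validating Data Acquisitions" and the dd behaviour described under "dd command", as one added Python example (not from the study set and not the code of dd or any forensic tool): it copies a device sector by sector into numbered segment files, retries weak sectors a configurable number of times before zero-filling them the way dd's conv=noerror,sync does, hashes the stream as it is written, and then verifies the segments against the recorded hash. FlakyDevice is a constructed stand-in for a drive with one marginal sector; 512-byte sectors, the evidence.NNN segment naming, and the demo's data are my assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a block device with one weak sector.

    Reads of `bad_sector` raise IOError for the first `fail_times` attempts
    and then succeed, so a tool with a low retry threshold loses the sector
    while a patient one recovers it (the "marginal sector" problem above)."""

    def __init__(self, data, bad_sector, fail_times):
        self.data, self.bad, self.fail_times, self.attempts = data, bad_sector, fail_times, 0

    @property
    def sectors(self):
        return len(self.data) // SECTOR

    def read_sector(self, lba):
        if lba == self.bad and self.attempts < self.fail_times:
            self.attempts += 1
            raise IOError(f"read error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def acquire_raw(dev, out_dir, segment_bytes, retries, algos=("md5", "sha256")):
    """dd-style bit-stream copy of `dev` into numbered raw segment files.

    A sector still unreadable after `retries` extra attempts is zero-filled
    (dd's conv=noerror,sync behaviour) and recorded in bad_sectors so the
    examiner can document it. Hashes are updated from the same bytes that
    are written, so they describe exactly what landed in the image."""
    hashes = {a: hashlib.new(a) for a in algos}
    segments, bad, seg, seg_no, in_seg = [], [], None, 0, 0
    for lba in range(dev.sectors):
        chunk = None
        for _ in range(retries + 1):
            try:
                chunk = dev.read_sector(lba)
                break
            except IOError:
                continue
        if chunk is None:
            chunk = bytes(SECTOR)
            bad.append(lba)
        if seg is None or in_seg >= segment_bytes:      # start a new segment file
            if seg is not None:
                seg.close()
            seg_no += 1
            path = os.path.join(out_dir, f"evidence.{seg_no:03d}")
            seg, in_seg = open(path, "wb"), 0
            segments.append(path)
        seg.write(chunk)
        in_seg += len(chunk)
        for h in hashes.values():
            h.update(chunk)
    if seg is not None:
        seg.close()
    return {"segments": segments, "bad_sectors": bad,
            "hashes": {a: h.hexdigest() for a, h in hashes.items()}}


def hash_segments(paths, algo):
    """Hash the concatenated segments in 64 KiB blocks, as md5sum/sha256sum would."""
    h = hashlib.new(algo)
    for p in paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(1 << 16), b""):
                h.update(block)
    return h.hexdigest()


def verify(result, algo="sha256"):
    """True if the segments on disk still hash to the value recorded at acquisition."""
    return hash_segments(result["segments"], algo) == result["hashes"][algo]


def flip_one_bit(path):
    """Simulate tampering: toggle the case bit of the first byte of a segment."""
    with open(path, "r+b") as f:
        b = f.read(1)
        f.seek(0)
        f.write(bytes([b[0] ^ 0x20]))


def demo(retries):
    """Acquire a constructed 4-sector device whose LBA 2 fails its first three reads."""
    source = bytes(range(256)) * 8                      # 2048 bytes = 4 sectors
    dev = FlakyDevice(source, bad_sector=2, fail_times=3)
    result = acquire_raw(dev, tempfile.mkdtemp(), segment_bytes=1024, retries=retries)
    result["image_verifies"] = verify(result)
    result["matches_source"] = result["hashes"]["sha256"] == hashlib.sha256(source).hexdigest()
    return result


if __name__ == "__main__":
    for r in (1, 3):
        res = demo(r)
        print(f"retries={r}: bad={res['bad_sectors']} segments={len(res['segments'])} "
              f"matches_source={res['matches_source']}")
```

The two demo runs show the point the passage makes about retry thresholds: with one retry the weak sector is zero-filled, the image still verifies against its own hash (the copy is internally consistent), but it no longer matches the source drive's hash; with three retries the sector is recovered and the hashes agree. That is why the source hash and the image hash are both recorded, and why any bad-sector list belongs in the acquisition notes.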

Acquiring Data with a Linux Boot CD

General-purpose Linux Live CDs such as Ubuntu, Arch Linux, and Fedora are distributed as ISO images that can be burned to a CD or DVD (or written to a USB stick), but they auto-mount drives they detect, which can write to the evidence disk (for example by replaying a file-system journal). Use a distribution built for forensics, which mounts nothing automatically and mounts evidence read-only when asked: Penguin Sleuth, F.I.R.E., CAINE, DEFT, Kali Linux (its "forensic mode" boot option), Knoppix, and the SANS Investigative Forensic Toolkit (SIFT).

Disk Partitions

Many hard disks are partitioned, or divided, into two or more sections. A partition is a logical drive. For example, a 1TB hard disk might contain four partitions or logical drives. Someone who wants to hide data on a hard disk can create hidden partitions or voids, large unused gaps between partitions on a disk drive. For example, partitions containing unused space (voids) can be created between the primary partition and the first logical partition. This unused space between partitions is called the partition gap. If data is hidden in a partition gap, a disk editor utility could also be used to alter information in the disk's partition table. Doing so removes all references to the hidden partition, concealing it from the computer's OS, but the partition's boot sector and contents remain on the disk. With disk-editing tools, however, you can access these hidden or empty areas of the disk. One way to examine a partition's physical level is to use a disk editor, such as Norton Disk Edit, WinHex, or Hex Workshop. These tools let you view the partition table and boot sectors as well as file headers and other critical parts of a file; in both cases you are reading the hexadecimal structures the OS uses to identify and maintain the file system. A quick check for a hidden partition is to compare the sector ranges claimed by the partition table with the size of the disk: any sizable unallocated range is worth scanning for a file-system boot sector.
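The check described under "Master Boot Record" and "Disk Partitions" above, as an added Python example (not part of the original study set or of any tool it names): it parses the MBR partition table, lists sector ranges the table doesn't account for, and scans those ranges for NTFS/FAT boot sectors, which is how a partition whose table entry was wiped with a disk editor is found. The disk image, its two partitions, and the bad-guy "hiding" step are all constructed in code; 512-byte sectors and a 64-sector minimum gap are assumptions.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE              # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of every MBR and boot sector


def parse_mbr(mbr):
    """Parse the four 16-byte primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        raw = mbr[PT_OFFSET + slot * ENTRY_SIZE: PT_OFFSET + (slot + 1) * ENTRY_SIZE]
        # boot flag, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # then LBA of the first sector and sector count as little-endian uint32
        boot, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 and count == 0:
            continue                            # unused slot
        entries.append({"slot": slot, "bootable": boot == 0x80,
                        "type": ptype, "start": start, "sectors": count})
    return entries


def find_gaps(entries, disk_sectors, min_gap=64):
    """Sector ranges (first, last) that no partition entry claims.

    Real disks have a small alignment gap after the MBR; min_gap filters
    that noise so only ranges big enough to hide something are reported."""
    gaps, cursor = [], 1                        # sector 0 is the MBR itself
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] - cursor >= min_gap:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["start"] + e["sectors"])
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def scan_for_boot_sectors(image, gap):
    """Look inside a gap for file-system boot sectors: a partition whose table
    entry was wiped with a disk editor still has its boot sector in place."""
    hits = []
    for lba in range(gap[0], gap[1] + 1):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != BOOT_SIGNATURE:
            continue
        if s[3:11] == b"NTFS    ":             # NTFS OEM ID at offset 3
            hits.append((lba, "NTFS"))
        elif s[82:90] == b"FAT32   ":          # FAT32 type string at offset 82
            hits.append((lba, "FAT32"))
        elif s[54:58] == b"FAT1":              # "FAT12   " / "FAT16   " at offset 54
            hits.append((lba, s[54:59].decode("ascii")))
    return hits


def _entry(bootable, ptype, start, count):
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                       b"\0\0\0", ptype, b"\0\0\0", start, count)


DISK_SECTORS = 8192                             # constructed 4 MiB disk image


def build_sample_image(hide_second=False):
    """Constructed image: an NTFS partition at LBA 64 and a second one at LBA 4096.
    With hide_second=True the second table entry is zeroed, the way someone hiding
    a partition would do it, but its boot sector stays on disk."""
    image = bytearray(DISK_SECTORS * SECTOR)
    p1 = _entry(True, 0x07, 64, 4000)
    p2 = bytes(ENTRY_SIZE) if hide_second else _entry(False, 0x07, 4096, 3000)
    image[PT_OFFSET:PT_OFFSET + 64] = p1 + p2 + bytes(32)
    image[510:512] = BOOT_SIGNATURE
    ntfs = bytearray(SECTOR)                   # minimal NTFS boot sector
    ntfs[0:3], ntfs[3:11], ntfs[510:512] = b"\xeb\x52\x90", b"NTFS    ", BOOT_SIGNATURE
    image[4096 * SECTOR:4097 * SECTOR] = ntfs
    return bytes(image)


def analyze(image):
    """Return (partition entries, unallocated gaps, boot sectors found in gaps)."""
    entries = parse_mbr(image[:SECTOR])
    gaps = find_gaps(entries, DISK_SECTORS)
    hidden = [hit for g in gaps for hit in scan_for_boot_sectors(image, g)]
    return entries, gaps, hidden


if __name__ == "__main__":
    for hidden in (False, True):
        print(f"hide_second={hidden}:", analyze(build_sample_image(hidden))[1:])
```

With the table intact the only gap is the unused tail of the disk; once the second entry is zeroed the gap starts right after the first partition and the scan finds the NTFS boot sector at LBA 4096. On a real image replace build_sample_image with the first 512 bytes of the dd file and the device's sector count.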

NTFS

New Technology File System (NTFS) was introduced when Microsoft created Windows NT and is the primary file system for many OSes such as XP, Vista, and Win7. NTFS offers significant improvements over FAT file systems. It provides more information about a file, including security features, file ownership, and other file attributes. With NTFS, you also have more control over files and folders (directories) than with FAT file systems

Using Acquisition Tools

Physical access for the purpose of reading data can be done on a connected media device, such as a disk drive, a USB drive, or other storage device. In Windows OSes and newer Linux kernels, when you connect a drive via USB, FireWire, external SATA, or even PATA or SATA controllers, the OS automatically mounts and accesses the drive, and mounting alone can write to it (journal replay, access timestamps, System Volume Information folders). Because you can easily contaminate your evidence drive, you must protect it with a well-tested write-blocking hardware device. Take a look at Figure 1 - this shows a hard drive with a USB IDE/SATA external connector. You can then plug this drive into another device (via USB) to make a copy. If no hardware blocker is available, Windows (since XP SP2) has a software USB write-protection switch: set the DWORD value WriteProtect to 1 under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies (create the key if it doesn't exist) and reconnect the drive. This affects only USB mass-storage devices, not FireWire, eSATA, or internal controllers, and it depends on the OS honoring the setting, so treat it as a fallback, and verify the source drive's hash before and after imaging either way.

Probable cause

refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and the seizure of specific evidence related to the criminal complaint.

Collecting Evidence in Private-Sector Incident Scenes

Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which might get funding from the government or other agencies. In the US, NGOs and similar agencies must comply with public disclosure and federal Freedom of Information Act (FOIA) laws, which make certain of their records available to the public.

Remote Network Acquisition Tools

Recent improvements in computer forensics tools include the capability to acquire disk data or data fragments (sparse or logical) remotely. From an investigation perspective, being able to connect to a suspect's computer remotely to perform an acquisition has tremendous appeal. It saves time because you don't have to go to a suspect's computer, and it minimizes the chances of a suspect discovering that an investigation is taking place. Most remote acquisitions have to be done as live acquisitions, not static acquisitions. There are some drawbacks to consider, however. For example, if you have access to the same LAN as the suspect's computer, data transfer speeds and routing table conflicts could cause problems. On a WAN, you have the problem of gaining the permissions needed to access more secure subnets. In addition, heavy traffic on the network could cause delays and errors during the acquisition, no matter what tool you're using. Another problem is the remote access program being detected by antivirus, antispyware, and firewall tools. Most of these security programs can be configured to ignore remote access programs. However, if suspects have administrator rights on their computers, they could easily install their own security tools that trigger an alarm to notify them of remote access intrusions.

Validation and Verification

Validation and verification functions work hand in hand. Validation is a way to confirm that a tool is functioning as intended, and verification proves that two sets of data are identical by calculating hash values or using another similar method. Another related process is filtering, which involves sorting and searching through investigation findings to separate good data and suspicious data.

Understanding RAID

Redundant array of independent disks (RAID) is a computer configuration involving two or more disks. Originally, RAID was developed as a data-redundancy measure to minimize data loss caused by a disk failure. As technology improved, RAID also provided increased storage capabilities. Parity in RAID is an error-detecting and error-correcting code: a parity block is the XOR of the data blocks it protects, so any one missing block can be recomputed from the rest (see http://en.wikipedia.org/wiki/Parity_bit). Common levels:
• RAID 0 - provides rapid access and increased data storage. Two or more disk drives become one large volume, so the computer views the disks as a single disk; data is "striped" across the drives, which improves speed, but there is no redundancy, so if one drive fails the entire array (and every file spanning it) is lost.
• RAID 1 - two disks per volume (mirroring), designed for data recovery in the event of a disk failure. The contents of the two disks are identical: when data is written to the volume, the OS writes it to both disks at the same time, and if one drive fails the OS keeps running from the other. The disadvantage is that it takes two disks for each volume, doubling the cost of storage.
• RAID 5 - three or more disks with data and parity striped across all of them, the parity block rotating to a different disk on each stripe. If one disk fails, the missing blocks are reconstructed by XORing the surviving disks' blocks, so the array keeps serving data and rebuilds onto the replacement drive; a second failure before the rebuild finishes loses the array.
For an examiner this matters because the evidence is the logical volume, not any single disk: you must know the RAID level, disk order, stripe size, and parity rotation to reassemble it from the individual disk images.
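The RAID 5 parity mechanism described above, as an added Python example (not from the study set or from any RAID implementation): it stripes sample data across an array with rotating parity, reads the logical volume back, and rebuilds a lost drive from the survivors by XOR. The 4-byte chunk size, the left-rotating parity placement, and the sample data are my assumptions; real controllers use larger chunks and vendor-specific rotation orders, which is exactly the information an examiner has to establish before reassembling disk images.

```python
def xor_bytes(*blocks):
    """Byte-wise XOR of equal-length blocks; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def stripe_raid5(data, disks, chunk=4):
    """Lay `data` out as RAID 5 across `disks` drives.

    Each stripe holds disks-1 data chunks plus one parity chunk (the XOR of
    the data chunks); the parity chunk moves one drive to the left on every
    stripe so no single drive becomes a parity bottleneck (assumed layout)."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    ndata = disks - 1
    stripe_bytes = chunk * ndata
    data = data + bytes((-len(data)) % stripe_bytes)      # pad the last stripe
    drives = [bytearray() for _ in range(disks)]
    for s in range(len(data) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(ndata)]
        parity = xor_bytes(*chunks)
        pdisk = (disks - 1 - s) % disks                   # rotating parity position
        it = iter(chunks)
        for d in range(disks):
            drives[d] += parity if d == pdisk else next(it)
    return [bytes(d) for d in drives]


def read_raid5(drives, chunk=4, length=None):
    """Reassemble the logical volume from an intact array (parity chunks skipped)."""
    disks = len(drives)
    out = bytearray()
    for s in range(len(drives[0]) // chunk):
        pdisk = (disks - 1 - s) % disks
        for d in range(disks):
            if d != pdisk:
                out += drives[d][s * chunk:(s + 1) * chunk]
    return bytes(out if length is None else out[:length])


def parity_consistent(drives):
    """In a healthy array every byte position across all drives XORs to zero."""
    return xor_bytes(*drives) == bytes(len(drives[0]))


def rebuild_disk(drives, failed):
    """Reconstruct the failed drive (given as None) from the survivors.

    Because data XOR parity == 0 for every stripe, the missing drive equals the
    XOR of the others, whether the lost chunk held data or parity. With two
    drives missing there is one equation and two unknowns: RAID 5 cannot recover."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("more than one drive missing; RAID 5 parity cannot rebuild")
    return xor_bytes(*survivors)


SAMPLE = b"The quick brown fox jumps over the lazy dog"   # constructed sample data


def rebuild_after_one_failure(lost=1):
    """Stripe the sample, lose one drive, rebuild it, and confirm the volume reads back."""
    drives = stripe_raid5(SAMPLE, 4)
    damaged = list(drives)
    damaged[lost] = None
    damaged[lost] = rebuild_disk(damaged, lost)
    return damaged == drives and read_raid5(damaged, length=len(SAMPLE)) == SAMPLE


if __name__ == "__main__":
    for lost in range(4):
        print(f"drive {lost} lost and rebuilt:", rebuild_after_one_failure(lost))
```

Note that parity_consistent is also a useful sanity check when you have imaged each disk of a suspect array separately: if the images are in the wrong order or one is from a different array, the XOR across them will not be zero.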

Federal Rules of Evidence.

Under Federal Rule of Evidence 1001(e), a duplicate is a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process that accurately reproduces the original, and Rule 1003 makes a duplicate admissible to the same extent as the original unless a genuine question is raised about the original's authenticity or it would be unfair to admit the duplicate. As long as bit-stream copies of data are created, hashed, and maintained properly, the copies can be admitted in court, although the original drive remains the best evidence.

"acceptable use policy."

The most important policies are those defining the rules for using the company's computers and networks; this type of policy is commonly known as an

Software

These are the tools we have used in class thus far. We installed them on different operating systems or used them as live CDs (booting with them). Helix, ProDiscover, EnCase, and FTK are some of the big names.

"At least two tools rule"

When it comes to data acquisition, also remember to use more than one tool: for example, one tool to make the image and a second, independent tool to compute and compare the MD5 (or SHA-256) hash. If both tools agree, a defect in either one would have to be shared by both to go unnoticed, which goes a long way toward getting results that hold up not only in the lab but also in court.

Homeland Security Act and the PATRIOT Act of 2001

have redefined how ISPs and large corporations operate and maintain their records. ISPs and other communication companies can be called on to investigate customers' activities that are deemed to create an emergency situation. An emergency situation under the PATRIOT Act is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an email.

Public investigations

involve government agencies responsible for criminal investigations and prosecution. Government agencies range from local, county, and state or provincial police departments to federal regulatory enforcement agencies.

Risk management

involves determining how much risk is acceptable for any process or operation, such as replacing equipment.

bit-stream copy

is a bit-by-bit copy (also known as a sector copy) of the original drive or storage medium and is an exact duplicate. The more exact the copy, the better chance you have of retrieving the evidence you need from the disk. The process is usually referred to as "acquiring an image" or "making an image" of a suspect drive. A bit-stream copy is different from a simple backup copy of a disk. Backup software can only copy or compress files that are stored in a folder or are of a known file type. Backup software can't copy deleted files and e-mails or recover file fragments.

bit-stream image

is the file containing the bit-stream copy of all data on a disk or disk partition. For simplicity, it's usually referred to as an "image" or "image save" or "image file." Some manufacturers also refer to it as a forensic copy.

A digital forensics lab

is where you conduct investigations, store evidence, and do most of your work. You use the lab to house your instruments, current and legacy software, and forensic workstations. In general, you need a variety of digital forensic hardware and software to do your work.

Freedom of Information Act (FOIA)

Federal FOIA and state public disclosure laws make certain documents available as public records. State public disclosure laws define state public records as open and available for inspection. For example, divorces recorded in a public office, such as a courthouse, become matters of public record unless a judge orders the documents sealed. Anyone can request a copy of a public divorce decree.

ReFS

Resilient File System, a newer file system introduced with Windows 8 and Windows Server 2012. It is designed to improve data availability: metadata (and, optionally, file data) is checksummed and continually verified, and on mirrored Storage Spaces a corrupt copy is repaired from the good copy automatically. It also supports volumes and single files far larger than FAT or NTFS allow, well beyond any storage array deployed today. Note that ReFS drops some NTFS features examiners rely on, such as file compression, EFS, and 8.3 short filenames.

initial-response field kit

should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. It typically contains:
• Computer forensics kit
• Laptop computer
• Digital camera
• Flashlight

extensive-response field kit

should include all the tools you can afford to take to the field. When you arrive at the scene, you should extract only those items you need to acquire evidence. Doing so protects your equipment and minimizes how many items you have to keep track of at the scene. Figure 3 lists the tools you might need in an extensive-response field kit, including external USB drives.

sparse acquisition

Like a logical acquisition, a sparse acquisition collects specific files of interest, but it also collects fragments of unallocated (deleted) data. Use this method only when you don't need to examine the entire drive.

Acquisition

this is the first task in digital forensics investigations: when you make a copy of the original drive.

bootstrap process

to identify the correct key or keys to use. The bootstrap process is contained in the firmware ROM and tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. The popular BIOS manufacturers Award and AMI use the Delete key to access CMOS; other manufacturers use Ctrl+Alt+Insert, Ctrl+A, Ctrl+S, Ctrl+F1, F2, or F10. You should also know how to access and modify the Extensible Firmware Interface (EFI) and Unified Extensible Firmware Interface (UEFI) settings: on UEFI systems Secure Boot may have to be disabled (or a signed forensic distribution used) before a live CD will boot, and any firmware setting you change should be recorded in your notes and restored afterwards.

limiting phrase to the warrant

which allows the police to separate innocent information from evidence. The warrant must list which items can be seized.

data recovery

which involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash

professional curiosity

which involves the presence of police officers and other professionals who aren't part of the crime scene-processing team. They just have a compelling interest in seeing what happened, but their presence could contaminate the scene directly or indirectly.

circumstantial evidence

which requires finding other clues associated with the suspect's computer or location. The circumstantial evidence might be that the computer has a password consistent with the password the suspect used on other systems, a witness saw the suspect at the computer at the time the offense occurred, or additional trace evidence associates the suspect with the computer at the time of the incident.

Processing an Incident or Crime Scene

• Keep a journal to document your activities (include the date and time you arrive at the scene, the people you encounter, and notes on every important task you perform).
• Secure the scene with whatever is practical (for example, barrier tape) to make sure only authorized people access the area.
• Take video and still photographs of the area around the computer or digital device.
• Before photographing the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which port in case you need to reassemble components in the lab.
• Sketch the incident or crime scene (usually a rough draft with notes on objects' dimensions and distances between fixed objects).
• If the computer is off, leave it off.
• Whether to pull the power or do a "clean" shutdown is debated: pulling the plug stops the OS from writing anything further but loses everything in RAM, and older Windows or MS-DOS systems should not have the power cut because files such as Event Viewer logs can be lost.
• If you're working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions.
• If the nature of the case does not permit seizure of the computer, make an image of the hard drive on site.
• Collect as much personal information as possible about the suspect or victim (look for passwords, passphrases, PINs, and bank account numbers; these could be in plain view or in a drawer or trash can).

Securing a Computer Incident or Crime Scene

• Use barrier tape to prevent bystanders from entering the scene accidentally.
• Ask police officers or security guards to prevent others from entering the scene or taking photos and videos with smartphones or other digital devices.
• Restrict access to the scene to only those people who have a specific reason to be there.

