1. Digital Forensics
MD. Tawhidur Rahman Pial
CCNA, CCNA-SEC, CCNP, C|EH, CHFI, CNDA, E|CSA, L|PT, E|NSA, WiMAX+, Telecom+, Network+, Security+, Linux+, GSEC
Consultant of Cyber Crime & Digital Forensic
Certified Cyber Criminal Analyst, ISS, USA
Member Scotland Yard IACIS & High Tech Crime, USA
2. Introduction
• Topics to be covered
– Defining Computer Forensics
– Reasons for gathering evidence
– Who uses Computer Forensics
– Steps of Computer Forensics
– Handling Evidence
– Investigation initiation / response
– Handling Information
– Requirements & Software
– Anti-Forensics
– Evidence processing guidelines
– Methods of hiding Information/data
– Methods of discovering information/data
3. What is Digital Forensics?
• Emerging discipline in computer security
– “voodoo science”
– No standards, little research
• Investigation that takes place after an
incident has happened
• Try to answer questions: Who, what,
when, where, why, and how
4. Definition
• Multiple methods of
• Discovering data on computer system
• Recovering deleted, encrypted, or damaged file
information
• Monitoring live activity
• Detecting violations of corporate policy
– Information collected assists in arrests, prosecution,
termination of employment, and preventing future
illegal activity
5. Definition (cont)
• What Constitutes Digital Evidence?
– Any information, whether or not it has been subject to human
intervention, that can be extracted from a computer.
– Must be in human-readable format or capable of being
interpreted by a person with expertise in the subject.
• Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing investigation post employment
termination
– Recovering evidence post formatting hard
drive
– Performing investigation after multiple
users had taken over the system
6. Reasons For Evidence
• Wide range of computer crimes and misuses
– Non-Business Environment: evidence collected by
Federal, State and local authorities for crimes relating
to:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Possession of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery
• Perjury
7. Reasons For Evidence (cont)
• Computer related crime and violations include a
range of activities including:
– Business Environment:
• Theft of or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Reconstructing Events
• Inferring intentions
• Selling company bandwidth
• Wrongful dismissal claims
• Sexual harassment
• Software Piracy
8. Who Uses Computer Forensics?
• Criminal Prosecutors
– Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
• Civil Litigations
– Personal and business data discovered on a computer
can be used in fraud, divorce, harassment, or
discrimination cases
• Insurance Companies
– Evidence discovered on a computer can be
used to reduce costs (fraud, worker’s
compensation, arson, etc.)
• Private Corporations
– Evidence obtained from employee computers can
be used in harassment, fraud, and
embezzlement cases
9. Who Uses Computer Forensics? (cont)
• Law Enforcement Officials
– Rely on computer forensics to back up search warrants
and post-seizure handling
• Individual/Private Citizens
– Obtain the services of professional computer forensic
specialists to support claims of harassment, abuse, or
wrongful termination from employment
10. FBI Computer Forensic Services
• Content
• Comparison against known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code
11. Steps to Take in a Computer Forensics
Investigation
• Obtain authorization to search and seize.
• Secure the area, which may be a crime scene.
• Document the chain of custody of every item that was seized.
• Bag, tag, and safely transport the equipment and e-evidence.
• Acquire the e-evidence from the equipment by using forensically sound methods and
tools to create a forensic image of the e-evidence.
• Keep the original material in a safe, secured location.
• Design your review strategy of the e-evidence, including lists of keywords and search
terms.
• Examine and analyze forensic images of the e-evidence (never the original!)
according to your strategy.
• Interpret and draw inferences based on facts gathered from the e-evidence. Check
your work.
• Describe your analysis and findings in an easy-to-understand and clearly written
report.
• Give testimony under oath in a deposition or courtroom.
12. Typical investigation phases
1. Acquisition
2. Recovery
3. Analysis
4. Presentation
In a manner that is legally acceptable to a court or under the law.
I-A-P-I-A-R-D:
I : Identifying
A : Acquisition
P : Preservation
I : Interpretation
A : Analysis
R : Reporting
D : Destroy the evidence
13. Phase 1: Acquisition
• Analogous to crime scene in the “real
world”
• Goal is to recover as much evidence as
possible without altering the crime scene
• Investigator should document as much as
possible
• Maintain Chain of Custody
14. Acquisition (2)
• Determine if incident actually happened
• What kind of system is to be investigated?
– Can it be shut down?
– Does it have to keep operating?
• Are there policies governing the handling of the
incident?
• Is a warrant needed?
15. Acquisition (3)
• Get most fleeting information first
– Running processes
– Open sockets
– Memory
– Storage media
• Create 1:1 copies of evidence (imaging)
• If possible, lock up original system in the
evidence locker
16. Phase 2: Recovery
• Goal is to extract data from the acquired
evidence
• Always work on copies, never the original
– Must be able to repeat entire process from
scratch
• Data, deleted data, “hidden” data
17. File systems
• Get files and directories
• Metadata
– User IDs
– Timestamps (MAC times)
– Permissions, …
• Some deleted files may be recovered
• Slack space
18. File deletion
• Most file systems only delete directory
entries but not the data blocks associated
with a file.
• Unless blocks get reallocated the file may
be reconstructed
– The earlier the better the chances
– Depending on fragmentation, only partial
reconstruction may be possible
19. Slack space
• Unallocated blocks
– Mark blocks as allocated to fool the file
system
• Unused space at the end of a file when it does
not end on a block boundary
• Unused space in file system data
structures
20. Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to
store information
• Most common in images, but may also be
used on executable files, meta data, file
system slack space
21. Encrypted data
• Depending on encryption method, it might
be infeasible to get to the information.
• Locating the keys is often a better
approach.
• A suspect may be compelled to reveal the
keys by law.
22. Recovery (cont.)
• Locating hidden or encrypted data is
difficult and might even be impossible.
• Investigator has to look at other clues:
– Steganography software
– Crypto software
– Command histories
23. File residue
• Even if a file is completely deleted from
the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory
24. Phase 3: Analysis
• Methodology differs depending on the
objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis
25. Contraband material
• Locate specific files
– Databases of illegal pictures
– Stolen property
• Determine if existing files are illegal
– Picture collections
– Music or movie downloads
26. Locating material
• Requires specific knowledge of file system
and OS.
• Data may be encrypted, hidden,
obfuscated
• Obfuscation:
– Misleading file suffix
– Misleading file name
– Unusual location
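Added example (not part of the original deck) for the "misleading file suffix" case: compare each file's leading bytes (its signature) with the type its name claims and flag the disagreements. The signature table, alias table and sample files are constructed for the demonstration; a real scan would read the first bytes of each file on the image.

```python
import os

# Magic bytes for a few common file types (signature at offset 0).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/apk
    b"MZ": "exe",           # Windows PE executables and DLLs
    b"\x7fELF": "elf",
}
# Suffixes that legitimately map onto one of the signature types above.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "apk": "zip", "dll": "exe"}


def identify(data):
    """Type implied by the file's leading bytes, or None if no known signature."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def declared_type(name):
    """Type implied by the file name's suffix, normalised through EXT_ALIASES."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return EXT_ALIASES.get(ext, ext) or None


def check_file(name, data):
    actual, declared = identify(data), declared_type(name)
    if actual is None:
        status = "unknown"      # no signature known: needs manual inspection
    elif actual == declared:
        status = "ok"
    else:
        status = "mismatch"     # suffix and content disagree: flag for review
    return {"name": name, "declared": declared, "actual": actual, "status": status}


# Constructed sample "files" (headers only); two carry misleading suffixes.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "notes.txt":   b"PK\x03\x04" + b"\x00" * 32,   # archive renamed to .txt
    "report.pdf":  b"MZ\x90\x00" + b"\x00" * 32,   # executable renamed to .pdf
    "readme.txt":  b"just text\n",
}


def find_mismatches(files):
    """Return only the entries whose content type disagrees with the suffix."""
    return [r for r in (check_file(n, d) for n, d in files.items())
            if r["status"] == "mismatch"]
```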
27. Event reconstruction
• Utilize system and external information
– Log files
– File timestamps
– Firewall/IDS information
• Establish time line of events
28. Time issues
• Granularity of time keeping
– Can’t order events that occur in the same time
interval
• Multiple systems:
– Different clocks
– Clock drift
• E-mail headers and time zones
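Added example (not from the original deck) that builds one timeline from three sources with different clocks: a file server in UTC+6 whose clock was measured 95 s fast, a firewall in UTC running 12 s slow, and an e-mail Date header carrying its own zone offset. Hosts, offsets and events are constructed; in practice the skew per host is measured against a reference clock at acquisition time.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed per-host clock facts recorded at acquisition:
# (host's local time zone, how far its clock was AHEAD of the reference clock).
HOST_CLOCKS = {
    "fileserver": (timezone(timedelta(hours=6)), timedelta(seconds=95)),   # 95 s fast
    "firewall":   (timezone.utc, timedelta(seconds=-12)),                   # 12 s slow
}


def normalize(host, local_ts):
    """Convert a host's naive 'YYYY-MM-DD HH:MM:SS' stamp to skew-corrected UTC."""
    tz, skew = HOST_CLOCKS[host]
    t = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return (t - skew).astimezone(timezone.utc)


def mail_date_to_utc(date_header):
    """E-mail Date headers carry their own zone offset; convert straight to UTC."""
    return parsedate_to_datetime(date_header).astimezone(timezone.utc)


# Constructed evidence: (host, host-local time, source, description)
RAW_EVENTS = [
    ("fileserver", "2014-03-10 14:05:40", "file timestamp", "secrets.xlsx modified"),
    ("firewall",   "2014-03-10 08:04:02", "firewall log",   "outbound 443 from 10.0.0.5"),
    ("firewall",   "2014-03-10 08:04:02", "firewall log",   "outbound 443 from 10.0.0.5 (2nd)"),
]
RAW_MAIL = [("Mon, 10 Mar 2014 03:03:55 -0500", "e-mail header", "message sent externally")]


def build_timeline():
    """Merge all sources on corrected UTC time. The sort is stable, so events that
    share a second (the granularity problem) keep their input order rather than
    an order the evidence cannot support."""
    events = [(normalize(h, ts), src, what) for h, ts, src, what in RAW_EVENTS]
    events += [(mail_date_to_utc(d), src, what) for d, src, what in RAW_MAIL]
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for when, src, what in build_timeline():
        print(when.isoformat(), src, what)
```

Note that by raw local time the file modification (14:05) would appear to come hours after the firewall entry; only after zone and skew correction does the real order (mail, file change, outbound connection) emerge.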
29. The needle in the haystack
• Locating files:
– Storage capacity approaches the terabyte magnitude
– Potentially millions of files to investigate
• Event reconstruction:
– Dozens or hundreds of events per second
– Only last MAC times are available
– Insufficient logging
30. Compromised system
• If possible, compare against known good
state
– Tripwire
– Databases of “good” files
• Look for unusual file MACs
• Look for open or listening network
connections (trojans)
• Look for files in unusual locations
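Added example (not from the original deck, and not Tripwire's own code) of the "compare against a known good state" idea: a baseline of file hashes taken while the system was trusted is compared with a snapshot of the suspect system to report modified, added and removed files, and new files in unusual locations are flagged separately. File paths, contents and the list of unusual directories are constructed.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" state recorded while the system was trusted.
KNOWN_GOOD_FILES = {
    "/bin/ls": b"ls binary v1",
    "/bin/ps": b"ps binary v1",
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
}
BASELINE = {path: sha256(content) for path, content in KNOWN_GOOD_FILES.items()}

# Constructed snapshot of the suspect system (normally hashed from the image).
SUSPECT_FILES = {
    "/bin/ls": b"ls binary v1",
    "/bin/ps": b"ps binary v1 + extra code",                      # modified
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n",  # modified
    "/tmp/.x/sshd": b"not really sshd",                           # new, hidden dir
}
# Directories where new executables rarely belong on a healthy system (constructed list).
UNUSUAL_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def compare(baseline, current):
    """Diff a path->sha256 baseline against the current file contents."""
    cur_hashes = {p: sha256(c) for p, c in current.items()}
    modified = sorted(p for p in baseline if p in cur_hashes and cur_hashes[p] != baseline[p])
    added = sorted(p for p in cur_hashes if p not in baseline)
    removed = sorted(p for p in baseline if p not in cur_hashes)
    # New files under temp dirs or with a dot-prefixed path component deserve a closer look.
    suspicious = [p for p in added if p.startswith(UNUSUAL_DIRS) or "/." in p]
    return {"modified": modified, "added": added, "removed": removed,
            "suspicious_new": suspicious}


if __name__ == "__main__":
    for kind, paths in compare(BASELINE, SUSPECT_FILES).items():
        print(f"{kind}: {paths}")
```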
31. Unknown executables
• Run them in a constrained environment
– Dedicated system
– Sandbox
– Virtual machine
• Might be necessary to disassemble and
decompile
– May take weeks or months
32. Authorship analysis
• Determine who or what kind of person created
file.
– Programs (Viruses, Trojans, Sniffers/Loggers)
– E-mails (Blackmail, Harassment, Information leaks)
• If actual person cannot be determined, just
determining the skill level of the author may be
important.
33. Phase 4: Presentation
• An investigator who performed the
analysis may have to appear in court as
an expert witness.
• For internal investigations, a report or
presentation may be required.
• Challenge: present the material in simple
terms so that a jury or CEO can
understand it.
34. Live Analysis Versus Static Analysis
• Live Analysis: Forensics performed on a
running system. More things to look at
during live analysis than a static analysis.
Do you pull the plug or perform an orderly
shutdown?
• Static Analysis: Forensics performed on a
copy of the data from a system. This type
of analysis is done most often.
35. Live Analysis
Things to record:
• System time and date.
• Users logged on to the system.
• Open network connections.
• Network drives mapped to the system.
• Processes that are running.
• What is on the Desktop and Clipboard.
36. Static Analysis
Things to look for:
• Registry entries.
• Hidden files and folders, encrypted files.
• Images, emails, IM logs, other files.
• Misnamed files.
• Deleted files.
• Data in unallocated space and Slack space.
37. Capturing a Drive Image
• A write-blocker must be used to prevent
write operations on the drive being
imaged. Can be software or hardware.
• Entire drive is imaged, including
unallocated space, to a clean drive.
• Image must be verified to guarantee
integrity. This is done using a hash
function.
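Added example (not from the original deck) of the imaging and verification step: the source is read once to produce the image while an acquisition hash is computed, then source and image are each re-read independently and their hashes and lengths compared. The "drive" here is an in-memory byte stream standing in for a device opened read-only behind a write-blocker; its contents, including the zeroed unallocated region, are constructed.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size; real devices are hashed in chunks, never loaded whole


def stream_hash(fp, algo="sha256"):
    """Hash a stream from its current position; returns (hexdigest, bytes_read)."""
    h = hashlib.new(algo)
    n = 0
    for chunk in iter(lambda: fp.read(CHUNK), b""):
        h.update(chunk)
        n += len(chunk)
    return h.hexdigest(), n


def image_device(src, dst):
    """Bit-for-bit copy src -> dst, hashing exactly what was read (acquisition hash)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: src.read(CHUNK), b""):
        h.update(chunk)
        dst.write(chunk)
    return h.hexdigest()


def verify_image(src, img):
    """Verification hash: re-read source and image separately and compare both
    digest and length, so a short or altered image is caught."""
    src.seek(0)
    img.seek(0)
    src_hash, src_len = stream_hash(src)
    img_hash, img_len = stream_hash(img)
    return {"match": src_hash == img_hash and src_len == img_len,
            "source_sha256": src_hash, "image_sha256": img_hash, "bytes": src_len}


def demo():
    # Constructed 2048-byte "drive": boot area, data, a zeroed unallocated
    # block, then remnants of a deleted file. Unallocated space is copied too.
    drive = io.BytesIO(b"BOOT" * 128 + b"DATA" * 128 + b"\x00" * 512 + b"del" * 170 + b"\x00" * 2)
    image = io.BytesIO()
    acquisition_hash = image_device(drive, image)
    good = verify_image(drive, image)
    # A copy with one byte altered in the data area must fail verification.
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(600)
    tampered.write(b"X")
    bad = verify_image(drive, tampered)
    return acquisition_hash, good, bad


if __name__ == "__main__":
    acq, good, bad = demo()
    print("acquisition:", acq, "verified:", good["match"], "tampered verified:", bad["match"])
```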
38. Capturing a Drive Image
• One bit is a 0 or a 1.
• One byte is 8 bits.
• One KB (kilobyte) is 1024 bytes.
• One MB (megabyte) is 1024 KB.
• One GB (gigabyte) is 1024 MB.
• A 500 GB drive contains 536,870,912,000 bytes
(over 143 million pages!!!).
• One TB (terabyte) is 1024 GB.
39. Capturing a Drive Image
• Drive may be imaged via a USB or FireWire connection,
or over the network.
• The size of the drive being imaged affects the time
required to perform the capture.
• The speed of the connection also affects the time
required to image the drive.
• A 500 GB drive may require anywhere from 8 hours to
several days to acquire.
41. Where’s the Data?
• Registry.
• Files and folders.
• Deleted files.
• Unallocated space.
• Slack space.
• System files: HIBERFIL.SYS, INDEX.DAT,
PAGEFILE.SYS.
42. Computer Forensic Requirements
• Hardware
– Familiarity with all internal and external
devices/components of a computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets
used
– Power connections
– Memory
• BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of
the BIOS
62. Some Steganography Detection
Tools
Stegdetect – www.outguess.org
Xstegsecret – stegsecret.sourceforge.net
Stego Watch – www.wetstonetech.com
StegAlyzer – www.sarc-wv.com
StegSpy – www.spy-hunter.com
Gargoyle Investigator Forensic – www.wetsonetech.com
StegMark – www.datamark.com.sg
-----
PS: Rather than relying on tools, learn to parse the data manually.
63. Video Forensic Software
• Ocean Systems dTective
• Video Image Enhancement & Analysis
• Cognitech
• MotionDSP Ikena
• Salient Stills VideoFOCUS
• StarWitness
• Intergraph Video Analyst
• Forevid
• Amped FIVE
• Kinesense
• Paraben (Video Recovery from Mobile Device and Hard Drive)
• Videntifier Forensic (Automatic Video Identification)
• VideoCleaner FREE
64. Skills Needed by a Forensic Examiner
• Knowledge of Operating Systems.
• Knowledge of File Systems.
• Must understand networking and TCP/IP.
• Must possess necessary software for imaging
and analyzing images.
• Must possess additional software such as hex
editor, log file analyzer, etc.
• Lots of patience !!!
66. Anti-Forensics
• Software that limits and/or corrupts evidence
that could be collected by an investigator
• Performs data hiding and distortion
• Exploits limitations of known and used forensic
tools
• Works both on Windows and LINUX based
systems
• In place prior to or post system acquisition
67. Evidence Processing Guidelines
• New Technologies Inc. recommends following
16 steps in processing evidence
• They offer training on properly handling each
step
– Step 1: Shut down the computer
• Considerations must be given to volatile information
• Prevents remote access to the machine and destruction of
evidence (manual or anti-forensic software)
– Step 2: Document the Hardware Configuration
of The System
• Note everything about the computer configuration
prior to re-locating
68. Evidence Processing Guidelines (cont)
– Step 3: Transport the Computer System to A Secure
Location
• Do not leave the computer unattended unless it is locked
in a secure location
– Step 4: Make Bit Stream Backups of Hard Disks and
Floppy Disks
– Step 5: Mathematically Authenticate Data on All
Storage Devices
• Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File
69. Evidence Processing Guidelines (cont)
– Step 9: Evaluate File Slack
• File slack is a data storage area of which most computer
users are unaware; a source of significant security
leakage.
– Step 10: Evaluate Unallocated Space (Erased Files)
– Step 11: Search Files, File Slack and Unallocated
Space for Key Words
– Step 12: Document File Names, Dates and Times
– Step 13: Identify File, Program and Storage
Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document Your Findings
– Step 16: Retain Copies of Software Used
70. Nothing is safe and secure in the digital world; beware of
identity theft and guard your privacy. You do not even know who
is watching you.
71. Certification
Vendor-Neutral Computer Forensics Certifications
Computer Hacking Forensic Investigator (CHFI): certification from EC-Council
Certified Computer Examiner (CCE®): certification offered by the
International Society of Forensic Computer Examiners (ISFCE)
Certified Computer Forensics Examiner (CCFE): certification from the Information Assurance
Certification Review Board (IACRB)
Certified Digital Forensics Examiner (CDFE): certification from Mile2
Certified E-Discovery Specialist (CEDS): certification from the Association of Certified E-
Discovery Specialists (ACEDS)
CyberSecurity Forensic Analyst (CSFA): certification from the CyberSecurity Institute
GIAC Certified Forensic Analyst (GCFA): certification from
The SANS (System Administration, Networking, and Security) Institute
IACIS Certified Forensic Computer Examiner (CFCE): certification from the
International Association of Computer Investigative Specialists (IACIS)
72. Cont.
Vendor-Specific Computer Forensics Certifications
AccessData Certified Examiner (ACE): certification from AccessData Group, LLC
AccessData also offers certifications in its Summation litigation
product:
i. Certified Forensic Investigation Practitioner
ii. Certified Mac Forensics Specialist
iii. Certified Malware Investigator
EnCase Certified Examiner: EnCase® from Guidance Software
EnCase Certified eDiscovery Practitioner: The EnCase® Certified
eDiscovery Practitioner (EnCEP™)
D3pak
73. Some Good Reads
1. XRY http://www.msab.com
2. UFED, UFED Physical Analyzer http://www.cellebrite.com
3. Oxygen Forensic Suite, Oxygen Forensic® SQLite Viewer http://www.oxygen-forensic.com/en/
4. Secure View 3 http://secureview.us
5. Rooting (Android OS) http://en.wikipedia.org/wiki/Rooting_(Android_OS)
6. Android Forensics. Physical Techniques. https://viaforensics.com/…/android-
fo…/physical-techniques/…
7. FTK Imager http://www.accessdata.com/support/product-downloads
8. Robert Craig Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action
Group (JTAG) http://articles.forensicfocus.com/…/jtag-sch-r530u-that-ha…/
9. UFS Explorer http://www.ufsexplorer.com/index.php
10. Encase Forensic https://www.guidancesoftware.com
11. Supported Decoders, data files and databases http://www.andriller.com/decoders
12. Belkasoft Evidence Center http://forensic.belkasoft.com/en
13. R-Studio http://www.r-studio.com
14. The Sleuth Kit http://www.sleuthkit.org
15. ThumbnailExpert Forensic http://computer-forensics-lab.org/en/news/25/
16. Android software development http://en.wikipedia.org/wiki/Android_software_development…
17. http://toolcatalog.nist.gov/populated_taxonomy/index.php