First Responders Course - Session 1 - Digital and Other Evidence
Phil Huggins, February 2004
- Investigation Theory
- Digital Evidence
- Order of Volatility
- Disks
- File Systems
- File Data
- Deleted Data
- Associated Evidence
- Summary
Three major types of evidence can be found:
- Inculpatory evidence: that which supports a theory
- Exculpatory evidence: that which contradicts a theory
- Traces of tampering: that which does not support any theory, but shows that data was wiped or modified
We want to find all three types of evidence to get the whole picture.
The data on a system can be broken into two categories: static and volatile. Volatile data ceases to exist once the system is powered off. Examples include memory contents, the list of running processes, the list of open network ports, and the list of users currently logged on. Static data continues to exist after the system is powered off. Examples include hard disk contents, BIOS settings, and other hard-coded values (such as MAC addresses). This is the order of volatility: collect the most volatile data first, while the system is still running, and write each capture somewhere other than the evidence disk; static data can wait until the disk has been imaged.
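As an added example (not part of the original course material), the following Python captures one of the volatile artefacts named above, the list of open TCP ports, from the Linux /proc interface. The sample table is constructed in the exact /proc/net/tcp layout so the parser can be exercised offline; the `snapshot_live_host` wrapper assumes a running Linux host where that file is readable.

```python
"""Decode open TCP sockets from /proc/net/tcp, a purely volatile artefact.

Added example, not from the original slides.  The text in SAMPLE_PROC_NET_TCP
is constructed; addresses are little-endian hex IPv4 followed by a hex port.
"""
import socket
import struct

# /proc/net/tcp reports the socket state as a hex code; 0A is LISTEN.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: header line, then one entry per socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B4A6 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
"""


def decode_address(field):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the IPv4 address as a little-endian 32-bit integer.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of socket records (dicts)."""
    records = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_address(fields[1])
        remote_ip, remote_port = decode_address(fields[2])
        records.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),      # owner of the socket
            "inode": int(fields[9]),    # links the socket to a process fd
        })
    return records


def listening_ports(text):
    """Return sorted (port, ip, uid) tuples for sockets in LISTEN state."""
    return sorted((r["local"][1], r["local"][0], r["uid"])
                  for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN")


def snapshot_live_host(path="/proc/net/tcp"):
    """Read the real table on a running Linux host (assumed readable).

    Send the result to removable media or a network share, never to the
    evidence disk, so the capture does not overwrite deleted data."""
    with open(path) as f:
        return parse_proc_net_tcp(f.read())


if __name__ == "__main__":
    for port, ip, uid in listening_ports(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port} uid={uid}")
```

Reading /proc directly avoids depending on `netstat` binaries on the suspect host, which may have been replaced; a trusted copy of the interpreter and this script on read-only media is still preferable to anything found on the system under investigation.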
- A byte is 8 bits (11111110 = 254)
- A disk can be thought of as a long stream of bytes
- The bytes are organized into 512-byte chunks called sectors (512 bytes was the standard at the time; some newer disks use 4096-byte sectors, so check the sector size before converting sector numbers into byte offsets)
- The disk is divided into partitions (or slices)
- For Intel/DOS-based systems, the partition table in the Master Boot Record (MBR, the first sector of the disk) describes the partition layout
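To make the sector and partition-table arithmetic concrete, here is an added Python example (not code from the course) that builds a 512-byte DOS-style MBR in memory, parses its four 16-byte partition entries, and converts each partition's starting sector into a byte offset within the disk image. The partition values and the 512-byte sector size are assumptions for the illustration; nothing here touches a real disk.

```python
"""Parse a classic MBR partition table and locate partitions in the byte stream.

Added example, not from the original slides.  Layout of a DOS MBR: 446 bytes
of boot code, four 16-byte partition entries at offset 446, and the 0x55AA
signature in the last two bytes of the 512-byte sector.
"""
import struct

SECTOR_SIZE = 512            # assumed here; some disks use 4096-byte sectors
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x82: "Linux swap", 0x83: "Linux"}


def build_mbr(entries):
    """Construct a 512-byte MBR from (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(512)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        # CHS fields are left as zeros; LBA-capable systems ignore them.
        struct.pack_into(ENTRY_FORMAT, mbr, 446 + 16 * i,
                         status, b"\x00\x00\x00", ptype, b"\x00\x00\x00",
                         lba_start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr, sector_size=SECTOR_SIZE):
    """Return a list of partition dicts with byte offsets into the disk image."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not a DOS MBR")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, 446 + 16 * i)
        if ptype == 0:           # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "first_sector": lba_start,
            "sector_count": sectors,
            "byte_offset": lba_start * sector_size,    # where to seek in an image
            "byte_length": sectors * sector_size,
        })
    return partitions


# Constructed sample: a bootable NTFS partition at sector 63 followed by a
# Linux partition that starts immediately after it.
SAMPLE_MBR = build_mbr([
    (0x80, 0x07, 63, 204800),
    (0x00, 0x83, 204863, 409600),
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
```

The parser covers only the four primary entries; an extended partition (type 0x05 or 0x0F) points at a chain of further tables that must be walked separately, and GPT disks carry a protective MBR with a single 0xEE entry, so an unexpected type value is a signal to stop and look rather than to trust the table.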
File systems manage data storage:
- Data is organized into files
- A file's data can be spread all over the disk in data units
- The file system maintains data about each file, such as its name, where its data units are, and when it was last accessed
- It provides an addressing scheme that is easy for humans to understand
Examples: FAT, EXT2FS, FFS, NTFS, EXT3FS
Data about files is useful because it can tell us:
- Which system account owns a file (the file system records the owner; which account last accessed a file generally comes from audit logs, where enabled, rather than from file system metadata)
- When the file was last accessed
- When the file was last written to
- When the file was created
Merely looking at files while investigating a system (listing directories, opening files) can update these timestamps and destroy this sort of evidence.
File deletion theory is the same across file system types. There are five major actions:
1. Mark the data describing the file (its metadata entry) as unallocated
2. Mark the data units themselves as unallocated
3. Remove the file name so that the 'dir' or 'ls' command no longer shows it
4. Delete the link between the file name and the data about the file
5. Delete the links between the data about the file and its data units
The first three are required; the last two are not, which is why a deleted file can sometimes be recovered through its surviving metadata.
Deleted data is not removed, but the part of the disk that holds it may be reused for different data. It is just a matter of time and of how much data the system needs to write to disk. We need to get that deleted data before it is overwritten. Therefore we must do as little as possible on a system that may overwrite the data while we are investigating.
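The following Python is an added example, not part of the course, that models the deletion steps and the overwrite risk described above. The toy file system (a directory, an inode-style metadata table, an allocation bitmap and fixed-size data units) is a simplified model of the elements the slides name, not any real file system; its `delete` performs only the three required actions, so the content bytes and the metadata-to-unit links survive until new data reuses the units.

```python
"""Toy file system: what delete really does, and how long the data survives.

Added example, not from the original slides.  The layout is a deliberately
simplified model; data unit size is tiny so the overwrite is easy to observe.
"""

UNIT_SIZE = 8   # bytes per data unit (assumed for the model)


class ToyFileSystem:
    def __init__(self, units=16):
        self.units = [bytearray(UNIT_SIZE) for _ in range(units)]
        self.unit_allocated = [False] * units
        self.inodes = {}        # inode number -> {"units", "size", "allocated"}
        self.directory = {}     # file name -> inode number
        self.next_inode = 1

    def _free_units(self, count):
        free = [i for i, used in enumerate(self.unit_allocated) if not used]
        if len(free) < count:
            raise OSError("disk full")
        return free[:count]

    def write(self, name, data):
        """Create a file: allocate units, copy data, record metadata, add name."""
        count = (len(data) + UNIT_SIZE - 1) // UNIT_SIZE
        chosen = self._free_units(count)
        for n, unit in enumerate(chosen):
            chunk = data[n * UNIT_SIZE:(n + 1) * UNIT_SIZE]
            self.units[unit][:] = chunk.ljust(UNIT_SIZE, b"\x00")   # padding = slack
            self.unit_allocated[unit] = True
        ino = self.next_inode
        self.next_inode += 1
        self.inodes[ino] = {"units": chosen, "size": len(data), "allocated": True}
        self.directory[name] = ino
        return ino

    def ls(self):
        return sorted(self.directory)

    def read(self, name):
        meta = self.inodes[self.directory[name]]
        data = b"".join(bytes(self.units[u]) for u in meta["units"])
        return data[:meta["size"]]

    def delete(self, name):
        """The three required actions only.  Content bytes are untouched and
        the inode -> unit links are kept (optional actions 4 and 5 skipped)."""
        ino = self.directory.pop(name)                 # name no longer listed
        self.inodes[ino]["allocated"] = False          # metadata marked free
        for u in self.inodes[ino]["units"]:
            self.unit_allocated[u] = False             # data units marked free
        return ino

    def unallocated_space(self):
        """Every unallocated unit concatenated: what a carving tool scans."""
        return b"".join(bytes(u) for u, used in
                        zip(self.units, self.unit_allocated) if not used)

    def carve(self, signature):
        """Recover deleted content by header signature, up to the first NUL."""
        blob = self.unallocated_space()
        start = blob.find(signature)
        if start < 0:
            return None
        end = blob.find(b"\x00", start)
        return blob[start:end if end >= 0 else None]

    def undelete(self, ino, name):
        """Recover through the surviving inode -> unit links.  Only possible
        while those links exist and none of the units has been reallocated."""
        meta = self.inodes[ino]
        if meta["allocated"] or any(self.unit_allocated[u] for u in meta["units"]):
            return False
        for u in meta["units"]:
            self.unit_allocated[u] = True
        meta["allocated"] = True
        self.directory[name] = ino
        return True


if __name__ == "__main__":
    fs = ToyFileSystem()
    ino = fs.write("secret.txt", b"PASS:hunter2 and more text")   # constructed content
    fs.delete("secret.txt")
    print("after delete, ls:", fs.ls(), "carved:", fs.carve(b"PASS:"))
    fs.write("new.log", b"X" * 20)          # routine activity reuses the units
    print("after new write, carved:", fs.carve(b"PASS:"))
    print("residue in unallocated space:", fs.unallocated_space()[:8])
```

Two recovery paths are shown: carving unallocated space by signature, which needs no metadata at all, and undeleting through the kept inode links, which a file system that performs the optional fourth and fifth actions would have destroyed. Both fail as soon as a new write reuses the units, which is the reason the slides insist on imaging early and touching the live system as little as possible.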
Digital evidence at best can only tell you which computer account did what, and when. When only one person has access to the account details it is easy to identify a culprit. However, sometimes we need to look to the real world for other associated evidence, such as:
- CCTV
- Building entry logs
- Statements from witnesses
Summary:
- We don't want to prove someone guilty; we want the truth, so don't ignore sources of exculpatory evidence.
- Be aware of the effect our investigation actions will have on the evidence.
- Use forensically sound tools to avoid damaging evidence.
- Take copies of data early to avoid overwriting valuable deleted data.
- Look for non-digital sources of evidence that can support the investigation.