Computer Forensic

Digital Forensics
MD. Tawhidur Rahman Pial
CCNA,CCNA-SEC,CCNP,
C|EH,CHFI,CNDA, E|CSA, L|PT, E|NSA, WiMAX+
,Telecom+, Network+, Security+, Linux+, GSEC
Consultant of Cyber Crime & Digital Forensic
Certified Cyber Criminal Analyst, ISS, USA
Member Scotland Yard IACIS & High Tech Crime, USA

Introduction
• Topics to be covered
– Defining Computer Forensics
– Reasons for gathering evidence
– Who uses Computer Forensics
– Steps of Computer Forensics
– Handling Evidence
– Investigation initiation / response
– Handling Information
– Requirements & Software
– Anti-Forensics
– Evidence processing guidelines
– Methods of hiding Information/data
– Methods of discovering information/data

What is Digital Forensics?
• Emerging discipline in computer security
– “voodoo science”
– No standards, few research
• Investigation that takes place after an
incident has happened
• Try to answer questions: Who, what,
when, where, why, and how

Definition
• Multiple methods of
• Discovering data on computer system
• Recovering deleted, encrypted, or damaged file
information
• Monitoring live activity
• Detecting violations of corporate policy
– Information collected assists in arrests, prosecution,
termination of employment, and preventing future
illegal activity

Definition (cont)
• What Constitutes Digital Evidence?
– Any information being subject to human intervention or
not, that can be extracted from a computer.
– Must be in human-readable format or capable of being
interpreted by a person with expertise in the subject.
• Computer Forensics Examples
– Recovering thousands of deleted emails
– Performing investigation post employment
termination
– Recovering evidence post formatting hard
drive
– Performing investigation after multiple
users had taken over the system

Reasons For Evidence
• Wide range of computer crimes and misuses
– Non-Business Environment: evidence collected by
Federal, State and local authorities for crimes relating
to:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Position of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery
• Perjury

Reasons For Evidence (cont)
• Computer related crime and violations include a
range of activities including:
– Business Environment:
• Theft of or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Reconstructing Events
• Inferring intentions
• Selling company bandwidth
• Wrongful dismissal claims
• Sexual harassment
• Software Piracy

Who Uses Computer Forensics?
• Criminal Prosecutors
– Rely on evidence obtained from a computer to
prosecute suspects and use as evidence
• Civil Litigations
– Personal and business data discovered on a computer
can be used in fraud, divorce, harassment, or
discrimination cases
• Insurance Companies
– Evidence discovered on computer can be
used to mollify costs (fraud, worker’s
compensation, arson, etc)
• Private Corporations
– Obtained evidence from employee computers can
be used as evidence in harassment, fraud, and
embezzlement cases

Who Uses Computer Forensics? (cont)
• Law Enforcement Officials
– Rely on computer forensics to backup search warrants
and post-seizure handling
• Individual/Private Citizens
– Obtain the services of professional computer forensic
specialists to support claims of harassment, abuse, or
wrongful termination from employment

FBI Computer Forensic Services
• Content
• Comparison again known data
• Transaction sequencing
• Extraction of data
• Recovering deleted data files
• Format conversion
• Keyword searching
• Decrypting passwords
• Analyzing and comparing limited source code

Steps to Take in a Computer Forensics
Investigation
• Obtain authorization to search and seize.
• Secure the area, which may be a crime scene.
• Document the chain of custody of every item that was seized.
• Bag, tag, and safely transport the equipment and e-evidence.
• Acquire the e-evidence from the equipment by using forensically sound methods and
tools to create a forensic image of the e-evidence.
• Keep the original material in a safe, secured location.
• Design your review strategy of the e-evidence, including lists of keywords and search
terms.
• Examine and analyze forensic images of the e-evidence (never the original!)
according to your strategy.
• Interpret and draw inferences based on facts gathered from the e-evidence. Check
your work.
• Describe your analysis and findings in an easy-to-understand and clearly written
report.
• Give testimony under oath in a deposition or courtroom.

Typical investigation phases
1. Acquisition
2. Recovery
3. Analysis
4. Presentation
In a manner that is legally
acceptable by court or Law.
I A P I A R D
I : Identifying
A : Acquisition
P : Preservation
I : Interpretation
A : Analysis
R : Reporting
D : Destroy the evidence

Phase 1: Acquisition
• Analogous to crime scene in the “real
world”
• Goal is to recover as much evidence
without altering the crime scene
• Investigator should document as much as
possible
• Maintain Chain of Custody

Acquisition (2)
• Determine if incident actually happened
• What kind of system is to be investigated?
– Can it be shut down?
– Does it have to keep operating?
• Are there policies governing the handling of the
incident?
• Is a warrant needed?

Acquisition (3)
• Get most fleeting information first
– Running processes
– Open sockets
– Memory
– Storage media
• Create 1:1 copies of evidence (imaging)
• If possible, lock up original system in the
evidence locker

Phase 2: Recovery
• Goal is to extract data from the acquired
evidence
• Always work on copies, never the original
– Must be able to repeat entire process from
scratch
• Data, deleted data, “hidden” data

File systems
• Get files and directories
• Metadata
– User IDs
– Timestamps (MAC times)
– Permissions, …
• Some deleted files may be recovered
• Slack space

File deletion
• Most file systems only delete directory
entries but not the data blocks associated
with a file.
• Unless blocks get reallocated the file may
be reconstructed
– The earlier the better the chances
– Depending on fragmentation, only partial
reconstruction may be possible

Slack space
• Unallocated blocks
– Mark blocks as allocated to fool the file
system
• Unused space at end of files if it doesn’t
end on block boundaries
• Unused space in file system data
structures

Steganography
• Data hidden in other data
• Unused or irrelevant locations are used to
store information
• Most common in images, but may also be
used on executable files, meta data, file
system slack space

Encrypted data
• Depending on encryption method, it might
be infeasible to get to the information.
• Locating the keys is often a better
approach.
• A suspect may be compelled to reveal the
keys by law.

Recovery (cont.)
• Locating hidden or encrypted data is
difficult and might even be impossible.
• Investigator has to look at other clues:
– Steganography software
– Crypto software
– Command histories

File residue
• Even if a file is completely deleted from
the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory

Phase 3: Analysis
• Methodology differs depending on the
objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis

Contraband material
• Locate specific files
– Databases of illegal pictures
– Stolen property
• Determine if existing files are illegal
– Picture collections
– Music or movie downloads

Locating material
• Requires specific knowledge of file system
and OS.
• Data may be encrypted, hidden,
obfuscated
• Obfuscation:
– Misleading file suffix
– Misleading file name
– Unusual location

Event reconstruction
• Utilize system and external information
– Log files
– File timestamps
– Firewall/IDS information
• Establish time line of events

Time issues
• Granularity of time keeping
– Can’t order events that occur in the same time
interval
• Multiple systems:
– Different clocks
– Clock drift
• E-mail headers and time zones

The needle in the haystack
• Locating files:
– Storage capacity approaches the terrabyte magnitude
– Potentially millions of files to investigate
• Event reconstruction:
– Dozens, hundreds of events a second
– Only last MAC times are available
– Insufficient logging

Compromised system
• If possible, compare against known good
state
– Tripwire
– Databases of “good” files
• Look for unusual file MACs
• Look for open or listening network
connections (trojans)
• Look for files in unusual locations

Unknown executables
• Run them in a constrained environment
– Dedicated system
– Sandbox
– Virtual machine
• Might be necessary to disassemble and
decompile
– May take weeks or months

Authorship analysis
• Determine who or what kind of person created
file.
– Programs (Viruses, Tojans, Sniffers/Loggers)
– E-mails (Blackmail, Harassment, Information leaks)
• If actual person cannot be determined, just
determining the skill level of the author may be
important.

Phase 4: Presentation
• An investigator that performed the
analysis may have to appear in court as
an expert witness.
• For internal investigations, a report or
presentation may be required.
• Challenge: present the material in simple
terms so that a jury or CEO can
understand it.

Live Analysis Versus Static Analysis
• Live Analysis: Forensics performed on a
running system. More things to look at
during live analysis than a static analysis.
Do you pull the plug or perform an orderly
shutdown?
• Static Analysis: Forensics performed on a
copy of the data from a system. This type
of analysis is done most often.

Live Analysis
Things to record:
• System time and date.
• User’s logged on to the system.
• Open network connections.
• Network drives mapped to the system.
• Processes that are running.
• What is on the Desktop and Clipboard.

Static Analysis
Things to look for:
• Registry entries.
• Hidden files and folders, encrypted files.
• Images, emails, IM logs, other files.
• Misnamed files.
• Deleted files.
• Data in unallocated space and Slack space.

Capturing a Drive Image
• A write-blocker must be used to prevent
write operations on the drive being
imaged. Can be software or hardware.
• Entire drive is imaged, including
unallocated space, to a clean drive.
• Image must be verified to guarantee
integrity. This is done using a hash
function.

• One bit is a 0 or a 1.
• One byte is 8 bits.
• One KB (Kilo Byte) is 1024 bytes.
• One MB (Mega Byte) is 1024 KB.
• One GB (Giga Byte) is 1024 MB.
• A 500 GB drive contains 536,870,912,000 bytes
(over 143 million pages!!!).
• One TB (Terra Byte) is 1024 GB.

• Drive may be imaged via a USB or FireWire connection,
or over the network.
• The size of the drive being imaged affects the time
required to perform the capture.
• The speed of the connection also affects the time
required to image the drive.
• A 500 GB drive may require 8 hours or several days to
acquire.

Where’s the Data?
• Registry.
• Files and folders.
• Deleted files.
• Unallocated space.
• Slack space.
• System files: HIBERFIL.SYS, INDEX.DAT,
PAGEFILE.SYS.

Computer Forensic Requirements
• Hardware
– Familiarity with all internal and external
devices/components of a computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets
used
– Power connections
– Memory
• BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of
the BIOS

Forensic Tools
• Hex editor: Display, search, and modify
hexadecimal data.
• Forensic analysis software:
FTK (Forensic Toolkit)
EnCase
Autopsy
X-Ways
Oxygen Forensic

Oxygen Forensic Viewer Communication Diagram

FRED Forensic Workstation
Server

Digital
Forensic
Analysis
Server

CellDEK
Mobile
Phone
Analysis
Device

UFED
Cellebrite
Mobile
Phone
Forensic
Device

VIAEXTRACT- Android forensic software.

AccessData Mobile Phone Examiner (MPE)
Plus

Forensic Tools
• Network traffic sniffer/analyzer
• Imaging software
• Hashing software
• Log file analyzer
• Steganography software

Some Steganography Detection
Tools
Stegdetect – www.outguess.org
Xstegsecret – stegsecret.sourceforge.net
Stego Watch – www.wetstonetech.com
StegAlyzer – www.sarc-wv.com
StegSpy – www.spy-hunter.com
Gargoyle Investigator Forensic – www.wetsonetech.com
StegMark – www.datamark.com.sg
-----
PS: Rather than tools please go manual parsing

Video Forensic Software
• Ocean Systems dTective
• Video Image Enhancement & Analysis
• Cognitech
• MotionDSP Ikena
• Salient Stills VideoFOCUS
• StarWitness
• Intergraph Video Analyst
• Forevid
• Amped FIVE
• Kinesense
• Paraben (Video Recovery from Mobile Device and Hard Drive)
• Videntifier Forensic (Automatic Video Identification)
• VideoCleaner FREE

Skills Needed by a Forensic Examiner
• Knowledge of Operating Systems.
• Knowledge of File Systems.
• Must understand networking and TCP/IP.
• Must possess necessary software for imaging
and analyzing images.
• Must possess additional software such as hex
editor, log file analyzer, etc.
• Lots of patience !!!

Current and Emerging Cyber Forensic Tools of Law Enforcement

Anti-Forensics
• Software that limits and/or corrupts evidence
that could be collected by an investigator
• Performs data hiding and distortion
• Exploits limitations of known and used forensic
tools
• Works both on Windows and LINUX based
systems
• In place prior to or post system acquisition

Evidence Processing Guidelines
• New Technologies Inc. recommends following
16 steps in processing evidence
• They offer training on properly handling each
step
– Step 1: Shut down the computer
• Considerations must be given to volatile information
• Prevents remote access to machine and destruction of
evidence (manual or ant-forensic software)
– Step 2: Document the Hardware Configuration
of The System
• Note everything about the computer configuration
prior to re-locating

Evidence Processing Guidelines (cont)
– Step 3: Transport the Computer System to A Secure
Location
• Do not leave the computer unattended unless it is locked
in a secure location
– Step 4: Make Bit Stream Backups of Hard Disks and
Floppy Disks
– Step 5: Mathematically Authenticate Data on All
Storage Devices
• Must be able to prove that you did not alter
any of the evidence after the computer
came into your possession
– Step 6: Document the System Date and Time
– Step 7: Make a List of Key Search Words
– Step 8: Evaluate the Windows Swap File

Evidence Processing Guidelines (cont)
– Step 9: Evaluate File Slack
• File slack is a data storage area of which most computer
users are unaware; a source of significant security
leakage.
– Step 10: Evaluate Unallocated Space (Erased Files)
– Step 11: Search Files, File Slack and Unallocated
Space for Key Words
– Step 12: Document File Names, Dates and Times
– Step 13: Identify File, Program and Storage
Anomalies
– Step 14: Evaluate Program Functionality
– Step 15: Document Your Findings
– Step 16: Retain Copies of Software Used

Nothing is safe and secure in digital world, beware of
identity theft for privacy concern. You even don't don't who
all smelling you

Certification
Vendor-Neutral Computer Forensics Certifications
 Computer Hacking Forensic Investigator CHFI : This certification from EC-Council
 Certified Computer Examiner : The Certified Computer Examiner (CCE®) certification offered by the
International Society of Forensic Computer Examiners (ISFCE)
 Certified Computer Forensics Examiner (CCFE) : Certification from the Information Assurance
Certification Review Board (IACRB)
 Certified Digital Forensics Examiner (CDFE) : Certification from Mile2
 Certified E-Discovery Specialist (CEDS) : This certification from the Association of Certified E-
Discovery Specialists (ACEDS)
 CyberSecurity Forensic Analyst (CSFA) : Certification from CyberSecurity Institute
 GIAC Certified Forensic Analyst (GIAC) and Certified Forensic Analyst (GCFA) : Certification from
The SANS (System Administration, Networking, and Security) Institute
 IACIS Certified Forensic Computer Examiner : The IACIS Certified Forensic Computer Examiner
(CFCE) certification from the International Association of Computer Investigative Specialists (IACIS)

Cont.Cont.
Vendor-Specific Computer Forensics Certifications
 AccessData Certified Examiner : AccessData Certified Examiner
(ACE) certification from AccessData Group, LLC
 AccessData also offers certifications in its Summation litigation
product :
i. Certified Forensic Investigation Practitioner
ii. Certified Mac Forensics Specialist
iii. Certified Malware Investigator
 EnCase Certified Examiner : EnCase® from Guidance Software
 EnCase Certified eDiscovery Practitioner : The EnCase® Certified
eDiscovery Practitioner (EnCEP™)
D3pak

Some Good Reads
1. XRY http://www.msab.com
2. UFED, UFED Physical Analyzer http://www.cellebrite.com
3. Oxygen Forensic Suit, Oxygen Forensic® SQLite Viewerhttp://www.oxygen-
forensic.com/en/
4. Secure View 3 http://secureview.us
5. Rooting (Android OS) http://en.wikipedia.org/wiki/Rooting_(Android_OS)
6. Android Forensics. Physical Techniques. https://viaforensics.com/…/android-
fo…/physical-techniques/…
7. FTK Imager http://www.accessdata.com/support/product-downloads
8. Robert Craig Samsung Galaxy Android 4.3 Jelly Bean acquisition using Joint Test Action
Group (JTAG) http://articles.forensicfocus.com/…/jtag-sch-r530u-that-ha…/
9. UFS Explorer http://www.ufsexplorer.com/index.php
10. Encase Forensic https://www.guidancesoftware.com
11. Supported Decoders data files and databaseshttp://www.andriller.com/decoders
12. Belkasoft Evidence Center http://forensic.belkasoft.com/en
13. R-Studio http://www.r-studio.com
14. The Sleuth Kit http://www.sleuthkit.org
15. ThumbnailExpert Forensic http://computer-forensics-lab.org/en/news/25/
16. Android software
developmenthttp://en.wikipedia.org/wiki/Android_software_development…
17. http://toolcatalog.nist.gov/populated_taxonomy/index.php

Computer Forensic

More Related Content

What's hot (20)

Similar to Computer Forensic (20)

More from Tawhidur Rahman (12)

Recently uploaded (20)

Computer Forensic