Guide To Computer Forensics And Investigations
Guide to Computer Forensics and Investigations by B. Nelson, A. Phillips, C. Steuart
Page Count: 715
Information Security Web Site Resources

www.cert.org - Computer Emergency Response Team Coordination Center (CERT/CC)
www.ists.dartmouth.edu - Research and education for cyber security
www.first.org - Organization of 170 incident response teams
www.sans.org - SysAdmin, Audit, Network, Security (SANS) Institute
www.infragard.net - Information sharing between private industry and the U.S. government
www.issa.org - Information Systems Security Association (ISSA)
nsi.org - Information about security vulnerabilities and threats
csrc.nist.gov/index.html - Computer Security Resource Center (CSRC)
cve.mitre.org - Dictionary of reported information security vulnerabilities
www.mcafee.com/us/threat_center - McAfee Threat Center
www.microsoft.com/security/portal/default.aspx - Microsoft Malware Protection Center
secureitalliance.org - Industry partners to promote software that interoperates with the Microsoft platform
www.securityfocus.com/archive/1 - Detailed information about the latest computer security vulnerabilities and fixes
atlas.arbor.net - Global threat analysis network
secunia.com - Information regarding security vulnerabilities, advisories, viruses, and online vulnerability tests
www.ieee.org - Institute of Electrical and Electronics Engineers (IEEE)
www.wi-fi.org - Wi-Fi Alliance
www.fcc.gov - Federal Communications Commission
www.hhs.gov/ocr/hipaa - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
www.sec.gov/spotlight/sarbanes-oxley.htm - Sarbanes-Oxley Act of 2002 (Sarbox)
www.ftc.gov/privacy/glbact/glbsub1.htm - Gramm-Leach-Bliley Act (GLBA)
www.fincen.gov/statutes_regs/patriot/index.html - USA Patriot Act (2001)
info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html - California Database Security Breach Act (2003)
www.ftc.gov/bcp/conline/pubs/buspubs/coppa.shtm - Children’s Online Privacy Protection Act of 1998 (COPPA)
secunia.com/software_inspector - Secunia Software Inspector software
www.microsoft.com/security/malwareremove/default.mspx - Microsoft Windows Malicious Software Removal Tool
www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx - Microsoft RootkitRevealer software
www.softdd.com/keystrokerecorder/index.html - Keyboard Collector software
irongeek.com/i.php?page=security/thumbscrew-software-usb-writeblocker - Thumbscrew software
www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx - Microsoft Virtual PC 2007
www.vmware.com - VMware Workstation
www.grc.com/securable - Data Execution Prevention testing software
www.eicar.org/anti_virus_test_file.htm - EICAR AntiVirus test file
www.microsoft.com/downloads/details.aspx?FamilyID=a3d1bbed-7f354e72-bfb5-b84a526c1565&displaylang=en - Microsoft Vista security templates
www.microsoft.com/technet/security/tools/mbsahome.mspx - Microsoft Baseline Security Analyzer (MBSA)
www.wireshark.org - Wireshark protocol analyzer
www.netstumbler.com - Netstumbler software
www.klcconsulting.net/smac - MAC spoofing software
ophcrack.sourceforge.net - Open-source password cracker program that uses rainbow tables
keepass.info - KeePass password storage software
www.nessus.org/download - Nessus vulnerability scanner
www.gfi.com/lannetscan - GFI LANguard vulnerability scanner
www.threatfire.com/download - ThreatFire behavior-based monitoring tool
md5deep.sourceforge.net - Hash generator software
www.truecrypt.org - TrueCrypt encryption software
www.briggsoft.com - Directory Snoop software
www.heidi.ie/node/6 - File wipe software

Guide to Computer Forensics and Investigations, Fourth Edition
Bill Nelson, Amelia Phillips, Christopher Steuart

Vice President, Career and Professional Editorial: Dave Garza
Executive Editor: Stephen Helba
Managing Editor: Marah Bellegarde
Senior Product Manager: Michelle Ruelos Cannistraci
Developmental Editor: Lisa M. Lord
Editorial Assistant: Sarah Pickering
Vice President, Career and Professional Marketing: Jennifer McAvey
Marketing Director: Deborah S. Yarnell
Senior Marketing Manager: Erin Coffin
Marketing Coordinator: Shanna Gibbs
Production Director: Carolyn Miller
Production Manager: Andrew Crouth
Content Project Manager: Jessica McNavich
Art Director: Jack Pendleton
Cover photo or illustration: Shutterstock
Production Technology Analyst: Tom Stover
Manufacturing Coordinator: Julio Esperas
Copyeditor: Ruth Bloom
Proofreader: Michele Callaghan
Compositor: Cadmus Communications

© 2010 Course Technology, Cengage Learning. ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706. For permission to use material from this text or product, submit all requests online at cengage.com/permissions. Further permissions questions can be emailed to permissionrequest@cengage.com.

Library of Congress Control Number: 2009929885
ISBN-13: 978-1-435-49883-9
ISBN-10: 1-435-49883-6

Course Technology
20 Channel Center Street
Boston, MA 02210

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit course.cengage.com. Visit our corporate website at cengage.com.

Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers. Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated with Microsoft in any manner. Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies. Course Technology and the Course Technology logo are registered trademarks used under license. Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice.

The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs.

Printed in the United States of America 1 2 3 4 5 6 7 12 11 10 09

Brief Table of Contents

PREFACE  xv
INTRODUCTION  xvii
CHAPTER 1  Computer Forensics and Investigations as a Profession  1
CHAPTER 2  Understanding Computer Investigations  27
CHAPTER 3  The Investigator’s Office and Laboratory  71
CHAPTER 4  Data Acquisition  99
CHAPTER 5  Processing Crime and Incident Scenes  149
CHAPTER 6  Working with Windows and DOS Systems  197
CHAPTER 7  Current Computer Forensics Tools  259
CHAPTER 8  Macintosh and Linux Boot Processes and File Systems  297
CHAPTER 9  Computer Forensics Analysis and Validation  345
CHAPTER 10  Recovering Graphics Files  381
CHAPTER 11  Virtual Machines, Network Forensics, and Live Acquisitions  423
CHAPTER 12  E-mail Investigations  451
CHAPTER 13  Cell Phone and Mobile Device Forensics  495
CHAPTER 14  Report Writing for High-Tech Investigations  515
CHAPTER 15  Expert Testimony in High-Tech Investigations  541
CHAPTER 16  Ethics for the Expert Witness  575
APPENDIX A  Certification Test References  603
APPENDIX B  Computer Forensics References  607
APPENDIX C  Computer Forensics Lab Considerations  613
APPENDIX D  DOS File System and Forensics Tools  619
GLOSSARY  653
INDEX  663

Table of Contents

PREFACE  xv
INTRODUCTION  xvii

CHAPTER 1  Computer Forensics and Investigations as a Profession  1
    Understanding Computer Forensics  2
    Computer Forensics Versus Other Related Disciplines  3
    A Brief History of Computer Forensics  5
    Understanding Case Law  8
    Developing Computer Forensics Resources  8
    Preparing for Computer Investigations  9
    Understanding Law Enforcement Agency Investigations  11
    Following the Legal Processes  12
    Understanding Corporate Investigations  14
    Establishing Company Policies  14
    Displaying Warning Banners  15
    Designating an Authorized Requester  17
    Conducting Security Investigations  17
    Distinguishing Personal and Company Property  19
    Maintaining Professional Conduct  19
    Chapter Summary  20
    Key Terms  21
    Review Questions  23
    Hands-On Projects  24
    Case Projects  25

CHAPTER 2  Understanding Computer Investigations  27
    Preparing a Computer Investigation  28
    An Overview of a Computer Crime  28
    An Overview of a Company Policy Violation  30
    Taking a Systematic Approach  30
    Assessing the Case  32
    Planning Your Investigation  33
    Securing Your Evidence  35
    Procedures for Corporate High-Tech Investigations  37
    Employee Termination Cases  37
    Internet Abuse Investigations  37
    E-mail Abuse Investigations  38
    Attorney-Client Privilege Investigations  39
    Media Leak Investigations  40
    Industrial Espionage Investigations  41
    Interviews and Interrogations in High-Tech Investigations  43
    Understanding Data Recovery Workstations and Software  44
    Setting Up Your Workstation for Computer Forensics  45
    Conducting an Investigation  46
    Gathering the Evidence  46
    Understanding Bit-stream Copies  47
    Acquiring an Image of Evidence Media  48
    Using ProDiscover Basic to Acquire a USB Drive  48
    Analyzing Your Digital Evidence  51
    Completing the Case  58
    Critiquing the Case  59
    Chapter Summary  59
    Key Terms  60
    Review Questions  61
    Hands-On Projects  62
    Case Projects  69

CHAPTER 3  The Investigator’s Office and Laboratory  71
    Understanding Forensics Lab Certification Requirements  72
    Identifying Duties of the Lab Manager and Staff  72
    Lab Budget Planning  73
    Acquiring Certification and Training  76
    Determining the Physical Requirements for a Computer Forensics Lab  79
    Identifying Lab Security Needs  79
    Conducting High-Risk Investigations  80
    Using Evidence Containers  80
    Overseeing Facility Maintenance  82
    Considering Physical Security Needs  82
    Auditing a Computer Forensics Lab  83
    Determining Floor Plans for Computer Forensics Labs  83
    Selecting a Basic Forensic Workstation  85
    Selecting Workstations for Police Labs  85
    Selecting Workstations for Private and Corporate Labs  86
    Stocking Hardware Peripherals  86
    Maintaining Operating Systems and Software Inventories  87
    Using a Disaster Recovery Plan  87
    Planning for Equipment Upgrades  88
    Using Laptop Forensic Workstations  88
    Building a Business Case for Developing a Forensics Lab  88
    Preparing a Business Case for a Computer Forensics Lab  90
    Chapter Summary  93
    Key Terms  94
    Review Questions  95
    Hands-On Projects  96
    Case Projects  97

CHAPTER 4  Data Acquisition  99
    Understanding Storage Formats for Digital Evidence  100
    Raw Format  101
    Proprietary Formats  101
    Advanced Forensic Format  102
    Determining the Best Acquisition Method  103
    Contingency Planning for Image Acquisitions  105
    Using Acquisition Tools  105
    Windows XP Write-Protection with USB Devices  106
    Acquiring Data with a Linux Boot CD  109
    Capturing an Image with ProDiscover Basic  120
    Capturing an Image with AccessData FTK Imager  123
    Validating Data Acquisitions  126
    Linux Validation Methods  127
    Windows Validation Methods  129
    Performing RAID Data Acquisitions  129
    Understanding RAID  130
    Acquiring RAID Disks  132
    Using Remote Network Acquisition Tools  134
    Remote Acquisition with ProDiscover  134
    Remote Acquisition with EnCase Enterprise  136
    Remote Acquisition with R-Tools R-Studio  136
    Remote Acquisition with WetStone LiveWire  137
    Remote Acquisition with F-Response  137
    Remote Acquisition with Runtime Software  137
    Using Other Forensics Acquisition Tools  138
    SnapBack DatArrest  138
    NTI SafeBack  138
    DIBS USA RAID  138
    ILook Investigator IXimager  139
    ASRData SMART  139
    Australian Department of Defence PyFlag  139
    Chapter Summary  139
    Key Terms  140
    Review Questions  141
    Hands-On Projects  143
    Case Projects  146

CHAPTER 5  Processing Crime and Incident Scenes  149
    Identifying Digital Evidence  150
    Understanding Rules of Evidence  151
    Collecting Evidence in Private-Sector Incident Scenes  157
    Processing Law Enforcement Crime Scenes  161
    Understanding Concepts and Terms Used in Warrants  162
    Preparing for a Search  163
    Identifying the Nature of the Case  163
    Identifying the Type of Computing System  164
    Determining Whether You Can Seize a Computer  164
    Obtaining a Detailed Description of the Location  164
    Determining Who Is in Charge  165
    Using Additional Technical Expertise  165
    Determining the Tools You Need  166
    Preparing the Investigation Team  168
    Securing a Computer Incident or Crime Scene  168
    Seizing Digital Evidence at the Scene  169
    Preparing to Acquire Digital Evidence  169
    Processing an Incident or Crime Scene  170
    Processing Data Centers with RAID Systems  173
    Using a Technical Advisor  173
    Documenting Evidence in the Lab  174
    Processing and Handling Digital Evidence  174
    Storing Digital Evidence  174
    Evidence Retention and Media Storage Needs  176
    Documenting Evidence  176
    Obtaining a Digital Hash  177
    Reviewing a Case  179
    Sample Civil Investigation  180
    Sample Criminal Investigation  181
    Reviewing Background Information for a Case  181
    Identifying the Case Requirements  182
    Planning the Investigation  183
    Conducting the Investigation: Acquiring Evidence with AccessData FTK  183
    Chapter Summary  188
    Key Terms  190
    Review Questions  191
    Hands-On Projects  192
    Case Projects  195

CHAPTER 6  Working with Windows and DOS Systems
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Understanding File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Understanding the Boot Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Understanding Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Exploring Microsoft File Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Disk Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Master Boot Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining FAT Disks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 202 205 206 Examining NTFS Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NTFS System Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MFT and File Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MFT Structures for File Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NTFS Data Streams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NTFS Compressed Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NTFS Encrypting File System (EFS) . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EFS Recovery Key Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deleting NTFS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 210 211 215 224 224 225 227 227 Understanding Whole Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Examining Microsoft BitLocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Examining Third-Party Disk Encryption Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Understanding the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Exploring the Organization of the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Examining the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Understanding Microsoft Startup Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Startup in Windows NT and Later . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Startup in Windows 9x/Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 Understanding MS-DOS Startup Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Other Disk Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Understanding Virtual Machines . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Creating a Virtual Machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 Table of Contents ix Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 CHAPTER 7 Current Computer Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Evaluating Computer Forensics Tool Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Computer Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tasks Performed by Computer Forensics Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tool Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other Considerations for Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 261 261 271 272 Computer Forensics Software Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . Command-Line Forensics Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . UNIX/Linux Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other GUI Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 273 274 277 Computer Forensics Hardware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forensic Workstations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using a Write-Blocker. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Recommendations for a Forensic Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 278 279 280 Validating and Testing Forensics Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Using National Institute of Standards and Technology (NIST) Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Using Validation Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . 286 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 CHAPTER 8 Macintosh and Linux Boot Processes and File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Understanding the Macintosh File Structure and Boot Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Mac OS 9 Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exploring Macintosh Boot Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Macintosh Forensics Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 299 300 303 Examining UNIX and Linux Disk Structures and Boot Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . UNIX and Linux Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Inodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding UNIX and Linux Boot Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Linux Loader and GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding UNIX and Linux Drives and Partition Schemes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining UNIX and Linux Disk Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 314 318 319 321 321 322 Understanding Other Disk Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Examining CD Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining SCSI Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining IDE/EIDE and SATA Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 330 332 333 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 x Table of Contents Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 CHAPTER 9 Computer Forensics Analysis and Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Determining What Data to Collect and Analyze . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 Approaching Computer Forensics Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 Using AccessData Forensic Toolkit to Analyze Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Validating Forensic Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Validating with Hexadecimal Editors . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 351 Validating with Computer Forensics Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355 Addressing Data-Hiding Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hiding Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Marking Bad Clusters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bit-Shifting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Steganography to Hide Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining Encrypted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Recovering Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 356 358 358 361 362 362 Performing Remote Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 Remote Acquisitions with Runtime Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Hands-On Projects . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 CHAPTER 10 Recovering Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 Recognizing a Graphics File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Bitmap and Raster Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Vector Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Metafile Graphics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Graphics File Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Digital Camera File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 382 383 383 383 384 Understanding Data Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Lossless and Lossy Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Locating and Recovering Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Identifying Graphics File Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Repairing Damaged Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Searching for and Carving Data from Unallocated Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rebuilding File Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reconstructing File Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 389 389 390 396 399 Identifying Unknown File Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Analyzing Graphics File Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tools for Viewing Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Steganography in Graphics Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Steganalysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 406 407 408 411 Understanding Copyright Issues with Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Table of Contents xi Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 CHAPTER 11 Virtual Machines, Network Forensics, and Live Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 Virtual Machines Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Network Forensics Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Securing a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Performing Live Acquisitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 Performing a Live Acquisition in Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Developing Standard Procedures for Network Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Reviewing Network Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432 Using Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using UNIX/Linux Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Packet Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining the Honeynet Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 435 439 441 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Key Terms. . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 CHAPTER 12 E-mail Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 Exploring the Role of E-mail in Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 Exploring the Roles of the Client and Server in E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 Investigating E-mail Crimes and Violations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining E-mail Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Viewing E-mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining E-mail Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining Additional E-mail Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tracing an E-mail Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Network E-mail Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
454 455 456 463 465 466 466 Understanding E-mail Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining UNIX E-mail Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining Microsoft E-mail Server Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Examining Novell GroupWise E-mail Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467 469 470 471 Using Specialized E-mail Forensics Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using AccessData FTK to Recover E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using a Hexadecimal Editor to Carve E-mail Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Recovering Outlook Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 476 481 484 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 xii Table of Contents CHAPTER 13 Cell Phone and Mobile Device Forensics. . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 Understanding Mobile Device Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mobile Phone Basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inside Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inside PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 497 499 500 Understanding Acquisition Procedures for Cell Phones and Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . 501 Mobile Forensics Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513 CHAPTER 14 Report Writing for High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515 Understanding the Importance of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
516 Limiting a Report to Specifics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518 Guidelines for Writing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . What to Include in Written Preliminary Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Report Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Writing Reports Clearly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Designing the Layout and Presentation of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 520 521 522 523 Generating Report Findings with Forensics Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Using ProDiscover Basic to Generate Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Using AccessData FTK to Generate Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533 Key Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534 Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534 Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . 536 Case Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 CHAPTER 15 Expert Testimony in High-Tech Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 Preparing for Testimony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Documenting and Preparing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Reviewing Your Role as a Consulting Expert or an Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating and Maintaining Your CV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing Technical Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing to Deal with the News Media. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 543 544 544 545 545 Testifying in Court . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding the Trial Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Providing Qualifications for Your Testimony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . General Guidelines on Testifying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Testifying During Direct Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Testifying During Cross-Examination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Table of Contents

Preparing for a Deposition or Hearing  554
  Guidelines for Testifying at Depositions  555
  Guidelines for Testifying at Hearings  557
Preparing Forensics Evidence for Testimony  557
  Preparing Explanations of Your Evidence-Collection Methods  561
Chapter Summary  562
Key Terms  562
Review Questions  563
Hands-On Projects  566
Case Projects  574

CHAPTER 16 Ethics for the Expert Witness  575
Applying Ethics and Codes to Expert Witnesses  576
  Computer Forensics Examiners’ Roles in Testifying  577
  Considerations in Disqualification  578
  Traps for Unwary Experts  579
  Determining Admissibility of Evidence  580
Organizations with Codes of Ethics  580
  International Society of Forensic Computer Examiners  581
  International High Technology Crime Investigation Association  581
  International Association of Computer Investigative Specialists  582
  American Bar Association  582
  American Medical Association  583
  American Psychological Association  584
Ethical Difficulties in Expert Testimony  585
  Ethical Responsibilities Owed to You  586
  Standard and Personally Created Forensics Tools  586
An Ethics Exercise  587
  Determining Hexadecimal Values for Text Strings  587
  Searching for Unicode Data in ProDiscover Basic  588
  Interpreting Attribute 0x80 Data Runs  589
  Carving Data Run Clusters Manually  594
Chapter Summary  597
Key Terms  598
Review Questions  598
Hands-On Projects  600
Case Projects  602

APPENDIX A Certification Test References  603
NIST Computer Forensics Tool Testing  603
Types of Computer Forensics Certifications  603
  Professional Certifying Organizations  604
  Application Vendor Certifying Companies  605
  Computer Forensics Public and Private Training Groups  605

APPENDIX B Computer Forensics References  607
  Computer Forensics Reference Books  607
  MS-DOS Reference Books  608
  Windows Reference Books  608
  Linux Reference Books  609
  Legal Reference Books  609
  Web Links  609
  E-mail Lists  610
  Yahoo! Groups  610
  Professional Journals  611

APPENDIX C Computer Forensics Lab Considerations  613
International Lab Certification  613
  Considering Office Ergonomics  613
Considering Environmental Conditions  614
Considering Structural Design Factors  615
  Determining Electrical Needs  616
Planning for Communications  616
Installing Fire-Suppression Systems  617

APPENDIX D DOS File System and Forensics Tools  619
Overview of FAT Directory Structures  619
Sample DOS Scripts  623
  Setting Up Your Workstation for Computer Forensics  628
Creating Forensic Boot Media  631
  Assembling Tools for a Forensic Boot Floppy Disk  631
  Making an Image of a Floppy Disk in MS-DOS  636
Using MS-DOS Acquisition Tools  637
  Understanding How DriveSpy Accesses Sector Ranges  637
  Using DriveSpy Data Preservation Commands  639
  Using DriveSpy Data Manipulation Commands  645
Quick References for DriveSpy  648
  A Sample Script for DriveSpy  649
Using X-Ways Replica  651

GLOSSARY  653
INDEX  663

Preface

The rapid advance of technology has changed and influenced how we think about gathering digital evidence. Soon after the attacks on the World Trade Center in New York City on September 11, 2001, many young men and women volunteered to serve their country in different ways. For those who did not choose the military, options included positions with law enforcement and corporate security organizations. Ultimately, the combination of a renewed emphasis on homeland security along with the popularity of mainstream television shows, such as CSI, Forensic Files, and NCIS, has created a huge demand for highly educated specialists in the discipline of computer forensics. This demand is now being met by the advent of specialized forensics courses in colleges, universities, and even high schools throughout the United States. Computer forensics, however, is by no means a new field of endeavor.
During the early 1990s, while serving as a Special Agent with the Naval Criminal Investigative Service (NCIS), I realized that personal computers and, more specifically, unsecured personal computers posed a potential threat to national security. I became involved in conducting forensic investigations involving white collar crime, network intrusions, and telecommunications fraud. Recently, the U.S. government has taken significant steps to improve the quality and sophistication of the country’s computer forensic capabilities, including the formation of the U.S. Cyber Command (CYBERCOM) in the Department of Defense. Today, most new computer forensics specialists can expect to be involved in a wide variety of investigations, including terrorism counterintelligence, financial fraud issues, intellectual property theft, data security breaches, and electronic data discovery.

The skill sets computer forensics specialists must have are varied. At a minimum, they must have an in-depth knowledge of the criminal justice system, computer hardware and software systems, and investigative and evidence-gathering protocols. The next generation of “digital detectives” will have to possess the knowledge, skills, and experience to conduct complex, data-intensive forensic examinations involving various operating systems, platforms, and file types with data sets in the multiple-terabyte range. As time passes, the “hybrid discipline” of computer forensics is slowly evolving into a “hybrid science”—the science of digital forensics. Many colleges and universities in the United States and the United Kingdom have created multidiscipline curriculums that will offer undergraduate and graduate degrees in digital forensics.

Guide to Computer Forensics and Investigations, now in its fourth edition, has emerged as a significant authoritative text for the computer and digital forensics communities.
It’s my belief that this book, designed to be used primarily in an academic setting with an enthusiastic and knowledgeable facilitator, will make for a fascinating course of instruction. Today, it’s not just computers that harbor the binary code of 1s and 0s, but an infinite array of personal digital devices. If one of these devices retains evidence of a crime, it will be up to newly trained and educated digital detectives to find the digital evidence in a forensically sound manner. This book will assist both students and practitioners in accomplishing this goal.

Respectfully,
John A. Sgromolo

As a Senior Special Agent, John was one of the founding members of the NCIS Computer Crime Investigations Group. John left government service to run his own company, Digital Forensics, Inc., and has taught hundreds of law enforcement and corporate students nationwide the art and science of computer forensics investigations. Currently, John serves as the senior forensics examiner for digital forensic investigations at Verizon.

Introduction

Computer forensics has been a professional field for many years, but most well-established experts in the field have been self-taught. The growth of the Internet and the worldwide proliferation of computers have increased the need for computing investigations. Computers can be used to commit crimes, and crimes can be recorded on computers, including company policy violations, embezzlement, e-mail harassment, murder, leaks of proprietary information, and even terrorism. Law enforcement, network administrators, attorneys, and private investigators now rely on the skills of professional computer forensics experts to investigate criminal and civil cases. This book is not intended to provide comprehensive training in computer forensics. It does, however, give you a solid foundation by introducing computer forensics to those who are new to the field.
Other books on computer forensics are targeted to experts; this book is intended for novices who have a thorough grounding in computer and networking basics. The new generation of computer forensics experts needs more initial training because operating systems, computer hardware, and forensics software tools are changing more quickly. This book covers current and past operating systems and a range of computer hardware, from basic workstations to high-end network servers. Although this book focuses on a few forensics software tools, it also reviews and discusses other currently available tools.

The purpose of this book is to guide you toward becoming a skilled computer forensics investigator. A secondary goal is to help you pass the appropriate certification exams. As the field of computer forensics and investigations matures, keep in mind that certifications will change. You can find more information on certifications in Chapter 3 and Appendix A.

Intended Audience

Although this book can be used by people with a wide range of backgrounds, it’s intended for those with an A+ and Network+ certification or equivalent. A networking background is necessary so that you understand how PCs operate in a networked environment and can work with a network administrator when needed. In addition, you must know how to use a computer from the command line and how to use popular operating systems, including Windows, Linux, and Mac OS, and their related hardware. This book can be used at any educational level, from technical high schools and community colleges to graduate students. Current professionals in the public and private sectors can also use this book. Each group will approach investigative problems from a different perspective, but all will benefit from the coverage.
What’s New in This Edition

The chapter flow of this book has been revised so that you’re first exposed to what happens in a computer forensics lab and how to set one up before you get into the nuts and bolts. Coverage of several GUI tools has been added to give you a familiarity with some widely used software. In addition, Chapter 6 includes new information on interpreting the Windows NTFS Master File Table. The book’s DVD includes video tutorials for each chapter that show how to perform the steps in in-chapter activities and explain how to use most of the forensics tools on the DVD. Corrections have been made to this edition based on feedback from users, and all software packages and Web sites have been updated to reflect what’s current at the time of publication. A new lab manual is now offered to go with the new fourth edition textbook (ISBN: 1-4354-9885-2).

Chapter Descriptions

Here is a summary of the topics covered in each chapter of this book:

Chapter 1, “Computer Forensics and Investigations as a Profession,” introduces you to the history of computer forensics and explains how the use of electronic evidence developed. It also introduces legal issues and compares public and private sector cases.

Chapter 2, “Understanding Computer Investigations,” introduces you to tools used throughout the book and shows you how to apply scientific techniques to an investigative case. In addition, it covers procedures for corporate investigations, such as industrial espionage and employee termination cases.

Chapter 3, “The Investigator’s Office and Laboratory,” outlines physical requirements and equipment for computer forensics labs, from small private investigators’ labs to the regional FBI lab. It also covers certifications for computing investigators and building a business case for a forensics lab.

Chapter 4, “Data Acquisition,” explains how to prepare to acquire data from a suspect’s drive and discusses available command-line and GUI acquisition tools.
This chapter also discusses acquiring data from RAID systems and gives you an overview of tools for remote acquisitions.

Chapter 5, “Processing Crime and Incident Scenes,” explains search warrants and the nature of a typical computer forensics case. It discusses when to use outside professionals, how to assemble a team, and how to evaluate a case and explains proper procedures for searching and seizing evidence. This chapter also introduces you to calculating hashes to verify data you collect.

Chapter 6, “Working with Windows and DOS Systems,” discusses the most common operating systems. You learn what happens and what files are altered during computer startup and how each system deals with deleted and slack space. In addition, a new section on working with virtual machines has been added.

Chapter 7, “Current Computer Forensics Tools,” explores current computer forensics software and hardware tools, including those that might not be readily available, and evaluates their strengths and weaknesses.

Chapter 8, “Macintosh and Linux Boot Processes and File Systems,” continues the operating system discussion from Chapter 6 by examining Macintosh and Linux operating systems. It also covers CDs, DVDs, and SCSI, IDE/EIDE, and SATA drives.

Chapter 9, “Computer Forensics Analysis and Validation,” covers determining what data to collect and analyze and refining investigation plans. It also explains validation with hex editors and forensics software, data-hiding techniques, and techniques for remote acquisitions.

Chapter 10, “Recovering Graphics Files,” explains how to recover graphics files and examines data compression, carving data, reconstructing file fragments, and steganography and copyright issues.

Chapter 11, “Virtual Machines, Network Forensics, and Live Acquisitions,” covers tools and methods for acquiring virtual machines, conducting network investigations, performing live acquisitions, and reviewing network logs for evidence.
It also examines using UNIX/Linux tools and the Honeynet Project’s resources.

Chapter 12, “E-mail Investigations,” covers e-mail and Internet fundamentals and examines e-mail crimes and violations. It also reviews some specialized e-mail forensics tools.

Chapter 13, “Cell Phone and Mobile Device Forensics,” covers investigation techniques and acquisition procedures for recovering data from cell phones and mobile devices. It also provides guidance on dealing with these constantly changing technologies.

Chapter 14, “Report Writing for High-Tech Investigations,” discusses the importance of report writing in computer forensics examinations; offers guidelines on report content, structure, and presentation; and explains how to generate report findings with forensics software tools.

Chapter 15, “Expert Testimony in High-Tech Investigations,” explores the role of an expert or technical/scientific witness, including developing a curriculum vitae, understanding the trial process, and preparing forensics evidence for testimony. It also offers guidelines for testifying in court and at depositions and hearings.

Chapter 16, “Ethics for the Expert Witness,” provides guidance in the principles and practice of ethics for computer forensics investigators and examines other professional organizations’ codes of ethics.

Appendix A, “Certification Test References,” provides information on the National Institute of Standards and Technology (NIST) testing processes for validating computer forensics tools and covers computer forensics certifications and training programs.

Appendix B, “Computer Forensics References,” lists recommended books, journals, e-mail lists, and Web sites for additional information and further study.

Appendix C, “Computer Forensics Lab Considerations,” provides more information on considerations for forensics labs, including certifications, ergonomics, structural design, and communication and fire-suppression systems.
Appendix D, “DOS File System and Forensics Tools,” reviews FAT file system basics and explains using DOS computer forensics tools, creating forensic boot media, and using scripts. It also reviews DriveSpy commands and X-Ways Replica.

Features

To help you fully understand computer forensics, this book includes many features designed to enhance your learning experience:

• Chapter objectives—Each chapter begins with a detailed list of the concepts to be mastered in that chapter. This list gives you a quick reference to the chapter’s contents and is a useful study aid.
• Figures and tables—Screenshots are used as guidelines for stepping through commands and forensics tools. For tools not included with the book or that aren’t offered in free demo versions, figures have been added to illustrate the tool’s interface. Tables are used throughout the book to present information in an organized, easy-to-grasp manner.
• Chapter summaries—Each chapter’s material is followed by a summary of the concepts introduced in that chapter. These summaries are a helpful way to review the ideas covered in each chapter.
• Key terms—Following the chapter summary, all new terms introduced in the chapter in boldfaced text are gathered together in the Key Terms list, with full definitions for each term. This list encourages a more thorough understanding of the chapter’s key concepts and is a useful reference.
• Review questions—The end-of-chapter assessment begins with a set of review questions that reinforce the main concepts in each chapter. These questions help you evaluate and apply the material you have learned.
• Hands-on projects—Although understanding the theory behind computer technology is important, nothing can improve on real-world experience. To this end, each chapter offers several hands-on projects with software supplied with this book or free downloads. You can explore a variety of ways to acquire and even hide evidence.
For the conceptual chapters, research projects are provided.
• Case projects—At the end of each chapter are several case projects, including a running case example used throughout the book. To complete these projects, you must draw on real-world common sense as well as your knowledge of the technical topics covered to that point in the book. Your goal for each project is to come up with answers to problems similar to those you’ll face as a working computer forensics investigator.
• Video tutorials—The book’s DVD includes audio-video instructions to help with learning the tools needed to perform in-chapter activities. Each tutorial is a .wmv file that can be played in most OSs. The skills learned from these tutorials can be applied to hands-on projects at the end of each chapter.
• Software and student data files—This book includes a DVD containing student data files and free software demo packages for use with activities and projects in the chapters. (Additional software demos or freeware can be downloaded to use in some projects.) Four software companies have graciously agreed to allow including their products with this book: Technology Pathways (ProDiscover Basic), AccessData (Forensic Toolkit, Registry Viewer, and FTK Imager), X-Ways (WinHex Demo), and Runtime Software (DiskExplorer for FAT, DiskExplorer for NTFS, and HDHOST). To check for newer versions or additional information, visit Technology Pathways, LLC at www.techpathways.com, AccessData Corporation at www.accessdata.com, X-Ways Software Technology AG at www.x-ways.net, and Runtime Software at www.runtime.org.

Text and Graphic Conventions

When appropriate, additional information and exercises have been added to this book to help you better understand the topic at hand. The following icons used in this book alert you to additional materials:

The Note icon draws your attention to additional helpful material related to the subject being covered.
Tips based on the authors’ experience offer extra information about how to attack a problem or what to do in real-world situations.

The Caution icons warn you about potential mistakes or problems and explain how to avoid them.

Each hands-on project in this book is preceded by the Hands-On icon and a description of the exercise that follows.

These icons mark case projects, which are scenario-based assignments. In these extensive case examples, you’re asked to apply independently what you have learned.

Instructor’s Resources

The following additional materials are available when this book is used in a classroom setting. All the supplements available with this book are provided to instructors on a single CD (ISBN 1435498844). You can also retrieve these supplemental materials from the Cengage Web site, www.cengage.com, by going to the page for this book, under “Download Instructor Files & Teaching Tools.”

• Electronic Instructor’s Manual—The Instructor’s Manual that accompanies this book includes additional instructional material to assist in class preparation, including suggestions for lecture topics, recommended lab activities, tips on setting up a lab for hands-on projects, and solutions to all end-of-chapter materials.
• ExamView Test Bank—This cutting-edge Windows-based testing software helps instructors design and administer tests and pretests. In addition to generating tests that can be printed and administered, this full-featured program has an online testing component that allows students to take tests at the computer and have their exams automatically graded.
• PowerPoint presentations—This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as a teaching aid for classroom presentations, to be made available to students on the network for chapter review, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides for other topics introduced.
• Figure files—All the figures in the book are reproduced on the Instructor’s Resources CD. Similar to the PowerPoint presentations, they’re included as a teaching aid for classroom presentation, to make available to students for review, or to be printed for classroom distribution.

Student Resources

Lab Manual for Guide to Computer Forensics and Investigations (ISBN: 1-4354-9885-2)
• Companion to Guide to Computer Forensics and Investigations, Fourth Edition. This lab manual provides students with additional hands-on experience.

Web-Based Labs for Guide to Computer Forensics and Investigations (ISBN: 1-4354-9886-0)
• Using a real lab environment over the Internet, students can log on anywhere, anytime via a Web browser to gain essential hands-on experience in computer forensics using labs from Guide to Computer Forensics and Investigations, Fourth Edition.

Lab Requirements

The hands-on projects in this book help you apply what you have learned about computer forensics techniques. The following sections list the minimum requirements for completing all the projects in this book. In addition to the items listed, you must be able to download and install demo versions of software.

Minimum Lab Requirements
• Lab computers that boot to Windows XP
• Computers that dual-boot to Linux or UNIX
• At least one Macintosh computer running Mac OS X (although most projects are done in Windows or Linux/UNIX)
• An external USB, FireWire, or SATA drive larger than a typical 512 MB USB drive

The projects in this book are designed with the following hardware and software requirements in mind. The lab in which most of the work takes place should be a typical network training lab with a variety of operating systems and computers available.

Operating Systems and Hardware

Windows XP or Vista
Use a standard installation of Windows XP Professional or Vista.
The computer running Windows XP or Vista should be a fairly current model that meets the following minimum requirements:
• USB ports
• CD-ROM/DVD-ROM drive
• VGA or higher monitor
• Hard disk partition of 10 GB or more
• Mouse or other pointing device
• Keyboard
• At least 512 MB RAM (more is recommended)

Linux
For this book, it’s assumed you’re using an Ubuntu, Red Hat Linux 9, or Fedora standard installation, although other Linux distributions will work with minor modifications. Also, some projects use specialized “live” Linux distributions, such as BackTrack. Some optional steps require the GIMP graphics editor, which must be installed separately in Red Hat Linux 9. Linux can be installed on a dual-boot computer as long as one or more partitions of at least 2 GB are reserved for the Linux OS.
• Hard disk partition of 2 GB or more reserved for Linux
• Other hardware requirements are the same as those listed for Windows computers

This book contains a dual-layered DVD with data files, demo software, and video tutorials. Some older computers and DVD drives might have difficulty reading data from this type of DVD. If you have any problems, make sure your computer has a DVD drive capable of reading dual-layer DVDs, and copy the data to an external USB or FireWire drive before transferring it to your computer.

Computer Forensics Software
Several computer forensics programs, listed previously under “Features,” are supplied with this book. In addition, there are projects using the following software, most of which can be downloaded from the Internet as freeware, shareware, or free demo versions:

Because Web site addresses change frequently, use a search engine to find the following software online if URLs are no longer valid. Efforts have been made to provide information that’s current at the time of writing, but things change constantly on the Web.
Learning how to use search tools to find what you need is a valuable skill you’ll use as a computer forensics investigator.

• BackTrack 3: Download from www.remote-exploit.org/backtrack.html.
• BitPim: Download from www.bitpim.org.
• BlackBag Technologies Macintosh Forensic Software: Download a trial version from www.blackbagtech.com/support/downloads.html. (Note that you must e-mail for a username and password before you can download the software. In addition, this URL has recently changed from the one given in Chapter 8.)
• HexWorkshop: Download from Breakpoint Software at www.hexworkshop.com.
• IrfanView: Download from www.irfanview.com.
• Knoppix-STD: Download the ISO image from http://s-t-d.org and burn it to a CD.
• Microsoft Virtual PC: Download from www.microsoft.com/virtualpc. (Check with your instructor about using an ISO image that the Microsoft Academic Alliance provides to schools.)
• OpenOffice (includes OpenCalc): Download from www.openoffice.org.
• PsTools: Download from www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx.
• SecureClean: Download from www.whitecanyon.com/secureclean.php.
• SIMCon: Download a commercial version from www.simcon.no.
• Sleuth Kit 2.08 and Autopsy Browser 2.07: Download from www.sleuthkit.org.
• S-Tools4: Download from www.stegoarchive.com.
• WinZip: Download an evaluation version from www.winzip.com/download.htm.
• Wireshark: Download from www.wireshark.org.

In addition, you use Microsoft Office Word (or other word processing software) and Excel (or other spreadsheet software) as well as a Web browser. You also need to have e-mail software installed on your computer, as explained in Chapter 12.

About the Authors

Bill Nelson has been a lead computer forensics investigator for a Fortune 50 company for more than 11 years and has developed high-tech investigation programs for professional organizations and colleges.
His previous experience includes Automated Fingerprint Identification System (AFIS) software engineering and reserve police work. Bill has served as president and vice president for Computer Technology Investigators Northwest (CTIN) and is a member of Computer Related Information Management and Education (CRIME). He routinely lectures at several colleges and universities in the Pacific Northwest.

Amelia Phillips is a graduate of the Massachusetts Institute of Technology with B.S. degrees in astronautical engineering and archaeology and an MBA in technology management. After serving as an engineer at the Jet Propulsion Lab, she worked with e-commerce Web sites and began her training in computer forensics to prevent credit card numbers from being stolen from sensitive e-commerce databases. She designed certificate and AAS programs for community colleges in e-commerce, network security, computer forensics, and data recovery. She is currently tenured at Highline Community College in Seattle, Washington. Amelia is a Fulbright Scholar who taught at Polytechnic of Namibia in 2005 and 2006.

Christopher Steuart is a practicing attorney maintaining a general litigation practice, with experience in information systems security for a Fortune 50 company and the U.S. Army. He is also General Counsel for Computer Investigators Northwest (CTIN). He has presented computer forensics seminars in regional and national forums, including the American Society for Industrial Security (ASIS), Agora, Northwest Computer Technology Crime Analysis Seminar (NCT), and CTIN.

Acknowledgments

The team would like to express its appreciation to Acquisitions Editor Steve Helba, who has given us a great deal of moral support. We would like to thank the entire editorial and production staff for their dedication and fortitude during this project, including Michelle Ruelos Cannistraci, Senior Product Manager, and Jessica McNavich, Content Project Manager.
Our special thanks go to Lisa Lord, the Developmental Editor. We also appreciate the careful reading and thoughtful suggestions of the Technical Editor, John Bosco. We would like to thank the reviewers: Dean Farwood, Heald College, and Michael Goldner, ITT Technical Institute. We would also like to thank Franklin Clark, an investigator for the Pierce County Prosecutor in Tacoma, Washington, for his input, and Mike Lacey for his photos.

Bill Nelson

I want to express my appreciation to my wife, Tricia, for her support during the long hours spent writing, along with my mother, Celia, and in memory of my father, Harry, for their encouragement these past years. I would also like to express appreciation to my coauthors along with our editors for the team effort in producing this book. And special thanks for the support and encouragement from my computer forensics colleagues: Franklin Clark of the Pierce County Prosecutor’s Office, Tacoma, Washington; Detective Mike McNown, retired, Wichita PD; Scott Larson and Don Allison of Stroz Friedberg, LLC; Detectives Brian Palmer, Barry Walden, and Melissa Rogers of the King County Sheriff’s Office, Seattle, Washington; John Sgromolo of Verizon; Art Ehuan of Digital First; Brett Shavers of e3Discovery; Clint Baker of the RCMP; Colin Cree of Forensic Data Recovery, Inc.; Chris Brown of Technology Pathways; Gordon Ross, formerly of Net Nanny; and Gordon Mitchell of Future Focus, Inc.

Amelia Phillips

My deepest gratitude goes to my coauthor Bill Nelson. I want to reiterate the thanks to Steve Helba and Lisa Lord for their patience and support. Acknowledgments go to my students who helped with research on determining what you can and can’t do with a cell phone: Ron “Fry” Frymier, Rachel Sundstrom, Anne Weingart, Dave Wilson, Casey Draper, and Lynne Bowen. Acknowledgments also go to the fabulous group of students who put together the firestarter/arson case project used in the book.
I would also like to thank the students from the Seattle area PDs and corporations who gave me a lot of case histories and insight. Thanks also go to Teressa Mobley, Detective Melissa Rogers, and Deb Buser who helped me with several cases and the cell phone software. Thanks go to my friends for their support, and special thanks to my aunties, who are all great teachers and set an excellent example for me.

Christopher K. Steuart

I would like to express my appreciation to my wife, Josephine, son, Alexander, and daughter, Isobel, for their enthusiastic support of my commitment to Guide to Computer Forensics and Investigations, even as it consumed time and energy that they deserved. I also want to express my thanks to my parents, William and Mary, for their support of my education and development of the skills needed for this project. I thank my coauthors for inviting me to join them in this project. I would like to express my appreciation to the Boy Scouts of America for providing me with the first of many leadership opportunities in my life. I want to recognize Lieutenant General (then Captain) Edward Soriano for seeing the potential in me as a young soldier and encouraging me in learning the skills required to administer, communicate with, and command an organization within the structure of law, regulation, and personal commitment. I must also thank the faculty of Drake University Law School, particularly Professor James A. Albert, for encouraging me to think and write creatively about the law. I also note the contribution of Diane Gagon and the staff of the Seattle Mission of the Church of Scientology in supporting my better understanding of commitment to myself and the others.
Photo Credits

Figure 1-3: 8088 computer courtesy of IBM Corporate Archives

Chapter 1
Computer Forensics and Investigations as a Profession

After reading this chapter and completing the exercises, you will be able to:

• Define computer forensics
• Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
• Explain the importance of maintaining professional conduct

In the past several years, the field of computer forensics and investigations has evolved significantly. This chapter introduces you to computer forensics and investigations and discusses some problems and concerns prevalent in the industry. This book blends traditional investigation methods with classic systems analysis problem-solving techniques and applies them to computer investigations. An understanding of these disciplines combined with the use of computer forensics tools will make you a highly skilled computer forensics examiner.

Understanding Computer Forensics

Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases. The Federal Rules of Evidence (FRE) has controlled the use of digital evidence since 1970; from 1970 to 1985, state rules of evidence, as they were adopted by each state, controlled use of this type of evidence. The FBI Computer Analysis and Response Team (CART) was formed in 1984 to handle the increasing number of cases involving digital evidence. Figure 1-1 shows the home page for the FBI CART. By the late 1990s, CART had teamed up with the Department of Defense Computer Forensics Laboratory (DCFL) for research and training. Much of the early curriculum in this field came from the DCFL.

Figure 1-1 The FBI CART Web site

Documents maintained on a computer are covered by different rules, depending on the nature of the documents.
Many court cases in state and federal courts have developed and clarified how the rules apply to digital evidence. The Fourth Amendment to the U.S. Constitution (and each state’s constitution) protects everyone’s rights to be secure in their person, residence, and property from search and seizure, for example. Continuing development of the jurisprudence of this amendment has played a role in determining whether the search for digital evidence has established a different precedent, so separate search warrants might not be necessary. However, when preparing to search for evidence in a criminal case, many investigators still include the suspect’s computer and its components in the search warrant to avoid later admissibility problems.

In a significant case, the Pennsylvania Supreme Court addressed expectations of privacy and whether evidence is admissible (see Commonwealth v. Copenhefer, 587 A.2d 1353, 526 Pa. 555 [1991]). Initial investigations by the FBI, state police, and local police resulted in the discovery of a series of computer-generated notes and instructions, each one leading to another, which had been concealed in hiding places in and around Corry, Pennsylvania. The investigation also produced several possible suspects, including David Copenhefer, who owned a nearby bookstore and apparently had bad personal relations with the victim and her husband. Examination of trash discarded from Copenhefer’s store revealed drafts of the ransom note and directions. Subsequent search warrants resulted in seizure of evidence against him. Copenhefer’s computer contained several drafts and amendments of the text of the phone call to the victim on Thursday, the phone call to the victim’s husband on Friday, the ransom note, the series of hidden notes, and a plan for the entire kidnapping scheme (Copenhefer, p. 559).
On direct appeal, the Pennsylvania Supreme Court concluded that the physical evidence, including the computer forensics evidence, was sufficient to support the bookstore owner’s conviction. Copenhefer’s argument was that “[E]ven though his computer was validly seized pursuant to a warrant, his attempted deletion of the documents in question created an expectation of privacy protected by the Fourth Amendment. Thus, he claims, under Katz v. United States, 389 U.S. 347, 357, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967), and its progeny, Agent Johnson’s retrieval of the documents, without first obtaining another search warrant, was unreasonable under the Fourth Amendment and the documents thus seized should have been suppressed” (Copenhefer, p. 561). The Pennsylvania Supreme Court rejected this argument, stating “A defendant’s attempt to secrete evidence of a crime is not synonymous with a legally cognizable expectation of privacy. A mere hope for secrecy is not a legally protected expectation. If it were, search warrants would be required in a vast number of cases where warrants are clearly not necessary” (Copenhefer, p. 562).

Almost every United States jurisdiction now has case law related to the admissibility of evidence recovered from computers. Canadian criminal law is primarily federal and generally enforced in provincial court. The United States Department of Justice offers a useful guide to search and seizure procedures for computers and computer evidence at www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm. This guide includes the 2006 update on search warrants and affidavits.

Computer Forensics Versus Other Related Disciplines

According to DIBS USA, Inc., a privately owned corporation specializing in computer forensics (www.dibsusa.com), computer forensics involves scientifically examining and analyzing data from computer storage media so that the data can be used as evidence in court.
You can find a similar definition on the FBI’s Web site (www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm). Typically, investigating computers includes collecting computer data securely, examining suspect data to determine details such as origin and content, presenting computer-based information to courts, and applying laws to computer practice.

In general, computer forensics investigates data that can be retrieved from a computer’s hard drive or other storage media. Like an archaeologist excavating a site, computer investigators retrieve information from a computer or its component parts. The information you retrieve might already be on the drive, but it might not be easy to find or decipher.

In contrast, network forensics yields information about how a perpetrator or an attacker gained access to a network. Network forensics investigators use log files to determine when users logged on and determine which URLs users accessed, how they logged on to the network, and from what location. Keep in mind, however, that network forensics also tries to determine what tracks or new files were left behind on a victim’s computer and what changes were made. In Chapter 11, you explore when and how network forensics should be used in your investigation.

Computer forensics is also different from data recovery, which involves recovering information from a computer that was deleted by mistake or lost during a power surge or server crash, for example. In data recovery, typically you know what you’re looking for. Computer forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence. The evidence can be inculpatory (in criminal cases, the expression is “incriminating”) or exculpatory, meaning it might clear the suspect. Investigators often examine a computer disk not knowing whether it contains evidence.
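The network forensics paragraph above lists the questions an investigator answers from log files: when users logged on, how (which authentication method), from what location, and which URLs they accessed. The following added example, which is not code from the book, shows that work in miniature. It parses two constructed logs (an sshd authentication log and a web-proxy access log, invented for this example), merges them into one timeline, and summarizes the answers per user. The 10.0.0.0/8 range is assumed to be the internal network; the log formats are assumptions chosen to resemble common syslog and proxy layouts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not taken from the book): an SSH authentication log and a
# web-proxy access log covering the same morning. 10.0.0.0/8 is the assumed internal range.
AUTH_LOG = """\
2009-03-02T08:14:02 srv1 sshd[4021]: Accepted password for jdoe from 10.0.0.57 port 51324 ssh2
2009-03-02T08:16:40 srv1 sshd[4033]: Failed password for root from 203.0.113.9 port 40021 ssh2
2009-03-02T08:16:44 srv1 sshd[4033]: Accepted publickey for mroe from 203.0.113.9 port 40022 ssh2
"""
PROXY_LOG = """\
2009-03-02T08:15:10 10.0.0.57 jdoe GET http://intranet.example/payroll/export.csv 200
2009-03-02T08:17:01 203.0.113.9 mroe GET http://files.example/share/tools.zip 200
2009-03-02T08:17:30 203.0.113.9 mroe POST http://paste.example/upload 201
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)


def parse_auth(text):
    """Turn sshd lines into logon events: who, when, how (auth method), and from where."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # lines that do not match are skipped, never guessed at
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "kind": "logon" if m["result"] == "Accepted" else "failed_logon",
            "user": m["user"], "ip": m["ip"], "detail": m["method"],
        })
    return events


def parse_proxy(text):
    """Turn proxy lines into URL-access events attributed to a user and source address."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "kind": "url", "user": m["user"], "ip": m["ip"],
            "detail": f'{m["verb"]} {m["url"]}',
        })
    return events


def build_timeline(events):
    """Merge events from both sources into one chronologically ordered list."""
    return sorted(events, key=lambda e: e["ts"])


def summarize_by_user(timeline):
    """Per user: when and how they logged on, from which address, which URLs they
    touched, and how many logon attempts failed."""
    summary = defaultdict(lambda: {"logons": [], "urls": [], "failed_logons": 0})
    for e in timeline:
        entry = summary[e["user"]]
        if e["kind"] == "logon":
            entry["logons"].append((e["ts"].isoformat(), e["detail"], e["ip"]))
        elif e["kind"] == "failed_logon":
            entry["failed_logons"] += 1
        else:
            entry["urls"].append(e["detail"])
    return dict(summary)


def is_internal(ip, internal_prefix="10."):
    # Assumed internal address range for the constructed sample.
    return ip.startswith(internal_prefix)


def external_logons(timeline):
    """Successful logons that did not come from the internal range: the
    'from what location' question an investigator asks first."""
    return [e for e in timeline if e["kind"] == "logon" and not is_internal(e["ip"])]


if __name__ == "__main__":
    tl = build_timeline(parse_auth(AUTH_LOG) + parse_proxy(PROXY_LOG))
    for e in tl:
        print(e["ts"].isoformat(), e["kind"], e["user"], e["ip"], e["detail"])
    for e in external_logons(tl):
        print("external logon:", e["user"], "from", e["ip"], "via", e["detail"])
```

Correlating the two sources is what makes the timeline useful: the proxy log alone shows a user fetching files, the auth log alone shows a remote logon, but together they show that the same external address both authenticated and then uploaded data a minute later. On a real case the same structure scales to firewall, DHCP, and VPN logs, each with its own regular expression feeding the shared event format.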
They must search storage media, and if they find data, they piece it together to produce evidence. Forensics software tools can be used for most cases. In extreme cases, investigators can use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or reformatted purposefully. This method is usually cost prohibitive, running from a low end of US$3,000 to more than US$20,000, so it’s not normally used.

Like companies specializing in data recovery, companies specializing in disaster recovery use computer forensics techniques to retrieve information their clients have lost. Disaster recovery also involves preventing data loss by using backups, uninterruptible power supply (UPS) devices, and off-site monitoring.

Investigators often work as a team to make computers and networks secure in an organization. The computer investigations function is one of three in a triad that makes up computing security. In an enterprise network environment, the triad consists of the following parts (shown in Figure 1-2):

• Vulnerability assessment and risk management
• Network intrusion detection and incident response
• Computer investigations

Figure 1-2 The investigations triad

Each side of the triad in Figure 1-2 represents a group or department responsible for performing the associated tasks. Although each function operates independently, all three groups draw from one another when a large-scale computing investigation is being conducted. By combining these three groups into a team, all aspects of a high-technology investigation are addressed without calling in outside specialists. The term enterprise network environment refers to large corporate computing systems that might include disparate or formerly independent systems. In smaller companies, one group might perform the tasks shown in the investigations triad, or a small company might contract with other companies for these services.
When you work in the vulnerability assessment and risk management group, you test and verify the integrity of standalone workstations and network servers. This integrity check covers the physical security of systems and the security of operating systems (OSs) and applications. People who work in this group test for known vulnerabilities of OSs and applications used in the network. This group also launches attacks on the network and its workstations and servers to assess vulnerabilities. Typically, people performing this task have several years of experience in UNIX and Windows administration.

Professionals in the vulnerability assessment and risk management group also need skills in network intrusion detection and incident response. This group detects intruder attacks by using automated tools and monitoring network firewall logs manually. When an external attack is detected, the response team tracks, locates, and identifies the intrusion method and denies further access to the network. If an intruder launches an attack that causes damage or potential damage, this team collects the necessary evidence, which can be used for civil or criminal litigation against the intruder. Litigation is the legal process of establishing criminal or civil liability in court. If an internal user is engaged in illegal acts, the network intrusion detection and incident response group responds by locating the user and blocking his or her access. For example, someone at a community college sends inflammatory e-mails to other users on the network. The network team realizes that the e-mails are coming from a node on the internal network and dispatches a security team to the location.

Vulnerability assessment staff often contribute significantly to computing investigations. The computer investigations group manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime.
For complex casework, the computer investigations group draws on resources from those involved in vulnerability assessment, risk management, and network intrusion detection and incident response. This group resolves or terminates all case investigations.

A Brief History of Computer Forensics

Thirty years ago, most people didn’t imagine that computers would be an integral part of everyday life. Now computer technology is commonplace, as are crimes in which a computer is the instrument of the crime, the target of the crime, and, by its nature, the location where evidence is stored or recorded.

By the 1970s, electronic crimes were increasing, especially in the financial sector. Most computers in this era were mainframes, used by trained people with specialized skills who worked in finance, engineering, and academia. White-collar fraud began when people in these industries saw a way to make money by manipulating computer data. One of the most well-known crimes of the mainframe era is the one-half cent crime. Banks commonly tracked money in accounts to the third decimal place or more. They used and still use the “rounding up” accounting method when paying interest. If the interest applied to an account resulted in a fraction of a cent, that fraction was used in the calculation for the next account until the total resulted in a whole cent. It was assumed that sooner or later every customer would benefit. Some computer programmers corrupted this method by opening an account for themselves and writing programs that diverted all the fractional monies into their accounts. In small banks, this practice amounted to only a few hundred dollars a month. In large banks with many branch offices, however, the amount reached hundreds of thousands of dollars. During this time, most law enforcement officers didn’t know enough about computers to ask the right questions or to preserve evidence for trial.
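The one-half cent crime above turns on a precise property of the honest "rounding up" method: the fraction carried into an account's calculation is always less than one cent, so no account can ever be credited a full cent more than the interest it actually earned. The following added example (not code from the book) implements the carry method as the chapter describes it on a constructed set of five accounts and a constructed 0.25% per-period rate, then writes the audit check an examiner would run over a posted ledger. It also includes a constructed ledger showing what a diverting program would have posted, to make one point the narrative does not state outright: the diverted run has exactly the same grand total as the honest run, so a totals-only reconciliation passes it and only the per-account bound catches it.

```python
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed sample data (not from the book): five accounts, 0.25% interest per period.
RATE = Decimal("0.0025")
ACCOUNTS = [("A", "1234.56"), ("B", "789.01"), ("C", "4567.89"),
            ("D", "250.00"), ("E", "10.00")]


def exact_interest(balance, rate=RATE):
    """Interest to full precision, so the fraction of a cent stays visible."""
    return Decimal(balance) * rate


def post_interest_with_carry(accounts, rate=RATE):
    """The 'rounding up' method the chapter describes: each account is credited
    whole cents, and the leftover fraction of a cent is added to the next
    account's calculation until it amounts to a whole cent. Returns the credits
    and the fraction still unpaid at the end of the run."""
    carry = Decimal("0")
    credits = {}
    for acct, balance in accounts:
        due = exact_interest(balance, rate) + carry
        whole = due.quantize(CENT, rounding=ROUND_DOWN)
        carry = due - whole
        credits[acct] = whole
    return credits, carry


def ledger_total(credits):
    """Grand total of interest credited in a run."""
    return sum(credits.values(), Decimal("0"))


def audit_interest_run(accounts, credits, rate=RATE):
    """Flag accounts credited a whole cent or more above their own exact interest.
    Under the carry method an account gains at most the fraction carried in,
    which is always below one cent; an account collecting everyone's fractions
    breaks that bound even when the run's grand total is unchanged."""
    balances = dict(accounts)
    flagged = []
    for acct, credited in credits.items():
        exact = exact_interest(balances.get(acct, "0"), rate)
        if credited - exact >= CENT:
            flagged.append(acct)
    return sorted(flagged)


# Constructed ledger of what a diverting program would have posted: every account gets
# only its own whole cents and all the fractions land in account E. Its total, 17.12,
# equals the honest run's total, which is why a totals-only check would not notice.
SKIMMED_LEDGER = {"A": Decimal("3.08"), "B": Decimal("1.97"), "C": Decimal("11.41"),
                  "D": Decimal("0.62"), "E": Decimal("0.04")}


if __name__ == "__main__":
    honest, leftover = post_interest_with_carry(ACCOUNTS)
    print("honest run:", honest, "carry left:", leftover, "total:", ledger_total(honest))
    print("honest audit flags:", audit_interest_run(ACCOUNTS, honest))
    print("skimmed total:", ledger_total(SKIMMED_LEDGER))
    print("skimmed audit flags:", audit_interest_run(ACCOUNTS, SKIMMED_LEDGER))
```

Decimal arithmetic is used deliberately: the whole scheme lives below the cent, and binary floating point would introduce its own sub-cent noise and make the bound unreliable. Over a real interest run the same check is a single pass over the posting journal against the balance file, which is cheap enough to run every cycle.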
Many began to attend the Federal Law Enforcement Training Center (FLETC) programs designed to train law enforcement in recovering digital data.

As PCs gained popularity and began to replace mainframe computers in the 1980s, many different OSs emerged. Apple released the Apple 2E in 1983 and then the Macintosh in 1984. Computers such as the TRS-80 and Commodore 64 were the machines of the day. CP/M machines, such as the Kaypro and Zenith, were also in demand. Disk Operating System (DOS) was available in many varieties, including PC-DOS, QDOS, DR-DOS, IBM-DOS, and MS-DOS.

Forensics tools at that time were simple, and most were generated by government agencies, such as the Royal Canadian Mounted Police (RCMP, which had its own investigative tools) and the U.S. Internal Revenue Service (IRS). Most tools were written in C and assembly language and weren’t available to the general public. In the mid-1980s, a new tool, Xtree Gold, appeared on the market. It recognized file types and retrieved lost or deleted files. Norton DiskEdit soon followed and became the preferred tool for finding deleted files. You could use these tools on the most powerful PCs of that time; IBM-compatible computers had 10 MB hard disks and two floppy drives, as shown in Figure 1-3.

Figure 1-3 An 8088 computer

In 1987, Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage (see Figure 1-4). At this time, the popular Commodore 64 still used standard audiotapes to record data, so the Mac SE represented an important advance in computer technology.

Figure 1-4 A Mac SE with an external EasyDrive hard disk

By the early 1990s, specialized tools for computer forensics were available. The International Association of Computer Investigative Specialists (IACIS) introduced training on software for forensics investigations, and the IRS created search-warrant programs.
However, no commercial GUI software for computer forensics was available until ASR Data created Expert Witness for Macintosh. This software could recover deleted files and fragments of deleted files. One of the ASR Data partners later left and developed EnCase, which has become a popular computer forensics tool.

As computer technology continued to evolve, more computer forensics software was developed. The introduction of large hard disks posed new problems for investigators. Most DOS-based software didn’t recognize a hard disk larger than 8 GB. Because contemporary computers have hard disks of 200 GB and larger, changes in forensics software were needed. Later in this book, you explore the challenges of using older software and hardware.

Other software, such as ILook, which is currently maintained by the IRS Criminal Investigation Division and limited to law enforcement, can analyze and read special files that are copies of a disk. AccessData Forensic Toolkit (FTK) has become a popular commercial product that performs similar tasks in the law enforcement and civilian markets, and you use it in several projects in this book. As software companies become savvier about computer forensics and investigations, they are publishing more forensics tools to keep pace with technology. This book discusses as many tools as possible. You should also refer to trade publications and Web sites, such as www.ctin.org (Computer Technology Investigators Network) and www.usdoj.gov (U.S. Department of Justice), to stay current.

Understanding Case Law

The technology of computers and other digital devices is evolving at an exponential pace. Existing laws and statutes simply can’t keep up with the rate of change. Therefore, when statutes or regulations don’t exist, case law is used. Case law allows legal counsel to use previous cases similar to the current one and addresses the ambiguity in laws. Each new case is evaluated on its own merit and issues.
The University of Rhode Island (http://dfc.cs.uri.edu) cites many cases in which problems occurred in the past. One example on the Web site is about an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes. Be aware that case law doesn’t involve creating new criminal offenses, however.

Developing Computer Forensics Resources

To be a successful computer forensics investigator, you must be familiar with more than one computing platform. In addition to older platforms, such as DOS and Windows 9x, you should be familiar with Linux, Macintosh, and current Windows platforms. However, no one can be an expert in every aspect of computing. Likewise, you can’t know everything about the technology you’re investigating. To supplement your knowledge, you should develop and maintain contact with computing, network, and investigative professionals. Keep a log of contacts, and record the names of other professionals you’ve worked with, their areas of expertise, the most recent projects you worked on together, and their contributions.

Join computer user groups in both the public and private sectors. In the Pacific Northwest, for example, Computer Technology Investigators Network (CTIN) meets monthly to discuss problems that law enforcement and corporations face. This nonprofit organization also conducts free training. You can probably locate a similar group in your area, such as the High Technology Crime Investigation Association (HTCIA), an organization that exchanges information about techniques related to computer investigations and security. (For more information, visit www.htcia.org.)
In addition, build your own network of computer forensics experts and other professionals, and keep in touch through e-mail. Cultivate professional relationships with people who specialize in technical areas different from your own specialty. If you’re a Windows expert, for example, maintain contact with experts in Linux, UNIX, and Macintosh. User groups can be especially helpful when you need information about obscure OSs.

For example, a user group helped convict a child molester in Pierce County, Washington, in 1996. The suspect installed video cameras throughout his house, served alcohol to young women to intoxicate them, and secretly filmed them playing strip poker. When he was accused of molesting a child, police seized his computers and other physical evidence. The investigator discovered that the computers used CoCo DOS, an OS that had been out of use for years. The investigator contacted a local user group, which supplied the standard commands and other information needed to gain access to the system. On the suspect’s computer, the investigator found a diary detailing the suspect’s actions over the past 15 years, including the molestation of more than 400 young women. As a result, the suspect received a longer sentence than if he had been convicted of molesting only one child.

Outside experts can provide detailed information you need to retrieve digital evidence. For example, a recent murder case involved a husband and wife who owned a Macintosh store. When the wife was discovered dead, apparently murdered, investigators found that she had wanted to leave her husband but didn’t because of her religious beliefs. The police got a search warrant and confiscated the home and office computers. When the detective on the case examined the home Macintosh, he found that the hard drive had been compressed and erased. He contacted a Macintosh engineer, who determined the two software programs used to compress the drive.
With this knowledge, the detective could retrieve information from the hard drive, including text files indicating that the husband spent $35,000 in business funds to purchase cocaine and prostitution services. This evidence proved crucial in making it possible to convict the husband of premeditated murder.

Take advantage of newsgroups, electronic mailing lists, and similar services devoted to computer forensics to solicit advice from experts. In one case, investigators couldn’t access the hard disk of an Intel computer containing digital evidence without the password, which was hard-coded in the motherboard. When they began to run out of options and time, they posted a description of the problem on a mailing list. A list member told them that a dongle (a mechanical device) would bypass the password problem. As a result, the investigators were able to gather evidence to convict the perpetrator. More recent cases involve laptops with specially designed ways of physically accessing the hard drives. Sometimes the manufacturer won’t tell the average person who calls how to access a laptop’s hard drive. Several investigators have had to go through law enforcement contacts to get this information—another example of the importance of developing good relationships with people in all aspects of the digital industry, not just other investigators.

Preparing for Computer Investigations

Computer investigations and forensics could be categorized several ways; for the purposes of this discussion, they fall into two distinct categories: public investigations and private or corporate investigations (see Figure 1-5). Public investigations involve government agencies responsible for criminal investigations and prosecution. Government agencies range from local, county, and state or provincial police departments to federal regulatory enforcement agencies.
These organizations must observe legal guidelines, such as Article 8 in the Charter of Rights of Canada, the Criminal Procedures Act of the Republic of Namibia, and U.S. Fourth Amendment issues of search and seizure (see Figure 1-6). The law of search and seizure protects the rights of all people, including (and perhaps especially) people suspected of crimes; as a computer investigator, you must be sure to follow these laws. The Department of Justice (DOJ) updates information on computer search and seizure regularly (see www.usdoj.gov/criminal/cybercrime/).

Public investigations usually involve criminal cases and government agencies; private or corporate investigations, however, deal with private companies, non-law-enforcement government agencies, and lawyers. These private organizations aren’t governed directly by criminal law or Fourth Amendment issues but by internal policies that define expected employee behavior and conduct in the workplace. Private corporate investigations can also involve litigation.

Figure 1-5 Public and private investigations

Figure 1-6 The Fourth Amendment

Although private investigations are usually conducted in civil cases, a civil case can develop into a criminal case, and a criminal case can have implications leading to a civil case. If you follow good forensics procedures, the evidence found in your investigations can make the transition between civil and criminal cases.

Understanding Law Enforcement Agency Investigations

When conducting public computer investigations, you must understand city, county, state or province, and federal or national laws on computer-related crimes, including standard legal processes and how to build a criminal case. In a criminal case, a suspect is tried for a criminal offense, such as burglary, murder, molestation, or fraud.
To determine whether there was a computer crime, an investigator asks questions such as the following: What was the tool used to commit the crime? Was it a simple trespass? Was it a theft, a burglary, or vandalism? Did the perpetrator infringe on someone else’s rights by cyberstalking or e-mail harassment?

Laws, including procedural rules, vary by jurisdiction and can be quite different. Therefore, this book points out when items accepted in U.S. courts don’t stand up in other courts. Lately, a major issue has been European Union (EU) privacy laws as opposed to U.S. privacy laws. Issues related to international companies are still being defined. Over the past decade, more companies have been consolidating into global entities. As a result, internal corporate investigations can involve laws of multiple countries. For example, a company has a subsidiary operating in Australia. An employee at that subsidiary is suspected of fraud, and as part of your investigation, you need to seize his cell phone. Under U.S. law, you can if he used it on company property and synchronized it with the company network. Under Australian law, you cannot.

Computers and networks might be only tools used to commit crimes and are, therefore, no different from the lockpick a burglar uses to break into a house. For this reason, many states have added specific language to criminal codes to define crimes involving computers. For example, they have expanded the definition of laws for crimes such as theft to include taking data from a computer without the owner’s permission, so computer theft is now on a par with shoplifting or car theft. Other states have instituted specific criminal statutes that address computer-related crimes but typically don’t include computer-related issues in standard trespass, theft, vandalism, or burglary laws. The Computer Fraud and Abuse Act was passed in 1986, but specific state laws weren’t formulated until later.
To this day, many state laws on computer crime have yet to be tested in court.

Computers are involved in many serious crimes. The most notorious are those involving sexual exploitation of minors. Digital images are stored on hard disks, Zip disks, floppy disks, USB drives, removable hard drives, and other storage media and circulated on the Internet. Other computer crimes concern missing children and adults because information about missing people is often found on computers. Drug dealers often keep information about transactions on their computers or personal digital assistants (PDAs). This information is especially useful because it helps law enforcement officers convict the person they arrested and locate drug suppliers and other dealers. Additionally, in stalking cases, deleted e-mail, digital photos, and other evidence stored on a computer can help solve a case.

Following the Legal Processes

When conducting a computer investigation for potential criminal violations of the law, the legal processes you follow depend on local custom, legislative standards, and rules of evidence. In general, however, a criminal case follows three stages: the complaint, the investigation, and the prosecution (see Figure 1-7). Someone files a complaint; a specialist investigates the complaint and, with the help of a prosecutor, collects evidence and builds a case. If a crime has been committed, the case is tried in court.

Figure 1-7 The public-sector case flow

A criminal investigation can begin only when someone finds evidence of an illegal act or witnesses an illegal act. The witness or victim (often referred to as the “complainant”) makes an allegation to the police, an accusation or supposition of fact that a crime has been committed. A police officer interviews the complainant and writes a report about the crime. The police department processes the report, and management decides to start an investigation or log the information into a police blotter.
The police blotter provides a record of clues to crimes that have been committed previously. Criminals often repeat actions in their illegal activities, and these habits can be discovered by examining police blotters. This historical knowledge is useful when conducting investigations, especially in high-technology crimes. Blotters now are generally electronic files, often databases, so they can be searched more easily than the old paper blotters.

Not every police officer is a computer expert. Some are computer novices; others might be trained to recognize what they can retrieve from a computer disk. To differentiate the training and experience officers have, CTIN has established three levels of law enforcement expertise:

• Level 1—Acquiring and seizing digital evidence, normally performed by a police officer on the scene.
• Level 2—Managing high-tech investigations, teaching investigators what to ask for, and understanding computer terminology and what can and can’t be retrieved from digital evidence. The assigned detectives usually handle the case.
• Level 3—Specialist training in retrieving digital evidence, normally conducted by a data recovery or computer forensics expert, network forensics expert, or Internet fraud investigator. This person might also be qualified to manage a case, depending on his or her background.

If you’re an investigator assigned to a case, recognize the level of expertise of police officers and others involved in the case. You should have Level 3 training to conduct the investigation and manage the computer forensics aspects of the case. You start by assessing the scope of the case, which includes the computer’s OS, hardware, and peripheral devices. You then determine whether resources are available to process all the evidence. For example, collecting evidence is more difficult when information is stored on PDAs, cell phones, and other mobile devices.
Determine whether you have the right tools to collect and analyze evidence and whether you need to call on other specialists to assist in collecting and processing evidence. After you have gathered the resources you need, your role is to delegate, collect, and process the information related to the complaint. After you build a case, the information is turned over to the prosecutor. Your job is finished when you have used all known and available methods to extract data from the digital evidence that was seized. As an investigator, you must then present the collected evidence with a report to the government’s attorney. Depending on the community and the nature of the crime, the prosecutor can be a prosecuting attorney, district attorney, state attorney, county attorney, Crown attorney, or U.S. attorney.

In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit an affidavit. This sworn statement of support of facts about or evidence of a crime is submitted to a judge with the request for a search warrant before seizing evidence. Figure 1-8 shows a typical affidavit. It’s your responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant. You must then have the affidavit notarized under sworn oath to verify that the information in the affidavit is true. (You learn more about affidavits in Chapter 14.)

Figure 1-8 Typical affidavit language

After a judge approves and signs a search warrant, it’s ready to be executed, meaning you can collect evidence as defined by the warrant. After you collect the evidence, you process and analyze it to determine whether a crime actually occurred. The evidence can then be presented in court in a hearing or trial. A judge or an administrative law judge then renders a judgment, or a jury hands down a verdict (after which a judge can enter a judgment).
Understanding Corporate Investigations

Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes, such as wrongful termination. When conducting a computer investigation for a private company, remember that business must continue with minimal interruption from your investigation. Because businesses usually focus on continuing their usual operations and making profits, many in a private corporate environment consider your investigation and apprehension of a suspect secondary to stopping the violation and minimizing damage or loss to the business. Businesses also strive to minimize or eliminate litigation, which is an expensive way to address criminal or civil issues.

Corporate computer crimes can involve e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage, which involves selling sensitive or confidential company information to a competitor. Anyone with access to a computer can commit these crimes.

Embezzlement is a common computer crime, particularly in small firms. Typically, the owner is busy and trusts one person, such as the office manager, to handle daily transactions. When the office manager leaves, the owner discovers some clients were overbilled, others weren’t billed at all, some payments weren’t credited, or false accounts exist. Rebuilding the paper and electronic trail can be tedious. Collecting enough evidence to press charges might be beyond the owner’s capabilities.

Corporate sabotage is most often committed by a disgruntled employee. For example, an employee decides to take a job at a competitor’s firm and collects confidential files on a disk or USB drive before leaving. This type of crime can also lead to industrial espionage, which increases every year. Investigators will soon be able to conduct digital investigations on site without a lab and without interrupting employees’ work on a computer.
Suppose an assisted-care facility has an employee involved in an insurance scam who is overcharging the insurance company and then funneling the monies into his or her own bank account. The facility’s network server keeps track of patient billing and critical information, such as medication, medical conditions, and treatments, for each patient. Taking that system offline for more than a short time could result in harm to patients. For this reason, investigators can’t seize the evidence; instead, they acquire a disk image and any other pertinent information and allow the system to go back online as quickly as possible.

Organizations can help prevent and address these crimes by creating and distributing appropriate policies, making employees aware of policies, and enforcing policies.

Establishing Company Policies

One way that businesses can reduce the risk of litigation is to publish and maintain policies that employees find easy to read and follow. The most important policies are those that set rules for using the company’s computers and networks. Published company policies provide a line of authority for a business to conduct internal investigations. The line of authority states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence. Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation. Policies also demonstrate that an organization intends to be fair-minded and objective about how it treats employees and state that the organization will follow due process for all investigations. (“Due process” refers to fairness under the law and is meant to protect the innocent.) Without defined policies, a business risks exposing itself to litigation from current or former employees.
The person or committee in charge of maintaining corporate policies must also stay current with local laws, which can vary depending on the city, state, and country.

Displaying Warning Banners

Another way a private or public organization can avoid litigation is to display a warning banner on computer screens. A warning banner usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. (An end user is a person using a computer to perform routine tasks other than system administration.) If this right isn’t stated explicitly, employees might have an assumed right of privacy when using a company’s computer systems and network accesses. With an assumed right of privacy, employees think their transmissions at work are protected in much the same way that mail sent via the U.S. Postal Service is protected. Figure 1-9 shows a sample warning banner.

Figure 1-9 A sample warning banner

A warning banner establishes the right to conduct an investigation. By displaying a strong, well-worded warning banner, an organization owning computer equipment doesn’t need to obtain a search warrant or court order as required under Fourth Amendment search and seizure rules to seize the equipment. In a company with a well-defined policy, this right to inspect or search at will applies to both criminal activity and company policy violations. Keep in mind, however, that your country’s laws might differ. For example, in some countries, even though the company has the right to seize computers at any time, if employees are suspected of a criminal act, they must be informed at that time.

Computer system users can include employees or guests. Employees can access the intranet, and guests can typically access only the main network.
Companies can use two types of warning banners: one for internal employee access (intranet Web page access) and another for external visitor access (Internet Web page access). The following list recommends phrases to include in all warning banners. Before using these warnings, consult with the organization’s legal department for other required legal notices for your work area or department. Depending on the type of organization, the following text can be used in internal warning banners:

• Access to this system and network is restricted.
• Use of this system and network is for official business only.
• Systems and networks are subject to monitoring at any time by the owner.
• Using this system implies consent to monitoring by the owner.
• Unauthorized or illegal users of this system or network will be subject to discipline or prosecution.

The DOJ document at www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm has several examples of warning banners.

An organization such as a community college might simply state that systems and networks are subject to observation and monitoring at any time because members of the local community who aren’t staff or students might use the facilities. A for-profit organization, on the other hand, could have proprietary information on its network and use all the phrases suggested in the preceding list.

Guests, such as employees of business partners, might be allowed to use the system. The text that’s displayed when a guest attempts to log on can include warnings similar to the following:

• This system is the property of Company X.
• This system is for authorized use only; unauthorized access is a violation of law and violators will be prosecuted.
• All activity, software, network traffic, and communications are subject to monitoring.

As a corporate computer investigator, make sure a company displays a well-defined warning banner.
Without a banner, your authority to inspect might conflict with the user’s expectation of privacy, and a court might have to determine the issue of authority to inspect. State laws vary on the expectation of privacy, but all states accept the concept of a waiver of the expectation of privacy. Additionally, the EU and its member nations impose strict fines for information that crosses national boundaries without the person’s consent. So if your company is conducting an investigation in a subsidiary in the EU, you might not be able to acquire a network drive without notifying certain parties or making sure consent forms are in place.

Some might argue that written policies are all that are necessary. However, in the actual prosecution of cases, warning banners have been critical in determining that a system user didn’t have an expectation of privacy for information stored on the system. A warning banner has the additional advantage of being easier to present in trial as an exhibit than a policy manual.

Government agencies, such as the Department of Energy, Argonne National Labs, and Lawrence Livermore Labs, now require warning banners on all computer terminals on their systems. Many corporations also require warning banners as part of the logon/startup process.

Designating an Authorized Requester

As mentioned, investigations must establish a line of authority. In addition to using warning banners that state a company’s rights of computer ownership, businesses are advised to specify an authorized requester who has the power to conduct investigations. Executive management should define this policy to avoid conflicts from competing interests between organizations or departments. In large organizations, competition for funding or management support can become so fierce that people sometimes create false allegations of misconduct to prevent a competing department from delivering a proposal for the same source of funds.
To avoid trivial or inappropriate investigations, executive management must also define and limit who is authorized to request a computer investigation and forensic analysis. Generally, the fewer groups with authority to request a computer investigation, the better. Examples of groups with authority to request computer investigations in a corporate environment include the following:

• Corporate security investigations
• Corporate ethics office
• Corporate equal employment opportunity office
• Internal auditing
• The general counsel or legal department

All other groups, such as the Human Resources Department, should coordinate their requests through the corporate security investigations group. This policy separates the investigative process from the process of employee discipline.

Conducting Security Investigations

Conducting a computer investigation in the private sector is not much different from conducting one in the public sector. During public investigations, you search for evidence to support criminal allegations. During private investigations, you search for evidence to support allegations of abuse of a company’s assets and, in some cases, criminal complaints. Three types of situations are common in corporate environments:

• Abuse or misuse of computing assets
• E-mail abuse
• Internet abuse

Most computer investigations in the private sector involve misuse of computing assets. Typically, this misuse is referred to as “employee violation of company rules.” Computing abuse complaints often center on e-mail and Internet misuse by employees but could involve other computing resources, such as using company software to produce a product for personal profit. The scope of an e-mail investigation ranges from excessive use of a company’s e-mail system for personal use to making threats or harassing others via e-mail. Some common e-mail abuses involve transmitting offensive messages.
These types of messages can create a hostile work environment that can result in an employee filing a civil lawsuit against a company that does nothing to prevent it (in other words, implicitly condones the e-mail abuse).

Computer investigators also examine Internet abuse. Employees’ abuse of Internet privileges ranges from excessive use, such as spending all day Web surfing, to viewing pornographic pictures on the Web while at work. An extreme instance of Internet abuse is viewing contraband (illegal) pornographic images, such as child pornography. Viewing contraband images is a criminal act in most jurisdictions, and computer investigators must handle this situation with the highest level of professionalism.

By enforcing policy consistently, a company minimizes its liability exposure. The role of a computer forensics examiner is to give management complete and accurate information so that they can verify and correct abuse problems in an organization. (In later chapters, you learn the procedures for conducting these types of investigations.)

Be sure to distinguish between a company’s abuse problems and potential criminal violations. Abuse problems violate company policy but might not be illegal if performed at home. Criminal violations involve acts such as industrial espionage, embezzlement, and murder. However, actions that seem related to internal abuse could also have criminal or civil liability. Because any civil investigation can become a criminal investigation, you must treat all evidence you collect with the highest level of security and accountability. Later in this book, you learn the Federal Rules of Evidence (processes to ensure the chain of custody) and how to apply them to computing investigations. Similarly, your private corporate investigation might seem to involve a civil, noncriminal matter, but as you progress through your analysis, you might identify a criminal matter, too.
Because of this possibility, always remember that your work can come under the scrutiny of the civil or criminal legal system. The Federal Rules of Evidence are the same for civil and criminal matters. By applying the rules to all investigations uniformly, you eliminate any concerns. These standards are emphasized throughout this book.

Corporations can apply a principle similar to the silver-platter doctrine (no longer in effect between state law enforcement and the federal government) when a civilian or corporate investigative agent delivers evidence to a law enforcement officer. Remember that a police officer is a law enforcement agent. A corporate investigator’s job is to minimize risk to the company. After you turn over evidence to law enforcement and begin working under their direction, you become an agent of law enforcement, subject to the same restrictions on search and seizure as a law enforcement agent. However, an agent of law enforcement can’t ask you, as a private citizen, to obtain evidence that requires a warrant. The rules controlling the use of evidence collected by private citizens vary by jurisdiction, so check the law if you’re investigating a case outside the United States.

Litigation is costly, so after you have assembled evidence, offending employees are usually disciplined or terminated with a minimum of fanfare. However, when you discover that a criminal act involving a third-party victim has been committed, generally you have a legal and moral obligation to turn the information over to law enforcement. In the next section, you learn about situations in which criminal evidence must be separated from any corporate proprietary information.

Distinguishing Personal and Company Property

Many company policies distinguish between personal and company computer property; however, making this distinction can be difficult with PDAs, cell phones, and personal notebook computers.
For example, an employee has purchased a PDA and connects the device to his or her company computer. As the employee synchronizes information on the PDA with information in the company computer’s copy of Microsoft Outlook, he or she copies some data in the PDA to the company network. During the synchronization, data on the company computer or network might be placed on the PDA, too. In this case, at least one question is “Does the information on the PDA belong to the company or the employee?”

Now suppose the company gave the employee the PDA as part of a holiday bonus. Can the company claim rights to the PDA? Similar issues come up when an employee brings in a personal notebook computer and connects it to the company network. What rules apply? As computers become more entrenched in daily life, you’ll encounter these issues more often. These questions are still being debated, and companies are establishing their own policies to handle them.

The safe policy is to not allow any personally owned devices to be connected to company-owned resources, thereby limiting the possibility of commingling personal and company data. This policy can be counterproductive; however, the risks should be identified and addressed in company policies. Other companies simply state that if you connect a personal device to the corporate network, it falls under the same rules as corporate property. At the time of this writing, this policy has yet to be tested in court.

Maintaining Professional Conduct

Your professional conduct as a computer investigation and forensics analyst is critical because it determines your credibility. Professional conduct, discussed in more detail in Chapters 15 and 16, includes ethics, morals, and standards of behavior. As a professional, you must exhibit the highest level of ethical behavior at all times.
To do so, you must maintain objectivity and confidentiality during an investigation, expand your technical knowledge continuously, and conduct yourself with integrity. On any current crime drama, you can see how attorneys attack the character of witnesses, so your character and especially your reputation for honesty should be beyond reproach.

Maintaining objectivity means you must form and sustain unbiased opinions of your cases. Avoid making conclusions about your findings until you have exhausted all reasonable leads and considered the available facts. Your ultimate responsibility is to find digital evidence to support or refute the allegation. You must ignore external biases to maintain the integrity of your fact-finding in all investigations. For example, if you’re employed by an attorney, do not allow the attorney’s agenda to dictate the outcome of your investigation. Your reputation and long-term livelihood depend on being objective in all matters.

You must also maintain an investigation’s credibility by keeping the case confidential. Discuss the case only with people who need to know about it, such as other investigators involved in the case or someone in the line of authority asking for an update. If you need advice from other professionals, discuss only the general terms and facts about the case without mentioning specifics. All investigations you conduct must be kept confidential, until you’re designated as a witness or required by the attorney or court to release a report.

In the corporate environment, confidentiality is critical, especially when dealing with employees who have been terminated. The agreement between the company and the employee might have been to represent the termination as a layoff or resignation in exchange for no bad references. If you give case details and the employee’s name to others, your company could be liable for breach of contract.
In some instances, your corporate case might become a criminal case as serious as murder. Because of the legal system, it could be years before the case goes to trial. If an investigator talks about the digital evidence with others, the case could be damaged because of pretrial publicity.

When working for an attorney on an investigation, the attorney-work-product rule and attorney-client privilege apply to all communication. This means you can discuss the case only with the attorney or other members of the team working with the attorney. All communication about the case to other people requires the attorney’s approval.

In addition to maintaining objectivity and confidentiality, you can enhance your professional conduct by continuing your training. The field of computer investigations and forensics is changing constantly. You should stay current with the latest technical changes in computer hardware and software, networking, and forensic tools. You should also learn about the latest investigation techniques you can use in your cases.

One way to enrich your knowledge of computer investigations is to record your fact-finding methods in a journal. A journal can help you remember how to perform tasks and procedures and use hardware and software tools. Be sure to include dates and important details that serve as memory triggers. Develop a routine of reviewing your journal regularly to keep your past achievements fresh in your mind.

To continue your professional training, you should attend workshops, conferences, and vendor courses. You might also need to continue your formal education. You enhance your professional standing if you have at least an undergraduate degree in computing or a related field. If you don’t have an advanced degree, consider graduate-level studies in a complementary area of study, such as business law or e-commerce.
Several colleges and universities now offer associate’s, bachelor’s, and master’s degrees and certificate programs in computer forensics. Many companies are willing to reimburse your education costs, although some require commitment to a certain term of employment in exchange.

In addition to education and training, membership in professional organizations adds to your credentials. These organizations often sponsor training and offer information exchanges of the latest technical improvements and trends in computer investigations. Also, keep up to date with the most recent books and read as much as possible about computer investigations and forensics.

As a computer investigation and forensics professional, you’re expected to maintain honesty and integrity. You must conduct yourself with the highest levels of integrity in all aspects of your life. Any indiscreet actions can embarrass you and give opposing attorneys opportunities to discredit you during your testimony in court or in depositions.

Chapter Summary

■ Computer forensics applies forensics procedures to digital evidence. This process involves systematically accumulating and analyzing digital information for use as evidence in civil, criminal, or administrative cases. Computer forensics differs from network forensics, data recovery, and disaster recovery in scope, technique, and objective.
■ Laws relating to digital evidence were established in the 1970s.
■ To be a successful computer forensics investigator, you must be familiar with more than one computing platform. To supplement your knowledge, develop and maintain contact with computer, network, and investigative professionals.
■ Public and private computer investigations differ, in that public investigations typically require a search warrant before seizing digital evidence. The Fourth Amendment to the U.S. Constitution and similar legislation in other countries apply to governmental search and seizure.
During public investigations, you search for evidence to support criminal allegations. During private investigations, you search for evidence to support allegations of abuse of assets and, in some cases, criminal complaints.
■ Warning banners should be used to remind employees and visitors of company policy on computer, e-mail, and Internet use.
■ Companies should define and limit the number of authorized requesters who can start an investigation.
■ Computer forensics investigators must maintain professional conduct to protect their credibility.

Key Terms

affidavit: The document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation.
allegation: A charge made against someone or something before proof has been found.
authorized requester: In a corporate environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer.
computer forensics: The process of applying scientific methods to collect and analyze data and information that can be used as evidence.
computer investigations: Conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime.
Computer Technology Investigators Network (CTIN): A nonprofit group based in Seattle–Tacoma, WA, composed of law enforcement members, private corporation security professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest.
criminal case: A case in which criminal law must be applied.
criminal law: Statutes applicable to a jurisdiction that state offenses against the peace and dignity of the jurisdiction and the elements that define these offenses.
data recovery: A specialty field in which companies retrieve files that were deleted accidentally or purposefully.
disaster recovery: A specialty field in which companies perform real-time backups, monitoring, data recovery, and hot site operations.
enterprise network environment: A large corporate computing system that can include formerly independent systems.
exculpatory: Evidence that indicates the suspect is innocent of the crime.
exhibits: Evidence used in court to prove a case.
Fourth Amendment: The Fourth Amendment to the U.S. Constitution in the Bill of Rights dictates that the government and its agents must have probable cause for search and seizure.
High Technology Crime Investigation Association (HTCIA): A nonprofit association for solving international computer crimes.
hostile work environment: An environment in which employees cannot perform their assigned duties because of the actions of others. In the workplace, these actions include sending threatening or demeaning e-mail or a co-worker viewing pornographic or hate sites.
inculpatory: Evidence that indicates a suspect is guilty of the crime with which he or she is charged.
industrial espionage: Selling sensitive or proprietary company information to a competitor.
International Association of Computer Investigative Specialists (IACIS): An organization created to provide training and software for law enforcement in the computer forensics field.
line of authority: The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence, and have access to evidence.
litigation: The legal process leading to a trial with the purpose of proving criminal or civil liability.
network intrusion detection and incident response: Detecting attacks from intruders by using automated tools; also includes the manual process of monitoring network firewall logs.
notarized: Having a document witnessed and a person clearly identified as the signer by a notary public.
police blotter: A log of criminal activity that law enforcement personnel can use to review the types of crimes currently being committed.
professional conduct: Behavior expected of an employee in the workplace or other professional setting.
right of privacy: The belief employees have that their transmissions at work are protected.
search and seizure: The legal act of acquiring evidence for an investigation. See also Fourth Amendment.
search warrants: Legal documents that allow law enforcement to search an office, a place of business, or other locale for evidence related to an alleged crime.
silver-platter doctrine: A policy no longer in effect that allowed a state law enforcement officer to pass illegally obtained evidence to the federal government and allowed federal prosecution to use that evidence.
verdict: The decision returned by a jury.
vulnerability assessment and risk management: The group that determines the weakest points in a system. It covers physical security and the security of OSs and applications.
warning banner: Text displayed on computer screens when people log on to a company computer; this text states ownership of the computer and specifies appropriate use of the machine or Internet access.

Review Questions

1. List two organizations mentioned in the chapter that provide computer forensics training.
2. Computer forensics and data recovery refer to the same activities. True or False?
3. Police in the United States must use procedures that adhere to which of the following?
a. Third Amendment
b. Fourth Amendment
c. First Amendment
d. None of the above
4. The triad of computing security includes which of the following?
a. Detection, response, and monitoring
b. Vulnerability assessment, detection, and monitoring
c. Vulnerability assessment, intrusion response, and investigation
d. Vulnerability assessment, intrusion response, and monitoring
5. List three common types of digital crime.
6. A corporate investigator must follow Fourth Amendment standards when conducting an investigation. True or False?
7. What is the purpose of maintaining a network of computer forensics specialists?
8. Policies can address rules for which of the following?
a. When you can log on to a company network from home
b. The Internet sites you can or cannot access
c. The amount of personal e-mail you can send
d. Any of the above
9. List two items that should appear on an internal warning banner.
10. Warning banners are often easier to present in court than policy manuals are. True or False?
11. Under normal circumstances, a corporate investigator is considered an agent of law enforcement. True or False?
12. List two types of computer investigations typically conducted in the corporate environment.
13. What is professional conduct and why is it important?
14. What is the purpose of maintaining a professional journal?
15. Laws and procedures for PDAs are which of the following?
a. Well established
b. Still being debated
c. On the law books
d. None of the above
16. Why should companies appoint an authorized requester for computer investigations?
17. What is the purpose of an affidavit?
18. What are the necessary components of a search warrant?

Hands-On Projects

Hands-On Project 1-1
Use a Web search engine, such as Google or Yahoo!, and search for companies specializing in computer forensics. Select three and write a two- to three-page paper comparing what each company does.

Hands-On Project 1-2
Research criminal law related to computer crime in a jurisdiction (the one where you live) that controls criminal law. If laws exist, list the source and how long they have been in existence. Identify cases that have been tried using these laws.

Hands-On Project 1-3
Start your own list of professional contacts in your area who do forensic analysis. Where would you begin to find these people? How can you verify that they’re legitimate? How should you approach them?
Hands-On Project 1-4
Compare Article 8 of the Charter of Rights of Canada or any country of your choice to the U.S. Fourth Amendment. How do they differ? How are they similar? Use sources such as the U.S. Department of Justice Web site to justify your conclusions in a paper at least two pages long.

Hands-On Project 1-5
Search the Internet for articles on computer crime prosecutions. Find at least two. Write one to two pages summarizing the two articles and identify key features of the decisions you find in your search.

Hands-On Project 1-6
Is there a high-tech criminal investigation unit in or near your community? If so, who are the participants? E-mail the person in charge and let him or her know you are taking a course in computer forensics. Ask what the unit’s policies and procedures are, and then write one to two pages summarizing your findings.

Hands-On Project 1-7
Start building a professional journal for yourself. Find at least two electronic mailing lists you can join and three Web sites and read them on a regular basis. The electronic mailing lists should contain areas for OSs, software and hardware listings, people contacted or worked with, user groups, other electronic mailing lists, and the results of any research you have done thus far.

Hands-On Project 1-8
Examine and summarize your community, state, or country’s rules for search and seizure of criminal evidence. What concerns do you have after reading them?

Case Projects

Case Project 1-1
A lawyer in a law firm is suspected of embezzling money from a trust account. Who should conduct the investigation? If evidence is found to support the claim, what should be done? Write at least two pages explaining the steps to take, who is involved, and what items must be considered.

Case Project 1-2
A private corporation suspects an employee is using password-cracking tools to gain access to other accounts. The accounts include employees in the Payroll and Human Resources departments. Write a two- to three-page paper outlining what steps to take, who should be involved, and what should be considered.

Case Project 1-3
An employee is suspected of operating his llama business with a company computer. It’s been alleged that he’s tracking the sales price of the wool and the cost of feed and upkeep on spreadsheets. What should the employer do? Write at least two pages explaining the tasks an investigator should perform.

Chapter 2
Understanding Computer Investigations

After reading this chapter and completing the exercises, you will be able to:
• Explain how to prepare a computer investigation
• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech investigations
• Explain requirements for data recovery workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case

This chapter gives you an overview of how to manage a computing investigation. You learn about the problems and challenges forensic examiners face when preparing and processing investigations, including the ideas and questions they must consider. This chapter introduces ProDiscover Basic, a GUI computer forensics tool. Throughout this chapter, you learn details about how other computer forensics tools are used in an investigation, too. You also explore standard problem-solving techniques.

As a basic computer user, you can solve most software problems by working with a GUI tool. A forensics professional, however, needs to interact with primary levels of the OS that are more fundamental than what can be accessed with a GUI. Some computer forensics software tools involve working at the command line, and you should learn how to use these tools because in some cases, the command line is your only option. Appendix D includes examples of how to use DOS forensics tools.
In this chapter, you work with forensic disk images from small USB drives to perform the activities and projects in this chapter. After you know how to search for and find data on a small storage device, you can apply the same techniques to a large disk.

Preparing a Computer Investigation

Your role as a computer forensics professional is to gather evidence from a suspect’s computer and determine whether the suspect committed a crime or violated a company policy. If the evidence suggests that a crime or policy violation has been committed, you begin to prepare a case, which is a collection of evidence you can offer in court or at a corporate inquiry. This process involves investigating the suspect’s computer and then preserving the evidence on a different computer.

Before you begin investigating, however, you must follow an accepted procedure to prepare a case. By approaching each case methodically, you can evaluate the evidence thoroughly and document the chain of evidence, or chain of custody, which is the route the evidence takes from the time you find it until the case is closed or goes to court.

The following sections present two sample cases—one involving a computer crime and another involving a company policy violation. Each example describes the typical steps of a forensics investigation, including gathering evidence, preparing a case, and preserving the evidence.

An Overview of a Computer Crime

Law enforcement officers often find computers and computer components as they’re investigating crimes, gathering other evidence, or making arrests. Computers can contain information that helps law enforcement officers determine the chain of events leading to a crime or information providing evidence that’s more likely to lead to a conviction.

As an example of a case in which computers were involved in a crime, the police raided a suspected drug dealer’s home and found a computer, several floppy disks and USB drives (also called keychain drives or memory sticks), a personal digital assistant (PDA), and a cell phone in a bedroom (see Figure 2-1). The computer was “bagged and tagged,” meaning it was placed in evidence bags along with the storage media and then labeled with tags as part of the search and seizure.

Figure 2-1 The crime scene

The lead detective on the case wants you to examine the computer to find and organize data that could be evidence of a crime, such as files containing names of the drug dealer’s contacts. The acquisitions officer gives you documentation of items the investigating officers collected with the computer, including a list of other storage media, such as removable disks and CDs. The acquisitions officer also notes that the computer is a Windows XP system, and the machine was running when it was discovered. Before shutting down the computer, the acquisitions officer photographs all open windows on the Windows desktop, including one showing Windows Explorer, and gives you the photos. (Before shutting down the computer, a live acquisition should be done to capture RAM, too. This procedure is discussed in Chapter 11.)

As a computer forensics investigator, you’re grateful the officers followed proper procedure when acquiring the evidence. With digital evidence, it’s important to realize how easily key data, such as the last access date, can be altered by an overeager investigator who’s first on the scene. The U.S. Department of Justice (DOJ) has a document you can download that reviews proper acquisition of electronic evidence, including the search and seizure of computers (www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm). If this link has changed because of site updates, use the search feature.
In your preliminary assessment, you assume that the hard disk and storage media include intact files, such as e-mail messages, deleted files, and hidden files. A range of software is available for use in your investigation; your office uses the tool Technology Pathways ProDiscover. This chapter introduces you to the principles applied to computer forensics. In Chapter 7, you learn the strengths and weaknesses of several software packages.

Because some cases involve computers running legacy OSs, older versions of tools often need to be used in forensics investigations. For example, Norton DiskEdit is an older tool that was last available on the Norton System Works 2000 CD.

After your preliminary assessment, you identify the potential challenges in this case. Because drug dealers don’t usually make information about their accomplices available, the files on the disks you received are probably password protected. You might need to acquire password-cracking software or find an expert who can help you decrypt a file. Later, you perform the steps needed to investigate the case, including how to address risks and obstacles. Then you can begin the actual investigation and data retrieval.

An Overview of a Company Policy Violation

Companies often establish policies for employee use of computers. Employees surfing the Internet, sending personal e-mail, or using company computers for personal tasks during work hours can waste company time. Because lost time can cost companies millions of dollars, computer forensics specialists are often used to investigate policy violations. The following example describes a company policy violation.

Manager Steve Billings has been receiving complaints from customers about the job performance of one of his sales representatives, George Montgomery. George has worked as a representative for several years. He’s been absent from work for two days but hasn’t called in sick or told anyone why he wouldn’t be at work. Another employee, Martha, is also missing and hasn’t informed anyone of the reason for her absence. Steve asks the IT Department to confiscate George’s hard drive and all storage media in his work area. He wants to know whether there’s any information on George’s computer and storage media that might offer a clue to George’s whereabouts and job performance concerns. To help determine George and Martha’s whereabouts, you must take a systematic approach, described in the following section, to examining and analyzing the data found on George’s desk.

Taking a Systematic Approach

When preparing a case, you can apply standard systems analysis steps, explained in the following list, to problem solving. Later in this chapter, you apply these steps to cases.
• Make an initial assessment about the type of case you’re investigating—To assess the type of case you’re handling, talk to others involved in the case and ask questions about the incident. Have law enforcement or company security officers already seized the computer, disks, and other components? Do you need to visit an office or another location? Was the computer used to commit a crime, or does it contain evidence about another crime?
• Determine a preliminary design or approach to the case—Outline the general steps you need to follow to investigate the case. If the suspect is an employee and you need to acquire his or her system, determine whether you can seize the computer during work hours or have to wait until evening or weekend hours. If you’re preparing a criminal case, determine what information law enforcement officers have already gathered.
• Create a detailed checklist—Refine the general outline by creating a detailed checklist of steps and an estimated amount of time for each step. This outline helps you stay on track during the investigation.
• Determine the resources you need—Based on the OS of the computer you’re investigating, list the software you plan to use for the investigation, noting any other software or tools you might need.
• Obtain and copy an evidence drive—In some cases, you might be seizing multiple computers along with Zip disks, Jaz drives, CDs, USB drives, PDAs, and other removable media. (For the examples in this chapter, you’re using only USB drives.) Make a forensic copy of the disk.
• Identify the risks—List the problems you normally expect in the type of case you’re handling. This list is known as a standard risk assessment. For example, if the suspect seems knowledgeable about computers, he or she might have set up a logon scheme that shuts down the computer or overwrites data on the hard disk when someone tries to change the logon password.
• Mitigate or minimize the risks—Identify how you can minimize the risks. For example, if you’re working with a computer on which the suspect has likely password-protected the hard drive, you can make multiple copies of the original media before starting. Then if you destroy a copy during the process of retrieving information from the disk, you have additional copies.
• Test the design—Review the decisions you’ve made and the steps you’ve completed. If you have already copied the original media, a standard part of testing the design involves comparing hash values (discussed in Chapters 4 and 5) to ensure that you copied the original media correctly.
• Analyze and recover the digital evidence—Using the software tools and other resources you’ve gathered, and making sure you’ve addressed any risks and obstacles, examine the disk to find digital evidence.
• Investigate the data you recover—View the information recovered from the disk, including existing files, deleted files, and e-mail, and organize the files to help prove the suspect’s guilt or innocence.
• Complete the case report—Write a complete report detailing what you did and what you found.
• Critique the case—Self-evaluation is an essential part of professional growth. After you complete a case, review it to identify successful decisions and actions and determine how you could have improved your performance.

The amount of time and effort you put into each step varies, depending on the nature of the investigation. For example, in most cases, you need to create a simple investigation plan so that you don’t overlook any steps. However, if a case involves many computers with complex issues to identify and examine, a detailed plan with periodic review and updates is essential. A systematic approach helps you discover the information you need for your case, and you should gather as much information as possible.

For all computing investigations, you must be prepared for the unexpected, so you should always have a contingency plan for the investigation. A contingency plan can consist of anything to help you complete the investigation, from alternative software and hardware tools to other methods of approaching the investigation.

Assessing the Case

As mentioned, identifying case requirements involves determining the type of case you’re investigating. Doing so means you should outline the case details systematically, including the nature of the case, the type of evidence available, and the location of the evidence. In the company-policy violation case, you have been asked to investigate George Montgomery. Steve Billings had the IT Department confiscate all of George’s storage media that might contain information about his whereabouts. After talking to George’s co-workers, Steve learned that George has been conducting a personal business on the side using company computers. Therefore, the focus of the case has changed from a missing person to a possible employee abuse of corporate resources.
You can begin assessing this case as follows:
• Situation—Employee abuse case.
• Nature of the case—Side business conducted on the employer’s computer.
• Specifics of the case—The employee is reportedly conducting a side business on his employer’s computer that involves registering domain names for clients and setting up their Web sites at local ISPs. Co-workers have complained that he’s been spending too much time on his own business and not performing his assigned work duties. Company policy states that all company-owned computing assets are subject to inspection by company management at any time. Employees have no expectation of privacy when operating company computer systems.
• Type of evidence—Small-capacity USB drive.
• Operating system—Microsoft Windows XP.
• Known disk format—FAT16.
• Location of evidence—One USB drive recovered from the employee’s assigned computer.

Based on these details, you can determine the case requirements. You now know that the nature of the case involves employee abuse of company assets, and you’re looking for evidence that an employee was conducting a side business using his employer’s computers. On the USB drive retrieved from George’s computer, you’re looking for any information related to Web sites, ISPs, or domain names. You know that the computer OS is Windows XP, and the USB drive uses the FAT16 file system. To duplicate the USB drive and find deleted and hidden files, you need a reliable computer forensics tool. Because the USB drive has already been retrieved, you don’t need to seize the drive yourself.

You call this case the Domain Name case and determine that your task is to gather data from the storage media seized to confirm or deny the allegation that George is conducting a side business on company time and computers. Remember that he’s suspected only of asset abuse, and the evidence you obtain might be exculpatory—meaning it could prove his innocence. You must always maintain an unbiased perspective and be objective in your fact-findings. If you are systematic and thorough, you’re more likely to produce consistently reliable results.

Planning Your Investigation

Now that you have identified the requirements of the Domain Name case, you can plan your investigation. You have already determined the kind of evidence you need; now you can identify the specific steps to gather the evidence, establish a chain of custody, and perform the forensic analysis. These steps become the basic plan for your investigation and indicate what you should do and when.

To investigate the Domain Name case, you should perform the following general steps. Most of these steps are explained in more detail in the following sections.
1. Acquire the USB drive from George’s manager.
2. Complete an evidence form and establish a chain of custody.
3. Transport the evidence to your computer forensics lab.
4. Place the evidence in an approved secure container.
5. Prepare your forensic workstation.
6. Retrieve the evidence from the secure container.
7. Make a forensic copy of the evidence drive (in this case, the USB drive).
8. Return the evidence drive to the secure container.
9. Process the copied evidence drive with your computer forensics tools.

The approved secure container you need in Step 4 should be a locked, fireproof locker or cabinet that has limited access. Limited access means that only you and other authorized personnel can open the evidence container. The first rule for all investigations is to preserve the evidence, which means it should not be tampered with or contaminated. Because the IT Department staff confiscated the storage media, you need to go to them for the evidence. The IT Department manager confirms that the storage media has been locked in a secure cabinet since it was retrieved from George’s desk.
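Step 7 of the plan (make a forensic copy) and the "Test the design" step of the systematic approach (compare hash values to confirm the copy) can be carried out together. The following is an added example, not code from the book or from ProDiscover: it copies a constructed stand-in for a USB drive image byte for byte, hashes both original and copy, and refuses to report a match if any digest differs. The choice of MD5 and SHA-256 as the algorithms, and the file names, are assumptions; the chapters referenced above discuss hash values in detail.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB pieces so large drives fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(original_path, copy_path, algorithms=("md5", "sha256")):
    """Compare hash values of the original media and its forensic copy.

    Returns {"match": bool, "hashes": {alg: (original_digest, copy_digest)}}.
    A mismatch on any algorithm means the copy must not be used for analysis;
    both digests are kept so the discrepancy can be documented in the case file.
    """
    hashes = {}
    match = True
    for alg in algorithms:
        orig = hash_file(original_path, alg)
        dup = hash_file(copy_path, alg)
        hashes[alg] = (orig, dup)
        if orig != dup:
            match = False
    return {"match": match, "hashes": hashes}


def make_forensic_copy(source_path, dest_path):
    """Byte-for-byte copy of the evidence image, then verify it. Returns the report."""
    with open(source_path, "rb") as src, open(dest_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return verify_copy(source_path, dest_path)


def demo_copy_check():
    """Constructed demonstration: a good copy verifies, a copy with one flipped byte does not."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed 512 KiB stand-in for a small USB drive image (not real evidence).
        original = os.path.join(tmp, "usb_original.dd")
        with open(original, "wb") as f:
            f.write(bytes(range(256)) * 2048)

        good_copy = os.path.join(tmp, "usb_copy.dd")
        good = make_forensic_copy(original, good_copy)

        # Simulate a damaged copy: flip a single byte, then re-verify.
        bad_copy = os.path.join(tmp, "usb_copy_bad.dd")
        with open(good_copy, "rb") as f:
            data = bytearray(f.read())
        data[100] ^= 0xFF
        with open(bad_copy, "wb") as f:
            f.write(data)
        bad = verify_copy(original, bad_copy)

        return good["match"], bad["match"]


if __name__ == "__main__":
    print(demo_copy_check())  # (True, False)
```

Record both digests on the evidence custody form at the time the copy is made; the same values are recomputed on the working copy before and after analysis to show that processing did not alter it.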
Keep in mind that even though this case is a corporate policy matter, many cases are thrown out because the chain of custody can’t be proved or has been broken. When this happens, there’s the possibility that the evidence has been compromised.

To document the evidence, you record details about the media, including who recovered the evidence and when and who possessed it and when. Use an evidence custody form, also called a chain-of-evidence form, which helps you document what has and has not been done with the original evidence and forensic copies of the evidence. Depending on whether you’re working in law enforcement or private corporate security, you can create an evidence custody form to fit your environment. This form should be easy to read and use. It can contain information for one or several pieces of evidence. Consider creating a single-evidence form (which lists each piece of evidence on a separate page) and a multi-evidence form (see Figure 2-2), depending on the administrative needs of your investigation.

If necessary, document how to use your evidence custody form. Clear instructions help users remain consistent when completing the form and ensure that everyone uses the same definitions for collected items. Standardization helps maintain consistent quality for all investigations and prevent confusion and mistakes about the evidence you collect.

Figure 2-2 A sample multi-evidence form used in a corporate environment

An evidence custody form usually contains the following information:
• Case number—The number your organization assigns when an investigation is initiated.
• Investigating organization—The name of your organization. In large corporations with global facilities, several organizations might be conducting investigations in different geographic areas.
• Investigator—The name of the investigator assigned to the case. If many investigators are assigned, specify the lead investigator’s name.
• Nature of case—A short description of the case. For example, in the corporate environment, it might be “Data recovery for corporate litigation” or “Employee policy violation case.”
• Location evidence was obtained—The exact location where the evidence was collected. If you’re using multi-evidence forms, a new form should be created for each location.
• Description of evidence—A list of the evidence items, such as “hard drive, 20 GB” or “one USB drive, 128 MB.” On a multi-evidence form, write a description for each item of evidence you acquire.
• Vendor name—The name of the manufacturer of the computer evidence. List a 20 GB hard drive, for example, as a Maxtor 20 GB hard drive, or describe a USB drive as an Attache 1 GB PNY Technologies drive. In later chapters, you see how differences among manufacturers can affect data recovery.
• Model number or serial number—List the model number or serial number (if available) of the computer component. Many computer components, including hard drives, memory chips, and expansion slot cards, have model numbers but not serial numbers.
• Evidence recovered by—The name of the investigator who recovered the evidence. The chain of custody for evidence starts with this information. If you insert your name, for example, you’re declaring that you have taken control of the evidence. It’s now your responsibility to ensure that nothing damages the evidence and no one tampers with it. The person placing his or her name on this line is responsible for preserving, transporting, and securing the evidence.
• Date and time—The date and time the evidence was taken into custody. This information establishes exactly when the chain of custody starts.
• Evidence placed in locker—Specifies which approved secure container is used to store evidence and when the evidence was placed in the container.
• Item #/Evidence processed by/Disposition of evidence/Date/Time—When you or another authorized investigator retrieves evidence from the evidence locker for processing and analysis, list the item number and your name, and then describe what was done to the evidence.
• Page—The forms used to catalog all evidence for each location should have page numbers. List the page number, and indicate the total number of pages for this group of evidence. For example, if you collected 15 pieces of evidence at one location and your form has only 10 lines, you need to fill out two multi-evidence forms. The first form is noted as “Page 1 of 2,” and the second page is noted as “Page 2 of 2.”

Figure 2-3 shows a single-evidence form, which lists only one piece of evidence per page. This form gives you more flexibility in tracking separate pieces of evidence for your chain-of-custody log. It also has more space for descriptions, which is helpful when finalizing the investigation and creating a case report. With this form, you can accurately account for what was done to the evidence and what was found. Use evidence forms as a reference for all actions taken during your investigative analysis.

You can use both multi-evidence and single-evidence forms in your investigation. By using two forms, you can keep the single-evidence form with the evidence and the multi-evidence form in your report file. Two forms also provide redundancy that can be used as a quality control for your evidence.

Securing Your Evidence

Computing investigations demand that you adjust your procedures to suit the case. For example, if the evidence for a case includes an entire computer system and associated storage media, such as floppy disks, Zip and Jaz cartridges, 4 mm DDS digital audio tape (DAT), and USB drives, you must be flexible when you account for all these items. Some evidence is small enough to fit into an evidence bag. Other items, such as the CPU cabinet, monitor, keyboard, and printer, are too large.
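The custody form fields listed above map naturally onto a small data model, and the "Page 1 of 2" rule is easy to get wrong by hand. The following is an added example written for this discussion, not a form or code from the book: it records each item's recovery details and every later disposition, derives the chronological chain of custody for an item, and splits the items from one location across multi-evidence form pages. The 10-lines-per-form layout is taken from the text's example, and the case number, names, and locker label are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple

LINES_PER_FORM = 10  # assumed form layout, taken from the text's "Page 1 of 2" example


@dataclass
class CustodyEvent:
    """One row of the 'Evidence processed by / Disposition / Date / Time' section."""
    investigator: str
    disposition: str
    timestamp: datetime


@dataclass
class EvidenceItem:
    """One 'Description of evidence' row plus the fields that start its chain of custody."""
    item_number: int
    description: str        # e.g. "one USB drive, 128 MB"
    vendor: str             # manufacturer name
    model_or_serial: str    # model or serial number, if available
    recovered_by: str       # the chain of custody starts with this person
    recovered_at: datetime  # date and time taken into custody
    locker: str             # approved secure container the item was placed in
    events: List[CustodyEvent] = field(default_factory=list)

    def log_disposition(self, investigator: str, disposition: str, when: datetime) -> None:
        """Record a retrieval from the locker and what was done to the item."""
        self.events.append(CustodyEvent(investigator, disposition, when))

    def chain_of_custody(self) -> List[Tuple[datetime, str, str]]:
        """Chronological (time, person, action) rows, beginning with recovery."""
        chain = [(self.recovered_at, self.recovered_by,
                  f"Recovered evidence; placed in {self.locker}")]
        chain += [(e.timestamp, e.investigator, e.disposition) for e in self.events]
        return sorted(chain, key=lambda row: row[0])


@dataclass
class MultiEvidenceForm:
    """One page of a multi-evidence form: header fields plus up to LINES_PER_FORM items."""
    case_number: str
    investigating_organization: str
    investigator: str
    nature_of_case: str
    location_obtained: str
    items: List[EvidenceItem]
    page: int
    total_pages: int

    def page_label(self) -> str:
        return f"Page {self.page} of {self.total_pages}"


def build_forms(case_number, organization, investigator, nature, location,
                items: List[EvidenceItem], lines_per_form: int = LINES_PER_FORM):
    """Split the items collected at one location across numbered form pages.

    The text asks for a new form per location, so every item passed in here is
    assumed to come from the same location.
    """
    total_pages = max(1, (len(items) + lines_per_form - 1) // lines_per_form)
    forms = []
    for page in range(total_pages):
        chunk = items[page * lines_per_form:(page + 1) * lines_per_form]
        forms.append(MultiEvidenceForm(case_number, organization, investigator,
                                       nature, location, chunk, page + 1, total_pages))
    return forms


def demo_forms(item_count: int = 15) -> List[MultiEvidenceForm]:
    """Constructed sample: item_count items from one desk (hypothetical names and values)."""
    recovered = datetime(2009, 3, 2, 9, 30)
    items = [
        EvidenceItem(i, f"USB drive {i}, 128 MB", "PNY Technologies", "n/a",
                     "IT Department", recovered, "Locker A", [])
        for i in range(1, item_count + 1)
    ]
    # The first item is checked out for imaging; the custody chain records it.
    items[0].log_disposition("Lead investigator",
                             "Forensic copy made; returned to Locker A",
                             datetime(2009, 3, 3, 10, 0))
    return build_forms("CASE-PLACEHOLDER-001", "Corporate Security", "Lead investigator",
                       "Employee policy violation case", "Employee desk, Sales", items)


if __name__ == "__main__":
    for form in demo_forms():
        print(form.page_label(), len(form.items), "items")
    for row in demo_forms()[0].items[0].chain_of_custody():
        print(row)
```

Because every retrieval is appended rather than edited, the chain for an item is reconstructed from the log rather than from memory, which is the property a court will ask you to demonstrate.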
To secure and catalog the evidence contained in large computer components, you can use large evidence bags, tape, tags, labels, and other products available from police supply vendors or office supply stores. When gathering products to secure your computer evidence, make sure they are safe and effective to use on computer components. Be cautious when handling any computer component to avoid damaging the component or coming into contact with static electricity, which can destroy digital data. For this reason, make sure you use antistatic bags when collecting computer evidence. Consider using an antistatic pad with an attached wrist strap, too. Both help prevent damage to computer evidence.

Figure 2-3 A single-evidence form

Be sure to place computer evidence in a well-padded container. Padding prevents damage to the evidence as you transport it to your secure evidence locker, evidence room, or computer lab. Save discarded hard drive boxes, antistatic bags, and packing material for computer hardware when you or others acquire computer devices. Because you might not have everything needed to secure your evidence, you have to improvise. Securing evidence often requires building secure containers.

If the computer component is large and contained in its own casing, such as a CPU cabinet, you can use evidence tape to seal all openings on the cabinet. Placing evidence tape over drive bays, insertion slots for power supply cords and USB cables, and any other openings ensures the security of evidence. As a standard practice, you should write your initials on the tape before applying it to the evidence. This practice makes it possible to prove later in court that the evidence hasn’t been tampered with because the casing couldn’t have been opened nor could power have been supplied to the closed casing with this tape in place. If the tape had been replaced, your initials wouldn’t be present, which would indicate tampering.

If you transport a CPU case, place new disks in disk drives to reduce possible drive damage while you’re moving the computer.

Computer components require specific temperature and humidity ranges. If it’s too cold, hot, or wet, computer components and magnetic media can be damaged. Even heated car seats can damage digital media, and placing a computer on top of a two-way car radio in the trunk can damage magnetic media. When collecting computer evidence, make sure you have a safe environment for transporting and storing it until a secure evidence container is available.

Procedures for Corporate High-Tech Investigations

As an investigator, you need to develop formal procedures and informal checklists to cover all issues important to high-tech investigations. These procedures are necessary to ensure that correct techniques are used in an investigation. Use informal checklists to be certain that all evidence is collected and processed properly. This section lists some sample procedures that computing investigators commonly use in corporate high-tech investigations.

Employee Termination Cases

The majority of investigative work for termination cases involves employee abuse of corporate assets. Incidents that create a hostile work environment, such as viewing pornography in the workplace and sending inappropriate e-mail messages, are the predominant types of cases investigated. The following sections describe key points for conducting an investigation that might lead to an employee’s termination. Consulting with your organization’s general counsel and Human Resources Department for specific directions on how to handle these investigations is recommended. Your organization must have appropriate policies in place, as described in Chapter 1.

Internet Abuse Investigations

The information in this section applies to an organization’s internal private network, not a public ISP.
Consult with your organization's general counsel after reviewing this list, and make changes according to their directions to build your own procedures. To conduct an investigation involving Internet abuse, you need the following:

• The organization's Internet proxy server logs
• The suspect computer's IP address, obtained from your organization's network administrator
• The suspect computer's disk drive
• Your preferred computer forensics analysis tool (ProDiscover, Forensic Toolkit, EnCase, X-Ways Forensics, and so forth)

The following steps outline the recommended processing of an Internet abuse case:

1. Use the standard forensic analysis techniques and procedures described in this book for the disk drive examination.
2. Using tools such as DataLifter or Forensic Toolkit's Internet keyword search option, extract all Web page URL information.
3. Contact the network firewall administrator and request a proxy server log, if it's available, of the suspect computer's network device name or IP address for the dates of interest. Consult with your organization's network administrator to confirm that these logs are maintained and how long the lease time (often called the time to live, or TTL) is set for the network's IP address assignments that use Dynamic Host Configuration Protocol (DHCP). If leases are short, the same IP address can belong to a different computer on a different day, so match log entries against the address only for the period in which the suspect computer actually held it.
4. Compare the data recovered from forensic analysis to the proxy server log data to confirm that they match.
5. If the URL data matches the proxy server log and the forensic disk examination, continue analyzing the suspect computer's drive data, and collect any relevant downloaded inappropriate pictures or Web pages that support the allegation. If there are no matches in the proxy server logs and the forensic examination shows no contributing evidence, report that the allegation is unsubstantiated.

Before investigating an Internet abuse case, research your state or country's privacy laws.
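Steps 3 and 4 above (request the proxy log for the suspect's address, confirm the DHCP lease, then compare) are the part of the procedure that is easy to get wrong. The following is an added example, not code from the book or from any of the tools it names; it correlates URLs recovered from the disk with proxy log entries and only counts entries that came from the leased address during the lease. The log format, field layout, hosts, addresses and lease window are all constructed for illustration.

```python
"""Correlate URLs recovered from a suspect's disk with the proxy server
log entries for the IP address that computer held at the time.

Added example; not code from the book or from any vendor tool. The log
format, the field names, the addresses and the DHCP lease window are all
constructed for illustration.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO timestamp> <client IP> <URL> <HTTP status>".
PROXY_LOG = """\
2009-03-02T09:14:05 10.1.4.22 http://intranet.example.com/hr/policy.html 200
2009-03-02T09:31:47 10.1.4.22 http://www.badsite.example/gallery/01.jpg 200
2009-03-02T09:32:02 10.1.4.22 http://www.badsite.example/gallery/02.jpg?s=1 200
2009-03-02T12:05:11 10.1.4.87 http://www.badsite.example/gallery/03.jpg 200
2009-03-03T08:02:19 10.1.4.22 http://www.badsite.example/gallery/04.jpg 200
this line is garbage the parser must skip
"""

# Constructed URLs extracted from the suspect's browser cache and history.
DISK_URLS = [
    "http://www.badsite.example/gallery/01.jpg",
    "http://www.badsite.example/gallery/02.jpg",
    "http://www.badsite.example/gallery/03.jpg",
    "http://www.badsite.example/gallery/04.jpg",
    "http://personal-isp.example/webmail/",
]

# DHCP lease the network administrator confirmed for the suspect's machine.
# Outside this window 10.1.4.22 may have been assigned to another host.
LEASE = {
    "ip": "10.1.4.22",
    "start": datetime(2009, 3, 2, 8, 0, 0),
    "end": datetime(2009, 3, 2, 18, 0, 0),
}


def parse_proxy_log(text):
    """Yield (timestamp, client_ip, url) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def normalize(url):
    """Key for comparison: scheme, host and path only. Query strings and
    fragments often differ between a cache entry and the proxy's record."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path or "/")


def correlate(log_text, disk_urls, lease):
    """Split the disk URLs into those corroborated by the proxy log and
    those that are not. A log entry corroborates only if it came from the
    leased address *during* the lease; entries from the same address at
    other times, or from other addresses, are not evidence against the
    suspect's machine."""
    corroborated = set()
    for ts, ip, url in parse_proxy_log(log_text):
        if ip == lease["ip"] and lease["start"] <= ts <= lease["end"]:
            corroborated.add(normalize(url))
    matched = sorted(u for u in disk_urls if normalize(u) in corroborated)
    unmatched = sorted(set(disk_urls) - set(matched))
    return {"matched": matched, "unmatched": unmatched}


if __name__ == "__main__":
    result = correlate(PROXY_LOG, DISK_URLS, LEASE)
    for label in ("matched", "unmatched"):
        print(label)
        for u in result[label]:
            print("   ", u)
```

With the constructed data, only the two downloads made from 10.1.4.22 inside the lease are corroborated; the hit from 10.1.4.87 and the one from 10.1.4.22 on the following day (after the lease expired) stay unmatched, as does the personal webmail URL that never went through the corporate proxy. Unmatched items are not cleared: they are the ones step 5 tells you to keep examining on the drive.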
Many countries have unique privacy laws that restrict the use of computer log data, such as proxy server logs or disk drive cache files, for any type of investigation. Some state or federal laws might supersede your organization's employee policies. Always consult with your organization's attorney. For companies with international business operations, jurisdiction is a problem; what is legal in the United States, such as examining and investigating a proxy server log, might not be legal in Germany, for example.

For investigations in which the proxy server log doesn't match a forensic analysis that found inappropriate data, continue the examination of the suspect computer's disk drive. Determine when the inappropriate data was downloaded to the computer and whether it came through the organization's connection to the Internet. Employees might have used their employer's laptop computers to connect to their own ISPs to download inappropriate Web content. For these situations, consult your organization's employee policy guidelines for what's considered appropriate use of the organization's computing assets.

E-mail Abuse Investigations

E-mail investigations typically include spam, inappropriate and offensive message content, and harassment or threats. E-mail is subject to the same restrictions as other computer evidence data, in that an organization must have a defined policy, as described in Chapter 1.
The following list is what you need for an investigation involving e-mail abuse:

• An electronic copy of the offending e-mail that contains the message header data; consult with your e-mail server administrator
• If available, e-mail server log records; consult with your e-mail server administrator to see whether they are available
• For e-mail systems that store users' messages on a central server, access to the server; consult with your e-mail server administrator
• For e-mail systems that store users' messages on a computer as an Outlook .pst or .ost file, for example, access to the computer so that you can perform a forensic analysis on it
• Your preferred computer forensics analysis tool, such as Forensic Toolkit or ProDiscover

This is the recommended procedure for e-mail investigations:

1. For computer-based e-mail data files, such as Outlook .pst or .ost files, use the standard forensic analysis techniques and procedures described in this book for the drive examination.
2. For server-based e-mail data files, contact the e-mail server administrator and obtain an electronic copy of the suspect's and victim's e-mail folders or data.
3. For Web-based e-mail investigations, such as Hotmail or Gmail, use tools such as Forensic Toolkit's Internet keyword search option to extract all related e-mail address information.
4. Examine the header data of all messages of interest to the investigation. Each server that handles a message prepends a Received header, so the bottom-most one records the host that submitted it. Only the Received headers added by servers you control can be trusted; anything added on the sender's side can be forged.

Attorney-Client Privilege Investigations

When conducting a computer forensics analysis under attorney-client privilege (ACP) rules for an attorney, you must keep all findings confidential. The attorney you're working for is the ultimate authority over the investigation. For investigations of this nature, attorneys typically request that you extract all data from drives. It's your responsibility to comply with the attorney's directions.
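Returning to step 4 of the e-mail procedure above, the following is an added example (not code from the book, nor from Forensic Toolkit or ProDiscover) of pulling the routing chain and identity headers out of an offending message with Python's standard email parser. The message, and every host name, address and message ID in it, is constructed for illustration.

```python
"""Extract the routing chain and identity headers from an offending e-mail.

Added example; not code from the book or from any vendor tool. The message
below is constructed, and every host name, address and message ID in it is
fictitious.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed message as it would be exported from the victim's mailbox.
# Received headers are prepended by each server, so the top one is the
# most recent hop and the bottom one is the submitting host.
RAW_MESSAGE = b"""Received: from mail.corp.example (mail.corp.example [192.0.2.10])
\tby mx.victim.example (Postfix) with ESMTP id 5F3A2C; Mon, 2 Mar 2009 14:22:31 -0800
Received: from ws-0417.corp.example (ws-0417.corp.example [10.1.4.22])
\tby mail.corp.example (Postfix) with ESMTP id 9C1B7D; Mon, 2 Mar 2009 14:22:29 -0800
Message-ID: <20090302222229.9C1B7D@mail.corp.example>
From: "A Friend" <nobody@freemail.example>
To: victim@victim.example
Subject: You know who this is
Date: Mon, 2 Mar 2009 14:22:28 -0800

Threatening text would be here.
"""

# One hop: "from <host> (<info>) by <host> ... ; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*(?:\((?P<from_info>[^)]*)\))?\s*"
    r"by\s+(?P<by_host>\S+).*?;\s*(?P<date>.+)$",
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    """Parse raw RFC 5322 bytes with the modern policy, which unfolds
    continuation lines in header values for us."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """Return the hops oldest-first: the first element is the host that
    submitted the message. Headers added by servers you do not control
    can be forged, so trust only the hops added by your own servers."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if not m:
            continue
        ip = IP_RE.search(m.group("from_info") or "")
        hops.append({
            "from_host": m.group("from_host"),
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by_host"),
            "date": parsedate_to_datetime(m.group("date").strip()),
        })
    return hops


def summarize(msg):
    """Fields an investigator records for each message of interest."""
    def header(name):
        v = msg[name]
        return str(v) if v is not None else None

    chain = received_chain(msg)
    return {
        "message_id": header("Message-ID"),
        "from": header("From"),
        "to": header("To"),
        "subject": header("Subject"),
        "origin_host": chain[0]["from_host"] if chain else None,
        "origin_ip": chain[0]["from_ip"] if chain else None,
        "hops": len(chain),
    }


if __name__ == "__main__":
    for key, val in summarize(parse_message(RAW_MESSAGE)).items():
        print(f"{key:12} {val}")
```

The From address says nothing useful on its own; the bottom Received header, added by the corporate mail server, names the internal workstation and address that submitted the message, which is what you then tie to a user through the DHCP lease and logon records.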
Because of the large quantities of data a drive can contain, the attorney will want to know about everything of interest on the drives. Many attorneys like to have printouts of the data you have recovered, but printouts present problems when you have log files with several thousand pages of data or CAD drawings that can be read only by proprietary programs. You need to persuade and educate many attorneys on how digital evidence can be viewed electronically. In addition, learn how to teach attorneys and paralegals to sort through files so that you can help them efficiently analyze the huge amount of data a forensic examination produces.

You can also encounter problems if you find data in the form of binary files, such as CAD drawings. Examining these files requires the CAD program that created them, and engineering companies often have specialized drafting programs. Discovery demands for lawsuits involving a product that caused injury or death require extracting design plans for attorneys and expert witnesses to review. You're responsible for locating the programs for these design plans so that attorneys and expert witnesses can view the evidence files.

The following list shows the basic steps for conducting an ACP case:

1. Request a memorandum from the attorney directing you to start the investigation. The memorandum must state that the investigation is privileged communication and list your name and any other associates' names assigned to the case.
2. Request a list of keywords of interest to the investigation.
3. After you have received the memorandum, initiate the investigation and analysis. Any findings you made before receiving the memorandum are subject to discovery by the opposing attorney.
4. For drive examinations, make two bit-stream images (discussed later in this chapter) of the drive using a different tool for each image, such as EnCase for the first and ProDiscover or SafeBack for the second. If you have large enough storage drives, make each bit-stream image uncompressed so that if it becomes corrupt, you can still examine the uncorrupted areas with your preferred forensic analysis tool.
5. If possible, compare hash values on all files on the original and re-created disks. Many GUI forensics tools perform this task during bit-stream imaging of the drive.
6. Methodically examine every portion of the drive (both allocated and unallocated data areas) and extract all data. Typically, attorneys want to view all data, even if it's not relevant to the case.
7. Run keyword searches on allocated and unallocated disk space. Follow up the search results to determine whether they contain information that supports the case.
8. For Windows OSs, use specialty tools to analyze and extract data from the Registry, such as AccessData Registry Viewer or another Registry viewer program (discussed in more detail in Chapter 6). Use the Edit, Find menu option in Registry Editor, for example, to search for keywords of interest to the investigation.
9. For binary files such as CAD drawings, locate the correct program and, if possible, make printouts of the binary file content. If the files are too large, load the specialty program on a separate workstation with the recovered binary files so that the attorney can view them.
10. For unallocated data (file slack space or free space, explained in Chapter 6) recovery, use a tool that removes or replaces nonprintable data, such as the X-Ways Forensics Specialist Gather Text function.
11. Consolidate all recovered data from the evidence bit-stream image into well-organized folders and subfolders. Store the recovered data output using a logical and easy-to-follow storage method for the attorney or paralegal.

Here are some other guidelines to remember for ACP cases:

• Minimize all written communication with the attorney; use the telephone when you need to ask questions or provide information related to the case.
• Any documentation written to the attorney must contain a header stating that it's "Privileged Legal Communication—Confidential Work Product," as defined under the attorney-work-product rule.
• Assist the attorney and paralegal in analyzing the data.

If you have difficulty complying with the directions or don't understand the directives from the memorandum, contact the attorney and explain the problem. Always keep an open line of verbal communication with the attorney during these types of investigations. If you're communicating via e-mail, use encryption (such as PGP) or another secure e-mail service for all messages.

Media Leak Investigations

In the corporate environment, controlling sensitive data can be difficult. Disgruntled employees, for example, might send an organization's sensitive data to a news reporter. The reasons for media leaks range from employees' efforts to embarrass management to rivals conducting a power struggle between internal organizations. Another concern is the premature release of information about new products, which can disrupt operations and cause market share loss for a business if the information is made public too soon. Media leak investigations can be time consuming and resource intensive. Because management wants to find who leaked the information, scope creep during the investigation is not uncommon.

Consider the following guidelines for media leak investigations:

• Examine e-mail, both the organization's e-mail servers and private e-mail accounts (Hotmail, Yahoo!, Gmail, and so on), on company-owned computers.
• Examine Internet message boards, and search the Internet for any information about the company or product. Use Internet search engines to run keyword searches related to the company, product, or leaked information.
For example, you might search for "graphite-composite bicycle sprocket" for a bicycle manufacturer that was the victim of a media leak about a new product in development.
• Examine proxy server logs to check for log activities that might show use of free e-mail services, such as Gmail. Track back to the specific workstations where these messages originated and perform a forensic analysis on the drives to help determine what was communicated.
• Examine known suspects' workstations, perform computer forensics examinations on persons of interest, and develop other leads on possible associates.
• Examine all company phone records for any calls to known media organizations.

The following list outlines steps to take for media leaks:

1. Interview management privately to get a list of employees who have direct knowledge of the sensitive data.
2. Identify the media source that published the information.
3. Review company phone records to see who might have had contact with the news service.
4. Obtain a list of keywords related to the media leak.
5. Perform keyword searches on proxy and e-mail servers.
6. Discreetly conduct forensic disk acquisitions and analysis of employees of interest.
7. From the forensic disk examinations, analyze all e-mail correspondence and trace any sensitive messages to other people who haven't been listed as having direct knowledge of the sensitive data.
8. Expand the discreet forensic disk acquisition and analysis to any new persons of interest.
9. Consolidate and review your findings periodically to see whether new clues can be discovered.
10. Report findings to management routinely, and discuss how much further to continue the investigation.

Industrial Espionage Investigations

Industrial espionage cases, similar to media leaks, can be time consuming and are subject to the same scope creep problems. This section offers some guidelines on how to deal with industrial espionage investigations.
Be aware that cases dealing with foreign nationals might involve violations of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). For more information on ITAR, see the U.S. Department of State's Web site (www.state.gov) or do an Internet search for "International Traffic in Arms Regulations." For EAR information, see the U.S. Department of Commerce Web site (www.doc.gov) or do an Internet search for "Export Administration Regulations."

Unlike the other corporate investigations covered in this section, all suspected industrial espionage cases should be treated as criminal investigations. The techniques described here are for private network environments and internal investigations that haven't yet been reported to law enforcement officials. Make sure you don't become an agent of law enforcement by filing a complaint of a suspected espionage case before substantiating the allegation.

The following list includes staff you might need when planning an industrial espionage investigation. This list isn't exhaustive, so use your knowledge to improve on these recommendations:

• The computing investigator, who is responsible for disk forensic examinations
• The technology specialist, who is knowledgeable about the suspected compromised technical data
• The network specialist, who can perform log analysis and set up network monitors to trap network communication of possible suspects
• The threat assessment specialist (typically an attorney), who is familiar with federal and state laws and regulations related to ITAR or EAR and industrial espionage

In addition, consider the following guidelines when initiating an industrial espionage investigation:

• Determine whether this investigation involves a possible industrial espionage incident, and then determine whether it falls under ITAR or EAR.
• Consult with corporate attorneys and upper management if the investigation must be conducted discreetly.
• Determine what information is needed to substantiate the allegation of industrial espionage.
• Generate a list of keywords for disk forensics and network monitoring.
• List and collect resources needed for the investigation.
• Determine the goal and scope of the investigation; consult with management and the company's attorneys on how much work you should do.
• Initiate the investigation after approval from management, and make regular reports of your activities and findings.

The following are planning considerations for industrial espionage investigations:

• Examine all e-mail of suspected employees, both company-provided e-mail and free Web-based services.
• Search Internet newsgroups or message boards for any postings related to the incident.
• Initiate physical surveillance with cameras on people or things of interest to the investigation.
• If available, examine all facility physical access logs for sensitive areas, which might include secure areas where smart badges or video surveillance recordings are used.
• If there's a suspect, determine his or her location in relation to the vulnerable asset that was compromised.
• Study the suspect's work habits.
• Collect all incoming and outgoing phone logs to see whether any unique or unusual places were called.

When conducting an industrial espionage case, follow these basic steps:

1. Gather all personnel assigned to the investigation and brief them on the plan and any concerns.
2. Gather the resources needed to conduct the investigation.
3. Start the investigation by placing surveillance systems, such as cameras and network monitors, at key locations.
4. Discreetly gather any additional evidence, such as the suspect's computer drive, and make a bit-stream image for follow-up examination.
5. Collect all log data from networks and e-mail servers, and examine them for unique items that might relate to the investigation.
6. Report regularly to management and corporate attorneys on your investigation's status and current findings.
7. Review the investigation's scope with management and corporate attorneys to determine whether it needs to be expanded and more resources added.

Interviews and Interrogations in High-Tech Investigations

Becoming a skilled interviewer and interrogator can take many years of experience. Typically, a corporate computing investigator is a technical person acquiring the evidence for an investigation. Many large organizations have full-time security investigators with years of training and experience in criminal and civil investigations and interviewing techniques. Few of these investigators have any computing or network technical skills, so you might be asked to assist in interviewing or interrogating a suspect when you have performed a forensic disk analysis on that suspect's machine.

An interrogation is different from an interview. An interview is usually conducted to collect information from a witness or suspect about specific facts related to an investigation. An interrogation is the process of trying to get a suspect to confess to a specific incident or crime. An investigator might change from an interview to an interrogation when talking to a witness or suspect. The more experience and training investigators have in the art of interviewing and interrogating, the more easily they can determine whether a witness is credible and possibly a suspect. Your role as a computing investigator is to instruct the investigator conducting the interview on what questions to ask and what the answers should be. As you build rapport with the investigator, he or she might ask you to question the suspect. Watching a skilled interrogator is a learning experience in human relations skills.
If you’re asked to assist in an interview or interrogation, prepare yourself by answering the following questions: • What questions do I need to ask the suspect to get the vital information about the case? • Do I know what I’m talking about, or will I have to research the topic or technology related to the investigation? • Do I need additional questions to cover other indirect issues related to the investigation? 2 44 Chapter 2 Common interview and interrogation errors include being unprepared for the interview or interrogation and not having the right questions or enough questions to increase your depth of knowledge. Make sure you don’t run out of conversation topics; you need to keep the conversation friendly to gain the suspect’s confidence. Avoid doubting your own skills, which might show the suspect you lack confidence in your ability. Ingredients for a successful interview or interrogation require the following: • Being patient throughout the session • Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect • Being tenacious Understanding Data Recovery Workstations and Software Now you know what’s involved in acquiring and documenting evidence. In Chapter 3, you examine a complete setup of a computer forensics lab, which is where you conduct your investigations and where most of your equipment and software are located, including secure evidence containers. Be aware that some companies that perform computer investigations also do data recovery, which is the more well-known and lucrative side of the business. Remember the difference between data recovery and computer forensics. In data recovery, you don’t necessarily need a sterile target drive when restoring the forensic image. Typically, the customer or your company just wants the data back. The other key difference is that in data recovery, you usually know what you’re trying to retrieve. 
In computer forensics, you might have an idea of what you're searching for, but not necessarily. To conduct your investigation and analysis, you must have a specially configured PC known as a forensic workstation, which is a computer loaded with additional bays and forensics software. Depending on your needs, most computer forensics work can be performed on the following Microsoft OSs:

• MS-DOS 6.22
• Windows 95, 98, or Me
• Windows NT 3.5 or 4.0
• Windows 2000
• Windows XP
• Windows Vista

Chapters 3 and 7 cover the software resources you need and the forensics lab and workstation in detail. Visit www.digitalintel.com to examine the specifications of the Forensic Recovery of Evidence Device (F.R.E.D.) unit or www.forensicpc.com to examine the ForensicPC Dual Xeon Workstation and other current products.

In addition to the Windows OSs listed, you can use Linux or UNIX to conduct your analysis. Several open-source and freeware tools are available for this purpose. Some newer forensics tools, such as AccessData FTK, now require dual-core processors.

If you start Windows with an unprotected evidence disk attached, Windows alters the evidence disk by writing to it at startup (creating the Recycle Bin and other system files, for example), which destroys the integrity of the evidence you're trying to preserve. Chapter 6 covers which files Windows updates automatically at startup. Windows XP and Vista systems also record the serial numbers of hard drives and CPUs in a file, which can be difficult to recover. Of all the Microsoft OSs, the least intrusive (in terms of changing data) to disks is MS-DOS 6.22. With the continued evolution of Microsoft OSs, it's not always practical to use older MS-DOS platforms, however. Newer file system formats, such as NTFS, are readable only from Windows NT or newer Microsoft OSs. You can use one of several write-blockers that enable you to boot to Windows without writing data to the evidence drive.
In Chapter 4, you learn more about write-blockers and some inexpensive alternatives for preserving data during an acquisition. There are many hardware write-blockers on the market. Some are inserted between the disk controller and the hard disk; others connect to USB or FireWire ports. Several vendors sell write-blockers, including Technology Pathways NoWrite FPU; Digital Intelligence Ultra-Kit, UltraBlock, FireFly, FireChief 800, and USB Write Blocker; WiebeTECH Forensic DriveDock; Guidance Software FastBloc2; Paralan's SCSI Write Blockers; and Intelligent Computer Solutions (www.ics-iq.com) Image LinkMaSSter Forensics Hard Case.

Many older computer forensics acquisition tools work in the MS-DOS environment. These tools can operate from an MS-DOS window in Windows 98 or from the command prompt in Windows 2000 and later. Some of their functions are disabled or generate error messages when run in these OSs, however. Windows products are being developed that make performing disk forensics easier. However, because Windows has limitations in performing disk forensics, you might need to develop skills in acquiring data with MS-DOS and Linux. In later chapters, you learn more about using these other tools. Keep in mind that no single computer forensics tool can recover everything. Each tool and OS has its own strengths and weaknesses, so develop skills with as many tools as possible to become an effective computing investigator. Appendix D has additional information on how to use MS-DOS for data acquisitions.

Setting Up Your Workstation for Computer Forensics

With current computer forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is simple.
All that’s required are the following: • A workstation running Windows XP or Vista • A write-blocker device • Computer forensics acquisition tool • Computer forensics analysis tool 2 46 Chapter 2 • A target drive to receive the source or suspect disk data • Spare PATA or SATA ports • USB ports Additional useful items include the following: • Network interface card (NIC) • Extra USB ports • FireWire 400/800 ports • SCSI card • Disk editor tool • Text editor tool • Graphics viewer program • Other specialized viewing tools In Chapter 3, you learn more about setting up and configuring a computer to be a forensic workstation. Conducting an Investigation Now you’re ready to return to the Domain Name case. You have created a plan for the investigation, set up your forensic workstation, and installed the necessary forensic analysis software you need to examine the evidence. The type of software to install includes your preferred analysis tool, such as ProDiscover, EnCase, FTK, or X-Ways Forensics; an office suite, such as OpenOffice; and a graphics viewer, such as IrfanView. To begin conducting an investigation, you start by copying the evidence using a variety of methods. No single method retrieves all data from a disk, so using several tools to retrieve and analyze data is a good idea. Start by gathering the resources you identified in your investigation plan. You need the following items: • Original storage media • Evidence custody form • Evidence container for the storage media, such as an evidence bag • Bit-stream imaging tool; in this case, the ProDiscover Basic acquisition utility • Forensic workstation to copy and examine the evidence • Secure evidence locker, cabinet, or safe Gathering the Evidence Now you’re ready to gather evidence for the Domain Name case. Remember, you need antistatic bags and pads with wrist straps to prevent static electricity from damaging digital evidence. 
To acquire George Montgomery's storage media from the IT Department and then secure the evidence, you perform the following steps:

1. Arrange to meet the IT manager to interview him and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have him sign it, and then sign it yourself.
3. Store the storage media in an evidence bag, and then transport it to your forensic facility.
4. Carry the evidence to a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. As mentioned, if you're using a multi-evidence form, you can store the form in the file folder for the case. If you're also using single-evidence forms, store them in the secure container with the evidence. Reduce the risk of tampering by limiting access to the forms.
6. Secure the evidence by locking the container.

Understanding Bit-stream Copies

A bit-stream copy is a bit-by-bit copy (also known as a sector copy) of the original drive or storage medium and is an exact duplicate. The more exact the copy, the better chance you have of retrieving the evidence you need from the disk. This process is usually referred to as "acquiring an image" or "making an image" of a suspect drive. A bit-stream copy is different from a simple backup copy of a disk. Backup software can copy or compress only files that are stored in a folder or are of a known file type; it can't copy deleted files and e-mails or recover file fragments. A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition. For simplicity, it's usually referred to as an "image," "image save," or "image file." Some manufacturers also refer to it as a forensic copy. To create an exact image of an evidence disk, copying the image to a target disk that's identical to the evidence disk is preferable (see Figure 2-4).
The target disk’s manufacturer and model, in general, should be the same as the original disk’s manufacturer and model. If the target disk is identical to the original, the size in bytes and sectors of both disks should also be the same. Some image acquisition tools can accommodate a target disk that’s a different size than the original. These imaging tools are discussed in Chapter 4. Older computer forensics tools designed for MS-DOS work only on a copied disk. Current GUI tools can work on both a disk drive and copied data sets that many manufacturers refer to as “image saves.” Figure 2-4 Transfer of data from original to image to target 2 48 Chapter 2 Occasionally, the track and sector maps on the original and target disks don’t match, even if you use disks of exactly the same size that are different makes or models. Tools such as Guidance EnCase and NTI SafeBack adjust for the target drive’s geometry. Two other tools, X-Ways WinHex Specialist Edition and Technology Pathways ProDiscover, can copy sector by sector to equal-sized or larger disks without needing to force changes in the target disk’s geometry. Acquiring an Image of Evidence Media After you retrieve and secure the evidence, you’re ready to copy the evidence media and analyze the data. The first rule of computer forensics is to preserve the original evidence. Then conduct your analysis only on a copy of the data—the image of the original medium. Several vendors provide MS-DOS, Linux, and Windows acquisition tools. Windows tools, however, require a write-blocking device (discussed in Chapter 4) when acquiring data from FAT or NTFS file systems. Using ProDiscover Basic to Acquire a USB Drive ProDiscover Basic from Technology Pathways is a forensics analysis tool. You can use it to acquire and analyze data from several different file systems, such as Microsoft FAT and NTFS, Linux Ext2 and Ext3, and other UNIX file systems, from a Windows XP or older OS. 
To use ProDiscover Basic in Windows Vista, you need to run it in Administrator mode. See the Tip in the following steps for instructions on selecting this mode. The DVD accompanying this book includes ProDiscover Basic. The installation program includes a user manual, ProDiscoverManual.pdf, in the C:\Program Files\Technology Pathways\ProDiscover folder (if the installation defaults are used). Read the user manual for instructions, and install ProDiscover Basic on your computer before you perform the following activity. Before starting this activity, you need to create a work folder on your computer for data storage and other related files ProDiscover creates when acquiring and analyzing evidence. You can use any location and name for your work folder, but you’ll see it referred to in activities as C:\Work or simply “your work folder.” To keep your files organized, you should also create subfolders for each chapter. For this chapter, create a Work\Chap02\Chapter folder to store files from in-chapter activities. Note that you might see work folder pathnames in screenshots that are slightly different from your own pathname. The following steps show how to acquire an image of a USB drive, but you can apply them to other media, such as disk drives and floppy disks. You can use any USB drive already containing files to see how ProDiscover acquires data. To perform an acquisition on a USB drive with ProDiscover Basic, follow these steps: 1. First, on the USB drive, locate the write-protect switch (if one is available) and place the drive in write-protect mode. Now connect the USB drive to your computer. Conducting an Investigation 49 This activity is meant to introduce you to the ProDiscover Basic tool. Proper forensics procedures require write-protecting any evidence media to ensure that it’s not altered. In Chapter 4, you learn how to use hardware and software write-blocking methods. 2. 
To start ProDiscover Basic, click Start, point to All Programs, point to ProDiscover, and click ProDiscover Basic. If the Launch Dialog dialog box opens (see Figure 2-5), click Cancel. If you’re using Windows Vista, right-click the ProDiscover Basic desktop icon (or menu item on the All Programs menu) and click Run as administrator. In the UAC message box, click Continue. Tree view Figure 2-5 The main window in ProDiscover For convenience, you can disable the display of the Launch Dialog dialog box by clicking the check box indicated in Figure 2-5. 2 50 Chapter 2 3. In the main window, click Action, Capture Image from the menu. 4. In the Capture Image dialog box shown in Figure 2-6, click the Source Drive list arrow, and select the USB drive. Figure 2-6 The Capture Image dialog box 5. Click the >> button next to the Destination text box. When the Save As dialog box opens, navigate to your work folder (Work\Chap02\Chapter) and enter a name for the image you’re making, such as InChp-prac. Click Save to save the file. 6. Next, in the Capture Image dialog box, type your name in the Technician Name text box and InChp-prac-02 in the Image Number text box (see Figure 2-7). Click OK. ProDiscover Basic then acquires an image of the USB drive. When it’s finished, it displays a notice to check the log file created during the acquisition. This log file contains additional information if errors were encountered during the data acquisition. ProDiscover also creates an MD5 hash output file. In Chapters 4 and 5, you learn how to use MD5 for forensic analysis and evidence validation. 7. When ProDiscover is finished, click OK in the completion message box. Click File, Exit from the menu to exit ProDiscover. Conducting an Investigation 51 2 Figure 2-7 The completed Capture Image dialog box This activity completes your first forensics data acquisition. Next, you learn how to locate data in an acquisition. 
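The acquisition above is done through ProDiscover's dialog; the same bit-stream copy can be written out in code. The following is an added example for this chapter, not ProDiscover's or any other vendor's code: it reads the source one sector at a time, hashes the bytes it writes, records a log (with the technician name and image number, as the Capture Image dialog does) and hash files next to the image, and then verifies the image against the recorded hashes. It assumes a 512-byte sector and, like dd with conv=noerror,sync, replaces an unreadable sector with zeros and logs its LBA so that every later sector keeps its offset in the image; FaultySource is a constructed stand-in for evidence media with one bad sector, and the hashes are recorded as MD5 (what ProDiscover writes) and SHA-256.

```python
"""Sector-by-sector (bit-stream) acquisition with hash files and an
acquisition log, then verification of the image against the recorded hashes.

Added example for this chapter; not ProDiscover's or any vendor's code.
Assumptions: 512-byte sectors; an unreadable sector is zero-filled in the
image (so the geometry is preserved) and its LBA is logged; MD5 and SHA-256
are both recorded.
"""
import hashlib
import io
import json
import math
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed; use the device's reported logical sector size in practice


class FaultySource(io.BytesIO):
    """Constructed stand-in for evidence media with one unreadable sector."""

    def __init__(self, data: bytes, bad_sector: int = -1):
        super().__init__(data)
        self.bad_sector = bad_sector

    def read(self, n: int = -1) -> bytes:
        if self.tell() // SECTOR == self.bad_sector:
            raise OSError(5, "Input/output error")
        return super().read(n)


def acquire(src, dst, sector: int = SECTOR) -> dict:
    """Copy src to dst one sector at a time, hashing exactly what is written."""
    size = src.seek(0, os.SEEK_END)
    sectors = math.ceil(size / sector)
    md5, sha256, bad = hashlib.md5(), hashlib.sha256(), []
    for lba in range(sectors):
        want = min(sector, size - lba * sector)   # the last sector may be short
        src.seek(lba * sector)
        try:
            chunk = src.read(want)
        except OSError:
            bad.append(lba)                       # logged, never silently skipped
            chunk = b"\x00" * want                # zero-fill keeps later offsets aligned
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
    return {"bytes": size, "sectors": sectors, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_to_files(src, image_path: str, technician: str, image_number: str) -> dict:
    """Write <image>, <image>.md5, <image>.sha256 and <image>.log."""
    with open(image_path, "wb") as dst:
        info = acquire(src, dst)
    base = os.path.basename(image_path)
    for alg in ("md5", "sha256"):
        with open(f"{image_path}.{alg}", "w") as f:
            f.write(f"{info[alg]}  {base}\n")     # same layout as md5sum / sha256sum
    log = {"technician": technician, "image_number": image_number,
           "acquired_utc": datetime.now(timezone.utc).isoformat(), **info}
    with open(image_path + ".log", "w") as f:
        json.dump(log, f, indent=2)
    return info


def verify(image_path: str) -> bool:
    """Re-hash the image and compare with the recorded MD5 and SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    ok = True
    for alg, h in (("md5", md5), ("sha256", sha256)):
        with open(f"{image_path}.{alg}") as f:
            ok &= f.read().split()[0] == h.hexdigest()
    return ok


def demo(data: bytes = bytes(range(256)) * 6, bad_sector: int = 1) -> dict:
    """Acquire constructed sample media into a temporary work folder and verify it."""
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "InChp-prac.dd")
        info = acquire_to_files(FaultySource(data, bad_sector), image,
                                "J. Doe", "InChp-prac-02")
        info["verified"] = verify(image)
    return info


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash is taken over the bytes written to the image, not over the bytes on the device, so a zero-filled bad sector is part of what the hash attests to; that is why the log listing bad sectors must travel with the image and the hash file. Running demo() reports one bad sector (LBA 1) and a verified image; with clean media (bad_sector=-1) the image hash equals the hash of the source bytes.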
Analyzing Your Digital Evidence

When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. Remember that as files are deleted, the space they occupied becomes free space, meaning it can be used for new files that are saved or for files that expand as data is added to them. The deleted files are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as ProDiscover Basic can retrieve deleted files for use as evidence.

In the following steps, you analyze George Montgomery's USB drive. Before beginning, extract all compressed files from the Chap02 folder on the book's DVD to your work folder. The first task is loading the acquired image into ProDiscover Basic by following these steps:

1. Start ProDiscover Basic, as you did in the previous activity.
2. To create a new case, click File, New Project from the menu.
3. In the New Project dialog box, type InChp02 in the Project Number text box and again in the Project File Name text box (see Figure 2-8), and then click OK.
4. In the tree view of the main window (see Figure 2-9), click to expand the Add item, and then click Image File.

Figure 2-8 The New Project dialog box
Figure 2-9 The tree view in ProDiscover

5. In the Open dialog box, navigate to the folder containing the image, click the InChp02.eve file, and click Open. Click Yes in the Auto Image Checksum message box, if necessary.

The next task is to display the contents of the acquired data. Perform the following steps:

1. In the tree view, click to expand Content View, if necessary. Click to expand Images, click the image filename path C:\Work\InChp02.eve (substituting your folder path for "Work", for example C:\Work\Chap02\Chapter), and then click to expand the path.
2. Next, click All Files under the image filename path. When the CAUTION dialog box opens, click Yes. The InChp02.eve file is then loaded in the main window, as shown in Figure 2-10.
3. In the upper-right pane (the work area), click the letter1 file to view its content in the data area (see Figure 2-11).
4. In the data area, you see the contents of the letter1 file. Continue to navigate through the work and data areas and inspect the contents of the recovered evidence. Note that many of these files are deleted files that haven't been overwritten. Leave ProDiscover Basic running for the next activity.

Figure 2-10 The loaded InChp02.eve file
Figure 2-11 Selecting a file in the work area and viewing its contents in the data area

The next step is analyzing the data and searching for information related to the complaint. Data analysis can be the most time-consuming task, even when you know exactly what to look for in the evidence. The method for locating evidentiary artifacts is to search for specific known data values. Data values can be unique words or nonprintable characters, such as hexadecimal codes. There are also printable characters that can't be typed directly on a keyboard, such as the copyright (©) or registered trademark (®) symbols. Many computer forensics programs can search for character strings (letters and numbers) and for hexadecimal values, such as A9 for the copyright symbol or AE for the registered trademark symbol. Note that these single-byte codes are the ISO-8859-1 (Latin-1) and Windows-1252 encodings of those symbols; the same symbols appear as C2 A9 and C2 AE in UTF-8 and as A9 00 and AE 00 in the UTF-16LE encoding many Windows files use, so a hex search needs to cover the encodings the evidence is likely to contain. All these searchable data values are referred to as "keywords."

With ProDiscover Basic, you can search for keywords of interest in the case. For this case, follow these steps to search for any reference to the name George:

1. In the tree view, click Search.
2. In the Search dialog box, click the Content Search tab, if necessary. Click the Select all matches check box, the ASCII option button, and the Search for the pattern(s) option button, if they aren't already selected.
3. Next, in the text box under the Search for the pattern(s) option button, type George (see Figure 2-12).

Figure 2-12 Entering a keyword in the Search dialog box

You can list keywords separately or combine words with the Boolean logic operators AND, OR, and NOT. Searching for a common keyword produces too many hits and makes it difficult to locate evidence of interest to the case. Applying Boolean logic can help reduce unrelated excessive hits, which are called "false-positive hits."

4. Under Select the Disk(s)/Image(s) you want to search in, click C:\Work\InChp02.eve (substituting the path to your work folder), and then click OK to initiate the search. Leave ProDiscover Basic running for the next activity.

When the search is finished, ProDiscover displays the results in the search results pane in the work area. Note the tab labeled Search 1 in Figure 2-13. For each search you do in a case, ProDiscover adds a new tab to help catalog your searches.

Figure 2-13 The search results pane

Click each file in the search results pane and examine its content in the data area. If you locate a file of interest that displays binary (nonprintable) data in the data area, you can double-click the file to display the data in the work area. Then you can double-click the file in the work area, and an associated program, such as Microsoft Excel for a spreadsheet, opens the file's content. If you want to extract the file, you can right-click it and click Copy File. Either way, the image file is only read from; anything the associated program changes happens to the exported copy, not to the evidence.

For this example, an Excel spreadsheet named Income.xls is displayed in the search results pane. The information in the data area shows mostly unreadable character data. To examine this data, you can export the data to a folder of your choice, and then open it for follow-up examination and analysis. To export the Income.xls file, perform the following steps:

1. In the search results pane, double-click the Income.xls file, which switches the view to the work area.
2. In the work area, right-click the Income.xls file and click Copy File.
3. In the Save As dialog box, navigate to the folder you've selected, and click Save.
4. Now that the Income.xls file has been copied to a Windows folder, start Excel (or another spreadsheet program, such as OpenOffice Calc) to examine the file's content. Figure 2-14 shows the extracted file open in OpenOffice Calc. Repeat this data examination and file export process for the remaining files in the search results pane. Then close all open windows except ProDiscover Basic for the next activity.

Figure 2-14 The extracted Income.xls file

With ProDiscover's Search feature, you can also search for specific filenames. To use this feature, click the "Search for files named" option button in the Search dialog box. When you're dealing with a very large drive with several thousand files, this feature minimizes human error in looking at data.

After completing the detailed examination and analysis, you can generate a report of your activities. Several computer forensics programs provide a report generator or a log file of actions taken during an examination. These reports and logs are typically text or HTML files. The text files are usually in plaintext or Rich Text Format (RTF). ProDiscover Basic offers a report generator that produces an RTF or a plaintext file that most word processing programs can read. You can also select specific items and add them to the report. For example, to select a file in the work area, click the check box in the Select column next to the file to open the Add Comment dialog box. Enter a description and click OK. The descriptive comment is then added to the ProDiscover Basic report. To create a report in ProDiscover Basic, perform the following steps:

1. In the tree view, click Report. The report is then displayed in the right pane, as shown in Figure 2-15.

Figure 2-15 A ProDiscover report

2. To print the report, click File, Print Report from the menu.
3. In the Print dialog box, click OK.

If the report needs to be saved to a file, you use ProDiscover Basic's Export feature and choose RTF or plaintext for the file format. To export the report to a file, do the following:

1. In the tree view, click Report.
2. Click Action, Export from the menu.
3. In the Export dialog box, click the RTF Format or Text Format option button, type InChp02 in the File Name text box, and then click OK. To place the report in a different folder, click the Browse button and navigate to the folder where you want to save the report. Click Save, and then click OK in the Export dialog box.
4. Review the report, and then click File, Exit from the menu to exit ProDiscover Basic.

This activity completes your analysis of the USB drive. In the next section, you learn how to complete the case. In later chapters, you learn how to apply more search and analysis techniques.

Completing the Case

After analyzing the disk, you can retrieve deleted files, e-mail, and items that have been purposefully hidden, which you do in Chapters 9, 10, and 12. The files on George's USB drive indicate that he was conducting a side business on his company computer. Now that you have retrieved and analyzed the evidence, you need to find the answers to the following questions to write the final report:

• How did George's manager acquire the disk?
• Did George perform the work on a laptop that is his own property? If so, did he conduct business transactions on his break or during his lunch hour?
• At what times of the day was George using the non-work-related files? How did you retrieve that information?
• Which company policies apply?
• Are there any other items that need to be considered?

When you write your report, state what you did and what you found. The report you generated in ProDiscover gives you an account of the steps you took.
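The keyword search in the analysis section above (ASCII keywords, hexadecimal values such as A9, and Boolean operators to trim false-positive hits) is what the following added example implements over a set of recovered files. It is not ProDiscover's search code, and SAMPLE_FILES holds constructed stand-ins for George's files (its Income.xls is four OLE header bytes followed by UTF-16LE text, not a real workbook). It assumes each keyword should be tried in every encoding listed in ENCODINGS, because the ASCII search selected in the steps above misses text stored as UTF-16LE, which many Windows artifacts use, and it represents a query as nested tuples such as ("AND", "George", ("NOT", "Georgetown")).

```python
"""Keyword search over recovered files: keyword text tried in several
encodings, raw hex patterns, and Boolean combination of terms.

Added example for this chapter; not ProDiscover's search code. The files in
SAMPLE_FILES are constructed evidence, not the contents of the book's DVD.
"""
import re
from typing import Dict, List, Tuple, Union

Term = Union[str, bytes]      # keyword text, or raw bytes such as bytes.fromhex("A9")
Query = Union[Term, tuple]    # term | ("AND", q, ...) | ("OR", q, ...) | ("NOT", q)

# The first encoding that yields a byte string names it (ASCII == UTF-8 == Latin-1
# for plain text, so "George" gets an ascii form and a utf-16-le form).
ENCODINGS = ("ascii", "utf-8", "latin-1", "utf-16-le")

SAMPLE_FILES: Dict[str, bytes] = {   # constructed stand-ins for the recovered files
    "letter1.txt": b"Dear Mr. Hsu,\nGeorge Montgomery will register your domain this week.\n",
    "Income.xls": b"\xd0\xcf\x11\xe0" + "Client,Income\nGeorge Co.,12750".encode("utf-16-le"),
    "notes.txt": b"Copyright \xa9 2009 Superior Bicycles\n",   # Latin-1 copyright sign, A9
    "map.txt": b"Turn left on Georgetown Road\n",               # false positive for "George"
}


def label(term: Term) -> str:
    return term.hex().upper() if isinstance(term, bytes) else term


def term_forms(term: Term) -> Dict[str, bytes]:
    """Byte patterns to look for: a hex term verbatim, a keyword in each encoding."""
    if isinstance(term, bytes):
        return {"hex": term}
    forms: Dict[str, bytes] = {}
    for enc in ENCODINGS:
        try:
            encoded = term.encode(enc)
        except UnicodeEncodeError:     # e.g. the copyright sign has no ASCII form
            continue
        if encoded not in forms.values():
            forms[enc] = encoded
    return forms


def find_all(data: bytes, pattern: bytes, ignore_case: bool = True) -> List[int]:
    flags = re.IGNORECASE if ignore_case else 0   # folds ASCII letters only
    return [m.start() for m in re.finditer(re.escape(pattern), data, flags)]


def terms_of(query: Query) -> List[Term]:
    """Distinct terms referenced anywhere in a query."""
    if isinstance(query, (str, bytes)):
        return [query]
    terms: List[Term] = []
    for sub in query[1:]:
        terms += [t for t in terms_of(sub) if t not in terms]
    return terms


def search_files(files: Dict[str, bytes], terms: List[Term]):
    """hits[file][term label] = [(encoding, byte offset), ...]; [] means no hit."""
    hits: Dict[str, Dict[str, List[Tuple[str, int]]]] = {}
    for name, data in files.items():
        hits[name] = {}
        for term in terms:
            found = [(enc, off) for enc, pat in term_forms(term).items()
                     for off in find_all(data, pat)]
            hits[name][label(term)] = sorted(found, key=lambda h: h[1])
    return hits


def matches(file_hits: Dict[str, list], query: Query) -> bool:
    """Evaluate the Boolean query against one file's hit table."""
    if isinstance(query, (str, bytes)):
        return bool(file_hits.get(label(query)))
    op = query[0].upper()
    if op == "NOT":
        return not matches(file_hits, query[1])
    if op == "AND":
        return all(matches(file_hits, q) for q in query[1:])
    if op == "OR":
        return any(matches(file_hits, q) for q in query[1:])
    raise ValueError(f"unknown operator {query[0]!r}")


def run_query(files: Dict[str, bytes], query: Query):
    """Return (per-file hits, sorted names of files satisfying the query)."""
    hits = search_files(files, terms_of(query))
    return hits, sorted(name for name, fh in hits.items() if matches(fh, query))


if __name__ == "__main__":
    hits, names = run_query(SAMPLE_FILES, ("AND", "George", ("NOT", "Georgetown")))
    print(names)                                  # ['Income.xls', 'letter1.txt']
    print(hits["Income.xls"]["George"])           # [('utf-16-le', 32)]
    print(term_forms("©"))                        # utf-8 C2 A9, latin-1 A9, utf-16-le A9 00
```

The NOT term removes map.txt, whose only hit is the street name, while the UTF-16LE form is what finds "George" inside the spreadsheet; a bare ASCII search would report letter1.txt and the false positive and miss Income.xls entirely. The hit offsets are what you would cite in a report or carry over to a hex view of the file.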
As part of your final report, depending on guidance from management or legal counsel, include the ProDiscover report file to document your work. In any computing investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as repeatable findings; without it, your work product has no value as evidence.

Keep a written journal of everything you do. Your notes can be used in court, so be mindful of what you write or e-mail, even to a fellow investigator. Often these journals start out as handwritten notes, but you can transcribe them to electronic format periodically.

Basic report writing involves answering the six Ws: who, what, when, where, why, and how. In addition to these basic facts, you must also explain computer and network processes. Typically, your reader is a senior personnel manager, a lawyer, or occasionally a judge who might have little computer knowledge. Identify your reader and write the report for that person. Provide explanations for processes and how systems and their components work. Your organization might have templates to use when writing reports.

Depending on your organization's needs and requirements, your report must describe the findings from your analysis. The report generated by ProDiscover lists your examination and data recovery findings. Other computer forensics tools generate a log file of all actions taken during your examination and analysis. Integrating a computer forensics log report from these other tools can enhance your final report. When describing the findings, consider writing your narrative first and then placing the log output at the end of the report, with references to it in the main narrative. Chapter 14 covers writing final reports for investigations in more detail.
In the Domain Name case, you want to show conclusive evidence that George had his own business registering domain names and list the names of his clients and his income from this business. You also want to show letters he wrote to clients about their accounts. The time and date stamps on the files are during work hours, so you should include this information, too. Eventually, you hand the evidence file to your supervisor or to Steve, George's manager, who then decides on a course of action.

Critiquing the Case

After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and critique the case in an effort to improve your work. Ask yourself assessment questions such as the following:

• How could you improve your performance in the case?
• Did you expect the results you found? Did the case develop in ways you did not expect?
• Was the documentation as thorough as it could have been?
• What feedback has been received from the requesting source?
• Did you discover any new problems? If so, what are they?
• Did you use new techniques during the case or during research?

Make notes to yourself in your journal about techniques or processes that might need to be changed or addressed in future investigations. Then store your journal in a secure place.

Chapter Summary

■ Always use a systematic approach to your investigations. Follow the checklist in this chapter as a guideline for your case.
■ When planning a case, take into account the nature of the case, instructions from the requester, what additional tools and expertise you might need, and how you will acquire the evidence.
■ Criminal cases and corporate-policy violations should be handled in much the same manner to ensure that quality evidence is presented. Both criminal cases and corporate-policy violations can go to court.
■ When you begin a case, there might be unanticipated challenges that weren't obvious when applying a systematic approach to your investigation plan. For all investigations, you need to plan for contingencies for any unexpected problems you might encounter.
■ You should create a standard evidence custody form to track the chain of custody of evidence for your case. There are two types of forms: a multi-evidence form and a single-evidence form.
■ Internet and media leak investigations require examining server log data.
■ For attorney-client privilege cases, all written communication should have a header label stating that it's privileged communication and a confidential work product.
■ A bit-stream copy is a bit-by-bit duplicate of the original disk. You should use the duplicate, whenever possible, when analyzing evidence.
■ Always maintain a journal to keep notes on exactly what you did when handling evidence.
■ You should always critique your own work to determine what improvements you made during each case, what could have been done differently, and how to apply those lessons to future cases.

Key Terms

approved secure container: A fireproof container locked by a key or combination.
attorney-client privilege (ACP): Communication between an attorney and client about legal matters is protected as confidential communication. The purpose of having confidential communications is to promote honest and open dialogue between an attorney and client. This confidential information must not be shared with unauthorized people.
bit-stream copy: A bit-by-bit duplicate of data on the original storage medium. This process is usually called "acquiring an image" or "making an image."
bit-stream image: The file where the bit-stream copy is stored; usually referred to as an "image," "image save," or "image file."
chain of custody: The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.
evidence bags: Nonstatic bags used to transport removable media, hard drives, and other computer components.
evidence custody form: A printed form indicating who has signed out and been in physical possession of evidence.
forensic copy: Another name for a bit-stream image.
forensic workstation: A workstation set up to allow copying forensic evidence, whether on a hard drive, USB drive, CD, or Zip disk. It usually has software preloaded and ready to use.
interrogation: The process of trying to get a suspect to confess to a specific incident or crime.
interview: A conversation conducted to collect information from a witness or suspect about specific facts related to an investigation.
multi-evidence form: An evidence custody form used to list all items associated with a case. See also evidence custody form.
password-cracking software: Software used to match the hash patterns of passwords or to simply guess passwords by using common combinations or standard algorithms.
password protected: The method of requiring a password to limit access to certain files and areas of storage media; this method prevents unintentional or unauthorized use.
repeatable findings: Being able to obtain the same results every time from a computer forensics examination.
single-evidence form: A form that dedicates a page for each item retrieved for a case. It allows investigators to add more detail about exactly what was done to the evidence each time it was taken from the storage locker. See also evidence custody form.

Review Questions

1. What are some initial assessments you should make for a computing investigation?
2. What are some ways to determine the resources needed for an investigation?
3. List three items that should be on an evidence custody form.
4. Why should you do a standard risk assessment to prepare for an investigation?
5. You should always prove the allegations made by the person who hired you. True or False?
6. For digital evidence, an evidence bag is typically made of antistatic material. True or False?
7. Who should have access to a secure container?
a. Only the primary investigator
b. Only the investigators in the group
c. Everyone on the floor
d. Only senior-level management
8. For employee termination cases, what types of investigations do you typically encounter?
9. Why should your evidence media be write-protected?
10. List three items that should be in your case report.
11. Why should you critique your case after it's finished?
12. What do you call a list of people who have had physical possession of the evidence?
13. What two tasks is an acquisitions officer responsible for at a crime scene?
14. What are some reasons that an employee might leak information to the press?
15. When might an interview turn into an interrogation?
16. What is the most important point to remember when assigned to work on an attorney-client privilege case?
17. What are the basic guidelines when working on an attorney-client privilege case?
18. Data collected before an attorney issues a memorandum for an attorney-client privilege case is protected under the confidential work product rule. True or False?

Hands-On Projects

In the following Hands-On Projects, continue to work at the workstation you set up in this chapter. Extract the compressed files from the Chap02\Projects folder on the book's DVD to your Work\Chap02\Projects folder. (If necessary, create this folder on your system to store your files.) If needed, refer to the directions in this chapter and the ProDiscover user manual, which is in C:\Program Files\Technology Pathways\ProDiscover by default.

Hands-On Project 2-1

The case in this project involves a suspicious death. Joshua Zarkan found his girlfriend's dead body in her apartment and reported it. The first responding law enforcement officer seized a USB drive.
A crime scene evidence technician skilled in data acquisition made an image of the USB drive with ProDiscover and named it C2Prj01.eve. Following the acquisition, the technician transported and secured the USB drive and placed it in a secure evidence locker at the police station. You have received the image file from the detective assigned to this case. He directs you to examine it and identify any evidentiary artifacts that might relate to this case. To process this case, follow these steps to evaluate what's on the image of the USB drive:

1. Start ProDiscover Basic. (If you're using Windows Vista, right-click the ProDiscover desktop icon and click Run as administrator.)
2. In the Launch Dialog dialog box, click the New Project tab, if necessary. Enter a project number. If your company doesn't have a standard numbering scheme, you can use the date followed by the number representing the case that day in sequence, such as 20090129_1.
3. Enter C2Prj01 as the project name, enter a brief description of the case, and then click Open.
4. To add an image file, click Action from the menu, point to Add, and click Image File.
5. Navigate to your work folder, click C2Prj01.eve, and then click Open. If the Auto Image Checksum message box opens, click Yes.
6. In the tree view, click to expand Content View. Click to expand Images, and then click the pathname containing the image file. In the work area, notice the files that are listed.
7. Right-click any file and click View to start the associated program, such as Word or Excel. View the file, and then exit the program.
8. If you decide to export a file, right-click the file and click Copy File. (Note: Creating a separate folder for exports is a good idea to keep your files organized.) In the Save As dialog box that opens, navigate to the location where you want to save the file, and then click Save.
9. To save the project to view later, click File, Save Project from the menu. The default project name is the one you entered in Step 3. Select the drive and folder (Work\Chap02\Projects, for example), and then click Save.

After you have finished examining the files, exit ProDiscover Basic and save the project again, if prompted. You need to export any files in this image and present them to the investigator. In addition, write a brief report (no more than two paragraphs) including any facts from the contents of the recovered data. In ProDiscover Basic, you must exit the program before beginning a new case.

Hands-On Project 2-2

In this project, you work in a large corporation's IT security department. Your duties include conducting internal computing investigations and forensics examinations on company computing systems. A paralegal from the Law Department, Ms. Jones, asks you to examine a USB drive belonging to an employee who left the company and now works for a competitor. The Law Department is concerned that the former employee might possess sensitive company data. Ms. Jones wants to know whether the USB drive contains anything significant. In addition, she informs you that the former employee might have had access to confidential documents because a co-worker saw him accessing his manager's computer on his last day of work. These confidential documents consist of 24 files with the text "book." She wants you to locate any occurrences of these files on the USB drive's bit-stream image. To process this case, make sure you have extracted the C2Prj02.eve file to your work folder, and then follow these steps:

1. Start ProDiscover Basic. In the New Project tab, enter a project number, the project name C2Prj02, and a project description, and then click Open. It's a good idea to get in the habit of saving the project immediately, so click File, Save Project from the menu, and save the file in your work folder (Work\Chap02\Projects).
2. Click Action from the menu, point to Add, and click Image File. Navigate to and click C2Prj02.eve in your work folder, and then click Open. If the Auto Image Checksum message box opens, click Yes.
3. In the tree view, click to expand Content View. Click to expand Images, and then click the pathname containing the image file. In the work area, examine the files that are listed.
4. To search for the keyword "book," click the Search toolbar button (the binoculars) to open the Search dialog box.
5. Click the Content Search tab. If necessary, click the ASCII option button and the Search for the pattern(s) option button. Type book in the list box for search keywords. Under Select the Disk(s)/Image(s) you want to search in, click the drive you're searching (see Figure 2-16), and then click OK.

Figure 2-16 Entering search settings

6. In the tree view, click to expand Search Results, if necessary, and then click Content Search Results to specify the type of search. Figure 2-17 shows the search results pane.
7. Next, open the Search dialog box again, click the Cluster Search tab, and run the same search. Note that it takes longer because each cluster on the drive is searched, including clusters that no allocated file owns.
8. In the tree view, click Cluster Search Results, and view the search results pane. Remember to save your project and exit ProDiscover Basic before starting the next case.

Figure 2-17 Viewing the search results

When you're finished, write a memo to Ms. Jones with the following information: the filenames in which you found a hit for the keyword and, if the hit occurred in unallocated space, the cluster number.

Hands-On Project 2-3

Ms. Jones notifies you that the former employee has used an additional drive. She asks you to examine this new drive to determine whether it contains an account number the employee might have had access to. The account number, 461562, belongs to the senior vice president and is used to access the company's banking service over the Internet.

1. Start ProDiscover Basic. In the New Project tab, enter a project number, the project name C2Prj03, and a brief description, and then click Open. Save the project in your work folder by clicking File, Save Project from the menu.
2. To add the evidence, click Action from the menu, point to Add, and click Image File. Navigate to your work folder, click the C2Prj03.dd file, and then click Open. Click Yes in the Auto Image Checksum message box, if necessary. Notice that the image file is a .dd file, not an .eve file. Like most forensics tools, ProDiscover can read standard UNIX dd (raw) image files.
3. To aid in your investigation, you might want to view graphics files on the drive. To do this, click to expand Content View in the tree view, click to expand Images, and then click the pathname containing the image file.
4. Click View, Gallery View from the menu. Scroll through the graphics files on the drive image. You'll need to search through all folders, which can take some time. If a file is of interest, click the check box next to it in the Select column. In the Add Comment dialog box that opens, enter a description and click OK. These notes are added to the ProDiscover report.
5. This drive is related to the case in Hands-On Project 2-2, so you're still looking for occurrences of the word "book." Open the Search dialog box, and repeat Steps 5 through 8 of Hands-On Project 2-2 for this drive image. When you view the search results, click to select any files of interest (as described in Step 4), which opens the Add Comment dialog box where you can enter notes.
6. Next, search for the account number Ms. Jones gave you. Click the Search toolbar button. Click the Content Search tab, if necessary, and type 461562 as the search keyword. Click to select the drive you're searching, and then click OK. Click the Cluster Search tab, and repeat the search for the account number. Remember to select any files of interest and enter notes in the Add Comment dialog box. Remember that text can be found in graphics files as well as in documents.
7. When you're finished, click Report in the tree view. Scroll through the report to make sure all the items you found are listed.
8. Next, click the Export toolbar button. In the Export dialog box, click the RTF Format option button, type Ch2Prj03Report in the File Name text box, and then click OK. (If you want to store the report in a different folder, click Browse and navigate to the new location.)
9. Write a short memo to summarize what you found. Save the project and exit ProDiscover Basic.

Hands-On Project 2-4

Sometimes discovery demands from law firms require you to recover only allocated data from a disk. This project shows you how to extract just the files that haven't been deleted from an image.

1. Start ProDiscover Basic. In the New Project tab, enter a project number, brief description, and the project name C2Prj04, and then click Open.
2. In the tree view, click to expand Add, and then click Image File. Navigate to your work folder, click the C2Prj04.eve file, and then click Open. Click Yes in the Auto Image Checksum message box, if necessary. Save the project in your work folder.
3. In the tree view, click to expand Content View, click to expand Images, and then click the pathname containing the image file. Notice the files visible in the work area.
4. Click the column header Deleted to sort the files into YES and NO groups (see Figure 2-18).

Figure 2-18 Deleted files displayed in the work area

5. To extract the allocated files from the image to your work folder, right-click each file containing NO in the Deleted column and click Copy File. (Note that in ProDiscover Basic, there's no way to select multiple files at once. You must copy each allocated file separately.) When you're finished, save the project and exit ProDiscover Basic.
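The behavior these projects rely on, namely that a deleted file's space becomes free space and its data survives until overwritten (as described under "Analyzing Your Digital Evidence"), the difference between a Content Search of allocated files and a Cluster Search of every cluster in Hands-On Project 2-2, and the allocated-only extraction in Hands-On Project 2-4, can all be watched on a toy volume. The following is an added example, not ProDiscover's code and not a FAT or NTFS implementation; it assumes a 64-byte cluster, a flat directory whose entries carry a Deleted flag and keep their cluster list after deletion, and the constructed files written by build_sample(): a memo is written, deleted, and then partly overwritten by a new file.

```python
"""Toy volume: clusters, a directory with a Deleted flag, file slack and
unallocated space. Added example for this chapter; not ProDiscover's code and
not a real file system. It models only what the text describes: deleting a
file flags its entry, its clusters become free space, and the old bytes stay
there until a new file reuses the cluster.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLUSTER = 64   # assumed toy cluster size; real volumes use 512 bytes to 64 KB


@dataclass
class Entry:
    name: str
    size: int
    clusters: List[int]
    deleted: bool = False


@dataclass
class ToyVolume:
    n_clusters: int
    image: bytearray = field(init=False)
    entries: List[Entry] = field(default_factory=list)

    def __post_init__(self):
        self.image = bytearray(self.n_clusters * CLUSTER)

    def free_clusters(self) -> List[int]:
        used = {c for e in self.entries if not e.deleted for c in e.clusters}
        return [c for c in range(self.n_clusters) if c not in used]

    def cluster(self, c: int) -> bytes:
        return bytes(self.image[c * CLUSTER:(c + 1) * CLUSTER])

    def write(self, name: str, data: bytes) -> Entry:
        need = -(-len(data) // CLUSTER)
        free = self.free_clusters()
        if len(free) < need:
            raise OSError("volume full")
        for i, c in enumerate(free[:need]):
            piece = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes actually written change; the rest of the last
            # cluster (file slack) still holds whatever was there before.
            self.image[c * CLUSTER:c * CLUSTER + len(piece)] = piece
        entry = Entry(name, len(data), free[:need])
        self.entries.append(entry)
        return entry

    def delete(self, name: str) -> None:
        entry = next((e for e in self.entries if e.name == name and not e.deleted), None)
        if entry is None:
            raise FileNotFoundError(name)
        entry.deleted = True            # the data and the cluster list stay behind

    def read(self, entry: Entry) -> bytes:
        return b"".join(self.cluster(c) for c in entry.clusters)[:entry.size]

    def owner(self, c: int) -> Optional[str]:
        return next((e.name for e in self.entries if not e.deleted and c in e.clusters), None)


def deleted_column(vol: ToyVolume):
    """The work area sorted by its Deleted column: allocated (NO) files first."""
    return sorted(((e.name, "YES" if e.deleted else "NO") for e in vol.entries),
                  key=lambda t: (t[1] == "YES", t[0]))


def extract_allocated(vol: ToyVolume) -> Dict[str, bytes]:
    """Hands-On Project 2-4: copy out only the files that were not deleted."""
    return {e.name: vol.read(e) for e in vol.entries if not e.deleted}


def content_search(vol: ToyVolume, needle: bytes) -> List[str]:
    """Search allocated file contents only (the Content Search tab)."""
    return sorted(e.name for e in vol.entries if not e.deleted and needle in vol.read(e))


def cluster_search(vol: ToyVolume, needle: bytes):
    """Search every cluster (the Cluster Search tab); file is None in unallocated space."""
    hits = []
    for c in range(vol.n_clusters):
        data, start = vol.cluster(c), 0
        while (off := data.find(needle, start)) != -1:
            hits.append({"cluster": c, "offset": off, "file": vol.owner(c)})
            start = off + 1
    return hits


def recover_deleted(vol: ToyVolume, name: str) -> bytes:
    """Follow a deleted entry's cluster list; clusters reused since are overwritten."""
    entry = next((e for e in vol.entries if e.name == name and e.deleted), None)
    if entry is None:
        raise FileNotFoundError(name)
    return vol.read(entry)


def build_sample() -> ToyVolume:
    """Constructed evidence: a memo is deleted, then partly overwritten."""
    vol = ToyVolume(n_clusters=4)
    vol.write("memo.txt", b"A" * CLUSTER + b"Copy the book of accounts to USB before Friday.")
    vol.write("budget.txt", b"Q3 bookkeeping budget: 12750")
    vol.delete("memo.txt")                            # clusters 0 and 1 become free space
    vol.write("new.txt", b"Hello from the new file.")   # reuses cluster 0 only
    return vol


if __name__ == "__main__":
    vol = build_sample()
    print(deleted_column(vol))
    print(content_search(vol, b"book"))    # ['budget.txt']
    print(cluster_search(vol, b"book"))    # cluster 1 (unallocated) and cluster 2 (budget.txt)
    print(recover_deleted(vol, "memo.txt"))
```

The content search reports only budget.txt, while the cluster search also finds the second half of the deleted memo in cluster 1, which has no owner and would be cited by cluster number in the memo to Ms. Jones. Recovering memo.txt through its old cluster list returns the new file's bytes where cluster 0 was reused, followed by the untouched remainder, which is exactly the partially overwritten state the chapter warns about.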
Hands-On Project 2-5 This project is a continuation from the previous project; you’ll create a report listing all the unallocated (deleted) files ProDiscover finds. 1. Start ProDiscover Basic. Click the Open Project tab, and navigate to your work folder. 2. Click the C2Prj04.dft file and click Open. Click Yes in the Auto Image Checksum message box, if necessary. 3. If necessary, sort the files in the work area again by clicking the Deleted column header. Click the check box in the Select column next to all unallocated (deleted) files, as shown in Figure 2-19. As you click each check box, the Add Comment dialog box opens, where you can enter a description of each file. 4. In the Investigator comments text box, add a comment noting that the file is deleted and indicating its file type, such as a Word document or an image file (.jpeg or .gif, for instance). Be sure to enter something meaningful by examining the file first. 5. When you’re finished, click Report in the tree view. If you’re satisfied, export the report by clicking the Export toolbar button. In the Export 2 68 Chapter 2 Figure 2-19 Selecting a file to include in a report dialog box, select the format option you want, type C2Prj05Report in the File Name text box, and then click OK. Save the project and exit ProDiscover Basic. Hands-On Project 2-6 In this project, another investigator asks you to examine an image and search for all occurrences of the following keywords: • ANTONIO • HUGH EVANS • HORATIO 1. Start ProDiscover Basic. In the New Project tab, enter a project number, brief description, and the project name, and then click Open. 2. In the tree view, click to expand Add, and click Image File. Navigate to your work folder, click the C2Prj06.eve file, and click Open. Click Yes in the Auto Image Checksum message box, if necessary. Save the project in your work folder. Case Projects 69 3. Click the Search toolbar button. 
In the Search dialog box, type all keywords in the list box (placing each on a separate line), click to select the drive containing the image, and click OK.
4. Examine the files in the search results pane. Select the ones that look interesting and enter notes in the Add Comment dialog box.
5. Generate a report and export it, as explained in previous projects. Save the project and exit ProDiscover Basic.

Case Projects

Case Project 2-1

An insurance company has asked your computer forensics firm to review a case for an arson investigation. The suspected arsonist has already been arrested, but the insurance company wants to determine whether there’s any contributory negligence on the part of the victims. Two files were extracted to your work folder for this project. The first, CasePrj0201a.doc, is a memo about the case from the police department. The second, CasePrj0201b.doc, is a letter from the insurance company explaining what should be investigated. Review these files, and decide the course of action your firm needs to take. Write an outline for how your firm should approach the case.

Case Project 2-2

Jonathan Simpson owns a construction company. One day a subcontractor calls him, saying that he needs a replacement check for the job he completed at 1437 West Maple Avenue. Jonathan looks up the job on his accounting program and agrees to reissue the check for $12,750. The subcontractor says that the original check was for only $10,750. Jonathan looks around the office but can’t find the company checkbook or ledger. Only one other person has access to the accounting program. Jonathan calls you to investigate. How would you proceed? Write a one-page report detailing the steps Jonathan needs to take to gather the necessary evidence and protect his company.

Case Project 2-3

You are the computer forensics investigator for a law firm. The firm acquired a new client, a young woman who was fired from her job for inappropriate files discovered on her computer.
She swears she never accessed the files. What questions should you ask and how should you proceed? Write a one- to two-page report describing the computer the client used, who else had access to it, and any other relevant facts that should be investigated.

Case Project 2-4

A desperate employee calls because she has accidentally deleted crucial files from her hard drive and can’t retrieve them from the Recycle Bin. What are your options? Write one to two pages explaining your capabilities and listing the questions you need to ask her about her system.

Chapter 3 The Investigator’s Office and Laboratory

After reading this chapter and completing the exercises, you will be able to:

• Describe certification requirements for computer forensics labs
• List physical requirements for a computer forensics lab
• Explain the criteria for selecting a basic forensic workstation
• Describe components used to build a business case for developing a forensics lab

This chapter details some options for setting up an effective computer forensics laboratory. Each computer forensics investigator in a lab should also have a private office where he or she can manage cases, conduct interviews, and communicate without eavesdropping concerns. Whether you are new to computer forensics or are an experienced examiner, your goal is to make your office and lab work smoothly and efficiently for all casework. Computer forensics investigators must remember to consider budget and time when updating their labs to keep pace with computer technology changes. The workflow and processes you establish directly affect the quality of evidence you discover. You must balance cost, quality, and reliability when determining the kind of equipment, software, and other items you need to add to your lab. This chapter provides a foundation for organizing, controlling, and managing a safe, efficient computer forensics laboratory.
Understanding Forensics Lab Certification Requirements

A computer forensics lab is where you conduct investigations, store evidence, and do most of your work. You use the lab to house your instruments, current and legacy software, and forensic workstations. In general, you need a variety of computer forensics hardware and software to do your work. You also need to make sure you have defined policies, processes, and prescribed procedures before beginning any casework to ensure the integrity of an analysis and its results. A number of organizations have created guidelines for devising your own processes and procedures. What’s most important is that you follow the policies and procedures you have created to ensure consistency in your output. Be sure to research certifying bodies thoroughly before pursuing any certifications. Many certifications are offered by software vendors; others are specific to law enforcement or were started by local groups.

The American Society of Crime Laboratory Directors (ASCLD; www.ascld.org) provides guidelines to members for managing a forensics lab and acquiring crime and forensics lab certification. ASCLD also certifies computer forensics labs that analyze digital evidence as they do other criminal evidence, such as fingerprints and DNA samples. This certification is based on the original crime lab certification, ASCLD/LAB (www.ascld-lab.org), which regulates how crime labs are organized and managed. The ASCLD/LAB program includes specific audits on all functions to ensure that lab procedures are being performed correctly and consistently for all casework. These audits should be performed in computer forensics labs to maintain the quality and integrity of analysis. The following sections discuss several key guidelines from the ASCLD/LAB program that you can apply to managing, configuring, and auditing your computer forensics lab.
Identifying Duties of the Lab Manager and Staff

The ASCLD states that each lab should have a specific set of objectives that a parent organization and the lab’s director or manager determine. The lab manager sets up processes for managing cases and reviews them regularly. Besides performing general management tasks, such as promoting group consensus in decision making, maintaining fiscal responsibility for lab needs, and enforcing ethical standards (covered in Chapters 15 and 16) among staff members, the lab manager plans updates for the lab, such as new hardware and software purchases. The lab manager also establishes and promotes quality assurance processes for the lab’s staff to follow, such as outlining what to do when a case arrives, logging evidence, specifying who can enter the lab, and establishing guidelines for filing reports.

To ensure the lab’s efficiency, the lab manager also sets reasonable production schedules for processing work. A typical case for an internal corporate investigation involves seizing a hard disk, making forensic copies of it, evaluating evidence, and filing a report. A forensics analysis of a 200 GB disk, for example, can take several days and often involves running imaging software overnight and on weekends. This means one of the forensic workstations in the lab is occupied for that time, which can be 20 hours or more. Based on past experience, the lab manager can estimate how many cases each investigator can handle and when to expect a preliminary and final report for each case. The lab manager creates and monitors lab policies for staff and provides a safe and secure workplace for staff and evidence. Above all, the lab manager accounts for all activities the lab’s staff conducts to complete its work. Tracking cases such as e-mail abuse, Internet misuse, and illicit activities can justify the funds spent on a lab.
Staff members in a computer forensics lab should have sufficient training to perform their tasks. Necessary skills include hardware and software knowledge, including OS and file types, and deductive reasoning. Their work is reviewed regularly by the lab manager and their peers to ensure quality. Staff members are also responsible for continuing technical training to update their investigative and computer skills and maintaining a record of the training they have completed. Many vendors and organizations hold annual or quarterly training seminars that offer certification exams.

The ASCLD Web site summarizes the requirements of managing a computer forensics lab, handling and preserving evidence, performing laboratory procedures, setting personnel requirements, and encouraging professional development. The site also provides a user license for printed and online manuals of lab management guidelines. ASCLD stresses that each lab should maintain an up-to-date library of resources in its field. For computer forensics, these resources include software, hardware information, and technical journals.

Lab Budget Planning

To conduct a professional computing investigation, you need to understand the cost of your lab operation. Lab costs can be broken down into daily, quarterly, and annual expenses. The better you understand these expenses, the better you can delegate resources for each investigation. Using a spreadsheet program helps you keep track of past investigation expenses so that you can extrapolate expected future costs. Remember, expenses include computer hardware and software, facility space, and trained personnel.

When creating a budget, start by estimating the number of computer cases your lab expects to examine and identifying the types of computers you’re likely to examine, such as Windows PCs or Linux workstations. For example, suppose you work for a state police agency that’s planning to provide computing investigation services for the entire state.
You could start by collecting state crime statistics for the current year and several previous years to determine how many computers were used to commit a crime and the types of computers used in these crimes. Criminal behavior often reflects sales trends for certain computing systems. Because more than 90% of consumers use Intel and AMD PCs, and 90% of these computers run Microsoft Windows, the same statistics are likely true of computers used in crimes. Verify this trend by determining how often each type of system is used in a crime. List the number of crimes committed using DOS/Windows, Linux/UNIX, and Macintosh computers. If you can’t find detailed information on the types of computers and OSs used in computer crimes, gather enough information to make an educated guess. Your goal is to build a baseline for the types and numbers of systems you can expect to investigate.

In addition to the historical data you compile, identify any future trends that could affect your lab, such as a new version of an OS or an increase in the number of computers involved in crime. Next, estimate how many investigations you might conduct involving computer systems used less frequently to help determine how many tools you need to examine these systems. For example, if you learn that on average, one Macintosh computer running OS 9 or earlier is involved in a criminal investigation each month, you probably need only one or two software tools to conduct a forensic analysis on Macintosh file systems.

Figure 3-1 shows a table of statistics from a Uniform Crime Report that identifies the number of hard disk types, such as IDE or SCSI, and the OS used to commit crimes. Annual Uniform Crime Reports are generated at the federal, state, and local levels to show the types and frequency of crimes committed. For federal reports, see www.fbi.gov/ucr/ucr.htm, and for a summary of crimes committed at various levels, see www.ojp.usdoj.gov/bjs/dtd.htm.
You can also identify specialized software used with certain crimes. For example, if you find a check-writing software tool used in a large number of counterfeiting cases, you should consider adding this specialized software to your inventory.

If you’re preparing to set up a computer forensics lab for a private company, you can determine your needs more easily because you’re working in a contained environment. Start by obtaining an inventory of all known computing systems and applications used in the business. For example, an insurance company often has a network of Intel PCs and servers and specialized insurance software using a database for data storage. A large manufacturing company might use Intel PCs, UNIX workstations running a computer-aided design (CAD) system, super minicomputers, and mainframes. A publishing company might have a combination of Intel PCs and Apple Macintosh systems and a variety of word processing, imaging, and composition packages.

Next, check with your Management, Human Resource, and Security departments to determine the types of complaints and problems reported in the past year. Most companies using Internet connections, for example, receive complaints about employees accessing the Web excessively or for personal use, which generate investigations of Web misuse. Be sure to distinguish investigations of excessive Web use from inappropriate Web site access and e-mail harassment.

Figure 3-1 Uniform Crime Report statistics

Your budget should also take future developments in computing technology into account because drive storage capabilities improve constantly. When examining a disk, you need a target disk to which you copy evidence data. This disk should be at least one and a half times the size of the evidence (suspect) disk. For example, a lab equipped with 100 GB disks can effectively analyze disks up to 66 GB.
If your company upgrades its computers to 200 GB disks, however, you need disks that are 300 GB or larger or a central secure server with at least 1 TB of storage. (Several forensic servers on the market are in the 20 TB and higher range.) Many businesses replace their desktop computer systems every 18 months to three years. You must be informed of computer upgrades and other changes in the computing environment so that you can prepare and submit your budget for needed resources.

Like computer hardware, OSs change periodically. If your current computer forensics tool doesn’t work with the next release of a Microsoft OS or file system, you must upgrade your software tools. You should also monitor vendor product developments to learn about upgrades. File systems change, too. Forensics tools had their birth in DOS, and over the years, Windows hard disks evolved into a variety of file systems, including FAT16, FAT32, New Technology File System (NTFS), and Windows File System. Most DOS-based tools can’t read NTFS disks. Now investigators must also address Vista, which has caused problems even with Windows forensics tools. In addition, the popularity and prevalence of the Xbox requires that investigators be familiar with the FATX file system.

Time management is a major issue when choosing software and hardware to purchase. For example, you’ve decided to purchase eight machines for your lab. Many commercial forensics software packages require a USB dongle to operate or have a site license of five concurrent users. You or the budget manager must decide whether you’re using all the machines or need only two licensed copies of each software package. As another example, you can have a command-line tool running overnight for drive imaging; while it’s running, investigators can use a commercial or freeware package to evaluate a drive. Your choices depend on what tools you have verified and what’s needed for your casework.
Another option is to use Helix (a Linux Live CD, discussed in Chapter 4) to view file systems, as it doesn’t mount the hard drive automatically and, therefore, doesn’t write to the drive. (A hardware write-blocker is still recommended to prevent errors caused by the forensics technician, if nothing else.)

Examining PDAs, USB drives, and cell phones is routine now in cases from criminal investigations to civil litigation discovery demands. Computer investigators must be prepared to deal with constant change in these devices and know what tools are available to safely extract data from them for an investigation. In Chapter 13, you learn how to acquire data from these devices.

Acquiring Certification and Training

To continue a career in computing investigations and forensic analysis, you need to upgrade your skills through training. Several organizations have developed or are currently developing certification programs for computer forensics that usually test you after you have completed one or more training sessions successfully. Certifying organizations range from nonprofit associations to vendor-sponsored groups. All these programs charge fees for certification, and some require candidates to take vendor- or organization-sponsored training to qualify for the certification. More recently, some state and federal government agencies have been looking into establishing their own certification programs that address the minimum skills for conducting computing investigations at various levels. Before enlisting in a certification program, thoroughly research the requirements, cost, and acceptability in your chosen area of employment. Most certification programs require continuing education credits or reexamination of candidates’ skills, which can become costly.
International Association of Computer Investigative Specialists (IACIS)

Created by police officers who wanted to formalize credentials in computing investigations, IACIS is one of the oldest professional computer forensics organizations. It restricts membership to sworn law enforcement personnel or government employees working as computer forensics examiners. This restriction might change, so visit the IACIS Web site (www.iacis.com) to verify the requirements.

IACIS conducts an annual two-week training course for qualified members. Students must interpret and trace e-mail, acquire evidence properly, identify OSs, recover data, and understand encryption theory and other topics. Students must pass a written exam before continuing to the next level. Passing the exam earns the status of Certified Electronic Evidence Collection Specialist (CEECS).

The next level of training is completed through a correspondence course lasting up to one year. The IACIS certification process for this level consists of examining a variety of media and completing a written test. Some media must be examined by using a command-line tool. The testing agency plants files on these media that you must find, including easy-to-find items, data in unallocated space, RAM slack, file slack, and deleted files. Cell phones, PDAs, and other digital devices are being added as the field broadens. Other topics include data hiding, determining file types of disguised files, and accessing password-protected files. You might also be asked to draw conclusions on a case based on evidence found on the media. Proficiency in technical tools and deductive reasoning is necessary. A detailed report demonstrating accepted procedures and evidence control must be submitted with each disk before proceeding to the next. The most basic test is the CEECS exam.
Other candidates who complete all parts of the IACIS test successfully are designated as a Certified Forensic Computer Examiner (CFCE). The CFCE process changes as technology changes. The description here is current as of this writing. IACIS requires recertification every three years to demonstrate continuing work in the field of computer forensics. Recertification is less intense than the original certification but does test examiners to make sure they’re continuing their education and are still active in the field of computer forensics. For the latest information about IACIS and applying for CFCE certification or membership in IACIS, visit the IACIS Web site.

High-Tech Crime Network (HTCN)

The High-Tech Crime Network (HTCN) also offers several levels of certification. Unlike IACIS, however, HTCN requires a review of all related training, including training in one of its approved courses, a written test for the specific certification, and a review of the candidate’s work history. HTCN certification is open to anyone meeting the criteria in the profession of computing investigations. At the time of this writing, the HTCN Web site (www.htcn.org) specifies requirements for the certification levels discussed in the following paragraphs. Requirements are updated without notice, so make sure you check the site periodically.

Certified Computer Crime Investigator, Basic Level

• Candidates must have three years of experience directly related to investigating computer-related incidents or crimes.
• Candidates have successfully completed 40 hours of training from an approved agency, organization, or training company.
• Candidates must provide documentation of at least 10 cases in which they participated.

Certified Computer Crime Investigator, Advanced Level

• Candidates must have five years of experience directly related to investigating computer-related incidents or crimes.
• Candidates have successfully completed 80 hours of training from an approved agency, organization, or company.
• Candidates have served as lead investigator in at least 20 cases during the past three years and were involved in at least 40 other cases as a lead investigator or supervisor or in a supportive capacity. Candidates have at least 60 hours of involvement in cases in the past three years.

Certified Computer Forensic Technician, Basic

• Candidates must have three years of experience in computing investigations for law enforcement or corporate cases.
• Candidates must have completed 40 hours of computer forensics training from an approved organization.
• Candidates must provide documentation of at least 10 computing investigations.

Certified Computer Forensic Technician, Advanced

• Candidates must have five years of hands-on experience in computer forensics investigations for law enforcement or corporate cases.
• Candidates must have completed 80 hours of computer forensics training from an approved organization.
• Candidates must have been the lead computer forensics investigator in 20 or more investigations in the past three years and in 40 or more additional computing investigations as lead computer forensics technician, supervisor, or contributor. The candidate must have completed at least 60 investigations in the past three years.

EnCase Certified Examiner (EnCE) Certification

Guidance Software, the creator of EnCase, sponsors the EnCE certification program. EnCE certification is open to the public and private sectors and is specific to use and mastery of EnCase computer forensics analysis. Requirements for taking the EnCE certification exam don’t depend on taking the Guidance Software EnCase training courses. Candidates for this certificate are required to have a licensed copy of EnCase. For more information on EnCE certification requirements, visit www.encase.com or www.guidancesoftware.com.
AccessData Certified Examiner (ACE)

AccessData, the creator of Ultimate Toolkit, sponsors the ACE certification program. ACE certification is open to the public and private sectors and is specific to use and mastery of AccessData Ultimate Toolkit. Requirements for taking the ACE exam include completing the AccessData BootCamp and Windows forensic courses. The exam has a knowledge base assessment (KBA) and a practical skills assessment (PSA), which is optional. For more information on this certification, visit www.accessdata.com/acepreparation.html.

Other Training and Certifications

Other organizations are considering certifications or have related training programs. Nonprofit high-technology organizations for public- and private-sector investigations that offer certification and training include the following:

• High Technology Crime Investigation Association (HTCIA), www.htcia.org
• SysAdmin, Audit, Network, Security (SANS) Institute, www.sans.org
• Computer Technology Investigators Network (CTIN), www.ctin.org
• New Technologies, Inc. (NTI), www.forensics-intl.com
• Southeast Cybercrime Institute at Kennesaw State University, www.certifiedcomputerexaminer.com

Organizations that offer training and certification for law enforcement personnel or qualified civilian government personnel include the following:

• Federal Law Enforcement Training Center (FLETC), www.fletc.gov
• National White Collar Crime Center (NW3C), www.nw3c.org

Determining the Physical Requirements for a Computer Forensics Lab

After you have the training to become a computer forensics investigator, you conduct most of your investigations in a lab. This section discusses the physical requirements for a computer forensics lab. Addressing these requirements can make a lab safer, more secure, and more productive. Your lab facility must be physically secure so that evidence isn’t lost, corrupted, or destroyed.
As with hardware and software costs, you must consider what’s needed to maintain a safe and secure environment when determining physical lab expenses. You must also use inventory control methods to track your computing assets, which means you should maintain a complete and up-to-date inventory of all major hardware and software items in the lab. For consumable items, such as cables and storage media, maintain an inventory so that you know when to order more supplies.

Identifying Lab Security Needs

All computer forensics labs need an enclosed room where a forensic workstation can be set up. You shouldn’t use an open cubicle because it allows easy access to your evidence. You need a room you can lock to control your evidence and attest to its integrity. In particular, your lab should be secure during data analysis, even if it takes several weeks to analyze a disk drive. To preserve the integrity of evidence, your lab should function as an evidence locker or safe, making it a secure facility or a secure storage safe. The following are the minimum requirements for a computer forensics lab of any size:

• Small room with true floor-to-ceiling walls
• Door access with a locking mechanism, which can be a regular key lock or combination lock; the key or combination must be limited to authorized users
• Secure container, such as a safe or heavy-duty file cabinet with a quality padlock that prevents drawers from opening
• Visitor’s log listing all people who have accessed the lab

For daily work production, several examiners can work together in a large open area, as long as they all have the same level of authority and access need. This area should also have floor-to-ceiling walls and a locking door. In many public and private organizations, several investigators share a door to the lab that requires an ID card and entry code. Computing investigators and forensics examiners must be briefed on the lab’s security policy.
Share information about a case investigation only with other examiners and personnel who need to know about the investigation.

Conducting High-Risk Investigations

High-risk investigations, such as those involving national security or murder, demand more security than the minimum lab requirements provide. As technology improves and information circulates among computer attackers, keeping an investigation secure can be more difficult. For example, detecting computer eavesdropping is difficult and expensive, but sophisticated criminals and intelligence services in foreign countries can use equipment that detects network transmissions, wireless devices, phone conversations, and the use of computer equipment. Instructions for building a sniffing device that can collect computer emanations illegally can be found online and, therefore, are available to anyone. These devices can pick up anything you type on your computer.

Most electronic devices emit electromagnetic radiation (EMR). Certain kinds of equipment can intercept EMR, which can be used to determine the data the device is transmitting or displaying. The EMR from a computer monitor can be picked up as far away as a half mile. During the Cold War, defense contractors were required to shield sensitive computing systems and prevent electronic eavesdropping of any computer emissions. The U.S. Department of Defense calls this special computer-emission shielding TEMPEST. (For a brief description of TEMPEST, see the National Industrial Security Program Operating Manual [NISPOM], DoD 5220.22-M, Chapter 11, Section 1, Tempest, http://nsi.org/Library/Govt/Nispom.html. Another site listing reliable sources is www.eskimo.com/~joelm/tempestintro.html.)

To protect your investigations, you might consider constructing a TEMPEST-qualified lab, which requires lining the walls, ceiling, floor, and doors with specially grounded conductive metal sheets.
Typically, copper sheeting is used because it conducts electricity well. TEMPEST facilities must include special filters for electrical power that prevent power cables from transmitting computer emanations. All heating and ventilation ducts must have special baffles to trap emanations. Likewise, telephones inside the TEMPEST facility must have special line filters. A TEMPEST facility usually has two doors separated by dead space. The first exterior door must be shut before opening the interior door. Each door also has special copper molding to enhance electricity conduction.

Because a TEMPEST-qualified lab facility is expensive and requires routine inspection and testing, it should be considered only for large regional computer forensics labs that demand absolute security from illegal eavesdropping. To avoid these costs, some vendors have built low-emanating workstations instead of TEMPEST facilities. These workstations are more expensive than average workstations but less expensive than a TEMPEST lab.

Using Evidence Containers

Evidence storage containers, also known as evidence lockers, must be secure so that no unauthorized person can access your evidence easily. You must use high-quality locks, such as padlocks, with limited duplicate-key distribution. Also, routinely inspect the contents of evidence storage containers to make sure only current evidence is stored. The evidence custody forms should indicate what’s still in the locker. Evidence for closed cases should be moved to a secure off-site facility.

NISPOM Chapter 5, Section 3 (http://nsi.org/Library/Govt/Nispom.html) describes the characteristics of a safe storage container. Consult with your facility management or legal counsel, such as corporate or prosecuting attorneys, to determine what your lab should do to maintain evidence integrity.
The following are recommendations for securing storage containers:

• The evidence container should be located in a restricted area that’s accessible only to lab personnel.
• The number of people authorized to open the evidence container should be kept to a minimum. Maintain records on who’s authorized to access each container.
• All evidence containers should remain locked when they aren’t under the direct supervision of an authorized person.

If a combination locking system is used for your evidence container, follow these practices:

• Provide the same level of security for the combination as for the container’s contents. Store the combination in another equally secure container.
• Destroy any previous combinations after setting up a new combination.
• Allow only authorized personnel to change lock combinations.
• Change the combination every six months, when any authorized personnel leave the organization, and immediately after finding an unsecured container—that is, one that’s open and unattended.

If you’re using a keyed padlock, follow these practices:

• Appoint a key custodian who’s responsible for distributing keys.
• Stamp sequential numbers on each duplicate key.
• Maintain a registry listing which key is assigned to which authorized person.
• Conduct a monthly audit to ensure that no authorized person has lost a key.
• Take an inventory of all keys when the custodian changes.
• Place keys in a lockable container accessible only to the lab manager and designated key custodian.
• Maintain the same level of security for keys as for evidence containers.
• Change locks and keys annually; if a key is missing, replace all associated locks and the key.
• Do not use a master key for several locks.

The storage container or cabinet should be made of steel and include an internal cabinet lock or external padlock. If possible, purchase a safe, which provides superior security and protects your evidence from fire damage.
Look for specialized safes, called media safes, designed to protect electronic media. Media safes are rated by the number of hours it takes before fire damages the contents. The higher the rating, the better the safe protects evidence.

An evidence storage room is also convenient, especially if it’s part of your computer forensics lab. Security for an evidence room must integrate the same construction and securing devices as the general lab does. Large computer forensics operations also need an evidence custodian and a service counter with a securable metal roll-up window to control evidence. With a secure evidence room, you can store large computer components, such as computers, monitors, and other peripheral devices.

Be sure to maintain a log listing every time an evidence container is opened and closed. Each time the container is accessed, the log should indicate the date it was opened and the initials of the authorized person. These records should be maintained for at least three years or longer, as prescribed by your prosecuting or corporate attorneys. Logs are discussed in more detail in Chapter 5.

Overseeing Facility Maintenance

Your lab should be maintained properly at all times to ensure the safety and health of lab personnel. Any damage to the floor, walls, ceilings, or furniture should be repaired immediately. Also, be sure to escort cleaning crews into the facility and monitor them as they work. Because static electricity is a major problem when handling computer parts, consider placing antistatic pads around electronic workbenches and workstations. In addition, floors and carpets should be cleaned at least once a week to help minimize dust that can cause static electricity. Maintain two separate trash containers, one to store items unrelated to an investigation, such as discarded CDs or magnetic tapes, and the other for sensitive material that requires special handling to make sure it’s destroyed.
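The evidence-container log described under Using Evidence Containers (date opened and closed, initials of the authorized person) can be checked automatically when it is kept electronically, which is what the audit of log sheets later in this chapter calls for. The following is an added example, not code from the book: it assumes a comma-separated log format of my own choosing ("container,action,YYYY-MM-DD HH:MM,initials") and a constructed authorization register, and reports the findings an auditor would want to see: entries by people not on the register, closes without a matching open, out-of-order entries, and containers left open at the end of the log, which should have been secured at the end of the workday.

```python
"""Audit an evidence-container access log.

Added example (not from the book). Assumptions: the log is kept as
comma-separated lines "container,action,YYYY-MM-DD HH:MM,initials", and the
authorization register maps each container to the initials allowed to open it.
"""
from datetime import datetime

# Constructed authorization register: container -> initials of authorized staff.
AUTHORIZED = {
    "LOCKER-1": {"JD", "AP"},
    "LOCKER-2": {"AP"},
}

# Constructed sample log. Entries are appended in chronological order.
SAMPLE_LOG = """\
LOCKER-1,OPEN,2009-03-02 09:05,JD
LOCKER-1,CLOSE,2009-03-02 09:40,JD
LOCKER-2,OPEN,2009-03-02 10:15,RM
LOCKER-2,CLOSE,2009-03-02 10:20,RM
LOCKER-1,OPEN,2009-03-02 16:50,AP
"""


def parse_log(text):
    """Turn log lines into dicts; a malformed line raises instead of being silently dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        container, action, stamp, initials = fields
        entries.append({
            "container": container,
            "action": action.upper(),
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
            "initials": initials.upper(),
        })
    return entries


def audit_log(entries, authorized):
    """Return a list of findings; an empty list means the log raised no issues."""
    findings = []
    open_since = {}  # container -> (time, initials) while the container is open
    last_time = None
    for e in entries:
        c, when, who = e["container"], e["time"], e["initials"]
        stamp = when.strftime("%Y-%m-%d %H:%M")
        # Log sheets are filled in as events happen, so timestamps must not go backwards.
        if last_time is not None and when < last_time:
            findings.append(f"{c}: entry at {stamp} is out of chronological order")
        last_time = when
        # Every open or close must be by someone on the register for that container.
        if who not in authorized.get(c, set()):
            findings.append(f"{c}: {e['action']} by {who} at {stamp} is not on the authorization list")
        if e["action"] == "OPEN":
            if c in open_since:
                findings.append(f"{c}: OPEN at {stamp} while already open since "
                                f"{open_since[c][0]:%Y-%m-%d %H:%M}")
            open_since[c] = (when, who)
        elif e["action"] == "CLOSE":
            if c not in open_since:
                findings.append(f"{c}: CLOSE at {stamp} without a matching OPEN")
            else:
                del open_since[c]
        else:
            findings.append(f"{c}: unknown action {e['action']} at {stamp}")
    # Anything still open at the end of the log was not secured at the end of the day.
    for c, (when, who) in open_since.items():
        findings.append(f"{c}: still open (opened {when:%Y-%m-%d %H:%M} by {who}), no CLOSE entry")
    return findings


if __name__ == "__main__":
    for finding in audit_log(parse_log(SAMPLE_LOG), AUTHORIZED):
        print(finding)
```

On the constructed sample the audit reports three findings: two for the unregistered initials RM on LOCKER-2 and one for LOCKER-1, which was opened at 16:50 and never closed. A paper log can be keyed into the same format after the fact for the monthly review.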
Using separate trash containers maintains the integrity of criminal investigation processes and protects trade secrets and attorney-client privileged communications in a private corporation. Several commercially bonded firms specialize in disposing of sensitive materials, and you should hire one to help maintain the integrity of your investigations.

Considering Physical Security Needs

In addition to your lab’s physical design and construction, you need to enhance security by setting security policies. How much physical security you implement depends on the nature of your lab. A regional computer crime lab has high physical security needs because of the risks of losing, corrupting, or damaging evidence. The physical security needs of a large corporation are probably not as high because the risk of evidence loss or compromise is much lower. Determining the risk for your organization dictates how much security you integrate into your computer forensics lab. When considering digital security needs, many companies neglect physical security.

Regardless of the security risk to your lab, maintain a paper or electronic sign-in log for all visitors. The log should list the visitor’s name, date and time of arrival and departure, employer’s name, purpose of the visit, and name of the lab member receiving the visitor. Consider anyone who’s not assigned to the lab to be a visitor, including cleaning crews, facility maintenance personnel, friends, and family. All visitors should be escorted by an assigned authorized staff member throughout their visit to the lab to ensure that they don’t accidentally or intentionally tamper with an investigation or evidence. As an added precaution, use a visible or audible alarm, such as a visitor badge, to let all investigators know that a visitor is in the area. If possible, hire a security guard or have an intrusion alarm system with a guard to ensure your lab’s security.
Alarm systems with guards can also be used after business hours to monitor your lab.

Auditing a Computer Forensics Lab

To make sure security policies and practices are followed, conduct routine inspections to audit your lab and evidence storage containers. Audits should include, but aren’t limited to, the following facility components and practices:

• Inspect the lab’s ceiling, floor, roof, and exterior walls at least once a month, looking for anything unusual or new.
• Inspect doors to make sure they close and lock correctly.
• Check locks to see whether they need to be replaced or changed.
• Review visitor logs to see whether they’re being used properly.
• Review log sheets for evidence containers to determine when they have been opened and closed.
• At the end of every workday, secure any evidence that’s not being processed on a forensic workstation.

Determining Floor Plans for Computer Forensics Labs

How you configure the work area for your computer forensics lab depends on your budget, the amount of available floor space, and the number of computers you assign to each computing investigator. For a small operation handling two or three cases a month, one forensic workstation should be enough to handle the workload. One workstation requires only the space an average desk takes up. If you’re handling many more cases per month, you can probably process two or three investigations at a time, which requires more than one workstation. The ideal configuration for multiple workstations is to have two forensic workstations plus one nonforensic workstation with Internet access. Because you need plenty of room around each workstation, a work area containing three workstations requires approximately 150 square feet of space, meaning the work area should be about 10 feet by 15 feet. This amount of space allows for two chairs so that the computing investigator can brief another investigator, paralegal, or attorney on the case.
Small labs usually consist of one or two forensic workstations, a research computer with Internet access, a workbench (if space allows), and storage cabinets, as shown in Figure 3-2. Mid-size computer forensics labs, such as those in a private business, have more workstations. For safety reasons, the lab should have at least two exits, as shown in Figure 3-3. If possible, cubicles or even separate offices should be part of the layout to reinforce the need-to-know policy. These labs usually have more library space for software and hardware storage.

Figure 3-2 Small or home-based lab

Figure 3-3 Mid-size computer forensics lab

State law enforcement or the FBI usually runs most large or regional computer forensics labs. As shown in Figure 3-4, these labs have a separate evidence room, which is typical in police investigations, except this room is limited to digital evidence. One or more custodians might be assigned to manage and control traffic in and out of the evidence room. As discussed earlier, the evidence room needs to be secure. The lab should have at least two controlled exits and no windows. Separate offices for supervisors and cubicles for investigators are more practical in this configuration. Remember that forensic workstations are connected to an isolated LAN, and only a few machines are connected to an outside WAN or metropolitan area network (MAN).

Figure 3-4 Regional computer forensics lab

Selecting a Basic Forensic Workstation

The computer workstation you use as a forensics analysis system depends on your budget and specific needs. Many well-designed forensic workstations are available that can handle most computing investigation needs. However, when you start processing a case, you use a workstation for the duration of the examination. Use less powerful workstations for mundane tasks and multipurpose workstations for higher-end analysis tasks.
Selecting Workstations for Police Labs

Police departments in major cities probably have the most diverse needs for computing investigation tools because the communities they serve use a wide assortment of computing systems. Not all computer users have the latest technology, so police departments usually need older machines and software, such as a Commodore 64, an Osborne 1, or a Kaypro running CP/M or Minix, to match what’s used in their community. For small, local police departments, however, the majority of work involves Windows PCs and Apple Macintosh systems. A small police department’s computer forensics lab could be limited to one multipurpose forensic workstation with one or two basic workstations.

One way to investigate older and unusual computing systems is to keep track of special-interest groups (SIGs) that still use these systems. SIGs, which you can find through an Internet search, can be a valuable source of support for recovering and analyzing uncommon systems. You can also coordinate with or subcontract to larger computer forensics labs. Like large police departments, a regional computer forensics lab must have diverse systems to serve its community and often receives work from smaller labs involving unusual computers or OSs.

Computing systems in a lab should be able to process typical cases in a timely manner. The time it takes to process a case usually depends on the size and type of industries in the region. For example, suppose your lab is located in a region with a large manufacturing firm that employs 50,000 people. Based on crime reports you’ve consulted, 10% of those employees might be involved in criminal behavior, meaning 5000 employees will commit crimes such as fraud, embezzlement, and so on. These statistics can help you estimate how much time is involved in processing these types of cases.
Until recently, the general rule was at least one law enforcement computer investigator for every 250,000 people in a geographic region. For example, if your community has 1,000,000 people, the regional computer forensics lab should have at least four computer investigators, each with at least one multipurpose forensic workstation and one general-purpose workstation. This rule is quickly changing, however, as the amount of data stored on digital devices increases.

Selecting Workstations for Private and Corporate Labs

For the private sector, such as a business conducting internal investigations or a commercial business providing computer forensics services to private parties, equipment resources are generally easy to determine. Commercial businesses providing computer forensics analysis for other companies can tailor their services to specific markets. They can specialize in one or two platforms, such as an Intel PC running a Microsoft OS. They can also gather a variety of tools to meet a wider market. The type of equipment they need depends on their specialty, if any. For general computer forensics facilities, a multipurpose forensic workstation is sufficient.

Private companies conducting their own internal computing investigations can determine the type of forensic workstation they need based on the types of computers they use. If a company uses only Windows PCs, internal investigators don’t need a wide variety of specialized equipment. If a company uses many kinds of computers, the Internal Computing Investigation Department needs systems and equipment that support the same types of computers. With some computer forensics programs, you can work from a Windows PC and examine both Windows and Macintosh disk drives.

Stocking Hardware Peripherals

In addition to workstations and software, all labs should have a wide assortment of cables and spare expansion slot cards.
Consider stocking your computer forensics lab with the following peripheral devices:

• 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
• Ribbon cables for floppy disks
• Extra SCSI cards, preferably ultra-wide
• Graphics cards, both Peripheral Component Interconnect (PCI) and Accelerated Graphics Port (AGP)
• Extra power cords
• A variety of hard drives (as many as you can afford and in as wide a variety as possible)
• At least two 2.5-inch adapters from notebook IDE hard drives to standard IDE/ATA drives, SATA drives, and so on
• Computer hand tools, such as Phillips and flathead screwdrivers, a socket wrench, and a small flashlight

Maintaining Operating Systems and Software Inventories

Operating systems are an essential part of your lab’s inventory. You should maintain licensed copies of as many legacy OSs as possible to handle cases involving unusual systems. Microsoft OSs should include Windows XP, 2000, NT 4.0, NT 3.5, 9x, 3.11, and DOS 6.22. Macintosh OSs should include Mac OS X, 9.x, and 8 or older. Linux OSs can include Fedora, Caldera Open Linux, Slackware, and Debian. The most recent OSs, such as Windows Vista, should also be included.

Although most high-end computer forensics tools can open or display data files created with popular programs, they don’t support all programs. Your software inventory should include current and older versions of the following programs. If you deal with both Windows PCs and Macintosh systems, you should have programs for both.
• Microsoft Office (including current and older versions)
• Quicken (if you handle a lot of financial investigations)
• Programming languages, such as Visual Basic and Visual C++
• Specialized viewers, such as QuickView, ACDSee, ThumbsPlus, and IrfanView
• Corel Office Suite
• StarOffice/OpenOffice
• Peachtree accounting applications

Using a Disaster Recovery Plan

Besides planning for equipment needs, you need to plan for disasters, such as hard disk crashes, lightning strikes, and power outages. A disaster recovery plan ensures that you can restore your workstations and file servers to their original condition if a catastrophic failure occurs. A disaster recovery plan also specifies how to rebuild a forensic workstation after it has been severely contaminated by a virus from a drive you’re analyzing.

Central to any disaster recovery plan is a system for backing up investigation computers. Tools such as Norton Ghost are useful for restoring files directly. As a general precaution, consider backing up your workstation once a week. You can restore programs from the original disks or CDs, but recovering lost data without up-to-date backups is difficult. Store your system backups where they are easily accessible. You should have at least one copy of backups on site and a duplicate copy or a previous copy of backups stored in a safe off-site facility. Off-site backups are usually rotated on a schedule that varies according to your needs, such as every day, week, or month.

In addition, record all updates you make to your workstation by using a process called configuration management. Some companies record updates in a configuration management database to maintain compliance with lab policy. Every time you add or update software on your workstation, enter the change in the database or in a simple notebook with handwritten entries to document the change.
A disaster recovery plan can also address how to restore a workstation you reconfigured for a specific investigation. For example, if you install a suite of applications, you might not have enough disk space for normal processing needs, so you could encounter problems during reconfigurations or even simple upgrades. The disaster recovery plan should outline how to uninstall software and delete any files the uninstall program hasn’t removed so that you can restore your system to its original configuration.

For labs using high-end RAID servers (such as Digital Intelligence F.R.E.D.C. or F.R.E.D.M.), you must consider methods for restoring large data sets. These high-end servers must have adequate data backup systems available in the event of a major failure of more than one drive. When planning a recovery procedure for RAID servers, consider whether the amount of downtime it takes to restore backup data is acceptable to the lab operation.

Planning for Equipment Upgrades

Risk management involves determining how much risk is acceptable for any process or operation, such as replacing equipment. Identify the equipment your lab depends on, and create a schedule to replace that equipment. Also, identify equipment that you can replace when it fails. Computing components are designed to last 18 to 36 months in normal business operations, and new versions of OSs and applications that take up more disk space are released frequently. Therefore, systems periodically need more RAM, disk space, and processing speed. To keep your lab current with updates in hardware technology, schedule hardware replacements at least every 18 months and preferably every 12 months.

Using Laptop Forensic Workstations

Recent important advances in hardware technology offer more flexibility in computer forensics. You can now use a laptop PC with FireWire (IEEE 1394b standard), USB 2.0, or PCMCIA SATA hard disks to create a lightweight, mobile forensic workstation.
Improved throughput speeds of data transfer on laptops also make it easier to create images of suspect drives. However, laptops are still limited as forensic workstations. Even with improved data transfer rates, acquiring data with a data compression imaging tool, such as EnCase or SafeBack, creates a bottleneck. The processor speed determines how quickly you can acquire an image of a hard disk. The faster the processor on your laptop (or other PC), the faster an image is created in a compressed mode.

Building a Business Case for Developing a Forensics Lab

Before you can set up a computer forensics lab, you must enlist the support of managers and other team members. To do so, you build a business case, a plan you can use to sell your services to management or clients. In the business case, you justify acquiring newer and better resources to investigate computer forensics cases.

How you develop a business case depends on the organization you support. If you’re the sole proprietor, creating a business case is fairly simple. If you need money to buy tools, you can save your money for the purchase or negotiate with your bank for a loan.

For a public entity such as a police department, business requirements can change drastically because budgets are planned a year or more in advance. Public agency department managers present their budget proposals to upper management. If the proposal is approved, upper management makes money available to acquire resources outlined in the budget. Some public organizations might have other funds available that can be spent immediately for special needs. Managers can divert these funds for emergency or unforeseen needs.

Keep in mind that a private-sector business, especially a large corporation, is motivated by the need to make money.
A business case should demonstrate how computing investigations could save money and avoid risks that can damage profits, such as by preventing litigation involving the company. For example, recent court decisions have defined viewing pornographic images in the workplace as creating a hostile environment for other employees, which is related to employee harassment and computer misuse. An employer is responsible for preventing and investigating harassment of employees and non-employees associated with the workplace. A company is also liable if it doesn’t actively prevent the creation of a hostile workplace by providing employee training and investigating allegations of computer misuse. A lawsuit, regardless of who wins, can cost an employer several hundred thousand dollars. In your business case, compare the cost of training and conducting computing investigations with the cost of a lawsuit.

The Internet makes it difficult for employers to provide a safe and secure environment for employees. In particular, employees can misuse free Web-based e-mail services. These free services give senders anonymity, making it possible for employees to send inappropriate e-mails, often in the form of sexual harassment. Because training rarely prevents this type of behavior, an employer needs to institute an investigation program that involves collecting network logs, such as proxy server logs, and examining computer disks to locate traces of message evidence. Chapter 12 discusses e-mail abuse and using e-mail server and network logs.

Your business case should also show how computing investigations can improve profits, such as by protecting intellectual property, trade secrets, and future business plans. For example, when employees leave one company for a competing company, they can reveal vital competitive information to their new employers.
Suppose a company called Skateboard International (SI) has invested research and development funds into a new product that improves the stability of skateboards. Its main competitor is Better Skateboard; this company contacts Gwen Smith, a disgruntled SI employee, via e-mail and offers her a job. When Gwen leaves SI, she takes with her the plans for the new product. A few months later, Better Skateboard introduces a product similar to the skateboard Gwen had been researching at SI. SI recognizes that the new, improved skateboard is similar to the one Gwen had been developing and consults the noncompete agreement Gwen signed when she was hired. SI thinks the new technology Gwen might have given Better Skateboard belongs to its company. It suspects that Better Skateboard stole its trade secret and intellectual property.

SI could sue Better Skateboard and demand discovery on internal documents. Because Gwen and Better Skateboard corresponded via e-mail, a computing investigator needs to find data related to hiring and research engineering at Better Skateboard. Better Skateboard can also demand discovery on SI’s research records to determine whether any discrepancies in product design could disprove the lawsuit. In this example, computing investigations can allow one company to generate revenue from a new product and prevent the other company from doing so. Information related to profit and loss makes a persuasive argument in a business case.

Preparing a Business Case for a Computer Forensics Lab

It’s important to understand the need for planning in the creation and continued maintenance of a computer forensics lab. The reason for this demand is the constant cost-cutting efforts of upper management. Because of organizations’ tendencies to constantly reduce costs, you must plan ahead to ensure that money is available for facilities, tools, supplies, and training for your computer forensics lab.
The following sections describe some key elements for creating a computer forensics business case. It’s a good idea to maintain a business case with annual updates.

Justification

Before you can start, you need to justify to the person controlling the budget the reason a lab is needed. This justification step requires asking the following questions:

• What type of computing investigation service is needed for your organization?
• Who are the potential customers for this service, and how will it be budgeted—as an internal operation (police department or company security department, for instance) or an external operation (a for-profit business venture)?
• How will you advertise your services to customers?
• What time-management techniques will you use?
• Where will the initial and sustaining budget for business operations come from?

No matter what type of organization you work for—a public agency or a private business—operating a computer forensics lab successfully requires constant efforts to communicate, or advertise, the lab’s services to previous, current, and future customers and clients. By using marketing to attract new customers or clients, you can justify future budgets for the lab’s operation and staff.

Budget Development

The budget needs to include all items described in the following sections. You must be as exact as possible when determining the true cost of these items. Making a mistake could cause delays and possible loss of the opportunity to start or improve your lab.

Facility Cost

For a new computer forensics lab, startup costs might take most of the budget. Depending on how large the lab is, you must determine first how much floor space is needed. As mentioned, a good rule of thumb is 150 square feet per person. This amount of space might seem a bit larger than necessary, but consider how much storage space is needed to preserve evidence and to have enough supplies in stock.
Check with your organization’s facility manager on per-square-foot costs for your area or building. Here are some sample questions to answer to get started on calculating a budget:

• How many computer forensics examiners will you need?
• How much training will each examiner require per year?
• Will you need more than one lab?
• How many computer forensics examiners will use each lab? Will there be a need to accommodate other nonexaminers temporarily to inspect recovered evidence?
• What are the costs to construct a secure lab?
• Is there a suitable room that can be converted into a lab?
• Does the designated room have enough electrical power and heating, ventilation, and air-conditioning (HVAC) systems?
• Does the designated room have existing telephone lines and network cables? If not, how much will it cost to install these additional items?
• Is there an adequate door lock on the designated room’s door?
• What will the furniture costs be?
• Will you need to install an alarm system?
• Are there any other facility costs, such as fees for janitorial services and facility maintenance services?

Computer Hardware Requirements

Determining the types of investigations and data that will be analyzed in your computer forensics lab dictates what hardware equipment you need. If your organization is using Intel-based PCs with Windows XP, for instance, your forensic workstation should be a high-end Intel-based PC, too. For a small police department, determining the types of computers the public uses is more difficult. The diversity of a community’s computer systems requires a police department to be more versatile in the tools needed to conduct investigations. To determine computer hardware budget needs, here are some questions to consider in your planning:

• What types of investigations and data recovery will be performed in the lab?
• How many investigations can be expected per month of operation?
• Will there be any time-sensitive investigations that demand rapid analysis of disk data?
• What sizes and how many drives will be needed to support a typical investigation?
• Will you need a high-speed backup system, such as tape backup or DVD burners?
• What is the predominant type of computer system you will investigate?
• What will you use to store digital evidence? How long do you need to store it?

Software Requirements

In the past few years, many more computer forensics tools have become available. For the private sector, the cost for these tools ranges from about $300 and up. For the public sector, many computer forensics software vendors offer discounts. However, just as you select hardware for your computer forensics lab to fit specific needs, you must first determine what type of OSs and applications will be investigated and then make purchases that fit. Keep in mind that the more you spend on a computer forensics software package, the more function and flexibility will be available. To determine computer software budget needs, here are some questions to consider in your planning:

• What types of OSs will be examined?
• For less popular, uncommon, or older OSs (such as Mac OS 9.x, OS/2, and CP/M), how often will there be a need to investigate them?
• What are the minimum needs for forensics software tools? For example, how many copies of each tool will be needed? How often will each tool be used in an average week?
• What types of OSs will be needed to conduct routine examinations?
• Will there be a need for specialized software, such as QuickBooks or Peachtree?
• Is there a budget to purchase more than one forensics software tool, such as EnCase, FTK, or ProDiscover?
• Which disk-editing tool should be selected for general data analysis?
Miscellaneous Cost Needs

For this section of the budget, you need to brainstorm on other items, tools, and supplies to consider purchasing for the lab, from general office supplies to specific needs for daily operations. To determine miscellaneous budget needs, here are some questions to consider in your planning:

• Will there be a need for errors and omissions insurance for the lab’s operation and staff?
• Will you need a budget for office supplies?

Approval and Acquisition

The approval and acquisition phase for a computer forensics lab is a management function. It’s your responsibility to create a business case with a budget to present to upper management for approval. As part of the approval process, you should include a risk analysis describing how the lab will minimize the risk of litigation, which is a persuasive argument for supporting the lab. You also need to make an educated guess of how many investigations are anticipated and how long they will take to complete on average. Remember, part of the approval process requires using negotiation skills to justify the business case. You might need to revise your case as needed to get approval.

As part of the business case, acquisition planning requires researching different products to determine which one is the best and most cost effective. You need to contact several vendors’ sales staff and design engineers to learn more about each product and service. Another factor to investigate is annual maintenance costs. You need to budget for this expense, too, so that you can get support if you run into problems during an investigation. An additional item to research from others in the profession is the vendor’s maintenance history. Do other computer forensics labs use the same product, and have they had any problems getting support for problems they encounter? Another consideration is vendors’ pricing structures. Vendor pricing isn’t based on the cost of creating CDs and DVDs and packaging them.
Product prices are based on cost for development, testing, documentation support, shipping, and research and development for future improvements. In addition, vendors are for-profit organizations; they have investors to pay, too. Keep in mind that for vendors to be around next year to provide products and services for you, they need to make money.

Implementation

After approval and acquisition, you need to plan the implementation of facilities and tools. As part of your business case, describe how implementation of all approved items will be processed. A timeline showing expected delivery or installation dates and expected completion dates must be included. You should also have a coordination plan for delivery dates and times for materials and tools. Inspection of facility construction, equipment (including furniture and benches), and software tools should be included in the schedule. Make sure you schedule inspection dates, too, to ensure that what you ordered arrived and is functional.

Acceptance Testing

Following the implementation scheduling and inspection, you need to develop an acceptance test plan for the computer forensics lab to make sure everything works correctly. When writing the acceptance test plan, consider the following items:

• Inspect the facility to see whether it meets the security criteria to contain and control digital evidence.
• Test all communications, such as phone and network connections, to make sure they work as expected.
• Test all hardware to verify that it operates correctly; for example, test a computer to make sure it boots to Windows.
• Install and start all software tools; make sure all software can run on the computers and OSs you have in the lab.

Correction for Acceptance

The better you plan for your lab, the less likely you’ll have problems. However, any lab operation has some problems during startup. Your business case must anticipate problems that can cause delays in lab production.
In the business case, you need to develop contingencies to deal with system or facility failures. For example, devise workarounds for problems such as the wrong locks being installed on lab doors or electrical power needing additional filtering.

Production

After all essential corrections have been made, your computer forensics lab can then go into production. At this time, you implement the lab operations procedures that have been described in this chapter.

For additional information on how to write a business case, see www.sba.gov/smallbusinessplanner/plan/writeabusinessplan/index.html.

Chapter Summary

■ A computer forensics lab is where you conduct investigations, store evidence, and do most of your work. You use the lab to house your instruments, current and legacy software, and forensic workstations. In general, you need a variety of computer forensics hardware and software.
■ To continue a career in computing investigations and forensic analysis, you need to upgrade your skills through training. Several organizations offer training and certification programs for computer forensics that test you after you have successfully completed training. Some state and federal government agencies are also considering establishing certification programs that address minimum skills needed to conduct computing investigations at different levels.
■ Your lab facility must be physically secure so that evidence is not lost, corrupted, or destroyed.
■ Police departments in major cities need a wide assortment of computing systems, including older, outdated technology. Most computer investigations in small, local police departments involve Windows PCs and Macintosh systems. As a general rule, there should be at least one law enforcement computer investigator for every 250,000 people in a geographic region. Commercial services providing computer forensics analysis for other businesses can tailor their services to specific markets.
■ A forensic workstation needs to have adequate memory, storage, and ports to deal with the common types of cases that come through your lab.
■ Before you can set up a computer forensics lab, you must enlist the support of your managers and other team members by building a business case, a plan you can use to sell your services to management or clients. In the business case, you justify acquiring newer and better resources to investigate computer forensics cases.

Key Terms

American Society of Crime Laboratory Directors (ASCLD) A national society that sets the standards, management, and audit procedures for labs used in crime analysis, including computer forensics labs used by the police, FBI, and similar organizations.

business case A document that provides justification to upper management or a lender for purchasing new equipment, software, or other tools when upgrading your facility. In many instances, a business case shows how upgrades will benefit the company.

Certified Electronic Evidence Collection Specialist (CEECS) A certificate awarded by IACIS at completion of the written exam.

Certified Forensic Computer Examiner (CFCE) A certificate awarded by IACIS at completion of all portions of the exam.

computer forensics lab A computer lab dedicated to computing investigations; typically, it has a variety of computers, OSs, and forensics software.

configuration management The process of keeping track of all upgrades and patches you apply to your computer’s OS and applications.

High Tech Crime Network (HTCN) A national organization that provides certification for computer crime investigators and computer forensics technicians.

risk management The process of determining how much risk is acceptable for any process or operation, such as replacing equipment.

secure facility A facility that can be locked and allows limited access to the room’s contents.
special-interest groups (SIGs) Associated with various operating systems, these groups maintain electronic mailing lists and might hold meetings to exchange information about current and legacy operating systems.

TEMPEST A term referring to facilities that have been hardened so that electrical signals from computers, the computer network, and telephone systems can’t be monitored or accessed easily by someone outside the facility.

Uniform Crime Report Information collected at the federal, state, and local levels to determine the types and frequencies of crimes committed.

Review Questions

1. An employer can be held liable for e-mail harassment. True or False?
2. Building a business case can involve which of the following?
   a. Procedures for gathering evidence
   b. Testing software
   c. Protecting trade secrets
   d. All of the above
3. The ASCLD mandates the procedures established for a computer forensics lab. True or False?
4. The manager of a computer forensics lab is responsible for which of the following? (Choose all that apply.)
   a. Necessary changes in lab procedures and software
   b. Ensuring that staff members have sufficient training to do the job
   c. Knowing the lab objectives
   d. None of the above
5. To determine the types of operating systems needed in your lab, list two sources of information you could use.
6. What items should your business plan include?
7. List two popular certification systems for computer forensics.
8. The National Cybercrime Training Partnership is available only to law enforcement. True or False?
9. Why is physical security so critical for computer forensics labs?
10. If a visitor to your computer forensics lab is a personal friend, it’s not necessary to have him or her sign the visitor’s log. True or False?
11. What three items should you research before enlisting in a certification program?
12. Large computer forensics labs should have at least _____ exits.
13. Typically, a(n) _______ lab has a separate storage area or room for evidence.
14. Computer forensics facilities always have windows. True or False?
15. The chief custodian of evidence storage containers should keep several master keys. True or False?
16. Putting out fires in a computer lab usually requires a ______ rated fire extinguisher.
17. A forensic workstation should always have a direct broadband connection to the Internet. True or False?
18. Which organization provides good information on safe storage containers?
19. Which organization has guidelines on how to operate a computer forensics lab?
20. What term refers to labs constructed to shield EMR emissions?

Hands-On Projects

Hands-On Project 3-1
You have just been hired to perform digital investigations and forensics analysis for a company. You find that no policies, processes, or procedures are currently in place. Do an Internet search to find information, and then create a policy and processes document to provide the structure necessary for your lab environment. Be sure to cite your online sources.

Hands-On Project 3-2
As mentioned previously, new forensics certifications are constantly being offered. Research certifications online and find one not discussed in this chapter. Write a short paper stating what organization offers the certification, who endorses the certification, how long the organization has been in business, and so forth.

Hands-On Project 3-3
Physical security of a lab must always be maintained. In your classroom lab, get permission to make observations at different times of the day when classes are and aren’t in session. Record how many people go in and out during a period. Do you know all the people or can you identify them? Are they all students or faculty? Who monitors the lab when classes aren’t in session? Are the rooms locked? How often are things stolen from the labs? Write one to two pages about your observations.
If it were a computer forensics lab, what changes would you have to make?

Hands-On Project 3-4
Write a disaster recovery plan of not more than three pages for a fictitious company’s computer forensics lab. Include backup schedules, note the programs and OS installed on each machine, and list other information you would have to recover after a disaster. You should also note where the original disks and backups are located.

Hands-On Project 3-5
A law firm has hired you to assist with digital evidence cases involving divorces. The main evidence consists of e-mail, spreadsheets, and documents. Before hiring you, the firm used an outside group to conduct investigations. You have to decide what equipment and software to purchase. What would you do to build a business plan that would be approved?

Case Projects

Case Project 3-1
Based on your evaluation of the arson case in Case Project 2-1, build a business case for the resources you think you’ll need to investigate it for the insurance company. Write a brief paper outlining the resources you’ll need, and make sure to justify your needs.

Case Project 3-2
A new version of Windows has been released. What do you need to do to be ready in 6 to 10 months when you encounter cases involving the new OS? Include research, user groups, and others you need to contact. Write a one-page paper on the procedures you should use.

Chapter 4 Data Acquisition

After reading this chapter and completing the exercises, you will be able to:

• List digital evidence storage formats
• Explain ways to determine the best acquisition method
• Describe contingency planning for data acquisitions
• Explain how to use acquisition tools
• Describe how to validate data acquisitions
• Describe RAID acquisition methods
• Explain how to use remote network acquisition tools
• List other forensics tools available for data acquisitions

Data acquisition is the process of copying data.
For computer forensics, it’s the task of collecting digital evidence from electronic media. There are two types of data acquisition: static acquisitions and live acquisitions. In this chapter, you learn how to perform static acquisitions from digital media. The future of data acquisitions is shifting toward live acquisitions because of the use of disk encryption with newer operating systems (OSs). In addition to encryption concerns, collecting any data that’s active in a suspect’s computer RAM is becoming more important to digital investigations. Techniques for acquiring live disk and RAM data are covered in Chapter 11.

The processes and data integrity requirements for static and live acquisitions are the same. The only shortcoming with live acquisitions is not being able to perform repeatable processes, which are critical for collecting digital evidence. With static acquisitions, if you have preserved the original media, making a second static acquisition should produce the same results. The data on the original disk is not altered, no matter how many times an acquisition is done. Making a second live acquisition while a computer is running collects new data because of dynamic changes in the OS.

Your goal when acquiring data for a static acquisition is to preserve the digital evidence. Many times, you have only one chance to create a reliable copy of disk evidence with a data acquisition tool. Although these tools are generally dependable, you should still take steps to make sure you acquire an image that can be verified. In addition, failures can and do occur, so you should learn how to use several acquisition tools and methods; you work with a few different tools in this chapter. Other data acquisition tools that work in Windows, MS-DOS 6.22, and Linux are described briefly in the last section, but the list of vendors and methods is by no means exhaustive. You should always search for newer and better tools to ensure the integrity of your forensics acquisitions.
For additional information on MS-DOS acquisition methods and tools, see Appendix D. You can perform most digital acquisitions for your investigations with a combination of the tools discussed in this chapter.

Understanding Storage Formats for Digital Evidence

Chapter 2 introduced the process of acquiring data from a USB drive and storing it in a data file. The acquisition tool you used, ProDiscover Basic, performed a bit-by-bit (or sector-by-sector) copy of the USB drive and wrote it to an image file, which was an exact duplicate of the source device (the USB drive). The data a computer forensics acquisition tool collects is stored as an image file in one of three formats. Two formats are open source and the third is proprietary. Each vendor has unique features, so several different proprietary formats are available. Depending on the proprietary format, many computer forensics analysis tools can read other vendors’ formatted acquisitions. Many computer forensics acquisition tools create a disk-to-image file in an older open-source format, known as raw, as well as their own proprietary format. The new open-source format, Advanced Forensic Format (AFF), is starting to gain recognition from computer forensics examiners. Because AFF is open source, many vendors should be including this format soon in their tools. Each data acquisition format has unique features along with advantages and disadvantages. The following sections summarize each format to help you choose which one to use.

Raw Format

In the past, there was only one practical way of copying data for the purpose of evidence preservation and examination. Examiners performed a bit-by-bit copy from one disk to another disk the same size or larger. As a practical way to preserve digital evidence, vendors (and some OS utilities, such as the Linux/UNIX dd command) made it possible to write bit-stream data to files.
This copy technique creates simple sequential flat files of a suspect drive or data set. The output of these flat files is referred to as a raw format. This format has unique advantages and disadvantages to consider when selecting an acquisition format.

The advantages of the raw format are fast data transfers and the capability to ignore minor data read errors on the source drive. In addition, most computer forensics tools can read the raw format, making it a universal acquisition format for most tools.

One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Another disadvantage is that some raw format tools, typically freeware versions, might not collect marginal (bad) sectors on the source drive, meaning they have a low threshold of retry reads on weak media spots on a drive. Many commercial tools have a much higher threshold of retry reads to ensure that all data is collected. Several commercial acquisition tools can produce raw format acquisitions and typically provide a validation check by using Cyclic Redundancy Check (CRC-32), Message Digest 5 (MD5), and Secure Hash Algorithm (SHA-1 or newer) hashing functions. These validation checks, however, usually create a separate file containing the hash value.

Proprietary Formats

Most commercial computer forensics tools have their own formats for collecting digital evidence.
Proprietary formats typically offer several features that complement the vendor’s analysis tool, such as the following:

• The option to compress or not compress image files of a suspect drive, thus saving space on the target drive
• The capability to split an image into smaller segmented files for archiving purposes, such as to CDs or DVDs, with data integrity checks integrated into each segment
• The capability to integrate metadata into the image file, such as date and time of the acquisition, hash value (for self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details

Computer forensics examiners have several ways of referring to copying evidence data to files: bit-stream copy, bit-stream image, image, mirror, and sector copy, to name a few. For the purposes of this book, “image” is generally used to refer to all forensics acquisitions saved to a data file.

One major disadvantage of proprietary format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools. For example, the ILook imaging tool IXimager produces three proprietary formats—IDIF, IRBF, and IEIF—that can be read only by ILook. (See www.perlustro.com for additional information on ILook, which is currently available only to law enforcement agencies.) If necessary, IXimager can copy IDIF, IRBF, and IEIF formats to a raw format image file that can be read by other tools.

Another problem with proprietary and raw formats is a file size limitation for each segmented volume. Typically, proprietary format tools produce a segmented file of 650 MB. The file size can be adjusted up or down, with a maximum file size per segment of no more than 2 GB. Most proprietary format tools go up to only 2 GB because many examiners use a target drive formatted as FAT, which has a file size limit of 2 GB.
Of all the proprietary formats for image acquisitions, the Expert Witness format is currently the unofficial standard. This format, the default for Guidance Software EnCase, produces both compressed and uncompressed image files. These files (or volumes) write an extension starting with .E01 and incrementing it for each additional segmented image volume. Several computer forensics analysis tools can generate generic versions of the Expert Witness format and analyze it, including X-Ways Forensics, AccessData Forensic Toolkit (FTK), and SMART. For more information on the Expert Witness format, see www.asrdata.com/SMART/whitepaper.html.

Advanced Forensic Format

Dr. Simson L. Garfinkel of Basis Technology Corporation recently developed a new open-source acquisition format called Advanced Forensic Format (AFF). This format has the following design goals:

• Creating compressed or uncompressed image files
• No size restriction for disk-to-image files
• Providing space in the image file or segmented files for metadata
• Simple design with extensibility
• Open source for multiple computing platforms and OSs
• Offer internal consistency checks for self-authentication

File extensions include .afd for segmented image files and .afm for AFF metadata. Because AFF is open source, computer forensics vendors will have no implementation restrictions on this format. Expect AFF to become the future standard for forensically sound acquisition formats. For more information on AFF, see www.afflib.org and www.basistech.com/digitalforensics/aff.html. For more information on acquisition file formats, see www.sleuthkit.org/informer, issues #19 and #23.

Determining the Best Acquisition Method

As mentioned, there are two types of acquisitions: static acquisitions and live acquisitions. Typically, a static acquisition is done on a computer seized during a police raid, for example.
If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is available—meaning the computer is powered on and has been logged on to by the suspect. Static acquisitions are always the preferred way to collect digital evidence. However, they do have limitations in some situations, such as an encrypted drive that’s readable only when the computer is powered on or a computer that’s accessible only over a network. In Chapter 11, you learn how to perform live acquisitions, including collection of digital media and dynamic/volatile memory (RAM) on a computing system.

For both types of acquisitions, data can be collected with four methods: creating a disk-to-image file, creating a disk-to-disk copy, creating a logical disk-to-disk or disk-to-data file, or creating a sparse copy of a folder or file. Determining the best acquisition method depends on the circumstances of the investigation.

Creating a disk-to-image file is the most common method and offers the most flexibility for your investigation. With this method, you can make one or many copies of a suspect drive. These copies are bit-for-bit replications of the original drive. In addition, you can use other forensics tools, such as ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways Forensics, and ILook, to read the most common types of disk-to-image files you create. These programs read the disk-to-image file as though it were the original disk. MS-DOS tools can only read data from a drive. To use MS-DOS tools, you have to duplicate the original drive to perform the analysis. The newer GUI programs save time and disk resources because they can read and interpret directly from the disk-to-image file of a copied drive.

Sometimes you can’t make a disk-to-image file because of hardware or software errors or incompatibilities. This problem is more common when you have to acquire older drives. For these drives, you might have to create a disk-to-disk copy of the suspect drive.
Several imaging tools can copy data exactly from an older disk to a newer disk. These programs can adjust the target disk’s geometry (its cylinder, head, and track configuration) so that the copied data matches the original suspect drive. These imaging tools include EnCase and SafeBack (www.forensics-intl.com/safeback.html). SafeBack must run from an MS-DOS system. See the vendors’ manuals for instructions on using these tools for disk-to-disk copying. For more information about current and older drives, see www.t13.org.

Collecting evidence from a large drive can take several hours. If your time is limited, consider using a logical acquisition or sparse acquisition data copy method. A logical acquisition captures only specific files of interest to the case or specific types of files. A sparse acquisition is similar but also collects fragments of unallocated (deleted) data; use this method only when you don’t need to examine the entire drive. An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files. Another example is collecting only specific records from a large RAID server. If you have to recover data from a RAID server with several terabytes (TBs) of data storage, the logical method might be the only way you can acquire the evidence. In electronic discovery for the purpose of litigation, a logical acquisition is becoming the preferred method, especially with large data storage systems.

To determine which acquisition method to use for an investigation, consider the size of the source (suspect) disk, whether you can retain the source disk as evidence or must return it to the owner, how much time you have to perform the acquisition, and where the evidence is located. If the source disk is very large, such as 500 GB or more, make sure you have a target disk that can store a disk-to-image file of the large disk.
If you don’t have a target disk of comparable size, review alternatives for reducing the size of data to create a verifiable copy of the suspect drive. Older Microsoft disk compression tools, such as DoubleSpace or DriveSpace, eliminate only slack disk space between files. Other compression methods use an algorithm to reduce file size. Popular archiving tools, such as PKZip, WinZip, and WinRAR, use an algorithm referred to as lossless compression. Compression algorithms for graphics files use what’s called lossy compression, which can change data. For example, lossy compression is used with .jpeg files to reduce file size and doesn’t affect image quality when the file is restored and viewed. Because lossy compression alters original data, however, it isn’t used for forensics acquisitions. Both compression methods are discussed in more detail in Chapter 10.

Most imaging tools have an option to use lossless compression to save disk space, which means the target drive doesn’t have to be as large as the suspect drive. For example, if you have a SATA 1.5 TB suspect drive, you might be able to use lossless compression to create the disk-to-image file on a 500 GB target drive. Image files can be reduced by as much as 50% of the original. If the suspect drive already contains compressed data, such as several large zipped files, the imaging tool can’t compress the data any further, however.

An easy way to test lossless compression is to perform an MD5 or SHA-1 hash on a file before and after it’s compressed. If the compression is done correctly, both versions have the same hash value. If the hashes don’t match, that means something corrupted the compressed file, such as a hardware or software error. As an added precaution, perform two separate hashes with different algorithms, such as MD5 and SHA-1. This step isn’t mandatory; however, it’s a good way to establish that nothing has changed during data processing.
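The separate validation file described under Raw Format and the before-and-after hash test just described, as an added Python example (not the book’s or any vendor’s code): it hashes a constructed stand-in for a raw image with CRC-32, MD5, and SHA-1, round-trips it through gzip’s lossless compression, and shows that a single flipped byte fails two-algorithm verification. The image bytes, the file name suspect.dd, and the hash-file layout are all constructed for the example.

```python
"""Hash validation record for a raw image plus a lossless-compression
round-trip check.  Added example; IMAGE is a constructed stand-in for a
raw (dd-style) image, not real evidence."""
import gzip
import hashlib
import zlib

SECTOR = 512
# Constructed image: a FAT-like first sector (jump code, OEM name, padding,
# 0x55AA signature), a repeated directory-entry-like string, and a varying
# byte pattern standing in for ordinary file content.
IMAGE = (b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * (SECTOR - 13) + b"\x55\xAA"
         + b"evidence.txt\x00" * 200
         + bytes((i * 131 + 7) % 256 for i in range(4096)))


def validation_record(image: bytes) -> dict:
    """Compute the CRC-32, MD5, and SHA-1 values an acquisition tool would
    write to the separate validation file that accompanies a raw image."""
    return {
        "crc32": f"{zlib.crc32(image):08x}",
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }


def format_hash_file(image_name: str, rec: dict) -> str:
    """Render the record as 'hash  filename' lines, the two-column layout
    used by md5sum/sha1sum-style tools (layout assumed for this example)."""
    return "".join(f"{rec[k]}  {image_name}\n" for k in ("crc32", "md5", "sha1"))


def lossless_roundtrip_ok(image: bytes) -> tuple:
    """Compress losslessly, decompress, and compare the hashes of the
    original and the restored data.  Returns
    (hashes_match, compressed_size, original_size)."""
    before = validation_record(image)
    compressed = gzip.compress(image)      # lossless, like an imaging tool's option
    restored = gzip.decompress(compressed)
    after = validation_record(restored)
    return before == after, len(compressed), len(image)


def verify_against_record(image: bytes, rec: dict) -> bool:
    """Re-hash a copy and check it against the stored record with two
    independent algorithms, the added precaution the text recommends."""
    current = validation_record(image)
    return current["md5"] == rec["md5"] and current["sha1"] == rec["sha1"]


if __name__ == "__main__":
    rec = validation_record(IMAGE)
    print(format_hash_file("suspect.dd", rec))
    ok, small, big = lossless_roundtrip_ok(IMAGE)
    print(f"lossless round trip hashes match: {ok} ({big} -> {small} bytes)")
    # One flipped byte, simulating a read error, must fail verification.
    damaged = bytearray(IMAGE)
    damaged[SECTOR] ^= 0x01
    print("damaged copy verifies:", verify_against_record(bytes(damaged), rec))
```

The comparison is between the original and the restored (decompressed) data; the compressed file itself naturally has a different hash.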
When working with large drives, an alternative is using tape backup systems, such as Super Digital Linear Tape (SDLT) or Digital Audio Tape/Digital Data Storage (DAT/DDS). SnapBack and SafeBack have special software drivers designed to write data from a suspect drive to a tape backup system through standard PCI SCSI cards. The advantage of this type of acquisition is that there’s no limit to the size of data that can be acquired. The one big disadvantage, especially with microprocessor systems, is that it can be slow and time-consuming.

If you can’t retain the original evidence drive and must return it to the owner, as in a discovery demand for a civil litigation case, check with the requester, such as your lawyer or supervisor, and ask whether a logical acquisition is acceptable. If not, you have to refer the matter back to your lawyer or supervisor. When performing an acquisition under these conditions, make sure you have a good copy because most discovery demands give you only one chance to capture data. In addition, make sure you have a reliable forensics tool that you know how to use.

Contingency Planning for Image Acquisitions

Because you’re working with electronic data, you need to take precautions to protect your digital evidence. You should also make contingency plans in case software or hardware doesn’t work or you encounter a failure during an acquisition. The most common and time-consuming technique for preserving evidence is creating a duplicate of your disk-to-image file. Many computer investigators don’t make duplicates of their evidence because they don’t have enough time or resources to make a second image. However, if the first copy doesn’t work correctly, having a duplicate is worth the effort and resources. Be sure you take steps to minimize the risk of failure in your investigation. As a standard practice, make at least two images of the digital evidence you collect.
If you have more than one imaging tool, such as ProDiscover, FTK, and X-Ways Forensics, make the first copy with one tool and the second copy with the other tool. If you have only one tool, consider making two images of the drive with the same tool, especially for critical investigations. With tools such as EnCase and ProDiscover, you can make one copy with no compression and compress the other copy. Remember that Murphy’s Law applies to computer forensics, too: If anything can go wrong, it will.

Many acquisition tools don’t copy data in the host protected area (HPA) of a disk drive. (Refer to Chapter 8 for more information on host protected areas.) For these situations, consider using a hardware acquisition tool that can access the drive at the BIOS level, such as ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica. These tools can read a disk’s HPA.

Microsoft has recently added whole disk encryption in Windows Vista Ultimate and Enterprise Editions, which makes performing static acquisitions more difficult. (Utimaco Software SafeGuard Easy also uses whole disk encryption.) As part of your contingency planning, you must be prepared to deal with encrypted drives. A static acquisition on most whole disk encrypted drives currently involves decrypting the drives, which requires the user’s cooperation in providing the decryption key. Most whole disk encryption tools at least have a manual process for decrypting data, which is converting the encrypted disk to an unencrypted disk. This process can take several hours, depending on the disk size. One good thing about encryption use is that data isn’t altered, in that free and slack space aren’t changed. The biggest concern with whole disk encryption is getting the decryption key. In criminal investigations, this might be impossible because if a disk contains evidence supporting the crime, a suspect has a strong motivation not to supply the decryption key.
Researchers at Princeton University have produced a technique to recover passwords and passphrases from RAM, however; for more information, visit http://citp.princeton.edu/pub/coldboot.pdf.

Using Acquisition Tools

Many computer forensics software vendors have developed acquisition tools that run in Windows. These tools make acquiring evidence from a suspect drive more convenient, especially when you use them with hot-swappable devices, such as USB-2, FireWire 1394A and 1394B, or SATA, to connect disks to your workstation.

However, Windows acquisition tools have some drawbacks. Because Windows can easily contaminate your evidence drive, you must protect it with a well-tested write-blocking hardware device. (Chapter 7 discusses write-blocking devices in more detail.) Another drawback is that most Windows tools can’t acquire data from a disk’s host protected area. In addition, some countries haven’t yet accepted the use of write-blocking devices for data acquisitions. Check with your legal counsel for evidence standards in your community or country.

Windows XP Write-Protection with USB Devices

When Microsoft updated Windows XP with Service Pack 2 (SP2), a new feature was added to the Registry: The USB write-protection feature blocks any writing to USB devices. This feature is still available in Windows Vista SP1. The only additional hardware device needed for an acquisition is a USB external drive or a cable-connecting device (see Figure 4-1). On your acquisition workstation, simply connect the suspect drive to the USB external drive or connector after you’ve modified the Windows Registry to enable write-protection. The advantage of this Registry modification is that you don’t need an expensive physical write-blocker to make a disk acquisition from Windows. The disadvantage is that your target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller, not another USB external drive.
Figure 4-1 A typical inexpensive USB IDE/SATA external connector To update the Registry, you need to perform three tasks. First, back up the Registry in case something fails while you’re modifying it. Second, modify the Registry with the writeprotection feature. Third, create two desktop icons to automate switching between enabling and disabling writes to the USB device. Backing Up the Registry Activities for updating the Registry are written for Windows Vista. If you’re using Windows XP, you’ll notice slight differences in dialog boxes, and you won’t see the User Account Control (UAC) message box. Using Acquisition Tools 107 Before updating the Registry for the write-blocking feature or any other task, backing it up is crucial. To back up your Registry, follow these steps: 1. Click Start, point to All Programs, point to Accessories, point to System Tools, and click System Restore. When the UAC message box opens, click Continue. 2. In the first window of the System Restore Wizard (see Figure 4-2), click the open System Protection link to create a restore point. (Note that if you haven’t created a restore point previously, you must click the System Protection link.) 4 Figure 4-2 The System Restore Wizard 3. In the System Properties dialog box (see Figure 4-3), click the Create button. In the Create a restore point window, enter a name for the restore point (such as Primary Restore), click Create, and then click OK twice. Click Cancel in the System Restore Wizard. Modifying the Registry for USB Write-Blocking After you have created a restore point for the Registry, perform the following steps to enable the write-blocking feature: 1. Click Start, type regedit in the Start Search text box, and then press Enter. If the UAC message box opens, click Continue. (In Windows XP, click Start, Run, type regedit, and click OK.) 2. In Registry Editor, navigate to and click to expand the \HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet key. 3. 
Under the CurrentControlSet item, right-click the Control subkey, point to New, and then click Key.

Figure 4-3 The System Properties dialog box

4. Registry Editor then prompts you for a key name. Type StorageDevicePolicies and press Enter.
5. Right-click the newly created StorageDevicePolicies descendant key, point to New, and click DWORD Value. (Depending on the Vista version you’re running, you might see selections for a 32-bit value and a 64-bit value. If so, select the 32-bit value.)
6. A new prompt appears in the key data area at the right. Type WriteProtect and press Enter.
7. Next, in the key data area, right-click WriteProtect DWORD (or just WriteProtect, depending on the Vista version) and click Modify.
8. In the Edit DWORD Value dialog box, change the Value Data setting from 0 to 1, and then click OK to activate write-blocking to USB devices. Keep Registry Editor open for the next task.

Automating USB Write-Blocking

To minimize errors in updating the Registry every time you need to write-block a USB device, exporting the Registry is recommended. To do this, you create a .reg file and save it to your workstation’s desktop. To make it easier to switch between writing and blocking modes for the Registry, follow these steps in Registry Editor:

1. Right-click the StorageDevicePolicies descendant key and click Export.
2. In the Export Registry File dialog box, click Desktop in the Save in list box. In the File name text box, type Write Protect USB ON, and click Save.
3. In Registry Editor, click StorageDevicePolicies. In the key data area, right-click WriteProtect DWORD and click Modify.
4. Next, in the Edit DWORD Value dialog box, change the Value Data setting from 1 to 0, and then click OK to deactivate write-blocking to USB devices.
5. Right-click the StorageDevicePolicies descendant key again and click Export.
6. In the Export Registry File dialog box, click Desktop in the Save in list box.
In the File name text box, type Write Protect USB OFF, and click Save. Close Registry Editor.

Now that you have made this Registry modification, you should see two desktop icons named Write Protect USB ON.reg and Write Protect USB OFF.reg. When you need to set your workstation so that it write-blocks (prevents writes to USB devices), double-click the Write Protect USB ON icon. When a dialog box opens, asking whether you want to modify the Registry, click OK, and then click OK again in the message box stating the Registry has been modified successfully. To undo write-blocking (allow writes to USB devices), double-click the Write Protect USB OFF icon. Click OK to modify the Registry and OK again to finish.

For more information on this Registry modification procedure and other useful guides, do an Internet search for “USB Registry write-blocker.”

Acquiring Data with a Linux Boot CD

The Linux OS has many features that are applicable to computer forensics, especially data acquisitions. One unique feature is that Linux can access a drive that isn’t mounted. Physical access for the purpose of reading data can be done on a connected media device, such as a disk drive, a USB drive, or other storage devices.

In Windows OSs and newer Linux kernels, when you connect a drive via USB, FireWire, external SATA, or even internal PATA or SATA controllers, both OSs automatically mount and access the drive. For example, a Windows XP or Linux kernel 2.6 or later workstation automatically accesses a suspect drive when connecting to it, which could alter data. On Windows drives, an acquisition workstation can access and alter data in the Recycle Bin; on Linux drives, the workstation most likely alters metadata, such as mount point configurations for an Ext2 or Ext3 drive. In static acquisitions, this automatic access corrupts the integrity of evidence. When acquiring data with Windows, you must use a write-blocking device or Registry utility.
With a correctly configured Linux OS, such as a forensic Linux Live CD, media aren’t accessed automatically, which eliminates the need for a write-blocker. If you need to acquire a USB drive that doesn’t have a write-lock switch, use one of the forensic Linux Live CDs (discussed in the next section) to access the device.

Use caution when working with newer Linux distributions with KDE or GNOME GUIs. Many newer distributions mount most media devices automatically. If you’re using a nonforensic Linux distribution, you should test it before using it on actual evidence to see how it handles attached storage devices. If in doubt, always use a physical write-blocker for an acquisition from Linux.

Using Linux Live CD Distributions

Several Linux distributions, such as Knoppix (www.knoppix.org), provide an ISO image that can be burned to a CD or DVD. Linux ISO images are referred to as Live CDs. Most of these Linux distributions are for Linux OS recovery, not for computer forensics acquisition and analysis. For a list of the most current Linux Live CDs, see www.frozentech.com.

A few Linux ISO images are specifically designed for computer forensics, however. These special Linux ISO images contain additional utilities that aren’t typically installed in normal Linux distributions. They are also configured not to mount, or to mount as read-only, any connected storage media, such as disk drives. This feature protects the media’s integrity for the purpose of acquiring and analyzing data. To access media, you have to give specific instructions to the Live CD boot session through a GUI utility or a shell command prompt. Mounting drives from a shell gives you more control over them. See the man page for the mount command (by typing “man mount” at the shell prompt) to learn what options are available for your Linux distribution. The man command displays pages from the online help manual for information on Linux commands and their options.
Linux can read data from a physical device without having to mount it. As a usual practice, don’t mount a suspect media device as a precaution against any writes to it. Later in this section, you learn how to make a forensics acquisition in Linux without mounting the device.

The following are well-designed Linux Live CDs for computer forensics:

• Helix (www.e-fense.com/helix/; English interface)
• Penguin Sleuth (www.linux-forensics.com; English interface)
• FCCU (www.d-fence.be; French interface)

You can download these ISO images to any computer, including a Windows system, and then burn them to CD/DVD with burner software, such as Roxio or Nero. Creating a bootable image from an ISO file is different from copying data or music files to a CD or DVD, however. If you aren’t familiar with how to do it, see the Help menu in your burner software for instructions on creating a bootable CD or DVD. For example, Roxio Creator Classic has a Burn from Disc Image File option in the File menu, and Nero Express has a Bootable CD option.

After creating a Linux Live CD, test it on your workstation. Remember to check your workstation’s BIOS to see whether it boots first from the CD or DVD on the system. To test the Live CD, simply place it in the CD or DVD drive and reboot your system. If successful, Linux loads into your computer’s memory, and a common GUI for Linux appears on the screen. If you have problems with the video display on your workstation, try another computer with a different video card. No one Live CD distribution has all video drivers.

Linux Live CDs load the OS into the computer’s RAM, so performance can be affected when you’re using GUI tools.

The following sections explain how to use Linux to make forensically sound data acquisitions.

Preparing a Target Drive for Acquisition in Linux

The Linux OS provides many tools that you can use to modify non-Linux file systems.
Current Linux distributions can create Microsoft FAT and NTFS partition tables. Linux kernel version 2.6.17.7 and earlier can format and read only the FAT file system, although an NTFS driver, ntfs-3g, is available that allows Linux to mount and write data only to NTFS partitions. You can download this driver from www.linux-ntfs.org or www.ntfs-3g.org, where you can also find information about NTFS and instructions for installing the driver.

In this section, you learn how to partition and format a Microsoft FAT drive from Linux so that you don’t have to switch OSs or computers to prepare a FAT target disk. After you make the acquisition, you can then transfer the FAT disk to a Windows system to use a Windows analysis tool.

When preparing a drive to be used on a Linux system for forensics acquisition or analysis, do it in a separate boot session with no suspect drive attached.

Linux/UNIX commands are case sensitive, so make sure you type commands exactly as shown in this section’s steps.

Assuming you have a functioning Linux computer or one running with a Linux Live CD, perform the following steps from a shell prompt:

1. First, boot Linux on your computer.
2. Connect the USB, FireWire, or SATA external drive to the Linux computer and power it on.
3. If a shell window isn’t already open, start one.
4. At the shell prompt, type su and press Enter to log in as the superuser (root). Then type the root password and press Enter. If you’re using one of the Live CDs listed previously, these distributions are typically already in superuser (root) mode, so there’s no need to use the su command. Other Linux Live CDs might have no password set and simply require pressing Enter.
5. To list the current disk devices connected to the computer, type fdisk -l (lowercase L) and press Enter. You should see output similar to the following.

   Linux lists all IDE (also known as PATA) drives as hda, hdb, and so on.
   All SCSI, SATA, FireWire, and USB connected drives are listed as sda, sdb, and so forth.

    Disk /dev/hda: 40.0 GB, 40007761920 bytes
    255 heads, 63 sectors/track, 4864 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/hda1   *           1          13      104391   83  Linux
    /dev/hda2              14        4864    38965657+  8e  Linux LVM

    Disk /dev/sda: 6448 MB, 6448619520 bytes
    199 heads, 62 sectors/track, 1020 cylinders
    Units = cylinders of 12338 * 512 = 6317056 bytes

    Disk /dev/sda doesn't contain a valid partition table

   In the preceding output, the /dev/sda device has no partition listed. These steps show how to create a Microsoft FAT partition on this disk. If there’s a partition on this drive, it can be deleted with the Linux fdisk utility. For additional information on fdisk, refer to the man page.

6. Type fdisk /dev/sda and press Enter to partition the disk drive as a FAT file system. You should see output similar to the following:

    Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disk label
    Building a new DOS disk label. Changes will remain in memory only,
    until you decide to write them. After that, of course, the previous
    content won't be recoverable.

    Warning: invalid flag 0x0000 of partition table 4 will be corrected by write)

7. Display fdisk menu options by typing m and pressing Enter. You should see output similar to the following:

    Command action
       a   toggle a bootable flag
       b   edit bsd disklabel
       c   toggle the dos compatibility flag
       d   delete a partition
       l   list known partition types
       m   print this menu
       n   add a new partition
       o   create a new empty DOS partition table
       p   print the partition table
       q   quit without saving changes
       s   create a new empty Sun disk label
       t   change a partition's system id
       u   change display/entry units
       v   verify the partition table
       w   write table to disk and exit
       x   extra functionality (experts only)

8. Determine whether there are any partitions on /dev/sda by typing p and pressing Enter.
   You should see output similar to the following:

    Disk /dev/sda: 6448 MB, 6448619520 bytes
    199 heads, 62 sectors/track, 1020 cylinders
    Units = cylinders of 12338 * 512 = 6317056 bytes

       Device Boot      Start         End      Blocks   Id  System

   In this example, the disk has no previously configured partitions. If it did, there would be data under each column heading describing each partition’s configuration.

9. Next, you create a new primary partition on /dev/sda. To use the defaults and select the entire drive, type n and press Enter. To create a primary partition table, type p and press Enter, and then type 1 (the numeral) to select the first partition and press Enter. At the remaining prompts, press Enter. Your output should be similar to the following:

    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First cylinder (1-1020, default 1):
    Using default value 1
    Last cylinder or +size or +sizeM or +sizeK (1-1020, default 1020):
    Using default value 1020

   In Linux, the first logical partition created after the primary and extended partitions is numbered 5; any additional logical partitions are numbered 6, 7, and so on. For example, the C partition is typically /dev/hda1, and the D partition is /dev/hda2.

10. List the newly defined partitions by typing p and pressing Enter, which produces the following output:

    Disk /dev/sda: 6448 MB, 6448619520 bytes
    199 heads, 62 sectors/track, 1020 cylinders
    Units = cylinders of 12338 * 512 = 6317056 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1        1020     6292349   83  Linux

11. To list the menu again so that you can select the change partition ID, type m and press Enter.
   You should see output similar to the following:

    Command action
       a   toggle a bootable flag
       b   edit bsd disklabel
       c   toggle the dos compatibility flag
       d   delete a partition
       l   list known partition types
       m   print this menu
       n   add a new partition
       o   create a new empty DOS partition table
       p   print the partition table
       q   quit without saving changes
       s   create a new empty Sun disk label
       t   change a partition's system id
       u   change display/entry units
       v   verify the partition table
       w   write table to disk and exit
       x   extra functionality (experts only)

12. To change the newly created partition to the Windows 95 FAT32 file system, first type t and press Enter, which produces the following output:

    Selected partition 1
    Hex code (type L to list codes):

13. List available file systems and their code values by typing l (lowercase L) and pressing Enter. You should see output similar to the following:

     0  Empty           1c  Hidden W95 FAT3 70  DiskSecure Mult bb  Boot Wizard hid
     1  FAT12           1e  Hidden W95 FAT1 75  PC/IX           be  Solaris boot
     2  XENIX root      24  NEC DOS         80  Old Minix       c1  DRDOS/sec (FAT
     3  XENIX usr       39  Plan 9          81  Minix / old Lin c4  DRDOS/sec (FAT
     4  FAT16 <32M      3c  PartitionMagic  82  Linux swap      c6  DRDOS/sec (FAT
     5  Extended        40  Venix 80286     83  Linux           c7  Syrinx
     6  FAT16           41  PPC PReP Boot   84  OS/2 hidden C:  da  Non-FS data
     7  HPFS/NTFS       42  SFS             85  Linux extended  db  CP/M / CTOS / .
     8  AIX             4d  QNX4.x          86  NTFS volume set de  Dell Utility
     9  AIX bootable    4e  QNX4.x 2nd part 87  NTFS volume set df  BootIt
     a  OS/2 Boot Manag 4f  QNX4.x 3rd part 8e  Linux LVM       e1  DOS access
     b  W95 FAT32       50  OnTrack DM      93  Amoeba          e3  DOS R/O
     c  W95 FAT32 (LBA) 51  OnTrack DM6 Aux 94  Amoeba BBT      e4  SpeedStor
     e  W95 FAT16 (LBA) 52  CP/M            9f  BSD/OS          eb  BeOS fs
     f  W95 Ext'd (LBA) 53  OnTrack DM6 Aux a0  IBM Thinkpad hi ee  EFI GPT
    10  OPUS            54  OnTrackDM6      a5  FreeBSD         ef  EFI (FAT-12/16/
    11  Hidden FAT12    55  EZ-Drive        a6  OpenBSD         f0  Linux/PA-RISC b
    12  Compaq diagnost 56  Golden Bow      a7  NeXTSTEP        f1  SpeedStor
    14  Hidden FAT16 <3 5c  Priam Edisk     a8  Darwin UFS      f4  SpeedStor
    16  Hidden FAT16    61  SpeedStor       a9  NetBSD          f2  DOS secondary
    17  Hidden HPFS/NTF 63  GNU HURD or Sys ab  Darwin boot     fd  Linux raid auto
    18  AST SmartSleep  64  Novell Netware  b7  BSDI fs         fe  LANstep
    1b  Hidden W95 FAT3 65  Novell Netware  b8  BSDI swap       ff  BBT

14. Change the newly created partition to the Windows 95 FAT32 file system by typing c and pressing Enter. Your output should look similar to the following:

    Changed system type of partition 1 to b (W95 FAT32)

15. To display partitions of the newly changed drive, type p and press Enter, which produces the following output:

    Disk /dev/sda: 6448 MB, 6448619520 bytes
    199 heads, 62 sectors/track, 1020 cylinders
    Units = cylinders of 12338 * 512 = 6317056 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1        1020     6292349    b  W95 FAT32

16. Save (write) the newly created partition to the /dev/sda drive by typing w and pressing Enter. Your output should look similar to the following:

    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    WARNING: If you have created or modified any DOS 6.x
    partitions, please see the fdisk manual page for additional
    information.
    Syncing disks.

   Fdisk exits back to the shell prompt after updating the partition table on the /dev/sda drive.

17.
Show the known drives connected to your computer by typing fdisk -l and pressing Enter, which produces the following output:

    Disk /dev/hda: 40.0 GB, 40007761920 bytes
    255 heads, 63 sectors/track, 4864 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/hda1   *           1          13      104391   83  Linux
    /dev/hda2              14        4864    38965657+  8e  Linux LVM

    Disk /dev/sda: 6448 MB, 6448619520 bytes
    199 heads, 62 sectors/track, 1020 cylinders
    Units = cylinders of 12338 * 512 = 6317056 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1        1020     6292349    b  W95 FAT32

18. To format a FAT file system from Linux, type mkfs.msdos -vF32 /dev/sda1 and press Enter, which produces the following output:

    mkfs.msdos 2.8 (28 Feb 2001)
    Selecting 8 sectors per cluster
    /dev/sde1 has 33 heads and 61 sectors per track,
    logical sector size is 512,
    using 0xf8 media descriptor, with 2047966 sectors;
    file system has 2 32-bit FATs and 8 sectors per cluster.
    FAT size is 1997 sectors, and provides 255492 clusters.
    Volume ID is 420781ea, no volume label.

   Newer Linux distributions automatically sync the newly created partition and format the drive. The sync feature eliminates the need to reboot the computer, unlike with Microsoft OSs.

19. Close the shell window for this session by typing exit and pressing Enter.

This drive can now be mounted and used to receive an image of a suspect drive. Later in this section, you learn how to mount and write to this Microsoft FAT target drive.

Acquiring Data with dd in Linux

A unique feature of a forensic Linux Live CD is that it can mount and read most drives.
To perform a data acquisition on a suspect computer, all you need are the following:

• A forensic Linux Live CD
• A USB, FireWire, or SATA external drive with cables
• Knowledge of how to alter the suspect computer’s BIOS to boot from the Linux Live CD
• Knowledge of which shell commands to use for the data acquisition

The dd command, available on all UNIX and Linux distributions, means “data dump.” This command, with many functions and switches, can be used to read and write data from a media device and a data file. The dd command is not bound by a logical file system’s data structures, meaning the drive doesn’t have to be mounted for dd to access it. For example, if you list a physical device name, the dd command copies the entire device—all data files, slack space, and free space (unallocated data) on the device. The dd command creates a raw format file that most computer forensics analysis tools can read, which makes it useful for data acquisitions.

Use extreme caution with the dd command. Make sure you know which drives are the suspect drive and target drive. Although you might not have mounted the suspect drive, if you reverse the input field (if=) of the suspect and target drives with the output field (of=), data is written to the wrong drive, thus destroying the original evidence drive.

As powerful as this command is, it does have some shortcomings. One major problem is that it requires more advanced skills than the average computer user might have. Also, because it doesn’t compress data, the target drive needs to be equal to or larger than the suspect drive. It’s possible to divide the output to other drives if a large enough target drive isn’t available, but this process can be cumbersome and prone to mistakes when you’re trying to keep track of which data blocks to copy to which target drive. The dd command combined with the split command segments output into separate volumes.
Use the split command with the -b switch to adjust the size of segmented volumes the dd command creates. As a standard practice for archiving purposes, creating segmented volumes that fit on a 650 MB CD is convenient. For additional information on dd and split, see their man pages.

Perform the following steps to make an image of an NTFS disk on a FAT32 disk by using the dd command:

1. Assuming that your workstation is the suspect computer and is booted from a Linux Live CD, connect the USB, FireWire, or SATA external drive containing the FAT32 target drive, and turn the external drive on.
2. If you’re not at a shell prompt, start a shell window, switch to superuser (su) mode, type the root password, and press Enter.
3. At the shell prompt, list all drives connected to the computer by typing fdisk -l and pressing Enter, which produces the following output:

    Disk /dev/hda: 40.0 GB, 40007761920 bytes
    255 heads, 63 sectors/track, 4864 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/hda1   *           1          13      104391   83  Linux
    /dev/hda2              14        4864    38965657+  8e  Linux LVM

    Disk /dev/sda: 163.9 GB, 163928605184 bytes
    255 heads, 63 sectors/track, 19929 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1       12000    96389968+   b  W95 FAT32
    /dev/sda2           12001       19929    63689692+   5  Extended
    /dev/sda5           12001       19929    63689661    c  W95 FAT32 (LBA)

    Disk /dev/sdb: 6448 MB, 6448619520 bytes
    199 heads, 62 sectors/track, 1020 cylinders
    Units = cylinders of 12338 * 512 = 6317056 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1               1        1020     6292349    7  HPFS/NTFS

4. To create a mount point for the USB, FireWire, or SATA external drive and partition, make a directory in /mnt by typing mkdir /mnt/sda5 and pressing Enter.
5. To mount the target drive partition, type mount -t vfat /dev/sda5 /mnt/sda5 and press Enter.
6. To change your default directory to the target drive, type cd /mnt/sda5 and press Enter.
7. List the contents of the target drive’s root level by typing ls -al and pressing Enter. Your output should be similar to the following:

    total 40
    drwxr-xr-x 2 root root 32768 Dec 31  1969 .
    drwxr-xr-x 5 root root  4096 Feb  6 17:22 ..

8. To make a target directory to receive image saves of the suspect drive, type mkdir case01 and press Enter.
9. To change to the newly created target directory, type cd case01 and press Enter. Don’t close the shell window.

Next, you perform a raw format image of the entire suspect drive to the target directory. To do this, you use the split command with the dd command. The split command creates a two-letter extension for each segmented volume. The -d switch creates numeric rather than letter extensions. As a general rule, if you plan to use a Windows forensics tool to examine a dd image file created with this switch, the segmented volumes shouldn’t exceed 2 GB each because of FAT32 file size limits. This 2 GB limit allows you to copy only up to 198 GB of a suspect’s disk. If you need to use the dd command, it’s better to use the split command’s default of incremented letter extensions and make smaller segments. To adjust the segmented volume size, change the value for the -b switch from the 650 MB used in the following example to 2000 MB.

1. First, type dd if=/dev/sdb | split -b 650m - image_sdb. and press Enter. You should see output similar to the following:

    12594960+0 records in
    12594960+0 records out

   When using the split command, type a period at the end of the line as shown, with no space between it and the filename. Otherwise, the extension is appended to the filename with no “.” delimiter.

2. Now list the raw images that have been created from the dd and split commands by typing ls -l and pressing Enter.
   You should see output similar to the following:

    total 6297504
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:26 image_sdb.aa
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:28 image_sdb.ab
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:29 image_sdb.ac
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:30 image_sdb.ad
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:32 image_sdb.ae
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:33 image_sdb.af
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:34 image_sdb.ag
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:36 image_sdb.ah
    -rwxr-xr-x 1 root root 681574400 Feb  6 17:37 image_sdb.ai
    -rwxr-xr-x 1 root root 314449920 Feb  6 17:37 image_sdb.aj

3. To complete this acquisition, dismount the target drive by typing umount /dev/sda5 and pressing Enter.

Depending on the Windows forensics analysis tool you’re using, renaming each segmented volume’s extension with incremented numbers instead of letters might be necessary. For example, rename image_sdb.aa as image_sdb.01, and so on. Several Windows forensics tools can read only disk-to-image segmented files that have numeric extensions. Most Linux forensics tools can read segments with numeric or lettered extensions.

Acquiring a specific partition on a drive works the same way as acquiring the entire drive. Instead of typing /dev/sdb as you would for the entire drive, add the partition number to the device name, such as /dev/sdb1. For drives with additional partitions, use the number that would be listed in the fdisk -l output. For example, to copy only the partition of the previous NTFS drive, you use the following dd command:

    dd if=/dev/sdb1 | split -b 650m - image_sdb1

Remember to use caution with the dd command in your forensics data acquisitions.

Acquiring Data with dcfldd in Linux

The dd command is intended as a data management tool; it’s not designed for forensics acquisitions.
Because of these shortcomings, Nicholas Harbour of the Defense Computer Forensics Laboratory (DCFL) developed a tool that can be added to most UNIX/Linux OSs. This tool, the dcfldd command, works similarly to the dd command but has many features designed for computer forensics acquisitions. The following are important functions dcfldd offers that aren’t possible with dd:

• Specify hexadecimal patterns or text for clearing disk space.
• Log errors to an output file for analysis and review.
• Use the hashing options MD5, SHA-1, SHA-256, SHA-384, and SHA-512, with logging and the option of specifying the number of bytes to hash, such as specific blocks or sectors.
• Refer to a status display indicating the acquisition’s progress in bytes.
• Split data acquisitions into segmented volumes with numeric extensions (unlike dd’s limit of 99).
• Verify the acquired data with the original disk or media data.

When using dcfldd, you should follow the same precautions as with dd. The dcfldd command can also write to the wrong device, if you aren’t careful.

The following examples show how to use the dcfldd command to acquire data from a 64 MB USB drive, although you can use the command on a larger media device. All commands need to be run from a privileged root shell session. To acquire an entire media device in one image file, you type the following command at the shell prompt:

    dcfldd if=/dev/sda of=usbimg.dat

If the suspect media or disk needs to be segmented, use the dcfldd command with the split command, placing split before the output file field (of=), as shown here:

    dcfldd if=/dev/sda split=2M of=usbimg hash=md5

This command creates segmented volumes of 2 MB each. To create segmented volumes that fit on a CD of 650 MB, change the split=2M to split=650M. This command also displays the MD5 value of the acquired data.

For additional information on the dcfldd command, see http://dcfldd.sourceforge.net.
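The dd-and-split procedure above, together with the hash verification that the dcfldd passage describes, as an added shell example that is not from the book or from either tool's documentation: it images a constructed file that stands in for the suspect device (no real /dev/sdb is read), segments the stream with the same trailing-period prefix convention as the chapter's command, confirms that the segments reassemble to the source by comparing MD5 hashes, and renames the lettered suffixes to the numeric ones the text says some Windows tools require. The function names, the 4096-byte segment size and the seq-generated sample data are the example's own choices; on a real acquisition the source would be the device node and the segment size 650m or 2000m as in the text.

```shell
#!/bin/sh
# Added example (not from the book). The "suspect drive" here is a constructed
# file, so the script can be run anywhere; only the source path and segment
# size change for a real device.

# acquire_split SRC PREFIX SEGSIZE
# Images SRC into PREFIX.aa, PREFIX.ab, ... of SEGSIZE each (split -b syntax).
acquire_split() {
    src=$1; prefix=$2; segsize=$3
    # Refuse to mix a new acquisition with segments that already exist,
    # so a stale PREFIX.aa can never be mistaken for part of this image.
    if ls "$prefix".* >/dev/null 2>&1; then
        echo "refusing: segments already exist for $prefix" >&2
        return 1
    fi
    # The trailing period belongs to the prefix, exactly as in the chapter:
    # without it split would write PREFIXaa instead of PREFIX.aa.
    dd if="$src" 2>/dev/null | split -b "$segsize" - "$prefix."
}

# image_md5 SRC -> MD5 of the source device or file
image_md5() {
    md5sum < "$1" | cut -d' ' -f1
}

# segments_md5 PREFIX -> MD5 of all segments concatenated in name order.
# The shell sorts the glob lexically, which is the order split wrote them,
# so this is the hash of the image as an analysis tool would reassemble it.
segments_md5() {
    cat "$1".* | md5sum | cut -d' ' -f1
}

# verify_image SRC PREFIX -> prints "ok" when source and segments match,
# "MISMATCH" otherwise (the check dd alone never performs).
verify_image() {
    if [ "$(image_md5 "$1")" = "$(segments_md5 "$2")" ]; then
        echo ok
    else
        echo MISMATCH
    fi
}

# rename_numeric PREFIX -> PREFIX.aa becomes PREFIX.01, PREFIX.ab PREFIX.02, ...
# for Windows tools that read only numeric segment extensions.
rename_numeric() {
    n=1
    for f in "$1".??; do
        mv "$f" "$1.$(printf '%02d' "$n")"
        n=$((n + 1))
    done
}

# count_segments PREFIX -> number of segment files written for PREFIX
count_segments() {
    ls "$1".* | wc -l | tr -d ' '
}

# Stand-alone demonstration on constructed data (5000 lines of seq output,
# 23893 bytes, which split -b 4096 turns into six segments).
demo() {
    work=$(mktemp -d)
    seq 1 5000 > "$work/suspect.img"
    acquire_split "$work/suspect.img" "$work/image_sdb" 4096
    echo "segments: $(count_segments "$work/image_sdb")"
    echo "verify:   $(verify_image "$work/suspect.img" "$work/image_sdb")"
    rename_numeric "$work/image_sdb"
    ls "$work"
    rm -rf "$work"
}
demo
```

Hashing the source before the acquisition and the reassembled segments afterwards is the same idea as dcfldd's hash= and verify options, done with coreutils so it also works on a Live CD that ships only dd; record both values in your notes for the case file.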
Information on how to download and install dcfldd is available for many UNIX, Linux, and Macintosh OSs. You can also use the man page to find more information on dcfldd’s features and switches.

Capturing an Image with ProDiscover Basic

In Chapter 2, you learned how to acquire an image of a USB drive. ProDiscover automates many acquisition functions, unlike current Linux tools. Because USB drives are typically small, a single image file can be acquired with no need to segment it. In this section, you learn how to make an image of a larger drive and use the Split function in ProDiscover Basic to create segmented files of 650 MB each that can be archived to CDs.

Before acquiring data directly from a suspect drive with ProDiscover Basic, always use a hardware write-blocker device or the write-protection method for USB-connected drives described earlier in this chapter.

The following activity assumes you have removed the suspect drive and connected it to a USB or FireWire write-blocker device connected to your forensic workstation. The acquisition is written to a work folder on your C drive, assuming it has enough free space for the acquired data. Follow these steps to perform the first task of connecting the suspect’s drive to your workstation:

1. Document the chain of evidence for the drive you plan to acquire.
2. Remove the drive from the suspect’s computer.
3. Configure the suspect drive’s jumpers as needed, if it’s a PATA (IDE) disk. (Note: This step doesn’t apply to SATA drives.)
4. Connect the suspect drive to the USB or FireWire write-blocker device.
5. Create a storage folder on the target drive. For this activity, you use your work folder (C:\Work\Chap04\Chapter), but in real life, you’d use a folder name such as C:\Evidence. The work folder shown in screenshots might differ from the work folder you’ve created for this chapter’s activities.
Using ProDiscover’s Proprietary Acquisition Format

Follow these 11 steps to perform the second task, starting ProDiscover Basic and configuring settings for the acquisition:

1. Start ProDiscover Basic. (Remember to select the Run as administrator option if you’re using Windows Vista.) If the Launch Dialog dialog box opens, click Cancel.
2. In the ProDiscover Basic window, click Action, Capture Image from the menu.
3. In the Capture Image dialog box, click the Source Drive list arrow, and then click PhysicalDrive1. Selecting PhysicalDrive1 assumes there’s only the system disk (drive C) and the suspect drive connected to your workstation. If you have additional drives connected, start the Computer Management utility from the Computer window, and click Disk Management. Identify the target and suspect drive to determine the physical disk numbers.
4. Click the >> button next to the Destination text box. In the Save As dialog box, navigate to the work folder you set up. In the File name text box, type InChp041, and then click Save.
5. Click the Split button. In the Split Image dialog box shown in Figure 4-4, type 650 in the Split into equal sized image of text box, click Split, and then click OK.

Figure 4-4 The Split Image dialog box

6. In the Capture Image dialog box, click the Image Format list arrow, and click ProDiscover Format (recommended), if it’s not already selected.
7. In the Technician Name text box, type your name, and in the Image Number text box, type InChp04. If you like, in the Description text box, type any comments related to the case (see Figure 4-5).

Figure 4-5 The Capture Image dialog box

8. If you need to save space on your target drive, click the Yes option button in the Compression section.
9. If additional security is needed for the acquired image, click Password. In the Password dialog box, enter a new password once, type it again to confirm it, and then click OK.
10.
When you’re finished entering information in the Capture Image dialog box, click OK to begin the acquisition. ProDiscover then creates a segmented image file in your work folder. During this acquisition, ProDiscover displays a status bar in the lower-right corner to show the progress for each volume segment it’s creating.
11. When the acquisition is done, ProDiscover displays a message box instructing you to examine a log file for errors. Click OK to complete the acquisition, and then exit ProDiscover Basic.

ProDiscover then creates image files (segmented volumes) with an .eve extension, a log file (.log extension) listing any errors that occurred during the acquisition, and a special inventory file (.pds extension) that tells ProDiscover how many segmented volumes were created. All these files have the prefix you specified in the Capture Image dialog box. ProDiscover uses the .pds file to load all segmented volumes in the correct order for analysis.

For this activity, ProDiscover produced four files. Two are segments of the split image of the suspect drive, one is the log file, and one is the .pds file. A larger drive would have more than two segmented volumes. The first segmented volume (volume one) has the extension .eve, and all other segmented volumes have the suffix -Split1, -Split2, -Split3, and so on before the .eve extension. If the compression option was selected, ProDiscover uses a .cmp rather than an .eve extension on all segmented volumes.

Using ProDiscover’s Raw Acquisition Format

For versatility, ProDiscover can produce raw format acquisitions that many other forensics tools can read. To perform a raw format acquisition, follow the same steps as for the proprietary format in the Capture Image dialog box, but select the UNIX style dd format in the Image Format list box. When you select this option, the input fields at the bottom of the Capture Image dialog box are grayed out.
To segment the image acquisition, click the Split button as you would for the proprietary format. To initiate the raw acquisition, click OK, and then click Proceed in the warning box, which simply advises you that the raw acquisition saves only the image data and hash value. When the raw acquisition is finished, click OK in the message box.

The raw format creates a log file (.pds extension) and segmented volume files, just like the proprietary format acquisition. Another file with the .md5 extension is also created, which contains the MD5 hash for the acquired drive. In the proprietary format, the hash value, the time zone where the acquisition occurred, the password if it was specified, the investigator’s name, and any comments entered in the Description text box are stored in the .eve file.

Capturing an Image with AccessData FTK Imager

FTK Imager is a Windows data acquisition program that’s included with a licensed copy of AccessData Forensic Toolkit. FTK Imager, like most Windows data acquisition tools, requires using a device such as a USB or parallel port dongle for licensing. However, a version of FTK Imager has been provided on this book’s DVD for you to use for activities and projects.

FTK Imager is designed for viewing evidence disks and disk-to-image files created from other proprietary formats. FTK Imager can read AccessData .ad1, Expert Witness (EnCase) .e01, SafeBack (up to version 2.0), SMART .s01, and raw format files. In addition to disk media, FTK Imager can read CD and DVD file systems. This program provides a view of a disk partition or an image file as though it’s a mounted partition, with additional panes showing the contents of the selected file (see Figure 4-6). FTK Imager can make disk-to-image copies of evidence drives and enables you to acquire an evidence drive from a logical partition level or a physical drive level.
You can also define the size of each disk-to-image file volume, allowing you to segment the image into one or many split volumes. For example, you can specify 650 MB volume segments if you plan to store volumes on 650 MB CD-Rs or 2.0 GB volume segments so that you can record volumes on DVD-/+Rs.

Because FTK Imager is designed to run in Windows, the evidence drive from which you’re acquiring data must have a hardware write-blocking device or the USB write-protection Registry feature enabled between your workstation and the evidence drive. FTK Imager can’t acquire a drive’s host protected area, however. In other words, if the drive’s specifications indicate it has 11,000,000 sectors and the BIOS display indicates 9,000,000, a host protected area of 2,000,000 sectors might be assigned to the drive. If you suspect an evidence drive has a host protected area, you must use an advanced acquisition tool, such as ProDiscover, X-Ways Replica, NTI SafeBack, or SnapBack DatArrest, to include this area when copying data. With MS-DOS tools, you might have to define the exact sector count to make sure you include more than what the BIOS shows as the number of known sectors on a drive. Review vendor product manuals to determine how to account for a drive’s host protected area.

Figure 4-6 The FTK Imager main window

In the following activity, you use FTK Imager to make an image file. Use a write-blocking device or the USB write-protection method to protect the suspect drive, and then follow these steps:

1. Boot your forensic workstation to Windows, using an installed write-blocker or the USB write-protection Registry method. If you’re using the USB Registry method, connect a target drive to an internal PATA or SATA controller.

2. Connect the evidence drive to a write-blocking device or USB device.

3. Connect the target drive to a USB external drive, if you’re using a write-blocker.

4. To start FTK Imager, click Start, point to All Programs, point to AccessData, point to FTK Imager, and then right-click FTK Imager and click Run as administrator. (In Windows XP, click Start, point to All Programs, point to AccessData, point to FTK Imager, and then click FTK Imager.)

5. In the FTK Imager main window, click File, Create Disk Image from the menu.

6. In the Select Source dialog box, click the Physical Drive option button (see Figure 4-7), and then click Next.

7. In the Select Drive dialog box, click the Drive Selection list arrow, click the suspect drive, and then click Finish.

8. In the Create Image dialog box, click to select the Verify images after they are created check box, and then click Add. In the Select Image Type dialog box that opens (see Figure 4-8), click the Raw (dd) option button, and then click Next.

Figure 4-7 The Select Source dialog box

Figure 4-8 The Select Image Type dialog box

9. In the Select Image Destination dialog box (see Figure 4-9), click Browse, navigate to the location for the image file (your work folder), and then click OK.

10. In the Image filename (excluding extension) text box, type InChp04-ftk, and then click Finish. You can adjust the segmented volume size in this dialog box, but for this activity, accept the default of 650 MB.

11. Next, in the Create Image dialog box, click Start to initiate the acquisition.

12. When FTK Imager finishes the acquisition, click Close in the Drive/Image Verify Results dialog box, and then click Close again in the Creating Image dialog box (see Figure 4-10).

13. Exit FTK Imager by clicking File, Exit from the menu.

Figure 4-9 Selecting where to save the image file

Figure 4-10 A completed image save

For additional information, see the Help menu in FTK Imager to learn more about its many features.

Validating Data Acquisitions

Probably the most critical aspect of computer forensics is validating digital evidence.
The weakest point of any digital investigation is the integrity of the data you collect, so validation is essential. In this section, you learn how to use several tools to validate data acquisitions.

Validating digital evidence requires using a hashing algorithm utility, which is designed to create a binary or hexadecimal number that represents the uniqueness of a data set, such as a file or disk drive. This unique number is referred to as a “digital fingerprint.” Because hash values are unique, if two files have the same hash values, they are identical, even if they have different filenames. Making any alteration in one of the files—even changing one letter from uppercase to lowercase—produces a completely different hash value, however.

In recent years, researchers have discovered that MD5 can produce collisions. For forensic examinations of data files on a disk drive, however, collisions are of little concern. If two files with different content have the same MD5 hash value, a comparison of each byte of a file can be done to see the differences. Currently, several tools can do a byte-by-byte comparison of files. Programs such as X-Ways Forensics, X-Ways WinHex, and IDM Computing Solution’s UltraCompare can analyze and compare data files. For more information on MD5 collisions, see www.x-ways.net/md5collision.html or www.mscs.dal.ca/~selinger/md5collision/. Chapter 5 discusses methods of using MD5 and SHA-1.

For imaging an evidence drive, many tools offer validation techniques ranging from CRC-32, MD5, and SHA-1 to SHA-512. The advantage of older validation utilities, such as CRC-32, is speed because it takes less CPU processing time to compute hash values. More advanced validation utilities, such as MD5 and the SHA series, require far more CPU cycles to complete. The higher the level of hashing done on an acquisition, the longer the calculation takes.
These hashing algorithm utilities are available as standalone programs or are integrated into many acquisition tools. The following sections discuss how to perform validation with some currently available acquisition programs.

Linux Validation Methods

Linux and UNIX are rich in commands and functions. The two Linux shell commands shown earlier in this chapter, dd and dcfldd, have several options that can be combined with other commands to validate data. The dcfldd command has additional options that validate data collected from an acquisition. Validating acquired data with the dd command requires using other shell commands. Current distributions of Linux include two hashing algorithm utilities: md5sum and sha1sum. Both utilities can compute hashes of a single file, multiple files, individual or multiple disk partitions, or an entire disk drive.

Validating dd Acquired Data

As shown earlier, the following command produces segmented volumes of the /dev/sdb drive, with each segmented volume named image_sdb and an incrementing extension of .aa, .ab, .ac, and so on (the trailing period on the split prefix is what puts the dot before each suffix):

dd if=/dev/sdb | split -b 650m - image_sdb.

To validate all segmented volumes of a suspect drive with the md5sum utility, you use the Linux shell commands in the following steps. For the saved images, remember to change to the directory where the data was saved, or list the exact path for the saved images. To use sha1sum instead of md5sum, just replace all md5sum references in commands with sha1sum. The drive should still be connected to your acquisition workstation.

1. If necessary, start Linux, open a shell window, and navigate to the directory where image files are saved. To calculate the hash value of the original drive, type md5sum /dev/sdb > md5_sdb.txt and press Enter. The redirect (>) option saves the computed MD5 hash value in the md5_sdb.txt file. This file should be saved with image files as validation of the evidence.

2. To compute the MD5 hash value for the segmented volumes and append the output to the md5_sdb.txt file, type cat image_sdb.* | md5sum >> md5_sdb.txt and press Enter. By using the cat (concatenate) command with an asterisk (*) as the extension value, all segmented volumes are read sequentially as one big contiguous file, as though they were the original drive or partition. The pipe (|) function outputs the cat command read data to the input of the md5sum command. The >> option adds the md5sum hash results at the end of the md5_sdb.txt file’s content.

3. Examine the md5_sdb.txt file to see whether both hashes match by typing cat md5_sdb.txt and pressing Enter. If the data acquisition is successful, the two hash numbers should be identical. If not, the acquisition didn’t work correctly. You should see output similar to the following:

34963884a4bc5810b130018b00da9de1 /dev/sdb
34963884a4bc5810b130018b00da9de1

4. Close the Linux shell window by typing exit and pressing Enter.

With the dd command, the md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes.

Validating dcfldd Acquired Data

Because dcfldd is designed for forensic data acquisition, it has validation options integrated: hash and hashlog. You use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512. The hashlog option outputs hash results to a text file that can be stored with the image files. To create an MD5 hash output file during a dcfldd acquisition, you enter the following command at the shell prompt:

dcfldd if=/dev/sda split=2M of=usbimg hash=md5 hashlog=usbhash.log

To see the results of files generated with the split command, you enter the list directory (ls) command at the shell prompt.
You should see the following output:

usbhash.log     usbimg.004  usbimg.010  usbimg.016  usbimg.022  usbimg.028
usbseghash.log  usbimg.005  usbimg.011  usbimg.017  usbimg.023  usbimg.029
usbimg.000      usbimg.006  usbimg.012  usbimg.018  usbimg.024  usbimg.030
usbimg.001      usbimg.007  usbimg.013  usbimg.019  usbimg.025
usbimg.002      usbimg.008  usbimg.014  usbimg.020  usbimg.026
usbimg.003      usbimg.009  usbimg.015  usbimg.021  usbimg.027

Note that the first segmented volume has an extension of .000 rather than .001. Some Windows forensics tools might not be able to read segmented file extensions starting with .000. They are typically looking for .001. If your forensics tool requires starting with a .001 extension, the files need to be renamed incrementally. So segmented file .000 should be renamed .001, .001 should be renamed .002, and so on.

Another useful dcfldd command is the vf (verify file) option, which compares the image file to the original medium, such as a partition or drive. The vf option applies only to a nonsegmented image file. To validate segmented files from dcfldd, use the md5sum command described previously. To use the vf option, you enter the following command at the shell prompt:

dcfldd if=/dev/sda vf=sda_hash.img

For additional information on dcfldd, see the man page.

Windows Validation Methods

Unlike Linux and UNIX, Windows has no built-in hashing algorithm tools for computer forensics. However, many Windows third-party programs do provide a variety of built-in tools. These third-party programs range from hexadecimal editors, such as X-Ways WinHex or Breakpoint Software Hex Workshop, to computer forensics programs, such as ProDiscover, EnCase, and FTK. In Chapter 9, you learn how to hash specific data by using a hexadecimal editor to locate and verify groups of data that have no file association or are sections within a file.

Commercial computer forensics programs also have built-in validation features.
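Returning to the Linux validation methods above, the following script is an added example (not the book’s own commands) that runs the dd | split acquisition, the md5sum validation of the concatenated segments, and the .000-to-.001 renumbering of dcfldd-style segments against a constructed 2 MiB stand-in for /dev/sdb, so no evidence disk or root access is needed. It assumes GNU coreutils on Linux (split -d -a 3 stands in for dcfldd’s numeric suffixes) and uses constructed file names.

```shell
#!/bin/sh
# Added example, not from the book: md5sum validation of a segmented dd
# acquisition (steps 1-3 above) and the .000 -> .001 renumbering of dcfldd-style
# segments, on a constructed 2 MiB stand-in for /dev/sdb. GNU split -d -a 3 is
# used so the segments carry dcfldd's numeric suffixes (.000, .001, ...).

set -eu

# Constructed "suspect drive": 2 MiB of random bytes in a regular file.
make_fake_drive() {
    dd if=/dev/urandom of="$1" bs=1024 count=2048 2>/dev/null
}

# dd | split as in the text, with numeric suffixes so the segments are named
# prefix000, prefix001, ... (512k instead of 650m so the small file still
# yields several segments). The prefix ends in a period, as in the text.
acquire_segmented() {
    drive="$1"; prefix="$2"; segsize="$3"
    dd if="$drive" 2>/dev/null | split -d -a 3 -b "$segsize" - "$prefix"
}

# Steps 1 and 2: hash of the original, then hash of the concatenated segments,
# both recorded in one validation file that is kept with the images.
write_validation_log() {
    drive="$1"; prefix="$2"; log="$3"
    md5sum "$drive" > "$log"
    cat "$prefix"* | md5sum >> "$log"
}

# Step 3: the two recorded hashes must be identical. Returns 0 when they are.
hashes_match() {
    first=$(sed -n '1p' "$1" | cut -d' ' -f1)
    second=$(sed -n '2p' "$1" | cut -d' ' -f1)
    [ -n "$first" ] && [ "$first" = "$second" ]
}

# Highest numeric suffix among prefixNNN, printed without leading zeros.
last_segment_index() {
    last=$(ls "$1"[0-9][0-9][0-9] | sed 's/.*\.//' | sort | tail -n 1)
    n=$(printf '%s' "$last" | sed 's/^0*//')
    if [ -n "$n" ]; then printf '%s\n' "$n"; else printf '0\n'; fi
}

# Shift every segment up by one so the first is .001. Work from the highest
# number down: renaming .000 to .001 first would overwrite the real .001
# before it had been moved to .002.
renumber_from_001() {
    prefix="$1"
    i=$(last_segment_index "$prefix")
    while [ "$i" -ge 0 ]; do
        mv "$prefix$(printf '%03d' "$i")" "$prefix$(printf '%03d' $((i + 1)))"
        i=$((i - 1))
    done
}

# Walk through the procedure: acquire, validate, renumber, validate again.
work=$(mktemp -d)
make_fake_drive "$work/sdb.img"
acquire_segmented "$work/sdb.img" "$work/image_sdb." 512k
write_validation_log "$work/sdb.img" "$work/image_sdb." "$work/md5_sdb.txt"
cat "$work/md5_sdb.txt"
if hashes_match "$work/md5_sdb.txt"; then
    echo "segments validated"
else
    echo "hash mismatch: acquisition is not reliable"
fi
renumber_from_001 "$work/image_sdb."
ls "$work"
write_validation_log "$work/sdb.img" "$work/image_sdb." "$work/md5_sdb.txt"
if hashes_match "$work/md5_sdb.txt"; then
    echo "still valid after renumbering"
fi
rm -rf "$work"
```

The second validation pass shows that renumbering only changes names, not the ordered content that the concatenated hash covers.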
Each program has its own validation technique used with acquisition data in its proprietary format. For example, ProDiscover’s .eve files contain metadata in the acquisition file or segmented files, including the hash value for the suspect drive or partition. Image data loaded into ProDiscover is hashed and then compared to the hash value in the stored metadata. If the hashes don’t match, ProDiscover notifies you that the acquisition is corrupt and can’t be considered reliable evidence. This function is called Auto Verify Image Checksum.

In ProDiscover and many other computer forensics tools, however, raw format image files don’t contain metadata. As mentioned previously, a separate manual validation is recommended for all raw acquisitions at the time of analysis. The previously generated validation file for raw format acquisitions is essential to the integrity of digital evidence. The saved validation file can be used later to check whether the acquisition file is still good.

In FTK Imager, when you select the Expert Witness (.e01) or the SMART (.s01) format, additional options for validation are displayed. This validation report also lists the MD5 and SHA-1 hash values. The MD5 hash value is added to the proprietary format image or segmented files. When this image is loaded into FTK, SMART, or X-Ways Forensics (X-Ways Forensics can read only .e01 and raw files), the MD5 hash is read and compared to the image to verify whether the acquisition is correct.

Performing RAID Data Acquisitions

Acquisitions of RAID drives can be challenging and frustrating for computer forensics examiners because of how RAID systems are designed, configured, and sized. Size is the biggest concern because many RAID systems are now pushing into many terabytes of data. The following sections review common RAID configurations and discuss ways to acquire data on these large storage devices.
Understanding RAID

Redundant array of independent disks (RAID) is a computer configuration involving two or more disks. Originally, RAID was developed as a data-redundancy measure to minimize data loss caused by a disk failure. As technology improved, RAID also provided increased storage capabilities. Several levels of RAID can be implemented through software or special hardware controllers. For Windows XP, 2000, and NT servers and workstations, RAID 0 or 1 is available. For a high-end data-processing environment, RAID 5 is common and is often based in special RAID towers. These high-end RAID systems usually have integrated controllers that connect to high-end servers or mainframes. These systems provide redundancy and high-speed data access and can make many small disks appear as one very large drive. Other variations of RAID besides 0, 1, and 5 are specific to their vendor or application.

RAID 0 provides rapid access and increased data storage (see Figure 4-11). In RAID 0, two or more disk drives become one large volume, so the computer views the disks as a single disk. The tracks of data on this mode of storage cross over to each disk. The logical addressing scheme makes it seem as though each track of data is continuous throughout all disks. If you have two disks configured as RAID 0, track one starts on the first physical disk and continues to the second physical disk. When viewed from a booted OS, such as Windows XP, the two disks appear as one large disk. The advantage of RAID 0 is increased speed and data storage capability spread over two or more disks that can be one large disk partition. Its biggest disadvantage is lack of redundancy; if a disk fails, data isn’t continuously available.

Figure 4-11 RAID 0: Striping

RAID 1, shown in Figure 4-12, is made up of two disks for each volume and is designed for data recovery in the event of a disk failure.
The contents of the two disks in RAID 1 are identical. When data is written to a volume, the OS writes the data twice—once to each disk at the same time. If one drive fails, the OS switches to the other disk. RAID 1 ensures that data isn’t lost and helps prevent computer downtime. The only disadvantage of RAID 1 is that it takes two disks for each volume, which doubles the cost of disk storage.

Figure 4-12 RAID 1: Mirroring

Like RAID 1, RAID 2 (see Figure 4-13) provides rapid access and increased storage by configuring two or more disks as one large volume. The difference with RAID 2 is that data is written to disks on a bit level. An error-correcting code (ECC) is used to verify whether the write is successful. RAID 2, therefore, has better data integrity checking than RAID 0. Because of the bit-level writes and the ECC, however, RAID 2 is slower than RAID 0.

Figure 4-13 RAID 2: Striping (bit level)

RAID 3 uses data striping and dedicated parity and requires at least three disks. Similar to RAID 0, RAID 3 stripes tracks across all disks that make up one volume. RAID 3 also implements dedicated parity of data to ensure recovery if data is corrupted. Dedicated parity is stored on one disk in the RAID 3 array. Like RAID 3, RAID 4 uses data striping and dedicated parity (block writing), except data is written in blocks rather than bytes.

RAID 5 (see Figure 4-14) is similar to RAIDs 0 and 3 in that it uses distributed data and distributed parity and stripes data tracks across all disks in the RAID array. Unlike RAID 3, however, RAID 5 places parity data on each disk. If a disk in a RAID array has a data failure, the parity on other disks rebuilds the corrupt data automatically when the failed drive is replaced.

Figure 4-14 RAID 5: Block-level striping with distributed parity
In RAID 6, distributed data and distributed parity (double parity) function the same way as RAID 5, except each disk in the RAID array has redundant parity. The advantage of RAID 6 over RAID 5 is that it recovers any two disks that fail because of the additional parity stored on each disk.

RAID 10, or mirrored striping, also known as RAID 1+0, is a combination of RAID 1 and RAID 0. It provides fast access and redundancy of data storage. RAID 15, or mirrored striping with parity, also known as RAID 1+5, is a combination of RAID 1 and RAID 5. It offers the most robust data recovery capability and speed of access of all RAID configurations and is also more costly.

Acquiring RAID Disks

There’s no simple method for getting an image of a RAID server’s disks. You need to address the following concerns:

• How much data storage is needed to acquire all data for a forensics image?
• What type of RAID is used? Is it Windows RAID 0 or 1 or an integrated hardware-firmware vendor’s RAID 5, 10, or 15? Is it another unknown configuration or OS (Linux, UNIX, mainframe)?
• Do you have an acquisition tool capable of copying the data correctly?
• Can the tool read a forensically copied RAID image?
• Can the tool read split data saves of each RAID disk, and then combine all images of each disk into one RAID virtual drive for analysis?

With the larger disks now available, copying small RAID systems to one large disk is possible, similar to the way non-RAID suspect drives are copied. For example, a small server running eight 36 GB SCSI drives in a RAID 0 tower requires about a 300 GB SATA or IDE (PATA) drive. Less data storage is needed if a proprietary format acquisition is used with compression applied. All forensics analysis tools can analyze an image because they see the acquired data as one large drive, not eight separate drives. Older hardware-firmware RAID systems can be a challenge when you’re making an image.
For example, you’re making an acquisition of an older HP/Compaq ProLiant system configured as RAID 1. A software implementation of RAID 1 has two identical disks, but making an acquisition requires only one of the two disks. However, with older ProLiant systems, you must have both mirrored disks to make the acquisition. In addition, the acquisition needs to be performed on a ProLiant server. Copying only one disk from this type of system produces unexpected results because of ProLiant’s proprietary format. For an HP/Compaq ProLiant RAID 1 acquisition, Guidance Software EnCase is capable of performing a static image acquisition. The EnCase DOS program En.exe requires using a forensic MS-DOS boot floppy or CD and a network crossover cable. The network crossover cable is connected to the suspect ProLiant server and your acquisition workstation. Using EnCase with a network crossover cable is reliable but slow at copying data, even on a 100 Mbps network connection.

Several computer forensics vendors have added RAID recovery features. These vendors typically specialize in one or two types of RAID formats. The following are some vendors offering RAID acquisition functions:

• Technologies Pathways ProDiscover
• Guidance Software EnCase
• X-Ways Forensics
• Runtime Software
• R-Tools Technologies

You should know which vendor supports which RAID format and keep up to date on the latest improvements in these products. ProDiscover can acquire RAID disks at the physical level. After all disks have been acquired, a ProDiscover Group file (.pdg extension) is created, which includes instructions for how ProDiscover should load each physical disk’s image data. It also lists the paths to each physical disk’s image data if the RAID acquisition takes several storage drives. Being able to separate each physical disk into smaller save sets eliminates the need to have one large drive for storing acquired data.
Acquiring RAID data requires only similar-sized drives that match each disk in the RAID array. For example, with a RAID 0 array of three 250 GB disks, all you need are three target drives of the same size. If each acquisition is compressed, you might be able to get by with slightly smaller target drives. With ProDiscover, all you need are three 250 GB target drives to collect the image’s segmented files for each disk. This feature eliminates the need for a 750 GB drive to collect the combined data from all three 250 GB drives. EnCase and X-Ways Forensics also have similar features for RAID 0 and 5 acquisitions.

Other tools, such as Runtime Software (www.runtime.org) and R-Tools Technologies (www.r-tt.com), are designed as data recovery tools. Although not intended as forensics acquisition tools, they have unique features that can aid in recovering corrupted RAID data and can perform raw format acquisitions and repair broken RAID 0 and 5 systems. The Runtime RAID Reconstructor tool copies the original RAID to a raw format file, which must then be restored on another RAID-configured system where repairs can be performed. It also scans and corrects errors on the newly copied RAID. R-Tools R-Studio creates a virtual volume of the RAID image file. All repairs are made on the virtual volume, which can then be restored to the original RAID.

Occasionally, a RAID system is too large for a static acquisition. Under ideal circumstances, your goal is to collect a complete image of evidence drives. Because RAID systems can have dozens or more terabytes of data storage, copying all data isn’t always practical, as you would for a small desktop or laptop computer. For these occasions, retrieving only the data relevant to the investigation with the sparse or logical acquisition method is the only practical solution. When dealing with very large RAID servers, consult with the computer forensics vendor to determine how to best capture RAID data.
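The last concern in the list above, combining per-disk images into one virtual drive, is mechanical for RAID 0 once the stripe size and disk order are known. The following script is an added example, not the book’s or any vendor’s code: it stripes a constructed volume across three disk images the way RAID 0 does, rebuilds the logical volume from those images with dd, and validates the rebuild by MD5 as the validation section recommends. Stripe size, disk order, and file names are assumptions; in a real case they come from the controller configuration.

```shell
#!/bin/sh
# Added example, not from the book: rebuild the logical volume of a RAID 0 array
# from per-disk images with dd. In RAID 0, logical stripe i is stored on disk
# (i mod N) at stripe slot (i div N), so the rebuild reads slot 0 from every disk
# in order, then slot 1, and so on. A wrong stripe size or disk order produces a
# volume that hashes differently from the original and mounts as garbage.

set -eu

# Constructed stand-in for the original array: stripe a volume file across N
# disk images named disk0.img .. disk(N-1).img so the rebuild can be checked.
make_striped_array() {
    dir="$1"; volume="$2"; ndisks="$3"; stripe="$4"
    nstripes=$(( $(wc -c < "$volume") / stripe ))
    i=0
    while [ "$i" -lt "$nstripes" ]; do
        disk=$((i % ndisks)); slot=$((i / ndisks))
        dd if="$volume" of="$dir/disk$disk.img" bs="$stripe" \
           skip="$i" seek="$slot" count=1 conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# Reassemble the volume: for each slot, append that slot from disk 0, 1, ..., N-1.
rebuild_raid0() {
    dir="$1"; ndisks="$2"; stripe="$3"; out="$4"
    : > "$out"
    slots=$(( $(wc -c < "$dir/disk0.img") / stripe ))
    slot=0
    while [ "$slot" -lt "$slots" ]; do
        disk=0
        while [ "$disk" -lt "$ndisks" ]; do
            dd if="$dir/disk$disk.img" bs="$stripe" skip="$slot" count=1 \
               2>/dev/null >> "$out"
            disk=$((disk + 1))
        done
        slot=$((slot + 1))
    done
}

# Validation as in the previous section: the rebuilt volume must hash the same
# as the original. Returns 0 when the two MD5 values are identical.
same_md5() {
    [ "$(md5sum < "$1" | cut -d' ' -f1)" = "$(md5sum < "$2" | cut -d' ' -f1)" ]
}

# Demo: 24 stripes of 4 KiB spread over three disks, then rebuilt and checked.
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/volume.img" bs=4096 count=24 2>/dev/null
make_striped_array "$demo" "$demo/volume.img" 3 4096
rebuild_raid0 "$demo" 3 4096 "$demo/rebuilt.img"
if same_md5 "$demo/volume.img" "$demo/rebuilt.img"; then
    echo "rebuilt RAID 0 volume matches the original"
else
    echo "mismatch: check stripe size and disk order"
fi
rm -rf "$demo"
```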
Using Remote Network Acquisition Tools

Recent improvements in computer forensics tools include the capability to acquire disk data or data fragments (sparse or logical) remotely. With this feature, you can connect to a suspect computer remotely via a network connection and copy data from it. Remote acquisition tools vary in configurations and capabilities. Some require manual intervention on remote suspect computers to initiate the data copy. Others can acquire data surreptitiously through an encrypted link by pushing a remote access program to the suspect’s computer.

From an investigation perspective, being able to connect to a suspect’s computer remotely to perform an acquisition has tremendous appeal. It saves time because you don’t have to go to a suspect’s computer, and it minimizes the chances of a suspect discovering that an investigation is taking place. Most remote acquisitions have to be done as live acquisitions, not static acquisitions.

There are some drawbacks to consider, however. For example, if you have access to the same LAN as the suspect’s computer, data transfer speeds and routing table conflicts could cause problems. On a WAN, you have the problem of gaining the permissions needed to access more secure subnets. In addition, heavy traffic on the network could cause delays and errors during the acquisition, no matter what tool you’re using. Another problem is the remote access program being detected by antivirus, antispyware, and firewall tools. Most of these security programs can be configured to ignore remote access programs. However, if suspects have administrator rights on their computers, they could easily install their own security tools that trigger an alarm to notify them of remote access intrusions.

The following section describes how to perform remote acquisitions in ProDiscover. Chapter 11 covers other resources for data copying and explains how to perform a live forensics acquisition.
Remote Acquisition with ProDiscover

Two versions of ProDiscover can perform remote acquisitions: ProDiscover Investigator and ProDiscover Incident Response. When connected to a remote computer, both tools use the same ProDiscover acquisition method described previously. After the connection is established, the remote computer is displayed in the Capture Image dialog box.

ProDiscover Investigator is designed to capture data from a suspect’s computer while the user is operating it, which is a live acquisition. Being able to connect to a suspect’s computer directly allows the following capabilities:

• Preview a suspect’s drive remotely while it’s in use or powered on.
• Perform a live acquisition (also called a “smear” because with an active computer, disk data is being altered) while the suspect’s computer is powered on.
• Encrypt the connection between the suspect’s and examiner’s computers.
• Copy the suspect computer’s RAM while the computer is powered on.
• Use the optional stealth mode to hide the remote connection from the suspect while data is previewed or acquired.

ProDiscover Incident Response is designed to be integrated as a network intrusion analysis tool. It offers all the functions and features of other tools in the ProDiscover suite plus the following:

• Capture volatile system state information.
• Analyze current running processes on a remote system.
• Locate unseen files and processes on a remote system that might be running malware or spyware.
• Remotely view and listen to IP ports on a compromised system.
• Run hash comparisons on a remote system to search for known Trojans and rootkits.
• Create a hash inventory of all files on a system remotely (a negative hash search capability) to establish a baseline if it gets attacked.
The ProDiscover utility for remote access is the PDServer remote agent, which must be loaded on the suspect computer before ProDiscover Investigator or ProDiscover Incident Response can access it. This remote agent can be installed in three different ways:

• Trusted CD—For this manual installation method, ProDiscover can create a special CD containing the PDServer remote agent. This CD is used to load PDServer manually on the suspect computer.
• Preinstallation—For networks with a configured OS, PDServer remote agent can be added to the standard installation of high-risk computers, which enables network security administrators to respond to network attacks and malware contaminations quickly. Any network management tool, such as Dameware (www.dameware.com) or Hyena (www.systemtools.com/hyena/), can be used to initiate a connection with ProDiscover. This is a remote method of installing the remote acquisition tool.
• Pushing out and running remotely—Downloading PDServer to a remote computer helps investigators respond quickly to incidents. Data is collected in real time when using this function. This is a remote method of installing the remote acquisition tool.

With both remote methods of installing PDServer, you have the option of running it in a stealth mode to hide it from the suspect. Note that Windows Task Manager lists the process as PDServer. To disguise it, you can change the process name so that it appears to be an OS function in the suspect computer’s Task Manager. In addition, the following security features are available for remote connections:

• Password Protection—PDServer on the target computer is password-protected, and the password is encrypted at all times.
• Encryption—All communication between PDServer on the suspect’s and investigator’s computers can be encrypted. ProDiscover provides 256-bit Advanced Encryption Standard (AES) or Twofish encryption for the connection.
• Secure Communication Protocol—All connections between the suspect’s and examiner’s computers have globally unique identifiers (GUIDs) to prevent inserting packets in the data stream.
• Write Protected Trusted Binaries—PDServer can run from a write-protected device, such as a CD.
• Digital Signatures—PDServer and its removal device driver, PARemoval.sys, are digitally signed to verify that they haven’t been tampered with before and during the remote connection.

For more information on PDServer, see www.techpathways.com.

Remote Acquisition with EnCase Enterprise

Guidance Software was the first computer forensics vendor to develop a remote acquisition and analysis tool based on its desktop tool EnCase. This remote tool, EnCase Enterprise, comes with several capabilities. The following are some of its remote acquisition features:

• Remote data acquisition of a computer’s media and RAM data
• Integration with intrusion detection system (IDS) tools that copy evidence of intrusions to an investigation workstation automatically for further analysis over the network
• Options to create an image of data from one or more systems
• Preview of systems to determine whether future actions, such as an acquisition, are needed
• A wide range of file system formats, such as NTFS, FAT, Ext2/3, Reiser, Solaris UFS, AIX Journaling File System (JFS), LVM8, FFS, Palm, Macintosh HFS/HFS+, CDFS, ISO 9660, UDF, DVD, and more
• RAID support for both hardware and software

EnCase Enterprise is set up with an Examiner workstation and a Secure Authentication for EnCase (SAFE) workstation. Acquisition and analysis are conducted on the Examiner workstation. The SAFE workstation provides secure encrypted authentication for the Examiner workstation and the suspect’s system. The remote access program in EnCase Enterprise is Servlet, a passive utility installed on the suspect computer. Servlet connects the suspect computer to the Examiner and SAFE workstations.
A unique feature is that Servlet can run in stealth mode on the suspect computer. For more information on EnCase Enterprise, see www.guidancesoftware.com/downloads/Review_Security_Schema.pdf.

Remote Acquisition with R-Tools R-Studio

The R-Tools suite of software is designed for data recovery. As part of this recovery capability, the R-Studio network edition can remotely access networked computer systems. Its remote connection uses Triple Data Encryption Standard (3DES) encryption. Data acquired with the R-Studio network edition is written as a raw format acquisition, and the tool is capable of recovering the following file systems:

• FAT12, FAT16, FAT32
• NTFS, NTFS5
• Ext2FS, Ext3FS
• UFS1, UFS2

For more information on R-Studio, see www.r-tt.com.

Remote Acquisition with WetStone LiveWire

LiveWire, part of a suite of tools developed by WetStone, can connect to a networked computer remotely and perform a live acquisition of all drives connected to it. LiveWire’s acquisition file format is raw (.dd). In addition to being able to copy disk data, LiveWire can capture RAM data from remote systems. You can find more information on LiveWire at www.wetstonetech.com/cgi-bin/shop.cgi?view,14.

Remote Acquisition with F-Response

F-Response (www.f-response.com) is a vendor-neutral specialty remote access utility designed to work with any computer forensics program. When installed on a remote computer, it sets up a secure read-only connection that allows the computer forensics examiner to access it. With F-Response, examiners can access remote drives at the physical level and view raw data. After the F-Response connection has been set up, any computer forensics acquisition tool can be used to collect digital evidence. F-Response is sold in three different versions: Field Kit Edition, Consultant Edition, and Enterprise Edition. The Consultant and Enterprise editions allow accessing remote systems over longer distances.
Remote Acquisition with Runtime Software

Runtime Software offers several compact shareware programs for data recovery. For remote acquisitions, Runtime has created these utilities:

• DiskExplorer for FAT
• DiskExplorer for NTFS
• HDHOST

Runtime has designed its tools to be file system specific, so DiskExplorer versions for both FAT and NTFS are available. These tools offer the following features for acquisition needs:

• Create a raw format image file.
• Segment the raw format or compressed image for archiving purposes.
• Access network computers’ drives.

HDHOST is a remote access program that allows communication between two computers. The connection is established between systems by using the DiskExplorer program corresponding to the suspect (remote) computer’s drives. There are two types of connections in HDHOST. The first is between two computers using serial (RS232) ports and a null-modem cable. The second is with a NIC using TCP/IP with a standard network connection through a hub, router, or crossover network cable between the two computers. In Chapter 9, you learn how to use Runtime’s DiskExplorer and HDHOST utilities to make a remote acquisition.

Using Other Forensics Acquisition Tools

In addition to ProDiscover, FTK Imager, and X-Ways Forensics, you can use other commercial acquisition tools, described in the following sections. Prices for some tools are discounted for law enforcement officers working in computer forensics, and two tools are freeware.

SnapBack DatArrest

SnapBack DatArrest (www.intersys-group.com/snapback/datarrest_overview.htm) from Columbia Data Products is an older forensics acquisition program that runs from a true MS-DOS boot floppy disk. It can make an image of an evidence drive in three ways: disk to SCSI drive (magnetic tape or Jaz disk), disk to network drive, and disk to disk. Each method is a separate program that fits on a forensic boot floppy disk.
SnapBack DatArrest provides network drivers so that you can boot from a forensic boot floppy disk and access a remote network server’s drive. You can then save an image file directly to a remote network server’s drive or restore image files created on a network drive or removable media to a new target drive for follow-up examination and analysis.

NTI SafeBack

SafeBack, another reliable MS-DOS acquisition tool, is small enough to fit on a forensic boot floppy disk. It performs an SHA-256 calculation for each sector copied to ensure data integrity. During the acquisition, SafeBack creates a log file of all transactions it performs. The log file includes a comment field where you can identify the investigation and data you collect. SafeBack does the following:

• Creates image files
• Copies from a suspect drive to an image on a tape drive
• Copies from a suspect drive to a target drive (disk-to-disk copy), adjusting the target drive’s geometry to match the suspect drive
• Copies from a suspect drive to a target drive by using a parallel port laplink cable
• Copies a partition to an image file
• Compresses image files to reduce the number of volume segments

AccessData FTK and ILook can read SafeBack version 2 and older image files. For more information on SafeBack, see www.forensics-intl.com/safeback.html.

DIBS USA RAID

DIBS USA has developed the Rapid Action Imaging Device (RAID) to make forensically sound disk copies. (Despite the acronym, the device is unrelated to the redundant array of independent disks described in the Key Terms.) DIBS USA RAID is a portable computer system designed to make disk-to-disk images. The copied disk can then be attached to a write-blocker device connected to a forensic workstation for analysis. For more information on RAID, see www.dibsusa.com/products/raid.asp.

ILook Investigator IXimager

IXimager runs from a bootable floppy disk or CD. It’s a standalone proprietary format acquisition tool designed to work only with ILook Investigator. It can acquire single drives and RAID drives.
It supports IDE (PATA), SCSI, USB, and FireWire devices. The IXimager proprietary format can be converted to a raw format if other analysis tools are used. IXimager has three format options:

• IDIF—A compressed format
• IRBF—A raw format
• IEIF—An encrypted format for added security

For more information on IXimager, see www.perlustro.com.

ASRData SMART

ASRData SMART is a Linux forensics analysis tool that can make image files of a suspect drive. SMART can produce proprietary or raw format images and includes the following capabilities:

• Robust data reading of bad sectors on drives
• Mounting suspect drives in write-protected mode
• Mounting target drives, including NTFS drives, in read/write mode
• Optional compression schemes to speed up acquisition or reduce the amount of storage needed for acquired digital evidence

For more information on SMART, see www.asrdata.com.

Australian Department of Defence PyFlag

The Australian Department of Defence created the PyFlag tool. Intended as a network forensics analysis tool, PyFlag can create proprietary format Expert Witness image files and uses sgzip and gzip in Linux. For more information, see www.pyflag.net.

Chapter Summary

■ Forensics data acquisitions are stored in three different formats: raw, proprietary, and AFF. Most proprietary formats and AFF store metadata about the acquired data in the image file.
■ The four methods of acquiring data for forensics analysis are disk-to-image file, disk-to-disk copy, logical disk-to-disk or disk-to-data file, and sparse data copy of a folder or file.
■ Large disks might require using tape backup devices. With enough tapes, any size drive or RAID drive can be backed up. Tape backups run more slowly but are a reliable method for forensics acquisitions.
■ Lossless compression for forensics acquisitions doesn’t alter the data when it’s restored, unlike lossy compression. Lossless compression can compress up to 50% for most data.
If data is already compressed on a drive, lossless compression might not save much more space.
■ If there are time restrictions or too much data to acquire from large drives or RAID drives, a logical or sparse acquisition might be necessary. Consult with your lead attorney or supervisor first to let them know that collecting all the data might not be possible.
■ You should have a contingency plan to ensure that you have a forensically sound acquisition, and make two acquisitions if you have enough data storage. The first acquisition should be compressed, and the second should be uncompressed. If one acquisition becomes corrupt, the other one is available for analysis.
■ Write-blocking devices or utilities must be used with GUI acquisition tools in both Windows and Linux. Practice with a test drive rather than a suspect drive, and use a hashing tool on the test drive to verify that no data was altered.
■ Always validate your acquisition with built-in tools from a forensics acquisition program, a hexadecimal editor with MD5 or SHA-1 hashing functions, or the Linux md5sum or sha1sum commands. (MD5 and SHA-1 are no longer collision resistant; where your tools allow, record a SHA-256 value alongside them, as SafeBack does per sector.)
■ A Linux Live CD provides many useful tools for computer forensics acquisitions.
■ The preferred Linux acquisition tool is dcfldd instead of dd because it was designed for forensics acquisition. Always validate the acquisition with the hashing features of dcfldd and md5sum or sha1sum.
■ When using the Linux dd or dcfldd commands, remember that reversing the output field (of=) and input field (if=) of suspect and target drives could write data to the wrong drive, thus destroying your evidence. If available, you should always use a physical write-blocker device for acquisitions.
■ To acquire RAID disks, you need to determine the type of RAID and then which acquisition tool to use. With a firmware-hardware RAID, acquiring data directly from the RAID server might be necessary.
■ Remote network acquisition tools require installing a remote agent on the suspect’s computer.
The remote agent can be detected if suspects install their own security programs, such as a firewall.

Key Terms

Advanced Forensic Format (AFF) A new data acquisition format developed by Simson L. Garfinkel and Basis Technology. This open and extensible format stores image data and metadata. File extensions include .afd for segmented image files and .afm for AFF metadata.

live acquisitions A data acquisition method used when a suspect computer can’t be shut down to perform a static acquisition. Data is collected from the local computer or over a remote network connection. The captured data might be altered during the acquisition because it’s not write-protected. Live acquisitions aren’t repeatable because data is continually being altered by the suspect computer’s OS.

logical acquisition This data acquisition method captures only specific files of interest to the case or specific types of files, such as Outlook PST files. See also sparse acquisition.

raw format A data acquisition format that creates simple sequential flat files of a suspect drive or data set.

redundant array of independent disks (RAID) Two or more disks combined into one large drive in several configurations for special needs. Some RAID systems are designed for redundancy to ensure continuous operations if one disk fails. Another configuration spreads data across several disks to improve access speeds for reads and writes.

sparse acquisition Like logical acquisitions, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data. See also logical acquisition.

static acquisitions A data acquisition method used when a suspect drive is write-protected and can’t be altered. If disk evidence is preserved correctly, static acquisitions are repeatable.

whole disk encryption An encryption technique that performs a sector-by-sector encryption of an entire drive.
Each sector is encrypted in its entirety, making it unreadable when copied with a static acquisition method.

Review Questions

1. What is the primary goal of a static acquisition?
2. Name the three formats for computer forensics data acquisitions.
3. What are two advantages and disadvantages of the raw format?
4. List two features common with proprietary format acquisition files.
5. Of all the proprietary formats, which one is the unofficial standard?
6. Name two commercial tools that can make a forensic sector-by-sector copy of a drive to a larger drive.
7. What does a logical acquisition collect for an investigation?
8. What does a sparse acquisition collect for an investigation?
9. What should you consider when determining which data acquisition method to use?
10. What is the advantage of using a tape backup system for forensic acquisitions of large data sets?
11. When is a standard data backup tool, such as Norton Ghost, used for a computing investigation?
12. Why is it a good practice to make two images of a suspect drive in a critical investigation?
13. When you perform an acquisition at a remote location, what should you consider to prepare for this task?
14. What is the disadvantage of using the Windows XP/Vista USB write-protection Registry method?
15. With newer Linux kernel distributions, what happens if you connect a hot-swappable device, such as a USB drive, containing evidence?
16. In a Linux shell, the fdisk -l command lists the suspect drive as /dev/hda1. Is the following dcfldd command correct? dcfldd if=image_file.img of=/dev/hda1
17. What is the most critical aspect of computer evidence?
18. What is a hashing algorithm?
19. Which hashing algorithm utilities can be run from a Linux shell prompt?
20. In the Linux dcfldd command, which three options are used for validating data?
21. What’s the maximum file size when writing data to a FAT32 drive?
22. What are two concerns when acquiring data from a RAID server?
23.
R-Studio and DiskExplorer are used primarily for computer forensics. True or False?
24. With remote acquisitions, what problems should you be aware of?
  a. Data transfer speeds
  b. Access permissions over the network
  c. Antivirus, antispyware, and firewall programs
  d. All of the above
25. How does ProDiscover Investigator encrypt the connection between the examiner’s and suspect’s computers?
26. What is the EnCase Enterprise remote access program?
27. What is the ProDiscover remote access program?
28. What is the Runtime Software utility used to acquire data over a network connection?
29. HDHOST is automatically encrypted when connected to another computer. True or False?
30. List two types of connections in HDHOST.
31. Which computer forensics tools can connect to a suspect’s remote computer and run surreptitiously?
32. EnCase, FTK, SMART, and ILook treat an image file as though it were the original disk. True or False?
33. When possible, you should make two copies of evidence. True or False?
34. FTK Imager can acquire data in a drive’s host protected area. True or False?

Hands-On Projects

If necessary, extract all data files in the Chap04\Projects folder on the book’s DVD to the Work\Chap04\Projects folder on your system. (If necessary, create this folder on your system before starting the projects.)

Hands-On Project 4-1

In this project, you learn how to restore an image file to a drive. Subsequent projects in this book require using these steps. To prepare for this project, you need the following items:

• A USB or FireWire drive that can hold at least 100 MB, or a secondary internally connected drive
• ProDiscover Basic installed on your workstation
• The GCFI-datacarve-FAT.eve data file extracted from Chap04\Projects on the book’s DVD

The first task is to transfer data from the GCFI-datacarve-FAT.eve file to the target drive. Follow these steps:

1. Boot your acquisition workstation.
2.
Connect a hot-swappable media storage device to receive the data, such as a 100+ MB USB drive, a FireWire drive, or an internally connected drive. This device is referred to as the target drive.
3. Start ProDiscover Basic, and in the main window, click Tools, Copy Disk from the menu.
4. In the Copy source disk or image to destination disk dialog box, click the Image to Disk tab.
5. Click Browse next to the Image File text box, and navigate to the location where you copied this chapter’s data files (Work\Chap04\Projects). Click the GCFI-datacarve-FAT.eve file, and then click Open.
6. In the Copy source disk or image to destination disk dialog box, click in the space under the Disk Name column at the bottom, as shown in Figure 4-15.

Figure 4-15 The Copy source disk or image to destination disk dialog box

7. Click the Disk Name list arrow, click the target drive, and then click OK.
8. In the Copy dialog box that opens, click the Write All 0’s option button (see Figure 4-16), and then click OK to start the data loading.

Figure 4-16 Selecting the writing method

9. Click OK in the completion dialog box to terminate the loading.
10. Exit ProDiscover Basic, shut down your acquisition workstation, and remove the target drive.

Hands-On Project 4-2

In this project, you make a ProDiscover image file of the data load in Hands-On Project 4-1. To prepare, you need to do the following:

• Make sure you have the suspect drive containing the data load from Hands-On Project 4-1.
• Use a hardware write-blocker or the USB write-protection Registry method for the suspect drive. (The Registry method protects only USB mass storage devices, so a FireWire or internally connected suspect drive needs the hardware write-blocker.)
• Review the steps in “Using ProDiscover’s Raw Acquisition Format” for creating an image file.
• Verify that you have enough free space on your computer’s internal drive to receive the image file (about 120 MB).

To make this acquisition on a USB or FireWire drive using the USB write-protection Registry method, follow these steps:

1. Turn on your acquisition workstation, if necessary.
2.
Double-click the Write Protect USB ON icon on your desktop to protect the suspect drive. If necessary, click Yes and then OK in the two confirmation dialog boxes that follow.
3. Connect the suspect drive to the USB or FireWire cable, and then connect the cable to your acquisition workstation.
4. Start ProDiscover Basic. Follow the steps in this chapter for making a raw format acquisition in ProDiscover, making sure you click UNIX style dd in the Image Format drop-down list box. Then click OK in the Capture Image dialog box.
5. When the acquisition is finished, exit ProDiscover. Dismount the USB or FireWire device, remove the suspect drive, and secure it as evidence.
6. Next, click the Write Protect USB OFF icon on your desktop, and then shut down the acquisition workstation.

To make this acquisition on an internally connected drive, follow these steps:

1. Use a write-blocking hardware device to protect the suspect drive.
2. Turn on your acquisition workstation.
3. Start ProDiscover. Follow the steps in this chapter for making a raw format acquisition, making sure you click UNIX style dd in the Image Format drop-down list box. Then click OK in the Capture Image dialog box.
4. When the acquisition is finished, exit ProDiscover. Shut down the acquisition workstation, remove the suspect drive, and secure it as evidence.

Hands-On Project 4-3

In this project, you prepare a drive and create a FAT32 disk partition using Linux. You need the following:

• A Linux distribution or Linux Live CD
• A disk drive
• A method of connecting a disk drive to your workstation, such as USB, FireWire, external SATA, or internal connections, such as PATA or SATA
• A review of the steps in the “Preparing a Target Drive for Acquisition in Linux” section

To format a drive as FAT32 in Linux, follow these steps:

1. Connect the target drive to be partitioned and formatted as FAT32 to your workstation.
2. Start your workstation, and log on to Linux or boot the Linux Live CD.
3.
Follow the steps in the “Preparing a Target Disk for Acquisition in Linux” section.
4. When you’re done formatting the target drive, leave it connected for the next project.

Hands-On Project 4-4

In this project, you learn how to use the Linux dd command to make an acquisition split into 30 MB segmented volumes. Then you validate the data by using the Linux md5sum command on the original drive and the image files. The output of md5sum is then redirected to a data file kept with the image files. For this project, you need the following:

• A Linux distribution or Linux Live CD
• The FAT32 drive partitioned and formatted in Hands-On Project 4-3
• A method of connecting the FAT32 drive and the drive created in Hands-On Project 4-1 to your workstation, such as USB, FireWire, external SATA, or internal connections, such as PATA or SATA
• A review of the “Acquiring Data with dd in Linux” and “Validating dd Acquired Data” sections

Follow these steps:

1. Make sure you’ve connected the drive you prepared in Hands-On Project 4-3 to your Linux workstation.
2. Start your workstation, if necessary, and log on to Linux or boot the Linux Live CD.
3. Perform the dd acquisition, following the steps in “Acquiring Data with dd in Linux.” For the split -b command, make the segmented size 30m, and use the -d switch to create numeric extensions for each segmented file.
4. When the acquisition is done, perform a validation of the suspect drive and the acquired image files. Follow the steps in the “Validating dd Acquired Data” section. When you’re finished, close the shell window, and log off Linux.

Case Projects

Case Project 4-1

Your supervisor has asked you to research current acquisition tools.
Using your preferred Internet search engine and the vendors listed in this chapter, prepare a report containing the following information for each tool and stating which tool you would prefer to use:

• Computer forensics vendor name
• Acquisition tool name and latest version number
• Features of the vendor’s product

With this data collected, prepare a spreadsheet listing vendors in the rows. For the column headings, list the following features:

• Raw format
• Proprietary format
• AFF format
• Other proprietary formats the tool can read
• Compression of image files
• Remote network acquisition capabilities
• Method used to validate (MD5, SHA-1, and so on)

Case Project 4-2

At a murder scene, you have started making an image of a computer’s drive. You’re in the back bedroom of the house, and a small fire has started in the kitchen. If the fire can’t be extinguished, you have only a few minutes to acquire data from a 10 GB hard disk. Write one to two pages outlining your options for preserving the data.

Case Project 4-3

You need to acquire an image of a disk on a computer that can’t be removed from the scene, and you discover that it’s a Linux computer. What are your options for acquiring the image? Write a brief paper specifying the hardware and software you would use.

Case Project 4-4

A bank has hired your firm to investigate employee fraud. The bank uses four 20 TB servers on a LAN. You are permitted to talk to the network administrator, who is familiar with where the data is stored. What diplomatic strategies should you use? Which acquisition method should you use? Write a two-page report outlining the problems you expect to encounter, explaining how to rectify them, and describing your solution. Be sure to address any customer privacy issues.

Case Project 4-5

You’re investigating a case involving a 2 GB drive that you need to copy at the scene. Write one to two pages describing three options you have to copy the drive accurately.
Be sure to include your software and media choices.

Chapter 5
Processing Crime and Incident Scenes

After reading this chapter and completing the exercises, you will be able to:

• Explain the rules for controlling digital evidence
• Describe how to collect evidence at private-sector incident scenes
• Explain guidelines for processing law enforcement crime scenes
• List the steps in preparing for an evidence search
• Describe how to secure a computer incident or crime scene
• Explain guidelines for seizing digital evidence at the scene
• List procedures for storing digital evidence
• Explain how to obtain a digital hash
• Review a case to identify requirements and plan your investigation

In this chapter, you learn how to process a computer investigation scene. Because this chapter focuses on investigation needs for computing systems, you should supplement your training by studying police science or U.S. Department of Justice (DOJ) procedures to understand field-of-evidence recovery tasks. If you’re in another country, be aware of laws relating to privacy, searches, and the rules of evidence for your region and consult your local authorities. Evidence rules are critical, whether you’re on a corporate or a criminal case. As you’ll see, a civil case can quickly become a criminal case, and a criminal case can have civil implications larger than the criminal case. This chapter examines rules of evidence in the United States, but similar procedures apply in most courts worldwide.

This chapter also describes differences between a business (private entity) and a law enforcement organization (public entity) in needs and concerns and discusses incident-scene processing for both types of investigations. Private-sector security officers often begin investigating corporate computer crimes and then coordinate with law enforcement as they complete the investigation.
Law enforcement investigators should, therefore, know how to process and manage incident scenes. Because public agencies usually don’t have the funding to train officers continuously in technology advances, they must learn to work with private-sector investigators, whose employers can often afford to maintain their investigators’ computing skills.

This chapter also discusses how the Fourth Amendment relates to corporate and law enforcement computing investigations in the United States. Many countries have similar statutes or charters. As the world becomes more global or “flat” in nature, you need to be aware of how laws are interpreted in other countries. As more countries establish e-laws and more cases go to court, the laws must be applied consistently. Cases of fraud and money laundering are becoming more of a global or an international issue, and crimes against consumers can originate from anywhere in the world. Computers and digital evidence seized in one U.S. jurisdiction might affect a case that’s worldwide in scope.

To address these issues, this chapter explains how to apply standard crime scene practices and rules for handling evidence to corporate and law enforcement computing investigations. You must handle digital evidence systematically so that you don’t inadvertently alter or lose data. In addition, you should apply the same security controls to evidence for a civil lawsuit as evidence for a major crime. The same rules of evidence govern civil and criminal cases. These rules are similar in English-speaking countries because they have a common ancestor in English common law (judge-made law), dating back to the late Middle Ages.

Identifying Digital Evidence

Digital evidence can be any information stored or transmitted in digital form. Because you can’t see or touch digital data directly, it’s difficult to explain and describe. Is digital evidence real or virtual?
Does data on a disk or other storage medium physically exist, or does it merely represent real information? U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil incident. Courts in other countries are still updating their laws to take digital evidence into account. Some require that all digital evidence be printed out to be presented in court.

Groups such as the Scientific Working Group on Digital Evidence (SWGDE; www.swgde.org) and the International Organization on Computer Evidence (IOCE; www.ioce.org) set standards for recovering, preserving, and examining digital evidence. For more information on digital evidence, visit www.ojp.usdoj.gov/nij/pubs-sum/187736.htm and read “Electronic Crime Scene Investigation: A Guide for First Responders,” which provides guidelines for U.S. law enforcement and other responders who protect an electronic crime scene and search for, collect, and preserve electronic evidence.

Following are the general tasks investigators perform when working with digital evidence:

• Identify digital information or artifacts that can be used as evidence.
• Collect, preserve, and document evidence.
• Analyze, identify, and organize evidence.
• Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

Collecting computers and processing a criminal or incident scene must be done systematically. To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person should collect and catalog digital evidence at a crime scene or lab, if practical.
If there’s too much evidence or too many systems to make it practical for one person to perform these tasks, all examiners must follow the same established operating procedures, and a lead or managing examiner should control collecting and cataloging evidence. You should also use standardized forms (discussed later in “Documenting Evidence”) for tracking evidence to ensure that you consistently handle evidence in a safe, secure manner.

An important challenge investigators face today is establishing recognized standards for digital evidence. For example, cases involving several police raids are being conducted simultaneously in several countries. As a result, you have multiple sites where evidence was seized and hundreds of pieces of digital evidence, including hard drives, cell phones, memory sticks, PDAs, and other storage devices. If law enforcement and civil organizations in those countries have agreed on proper procedures (generally, the highest control standard should be applied to evidence collection in all jurisdictions), the evidence can be presented in any jurisdiction confidently.

Understanding Rules of Evidence

Consistent practices help verify your work and enhance your credibility, so you must handle all evidence consistently. Apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime to comply with your state’s rules of evidence or with the Federal Rules of Evidence. Also, keep in mind that evidence admitted in a criminal case might also be used in a civil suit, and vice versa. For example, suppose someone is charged with murder and acquitted at the criminal trial because the jury isn’t convinced beyond a reasonable doubt of the person’s guilt. If enough evidence shows that the accused’s negligence contributed to a wrongful death, however, the victim’s relatives can use the evidence in a civil lawsuit to recover damages. You can review the Federal Rules of Evidence at www.law.cornell.edu/rules/fre/.
As part of your professional growth, keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence. The following sections discuss some key concepts of digital evidence. You can find additional information at the U.S. Department of Justice Web site (www.usdoj.gov) and by searching the Internet for “digital evidence,” “best evidence rule,” “hearsay,” and other relevant keywords. Consult with your prosecuting attorney, Crown attorney, corporate general counsel, or the attorney who retained you to learn more about managing evidence for your investigation.

In Chapter 2, you learned how to make an image of a disk as part of gathering digital evidence. The data you discover from a forensic examination falls under your state’s rules of evidence or the Federal Rules of Evidence. However, digital evidence is unlike other physical evidence because it can be changed more easily. The only way to detect these changes is to compare the original data with a duplicate. Furthermore, distinguishing a duplicate from the original electronically is impossible, so digital evidence requires special legal consideration.

Most courts have interpreted computer records as hearsay evidence. The rule against hearsay evidence is deceptively simple and full of exceptions. Hearsay is any out-of-court statement presented in court to prove the truth of an assertion. In other words, hearsay is evidence of a statement made other than by a witness while testifying at the hearing and is offered to prove the truth of a statement. The definition of hearsay isn’t difficult to understand, but it can become confusing when considering all the exceptions to the general rule against hearsay. Twenty-four exceptions in the federal rules don’t require proof that the person who made the statement is unavailable. The following are the ones most applicable to computer forensics practice:

• Business records, including those of a public agency.
• Certain public records and reports. • Evidence of the absence of a business record or entry. • Learned treatises used to question an expert witness. • Statements of the absence of a public record or entry. • The catchall rule, which doesn’t require that the declarant be unavailable to testify. It does say that evidence of a hearsay statement not included in one of the other exceptions can be admitted if it meets the following conditions: • It has sound guarantees of trustworthiness. • It is offered to help prove a material fact. • It is more probative than other equivalent and reasonably obtainable evidence. • Its admission would forward the cause of justice. • The other parties have been notified that it will be offered into evidence. The business-record exception, for example, allows “records of regularly conducted activity,” such as business memos, reports, records, or data compilations. Business records are authenticated by verifying that they were created “at or near the time by, or from information transmitted by, a person with knowledge …” and are admissible “if the record was kept in the course of a regularly conducted business activity, and it was the regular practice of that business activity to make the record” (Federal Rules of Evidence, 803(6); see Section V, Identifying Digital Evidence 153 “Evidence,” in Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm). Generally, computer records are considered admissible if they qualify as a business record. Computer records are usually divided into computer-generated records and computer-stored records. Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates. 
Computer-stored records, however, are electronic data that a person creates and saves on a computer, such as a spreadsheet or word processing document. Some records combine computer-generated and computer-stored evidence, such as a spreadsheet containing mathematical operations (computer-generated records) generated from a person’s input (computer-stored records).

Computer records must also be shown to be authentic and trustworthy to be admitted into evidence. Computer-generated records are considered authentic if the program that created the output is functioning correctly. These records are usually considered exceptions to the hearsay rule. For computer-stored records to be admitted into court, they must also satisfy an exception to the hearsay rule, usually the business-record exception, so they must be authentic records of regularly conducted business activity. To show that computer-stored records are authentic, the person offering the records (the “offeror”—the plaintiff, or defense) must demonstrate that a person created the data and the data is reliable and trustworthy—in other words, that it wasn’t altered when it was acquired or afterward. Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic, as does using established computer forensics software tools.

Courts have consistently ruled that computer forensics investigators don’t have to be subject matter experts on the tools they use. In United States v. Salgado (250 F.3d 438, 453, 6th Cir., 2001), the court stated, “It is not necessary that the computer programmer testify in order to authenticate computer-generated records.” In other words, the witness must have firsthand knowledge only of facts relevant to the case. If you have to testify about your role in acquiring, preserving, and analyzing evidence, you don’t have to know the inner workings of the tools you use, but you should understand their purpose and operation. For example, Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) tools use complex algorithms. During a cross-examination, an opposing attorney might ask you to describe how these forensics tools work. You can safely testify that you don’t know how the MD5 hashing algorithm works, but you should know how to describe the steps for using the MD5 function in AccessData Forensic Toolkit, for instance.

When attorneys challenge digital evidence, often they raise the issue of whether computer-generated records were altered or damaged after they were created. Attorneys might also question the authenticity of computer-generated records by challenging the program that created them. To date, courts have been skeptical of unsupported claims about digital evidence. Asserting that the data changed without specific evidence is not sufficient grounds to discredit the digital evidence’s authenticity. Most federal courts that evaluate digital evidence from computer-generated records assume that the records contain hearsay. Federal courts then apply the business-records exception to hearsay as it applies to digital evidence.

As mentioned, one test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records. Establishing who created digital evidence can be difficult, however, because records recovered from slack space or unallocated disk space usually don’t identify the author. The same is true for other records, such as anonymous e-mail messages or text messages from instant-messaging programs. To establish authorship of digital evidence in these cases, attorneys can use circumstantial evidence, which requires finding other clues associated with the suspect’s computer or location.
The circumstantial evidence might be that the computer has a password consistent with the password the suspect used on other systems, a witness saw the suspect at the computer at the time the offense occurred, or additional trace evidence associates the suspect with the computer at the time of the incident. In a recent case, the attorney chose not to use the digital evidence because although it could be proved that a particular camera was used to create the suspect’s movies, CDs, and DVDs, there was no way to prove that the suspect was the person using the camera. Therefore, there was no circumstantial or corroborating evidence to prove that the suspect was guilty.

Although some files might not contain the author’s name, in the arrest of the BTK strangler, the author of a Microsoft Word document was identified by using file metadata. In February 2005, the man claiming to be the BTK strangler sent a floppy disk to FOX News in Wichita. The police he had been taunting told him that they wouldn’t be able to trace him via the floppy disk. Forensics analysis of the disk came back with the name of the church and a user named Dennis, who turned out to be Dennis Rader, president of the congregation. The police had enough physical evidence to link him to the crimes. They arrested him, and he confessed to the murders of 10 people over the course of 30 years. He was sentenced to nine life terms. (For the full story, visit the TruTV Web site at www.crimelibrary.com/serial_killers/unsolved/btk/index_1.html.)

The following activity shows an easy way to identify this file metadata. Follow these steps in the demo version of AccessData Forensic Toolkit:

These steps are designed for FTK Demo, which has been provided on this book’s DVD. If you haven’t installed it, do so now. In addition, create a Work\Chap05\Chapter work folder on your system. Then extract all compressed files from the Chap05 folder on the book’s DVD to your work folder. The work folder path shown in screenshots might differ slightly from yours.

1. Start Microsoft Word, and in a new document, type By creating a file, you can identify the author with file metadata. Save it in your work folder as InChp05-01.doc, and then exit Microsoft Word.
2. To start FTK, click Start, point to All Programs, point to AccessData, point to Forensic Toolkit, and click Forensic Toolkit. If you’re prompted with a warning dialog box and/or notification, click OK to continue, and click OK, if necessary, in the message box thanking you for evaluating the program.
3. Click Go directly to working in program, and then click OK. Click File, Add Evidence from the menu.
4. In the Add Evidence dialog box, enter your name as the investigator, and then click Next. In the Evidence Processing Options dialog box, accept the default setting, and then click Next.
5. In the main Add Evidence to Case dialog box, click the Add Evidence button. In the next Add Evidence to Case dialog box, click the Individual File option button, and then click Continue.
6. In the Browse for Folder dialog box, navigate to your work folder, click InChp05-01.doc, click Open, and then click OK. Click Next, and then click Finish.
7. In the main window, click the Overview tab, if necessary. Under the File Category heading, click the Documents button. Click to select the InChp05-01.doc file in the bottom pane; its contents are then displayed in the upper-right pane. Figure 5-1 shows an example (although the filename in this figure is different).

Figure 5-1 Selecting a document

8. On the File List toolbar at the upper right, click the View files in native format button, if the button isn’t already selected. (Hint: Hover your mouse over buttons to see their names displayed.)
9. Next, click the View files in filtered text format button. If you entered your username and organization when you installed Word, that information is displayed (see Figure 5-2).
10. Exit FTK, clicking No if prompted to back up your work.

In addition to revealing the author, computer-stored records must be proved authentic, which is the most difficult requirement to prove when you’re trying to qualify evidence as an exception to the hearsay rule. The process of establishing digital evidence’s trustworthiness originated with written documents and the best evidence rule, which states that to prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required (see Federal Rules of Evidence, 1002). In other words, the original of a document is preferred to a duplicate. The best evidence, therefore, is the document created and saved on a computer’s hard disk.

Figure 5-2 Viewing file metadata

Agents and prosecutors occasionally express concern that a printout of a computer-stored electronic file might not qualify as an original document, according to the best evidence rule. In its most fundamental form, the original file is a collection of 0s and 1s; in contrast, the printout is the result of manipulating the file through a complicated series of electronic and mechanical processes (Federal Rules of Evidence, 803(6); see Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, p. 152). To address this concern about original evidence, the Federal Rules of Evidence state: “[I]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’” Instead of producing hard disks in court, attorneys can submit printed copies of files as evidence. In contrast, some countries allow only the printed version to be presented in court, not hard disks.
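As an added example (not code from the book or from AccessData), the same author-identifying metadata that the FTK walkthrough above displays can be read directly from a Word document saved in the OOXML .docx format, where it is stored in the docProps/core.xml and docProps/app.xml parts of the zip package; the binary .doc format used in the steps keeps the equivalent fields in an OLE2 SummaryInformation stream and is not handled here. The sample document and its author and organization values are constructed for the demonstration.

```python
"""Read authorship metadata from a .docx file with the standard library only.

Added example, not from the book or from AccessData FTK. A .docx is a zip
package; the author, last editor and timestamps live in docProps/core.xml and
the organization in docProps/app.xml. The binary .doc format from the FTK
walkthrough stores the same fields in an OLE2 stream and needs another parser.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces defined by the OOXML standard for the two property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Elements that help establish who created or last touched the document.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
# Organization and producing application live in the extended-properties part.
APP_FIELDS = {
    "company": "ep:Company",
    "application": "ep:Application",
}


def _text(root, path):
    """Return the stripped text of the first matching element, or None."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def extract_docx_metadata(data):
    """Return authorship metadata from the raw bytes of a .docx file.

    Either property part may be absent (a file carved from unallocated space
    is often incomplete), so missing values are reported as None rather than
    raising; the examiner still gets whatever the package does contain.
    """
    result = {name: None for name in list(CORE_FIELDS) + list(APP_FIELDS)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for name, path in CORE_FIELDS.items():
                result[name] = _text(root, path)
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            for name, path in APP_FIELDS.items():
                result[name] = _text(root, path)
    return result


def build_sample_docx(creator, last_modified_by, company, include_app=True):
    """Build a minimal .docx in memory. Constructed sample, not real evidence."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2005-02-10T14:02:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2005-02-10T14:05:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["ep"]}">'
        '<Application>Microsoft Office Word</Application>'
        f'<Company>{company}</Company></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        if include_app:
            zf.writestr("docProps/app.xml", app)
        # The body text plays no part in the metadata; a stub keeps the
        # package shaped like a document.
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed values: a first name and an organization, the same kind of
    # clue the chapter's BTK example says FTK surfaced from a Word file.
    sample = build_sample_docx("Dennis", "Dennis", "Example Congregation")
    for key, value in extract_docx_metadata(sample).items():
        print(f"{key:18s}: {value}")
```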
In addition, the Federal Rules of Evidence, 1001(4), allow duplicates instead of originals when the duplicate is “produced by the same impression as the original … by mechanical or electronic re-recording … or by other equivalent techniques which accurately reproduce the original.” Therefore, as long as bit-stream copies of data are created and maintained properly, the copies can be admitted in court, although they aren’t considered best evidence. The copied evidence can be a reliable working copy, but it’s not considered the original.

Courts understand that the original evidence might not be available, however. For example, you could make one image of the evidence drive successfully but lose access to the original drive because it has a head crash when you attempt to make a backup image. Your first successful copy then becomes secondary evidence. The attorney must be able to explain to the judge that circumstances beyond the examiner’s control resulted in loss of the original evidence; in this case, the hard drive is no longer available to be examined or imaged. Mishaps with evidence happen routinely in all aspects of evidence recovery.

Another example of not being able to use original evidence is investigations involving network servers. Removing a server from the network to acquire evidence data could cause harm to a business or its owner, who might be an innocent bystander to a crime or civil wrong. For example, Steve Jackson Games was the innocent party in a case in which evidence of criminal activity had been stored in e-mail on company computers. The network administrator had reported evidence of a crime committed by users of the company’s bulletin board system (BBS) to the Secret Service. Secret Service agents seized all the computers at Steve Jackson Games and effectively put the company out of business. SJG sued the Secret Service, which was found liable for damages under the Privacy Protection Act and Title II of the Electronic Communications Privacy Act. For more information, see Steve Jackson Games v. United States Secret Service and United States of America (36 F.3d 457, USCA 5, 1994). In this situation, you might not have the authority to create an image or remove the original drive. Instead, make your best effort to acquire the digital evidence with a less intrusive or disruptive method. In this context, the recovered materials become the best evidence because of the circumstances.

In summary, computer-generated records, such as system logs or the results of a mathematical formula in a spreadsheet, aren’t hearsay. Computer-stored records that a person generates are subject to rules governing hearsay, however. For the evidence to qualify as a business-record exception to the hearsay rule, a person must have created the computer-stored records, and the records must be original. The Federal Rules of Evidence treat images and printouts of digital files as original evidence.

Collecting Evidence in Private-Sector Incident Scenes

Private-sector organizations include businesses and government agencies that aren’t involved in law enforcement. In the United States, these agencies must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws and make certain documents available as public records. State public disclosure laws define state public records as open and available for inspection. For example, divorces recorded in a public office, such as a courthouse, become matters of public record unless a judge orders the documents sealed. Anyone can request a copy of a public divorce decree. Figure 5-3 shows an excerpt of a public disclosure law for the state of Idaho. State public disclosure laws apply to state records, but the FOIA allows citizens to request copies of public documents created by federal agencies.
The FOIA was originally enacted in the 1960s, and several subsequent amendments have broadened its laws. Some Web sites now provide copies of publicly accessible records for a fee.

A special category of private-sector businesses includes ISPs and other communication companies. ISPs can investigate computer abuse committed by their employees, but not by customers. ISPs must preserve customer privacy, especially when dealing with e-mail. However, federal regulations related to the Homeland Security Act and the Patriot Act of 2001 have redefined how ISPs and large corporate Internet users operate and maintain their records.

Figure 5-3 Idaho public disclosure law

ISPs and other communication companies now can investigate customers’ activities that are deemed to create an emergency situation. An emergency situation under the Patriot Act is the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail message. Some provisions of those laws have been revised over the past few years, so you should stay abreast of their implications.

Investigating and controlling computer incident scenes in the corporate environment is much easier than in the criminal environment. In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated. Everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority—that is, company management. Typically, businesses have inventory databases of computer hardware and software. Having access to this database and knowing what applications are on suspected computers help identify the computer forensics tools needed to analyze a policy violation and the best way to conduct the analysis. For example, most companies use a single Web browser, such as Microsoft Internet Explorer, Mozilla Firefox, or KDE Konqueror. Knowing which browser a suspect used helps you develop standard examination procedures to identify data downloaded to the suspect’s workstation.

To investigate employees suspected of improper use of company computing assets, a corporate policy statement about misuse of computing assets allows corporate investigators to conduct covert surveillance with little or no cause and access company computer systems without a warrant, which is an advantage for corporate investigators. Law enforcement investigators cannot do the same, however, without sufficient reason for a warrant. However, if a company doesn’t display a warning banner or publish a policy stating that it reserves the right to inspect computing assets at will, employees have an expectation of privacy (as explained in Chapter 1). When an employee is being investigated, this expected privacy prevents the employer from legally conducting an intrusive investigation. A well-defined corporate policy, therefore, should state that an employer has the right to examine, inspect, or access any company-owned computing assets. If a company issues a policy statement to all employees, the employer can investigate computing assets at will without any privacy right restrictions; this practice applies in most countries.

As a standard practice, companies should use both warning banners and policy statements. For example, if an incident is escalated to a criminal complaint, prosecutors prefer showing juries warning banners rather than a policy manual. A warning banner leaves a much stronger impression on a jury. In addition to making sure a company has a policy statement or a warning banner, corporate investigators should know under what circumstances they can examine an employee’s computer. With a policy statement, an employer can freely initiate any inquiry necessary to protect the company or organization. However, every organization must also have a well-defined process describing when an investigation can be initiated. At a minimum, most corporate policies require that employers have a “reasonable suspicion” that a law or policy is being violated. For example, if a policy states that employees may not use company computers for outside business and a supervisor notices a change in work behavior that could indicate an employee is violating this rule, generally it’s enough to warrant an investigation. Note that some countries require notifying employees that they’re being investigated if they are suspected of criminal behavior at work.

If a corporate investigator finds that an employee is committing or has committed a crime, the employer can file a criminal complaint with the police. Some businesses, such as banks, have a regulatory requirement to report crimes. In the United States, the employer must turn over all evidence to the police for prosecution. If this evidence had been collected by a law enforcement officer, it would require a warrant, which would be difficult to obtain without sufficient probable cause. In “Processing Law Enforcement Crime Scenes,” you learn more about probable cause and how it applies to a criminal investigation.

Employers are usually interested in enforcing company policy, not seeking out and prosecuting employees, so typically they approve computer investigations only to identify employees who are misusing company assets. Corporate investigators are, therefore, primarily concerned with protecting company assets. Finding evidence of a criminal act during an investigation escalates the investigation from an internal civil matter to an external criminal complaint. If you discover evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law. You might have to consult with your corporate attorney to determine whether the situation is a potential crime.
Next, inform management of the incident; they might have other concerns, such as protecting confidential business data that might be included with the criminal evidence (referred to as “commingled data”). In this case, coordinate with management and the corporate attorney to determine the best way to protect commingled data. After you submit evidence containing sensitive information to the police, it becomes public record. Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge decides what to protect.

After you discover illegal activity and document and report the crime, stop your investigation to make sure you don’t violate Fourth Amendment restrictions on obtaining evidence. If the information you supply is specific enough to meet the criteria for a search warrant, the police are responsible for obtaining a warrant that requests any new evidence. If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement. Instead, consult with your corporate attorney on how to respond to a police request for information. The police and prosecutor should issue a subpoena for any additional new evidence, which minimizes your exposure to potential civil liability. In addition, you should keep all documentation of evidence collected to investigate an internal company policy violation. Later in this section, you learn more about using affidavits in an internal investigation.

One example of a company policy violation involves employees observing another employee accessing pornographic Web sites. If your organization’s policy requires you to determine whether any evidence supports this accusation, you could start by extracting log file data from the proxy server (used to connect a company LAN to the Internet) and conducting a forensic examination of the subject’s computer. Suppose that during your examination, you find adult and child pornography. Further examination of the subject’s hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation’s hard drive. In the United States, possessing child pornography is a crime under federal and state criminal statutes. These situations aren’t uncommon and make life difficult for investigators who don’t want to be guilty of possession of contraband, such as child pornography, on their forensic workstations.

You survey the remaining content of the subject’s drive and find that he’s a lead engineer for the team developing your company’s latest high-tech bicycle. He placed the child pornography images in a subfolder where the bicycle plans are stored. By doing so, he has commingled contraband with the company’s confidential design plans for the bicycle. Your discovery poses two problems in dealing with this contraband evidence. First, you must report the crime to the police; many states require reporting evidence of sexual exploitation of children. Second, you must also protect sensitive company information. Letting the high-tech bicycle plans become part of the criminal evidence might make it public record, and the design work will then be available to competitors.

Your first step is to ask your corporate attorney how to deal with the commingled contraband data and sensitive design plans. Your next step is to work with the corporate attorney to write an affidavit confirming your findings. The attorney should indicate in the affidavit that the evidence is commingled with company secrets and releasing the information will be detrimental to the company’s financial health. When the affidavit is completed, you sign it before a notary, and then deliver the affidavit and the recovered evidence with log files to the police, where you make a criminal complaint. At the same time, the corporate attorney goes to court and requests that all evidence recovered from the hard disk that’s not related to the complaint and is a company trade secret be protected from public viewing. You and the corporate attorney have reported the crime and taken steps to protect the sensitive data.

Now suppose the detective assigned to the case calls you. In the evidence you’ve turned over to the police, the detective notices that the suspect is collecting most of his contraband from e-mail attachments. The prosecutor instructed the detective to ask you to collect more evidence to determine whether the suspect is transmitting contraband pictures to other potential suspects. In this case, you should immediately inform the detective that collecting more evidence might make you an agent of law enforcement and violate the employee’s Fourth Amendment rights. Before collecting any additional information, consult with your corporate attorney or wait until you receive a subpoena or other court order.

Processing Law Enforcement Crime Scenes

To process a crime scene properly, you must be familiar with criminal rules of search and seizure. You should also understand how a search warrant works and what to do when you process one. For all criminal investigations in the United States, the Fourth Amendment limits how governments search and seize evidence. A law enforcement officer can search for and seize criminal evidence only with probable cause. Probable cause refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest. With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and the seizure of specific evidence related to the criminal complaint.
The Fourth Amendment states that only warrants “particularly describing the place to be searched, and the persons or things to be seized” can be issued. Note that this excerpt uses the word “particularly.” The courts have determined that this phrase means a warrant can authorize a search only of a specific place for a specific thing. Without specific evidence and the description of a particular location, a warrant might be weak and create problems later during prosecution. For example, stating that the evidence is in a house located on Elm Avenue between Broadway and Main Street is too general, unless only one house fits that description, because several houses might be located in that area. Instead, provide specific information, such as “123 Elm Avenue.”

Most courts have allowed more generality for computer evidence. For example, you can state that you want to seize a “computer” rather than specify a “Dell Optiplex GXA.” Figure 5-4 shows sample search warrant language for computer evidence that the state of Maryland makes available for computer crime investigators (available at http://ccu.mdsp.org; do a search for guidelines on seizing digital evidence). Although several court cases have allowed latitude when searching and seizing computer evidence, making your warrant as specific as possible to avoid challenges from defense attorneys is a good practice.

Often a warrant is written and issued in haste because of the nature of the investigation. Law enforcement officers might not have the time to research the correct language for stating the nature of the complaint to meet probable cause requirements. However, because a judge can exclude evidence obtained from a poorly worded warrant, you should review these issues with your local prosecutor before investigating a case.

Figure 5-4 Sample search warrant wording for computer evidence

Understanding Concepts and Terms Used in Warrants

You should be familiar with warrant terminology that governs the type of evidence that can be seized. Many computing investigations involve large amounts of data you must sort through to find evidence; the Enron case, for example, involved terabytes of information. Unrelated information (referred to as innocent information) is often included with the evidence you’re trying to recover. This unrelated information might be personal and private records of innocent people or confidential business information. When you find commingled evidence, judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence. The warrant must list which items can be seized.

When approaching or investigating a crime scene, you might find evidence related to the crime but not in the location the warrant specifies. You might also find evidence of another unrelated crime. In these situations, this evidence is subject to the plain view doctrine. The plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be met:

• The officer is where he or she has a legal right to be.
• Ordinary senses must not be enhanced by advanced technology.
• Any discovery must be by chance.

For the officer to seize the item, he or she must have probable cause to believe the item is evidence of a crime or is contraband. In addition, the police aren’t permitted to move objects to get a better view. In Arizona v. Hicks (480 U.S. 321, 1987), the officer was found to have acted unlawfully because he moved stereo equipment, without probable cause, to record the serial numbers. The plain view doctrine has also been expanded to include the subdoctrines of plain feel, plain smell, and plain hearing. In Horton v. California (496 U.S. 128, 1990), the court eliminated the requirement that the discovery of evidence in plain view be inadvertent. Previously, “inadvertent discovery” was required, which led to difficulties in defining this term. The three-prong Horton test requires the following:

• The officer must be lawfully present at the place where the evidence can be plainly viewed.
• The officer must have a lawful right of access to the object.
• The incriminating character of the object must be “immediately apparent.”

The plain view doctrine does not extend to supporting a general exploratory search from one object to another unless something incriminating is found (Coolidge v. New Hampshire, 403 U.S. 443, 466, 1971). The plain view doctrine’s applicability in the digital forensics world is subject to development. Only the United States Court of Appeals for the Ninth Circuit has directly addressed this doctrine and has used it to give wide latitude to law enforcement (United States v. Wong, 334 F.3d 831, 9th Cir., 2003). Other circuit courts have been less willing to address applying the doctrine to computer searches. For example, police investigating a case have a search warrant authorizing the search of a computer for evidence related to illegal drug trafficking; during the search, the examiner observes an .avi file, opens it, and sees that it’s child pornography. At that point, he must get an additional warrant or an expansion of the existing warrant to continue the search for child pornography. This approach is consistent with rulings in United States v. Carey (172 F.3d 1268, 10th Cir., 1999) and United States v. Walser (275 F.3d 981, 10th Cir., 2001).

Preparing for a Search

Preparing for a computer search and seizure is probably the most important step in computing investigations.
The better you prepare, the smoother your investigation will be. The following sections discuss the tasks you should complete before you search for evidence. To perform these tasks, you might need to get answers from the victim (the complainant) and an informant, who could be a police detective assigned to the case, a law enforcement witness, or a manager or co-worker of the person of interest to the investigation.

Identifying the Nature of the Case

Recall from Chapter 2 that when you’re assigned a computing investigation case, you start by identifying the nature of the case, including whether it involves the private or public sector. For example, a corporate investigation might involve an employee abusing Internet privileges by surfing the Web excessively or an employee who has filed an equal employment opportunity (EEO) or ethics complaint. Serious cases might involve an employee abusing company computing assets to acquire or deliver contraband. Law enforcement cases could range from a check fraud ring to a homicide. The nature of the case dictates how you proceed and what types of assets or resources you need to use in the investigation (discussed in more detail in “Determining the Tools You Need” later in this chapter).

Identifying the Type of Computing System

Next, determine the type of computing systems involved in the investigation. For law enforcement, this step might be difficult because the crime scene isn’t controlled. You might not know what kinds of computers were used to commit a crime or how or where they were used. In this case, you must draw on your skills, creativity, and sources of knowledge, such as the Uniform Crime Report discussed in Chapter 3, to deal with the unknown. If you can identify the computing system, estimate the size of the drive on the suspect’s computer and how many computers you have to process at the scene. Also, determine which OSs and hardware might be involved and whether the evidence is located on a Microsoft, Linux, UNIX, Macintosh, or mainframe computer. For corporate investigators, configuration management databases (discussed in Chapter 3) make this step easier. Consultants to the private sector or law enforcement officers might have to investigate more thoroughly to determine these details.

Determining Whether You Can Seize a Computer

Generally, the ideal situation for incident or crime scenes is seizing the computers and taking them to your lab for further processing. However, the type of case and location of the evidence determine whether you can remove computers from the scene. Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab. If removing the computers will irreparably harm a business, the computers should not be taken offsite, unless you have disclosed the effect of the seizure to the judge. An additional complication is files stored offsite that are accessed remotely. You must decide whether the drives containing those files need to be examined. Another consideration is the availability of online data storage services that rent space, which essentially can’t be located physically. The data is stored on drives where data from many other subscribers might be stored.

If you aren’t allowed to take the computers to your lab, determine the resources you need to acquire digital evidence and which tools can speed data acquisition. With large drives, such as a 200 GB drive, acquisition times can increase to several hours. In Chapter 4, you examined data acquisition software and learned which tools meet specific needs for acquiring disk images. Some software, such as EnCase, compresses data while making forensic images. For large drives, this compression might be necessary.
Obtaining a Detailed Description of the Location

The more information you have about the location of a computer crime, the more efficiently you can gather evidence from a crime scene. Environmental and safety issues are the primary concerns during this process. Before arriving at an incident or crime scene, identify potential hazards to your safety as well as that of other examiners. Some computer cases involve dangerous settings, such as a drug bust of a methamphetamine lab or a terrorist attack using biological, chemical, or nuclear contaminants. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. The recovery process might include decontaminating computing components needed for the investigation, if possible. If the decontamination procedure might destroy electronic evidence, a HAZMAT specialist or an investigator in HAZMAT gear should make an image of a suspect’s drive.

If you have to rely on a HAZMAT specialist to acquire data, coach the specialist on how to connect cables between the computer and drives and how to run the software. You must be exact and articulate in your instructions. Ambiguous or incorrect instructions could destroy evidence. Ideally, a computer forensics investigator trained in dealing with HAZMAT environments should acquire drive images. However, not all organizations have funds available for this training.

Whether you or a HAZMAT technician is the one acquiring an image, you should keep some guidelines in mind. Before acquiring the data, a HAZMAT technician might suggest that you put the target drive in a special HAZMAT bag, leaving the IDE and power cables out of the bag but providing an airtight seal around the cables to prevent any contaminants from entering the bag and affecting the target drive. When the data acquisition is completed, power down the computer and then cut the IDE and power cables from the target drive. The HAZMAT technician can then decontaminate the bag. When dealing with extreme conditions, such as biological or chemical hazardous contaminants, you might have to sacrifice equipment, such as IDE and power cables, to accomplish a task. In certain instances, such as a meth lab bust, the contaminants might be so toxic that hazards to the safety of others prohibit acquiring any digital evidence.

In addition, if the temperature in the contaminated room is higher than 80 degrees, you should take measures to avoid damage to the drive from overheating. In a dry desert region, consider cooling the target drive by using sealed ice packs or double-wrapped bags of ice so that moisture doesn’t leak out and damage the drive. In extreme conditions, consider the risks to evidence and your equipment. You’ll need to brainstorm for solutions to overcome these problems. Moving the equipment to a controlled environment is ideal; however, doing so isn’t always possible.

Determining Who Is in Charge

Corporate computing investigations usually require only one person to respond to an incident or crime scene. Processing evidence involves acquiring an image of a subject’s drive. In law enforcement, however, many investigations require additional staff to collect all evidence quickly. For large-scale investigations, a crime or incident scene leader should be designated. Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to ensure that the team addresses all details when collecting evidence.

Using Additional Technical Expertise

After you collect evidence data, determine whether you need specialized help to process the incident or crime scene. For example, suppose you’re assigned to process a crime scene at a data center running Microsoft Windows servers with several RAID drives and high-end UNIX servers. If you’re the leader of this investigation, you must identify the additional skills needed to process the crime scene, such as enlisting help with a high-end server OS. Other concerns are how to acquire data from RAID servers and how much data you can acquire. RAID servers typically process several terabytes of data, and standard imaging tools might not be able to handle these large data sets.

When working at high-end computing facilities, identify the applications the suspect uses, such as Oracle databases. You might need to recruit an Oracle specialist or site support staff to help extract data for the investigation. Finding the right person can be an even bigger challenge than conducting the investigation. If you do need to recruit a specialist who’s not an investigator, develop a training program to educate the specialist in proper investigative techniques. This advice also applies to specialists you plan to supervise during search-and-seizure tasks. When dealing with computer evidence, an untrained specialist can easily and unintentionally destroy evidence, no matter how careful you are in providing instructions and monitoring his or her activities.

Determining the Tools You Need

After you have gathered as much information as possible about the incident or crime scene, you can start listing what you need at the scene. Being overprepared is better than being underprepared, especially when you determine that you can’t transfer the computer to your lab for processing. To manage your tools, consider creating an initial-response field kit and an extensive-response field kit. Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene.

Your initial-response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
Figure 5-5 shows some items you might need, and Table 5-1 lists the tools you might need in an initial-response field kit.

Figure 5-5 Items in an initial-response field kit

Table 5-1 Tools in an initial-response field kit

Number needed   Tools
1               Small computer toolkit
1               Large-capacity drive
1               IDE ribbon cable (ATA-33 or ATA-100)
1               SATA cable
1               Forensic boot media containing your preferred acquisition utility
1               Laptop IDE 40- to 44-pin adapter, other adapter cables
1               Laptop computer
1               FireWire or USB dual write-protect external bay
1               Flashlight
1               Digital or 35mm camera with film and flash
10              Evidence log forms
1               Notebook or dictation recorder
10              Computer evidence bags (antistatic bags)
20              Evidence labels, tape, and tags
1               Permanent ink marker
10              External USB devices or a portable hard drive

An extensive-response field kit should include all the tools you can afford to take to the field. When you arrive at the scene, you should extract only those items you need to acquire evidence. Doing so protects your equipment and minimizes how many items you have to keep track of at the scene. Table 5-2 lists the tools you might need in an extensive-response field kit, including external USB drives.

Table 5-2 Tools in an extensive-response field kit

Number needed   Tools
Varies          Assorted technical manuals, ranging from OS references to forensics analysis guides
1               Initial-response field kit
1               Portable PC with SCSI card for DLT tape drive or suspect’s SCSI drive
2               Electrical power strips
1               Additional hand tools, including bolt cutters, pry bar, and hacksaw
1               Leather gloves and disposable latex gloves (assorted sizes)
1               Hand truck and luggage cart
10              Large garbage bags and large cardboard boxes with packaging tape
1               Rubber bands of assorted sizes
1               Magnifying glass
1               Ream of printer paper
1               Small brush for cleaning dust from suspect’s interior CPU cabinet
10              USB drives of varying sizes
2               External hard drives (200 GB or larger) with power cables
Assorted        Converter cables
5               Additional assorted hard drives for data acquisition

When deciding what items to include in initial-response and extensive-response field kits, you need to analyze your specific needs in your region or organization. Refer to Tables 5-1 and 5-2 for guidelines.

Preparing the Investigation Team

Before you initiate the search and seizure of digital evidence at an incident or crime scene, you must review all the available facts, plans, and objectives with the investigation team you have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data. Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene. In some computing investigations, responding slowly might result in the loss of important evidence for the case.
Securing a Computer Incident or Crime Scene

Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could jeopardize the investigation. If you’re in charge of securing a computer incident or crime scene, use yellow barrier tape to prevent bystanders from accidentally entering the scene. Use police officers or security guards to prevent others from entering the scene. Legal authority for a corporate incident scene includes trespassing violations; for a crime scene, it includes obstructing justice or failing to comply with a police officer. Access to the scene should be restricted to only those people who have a specific reason to be there. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene’s immediate location. In this way, you avoid overlooking an area that might be part of the scene. Shrinking the scene’s perimeter is easier than expanding it.

For major crime scenes, computer investigators aren’t usually responsible for defining a scene’s security perimeter. These cases involve other specialists and detectives who are collecting physical evidence and recording the scene. For incidents primarily involving computers, the computers can be a crime scene within a crime scene, containing evidence to be processed. The evidence is in the computer, but the courts consider it physical evidence. Computers can also contain actual physical evidence, such as DNA evidence or fingerprints on keyboards. Crime labs can use special vacuums to extract DNA residue from a keyboard to compare with other DNA samples. In a major crime scene, law enforcement usually retains the keyboard.

Evidence is commonly lost or corrupted because of professional curiosity, which involves police officers and other professionals who aren’t part of the crime scene processing team. They just have a compelling interest in seeing what happened. Their presence could contaminate the scene directly or indirectly. Keep in mind that even those authorized and trained to search crime scenes can inadvertently alter the scene or evidence. For example, during one homicide investigation, the lead detective collected a good latent fingerprint from the crime scene. He compared it with the victim’s fingerprints and those of others who knew the victim. He couldn’t find a fingerprint matching the latent fingerprint from the scene. The detective suspected he had the murderer’s fingerprint and kept it on file for several years until his police department purchased an Automated Fingerprint Identification System (AFIS) computer. During acceptance testing, the software vendor processed sample fingerprints to see how quickly and accurately the system could match fingerprints in the database. The detective asked the acceptance testing team to run the fingerprint he found at the homicide scene. He believed the suspect’s fingerprints were in the AFIS database. The acceptance testing team complied and within minutes, AFIS found a near-perfect match of the latent fingerprint: It belonged to the detective.

Always remember that professional curiosity can destroy or corrupt evidence, including digital evidence. When working at an incident or crime scene, be aware of what you’re doing and what you have touched, physically or virtually. A police detective can take elimination prints of everyone who had access to the crime scene to identify the fingerprints of known people; computer evidence doesn’t have an equivalent elimination process. You must protect all digital evidence, so make sure no one examines a suspect’s computer before you can capture and preserve an image of the hard disk. Starting a computer without forensic boot media alters important data, such as the date and time stamps of last access to certain files.
Seizing Digital Evidence at the Scene

With proper search warrants, law enforcement can seize all computing systems and peripherals. In corporate investigations, you might have similar authority; however, you might have the authority only to make an image of the suspect’s drive. Depending on company policies, corporate investigators rarely have the authority to seize all computers and peripherals. When seizing computer evidence in criminal investigations, follow the U.S. DOJ standards for seizing digital data (described later in this chapter, or see www.usdoj.gov/criminal/cybercrime/searching.html). For civil investigations, follow the same rules of evidence as for criminal investigation. You might be looking for specific evidence, such as a particular e-mail message or spreadsheet. In a criminal matter, investigators seize entire drives to preserve as much information as possible and ensure that no evidence is overlooked. If you have any questions, doubts, or concerns, consult with your attorney for additional guidance.

Preparing to Acquire Digital Evidence

The evidence you acquire at the scene depends on the nature of the case and the alleged crime or violation. For a criminal case involving a drug dealer’s computer, for example, you need to take the entire computer along with any peripherals and media in the area, including cell phones, USB devices, CDs, DVDs, printers, cameras, and scanners. Seizing peripherals and other media ensures that you leave no necessary system components behind; often, predicting what components might be critical to the system’s operation is difficult. On the other hand, if you’re investigating employee misconduct, you might need only a few specific items. Before you collect digital evidence, ask your supervisor or senior forensics examiner in the organization the following questions:

• Do you need to take the entire computer and all peripherals and media in the immediate area? How are you going to protect the computer and media while transporting them to your lab?
• Is the computer powered on when you arrive? (This question is discussed in more detail later in “Processing an Incident or Crime Scene.”)
• Is the suspect you’re investigating in the immediate area of the computer? Is it possible the suspect damaged or destroyed the computer, peripherals, or media? Will you have to separate the suspect from the computer?

For example, suppose a company employee, Edward Braun, is suspected of using a company computer at his desk to write a book. You suspect that Edward is saving personal files on the computer’s hard drive. Using imaging software, such as Norton Ghost from Symantec, you can copy the hard drive onto another drive, install the duplicate hard drive in the computer, and take the original drive to your forensics lab for examination. This procedure doesn’t create a bit-for-bit copy; you’re creating a working copy for continued business operations and taking the original for examination. Because Edward’s supervisors don’t want him to know he’s being investigated, you must create the working copy when he’s not at his desk and isn’t expected to return. Because most people notice when something is out of order on their desks, you should photograph the scene, measure the height of his chair, and record the position of items on his desk you need to move before removing the hard drive. (The following section has more tips on photographing and documenting the scene.) After you create an image of his hard drive and substitute the copy, return Edward’s belongings to their original locations.

Processing an Incident or Crime Scene

The following guidelines offer suggestions on how to process an incident or crime scene. As you gain experience in performing searches and seizures, you can add to or modify these guidelines to meet the needs of specific cases.
Use your judgment to determine what steps to take when processing a civil or criminal investigation. For any difficult issues, seek out legal counsel or other technical experts. Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene.

To secure the scene, use whatever is practical to make sure that only authorized people can access the area. Remove anyone who isn’t investigating the scene unless you need his or her help to process the scene. For example, the company’s network administrator might need to help you collect and recover data. As mentioned earlier, you should secure a wider scene perimeter than necessary. Make sure nothing in this area, including computer evidence, moves until you have had time to record it. Be professional and courteous to any curious onlookers, but don’t offer information about the investigation or incident or answer questions. Refer journalists to a public information officer or the organization’s public relations manager.

Take video and still recordings of the area around the computer. Start by recording the overall scene, and then record details with close-up shots, including the back of all computers. Before recording the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which plug, in case you need to reassemble components at the lab. Make sure you take close-ups of all cable connections, including keyloggers (devices used to record keystrokes) and dongle devices used with software as part of the licensing agreement. Record the area around the computer, including the floor and ceiling, and all access points to the computer, such as doors and windows. Be sure to look under any tables or desks for anything taped to the underside of a table or desk drawer or on the floor out of view. If the area has ceiling panels—false ceiling tiles—remove them and record that area, too. Slowly pan or zoom the camera to prevent blurring in the video image, and maintain a camera log for all shots you take.

When you finish videotaping or photographing the scene, sketch the incident or crime scene. This sketch is usually a rough draft with notes on objects’ dimensions and distances between fixed objects. For example, a note might read “The suspect’s computer is on the south wall, three meters from the southeast corner of the room.” When you prepare your report, you can make a clean, detailed drawing from your sketch, preferably using a computer drawing program so that the sketch is in electronic form.

Because computer data is volatile, check the state of each computer at the scene as soon as possible. Determine whether the computer is powered on or off or in hibernation or sleep mode. If it’s off, leave it off. If it’s on, use your professional judgment on what to do next. Standard computer forensics practice has been to kill the computer’s power to make sure data doesn’t become corrupt through covert means. Typically, this procedure is still acceptable on legacy Windows and MS-DOS systems because turning off the power usually preserves data. On Windows XP/Vista, UNIX, and Linux computers, generally you should perform an orderly shutdown first. Every shutdown process has inherent risks, however; to avoid data loss, you or your supervisor might have to determine the best shutdown procedure.

In addition, there are many urban legends about criminals placing self-destruct mechanisms—both hardware and software devices—in computers. Many years ago, a common trick was altering the DOS program Command.com by changing the Dir (directory) command to the Deltree (delete the directory tree) command. When an investigator entered the Dir command on a suspect’s computer, he would inadvertently start the Deltree command, which deletes all files and folders and their contents. More advanced computer criminals have been known to create similar command-altering methods that overwrite a drive’s contents. In addition, computer owners who suspect someone will investigate their computers might set the computer to delete the hard drive’s contents if the correct screensaver password isn’t entered.

As a general rule, don’t cut electrical power to a running system unless it’s an older Windows 9x or MS-DOS system. However, it’s a judgment call because of recent trends in computer crimes. More computing investigations now revolve around network- and Internet-related cases, which rely heavily on log file data. Certain files, such as the Event log and Security log in Windows XP, might lose essential network activity records if power is terminated without a proper shutdown. If you’re working on a network or Internet investigation and the computer is on, save data in any current applications as safely as possible and record all active windows or shell sessions. Don’t examine folders or network connections or press any keys unless it’s necessary.

For systems that are powered on and running, photograph the screens. If windows are open but minimized, expanding them so that you can photograph them is safe. As a precaution, write down the contents of each window. As you’re copying data on a live suspect computer, make notes in your journal about everything you do so that you can explain your actions in your formal report to prosecutors and other attorneys. When you’ve finished recording screen contents, save them to external media. For example, if one screen shows a Word file, save it to an external drive. Keep in mind that the suspect might have changed the file since last using the Save command.
If another screen is a Web browser, take a screenshot or save the Web page to a USB drive or an external hard drive. If the suspect computer has an active connection to a network server with enough storage, you can save large files to a folder on the server. To do so, you need the cooperation of the network administrator to help direct you to the correct server and folder for storing the file. If you can’t save an open application to external media, save the open application to the suspect drive with a new filename. Changing the filename avoids overwriting an existing file that might not have been updated already. This method isn’t ideal and should be done only in extreme emergency conditions. Remember that your goal is to preserve as much evidence in as good a condition as is practical.

After you have saved all active files on the suspect computer, you can close all applications. If an application prompts you to save before closing, don’t save the files. When all applications are closed, perform an orderly shutdown. If you’re not familiar with the correct shutdown method for the computer you’re examining, consult someone who has expertise in this procedure.

After you record the scene and shut down the system, bag and tag the evidence, following these steps:

1. Assign one person, if possible, to collect and log all evidence. Minimize the number of people handling evidence to ensure its integrity.
2. Tag all the evidence you collect with the current date and time, serial numbers or unique features, make and model, and name of the person who collected it.
3. Maintain two separate logs of collected evidence to be reconciled for audit control purposes and to verify everything you have collected.
4. Maintain constant control of the collected evidence and the crime or incident scene.

If the nature of the case doesn’t permit you to seize the computer, create an image of the hard drive, as you learned in Chapter 4.
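Steps 2 and 3 of the bag-and-tag procedure above (tag every item with date and time, serial number or unique feature, make and model, and collector, then keep two separate logs and reconcile them) can be turned into a small audit check. The script below is an added example written for this page; it is not from the textbook or any forensics product. The tag fields, the sample items, the collector name, and the timestamps are all constructed for illustration. Reconciliation reports items that appear in only one log and items whose recorded details differ between the two logs, which is exactly what an audit would want flagged before the team leaves the scene.

```python
"""Dual evidence-log reconciliation (added example, not from the textbook)."""
from dataclasses import dataclass, fields
from datetime import datetime, timezone


@dataclass(frozen=True)
class EvidenceTag:
    """One tagged item, with the fields the bag-and-tag steps require."""
    tag_id: str            # label number/letter written on the evidence bag
    collected_at: str      # ISO 8601 timestamp in UTC, as written on the tag
    item: str              # make and model, or a short description
    serial_or_feature: str # serial number, or a unique feature if there is none
    collected_by: str      # name of the person who collected the item


def make_tag(tag_id, item, serial_or_feature, collected_by, when=None):
    """Build a tag, stamping the current UTC time if no time is supplied."""
    when = when or datetime.now(timezone.utc)
    return EvidenceTag(tag_id, when.isoformat(timespec="seconds"),
                       item, serial_or_feature, collected_by)


def reconcile_logs(log_a, log_b):
    """Compare two independently kept evidence logs keyed by tag_id.

    Returns a dict with:
      only_in_a / only_in_b : tag_ids recorded in one log but not the other
      mismatched            : {tag_id: {field: (value_in_a, value_in_b)}}
    """
    a = {t.tag_id: t for t in log_a}
    b = {t.tag_id: t for t in log_b}
    report = {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "mismatched": {},
    }
    for tag_id in sorted(set(a) & set(b)):
        diffs = {}
        for f in fields(EvidenceTag):
            va, vb = getattr(a[tag_id], f.name), getattr(b[tag_id], f.name)
            if va != vb:
                diffs[f.name] = (va, vb)
        if diffs:
            report["mismatched"][tag_id] = diffs
    return report


def logs_agree(report):
    """True when reconciliation found no discrepancies at all."""
    return not (report["only_in_a"] or report["only_in_b"] or report["mismatched"])


# Constructed sample data: three items as recorded by two different people.
WHEN = datetime(2009, 3, 14, 15, 9, tzinfo=timezone.utc)
PRIMARY_LOG = [
    make_tag("A1", "Desktop tower (constructed make/model)", "SN-0001", "J. Doe", WHEN),
    make_tag("A2", "External USB drive", "SN-0002", "J. Doe", WHEN),
    make_tag("A3", "Keyboard (retained for latent prints)",
             "no serial; coffee stain on F key", "J. Doe", WHEN),
]
SECONDARY_LOG = [
    make_tag("A1", "Desktop tower (constructed make/model)", "SN-0001", "J. Doe", WHEN),
    make_tag("A2", "External USB drive", "SN-0020", "J. Doe", WHEN),  # digits transposed
    # A3 was never entered in the second log
]


def demo():
    """Reconcile the constructed logs; the result flags A3 missing and A2 mismatched."""
    return reconcile_logs(PRIMARY_LOG, SECONDARY_LOG)


if __name__ == "__main__":
    result = demo()
    print("Logs agree" if logs_agree(result) else f"Discrepancies: {result}")
```

The logs are compared field by field rather than by whole record so that the report names the exact entry to correct (here the transposed serial on A2), and a missing tag is reported separately from a mistyped one, since the two call for different follow-up at the scene.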
In Chapter 11, you learn how to use forensics tools to acquire RAM. Many studies are being conducted on how to analyze RAM systematically, in an effort to find relevant information in what appears to be random garbage data.

During the data acquisition or immediately after collecting the evidence, look for information related to the investigation, such as passwords, passphrases, personal identification numbers (PINs), and bank account numbers (particularly offshore bank accounts, often used to hide evidence of financial transactions). This information might be in plain view or out of sight in a drawer or trash can. At the scene, collect as much personal information as possible about the suspect or victim. Collect all information related to facts about the crime or incident, particularly anything that connects the suspect to the victim. To complete your analysis and processing of a scene, collect all documentation and media related to the investigation, including the following material:

• Hardware, including peripheral devices
• Software, including OSs and applications
• All media, such as backup tapes and disks
• All documentation, manuals, printouts, and handwritten notes

Processing Data Centers with RAID Systems

Computer investigators sometimes perform forensics analysis on RAID systems or server farms, which are rooms filled with extremely large disk systems and are typical of large business data centers, such as the Department of Motor Vehicles (DMV), banks, insurance companies, and ISPs. As you learned in Chapter 4, one technique for extracting evidence from large systems is called sparse acquisition. This technique extracts only data related to evidence for your case from allocated files and minimizes how much data you need to analyze. A drawback of this technique is that it doesn’t recover data in free or slack space. If you have a computer forensics tool that accesses unallocated space on a RAID system, work with the tool on a test system first to make sure it doesn’t corrupt the RAID system.

Using a Technical Advisor

When working with advanced technologies, recruit a technical advisor who can help you list the tools you need to process the incident or crime scene. At large data centers, the technical advisor is the person guiding you about where to locate data and helping you extract log records or other evidence from large RAID servers. In law enforcement cases, the technical advisor can help create the search warrant by itemizing what you need for the warrant. If you use a technical advisor for this purpose, you should list his or her name in the warrant. At the scene, a technical advisor can help direct other investigators to collect evidence correctly. Technical advisors have the following responsibilities:

• Know all aspects of the system being seized and searched.
• Direct investigators on how to handle sensitive media and systems to prevent damage.
• Help ensure security of the scene.
• Help document the planning strategy for the search and seizure.
• Conduct ad hoc training for investigators on the technologies and components being seized and searched.
• Document activities during the search and seizure.
• Help conduct the search and seizure.

Documenting Evidence in the Lab

After you collect digital evidence at the scene, you transport it to a forensics lab, which should be a controlled environment that ensures the security and integrity of digital evidence. In any investigative work, be sure to record your activities and findings as you work. To do so, you can maintain a journal to record the steps you take as you process evidence. Your goal is to be able to reproduce the same results when you or another investigator repeat the steps you took to collect evidence.
If you get different results when you repeat the steps, the credibility of your evidence becomes questionable. At best, the evidence’s value is compromised; at worst, the evidence will be disqualified. Because of the nature of electronic components, failures do occur. For example, you might not be able to repeat a data recovery because of a hardware failure, such as a disk drive head crash. Be sure to report all facts and events as they occur. Besides verifying your work, a journal serves as a reference that documents the methods you used to process digital evidence. You and others can use it for training and guidance on other investigations.

Processing and Handling Digital Evidence

You must maintain the integrity of digital evidence in the lab as you do when collecting it in the field. Your first task is to preserve the disk data. If you have a suspect computer that hasn’t been copied with an imaging tool, you must create a copy. When you do, be sure to make the suspect drive read-only (typically by using a write-blocking device), and document this step. If the disk has been copied with an imaging tool, you must preserve the image files. With most imaging tools, you can create smaller, compressed volume sets to make archiving your data easier. In Chapter 4, you learned how to use imaging tools, and in Chapter 2, you examined the steps for preserving digital evidence with chain-of-custody controls. You use the following steps to create image files:

1. Copy all image files to a large drive. Most forensics labs have several machines set up with disk-imaging software and multiple hard drives that can be exchanged as needed for your cases. You can use these resources to copy image files to large drives. Some might be equipped with large network storage devices for ongoing cases.
2. Start your forensics tool to analyze the evidence.
3. Run an MD5 or SHA-1 hashing algorithm on the image files to get a digital hash.
Later in “Obtaining a Digital Hash,” you learn how to compare MD5 or SHA-1 hashes to make sure the evidence hasn’t changed.
4. When you finish copying image files to a larger drive, secure the original media in an evidence locker. Don’t work with the original media; it should be stored in a locker that has an evidence custody form. Be sure to fill out the form and date it.

Storing Digital Evidence

With digital evidence, you need to consider how and on what type of media to save it and what type of storage device is recommended to secure it. The media you use to store digital evidence usually depends on how long you need to keep it. If you investigate criminal matters, store the evidence as long as you can. The ideal media on which to store digital data are CD-Rs or DVDs. These media have long lives, but copying data to them takes a long time. Older CDs had lives up to five years. Research is currently being done on CD-Rs and CD-RWs with lifespans of only one or two years. Today’s larger drives demand more storage capacity; 200 GB drives are common, and DVDs can store up to only 17 GB of data.

You can also use magnetic tape to preserve evidence data. The 4-mm DAT magnetic tapes store between 40 and 72 GB or more of data, but like CD-Rs, they are slow at reading and writing data. If you’re using these tapes, test your data by copying the contents from the tape back to a disk drive. Then verify that the data is good by examining it with your computer forensics tools or doing an MD5 hash comparison of the original data set and the newly restored data set. If a 30-year lifespan for data storage is acceptable for your digital evidence, older DLT magnetic tape cartridge systems are a good choice. Keep in mind that you never know how long it will take for a case to go to trial. Figure 5-6 shows a 4-mm DAT drive and tape and a DLT tape drive.
Figure 5-6 4-mm DAT and DLT tape drives

DLT systems have been used with mainframe computers for several decades and are reliable data-archiving systems. Depending on the size of the DLT cartridge, one cartridge can store up to 80 GB of data in compressed mode. Speed of data transfer from your hard drive to a DLT tape is also faster than transferring data to a CD-R or DVD. The only major drawback of a DLT drive and tapes is cost. A drive can cost from $400 to $800, and each tape is about $40. However, with the current large disk drives, the DLT system does offer significant labor savings over other systems. Recently, manufacturers such as Quantum Corp. have introduced a high-speed, high-capacity tape cartridge drive system called Super Digital Linear Tape (Super-DLT or SDLT). These systems are specifically designed for large RAID data backups and can store more than 1 TB of data. Smaller external Super-DLT drives can connect to a workstation through a SCSI card. However, don’t rely on one media storage method to preserve your evidence; be sure to make two copies of every image to prevent data loss. Also, if practical, use different tools to create the two images. For example, you can use the Linux dd command to create the first image and ProDiscover to create the second image.

Evidence Retention and Media Storage Needs

To help maintain the chain of custody for digital evidence so that it’s accepted in court or by arbitration, restrict access to your lab and evidence storage area. When your lab is open for operations, authorized personnel must keep these areas under constant supervision. When your lab is closed, at least two security workers should guard evidence storage cabinets and lab facilities. As a good security practice, your lab should have a sign-in roster for all visitors. Most labs use a manual log system that an authorized technician maintains when an evidence storage container is opened and closed.
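An electronic version of the custody log described above, combined with the hash comparison from “Processing and Handling Digital Evidence”: this is an added example, not the book’s evidence custody form or any vendor tool. It records each image file’s MD5 and SHA-1 when the evidence arrives, appends an entry for every handler, and re-hashes the files later so that an altered or missing segment is detected. The case number, image segment names, handler names, file contents and the simulated tampering are all constructed for the demonstration.

```python
"""Electronic evidence custody record with hash verification (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def digest(path, algorithm):
    """Hex digest of a whole file (real image files should be read in chunks)."""
    with open(path, "rb") as f:
        return hashlib.new(algorithm, f.read()).hexdigest()


def log_handling(record, handler, action):
    """Add an entry for every person who handles the evidence, with date and time (UTC)."""
    record["log"].append({"handler": handler, "action": action,
                          "time": datetime.now(timezone.utc).isoformat()})


def new_custody_record(case_number, description, paths, handler):
    """Identify the evidence, hash each image file, and log the first handler."""
    items = [{"file": os.path.basename(p), "size": os.path.getsize(p),
              "md5": digest(p, "md5"), "sha1": digest(p, "sha1")} for p in paths]
    record = {"case_number": case_number, "description": description,
              "items": items, "log": []}
    log_handling(record, handler, "copied image files to lab drive; original media to locker")
    return record


def verify_record(record, directory):
    """Re-hash every listed file. Returns file -> True (unchanged) or False (altered/missing)."""
    results = {}
    for item in record["items"]:
        path = os.path.join(directory, item["file"])
        if not os.path.isfile(path):
            results[item["file"]] = False
            continue
        results[item["file"]] = (digest(path, "md5") == item["md5"]
                                 and digest(path, "sha1") == item["sha1"])
    return results


def run_demo():
    """Walk through acquisition, a later check-out, tampering, and a missing segment."""
    with tempfile.TemporaryDirectory() as work:
        # Constructed two-segment image set standing in for a compressed volume set.
        segments = [os.path.join(work, "InChap05.001"), os.path.join(work, "InChap05.002")]
        for i, path in enumerate(segments):
            with open(path, "wb") as f:
                f.write(b"\x00" * 1024 + b"constructed image segment %d" % (i + 1))

        record = new_custody_record("InChp05", "USB drive image (constructed)",
                                    segments, "Investigator A (constructed name)")
        record_path = os.path.join(work, "custody.json")
        with open(record_path, "w") as f:
            json.dump(record, f, indent=2)

        # Later: a second examiner checks the files out and verifies them first.
        with open(record_path) as f:
            record = json.load(f)
        log_handling(record, "Examiner B (constructed name)", "checked out image files")
        intact = verify_record(record, work)

        # Simulated tampering: one byte changed in the second segment.
        with open(segments[1], "r+b") as f:
            f.seek(5)
            f.write(b"\xff")
        after_tamper = verify_record(record, work)

        # Simulated loss: first segment missing from the lab drive.
        os.remove(segments[0])
        after_removal = verify_record(record, work)

        return {"record": record, "intact": intact, "after_tamper": after_tamper,
                "after_removal": after_removal, "log_entries": len(record["log"])}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```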
These logs should be maintained for a period based on legal requirements, including the statute of limitations, the maximum sentence, and expiration of appeal periods. Make the logs available for management to inspect. The evidence custody form should contain an entry for every person who handles the evidence (see Figure 5-7).

Figure 5-7 A sample log file

If you’re supporting a law enforcement agency, you might need to retain evidence indefinitely, depending on the type of crime. Check with your local prosecuting attorney’s office or state laws to make sure you’re in compliance. For the private sector or corporate environments, check with your company’s legal department (the general counsel), which is responsible for setting your organization’s standards for evidence retention. Cases involving child pornography are the exception: The evidence must be turned over to law enforcement. This material is contraband and must not be stored by any person or organization other than a law enforcement agency.

Documenting Evidence

To document evidence, create or use an evidence custody form, as shown in Chapter 2. Because of constant changes in technologies and methods for acquiring data, create an electronic evidence custody form that you can modify as needed. An evidence custody form serves the following functions:

• Identifies the evidence
• Identifies who has handled the evidence
• Lists dates and times the evidence was handled

After you have established these pieces of information, you can add others to your form, such as a section listing MD5 and SHA-1 hash values. Include any detailed information you might need to reference. Evidence bags also include labels or evidence forms you can use to document your evidence. Commercial companies offer a variety of sizes and styles of paper and plastic evidence bags.
Be sure to write on the bag when it’s empty, not when it contains digital evidence, to make sure your writing is legible and to avoid possibly damaging the evidence. You should use antistatic bags for electronic components.

Obtaining a Digital Hash

To verify data integrity, different methods of obtaining a unique identity for file data have been developed. One of the first methods, the Cyclic Redundancy Check (CRC), is a mathematical algorithm that determines whether a file’s contents have changed. The most recent version is CRC-32. CRC, however, is not considered a forensic hashing algorithm. The first algorithm for computer forensics use was Message Digest 5 (MD5). Like CRC, MD5 is a mathematical formula that translates a file into a hexadecimal code value, or a hash value. If a bit or byte in the file changes, it alters the hash value, a unique hexadecimal value that identifies a file or drive. (Before you process or analyze a file, you can use a software tool to calculate its hash value.) After you process the file, you produce another digital hash. If it’s the same as the original one, you can verify the integrity of your digital evidence with mathematical proof that the file didn’t change. According to work done by Wang Xiaoyun and her associates from Beijing’s Tsinghua University and Shandong University of Technology, there are three rules for forensic hashes:

• You can’t predict the hash value of a file or device.
• No two hash values can be the same. (Note: Collisions have occurred in research using supercomputers.)
• If anything changes in the file or device, the hash value must change.

A newer hashing algorithm is Secure Hash Algorithm version 1 (SHA-1), developed by the National Institute of Standards and Technology (NIST). SHA-1 is slowly replacing MD5 and CRC-32, although MD5 is still widely used. (For more information on SHA-1, see http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf.)
In both MD5 and SHA-1, collisions have occurred, meaning two different files have the same hash value. Collisions are rare, however, and despite flaws in MD5 and SHA-1, both are still useful for validating digital evidence collected from files and storage media. If a collision is suspected, you can do a byte-by-byte comparison to verify that all bytes are identical. Byte-by-byte comparisons can be performed with the MS-DOS Comp command or the Linux/UNIX diff command. New developments in this field are constant, however, so staying current by investigating the NIST Web site and reading related journals is a good idea.

Most computer forensics hashing needs can be satisfied with a nonkeyed hash set, which is a unique hash number generated by a software tool, such as the Linux md5sum command. The advantage of this type of hash is that it can identify known files, such as executable programs or viruses, that hide themselves by changing their names. For example, many people who view or transmit pornographic material change filenames and extensions to obscure the nature of the contents. However, even if a file’s name and extension change, the hash value doesn’t. The alternative to a nonkeyed hash is a keyed hash set, which is created by an encryption utility’s secret key. You can use the secret key to create a unique hash value for a file. Although a keyed hash set can’t identify files as nonkeyed hash methods can, it can produce a unique hash set for your digital evidence.

You can use the MD5 function in FTK Imager to obtain the digital signature of a file or an entire drive. In the following activity, you use a thumb drive, although you often work with hard drives in actual investigations. First, you create a test file and then generate an MD5 hash value for it. Then you change the file and produce another MD5 hash value, this time noting the change in the hash value.
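The same experiment as the FTK Imager activity that follows, scripted so the points made above can be checked without the GUI. This is an added example, not code from the book or from AccessData: it hashes the chapter’s test sentence, deletes one word and rehashes, shows that renaming leaves a nonkeyed hash unchanged, compares two files byte by byte the way Comp or diff would, and computes a keyed hash under two constructed secret keys (HMAC is assumed here as the keyed-hash method; the file and key names are constructed).

```python
"""Forensic hash demonstration (added example, not from the book or FTK Imager)."""
import hashlib
import hmac
import os
import tempfile

# Constructed test content: the sentence typed in the chapter's Notepad step.
TEST_TEXT = b"This is a test to see how an MD5 digital hash works."


def hash_bytes(data, algorithm="md5"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Nonkeyed hash of a file, read in chunks so large images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def keyed_hash_file(path, key, algorithm="sha1", chunk_size=1 << 20):
    """Keyed hash (HMAC) of a file: the same bytes give a different value under a different key."""
    mac = hmac.new(key, digestmod=algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def first_difference(path_a, path_b, chunk_size=1 << 20):
    """Byte-by-byte comparison: offset of the first differing byte, or None if identical.
    A length difference counts as a difference at the offset where the shorter file ends."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk_size), fb.read(chunk_size)
            if a == b:
                if not a:          # both files exhausted with no difference
                    return None
                offset += len(a)
                continue
            for i, (x, y) in enumerate(zip(a, b)):
                if x != y:
                    return offset + i
            return offset + min(len(a), len(b))


def run_demo():
    """Reproduce the activity in a temporary work folder and return what was observed."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "InChap05.txt")
        with open(original, "wb") as f:
            f.write(TEST_TEXT)
        md5_before = hash_file(original, "md5")
        sha1_before = hash_file(original, "sha1")

        # Renaming the file (a common way to obscure its nature) leaves the hash unchanged.
        renamed = os.path.join(work, "holiday.jpg")
        os.rename(original, renamed)
        md5_after_rename = hash_file(renamed, "md5")

        # Delete one word, as in the activity, and rehash.
        modified = os.path.join(work, "InChap05_edited.txt")
        with open(modified, "wb") as f:
            f.write(TEST_TEXT.replace(b"digital ", b""))
        md5_after_edit = hash_file(modified, "md5")
        sha1_after_edit = hash_file(modified, "sha1")

        # Keyed hashes of the same bytes under two constructed secret keys.
        keyed_k1 = keyed_hash_file(renamed, b"lab-secret-key-1")
        keyed_k2 = keyed_hash_file(renamed, b"lab-secret-key-2")

        return {
            "md5_before": md5_before,
            "sha1_before": sha1_before,
            "md5_after_rename": md5_after_rename,
            "md5_after_edit": md5_after_edit,
            "sha1_after_edit": sha1_after_edit,
            "first_differing_offset": first_difference(renamed, modified),
            "identical_files_offset": first_difference(renamed, renamed),
            "keyed_k1": keyed_k1,
            "keyed_k2": keyed_k2,
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:24} {value}")
```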
You need a blank, formatted USB drive and a Windows computer to complete the following steps:

1. Power on your forensic workstation, booting it to Windows.
2. Insert a blank, formatted USB drive into your computer.
3. Next, start Notepad. In a new text file, type This is a test to see how an MD5 digital hash works.
4. Click File, Save As from the menu. In the File name text box, type InChap05.txt. Click your thumb drive in the Save in drop-down list, and then click Save.
5. Exit Notepad.

Next, you use FTK Imager to determine the MD5 and SHA-1 hash values. If you didn’t install FTK Imager in Chapter 4, do so before performing these steps.

1. If the FTK Imager icon is not on your desktop, click Start, point to All Programs, point to AccessData, point to FTK Imager, and click FTK Imager.
2. Click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Logical Drive option button, and then click Next.
3. In the Select Drive dialog box, click the Drive Selection list arrow, click your USB drive in the drop-down list, and then click Finish.
4. Right-click the USB drive at the upper left and click Verify Drive/Image. The verification process takes a few minutes. When it finishes, you should see a window similar to Figure 5-8. Copy the MD5 and SHA-1 hash values for this file to a text file in Notepad, and then click Close. Save the text file in your work folder with a filename of your choosing, and then exit Notepad.

Figure 5-8 Using FTK Imager to verify hash values

5. In FTK Imager, click File, Remove Evidence Item from the menu. (You’re about to make changes to the file and don’t want it open in FTK Imager while you do so.) Leave FTK Imager running for the next set of steps.

Now you change the text file:

1. Start Notepad, and open the InChap05.txt file.
2. Delete one word from the sentence. Save the file with the same filename, and exit Notepad.
3. Repeat the previous steps in FTK Imager to generate MD5 and SHA-1 hash values. They should be different from the original hash values you found for this file. When you’re finished, exit FTK Imager.

Reviewing a Case

Chapter 2 introduced tasks for planning your investigation, some of which are repeated in the following list. Later in this section, you apply each task to a hypothetical investigation to create a preparation plan for searching an incident or crime scene. The following are the general tasks you perform in any computer forensics case:

• Identify the case requirements.
• Plan your investigation.
• Conduct the investigation.
• Complete the case report.
• Critique the case.

The following sections give you an example of civil and criminal investigations, and then you review how to perform some of these general tasks in a case involving a hypothetical company.

Sample Civil Investigation

Most cases in the corporate environment are considered low-level investigations, or noncriminal cases. This doesn’t mean corporate computing investigations are less important; it means they require less effort than a major criminal case. The example of a low-level civil investigation in this section is an e-mail investigation that resulted in a lawsuit between two businesses. An investigation of this nature requires examining only e-mail messages, not a complete disk forensics analysis.

Mr. Jones at Company A claims to have received an order for $200,000 in widgets from the purchasing manager, Mr. Smith, at Company B. Company A manufactures the widgets and notifies Company B that they’re ready for shipment. Mr. Smith at Company B replies that they didn’t order any widgets and won’t pay for them. Company A locates an e-mail requesting the widgets that appears to be from Mr. Smith and informs Company B about the e-mail. Company B tells Company A that the e-mail didn’t originate from its e-mail server, and it won’t pay for the widgets.
Company A files a lawsuit against Company B based on the widget order in Mr. Smith’s e-mail. The lawyers for Company A contact the lawyers for Company B and discuss the lawsuit. Company A’s lawyers make discovery demands to conduct a computer forensics analysis on Mr. Smith’s computer in hopes of finding the original message that caused the problem. At the same time, Company B’s lawyers demand discovery on Mr. Jones’s computer because they believe the e-mail is a fake.

As a computing investigator, you receive a call from your boss asking you to fulfill the discovery demands from Company B’s lawyers to locate and determine whether the e-mail message on Mr. Jones’s computer is real or fake. Because it’s an e-mail investigation, not a major crime involving computers, you’re dispatched to Company A. When you get there, you find Mr. Jones’s computer powered on and running Microsoft Outlook. The discovery order authorizes you to recover only Mr. Jones’s Outlook e-mail folder, the .pst file. You aren’t authorized to do anything else. You would take the following steps in this situation:

1. Close the Outlook program on Mr. Jones’s computer.
2. Use Windows Explorer to locate the Outlook .pst file containing his business e-mail. You might need to use the Windows Search feature to find files with the .pst extension.
3. Determine how large the .pst file is and connect the appropriate media device, such as an external USB drive, to Mr. Jones’s computer.
4. Copy the .pst file to your external USB drive, and then remove the USB drive.
5. Fill out your evidence form, stating where on Mr. Jones’s disk you located the .pst file, along with the date and time you performed this task.
6. Leave Company A and return to your computer forensics lab. Place the USB drive in your evidence safe.

For most civil investigations, you collect only specific items that have been determined germane by lawyers or the Human Resources Department.
Another activity common in the corporate computing environment is covert surveillance of employees who are abusing their computing and network privileges. The use of covert surveillance of employees must be well defined in company policy before it can be carried out. If a company doesn’t have a policy that informs employees they have no privacy rights when using company computers, no surveillance can be conducted without exposing the company to civil or even criminal liability. If no policy exists, the company must create a policy and notify all employees about the new rules. Your legal department should create policy language appropriate for your state or country and define the rights and authority the company has in conducting surveillance of employees according to provincial, state, or country privacy laws.

For covert surveillance, you set up monitoring tools that record a suspect’s activity in real time. Real-time surveillance requires sniffing data transmissions between a suspect’s computer and a network server. Sniffing software allows network administrators and others to determine what data is being transmitted over the network. Other data-collecting tools (called keylogger programs; Spector and WinWhatWhere, for example) are screen capture programs that collect most or all screens and keystrokes on a suspect’s computer. Most of these tools run on Windows and usually collect data through remote network connections. The tools are hidden or disguised as other programs in Windows Task Manager and process logs. Another covert surveillance product is Guidance Software EnCase Enterprise Edition (EEE), which is a centrally located server with specialized software that can activate servlets over a network to remote workstations. Computing investigators can perform forensics examinations in real time through this remote connection to a suspect’s computer.
Sample Criminal Investigation

Crime scenes involving computers range from fraud cases to homicides. Because high-quality printers are now available, one of the most common computer-related crimes is check fraud. Many check fraud cases also involve making and selling false ID cards, such as driver’s licenses.

In one recent case, the police received a tip that a check-forging operation was active in an apartment building. After the detective contacted a reliable informant, he had enough information for a search warrant and asked the patrol division to assist him in serving the warrant. When the detective entered the suspect’s apartment and conducted a preliminary search, he found a network of six high-end workstations with cables connected to devices in the adjacent apartment through a hole in the wall (see Figure 5-9). Unfortunately, the warrant specified a search of only one apartment. The detective contacted the deputy prosecutor, who instructed him to stand guard at both apartments until she could have a judge issue an additional warrant for the neighboring apartment. When he received the second search warrant, the detective entered the adjoining apartment and continued his search, finding more computers, high-quality color laser printers, checks, and stolen blank driver’s licenses. The outcome of the investigation revealed that the perpetrators were three enterprising high school students who were selling fake IDs to fellow students. The check fraud scheme was a new sideline they were developing to improve their cash flow.

Figure 5-9 Search warrant limits

Reviewing Background Information for a Case

A company called Superior Bicycles, with a Web site at www.superiorbicycles.biz, specializes in creating new and inventive modes of human-driven transportation. Two employees, Chris Murphy and Nau Tjeriko, have been missing for several days.
A USB drive has been recovered from Chris’s office with evidence that he had been conducting a side business using company computers. Steve, a manager, talks to other employees, but no one knows why Chris and Nau aren’t at work. To learn where Nau might be, Steve searches the surface of her desk and notices travel brochures for European tours. Steve also looks around Chris’s office again and finds notes about a Swiss supplier Steve once used and another USB drive with the supplier’s name on the label. Steve suspects the USB drive contains more information and calls you, the computing investigator for his company. He describes Chris and Nau’s absence from the company and asks you to examine the USB drive to see whether it identifies their whereabouts.

Identifying the Case Requirements

Before you analyze the USB drive, answer the following basic questions to start your investigation:

• What is the nature of the case? Two people are missing or overdue at work.
• What are their names? Chris Murphy and Nau Tjeriko.
• What do they do? Chris works in the Financial Records Department, and Nau is a nurse who does ergonomic work for Superior Bicycles.
• What is the OS of the suspect computer? Microsoft Windows XP.
• What type of media needs to be examined? One USB drive.
• What is the suspect computer’s configuration, such as type, CPU speed, and hard drive size? An AMD dual-core processor, 3 GB RAM, and a 200 GB Western Digital hard drive.

Planning the Investigation

To find information about Chris and Nau’s whereabouts, list what you can assume or already know about the case:

• Chris and Nau’s absences might or might not be related.
• Chris’s computer might contain information explaining their absence.
• No one else has used Chris’s computer since he disappeared.

You need to make an image of Chris’s USB drive and attempt to retrieve evidence related to the case. The following section explains how to use AccessData FTK to examine the drive’s contents.
Conducting the Investigation: Acquiring Evidence with AccessData FTK

In the following activity, you use AccessData FTK to extract and analyze an image file. In Chapters 2 and 4, you learned how to acquire an image of a drive with ProDiscover Basic and other tools. To prepare FTK for analyzing the image of a suspect drive, follow these steps:

1. Make sure you have extracted data files from the Chap05 folder on the book’s DVD to your work folder for this chapter.
2. To start FTK, click Start, point to All Programs, point to AccessData, point to Forensic Toolkit, and click Forensic Toolkit. If you’re prompted with a warning dialog box and/or notification, click OK to continue, and click OK, if necessary, in the message box thanking you for evaluating the program.
3. In the AccessData FTK Startup dialog box, click the Start a new case option button, and then click OK.
4. In the New Case dialog box, enter your name as the investigator, InChp05 as the case number, and a suitable case name, and then click Next.
5. Fill out the information in the Forensic Examiner Information dialog box as you want it to appear in your final report, and then click Next until you reach the Evidence Processing Options dialog box. Make sure the Data Carve check box is not selected because this option makes processing take much longer; you can always do data carving later, if necessary. Then click Next.
6. In the Refine Case - Default dialog box, click the Include All Items button (see Figure 5-10), and then click Next.
7. In the Refine Index - Default dialog box, accept the default settings, and then click Next.
8. In the main Add Evidence to Case dialog box, click the Add Evidence button.
9. In the second Add Evidence to Case dialog box, click the Acquired Image of Drive option button, and then click Continue.
10. In the Open dialog box, navigate to your work folder, click to select the InChap05.001 file, and then click Open.
Figure 5-10 The Refine Case - Default dialog box

11. In the Evidence Information dialog box, enter the additional information, using Figure 5-11 as a guideline. Click the Local Evidence Time Zone list arrow at the bottom, click the suspect’s time zone in the drop-down list, and then click OK.

Figure 5-11 The Evidence Information dialog box

12. In the main Add Evidence to Case dialog box, shown in Figure 5-12, accept the default settings, and then click Next.

Figure 5-12 The Add Evidence to Case dialog box with image file listed

13. In the Case Summary dialog box (see Figure 5-13), click Finish to initiate the analysis. FTK then performs several steps of cataloging data and indexing every word in the InChap05.001 image file. The cataloging process organizes and lists each file in its own section for follow-up analysis (see Figure 5-14). The indexing feature creates a database of every word in the image file with its exact location so that you can easily look up keywords of interest to the investigation.
14. When FTK finishes cataloging and indexing, the FTK window opens to the Overview tab. To analyze an image with FTK, click the Explore tab. In the upper-left pane (the tree view), click to expand a folder, if needed, and then click the List all descendants check box. When you’re navigating between the Explore, Graphics, and E-Mail tabs in the FTK window, only the folder tree is displayed. If you click to expand a folder in the upper-left pane, its contents (files) are displayed in the lower pane. The List all descendants option enables you to view all files, regardless of which folder they’re in, and you can scroll through all files at once.

Figure 5-13 The Case Summary dialog box

Figure 5-14 The Processing Files dialog box

15. Navigate through each file in the lower pane by clicking the filenames one at a time. The upper-right pane displays any data in the files.
For example, Figure 5-15 shows the data for the PICT0032.jpg file selected in the lower pane. Review this data to see what information can be retrieved from this image.

Figure 5-15 Selecting files of interest

16. When you have located a file containing information you think is important, click the check box next to the filename in the lower pane. Continue searching for more information, and select any additional files of interest.
17. After you have selected all files of interest, click Tools, Create Bookmark from the menu. In the Create New Bookmark dialog box, type a bookmark name and any comments. Then click the All checked items button, click the Include in report and Export files check boxes (see Figure 5-16), and click OK. The purpose of bookmarks in FTK is to provide a way to copy information of evidentiary value to a report.
18. After you have bookmarked key files containing possible evidence, click File, Report Wizard from the menu. In the Case Information dialog box, click to select the Include Investigator Information in report check box (if necessary), click to select the investigator’s name in the drop-down list box, and then click Next.
19. In the Bookmarks - A window, click Next. Continue clicking Next through the remaining report wizard windows until you reach the Report Location window, and then click Finish.

Figure 5-16 The Create New Bookmark dialog box

20. When the Report Wizard displays a prompt asking whether you want to view the report, click Yes to see the report in your default Web browser. Click the links to view the report’s contents, and then close your browser. When you’re done, exit FTK by clicking File, Exit from the menu. If prompted to back up your case, click No.

Chapter Summary

■ Digital evidence is anything stored or transmitted on electronic or optical media. It’s extremely fragile and easily altered.
■ In the private sector, an incident scene is often a place of work, such as a contained office or manufacturing area. Because everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority, investigating and controlling the scene are easier than at a crime scene.
■ Companies should publish policies stating that they reserve the right to inspect computing assets at will; otherwise, employees’ expectation of privacy prevents an employer from legally conducting an intrusive investigation or covert surveillance. A well-defined corporate policy states that an employer has the right to examine, inspect, or access any company-owned computing asset.
■ Proper procedure needs to be followed even in private-sector investigations because civil cases can easily become criminal cases. If an internal corporate case is turned over to law enforcement because of criminal activity, the corporate investigator must avoid becoming an agent of law enforcement.
■ Criminal cases require a properly executed and well-defined search warrant. A specific crime and location must be spelled out in the warrant. For all criminal investigations in the United States, the Fourth Amendment specifies that a law enforcement officer can search for and seize criminal evidence only with probable cause, which is facts or circumstances that lead a reasonable person to believe a crime has been committed or is about to be committed.
■ The plain view doctrine applies when investigators find evidentiary items that aren’t specified in a warrant or under probable cause.
■ When preparing for a case, describe the nature of the case, identify the type of OS, determine whether you can seize the computer, and obtain a description of the location.
■ When dealing with a hazardous materials (HAZMAT) situation, you might need to obtain HAZMAT certification or have someone else with that certification collect the evidence.
■ Always take pictures or use a video camera to document the scene. Prevent professional curiosity from contaminating evidence by limiting who enters the scene.
■ As you collect digital evidence, guard against physically destroying or contaminating it. Take precautions to prevent static electricity discharge to electronic devices. If possible, bag or box digital evidence and any hardware you collect from the scene. As you collect hardware, sketch the equipment, including exact markings of where components are located. Tag and number each cable, port, and other connection and record its number and description in a log.
■ Selecting a medium for storing digital evidence usually depends on how long you need to keep the evidence. The ideal storage media are CD-Rs or DVDs. You can also use magnetic tape, such as 4-mm DAT and DLT magnetic tapes.
■ Forensic hash values are used to verify that data or storage media have not been altered. The two most common hashing algorithms for forensics purposes are currently MD5 and SHA-1, although both are being replaced slowly as more research is done. A forensic hash can’t be predicted, no two files can have the same hash value, and if the file changes, the hash value must change.
■ To analyze computer forensics data, learn to use more than one vendor tool. Different vendors offer varying methods for recovering data from magnetic media. AccessData FTK is a Windows GUI tool for recovering data from FAT, NTFS, and Ext2 file systems and has a unique method of cataloging and indexing data that speeds up the examination process.
■ You must handle all evidence the same way every time you handle it. Apply the same security and accountability controls for evidence in a civil lawsuit as for evidence from a crime scene to comply with state or federal rules of evidence.
■ After you determine that an incident scene has digital evidence, identify the digital information or artifacts that can be used as evidence.
Next, catalog or document the evidence you find. Your goal is to preserve evidence integrity, which means you must not modify the evidence as you collect and catalog it. An incident scene should be photographed and sketched, and then each item labeled and put in an evidence bag. Collect, preserve, document, analyze, identify, and organize the evidence. Then rebuild evidence or repeat a situation to verify that you get the same results every time.

Key Terms

4-mm DAT: Magnetic tapes that store about 4 GB of data, but like CD-Rs, are slow to read and write data.
Automated Fingerprint Identification Systems (AFIS): A computerized system for identifying fingerprints that’s connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
computer-generated records: Data generated by a computer, such as system log files or proxy server logs.
computer-stored records: Digital files generated by a person, such as electronic spreadsheets.
covert surveillance: Observing people or places without being detected, often using electronic equipment, such as video cameras or keystroke/screen capture programs.
Cyclic Redundancy Check (CRC): A mathematical algorithm that translates a file into a unique hexadecimal value.
digital evidence: Evidence consisting of information stored or transmitted in electronic form.
extensive-response field kit: A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, such as extra storage drives.
hash value: A unique hexadecimal value that identifies a file or drive.
hazardous materials (HAZMAT): Chemical, biological, or radiological substances that can cause harm to people.
initial-response field kit: A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensics analysis in the field.
innocent information: Data that doesn’t contribute to evidence of a crime or violation.
International Organization on Computer Evidence (IOCE): A group that sets standards for recovering, preserving, and examining digital evidence.
keyed hash set: A value created by an encryption utility’s secret key.
limiting phrase: Wording in a search warrant that limits the scope of a search for evidence.
low-level investigations: Corporate cases that require less effort than a major criminal case.
Message Digest 5 (MD5): An algorithm that produces a hexadecimal value of a file or storage media. Used to determine whether data has been changed.
National Institute of Standards and Technology (NIST): One of the governing bodies responsible for setting standards for various U.S. industries.
nonkeyed hash set: A unique hash number generated by a software tool and used to identify files.
person of interest: Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
plain view doctrine: When conducting a search and seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. As applied to executing searches of computers, the plain view doctrine’s limitations are less clear.
probable cause: The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest.
professional curiosity: The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened.
Scientific Working Group on Digital Evidence (SWGDE): A group that sets standards for recovering, preserving, and examining digital evidence.
Secure Hash Algorithm version 1 (SHA-1): A forensic hashing algorithm created by NIST to determine whether data in a file or on storage media has been altered.
sniffing: Detecting data transmissions to and from a suspect’s computer and a network server to determine the type of data being transmitted over a network.

Review Questions

1. Corporate investigations are typically easier than law enforcement investigations for which of the following reasons?
   a. Most companies keep inventory databases of all hardware and software used.
   b. The investigator doesn’t have to get a warrant.
   c. The investigator has to get a warrant.
   d. Users can load whatever they want on their machines.
2. In the United States, if a company publishes a policy stating that it reserves the right to inspect computing assets at will, a corporate investigator can conduct covert surveillance on an employee with little cause. True or False?
3. If you discover a criminal act, such as murder or child pornography, while investigating a corporate policy abuse, the case becomes a criminal investigation and should be referred to law enforcement. True or False?
4. As a corporate investigator, you can become an agent of law enforcement when which of the following happens? (Choose all that apply.)
   a. You begin to take orders from a police detective without a warrant or subpoena.
   b. Your internal investigation has concluded, and you have filed a criminal complaint and turned over the evidence to law enforcement.
   c. Your internal investigation begins.
   d. None of the above.
5. The plain view doctrine in computer searches is well-established law. True or False?
6. If a suspect computer is located in an area that might have toxic chemicals, you must do which of the following? (Choose all that apply.)
   a. Coordinate with the HAZMAT team.
   b.
Determine a way to obtain the suspect computer.
   c. Assume the suspect computer is contaminated.
   d. Do not enter alone.
7. What are the three rules for a forensic hash?
8. In forensic hashes, a collision occurs when ________________________________.
9. List three items that should be in an initial-response field kit.
10. When you arrive at the scene, why should you extract only those items you need to acquire evidence?
11. Computer peripherals or attachments can contain DNA evidence. True or False?
12. If a suspect computer is running Windows 2000, which of the following can you perform safely?
   a. Browsing open applications
   b. Disconnecting power
   c. Either of the above
   d. None of the above
13. Describe what should be videotaped or sketched at a computer crime scene.
14. Which of the following techniques might be used in covert surveillance?
   a. Keylogging
   b. Data sniffing
   c. Network logs
15. Commingling evidence means what in a corporate setting?
16. List two hashing algorithms commonly used for forensic purposes.
17. Small companies rarely need investigators. True or False?
18. If a company doesn’t distribute a computing use policy stating an employer’s right to inspect employees’ computers freely, including e-mail and Web use, employees have an expectation of privacy. True or False?
19. You have been called to the scene of a fatal car crash where a laptop computer is still running. What type of field kit should you take with you?
20. You should always answer questions from onlookers at a crime scene. True or False?

Hands-On Projects

There are no data files to extract for this chapter’s projects, but create a Work\Chap05\Projects folder on your system before starting the projects.

Hands-On Project 5-1

In the past few years, there have been challenges to and changes in the way the Patriot Act is applied and what information ISPs must supply.
Research these recent changes online, making sure to check the date of any articles you find. Write a one- to two-page paper explaining how the Patriot Act originally affected ISPs and what changes have taken place since then.

Hands-On Project 5-2

You’re investigating an internal policy violation when you find an e-mail about a serious assault for which a police report needs to be filed. What should you do? Write a two-page paper specifying who in your company you need to talk to first and what evidence must be turned over to the police.

Hands-On Project 5-3

You’re at a crime scene, which is the home of a suspected drug dealer. You find a computer turned on with three applications running. An online session is also open through a DSL connection. Write a one- to two-page paper outlining what you should do to document the crime scene and collect and package the evidence.

Hands-On Project 5-4

In this project, you create a file on a USB drive and calculate its hash value in FTK Imager. Then you change the file and calculate the hash value again to compare the files. You need a Windows computer and a USB drive.
1. Create a folder called C5Prj04 on your USB drive, and then start Notepad.
2. In a new text file, type This is a test of hash values. One definition of a forensic hash is that if the file changes, the hash value changes.
3. Save the file as hash1.txt in the C5Prj04 folder on your USB drive, and then exit Notepad.
4. Start FTK Imager, and click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Logical Drive option button, and then click Next.
5. In the Select Drive dialog box, click the Drive Selection list arrow, click to select your USB drive, and then click Finish.
6. In the upper-left pane, click to expand your USB drive and continue expanding until you can click the C5Prj04 folder. In the upper-right pane, you should see the hash1.txt file you created.
7.
Right-click the file and click Export File Hash List. Save the file as original hash in the C5Prj04 folder on your USB drive. FTK Imager saves it as a .csv file. Exit FTK Imager, and start Notepad.
8. Open hash1.txt in Notepad. Add one letter to the end of the file, save it, and exit Notepad.
9. Start FTK Imager again. Repeat Steps 4 to 7 (but without starting Notepad again), but this time when you export the file hash list, save the file as changed hash.
10. Open the original hash and changed hash files on your USB drive in Excel (or another spreadsheet program). Compare the hash values in both files to see whether they are different, and then exit Excel.

Hands-On Project 5-5

In this project, you create a file on your USB drive and calculate its hash values in FTK Imager. Then you change the filename and extension and calculate the hash values again to compare them. You need a Windows computer and a USB drive.
1. Create a folder called C5Prj05 on your USB drive, and then start Notepad.
2. In a new text file, type This project shows that the file, not the filename, has to change for the hash value to change.
3. Click File, Save As from the menu, and save the file as testhash.txt in the C5Prj05 folder on your USB drive. Exit Notepad, and start FTK Imager.
4. Click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Logical Drive option button, and then click Next.
5. In the Select Drive dialog box, click the Drive Selection list arrow, click to select your USB drive, and then click Finish.
6. In the upper-left pane, click to expand your USB drive and continue expanding until you can click the C5Prj05 folder. In the upper-right pane, you should see the testhash.txt file you created.
7. Right-click the file and click Export File Hash List. Save the file as original hash value in the C5Prj05 folder on your USB drive. FTK Imager saves it as a .csv file.
8.
Click to select your USB drive in the upper-left pane, if necessary, and then click File, Remove Evidence Item from the menu. Exit FTK Imager.
9. Open Windows Explorer. Right-click the testhash.txt file on your USB drive, and rename it as testhash.doc. In the error message about the change in extension, click Yes.
10. Start FTK Imager. Follow Steps 4 to 7, but this time when you export the file hash list, right-click the testhash.doc file, and save it as changed hash value. Exit FTK Imager.
11. Open original hash value and changed hash value in Excel (or another spreadsheet program). Compare the hash values in both files to see whether they are different, and then exit Excel.

Case Projects

Case Project 5-1

In the arson running case project, what information do you need about the crime scene and how the digital evidence was acquired? Review the memos you received from the Seattle Police Department and the Legatima Insurance Company, and write a short paper outlining what information might be missing and what you need to find out.

Case Project 5-2

You’re a detective for the local police. Thomas Brown, the primary suspect in a murder investigation, works at a large local firm and is reported to have two computers at work in addition to one at home. What do you need to do to gather evidence from these computers, and what obstacles can you expect to encounter during this process? Write a two- to three-page report stating what you would do if the company had its own Computer Forensics and Investigations Department and what you would do if the company did not.

Case Project 5-3

A murder in a downtown office building has been widely publicized. You’re a police detective and receive a phone call from a computer forensics investigator, Gary Owens, who says he has information that might relate to the murder case. Gary says he ran across a few files while investigating a policy violation at a company in the same office building.
Considering the silver-platter doctrine, what procedures might you, as a public official, have to follow? Write a one-page paper detailing what you might do.

Case Project 5-4

Your spouse works at a middle school and reports rumors of a teacher, Zane Wilkens, molesting some students and taking illicit pictures of them. Zane allegedly viewed these pictures in his office. Your spouse wants you to take a disk image of Zane’s computer and find out whether the rumors are true. Write a one- to two-page paper outlining how you would tell your spouse and school administrators to proceed. Also, explain why walking into Zane’s office to acquire a disk image wouldn’t preserve the integrity of the evidence.

Case Project 5-5

As a computing investigator for your local sheriff’s department, you have been asked to go with a detective to a local school that received a bomb threat in an anonymous e-mail. The detective already has information from a subpoena sent to the last known ISP where the anonymous e-mail originated, and the message was sent from a residence in the school’s neighborhood. The detective tells you the school principal also stated that the school’s Web server had been defaced by an unknown computer attacker. The detective has just obtained a warrant for the search and seizure of a computer at the residence the ISP identified. Prepare a list of what items should be included in an initial-response field kit to ensure the preservation of computer evidence when the warrant is carried out.
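The FTK Imager exercises in Hands-On Projects 5-4 and 5-5 above, and the chapter summary's three rules for a forensic hash, can be reproduced without a GUI tool. The following Python script is an added example, not code from the textbook or from AccessData: it hashes a file with MD5 and SHA-1 (the two algorithms the chapter names) plus SHA-256 (added because, as the summary notes, the older two are being phased out; both now have published collision attacks, so a modern hash set should carry SHA-256 alongside them), renames the file, appends one letter, and re-verifies against the recorded digests the way you would compare the exported .csv hash lists. The file text and names mirror the projects; a temporary directory stands in for the USB drive.

```python
"""Added example (not from the textbook): Hands-On Projects 5-4 and 5-5 in code."""
import hashlib
import hmac
import os
import tempfile

# MD5 and SHA-1 are the algorithms the chapter names; SHA-256 is added because
# both older algorithms are being phased out of forensic practice.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, recorded):
    """Re-hash a file and compare it with a previously recorded hash list (the role
    of the exported .csv in the projects). Returns {algorithm: True/False}."""
    current = hash_file(path)
    return {name: hmac.compare_digest(current[name], digest)
            for name, digest in recorded.items()}


def demo():
    """Create hash1.txt, rename it, then append one letter, hashing at each step."""
    with tempfile.TemporaryDirectory() as work:
        path = os.path.join(work, "hash1.txt")
        with open(path, "wb") as fh:
            fh.write(b"This is a test of hash values. One definition of a forensic hash "
                     b"is that if the file changes, the hash value changes.")
        original = hash_file(path)

        # Project 5-5: changing only the name and extension leaves the content,
        # and therefore every digest, unchanged.
        renamed = os.path.join(work, "testhash.doc")
        os.rename(path, renamed)
        after_rename = hash_file(renamed)

        # Project 5-4: adding a single letter to the end of the file changes every digest.
        with open(renamed, "ab") as fh:
            fh.write(b"x")
        after_append = hash_file(renamed)

        return {
            "rename_preserves_hash": original == after_rename,
            "append_changes_hash": all(original[a] != after_append[a] for a in ALGORITHMS),
            "verify_after_change": verify_file(renamed, original),  # every check now fails
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the script directly to see the three results; `hash_file` reads in 64 KB chunks so the same function can hash a full drive image, and `verify_file` uses a constant-time comparison out of habit, which costs nothing here.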
Chapter 6 Working with Windows and DOS Systems

After reading this chapter and completing the exercises, you will be able to:
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of New Technology File System (NTFS) disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Describe MS-DOS startup tasks
• Explain the purpose of a virtual machine

Chapters 6 and 8 provide an overview of computer data and drives. This chapter reviews how data is stored and managed on Microsoft operating systems (OSs). To become proficient in recovering data for computer investigations, you should understand file systems and their OSs, including legacy (MS-DOS, Windows 9x, and Windows Me, for example) and current OSs, such as Windows 2000, XP, and Vista. In this chapter, you examine the tasks an OS performs when it starts so that you can avoid altering evidence when you examine data on a drive. You also learn how to use a Virtual PC environment to further analyze Windows digital evidence. Chapter 8 discusses Macintosh and Linux file systems and covers hardware devices such as CDs, CD-RWs, and SCSI, IDE, and SATA drives.

Understanding File Systems

To investigate computer evidence effectively, you must understand how the most commonly used OSs work and how they store files. In addition to this section on file systems, you should review books on Computer Technology Industry Association (CompTIA) A+ certifications in hardware and firmware startup tasks and operations. A file system gives an OS a road map to data on a disk. The type of file system an OS uses determines how data is stored on the disk. A file system is usually directly related to an OS, although some vendors grandfather in previous OSs so that newer ones can read them.
For example, most current Linux releases can access disks configured in the older Linux Ext2fs and Ext3fs file systems. No matter which platform you use, you need to know how to access and modify system settings when necessary. When you need to access a suspect’s computer to acquire or inspect data related to your investigation, you should be familiar with the computer’s platform. This chapter examines Windows and DOS in detail; Chapter 8 covers information on Macintosh and Linux. For other computer systems, consult system administrators and vendor manuals.

Understanding the Boot Sequence

To ensure that you don’t contaminate or alter data on a suspect’s Windows or DOS PC, you must know how to access and modify a PC’s Complementary Metal Oxide Semiconductor (CMOS) and Basic Input/Output System (BIOS) settings. A computer stores system configuration and date and time information in the CMOS when power to the system is off. The system BIOS contains programs that perform input and output at the hardware level.

When a subject’s computer starts, you must make sure it boots to a forensic floppy disk or CD, as described in Chapters 2 and 4, because booting to the hard disk overwrites and changes evidentiary data. To do this, you access the CMOS setup by monitoring the subject’s computer during the initial bootstrap process to identify the correct key or keys to use. The bootstrap process is contained in ROM and tells the computer how to proceed. As the computer starts, the screen usually displays the key or keys, such as the Delete key, you press to open the CMOS setup screen. You can also try unhooking the keyboard to force the system to tell you what keys to use. The key you press to access CMOS depends on the computer’s BIOS. The popular BIOS manufacturers Award and AMI use the Delete key to access CMOS; other manufacturers use Ctrl+Alt+Insert, Ctrl+A, Ctrl+S, or Ctrl+F1, F2, and F10.
Figure 6-1 shows a typical CMOS setup screen, where you check a computer’s boot sequence. If necessary, you can change the boot sequence so that the OS accesses the CD/DVD drive or a floppy drive (if available) before any other boot device. Each BIOS vendor’s screen is different, but you can refer to the vendor’s documentation or Web site for instructions on changing the boot sequence.

Figure 6-1 A typical CMOS setup screen

Understanding Disk Drives

You should be familiar with disk drives and how data is organized on a disk so that you can find data effectively. Disk drives are made up of one or more platters coated with magnetic material, and data is stored on platters in a particular way. For additional information on disk drive configurations, see www.storagereview.com/guide2000/ref/hdd/index.html. Following is a list of disk drive components, illustrated in Figure 6-2:
• Geometry—Geometry refers to a disk’s structure of platters, tracks, and sectors.
• Head—The head is the device that reads and writes data to a drive. There’s one head per platter.
• Tracks—Tracks are concentric circles on a disk platter where data is located.
• Cylinders—A cylinder is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom.
• Sectors—A sector is a section on a track, usually made up of 512 bytes.

Figure 6-2 Components of a disk drive

The manufacturer engineers a disk to have a certain number of sectors per track, and a typical disk drive stores 512 bytes per sector. To determine the total number of addressable bytes on a disk, multiply the number of cylinders by the number of heads (actually tracks) and by the number of sectors (groups of 512 or more bytes), as shown in Figure 6-3. Disk drive vendors refer to this formula as a cylinder, head, and sector (CHS) calculation. Tracks also follow a numbering scheme starting from 0, which is the first value in computing.
If a disk lists 79 tracks, you actually have 80 tracks from 0 to 79.

Figure 6-3 CHS calculation

Other disk properties, such as zoned bit recording (ZBR), track density, areal density, and head and cylinder skew, are handled at the drive’s hardware or firmware level. ZBR is how most manufacturers deal with a platter’s inner tracks being shorter than its outer tracks. Grouping tracks by zones ensures that all tracks hold the same amount of data. Track density is the space between each track. As with old vinyl records, the smaller the space between each track, the more tracks you can place on the platter. On older disks, the space was wider, which allowed heads to wander, making it possible for specialists to retrieve data from previous writes to a platter. Areal density refers to the number of bits in one square inch of a disk platter. This number includes the unused space between tracks. Head and cylinder skew are used to improve disk performance. As the read-write head moves from one track to another, starting sectors are offset to minimize lag time.

Exploring Microsoft File Structures

Because most PCs use Microsoft software products, you should understand Microsoft file systems so that you know how Windows and DOS computers store files. In particular, you need to understand clusters, File Allocation Table (FAT), and New Technology File System (NTFS). The method an OS uses to store files determines where data can be hidden. When you examine a computer for forensic evidence, you need to explore these hiding places to determine whether they contain files or parts of files that might be evidence of a crime or policy violation.

In Microsoft file structures, sectors are grouped to form clusters, which are storage allocation units of one or more sectors. Clusters are typically 512, 1024, 2048, 4096, or more bytes each. Combining sectors minimizes the overhead of writing or reading files to a disk.
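The CHS calculation of Figure 6-3 above, written out in Python as an added example (not from the textbook), and extended one step beyond the text: the same geometry also converts a cylinder/head/sector triple to and from the physical sector number (the address that the chapter calls a physical address, counted from 0), which is what a disk editor shows when you open a drive. The two geometries are constructed for illustration: an 80-cylinder, 2-head, 18-sector 1.44 MB floppy, and the 1024x16x63 geometry that was the traditional BIOS addressing limit.

```python
"""Added example (not from the textbook): the CHS capacity calculation and the
conversion between CHS addresses and physical sector numbers."""

BYTES_PER_SECTOR = 512


def chs_capacity(cylinders, heads, sectors_per_track, bytes_per_sector=BYTES_PER_SECTOR):
    """Total addressable bytes = cylinders x heads x sectors per track x bytes per sector."""
    return cylinders * heads * sectors_per_track * bytes_per_sector


def track_count(highest_track_number):
    """Tracks are numbered from 0, so a disk whose last track is 79 has 80 tracks."""
    return highest_track_number + 1


def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """Map a CHS address to a physical sector number (LBA). Cylinders and heads count
    from 0; sectors within a track count from 1, which is why sector 1 maps to LBA 0."""
    if cylinder < 0 or not 0 <= head < heads or not 1 <= sector <= sectors_per_track:
        raise ValueError("CHS address outside the drive geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba: split a physical sector number back into (c, h, s)."""
    cylinder, remainder = divmod(lba, heads * sectors_per_track)
    head, sector_index = divmod(remainder, sectors_per_track)
    return cylinder, head, sector_index + 1


# Constructed geometries (not taken from the chapter): a 1.44 MB floppy and the
# 1024-cylinder BIOS limit for an old IDE drive.
FLOPPY_1440 = dict(cylinders=80, heads=2, sectors_per_track=18)
BIOS_LIMIT = dict(cylinders=1024, heads=16, sectors_per_track=63)


def describe(geometry):
    """Capacity in bytes, total sectors, and the CHS address of the last sector."""
    total_sectors = geometry["cylinders"] * geometry["heads"] * geometry["sectors_per_track"]
    last = lba_to_chs(total_sectors - 1, geometry["heads"], geometry["sectors_per_track"])
    return {"bytes": chs_capacity(**geometry), "sectors": total_sectors, "last_chs": last}


if __name__ == "__main__":
    print(describe(FLOPPY_1440))   # 1,474,560 bytes
    print(describe(BIOS_LIMIT))    # 528,482,304 bytes
```

The floppy geometry gives exactly 1,474,560 bytes, and the BIOS-limit geometry gives 528,482,304 bytes, which is the 504 MiB ceiling older machines could address through the BIOS before extended INT 13h addressing; `lba_to_chs` of the last sector returns (79, 1, 18) for the floppy, matching the text's point that a disk listing track 79 has 80 tracks.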
The OS groups one or more sectors into a cluster. The number of sectors in a cluster varies according to the disk size. For example, a double-sided floppy disk has one sector per cluster; a hard disk has four or more sectors per cluster. Clusters are numbered sequentially starting at 2 because the first sector of all disks contains a system area, the boot record, and a file structure database. The OS assigns these cluster numbers, which are referred to as logical addresses. These addresses point to relative cluster positions; for example, cluster address 100 is 98 clusters from cluster address 2. Sector numbers, however, are referred to as physical addresses because they reside at the hardware or firmware level and go from address 0 (the first sector on the disk) to the last sector on the disk. Clusters and their addresses are specific to a logical disk drive, which is a disk partition.

Disk Partitions

Many hard disks are partitioned, or divided, into two or more sections. A partition is a logical drive. For example, an 8 GB hard disk might contain four partitions or logical drives. FAT16 does not recognize disks larger than 2 MB, so these disks have to be partitioned into smaller sections for FAT to recognize the additional space.

Someone who wants to hide data on a hard disk can create hidden partitions or voids—large unused gaps between partitions on a disk drive. For example, partitions containing unused space (voids) can be created between the primary partition and the first logical partition. This unused space between partitions is called the partition gap. If data is hidden in a partition gap, a disk editor utility could also be used to alter information in the disk’s partition table. Doing so removes all references to the hidden partition, concealing it from the computer’s OS. Another technique is to hide incriminating digital evidence at the end of a disk by declaring a smaller number of bytes than the actual drive size.
With disk-editing tools, however, you can access these hidden or empty areas of the disk. One way to examine a partition’s physical level is to use a disk editor, such as Norton DiskEdit, WinHex, or Hex Workshop. These tools enable you to view file headers and other critical parts of a file. Both tasks involve analyzing the key hexadecimal codes the OS uses to identify and maintain the file system. Table 6-1 lists the hexadecimal codes in a partition table and identifies some common file system structures.

Table 6-1 Hexadecimal codes in the partition table
Hexadecimal code   File system
01                 DOS 12-bit FAT
04                 DOS 16-bit FAT for partitions smaller than 32 MB
05                 Extended partition
06                 DOS 16-bit FAT for partitions larger than 32 MB
07                 NTFS
08                 AIX bootable partition
09                 AIX data partition
0B                 DOS 32-bit FAT
0C                 DOS 32-bit FAT for interrupt 13 support
17                 Hidden NTFS partition (XP and earlier)
1B                 Hidden FAT32 partition
1E                 Hidden VFAT partition
3C                 Partition Magic recovery partition
66–69              Novell partitions
81                 Linux
82                 Linux swap partition (can also be associated with Solaris partitions)
83                 Linux native file systems (Ext2, Ext3, Reiser, Xiafs)
86                 FAT16 volume/stripe set (Windows NT)
87                 High Performance File System (HPFS) fault-tolerant mirrored partition or NTFS volume/stripe set
A5                 FreeBSD and BSD/386
A6                 OpenBSD
A9                 NetBSD
C7                 Typical of a corrupted NTFS volume/stripe set
EB                 BeOS

In some instances, you might need to identify the OS on an unknown disk. You can use Norton DiskEdit, WinHex, or Hex Workshop for this task. The following steps show you how to determine a disk’s OS by using Hex Workshop:
1. If necessary, download Hex Workshop from BreakPoint Software (www.hexworkshop.com) and install it. Check with your instructor about where you should install it on your computer.
2. Insert a USB drive into a USB port.
3.
Start Hex Workshop by right-clicking the Hex Workshop desktop icon and clicking Run as administrator, and then clicking the Continue button in the UAC message box. (In Windows XP or an older Windows OS, simply double-click the Hex Workshop desktop icon.)
4. In Hex Workshop, click Disk, Open Drive from the menu to see a list of your logical drives. Click the C: drive (or your working drive), and click OK. Figure 6-4 shows a typical hard disk in the Hex Workshop window.

Figure 6-4 Hex Workshop identifying the file system (callout: Indicates the file system)

The C drive displays “.R.NTFS” if the partition is formatted as an NTFS drive. If it’s a FAT drive, it displays MSDOS5.0 or MSWIN4.1 in the first logical sector.
5. Click Disk, Open Drive again, but this time, in the Open Drive drop-down list, click your USB drive, and then click OK. Compare the file system label for this drive to the one you saw in Step 4. Leave Hex Workshop open for the next activity.

With tools such as Hex Workshop, you can also identify file headers to identify file types with or without an extension. Before performing the following steps in Hex Workshop, use Windows Explorer or My Computer to find a folder on your system containing a bitmap (.bmp) file and a folder containing a Word document (.doc). Then follow these steps:
1. To open a bitmap file on your computer, click File, Open from the Hex Workshop menu. Navigate to a folder containing a bitmap (.bmp) file, and then double-click the .bmp file. (If you’re prompted to select any bookmarks, click Cancel and continue with this activity.)
2. As shown in Figure 6-5, the Hex Workshop window identifies the file type for the graphic. For .bmp files, it shows “BM6,” “BM,” or “BMF.” As shown in the figure, “42 4D” is also displayed to indicate a .bmp file.
3. To open a Word document, click File, Open from the menu. Navigate to a folder containing a Word document (.doc) file, and then double-click the .doc file.
As shown in Figure 6-6, the first line contains a row of 0s followed by “D0 CF 11 E0 A1 B1 1A E1,” which identifies the file as a Microsoft Office document. The same file header is displayed for an Excel or a PowerPoint file but doesn’t apply to Access databases.
4. Exit Hex Workshop.

Depending on the hexadecimal editor, hex values can be grouped in sets of two or four digits.

Figure 6-5 Hex Workshop indicating a .bmp file (callouts: Indicates a .bmp file; Also indicates a .bmp file)

Figure 6-6 Hex Workshop indicating a Microsoft Office file (callout: Indicates a Microsoft Office file)

In the Hands-On Projects, you apply these techniques to other file types.

Master Boot Record

On Windows and DOS computer systems, the boot disk contains a file called the Master Boot Record (MBR), which stores information about partitions on a disk and their locations, size, and other important items. Several software products can modify the MBR, such as Partition Magic’s Boot Magic. These boot partition utilities can interfere with some computer forensics acquisition tools, which is another reason you need several data acquisition tools.

Examining FAT Disks

File Allocation Table (FAT) is the file structure database that Microsoft originally designed for floppy disks. FAT is used on file systems before Windows NT and 2000. The FAT database is typically written to a disk’s outermost track and contains filenames, directory names, date and time stamps, the starting cluster number, and file attributes (archive, hidden, system, and read-only). PCs use FAT to organize files on a disk so that the OS can find the files it needs. There are four versions of FAT—FAT12, FAT16, FAT32, and FATX (used by Xbox game systems)—and a variation called Virtual File Allocation Table (VFAT). Microsoft developed VFAT to handle long filenames when it released Windows 95 and Windows for Workgroups.
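The partition table codes of Table 6-1, the partition gaps described under Disk Partitions, the boot-sector labels seen in the Hex Workshop steps, and the BM and D0 CF 11 E0 A1 B1 1A E1 file headers can all be checked programmatically instead of by eye. The following Python script is an added example, not code from the textbook, Hex Workshop, or any vendor. It decodes the four 16-byte entries of an MBR sector with a subset of the Table 6-1 codes, reports every sector range that no partition claims (the partition gaps, and any space past the last partition that a smaller-than-real declared size would leave unaccounted for), recognises the two file headers from the figures, and reads the OEM name at offset 3 of a volume's first sector, where NTFS, MSDOS5.0, or MSWIN4.1 appears. The entry layout (status byte at offset 0, type at offset 4, little-endian starting sector at offset 8 and sector count at offset 12, 55 AA signature at bytes 510 and 511) is the standard MBR format; the sample partitions and the disk size of 60,000 sectors are constructed for illustration.

```python
"""Added example (not from the textbook): reading an MBR partition table with the
Table 6-1 type codes, finding partition gaps, and checking file and boot-sector signatures."""
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 0x1BE      # four 16-byte entries, followed by the 55 AA signature
BOOT_SIGNATURE = b"\x55\xAA"

# Subset of Table 6-1 (hexadecimal code -> file system).
PARTITION_TYPES = {
    0x01: "DOS 12-bit FAT",
    0x04: "DOS 16-bit FAT for partitions smaller than 32 MB",
    0x05: "Extended partition",
    0x06: "DOS 16-bit FAT for partitions larger than 32 MB",
    0x07: "NTFS",
    0x0B: "DOS 32-bit FAT",
    0x0C: "DOS 32-bit FAT for interrupt 13 support",
    0x17: "Hidden NTFS partition",
    0x1B: "Hidden FAT32 partition",
    0x82: "Linux swap partition",
    0x83: "Linux native file systems",
}

# File headers pointed out in the Hex Workshop steps (Figures 6-5 and 6-6).
FILE_SIGNATURES = [
    (b"BM", "Windows bitmap (.bmp)"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "Microsoft Office document (Word, Excel, PowerPoint)"),
]


def parse_mbr(sector):
    """Return the non-empty entries of the partition table in the disk's first sector."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, ptype = sector[offset], sector[offset + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, offset + 8)
        if ptype == 0x00:               # empty slot
            continue
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "file_system": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "start": lba_start,
            "end": lba_start + sector_count - 1,
        })
    return entries


def find_gaps(entries, disk_sectors, first_usable=1):
    """Sector ranges owned by no partition: the gaps between partitions and any space
    beyond the last one. Sector 0 is the MBR itself, so the scan starts at sector 1."""
    gaps, cursor = [], first_usable
    for part in sorted(entries, key=lambda p: p["start"]):
        if part["start"] > cursor:
            gaps.append((cursor, part["start"] - 1))
        cursor = max(cursor, part["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def identify_header(data):
    """Name a file type from its leading bytes, regardless of the extension."""
    for magic, label in FILE_SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def identify_boot_sector(sector):
    """The OEM name at offset 3 of a volume's first sector is what Hex Workshop shows:
    NTFS for an NTFS volume, MSDOS5.0 or MSWIN4.1 for FAT volumes."""
    oem = sector[3:11]
    if oem.startswith(b"NTFS"):
        return "NTFS"
    if oem in (b"MSDOS5.0", b"MSWIN4.1"):
        return "FAT"
    return "unknown"


def _entry(status, ptype, start, count):
    # CHS start/end fields are left zero; only the LBA fields are used here.
    return bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)


def constructed_mbr():
    """A constructed 512-byte MBR (not from any real disk): a bootable NTFS partition,
    a FAT32 partition with a gap in front of it, and a hidden NTFS partition."""
    table = (_entry(0x80, 0x07, 63, 20000) + _entry(0x00, 0x0B, 24000, 10000)
             + _entry(0x00, 0x17, 40000, 5000) + bytes(16))
    return bytes(PARTITION_TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    parts = parse_mbr(constructed_mbr())
    for part in parts:
        print(part)
    print("unclaimed sector ranges:", find_gaps(parts, disk_sectors=60000))
```

On the constructed table the script lists the three partitions and four unclaimed ranges: sectors 1 to 62 (the normal gap before the first partition), 20063 to 23999 between the first two partitions, 34000 to 39999 before the hidden partition, and 45000 to 59999 after it. On a real image the same output tells you exactly which offsets to carve or hash separately; the hidden partition is only hidden from the OS, not from the table.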
The FAT version in Microsoft DOS 6.22 had a limitation of eight characters for filenames and three characters for extensions. The following list summarizes the evolution of FAT versions:
• FAT12—This version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.
• FAT16—To handle large disks, Microsoft developed FAT16, which is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 2 GB.
• FAT32—When disk technology improved and disks larger than 2 GB were created, Microsoft developed FAT32, which is used on Microsoft OSs such as Windows 95 (second release), 98, Me, 2000, XP, and Vista. FAT32 can access up to 2 TB of disk storage. One disk can have multiple partitions in FAT16, FAT32, or NTFS.
• FATX—Xbox media is stored in the FATX format and can be read by any Windows system. The date stamps start at the year 2000, unlike the other FAT formats that start at 1980.

Cluster sizes vary according to the hard disk size and file system. Table 6-2 lists the number of sectors and bytes assigned to a cluster on a FAT16 disk according to hard disk size.

Table 6-2 Sectors and bytes per cluster
Drive size       Sectors per cluster   FAT16
0–32 MB          1                     512 bytes
33–64 MB         2                     1 KB
65–128 MB        4                     2 KB
129–255 MB       8                     4 KB
256–511 MB       16                    8 KB
512–1023 MB      32                    16 KB
1024–2047 MB     64                    32 KB
2048–4095 MB     128                   68 KB

For FAT32 file systems, cluster sizes are determined by the OS. Clusters can range from 1 sector consisting of 512 bytes to 128 sectors of 64 KB. Microsoft OSs allocate disk space for files by clusters. This practice results in drive slack, composed of the unused space in a cluster between the end of an active file and the end of the cluster.
Drive slack includes RAM slack (found primarily in older Microsoft OSs) and file slack. For example, suppose you create a text document containing 5000 characters—that is, 5000 bytes of data. If you save this file on a 1.6 GB FAT16 disk, a Microsoft OS reserves one cluster for it automatically. For a 1.6 GB disk, the OS allocates about 32,000 bytes, or 64 sectors (512 bytes per sector), for your file. The unused space, 27,000 bytes, is the file slack (see Figure 6-7). RAM slack is created in the unused space on a sector. The 5000-byte text document uses up 10 sectors, or 5120 bytes, so 120 bytes of a sector aren’t used; however, DOS must write in full 512-byte chunks of data (sectors). The data to fill the 120-byte void is pulled from RAM and placed in the area between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any information in RAM at that point, such as logon IDs or passwords, is placed in RAM slack on older Microsoft OSs when you save a file. File fragments, deleted e-mails, and passwords are often found in RAM and file slack.
Figure 6-7 File slack space
An unintentional side effect of FAT16 having large clusters was that it reduced fragmentation as cluster size increased. The OS added extra data to the end of the file and allowed the file to expand to this assigned cluster until it consumed the remaining reserved 27,000 bytes. This increased cluster size resulted in inefficient use of disk space. Because of this inefficient allocation of sectors to clusters, when nearly full FAT16 drives were converted to FAT32, users discovered they had a lot of extra free disk space because the files wasted less space. When you run out of room for an allocated cluster, the OS allocates another cluster for your file, which creates more slack space on the disk. As files grow and require more disk space, assigned clusters are chained together. Typically, chained clusters are contiguous on the disk.
However, as some files are created and deleted and other files are expanded, the chain can be broken or fragmented. With a tool such as ProDiscover, you can view the cluster-chaining sequence and see how FAT addresses linking clusters to one another (see Figure 6-8). When the OS stores data in a FAT file system, it assigns a starting cluster position to a file. Data for the file is written to the first sector of the first assigned cluster. When this first assigned cluster is filled and runs out of room, FAT assigns the next available cluster to the file. If the next available cluster isn’t contiguous to the current cluster, the file becomes fragmented.
Figure 6-8 Chained sectors associated with clusters as a result of increasing file size
In the FAT for each cluster on the volume (the partitioned disk), the OS writes the next assigned cluster, which is the number to the right of [0] in the FAT cluster assignment. Think of clusters as buckets that can hold a specific number of bytes. When a cluster (or bucket) fills up, the OS allocates another cluster to collect the extra data. On rare occasions, such as a system failure or sabotage, these cluster chains can break. If they do, data can be lost because it’s no longer associated with the previous chained cluster. FAT looks forward for the next cluster assignment but doesn’t provide pointers to the previous cluster. Rebuilding these broken chains can be difficult. Many recent disk forensics tools have automated much of the file-rebuilding process. These improved features make recovering data easier.
Deleting FAT Files
When a file is deleted in Windows Explorer or with the MS-DOS Delete command, the OS inserts a HEX E5 (0xE5), which many hex-editing programs reflect as the lowercase Greek letter sigma (σ), in the filename’s first letter position in the FAT database. The sigma symbol tells the OS that the file is no longer available and a new file can be written to the same cluster location.
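As an added example (not the book’s code), the following Python decodes a FAT16 directory entry and flags the 0xE5 deletion marker described above, walks a cluster chain forward through a constructed FAT to report fragmentation and broken links (FAT has no backward pointers, so the walk simply stops where the chain breaks), and splits the slack of the text’s 5000-byte file on a 32 KB cluster into RAM slack and file slack. The directory-entry field offsets follow the standard FAT layout; the FAT table and the two entries are constructed sample data.

```python
import struct

# Directory entry attribute bits. The text names archive, hidden, system and
# read-only; volume-label and directory are the two remaining standard bits.
ATTR_BITS = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
             0x08: "volume-label", 0x10: "directory", 0x20: "archive"}
DELETED_MARK = 0xE5   # HEX E5 written over the first letter of a deleted name
FAT16_BAD = 0xFFF7    # cluster marked as having unrecoverable errors
FAT16_EOC = 0xFFF8    # entries >= this value mean "last cluster in the chain"


def parse_dir_entry(entry: bytes) -> dict:
    """Decode one 32-byte FAT16 directory entry: 8.3 name, attribute byte at
    0x0B, starting cluster at 0x1A and file size at 0x1C (standard FAT layout)."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    name, ext, attr = entry[0:8], entry[8:11], entry[11]
    first_cluster, size = struct.unpack_from("<HI", entry, 0x1A)
    deleted = name[0] == DELETED_MARK
    shown = b"?" + name[1:] if deleted else name   # the first letter is lost
    base = shown.decode("ascii", "replace").rstrip()
    suffix = ext.decode("ascii", "replace").rstrip()
    return {
        "name": f"{base}.{suffix}" if suffix else base,
        "deleted": deleted,
        "attributes": [label for bit, label in ATTR_BITS.items() if attr & bit],
        "first_cluster": first_cluster,
        "size": size,
    }


def follow_chain(fat: list[int], start: int) -> dict:
    """Walk a FAT16 cluster chain forward from `start`. FAT entries only point
    forward, so a free cluster, a bad cluster, an out-of-range value or a loop
    ends the walk; the partial chain and the reason are reported, not raised."""
    chain, seen, status = [], set(), "complete"
    cur = start
    while True:
        if cur < 2 or cur >= len(fat):
            status = "broken: cluster number out of range"
            break
        if cur in seen:
            status = "broken: chain loops back on itself"
            break
        chain.append(cur)
        seen.add(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC:
            break
        if nxt == 0:
            status = "broken: next cluster is marked free"
            break
        if nxt == FAT16_BAD:
            status = "broken: next cluster is marked bad"
            break
        cur = nxt
    fragmented = any(b != a + 1 for a, b in zip(chain, chain[1:]))
    return {"chain": chain, "status": status, "fragmented": fragmented}


def slack_bytes(file_size: int, cluster_bytes: int, sector_bytes: int = 512) -> dict:
    """Split the unused tail of a file's last cluster into RAM slack (the rest
    of the last written sector) and file slack (the whole unused sectors)."""
    clusters = -(-file_size // cluster_bytes)          # ceiling division
    sectors_used = -(-file_size // sector_bytes)
    ram_slack = sectors_used * sector_bytes - file_size
    file_slack = clusters * cluster_bytes - sectors_used * sector_bytes
    return {"clusters": clusters, "sectors_used": sectors_used,
            "ram_slack": ram_slack, "file_slack": file_slack,
            "drive_slack": ram_slack + file_slack}


def build_sample_fat() -> list[int]:
    """Constructed 32-entry FAT16 table (not from a real disk)."""
    fat = [0] * 32
    fat[0], fat[1] = 0xFFF8, 0xFFFF                   # media descriptor, reserved
    fat[2], fat[3], fat[4], fat[5], fat[9] = 3, 4, 5, 9, 0xFFFF   # 2->3->4->5->9, fragmented
    fat[6], fat[7] = 7, 0xFFFF                        # 6->7, contiguous
    fat[10], fat[11] = 11, 0                          # damaged: 11 points at a free cluster
    return fat


# Constructed entries: an active REPORT.TXT (first cluster 2, 5000 bytes) and a
# deleted NOTES.TXT whose first letter was overwritten with 0xE5.
REPORT_ENTRY = b"REPORT  TXT" + bytes([0x20]) + bytes(14) + struct.pack("<HI", 2, 5000)
DELETED_ENTRY = bytes([0xE5]) + b"OTES   TXT" + bytes([0x21]) + bytes(14) + struct.pack("<HI", 6, 1200)

if __name__ == "__main__":
    fat = build_sample_fat()
    for entry in (REPORT_ENTRY, DELETED_ENTRY):
        info = parse_dir_entry(entry)
        print(info, follow_chain(fat, info["first_cluster"]))
    print(slack_bytes(5000, 32768))   # the text's 5000-byte file, 32 KB cluster
```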
In Microsoft OSs, when a file is deleted, the only modifications made are that the directory entry is marked as a deleted file, with the HEX E5 character replacing the first letter of the filename, and the FAT chain for that file is set to 0. The data in the file remains on the disk drive. The area of the disk where the deleted file resides becomes unallocated disk space (also called “free disk space”). The unallocated disk space is now available to receive new data from newly created files or other files needing more space as they grow. Most forensics tools can recover data still residing in this area.
Examining NTFS Disks
New Technology File System (NTFS) was introduced when Microsoft created Windows NT and is the primary file system for Windows Vista. Each generation of Windows since NT has included minor changes in NTFS configuration and features. The NTFS design was partially based on, and incorporated many features from, Microsoft’s project for IBM with the OS/2 operating system; in this OS, the file system was High Performance File System (HPFS). When Microsoft created Windows NT, it provided backward compatibility so that NT could read OS/2 HPFS disk drives. Since the release of Windows 2000, this backward compatibility is no longer available. For a detailed explanation of NTFS structures, see www.linux-ntfs.org.
To be an effective computer forensics investigator, you should maintain a library of old OSs and application software. Also, keep older hardware that’s in good working condition. You might need old software and hardware to do an analysis because some forensics tasks can’t be performed with modern tools on older OSs and hardware.
NTFS offers significant improvements over FAT file systems. It provides more information about a file, including security features, file ownership, and other file attributes. With NTFS, you also have more control over files and folders (directories) than with FAT file systems.
NTFS was Microsoft’s move toward a journaling file system. The system keeps track of transactions such as file deleting or saving. This journaling feature is helpful because it records a transaction before the system carries it out. That way, in a power failure or other interruption, the system can complete the transaction or go back to the last good setting. In NTFS, everything written to the disk is considered a file. On an NTFS disk, the first data set is the Partition Boot Sector, which starts at sector [0] of the disk and can expand to 16 sectors. Immediately after the Partition Boot Sector is the Master File Table (MFT). The MFT, similar to FAT in earlier Microsoft OSs, is the first file on the disk. An MFT file is created at the same time a disk partition is formatted as an NTFS volume and usually consumes about 12.5% of the disk when it’s created. As data is added, the MFT can expand to take up 50% of the disk. (The MFT is covered in more detail in “NTFS System Files.”)
An important advantage of NTFS over FAT is that it results in much less file slack space. Compare the cluster sizes in Table 6-3 to Table 6-2, which showed FAT cluster sizes. Clusters are smaller for smaller disk drives. This feature saves more space on all disks using NTFS.
Table 6-3 Cluster sizes in an NTFS disk
Drive size | Sectors per cluster | Cluster size
0–512 MB | 1 | 512 bytes
512 MB–1 GB | 2 | 1024 bytes
1–2 GB | 4 | 2048 bytes
2–4 GB | 8 | 4096 bytes
4–8 GB | 16 | 8192 bytes
8–16 GB | 32 | 16,384 bytes
16–32 GB | 64 | 32,768 bytes
More than 32 GB | 128 | 65,536 bytes
NTFS also uses Unicode, an international data format. Unlike the American Standard Code for Information Interchange (ASCII) 8-bit configuration, Unicode uses an 8-bit, a 16-bit, or a 32-bit configuration. These configurations are known as UTF-8 (Unicode Transformation Format), UTF-16, and UTF-32. For Western-language alphabetic characters, UTF-8 is identical to ASCII (see www.unicode.org/versions for more details).
Knowing this feature of Unicode comes in handy when you perform keyword searches for evidence on a disk drive. (This feature is discussed in more detail in Chapter 9.) Because NTFS offers many more features than FAT, more utilities are used to manage it.
NTFS System Files
Because everything on an NTFS disk is a file, the first file, the MFT, contains information about all files on the disk, including the system files the OS uses. In the MFT, the first 15 records are reserved for system files. Records in the MFT are referred to as metadata. Table 6-4 lists the first 16 metadata records you find in the MFT.
Table 6-4 Metadata records in the MFT
Filename | System file | Record position | Description
$Mft | MFT | 0 | Base file record for each folder on the NTFS volume; other record positions in the MFT are allocated if more space is needed.
$MftMirr | MFT 2 | 1 | The first four records of the MFT are saved in this position. If a single sector fails in the first MFT, the records can be restored, allowing recovery of the MFT.
$LogFile | Log file | 2 | Previous transactions are stored here to allow recovery after a system failure in the NTFS volume.
$Volume | Volume | 3 | Information specific to the volume, such as label and version, is stored here.
$AttrDef | Attribute definitions | 4 | A table listing attribute names, numbers, and definitions.
$ | Root filename index | 5 | This is the root folder on the NTFS volume.
$Bitmap | Boot sector | 6 | A map of the NTFS volume showing which clusters are in use and which are available.
$Boot | Boot sector | 7 | Used to mount the NTFS volume during the bootstrap process; additional code is listed here if it’s the boot drive for the system.
$BadClus | Bad cluster file | 8 | For clusters that have unrecoverable errors, an entry of the cluster location is made in this file.
$Secure | Security file | 9 | Unique security descriptors for the volume are listed in this file. It’s where the access control list (ACL) is maintained for all files and folders on the NTFS volume.
Table 6-4 Metadata records in the MFT (continued)
Filename | System file | Record position | Description
$Upcase | Upcase table | 10 | Converts all lowercase characters to uppercase Unicode characters for the NTFS volume.
$Extend | NTFS extension file | 11 | Optional extensions are listed here, such as quotas, object identifiers, and reparse point data.
| | 12–15 | Reserved for future use.
MFT and File Attributes
When Microsoft introduced NTFS, the way the OS stores data on disks changed significantly. In the NTFS MFT, all files and folders are stored in separate records of 1024 bytes each. Each record contains file or folder information. This information is divided into record fields containing metadata about the file or folder and the file’s data or links to the file’s data. A record field is referred to as an attribute ID. File or folder information is typically stored in one of two ways in an MFT record: resident and nonresident. For very small files, about 512 bytes or less, all file metadata and data are stored in the MFT record. These types of records are called resident files because all their information is stored in the MFT record. Files larger than 512 bytes are stored outside the MFT. The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as data runs. This type of MFT record is called nonresident because the file’s data is stored in its own separate file outside the MFT.
Each MFT record starts with a header identifying it as a resident or nonresident attribute. The first 4 bytes (characters) for all MFT records are FILE. The header information contains additional data specifying where the first attribute ID starts, which is typically at offset 0x14 from the beginning of the record. Each attribute ID has a length value in hexadecimal defining where it ends and where the next attribute starts. The length value is located 4 bytes from the attribute ID.
Table 6-5 lists the types of attributes in an MFT record. For more details on how the MFT is configured, search on MFT and NTFS at http://technet.microsoft.com/en-us/library/cc781134.aspx and http://sourceforge.net/project/showfiles.php?group_id=13956&package_id=16543&release_id=244298.
Table 6-5 Attributes in the MFT
Attribute ID | Purpose
0x10 | $Standard Information: This field contains data on file creation, alterations, MFT changes, read dates and times, and DOS file permissions.
0x20 | $Attribute_List: Attributes that don’t fit in the MFT (nonresident attributes) are listed here along with their locations.
0x30 | $File_Name: The long and short names for a file are contained here. Up to 255 Unicode bytes are available for long filenames. For POSIX requirements, additional names or hard links can also be listed. Files with short filenames have only one attribute ID 0x30. Long filenames have two attribute ID 0x30s in the MFT record: one for the short name and one for the long name.
0x40 | $Object_ID (for Windows NT, it’s named $Volume_Version): Ownership and who has access rights to the file or folder are listed here. Every MFT record is assigned a unique GUID. Depending on your NTFS setup, some file records might not contain this attribute ID.
0x50 | $Security_Descriptor: Contains the access control list (ACL) for the file.
0x60 | $Volume_Name: The volume-unique file identifier is listed here. Not all files need this unique identifier.
0x70 | $Volume_Information: This field indicates the version and state of the volume.
0x80 | $Data: File data or data runs to nonresident files.
0x90 | $Index_Root: Implemented for use of folders and indexes.
0xA0 | $Index_Allocation: Implemented for use of folders and indexes.
0xB0 | $Bitmap: Implemented for use of folders and indexes.
0xC0 | $Reparse_Point: This field is used for volume mount points and Installable File System (IFS) filter drivers.
For the IFS, it marks specific files used by drivers.
0xD0 | $EA_Information: For use with OS/2 HPFS.
0xE0 | $EA: For use with OS/2 HPFS.
0x100 | $Logged_Utility_Stream: This field is used by EFS in Windows 2000, XP, and Vista.
Figure 6-9 is an MFT record showing the resident attributes of a small file viewed in a hexadecimal editor. Note that on line 035B3530 near the bottom, there’s text data in the right pane. In Figure 6-10, the bottom half of the hexadecimal editor window shows the remaining portion of this resident file’s MFT record.
Figure 6-9 Resident file in an MFT record (callouts: A: All MFT records start with FILE0; B: Start of attribute 0x10; C: Length of attribute 0x10 (value 60); D: Start of attribute 0x30; E: Length of attribute 0x30 (value 70); F: Start of attribute 0x40; G: Length of attribute 0x40 (value 28); H: Start of attribute 0x80; I: Length of attribute 0x80 (value 70); J: Attribute 0x80 resident flag; K: Starting position of resident data)
Figure 6-11 is an example of a nonresident file’s hexadecimal view. Note that on line 35B3D50 near the bottom, there’s no text data. This file is a longer version of the file shown in Figure 6-9. Current computer forensics tools, such as ProDiscover, EnCase, FTK, and X-Ways Forensics, can interpret the MFT from an image file.
Figure 6-10 File data for a resident file (callouts: A: Starting position of attribute 0x80 $Data; B: Length of attribute 0x80 in little endian format; C: Interpreted little endian value)
Figure 6-11 Nonresident file in an MFT record (callouts: A: Start of nonresident attribute 0x80; B: Length of nonresident attribute 0x80; C: Attribute 0x80 nonresident flag; D: Starting point of data run; E: End-of-record marker (FF FF FF FF) for the MFT record)
To understand how data runs are assigned for nonresident MFT records, you should know that when a disk is created as an NTFS file structure, the OS assigns logical clusters to the entire disk partition.
These assigned clusters, called logical cluster numbers (LCNs), are sequentially numbered from the beginning of the disk partition, starting with the value 0. LCNs become the addresses that allow the MFT to link to nonresident files (files outside the MFT) on the disk’s partition. When data is initially written to nonresident files, an LCN address is assigned to the MFT (attribute 0x80 field); it’s the first data run for a nonresident file. If the file can’t be stored contiguously on the disk (because of excessive file fragmentation), another data run is added. The second and all other data runs have a virtual cluster number (VCN) assigned. A VCN is the offset position from the previous LCN value in the data run. VCNs are signed integers so that if the next largest unused disk space is at a lower address than the previous LCN, the lower value address can be computed by simply adding a negative number to the VCN. For example, if the previous LCN data run is at offset 3000000 and the next available open area to receive data is at LCN 2900000, the VCN is -100000 (3000000 + [-100000] = 2900000).
The following two sections explain the basic configuration of resident and nonresident files managed by the MFT. By learning how data is stored in the MFT, a computer forensics examiner can manually reconstruct any residual data on NTFS-formatted disk media. The following descriptions aren’t exhaustive, as far as the values and functions of NTFS and the MFT. Be aware that future Windows updates could change these configurations. This discussion should be used as a quick reference for locating and interpreting data artifacts where you might find residual fragments from partially overwritten MFT records.
MFT Structures for File Data
When viewing an MFT record with a hexadecimal editor, such as WinHex, the data is displayed in little endian format, meaning it’s read from right to left.
For example, the hexadecimal value 400 is displayed as 00 04 00 00, and the number 0x40000 is displayed as 00 00 04 00. The first section of an MFT record is the header that defines the size and starting position of the first attribute. Following the header are the attributes that are specific for the file type, such as an application file or a data file. MFT records for directories and system files have additional attributes that don’t appear in a file MFT record. The following sections explain how data files are configured in the MFT.
MFT Header Fields
For the header of all MFT records, the record fields of interest are as follows:
• At offset 0x00—The MFT record identifier FILE; the letter F is at offset 0.
• At offset 0x1C to 0x1F—Size of the MFT record; the default is 0x400 (1024) bytes, or two sectors.
• At offset 0x14—Length of the header, which indicates where the next attribute starts; it’s typically 0x38 bytes.
• At offset 0x32 and 0x33—The update sequence array, which stores the 2 bytes of the first sector of the MFT record. It’s used only when MFT data exceeds 512 bytes. The update sequence array is used as a checksum for record integrity validation.
Figure 6-12 shows these fields and their relationships in the MFT record.
Figure 6-12 An MFT header (callouts: MFT record identifier; Length of the MFT record header; Size of the entire MFT record; Update sequence array: this data goes into position/offset 1E and 1F; Note: this data is swapped with data in position 1E and 1F of the MFT record)
Attribute 0x10: Standard Information
Following the MFT header for a data file is the Standard Information attribute, 0x10, which has the following fields (see Figure 6-13):
Figure 6-13 Attribute 0x10: Standard Information (callouts: Attribute 0x10; Size of attribute 0x10; Create date and time; Last modified date and time; Last access date and time; Record update date and time)
• At offset 0x38 from the beginning of the MFT record—The start of attribute 0x10.
• At offset 0x04 and 0x05 from the beginning of attribute 0x10—Size of the 0x10 attribute.
• At offset 0x18 to 0x1F—The file’s create date and time; all dates and times are stored in the Win32 Filetime format.
• At offset 0x20 to 0x27—The last modified date and time for the file.
• At offset 0x28 to 0x2F—The last access date and time.
• At offset 0x30 to 0x37—The record update date and time.
Attribute 0x30: File_Name
For files with filenames that are eight characters or less, the MFT record has only one attribute 0x30. If a filename is longer than eight characters, there are two attribute 0x30s. The following description shows an MFT record with a short and long filename in attribute 0x30. The fields of interest for the short filename attribute 0x30 are as follows:
• At offset 0x04 and 0x05 from the beginning of attribute 0x30—The size of attribute 0x30.
• At offset 0x5A from the 0x30 attribute’s starting position—The short filename; note that it’s in Unicode.
• At offset 0x20 to 0x27—The file’s create date and time; all dates and times are stored in Win32 Filetime format.
• At offset 0x28 to 0x2F—The last modified date and time for the file.
• At offset 0x30 to 0x37—The last access date and time.
• At offset 0x38 to 0x3F—The record update date and time.
The date and time values in attribute 0x30 are usually the same as in attribute 0x10. On occasion, depending how data is copied to a disk and the Windows OS version, these values might differ significantly. The following are fields of interest for the long filename attribute 0x30:
• At offset 0x04 and 0x05 from the beginning of attribute 0x30—The size of attribute 0x30.
• At offset 0x5A from the 0x30 attribute’s starting position—The long filename; note that it’s in Unicode.
• At offset 0x20 to 0x27—The file’s create date and time; all dates and times are stored in Win32 Filetime format.
• At offset 0x28 to 0x2F—The last modified date and time for the file.
• At offset 0x30 to 0x37—The last access date and time.
• At offset 0x38 to 0x3F—The record update date and time.
Figure 6-14 shows these fields and their relationships in the MFT record.
Figure 6-14 Attributes 0x30: short and long filenames (callouts: A: Attribute 0x30 short filename; B: Size of attribute 0x30 short filename; C: Short create date and time; D: Short last modified date and time; E: Short last access date and time; F: Short record update date and time; G: Starting position of short filename; H: Attribute 0x30 long filename; I: Size of attribute 0x30 long filename; J: Long create date and time; K: Long last modified date and time; L: Long last access date and time; M: Long record update date and time; N: Starting position of long filename)
Attribute 0x40: Object_ID
Depending on the Windows version, sometimes attribute 0x40 is listed in the MFT. This attribute contains file ownership and access control information and has the following fields:
• At offset 0x04 and 0x05 from the beginning of attribute 0x40—The size of attribute 0x40
• At offset 0x14—Starting offset position for GUID data
• At offset 0x18 to 0x27—Starting position for GUID Object_ID data
In this example, only the GUID Object_ID is listed. In large enterprise systems, typically additional information is listed, such as the following:
• GUID Birth Volume ID
• GUID Birth Object ID
• GUID Birth Domain ID
Figure 6-15 shows these fields and their relationships in the MFT record.
Attribute 0x80: Data for a Resident File
For a resident file’s attribute 0x80, the fields of interest are as follows (see Figure 6-16):
• At offset 0x04 and 0x05 from the beginning of attribute 0x80—Size of the attribute.
• At offset 0x08—The resident/nonresident flag; for resident data, it’s set to 0x00.
Figure 6-15 Attribute 0x40: Object_ID (callouts: Attribute 0x40; Size of attribute 0x40; Starting position for GUID data; Starting offset position for GUID data)
Figure 6-16 Attribute 0x80: Data for a resident file (callouts: Resident flag; Start of resident data run; Size of attribute 0x80; Start of attribute 0x80; Sector boundary; Number of bytes allocated for data; Sector checksum)
• At offset 0x10—Number of bytes in the data run.
• At offset 0x18—Start of the resident data run.
• At offset 0x1E and 0x1F from the beginning of the MFT header—The sector checksum value, used to validate the first 512 bytes of the MFT record. The break between the first and second sectors is referred to as the sector boundary. The 2 bytes at positions 0x32 and 0x33 of the MFT header in the update sequence array field are where the actual values for these bytes are stored.
The end of the MFT record is indicated by the hexadecimal values FF FF FF FF at the end of the record.
Attribute 0x80: Data for a Nonresident File
For a nonresident file, the fields of interest for attribute 0x80 are as follows:
• At offset 0x04 and 0x05 from the beginning of attribute 0x80—Size of the attribute.
• At offset 0x08—The resident/nonresident flag; for nonresident data, it’s set to 0x01.
• At offset 0x40—The start of the data run. The first run is the LCN; if the file is fragmented, additional data runs follow, as shown in Figure 6-17. In this example, there are a total of six data runs, which means this file has several fragments.
Following the last data run, the value 0x00 indicates the end of the Data attribute. Figure 6-17 shows these fields and their relationships in the MFT record.
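An added example, not the book’s own code, that builds a constructed 1024-byte MFT record and parses it the way the header and attribute descriptions above lay it out: it checks the FILE signature, reads the header length at 0x14 and the record size at 0x1C, swaps the update sequence array values back over the checksum bytes at the end of each 512-byte sector (the sector boundary), then walks the attributes to decode the attribute 0x10 create and modified Win32 Filetime values and the data of a resident attribute 0x80, which in the sample deliberately straddles the sector boundary. The header offsets 0x04 and 0x06 (position and entry count of the update sequence array) are taken from the published NTFS record layout rather than from the text; the timestamps, data and filler values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
END_MARKER = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Win32 FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence protection of one MFT record.
    On disk, the last 2 bytes of each 512-byte sector hold the update sequence
    number (USN); the bytes they displaced are parked in the update sequence
    array (first saved pair at 0x32). Header offsets 0x04 and 0x06 give the
    array's position and entry count (NTFS record layout; not in the text)."""
    if record[:4] != b"FILE":
        raise ValueError("missing FILE signature: not an MFT record")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError(f"USN mismatch in sector {i - 1}: torn or partial write")
        saved = usa_offset + 2 * i
        fixed[end - 2:end] = record[saved:saved + 2]
    return bytes(fixed)


def record_is_consistent(record: bytes) -> bool:
    """True when every sector of the record carries the current USN."""
    try:
        apply_fixups(record)
        return True
    except ValueError:
        return False


def parse_record(raw: bytes) -> dict:
    """Walk the header and attribute list; decode attribute 0x10 create and
    modified times and the data of a resident attribute 0x80."""
    rec = apply_fixups(raw)
    first_attr = struct.unpack_from("<H", rec, 0x14)[0]   # header length, usually 0x38
    rec_size = struct.unpack_from("<I", rec, 0x1C)[0]     # usually 0x400
    result = {"first_attr": first_attr, "record_size": rec_size, "attrs": []}
    pos = first_attr
    while pos + 8 <= rec_size:
        atype, alen = struct.unpack_from("<II", rec, pos)  # ID, then length 4 bytes in
        if atype == END_MARKER or alen == 0:
            break
        nonresident = rec[pos + 0x08] != 0
        info = {"type": atype, "length": alen, "nonresident": nonresident}
        if not nonresident:
            content_len, content_off = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + content_off:pos + content_off + content_len]
            if atype == 0x10:
                created, modified = struct.unpack_from("<QQ", content, 0)
                info["created"] = filetime_to_datetime(created)
                info["modified"] = filetime_to_datetime(modified)
            elif atype == 0x80:
                info["data"] = content
        result["attrs"].append(info)
        pos += alen
    return result


def build_sample_record() -> bytes:
    """Constructed 1024-byte record (not from a real disk): attribute 0x10 and a
    resident attribute 0x80 whose data straddles the first sector boundary."""
    created = int((datetime(2009, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH)
                  .total_seconds()) * 10_000_000
    modified = created + 60 * 10_000_000                   # one minute later
    std_info = struct.pack("<QQQQ", created, modified, modified, modified) + bytes(0x28)
    attr10 = struct.pack("<IIBBHHHIHH", 0x10, 0x60, 0, 0, 0, 0, 0,
                         len(std_info), 0x18, 0) + std_info
    data = b"A" * 334 + b"XY" + b"B" * 8                   # "XY" lands on 0x1FE-0x1FF
    attr80 = struct.pack("<IIBBHHHIHH", 0x80, 0x18 + len(data), 0, 0, 0, 0, 1,
                         len(data), 0x18, 0) + data
    body = attr10 + attr80 + struct.pack("<I", END_MARKER)
    header = (b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, 1,
                                    0x38 + len(body), 0x400)
              + struct.pack("<QH", 0, 2) + bytes(6))      # 0x30 bytes so far
    usn = b"\x07\x00"
    record = bytearray(header + usn + bytes(6) + body)     # USA at 0x30, attrs at 0x38
    record += bytes(0x400 - len(record))
    for i in range(2):                                     # protect both sectors as NTFS does
        end = (i + 1) * SECTOR
        record[0x32 + 2 * i:0x34 + 2 * i] = record[end - 2:end]
        record[end - 2:end] = usn
    return bytes(record)


if __name__ == "__main__":
    parsed = parse_record(build_sample_record())
    for attr in parsed["attrs"]:
        print(hex(attr["type"]), attr.get("created"), attr.get("data", b"")[:12])
```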
Figure 6-17 Attribute 0x80: Data for a nonresident file (callouts: A: Start of attribute 0x80; B: Size of attribute 0x80; C: Nonresident flag; D: First data run; E: Second data run; F: Additional data runs; G: End of data run; H: End of MFT record; I: Sector checksum; J: Sector boundary)
Interpreting a Data Run
As discussed, the first data run for a nonresident attribute 0x80 field starts at offset 0x40 from the beginning of the attribute. In this discussion, a file called SanteFe001.jpg is used as an example of how data runs are interpreted. Data runs have three components: The first component declares how many bytes in the attribute field are needed to store the values for the second and third components. The second component stores the number of clusters assigned to the data run, and the third component contains the starting cluster address value (the LCN or the VCN). This discussion uses a file with six fragments (data runs).
For the first component—the 32 shown in Figure 6-18 as the data run’s starting position—the second digit, 2, means that the next 2 bytes contain the number of clusters assigned to this data run. The first digit, 3, means that the next 3 bytes (after the number of clusters assigned) contain the cluster address value; for the first data run, this value is the LCN. The next and all other data runs contain the VCN value rather than the LCN value.
Figure 6-18 Multiple data runs (callouts: Starting position of each data run; End of data run marker; End of MFT record; Checksum for first sector (see update sequence array in MFT header field))
In Figure 6-19, the second component shows the 2 bytes needed to store the hexadecimal value (in little endian) for the number of clusters assigned to this data run. The number of clusters assigned to this data run is 7B1 (hexadecimal) or 1969 in decimal.
Figure 6-19 Data run components (callouts: First component; Second component; Third component)
As shown in Figure 6-20, for the third component, the starting assigned cluster address is 0x8C8C (hexadecimal), or 35980 in decimal. Because it’s the first data run of the file, this address is the LCN.
Figure 6-20 First data run with an LCN address (callouts: Assigned clusters for the SanteFe001.jpg file; First data run (note address match); Number of clusters assigned to this data run; Bytes needed to store the number of clusters assigned to this data run; Starting LCN address; Bytes needed to store the LCN address value)
Figures 6-21 and 6-22 show the second and third data runs for the SanteFe001.jpg file. For the second and all other data runs, the third component is a signed integer; for example, in Figure 6-21, this value is converted from a hexadecimal number to a negative decimal number. In NTFS, if the next available open area of a highly fragmented disk is at a lower address, a negative number is assigned as the VCN value. The way NTFS navigates to this second open area is by adding the VCN to the previous LCN. For example, the first data run has the LCN address 35980, and the second data run has a value of -4715. The OS adds the two numbers, but because the second data run has a negative number, they’re actually subtracted: 35980 + (-4715) = 31265. As you can see in the assigned cluster lists in Figure 6-22, the second fragment has a starting cluster number (an LCN) of 31265. In the third data run, the VCN value is a positive number. For additional information on NTFS and its design, see http://data.linux-ntfs.org/ntfsdoc.pdf.
(Figure 6-21 callouts: Assigned cluster for the SanteFe001.jpg file; This VCN value is a negative number because the next available LCN is at a lower address than the first LCN data run.)
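The data-run decoding walked through above, as an added example (not the book’s code) over a constructed run list that reproduces the text’s values: header 32, 0x7B1 = 1969 clusters at LCN 0x8C8C = 35980, a second run whose VCN of -4715 resolves to 31265, a third run with a positive VCN, and the 0x00 terminator. Sparse runs (a header whose high nibble is 0) are not discussed in the text; they are handled here on the assumption of the standard NTFS encoding.

```python
def parse_data_runs(runs: bytes) -> list[dict]:
    """Decode the run list of a nonresident attribute 0x80.
    Each run opens with a header byte: the low nibble is the number of bytes
    holding the cluster count, the high nibble the number of bytes holding the
    cluster address. The first address is an absolute LCN; every later one is
    a signed little-endian delta (the text's VCN) added to the previous LCN.
    A 0x00 header byte ends the list."""
    result, pos, lcn = [], 0, 0
    while pos < len(runs):
        header = runs[pos]
        if header == 0x00:
            return result
        count_size, offset_size = header & 0x0F, header >> 4
        pos += 1
        if pos + count_size + offset_size > len(runs):
            raise ValueError("truncated data run")
        count = int.from_bytes(runs[pos:pos + count_size], "little")
        pos += count_size
        if offset_size == 0:
            # Sparse run: clusters with no disk address (assumed from the NTFS
            # encoding; the text does not discuss sparse runs).
            result.append({"clusters": count, "delta": 0, "lcn": None})
            continue
        delta = int.from_bytes(runs[pos:pos + offset_size], "little", signed=True)
        pos += offset_size
        lcn += delta
        result.append({"clusters": count, "delta": delta, "lcn": lcn})
    raise ValueError("run list has no 0x00 terminator")


def run_extents(runs: bytes, cluster_bytes: int) -> list[tuple[int, int]]:
    """Byte offset and length on the volume of each run that occupies disk
    space, which is what a tool needs to pull a fragmented file back together."""
    return [(r["lcn"] * cluster_bytes, r["clusters"] * cluster_bytes)
            for r in parse_data_runs(runs) if r["lcn"] is not None]


# Constructed run list (not from a real disk) reproducing the values in the text:
#   32 B1 07 8C 8C 00 -> 2 count bytes, 3 address bytes: 0x7B1 = 1969 clusters at LCN 0x8C8C = 35980
#   21 40 95 ED       -> 64 clusters, delta 0xED95 = -4715 -> LCN 35980 - 4715 = 31265
#   21 10 00 0A       -> 16 clusters, delta +0x0A00 = 2560 -> LCN 33825
#   00                -> end of the run list
SAMPLE_RUNS = bytes.fromhex("32 B1 07 8C 8C 00 21 40 95 ED 21 10 00 0A 00")

if __name__ == "__main__":
    for run in parse_data_runs(SAMPLE_RUNS):
        print(run)
    print(run_extents(SAMPLE_RUNS, 4096))
```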
Figure 6-21 Second data run with a VCN address (callout: VCN value for the address of the next disk location)
Figure 6-22 Third data run with a VCN address
NTFS Data Streams
Of particular interest when you’re examining NTFS disks are data streams, which are ways data can be appended to existing files. When you’re examining a disk, be aware that data streams can obscure valuable evidentiary data, intentionally or by coincidence. In NTFS, a data stream becomes an additional file attribute and allows the file to be associated with different applications. As a result, it remains one data unit. You can also store information about a file in a data stream. In its resource documentation Web page, Microsoft states: “For example, a graphics program can store a thumbnail image of a bitmap in a named data stream within the NTFS file containing the image.”
From a Windows NT and later command prompt, you can create a data stream with this MS-DOS command:
C:\echo text_string > myfile.txt:stream_name
You can also use the following Type command to redirect the contents of a small file to a data stream:
C:\type textfile.txt > myfile.txt:stream1
In these commands, the data stream is defined in the MFT by the colon between the file extension and the data stream label. To display a data stream’s content as a simple text string, use this command:
C:\more < myfile.txt:stream1
Be aware that if you save a file with data streams attached to a FAT volume, the data streams aren’t transferred. If you perform a keyword search and retrieve a file associated with a keyword, you might not be able to open the data stream. A data stream isn’t displayed when you open a file in a text editor. The only way you can tell whether a file has a data stream attached is by examining that file’s MFT record entry. Figure 6-23 shows the MFT record of a file containing a text data stream. Note that there are two attribute 0x80 fields.
Figure 6-24 shows what larger files that are nonresident look like in an MFT record. Note that the sector boundary’s checksum value (item R) must be swapped with the update sequence array’s value (item C).
Figure 6-23 A text data stream (callouts: Second attribute 0x80; Start of data run for second attribute 0x80 (location of hidden data stream); Size of second attribute 0x80)
NTFS Compressed Files
To improve data storage on disk drives, NTFS provides compression similar to FAT DriveSpace 3, a Windows 98 compression utility. Under NTFS, files, folders, or entire volumes can be compressed. With FAT16, you can compress only a volume. On a Windows Vista, XP, 2000, or NT system, compressed data is displayed normally when you view it in Windows Explorer or applications such as Microsoft Word. During an investigation, typically you work from an image of a compressed disk, folder, or file. Most computer forensics tools can uncompress and analyze compressed Windows data, including data compressed with the Lempel-Ziv-Huffman (LZH) algorithm and in formats such as PKZip, WinZip, and GNU gzip. Forensics tools might have difficulty with third-party compression utilities, such as the RAR format. If you identify third-party compressed data, you need to uncompress it with the utility that created it.
NTFS Encrypting File System (EFS)
When Microsoft introduced Windows 2000, it added built-in encryption to NTFS called Encrypting File System (EFS). EFS implements a public key and private key method of encrypting files, folders, or disk volumes (partitions). Only the owner or user who encrypted the data can access encrypted files. The owner holds the private key, and the public key is held by a certificate authority, such as a global registry, network server, or company such as VeriSign. When EFS is used in Windows Vista Business Edition or higher, XP Professional, or 2000, a recovery certificate is generated and sent to the local Windows administrator account.
The purpose of the recovery certificate is to provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key. The recovery key is stored in one of two places. When the user of a network workstation initiates EFS, the recovery key is sent to the local domain server’s administrator account. If the workstation is standalone, the recovery key is sent to the workstation’s administrator account.

Figure 6-24 A nonresident data stream (legend: A: Attribute 0x10; B: Attribute 0x10 size; C: Update sequence array; D: Attribute 0x30 short filename; E: Attribute 0x30 size short filename; F: Attribute 0x30 long filename; G: Attribute 0x30 size long filename; H: Sector boundary; I: First attribute 0x80; J: Size of attribute; K: Nonresident flag; L: Start of first data run; M: Second attribute 0x80; N: Size of attribute; O: Nonresident flag; P: Start of second data run; R: Sector boundary’s checksum)

Users can apply EFS to files stored on their local workstations or a remote server. Windows 2000 and XP decrypt the data automatically when the user or an application the user runs accesses an EFS file, folder, or disk volume. In Windows Server 2003 and 2008, users can grant other users access to their EFS data. If a user copies a file encrypted with EFS to a folder that isn’t encrypted, the copied data is saved in unencrypted format.

EFS Recovery Key Agent

The Recovery Key Agent implements the recovery certificate, which is in the Windows administrator account. Windows administrators can recover a key in two ways: through Windows or from an MS-DOS command prompt. These three commands are available from the MS-DOS command prompt:

• Cipher
• Copy
• Efsrecvr (used to decrypt EFS files)

For information on how to use these commands, enter the question mark switch after each command. For example, type cipher /? and press Enter.
Encrypted files aren’t part of FAT12, FAT16, or FAT32 file systems, so Cipher and Efsrecvr work only on NTFS systems running Windows 2000 Professional, XP Professional, and Vista Business Edition or higher. The Copy command, however, works in both FAT and NTFS. In Vista Business Edition and higher, Microsoft has added features to the Cipher command that aren’t available when encrypting data in Windows Explorer. One is the /w switch that overwrites all deleted files, making them impossible to recover with data recovery or forensics carving tools.

If you copy an encrypted file from an EFS-enabled NTFS disk or folder to a non-EFS storage media or folder, it’s unencrypted automatically. To recover an encrypted EFS file, a user can e-mail it or copy the file to the administrator. The administrator can then run the Recovery Key Agent function to restore the file. For additional information, review the Microsoft Windows Resource Kit documentation (www.microsoft.com/windows/reskits/default.asp) for the latest procedures on how to recover EFS files.

Deleting NTFS Files

Typically, you use Windows Explorer to delete files from a disk. When a file is deleted in Windows NT and later, the OS renames it and moves it to the Recycle Bin. Another method is using the Del (delete) MS-DOS command. This method doesn’t rename and move the file to the Recycle Bin, but it eliminates the file from the MFT listing in the same way FAT does.

When you delete a file in Windows Explorer, you can restore it from the Recycle Bin. The OS takes the following steps when you delete a file or a folder in Windows Explorer:

1. Windows changes the filename and moves the file to a subfolder with a unique identity in the Recycle Bin.
2. Windows stores information about the original path and filename in the Info2 file, which is the control file for the Recycle Bin. It contains ASCII data, Unicode data, and the date and time of deletion for each file or folder.
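The Info2 control file described in step 2 is small enough to parse by hand. The following Python is an added example, not code from the book: it reads the documented Windows 2000/XP Info2 record layout (800-byte records; Windows 9x records stop at 280 bytes with no Unicode path) and recovers, for each deleted item, the original path, drive letter, size, deletion time in UTC and the D<drive letter><index> name the item carries inside the Recycle Bin. The Info2 bytes are constructed in the block with made-up paths and times, not taken from a real system.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 control file and recover, for every
deleted item, its original path, drive, size and deletion time.
Added example, not from the book; the INFO2 bytes below are constructed, not from a disk."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

HEADER_SIZE = 20                      # version, two unknown dwords, record size, total size
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_info2(data: bytes) -> list:
    """Documented 800-byte Win2000/XP record: 0x000 ASCII path (260), 0x104 record
    index, 0x108 drive number (0 = A), 0x10C deletion FILETIME, 0x114 physical size,
    0x118 UTF-16 path (520). Windows 9x records are 280 bytes and stop before the
    Unicode path; the record size in the header selects the layout."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    _version, _, _, rec_size, _total = struct.unpack_from("<IIIII", data, 0)
    entries, pos = [], HEADER_SIZE
    while pos + rec_size <= len(data):
        rec = data[pos:pos + rec_size]
        ascii_path = rec[:260].split(b"\0", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
        unicode_path = ""
        if rec_size > 0x118:
            unicode_path = rec[0x118:0x118 + 520].decode("utf-16-le").split("\0", 1)[0]
        path = unicode_path or ascii_path
        letter = chr(ord("A") + drive)
        entries.append({
            "index": index,
            "drive": letter,
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            "ascii_path": ascii_path,
            "unicode_path": unicode_path,
            # the item sits in the bin renamed as D<drive letter><index><original extension>
            "recycled_name": f"D{letter.lower()}{index}{PureWindowsPath(path).suffix}",
            # a NUL in the first ASCII byte marks an item restored or removed from the bin;
            # the record stays behind and the Unicode copy still holds the path
            "removed_from_bin": rec[0] == 0,
        })
        pos += rec_size
    return entries


def _record(path: str, index: int, drive: int, deleted: datetime, size: int,
            removed: bool = False) -> bytes:
    """Build one constructed 800-byte record."""
    ascii_part = path.encode("latin-1").ljust(260, b"\0")
    if removed:
        ascii_part = b"\0" + ascii_part[1:]
    delta = deleted - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    meta = struct.pack("<IIQI", index, drive, ft, size)
    return ascii_part + meta + path.encode("utf-16-le").ljust(520, b"\0")


def build_sample_info2() -> bytes:
    """Constructed INFO2: two items still in the bin and one that was restored."""
    recs = (_record(r"C:\Documents and Settings\jsmith\My Documents\bids.xls", 1, 2,
                    datetime(2007, 3, 14, 15, 9, 26, tzinfo=timezone.utc), 24576)
            + _record(r"C:\temp\pricing.doc", 2, 2,
                      datetime(2007, 3, 14, 15, 10, 2, tzinfo=timezone.utc), 53248)
            + _record(r"D:\photos\img_0042.jpg", 3, 3,
                      datetime(2007, 3, 15, 8, 0, 0, tzinfo=timezone.utc), 1048576,
                      removed=True))
    header = struct.pack("<IIIII", 5, 0, 3, 800, 24576 + 53248 + 1048576)
    return header + recs


if __name__ == "__main__":
    for e in parse_info2(build_sample_info2()):
        print(e["recycled_name"], e["deleted_utc"].isoformat(), e["unicode_path"])
```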
NTFS files deleted at an MS-DOS command prompt function much like FAT files. (The following steps also apply when a user empties the Recycle Bin.) The OS performs the following tasks:

1. The associated clusters are designated as free—that is, marked as available for new data.
2. The $Bitmap file attribute in the MFT is updated to reflect the file’s deletion, showing that this space is available.
3. The file’s record in the MFT is marked as being available.
4. VCN/LCN cluster locations linked to deleted nonresident files are then removed from the original MFT record.
5. A run list is maintained in the MFT of all cluster locations on the disk for nonresident files. When the list of links is deleted, any reference to the links is lost.

NTFS is more efficient than FAT at reclaiming deleted space. Deleted files are overwritten more quickly.

Understanding Whole Disk Encryption

In recent years, there has been more concern about loss of personal identity information (PII) and trade secrets caused by computer theft. Company PII might consist of employees’ full names, home addresses, and Social Security numbers. With this information, criminals could easily apply for credit card accounts in these employees’ names. Trade secrets are any information a business keeps confidential because it provides a competitive edge over other companies. The inadvertent public release of this information could devastate a business’s competitive edge.

Of particular concern is the theft of laptop computers and other handheld devices, such as PDAs. If data on these devices isn’t secured properly, the owners could be liable for any damages incurred, such as stolen identities, credit card fraud, or loss of business caused by the release of trade secrets to the competition. Because of the PII problem, many states have enacted laws requiring any person or business to notify potential victims of the loss as soon as possible.
To help prevent loss of information, software vendors, including Microsoft, now provide whole disk encryption (WDE, introduced in Chapter 4). This feature creates new challenges in examining and recovering data from drives. Current whole disk encryption tools offer the following features that computer forensics examiners should be aware of:

• Preboot authentication, such as a single sign-on password, fingerprint scan, or token (USB device)
• Full or partial disk encryption with secure hibernation, such as activating a password-protected screen saver
• Advanced encryption algorithms, such as AES and IDEA
• Key management function that uses a challenge-and-response method to reset passwords or passphrases
• A Trusted Platform Module (TPM) microchip to generate encryption keys and authenticate logins

Whole disk encryption tools encrypt each sector of a drive separately. Many of these tools encrypt the drive’s boot sector to prevent any efforts to bypass the secured drive’s partition. To examine an encrypted drive, you must decrypt it first. An encryption tool’s key management function typically uses a challenge-and-response method for decryption, which means you must run a vendor-specific program to decrypt the drive. Many vendors use a bootable CD or USB drive that prompts for a one-time passphrase generated by the key management function. If you need to decrypt the same computer a second time, you need a new one-time passphrase. The biggest drawback to decrypting a drive is the several hours required to read, decrypt, and write each sector. The larger the drive, the longer decryption takes. After you’ve decrypted the drive, however, you can use standard acquisition methods to retrieve data.

Examining Microsoft BitLocker

Microsoft’s utility for protecting drive data is called BitLocker, available only with Vista Enterprise and Ultimate editions.
BitLocker’s current hardware and software requirements are as follows:

• A computer capable of running Windows Vista
• The TPM microchip, version 1.2 or newer
• A computer BIOS compliant with Trusted Computing Group (TCG)
• Two NTFS partitions for the OS and an active system volume with 1.5 GB available space
• The BIOS configured so that the hard drive boots first before checking the CD/DVD drive or other bootable peripherals

For more information on BitLocker, see http://technet.microsoft.com/en-us/windows/aa905065.aspx or go to http://technet.microsoft.com and search on BitLocker.

Examining Third-Party Disk Encryption Tools

Several vendors offer third-party WDE utilities that often have more features than BitLocker. For example, BitLocker can encrypt only NTFS drives. If you want to encrypt a FAT drive, you need a third-party solution. Decrypting with third-party utilities typically follows the same process as in BitLocker, with some exceptions. Before using one of these utilities, make sure you investigate its features thoroughly. The following list describes some available third-party WDE utilities:

• PGP Whole Disk Encryption (www.pgp.com/products/wholediskencryption/index.html) can be used on PCs, laptops, and removable media to secure an entire disk volume. This tool works in Windows 2000, XP Professional (SP1 and SP2), and Mac OS X 10.4 and can also encrypt FAT volumes.
• Voltage SecureDisk (www.voltage.com/products/index.htm) is designed for an enterprise computing environment.
• Utimaco SafeGuard Easy (http://americas.utimaco.com/safeguard_easy/) provides whole disk encryption for NTFS and FAT file systems.
• Jetico BestCrypt Volume Encryption (www.jetico.com) provides whole disk encryption for older MS-DOS and Windows NTFS systems.
• SoftWinter Sentry 2020 for Windows XP (www.softwinter.com/sentry_nt.html) is an inexpensive disk encryption tool. It doesn’t encrypt the entire drive.
To secure data, it creates a virtual drive saved to a large data file. This virtual file is similar to MS-DOS DoubleSpace, Stacker, or DriveSpace. Recovering deleted data from this type of encrypted volume file might be difficult or impossible because volume file space is overwritten quickly.

In addition to commercial tools, several open-source tools are available to encrypt files, folders, and entire disk volumes on Microsoft file systems. These tools have no standards other than meeting the requirements of open-source software. Most create a virtual encrypted disk volume, similar to the commercial product Sentry 2020. The following list describes some available open-source encryption tools:

• TrueCrypt (www.truecrypt.org) creates a virtual encrypted volume—a file mounted as though it were a disk drive. Data is encrypted automatically and in real time.
• CrossCrypt (www.scherrer.cc/crypt/) also creates a virtual encrypted volume and provides Filedisk, a command-line utility with options for creating, mounting, dismounting, and encrypting volumes.
• FreeOTFE (on-the-fly encryption, www.freeotfe.org), like other open-source encryption tools, creates a virtual disk that can encrypt data with several popular algorithms. FreeOTFE can be used in Windows 2000, XP, and Vista as well as with PDAs.

With improved encryption methods, extracting digital evidence will become more difficult. Because of these challenges, you need to know how to make remote live acquisitions, discussed in Chapter 11.

Understanding the Windows Registry

When Microsoft created Windows 95, it consolidated initialization (.ini) files into the Registry, a database that stores hardware and software configuration information, network connections, user preferences (including usernames and passwords), and setup information. The Registry has been updated and is still used in Windows Vista. For investigative purposes, the Registry can contain valuable evidence.
To view the Registry, you can use the Regedit (Registry Editor) program for Windows 9x and Regedt32 for Windows 2000, XP, and Vista. For more information on how to use Regedit and Regedt32, see the Microsoft Windows Resource Kit documentation for the OS. You can find information at http://support.microsoft.com/kb/256986 and http://technet.microsoft.com/en-us/library/cc775519(WS.10).aspx. For more information on Regedit and Regedt32, visit http://support.microsoft.com/kb/141377 and http://msdn.microsoft.com/en-us/library/aa965884(VS.85).aspx.

In general, you can use the Edit, Find menu command in Registry Editor to locate entries that might contain trace evidence, such as information identifying the last person who logged on to the computer, which is usually stored in user account information. Windows 9x systems don’t record a user’s logon information reliably, but you can find related user information, such as network logon data, by searching for all occurrences of “username” or application licenses. You can also use the Registry to determine the most recently accessed files and peripheral devices. In addition, all installed programs store information in the Registry, such as Web sites accessed, recent files, and even chat rooms accessed. As a computing investigator, you should explore the Registry of all Windows systems. On a live system, be careful not to alter any Registry setting to avoid corrupting the system and possibly making it unbootable. Several third-party tools, such as FTK Registry Viewer, are also available for accessing the Registry.

Exploring the Organization of the Windows Registry

The Windows Registry is organized in a specific way that has changed slightly with each new version of Windows. However, the major Registry sections have been consistent, with some minor changes, since Windows 2000; they’re slightly different in Windows 9x/Me.
Before proceeding, review the following list of Registry terminology:

• Registry—A collection of files containing system and user information.
• Registry Editor—A Windows utility for viewing and modifying data in the Registry. There are two Registry Editors: Regedit and Regedt32 (introduced in Windows 2000).
• HKEY—Windows splits the Registry into categories with the prefix HKEY_. Windows 9x systems have six HKEY categories and Windows 2000 and later have five. Windows programmers refer to the “H” as the handle for the key.
• Key—Each HKEY contains folders referred to as keys. Keys can contain other key folders or values.
• Subkey—A key displayed under another key is a subkey, similar to a subfolder in Windows Explorer.
• Branch—A key and its contents, including subkeys, make up a branch in the Registry.
• Value—A name and value in a key; it’s similar to a file and its data content.
• Default value—All keys have a default value that may or may not contain data.
• Hives—Hives are specific branches in HKEY_USER and HKEY_LOCAL_MACHINE. Hive branches in HKEY_LOCAL_MACHINE\Software are SAM, Security, Components, and System. For HKEY_USER, each user account has its own hive link to Ntuser.dat.

The next piece of the puzzle is learning where data files that the Registry reads are located. The number of files the Registry uses depends on the Windows version. In Windows 9x/Me, it uses only two files; in Windows NT, 2000, XP, and Vista, it uses six files. When examining Registry data from a suspect drive, you need to know where these files are located so that you can extract them and analyze their content. You can find these files with tools such as AccessData Registry Viewer. Table 6-6 shows how Registry data files are organized and explains these files’ purposes in different versions of Windows.
Table 6-6 Registry file locations and purposes

Windows 9x/Me
  Windows\System.dat: User-protected storage area; contains installed program settings, usernames and passwords associated with installed programs, and system settings
  Windows\User.dat or Windows\profile\UserAccount: Contains the most recently used (MRU) files list and desktop configuration settings; every user account created on the system has its own user data file

Windows NT, 2000, XP, and Vista
  Documents and Settings\user-account\Ntuser.dat (in Vista, Users\UserAccount\Ntuser.dat): User-protected storage area; contains the MRU files list and desktop configuration settings
  Winnt\system32\config\Default: Contains the computer’s system settings
  Winnt\system32\config\SAM: Contains user account management and security settings
  Winnt\system32\config\Security: Contains the computer’s security settings
  Winnt\system32\config\Software: Contains installed programs settings and associated usernames and passwords
  Winnt\system32\config\System: Contains additional computer system settings

When viewing the Registry with Registry Editor, you can see the HKEYs used in Windows (see Figure 6-25).

Figure 6-25 Viewing HKEYs in Windows XP Registry Editor

Table 6-7 describes the functions of Registry HKEYs.
Table 6-7 Registry HKEYs and their functions

  HKEY_CLASSES_ROOT: A symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes; provides file type and file extension information, URL protocol prefixes, and so forth
  HKEY_CURRENT_USER: A symbolic link to HKEY_USERS; stores settings for the currently logged-on user
  HKEY_LOCAL_MACHINE: Contains information about installed hardware and software
  HKEY_USERS: Stores information for the currently logged-on user; only one key in this HKEY is linked to HKEY_CURRENT_USER
  HKEY_CURRENT_CONFIG: A symbolic link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profile\xxxx (with xxxx representing the current hardware profile); contains hardware configuration settings
  HKEY_DYN_DATA: Used only in Windows 9x/Me systems; stores hardware configuration settings

For additional information on the Registry, see http://support.microsoft.com/default.aspx?scid=kb;EN-US;256986 and www.computerhope.com/registry.htm.

Although you can examine the Registry in a variety of ways, one of the easiest is loading an image of a Windows machine into AccessData FTK and then clicking File, Registry Viewer from the menu, which enables you to view HKEY data. The demo version of Registry Viewer disables the following features, however:

• Common areas—Registry keys containing useful information, such as usernames, passwords, and Web browser history information
• Report window—Displaying certain keys selected for a report
• Generating a report—Copying and adding selected keys to an FTK report
• Protected storage—Viewing Registry areas containing confidential user information, such as password-protected Web sites, username/password combinations, and e-mail passwords

Examining the Windows Registry

Some forensics tools, such as ProDiscover and FTK, have built-in Registry viewers.
For this next activity, your company’s Legal Department has asked you to search for any references to the Superior Bicycles company and e-mail addresses containing the name Denise. A paralegal tells you the home page for Superior Bicycles (www.superiorbicycles.biz) and gives you a ProDiscover .eve file containing the image of a Windows 98 computer belonging to a Superior Bicycle employee named Denise Robinson. For this activity, you use ProDiscover Basic to extract System.dat and User.dat from the image file, and then use AccessData Registry Viewer to see what information you can find in these files. If you find any items of interest, you copy the Registry path and name to a text file that you can give to the paralegal.

Although the file is an image of a Windows 98 computer, you can use Windows XP or Vista to run ProDiscover Basic and AccessData Registry Viewer in the following activities. Registry Viewer can run in Windows 9x and later and analyze all Windows Registry versions.

Before beginning this activity, extract compressed files from the Chap06 folder on the book’s DVD to your Work\Chap06\Chapter folder. If necessary, create the Chap06 and Chapter folders first. The work folder pathname you see in screenshots might differ. To extract Registry files with ProDiscover Basic, follow these steps:

1. Start ProDiscover Basic with the Run as administrator option. If the Launch Dialog dialog box opens, click Cancel.
2. Click File, New Project from the menu.
3. In the New Project dialog box, type InChap06 in the Project Number text box and the Project File Name text box, and then click OK.
4. In the tree view of the main window, click to expand Add and then click Image File.
5. In the Open dialog box, navigate to your work folder, click the GCFI-Win98.eve image file, and click Open. Click Yes in the Auto Image Checksum message box, if necessary.
6. Click the Search toolbar button. In the Search dialog box, click the Content Search tab.
Click the Search for files named option button, and in the Search text box, type system.dat and user.dat. Under Select the Disk(s)/Image(s) you want to search in, click the image file (see Figure 6-26), and then click OK.
7. In the search results, click the check box next to the SYSTEM.DAT file. When the Add Comment dialog box opens, type Registry files to extract, click the Apply to all items check box, and then click OK (see Figure 6-27).
8. Click the check box next to the USER.DAT file, and then click Tools, Copy Selected Files from the menu. In the Choose Destination dialog box, click Browse. In the Browse for Folder dialog box, navigate to and click your work folder, and then click OK. Click OK again in the Choose Destination dialog box.
9. Exit ProDiscover Basic, saving the project if prompted.

Figure 6-26 Searching for Registry files
Figure 6-27 Selecting files in the search results

To extract Registry files for other Windows OSs, refer to Table 6-6 for the filenames and path locations.

Next, you learn how to examine extracted Registry files with the demo version of AccessData Registry Viewer. This tool has been provided on the book’s DVD, so copy and install it on your system. When you’ve finished installing Registry Viewer, follow these steps to examine a Registry file:

1. Start Notepad or another text editor.
2. Start Registry Viewer by clicking Start, pointing to All Programs, pointing to AccessData, pointing to Registry Viewer, right-clicking Registry Viewer, clicking Run as administrator, and then clicking Continue. If you see a message stating “…cannot find … C:\windows\system32\CodeMeter.exe…” and then “No dongle found,” click OK to start the program. In Windows XP and older Windows OSs, click Start, point to All Programs, point to AccessData, point to Registry Viewer, and click Registry Viewer.
3. In Registry Viewer’s main window, click the Open toolbar button and navigate to Work\Chap06\Chapter\GCFI-Win98.eve Recovered\Windows. Click USER.DAT, and then click Open. When ProDiscover extracts Registry files, it creates a subfolder with the image file’s name and the suffix Recovered, followed by the folder path where the file was recovered. In the previous activity, the Registry files were originally located on the suspect’s drive at C:\Windows. ProDiscover maintains this directory path prefaced by the image filename.
4. Click Edit, Find from the menu. In the Find dialog box, type superior in the Find what text box (see Figure 6-28), and then click Find Next.

Figure 6-28 Entering a search term in Registry Viewer

5. When the search results are displayed, right-click the folder in the left pane containing the key and click Copy Key Name (see Figure 6-29). Paste it into Notepad.
6. Back in Registry Viewer, press F3 to search for the next occurrence of the keyword “superior,” and copy and paste the key name as before. Repeat this step until you find no more occurrences.
7. Click USER.DAT in the left pane, and then click Edit, Find from the menu again. This time, type denise in the Find what text box and click Find Next.

Figure 6-29 Copying a key name in Registry Viewer

8. When the search results are displayed, right-click the folder in the left pane containing the key, click Copy Key Name, and paste it into Notepad. Press F3 to search for the next occurrence of the keyword “denise,” and copy and paste the key name as before. Repeat until no more occurrences are found.
9. Exit Registry Viewer by clicking File, Exit from the menu, and then clicking Yes in the Exit Registry Viewer dialog box.
10. Delete any redundant folder names in Notepad (refer to Figure 6-30), and save this text document as InChap6-reg-search.txt. Exit Notepad.
Figure 6-30 The search results showing paths for keys of interest

An extensive amount of information is stored in the Registry. With Registry data, you can ascertain when users went online, when they accessed a printer, and many other events. A lot of the information in the Registry is beyond the scope of this book, so you’re encouraged to expand your knowledge by attending training sessions or classes.

Understanding Microsoft Startup Tasks

You should have a good understanding of what happens to disk data at startup. In some investigations, you must preserve data on the disk exactly as the suspect last used it. Any access to a computer system after it was used for illicit purposes alters your disk evidence. As you learned in Chapter 4, altering disk data lessens its evidentiary quality considerably. In some instances, accessing a suspect computer incorrectly could make the digital evidence corrupt and less credible for any litigation.

In the following sections, you learn what files are accessed when Windows starts. This information helps you determine when a suspect’s computer was last accessed, which is particularly important with computers that might have been used after an incident was reported.

Startup in Windows NT and Later

Although Windows NT is much different from Windows 95 and 98, the startup method for the NT OSs—NT, 2000, XP, and Vista—is about the same. There are some minor differences in how certain system start files function, but basically, they accomplish the same orderly startup. All NTFS computers perform the following steps when the computer is turned on:

• Power-on self test (POST)
• Initial startup
• Boot loader
• Hardware detection and configuration
• Kernel loading
• User logon

Windows OSs use the files discussed in the following sections to start. These files can be located on the system partition or boot partition.
Startup Files for Windows Vista

When Microsoft developed Vista, it updated the boot process to use the new Extensible Firmware Interface (EFI) as well as the older BIOS system. The EFI boot firmware is designed to provide better protection against malware than BIOS does. Vista’s boot processes have also changed since Windows XP. The Ntldr program in Windows XP used to load the OS has been replaced with these three boot utilities:

• Bootmgr.exe—The Windows Boot Manager program controls boot flow and allows booting multiple OSs, such as booting Vista along with XP.
• Winload.exe—The Windows Vista OS loader installs the kernel and the Hardware Abstraction Layer (HAL) and loads memory with the necessary boot drivers.
• Winresume.exe—This tool restarts Vista after the OS goes into hibernation mode.

Windows Vista also includes a tool for modifying boot options called Boot Configuration Data (BCD); it replaces Windows XP’s Boot.ini file. For additional information on EFI, see www.microsoft.com/whdc/system/platform/firmware/bcd.mspx.

Startup Files for Windows XP

Unless otherwise specified, most startup files for Windows XP are located in the root folder of the system partition. The NT Loader (Ntldr) file loads the OS. When the system is powered on, Ntldr reads the Boot.ini file, which displays a boot menu. After you select the mode to boot to, Boot.ini runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll, and startup device drivers. Boot.ini specifies the Windows XP path installation and contains options for selecting the Windows version.

If a system has multiple boot OSs, including older ones such as Windows 9x or DOS, Ntldr reads BootSect.dos (a hidden file), which contains the address (boot sector location) of each OS. When the boot selection is made, Ntldr runs NTDetect.com, a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to Ntldr.
This program identifies components and values on the computer system, such as the following:

• CMOS time and date value
• Buses attached to the motherboard, such as Industry Standard Architecture (ISA) or Peripheral Component Interconnect (PCI)
• Disk drives connected to the system
• Mouse input devices connected to the system
• Parallel ports connected to the system

NTBootdd.sys is the device driver that allows the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS. (On some workstations, a SCSI disk is used as the primary boot disk.) Controllers that don’t use Interrupt 13 (INT-13) use NTBootdd.sys. It runs in privileged processor mode with direct access to hardware and system data.

Ntoskrnl.exe is the Windows XP OS kernel, located in the %system-root%\Windows\System32 folder. Hal.dll is the Hardware Abstraction Layer (HAL) dynamic link library, located in the %system-root%\Windows\System32 folder. The HAL allows the OS kernel to communicate with the computer’s hardware. At startup, data and instruction code are moved in and out of the Pagefile.sys file to optimize the amount of physical RAM available.

The HKEY_LOCAL_MACHINE\SYSTEM Registry key contains information the OS requires to start system services and devices. This system Registry file is located in the %system-root%\Windows\System32\Config\System folder. Device drivers contain instructions for the OS for hardware devices, such as the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder. To identify the specific path for %system-root% at a DOS prompt, type Set with no switches or parameters and press Enter. This command displays all current %system-root% paths.

Windows XP System Files

Next, you need to examine the core OS files that Windows XP, 2000, and NT use, usually located in %system-root%\Windows\System32 or %system-root%\Winnt\System32. Table 6-8 lists the essential files Windows XP uses.
Although a few of these files are repeats of previous table entries, you should be aware of their key roles.

Table 6-8 Windows XP system files

  Ntoskrnl.exe: The XP executable and kernel
  Ntkrnlpa.exe: The physical address support program for accessing more than 4 GB of physical RAM
  Hal.dll: The Hardware Abstraction Layer (described earlier)
  Win32k.sys: The kernel-mode portion of the Win32 subsystem
  Ntdll.dll: System service dispatch stubs to executable functions and internal support functions
  Kernel32.dll: Core Win32 subsystem DLL file
  Advapi32.dll: Core Win32 subsystem DLL file
  User32.dll: Core Win32 subsystem DLL file
  Gdi32.dll: Core Win32 subsystem DLL file

Contamination Concerns with Windows XP

When you start a Windows XP NTFS workstation, several files are accessed immediately. When any of these or other related OS files are accessed at startup, the last access date and time stamp for the files change to the current date and time. This change destroys any potential evidence that shows when a Windows XP workstation was last used. For this reason, you should have a strong working knowledge of the startup process.

Startup in Windows 9x/Me

Like Windows XP, system files in Windows 9x/Me containing valuable information can be altered easily during startup, which affects their evidentiary value and integrity. Windows 9x OSs have similar boot processes. Windows Me is similar, too, with one important exception: You can’t boot to a true MS-DOS mode. When you’re conducting a computing investigation, being able to boot to MS-DOS is preferred, especially if you’re running a later version of Windows 95 OEM SR2 (version 4.00.1111) or a newer one in which the MS-DOS boot mode can read and write to a FAT32 disk.

Windows 9x OSs have two modes: DOS protected-mode interface (DPMI) and protected-mode GUI (serves the same purpose as Config.sys in MS-DOS).
Many older computer forensics tools use DPMI mode and can't be run from a Windows command prompt window because they use certain disk accesses that conflict with the GUI. (See www.webopedia.com/TERM/D/DOS_Protected_Mode_Interface.html for more details.)

The system files Windows 9x uses have their origin in MS-DOS 6.22. The Io.sys file communicates between a computer's BIOS, the hardware, and the OS kernel. During the boot phase of a Windows 9x system, Io.sys monitors the keyboard for an F8 keystroke. If F8 is pressed during startup, Io.sys loads the Windows Startup menu, which has options such as booting to Windows normally and running in Safe mode to perform maintenance. Option 5 in the Windows Startup menu (see Figure 6-31) is "Command prompt only." By selecting this option, you can go directly to a Windows 9x version of MS-DOS. You need to be familiar with MS-DOS 6.22 or Windows 9x MS-DOS.

Msdos.sys is a hidden text file containing startup options for Windows 9x. In MS-DOS 6.22, this file is the actual OS kernel. In Windows 9x, Msdos.sys has a different role: it holds boot options (such as BootMenu and BootGUI) and takes over part of the role that Autoexec.bat and Config.sys played in MS-DOS 6.22. The Msdos.sys file is usually located in the root folder of the C drive.

Figure 6-31 Windows 9x startup options

The Command.com file provides a command prompt when booting to MS-DOS mode (DPMI). You can run a limited number of MS-DOS commands built into Command.com, called internal MS-DOS commands and described in the following list:
• Dir—List directories.
• Cd (Chdir)—Change directory location.
• Cls—Clear the screen of all output.
• Date—Display the CMOS calendar value.
• Copy—Copy a file from one location to another.
• Del (Erase)—Erase a file.
• Md (Mkdir)—Create a subdirectory.
• Path—Define where to find other commands and programs.
• Prompt—Define what your MS-DOS prompt looks like.
• Rd (Rmdir)—Erase a directory or folder.
• Set—Define or remove environment variables.
• Time—Display the CMOS clock value.
• Type—List the content of a text file on screen.
• Ver—Get the MS-DOS version number in which you're working.
• Vol—Display the volume label of the disk drive.

Understanding MS-DOS Startup Tasks
MS-DOS uses three files when starting, with the same names as in Windows 9x/Me: Io.sys, Msdos.sys, and Command.com. Two other files are then used to configure MS-DOS at startup: Config.sys and Autoexec.bat. Although MS-DOS and Windows 9x use some of the same startup filenames, there are some important differences between the files in these OSs.

Io.sys is the first file loaded after the ROM bootstrap loader finds the disk drive and runs its boot sector. Io.sys then resides in RAM and provides the basic input and output service for all MS-DOS functions. Msdos.sys is the second program to load into RAM immediately after Io.sys. As mentioned, this file is the actual OS kernel, not a text file as in Windows 9x and Me. After Msdos.sys finishes setting up DOS services, it looks for the Config.sys file to configure device drivers and other settings. Config.sys is a text file containing commands that typically run only at system startup to enhance the computer's DOS configuration. Msdos.sys then loads Command.com, which contains the same internal DOS commands in MS-DOS 6.22 as in Windows 9x. As the loading of Command.com nears completion, Msdos.sys looks for and loads Autoexec.bat, a batch file containing customized settings for MS-DOS that runs automatically. In this batch file, you can define the default path and set environment variables, such as temporary directories. Booting MS-DOS from the suspect drive also writes to that drive (Autoexec.bat, for example, can create or overwrite files), so the same contamination concern applies: boot from your own forensic media.

Other Disk Operating Systems
Years ago, other microcomputer OSs, such as Control Program for Microprocessors (CP/M), Digital Research Disk Operating System (DR-DOS), and Personal Computer Disk Operating System (PC-DOS) were used. Of these OSs, only DR-DOS is still available.
As mentioned in Chapter 1, if you encounter an old computer running one of these OSs, you might need to call on your network of experts to research, explore, and test the OS. This section summarizes some features of these OSs.

In the 1970s, Digital Research created the first hardware-independent microcomputer OS, CP/M, which had a unique file system. Computers using CP/M had 8-inch floppy drives and typically didn't support hard drives. CP/M ran on 8-bit CPUs such as the Intel 8080 and Zilog Z80, which could address at most 64 KB of RAM. In the early 1980s, expansion cards with a built-in Z80 CPU were sold for the IBM PC so that users could run applications written for CP/M. After Microsoft developed MS-DOS, Digital Research created DR-DOS in 1988 to compete with that OS; it used FAT12 and FAT16 and had a richer command environment than MS-DOS. DR-DOS is now sold primarily as an embedded OS for out-of-the-box ROM or Flash ROM systems.

When IBM created the first PC using the Intel 8088 processor, it contracted with Microsoft, then a startup company, to create an OS. In 1981, Microsoft purchased 86-DOS from Seattle Computer Products; it ran on the 16-bit Intel 8086/8088 and was modeled on CP/M. Microsoft supplied 86-DOS to IBM for use on its PCs, and IBM called it PC-DOS. IBM continued to release PC-DOS versions into the late 1990s (PC DOS 7 and PC DOS 2000), after Microsoft had released Windows 95. PC-DOS works much like MS-DOS, although its OS files are named differently. For example, Io.sys is called Ibmbio.com, and Msdos.sys is called Ibmdos.com. However, PC-DOS uses FAT12 and FAT16, so accessing data is no different from working with MS-DOS. For more information on DOS commands and batch files, see Appendix D.

Understanding Virtual Machines
New versions of OSs and applications are released frequently, but older versions are still widely used. As an investigator, you'll be faced with the challenge of having enough resources to support the variety of software you're likely to encounter.
More companies are turning to virtualization to reduce the cost of hardware purchases, so the number of investigations involving virtual machines will increase as this practice continues. As an investigator, you might need a virtual server to view legacy systems, and you might need to forensically examine suspects' virtual machines.

Virtual machines enable you to run another OS on an existing physical computer (known as the host computer) by emulating a computer's hardware environment. Figure 6-32 shows a VMware Server virtual machine running Windows XP Professional on the desktop of a host computer. Typically, a virtual machine consists of several files. The two main files are the configuration file containing hardware settings, such as RAM, network configurations, port settings, and so on, and the virtual hard disk file, which contains the boot loader program, OS files, and users' data files. (Depending on the virtualization software, these files might be organized differently.)

Figure 6-32 A virtual machine running on the host computer's desktop

A virtual machine acts like any other file but with a twist: It performs all the tasks the OS running on the physical computer can, up to a certain point. The virtual machine recognizes hardware components of the host computer it's loaded on, such as the mouse, keyboard, and CD/DVD drive. However, the guest OS (the one running on a virtual machine) is limited by the host computer's OS, which might block certain operations. For example, most virtual machines recognize a CD/DVD drive because the host computer defaults to auto-detect. Some virtual machines don't recognize a USB drive; this capability varies with the virtualization software. Although networking capabilities are beyond the scope of this book, be aware that virtual machines can use bridged, Network Address Translation (NAT), or other network configurations to determine how they access the Internet and communicate with systems on the local network.
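The virtual hard disk file is the one worth understanding in detail. As an added example (not code from the book or from any virtualization product), the following Python parser reads the 512-byte footer that the .vhd format used by Virtual PC appends to every image. That footer is where the file records the emulated drive's size, its CHS geometry and, most important for an examiner, whether the image is fixed (a sector-for-sector copy of the emulated drive) or dynamically expanding (only blocks the guest has written are stored). The footer it parses is constructed inline with a valid checksum; the creator fields, timestamp and UUID in it are made up, and the field layout follows the published VHD format specification.

```python
"""Parse the 512-byte footer of a Virtual PC / Hyper-V .vhd image (added example, not book code).
The footer parsed below is constructed by build_sample_footer, not taken from a real image."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # VHD timestamps count seconds from here
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
NO_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF                      # fixed disks have no dynamic-disk header
# Big-endian footer: cookie, features, version, data offset, timestamp, creator app, creator
# version, creator host OS, original size, current size, cylinders, heads, sectors/track,
# disk type, checksum, unique id, saved-state flag; 427 reserved bytes follow.
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB")

def vhd_checksum(footer):
    """One's complement of the byte sum, with the checksum field (bytes 64-67) left out."""
    return (~(sum(footer[:64]) + sum(footer[68:]))) & 0xFFFFFFFF

def is_valid_vhd_footer(footer):
    return (len(footer) == 512 and footer[:8] == b"conectix"
            and struct.unpack_from(">I", footer, 64)[0] == vhd_checksum(footer))

def vhd_chs(total_sectors):
    """CHS geometry as the VHD specification derives it from a sector count; C*H*S*512 is
    normally a little below the real size because the encoding rounds down."""
    total_sectors = min(total_sectors, 65535 * 16 * 255)
    if total_sectors >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total_sectors // spt
    else:
        spt = 17
        cth = total_sectors // spt
        heads = max(4, (cth + 1023) // 1024)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total_sectors // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total_sectors // spt
    return cth // heads, heads, spt

def parse_vhd_footer(image):
    """Parse the footer stored in the last 512 bytes of a .vhd file."""
    footer = image[-512:]
    if not is_valid_vhd_footer(footer):
        raise ValueError("not a VHD footer, or checksum mismatch (truncated or edited image)")
    (_cookie, _features, _version, data_offset, ts, app, _app_ver, host_os, original, current,
     cyl, heads, spt, disk_type, _checksum, uid, saved) = FOOTER.unpack_from(footer)
    kind = DISK_TYPES.get(disk_type, f"unknown({disk_type})")
    return {
        "type": kind,
        "current_size": current,                    # size of the emulated drive in bytes
        "original_size": original,                  # size when the image was created
        "geometry": (cyl, heads, spt),
        "geometry_bytes": cyl * heads * spt * 512,  # the chapter's CHS capacity calculation
        "created": VHD_EPOCH + timedelta(seconds=ts),
        "creator": app.decode("ascii", "replace").strip(),
        "host_os": host_os.decode("ascii", "replace"),
        "uuid": str(uuid.UUID(bytes=uid)),
        "saved_state": bool(saved),
        # Only a fixed image holds every sector of the emulated drive. Dynamic and differencing
        # images carry a dynamic-disk header at data_offset and omit blocks the guest never
        # wrote, so unallocated guest sectors may have no counterpart in the file at all.
        "sector_for_sector": kind == "fixed" and data_offset == NO_DATA_OFFSET,
        "dynamic_header_offset": None if data_offset == NO_DATA_OFFSET else data_offset,
    }

def build_sample_footer(size_bytes, disk_type, created=datetime(2009, 6, 1, tzinfo=timezone.utc)):
    """Constructed sample footer (not from a real image); creator fields and UUID are made up."""
    cyl, heads, spt = vhd_chs(size_bytes // 512)
    data_offset = NO_DATA_OFFSET if disk_type == 2 else 512   # dynamic header follows the footer copy at offset 0
    footer = bytearray(FOOTER.pack(
        b"conectix", 2, 0x00010000, data_offset, int((created - VHD_EPOCH).total_seconds()),
        b"vpc ", 0x00050003, b"Wi2k", size_bytes, size_bytes,
        cyl, heads, spt, disk_type, 0, uuid.UUID(int=0x1234).bytes, 0))
    footer += b"\0" * (512 - len(footer))
    struct.pack_into(">I", footer, 64, vhd_checksum(footer))   # computed while the field is zero
    return bytes(footer)

SAMPLE_FIXED = build_sample_footer(64 * 1024 * 1024, 2)
SAMPLE_DYNAMIC = build_sample_footer(2 * 1024 ** 3, 3)

if __name__ == "__main__":
    for label, img in (("fixed", SAMPLE_FIXED), ("dynamic", SAMPLE_DYNAMIC)):
        info = parse_vhd_footer(img)
        print(label, info["type"], info["current_size"], info["geometry"],
              info["geometry_bytes"], "sector-for-sector:", info["sector_for_sector"])
```

The checksum check is not decoration: a truncated or hand-edited image fails it, and you want to know that before treating the file as a faithful copy of a drive. The geometry value reproduces the chapter's CHS calculation (cylinders × heads × sectors per track × 512) and shows that it usually comes out a few sectors below the size the footer states, which is one reason to trust the size fields rather than a recomputed geometry when reporting drive capacity.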
Say your company has upgraded to Windows Vista, but you still have a few applications that require Windows 98. Not a problem! Choose your virtualization software, install the Windows 98 OS and the applications you want to run, and you're ready to go. Depending on the host computer's hard drive size and amount of RAM, you can have an entire virtual network running on one physical computer. One advantage is that if you're running several virtual machines, you can pause some of the guest OSs to keep them from consuming CPU cycles and then resume them when needed.

In computer forensics, virtual machines make it possible to restore a suspect drive on a virtual machine and run nonstandard software the suspect might have loaded, for example. You can browse through the drive's contents, and then go back to the forensic image and test the items you found. Remember that in forensics, everything should be reproducible. Therefore, anything you found in the virtual machine re-creation of the suspect drive should exist in the forensic image, too. Work from a copy of the image, because booting the guest writes to its virtual disk just as booting a physical machine writes to its hard drive.

From a network forensics standpoint, you need to be aware of some potential issues, such as a virtual machine used to attack another system or network. How much of the emulated physical drive is represented in the virtual disk file depends on the disk format: a fixed-size virtual disk is a sector-for-sector image of the emulated drive, but a dynamically expanding disk stores only the blocks the guest has written, so sectors the guest never touched have no counterpart in the file. The guest's file system still has file slack and unallocated space of its own, so examine a virtual disk as you would a physical drive image, but expect gaps wherever the format omits unwritten blocks. Malware can be tested on virtual machines with little fear of infecting the host computer, but some malware, unfortunately, can detect that it's on a virtual machine and won't activate. You learn more about forensics procedures with virtual machines in Chapter 11.

Creating a Virtual Machine
Some common applications for creating virtual machines are VMware Server and VMware Workstation, Sun Microsystems VirtualBox, and Microsoft Virtual PC, although others are available. VirtualBox is an open-source program that can be downloaded at www.virtualbox.org. Virtual PC 2007 can be downloaded free from www.microsoft.com/virtualpc. (This version of Virtual PC doesn't run on Vista Home Edition.) The Microsoft Academic Alliance issues ISO images to schools and students for an inexpensive annual fee. Consult with your instructor before doing the following activity. You must download and install Virtual PC first, and you need an ISO image of an OS because no OSs are provided with Virtual PC. Follow these steps to create a virtual machine:
1. If you haven't already done so, install Microsoft Virtual PC.
2. Start Virtual PC. In Virtual PC 2007, the New Virtual Machine Wizard starts automatically. (If it doesn't, click File, New Virtual Machine Wizard from the menu.)
3. In the welcome window of the New Virtual Machine Wizard, click Next.
4. In the Options window, click the Create a virtual machine option button, as shown in Figure 6-33, and click Next.

Figure 6-33 Creating a new virtual machine

5. In the Virtual Machine Name and Location window, type Windows Server 2003 for the virtual machine name. Note that the default location for Vista is Documents\Virtual Machines. Your instructor might tell you to use a different location. Click Next.
6. In the Operating System window, click Windows Server 2003 in the Operating system list box, and then click Next.
7. In the Memory window, you allocate the amount of RAM. You can increase the amount of RAM if needed, but for now, leave it at the recommended level, and then click Next.
8. In the Virtual Hard Disk Options window, click the A new virtual hard disk option button, and then click Next.
9. In the Virtual Hard Disk Location window, accept the default location (generated by your selection in Step 5), and then click Next.
10. Click Finish. The Virtual PC Console should look like Figure 6-34.

Microsoft Virtual PC isn't as easy to use when you're trying to load non-Microsoft OSs.
For Linux and Sun Solaris systems, another virtual platform is recommended.

Figure 6-34 The Virtual PC Console with a virtual machine available

In the following activity, you use an ISO image that your instructor will provide on the network or a CD for installing a guest OS. For any guest OS, you must have a valid product key to install it. You can get the product key from your instructor.
1. In the Virtual PC Console, make sure the Windows Server 2003 virtual machine is selected, and then click the Start button.
2. The Virtual PC user console opens, similar to the window you see when a physical computer starts, and Virtual PC examines the host computer's hardware.
3. This book assumes you know how to install an OS, so detailed steps aren't given. Virtual PC treats an ISO image the same as an installation CD, so when you're prompted for the source disk, enter the location of the ISO image. For the name of the owner, type Sally Freidman, and for the company name, type ABC Corporation.
4. Create a domain name of MainHost.
5. Create an administrator password and make a note of it.
6. After the OS is installed, log on. Note that pressing Ctrl+Alt+Delete goes to the host computer, not the guest. To log on to the virtual machine, press right Alt+Delete. (You can also use right Alt+Enter for full screen.)
7. You should be able to navigate through the contents of the Windows Server 2003 virtual server as though it were a real computer. To switch between the virtual machine window and the desktop, press right Alt and move the cursor.
8. To exit Virtual PC, click File, Close from the menu, and then click Turn off in the drop-down list.

In Virtual PC, the virtual hard disk file has a .vhd extension, and the configuration file has a .vmc extension (see the right pane in Figure 6-35). To see what type of physical computer the virtual machine thinks it's running on, open the Virtual PC Console, and click the Settings button.
You should see a dialog box similar to the one in Figure 6-36, which shows you the settings for the virtual machine's emulated hardware. Notice that you can rename the virtual machine.

Figure 6-35 Virtual machine configuration files

Figure 6-36 Properties of a virtual machine

Be aware that as you install software and perform other tasks, you might encounter problems with recognition of the CD/DVD drive, for example. Virtual machines present some challenges because they are limited by the host computer they're loaded on. For this reason, many legal issues need to be addressed before these systems are accepted for use in court.

Chapter Summary
■ When booting a suspect's computer, using boot media, such as forensic boot floppies or CDs, is important to ensure that disk evidence isn't altered.
■ You should access a suspect computer's BIOS to configure the computer to boot to a floppy disk or CD first.
■ The Master Boot Record (MBR) stores information about partitions on a disk.
■ Microsoft used FAT12 and FAT16 on older operating systems, such as MS-DOS, Windows 3.x, and Windows 9x. The maximum FAT16 partition size is 2 GB. Newer systems use FAT32. FAT12 is now used mainly on floppy disks and small USB drives.
■ To find a hard disk's capacity, use the cylinders, heads, and sectors (CHS) calculation: multiply the number of cylinders, heads, and sectors per track, and then multiply by the sector size (typically 512 bytes) to get the capacity in bytes.
■ Sectors are grouped into clusters, and clusters are chained because the OS can track only a limited number of allocation units (65,536 in FAT16 and 268,435,456 in FAT32, which uses only 28 of the 32 bits in each FAT entry).
■ When a file is deleted in a FAT file system, the first character of its filename in the directory entry is overwritten with 0xE5 (displayed as the Greek letter sigma in code page 437); the rest of the entry, including the starting cluster and file size, remains until the entry is reused.
■ New Technology File System (NTFS) is more versatile because it uses the Master File Table (MFT) to track file information. Data for small files (called resident files, up to roughly 512 to 700 bytes depending on the record's other attributes) is stored in the MFT record itself.
Data for larger files (called nonresident files) is stored outside the MFT and linked by using cluster addresses.
■ Records in the MFT contain attribute IDs that store metadata about files.
■ In NTFS, alternate data streams can obscure information that might be of evidentiary value to an investigation.
■ File slack, random access memory (RAM) slack (in older Windows OSs), and drive slack are areas in which valuable information, such as downloaded files, swap files, passwords, and logon IDs, can reside on a drive.
■ To be an effective computer forensics investigator, you need to maintain a library of older OSs and applications.
■ NTFS stores names in 16-bit Unicode (UTF-16) instead of the 8-bit encoding that ASCII-based file systems use.
■ EFS encrypts individual files and folders on NTFS volumes, and BitLocker encrypts entire volumes. EFS data can be decrypted with the user's key or with a designated recovery agent's certificate; a BitLocker volume can be unlocked with its recovery password or recovery key when the normal unlock method is unavailable.
■ With a hexadecimal editor, you can determine information such as file type and OS configurations.
■ NTFS can compress files, folders, or an entire volume. FAT16 can compress only entire volumes.
■ The Registry in Windows keeps a record of attached hardware, user preferences, network connections, and installed software. In Windows 9x it is held in two binary files, System.dat and User.dat; Windows NT and later store it in hive files under %SystemRoot%\System32\Config, some of which hold credential data.
■ User information in Windows is stored in User.dat for Windows 9x/Me and Ntuser.dat for Windows NT and later. Every user with an account on a Windows computer has his or her own User.dat or Ntuser.dat file.
■ Virtualization software enables you to run other OSs on a host computer. Virtual machines are beneficial if, for example, you need to run a previous OS to test old software that won't run on newer OSs.
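The deleted-entry rule in the summary above is easy to verify in code. As an added example (not from the book), the following Python script parses FAT short (8.3) directory entries, recovers deleted entries with their original starting cluster and size, and handles the two first-byte values that are often confused: 0xE5 marks a deleted entry, while 0x05 is the on-disk escape for a name that really begins with byte 0xE5. The directory it parses is constructed inline; the file names, sizes, cluster numbers and timestamps are made up.

```python
"""Walk FAT 8.3 directory entries and recover deleted ones (added example, not book code).
The directory bytes below are constructed by make_entry, not read from a real volume."""
import struct
from datetime import datetime

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32-byte short directory entry
DELETED, END_OF_DIR, KANJI_ESCAPE = 0xE5, 0x00, 0x05
ATTR_VOLUME, ATTR_DIR, ATTR_ARCHIVE, ATTR_LFN = 0x08, 0x10, 0x20, 0x0F

def fat_datetime(date, time=0, tenths=0):
    """FAT date: 7 bits year-1980, 4 bits month, 5 bits day. FAT time: 5 bits hour, 6 bits
    minute, 5 bits two-second units. The last-access stamp is a date only (no time)."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, sec + tenths // 100, (tenths % 100) * 10000)

def parse_directory(blob):
    """One dict per short entry, deleted ones included, up to the end-of-directory marker."""
    entries = []
    for off in range(0, len(blob) - 31, 32):
        (name, attr, _nt, ctenth, ctime, cdate, adate, hi, wtime, wdate, lo, size) = ENTRY.unpack(blob[off:off + 32])
        if name[0] == END_OF_DIR:
            break                      # nothing has ever been allocated beyond this point
        if attr == ATTR_LFN:
            continue                   # long-name fragment; the 8.3 entry after it holds the metadata
        deleted = name[0] == DELETED
        # 0x05 is how a real leading 0xE5 (a Kanji lead byte) is stored without looking deleted.
        first = b"?" if deleted else (b"\xe5" if name[0] == KANJI_ESCAPE else name[:1])
        base = (first + name[1:8]).decode("cp437").rstrip()
        ext = name[8:11].decode("cp437").rstrip()
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIR),
            "volume_label": bool(attr & ATTR_VOLUME),
            "size": size,
            "first_cluster": (hi << 16) | lo,    # the high word is only used on FAT32
            "created": fat_datetime(cdate, ctime, ctenth),
            "modified": fat_datetime(wdate, wtime),
            "accessed": fat_datetime(adate),
        })
    return entries

def deleted_files(blob):
    """Deleted non-directory entries whose cluster and size are still recoverable."""
    return [e for e in parse_directory(blob) if e["deleted"] and not e["directory"]]

def make_entry(name, ext, size, cluster, when, attr=ATTR_ARCHIVE, deleted=False):
    """Constructed entry (not from a real volume); seconds round down to 2-second units."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    raw = name.ljust(8).encode("cp437") + ext.ljust(3).encode("cp437")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]          # this single byte is all deletion changes
    return ENTRY.pack(raw, attr, 0, 0, time, date, date, cluster >> 16, time, date, cluster & 0xFFFF, size)

SAMPLE_TIME = datetime(2009, 3, 14, 15, 9, 26)
SAMPLE_DIR = (make_entry("LETTER", "DOC", 24576, 3, SAMPLE_TIME)
              + make_entry("BUDGET", "XLS", 18944, 17, SAMPLE_TIME, deleted=True)
              + make_entry("PHOTOS", "", 0, 32, SAMPLE_TIME, attr=ATTR_DIR)
              + b"\0" * 32)                      # end-of-directory marker

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        flag = "DELETED" if e["deleted"] else ("<DIR>" if e["directory"] else "")
        print(f'{e["name"]:14} {flag:8} cluster={e["first_cluster"]:<6} size={e["size"]:<7} {e["modified"]}')
```

Because FAT stores only a date for last access, the access stamp comes back at midnight, while the created and modified stamps carry a time with two-second resolution; keep that in mind before reading anything into a "last accessed at 00:00" value. Long file names live in separate 0x0F entries that the parser skips; deleting a file marks those the same way, so their text usually survives too.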
Key Terms

American Standard Code for Information Interchange (ASCII)
  A 7-bit coding scheme, normally stored one character per 8-bit byte, that assigns numeric values to 128 characters, including letters, numerals, punctuation marks, control characters, and other symbols. Vendor extensions such as code page 437 use the remaining byte values to reach 256 characters.
areal density
  The number of bits per square inch of a disk platter.
attribute ID
  In NTFS, an MFT record field containing metadata about the file or folder and the file's data or links to the file's data.
Autoexec.bat
  A batch file containing customized settings for MS-DOS that runs automatically. It includes the default path and environment variables, such as temporary directories.
Boot.ini
  A file that specifies the path of each Windows installation and a variety of other startup options.
BootSect.dos
  If a machine has multiple bootable OSs, NTLDR reads BootSect.dos, a hidden file, to determine the address (boot sector location) of each OS. See also NT Loader (Ntldr).
bootstrap process
  Information contained in ROM that a computer accesses during startup; this information tells the computer how to access the OS and hard drive.
clusters
  Storage allocation units composed of groups of sectors. Clusters are commonly 512, 1024, 2048, or 4096 bytes each; FAT32 and NTFS allow larger clusters on large volumes.
Command.com
  This system file provides a command prompt when booting to MS-DOS mode.
Config.sys
  A text file containing commands that typically run only at system startup to enhance the computer's DOS configuration.
cylinder
  A column of tracks on two or more disk platters.
data runs
  Cluster addresses where files are stored on a drive's partition outside the MFT record. Data runs are used for nonresident MFT file records. A data run record field consists of three components: the first component defines the size in bytes needed to store the second and third components' content, the second is the run length in clusters, and the third is the starting cluster as a signed offset from the previous run.
data streams
  Ways in which data can be appended to a file (intentionally or not). In NTFS, data streams become an additional file attribute.
device drivers
  Files containing instructions for the OS for hardware devices, such as the keyboard, mouse, and video card.
DOS protected-mode interface (DPMI)
  Used by many computer forensics tools that don't operate in the Windows environment. It allows DOS programs to access extended memory while protecting the system.
drive slack
  Unused space in a cluster between the end of an active file and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments. Drive slack is made up of both file slack and RAM slack. See also file slack and RAM slack.
Encrypting File System (EFS)
  Public/private key encryption of files and folders, first used in Windows 2000 on NTFS-formatted disks. Each file is encrypted with a symmetric key, and the user's public key (and any recovery agent's) is used to encrypt that symmetric key.
File Allocation Table (FAT)
  The original Microsoft file structure database. It's stored near the beginning of the volume, right after the reserved sectors, and records which clusters each file occupies. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variations are FAT12, FAT16, FAT32, and FATX.
file slack
  The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space and can contain passwords, logon IDs, file fragments, and deleted e-mails.
file system
  The way files are stored on a disk; gives an OS a road map to data on a disk.
geometry
  A disk drive's internal organization of platters, tracks, and sectors.
Hal.dll
  The Hardware Abstraction Layer dynamic link library allows the OS kernel to communicate with hardware.
head
  The device that reads and writes data to a disk drive.
head and cylinder skew
  A method manufacturers use to minimize lag time. The starting sectors of adjacent tracks are offset from each other so that, after the read-write head moves to the next track or switches heads, the next sector is just arriving under it.
High Performance File System (HPFS)
  The file system IBM uses for its OS/2 operating system.
Info2 file
  In Windows NT, 2000, and XP, the control file for the Recycle Bin. It contains ASCII data, Unicode data, and the date and time of deletion. (Vista replaced it with per-file $I records in $Recycle.Bin.)
Io.sys
  This MS-DOS file communicates between a computer's BIOS, the hardware, and the OS kernel.
logical addresses
  When files are saved, they are assigned to clusters, which the OS numbers sequentially starting at 2. Logical addresses point to relative cluster positions, using these assigned cluster numbers.
logical cluster numbers (LCNs)
  The numbers sequentially assigned to each cluster when an NTFS disk partition is created and formatted. The first cluster on an NTFS partition starts at count 0. LCNs become the addresses that allow the MFT to read and write data to the disk's nonresident attribute area. See also virtual cluster number (VCN) and data runs.
Master Boot Record (MBR)
  On Windows and DOS computers, the first sector of a partitioned disk. It contains the initial boot code and the partition table, which records each partition's location, size, type, and other important items.
Master File Table (MFT)
  NTFS uses this database to store and link to files. It contains information about access rights, date and time stamps, system attributes, and other information about files.
metadata
  In NTFS, this term refers to information stored in the MFT. See also Master File Table (MFT).
Msdos.sys
  A hidden text file containing startup options for Windows 9x. In MS-DOS 6.22 and earlier, it was the actual OS kernel executable.
New Technology File System (NTFS)
  The file system Microsoft created to replace FAT. NTFS adds security features (access control lists on files and folders), allows smaller cluster sizes, and uses Unicode, which makes it a more versatile system. NTFS is used mainly on newer OSs, starting with Windows NT.
NTBootdd.sys
  A device driver that allows the OS to communicate with SCSI or ATA drives whose controller doesn't provide BIOS INT 13h services.
NTDetect.com
  A 16-bit program that identifies hardware components during startup and sends the information to Ntldr.
NT Loader (Ntldr)
  A program located in the root folder of the system partition that loads the OS. See also BootSect.dos.
Ntoskrnl.exe
  The kernel for the Windows XP OS.
one-time passphrase
  A password used to access special accounts or programs requiring a high level of security, such as a decryption utility for an encrypted drive. This passphrase can be used only once, and then it expires.
Pagefile.sys
  The Windows paging file. The OS moves pages of data and instruction code between physical RAM and this file to free memory, so it can hold fragments of whatever was in RAM, including data the user never saved to a file.
partition
  A logical drive on a disk. It can be the entire disk or part of the disk.
Partition Boot Sector
  The first data set of an NTFS volume. It starts at sector 0 of the partition (not necessarily sector 0 of the disk), and its boot code can expand up to 16 sectors.
partition gap
  Unused space or void between the primary partition and the first logical partition.
personal identity information (PII)
  Any information that can be used to create bank or credit card accounts, such as name, home address, Social Security number, and driver's license number.
physical addresses
  The actual sectors in which files are located. Sectors reside at the hardware and firmware level.
private key
  In public-key encryption, the key used to decrypt data (or the symmetric key protecting it). The owner keeps the private key secret.
protected-mode GUI
  Provides the same functional startup process for Windows that Config.sys provided for DOS. It loads all the device drivers.
public key
  In public-key encryption, the key used to encrypt data for its owner. It can be distributed freely; a certificate authority, such as VeriSign or a company's own certificate server, binds it to the owner's identity in a certificate.
RAM slack
  The unused space between the end of the file (EOF) and the end of the last sector used by the active file in the cluster. Any data residing in RAM at the time the file is saved, such as logon IDs and passwords, can appear in this area, whether the information was saved or not. RAM slack is found primarily in older Microsoft OSs.
recovery certificate
  The certificate of a designated recovery agent. NTFS encrypts each EFS file's symmetric key to it as well as to the user's key, so a network administrator can recover encrypted files if the file's user/creator loses the private key.
Registry
  A Windows database containing information about hardware and software configurations, network connections, user preferences, setup information, and other critical information.
sector
  A section on a track, typically made up of 512 bytes.
track density
  The number of tracks per inch on a platter. The smaller the space between tracks, the higher the density and the more tracks on a disk. Older drives with low track density (wide spacing) allowed the heads to wander.
tracks
  Concentric circles on a disk platter where data is stored.
Trusted Computing Group (TCG)
  A nonprofit organization that develops open standards for trusted computing across multiple platforms, including the TPM specification.
Trusted Platform Module (TPM)
  A microchip that stores encryption key data used to encrypt and decrypt drive data.
unallocated disk space
  Partition disk space that isn't allocated to a file. This space might contain data from files that have been deleted previously.
Unicode
  A character code representation that's replacing ASCII. It's capable of representing more than a million code points, including non-European-based languages.
UTF-8 (Unicode Transformation Format)
  One of the three Unicode encoding forms (with UTF-16 and UTF-32). It stores each code point in one to four bytes and is byte-compatible with ASCII for the first 128 characters.
virtual cluster number (VCN)
  The index of a cluster within a file rather than on the disk: the first cluster of a nonresident file is VCN 0, the next is VCN 1, and so on. Data runs map ranges of VCNs to the LCNs where they are actually stored, so a fragmented file has several runs. The LCN is a physical location on the NTFS partition; the VCN is the offset within the file. See also logical cluster numbers (LCNs) and data runs.
virtual machines
  Emulated computer environments that simulate hardware and can be used for running OSs separate from the physical (host) computer.
  For example, a computer running Windows Vista could have a virtual Windows 98 OS, allowing the user to switch between OSs.
volume
  Any storage media, such as a floppy disk, a partition on a hard drive, the entire drive, or several drives. On Intel systems, a volume is any partitioned disk.
zoned bit recording (ZBR)
  The method most manufacturers use to deal with a platter's inner tracks being shorter than the outer tracks. Grouping tracks into zones lets the longer outer tracks hold more sectors than the inner ones, so the platter's full surface is used.

Review Questions
1. In DOS and Windows 9x, Io.sys is the first file loaded after the ROM bootstrap loader finds the disk. True or False?
2. On a Windows system, sectors typically contain how many bytes?
   a. 256
   b. 512
   c. 1024
   d. 2048
3. What does CHS stand for?
4. Zoned bit recording is how disk manufacturers ensure that a platter's outer tracks store as much data as possible. True or False?
5. Areal density refers to which of the following?
   a. Number of bits per disk
   b. Number of bits per partition
   c. Number of bits per square inch of a disk platter
   d. Number of bits per platter
6. Clusters in Windows always begin numbering at what number?
7. What is the ratio of sectors per cluster in a floppy disk?
   a. 1:1
   b. 2:1
   c. 4:1
   d. 8:1
8. List three items stored in the FAT database.
9. Windows 2000 can be configured to access which of these file formats? (Choose all that apply.)
   a. FAT12
   b. FAT16
   c. FAT32
   d. NTFS
10. In FAT32, a 123 KB file uses how many sectors?
11. What is the space on a drive called when a file is deleted? (Choose all that apply.)
   a. Disk space
   b. Unallocated space
   c. Drive space
   d. Free space
12. List two features NTFS has that FAT does not.
13. What does MFT stand for?
14. In NTFS, files smaller than 512 bytes are stored in the MFT. True or False?
15. RAM slack can contain passwords. True or False?
16. A virtual cluster consists of what kind of clusters?
17. The Windows Registry in Windows 9x consists of what two files?
18. HPFS is used on which OS?
19. Device drivers contain what kind of information?
20. Which of the following Windows XP files contains user-specific information?
   a. User.dat
   b. Ntuser.dat
   c. System.dat
   d. Sam.dat
21. Virtual machines have which of the following limitations when running on a host computer?
   a. Internet connectivity is restricted to virtual Web sites.
   b. Applications can be run on the virtual machine only if they're resident on the physical machine.
   c. Virtual machines are limited to the host computer's peripheral configurations, such as mouse, keyboard, CD/DVD drives, and other devices.
   d. Virtual machines can run only OSs that are older than the physical machine's OS.
22. An image of a suspect drive can be loaded on a virtual machine. True or False?
23. EFS can encrypt which of the following?
   a. Files, folders, and volumes
   b. Certificates and private keys
   c. The global Registry
   d. Network servers
24. To encrypt a FAT volume, which of the following utilities can you use?
   a. Microsoft BitLocker
   b. EFS
   c. PGP Whole Disk Encryption
   d. FreeOTFE
25. What are the functions of a data run's field components in an MFT record?

Hands-On Projects
There are no data files to extract for this chapter's projects, but create a Work\Chap06\Projects folder on your system before starting the projects.

Hands-On Project 6-1
In this project, you compare two files created in Microsoft Office to determine whether the files are different at the hexadecimal level. Keep a log of what you find. Use a Windows XP or Vista computer, and follow these steps:
1. Start Word, and in a new document, type This is a test.
2. Save the file as Mywordnew.doc in your work folder, using Word 97-2003 (*.doc) as the file type. Exit Word.
3. Start Excel, and in a new workbook, enter a few random numbers. Save the file in your work folder as Myworkbook.xls, using Excel 97-2003 (*.xls) as the file type.
4. Exit Excel, and start Hex Workshop (which you downloaded earlier).
5. Click File, Open from the menu. In the Open dialog box, navigate to your work folder and double-click Mywordnew.doc.
6. In Hex Workshop, there are two upper panes: the Editor pane and the Data Inspector pane. The Editor pane is divided into three columns: Offset, Hex, and Text. (Note: If needed, click Help, Contents from the menu, and read the Layout and Editing section.) You should see eight 0s in the Offset column. The file header D0 CF 11 E0 A1 B1 1A E1 should be in the first row of the Hex column.
7. When you've finished examining this information, print just the first page of the document.
8. Click File, Close from the menu to close Mywordnew.doc.
9. Click File, Open from the menu. In the Open dialog box, navigate to your work folder and double-click Myworkbook.xls.
10. Examine the information in the Hex Workshop window, and then print the first page.
11. Close Myworkbook.xls, and compare the two printouts. Both files should begin with the same eight-byte header, D0 CF 11 E0 A1 B1 1A E1, because every binary Office 97-2003 document (Word, Excel, PowerPoint) is an OLE2 compound file; Microsoft Access files use a different container and don't share it. Describe any differences you see in the Office 2007 header. Exit Hex Workshop.

Hands-On Project 6-2
In this project, you explore the MFT and learn how to locate date and time values in the metadata of a file you create. These steps help you identify fragments of MFT records, which you might find in unallocated disk space or Pagefile.sys. You need the following for this project:
• Windows 2000 or later with the C drive configured as NTFS
• Notepad to create a small text file
• ProDiscover Basic to copy the MFT to your work folder (Note: Vista users, remember to use the Run as administrator option.)
• WinHex Demo to analyze the metadata in the MFT (provided on the book's DVD, so copy and install it on your system first, if necessary)
1. Start Notepad, and create a text file with one or more of the following lines:
• A countryman between two lawyers is like a fish between two cats.
• A slip of the foot you may soon recover, but a slip of the tongue you may never get over. • An investment in knowledge always pays the best interest. • Drive thy business or it will drive thee. 6 256 Chapter 6 2. Save the file in your work folder as C6Prj02.txt, and exit Notepad. (If your work folder isn’t on the C drive, make sure you save the C6Prj02.txt file on your C drive to have it entered in the $MFT files you copy later.) 3. Next, review the material in “MFT and File Attributes,” paying particular attention to attributes 0x10 and 0x30 for file dates and times. The following charts show the offset byte count starting at position FILE of the file’s MFT record for the date and time stamps: The offsets listed in the following charts are from the first byte of the MFT record, not the starting position of the specific attributes 0x10 and 0x30. 0x10 $Standard Information (data starts at offset 0x18) Description of field C Time (file creation) Offset position 0x50 Byte size 8 A Time (file altered) 0x58 8 M Time (MFT change) 0x60 8 0x30 $File_Name (data starts at offset 0x18) Description of field C Time (file creation) Offset position 0xB8 Byte size 8 A Time (file altered) 0xC0 8 M Time (MFT change) 0xC8 8 R Time (file read) 0XD0 8 4. Start ProDiscover Basic, and start a new project, using C6Prj02 for the project number and filename. 5. Click Action from the menu, point to Add, and click Disk. 6. In the Add Disk to Project dialog box, click PhysicalDrive0. Type c-drive in the Please enter unique name for physical disk text box, and then click Add. If you see the Add Disk warning message, click OK. 7. In the tree view, click to expand Content View, Disks, and PhysicalDrive0. Then click to select the C drive. 8. In the work area, scroll down, if necessary, and then right-click $MFT and click Copy File. In the Save As dialog box, navigate to your work folder, and then click Save. 9. 
When the $MFT file has been copied to your work folder, exit ProDiscover Basic, saving the project if prompted. Next, you examine the copied $MFT file to learn how metadata is stored. Follow these steps: Hands-On Projects 257 1. Start WinHex Demo by clicking Start, pointing to All Programs, and clicking WinHex. If you see an evaluation warning message, click OK. 2. Click the Open toolbar button. In the Open dialog box, navigate to your work folder, click the $MFT file, and then click Open. If you see another evaluation warning message, click the Do not display this kind of message again check box, and then click OK. 3. Click Search, Find Text from the menu. 4. In the text box for specifying the text string to search, type C6Prj02.txt. Click the Format Code list arrow (next to the list box containing the text “ASCII”), click Unicode, and then click OK. By default, WinHex displays a floating Data Interpreter window that converts hex values to decimal values and can also convert date and time codes. If you don’t see this window, activate it by clicking View, pointing to Show, and clicking Data Interpreter. 5. Right-click the Data Interpreter window and click Options. In the Data Interpreter Options dialog box, click the Win32 FILETIME (64 bit) check box, and then click OK. The Data Interpreter should then have FILETIME as an additional display. 6. In the WinHex window, scroll up so that the MFT record label FILE for C6Prj02.txt is the first line at the top of the hexadecimal and text displays. 7. Click at the beginning of the record, on the letter F in FILE, and then drag down and to the right while you monitor the hexadecimal counter in the lower-right corner. When the counter reaches 50, release the mouse button. 8. Move the cursor one position to the left (to the next byte), and record the date and time of the Data Interpreter’s FILETIME values. 9. 
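Steps 7 and 8 read one stamp at a time by hand. The following script, an added example rather than part of the project, does the same job on an MFT record by following the attribute headers, and then checks the chart’s fixed offsets against what it found. It parses a record constructed inside the script (the layout follows the NTFS on-disk format; the file name, stamps and contents are made up), so it runs without a copied $MFT. To use it on a real record, read 1,024 bytes starting at a FILE signature and apply the update sequence fixups first; the constructed record has none to apply.

```python
"""Read the C, A, M and R times out of an NTFS MFT record.

Added example, not from the book: instead of trusting the fixed offsets in
the chart above, it walks the attribute headers, then checks the chart's
offsets against what it found. The record bytes are constructed here, not
copied from a real $MFT (a real record also needs its update sequence
fixups applied before parsing); the layout follows the NTFS on-disk format.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("created", "altered", "mft_changed", "read")   # on-disk order of the four stamps


def filetime_to_datetime(ft: int) -> datetime:
    """Win32 FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def walk_attributes(record: bytes):
    """Yield (type, offset, body) for each resident attribute by following the headers:
    byte 0x14 of the record holds the first attribute offset; each attribute header
    holds its type (+0x00), total length (+0x04), non-resident flag (+0x08),
    body length (+0x10) and body offset (+0x14)."""
    if record[:4] != b"FILE":
        raise ValueError("no FILE signature: not an MFT record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF:                 # end-of-attributes marker
            break
        if alen < 0x18 or off + alen > len(record):
            raise ValueError(f"bad attribute length at 0x{off:X}")
        if record[off + 8] == 0:                # resident: the body is inside the record
            body_len, body_off = struct.unpack_from("<IH", record, off + 0x10)
            yield atype, off, record[off + body_off: off + body_off + body_len]
        off += alen


def parse_timestamps(record: bytes) -> dict:
    """{'standard_information': {...}, 'file_name': {..., 'name': str}}, all UTC."""
    out = {}
    for atype, _, body in walk_attributes(record):
        if atype == 0x10:                       # $STANDARD_INFORMATION: four FILETIMEs first
            stamps = struct.unpack_from("<4Q", body, 0)
            out["standard_information"] = dict(zip(FIELDS, map(filetime_to_datetime, stamps)))
        elif atype == 0x30 and "file_name" not in out:   # $FILE_NAME: parent ref, then four FILETIMEs
            stamps = struct.unpack_from("<4Q", body, 8)
            name = body[0x42: 0x42 + 2 * body[0x40]].decode("utf-16-le")
            out["file_name"] = dict(zip(FIELDS, map(filetime_to_datetime, stamps)), name=name)
    return out


# The chart's offsets, counted from the first byte of the record.
CHART = {"standard_information": {"created": 0x50, "altered": 0x58, "mft_changed": 0x60},
         "file_name": {"created": 0xB8, "altered": 0xC0, "mft_changed": 0xC8, "read": 0xD0}}


def read_chart_offsets(record: bytes) -> dict:
    return {attr: {f: filetime_to_datetime(struct.unpack_from("<Q", record, o)[0])
                   for f, o in fields.items()} for attr, fields in CHART.items()}


def _put_resident(rec: bytearray, off: int, atype: int, body: bytes) -> int:
    alen = (0x18 + len(body) + 7) & ~7          # attribute lengths are 8-byte aligned
    struct.pack_into("<IIBBHHH", rec, off, atype, alen, 0, 0, 0x18, 0, 0)
    struct.pack_into("<IHBB", rec, off + 0x10, len(body), 0x18, 0, 0)
    rec[off + 0x18: off + 0x18 + len(body)] = body
    return off + alen


def build_record(name: str, stamps: dict, first_attr_off: int = 0x38) -> bytes:
    """Constructed 1 KB record: header, $STANDARD_INFORMATION, $FILE_NAME, resident $DATA."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    # usa offset, usa size, $LogFile LSN, sequence no., link count, first attr offset, flags, used size
    struct.pack_into("<HHQHHHHI", rec, 4, 0x30, 3, 0, 1, 1, first_attr_off, 1, 0)
    struct.pack_into("<I", rec, 0x1C, 1024)     # allocated size of the record
    ft = [datetime_to_filetime(stamps[f]) for f in FIELDS]
    off = _put_resident(rec, first_attr_off, 0x10, struct.pack("<4Q", *ft) + bytes(0x48 - 32))
    fn = (struct.pack("<Q", 5 | (5 << 48)) + struct.pack("<4Q", *ft)      # parent = root dir (MFT #5)
          + struct.pack("<QQII", 0, 0, 0x20, 0) + struct.pack("<BB", len(name), 1)
          + name.encode("utf-16-le"))
    off = _put_resident(rec, off, 0x30, fn)
    off = _put_resident(rec, off, 0x80, b"Drive thy business or it will drive thee.\r\n")
    struct.pack_into("<I", rec, off, 0xFFFFFFFF)
    struct.pack_into("<I", rec, 0x18, off + 8)  # bytes of the record in use
    return bytes(rec)


SAMPLE_STAMPS = {f: datetime(2009, 3, 14, 15, 9, 26, 535897, tzinfo=timezone.utc) + timedelta(hours=i)
                 for i, f in enumerate(FIELDS)}
SAMPLE_RECORD = build_record("C6Prj02.txt", SAMPLE_STAMPS)

if __name__ == "__main__":
    for attr, fields in parse_timestamps(SAMPLE_RECORD).items():
        print(attr, fields)
```

Calling build_record with first_attr_off=0x30 (the record header size on NTFS before version 3.1) shifts every stamp by 8 bytes: walk_attributes still finds them, while reading the chart’s 0x50 on such a record returns the A time instead of the C time. That is the reason to confirm the offsets from the headers before reporting a date from an MFT fragment found in unallocated space or Pagefile.sys.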
9. Repeat Steps 7 and 8, using the offset positions plus 1 byte to see the values for the remaining date and time positions. Write down these values.
10. When you’re finished, exit WinHex and hand in the date and time values you recorded.

Hands-On Project 6-3
In this project, you use Hex Workshop to become familiar with different file types. Follow these steps on a Windows XP or Vista computer:
1. On your hard drive, locate or create Microsoft Excel (.xls), Microsoft Word (.doc), .gif, .jpg, and .avi files.
2. Start Hex Workshop.
3. Open each file by clicking File, Open from the menu, and then print just the first page of each file.
4. On each printout, circle the item that identifies the file type. Do this for all five file types.
5. Exit Hex Workshop.

Hands-On Project 6-4
In this project, you generate a word list based on an in-chapter activity. If you didn’t do the activity in “Examining the Windows Registry,” go back and perform those steps now. This word list could be used later with a password recovery program. When you’re finished, follow these steps:
1. Start AccessData Registry Viewer and open the User.dat file you retrieved from GCFI-Win98.eve earlier in this chapter.
2. Click Report, Export Word List from the menu.
3. In the Generate Word List dialog box, navigate to your work folder, and then click Save.
4. After the word list has been generated, exit Registry Viewer and turn the report file in to your instructor.

Case Projects
Case Project 6-1
For the arson running case project, decide whether you’re going to work from the image or restore it to a drive. Next, determine the file system type, such as FAT32 or NTFS, and investigate whether any files used EFS or another encryption method. Write a short paper on your findings, and if any encryption methods were used, include a discussion of what forensics tools you could use to open those files.
Case Project 6-2
An employee suspects that his password has been compromised.
He changed it two days ago, yet it seems someone has used it again. What might be going on?

Chapter 7
Current Computer Forensics Tools
After reading this chapter and completing the exercises, you will be able to:
• Explain how to evaluate needs for computer forensics tools
• Describe available computer forensics software tools
• List some considerations for computer forensics hardware tools
• Describe methods for validating and testing computer forensics tools

Chapter 3 outlined how to set up a computer forensics laboratory. This chapter explores many software and hardware tools used during computer forensics investigations. No specific tools are recommended; instead, the goal is to explain how to select tools for computing investigations based on specific criteria.
Computer forensics tools are constantly being developed, updated, patched, and revised. Therefore, checking vendors’ Web sites routinely to look for new features and improvements is important. These improvements might address a difficult problem you’re having in an investigation. Before purchasing any forensics tools, consider whether the tool can save you time during investigations and whether that time savings affects the reliability of data you recover.
Many GUI forensics tools are resource intensive and demand computers with more memory and faster processor speeds. Sometimes they require more resources than a typical workstation has because of other applications, such as antivirus programs, running in the background. These background programs compete for resources with a computer forensics program, and a GUI forensics tool or the OS can stop running or hang, causing delays in your investigation.
Finally, when planning purchases for your computer forensics lab, determine what a new forensics tool can do better than one you’re currently using. In particular, assess how well the software performs in validation tests, and then verify the integrity of the tool’s results.
Evaluating Computer Forensics Tool Needs
As described in Chapter 3, you need to develop a business plan to justify the acquisition of computer forensics hardware and software. When researching tools, strive for versatile, flexible, and robust tools that include technical support. The goal is to find the best value for as many features as possible. Some questions to ask when evaluating tools include the following:
• On which OS does the forensics tool run?
• Is the tool versatile? For example, does it work in Windows 98, XP, and Vista and produce the same results in all three OSs?
• Can the tool analyze more than one file system, such as FAT, NTFS, and Ext2fs?
• Can a scripting language be used with the tool to automate repetitive functions and tasks?
• Does the tool have any automated features that can help reduce the time needed to analyze data?
• What is the vendor’s reputation for providing product support?
As you learn more about computing investigations, you’ll have more questions about tools for conducting these investigations. When you search for tools, keep in mind what file types you’ll be analyzing. For example, if you need to analyze Microsoft Access databases, look for a product designed to read these files. If you’re analyzing e-mail messages, look for a forensics tool capable of reading e-mail content.
When you’re selecting tools for your lab, keep an open mind, and compare platforms and applications for different tasks. Although many investigators are most comfortable using Microsoft platforms, you’re encouraged to check into other options, such as Linux and Macintosh platforms.

Types of Computer Forensics Tools
Computer forensics tools are divided into two major categories: hardware and software. Each category has additional subcategories discussed in more depth later in this chapter. The following sections outline basic features required and expected of most computer forensics tools.
Hardware Forensics Tools
Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers. Single-purpose components can be devices such as the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge, which is designed to write-block an IDE drive connected to a SCSI cable. Some examples of complete systems are Digital Intelligence F.R.E.D. systems, DIBS Advanced Forensic Workstations, and Forensic Computers Forensic Examination Stations and portable units. To see photos of these tower and portable units, go to the Forensic Computers Web site at www.forensic-computers.com and do a search.

Software Forensics Tools
Software forensics tools are grouped into command-line applications and GUI applications. Some tools are specialized to perform one task, such as SafeBack, a command-line disk acquisition tool from New Technologies, Inc. (NTI). Other tools are designed to perform many different tasks. For example, Technology Pathways ProDiscover, X-Ways Forensics, Guidance Software EnCase, and AccessData FTK are GUI tools designed to perform most computer forensics acquisition and analysis functions.
Software forensics tools are commonly used to copy data from a suspect’s drive to an image file. Many GUI acquisition tools can read all structures in an image file as though the image were the original drive. Many analysis tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, ILook, and others, have the capability to analyze image files. In Chapter 4, you learned how some of these tools are used to acquire data from suspects’ drives.

Tasks Performed by Computer Forensics Tools
All computer forensics tools, both hardware and software, perform specific functions. These functions are grouped into five major categories, each with subfunctions for further refining data analysis and recovery:
• Acquisition
• Validation and discrimination
• Extraction
• Reconstruction
• Reporting
In the following sections,  you learn how these five functions and associated subfunctions apply to computing investigations.

Acquisition
Acquisition, the first task in computer forensics investigations, is making a copy of the original drive. As described in Chapter 4, this procedure preserves the original drive to make sure it doesn’t become corrupt and damage the digital evidence. In Chapter 5, you learned how to handle digital evidence correctly, and in Chapter 9, you learn more about using acquisition tools. Subfunctions in the acquisition category include the following:
• Physical data copy
• Logical data copy
• Data acquisition format
• Command-line acquisition
• GUI acquisition
• Remote acquisition
• Verification
Some computer forensics software suites, such as AccessData FTK and EnCase, provide separate tools for acquiring an image. However, some investigators opt to use hardware devices, such as the Logicube Talon, VOOM HardCopy 3, or ImageMASSter Solo III Forensic unit from Intelligent Computer Solutions, Inc., for acquiring an image. These hardware devices have their own built-in software for data acquisition. No other device or program is needed to make a duplicate drive; however, you still need forensics software to analyze the data. To see a photo of the Logicube Talon, go to www.logicube.com/products/hd_duplication/talon.asp. To see the ImageMASSter Solo III unit, search at www.icsforensic.com. To see VOOM HardCopy 3, search at www.voomtech.com.
Other acquisition tools require combining hardware devices and software programs to make disk acquisitions. For example, Guidance Software has a DOS program, En.exe, and a function in its Windows application, EnCase, for making data acquisitions.
Making an acquisition with En.exe requires a PC running MS-DOS, a 12-volt hard drive power connector (Molex, SATA, or one specified for the hard drive you’re acquiring), and a data cable, such as an IDE (PATA), a SATA, or a SCSI connector cable. The Windows EnCase application requires a write-blocker device, such as FastBloc, to prevent Windows from accessing and corrupting a suspect drive. Later in “Using a Write-Blocker,” you learn more about these devices. If you use a Linux/UNIX platform for data acquisitions, an EnCase program called LinEn is supported.
Two types of data-copying methods are used in software acquisitions: physical copying of the entire drive and logical copying of a disk partition. Most software acquisition tools include the option of imaging an entire physical drive or just a logical partition. The situation dictates whether you make a physical or logical acquisition. One reason to choose a logical acquisition is drive encryption. With the increasing emphasis on data security, drive encryption is used more commonly now. As mentioned in Chapter 4, making a physical acquisition of a drive with whole disk encryption results in unreadable data unless you also recover the encryption key. With a logical acquisition of the mounted volume, however, you can still read and analyze the files. Of course, this method requires a live acquisition (covered in Chapter 11) because you need to log on to the running system.
Disk acquisition formats vary from raw data to vendor-specific proprietary formats, as you learned in Chapter 4. The raw data format, typically created with the UNIX/Linux dd command, is a simple bit-for-bit copy of a data file, a disk partition, or an entire drive. A raw imaging tool can copy data from one drive to another disk or to segmented files. Because it’s a true unaltered copy, you can view a raw image file’s contents with any hexadecimal editor, such as Hex Workshop or WinHex. Hexadecimal editors, also known as disk editors (such as Norton DiskEdit), provide a hexadecimal view and a plaintext view of the data (see Figure 7-1).
Figure 7-1 Viewing data in a hexadecimal editor
Creating smaller segmented files is a typical feature in vendor acquisition tools. The purpose of segmented files is to make it easier to store acquired data on smaller media, such as CD-Rs or DVD-Rs.
All computer forensics acquisition tools have a method for verification of the data-copying process that compares the original drive with the image. For example, EnCase prompts you to obtain the MD5 hash value of acquired data, FTK validates MD5 and SHA-1 hash sets during data acquisition, and SafeBack runs an SHA-256 hash while acquiring data. Hardware acquisition tools, such as ImageMASSter Solo, can perform simultaneous MD5 and CRC-32 hashing during data acquisition. Whether you choose a software or hardware solution for your acquisition needs, make sure the tool has a hashing function for verification purposes, and record both the hash of the original drive and the hash of the finished image so that the two can be compared. Because practical collisions have been demonstrated for MD5, record a second digest (SHA-1 or SHA-256) as well whenever the tool supports one.

Validation and Discrimination
Two issues in dealing with computer evidence are critical. First is ensuring the integrity of data being copied—the validation process. Second is the discrimination of data, which involves sorting and searching through all investigation data. The process of validating data is what allows discrimination of data. Many forensics software vendors offer three methods for discriminating data values. These are the subfunctions of the validation and discrimination function:
• Hashing
• Filtering
• Analyzing file headers
Validating data is done by obtaining hash values. As a standard feature, most forensics tools and many disk editors have one or more types of data hashing. How data hashing is used depends on the investigation, but using a hashing algorithm on the entire suspect drive and all its files is a good idea.
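What the verification and hashing just described come down to, as an added example that is not from the book or from any vendor’s tool: a raw bit-for-bit copy written to segmented files with MD5 and SHA-1 computed as the bytes pass through, a verification pass that re-hashes the segments, known-file filtering against a hash set standing in for the NSRL sets discussed next, and sector hashing to find a partially overwritten fragment in free space. The “suspect drive”, its files and the known-good set are all constructed inside the script.

```python
"""Acquisition verification and hash-based discrimination.

Added example, not code from the book or from any vendor tool: a raw
bit-for-bit copy written as segmented files with MD5 and SHA-1 computed
during the copy, the verification pass that re-hashes the segments,
known-file filtering against an NSRL-style hash set, and sector hashing
to find a partially overwritten fragment in free space. The "suspect
drive", its files and the known-good set are all constructed here.
"""
import hashlib
import os
import tempfile

SECTOR = 512


def image_to_segments(source: bytes, dest_dir: str, segment_size: int) -> dict:
    """Write source as dest_dir/image.001, image.002, ... hashing the stream as it is copied."""
    md5, sha1, segments = hashlib.md5(), hashlib.sha1(), []
    for n, pos in enumerate(range(0, len(source), segment_size), start=1):
        piece = source[pos:pos + segment_size]
        md5.update(piece)
        sha1.update(piece)
        path = os.path.join(dest_dir, f"image.{n:03d}")
        with open(path, "wb") as fh:
            fh.write(piece)
        segments.append(path)
    return {"segments": segments, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_segments(segments: list, expected: dict) -> bool:
    """Re-hash the segment files in order; both digests must match the acquisition record."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in segments:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(65536), b""):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest() == expected["md5"] and sha1.hexdigest() == expected["sha1"]


def hash_files(files: dict) -> dict:
    """{name: content} -> {name: sha1}; a real tool walks the file system inside the image."""
    return {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}


def filter_known(file_hashes: dict, known_good: set) -> list:
    """Known-file filtering: keep only the files whose hash is not in the known set."""
    return sorted(name for name, h in file_hashes.items() if h not in known_good)


def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """MD5 of each full sector -> its offset; all-zero sectors are skipped (they match anything wiped)."""
    out = {}
    for off in range(0, len(data) - sector + 1, sector):
        chunk = data[off:off + sector]
        if any(chunk):
            out[hashlib.md5(chunk).hexdigest()] = off
    return out


def find_fragments(free_space: bytes, known_file: bytes, sector: int = SECTOR) -> list:
    """(offset in free space, offset in known file) for every sector of known_file found in free_space."""
    wanted = sector_hashes(known_file, sector)
    hits = []
    for off in range(0, len(free_space) - sector + 1, sector):
        chunk = free_space[off:off + sector]
        h = hashlib.md5(chunk).hexdigest()
        if any(chunk) and h in wanted:
            hits.append((off, wanted[h]))
    return hits


def build_sample() -> dict:
    """Constructed drive: three files, then free space holding two sectors of a deleted document."""
    doc = b"An investment in knowledge always pays the best interest.\n" * 30
    files = {"notepad.exe": b"MZ" + bytes(600),
             "C6Prj02.txt": b"Drive thy business or it will drive thee.\n",
             "report.doc": doc}
    known_good = {hashlib.sha1(files["notepad.exe"]).hexdigest()}   # stands in for an NSRL set
    free = bytes(range(256)) * 2 + doc[:1024] + bytes(2048)         # 1 unrelated sector, 2 of doc, rest wiped
    return {"files": files, "known_good": known_good, "free": free, "doc": doc,
            "drive": b"".join(files.values()) + free}


def demo() -> dict:
    s = build_sample()
    with tempfile.TemporaryDirectory() as workdir:
        acq = image_to_segments(s["drive"], workdir, segment_size=1024)
        verified = verify_segments(acq["segments"], acq)
    return {"verified": verified,
            "segment_count": len(acq["segments"]),
            "md5_matches_source": acq["md5"] == hashlib.md5(s["drive"]).hexdigest(),
            "unknown_files": filter_known(hash_files(s["files"]), s["known_good"]),
            "fragments": find_fragments(s["free"], s["doc"])}


if __name__ == "__main__":
    print(demo())
```

verify_segments re-reads the files it wrote rather than trusting the digests computed during the copy; that second pass is the one that catches a bad cable or a failing target disk. find_fragments skips all-zero sectors, because a wiped sector would otherwise match any zero-filled sector of a known file and produce meaningless hits.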
This method produces a fixed-length digest that, for practical purposes, uniquely identifies the data; it is used to make sure the original data hasn’t changed. This value has other potential uses. For example, in the corporate environment, you could create a known good hash value list of a fresh installation of an OS, all applications, and all known good images and documents (spreadsheets, text files, and so on). With this information, an investigator could ignore all files on this known good list and focus on other files on the disk that aren’t on this list. This process is known as filtering. Filtering can also be used to find data for evidence in criminal investigations or to build a case for terminating an employee.
The primary purpose of data discrimination is to separate good data from suspicious data. Good data consists of known files, such as OS files and common programs (Microsoft Word, for example). The National Software Reference Library (NSRL) has compiled a list of known file hashes for a variety of OSs, applications, and images that can be downloaded from www.nsrl.nist.gov/Downloads.htm (see Figure 7-2). You learn more about the NSRL in “Validating and Testing Forensics Software” later in this chapter. Several computer forensics programs can integrate known file hash sets, such as the ones from the NSRL, and compare them to file hashes from a suspect drive to see whether they match. With this process, you can eliminate large amounts of data quickly so that you can focus your evidence analysis. You can also begin building your own hash sets. Note that the NSRL describes its entries as known files, not necessarily benign ones; some of its sets include hacking and steganography tools, so check the application type before filtering a match out of the case.
Figure 7-2 The download page of the National Software Reference Library
Another feature to consider for hashing functions is hashing and comparing sectors of data. This feature is useful for identifying fragments of data in slack and free disk space that might be partially overwritten.
An additional method of discriminating data is analyzing and verifying header values for known file types. Similar to the hash values of known files, many computer forensics programs include a list of common header values. With this information, you can see whether a file extension is incorrect for the file type. Renaming file extensions is a common way to try to hide data, and you could miss pertinent data if you don’t check file headers. For example, in the file header for ForensicData.doc, you see the letters “JFIF” (see Figure 7-3).
Figure 7-3 The file header indicates a .jpeg file
After some practice in viewing file headers, you’ll learn to recognize common header values. In this example, .jpeg files, not .doc files, are known to have “JFIF” in the header: the JFIF marker follows the bytes FF D8 FF E0 that begin every JFIF-format JPEG, whereas a Word .doc file begins with D0 CF 11 E0. Therefore, ForensicData.doc is a .jpeg image, not a .doc file. If you try to view ForensicData.doc in Microsoft Word, you see the error message shown in Figure 7-4.
Figure 7-4 Error message displayed when trying to open a .jpeg file in Word
If you try to open the file with an image viewer, such as Windows Picture and Fax Viewer, you see the image shown in Figure 7-5.
Figure 7-5 ForensicData.doc open in an image viewer
Most forensics tools can identify header values. Searching and comparing file headers rather than file extensions improves the data discrimination function. With this feature, you can locate files that might have been altered intentionally. In Chapters 10 and 12, you see how to use this feature to locate hidden data.

Extraction
The extraction function is the recovery task in a computing investigation and is the most challenging of all tasks to master. In Chapter 2, you learned how system analysis applies to an investigation. Recovering data is the first step in analyzing an investigation’s data.
The following subfunctions of extraction are used in investigations:
• Data viewing
• Keyword searching
• Decompressing
• Carving
• Decrypting
• Bookmarking
Many computer forensics tools include a data-viewing mechanism for digital evidence. How data is viewed depends on the tool. Tools such as ProDiscover, X-Ways Forensics, FTK, EnCase, SMART, ILook, and others offer several ways to view data, including logical drive structures, such as folders and files. These tools also display allocated file data and unallocated disk areas with special file and disk viewers. Being able to view this data in its normal form makes analyzing and collecting clues for the investigation easier.
A common task in computing investigations is searching for and recovering key data facts. Computer forensics programs have functions for searching for keywords of interest to the investigation. Using a keyword search speeds up the analysis process for investigators, if used correctly; however, a poor selection of keywords generates too much information. For example, the name “Ben” is a poor search term because it generates a large number of false-positive hits. To reduce false-positive hits, you need to refine the search scope. One way is to search on combinations of words, in which one word is within so many words of the next. For example, with FTK’s Indexed Search feature (see Figure 7-6), you could search for the word “Ben” within one word of the word “Franklin” by entering “Ben w/1 Franklin” and narrow the search further with the word “Son” as a separate entry in the Search Term text box. With some tools, you can set filters to select the file types to search, such as searching only PDF documents.
Another function in some forensics tools is indexing all words on a drive. X-Ways Forensics and FTK 1.6x and earlier offer this feature, using the binary index (B-tree) search engine from dtSearch. FTK 2.0 also includes indexing but has switched to an Oracle database and takes advantage of this database program’s indexing capabilities. These features make instant lookup for keywords possible, which speeds up analysis.
Figure 7-6 The Indexed Search feature in FTK
Another function to consider for extraction is the format the forensics tool can read. For example, FTK has a built-in function that reads and indexes data from Microsoft .pst and .ost files; EnCase has a third-party add-on that performs indexing and analyzes Microsoft .pst files. In addition, EnCase, X-Ways Forensics, and ProDiscover enable you to create scripts for extracting data, but FTK doesn’t have this feature. Keep in mind that you have to use a combination of tools to retrieve and report on evidence from digital devices accurately.
Part of the investigation process also involves reconstructing fragments of files that have been deleted from a suspect drive. In North America, this reconstruction is referred to as “carving”; in Europe, it’s called “salvaging.” (Carving is covered in more depth in Chapter 10.) Investigators often need to be able to extract data from unallocated disk space. Locating file header information, as mentioned previously in “Validation and Discrimination,” is a reliable method for carving data. Most forensics tools analyze unallocated areas of a drive or an image file and locate fragments or entire file structures that can be carved and copied into a newly reconstructed file. Some investigators prefer carving fragmented data manually with a command-line tool, but advanced GUI tools, such as X-Ways Forensics, EnCase, FTK, and ProDiscover, with built-in functions for carving are used more commonly now. For example, Figure 7-7 shows an option in FTK for adding carved files to a case automatically. Some tools, such as DataLifter and Davory, are specifically designed to carve known data types from exported unallocated disk space.
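The two header-driven techniques on this page, checking a file’s extension against its header (the ForensicData.doc case in “Validation and Discrimination”) and carving files out of unallocated space by header and trailer, as one added example that is not code from the book or from DataLifter, Davory or FTK. The signature table is a short starting point meant to be extended; the JPEG, GIF and compound-document bytes and the “unallocated space” blob are constructed in the script and are valid only as far as their headers and trailers.

```python
"""Identify a file's true type from its header and carve files out of unallocated space.

Added example, not code from the book or from DataLifter, Davory or FTK.
The signature table is a short starting point to extend; the file contents
and the "unallocated space" blob are constructed inline, so the JPEG and
GIF are only valid as far as their headers and trailers.
"""
import os

# (leading bytes, type name, extensions that legitimately carry this header)
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt", ".msg"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),      # a JFIF or Exif marker segment follows
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"RIFF", "riff", {".avi", ".wav"}),                 # form type at bytes 8-11 says which
]


def identify(data: bytes) -> tuple:
    """Return (type name, allowed extensions) for the header, or ('unknown', set())."""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            if kind == "riff":
                form = data[8:12]
                if form == b"AVI ":
                    return "avi", {".avi"}
                if form == b"WAVE":
                    return "wav", {".wav"}
            return kind, exts
    return "unknown", set()


def extension_mismatch(name: str, data: bytes) -> tuple:
    """(true type, True if the file's extension does not belong to that type)."""
    kind, exts = identify(data)
    ext = os.path.splitext(name)[1].lower()
    return kind, kind != "unknown" and ext not in exts


# Header/trailer pairs for carving: the first trailer after a header ends the file,
# bounded by a maximum size so a missing trailer cannot swallow the whole image.
CARVE_RULES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00;", 4 * 1024 * 1024),
]


def carve(blob: bytes, rules=CARVE_RULES, align: int = 1) -> list:
    """[(type, offset, bytes)] for every header found at an offset that is a multiple of align.
    Caveat: a JPEG with an embedded Exif thumbnail contains an inner FF D9, so a plain
    header/trailer carver stops early on such files and recovers only the thumbnail."""
    found = []
    for kind, header, trailer, max_len in rules:
        pos = blob.find(header)
        while pos != -1:
            if pos % align == 0:
                end = blob.find(trailer, pos + len(header), pos + max_len)
                if end != -1:
                    found.append((kind, pos, blob[pos:end + len(trailer)]))
            pos = blob.find(header, pos + 1)
    return sorted(found, key=lambda f: f[1])


# Constructed sample data (headers and trailers only; not real images).
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(1, 200)) + b"\xff\xd9"
FAKE_GIF = b"GIF89a" + bytes([16, 0, 16, 0, 0x80, 0, 0]) + bytes(range(32)) + b"\x00;"
OLE2_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504)
# Free space: an empty sector, the JPEG, padding to the next sector, the GIF, more zeros.
UNALLOCATED = bytes(512) + FAKE_JPEG + bytes(512 - len(FAKE_JPEG) % 512) + FAKE_GIF + bytes(300)


def demo() -> dict:
    return {"ForensicData.doc": extension_mismatch("ForensicData.doc", FAKE_JPEG),
            "Mywordnew.doc": extension_mismatch("Mywordnew.doc", OLE2_DOC),
            "carved": [(kind, off, len(data)) for kind, off, data in carve(UNALLOCATED, align=512)]}


if __name__ == "__main__":
    print(demo())
```

Files normally start on a cluster boundary, so carving with align set to the cluster size cuts down false hits from header-like byte runs inside other data; use align=1 only when you suspect data embedded in the middle of another file. The compound-document header carries no trailer, which is why OLE2 appears in the identification table but not in the carving rules: carving those requires reading the sector chain inside the file instead.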
DataLifter includes a customization feature that enables you to add other header values.
Figure 7-7 Data-carving options in FTK
A major challenge in computing investigations is analyzing, recovering, and decrypting data from encrypted files or systems. Encryption can be used on a drive, disk partition, or file. Many e-mail clients, such as Microsoft Outlook, can password-protect or encrypt .pst folders and messages. The types of encryption range from platform specific, such as Windows Encrypting File System (EFS), to third-party products, such as Pretty Good Privacy (PGP) and GnuPG. From an investigation perspective, encrypted files and systems are a problem.
Many password recovery tools have a feature for generating potential password lists for a password dictionary attack. FTK, for example, produces a list of candidate passwords for an encrypted file from the strings found on the suspect drive; the password could have been written to a temporary file or system file, such as Pagefile.sys. FTK’s generated password list can be loaded into the AccessData Password Recovery Toolkit (PRTK) dictionary, and PRTK runs the password list against the encrypted file. If no entry in the list matches the password’s hash, it falls back to a brute-force attack on the encrypted file. AccessData has also created an advanced password-cracking software suite called Distributed Network Attack (DNA) that allows multiple machines to attempt cracking a password. AccessData DNA can also take advantage of AccessData Rainbow Tables, which are precomputed tables that map password hashes back to the plaintext passwords that produced them.
After locating the evidence, the next task is to bookmark it so that you can refer to it later when needed. Many forensics tools use bookmarks to insert digital evidence into a report generator, which produces a technical report in HTML or RTF format of the examination’s findings. When the report generator is launched, bookmarks are loaded into the report.
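The dictionary-then-brute-force sequence described above, as an added example that is not PRTK or DNA and uses no real container format: the “encrypted file” is stood in for by a PBKDF2-HMAC-SHA256 password verifier constructed in the script, the word list is harvested from text the way Registry Viewer’s Export Word List (Hands-On Project 6-4) harvests strings from a drive, and brute force runs only when every dictionary candidate fails. Iteration count, salt and the sample text are all assumptions made for the example.

```python
"""Dictionary attack with a brute-force fallback.

Added example, not AccessData's PRTK or DNA and not their file formats.
The encrypted file is stood in for by a PBKDF2-HMAC-SHA256 password
verifier constructed here (real containers use their own KDFs and
verifier layouts); the word list is built from text the way a tool such
as Registry Viewer's Export Word List harvests strings from a drive.
"""
import hashlib
import hmac
import itertools
import re
import string

ITERATIONS = 1000                      # kept low for the demo; real KDFs use far more
SALT = b"constructed-salt"             # assumption: a fixed salt stored with the verifier


def make_verifier(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check(candidate: str, verifier: bytes, salt: bytes = SALT, iterations: int = ITERATIONS) -> bool:
    return hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier)


def word_list_from_text(text: str, min_len: int = 4) -> list:
    """Distinct alphanumeric tokens in first-seen order, as a harvested word list."""
    seen, words = set(), []
    for tok in re.findall(r"[A-Za-z0-9]+", text):
        if len(tok) >= min_len and tok not in seen:
            seen.add(tok)
            words.append(tok)
    return words


def mangle(word: str):
    """Common variants of one dictionary word, each yielded once."""
    seen = set()
    for cand in (word, word.lower(), word.capitalize(), word + "1", word + "!"):
        if cand not in seen:
            seen.add(cand)
            yield cand


def dictionary_attack(words: list, verifier: bytes) -> tuple:
    """(password or None, candidates tried)."""
    tried = 0
    for word in words:
        for cand in mangle(word):
            tried += 1
            if check(cand, verifier):
                return cand, tried
    return None, tried


def brute_force(verifier: bytes, charset: str = string.digits, max_len: int = 3) -> tuple:
    """Exhaustive search, shortest candidates first; (password or None, candidates tried)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            tried += 1
            cand = "".join(combo)
            if check(cand, verifier):
                return cand, tried
    return None, tried


def recover(words: list, verifier: bytes, charset: str = string.digits, max_len: int = 3) -> tuple:
    """Try the harvested list first; fall back to brute force only if every entry fails."""
    cand, tried = dictionary_attack(words, verifier)
    if cand is None:
        cand, more = brute_force(verifier, charset, max_len)
        tried += more
    return cand, tried


# Constructed inputs: text "from the suspect drive" and two verifiers to attack.
SAMPLE_TEXT = "A countryman between two lawyers is like a fish between two cats. Ben Franklin"
WORDS = word_list_from_text(SAMPLE_TEXT)
VERIFIER_WORD = make_verifier("Franklin1")   # derived from something present on the drive
VERIFIER_PIN = make_verifier("742")          # not on the drive; only brute force finds it

if __name__ == "__main__":
    print(recover(WORDS, VERIFIER_WORD))
    print(recover(WORDS, VERIFIER_PIN))
```

The point of the harvested list is the cost difference the two calls show: Franklin1 falls in a few dozen checks because the word came off the drive, while the three-digit PIN costs every dictionary candidate plus most of the digit space. With a realistic iteration count each check takes milliseconds, which is why the brute-force stage is the one that gets distributed across machines.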
Reconstruction
The purpose of having a reconstruction feature in a forensics tool is to re-create a suspect drive to show what happened during a crime or an incident. Another reason for duplicating a suspect drive is to create a copy for other computer investigators, who might need a fully functional copy of the drive so that they can perform their own acquisition, test, and analysis of the evidence. These are the subfunctions of reconstruction:
• Disk-to-disk copy
• Image-to-disk copy
• Partition-to-partition copy
• Image-to-partition copy
There are several ways to re-create an image of a suspect drive. Under ideal circumstances, the best and most reliable method is obtaining the same make and model drive as the suspect drive, as discussed in Chapter 4. If the suspect drive has been manufactured recently, locating an identical drive is fairly easy. However, because computer manufacturers use just-in-time delivery systems for inventory supplies, a drive manufactured three months ago might be out of production and unavailable for sale, which makes locating identical older drives more difficult.
The simplest method of duplicating a drive is using a tool that makes a direct disk-to-disk copy from the suspect drive to the target drive. Many tools can perform this task. One free tool is the UNIX/Linux dd command, but it has a limitation: dd copies sectors without regard to the drive’s geometry, so the target drive must be at least as large as the original (suspect) drive, and if you intend to boot or run the copy, a target whose BIOS-reported cylinder, head, and sector geometry differs from the original’s can leave the copied partition table’s geometry-dependent entries wrong for the new drive. If an identical drive is unavailable, manipulating the target drive’s reported geometry to match the original drive might be possible through your workstation’s BIOS. Be aware, however, that the target drive’s firmware might prevent this technique from working correctly. To address the problem of matching a suspect drive, several vendors have developed tools that can force a geometry change from a suspect drive to a target drive. For most forensics disk duplication tools, the target drive must be equal in size to or larger than the suspect drive.
For a disk-to-disk copy, both hardware and software duplicators are available; hardware duplicators are the fastest way to copy data from one disk to another. Hardware duplicators, such as Logicube Talon, Logicube Forensic MD5, and ImageMASSter Solo III Forensics Hard Drive Duplicator, adjust the target drive’s geometry to match the suspect drive’s cylinders, sectors, and tracks. Software duplicators, although slower than hardware duplicators, include SnapBack, SafeBack, EnCase, and X-Ways Forensics.
For image-to-disk and image-to-partition copies, many more tools are available, but they are considerably slower in transferring data. The following are some tools that perform an image-to-disk copy:
• SafeBack
• SnapBack
• EnCase
• FTK Imager
• ProDiscover
• X-Ways Forensics
The proprietary image formats these tools produce can generally be restored only by the application that created them. For example, a ProDiscover image (.eve format) can be restored only by using ProDiscover.
When you must demonstrate in court how criminal activity was carried out on a suspect’s computer, you need a product that shadows the suspect drive. This shadowing technique requires a hardware device such as Voom Technologies Shadow Drive. This device connects the suspect drive to a read-only IDE port and another drive to a read-write port. The read-write port drive is referred to as a “shadow drive.” When the Voom device with drives is connected to a computer, you can access and run applications on the suspect drive. All data that would normally be written to the suspect drive is redirected to the shadow drive. This tool saves time and helps solve problems you might encounter when trying to make a working duplicate of a suspect drive.

Reporting
To complete a forensics disk analysis and examination, you need to create a report.
Before Windows forensics tools were available, this process required copying data from a suspect drive and extracting the digital evidence manually. The investigator then copied the evidence to a separate program, such as a word processor, to create a report. File data that couldn’t be read in a word processor (databases, spreadsheets, and graphics, for example) made it difficult to insert nonprintable characters, such as binary data, into a report. Typically, these reports weren’t stored electronically because investigators had to collect printouts from several different applications to consolidate everything into one large paper report. Newer Windows forensics tools can produce electronic reports in a variety of formats, such as word processing documents, HTML Web pages, or Acrobat PDF files. These are the subfunctions of the reporting function:
• Log reports
• Report generator
As part of the validation process, often you need to document the steps you took to acquire data from a suspect drive. Many forensics tools, such as FTK, ILook, and X-Ways Forensics, can produce a log report that records activities the investigator performed. Then a built-in report generator is used to create a report in a variety of formats. The following tools are some that offer report generators displaying bookmarked evidence:
• EnCase
• FTK
• ILook
• X-Ways Forensics
• ProDiscover
The log report can be added to your final report as additional documentation of the steps you took during the examination, which can be useful if repeating the examination is necessary. For a case that requires peer review, log reports confirm what activities were performed and what results were found in the original analysis and examination.

Tool Comparisons
To help determine which computer forensics tool to purchase, a comparison table of functions, subfunctions, and vendor products is useful.
Cross-referencing functions and subfunctions with vendor products makes it easier to identify the computer forensics tool that best meets your needs. Table 7-1 is an example of how to compare forensics vendors’ tools. Your needs might differ from the functions and subfunctions listed in this table. When developing your own table, add other functions and subfunctions you think are necessary to determine which tools you should acquire for an investigation.

Table 7-1 Comparison of forensics tool functions

Products compared (columns): ProDiscover Basic, ProDiscover Investigator, AccessData Ultimate Toolkit, Guidance Software EnCase.

Functions and subfunctions compared (rows; the per-product check marks are not reproduced here, except where noted):

• Acquisition: physical data copy (all four products); logical data copy (all four products); data acquisition formats; command-line process; GUI process; remote acquisition*; verification
• Validation and discrimination: hashing**; filtering; analyzing file headers
• Extraction: data viewing***; keyword searching; decompressing; carving; decrypting; bookmarking
• Reconstruction: disk-to-disk copy; image-to-disk copy; partition-to-partition copy; image-to-partition copy
• Reporting: log reports; report generator
• Automation features: scripting language

*Must purchase EnCase Enterprise Edition for this feature.
**Both MD5 and SHA-1 hashing are available.
***Supported file formats vary.

Other Considerations for Tools

As part of the business planning for your lab, you should determine which tools offer the most flexibility, reliability, and future expandability. The software tools you select should be compatible with the next generation of OSs. For example, while Windows Vista was in development, Microsoft planned a new storage subsystem, WinFS, that forensics tools would have had to support; it was dropped before release and Vista shipped on NTFS, but the episode shows why you must track file system changes before they reach your lab.
As an investigator, it’s your responsibility to find information on changes in new hardware or software releases and changes planned for the next release. Because OS vendors don’t always supply adequate information about future file system upgrades, you must research and prepare for these changes and develop resources for finding new specifications if the vendor fails to provide them. For example, when NTFS was introduced with Windows NT, forensics software vendors revised their products for this new file system, but addressing the file system changes took some time. Therefore, investigators had to look for alternatives for getting the data they needed, such as consulting Microsoft resource kits for Windows NT.

Another consideration when maintaining a computer forensics lab is creating a software library containing older versions of forensics utilities, OSs, and other programs. When purchasing newer and more versatile tools, you should also ensure that your lab maintains older versions of software and OSs, such as Windows and Linux. If a new software version fixes one bug but introduces another, you can use the previous version to overcome problems caused by the new bug.

Computer Forensics Software Tools

Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence through the command line or in a GUI. The following sections explore some options for command-line and GUI tools in both Windows and UNIX/Linux.

Command-Line Forensics Tools

As mentioned in Chapter 1, computers used several OSs before MS-DOS dominated the market. During this time, computer forensics wasn’t a major concern. After people started using PCs, however, they figured out how to use them for illegal and destructive purposes and to commit crimes and civil infractions. Software developers began releasing computer forensics tools to help private- and public-sector investigators examine PCs.
The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems. One of the first MS-DOS tools used for computer investigations was Norton DiskEdit. This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive. Eventually, programs designed for computer forensics were developed for DOS, Windows, Apple, NetWare, and UNIX systems. Some of these early programs could extract data from slack and free disk space; others were capable only of retrieving deleted files. Current programs are more robust and can search for specific words or characters, import a keyword list to search, calculate hash values, recover deleted items, conduct physical and logical analyses, and more.

One advantage of using command-line tools for an investigation is that they require few system resources because they’re designed to run in minimal configurations. In fact, most tools fit on bootable media (floppy disk, USB drive, CD, or DVD). Conducting an initial inquiry or a complete investigation with bootable media can save time and effort. Most tools also produce a text report small enough to fit on a floppy disk.

Some command-line forensics tools are created specifically for DOS/Windows platforms; others are created for Macintosh and UNIX/Linux. Because there are many different versions of UNIX and Linux, these OSs are often referred to as *nix platforms. In Chapter 4, you were introduced to using some command-line tools in Linux, such as the dd and dcfldd commands. For DOS/Windows platforms, a number of companies, such as NTI, Digital Intelligence, MaresWare, DataLifter, and ByteBack, are well recognized for their work in command-line forensics tools. As software continues to evolve and investigators develop new needs, vendors will address these needs. The tools listed in this chapter are in no way a complete list of tools available for DOS/Windows or *nix platforms.
Some tools that are readily available at the command line are often overlooked. For example, in Windows 2000, XP, and Vista, the dir command with the /q switch shows the owner of each file, which matters when several accounts use the system or network. Try it by following these steps:

1. First, open a command prompt window. In Windows Vista, click Start, type cmd in the Start Search text box, and then press Enter. In Windows XP, click Start, Run, type cmd, and click OK.
2. At the command prompt, type cd \ and press Enter to go to the root directory.
3. Type dir /q > C:\Fileowner.txt and press Enter.
4. In any text editor, open Fileowner.txt to see the results. When you’re finished, exit the text editor and close the command prompt window.

Note that step 3 writes Fileowner.txt onto the drive being listed. Do this on your own workstation; when listing an evidence drive, redirect the output to your own media so you don’t alter the evidence.

UNIX/Linux Forensics Tools

The *nix platforms have long been the primary command-line OSs, but typical end users haven’t used them widely. However, with GUIs now available on *nix platforms, these OSs are becoming more popular with home and corporate end users. This newfound popularity and the staggering number of versions give investigators a challenge: learning the *nix command line and investigating the *nix environment. In Chapter 8, you learn more about several *nix tools for forensics analysis, such as SMART, BackTrack, Autopsy with Sleuth Kit, and Knoppix-STD. This book isn’t geared toward the Linux platform for forensics analysis, but using a Linux tool for the processes described in this book works as well as on a Microsoft platform.

SMART

SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more. You can analyze a variety of file systems with SMART; for a list of file systems or to download an evaluation ISO image for SMART and SMART Linux, go to www.asrdata2.com. SMART includes several plug-in utilities. This modular approach makes it possible to upgrade SMART components easily and quickly.
SMART can also take advantage of multithreading capabilities in OSs and hardware, a feature lacking in other forensics utilities. This tool is one of the few that can mount different file systems, such as journaling file systems, in a read-only format. Another useful option in SMART is the hex viewer. Hex values are color-coded to make it easier to see where a file begins and ends. SMART also offers a reporting feature. Everything you do during your investigation with SMART is logged, so you can select what you want to include in a report, such as bookmarks.

Helix

One of the easiest suites to use is Helix because of its user interface. Although Helix is no longer a free package, you can visit www.e-fense.com to learn more about it. What’s unique about Helix is that you can load it on a live Windows system, and it also loads as a bootable Linux OS from a cold boot. Its Windows component is used for live acquisitions. Be aware, however, that some international courts have not accepted live acquisitions as a valid forensics practice. During corporate investigations, often you need to retrieve RAM and other data, such as the suspect’s user profile, from a workstation or server that can’t be seized or turned off. This data is extracted while the system is running and captured in its state at the time of extraction. Because running the acquisition tool itself changes that state (it occupies memory and may leave traces on disk), keep a journal recording exactly what you ran, when, and from which media. To do a live acquisition, insert the Helix CD into the suspect’s machine. After clicking I ACCEPT in the licensing window, you see the Helix menu shown in Figure 7-8.

Figure 7-8 The Helix menu

BackTrack

BackTrack is another Linux Live CD used by many security professionals and forensics investigators. It includes a variety of tools and has an easy-to-use KDE interface. You can download the ISO image from www.remote-exploit.org/backtrack.html.
Autopsy and Sleuth Kit, discussed next, are included with the BackTrack tools, as are Foremost (covered in Chapter 8), dcfldd, Pasco, MemFetch, and MBoxGrep. You work with some BackTrack tools in Chapter 11.

Autopsy and Sleuth Kit

Sleuth Kit is a collection of command-line forensics tools that runs on Linux and other *nix systems, and Autopsy is the browser-based GUI for accessing them. Chapter 8 explains how to install these tools, but if you’re accessing them from Helix, for example, shut down your Windows computer with the Helix disc in the CD/DVD drive, making sure your system is set to boot from the CD/DVD drive before the hard drive. Then do a hard boot of the computer. In the options that are displayed, select Expert Mode. (This mode is forensically sound in that Helix doesn’t mount the suspect’s drives read-write on its own.) If you’re booting from a laptop, you might have display issues. You can select “scan” to have Helix find the correct settings. (If Helix fails to find these settings, experiment until you find a setting that works.) After the correct display setting is applied, a GUI with a blue background is displayed. If prompted, specify whether to load SCSI modules or additional modules from a floppy disk. On your desktop, you should see what drives have been detected. For example, /mnt/hda1 and /mnt/hda2 might be displayed at the upper left. If you click the Helix button, which is similar to the Start button in Windows, you see the GUI selection. When you select Forensic Tools, the Autopsy option is displayed. From here, you can open an existing case or start a new case. For more information on these tools, visit www.sleuthkit.org.

Knoppix-STD

Knoppix Security Tools Distribution (STD) is a collection of tools for configuring security measures, including computer and network forensics. Knoppix-STD is forensically sound in the sense that booting it doesn’t mount or write to the drives of the system you’re analyzing, as long as you don’t mount those drives read-write yourself. You can download the ISO image at www.knoppix-std.org and create a bootable CD with it.
If you insert this CD while Windows is running, Knoppix-STD displays a window listing the available tools. Although many of the tools have GUI interfaces, some are still command line only. If you right-click each category while booted in Linux, a section called rtfm has a README file for each application. Figure 7-9 shows what you see if you load the Knoppix-STD CD in Windows. You can scroll through this window and see some of the available tools (see Figure 7-10).

Figure 7-9 The Knoppix-STD information window in Windows

Figure 7-10 A list of forensics tools available in Knoppix-STD

Like Helix, Knoppix-STD is a Linux bootable CD. If you shut down Windows and reboot with the Knoppix-STD disc in the CD/DVD drive, your system boots into Linux.

Other GUI Forensics Tools

Several software vendors have introduced forensics tools that work in Windows. Because GUI forensics tools don’t require the same understanding of MS-DOS and file systems as command-line tools, they can simplify computer forensics investigations. These GUI tools have also simplified training for beginning examiners; however, you should continue to learn about and use command-line tools because some GUI tools might miss critical evidence. Most GUI tools are put together as suites of tools. For example, the largest GUI tool vendors (Technology Pathways, AccessData, and Guidance Software) offer tools that perform most of the tasks discussed in this chapter. As with all software, each suite has its strengths and weaknesses. GUI tools have several advantages, such as ease of use, the capability to perform multiple tasks, and no requirement to learn older OSs. Their disadvantages range from excessive resource requirements (needing large amounts of RAM, for example) to inconsistent results caused by the OS they run on, such as differences between 32-bit and 64-bit Windows Vista. Another concern with using GUI tools is that they can make investigators dependent on a single tool.
In some situations, GUI tools don’t work and a command-line tool is required, so investigators must be familiar with more than one type of tool.

Computer Forensics Hardware Tools

This section discusses computer hardware used for forensics investigations. Technology changes rapidly, and for planning purposes you should assume that a heavily used computer component lasts about 18 months before it fails. Hardware is hardware; whether it’s a rack-mounted server or a forensic workstation, eventually it fails. For this reason, you should schedule equipment replacements periodically, ideally every 18 months if you use the hardware full time. Most computer forensics operations use a workstation 24 hours a day for a week or longer between complete shutdowns. You should plan your hardware needs carefully, especially if you have budget limitations. Include the amount of time you expect the forensic workstation to be running, how often you expect hardware failures, consultant and vendor fees to support the hardware, and how often you anticipate replacing forensic workstations. The longer you expect the forensic workstation to be running, the more you need to anticipate physical equipment failure and the expense of replacement equipment.

Forensic Workstations

Many computer vendors offer a wide range of forensic workstations that you can tailor to meet your investigation needs. The more diverse your investigation environment, the more options you need.
In general, forensic workstations can be divided into the following categories:

• Stationary workstation—A tower with several bays and many peripheral devices
• Portable workstation—A laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation
• Lightweight workstation—Usually a laptop computer built into a carrying case with a small selection of peripheral options

When considering options to add to a basic workstation, keep in mind that PCs have limitations on how many peripherals they can handle. The more peripherals you add, the more potential problems you might have, especially if you’re using an older version of Windows. You must learn to balance what you actually need with what your system can handle. If you’re operating a computer forensics lab for a police agency, you need as many options as possible to handle any investigation. If possible, use two or three configurations of PCs to handle diverse investigations. You should also keep a hardware inventory in addition to your software library. In the corporate environment, however, consider streamlining your workstation to meet the needs of only the types of systems used in your business.

Building Your Own Workstation

To decide whether you want to build your own workstation, first ask “How much do I have to spend?” Building a forensic workstation isn’t as difficult as it sounds but can quickly become expensive if you aren’t careful. If you have the time and skill to build your own forensic workstation, you can customize it to your needs and save money, although you might have trouble finding support for problems that develop. For example, peripheral devices might conflict with one another, or components might fail. If you build your own forensic workstation, you should be able to support the hardware. You also need to identify what you intend to analyze.
If you’re analyzing SPARC disks from workstations in a corporate network, for example, you need to include a SPARC drive with a write-protector on your forensic workstation. If you decide that building a forensic workstation is beyond your skills, several vendors offer workstations designed for computer forensics, such as the F.R.E.D. unit from Digital Intelligence or the Dual Xeon Workstation from ForensicPC. Having a vendor-supplied workstation has its advantages. If you aren’t skilled in computer hardware maintenance and repair, having vendor support can save you time and frustration when you have problems. Of course, you can always mix and match components to get the capabilities you need for your forensic workstation. If you don’t have the skills to build and support a PC, you might want to consider taking an A+ certification course.

Using a Write-Blocker

The first item you should consider for a forensic workstation is a write-blocker. Write-blockers protect evidence disks by preventing data from being written to them. Software and hardware write-blockers perform the same function but in a different fashion. Software write-blockers, such as PDBlock from Digital Intelligence, typically run in a shell mode (for example, DOS). PDBlock hooks the BIOS disk service interrupt (INT 13h) so that write requests to the specified drive are intercepted and dropped. If you attempt to write data to the blocked drive, an alarm sounds, advising that no writes have occurred. PDBlock can run only in a true DOS mode, however, not in a Windows MS-DOS shell, because Windows bypasses the BIOS and accesses the disk through its own drivers. With hardware write-blockers, you can connect the evidence drive to your workstation and start the OS as usual. Hardware write-blockers are ideal for GUI forensics tools. They prevent Windows or Linux from writing data to the blocked drive. Hardware write-blockers act as a bridge between the suspect drive and the forensic workstation. In the Windows environment, when a write-blocker is installed on an attached drive, the drive appears as any other attached disk.
You can navigate to the blocked drive with any Windows application, such as Windows Explorer, to view files or use Word to read files. When you copy data to the blocked drive or write updates to a file with Word, Windows shows that the data copy is successful. However, the write-blocker actually discards the written data; in other words, data is written to null. The copy appears to succeed only because Windows serves the “written” data from its cache; when you restart the workstation and examine the blocked drive, you won’t see the data or files you copied to it previously.

Many vendors have developed write-blocking devices that connect to a computer through FireWire, USB 2.0, SATA, and SCSI controllers. Most of these write-blockers enable you to remove and reconnect drives without having to shut down your workstation, which saves time in processing the evidence drive. For more information on write-blocker specifications, visit www.cftt.nist.gov. The following vendors provide write-blocking devices:

• www.digitalintelligence.com
• www.forensicpc.com
• www.guidancesoftware.com
• www.voomtech.com
• www.mykeytech.com
• www.lc-tech.com
• www.logicube.com
• www.forensic-computers.com
• www.wiebetech.com
• www.paraben-forensics.com
• www.usbgear.com/USB-FORENSIC.html

Recommendations for a Forensic Workstation

Before you purchase or build a forensic workstation, determine where your data acquisitions will take place. If you acquire data in the field, consider streamlining the tools you use. With the newer FireWire and USB 2.0 write-blocking devices, you can acquire data easily with Digital Intelligence FireChief and a laptop computer, for example. If you want to reduce the hardware you carry, consider a product such as the WiebeTech Forensic DriveDock with its regular DriveDock FireWire bridge or the Logicube Talon.
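The behaviour described in the write-blocker section (writes acknowledged but never committed, so the drive’s contents are unchanged afterward) is exactly what you should test before trusting a blocker in a case. The script below is an added example, not from the textbook and not any vendor’s tool: it hashes the target, attempts to write a marker at the start, middle, and end, and hashes again. The default device path /dev/sdb and the marker bytes are assumptions; point it at the blocked drive’s device node (on Windows, \\.\PhysicalDriveN from an elevated prompt) or, to see the unprotected result, at an ordinary image file.

```python
"""Check whether a drive behind a write-blocker really discards writes.

Added example, not from the textbook or any vendor: hash the target, attempt
writes at three offsets, hash again. On a correctly blocked drive the two
hashes are identical and `protected` is True, whether the blocker silently
drops the write or the OS refuses to open the device read-write.
"""
import hashlib
import os
import sys

CHUNK = 1 << 20                  # stream 1 MiB at a time through the hash
MARKER = b"WRITE-BLOCK-TEST"     # constructed test pattern (assumption)


def hash_device(path: str, algo: str = "sha256") -> str:
    """Hash the whole device or image file, chunk by chunk."""
    h = hashlib.new(algo)
    with open(path, "rb", buffering=0) as f:
        if hasattr(os, "posix_fadvise"):
            # Ask the kernel to drop cached pages so we read the media rather
            # than a page cache that may still hold a write the blocker dropped.
            try:
                os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
            except OSError:
                pass
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def attempt_writes(path: str, marker: bytes = MARKER) -> list:
    """Try to write `marker` at the start, middle and end of the target.

    Returns the offsets at which the OS reported success. A hardware blocker
    usually reports success and drops the data; a read-only device node or a
    software blocker makes the open or the write fail instead.
    """
    try:
        f = open(path, "r+b", buffering=0)
    except OSError:
        return []  # cannot even open read-write: writes are blocked
    accepted = []
    with f:
        size = f.seek(0, os.SEEK_END)
        for off in sorted({0, size // 2, max(0, size - len(marker))}):
            try:
                f.seek(off)
                f.write(marker)
                os.fsync(f.fileno())  # push past the OS cache to the device
                accepted.append(off)
            except OSError:
                pass
    return accepted


def verify_write_block(path: str) -> dict:
    """Hash, attempt writes, re-hash; `protected` means nothing changed."""
    before = hash_device(path)
    accepted = attempt_writes(path)
    after = hash_device(path)
    return {
        "before": before,
        "after": after,
        "accepted_offsets": accepted,
        "protected": before == after,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/dev/sdb"  # assumed path
    result = verify_write_block(target)
    print("OS accepted writes at offsets:", result["accepted_offsets"])
    print("contents unchanged:", result["protected"])
```

Treat `accepted_offsets` being non-empty while `protected` is True as the normal signature of a hardware blocker: the OS saw a successful write, the media never changed. For a definitive result on a physical drive, disconnect and reconnect the drive (or restart, as the text does) between the write attempt and the second hash, so that the second read cannot be satisfied from cache.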
When choosing a computer as a stationary or lightweight forensic workstation, you want a full tower to allow for expansion devices, such as a 2.5-inch drive converter to analyze a laptop hard drive on a 3.5-inch IDE write-protected drive controller. You want as much memory and processor power as your budget allows and various sizes of hard drives. In addition, consider a 400-watt or better power supply with battery backup, extra power and data cables, a SCSI controller card, external FireWire and USB ports, an assortment of drive adapter bridges to connect SATA to IDE (PATA) drives, an ergonomic keyboard and mouse, and a good video card with at least a 17-inch monitor. If you plan to conduct many investigations, a high-end video card and monitor are recommended. If you have a limited budget, one option for outfitting your lab is to use high-end game PCs from a local computer store. With some minor modifications and additions of hardware components, these systems perform extremely well. As with any technology, what your forensic workstation includes is often a matter of preference. Whatever vendor you choose, make sure the devices you select perform the functions you expect to need as an investigator.

Validating and Testing Forensics Software

Now that you have selected some tools to use, you need to make sure the evidence you recover and analyze can be admitted in court. To do this, you must test and validate your software. The following sections discuss validation tools available at the time of this writing and how to develop your own validation protocols.

Using National Institute of Standards and Technology (NIST) Tools

The National Institute of Standards and Technology publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. Software should be verified to improve evidence admissibility in judicial proceedings.
NIST sponsors the Computer Forensics Tool Testing (CFTT) project to manage research on computer forensics tools. For additional information on this testing project, visit www.cftt.nist.gov. NIST has created criteria for testing computer forensics tools, which are included in the article “General Test Methodology for Computer Forensic Tools” (version 1.9, November 7, 2001), available at www.cftt.nist.gov/testdocs.html. The article addresses the lack of specifications for what forensics tools should do and the importance of tools meeting judicial scrutiny. The criteria are based on standard testing methods and ISO 17025 criteria for testing items that have no current standards. Your lab must meet the following criteria and keep accurate records so that when new software and hardware become available, testing standards are in place for your lab:

• Establish categories for computer forensics tools—Group computer forensics software according to categories, such as forensics tools designed to retrieve and trace e-mail.
• Identify computer forensics category requirements—For each category, describe the technical features or functions a forensics tool must have.
• Develop test assertions—Based on the requirements, create tests that prove or disprove the tool’s capability to meet the requirements.
• Identify test cases—Find or create types of cases to investigate with the forensics tool, and identify information to retrieve from a sample drive or other media. For example, use the image of a closed case file created with a trusted forensics tool to test a new tool in the same category and see whether it produces the same results.
• Establish a test method—Considering the tool’s purpose and design, specify how to test it.
• Report test results—Describe the test results in a report that complies with ISO 17025, which requires accurate, clear, unambiguous, and objective test reports.
Another standards document, ISO 5725, demands accuracy for all aspects of the testing process, so results must be repeatable and reproducible. “Repeatable results” means that if you work in the same lab on the same machine, you generate the same results. “Reproducible results” means that if you’re in a different lab working on a different machine, the tool still retrieves the same information. NIST has also developed several tools for evaluating drive-imaging tools. These tools are posted on the CFTT Web site at www.cftt.nist.gov/disk_imaging.htm.

In addition, NIST created the National Software Reference Library (NSRL) project (www.nsrl.nist.gov) with the goal of collecting all known hash values for commercial software and OS files. The primary hash NSRL uses is SHA-1, which generates a known set of digital signatures called the Reference Data Set (RDS). SHA-1’s 160-bit digest makes an accidental match between two different files far less likely than with MD5 (128 bits) or CRC-32 (32 bits). Note, however, that SHA-1 is no longer collision resistant against a deliberate attacker (practical collisions were demonstrated in 2017), so it remains adequate for matching files against a trusted reference set but should not be relied on to prove that two files an adversary could have crafted are identical; record SHA-256 as well wherever your tools support it. The purpose of collecting known hash values is to reduce the number of known files, such as OS or program files, included in a forensics examination of a drive so that only unknown files are left. You can also use the RDS to locate and identify known bad files, such as illegal images and computer viruses, on a suspect drive.

Using Validation Protocols

After retrieving and examining evidence data with one tool, you should verify your results by performing the same tasks with other similar forensics tools. For example, after you use one forensics tool to retrieve disk data, you use another to see whether you retrieve the same information. Although this step might seem unnecessary, you might be asked on the witness stand “How did you verify your results?” To satisfy the need for verification, you need at least two tools to validate software or hardware upgrades. The tool you use to validate the results should be well tested and documented.
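To make the NSRL paragraph above concrete, here is an added example (not from the textbook, and not NIST’s code) that filters a set of files against a reference data set in the classic NSRLFile.txt column layout. The reference records are constructed from made-up file contents so the script runs offline; a real RDS is the multi-gigabyte download from www.nsrl.nist.gov. The value “M” in the SpecialCode column, used here to flag a known-bad sample, is this example’s own convention and not an NSRL code.

```python
"""Filter files against an NSRL-style Reference Data Set (RDS).

Added example, not from the textbook. Reference lines are built in the
classic NSRLFile.txt layout:
  "SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
The hashes come from constructed file contents so the example is self-contained.
"""
import csv
import hashlib
import io
import os
import zlib

RDS_HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
              '"ProductCode","OpSystemCode","SpecialCode"')
BAD_CODE = "M"   # this example's own marker for "known bad" (assumption)


def rds_line(name, data, product=1, os_code="WIN", special=""):
    """Build one RDS record for constructed content."""
    sha1 = hashlib.sha1(data).hexdigest().upper()
    md5 = hashlib.md5(data).hexdigest().upper()
    crc = f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"
    return f'"{sha1}","{md5}","{crc}","{name}","{len(data)}",{product},"{os_code}","{special}"'


# Constructed reference set: two known-good OS files and one known-bad sample.
SAMPLE_RDS = "\n".join([
    RDS_HEADER,
    rds_line("kernel32.dll", b"\x4d\x5a constructed fake kernel32 image"),
    rds_line("notepad.exe", b"\x4d\x5a constructed fake notepad image"),
    rds_line("dropper.exe", b"\x4d\x5a constructed fake malware sample", special=BAD_CODE),
])


def load_rds(text: str) -> dict:
    """Map SHA-1 (upper-case hex) -> (FileName, SpecialCode).

    Keyed by hash, not name: the same file appears under many product codes
    in a real RDS, and a renamed file still matches on content.
    """
    known = {}
    for row in csv.DictReader(io.StringIO(text)):
        known[row["SHA-1"].upper()] = (row["FileName"], row["SpecialCode"])
    return known


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def classify(files, known: dict) -> dict:
    """Sort (path, bytes) pairs into known-good, known-bad and unknown.

    Only the unknown bucket needs an examiner's attention; known-bad entries
    are reported with the reference name the RDS knows them by.
    """
    out = {"known_good": [], "known_bad": [], "unknown": []}
    for path, data in files:
        hit = known.get(sha1_hex(data))
        if hit is None:
            out["unknown"].append(path)
        elif hit[1] == BAD_CODE:
            out["known_bad"].append((path, hit[0]))
        else:
            out["known_good"].append((path, hit[0]))
    return out


def iter_files(root: str):
    """Yield (path, bytes) for every file under a mounted (read-only) image."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as f:
                yield p, f.read()


if __name__ == "__main__":
    import sys
    known = load_rds(SAMPLE_RDS)
    root = sys.argv[1] if len(sys.argv) > 1 else "."   # assumed mount point
    result = classify(iter_files(root), known)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
```

For a real examination, replace SAMPLE_RDS with the NSRL download (or a hash set exported from your forensics suite) and load only the SHA-1 column into a set to keep memory manageable.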
You perform a tool validation exercise in the Hands-On Projects at the end of this chapter. Investigators must be confident in a tool’s capability to produce consistent and accurate findings during analysis. Understanding how the tool works is equally important, as you might not have vendor support in a courtroom. One way to compare results and verify a new tool is by using a disk editor, such as Hex Workshop or WinHex, to view data on a disk in its raw format. Disk editors typically show files, file headers, file slack, RAM slack, and other data on the physical disk. Although disk editors aren’t known for their flashy interfaces, they are reliable and capable of accessing sectors of the digital evidence to verify your findings. Although a disk editor gives you the most flexibility in testing, it might not be capable of examining a compressed file’s contents, such as a .zip file or an Outlook .pst file. This is another reason that testing and validating your tools’ capabilities are essential. If you decide to use a GUI computer forensics tool, use the recommended steps in the following sections to validate your findings.

Computer Forensics Examination Protocol

1. First, conduct your investigation of the digital evidence with one GUI tool.
2. Then perform the same investigation with a disk editor to verify that the GUI tool is seeing the same digital evidence in the same places on the test or suspect drive’s image.
3. If a file is recovered, obtain the hash value with the GUI tool and the disk editor, and then compare the results to verify whether the file has the same value in both tools.

Many investigators in both the public and private sectors use FTK and EnCase as their “flagship” forensics software suites, but they don’t rely on them solely; investigators’ software libraries often include other forensics utilities to supplement these tools’ capabilities.
Computer Forensics Tool Upgrade Protocol

In addition to verifying your results by using two disk-analysis tools, you should test all new releases and OS patches and upgrades to make sure they’re reliable and don’t corrupt evidence data. New releases and OS upgrades and patches can affect the way your forensics tools perform. If you determine that a patch or upgrade isn’t reliable, don’t use it on your forensic workstation until the problem has been fixed. If you have a problem, such as not being able to read old image files with the new release or the disk editor generating errors after you apply the latest service pack, you can file an error report with the vendor. In most cases, the vendor addresses the problem and provides a new patch, which you should check with another round of validation testing.

One of the best ways to test patches and upgrades is to build a test hard disk that stores data in the unused space allocated to a file, also known as file slack. You can then use a forensics tool to retrieve it. If you can retrieve the data with that tool and verify your findings with a second tool, you know the tool is reliable. As computer forensics tools continue to evolve, you should check the Web for new editions, updates, patches, and validation tests for your tools. Always validate what the hardware or software tool is doing as opposed to what it’s supposed to be doing. Be confident and knowledgeable about the capabilities of your forensics toolbox. Remember to test and document why a tool does or doesn’t work the way it’s supposed to.

Chapter Summary

■ Consult your business plan to get the best hardware and software solution for your computer investigation needs.
■ The five functions required for computer forensics tools are acquisition, validation and discrimination, extraction, reconstruction, and reporting.
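The examination protocol (steps 1 to 3 above) and the slack-space test disk described in the upgrade protocol both come down to reading the same bytes by two independent routes and comparing hashes. The following is an added example, not from the textbook: it builds a small raw image with a made-up directory table, plants a marker in the file slack of a file’s last cluster, recovers the file once through the directory entry (the “GUI tool” view) and once by raw sector offset (the “disk editor” view), compares the SHA-1 from both, and then carves the slack. The sector size, cluster size, and directory layout are assumptions; a real file system needs a real parser such as Sleuth Kit.

```python
"""Two-route recovery and file-slack test on a constructed raw image.

Added example, not from the textbook. The image layout is invented for the
demonstration: cluster 0 is reserved, every file starts on a cluster boundary,
and `directory` maps name -> (first cluster, logical size) the way a real
file system's directory entries would.
"""
import hashlib

SECTOR = 512            # assumed sector size
CLUSTER = 8 * SECTOR    # assumed cluster size (4096 bytes)


def clusters_for(size: int) -> int:
    """Clusters allocated to a file; an empty file still owns one."""
    return max(1, -(-size // CLUSTER))


def build_test_image(files, slack_marker: bytes):
    """Lay out `files` (name, content) back to back and plant `slack_marker`
    just past each file's logical end, inside its last cluster (file slack)."""
    directory = {}
    chunks = [bytes(CLUSTER)]        # cluster 0: placeholder boot/directory area
    next_cluster = 1
    for name, content in files:
        alloc = bytearray(clusters_for(len(content)) * CLUSTER)
        alloc[:len(content)] = content
        tail = len(content) % CLUSTER      # bytes used in the last cluster
        if tail and tail + len(slack_marker) <= CLUSTER:
            alloc[tail:tail + len(slack_marker)] = slack_marker
        directory[name] = (next_cluster, len(content))
        chunks.append(bytes(alloc))
        next_cluster += clusters_for(len(content))
    return b"".join(chunks), directory


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def logical_read(image: bytes, directory: dict, name: str) -> bytes:
    """Route 1: follow the directory entry, as a GUI tool would."""
    start, size = directory[name]
    return image[start * CLUSTER:start * CLUSTER + size]


def raw_sector_read(image: bytes, first_sector: int, n_sectors: int) -> bytes:
    """Route 2: read whole sectors by number, as a disk editor would."""
    off = first_sector * SECTOR
    return image[off:off + n_sectors * SECTOR]


def disk_editor_read(image: bytes, directory: dict, name: str) -> bytes:
    """Recover the file from raw sectors and trim to its logical size."""
    start, size = directory[name]
    first_sector = start * CLUSTER // SECTOR
    n_sectors = -(-size // SECTOR)
    return raw_sector_read(image, first_sector, n_sectors)[:size]


def cross_validate(image: bytes, directory: dict, name: str):
    """Step 3 of the protocol: hash the file from both routes and compare."""
    a = sha1(logical_read(image, directory, name))
    b = sha1(disk_editor_read(image, directory, name))
    return a == b, a, b


def file_slack(image: bytes, directory: dict, name: str) -> bytes:
    """Bytes between logical EOF and the end of the file's last cluster."""
    start, size = directory[name]
    end = start * CLUSTER + size
    cluster_end = start * CLUSTER + clusters_for(size) * CLUSTER
    return image[end:cluster_end]


def find_in_slack(image: bytes, directory: dict, name: str, needle: bytes) -> int:
    """Offset of `needle` within the file's slack, or -1 if absent."""
    return file_slack(image, directory, name).find(needle)


if __name__ == "__main__":
    img, d = build_test_image(
        [("memo.txt", b"Q3 numbers" * 100), ("big.bin", b"B" * 8192)],
        b"SECRET-PLANTED-IN-SLACK")
    ok, h1, h2 = cross_validate(img, d, "memo.txt")
    print("both routes agree:", ok, h1)
    print("slack marker offset:", find_in_slack(img, d, "memo.txt", b"SECRET"))
```

Write the image to disk with `open("test.dd", "wb").write(img)` and you have a test disk of the kind the upgrade protocol calls for: a tool under test should recover memo.txt with the same SHA-1 that `cross_validate` reports and should find the planted marker in its slack, while reporting no slack at all for big.bin, whose size is an exact multiple of the cluster size.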
■ For your computer forensics lab, you should create a software library for older versions of forensics utilities, OSs, and applications, and maintain older versions of software you have used and retired, such as previous versions of Windows and Linux.
■ Some computer forensics tools run in a command-line interface, including those that can find file slack and free space, recover data, and search by keyword. They are designed to run in minimal configurations and can fit on a bootable disk.
■ Hardware required for computer forensics includes workstations and devices, such as write-blockers, to prevent contamination of evidence. Before you purchase or build a forensic workstation, consider where you acquire data, which determines the hardware configuration you need.
■ Tools that run in Windows and other GUI environments don’t require the same level of computing expertise as command-line tools and can simplify training and investigations.
■ Before upgrading to a new version of a computer forensics tool, run a validation test on the new version. The National Institute of Standards and Technology has standard guidelines for verifying forensics tools.

Key Terms

acquisition The process of creating a duplicate image of data; one of the five required functions of computer forensics tools.
brute-force attack The process of trying every combination of characters—letters, numbers, and special characters typically found on a keyboard—to find a matching password or passphrase value for an encrypted file.
Computer Forensics Tool Testing (CFTT) A project sponsored by the National Institute of Standards and Technology to manage research on computer forensics tools.
discrimination The process of sorting and searching through investigation data to separate known good data from suspicious data; along with validation, one of the five required functions of computer forensics tools.
extraction - The process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the five required functions of computer forensics tools.
keyword search - A method of finding files or other information by entering relevant characters, words, or phrases in a search tool.
National Software Reference Library (NSRL) - A NIST project with the goal of collecting all known hash values for commercial software and OS files.
password dictionary attack - An attack that uses a collection of words or phrases that might be passwords for an encrypted file. Password recovery programs can use a password dictionary to compare potential passwords to an encrypted file’s password or passphrase hash values.
reconstruction - The process of rebuilding data files; one of the five required functions of computer forensics tools.
validation - The process of checking the accuracy of results; along with discrimination, one of the five required functions of computer forensics tools.
write-blocker - A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers typically alter interrupt 13 write functions to a drive in a PC’s BIOS. Hardware write-blockers are usually bridging devices between a drive and the forensic workstation.

Review Questions

1. What are the five required functions for computer forensics tools?
2. A disk partition can be copied only with a command-line acquisition tool. True or False?
3. What two data-copying methods are used in software data acquisitions?
   a. Remote and local
   b. Local and logical
   c. Logical and physical
   d. Physical and compact
4. During a remote acquisition of a suspect drive, RAM data is lost. True or False?
5. Hashing, filtering, and file header analysis make up which function of computer forensics tools?
   a. Validation and discrimination
   b. Acquisition
   c. Extraction
   d. Reporting
6. Sleuth Kit is used to access Autopsy’s tools. True or False?
7. When considering new forensics software, you should do which of the following?
   a. Uninstall other forensics software.
   b. Reinstall the OS.
   c. Test and validate the software.
   d. None of the above.
8. What are the subfunctions of the extraction function?
9. Data can’t be written to the disk with a command-line tool. True or False?
10. Hash values are used for which of the following purposes? (Choose all that apply.)
   a. Determining file size
   b. Filtering known good files from potentially suspicious data
   c. Reconstructing file fragments
   d. Validating that the original data hasn’t changed
11. What’s the name of the NIST project established to collect all known hash values for commercial software and OS files?
12. Many of the newer GUI tools use a lot of system resources. True or False?
13. Building a forensic workstation is more expensive than purchasing one. True or False?
14. A live acquisition is considered an accepted forensics practice. True or False?
15. Which of the following is true of most drive-imaging tools? (Choose all that apply.)
   a. They perform the same function as a backup.
   b. They ensure that the original drive doesn’t become corrupt and damage the digital evidence.
   c. They create a copy of the original drive.
   d. They must be run from the command line.
16. The standards for testing forensics tools are based on which criteria?
   a. U.S. Title 18
   b. ISO 5725
   c. ISO 17025
   d. All of the above
17. Which of the following tools can examine files created by WinZip?
   a. FTK
   b. Hex Workshop
   c. Registry Viewer
   d. SMART
18. List four subfunctions of reconstructing drives.
19. When validating the results of a forensics analysis, you should do which of the following?
   a. Calculate the hash value with two different tools.
   b. Use a different tool to compare the results of evidence you find.
   c. Repeat the steps used to obtain the digital evidence, using the same tool, and recalculate the hash value to verify the results.
   d. Do both a and b.
   e. Do both b and c.
   f. Do both a and c.
   g. Do none of the above.
20. NIST testing procedures are valid only for government agencies. True or False?

Hands-On Projects

If necessary, extract all data files in the Chap07\Projects folder on the book’s DVD to the Work\Chap07\Projects folder on your system. (If necessary, create this folder on your system before starting the projects; it’s referred to as “your work folder” in steps.)

Hands-On Project 7-1

In this project, you create and delete files on a USB drive (or small disk partition, if you don’t have a USB drive), and then use AccessData FTK to analyze the drive. In Hands-On Project 7-2, you use SecureClean to erase this drive to make sure it contains no data. To download and install SecureClean, follow these steps:

1. Start your Web browser and go to www.whitecanyon.com/secureclean.php.
2. Click the Try Demo link, scroll down if necessary, and click the Download Demo link for SecureClean. Save the Secureclean.exe download file in your work folder.
3. Exit your Web browser, closing any download dialog boxes, if necessary.
4. Start Windows Explorer or My Computer, navigate to your work folder, and then double-click Secureclean.exe.
5. In the first installation window, click Next. Click Yes to accept the license agreement, and then click Next to accept the default destination folder. Click Next to accept the default location for program files, and then click Next to accept the default Start menu folder. Finally, click Finish to complete the installation.
6. In the “What would you like to try first” dialog box, click Cancel to exit SecureClean. Then close any open windows.

Next, you use Microsoft Word and Excel to create and delete files and use FTK to analyze the drive. Follow these steps:

1. Create a C7Prj01 folder on your USB drive or disk partition.
2. Start a new document in Word and type This is to test deleting files and then wiping them. Save the file in the C7Prj01 folder as Test7-1.doc.
Exit Word.
3. Start a new workbook in Excel. Type a few numbers, and then save the workbook in the C7Prj01 folder on your USB or disk drive as Test7-2.xls. Exit Excel.
4. Use Windows Explorer or My Computer to delete both files from the USB or disk drive.
5. Start AccessData FTK, and start a new case. Type your name for the investigator’s name, enter C7Prj01 for the case number and case name, and enter your work folder as the case path. Click Next until you reach the Add Evidence dialog box.
6. Click the Add Evidence button, click the Local Drive option button, and then click Continue.
7. In the Select Local Drive dialog box, make sure the USB or disk drive and Logical Analysis are selected, and then click OK.
8. Read the message in the warning box, and then click Yes to continue adding evidence.
9. In the Evidence Information dialog box, click to select your time zone, and then click OK. Click Next, and then click Finish. FTK processes the data on the USB or disk drive.
10. Click the Deleted Files button in the Overview tab to display the files deleted from the USB or disk drive (the two test files you created and deleted). The FTK window might also display temporary files that were created.
11. Click any file in the lower pane to view its contents in the upper-right pane.
12. Close all open windows, and exit FTK. If prompted to back up the case, click No.

Hands-On Project 7-2

Now you’re ready to use SecureClean to remove all traces of data from your USB or disk drive. Follow these steps:

1. Create a C7Prj02 folder on your USB or disk drive.
2. To start SecureClean, click Start, point to All Programs, point to WhiteCanyon, point to SecureClean 4, and click Clean My Computer.
3. If you see the Protected Recycle Bin warning message, click OK to continue.
4. In the SecureClean window, click the Try It Free button. If you see a notice about checking for online updates, click No, and then click Continue.
5. In the Drive List section, click to clear the check boxes, if necessary, and then click the check box corresponding to your USB or disk drive. Make sure SecureClean is the only open window, and then click Deep Clean.
6. When you see a message about checking the drive for errors, click OK to continue.
7. Click the Start Clean Now button.
8. In the warning message stating that the data can no longer be recovered, click OK to continue. When SecureClean finishes cleaning the drive, click OK to exit the program.
9. Start AccessData FTK, and start a new case. Type your name for the investigator’s name, enter C7Prj02 for the case number and case name, and enter your work folder as the case path. Click Next until you reach the Add Evidence dialog box.
10. Click the Add Evidence button, click the Local Drive option button, and then click Continue. The Select Local Drive dialog box opens.
11. Make sure the USB or disk drive and Logical Analysis are selected, and then click OK. If you see a warning message about using live evidence, click Yes to continue.
12. In the Evidence Information dialog box, click to select your time zone, and then click OK to accept the default settings. Click Next, and then click Finish.
13. In the Overview tab, click the Unknown Type button, click the F*S0001T*P file, and note that it contains no data. The FTK window shows only the root folder, slack/free space, and perhaps an unknown file type. Click the Unknown Type button again, if necessary, to see the contents of slack space. If you used SecureClean without deleting any files on the drive, the FTK window shows filenames with hexadecimal values of all 0s. If a SecureClean document appears in the FTK window, the contents are reported as “Nothing to view, document is empty.” In the Slack/Free Space area, the Disk Free, FAT1, and FAT2 columns show 0s, indicating that the drive contains no data.
14. Exit FTK, clicking No if prompted to back up the case.
Hands-On Project 7-3

In this project, you create a test drive by planting evidence in the file slack space on a USB drive or small disk partition. Then you use FTK and Hex Workshop (which you downloaded in a previous chapter from www.hexworkshop.com) to verify that the drive contains evidence. Follow these steps:

1. First, you format the drive in Windows Explorer. Right-click the drive icon and click Format, click to clear the Quick Format check box, if necessary, and then click Start. If you see a warning message, click OK to continue. You can also use SecureClean as described in Hands-On Project 7-2 to wipe the drive. When you’re finished, exit Windows Explorer or SecureClean.
2. Create a C7Prj03 folder on the USB or disk drive. Warning: This drive should contain only data you no longer need.
3. Start a new document in Word and type Testing for string Namibia. Save the file in the C7Prj03 folder as C7Prj03a.doc.
4. Close the file, start a new Word document, and type Testing for string XYZX. Save the file in the C7Prj03 folder as C7Prj03b.doc. Exit Word.

Next, you use Hex Workshop to hide information in file slack space:

1. Start Hex Workshop. On a sheet of paper, create a chart with two columns. Label the columns Item and Sector.
2. In Hex Workshop, click Disk, Open Drive from the menu. Make sure the USB or disk drive is selected, and then click OK.
3. Click File, Open from the menu. Navigate to and double-click C7Prj03a.doc. Scroll down until you see “Testing for string Namibia.”
4. Click the tab corresponding to your USB or disk drive, and then click at the beginning of the right column. Click Edit, Find from the menu. In the Find dialog box, make sure Text String is selected in the Type list box. Type Namibia in the Value text box, click the Either option button, and then click OK. (If Hex Workshop doesn’t find “Namibia” the first time, repeat this step.)
5. In the Item column on your chart, write C7Prj03a.doc. In the Sector column, write the sector number containing the search text, as shown on the Hex Workshop title bar.
6. Scroll to the bottom of the sector, if necessary. Type Murder She Wrote near the end of the sector in the right pane, and then click the Save toolbar button. (Note: If you’re asked to enable Insert mode, click OK, press Insert, click to select the Disable notification message check box, and click OK, if necessary.)
7. Click the C7Prj03a.doc tab. Click Edit, Find from the menu, type Murder in the Value text box, and then click OK. Hex Workshop can’t find this text in C7Prj03a.doc. Click Edit, Find from the menu, and then click OK to verify that Hex Workshop doesn’t find “Murder” in the document. Close the file by clicking the lower Close button in the upper-right corner.
8. Click File, Open from the menu. Navigate to and double-click C7Prj03b.doc. Scroll down, if needed, until you see the “Testing for string XYZX” text you entered earlier. (Hint: You might need to use the Find command more than once to find this text.)
9. Click the tab for your USB or disk drive, if necessary, and then click at the beginning of the right column. Click Edit, Find from the menu, type XYZX as the value you want to find, and then click OK. On your chart, write C7Prj03b.doc as the filename in the Item column, and in the Sector column, note the sector number containing the search text, as shown on the Hex Workshop title bar.
10. In the tab for your USB or disk drive, type I Spy near the end of the sector in the right pane, in the slack space, and then click the Save toolbar button.
11. Verify that “I Spy” doesn’t appear as part of the file by clicking the C7Prj03b.doc tab and searching for this string twice.
12. Close the C7Prj03b.doc file, and exit Hex Workshop. In a forensics lab, you would generate the drive’s MD5 hash value with a tool such as md5sum, and generate a copy with a tool such as FTK Imager.
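The slack-space test disk recommended in the tool upgrade protocol, and built by hand in Hands-On Project 7-3, as an added Python example (not code from the book): it plants a marker in a file's slack on a constructed raw volume and then checks the result the way two independent tools would, once through the logical file view and once through a physical sector search. The 512-byte sector, the two-sector allocation unit, the in-memory directory in place of a real file system catalog, and the padded stand-ins for the .doc files are all assumptions.

```python
"""Constructed slack-space test volume (added example, not from the book).
Assumes 512-byte sectors, 1,024-byte allocation units (two sectors) and a
Python dict in place of a real file system's directory."""
import math

SECTOR = 512            # logical block size (assumption)
ALLOC = 2 * SECTOR      # allocation unit: two logical blocks (assumption)


def units_for(size):
    """Allocation units a file of `size` bytes occupies (at least one)."""
    return max(1, math.ceil(size / ALLOC))


def make_test_volume(files, n_alloc=8):
    """Zero-filled volume (as after a full format, not a quick format); each
    file's logical content goes into consecutive allocation units.
    Returns the volume and a directory {name: (start_unit, logical_size)}."""
    volume = bytearray(n_alloc * ALLOC)
    directory = {}
    next_unit = 1                     # unit 0 left for boot/directory data
    for name, content in files:
        start = next_unit * ALLOC
        volume[start:start + len(content)] = content
        directory[name] = (next_unit, len(content))
        next_unit += units_for(len(content))
    return volume, directory


def eof_positions(directory, name):
    """Logical EOF: last byte of real data.  Physical EOF: last byte of the
    last allocation unit the file occupies.  Between them lies file slack."""
    start_unit, size = directory[name]
    start = start_unit * ALLOC
    return start + size - 1, start + units_for(size) * ALLOC - 1


def plant_in_slack(volume, directory, name, marker):
    """Write `marker` at the very end of the file's slack (the Hex Workshop
    step) and return the sector number it lands in, for the Item/Sector chart."""
    logical_eof, physical_eof = eof_positions(directory, name)
    slack = physical_eof - logical_eof
    if len(marker) > slack:
        raise ValueError(f"{name}: only {slack} bytes of slack available")
    pos = physical_eof + 1 - len(marker)
    volume[pos:pos + len(marker)] = marker
    return pos // SECTOR


def read_file(volume, directory, name):
    """Tool A's logical view: only the bytes up to the logical EOF."""
    start_unit, size = directory[name]
    start = start_unit * ALLOC
    return bytes(volume[start:start + size])


def sector_search(volume, needle):
    """Tool B's physical view: every sector in which a match begins."""
    hits, off = [], volume.find(needle)
    while off != -1:
        hits.append(off // SECTOR)
        off = volume.find(needle, off + 1)
    return sorted(set(hits))


def slack_search(volume, directory, needle):
    """Independent method: inspect only each file's slack region."""
    found = []
    for name in directory:
        logical_eof, physical_eof = eof_positions(directory, name)
        off = volume[logical_eof + 1:physical_eof + 1].find(needle)
        if off != -1:
            found.append((name, (logical_eof + 1 + off) // SECTOR))
    return found


def validate_tools(volume, directory, needle):
    """Upgrade-protocol check: the physical scan and the slack-region scan
    must name the same sectors, and no logical file may contain the marker."""
    physical = sector_search(volume, needle)
    by_slack = sorted(s for _, s in slack_search(volume, directory, needle))
    leaked = any(needle in read_file(volume, directory, n) for n in directory)
    return physical == by_slack and not leaked


if __name__ == "__main__":
    # Constructed stand-ins for the two Word files, padded to known sizes.
    doc_a = b"Testing for string Namibia".ljust(510, b"\x00")
    doc_b = b"Testing for string XYZX".ljust(300, b"\x00")
    vol, d = make_test_volume([("C7Prj03a.doc", doc_a), ("C7Prj03b.doc", doc_b)])
    chart = {"C7Prj03a.doc": plant_in_slack(vol, d, "C7Prj03a.doc", b"Murder She Wrote"),
             "C7Prj03b.doc": plant_in_slack(vol, d, "C7Prj03b.doc", b"I Spy")}
    print("Item/Sector chart:", chart)
    print("'Murder' in logical file?", b"Murder" in read_file(vol, d, "C7Prj03a.doc"))
    print("Sectors holding 'Murder':", sector_search(vol, b"Murder"))
    print("Both methods agree:", validate_tools(vol, d, b"Murder She Wrote"))
```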
Hands-On Project 7-4

Follow these steps to verify your results from Hands-On Project 7-3 with AccessData FTK:

1. Create a C7Proj04 folder on your USB or disk drive.
2. Start AccessData FTK, and start a new case. Type your name for the investigator’s name, enter C7Prj04 for the case name and case number, and enter your work folder as the case path. Click Next until you reach the Add Evidence to Case dialog box.
3. Click the Add Evidence button, click the Local Drive option button, and then click Continue.
4. In the Select Local Drive dialog box, make sure your USB or disk drive and Logical Analysis are selected, and then click OK. (Click Yes in the warning message box, if necessary, to continue working.)
5. In the Evidence Information dialog box, click to select your time zone, and then click OK. Click Next, and then click Finish. FTK processes the files on the drive, and then indicates the evidence items contained on the drive.
6. Click the Search tab. Click Tools, Analysis Tools from the menu, click to select the Full Text Indexing check box, if necessary, and then click OK.
7. In the Search Term text box, type Namibia, and then click Add. Click the View Cumulative Results button, and then click OK in the Filter Search Hits dialog box. Repeat this search for the XYZX, Murder, and I Spy keywords. The list under Search Items indicates how many matches (hits) FTK finds on the drive for each keyword. (Note that items in the file slack space aren’t listed in the Indexed Search tab.)
8. Click the Overview tab, click Documents, click C7Prj03b.doc, and then scroll the upper-right pane, if necessary, until you can see the “I Spy” text. Make note of the logical sector position displayed at the bottom of the upper-right pane.
9. Click the Search tab and then the Live Search tab. In the Search Term text box, type I Spy and make sure ASCII and Unicode are selected. Click the Add button and then the Search button, click to select the All files option button if necessary, and then click OK. When the search is finished, click View Results. A “Search Performed” message and the date are displayed at the upper right.
10. Click the expand (+) buttons to find the results of the search, which are displayed as “1 Hit.” In the middle pane, scroll until you find “I Spy.”
11. Repeat Steps 9 and 10 for “Murder.”
12. The bottom pane displays details about the data FTK found on the drive that match your search criteria. Click each occurrence and scroll to the right to see any other information FTK supplies, such as the file’s MD5 hash value.
13. Write the filename and sector information for each item found. Note that FTK finds more than one occurrence of each word on the drive. Below your chart, explain why the words appear more than once.
14. Close all open windows, and exit FTK, clicking No if prompted to back up the case.

Hands-On Project 7-5

You should test new or updated computer forensics tools to make sure they’re performing correctly. When complex software applications are updated, they might create new problems and function failures the vendor wasn’t aware of. In this project, you test two competing computer forensics analysis tools to see how they compare in locating and recovering data. To test these tools, you need one or more controlled sample drive images. You should know the contents of these drive images so that you can determine how efficient the tools are at locating data. Developing a good sample test image takes experience in knowing what to look for on a suspect drive.
To prepare for this project, testing FTK against ProDiscover Basic, you need the following:
• ProDiscover Basic installed on your workstation
• FTK installed on your workstation
• The GCFI-datacarve-NTFS.eve file you extracted to your work folder

In the following steps, you use ProDiscover to convert the image file to raw (.dd) format and then analyze the two images:

1. Start ProDiscover Basic, click Tools from the menu, point to Image Conversion Tools, and then click Convert ProDiscover Image to “DD”.
2. In the Convert ProDiscover Image to “DD” Image dialog box, click Browse next to the Source ProDiscover Image text box. Navigate to your work folder and click GCFI-datacarve-NTFS.eve. Click Open, and then click OK.
3. To start your analysis, click the New Project toolbar button. In the New Project dialog box, type C7Prj05PD for the project number and project filename, and then click OK. (Note: If you get an error when starting a new project, exit ProDiscover and start it again.)
4. In the tree view, click to expand Add and then click Image File. In the Open dialog box, navigate to your work folder, click gcfi-datacarve-ntfs.dd, and then click Open.
5. In the tree view, click to expand Content View and then Images. Click to expand the .dd image file, and then click All Files. If necessary, click Yes in the ProDiscover message box that opens.
6. In the work area, right-click any column header, such as Select or File Name, and then click Field Chooser. In the right pane of the Field Chooser dialog box, scroll down and click Modified Date. Click the Move Up button until Modified Date is immediately under File Extension, and then click OK.
7. In the work area, click the Modified Date column header until the oldest data is displayed at the top of the list.
8. Click the check box next to all deleted files with the date 5/20/2005. For each file, when the Add Comment dialog box opens, type Deleted date test for the comment, and then click OK.
9. Next, click the Search toolbar button. In the Search dialog box, click the Content Search tab. In the Search for the pattern(s) text box, type BM6 (to search for headers for bitmap files). Under Select the Disk(s)/Image(s) you want to search in, click the .dd image file, and then click OK.
10. In the Search 1 tab of the search results, click the check box next to deleted files with a .jpg extension that have bitmap headers. When the first Add Comment dialog box opens, type Search results for non-BMP extensions, click the Apply to all items check box, and then click OK. Continue selecting the remaining deleted files with .jpg extensions. When you’re finished, click Add to Report.
11. Click the Search toolbar button. In the Search dialog box, click the Content Search tab. In the Search for the pattern(s) text box, type S5000. Under Select the Disk(s)/Image(s) you want to search in, click the .dd image file, and then click OK.
12. In the Search 2 tab of the search results, click the check box next to deleted files with an .html extension that contain the search term S5000, and then click Add to Report. Note that the files selected from the first search appear in the second search results, too. Don’t clear the check boxes next to these files because they are added to the report for this test.
13. In the tree view, click Report, and then click the Export toolbar button. In the Export dialog box, click the RTF Format option button, click Browse, and navigate to and click your work folder. Type Chap7-5-PD.rtf in the File Name text box, and then click Save. Click OK in the Export dialog box, and then click File, Print Report from the menu to print your report.
14. When you’re finished, click File, Exit from the menu. When prompted, click Yes to save, and then click Save.

Next, you perform the same searches in FTK:

1. Start AccessData FTK, clicking OK or Yes to any information or warning messages to continue.
2. In the Startup dialog box, click Start a new case, and then click OK.
3. In the New Case dialog box, enter your name for the investigator, type C7Prj05FTK for the case name and number, enter your work folder as the case path, and then click Next.
4. In the FTK Report Wizard - Case Information dialog box, fill in your information, and then click Next. Continue clicking Next until you reach the Add Evidence to Case dialog box.
5. Click the Add Evidence button. In the next Add Evidence to Case dialog box, click Acquired Image of Drive, and then click Continue. In the Open dialog box, navigate to your work folder, click the gcfi-datacarve-ntfs.dd image file, and then click Open.
6. In the Evidence Information dialog box, click to select your time zone, and then click OK. Click Next, and then click Finish in the Case Summary dialog box.
7. When FTK finishes indexing the image file, click the Overview tab, and then click the Total File Items button under the File Items column.
8. Click the File Filter Manager toolbar button (a purple funnel icon to the left of the Unfiltered menu). In the File Filter Manager dialog box, click the File Date check box, and click the Modified option button. Click the between option button, and type 5/20/2005 in both date range text boxes. Click Save/Apply, and in the Save As dialog box, type Modify Date 5/20/2005 for the filename, and then click OK. Click Close in the File Filter Manager dialog box.
9. In the File Items column, click Filtered Out. Right-click the first file listed in the lower pane and click Create Bookmark.
10. In the Create New Bookmark dialog box, type May 5, 2005 files in the Bookmark name text box, click the Include in report check box, and then click OK.
11. Click the Search tab and then the Indexed Search tab. Type BM6 in the Search Term text box, click Add, click View Cumulative Results, and then click OK in the Filter Search Hits dialog box.
12. In the Search Hit pane, click to expand the results. Right-click the first file listed in the lower pane and click Create Bookmark.
13. In the Create New Bookmark dialog box, type Index Search BM6 in the Bookmark name text box, click the Include in report check box, and then click OK.
14. Click the Live Search tab. Type BM6 in the Search Term text box, click Add to add this term to the search items, click Search, and then click OK in the Filter Search Hits dialog box. In the Live Search Progress dialog box, click View Results.
15. In the Search Hit pane, click the first search result, click the first file in the lower pane, and then press Ctrl+A to highlight all files. Right-click the first file listed in the lower pane and click Create Bookmark.
16. In the Create New Bookmark dialog box, type Live Search BM6 in the Bookmark name text box, click the Include in report check box, and then click OK.
17. To create a report, click File, Report Wizard from the menu, and then click OK in the FTK Friendly Reminder message box.
18. In the FTK Report Wizard - Case Information dialog box, enter your name and any additional information, and then click Next. In the Bookmarks dialog box, click Next.
19. In the Bookmarks - B dialog box, click Add/Remove File Properties, and in the Detailed List - Data Items to Include dialog box, click Unselect All. Click the File Name, Full Path, Ext, and Mod Date check boxes, and then click OK. In the Bookmarks - B dialog box, click Next.
20. Continue clicking Next until you reach the FTK Report Wizard - Report Location dialog box, and then click Finish.
21. In the Report Wizard dialog box, click Yes. Under Selected Bookmarks, click Index Search BM6, Live Search BM6, and May 5, 2005 files, printing the Web page after you click each item.
22. Exit your Web browser and exit FTK, clicking No if prompted to back up the case.
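A controlled sample image needs a known answer before two tools can be compared. The following added Python example (not the book's code and not either vendor's) encodes the three checks of Hands-On Project 7-5 (bitmap headers behind .jpg extensions, files modified on 5/20/2005, and S5000 inside .html files) as an answer key for a small set of constructed file records, then scores a tool's reported results for misses and extras. The records, their dates and the BMP/JPEG/HTML signature table are assumptions.

```python
"""Answer key for a controlled test image (added example, not from the book).
The file records below are constructed; a real run would take them from the
image's file system and a file-carving pass."""
from datetime import datetime

# Constructed records: name, last-modified time, deleted flag, leading bytes.
SAMPLE_IMAGE = [
    # .jpg extension but a bitmap header: "BM" + little-endian file size.
    # A size whose low byte is 0x36 ('6') is why the text pattern BM6 hits.
    {"name": "photo1.jpg", "modified": datetime(2005, 5, 20, 9, 15), "deleted": True,
     "data": b"BM" + (0x36).to_bytes(4, "little") + b"\x00" * 48},
    {"name": "photo2.jpg", "modified": datetime(2005, 5, 20, 9, 16), "deleted": True,
     "data": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"},
    {"name": "order.html", "modified": datetime(2004, 1, 10, 12, 0), "deleted": True,
     "data": b"<html><body>Order S5000 shipped</body></html>"},
    {"name": "logo.bmp", "modified": datetime(2005, 3, 1, 8, 0), "deleted": False,
     "data": b"BM" + (0x36).to_bytes(4, "little") + b"\x00" * 48},
    {"name": "notes.txt", "modified": datetime(2005, 5, 20, 17, 45), "deleted": False,
     "data": b"nothing to see here"},
]

# Magic numbers for the file types present in the test image.
SIGNATURES = [(b"BM", "bmp"), (b"\xff\xd8\xff", "jpg")]


def detect_type(data):
    """Classify a file by its header bytes, ignoring the extension."""
    if data[:5].lower() == b"<html":
        return "html"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def header_mismatches(records, deleted_only=True):
    """Files whose extension disagrees with their header, such as a .jpg that
    is really a bitmap.  Returns (name, extension, detected type) tuples."""
    out = []
    for r in records:
        if deleted_only and not r["deleted"]:
            continue
        kind = detect_type(r["data"])
        if kind != "unknown" and kind != extension(r["name"]):
            out.append((r["name"], extension(r["name"]), kind))
    return sorted(out)


def modified_on(records, year, month, day):
    """File Filter Manager equivalent: modified between a day and itself."""
    return sorted(r["name"] for r in records
                  if (r["modified"].year, r["modified"].month, r["modified"].day)
                  == (year, month, day))


def content_search(records, needle, ext=None):
    """Content search, optionally limited to one extension."""
    return sorted(r["name"] for r in records
                  if needle in r["data"]
                  and (ext is None or extension(r["name"]) == ext))


def expected_results(records):
    """The answer key: what a correctly working tool must report per test."""
    return {
        "bmp_header_in_jpg": [name for name, _, _ in header_mismatches(records)],
        "modified_2005_05_20": modified_on(records, 2005, 5, 20),
        "s5000_in_html": content_search(records, b"S5000", ext="html"),
    }


def score_tool(expected, reported):
    """Compare one test's reported file list with the answer key.
    Returns (missed, extra); both empty means the tool passed that test."""
    exp, rep = set(expected), set(reported)
    return sorted(exp - rep), sorted(rep - exp)


if __name__ == "__main__":
    key = expected_results(SAMPLE_IMAGE)
    for test, names in key.items():
        print(f"{test}: {names}")
    # Constructed output from a hypothetical tool that over-reports one file.
    print("score:", score_tool(key["bmp_header_in_jpg"], ["photo1.jpg", "photo2.jpg"]))
```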
Case Projects

Case Project 7-1

For the arson running case project, the insurance company gives you an image file called Firestarter.dd (extracted to your work folder with the other project files for this chapter). Given the resources you determined you need in Chapter 3, describe the tools you’ll use to evaluate and analyze the image.

Case Project 7-2

On the Internet, research two popular GUI tools, Guidance Software EnCase and AccessData FTK, and compare their features to other products, such as ProDiscover (www.techpathways.com) and Ontrack EasyRecovery Professional (www.ontrack.com/easyrecoveryprofessional). Create a chart outlining each tool’s current capabilities, and write a one- to two-page report on the features you found most beneficial for your lab.

Case Project 7-3

Research the forensics tools available for Mac OS and Linux. Are tools similar to Hex Workshop available for these OSs? Based on their documentation, how easy would validating these tools be? Select at least two tools, and write a one- to two-page paper describing what you would do to validate them, based on what you have learned in this chapter.

Case Project 7-4

You need to establish a procedure for your corporation on how to verify a new forensics software package. Write two to three pages outlining the procedure you plan to use in your lab.

Chapter 8 Macintosh and Linux Boot Processes and File Systems

After reading this chapter and completing the exercises, you will be able to:
• Explain Macintosh file structures and the boot process
• Explain UNIX and Linux disk structures and boot processes
• Describe other disk structures

In Chapter 6, you explored Microsoft OSs, including DOS and Windows, and Microsoft file systems. Because computer forensics investigators must understand how most OSs store and manage data, this chapter continues that exploration by examining Linux and Macintosh OSs.
Chapters 6 and 8 give you a foundation to build on as you become more knowledgeable about current and legacy OSs and their file systems. In addition, this chapter discusses media and hardware, such as CDs and DVDs and IDE, SCSI, and SATA drives. You should understand how these devices store data so that you can retrieve evidence as needed. Keep in mind that this chapter is simply an introduction to techniques for examining Linux and Macintosh file systems.

Understanding the Macintosh File Structure and Boot Process

The current Macintosh OS is Mac OS X, version 10.5, known as Leopard. Mac OS X is built on a core called Darwin, which consists of a Berkeley Software Distribution (BSD) UNIX application layer built on top of a Mach microkernel. Apple’s OSs have been evolving since 1984 with the Apple System 1 and have continued through System 7. In 1997 Apple introduced Mac OS 8, followed by Mac OS 9, before moving on to OS X. This section focuses primarily on older Mac OS 9 file systems. The next section, “Examining UNIX and Linux Disk Structures and Boot Processes,” discusses file systems used by UNIX, Linux, and OS X.

The Macintosh is popular with schools and graphics professionals, and Apple’s innovations continue to make it popular in the PC market. Because the OS 9 file system was so widely used, mostly in public schools, computer forensics investigators should be familiar with its file and disk structure. In addition, Apple has kept the same GUI, utilities, and applications in each major OS release, including OS X. Directory file structures have had only minor changes with each new OS update. Before OS X, the Hierarchical File System (HFS) was used, in which files are stored in directories (folders) that can be nested in other directories. With Mac OS 8.1, Apple introduced Extended Format File System (HFS+), which continues to be an optional format in Mac OS X.
The primary difference between HFS and HFS+ is that HFS was limited to 65,536 blocks (512 bytes per block) per volume, and HFS+ raised the number of blocks to more than 4 billion. Consequently, HFS+ supports smaller file sizes on larger volumes, resulting in more efficient disk use. Mac OS X also supports the Unix File System (UFS), which isn’t covered in this book.

The File Manager utility handles reading, writing, and storing data on physical media. It also collects data to maintain the HFS and manipulates files, directories, and other items. The Finder is another Macintosh utility that works with the OS to keep track of files and maintain users’ desktops.

In older Mac OSs, a file consists of two parts: a data fork, where data is stored, and a resource fork, where file metadata and application information are stored (see Figure 8-1). Both forks contain the following essential information for each file:
• Resource map
• Resource header information for each file
• Window locations
• Icons

Figure 8-1 The resource fork and data fork in a Mac OS file

The data fork typically contains data the user creates, such as text or spreadsheets. Applications, such as Microsoft Word or Excel, also read and write to the data fork. When you’re working with an application file, the resource fork contains additional information, such as menus, dialog boxes, icons, executable code, and controls. In the Mac OS, the resource or data fork can be empty. Because File Manager is in charge of reading and writing information to files, it can access both forks.

Understanding Mac OS 9 Volumes

A volume is any storage medium used to store files. A volume can be all or part of the storage media for hard disks; however, in Mac OS 9 or earlier, a volume on a floppy disk is always the entire floppy. With larger disks, the user or administrator defines a volume. Volumes have allocation blocks and logical blocks.
A logical block is a collection of data that can’t exceed 512 bytes. When you save a file, File Manager assigns the file to an allocation block, which is a group of consecutive logical blocks. On a floppy disk, an allocation block is usually one logical block. As volumes increase in size, one allocation block might be composed of three or more logical blocks. Figure 8-2 shows the relationship between these two types of blocks. File Manager can access a maximum of 65,535 allocation blocks per volume. If a file contains information, it always occupies one allocation block. For example, if a data fork contains only 11 bytes of data, it occupies one allocation block (512 bytes) on a disk, which leaves more than 500 bytes empty in the data fork. The Macintosh HFS and HFS+ file systems have two descriptors for the end of file (EOF)— the logical EOF and the physical EOF. The logical EOF is the actual size of the file, so because file B is 510 bytes, byte 510 is the logical EOF. The physical EOF is the number of allocation blocks for that file, as shown in Figure 8-3, so for file B, it’s byte 1023. 8 300 Chapter 8 Figure 8-2 Logical and allocation block structures Figure 8-3 Logical EOF and physical EOF Macintosh reduces file fragmentation by using clumps, which are groups of contiguous allocation blocks. As a file increases in size, it occupies more of the clump. Volume fragmentation is kept to a minimum by adding more clumps to larger files. Exploring Macintosh Boot Tasks Older Macintosh computers don’t use the same type of BIOS firmware commonly found in PCs. Instead, they use Open Firmware, a processor- and system-independent boot firmware (part of the boot ROM in most Power PC Macintosh systems). Open Firmware controls the Understanding the Macintosh File Structure and Boot Process 301 microprocessor after hardware initialization and diagnostics take place before control is passed to the OS. 
It's responsible for building the device tree, probing for I/O devices, and loading the OS kernel from the disk. Newer Macintosh computers use Intel Core Duo processors with the Extensible Firmware Interface (EFI), which replaces BIOS firmware (see www.intel.com/technology/efi/).

The boot process for OS 9 is as follows:

1. Power on the computer.
2. Hardware self-test and Open Firmware run.
3. Macintosh OS starts.
4. The startup disk is located.
5. System files are opened.
6. System extensions are loaded.
7. OS 9 Finder starts.

Newer Macintoshes can be booted from a CD, DVD, or FireWire drive. To boot from a CD or DVD, press and hold the C key immediately after powering the system on, and then insert a Macintosh-bootable CD or DVD into the optical drive. To boot from an external FireWire drive, connect it, power on the Macintosh, and hold the Option key to choose the drive from the Startup Manager. Holding the T key at power-on does something different: it puts the Macintosh into FireWire Target Disk Mode, in which its internal drive appears as an external FireWire disk on another computer. That mode is what an examiner uses to image a Macintosh whose drive is hard to remove. To determine whether an older Macintosh can boot from a FireWire drive, refer to http://support.apple.com/kb/HT2699?viewlocale=en_US for more information.

Tables 8-1 and 8-2 are an overview of how HFS and HFS+ system files handle data.

Table 8-1 HFS system files (block position - structure - purpose)

0 and 1 - Boot block - Startup volume containing boot instructions; also stores system files and Finder information.
2 - Master Directory Block (MDB) - Contains the volume creation date and time and the location of other system files, such as the Volume Bitmap. A duplicate called the Alternate MDB is located at the second-to-last block on the volume; its purpose is to provide information to OS disk utilities.
3 - Volume Bitmap - Tracks used and unused blocks on the volume.
Recorded in the MDB - Catalog - Lists all files and directories on the volume. It's a B*-tree file that uses the extents overflow file to coordinate all file allocations on the volume.
Recorded in the MDB - Extents overflow file - This B*-tree file lists the extra extents, which are the allocated blocks used to store file data.
Table 8-2 HFS+ system files (byte offset - structure - purpose)

0 - Boot blocks - No change from HFS.
1024 - Volume Information Block (VIB) - Replaces the MDB used in HFS; Apple's documentation calls it the volume header.
Not fixed - Allocation file - Tracks available free blocks on the volume; replaces the HFS Volume Bitmap.
Not fixed - Extents overflow file - For files with more than eight extents, additional extents are recorded and managed through this B*-tree system file.
Not fixed - Catalog - Similar to an HFS catalog, this improved version allows up to eight extents for each file's forks. It's a B*-tree file.
Not fixed - Attributes file - Stores new file attribute information that isn't available in HFS. The new attributes are inline data attribute records, fork data attribute records, and extension attribute records.
Not fixed - Startup file - New to HFS+, this file holds boot code so that a system without HFS+ support in its firmware can still boot from the volume.
Not fixed - Alternate VIB - Same role as the HFS Alternate MDB: a copy of the VIB kept 1024 bytes before the end of the volume.
Reserved (512 bytes) - Last sector of the volume; used by Apple during manufacturing.

For more information on B*-trees and HFS, see http://tldp.org/HOWTO/Filesystems-HOWTO-7.html.

For older HFS-formatted drives, the first two logical blocks, 0 and 1, on the volume (or disk) are the boot blocks containing system startup instructions. Optional executable code for system files can also be placed in the boot blocks. Older Macintosh OSs use the Master Directory Block (MDB) for HFS; the equivalent structure for HFS+ is the Volume Information Block (VIB). All information about a volume is stored in the MDB, which is written when the volume is initialized. A copy of the MDB is also written to the next-to-last block on the volume to support disk utility functions. When the OS mounts a volume, some information from the MDB is written to a Volume Control Block (VCB), which is stored in system memory and used by File Manager. When the user no longer needs the volume and unmounts it, the VCB is removed.
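The MDB and VIB layouts in Tables 8-1 and 8-2, as an added example (this is not code from the book or from any of the vendors it names): it reads the structure at byte 1024 of a raw image, recognises the HFS signature 'BD' or the HFS+ signatures 'H+' and 'HX', unpacks the fields, converts the 1904-based dates, and compares the primary copy with the alternate copy kept 1024 bytes before the end of the volume. The field layout follows Apple's Technote 1150 and the Inside Macintosh MDB description; the two images it parses are constructed in memory, with only the headers populated, and every value in them is a sample.

```python
"""Read the HFS Master Directory Block or the HFS+ volume header (the book's VIB) from a raw
image and check it against the alternate copy 1024 bytes before the end (added example)."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_OFFSET = 1024                                    # byte 1024: block 2 of a 512-byte-block volume
MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS/HFS+ dates: seconds since 1904-01-01
MDB = struct.Struct(">HIIHHHHHIIHIH28s")                 # HFS MDB, drSigWord through drVN (64 bytes)
VH_FIXED = struct.Struct(">HH" + "I" * 17 + "Q32s")     # HFS+ volume header up to the fork data (112 bytes)
FORK = struct.Struct(">QII" + "II" * 8)                 # HFSPlusForkData: size, clump, blocks, 8 extents
VH_FIELDS = ("signature", "version", "attributes", "last_mounted_version", "journal_info_block",
             "create_date", "modify_date", "backup_date", "checked_date", "file_count",
             "folder_count", "block_size", "total_blocks", "free_blocks", "next_allocation",
             "rsrc_clump_size", "data_clump_size", "next_catalog_id", "write_count",
             "encodings_bitmap", "finder_info")


def mac_timestamp(seconds):
    """HFS+ stores these in UTC; classic HFS stores local time, so treat an MDB date as local."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def parse_mdb(raw):
    f = MDB.unpack_from(raw, 0)
    name = f[13]                                         # Pascal string: length byte, then text
    return {"format": "HFS", "signature": raw[:2].decode("ascii"), "create_date": f[1],
            "modify_date": f[2], "file_count": f[4], "bitmap_start_block": f[5],
            "alloc_blocks": f[7], "alloc_block_size": f[8], "clump_size": f[9],
            "first_alloc_block": f[10], "free_blocks": f[12],
            "volume_name": name[1:1 + name[0]].decode("mac_roman")}


def parse_volume_header(raw):
    hdr = dict(zip(VH_FIELDS, VH_FIXED.unpack_from(raw, 0)))
    hdr["format"] = "HFS+" if raw[:2] == b"H+" else "HFSX"
    hdr["signature"] = raw[:2].decode("ascii")
    hdr["forks"], off = {}, VH_FIXED.size
    for fork in ("allocation", "extents", "catalog", "attributes", "startup"):
        v = FORK.unpack_from(raw, off)
        hdr["forks"][fork] = {"logical_size": v[0], "clump_size": v[1], "total_blocks": v[2],
                              "extents": [(v[3 + 2 * i], v[4 + 2 * i]) for i in range(8) if v[4 + 2 * i]]}
        off += FORK.size
    return hdr


def read_headers(img):
    """Parse the primary header and its alternate copy and report whether the two agree."""
    sig = bytes(img[HEADER_OFFSET:HEADER_OFFSET + 2])
    parser = {b"BD": parse_mdb, b"H+": parse_volume_header, b"HX": parse_volume_header}.get(sig)
    if parser is None:
        raise ValueError("no HFS/HFS+ signature at byte 1024: %r" % sig)
    primary = parser(bytes(img[HEADER_OFFSET:HEADER_OFFSET + 512]))
    alt_off = len(img) - HEADER_OFFSET
    alternate = parser(bytes(img[alt_off:alt_off + 512])) if bytes(img[alt_off:alt_off + 2]) == sig else None
    keys = [k for k in primary if k not in ("forks", "finder_info")]
    agree = alternate is not None and all(primary[k] == alternate[k] for k in keys)
    return {"format": primary["format"], "primary": primary, "alternate": alternate,
            "alternate_matches": agree}


def build_hfsplus_image(block_size=4096, total_blocks=256, create_date=3314865600):
    """Constructed 1 MiB HFS+ image: only the two volume headers are populated (sample values)."""
    header = VH_FIXED.pack(0x482B, 4, 0x00000100, int.from_bytes(b"10.0", "big"), 0,
                           create_date, create_date, 0, create_date, 3, 2, block_size,
                           total_blocks, 200, 6, 65536, 65536, 16, 1, 1, b"\0" * 32)
    for size, blocks, start in ((1024, 1, 1), (block_size, 1, 2), (2 * block_size, 2, 3), (0, 0, 0), (0, 0, 0)):
        header += FORK.pack(size, block_size, blocks, start, blocks, *([0] * 14))
    img = bytearray(block_size * total_blocks)
    img[HEADER_OFFSET:HEADER_OFFSET + 512] = header
    img[-HEADER_OFFSET:-HEADER_OFFSET + 512] = header
    return bytes(img)


def build_hfs_image(blocks=2880):
    """Constructed floppy-sized HFS image (512-byte blocks): MDB at block 2, alternate MDB
    at the second-to-last block (sample values)."""
    mdb = MDB.pack(0x4244, 3314865600, 3314865600, 0x0100, 5, 3, 0, blocks - 6, 512, 2048, 4,
                   20, blocks - 40, b"\x08GCFI-OS9")
    img = bytearray(512 * blocks)
    img[HEADER_OFFSET:HEADER_OFFSET + MDB.size] = mdb
    img[-HEADER_OFFSET:-HEADER_OFFSET + MDB.size] = mdb
    return bytes(img)
```

Two caveats when you run this over a real image. A primary that differs from the alternate is not by itself evidence of tampering: HFS refreshes the alternate only when the catalog or extents file grows, and an unclean unmount leaves the copies out of step, so the comparison mainly tells you which copy a disk utility would fall back on. And HFS+ dates are UTC while classic HFS MDB dates are local time, which matters when you build a timeline from create and modify dates.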
The copy of the MDB is updated when the extents overflow file or catalog increases in size. File Manager uses the extents overflow file to store any file-mapping information that doesn't fit in the MDB or a VCB. The catalog is the listing of all files and directories on the volume and is used to maintain relationships between files and directories on a volume. A structure called the Volume Bitmap tracks each block on a volume to determine which blocks are in use and which ones are available to receive data. The Volume Bitmap has information about the blocks' use but not about their content, and its size depends on the number of allocation blocks on the volume. File Manager stores file-mapping information in two locations: the extents overflow file and the file's catalog entry.

Mac OS 9 also uses B*-tree files to organize the directory hierarchy and file block mapping for File Manager. In these files the unit of storage is a node (512 bytes in HFS), and each node holds records. The nodes containing the actual records (for the catalog, the file and folder records) are called leaf nodes; they're the bottom level of the B*-tree. The B*-tree also has the following kinds of nodes:

• The header node stores information about the B*-tree file as a whole, such as the node size, the root node, and the number of leaf records.
• Index nodes store keys and pointers that lead down to the next level of the tree; every node's descriptor also links it to the previous and next nodes at its own level.
• The map node stores a node descriptor and a map record, which continues the bitmap of allocated nodes when the header node's map is full.

For more information on HFS and HFS+, see http://developer.apple.com/technotes/tn/tn1184.html, http://developer.apple.com/technotes/tn/tn1150.html, http://developer.apple.com/documentation/mac/Files/Files-100.html#HEADING100-0, and http://developer.apple.com/referencelibrary/Carbon/idxFileManagement-date.html.

Using Macintosh Forensics Software

Recently, several computer forensics software vendors have updated or created new tools to investigate Macintosh file systems. This section covers BlackBag Technologies (www.blackbagtech.com/products/overview.htm).
Another product specific to Macintosh forensics is SubRosaSoft MacForensicsLab (www.macforensicslab.com). Other vendors, such as Guidance Software (EnCase) and X-Ways Forensics, have also added the capability to analyze HFS, HFS+, UFS, and UFS2 file systems. Other forensics software products that can examine UFS and UFS2 are ProDiscover Forensic Edition from Technology Pathways and the freeware tools Sleuth Kit and Autopsy (www.sleuthkit.org). Sleuth Kit is discussed in "Examining UNIX and Linux Disk Structures" later in this chapter.

Macintosh Acquisition Methods

To examine a Macintosh computer, you need to make an image of the drive, using the same techniques described in Chapter 4. There are some exceptions you should be aware of, however, because of Macintosh design and engineering. For example, a static acquisition of the suspect drive is preferable to a live acquisition. In addition, removing the drive from a Mac Mini's case is difficult, and attempting to do so without Apple factory training could damage the computer. You need a Macintosh-compatible forensic boot CD to make an image, which then must be written to an external drive, such as a FireWire or USB drive. Larger Macintoshes are constructed similarly to desktop PCs, making it much easier to remove the hard drive. For Macintosh computers such as the Mac Mini, booting from a forensic boot CD might not be possible because the CD/DVD drive can't be loaded until the computer has powered on. For this type of computer, you image over FireWire instead: start the Mac Mini in FireWire Target Disk Mode (hold the T key at power-on) so that its internal drive appears as a FireWire disk on the examination machine, and put a write blocker between the two if one is available. For additional information on bootable FireWire drives, see http://support.apple.com/kb/HT2699?viewlocale=en_US.

BlackBag Technologies sells acquisition products designed for OS 9 and earlier as well as OS X and offers a forensic boot CD called MacQuisition for making an image of a Macintosh drive (see www.blackbagtech.com/products/macquisition.htm).
BlackBag Technologies has also written a guide for newer Macintoshes on making an acquisition with a FireWire-connected drive (www.macforensicslab.com/ProductsAndServices/index.php?main_page=document_general_info&products_id=134).

After making an acquisition, the next step is examining the image of the file system with a computer forensics tool. The tool you use depends on the image file's format. For example, if you used EnCase, FTK, or X-Ways Forensics to create an Expert Witness (.e01) image, you need a tool that can read the Expert Witness format as well as the HFS+ file system, which these three tools can do. If you made a raw format image, you can use any of the following tools:

• BlackBag Technologies Macintosh Forensic Software (OS X only)
• SubRosaSoft MacForensicsLab (OS X only)
• Guidance Software EnCase (Windows 2000 or later)
• X-Ways Forensics (Windows 2000 or later)

Of these tools, BlackBag Technologies Macintosh Forensic Software and SubRosaSoft MacForensicsLab have a feature for disabling and enabling Disk Arbitration. You can configure newer Macintoshes running OS X (10.3 or later) so that they don't automatically mount a drive connected through a FireWire or USB device (see www.macosxforensics.com/Technologies/DiskArbitration/DiskArbitration.html). Being able to turn off automatic mounting in OS X allows you to connect a suspect drive to a Macintosh without a hardware write-blocking device. Keep in mind that this is a software control: it prevents the automatic mount, but not a later manual mount or a tool that opens the raw device for writing, so verify with the mount command or Disk Utility that the suspect device stays unmounted, and prefer a hardware write blocker when one is available.

In the next section, you learn how to use Macintosh forensics tools on an acquired image of an OS 9 drive.

Examining OS 9 Data Structures with BlackBag

This section explains how to perform a forensics examination by using BlackBag's tools on an OS 9 image. BlackBag provides demo software to download that's a fully functioning version of its licensed software.
For a copy of the demo software, go to http://blackbagtech.com/store/software/forensic_suite_2.5_-_demo.html, where you'll find instructions about e-mailing for a username and password to access the download page. You'll have full use of the software until the expiration date listed on this Web page. SubRosaSoft also offers a demo version of MacForensicsLab. If you want to download this demo, contact sales@subrosasoft.com.

As with any computer forensics software, the more RAM and processor speed your computer has, the more efficiently it can examine a drive. At a minimum, a current-model Mac Mini is suitable for running BlackBag. The activities in this section assume you have a Macintosh running OS X and have installed BlackBag's demo or licensed version on your computer. If you don't have a Macintosh available, read the steps to acquaint yourself with how this application works.

Before starting BlackBag, all data acquisitions (image files) must be configured as Disk Images with the correct filename and extensions. Disk Images are copies of entire disks, volumes, or files used by OS X. If you have made a raw image of an OS 9 drive with another tool, such as the dd command-line utility or ProDiscover Basic, you can rename the image file and its segment files as Disk Image files to make them compatible with OS X. These renamed files are then mounted as virtual drives. The .dmg extension tells OS X that the file is a Disk Image. If an image file has additional segments, each segment must have a .dmgpart extension. To keep the correct order of each segment, the segment number stays between the filename and the extension, as shown in Table 8-3.
Table 8-3 Requirements for renaming Disk Image files (original filename - Macintosh Disk Image filename)

GCFI-OS9.001 - GCFI-OS9.dmg
GCFI-OS9.002 - GCFI-OS9.002.dmgpart
GCFI-OS9.003 - GCFI-OS9.003.dmgpart
GCFI-OS9.004 - GCFI-OS9.004.dmgpart

After the image and any associated segments have been renamed, they can be loaded as a virtual disk image. Before mounting the image, however, you need to write-protect it to prevent OS X from writing to the virtually mounted drive. When using a Macintosh computer for forensics examinations, images should be placed on a Macintosh drive formatted as Mac OS Extended (with or without the journaling feature) or on a USB-connected NTFS-formatted drive, which OS X mounts read-only. Do not examine an image from a FAT-formatted drive, because FAT has no per-file permissions and the read-only setting can't be applied. To write-protect the image files before mounting them, change the permissions of the image and its associated segments by following these steps:

1. In Finder, right-click the image and each associated segment file and click Get Info.
2. In the Info dialog box, click the Ownership & Permissions drop-down list, and change all permissions to Read Only.
3. In the General section, click the Locked check box to complete the write-protection for the image and associated segments. (Locked sets the file's immutable flag, the same flag that chflags uchg sets from the command line.)

To mount the .dmg files listed in Table 8-3, in Finder, navigate to the drive and then the directory containing the .dmg files (see Figure 8-4), and double-click the first segment file, GCFI-OS9.dmg, to load the entire collection of segmented volumes. (OS X Disk Image reads and mounts all associated segments with the .dmgpart extension automatically.) OS X loads and displays a desktop icon of the virtual mounted disk with the name "untitled." You can rename the icon with the case name, such as GCFI-OS9 DISK, to make it easier to identify. To do this, right-click it and click Get Info.
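The renaming in Table 8-3 and the write-protection steps above, as an added example (this is not code from the book or from BlackBag): it records a SHA-256 for every segment, renames .001 to .dmg and every later segment to .NNN.dmgpart, clears the write bits, and on macOS sets the immutable flag that Finder shows as Locked. The segment names follow the table; the four tiny segment files it creates are constructed samples, not an acquisition, and the chflags call is skipped on systems without it.

```python
"""Rename a segmented raw image to the .dmg/.dmgpart names OS X expects (Table 8-3 scheme),
record a SHA-256 for every segment, and leave the result write-protected (added example)."""
import hashlib
import os
import re
import shutil
import stat
import tempfile

SEGMENT = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3})$")   # GCFI-OS9.001, GCFI-OS9.002, ...


def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def dmg_names(filenames):
    """Map raw segment names to Disk Image names: .001 becomes .dmg, every later .NNN
    becomes .NNN.dmgpart so the segment number stays in the name and keeps the order."""
    mapping = {}
    for name in sorted(filenames):
        m = SEGMENT.match(name)
        if m:
            base, num = m.group("base"), m.group("num")
            mapping[name] = f"{base}.dmg" if num == "001" else f"{base}.{num}.dmgpart"
    return mapping


def lock_read_only(path):
    """Clear the write bits; on macOS also set the immutable flag Finder shows as Locked."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
    os.chmod(path, mode)
    if hasattr(os, "chflags"):                        # BSD/macOS only; absent on Linux
        os.chflags(path, os.stat(path).st_flags | stat.UF_IMMUTABLE)


def all_write_protected(directory, names):
    return all(not (os.stat(os.path.join(directory, n)).st_mode & 0o222) for n in names)


def prepare_image(directory):
    """Hash, rename and write-protect every segment in directory; returns {new_name: sha256}."""
    manifest = {}
    for old, new in dmg_names(os.listdir(directory)).items():
        src, dst = os.path.join(directory, old), os.path.join(directory, new)
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite {dst}")
        before = sha256_of(src)
        os.rename(src, dst)
        lock_read_only(dst)
        if sha256_of(dst) != before:                  # a rename must never change content
            raise RuntimeError(f"hash changed while renaming {old}")
        manifest[new] = before
    return manifest


def verify_image(directory, manifest):
    """Recompute every hash in the manifest; True only if all segments are unchanged."""
    return all(sha256_of(os.path.join(directory, n)) == d for n, d in manifest.items())


def make_sample_segments():
    """Constructed sample acquisition: four tiny segments named as in Table 8-3 (not a real image)."""
    work = tempfile.mkdtemp(prefix="gcfi-")
    for num in ("001", "002", "003", "004"):
        with open(os.path.join(work, f"GCFI-OS9.{num}"), "wb") as fh:
            fh.write(b"segment " + num.encode())
    return work


def remove_sample(directory):
    """Undo the protection (clear the immutable flag where it exists) and delete the sample."""
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if hasattr(os, "chflags"):
            os.chflags(path, 0)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    shutil.rmtree(directory)
```

Keep the manifest with the case notes: after the examination, verify_image shows whether any segment changed while it was mounted, which is the evidence you want if the write-protection is ever questioned. The renamed files still need the Read Only permission and Locked flag for the mounted volume to be safe, which is why lock_read_only runs before the first mount.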
In the Info dialog box, click the Name & Extension drop-down list and type a new name, as shown in Figure 8-5.

Figure 8-4 OS X Finder showing the renamed raw files as .dmg files

Figure 8-5 Changing the icon name

Now the data is ready for BlackBag to read and examine forensically. To start BlackBag from Finder, navigate to the Applications/BBT Forensic Suite/ directory and double-click the application file BBTFSToolBar_nnn (nnn is the version number) shown in Figure 8-6.

Figure 8-6 Starting BlackBag from Finder

In the BlackBag About dialog box, click OK to display the BlackBag Forensic Suite ToolBar (see Figure 8-7), where you can select a utility to start your analysis. BlackBag is made up of several utilities for conducting a full analysis of evidence, including PDISKInfo, PMAPInfo, DirectoryScan, FileSearcher, MacCarver, and FileSpy. For the latest list of tools that have been integrated into BlackBag and explanations of their uses, see http://blackbagtech.com/support/documents.html.

Before starting the following activity, extract all data files from the Chap08 folder on the book's DVD to the Work\Chap08\Chapter folder on your Macintosh system. (You might have to create these folders on your system first.) Then rename the files with .dmg and .dmgpart extensions (as explained in Table 8-3), load the .dmg files on your workstation as a virtual disk, and rename the desktop icon, as described previously. In this activity, you use the BlackBag DirectoryScan utility, which lists all folders and files, visible and hidden, in the image loaded as a .dmg file:

1. Start BlackBag from Finder, as described previously.
2. In the BlackBag Forensic Suite ToolBar, click DirectoryScan. When the Authentication dialog box opens, type the root password for your Macintosh, and then click OK.
Figure 8-7 The BlackBag Forensic Suite ToolBar

Many of the utilities in BlackBag require system privileges. These utilities prompt you for the root password the first time you start them.

3. In the DirectoryScan window, click the Volume list arrow, and then click to select the .dmg image. DirectoryScan can scan specific folders as well as an entire volume. To use this option, click the Choose button under Folder.
4. Click the Select button to start the directory scanning. When the scanning is done, click OK in the Scan Complete! dialog box. To locate files of interest, click the appropriate column header to sort in descending or ascending order.
5. Next, survey the listing and click the check boxes next to files of interest to your investigation. If all files and folders are needed for a report, click the small X box at the lower left. Figure 8-8 shows the GCFI-OS9 DISK volume selected.

Figure 8-8 Selecting the entire GCFI-OS9 DISK volume in the DirectoryScan window

6. Click Save Selected or Save Full Report to complete this scan.
7. In the Save dialog box, navigate to the folder where you're saving the scan output and click Save. In the notification message box, click OK.
8. To exit this utility, click the DirectoryScan drop-down list and click Quit DirectoryScan or press Command+Q. Leave the BlackBag Forensic Suite ToolBar open for the next activity.

The next activity shows you how to use the FileSearcher utility to locate files by a specific extension:

1. In the BlackBag Forensic Suite ToolBar, click FileSearcher. When the Authentication dialog box opens, type the root password for your Macintosh, and then click OK.
2. In the FileSearcher dialog box, click the Select Volume list arrow, and then click GCFI-OS9 DISK.
3. Click the Name option button if it's not already selected, click the right arrow button to list available extensions, and click .pdf.
If it's not listed, simply type it in the Name text box and press Enter. When the Search Complete dialog box opens, click OK.
4. Next, examine the files listed in the search results output shown in Figure 8-9. Click the check boxes next to the a9-02.pdf and act4.pdf files.

Figure 8-9 FileSearcher listing all .pdf documents in the search results

5. Click the Save Report button. In the Save dialog box, type the name of the report in the Save As text box. Click the Where list arrow, navigate to the Documents or Desktop folder to save the report, and then click Save.
6. Click Quit FileSearcher from the FileSearcher menu. To exit the BlackBag Forensic Suite ToolBar, click BBTFSToolBar and then click Quit BBTFSToolBar.

For more information on performing Macintosh forensics, see www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=11.

Examining UNIX and Linux Disk Structures and Boot Processes

In addition to Windows and Macintosh OSs, contemporary computers and networks use UNIX and Linux. Many flavors of UNIX are available, including System V variants, such as Sun Solaris, IBM AIX, and HP-UX, and BSD variants, such as FreeBSD, OpenBSD, and NetBSD. Linux is also available in many distributions, such as Red Hat, Fedora, Ubuntu, and Debian. All Linux references in this book are to Fedora because of its popularity and ease of use.

Linux is probably the most consistent UNIX-like OS because the Linux kernel is released under the GNU General Public License (GPL). The GPL states that anyone is allowed to use, modify, and redistribute software developed under this agreement. It also stipulates that source code for software distributed under the GPL must be made available to its recipients, and any works derived from GPL code must also be licensed under the GPL.
BSD variants are released under the BSD license, which is similar to the GPL but makes no requirements for derivative works except that the original copyright notice remain attached. GPL and BSD variants are examples of open-source software. Open-source software is popular because it's freely available, can be modified to suit users' needs, and has a reputation for stability and security. This stability and security are possible because anyone can view the source code and make revisions and contributions, so bugs and security vulnerabilities are often found and fixed quickly. Open-source software does, however, require a higher level of user skill. If you're interested in using open-source tools, see http://sourceforge.net or www.gnu.org/software.

Table 8-4 lists several system files in UNIX OSs that you need to examine when dealing with a UNIX or Linux partition. These files can yield information about users and their activities.

Table 8-4 UNIX system files (system file - purpose)

AIX
  /etc/exports - Configuration file
  /etc/filesystems - File system table of devices and mount points
  /etc/utmp - Current users' logon information
  /var/adm/wtmp - Logon and logoff history information
  /etc/security/lastlog - Users' last logon information
  /var/adm/sulog - Substitute user (su) attempt information
  /etc/group - Group memberships for the local system
  /var/log/syslog - System messages log
  /etc/security/passwd - Master password file for the local system
  /etc/security/failedlogin - Failed logon attempt information

HP-UX
  /etc/utmp and /etc/utmpx - Current users' logon information
  /var/adm/wtmp and /var/adm/wtmpx - Logon and logoff history information
  /var/adm/btmp - Failed logon attempt information
  /etc/fstab - File system table of devices and mount points
  /etc/checklist - File system table information (version 9.x)
  /etc/exports - Configuration files
  /etc/passwd - Master password file for the local system
  /etc/group - Group memberships for the local system
  /var/adm/syslog.log - System messages log
  syslog - System log files
  /var/adm/sulog - Substitute user (su) attempt information

IRIX
  /var/adm/syslog - System log files
  /etc/exports - Configuration files
  /etc/fstab - File system table of devices and mount points
  /var/adm/btmp - Failed logon information
  /var/adm/lastlog - Users' last logon information
  /var/adm/wtmp and /var/adm/wtmpx - Logon and logoff history information
  /var/adm/sulog - Substitute user (su) attempt information
  /etc/shadow - Master password file for the local system
  /etc/group - Group memberships for the local system
  /var/adm/utmp and /var/adm/utmpx - Current users' logon information

Linux
  /etc/exports - Configuration files
  /etc/fstab - File system table of devices and mount points
  /var/log/lastlog - Users' last logon information
  /var/log/wtmp - Logon and logoff history information
  /var/run/utmp - Current users' logon information
  /var/log/messages - System messages log
  /etc/shadow - Master password file for the local system
  /etc/group - Group memberships for the local system

Solaris
  /etc/passwd - Account information for the local system
  /etc/group - Group information for the local system
  /var/adm/sulog - Switch user (su) log data
  /var/adm/utmp - Logon information
  /var/adm/wtmp, /var/adm/wtmpx, and /var/adm/lastlog - Logon history information
  /var/adm/loginlog - Failed logon information
  /var/adm/messages - System log files
  /etc/vfstab - Static file system information
  /etc/dfs/dfstab and /etc/vfstab - Configuration files

Note that utmp, wtmp, btmp, and lastlog are binary files with fixed-size records, not text, so read them with the who, last, lastb, and lastlog commands (or a parser for the platform's struct utmp) rather than a text editor; the shadow and passwd files are ordinary text.

In the following steps, you use standard Linux commands to find information about your Linux system:

1. Start your Linux computer and open a terminal window, if necessary. If your computer starts at a graphical desktop, such as KDE, click the Fedora desktop icon, point to System, and then click Terminal. If you're using GNOME, click the Applications drop-down menu, point to Accessories, and then click Terminal.
2. To find the name of your computer and the Linux kernel revision number, type uname -a and press Enter. Record the results or capture a screen image. To capture a screen image in Linux, use the GIMP graphics program. In Fedora, for example, click the Fedora desktop icon, point to Graphics, and then click The GIMP. From the GIMP menu, click File, Acquire, and then click Screen Shot. In the Screen Shot dialog box, click the Single Window option button, and then minimize the main GIMP window if you want to capture the entire screen. Next, change the setting for Grab After ___ Seconds Delay to 3 seconds, and then click Grab. Now click the window you want to capture. To save the captured image, click File, Save As from the menu in the window containing the captured image. Enter a filename in the Name text box, navigate to and select a location, and then click Save.
3. Type ls -l and press Enter to list the files in the current directory. Write down the name of one file in the directory.
4. To determine the access time of a file (the last time its contents were read; ls -l on its own shows the modification time), type ls -ul filename (substituting the filename you recorded in Step 3 for filename) and press Enter. Record or capture a screen image of the results. Keep in mind that most current Linux systems mount file systems with the relatime or noatime option, so the access time is updated only when it's older than the modification time, or not at all.
5. Type netstat -s and press Enter to see per-protocol statistics for the traffic your computer has exchanged with other systems.
6. Exit the terminal window.

The standard Linux file system is the Second Extended File System (Ext2fs), which can support volumes as large as 4 TB with 1 KB blocks (16 TB with 4 KB blocks) and files as large as 2 TB with 4 KB blocks; the 2 GB per-file limit often quoted for it was a limit of older 32-bit kernels and C libraries, not of the on-disk format. Ext3fs is a journaling version of Ext2fs that reduces file recovery time after a crash. Of the file structures you have studied so far, Linux is most closely related to Mac OS X because both follow the UNIX design of inodes and data blocks. The Linux file structure is made up of metadata and data. Metadata includes items such as user ID (UID), group ID (GID), size, and permissions for each file.
Unlike the FAT, NTFS, and HFS structures covered so far, Linux uses inodes, or information nodes, containing descriptive information about each file or directory. (See "Understanding Inodes" later in this chapter for more in-depth information.) Inodes contain the modification, access, and change (MAC) times, not filenames; ext2 and ext3 inodes record no creation time, and the "C" stands for the last change to the inode's metadata (ctime), which is updated by operations such as chmod, chown, and link creation. To keep track of files and data, Linux assigns an inode number that's linked with the filename in a directory file. (A directory is itself a file whose data is a list of filename-to-inode-number pairs.) The data portion of the Linux file structure contains the file's contents. In addition to metadata, an inode holds pointers to the blocks where the file's data resides on the disk; the inode number itself is simply the inode's index in the inode table. Because data is reached through the inode, Linux can store a file in one location and create pointers to it in other locations, such as other directories. For example, suppose you need to access the MyDatabase file when you're working in the Clients, Accounting, and General_Documents directories. Instead of making copies of MyDatabase in each directory, you create the file once in one directory, and then create a link to MyDatabase in the other two directories. A hard link is a second directory entry for the same inode; a symbolic link is a separate small file whose content is the path of the target. To see an inode's metadata (permissions, owner, size, modification time, and link count), use the UNIX/Linux ls -l command. To display the inode number, use ls -i. Each inode keeps a hard link count, the number of directory entries that reference it; symbolic links don't change it. When that count drops to 0 and no process holds the file open, Linux frees the inode and its blocks. To find deleted files during a forensics investigation, you search for inodes that still contain block pointers but have a link count of 0.

UNIX and Linux Overview

In UNIX and Linux, everything is a file, including disk drives, monitors, any connected tape drives, network interface cards, system memory, directories, and actual files. All UNIX files are defined as objects, which means that a file, like an object in an object-oriented programming language, has properties and methods (actions such as writing, deleting, and reading) that can be performed on it.
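The MyDatabase link scenario above, as an added example (this is not code from the book): it runs the scenario in a scratch directory, creating a hard link and then a symbolic link to the file and finally removing the original name, and reports at each step what os.stat (the same system call behind ls -l and ls -i) shows for the inode number, the link count, and the timestamps. The file name and contents are constructed; the directory names are borrowed from the text.

```python
"""The MyDatabase link scenario on a scratch directory: how the inode number and the hard-link
count respond to a hard link, a symbolic link, and removal of the original name (added example)."""
import os
import shutil
import tempfile


def link_experiment(root=None):
    """Returns the observations described in the text; every file here is constructed."""
    work = tempfile.mkdtemp(prefix="inode-demo-", dir=root)
    try:
        target = os.path.join(work, "MyDatabase")
        with open(target, "wb") as fh:
            fh.write(b"client records\n")
        initial = os.stat(target)            # st_ino is what ls -i prints, st_nlink what ls -l shows

        hard = os.path.join(work, "Clients_MyDatabase")
        os.link(target, hard)                # a second directory entry for the SAME inode
        after_hard = os.stat(target)

        sym = os.path.join(work, "Accounting_MyDatabase")
        os.symlink(target, sym)              # a separate inode whose data is just the path string
        after_sym = os.stat(target)
        sym_itself = os.lstat(sym)           # lstat looks at the link; stat would follow it

        os.unlink(target)                    # drop one name; the inode lives on while links > 0
        survivor = os.stat(hard)
        with open(hard, "rb") as fh:
            data = fh.read()

        return {
            "nlink_initial": initial.st_nlink,
            "nlink_after_hard_link": after_hard.st_nlink,
            "nlink_after_symlink": after_sym.st_nlink,           # symbolic links do not count
            "hard_link_shares_inode": survivor.st_ino == initial.st_ino,
            "symlink_has_own_inode": sym_itself.st_ino != initial.st_ino,
            "nlink_after_unlink": survivor.st_nlink,
            "data_survives_unlink": data == b"client records\n",
            "symlink_dangling": os.path.islink(sym) and not os.path.exists(sym),
            "mtime_unchanged_by_links": after_sym.st_mtime_ns == initial.st_mtime_ns,
            # ctime is the inode-change time: link() updates it, mtime only changes on a write
            "mac_times": {"mtime": survivor.st_mtime, "atime": survivor.st_atime,
                          "ctime": survivor.st_ctime},
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in link_experiment().items():
        print(f"{key:28} {value}")
```

The second column of ls -l is st_nlink, and ls -i prints st_ino; stat shows all three MAC times at once. Only the hard-link count decides when an inode is freed, which is why the deleted-file search the text describes looks for inodes with a link count of 0, and why a hard link to a file of interest keeps that file alive after the suspect "deletes" it. Hard links can't cross file systems and, except for the . and .. entries, can't point at directories.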
UNIX file systems consist of four components: boot block, superblock, inode block, and data block. A block is the smallest disk allocation unit in the UNIX file system and can be 512 bytes and up. As explained previously, the boot block contains the bootstrap code, the instructions for startup. A UNIX/Linux computer has only one boot block, located on the main hard disk. The superblock contains vital information about the file system and is considered part of the metadata. It indicates the disk geometry, available space, and location of the first inode and keeps track of the inode count. The superblock also carries the file system's configuration, such as the block size for the volume, the file system name, blocks reserved for inodes, the free inode list, the start of the free block chain, the volume name, and the last update and backup times. Multiple copies of the superblock are kept in various locations on the disk to prevent losing such important information. Inode blocks (the inode table) are the first data after the superblock and its group descriptors. An inode is assigned to every file and directory; as files or directories are created or deleted, inodes are allocated or freed. The links between directory entries and inodes control access to those files or directories. The data block is where directories and files are stored on a disk drive. This location is linked directly to inodes.

As in Microsoft file systems, the Linux file system on a PC has 512-byte sectors. A data block is equivalent to a cluster of disk sectors on a FAT or NTFS volume. Blocks range from 1024 to 4096 bytes each on a Linux volume on PC hardware. Figure 8-10 shows that when you save a file, data blocks are clustered and a unique inode is assigned. As with other OSs, the size of a data block determines how much disk space is wasted: the larger the data block, the more slack space is left in the partly filled last block of each file.
If you create a 152,000-byte database file on a volume with 8192-byte blocks, 19 data blocks are clustered to save the file, and 3648 bytes of the last block are left empty but allocated. In addition to keeping track of file size, an inode keeps track of the number of blocks assigned to the file.

Disks ship with more storage capacity than the manufacturer states. For example, a 20 GB disk might actually have 20.5 GB of sectors, because every disk has some bad sectors despite the most careful manufacturing, and spare sectors take their place. The Linux ext2 and ext3 file systems keep their own record of bad blocks in a dedicated inode called the bad block inode. The root directory is inode 2, and the bad block inode is inode 1. Some forensics tools ignore inode 1 and fail to recover valuable data for cases. Someone trying to mislead an investigator can add good blocks to the bad block inode's list and then hide information in these supposedly "bad" blocks, which the file system will never allocate to ordinary files.

Figure 8-10 Clustering data blocks to save a file in Linux

To find bad blocks on your Linux computer, you can use the badblocks command, although you must log on as root to do so. Linux includes two other commands that provide bad block information: mke2fs and e2fsck. The badblocks command in its write-test mode (-w) overwrites the device and destroys any data on it, and mke2fs creates a new file system, so use them only on scratch media, never on evidence. The e2fsck -c option runs a read-only badblocks pass and records the results in the bad block inode.

The following activity assumes you have a floppy drive on a Linux computer. If you don't, read the steps to learn how to identify bad blocks on a disk. In the following steps, you check a floppy disk for bad blocks. These steps assume you're using the KDE GUI available in most Linux distributions. This activity uses the Fedora distribution. You need a blank floppy disk or one containing data you no longer need, and you must log on as root.

1. Boot your Linux computer to a graphical desktop. Insert a floppy disk in the floppy drive, but don't mount it. If your system is set to mount disks automatically, dismount the drive by clicking the Fedora desktop icon, pointing to System, and clicking Disk Management. Make sure the floppy drive is selected, and then click the Unmount button. You can also dismount the floppy manually with the umount command.
2. To open a terminal window, click the Fedora desktop icon, point to System, and click Terminal. (If you're using GNOME, click the Applications drop-down menu, point to Accessories, and then click Terminal.)
3. Type cd /sbin and press Enter, or make sure /sbin is in your .bash_profile path statement. Next, type mke2fs -c /dev/fd0 and press Enter. (If you get a warning message about /dev/fd0 being the entire device, not just a partition, type y and press Enter to continue.) The /dev/fd0 specifies the location of the first floppy drive on the system. If you're using a different floppy drive, such as fd1, use that location instead. Linux reads and displays disk information, including any bad blocks. After the command prompt appears, record or capture a screen image of the results. (Note: Depending on your current location, you might need to type ./mke2fs -c /dev/fd0 and make a similar correction in Step 5.)
4. To compare the results of the mke2fs and e2fsck commands, mount the floppy disk. If necessary, create a mount point in /mnt or /media by typing mkdir /mnt/floppy (or mkdir /media/floppy) and pressing Enter, and then typing mount /dev/fd0 /mnt/floppy (or mount /dev/fd0 /media/floppy) and pressing Enter.
5. Before using the e2fsck command, make sure the floppy is dismounted again by using the umount /mnt/floppy command. Next, type e2fsck -c /dev/fd0 and press Enter, and then type y to start the check. (Replace fd0 with your floppy drive, if necessary.) Linux again reads and displays disk information, including any bad blocks. After the command prompt appears, record or capture a screen image of the results.
6. To find information about the badblocks command, type man badblocks and press Enter. The first manual page for the badblocks command is displayed. Press Page Down to see additional pages. Record or capture a screen image of each page, and then press q to exit the man page. The man command displays pages from the online help manual for information on UNIX and Linux commands and their options.
7. Dismount the floppy disk by typing umount /dev/fd0 and pressing Enter. Leave the terminal window open for the next activity.

You can display information about files and directories by using the Linux ls (list) command along with options for determining the type of information to display. Figure 8-11 shows some of the information you can find with the ls -l command.

Figure 8-11 Finding information about a file

In the following steps, you use the ls command and some of its options. This activity is performed with Fedora and the KDE GUI. If you're using another Linux distribution, consult its documentation to learn how to start a terminal session.

1. If necessary, start your Linux computer and open a terminal window.
2. Navigate to your home directory, if necessary, by typing cd /home/username (replacing username with the name of your home directory) and pressing Enter. Be sure to insert a space after the cd command.
3. At the command prompt, type ls -A and press Enter. (Be sure to insert a space after the ls command and use an uppercase "A" because Linux commands are case sensitive.) The ls command with the -A option lists all files, including hidden ones, but not the current or parent directories. Write down the files and directories listed, or if too many are listed, scroll to the top of the screen where you entered the ls -A command and note the first filename listed after the command.
4. Next, type ls -a and press Enter.
The ls command with the -a (lowercase “a”) option lists all files, including hidden ones and their parent and current directories. Review the results and compare them with the results from Step 3. Note that this option displays “.” and “..” immediately after the command. 5. To find the inode number for files in the current directory, type ls -i and press Enter. What do you notice about the numbering scheme? Record the results. (Note: If you’re using a fresh install that hasn’t been used previously, this step might not produce any results.) 6. To find detailed information about files in the current directory, including size, permission, and modification time, type ls -l and press Enter. Record the results, and write down the differences and similarities you observed for these commands. 7. You can leave the terminal window open for the next activity, if you like. If not, type exit and press Enter to close it. To provide more information about a file or directory, UNIX/Linux file systems have a continuation inode, which has more room for detailed information. This information includes the mode and file type, the quantity of links in the file or directory, the file’s or directory’s access control list (ACL), the least and most significant bytes of the ACL UID and GID, and the file or directory status flag. The status flag is a bit, usually expressed in octal format, containing unique information about how Linux handles permissions for a file or directory. Table 8-5 describes the code values for the status flag bit. 
Table 8-5 Code values for an inode

Code value   Description
4000         UID on execution—set
2000         GID on execution—set
1000         Sticky bit—set
0400         Read by owner—allowed
0200         Write by owner—allowed
0100         Execution/search by owner—allowed
0040         Read by group—allowed
0020         Write by group—allowed
0010         Execution/search by group—allowed
0004         Read by others—allowed
0002         Write by others—allowed
0001         Execution/search by others—allowed

Understanding Inodes

Inodes provide a mechanism for linking data stored in data blocks. Block size depends on how the disk volume was initiated. As mentioned, block sizes can be 512 bytes and up, but many Linux distributions assign 1024 bytes per block. The Linux Ext2fs and Ext3fs file systems are improvements over the Ext file system in the first Linux release. One major improvement in Ext3fs is that it adds information to each inode that links the other inodes in a chain. Therefore, if one inode becomes corrupt, data can be recovered more easily than in Ext2fs.

When a file or directory is created on a UNIX or Linux file system, an inode is assigned that contains the following information:

• The mode and type of the file or directory
• The number of links to a file or directory
• The UID and GID of the file’s or directory’s owner
• The number of bytes in the file or directory
• The file’s or directory’s last access time and last modified time
• The inode’s last file status change time
• The block address for the file data
• The indirect, double-indirect, and triple-indirect block addresses for the file data
• Current usage status of the inode
• The number of actual blocks assigned to a file
• File generation number and version number
• The continuation inode’s link

This assigned inode has 13 pointers that link to data blocks and other pointers where files are stored.
Pointers 1 through 10 link directly to data storage blocks in the disk’s data block and contain block addresses indicating where data is stored on the disk. These pointers are direct pointers because each one is associated with one block of data storage. As a file grows, the OS provides up to three layers of additional inode pointers. In the file’s inode, the first 10 pointers are called indirect pointers. The pointers in the second layer are called double-indirect pointers, and the pointers in the last or third layer are called triple-indirect pointers.

To expand storage allocation, the OS initiates the original inode’s 11th pointer, which links to 128 pointer inodes. Each pointer links directly to 128 blocks located in the drive’s data block. If all 10 pointers in the original inode are consumed with file data, the 11th pointer links to another 128 pointers. The first pointer in this indirect group of inodes points to the 11th block. The last block of these 128 inodes is block 138. The term “indirect inodes” refers to the 11th pointer in the original inode, which points to another group of inode pointers. In other words, it’s linked indirectly to the original inode.

If more storage is needed, the 12th pointer of the original inode is used to link to another 128 inode pointers. From each of these pointers, another 128 pointers are created. This second layer of inode pointers is then linked directly to blocks in the drive’s data block. The first block these double-indirect pointers point to is block 139. If more storage is needed, the 13th pointer links to 128 pointer inodes, each of which points to another 128 pointers, and each pointer in this second layer points to a third layer of 128 pointers. File data is stored in these data blocks, as shown in Figure 8-12.

You work with files and directories at the Linux command line in a shell, which you used in Chapter 4.
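The inode fields just described can be worked through in code. The following is an added example, not the book’s own material: it decodes a status flag value by the Table 8-5 code values (flagging the setuid/setgid and world-writable cases an examiner reviews first) and maps a file’s logical block number onto the 13-pointer block map exactly as the text models it (10 direct pointers, then 128 pointers per indirect block). The counts, constants and helper names are assumptions taken from the text’s model, not from any particular file system driver.

```python
import stat

# Table 8-5 code values (octal), in the book's order, with short descriptions.
STATUS_FLAGS = [
    (0o4000, "setuid"), (0o2000, "setgid"), (0o1000, "sticky"),
    (0o0400, "owner read"), (0o0200, "owner write"), (0o0100, "owner exec"),
    (0o0040, "group read"), (0o0020, "group write"), (0o0010, "group exec"),
    (0o0004, "others read"), (0o0002, "others write"), (0o0001, "others exec"),
]


def decode_status_flag(code: int) -> list:
    """Return the Table 8-5 description of every bit set in an octal code
    such as 0o4755 (the 12 low bits of st_mode; see from_st_mode)."""
    return [desc for bit, desc in STATUS_FLAGS if code & bit]


def from_st_mode(st_mode: int) -> int:
    """Strip the file-type bits from an os.stat() st_mode, leaving the
    code value that Table 8-5 describes."""
    return stat.S_IMODE(st_mode)


def is_noteworthy(code: int) -> bool:
    """True for permission sets an examiner usually reviews first: a setuid
    or setgid program, or a file that anyone on the system can write to."""
    any_exec = code & 0o0111
    privileged = (code & 0o6000) and any_exec
    world_writable = code & 0o0002
    return bool(privileged or world_writable)


# Block map parameters as the text describes them: 10 direct pointers, then
# one pointer each for the single-, double- and triple-indirect layers, with
# 128 pointers held in every indirect block (assumption: the text's model).
DIRECT_POINTERS = 10
POINTERS_PER_BLOCK = 128


def max_file_blocks() -> int:
    """Largest number of data blocks the 13-pointer map can address."""
    p = POINTERS_PER_BLOCK
    return DIRECT_POINTERS + p + p ** 2 + p ** 3


def locate_block(n: int) -> tuple:
    """Map logical block number n (1-based, as the text counts: block 11 is
    the first block reached through the 11th pointer) to the pointer layer
    and the index to follow at each level of indirection."""
    p = POINTERS_PER_BLOCK
    if n < 1:
        raise ValueError("block numbers start at 1")
    if n <= DIRECT_POINTERS:
        return ("direct", [n - 1])
    n -= DIRECT_POINTERS
    if n <= p:
        return ("single-indirect", [n - 1])
    n -= p
    if n <= p * p:
        i = n - 1
        return ("double-indirect", [i // p, i % p])
    n -= p * p
    if n <= p ** 3:
        i = n - 1
        return ("triple-indirect", [i // (p * p), (i // p) % p, i % p])
    raise ValueError("block lies beyond what the block map can address")


def blocks_needed(file_size: int, block_size: int) -> int:
    """Whole blocks allocated to hold file_size bytes; the last block is
    usually only partly used (see Figure 8-10)."""
    return -(-file_size // block_size)  # ceiling division


def slack_bytes(file_size: int, block_size: int) -> int:
    """Bytes in the last block that are allocated but not used by the file."""
    return blocks_needed(file_size, block_size) * block_size - file_size
```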
Table 8-6 lists useful commands for most UNIX and Linux shells, including options that are unique to a UNIX version.

Table 8-6 UNIX and Linux shell commands

Shell command        | Associated options                          | Purpose
cat file, more file  | (none)                                      | Displays the contents of a file (similar to the MS-DOS Type command)
dd                   | Refer to man pages for available options    | Copies a disk drive by blocks, which is the same as creating an image of a disk drive
df                   | bdf (HP-UX); -k (Solaris)                   | Displays partition information for local or NFS mounted partitions
find                 | Refer to man pages for available options    | Locates files matching a specific attribute, such as name, last modification time, or owner
netstat              | -a                                          | Identifies other systems connected via the network to a UNIX or Linux system
ps                   | ax (BSD); -ef (System V)                    | Displays the status of OS processes
uname                | -a                                          | Displays the name of the system

Understanding UNIX and Linux Boot Processes

As a computer forensics investigator, you’ll probably need to acquire digital evidence from a UNIX or Linux system that can’t be shut down, such as a Web server or file server, so you must understand UNIX/Linux boot processes to identify potential problems.

Figure 8-12 Inode pointers in the Linux file system

When you power on a UNIX workstation, instruction code stored in firmware on the system’s CPU loads into RAM. This firmware is called memory-resident code because it’s located in ROM. As soon as the memory-resident code is loaded into RAM, the instruction code checks the hardware. Typically, the code first tests all components, such as RAM chips, to verify that they’re available and capable of running. Then it probes the bus, looking for a device containing the boot program, such as a hard disk, floppy disk, or CD. When it locates the boot device, it starts reading the boot program into memory. The boot program, in turn, reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel.
The kernel’s first task is to identify all devices. It then configures the identified devices and starts the system and associated processes. After the kernel becomes operational, the system is usually booted to single-user mode, in which only one user can log on. Single-user mode is usually an optional feature that allows users to access other modes, such as maintenance mode. If a user bypasses single-user mode, the kernel runs system startup scripts that are specific to the workstation and then runs in multiuser mode. Users can then log on to the workstation.

As the kernel finishes loading, it identifies the root directory, the system swap file, and dump files. It also sets the hostname and time zone, runs consistency checks on the file system, mounts all partitions, starts network service daemons, sets up the NIC, and establishes user and system accounting and quotas. Review the documentation for the UNIX system you’re examining for more information on the boot process.

Understanding Linux Loader and GRUB

Linux Loader (LILO) is an older Linux utility that initiates the boot process, which usually runs from the disk’s MBR. LILO is a boot manager that allows you to start Linux or other OSs, including Windows. If a system has two or more OSs on different disk partitions, LILO can be set up to start any of them. For example, you might have Windows 2000 on one partition and Linux on another. When you turn on the computer, LILO displays a list of available OSs and asks which one you want to load. LILO uses a configuration file named Lilo.conf in the /etc directory. This file is a script containing the location of the boot device, the kernel image file (such as Vmlinuz), and a delay timer that specifies how much time you have to select the OS you want to use.

Grand Unified Boot Loader (GRUB) is more powerful than LILO. It, too, resides in the MBR and enables you to load a variety of OSs.
GRUB can load any kernel to a partition easily. Erich Boleyn created GRUB in 1995 to deal with multiboot processes and a variety of OSs. It works from the command line or can be menu driven. For more details, see www.gnu.org/software/grub/manual.

Understanding UNIX and Linux Drives and Partition Schemes

Drives and partitions are viewed in UNIX/Linux much differently than in MS-DOS and Windows. For example, in Windows XP, the primary master disk containing the first boot partition is typically listed as the C drive. In UNIX and Linux, disks and partitions are labeled as paths, with each path starting at the root directory, designated with the / symbol.

In IDE drives, the primary master disk is defined as /dev/hda. The first partition on the primary master disk is defined as /dev/hda1; this device is equivalent to drive C in Windows or MS-DOS. If other partitions are located on the primary master disk, their number values are incremented; for example, the second partition on the primary master disk is /dev/hda2. If a disk has a third partition, it’s /dev/hda3, and so on. A drive connected to the primary slave controller is defined as /dev/hdb. If a drive is connected to the secondary master controller, it’s listed as /dev/hdc, and the drive connected to the slave controller is /dev/hdd. Any additional controllers and drives are incremented alphabetically. For example, if a drive is mounted to a third additional controller, it’s listed as /dev/hde, and so on.

If a SCSI controller is installed on a UNIX or Linux workstation, its designation is similar to that of IDE drives and partitions. The first drive connected to the SCSI controller is defined as /dev/sda and its first partition as /dev/sda1. Any additional partitions are incremented by one; for example, the second partition on a SCSI drive is /dev/sda2. Linux treats SATA, USB, and FireWire devices the same way as SCSI devices.
These plug-and-play devices have the same naming scheme as SCSI drives—/dev/sdb or /dev/sdc—and the partition numbers follow the same sequence as IDE drives.

Examining UNIX and Linux Disk Structures

Several commercial and freeware tools are available for analyzing UNIX and Linux file systems. Most commercial computer forensics tools, such as ASR SMART, X-Ways Forensics, Guidance Software EnCase, AccessData FTK, and ProDiscover Forensic Edition, can analyze UNIX UFS and UFS2 and Linux Ext2, Ext3, ReiserFS, and Reiser4 file systems. (ProDiscover Basic and Windows editions can analyze only FAT and NTFS file systems.) Freeware tools include Sleuth Kit and its Web browser interface, Autopsy Browser, maintained by Brian Carrier (see www.sleuthkit.org). Sleuth Kit, previously called TASK, is partially based on the TCT toolset by Dan Farmer and Wietse Venema and designed as a network analysis tool for investigating attackers.

The U.S. Air Force Office of Special Investigations and the Center for Information Systems Security Studies and Research developed another specialized freeware tool called Foremost (see http://foremost.sourceforge.net). Foremost is a carving tool that can read many image file formats, such as raw and Expert Witness. Foremost has a configuration file, foremost.conf, listing the most common file headers, footers, and data structures. If a file format isn’t included in the configuration file, it can be added by using a hex editor to determine the new format’s header and footer values and a text editor to update foremost.conf. Foremost.conf is typically in the /usr/local/etc directory and contains instructions on updating it. If your installation is different, read the makefile script in the Foremost tarball to see how the current version is installed. A tarball is a data file containing one or more files or whole directories and their contents.
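To make the header/footer carving that Foremost performs concrete, here is an added example (not Foremost’s code) that reads rules written in the foremost.conf layout the text describes (extension, case-sensitivity flag, maximum size, header, footer) and carves matching files out of a raw image. The configuration lines, the disk image and the size limits are constructed for this example; when no footer is found within the size limit, the carver keeps up to that limit, which is this example’s own choice.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "ext case_sensitive max_size header footer")

# Constructed rules in the foremost.conf layout. The JPEG and GIF89a
# signatures are the real magic values for those formats; the size limits
# are made up for this example.
CONFIG_TEXT = r"""
# extension  case_sensitive  max_size  header                     footer
jpg          y               20000     \xff\xd8\xff\xe0\x00\x10   \xff\xd9
gif          y               20000     \x47\x49\x46\x38\x39\x61   \x00\x3b
"""


def decode_pattern(token: str) -> bytes:
    """Turn a pattern written as \\xNN escapes and/or literal characters
    (for example \\xff\\xd8 or GIF89a) into the bytes to search for."""
    out = bytearray()
    i = 0
    while i < len(token):
        if token.startswith("\\x", i) and i + 4 <= len(token):
            out.append(int(token[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(token[i]))
            i += 1
    return bytes(out)


def parse_config(text: str) -> list:
    """Parse foremost.conf-style lines into Rule tuples; '#' lines and blank
    lines are ignored, and a missing footer means 'carve up to max_size'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("rule needs extension, case flag, size, header: %r" % line)
        ext, case_flag, max_size, header = parts[:4]
        footer = decode_pattern(parts[4]) if len(parts) > 4 else None
        rules.append(Rule(ext, case_flag.lower() == "y", int(max_size),
                          decode_pattern(header), footer))
    return rules


def carve(image: bytes, rules: list) -> list:
    """Return (ext, offset, length, data) for every header hit, in offset
    order. Each carved region ends at the first footer found after the header
    within max_size bytes, or at max_size (or end of image) if none is found."""
    hits = []
    for r in rules:
        # Case-insensitive rules compare on a lowercased copy; offsets are
        # unchanged because lower() never alters the length of a bytes object.
        hay = image if r.case_sensitive else image.lower()
        header = r.header if r.case_sensitive else r.header.lower()
        footer = None
        if r.footer is not None:
            footer = r.footer if r.case_sensitive else r.footer.lower()
        pos = hay.find(header)
        while pos != -1:
            limit = min(len(image), pos + r.max_size)
            end = limit
            if footer is not None:
                f = hay.find(footer, pos + len(header), limit)
                if f != -1:
                    end = f + len(footer)
            hits.append((r.ext, pos, end - pos, image[pos:end]))
            pos = hay.find(header, end)  # resume after the carved region
    return sorted(hits, key=lambda h: h[1])


# Constructed raw image: zero padding around a complete JPEG-like object, a
# complete GIF-like object, and a JPEG header whose footer is missing.
PAD = b"\x00" * 16
JPG = b"\xff\xd8\xff\xe0\x00\x10" + b"JFIF-body-bytes" + b"\xff\xd9"
GIF = b"GIF89a" + b"gif-body" + b"\x00\x3b"
ORPHAN = b"\xff\xd8\xff\xe0\x00\x10" + b"truncated"
IMAGE = PAD + JPG + PAD + GIF + PAD + ORPHAN

if __name__ == "__main__":
    for ext, off, length, _ in carve(IMAGE, parse_config(CONFIG_TEXT)):
        print("%s at offset %d, %d bytes" % (ext, off, length))
```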
Installing Sleuth Kit and Autopsy

To begin using Sleuth Kit and Autopsy, you need to install them on a UNIX system, such as Linux, FreeBSD, or Macintosh OS X. Installing Sleuth Kit and Autopsy requires downloading and installing the most recent updates of these tools. You can find current and past versions of Sleuth Kit at www.sleuthkit.org/sleuthkit/download.php and Autopsy Browser at www.sleuthkit.org/autopsy/download.php. Older RPM versions of Sleuth Kit and Autopsy are available at Web sites listed on Sleuth Kit’s main page. The Red Hat Package Manager (RPM) utility makes installing these tools on Red Hat and Fedora Linux much easier. Several other Linux distributions have tools for installing RPM packages. Check their documentation to see how they handle RPM packages.

For the latest versions of Sleuth Kit and Autopsy Browser, download the most current source code from www.sleuthkit.org. The source code for these two tools is packaged into tarballs, which contain installation scripts you run from a terminal window with root privileges. After you have downloaded and extracted the source code and related files, read the README or INSTALL file for instructions explaining how to run the make command to complete the installation. The make command in the latest Sleuth Kit and Autopsy tarballs tests, compiles, and installs each tool. If your Linux distribution is missing any special libraries used by these tools, the make command displays error messages listing the missing components. Correcting the installation errors can be challenging if you lack skills in UNIX/Linux administration. Sleuth Kit must be installed before Autopsy Browser, or Autopsy isn’t installed correctly.

To run Sleuth Kit and Autopsy Browser, you need to have root privileges. To start Autopsy, follow these steps:

1. If necessary, start your Linux computer and open a terminal window.
2. Change the default location to the Autopsy Browser directory. For example, if you installed Autopsy Browser in /usr/local/autopsy-2.08, type cd /usr/local/autopsy-2.08 and press Enter.
3. At the prompt, type su and press Enter. At the password prompt, enter the root password and press Enter. If you’re running Autopsy Browser on a Macintosh or in some Linux distributions, such as Ubuntu, you might not need to switch to superuser. If you don’t, make sure you preface all commands with “sudo.”
4. To start Autopsy, type ./autopsy and press Enter. Figure 8-13 shows the results of this command.
5. Right-click the URL http://localhost:9999/autopsy, as indicated in the terminal window, and then click Copy. When copying the Autopsy URL from the terminal window, don’t use the Ctrl+C shortcut. This shortcut terminates the privileged URL link needed to run Sleuth Kit from your Web browser.
6. Start your Web browser. Select the current URL in the Address text box, right-click the URL, click Paste to insert the Autopsy URL, and then press Enter. Figure 8-14 shows the Autopsy main window.

Figure 8-13 Starting Autopsy from a Linux terminal window

Figure 8-14 The Autopsy main window

If you see a warning message at the top stating that JavaScript is enabled, you have to reconfigure your browser to disable it. After reconfiguring the browser, you might have to exit and restart. If the Autopsy terminal session is still running, simply paste the Autopsy URL into the Address text box again.

7. Leave your Web browser open for the next activity.

Examining a Case with Sleuth Kit and Autopsy

In this section, you learn how to use Sleuth Kit and Autopsy Browser to analyze a Linux Ext2 and Ext3 file system. If you closed your Web browser with Autopsy, restart it.
Before starting the examination with Sleuth Kit and Autopsy, copy the GCFI-LX.00n (with n representing a number from 1 to 5) image files from your work folder to the evidence locker, which is the folder designated as the working area for Autopsy when it was installed. Autopsy uses the evidence locker to save results from examinations. If you don’t recall the evidence locker path, navigate to the Autopsy installation folder, open the conf.pl file, and look for the $LOCKDIR parameter to see the current path setting. If you want to change the evidence locker location, update the $LOCKDIR parameter with single quotation marks at the beginning and end of the new path.

The following steps use Sleuth Kit 2.07 and Autopsy Browser 2.08. If you’re using different versions, your screens and output might be different from what’s shown in this activity. To start the examination of an acquired image of a Linux disk, follow these steps:

1. In Autopsy’s main window, click the New Case button. When the Create A New Case dialog box opens, enter the investigation data, using Figure 8-15 as a guide, and then click the New Case button to continue.
2. In the Creating Case dialog box, click Add Host to continue.
3. In the Add A New Host dialog box, enter your information, using Figure 8-16 as a guide, and then click Add Host.
4. In the Adding Host dialog box, click Add Image to continue.
5. In the Open Image dialog box, click Add Image File.
6. In the Add A New Image dialog box, type the complete path to the evidence locker in the Location text box, click the Partition and Move option buttons, and then click Next. (Remember that UNIX/Linux commands are case sensitive. If you enter a lowercase filename and the filename is uppercase, Autopsy can’t find and load the file.)
If you have multiple segment volumes that are sequentially numbered or lettered (the dd command with the split option without the -d switch), use an asterisk as the extension (for example, GCFI-LX.*) so that all segments are read sequentially.

Figure 8-15 The Create A New Case dialog box

Figure 8-16 The Add A New Host dialog box

7. In the Split Image Confirmation dialog box, verify that all images are correctly loaded; if they are, click Next. If not, click Cancel. (If this data is incorrect, it’s probably caused by an error in the pathname to the evidence locker or image files.)

If you didn’t click Partition in Step 6, the image is read as raw data, and file and directory structures aren’t visible to Autopsy.

8. In the Image File and File System Detail dialog box, click the Calculate the hash value for this image option button, and then click Add. In the Calculating MD5 message box, click OK.
9. In the Select a volume to analyze or add a new image file dialog box, click Keyword Search to initiate a search for keywords of interest to the investigation.
10. In the Keyword Search dialog box, type the name martha in the text box, as shown in Figure 8-17, and then click Search.

Figure 8-17 The Keyword Search dialog box

11. When the search is finished, Autopsy displays a summary of the search results (see Figure 8-18). To see detailed search results, click the link to the results at the upper left.
12. Examine the search results by scrolling through the left pane, and then click the Fragment 236019 “Ascii” link to view details of the search. Repeat this examination by clicking other ASCII and Hex links for the remaining hits. When you’re finished examining the search hits, close the Searching for ASCII and Searching for Unicode dialog box to return to the Select a volume to analyze or add a new image file box. Leave this program open for the next activity.
Figure 8-18 Summary of search results

Fragment hits can be exported as a text file for reports by clicking the Export Content button. You can also add notes to each fragment hit by clicking the Add Note button.

Next, you learn how to use the File Activity Time Lines function, which is useful for identifying what files were active at a specific time. This function displays files that might have been corrupted or accessed so that you can examine them further. Follow these steps to see how this function works:

1. To analyze the timelines of the evidence, you need to navigate back to the Select a volume to analyze or add a new image file dialog box, shown in Figure 8-19.
2. Click the File Activity Time Lines button.
3. In the File Activity Time Lines dialog box, click Create Data File. In the Create Data File dialog box, click the /1/ gcfi-lx.001-0-0 ext check box, type GCFI-LX-body for the name of the output file, and click OK.
4. In the Running fls and Running ils dialog box, click OK.
5. In the next dialog box, click the GCFI-LX-body option button. Enter the starting date, click the Specify option button, and change the date to Dec 1, 2006. Then enter the ending date, click the Specify option button, and change the date to Jan 23, 2007 (see Figure 8-20). Then click OK.

Figure 8-19 The Select a volume to analyze or add a new image file dialog box

For this activity, make sure you use the dates shown in Step 5. If you’re analyzing your own Linux disk image instead of using the image file supplied with this book, use a date range that matches the incident you’re examining.

Figure 8-20 Entering timeline options

6. When the timeline is done, click OK in the notification dialog box to display the timeline results. After reviewing the results, exit Autopsy. You can leave your system running for the Hands-On Projects at the end of the chapter, if you like.
With Sleuth Kit and Autopsy, you can perform additional analysis and produce other output files in subdirectories of the evidence locker. You can then use these files in a narrative report, as explained in Chapter 14.

Understanding Other Disk Structures

This section covers media and hardware devices you might encounter during an investigation, including SCSI, IDE/EIDE, and SATA drives. Although some of these devices were popular in the early days of computing, they have been upgraded to deal with high-end or high-speed devices. You should be familiar with the purpose of each device, its basic operation, and the problems it poses during a forensics investigation.

Examining CD Data Structures

CDs and DVDs are commonly used to store large amounts of data. Many people use CD and DVD burners to transfer digital information from a hard disk to a CD or DVD. As a computer forensics investigator, you might need to retrieve evidence from CDs and DVDs; these optical media store information differently than magnetic media do.

To create a CD, a laser burns flat areas (lands) on the top side of the CD (the side without the label). Lower areas not burned by the laser are called pits. The transitions from lands to pits have the binary value of 1, or on. Where there’s no transition, the location has a binary value of 0, or off. Figure 8-21 shows the basic structure of a CD.

The International Organization for Standardization (ISO) has established standards for CDs, including ISO 9660 for a CD, CD-R, and CD-RW and ISO 13346 for DVDs. ISO 9660 has an extension standard called Joliet, which allows long filenames in Windows 9x, NT, 2000, and XP. Under ISO 13346 for DVDs, the Micro-UDF (M-UDF) function has been added to allow long filenames.

A variety of products have been developed to make CDs more versatile. The writeable CD-R has a dye layer substance that changes when a laser heats it. The heat from the dye causes a change in the CD’s reflective capability.
This change in reflectivity is what alters the values of 1s and 0s. Rewriteable CD-RW disks use a medium that changes appearance depending on the temperature the laser applies. This medium, called a phase change alloy (also known as a Metal PC layer), changes from amorphic (noncrystalline) to crystalline. The amorphic condition is achieved when the laser heats the Metal PC layer to 600° Celsius. When the laser cools it to 200° Celsius, the Metal PC layer becomes crystalline. Each change reflects or deflects light, which signals that a bit is set to 0 or 1.

On the surface of a CD, data is configured into three regions: the lead-in area, the program area, and the lead-out area. The lead-in area contains the table of contents in the subcode Q-channel. Subcode channels are additional data channels that provide start and end markers for tracks, time codes for each frame, the table of contents in the lead-in area, and graphics codes. Up to 99 tracks are available for the table of contents. The lead-in area also synchronizes the CD as it’s spinning. The program area of the CD stores data and, like the lead-in area, has up to 99 tracks available. The lead-out area is the end-of-CD marker for the storage area. Figure 8-22 shows a CD’s logical layout.

Figure 8-21 Physical makeup of a CD

Figure 8-22 Logical layout of a CD

A unit of storage on a CD is called a frame, which includes a synchronized pattern, a control and display symbol, and eight error correction symbols. Each frame contains 24 17-bit symbols, and frames are then combined into blocks that form a sector. A block on a CD is 2352 bytes for music CDs (also called CD-DAs) or 2048 bytes for data CDs. CD players that are 12X or slower use a constant linear velocity (CLV) method for reading discs, usually music CDs. Newer CD players that are 12X or faster read discs with a constant angular velocity (CAV) method.
Unlike CDs, DVD disk file structures use a Universal Disk Format (UDF) called Micro-UDF (M-UDF). For backward compatibility, some DVDs have integrated ISO 9660 to allow compatibility with current OSs. For more information on DVDs, see http://homepage.mac.com/wenguangwang/myhome/udf.html, www.osta.org/dvdcc/articles.htm, and www.osta.org/dvdcc/links.htm.

Examining SCSI Disks

Small computer system interface (SCSI) is an input/output standard protocol device that allows a computer to access devices such as hard drives, tape drives, scanners, CD-ROM drives, and printers. Shugart Systems created SCSI in 1979 to provide a common bus communication device for all computer vendors. As SCSI evolved, it became a standard for PCs, Macintosh, and many UNIX workstations. Older Macintosh systems, such as the Mac SE, shipped with only a SCSI port.

When you examine evidence on a computer system, you need to inventory all connected devices to make sure you collect all possible magnetic media that can help you determine what you need to investigate. During this inventory, you should identify whether the computer uses a SCSI device. If so, determine whether it’s an internal SCSI device, such as a hard drive, or an external device, such as a scanner or tape drive. If the computer is using external media devices, such as a tape drive with tapes, or removable disk drives, such as a Jaz drive, examine the content of these devices as part of your investigation.

Determine whether you have the right SCSI card, cables, adapters, and terminators to examine a suspect’s SCSI drive. You also need the correct software drivers that allow your OS to communicate with a SCSI device. The Advanced SCSI Programming Interface (ASPI) provides several software drivers for communication between the OS and SCSI component. Windows versions from 9x and up have integrated ASPI drivers, which make adding a SCSI card to a Windows workstation easy.
The Windows 98 Config.sys file, for example, contains ASPI drivers for reading a CD from an emergency boot disk or a Windows 98 startup disk. However, to access a SCSI device from MS-DOS, you must configure MS-DOS to install the correct SCSI driver. Most manuals or textbooks covering A+ certification from CompTIA have information on this procedure.

When connecting a SCSI device to your forensic workstation, you might have to change the port number on the hard disk, for example, to make sure duplicate port numbers aren’t assigned to other devices. If you’re using a SCSI UltraWide card, such as the Adaptec 29160, port 7 is usually reserved for the SCSI card. Verifying which ports are used for your SCSI device is a good practice to make sure you’re prepared to examine SCSI drives.

One characteristic of a SCSI device is proper termination. A SCSI terminator is a resistor that’s connected to the end of the SCSI cable or device. Newer SCSI devices typically use an integrated self-terminator. Some newer SCSI cards, such as the Adaptec 29160, self-correct and allow access to a SCSI driver. The device might take several seconds to adjust, however. One problem with older SCSI drives is identifying which jumper group terminates and assigns a port number. Use Internet search engines to find specification sheets with this information for different types of SCSI drives.

Examining IDE/EIDE and SATA Devices

Most forensic disk examinations involve EIDE and SATA drives. You might, however, encounter older IDE drive versions as well as obsolete versions of MFM and RLL drives. Accessing older drives for the purpose of a forensics acquisition can be a challenge because current technology might not be backward compatible. For these older drives, one of the best resources for information is the Internet. You can often search for a drive’s documentation (old and new) by simply using the drive’s model number.
All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE drives use the standard 40-pin ribbon or shielded cable. ATA-66, ATA-100, and ATA-133 can use the newer 40-pin/80-wire cable, which provides considerably faster data transfer rates. A pre-ATA-33 IDE drive might not work correctly or be accessible to your workstation, although PCs are usually backward compatible with older IDE drives. When you must access an older IDE drive, you might need to locate an older Pentium I or 486 PC and rely on your technical skills and those of other experts to investigate the disk.

For more information on ATA drive architecture and future developments, consult the T13 Web site (www.t13.org). T13, a committee of the International Committee for Information Technology Standards (www.incits.org), is the current authority on ATA standards. For SATA drive architecture and future developments, consult the Serial ATA-International Organization Web site (www.sata-io.org). For an overview of most drive standards, see http://kb.iu.edu/data/adlt.html#current.

The CMOS on current PCs uses logical block addressing (LBA) and enhanced cylinder, head, and sector (CHS) configurations. When you connect an ATA-33 or newer drive to a PC, the CMOS identifies the disk’s correct setting automatically, which is convenient when you’re installing hard disks on your workstation. However, this feature can pose problems during an investigation. If you need to make a copy of a pre-ATA-33 256 MB drive, for example, you need its CHS configuration. Suppose you have a spare 4.0 GB drive where you plan to store a copy of the 256 MB drive. When you connect the two drives and power on your workstation, you enter CMOS and manually set it to match the CHS of the 256 MB drive. When you restart your workstation and access CMOS, you find that the CHS setting you changed didn’t take effect. To solve this problem, use a disk-imaging tool, such as NTI SafeBack or Guidance Software EnCase.
These tools force the correct CHS configuration onto the target drive so that you can copy evidence data correctly.

Another solution is obtaining a 486 PC. The CMOS and BIOS in the 486 don’t adjust the CHS of newer ATA drives automatically but do allow you to set the CHS configuration manually. However, one disadvantage of a 486 PC is that the IDE ATA controller doesn’t recognize drives larger than 8.4 GB. If you need to configure the CHS of a drive larger than 8.4 GB manually, you can explore other alternatives. One solution is using an Enhanced Industry Standard Architecture (EISA) card that’s engineered to connect to an IEEE 1394 FireWire device. Several vendors make EIDE drive bays that connect to FireWire devices. Another option with a 486 PC is using an older ISA SCSI card and an A-Card IDE adapter card. A-Card, a Taiwan manufacturer, sells SCSI-to-IDE adapter cards for various SCSI models, including one card designed for UltraWide SCSI that prevents any write accesses to the connected IDE drive. One of many good sources for A-Cards is Microland USA (www.microlandusa.com). For the adapter card that prevents data from being written on a disk, locate the model card AEC7720WP that’s listed with a write-blocker feature. (When you’re searching for these products, enter the product number in a search engine because some might not be listed on the vendor’s main site.) With an EISA FireWire card, a FireWire-to-EIDE interface, or a SCSI card with an IDE A-Card adapter, you can change the CHS configuration manually on any EIDE drive from a 486 PC.

Examining the IDE Host Protected Area

In 1998, T13 created a new standard for ATA drives (ATA/ATAPI-5; ATAPI stands for AT Attachment with Packet Interface). This new standard provides a reserved and protected area of an IDE drive that’s out of view of the OS. This feature is called Protected Area Run Time Interface Extension Service (PARTIES).
Many disk manufacturers also refer to it as host protected area (HPA) in their documentation. Service technicians use this protected area to store data created by diagnostic and restore programs. Using the HPA eliminates the need for a disaster recovery disk. Accessing the HPA might require a password and always requires special commands that can be run only from the computer’s BIOS level. A disk partition utility, such as Fdisk, can’t see a disk’s HPA because it’s accessible only at the BIOS level, not the OS level.

As a computer forensics examiner, you should be familiar with the HPA on newer drives because criminals have used it to hide data related to their illegal activities. One commercial tool for open access to the HPA is X-Ways Replica (see www.x-ways.net/replica.html), a DOS utility that fits on a bootable floppy disk or CD. When a suspect computer is booted and Replica is started, it detects whether the HPA is enabled. If it is, Replica notifies you and asks whether you want to turn it off. If you select yes, Replica makes changes to the BIOS to turn HPA off. It then instructs you to reboot to allow access to the HPA. The HPA is also referred to as a BIOS Engineering Extension Record (BEER) data structure.

Exploring Hidden Partitions

Another trick suspects use to conceal evidence is hiding disk partitions. Older tools, such as Norton DiskEdit, can be used to change the disk partition table so that when the drive is viewed from the operating system, as in Windows Explorer, there’s no indication that the deactivated partition exists. Because the hard disk you’re investigating might have a hidden partition, use imaging tools that can access unpartitioned areas of a drive. Modern computer forensics tools can identify hidden partitions on most drives. This potential problem is covered in more detail in Chapter 9.
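Both the CHS problem described under Examining IDE/EIDE and SATA Devices and the deactivated partitions described above leave traces in the partition table itself. The following added example (not from the textbook or any tool it names) parses a 512-byte MBR in Python, cross-checks each entry’s packed CHS fields against its LBA fields for an assumed 1024/16/32 geometry, lists the sector ranges that no active partition covers, and flags type-0 entries that still carry a start and size; the drive geometry and the partition layout are constructed for illustration.

```python
"""MBR partition-table check (added example): decodes all four primary
entries, cross-checks the packed CHS fields against the LBA fields for a
given geometry, and reports sectors no active partition accounts for.
The 512-byte MBR used here is constructed in memory."""
import struct

SECTOR = 512
HEADS, SPT, CYLS = 16, 32, 1024     # assumed geometry of a constructed 256 MiB drive
DISK_SECTORS = HEADS * SPT * CYLS  # 524288 sectors


def decode_chs(b):
    """Unpack a 3-byte packed CHS field: byte 0 = head, byte 1 = sector
    (bits 0-5) plus cylinder bits 8-9 (bits 6-7), byte 2 = cylinder bits 0-7."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F


def encode_chs(c, h, s):
    """Inverse of decode_chs."""
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])


def chs_to_lba(c, h, s, heads, spt):
    """Standard CHS -> LBA conversion (sector numbers start at 1)."""
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba, heads, spt):
    """LBA -> CHS; saturates to 1023/254/63 when the cylinder does not fit."""
    c, rem = divmod(lba, heads * spt)
    if c > 1023:
        return 1023, 254, 63
    h, s = divmod(rem, spt)
    return c, h, s + 1


def parse_mbr(mbr):
    """Return all four partition entries, including those with type 0."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or signature")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        status, chs_s, ptype, chs_e, lba, size = struct.unpack("<B3sB3sII", raw)
        entries.append({"index": i, "status": status, "type": ptype,
                        "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
                        "lba_start": lba, "sectors": size})
    return entries


def find_gaps(entries, disk_sectors, min_gap=2048):
    """(start, length) of sector runs no non-zero-type entry covers: the
    unpartitioned areas an imaging tool must still capture."""
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"])
                  for e in entries if e["type"] and e["sectors"])
    gaps, cursor = [], 1                # sector 0 is the MBR itself
    for start, end in used:
        if start - cursor >= min_gap:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def zero_type_residue(entries):
    """Indices of type-0 entries that still carry a start or size: zeroing the
    type byte hides a partition from the OS but leaves exactly this trace."""
    return [e["index"] for e in entries
            if e["type"] == 0 and (e["lba_start"] or e["sectors"])]


def chs_mismatches(entries, heads, spt):
    """Indices of entries whose packed CHS start disagrees with the LBA start
    under the given geometry (wrong CMOS geometry or a hand-edited table)."""
    bad = []
    for e in entries:
        c, h, s = e["chs_start"]
        if e["type"] == 0 or (c, h, s) == (1023, 254, 63):
            continue
        if chs_to_lba(c, h, s, heads, spt) != e["lba_start"]:
            bad.append(e["index"])
    return bad


def make_entry(status, ptype, lba_start, sectors, heads=HEADS, spt=SPT):
    """Pack one 16-byte entry with CHS fields derived from the LBA fields."""
    start = encode_chs(*lba_to_chs(lba_start, heads, spt))
    end = encode_chs(*lba_to_chs(lba_start + sectors - 1, heads, spt))
    return struct.pack("<B3sB3sII", status, start, ptype, end, lba_start, sectors)


def build_sample_mbr():
    """Constructed table: two visible FAT16 partitions with a gap between them,
    and a third entry whose type byte was zeroed but still points at the gap."""
    table = (make_entry(0x80, 0x06, 32, 200000)
             + make_entry(0x00, 0x06, 300000, 100000)
             + make_entry(0x00, 0x00, 200032, 99968)
             + bytes(16))
    return bytes(446) + table + b"\x55\xAA"


if __name__ == "__main__":
    ents = parse_mbr(build_sample_mbr())
    print("unallocated runs:", find_gaps(ents, DISK_SECTORS))
    print("zeroed-type entries with data:", zero_type_residue(ents))
    print("CHS/LBA disagreements, drive geometry:", chs_mismatches(ents, HEADS, SPT))
    print("same table read with 255/63 auto-geometry:", chs_mismatches(ents, 255, 63))
```

Reading the same table with the 255-head/63-sector geometry a modern BIOS assumes makes every CHS field disagree with its LBA field, which is the mismatch the text describes when the CMOS ignores a manually set geometry.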
Chapter Summary

■ The Macintosh OS uses the Hierarchical File System (HFS), in which files are stored in directories that can be nested in other directories. The File Manager utility handles reading, writing, and storing data to physical media, collects data to maintain the HFS, and is used to manipulate files, directories, and other items. The Finder utility works with the OS to keep track of files and maintain users’ desktops.

■ In HFS, a file consists of two parts: a data fork and a resource fork. The resource fork contains a resource map and resource header information for each file, window locations, and icons. The data fork contains data the user creates.

■ A volume is any storage medium used to store files. Volumes have allocation blocks and logical blocks. A logical block is a collection of data that can’t exceed 512 bytes. An allocation block is a group of consecutive logical blocks. When you save a file, File Manager assigns the file to an allocation block.

■ HFS files are assigned allocation blocks, which are made up of one or more logical blocks of 512 bytes each. In allocation blocks, a file has a logical EOF that’s the actual end of a file, and the end of allocated blocks is the physical EOF.

■ In older Macintosh OSs, the first two logical blocks on each volume (or disk) are the boot blocks, which contain information about system startup. The boot blocks also contain information about system configuration and can store optional executable code for the system file. Typically, system startup instructions are stored in the HFS system file rather than the boot blocks.

■ To boot a Macintosh with a Macintosh-bootable CD, press and hold the C key when powering on the computer. To boot to a Macintosh-configured FireWire drive, press and hold the T key when powering on the computer.

■ If a write-blocker isn’t available, in Mac OS X 10.3 and later, you can disable write capability with Disk Arbitration.
This feature prevents a drive from being mounted when it’s connected to a computer.

■ The Mac OS X Disk Images utility can be used to mount raw image files so that they can be examined with forensics tools. The raw image file must have a .dmg extension, and any additional segments must have a triple-digit sequential number followed by the .dmgpart extension.

■ UNIX/Linux file systems have four components: boot block, superblock, inode block, and data block. Block sizes can be 512 bytes and up. Typical block sizes are 1024 to 4096 bytes.

■ The Linux Second Extended File System (Ext2fs) uses inodes. Each file’s inode contains information about the file, including its location in the volume, which is called the inode number.

■ The superblock on a Linux system keeps track of the geometry and available space on a disk, along with the list of inodes.

■ Ext3fs is a journaling version of Ext2fs that reduces file recovery time after a crash.

■ The Linux file structure is made up of metadata and data. Metadata includes items such as the user ID (UID), group ID (GID), size, and permissions for each file. An inode contains the modification/access/creation (MAC) times, not a filename. An inode is assigned a number that’s linked with the filename in the directory file. Pairing the inode number with the filename is how Linux keeps track of files and data. The data portion of the Linux file structure contains the file’s contents.

■ CDs and DVDs are optical media used to store large amounts of data. They adhere to standards defined by ISO 9660 and ISO 13346, respectively. A unit of storage is called a frame, which contains 24 17-bit symbols.

■ SCSI connectors are used for a variety of peripheral devices. They pose unique challenges to a forensics investigation, such as finding the correct device drivers and interfaces.

■ IDE/EIDE drives are other physical drives you might run across in investigations.
You need to keep older drives in your lab in case you need to restore items from IDE/EIDE drives.

Key Terms

Advanced SCSI Programming Interface (ASPI)
A component that provides several software drivers for communication between the OS and SCSI component.

allocation blocks
In the Macintosh file system, a group of consecutive logical blocks assembled in a volume when a file is saved.

B*-tree
A Macintosh file that organizes the directory hierarchy and file block mapping for File Manager. Files are represented as nodes (objects); leaf nodes contain the actual file data.

bad block inode
In the Linux file system, the inode that tracks bad sectors on a drive.

Berkeley Software Distribution (BSD) UNIX
A variation of UNIX created at the University of California, Berkeley.

catalog
An area of the Macintosh file system used to maintain the relationships between files and directories on a volume.

clumps
In the Macintosh file system, groups of contiguous allocation blocks used to keep file fragmentation to a minimum.

constant angular velocity (CAV)
The method of reading CDs in CD players that are 12X or faster.

constant linear velocity (CLV)
The method of reading CDs in CD players slower than or equal to 12X.

continuation inode
An inode containing more detailed information, such as the mode and file type, the quantity of links in the file or directory, the file’s or directory’s access control list (ACL), the least and most significant bytes of the ACL UID and GID, and the file or directory status flag.

data fork
The part of a Macintosh file containing the file’s actual data, both user-created data and data written by applications. The data fork also contains the resource map and header information, window locations, and icons, as does the resource fork. See also resource fork.

Disk Arbitration
The Mac OS X feature for disabling and enabling automatic mounting when a drive is connected via a USB or FireWire device.
Disk Images
The format Mac OS X uses for image files (.dmg extension). If the image file has additional segments, these segments must have a .dmgpart extension.

double-indirect pointers
The inode pointers in the second layer or group of an OS. See also inodes.

Extended Format File System (HFS+)
File system used by Mac OS 8.1 and later; the primary difference between HFS and HFS+ is that HFS is limited to 65,536 blocks per volume, and HFS+ raised this number to more than 4 billion. HFS+ supports smaller file sizes on larger volumes, resulting in more efficient disk use.

extents overflow file
A file in HFS and HFS+ that’s used by the catalog to coordinate all file allocations to the volume. File Manager uses this file when the list of a file’s contiguous blocks becomes too long for the catalog. The list’s overflow is placed in the extents overflow file. Any file extents not in the MDB or a VCB are also contained in this file. See also catalog, Master Directory Block (MDB), and Volume Control Block (VCB).

File Manager
A Macintosh utility that handles reading, writing, and storing data to physical media. It also collects data to maintain the HFS and is used to manipulate files, folders, and volumes.

Finder
A Macintosh utility for keeping track of files and maintaining users’ desktops.

GNU General Public License (GPL)
An agreement that defines Linux as open-source software, meaning that anyone can use, change, and distribute the software without owing royalties or licensing fees to another party.

header node
A node that stores information about the B*-tree file. See also B*-tree.

Hierarchical File System (HFS)
The system Mac OS uses to store files, consisting of directories and subdirectories that can be nested.

index node
A B*-tree node that stores link information to the previous and next nodes. See also B*-tree.

indirect pointers
The inode pointers in the first layer or group of an OS. See also inodes.
inodes
A key part of the Linux file system, these information nodes contain descriptive file or directory data, such as UIDs, GIDs, modification times, access times, creation times, and file locations.

International Organization of Standardization (ISO)
An organization set up by the United Nations to ensure compatibility in a variety of fields, including engineering, electricity, and computers. The acronym ISO is the Greek word for “equal.”

leaf nodes
The bottom-level nodes of the B*-tree that contain actual file data in the Macintosh file system. See also B*-tree.

logical blocks
In the Macintosh file system, a collection of data that can’t exceed 512 bytes. Logical blocks are assembled in allocation blocks to store files in a volume.

logical EOF
In the Macintosh file system, the number of bytes in a file containing data.

map node
A B*-tree node that stores a node descriptor and map record. See also B*-tree.

Master Directory Block (MDB)
On older Macintosh systems, the location where all volume information is stored. A copy of the MDB is kept in the next-to-last block on the volume. Called the Volume Information Block (VIB) in HFS+.

Open Firmware
The platform-independent boot firmware Macintosh systems use instead of BIOS firmware to gather information, control boot device selection, and load the OS.

phase change alloy
The Metal PC layer of a CD-RW that changes appearance (from noncrystalline to crystalline) depending on the temperature the laser applies. This medium allows writing to the CD several times.

physical EOF
In the Macintosh file system, the number of allocation blocks assigned to a file.

Red Hat Package Manager (RPM)
A utility that automates installing and uninstalling programs on Red Hat and Fedora Linux distributions.

resource fork
The part of a Macintosh file containing file metadata and application information, such as menus, dialog boxes, icons, executable code, and controls.
The resource fork also contains the resource map and header information, window locations, and icons, as does the data fork. See also data fork.

Second Extended File System (Ext2fs)
The standard Linux file system.

small computer system interface (SCSI)
An input/output standard protocol device that allows a computer to access devices such as hard drives, tape drives, scanners, CD/DVD-ROM drives, and printers.

tarball
A method originally designed to store data on magnetic tapes; the name stands for “tape archive.” This storage method has been used for many years in UNIX computing environments to combine files and directories. In UNIX, BSD, and Linux, tarball files have a .tar extension. The tar command creates an uncompressed continuous file of data. If a tarball file is compressed, another extension is added after .tar, such as .gz or .bz2.

triple-indirect pointers
The inode pointers in the third layer or group of an OS. See also inodes.

Volume Bitmap
A Macintosh application used to track blocks that are in use and blocks that are available.

Volume Control Block (VCB)
An area of the Macintosh file system that contains information from the MDB and is used by File Manager. See also Master Directory Block (MDB).

Review Questions

1. Explain the differences in resource and data forks in Mac OS 9 and earlier.

2. In Mac OS 9, which of the following is a function of B*-tree nodes? (Choose all that apply.)
   a. The header node stores information about the B*-tree file.
   b. The index node stores link information to the previous and next nodes.
   c. The map node stores a node descriptor and a map record.
   d. The file node stores file metadata.

3. In Mac OS 9 and earlier, storage media are referred to as which of the following?
   a. Segmented blocks
   b. Disks
   c. Inodes
   d. Volumes

4. How does Mac OS 9 reduce disk fragmentation?
   a. Clumps are used to group contiguous allocated blocks.
   b. The MDB is reconfigured by File Manager.
   c. Data is written to the extents overflow file.
   d. Disk Arbitration is used to reorganize data on the volume.

5. What are the boot firmware utilities older Power PC and newer Intel Macintosh computers use? (Choose all that apply.)
   a. Bootstrap code
   b. Open Firmware
   c. Runtime application binaries
   d. Extensible Firmware Interface (EFI)

6. What do you need to do to a raw image file so that Mac OS X sees it and its segments as a virtual disk?

7. How do you mount a .dmg file in Mac OS X?

8. What are the differences in General Public License and BSD agreements for open-source use?

9. What are the differences between the Linux Ext2 and Ext3 file systems?

10. List three pieces of information found in metadata in the Linux file system.

11. How do inodes keep track of a file’s name and data?

12. In UNIX OSs, drives, monitors, and NICs are treated as which of the following?
   a. Objects
   b. Tar devices
   c. Files
   d. Mount devices

13. What are the four components of the UNIX file system?

14. Only one copy of the superblock is kept. True or False?

15. What does the superblock in Linux define? (Choose all that apply.)
   a. File system names
   b. Disk geometry
   c. Location of the first inode
   d. Available space

16. In the UNIX file system, where are directories and files stored?
   a. Superblocks
   b. Data blocks
   c. Inode blocks
   d. Boot blocks

17. The bad block inode can be used to hide data. True or False?

18. The first inode assigned to a file in Linux has 13 pointers that link to which of the following? (Choose all that apply.)
   a. Data blocks
   b. B*-tree nodes
   c. Other pointers where files are stored
   d. Extents overflow file

19. Disk manufacturers use the host protected area for which of the following?
   a. Storing disaster recovery data
   b. Storing BIOS settings
   c. Storing data created by diagnostic and restore programs
   d. Storing OS information

20. What are the ISO standards for CDs, CD-RWs, and DVDs?
Hands-On Projects

If necessary, extract all data files in the Chap08\Projects folder on the book’s DVD to the Work\Chap08\Projects folder on your system. (You might need to create this folder on your system before starting the projects; it’s referred to as “your work folder” in steps.)

Hands-On Project 8-1

In this project, you perform an OS X file system analysis to become familiar with the functions and tools available in BlackBag Technologies Macintosh Forensic Software. You need the following:

• Macintosh G4 or newer running OS X 10.2 or later with 4 GB storage space on the internal drive or an attached work drive to store the analysis output
• BlackBag Technologies demo or licensed version

To prepare for this project, do the following:

1. Make sure the following files have been extracted to your work folder: GCFI-OSX.001 through GCFI-OSX.007.

2. Rename each GCFI-OSX image file in the Macintosh Disk Image format with .dmg and .dmgpart extensions. BlackBag requires the first segment volume to have the segment filename followed by the .dmg extension. All other segmented volumes must have a sequential three-digit extension followed by the .dmgpart extension. In addition, the second segmented file must be .002.dmgpart, not .001.dmgpart. The following chart shows an example of correct renaming:

   Uncompressed image files    Macintosh Disk Image name
   GCFI-OSX.001                GCFI-OSX.dmg
   GCFI-OSX.002                GCFI-OSX.002.dmgpart
   GCFI-OSX.003                GCFI-OSX.003.dmgpart
   GCFI-OSX.004                GCFI-OSX.004.dmgpart

3. Start Finder, and locate and double-click the first file, GCFI-OSX.dmg (previously GCFI-OSX.001), to mount the disk image.

Now follow these steps for the partition mapping data on this OS X drive:

1. Start BlackBag from Macintosh Finder and click OK in the Welcome window.

2. To determine what partitions are on this image of an OS X system, click PDISKInfo on the BlackBag Forensic Suite ToolBar.

3. In the PDISKInfo window, click the Suspect Device list arrow, and then click the .dmg file drive you mounted.

   Determining which drive is the .dmg image can be a problem. The Suspect Device list box also displays all connected drives, including the system drive (typically /dev/disk0) and any other drives connected or mounted previously, such as FireWire and USB drives. These additional drives are listed as /dev/disk1, /dev/disk2, and so on. If you have only the main operating drive connected, the .dmg drive is most likely /dev/disk1. If you connected one USB drive before mounting the .dmg drive, the USB drive would be /dev/disk1 and the .dmg drive would be /dev/disk2. Because this tool is read only, you won’t harm anything if you access the wrong drive, however.

4. Click the Partition Map button to see partition information for the suspect drive. When the Authentication window opens, type the root password for your Macintosh system.

5. Next, save the PDISKInfo output by clicking Save Report. In the Save As text box, type GCFI-OSX-partrpt.txt, and then click Save. In the Where drop-down list box, click the folder where you want to save it. If the Report Saved dialog box opens, click OK. When you’re finished, exit PDISKInfo.

6. Repeat these steps, clicking the PMAPInfo and IORegInfo buttons on the BlackBag Forensic Suite ToolBar, and save the report each utility creates. For the IORegInfo utility, click All Information.

Continue the analysis of this drive to learn how the DirectoryScan, FileSearcher, and VolumeExplorer utilities work. When you have finished, write a short paper describing the results of each function. You can leave BlackBag running for the next project.

Hands-On Project 8-2

In this project, you test other features of BlackBag and document your findings to learn more about BlackBag’s evidence extraction capabilities.
You need the following:

• Macintosh G4 or newer running OS X 10.2 or later with a 4 GB storage space on the internal drive or an attached work drive to store the analysis output
• BlackBag Technologies demo or licensed version
• The image files you used in Hands-On Project 8-1

Your report on these functions, which should be three to four pages, should include all items listed on the BlackBag Forensic Suite ToolBar.

Hands-On Project 8-3

On the Internet or in your library, research why Apple decided to change to the BSD UNIX format for its file structure. Write a one- to two-page paper on the reasons for the change and the pros and cons of this decision.

Hands-On Project 8-4

The purpose of this project is to become more familiar with Sleuth Kit and Autopsy. The best way to learn a tool, especially one that isn’t well documented, is to explore its functions. You’re encouraged to work in teams for this project and share your findings with other students. For this project, you convert the image file GCFI-datacarve-FAT.eve from Chapter 4 to a raw dd image by using ProDiscover Basic, and then analyze it with Sleuth Kit and Autopsy. You need the following:

• A PC running Windows with ProDiscover Basic installed
• A Linux or UNIX system with Sleuth Kit and Autopsy installed
• Disk storage of at least 200 MB to convert the .eve file to a dd file
• Instructions on using the computer forensics tools in this chapter and Chapters 2 and 4

Follow these steps:

1. Start ProDiscover Basic with the Run as administrator option. To convert the GCFI-datacarve-FAT.eve file to GCFI-datacarve-FAT.dd on a PC, click Tools, Image Conversion Tools from the menu and then click Convert ProDiscover Image to ‘DD’. In the Convert ProDiscover Image to ‘DD’ Image dialog box, click the Browse button, navigate to and click the location in your work folder where you saved GCFI-datacarve-FAT.eve, and then click OK. Exit ProDiscover Basic.

2. Copy the converted file to a Linux or UNIX system with Sleuth Kit and Autopsy installed. Start Sleuth Kit and Autopsy, as you did earlier in this chapter. In the main window, click New Case. In the Create A New Case dialog box, fill in your information (using GCFI-datacarve-FAT for the case name), and then click New Case.

3. In the Creating Case dialog box, click Add Host, and in the Add A New Host dialog box, enter your information, and click Add Host.

4. In the Adding Host dialog box, click Add Image to continue. In the Open Image dialog box, click Add Image File. In the Add A New Image dialog box, type the full pathname and the GCFI-datacarve-FAT.dd image filename in the Location text box, click the Partition option button, click the Copy option button for the import method, and then click Next.

5. In the Image File and File System Detail dialog box, click Add, and in the Test Partition dialog box, click OK. In the Select a volume to analyze or add a new image file dialog box, click the Analyze button.

6. In the Analysis dialog box, click File Analysis, and then click Generate MD5 List of Files. In the MD5 results window, save the list as GCFI-datacarve-FAT-MD5.txt in your work folder, and close the MD5 results window.

7. Next, in the Analysis dialog box, click File Type, click Sort Files by Type, and then click OK. When the analysis is finished, print the Results Summary frame of the Web page.

8. Click Image Details, and in the General File System Details dialog box, print the frame containing the results.

9. Write a report describing the information each function asks for and what information it produces so that you can begin building your own user manual for this tool. Leave Sleuth Kit and Autopsy running for the next project.

Hands-On Project 8-5

This project is a continuation of Hands-On Project 8-4, using Sleuth Kit and Autopsy. First, convert the image files C2Prj01.eve and C2Prj04.eve from Chapter 2 to raw dd images in ProDiscover Basic.
Second, use Sleuth Kit and Autopsy to perform the same tasks described in Hands-On Project 8-4 for these two image files. When examining these image files, compare the results with your findings in Hands-On Project 8-4, and write a brief report on any similarities or differences to continue adding to your user manual.

Case Projects

Case Project 8-1

You receive a computer system from the officer who tagged and bagged the evidence at a crime scene in a suspect’s home. You examine the computer and discover that it uses a SCSI drive on a Windows system. How will you continue the investigation? Write a one-page outline of your options for accessing the SCSI drive and list any additional computer components (including vendors, model numbers, and prices) that might be needed to examine this drive.

Case Project 8-2

You have been asked to review documentation for Sleuth Kit and determine whether the new acquisition format AFF would be practical to use. Your manager instructs you to review the documents at www.sleuthkit.org/informer/ for any references to AFF, review the Informer documentation, and search the Web to see what information is available on this acquisition format and what computer forensics tools can read it. Your report should be no longer than two pages.

Case Project 8-3

Search the Internet for tools that allow Linux to mount and perform read and write access to an NTFS-formatted drive. The report should list available drivers that can be downloaded and installed with any Linux distribution. The report should be no more than two pages. (Hint: See www.linux-ntfs.org or http://sourceforge.net/projects/linux-ntfs/ to start your research.)
Chapter 9

Computer Forensics Analysis and Validation

After reading this chapter and completing the exercises, you will be able to:

• Determine what data to analyze in a computer forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote acquisition

This chapter explains how to apply your computer forensics skills and techniques to a computing investigation. One of the most critical functions is validating evidence during the analysis process. In Chapter 4, you learned how data acquisitions are validated for Windows and Linux file systems; in Chapter 5, you were introduced to hashing algorithms; and in Chapter 7, you learned about validating forensics software tools. In this chapter, you learn more about using hashing algorithms in forensics analysis to validate data. You also learn how to refine and modify an investigation plan, use data analysis tools and practices to process digital evidence, determine whether data-hiding techniques have been used, and learn methods for performing a remote acquisition.

Determining What Data to Collect and Analyze

Examining and analyzing digital evidence depend on the nature of the investigation and the amount of data to process. Criminal investigations are limited to finding data defined in the search warrant, and civil investigations are often limited by court orders for discovery. Corporate investigators might be searching for company policy violations that require examining only specific items, such as e-mail. Therefore, investigations often involve locating and recovering a few specific items, which simplifies and speeds processing. In the corporate environment, however, especially if litigation is involved, the company attorney often directs the investigator to recover as much information as possible. Satisfying this demand becomes a major undertaking with many hours of tedious work.
These types of investigations can also result in scope creep, in which an investigation expands beyond the original description because of unexpected evidence you find, prompting the attorney to ask you to examine other areas to recover more evidence. Scope creep increases the time and resources needed to extract, analyze, and present evidence. Be sure to document any requests for additional investigation, in case you must explain why the investigation took longer than planned, why the scope widened during the course of the investigation, and so forth.

One reason scope creep has become more common is that criminal investigations increasingly require more detailed examination of evidence just before trial to help prosecutors fend off attacks from defense attorneys. Because defense attorneys typically have the right of full discovery of digital evidence used against their clients, it’s possible for new evidence to come to light while complying with the defense request for full discovery. However, this new evidence often isn’t revealed to the prosecution; instead, the defense uses it to defend the accused. For this reason, it’s become more important for prosecution teams to ensure that they have analyzed the evidence exhaustively before trial. (It should be noted that the defense request for full discovery applies only to criminal cases in the United States; civil cases are handled differently.)

Approaching Computer Forensics Cases

Recall from Chapter 2 that you begin a computer forensics case by creating an investigation plan that defines the investigation’s goal and scope, the materials needed, and the tasks to perform. Although there are some basic principles that apply to almost all computer forensics cases, the approach you take depends largely on the specific type of case you’re investigating. For example, gathering evidence for an e-mail harassment case might involve little more than accessing network logs and e-mail server backups to locate specific messages.
Your approach, however, depends on whether it’s an internal corporate investigation or a civil or criminal investigation carried out by law enforcement. In an internal investigation, evidence collection tends to be fairly easy and straightforward because corporate investigators usually have ready access to the necessary records and files. In contrast, when investigating a criminal cyberstalking case, you need to contact the ISP and e-mail service. Some companies, such as AOL, have a system set up to handle these situations, but others do not. Many companies don’t keep e-mail for longer than 90 days, and some keep it only two weeks.

An employee suspected of industrial espionage can require the most work. You might need to set up a small camera to monitor his or her physical activities in the office. You might also need to plant a software or hardware keylogger (for capturing a suspect’s keystrokes remotely), and you need to engage the network administrator’s services to monitor Internet and network activities. In this situation, you might want to do a remote acquisition of the employee’s drive, and then use another tool to determine what peripheral devices have been accessed.

For more information on basic processes and recommendations, refer to Chapter 3 for guidelines on setting up a forensic workstation.

As a standard practice, you should follow these basic steps for all computer forensics investigations:

1. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses. For example, use ProDiscover Secure Wipe Disk, Digital Intelligence PDWipe, or WhiteCanyon SecureClean to clean all data from the target drive you plan to use.
2. Inventory the hardware on the suspect’s computer and note the condition of the computer when seized. Document all physical hardware components as part of your evidence acquisition process.
3. For static acquisitions, remove the original drive from the computer, if practical, and then check the date and time values in the system’s CMOS.
4. Record how you acquired data from the suspect drive—note, for example, that you created a bit-stream image and which tool you used. The tool you use should also create an MD5 or SHA-1 or better hash for validating the image.
5. When examining the image of the drive’s contents, process the data methodically and logically.
6. List all folders and files on the image or drive. For example, FTK can generate a Microsoft Access database listing all files and folders on a suspect drive. Note where specific evidence is found, and indicate how it’s related to the investigation.
7. If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition. The exception is for civil cases, in which you look for only specific items in the investigation.
8. For all password-protected files that might be related to the investigation, make your best effort to recover file contents. You can use password recovery tools for this purpose, such as AccessData Password Recovery Toolkit (PRTK), NTI Password Recovery, or Passware Kit Enterprise.
9. Identify the function of every executable (binary or .exe) file that doesn’t match known hash values. Make note of any system files or folders, such as the System32 folder or its content, that are out of place. If you can’t find information on an executable file by using a disk editor, examine the file to see what it does and how it works.
10. Maintain control of all evidence and findings, and document everything as you progress through your examination.

Refining and Modifying the Investigation Plan

In civil and criminal cases, the scope is often defined by search warrants or subpoenas, which specify what data you can recover.
However, private sector cases, such as employee abuse investigations, might not specify limitations in recovering data. For these cases, it’s important to refine the investigation plan as much as possible by trying to determine what the case requires. Generally, you want the investigation to be broad enough to encompass all relevant evidence, yet not so wide-ranging that you waste time and resources analyzing data that’s not going to help your case. Of course, even if your initial plan is sound, at times you’ll find that you need to deviate from the plan and follow where the evidence leads you. Even in these cases, having a plan that you deliberately revise along the way is much better than searching for evidence haphazardly.

Suppose, for example, an employee is accused of operating an Internet-based side business using company resources during normal business hours. You use this timeframe to narrow the set of data you’re searching, and because you’re looking for unauthorized Internet use, you focus the search on temporary Internet files, Internet history, and e-mail communication. Knowing the types of data you’re looking for at the outset helps you make the best use of your time and prevents you from casting too wide a net. However, in the course of reviewing e-mails related to the case, you might find references to spreadsheets or Word documents containing financial information related to the side business. In this case, it makes sense to broaden the range of data you’re looking for to include these types of files. Again, the key is to start with a plan but remain flexible in the face of new evidence.

Using AccessData Forensic Toolkit to Analyze Data

So far, you have used several different features of FTK; this section goes into more detail on its search and report functions.
FTK can perform forensics analysis on the following file systems:

• Microsoft FAT12, FAT16, and FAT32
• Microsoft NTFS (for Windows NT, 2000, XP, and Vista)
• Linux Ext2fs and Ext3fs

FTK can analyze data from several sources, including image files from other vendors. It can also read entire evidence drives or subsets of data, allowing you to consolidate large volumes of data from many sources when conducting a computer forensics analysis. With FTK, you can store everything from image files to recovered server folders on one investigation drive.

FTK also produces a case log file, where you can maintain a detailed record of all activities during your examination, such as keyword searches and data extractions. This log is also handy for reporting errors to AccessData. At times, however, you might not want the log feature turned on. If you’re following a hunch, for example, but aren’t sure the evidence you recover is applicable to the investigation, you might not want opposing counsel to see a record of this information because he or she could use it to question your methods and perhaps discredit your testimony. (Chapter 15 covers testimony issues in more detail.) Look through the evidence first before enabling the log feature to record searches. This approach isn’t meant to conceal evidence; it’s a precaution to ensure that your testimony can be used in court.

FTK has two options for searching for keywords. One option is an indexed search, which catalogs all words on the evidence drive so that FTK can find them quickly. This option returns search results quickly, although it does have some shortcomings. For example, you can’t search for hexadecimal string values, and depending on how data is stored on the evidence drive, indexing might not catalog every word. If you do use this feature, keep in mind that indexing an image file can take several hours, so it’s best to run this process overnight.
The other option is a live search, which can locate items such as text hidden in unallocated space that might not turn up in an indexed search. You can also search for alphanumeric and hexadecimal values on the evidence drive and search for specific items, such as phone numbers, credit card numbers, and Social Security numbers. Figure 9-1 shows the hits found during a live search of an image of a suspected arsonist’s laptop. You can right-click a search hit to add it to your bookmarks, which includes the result in your final report.

Figure 9-1 Viewing live search results in FTK

In addition to indexed and live searches, FTK has several advanced searching techniques, such as stemming, which enables you to look for words with extensions such as “ing,” “ed,” and so forth. You can search for similar-sounding words (homonyms, called “Phonics” in FTK), synonyms, and fuzzy representations (words that are close but not exact matches). In an FTK query, a fuzzy search for “raise” would also find “raize,” for example. In the Indexed Search tab, you can also look for files that were accessed or changed during a certain time period. Simply click the Options button to open the Search Options dialog box, and use the settings shown in Figure 9-2. During data processing, FTK also opens compressed files, including Microsoft cabinet (.cab) files, Microsoft personal e-mail folders (.pst or .ost), and .zip files. FTK indexes any compressed files it can open.

Figure 9-2 Selecting search options in FTK

To generate reports with the FTK Report Wizard, first you need to bookmark files during an examination. FTK and other computer forensics programs use bookmarks to tag and document digital evidence. To tag an item, simply right-click it in the search results and click Bookmark. You can also select an item, click Tools, Add to Bookmark from the menu, fill in a descriptive name for the bookmark (see Figure 9-3), and click OK.
After you have bookmarked data to include in a report, FTK integrates these selected items into an HTML document that you can view in a browser. Each bookmark appears as a hyperlink. You can also use the FTK Report Wizard to insert external files, such as a Word document or an Excel spreadsheet, into the HTML file. Before printing an FTK report, you might need to use Adobe Acrobat or another conversion program to convert the HTML code to a PDF file.

Figure 9-3 Creating a bookmark

Validating Forensic Data

One of the most critical aspects of computer forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court. Chapter 5 introduced forensic hashing algorithms, and in this section, you learn more about validating an acquired image before you analyze it. Most computer forensic tools—such as ProDiscover, X-Ways Forensics, FTK, and EnCase—provide automated hashing of image files. For example, when ProDiscover loads an image file, it runs a hash and compares that value to the original hash calculated when the image was first acquired. You might remember seeing this feature when the Auto Image Checksum Verification message box opens after you load an image file in ProDiscover. Computer forensics tools have some limitations in performing hashing, however, so learning how to use advanced hexadecimal editors is necessary to ensure data integrity.

Validating with Hexadecimal Editors

Advanced hexadecimal editors offer many features not available in computer forensics tools, such as hashing specific files or sectors. Learning how to use these tools is important, especially when you need to find a particular file—for example, a known contraband image. With the hash value in hand, you can use a computer forensics tool to search for a suspicious file that might have had its name changed to look like an innocuous file.
(Recall that two files with exactly the same content have the same hash value, even if they have different names.) Getting a hash value with a full-featured hexadecimal editor is much faster and easier than with a computer forensics tool. In previous chapters, you’ve used the hashing functions available in FTK Imager. Hex Workshop also provides several hashing algorithms, such as MD5 and SHA-1. Sometimes you need the hash value of specific files or sectors to validate whether data or fragments (sectors) match, or you need to verify data during and immediately after an acquisition. To use the hashing functions of Hex Workshop, follow these steps:

Before beginning this activity, extract all data files from the Chap09 folder on the DVD to your Work\Chap09\Chapter folder (referred to as “your work folder” in steps). Create this folder on your system first, if necessary.

1. Start Word, and in a new document, type a sentence or two, and save the file as test_hex.doc in your work folder. When you’re finished, exit Word.
2. Start Hex Workshop. (In Windows Vista, right-click the Hex Workshop desktop icon and click Run as administrator. When the UAC message box opens, click Continue.) Click File, Open from the menu. In the Open dialog box, navigate to your work folder, click to select test_hex.doc, and click Open. Figure 9-4 shows the file open in Hex Workshop.

Figure 9-4 Viewing a file opened in Hex Workshop

3. To obtain an MD5 hash of this file, click Tools, Generate Checksum from the menu to open the Generate Checksum dialog box (see Figure 9-5).

Figure 9-5 The Generate Checksum dialog box

4. In the Select Algorithms list box, scroll down and click MD5, and then click the Generate button to see the MD5 hash value in the results pane at the lower right (see Figure 9-6).
5. Right-click the hash value and click Copy. Start Notepad and paste the hash value into a new text document. Save the file as test_hex_hashvalue.txt in your work folder, and exit Notepad. Leave Hex Workshop running for the next activity.

Another feature of Hex Workshop generates the hash value of selected data in a file or sector. To see how this feature works, follow these steps:

1. In Hex Workshop, open the Jeffersonian quotes.doc file from your work folder.
2. Place the mouse pointer at the beginning of the byte address 00000000; the cursor should be positioned on the hexadecimal D0 because you’re examining the first sector of the file.
3. Now drag to select a complete sector (512 bytes). To know when you’ve selected the sector, watch the Offset counter at the lower right in the status bar. It should display “Sel: 00000200” when you’ve highlighted the entire sector. As you drag the mouse, note that the Offset counter increments or decrements according to the direction of the mouse’s movement across the window. This counter defaults to hexadecimal but can be altered to decimal counting.
4. Click Tools, Generate Checksum from the menu.

Figure 9-6 Hex Workshop displaying the MD5 hash value

5. In the Select Algorithms list box, scroll down and click MD5, click to enable the Selection option button (if necessary), and then click Generate.
6. Right-click the hash value in the results pane and click Copy. Start Notepad, and then paste the hash value into a new text document. Save the file as Quotes_hashvalue.txt in your work folder, and then exit Notepad and Hex Workshop.

The advantage of recording hash values is that you can determine whether data has changed. As shown in the preceding steps, you can use this method for specific sectors or entire files.

Using Hash Values to Discriminate Data

In Chapter 7, you learned about using the discrimination function to sort known good files from suspicious files. The discrimination function is useful in limiting the amount of data you have to examine, and many current computer forensics tools offer this function.
AccessData has a separate database, Known File Filter (KFF), which is available only with FTK. KFF filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography. KFF compares known file hash values to files on your evidence drive or image files to see whether they contain suspicious data. Periodically, AccessData updates these known file hash values and posts an updated KFF. As mentioned in Chapter 7, the National Software Reference Library (NSRL; www.nsrl.nist.gov) also maintains a national database of updated file hash values for a variety of OSs, applications, and images. Other computer forensics tools, such as X-Ways Forensics, can load the NSRL database and run hash comparisons.

Validating with Computer Forensics Programs

As mentioned, commercial computer forensics programs have built-in validation features. For example, ProDiscover’s .eve files contain metadata that includes the hash value. When an image file is loaded in ProDiscover, it’s hashed and then compared to the hash value in the stored metadata. If the hashes don’t match, ProDiscover notifies you that the acquisition is corrupt and can’t be considered reliable evidence. This feature is called Auto Image Checksum Verification. In ProDiscover and other computer forensics tools, however, raw format image files (.dd extension) don’t contain metadata, so you must validate raw format image files manually to ensure the integrity of data. You can also use these hash values to check whether the image file has been corrupted. Sometimes you work on a case for several months, and during that time, files can become corrupted, so you should check for this possibility periodically. In AccessData FTK Imager, when you select the Expert Witness (.e01) or SMART (.s01) format, additional options for validating the acquisition are available. This validation report also lists MD5 and SHA-1 hash values.
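The manual validation the text calls for with raw (.dd) images, together with the whole-file and single-sector hashing from the Hex Workshop activities, written as an added Python example (it is not from the book or from any tool named in it). It hashes a constructed four-sector image, records MD5 and SHA-1 values beside it, re-verifies after one byte is changed, and uses per-sector hashes to locate the altered sector; the 512-byte sector size, file names and sample contents are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size for the constructed image


def hash_bytes(data, algorithm="md5"):
    """Hash an in-memory buffer (one sector, a selection) with hashlib."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a whole file in chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_sector(path, sector, algorithm="md5", sector_size=SECTOR_SIZE):
    """Hash exactly one sector, like selecting 512 bytes in Hex Workshop and choosing Selection."""
    with open(path, "rb") as fh:
        fh.seek(sector * sector_size)
        data = fh.read(sector_size)
    if len(data) != sector_size:
        raise ValueError(f"sector {sector} is incomplete or beyond the end of the image")
    return hash_bytes(data, algorithm)


def record_hashes(path, algorithms=("md5", "sha1")):
    """Compute the acquisition hashes and write them beside the image (the scripted
    equivalent of pasting the value into a Notepad file). Returns {algorithm: hex digest}."""
    recorded = {alg: hash_file(path, alg) for alg in algorithms}
    with open(path + ".hashes.txt", "w") as fh:
        for alg, value in recorded.items():
            fh.write(f"{alg}  {value}  {os.path.basename(path)}\n")
    return recorded


def sector_manifest(path, algorithm="md5", sector_size=SECTOR_SIZE):
    """Per-sector hashes; a raw image carries no metadata, so this is our own integrity record."""
    size = os.path.getsize(path)
    return [hash_sector(path, i, algorithm, sector_size) for i in range(size // sector_size)]


def verify_image(path, recorded):
    """Re-hash the image and compare with every recorded value; any mismatch means the
    evidence changed or was corrupted since acquisition."""
    results = {alg: hash_file(path, alg) == expected for alg, expected in recorded.items()}
    return all(results.values()), results


def find_changed_sectors(path, manifest, algorithm="md5", sector_size=SECTOR_SIZE):
    """List the sectors whose hash no longer matches the manifest."""
    return [i for i, expected in enumerate(manifest)
            if hash_sector(path, i, algorithm, sector_size) != expected]


def demo():
    """Constructed evidence: a 4-sector raw image that is later damaged in sector 2."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            for i in range(4):
                fh.write(bytes([0x41 + i]) * SECTOR_SIZE)  # sector i filled with 'A', 'B', ...
        recorded = record_hashes(image)
        manifest = sector_manifest(image)
        ok_before, _ = verify_image(image, recorded)
        with open(image, "r+b") as fh:  # simulate silent corruption: one byte overwritten
            fh.seek(2 * SECTOR_SIZE + 17)
            fh.write(b"\x00")
        ok_after, details = verify_image(image, recorded)
        return {
            "ok_before": ok_before,
            "ok_after": ok_after,
            "failed_algorithms": sorted(alg for alg, ok in details.items() if not ok),
            "changed_sectors": find_changed_sectors(image, manifest),
            "sector_count": len(manifest),
        }


if __name__ == "__main__":
    print(demo())
```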
The MD5 hash value is added to the proprietary format image file. When this image file is loaded in tools such as FTK, SMART, or X-Ways Forensics, the MD5 hash value is read and compared to the hash value for the original acquisition to verify whether the image file is correct. Follow these steps to see how ProDiscover’s built-in validation feature works:

In this activity, you use a data file from Chapter 6. Before beginning, move the GCFI-Win98.eve file from your Chapter 6 work folder to this chapter’s work folder.

1. Start ProDiscover Basic with the Run as administrator option (if you’re using Vista), and start a new project. Enter today’s date for the project number, GCFI-Win98 for the project name, and Denise Robinson, Superior Bicycles - suspected of industrial espionage for the description, and then click OK.
2. In the tree view, click to expand Add, and click Image File.
3. Navigate to your work folder, click the GCFI-Win98.eve file, and click Open. (If you’re using Windows XP, in the message box about proceeding with the checksum verification, click Yes.)
4. After the checksum verification has finished validating the image file, click the Save Project button on the toolbar. Save the file as GCFI-Win98.dft in your work folder.
5. In the tree view, click to expand Content View, if necessary, and then click to expand Images.
6. Next, click the GCFI-Win98 image file, and then click to expand it. You should see the folders on that drive listed.
7. Click to expand the My Documents folder and the New Folder folder, and then click the first Temp folder. Notice that a few files in this folder are graphics files. Click View, Gallery View from the menu (see Figure 9-7).

Figure 9-7 ProDiscover’s Gallery view

8. In this view, you can right-click any file and export it, view the cluster numbers, compare it to a database containing hashes of known files, mark it as evidence, and so on. When you’re finished exploring this view, exit ProDiscover Basic.
Addressing Data-Hiding Techniques

Data hiding involves changing or manipulating a file to conceal information. Data-hiding techniques include hiding entire partitions, changing file extensions, setting file attributes to hidden, bit-shifting, using encryption, and setting up password protection. Some of these techniques are discussed in the following sections.

Hiding Partitions

One way to hide partitions is to create a partition and then use a disk editor, such as Norton DiskEdit, to delete any reference to it manually. To access the deleted partition, users can edit the partition table to re-create the links, and then the hidden partition reappears when the computer is restarted. Another way to hide partitions is with a disk-partitioning utility, such as GDisk, Partition Magic, System Commander, or Linux Grand Unified Bootloader (GRUB), which provides a startup menu where you can select an OS. The system then ignores other bootable partitions.

To circumvent these techniques, be sure to account for all disk space when you’re examining an evidence drive. Analyze any disk areas containing space you can’t account for so that you can determine whether they contain additional evidence. For example, in the following code, Disk Manager recognizes the extended partition (labeled EXT DOS) as being 5381.1 MB (listed as Mbytes). The LOG DOS labels for partitions E through F indicate that they’re logical partitions that make up the extended partition. However, if you add the sizes of drives E and F, the result is only 5271.3 MB, which is your first clue to examine the disk more closely. The remaining 109.8 MB could be a previously deleted partition or a hidden partition. For this example, the following code shows the letter “H” to indicate a hidden partition.
    Disk  Partitions  Cylinders  Heads  Sectors  Mbytes  Sectors
    2     5           11166      16     63       5495.8  11255328

    Partition  Status  Type     Volume Label  Mbytes  System  Usage
    D:  1              PRI DOS                109.8   FAT16   2%
        2              EXT DOS                5381.1          98%
    E:  3              LOG DOS                109.8   FAT16   2%
        4      H       LOG DOS                109.8   FAT16   2%
    F:  5              LOG DOS                5161.5  FAT32   94%

Windows creates a partition gap between partitions automatically; however, you might find a gap that’s larger than it should be. For example, in Windows 2000/XP, the partition gap is only 63 sectors, so 109.8 MB is too large to be a standard partition gap. In Windows Vista, the gap is approximately 128 sectors. In Figure 9-8, you can see a hidden partition in Disk Manager, which shows it as an unknown partition. In addition, the drive letters in the visible partitions are nonconsecutive (drive I is skipped), which can be another clue that a hidden partition exists. Most skilled users would make sure this anomaly doesn’t occur, however.

Figure 9-8 Viewing a hidden partition in Disk Manager

In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS. Figure 9-9 shows four partitions, similar to Figure 9-8, except the hidden partition shows as the drive letter Z. To carve (or salvage) data from the recovered partition gap, you can use other computer forensics tools, such as FTK or WinHex.

Figure 9-9 Viewing a hidden partition in ProDiscover

Marking Bad Clusters

Another data-hiding technique, more common in FAT file systems, is placing sensitive or incriminating data in free or slack space on disk partition clusters. This technique involves using a disk editor, such as Norton DiskEdit, to mark good clusters as bad clusters. The OS then considers these clusters unusable. The only way they can be accessed from the OS is by changing them to good clusters with a disk editor. To mark a good cluster as bad in Norton DiskEdit, you type the letter B in the FAT entry corresponding to that cluster.
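The space accounting and gap check the text walks through, as an added Python example (not from the book, Disk Manager or ProDiscover). The first part parses a constructed copy of the Disk Manager listing above and reports how much of the extended partition the lettered logical drives fail to account for; the second part goes beyond the listing and, given a constructed LBA layout (start sector and length per partition, values assumed), flags any gap between partitions larger than the 63-sector gap the text gives for Windows 2000/XP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the Disk Manager listing discussed above (volume labels are empty).
DISK_MANAGER_LISTING = """\
Partition  Status  Type     Volume Label  Mbytes  System  Usage
D:  1              PRI DOS                109.8   FAT16   2%
    2              EXT DOS                5381.1          98%
E:  3              LOG DOS                109.8   FAT16   2%
    4      H       LOG DOS                109.8   FAT16   2%
F:  5              LOG DOS                5161.5  FAT32   94%
"""

ROW = re.compile(
    r"^(?:(?P<drive>[A-Z]):)?\s*(?P<num>\d+)\s+(?P<hidden>H\s+)?"
    r"(?P<kind>PRI DOS|EXT DOS|LOG DOS)\s+(?P<mb>\d+(?:\.\d+)?)"
    r"(?:\s+(?P<fs>FAT1[26]|FAT32|NTFS))?\s+(?P<usage>\d+)%\s*$"
)

SECTORS_PER_MB = 2048  # 512-byte sectors


@dataclass
class Partition:
    number: int
    drive: Optional[str]   # None when no drive letter is assigned (extended or hidden)
    kind: str
    mbytes: float
    hidden: bool           # the "H" status flag in the listing
    filesystem: Optional[str]


def parse_listing(text: str) -> List[Partition]:
    """Turn the partition rows of the listing into Partition records; header lines are skipped."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            parts.append(Partition(int(m["num"]), m["drive"], m["kind"], float(m["mb"]),
                                   m["hidden"] is not None, m["fs"]))
    return parts


def unaccounted_extended_space(parts: List[Partition], include_hidden: bool = False) -> float:
    """Extended partition size minus the logical drives inside it, in MB (0.1 MB resolution).
    With include_hidden=False this is what an examiner sees from the lettered drives alone."""
    extended = sum(p.mbytes for p in parts if p.kind == "EXT DOS")
    logical = sum(p.mbytes for p in parts
                  if p.kind == "LOG DOS" and (include_hidden or not p.hidden))
    return round(extended - logical, 1)


def find_oversized_gaps(layout: List[Tuple[int, int, int]],
                        expected_gap: int = 63) -> List[Tuple[int, int, int, float]]:
    """layout: (partition number, start LBA, length in sectors), sorted by start LBA.
    Returns (before, after, gap in sectors, gap in MB) for every gap larger than expected_gap;
    63 sectors is the normal Windows 2000/XP gap, about 128 on Vista."""
    findings = []
    for (n1, start1, len1), (n2, start2, _) in zip(layout, layout[1:]):
        gap = start2 - (start1 + len1)
        if gap > expected_gap:
            findings.append((n1, n2, gap, round(gap / SECTORS_PER_MB, 1)))
    return findings


# Constructed LBA layout (assumed values): the 109.8 MB hidden region sits between E: and F:.
CONSTRUCTED_LAYOUT = [
    (1, 63, 224847),         # D:, ends at LBA 224910
    (3, 224973, 224847),     # E:, starts after a normal 63-sector gap, ends at 449820
    (5, 674753, 10570752),   # F:, 224933 sectors after the end of E:
]

if __name__ == "__main__":
    parts = parse_listing(DISK_MANAGER_LISTING)
    print("hidden partitions:", [p.number for p in parts if p.hidden])
    print("MB not accounted for by lettered drives:", unaccounted_extended_space(parts))
    print("MB not accounted for including hidden:", unaccounted_extended_space(parts, True))
    print("oversized gaps:", find_oversized_gaps(CONSTRUCTED_LAYOUT))
```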
You can then use any DOS disk editor to write and read data to this cluster, which is effectively hidden because it appears as bad to the OS. If a FAT partition containing clusters marked as bad is converted to an NTFS partition, the bad clusters remain marked as bad, so the conversion to NTFS doesn’t affect the content of these clusters. Most GUI tools skip clusters marked as bad in FAT and NTFS, and these clusters might contain valuable evidence for your investigation.

Bit-Shifting

Some home computer users developed the skill of programming in the computer manufacturer’s assembly language and learned how to create a low-level encryption program that changes the order of binary data, making the altered data unreadable when accessed with a text editor or word processor. These programs rearrange bits for each byte in a file. To secure a file containing sensitive or incriminating information, these users run an assembler program (also called a macro) on the file to scramble the bits. To access the file, they run another program that restores the scrambled bits to their original order. Some of these programs are still used today and can make it difficult for investigators to analyze data on a suspect drive. You should start by identifying any files you’re not familiar with that might lead to new evidence. Training in assembly language—as well as higher-level programming languages, such as Visual Basic, Visual C++, or Perl—is also helpful.

A related, and well-known, technique for hiding data is shifting bit patterns to alter the byte values of data. Bit-shifting changes data from readable code to data that looks like binary executable code. Hex Workshop includes a feature for shifting bits and altering byte patterns of entire files or specified data. To shift bits in a text file, follow these steps:

1. Start Notepad, and in a text document, type TEST FILE. Test file is to see how shifting bits will alter the data in a file.
2. Save the file as Bit_shift.txt in your work folder, and exit Notepad.
3. Start Hex Workshop. Click File, Open from the menu. Navigate to your work folder, and then double-click Bit_shift.txt. Figure 9-10 shows the file open in Hex Workshop.

Figure 9-10 Bit_shift.txt open in Hex Workshop

4. To set up Hex Workshop for the bit-shifting exercise, click Options, Toolbars from the menu.
5. In the Customize dialog box, click the Data Operations check box, and then click OK.
6. Click the Shift Left button (<< icon) on the Data Operations toolbar. The Shift Left Operation dialog box opens (see Figure 9-11), where you specify how you want to treat the data, the ordering scheme to use for bytes, and whether you shift bits for selected text or the entire file.

Figure 9-11 The Shift Left Operation dialog box

7. Click OK to accept the default settings and shift the bits in Bit_shift.txt to the left.
8. Save the file as Bit_shift_left.txt in your work folder. Figure 9-12 shows the file in Hex Workshop, with the @ symbols indicating shifted bits.

Figure 9-12 Viewing the shifted bits

9. To return the file to its original configuration, shift the bits back to the right by clicking the Shift Right button (>> icon) on the Data Operations toolbar. Click OK to accept the default settings in the Shift Right Operation dialog box. The file is displayed in its original format.
10. Save the file as Bit_shift_right.txt in your work folder, and leave Hex Workshop open for the next activity.

Now you can use Hex Workshop to find the MD5 hash values for these three files and determine whether Bit_shift.txt is different from Bit_shift_right.txt and Bit_shift_left.txt. (You could also use FTK or ProDiscover to find the MD5 hash values.) To check the MD5 values in Hex Workshop, follow these steps:

1. With Bit_shift_right.txt open in Hex Workshop, click File, Open to open Bit_shift.txt, and then repeat to open Bit_shift_left.txt.
2. Click the Bit_shift.txt tab in the upper pane to make it the active file.
3. Click Tools, Generate Checksum from the menu to open the Generate Checksum dialog box. In the Select Algorithms list box, click MD5, and then click the Generate button. Copy the MD5 hash value of Bit_shift.txt, shown in the lower-right pane, and paste it in a new text document in Notepad.
4. Repeat Steps 2 and 3 for Bit_shift_left.txt and Bit_shift_right.txt, pasting their hash values in the same text file in Notepad.
5. Compare the MD5 hash values to determine whether the files are different. When you’re finished, exit Notepad and Hex Workshop.

Typically, antivirus tools run hashes on potential malware files, but some advanced malware uses bit-shifting as a way to hide its malicious code from antivirus tools. With the bit-shifting functions in Hex Workshop, however, you can inspect potential malicious code manually. In addition, some malware that attacks Microsoft Office files consists of executable code that’s embedded at the end of document files, such as Word documents, and hidden with bit-shifting. When an Office document is opened, the malware reverses the bit-shifting on the executable code and then runs it.

Using Steganography to Hide Data

The term steganography comes from the Greek word for “hidden writing.” It’s defined as hiding messages in such a way that only the intended recipient knows the message is there. Many steganography tools were created to protect copyrighted material by inserting digital watermarks into a file. Some digital watermarks are designed to be visible—for example, to notify users that an image is copyrighted. The digital watermarks used for steganography aren’t usually visible, however, when you view the file in its usual application and might even be difficult to find with a disk editor.
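Returning to the bit-shifting activity and the antivirus note above, here is an added Python example (not from the book or from Hex Workshop) of the same per-byte 1-bit shift that Hex Workshop applies with its default 8-bit setting. It shows why Bit_shift_right.txt hashes the same as Bit_shift.txt while Bit_shift_left.txt does not, why the round trip fails for bytes with the high bit set, and a small readability heuristic an examiner can use to pick out text or code that has been hidden by a left shift; the sample text is the one typed in step 1, everything else is assumed.

```python
import hashlib
import string

# The text typed into Bit_shift.txt in step 1 of the activity.
SAMPLE = b"TEST FILE. Test file is to see how shifting bits will alter the data in a file."
PRINTABLE = frozenset(string.printable.encode("ascii"))


def shift_left(data: bytes, bits: int = 1) -> bytes:
    """Shift every byte left on its own (Hex Workshop's 8-bit Shift Left). The high bits that
    fall off are lost: a space (0x20) becomes '@' (0x40) and letters move to 0x80 and above."""
    return bytes((b << bits) & 0xFF for b in data)


def shift_right(data: bytes, bits: int = 1) -> bytes:
    """Per-byte right shift; the inverse of shift_left only when no bits were lost."""
    return bytes(b >> bits for b in data)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def round_trips(data: bytes, bits: int = 1) -> bool:
    """True when shift_left followed by shift_right restores the data, i.e. every byte has its
    top `bits` bits clear. Plain ASCII text always round-trips; binary data usually does not."""
    return shift_right(shift_left(data, bits), bits) == data


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def looks_like_shifted_text(data: bytes, bits: int = 1, threshold: float = 0.9) -> bool:
    """Heuristic for manual inspection: the bytes are not readable as they are but become
    readable once the shift is undone. It selects candidates for a closer look, nothing more."""
    return (printable_ratio(data) < threshold
            and printable_ratio(shift_right(data, bits)) >= threshold)


def compare_hashes(original: bytes) -> dict:
    """Reproduce the three-file MD5 comparison from the activity on in-memory data."""
    left = shift_left(original)
    right = shift_right(left)
    return {
        "bit_shift": md5_hex(original),
        "bit_shift_left": md5_hex(left),
        "bit_shift_right": md5_hex(right),
        "left_differs": md5_hex(left) != md5_hex(original),
        "right_restored": md5_hex(right) == md5_hex(original),
    }


if __name__ == "__main__":
    for name, value in compare_hashes(SAMPLE).items():
        print(f"{name:16} {value}")
    print("shifted sample flagged:", looks_like_shifted_text(shift_left(SAMPLE)))
    print("all byte values round-trip:", round_trips(bytes(range(256))))
```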
A nonsteganographic graphics file is the same size as an identical steganographic graphics file, and they look the same when you examine them in a graphics viewing utility, such as IrfanView. However, if you run an MD5 or SHA-1 hash comparison on both files, you’ll find that the hash values aren’t equal. Chapter 10 discusses a few steganography tools available for lossy graphics files. These tools insert data into the graphics file but often alter the original file in size and clarity.

To hide data, people can use steganography tools, many of which are freeware or shareware, to insert information into a variety of files. If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file, for example, cracking the encrypted message is extremely difficult. However, most steganography tools can insert only small amounts of data into a file and usually require a password to restrict access to the inserted data.

To detect steganography in evidence, you need information about the case so that you can detect files that might have been used to hide data. During your examination, look for steganography tools on the suspect computer, such as S-Tools, DPEnvelope, jpgx, and tte. If you locate any of these tools, look for files that could be used to hide data—specifically graphics files, but even text documents can be used for steganography. To help identify steganography files, use the following list as a guideline:

1. Locate the last modified date by checking the steganography tool’s timestamp.
2. Look for files that appear as both a .bmp and a .jpg file, which might indicate files that started out in one format and then were modified (perhaps by a steganography tool) and saved in another format.
3. Generate a list of all files with a date and time equal to or after the last modified date of the steganography tool, and then examine each file in the generated listing.
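The three-step guideline above, as an added Python triage script (not from the book, FTK or Sleuth Kit) run over a constructed file listing of paths and last-modified times. It finds the steganography tool’s timestamp, lists files modified at or after it, and pairs names that exist as both .bmp and .jpg; the tool executable names and all sample paths and dates are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Executable names assumed for the tools named in the text (S-Tools, DPEnvelope, jpgx, tte).
STEG_TOOL_NAMES = {"s-tools.exe", "dpenvelope.exe", "jpgx.exe", "tte.exe"}

# Constructed listing (path, last modified) such as an FTK or Sleuth Kit file export would give.
CONSTRUCTED_LISTING = [
    ("/Program Files/S-Tools/s-tools.exe", "2008-03-02 10:15:00"),
    ("/Documents/vacation.bmp", "2008-02-20 09:00:00"),
    ("/Documents/vacation.jpg", "2008-03-02 10:40:00"),
    ("/Documents/report.doc", "2008-01-11 14:02:00"),
    ("/Documents/party.jpg", "2008-03-05 18:21:00"),
    ("/Windows/notepad.exe", "2007-11-01 00:00:00"),
]

Entry = Tuple[str, datetime]


def parse_listing(rows) -> List[Entry]:
    return [(path, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")) for path, stamp in rows]


def find_steg_tools(entries: List[Entry]) -> List[Entry]:
    """Step 1: locate the steganography tools and their last-modified timestamps."""
    return [(p, t) for p, t in entries if PurePosixPath(p).name.lower() in STEG_TOOL_NAMES]


def format_pairs(entries: List[Entry]) -> List[str]:
    """Step 2: names present as both .bmp and .jpg, which may have been converted by a tool."""
    by_stem: Dict[str, set] = defaultdict(set)
    for p, _ in entries:
        path = PurePosixPath(p)
        by_stem[str(path.with_suffix(""))].add(path.suffix.lower())
    return sorted(stem for stem, exts in by_stem.items() if {".bmp", ".jpg"} <= exts)


def files_modified_since(entries: List[Entry], since: datetime) -> List[str]:
    """Step 3: every file with a timestamp equal to or after the tool's, tool binaries excluded."""
    return sorted(p for p, t in entries
                  if t >= since and PurePosixPath(p).name.lower() not in STEG_TOOL_NAMES)


def triage(entries: List[Entry]) -> dict:
    """Run the three steps and return what an examiner should look at first."""
    tools = find_steg_tools(entries)
    if not tools:
        return {"tools": [], "candidates": [], "format_pairs": format_pairs(entries)}
    earliest = min(t for _, t in tools)   # be inclusive: use the earliest tool timestamp
    return {
        "tools": [p for p, _ in tools],
        "candidates": files_modified_since(entries, earliest),
        "format_pairs": format_pairs(entries),
    }


if __name__ == "__main__":
    print(triage(parse_listing(CONSTRUCTED_LISTING)))
```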
If you locate files, especially graphics files, that appear to have been created by a steganography tool, attempt to reverse-engineer the file by re-creating known nonsteganographic images in the steganographic files. This technique is a trial-and-error process and might not be practical unless the investigation is extremely important. Try building a timeline of possible output files that match the last used date of the steganography tools. You can build a timeline with tools such as FTK and Sleuth Kit.

Examining Encrypted Files

People who want to hide data can also use advanced encryption programs, such as PGP or BestCrypt. Encrypted files are encoded to prevent unauthorized access. To decode an encrypted file, users supply a password or passphrase. Without the passphrase, recovering the contents of encrypted files is difficult. Many commercial encryption programs use a technology called key escrow, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure. Forensics examiners can also use key escrow to attempt to recover encrypted data. Although some vendors have developed key recovery tools, the resources needed to crack encryption schemes are usually beyond what’s available to small or medium organizations. If you do encounter encrypted data in an investigation, make an effort to persuade the suspect to reveal the encryption passphrase. Some encryption schemes are so complex that the time to crack them can be measured in days, weeks, years, and even decades. Key sizes of 128 bits to 512 bits make the job of breaking them with a brute-force attack impossible with current technology. The development of quantum computing will probably make today’s encryption schemes obsolete. Until then, some will remain unbroken.

Recovering Passwords

Password recovery is a fairly easy task in computer forensics analysis.
Several password-cracking tools are available, such as AccessData PRTK, NTI Advanced Password Recovery Software Toolkit, and John the Ripper (www.openwall.com/john). These tools use a dictionary or brute-force attack to crack passwords. Brute-force attacks try every possible combination of the letters, numbers, and other characters found on a keyboard. Given enough time, a brute-force attack can crack any password; however, the number of combinations grows exponentially with the password's length, so this method can be extremely time and processor intensive. In a dictionary attack, the program uses common words found in the dictionary and tries them as passwords. Most password crackers have dictionaries in a variety of languages, including English, French, Russian, and even Swahili. With some password-cracking tools, you can import additional unique words that are typically extracted from evidence. In FTK, for example, you can export a word list to PRTK. With other programs, you can build profiles of a suspect to help determine the suspect's password. These programs consider information such as names of relatives or pets, favorite colors, and schools attended. The principle behind these programs is that people have a habit of using things they are comfortable with, especially if it requires memorizing something secret, such as a password.

Using AccessData Tools with Passworded and Encrypted Files

AccessData offers a tool called Password Recovery Toolkit (PRTK), which is designed to create possible password lists from many sources so that you can access password-protected files. You can create a password list in many ways, including generating a password list with FTK, as shown in Figure 9-13, or creating a text file of passwords manually, as shown in Figure 9-14.

Figure 9-13 Using FTK to generate a password list

Figure 9-14 A partial list of possible passwords

If you haven't installed Password Recovery Toolkit yet, it's available on the book's DVD with the other software.
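The following Python example is added here to show, in code, the three ideas just described (a profile-driven word list, a dictionary attack, and a brute-force attack); it is not part of the book's text or of PRTK, FTK, or John the Ripper. The suspect profile, salt, and target hashes are constructed for the example and are not from the book's case files, and the target is modelled as a salted PBKDF2-HMAC-SHA256 digest with a deliberately low iteration count so that the demo runs in seconds.

```python
import hashlib
import itertools

# Deliberately low for a demo that runs in seconds; real password-protected
# files and modern KDFs use iteration counts in the tens of thousands or more.
ITERATIONS = 100


def derive(password, salt):
    """Constructed target: a salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def mangle(word):
    """Case and 'leet' variants of one profile word, as cracking tools' rules do."""
    base = {word, word.lower(), word.upper(), word.capitalize()}
    leet = str.maketrans("aeios", "43105")
    return base | {w.translate(leet) for w in base}


def profile_candidates(profile):
    """Turn biographical facts about a suspect into an ordered candidate list:
    each mangled word alone, then combined with years and common suffixes."""
    words = [w for key in ("names", "pets", "schools", "colors") for w in profile.get(key, [])]
    numbers = [""] + list(profile.get("years", []))
    suffixes = ["", "!", "1", "123"]
    out = set()
    for word in words:
        for w in mangle(word):
            for n in numbers:
                for s in suffixes:
                    out.add(w + n + s)
                    if n:
                        out.add(n + w + s)
    return sorted(out, key=lambda c: (len(c), c))   # shortest guesses first


def dictionary_attack(candidates, salt, target):
    """Try each candidate in order; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if derive(cand, salt) == target:
            return cand, attempts
    return None, attempts


def brute_force(charset, max_len, salt, target):
    """Exhaustive search over every string up to max_len drawn from charset."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            cand = "".join(combo)
            if derive(cand, salt) == target:
                return cand, attempts
    return None, attempts


def brute_force_seconds(length, charset_size, guesses_per_second):
    """Worst-case time to exhaust a keyspace of charset_size ** length guesses."""
    return charset_size ** length / guesses_per_second


# Constructed case data (hypothetical; not from the book's Superior Bicycles files).
SALT = b"superior-bicycles-demo-salt"
PROFILE = {
    "names": ["Chris", "Murphy", "Ileen"],
    "pets": ["Buddy"],
    "schools": ["Superior"],
    "colors": ["blue"],
    "years": ["1975", "2003"],
}
DOC_TARGET = derive("Buddy2003!", SALT)   # the hash a protected document might verify against
PIN_TARGET = derive("4719", SALT)         # a four-digit PIN, within reach of brute force


if __name__ == "__main__":
    print(dictionary_attack(profile_candidates(PROFILE), SALT, DOC_TARGET))
    print(brute_force("0123456789", 4, SALT, PIN_TARGET))
    for n in (6, 8, 12):
        days = brute_force_seconds(n, 95, 1e9) / 86400
        print(f"{n}-character keyboard password at 1e9 guesses/s: {days:,.0f} days")
```

The profile list finds "Buddy2003!" in a few hundred guesses, while the brute-force function exhausts the whole four-digit space in under six thousand; the brute_force_seconds() estimate shows why the same approach is hopeless for a 12-character password built from the 95 printable keyboard characters, even at a billion guesses per second.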
Go ahead and install it now so that you can investigate its features. To see the variety of dictionaries available in PRTK that you can use for cracking passwords, navigate in Windows Explorer to the main AccessData folder, and open the Dictionaries subfolder (see Figure 9-15). Better yet, you can create your own custom dictionary based on facts in the case. With PRTK, you can also create a profile of a suspect and use that biographical information to generate likely passwords. Password cracking requires a lot of memory, so the more RAM on your forensic workstation, the better.

Figure 9-15 Dictionaries available in PRTK

FTK can also identify known encrypted files and those that seem to be encrypted. For example, a simple encrypted file is a password-protected WinZip file or PGP file. In the Overview tab of FTK, simply click the Encrypted Files button under the File Status column, and FTK lists all files that appear to be encrypted. For password-protected WinZip or PGP files, select them in the bottom pane. FTK shows you the files contained in the zipped files, and you can then export them for analysis. Figure 9-16 shows a .zip file selected and the file it contains. As a shortcut, you can export a group of files by selecting them, right-clicking the selection, and clicking Export Files. In the Export Files dialog box, select the All checked files option button (see Figure 9-17). You can then import these files into PRTK and attempt to crack them. WinZip 9.0 and later can protect archives with AES encryption instead of the legacy ZipCrypto scheme, which has known weaknesses; an AES-protected archive can't be opened without the password, so check the suspect's system to determine what version of WinZip was used and whether AES was selected, and plan on password recovery rather than on attacking the cipher.

Performing Remote Acquisitions

Remote acquisitions are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation. This method can save time and money, too.
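The following Python example is added here to illustrate the encrypted-file triage described in the preceding section on FTK and WinZip; it is not part of the book's text or of FTK or PRTK. It parses ZIP local file headers itself (rather than relying on a library) so that the fields an examiner cares about are visible: general-purpose flag bit 0 marks an entry as encrypted, and WinZip's AES scheme is signalled by compression method 99 plus an extra field with ID 0x9901 whose strength byte gives 128, 192, or 256 bits. A Shannon-entropy check stands in for "seems to be encrypted" on files of unknown format. The sample archive and its contents are constructed in memory; the entropy threshold of 7.5 is an assumption suitable for files of a few kilobytes or more.

```python
import hashlib
import math
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
AES_METHOD, AES_EXTRA_ID = 99, 0x9901
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0. Compressed or encrypted data sits
    close to 8.0; plain text and most documents are well below it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5):
    """Blind check for loose files whose format isn't recognised (assumed threshold)."""
    return shannon_entropy(data) >= threshold


def aes_strength_from_extra(extra):
    """Walk the extra-field list for WinZip's AE-x record and return 128/192/256."""
    i = 0
    while i + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, i)
        if field_id == AES_EXTRA_ID:
            return AES_STRENGTH.get(extra[i + 8])   # after vendor version(2) and 'AE'(2)
        i += 4 + size
    return None


def list_zip_entries(blob):
    """Parse local file headers (stored entries, no data descriptors) and report
    what scheme, if any, protects each entry plus the entropy of its contents."""
    entries, pos = [], 0
    while pos + 30 <= len(blob) and struct.unpack_from("<I", blob, pos)[0] == LOCAL_SIG:
        (_, _, flags, method, _, _, _, csize, _, nlen, xlen) = \
            struct.unpack_from("<IHHHHHIIIHH", blob, pos)
        name = blob[pos + 30:pos + 30 + nlen].decode("cp437")
        extra = blob[pos + 30 + nlen:pos + 30 + nlen + xlen]
        data = blob[pos + 30 + nlen + xlen:pos + 30 + nlen + xlen + csize]
        scheme = "none"
        if flags & 0x0001:                         # general-purpose bit 0: encrypted
            scheme = "ZipCrypto"                   # legacy PKWARE stream cipher
            if method == AES_METHOD:
                scheme = f"AES-{aes_strength_from_extra(extra)}"
        entries.append({"name": name, "scheme": scheme,
                        "entropy": round(shannon_entropy(data), 2)})
        pos += 30 + nlen + xlen + csize
    return entries


def build_zip(entries):
    """Constructed archive writer: entries are (name, bytes, encrypted, aes_bits_or_None)."""
    local, central = bytearray(), bytearray()
    for name, data, encrypted, aes in entries:
        n = name.encode("cp437")
        flags = 0x0001 if encrypted else 0
        method = AES_METHOD if aes else 0
        extra = b""
        if aes:
            code = {128: 1, 192: 2, 256: 3}[aes]
            extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", code, 0)
        crc = 0 if aes else zlib.crc32(data)       # AE-2 leaves the CRC at zero
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0,
                             crc, len(data), len(data), len(n), len(extra)) + n + extra + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, method,
                               0, 0, crc, len(data), len(data), len(n), len(extra),
                               0, 0, 0, 0, offset) + n + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def random_looking(n, seed=b"constructed"):
    """Deterministic stand-in for encrypted entry contents."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


SAMPLE_ZIP = build_zip([
    ("notes.txt", b"Meeting notes on the kayak prototype review.\n" * 40, False, None),
    ("designs.docx", random_looking(4096), True, None),   # legacy ZipCrypto
    ("photos.zip", random_looking(4096), True, 256),      # WinZip AES-256
])


if __name__ == "__main__":
    for entry in list_zip_entries(SAMPLE_ZIP):
        print(entry)
```

The scheme column is what decides the next step: a ZipCrypto entry may be open to known-plaintext attacks on the format itself, while an AES entry can only be recovered by guessing the password, so it goes straight to a password-recovery tool.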
Many tools are available for remote acquisitions; in the following sections, you use Runtime Software to learn how remote acquisitions are made.

Figure 9-16 FTK displaying encrypted files

Figure 9-17 Exporting encrypted files

Remote Acquisitions with Runtime Software

Runtime Software (www.runtime.org) offers the following shareware programs for remote acquisitions:
• DiskExplorer for FAT
• DiskExplorer for NTFS
• HDHOST

Chapter 4 introduced these tools; remember that they're designed to be file system specific, so there are DiskExplorer versions for both FAT and NTFS that you can use to create raw format image files or segmented image files for archiving purposes. HDHOST is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system. The following sections show how to make a live remote acquisition of another computer over a network. To use these tools, it's best to have computers connected on the same local hub or router with minimal network traffic. When you're using remote access tools, you might have connection difficulties caused by firewall settings on your computer. If so, check firewall settings for the server and client systems.

Preparing DiskExplorer and HDHOST for Remote Acquisitions

Preparing for remote access requires the Runtime software, a portable media device (USB drive or floppy disk), and two networked computers. After installing both DiskExplorer programs and HDHOST on your acquisition workstation, copy the installed HDHOST folder to a portable media device, which is used on the suspect's computer. To install the DiskExplorer and HDHOST programs, follow these steps. In this example, a USB drive is used to run HDHOST on the suspect's computer.

1. Copy the Runtime tools from the book's DVD to your workstation, and install DiskExplorer for FAT, DiskExplorer for NTFS, and HDHOST in their default folders.
2. After installing these tools, insert a USB drive. Open Windows Explorer, navigate to the C:\Program Files\Runtime Software folder, and copy the HDHOST folder to the USB drive.
3. Dismount and remove the USB drive from the workstation. Your workstation is now ready to connect remotely to a suspect's computer.

In the next section, you learn how to set up the host (the suspect's computer).

Making a Remote Connection with DiskExplorer

Using HDHOST and DiskExplorer requires running HDHOST on a suspect's computer. To establish a connection with HDHOST, the suspect's computer must be connected to the network, powered on, and logged on to any user account with permission to run uninstalled applications. HDHOST can't be run surreptitiously, as ProDiscover or EnCase Enterprise can. To establish a connection, perform the following steps. This example is for a suspect computer with an NTFS partition.

Both DiskExplorer programs can acquire entire physical drives; this process isn't file system dependent. To copy specific files remotely, however, you must use the correct DiskExplorer program for the suspect's file system. In addition, you might have to disable any firewalls you have running for these steps to work correctly (on a shared network, add a specific exception for the HDHOST connection rather than turning the firewall off entirely, because the raw drive is being exposed over the network). Note that some pathnames and filenames in figures might differ from what's on your system.

1. On your acquisition workstation, connect the target drive for receiving the suspect computer's image data (assuming the target drive is a USB or FireWire external hot-swappable drive).
2. After powering on and logging on to the network with the suspect computer, insert the USB drive containing the HDHOST folder.
3. To start HDHOST, open Windows Explorer from the suspect computer. Navigate to the connected USB drive and the HDHOST folder, as shown in Figure 9-18.
Figure 9-18 Displaying the contents of the HDHOST folder in Windows Explorer

4. Double-click HDHOST.exe to start the remote connection. When the HDHOST startup window opens, click the TCP/IP option button (see Figure 9-19).
5. On the acquisition workstation, start the correct DiskExplorer program. For example, to start DiskExplorer for NTFS, click Start, point to All Programs, point to Runtime Software, and then click DiskExplorer for NTFS to open the window shown in Figure 9-20.

Figure 9-19 Selecting a connection type

Figure 9-20 The DiskExplorer for NTFS window

6. In the acquisition workstation's DiskExplorer window, click File, Drive from the menu.
7. In the Select drive dialog box (see Figure 9-21), click Remote at the bottom of the pane listing the drives.

Figure 9-21 The Select drive dialog box

8. In the Remote dialog box, click the LAN option button.
9. Referring to the Connection drop-down list in the suspect computer's HDHOST window, write down its IP address, and then click the Wait for connection button (see Figure 9-22).
10. In the Remote dialog box, type the suspect computer's IP address in the IP of host text box (see Figure 9-23), and then click the Connect button.
11. At a successful connection, the acquisition workstation's Remote dialog box changes to a list of drives on the suspect computer (see Figure 9-24). Click the first drive (HD128) to access the C partition, and then click OK. Click OK again in the Select drive dialog box.
12. If additional computers need to be connected, repeat these steps. Leave DiskExplorer open for the next activity.
Figure 9-22 The HDHOST remote connection window

Figure 9-23 Connecting to the remote computer

Figure 9-24 Select a drive to access

Making a Remote Acquisition with DiskExplorer

After you have established a connection with DiskExplorer from the acquisition workstation, you can navigate through the suspect computer's files and folders or copy data. The following steps explain how to make an acquisition through this remote connection and assume you're using the link you established in the previous steps.

1. To initiate the remote acquisition, in the main window of DiskExplorer, click Tools, Create image file from the menu.
2. In the Create an Image File dialog box, click the Lookup button (the button with three dots). Navigate to the target drive and folder, type InChp09RT.img in the File name text box, and click Save. Click the Start button shown in Figure 9-25.

Figure 9-25 The Create an Image File dialog box

Drive acquisition can take a long time, and time management is a critical part of running a forensics lab. For example, acquiring a 2 GB USB drive takes 10 to 20 minutes, depending on your network and processor speed. Plan to be doing other things while the acquisition takes place.

3. Monitor the data copying progress. When the acquisition is finished, click Cancel in the Create an Image File dialog box to return to the DiskExplorer main window.
4. Click File, Exit from the menu to close the program on the acquisition workstation.
5. On the suspect computer, click File, Exit to close HDHOST.

The Runtime tools don't generate a hash for acquisitions; therefore, you need to use another tool, such as Hex Workshop or FTK, to calculate a hash value of the image file immediately after the acquisition, record it in your notes, and use it to validate the image before each later examination. Because the suspect's drive is live and changing while you copy it, this hash validates the integrity of your copy from that point forward; it can't be expected to match a second acquisition of the same drive. In Chapter 11, you learn more about issues in live acquisitions.

Chapter Summary

■ Examining and analyzing digital evidence depend on the nature of the investigation and the amount of data to process.
■ You begin a computer forensics case by creating an investigation plan that defines the investigation's goal and scope, the materials needed, and the tasks to perform. Depending on the evidence you find, you might have to modify your investigation plan at some point.
■ For most computer forensics investigations, you follow the same general procedures: Wipe and prepare target drives, document all hardware components on the suspect's computer, check date and time values in the suspect computer's CMOS, acquire data and document your steps, list all folders and files on the suspect system and examine their contents, attempt to open any password-protected files, determine the function of executable files, and document all your steps, making sure to follow evidence preservation procedures.
■ One of the most critical aspects of computer forensics is validating digital evidence because ensuring the integrity of data you collect is essential for presenting evidence in court. Computer forensics tools have built-in validation features, but hexadecimal editors offer more advanced features. All data needs to be validated before and during your analysis because digital evidence can be corrupted easily. Use hash values such as MD5 and SHA-1 to verify that data has not changed; both algorithms now have published collision attacks, so where your tools support it, record a SHA-256 value alongside them.
■ Data hiding involves changing or manipulating a file to conceal information. Data-hiding techniques include hiding partitions, changing file extensions, setting file attributes to hidden, bit-shifting, using steganography, and using encryption and password protection.
■ Remote acquisitions are useful for making an image of a drive when the computer is far away from your location or when you don't want a suspect to be aware of an ongoing investigation.

Key Terms

bit-shifting The process of shifting one or more digits in a binary number to the left or right to produce a different value.
key escrow A technology designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
Known File Filter (KFF) A database containing the hash values of known legitimate and suspicious files. It's used to identify files for evidence or eliminate them from the investigation if they are legitimate files.
scope creep The result of an investigation expanding beyond its original description because the discovery of unexpected evidence increases the amount of work required.
steganography A data-hiding technique for embedding information in another file for the purpose of concealing that information from casual observers. Unlike encryption, it hides the existence of the message rather than its meaning, and the two are often combined.

Review Questions

1. Which of the following represents known files you can eliminate from an investigation? (Choose all that apply.)
a. Any graphics files
b. Files associated with an application
c. System files the OS uses
d. Any files pertaining to the company
2. For which of the following reasons should you wipe a target drive?
a. To ensure the quality of digital evidence you acquire
b. To make sure unwanted data isn't retained on the drive
c. Neither of the above
d. Both a and b
3. FTK's Known File Filter (KFF) can be used for which of the following purposes? (Choose all that apply.)
a. Filter known program files from view.
b. Calculate hash values of image files.
c. Compare hash values of known files to evidence files.
d. Filter out evidence that doesn't relate to your investigation.
4. For what legal and illegal purposes can you use steganography?
5. Password recovery is included in all computer forensics tools. True or False?
6. After you shift a file's bits, the hash value remains the same. True or False?
7. Validating an image file once, the first time you open it, is enough. True or False?
8. ________________ happens when an investigation goes beyond the bounds of its original description.
9. Suppose you're investigating an e-mail harassment case.
Generally, is collecting evidence for this type of case easier for an internal corporate investigation or a criminal investigation?
a. Criminal investigation because subpoenas can be issued to acquire any needed evidence quickly
b. Criminal investigation because law enforcement agencies have more resources at their disposal
c. Internal corporate investigation because corporate investigators typically have ready access to company records
d. Internal corporate investigation because ISPs almost always turn over e-mail and access logs when requested by a large corporation
10. You're using Disk Manager to view primary and extended partitions on a suspect's drive. The program reports the extended partition's total size as larger than the sum of the sizes of logical partitions in this extended partition. What might you infer from this information?
a. The disk is corrupted.
b. There's a hidden partition.
c. Nothing; this is what you'd expect to see.
d. The drive is formatted incorrectly.
11. Commercial encryption programs often rely on a technology known as _______________ to recover files if a password or passphrase is lost.
12. Steganography is used for which of the following purposes?
a. Validating data
b. Hiding data
c. Accessing remote computers
d. Creating strong passwords
13. Which FTK search option is more likely to find text hidden in unallocated space: live search or indexed search?
14. Which of the following statements about HDHOST is true? (Choose all that apply.)
a. It can be used to access a suspect's computer remotely.
b. It requires installing the DiskExplorer program corresponding to the suspect's file system.
c. It can run surreptitiously to avoid detection.
d. It works over both serial and TCP/IP interfaces.
15. Which of the following tools is most helpful in accessing clusters marked as "bad" on a disk?
a. Norton DiskEdit
b. FTK
c. ProDiscover
d. HDHOST
e. None of the above
16. The likelihood that a brute-force attack can succeed in cracking a password depends heavily on the password length. True or False?

Hands-On Projects

If necessary, create a C:\Work\Chap09\Projects folder on your system before starting the projects; it's referred to as "your work folder" in steps. Then extract all files from the Chap09\Projects folder on the DVD to your work folder.

Hands-On Project 9-1

In this project, you perform bit-shifting on a file and verify that the file can be restored.

1. Start Notepad and type the following in a new text document: This document contains very sensitive information. We do not want the competition to be able to read it if they intercept the message.
2. Save the file as correspondence.txt in your work folder, and then exit Notepad.
3. Start Hex Workshop, and open the correspondence.txt file.
4. In the chapter, you used the Shift Left and Shift Right buttons on the Data Operations toolbar. Notice as you move your cursor over the toolbar buttons to the right that Rotate Left, Rotate Right, Block Shift Left, and Block Shift Right are also available. Click the Rotate Right button. As shown in the Operand section of the Rotate Right Operation dialog box, the data can be treated as an 8-, 16-, 32-, or 64-bit unsigned long. Write down which one it is (assuming little endian is the byte ordering), and then click OK.
5. Click the Rotate Left button. In the Rotate Left Operation dialog box, make sure the same setting is listed in the Treat Data As text box as for the Rotate Right operation, and then click OK. The file should return to its original form. In a rotate operation, the bits that "fall off" one end of the number as it's rotated reappear at the other end. In this way, no bits are lost, and the process can be reversed to restore the original message.
6. Save the file.
7. Click the Shift Right button, note how the data is being treated, and click OK. Click Shift Right and then OK a second time, so that the data has been shifted right twice.
8. Finally, click the Block Shift Left button.
9. Attempt to reverse the procedure by doing the following: Click Block Shift Right, click Shift Left twice, and click OK as needed.
10. Notice that the message is garbled. In a normal (nonrotated) shift operation, the bits that fall off one end of the number when it's shifted are discarded; therefore, the original data is lost or modified. Click File, Close from the menu. When prompted to save, click No.
11. Open the file again in Hex Workshop, and repeat Steps 7 and 8. Save the file as correspondence2.txt in your work folder. If you're prompted to create a backup, click Yes.
12. Attempt to undo the procedure by working in reverse, as in Step 9.
13. Write a short paper stating whether you think this method is a reliable one for encrypting. Leave Hex Workshop running for the next project.

Hands-On Project 9-2

In this project, you validate the files used in Hands-On Projects 9-3 and 9-4. Chris Murphy, a Superior Bicycles employee suspected of industrial espionage, had a Windows XP system formatted in NTFS that was seized as part of the investigation. You use the GCFI-NTFS image files for this project, which consist of several .zip files. Extract them to your work folder, if necessary. You need at least 9 GB of storage space for these files.

1. Start Microsoft Word, and open the GCFI-NTFS hash values.doc file from your work folder. Print the file so that you can compare it with your results later in this project, and then exit Word.
2. Start Notepad, and open GCFI-NTFS.pds (included with the GCFI-NTFS image files). Read this document, which tells ProDiscover how to reassemble the image file from the segments. When you're finished, exit Notepad.
3. In Hex Workshop, open GCFI-NTFS.eve from your work folder.
4. Click Tools, Generate Checksum from the menu. In the Select Algorithms list box, click MD5, and then click the Generate button.
5. When the checksum process is finished, check the MD5 hash value in Hex Workshop's lower-right pane, and compare it to the one in the document you printed in Step 1.
6. Repeat Steps 3 through 5 for each remaining GCFI-NTFS file.
7. After you have verified all the files, make a note in your log listing the files you examined and their hash values, and then exit Hex Workshop.

Hands-On Project 9-3

In this project, you search the GCFI-NTFS drive image that belonged to Chris Murphy. You should have completed Hands-On Project 9-2 before beginning this one.

1. Start ProDiscover Basic with the Run as administrator option (if you're using Vista), and start a new project. Enter C9Prj03 for the project number and Chris Murphy for the project filename. In the Description text box, type suspected of industrial espionage at Superior Bicycles, and then click OK.
2. In the tree view, click to expand Add, and then click Image File. Navigate to your work folder. Because this image file is segmented, ProDiscover needs the .pds file to reassemble the image. Click GCFI-NTFS.pds (in Windows Vista, the .pds extension might not be displayed), and then click Open. In the message box prompting you to verify the checksum, click Yes. This process takes several minutes.
3. After this process is finished, save the project with its default name in your work folder.
4. In the tree view, click to expand Project, if necessary, and then expand Content View and Images.
5. Click GCFI-NTFS.eve and then click to expand it, and then click the Delorme Docs folder in the tree view. Browse through this folder in the work area, and mark any files of interest.
6. Chris is known to be a sports fan, and his manager believes the espionage he engaged in was done to support his gambling habit, betting on games' outcomes. Using search terms for the most common U.S. sports (baseball, football, and basketball), ascertain whether any evidence exists to support this claim.
7. Next, examine his Internet history. If necessary, use terms such as "ESPN" during this part of the search.
8. Finally, Chris has been sightseeing in Washington, D.C., so search for terms such as White House, Lincoln Memorial, George Washington University, Washington Convention Center, and National Museum of Women in the Arts. Exit ProDiscover Basic, saving the project when prompted.
9. Write a short memo to Ileen Johnson, the lead investigator in this case, summarizing your findings and what they indicate.

Hands-On Project 9-4

In this project, you determine what tools Chris used to take pictures of kayak prototypes and smuggle them out of the office. Make sure you have completed Hands-On Project 9-2 before starting this one.

1. Start ProDiscover Basic with the Run as administrator option (if you're using Vista), and start a new project. Enter C9Prj04 for the project number and Chris Murphy for the project filename. Enter suspected of industrial espionage at Superior Bicycles in the Description text box, and then click OK.
2. In the tree view, click to expand Add, and then click Image File. Navigate to your work folder.
3. Because this image file is segmented, ProDiscover needs the .pds file. If you didn't load this case in Hands-On Project 9-3, perform this step: Click GCFI-NTFS.pds, and then click Open. In the message box prompting you to verify the checksum, click Yes. This process takes several minutes. After it's finished, save the project with its default name in your work folder.
4. As mentioned, Chris is suspected of taking pictures of the new kayak prototypes, and you need to determine what type of camera he used. If necessary, click to expand Project in the tree view.
5. Next, expand Content View and then Images. Click the GCFI-NTFS.eve file, and then expand it.
6. Click the Special Files folder, and examine the files in it. You should see some files with the .sxc and .sxw extensions.
They were created in OpenOffice 1.x, but you can open them in OpenOffice 2.x, too.
7. Using ProDiscover's Search function, search the GCFI-NTFS.eve file, using the keyword kayak. Right-click any .jpeg files you find and click View EXIF Data. (EXIF data is metadata that includes the camera's make and model.) Copy this information to a text file in your work folder.
8. To export any .zip files you find, right-click them and click Copy File. In the dialog box that opens, create a folder for this case and save the files there. Then you can expand them with a standard zip utility.
9. When you're finished, exit ProDiscover Basic, and write a one- to two-page report explaining what you found and how this evidence is relevant to the case.

Case Projects

Case Project 9-1
Review the facts in the arson running case project (the Firestarter.dd file), and create a list of search terms that apply to the case, such as explosives, bombs, and fires. Run the search in your preferred computer forensics tool, and write a report on any relevant findings.

Case Project 9-2
Several graphics files were transmitted via e-mail from an unknown source to a suspect in an ongoing investigation. The lead investigator gives you these graphics files and tells you that at least four messages should be embedded in them. Use your problem-solving and brainstorming skills to determine a procedure to follow. Write a short report outlining what to do.

Case Project 9-3
A drive you're investigating contains several password-protected files and other files with headers that don't match the extension. Write a report describing the procedures you need to follow to retrieve the evidence. Identify the mismatched file headers to extensions and discuss techniques you can apply to recover passwords from the protected files.
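The following Python example is added to accompany Hands-On Project 9-1 above and Review Question 6; it is not part of the book's text or of Hex Workshop. It reproduces the toolbar operations in code so that you can see exactly why rotate operations are reversible and shift operations are not, and that any of them changes the file's hash. The interpretation of the Block Shift buttons as shifting the whole selection as a single large integer is an assumption made for this example; the sample message is constructed and is the project's own sentence with the last words changed.

```python
import hashlib


def _words(data, width):
    """Split data into little-endian words of `width` bits, zero-padding the tail."""
    size = width // 8
    padded = data + b"\x00" * (-len(data) % size)
    return [int.from_bytes(padded[i:i + size], "little") for i in range(0, len(padded), size)]


def _join(words, width):
    return b"".join(w.to_bytes(width // 8, "little") for w in words)


def rotate_right(data, width=8, n=1):
    """Bits leaving the low end re-enter at the high end of each word."""
    mask = (1 << width) - 1
    return _join([((w >> n) | (w << (width - n))) & mask for w in _words(data, width)], width)


def rotate_left(data, width=8, n=1):
    mask = (1 << width) - 1
    return _join([((w << n) | (w >> (width - n))) & mask for w in _words(data, width)], width)


def shift_right(data, width=8, n=1):
    """Logical shift: the low n bits of every word fall off and are gone."""
    return _join([w >> n for w in _words(data, width)], width)


def shift_left(data, width=8, n=1):
    mask = (1 << width) - 1
    return _join([(w << n) & mask for w in _words(data, width)], width)


def block_shift_left(data, n=1):
    """Assumed meaning of Block Shift: the whole buffer as one big little-endian integer."""
    mask = (1 << (8 * len(data))) - 1
    value = int.from_bytes(data, "little")
    return ((value << n) & mask).to_bytes(len(data), "little")


def block_shift_right(data, n=1):
    value = int.from_bytes(data, "little")
    return (value >> n).to_bytes(len(data), "little")


def md5(data):
    return hashlib.md5(data).hexdigest()


# Constructed sample text (a variant of the project's sentence).
MESSAGE = (b"This document contains very sensitive information. We do not want "
           b"the competition to be able to read it if they intercept it.\n")


def rotate_round_trip(data, width=8):
    """Steps 4 and 5 of the project: rotate right, then rotate left."""
    return rotate_left(rotate_right(data, width), width)


def shift_round_trip(data, width=8):
    """Steps 7 to 9 of the project: shift right twice, block shift left, then try
    to undo it with block shift right and two shif left operations."""
    garbled = block_shift_left(shift_right(shift_right(data, width), width))
    return shift_left(shift_left(block_shift_right(garbled), width), width)


if __name__ == "__main__":
    print(md5(MESSAGE), md5(rotate_right(MESSAGE)))
    print(rotate_round_trip(MESSAGE) == MESSAGE, shift_round_trip(MESSAGE) == MESSAGE)
```

Rotation preserves every bit, so the round trip restores the file byte for byte (and therefore its hash); each per-word shift throws away one bit per word, which is why the project's sequence can't be reversed and why bit-shifting is concealment, not encryption.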
Chapter 10 Recovering Graphics Files

After reading this chapter and completing the exercises, you will be able to:
• Describe types of graphics file formats
• Explain types of data compression
• Explain how to locate and recover graphics files
• Describe how to identify unknown file formats
• Explain copyright issues with graphics

Many computer forensics investigations involve graphics, especially those downloaded from the Web and circulated via e-mail. To examine and recover graphics files, you need to understand the basics of computer graphics, including file characteristics, common file formats, and compression methods for reducing file size. This chapter begins with an overview of computer graphics and data compression, and then explains how to locate and recover graphics files based on information stored in file headers. You learn how to identify and reconstruct graphics file fragments, analyze graphics file headers, and repair damaged file headers. This chapter also explores tools for viewing graphics files you recover and discusses two computer graphics issues: steganography and copyrights. Steganography involves hiding data, including images, in files. Copyrights determine the ownership of media, such as images downloaded from a Web site.

Recognizing a Graphics File

Graphics files contain digital photographs, line art, three-dimensional images, and scanned replicas of printed pictures. You might have used a graphics program, such as Microsoft Paint, Adobe Photoshop, or Gnome GIMP, to create or edit an image. A graphics program creates one of three types of graphics files: bitmap, vector, and metafile. Bitmap images are collections of dots, or pixels, in a grid format that form a graphic. Vector graphics are based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes. Metafile graphics are combinations of bitmap and vector images.
You can use two types of programs to work with graphics files: graphics editors and image viewers. You use graphics editors to create, modify, and save bitmap, vector, and metafile graphics. You use image viewers to open and view graphics files but not change their contents. When you use a graphics editor or an image viewer, you can open a file in one of many graphics file formats, such as .bmp, .gif, or .eps. Each format has different qualities, including the amount of color and compression it uses. If you open a graphics file in a graphics editor that supports multiple file formats, you can save the file in another file format. However, converting graphics files in this way can change the image quality, as you see in a Hands-On Project at the end of this chapter.

Understanding Bitmap and Raster Images

Bitmap images store graphics information as grids of pixels, short for "picture elements." Raster images are also collections of pixels, but they store pixels in rows to make images easy to print. In most cases, printing an image converts, or rasterizes, it to print pixels line by line instead of processing the complete collection of pixels. A bitmap's image quality on a monitor is governed by resolution, which determines the amount of detail that's displayed. Resolution is related to the density of pixels onscreen and depends on a combination of hardware and software. Monitors can display a range of resolutions; the higher the resolution, the sharper the image. Computers also use a video card containing a certain amount of memory for displaying images. The more advanced the video card's electronics and the more memory it has, the more detailed instructions it can accept, resulting in higher-quality images. For example, the monitor and video card on your Windows computer might support a 1024 × 768 resolution, which means displaying 1024 pixels horizontally and 768 pixels vertically.
The more pixels displayed, the smaller they must be to fit onscreen and, therefore, the smaller pictures appear onscreen. Because a bitmap image is defined by pixel size, high-resolution images use smaller pixels than low-resolution images do. Software also contributes to image quality. Software includes drivers, which are coded instructions that set a video card's display parameters, and programs used to create, modify, and view images. With some programs, such as IrfanView (www.irfanview.com), you can view many types of images; with other programs, you can view or work with only the graphics files they create. Computer graphics professionals use programs that support high resolutions to have more control over the display of bitmap images. However, bitmaps, especially those with low resolution, usually lose quality when you enlarge them.

Another setting that affects image quality is the number of colors the monitor displays. Graphics files can store different amounts of color per pixel; the number of bits allotted to each pixel (the color depth) determines how many distinct values it can represent. The following list shows the number of colors for each color depth:
• 1 bit = 2 colors
• 4 bits = 16 colors
• 8 bits = 256 colors
• 16 bits = 65,536 colors
• 24 bits = 16,777,216 colors
• 32 bits = 4,294,967,296 values (in practice, most 32-bit formats use 24 bits for color and the remaining 8 bits for an alpha, or transparency, channel)

Bitmap and raster files use as much of the color palette as possible. However, when you save a bitmap or raster file, the resolution and color might change, depending on the colors in the original file and whether the file format supports these colors.

Understanding Vector Graphics

Vector graphics, unlike bitmap and raster images, use lines instead of dots to make up an image. A vector file stores only the calculations for drawing lines and shapes; a graphics program converts these calculations into an image. Because vector files store calculations, not images, they are generally smaller than bitmap files, thereby saving disk space.
You can also enlarge a vector graphic without affecting image quality: to make an image twice as large, a vector graphics program, such as CorelDRAW or Adobe Illustrator, simply recomputes the image mathematically.

Understanding Metafile Graphics

Metafile graphics combine raster and vector graphics and can have the characteristics of both file types. For example, if you scan a photograph (a bitmap image) and then add text or arrows (vector drawings), you create a metafile graphic. Although metafile graphics have the features of both bitmap and vector files, they share the limitations of both. For example, if you enlarge a metafile graphic, the area created with a bitmap loses some resolution, but the vector-formatted area remains sharp and clear.

Understanding Graphics File Formats

Graphics files are created and saved in a graphics editor, such as Microsoft Paint, Adobe Freehand MX, Adobe Photoshop, or GIMP (the GNU Image Manipulation Program). Some graphics editors, such as Freehand MX, work only with vector graphics, and some programs, such as Photoshop, work with both. Most graphics editors enable you to create and save files in one or more of the standard graphics file formats. Standard bitmap file formats include Graphics Interchange Format (.gif), Joint Photographic Experts Group (.jpg or .jpeg), Tagged Image File Format (.tif or .tiff), and Windows Bitmap (.bmp). Standard vector file formats include Hewlett Packard Graphics Language (.hpgl) and AutoCAD (.dxf). Nonstandard graphics file formats include less common formats, such as Targa (.tga) and Raster Transfer Language (.rtl); proprietary formats, such as Photoshop (.psd), Illustrator (.ai), and Freehand (.fh10); newer formats, such as Scalable Vector Graphics (.svg); and old or obsolete formats, such as Paintbrush (.pcx). Because you can open standard graphics files in most or all graphics programs, they are easier to work with in a computer forensics investigation.
If you encounter files in nonstandard formats, you might need to rely on your investigative skills to identify the file as a graphics file, and then find the right tools for viewing it. To determine whether a file is a graphics file and to find a program for viewing a nonstandard graphics file, you can search the Web or consult a dictionary Web site. For example, suppose you find a file with a .tga extension during an investigation. None of the programs on your forensic workstation can open the file, and you suspect it could provide crucial evidence. To learn more about this file format, follow these steps:

1. Start your Web browser, and go to www.webopedia.com.
2. Type tga in the Enter a word for a definition text box, and then press Enter. Webopedia lists links to additional Web pages describing the .tga file format.
3. Click the Webopedia: Data Formats and Their File Extensions link to open a page with information about different file formats.
4. Scroll down until you find a definition of this format, and write it down. When you're finished, exit your Web browser.

Remember that an extension is just a label that anyone can change; the file's header bytes, discussed later in this chapter, are what actually identify the format.

Understanding Digital Camera File Formats

Digital cameras' popularity has had quite an impact on computer forensics because witnesses or suspects can create their own digital photos. As a computer forensics investigator, you might need to examine a digital photo created by a witness to an accident, for example. Crimes such as child pornography might involve hundreds of digital photos of alleged victims, and knowing how to analyze the data structures of graphics files can give you additional evidence for a case. In addition, knowing how digital photos are created and how they store unique information can contribute to your credibility when presenting evidence. Most, if not all, digital cameras produce digital photos in raw or EXIF format, described in the following sections.
Examining the Raw File Format

Referred to as a digital negative, the raw file format is typically used on many higher-end digital cameras. The camera performs no enhancement processing, hence the term "raw" for this format. Sensors in the digital camera simply record pixels on the camera's memory card. The advantage of this format is that it maintains the best picture quality.

From a computer forensics perspective, the biggest disadvantage of the raw file format is that it's proprietary, and not all image viewers can display these formats. To view a raw graphics file, you might need to get the viewing and conversion software from the camera manufacturer. Each manufacturer has its own program with an algorithm to convert raw data to other standard formats, such as JPEG or TIF. A key step in that conversion is demosaicing, which reconstructs full-color pixels from the single-color samples the sensor's color filter array records. Adobe (www.adobe.com/products/photoshop/cameraraw.html), the maker of Photoshop, has published an openly documented raw format called Digital Negative (DNG) and is promoting it as a standard.

Examining the Exchangeable Image File Format

Most digital cameras use the Exchangeable Image File (EXIF) format to store digital pictures. The Japanese Electronic Industry Development Association (JEIDA) developed it as a standard for storing metadata in JPEG and TIF files. When a digital picture is taken, information about the camera, such as model, make, and serial number, and settings, such as shutter speed, focal length, resolution, date, and time, are stored in the graphics file. Most digital cameras store graphics files as EXIF JPEG files. Because the EXIF format collects metadata, investigators can learn more about the type of digital camera and the environment in which pictures were taken. Viewing an EXIF JPEG file's metadata requires special programs, such as Exif Reader (see www.snapfiles.com/get/exifreader.html) or ProDiscover, which has a built-in EXIF viewer.
Originally, JPEG and TIF formats were designed to store only digital picture data. EXIF is an enhancement of these formats that modifies the beginning of a JPEG or TIF file so that metadata can be inserted. In the similar pictures in Figure 10-1, the one on the left is an EXIF JPEG file, and the one on the right is a standard JPEG file.

Figure 10-1 Similar EXIF and JPEG pictures

Figure 10-2 shows the differences between file headers in EXIF and standard JPEG files. Sawtoothmt.jpg is an EXIF file, and Sawtoothmtn.jpg is a standard JPEG file. The first 160 bytes (offsets 0 through hexadecimal 0x9F) are displayed for both files. All JPEG files, including EXIF, start from offset 0 (the first byte of a file) with hexadecimal FFD8, the start of image (SOI) marker. The current standard header for regular JPEG files is JPEG File Interchange Format (JFIF), which has the hexadecimal value FFE0 (the APP0 marker) starting at offset 2. For EXIF JPEG files, the hexadecimal value starting at offset 2 is FFE1 (the APP1 marker). Offsets 4 and 5 hold the length of that segment, and the hexadecimal values starting at offset 6 specify the label name (refer to Figure 10-2): the ASCII string JFIF followed by a null byte in a JFIF file, or Exif followed by two null bytes in an EXIF file. The label's case matters if you search for it as a string: the bytes in the file read "Exif," not "EXIF." Keep in mind, too, that a JPEG file can carry both segments (an EXIF APP1 segment first, followed by a JFIF APP0 segment), so the value at offset 6 is a quick way to recognize a file, not a complete definition of its format. For all JPEG files, the ending hexadecimal marker, also known as the end of image (EOI), is FFD9 (see Figure 10-3).

Figure 10-2 Differences in EXIF and JPEG file header information

Figure 10-3 EOI marker FFD9 for all JPEG files

With tools such as ProDiscover and Exif Reader, you can extract metadata as evidence for your case. As shown in Figure 10-4, the camera's make and model are Minolta Dimage 2330 Zoom, and the picture was taken on August 12, 2002, at 9:16 p.m. You might have noticed in Figure 10-1 that there's a lot of sunlight in the photos, but the metadata shows the time of day as after 9:00 p.m. in August. As in any computer forensics investigation, determining date and time for a file is important.
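The header layout just described (SOI at offset 0, APP0 or APP1 at offset 2, the segment length at offsets 4 and 5, the JFIF or Exif label at offset 6, EOI at the end) and the metadata that Exif Reader displays can be checked with a short script. The following Python is an added example written for this page, not code from the book, ProDiscover, or Exif Reader: it walks the marker segments, reads the Make, Model, and DateTime tags out of the TIFF structure inside an Exif APP1 segment, and builds its own sample files in memory. The camera values it reports are constructed to mirror Figure 10-4, not read from a real camera file, and the samples stop at EOI without the quantization, frame, and scan segments a real photo carries. It goes slightly beyond the text by also handling a file that contains both an Exif APP1 and a JFIF APP0 segment.

```python
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}


def jpeg_segments(data):
    """Walk marker segments from SOI up to SOS (entropy-coded data follows SOS).

    Yields (offset, marker, payload); payload excludes the 2-byte length field.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI (FF D8) at offset 0")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (EOI, SOS):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_ascii_tags(app1_payload):
    """Read Make/Model/DateTime from the TIFF structure inside an Exif APP1 segment."""
    tiff = app1_payload[6:]                      # skip the "Exif\0\0" identifier
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte-order mark selects endianness
    if e is None or struct.unpack(e + "H", tiff[2:4])[0] != 42:
        raise ValueError("APP1 does not contain a TIFF header")
    (ifd0,) = struct.unpack(e + "I", tiff[4:8])
    (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n, value = struct.unpack(e + "HHI4s", entry)
        if tag in ASCII_TAGS and typ == 2:       # type 2 = ASCII
            if n <= 4:                           # short values are stored inline
                raw = value[:n]
            else:                                # longer values live at an offset
                (off,) = struct.unpack(e + "I", value)
                raw = tiff[off:off + n]
            found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def inspect_jpeg(data):
    """What an examiner checks first: label at offset 6, APPn order, Exif tags, EOI position."""
    result = {"label_at_6": bytes(data[6:10]), "ids": [], "exif": {},
              "eoi_offset": data.rfind(b"\xff\xd9")}
    for off, marker, payload in jpeg_segments(data):
        if marker == 0xFFE0 and payload.startswith(b"JFIF\x00"):
            result["ids"].append("JFIF")
        elif marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            result["ids"].append("Exif")
            result["exif"] = exif_ascii_tags(payload)
    result["kind"] = "+".join(result["ids"]) or "unknown"
    return result


# --- constructed sample data (not real camera output) -------------------------

def build_exif_app1(fields, order=b"II"):
    """Build a minimal Exif APP1 payload: IFD0 holding ASCII entries only."""
    e = "<" if order == b"II" else ">"
    entries = sorted(fields.items())             # TIFF requires ascending tag order
    data_off = 8 + 2 + 12 * len(entries) + 4     # first byte after IFD0 and its next-IFD pointer
    ifd, blob = struct.pack(e + "H", len(entries)), b""
    for tag, text in entries:
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:
            ifd += struct.pack(e + "HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00")
        else:
            ifd += struct.pack(e + "HHII", tag, 2, len(raw), data_off + len(blob))
            blob += raw
    ifd += struct.pack(e + "I", 0)               # no IFD1
    tiff = order + struct.pack(e + "HI", 42, 8) + ifd + blob
    return b"Exif\x00\x00" + tiff


def build_jpeg(app_segments):
    """SOI, the given APPn segments, then EOI (a real file has DQT/SOF/DHT/SOS in between)."""
    out = b"\xff\xd8"
    for marker, payload in app_segments:
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return out + b"\xff\xd9"


JFIF_APP0 = b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"   # JFIF 1.2, no thumbnail
CAMERA = {0x010F: "Minolta", 0x0110: "DiMAGE 2330 ZOOM", 0x0132: "2002:08:12 21:16:00"}
SAMPLE_JFIF = build_jpeg([(0xFFE0, JFIF_APP0)])
SAMPLE_EXIF = build_jpeg([(0xFFE1, build_exif_app1(CAMERA))])
SAMPLE_BOTH = build_jpeg([(0xFFE1, build_exif_app1(CAMERA, b"MM")), (0xFFE0, JFIF_APP0)])

if __name__ == "__main__":
    for name, blob in ("JFIF", SAMPLE_JFIF), ("Exif", SAMPLE_EXIF), ("both", SAMPLE_BOTH):
        print(name, inspect_jpeg(blob))
```

On a real file, read the bytes with open(path, "rb") and pass them to inspect_jpeg(); compare label_at_6 and the segment order with what Figure 10-2 shows for Sawtoothmt.jpg and Sawtoothmtn.jpg. The DateTime string is only as trustworthy as the camera's clock, which is the point the next paragraph makes.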
Getting this information might not be possible, however, for a variety of reasons, such as suspects losing cameras after transferring photo files to their computers. You should list this type of evidence as subjective in your report because intentional and unintentional acts make date and time difficult to confirm. For example, suspects could alter a camera's clock intentionally so that an incorrect date and time are recorded when a picture is taken. An unintentional act could be the battery or camera's electronics failing, for example, which causes an incorrect date and time to be recorded. When you're dealing with date and time values in EXIF metadata, always look for corroborating information, such as where the picture was taken, to help support what you find in metadata.

Figure 10-4 Exif Reader displaying metadata from an EXIF JPEG file

Understanding Data Compression

Most graphics file formats, including GIF and JPEG, compress data to save disk space and reduce the file's transmission time. Other formats, such as BMP, rarely compress data or do so inefficiently. In this case, you can use compression tools to compact data and reduce file size. Data compression is the process of coding data from a larger form to a smaller form. Graphics files and most compression tools use one of two data compression schemes: lossless or lossy. You need to understand how compression schemes work to know what happens when an image is altered.

Lossless and Lossy Compression

This section describes how lossless and lossy compression work, explains their advantages and disadvantages, and discusses what they mean in terms of computer forensics. Lossless compression techniques reduce file size without removing data. When you uncompress a file that uses lossless compression, you restore all its information.
GIF and Portable Network Graphics (PNG) file formats reduce file size with lossless compression, which saves file space by using mathematical formulas to represent data in a file. GIF uses Lempel-Ziv-Welch (LZW) coding; PNG uses DEFLATE, which combines LZ77-style matching with Huffman coding. Each algorithm uses codes to stand in for redundant data. The simplest illustration is run-length encoding: if a graphics file contains a large red area, instead of having to store 200 red bytes, the encoder can store one byte for the color and another byte specifying a count of 200, so only 2 bytes are used. LZW generalizes this idea by replacing any repeated byte sequence with a dictionary code, and Huffman coding assigns shorter bit patterns to the values that occur most often.

Lossy compression is much different because it compresses data by permanently discarding bits of information in the file. Some discarded bits are redundant, but others are not. When you uncompress a graphics file that uses lossy compression, you lose information, although most people don't notice the difference unless they print the image on a high-resolution printer or increase the image size. In either case, the removed bits of information reduce image quality.

The JPEG format is one that uses lossy compression. If you open a JPEG file in a graphics program, for example, and save it as a JPEG file with a different name, lossy compression is reapplied automatically, which removes more bits of data and, therefore, reduces image quality. If you simply rename a file by using Windows Explorer or the command line, however, the file doesn't lose any more data. (Copying it byte for byte doesn't either, which you can confirm by comparing hash values of the original and the copy.) Another form of lossy compression, vector quantization (VQ), uses complex algorithms to determine what data to discard based on vectors in the graphics file. In simple terms, VQ discards bits in much the same way rounding off decimal values discards numbers.

Some popular lossless compression utilities include WinZip, PKZip, StuffIt, and FreeZip. Lzip, which uses the LZMA algorithm, is also lossless; general-purpose file compressors must be lossless because they have to restore files exactly. You use compression tools to compact folders and files for data storage and transmission.
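To make the lossless/lossy distinction concrete, here is an added example (not code from the book) that implements run-length encoding, the LZW coding GIF uses, and a deliberately lossy quantizer that throws away low-order bits the way the text describes rounding. The inputs are constructed: a 200-byte run of one value, and a short string with repeated words. The lzw_codes figure counts dictionary codes, which a real GIF packs into 9- to 12-bit fields rather than whole bytes.

```python
def rle_encode(data: bytes) -> bytes:
    """Run-length encoding as (count, value) pairs; a count never exceeds 255."""
    out, i = bytearray(), 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes([run, data[i]])
        i += run
    return bytes(out)


def rle_decode(data: bytes) -> bytes:
    out = bytearray()
    for count, value in zip(data[0::2], data[1::2]):
        out += bytes([value]) * count
    return bytes(out)


def lzw_encode(data: bytes) -> list:
    """LZW as used in GIF: emit the code for the longest dictionary match, then extend the dictionary."""
    table = {bytes([i]): i for i in range(256)}
    codes, w = [], b""
    for byte in data:
        wc = w + bytes([byte])
        if wc in table:
            w = wc
        else:
            codes.append(table[w])
            table[wc] = len(table)
            w = bytes([byte])
    if w:
        codes.append(table[w])
    return codes


def lzw_decode(codes) -> bytes:
    """Rebuild the same dictionary on the fly; nothing but the codes is stored in the stream."""
    table = {i: bytes([i]) for i in range(256)}
    out, w = bytearray(), None
    for code in codes:
        if code in table:
            entry = table[code]
        elif w is not None and code == len(table):   # code not yet defined: the KwKwK case
            entry = w + w[:1]
        else:
            raise ValueError(f"invalid LZW code {code}")
        out += entry
        if w is not None:
            table[len(table)] = w + entry[:1]
        w = entry
    return bytes(out)


def quantize(data: bytes, keep_bits: int = 4) -> bytes:
    """A toy lossy step: zero the low-order bits of each byte, like rounding off decimals."""
    mask = (0xFF << (8 - keep_bits)) & 0xFF
    return bytes(b & mask for b in data)


# Constructed inputs: a 200-byte run of one value, and text with some repetition.
RED_RUN = b"\xff" * 200
TEXT = b"kayak kayak kayak photo photo JFIF JFIF JFIF JFIF"


def compare(data: bytes) -> dict:
    """Sizes after each scheme, and whether the original comes back unchanged."""
    rle, lzw, lossy = rle_encode(data), lzw_encode(data), quantize(data)
    return {
        "original": len(data),
        "rle_bytes": len(rle),
        "rle_exact": rle_decode(rle) == data,
        "lzw_codes": len(lzw),
        "lzw_exact": lzw_decode(lzw) == data,
        "lossy_bytes": len(lossy),
        "lossy_exact": lossy == data,
    }


if __name__ == "__main__":
    for sample in (RED_RUN, TEXT):
        print(compare(sample))
```

The run of 200 identical bytes collapses to 2 bytes under RLE and to 20 LZW codes, and both decode back to exactly the input; the quantized version is the same size but can never be restored, which is the property that makes repeated JPEG saves degrade a picture.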
Remember that the difference between lossless and lossy compression is the way data is represented after it has been uncompressed. Lossless compression produces an exact replica of the original data after it has been uncompressed, whereas lossy compression typically produces an altered replica of the data.

Locating and Recovering Graphics Files

In a computer forensics investigation involving graphics files, you need to locate and recover all graphics files on the suspect drive and determine which ones are pertinent to your case. Because images aren't always stored in standard graphics file formats, you should examine all files that your computer forensics tools find, even if they aren't identified as graphics files. Some OSs have built-in tools for recovering graphics files, but they are time consuming, and the results are difficult to verify. Instead, you can use computer forensics tools dedicated to analyzing graphics files. As you work with these tools and built-in OS tools, develop standard procedures for your organization and continue to refine them so that other investigators can benefit from your experience. You should also follow standard procedures for each case to ensure that your analysis is thorough.

As discussed earlier in "Examining the Exchangeable Image File Format," you can use computer forensics tools to analyze images based on information in graphics files. Each graphics file contains a header with instructions for displaying the image; this header information helps you identify the file format. The header is complex and difficult to remember, however; instead of memorizing header information, you can compare a known good file header with that of a suspected file. For example, if you find an image that you suspect is a JPEG file but can't display it with a bitmap graphics program, compare its file header with a known JPEG file header to determine whether the header has been altered.
You could then use the information in the known JPEG file header to supply instructions for displaying the image. In other words, you use the known JPEG header information to create a baseline analysis.

Before you can examine a graphics file header, often you need to reconstruct a fragmented graphics file. To do so, you need to identify the data patterns the graphics file uses. If part of the file header has been overwritten with other data, you might also need to repair the damaged header. By rebuilding the file header, you can then perform a forensics analysis on the graphics file. These techniques are described in the following sections.

Identifying Graphics File Fragments

If a graphics file is fragmented across areas on a disk, first you must recover all the fragments to re-create the file. Recovering file fragments is called carving, also known as salvaging outside North America. To carve a graphics file's data from file slack space and free space, you should be familiar with the data patterns of known graphics file types. Many computer forensics programs, such as ProDiscover or FTK, can recognize these data patterns and carve the graphics files from slack and free space automatically, however. After you recover fragments of a graphics file, you restore them to continue your examination. You use ProDiscover Basic and Hex Workshop later in this chapter to copy known data patterns from files you recover, and then restore this information to view the graphics file.

Repairing Damaged Headers

When you're examining recovered fragments from files in slack or free space, you might find data that appears to be a header for a common graphics file type. If you locate header data that's partially overwritten, you must reconstruct the header to make it readable by comparing the hexadecimal values of known graphics file formats to the pattern of the file header you found. Each graphics file type has a unique header value.
As you become familiar with these header values, you can spot data from partially overwritten headers in file slack or free space. For example, as mentioned earlier, a JPEG file has the hexadecimal header value FFD8, followed at offset 6 by the label JFIF for a standard JPEG file or Exif for an EXIF file.

Suppose you're investigating a possible intellectual property theft by a contract employee of Exotic Mountain Tour Service (EMTS). EMTS has just finished an expensive marketing and customer service analysis with Superior Bicycles, LLC. Based on this analysis, EMTS plans to release advertising for its latest tour service with a joint product marketing campaign with Superior Bicycles. Unfortunately, EMTS suspects that a contract travel consultant, Bob Aspen, might have given sensitive marketing data to another bicycle competitor. EMTS is under a nondisclosure agreement with Superior Bicycles and must protect this advertising campaign material. An EMTS manager found a USB drive on the desk Bob Aspen was assigned to. Your task is to determine whether the drive contains proprietary EMTS or Superior Bicycles data.

The EMTS manager also gives you some interesting information he gathered from the Web server administrator. EMTS filters all Web-based e-mail traffic traveling through its network and detects suspicious attachments. When a Web-based e-mail with attachments is received, the Web filter is triggered. The EMTS manager gives you two screen captures, shown in Figures 10-5 and 10-6, of partial e-mails intercepted by the Web filter that lead him to believe Bob Aspen might have engaged in questionable activities.

Figure 10-5 First intercepted capture of an e-mail from Terry Sadler

For this examination, you need to search for all possible places data might be hiding. To do this, in the next section you use ProDiscover's cluster search function with hexadecimal search strings to look for known data.
Searching for and Carving Data from Unallocated Space

At this time, you have little information on what to look for on the USB drive Bob Aspen used. You need to ask some basic questions and make some assumptions based on available information to proceed in your search for information. In the first message from terrysadler@goowy.com, you see that it's addressed to baspen99@aol.com, which matches the contract employee's name, Bob Aspen. Next, you look at the date and time stamps in this message. The first is 4 Feb 2007 9:21 PM, and the second, farther down, is a header from Jim Shu with a date and time stamp of February 5, 2007, 5:17 AM -08:00. Therefore, it seems that Jim Shu originally sent the message, which was then forwarded to the terrysadler@goowy.com account. Because the time stamp for Jim Shu is later than the time stamp for terrysadler@goowy.com, Terry Sadler's location might be in a different time zone, somewhere west of Jim Shu, or one of the two e-mail servers' clocks is off (with Web-based e-mail, the mail server, not the user, supplies the time stamp). In Chapter 12, you learn more about e-mail header information.

Figure 10-6 Second intercepted capture of an e-mail from denisesuperbic@hotmail.com

Continuing with the first message, you note that Jim is telling Terry to have Bob alter the file extensions from .txt to .jpg, and the files are about new kayaks. The last line appears to be a previous response from terrysadler@goowy.com commenting that Bob (assuming it's Bob Aspen) can't receive this message. So far, you have the following facts:

• Jim Shu's e-mail refers to JPEG files.
• Jim Shu's attached JPEG files need to have the extension renamed from .txt to .jpg.
• Jim Shu's attachments might be photographs of new kayaks.
• The e-mail account names in this message are terrysadler@goowy.com, baspen99@aol.com, and jim_shu1@yahoo.com.
Now examine the second e-mail, which contains the following pieces of information:

• Jim Shu had a tour of the new kayak factory.
• Another party might be interested in competing in manufacturing kayaks.
• Jim Shu smuggled out JPEG photos he modified with a hexadecimal editor so that they wouldn't be detected by any Web or e-mail filters.
• Jim Shu provides specific instructions on how to reedit the digital photos and add the .jpeg extension so that they can be viewed.
• Jim Shu thinks Bob Aspen is working at EMTS.
• Jim Shu sent a copy (CC) to nautjeriko@lycos.com.

With these collected facts and your knowledge of JPEG file structures, you can use the steps in the following sections to determine whether these allegations are true.

Planning Your Examination

In the second e-mail from Jim Shu to Terry Sadler, Jim states, "So to view them you have to re-edit each file to the proper JPEG header of offset 0x FF D8 FF E0 and offset 6 of 4A." From this statement, you can assume that any kayak photographs on the USB drive contain unknown characters in the first four bytes (offsets 0 through 3) and at offset 6. Because this is all Jim Shu said about the JPEG files, you need to assume that the seventh, eighth, and ninth bytes (offsets 7 through 9) still hold the original, correct information for the JPEG file. In "Examining the Exchangeable Image File Format," you learned the difference between a standard JFIF JPEG and an EXIF JPEG file: The JFIF format has 0x FFD8 FFE0 in the first four bytes, and the EXIF format has 0x FFD8 FFE1. Starting at offset 6, the label is JFIF or Exif. In the second e-mail, Jim Shu mentions 0x FF D8 FF E0, which is a JFIF JPEG format. He also says to change the byte at offset 6 to 0x 4A, which is the uppercase letter "J" in ASCII. Because the files might have been downloaded to the USB drive, Bob Aspen could have altered or deleted them, so you should be thorough in your examination and analysis.
You need to search all sectors of the drive for deleted files, both allocated space (in case Bob didn't modify the files) and unallocated space. In the next section, you use ProDiscover to search for and recover these JPEG files.

Searching for and Recovering Digital Photograph Evidence

In this section, you learn how to use ProDiscover to search for and extract (recover) possible evidence of JPEG files from the USB drive the EMTS manager gave you. The search string to use for this examination is "FIF." Because it's part of the label name of the JFIF JPEG format, you might have several false hits if the USB drive contains several other JPEG files. These false hits, referred to as false positives, require examining each search hit to verify whether it's what you are looking for.

It's assumed you have already acquired an image of the USB drive, so the image file is provided on the book's DVD. You should extract all files in the Chap10 folder on the book's DVD to your C:\Work\Chap10\Chapter folder (referred to as "your work folder" in steps). Create this folder on your system first, if necessary. Remember that the work folder you create most likely has a different name from what's shown in screenshots. To begin the examination, follow these steps to load the image file:

1. Start ProDiscover Basic (with the Run as administrator option if you're using Windows Vista), and click the New Project toolbar button. In the New Project dialog box, type C10InChp for the project number and filename, and then click OK.
2. Click Action from the menu, point to Add, and click Image file.
3. In the Open dialog box, navigate to your work folder, click C10InChp.eve, and then click Open. If necessary, click Yes in the Auto Image Checksum message box.
4. To begin a search, click the Search toolbar button or click Action, Search from the menu to open the Search dialog box.
5. Click the Cluster Search tab, and then click the Case Sensitive check box.
Under Search for the pattern(s), type FIF (see Figure 10-7). Under Select the Disk(s)/Image(s) you want to search in, click the C10InChp.eve file, and then click OK.

Figure 10-7 Searching clusters in ProDiscover

6. When the search is done, click the first search hit, 4CA(1226), to display the cluster's content (see Figure 10-8).

Figure 10-8 Completed cluster search for FIF

7. Double-click the highlighted row 4CA(1226) to display the cluster view shown in Figure 10-9.

Figure 10-9 Viewing cluster use and location of search hit for 4CA(1226)

In Figure 10-10, the header for this JPEG file has been overwritten with zzzz. This unique header information might give you additional search values that could minimize false-positive hits in subsequent searches.

Figure 10-10 Content of cluster 4CA(1226)

8. Next, you need to locate the file. Right-click cluster block 4CA(1226) and click Find File, and then click Yes in the warning message.
9. In the List of Clusters dialog box, click Show File (see Figure 10-11), and then click Close.

Figure 10-11 Viewing all clusters used by the gametour2.exe file

10. In the work area, right-click the gametour2.exe file (shown selected in Figure 10-12) and click Copy File. In the Save As dialog box, delete the original filename, type Recover1.jpg, and then click Save to save this file in your work folder.

Figure 10-12 Mislabeled file that appears to be altered intentionally

11. Click File, Exit from the menu, and then click Yes to save this project in your work folder.

The next section shows you how to rebuild header data from this recovered file by using Hex Workshop, although any hexadecimal editor has the capability to examine and repair damaged file headers. From a computer forensics view, this procedure can be considered corrupting the evidence, but knowing how to reconstruct data, as in the preceding example, is part of an investigator's job.
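The cluster search you just ran and the header edit Jim Shu's message describes (FF D8 FF E0 at offset 0, 4A at offset 6) can both be scripted, which also gives you a repeatable record of what was changed. The following Python is an added example, not the book's procedure or ProDiscover's code: it scans an image for the case-sensitive string FIF, classifies each hit as an intact JFIF header, a candidate altered header, or a false positive, and repairs a candidate into a new byte string while leaving the original bytes untouched and logging SHA-256 hashes of both. The image it scans is constructed in memory from four 512-byte clusters (a text cluster that yields false positives, an intact JFIF header, an empty cluster, and a header overwritten with zzzz like the one in Figure 10-10). The rule it uses to spot an altered header (a plausible APP0 length field at offsets 4 and 5 and a null byte at offset 10) is this example's heuristic, not something the text states, and recover_cluster() is a stand-in for Find File and Copy File that returns only the cluster containing the hit rather than following the file's full cluster list.

```python
import hashlib
import struct

GOOD_HEADER = b"\xff\xd8\xff\xe0"      # SOI + APP0, as Jim Shu's message specifies
LABEL = b"FIF"                          # the case-sensitive cluster-search string
CLUSTER = 512                           # constructed cluster size for the sample image


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(image: bytes, hdr: int) -> str:
    """Decide what a 'FIF' hit whose header would start at `hdr` actually is (heuristic)."""
    if hdr < 0 or hdr + 16 > len(image):
        return "false positive"                        # no room for a 16-byte JFIF APP0
    first4, byte6 = image[hdr:hdr + 4], image[hdr + 6]
    (length,) = struct.unpack(">H", image[hdr + 4:hdr + 6])
    if first4 == GOOD_HEADER and byte6 == ord("J"):
        return "intact JFIF"
    if image[hdr + 10] == 0 and length >= 16:          # rest of the APP0 looks untouched
        return "candidate altered header"
    return "false positive"


def scan(image: bytes) -> list:
    """Every hit of LABEL, with the header offset (7 bytes before 'FIF') and a verdict."""
    hits, start = [], 0
    while (pos := image.find(LABEL, start)) != -1:
        hdr = pos - 7
        hits.append({"offset": hdr,
                     "first4": image[hdr:hdr + 4] if hdr >= 0 else b"",
                     "verdict": classify(image, hdr)})
        start = pos + 1
    return hits


def recover_cluster(image: bytes, hdr: int) -> bytes:
    """Stand-in for Find File / Copy File: return the cluster that contains the hit."""
    start = (hdr // CLUSTER) * CLUSTER
    return image[start:start + CLUSTER]


def repair(original: bytes) -> tuple:
    """Return (repaired copy, log). The original is never modified, only hashed."""
    fixed = bytearray(original)
    fixed[0:4] = GOOD_HEADER                           # offsets 0-3
    fixed[6] = ord("J")                                # offset 6 -> 0x4A
    fixed = bytes(fixed)
    log = {"original_sha256": sha256(original), "repaired_sha256": sha256(fixed),
           "edited_offsets": [0, 1, 2, 3, 6], "edited_to": "FF D8 FF E0 .. .. 4A"}
    return fixed, log


# --- constructed sample image: four clusters, not a real acquisition ----------

def _cluster(payload: bytes) -> bytes:
    return payload.ljust(CLUSTER, b"\x00")


APP0_TAIL = b"\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # null, JFIF 1.1, no thumbnail
INTACT = _cluster(GOOD_HEADER + b"\x00\x10" + b"JFIF" + APP0_TAIL + b"\xff\xdb")
ALTERED = _cluster(b"zzzz" + b"\x00\x10" + b"zFIF" + APP0_TAIL + b"\xff\xdb")
NOISE = _cluster(b"The FIFA schedule and some FIFTY other words from baspen99@aol.com")
IMAGE = NOISE + INTACT + _cluster(b"") + ALTERED

if __name__ == "__main__":
    for hit in scan(IMAGE):
        print(hit)
    damaged = recover_cluster(IMAGE, 1536)
    fixed, log = repair(damaged)
    print(fixed[:10].hex(), log)
```

Against a real acquisition you would read the image file in binary, keep the scan output and the hash log with your notes, and write the repaired bytes to a new file such as Fixed1.jpg; the original Recover1.jpg and the image stay as they were, which is what the next section asks for.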
When you change data as part of the recovery and analysis process, make sure you document your steps as part of your reporting procedures. Your documentation should be detailed enough that other investigators could repeat the steps, which increases the credibility of your findings. When you're rebuilding a corrupted evidence image file, create a new file and leave the original file in its initial corrupt condition.

Rebuilding File Headers

Before attempting to edit a graphics file you have recovered, try to open it with an image viewer, such as the default Microsoft tool. To test whether you can view the image, double-click the recovered file in its current location in Windows Explorer. If you can open and view the image, you have recovered the graphics file successfully. If the image isn't displayed, you have to inspect and correct the header values manually. If some of the data you recovered from the graphics file header is corrupt, you might need to recover more pieces of the file before you can view the image, as you'll see in the next section.

Because the deleted file you recovered in the previous activity, Recover1.jpg, was altered intentionally, when you attempt to open it, you might see an error message similar to the one in Figure 10-13.

Figure 10-13 Error message indicating a damaged or an altered graphics file

If you can't open a graphics file in an image viewer, the next step is to examine the file's header data to see whether it matches the header in a good JPEG file. If the header doesn't match, you must insert the correct hexadecimal values manually with a hexadecimal editor. To inspect a file with Hex Workshop, follow these steps:

1. Start Hex Workshop. Click File, Open from the menu. Navigate to your work folder, and then double-click Recover1.jpg. Figure 10-14 shows this file open in Hex Workshop.
2.
At the top of the Hex Workshop window, note that the hexadecimal values starting at the first byte position (offset 0) are 7A 7A 7A 7A, and the sixth position (offset 6) is also 7A. Leave Hex Workshop open for the next set of steps.

Figure 10-14 Recover1.jpg open in Hex Workshop

As mentioned, a standard JFIF JPEG file has a header value of FF D8 FF E0 from offset 0 and the label name JFIF starting at offset 6. Using Hex Workshop, you can correct this file header manually by following these steps:

1. In the center pane, click to the left of the first 7A hexadecimal value. Then type FF D8 FF E0, which are the correct hexadecimal values for the first 4 bytes of a JPEG file. Be sure you're overwriting the existing bytes rather than inserting new ones; inserting shifts every later byte and corrupts the file further.
2. In the right pane, click to the left of FIF, backspace to delete the z, and type J, as shown in Figure 10-15.

Figure 10-15 Inserting correct hexadecimal values for a JPEG file

In Hex Workshop, when you type a keyboard character in the right pane, the corresponding hexadecimal value appears in the center pane. So, for example, when you type J in the right pane, the hexadecimal value 4A appears in the center pane.

3. Click File, Save As from the menu. In the Save As dialog box, navigate to your work folder, type Fixed1.jpg as the filename, and then click Save. Exit Hex Workshop.

Each pair of hexadecimal digits you entered in the previous steps is one byte, and one byte is equivalent to one ASCII character. For example, an uppercase "A" has the hexadecimal value 41, and a lowercase "a" has the hexadecimal value 61. Most disk editors have a reference chart for converting hexadecimal values to ASCII characters, such as Hex Workshop's in Figure 10-16.

Figure 10-16 ASCII equivalents of hexadecimal values

After you repair a graphics file header, you can test the updated file by opening it in an image viewer, such as Windows Photo Gallery, IrfanView, ThumbsPlus, Quick View, or ACDSee. To test the repaired JPEG file, follow these steps:

1.
In Windows Explorer, navigate to your work folder and double-click Fixed1.jpg. The file opens in your default image viewer, such as Windows Photo Gallery (see Figure 10-17).
2. Verify that you have recovered the file correctly, and then exit the image viewer.

Figure 10-17 Fixed1.jpg open in Windows Photo Gallery

The process of repairing file headers isn't limited to JPEG files. You can apply the same technique to any file for which you can determine the header value, including Microsoft Word, Excel, and PowerPoint documents and other image formats. You need to know only the correct header format for the type of file you're attempting to repair.

Reconstructing File Fragments

You might occasionally encounter corrupt data that prevents you from recovering data fragments for files. Whether the data corruption is accidental or intentional, you need to know how to examine a suspect drive and extract possible data fragments to reconstruct files for evidentiary purposes. In this section, you learn how to locate noncontiguous clusters from a deleted file. Modern computer forensics tools can typically follow the links between clusters for FAT and NTFS file systems. However, sometimes the pointer information in a FAT or an NTFS MFT file doesn't list this information.

The following activity shows you how to recover a graphics file with a corrupt header that's fragmented on the suspect drive. To perform this data-carving task, you need to locate the starting and ending clusters for each fragmented group of clusters in the corrupted file. Here's an overview of the procedure:

1. Locate and export all clusters of the fragmented file.
2. Determine the starting and ending cluster numbers for each fragmented group of clusters.
3. Copy each fragmented group of clusters in their correct sequence to a recovery file.
4. Rebuild the corrupted file's header to make it readable in a graphics viewer.
Use the project you created previously, C10InChp, to analyze the fragmentation:

1. Start ProDiscover Basic (with the Run as administrator option in Windows Vista). Click File, Open Project from the menu, navigate to your work folder, click the C10InChp.dft file, and then click Open.
2. In the tree view, click Cluster Search Results, and then in the work area, click AE3 (2787), as shown in Figure 10-18.

Figure 10-18 Cluster search results for the AE3(2787) cluster

3. Right-click the cluster row AE3(2787) and click Find File.
4. In the List of Clusters dialog box, click Copy to Clipboard. Start Notepad, paste the cluster list into a new document, and save the file as AE3-carve.txt in your work folder. Leave Notepad open for the following steps.
5. In ProDiscover's List of Clusters dialog box, click Close.
6. In the tree view, click to expand Cluster View, if necessary, click to expand Images, and then click the C10InChp.eve image file, as shown in Figure 10-19.
7. Examine the AE3-carve.txt file in Notepad to determine the clusters that are grouped together, that is, the range for each cluster group. For example, locate the first cluster number, AE3, and count downward until you locate a cluster number that's not sequential. Make note of the last contiguous cluster number before the change to determine the first cluster group for this fragmented file. Continue through the list of cluster numbers to determine all fragments. The following list shows the cluster groups you should find:

• Fragment range 1: AE3 to B3F
• Fragment range 2: 1F5 to 248
• Fragment range 3: 3EB to 425
• Fragment range 4: 16A to 1A1
• Fragment range 5: 957 to 98C
• Fragment range 6: 25 to 2C

Figure 10-19 Cluster view of C10InChp.eve

The first fragment starts at hexadecimal AE3 (decimal 2787) and continues to hexadecimal B3F. The next fragment starts at 1F5 and continues to 248, and so on until the last segment of fragmented clusters.
This file is very fragmented.
8. In ProDiscover's tree view, click Cluster View, Images, and the C10InChp.eve file, if necessary. In the work area's Sector text box, type AE3 (see Figure 10-20) and click Go. To view all cluster columns in the work area, as shown in Figures 10-20 and 10-21, you need to maximize ProDiscover Basic's window and increase the work area's size: drag its left border to the left, into the tree view, until you can see all 30 hexadecimal columns, and then release the mouse button.
9. In the work area, click to select all blocks from AE3 to B3F (see Figure 10-21).
10. Right-click the highlighted blocks (sectors) in the work area and click Select. In the Add Comment dialog box, click the Apply to all items check box. In the Investigator comments text box, type Fragment 1 to recover, and then click OK.
11. Repeat Steps 8 through 10 to select the remaining fragmented blocks for these sectors, in this order: 1F5 to 248, 3EB to 425, 16A to 1A1, 957 to 98C, and 25 to 2C. In the Add Comment dialog box, increase the comment's fragment number by 1 for each block: Fragment 2 to recover, Fragment 3 to recover, and so on.
12. After all sectors have been selected, click Tools, Copy Selected Clusters from the menu.

Figure 10-20 Cluster view of sector AE3

Figure 10-21 Selected blocks from sector AE3 to B3F

13. In the Recover Clusters dialog box, click the Recover all clusters to a single file option button and the Recover Binary check box (see Figure 10-22). Click Browse, navigate to and click your work folder, and then click OK.
14. Exit ProDiscover Basic, saving this project in your work folder if prompted. Exit Notepad, saving the file if prompted.

The next step would be rebuilding the header of this recovered file, as you did in a previous activity. When you copy the selected data with ProDiscover's Recover Clusters function, a file named C10InChp-0000-0353.txt is created.
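Steps 2 through 4 of the overview (grouping the cluster list into ranges, copying the ranges in file order, and rebuilding the header) can also be done in code once you have the cluster list from the Find File dialog. The following Python script is an added example; it is not the textbook's procedure as ProDiscover performs it and not ProDiscover's code. It parses a pasted cluster list such as AE3-carve.txt into contiguous ranges, carves those ranges from a raw image into one recovery buffer, and overwrites the damaged leading bytes with a known-good JFIF header. The disk image and cluster list are constructed for the demonstration, the 512-byte cluster size is an assumption, and the repair assumes the common 16-byte JFIF APP0 segment. Run it against a forensic copy, never the original evidence.

```python
"""Reassemble a fragmented JPEG from a cluster list and rebuild its JFIF header.

Added example; not the textbook's or ProDiscover's code. It performs the same
three steps in code: group clusters into contiguous ranges, copy the ranges in
file order into one buffer, then overwrite the damaged header bytes.
"""
from typing import List, Tuple

# Assumption: one 512-byte sector per cluster, as in the C10InChp image above.
CLUSTER_SIZE = 512

# Known-good JFIF header: SOI (FF D8), APP0 marker (FF E0), APP0 length (00 10,
# assumes the common 16-byte segment), then the "JFIF\0" identifier.
JFIF_HEADER = bytes.fromhex("FFD8FFE00010") + b"JFIF\x00"


def parse_cluster_list(text: str) -> List[int]:
    """Parse a pasted cluster list (one hex number per line, as in AE3-carve.txt)."""
    return [int(tok, 16) for tok in text.split() if tok.strip()]


def cluster_ranges(clusters: List[int]) -> List[Tuple[int, int]]:
    """Step 2: turn the cluster list into (first, last) runs of contiguous clusters.

    The list is kept in the order the tool reports it, which is file order, so
    every break in the numbering starts a new fragment.
    """
    if not clusters:
        return []
    ranges: List[Tuple[int, int]] = []
    start = prev = clusters[0]
    for c in clusters[1:]:
        if c != prev + 1:
            ranges.append((start, prev))
            start = c
        prev = c
    ranges.append((start, prev))
    return ranges


def carve_ranges(image: bytes, ranges: List[Tuple[int, int]],
                 cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Step 3: copy each range, in the order given, into one recovery buffer."""
    out = bytearray()
    for first, last in ranges:
        lo, hi = first * cluster_size, (last + 1) * cluster_size
        if hi > len(image):
            raise ValueError(f"range {first:X}-{last:X} runs past the end of the image")
        out += image[lo:hi]
    return bytes(out)


def repair_jfif_header(data: bytes) -> bytes:
    """Step 4: overwrite the damaged leading bytes with a known-good JFIF header.

    Only the simple case is handled: 'FIF' must still sit at offset 7, which
    shows the damage is confined to the bytes before it. Anything else needs a
    manual look in the hex editor.
    """
    if data[7:10] != b"FIF":
        raise ValueError("'FIF' not found at offset 7; not a simple header overwrite")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


def recover(image: bytes, cluster_text: str) -> bytes:
    """Full pipeline: cluster list text -> ranges -> carved bytes -> repaired file."""
    clusters = parse_cluster_list(cluster_text)
    return repair_jfif_header(carve_ranges(image, cluster_ranges(clusters)))


def build_sample_image(cluster_size: int = CLUSTER_SIZE):
    """Constructed test data: a JFIF-like payload split over three fragments,
    stored with its first 7 header bytes zeroed (the "altered header")."""
    payload = JFIF_HEADER + b"\x01\x01" + bytes(range(256)) * 8
    clusters = [0x2E, 0x2F, 0x10, 0x11, 0x05]   # file order, three fragments
    damaged = b"\x00" * 7 + payload[7:]
    image = bytearray(0x31 * cluster_size)
    for i, c in enumerate(clusters):
        chunk = damaged[i * cluster_size:(i + 1) * cluster_size]
        image[c * cluster_size:c * cluster_size + len(chunk)] = chunk
    cluster_text = "\n".join(f"{c:X}" for c in clusters)
    return bytes(image), cluster_text, payload


if __name__ == "__main__":
    image, cluster_text, payload = build_sample_image()
    for n, (a, b) in enumerate(cluster_ranges(parse_cluster_list(cluster_text)), 1):
        print(f"Fragment range {n}: {a:X} to {b:X}")
    fixed = recover(image, cluster_text)
    print("header repaired:", fixed[:len(payload)] == payload)
```

The carved buffer is a whole number of clusters, so it carries slack after the real end of the file; a viewer ignores the trailing bytes, but note the original cluster list and ranges in your report so the carve can be reproduced.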
ProDiscover adds a .txt extension automatically to every file the Recover Clusters function exports, whether the copied sectors or clusters hold text or binary data.

Figure 10-22 Copying all selected clusters or sectors to a file

In this recovered file, sector AE3 contains "FIF" preceded by the altered header you found at sector 4CA. To view and rebuild C10InChp-0000-0353.txt, you would use the techniques described previously in "Rebuilding File Headers." Remember to save the updated recovered data with a .jpg extension. Figure 10-23 shows the results.

Figure 10-23 Recovered data from starting sector AE3 after Hex Workshop corrects the header

In addition to the natural occurrence of file fragmentation, sometimes suspects intentionally corrupt cluster links in a disk's FAT. Anyone can use a disk-editing tool, such as Norton DiskEdit, to access the FAT and mark specific clusters as bad by typing the letter "B" at the cluster. After you mark a cluster as bad this way, its entry is displayed with a 0 value in the disk editor. As Figure 10-24 shows, cluster position 156 has a 0 value, indicating that this cluster doesn't link to any other clusters on the disk. The OS ignores clusters marked in this manner and doesn't allocate them, which makes it possible to hide data in these clusters. (The FAT specification reserves its own bad-cluster value, FF7h in FAT12, FFF7h in FAT16, and 0FFFFFF7h in FAT32; whichever value a tool writes, the data already stored in the cluster stays on disk, and a raw cluster view such as ProDiscover's Cluster View shows it regardless of how the FAT entry is marked.)

Figure 10-24 Bad cluster appearing as 0 in Norton DiskEdit

Identifying Unknown File Formats

With the continuing changes in technology and computer graphics, eventually you'll encounter graphics file formats you're not familiar with. In addition, suspects might use older computer systems with programs that create files in uncommon or obsolete file formats. Therefore, you must research both old and new file types. Knowing the purpose of each format and how it stores data is part of the investigation process. The Internet is the best source for learning more about file formats and their extensions. You have already used the Webopedia site to research the TGA file format.
You can also use a search engine to search for "file type" or "file format" and find the latest list of Web sites with information on file extensions. If you still can't find a specific file extension, try refining your search by entering the file extension along with the words "file format" in a search engine. One nonstandard graphics file format is XIF. To search for information on this file format, follow these steps:
1. Start your Web browser, and go to www.google.com.
2. Type XIF file format in the text box and press Enter.
3. Click a few links in the search results to learn more about this file format. When you're finished, exit your Web browser.

Nuance PaperPort is a scanning program that produces images in the XIF format, which is derived from the TIF file format. Older versions of PaperPort have a free viewer utility for XIF files; you can also use Windows 2000 Kodak Imaging for Windows. For more information about XIF files, go to www.scantips.com/pagis1.html. The following sites provide information to help you analyze file formats. Keep in mind that information on the Web changes frequently; use a search engine to find graphics file information if you can't access these Web sites:
• www.digitek-asi.com/file_formats.html
• www.wotsit.org
• www.martinreddy.net/gfx/

Analyzing Graphics File Headers

You should analyze graphics file headers when you find new or unique file types that computer forensics tools don't recognize. The simplest way to access a file header is to use a hexadecimal editor, such as Hex Workshop. You can then record the hexadecimal values in the header and use them to define a file type. For example, suppose you encounter an XIF file, which you learned about in the previous section. Because this format is so old, not much information on it is available. If you need to look for hidden or deleted XIF files, you must build your own header search string. To do this, you need a hexadecimal editor, such as Hex Workshop.
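Once you have recorded the header bytes in the hex editor, a search string is just a table of (offset, expected bytes) pairs applied at each candidate position. The Python script below is an added example, not the textbook's code and not a feature of Hex Workshop or any forensics product. It records the TIF header (byte-order mark plus the 16-bit value 42) and the XIF header bytes the chapter documents from one sample file, scans every sector boundary of a raw image, and names the most specific match so that an XIF file isn't reported as plain TIF. The image and the 512-byte sector size are constructed assumptions, and the " eXtended " string at offset 8 is taken from the single XIF sample the text describes; confirm it against more XIF files before you depend on it.

```python
"""Build a header search string and scan a raw image for TIF and XIF headers.

Added example, not from the textbook or any forensics product. The signature
table holds the header bytes the chapter records for TIF and XIF; the scan
checks every sector boundary, where a deleted file's first bytes would sit.
"""
from typing import Dict, List, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors

# Each signature is a list of (offset, expected bytes). A TIF starts with the
# byte-order mark and the 16-bit value 42; an XIF keeps the little-endian TIF
# start and adds the ASCII string " eXtended " at offset 8. The 4 bytes at
# offset 4 are the offset of the first image file directory, which varies per
# file, so the XIF signature skips them.
SIGNATURES: Dict[str, List[Tuple[int, bytes]]] = {
    "TIF (little-endian, 'II')": [(0, b"II*\x00")],
    "TIF (big-endian, 'MM')":    [(0, b"MM\x00*")],
    "XIF (PaperPort/Pagis)":     [(0, b"II*"), (8, b" eXtended ")],
}


def matches(data: bytes, sig: List[Tuple[int, bytes]]) -> bool:
    """True when every (offset, bytes) pair of the signature is present."""
    return all(data[off:off + len(pat)] == pat for off, pat in sig)


def identify_header(data: bytes) -> str:
    """Return the most specific matching format name, or 'unknown'.

    Most specific = most signature bytes matched, so an XIF file wins over
    the plain TIF signature even though both start with 49 49 2A.
    """
    best, best_len = "unknown", 0
    for name, sig in SIGNATURES.items():
        total = sum(len(pat) for _, pat in sig)
        if matches(data, sig) and total > best_len:
            best, best_len = name, total
    return best


def scan_image(image: bytes, sector_size: int = SECTOR_SIZE) -> List[Tuple[int, str]]:
    """List (sector number, format) for every sector that begins with a known header."""
    hits = []
    for sector in range(len(image) // sector_size):
        head = image[sector * sector_size:sector * sector_size + 32]
        name = identify_header(head)
        if name != "unknown":
            hits.append((sector, name))
    return hits


def build_sample_image(sector_size: int = SECTOR_SIZE) -> bytes:
    """Constructed image: a little-endian TIF at sector 3, a big-endian TIF at
    sector 7 and an XIF at sector 12h; everything else is zero."""
    image = bytearray(0x20 * sector_size)
    tif_le = b"II*\x00" + (8).to_bytes(4, "little")
    tif_be = b"MM\x00*" + (8).to_bytes(4, "big")
    xif = b"II*\x00" + (0x15C).to_bytes(4, "little") + b" eXtended \x03"
    for sector, header in ((3, tif_le), (7, tif_be), (0x12, xif)):
        image[sector * sector_size:sector * sector_size + len(header)] = header
    return bytes(image)


if __name__ == "__main__":
    for sector, name in scan_image(build_sample_image()):
        print(f"sector {sector:X}: {name}")
```

Sector-aligned scanning is a first pass; a header that was written into the middle of a cluster (a file appended to slack, for example) needs a byte-by-byte search, which the same table supports by sliding the window one byte at a time instead of one sector.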
To see the differences between XIF and TIF, viewing and comparing header values for these file formats is good practice. TIF is a well-established file format for transmitting faxes and for use in printed publications. A TIF file starts at offset 0 with a 2-byte byte-order mark followed by the 16-bit value 42: little-endian files begin with hexadecimal 49 49 2A 00, and the 49 49 translates to the letters "II" in ASCII; big-endian files begin with 4D 4D 00 2A ("MM"). The Sawtooth_050.tif file shown open in Hex Workshop in Figure 10-25 is a little-endian file and begins with 49 49 2A.

Figure 10-25 A TIF file open in Hex Workshop

The first 3 bytes of an XIF file are the same as those of a little-endian TIF file, followed by other hexadecimal values that distinguish it from a TIF file (see Figure 10-26). As you can see, the XIF header starts with hexadecimal 49 49 2A and, beginning at offset 4, continues with 5C 01 00 00 20 65 58 74 65 6E 64 65 64 20 03. (Some values have been cut off in Figure 10-26 to conserve space.) Note that in any TIF-structured file the 4 bytes at offset 4 hold the offset of the first image file directory (here 5C 01 00 00, or 348 decimal), which varies from file to file, whereas the bytes from offset 8 onward spell the ASCII string " eXtended " and are the part worth anchoring a search string on. Confirm that string against more than one XIF sample before you rely on it. With this information, you can configure your computer forensics tool to detect an XIF file header.

Figure 10-26 An XIF file open in Hex Workshop

Tools for Viewing Images

Throughout this chapter, you have been learning about recognizing file formats, using compression techniques, salvaging header information, recovering graphics files, and saving your modifications. After you recover a graphics file, you can use an image viewer to open and view it. Several hundred image viewers are available that can read many graphics file formats, although no one viewer program can read every file format. Therefore, having many different viewer programs for investigations is best. Many popular viewer utilities are freeware or shareware programs, such as ThumbsPlus, ACDSee, Quick View, and IrfanView, that can be used to view a wide range of graphics file formats. Most GUI computer forensics tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, and ILook, include image viewers that display only common image formats, especially GIF and JPEG, which are often found in Internet-related investigations.
However, for less common file formats, such as PCX, integrated viewers often simply identify the data as a graphics file or might not recognize the data at all. Being unable to view all formats can prevent you from finding critical evidence for a case. Be sure that you analyze, identify, and inspect every unknown file on a drive. With many computer forensics tools, you can open files with external viewers.

Understanding Steganography in Graphics Files

When you open some graphics files in an image viewer, they might not seem to contain information related to your investigation. However, someone might have hidden information inside the image by using a data-hiding technique called steganography (introduced in Chapter 9), which uses a host file to cover the contents of a secret message.

Steganography has been used since ancient times. Greek rulers used this technique to send covert messages to diplomats and troops via messengers. To protect the message's privacy, rulers shaved their messengers' heads and tattooed messages on their scalps. After their hair grew enough to cover the message, the messengers left for their destinations, where they shaved their heads so that recipients could read the message. This method was a clever way to send and retrieve hidden information, but it was inefficient because the messengers' hair took a long time to grow back, and only a limited amount of space was available to write messages. However, it enabled the Greeks to send secret messages until their enemies discovered this early form of steganography and began intercepting messengers.

Contemporary steganography is also inefficient because a graphics file can hide only a certain amount of information before its size and structure change. However, it does allow someone to send covert information to a recipient, unless someone else detects the hidden data. The two major forms of steganography are insertion and substitution.
Insertion places data from the secret file into the host file. When you view the host file in its associated program, the inserted data is hidden unless you analyze the data structure carefully. For example, if you create a Web page with HTML, you can display images and text in a Web browser without revealing the HTML code. Figure 10-27 shows a typical Web page as it was intended to be viewed in a Web browser. This Web page contains hidden text, which is shown in Figure 10-28 along with the source HTML code. To detect hidden inserted text, you need to compare what the file displays with what the file contains. Depending on your skill level, this process can be difficult and time consuming.

Figure 10-27 A simple Web page displayed in a Web browser

Figure 10-28 The HTML code reveals hidden text

The second type of steganography, substitution, replaces bits of the host file with other bits of data. With a bitmap file, for example, you could replace bits used for pixels and colors with hidden data. To avoid detection, you substitute only those bits that result in the least amount of change. For example, if you use an 8-bit graphics file, each pixel is represented by 8 bits of data containing information about the color each pixel displays onscreen. The bits are weighted from left to right; in a value such as 11101100, the first bit on the left is the most significant bit (MSB), and the last bit on the right is the least significant bit (LSB). As the names suggest, changing the MSB affects the pixel display more than changing the LSB does. Furthermore, you can usually change the two least significant bits of a pixel without producing a noticeable change in the shade of color the pixel displays. (In a palette-based 8-bit image, the byte is an index into a color table rather than a brightness value, so even a 1-bit change jumps to a neighboring palette entry; the technique is quietest in grayscale images and in 24-bit true-color images, where each byte is one color channel.) To detect a change to the two LSBs in a graphics file, you need to use a steganalysis tool, which is software designed to identify steganography techniques.
For example, if your secret message is converted to binary form to equal 01101100 and you want to embed this secret message in a picture, you alter the last 2 bits of four pixels. You break the binary form into sections of two, as in 01 10 11 00, and insert the bits into the last 2 bits of each pixel, as shown in Table 10-1.

Table 10-1 Bit breakdown of a secret message

Message bits  Original pixel  Altered pixel
01            1010 1010       1010 1001
10            1001 1101       1001 1110
11            1111 0000       1111 0011
00            0011 1111       0011 1100

Each 2-bit sequence replaces the last 2 bits of one pixel. This bit substitution can't be detected by the human eye, which can distinguish only about 6 bits of color. Figure 10-29 shows the original picture, a simple line drawing, on the left and the altered image on the right.

Figure 10-29 Original and altered images

The altered image contains the hidden picture shown in Figure 10-30.

Figure 10-30 Hidden picture in the altered image

Whether insertion or substitution is used, graphics files are usually chosen for steganography because they contain enough bits to manipulate for hiding data. Therefore, you should always inspect graphics files for steganography evidence, especially if your suspect is technically savvy. Steganography can be used with file formats other than graphics files, such as MPEG and AVI files.

Using Steganalysis Tools

You can use several different steganalysis tools (also called "steg tools") to detect, decode, and record hidden data, even in files that have been renamed to protect their contents. If you suspect steganography has been used, search the suspect device for evidence of installed steganography tools. A steganalysis tool can also detect variations of an image. If a graphics file has been renamed, a steganalysis tool can identify the file format from the file header and indicate whether the file contains an image.
Although steganalysis tools can help identify hidden data, steganography is generally difficult to detect. In fact, if steganography is done correctly, in most cases you can't detect the hidden data unless you can compare the altered file with the original file. Check to see whether the file size, image quality, or file extension has changed. If so, you might be dealing with a steganography image. As an example of the complexity of detecting steganography, Niels Provos and Peter Honeyman at the University of Michigan conducted a study of more than two million images used in eBay auctions to see whether hidden data might have been placed in photos (see www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf). They found no image they could show contained a hidden message.

Steganography and steganalysis tools change as rapidly as some OSs. Current steg tools include Stegowatch, Outguess, StegDetect, and S-Tools. For a list of other steg tools, you can do an Internet search on "steganography" or "steganalysis."

Steganalysis tools usually compare a suspect file to a known good version or a known bad version of the graphics file. Some recent tools can detect steganography without a known good or bad file, however. Because graphics files are binary, these tools apply statistical tests to the pixel data, such as checking the distribution of the least significant bits or the palette colors, and compare the file size with what the format and dimensions predict, to judge whether a file has been altered. Other tools compare the hash value of a known good or bad file to the suspect file to determine whether steganography was used; a hash mismatch proves only that the files differ, so you still have to establish what changed. You can also use steganalysis tools to determine which sectors of a graphics file hide data. Keep in mind that this investigation task can be time consuming. Your first obstacle is obtaining the original graphics file to compare to the suspected steganography file. In some cases, you can find the original file on the suspect's computer or recover it, if it was deleted.
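The substitution technique from Table 10-1 and the known-good comparison just described fit in one short script. The following Python code is an added example; it is not the textbook's code and not any of the steg tools named above. It hides a message in the two least significant bits of successive pixels exactly as the table does, reads it back, and then performs the comparison a steganalysis tool makes when the original is available: hash both files, list the pixels that differ, and report which bit planes were touched. It also includes a blind check that needs no original. The pixels are a flat list of 8-bit values (an assumption that covers a grayscale image or one channel of a 24-bit image); the pixel values and message are constructed to match Table 10-1.

```python
"""2-bit LSB substitution and the known-good comparison used in steganalysis.

Added example; not the textbook's code and not any named steg tool. Pixels are
8-bit values in a flat list (assumption: grayscale, or one channel of a
24-bit image). The message and cover pixels are constructed from Table 10-1.
"""
import hashlib
from collections import Counter
from typing import Dict, List


def embed_2lsb(pixels: List[int], message: bytes) -> List[int]:
    """Hide message in the two least significant bits of successive pixels.

    Each message byte is split MSB-first into four 2-bit groups (01 10 11 00
    for 0x6C), and each group replaces the last 2 bits of one pixel.
    """
    if len(message) * 4 > len(pixels):
        raise ValueError("cover image too small for the message")
    out = list(pixels)
    i = 0
    for byte in message:
        for shift in (6, 4, 2, 0):
            out[i] = (out[i] & 0xFC) | ((byte >> shift) & 0x03)
            i += 1
    return out


def extract_2lsb(pixels: List[int], nbytes: int) -> bytes:
    """Reverse of embed_2lsb: rebuild nbytes from the 2-bit groups."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for p in pixels[4 * k:4 * k + 4]:
            byte = (byte << 2) | (p & 0x03)
        out.append(byte)
    return bytes(out)


def sha256_of(pixels: List[int]) -> str:
    return hashlib.sha256(bytes(pixels)).hexdigest()


def compare_known_good(original: List[int], suspect: List[int]) -> Dict:
    """What a steganalysis tool does when the original is available: hash both,
    then locate which pixels differ and which bit planes were touched."""
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    planes = 0
    for i in changed:
        planes |= original[i] ^ suspect[i]          # OR of all changed bits
    return {
        "hash_match": sha256_of(original) == sha256_of(suspect),
        "changed_pixels": changed,
        "highest_bit_touched": planes.bit_length() - 1,  # -1 when nothing changed
        "only_two_lsbs": planes != 0 and planes & 0xFC == 0,
    }


def lsb_pair_histogram(pixels: List[int]) -> Counter:
    """Blind check (no original): distribution of the 2-bit LSB groups.

    A clean line drawing is mostly 0x00/0xFF, so nearly every pair is 00 or 11;
    embedded data pushes the counts toward an even spread over 00, 01, 10, 11.
    """
    return Counter(p & 0x03 for p in pixels)


# Table 10-1 values (constructed): four cover pixels and the message 01101100.
TABLE_10_1_PIXELS = [0b10101010, 0b10011101, 0b11110000, 0b00111111]
SECRET = bytes([0b01101100])

if __name__ == "__main__":
    stego = embed_2lsb(TABLE_10_1_PIXELS, SECRET)
    for a, b in zip(TABLE_10_1_PIXELS, stego):
        print(f"{a:08b} -> {b:08b}")
    print("recovered:", extract_2lsb(stego, 1))
    print(compare_known_good(TABLE_10_1_PIXELS, stego))
    print(lsb_pair_histogram(stego))
```

The comparison reports `only_two_lsbs` as true for this case, which is the fingerprint of the substitution described above; a hash mismatch on its own says only that the two files differ, and the histogram check is a heuristic that a short message in a photographic image will not trip.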
If the filename has been changed, you might need to view each graphics file you recover to try to find a match. If you can't find the original file, you can still analyze the suspect file by using a steganalysis tool to detect hidden data. In the Hands-On Projects at the end of this chapter, you analyze a steganography file.

Understanding Copyright Issues with Graphics

Steganography has also been used to protect copyrighted material by inserting digital watermarks into a file. When working with graphics files, computer investigators need to be aware of copyright laws, especially in the corporate environment, where they often work closely with the legal department to guard against copyright violations. Investigators might also need to determine whether a photo is from a known copyrighted source, such as a news photo being posted on a Web page without permission. The U.S. Copyright Office Web site defines precisely how copyright laws pertain to graphics (see www.copyright.gov for information on the 1976 Copyright Act). Copyright laws as they pertain to the Internet, however, aren't as clear. For example, a server in another country might host a Web site, which could mean it's regulated by copyright laws in that country. Because each country has its own copyright laws, enforcement can be difficult. Contrary to what some might believe, there's no single international copyright law. The U.S. Copyright Office identifies what can and can't be covered under copyright law in the United States:

Copyright protects "original works of authorship" that are fixed in a tangible form of expression. The fixation need not be directly perceptible so long as it may be communicated with the aid of a machine or device. Copyrightable works include the following categories:
1. literary works;
2. musical works, including any accompanying words;
3. dramatic works, including any accompanying music;
4. pantomimes and choreographic works;
5.
pictorial, graphic, and sculptural works;
6. motion pictures and other audiovisual works;
7. sound recordings;
8. architectural works.
These categories should be viewed broadly. For example, computer programs and most "compilations" may be registered as "literary works"; maps and architectural plans may be registered as "pictorial, graphic, and sculptural works."

Anything that would ordinarily be copyrighted through noncomputer means and is now being created on digital media is considered to be copyrighted. Under the 1976 Act, the copyright exists from the moment the work is fixed; registering it with the Copyright Office is optional, although registration is required before the owner of a U.S. work can file an infringement suit. Digital watermarks can be visible or imperceptible in media such as digital photos or audio files. Visible watermarks are usually an image, such as the copyright symbol or a company logo, layered on top of a photo. Imperceptible watermarks don't change the appearance or sound quality of a copyrighted file. Methods used for imperceptible watermarks sometimes involve modifying a file's LSBs into a unique pattern.

Chapter Summary

■ A graphics file contains an image, such as a digital photo, line art, a three-dimensional image, or a scanned replica of a printed picture. A graphics program creates and saves one of three types of graphics files: bitmap, vector, and metafile. Bitmap images are collections of dots, or pixels, that form an image. Vector graphics are mathematical instructions that define lines, curves, text, and geometric shapes. Metafile graphics are combinations of bitmap and vector images.

■ When you use a graphics editor or an image viewer, you can open a file in one of many graphics file formats. Each format has different qualities, including the amount of color and compression it uses. If you open a graphics file in a program that supports multiple file formats, you can save the file in a different file format. However, converting graphics files this way can change image quality.
■ Bitmap images store graphics information as grids of pixels (short for "picture elements"). The quality of a bitmap image displayed onscreen is governed by resolution, which determines the amount of detail displayed. Vector graphics, unlike bitmap and raster files, use lines instead of dots. A vector graphic stores only the calculations for drawing lines and shapes; a graphics program converts these calculations into images. You can enlarge a vector graphic without affecting image quality. Metafile graphics combine bitmap and vector graphics and can have the characteristics of both image types.

■ Most graphics editors enable you to create files in one or more of the standard graphics file formats, such as Graphic Interchange Format (.gif), Joint Photographic Experts Group (.jpeg), Windows Bitmap (.bmp), or Encapsulated PostScript (.eps). Nonstandard graphics file formats include less common formats, such as Targa (.tga) and Raster Transfer Language (.rtl); proprietary formats, such as Photoshop (.psd); newer formats, such as Scalable Vector Graphics (.svg); and old or obsolete formats, such as Paintbrush (.pcx).

■ Most graphics file formats, including .gif and .jpeg, compress data to save disk space and reduce transmission time. Other formats, such as .bmp, rarely compress data or do so inefficiently. You can use compression tools to compact data and reduce file size. Lossless compression saves file space by using mathematical formulas to represent data in a file without discarding any of it. Lossy compression compresses data by permanently discarding bits of information in the file.

■ Digital camera photos are typically in raw and EXIF JPEG formats. The raw format is the proprietary format of the camera's manufacturer. The EXIF format is different from the standard JFIF JPEG format because it contains metadata about the camera and picture, such as shutter speed and the date and time a picture was taken.
■ In a computer forensics investigation involving graphics files, you need to locate and recover all graphics files on a drive and determine which ones are pertinent to your case. Because these files aren't always stored in standard graphics file formats, you should examine all files your computer forensics tools find, even if they aren't identified as graphics files. A graphics file contains a header with instructions for displaying the image. Each type of graphics file has its own header that helps you identify the file format. Because the header is complex and difficult to remember, you can compare a known good file header with that of a suspect file.

■ When you're examining recovered data remnants from files in slack or free space, you might find data that appears to be a header for a common graphics file type. If you locate header data that's partially overwritten, you must reconstruct the header to make it readable again by comparing the hexadecimal values of known graphics file formats to the pattern of the file header you found. After you identify fragmented data, you can use a computer forensics tool to recover the fragmented file.

■ If you can't open a graphics file in an image viewer, the next step is to examine the file header to see whether it matches the header in a known good file. If the header doesn't match, you must insert the correct hexadecimal values manually with a hex editor.

■ The Internet is the best source for learning more about file formats and their extensions. You can search for "file type" or "file format" and find a list of Web sites with information on file extensions.

■ You should analyze graphics file headers when you find new or unique file types that computer forensics tools don't recognize. The simplest way to do this is with a hex editor. You can record the hexadecimal values in the header for future reference.
■ Many popular viewer utilities are freeware or shareware and enable you to view a wide range of graphics file formats. Most GUI forensics tools, such as ProDiscover, EnCase, FTK, X-Ways Forensics, and ILook, include image viewers that display common image formats, especially GIF and JPEG.

■ Steganography is a method of hiding data by using a host file to cover the contents of a secret message. The two major techniques are insertion and substitution. Insertion places data from the secret file into the host file. When you view the host file in its associated program, the inserted data is hidden unless you analyze the data structure. Substitution replaces bits of the host file with other bits of data.

■ Steganalysis tools can detect hidden data in graphics files, ev