D1 Digital Ev Locations

8/3/2019 D1 Digital Ev Locations

1/22

T HE NATIONAL C ENTER FOR J USTICE ANDTHE R ULE OF L AW

AND T HE NATIONAL J UDICIAL C OLLEGE

SI: HANDLING CHILD PORNOGRAPHY CASES WB/KZ OCTOBER 17-18, 2011OXFORD, MS

DIGITAL EVIDENCE LOCATIONS &COMPUTER FORENSICS INTRODUCTION

DIVIDER 1

Professor Donald R. Mason

OBJECTIVES:

After this session, you will be able to:

1. Define digital evidence and identify types;

2. Describe how digital evidence is stored in computers;

3. Identify devices and locations where digital evidence may be found;

4. Define basic computer and digital forensics; and

5. Identify and describe the essential principles, tools and trends in digitalforensics

REQUIRED READING: PAGE

Donald R. Mason, Digital Evidence & Computer Forensics (Sept. 2011)[NCJRL PowerPoint] .......................................................................................................................1


2/22

Digital Evidence and Computer Forensics Technology Assisted Crimes Against Children: Evidentiary and Procedural Matters at Trial, August 1-2, 2011Copyright 2011 National Center for Justice and the Rule of Law All Rights Reserved

Digital EvidenceDigital Evidence

andand

Computer ForensicsComputer Forensics

Don MasonDon MasonAssociate DirectorAssociate Director

Copyright 2011 National Center for Justice and the Rule of Law All Rights Reserved

ObjectivesObjectivesAfter this session, you will be able to:After this session, you will be able to:

Define and describe digital evidenceDefine and describe digital evidenceIdentify devices and locations where digitalIdentify devices and locations where digitalev ence may e ounev ence may e ounIdentify and describe the basic principles,Identify and describe the basic principles,practices, and tools of digital forensicspractices, and tools of digital forensicsDescribe selected trends andDescribe selected trends and challenges inchallenges incomputer forensicscomputer forensics

From the old days to From the old days to

1


3/22


Evolving technology in Evolving technology in

The Digital age with The Digital age with

Convergent, Smart DevicesConvergent, Smart Devices

2


4/22


Computers = Digital Devices

A computer is like a light switchSwitch Computer Binary Symbol

ON signal present 1

OFF no signal present 0

Each 0 or 1 is a BIT (for BINARY DIGIT)0 0 0 0 0 0 0 1 = 10 0 0 0 0 0 1 0 = 2 (2+0)0 0 0 0 0 0 1 1 = 3 (2+1)

An 8-bit sequence = 1 byte = a keystroke

Printer Monitor

Digital DevicesDigital Devices

Computer

Computer asComputer as TargetTarget Unauthorized access, damage, theftUnauthorized access, damage, theft Spam, viruses, wormsSpam, viruses, worms Denial of service attacksDenial of service attacks

Roles of Digital DevicesRoles of Digital Devices

omputer asomputer as oooo FraudFraud Threats, harassmentThreats, harassment Child pornographyChild pornography

Computer asComputer as ContainerContainer From drug dealer records to how to commitFrom drug dealer records to how to commit

murdermurder

3


5/22



Information of probative value that isInformation of probative value that is

stored or transmitted in binary form andstored or transmitted in binary form andmay be relied upon in courtmay be relied upon in court

Two typesTwo types

Digital EvidenceDigital EvidenceUserUser--createdcreated Text (documents, eText (documents, e- -mail, chats, IMs)mail, chats, IMs) Address booksAddress books DatabasesDatabases

Images (photos, drawings, diagrams)Images (photos, drawings, diagrams) Video and sound filesVideo and sound files Web pagesWeb pages Service provider account subscriber recordsService provider account subscriber records

Computer/NetworkComputer/Network- -createdcreated Email headersEmail headers MetadataMetadata

Activity logsActivity logs


Browser cache, history, cookiesBrowser cache, history, cookies Backup and registry filesBackup and registry files Configuration filesConfiguration files Printer spool filesPrinter spool files Swap files and other transient dataSwap files and other transient data Surveillance tapes, recordingsSurveillance tapes, recordings

4


6/22


Data Generated in 2010Data Generated in 2010

1200 trillion gigabytes1200 trillion gigabytes (1.2(1.2 zettabytes) )

89 stacks of books each reaching89 stacks of books each reachingfrom the Earth to the Sunfrom the Earth to the Sun

22 million times all the books ever22 million times all the books everwrittenwritten

Would need more than 750 millionWould need more than 750 millioniPods to hold itiPods to hold it

90 trillion emails sent in 200990 trillion emails sent in 2009

ProjectionProjection

In 2020: 35In 2020: 35 zettabyteszettabytes will bewill beproducedproduced

,,written 7 timeswritten 7 times

How Much Data?How Much Data?1 Byte1 Byte (8 bits):(8 bits): A single characterA single character1 Kilobyte1 Kilobyte (1,000 bytes):(1,000 bytes): A paragraphA paragraph1 Megabyte1 Megabyte (1,000 KB):(1,000 KB): A small bookA small book1 Gigabyte1 Gigabyte (1,000 MB):(1,000 MB): 10 yards of shelved books10 yards of shelved books

1 Terab te1 Terab te (1,000 GB):(1,000 GB): 1,000 co ies of Enc clo edia1,000 co ies of Enc clo edia11 PetabytePetabyte (1,000 TB):(1,000 TB): 20 million four20 million four- -door filing cabinetsdoor filing cabinetsof textof text1 Exabyte1 Exabyte (1,000 PB):(1,000 PB): 5 EB = All words ever spoken by5 EB = All words ever spoken byhumanshumans11 ZettabyteZettabyte (1,000 EB, or 1 billion TB)(1,000 EB, or 1 billion TB) == 250 billion DVDs,36 million years of HD video, or the volume of the GreatWall of China

5


7/22


How Much in Real Cases?How Much in Real Cases?

One recent example:One recent example:

17 terabytes17 terabytes 24+ million images24+ million images , mov es, mov es 4600+ CVIP hits (known CP images)4600+ CVIP hits (known CP images)

Sources of EvidenceSources of EvidenceOffenders computerOffenders computer accessed and downloaded imagesaccessed and downloaded images documentsdocuments user log filesuser log files Internet connection logsInternet connection logs browser history and cache filesbrowser history and cache files email and chat logsemail and chat logs

passwords & encryption keyspasswords & encryption keys

Sources of EvidenceSources of EvidenceHandHand--held devicesheld devices digital camerasdigital cameras PDAsPDAs

tabletstablets mobile phonesmobile phones GPS devicesGPS devices

6


8/22


Sources of EvidenceSources of EvidenceServersServers

ISP authentication user logsISP authentication user logs FTP and Web server access logsFTP and Web server access logs LAN server logsLAN server logs Cloud storageCloud storage Web pagesWeb pages Social mediaSocial media

Sources of EvidenceSources of EvidenceOnline activityOnline activity Internet Protocol addressesInternet Protocol addresses Router logsRouter logs

Forms of EvidenceForms of EvidenceFilesFiles Present / ActivePresent / Active (docs, spreadsheets, images,(docs, spreadsheets, images,

email, etc.)email, etc.) ArchiveArchive (including as backups)(including as backups) DeletedDeleted (in slack and unallocated space)(in slack and unallocated space) Tem orarTem orar cache rint records Internet usa ecache rint records Internet usa e, ,, ,

records, etc.)records, etc.) Encrypted or otherwise hiddenEncrypted or otherwise hidden Compressed or corruptedCompressed or corrupted

Fragments of FilesFragments of Files ParagraphsParagraphs SentencesSentences WordsWords

7


9/22


"inside the box, outside the "inside the box, outside the box" box"

The Box Outside the box:network investigations

Inside the Box

Computers hard driveand other memory Documents Pictures

What the computer owner actually has possession of

Outlook Emails Internet Cache

CDs and floppy disksiPodsCell PhonesExternal Hard Drives

Inside the BoxWhat the computer owner actually has possession of

8


10/22


Outside the Box

Online Email Accounts (Gmail and Yahoo)

Internet Shopping AccountsSocial Networking Accounts

What is not stored on the owners computer

ac ups o ex messagesCell Site Location DataUsing Pen/Trap for Internet DRAS informationUsing Pen/Trap for Internet DRAS informationSubscriber account recordsSubscriber account recordsContents of WebsitesContents of Websites

Outside the BoxWhat is not stored on the owners computer

Computer ForensicsComputer Forensics

9


11/22


Computer ForensicsComputer ForensicsObtaining,Obtaining,

Processing,Processing,

Authenticating, andAuthenticating, and

ProducingProducing

digital data/records for legal proceedings.digital data/records for legal proceedings.

Computer ForensicsComputer ForensicsUsually preUsually pre- -defined procedures followeddefined procedures followedbut flexibility is necessary as the unusualbut flexibility is necessary as the unusualwill be encounteredwill be encountered

Was lar el ostWas lar el ost- -mortemmortem Whats on the hard drive?Whats on the hard drive?

Rapidly evolvingRapidly evolving Ex:Ex:

From Pull the plugFrom Pull the plugtoto

Dont power down before you know whats on itDont power down before you know whats on it

Branches, Evolutionary trendsBranches, Evolutionary trendsComputer forensicsComputer forensics

Network forensicsNetwork forensicsLive forensicsLive forensics

Image forensicsImage forensics

Mobile device forensicsMobile device forensicsBrowser forensicsBrowser forensics

Triage forensicsTriage forensicsDistributed forensics

10


12/22


Digital Digital KnowledgeKnowledgeand Intent Evidenceand Intent Evidence

Evidence that the CP files were purposely collectedEvidence that the CP files were purposely collected CP found in computers allocated space?CP found in computers allocated space?

In folders assigned to particular user of the computer?In folders assigned to particular user of the computer? Files organized, given relevant folder/file titles?Files organized, given relevant folder/file titles? Default settings of the computers software changed?Default settings of the computers software changed?

v ence t at was o ta n e v a e rows n gv ence t at was o ta n e v a e rows n g Evidence in the Index.dat files of web searches for CP?Evidence in the Index.dat files of web searches for CP? CP found in the Temporary Internet Files?CP found in the Temporary Internet Files? Any CPAny CP--related Bookmarks/Favorites saved?related Bookmarks/Favorites saved?

Evidence that the CP was viewed by a userEvidence that the CP was viewed by a user Any Recent Files/Link Files to the CP?Any Recent Files/Link Files to the CP? Windows Registry list other devices (scanners, thumb drives, etc.)Windows Registry list other devices (scanners, thumb drives, etc.)

recently connected to the computer?recently connected to the computer? AnyAny Thumbs.dbThumbs.db files containing CP?files containing CP? Any CP videos listed in Windows Media Player/Real Player histories?Any CP videos listed in W indows Media Player/Real Player histories?31

Basic StepsBasic StepsAAcquiringcquiring (and preserving)(and preserving)

evidence without altering orevidence without altering ordamaging original datadamaging original data

u en ca ngu en ca ng acqu re ev enceacqu re ev enceby showing its identical to databy showing its identical to dataoriginally seizedoriginally seized

AAnalyzingnalyzing (searching for) the(searching for) the

evidence without modifying itevidence without modifying it

Popular Automated ToolsPopular Automated Tools

EncaseGuidance Softwarehttp://www.guidancesoftware.com/computer-forensics-

ediscovery-software-digital-evidence.htm

Forensic Tool Kit (FTK)Access Data

11


13/22


Skills / Expertise RequiredSkills / Expertise Required

TechnicalTechnical

Data processing and productionData processing and productionInvestigativeInvestigative n erstan ng computer ev encen erstan ng computer ev ence Building a caseBuilding a case

LegalLegal Maintaining chain of custodyMaintaining chain of custody Managing digital evidence per the rulesManaging digital evidence per the rules

CertificationsCertifications

Various offeredVarious offered IACISs CFCEIACISs CFCE Guidance Softwares Encase CEGuidance Softwares Encase CE

ss

Some states require P.I. licensesSome states require P.I. licensesGrowing number of schools offeringGrowing number of schools offeringcertificate and degree programscertificate and degree programsBut no uniform, accepted standardsBut no uniform, accepted standards

Acquiring the EvidenceAcquiring the EvidenceSeizing computer (bag and tag)Seizing computer (bag and tag)Handling computer evidence carefullyHandling computer evidence carefully Chain of custodyChain of custody Evidence collection (including volatile memory)Evidence collection (including volatile memory)

Evidence identificationEvidence identification TransportationTransportation StorageStorageMaking at least two images of each containerMaking at least two images of each container Perhaps 3rd in criminal casePerhaps 3rd in criminal caseDocumenting, Documenting, DocumentingDocumenting, Documenting, Documenting

12


14/22


Preserving Digital EvidencePreserving Digital EvidenceThe Forensic Image or DuplicateThe Forensic Image or Duplicate

A virtual clone of the entire drive

Every bit & byteErased & reformatted dataData in slack & unallocated spaceVirtual memory data

Authenticating the EvidenceAuthenticating the EvidenceProving that evidence to be analyzed isProving that evidence to be analyzed isexactly the same as what suspect/partyexactly the same as what suspect/partyleft behindleft behind Readable text and pictures dont magicallyReadable text and pictures dont magically

appear at randomappear at random Calculating hash values for the originalCalculating hash values for the original

evidence and the images/duplicatesevidence and the images/duplicatesMD5MD5 (Message(Message- -Digest algorithm 5)Digest algorithm 5)SHASHA (Secure Hash Algorithm)(Secure Hash Algorithm)((NSANSA/ /NISTNIST))

What Is a Hash Value?An MD5 Hash is a 32 character string that looks

like:

Acquisition Hash:3FDSJO90U43JIVJU904FRBEWH

er ca on as :3FDSJO90U43JIVJU904FRBEWH

The Chances of two different inputs producingthe same MD5 Hash is greater than:

1 in 340 Unidecillion: or 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000

13


15/22


Hashing Tools Examples

http://www.miraclesalad.com/webtools/md5.phphttp://www.fileformat.info/tool/md5sum.htmhttp://www.slavasoft.com/hashcalc/index.htm

Also, AccessDatas FTK Imager can bedownloaded free at

http://www.accessdata.com/downloads.html

MD5MD5 HashHash128128--bit (16bit (16--byte)byte) message digest message digest

a sequence of 32 charactersa sequence of 32 charactersThe quick brown fox jumps over the lazyThe quick brown fox jumps over the lazy

dogdog9e107d9d372bb6826bd81d3542a419d69e107d9d372bb6826bd81d3542a419d6

The quick brown fox jumps over the lazyThe quick brown fox jumps over the lazydog.dog.

e4d909c290d0fb1ca068ffaddf22cbd0e4d909c290d0fb1ca068ffaddf22cbd0

http://www.miraclesalad.com/webtools/md5.php

14


16/22


Hashing an ImageHashing an Image

MD5MD5

021509c96bc7a6a47718950e78e7a371021509c96bc7a6a47718950e78e7a371

SHA1

MD5ea8450e5e8cf1a1c17c6effccd95b484

SHA101f57f330fb06c16d5872f5c1decdfeb88b69cbc

Analyzing the EvidenceAnalyzing the EvidenceWorking on bitWorking on bit- -stream images of thestream images of theevidence; never the originalevidence; never the original

Prevents damaging original evidencePrevents damaging original evidence Two backups of the evidenceTwo backups of the evidence

One to work onOne to work onOne to copy from if working copy alteredOne to copy from if working copy altered

Analyzing everythingAnalyzing everything Clues may be found in areas or filesClues may be found in areas or files

seemingly unrelatedseemingly unrelated

Analysis (contd)Analysis (contd)Existing FilesExisting Files MislabeledMislabeled HiddenHidden

Deleted FilesDeleted Files Trash BinTrash Bin Show up in directory listing withShow up in directory listing with in placein place

of first letterof first lettertaxes.xls appears as taxes.xls appears as axes.xlsaxes.xls

Free SpaceFree SpaceSlack SpaceSlack Space

15


17/22


Forms of EvidenceForms of EvidenceFilesFiles Present / ActivePresent / Active (docs, spreadsheets, images,(docs, spreadsheets, images,

email, etc.)email, etc.)

ArchivedArchived (including as backups)(including as backups) DeletedDeleted (in slack and unallocated space)(in slack and unallocated space) Tem orarTem orar cache rint records Internet usa ecache rint records Internet usa e, ,, ,

records, etc.)records, etc.) Encrypted or otherwise hiddenEncrypted or otherwise hidden Compressed or corruptedCompressed or corrupted

FragmentsFragments ParagraphsParagraphs SentencesSentences WordsWords

Sources of Digital GoldSources of Digital GoldInternet historyInternet historyTemp files (cache, cookies etc)Temp files (cache, cookies etc)Slack/unallocated spaceSlack/unallocated spaceBuddy lists, chat room records, personal profiles, etc.Buddy lists, chat room records, personal profiles, etc.News groups, club listings, postingsNews groups, club listings, postingsSettings, file names, storage datesSettings, file names, storage datesMetadata (email header information)Metadata (email header information)Software/hardware addedSoftware/hardware addedFile sharing abilityFile sharing ability

EmailEmail

How Data Is StoredHow Data Is Stored

TrackTrack

SectorSector

ClustersClusters aregroups of sectors

16


18/22



Files are written to ClustersClusters

Each file may occupyEach file may occupymore or less than fullmore or less than full

clustersclusters ____ ____

May write to nonMay write to non- -contiguous clusterscontiguous clusters

Free SpaceFree SpaceCurrently unoccupied, orCurrently unoccupied, orunallocated spaceunallocated spaceMay have held information beforeMay have held information beforeValuable source of dataValuable source of data

Files that have been deletedFiles that have been deleted Files that have been moved duringFiles that have been moved during

defragmentationdefragmentation

Old virtual memoryOld virtual memory

Slack SpaceSlack SpaceSpace not occupied by an activeSpace not occupied by an activefile, but not available for use by thefile, but not available for use by theoperating systemoperating system

17


19/22


Every file in a computer fills aEvery file in a computer fills a

minimum amount of spaceminimum amount of space In some old computers, one kilobyteIn some old computers, one kilobyte


, ytes . n newer computers,, ytes . n newer computers,32 KB (32,768 bytes).32 KB (32,768 bytes).

If file is 2,000 bytes long, everythingIf file is 2,000 bytes long, everythingafter the 2000after the 2000 thth byte is slack space.byte is slack space.

File B(Draft

in RAM)

File Bsaved

to disk,

File Bover-writes

File B(Savedto disk)

How Slack Is GeneratedHow Slack Is Generated

File B(Now

on disk)

File A(Erased,on disk)

on topof File A

part oFile A,

creatingslack

Remainsof File A(Slack)

Slack space : The area between the endof the file and the end of the storage unit

Selected Trendsin Digital Forensics

Browser Forensics

Triage Forensics

18


20/22


Browser ForensicsBrowser Forensics

Web browsers (e.g. Microsoft InternetExplorer, Mozilla Firefox, Safari, Opera)maintain histories of recent activity,even if not web related

Internet HistoryInternet History

Computers store Internet history in anumber of locations including:

emporary nternet es Windows Registry Browser / Search Term history Cookies

This information is browser specific

56

Triage Forensics

Rolling forensics, or on-site previewImage scan

Especially useful in knock & talkconsent situations, screening multiplecomputers to determine which to seize, orprobation or parole monitoringNot all agencies equipped or trained yetto do this.

19


21/22


Triage Forensics

Increasingly important, as the number and

storage capacities of devices rapidly grow.But does NOT enable a comprehensive

device on the scene.

When is enoughWhen is enough enoughenough??

Triage Forensics - Steps

Attach/Install write-blocking equipmentTurn on target deviceScan for file extensions, such as:

.doc

.jpg (.jpeg)

.mpg (.mpeg)

.avi

.wmv

.bmp

Triage Forensics - StepsAttach/Install write-blocking equipmentTurn on target deviceScan for file extensions, such as:

.doc

.jpg (.jpeg)

.mpg (.mpeg)

.avi

.wmv

.bmp

20


22/22


Triage Forensics - Steps

Pull up thumbnail views - 10-96 images at a time

Right click on image, save to CD or separatedrive.Determine file structure or file path.

Resources

https://blogs.sans.org/computer-forensics/ http://www.e-evidence.info/biblio.html

http://craigball.com/

E.g., What Judges Should Know About Computer Forensics (2008)

Questions?Questions?

662662--915915--68986898

[email protected]@olemiss.edu

www.ncjrl.orgwww.ncjrl.org

D1 Digital Ev Locations

Documents

Transcript of D1 Digital Ev Locations