Computer Forensics - Long Island University



What you will find in this presentation
◦ What is computer forensics?
◦ The four “A”s
◦ How disk storage works in your case
 How files live on disk
 Where evidence might reside
 What is slack space?
 What is unallocated space?
◦ Hex & ASCII representation
◦ Tools
◦ Steganography, recovering hidden data


Requirements
Glossary


What is computer forensics?
Digital version of “CSI”
Finds evidence of incidents on digital
equipment
◦ Computers & drives
◦ PDA’s
◦ iPods
◦ Cell phones
◦ Digital cameras & flash cards
◦ Network equipment
Evidence must stand up in court




The four “A”s
◦ Acquire
◦ Archive
◦ Analyze
◦ Attest

Crime Scene Considerations
 Identify and acquire the evidence
 Safeguard and process physically
◦ Prints and trace evidence
 Handling of magnetic media (drives, floppies, etc)
◦ Keep away from magnets, machinery which generates
magnetic fields, and static electricity (no plastic evidence
bags, which build up static)
 Note where found, under what circumstances
 The nature of digital material widens where it might be hidden
◦ Between pages of a book
◦ Inside a device
 Locate material which may assist
◦ User manuals, lists, passwords which might be written down

Identify sources of information
◦ hard drives
◦ disks (floppy, CD, DVD)
◦ other devices
 Digital cameras
 Cell phones
 PDA’s


Technician must understand technology
required to ‘archive’ information
Once seized as evidence, the technician will
then create a bit-for-bit forensic image and
make it available to the analyst

Image is a ‘bit-for-bit’ snapshot of the disk
◦ This image is used by the analyst
◦ The image contains everything on the disk
 Files, deleted files, “dead space” on disk, etc…
 Can’t read it directly
 The forensic software ‘interprets’ the image and “sees” all the
files on the disk
◦ Acquire through a write blocker and record a hash (e.g. MD5 or SHA-1)
of both the original and the image; matching hashes are what let you
later attest that the copy is faithful

NEVER use the original media unless there is no other
alternative… always use the bit-for-bit image if
possible
◦ If you ever need to use the original material, document it
along with the reason

2008 CSI Challenge
◦ Teams will be provided a ‘bit-for-bit image’ for analysis
◦ Your team will not have to create this image


Examination of your evidence
In Forensic Toolkit (FTK)
◦ Create a New or Open an Existing case
◦ Add evidence to the case
 Drive (hard disk, floppy, USB flash drive, etc)
 Previously acquired bit-image
 2008 CSI Challenge teams will use this option
 A Folder and its contents
 Individual files

Find the evidence
◦ Examine the structure of the disk itself
 hidden data
◦ Suspicious files
 Renamed, altered or deleted
◦ Search for ‘strings’
◦ (a string is a group of characters, such as a name,
credit card number, or even a fragment of a word)
 in files
 in deleted files
 in ‘dead space’ (slack or unallocated, explained later)

Look for ‘stuff’ in plain sight

Look for hidden evidence
◦ Files, emails, etc
◦ Files renamed to appear as different file types
 Word document renamed as a ‘jpg’ image file
 Stego’d file (see later)
◦ Encrypted files
 Password required
 Locate password
 In existing evidence
 At crime scene
 Guess password (important dates, names, etc)
 Might require personal knowledge about suspect’s background
 ‘Crack’ the password using a computer program
 (not an option for 2008 CSI Challenge… not enough time)

File anomalies (irregularities)
◦ File name does not match the file type
 An internal “signature” in the file indicates the type of file
 Signatures are also called “magic numbers”
 A JPEG starts with the bytes FF D8 FF and usually carries “JFIF” (or
“Exif”) a few bytes in; seeing that inside a file named “.txt” means it’s
really an image, whatever the filename says
◦ File times are inconsistent
 MAC times (Modified, Accessed, Created on Windows; on Unix systems the
“C” is the inode change time)
 A creation time later than the modification time is possible (copying a
file on NTFS gives the copy a new creation time but keeps the original
modification time), so it is a lead to explain rather than proof of tampering
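The two anomaly checks above, as an added Python example (not part of the original slides and not FTK’s own signature table): a short list of well-known magic numbers, a JFIF/Exif marker check, an extension-versus-content comparison, and a created-after-modified test. The sample files are constructed for the demonstration.

```python
"""Detect file-name / file-type mismatches from the file's own "magic number",
and flag a creation time later than the modification time.  Added example with
constructed sample data; this is not FTK's signature table, just a handful of
well-known headers."""
from __future__ import annotations
import os
from datetime import datetime

# Magic numbers at the very start of the file.  Every entry is a fact about
# the format, but the list is deliberately short.
SIGNATURES: dict[str, list[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],                      # JPEG SOI marker
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],                        # also .docx/.xlsx/.jar
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2: Word/Excel/PowerPoint 97-2003
    "exe": [b"MZ"],                                # also .dll
}
# Extensions that legitimately wrap the same container format.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "jar": "zip", "xls": "doc", "ppt": "doc", "dll": "exe"}
TEXT_EXTENSIONS = ("txt", "log", "csv", "ini")

def identify(data: bytes) -> str:
    """Return the type the content claims to be: a SIGNATURES key, 'text'
    for plain printable ASCII, or 'unknown'."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"

def has_jfif_marker(data: bytes) -> bool:
    """The "JFIF" (or "Exif") tag sits at offset 6, right after the SOI marker
    and the APP0/APP1 segment header."""
    return data[:3] == b"\xff\xd8\xff" and data[6:10] in (b"JFIF", b"Exif")

def extension_mismatch(filename: str, data: bytes) -> bool | None:
    """True if the name's extension disagrees with the content, False if they
    agree, None if the content is not something this table recognises."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = "text" if ext in TEXT_EXTENSIONS else ALIASES.get(ext, ext)
    actual = identify(data)
    if actual == "unknown":
        return None
    return claimed != actual

def time_anomaly(created: datetime, modified: datetime) -> bool:
    """Created-after-modified.  Copying a file on NTFS produces exactly this
    (new Created, preserved Modified), so it is a lead to explain, not proof."""
    return created > modified

def audit(files: dict[str, bytes]) -> list[str]:
    """Names of files whose content does not match their extension."""
    return [n for n, d in files.items() if extension_mismatch(n, d)]

if __name__ == "__main__":
    # Constructed samples, not real evidence.
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20
    sample = {"notes.txt": jpeg_head, "photo.jpeg": jpeg_head,
              "memo.docx": b"PK\x03\x04" + b"\x00" * 16, "readme.txt": b"hello\n"}
    print(audit(sample))                                                # ['notes.txt']
    print(time_anomaly(datetime(2008, 3, 2), datetime(2008, 1, 15)))  # True
```

Note that `audit` returns `notes.txt` but not `memo.docx`: a .docx is a zip container, so the PK header is exactly what it should carry. Real signature tables (FTK’s included) are far longer and check several offsets, but the logic is the same.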

Compressed files (zip or other format)
◦ May be passworded, contain many files bundled into one
file
◦ You should know how to “unzip” a file if it’s compressed or
“zipped”
 File ends in ‘.zip’

Critical thinking: the investigative part!
◦ incriminating evidence
 (or exculpatory… excluding a suspect)
◦ discovering new avenues of inquiries




Where evidence might reside
Emails
Recently used documents
Visited websites
Snippets or fragments of information
◦ Including slack space…

Saving the evidence for future use once
you’re done with the case
◦ In case you need to review your work

Reporting of analysis results
◦ written competency

Testimony
◦ expert witness
◦ verbal and non-verbal skills

Any reporting of results by 2008 CSI
Challenge teams should be clear, legible, and
written in whole sentences that state your findings

This is a basic explanation of how
information is stored on a computer’s disk
◦ Byte
 The basic unit of storage
 Roughly equivalent to a ‘character’
 1,000,000 bytes = 1 megabyte (1 MB; strictly 1,048,576 in the binary
convention Windows uses, and “Mb” means megabit, one eighth as much)
 Holds about a million typewritten characters
◦ Sector
 How bytes are organized on disk
 512 bytes per sector on the drives of this era (newer “Advanced Format”
drives use 4096-byte physical sectors)
◦ Cluster
 A group of sectors; the smallest unit the file system hands out to a file
 Floppy disk: 1 sector per cluster
 Hard drive: depends on system


Sectors are grouped into ‘clusters’
a cluster can be
◦ 1 sector/cluster (512 bytes)
◦ 2 sectors/cluster (1024 bytes)
◦ 4 sectors/cluster (2048 bytes)
◦ 8 sectors/cluster (4096 bytes)
on a floppy, we use one sector / cluster
when we need space for a file, the system
gives us a cluster (not just a sector)

When we write a file using a cluster
◦ We have “left over” room in the cluster
 This is called “slack space”

Information can reside in slack space
◦ It is whatever the cluster held before this file was written, or
whatever the system padded it with
◦ You cannot say that the person who wrote the file in that cluster
also put the slack information there
Clusters can be reused once a file is deleted
 They’re put back into a pool of unallocated clusters
◦ (they don’t belong to any file)
◦ If these clusters haven’t been used for writing a
new file, it’s possible to recover this ‘deleted’ file


Cluster (512 bytes)
we write about 100 bytes
◦ the rest is ‘slack’
[Figure: an example of a cluster containing information. The ~100 bytes of
file data read “Dear Sir; We have read your proposal, and … no thanks blah
blah…”; the remainder of the 512-byte cluster is slack.]
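To make the slack and unallocated-space points concrete, here is an added Python model of a tiny volume (not from the original slides and not a real FAT or NTFS implementation). It assumes 4 sectors per cluster, first-fit allocation of the lowest free cluster, and the Windows NT-family behaviour of zero-filling the tail of the last sector actually written (early DOS instead wrote whatever happened to be in memory there, which is why slides of this era expect readable slack even at one sector per cluster). The letter, note and “secret” files are constructed data.

```python
"""Toy volume model showing where slack space and unallocated clusters come
from and why old data can be read back out of them.  Added illustration with
constructed data; the allocation table is a plain dict, not a real FAT/NTFS,
and every file here fits in one cluster."""
from __future__ import annotations

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER   # 2048 bytes, one of the sizes listed above

class Volume:
    def __init__(self, clusters: int):
        self.data = bytearray(CLUSTER * clusters)
        self.table: dict[str, tuple[int, int]] = {}   # name -> (cluster, size)
        self.free = set(range(clusters))

    def write_file(self, name: str, content: bytes) -> int:
        """Allocate the lowest free cluster (first-fit, like FAT) and write the
        file the way Windows NT-family drivers do: whole sectors are written,
        so the tail of the last sector holding data is zero-padded ("RAM
        slack"), while the untouched sectors after it keep whatever they held
        before ("file slack")."""
        if len(content) > CLUSTER:
            raise ValueError("this toy only allocates one cluster per file")
        c = min(self.free)
        self.free.remove(c)
        base = c * CLUSTER
        used_sectors = -(-len(content) // SECTOR)        # ceiling division
        padded = content.ljust(used_sectors * SECTOR, b"\x00")
        self.data[base:base + len(padded)] = padded
        self.table[name] = (c, len(content))
        return c

    def delete_file(self, name: str) -> None:
        """Deletion only returns the cluster to the free pool; bytes stay put."""
        c, _ = self.table.pop(name)
        self.free.add(c)

    def region_of(self, offset: int) -> str:
        """Which region an image offset lies in: live file data, that file's
        slack, or unallocated space."""
        c, within = divmod(offset, CLUSTER)
        for name, (fc, size) in self.table.items():
            if fc == c:
                return f"file:{name}" if within < size else f"slack:{name}"
        return "unallocated"

    def slack_of(self, name: str) -> bytes:
        c, size = self.table[name]
        return bytes(self.data[c * CLUSTER + size:(c + 1) * CLUSTER])

    def search(self, needle: bytes) -> list[tuple[int, str]]:
        """Every hit across the whole image, labelled with its region."""
        hits, start = [], 0
        while (i := self.data.find(needle, start)) != -1:
            hits.append((i, self.region_of(i)))
            start = i + 1
        return hits

def slack_bytes(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Slack a file of this size leaves in its final cluster."""
    return (-file_size) % cluster_size

def demo() -> dict:
    vol = Volume(clusters=4)
    # Constructed sample: a letter fills cluster 0 and is then deleted...
    letter = (b"Dear Sir; We have read your proposal, and ... no thanks. " * 40)[:CLUSTER]
    vol.write_file("letter.txt", letter)
    vol.delete_file("letter.txt")
    # ...a 100-byte file reuses that cluster, leaving 1948 bytes of slack...
    vol.write_file("note.txt", b"X" * 100)
    # ...and a second file is deleted from a cluster nobody has reused.
    vol.write_file("secret.txt", b"account 4111-1111-1111-1111 transferred")
    vol.delete_file("secret.txt")
    return {
        "slack_bytes": slack_bytes(100),
        "slack_has_old_letter": b"proposal" in vol.slack_of("note.txt"),
        "ram_slack_zeroed": vol.data[100:SECTOR] == bytes(SECTOR - 100),
        "regions": sorted({r for _, r in vol.search(b"proposal")}),
        "card_hit": vol.search(b"4111-1111")[0][1],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run shows that the slide only states: the old letter is still readable in `note.txt`’s slack even though nobody who wrote `note.txt` put it there, and the card number from the deleted `secret.txt` turns up in a region the table labels `unallocated`, which is exactly how a search hit tells you whether it came from a live file, slack, or deleted space.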

Now, for the 2008 CSI Challenge you might see
hexadecimal notation of the disk’s data,
along with the “English” readable data
◦ This is presented so that you’ll recognize it when
you see it while using FTK (see the next screen)
◦ You will not be responsible for knowing “hex”
◦ Computers really only know “numbers”
 Certain numbers (values) are associated with letters of
the alphabet
 For example a value of “44” in hexadecimal is an upper case
“D”, a hex “20” is a space, and a “64” value is a lower case “d”
 This is called the ASCII code
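The hex-plus-ASCII panel and the string search described above, as an added Python example (not from the original slides, and mimicking the classic hexdump layout rather than FTK’s exact panel): a dump routine, extraction of printable runs the way the Unix `strings` tool does it, the same for the UTF-16LE encoding Windows uses for many of its own strings, and a search that finds a name stored either way. All input is constructed.

```python
"""Hex + ASCII view of raw bytes, and the two string extractions a forensic
search relies on (plain ASCII runs, and the UTF-16LE runs Windows uses for
many of its own strings).  Added example with constructed input; the layout
mimics the classic hexdump/xxd style rather than FTK's exact panel."""
from __future__ import annotations

def hexdump(data: bytes, base: int = 0, width: int = 16) -> list[str]:
    """One line per `width` bytes: offset, hex values, then the same bytes as
    ASCII with anything unprintable shown as '.'."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08x}  {hexpart}  |{asc}|")
    return lines

def ascii_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """(offset, text) for every run of printable ASCII at least min_len long,
    the way the Unix `strings` tool works.  Works on raw slack or unallocated
    space just as well as on a file."""
    out, start = [], None
    for i, b in enumerate(data + b"\x00"):          # sentinel flushes the last run
        if 32 <= b < 127:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                out.append((start, data[start:i].decode("ascii")))
            start = None
    return out

def utf16le_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Same idea for little-endian UTF-16, where each ASCII letter is followed
    by a 0x00 byte (so "Bob" is 42 00 6f 00 62 00)."""
    out, start, chars, i = [], None, [], 0

    def flush():
        if start is not None and len(chars) >= min_len:
            out.append((start, "".join(chars)))

    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if hi == 0 and 32 <= lo < 127:
            if start is None:
                start = i
            chars.append(chr(lo))
            i += 2
            continue
        flush()
        start, chars, i = None, [], i + 1   # resynchronise one byte at a time
    flush()
    return out

def search(data: bytes, needle: str) -> list[int]:
    """Offsets of `needle` whether stored as ASCII or as UTF-16LE."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        n, pos = needle.encode(enc), 0
        while (pos := data.find(n, pos)) != -1:
            hits.append(pos)
            pos += 1
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample: a fragment of text followed by a UTF-16LE name.
    blob = b"\x00\x01john\x00\xffsmith1234\x00ab\x00\x00" + "Alice".encode("utf-16-le")
    print("\n".join(hexdump(b"Dear Sir; We have read your proposal")))
    print(ascii_strings(blob))     # [(2, 'john'), (8, 'smith1234')]
    print(utf16le_strings(blob))   # [(22, 'Alice')]
    print(search(blob, "Alice"))   # [22]
```

The UTF-16 pass matters in practice: a name typed into a Windows dialog or stored in a registry value will not show up in an ASCII-only search, because every letter is separated by a zero byte.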

Software such as FTK (which you will be using) contains tools that
allow you to:
◦ Acquire an evidence image
◦ Identify deleted files
 Possibly recover a deleted file
◦ Search the bit image
◦ Search for a string of text (last name, etc)
 Identify files containing the string
 Identify whether that area belongs to a file or lies in slack space
◦ Examine attributes of files
 Hidden
 Deleted
 File times
 Mismatch between file name and actual file type
 ‘bad signature’ (a txt file might actually be a ‘jpg’ file)
◦ Show thumbnails of picture type files
◦ Export files (or fragments) (collect them in one spot)
◦ Bookmark critical findings (highlight relevant findings)
◦ Document case for report (times, investigator, etc)

Existing software
◦ Word, Adobe, etc
 Open files of that format
◦ Analyst must know how the application software
works

PKZIP, WinZip, WinRAR
◦ Extract compressed files

Steganography (S-Tools)
◦ Extract files from a “stego’d” file
◦ S-Tools will use BMP, GIF or WAV files as
‘containers’ to hide other files
◦ Can be used to reveal and extract hidden files


Forensic ToolKit (AccessData)
Demo version allows examination of cases
with a max of 5000 files
◦ Add your evidence image file
◦ Analyze it
◦ Document your results

You will use FTK to add your evidence to a
new case and analyze it

Hidden information inside a file
 A file inside a file (container file and message file)
 Can be passworded / encrypted

The “container” (stego’d) file is either a “bmp” or
“gif” image type
◦ Can also be an ‘audio’ file
 On a hard drive, or on someone’s iPod, etc…


Stego’d container files can be embedded in a Word (or other)
document or a webpage, or sit as a “standalone”
file on someone’s hard drive
S-Tools can be downloaded to reveal stego’d
evidence
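To show what “hidden writing” inside a picture actually is, here is an added Python example (not from the original slides, and not S-Tools’ own file layout) of least-significant-bit steganography in a 24-bit BMP: a constructed gradient image is built in memory, a message is written into the lowest bit of each pixel byte behind a length prefix, and the same routine reads it back. The passphrase encryption that S-Tools applies before hiding is deliberately omitted; `make_bmp`, `hide` and `reveal` are this example’s own names.

```python
"""Least-significant-bit steganography in a 24-bit BMP: hide a file in the
lowest bit of each pixel byte, recover it, and show the pixels changed by at
most 1 out of 255, which is why the cover looks unchanged.  Added example
with a constructed cover image; it demonstrates the LSB technique, not
S-Tools' own file layout, and omits the passphrase encryption S-Tools adds."""
from __future__ import annotations
import struct

def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal uncompressed 24-bit BMP (14-byte file header + 40-byte
    BITMAPINFOHEADER); rows are padded to a 4-byte boundary."""
    row_raw = width * 3
    row = (row_raw + 3) & ~3
    pad = b"\x00" * (row - row_raw)
    body = b"".join(pixels[y * row_raw:(y + 1) * row_raw] + pad for y in range(height))
    offset = 14 + 40
    header = struct.pack("<2sIHHI", b"BM", offset + len(body), 0, 0, offset)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return header + info + body

def _pixel_offset(bmp: bytes) -> int:
    """Offset of the pixel array, stored at byte 10 of the file header."""
    return struct.unpack_from("<I", bmp, 10)[0]

def _bits_to_bytes(bits: list[int]) -> bytes:
    return bytes(sum(bit << k for k, bit in enumerate(bits[j:j + 8])) for j in range(0, len(bits), 8))

def hide(cover: bytes, secret: bytes) -> bytes:
    """Write a 4-byte length prefix plus the secret, LSB-first, into successive
    pixel bytes.  Header bytes are never touched."""
    off = _pixel_offset(cover)
    payload = struct.pack("<I", len(secret)) + secret
    bits = [(byte >> k) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover) - off:
        raise ValueError(f"cover holds at most {(len(cover) - off) // 8 - 4} bytes")
    out = bytearray(cover)
    for k, bit in enumerate(bits):
        out[off + k] = (out[off + k] & 0xFE) | bit
    return bytes(out)

def reveal(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the pixel LSBs.
    An implausible length means the image is probably not carrying anything."""
    off = _pixel_offset(stego)
    lsb = [b & 1 for b in stego[off:]]
    n = struct.unpack("<I", _bits_to_bytes(lsb[:32]))[0]
    if n > (len(lsb) - 32) // 8:
        raise ValueError("length prefix exceeds capacity; no LSB payload found")
    return _bits_to_bytes(lsb[32:32 + 8 * n])

def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference between cover and stego pixel data."""
    off = _pixel_offset(cover)
    return max(abs(a - b) for a, b in zip(cover[off:], stego[off:]))

def demo() -> dict:
    w, h = 64, 64
    # Constructed cover: a colour gradient, not a real photograph.
    pixels = bytes(b for y in range(h) for x in range(w) for b in ((x * 4) & 0xFF, (y * 4) & 0xFF, 128))
    cover = make_bmp(w, h, pixels)
    secret = b"meet at the pier, 2am"
    stego = hide(cover, secret)
    return {"recovered": reveal(stego),
            "same_size": len(stego) == len(cover),
            "header_untouched": stego[:54] == cover[:54],
            "max_change": max_pixel_change(cover, stego),
            "empty_cover": reveal(cover)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The forensic lesson is in `same_size` and `max_change`: the stego’d file is byte-for-byte the same length as the cover and no pixel value moved by more than one, so file size and a visual check will not give it away. A real tool such as S-Tools also encrypts the payload under a passphrase, which is why the slides stress locating or guessing that passphrase.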

Requirements
Laptop
◦ CD / ROM drive
◦ Software
 Windows XP or Vista
 Microsoft Office (2003 or better)
 Access Data’s Forensic ToolKit (FTK)
 S-Tools
 WinZip or capability to unzip files on your drive
◦ Should already be built into Windows when you right-click
on a zipped filename

Tutorials (including this) can be found on the
website

Glossary

ASCII
◦ Computers only know numbers. ASCII is a ‘code’
that associates numbers with letters or characters
of the alphabet.

Bit
◦ Binary digit; a ‘one’ or a ‘zero’

Byte
◦ Grouping of eight bits, representing a numerical
value from 0 to 255
◦ Can also represent a “character” or letter of the
alphabet

Bit-for-bit image
◦ Also known as a bitstream image
◦ A “snapshot” of a piece of evidence, taken in a
forensically sound manner (no alteration of original
evidence)

Bitstream image
◦ See bit-for-bit image

Cluster
◦ A group of sectors. Files are written by the system
using clusters
 Floppy clusters are 1 sector per cluster
 Hard drives vary (common to find 8 sectors / cluster)

Compression (of files)
◦ a method of making a large file smaller by encoding
repeated sequences of data more compactly
 See “zip” files

Encryption
◦ Used to make information unreadable unless you
have the key, in practice a password or passphrase
from which the key is derived

Evidence
◦ Something that provides proof
 Could be a hard drive, floppy, USB device, paper notes
or anything containing information

Hexadecimal
◦ Base-16 number notation using the digits 0–9 and A–F. One
byte is written as two hex digits (00 to FF), e.g. 44 for “D”.
See ASCII code

Password
◦ A mechanism which prevents a person from accessing a file
unless a user provides the correct password or passphrase.

Slack or slack space
◦ That area of a cluster belonging to a file, which is “left
over.” Information can be contained in slack space.

Steganography
◦ “Hidden writing.” The process of hiding information inside a
container file. The container picture typically looks no
different after having hidden data inside it. Software such
as S-Tools is used both to hide as well as reveal
information.

Zip file
◦ A compressed file. A zip can contain a single file, or
many files. The zip file can contain a directory
(folder) structure, along with all the files in that
folder. Zip files can also be passworded.

Good luck to all contestants
