Collecting, Seizing, and Protecting Evidence


Proper Procedure

Shutting Down the Computer

  • Prior to shutting the system down, determine what is currently running
  • Using Windows as an example:
    1. Check for running processes
      • use Task Manager > Processes
      • take a picture with external device of all running processes
    2. Check for live connections
      • use netstat for network statistics and current connections
        • look for outside connections
      • use net session to show only the established network communication sessions
      • use the openfiles command to show whether any shared files or folders are open and who has them open
      • photograph all results
    3. Capture memory
      • run tools from a USB device
      • tools:
        • OSForensics
        • Magnet RAM Capture
        • DumpIt
        • FTK
    4. Document device surroundings and attachments
      • cables, devices, etc.
    5. Document all actions
    6. Shut down machine
      • recommended to pull the plug rather than use the normal power-down process
      • malware could destroy evidence
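
The capture steps above, as an added example that is not part of the original notes: a small Python script that runs the read-only query commands the notes name (tasklist as the Task Manager equivalent, netstat, net session, openfiles), records when each ran and a SHA-256 of what it returned, and writes the whole record to a JSON log whose hash goes on the chain-of-custody form. The Windows command list mirrors the notes; the portable list is a stand-in assumed for running the script on a non-Windows host. Run it from the USB device, not from the suspect drive.

```python
"""Capture volatile state before shutdown and document each action.

Added example (not from the original notes). Runs a list of read-only
commands, records when each ran, what it returned and a SHA-256 of the
captured output so the record can later be shown to be unaltered.
"""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone

# Commands from the notes (Windows). 'net session' and 'openfiles' need an
# elevated prompt. All of them are read-only queries.
WINDOWS_COMMANDS = [
    ["tasklist", "/v"],        # running processes (Task Manager equivalent)
    ["netstat", "-ano"],       # connections with the owning PIDs
    ["net", "session"],        # established inbound sessions
    ["openfiles", "/query"],   # open shared files and who holds them
]

# Assumed stand-in commands so the example also runs on a non-Windows host.
PORTABLE_COMMANDS = [
    ["uname", "-a"],
    ["ps", "-ef"],
]


def run_and_record(cmd, timeout=60):
    """Run one command and return a documented record of the result."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        output = proc.stdout + proc.stderr
        rc = proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Record the failure too: "document all actions" includes the ones
        # that did not work.
        output = str(exc).encode()
        rc = None
    return {
        "command": " ".join(cmd),
        "started_utc": started,
        "return_code": rc,
        "output_sha256": hashlib.sha256(output).hexdigest(),
        "output_bytes": len(output),
        "output": output.decode("utf-8", errors="replace"),
    }


def collect_volatile(commands):
    """Run every command in order and return the list of records."""
    return [run_and_record(cmd) for cmd in commands]


def write_log(records, path):
    """Write the records as JSON; return the SHA-256 of the log file, which
    is what gets written onto the chain-of-custody form."""
    data = json.dumps(records, indent=2).encode()
    with open(path, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    cmds = WINDOWS_COMMANDS if sys.platform == "win32" else PORTABLE_COMMANDS
    recs = collect_volatile(cmds)
    digest = write_log(recs, "volatile_capture.json")
    for r in recs:
        print(f"{r['started_utc']} rc={r['return_code']} {r['command']}: "
              f"{r['output_bytes']} bytes sha256={r['output_sha256']}")
    print("log sha256:", digest)
```

The photograph of the screen stays in the procedure; the log only adds a hashed, timestamped copy of the same output so the two can be compared later.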

Transporting Computer to Secure Location

  • ensure proper chain-of-custody
  • keep locked in vehicle
  • drive directly to lab

Preparing the System

  • remove drive(s) from suspect machine
  • create chain-of-custody form
  • take photographs of device and connections

Documenting Hardware Configurations of the System

  • photograph system hardware components from all angles
  • label each wire
    • easier to restore to original condition
  • record BIOS/UEFI information
    • document in chain-of-custody form
    • record system time and date
  • after powering on, eject any media that could not be ejected without power
  • create separate chain of custody form for each removed item

Mathematically Authenticating Data on Storage Drives

  • prove you did not alter any evidence after taking possession of suspect computer
  • create a hash of the original and the copy
  • document hashing algorithm used and results
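
Hashing the original and the copy, as an added example that is not part of the original notes: the script reads each file once in chunks (so a multi-gigabyte image never has to fit in memory), computes several algorithms in the same pass, and returns a record naming the algorithms and the digests for the chain-of-custody form. The file names and contents in demo() are constructed; the second comparison flips a single byte in the copy to show that the mismatch is caught.

```python
"""Authenticate a forensic copy against the original by hashing both.

Added example, not from the original notes.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")   # record which ones were used


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for the file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, copy, algorithms=ALGORITHMS):
    """Hash original and copy; return a record stating whether they match."""
    orig = hash_file(original, algorithms)
    dup = hash_file(copy, algorithms)
    return {
        "verified_utc": datetime.now(timezone.utc).isoformat(),
        "original": original,
        "copy": copy,
        "algorithms": list(algorithms),
        "original_hashes": orig,
        "copy_hashes": dup,
        "match": orig == dup,
    }


def demo():
    """Constructed demo: a fake 'drive', an exact copy, and a copy with one
    flipped byte. Returns the two verification records."""
    d = tempfile.mkdtemp()
    original = os.path.join(d, "suspect_drive.img")
    good = os.path.join(d, "image_good.dd")
    bad = os.path.join(d, "image_bad.dd")
    payload = b"constructed drive contents\n" * 10000
    for path, data in ((original, payload), (good, payload),
                       (bad, payload[:100] + b"X" + payload[101:])):
        with open(path, "wb") as fh:
            fh.write(data)
    return verify_copy(original, good), verify_copy(original, bad)


if __name__ == "__main__":
    ok, tampered = demo()
    print("exact copy matches:", ok["match"])
    print("altered copy matches:", tampered["match"])
    for alg, digest in ok["original_hashes"].items():
        print(f"{alg}: {digest}")
```

Recording more than one algorithm costs nothing extra in I/O and means the record still stands if one algorithm is later questioned.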

Handling Evidence

  • 3 basic tasks:
    • find evidence
    • preserve evidence
    • prepare evidence

Collecting Evidence

  • 3 primary data types to collect:
    • volatile data
    • temporary data
    • persistent data
  • carefully secure physical evidence first
  • collect volatile data
    • e.g.,
      • Swap file
        • used to optimize the use of RAM
      • state of network connections
        • capture before system is shut down
      • state of running processes
        • capture before system is shut down
  • collect temporary data
    • temporary data is data that the OS creates and overwrites on its own, without the user taking any direct action to save it
  • collect persistent data

Documenting Filenames, Dates, and Times

  • document and catalog filenames, creation dates, last-modified dates and times
  • catalog all allocated and “erased” files
  • sort files based on filename, file size, file content, creation date and last-modified date and time
  • output should be in a word-processor-compatible file
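
Cataloguing filenames and timestamps, as an added example that is not part of the original notes: the script walks a directory tree without modifying anything in it, records each file's name, size, creation and last-modified times in UTC, sorts on the filename, size and timestamp keys the notes list, and writes a CSV that a word processor or spreadsheet can open. The sample tree in build_sample_tree() is constructed for the demo.

```python
"""Catalog filenames, sizes and timestamps for the evidence report.

Added example, not from the original notes.
"""
import csv
import os
import tempfile
from datetime import datetime, timezone


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def catalog(root):
    """Return one record per file under root; reads metadata only."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow symlinks
            # st_ctime is creation time on Windows but inode-change time on
            # Unix; st_birthtime is the real creation time where it exists.
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append({
                "path": os.path.relpath(path, root),
                "name": name,
                "size": st.st_size,
                "created_utc": _iso(created),
                "modified_utc": _iso(st.st_mtime),
            })
    return records


def sort_records(records, key):
    """Sort by one of the catalogued fields: name, size, created, modified."""
    field = {"name": "name", "size": "size",
             "created": "created_utc", "modified": "modified_utc"}[key]
    return sorted(records, key=lambda r: r[field])


def write_csv(records, path):
    """Write the catalog as CSV; return the number of rows written."""
    fields = ["path", "name", "size", "created_utc", "modified_utc"]
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(records)
    return len(records)


def build_sample_tree():
    """Constructed evidence tree: three files with distinct sizes and mtimes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    samples = [("notes.txt", b"a" * 10, 1_600_000_000),
               ("docs/report.doc", b"b" * 300, 1_500_000_000),
               ("docs/photo.jpg", b"c" * 120, 1_700_000_000)]
    for rel, data, mtime in samples:
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    recs = sort_records(catalog(root), "modified")
    print("rows written:", write_csv(recs, os.path.join(root, "catalog.csv")))
    for r in recs:
        print(r["modified_utc"], r["size"], r["path"])
```

Run it against a mounted read-only image, never against the original drive, so that the catalog itself does not update any access times on the evidence.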

Identifying File, Program, and Storage Anomalies

  • text search programs cannot identify text data stored as binary data
    • e.g.,
      • encrypted files
      • compressed files
      • graphics files
    • require manual evaluation
  • evaluate hidden partitions
  • document:
    • how you found the file
    • what condition it was in
      • partial or full file recovered?
    • when the file was originally saved

Evidence-Gathering Measures

  • Avoid changing the evidence
  • Determine when evidence was created
  • Search throughout the device
  • Determine what you can about encrypted and steganographically hidden files
    • do not attempt to decrypt files
      • instead look for evidence that tells you what is in the files
  • Present the evidence well

What to Examine

  • 3 techniques of examining evidence:
    • Live analysis
    • Physical analysis
      • making a physical copy of the disk
    • Logical analysis
      • uses the target system’s file system to copy data to an image for analysis
      • can miss deleted files
  • 2 easiest things to extract and analyze:
    • list of URLs
    • list of all email addresses
  • next index the different kinds of file formats

Swap File

  • most important type of ambient data
  • used when the OS needs more memory space after RAM is used up
  • contains remnants of:
    • word processing documents
    • emails
    • internet browsing activity
    • database entries
    • many other kinds of work
  • can be temporary or permanent
  • called pagefile.sys in Windows

Unallocated (Free) Space

  • is the leftover area after file deletion
  • when file is deleted
    • only header or reference point is deleted
    • file data remains
    • the space taken by the file is now considered unallocated space
  • only way to clean unallocated space is with cleansing tools
    • called sweepers or scrubbers
    • write over unallocated space to remove evidence

Storage Formats

Magnetic Media

  • data is organized into sectors and clusters, which are arranged in tracks around the platter
  • typical sector size is 512 bytes
  • newer drives use 4096 bytes
  • cluster can be 1-128 sectors
  • susceptible to magnetic interference
    • if a drive is demagnetized, data cannot be recovered
  • 5 types of drive connections:
    • integrated drive electronics (IDE)
    • extended integrated drive electronics (EIDE)
    • parallel advanced technology attachment (PATA)
    • serial advanced technology attachment (SATA)
      • most common
    • serial SCSI

Solid-State Drive

  • use microchips that store data in non-volatile memory
  • no moving parts
  • most use Negated AND (NAND) gate-based flash memory
    • retains data even without power
  • require less power than HDDs

Drive Features

  • features important for forensics
    • host protected area (HPA)
      • area where computer vendors could store data that is protected from user activities and OS utilities
    • master boot record (MBR)
      • requires only 1 sector
      • leaves 62 empty sectors of MBR space for hiding data
    • volume slack
      • space that remains on a hard drive if the partitions do not use all the available space
    • unallocated space
    • good blocks marked bad
      • unused blocks can be marked as bad
      • those blocks can then be used to hide data
    • file slack
      • unused space that is created between the end of file and the end of the last data cluster assigned to the file
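
Sectors, clusters, file slack and unallocated space (the Magnetic Media, Unallocated Space and Drive Features notes), as one added example that is not part of the original notes: a toy in-memory volume with 512-byte sectors and 8 sectors per cluster stores a file, reports its file slack, "deletes" it the way a file system does (drop the directory entry and free the clusters, leave the bytes), shows that the content is still found by scanning unallocated space, and then runs a scrubber over the free clusters. The volume layout, file names and contents are all constructed for the demo.

```python
"""Sectors, clusters, file slack and unallocated space on a toy volume.

Added example, not from the original notes.
"""
import math

SECTOR = 512


class ToyVolume:
    def __init__(self, clusters=16, sectors_per_cluster=8):
        self.cluster_size = SECTOR * sectors_per_cluster   # 4096 bytes
        self.data = bytearray(clusters * self.cluster_size)
        self.free = [True] * clusters        # allocation bitmap
        self.directory = {}                  # name -> (first cluster, size)

    def write_file(self, name, content):
        """Allocate contiguous clusters and store content. The slack after
        the end of the file is left untouched, as a real file system does."""
        needed = math.ceil(len(content) / self.cluster_size)
        for start in range(len(self.free) - needed + 1):
            if all(self.free[start:start + needed]):
                break
        else:
            raise OSError("volume full")
        off = start * self.cluster_size
        self.data[off:off + len(content)] = content
        for c in range(start, start + needed):
            self.free[c] = False
        self.directory[name] = (start, len(content))
        return start

    def delete_file(self, name):
        """Remove only the directory entry and free the clusters; the file's
        bytes stay on the volume as unallocated space."""
        start, size = self.directory.pop(name)
        for c in range(start, start + math.ceil(size / self.cluster_size)):
            self.free[c] = True

    def file_slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        _start, size = self.directory[name]
        return math.ceil(size / self.cluster_size) * self.cluster_size - size

    def unallocated_bytes(self):
        return sum(self.free) * self.cluster_size

    def carve(self, signature):
        """Offsets of signature whose starting cluster is unallocated."""
        hits, pos = [], self.data.find(signature)
        while pos != -1:
            if self.free[pos // self.cluster_size]:
                hits.append(pos)
            pos = self.data.find(signature, pos + 1)
        return hits

    def scrub_unallocated(self):
        """What a sweeper/scrubber does: overwrite every free cluster."""
        for c, is_free in enumerate(self.free):
            if is_free:
                lo = c * self.cluster_size
                self.data[lo:lo + self.cluster_size] = bytes(self.cluster_size)


def demo():
    """Constructed walk-through; returns the numbers at each step."""
    vol = ToyVolume()
    note = b"CONSTRUCTED: meeting at 9, bring the drive\n" * 120   # 5160 bytes
    vol.write_file("note.txt", note)
    result = {"slack": vol.file_slack("note.txt"),
              "unalloc_before": vol.unallocated_bytes(),
              "hits_while_allocated": len(vol.carve(b"CONSTRUCTED"))}
    vol.delete_file("note.txt")
    result["unalloc_after_delete"] = vol.unallocated_bytes()
    result["hits_after_delete"] = len(vol.carve(b"CONSTRUCTED"))
    vol.scrub_unallocated()
    result["hits_after_scrub"] = len(vol.carve(b"CONSTRUCTED"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A 5160-byte file on 4096-byte clusters occupies two clusters and leaves 3032 bytes of file slack; after deletion all 120 copies of the marker are still found in unallocated space, and none after the scrubber runs, which is why a wiped target drive reveals nothing from earlier cases.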

Digital Audio Tape Drives

  • digital audio tape (DAT) drives use 4-mm magnetic tape enclosed in a protective plastic shell
  • tapes can wear out
  • need to restore to a hard drive to analyze

Digital Linear Tape and Super DLT

  • Digital Linear Tape (DLT) is a magnetic tape storage format that uses a linear recording method
  • tape has 128 or 208 total tracks
  • used to store archived data
  • need to restore to hard drive to analyze
  • uncommon

Optical Media

  • optical media include CD-ROMs, DVDs, and Blu-ray discs
  • use high and low polarization to set bits of data
  • CDs have reflective pits that represent the low bit
  • if pit is nonexistent, the data is a 1
  • if pit exists, data is a 0
  • laser mechanism detects the distance to determine if pit is present or absent
    • this is why scratches can cause problems
  • DVDs can hold 4.7 GB single-sided and 9.4 GB double-sided
  • Blu-ray discs can store up to 25 GB per layer
    • can be dual, triple, or quadruple layer
  • should be forensically copied to a clean drive for analysis

USB Drives

  • refers to the connection technology
  • use solid-state storage technology
  • may come with a switch for read-only mode

File Formats

  • file formats for storing forensic data:
    • advanced forensic format (AFF)
      • is an open file standard with 3 variations
        • AFF
          • stores all data and metadata in a single file
          • part of AFF Library and Toolkit
          • used in open-source forensics programs
        • AFM
          • stores data and metadata in separate files
        • AFD
          • stores data and metadata in multiple small files
    • EnCase format
      • used in EnCase tool to store hard drive images and individual files
      • includes hash of file
    • Generic Forensic Zip
      • Gfzip is an open-source file format used to store evidence from a forensic examination

Forensic Imaging

  • always work off an image of a drive
  • first forensically wipe the target drive
    • clear data from previous cases
    • involves overwriting every bit
    • can use Linux dd command
      • used for low-level (bit-level) copying and conversion of raw data
      • dd if=/dev/zero of=/dev/hdb1 bs=2048
        • /dev/zero is input file
          • is a special file on UNIX-like systems that returns null (zero) bytes for as long as it is read
          • so every block written to the target is all zeros
        • of=/dev/hdb1 is the output file, the target drive being wiped
        • bs=2048 is the block size in bytes for each read and write
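
The wipe-and-check step, as an added example that is not part of the original notes: the script overwrites every byte of a file that stands in for the target drive with zeros (the same effect as the dd command above, in 2048-byte blocks), then reads the whole file back in chunks and reports the first nonzero byte if there is one. On a real target you would run dd against the device itself and use only the verify step here; the file path and the "old case" contents are constructed for the demo.

```python
"""Wipe a target drive image with zeros and verify the wipe.

Added example, not from the original notes.
"""
import os
import tempfile


def wipe_with_zeros(path, block_size=2048):
    """Overwrite every byte of the file in place with 0x00 (what
    dd if=/dev/zero does); return the number of bytes written."""
    size = os.path.getsize(path)
    zeros = bytes(block_size)
    written = 0
    with open(path, "r+b") as fh:
        while written < size:
            n = min(block_size, size - written)
            fh.write(zeros[:n])
            written += n
        fh.flush()
        os.fsync(fh.fileno())   # make sure the zeros reached the media
    return written


def verify_zeroed(path, block_size=1 << 20):
    """Return (True, None) if every byte is zero, otherwise
    (False, offset of the first nonzero byte)."""
    offset = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            if chunk.count(0) != len(chunk):
                for i, b in enumerate(chunk):
                    if b:
                        return False, offset + i
            offset += len(chunk)
    return True, None


def demo():
    """Constructed target 'drive' still holding data from a previous case."""
    path = os.path.join(tempfile.mkdtemp(), "target_drive.img")
    with open(path, "wb") as fh:
        fh.write(b"OLD CASE DATA " * 5000)     # 70000 bytes of stale data
    before = verify_zeroed(path)
    written = wipe_with_zeros(path)
    after = verify_zeroed(path)
    return before, written, after


if __name__ == "__main__":
    before, written, after = demo()
    print("before wipe all-zero:", before)
    print("bytes overwritten:", written)
    print("after wipe all-zero:", after)
```

The verify step is the part worth keeping: a dd run that stops early on an I/O error leaves the tail of the drive unwiped, and reading the drive back is the only way to know every bit was overwritten.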

RAID Acquisitions

  • RAID 0
    • disk striping
    • distributes data across multiple disks to increase retrieval speed
  • RAID 1
    • mirrors contents of disks
  • RAID 3 or 4
    • striped with dedicated parity
    • combines three or more disks in a way that protects data against loss of any one disk
    • fault tolerance with one extra disk dedicated to storing parity information
  • RAID 5
    • striped disks with distributed parity
    • combines 3 or more disks in a way that protects data against the loss of any one disk
    • similar to RAID 3, but the parity data is interspersed across the drive array rather than kept on a dedicated drive
  • RAID 6
    • striped disks with dual parity
    • combines 4 or more disks in a way that protects against the loss of any two disks
  • RAID 10
    • is a mirrored data set that is then striped
    • requires 4 drives
      • 2 mirrored drives hold half the data
      • 2 more mirrored drives hold the other half
  • make a forensic image of the entire RAID array to a large target drive