Computer Forensics and Cyber Security - 3


Computer Forensics and Cyber Security
Forensic examination of computers and digital electronic media, part 2

1
Storage Formats for Digital Evidence
• Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

2
Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
– Fast data transfers
– Can ignore minor data read errors on source drive
– Most computer forensics tools can read raw format
• Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors

3
Proprietary Formats
• Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file
• Disadvantages
– Inability to share an image between different tools
– File size limitation for each segmented volume

4
Advanced Forensics Format
• Developed by Basis Technology Corporation
• Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files
for metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs

5
Advanced Forensics Format
• Design goals (continued)
– Internal consistency checks for self-authentication
• File extensions include .afd for segmented
image files and .afm for AFF metadata
• AFF is open source

6
Understanding File Systems
• File System:
– Used to control how data is stored and retrieved.
– Space management
– File names
– Directories
– Metadata

7
Common File System Types
• Function of a file system is to manage files and
folders on a system
• The OS performs the following to help with
this:
– Partitions and formats storage devices
– Creates a standard for naming files and folders
– Maintains the integrity of files and folders
– Provides for error recovery
– Provides for security of the file system

8
Common File System Types
• FAT (file allocation table) file system
– The file allocation table is a map the OS uses to record which clusters each file occupies (each entry points to the next cluster in the file's chain), so it is where an examiner traces a file's data and the remains of deleted files
– The root directory is the top directory on a FAT volume
• FAT16
– Uses 16-bit entries in the file allocation table, so a volume can have at most 2^16 clusters
– Uses 8.3 names: up to 8 characters plus a 3-character extension that identifies the file type
– Can assign attributes (read-only, hidden, system, archive, directory) to files and folders

9
Common File System Types
• FAT32
– Expands the capabilities of FAT16 with 32-bit (28 usable) cluster entries
– Designed to accommodate large hard drives
– Designed to use space more efficiently: smaller clusters on large volumes leave less slack space per file
– 2 TB volume limit with 512-byte sectors (Windows itself formats FAT32 volumes only up to 32 GB)
– Maximum file size just under 4 GB (FAT16 is limited to 2 GB in most implementations)

10
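The FAT slides above describe the directory entry in words; the following added example (written for this page, not part of the original slides or any forensic tool) decodes the 32-byte FAT short-name directory entry so the attribute bits, the 8.3 name, the starting cluster, the packed timestamps and the 0xE5 "deleted" marker can be seen on real bytes. The sample directory is constructed inline and the file names, clusters and sizes in it are hypothetical.

```python
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Attribute bits of a FAT short-name directory entry (FAT specification).
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME_ID = 0x01, 0x02, 0x04, 0x08
ATTR_DIRECTORY, ATTR_ARCHIVE = 0x10, 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID
ATTR_NAMES = {ATTR_READ_ONLY: "READ_ONLY", ATTR_HIDDEN: "HIDDEN", ATTR_SYSTEM: "SYSTEM",
              ATTR_VOLUME_ID: "VOLUME_ID", ATTR_DIRECTORY: "DIRECTORY", ATTR_ARCHIVE: "ARCHIVE"}

ENTRY_SIZE = 32
# Little-endian layout: name[8] ext[3] attr ntres crt_tenth crt_time crt_date
# acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY_STRUCT = struct.Struct("<8s3sBBBHHHHHHHI")


def dos_datetime(date: int, time: int) -> Optional[datetime]:
    """Decode a packed FAT date/time pair; FAT timestamps have 2-second resolution."""
    if date == 0:
        return None  # field not set
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None  # out-of-range fields: corruption or a crafted entry


@dataclass
class DirEntry:
    name: str
    attributes: list
    deleted: bool
    first_cluster: int
    size: int
    created: Optional[datetime]
    modified: Optional[datetime]


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte entry; returns None for a long-name fragment or a free slot."""
    (name, ext, attr, _ntres, _tenth, ctime, cdate, _adate,
     clus_hi, wtime, wdate, clus_lo, size) = ENTRY_STRUCT.unpack(raw)
    if name[0] == 0x00 or (attr & ATTR_LONG_NAME) == ATTR_LONG_NAME:
        return None
    # 0xE5 in the first byte marks a deleted entry; everything else in the record,
    # including the start cluster and size, survives until the slot is reused.
    deleted = name[0] == 0xE5
    stem = ("?" + name[1:].decode("cp437", "replace") if deleted
            else name.decode("cp437", "replace")).rstrip()
    extension = ext.decode("cp437", "replace").rstrip()
    return DirEntry(
        name=f"{stem}.{extension}" if extension else stem,
        attributes=[label for bit, label in ATTR_NAMES.items() if attr & bit],
        deleted=deleted,
        first_cluster=(clus_hi << 16) | clus_lo,  # high word is zero on FAT12/FAT16
        size=size,
        created=dos_datetime(cdate, ctime),
        modified=dos_datetime(wdate, wtime),
    )


def parse_directory(data: bytes) -> list:
    """Walk a directory region entry by entry until the 0x00 end marker."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = data[off:off + ENTRY_SIZE]
        if chunk[0] == 0x00:
            break  # no further entries in use
        entry = parse_entry(chunk)
        if entry is not None:
            entries.append(entry)
    return entries


def make_entry(name8: bytes, ext3: bytes, attr: int, cluster: int, size: int,
               date: int, time: int, deleted: bool = False) -> bytes:
    """Build a constructed entry for the demo (hypothetical data, not from a real volume)."""
    if deleted:
        name8 = b"\xE5" + name8[1:]
    return ENTRY_STRUCT.pack(name8.ljust(8), ext3.ljust(3), attr, 0, 0, time, date, date,
                             cluster >> 16, time, date, cluster & 0xFFFF, size)


# 2023-05-14 packed as ((2023-1980)<<9)|(5<<5)|14 ; 13:07:30 packed as (13<<11)|(7<<5)|15
SAMPLE_DATE, SAMPLE_TIME = 0x56AE, 0x68EF
SAMPLE_DIR = b"".join([
    make_entry(b"REPORT", b"DOC", ATTR_ARCHIVE, 0x30007, 48212, SAMPLE_DATE, SAMPLE_TIME),
    make_entry(b"SECRET", b"TXT", ATTR_ARCHIVE | ATTR_HIDDEN, 0x42, 1337, SAMPLE_DATE, SAMPLE_TIME),
    make_entry(b"EVIDENCE", b"JPG", ATTR_ARCHIVE, 0x100, 204800, SAMPLE_DATE, SAMPLE_TIME, deleted=True),
    bytes(ENTRY_SIZE),  # all-zero slot terminates the directory
])

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        flag = "DELETED " if e.deleted else ""
        print(f"{flag}{e.name:<14} {','.join(e.attributes):<16} cluster={e.first_cluster} "
              f"size={e.size} modified={e.modified}")
```

The deleted entry keeps its extension, size and starting cluster, which is exactly why deleted files on FAT are often recoverable: only the first character of the name is lost and the clusters stay in place until reused. The hidden attribute on SECRET.TXT is just a bit in the entry, so parsing the directory directly sees it regardless of Explorer settings.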
Common File System Types
• NTFS (New Technology File System)
introduced the following features:
– Long file name support
– Ability to handle large storage devices
– Built-in security controls (per-file access control lists and ownership; later encryption)
– POSIX support
– Volume striping (through Windows dynamic volumes)
– File compression
– Master file table (MFT), which holds a record for every file on the volume; very small files are stored entirely inside their MFT record

11
Common File System Types
• UNIX/Linux
– Can handle many different file systems
– UNIX file system (UFS) is the traditional native format on BSD-derived UNIX
– Extended file system (ext2/ext3/ext4) is primarily used by Linux
– UNIX uses inodes, clearinghouses of information about files on UNIX systems (owner, permissions, timestamps, and the addresses of the data blocks; the file name lives in the directory, not the inode)
– The superblock holds the metadata that describes the file system itself (block size, inode and block counts, mount state); it is read when the file system is mounted and backup copies are kept so a damaged one can be recovered

12
Investigating Windows Systems
• Activities of the user result in user data
– User profiles
– Program files
– Temporary files (temp files)
– Special application-level files

13
Investigating Windows Systems
• System data and artifacts are generated by the
operating system
– Metadata
– Windows system registry
– Event logs or log files
– Swap files
– Printer spool
– Recycle Bin

14
Hidden Files
• Files that do not appear by default are hidden files (the hidden attribute is set; protected operating system files are hidden by a separate setting)
• On Windows XP they can be viewed through the following steps:
– Open Windows Explorer
– Go to Tools > Folder Options > View > Hidden files and folders
– Select Show hidden files and folders
– Click OK
• On Windows 8 and later the same option is in File Explorer under View > Options > Change folder and search options > View
• Do this on a forensic copy, not on the suspect system, since browsing the live system alters access metadata

15
Investigating Windows Systems
• Data and user authentication weaknesses of FAT
– User IDs are not required; FAT has no concept of file ownership
– Only attributes (read-only, hidden, system, archive) are associated with files or folders, so anyone with access to the volume can read or change anything on it
• Data and user authentication improvements in NTFS
– Separation of duties through per-file permissions (access control lists) enforced by the operating system
– Removes user anonymity: each file records an owner security identifier (SID), so file activity can be tied to a specific account

16
Investigating Windows Systems
• Identify the operating systems of a target hard
drive by:
– Operating system folder names
– The folder for the Recycle Bin
– The construction of the user root folders because
of the differences in the way user data is kept

17
Finding User Data and Profiles in Windows Folders
• Documents and Settings folder (Windows 2000 and XP)
– Contains a user root folder for each user account created on the computer
– Windows NT and above automatically install
• Administrator
• All Users
• Default User (hidden)
– On Windows Vista and later the user root folders live under \Users instead, with a hidden Default profile and a Public folder; All Users becomes a junction to \ProgramData

18
Finding User Data and Profiles in Windows Folders
• Data stored in the user root folder:
– Desktop settings, such as wallpaper, screensavers,
color schemes, and themes
– Internet customizations, such as the homepage,
favorites, and history
– Application parameters and data, such as e-mail
and upgrades
– Personal files and folders, such as My Documents,
My Pictures, and so on

19
Finding User Data and Profiles in Windows Folders
• Some of the subfolders in the user root folder
include:
– Application data (hidden)
– Cookies
– Desktop
– Favorites
– Local Settings (hidden)
– My Documents
– NetHood (hidden)

20
Temp Internet Files: Valuable E-Evidence
• Data stored in the Temporary Internet Files folder can be valuable supporting evidence, even if deleted: the browser cache keeps copies of pages and images viewed together with the URL and time of access, and deleted cache entries often remain recoverable from unallocated space
21
Investigating System Artifacts
• Types of metadata
– Descriptive: describes a resource for purposes
such as discovery and identification
– Structural: indicates how compound objects are
put together
– Administrative: provides information to help
manage a resource, such as when it was created,
last accessed, and modified
• Be alert for NTFS alternate data streams (ADS): named streams attached to a file that Explorer and a plain dir listing do not show (dir /R lists them); they are a classic place to hide data behind an innocent-looking file
22
In Practice: Searching for Evidence
• Do not use the suspect system itself to carry
out a search for evidence
• Using Windows to search and open files can
change the file’s metadata
• Such changes may cause evidence to be
disallowed in court

23
Investigating System Artifacts
• Registry
– Can reveal current and past applications, recently opened files, attached USB devices, and programs that start automatically at bootup
– Viewing the registry on a live system requires a registry editor; on a forensic image the hive files (SYSTEM, SOFTWARE, SAM and SECURITY under \Windows\System32\config, plus each user's NTUSER.DAT) are parsed offline
• Event logs track system events
– Application log tracks application events
– Security log shows logon attempts
– System log tracks events such as driver failures

24
Investigating System Artifacts
• Swap file/page file
– Used by the system as virtual memory
– Can provide the investigator with a snapshot of
volatile memory
• Print spool
– May contain enhanced metafiles of print jobs
• Recycle Bin/Recycler
– Stores files the user has deleted

25
“Shredding” Data
• Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data
– Overwriting is only reliable on media that writes in place: SSD wear-levelling, journaling and copy-on-write file systems, and backups can leave copies of the content, and the file name can survive in directory entries, the MFT, or registry recent-file lists after the content is gone

26
Investigating Linux Systems
• Windows can have many users with
administrator access, but Linux has only one
administrative account, called root
• Root account has complete control of the
system
• In Linux, all devices, partitions, and folders are
seen as a unified file system
• A typical installation creates three partitions:
the root, boot, and swap partitions
27
Investigating Linux Systems
• The Linux file system includes the data
structure as well as the processes that manage
the files in the partition
• Linux’s virtual file system provides a common
set of data structures:
– Superblock
– Inode
– Dentry
– Data block

28
Investigating Linux Systems
• Seven different file types available in Linux:
– Normal files
– Directories
– Links
– Named pipes
– Sockets
– Block devices
– Character devices

29
Investigating Linux Systems (Cont.)
• Default Linux installations generally include
system directories such as the following:
– /boot
– /dev
– /etc
– /home
– /lib
– /lost+found
– /mnt
– /proc
– /root
– /sbin
– /tmp
– /usr
– /var

30
Investigating Linux Systems (Cont.)
• Key Linux files and directories to investigate:
– /etc/passwd (accounts, UIDs, home directories, login shells)
– /etc/shadow (password hashes, last-change and expiry dates)
– /etc/group and /etc/sudoers (who holds administrative rights)
– /etc/hosts (static name-to-address mappings, a common place to redirect traffic)
– /etc/sysconfig/ (service and network configuration on Red Hat-family systems)
– /etc/syslog.conf (on modern distributions /etc/rsyslog.conf and /etc/rsyslog.d/, or systemd-journald with binary journals under /var/log/journal; the configured destinations tell you where, and whether, logs were kept)

31
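The account files listed above are usually the first thing an examiner reads on a Linux image. The following added example (written for this page, not part of the original slides or of any distribution's tooling) parses /etc/passwd and /etc/shadow excerpts and flags the patterns worth a second look: a second UID 0 account, a system account with an interactive shell, an empty password field, and accounts present in one file but not the other. The two file excerpts are constructed for the example; the account names, paths and hash strings are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed /etc/passwd and /etc/shadow excerpts (hypothetical accounts and hashes,
# not copied from any real system). Planted problems: a second UID 0 account
# ("backup2") and a service account with no password at all ("svc").
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc:x:1001:1001:service:/var/svc:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$salt$hashhashhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
www-data:*:19500:0:99999:7:::
alice:$6$salt$otherhash:19500:0:99999:7:::
backup2:$6$salt$yetanother:19700:0:99999:7:::
svc::19500:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
UID_MIN_REGULAR = 1000  # default UID_MIN in login.defs on Debian and Red Hat families


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchange: Optional[int]  # days since 1970-01-01, per shadow(5)


def parse_passwd(text: str) -> list:
    """passwd(5): name:password:UID:GID:GECOS:home:shell, one account per line."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # blank or malformed line
        name, _pw, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text: str) -> dict:
    """shadow(5): name:hash:lastchange:min:max:warn:inactive:expire:reserved."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 3:
            continue
        lastchange = int(parts[2]) if parts[2].isdigit() else None
        out[parts[0]] = ShadowEntry(parts[0], parts[1], lastchange)
    return out


def lastchange_date(days: int) -> date:
    """Turn the shadow 'last change' day count into a calendar date for the timeline."""
    return date(1970, 1, 1) + timedelta(days=days)


def triage(passwd_text: str, shadow_text: str) -> list:
    """Return (account, issue) pairs an examiner should look at first."""
    findings = []
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    for u in users:
        if u.uid == 0 and u.name != "root":
            findings.append((u.name, "UID 0: full root privileges under another name"))
        elif u.uid < UID_MIN_REGULAR and u.name != "root" and u.shell not in NOLOGIN_SHELLS:
            findings.append((u.name, f"system account with interactive shell {u.shell}"))
        s = shadow.get(u.name)
        if s is None:
            findings.append((u.name, "present in passwd but missing from shadow"))
        elif s.hash == "":
            findings.append((u.name, "empty password field: login requires no password"))
        # "*" or a leading "!" means locked / no password login, which is normal for services
    for name in shadow.keys() - {u.name for u in users}:
        findings.append((name, "present in shadow but not in passwd"))
    return findings


if __name__ == "__main__":
    for account, issue in triage(PASSWD_SAMPLE, SHADOW_SAMPLE):
        changed = parse_shadow(SHADOW_SAMPLE)[account].lastchange
        when = lastchange_date(changed) if changed is not None else "unknown"
        print(f"{account:<10} {issue} (password last set {when})")
```

The password-change day count is worth converting: in the constructed sample the rogue UID 0 account's password was set 200 days after everyone else's, which places its creation on the incident timeline without any log file.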
Investigating Linux Systems
• Deleted files
– Check the trash folder of each login user for deleted files that can be recovered; on current desktops this is ~/.local/share/Trash, whose info/ subfolder records each file's original path and deletion time
• Using grep to search file contents
– grep allows for sophisticated character-based (regular-expression) searches, and grep -r runs them recursively across a mounted image
• Compressed files
– Some Linux applications such as OpenOffice (and LibreOffice) store documents as ZIP containers, so a raw keyword search will not find the text inside them until they are decompressed

32
Graphic File Forensics
• The investigator can use file signatures to
determine where data starts and ends and the
file type
– The file extension (such as .jpg) is one way to identify a graphic file
– A user can easily change the file extension, but
the data header does not change
– Forensic tools can resolve conflicts between file
extensions and file types

33
Graphic File Forensics
• The process of retrieving all relevant pieces of a file is called data carving or data salvaging; it works from file headers and trailers rather than the file system, so it recovers files whose directory entries are gone, but fragmented files and embedded thumbnails (a JPEG inside a JPEG) can mislead a naive carver
• An investigator may have to reconstruct the data header using file signature information
• Layered graphic files (such as Photoshop or Corel) can hide information behind layers
• Flattened formats such as JPEG, GIF, and BMP do not have layers (TIFF normally does not either, though Photoshop can embed its layer data in a TIFF)

34
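The two graphics slides above, and the earlier note that OpenOffice documents are compressed, all come down to the same check: trust the bytes at the start of the file, not its name. The following added example (written for this page, not part of the original slides or of any forensic tool) identifies a file type from its magic bytes, reports an extension that disagrees with the header, and carves JPEG streams out of an unstructured blob by their start and end markers. The disk blob and the "images" in it are constructed inline and are hypothetical; the JPEGs carry a valid JFIF header but no real picture data.

```python
import struct
from typing import List, Optional, Tuple

# Well-known magic bytes; the ZIP entry also matches .docx/.odt/.jar containers.
SIGNATURES = [
    ("jpg", b"\xFF\xD8\xFF"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),          # GIF87a or GIF89a
    ("bmp", b"BM"),
    ("tiff", b"II*\x00"),     # little-endian TIFF
    ("tiff", b"MM\x00*"),     # big-endian TIFF
    ("pdf", b"%PDF"),
    ("zip", b"PK\x03\x04"),
]
# Extensions that legitimately share a header with another type in the table.
EXT_ALIASES = {"jpeg": "jpg", "tif": "tiff", "odt": "zip", "ods": "zip", "docx": "zip", "xlsx": "zip"}


def identify(data: bytes) -> Optional[str]:
    """Return the type whose signature the data starts with, or None if unknown."""
    for ftype, magic in SIGNATURES:
        if data.startswith(magic):
            return ftype
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Describe a conflict between the name's extension and the header, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = identify(data)
    if actual is None:
        return f"{filename}: unknown header {data[:4].hex()}"
    if ext != actual:
        return f"{filename}: extension says {ext or '(none)'}, header says {actual}"
    return None


JPEG_SOI = b"\xFF\xD8\xFF"  # start of image followed by the first marker byte
JPEG_EOI = b"\xFF\xD9"      # end of image


def carve_jpegs(image: bytes) -> List[Tuple[int, bytes]]:
    """Carve complete JPEG streams out of raw bytes such as unallocated space.

    Naive header-to-trailer carving: an EXIF thumbnail (a JPEG inside a JPEG)
    would end the carve early, and a fragmented file would come out incomplete.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break  # header without trailer: truncated, nothing complete to carve
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-shaped blob: SOI, a 16-byte APP0/JFIF segment, payload, EOI."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xFF\xD8" + app0 + payload + b"\xFF\xD9"


# Constructed stand-in for a region of unallocated disk space.
DISK_SAMPLE = (
    b"\x00" * 64                          # wiped sectors
    + fake_jpeg(b"first picture data")
    + b"random slack \x12\x34" * 3          # leftover bytes between files
    + fake_jpeg(b"second picture")
    + b"\xFF\xD8\xFF\xE1 truncated"         # SOI with no EOI: must not be carved
)

if __name__ == "__main__":
    print(extension_mismatch("holiday.txt", fake_jpeg(b"x")))
    print(extension_mismatch("report.odt", b"PK\x03\x04\x14\x00mimetype"))
    for offset, blob in carve_jpegs(DISK_SAMPLE):
        print(f"carved {len(blob)} bytes at offset {offset}")
```

A renamed picture fails the extension check while a .odt correctly maps to its ZIP container, which is also the reminder that a keyword search over such a file must first unzip it. The carver returns only the two complete streams and ignores the truncated header at the end of the blob.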
Graphic File Forensics (Cont.)
• Steganography is a form of data hiding in which a message is hidden within another file
– The innocuous file that hides the message (an image or audio file, for example) is the carrier or cover medium
– The carrier with the message embedded in it is the steganographic medium (stego-object); the hidden message itself is the payload
• Both parties communicating via steganography normally must use the same stego application (and any shared passphrase), because each tool embeds data in its own way

35
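To make the carrier/stego-object distinction concrete, the following added example (written for this page, not part of the original slides or of any stego product) implements the simplest image technique, least-significant-bit embedding: the message bits replace the lowest bit of consecutive pixel values, so no pixel changes by more than one level and the picture looks identical. The 16x8 grayscale "image" is a constructed byte string standing in for the pixel data of a real bitmap, and the length-prefix layout is this example's own choice; real tools use their own layouts, which is why the same application is needed at both ends.

```python
# Constructed 8-bit grayscale "image": 16x8 pixels stored as a flat byte string,
# standing in for the pixel data of a real BMP or PNG (hypothetical sample).
WIDTH, HEIGHT = 16, 8
COVER = bytes((13 * x + 7 * y) % 256 for y in range(HEIGHT) for x in range(WIDTH))


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least-significant bit of consecutive pixels.

    The payload is prefixed with a 16-bit big-endian length so the extractor
    knows where to stop. Each pixel changes by at most 1, which the eye cannot see.
    """
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bits(start: int, count: int) -> int:
        value = 0
        for i in range(count):
            value = (value << 1) | (stego[start + i] & 1)
        return value

    length = read_bits(0, 16)
    if 16 + 8 * length > len(stego):
        raise ValueError("length prefix exceeds the image: not an LSB payload in this layout")
    return bytes(read_bits(16 + 8 * k, 8) for k in range(length))


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between cover and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


def changed_pixels(a: bytes, b: bytes) -> int:
    """How many pixels differ: on average half the used LSBs already match the message."""
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    secret = b"meet at 9"
    stego = embed_lsb(COVER, secret)
    print("recovered:", extract_lsb(stego))
    print("max pixel delta:", max_pixel_delta(COVER, stego),
          "changed pixels:", changed_pixels(COVER, stego), "of", len(COVER))
```

Running the extractor against an unmodified cover raises on the nonsense length it reads, which is the practical side of the detection slide that follows: without knowing the tool and its layout there is nothing to read, and the only visible trace is a statistical one in the low bits.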
Graphic File Forensics
• Steganography is difficult to detect; the
following clues may indicate stego use
– Technical capabilities or sophistication of the
computer’s owner
– Software clues on the computer
– Other program files that indicate familiarity with
data-hiding methods
– Multimedia files
– Type of crime being investigated
36
Summary
• A savvy user can hide data through:
– Nonstandard file folders
– Renaming file types
– Using layered graphics
– Masquerading data with steganographic
techniques

37
Things to Look For
• Hidden Files
• Steganography
• Slack Space
• Malware
• Deleted Files
• Swap Files
• Bad Blocks
• NTFS Streams
