
Friday, February 17, 2012

Essential Tasks Performed During Digital Analysis


There are three essential tasks that an examiner performs during the analysis of evidentiary digital media: (1) creation of a forensic image; (2) creation of a forensic archive from the forensic image; and (3) exporting potential probative digital data related to the investigation. All three tasks are critical to the overall success of the investigation and eventual prosecution of the case.
FORENSIC IMAGE AND FORENSIC ARCHIVE
The admissibility of potential probative data at trial will largely depend on the successful creation of the initial forensic image, its digital authenticity, and its chain of custody (where applicable). Any of the many available forensic software tools can be used to create a forensic image. They all generate a bit-by-bit copy (a “bitstream image” or “mirror image”) of the data residing on the digital media, which ensures that all the data from allocated space, unallocated space, and free space is available for examination. Hash algorithms such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1) provide digital authenticity not only for the forensic image, but also for the forensic archive and any potential probative data. One caveat: collisions have been demonstrated for both MD5 and SHA-1, so recording a SHA-2 hash (for example SHA-256) alongside the value the acquisition tool produces costs nothing and forecloses that line of attack on the evidence.
After receipt and inventory of the evidence, the first priority is to create both a forensic image and a forensic archive. Using an approved forensic software tool and an appropriate write blocker, the evidence is acquired, resulting in the forensic image, which is normally stored on a forensic computer’s evidence hard drive. The forensic archive is then created from this forensic image. Once the forensic archive has been written to optical media, digital tape, and/or another hard drive, the forensic image is analyzed for potential probative data. In addition to hashing, other precautions have to be taken to ensure the authenticity of both the forensic image and the forensic archive. Specific policy and procedure need to be defined to preclude the commingling of forensic images from separate items or different cases. There has to be a procedure for wiping the forensic image after analysis is completed. Although the forensic image is work product, it can be considered evidence, since it is an exact copy of the digital evidentiary media; therefore the examination area needs to be physically secured with limited access. Forensically sterile media must be used when creating the forensic archive. If an agency chooses to archive the evidence hard drive itself, other issues arise: maintaining a chain of custody, proper packaging to prevent inadvertent damage and/or deleterious change, and the cost of purchasing additional hard drives.
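The image, archive and export steps above come down to a hash chain, and the PowerShell below (an added example, not part of the Forensic Magazine article) walks it end to end: the image is compared with the MD5 the acquisition tool reported, a SHA-256 is recorded for the image and checked against the archive copy, and a manifest is written for the exported files. All paths and the $toolMd5 value are placeholders for this example, and Get-ForensicHash is a helper defined in the script rather than a built-in cmdlet; it hashes through .NET so that it also runs on PowerShell 2.0, which lacks Get-FileHash.

```powershell
# Added example, not part of the original article. Paths and the expected MD5
# are placeholders. Get-ForensicHash is a local helper (not a built-in cmdlet);
# it hashes through a read-only .NET stream so it never modifies the evidence.

function Get-ForensicHash {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [ValidateSet('MD5','SHA1','SHA256')][string]$Algorithm = 'SHA256'
    )
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close(); $hasher.Clear() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

$image   = 'E:\Evidence\Case1234\Item01\item01.dd'   # forensic image on the evidence drive (placeholder)
$archive = 'F:\Archive\Case1234\Item01\item01.dd'    # forensic archive written to sterile media (placeholder)
$export  = 'F:\Export\Case1234\Item01'               # exported potential probative data (placeholder)
$toolMd5 = '9e107d9d372bb6826bd81d3542a419d6'        # MD5 reported by the acquisition tool (placeholder)

# 1. The image must still match the hash the acquisition tool recorded at imaging time.
$imageMd5 = Get-ForensicHash -Path $image -Algorithm MD5
if ($imageMd5 -ne $toolMd5) {
    throw "Image MD5 $imageMd5 does not match acquisition hash $toolMd5"
}

# 2. Record a SHA-256 for the image as well (MD5 and SHA-1 have known collisions)
#    and confirm the archive is byte-for-byte identical to the image.
$imageSha256   = Get-ForensicHash -Path $image
$archiveSha256 = Get-ForensicHash -Path $archive
if ($imageSha256 -ne $archiveSha256) {
    throw "Archive SHA-256 $archiveSha256 does not match image SHA-256 $imageSha256"
}

# 3. Hash every exported file so each item can be authenticated back to the image later.
$manifest = Join-Path $export 'manifest.sha256'
Get-ChildItem -Path $export -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $manifest } |
    ForEach-Object { '{0}  {1}' -f (Get-ForensicHash -Path $_.FullName), $_.FullName } |
    Set-Content -Path $manifest -Encoding ASCII

# Values that go into the case notes.
"Image MD5      : $imageMd5"
"Image SHA-256  : $imageSha256"
"Archive SHA-256: $archiveSha256"
"Manifest       : $manifest"
```

Keep the three hash values in the case notes together with the acquisition tool's own log, and re-run the archive check each time a new export is cut from the archive, since that is the copy the later export is being authenticated against.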
A number of agencies create and store all examiner-generated forensic images on a Storage Area Network (SAN). There are many advantages in doing so. Virtually all SANs are configured as a RAID (Redundant Array of Independent Disks), which provides data reliability, redundancy, and increased input/output performance. A SAN can also be configured with automated tape backups to provide another level of redundancy. There are also disadvantages. The initial cost of the SAN and its ongoing maintenance can be substantial. Policy and procedure have to be in place not only to preclude commingling of forensic images, but also to limit access to the forensic images themselves. One method is to create individual, secured partitions for each examiner, with security procedures dictating that access to each partition is restricted. Other issues then arise: Is the forensic image going to be maintained on the SAN after the analysis is complete? Is a forensic archive going to be created from the forensic image and stored separately on the SAN? Will the forensic image eventually be wiped and the space reclaimed? Storing forensic images on the SAN becomes a question of sufficient storage capacity, physical security, and chain of custody. Remember, although the forensic image is work product, it can still be considered evidence. In fact, a number of agencies specifically keep these forensic images available for further analysis. Other agencies allow case investigators access to the forensic image to bookmark potential probative data for prosecution purposes; when this occurs, a higher level of security has to be established. Likewise, if the SAN is used as a repository for forensic archives, appropriate additional layers of redundancy, physical security, and access control become necessary.
POTENTIAL PROBATIVE DATA
A variety of digital media can be used when exporting potential probative data: floppy disk, zip disk, optical disc, hard drive, and digital tape. In most instances, optical discs and hard drives are the only realistic options. An important consideration is how much data to export. Although investigators and prosecutors generally want all the potential probative data, this is becoming an unrealistic expectation. Rather, the question to ask is: “How much potential probative data do you need?” The following is a real-world example: a 120-gigabyte evidence hard drive contained 30 gigabytes of user-generated files, consisting of pictures and movies of apparent child pornography, e-mails, spreadsheets, and text documents. The user-generated files were burned onto seven DVDs. Each picture averaged about 100 kilobytes in size, and three gigabytes of pictures were burned onto one of the DVDs; that alone represented at least 30,000 pictures that had to be viewed. The investigator and/or the prosecutor still had to review thousands of other files on the other six DVDs for potential probative data.
It is recognized that in many jurisdictions the possession of each picture of child pornography can be a separate charge, and prosecutors often use this fact to obtain a plea bargain from the suspect. However, in the above example, does the prosecutor really need to view all 30,000 pictures? Would a better approach be to export several hundred pictures of the apparent child pornography, indicating that they are representative of what was found? Since the forensic archive remains available for further analysis, additional potential probative data can be generated at a later time. Every examiner, investigator, and prosecutor is continually faced with handling and sorting through gigabytes of data to determine what is of potential probative value, and this will only become more difficult and time-consuming as hard drives increase in size. The question “How much potential probative data do you need?” does not have a simple answer. It can only be resolved by the investigator, prosecutor, and the court working together to determine what evidence is necessary to support the indictment.
John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press in 2007.

Source: Forensicmag

Forensic operations on the Windows registry

Windows General


Even more Windows Forensics goodness (or badness depending on your perspective).

Description: Temp folder
Location: C:\Users\<user name>\AppData\Local\Temp (Vista and Windows 7); C:\Documents and Settings\<user name>\Local Settings\Temp on XP
Why you care: Lots of programs need a safe place, where the user has permissions, to dump temp data. This is the place to look. They may have wiped/shredded the main file, but there could be a version in this directory depending on how the application works.
Entry by: Irongeek, but thanks to Nir.

Description: Recycle Bin
Location: C:\$Recycle.Bin (Vista and Windows 7); C:\RECYCLER on XP
Why you care: Do I really need to say? The bin is kept per user: each SID-named subfolder holds a $I<id> file with the original path, size and deletion time, and a matching $R<id> file with the content (on XP a single INFO2 index in the SID folder plays the $I role). Emptying the bin removes these entries, but the content may still be carved out of unallocated space.
Entry by: Irongeek, but thanks to Nir.

Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: Lets you know who logged in last (the DefaultUserName value), and may also give you a user name to attack if you're a pen-tester. On Vista and Windows 7 the logon screen keeps the same information as LastLoggedOnUser under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI, so check both.
Entry by: Irongeek, but thanks to Nir.

Description: Event logs
Location: C:\Windows\System32\config (*.evt files on XP) or C:\Windows\System32\winevt\Logs (*.evtx files on Vista and Windows 7)
Why you care: They tell you all sorts of things about what has been happening on the box. The logs may have been relocated: the on-disk path of each classic log is the File value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<log name>, so if the default folder is empty, check there and also search the whole drive for *.evt and *.evtx.
Entry by: Irongeek.

Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Why you care: The LastKey value here records the last key the user had open in RegEdit, which can be useful to know if the user was tweaking the registry for some purpose (like writing an article on forensically interesting spots in the Windows 7 file system and registry).
Entry by: Irongeek, but thanks to Nir.

Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have been connected to a box, and in some cases even the vendor and serial number of the device (the subkeys are named VID_xxxx&PID_xxxx for the vendor and product IDs, with one subkey per device instance beneath them). Think someone copied the data to a thumbdrive? This may help you track down which thumbdrive. Think how useful it can be to tie something a user physically possesses to a box.
Entry by: Irongeek.

Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. The subkey name gives vendor, product and revision (Disk&Ven_...&Prod_...&Rev_...), and the instance key beneath it is the device serial number; if the second character of that instance name is an ampersand, the device reported no serial and Windows generated one, so it cannot be tied to a single physical device. Think someone copied the data to a thumbdrive? This may help you track down which thumbdrive. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
Entry by: Irongeek.

Description: SetupAPI Device Log
Location: C:\Windows\inf\setupapi.dev.log (Vista and Windows 7); C:\Windows\setupapi.log on XP
Why you care: Log of device installations that can help you find out what USB devices have been installed, including thumbdrives, with a timestamp for the first time each one was plugged in. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not this file when I tested last.
Entry by: Irongeek, but thanks to Nir.
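The three USB entries above can be pulled together in one query. The PowerShell below is an added example, not from the Irongeek page: it walks USBSTOR, splits the vendor, product, revision and serial out of the key names, flags Windows-generated serials, and looks each instance up in setupapi.dev.log for its first-install timestamp. Get-UsbStorageHistory is a name chosen for this example; it reads the live hives of the machine it runs on (run it elevated), so for an evidence image you would mount the image or use an offline hive parser instead.

```powershell
# Added example, not part of the Irongeek page. Reads the live registry and
# setupapi.dev.log of the machine it runs on; run from an elevated PowerShell.

function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $log  = Join-Path $env:SystemRoot 'inf\setupapi.dev.log'
    $logLines = @()
    if (Test-Path -Path $log) { $logLines = @(Get-Content -Path $log) }

    foreach ($class in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        # Key name looks like: Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26
        $ven = ''; $prod = ''; $rev = ''
        foreach ($part in ($class.PSChildName -split '&')) {
            switch -Regex ($part) {
                '^Ven_(.*)$'  { $ven  = $Matches[1] }
                '^Prod_(.*)$' { $prod = $Matches[1] }
                '^Rev_(.*)$'  { $rev  = $Matches[1] }
            }
        }
        foreach ($inst in (Get-ChildItem -Path $class.PSPath -ErrorAction SilentlyContinue)) {
            $id = $inst.PSChildName
            # Instance name is <serial>&<n>. If the second character is '&', the
            # device reported no serial and Windows made one up, so the entry cannot
            # be tied to one physical device.
            $serial    = ($id -split '&')[0]
            $generated = ($id.Length -gt 1) -and ($id.Substring(1, 1) -eq '&')
            $props     = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue

            # setupapi.dev.log: a ">>>  [Device Install ... USBSTOR\<class>\<id>]"
            # header is followed by a ">>>  Section start <timestamp>" line, which
            # is the first time this device was installed.
            $firstInstall = $null
            $pattern = '^>>>\s+\[Device Install.*' + [regex]::Escape("USBSTOR\$($class.PSChildName)\$id")
            $hit = $logLines | Select-String -Pattern $pattern | Select-Object -First 1
            if ($hit -and $hit.LineNumber -lt $logLines.Count) {
                $next = $logLines[$hit.LineNumber]   # LineNumber is 1-based, so this is the following line
                if ($next -match 'Section start (.+)$') { $firstInstall = $Matches[1].Trim() }
            }

            New-Object PSObject -Property @{
                Vendor          = $ven
                Product         = $prod
                Revision        = $rev
                Serial          = $serial
                SerialGenerated = $generated
                FriendlyName    = $props.FriendlyName
                FirstInstall    = $firstInstall
            }
        }
    }
}

Get-UsbStorageHistory | Format-Table Vendor, Product, Serial, SerialGenerated, FirstInstall -AutoSize
```

A device that was attached again later does not get a new install section, so FirstInstall is exactly that: the first time. For subsequent connections, the last-write time on the instance key and the Windows event logs are the next places to look.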

Description: Windows Prefetch
Location: C:\Windows\Prefetch
Why you care: Windows Prefetch is a feature in Windows XP and newer systems (including Windows 7) that is meant to speed up boot and application launch times by recording what on the system is accessed when they run. Each .pf file is named after the executable and records the last run time and run count, so the folder shows what was run and when, even if the executable has since been deleted. Prefetching can be turned off through EnablePrefetcher under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, so an empty Prefetch folder is itself worth noting. Mark McKinnon has a tool you might be interested in for parsing this data. Also, you may want to read the Wikipedia entry: http://en.wikipedia.org/wiki/Prefetcher
Entry by: Irongeek, but thanks to Nir and Mark McKinnon.
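For the remaining locations in this section (last logged-on user, event logs and Prefetch), the following PowerShell is an added example, not from the Irongeek page. Get-LastLoggedOnUser checks the Vista/7 LogonUI key first and falls back to Winlogon's DefaultUserName; Get-EventLogFiles reads the configured log paths out of Services\EventLog and then sweeps the drive for *.evt and *.evtx; Get-PrefetchSummary turns the .pf file names and timestamps into an executable, first-run and last-run list and warns if the prefetcher has been turned off. The function names and the use of the live system's own drive are assumptions for this example.

```powershell
# Added example, not part of the Irongeek page. Triage of the "Windows General"
# locations on the live system; paths default to the running OS. Run elevated.

function Get-LastLoggedOnUser {
    # Vista/7: the logon screen records the last account under LogonUI.
    # XP (and any auto-logon setup): DefaultUserName under Winlogon.
    $logonUi  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' -ErrorAction SilentlyContinue
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($logonUi -and $logonUi.LastLoggedOnUser) { return $logonUi.LastLoggedOnUser }
    if ($winlogon -and $winlogon.DefaultUserName) { return $winlogon.DefaultUserName }
    return $null
}

function Get-EventLogFiles {
    param([string]$Drive = $env:SystemDrive)
    # Classic logs (Application, System, Security, ...) record their on-disk
    # path in the File value under Services\EventLog\<log>; anyone who
    # relocated them had to change it here.
    $configured = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog' -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).File } |
        Where-Object { $_ } |
        ForEach-Object { [System.Environment]::ExpandEnvironmentVariables($_) }
    # Then sweep the drive for anything else, e.g. exported or copied logs.
    $found = Get-ChildItem -Path "$Drive\" -Recurse -Force -Include *.evt, *.evtx -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
    @($configured) + @($found) | Sort-Object -Unique
}

function Get-PrefetchSummary {
    param([string]$PrefetchDir = (Join-Path $env:SystemRoot 'Prefetch'))
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters' -ErrorAction SilentlyContinue
    if ($params -and $params.EnablePrefetcher -eq 0) {
        Write-Warning 'Prefetcher is disabled (EnablePrefetcher = 0); entries may be stale or absent.'
    }
    # File name is EXENAME.EXE-<8 hex digit path hash>.pf. The file is created
    # on first run and rewritten after each later run, so CreationTime is close
    # to the first run and LastWriteTime to the last run (a few seconds after launch).
    Get-ChildItem -Path $PrefetchDir -Filter *.pf -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Executable = ($_.BaseName -replace '-[0-9A-F]{8}$', '')
                FirstRun   = $_.CreationTime
                LastRun    = $_.LastWriteTime
                PfFile     = $_.Name
            }
        } | Sort-Object LastRun -Descending
}

"Last logged-on user: $(Get-LastLoggedOnUser)"
Get-EventLogFiles
Get-PrefetchSummary | Select-Object -First 20 | Format-Table Executable, FirstRun, LastRun -AutoSize
```

The Prefetch timestamps come from the file system, not from inside the .pf, so they are only an approximation; for the run count and the exact last-run time stored in the file itself, use a proper Prefetch parser such as the one mentioned above.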


Source: Irongeek

Forensically analyze Windows 7, Vista and XP file system and registry

Windows Explorer

Not to be confused with Internet Explorer, Windows Explorer is the default GUI shell for Windows 7 / Vista / XP. It leaves all sorts of data in the registry and file system for a forensics investigation.

Description: Recently opened files from Windows Explorer
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent (Vista and Windows 7); C:\Documents and Settings\<user name>\Recent on XP
Why you care: It can be quite useful to know what files have been opened recently. Think someone is accessing records of embezzlement? Maybe there is a pointer to the Excel file here that can lead you to where the data has been stored. The entries are .lnk shortcuts, so they keep the target path, and their timestamps show when the file was last opened, even after the target itself has been deleted. You may also see links to videos and images in here. I've had this lead to personal embarrassment before while doing a presentation for the ISSA. :)
Entry by: Irongeek, but thanks to Nir.

Description: Network Shortcuts
Location: C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Network Shortcuts (Vista and Windows 7); C:\Documents and Settings\<user name>\NetHood on XP
Why you care: This could show an investigator what file servers the person has been accessing, or, on a captured laptop, a little about the internal network (useful for pen-testing).
Entry by: Irongeek, but thanks to Nir.

Description: Items recently ran from the "Run" bar
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person is running using the Windows Run bar. The MRUList value gives the order (most recent first) of the lettered values, each of which holds the command followed by "\1". Note that in Vista and Windows 7 lots of folks use the "Search programs and files" text box instead, which does not show up in this registry key.
Entry by: Irongeek, but thanks to Nir.
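For the Explorer artifacts above, the PowerShell below is an added example, not from the Irongeek page. Get-RecentTargets resolves each .lnk in the Recent folder to its target and notes whether the target still exists; Get-RunMru prints the Run-bar history in the order MRUList gives. The function names are chosen for this example, $UserProfile defaults to the current profile but can point at a profile on a mounted image, and the RunMRU part reads HKCU, so it only shows the currently logged-on user's history (for another user, load their NTUSER.DAT with reg.exe load and read the same path under that hive).

```powershell
# Added example, not part of the Irongeek page. $UserProfile is an assumption
# (defaults to the current profile); Get-RunMru reads the live HKCU hive.

function Get-RecentTargets {
    param([string]$UserProfile = $env:USERPROFILE)
    $recent = Join-Path $UserProfile 'AppData\Roaming\Microsoft\Windows\Recent'
    $shell  = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $recent -Filter *.lnk -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            # CreateShortcut only reads an existing .lnk; nothing is written unless
            # .Save() is called, so the shortcut is not modified.
            $lnk = $shell.CreateShortcut($_.FullName)
            New-Object PSObject -Property @{
                LastOpened = $_.LastWriteTime   # the .lnk is rewritten each time the file is opened
                Target     = $lnk.TargetPath
                StillThere = (($lnk.TargetPath -ne '') -and (Test-Path -LiteralPath $lnk.TargetPath))
                Link       = $_.Name
            }
        }
}

function Get-RunMru {
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.MRUList) { return }
    # MRUList is a string of value names ordered most recent first, e.g. "cba";
    # each named value holds the command followed by "\1".
    $rank = 0
    foreach ($letter in $props.MRUList.ToCharArray()) {
        $name = [string]$letter
        $rank++
        New-Object PSObject -Property @{
            Rank    = $rank
            Command = ($props.$name -replace '\\1$', '')
        }
    }
}

Get-RecentTargets | Format-Table LastOpened, Target, StillThere -AutoSize
Get-RunMru | Format-Table Rank, Command -AutoSize
```

A Recent entry whose target no longer exists is often the more interesting one: the .lnk keeps the original path and the last-opened time after the file itself has been deleted or moved to removable media.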


Source: http://www.irongeek.com