Acquisition and Examination of Forensic Evidence


Acquisition and Examination of Forensic Evidence MADS 6697, Louai Rahal

Identification: social media, devices, IoT, hidden flash drives
Collection: should respect privacy rights and the law of search and seizure
Analysis: use digital data to uncover details about the crime
Reporting: reporting the results of the investigation to the court; detailed, transparent, scientifically and forensically sound statements

Evidence preservation: hashing
Bit by bit copying of the data to another hard drive
Process transparency: documenting the chain of custody
Checking for evidence integrity

Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime (Arnes, 2018)
Chain of custody refers to the documentation of acquisition, control, analysis, and disposition of physical and electronic evidence (Arnes, 2018)
“Metadata, or data about data, contains information about data objects. For example, the metadata associated with a digital photograph can contain the time of taking the photo, the geographical location, and the camera used. The analysis of metadata is an important activity throughout the forensic process, as metadata can contain information that is key to solving a case” (Arnes, 2018)

First Responder Mistake
“a detective at the crime scene allegedly tried to unlock the mobile phone of the suspect. While doing so, he repeatedly entered incorrect PIN and PUK codes to unlock the SIM card. This led to data relevant to the case being erased. The defense team argued that the police investigation destroyed critical evidence that would have been relevant to the case” (Arnes, 2018)
https://www.wral.com/news/local/video/9359162/

Science: Falsifiability, Replication

“The documentation activities begin from the moment the investigator starts handling the digital devices that will be “touched” during the investigation phases. The documentation enables reproducibility of results and traceability from the physical object’s origin to the final evidence presentation. This calls for thorough documentation throughout the digital forensic process” (Arnes, 2018)
A process is replicable when a repetition of the same process leads to the same results.

Analysis of a digital forensics investigation. Identify 3 mistakes made by the investigator. https://www.youtube.com/watch?v=1BVG6cmPlPk

If a digital forensics investigation fails to prove that a person is guilty, it does not necessarily mean that the person is not guilty

Live systems: systems that are running and are, at the time of identification, potentially holding evidence that may be lost or hard to acquire if the system is shut down.
Dead systems: systems not running.
Any data in temporary storage areas such as cache, main memory, running processes, or active application dialogues on a computer will normally be lost when the system is powered down. Arnes (2018)

Arnes, 2018

Turning on a system that was initially turned off might also lead to evidence loss. At boot time, a PC, mobile phone, or media player executes boot activities that can overwrite previously cached data. Arnes (2018)

Hardware: magnetic/electrical charges
Bits: 01010101011
Bytes: 1 byte = 8 bits
Hex: 1 Hex = 16 bits
ASCII: English characters

Marcella and Guillossou, 2012

Exercise:
Create a notepad file and insert one word in it: Hello.
Convert the ASCII characters to hexadecimal characters. You can use any hexadecimal calculator.
Add the hex signature for a .txt file to the beginning of your hex code.
Open your file with a hexadecimal editor. The hex code in the file reader should match the hex code you created manually.
Marcella and Guillossou, 2012

Hardware: magnetic/electrical charges
Allocated/unallocated areas: 10001010101010101010101010101………………00101011010100001010101
Allocated to file file1.txt
When file1.txt is deleted, the data for file1.txt will continue to be available till it gets overwritten.

Example of a recovered Image Arnes, 2018

Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published?
http://www.forensicfocus.com/index.php?name=Content&pid=367
“imagine research into a product which revealed that while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence”

Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published?
http://www.forensicfocus.com/index.php?name=Content&pid=367
Discuss the case from the perspectives of:
Categorical Imperative
Utilitarianism
The ethics of care

4 sentences
Sentence 1: The digital forensics case you will be writing about.
Sentence 2: How was the evidence identified, collected, and reported? If not enough details are found, describe how the evidence should have been identified, collected, safeguarded, and reported.
Sentence 3: How was the evidence safeguarded? If not enough details are provided, describe how the evidence should have been safeguarded.
Sentence 4: What ethical concerns and issues does the case raise?

Imaging: “The process of making an exact copy (bit by bit) of the original drive”
Hash values are admissible in court: “the government’s expert witness testified that no two dissimilar files will have the same hash value”
The law prohibits the distribution of forensic images of child pornography files: “The Adam Walsh Child Protection and Safety Act […] prohibited the defense from obtaining copies of the child pornography evidence”

National Institute of Standards and Technology: criteria of reliability of a forensic imaging tool
The tool shall make a bit-stream duplicate or an image of an original disk or partition
The tool shall not alter the original disk
The tool shall be able to verify the integrity of a disk image file
The tool shall log I/O errors
The tool’s documentation shall be correct
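As an added example (not code from the slides or from Arnes), the Python sketch below follows the NIST criteria just listed: it makes a bit-stream copy while hashing the stream, opens the source read-only, re-hashes the finished image to verify integrity, and logs read errors. The source "drive" is constructed data in a temporary directory, and the function and file names are the example's own.

```python
import hashlib
import logging
import os
import tempfile

# Added example (not the slides' code): a minimal bit-stream imaging routine
# built around the NIST criteria above. Paths live in a temporary directory so
# it runs offline; in real use src would be a write-blocked device node.

BLOCK = 4096  # copy granularity; a raw device would be read in sector multiples


def sha256_file(path):
    """Hash a file in chunks; used to re-verify the finished image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, log_path):
    """Copy src to dst byte for byte, hashing the stream as it is read.
    Returns (source_hash, image_hash); a mismatch means the image is not a
    faithful duplicate. Unreadable blocks are logged and zero-filled so later
    offsets in the image still line up with the source."""
    logging.basicConfig(filename=log_path, level=logging.INFO, force=True)
    src_hash = hashlib.sha256()
    # Read-only access is the software side of "shall not alter the original";
    # a hardware write blocker is still expected between tool and evidence.
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        offset = 0
        while True:
            try:
                chunk = fin.read(BLOCK)
            except OSError as exc:  # "the tool shall log I/O errors"
                logging.error("read error at offset %d: %s", offset, exc)
                fin.seek(offset + BLOCK)
                chunk = b"\x00" * BLOCK
            if not chunk:
                break
            src_hash.update(chunk)
            fout.write(chunk)
            offset += len(chunk)
    image_hash = sha256_file(dst)  # "shall be able to verify the integrity"
    logging.info("source sha256=%s image sha256=%s", src_hash.hexdigest(), image_hash)
    return src_hash.hexdigest(), image_hash


def demo():
    """Image a constructed 9999-byte 'drive' and report whether the hashes match."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "evidence.bin"), os.path.join(tmp, "evidence.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 39 + b"file1.txt Hello")  # constructed data
    source_hash, image_hash = image_device(src, dst, os.path.join(tmp, "acquisition.log"))
    return {"match": source_hash == image_hash, "image_size": os.path.getsize(dst)}
```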

Files and File System Forensics
Data on disk: 10001010101010101010101
A sector: 512 bytes
A cluster: 2 or more sectors
File: data that resides on clusters

First few bytes: the file header. The file header contains the file signature.
File content

To make the investigation of files easier, files are read in hexadecimal format.

Which of the following is NOT a valid hexadecimal string?
ABCDEFG
101010101
999999AAAA

https://digital-forensics.sans.org/media/hex_file_and_regex_cheat_sheet.pdf

Physical Extraction: independent of operating system
Checking file signatures
Based on file signatures, interpret data
If 30 30 30 is found in a .word file, how would it be interpreted?
If 30 30 30 is found in a .gif file, how would it be interpreted?
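An added example (not from the slides) covering both the "Hello" hex exercise earlier and the 30 30 30 question above: it renders ASCII text as the hex an editor would show, identifies a file by its leading bytes rather than its extension, and interprets the same bytes as text or as raw values. The signature table is a short excerpt of well-known magic numbers, and the function names are the example's own.

```python
import binascii

# Added example, not from the slides: the hex view of ASCII text and the
# interpretation of leading bytes by file signature rather than by extension.
# SIGNATURES is a short excerpt of well-known magic numbers; the SANS cheat
# sheet linked above lists many more.

SIGNATURES = {
    "89504E470D0A1A0A": "PNG image",
    "474946383961": "GIF image (GIF89a)",
    "474946383761": "GIF image (GIF87a)",
    "FFD8FF": "JPEG image",
    "25504446": "PDF document",
    "504B0304": "ZIP archive (also the DOCX/XLSX/PPTX container)",
    "EFBBBF": "UTF-8 text with byte-order mark",
}

# Extension -> prefix of the type the signature should report.
EXPECTED = {".png": "PNG", ".gif": "GIF", ".jpg": "JPEG", ".jpeg": "JPEG",
            ".pdf": "PDF", ".docx": "ZIP"}


def ascii_to_hex(text):
    """'Hello' -> '48 65 6C 6C 6F': the byte view a hex editor shows."""
    return " ".join(f"{b:02X}" for b in text.encode("ascii"))


def identify(data):
    """File type implied by the leading bytes, or None when no signature matches.
    Plain ASCII text carries no signature, so a .txt containing 'Hello' returns
    None: it is recognised by being printable, not by a header."""
    head = binascii.hexlify(data[:16]).decode().upper()
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def interpret(data, as_text):
    """One byte sequence, two readings: 30 30 30 is the characters '000' in a
    text file but three raw 0x30 values inside a GIF's binary structure."""
    if as_text:
        return data.decode("ascii", errors="replace")
    return [f"0x{b:02X}" for b in data]


def extension_mismatch(name, data):
    """True when the extension promises one type but the signature reports
    another, the usual trace of a renamed file that signature search still finds."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = identify(data) or ""
    return ext in EXPECTED and not kind.startswith(EXPECTED[ext])
```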

Physical Extraction: independent of operating system
Checking file signatures
Based on file signatures, interpret data
Examine the partition table to know which sectors are allocated to files and which ones are not allocated

“Ryan Jaye created two partitions on his 80 GB hard drive […] 20 GB were dedicated to his child pornography collection. When Ryan Jaye became suspicious that he had been discovered, he decided to delete the second partition […] Luckily for law enforcement, when a partition is deleted, the data within that partition remains until it is overwritten”

Logical Extraction: search strategies specific to the file system
NTFS: Master File Table
Slack

Logical Extraction: Slack
A sector is 512 bytes. What if the file size is 200 bytes? The remaining 312 bytes are slack space.
The OS uses slack as RAM slack and DRIVE slack
RAM slack is NOT volatile.
DRIVE slack: ‘storing old information that was once available on the storage device’
Which slack space will most likely contain data from deleted files?

Filtering with hashing: “file hashes may be used to eliminate duplicate data”; “Hash values may also be compared to datasets that contain known hash values for specific files”
Exercise:
Create three or four or n copies of a notepad file (file1.txt) in a new folder
Create other notepad files
Hash all files in the folder
Create a Python script that checks the hashes of all the files in the folder and deletes all duplicates of file1.txt. Use the handout from class 5 and the code below:
import os
os.remove("file.txt")
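One way to complete the exercise above, as an added example that is not the class handout's code: every file in the folder is hashed, duplicates of file1.txt are removed by hash equality rather than by name, and the hashes are also compared against a known-hash set. The folder, its files and the known-hash set are constructed inside the script, and the function names are the example's own.

```python
import hashlib
import os
import tempfile

# Added example (not the class-5 handout's code): hash every file in a folder,
# remove the duplicates of file1.txt by hash rather than by name, and flag
# files whose hash appears in a known-hash set. The folder, its files and the
# known-hash set are constructed here so the script runs anywhere.


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_folder(folder):
    """Return {filename: sha256} for every regular file in folder."""
    return {name: sha256_file(os.path.join(folder, name))
            for name in sorted(os.listdir(folder))
            if os.path.isfile(os.path.join(folder, name))}


def remove_duplicates_of(folder, reference="file1.txt"):
    """Delete every file whose hash equals reference's hash, keeping reference.
    Hash equality, not filename, decides: copy1.txt with identical bytes goes,
    notes.txt that differs by a single byte stays."""
    hashes = hash_folder(folder)
    target = hashes[reference]
    removed = []
    for name, digest in hashes.items():
        if name != reference and digest == target:
            os.remove(os.path.join(folder, name))  # the os.remove from the slide
            removed.append(name)
    return removed


def match_known(folder, known_hashes):
    """Names of files whose hash is in a known-hash dataset (constructed here;
    in practice a reference set such as NSRL or a case-specific list)."""
    return [n for n, d in hash_folder(folder).items() if d in known_hashes]


def demo():
    folder = tempfile.mkdtemp()
    files = {"file1.txt": b"Hello", "copy1.txt": b"Hello", "copy2.txt": b"Hello",
             "notes.txt": b"Hello ", "report.txt": b"Chain of custody"}  # constructed
    for name, body in files.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(body)
    known = {hashlib.sha256(b"Chain of custody").hexdigest()}  # constructed dataset
    removed = remove_duplicates_of(folder)
    return removed, sorted(os.listdir(folder)), match_known(folder, known)
```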