Acquisition and Examination of Forensic Evidence MADS 6697, Louai Rahal
Identification social media, devices, IoT, hidden flash drives Collection Should respect privacy rights and the law of search and seizure Analysis Use digital data to uncover details about the crime Reporting Reporting to the court Reporting the results of the investigation. Detailed, transparent, scientifically and forensically sound statements
Evidence preservation Hashing Collection Should respect privacy rights and the law of search and seizure Evidence preservation Hashing Bit by bit copying of the data to another hard drive Process transparency Documenting the chain of custody Checking for evidence integrity
Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime (Arnes, 2018) Chain of custody refers to the documentation of acquisition, control, analysis, and disposition of physical and electronic evidence (Arnes, 2018) “Metadata, or data about data, contains information about data objects. For example, the metadata associated with a digital photograph can contain the time of taking the photo, the geographical location, and the camera used. The analysis of metadata is an important activity throughout the forensic process, as metadata can contain information that is key to solving a case” (Arnes, 2018)
First Respondent Mistake “a detective at the crime scene allegedly tried to unlock the mobile phone of the suspect. While doing so, he repeatedly entered incorrect PIN and PUK codes to unlock the SIM card. This led to data relevant to the case being erased. The defense team argued that the police investigation destroyed critical evidence that would have been relevant to the case” (Arnes, 2018) https://www.wral.com/news/local/video/9359162/
Science: Falsifiability, Replication
“ The documentation activities begin from the moment the investigator starts handling the digital devices that will be “touched” during the investigation phases. The documentation enables reproducibility of results and traceability from the physical object’s origin to the final evidence presentation. This calls for thorough documentation throughout the digital forensic process ” (Arnes, 2018) A process is replicable when a repetition of the same process leads to the same results
Analysis of a digital forensics investigation. Identify 3 mistakes made by the investigator. https://www.youtube.com/watch?v=1BVG6cmPlPk
If a digital forensics investigation fails to prove that a person is guilty, it does not necessarily mean that the person is not guilty
Live systems: systems that are running and are at the time of identification potentially holding evidence that may be lost or hard to acquire if the system is shut down. Dead systems: systems not running. Any data in temporary storage areas such as cache, main memory, running processes, or active application dialogues on a computer will normally be lost when the system is powered down. Arnes (2018)
Arnes, 2018
turning on a system that was initially turned off might also lead to evidence loss. At boot time, a PC, mobile phone, or media player executes boot activities that can overwrite previously cached data Arnes (2018)
turning on a system that was initially turned off might also lead to evidence loss. At boot time, a PC, mobile phone, or media player executes boot activities that can overwrite previously cached data Arnes (2018)
Magnetic/Electrical charges Hardware Magnetic/Electrical charges bits 01010101011 bytes 1 byte = 8 bits 7643217 Hex 1 Hex = 16 bits ASCII English Characters
Marcella and Guillossou, 2012
Marcella and Guillossou, 2012
Marcella and Guillossou, 2012
Create a notepad file and insert one word in it: Hello. Convert the ASCII characters to hexadecimal characters. You can use any hexadecimal calculator. Add the hex signature for a .txt file to the beginning of your hex code. Open your file with a hexadecimal editor. The hex code in the file reader should match with the hex code you created manually. Marcella and Guillossou, 2012
Magnetic/Electrical charges Hardware Magnetic/Electrical charges Allocated/Unallocated areas 10001010101010101010101010101………………00101011010100001010101 Allocated to file file1.txt When file1.txt is deleted The data for file1.txt will continue to be available till it gets overwritten
Example of a recovered Image Arnes, 2018
Should the results of the investigation be published ? Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published ? http://www.forensicfocus.com/index.php?name=Content&pid=367
Should the results of the investigation be published ? Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published ? “imagine research into a product which revealed that while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence”
Discuss the case from the perspectives of: Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in a software that claims to permanently wipe data. Should the results of the investigation be published ? http://www.forensicfocus.com/index.php?name=Content&pid=367 Discuss the case from the perspectives of: Categorical Imperialism Utilitarianism The ethics of care
4 sentences Sentence 1: Digital Forensics Case you will be writing about. Sentence 2: How was the evidence identified, collected, and reported. If not enough details found describe how the evidence should have been identified, collected, safeguarded, and reported. Sentence 3: How was the evidence safeguarded. If not enough details are provided, describe how the evidence should have been safeguarded Sentence 4: What ethical concerns and issues does the case raise.
Hash Values are admissible to court Imaging “The process of making an exact copy (bit by bit) of the original drive” Hash Values are admissible to court “the government’s expert witness testified that no two dissimilar files will have the same hash value” The law prohibits the distribution of forensic images of child pornography files “The Adam Walsh Child Protection and Safety Act […] prohibited the defense from obtaining copies of the child pornography evidence”
National Institute of Standards and Technology Criteria of reliability of a forensic tool The tool shall make a bit-stream duplicate or an image of an original disk or partition The tool shall not alter the original disk The tool shall be able to verify the integrity of a disk image file The tool shall log I/O errors The tool’s documentation shall be correct
Files and File System Forensics Data on Disk: 10001010101010101010101 A sector: 512 bytes A cluster: 2 or more sectors File: data that resides on clusters
First few bytes: File header 1 First few bytes: File header The file header contains the file signature File content
1 A 1 E 4 6 7 8 B C F 9 To make the investigation of files easier, files are read in hexadecimal format
Which of the following is NOT a valid hexadecimal String: ABCDEFG 1 A 1 E 4 6 7 8 B C F 9 Which of the following is NOT a valid hexadecimal String: ABCDEFG 101010101 999999AAAA
Which of the following is NOT a valid hexadecimal String: ABCDEFG 1 A 1 E 4 6 7 8 B C F 9 Which of the following is NOT a valid hexadecimal String: ABCDEFG 101010101 999999AAAA
https://digital-forensics. sans https://digital-forensics.sans.org/media/hex_file_and_regex_cheat_sheet.pdf
Independent of Operating System Checking file signatures 1 Physical Extraction: Independent of Operating System Checking file signatures Based on file signatures interpret data A 1 E 4 6 7 8 B C F 9 IF 30 30 30 is found in a .word file, how would it be interpreted? IF 30 30 30 is found in a .gif file, how would it be interpreted?
Independent of Operating System Checking file signatures 1 A 1 E 4 6 7 8 B C F 9 Physical Extraction: Independent of Operating System Checking file signatures Based on file signatures interpret data Examine partition table to know which files sectors are allocated and which ones are not allocated
1 A 1 E 4 6 7 8 B C F 9 “Ryan Jaye created two partitions on his on his 80 GB hard drive […] 20 GB were dedicated to his child pornography collection. When Ryan Jaye became suspicious that he had been discovered, he decided to delete the second partition[…] Luckily for law enforcement, when a partition is deleted, the data within that partition remains until it is overwritten”
Search strategies specific to the File System NTFS: Master File Table 1 A 1 E 4 6 7 8 B C F 9 Logical Extraction: Search strategies specific to the File System NTFS: Master File Table Slack
A sector is 512 bytes. What if the file size is 200 bytes? A 1 E 4 6 7 8 B C F 9 Logical Extraction: Slack A sector is 512 bytes. What if the file size is 200 bytes? The remaining 312 bytes are slack spaces The OS uses slack as RAM slack and DRIVE slack RAM slack is NOT volatile. DRIVE slack: ‘storing old information that was once available on the storage device’
A sector is 512 bytes. What if the file size is 200 bytes? Logical Extraction: Slack A sector is 512 bytes. What if the file size is 200 bytes? The remaining 312 bytes are slack spaces The OS uses slack as RAM slack and DRIVE slack RAM slack is NOT volatile. DRIVE slack: ‘storing old information that was once available on the storage device’ Which Slack space will most likely contain data from deleted files? 1 A 1 E 4 6 7 8 B C F 9
Filtering with Hashing: “file hashes may be used to eliminate duplicate data” “Hash values may also be compared to datasets that contain known hash values for specific files” 1 Create three or four or n copies of a notepad file (file1.txt) in a new folder Create other notepad files Hash all files in the folder Create a python script that checks all the hashes of all the files in a folder and that deletes all duplicated of (file1.txt) in a new folder. Use handout from class 5 and use the code below: import os os.remove(“file.txt")