FILE CARVING: Reassembling files from fragments of bytes/hex data on a digital device.


Hex to ASCII: IF the data shown in the hex dump belongs to a .txt or .html file THEN every byte is one character, so convert the hex to ASCII directly (A = 41, B = 42, C = 43, D = 44). A legacy binary .doc (Word 97-2003) is only partly readable this way: the text runs are visible as ASCII, or as UTF-16 with a 00 byte after each letter, interleaved with binary structures. IF the data belongs to a .docx or .pdf file THEN the content has to be 'mounted' (parsed by software that understands the container, and decompressed) before it can be interpreted.

“With the release of Office ‘07, Microsoft Word documents now use the same file format signature as a .ZIP file. If we were to view the entirety of the file with our HEX editor we would not uncover any legible ASCII characters. Why? The file structure and assembly instructions are contained within the file; thus, the file would need to be mounted by its native software in order for the contents to be viewed. Viewing and, more importantly, searching the contents of these “complex” files are possible once they are mounted. Forensic tools incorporate the software to mount these so that searching is possible”

4D414453203639370000
The above code is the hex representation of a file.
Find out the file type (extension): .txt, .doc, .zip, .html, .png, .jpg.
What is the data stored in this file?
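As an added example (not from the slides), the following Python puts the two slides above into code: it identifies a carved fragment by its signature rather than by its claimed extension, decodes plain text the way a hex editor shows it, and 'mounts' a .docx by opening the ZIP container to reach the searchable text. The signature table lists well-known magic numbers only; the .docx is built in memory and is a constructed stand-in for a real Word file, and the quiz's hex string is decoded as-is.

```python
"""Identify a carved fragment by its file signature, then either decode it
as text or "mount" it (parse the container) before searching its content.
Added example; the signature table holds only well-known magic numbers."""
import io
import re
import string
import zipfile

# Magic numbers (first bytes of the file) for the types the slides discuss.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                        # also .docx/.xlsx/.pptx/.jar/.apk
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file: legacy .doc/.xls/.ppt
    (b"BM", "bmp"),
]

PRINTABLE = set(string.printable.encode())


def identify(data: bytes) -> str:
    """Return a type name based on content, never on the claimed extension."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return classify_zip(data) if name == "zip" else name
    if data and all(b in PRINTABLE for b in data.rstrip(b"\x00")):
        # No known signature and every byte is printable: treat as plain text.
        return "html" if re.search(rb"<\s*(!doctype|html)", data, re.I) else "txt"
    return "unknown"


def classify_zip(data: bytes) -> str:
    """A .docx is a ZIP; the only way to tell is to open the container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Signature present but no central directory: a partial carve.
        return "zip (truncated or corrupt)"
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            return "docx"
        if any(n.startswith("xl/") for n in names):
            return "xlsx"
        if any(n.startswith("ppt/") for n in names):
            return "pptx"
    return "zip"


def hex_to_ascii(hexstr: str) -> str:
    """Decode a hex dump, showing non-printable bytes as '.' like a hex editor."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def docx_text(data: bytes) -> str:
    """'Mount' a .docx: open the ZIP and strip the XML tags from the main document
    part. Enough for keyword searching; it ignores formatting, headers and footers."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8")
    return "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))


def make_docx(text: str) -> bytes:
    """Constructed sample: a minimal .docx built in memory (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p>"
                    "</w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    print(hex_to_ascii("4D414453203639370000"))   # the quiz slide's bytes
    sample = make_docx("secret memo")
    print(identify(sample), hex_to_ascii(sample[:16].hex()))  # docx, but the hex is just "PK.."
    print(docx_text(sample))
```

The quiz bytes match no signature and are all printable, so the tool calls them text; a real .docx shows "PK" and unreadable compressed bytes in the editor, and only `docx_text` (the 'mount') exposes the words. The truncated-ZIP branch is the carving case: the header was recovered but the central directory at the end of the file was not.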

Hex values represent pixel colors: in an uncompressed .bmp file every pixel after the header (54 bytes in the common layout) is stored as three bytes, blue, green, red, so the hex maps straight to a color. .png and .jpg have the same issue as .docx and .pdf: the pixel data is compressed (DEFLATE for PNG, DCT for JPEG), so the file has to be decoded ('mounted') first, and the raw hex cannot be interpreted as colors.

Exercise: create a .bmp file by hand
http://magazine.art21.org/2011/09/13/how-to-create-a-bitmap-image-file-by-hand-without-stencils
Go to the link above and follow the step-by-step instructions. You will create a .bmp file by writing hex code.
Step 1: Go to https://hexed.it/ and select New file.
Step 2: Paste the hex representation of the HEADER of a .bmp file.
Step 3: Choose a width that is divisible by 4 (4x4, 8x8, 16x16): with 3 bytes per pixel each row is then a multiple of 4 bytes and needs no padding bytes at the end of the row.
Step 4: Create an image that looks like the image below (the reference image is not reproduced in this transcript).
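Added example (not part of the linked page or the slides): the same kind of .bmp is built from a pixel grid in Python, so the 54 header bytes the exercise has you paste can be seen being computed, and the file is parsed back to check them. The 4x4 red-over-blue sample image is constructed here; the exercise's reference image is not reproduced.

```python
"""Build a 24-bit .bmp from a pixel grid and read it back, byte for byte the
way the hex-editor exercise does it. Added example; the header layout is the
standard BITMAPFILEHEADER (14 bytes) followed by BITMAPINFOHEADER (40 bytes)."""
import struct

PIXEL_OFFSET = 14 + 40  # pixel array starts right after the two headers


def bmp_from_pixels(rows):
    """rows: list of rows (top to bottom) of (r, g, b) tuples, all the same length."""
    height, width = len(rows), len(rows[0])
    row_bytes = width * 3
    padding = (4 - row_bytes % 4) % 4      # each row is padded to a 4-byte boundary
    pixels = bytearray()
    for row in reversed(rows):             # BMP stores the bottom row first
        for r, g, b in row:
            pixels += bytes((b, g, r))     # ...and each pixel as B, G, R
        pixels += bytes(padding)
    file_size = PIXEL_OFFSET + len(pixels)
    # "BM", file size, two reserved words, offset of the pixel array
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, PIXEL_OFFSET)
    # header size, width, height, planes, bits/pixel, compression (0 = none),
    # image size, x and y pixels per metre (2835 = 72 dpi), colours used/important
    info_header = struct.pack("<IiiHHIIiiII",
                              40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixels)


def pixels_from_bmp(data):
    """Parse the headers and return (width, height, rows) for an uncompressed 24-bit BMP."""
    magic, _file_size, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("missing BM signature")
    (_hdr_size, width, height, _planes, bpp, compression,
     _img_size, _x, _y, _used, _imp) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    bottom_up = height > 0                 # a negative height means top-down rows
    height = abs(height)
    stride = (width * 3 + 3) // 4 * 4      # row length including padding
    rows = []
    for y in range(height):
        start = offset + y * stride
        rows.append([(data[start + i + 2], data[start + i + 1], data[start + i])
                     for i in range(0, width * 3, 3)])
    if bottom_up:
        rows.reverse()
    return width, height, rows


# Constructed sample: a 4x4 image, red on top, blue at the bottom.
RED, BLUE = (255, 0, 0), (0, 0, 255)
SAMPLE = [[RED] * 4, [RED] * 4, [BLUE] * 4, [BLUE] * 4]

if __name__ == "__main__":
    data = bmp_from_pixels(SAMPLE)
    print(data[:PIXEL_OFFSET].hex(" "))        # the header bytes you would paste into hexed.it
    print(data[PIXEL_OFFSET:].hex(" "))        # the pixel bytes, bottom row first, B G R order
    print(pixels_from_bmp(data)[2] == SAMPLE)  # round trip
```

Two details the exercise glosses over are visible in the bytes: the rows come out bottom-up, and a width that is not a multiple of 4 (try 3 pixels wide) gets padding bytes that a naive "one pixel = three bytes" reading would misinterpret as colors.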


Research Paper Topics (the conceptual map below is repeated on every slide of this section)

Computer Forensics
    File Systems Forensics
    Network Forensics
    Mobile devices Forensics
(Cyber)crimes
    The Dark Web
    Cybercriminals: Motivations and subcultures
Legal and ethical issues
    Court admissibility
    Forensics and privacy rights
    Ethical issues in digital forensics
Forensics Science
    Evidence preservation
    Writing forensics reports
    Anti forensics
IoT and Big Data
    Statistical analysis of data generated by IoT devices
    Machine learning and IoT data

Research paper: 3000 words + presentation.
References: at least three academic articles published in the last 5 years, and at least one theoretical chapter from a book or theoretical article explaining the concept you are investigating.

Choice of topic: specific, relevant, achievable within four/five weeks.
Topic 1: The dark web
Topic 2: The selling/buying/sharing of illegal material on the Dark Web
Topic 3: The uses of the Dark Web by law enforcement to gather digital evidence
Topic 4: Anti forensics
Topic 5: Methods of wiping data
Which topics are specific and which topics are NOT specific?

Exercise: write down two research topics that are NOT specific and one research topic that is specific. Save your three topics to a file and email your list to louai@fdu.edu (later).

Choice of topic: use academic journals and books.

"Timelining is a powerful tool for forensic analysis and contextual awareness. Many forensic tools can automatically structure files and data based on the time they were accessed, last changed, or deleted" (Arnes, 2018)

Conceptual map exercise: create a conceptual map that summarizes the concepts related to file system forensics (check the book, the slides from class 8 and any other resources). Your map should include the following concepts: file carving, physical extraction, logical extraction, slack, partition table, file signature, file header, file mounting, RAM slack, drive slack, order of volatility. Add it to a document and email it to louai@fdu.edu.

Writing Reports: the four parts of an examination report
Case data
Purpose of examination
Findings
Conclusions

Writing Reports: "Case data, or similar in a criminal setting, is simply information that describes the investigation that the examination is part of. Case data would include the name of the person who ordered the examination and some identifier information that identifies the evidence pieces that are subject to examination. The key point here is to maintain chain of custody or similar, as well as being able to distinguish the examination from other examinations"

Writing Reports: examples of purpose of examination
"The purpose of this examination was to identify if documents stolen during the break-in at samplestreet 41 were present on the computer. The suspect stated, in an interrogation, that the computer was hacked. Thus, the examination also included looking for evidence of remote control software, malicious software and evidence of intrusion"
"The aim of the examination was to extract all pictures from the device"

Exercise: investigation of whether a suspect has used their laptop to visit a website where illegal services are advertised. Write up (1) the case data, (2) a description of the purpose of the examination, (3) the findings and conclusions.

C:\Windows\System32\winevt\Logs\Security.evtx: checking when a user logged on. The Security log records a successful logon as event ID 4624 (its Logon Type field says how: 2 = interactive at the console, 10 = Remote Desktop, 3 = network access such as a file share), a failed logon as 4625 and a user-initiated logoff as 4647. The .evtx file is a binary format, so read it with Event Viewer, PowerShell's Get-WinEvent or a forensic tool, and bear in mind that what was recorded depends on the audit policy that was in force on the machine.
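Added example (not from the slides): once the relevant events have been exported from Security.evtx as XML (Event Viewer's Save As, or Get-WinEvent followed by ToXml()), this Python builds the logon timeline the slide asks for. The four events below are constructed for the example and are wrapped in a single <Events> root; their Data names follow the real 4624/4625/4647 event schema.

```python
"""Turn exported Security log events into a logon timeline for one user.
Added example; the events in SAMPLE_XML are constructed, but their
EventID values and Data names follow the 4624/4625/4647 event schema."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service",
               "7": "unlock", "8": "network cleartext", "9": "new credentials",
               "10": "remote interactive (RDP)", "11": "cached interactive"}
EVENTS = {"4624": "logon", "4625": "logon FAILED", "4647": "logoff"}

SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2018-06-26T21:15:20.1234567Z"/>
  <Computer>LAPTOP01</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">LAPTOP01</Data>
  <Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2018-06-26T21:16:02.0000000Z"/>
  <Computer>LAPTOP01</Computer></System>
 <EventData><Data Name="TargetUserName">LAPTOP01$</Data><Data Name="TargetDomainName">WORKGROUP</Data>
  <Data Name="LogonType">5</Data><Data Name="IpAddress">-</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><TimeCreated SystemTime="2018-06-26T23:40:11.0000000Z"/>
  <Computer>LAPTOP01</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">LAPTOP01</Data>
  <Data Name="LogonType">10</Data><Data Name="IpAddress">203.0.113.7</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4647</EventID><TimeCreated SystemTime="2018-06-27T01:02:03.0000000Z"/>
  <Computer>LAPTOP01</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">LAPTOP01</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Yield one dict per logon-related event; other event IDs are skipped."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in EVENTS:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        logon_type = data.get("LogonType")
        yield {
            # Windows writes 7 fractional digits (more than strptime's %f takes); keep seconds.
            "time": datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S"),
            "event": EVENTS[event_id],
            "user": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
            "logon_type": LOGON_TYPES.get(logon_type, logon_type or "-"),
            "source_ip": data.get("IpAddress") or "-",
        }


def human_logon_timeline(xml_text):
    """Sorted timeline with computer/service accounts (names ending in $) and
    network/service/batch logons removed; that noise hides the person at the keyboard."""
    rows = [r for r in parse_events(xml_text)
            if not r["user"].endswith("$")
            and r["logon_type"] not in ("network", "service", "batch")]
    return sorted(rows, key=lambda r: r["time"])


if __name__ == "__main__":
    for r in human_logon_timeline(SAMPLE_XML):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S}  {r['event']:<13} {r['user']:<18} "
              f"{r['logon_type']:<26} {r['source_ip']}")
```

The service logon by the machine account is dropped on purpose: on a real workstation those arrive every few minutes and would swamp the three events that answer the question. The failed RDP attempt keeps its source address, which is the kind of detail that goes into the findings section of the report.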

Internet Forensics
Check the browser's history
Check the browser cache
Check cookies

Email Headers and the Limitations of IP addresses
Received: from SAM-MBX03.ead.ubc.ca ([169.254.6.120]) by s-itsv-hub04p.ead.ubc.ca ([137.82.151.86]) with mapi id 14.03.0389.001; Tue, 26 Jun 2018 14:15:20 -0700
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
Sometimes it is possible to find the IP address of the sender in the email header; other times the IP address found is the IP address of a mail server. Each server that handles the message prepends its own Received: line, so the chain is read from the bottom (earliest hop) upwards. In the line above, the "from" address 169.254.6.120 is a link-local (169.254.0.0/16) address that only has meaning inside the sending organisation's network, and 137.82.151.86 is the receiving hub server, not the machine of the person who wrote the mail. Only the Received: lines added by servers you control or trust can be relied on; anything below them could have been written by the sender.
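Added example (not from the slides): a small Python tool that walks a Received: chain earliest hop first, labels each "from" address as link-local, private or global, and treats any address that also appears in a "by" clause as a mail server rather than a sender. HEADERS_MAPI contains the slide's hop plus a constructed receiving-side hop (mx.example.net); HEADERS_SUBMIT is entirely constructed, with a client at 203.0.113.45 (a documentation range, which the classifier deliberately treats as routable for the demonstration).

```python
"""Walk an e-mail's Received: chain and separate sender candidates from relays.
Added example; the headers below are the slide's UBC hop plus constructed hops."""
import ipaddress
import re
from email import message_from_string

# The slide's hop (earliest, at the bottom) with a constructed receiving-side hop above it.
HEADERS_MAPI = """Received: from s-itsv-hub04p.ead.ubc.ca ([137.82.151.86]) by mx.example.net
 with ESMTPS id abc123; Tue, 26 Jun 2018 14:15:22 -0700
Received: from SAM-MBX03.ead.ubc.ca ([169.254.6.120]) by s-itsv-hub04p.ead.ubc.ca
 ([137.82.151.86]) with mapi id 14.03.0389.001; Tue, 26 Jun 2018 14:15:20 -0700
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary

"""
# Constructed: same relay, but the first hop is an authenticated client submission (ESMTPSA).
HEADERS_SUBMIT = """Received: from s-itsv-hub04p.ead.ubc.ca ([137.82.151.86]) by mx.example.net
 with ESMTPS id abc124; Tue, 26 Jun 2018 15:01:09 -0700
Received: from [192.168.1.20] (unknown [203.0.113.45]) by s-itsv-hub04p.ead.ubc.ca
 ([137.82.151.86]) with ESMTPSA id xyz789; Tue, 26 Jun 2018 15:01:07 -0700
Content-Type: text/plain

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOP = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>.*?)(?:\s+with\b|\s+id\b|;|$)")

# Explicit ranges rather than ipaddress.is_private, which would also hide the
# 203.0.113.0/24 documentation range used for the constructed client above.
NON_ROUTABLE = {
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local (APIPA)": [ipaddress.ip_network("169.254.0.0/16")],
    "private (RFC 1918)": [ipaddress.ip_network(n)
                           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
}


def classify(ip):
    addr = ipaddress.ip_address(ip)
    for label, nets in NON_ROUTABLE.items():
        if any(addr in net for net in nets):
            return label
    return "global"


def hops(raw):
    """Received headers, earliest hop first, each split into its from/by parts."""
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):   # headers are prepended, so reverse
        value = " ".join(value.split())                     # unfold continuation lines
        m = HOP.search(value)
        if not m:
            continue
        out.append({"from": m["frm"], "by": m["by"],
                    "from_ips": IPV4.findall(m["frm"]), "by_ips": IPV4.findall(m["by"])})
    return out


def likely_sender_ip(raw):
    """First global address in a 'from' clause that never appears as a relay ('by');
    None when every address is a mail server or non-routable."""
    chain = hops(raw)
    relays = {ip for h in chain for ip in h["by_ips"]}
    for h in chain:
        for ip in h["from_ips"]:
            if classify(ip) == "global" and ip not in relays:
                return ip
    return None


def report(raw):
    lines = []
    for i, h in enumerate(hops(raw), 1):
        for ip in h["from_ips"]:
            role = "mail server (seen as relay)" if ip in {x for hh in hops(raw) for x in hh["by_ips"]} \
                else classify(ip)
            lines.append(f"hop {i}: from {ip}: {role}")
    lines.append(f"sender candidate: {likely_sender_ip(raw)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(HEADERS_MAPI)))
    print("\n".join(report(HEADERS_SUBMIT)))
```

For the slide's header the tool reports no sender candidate: the only addresses are a link-local one and the hub that relayed the message, which is exactly the limitation the slide describes. The constructed submission case shows the other outcome, a routable client address in the earliest hop. In either case the hops below the first server you trust are attacker-controlled text and can be fabricated outright.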

https://www.forbes.com/sites/runasandvik/2013/12/18/harvard-student-receives-f-for-tor-failure-while-sending-anonymous-bomb-threat/#7d804b215457
The article linked above covers the 2013 Harvard bomb-threat case: the sender used Tor, which hid the destination, but the university's own network logs showed which machines had connected to the Tor network around the time the threat was sent, and that narrowed the suspects to a handful of people. Anonymity tools do not remove the evidence kept by the network you connect from.