Digital Forensics. Andrew Schierberg, Fort Mitchell Police, Schierberg Law; Jay Downs, Kenton County Police.

Overview
Definitions
Process
Common Issues, Strategy & Case Examples

Data Storage: Bits, Bytes, Sectors, Clusters, and Slack Space
Bit: Smallest unit of data on a computer (0 or 1)
Byte: 8 bits (A = 01000001)
Sector: A subdivision of the storage medium, commonly 512 bytes
Cluster: A group of sectors (commonly 8)

Simple example
A 2048-byte file (a text file with 2048 characters) takes up 4096 bytes of space, because that is one cluster and a cluster is the smallest unit of space the file system can allocate.
This means the other 2048 bytes of that cluster are not used by the file and may still contain older data (called slack space).

Deleted files
When you delete a file, operating systems generally delete the reference to the file, but not the file itself. The deleted file can remain on the storage device until the space it occupies is needed for new data.

Overwritten
A previously deleted file where the operating system has written new data over some or all of the file.

Wipe/Secure Delete
Generally done on free space; intentionally overwrites data so that the original data isn't recoverable
Secure delete functions do this at the time of deletion
Can be used to infer intentional destruction of discovery
Files are generally overwritten with a specific character, commonly 0

File carving
Identification and extraction of files from unallocated space using file signatures

Figure (diagram): Active file, deleted file, partially overwritten file, wiped file

Trash/Recycle: Easily recoverable; metadata probably still intact
Unallocated space: Data carving; easily recoverable; metadata may be gone
Overwritten: May recover a partial file if partially overwritten
Secure Delete/Wipe: File intentionally overwritten; data gone and not recoverable
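Signature-based carving over a constructed block of unallocated space, as an added example that is not part of the presentation. The sectors, the minimal JPEG-shaped and PNG-shaped byte strings, and the two signatures are all constructed here; it shows why the deleted file carves cleanly, the partially overwritten file yields only a fragment, and the wiped sector yields nothing.

```python
import re

# Header and footer bytes for the two formats this example carves; a real
# carver ships hundreds of such signatures.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
SECTOR = 512

def carve(data, max_len=1 << 20):
    """Return (offset, kind, payload, complete) for every header found.

    A header with no matching footer within max_len bytes is reported as a
    partial carve whose payload is the window that follows the header.
    """
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), data):
            start = m.start()
            end = data.find(tail, start + len(head), start + max_len)
            if end == -1:
                hits.append((start, kind, data[start:start + max_len], False))
            else:
                hits.append((start, kind, data[start:end + len(tail)], True))
    return sorted(hits, key=lambda h: h[0])

def sector(payload):
    """Pad a payload to one sector; the padding is the slack space."""
    return payload.ljust(SECTOR, b"\x00")

# Constructed sample file: a minimal JPEG-shaped byte string, not a real image.
DELETED_JPEG = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"

def build_sample_image():
    """Constructed unallocated space, one sector per scenario from the slide."""
    return b"".join([
        sector(b""),                                # never used
        sector(DELETED_JPEG),                       # deleted: directory entry gone, bytes intact
        sector(b"\x89PNG\r\n\x1a\n" + b"P" * 300),  # PNG whose following sector was
        sector(b"N" * SECTOR),                      # ...overwritten by new data
        sector(b""),                                # wiped: zero-filled, nothing to carve
    ])
```

Trusting the first footer can cut a JPEG short at the end marker of an embedded EXIF thumbnail, so real carvers validate file structure rather than stopping at the first footer match.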

Forensic imaging / forensic image
A non-destructive, verifiable, and repeatable exact bit-for-bit duplication of a storage device, used for forensic examination.
Non-destructive: does not alter anything on the original device
Verifiable: uses hash values to confirm an exact bit-for-bit match
Repeatable: subsequent forensic images will produce the same results

Forensic Process
Identification
Acquisition
Preservation
Analysis
Reporting

Identification
Use knowledge of the case to identify or predict the types of electronic devices involved, the information each device may provide, and the relative importance of the devices

Acquisition
Obtain the original electronic items (if possible)
Create forensic images of the devices (if possible)
A critical step: if not done properly, data can be altered
First step in the chain of custody

Forensic image vs. backup
Forensic image                     Backup
Bit-for-bit copy of drive          Copy of active files
Entire drive                       User-selected portions of drive
Captures deleted files             May capture files in trash
Non-destructive                    May alter metadata
Verifiable                         Generally no verification
Repeatable                         Results may vary with repetition

Preservation
Original evidence should be pulled and tagged to prevent changes
If the parties agree, a verified forensic image can be shared with all parties; this is generally done when servers are involved

Analysis
Generally performed on the forensic image, not on the original disk
Uses forensically sound software
Should be a joint effort between the forensic expert and the attorney or investigator
Triage can help narrow the focus

Reporting
Reports include information showing that the forensic copies are verified copies
Anything provided in a report should be replicable by another expert
Reporting, at least on the criminal side, is changing a bit (more on that later)
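The verifiable and repeatable properties from the forensic-image definition, and the verification figures a report carries, as an added example that is not part of the presentation. The "device" is an in-memory byte string constructed here (a real acquisition reads the block device through a write blocker), and ChangingSource is a constructed stand-in for media that does not read the same twice, the situation the mobile-device slide raises; the three digests must agree before the image counts as verified.

```python
import hashlib
import io

CHUNK = 4096  # read size; a real acquisition reads the device through a write blocker

def hash_stream(stream, algorithm="sha256"):
    """Hash a readable binary stream from its current position to EOF."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def acquire(source, image, algorithm="sha256"):
    """Copy source to image byte for byte, hashing every block as it is read."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        image.write(block)
    return h.hexdigest()

def acquire_and_verify(source, image, algorithm="sha256"):
    """Image the source, then return the figures a verification report needs."""
    acquired = acquire(source, image, algorithm)
    source.seek(0)
    image.seek(0)
    reread = hash_stream(source, algorithm)  # does the source still read the same?
    stored = hash_stream(image, algorithm)   # did every byte land in the image?
    return {"algorithm": algorithm, "acquisition_hash": acquired,
            "source_rehash": reread, "image_hash": stored,
            "verified": acquired == reread == stored}

class ChangingSource(io.BytesIO):
    """Constructed stand-in for media that does not read the same twice."""
    def __init__(self, data):
        super().__init__(data)
        self.rewound = False
    def seek(self, offset, whence=0):
        self.rewound = self.rewound or (offset == 0 and whence == 0)
        return super().seek(offset, whence)
    def read(self, size=-1):
        block = super().read(size)
        if self.rewound and block:  # after a rewind, the first byte of each block differs
            block = bytes([block[0] ^ 0x01]) + block[1:]
        return block

def demo(data, changing=False):
    """Acquire constructed bytes; return (report, image_bytes)."""
    source = ChangingSource(data) if changing else io.BytesIO(data)
    image = io.BytesIO()
    return acquire_and_verify(source, image), image.getvalue()
```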

Common issues & Strategy

How long does this take?
The time it takes can cause speedy-trial issues as well as cost issues
Factors influencing time: amount of data, quality of the storage devices, quality of the forensic devices, scope of the search, priority of the case

Triage & Preliminary Reports
Triage is now commonly used to narrow the focus of searches
Preliminary reports and products generated automatically by forensic tools can be used to negotiate a deal
Full reporting is only used when a trial will happen

Forensic Expert vs. IT Expert
Two different skill sets are at play
Forensic experts don't need to be IT experts, and IT experts don't need to be forensic experts
Forensics is an expensive field to enter; free file recovery tools from the Internet aren't forensic tools
IT professionals aren't commonly trained on evidentiary issues such as chain of custody

Juries
Forensic experts need to be able to speak to normal humans
Many times, the first part of testimony may be something like the beginning of this presentation
If two experts get into a battle of technical terms, the jury is guaranteed to get lost
An expert who can draw non-technical analogies is golden

Mobile devices
Repeatable results? Why not?
Flash memory is a chip, not a "disk". The hardware has a limited life, as memory is programmed and erased using electrical currents.
Files are written to blocks with defined space.
Garbage collection: a background process that duplicates files and deletes "dead" files to maximize space, without user involvement.
Wear leveling ("rotating your tires"): a user deletion will copy everything in that block to another block, leaving duplicates behind until the space is needed.

Wear leveling

The cloud
Phones, tablets, computers, appliances, smart home, fitness trackers, any "smart" technology.
Applications: data is not local.
The CLOUD Act, PL 115-141 (March 23, 2018): primarily, the CLOUD Act amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies, via warrant or subpoena, to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
Preservation orders and notification.
Volatile and available during preview.
Seize, and seek authority to search?

On-site preview
Useful and volatile data.
Encryption: RAM dump; known files.
Triage what to seize and what can be left behind.
Improve workload efficiency at the forensic lab.
Assist in the interview and investigation in real time.
Father/son example.
Destruction of evidence?
Search warrant issues: one warrant or two?