Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011

Data handling workflow Obtain data from depositor / donor Examine the acquired data to locate user generated content Appraise data to select data of potential value to the institution Transfer selected data into digital repository for curation & preservation

Acquisition

Data Acquisition Methods Act of obtaining copy of digital data from depositor media and transferring into a managed environment for subsequent analysis: 1.File copy: Files are copied/moved from the donor’s media to AIM-owned storage, e.g. FTP, DVD-R, hard disk 2.Disk clone: Bit copy of files on source disk copied to mirror disk 3.Disk image: Bit copy of disk is created and stored as a file on other media. Different Hardware Different Media

Decision tree for choosing capture method

Analysis

7 Data held on a digital media Content held on digital media serves many purposes: Operating system files, e.g. Windows has 30,000+ after fresh install Software: Applications, utilities, games, etc. Log data: Windows Registry, browser cache, cookies, temp files User-generated content: Documents, images, sound, s, etc. Different data layers available: 1.Active data: Information readily available as normally seen by an OS 2.Inactive/residual data: Information that has been deleted or modified Deleted files located in unallocated space that have yet to be overwritten (retrieved using undelete application) Data fragments that contains information from a partially deleted file (retrieved through carving) Inactive data useful, but need to consider ethical issues

1. Analysis techniques for active data Common techniques: Navigate directory structure to get a ‘feel’ for data files held on disk Search by: File name, e.g. *report* File type, e.g. *.doc, *.pdf, etc. Creation/modification date Content type, e.g. word usage File size Additional parameters configurable Windows search easy to perform, but does not identify everything – investigation process can leave artefacts, e.g. thumbs.db behind

1. OSForensic Search UI for active files Sort by: Name, Folder, Size Type, Creation date, Modification date, Hash set, Foreground colour, Background colour

10 2. Recovering deleted files Data files deleted by user continue to exist on disk! filename is changed and occupied space is simply labelled as ‘unallocated’, i.e. available for use. May be recovered if the space has not been reallocated to new data. However, likelihood of retrieving entire file decreases with usage of disk. Recovering partial/complete files Recoverable using Undelete\File recovery software to search unallocated space and relabel found files as available. Recovering Data Fragments Fragments of files may be recovered using Data carving technique - raw bits of disk analysed to identify recognisable patterns that may indicate a data file, e.g. header/footer, semantic information. Carving software designed to take a linear approach to locating data files – ineffective on fragmented disks Creates Franken-Files! – incomplete files, large files containing info from multiple sources, extracts embedded images from Powerpoints, etc Img source:

2. OSForensic Deleted File UI 99-50% complete content Data carving identifies data fragments, but frequently wrong about file type

3. Keyword Search Scan the content of a disk, including all s, documents and other text content, to locate a particular search term. Commonly used by police to identify illegal content, e.g. bank numbers, telephone numbers, drug references, etc. Archival use: Does the disk contain reference to topic X? What trends may be identified in use of concept – when did term appear and disappear?

4. Analysis of research behaviour Hard disk contain large amount of other information: Web sites visited/bookmarked for research Chat logs indicating discussion with colleagues Other digital media that may have been used to store data This may be useful for understanding researcher work process, but be wary of the ethical issues

Decision tree for choosing appropriate analysis method

Forensic Hardware 1) Desktop PC Intel Pentium Dual Core E5800 CPU (3.20Ghz) 2GB DDR 500GB HD Super multi DVD-RW (2) USB Write Blocker Prevents OS writing to connected devices (4) Kryoflux USB Floppy disk controller to enable attachment of disparate disk devices & forensic imaging (3) Drive enclosure Enables connection of internal ATA/SATA disks via USB

16 Thank You! Gareth Knight Centre for e-Research, King’s College Questions