Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 7: Investigating Windows, Linux, and Graphics Files.

Similar presentations


Presentation on theme: "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 7: Investigating Windows, Linux, and Graphics Files."— Presentation transcript:

1 Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 7: Investigating Windows, Linux, and Graphics Files

2 © Pearson Education Computer Forensics: Principles and Practices 2 Objectives Conduct efficient and effective investigations of Windows systems Find user data and profiles in Windows folders Locate system artifacts in Windows systems Examine the contents of Linux folders

3 © Pearson Education Computer Forensics: Principles and Practices 3 Objectives (Cont.) Identify graphic files by file extensions and file signatures Identify what computer forensics graphic tools and techniques can reveal and recover

4 © Pearson Education Computer Forensics: Principles and Practices 4 Introduction In many cases you may have gigabytes or even terabytes of data that must be searched for evidence. This chapter helps maximize efficiency of the search by showing default locations of file storage and hiding techniques of wrongdoers.

5 © Pearson Education Computer Forensics: Principles and Practices 5 Investigating Windows Systems Activities of the user result in user data  User profiles  Program files  Temporary files (temp files)  Special application-level files

6 © Pearson Education Computer Forensics: Principles and Practices 6 Investigating Windows Systems (Cont.) System data and artifacts are generated by the operating system  Metadata  Windows system registry  Event logs or log files  Swap files  Printer spool  Recycle Bin

7 © Pearson Education Computer Forensics: Principles and Practices 7 Hidden Files Files that do not appear by default are hidden files These can be viewed through the following steps:  Open Windows Explorer  Go to Tools > Folder Options > View > Hidden files and folders  Select Show hidden files and folders  Click OK

8 © Pearson Education Computer Forensics: Principles and Practices 8 Investigating Windows Systems (Cont.) Data and user authentication weaknesses of FAT  Userids are not required  Only attributes are associated with files or folders Data and user authentication improvements in NTFS  Separation of duties  Anonymity of the user

9 © Pearson Education Computer Forensics: Principles and Practices 9 Investigating Windows Systems (Cont.) Identify the operating systems of a target hard drive by:  Operating system folder names  The folder for the Recycle Bin  The construction of the user root folders because of the differences in the way user data is kept

10 © Pearson Education Computer Forensics: Principles and Practices 10 Finding User Data and Profiles in Windows Folders Documents and Settings folder  Contains a user root folder for each user account created on the computer  Windows NT and above automatically install Administrator All users Default user (hidden)

11 © Pearson Education Computer Forensics: Principles and Practices 11 Finding User Data and Profiles in Windows Folders (Cont.) Data stored in the user root folder:  Desktop settings, such as wallpaper, screensavers, color schemes, and themes  Internet customizations, such as the homepage, favorites, and history  Application parameters and data, such as e-mail and upgrades  Personal files and folders, such as My Documents, My Pictures, and so on

12 © Pearson Education Computer Forensics: Principles and Practices 12 Finding User Data and Profiles in Windows Folders (Cont.) Some of the subfolders in the user root folder include:  Application data (hidden)  Cookies  Desktop  Favorites  Local Settings (hidden)  My Documents  NetHood (hidden)

13 © Pearson Education Computer Forensics: Principles and Practices 13 Location of User Root Folders Operating System (Platform)User Root FolderLocation Windows 9x :\WINDOWS\Profiles\useridUSER.DAT file Windows NT :\WINNT\Profiles\useridNTUSER.DAT file Windows 2000 and Windows XP :\Documents and Settings\userid NTUSER.DAT file

14 © Pearson Education Computer Forensics: Principles and Practices 14 In Practice: Temp Internet Files Provide Valuable E-Evidence Data stored in the Temporary Internet Files folder can be valuable supporting evidence, even if deleted Statute 18 U.S.C. §2256(8) rules as pornography any data stored on computer disk that can be converted into a visual image

15 © Pearson Education Computer Forensics: Principles and Practices 15 Investigating System Artifacts Types of metadata  Descriptive: describes a resource for purposes such as discovery and identification  Structural: indicates how compound objects are put together  Administrative: provides information to help manage a resource, such as when it was created, last accessed, and modified Be alert for alternate data streams (ADS)

16 © Pearson Education Computer Forensics: Principles and Practices 16 In Practice: Searching for Evidence Do not use the suspect system itself to carry out a search for evidence Using Windows to search and open files can change the file’s metadata Such changes may cause evidence to be disallowed in court

17 © Pearson Education Computer Forensics: Principles and Practices 17 Investigating System Artifacts (Cont.) Registry  Can reveal current and past applications, as well as programs that start automatically at bootup  Viewing the registry requires a registry editor Event logs track system events  Application log tracks application events  Security log shows logon attempts  System log tracks events such as driver failures

18 © Pearson Education Computer Forensics: Principles and Practices 18 Investigating System Artifacts (Cont.) Swap file/page file  Used by the system as virtual memory  Can provide the investigator with a snapshot of volatile memory Print spool  May contain enhanced metafiles of print jobs Recycle Bin/Recycler  Stores files the user has deleted

19 © Pearson Education Computer Forensics: Principles and Practices 19 “Shredding” Data Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data

20 © Pearson Education Computer Forensics: Principles and Practices 20 Investigating Linux Systems Windows can have many users with administrator access, but Linux has only one administrative account, called root Root account has complete control of the system In Linux, all devices, partitions, and folders are seen as a unified file system A typical installation creates three partitions: the root, boot, and swap partitions

21 © Pearson Education Computer Forensics: Principles and Practices 21 Investigating Linux Systems (Cont.) The Linux file system includes the data structure as well as the processes that manage the files in the partition Linux’s virtual file system provides a common set of data structures:  Superblock  Inode  Dentry  Data block

22 © Pearson Education Computer Forensics: Principles and Practices 22 Investigating Linux Systems (Cont.) Seven different file types available in Linux:  Normal files  Directories  Links  Named pipes  Sockets  Block devices  Character devices

23 © Pearson Education Computer Forensics: Principles and Practices 23 Investigating Linux Systems (Cont.) Default Linux installations generally include system directories such as the following:  /boot  /dev  /etc  /home  /lib  /lost+found  /mnt  /proc  /root  /sbin  /tmp  /usr  /var

24 © Pearson Education Computer Forensics: Principles and Practices 24 Investigating Linux Systems (Cont.) Key Linux files and directories to investigate:  /etc/passwd  /etc/shadow  /etc/hosts  /etc/sysconfig/  /etc/syslog.conf

25 © Pearson Education Computer Forensics: Principles and Practices 25 Investigating Linux Systems (Cont.) Deleted files  Check the Trash can for each login user for deleted files that can be recovered Using grep to search file contents  Grep allows for sophisticated character-based data searches Compressed files  Some Linux applications such as OpenOffice automatically compress data files

26 © Pearson Education Computer Forensics: Principles and Practices 26 Graphic File Forensics The investigator can use file signatures to determine where data starts and ends and the file type  File extension (such as.jpg) one way to identify a graphic file  A user can easily change the file extension, but the data header does not change  Forensic tools can resolve conflicts between file extensions and file types

27 © Pearson Education Computer Forensics: Principles and Practices 27 Graphic File Forensics (Cont.) The process of retrieving all relevant pieces of a file is called data carving or data salvaging An investigator may have to reconstruct the data header using file signature information Layered graphic files (such as Photoshop or Corel) can hide information behind layers Graphics saved as JPEG, TIFF, GIF, or BMP do not have layers

28 © Pearson Education Computer Forensics: Principles and Practices 28 Graphic File Forensics (Cont.) Steganography is a form of data hiding in which a message is hidden within another file  Data to be hidden is the carrier medium  The file in which the data is hidden is the steganographic medium Both parties communicating via steganography must use the same stego application

29 © Pearson Education Computer Forensics: Principles and Practices 29 Graphic File Forensics (Cont.) Steganography is difficult to detect; the following clues may indicate stego use  Technical capabilities or sophistication of the computer’s owner  Software clues on the computer  Other program files that indicate familiarity with data-hiding methods  Multimedia files  Type of crime being investigated

30 © Pearson Education Computer Forensics: Principles and Practices 30 In Practice: Child Pornography Hiding criminal content within “innocent” files can allow perpetrators such as child pornographers to exchange information A scenario is described by which child pornographers can easily pass information to others in the ring

31 © Pearson Education Computer Forensics: Principles and Practices 31 Summary Search times can be reduced through the use of default folders and operating system artifacts The skill level of the user will determine whether this is an effective use of time in the case

32 © Pearson Education Computer Forensics: Principles and Practices 32 Summary (Cont.) A savvy user can hide data through:  Nonstandard file folders  Renaming file types  Using layered graphics  Masquerading data with steganographic techniques


Download ppt "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 7: Investigating Windows, Linux, and Graphics Files."

Similar presentations


Ads by Google