
Digital ForensicS / magazine
The Quarterly Magazine for Digital Forensics Practitioners
ISSUE 02

INSIDE
/ Forensic Investigation of Virtual Environments
/ Lab tested: Disklabs’ Faraday Evidence Bag
/ Inside the EU Data Retention Act
/ Brew your own version of COFEE

Competition! Win 3 State of the Art Sony Dictaphones

ANDROID ON THE LOOSE
Andrew Hoog unveils Google’s new mobile operating system, showing us exactly what’s important for forensic investigators

Issue 2 / £17.50 TR Media
/ REGULARS / LATEST News / Book Reviews / 20% DISCOUNT
LEGAL NEWS, 360, IRQ… AND MORE / Mobile phone encryption hacked / Malware Forensics Live Hacking / Elcomsoft PASSWORD RECOVERy SOFTWARE
/ EDITORIAL

EDITORIAL

Has it really been three months already since we launched the first issue? A huge thanks to all of you who have sent your good wishes and kind comments following our launch. You can find some of these comments in 360 along with our responses to your letters.

We have been listening…! Many comments were received about the online delivery platform and we have already moved to a new platform. We have also launched the new website providing subscribers with access to additional articles and information; as ever we are happy to receive your feedback via 360.

Issue 2 comes in at 84 pages, 32 additional pages of packed content that will be the standard for all future issues. Our amazing authors have also provided articles that are topical and full of interesting practical advice and tips to practitioners, as well as the more thought provoking research articles. As the pace of change and competition heats up in the mobile phone market we take a look inside Android. In addition, we report on the first Mobile Telephone Examination Board (MTEB) conference and have included a piece on the issues and difficulties of a mobile phone practitioner. On the back of the COFEE leak, we take a look at what all the hype is about and provide information about how to create your own toolkit. We also take a look into the virtual world and how digital forensic practitioners can investigate this environment.

I could go on listing all the content of this issue but think it better that you look for yourselves to find all the interesting and varied articles.

2009 was a year where the term CyberCrime was constantly in the news. Consequently, the interest in how online crime can be investigated and how criminals are brought to justice using Digital Forensic tools and techniques became the subject of much discussion and debate. This trend is set to continue in 2010 as the pace and change to technology and how we use it continues. So too will the challenges to both the researchers and the practitioners of Digital Forensics. We already know that the UK Forensic Science Regulator is working to produce standards and guidelines and the USA has a new Cyber champion and we will watch these areas with interest. If any significant events take place in your region, please be sure to let the news desk know by sending details to news@digitalforensicsmagazine.com.

Digital Forensics covers a large number of activities, not just those tools and techniques associated with investigation around law enforcement; the requirements for internal audit, eDiscovery and data recovery, to name but a few, can all be considered under the umbrella of Digital Forensics. It is this and the fact that the use of technology is now and continues to become an integral part of our lives that tells me that the future for those working in the field of Digital Forensics is set to become a very interesting and challenging one and we here at DFM are committed to doing our part in providing all the support that we are able.

/ ROY ISBELL

Digital Forensics Magazine is a quarterly magazine, published by TR Media Ltd, registered in the UK. It can be viewed online at: www.digitalforensicsmagazine.com

Editorial Board
Tom Knight, Tony Campbell, Roy Isbell, Dr Tim Watson, Moira Carroll, Alastair Clement, Angus Marshall

Acquisitions
Roy Isbell, Tony Campbell

Editorial Assistant
Sharon Campbell

News Desk
Matt Isbell

Chief Sub Editor
Tom Knight

Sales & Marketing
Matthew Rahman

Production and Design
Matt Dettmar (Loud Vision Ltd)

Contributing Authors
Robert Aynsworth, George Bailey, Tony Campbell, Liz Conway, Moira Carroll-Mayer, Bill Dean, Eric Fiterman, Alistair Duffy, Andrew Hoog, Dr Barry Hood, Matt Isbell, Roy Isbell, Peter Jones, Noemi Kuncik, Angus Marshall, Mark Osborne, Scott Zimmerman

Technical Reviewers
Tony Campbell, Eric Fitterman, Roy Isbell, Dr Tim Watson, Dr Gavin Manes, Tarak Modi, Moira Carroll-Mayer, Scott Zimmerman, Roy Isbell, Darin Dutcher, Tarak Modi, Peter Jones

Contact Digital Forensics Magazine

Editorial
Contributions to the magazine are always welcome; if you are interested in writing for Digital Forensics Magazine or would like to be on our technical review panel, please contact us on editorial@digitalforensicsmagazine.com. Alternatively you could telephone us on: +44 (0) 203 2393666

News
If you have an interesting news item that you’d like us to cover, please contact us on: news@digitalforensicsmagazine.com

Advertising
If you are interested in advertising in Digital Forensics Magazine or would like a copy of our media kit, contact the marketing team on: marketing@digitalforensicsmagazine.com.

Subscriptions
For all subscription enquiries, please visit our website at www.digitalforensicsmagazines.com and click on subscriptions. For institutional subscriptions please contact our marketing department on marketing@digitalforensicsmagazine.com.

Feedback
Feedback or letters to the Digital Forensics Magazine editor should be sent to 360@digitalforensicsmagazine.com.

Copyright and Trademarks
Trademarked names may appear in this magazine. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Digital Edition Provider
Digital Forensics Magazine uses ZMags for its Digital Editions, allowing the creation of carbon neutral publications.


/ CONTENTS

CONTENTS
/ DIGITAL FORENSICS MAGAZINE ISSUE 02

REGULARS
/ NEWS 06
/ 360° 09
/ COMPETITION 34
/ BOOK REVIEWS 78
/ IRQ 82
Introducing our new regular column...

FEATURES
/ ANDROID FORENSICS 12
Andrew Hoog explores the challenges posed by the Android platform for the digital forensics community
/ COUNTER-FORENSICS TECHNIQUES 19
Noemi Kuncik and Andy Harbison take a trip into the sinister world of counter forensics
/ INTRODUCTION TO FORENSICS 27
George Bailey explains the forensic investigative process from evidence collection to the courtroom
/ WHO NEEDS COFEE? 45
Bill Dean separates fact from fiction as he evaluates what COFEE means for digital forensics professionals
/ FORENSIC MODELLING 52
Dr Barry Hood explores a number of novel approaches to support operational forensics with formal models

LEGAL
/ DATA RETENTION ACT 38
Mark Osborne takes a look at the challenges posed to UK & European organizations by the 2006 directive

TECHNOLOGY
/ FARADAY BAG TEST 60
Alistair Duffy summarises the initial results from De Montfort University’s evaluation process
/ MOBILE PHONE PRACTITIONER 64
Peter Jones explores the prospects for a discipline in a constant state of revolution, and makes a plea for action
/ DATA INTEGRITY 69
Examining the emergence of data-centric information integrity to prove the integrity of an electronic file
/ FORENSIC EVIDENCE COLLECTION 73
Eric Fitterman & JD Durick examine the implications of platform and desktop virtualization for digital investigators
/ NEWS

NEWS

WIFS at the limits of forensic knowledge

Pure research at the limits of digital forensic knowledge took pride of place at the 1st International Workshop of Information Forensics and Security, sponsored by the IEEE Signal Processing Society and held in December 2009 at the British Telecoms offices and auditorium near St Paul’s Cathedral in London.

The workshop and conference was held over four days, with delegates being provided with tutorials on Mobile Device Forensics, Privacy Enhancing Technologies and DRM Beyond Access Control, and a technical workshops program covering Watermarking, Forensics, Traitor Tracing, Biometry, Privacy & Anonymity, Content Fingerprinting, Device Identification and Cryptography.

The conference was interspersed by Keynote speeches from David Bénichou (Vice Président Chargé de l’instruction), Bruce Schneier (BT) and Mikko Hypponen (F-Secure).

The call for papers resulted in 124 submissions, of which 39 were selected for presentation during the technical workshops. The quantity, quality, diversity and depth of the subjects researched demonstrates the far reaching subject of Digital Forensics and the international research effort that is going on in the various academic institutions. Some of the research will forever be in the theoretical research domain; however much could and does have practical application, and it is the building of bridges to pass this knowledge to the Digital Forensic practitioners that will be the test for a wider success or failure of the research being undertaken.

From a practitioner’s perspective the research presentations were academic-focused, with the standard complex applied mathematical approach assuming a high degree of prior knowledge. They failed to demonstrate just how the research was carried out in practical terms, which would have allowed the practitioners who were attending to better understand how they might apply the research to their own work.

As an academic workshop it was a success, the quality of the Keynote speakers supported by an excellent venue location. A highlight was the dinner held at the Guildhall, which enhanced what was four days packed full of content and diversity, though some participants hoped for the organizing committee to consider how they might expand beyond the academic to include more of those who have a practical use for the research being carried out.
Cyber security challenge UK-style

As part of the UK National Security Strategy the first ever Cyber Security Strategy for the UK was released in June 2009. Part of this strategy was the establishment of the “Office of Cyber Security” to provide strategic leadership and establish a programme to achieve the UK Cyber Security objectives.

One initiative of this programme is to establish the OCS UK ‘Cyber Security Challenge’. This is an initiative based on models used in the USA such as the DC3 Digital Forensics Challenge (www.dc3.mil/challenge/2010) hosted by the US Department of Defence, the CyberPatriot Defence Competition (www.highschoolcdc.com) organised by the US Air Force Association as a national high school cyber defence competition on cyber investigation and forensics, and the NetWars (www.sans.org/netwars) Capture-the-Flag Competition organised by the SANS Institute.

All of these competitions are designed to market the field of Cyber Security as an attractive career option and to identify those who have the technical skills to fill the ranks of the cyber security practitioners and researchers required to protect against and investigate the Cybercrime and Forensic challenges of the 21st century.

It is planned that those successful in the UK challenge will be offered sponsorship or internships. The competitions will initially be targeted at school/university leavers. It is intended that the first Challenge will be up and running by the autumn of 2010.

The OCS plans to involve Industry, Universities and Schools, including initiatives such as the eSkills Academy, along with the major Government Departments MoD, GCHQ and CPNI in the competition to raise awareness of CyberSecurity in general and develop the links required to ensure success.

/ NEWS ROUND-UP

ANDROID OS CHALLENGES

As mobile phone technology rapidly changes, the need for improved software and operating systems increases. In recognition of this, the Open Handset Alliance released Android, an open source mobile device platform based on the Linux 2.6 kernel. The first Android device was released in October 2008 and by early 2010 it is estimated that over 40 Android devices will be commercially available. It is also predicted that by 2012, Android will be on over 15% of the mobile phone market. For mobile phone forensic practitioners, Android presents a significant new addition to the many operating systems in use, and understanding how this new operating system works and can be forensically investigated adds to the challenges in this growing aspect of digital forensics.

US CYBERSECURITY CZAR NAMED

The White House has appointed a new head of cybersecurity, Howard Schmidt. Schmidt, a 40-year security and business veteran, is charged with establishing computer security policy. He previously served as George W. Bush’s cyber-adviser and chief security strategist for the US CERT Partners Program. Schmidt was formerly chief security strategist for eBay and also worked at Microsoft as director of information security. Most recently he has been active as President and CEO of the Information Security Forum and president of the Information Systems Security Association. His memberships include the High Technology Crime Investigation Association, the American Academy of Forensic Sciences and the International Association of Chiefs of Police. Among his challenges will be working within the NSA to improve cyber defence and ensuring privacy protection for citizens.

MICROSOFT IN CHINA CROSSFIRE

Google has threatened to cease operations in China after the search engine giant was the victim of a “systematic and targeted” cyber attack. The attack originated from within China and, as a result, Google has threatened to end the censorship of its search engine site, although this change has yet to be made. A Google spokesman said he believed that the attack was at least in part aimed at accessing the email accounts of Chinese Human Rights Activists. This is understood to have been unsuccessful. The attack (codenamed Aurora) was made possible through a previously little known Remote Code Execution (RCE) vulnerability in Internet Explorer, the exploit code of which has been released into the wild. As a result Germany and France are now urging their citizens to switch from Internet Explorer to open source browsers in response to the threat. Microsoft has responded by advising an upgrade to version 8 of their browser.

CELL PHONE ENCRYPTION HACKED

Bringing in the New Year in December 2009, the GSM encryption securing 88% of the world’s mobile phones for almost 20 years was cracked. The “A5/1 Cracking Project” released “attack tables”; these tables use a combination of compression techniques, including rainbow tables and distinguished point chains, and were computed in three months using 40 distributed CUDA nodes, and subsequently published on the Internet using BitTorrent. There have been as yet unconfirmed reports that Israel’s Weizmann Institute of Science announced they had also cracked the KASUMI system, a 128-bit A5/3 algorithm implemented across 3G networks.

360°
Your chance to have your say …

The response we had to issue 1 was fantastic, and our thanks go to all those who took the time to let us know what you think, and make suggestions on how we might improve. You will see that we have already taken on board a number of your comments, thoughts and ideas, and we will continue to look at ways that we can improve the content and delivery of the magazine. Rather than fill up the magazine with all your comments we have selected those that give a representative view of your thoughts. A ‘Star Letter’ has been selected, the author of which will receive a Faraday Bag worth £90, as tested in this issue of Digital Forensics Magazine.

This is your magazine so we want to hear from you with your ideas on how we can improve, articles you would like to read, and information you would like to know about. Or just let us know what you feel is good or bad about the whole thing.

Send your letters and feedback to: 360@digitalforensicsmagazine.com

/ Tackle the identity crisis

Congratulations on the launch of DFM! This magazine could fill a much-needed gap in the world of Digital Forensics here in the UK, where much of the available material is US centric and of little interest to practitioners in the UK.

I do encourage you to tackle what seems to be a bit of an identity crisis and to become more UK focussed and limit references to US procedures that have little relevance here in the UK. It may also widen interest in countries worldwide, which do not follow the US legal framework.

You have also made the mistake of describing English legal disclosure as “discovery” and of referencing cases in the US that are of marginal interest to UK based practitioners. It would have been much more interesting to see some analysis of English cases such as Digicel v C&W, Earles v Barclays etc. which are the cases that UK practitioners need to know about. I would have preferred to see some commentary on the English Civil Procedure Rules rather than the Federal equivalent. Your Competition asks a very US specific question using an abbreviation that will be a mystery to many UK readers. I was also surprised to see your book review was of a book published 4 years ago.

I could go on and mention a number of other criticisms, but that would be unfair against a first edition which overall rates at least 7 out of 10.

I do hope you will revisit your decision to use YUDA as a distribution technology. The first thing I had to do was print the magazine in PDF format so that I could read flowing pages in a truly portable format. YUDA makes it very difficult to produce a high quality print in PDF format and limits printing to a maximum of 15 pages. The flash version does not allow flowing pages or the use of “page down” to view the bottom half of the page, if the “page width” screen option is selected. Also, a number of forensic practitioners will disable flash for security reasons.

Ian R Henderson CCE CISA FCA

You raise a number of issues that have been much discussed here at DFM. Our original intention to be a UK focussed magazine and to develop it to a point where we could take it international was dramatically changed by the response to our initial web launch and call for authors, such that we found we had a significant international audience from Day 1. The legal area is one that will continue to challenge us just as it does in the practical world. The world of Cybercrime and Forensics crosses international jurisdictions and presents challenges to those working in this field. Understanding international issues as well as those within our own jurisdiction will prepare us all better to deal with the international aspects of investigations. We hope you will find that the changeover from Yuda to Zmags improves your enjoyment of the on-line version of the magazine.

This issue’s star letter wins a Disklabs’ Faraday Bag!

/ Not just for anoraks

I am not entirely sure how to start this email without wishing to appear a sycophant, but I will, and so here it is. As my wife would say, I am now an official member of the Anorak and no mates club, as I found myself immersed in the first issue of the magazine and read it from cover to cover without a break. Every article was of relevance to my work and was written so that even I could understand it. The article Forensic Examination of a computer system was something I could have done with about 3 years ago, before my baptism of fire in creating a forensic unit from scratch; it is reassuring to see that the common sense procedures we have adopted in house are in line with the way others are working, even if it is by a combination of luck and some good advice from others in the forensic community.

Areas I would be interested to hear about in future issues:

• Hashes – md5 vs sha1 etc, is it safe to use just one? If MD5 is broken and no longer used in cryptography, what are the arguments for/against it still being valid as a method of image verification/file identification? (Is it true that the lady at Shandong University who first broke the algorithm memorises taxi plates as a hobby or is that an urban myth?)
• Cross-jurisdictional issues (standard procedures required to satisfy different courts may affect how that evidence can be used in a third party country – indeed the terms under which any evidence is transferred can sometimes limit how you can deal with further offences you may discover)
• Build your own forensic PC’s vs off the shelf systems
• Windows 7 as a forensic environment (is the integrated XP virtualisation a saviour for users of trusty old XP tools?)
• Imaging using Forensic Linux distros such as deft, helix etc – is this a cheap way of kitting out a lab?

Once again thanks for the hard work that has obviously been put into creating a professional and informative first issue, long may it continue.

Chris Woolley

The magazine is aiming to provide information suitable for the student, the practitioner and the academic, and to develop a bridge for information sharing and learning. All of your ideas have been noted and we will be looking for additional as well as our current authors to develop some of these ideas; perhaps the lady from Shandong University might like to comment on your question. You might also like to consider sharing your own experiences with the rest of us? The legal aspects of Digital Forensics is one that has been and I am sure will continue to be commented on as the profession grows and the need for international cooperation becomes greater; we will do our part by keeping you informed.

/ New career path

As a student studying software engineering and intelligent systems I was surprised at how interested I found the articles in the first issue of the digital forensics magazine. Having read the first issue (cover to cover in one sitting) I found myself signing up to the BCS cybercrime forensics specialist group and looking for universities that offer MSc’s in Computer/Digital Forensics and eDiscovery. I was delighted to see a book review section and hope that many more reviews will take place highlighting good texts in digital forensics and perhaps other sources of good information in future issues.

Given that mobile and rugged devices are now as common (if not more common) than PC’s, and also given the ease with which one can network and share data with such devices, it would be interesting to read a few articles on digital forensics highlighting the unique challenges pertaining to this specialist area. Keep up the good work.

R Fairbairn

Welcome to the world of Digital Forensics; we are sure you will find it a fascinating and varied subject in which to continue your studies. A number of Universities advertise their Computer Forensic MSc courses with us and I urge you to contact them to discuss what they have to offer. There are three more book reviews in Issue 2 and we will continue to develop this area; we have been in discussions with a number of publishing companies who specialise in this area and have agreements in place to be provided with the latest books as they become available. Mobile computing, especially mobile phone forensics, is indeed a challenging and fascinating area; we have an in depth look at Android this issue that might get you started.

/ COMMENTS FROM THE WEBSITE

Some responses from the various forensic forums/blogs that the Digital Forensics team found interesting, or that we felt merited a response:

The Yudu software was quick enough when loading in my browser but navigating the pages was clunky and the cursor was very slow (jumping over the page after a significant time lag).

Yudu. Nice. Easy navigation. Very greedy on RAM (254K+), making it jumpy and irresponsive/slow at times. Great mag, thanks.

Interestingly, with ‘NoScript’ running on Firefox, the front page is a blank screen.

So far so good. DFM looks like it could develop into a potentially useful resource for computer forensics experts.

A quarterly publication schedule raises legitimate questions of timeliness, given how fast the forensics world changes. The magazine could focus on so-called “evergreen” articles, which are designed to have a longer shelf life, but it’s a dubious approach for a rapidly evolving industry.

Moreover, it’s a little hard to imagine that many folks will be all that keen to pony up that amount of coin for a handful of articles, particularly given the fact that such large amounts of computer forensics material is available online for free (i.e., advertising-supported).

As the computer forensics industry continues its inexorable climb towards multi-billion revenues, there will be a demand for trade journals. Whether DFM will be part of the mix remains to be seen.

The first issue was very nicely done; I was very pleasantly surprised with the quality of the articles and presentation of the online format.

Your magazine is GREAT! All of my forensic students have taken a look at the first issue; it’s going to be required reading for my classes from now on. The articles are top-notch.

It was clear very early on that many of you were having problems with the Yudu system and we responded by providing a pdf version of the magazine via the web site. We have subsequently moved to a new provider who we feel is much better, to provide a more flexible capability for regression to other formats if subscribers’ systems do not have the facility for Flash. The issue of price will always be a tricky one and we will be constantly reviewing this to ensure that our subscribers get value for money, and one of the ways that we are looking into is moving from 50 plus pages to 80 plus pages per issue, and moving from 4 issues a year to 6 issues a year, watch this space..!

Issue 1 was a free issue to not only test the appetite for the magazine, but to also test both our internal and external processes for production and delivery. This as it turns out was very prudent, and has moved us to a point where Issue 2 should see the back of most of our early problems. Let us know if you have any comments as we are on a constant improvement journey to make sure that you receive a great magazine both on-line and in print.
/ LEAD FEATURE

ANDROID ON THE LOOSE
Everything a mobile examiner needs to know (for now) about Google’s mobile platform

The Android platform is fast becoming established, with new devices and applications appearing weekly. Andrew Hoog explores the challenges this poses for the digital forensics community
/ ADVANCED

When Google, the world’s largest search company, moved into the mobile application platform business, the lines between mobile/cell forensics and traditional computer forensics became even blurrier. Until recently, most cell phones have awkwardly tried to participate in both the voice and data worlds: devices that were phones first, with data applications a kludge add-on. However, Android was built from the ground up as a data-aware device and as such provides a wealth of information about how it was used and ultimately about the user.

This article will provide an overview of the Android platform including supported hardware devices, the structure of the Android development project, implementation of core services such as wireless communication, data storage and other low-level functions, strategies to forensically acquire an image of the device and finally techniques effective in the analysis of the file systems.

Android emulator
/ History and background

Android is an open source mobile device platform based on the Linux 2.6 kernel and managed by the Open Handset Alliance, a group of major mobile device hardware and software vendors. The first Android device was released in October 2008 and by early 2010, 41 Android devices will be commercially available. An October 2009 report released by Gartner predicted that by 2012, Android will be the 2nd largest smart phone provider with 18% of the market (totaling 94.5 million units sold). Already, Android devices account for 20% of the traffic generated by smart phones (the largest being the iPhone at 55%) according to an October 2009 report by Admob [1].

But enough statistics; nearly everyone agrees that Android is poised to make a significant impact on the smart phone (and forensics) market. The open source nature of the project has not only established a new direction for the industry (forcing behemoths like Nokia/Symbian to open source their platform) but enables a developer or code savvy forensic analyst to understand the device at the most fundamental level. As the core platform is quickly maturing and is provided free of charge, carriers and hardware vendors alike can focus their efforts on customizations intended to retain their customers. And let’s face it, Android has buzz. It is unlikely Motorola could have generated more than a mild yawn from consumers about their next phone if it wasn’t something radically new.

/ Technologies and forensic considerations

As mentioned earlier, Android is based on the Linux 2.6 kernel. For those of us involved in Linux and Unix over the years, the familiar architecture will aid in your understanding and analysis of the device. While the current devices available all use ARM-based processors, Android is being ported to other architectures. In the near future, expect to see ports to both Intel and MIPS, if not more.

Unlike traditional Linux though, Android does not use the standard C-library and instead uses the Bionic C-library (a BSD-derived implementation), which means that executable code must be compiled against that library to run on the device. However, only a small group of developers should be concerned with this as user application development in Android is done in Java and runs in a Dalvik virtual machine. The choice of the non-standard Dalvik VM has upset some, as standards in the Java world would have pointed to Java ME as the platform; so the promise of write-once, run-everywhere is once again thrown a curveball.

Each user application is run in a separate Dalvik virtual machine (DVM) with a separate user id and process, which is a key mechanism used to enforce data security. Applications can only access the data within their DVM unless another application and the phone owner specifically allow the data to be shared. So each time an application is installed on an Android device, the user is presented with a screen to authorize the access the new application is requesting.

But an Android application developer interacts at one additional level of abstraction, the Application Framework. Using this layer, the developer has access to the device’s core functionality in a simplified and structured way. Google has provided considerable documentation on these topics which should be reviewed to better understand how the device works. One key concept is that of a Content Provider. These interfaces allow applications to share their own data with other applications as well as access other applications’ data.

/ Memory mechanisms

One important concept to understand is the mechanisms by which an application can store data on the device. While all
persistent data is stored to either the NAND memory or the SD
/ Discretion required Card, developers have four different methods which they can
As a result of this secure architecture, forensic examiners use. Forensic examiners will uncover data in at least three of
do not have a built-in mechanism we can use on the phone these formats and as such it is important to understand each.
to extract core user data. Instead, new techniques must be The formats are:
developed which required some interaction with the device.
This brings us to the inevitable discussion about the 1. Preferences allow a developer to store key-value pairs in a
challenges of mobile phone forensics. A fundamental goal lightweight format
in digital forensics is to prevent any modification of the 2. Files allow for more complicated data storage which are
target device by the examiner. However, mobile phones lack saved directly to the file system
traditional hard drives which can be shutdown, connected to 3. SQLite databases are used for structured data store.
a write blocker and imaged in a forensically sound way. As Android uses SQLite3 databases and recovery of and from
such, the examiner must use their discretion when examin- these files is a very key part of the forensic analysis.
ing a mobile device and if the device is modified, they must 4. The final data storage is via the network (or to be trendy,
explain how it was modified and more important, why that the cloud). While certain investigations may require network
choice was made. analysis, most reply on data stored on the device.
There are critics of this approach who point out that any
modification of the targeted device is unacceptable and
certainly that is a primary goal for every examiner. While I Android has buzz. It is
understand that position, the reality of smart phone dilemma
is that short of physical memory chip extraction, every tech-
unlikely Motorola could have
nique will modify the device in some way; sticking ones head generated more than a mild
in the sand about the evolving digital devices isn’t going to
help solve any crimes. In fact, techniques which may alter
yawn from consumers about
the device in a known way have been in place for some time. their next phone if it wasn’t
Some examples of such approaches are a live memory analy-
sis for a malware attack, a live image of an encrypted drive
something radically new
while it is still mounted or of a complex RAID environment;
any examiner who cannot see the need and value in these / Android SDK and Emulator
examples should probably just focus on the traditional cases One important step any aspiring Android forensics examiner
involving a hard drive which can be removed. must complete is setting up the free software development kit
But before we get into specific techniques, there are a few provided by Google2. The SDK not only provides a set of tools
additional concepts keys to understand how Android devices and drivers needed by the examiner but also a full emulator
work. The Linux kernel acts as an abstraction layer between (running as root) which is critical to application profiling and
the device hardware and the user applications. It provides other forensic research. The SDK is supported in many
memory and process management, hardware drivers and environments including Linux, Windows and OS X.
other core functionality, allow the application developer to While Linux is my preferred development environment, the
focus on development through an application framework and SDK directions below are targeted for Windows XP. At the
its supporting libraries. The libraries cover needed functional- time of this article, the current Android SDK available was
ity such as graphics rendering and acceleration (OpenGL), font 2.01. The installation requires Java and we recommend you
rendering (FreeType), media support using OpenCORE (audio, install the Eclipse development environment and associated
pictures, videos, etc) and structured data storage (SQLite), to ADT plug-in for faster development and testing, although
name a few. this step is not required.

13
/ LEAD FEATURE

1. Install Java
   a. JDK5 or JDK6
      i. JDK 6 Update 17
      ii. http://java.sun.com/javase/downloads/index.jsp
2. [Optional] Install Eclipse (3.4 or newer is recommended)
   a. http://www.eclipse.org/downloads/
   b. For Eclipse 3.5, the "Eclipse Classic" version is recommended.
      i. Galileo – Eclipse Classic 3.5.1
      ii. http://www.eclipse.org/downloads/download.php?file=/eclipse/downloads/drops/R-3.5.1-200909170800/eclipse-SDK-3.5.1-win32.zip
   c. Unzip eclipse-SDK-3.5.1-win32.zip to the directory of choice
3. SDK
   a. Download SDK
      i. http://developer.android.com/sdk/index.html
   b. Unzip android-sdk_r04-windows.zip and add to your path
      i. Control Panel -> System -> Advanced -> Environment Variable -> Select Path -> Edit -> append to the path the tools directory in your SDK
4. [Optional] Install ADT for Eclipse
   a. Follow directions at http://developer.android.com/sdk/eclipse-adt.html
5. Run "SDK Setup.exe" from the SDK directory (I had to use the http instead of https option under Settings -> Misc), select the desired platform(s) and click OK.

Once the SDK and Eclipse are fully downloaded and installed, we can fire up our first Android emulator, which Google calls an Android Virtual Device (AVD). To do this, open a Command prompt and type:

android list targets

which will display the Android versions available for emulation on your system. For our example, we will create an AVD running Android 1.5, which is what the G1 eventually ran. To do this, type the following in your command prompt:

android create avd -n af15 -t 2

which will create the files needed for the AVD. On Windows XP, the files are located in your profile in a folder called .android, and then each AVD has its own directory inside a parent avd directory. To then run the emulator, type the following command:

emulator -avd af15

and you should then be presented with an AVD running Android 1.5 which you can interact with via the emulator, adb or other techniques.
Note that when you connect your first physical Android device to your workstation, you may need to install drivers. For Windows XP, you will need to specify the driver location, which is <SDK root>\usb_driver.

/ File system overview
Like most Linux systems, there are several file systems in use on Android, many of which are used to boot and run the system. While these are important areas, this article will focus on the file systems where user data is stored, in particular the FAT32 SD Card and the YAFFS2 partitions.
Most (if not all) Android phones come with an SD Card where some of the user data is stored. On the T-Mobile G1 the card was 1GB, the T-Mobile MyTouch came with a 2GB card and the Motorola Droid with a 16GB card. The card is formatted with FAT32 for interoperability with common operating systems. Some of the data stored on the card includes photos, videos, thumbnails, downloaded files, text-to-speech temporary files and Google Maps Navigation data, as well as data from many Android Market applications.
While the SD Card data is very important, much of the sensitive information found on the device is located in the user data partition found on the phone's NAND memory. This partition uses the open source file system YAFFS2 (Yet Another Flash File System 2) and is one of the new challenges with the Android platform.

/ Source code issues
YAFFS2 was built specifically for the growing NAND memory devices and has a number of important features which address the stringent needs of this medium. It is a log-structured file system, provides built-in wear-leveling and error correction, is fast and has a small footprint in RAM. However, since its usage was limited prior to Android, there are currently no forensic tools (commercial or open source) that support the file system. This leaves forensic analysts with few options except to download the YAFFS2 source code, grab a forensic image of a partition, open it up in your favorite hex editor and start digging. Of course, we've done a bit of this work for you, so read on if you would like the full details, which are a synthesis of the source and its implementation on an Android phone.
Let's start with the YAFFS2 file system as it is written on NAND memory. The memory is addressed in blocks and each contains a set number of pages (often called chunks). For Android devices, each block has 64 chunks and each chunk is 2048 bytes (so blocks are 128k) plus a 64 byte Out-Of-Band/spare area where various tags and metadata are stored. When a block is allocated for writing it is assigned a sequence number which starts at 1 and increments with each new block.
Before we look further into the YAFFS2 data structures, there are a few key properties of NAND memory which must be understood. First, unlike magnetic hard drives, flash memory has a very limited number of writes which it can support (generally around 100,000). As a result, flash-aware file systems take great care to reduce the number of writes. When flash memory is erased, the entire block is written with 0xFF (all 1's) and this is the only mechanism by which a 0 can be changed to a 1. As a result, when flash is written to (not erased), it will only change 1 bits to 0. An example provided by the YAFFS2 developers is that if a byte holds 10110011 and you write 11011010 to it you will get 10010010, the logical AND of the two values.
Data structures stored in YAFFS2 are referred to as Objects and can be files, directories, symbolic links and hard links. Each chunk either stores a yaffs_ObjectHeader (object metadata) or data for the object. The yaffs_ObjectHeader tracks various information including the Object type, the parent object, a checksum of the name to speed up searching, the object name, permissions and ownership, MAC information and the size of the object if it is a file.
In the 64 byte OOB/spare area, YAFFS2 stores critical information about the chunk but also shares the area with the Memory Technology Devices (MTD) subsystem. The critical YAFFS2 tags are:

1 byte: Block state (0xFF if block is good, any other value for a bad block)
4 bytes: 32-bit chunk ID (0 indicates chunk is storing a yaffs_ObjectHeader, else data)
4 bytes: 32-bit Object ID (similar to traditional Unix inode)
2 bytes: Number of data blocks in this chunk (all but the final chunk will be fully allocated)
4 bytes: Sequence number for this block
3 bytes: ECC for tags (in Android, handled by MTD)
12 bytes: ECC for data (in Android, handled by MTD)

If an object is changed, a new yaffs_ObjectHeader is written to flash since NAND memory can only be written once before erasing. The old data and headers still exist but are ignored in the file structure by examining the values of the sequence number. Using this process complies with the guideline that blocks in NAND can never be re-written (only written once and then erased when no longer needed).
Similarly, when a file is deleted in YAFFS2, it is moved to a special, hidden "unlinked" or deleted directory. The file remains in this directory until all of the chunks in the file are erased. To achieve this, the file system tracks the number of chunks in the system for the file and when it reaches 0, the remnants of the file no longer exist. At that point, it will no longer track the object in the "unlinked" directory.

[Figure: Android applications framework]

/ Regeneration
While the file system can be regenerated completely from the OOB area and Object Header information, this is not efficient, especially as the size of NAND memory grows. The structure is thus loaded and then maintained in RAM (with writes to the NAND as needed) using a tree node structure (T-node) to track all allocated chunks. T-nodes are a fixed 32 bytes and at their lowest level (Level 0) each stores an index used to locate the first chunk id. As the file size grows, additional levels are added which consist of 8 pointers to other T-nodes.
To regenerate, YAFFS2 reads each chunk in its block allocation order, starting from the end and working back, and populates the file system structures as T-nodes in RAM. This requires scanning the entire NAND and is a time consuming operation. To work around this issue, Checkpointing was developed for YAFFS2, which persists the RAM structure to NAND (using 10 blocks) when it is properly unmounted.
A few other key concepts are needed to round out your understanding of YAFFS2. First, garbage collection is queued up and, if needed, is done each time a write to the system occurs. If all the chunks in a block are no longer in use, the block is a candidate for garbage collection. The system is also capable of taking the "dirtiest" block and copying its allocated chunks to new blocks, thus making the block available for garbage collection. To make the block available again, it is erased by writing all 1's (0xFF).
On Android devices, YAFFS2 does not access the NAND directly, instead interfacing through the Memory Technology Devices (MTD) subsystem. This system handles the direct interaction with the NAND and is responsible for formatting the OOB area as well as error correction. MTD was developed since the Linux kernel did not originally support flash memory, which has very different characteristics than the traditional block or character devices.
When YAFFS2 is ready to write data to the NAND, it makes a call to the MTD and passes the data and the OOB structure. The MTD is then responsible for writing both the data and the OOB, as well as reading; YAFFS2 does not have specific knowledge of how the data is written to NAND memory. MTD is a significant system itself and an entire article could be written on it. For the purposes of this article, we provide this simplified view as an abstracted mechanism for managing the NAND and leave further research to the reader.
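The NAND write rule, the spare-area tags and the sequence-number versioning described above, as an added example that is not code from the article or from the YAFFS2 project: it packs the tags in the order the article lists them (that field order, little-endian encoding and a 2048+64 byte chunk layout in the dump are assumptions of this example), models a NAND program operation, and over a constructed dump picks the live header per object while keeping the superseded copies a recovery would want.

```python
import struct
from collections import defaultdict

CHUNK_SIZE = 2048        # data bytes per chunk on the Android devices described
SPARE_SIZE = 64          # OOB/spare area bytes per chunk
CHUNKS_PER_BLOCK = 64    # 64 chunks x 2048 bytes = 128k per block

# Packed layout assumed for this example, in the order the article lists the
# tags: block state (1), chunk id (4), object id (4), count (2),
# sequence number (4), tags ECC (3), data ECC (12). Field order and
# little-endian encoding are assumptions, not the layout of any kernel.
TAGS_FMT = "<BIIHI3s12s"
TAGS_LEN = struct.calcsize(TAGS_FMT)   # 30 bytes; the rest belongs to MTD
ERASED = 0xFFFFFFFF                    # never-written fields read back all 1's


def nand_write(current: int, value: int) -> int:
    """Programming NAND can only turn 1 bits into 0 bits, so the byte that
    ends up stored is the logical AND of old and new (erase resets to 0xFF)."""
    return (current & value) & 0xFF


def build_spare(chunk_id: int, obj_id: int, n_bytes: int, seq: int) -> bytes:
    """Construct a spare area for a good block; the ECC fields are left as
    0xFF because on Android the MTD layer, not YAFFS2, fills them."""
    tags = struct.pack(TAGS_FMT, 0xFF, chunk_id, obj_id, n_bytes, seq,
                       b"\xff" * 3, b"\xff" * 12)
    return tags + b"\xff" * (SPARE_SIZE - TAGS_LEN)


def parse_tags(spare: bytes) -> dict:
    """Decode the YAFFS2 tags from a spare area (chunk id 0 = object header)."""
    state, chunk_id, obj_id, n_bytes, seq, _, _ = struct.unpack_from(TAGS_FMT, spare)
    return {"good_block": state == 0xFF, "chunk_id": chunk_id,
            "object_id": obj_id, "n_bytes": n_bytes, "seq": seq,
            "is_header": chunk_id == 0}


def split_image(image: bytes):
    """Yield (index, data, tags) per chunk of a dump in which each chunk's
    64 spare bytes directly follow its 2048 data bytes."""
    stride = CHUNK_SIZE + SPARE_SIZE
    for idx in range(len(image) // stride):
        raw = image[idx * stride:(idx + 1) * stride]
        yield idx, raw[:CHUNK_SIZE], parse_tags(raw[CHUNK_SIZE:])


def index_objects(image: bytes) -> dict:
    """Group chunks by object id. Per object the header with the highest
    sequence number is live; earlier headers are superseded versions that
    remain readable until their block is garbage collected."""
    found = defaultdict(lambda: {"headers": [], "data": defaultdict(list)})
    for idx, data, t in split_image(image):
        if not t["good_block"] or t["object_id"] == ERASED:
            continue                      # bad block or never-written chunk
        entry = found[t["object_id"]]
        if t["is_header"]:
            entry["headers"].append((t["seq"], idx))
        else:
            # the count field says how much of the 2048-byte chunk is in use
            entry["data"][t["chunk_id"]].append((t["seq"], idx, data[:t["n_bytes"]]))
    objects = {}
    for obj_id, entry in found.items():
        headers = sorted(entry["headers"])
        objects[obj_id] = {"live_header": headers[-1][1] if headers else None,
                           "superseded_headers": [i for _, i in headers[:-1]],
                           "data": entry["data"]}
    return objects


def reconstruct(objects: dict, obj_id: int) -> bytes:
    """Current content of a file: per chunk id keep the copy with the highest
    sequence number, then concatenate in chunk-id order."""
    data = objects[obj_id]["data"]
    return b"".join(max(data[cid])[2] for cid in sorted(data))


def demo_image() -> bytes:
    """Constructed dump: object 257 written in the block with seq 1, then
    edited in the block with seq 3 (new header, rewritten chunk 1); object
    300 written once in the block with seq 2; one erased chunk."""
    def chunk(data, chunk_id, obj_id, seq):
        return (data.ljust(CHUNK_SIZE, b"\xff")
                + build_spare(chunk_id, obj_id, len(data), seq))
    return b"".join([
        chunk(b"yaffs_ObjectHeader notes.txt v1", 0, 257, 1),   # index 0
        chunk(b"old draft of the note", 1, 257, 1),            # index 1
        chunk(b"yaffs_ObjectHeader photo.jpg", 0, 300, 2),     # index 2
        chunk(b"\xff\xd8\xff\xe0 jpeg bytes", 1, 300, 2),      # index 3
        chunk(b"final text of the note", 1, 257, 3),           # index 4
        chunk(b"yaffs_ObjectHeader notes.txt v2", 0, 257, 3),  # index 5
        b"\xff" * (CHUNK_SIZE + SPARE_SIZE),                   # index 6, erased
    ])


if __name__ == "__main__":
    objs = index_objects(demo_image())
    print(bin(nand_write(0b10110011, 0b11011010)))   # the article's 10010010
    print(objs[257]["live_header"], objs[257]["superseded_headers"])
    print(reconstruct(objs, 257))
```

The older data chunk (index 1) stays in objs[257]["data"][1] beside the rewritten one, which is exactly the "versioned" recovery that remains possible until garbage collection erases its block.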

/ Forensics techniques
Of course, the real reason you are reading this article is to understand various techniques for the forensic acquisition and analysis of Android devices. Over the past year, we have developed six distinct methods for acquiring an Android device. The methods each have their advantages and disadvantages, which we will also briefly highlight:
The SD Card should be removed from the phone (you will have to decide between a shutdown, safe unmount or removal without unmounting) and forensically analyzed. As mentioned earlier, the card is formatted as FAT32 and your traditional techniques should suffice.
Some Android devices will have backups (often on the SD Card, but they can be elsewhere) which hold a varying degree of data. If the phone is an ADP1 (developer phone) or has otherwise gained root access, the owner may use a backup package called Nandroid, which is very thorough. Also, some applications are now available on the Android Marketplace which allow a user to back up some of their data. Either way, you should attempt to locate any backup files and examine them.
The Android Debug Bridge (adb) ships with the SDK and is a very powerful tool for interacting with the device. Under normal circumstances, the adb daemon on the phone runs as "shell" and does not have access to the critical user data. However, you can still extract significant information about the phone and some information about its owner by using adb. If the device has root access, you can use adb to extract nearly all allocated data on the system.
Several commercial tools now support Android. To date, each of them installs an application on the device and as such modifies the device in a significant way. They are then able to extract "the usual" information from the device including SMS, call logs, contact information, etc. They are not able to pull deleted information. In our forthcoming Android Forensics book, we intend to release an open source "proof of concept" application which will read the SMS database and save it for further analysis. Our hope is that the community will then extend the application to support many more applications.
The technique we developed through our R&D, referred to as the Hoog Method, allows the examiner to gain a full "dd image" from an Android device. The method does not work on all Android devices but the R&D continues. After the examiner has a full dd image, they have the ability to recover all information (deleted and undeleted), especially as the research into YAFFS2 matures.
Various theoretical techniques also exist. Ones that are being actively researched include a method targeting HTC phones, using a simulated SD Card (software) that would allow for a controlled update to the firmware. By creating a custom firmware, we could gain root access yet not modify the user data. One other technique is reverse engineering the commands available using a USB-to-serial connection. Finally, possibilities exist with JTAG and chip-off techniques; however these are generally too significant an undertaking for most examiners.
The Android community is learning new information about the devices and the operating system each day. The techniques listed above are always evolving and require significantly more research. However, each technique will produce data relevant to an investigation of an Android device.

/ File system and application data analysis
The final, and arguably most interesting, part of a forensic analysis is the detailed examination of the file system, applications and data. Below is a listing of interesting mounted partitions on the G1, which we will briefly review in Table 1.
The sqlite_stmt_journals filesystem is interesting in both its name and type. Presumably, activity on sqlite3 databases (the structured storage option for Android applications) could use this partition to perform operations quickly in RAM. Since Android devices do not have swap space, an analyst would have to image RAM to determine if remnants of important data exist.
The remaining partitions are all YAFFS2. The system partition is read only and is unmodified by the end user unless they have root access.
The cache directory contains cached, unlinked and deleted files. We have recovered images, audio files, thumbnails, metadata (yaffs_ObjectHeaders) from deleted, renamed or updated files and much more. While more research is needed, we know from posts by Google that the /cache directory is used for Gmail attachment previews, downloads of files containing DRM, downloads of applications from the Marketplace and OTA system updates. I'm sure additional analysis will provide a more definitive list.
File carving does work as a brute force method for data recovery. However, far more detail can be gleaned from the partition when taking the YAFFS2 file system structures into account. Unfortunately, this requires deep knowledge of the source code and tedious work in a hex editor. If warranted, though, the additional information recovered is worthwhile. Our current research is focused on fully recreating this metadata, which should allow for full versioned recovery of each file, provided the previous pages in use were not yet garbage collected. I'm sure the power of a suspect's file system with its own version system built in (similar to some benefits of CVS or SVN) is not lost on any examiner reading the article this far.
The final directory is worthy of an entire paragraph; actually an entire chapter of a book. The /data directory has the structure illustrated in Table 2.
The subdirectories in /data/data contain the data from the applications running on the phone. A few examples are shown in Table 3.
DEVICE                 MOUNT POINT            FILE SYSTEM TYPE   OPTIONS
tmpfs                  /sqlite_stmt_journals  tmpfs              rw,size=4096k 0 0
/dev/block/mtdblock3   /system                yaffs2             ro 0 0
/dev/block/mtdblock5   /data                  yaffs2             rw,nosuid,nodev 0 0
/dev/block/mtdblock4   /cache                 yaffs2             rw,nosuid,nodev 0 0
Table 1

/DATA
/anr            Debug info with timestamps from apps running in the Dalvik VM
/app            Application files (.apk)
/dalvik-cache   The .dex files (Dalvik Virtual Machine executables)
/data           Subdirectory per application with associated data including preferences, unstructured files and SQLite3 databases for structured data
/misc           Non-application data, including information about dhcp, wifi, etc. For example, on the G1, /data/misc/wifi/wpa_supplicant.conf contains the Wifi password in clear text
/property       Localization information including country, language, locale and timezone
/system         List of all applications and their permissions (packages.xml), checkin.db which lists many network, system and application events, syncmanager.db which lists results from various Gmail sync applications, and several other files.
Table 2

com.android.browser/                  Contains 7 directories including web icons, Google Gears data, thumbnails, full cache with files and supporting database, cookies, bookmarks, searches and user/pass/form data in clear text
com.android.providers.calendar/       Sqlite3 database with full calendar info (invites, details, date/time, etc.)
com.android.providers.downloads/      Sqlite3 database with downloads for the system. Deleted records can be found with strings or by reverse engineering the format
com.android.providers.im/             Sqlite3 database with IM information including service, user/pass (again in clear text), groups, contacts and more
com.android.providers.telephony/      Sqlite3 (mmssms.db) data for all text messages
com.google.android.apps.maps/         Google Maps search history and suggestions
com.google.android.providers.gmail/   Gmail information including attachments, to/from and full message
com.google.android.street/            Cache of Google Maps street images
com.google.android.youtube/           YouTube info
com.htc.android.mail/                 HTC's ActiveSync mail client. Includes folders synced, emails and temporary files (recovered .jpg attachment). Some of the data is also stored on the SD Card
com.tmobile.myfaves/                  Since this is a T-Mobile G1, contact info is stored here in contact.db. Also, the "calls" table holds call log information
com.twidroid/                         Twitter account info (clear text), messages, thumbnails, etc.
com.web.facebook/                     Facebook account info (clear text)
Table 3
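Why the tables above can say that deleted records are still findable with strings, and what the planned SMS proof-of-concept is up against, as an added example that is not the article's or viaForensics' code: it builds a constructed, deliberately simplified mmssms.db-style sms table (the column set and the sample messages are assumptions), deletes one message the way an application would, and compares what a query returns with what a strings-style scan of the raw file still holds.

```python
import os
import re
import sqlite3
import tempfile

# Assumed, heavily simplified stand-in for the telephony provider's sms
# table; the real mmssms.db schema has many more columns.
SCHEMA = ("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
          "date INTEGER, body TEXT)")

# Constructed sample messages, not data from any handset.
SAMPLE_ROWS = [
    ("+15555550101", 1257894000000, "meet at the usual place at nine tonight"),
    ("+15555550102", 1257894060000, "did you get the package i sent yesterday"),
    ("+15555550103", 1257894120000, "call me back when you land, important"),
]


def build_database(path: str, delete_id: int) -> None:
    """Create the database, insert the sample rows, then delete one row the
    way an application would. secure_delete is forced off so the example is
    deterministic whatever the library default; with it on, SQLite zeroes
    freed cell space and the remnant shown below disappears."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO sms (address, date, body) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE _id = ?", (delete_id,))
    conn.commit()
    conn.close()


def live_rows(path: str) -> list:
    """What the application, and any logical extraction, still sees."""
    conn = sqlite3.connect(path)
    rows = conn.execute(
        "SELECT address, date, body FROM sms ORDER BY _id").fetchall()
    conn.close()
    return rows


def carve_strings(path: str, min_len: int = 16) -> list:
    """Equivalent of running strings over the raw file: printable ASCII runs."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, raw)]


def find_remnants(path: str) -> list:
    """Carved runs that contain no live text value are candidates for deleted
    records sitting in freed cell space. A run can pick up a printable byte
    from the neighbouring cell, so live values are matched as substrings."""
    live = [v for row in live_rows(path) for v in row if isinstance(v, str)]
    return [s for s in carve_strings(path)
            if not s.startswith("CREATE TABLE")
            and not any(v in s for v in live)]


def run_demo() -> dict:
    """Build a throwaway database, delete message _id 2 and compare the
    logical view with the raw file."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    build_database(path, delete_id=2)
    with open(path, "rb") as fh:
        raw = fh.read()
    deleted_body = SAMPLE_ROWS[1][2]
    return {
        "live_bodies": [row[2] for row in live_rows(path)],
        "deleted_body_in_raw": deleted_body.encode("ascii") in raw,
        "remnants": find_remnants(path),
    }


if __name__ == "__main__":
    result = run_demo()
    print("live:", result["live_bodies"])
    print("deleted body still in file:", result["deleted_body_in_raw"])
    print("remnants:", result["remnants"])
```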

/ Conclusion
The Android platform is emerging as a significant force within the fast paced smart phone market. Like other smart phones, the device holds an enormous amount of information about the owner. There are also several methods which a forensic examiner can use to extract information from the phone. However, the platform has several challenges including a fairly effective security model, entirely new file systems and a wide (and ever growing) range of hardware and software leveraged. While we are beginning to understand the details of the Android platform, significant research is still needed. The only way our community can effectively address the Android platform is by pooling our collective knowledge and resources into this complicated device. More information on this topic including updated research, mailing lists and upcoming training can be found at http://viaforensics.com/android. /

Endnotes
1. http://metrics.admob.com/2009/11/october-2009-mobile-metrics-report/
2. http://developer.android.com

/ Author Bio
Andrew Hoog is a computer scientist, computer/mobile forensic researcher and Chief Investigative Officer at viaForensics. His company assists and trains law enforcement and provides innovative digital forensics solutions to corporations and attorneys. He is currently writing a book about Android Forensics and maintains the Android Forensics Wiki at http://viaforensics.com/afwiki.
/ FEATURE

Counter-forensics and the push to stay ahead of the game
Noemi Kuncik and Andy Harbison continue their discussions from issue 1 on how the increasing sophistication in anti-investigation techniques is making life harder for forensics specialists.
/ INTERMEDIATE

It is a well known fact that computer evidence can easily be modified and just as easily deleted. Over many years, in our analysis of computer based evidence, we have very occasionally come across cases where an individual altered documents in an attempt to confuse or mislead our clients, or had deleted large numbers of files in an attempt to prevent them from being read.
These attempts were rarely much of a problem. IT forensic tools are very effective at identifying altered documents and retrieving deleted data when the alteration and deletion is done using conventional means. Until a couple of years ago, we would rarely see sophisticated attempts to dispose of evidence, such as 'file shredding' and 'evidence eliminating' tools. This activity was found only when investigating the activities of highly skilled computer specialists.
But in the last couple of years, things have begun to change. Electronic discovery and IT forensic support of litigation have become far more common, alongside the use by those under investigation of sophisticated 'counter-forensic' techniques to inhibit the recovery of valid evidence from computers. It is now routine procedure to check for data tampering in every case. Consequently, IT forensics specialists have now had to acquire a new set of skills, while at the same time becoming less heavily reliant on the standard forensic applications, some of which counter-forensic tools are designed specifically to subvert.

/ What kinds of counter forensic techniques are there?
There are four broad options open to an individual trying to prevent or inhibit the investigation and analysis of data on a computer. They can simply attempt to destroy the data; or they can try to alter it; they can hide it inside a computer system; or they can try to pre-empt data recovery altogether by preventing it from accumulating in the first place.
To reverse the format, all the investigator need to do is locate
the deleted file table and reconstruct it. This is something a lot
of forensics tools allow investigators to do straightforwardly.
Occasionally, individuals reinstall the operating system after
a format. This can cause some problems because it usually
overwrites the old file table. Nevertheless, deleted files on the
hard drive can still be found, although the process is typically a
lot more difficult and time-consuming.

Defragmentation
When a computer hard drive gets very full, it
becomes difficult for the computer to store large
files on it, and sometimes it is impossible
to store a file in one contiguous space on
the drive. Instead the computer will store
parts of the file in a number of different
locations. The file is said to have been
‘fragmented’.
Data Destruction Fragmentation tends to slow down the
At first glance, it would appear that the best computer a great deal. It means that the hard
solution to dealing with incriminating data is drive has to be searched in a number of dif-
simply to destroy it. Many individuals employ different ferent locations to assemble a file before it can
techniques to fully remove accumulated data from their be loaded in memory. This is particularly problematic because
computers, from simply deleting it conventionally, to using computers routinely use a number of system files which can find
sophisticated ‘evidence elimination’ software, to actually themselves fragmented in this way.
replacing the evidential hard drive. Defragmentation reorganises the hard drive so that all parts of
all files are stored in a single location in contiguous fashion and
File Deletion also concatenates all files on a computer into a single logical area
From the perspective of someone with something to hide, on the disk allowing for a faster file search on the disk. In doing
the biggest problem with file deletion is that computers store this information in many different locations and, in most cases, simple file deletion will do practically nothing to remove it. In the course of normal use, the computer will have created link files and other “tags” in the operating system as well as references in the registry. All these will indicate that files that once were stored on the computer are no longer there. Also, because many computer applications make temporary copies of the files on which they work, deletion is no guarantee that the data stored in a file cannot be recovered.

Reformatting
Many people think that reformatting a drive will destroy everything on it, largely because when they do it, the process sometimes takes some hours to complete. But this is based on a misunderstanding of the formatting process – in fact, it could easily take a forensics investigator less time to reverse the effects of a disk reformatting than it does to carry it out in the first place.

The main action carried out by a format is resetting the hard drive’s file table. This is equivalent to removing all the index cards from a library indexing system. It does nothing to the files on the disk. The format will also look for defects on the surface of the disk (so-called ‘bad sectors’), which it records and maps out. This sweep for bad sectors is time consuming and can cause a format to take hours on a large hard drive. Without this sweep, reformatting will normally take a matter of seconds.

/ Formatting
A full duration format of a 60GB 2.5 inch 5,400 rpm SATA hard drive took around 27 minutes on a recently purchased NT-based forensic workstation. A ‘quick’ format of an identical model disk took around 20 seconds on the same machine.

the computer rewrites and erases files all over the disk, causing disruption to data in the unallocated spaces of the hard drive. These actions are all normal parts of the defragmentation process and are not normally problematic, unless the computer in question is under forensic analysis. Anything that disrupts the unallocated space is very likely to destroy evidential remnants written in those locations. When combined with file deletion it can greatly increase the chance that forensic traces of a deleted file are rendered irrecoverable.

As with file deletion, defragmentation is most likely to be effective in destroying evidence when the disk is nearly full, or when defragmentation is performed a considerable time before analysis occurs. As with file deletion, defragmentation will still leave a lot of trace evidence across a hard drive which will prove that files have been removed. Hence it is of limited effectiveness as a counter-forensic technique.

Furthermore, using a defragmenter is atypical behaviour, and most courts will become suspicious of a defendant who suddenly becomes enthusiastic about defragmenting their computer only when it becomes the likely subject of forensic analysis.
File ‘Shredding’
By performing file shredding, a file is not merely deleted, but overwritten. The data bytes of the file stored on the disk are overwritten with new data, and in most cases the file table entry is also overwritten. File shredders are readily available both for purchase and as free downloads on the Internet.

File shredding is more effective than conventional deletion as some specific data may not be retrieved by forensic analysts. However, it retains many of the other drawbacks of conventional file deletion. It usually does not remove all traces of the erased files. A good investigator should be able to establish which files were on a computer and when they were removed. Hence it is a technique that still holds considerable risks for any defendant who decides to use it.

File shredding can however be used for legitimate reasons such as additional security on a computer for anyone needing to routinely destroy sensitive data.

/ File shredding
If a Word document is shredded in Windows, it might leave link files in the Recent folder, MRU records in multiple locations in the Registry, fragments of any temporary files created during editing (which will themselves contain extensive metadata), and possibly other material in the Pagefile and Hiberfile.

Evidence Elimination
‘Evidence Eliminators’, named after an early example of the type, are software tools that explicitly attempt to remove as much residual data from a computer as possible that might be of interest to a forensic investigator. They are far more effective than any of the techniques already discussed in removing data. Almost all eliminators will include a file shredder, but many will also contain functions that will overwrite empty slack and unallocated spaces, history files, log files and registry settings. The better ones are run from a CD or USB device so as not to leave traces of themselves on the media being “cleansed”. Most of the more effective evidence eliminating applications are commercial, and some of the best can be quite expensive.

Although these methods are more successful, they are far from foolproof and can often rebound on their users. Their principal problem is that they tend to remove too much data. A competent IT forensic analyst will know to expect to find residual data in some locations on any hard drive, such as some file data in the ‘slack’ space and some file fragments in the unallocated space. If this material is not present, an investigator will probably become suspicious. With little work, a good analyst may be able to determine not only that an evidence eliminator has been employed, but when and by whom. Sadly for evidence tamperers, there are few, if any, perfect evidence eliminating applications, so incriminating material can still be left behind.

Disk Wiping
In some circumstances a defendant decides that it is worth their while to destroy evidence regardless of how much upset it might cause. There are plenty of disk wiping tools on the market, many of them free to download, and most are straightforward to use. The use of disk wiping tools will represent a serious contempt of court if undertaken after the subpoena or other notification has been received, and the penalties might be severe.

We occasionally find suspects wiping their disks and reinstalling the operating system, or ‘re-imaging’ their computers – copying the entire contents of another disk drive onto the evidence drive – to disguise the fact that the drive has been erased. The results of such activity are so obvious, however, that it would take a very careless analyst to miss them. Of course, the suspect might claim that they re-image their machine regularly as a matter of course, and that it was not done in response to legal action. This is, however, highly atypical behaviour in most circumstances, and may be looked on with a jaundiced eye by any court.

Theoretically, data from an entirely overwritten disk can be recovered, although there is some argument among computer scientists about this point. Unfortunately the technology needed is beyond the scope of most forensic service providers (the process typically needs a scanning magnetic force microscope) and is inevitably very costly. We will discuss the recovery of erased data in more detail in a later article.

‘Unfortunate Accidents’
Finally, if a suspect can afford the loss, there is no substitute for a well-timed ‘accident’ if they want to plausibly (or semi-plausibly) get rid of an unwanted evidential device. It is a well-known saying in IT security that a five-pound sledgehammer is the best disk wiping tool known to man. Unfortunately some of the people we investigate also discover this fact and apply it to the evidence in their possession.

In the last year, we have seen an evidential laptop ‘accidentally’ dropped down a flight of (concrete) stairs prior to collection, another shaken vigorously while it was switched on (causing a catastrophic drive failure called a ‘head crash’) and a large cup of coffee spilled over a running computer causing the hard drive to short-circuit. In the first two cases, the damage to the evidence was too severe to repair; in the third case we were able to recover the comprehensively incriminating evidence after a hard-drive rebuild.

Not even physical destruction of evidence can guarantee that it will not return to haunt the suspect. On one occasion, the suspect cut up a number of evidential floppy disks with a pair of scissors, assuming that the data would be irrecoverable. In the end the data was brought back by sellotaping the individual pieces of the damaged disks to new intact floppies, and reading the data normally. In this case the suspect was convicted and jailed.

/ Counterfeiting
Another common method of covering up information is to simply change it. It is, of course, perfectly straightforward to modify material stored on a computer, and printed documents show no trace of any modifications that might have been made. When documents are examined in their electronic state, however, recent changes are far more obvious.

Many standard file types by default contain large quantities of metadata (structured information that describes, explains, or locates an information resource) which can provide an evidence trail of any modifications that have been made to the file in the recent past. For example, a Microsoft Word file contains a list of its previous saved names and locations, the last accessed, printed or modified times, as well as the number of edits the file has undergone, the total edit time, and the name of the last editor. Analysing this metadata can often demonstrate that a file has been tampered with.

If a suspicious file is examined in the context of the computer on which it was last edited, even more evidence is potentially available. The operating system preserves a parallel set of metadata against which the internal data can be verified. As discussed above, many applications including Microsoft Office make temporary copies of files under modification as a precaution in case the computer hangs or crashes during the editing process. These temporary files are often useful in tracing the drafting history of any document, and can clearly show up counterfeiting attempts.

Because material can accumulate on the hard drive that can validate or put into question the evidential documents stored on computer systems, IT forensics and electronic discovery specialists greatly prefer copying the entire hard drive of an evidential computer, rather than just the potentially relevant files.

Defragmenting software, already discussed, can also be used as a counterfeiting tool. As discussed, evidence eliminator or file shredder software leaves considerable trace evidence of their use on hard drives. An observant investigator will find large areas of blank or pseudo-randomised data (called ‘data voids’) on the disk which can lead to a finding of deliberate evidence destruction. A defragmenter run may move existing files around the empty spaces of the disk, potentially creating many deleted copies of existing files and thereby ‘repopulating’ the erased areas of the unallocated spaces. This will make it a lot more difficult for an investigator to recognise that evidence eliminating software has been used.

Fortunately, using the defragmenter can be seen as evidence destruction in its own right, and an experienced forensic investigator should be able to demonstrate that it has been used – and, crucially, that the use of the defragmenter is exceptional on the evidential computer. A standard defence used by individuals using the defragmenter is that they use it habitually to improve the performance of the computer. The defence is given strength by the fact that Microsoft has published technical documents stating that regular defragmentation is good practice (it is, but in most cases it is something that needs to be done on an annual or semi-annual basis rather than, for example, weekly). Recent Microsoft operating systems also run defragmentation software automatically as part of normal operations, so investigators need to be able to tell automatic and manually initiated defragmentation runs apart.

Users attempting to ‘counterfeit’ empty space have other options. One is to make copies of large folders on the computer and then delete them. This will show up clearly on the computer if the investigator is looking for it. Another option is to visit large numbers of web-pages using the web-browser, which will fill the empty spaces with browser cache remnants, or to download large media files from the Internet. The disadvantage with these approaches is that if the counterfeiter is not normally a heavy user of the web, or is not a regular downloader, this behaviour will appear anomalous to an investigator and will encourage them to pay particular attention to it.

/ Hidden in plain sight
Computer graphics formats can display many more colours than the human eye can discern. Limited sensitivity means the human eye cannot differentiate between more than a few tens of thousands of colours. This means that we simply cannot see the difference between a 64,0,0 red pixel and a 65,0,0 red pixel, or a 100,100,0 yellow pixel and a 101,101,0 yellow pixel. Written in binary numbers, 64 is 01000000 and 65 is 01000001. You can see that in the case of red bytes (or those of other colours) it doesn’t matter whether the right-most or ‘least significant bit’ in each byte is a 0 or a 1. The eye cannot tell. This data is redundant. Across the spectrum, this means that each pixel in an image has 4 bits of redundant data that can be used for something else, one in the red byte, one in the green and two in the blue. Two pixels between them have 8 redundant bits – a redundant byte. An image may be made up of thousands or millions of pixels, and so may contain kilobytes or even megabytes of redundant data. This is more than enough to hide something else – invisibly. If you were to change this data for, say, a Microsoft Word file, the picture file would stay the same size, and the picture itself would show no discernible change, yet the Word file would be present and completely recoverable. Some sound and movie file formats may contain redundant data in a similar way, and movie files can be gigabytes in size.
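The bit budget the ‘Hidden in plain sight’ box describes (one redundant bit in red, one in green, two in blue), worked through as an added example that is not part of the article: an embedder and extractor over plain (r, g, b) tuples, with a check that no channel value moves by more than 3 and that running the extractor against an unmodified image yields nothing plausible. The constructed gradient image and the 4-byte length prefix are assumptions of this example, not anything the article specifies.

```python
import struct

# Added example, not the article's code. Hidden bits are written in the order
# the box describes: red LSB, green LSB, then the two low bits of blue.
BITS_PER_PIXEL = 4
LENGTH_PREFIX = 4  # bytes; the payload length goes first so extract() knows where to stop


def capacity_bytes(num_pixels):
    """Largest payload (after the length prefix) that num_pixels can carry."""
    return num_pixels * BITS_PER_PIXEL // 8 - LENGTH_PREFIX


def _byte_bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _pixel_bits(pixels):
    """Read the low bits back out in the same order embed() wrote them."""
    for r, g, b in pixels:
        yield r & 1
        yield g & 1
        yield (b >> 1) & 1
        yield b & 1


def embed(pixels, payload):
    """Return a copy of pixels carrying payload in the low bits; pixels past the payload are untouched."""
    if len(payload) > capacity_bytes(len(pixels)):
        raise ValueError("payload larger than the image's redundant bits")
    framed = struct.pack(">I", len(payload)) + payload
    bits = list(_byte_bits(framed))  # 8 bits per byte, so every 4-bit chunk below is full
    out = list(pixels)
    for i in range(0, len(bits), BITS_PER_PIXEL):
        r, g, b = pixels[i // BITS_PER_PIXEL]
        b0, b1, b2, b3 = bits[i:i + BITS_PER_PIXEL]
        out[i // BITS_PER_PIXEL] = ((r & ~1) | b0, (g & ~1) | b1, (b & ~3) | (b2 << 1) | b3)
    return out


def _read_bytes(bit_iter, count):
    out = bytearray()
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | next(bit_iter)
        out.append(value)
    return bytes(out)


def extract(pixels):
    """Recover a payload written by embed().

    Raises ValueError when the length prefix cannot fit the image, which is
    what an analyst sees when an image carries nothing in this framing.
    """
    bits = _pixel_bits(pixels)
    (length,) = struct.unpack(">I", _read_bytes(bits, LENGTH_PREFIX))
    if length > capacity_bytes(len(pixels)):
        raise ValueError("length prefix %d exceeds capacity: no payload in this framing" % length)
    return _read_bytes(bits, length)


def max_channel_delta(original, modified):
    """Largest change embedding made to any channel value; at most 3 (two low bits of blue)."""
    return max(abs(a - b) for p, q in zip(original, modified) for a, b in zip(p, q))


def sample_image(width=64, height=64):
    """Constructed gradient standing in for a photograph (not real image data)."""
    return [(x % 256, y % 256, (x + y) % 256) for y in range(height) for x in range(width)]


if __name__ == "__main__":
    cover = sample_image()
    secret = b"constructed sample: stands in for the contents of a small document"
    stego = embed(cover, secret)
    print("capacity %d bytes, payload %d bytes" % (capacity_bytes(len(cover)), len(secret)))
    print("largest channel change:", max_channel_delta(cover, stego))
    print("payload recovered intact:", extract(stego) == secret)
```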
Evidence counterfeiting does not just end with the use of word-processors and web-browsers. In one case the person under investigation decided to swap their entire hard drive with a new unit, set the clock on their computer back three years, install the operating system, then set the computer forward in time again. This gave the impression of a computer set up three years in the past and not used thereafter. The subject claimed that the computer had barely been used, and there was no data of relevance on it. The subject, however, neglected to observe that the manufacturing date of the replacement hard drive was two years later than their fictional ‘installation’ date, which shattered the credibility of their testimony.

/ Data Hiding
Hiding data is perhaps the least obvious counter-forensic strategy, but is more common than is widely appreciated. It relies on the belief that investigators typically have a limited amount of time or resources to devote to a single investigation, and an enormous amount of material to search through. Modern computer hard drives are huge, capable of storing the data equivalents of millions of printed books – for example, the entire printed collections of the US Library of Congress, estimated at 10 Terabytes by the University of California at Berkeley, can in principle be stored on a few, cheap, high-capacity hard drives (a 1 TB hard drive costs, at time of writing, around £65). So it is entirely practical to hide data on a modern computer or network. If the location or nature of a file is sufficiently obscured that commonly used data searching techniques will not detect it then data has been successfully protected against discovery by an investigator.

The disadvantage of data hiding is that the hidden data still remains on the evidential computer or network and a skilled, diligent or lucky investigator may still bring it to light. Among the approaches we have seen in the past have been:

Relocation of data
The simplest way of hiding data is to move it to a separate storage location that may not be examined by an investigator. The disadvantage to this approach is that computers often record instances of data transfer in automated logs, potentially tipping off an investigator that data has been moved. Computers also typically update their system logs whenever a data storage device is connected to a computer, another way in which an investigator may spot that something is amiss.

Modification of file extensions
Different types of computer files can normally be identified by their (usually three letter) ‘file extension’ at the end of their file name, such as .xls for an Excel file. One of the oldest methods of hiding a file from scrutiny is to alter its file extension. For example, to hide a JPEG graphics file an individual might alter its extension from .jpg to .exe, making it appear to be a program file rather than a picture. Windows identifies files by their file extension and will not, for example, open a picture file unless its file extension identifies it as such.

Fortunately, most modern forensic applications allow investigators to ‘signature analyse’ all the files on an evidential computer to make sure that their file extensions match their actual file types. Most forensic investigators will do this routinely as part of any investigation, and will pay close attention to files whose signature doesn’t match their file extension. The signature is often based on values of the first few bytes of a file (sometimes referred to as the “file header”), and occasionally the last few bytes as well. These are often standard to a particular file format, e.g. the first 10 bytes of a JPEG file are always FF D8 FF 60 00 10 4A 46 49 46, and D0 CF 11 E0 are always the first 4 bytes of a Microsoft Word .DOC document.

Cloaking of data
Data is compressed, encoded or encrypted so that it is not found using standard search approaches such as keyword searches. Cloaking is far from foolproof, however, because the more effectively data is cloaked, the more obvious the fact of the cloaking becomes to an investigator.

For example, zipped files are very common on evidential computers, but provide very little protection for the data residing in them. Conversely, encrypted files are usually very difficult to open without their encryption keys and are good protection for the data stored within them. However, these are relatively infrequent on evidential computers, and when found diligent investigators will pay special attention to them.

Encapsulation of data
The most effective way of hiding data is to render it ‘invisible’ – to obscure the fact that the hidden data even exists. Encapsulation hides files inside other larger files, making the presence of the hidden file difficult or impossible to detect. The two most effective approaches involve Steganography and Streaming.

Steganography (from the Greek for “hidden writing”) is a topic that has had entire books devoted to it. In computer terms it involves replacing the redundant data in a file with the data you wish to hide. For example, documents can be hidden in graphics files by making use of the fact that modern graphics formats can display many more colours than the human eye can actually discern (see box). Such hidden files are exceptionally difficult to spot. Steganographically hidden files are typically only detected when the user of the technique is careless enough to keep the program that performs the steganography on the evidential computer, tipping off the investigator to the fact that such files may be present.

Streaming is less complicated. Some operating systems allow users to associate more than one file with a single file table entry. Computer scientists refer to this process as ‘streaming’ files. (This term is most often associated with NTFS.) Most forensic tools will only display one file associated with a file table entry. Any other files are essentially ‘hidden’ to the forensic investigator, lost in the unallocated spaces of the hard drive. They may still be spotted by keyword or other searches, but files can be compressed or encoded before streaming, rendering such techniques useless. Hackers often use streaming to hide their tools on systems they have broken into.
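The signature analysis described under ‘Modification of file extensions’ above, as an added example that is not the article’s code: a small magic-number table compared against each file’s extension, run over constructed sample headers. It checks only the three-byte SOI prefix FF D8 FF that every JPEG shares, since the byte after it depends on the application segment (E0 for JFIF, E1 for Exif), and it treats the D0 CF 11 E0 signature as the OLE2 container shared by .doc, .xls and .ppt rather than as Word-specific; the sample file names and headers are constructed, not taken from any case.

```python
import os

# Added example, not the article's code. Each format lists (offset, bytes) rules
# that must all match, plus the extensions a file with that signature may
# legitimately carry. The signatures are the public, well-known ones.
SIGNATURES = {
    "jpeg": ([(0, b"\xFF\xD8\xFF")], {".jpg", ".jpeg"}),
    "ole2": ([(0, b"\xD0\xCF\x11\xE0")], {".doc", ".xls", ".ppt", ".msg"}),
    "png":  ([(0, b"\x89PNG\r\n\x1a\n")], {".png"}),
    "gif":  ([(0, b"GIF8")], {".gif"}),          # covers GIF87a and GIF89a
    "zip":  ([(0, b"PK\x03\x04")], {".zip", ".docx", ".xlsx", ".jar"}),
    "pe":   ([(0, b"MZ")], {".exe", ".dll", ".sys"}),
    "pdf":  ([(0, b"%PDF-")], {".pdf"}),
}

HEADER_LEN = 16  # enough bytes for every rule above


def identify(header):
    """Names of every known format whose header rules all match."""
    hits = []
    for name, (rules, _exts) in SIGNATURES.items():
        if all(header[off:off + len(sig)] == sig for off, sig in rules):
            hits.append(name)
    return hits


def classify(filename, header):
    """Compare a file's extension with what its header says it is.

    Returns "match" when the extension is legitimate for the detected format,
    "mismatch:<format>" when the header says one thing and the name another,
    or "unknown" when no listed signature fits (plain text, an unlisted or
    damaged format). "unknown" means "not covered", never "innocent".
    """
    ext = os.path.splitext(filename)[1].lower()
    formats = identify(header)
    if not formats:
        return "unknown"
    if any(ext in SIGNATURES[fmt][1] for fmt in formats):
        return "match"
    return "mismatch:" + "/".join(formats)


def read_header(path, length=HEADER_LEN):
    """Read the first bytes of a real file on disk for classify()."""
    with open(path, "rb") as fh:
        return fh.read(length)


def triage(entries):
    """Run classify() over (name, header) pairs; return everything worth a closer look."""
    flagged = []
    for name, header in entries:
        verdict = classify(name, header)
        if verdict != "match":
            flagged.append((name, verdict))
    return flagged


# Constructed sample headers (not taken from any real case).
JPEG_HDR = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
OLE2_HDR = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
SAMPLE_FILES = [
    ("holiday.jpg", JPEG_HDR),                 # genuine picture
    ("setup.exe", JPEG_HDR),                   # picture renamed to look like a program
    ("budget.xls", OLE2_HDR),                  # genuine OLE2 spreadsheet
    ("notes.txt", b"Meeting notes for Monday"),
    ("draft.doc", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),  # zip container carrying a legacy name
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES):
        print("%-12s %s" % (name, verdict))
```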

/ Pre-emption
This technique involves stopping the evidence accumulating on a computer or network in the first place. In many cases it is difficult to stop computers from accumulating forensically useful material, as this would disrupt the normal operation of the computer. However, there are some pre-emptive methods that can be quickly accessed, and one of them is switching off the browser cache functionality on the Internet browser software. In most cases switching off this functionality does not stop the computer downloading or storing the data; however, it ensures data is deleted when the browser leaves the web-site or is shut down. This means that some forensically recoverable data is stored on the computer, but in a form that is considerably more fragmentary and ephemeral than might otherwise be the case.

Pre-emption techniques are commonly used by computer hackers. Some tools such as U3 pens – USB thumb drives with complete suites of office and technical tools – are designed to prevent any data accumulating on a hard drive. Another approach is to run the computer using an operating system loaded from a bootable CD or DVD instead of the operating system on the hard drive. These ‘CD Distros’, as they are known, prevent anything being written onto a hard drive.

The problem with this pre-emption is that it is atypical behaviour. Ordinary users normally don’t reorganise their disks to minimise slack data, or switch off the browser cache, usually because it makes the computer perform less efficiently. Similarly, most computers collect logging information by default, and even the largest logs fill only the tiniest fraction of the hard drive’s total storage capacity. There is no practical reason to turn them off other than to hide your activity on the computer.

Hence the problem! Pre-emption is inherently suspicious behaviour. It will tell the investigators that something ‘fishy’ is going on and will encourage them to look at the computer in a great deal more detail.

/ Conclusion
Counter-forensic tools have become both more common and easier to use. Counter forensics has for years been a problem in the field of hacking investigations, largely because the malefactors are usually highly IT literate and are well aware of the kind of trace evidence their hacking tools are likely to leave behind. Although many counter-forensic techniques exist and in recent years the most powerful and complex such tools have been written by hackers for hackers, none of these methods guarantee to eliminate all evidence of their use and they are more likely to leave some traces of their use on computers, networks and servers.

Every method used to destroy evidence, once found, entails a risk to the individual doing the destruction. Any attempt to destroy evidence indicates that there is something to hide, and is likely to destroy the credibility of the side that does it. There are few pieces of evidence that can be found on a computer that are more damaging than a finding of evidence tampering. That being said, particularly in criminal cases, the penalty for evidence tampering may not be as severe as being caught with the original evidence, so an incentive to tamper remains. Either way, the role of the investigator remains crucial to a successful prosecution. /

/ Author Bios
Andy Harbison is a Director and IT Forensic Lead; he holds a BSc in Electronic Engineering and MScs in Business Administration and Information Technology. Andy also lectures at University College Dublin, the Law Society of Ireland and Dublin City University, has written articles on computer fraud, electronic litigation and data privacy, and is a regular speaker at conferences.

Noemi Kuncik is an IT Forensics Specialist and has a BA (Honours) degree in Computer Science and a Master’s in Computer Science and Informatics from University College Dublin. Noemi has worked with Interpol investigating online child exploitation and is researching the use of data mining applications and techniques in conjunction with Digital Forensic Investigations.

Both work for the Forensic Investigation Services at Grant Thornton in Dublin, Ireland.
/ FEATURE

FROM EVIDENCE COLLECTION TO THE COURTROOM
Introduction to Digital Forensics
by George Bailey

Just imagine you’re a system administrator for a mid-sized company and you are awoken by your pager at 3am. You call the night operator who is frantically stating, “We’ve been hacked, we’ve been hacked!” You rush into the office to discover that someone has defaced the company web site. The perpetrators apparently hacked into the web server and have displayed their politically charged message all through the web site. To determine the extent of the intrusion, you start to look through firewall and web server logs. Clearly a crime has been committed here, so you call the police. The dispatcher advises you not to touch anything and says that she will send a uniformed officer and a digital forensic investigator. You ask yourself, “Digital forensic investigator, what’s that … ?”

This article is an introduction to digital forensics. It discusses the collection, examination, and presentation of digital evidence relating to computer-aided crimes.

/ What is Digital Forensics?
Digital forensics is the art and science of acquiring digital evidence from electronic devices. A more formal definition is “the application of computer investigation and analysis techniques in the interests of determining potential legal evidence” (Nelson, Phillips, Enfinger, & Stewart, 2004). Digital evidence can be anything from copies of entire hard drives, to individual files, or Internet browsing history. Essentially digital evidence is any information of probative value that is either stored or transmitted in a digital form (SWGDE, 2007). The most common devices of interest are personal computers; however, there is an increasing need to examine portable devices such as mobile phones, personal digital assistants (PDA), media players such as iPods, and game consoles like Sony’s PlayStation Portable (PSP). If any type of device has the capability to transmit, process, and store data then odds are it will feature in an investigation at some point.

The digital forensic investigator is a computer crime specialist who is trained in proper evidence collection and handling techniques to ensure accurate and competent findings. The investigation is an iterative process. It involves repeatedly acquiring and analyzing data until a decision can be reached about the evidence in question.

Like traditional forensic investigations, those involving digital evidence must follow a rigorous protocol in order to maintain a high degree of integrity, reliability, and legality.

Computer data can be extremely volatile and the mere act /The investigative process
of opening a file can change certain characteristics; these The investigative process involving digital evidence starts
changes can taint the evidence and make the data inadmis- in a similar way to traditional crime scene investigations.
sible in a court of law. The investigative process should avoid The physical surroundings of the computer are secured and
changing any data on the suspect system (G8, 2004). Once clearly documented (NIJ, 2001). Photographs of the area
data has been altered, reasonable doubt arises as to whether should be taken before anything is touched. The computer is
the contents of the data are admissible. The techniques used generally photographed from several angles. Cables connect-
by digital forensic examiners will be questioned in court, so ed to the computer are labelled to document the computer’s
the results must be reliable. hardware components and how they are connected. Once
the scene has been documented, active data collection
can commence.
The steps taken to discover
/ Collecting Evidence
evidence must be thoroughly Collecting evidence is the first step in the digital forensic
documented and repeatable investigation process. Depending on the case, evidence may
by an unbiased third party. be collected from multiple sources including the suspect’s
personal computer, mobile phone, hand held devices, and
Regardless of whether any available media such as floppies, CDs, or flash memory.
a crime occurred, the Because evidence can be stored in so many places, law en-
forcement is learning to request the search and seizure of all
investigation process electronic devices.
must be legal Traditionally, digital forensic examiners will take a bit
stream image of each device. A bit stream image is an exact
copy of the storage medium – most often a hard disk. The bit
The steps taken to discover evidence must be thoroughly stream image copies the entire contents of the drive, while
documented and repeatable by an unbiased third party. also capturing deleted files, temporary files, and any evi-
Regardless of whether a crime occurred, the investiga- dence that may still remain in slack space (ISFS, 2004). Slack
tion process must be legal. The Fourth Amendment to the space is a term used to denote storage space that has been
US Constitution lays down how searches and seizures allocated to a file, but isn’t currently being used. For example,
of physical evidence are to be handled, and under many a file may be allocated 512 bytes of disk space but only be
circumstances searches and seizures of digital evidence consuming 200 bytes at present; this leaves 312 bytes of slack
must follow the same rules (Kerr, 2006). In contrast to the space. Remnants of data can reside in slack space until it is
high-handed procedures we often see in fictional TV shows, overwritten with other data.
search warrants must be very explicit about what can be The growing size of hard drives is making it more difficult to
searched and the type of evidence that is being searched for. create full bit stream images of suspects’ disks. In some cases
Unless evidence is in plain sight when a search is exercised, partial images or selective data gathering may be sufficient.
it may not be admissible unless it is indicated in the warrant. Some recent research advises against capturing full images
There have been cases in which examiners conducting an in- because they are resource intensive, costly, and prolong the
vestigation into one suspected offence discovered evidence investigative process; in the end full image examinations may
of another crime. For example, an investigator was examin- not add any value to an investigation (Kenneally & Brown,
ing a personal PC looking for evidence of drug trafficking and 2005). This is a judgment call that should be left to an experi-
discovered child pornography. At that point the examiner enced digital forensic investigator.
stopped looking for evidence related to the drug trafficking The state of the system is important to note. If a system
offence and focused on discovering all instances of child is running, the investigator will more than likely
pornography. But because it was out of the scope of the try to perform a live capture of the system. A
search warrant, the discovered child pornography was live capture entails a memory dump (a
not admissible (Kerr, 2005). bit stream image of RAM), and

26 Digital / ForensicS
documenting all running processes and network connections (Adelstein, 2006). Documentation of who is logged in and a general survey of the computer is also performed during a live capture. This type of evidence is very volatile and may not be available in a bit stream image of the system. During a live capture the investigator has to be very careful not to alter the system or modify any data. Some investigators forego live capture because of this risk. If the system was powered off prior to documenting these characteristics, important evidence could be lost. If the system is found in a powered off state, the investigator will leave it powered off (Forcht, 2004). Changing the running state of the computer can have dire effects on data collection. The computer could have a booby trap configured to delete files if it is not started in a particular way. Booting the computer could bring into play additional password protections that the investigator will have to work around, as well as encryption and other security mechanisms.

All media must be labelled and properly stored and protected. The chain of custody is extremely important in forensic examinations, especially since digital evidence is very susceptible to damage (NIJ, 2001). Leaving a hard disk containing a bit stream image of a suspect’s computer in a hot vehicle could render it useless. Exposing the media to electromagnetic fields could cause full or partial deletion of evidence.

Once evidence has been collected and properly stored, it must be analyzed for probative value. The analysis phase is generally performed in a controlled environment such as a crime lab or computing facility.

/ Extracting Evidence
Back in the lab the evidence collected at the scene is searched, catalogued, and documented. The bit stream copy made at the crime scene may be duplicated so that the examiners can be sure of not contaminating or damaging the evidence during the analysis phase. If the original system was seized, it will be secured along with any other physical evidence, so that the original evidence will remain intact and available in case additional images from the source are required. Any evidence either incriminating or exonerating a suspect is compiled in a formal report for the prosecutor’s office. During the evidence extraction and analysis phase the bit stream image is examined using a variety of methods. Depending on the type of evidence sought, the investigator will perform keyword searches, compile thumbnail libraries of all stored images, and look for evidence in various forms of communications including e-mails, instant messaging, and stored documents. In short, all exposed data should be examined for clues. Evidence can also be located in the type of software installed on the computer. For example, if a suspect is accused of controlling a botnet, more than likely there will be hacker tools and other remote control software installed on the system, along with evidence of their usage.

Special programs (e.g. EnCase, FTK, and P2) can be used to recover deleted files and to reconstruct files from slack space. If a suspect is paranoid, evidence of wrongdoing may be deleted; however, with special forensic tools such data can be recovered.

Hash libraries are created of all the evidence collected. A hash is a short value calculated from digital data that serves to distinguish it from other data (Arms, 2000). Because a “hash collision” (obtaining the same hash value for different files) is mathematically very unlikely, this technique is used to confirm that data has not been tampered with. The computed hashes can be compared to the original evidence to show that data has not been altered in any way during the examination. Any and all evidence discovered during the analysis phase must be preserved so that it can be admissible in court.

/ Preserving Evidence
As soon as the investigator begins work, he must maintain a strict chain of custody. The chain of custody documents that the evidence was under strict control at all times, and no unauthorized person was given the opportunity to corrupt the evidence. The first rule of digital forensics is not to alter the data. In the rare cases when alterations are required to perform certain searches, the steps taken and the reasoning behind them are thoroughly documented. A chain of custody includes documenting all the serial numbers of the systems involved, who handled and had custody of the systems and for what length of time, how the computer was shipped, and any other steps in the process (NIJ, 2001). In short, a chain of custody is a detailed document describing where the evidence was at all times (SWGDE, 2007). Gaps in this chain of custody can result in severe legal consequences.
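The hash library and verification step described above, as an added example that is not part of the original article: it records two independent digests (MD5 and SHA-256) for every collected file, then re-verifies the set and reports which files were altered, lost or added. The evidence file names and contents are constructed for the demonstration.

```python
"""Build and verify a hash library for collected evidence files.

Added example, not from the original article. Evidence file names and
contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Two independent digests are recorded per file: MD5 (still common in
# evidence manifests) and SHA-256 (collision-resistant by today's standards).
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, streamed in chunks so
    that multi-gigabyte bit stream images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_hash_library(evidence_dir):
    """Hash every file below evidence_dir. Keys are paths relative to the
    evidence root so the library stays valid after the files are copied."""
    evidence_dir = Path(evidence_dir)
    library = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        library[rel] = {"size": path.stat().st_size, **hash_file(path)}
    return library


def verify_hash_library(evidence_dir, library):
    """Re-hash the evidence and classify each file as ok, altered, missing
    (in the library but no longer on disk) or unexpected (on disk but never
    recorded). Lists are sorted so reports are reproducible."""
    evidence_dir = Path(evidence_dir)
    report = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for rel, expected in library.items():
        path = evidence_dir / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        algorithms = [name for name in expected if name != "size"]
        actual = hash_file(path, algorithms)
        unchanged = (path.stat().st_size == expected["size"]
                     and all(actual[a] == expected[a] for a in algorithms))
        report["ok" if unchanged else "altered"].append(rel)
    for path in evidence_dir.rglob("*"):
        rel = path.relative_to(evidence_dir).as_posix()
        if path.is_file() and rel not in library:
            report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed walk-through: hash a small evidence set, then simulate
    three things that should never happen to evidence and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "disk.dd").write_bytes(b"\x00" * 4096 + b"constructed bit stream image")
        (root / "memory.raw").write_bytes(b"constructed RAM dump")
        (root / "note.txt").write_bytes(b"abc")  # standard digest test vector
        library = build_hash_library(root)
        before = verify_hash_library(root, library)

        # 1. a single byte of the disk image changes during examination
        with open(root / "disk.dd", "r+b") as fh:
            fh.seek(10)
            fh.write(b"\x01")
        # 2. the memory dump goes missing
        (root / "memory.raw").unlink()
        # 3. a file nobody documented appears in the evidence folder
        (root / "stray.tmp").write_bytes(b"undocumented")
        after = verify_hash_library(root, library)
        return {"library": library, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for name, findings in result["after"].items():
        print(f"{name:10s} {findings}")
```

A one-byte change in a 4 KB image is enough to flip both digests while the file size stays identical, which is why the size check alone is never sufficient.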

/ FEATURE

/ Verifiable Procedures
The goal of the forensic investigator is to discover the truth. As Grissom would say on the popular TV show CSI, “the evidence doesn’t lie”. However, the procedures used to collect, analyze and preserve data can result in evidence not being admitted in court. Forensic examiners must follow the law, and then they must take a methodical approach to handling evidence so that the process can be repeated by the defence if needed. In many cases the defence lawyer’s only avenue is to attack the forensic investigation process looking for flawed techniques or an inappropriate chain of custody. To obviate any such objections, examiners take painstaking steps to “dot every I and cross every T”.

/ Presenting the Evidence
Presenting evidence in a court of law is just as important as unearthing it during the analysis phase. To compile a report for the prosecutor’s office showing strong evidence of criminal activity is one thing; to explain what the bits and bytes mean to a jury of lay men and women is another thing altogether. To begin with, the results of a forensic examination must be relevant, credible and competent; this will assist decision-makers in their task (Palmer, nd). The legal system is not as “technology savvy” as forensic examiners would like. For every expert witness testifying to the truth of the findings, there will be another expert who will cast doubt on the collection and analysis processes used. When a forensic examiner gets the opportunity to testify in court, she must be very careful to keep technical jargon to a minimum. If the jury is confused, or doesn’t understand the science behind the investigation, it will be difficult for them to pass judgment. Forensic examiners may be tempted to add their personal opinions to the evidence they have discovered, but they should resist this urge. Their job is to reveal evidence of probative value, not to cast judgment or cloud the issue with personal biases.

/ Conclusion
Digital forensics is the application of art and science to reveal, preserve, and present evidence of probative value stored on electronic devices. As the proliferation of electronic devices continues, it becomes more probable that some of them will be used to commit fraud, deception, and general lawlessness. As criminals move to the digital era, the need for forensic examinations will increase. Like technology in general, digital forensics is an ever-changing field requiring constant updates and advances. As the state of the art moves on, so will the forensic techniques, processes and tools used to glean evidence from electronic devices. /

References
Adelstein, F. (2002, August 2002). The mobile forensic platform. Paper presented at the Digital Forensic Research Workshop, Syracuse, NY.
Adelstein, F. (2006). Live Forensics: Diagnosing your system without killing it first. Communications of the ACM, 49(2), 63-66.
Arms, W. (2000, December 2002). Digital Libraries: Glossary. Retrieved Oct 8, 2008, from http://www.cs.cornell.edu/wya/diglib/MS1999/Glossary.html
Forcht, K. A. (2004). Legal Methods of Using Computer Forensics Techniques for Computer Crime Analysis and Investigation. Issues in Information Systems, 5(2), 692-698.
G8. (2004). Best Practices for Network Security, Incident Response and Reporting to Law Enforcement. Washington: Department of Justice.
ISFS. (2004, April 2004). Computer Forensics: An Introduction to Computer Forensics. Retrieved Sept 2, 2008, from http://www.isfs.org.hk
Kenneally, E. E., & Brown, C. L. T. (2005). Risk sensitive digital evidence collection. Digital Investigation, 2005(2), 101-119.
Kerr, O. S. (2005). The Fourth Amendment and the Computer Forensic Process: George Washington University Law School.
Kerr, O. S. (2006). Searches and seizures in the Digital World. Harvard Law Review, 119.
Nelson, B., Phillips, A., Enfinger, F., & Stewart, C. (2004). Guide to Computer Forensics and Investigations. Boston: Thomson.
NIJ. (2001). Electronic Crime Scene Investigation: A Guide for First Responders (No. NCJ 187736): National Institute of Justice.
Palmer, G. L. (nd). Forensic Analysis in the Digital World. Retrieved Aug 20, 2008
SWGDE. (2007, November 2, 2007). SWGDE and SWGIT Digital & Multimedia Evidence Glossary. Retrieved Sept 10, 2008, from http://www.swgde.org/documents/swgde2008/SWGDE_SWGITGlossaryV2.2.pdf

/ Author Bio
George Bailey is an IT security professional with over 15 years of experience. George is currently employed at Ivy Tech Community College as the senior security engineer. George’s role at Ivy Tech relates to IT policy formulation, security architecture, and risk assessment. His areas of expertise include network security, remote access, wireless security, and digital forensics. George has presented at many security conferences and is routinely published in academic journals. George currently holds the Certified Information Systems Security Professional (CISSP) credential, among other IT security related certifications. He has BS and MS degrees in Technology and is actively pursuing a PhD at Purdue University.

/ FUTURE ISSUES

COMING SOON…
A Roundup of features and articles for future issues

We are already busy planning future issues of Digital Forensics Magazine and here is just a taster of what is in store:

/ Time For Forensics


We will investigate the general nature of the recording
of time, how this impacts on computer systems and how
the forensic analyst can interpret the resultant data. Time
stamps can be fertile ground for cross-examination because
these are something lawyers can understand perhaps more
readily than complex data structures.

/ Mobile Phone Analyser Comparison


We will be delving into the world of the Mobile Phone
Analysers and comparing MSAB’s XACT with CelleBrite’s
Physical Analyser - these solutions are now the most
popular solutions in the arsenal of a mobile phone
forensic lab.

/ Do You Have A Story To Tell


Do you have an interesting case study, research paper, tool or
technique that you think our readers would be interested in?
Find out how on page 81.

/ More Features on the Website


We are adding more and more feature articles to the
subscribers area of the website along with other news and
information relating to Digital Forensics. So do not forget
to visit www.digitalforensicsmagazine.com for all the latest
news on Digital Forensics.

On the legal side we’ll continue to look deep into the role of expert witnesses and the impact of varying legislation on cross-jurisdictional boundaries. We’ll also analyze the forensic investigator’s relationship to eDiscovery and what the forensic mindset can contribute to the development of this booming new sector. Also, we’ll take a look at the impact of cloud computing on how we investigate cybercrime. Our “In The Lab” section will introduce the topics of live memory forensics and security visualisation (looking at data patterns and relationships).

The Magazine has access to a large and rapidly growing community of practitioners and academics, whose knowledge we encourage you to tap. Just ask our virtual team of experts for answers to the questions and problems you are encountering. (See the Reader’s Letters section for details on how to pose your questions). You can submit proposals by going to our website on www.digitalforensicsmagazine.com

NEXT ISSUE PUBLISHED MAY 2010

Forensic Trade Shows, LLC and The New York Metro InfraGard are proud to announce:

The Computer Forensics Show
April 19-20, 2010
7 W NEW YORK Convention Center, New York City, NY

For some companies, it is not a question if one of their computers will be used as evidence in a legal matter; it is a question of when. Like it or not, every computer is a potential crime scene and must be treated with care.

Today’s business environment continues to become more and more complex with strict regulatory and compliance requirements, increased scrutiny and the ever-present threat of litigation. Because most information today is created and available only in an electronic format, electronic data and the ability to properly address it in a defensible manner is increasingly critical. IT Security and Computer Forensics are vital to any individual, company, or law practice dealing with sensitive information stored on digital media.

The Computer Forensics Show will meet the needs of industry professionals by providing detailed information regarding the changes and advancements in the IT security marketplace. The event will highlight exhibits from some of the leading companies in the industry, complemented by a comprehensive conference program with the involvement of well known companies in the computer forensics industry.

Our conference will provide attendees with important information about the latest technological advancement, ideas and practical information available today. Conference participants will learn how the computer forensics science could successfully save organizations millions in litigation costs and, in some cases, its reputation.

The Computer Forensics Show conference will focus in-depth on topics of interest to legal, risk management, and accounting professionals, as well as the IT sector, and features six conference tracks including:

Track 1
Legal (A) – EDD, including Litigation and Best Practice Issues.

Track 2
Legal (B) – Emerging Technologies/Litigation, Data/Records Management, Reporting, and Privacy.

Track 3
IT Security – For organizations that are just beginning to encounter security issues and deals with more broad issues affecting organizations today.

Track 4
IT Security Advanced Track – Encompasses more complex and in-depth issues and can highlight the need for additional training.

Track 5
Forensic Accounting – Fraud, Financial Investigations, Compliance, Best Practices, Litigation. Forensic accounting is the number one growing field in accounting today.

Track 6
InfraGard Track / Cyber-crime, terrorism, and information warfare. Cyber crime and terrorism as it relates to Homeland Security, public and corporate policy, risk management, and the protection of our nation’s critical infrastructures.

/ About InfraGard
InfraGard is a partnership for the protection of our nation’s critical infrastructures from terrorism and related criminal activity through information sharing and analysis. It is a collaborative effort between the Federal Bureau of Investigation (FBI), other Federal, state and local law enforcement, government, academic, and private sector experts focusing on physical and cyber security, and risk management.

The InfraGard National Members Alliance today is a network of 85 InfraGard Members Alliances with over 33,000 FBI-vetted industry professional volunteers serving as critical infrastructure subject matter experts in one or more sectors. More information about the InfraGard National Members Alliance may be found at http://www.infragardmembers.org/

The New York Metro InfraGard Members Alliance, a not-for-profit corporation, fulfills the InfraGard mission in the greater NY City area. They provide a unique capability within the InfraGard network to broadcast training and educational content to all InfraGard members and other qualified professionals, along with facilitating additional channels for information sharing across geographic boundaries. NY Metro InfraGard provides both interactive, internally developed content and material from selected partners to its national audience to enhance the value of the InfraGard network for all its members. More information about the NY Metro InfraGard Alliance is available at http://www.nym-infragard.us/cms.

/ Topics will include:
• Accountant Malpractice Claims
• Authentication and Access Control
• Civil Litigation
• Class Action Disputes
• Computer Crime and Information Warfare
• Construction Solutions
• Corporate Governance
• Corporate Risk and Security
• Criminal fraud and Deception Cases
• Cyber Forensics
• Damage Assessment
• Digital Forensic Case Studies
• Digital Forensic Processes and Workflow Models
• Digital Law
• Digital Signatures
• E-Discovery
• Employee Internet Abuse
• Employment and Family Law Cases
• Environmental Litigation
• Financial Investigations and Forensic Accounting
• Fraud Investigation
• General Commercial Disputes
• Identity Theft
• Industrial Espionage
• Insurance Claims
• Integrity of Archival Data
• Intellectual Property Claims
• International Risk and Investigations
• Intrusion Detection
• IT Security and Compliance
• Legal, Ethical and Policy Issues
• Mobile Forensics
• More General Criminal Cases
• Network forensics
• New Firewall Technologies
• Portable Electronic Device Forensics
• Post-Acquisition Disputes
• Privacy and Data Mining
• Privacy Leakage Case Studies
• Privacy Policy Enforcement
• Security Education and Training
• Smart Card Applications
• Stealth Data
• Unauthorized Disclosure of Corporate Information

/ Attendee titles include:
• CIO’s, CSO’s, CTO’s
• CFO
• IT Managers
• Law Firm Administrators
• Lawyers
• Legal Assistants
• Legal Marketing Directors
• Legal Technology Consultants
• Paralegals
• General Counsel
• Accountants
• VP/Director/Manager of IT Security
• Chairman/CEO/COO/President/Owner
• IS/MIS/Systems/Service Administrators
• Sales & Marketing Professionals
• Consultants
• Judges
• Engineer/Architect/Developer/Tech

THE COMPUTER FORENSICS SHOW IS THE ‘DON’T MISS’ EVENT OF THE YEAR FOR ALL LITIGATION, ACCOUNTING AND IT PROFESSIONALS

For more information regarding the show, please contact us at (203) 661-4312 or info@computerforensicshow.com. Or visit our website: www.computerforensicshow.com
/ COMPETITION

COMPETITION
/ 3 Sony ICD-UX71 Digital Dictaphones to Win with Digital Forensics Magazine Issue 2

/ Question
What word is used to describe the hiding of data within a digital file?

A. Cryptography
B. Steganography
C. Phreaking

/ To Enter
To enter the competition all you need to do is send an email to competition@digitalforensicsmagazine.com writing ICD-UX71 in the subject line, including your name, address and telephone number with your entry.

/ Terms and Conditions
This competition is open to anyone aged 18 or over, except for employees of TR Media Limited and their immediate families. Only one entry is permitted per person. Entries can be submitted by email only and should be sent to competition@digitalforensicsmagazine.com. TR Media shall not be responsible for technical errors in telecommunication networks, Internet access or otherwise, preventing entry to this competition. Closing date for all entries is on 31st March 2010 at 9.30am. Any entries received after that time will not be included. The first correct entry, chosen at random by the DFM team, will be notified by email on Monday 12/04/2010. The winner will be announced in Issue 3 of the magazine and on the Digital Forensics Magazine website. Submitting your entry constitutes your consent for us to use your name for editorial or publicity purposes, should you be the winner. TR Media reserves the right to change or withdraw the competition and/or prize at any time. By entering the competition, entrants are deemed to have accepted these terms and conditions.

Features
USB direct key (Windows and Mac compatible) / mp3 stereo recording and playback / Advanced dictation features like Digital Pitch Control and Voice Operate Recording / Built in stereo microphone / Selectable microphone sensitivity (High/Low) / Built-in speaker / Dot-matrix LCD display with backlight / Hi-speed USB data transfer (Voice recordings, music, images and data) / 1 x NiMH Rechargeable battery / 1GB built-in flash memory to record over 290 hours / Stereo headphone, USB extension cable & carrying pouch
/ LEGAL EDITORIAL

LEGAL EDITORIAL
Welcome again to DFM’s legal section. Plenty of action in this issue …
by Moira Carroll-Mayer

Welcome again to the Legal Section of DFM. I am delighted to announce an eye-opening new feature entitled ‘News Round-up’, aimed at alerting digital forensics investigators to events across the globe directly affecting them. In this issue ‘News Round-up’ describes the new Civil Procedure Rules exposing digital forensics investigators in UK courts to comprehensive cross examination on their knowledge of procedure and responsibilities.
The transposition into the UK law of most of the EU Data Retention Directive (2006/24/EC) was approved on 24 July 2007 by the House of Lords and signed the next day by the Home Secretary. Since then confusion and dismay have prevailed in every networked camp. In his riveting article ‘What Security Professionals Need to Know about EU Data Retention’, Mark Osborne walks us through the most commonly experienced horrors of the Directive which phantom like disperse before his penetrative gaze. Mark clarifies the categories of network data affected, the meaning of ‘internet access’ under the Directive and what should be retained. Most helpfully, Mark provides a storage summary table for ready reckoning and concludes by answering some of the most worrisome questions. The article is indispensable reading for anyone encumbered by the nightmare role of data-sitter for the purposes of law enforcement or as [name of author] would put it for ‘a bloke with a job to do’.
In an exponentially expanding open source environment the flex-
ibility and freedom offered by custom made dual use technologies
for the conduct of digital forensics are irresistible allurements. Bill
Dean introduces an exciting new concept in his article ‘Creating a
Free Volatile Data Collection Toolkit’. According to Bill, the toolkit’s
capabilities exceed those of Microsoft’s COFEE opening secret
doors, avoiding passwords, decrypting and showing all evidence.
Effective maximisation of the capabilities cannot be achieved
however in isolation from legal requirements. Knowledge is power
and in the complementary article ‘From COFEE to Do It Yourself:
Know Your Limits’ loins are girded against the most troublesome
legal pitfalls associated with the development, possession and
deployment of dual use data collection toolkits.
May I wish you all a happy and secure 2010.

/ AUTHOR BIO
Moira Carroll-Mayer, Digital Forensics Magazine’s Legal Editor,
is a lecturer in Procedural and Substantive Law of Forensic
Computing with published articles on Communication Ethics,
Identity Management & the Implications for Criminal Justice,
the Ethical Implications of Nanotechnology, and Digital
Crime & Forensic Science in Cyberspace. Moira is currently
conducting research into the ethical and legal implications of
advanced autonomous weapons systems.

/ LEGAL NEWS ALERT

LEGAL NEWS ALERT


Sixth Amendment shocker
In June 2009 the US Supreme Court in Melendez-Diaz vs. Massachusetts found that notarized forensic analysts’ reports without live testimony violate a defendant’s 6th Amendment right to confront witnesses under the Confrontation Clause and are therefore precluded from evidence.
The basis of the finding is that such certificates are identical to live court room testimony and cannot be exempt from the Confrontation Clause on the strength of scientific neutrality because errors and fraudulent statements are not unknown. Signing and swearing before a notary affirms the origin of a document but says nothing about the substance of the evidence; such testimony attracts the right of an accused to confront the maker.
The finding affects all forms of forensic evidence including digital forensics. As Justice Kennedy, dissenting, put it, this ‘threatens to disrupt forensic investigations across the country [...] The FBI laboratory at Quantico, Virginia, supports federal, state, and local investigations across the country. Its 500 employees conduct over one million scientific tests each year’. Now, before any test is considered by a jury, at least one directly involved analyst must deliver live testimony without deviation from the expert report. The shock of the decision is seismic, the implications for digital forensics experts potentially global.

/ Changes to UK procedures
Fundamental amendments to Part 35 of the Civil Procedure Rules came into force on 1st October 2009 in England and Wales. Expert witnesses, including digital forensic expert witnesses, must sign a revised Statement of Truth, a declaration of awareness of the existing and the updated Civil Procedure Rules, Practice Directions and Protocols. In addition, it is likely that if cases go to court, experts could be cross-examined in relation to their knowledge of Part 35 of CPR. For these reasons instructing solicitors will now look for evidence that an expert has a full understanding of Part 35 of CPR, Practice Directions and Protocols.
In brief, digital forensics experts can expect to be examined upon knowledge of: interpretations and definitions of Part 35, the overriding duty to the court, the court’s power to restrict expert evidence, general requirements for expert evidence to be given in a written report, written questions to the expert, the court’s power to direct evidence be given by a single joint expert, instructions to a single joint expert, power to direct a party to provide information, the contents of the expert report, use by one party of an expert’s report disclosed by another, discussions between experts, consequences of failure to disclose, expert’s right to ask courts for directions and assessors. For clarification you could do worse than to go to http://www.justice.gov.uk/civil/procrules_fin/contents/parts/part35.htm

Another trans-global headache
Digital forensic investigations frequently encounter cross-border legal and cultural conflicts. However, the standard advice to seek local assistance on legal requirements and technical capabilities by partnering with a local lawyer and or vendor who understands local requirements and has the technical ability to help you meet them may require augmentation in cases involving some US states. Legal tangles, customs checks on complex equipment, ensuing delays and language barriers are avoidable with assistance at local level. Some states, including Texas, Georgia, South Carolina and Michigan now require digital forensics technicians to hold a private investigators licence. Under the Professional Investigator Licensure Act persons conducting the “collection, investigation, analysis, and scientific examination of data held on, or retrieved from, computers …” must have professional investigator licenses issued by the Department of Labor and Economic Growth prior to performing these services. Violations amount to a felony and may attract a four year custodial sentence with either a civil fine up to $25,000 or a criminal fine of up to $5,000.
In North Carolina, the state run Private Protective Services Board for the regulation of private investigators, is proposing a separate license category for ‘Digital Forensic Examiners’ with a requirement of 3,000 hours of digital forensics experience. Worryingly the Professional Investigation Licensure Act defines computer forensics so widely that even the activity of printing off a web page for use in court must be licensed. Additionally, just how many licenses do you need if data is to be scanned from computers in more than one participating state? The academic debate rages but for digital forensics investigators the writing is on the wall.

New data theft penalties
From April 2010, in the UK it will be a criminal offence under section 55 of the Data Protection Act 1998 to obtain personal data from Data Controllers without their consent. It will also be an offence to sell illegally obtained personal data.
Digital forensics investigators, in common with all citizens, are liable for prosecution under section 55. The offence is described as knowingly or recklessly obtaining or disclosing personal data or the information contained in personal data, or procuring the disclosure to another person of the information contained in personal data, without the data controller’s consent.
Breaches of the section 55 amendment attract custodial penalties of up to two years imprisonment. The focus of the section is on individuals rather than organisations or their
standards of processing personal data; nonetheless digital forensics investigators, no less than law firms and other bodies hiring their services, must be vigilant to ensure that their activities do not amount to a breach of Section 55.
Informed opinion is that accidental errors are unlikely to attract imprisonment; the loss of reputation ensuing from police investigation or court appearance may detract from that small mercy.
There will however be a new defence for anyone who can show that he acted: for the special purposes (defined by section 3 of the DPA as (a) the purposes of journalism, (b) artistic purposes, and (c) literary purposes); with a view to the publication by any person of any journalistic, literary or artistic material; and in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

Singapore restrictions
The Singaporean Department of Statistics will allow researchers access to information collected on individuals following changes to the Statistics Act introduced on Monday 11th January 2010. The information however will not include a person’s particulars such as his/her identity. The Chief Statistician will also be empowered to obtain data from public agencies. Commentators are concerned about the dangers of accidentally revealing identity or sensitive information. The imperatives of protecting retrieved data and of preventing it from falling into the wrong hands may not be all that easy to satisfy. Extraordinarily, the definition of wrong hands appears to include those of law enforcement agencies, at least according to interested politicians. Paulin Tay Straughan, Nominated MP, said: “Let me illustrate with an example: HPB commissions research on teen smoking, and to encourage participation from teenagers, the HBP assures all respondents that the aim of the study is to appreciate the motivators that push a teen to take up smoking...But if the data is later used by law enforcement agencies to locate hot-spots where underage smokers are likely to hang out, that would be a serious breach of ethics.” Trade Minister Lim Hng Kiang echoes

/ E-Discovery v. E-Disclosure
There is growing consensus on who must see what and how between US and UK jurisdictions. In Covad Communs. Co. v. Revonet, Inc., 2009 U.S. Dist. LEXIS 75325 (D.D.C. Aug. 25, 2009) it is acknowledged that taking an electronic document such as a spreadsheet, printing it, cutting it up, and telling one’s opponent to paste it back together again, when the electronic document can be produced with a keystroke, is madness today.
Producing paper spreadsheets that “run horizontally across several sheets of paper, resulting in a sea of seemingly random numbers and data, with no effective labels, column headings, or other identifying information” and expecting the Plaintiff’s lawyer to “paste these hundreds of pages together,” to make the “paper-ized” spreadsheets useable is rejected by the court. The Defendants had also failed to produce all emails in native file format because the review platform they used for the first paper production was only able to export email in HTML, thereby causing a discrepancy between the paper and native file productions.
Challenged, they claimed it was too burdensome to cross-reference the two productions to define the size and scope of the discrepancy; the court was unsympathetic, ordering full production of the missing emails based upon common sense principles. ESI should be collected in a documented methodology and processed in a defensible manner allowing the party involved MD5 Hash Values and an index of the processed ESI.
Litigation support review software automatically creates a document index and usually a production log, enabling what has and has not been produced in discovery to be tracked. Cumbersome cross-referencing of a HTML system to a PST production was avoidable by not producing paper documents in the first place; documents originally created in electronic format must be produced in an electronic format, the form or forms in which it is ordinarily maintained or in a reasonably usable form or forms [Covad, 12, Fed. R. Civ. P. 34 (b)(2)(E)(ii)]. However, to withstand the deluge otherwise possible under the Federal Rule of Civil Procedure Rule 26(b)(2)(C) the court applied “balancing factors” including (i) whether the discovery is “unreasonably cumulative or duplicative,” and (ii) whether the party seeking discovery “has had ample opportunity to obtain the information by discovery in the action.”
Between 2008 and 2009, four landmark cases in the UK and a new Practice Direction to Part 31 of the Civil Procedure Rules, specifically on e-disclosure, marked the convergence. In Digicel, a party was forced to redo much of its disclosure and
to co-operate as to the scope of further disclosure.
this: “If requests for such data compromise the informed consent In Abela, the court re-iterated the duty to co-operate and the
or ethical issues, then the agencies involved in collecting data requirement to bring an informed technical understanding to the
can veto and not release this information. So that’s the check and court in the absence of agreement, while in Hedrich a solicitor
balance.” There is a world of difference between data enabling just about avoided a wasted costs order for disclosure failures.
Earles v Barclays Bank Plc ([2009] EWHC 2500) provides a clear
the identification of a geographical location and data tending to reminder to undertake proper electronic disclosure.
evidence of criminal activity. Given that Nominated MPs such as The judge makes it clear that Practice Direction 31 2A “is
Straughan are allegedly admitted to dilute the perceived need in the Civil Procedure Rules and those practising in the civil
for opposition and the presence of that weasel word ‘may’, to courts are expected to know the rules and practice them; it is
gross incompetence not to”. By implication the work of those
what extent the admissibility of electronic evidence of crime and digital forensics experts whose services are employed by
thereby the fortunes of digital forensics investigators of Singa- lawyers is cut out for them.
porean data are affected remains to be seen.

/ LEGAL FEATURE

SETTING STORE ON
NEW DATA RULES
What security professionals need to know about EU Data Retention

Mark Osborne takes a personal look at the challenges posed to UK & European
organizations by the 2006 directive
/ INTERMEDIATE

EU Directives always cause debate. Think of the problems caused by the working-hours directive or the data protection directive. But the EU data retention directive has caused more than most. There are, however, reasons for transposing the Directive into UK law. As network complexity increases through programmes such as BT 21CN, it becomes harder to monitor communications traffic in the reasonably practicable manner allowed by the Regulation of Investigatory Powers Act 2000. 'Traditional' PSTN calls admit taping anywhere along the line, but Next Generation Network packets travel myriad, frequently impenetrable paths. The Directive, in accordance with the Home Office's Interception Modernisation Programme, ensures lawful interception on demand, even in complex environments.

The title and reference is: 'Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC' [1]. What a mouthful! From here on we shall refer to it as the Directive.

Its purpose, stated at Article 1, is "to harmonise Member States' provisions concerning the obligations of providers of public communications services or networks regarding data generated or processed by them so that it is available for the purposes of investigation, detection and prosecution of serious crime".

It sounds clear enough. And not unreasonable… at least, apparently not. Just look around at the many lucrative conferences, online forums and journals that have spent some time conjecturing, discussing and arguing about the true meaning of it all. Many reasons are cited, but the main points of contention are:

• Some people believe that the Directive is an infringement of their rights, and that it enables the authorities to bug all conversations and transactions on the Net. Add to the mix the various reported comments from a number of authorities that the Directive's stated requirements fall short of what they really wanted, and that some of the guidance documents explicitly ask for items that could not be justified by the Directive, and you can certainly see a level of discord.
• People that wrote the Directive claim that all the data required to be retained would be collected as part of normal business – yet much of the non-voice data is far from what is routinely collected. Indeed, it is expensive and difficult to obtain, especially when you consider the abundance of traffic on today's Internet. Such a massive change will inevitably cause confusion. Many engineers across the EU are saying to themselves, "How in the Hell am I going to get that data – I must have read it wrong!".
• The Directive doesn't clearly identify what is meant by "the providers of publicly available electronic communications services". Many people that should comply are avoiding doing so because "it only applies to ISPs."

The original purpose of this article was to dispel these causes of confusion, particularly the second and third points, in the light of supporting documentation and the Directive itself. Initially, I had some sympathy for the arguments that the Directive was confusing. However, on revisiting the Directive to construct this article, I found myself believing the requirements to be relatively clear (by the standards set by other computer laws). Could it be that our industry relies on its legal requirements being spoon-fed to it by the very magazines, conferences and journals mentioned previously, and that they, plus the activists from the first point above, could be engaged in a successful campaign of obfuscation?

Perhaps too many years spent solving security problems caused by "events" that everybody said would never happen have left me paranoid. I will let you decide the reason for confusion – but confusion there is. Lots of time has been spent on the civil liberties issue, and as much as I sympathise, I am a bloke with a job to do and these guys aren't really helping.
/ So, let's go straight to Point 2: what do we need to store?
Data retention requirements are described in Article 5 of the Directive. As I have said, on my first reading I found the requirements complex. However, I must have been suffering from some kind of mid-life crisis, as, on later reflection, the data requirements are actually not very difficult to understand.
The data requirements are sub-divided into two general types as they are specified. These are:

• Fixed network telephony and mobile telephony
• Internet access, Internet e-mail and Internet telephony

From this we can plainly see, with no hypothesis or extrapolation (don't worry, that will come!), that we are supposed to record information about four categories of network traffic:

• Fixed network telephony and mobile telephony
• Internet access
• Internet e-mail
• Internet telephony
Fixed network telephony and mobile telephony

My expertise in this area derives from my sitting next to many experts in this field, which is a dubious qualification at best. That said, the stated requirements appear succinct and, with some experience in the area, most telecom security pros will come up with a valid implementation. The stated retention requirements for fixed network telephony and mobile telephony cover:

• (A1i) the calling telephone number – as this will be a customer, the name and address of the subscriber or registered user;
• (B1i) the telephone number(s) called, or the number end-point if it has been forwarded, transferred or routed; if it is your customer you should retain the name(s) and address(es) of the subscriber;
• (C1) the date and time of the start and end of the communication;
• (D1) the telephone service used;
• (E1) where a mobile is concerned, data to identify the handset and data necessary to identify the location of mobile communication equipment:
  • the calling and called telephone numbers – surely a careless repetition in the document, as these requirements are already stated;
  • the International Mobile Subscriber Identity (IMSI) of the calling party (mobile only);
  • the International Mobile Equipment Identity (IMEI) of the calling party (mobile only);
  • the IMSI of the called party (mobile only);
  • the IMEI of the called party (mobile only);
  • in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated (mobile only);
• (F1) the location label (Cell ID) at the start of the communication;
• (F2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

Having broken it down like this, it doesn't look too outrageous. In fact, anyone who runs a public voice system (please note this phrase) will know they are able to source nearly all of this information from CDRs (call data records) produced by the switch manufacturers to allow call billing. In fact, they will probably be storing these for 6 to 12 months for billing purposes and will, no doubt, be used to providing this information for warrants.
As I said, these requirements are not outrageous at all. The truth is most authorities have nearly a hundred years of experience in telephone-related law enforcement. They understand what is available to a carrier and how it might be used. This isn't to say there isn't a whole host of problems that need to be dealt with, including those of jurisdiction, lawful requests and proportionality, and international number rationalisation. But the major issues of this nut are well and truly cracked. This is good, because you should have been compliant some time ago. So let's not spend any more time on it.
The aforementioned breadth of knowledge of the law-makers is not apparent when dealing with the authorities and their understanding of data networks, and particularly IP networks. So let's dissect the requirements for "Internet access".

/ Internet access
"Internet access" generally refers to the process of "how the connection from the subscriber to the Internet is performed". So here we should be looking at how a user will acquire an IP address, replete with routes, and how that user will talk to the Internet. Under the section "a2) data necessary to trace and identify the source of a communication" we can see the following data must be kept:

• (i) the user ID;
• (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
• (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

Most people reading this (1 and 2) will spot the repetition. Point number 1 – they want me to store the user ID! Point number 2 – they want me to store the user ID!! Thanks, but I got it the first time.
Legacy providers will instantly think of SLIP and PPP used in the bad old days of dial-in access. If you are a 21st century access provider via WiFi or GSM, or even provide Ethernet connections in public places like conference centres, this section will be very pertinent. But this information is easily and readily available from your access servers, which will record CHAP or PAP authentication information in a RADIUS or TACACS+ system, even if some augmentation of the information from your RAS or DHCP system is needed. Traditionally, operators throw away the information after the transaction has expired – but not any more.
Paragraph a2 (iii) has a meaning that is clear: you need to be able to correlate the IP address, telephone number and
user ID to a subscriber name and postal address. For a backbone provider, a provider that supplies fixed links with a fixed IP range, this is all you need to store.
There is no data relevant to how the Internet access is gained in B2, so let's look at C2, which is mainly about the time of Internet access. It contains the following jumble of information:

"the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user".

What this actually means is that when a user logs in or logs out, you need to record the IP address and the user ID allocated, plus the date/time. For those of you seeking guidance, I suggest that you synchronise to a common time source and use UTC.
Section (D) is entitled "Data necessary to identify the type of communication" and for just Internet access I would suggest we record this data as either a login event or a logoff event. Section E seeks to record the line and hardware used for access:

• The calling telephone number for dial-up access;
• The digital subscriber line (DSL) (or other end point) of the originator of the communication.

This is self-explanatory.

Internet access: summary
For each login or logout, we need to store:
• User ID, if available, or telephone number, if available
• A link to the bill payer's name and address
• The IP address
• The date-time
• xDSL line, telephone number or other access media if no fixed access.

/ Internet e-mail and Internet telephony
As before, if we re-analyse the storage requirements for section "a2" in terms of VoIP & e-mail, we see:

• (i) The user ID;
• (ii) The user ID and telephone number allocated to any communication entering the public telephone network;
• (iii) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.

Items (i) and (ii) are straightforward:
• For each VoIP communication, they want you to store a record containing the SIP URL, the user ID (if different, but not usually) and a PSTN telephone number (if one is allocated/used, e.g. for Skype-out type applications);
• For each e-mail sent, they want you to store a record containing the e-mail address and the user ID (if different).

In Section B, the document simply refers to the destination(s) of a given VoIP call or any sent e-mail. They require you to store:
• The user ID or telephone number of the intended recipient(s) of an Internet telephony call;
• The name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication.

So:
• For each VoIP communication, they want you to store a record with a field containing the destination SIP URL, a user ID (if different, but not usually) and a PSTN telephone number if one is allocated/used (e.g. for Skype-out type applications).
• For each e-mail sent, they want you to store a record with a field containing the destination e-mail addresses (if there is more than one) and a user ID (if different).

Para (ii) is only relevant if you host both the source and the destination address.

Section C contains the relevant paragraph:
"(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;"

So:
• For a SIP-based VoIP service, they want you to store a record showing when a user registers with a SIP server, which is the equivalent of a login. SIP will treat a REGISTER with expiry=0 as a logout, but most servers rely on the registration timing out;
• For each e-mail post office service like POP3 or IMAP, you need to record when the user logs in or logs out.

"Section D – data necessary to identify the type of communication". As before, to satisfy this requirement we need to record the protocol. This would be:
• SIP/RTP
• SMTP
• POP3
• IMAP

Please note that, for the purposes of simplicity, I have ignored other VoIP protocols such as H.323 and Skype and have concentrated on SIP/RTP. /

DATA RETENTION STORAGE SUMMARY

| SERVICE | EVENT | USERID | TIME | NAME / ADDRESS | ALLOCATED / SRC IP | PSTN BREAKOUT | SRC ADDR | DEST ADDR(S) | OTHER INFO | COMMENT |
|---|---|---|---|---|---|---|---|---|---|---|
| INTERNET ACCESS (DIAL-IN OR BROADBAND) | LOGIN | X | UTC – at record time | X | X | | | | The CLI or DSL identifier | |
| | LOGOUT | X | As above | X | X | | | | | |
| WIFI | ASSOCIATE | X | As above | X | X | | | | | |
| | DISASSOCIATE | X | As above | X | X | | | | | |
| INTERNET TELEPHONY (SIP/RTP) | REGISTER | X (userid) | As above | X | ADVISABLE | X | SIP URL | | | SIP has no LOGIN or LOGOUT |
| | INVITE | X (userid) | As above | X | ADVISABLE | | SIP URL | SIP URL | Dst IP/port | |
| | BYE / CANCEL | X (userid) | As above | X | ADVISABLE | | SIP URL | SIP URL | | |
| INTERNET E-MAIL (SMTP) | RCPT TO / MAIL FROM | X | As above | | ADVISABLE | | E-MAIL ADDRESS | E-MAIL ADDRESS | Dst IP/port | SMTP has no LOGIN or LOGOUT |
| POP3 | USER | X | As above | X | ADVISABLE | | E-MAIL ADDRESS | | | LOGIN |
| | QUIT | X | As above | X | ADVISABLE | | E-MAIL ADDRESS | | | Must be carried forward from the login |
| IMAP | LOGIN | X | As above | X | ADVISABLE | | E-MAIL ADDRESS | | | |
| | BYE | X | As above | X | ADVISABLE | | E-MAIL ADDRESS | | | LOGOUT |

The table above summarises fields within a packet, or protocol command verbs, that can be used to satisfy the "non-technical" terminology used in the Directive.
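The storage summary above turned into a small working record store, as an added example that is not code from the article or from any operator's product. It normalises three constructed log sources (a RADIUS-accounting-style access log, SIP REGISTER requests and a client-side SMTP transcript) into the field list of the table, keeps every timestamp in UTC as the article advises, treats a REGISTER with Expires: 0 as the logout-equivalent, drops SMTP message content (Article 5 forbids retaining it) while keeping the envelope addresses, and goes beyond the table with the a2(iii) correlation query "who held this IP address at this time". The log line formats, the UTC+1 server clock zone, the SUBSCRIBERS table and all addresses are constructed assumptions.

```python
# Added example: retention records from constructed access, SIP and SMTP logs,
# plus the a2(iii) "who held this IP at this time" query. Log formats, the
# UTC+1 server clock zone and the subscriber table are constructed assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LOCAL_TZ = timezone(timedelta(hours=1))                 # assumed server clock zone
SUBSCRIBERS = {"alice": "ACC-1001", "bob": "ACC-1002"}  # user ID -> billing reference

@dataclass
class RetentionRecord:
    service: str                   # INTERNET ACCESS / TELEPHONY / E-MAIL
    event: str                     # LOGIN, LOGOUT, REGISTER, RCPT TO ...
    time_utc: str                  # always UTC, as the article advises
    userid: Optional[str]
    subscriber_ref: Optional[str]  # link to the bill payer's name and address
    src_ip: Optional[str]
    src_addr: Optional[str]        # SIP URL or e-mail address
    dest_addrs: Tuple[str, ...]
    other: Optional[str]           # CLI/DSL id, expiry note, dst IP:port

def to_utc(local_ts: str) -> str:
    """'YYYY-mm-dd HH:MM:SS' in LOCAL_TZ -> ISO 8601 UTC string."""
    dt = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed RADIUS-accounting-style lines: time|Start/Stop|user|IP|calling station
RADIUS_LOG = [
    "2010-01-11 09:00:00|Start|alice|10.0.0.5|DSL-0207-1234",
    "2010-01-11 09:30:00|Stop|alice|10.0.0.5|DSL-0207-1234",
    "2010-01-11 09:45:00|Start|bob|10.0.0.5|DSL-0207-9876",   # same IP reused by bob
]
# Constructed SIP REGISTER requests: time|request line|From|Expires|source IP:port
SIP_LOG = [
    "2010-01-11 10:00:00|REGISTER sip:voip.example.net SIP/2.0|From: <sip:alice@voip.example.net>|Expires: 3600|10.0.0.7:5060",
    "2010-01-11 10:20:00|REGISTER sip:voip.example.net SIP/2.0|From: <sip:alice@voip.example.net>|Expires: 0|10.0.0.7:5060",
]
# Constructed client-side SMTP transcript for the authenticated user alice.
SMTP_LOG = """\
2010-01-11 11:00:00 C: MAIL FROM:<alice@example.net>
2010-01-11 11:00:01 C: RCPT TO:<bob@example.org>
2010-01-11 11:00:01 C: RCPT TO:<carol@example.com>
2010-01-11 11:00:02 C: DATA
2010-01-11 11:00:02 C: Subject: lunch?
2010-01-11 11:00:02 C: .
2010-01-11 11:00:03 C: QUIT""".splitlines()

def parse_radius(line: str) -> RetentionRecord:
    ts, status, user, ip, cli = line.split("|")
    event = "LOGIN" if status == "Start" else "LOGOUT"
    return RetentionRecord("INTERNET ACCESS", event, to_utc(ts), user,
                           SUBSCRIBERS.get(user), ip, None, (), cli)

def parse_sip(line: str) -> RetentionRecord:
    ts, request, from_hdr, expires_hdr, src = line.split("|")
    url = re.search(r"<([^>]+)>", from_hdr).group(1)           # sip:user@host
    user = url.split(":", 1)[1].split("@")[0]
    expires = int(expires_hdr.split(":", 1)[1])
    note = "expires=0, treated as logout" if expires == 0 else f"expires={expires}"
    return RetentionRecord("INTERNET TELEPHONY", request.split()[0], to_utc(ts), user,
                           SUBSCRIBERS.get(user), src.rsplit(":", 1)[0], url, (), note)

def parse_smtp(lines: List[str], userid: str) -> List[RetentionRecord]:
    """One record per message: envelope addresses only, never the DATA content."""
    recs, src, dests, started, in_data = [], None, [], None, False
    for line in lines:
        date, clock, _, payload = line.split(" ", 3)
        if in_data:                                # inside DATA: content is dropped
            if payload == ".":
                in_data = False
                recs.append(RetentionRecord("INTERNET E-MAIL", "RCPT TO / MAIL FROM",
                                            to_utc(started), userid, SUBSCRIBERS.get(userid),
                                            None, src, tuple(dests), None))
                src, dests = None, []
            continue
        if payload.upper().startswith("MAIL FROM:"):
            src, started = payload[10:].strip("<>"), f"{date} {clock}"
        elif payload.upper().startswith("RCPT TO:"):
            dests.append(payload[8:].strip("<>"))
        elif payload.upper() == "DATA":
            in_data = True
    return recs

def build_records() -> List[RetentionRecord]:
    recs = [parse_radius(l) for l in RADIUS_LOG] + [parse_sip(l) for l in SIP_LOG]
    return recs + parse_smtp(SMTP_LOG, "alice")

def who_had_ip(records: List[RetentionRecord], ip: str, at_utc: str) -> Optional[str]:
    """a2(iii) query: replay LOGIN/LOGOUT up to at_utc; dynamic IPs are reused,
    so the time is not optional."""
    holder: Dict[str, str] = {}
    for r in sorted(records, key=lambda r: r.time_utc):
        if r.time_utc > at_utc:                    # ISO UTC strings sort as time
            break
        if r.service == "INTERNET ACCESS" and r.event == "LOGIN":
            holder[r.src_ip] = r.userid
        elif r.service == "INTERNET ACCESS" and r.event == "LOGOUT" \
                and holder.get(r.src_ip) == r.userid:
            del holder[r.src_ip]
    return holder.get(ip)
```

Two design points follow the table rather than convenience: the NAME / ADDRESS column is satisfied by a billing reference that links to the subscriber, not by copying the name and address into every event, and the e-mail record is emitted only when the terminating "." is seen, so the parser never has a reason to keep anything between DATA and that line. The `who_had_ip` replay is the part a warrant exercises: with the sample data, 10.0.0.5 belongs to alice at 08:10Z, to nobody at 08:40Z, and to bob from 08:45Z, which is why a request quoting an IP address without a UTC timestamp cannot be answered.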

/ So where are the problems?
Q: If I just provide Internet access and colo, how can I get access to the customers' e-mail logs to record the information?
A: Good news: you don't have to. The Directive states in para 13 that:
"Data generated or processed when supplying the communications services concerned refers to data that are accessible. In particular, as regards the retention of data relating to Internet e-mail and Internet telephony, the obligation to retain data may apply only in respect of data from the providers' or the network providers' own services."
So if you are an ISP that provides a user an Internet connection, you don't have to raid your customers' machines to get their VoIP logs.

Q: I am a backbone provider but I provide an SMTP relay for use by my Internet access customers?
A: You are providing an e-mail service to a public network, so the Directive applies to you. You cannot provide login/logout events, but you must provide details of your send events.

Q: I have seen documents that refer to Web traffic or IM.
A: There are a number of current UK Government documents pre-dating the Directive that specifically asked for more. For example, the document called "Retention Of Communications Data Under Part 11: Anti-Terrorism, Crime & Security Act 2001 Voluntary Code Of Practice" [2] asks for the retention of Web and IM traffic. Clearly the omission of IM from the Directive was a mistake. Some parties try to rectify that mistake by claiming that IM is a form of e-mail.

Q: For how long should I keep the data?
A: 12 months is a good starting place. I suspect that it is unlikely that the "prescriptive online" requirement would apply to data after this period, so archive it to secondary storage to be on the safe side – it will only cost you one tape cycle.

Q: To whom does it apply?
A: The Directive states that it applies to "the providers of publicly available electronic communications services or of public communications networks". In general, most people assume that it refers only to ISPs and telcos. But think: the Directive is designed to provide evidence against serious crime – terrorists or Mafia. These are people who are mobile and technically savvy – they are going to be on the move.
The authorities are well aware of this, so the Directive is worded to include anyone who provides an Internet connection to the public. I know this broader definition hasn't been widely considered. However, it must cover more than telcos and ISPs if the community at large are to derive any benefit. This means it should cover access providers in the form of:

• Hosting companies;
• Internet cafés & wireless hot spots;
• Ethernet providers in conference centres.

Most of the people committing serious criminal activities and crimes against humanity will use these in preference to a registered fixed line to Dr Evil's HQ. There is some evidence to support this assertion. France and Italy have already issued guidance or legislation that incorporates this broader scope. In fact, Italy has already passed legislation that requires Internet cafés with more than 3 terminals to comply.
Additionally, many leading hotspot software providers now advertise EU data retention features as standard. These commercial companies would not have developed these features if it hadn't been necessary. Typically, the UK authorities have not issued anything since the Act referred to above, so watch out for some future statement.

Q: Does the Directive impact civil liberties?
A: Only time will tell – but my best bet is it may, but not in the way predicted by the campaigners. Some campaigners have suggested that the Directive endorses eavesdropping. It does not. The last paragraph of Article 5 of the Directive strictly forbids it:
"No data revealing the content of the communication may be retained pursuant to this Directive."
Article 7 goes on to reinforce the security requirements. The data must be stored with better security than that prevailing when it was transmitted and with due consideration of data-protection requirements. So our rights to private communication are not damaged in that respect.
If there is a risk, it is that the data will become used to prosecute more mundane crimes. Currently, this is the case for RIPA [3] in the UK, where the legislation is often used not only to protect society from so-called high crimes but for the pursuance of relative misdemeanours – recently publicised cases show that local authorities have been using the legislation for very minor cases like dogs fouling public parks (which is disgusting but hardly a serious crime).
Most CISOs or CIOs that work in service providers will have assisted the authorities with enquiries. Personally I am happy to do so when presented with the correct documentation. Unfortunately but frequently, this is not presented as necessary with the initial requests. It is my duty under law and as a member of a number of professional associations not to provide the information until the correct warrants etc. are in place. It is my belief that sufficient controls are in place, but the government representatives requesting the information AND the corporate officers providing the data needed to be reminded of the gravity of the process. This opinion was reinforced by an encounter with a bunch of government & police analysts at an "executive briefing" at the beginning of the year. Some fairly capable data retention software that had been developed for a large mobile provider was being demonstrated to a dozen provider representatives. And all was going well until the sponsor declared his intention to allow certain agencies to retrieve the data directly. I represented that without dual authorisation from both LEA management and service provider management, the service provider would be failing to meet their obligations (legal & moral) to the customer. One of the analysts suggested in a far too glib manner that should wrong information be retrieved a simple "notify" under the Data Protection Act would make everything better. I hope the inevitable but unfortunate victim feels the same way!
Fortunately others in authority understand the subject better and take matters more seriously. Sir Paul Kennedy, in his recent report [4], notes that most of the reported 55 errors in data intercepts resulted from simple typos and don't have a damaging impact. However, he acknowledges the potential for damage through control failure and in his words describes the impact as potentially "Catastrophic".

/ Conclusion
The Directive on data retention could be a powerful tool to protect us all against serious crimes – and have a minimal impact on our freedoms as long as we concentrate on the obvious flaws and don't just jump on the bandwagon. However, like most computer and security law, the people writing the Directive would have benefited from a better knowledge of the protocols and telecoms operations. This produces confusion and correspondingly too much idiosyncratic interpretation in the areas of the Directive that impact newer Internet technologies.
A draft schema for a storage model can be derived from the information in this article that could serve an operator well or at least provide a good starting comparison when considering commercial offerings. /

References:
1. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. Available at http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf
2. UK Acquisition and Disclosure of Communications Data – a Code of Practice, HMSO
3. UK Regulation of Investigatory Powers Act 2000, Office of Public Sector Information, http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_1
4. Report of the Interception of UK Communications Commissioner for 2008

/ Author Bio
Mark Osborne ran the KPMG security practice for many years (1993-2003). He has published several zero-day security vulnerabilities (e.g. Fatajack), and has also been an expert witness in the "cash-for-rides" case. Mark has designed the popular open-source wireless IDS/IPS (WIDZ), as well as the largest cyber security system in Europe. He is the author of "How To Cheat at Managing Information Security", which reached the Amazon.com Top-500.
/ FEATURE

WAKE UP AND
SMELL THE COFEE
CREATING A FREE VOLATILE DATA COLLECTION TOOLKIT

Microsoft’s forensic data collection tool has caused a stir in the IT world and raised awareness
of digital forensics across the board. Bill Dean separates fact from fiction as he evaluates what
COFEE means for digital forensics professionals
/ INTERMEDIATE

As everyone in the digital forensics community is well aware, Microsoft recently developed and released a forensic data collection tool named COFEE (Computer Online Forensic Evidence Extractor), intended for the law enforcement community only. But what seemed to be only minutes later, the tool was leaked to various Internet websites and torrent feeds. Very soon, many digital forensics specialists searched for, found, and then anxiously performed their first test of this revolutionary toolset.
Disappointment quickly set in. COFEE doesn't disclose secret backdoors into the system? COFEE doesn't automatically bypass all passwords or provide the decryption keys? It doesn't install the "show all evidence" button? No, it doesn't. I want to make one very important point: COFEE does not perform digital forensics. Its primary function is to perform data collection, to be analyzed at a later time. In my opinion, COFEE has a core design flaw: it is comprised of only Microsoft tools. Since many of us do not legally have access to COFEE, let us instead learn to build our own kit and add key functionality not available from Microsoft tools.

/ Don't pull the plug
COFEE is a collection of various data collection tools to be executed from a portable USB drive. The tool is specifically designed to allow law enforcement to collect digital evidence from a running computer while at the crime scene. It gathers volatile data such as machine information, running processes, network connections, and so on. Overall, I applaud the efforts of Microsoft to help the law enforcement community. With law enforcement finally evolving from the "pull the plug" approach to gathering volatile information from a running computer, this will greatly aid in their ability to be more successful in their investigations. Microsoft is enabling them to do so without extensive training. As stated on their website, "An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."
What many of the press releases failed to mention is that the most recent release of COFEE is actually the second version of this toolset. The initial version was released in early 2008. What is notable is that the very experienced Microsoft legal team is now in full force to have COFEE removed from the websites that were hosting it. In addition, there is rumor of altered binaries floating around. I would wager that these alterations are not legitimate enhancements. Microsoft has built this kit with only Microsoft tools; I am convinced that COFEE would not even exist without the previous acquisition of Mark Russinovich's and Bryce Cogswell's Sysinternals tool suite. Because Microsoft only uses their native tools for the kit, they cannot take advantage of the great Open Source and free utilities available to you and me. As a word of caution, please do not use this tool in your investigations if you are not authorized to have it. Instead, let's build a better toolset.
COFEE uses Microsoft's native and freely available tools to collect volatile information from a running computer. In my experience in using many of the Microsoft tools in both incident response and forensic investigations, below is a list of useful volatile artifacts that Microsoft's COFEE gathers and the associated tool to do so.

• Machine specific information (msconfig.exe, hostname.exe, psuptime.exe, and psinfo.exe)
• Local and remote file shares (net.exe)
• Groups and user information (net.exe, showgrps.exe, psloggedon.exe)
• Current user info (whoami.exe)
• Services list and their state (sclist.exe, sc.exe, and psservice.exe)
• Running processes (pslist.exe, tasklist.exe, and pstat.exe)
• Scheduled jobs (at.exe and schtasks.exe)
• Open files (handles.exe and psfile.exe)

45
/ FEATURE

• Network information (ipconfig.exe, route.exe, netstat.exe, nbtstat.exe, arp.exe, getmac.exe)
• Registry information (reg.exe, autorunsc.exe)

/ Volatile data collection methodology
Contrary to some whitepapers and standards within certain sectors of our field, pulling the plug on a running machine is no longer a viable solution for preserving information. In fact, pulling the plug destroys electronic evidence. Depending on the situation, the most valuable information sought may be located in transient locations that will not be available after the machine is shut down. While volatile information has always been key in incident response, successful digital forensic investigations now benefit from this sensitive information as well.

When a machine is running, there is an opportunity for volatile data to provide value to your investigation, and it should be collected. A staple of many investigators is not altering the evidence in any way. This is an understandable concept and one that should be observed, until the artifacts you need will be destroyed unless some change is made to the evidence. The concept to keep in mind when having to alter evidence is Locard’s exchange principle, which states, “with contact between two items, there will be an exchange”. For a very good application of this principle to electronic evidence, pick up your copy of Harlan Carvey’s Windows Forensic Analysis [1] and read chapter 1. If you do not have either of the Windows Forensic Analysis books, I strongly suggest getting them. With this principle in place, we must accept that we will alter the electronic evidence to gather the needed volatile information. As a matter of fact, standing in front of the running machine making the decision on whether or not to collect volatile data is passively altering the digital evidence.

Now that we have accepted that we must alter the evidence to gather volatile information, we have the option of either being surgical with each command executed or leveraging an automated collection tool to harvest as much information as possible. This decision will depend on the specific situation and the sensitivity of the incident. When responding to an incident that is currently in progress, the option to be surgical with the commands issued may be most applicable. However, since we are discussing COFEE and building our own kit, we will focus on gathering as much information as possible in an automated fashion. When choosing to gather information from various volatile sources in an automated fashion, we must still be very strategic in the order in which we issue commands. The goal is to start with gathering the information most sensitive to change and work our way to the least sensitive. While working in this fashion, we must also be cautious not to perform steps that will alter evidence that we will need to draw specific conclusions, or else move that action to the end.

Whether you are building a kit specific to incident response or a kit geared for forensic investigations, you will find that you seek much of the same information. Because of this, let’s build a core kit that meets both of these objectives. We will first outline the type of volatile information that we desire, determine our priorities from most volatile to least volatile, find the utilities to collect the information, and then script the automation of the collection. During the order of operations, we must be very cautious not to alter evidence that we will actually need to draw conclusions, both while analyzing the volatile information and during a further forensic analysis. For example, if we hash all files in the windows\system32 directory, we will alter the last access time for each of these files. If we are later trying to perform a timeline analysis of a malware infection in this directory, our volatile data collection efforts may prevent us from having all of the information needed during the full forensic analysis. We will be altering evidence, but we must understand what level of alteration we are performing and understand the consequences of these actions during the analysis.

We should always make a best effort to perform our volatile data collection using trusted binaries. It is well documented and demonstrated that machines infected with rootkits may alter the utilities that we are using to gather data, to mask themselves and information specific to their activities. The best method to reach this objective is to place all binaries, and the scripts used to automate their tasks, on read-only media such as a CD-ROM. Note that even a trusted binary makes its calls through the running kernel, so a kernel-mode rootkit can still filter what any user-mode tool reports; the memory image is the cross-check for that. However, there may be instances in which read-only media is not feasible. The reality is that you may not be present when the kit is needed. Maybe it is an end customer or an armed law enforcement officer executing a search warrant in a dangerous situation. When there are instances in which the end user of the kit may have “minimal computer experience”, you need the ability to hand someone a USB drive and instruct “insert this, run the executable, send the USB drive back to me”. It is advisable to have the kit with static binaries, but it is also a good idea to provide a kit that is as easy as possible to use. With all of this said, let’s build our kit with these methodologies in mind.

/ A WORD OF CAUTION...
As a word of caution, please do not use COFEE in your investigations if you are not authorized to have it. Instead, let’s build a better toolset.
• The primary purpose and application of volatile data collection kits is to retrieve information to be analyzed at a later time.
• Contrary to some whitepapers and standards within certain sectors of our field, pulling the plug on a running machine is no longer a viable solution for preserving information.
• The goal is to start with gathering the information most sensitive to change and work our way to the least sensitive.
• File hashes provide the ability to quickly analyze the integrity of a file set.
/ Building the toolkit
Although there is some valuable data that Microsoft cannot obtain natively, as we previously mentioned, they do provide a solid foundational toolset for us to begin with. Information pertaining to running processes, file shares, mapped drives, computer information, services, scheduled jobs, open files, network information, and registry information will provide value to us. Since Microsoft provides the tools and we have already covered their usage, we will use these tools as the foundation to build our forensic data collection kit.

/ MEMORY IMAGES
One of the core aspects of volatile information that Microsoft cannot gather natively, and the most volatile treasure of artifacts, is a full memory dump. Memory is the most volatile piece of information and should be gathered first. I am certain that the developers at Microsoft understand the importance of a memory image, but they do not have a way to capture it. Memory image analysis has been a focus for a couple of years. I personally give credit to the organizers of the Digital Forensic Research Workshop (DFRWS) and their 2008 Forensics Rodeo memory analysis challenge for the vast advancement of memory analysis capabilities and tools. There are many free and open source tools that can be used for capturing memory for analysis. One of my personal favorites from an automation perspective is mdd.exe from ManTech. Once we have captured memory, there is a wide variety of memory analysis tools for different platforms: Mandiant’s Memoryze, Volatility, PTK, HBGary, and FTK 3.0 are currently great tools for analyzing memory captures.
Similar to traditional hard drive forensics, new tools and methodologies for analysis are continually under development. Some of the current examples of evidence that can be obtained from a memory image are: running processes, current network connections, open ports, open files, password hashes, and decryption keys. A specific plug-in of the Volatility framework will actually let you extract a process executable from memory to analyze further. With the pace at which memory forensics is evolving, there will likely be more information available from a memory capture by the time this article goes to print. The asset of capturing memory is the ability to return to that evidence to extract additional information as the methods evolve. Now that memory has been captured, let’s move on to other aspects that will aid us in our objective. While still respecting the integrity of information for analysis, let’s begin the strategic collection of information from other sources.

/ PREFETCH
For Windows XP desktop operating systems, the C:\WINDOWS\PREFETCH directory will provide us with the last 128 programs that have executed on the machine, with some exceptions. We want to gather this before running other tools, as every subsequent command will register here, potentially overwriting artifacts that may be of interest to our investigation; the copy utility itself (xcopy.exe, for example) will create or update its own .pf entry, so expect that one. Once the contents of the PREFETCH directory are obtained, we can determine application execution information such as: executable name, executable path, first executed, last executed, and number of times executed. Note that the .pf file itself records only the last run time and run count; “first executed” is inferred from the .pf file’s own creation time, so copy with a method that preserves file timestamps, or record them before copying. A simple file copy of the entire contents of the C:\WINDOWS\PREFETCH directory to a directory named “prefetch” will otherwise be sufficient.

/ SCREENSHOTS
As previously described, we may not have the opportunity to be the person at the computer as the volatile data collection occurs. In some instances, we may not want to be there. Therefore, having a screenshot of the system may provide value to our objective. Is there certain value? Maybe, maybe not. As with some of the information gathered with this methodology, we would rather have it and not need it than need it and not have it. NirSoft’s NIRCMD command line utility is a proverbial Swiss army knife for gathering information such as this.

/ DRIVER INFORMATION
In many incident response instances and forensic investigations, there may be great value in knowing what system drivers are loaded on the machine. The DRIVERS.EXE application from Microsoft is an adequate utility to gather this information.

/ DLL INFORMATION
From an incident response perspective, we will want to know what DLLs are loaded and in use on the system. The LISTDLLS.EXE application from Microsoft will accomplish this task.

/ REGISTRY INFORMATION
There are two approaches to gathering information from the Windows registry: gather specific information, or collect the entire registry hives. I personally like a hybrid approach of gathering specific registry keys and their values for initial analysis, but also gathering the entire registry hives for full analysis if needed. Again from Microsoft, the REG.EXE utility is our preferred method from an automation perspective.

/ EVENT LOGS
When possible, Windows event logs should always be gathered for analysis. Many times, it can be an event such as a driver starting or an application crash that provides the lead that we are looking for in our investigation. The Microsoft Windows Resource Kit utility DUMPEL.EXE is a great tool to accomplish this.

/ CLIPBOARD INFORMATION
There is always the possibility that values located in the Windows clipboard may contain information of interest. The NIRCMD command line utility suite is again a tool of choice for this.

/ SYSTEM DATE AND TIME
As a point of reference, we will want to know the system date and time at the moment of collection. Using the Windows native DATE and TIME commands (with the /T switch, so they print without prompting for a new value), we can obtain this information.
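Returning to the Prefetch section above: once the .pf files are copied off, the execution information they hold has to be pulled out of the binary format. The following parser is an added example, not part of the magazine’s kit or any of the tools it names. It handles the Windows XP/2003 (version 17) layout only: the “SCCA” signature at offset 4, the executable name at 0x10, the filename-strings table whose offset and size sit at 0x64/0x68, the last-run FILETIME at 0x78 and the run count at 0x90. Vista and later use other versions with different offsets, which the parser deliberately rejects rather than misreads. The sample file is constructed inside the code (build_sample_prefetch is a test helper, not a real tool).

```python
"""Parse Windows XP/2003 (version 17) Prefetch files (added example)."""
import datetime as dt
import glob
import os
import struct
import sys

FILETIME_EPOCH_DELTA = 116444736000000000  # 100ns ticks from 1601-01-01 to 1970-01-01
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
HEADER_SIZE = 0x98  # 0x54 byte file header + 0x44 byte version 17 file information


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100ns units since 1601) to an aware UTC datetime."""
    return UNIX_EPOCH + dt.timedelta(microseconds=(ft - FILETIME_EPOCH_DELTA) // 10)


def datetime_to_filetime(when):
    return (when - UNIX_EPOCH) // dt.timedelta(microseconds=1) * 10 + FILETIME_EPOCH_DELTA


def parse_prefetch_v17(data):
    """Return executable name/path, last run time and run count from a v17 .pf blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Prefetch file")
    version, signature, _unused, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version != 17:
        raise ValueError("only the XP/2003 (version 17) layout is handled, got %d" % version)
    if file_size != len(data):
        raise ValueError("header says %d bytes, read %d" % (file_size, len(data)))
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le", "replace").split("\x00", 1)[0]
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le", "replace")
    files = [s for s in blob.split("\x00") if s]
    # The executable's own path is the strings entry that ends in its name.
    exe_path = next((f for f in files if f.upper().endswith("\\" + exe_name.upper())), None)
    return {"executable": exe_name, "path": exe_path,
            "last_run": filetime_to_datetime(last_run) if last_run else None,
            "run_count": run_count, "loaded_files": files}


def parse_prefetch_dir(directory):
    """Parse every .pf copied from the Prefetch directory, oldest last run first."""
    results = []
    for path in glob.glob(os.path.join(directory, "*.pf")):
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            record = parse_prefetch_v17(data)
        except ValueError as exc:
            record = {"executable": os.path.basename(path), "path": None,
                      "last_run": None, "run_count": None, "error": str(exc)}
        record["file"] = path
        results.append(record)
    return sorted(results, key=lambda r: r["last_run"] or UNIX_EPOCH)


def build_sample_prefetch(exe_name, last_run, run_count, files):
    """Construct a minimal v17 image for testing; this is not a real Prefetch file."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I4sII", header, 0, 17, b"SCCA", 0, HEADER_SIZE + len(strings))
    name = exe_name.encode("utf-16-le")[:58]
    header[0x10:0x10 + len(name)] = name
    struct.pack_into("<II", header, 0x64, HEADER_SIZE, len(strings))
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header) + strings


# Constructed sample: CALC.EXE run 7 times, last on 2009-06-01 12:00 UTC.
SAMPLE_PF = build_sample_prefetch(
    "CALC.EXE", dt.datetime(2009, 6, 1, 12, 0, tzinfo=dt.timezone.utc), 7,
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
     r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CALC.EXE"])

if __name__ == "__main__":
    for rec in parse_prefetch_dir(sys.argv[1] if len(sys.argv) > 1 else "prefetch"):
        print(rec["last_run"], rec["run_count"], rec["executable"], rec["path"])
```

The loaded_files list is worth keeping as well: it names every file the loader touched in the first seconds of execution, which is where an injected DLL tends to show up.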

/ BREW YOUR OWN COFEE, BUT KNOW YOUR LIMITS
DFM’s Legal Editor Moira Carroll-Mayer examines the legal implications associated with a DIY volatile data collection toolkit

In his article on volatile data collection, Bill Dean presents an independently assembled, accessible forensic toolkit with capabilities ‘modified as you see fit’, based upon, but exceeding, Microsoft’s COFEE. An accompanying message in the open source free-for-all is: do as you see fit with well tested tools and adequate regard to national and international legal frameworks. Legislation sets traps;  civil collection and retention exercises seamlessly mutate into crimes. Under section 55(1) of the UK Data Protection Act 1998, it is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. Offences of processing, or altering notified processing, without notifying the Information Commissioner also threaten. The prudence of deploying a volatile data collection toolkit on internal investigations or a victim’s computer, as opposed to a suspect’s, evaporates.
In the UK, the ACPO Guidelines for Computer Based Electronic Evidence place a premium on trusted volatile data collection tools applied by experienced investigators, capable of deciding whether collection is evidentially necessary within a sound, pre-determined methodology. Under the British Standards Institution’s BS 10008:2008, ‘Evidential Weight and Legal Admissibility of Electronic Information’, issues of storage, communication and linking identities to documents must be observable in architecture and application. Non-compliance hazards evidential viability, reputation and the fruits of labour.
Between countries, policing and prosecution differ; witness the dangerous discrepancies of UK and Irish law.
In October 2008 the UK finally implemented section 37 of the Police and Justice Act 2006, which amends the Computer Misuse Act (CMA) 1990. The new section 3A, inserted after section 3 of the CMA, makes it an offence to make, supply or obtain articles likely to be used in computer misuse offences. A person guilty of an offence under this section is liable on summary conviction in England and Wales to imprisonment for a term not exceeding 12 months, or to a fine, or to both; on conviction on indictment, to imprisonment for a term not exceeding two years, or to a fine, or to both.

/ Closed or open?
The term ‘likely’ remains undefined, but prosecutors should look at the functionality of the article and at what, if any, thought the suspect gave to who would use it: whether, for example, the article was circulated to a closed, vetted list of IT security professionals or posted openly; whether it was developed primarily, deliberately and for the sole purpose of committing a CMA offence; whether it was distributed on a commercial basis through legitimate channels; whether it is widely used for legitimate purposes; whether it has a substantial installation base; and how the context in which the article was used to commit the offence compares with its original intended purpose.
The Crown Prosecution Service has issued guidelines, not guaranteed to safeguard the virtuous from prosecution, culminating in three questions:

1. Does the institution, company or other body have in place robust and up to date contracts, terms and conditions or acceptable use policies?
2. Are students, customers and others made aware of the CMA and what is lawful and unlawful?
3. Do students, customers or others have to sign a declaration that they do not intend to contravene the CMA?

In Ireland, no law deals specifically with the making, distribution and receipt of dual use articles. Section 4 of the Criminal Damage Act 1991 states:

‘A person who has any thing in his custody or under his control intending without lawful excuse to use it or cause or permit another to use it-(a) to damage any property belonging to some other person..shall be guilty of an offence’

Due to the requirement of establishing that a defendant had the intention to use the article to damage property (property includes data), mere intention to gain unauthorised access is insufficient. It is ineffectual, for example, to establish that possession of dual use technology is for the purpose of unauthorised viewing (hacking in UK terms). Makers and distributors are uneasily affected since the section talks about intention to cause or permit a person to use the article to commit an offence; awareness that it might seems insufficient. Lastly, the question remains open whether software is a ‘thing’ within the meaning of Section 4.
Across the philosophical spectrum, Finnis to Raz to Fuller and beyond, consensus is that the affairs of man are best served by laws that are clear, coherent, stable and consistent. There is precious little certainty for the makers, purveyors or recipients of dual use software; know your markets and their laws. /

/ FILE HASHES
MD5 or SHA1 file hashes provide the ability to quickly analyze the integrity of a file set. This can be accomplished by either having a “bad” hash set that will flag files known to be bad, or a “good” hash set to filter out the files that are of no interest. Many times for malware, bad hash sets are available for use. However, at the rapid rate at which new malware is found, keeping this hash set up to date can be a daunting task. Another approach is the “good” hash set. The best source for known or “good” hash sets is to download them free from the NIST website (the National Software Reference Library). With the value that hash filtering can provide, we have the option to hash files in specific directories such as C:\WINDOWS\SYSTEM32. SHA1DEEP.EXE or MD5DEEP.EXE are great utilities to gather this information. Remember the caveat from the methodology section: hashing a directory updates the last access time of every file in it, so this step belongs at the end of the collection order.

/ NETWORK INFORMATION
In our base toolset, we already have Microsoft utilities that gather network information for ports, connections, and IP address information, but we will gain value from gathering more. I find that FPORT from Foundstone provides great insight into network connections and their associated processes (on XP, netstat -ano also reports the owning process ID, which makes a useful cross-check). I also like to know the state and configuration of the Windows Firewall. This information will tell us what specific port rules are configured and whether or not the firewall was enabled. The Windows Firewall configuration can be gathered by using the native Windows utility NETSH.

Starting with the base features that COFEE is said to consist of, and adding our own customizations with both Microsoft and non-Microsoft binaries, we have now developed a basic volatile data collection kit. There may be aspects of our kit that some disagree with; others may be wondering why we did not add a specific feature, why we overlooked certain pieces of information, or why we chose to use one application over another. Our kit is to be considered a “starter” kit, to be modified and improved however you see fit. With the hard work that you have already put into designing this kit, you can now go to the downloads area of http://www.digitalforensicsmagazine.com, get the basic kit that we have built, and make your desired changes. As disappointed as many were with COFEE, it does currently have a feature that the kit we just developed does not: a dynamic HTML output of the information that we have gathered. Our kit currently provides only raw output from our data collection. Digital Forensics Magazine would like to challenge you to develop a reporting engine for this kit. Send your responses to 360.

/ SUMMARY
An essential toolkit
Volatile data collection kits are being developed by various companies to assist experienced and non-experienced forensic analysts in gathering volatile information from running computers. Regardless of the developer of the kit, they are designed for one of two reasons: collecting the volatile information before shutting the machine down for a full forensic image, or collecting information to analyze in order to determine whether a full forensic investigation is warranted. Although the term “forensic” may be used in the name or description, these tools do not perform forensic analysis. The primary purpose and application of volatile data collection kits is to retrieve information to be analyzed at a later time.
These data collection kits are very versatile and there will be continual improvements in functionality. Recently, there have been numerous projects to simplify the digital forensics process, allowing less skilled and experienced examiners to collect digital evidence. I applaud this effort by Microsoft and other companies working on these initiatives. As the backlog for digital forensic labs continues to increase for law enforcement agencies, many agencies are turning to commercial digital forensic labs for assistance. If given the opportunity to go along with armed law enforcement on a dangerous search warrant to collect volatile information from any running computers, I will likely choose to give them a USB drive with data collection tools on it over getting shot at. The kit that I provide to them will likely be the one that we just developed.
I would like to give thanks to Adam Compton and Adrian Sanabria, colleagues of mine at Sword & Shield Enterprise Security Inc, for their ideas and development efforts in scripting the tools into the downloadable kit. /

REFERENCES
NIST SP 800-61, “Computer Security Incident Handling Guide”: http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
NIST hash sets: http://www.nsrl.nist.gov/Downloads-old.htm
NirSoft: http://www.nirsoft.net
MD5DEEP.EXE: http://md5deep.sourceforge.net/
FPORT: http://www.foundstone.com/us/resources/proddesc/fport.htm
Digital Forensics Rodeo Workshop: http://www.dfrws.org/2008/rodeo.shtml
MDD: http://sourceforge.net/projects/mdd/files/
Computer Online Forensic Evidence Extractor (COFEE): http://www.microsoft.com/industry/government/solutions/cofee/default.aspx

Endnotes
1. Windows Forensic Analysis DVD Toolkit, Carvey, Syngress 2009

/ Author Bio
Bill Dean is the Director of Computer Forensics for Sword & Shield Enterprise Security. He has more than 13 years of experience in the technical field, in roles such as programmer, systems support, enterprise systems design and engineering, virtualisation, digital forensics, and information security. Bill is a frequent speaker and published author on the topics of digital forensics and electronic discovery for numerous legal associations.

MODELLING FOR
OPERATIONAL FORENSICS
PART 1: DEFINITION AND MODELLING PARADIGMS

In this two part technical article, Dr Barry Hood explores a number of novel approaches to support operational forensics with formal models. Neither complements or supplements to existing forensic methods, nor replacements for them, the methods presented here are intended to enhance current approaches.
/ ADVANCED

M. J. Corby [1] defines Operational Forensics as “The application
of computer forensic techniques to the identification of
occurrences and underlying causes of observed computer-
based events”. I want to extend this definition to not just com-
puter forensic techniques, but to include other relevant forensic
techniques. This extension is justified by the aims of operational
forensics laid out below.
Whereas Computer or Digital Forensics is concerned with the
gathering of evidence for prosecution or disciplinary action, Opera-
tional Forensics is more concerned with gathering evidence for the
purpose of correction and improvement. Thus a forensic investiga-
tion of an incident with an operational intent has the following aims:

• To find root causes rather than just proximate causes


• To extend the investigation beyond the normal contexts to
any additional ones relevant to improvement
• To approach matters holistically and systematically with the
intent of providing effective (doing the right thing) and effica-
cious (doing it right) solutions for prevention in the future

As can be seen from the above, digital or computer forensics


is a part of operational forensics. In the case of traditional digital
or computer forensics the process can stop when sufficient
evidence is available for prosecution. An operational analysis can
only really stop when the root cause or causes of the incident are
found. A digital forensic analysis in going beyond legal evidential
requirements is becoming operational in character.

/ Operational Forensics Needs


In order to carry out the sort of investigation required for opera-
tional forensics the process has to cover more than just Physical
and Digital Forensics. It needs to cover all of the security areas. This
leads to the following operational forensic areas being identified:

• Physical
• Digital
• Procedural
• Personnel
• Organizational

The latter two can be usefully conjoined into a single area which, for want of a better word, I shall call Psychosocial Forensics. In addition to looking at all the relevant security arenas, an operational view requires, if it is to be truly effective and efficacious, a method that is holistic and systematic in its approach.
If all these areas are to be investigated under operational forensic analysis then there is a need for an approach that allows all these areas to be consistently and coherently investigated. Models that can represent relevant aspects of all these different areas would be useful. They would enable an operational forensic analysis to move from one area to another as required by the evidence.
In the two parts of this paper I briefly investigate the use of some models for operational forensic analysis that can be used to guide the improvement activity. What do models bring to forensic analysis and especially operational forensics? They bring the following:

• Formality – notions and representations that are well founded
• Focus – a model represents an aspect of reality, not all of it
• Reasoning – a good model enables reliable reasoning
• Sharing – a model can be easily shared for both comment and retention for future reuse
• Guidance – a relevant model can guide the direction of investigation, increasing its efficiency

I will explore briefly three modelling paradigms in relation to operational forensics:

• Contextual
• Behavioural
• Conceptual

/ Security Zones as Crime Scenes
One of the useful paradigms in relation to security analysis is that of a Security Zone, developed out of safety zones in 2004 by work at the University of York [2] and implicit in Microsoft’s Threat Modelling work [3]. A Security Zone represents any partitioning of the world, physical, logical or social, that has security relevance. Examples of physical security zones are a secured room and a PC; examples of logical zones are a user account, a database and an application. Security zones can also be temporal: that secured room could be considered as consisting of two temporal security zones, the room during working hours and the room outside working hours. People can also be considered as a security zone, in which case social engineering may be the relevant security feature of interest. Zones can be both static and mobile; an example of the latter is a data packet on a network.

It has been suggested that Digital or Computer Forensics is more comparable with a Crime Scene Investigation (CSI) than with true forensic work as carried out in the context of physical investigations [4]. What I propose is that each security zone be treated as a crime scene in just the same way as a physical situation. Each is connected to the main scene, but each has unique characteristics that affect the investigation within that zone.
The use of security zones with their associated entry points leads naturally to a set of forensic questions. Which entry points were involved in the incident, how were they used, and were any unknown entry points used? By tracing the entry points backwards through the respective security zones, the path of events that led to the incident can begin to be traced out, at least in terms of entry points and security zones used. This in turn can lead to the examination of the relevant security policies associated with each entry point and zone, looking for failures within them or in their workings.

Figure 1. Example of Security Zones and Entry Points. [Diagram: a PC zone whose entry points are the Ethernet port, VGA, HDMI, DVI, USB, CD/DVD, serial port, parallel port, PS/2, Firewire, Compact Flash and the power-on switch; nested inside it a Login Screen zone with the Ctrl+Alt+Del entry point and an Account zone with the Login entry point.]

One issue that raises itself in connection with entry and exit points is the number of such objects that may exist in any real situation. The existence of a zone with a large number of such points indicates that the particular security zone represents an aspect of the system that possesses a large attack surface. Large attack surfaces represent potentially more vulnerable system components that could draw the focus of attention of any forensic analysis and provide some form of prioritisation of effort. Figure 1 shows this problem with entry point numbers for a simple model of a PC.
This however does not resolve the complexity that could manifest itself in the case of a large number of entry and exit points. It may even be difficult to discover all the entry and exit points that exist for a particular component in many real life situations. It is not the intent that the forensic analyst should discover all of these unaided. Rather, they should all have been identified and documented as part of the design, in which case part of the analysis will consist of identifying any additional points that the attacker has used.
As I have already stated, security zones are associated with security policy, and as operational forensics is about improvement, policy is one area that may need to be improved after an incident.
Zonal models can be used to show the perspectives involved in a conceptual model. Figure 2 illustrates this point, showing where some of the concepts used above repose.

/ Petri Nets as a Forensic Tool
Petri Nets [5, 6] are used as a tool for post-incident root cause analysis. In each case they use Petri Nets in two different ways. In neither case are Coloured Petri Nets used to their full power as a mechanism for root cause analysis within a forensic investigation. To do this, the nets have to be extended beyond their basic form to extended Coloured Nets. One of the main advantages that Coloured Petri Nets with the appropriate extensions have is that of internal choice, that is, choice internal to an action or process is itself modelled. This is important as it allows for the modelling of failure, a key component of security compromises. This connects the approach to the well-used FMEA (Failure Mode and Effects Analysis) approach already in use in safety. Without this facility, this important aspect of analysis is not available. Place nodes are represented by round icons in the diagram and transition nodes

Figures 2 (a) & (b) Link between Conceptual and Zonal Models, and Figure 3 (c) Firing of a Transition. [Diagram: panels A and B show the places ‘Door locked’, ‘Door closed’, ‘Need to enter room’ and ‘Door open’ around the transition ‘Open door’, before and after firing; panel C adds the place ‘Wind’ and the transition ‘Shut’ leading back to ‘Door closed’.]
[Figures 4, 5 & 6: Storage Concept Model (PHYSICAL), Document Concept Model (LOGICAL), User Concept Model (ORGANISATIONAL). Diagram entities: Storage, Data, Document, Person, Manager, Behaviour]

are represented by rectangular icons. Arrows connecting the elements signify activation conditions or outcome conditions. The truth of a condition is indicated by the marking of a place node with a token, a tick as it were. The relevant transition is then able to fire, meaning the associated action can take place. This results in the outcomes becoming marked. This process is shown in (a) and (b) of Figure 3 below. If the condition ‘Door Locked’ had been marked this would have prevented the door from being opened, as shown by the inhibitor arc connecting this node to the action. Finally the condition ‘Need to enter the room’ drives the opening of the door; this condition is not itself changed by the action, hence the double headed arrow to show this. Figure 3 (c) shows a situation where the door can be forced closed if there is a wind, which is if the place ‘wind’ is marked with a token indicating that the fact holds.
Figure 3 shows briefly the entire notation needed in this paper. For the detailed definitions of various Petri Nets and related concepts, the author refers the reader to the work of Claude Girault and Rudiger Valk [7].

/ Conceptual Modelling
Concept modelling gives a different perspective. This could be done in a number of ways using entity relationship models from UML or conceptual graphs from AI. I have chosen to use object role modelling (ORM) from relational databases [8, 9, 10]. Figure 4, Figure 5 and Figure 6 show a set of ORM models linked through the concepts of data and document. Figure 4 is a physical perspective; Figure 5 is a logical perspective and Figure 6 an organizational perspective. Figure 4 states that there is a binary relationship between data and the storage media that holds it (a Data item held-on a Storage item) and that a storage item can consist of a number of subtypes of storage item (hard disk, RAM, removable media, etc.) as indicated by the arrows.
Figure 5 shows a number of binary relationships between Data, Document, Type and Specifications. This is a simple logical model of how data can be logically organized.
Finally Figure 6 presents an organizational perspective around a Person, their Manager, Project and expected behaviour according to Policy.

References
1. Operational Forensics – the New Frontier, M. J. Corby, Netigy Corporation, http://csrc.nist.gov/nissc/2000/proceedings/papers/317slide.pdf, 2000
2. Security Zonal Analysis, Thitima Srivatanakul, John Clark, Fiona Polack, Technical Report YCS-2004-374, University of York, 2004
3. Threat Modelling, Frank Swiderski, Window Snyder, Microsoft Press, 2004
4. Event-based Digital Forensic Investigation Framework, B.D. Carrier and E.H. Spafford, Purdue University, 2004
5. Modeling of Post-Incident Root Cause Analysis, Peter Stephenson, International Journal of Digital Evidence, Fall 2003, Volume 2, Issue 2
6. The Application of Formal Methods to Root Cause Analysis of Digital Incidents, Peter Stephenson, International Journal of Digital Evidence, Fall 2004, Volume 3, Issue 1
7. Petri Nets for Systems Engineering: A Guide to Modeling, Verification and Applications, Claude Girault, Rudiger Valk, Springer, 2003
8. ORM 2 Constraint Verbalization Part 1, T. Halpin and M. Curland, Technical Report ORM2-02, June 2006
9. Information Modeling and Relational Databases, T. Halpin and T. Morgan, 2nd Edition, Elsevier, 2008
10. A Primer on Object Role Modelling, Stanley D. Blum, Museum of Vertebrate Zoology, University of California, Berkeley, April 14, 1995

/ Author Bio
Dr Barry M. Hood, a mathematician by training, has been in IT for more than 35 years covering all aspects of the software lifecycle, including extensive involvement with development methods. Security became his exclusive activity more than 15 years ago, some 10 years after his first involvement with the subject.
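The firing rules described for Figure 3 (tokens on place nodes, a transition that fires when its conditions hold, an inhibitor arc from ‘Door locked’ and a double-headed read arc from ‘Need to enter room’), as an added worked example that is not part of the article: a small Petri net simulator in Python run on the door net, plus a helper that reports which condition blocked a transition, which is the root-cause question the text motivates. Treating ‘Wind’ as a read arc that is not consumed by ‘Shut door’ is my assumption.

```python
"""Added example: a minimal place/transition net with inhibitor and read arcs,
built to reproduce the door net of Figure 3 (not code from the article)."""
from dataclasses import dataclass, field


@dataclass
class Transition:
    name: str
    inputs: list                                   # tokens consumed when firing
    outputs: list                                  # tokens produced when firing
    reads: list = field(default_factory=list)      # double-headed arc: must be marked, not consumed
    inhibitors: list = field(default_factory=list) # inhibitor arc: must be UNmarked


class PetriNet:
    def __init__(self, places, transitions):
        self.marking = {p: 0 for p in places}
        self.transitions = {t.name: t for t in transitions}

    def mark(self, *places):
        for p in places:
            self.marking[p] += 1

    def blockers(self, tname):
        """List every unmet precondition of a transition (empty list = enabled)."""
        t = self.transitions[tname]
        out = [f"unmarked input: {p}" for p in t.inputs if self.marking[p] == 0]
        out += [f"unmarked read place: {p}" for p in t.reads if self.marking[p] == 0]
        out += [f"inhibitor marked: {p}" for p in t.inhibitors if self.marking[p] > 0]
        return out

    def fire(self, tname):
        """Fire the transition if enabled; read places keep their token."""
        if self.blockers(tname):
            return False
        t = self.transitions[tname]
        for p in t.inputs:
            self.marking[p] -= 1
        for p in t.outputs:
            self.marking[p] += 1
        return True

    def marked(self):
        return sorted(p for p, n in self.marking.items() if n > 0)


def door_net():
    """Places and transitions of Figure 3 (a)-(c)."""
    return PetriNet(
        places=["Door closed", "Door open", "Door locked", "Need to enter room", "Wind"],
        transitions=[
            Transition("Open door", inputs=["Door closed"], outputs=["Door open"],
                       reads=["Need to enter room"], inhibitors=["Door locked"]),
            # assumption: 'Wind' is a persisting fact (read arc), not a consumed token
            Transition("Shut door", inputs=["Door open"], outputs=["Door closed"],
                       reads=["Wind"]),
        ])


def scenario_a():
    """Figure 3 (a)/(b): door closed, need to enter, not locked -> door opens."""
    net = door_net()
    net.mark("Door closed", "Need to enter room")
    return net.fire("Open door"), net.marked()


def scenario_locked():
    """Inhibitor arc: with 'Door locked' marked the transition cannot fire."""
    net = door_net()
    net.mark("Door closed", "Need to enter room", "Door locked")
    return net.fire("Open door"), net.marked()


def explain_locked():
    """Root-cause view of the locked scenario: which condition prevented firing."""
    net = door_net()
    net.mark("Door closed", "Need to enter room", "Door locked")
    return net.blockers("Open door")


def scenario_c():
    """Figure 3 (c): an open door is forced shut when 'Wind' holds."""
    net = door_net()
    net.mark("Door open", "Wind")
    return net.fire("Shut door"), net.marked()


if __name__ == "__main__":
    print(scenario_a())        # (True, ['Door open', 'Need to enter room'])
    print(scenario_locked())   # (False, ['Door closed', 'Door locked', 'Need to enter room'])
    print(explain_locked())    # ['inhibitor marked: Door locked']
    print(scenario_c())        # (True, ['Door closed', 'Wind'])
```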

/ PROACTIVE COMPUTER FORENSICS

Planning for trouble in daily operations
Scott Zimmerman introduces a series of articles that explore the benefits of pre-emptive
planning and preparation in coping with unexpected incidents.
/ ENTRY

When an organization invests a significant amount of resources – personnel, hardware, intellectual property – in its electronic infrastructure, and relies heavily on this infrastructure on a daily basis, then its senior management has a responsibility to protect these assets in a reasonable fashion, and to minimize risk to operations. These protective measures should include policies and standards that are carefully translated into the deployment of hardware and software.
While this responsibility is generally seen as a duty to shareholders or to other financially interested parties, the obligation also includes the staff of the organization: staff members must be properly equipped and trained to perform their respective tasks, so the mission as a whole may continue. These tasks may be addressed in the mission statement or in a policy document tucked away in the employee handbook, but quite often the policy is not translated into explicit instructions or into the application of technology.
An incident response policy that reads simply “Find out how the intruder gained access; repair the damage; and resume operations” is not at all helpful. In fact, such a policy is worse than useless, for it very likely will instill a false sense of readiness in the organization. Staff personnel may read the policy, assume that the topic of incident response preparation has been adequately covered, and then carry on without revisiting the policy until the unthinkable happens.
The result is a disconnect between planning and implementation, with very little clear guidance available to the personnel in the trenches who must comply with these policies. Individuals on the IT staff who put hands to keyboards should be thoroughly trained in all aspects of their duties. Unfortunately, rarely visited topics such as forensics and incident response can be overshadowed by day-to-day tasking, and training can fall by the wayside.
To address this, Digital Forensics is launching a new series of articles, designed to provide technical personnel – from the CSO to the System Administrator – with the practical knowledge and methodologies needed to address computer forensics issues on an ongoing basis while supporting mission-critical systems.
The articles will discuss the legal issues involved in prosecuting intruders, in preserving evidence, and in maintaining the chain of custody for collected evidence. The system procedures described in later articles are comparatively man-hour-intensive and may seem like overkill. However, describing the legal requirements first lays the ground rules and shows why information must be gathered and handled in a particular manner. There will also be articles devoted to justifying the expense of these procedures to middle and upper management.

/ What the Series of Articles Will Not Do for You
These articles are not a treatise on how to secure any particular application or platform. The optimal security posture of a given system - operating system and application versions, patch levels, configurations, et cetera - is and shall remain a moving target. Numerous resources are available to provide extensive and timely information to administrators to keep them up to date on recent developments. The procedures in these articles are conceptual and thus platform-independent. Where examples are given, the reader is reminded that the demonstration is not meant to be exclusive, and that the necessary steps can be adapted to the reader’s environment.
Reading these articles will not transform the reader into an experienced computer crime investigator. However, it will show system administrators what they should do in order to make post-intrusion recovery as painless as possible for themselves and for any Law Enforcement (LE) personnel who may be investigating the incident.
Equally, these articles are not meant to be definitive legal advice; the author is not a lawyer. Statutes and regulations are open to interpretation in court, and readers are reminded that organizations that wish to pursue legal action should consult with in-house counsel or otherwise retain the services of a qualified legal professional. Beyond this, specific regulations differ between countries.
Neither will these articles show an administrator how to interpret information found in log files or elsewhere. Each exploit and class of exploit carries its own characteristics. Describing all currently available attack signatures is nigh

impossible in a magazine article; far too many exploits are available, and the list is constantly growing and changing. (Information on specific vulnerabilities can be found at sites like https://www.us-cert.gov and http://cve.mitre.org/ .) However, the goal of the series is nevertheless to teach system administrators how to preserve all relevant information in a reliable manner. Once the information is captured and stored successfully, the analyst can then search the data for the attack signature du jour.

/ Drawbacks of Traditional Investigatory Procedures
From the first extensive use of computer networks through the early 1990s, disaster recovery and incident response procedures were fairly limited. If an intrusion was suspected, the standard response was to wipe the system drives, re-install the operating system from original vendor-supplied media, and restore user and application data from the most recent backup tape. While this approach can get the compromised system back online in a known state, it is sub-optimal in a number of important areas.

/ The vulnerability that allowed the intruder to gain access is still present
A simple reinstallation of the operating system – without changes to the configuration – will solve only the most immediate problem of getting the system back online. Without patches or other modifications, it is still vulnerable and will likely be compromised again in the future.

/ No one learns anything.
How exactly did the intruder gain access? Did a user account have an easily guessed password? Was there a buffer overflow exploit in the mail server application? What must be done to close the security hole? Without reliable logging and auditing information, these questions will be difficult to answer with any certainty.

/ Data can be lost.
Any changes made to the system or to user data since the last backup was taken may be lost. If the system in question is a static web server, the loss may not be too vexing. If the system contains a mission-critical internal database, however, the consequences may be slightly more dire, particularly if the most recent backup was taken a week prior to the incident.

/ Get Proactive!
Currently the most commonly referenced aspect of computer forensics involves magnetic remanence: recovering deleted files or otherwise gaining information from a hard drive that has been removed from a suspect’s (or victim’s) computer. While this is a crucial part of any investigation, a recovered hard drive may not contain enough information to recreate a situation with sufficient accuracy.
This is because the hard drive can represent only a single point on the timeline of the event: the information thereon shows the state of the drive at the time it was recovered and imaged. Some events leading up to the recovery may be lost, particularly if the intruder attempted to cover his tracks, and any events that happened after the seizure will of course not be recorded to the drive.
By gathering relevant system information and storing it according to evidentiary requirements, personnel investigating an incident may be able to reconstruct events with greater levels of accuracy and detail and with a much clearer representation of the timeline leading up to the security incident in question.
From the time a machine is powered on, parts of the boot process and other actions are logged to local storage, such as a hard drive. If the logs and other data are not archived offline in a timely fashion, they may be overwritten as new log entries are generated. This process, called log rotation, conserves disk space by overwriting the oldest log entries with new ones according to a configured schedule; the administrator may rotate logs according to a time-related milestone – every day, once a week, and so on – or he may do so when the logs reach a certain size. Log files must be rotated in some fashion because they would grow to fill their partitions if left unattended. (Log files should never be left unattended, but this is not a perfect world.)
How can we gather useful information consistently and thoroughly? Functionally the answer will depend on the platform in question, but conceptually the answer is straightforward:

• Identify the types of actions that could be detrimental to the system: reconnaissance activity, brute force password-guessing attempts, exploitation of vulnerabilities such as buffer overflows and cross-site scripting, and so on.
• Identify information gathering methods available on the host.
• Decide which methods are most useful, i.e. generate higher levels of desirable information based on the priorities of the organization.
• Configure these facilities to gather detailed and relevant information and store it in a secure fashion; this may require additional hardware or software.
• Ensure that stored information is archived appropriately given the sensitivity of the data and the media on which they are stored. Evidentiary requirements will also affect the storage method.

Later articles will address these concepts in detail, but this framework should give the reader a rough overview of the continuous forensic process as implemented on a single machine.

/ What’s Next?
In the first article in the series, we will discuss some principal aspects of computer crime law. We will primarily examine relevant US/UK Law, but readers please note that though specific statutes will vary from country to country, the underlying concepts are universal. Laws and other statutes are often written in peculiar language and might be charitably described as ‘less than universally accessible’. We will bridge the gap between legalese and technical jargon and make sense of the legal requirements that must be met in order to acquire and preserve evidence that will be admissible – and effective – in court.
The second article will examine requirements for handling, storing, and presenting evidence. Subsequent articles will provide extensive technical guidance to assist IT personnel while operating within the Proactive Computer Forensics framework. /

/ tech FEATURE

RELAX,
IT’S IN THE BAG
Mobile phone Faraday Bag testing in a reverberation chamber

Alistair Duffy summarises the initial results from De Montfort University’s evaluation process

/ ADVANCED

In the previous issue of the DFM newsletter, I wrote a small piece to introduce the fact that some tests are being undertaken at De Montfort University on Faraday Bags. This has clearly generated some interest from the Industry as a more general problem, looking for a solution. This article presents some of the preliminary results on Faraday Bag testing, including a short introduction to the mode stirred reverberation chamber.
The ‘Faraday bag’ is intended to shield a mobile phone or similar small device to prevent unwanted applications being invoked remotely, such as wiping the memory, or to prevent possible problems with veracity of evidence. It is, therefore, of interest to the police and security forces. The key to the quality of the bag is the quality of the shielding. Good shielding reduces the signal strength to a point where the phone and the base station cannot detect that they are each there.
In order to determine how good the bags are at this, it is important to test the bag as a complete unit and not just the material itself. This article addresses testing the bags in a mode-stirred reverberation chamber and we are indebted to Disklabs (http://www.faradaybag.com/) for providing a Faraday Bag for us to test and publish the results of those tests. The bag, as tested, has a window in it. Clearly, Faraday bags without this transparent window would measure as more effective, but be less functional in an investigation. The window is vital in the case of mobile phone forensics, as it allows the investigating officer to photograph the time and date of the phone – when a phone is turned off, data is lost, including vital time and date stamps, which means the phone report will be less accurate. It allows an officer at the scene of the crime to interrogate without the phone sending or receiving any further information, or changing the data on the phone.

/ Mode Stirred Reverberation Chamber
Electromagnetic Compatibility (EMC) measurements often require the measurement of emissions from a device / system or the illumination of that device / system from an external source. In many ways, an ideal facility is somewhere in deep-space away from anything liable to interfere with those measurements. The impracticality of this has led to a number of recognised facilities being developed. These include:

Figure 2. The inside of the reverberation chamber showing the mechanical stirrer, the transmitting antenna and a reference monopole (in the foreground)

The Open Area Test Site (OATS), which consists of a very flat conducting plane over which tests are performed; nothing that can influence the results is allowed within the area of the ground-plane. The price that gets paid (compared with the fictitious deep-space facility) is the existence of the ground-plane and the resulting reflections which cause constructive and destructive interference with the direct path signal.
The anechoic (or semi-anechoic) chamber, which consists of an electromagnetically isolated volume where radiation-absorbing material (RAM) has been placed on the surfaces or some of the surfaces. This is a step towards the deep-space ideal but is expensive.
Mode-stirred reverberation chambers isolate the internal, test, environment from the polluted external environment by enclosing it in a metal shield. Effectively, it is a Faraday cage. A major problem with a shielded room such as this, without a stirrer or RAM, is that the field strength can vary by 40dB within a distance of a few centimetres due to standing wave phenomena. However, this high field strength can be capitalised on by inclusion of a metallic ‘stirrer’ that changes the boundary conditions so those hot-spots move around – i.e. stirred – and bathe the object under test in a varying field.
There are advantages and disadvantages with all these facilities (and those that have not been described here). However,

the reverberation chamber does have a number of features that make it attractive for shielding testing such as the tests being carried out on the Faraday Bags. Firstly, the movement of the fields due to the stirrer makes the fields statistically uniform. So, assuming adequate stirring, the mean field strength over one revolution of the stirrer is the same anywhere in the working volume and, if we assume that the field at a point has components in the three orthogonal Cartesian directions (i.e. x, y and z), each of those components is the same value and 1/3 of the value of the overall field. In simple terms, it does not matter where the test object is put or in what orientation it is placed, it will still experience the same fields. Secondly, the effect of this moving standing wave is to present relatively high field strengths at the receiver for modest input powers, which means that if the highest value of received signal is measured for all stirrer positions, a much lower input power is needed than if an OATS was to be used. Thirdly, the test object will see a maximum field strength at all locations over its surface sometime during the full revolution of the stirrer.
Hence, the device under test – in this case the bag with an enclosed receiving antenna – is placed in the chamber and illuminated by an antenna with a mechanical ‘paddle wheel’ stirrer rotating to move the electromagnetic hotspots round in the room, to ensure that the device under test is illuminated by a worst case field strength from all directions and all angles of incidence over one rotation of the stirrer.

Figure 1. An indication of the dimensions of the DMU reverberation chamber

/ Effective measurement
In terms of measuring shielding effectiveness, the reverberation chamber has an advantage over other possible methods. The traditional method is to place the material being tested between two antennas and take the difference in received signal with, and without, the material in place. There are many variants of this approach, including the use of different antenna types and waveguides. Unfortunately, this generally measures the bulk shielding effectiveness of the material and not the finished product. Of course, the finished product can have inherent weaknesses due to its manufacture or design which a bulk measurement will not be able to test (unless the designer creates specific tests to explore these design or manufacturing issues). However, considering the points made previously about the reverberation chamber, an object placed in a reverberation chamber can have its total shielding effectiveness tested because all locations over the surface of the product will see a high field strength, thus avoiding the case where an unexpected weak-spot was not identified until the product failed in actual use. Similarly, the power required to test to an adequate level of discrimination is relatively low.

Good shielding reduces the signal strength to a point where the phone and the base station cannot detect that they are each there

Figure 1 gives some dimensions of the chamber at De Montfort University (the input and output points give an indication of where the illumination and the test object are placed), while Figure 2 shows the reverberation chamber being set up for use, in this case for a reference measurement using a monopole antenna. Thus using the reverberation chamber to test complete Faraday Bags has some potential advantages. The next section describes the tests.

[Figure 3. Test phone construction. Labelled parts: mobile phone cover; monopole antenna tuned to 1800 MHz; Cu ground-plane; cable to network analyser; ferrite clamps]

/ tech FEATURE

/ Setting up the test
The tests undertaken on the bags are, initially, to determine how much electromagnetic shielding the Faraday Bag provides the mobile phone. In order to set up the tests, a receiving antenna was placed in a mobile phone body – actually this was a clear protective cover – which will ensure that the bag material will be kept at the same distance from the antenna as it would be in practical use. The antenna was a simple monopole tuned for resonance at approximately 1800 MHz rather than a multiband PIFA or similar antenna. This was chosen as a simple way to undertake tests at a required frequency. The measurements are made by comparing the insertion loss, with and without the bag between transmit and phone antennas, using a network analyser. One of the difficulties with the test is that the antenna in the Faraday Bag needs a cable running through the bag itself. While this is not the recommended use of the Bag, the potential deleterious effects of doing this were ameliorated, as much as possible, by folding over the top of the bag as much as possible, ensuring that the seal around the cable is as tight as possible and using ferrite clamps on the cable itself, close to the bag entry, to attenuate any interference due to currents on the shield. Figure 3 illustrates the test-phone construction.

Figure 4. Faraday Bag shielding effectiveness at 1800 MHz +/- 300MHz

/ Results
Testing was undertaken over a range of frequencies (1500 MHz – 2100 MHz). Over a complete revolution of the stirrer, the maximum value of coupling at all frequencies was determined for the case of the bag not being in place and with it being in place. Then, the differences between the two sets of results were taken to give a measure of the shielding effectiveness of the bag as a whole. Figure 4 presents the shielding effectiveness results for the Faraday Bag. The results were obtained using 200 stirrer steps per revolution and 401 points across the frequency range.

Despite the initial shortcoming of the cable egress from the bag itself, the results suggest that the bag tested performs well around 1800 MHz

The best way to interpret the results is to look for the minimum shielding effectiveness in the region of interest. Around 1800 MHz, this is 30dB. The excursions below this are relatively minor and the accuracy can be improved by increasing the data-point density, i.e. the number of points used in the measurement. These figures agree well with tests published on the manufacturer’s website http://www.faradaybag.com/faraday_bag_testing.html which state that the attenuation at 1800 MHz and 2100 MHz is 30 dB (these were single frequency measurements).

Figure 5. Comparison of shielding provided by a Faraday Bag and a foil food container.

/ Conclusions
This article has provided a fairly gentle introduction to the application of reverberation chambers to testing Faraday Bags and has presented some preliminary results from one bag. Despite the initial shortcoming of the cable egress from the bag itself, the results suggest that the bag tested performs well around 1800 MHz and this method of cable entry is possibly not a serious effect. (Cable shields are available and will be tested in future measuring sessions).
One question that is reasonable to ask is whether there is any real benefit in buying a Faraday Bag when foil trays (the sort used for home baking or take-away meals) are nearly two orders of magnitude cheaper. In order to provide some evidence to answer this question, the same test was performed using a foil tray with a foilised lid (with the lid being placed foil-side outwards to improve the contact). The comparative results are given in Figure 5. It can be clearly seen that there is a difference of around 10 dB at 1800MHz, with the Faraday Bag being better. The foil container shielding may be improved by using some foil for the lid rather than the foilised cardboard lid! Of course, it is up to the user to decide if a shielding effectiveness of 15 – 20 dB for a few pennies is cost effective when 30dB can be provided for a few tens of pounds.
Further work is underway to look towards improving the test methodology and ensuring the accuracy of the results, as well as testing over both narrower and broader frequency ranges. /

Alistair Duffy is Reader in Electromagnetics at the Department of Engineering, De Montfort University, Leicester
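The reduction described in the Results section (maximum coupling over a stirrer revolution with and without the bag, difference in dB, then the minimum in the band of interest), as an added worked example that is not the article’s own analysis code: the sweep data are fabricated with the article’s 200 stirrer steps and 401 frequency points, and the attenuation profile, the fading model and the band limits are my assumptions.

```python
"""Added example: shielding effectiveness from reverberation chamber sweeps
(constructed data; not the article's measurement or analysis code)."""
import math


def max_over_stirrer(sweep):
    """sweep: {freq_MHz: [coupling_dB per stirrer step]} -> {freq_MHz: max coupling}."""
    return {f: max(vals) for f, vals in sweep.items()}


def shielding_effectiveness(reference, with_bag):
    """SE(f) in dB = max coupling without bag - max coupling with bag."""
    ref, bag = max_over_stirrer(reference), max_over_stirrer(with_bag)
    return {f: ref[f] - bag[f] for f in ref if f in bag}


def minimum_se(se, centre_mhz, half_width_mhz):
    """Worst-case (minimum) SE within centre +/- half_width; returns (freq, SE)."""
    band = {f: v for f, v in se.items() if abs(f - centre_mhz) <= half_width_mhz}
    f_min = min(band, key=band.get)
    return f_min, band[f_min]


def db_to_power_ratio(db):
    """30 dB of shielding means the received power is reduced 1000-fold."""
    return 10 ** (db / 10)


def worked_point():
    """Hand-checkable single-frequency case with three stirrer steps each:
    max without bag is -15 dB, max with bag is -45 dB, so SE = 30 dB."""
    ref = {1800.0: [-20.0, -15.0, -18.0]}
    bag = {1800.0: [-50.0, -45.0, -47.0]}
    return shielding_effectiveness(ref, bag)[1800.0]


def constructed_sweeps(steps=200, points=401):
    """Fabricated sweeps: 200 stirrer steps per revolution, 401 points over
    1500-2100 MHz (assumed model). Reference coupling is -20 dB with +/-6 dB
    stirrer fading; the 'bag' attenuates ~32 dB at 1800 MHz falling to ~20 dB
    at the band edges, plus a 1 dB step-dependent ripple so that the two maxima
    do not cancel exactly (this produces the small excursions the text mentions)."""
    ref, bag = {}, {}
    for i in range(points):
        f = 1500.0 + i * 600.0 / (points - 1)
        atten = 32.0 - 12.0 * ((f - 1800.0) / 300.0) ** 2
        fade = [6.0 * math.sin(2 * math.pi * s / steps + f / 50.0) for s in range(steps)]
        ripple = [math.cos(14 * math.pi * s / steps) for s in range(steps)]
        ref[f] = [-20.0 + x for x in fade]
        bag[f] = [-20.0 - atten + x + r for x, r in zip(fade, ripple)]
    return ref, bag


def analyse_constructed():
    """Minimum SE in the 1700-1900 MHz region of the constructed data and the
    equivalent power reduction factor."""
    ref, bag = constructed_sweeps()
    se = shielding_effectiveness(ref, bag)
    f_min, se_min = minimum_se(se, 1800.0, 100.0)
    return f_min, se_min, db_to_power_ratio(se_min)


if __name__ == "__main__":
    print(worked_point())        # 30.0
    print(analyse_constructed())
```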

/ JOBS

UNIVERSITY
VACANCIES
Digital Forensic Vacancies at International Universities

I received two notifications of vacancies for Digital Forensics Professionals from Universities in the United Arab Emirates and the United States of America. After consideration we thought a great way that DFM can show support for the Digital Forensics community at large was to carry these adverts in the Magazine. We would also encourage other Universities with vacancies for Digital Forensics to send their notices to acquisitions@digitalforensicsmagazine.com for inclusion in future issues.
As a magazine serving a specialist and growing sector we had always planned to carry open opportunities and this is just an extension of our original plans. We are looking to provide a “Professional Opportunities” section in future issues where Industry and Agencies can advertise. This will also be a dual role where professionals can post themselves. This facility will also be provided via the DFM website at www.digitalforensicmagazine.com where the site will be refreshed as new Professional Opportunities and Individuals start their search.
We do recognise that the Magazine being quarterly will require the latest opportunities to be in the Magazine and we will be working with our advertisers to ensure that all vacancies are real and timely. We would also like to receive feedback from all who are successful in finding that new opportunity to measure the benefit that the service is providing.

Vacancy 1 – Khalifa University

Khalifa University of Science, Technology and Research (KUSTAR) is an independent, non-profit coeducational institution, dedicated to the advancement of learning through teaching and research and to the discovery and application of knowledge. It pursues international recognition as a world-class research university, with a strong tradition of inter-disciplinary teaching and research and of partnering with leading universities around the world.

As the educational and technical arm of the Abu Dhabi 2030 plan, the Khalifa University contributes to the development of Abu Dhabi’s growing knowledge economy and diversified industry profile. The University is wholly owned and financed by the Emirate of Abu Dhabi.
This is a young University; the University opened its new interim campus in Abu Dhabi in October 2008 to add to the campus in Sharjah (formerly Etisalat University College). The Sharjah campus has a very proud 18-year history and has been chosen to be the centre of excellence in the region for Information Security and a number of other research areas. The Sharjah Campus has recently started an M.Sc. program in Information Security and Computer Crime. There are currently a number of vacancies for both full time staff and sabbaticals, located on the Sharjah Campus. Full time positions are available in:

• Digital Forensics
• Software Security
• Wireless and Mobility

All candidates must hold a relevant Ph.D and appointments are normally at the Assistant/Associate Professor level, depending on experience.
A six-month sabbatical may also be considered for suitably qualified applicants. This position would focus on the establishment of a new forensics lab and the development of tutorials and exercises for the forensics M.Sc. course.
For more information about the Khalifa University, please visit our website www.kustar.ac.ae. Interested applicants should forward their CV to careers@kustar.ac.ae.

Vacancy 2 – Defiance University

Defiance College seeks an enthusiastic, challenge-hungry, full-time faculty member to develop, refine, and teach courses in the rapidly growing undergraduate Digital Forensic Science (DFS) major. Duties include:

• Instructing courses on computer fundamentals; computer and small-scale digital device forensics; information security; network forensics; network intrusion detection; and legal, ethical, and professional issues
• Providing training to local law enforcement agencies
• Developing select on-line/hybrid delivery courses
• Participating in development of a DFS graduate program

The candidate must have a graduate degree, a strong affinity for student mentorship and community service, and be able to guide students through successful engagement learning opportunities in a robust hands-on curriculum. The ideal candidate would have an earned doctorate in computer, digital or cyber forensics; computer security; or a related field. Significant digital forensics work experience, teaching experience, and industry certifications (e.g., CFCE, CCE, EnCE, ACE, GCFA, DFCP, CEH, SSCP, CISSP) will improve the candidate’s competitiveness.
This full-time faculty position will commence Fall 2010. Appointment is anticipated at the Assistant/Associate Professor level, the rank being determined based on qualifications of the successful candidate. Further details and application procedures can be found at www.defiance.edu/pages/employment.html.
The Defiance College vision creates an educational experience of engagement in civic, cultural, and learning dimensions. Located in the city of Defiance in northwest Ohio, Defiance College is an independent, coeducational, liberal arts-based institution. www.defiance.edu.

63
DF1_OFC_Cover - Online.indd 1 29/10/09 4:58:43 pm
/ TECH FEATURE

THE TRIALS AND TRIBULATIONS OF A MOBILE PHONE PRACTITIONER
Peter Jones explores the prospects for a discipline in a constant state of revolution, and makes a plea for action.
/ ENTRY

Mobile phones and other wireless devices are a ubiquitous sight in any workplace or social setting, with the UK now boasting more mobile phones than users. This increase has had a knock-on effect in the digital forensics world, where computer examiners have had to try their hands at mobile phone forensics in order to keep up with shifting demands.
For a long time, digital forensics has mainly focused on the computer side of the forensics industry, with mobile phones being of secondary concern. This has been due to the mobile phone’s comparative lack of abilities, a situation that has been changing very fast as modern-day handsets, from the iPhone to Windows Mobile devices, increasingly incorporate the operating system and application complexities previously restricted to fully-fledged laptop or desktop computers.
To a large extent, forensic disciplines have been slow to catch up with these developments, and anyone entering the mobile arena in forensics today would find the array of knowledge and solutions available in mobile phone forensics to be far smaller than the computing equivalent.
Nevertheless, an awareness of how the digital forensic market is changing has been shown by a number of forensic firms, both law enforcement and non-law enforcement, by creating dedicated mobile phone forensic teams to offer a better understanding of what each mobile phone offers, in order to supply evidence that is suitable and accurate to the needs of the client.
In the UK, those working to develop the space have frequently worked in isolation, with a tendency towards law-enforcement-only conferences and events, and law-enforcement-specific solutions; regardless, there are firms who often work for law enforcement who would benefit from the same solutions.
Indeed, a regular issue that arises in the digital forensics market is the difference between what is available to law enforcement and non-law enforcement companies with regard to available training, forensic solutions and knowledge bases. Often, advanced courses are not available in the UK to organizations that are non-law enforcement, even to those companies who solely work with law enforcement. Courses by SANS and MFI are available if European practitioners are willing to travel across the pond, but they do not come over unless they have enough interest, so I encourage everyone to pester them to do so.
In the UK, we do have our own pool of talent, but it’s a small pool, especially in the non-law enforcement area. A solution might well be to develop a new breed of examiners in conjunction with the Mobile Telephone Examination Board conference, with both law enforcement and non-law enforcement in mind.
This problem also applies with regard to some of the tools that are available on the market for extractions, which became apparent to me when trying to get a solution for the Apple iPhone. The more advanced software solutions that I found were only available to law enforcement, regardless of the fact that I was working on a handset for a police constabulary. Off-the-shelf solutions from MicroSystemation, CelleBrite and Oxygen are available to all types of firms, and these companies are recognizing the rapid
change in the mobile phone forensic industry, but there is still a variety of standards with regard to physical memory extractions and analysis in comparison to computing equivalents, for example EnCase and FTK Imager. Personally, I encourage users to speak up and help the manufacturers to produce better tools to help us all.
Conferences are a great source of knowledge, with the added benefit of providing the opportunity to network with fellow practitioners. Once again we hit another hurdle: the lack of mobile phone forensic conferences in the UK, and no conferences near our shores like the Mobile Phone World Conference in Chicago. This has begun to change, thanks to the first MTEB Conference recently held in Dorking, Surrey, where law enforcement and non-law enforcement practitioners were able to share ideas. Something I would like to see is the mobile phone manufacturers starting to recognize the forensic market; yes, we do not increase their sales, but they should feel some obligation to work with law enforcement, and a better dialogue would help increase the understanding and support of the handsets we are examining.
The second conference is already in the pipeline for spring 2010, with further plans for MTEB conferences around the country. Other knowledge bases like forums and blogs are still in their infancy, but I hope we can encourage a sharing of knowledge within the community, instead of always trying to keep information secret behind closed doors.
At the conference, the idea was discussed of promoting the MTEB as a cross-practitioner forum to act as support and a professional body to increase standards in mobile phone forensics, as well as to work with law enforcement, non-law enforcement and the makers of both handsets and forensic tools. The worthy goal is for the MTEB to act as a central point for knowledge and help within the UK for all practitioners. The mobile market is changing and we need to embrace it or get left behind. /

/ Author Bio
Peter Jones is a Masters graduate in “Internet and Enterprise Systems” with 10 years’ experience in telecommunications, gained from working in a variety of roles for Orange and as a Systems Developer for the telecommunications firm Eurotel. He now leads the mobile phone team at Zentek Forensics Limited, where he has conducted thousands of examinations on behalf of law enforcement and is primarily responsible for research and development in data extraction from smart phones.

MOBILE MISCELLANY
Liz Conway reports on the first UK MTEB Mobile Phone Forensics Conference

Digital Forensics specialists – be they members of law enforcement, independent practitioners, or academics – spend a great deal of time working in isolation from each other, focused on whatever task is at hand. So the inaugural UK MTEB Mobile Phone Forensic conference, held in November 2009, provided a highly welcome launch pad for skilled practitioners to bond together and share their knowledge and experience.
Mobile phone forensic analysts had the opportunity to join in a collaborative event to share their collective wisdom in the congenial setting of Denbie’s Wine Estate, Conference Centre, Surrey, London, UK. This opportunity of bringing specialists together allowed much transfer of knowledge, principally through a ‘lessons learned’ approach, and there seems little doubt this will become a regular and invaluable event for our small but growing community.
It was all about the sharing of knowledge, embracing the challenges we are faced with, and our ability as specialists to interpret these difficulties and come up with creative and innovative solutions. The UK MTEB mobile forensic community is original in its approach, and its mantra is self-driven and vendor neutral. So the event was about building up that community and fostering a mindset that encourages everyone to help each other. This ethic of active participation allowed the conference to focus on achieving the highest standards of excellence.
The contributions were mainly centred on sharing of experience, of mistakes as well as successes. The atmosphere encouraged and applauded informed risk-taking, while for many, the networking opportunities proved invaluable.
Key among the challenges encountered at this conference were those of training and skills development, identifying important skill-sets and discussing how to make sure that mechanisms were in place to meet the challenge of bringing on new people. This emphasis on learning and development ran throughout the conference. Many ideas were generated and there is a hopeful anticipation that the UK can harness this momentum and channel it into tangible outcomes.
The areas that were explored gave shape to how we interpret seizure procedures, and explored investigative techniques and approaches to analysis of data. Subject matter experts on such topics as hex dumping, U/SIM card examination and dangerous weapons gave invaluable insight, which spurred active discussions, cementing new relationships and providing a hugely valuable platform for knowledge exchange.
The pathfinder approach adopted by the UK MTEB allowed individuals to selectively pick and choose what courses and presentations they wanted to attend. The aim was to help them navigate through the murky waters of forensic data and analysis and make informed choices. The maze of technical, legal and educational challenges that face mobile phone forensic analysts was actively embraced. This pathfinder approach helped individuals to find and cherry-pick what resonated best with them.
The event saw a dawning realisation among practitioners that there is a lot of talent in the UK, and there was much discussion of how the opportunity should be grasped to cultivate this talent and build an even stronger, more vibrant practitioner community. For example, among the topics was the challenge associated with the impending mandatory certification ISO 17025, where the consensus was that compliance could demonstrate competency, and allow a mobile phone forensic department to showcase its standards and methodologies.
The UK has a pool of talent that needs to be nurtured and developed. The collaborative approach, which underpinned this conference, has the potential to foster and develop collective wisdom and build a strong community. The drive and commitment shown in this event augurs well for the potential of UK law enforcement, independent practitioners and academics to become world leaders in GSM and mobile phone forensics. /

Digital Forensics Magazine is now collaborating with Greg Smith, of Trew & Co, organiser of the UK MTEB Mobile Forensic Conference, who has a wealth of experience in handling mobile telephone evidence in criminal and civil proceedings, going back more than 20 years. A follow-up event is being organised for April 20th to 22nd, entitled GSM/3G UK MTEB Mobile Forensics Conference 2010. For further details, contact Greg Smith, telephone 07817 845105, or go to www.forensicfocus.com/mobile-forensics-forum

/ Author Bio
Liz Conway MBA, MSc, EnCE, TDip IT, MCSE has over 12 years’ experience in computer security. She has worked for many of the US multi-nationals and is based in Dublin, Ireland. Liz is currently working on her dissertation in computer forensics with the University of Bedfordshire.
BLADE
FORENSIC DATA RECOVERY

BLADE is a Windows-based, advanced professional forensic data recovery solution designed by Digital Detective Group. It supports professional module plug-ins which give it advanced data recovery and analysis capabilities. The power and flexibility of the tool can be expanded as new modules become available.
BLADE supports all of the major forensic image formats and is more than just a data recovery tool. The professional modules have in-built data validation and interpretation routines to assist with accurate data recovery.
The software has been designed for fast, accurate forensic data recovery. Not only is it highly effective in the pre-analysis stage of a forensic examination, it can be quickly configured to recover bespoke data formats.
With the addition of professional modules, BLADE can recover data which is not extracted by other forensic tools.

PROFESSIONAL RECOVERY MODULES
Live and Deleted Outlook Express (v5-6) Email Messages (including attachments)
Live and Deleted AOL (Personal Filing Cabinet) Email Messages (including attachments)
Live and Deleted Windows Link Files

KEY FEATURES
Regular Expression High Speed Advanced Carving
Supports Headers, Data Landmarks & Footers
User Created/Customisable Data Recovery Profiles
Professional Modules for Advanced/Specialised Data Recovery
Variable Input Block Size, Sector Boundary Options
Multithreaded for fast searching and recovery
Forensic Audit Logging

SUPPORTS
Single/Segmented Unix/Linux DD/Raw Image Files
EnCase® (v1-6) Compressed/Uncompressed Image Files
SMART/Expert Witness Compressed/Uncompressed Image Files
AccessData® FTK Image Files
Physical/Logical disk access

WWW.BLADEFORENSICS.COM
Digital Detective Group, PO Box 698, Folkestone, Kent, CT20 9FW.
Telephone: 0845 224 8892
/ TECH FEATURE

PROVIDING THE PROOF
At some point in the future, any computer user – from private individual to company – may need to prove the integrity of an electronic file. Robert Aynsworth examines the emergence of data-centric information integrity.
/ ENTRY

We all know about the explosion in digital information. An IDC White Paper from 2007 [1] estimated that 161 billion Gigabytes of information were created in 2006, and this figure was expected to increase six-fold between 2006 and 2010. The same source estimated that 20% of that data was subject to some form of compliance requirement. Legislation is an increasingly important consideration, Sarbanes-Oxley being the most prominent example. The body of case law demonstrating the real costs and impact of failing to demonstrably protect the integrity of electronic data is also growing [2]. Organizations must comply with relevant legislation and compliance requirements by – inter alia – demonstrating the integrity of their IT systems and electronic records. Irrespective of issues of legal admissibility or evidential weight, organizations must ensure that the electronic storage of information complies with best practice, for example BIP0008 in the UK.
There is also a technological move towards network de-perimeterization [3]. The traditional ‘firewalled’ approach to securing network boundaries is increasingly regarded as limited. Constructing higher and higher firewalls leads to more innovative solutions to bypass the perimeters. System-centric solutions are also susceptible to internal fraud or malfeasance. While traditional security solutions like network boundary technology will continue to have their roles, there is a need to respond to their limitations and protect information wherever it goes in the extended enterprise, including home workers, global supply chain partners and others.
Legislative electronic record storage requirements, the demand for greater IT system interoperability, de-perimeterization and the need to prove the evidential weight of electronic records are all driving the move towards data-centric information integrity.

/ Data-centric Information Integrity
Data-centric information integrity ensures that individual files are independently secure in any location. Data-centric information integrity enables anyone to prove:

• The electronic record’s author
• The integrity of the content
• The time when the record was created or issued
• The record’s approval history

Not only must they prove these things, but they must prove them quickly and easily. By applying this form of protection, organizations are able to protect their data wherever it goes within or beyond their IT systems and to continue to prove the integrity of that data for as long as required.
Going further, technology solutions to these issues must address the following needs to support data-centric information integrity:

• Protection against unauthorised access
• Defence against changes, ranging from content modification to virus insertion
• Preservation of evidential weight and non-repudiation
/ Product Implications
Existing products support the first two requirements to a large extent. Microsoft Word™ provides a password protection mechanism. Similarly, it is possible to encrypt an electronic record and thereby protect it against being read by anyone who does not have the relevant key. To defend against changes, it is common practice to convert documents into Portable Document Format (PDF) prior to delivery to third parties. PDF documents are automatically protected against accidental modification.
However, these common desktop applications are insufficient to address the third requirement. Once a password is ‘cracked’, an electronic record’s integrity is irrevocably compromised. The protection of encryption evaporates once a file is decrypted. PDF documents are not protected against determined and informed attempts to modify them.
Ensuring non-repudiation and evidential weight requires a further class of product: an electronic evidential seal.

/ Applications of Evidential Electronic Seals
Data-centric technology would reap significant benefits in any organization where there are legislative or best practice requirements relating to the storage of electronic records. Any organization which archives paper records would also profit from this technology in terms of cost savings and green credentials, even if the paper records are retained but accessed less frequently. Data-centric information integrity would also benefit organizations developing IT systems in which there is public anxiety at the nature of the material held, the NHS medical records system being one such example. Data-centric technology would enable patients to approve their electronic medical records by countersealing them (i.e. adding their own private seal to that of the organization maintaining the data), thereby making visible any modifications to the record that had not yet received the approval of the individual. In that sense, this technology can be a bulwark against “big brother”.
Data-centric technology could assist an SME trading via the Internet, enabling them to replace paper-based systems while providing absolute proof of electronic correspondence and contractual material. Any organization distributing material electronically, which might be modified or spoofed and used in litigation against them or to undermine their reputation, should consider protection that identifies original material uniquely.

/ Ensuring Non-Repudiation/Evidential Weight: the Practical Problem
Ensuring the evidential weight of electronic records presents a number of challenging problems. An electronic record must be irrevocably sealed, together with details of the record’s author, the time of creation or issuance and any approval history. Best forensic practice requires that the original record must not be changed in the process of creating a seal; if it is modified by adding further information to the file or by changing the file format, an astute lawyer might argue that the content could also have been changed. This requirement suggests drawbacks to watermarking or steganographic solutions, which put the content of the seal record into the file itself, and a requirement to associate the seal with the file using techniques such as a wrapper or a complementary file name. An electronic record’s accessibility and usability must be maintained. Placing a wrapper (e.g. a jar or zip file) around an electronic record would restrict access, requiring a user to extract the content and unnecessarily increasing their workload. Use of a wrapper could preclude integration with existing IT systems, in particular Document Management Systems. Creating an electronic evidential seal should not significantly increase the storage requirement.

/ Adopting Data-centric Information Integrity: Considerations
There are many issues that must be considered prior to adopting data-centric information integrity systems; some of the most important are discussed below.

/ Longevity
The value in sealing electronic records is realised when an organization proves a document in court. Within the NHS, some health-care records must be retained for at least twenty-five years. Best practice in the insurance industry dictates that records relating to certain matters are retained for eighty years. Any data-centric product must be future-proofed, enabling electronic records sealed for years to be validated.
/ Trusted Third-Party
Organizations may consider whether they should employ a trusted third party to support their data-centric information integrity rather than hosting their own systems. Use of a third party increases the integrity of electronic record keeping because the warranty comes from an organization which is not party to any dispute. It also provides a more cost-efficient managed service – possibly available on a ‘pay per click’ basis. IT directors must establish the credibility of any trusted third party, the resilience of its systems, the origins of its software solution, accreditations and its ability to support large transaction volumes.

/ Ubiquity
Sealed documents will inevitably be received by users outside of the organization in which they were created. Any third-party recipient must be able to freely establish the integrity of an electronic file, at any time, from any location, with minimal overhead.

/ Conclusion – data integrity is coming of age
Electronic evidential sealing complements encryption and digital rights management solutions, thereby constituting a suite of data-centric information integrity products. It offers direct cost savings by reducing the requirement for paper and the need for complex compliance activities and systems. Further, comprehensive payback comes the very first time that the protection is used to resolve a dispute quickly and favourably.
The increasing reliance on electronic business-to-business communication and the need to comply with legislation and electronic discovery processes will drive widespread adoption of electronic evidential seals. The firewall has emerged as a mainstream product within the last ten years. Data-centric information integrity systems will be similarly ubiquitous in the next decade. /

/ Author Bio
Robert has over twenty years’ experience within the software industry. As Head of Software Development at Tru Data Integrity, Robert has played a pivotal role in the development of information integrity systems, including evidential seals. Robert earned a degree in Mathematics from Nottingham University and is a Chartered Engineer.

REFERENCES
1. A Forecast of Worldwide Information Growth Through 2010, John F. Gantz et al, March 2007.
2. See for example American Express vs. Vinhnee, 2005 WL 3609376, 06 Cal. Daily Op. Serv. 146, 2006 Daily Journal D.A.R. 169 (B.A.P. 9th Cir. Dec 16, 2005), and Lorraine v. Markle American Insurance Co., 2007 U.S. Dist. Lexis 33020 (D. Md. 2007).
3. The Jericho Foundation is prominent in leading this debate – www.jerichoforum.org
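An added illustration of the detached seal the Practical Problem section calls for (example code written for this page, not the author's or Tru Data Integrity's product): the record is only ever read, the seal lives in a companion file named after the record, and each counterseal chains to the entry before it, so a changed record, a removed approval or a backdated entry is detected on verification. It assumes HMAC-SHA256 as a stand-in for a digital signature and the signer's own clock as the time source; both assumptions are marked in the code.

```python
import hashlib, hmac, json, os, tempfile
from datetime import datetime, timezone

SEAL_SUFFIX = ".seal"  # companion file: report.pdf is sealed by report.pdf.seal


def digest_file(path):
    """SHA-256 of the record's bytes; the record is only ever opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical_hash(obj):
    """Hash of canonical JSON: key order and whitespace in the seal file are
    irrelevant, any changed value is not."""
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def _sign(body_hash, key):
    # Assumption: HMAC-SHA256 stands in for a digital signature. A deployable seal
    # would sign asymmetrically so any recipient can verify with public material.
    return hmac.new(key, body_hash.encode(), hashlib.sha256).hexdigest()


def load_seal(seal_path):
    if not os.path.exists(seal_path):
        return []
    with open(seal_path, "r", encoding="utf-8") as f:
        return json.load(f)


def seal_record(path, identity, key, role="author", when=None):
    """Append one entry (author seal or counterseal) to the record's companion
    file. Each entry binds digest, signer, time and the previous entry."""
    seal_path = path + SEAL_SUFFIX
    chain = load_seal(seal_path)
    body = {
        "role": role,
        "identity": identity,
        # Assumption: the signer's own clock; a trusted third party would
        # supply an independent timestamp for evidential weight.
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "digest": digest_file(path),
        "prev": _canonical_hash(chain[-1]) if chain else None,
    }
    entry = dict(body, sig=_sign(_canonical_hash(body), key))
    chain.append(entry)
    with open(seal_path, "w", encoding="utf-8") as f:
        json.dump(chain, f, indent=1)
    return entry


def verify_record(path, keys):
    """Check a record against its seal. Returns (problems, history): problems is
    empty when every entry verifies; history lists (role, identity, timestamp)."""
    chain = load_seal(path + SEAL_SUFFIX)
    if not chain:
        return ["no seal file"], []
    problems, history, prev_hash = [], [], None
    current = digest_file(path)
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "sig"}
        key = keys.get(entry.get("identity"))
        if key is None:
            problems.append(f"entry {i}: unknown signer {entry.get('identity')!r}")
        elif not hmac.compare_digest(_sign(_canonical_hash(body), key), entry.get("sig", "")):
            problems.append(f"entry {i}: signature invalid (seal altered)")
        if entry.get("prev") != prev_hash:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        if entry.get("digest") != current:
            problems.append(f"entry {i}: digest mismatch (record content changed)")
        history.append((entry.get("role"), entry.get("identity"), entry.get("timestamp")))
        prev_hash = _canonical_hash(entry)
    return problems, history


def demo(workdir=None):
    """Constructed walk-through: a records department seals a discharge summary,
    the patient counterseals it, then the record and later the seal are altered."""
    workdir = workdir or tempfile.mkdtemp()
    record = os.path.join(workdir, "discharge-summary.txt")
    with open(record, "wb") as f:
        f.write(b"Patient 0001: discharged 2009-11-12, no follow-up required.\n")
    keys = {"records-dept": b"constructed-org-key", "patient-0001": b"constructed-patient-key"}
    seal_record(record, "records-dept", keys["records-dept"], when="2009-11-12T09:00:00+00:00")
    seal_record(record, "patient-0001", keys["patient-0001"], role="counterseal",
                when="2009-11-13T15:30:00+00:00")
    intact = verify_record(record, keys)
    with open(record, "ab") as f:            # an unapproved change to the record
        f.write(b"Follow-up required.\n")
    changed = verify_record(record, keys)
    chain = load_seal(record + SEAL_SUFFIX)  # then someone backdates the first seal
    chain[0]["timestamp"] = "2009-01-01T00:00:00+00:00"
    with open(record + SEAL_SUFFIX, "w", encoding="utf-8") as f:
        json.dump(chain, f)
    backdated = verify_record(record, keys)
    return intact, changed, backdated, os.path.getsize(record + SEAL_SUFFIX)
```

The seal file for the two-entry history is under a kilobyte regardless of the record's size, which is the storage property the article asks for.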
/ FEATURE

HACKER’S HIDDEN TERROR
Robert A Andrews on a nightmare scenario for organizations …
/ ENTRY

Imagine you are the website administrator in charge of security and availability for your corporate website. You come into work one day only to be confronted by your boss informing you that the website has been defaced. Not only has the website been defaced, but the CEO’s picture has been changed to a cartoon. He is in the elevator on the way down to speak with you directly. Not such a great start to the morning.
Once you get past the embarrassing discussion, you call in a forensics expert to clean up the situation, and hopefully find out how this happened and perhaps who was responsible. Sounds reasonable. Now what do you do when the forensic investigator comes back and lets you know that the defacement is the least of your problems? A larger, more significant breach occurred nine months earlier.
In this particular case, the primary web portal for a university was compromised and several pages were defaced. The investigation scope included the web portal server and its back-end database server.
During the investigation, it was discovered that the defacement was a secondary attack of lesser magnitude. It was ultimately discovered that the primary attack occurred 9 months prior to the defacement attack. In this primary attack, the web server was compromised and taken over by the attacker. Once the attacker took control of the web server, they proceeded to take control of the back-end database server as well.
Once in complete control of both servers, the attacker placed code on the database server designed to harvest information. Once harvested, the code was also designed to place the recovered data into graphic files that were being served to the web server for all web pages. At that point, the attacker no longer needed to return to the exploited servers to gather information. Harvested information was served up in graphic files to anyone that visited the web portal pages of the university.
Explain that to the CEO… /

Robert A Andrews is CTO and co-founder of P3Strategic
/ TECH FEATURE

GHOST IN THE MACHINE
Forensic Evidence Collection in the Virtual Environment

Platform and desktop virtualization are changing the nature of IT environments across organizations of all sizes. Eric Fitterman & JD Durick examine the implications for digital investigators
/ ADVANCED

If you are responsible for collecting and analyzing digital evidence, you are already aware of how platform and desktop virtualization are changing the way organizations deliver, store, and manage digital content. The clear cost and efficiency benefits to virtualization have driven organizations to dramatically consolidate physical infrastructure, greatly reducing the complexity of provisioning resources and inventory in a heterogeneous IT environment. While ushering in welcome changes for businesses and IT managers, the virtualization model has fundamentally changed many of the ‘tried and true’ concepts of digital evidence collection and acquisition. Practitioners need to be aware of these considerations to work more effectively with case data that will be recovered from virtual infrastructure.
It is not uncommon for enterprise-class data centers to employ exotic file systems and infrastructure tailored for high-performance, distributed and agile computing requirements. An incident responder may find herself collecting data from enterprise-class Fibre Channel storage area networks (SANs), RAID-configured and partitioned with proprietary file systems like VMware’s Virtual Machine File System (VMFS). Further complicating things, valuable forensic evidence now resides within virtual disks of varied proprietary formats, like VMware’s Virtual Machine Disk (.vmdk) format.
While this topic could fill several book volumes, our goal is to provide an outline of key issues, best practices, and recommendations for practitioners who have responsibility for collecting forensic data from production, enterprise-class virtual storage environments. While evidence can be recovered from the hypervisor environment used to host virtual machines, this article is focused on recovering evidence encapsulated within the virtual disk files used to store virtual machine state and data. We present a walk-through scenario to introduce this topic to readers who are familiar with virtualization, but may not have collected virtual evidence in the course of their duties.
This article explores some of the legal and technical challenges when undertaking an investigation that has gone virtual, and is focused on VMware’s ESXi 4 Server product, though the lessons apply equally well to Microsoft’s Hyper-V and Xen environments.

/ Key Considerations
In a demanding production environment, taking systems offline may not be an option. Forensic practitioners need to carefully weigh the old adage of ‘pulling the plug’ or booting from a live CD on systems to facilitate evidence collection. A client may indicate that downtime is not feasible or practical due to existing Service Level Agreements (SLAs) and contract requirements.
Hard drive and forensic acquisition is no longer a ‘drive-to-drive’ operation. High-performance, distributed file systems that store and deliver data from wide area storage clusters, or architectures that provide consolidated, concurrent access to large Fibre Channel or iSCSI SANs, store tremendous volumes of information that require specialized tools, equipment, and resources to process. Practitioners need to have a well-structured plan to collect data from production systems, taking into account storage size, network throughput, and device connectivity. Walking in the door with a hard drive and enclosure should not be your only strategy.
Proprietary formats are an issue. One of the most reliable methods for interacting with VMFS is in a live VMware environment. There are options for extracting files from VMFS, like the Open Source VMFS Driver, but as a proprietary format, acquiring and imaging virtual data may be most reliably accomplished through the native VMFS support in VMware’s products.
What is the best way to collect volatile data from a virtual machine? Volatile data analysis has gotten a lot of attention within the last few years, due to the development of memory-resident malware and exploits (Metasploit’s Meterpreter) [1], the ability to
extract encryption keys from physical memory [2], and observation of in-memory processes that may not leave a residual disk footprint. There are also new and emerging techniques being developed to extract volatile data from virtual machines [3].
When working on virtual data, tools and options will be limited. Many of these virtual servers are called ‘bare metal’ for a reason, and local access to imaging utilities, hashing functions, or other functionality may not be available.

/ Scenario Introduction
You are responding to an incident involving the potential compromise of financial data in an enterprise data center. The client’s data center uses VMware ESXi Server 4 Update 1 to host several virtual machines, and the affected virtual guest resource is running Windows Server 2008 Web Server Edition. The customer believes that attackers exploited an application-level flaw in the guest operating system to extract customer names, credit card data, and other critical accounting information. The company has identified the flaw and can patch the system, but is first interested in preserving forensic evidence to support a criminal investigation or civil suit. Technical staff determined that the flaw would not have enabled persistent access to the guest server. The company has already disabled inbound web access to the virtual guest, but the system needs to be kept up and online to support other critical business functionality.

When generating the snapshot, we want to avoid invoking any code within

In this scenario, the customer has indicated that no part of the virtual infrastructure can be shut down. At first glance, this may seem to present a real problem. Traditional forensic protocol expects machines to be powered down to collect an image. However, one benefit of VMware’s virtualization suite is that you can capture a snapshot (forensic image) of a virtual machine’s state while the machine is still running. Not only will the snapshot preserve the state of the machine, but the process can optionally generate an image of the running system’s memory in a .vmsn file. This allows us to collect our evidentiary image while the system is still online to support critical business functions. The key here is that creating a snapshot ensures that any changes made to a virtual machine after creating the snapshot are not written to the original image.
One limitation of performing these operations on a live system is that the snapshot functionality does not currently capture an image or copy of the .vswp file (see table 1). This file is locked and cannot be manually copied or imaged while the machine is running. However, this file will be captured if you acquire the partition upon which the .vswp resides. The only potential issue here is that this file may be changing underneath you. It is important to keep in mind that this file may contain useful information in the event the guest cannot allocate the memory it needs from the host – either because the host’s physical memory is exhausted, or the guest was not allocated the requisite amount of memory needed to function efficiently. If you are concerned about establishing the integrity of this file to mitigate potential admissibility arguments, consider examining memory usage to determine whether this condition exists. The availability of memory resources may
mitigate arguments that this file contained information of sig-
the guest nificant or evidentiary value. Ultimately, consult with appropri-
ate legal counsel in your jurisdiction to weigh this option with
The customer employs a Fibre Channel SAN disk array with ‘killing’ the running VM.
several Disk Array Enclosures to provide a total of 40 TB of If you are working a case and have determined that guest
disk storage. This storage uses RAID for protection and has shutdown is authorized or necessary, you will want to follow
broken the storage into several Logical Units (LUNs), each of the steps and scripts outlined in Edward L. Haletky’s book,
which is formatted with one VMFS partition. The LUN used to VMware vSphere and Virtual Infrastructure Security, Securing
store the Server 2008 image is only used by one VM, and the the Virtual Environment4. In his book, Mr. Haletky provides
Virtual Machine Disk (.vmdk) is configured as a pre-allocated sound guidance for stopping a virtual machine in a manner
(flat) disk. For convenience, the box-out (right) provides an that preserves the state of a VM while minimizing the possibil-
overview of the life cycle of a virtual machine and critical files ity of invoking shutdown code on the guest.)
you may encounter on ESXi 4. Understanding how and when When generating the snapshot, we want to avoid invoking any
VMware creates and destroys these files is important to prop- code within the guest, or any obtrusive process that could signifi-
erly scoping your work and analysis. cantly alter the state of the running machine; thus, do not select
the ‘Quiesce guest file system’ option (scripts that run within
/ Response Methodology the guest) when generating the snapshot. For the purposes of
First step: generate an evidentiary ‘Image’ this scenario, we assume that there were no previous snapshots
One of the first questions you need to consider is whether taken of the system. After the snapshot is generated, any writes
systems need to be taken offline for acquisition and collec- will be made to one or more redo log files, thereby preserving the
tion. If you are conducting an investigation related to contra- original .vmdk disk image file. As always, maintain detailed logs
band imagery, for example, or if you have full legal authority to and notes regarding your investigative steps when generating a
seize hardware and equipment, systems will likely need to be snapshot and memory image of the running guest.
shut down. However, if you are conducting your investigation You can verify this behavior yourself by hashing an original
on consent, or are responding to an incident where the client virtual disk while continuing to use the machine after taking a
is a victim and has requested your assistance, you may want snapshot. You will see that the machine writes data to the redo
to use a gentler approach to collect the information you need. logs instead of the original disk, thus preserving your image.

74 Digital / ForensicS
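The check just described, and the integrity-hashing step that follows later in the article, as an added example that is not the authors’ code: the script records a SHA-256 for every file in a VM directory into a manifest kept off the datastore, then re-verifies the directory and reports which files are unchanged, changed, missing or new. After a snapshot the parent descriptor and flat extent should land in “unchanged” while the redo log and .vmsn appear as “new”. The directory, the file names (Server_2008.vmx, Server_2008-flat.vmdk, the -000001-delta.vmdk redo log, the -Snapshot1.vmsn memory file) and their contents are all constructed for the demonstration; the hex digests are the same values `openssl dgst -sha256` prints, so the manifest can be compared line by line with output captured on the ESXi service console.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB flat extent never sits in memory


def sha256_file(path):
    """Hex SHA-256 of a file, the same value `openssl dgst -sha256` prints."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(vm_dir):
    """Map each regular file in vm_dir to (size, sha256)."""
    manifest = {}
    for name in sorted(os.listdir(vm_dir)):
        path = os.path.join(vm_dir, name)
        if os.path.isfile(path):
            manifest[name] = (os.path.getsize(path), sha256_file(path))
    return manifest


def write_manifest(manifest, out_path):
    """One line per file: digest, size, name (two-space separated)."""
    with open(out_path, "w") as f:
        for name, (size, digest) in manifest.items():
            f.write(f"{digest}  {size}  {name}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, size, name = line.rstrip("\n").split("  ", 2)
            manifest[name] = (int(size), digest)
    return manifest


def verify(vm_dir, manifest_path):
    """Classify every file as unchanged, changed, missing or new relative to the manifest."""
    saved = read_manifest(manifest_path)
    now = build_manifest(vm_dir)
    return {
        "unchanged": sorted(n for n in saved if n in now and now[n] == saved[n]),
        "changed": sorted(n for n in saved if n in now and now[n] != saved[n]),
        "missing": sorted(n for n in saved if n not in now),
        "new": sorted(n for n in now if n not in saved),
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed VM directory: baseline, then post-snapshot writes, then a tampered .vmx."""
    vm_dir = tempfile.mkdtemp()  # stands in for /vmfs/volumes/<datastore>/Server_2008/
    _write(os.path.join(vm_dir, "Server_2008.vmx"), b'config.version = "8"\n')
    _write(os.path.join(vm_dir, "Server_2008.vmdk"), b"# Disk DescriptorFile\n")
    _write(os.path.join(vm_dir, "Server_2008-flat.vmdk"), bytes(range(256)) * 16)
    # The manifest lives on a separate (evidence) location, never on the datastore being examined.
    manifest_path = os.path.join(tempfile.mkdtemp(), "Server_2008.sha256")
    write_manifest(build_manifest(vm_dir), manifest_path)
    # After a snapshot the hypervisor writes only to the redo log and the .vmsn;
    # the parent descriptor and flat extent must hash exactly as before.
    _write(os.path.join(vm_dir, "Server_2008-000001-delta.vmdk"), b"redo log data\n")
    _write(os.path.join(vm_dir, "Server_2008-Snapshot1.vmsn"), b"memory snapshot\n")
    after_snapshot = verify(vm_dir, manifest_path)
    # A later edit to the configuration file is exactly what "changed" should flag.
    _write(os.path.join(vm_dir, "Server_2008.vmx"), b'config.version = "8"\nedited = "yes"\n')
    after_tamper = verify(vm_dir, manifest_path)
    return after_snapshot, after_tamper


if __name__ == "__main__":
    for label, result in zip(("after snapshot", "after tamper"), demo()):
        print(label, result)
```

Run demo() to see the two reports. In an engagement, build_manifest would be pointed at the VM’s directory on the datastore and the manifest written to the separate evidence location, so that the same verify() can be rerun after extraction from the VMFS image.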
/ Virtual Machine Life Cycle in VMware ESXi 4
Creation
When a virtual machine is created, several important files are generated in the location specified by the user. These files include:
• A configuration file for teaming features (.vmxf). Teaming is a feature used primarily with VMware Workstation to allow administrators to logically group virtual machines for streamlined administration.
• The primary virtual machine configuration file (.vmx). The .vmx file contains the bulk of the virtual machine’s settings and configuration, hardware support and emulation features.
• Snapshot descriptor file (.vmsd). This empty file is created when you configure and generate a new virtual machine, and maintains information about the virtual machine’s snapshots.
• The disk descriptor file (.vmdk) contains disk geometry, layout, structure, and physical properties. The disk descriptor will describe an extent (also carrying the .vmdk extension) that represents the physical storage used by the disk.
Startup
When a VM is started, several additional files are created, including:
• VMware log files (.log) that contain extensive diagnostic information, configuration and run-time messages.
• The virtual machine’s BIOS settings (.nvram).
• A swap file (.vswp). When the virtual machine needs to be allocated more memory than has been configured during initialization, the swap file will be used instead of physical memory.
Suspend
When a virtual machine is suspended, a suspended state file (.vmss) is created that represents the state of the machine at the time it was suspended, or paused; the .vswp file is deleted.
Resume
When a virtual machine is resumed from a suspended state, the .vmss file remains and the .vswp is regenerated.
Snapshot
The previously empty .vmsd file is populated with information about the new snapshot. A .vmsn file is generated, containing memory contents for the virtual machine, if specified in the snapshot options menu. A snapshot descriptor file (.vmsd) and redo logs (.vmdk) are generated to represent changes made after generating the snapshot. The parent .vmdk disk descriptor and extents are untouched, meaning this operation will provide a forensically sound image file.
Shutdown
When a virtual machine is shut down, the .vswp and .vmss files are deleted.

Next step: establish file integrity
After the snapshot has completed, you now need to capture key characteristics of the evidence files to support proper chain of custody and to establish the integrity and fidelity of the acquired evidence files. For the purposes of readability, the Windows 2008 Web Server virtual machine bears the name Server_2008, and resides on the VMFS-formatted datastore bearing the name ‘datastore1’. You will need to connect to the ESXi service console over SSH in order to obtain command line access to perform the necessary steps. Having connected to the console, you need to determine where the VM files are saved. You can issue the command ‘esxcfg-info -s’ to view details regarding storage on this server (for the purposes of this test, we used a simplified architecture with internal disk storage; however, Fibre Channel and iSCSI storage is presented to ESXi as a directly-connected physical device, and will look similar):
Looking at the results, you see that the volume bearing the name ‘datastore1’ is found on the path ‘/vmfs/volumes/4b1733e2-995617e0-a185-002185975721’.

Chain of custody
Capturing the details from the esxcfg-info command to a file can be used to establish your chain of custody and is good practice since this command maps storage volumes to a physical device. We have observed device names that bear the model and serial number of hard disks connected to ESXi, and this would be important for investigations that require the seizure of physical evidence or contraband from a physical device.

Browsing to the path containing the virtual machine files, you want to immediately establish an integrity hash for the
files comprising the virtual machine’s state. We recommend using a hash from the SHA-2 family of secure hash functions to establish the integrity of files, pre- and post-acquisition. We recommend this not only due to the cryptographic strength of the SHA-2 secure hash functions, but also because, for those who perform incident response work in the US, the National Institute of Standards and Technology (NIST) has ordered US agencies to use the SHA-2 family of hash functions after 2010.
ESXi 4 Update 1 comes with an implementation of OpenSSL, which can be used to hash the contents of the virtual machine files. At a minimum, you will want to hash the .vmx, .vmsn, and the preallocated .vmdk and disk descriptor using the following command format: ‘openssl dgst -sha256 <file-to-hash>’, as illustrated in the following command (if you are presented with the config file warning, it can be safely ignored):

Image and Collect the VMFS Disk LUN Partition

/ Valued sources
Having generated the necessary virtual disk files, you may wonder why you would want to image the VMFS partition instead of beginning to save the .vmdk and associated state files. As indicated in table 1, .vswp and .vmss are normally deleted during the course of a VM’s lifecycle. These files could be valuable sources of information, and would need to be recovered or carved from the VMFS. Imagine investigating an incident where a suspect was conducting nefarious activity in a virtual machine, deleting the redo logs and restoring to a known clean snapshot, in order to conceal his illicit activity. In this case, deleted redo logs may be your best source of investigative data, as there would not be a .vmdk file containing evidence of the criminal activity. (If available, the VMware log files would also be good sources of information to establish whether any such activity occurred.)
There is one other important caveat here: since the VM is mounted, the partition will be active and will change while your image process is under way. This is one area of risk you must address. We mitigate this risk by hashing the files contained on the partition, to ensure that the key .vmdk files were not changed when conducting our acquisition.
The first issue is determining how to map the datastore volume to the physical device (partition) containing the .vmdk and state files. The command ‘esxcfg-info -s’ can be used to identify the path to the physical device (the DevFS Path) that you will use as the input to the imager:
To image the partition, we use the command line tool, dd, to generate an image on a location accessible to the Infrastructure Client, but not on the volume or partition being imaged. In our case, ‘evidence’ is the label of a datastore separate from the datastore that contains the source files:
Be careful with dd, as improper usage could delete or overwrite information. Make sure you are saving your VMFS image (the ‘of’ parameter) to a file and not a system device or evidence file. Remember that your objective is to pull this VMFS image file onto your own storage device, and ESXi will not allow you to directly connect a USB drive to move files off of the ESXi host. In this case, we have identified a location on the network where we can pull this image down onto our own storage device. Here we have generated a raw, uncompressed, and unencrypted disk
image, but keep in mind that you may want to consider encrypting or compressing this image if there are security, privacy, or bandwidth considerations when transferring this file.

Extract VM State from VMFS Image and Verify Integrity
After generating at least one forensically-sound working copy from the evidentiary image, we will begin to extract the files from the working image to begin our analysis. To accomplish this, we will use the Open Source Virtual Machine File System driver to extract the files of interest, in this case, the memory snapshot (.vmsn) and disk (.vmdk) files:
After extracting these files, you will want to hash the .vmdk and .vmsn files and compare the results with our previous SHA-2 hashes. If the files have been transferred correctly, the file hashes will match, which they do:

/ Verifying the Acquisition
Memory snapshots may contain interesting information: encryption keys (see the Princeton cold boot research2) and hidden in-memory processes that don’t leave a residual disk footprint are just two examples. To verify that the .vmsn memory snapshot captures volatile data, such as a list of running processes, we developed a small Python script to parse the memory file looking for the names of running processes. We confirmed that the .vmsn captures running process names by launching and killing processes, and verifying these delta changes in the .vmsn file. The figure below yields a list of the processes that were carved from the .vmsn memory file, which are consistent with the process names identified using Server 2008’s Task Manager in the virtual machine.
Numerous commercial tools on the market today make it possible to mount, dissect or examine the contents of Virtual Machine Disk (.vmdk) files. These tools include Access Data’s FTK, Smart Mount, Mount Image Pro, Live View and EnCase Forensic/Enterprise. To validate that we have acquired an intact .vmdk file, we successfully open the extent (.vmdk) file in FTK Imager:

/ Quick Tips
In this article we presented a methodology for capturing and collecting digital evidence from a virtual environment. Here are a few additional tips to consider when working with virtual disk evidence:
• Familiarize yourself with the virtualization technologies you are likely to encounter. Virtualization products can be found in the data center and on the desktop, and familiarity is necessary to effectively work with virtual data.
• Have a strategy for extracting your evidence. Standardize your tool chain and have several options available for collecting data from a hypervisor environment.
• Conduct your own tests. As indicated in this article, new technology requires new thinking. Find ways to apply consensus-developed forensic practices to this new technology.

References
1. Skape. “Metasploit’s Meterpreter Guide.” 2004. <http://www.metasploit.com/documents/meterpreter.pdf>
2. Halderman, J. Alex et al. “Lest We Remember: Cold Boot Attacks on Encryption Keys.” Proc. 2008 USENIX Security Symposium. (2008). <http://citp.princeton.edu/memory/>
3. Hay, Brian, and Kara Nance. “Forensics Examination of Volatile System Data Using Virtual Introspection.” ACM SIGOPS Operating Systems Review. (2008).
4. Haletky, Edward L. VMware vSphere and Virtual Infrastructure Security, Securing the Virtual Environment. Boston: Prentice Hall, 2009.

Additional reading
What Files Make Up a Virtual Machine? VMware. <http://www.VMware.com/support/ws5/doc/ws_learning_files_in_a_vm.html>
Virtual Machine Disk Format. VMware. <http://www.vmware.com/technical-resources/interfaces/vmdk.html>
Secure Hashing. National Institute of Standards and Technology (NIST) Computer Security Resource Center. <http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html>
Open Source VMFS Driver. <http://code.google.com/p/vmfs>
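The partition-imaging step (Image and Collect the VMFS Disk LUN Partition) as an added example, not the article’s dd command: a Python stand-in for `dd if=<DevFS path> of=<image file>` that applies the safeguards the article calls for. The destination must be a brand-new regular file (never a device node or an existing evidence file), the source is read in fixed blocks with a SHA-256 computed as the image is written, and a block that returns an I/O error is zero-filled and recorded rather than aborting the acquisition, which is what dd’s conv=noerror,sync does. The FaultyMedia class, the three-block sample and the output file name are constructed for the demonstration; the device path in the comment is a placeholder for the DevFS Path reported by esxcfg-info.

```python
import hashlib
import os
import stat
import tempfile

BLOCK = 1 << 20  # 1 MiB per read: fast, yet a bad block costs only 1 MiB of zeros


class UnsafeDestination(Exception):
    """Raised when the output path could destroy evidence or a system device."""


def check_destination(out_path):
    """Refuse to write anywhere but a brand-new regular file in an existing directory."""
    if os.path.lexists(out_path):
        mode = os.lstat(out_path).st_mode
        if stat.S_ISBLK(mode) or stat.S_ISCHR(mode):
            raise UnsafeDestination(f"{out_path} is a device node, not an image file")
        raise UnsafeDestination(f"{out_path} already exists; an image is never overwritten")
    if not os.path.isdir(os.path.dirname(os.path.abspath(out_path))):
        raise UnsafeDestination(f"directory for {out_path} does not exist")


def acquire(src, out_path, block_size=BLOCK):
    """Copy the open source `src` block by block into a new file at out_path.

    Assumes aligned reads return full blocks except at the end of the media
    (true for raw block devices). Returns (bytes_written, sha256_hex, bad_block_indexes).
    """
    check_destination(out_path)
    digest = hashlib.sha256()
    bad_blocks = []
    written = 0
    index = 0
    with open(out_path, "xb") as dst:  # "x": create, never clobber
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                # Like dd conv=noerror,sync: record the block, write zeros in its
                # place so later offsets stay aligned, then skip past it.
                bad_blocks.append(index)
                chunk = b"\x00" * block_size
                src.seek((index + 1) * block_size)
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            written += len(chunk)
            index += 1
    return written, digest.hexdigest(), bad_blocks


class FaultyMedia:
    """Constructed stand-in for a partition: in-memory bytes whose listed blocks fail to read."""

    def __init__(self, data, bad_blocks, block_size):
        self.data, self.bad, self.bs, self.pos = data, set(bad_blocks), block_size, 0

    def read(self, n):
        if self.pos // self.bs in self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos


def demo():
    """Image a constructed three-block source whose middle block is unreadable."""
    bs = 4096
    data = bytes(range(256)) * 48  # 12,288 bytes: exactly three 4 KiB blocks
    src = FaultyMedia(data, bad_blocks=[1], block_size=bs)
    out_path = os.path.join(tempfile.mkdtemp(), "datastore1.dd")  # constructed image name
    written, digest, bad = acquire(src, out_path, block_size=bs)
    expected = data[:bs] + b"\x00" * bs + data[2 * bs:]  # what conv=noerror,sync would produce
    with open(out_path, "rb") as f:
        identical = f.read() == expected
    return written, digest, bad, hashlib.sha256(expected).hexdigest(), identical


if __name__ == "__main__":
    # Real use on the ESXi console (placeholder paths):
    #   with open("<DevFS path from esxcfg-info -s>", "rb", buffering=0) as dev:
    #       print(acquire(dev, "/vmfs/volumes/evidence/datastore1.dd"))
    print(demo())
```

The returned digest is the hash of the image as written, which is what should be recorded in the notes and compared with a fresh hash once the file has been pulled across the network; the bad-block list documents every region the image does not faithfully represent.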
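The process-name check from Verifying the Acquisition as an added example; this is not the authors’ script. It scans a raw memory file for executable names stored either as plain ASCII (a Windows process block keeps the image name as a short ASCII string) or as UTF-16LE (paths and command lines), counts each name, and streams large files in overlapping chunks so a name split across a chunk boundary is still found. The delta test in the article (launch a process, snapshot, confirm it appears) is then a matter of comparing two of these counts. SAMPLE is a constructed byte string standing in for a .vmsn, and the file name in demo_chunked() is a placeholder.

```python
import os
import re
import tempfile
from collections import Counter

# A Windows image name: filename characters followed by ".exe" in any case.
ASCII_RE = re.compile(rb"[A-Za-z0-9_\-.]{1,64}\.exe", re.IGNORECASE)
# The same name as UTF-16LE: every character is followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[A-Za-z0-9_\-.]\x00){1,64}\.\x00e\x00x\x00e\x00", re.IGNORECASE)


def carve_names(data, min_end=0):
    """Count .exe names in `data`, lower-cased; only matches ending after `min_end` count."""
    found = Counter()
    for regex, codec in ((ASCII_RE, "ascii"), (UTF16_RE, "utf-16-le")):
        for m in regex.finditer(data):
            if m.end() > min_end:
                found[m.group().decode(codec).lower()] += 1
    return found


def carve_file(path, chunk=16 << 20, overlap=512):
    """Stream a multi-GB memory file through carve_names without loading it whole.

    The last `overlap` bytes of each chunk are prepended to the next so a name
    split across the boundary is still seen; matches ending inside that carried
    region were counted on the previous pass and are skipped via min_end.
    `overlap` must exceed the longest name you expect (UTF-16 doubles the length).
    """
    total = Counter()
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            total.update(carve_names(tail + block, min_end=len(tail)))
            tail = block[-overlap:]
    return total


# Constructed stand-in for a .vmsn: padding, two ASCII copies of svchost.exe,
# one UTF-16LE lsass.exe, an upper-case Explorer.EXE and a decoy without a dot.
SAMPLE = (
    b"\x00" * 16
    + b"svchost.exe" + b"\x00" * 4
    + b"\xde\xad\xbe\xef" * 8
    + "lsass.exe".encode("utf-16-le") + b"\x00\x00"
    + b"Explorer.EXE" + b"\x00" * 8
    + b"svchost.exe" + b"randomexe" + b"\x00"
)


def demo_chunked():
    """Write SAMPLE to a file and carve it with chunks smaller than the sample."""
    path = os.path.join(tempfile.mkdtemp(), "Server_2008-Snapshot1.vmsn")  # placeholder name
    with open(path, "wb") as f:
        f.write(SAMPLE)
    return carve_file(path, chunk=48, overlap=64)


if __name__ == "__main__":
    for name, count in carve_names(SAMPLE).most_common():
        print(f"{count:6d}  {name}")
```

A string-level carve like this finds names regardless of whether the process is still linked in the kernel’s process list, which is why the counts are a quick sanity check on the snapshot rather than a substitute for a memory-analysis framework; the same two-pass comparison (before and after starting a known process) is the delta test the authors describe.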

/ Author BioS
Eric M. Fiterman is a former FBI Special Agent and founder of
Methodvue, a consultancy that provides cyber security and
computer forensics services to government and commercial
clients. Eric specializes in cybercrime prevention and has
been recognized by the United States Secret Service for his
contributions to the Service’s investigative responsibilities.

JD Durick, MSc(CS), is a digital forensics examiner and
computer security specialist in the Washington, DC area with
twelve years’ experience in the security domain. He earned his
MS in computer science from Johns Hopkins University and is
finishing his MFS from George Washington University in High
Tech Crime Investigation.

/ BOOK REVIEWS

Malware Forensics: Investigating and Analyzing Malicious Code
Authors: James M. Aquilina, Eoghan Casey, Cameron H. Malin
Publisher: Syngress
Date of Publication: 30 June 2008
Price: £41.99 (UK), $69.95 (USA)
ISBN: 978-1597492683
Reviewer: Tony Campbell

It has seemed to me for some time that the publisher Syngress has had the Digital Forensics book market almost exclusively to itself – at least in terms of quality contributions. After reading Malware Forensics, my mind had not been changed one iota. This book, although published in June 2008, is by far the most comprehensive introduction to the inner workings of malware that I’ve come across.
Understanding malware is a really complicated subject for sure, covering a broad spectrum of illicit software types, but there is no doubt that the combined efforts of James Aquilina, Eoghan Casey, and Cameron Malin deliver a fantastic result throughout these pages.
Quite often, I personally struggle with reading heavyweight textbooks cover to cover, and often find these sorts of books sitting on my bookshelf as unread references, just in case I might need them in the future. However, I did read this one cover to cover, and have come out the other side of that experience a better man. The authors go into the low-level details of both Windows and Linux malware, and decompose the inner workings of each type of illicit software to a fundamental degree of understanding that is consumable by both programmers and non-programmers (like me) alike.
Another great feature of this book is that the authors do not hold back on their use of Windows and Linux tools, taking the reader through the processes involved in analyzing real examples of malware in both operating system environments. I would recommend this book to anyone who has an interest in understanding malware, and certainly recommend it to anyone who has a need to understand the context of malware in computer forensics.
It is very apparent both from the style of delivery and (especially after re-reading the introductory section) from many comments made throughout the book that the authors are very focused on the evidentiary weight of their malware analysis. I applaud them for these efforts and highly recommend this book as not just being for malware geeks, but really important for anyone trying to understand the nature of malicious code and how it can adversely affect a forensic investigation.
At 592 pages, this book is a true heavyweight contender and is without doubt the best value for money I’ve found on this subject. Well done, Syngress and well done the authors.

The authors do a great job of stepping through each chapter and explaining techniques in a way that is easy to understand. The section of the book that helped me most professionally was section five, Creating a Complete Forensic Toolkit, which explains exactly how to create a bootable toolkit that will not alter data on the host system. On the whole, this book provides a consistent introduction to a wide array of IT forensics topics. One topic that feels incomplete, however - perhaps because of the book’s vintage - is Mobile Device Forensics. There is no information on mobile phones and MP3 players. That is an isolated shortcoming, however. The book introduces and discusses many of the tools that are widely used in the field, and its screenshots are helpful in illustrating sample output from tools. In my opinion “Real Digital Forensics: Computer Security and Incident Response” is a great resource for any forensic investigator.

Live Hacking: The Ultimate Guide to Hacking Techniques and Countermeasures for Ethical Hackers & IT Security Experts
Author: Ali Jahangiri
Publisher: Dr. Ali Jahangiri
Date of Publication: 2009
Price: $49.99 (USA)
ISBN: 978-0-9842715-0-4
Reviewer: John Forrester

I would never be so presumptuous as to label myself a hacker, but I am an IT security guy, so I know the subject area pretty well. The allure of Dr. Jahangiri’s book was that it might educate me to think like a hacker, so helping me better understand how the bad guys operate and how they gain unauthorized access to our computer systems and networks. As Sun Tzu once wrote, “To know your enemy, you must become your enemy.”
So I was really quite excited to get my hands on this book, especially after reading the back cover blurb on Amazon.com and seeing the rave review that a previous reader (or friend) had given it. However, when the package arrived (courtesy of DFM), I was really disappointed. It’s obviously self-published – no problem with that as long as it’s done well – but unfortunately, it shows. Grammatical and spelling errors are liberally
sprinkled throughout the text, and these soon start to call into question the book’s overall quality. But it wasn’t just grammar that concerned me – I soon also had issues with the quality of the content. With a cover price of USD$49, I began to have serious reservations about ‘value for money’. If I wasn’t writing a review for DFM I would have considered sending the book back to where it came from, demanding a refund.
However, in the line of duty, I ploughed on, and here’s what I found. On the question of value, it soon becomes apparent that the book is full of (and I mean packed tight with) screen grabs from websites, where what’s on the page is so condensed that it’s virtually impossible to read or interpret the detail. As a result, the impact of what is attempting to be shown to the reader gets completely lost.
The opening chapter on essential terminology is sparse and did not deliver the glossary I was hoping for, while Chapter 2 on reconnaissance simply lists a plethora of websites from where you might be able to glean some information about your target (the bulk of this chapter’s content is screen grabs). Chapter 3 on Google hacking is ok for a stratospheric overview of a complex subject, but after reading an excellent treatment on exactly this subject just a few months ago (Google Hacking by Johnny Long, published by Syngress) this chapter left me somewhat flat.
Chapters 4, 5 and 6 on scanning, enumeration and password cracking again were ok, not fantastic, but ok. What each of these three chapters offer are simplistic, high-level overviews of three subjects which each deserve (and, indeed, have already got) books in their own right – some at lower price points. Chapter 7 delivers a whopping 11 pages on Windows hacking. Now, I have some experience with penetration testers trying to hack into my systems, and I would suggest that the subject requires something more than 11 pages’ worth to do it justice. Wholly inadequate.
Uncommonly in this book, I was pleasantly surprised with Chapter 8 on malware, as the author covers a good range of nefarious technologies. Aside from an unnecessary abundance of full sized screen captures (yawn … I do go on) from Spytector (there are eight back-to-back across just five pages) the author does a good job of providing an overview of the various forms of ‘bad code’ that can gain access to systems and data. I was fairly unimpressed with the rest of the book, with the only highlight being Chapter 10’s treatment of a SQL injection attack – I’d always wondered how that works.
So, with 185 pages of doubtful usefulness, many of which are crammed with often illegible screen grabs, I was not impressed. Sorry, Dr. Jahangiri, I’m sure you are a very clever man and very proficient in teaching this stuff to your students, but maybe you should consider looking for a professional publisher next time, rather than taking the DIY option.

Windows Forensic Analysis DVD Toolkit 2nd Edition
Author: Harlan Carvey
Publisher: Syngress
Date of Publication: 2009
Price: $69.95 (USA)
ISBN: 978-1597494229
Reviewer: Peter Sheffield

This second edition of Harlan Carvey’s excellent book on Windows Forensic Analysis is a fantastic uplift to what I’d classify as the best book I have owned on Windows forensics, especially from a practitioner’s perspective.
This book works on multiple levels, with practical advice and guidance for live Windows forensic analysis, as well as more in-depth discovery guidelines for your work back in the lab, all augmented by real scripts and utilities that will help you retrieve valuable forensic evidence from a target machine.
Chapter 4 on registry analysis is particularly strong, with details on audit policy and event log analysis, wireless SSID discovery, understanding autostart, and one of my favorites, a section on how to track USB removable storage devices across Windows systems. Earlier chapters on Windows Live Response and Windows memory analysis are also extremely strong and very useful, with loads of practical tips on extracting and preserving evidence.
Chapter 5, on file analysis, is also really useful with a fantastic discussion on Alternate Data Streams, one of the less-understood features of the NTFS file system. Data can easily be hidden inside NTFS using ADS techniques, and forensic investigators should know how to find this stuff and what to do with it.
Chapters 6 and 7 deal with malicious code and understanding executable files, as well as delving down into the details of rootkits to see how they may affect a system being investigated, and how an investigator might identify their presence and what they are doing. Chapter 8 pulls everything together into a series of case studies where the author walks us through using all the techniques previously discussed.
The final chapter looks at performing forensic analysis on a budget using a bunch of free tools, such as dd for Windows, the SleuthKit, PyFlag, hex editors, network tools and packet capture and analysis. On the DVD, there are movies showing a variety of investigation techniques, scripts and tools that all contribute to this being the best Windows Forensic Toolkit available today.
The only criticism I have – a fairly major one at that – is that now that Windows 7 is on the shelves and becoming the preferred operating system on OEM PCs, although many of the tools and techniques will still be relevant, there are new topics that will need covering, such as Jump Lists.

CALLING ALL RESEARCHERS & PRACTITIONERS
If you are a practitioner or researcher working in the field of Digital Forensics then we want to hear from you…

/ Academic
If you are a researcher, academic or student of digital forensics, we would like to hear about your work. One of the key aims of Digital Forensics Magazine is to bridge the gap between the researcher and the practitioner. We provide a platform where your research can reach the widest possible audience, far greater than that of an academic journal. By showcasing your work in Digital Forensics Magazine you will be able to find like-minded parties who are interested in your research, maybe for collaboration projects or indeed for a route to market.

/ Practitioners
For those of you living and breathing in the professional world of Digital Forensics we would love to hear from you. It is a well-known fact that some of the best learning comes from “on-the-job” experience and we want you to share that experience with your peers. Whether it is a complete case study of an investigation (obfuscated where required) or a tool for extracting information from a website, you can guarantee that your fellow practitioners will want to hear about it. Providing these articles is a great way to let our community know where further work is required, again fostering collaboration between industry and academia.
We also want to let the wider community know what problems practitioners are facing. You can do this by writing to 360@digitalforensicsmagazine.com (details on the website) and we’ll do our best to get an ‘expert’ to get back to you.

/ Submissions
If you would like to submit an article to DFM you can do this by sending an email to editorial@digitalforensicsmagazine.com with your details and a 250-word abstract explaining what the subject is and how you will cover it. You should also include why you think it will make a good article, and what target audience it addresses.

20% discount on ELCOMSOFT PASSWORD RECOVERY SOFTWARE
To receive the discount, readers should enter the DFM-DISC-15 coupon code during a website purchase between February 1 and April 1 2010.
www.ELCOMSOFT.CO.UK/EDPR.HTML

/ COLUMN

IRQ
Triage and the triumph of common sense

It has often been said that examining a digital system is like examining a physical crime scene and that similar processes can be followed – but how true is it and what does it mean for digital evidence examiners?
Conventional wisdom has it that, when dealing with a digital device, attempts should be made to capture the totality of storage present – that is, image everything – but this is completely at odds with a crime scene approach. In dealing with a crime scene, we make efforts to record the scene as accurately as possible by taking notes, drawing sketches and taking photographs. A purely visual process. Then we start to select items of interest, recording them in more detail, before finally removing them for processing at a later date. It simply is not practical to try to capture the entire contents of a room, building or outside location, so pragmatism and common sense dictate that decisions need to be made and only material which is believed to be relevant to the enquiry should be taken.
With storage devices, though, we are told that we must image the entire device and ensure that every little bit is captured completely and accurately with checksums galore to show that the copy is identical to the original. In practice, though, how much of the data on a device is actually relevant and useful? If we accept the proposition that live data is better than deleted, which is better than slack, which is better than swap space, then we can start to argue the case for considering the nature of the activity under investigation and the most likely sources of relevant data. Of course in serious crime or major enquiries it is easier to justify the decision to capture everything but in other cases, it may be more efficient to perform an evaluation at the scene and capture only data which appears relevant at the time, along with a snapshot of the context in which they exist (e.g. a complete FAT or MFT). The contextual snapshot, we can argue, is the equivalent of the crime scene
Considering the initial acquisition process in this way helped me considerably during a recent seizure. Faced with 11 PCs to process at the scene, and only four available target drives, a decision had to be taken about how best to image the machines. A simple inspection of the machines, using the CAINE live CD, showed that of the 320Gb available on one, only 4% was in use. As the machine was only two weeks old, used by non-experts, and the enquiry related to consumer law, it was considered unlikely that there would be a great deal of additional useful material in anything beyond live files. So, the decision was taken to produce a tarball of live data only – a five-minute process as opposed to several hours for full imaging. Another six were not imaged at all as they were seen to be simple network workstations used for presentations & web access but no storage of relevant data. The remaining four were categorised as a server and the administrative machines most likely to contain relevant data. These four were fully imaged.
Was the decision right? In the circumstances at the time – yes, it was. Full images had already been taken of other machines, which were deemed more important. Live data on the 4% usage machine is likely to be sufficient for the enquiry in question and the judgment on the day was that the other 6 were unlikely to produce anything of value.
In fact, what was done on that occasion was Triage in the truest sense of the word. Prioritisation of processing and allocation of resources based on the circumstances at the time. To many, triage is a dirty word in digital evidence, but perhaps it is time to re-evaluate it in light of practices elsewhere and think about how we can use triage properly, not as a way of cutting costs or promoting “Computer Game Forensics”, but as a way of ensuring that enough data is captured in the right way and in the right format.

/ Author Bio
Angus Marshall is an independent digital forensic practitioner, author and researcher, currently working on the ‘fitness for purpose’ challenge. In a past life he was an academic course leader in Digital Forensics & Forensic Computing and still retains strong links with academia, professional bodies and regulators. He can be contacted through his company, n-gate
photograph and the selectively acquired data are the eviden- ltd. (http://www.n-gate.net).
tial items selected by the experienced and trusted SOCO/CSI.
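The article's selective acquisition model (a cheap, complete contextual snapshot standing in for the FAT/MFT listing, plus a tarball of only the live files judged relevant, each hashed so the copy can later be shown to match what was taken) can be demonstrated on an ordinary directory tree. The script below is an added example written for this page; it is not the author's tooling or anything from the CAINE live CD. The relevance rule (a list of document extensions), the output file names and the sample files it builds are all assumptions for the demo.

```python
"""Triage acquisition: full contextual snapshot, selective collection.

Added example, not code from the article or its author. Every regular
file under `root` is inventoried (path, size, mtime; no content), then
only files whose extension is on an assumed relevance list are copied
into a tarball, with a SHA-256 hash recorded per collected file. The
manifest keeps the snapshot next to the hashes, so what was left behind
is documented alongside what was taken.
"""
import hashlib
import json
import os
import stat
import tarfile
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20
# Assumed relevance rule for the demo: user documents and mail only.
DEFAULT_RELEVANT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".eml"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def context_snapshot(root):
    """List every entry under root without reading content.

    lstat is used so symlinks, FIFOs and devices are recorded but never
    followed or opened; only regular files are later eligible for copying."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "regular": stat.S_ISREG(st.st_mode),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return sorted(entries, key=lambda e: e["path"])


def triage_acquire(root, out_dir, relevant_ext=DEFAULT_RELEVANT):
    """Write live_data.tar.gz and manifest.json into out_dir; return the manifest."""
    snapshot = context_snapshot(root)
    manifest = {
        "source": os.path.abspath(root),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "snapshot": snapshot,
        "collected": [],
    }
    tar_path = os.path.join(out_dir, "live_data.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        for entry in snapshot:
            ext = os.path.splitext(entry["path"])[1].lower()
            if not entry["regular"] or ext not in relevant_ext:
                continue                       # left behind, but still in the snapshot
            src = os.path.join(root, entry["path"])
            digest = sha256_file(src)          # hash the original before copying
            tar.add(src, arcname=entry["path"], recursive=False)
            manifest["collected"].append({"path": entry["path"], "sha256": digest})
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_tarball(tar_path, manifest):
    """Re-hash each collected member inside the tarball against the manifest."""
    with tarfile.open(tar_path, "r:gz") as tar:
        for item in manifest["collected"]:
            member = tar.extractfile(item["path"])
            h = hashlib.sha256()
            for chunk in iter(lambda: member.read(CHUNK), b""):
                h.update(chunk)
            if h.hexdigest() != item["sha256"]:
                return False
    return True


def build_sample_tree(base):
    """Constructed sample files for the demo (not real evidence)."""
    files = {
        "Documents/contract.docx": b"constructed: signed supply contract",
        "Documents/notes.txt": b"constructed: meeting notes",
        "Downloads/installer.exe": b"constructed: not relevant to the enquiry",
        "cache/thumb.tmp": b"constructed: cache file",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return sorted(files)


def run_demo():
    """Acquire the constructed tree; return (files seen, paths collected, verified)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as out:
        build_sample_tree(src)
        m = triage_acquire(src, out)
        ok = verify_tarball(os.path.join(out, "live_data.tar.gz"), m)
        return len(m["snapshot"]), [c["path"] for c in m["collected"]], ok


if __name__ == "__main__":
    seen, taken, ok = run_demo()
    print(f"{seen} files in snapshot, {len(taken)} collected, tarball verifies: {ok}")
```

The design point is that the decision is recorded, not just the result: the manifest lists the four files seen and the two taken, so the choice to leave the installer and cache behind can be reviewed later, which is what the article's crime scene photograph analogy asks for.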
