
Contents

Overview of Digital Forensics
• Chapter 1: Understanding Digital Forensics
• Chapter 2: Digital Forensics Investigation Process

Digital Evidences
• Chapter 3: Data Acquisition

Tools
• Chapter 4: OS and Multimedia Forensics
• Chapter 5: Network Forensics
• Chapter 6: E-mail & Social Media Forensics
• Chapter 7: Various Internet Forensics

Forensics Reporting
• Chapter 8: Report Writing & Expert Witness

1
2
Proper Procedure
• Shutting Down the Computer
• Could lose valuable evidence found in running processes or memory
• If the computer is using hard drive encryption, you may not be able to get back into the system
• Before shutting down:
• See what is currently running on the computer
• E.g.: in Windows 10, press the Ctrl+Alt+Delete keys simultaneously, then select Task Manager
• Take a photograph of the screen rather than a screenshot

3
Proper Procedure (cont.)
• Shutting Down the Computer (cont.)
• Check if there are live connections to the system, e.g. run netstat
• Capture memory using tools

4
Proper Procedure (cont.)
• Transporting the Computer System to a Secure Location
• A seized computer left unattended can easily be compromised
• It should be locked in a vehicle and the vehicle should be driven directly to the lab

5
Proper Procedure (cont.)
• Preparing the System
• Take photographs of all the drive connections, cable connections to the case and the general work area
• If the device you have seized is a computer, remove the drive(s) from the machine and create a chain of custody form
• Can also leave the drives in the system and acquire them with forensically safe boot disks or thumb drives

6
Proper Procedure (cont.)
• Documenting the Hardware Configuration of the System
• Before disassembling the computer, it is important to take pictures of the computer from all angles
• Label each wire
• Record BIOS (basic input/output system)/UEFI (Unified Extensible Firmware Interface) information

7
Proper Procedure (cont.)
• Mathematically Authenticating Data on All Storage Devices
• Helps refute allegations that the investigator changed or altered the original evidence
• After imaging any drive, you must always create a hash of the original and of the copy, then compare the hashes
• Document what hashing algorithm you used and what the results were
• Linux has built-in tools for hashing
• Forensic tools such as EnCase, FTK and OSForensics hash the suspect drive when imaging is complete
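The image, hash and compare procedure above, as an added example (not code from the slides or from any of the tools named): it images a constructed sample source, hashes the original and the copy, compares them, and returns a record of the algorithm used and the result. It goes a little beyond the slide by handling an image split into raw segments, which must be hashed as one stream, and by writing the hash to a sidecar file as the raw format requires; the file names and the 5 MiB sample are assumptions.

```python
# Added example, not code from the slides: image a source, hash the original and
# the copy, compare them, and record the result for the case notes.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a large source never has to fit in RAM

def hash_stream(paths, algorithm="sha256"):
    """Hash one or more files as one continuous byte stream. A raw image split
    into segments (.001, .002, ...) is hashed in order so the digest matches the source."""
    h = hashlib.new(algorithm)
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
    return h.hexdigest()

def image_source(src, dst_prefix, segment_size=None):
    """Bit-for-bit copy of src into one file or into numbered segments of
    segment_size bytes; returns the output paths in order."""
    outputs, out, written = [], None, 0
    with open(src, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            while block:
                if out is None:  # start the next output file / segment
                    name = dst_prefix if segment_size is None else f"{dst_prefix}.{len(outputs) + 1:03d}"
                    out = open(name, "wb")
                    outputs.append(name)
                    written = 0
                room = len(block) if segment_size is None else segment_size - written
                out.write(block[:room])
                written += len(block[:room])
                block = block[room:]
                if segment_size is not None and written >= segment_size:
                    out.close()
                    out = None
    if out is not None:
        out.close()
    return outputs

def verify_acquisition(src, image_paths, algorithm="sha256"):
    """Compare the hash of the original with the hash of the image; the record
    documents which algorithm was used and what the results were."""
    source_hash = hash_stream([src], algorithm)
    image_hash = hash_stream(image_paths, algorithm)
    return {
        "algorithm": algorithm,
        "source": src,
        "image": list(image_paths),
        "source_hash": source_hash,
        "image_hash": image_hash,
        "match": source_hash == image_hash,
    }

def demo():
    """Constructed sample: a 5 MiB pseudo-drive imaged into 2 MiB raw segments,
    then one byte of a segment altered to show that verification catches it."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_drive.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(5 * 1024 * 1024))
    segments = image_source(src, os.path.join(workdir, "evidence.raw"), segment_size=2 * 1024 * 1024)
    good = verify_acquisition(src, segments)
    # Raw format has no room for metadata, so the check goes in a sidecar file
    with open(os.path.join(workdir, "evidence.raw.sha256"), "w") as f:
        f.write(f"{good['image_hash']}  evidence.raw\n")
    with open(segments[-1], "r+b") as f:  # simulate a corrupted segment
        first = f.read(1)[0]
        f.seek(0)
        f.write(bytes([first ^ 0x01]))
    bad = verify_acquisition(src, segments)
    return good, bad, segments
```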

8
Handling Evidence
• Collecting Data
• Avoid permanently losing data
• Always follow the order of volatility when collecting evidence

9
Handling Evidence (cont.)
• Documenting Filenames, Dates, and Times
• Sort the files based on the filename, file size, file content, creation date, and last modified date and time
• Sorted information can provide a timeline of computer usage
• Identifying File, Program and Storage Anomalies
• Review the partitions on seized hard disk drives
• Evaluate content in the Recycle Bin
• Document the issues involved, such as:
• How did you find the files?
• What condition were they in (did you recover the entire file or just part of the file)?
• When was the file originally saved?
10
Handling Evidence (cont.)
• Evidence-Gathering Measures
1. Avoid changing the evidence
• Photograph equipment in place and label wires
• Avoid heat damage and touching original evidence
2. Determine when evidence was created
• The time a document was created, the last time it was opened, the last time it was changed
3. Search throughout a device
• Search at the bit level
• Correlate evidence to activities and sources
4. Determine information about encrypted files
• Should not attempt to decode encrypted files
• Look for evidence that tells what is in the encrypted file
5. Present the evidence well
• Step-by-step reconstruction of actions with documented dates and times
• Prepare charts, graphs and exhibits that explain both what was done and how it was done
• Explain technical points clearly in plain English

11
12
Storage Formats for Digital Evidence
• Forensic acquisition tools store data as an image file.
• Each vendor has unique features and has produced several different proprietary formats.
• Many forensic analysis tools can read other vendors' acquisition formats.
• Many acquisition tools can create a disk-to-image file in an older open-source format (raw), in their own proprietary format, or in the newer open-source Advanced Forensic Format (AFF).

13
Data Acquisition Formats
Raw Format
• Bit-by-bit copy from one disk to another disk
• Creates simple sequential flat files of a suspect drive or data set
Proprietary Format
• Most commercial forensics tools have their own formats
• Proprietary formats typically offer several features that complement the vendor's analysis tool
Advanced Forensic Format
• An alternative to current proprietary disk image formats
• Can store any type of data and metadata

14
Data Acquisition Formats (cont.)
Raw Format
• Fast data transfers
• Can ignore minor data read errors on the source drive
• Most computer forensics tools can read raw format
Proprietary Format
• Option to compress or not compress image files
• Can split an image into smaller segmented files
• Can integrate metadata into the image file
Advanced Forensic Format
• Provides compressed or uncompressed image files
• No size restriction for disk-to-image files
• Provides space in the image file or segmented files for metadata

15
Data Acquisition Formats (cont.)
Raw Format
• Requires as much storage as the original disk or data
• Tools might not collect marginal (bad) sectors
• Validation check must be stored in a separate file
Proprietary Format
• Inability to share an image between different tools
• File size limitation for each segmented volume
• Used by EnCase, FTK, X-Ways Forensics, and SMART
Advanced Forensic Format
• Developed to solve the problems with the raw and proprietary formats

16
Disk Drive

17
File Systems
A set of data types employed for the storage, hierarchical categorization, management, navigation, access and recovery of data
• Provides a mechanism for users to store data logically in a hierarchy of files and directories
• Includes a format for specifying the path to a file through a structure of directories
• Different operating systems use different file system formats:
OS: File System
Windows: FAT, NTFS, exFAT
Linux: EXT, EXT2, EXT3, EXT4
Mac OS: HFS, HFS+, APFS
18
List of Disk File Systems

19
List of Disk File Systems (cont.)

20
List of Disk File Systems (cont.)

21
Popular Windows File Systems

22
Gathering Evidence on Windows Systems

23
Gathering Volatile Evidence on Windows

24
Example: Checking Current Processes
with Forensic Tool pslist
• Lists all currently running processes on the system
• Download at https://docs.microsoft.com/en-us/sysinternals/downloads/pslist
• It includes the following information:
• Elapsed time since the process was started
• CPU time spent by the process in kernel and user modes
• Physical memory assigned to the process by the OS
25
Example: Checking
Registry Entries (Regedit)

• Keys to be checked

26
Example: Resplendent Registrar
https://www.resplendence.com/registrar

• From Resplendence Software
• Allows detailed examination of Microsoft Windows registry files, with more advanced features than those offered by Microsoft's registry editor (regedit)

27
Popular Linux File Systems

28
Mac OS X File Systems

29
CD-ROM / DVD File System

30
NEXT WEEK: LAB 4 Preparation
SETTING UP THE EVIDENCE
• USB DRIVE
• You will need a USB drive (EVIDENCE) preferably 4GB or less.

31
32
Data Acquisition and Duplication
• Data acquisition is the act or process of gathering information and evidence.
• Goal: to preserve the evidence; the acquisition must not alter the data in any way and must provide an exact duplicate.
• Duplication of data is a critical part of any computer forensic investigation.

33
Duplicate Image
• To ensure that the evidence is not contaminated.
• Duplicate image allows the following:
• Preserves the original evidence
• Prevents inadvertent alteration of original evidence during
examination
• Allows recreation of the duplicate image if necessary
• Evidence can be duplicated with no degradation from copy to copy

34
Issues with Data Duplication
• May contaminate the original data – would NOT be accepted as
evidence.
• Data fragments can be overwritten and data stored in the
Windows swap file can be altered / destroyed.
• There are chances of tampering with the duplicate data.
• If the original data is contaminated, then important evidence
is lost, which causes problems in the investigation process.

35
Data Acquisition Types
Static Acquisition
• Acquiring data from a hard drive that remains unaltered when the system is powered off or shut down
• Copying a hard drive from a powered-off system
• Usually a client-based operating system
• Sources: non-volatile data, including CD-ROMs, USB thumb drives, smartphones
Live Acquisition
• Acquiring data from a running computer (already powered on when encountered at a crime scene) that would be lost when it is powered off
• Usually a server operating system
• Sources: server/desktop computer that is still running

36
Data Acquisition Types (cont.)
Static Acquisition
• When do we use it?
• The system can be shut down
• Deleted files are more important than volatile data
Live Acquisition
• Memory contains important data, e.g. passwords
• Business-critical systems that cannot be shut down
• Volatile data is more important than deleted files
• RAID system configuration
• Encrypted file system:
• BitLocker in Windows Vista
• Hardware lock in IBM machines

37
Static Acquisition
Method #1:
Using Software

38
Static Acquisition
Method #2:
Using Hardware

39
Static Acquisition
Method #3:
Using LiveCD

If the machine is shut down and the First Responder (FR) cannot get access to its hard disk, the FR can use a Live CD to boot up the machine and image the data.

40
Live Acquisition
• Run the dd or dcfldd command from the machine
• Use EnCase or a live CD to acquire data from the machine

41
Always Remember To…

The hash value is important to validate the evidence integrity in court!

42
Data Acquisition Methods
Disk-to-image file
• Most common method
• Bit-for-bit replication of the original drive
• Tools: ProDiscover, EnCase, FTK, Autopsy
Disk-to-disk copy
• Common when you have to acquire older drives
• Tools: EnCase, Norton Ghost
Logical disk-to-disk or disk-to-data file
• Captures only specific files of interest to the case or specific types of files
• E.g. collect only Outlook .pst
Sparse copy of a folder or file
• Similar to logical acquisition but also collects fragments of unallocated (deleted) data

43
Which acquisition method to use?
• Consider:
• the size of the source (suspect) disk
• whether you can retain the source disk as evidence or must return it
to the owner
• how much time you have to perform the acquisition
• where the evidence is located

44
Hardware Based Tools

Product: Voom Hardcopy
• Model: 3P
• SATA/IDE drives
• 7.1 GB per minute without hashing/checksums
• Wipes (on the destination ports only) at over 7 GB per minute
• https://www.voomtech.com/

Product: Tableau
• Model: TD2u
• SATA, USB 3.0, and IDE hard disks
• Imaging speeds in excess of 15 GB/minute (.e01, compressed with MD5 and SHA-1 hashing)
• Wiping speeds in excess of 25 GB/minute
• https://www.guidancesoftware.com/tableau

45
X-Forensik Tools
• Pendua
• A portable digital document that comes on a USB thumb drive and contains forensic duplicator software to copy evidence data from a suspect's computer at a crime scene.
• Kloner
• A lightweight portable external storage duplicator equipped with forensic data preservation functions. It is designed and developed for investigators, including first responders at a crime scene.

46
Software Based Tools
Live CD
• Example: DFLive, Helix, Kali
• Open source software
• Prevents the OS from mounting the target hard disk
• Has a compilation of forensic tools
• Uses dd or dcfldd for imaging
• Downloadable for free
dd or dcfldd Command
• dd = image only
• dcfldd = image + hash
• Command line interface
• Only available in Linux OS

47
Hardware vs Software Based Tool

Hardware-Based
• Expensive
• Fast speed
Software-Based
• Cheaper than hardware-based
• Slow speed

48
CSI…….WHAT TO EXPECT???
Physical location #1: Data Centre
• Usually a secured environment.
• Requires authorization for the search.
• Pre-communication is needed before setting off to the premises.
• For complex systems, advice from a "trusted" System Administrator is very helpful.

49
Technology @ Data Centre
• Usually a server uses a Linux or Unix operating system
• Database may be on a separate server
• May use virtualization technology
• Take note that a server can host several domains
• Backup data server may be at a separate location
• May use RAID configuration for physical hard drives
People @ Data Centre
• Operation Level: System Administrator, Web Developer, Database Administrator
• Commercial Level: Web hosting provider
• Other Level: Top management, Fraud or abuse unit or department

50
Physical location #2: Cyber Cafe
Operating system
• In Malaysia, most client PCs are using the Windows platform
• The server machine contains a lot of Windows-based applications to manage the Internet Café
• The applications/software are usually illegal copies.
• It is very rare to find a Linux or Unix operating system.

51
Technology @ Cyber Cafe
• Involves a lot of exhibits
• Commonly, there are 2 types of setting used for client PCs:
• Full-disk
• Diskless
• There is a server that serves the client PCs; the server may be located in the same premises or in other premises.
• Network-oriented environment
People @ Cyber Cafe
• Operation Level: IT Technician, Cashier
• Commercial Level: Owner
• Other Level: Student, Regular people

52
Exhibits @ Cyber Cafe
1. Server
• May contain client images
• CCTV video
2. Cashier/Manager PC
• Manages the clients (lock/unlock a client's screen)
• Users/members record
• May manage the images
3. Client PCs
• Used to access the illegal software from the server
4. Router & Switches
• Connectors between the client PCs and the server
• Contain MAC addresses

53
Physical location #3: Office Premises
Operating System
• In Malaysia, most client PCs are Windows-based
• But there is a growing trend for Mac OS
• The office may have a server room
• Server machines may use Linux

54
Technology @ Office Premises
• Exhibits are numerous
• Network-oriented environment
• Investigator may need to look at the company's network topology
• Investigator may need to narrow down the target machine by interviewing the System Administrator or the top management.
People @ Office Premises
• Operation Level: System Administrator, IT department
• Commercial Level: Accounting Manager, Finance Manager, Human Resource Manager, Procurement Manager
• Other Level: Small/home office (SOHO), Medium scale, Large

Exhibits @ Office Premises
1. Server
2. Staff PC
• Employee's data – internet activities, files & folders, etc.
• CCTV recording
• Record of customers & purchases
3. CCTV system (including DVR)
4. Routers & Switches
5. Documents (if necessary)
55
Physical location #4: Home
• Windows-based systems are widely used.
• Growing trend – Mac OS
• Occupier may have hidden devices
• May use a Linux-based OS in an intrusion-related case

56
Technology @ Home
• Basic home network with a simple setup from the ISP
• May hide their devices
• If a wireless connection is detected, they may hide their access point
People @ Home
• Suspect may be an individual, more than one person, or a group
• Unauthorized access to the occupier's network may happen if the network is not password-protected

Exhibits @ Home
• Desktop computer
• Laptop
• Netbook
• Router or switches
• Wireless router
• Mobile phones
• Cables
57
RAID Data Acquisition
• Redundant array of independent (formerly “inexpensive”)
disks (RAID)
• Computer configuration involving two or more disks
• Originally developed as a data-redundancy measure
• Size is the biggest concern
• Many RAID systems now have terabytes of data
• To acquire RAID disks, you need to determine the type of RAID
and which acquisition tool to use.
• With a firmware hardware RAID, acquiring data directly from
the RAID server might be necessary
58
Remote Network Acquisition
• You can remotely connect to a suspect computer via a network
connection and copy data from it
• Remote network acquisition tools require installing a remote
agent on the suspect computer.
• The remote agent can be detected if suspects install their own
security programs, such as a firewall.

59
Rule of Thumb
• You should have a contingency plan to ensure that you have a
forensically sound acquisition
• Make two acquisitions if you have enough data storage.
• If one acquisition becomes corrupt, the other one is available for
analysis.
• Always validate your acquisition with built-in tools from a
forensics acquisition program.

60
61
Evaluating Digital Forensics Tool Needs
• Look for versatility, flexibility, and robustness
• OS
• File system(s)
• Script capabilities
• Automated features
• Vendor’s reputation for support
• Keep in mind what OSs and what application files you will be
analyzing
• Compare platforms and applications for different tasks

62
Tasks Performed by Digital Forensics
Tools
• Follow guidelines:
• NIST’s Computer Forensics Tool Testing (CFTT) program,
• ASTM International's (formerly the American Society for Testing and Materials) E2678 standard
• International Organization on Computer Evidence (IOCE)
• ISO standard 27037 (www.iso.org/standard/44381.html)
• Digital Evidence First Responders (DEFRs) should use validated tools

63
Tasks Performed by Digital Forensics
Tools
• Five major categories:

Acquisition
Validation and Verification
Extraction
Reconstruction
Reporting

64
Acquisition
• Making a copy of the original drive
• Acquisition subfunctions:
• Physical data copy
• Logical data copy
• Data acquisition format
• Command-line acquisition
• GUI acquisition
• Remote acquisition
• Verification

65
Acquisition (cont.)
• Two types of data-copying methods are used in software
acquisitions:
• Physical copying of the entire drive
• Logical copying of a disk partition
• The formats for disk acquisitions vary
• From raw data to vendor-specific proprietary compressed data
• You can view the contents of a raw image file with any
hexadecimal editor
• Creating smaller segmented files is a typical feature in vendor
acquisition tools
• All computer forensics acquisition tools have a method for
verification of the data-copying process
• That compares the original drive with the image
66
Viewing Data in WinHex

67
Validation and Verification
• Validation is a way to confirm that a tool is functioning as intended
• Verification proves that two sets of data are identical by
calculating hash values or using another similar method
• Filtering: sorting and searching through investigation findings to
separate good data and suspicious data
• Shared Test Report: https://www.nist.gov/itl/ssd/software-
quality-group/computer-forensics-tool-testing-program-
cftt/federated-testing
• Computer Forensics Tools & Techniques Catalog:
https://toolcatalog.nist.gov/

68
Validation and Verification (cont.)
• Subfunctions:
• Hashing
• CRC-32, MD5, Secure Hash Algorithms
• Filtering
• Known system files can be ignored
• Based on hash value sets
• Analyzing file headers
• Discriminate files based on their types

69
Validation and Verification (cont.)
• Many computer forensics programs include a list of common header values
• With this information, you can see whether a file extension is incorrect for the file type
• Most forensics tools can identify header values

E.g.: a file named List.docx has "FF D8" in its header, so it is a .jpeg file, not a .docx file. If you try to open this file in Microsoft Word, you will see an error; but if you open it with an image viewer, such as Microsoft Paint, you will see the image.
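The header check above, together with the known-file hash filtering listed under the Validation and Verification subfunctions, as an added example (not from the slides or from any forensic tool): files whose hash appears in a known-file set are skipped, and the rest are classified by their leading bytes and compared with what their extension claims. The file names, contents and the known-file hash set are constructed; a real hash set would be something like the NSRL RDS.

```python
# Added example, not code from the slides: skip files whose hash is in a known-file
# hash set, then flag files whose extension contradicts their header value.
import hashlib
import os
import tempfile

# Common header values (magic numbers); "FF D8" is the slides' List.docx example.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # .docx/.xlsx/.pptx are ZIP containers
    (b"GIF8", "gif"),
    (b"MZ", "exe"),
]
# Header type that each extension is expected to carry.
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
               ".gif": "gif", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
               ".zip": "zip", ".exe": "exe", ".dll": "exe"}

def header_type(data):
    """Classify a file by its leading bytes, or 'unknown' if no signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def triage(paths, known_hashes):
    """Return {filename: (status, detail)} with status 'known' (hash in the set,
    can be ignored), 'mismatch' (extension and header disagree) or 'review'."""
    results = {}
    for path in paths:
        name = os.path.basename(path)
        if sha256_file(path) in known_hashes:
            results[name] = ("known", None)
            continue
        with open(path, "rb") as f:
            actual = header_type(f.read(16))
        expected = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
        if expected and actual != "unknown" and actual != expected:
            results[name] = ("mismatch", f"extension says {expected}, header says {actual}")
        else:
            results[name] = ("review", actual)
    return results

def demo():
    """Constructed sample files in a temp directory; the 'known' set stands in
    for a hash set of known system files (e.g. the NSRL RDS)."""
    workdir = tempfile.mkdtemp()
    samples = {
        "List.docx": b"\xFF\xD8\xFF\xE0" + b"\x00" * 60,   # JPEG disguised as a Word file
        "notes.docx": b"PK\x03\x04" + b"\x00" * 60,        # genuine Office container
        "photo.jpg": b"\xFF\xD8\xFF\xE1" + b"\x00" * 60,
        "report.pdf": b"%PDF-1.7\n" + b"\x00" * 60,
        "kernel32.dll": b"MZ" + b"\x90" * 60,              # stand-in "known system file"
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)
    known = {hashlib.sha256(samples["kernel32.dll"]).hexdigest()}
    return triage([os.path.join(workdir, n) for n in samples], known)
```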

70
Extraction
• Recovery task in a computing investigation
• Most demanding of all tasks to master
• Recovering data is the first step in analyzing an
investigation’s data
• Subfunctions:
• Data viewing
• Display allocated file data and unallocated disk areas with special
file and disk viewers
• Keyword searching
• Keyword search speeds up analysis for investigators
• Decompressing or uncompressing
• Correct algorithm for uncompressing the files
71
Extraction (cont.)
• Subfunctions: (cont.)
• Carving
• Reconstructing file fragments
• Decrypting
• From an investigation perspective, encrypted files and systems are
a problem
• Many password recovery tools have a feature for generating
potential password lists
• For a password dictionary attack
• If a password dictionary attack fails, you can run a brute-force
attack
• Bookmarking or tagging

72
Data viewing in Autopsy

73
Keyword searching in Autopsy

74
Tagging in Autopsy

75
Reconstruction
• Re-create a suspect drive to show what happened during a
crime or an incident
• Subfunctions:
• Disk-to-disk copy
• Partition-to-partition copy
• Image-to-disk copy
• Image-to-partition copy
• Disk-to-image copy
• Rebuilding files from data runs and carving
• This is easiest if a matching blank hard disk is available, same
make and model

76
Reporting
• To complete a forensics disk analysis and examination, you
need to create a report
• Subfunctions:
• Bookmarking or tagging
• Log reports
• Timelines
• Report generator
• Use this information when producing a final report for your
investigation
*NOTE: Reports generated by forensics tools are no substitute for an
investigator’s report
77
Reporting in Autopsy

78
Tool Comparisons
Function: AccessData FTK | OSForensics | EnCase | Magnet Forensics
Acquisition
Physical data copy: ✓ ✓ ✓ ✓
Logical data copy: ✓ ✓ ✓ ✓
Data acquisition formats: ✓ ✓ ✓ ✓
Command-line processes: ✓
GUI processes: ✓ ✓ ✓ ✓
Remote acquisition: ✓ ✓ ✓
Validation and Verification
Hashing: ✓ ✓ ✓ ✓
Verification: ✓ ✓ ✓ ✓
Filtering: ✓ ✓ ✓ ✓
Analyzing file headers: ✓ ✓ ✓ ✓
79
Tool Comparisons (cont.)
Function: AccessData FTK | OSForensics | EnCase | Magnet Forensics
Extraction
Data viewing: ✓ ✓ ✓ ✓
Keyword searching: ✓ ✓ ✓ ✓
Decompressing: ✓ ✓ ✓
Carving: ✓ ✓ ✓ ✓
Decrypting: ✓ ✓ ✓
Bookmarking: ✓ ✓ ✓
Reconstruction
Disk-to-disk copy: ✓ ✓ ✓ ✓
Partition-to-partition copy: ✓ ✓ ✓ ✓
Image-to-disk copy: ✓ ✓ ✓ ✓
Image-to-partition copy: ✓ ✓ ✓ ✓
Disk-to-image copy: ✓ ✓ ✓ ✓
Rebuilding files: ✓ ✓ ✓ ✓
80
Tool Comparisons (cont.)
Function: AccessData FTK | OSForensics | EnCase | Magnet Forensics
Reporting
Bookmarking/tagging: ✓ ✓ ✓ ✓
Log reports: ✓ ✓ ✓ ✓
Timeline: ✓ ✓ ✓ ✓
Report generator: ✓ ✓ ✓ ✓
Automation and other features
Scripting language: ✓
Mount virtual machines: ✓ ✓ ✓
E-discovery: ✓ ✓ ✓

81
Other Considerations for Tools
• Considerations
• Flexibility
• Reliability
• Expandability
• Keep a library with older version of your tools
• Create a software library containing older versions of forensics
utilities, OSs, and other programs

82
Validating and Testing Forensic Software
• Make sure the evidence you recover and analyze can be
admitted in court
• Test and validate your software to prevent damaging the
evidence
• Using National Institute of Standards and Technology Tools
• Using Validation Protocols

83
Using National Institute of Standards and
Technology (NIST) Tools
• Computer Forensics Tool Testing (CFTT) program
• Manages research on computer forensics tools
• https://www.nist.gov/itl/ssd/software-quality-group/computer-
forensics-tool-testing-program-cftt
• NIST has created criteria for testing computer forensics tools
based on:
• Standard testing methods
• ISO 17025 criteria for testing items that have no current standards

84
Accredited DF Labs

85
Using National Institute of Standards and
Technology (NIST) Tools (cont.)
• DF lab must meet the following criteria:
• Establish categories for digital forensics tools
• Identify digital forensics category requirements
• Develop test assertions
• Identify test cases
• Establish a test method
• Report test results

86
Using Validation Protocols
• Always verify your results
• Use at least two tools
• Retrieving and examination
• Verification
• Understand how tools work
• One way to compare results and verify a new tool is by using a
disk editor
• Such as Hex Workshop or WinHex
• But it won't work with encrypted or compressed files

87
Using Validation Protocols (cont.)
• Disk editors
• Do not have a flashy interface
• Reliable tools
• Can access raw data
• GUI forensics tool
• Digital Forensics Examination Protocol
1. Perform the investigation with a GUI tool
• Usually FTK or EnCase
2. Verify your results with a disk editor
3. If a file is recovered, compare hash values obtained with both
tools

88
Using Validation Protocols (cont.)
• GUI forensics tool (cont.)
• Computer Forensics Tool Upgrade Protocol
• Test
• New releases
• OS patches and upgrades
• If you find a problem, report it to forensics tool vendor
• Do not use the forensics tool until the problem has been fixed
• Use a test hard disk for validation purposes
• Check the Web for new editions, updates, patches, and validation
tests for your tools

89
90
Forensics Imaging
• Imaging Using DD and DCFLDD
• https://youtu.be/V4SyO7-bgCE
• Imaging with OSForensics
• https://youtu.be/5RZkOWtZZp4
• Imaging with FTK Imager
• https://youtu.be/1OxR4KLj-4I

91
