Chapters 3, 4, 5, 6 and 7
Chapter 3: Collecting Evidence
Outlines
o When the device is off
o When the device is on
o Live investigation: Preparation
o Live investigation: Conducting
o Live investigation: Afterthoughts
Evidence collection
Evidence collection is the act of documenting an organization's compliance
processes and outcomes.
Documenting Evidence
Relevant and fact-based
Understandable format
Clearly written
Describes the evidence collection process
Results clearly stated
Why Collect Evidence?
The simple reasons for collecting evidence are:
Future prevention: without knowing what happened, you have no hope of ever
being able to stop someone else from doing it again.
Responsibility: the attacker is responsible for the damage done, and the only way to
bring him to justice is with adequate evidence to prove his actions.
The victim has a responsibility to the community: information gathered after a compromise
can be examined and used by others to prevent further attacks.
Presenting Computer Evidence in Court
Four types of computer evidence may be presented in court
Real—actual and tangible
Documentary—written
• Evidence in a computer crime case may differ from traditional forms of evidence in as
• The evidence must be competent, relevant, and material to the issue, and it must be
presented in compliance with the rules of evidence.
• Anything that tends to prove directly or indirectly that a person may be responsible for
the commission of a criminal offense may be legally presented against him.
• Proof may include the oral testimony of witnesses or the introduction of physical or
documentary evidence.
Rules of Evidence
• Admissible: Must be able to be used in court or elsewhere.
Types of Evidence
• The most common forms of evidence are direct, real, documentary, and demonstrative.
• Direct evidence is oral testimony, whereby the knowledge is obtained from any of
the witness’s five senses and is in itself proof or disproof of a fact in issue.
• Real evidence, also known as associative or physical evidence, is made up of
tangible objects that prove or disprove guilt.
• Documentary evidence is evidence presented to the court in the form of business
records, manuals, and printouts, for example. Much of the evidence submitted in
a computer crime case is documentary evidence.
• Demonstrative evidence is evidence used to aid the jury. It may be in the form of a
model, experiment, chart, or an illustration offered as proof.
Cont’d …
• When seizing evidence from a computer-related crime, the investigator should collect any
and all physical evidence, such as the computer, peripherals, notepads, or documentation,
in addition to computer-generated evidence.
Best evidence rule
• The best evidence rule, which had been established to deter any alteration of evidence,
either intentionally or unintentionally, states that the court prefers the original evidence at
the trial rather than a copy, but will accept a duplicate under these conditions:
• The original was lost or destroyed by fire, flood, or other acts of God. This has
included such things as careless employees or cleaning staff.
• The original was destroyed in the normal course of business.
• The original is in the possession of a third party who is beyond the reach of the court's orders.
Exclusionary and Hearsay Rules
• Evidence must be gathered by law enforcement in accordance with court guidelines
governing search and seizure or it will be excluded (Exclusionary Rule).
• Any evidence collected in violation of the guideline is considered to be “Fruit of the
Poisonous Tree” and will not be admissible.
• Evidence may also be excluded for other reasons, such as violations of the Electronic
Communications Privacy Act (ECPA).
• Hearsay is secondhand evidence: evidence that is not gathered from the personal knowledge
of the witness but from another source.
• Its value depends on the veracity and competence of the source.
• Under the US Federal Rules of Evidence, all business records, including computer records,
are considered hearsay, because there is no firsthand proof that they are accurate, reliable, and
trustworthy.
• In general, hearsay evidence is not admissible in court.
Top 10 Locations for Evidence
1) Internet history files
2) Temporary Internet files
3) Slack/unallocated space
4) Buddy lists, personal chat room records, P2P, other saved areas
5) Newsgroups/club lists/postings
6) Settings, folder structure, file names
7) File storage dates
8) Software/hardware added
9) File sharing ability
10) E-mails
Digital evidence
"Any data that is recorded or preserved on any medium in or by a computer system
or other similar device, that can be read or understood by a person or a computer
system or other similar device.
It includes a display, print out or other output of that data."
Characteristics include:
Latent, like a fingerprint or DNA
Fragile: can be easily altered, damaged, or destroyed
Can be time sensitive
Types of Digital evidence
1. PERSISTENT DATA,
meaning data that remains intact when the computer is turned off, e.g. hard
drives, disk drives and removable storage devices (such as USB drives or flash
drives).
2. VOLATILE DATA,
which is data that would be lost if the computer is turned off, e.g. deleted files,
computer history, the computer's registry, temporary files and web browsing
history.
Digital evidence
When the device is off: there is only the data stored on static storage, such as
a hard drive, for you to examine.
However, some processing still needs to be done before you can analyze the
actual data on the storage unit.
When conducting a forensic examination, especially in law enforcement, actions
must be taken to eliminate any chance of modifying the actual evidence.
Contaminated evidence will in turn not be viable in court.
Live evidence: the rule of thumb is to always document, in detail, what you do to
live evidence.
Digital evidence…
The goal of any software is to create a bit-by-bit copy of the original data and then
Digital Evidence Collection …
There are three main steps of live investigations: preparation, conducting, and afterthoughts.
Live Investigation: Preparation
The preparation step is divided into two parts:
1. General (indicated by orange boxes in the figure): this step is divided into creating a process and a response kit.
Creating a process concerns putting into words and deciding how to carry out the rest of
the tasks in the process.
The process should cover a list of the hardware and software you need, the persons that are
supposed to carry out live searches and preferably the competences needed.
2. Specific: concerned with the preparation related to the specific live investigation in question.
Make any preparations needed for the specific live investigation, including gathering
additional tools and knowledge, and get in contact with any other persons that are
involved in the house search.
Evidence Collection …
Live Investigation: Conducting
Conducting is done together with police officers and any other forensic experts.
The conducting step involves all tasks that are performed on-site, and has two important caveats:
1. Depending on legislation or a corporate environment, you will have different rules and
regulations that restrict how you may work.
2. Depending on the type of investigation and when you are called to the scene, all steps
may not apply.
The live investigation should have the following ultimate goals:
Document what is visually present on screen
Collect volatile data
Check if any data is encrypted and secure data from encrypted storage
Provide clues for the continued house search
Evidence Collection …
Live Investigation: Afterthoughts
The first thing to do is to write a protocol that describes what was done and any
possible findings during the live investigation.
The responsibility for documenting may vary between different legal systems, but at
the very least you should document what you have done during the live
investigation.
Chapter 4
Collecting Data
Outlines
o Imaging
o Collecting memory dumps
o Collecting registry data
o Collecting video from surveillance
Collecting Data
A forensic examination will most likely begin with collecting data.
Data is collected from different sources such as hard drives, the Windows registry, and volatile
sources.
It is also common, especially in incident response, to collect live data from a network and
networking devices such as routers and switches.
Collecting data from video surveillance systems can be a tedious task that often falls into
the hands of a forensic examiner.
Imaging: is the process of copying a hard drive or other secondary storage media into a
forensic image that can be used for the forensic examination.
An important aspect of a forensic examination is to ensure that the actual data on the hard
drive that is to be examined is not compromised, and the only way to fully ensure this is by making
a forensic image and examining the image.
Collecting Data
Imaging: ….
The best and safest way to create a forensic image is making a physical image of a
hard drive.
To do this, you physically remove the hard drive from the computer and connect it to
your own computer using a write blocker.
A write blocker is a device that prohibits your computer from writing to the hard drive.
To make a disk image with FTK you can use the program FTK Imager.
Selecting an image file or the contents of a folder will let you browse for the image or
folder you want to import.
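The imaging step above, as an added example that is not part of the slides and not FTK Imager's code: a bit-by-bit copy of a source into an image file, hashed while reading, re-hashed from the written image, and recorded in the kind of note that goes into the protocol. The source is a constructed 1 MiB byte string standing in for a drive behind a write blocker; the examiner name is a placeholder.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read size; real drives are imaged in far larger blocks


def image_stream(src, dst):
    """Copy src to dst byte for byte, hashing the stream while copying.

    Returns (bytes_copied, sha256_hex). The source is only ever read; the
    write protection itself comes from the hardware write blocker, not code.
    """
    h = hashlib.sha256()
    copied = 0
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            break
        dst.write(chunk)
        h.update(chunk)
        copied += len(chunk)
    return copied, h.hexdigest()


def hash_file(path):
    """Re-read the finished image independently so the copy can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src, image_path, examiner, source_desc, expected_size):
    """Image one source and return the note an examiner records in the protocol."""
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(image_path, "wb") as dst:
        size, acq_hash = image_stream(src, dst)
    ver_hash = hash_file(image_path)
    return {
        "examiner": examiner,
        "source": source_desc,
        "started_utc": started,
        "bytes": size,
        "sha256_acquisition": acq_hash,   # hash of what was read from the source
        "sha256_verification": ver_hash,  # hash of the image file on disk
        "verified": size == expected_size and acq_hash == ver_hash,
    }


# Constructed stand-in for a 1 MiB drive: an NTFS-like boot sector start plus filler.
SAMPLE_DRIVE = b"\xeb\x52\x90NTFS    " + b"\x00" * (1024 * 1024 - 11)


def demo():
    """Image SAMPLE_DRIVE into a temporary directory and return the note."""
    with tempfile.TemporaryDirectory() as d:
        note = acquire(io.BytesIO(SAMPLE_DRIVE), os.path.join(d, "evidence.dd"),
                       "examiner (placeholder)", "constructed sample drive",
                       len(SAMPLE_DRIVE))
    # Cross-check the acquisition hash against an independent hash of the source.
    note["source_hash_matches"] = (
        note["sha256_acquisition"] == hashlib.sha256(SAMPLE_DRIVE).hexdigest())
    return note


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```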
Imaging …
[Slide figure: FTK Imager, selecting a physical drive as the source]
Collecting Memory Dumps
Memory can hold a lot of interesting information, including encryption keys, encrypted
data in its decrypted form and more.
Unfortunately, the possibility to collect memory only presents itself during live
investigations, as the memory is volatile and its content is lost when the power is
turned off.
However, collecting the data in memory should be a natural part of the forensic
process whenever possible.
The most common way to collect memory is by using some trusted tool from within the
operating system of the computer from which you are going to collect the memory
dump.
One tool that can be used for this purpose is FTK Imager.
Cont'd
collecting memory is that the memory dump is stored as one big file
DMA attacks exploit the design of the IEEE 1394 interface, specifically the part of the
standard called DMA (direct memory access).
Many different connectors, including FireWire, Thunderbolt, PC Card, and other PCI
Express devices, use the IEEE 1394 interface and are thereby susceptible to a DMA attack.
To conduct a DMA attack, you would connect your computer to the victim computer and
present your computer as an SBP-2 unit directory.
The victim computer will then give you read/write access to the lower 4 GB of its RAM,
allowing you to dump it.
One tool for DMA attacks is Inception, a free open-source tool that makes the attack easy to
carry out; the drawback is that you only get access to the lower 4 GB of RAM, and modern
computers often hold much more memory.
Cont'd …
A cold boot attack is an attack where you basically freeze the memory modules, reboot
the victim computer and use a USB stick to make it boot a small program designed to
dump the contents of memory.
The attack is possible due to the fact that when a computer is rebooted or turned off,
data in memory is not lost immediately.
Collecting Registry Data
To analyze the registry, you need to collect the registry hives.
Collecting the registry hives is a straightforward process.
If you are examining the forensic image of a computer, the registry hives are stored
as files in the system partition.
They are located in the folder "C:\Windows\System32\config\".
NTUSER.DAT is located in the root of each user's home directory.
Collecting Network Data
A source of information that is sometimes important in criminal investigations and in
incident response is the actual network infrastructure.
By collecting data from the network and information from network devices, a
Computer Security Incident Response Team (CSIRT) or forensic examiner can get an
understanding of what is actually going on in the network.
In incident response, an incident could be that malware has infected some device in
the network and is using it to relay malicious e-mails to other organizations.
A CSIRT would be very interested in swiftly locating the infected host, and in monitoring
network traffic to identify the originating device of those e-mails.
Collecting and analyzing network traffic can be done with a number of different tools
and usually requires some knowledge about data communication.
Collecting Network Data
While monitoring the actual traffic is powerful, network devices such as routers, switches,
firewalls, and intrusion detection systems (IDS) should be given equal attention.
Routers and switches are used to forward data from one location to another,
while firewalls and IDS determine and monitor what type of traffic can leave and enter
the network.
These devices contain log files or volatile data that describe the rules that are in use at the moment
and how they were recently applied.
They can answer questions about who communicated with whom and what service (or at least port
number) was used for communication.
A very common objection to evidence found in a computer during a forensic
examination in law enforcement is that the computer must have been remote controlled.
While it is very hard to determine that a computer wasn't remote controlled,
Collecting Video from Surveillance
Collecting video from surveillance is not as easy as you would think.
You never know what to expect when you set out to collect video from surveillance
equipment.
There are loads of different manufacturers, standards, and approaches to recording and
storing surveillance video.
Some systems only accept FAT32-formatted memory sticks, while others require
NTFS or even ext4 formatting due to file size limitations.
Time is critical when dealing with surveillance video.
It's essential to record both the surveillance equipment's timestamp and the current
accurate time, noting any differences.
Being prepared and adaptable is key to successfully collecting video from surveillance
equipment.
Process of a Live Examination
The process of a live examination is often more comprehensive than just imaging,
collecting memory, and collecting registry data.
At a minimum, you would also like to collect information about time settings, active
users, devices connected via USB or the network, and document active programs.
Reading assignment
Chapter 5:
Analyzing Data and Writing Reports
Setting the Stage
o A general rule in criminal investigations is that everyone is innocent until proven guilty
and that investigations should not aim to prosecute a specific person but to uncover the
truth.
o This is achieved in different ways, including that suspects have the right to a proper
defense, investigations should be unconditional and transparent, and the defense should
be able to know how conclusions were reached so that they can be disputed.
o The analysis and report writing of a forensic expert has to make sure that the work meets
the following requirements:
o Unbiased: incriminating and exonerating evidence is considered and taken into account.
In reality, this would mean that if you are asked to see if a computer was used during a
specific period in time
o Reproducible: meaning that you document the basis for your conclusions well enough for
someone else to replicate your analysis. The general idea is that if someone does the
Forensic Analysis
o Forensic analysis is a way of answering the questions that the investigation has.
o To answer the questions, use:
o the forensic image
o the live investigation
o other sources of information such as interrogations, or whatever seems reasonable
in your case
o It is usually necessary to clarify the purpose of the forensic investigation,
o e.g. "Find all incriminating or exonerating evidence in relation to online fraud".
Forensic Analysis
o What is considered while doing the analysis:
o Account for all data
o Get the computer install date, operating system version, list of users and registered owner
o Get time zone information and clock settings
o Find network drive mappings
o When you have completed the investigation and used different methods to search through the data on the
computer you are examining, it is time to analyze the information you found and draw conclusions.
o When you have completed your analysis, it is time for the final task of reporting your findings in a good
report, and that deserves a section of its own.
Reporting
o The final step in a forensic analysis is to write a report.
o The report basically serves two purposes:
1. to present the objective findings, and then it may include conclusions based on the
findings.
2. to make clear that the conclusions always depend on the knowledge and interpretation of
the findings; thus the conclusions are in some sense subjective.
o The content of a report differs based on legislation and local policies.
o All reports include:
o Case data
o Purpose of examination
o Findings
o Conclusions
Chapter 6
Indexing, Searching and Cracking
Outlines
o Indexing
o Searching
o Cracking
Indexing
o A text index is commonly used for two purposes:
1. as a database that allows for fast searching using keywords or regular expressions;
2. it can be extracted and used as a dictionary in password cracking attempts.
Indexing is a technique where you create an index of a forensic image.
When creating an index, the data on the hard drive is viewed in alphanumerical form.
The data is read from beginning to end, and all cohesive strings are listed in the
index.
The resulting index is useful in two ways:
1. Use the index to do fast searches for keywords,
e.g. the forensic software returns all files that contain that keyword.
2. Use the index as a word list in password cracking.
Since the index contains every alphanumerical string present on the device that you are examining,
there is a good chance that it contains one or more passwords related to something on the
Indexing
o For indexes, there are some terms that you need to be familiar with: spaces, letters and
noise words.
o Spaces are symbols that are used to separate the data into strings.
o Letters are the symbols that make up a string.
o Noise words are words that are ignored in the index because they are considered too
frequent,
o e.g. words like it, and, or.
o The strings from the sample data that can be added to the index are the following:
o Stretch
o Center
o FF
o The reason is that those strings are the cohesive strings of signs defined as letters in the
sample data.
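The indexer described on the two slides above, as an added example that is not part of the slides and not FTK's or Autopsy's code: it reads constructed sample data from beginning to end, treats every symbol that is not a letter as a space, drops noise words, and keeps the byte offsets so that an index search is a lookup and the strings can be exported as a word list. With letters limited to A-Z/a-z the sample yields exactly Stretch, Center and FF; widening the character set to digits (as tools let you choose) yields FF808080 instead.

```python
import string

# Terms from the slide: letters make up a string, everything else is a space
# that separates strings, and noise words are dropped. Digits are not letters
# in this default set, which is why "FF808080" in the sample yields only "FF".
LETTERS = frozenset(string.ascii_letters)
ALNUM = LETTERS | frozenset(string.digits)  # wider character set, selectable in tools
NOISE_WORDS = frozenset({"it", "and", "or", "the", "a"})

# Constructed sample data (not the slide's): text runs interleaved with binary bytes.
SAMPLE_DATA = b"Stretch it and Center\x00\x00\x01FF808080;\x02\x03Stretch\r\nit or Center"


def build_index(data, letters=LETTERS, noise_words=NOISE_WORDS, min_length=2):
    """Read data from beginning to end and list every cohesive run of letters.

    Returns {string: [byte offsets]}, so an index search is a dictionary lookup.
    min_length mirrors the string-length option forensic tools offer.
    """
    text = data.decode("latin-1")  # one character per byte keeps offsets exact
    index = {}
    start = None
    for pos, ch in enumerate(text + " "):  # trailing space flushes the last run
        if ch in letters:
            if start is None:
                start = pos
            continue
        if start is None:
            continue
        word, word_start, start = text[start:pos], start, None
        if len(word) >= min_length and word.lower() not in noise_words:
            index.setdefault(word, []).append(word_start)
    return index


def index_search(index, keyword, case_sensitive=False):
    """Index search: instant, but only for whole strings that made it into the index."""
    if case_sensitive:
        return {keyword: index[keyword]} if keyword in index else {}
    return {w: offs for w, offs in index.items() if w.lower() == keyword.lower()}


def wordlist(index):
    """The second use of an index: its strings as a dictionary for password recovery."""
    return sorted(index)


if __name__ == "__main__":
    idx = build_index(SAMPLE_DATA)
    print(idx)                          # {'Stretch': [0, 35], 'Center': [15, 50], 'FF': [24]}
    print(index_search(idx, "center"))  # {'Center': [15, 50]}
    print(wordlist(idx))                # ['Center', 'FF', 'Stretch']
    print(sorted(build_index(SAMPLE_DATA, letters=ALNUM)))  # 'FF808080' replaces 'FF'
```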
Indexing
o Understanding how indexing works is crucial for conducting efficient searches.
o Indexing involves creating a structured data format that maps specific terms or
keywords to their locations within a dataset, such as text documents or databases.
o The representation "FF808080" likely refers to a hexadecimal color code, which can be
interpreted as a format or encoding method when letters represent numbers.
o During the indexing process, noise words like "Center" are often filtered out to focus on
more relevant terms, optimizing the index for faster and more accurate searches.
o Forensic tools commonly offer options to control the string length used in index entries,
allowing customization to meet specific analysis needs.
o Tools like Autopsy enable users to select specific character sets (comprising letters,
numbers, signs, etc.) for inclusion in searches. This customization is particularly
important for tasks like password cracking.
o Indexing plays a significant role in password cracking by facilitating faster searches for
specific character combinations or patterns within large datasets, leveraging indexing
efficiency to quickly identify potential passwords.
Searching
o A very common task during forensic examinations is to search for keywords.
o Although searching is a common and important task, it can be time consuming.
o Most forensic tools, including FTK, provide two different ways to conduct searches:
1. Live searches: quite straightforward;
they are not constrained by a precomputed index, can search for any sign you want, and most
forensic tools accept some kind of regular expressions;
more flexibility than index searches.
2. Index searches: very fast, and you commonly get the results instantly, but
o finding specific sentences can be challenging, even though many indexing search
engines allow the use of regular expressions and logical operators.
In FTK, live and index searches are conducted from within the case analysis mode in
the tabs "Live Search" and "Index Search".
Searching
o Digging deeper, keywords for any type of search can be expressed in two
different ways:
1. Exact words: a simple task; the keywords are matched exactly as written.
2. Regular expressions: expressing patterns using what is called a regular expression
language, for:
Variations in spelling: a word spelled in different ways, such as ecstasy or Xstasy.
Searching for patterns: matching any e-mail address, phone number,
credit card number or social security number.
E.g. [a-zA-Z] will match any upper or lowercase English letter.
Any proper forensic software supports both exact and regular expression searches.
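A live search of the kind the slide describes, as an added example that is not part of the slides and not FTK's code: regular expressions for spelling variations and for e-mail and phone-number patterns run over raw bytes (text, NUL padding and binary mixed together), plus an exact-word search through the same engine. The sample data, the patterns and the loose phone shape are constructed for the example.

```python
import re

# Constructed sample of raw data as a live search sees it (not from the slides):
# chat text, NUL padding and some binary bytes in between.
SAMPLE_DATA = (
    b"chat log 2015/06/02\r\nbob: got any ecstasy? \x00\x00"
    b"alice: the Xstasy is with dealer@example.invalid\r\n"
    b"\xff\xd8\xff\xe0 binary \x00 call +1 555 0100 or 555-0199"
)

PATTERNS = {
    # Variations in spelling of one word, expressed as a single regex.
    "ecstasy_variants": rb"\b(?:e[cx]s?ta[sc]y|x[cs]?ta[sc]y)\b",
    # Pattern matching: anything shaped like an e-mail address.
    "email": rb"\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b",
    # Loose phone-number shape: optional country code, then 3 + 4 digits
    # separated by a space or hyphen. Triage, not proof.
    "phone": rb"(?<!\d)(?:\+?\d{1,3}[ -])?\d{3}[ -]\d{4}(?!\d)",
}


def live_search(data, patterns, context=12):
    """Run every regex over the raw bytes; report each hit with surrounding bytes."""
    hits = []
    for name, pat in patterns.items():
        for m in re.finditer(pat, data, flags=re.IGNORECASE):
            lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
            hits.append({
                "pattern": name,
                "offset": m.start(),
                "match": m.group().decode("latin-1"),
                "context": data[lo:hi].decode("latin-1"),
            })
    return sorted(hits, key=lambda h: h["offset"])


def exact_word_search(data, word):
    """Exact-word search through the same engine: the keyword is escaped so
    characters such as '.' or '+' are taken literally, not as regex operators."""
    pat = rb"\b" + re.escape(word.encode("latin-1")) + rb"\b"
    return [m.start() for m in re.finditer(pat, data, flags=re.IGNORECASE)]


if __name__ == "__main__":
    for hit in live_search(SAMPLE_DATA, PATTERNS):
        print(f'{hit["offset"]:5d} {hit["pattern"]:17s} {hit["match"]!r}  ...{hit["context"]!r}')
    print(exact_word_search(SAMPLE_DATA, "xstasy"))
```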
Cracking
o Cracking, also called hacking, intrusion or whatnot, is the art of breaking something.
o It is to break passwords or encryption to get access to data, or to break authentication
systems to gain access to some system.
o In the context of digital forensics, cracking is a common practice used to get access to
data that someone made unavailable.
o Tools for password cracking include AccessData Password Recovery Toolkit (PRTK) and the
open-source alternative Hashcat.
o Use of the DMA attack to bypass authentication mechanisms of operating systems.
o Password Cracking Using PRTK
o PRTK is a tool that can crack a large number of different file types and encryption
schemes.
Cracking
o The following procedure is used for password cracking:
Create dictionaries.
Create an attack profile.
Run the attack.
Password Cracking Using Hashcat: a vastly different approach than using
PRTK. Perhaps the most notable differences are the following:
Hashcat expects a password hash to be cracked.
Hashcat is a cracking tool and not a dictionary utility.
Hashcat is a password cracker: it supports many hash algorithms but
does not include decryption attacks.
It is a CLI cracker, not a GUI.
Chapter 7
Finding Artifacts
Outlines
o Install date
o Time zone information
o Users on the system
o Registered owner
o Partition analysis and recovery
o Deleted files
o Analyzing compound files
o Analyzing file metadata
o Analyzing log files
o Analyzing unorganized data
Artifacts
o In doing a forensic examination to answer the questions asked by the investigation, you
need to look for evidence that you can use to draw conclusions.
o The pieces of evidence that you find are sometimes referred to as artifacts.
o Install date: the install date of the computer can be of great importance.
o e.g. Imagine you're investigating an event from 2015. If a computer was set up in 2016,
finding relevant information on it will likely be challenging, so you might choose to
disregard that computer. Additionally, if a suspect claims to have purchased a computer
in 2017 but it shows signs of being installed in 2015, this could raise suspicions that the
suspect is concealing information.
o Anyhow, the install date is found in the Windows registry, in the SOFTWARE hive.
o Using AccessData Registry Viewer, the install date can be found by viewing common
Artifacts
o The InstallDate key can also be found by browsing the registry hive to the following
path: Microsoft\Windows NT\CurrentVersion.
o The world is divided into time zones that make the time differ from location to location.
o The time zone settings on your computer will therefore affect the displayed time and the
time that is noted in time stamps.
o The time zone is sometimes expressed as the name of the time zone (Pacific Standard
Time) or as the offset from UTC (UTC-08:00).
o Time zone settings applied for a computer are found in the Windows registry, in the
SYSTEM hive, in the following path: ControlSet001\Control\TimeZoneInformation
o The system clock is also dependent on the daylight saving settings.
o Daylight saving time tells you to turn the clock one hour back in the fall and one hour
forward in the spring.
o Users in the system: finding out what users are present in the system.
o There are several ways to find out what users are present in the system, such as
looking at which users have home folders in the Users folder.
o The registry is a much safer way to find out the users of the system.
o Information about the users in the system is present in the SAM hive under the key:
SAM\SAM\Domains\Account\Users.
o This is a good place to describe user identifiers (RIDs) in Windows.
The RID for the built-in Administrator account is always 500 and the Guest account is
always 501.
The SAM registry hive tells you the users present in the system, and AccessData Registry
Viewer will evaluate the RID and username for each user.
The registry keeps track of the number of logins for each user, when the user last logged
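The three registry artifacts from the slides above (install date, time zone with daylight saving, users by RID), worked as an added example that is not part of the slides and not Registry Viewer's code. The values are constructed stand-ins for what a registry viewer shows from the SOFTWARE, SYSTEM and SAM hives; the value formats relied on (InstallDate as seconds since 1970 UTC, TimeZoneInformation biases in minutes with UTC = local time + Bias, SAM user subkeys named by RID in hex) are standard Windows behaviour that the slides do not spell out.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the values AccessData Registry Viewer would show.
SOFTWARE_CURRENT_VERSION = {  # SOFTWARE: Microsoft\Windows NT\CurrentVersion
    "InstallDate": 1433203200,  # seconds since 1970-01-01 UTC
    "ProductName": "Windows 7 Professional (constructed)",
}
SYSTEM_TIMEZONE = {  # SYSTEM: ControlSet001\Control\TimeZoneInformation
    "StandardName": "Pacific Standard Time",
    "Bias": 480,            # minutes; UTC = local + Bias, so 480 is UTC-08:00
    "DaylightBias": -60,    # one hour forward in spring
    "ActiveTimeBias": 420,  # bias in effect when the hive was last written (DST on)
}
SAM_USERS = {  # SAM: SAM\SAM\Domains\Account\Users, one subkey per RID in hex
    "000001F4": {"name": "Administrator"},
    "000001F5": {"name": "Guest"},
    "000003E8": {"name": "alice"},
    "Names": {},  # lookup subkey, not a user
}


def install_date_utc(seconds):
    """InstallDate as an aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def offset_label(bias_minutes):
    """Express a registry Bias the way the slide does: UTC-08:00, UTC+05:30, ..."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def to_local(utc_dt, active_bias):
    """Local time as the machine would have displayed it, daylight saving included."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-active_bias)))


def classify_rid(rid):
    """Well-known RIDs from the slide plus the range Windows uses for created accounts."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "user-created account"
    return "other well-known account"


def users_from_sam(users_key):
    """Turn the Users subkeys into sorted (rid, name, classification) tuples."""
    users = []
    for subkey, values in users_key.items():
        if subkey == "Names":
            continue
        rid = int(subkey, 16)
        users.append((rid, values.get("name", "?"), classify_rid(rid)))
    return sorted(users)


def summarize(software, system, sam):
    """The artifact summary an examiner would put in the report."""
    installed = install_date_utc(software["InstallDate"])
    return {
        "install_utc": installed.isoformat(),
        "install_local": to_local(installed, system["ActiveTimeBias"]).isoformat(),
        "time_zone": f'{system["StandardName"]} ({offset_label(system["Bias"])})',
        "dst_in_effect": system["ActiveTimeBias"] != system["Bias"],
        "users": users_from_sam(sam),
    }


if __name__ == "__main__":
    for k, v in summarize(SOFTWARE_CURRENT_VERSION, SYSTEM_TIMEZONE, SAM_USERS).items():
        print(f"{k}: {v}")
```

Note that the same InstallDate reads as 2 June 2015 in UTC but 1 June in the machine's local time, which is exactly the kind of difference the time zone slide warns about.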
Registered Owner
o When installing Windows, you can register a name as the registered owner of the
system, and this information is kept in the registry.
o The registered owner is present in the SYSTEM registry hive at the following
o Partition analysis and recovery: accounting for all data on a hard drive is essential and
a good way to identify hidden partitions or slack space.
Deleted Files
o Finding deleted files is a very common task for a computer forensic expert.
o In criminal investigations, deleted files are of great importance, since suspects delete files to
cover their tracks.
Deleted Files
Recovering files deleted from the MFT: Windows systems commonly use the NTFS file
system, and all files are listed in the Master File Table (MFT).
When a file is deleted, the file entry in the MFT is removed, but the actual file content is
commonly left on the hard drive until it is overwritten.
A file carver is a tool that does the carving process and generates a file that can be used
as evidence; it has to be:
A compound file is basically a file that maintains its own file structure, and includes file
types such as compressed files and Microsoft Office files.
The same can be done in Autopsy using the ingest module "Embedded File Extractor".
While carving focuses on actual file content, metadata is often of equal interest to a forensic examiner:
most file systems attach some metadata, including time stamps, to all files in the file
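The carving process the slide refers to, as an added example that is not part of the slides and not any carver's own code: header/footer carving over a byte region the file system no longer references (unallocated space after an MFT entry is gone). The signature table, the JPEG- and PNG-shaped blobs and the surrounding region are constructed for the example; the blobs only have the right framing, not valid image content.

```python
import hashlib

# Header, footer and a size cap for each file type worth carving. Constructed
# list for the example; real carvers know many more types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Header/footer carving: pair each header with the nearest footer within
    the size cap. Fragmented files are not reassembled, which is the known
    limit of this technique; hashing each result makes it citable as evidence."""
    found = []
    for ext, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            limit = min(len(data), start + max_len)
            end = data.find(footer, start + len(header), limit)
            if end < 0:          # header without a footer in range: skip it
                pos = start + 1
                continue
            end += len(footer)
            blob = data[start:end]
            found.append({"type": ext, "offset": start, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


# Constructed unallocated region: zero fill, a JPEG-shaped blob, more fill,
# a PNG-shaped blob, and a trailing run of 0xFF that is not a header.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"J" * 200 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"
SAMPLE_UNALLOCATED = b"\x00" * 100 + FAKE_JPEG + b"\x00" * 50 + FAKE_PNG + b"\xff" * 30


if __name__ == "__main__":
    for f in carve(SAMPLE_UNALLOCATED):
        print(f)
```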
Analyzing Compound Files
Analyzing File Metadata…
NTFS time stamps: created, accessed, modified and MFT modified time.
Analyzing log files includes messages going in and out of a chat application, or analyzing transactions
to and from a bitcoin wallet.
Analyzing chat logs is commonly a quite straightforward process, as the structure of chat logs tends to
be rather obvious.
Analyzing Unorganized Data
A hard drive contains unorganized data, including slack space, which is residual data left behind after
file deletion.
Other sources of unorganized data in forensic examinations include the pagefile and memory dumps, as
well as the hiberfile created during Windows hibernation.
Despite their categorization as unorganized, the pagefile, hiberfile, and memory dumps can actually be
analyzed in a structured manner, as detailed in memory analysis.
These data sources, due to their unique handling within the operating system, often yield valuable
artifacts.
The pagefile and hiberfile, much like memory dumps, store information used by the computer, such as
data swapped from working memory or the machine state during hibernation.
For instance, if a file occupying five clusters is deleted and replaced by a new file that is four and a
half clusters large, the remaining half cluster contains file slack, potentially harboring fragments of
various file types and information.
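The five-cluster example above, worked as an added example that is not part of the slides: a constructed volume with 4096-byte clusters, a five-cluster file whose MFT entry is dropped without touching its clusters, and a four-and-a-half-cluster file written over them, after which the new file's slack is read back and shown to be the tail of the old file.

```python
CLUSTER = 4096  # cluster size of the constructed volume (a common NTFS default)


def clusters_needed(size, cluster=CLUSTER):
    """Ceiling division: how many clusters a file of this size occupies."""
    return -(-size // cluster)


def file_slack(size, cluster=CLUSTER):
    """Bytes between the logical end of a file and the end of its last cluster."""
    return clusters_needed(size, cluster) * cluster - size


def write_file(volume, first_cluster, content, cluster=CLUSTER):
    """Write content into consecutive clusters. Like a real file system, only
    the bytes of the file are written; the rest of the last cluster is untouched."""
    start = first_cluster * cluster
    volume[start:start + len(content)] = content


def slack_bytes(volume, first_cluster, size, cluster=CLUSTER):
    """Return the file slack of an allocated file on the volume."""
    base = first_cluster * cluster
    return bytes(volume[base + size: base + clusters_needed(size, cluster) * cluster])


def slide_scenario(cluster=CLUSTER):
    """The slide's example: a five-cluster file is deleted and a file of four
    and a half clusters is written over the same clusters."""
    volume = bytearray(8 * cluster)
    old = b"O" * (5 * cluster - 16) + b"<old-file-tail>!"  # exactly 5 clusters
    write_file(volume, 0, old, cluster)
    # Deletion only unlinks the MFT entry; the clusters keep their content.
    new_size = 4 * cluster + cluster // 2
    write_file(volume, 0, b"N" * new_size, cluster)
    slack = slack_bytes(volume, 0, new_size, cluster)
    return {
        "slack_size": file_slack(new_size, cluster),  # half a cluster
        "slack": slack,
        "slack_is_old_data": slack == old[new_size:],
    }


if __name__ == "__main__":
    r = slide_scenario()
    print(r["slack_size"], r["slack_is_old_data"], r["slack"][-16:])
```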
End of chapter
Thank you
Questions?