- Eagle Eye Investigations Group

08/14/2013
Digital Forensics Examinations
What NOT to do with Digital Evidence
Gary Thomas
AccessData Certified Examiner (ACE)
AccessData Certified Mobile Examiner (AME)
McAfee Institute Board Certified Cyber Intelligence Investigator (CCII)
NC Licensed Private Investigator #4061
•© Thomas Computer Forensics LLC
•1
TCFLLC Disclaimer:
ANY INFORMATION AND/OR OPINIONS CONTAINED IN THIS
PRESENTATION SHOULD NOT BE CONSIDERED AS LEGAL
ADVICE.
AS ALWAYS, CONSULT WITH AN ATTORNEY AT LAW FOR
LEGAL ADVICE.
Topics
•1. Digital Forensics Terminology
•2. What is digital evidence?
•3. Client contact - Interviews
•4. Things NOT to do when gathering digital evidence
•5. Basic Questions at Crime Scenes
•6. Best Practices when handling digital evidence
•7. Following Digital Forensics Protocol
•8. Logical vs. Physical Capture
•9. Performing a Digital Forensics Exam
Digital Forensics Terminology
Geometry of a Hard Drive Sector (figure)
Track: a concentric ring on the platter.
Sector: the smallest addressable unit on the drive (traditionally 512 bytes; "Advanced Format" drives use 4096-byte sectors).
Cluster (allocation unit): a group of sectors, the smallest unit the file system hands out to a file.
Common allocation unit (cluster) sizes:
•512 bytes
•1024 bytes
•2048 bytes
•4096 bytes (the NTFS default for typical volume sizes)
•8192 bytes
•16 Kilobytes
•32 Kilobytes
•64 Kilobytes
Allocated Space
Allocated space is composed of clusters (allocation units) that are assigned to files and tracked by the file system; each cluster may be full or only partially filled.
When data is written to a hard drive, it is written into clusters. Once a cluster is full, the data continues into another cluster until all of the data has been written.
When the last block of data is written, the final cluster is almost never filled exactly. The remaining space in that cluster stays reserved for the file and is NOT available for other data.
The unused space at the end of that last cluster is the "Slack Space."
Unallocated Space (Free Space)
•All clusters on a drive or media that are NOT currently assigned to a file and not in use by the file system are referred to as unallocated (Free Space).
•NOTE: These items are part of a "Physical Exam" but NOT part of a "Logical Exam."
•Clusters that are not assigned frequently still contain whole files and file fragments (remnants) from the files that previously occupied them, because deleting a file normally releases its clusters without overwriting them.
Slack Space
Files are created in varying lengths depending on their content. Rarely does a file size exactly match a whole number of clusters.
"The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called Slack Space."
When a file is larger than one cluster, the file system allocates additional clusters (NOT necessarily contiguous ones) and chains them together to form the file.
Because the file system only overwrites the bytes the new file actually contains, the slack at the end of the last cluster can still hold data from whatever file previously occupied that cluster.
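The following added example (not part of the original presentation) simulates the behaviour described on this slide with a toy cluster-based volume: a file is written across three clusters, deleted, and a shorter file reuses the first cluster. The cluster size, cluster count and file contents are all constructed for the illustration; the slack of the new file and the unallocated clusters still hold the old file's text.

```python
"""Toy cluster-based volume showing why slack space and unallocated
clusters keep remnants of earlier files. This is an added example, not
material from the original presentation; the cluster size, the number of
clusters and the file contents are all constructed here for illustration."""

CLUSTER_SIZE = 16   # assumption: tiny clusters so the output is readable
NUM_CLUSTERS = 8


class ToyVolume:
    """A flat byte array divided into fixed-size clusters, plus a minimal
    file table mapping a name to (size, list of cluster numbers)."""

    def __init__(self, cluster_size=CLUSTER_SIZE, num_clusters=NUM_CLUSTERS):
        self.cluster_size = cluster_size
        self.disk = bytearray(cluster_size * num_clusters)
        self.files = {}
        self.free = list(range(num_clusters))   # unallocated clusters

    def _span(self, cluster):
        start = cluster * self.cluster_size
        return start, start + self.cluster_size

    def write(self, name, data):
        """Allocate ceil(len/cluster_size) clusters and copy data in.
        Only the bytes the file actually contains are overwritten; the
        rest of the last cluster (the slack) is left untouched."""
        needed = -(-len(data) // self.cluster_size)
        if needed > len(self.free):
            raise OSError("volume full")
        chain = [self.free.pop(0) for _ in range(needed)]
        for i, cluster in enumerate(chain):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            start, _ = self._span(cluster)
            self.disk[start:start + len(chunk)] = chunk
        self.files[name] = (len(data), chain)
        return chain

    def delete(self, name):
        """Like a real file system: release the clusters, zero nothing."""
        _, chain = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def read(self, name):
        """Logical view: exactly `size` bytes, as a logical acquisition sees them."""
        size, chain = self.files[name]
        out = bytearray()
        for cluster in chain:
            start, end = self._span(cluster)
            out += self.disk[start:end]
        return bytes(out[:size])

    def slack(self, name):
        """Bytes from the end of the file to the end of its last cluster."""
        size, chain = self.files[name]
        used_in_last = size - (len(chain) - 1) * self.cluster_size
        start, end = self._span(chain[-1])
        return bytes(self.disk[start + used_in_last:end])

    def unallocated(self):
        """Raw contents of every cluster not assigned to any file."""
        return b"".join(bytes(self.disk[slice(*self._span(c))]) for c in self.free)


def demo():
    """Write a 43-byte file (3 clusters), delete it, then write a 12-byte
    file that reuses the first cluster. Returns the volume for inspection."""
    vol = ToyVolume()
    vol.write("secret.txt", b"MEET AT 9PM BEHIND THE OLD MILL, BRING CASH")
    vol.delete("secret.txt")
    vol.write("note.txt", b"grocery list")
    return vol


if __name__ == "__main__":
    v = demo()
    print("logical view of note.txt :", v.read("note.txt"))
    print("slack of note.txt        :", v.slack("note.txt"))
    print("unallocated remnants     :", v.unallocated().rstrip(b"\x00"))
```

A logical acquisition returns only `read()`; the `slack()` and `unallocated()` views are what a physical acquisition adds.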
Metadata (meta-data)
•Data about data (file "Properties")
•For forensic purposes, information stored inside the document itself, which may include items such as:
•Time stamps: create date, modified date and time
•Author of the document
•User ID, computer name, printer information
•Other unique user information valuable to forensics
•Owner Security Identifier (SID) information
•EXIF information from a camera (GPS coordinates, camera make and model)
Data Carving ("Carving")
Data carving is the process of locating files and artifacts that have been deleted, or that are embedded inside other files, by recognizing their content rather than relying on file system entries.
If the artifact type has a recognizable file header and footer (signature), custom carvers can be built to locate those specific artifacts.
Examples of custom carvers are those for social media, Facebook, Gmail, Yahoo and other web mail artifacts, and other artifacts that may be located in allocated, unallocated, and slack space.
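The following added example (not a tool from the original presentation) is a minimal header/footer carver of the kind described above, run over a constructed "unallocated space" buffer that contains a fake JPEG, a fake PNG and a JPEG header whose footer was overwritten. The signature table, the filler bytes and the fake images are all assumptions made for the example; production carvers validate the structure of each hit before trusting it.

```python
"""Minimal header/footer file carver of the kind described above. This is
an added example, not a tool from the original presentation. The
"unallocated" buffer, the fake JPEG and the fake PNG inside it are all
constructed inline so the example runs offline."""
import hashlib

# Signature table: type -> (header bytes, footer bytes). Real carvers
# carry many more entries and validate structure after a hit.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(buf, signatures=SIGNATURES, max_size=10_000_000):
    """Return [(type, offset, data, md5)] for every header whose footer is
    found within max_size bytes. A header with no footer (a truncated or
    partially overwritten object) is reported nowhere; a fuller carver
    would still save it as a fragment."""
    hits = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = buf.find(header, pos)
            if start == -1:
                break
            end = buf.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1         # no footer: move past this header
                continue
            end += len(footer)
            data = bytes(buf[start:end])
            hits.append((ftype, start, data, hashlib.md5(data).hexdigest()))
            pos = end                   # resume after the carved object
    return sorted(hits, key=lambda h: h[1])


def build_sample():
    """Constructed unallocated-space blob: filler, a fake JPEG, filler, a
    fake PNG, filler, and a JPEG header with no footer at the very end.
    The filler bytes 0..199 never contain 0xFF, so no false signatures."""
    filler = bytes(range(200))
    fake_jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
    fake_png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"B" * 20
                + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    truncated = b"\xff\xd8\xff\xe1" + b"C" * 10
    buf = filler + fake_jpg + filler + fake_png + filler + truncated
    return buf, {"jpg": fake_jpg, "png": fake_png}


if __name__ == "__main__":
    blob, _ = build_sample()
    for ftype, offset, data, md5 in carve(blob):
        print(f"{ftype} at offset {offset}: {len(data)} bytes, MD5 {md5}")
```

Each hit is hashed as it is carved so the carved object can be matched against known-file hash sets or re-verified later; the MD5 here is for matching, not for proving the object is intact.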
Types of acquisitions
•Logical acquisition
•Does NOT contain deleted files
•Does NOT contain "Unallocated" or "Slack" space items
•View of items from a "file system" perspective
•Only contains items in "Allocated Space"
•Physical acquisition
•Contents of Allocated Space (file system)
•Contents of previously deleted files and ambient data
•Contents of Unallocated and Slack Space are present
•Most comprehensive type of acquisition
•Volatile Memory acquisition
•The acquisition of the contents of RAM on a running ("live") computer; it is lost when the power is removed, so it must be captured before shutdown if it is needed.
What is Digital Evidence?
Digital evidence is any information stored or transmitted in digital form that may be relied upon in litigation, whether by the prosecution or the defense at trial.
Before accepting digital evidence for use at trial, "The Court" must determine whether the digital evidence is:
• Authentic?
• Hearsay?
• Whether a copy is acceptable and/or admissible?
• Whether the original is required?
• How the digital evidence was acquired?
Initial Client Contact
Let's examine some of the issues PIs face with digital evidence.
Domestic Situation…
Client reveals the following:
“I believe my spouse has been cheating on
me!”
“I found some emails on my computer
about meeting someone … falling in love
with them… and talking about having sex
with them.”
Client reveals the following:
"I found a list of my spouse's user names and passwords… I logged into their Internet e-mail account and saw they were having a relationship"
Client reveals the following:
“I know my spouse is cheating on me…”
“I installed Key logger Spyware on their
computer and cell phone to find out what they
were doing…”
Client reveals the following:
“I have been looking through the files on the
computer for weeks trying to find any evidence
of their affair”
Issues with the previous clients' statements?
• Will any of the artifacts be admissible in a court of law?
•Different jurisdictions / courts (judges) may approach these issues differently:
o their interpretation (case law)
o judicial arguments (attorneys)
o motions to quash (suppress) the exam's results
• Is it legal to log into your spouse's email account using their credentials? (case law is all over the map)
•Was the email account password protected, or were the credentials posted in the open?
• Did the person have authorization to log in to the spouse's account?
Stored Communications Act
• Under 18 U.S.C. § 2701, an offense is committed by anyone who: "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;" or "(2) intentionally exceeds an authorization to access that facility; and thereby obtains...[an] electronic communication while it is in electronic storage in such system." 18 U.S.C. § 2701(a)(1)-(2). However, it does not apply to an "electronic communication [that] is readily accessible to the general public." 18 U.S.C. § 2511(2)(g). See, e.g., Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1220 (2004).
The attorneys' argument will be…
Was there a "reasonable expectation of privacy?"
In North Carolina
Is it legal to install spyware (capture-ware) or key loggers on another person's computer or cell phone?
This NC Statute states
“a person is guilty of a Class H felony”
•North Carolina Statute
•Chapter 15A Criminal Procedure Act
Sub chapter II Law-Enforcement and Investigative Procedures
Article 16 Electronic Surveillance
Current through 2009 Legislative Session
§ 15A-288.
Manufacture, distribution, possession, and advertising of wire,
oral, or electronic communication intercepting devices
prohibited.
(a) Except as otherwise specifically provided in this Article, a person is guilty of a Class H felony if the person:
(1) Manufactures, assembles, possesses, purchases, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
(2) Places in any newspaper, magazine, handbill, or other publication, any advertisement of:
a. Any electronic, mechanical, or other device knowing or having reason to know that the design of the device renders it primarily useful for
the purpose of the surreptitious interception of wire, oral, or electronic communications; or
b. Any other electronic, mechanical, or other device where the advertisement promotes the use of the device for the purpose of the
surreptitious interception of wire, oral, or electronic communications.
(b) It is not unlawful under this section for the following persons to manufacture, assemble, possess, purchase, or sell any
electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily
useful for the purpose of the surreptitious interception of wire, oral, or electronic communications:
(1)A communications common carrier or an officer, agent, or employee of, or a person under contract with, a communications common
carrier, acting in the normal course of the communications common carrier's business, or
(2) An officer, agent, or employee of, or a person under contract with, the State, acting in the course of the activities of the State, and with the
written authorization of the Attorney General.
(c) An officer, agent, or employee of, or a person whose normal and customary business is to design, manufacture, assemble, advertise and sell
electronic, mechanical and other devices primarily useful for the purpose of the surreptitious interceptions of wire, oral, or electronic
communications, exclusively for and restricted to State and federal investigative or law enforcement agencies and departments.
(1995, c. 407, s. 1.)
http://www.nccourts.org/Courts/CRS/Councils/spac/Documents/citizenguide2012.pdf
A CITIZEN’S GUIDE TO STRUCTURED
SENTENCING
(Revised 2012)
Class “H” Felony for using Spyware / Capture-ware
Things NOT to do when gathering Digital Evidence (and why)…
You receive a computer as evidence, or you are asked to look at the data on a computer to see if there is anything of value on it.
THINGS YOU SHOULD NOT DO…
Do NOT boot up (power up) the computer and start the OS.
•If you did start up the system, you changed important registry keys that could have tied the last start-up to a specific person.
Check the last-written time stamps of the registry hive files in C:\Windows\System32\config\:
SAM
SECURITY
SOFTWARE
SYSTEM
These hive FILES (not folders) are rewritten while Windows runs, so their last-written times reflect the last start-up/shut-down rather than the state at seizure.
Besides these files, booting changes time stamps in start-up files, DLLs, and hundreds of other OS and application files (prefetch files, event logs, the page file).
•Registry keys reveal (subset):
Startup locations at boot-up
Last person (profile) who signed on to the device
Automatically launched programs at start-up
System-launched DLLs at start-up
Processes that were used at start-up
LINK (.lnk) file data
All of these (and more) contain "time stamps"
Do NOT start looking through the file system...
If you did, you may have changed important metadata and time stamps that could have been of value to the case.
Depending upon the operating system and its settings, a file's last-access time can change just by looking at the file: Windows XP updated it on every read, while Windows Vista and later disable last-access updates on NTFS by default (the NtfsDisableLastAccessUpdate value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem), so do not assume either way without checking that setting. Other "last written" times change just by booting up the system.
If any of the time stamps were changed "after" the time the examiner took possession of the device, then it can be argued that the digital evidence has been tainted.
The reasonable argument would be that "the examiner" changed the items and they may "NOT" be in their "original" state…
Forensic Toolkit (FTK) File List pane (screenshot)
Keep in mind that at some point, the person may become aware that they are being watched.
They may start using "counter measures" to avoid getting caught, such as installing an "automatic-wiping" utility.
If you boot the computer and it has a wiping utility set to auto-start, booting it would have destroyed important artifacts.
The next slide shows some examples of auto-wiping utilities.
•Examples of Auto-wiping utilities
If there was NOT an auto-wiping utility set to run at start-up, there could have been one set to run at log-off or shut-down.
(example of a registry key edit: a Group Policy log-off script registered for the current user; the machine-wide equivalents live under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup and \Scripts\Shutdown)
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\script.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
The utility could have deleted or wiped valuable information from important files, unallocated space, Internet system cache, Internet cache, page files, and numerous other locations.
The next slide shows a popular wiping program that is set to run at "Start-up" automatically.
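As an added example (not from the original presentation), the script below reads a .reg export and reports Group Policy logon/logoff/startup/shutdown scripts and Run-key entries, which is how an examiner would check an imaged system for a wiper armed to fire at boot or at log-off. It goes beyond the single key on the slide by also covering the Run keys. The sample export is constructed: it includes the slide's log-off entry plus two invented Run-key entries (DiskWiper and Updater), and the "suspicious words" list is a simple heuristic, not a vendor signature.

```python
"""Finds log-on/log-off/start-up/shut-down policy scripts and Run-key
autoruns in a .reg export, the way an examiner would check an imaged
system for a wiper set to fire at boot or at log-off. Added example, not
from the original presentation; the sample export below is constructed
(it includes the slide's log-off script entry plus two invented Run-key
entries) and the "suspicious words" list is a simple heuristic."""
import re

# Group Policy script keys: HKCU/HKLM\Software\Policies\Microsoft\Windows\
# System\Scripts\<Logon|Logoff|Startup|Shutdown>\<n>\<m>
SCRIPT_KEY = re.compile(r"\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I)
SUSPECT_WORDS = ("wipe", "erase", "shred", "clean")     # constructed heuristic

# One REG_SZ line: "name"="value" with \\ and \" escapes inside the quotes
_SZ_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\script.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DiskWiper"="\"C:\\Program Files\\DiskWiper\\wiper.exe\" /startup /free /slack"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Updater\\updater.exe /background"
'''


def unescape_reg(value):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg(text):
    """Yield (key, value_name, value) for each REG_SZ entry; binary and
    DWORD values (hex(b):..., dword:...) are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _SZ_LINE.match(line)
            if m:
                yield key, unescape_reg(m.group(1)), unescape_reg(m.group(2))


def find_autoruns(text):
    """Return autorun entries in the order they appear in the export."""
    hits = []
    for key, name, value in parse_reg(text):
        script = SCRIPT_KEY.search(key)
        if script and name.lower() == "script":
            where = "policy %s script" % script.group(1).lower()
        elif RUN_KEY.search(key):
            where = "run key"
        else:
            continue
        hits.append({
            "where": where, "key": key, "name": name, "command": value,
            "suspicious": any(w in value.lower() for w in SUSPECT_WORDS),
        })
    return hits


if __name__ == "__main__":
    for hit in find_autoruns(SAMPLE_REG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"[{flag}] {hit['where']}: {hit['name']} -> {hit['command']}")
```

Export the hives from the mounted image (never from the running original) and feed the .reg text to `find_autoruns`; every reported command line should then be checked against the file it points to on the image.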
Notice the number of Options that are available to set upon Start-up
This program executed at Windows Start-up.
Note the number of items that were NOT checked in this screen-shot
Let's take a look at "Time Stamps"
The matrix above (slide image, not reproduced here) shows which time stamp elements change and under what circumstances:
File rename or move: metadata (MFT entry) changed
File copy: Accessed, Created, and metadata changed on the new copy; the Modified time is carried over from the source
File accessed: Accessed time changed (Windows XP; disabled by default from Vista onward)
File creation: Modified, Accessed, Created, and metadata changed
File deletion: metadata changed (INFO2 record in the Recycle Bin on XP; $I files from Vista onward)
Viewing digital artifacts on the "original media" can cause valuable metadata and time stamps to be changed.
Note the embedded time stamp on this photo:
11/28/2011 17:14
The photo's original Created/Accessed/Modified time is:
11/28/2011 at 5:14:02 PM
On 1/24/2013 at 04:09:45 PM the image was copied from a USB flash drive to the computer hard drive. The copy caused the Created date and the Accessed date to change. The "physical" photo (its content) was NOT altered.
On 1/26/2013 at 11:13:51 AM the image was viewed using a graphics application. The graphics application caused the Created date and the Accessed date to change again. The "physical" photo was NOT altered.
Metadata after the copy:
Name: IMG_0001.JPG   Ext: jpg
MD5: 402558E5FCB9E96B393464C7BB160C29
Created Date:  1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
Accessed Date: 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
Modified Date: 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)
Metadata after viewing the same object with a graphics viewer:
Name: IMG_0001.JPG   Ext: jpg
MD5: 402558E5FCB9E96B393464C7BB160C29
Created Date:  1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
Accessed Date: 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
Modified Date: 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)
The unchanged MD5 in both records is what proves the content was not altered; only the file system's Created and Accessed stamps moved. The Modified date, which tracks content changes, stayed at the camera's original time.
On the stand… "if you booted up the original hard drive and reviewed the files on the hard drive"
•Attorney: Mr. Thomas, when you booted up the computer and started looking at the files, did you change any time stamps or original digital data on this computer?
•Mr. Thomas: Yes, I did.
•Attorney: Mr. Thomas, when performing a digital examination, is it correct protocol to perform the exam on the "original hard drive" without first imaging it?
•Mr. Thomas: No, the correct protocol is to image the media first.
•Attorney: Mr. Thomas, do you realize that you changed information on this hard drive, thus making any of the information on this hard drive "questionable" to the court?
Do NOT mount the "original" target hard drive in an external drive enclosure and start looking through the files.
If you MUST look at the files, or boot up the operating system, the options are:
•Behind a "write-blocker device":
• CLONE the original, or
• Build a raw (dd) or .E01 image
•Install the clone into the device and boot it up (never the original)
•Mount the dd/.E01 image from an external hard drive:
• Use FTK Imager to mount the dd/.E01 image read-only
• Review the files with Windows File Manager
•If it was NOT write protected, you will change
Yes!
You tainted digital evidence !
Answering these "BASIC" questions from any crime scene…
When did the crime take place?
Who did the crime?
What evidence do you have?
Were there any fingerprints?
Crime Scene Questions
The "same questions" are asked when applied to digital evidence:
•When did the crime take place? (time & date, IP address, GPS tags, EXIF, ISP authentication records, mail & social media authentication records, metadata artifacts (properties))
• Who did the crime? (SID, profile, email, message post, social post, authentication records)
• What evidence do you have? (deleted, allocated, unallocated, slack)
• Were there any fingerprints? (hash values MD5/SHA1/SHA256, GPS location data, authentication records)
TIME
How critical are time stamps?
"WHAT IF" your exam evidence hinged on a "specific time frame"?
"WHAT IF" the opposing attorney was able to show that the times in the digital examination were not in sync with actual events because the time stamps in the exam were not correct?
Credibility issue?
You may step down!
When did the crime take place?
One of the first things to do as an examiner is to check the target's clock settings in the registry (offline, from the imaged SYSTEM hive, never on the running original).
#1 How was the PC clock set? Time zone? AM vs. PM?
Ref. registry key (time zone and daylight-saving configuration):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
The values of interest are TimeZoneKeyName (Vista and later), StandardName/DaylightName, Bias and ActiveTimeBias (minutes to add to local time to get UTC), and DynamicDaylightTimeDisabled:
0 = Default: the clock adjusts automatically for daylight saving time
1 = Automatic DST adjustment turned off (set manually)
Note that DynamicDaylightTimeDisabled says nothing about Internet time synchronization; that is configured separately under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters (Type = "NTP" when syncing, "NoSync" when synchronization is disabled).
On an offline hive, read HKEY_LOCAL_MACHINE\SYSTEM\Select\Current to find which ControlSet00n was the active one before relying on ControlSet001.
Changing the PC Clock
To change the time, click on the clock at the bottom right and select "Change date and time settings" (three tabs are displayed):
Date and Time <change time or time zone buttons>
Additional Clocks <display up to two extra clocks>
Internet Time <Settings: checked = synchronize with an Internet time server; unchecked = will NOT sync with the time server>
NOTE: The default for Internet time synchronization is CHECKED
Where is a good place to look for clock changes?
•Event Viewer (Start > Run > eventvwr)
•Windows Logs > System
•Event ID = 1
•Source = Kernel-General
•"The system time has changed to … from …"
•Windows Logs > Security, Event ID 4616 "The system time was changed" (written when auditing of security state changes is enabled) additionally records which account and process changed it.
Note that Kernel-General Event ID 1 is also written for routine time-service corrections, so look for large jumps, backward jumps, and changes that coincide with the time frame in question.
Review web logs, temporary Internet files, and e-mail headers and check whether the (embedded) times in those artifacts agree with the Accessed, Created, and Modified times in the file metadata.
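As an added example (not from the original presentation), the code below extracts clock changes from event records and computes the size and direction of each jump, covering both Kernel-General Event ID 1 and Security Event ID 4616. The sample records are constructed and modelled on the message text of those two events; the exact layout on a real system may differ, so the regular expressions are assumptions to adjust against real exports.

```python
"""Pulls clock changes out of event records and computes the size and
direction of each jump, so an examiner can reconcile artifact times
against them. Added example, not from the original presentation. The
sample records are constructed and modelled on the Kernel-General event 1
and Security 4616 message texts; the layout on a real system may differ."""
import re
from datetime import datetime, timezone

SAMPLE_EVENTS = [   # constructed
    {"log": "System", "provider": "Microsoft-Windows-Kernel-General", "id": 1,
     "message": "The system time has changed to 2013-01-26T16:13:51.000000000Z "
                "from 2013-01-24T21:09:45.000000000Z."},
    {"log": "Security", "provider": "Microsoft-Windows-Security-Auditing", "id": 4616,
     "message": "The system time was changed.\n\nSubject:\n\tAccount Name:\tbob\n\n"
                "Previous Time:\t\t2013-01-26T16:20:00.000000000Z\n"
                "New Time:\t\t2013-01-20T09:00:00.000000000Z"},
    {"log": "System", "provider": "Microsoft-Windows-Kernel-General", "id": 12,
     "message": "The operating system started at system time 2013-01-24T20:55:01.000000000Z."},
]

_KERNEL_RE = re.compile(r"changed to (\S+?)\s+from (\S+?)\.?\s*$")
_SECURITY_RE = re.compile(r"Previous Time:\s*(\S+)\s+New Time:\s*(\S+)")
_ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")


def parse_ts(text):
    """ISO-8601 UTC stamp with nanoseconds -> aware datetime (ns dropped)."""
    text = re.sub(r"\.\d+Z$", "Z", text)
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_changes(events, min_jump_seconds=0):
    """Return one dict per time change: source, old, new, delta_seconds,
    set_back, account. min_jump_seconds filters out routine time-service
    nudges so only meaningful jumps remain."""
    out = []
    for ev in events:
        account = None
        if ev["id"] == 1 and "Kernel-General" in ev["provider"]:
            m = _KERNEL_RE.search(ev["message"])
            if not m:
                continue
            new, old = m.group(1), m.group(2)
            source = "Kernel-General/1"
        elif ev["id"] == 4616:
            m = _SECURITY_RE.search(ev["message"])
            if not m:
                continue
            old, new = m.group(1), m.group(2)
            a = _ACCOUNT_RE.search(ev["message"])
            account = a.group(1) if a else None
            source = "Security/4616"
        else:
            continue
        old_dt, new_dt = parse_ts(old), parse_ts(new)
        delta = int((new_dt - old_dt).total_seconds())
        if abs(delta) < min_jump_seconds:
            continue
        out.append({"source": source, "old": old_dt, "new": new_dt,
                    "delta_seconds": delta, "set_back": delta < 0,
                    "account": account})
    return out


if __name__ == "__main__":
    for c in clock_changes(SAMPLE_EVENTS):
        print(f"{c['source']}: {c['old']} -> {c['new']} ({c['delta_seconds']:+d} s)"
              + ("  SET BACK" if c["set_back"] else ""))
```

A negative delta (`set_back`) is the case that matters most for the credibility argument on the previous slides: artifacts written between the set-back and the next correction will carry stamps earlier than the real wall-clock time.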
When did the crime take place?
Time Stamps – Date and Time
Metadata
* (IMPORTANT) Carved items, file slack items, and unallocated space items WILL NOT ALWAYS carry file system time stamps (most of the time they do not), because the directory entry that held those stamps is gone; what survives depends on whether the artifact was carved from deleted or embedded data.
The challenge with these items is to find embedded time stamps within the block of data or the artifact itself (EXIF dates, e-mail headers, log lines, document properties).
More often than not, the "smoking gun" will be found in unallocated space, slack space, or carved items.
•Actual (allocated) files "will contain time stamps"
Time Stamp Rules
•Date Created – the event that created the file at its current location
•Date Modified – the event that last changed the file's content
•Date Accessed – the event that last caused the file to be read, copied, or modified (subject to the OS's last-access setting)
•Entry Modified (metadata changed) – the event that last changed the file's metadata: rename, move, attribute or security change
•Last Written (registry keys) – the event that last changed the content of the key
Registry Hive Elements that will contain
Internal and external time elements
• Most Recent documents / saved / visited
• IE History / Manually entered searches
• ICQ History / users / login / passwords
• IM History / users / login / passwords
• Network / POP3 / passwords / Temp Internet Files
• Yahoo! / messaging / passwords / messages
• Security / logon info / Passwords/SIDs
• Software Install Dates / times
• OS info / settings / configurations
• Mounted Devices / USB / Flash drives(Registry)
• Event Logs and Settings
Who did the crime?
Desktop Icons can be valuable during the Digital Exam.
How ?
Profiles … and SIDs
Windows profiles are associated with specific users.
The profile name is assigned by the system administrator, or during initial system setup.
Profiles are tied to the user's security access. Each account is assigned a unique Security Identifier (SID) by the system.
The Windows operating system follows a fixed structure when SIDs are created.
Forensically, the SID becomes an invaluable identifier when tracking what a user did and where they went during their login.
SIDs are also associated with the desktop login icons.
Security Identifier (SID)
Example: the following SIDs show up in the metadata of a document.
S-1-5-21-2777932499-928484944-2849932064-1006
S-1-5-21-2777932499-928484944-2849932064-1000
The components of the SID are:
Component / Description
S – a SID always begins with the letter "S"
1 – revision level of the SID structure, in this case revision 1
5 – the authority that issued the SID; 5 is the NT Authority
21 – first sub-authority; 21 marks a SID issued by a domain or a stand-alone machine
2777932499-928484944-2849932064 – the three sub-authority numbers that together identify the specific machine or domain; every account created on that machine shares them
1006 – the Relative Identifier (RID): the specific account (or group) in the SAM file, i.e. user 1006
2849932064-1000 – the same machine identifier with RID 1000, i.e. another specific user on this same computer
Well-known RIDs: 500 is the built-in Administrator and 501 the Guest account; locally created user accounts start at 1000.
Now… why is this important in an investigation?
•SID - Security Identifier – SAM File
This is a screen shot of the digital forensic application (FTK) File List pane. Notice the "Owner SID" appended to each record. Using the SID and time stamps, the forensics examiner can build a road map of what was done by which account during a specific time.
What evidence do you have?
This is a "filtered" view of all graphics associated with the SID ending in 1006, which is the SID for the user "Brother's Stuff".
There were a total of 652 graphics associated with this SID.
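The following added example (not from the original presentation) serves both the SID breakdown on the earlier slide and the filtered File List view on this one: it parses a SID into revision, authority, machine/domain identifier and RID, then groups FTK-style file list records by owner SID and builds a per-account timeline. The file list records are constructed for the example; the two SIDs are the ones quoted on the SID slide.

```python
"""Parses Windows SIDs into their components and groups FTK-style file
list records by owner, reproducing the "filter by SID" step from the
slides. Added example, not from the original presentation. The file
list records are constructed (modelled on an FTK File List export);
the two SIDs are the ones quoted in the slide."""
import re
from collections import Counter

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users"}
GRAPHIC_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "tif", "tiff"}

SAMPLE_FILE_LIST = [   # constructed: (name, ext, owner SID, created UTC)
    ("IMG_0001.JPG", "jpg", "S-1-5-21-2777932499-928484944-2849932064-1006", "2013-01-24 21:09:45"),
    ("IMG_0002.JPG", "jpg", "S-1-5-21-2777932499-928484944-2849932064-1006", "2013-01-24 21:10:02"),
    ("notes.docx", "docx", "S-1-5-21-2777932499-928484944-2849932064-1006", "2013-01-25 03:11:00"),
    ("holiday.png", "png", "S-1-5-21-2777932499-928484944-2849932064-1000", "2012-12-30 12:00:00"),
    ("setup.exe", "exe", "S-1-5-18", "2011-06-01 08:00:00"),
]


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into revision, authority and sub-authorities.
    For S-1-5-21-x-y-z-RID SIDs the machine/domain identifier and the
    relative identifier (RID) are broken out as well."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    info = {"sid": sid, "revision": int(m.group(1)),
            "authority": int(m.group(2)), "sub_authorities": subs}
    if info["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        info["machine_or_domain"] = "-".join(str(x) for x in subs[1:4])
        info["rid"] = rid
        info["account"] = WELL_KNOWN_RIDS.get(
            rid, "user/group created on this machine or domain" if rid >= 1000
            else "built-in or well-known account")
    return info


def same_machine(sids):
    """True when every SID carries the same machine/domain identifier."""
    ids = {parse_sid(s).get("machine_or_domain") for s in sids}
    return len(ids) == 1 and None not in ids


def graphics_by_owner(records):
    """Count graphics files per owner SID (the filtered view on the slide)."""
    counts = Counter()
    for _name, ext, sid, _created in records:
        if ext.lower() in GRAPHIC_EXTS:
            counts[sid] += 1
    return counts


def timeline_for_rid(records, rid):
    """Files owned by the account with this RID, oldest first."""
    rows = [(created, name) for name, _ext, sid, created in records
            if parse_sid(sid).get("rid") == rid]
    return [name for _created, name in sorted(rows)]


if __name__ == "__main__":
    for sid, n in graphics_by_owner(SAMPLE_FILE_LIST).items():
        info = parse_sid(sid)
        print(f"RID {info.get('rid')} ({info.get('account')}): {n} graphics")
    print("RID 1006 timeline:", timeline_for_rid(SAMPLE_FILE_LIST, 1006))
```

Matching on the full SID rather than only its last digits avoids confusing two machines whose accounts happen to share a RID; `same_machine` is the check for that.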
Were there any fingerprints?
Digital Fingerprints
Authenticity & Hash values
Hash Values
A hash value is a fixed-length digest computed mathematically from the entire content of the artifact; any change to the content produces a different value, while the file name and file system time stamps do not affect it.
FTK and other forensic software tools automatically calculate the hash values.
Here are the most common hash algorithms (though there are more):
MD5 (Message Digest 5: 128 bits, 32 hex characters)
SHA-1 (Secure Hash Algorithm 1: 160 bits, 40 hex characters)
SHA-256 (SHA-2 family: 256 bits, 64 hex characters)
NIST-approved hash algorithms (FIPS 180-4): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256
Caveat: practical collision attacks exist for MD5 and SHA-1 (two different inputs crafted to share one hash), so record SHA-256 alongside MD5 when verifying an image or matching artifacts; MD5 remains useful for detecting accidental change and for matching against existing hash sets.
In the .TIFF days (Tagged Image File Format, a computer file format used to store images), the "legal" test of whether two items were the same has been:
"Are they reasonable representations of one another?"
HASH Value Dilemma!
Today, artifacts can be compared using these hash values.
The question is:
If two (or more) documents or graphics (artifacts) look similar when viewed, but their hash values are different, are they identical?
They are different beyond a shadow of a doubt: a different hash value means at least one byte of content differs.
The National Institute of Standards and Technology (NIST) says they are different.
But will the courts "still say" they are "a reasonable representation of each other?"
In this screen shot are examples of five hashed text messages
•Text1 is the simple "the quick brown fox jumped over the lazy dogs back"
•Text2 same text in "UPPER CASE"
•Text3 same text with extra "spaces" at the end of the text
•Text4 same text with the first letter of the first word in "Upper Case"
•Text5 same text as Text4 but the "file name" is changed (the hash is computed over the content only, so Text4 and Text5 hash to the same value while Text1 through Text4 all differ)
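The following added example (not the screenshot's own tool) reproduces the five-variant comparison in code: it hashes each variant with MD5, SHA-1 and SHA-256, groups the variants by digest, and includes the chunked-hashing routine an examiner would use on a large image. The variant contents are constructed from the sentence on the slide.

```python
"""Hashes the five text variants from the slide and groups them by digest,
showing that a change of case or trailing whitespace changes every hash
while renaming does not. Added example, not the screenshot's own tool.
Sample texts are constructed from the sentence on the slide."""
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")
BASE = b"the quick brown fox jumped over the lazy dogs back"

VARIANTS = {              # name -> content; Text5 is Text4 under another file name
    "Text1": BASE,
    "Text2": BASE.upper(),
    "Text3": BASE + b"   ",
    "Text4": BASE[:1].upper() + BASE[1:],
    "Text5": BASE[:1].upper() + BASE[1:],
}


def digests(data, algorithms=ALGORITHMS):
    """Hex digests of one in-memory artifact."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_stream(fileobj, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a large file (or image) in chunks without loading it whole;
    every algorithm sees the same bytes in one pass over the input."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes_chunked(data, chunk_size=7):
    """Convenience wrapper so chunked hashing can be checked on bytes."""
    return hash_stream(io.BytesIO(data), chunk_size=chunk_size)


def group_by_digest(variants, algorithm="sha256"):
    """Map digest -> sorted list of variant names sharing that content."""
    groups = {}
    for name, data in variants.items():
        groups.setdefault(digests(data)[algorithm], []).append(name)
    return {d: sorted(names) for d, names in groups.items()}


def verify(data, expected_hex, algorithm="md5"):
    """Integrity check against a recorded value (case-insensitive)."""
    return digests(data, (algorithm,))[algorithm].lower() == expected_hex.lower()


if __name__ == "__main__":
    for name, data in VARIANTS.items():
        print(name, digests(data)["md5"])
    for d, names in group_by_digest(VARIANTS).items():
        print(d[:16], "...", names)
```

`hash_stream` is the routine to run against an image file opened in binary mode after acquisition and again before testimony; `verify` compares the result with the value recorded in the chain-of-custody document.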
Hash values
• Can be used to uphold the authenticity of digital artifacts.
"If the hash values are different… should it be argued that one or more of them are NOT AUTHENTIC?"
If proven to be unauthentic, should they be admissible?
Even if they appear to be the same on paper, they are forensically different.
Was one of the items "photo-shopped?"
Now that we've talked about what NOT to do with digital evidence, let's look at what should be done when approaching a digital exam.
Show of hands… how many people know what the following files are?
•What are Shadow Copy files?
•What is pagefile.sys?
•What is hiberfil.sys?
•What are System Volume Information files?
•What is unallocated space?
•What is slack space?
•Are documents always (physically) stored in one contiguous run of clusters on a hard drive (all the data grouped together)?
•What are System Volume Information files?
(Screenshots: attempting to open the System Volume Information folder from Windows File Manager in the logical view, and attempting to open pagefile.sys from Windows File Manager in the logical view. Both are refused on a running system: the folder is ACL-restricted to SYSTEM and the page file is locked while Windows runs, which is why these artifacts are reached through the physical image rather than the live file system.)
The point is …
Many of the key word “hits” resulting in the
digital exam are NOT in common files such as
word documents, spread-sheets, Adobe PDF files,
and e-mail files.
Most are in Internet Cache, unallocated space,
slack space, and carved items.
TIME CHECK …….
What time is it… How much time do we have
left?
What is a Digital Forensics
Examination?
“A set of established, investigative protocols
and techniques used to analyze digital media.”
Digital Forensics Process (high level)
(flow diagram on the slide; its boxes are listed here)
Ensure personal safety
Interviews
Seizure & preservation of all digital evidence
Data acquisition & imaging
Indexing case data
Analyze data
Document the evidence found
Reporting & testimony
Electronic discovery
Seizure and preservation can make the difference in the digital evidence being admissible or inadmissible in court
Why Perform a Digital Investigation?
•A digital forensic investigation may be initiated for many reasons. In civil or criminal investigations, digital forensics may be of value in a wide range of situations.
•Ability to "re-trace" digital footprints, such as when, where, how and why individuals (suspects) do what they do.
•With the advent of social web sites and people's ability to share information, it is not uncommon for people to divulge private information to others electronically, including via cell phones.
•Digital forensics may reveal people's emotions, reactions, or motives.
•It may also provide (time-stamped) "time lines" that reveal a person's innocence, guilt, or participation in specific events.
Evidence found during the digital forensics
investigation can provide the interviewer
with valuable information when
confronting the suspect.
The Forensic Imaging Process
What is the actual process?
• #1 Document information associated with the media (device type, serial number, size, etc.).
• #2 Complete an evidence inventory document.
• #3 Maintain the chain-of-custody document.
• #4 Start the imaging/cloning process (behind a write-blocker; record the hash of the source and verify the finished image against it).
• #5 Digital forensics examination (FTK/EnCase/Nuix).
How many hard drives do we need to perform
a Digital Forensics Exam?
•HD0 – Original HD – sealed after imaging (original evidence)
•HD1 (required) – raw (dd) image of HD0
•HD2 (optional) – cloned copy of HD0
•HD3 (required) – case data, case index, evidence and reports
Mounting and Viewing the Imaged Data
On the Internet, go to the following URL and select the item "FTK Imager". At the drop-down, select the most current version. Download, save, and install the AccessData FTK Imager utility (it is free).
http://www.accessdata.com/support/product-downloads
With the FTK Imager software and a "write-blocker device," you may MOUNT the digital image (dd) on a computer and view the files as they would be seen in Windows File Manager.
NOTE: Don't forget to use a hardware write-blocker or a software write-blocker when connecting the drive holding the dd image to a computer. There is a "Block Device / Read Only" mount option in Imager, but the write-blocker is another safeguard for keeping the image safe.
•After FTK Imager is installed
•Select "File"
•Select "Image Mounting"
•On the screen to the right, select the file path to the first segment file (xxx.001)
•Make sure the Mount Method box is set to Block Device / Read Only
•Click the "Mount" button
•The image will be mounted (example: H: drive)
•Go to Windows File Manager and view the files in the H: drive (whatever your mount drive letter is)
•When you are finished, go back to FTK Imager and UNMOUNT the drive by clicking the UNMOUNT button.
Now you are ready for a Digital Forensics Examiner to
start processing the Image.
Questions ?
TCFLLC Contact Information
• For a free consultation or to discuss your specific issues, contact:
• Gary Thomas ACE AME CCII
• NC Private Investigator #4061
704-668-9671 (cell)
Email: gary@thomasforensics.com
www.thomasforensics.com