08/14/2013
Digital Forensics Examinations: What NOT to do with Digital Evidence
Gary Thomas
AccessData Certified Examiner (ACE)
AccessData Certified Mobile Examiner (AME)
McAfee Institute Board Certified Cyber Intelligence Investigator (CCII)
NC Licensed Private Investigator #4061
© Thomas Computer Forensics LLC

TCFLLC Disclaimer: ANY INFORMATION AND/OR OPINIONS CONTAINED IN THIS PRESENTATION SHOULD NOT BE CONSIDERED AS LEGAL ADVICE. AS ALWAYS, CONSULT WITH AN ATTORNEY AT LAW FOR LEGAL ADVICE.

Topics
1. Digital Forensics Terminology
2. What is digital evidence?
3. Client contact and interviews
4. Things NOT to do when gathering digital evidence
5. Basic questions at crime scenes
6. Best practices when handling digital evidence
7. Following digital forensics protocol
8. Logical vs. physical capture
9. Performing a digital forensics exam

Digital Forensics Terminology

Geometry of a Hard Drive
• Track, sector, cluster (a cluster is a group of sectors)
• The sector is the smallest unit the drive itself addresses (traditionally 512 bytes; newer "Advanced Format" drives use 4096-byte sectors)
• The cluster, or allocation unit, is the smallest unit the file system hands out to a file. Common allocation unit sizes: 512 bytes, 1024 bytes, 2048 bytes, 4096 bytes, 8192 bytes, 16 KB, 32 KB, 64 KB

Allocated Space
Allocated space is composed of clusters (allocation units) that are full or partially filled with data and that are tracked by the file system. When data is written to a hard drive it is written into clusters. Once a cluster is full, the data continues into another cluster until all of the data is on the drive. When the last block of data is written, the last cluster is almost never filled exactly; the remaining space in that cluster is NOT available to any other file.
The empty space at the end of that last cluster is the "slack space."

Unallocated Space (Free Space)
• All clusters on a drive or media that are NOT currently assigned to a file and not in use by the file system are unallocated (free space).
• NOTE: these items are part of a "physical exam" but NOT part of a "logical exam."
• Clusters that are not assigned will often still contain files and file fragments (remnants) from the files that previously occupied them.

Slack Space
Files vary in length depending on their content; rarely does a file size exactly match a whole number of clusters. "The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called slack space." When a file is larger than one cluster, the data overflows into another cluster (NOT necessarily the next one in sequence); the file system chains these clusters together to form the file. Slack can still hold remnants of whatever file occupied the cluster before.

Metadata (meta-data)
• Data about data (file "Properties")
• For forensic purposes, documentation inside the document, which may include items such as:
  • Time stamps: create date, modified date and time
  • Author of the document
  • User ID, computer name, printer information
  • Other unique user information valuable to forensics
  • Owner Security Identifier (SID) information
  • EXIF information from a camera (GPS coordinates, camera make and model)

Data Carving ("Carving")
Data carving is the process of locating files and artifacts that have been deleted, or that are embedded in other files, by their content rather than through the file system. If the artifact has a recognizable file header (and, ideally, a footer), custom carvers can be built to find that specific kind of artifact. Examples of custom carvers are those for social media, Facebook, Gmail, Yahoo and other web-mail artifacts, and other artifacts that may be located in allocated, unallocated, and slack space. Because a carved item is recovered without its file-system record, it usually arrives without a file name or file-system time stamps.
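To make the cluster arithmetic and the carving idea concrete, here is an added Python example; it is not code from the presentation. It builds a constructed three-cluster "volume" (a 5,000-byte text document, its slack still holding the tail of an earlier deleted JPEG, and one unallocated cluster holding a whole deleted JPEG), works out the allocation and slack figures, and carves JPEGs by the FF D8 FF header and FF D9 footer. The 4,096-byte cluster size and all of the sample data are assumptions made for illustration.

```python
"""Cluster/slack arithmetic and a header/footer carver over a constructed volume.

Added example; not code from the presentation. The cluster size and the
sample data below are assumptions made for illustration.
"""

CLUSTER = 4096                # assumed allocation unit (NTFS default on most volumes)
JPEG_SOI = b"\xff\xd8\xff"    # JPEG start-of-image marker (FF D8) plus first segment byte (FF)
JPEG_EOI = b"\xff\xd9"        # JPEG end-of-image marker


def cluster_layout(file_size: int, cluster: int = CLUSTER) -> dict:
    """Clusters a file consumes, bytes allocated to it, and its file slack."""
    clusters = (file_size + cluster - 1) // cluster     # ceiling division
    allocated = clusters * cluster
    return {"clusters": clusters, "allocated": allocated, "slack": allocated - file_size}


def carve_jpegs(blob: bytes, max_len: int = 10 * 1024 * 1024) -> list:
    """Find JPEG candidates by header/footer; returns [(offset, length), ...].

    A header with no footer within max_len is skipped: without the footer the
    end of the object is unknown and the hit is not a complete carvable file.
    """
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_len:
            pos = start + 1
            continue
        found.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return found


def build_sample_volume() -> tuple:
    """Constructed sample data (not real evidence).

    Clusters 0-1: a 5,000-byte text document; the slack after it still holds
                  the last 100 bytes of a JPEG that occupied the space earlier.
    Cluster 2:    unallocated, holding a whole deleted JPEG.
    Returns (volume_bytes, document_size).
    """
    doc = (b"Meeting notes " * 400)[:5000]
    layout = cluster_layout(len(doc))            # 2 clusters, 3,192 bytes of slack
    old_jpeg = JPEG_SOI + b"\xe0" + b"JFIF-remnant" * 20 + JPEG_EOI
    slack = old_jpeg[-100:] + b"\x00" * (layout["slack"] - 100)
    deleted_jpeg = JPEG_SOI + b"\xe0" + b"\x00" * 300 + JPEG_EOI
    unallocated = deleted_jpeg + b"\x00" * (CLUSTER - len(deleted_jpeg))
    return doc + slack + unallocated, len(doc)


def logical_view(volume: bytes, doc_size: int) -> bytes:
    """What a logical acquisition shows: the allocated file only, with no slack
    and no unallocated clusters."""
    return volume[:doc_size]


if __name__ == "__main__":
    volume, size = build_sample_volume()
    print(cluster_layout(size))
    print("JPEG header visible in logical view:", JPEG_SOI in logical_view(volume, size))
    print("physical carve hits (offset, length):", carve_jpegs(volume))
```

Running it shows the point of the logical-versus-physical distinction: the logical view of the same bytes contains no JPEG at all, while the carver run over the whole volume recovers the deleted picture from the unallocated cluster. The remnant in slack has a footer but no header, so a header/footer carver correctly does not report it as a file; that is why slack and carved fragments are examined separately from carved whole files.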
Types of Acquisitions
• Logical acquisition
  • Does NOT contain deleted files
  • Does NOT contain "unallocated" or "slack" space items
  • View of items from a "file system" perspective
  • Only contains items in "allocated space"
• Physical acquisition
  • Contents of allocated space (file system)
  • Contents of previously deleted files and ambient data
  • Contents of unallocated and slack space are present
  • Most comprehensive type of acquisition
• Volatile memory acquisition
  • The acquisition of the contents of memory (RAM) of a running/live computer; this is the one case in which working on the live system is unavoidable, so every action taken on it must be documented

What is Digital Evidence?
Digital evidence is any information stored or transmitted in digital form that may be a party to litigation and may be used by either the prosecution or the defense at trial.

Before accepting digital evidence for use at trial, the Court must determine:
• Is it authentic?
• Is it hearsay?
• Is a copy acceptable and/or admissible?
• Is the original required?
• How was the digital evidence acquired?
Initial Client Contact
Let's examine some of the issues PIs face with digital evidence in a domestic situation.

Client reveals the following:
"I believe my spouse has been cheating on me!"
"I found some emails on my computer about meeting someone ... falling in love with them ... and talking about having sex with them."

Client reveals the following:
"I found a list of my spouse's user names and passwords ... I logged into their Internet e-mail account and saw they were having a relationship."

Client reveals the following:
"I know my spouse is cheating on me ..."
"I installed key logger spyware on their computer and cell phone to find out what they were doing ..."

Client reveals the following:
"I have been looking through the files on the computer for weeks trying to find any evidence of their affair."

Issues with the previous client's statements?
• Will any of the artifacts be admissible in a court of law?
• Different jurisdictions/courts (judges) may approach these issues differently:
  o their interpretation (case law)
  o judicial arguments (attorneys)
  o motions to quash (suppress) the exam efforts
• Is it legal to log into your spouse's email account using their credentials? (case law ... all over the map)
• Was the email account password protected, or was the password posted in the open?
• Did the person have authorization to log in to the spouse's account?

Stored Communications Act
Under 18 U.S.C. § 2701, an offense is committed by anyone who:
"(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;" or
"(2) intentionally exceeds an authorization to access that facility; and thereby obtains ... [an] electronic communication while it is in electronic storage in such system." 18 U.S.C.
§ 2701(a)(1)-(2). However, it does not apply to an "electronic communication [that] is readily accessible to the general public." 18 U.S.C. § 2511(2)(g). See, e.g., Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1220 (2004).

The argument for the attorneys will be: was there a "reasonable expectation of privacy?"

In North Carolina, is it legal to install spyware (capture-ware) or key loggers on another person's computer or cell phone?

This NC statute states "a person is guilty of a Class H felony":
North Carolina Statutes, Chapter 15A Criminal Procedure Act, Subchapter II Law-Enforcement and Investigative Procedures, Article 16 Electronic Surveillance (current through 2009 Legislative Session)
§ 15A-288. Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited.
(a) Except as otherwise specifically provided in this Article, a person is guilty of a Class H felony if the person:
(1) Manufactures, assembles, possesses, purchases, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
(2) Places in any newspaper, magazine, handbill, or other publication, any advertisement of:
a.
Any electronic, mechanical, or other device knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications; or
b. Any other electronic, mechanical, or other device where the advertisement promotes the use of the device for the purpose of the surreptitious interception of wire, oral, or electronic communications.
(b) It is not unlawful under this section for the following persons to manufacture, assemble, possess, purchase, or sell any electronic, mechanical, or other device, knowing or having reason to know that the design of the device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications:
(1) A communications common carrier or an officer, agent, or employee of, or a person under contract with, a communications common carrier, acting in the normal course of the communications common carrier's business, or
(2) An officer, agent, or employee of, or a person under contract with, the State, acting in the course of the activities of the State, and with the written authorization of the Attorney General.
(c) An officer, agent, or employee of, or a person whose normal and customary business is to design, manufacture, assemble, advertise and sell electronic, mechanical and other devices primarily useful for the purpose of the surreptitious interceptions of wire, oral, or electronic communications, exclusively for and restricted to State and federal investigative or law enforcement agencies and departments. (1995, c. 407, s. 1.)
A Citizen's Guide to Structured Sentencing (Revised 2012): http://www.nccourts.org/Courts/CRS/Councils/spac/Documents/citizenguide2012.pdf

Class "H" felony for using spyware / capture-ware.

Things NOT to do when gathering Digital Evidence (and why)
You receive a computer as evidence, or you are asked to look at data on the computer to see if there is anything of value on it. THINGS YOU SHOULD NOT DO:

Do NOT boot up and start the OS (power up) the computer.
• If you start the system, you change registry keys that could have tied the last start-up to a specific person.
• Check the time stamps of the registry hive files in C:\Windows\System32\config\: SAM, SECURITY, SOFTWARE, SYSTEM. These files are rewritten during start-up and shut-down, so their last-written times reflect the last time the system ran.
• Besides these files, booting changes time stamps in start-up files, DLLs, and hundreds of other operating system and application files (prefetch files, event logs, the page file, and so on).

Registry keys reveal (subset):
• Start-up locations at boot
• Last person (profile) who signed on to the device
• Automatically launched programs at start-up
• System-launched DLLs at start-up
• Processes that were used at start-up
• LINK (.lnk) file data
All of these (and more) contain "time stamps."

Do NOT start looking through the file system.
If you do, you may change important metadata and time stamps that could have been of value to the case. Depending upon the operating system, a file's last-access time may change just by looking at the file (Windows XP updates it by default; Windows Vista and later disable last-access updates by default, so do not rely on that field either way). Other "last written" times change just by booting the system. If any time stamp changed after the examiner took possession of the device, it can be argued that the digital evidence has been tainted.
The reasonable argument could be that "the examiner" changed the items and they may NOT be in their "original" state.

[Screenshot: Forensic Toolkit (FTK) File List pane]

Keep in mind that at some point the person may become aware that they are being watched. They may start using "counter measures" to avoid getting caught, such as installing an automatic-wiping utility. If you boot the computer and it has an auto-start wiping utility, you will have destroyed important artifacts. The next slide shows some examples of auto-wiping utilities.

[Screenshot: examples of auto-wiping utilities]

If there was NOT an auto-wiping utility set to run at start-up, there could have been one set to run at shut-down or log-off. Example of a registry key edit that runs a script at log-off (this is the per-user Group Policy log-off script location):

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\script.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

The utility could have deleted or wiped valuable information from important files, unallocated space, the Internet cache and history, page files, and numerous other locations. The next slide shows a popular wiping program that is set to run at start-up automatically.

[Screenshot: notice the number of options that are available to set upon start-up]

[Screenshot: this program executed at Windows start-up; note the number of items that were NOT checked in this screenshot]

Let's take a look at "Time Stamps"

The matrix below shows which time stamp elements are changed and under what circumstances.
• File rename or move: metadata changed
• File copy: Accessed, Created, metadata changed
• File accessed: Accessed time changed (Windows XP; disabled by default on Vista and later)
• File creation: Modified, Accessed, Created, metadata changed
• File deletion: metadata changed (INFO2 record in the Recycle Bin on XP; $I/$R files on Vista and later)
Viewing digital artifacts on the "original media" can cause valuable metadata and time stamps to be changed.

[Photo: note the embedded time stamp on this photo, 11/28/2011 17:14]

The photo's original Created/Accessed/Modified time is 11/28/2011 at 5:14:02 PM.
On 1/24/2013 at 4:09:45 PM the image was copied from a USB flash drive to the computer's hard drive. The copy caused the Created date and the Accessed date to change. The content of the photo was NOT altered.
On 1/26/2013 at 11:13:51 AM the image was viewed using a graphics application. The graphics application caused the Created date and the Accessed date to change. The content of the photo was NOT altered.

Metadata after the copy:
  Name: IMG_0001.JPG (jpg)
  Created Date: 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
  Accessed Date: 1/24/2013 4:09:45 PM (2013-01-24 21:09:45 UTC)
  Modified Date: 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)
  MD5: 402558E5FCB9E96B393464C7BB160C29

Metadata after viewing the same object with a graphics viewer:
  Name: IMG_0001.JPG (jpg)
  Created Date: 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
  Accessed Date: 1/26/2013 11:13:51 AM (2013-01-26 16:13:51 UTC)
  Modified Date: 11/28/2011 5:14:01 PM (2011-11-28 10:14:02 UTC)
  MD5: 402558E5FCB9E96B393464C7BB160C29

The MD5 is identical in both cases: the file's content is unchanged while its file-system time stamps are not. That is why a content hash, not a time stamp, establishes that a copy matches the original, and why the time stamps have to be preserved by imaging before anyone views the files.

On the stand, "if you booted up the original hard drive and reviewed the files on the hard drive":
• Attorney: Mr. Thomas, when you booted up the computer and started looking at the files, did you change any time stamps or original digital data on this computer?
• Mr. Thomas: Yes I did.
• Attorney: Mr.
Thomas, when performing a digital examination, is it correct protocol to perform the exam on the "original hard drive" without first imaging it?
• Mr. Thomas: No, the correct protocol is to image the media first.
• Attorney: Mr. Thomas, do you realize that you changed information on this hard drive, thus making any of the information on this hard drive "questionable" to the court?

Do NOT mount the "original" target hard drive in an external drive enclosure and start looking through the files. If it is NOT write protected, you will change the evidence.

If you MUST look at the files, or boot up the operating system, the options are:
• With a hardware write-blocker between the original and your workstation:
  • CLONE the original, or
  • build a raw (dd) or EnCase .E01 image
• Install the clone in the device and boot it (the original stays sealed)
• Mount the dd/.E01 image read-only:
  • use FTK Imager to review the files, or
  • use FTK Imager to mount the image as a read-only drive letter and review the files with Windows File Manager (Explorer)
• Hash the original (through the write blocker) and the image or clone, and record both values; matching hashes are what let you testify that the copy is a true copy

Yes! You tainted digital evidence!

Answering these "BASIC" questions from any crime scene:
• When did the crime take place?
• Who did the crime?
• What evidence do you have?
• Were there any fingerprints?

Crime Scene Questions
The same questions apply to digital evidence:
• When did the crime take place? (time and date, IP address, GPS tags, EXIF, ISP authentication records, mail and social media authentication records, metadata artifacts (properties))
• Who did the crime? (SID, profile, email, message post, social post, authentication records)
• What evidence do you have? (deleted, allocated, unallocated, slack)
• Were there any fingerprints? (hash values MD5/SHA-1/SHA-256, GPS location data, authentication records)

TIME

How critical are time stamps?
"WHAT IF" your exam evidence hinged on a specific time frame?

"WHAT IF" the opposing attorney was able to show that the times in the digital examination were not in sync with actual events because the time stamps in the exam were not correct?

Credibility issue?

You may step down!

When did the crime take place?
One of the first things to do as an examiner is to check the target's clock settings in the registry.
#1 How was the PC clock set? Time zone? AM vs. PM?
Registry key (read from the image's SYSTEM hive, not from your workstation):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
(ControlSet001 is usually the one in use; confirm with the "Current" value under HKLM\SYSTEM\Select.)
Values of interest under this key:
• TimeZoneKeyName / StandardName: the time zone the system was set to
• Bias and ActiveTimeBias (REG_DWORD, minutes): UTC = local time + bias, so a bias of 300 (0x12C) means UTC-5
• DynamicDaylightTimeDisabled (REG_DWORD): how is the value set?
  0 = default, automatic daylight-saving adjustment ON
  1 = disabled, daylight-saving adjustment turned off (clock set manually)
Note that this value controls daylight-saving adjustment only. Whether the clock was synchronised with an Internet time server is recorded separately under HKLM\SYSTEM\ControlSet001\Services\W32Time\Parameters (the Type value reads NTP when synchronising and NoSync when not).

Changing the PC Clock
To change the time, click on the clock at the bottom right and select "Change date and time settings." Three tabs are displayed:
• Date and Time: buttons to change the time or the time zone selection
• Additional Clocks: ability to display two clocks
• Internet Time: options. Checked = synchronised with an Internet time server; unchecked = will NOT sync with the time server. NOTE: the default for Internet Time is CHECKED.

Where is a good place to look for clock changes?
• Event Viewer (Start > Run > eventvwr.msc)
• Windows Logs > System
• Event ID = 1
• Source = Kernel-General
• "The system time has changed to ... from ..."
Review web logs, temporary Internet files, and e-mail headers and check whether the embedded time in the artifacts matches the Accessed, Created, and Modified metadata. Mail headers carry their own time zone offsets and server-side Received: stamps, which makes them a good independent reference when the target's clock was set wrong.

When did the crime take place?
Time Stamps: Date and Time Metadata (IMPORTANT)
Carved items, file slack items, and unallocated space items WILL NOT ALWAYS contain time stamps.
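Time stamps on disk are stored as UTC, and a tool that renders them in the examiner's time zone instead of the target's will put events in the wrong hour. The following is an added Python example, not code from the presentation, that decodes Windows FILETIME values and renders them with the bias read from the target's TimeZoneInformation key. The registry values are constructed to look like an imaged US-Eastern system; a real exam reads them from the SYSTEM hive of the image.

```python
"""Decode Windows FILETIME values using the target's own TimeZoneInformation.

Added example; not code from the presentation. The registry values below are
constructed to look like an imaged US-Eastern system; a real exam reads them
from the SYSTEM hive inside the image, never from the examiner's workstation.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour, minute, second) -> datetime:
    """Build an aware UTC datetime (convenience for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, for building comparison values."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def reg_dword(raw: bytes) -> int:
    """REG_DWORD is a little-endian 32-bit value; the bias fields are signed."""
    return struct.unpack("<i", raw)[0]


# Constructed values for HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation.
# Windows stores UTC = local + Bias (minutes), so 300 means UTC-5.
SAMPLE_TZINFO = {
    "TimeZoneKeyName": "Eastern Standard Time",
    "Bias": b"\x2c\x01\x00\x00",                     # 300: standard-time offset
    "DaylightBias": b"\xc4\xff\xff\xff",             # -60: added while DST is in effect
    "ActiveTimeBias": b"\x2c\x01\x00\x00",           # 300: offset in effect at last boot
    "DynamicDaylightTimeDisabled": b"\x00\x00\x00\x00",
}


def describe_dst_setting(tzinfo: dict) -> str:
    """Interpret DynamicDaylightTimeDisabled: 0 = automatic DST on, 1 = off."""
    if reg_dword(tzinfo["DynamicDaylightTimeDisabled"]):
        return "automatic daylight-saving adjustment disabled (clock set manually)"
    return "automatic daylight-saving adjustment enabled (default)"


def _bias_minutes(tzinfo: dict, daylight: bool) -> int:
    bias = reg_dword(tzinfo["Bias"])
    return bias + reg_dword(tzinfo["DaylightBias"]) if daylight else bias


def target_local_time(filetime: int, tzinfo: dict, daylight: bool = False) -> datetime:
    """Render a FILETIME in the *target's* local time, not the examiner's.

    daylight=True applies Bias + DaylightBias for a stamp that falls in the DST
    part of the year; ActiveTimeBias only records the offset in effect when the
    system last ran, so it is not the right value for every time stamp.
    """
    bias = _bias_minutes(tzinfo, daylight)
    tz = timezone(timedelta(minutes=-bias), tzinfo["TimeZoneKeyName"])
    return filetime_to_utc(filetime).astimezone(tz)


def local_to_utc(local_naive: datetime, tzinfo: dict, daylight: bool = False) -> datetime:
    """Turn a naive local time shown by a tool back into UTC with the target's bias."""
    bias = _bias_minutes(tzinfo, daylight)
    return (local_naive + timedelta(minutes=bias)).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    ft = utc_to_filetime(utc(2013, 1, 24, 21, 9, 45))
    print(ft, filetime_to_utc(ft), target_local_time(ft, SAMPLE_TZINFO))
    print(describe_dst_setting(SAMPLE_TZINFO))
```

The sample run reproduces the conversion from the photo slide (2013-01-24 21:09:45 UTC shown as 4:09:45 PM on an Eastern-time machine), and the daylight flag shows why a January stamp and a July stamp from the same system need different biases.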
Most of the time they do not. It depends upon whether the artifact was carved from deleted data or from embedded data. The challenge with these items is to find embedded time stamps within the block of data or the artifact itself (EXIF dates, e-mail headers, HTTP headers, and so on). More often than not, the "smoking gun" will be found in unallocated space, slack space, or carved items.
• Actual (allocated) files will contain file-system time stamps.

Time Stamp Rules
• Date Created: the event that created the file at its current location
• Date Modified: the event that caused the content of the file to change
• Date Accessed: the event that caused the file to be read, copied, or modified (not reliably updated on Vista and later)
• Entry Modified (MFT record change): the event that changed the file's metadata (rename, attribute or security change)
• Registry key LastWrite: the event that caused the content of a registry key (its values or subkeys) to change

Registry hive elements that contain internal and external time elements:
• Most recent documents / saved / visited
• IE history / manually entered searches
• ICQ history / users / logins / passwords
• IM history / users / logins / passwords
• Network / POP3 / passwords / temporary Internet files
• Yahoo! / messaging / passwords / messages
• Security / logon info / passwords / SIDs
• Software install dates / times
• OS info / settings / configurations
• Mounted devices / USB / flash drives (registry)
• Event logs and settings

Who did the crime?

Desktop icons can be valuable during the digital exam. How?

Profiles and SIDs
Windows profiles are associated with specific users. The profile name is assigned by the system administrator or during initial system setup. Profiles are tied to the user's security access. Each is assigned a unique and specific Security Identifier (SID) by the system. There is a naming convention used by the Windows operating system when SIDs are created.
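The SID naming convention is regular enough to parse mechanically, which is useful when an exam turns up hundreds of owner SIDs. Below is an added Python example, not code from the presentation, that splits a SID string into revision, issuing authority, the machine/domain identifier and the relative identifier (RID), classifies the RID against the standard Windows assignments (500 = built-in Administrator, 501 = Guest, 1000 and up = accounts created on the machine), and groups SIDs by the computer that issued them. The demo SIDs are the two from the slides; the well-known RID table is the standard one.

```python
"""Parse Windows SID strings and classify the account each one names.

Added example; not code from the presentation. The demo SIDs are the two from
the slides; the well-known RID table is the standard Windows assignment.
"""
import re
from typing import NamedTuple, Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

WELL_KNOWN_RIDS = {
    500: "built-in Administrator account",
    501: "built-in Guest account",
    512: "Domain Admins group",
    513: "Domain Users group",
}


class SID(NamedTuple):
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]   # everything between the authority and the RID
    rid: int                          # relative identifier: the account or group

    @property
    def issuer(self) -> Tuple[int, ...]:
        """For S-1-5-21-X-Y-Z-RID, (X, Y, Z) identifies the machine or domain."""
        return self.subauthorities[1:] if self.subauthorities[:1] == (21,) else ()


def parse_sid(text: str) -> SID:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    parts = tuple(int(p) for p in m.group(3).lstrip("-").split("-"))
    return SID(int(m.group(1)), int(m.group(2)), parts[:-1], parts[-1])


def describe(sid: SID) -> str:
    if sid.authority != 5:
        return "not issued by the NT Authority"
    if not sid.issuer:
        return "NT Authority service or built-in SID (not a user account)"
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    if sid.rid >= 1000:
        return "user or group created on this machine/domain"
    return "reserved well-known RID"


def same_issuer(a: SID, b: SID) -> bool:
    """True when two account SIDs were issued by the same machine or domain."""
    return bool(a.issuer) and a.issuer == b.issuer


def group_by_issuer(sid_strings) -> dict:
    """Map each machine/domain identifier to the RIDs seen for it; a document
    whose owner SID comes from a different computer stands out immediately."""
    groups = {}
    for s in sid_strings:
        sid = parse_sid(s)
        groups.setdefault(sid.issuer, []).append(sid.rid)
    return groups


if __name__ == "__main__":
    for s in ("S-1-5-21-2777932499-928484944-2849932064-1006",
              "S-1-5-21-2777932499-928484944-2849932064-1000",
              "S-1-5-21-2777932499-928484944-2849932064-500",
              "S-1-5-18"):
        print(s, "->", describe(parse_sid(s)))
```

Resolving a RID back to a user name still requires the SAM hive (and the ProfileList key in the SOFTWARE hive for the profile path); the parser only tells you that the two slide SIDs come from the same computer and differ only in their RIDs.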
Forensically, the SID becomes an invaluable identifier when tracking what a user did and where they went during their login. SIDs are also associated with the desktop login icons (user profiles).

Security Identifier (SID)
Example: the following SIDs show up in the metadata of a document.
S-1-5-21-2777932499-928484944-2849932064-1006
S-1-5-21-2777932499-928484944-2849932064-1000
The components of the SID are:
• S: a SID always begins with the letter "S"
• 1: revision level of the SID structure, in this case revision 1
• 5: the authority that issued the SID; 5 is the NT Authority
• 21: marks a SID issued for an account on a specific machine or domain; the three numbers that follow are that machine's or domain's identifier
• 2777932499-928484944-2849932064: the machine/domain identifier, generated at installation and shared by every account on the same computer (or domain)
• 1006: the relative identifier (RID), the specific user or group in the SAM file. RIDs below 1000 are reserved for well-known accounts (500 = the built-in Administrator, 501 = Guest); RIDs from 1000 upward are handed out in order as accounts are created
• ...-1000: another specific user on this same computer, with the same machine identifier and RID 1000
Now, why is this important in an investigation?

[Screenshot: SID / Security Identifier / SAM file]

[Screenshots]

This is a screen shot of a digital forensics application (FTK) File List pane. Notice the "Owner SID" is appended to each record. Using the SID and time stamps, the forensic examiner can build a road map of what was done during a specific time. The SAM hive, together with HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, is where a SID is tied back to an account name and profile path.

What evidence do you have?

This is a "filtered" view of all graphics associated with the SID ending in 1006, which is the SID for the user "Brother's Stuff." There were a total of 652 graphics associated with this SID.

Were there any fingerprints?
Digital Fingerprints: Authenticity and Hash Values

Hash Values
A hash value is a mathematical calculation over the entire content of the artifact.
FTK and other forensic software tools automatically calculate the hash values. Here are the most common hash algorithms (though there are more):
• MD5 (Message Digest 5): 128-bit digest, 32 hex characters
• SHA-1 (Secure Hash Algorithm 1): 160-bit digest, 40 hex characters
• SHA-256 (Secure Hash Algorithm 2 family): 256-bit digest, 64 hex characters
NIST-approved hash algorithms (FIPS 180-4): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. MD5 is not on that list and has known collision attacks (two different files can be constructed that share one MD5), so record SHA-256 alongside MD5 when hashing evidence rather than relying on MD5 alone.

TIFF days? (Tagged Image File Format: a computer file format used to store images.) Until now, the "legal" explanation of two items being similar has been: "are they reasonable representations of one another?"

Hash Value Dilemma!
Today, artifacts can be compared using these hash values. The questions are: if two (or more) documents, graphics or other artifacts look similar when viewed, but their hash values are different, are they identical? They are, beyond a shadow of a doubt, different at the byte level. The National Institute of Standards and Technology (NIST) says they are different. But will the courts still say they are "a reasonable representation of each other?"

In this screen shot are examples of five hashed text messages:
• Text1 is the simple "the quick brown fox jumped over the lazy dogs back"
• Text2: the same text in UPPER CASE
• Text3: the same text with extra spaces at the end
• Text4: the same text with the first letter of the first word in upper case
• Text4 renamed: the same content as Text4 but with the file name changed
Every change to the content, even a trailing space, produces a completely different hash; renaming the file changes nothing about its content, so its hash is identical to Text4's.

Hash Values
• Can be used to uphold the authenticity of digital artifacts.
"If the hash values are different, should it be argued that one or more are NOT AUTHENTIC?" If proven to be unauthentic, should they be admissible? Even if they appear to be the same on paper, they are forensically different.
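To reproduce the five-message demonstration without the screenshot, here is an added Python example; it is not code from the presentation and the digests are computed, not copied from the slide. It hashes the four content variants with MD5, SHA-1 and SHA-256, hashes a file in chunks the way a tool must for evidence larger than memory, and performs the "Text4 renamed" case on disk to show that a rename leaves the hash unchanged.

```python
"""Hash the text-message variants from the slide and show what changes a digest.

Added example; not code from the presentation. The message contents are
constructed to match the slide's description; digests are computed here.
"""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")

# Constructed inputs mirroring the cases on the slide.
VARIANTS = {
    "Text1": b"the quick brown fox jumped over the lazy dogs back",
    "Text2": b"THE QUICK BROWN FOX JUMPED OVER THE LAZY DOGS BACK",
    "Text3": b"the quick brown fox jumped over the lazy dogs back   ",
    "Text4": b"The quick brown fox jumped over the lazy dogs back",
}


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of one byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so evidence files larger than RAM are handled."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_variants(variants: dict = VARIANTS, algo: str = "sha256") -> dict:
    """Digest per variant; any byte-level difference yields a different digest."""
    return {name: digests(data)[algo] for name, data in variants.items()}


def all_distinct(values) -> bool:
    values = list(values)
    return len(set(values)) == len(values)


def rename_preserves_hash(content: bytes = VARIANTS["Text4"]) -> bool:
    """Write Text4 to disk, hash it, rename it (the 'Text4 renamed' case), hash again.

    A rename only touches the file-system record, never the content.
    """
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "Text4.txt")
        with open(original, "wb") as f:
            f.write(content)
        before = hash_file(original)
        renamed = os.path.join(d, "Text4_renamed.txt")
        os.rename(original, renamed)
        return before == hash_file(renamed)


if __name__ == "__main__":
    for name, digest in compare_variants().items():
        print(name, digest)
    print("rename preserves hash:", rename_preserves_hash())
```

The four content variants produce four unrelated digests under every algorithm, which is the "forensically different" point of the slide; the renamed file hashes identically because the bytes on disk are the same.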
Was one of the items "Photoshopped?"

Now that we've talked about what NOT to do with digital evidence, let's look at what should be done when approaching a digital exam.

Show of hands: how many people know what the following files are?
• What are Shadow Copy files? (Volume Shadow Copy snapshots: earlier versions of files and whole volumes kept by Windows)
• What is pagefile.sys? (the virtual-memory paging file; it can hold fragments of anything that was in RAM)
• What is hiberfil.sys? (the hibernation file: a copy of RAM written when the machine hibernates)
• What are System Volume Information files? (the folder that holds restore points and shadow copies)
• What is unallocated space?
• What is slack space?
• Are documents always (physically) in one big "cluster" on a hard drive, with all the data grouped together? (No: a file larger than one cluster is chained across clusters that need not be contiguous.)

What are System Volume Information files?
[Screenshot: attempting to open and view the contents of the System Volume Information folder from Windows File Manager (logical view); it cannot be opened there]
[Screenshot: attempting to open pagefile.sys from Windows File Manager (logical view); it cannot be opened there]

The point is: many of the keyword "hits" resulting from the digital exam are NOT in common files such as Word documents, spreadsheets, Adobe PDF files, and e-mail files. Most are in Internet cache, unallocated space, slack space, and carved items.

TIME CHECK: what time is it? How much time do we have left?

What is a Digital Forensics Examination?
"A set of established investigative protocols and techniques used to analyze digital media."

Digital Forensics Process (high level)
Stages from the process diagram:
• Ensure personal safety
• Interviews
• Seizure and preservation of all digital evidence
• Data acquisition and imaging
• Indexing case data
• Analyze data
• Document the evidence found
• Reporting and testimony
• Electronic discovery
Seizure and preservation can make the difference between the digital evidence being admissible or inadmissible in court.

Why Perform a Digital Investigation?
A digital forensics investigation may be initiated for many reasons. In civil or criminal investigations, digital forensics may be of value in a wide range of situations:
• The ability to re-trace digital footprints: when, where, how and why individuals (suspects) do what they do.
• With the advent of social web sites and people's ability to share information, it is not uncommon for people to divulge private information to others electronically, including via cell phones.
• Digital forensics may reveal people's emotions, reactions, or motives.
• It may also provide time-stamped timelines that reveal a person's innocence, guilt, or participation in specific events.

Evidence found during the digital forensics investigation can provide the interviewer with valuable information when confronting the suspect.

The Forensic Imaging Process

What is the actual process?
#1 Document information associated with the media (device type, serial number, size, etc.).
#2 Complete an evidence inventory document.
#3 Maintain the chain-of-custody document.
#4 Start the imaging/cloning process (through a write blocker), and record the acquisition and verification hashes of the image.
#5 Digital forensics examination (FTK/EnCase/Nuix) on the image, never on the original.

How many hard drives do we need to perform a digital forensics exam?
• HD0: original HD, sealed after imaging (original evidence)
• HD1 (required): raw (dd) image of HD0
• HD2 (optional): cloned copy of HD0
• HD3 (required): case data, case index, evidence and reports

Mounting and Viewing the Imaged Data
On the Internet, go to the following URL, select the item FTK Imager and, at the drop-down, select the most current version. Download, save and install the AccessData FTK Imager utility.
(It is free.) http://www.accessdata.com/support/product-downloads
With the FTK Imager software and a write-blocker device you may MOUNT the digital image (dd) on a computer and view the files as they would be seen in Windows File Manager.
NOTE: Don't forget to use a hardware write-blocker or a software write-blocker when connecting the drive holding the dd image to a computer. There is a "Block Device / Read Only" option in Imager, but the write-blocker is another safeguard for keeping the image safe. Re-hash the image after you unmount it and compare the value with the acquisition hash; identical values show the mount changed nothing.

After FTK Imager is installed:
• Select "File"
• Select "Image Mounting"
• On the screen to the right, select the file path to the first segment file (xxx.001)
• Make sure the Mount Method box is set to Block Device / Read Only
• Click the "Mount" button
• The image will be mounted (example: H: drive)
• Go to Windows File Manager
• View the files in the H: drive (or whatever your mount drive letter is)
• When you are finished, go back to FTK Imager and UNMOUNT the drive by clicking the Unmount button

Now you are ready for a digital forensics examiner to start processing the image.
Questions?

TCFLLC Contact Information
For a free consultation or to discuss your specific issues, contact:
Gary Thomas, ACE, AME, CCII, NC Private Investigator #4061
704-668-9671 (cell)
Email: gary@thomasforensics.com
www.thomasforensics.com
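Referring back to the imaging process (document the media, inventory it, keep the chain-of-custody record, image through a write blocker, then examine only the image), the one step a tool has to get right is hash verification. The following is an added Python example, not code from the presentation or from FTK Imager or any other forensic tool: it copies a constructed "device" file block by block into a raw image, computes the acquisition hash as the bytes are read and a verification hash by re-reading the finished image, writes a JSON chain-of-custody entry, and then flips one byte of the image to show the later verification failing. Nothing in it replaces a hardware write blocker; the device file only stands in for a drive behind one.

```python
"""Bit-for-bit imaging of a 'device' with acquisition and verification hashes.

Added example; not code from the presentation or from any forensic tool. The
source 'device' is a constructed file standing in for a drive behind a hardware
write blocker; nothing here replaces the write blocker itself.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096   # assumed read size; a multiple of the sector size


def hash_file(path: str, block: int = BLOCK) -> str:
    """SHA-256 of a file, read in blocks so image size does not matter."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path: str, image_path: str, block: int = BLOCK) -> dict:
    """Copy src to image block by block, hashing the bytes as they are read
    (acquisition hash), then re-read the finished image (verification hash)."""
    acq_sha256, acq_md5, size = hashlib.sha256(), hashlib.md5(), 0
    with open(src_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(block), b""):
            acq_sha256.update(chunk)
            acq_md5.update(chunk)
            img.write(chunk)
            size += len(chunk)
    verified = hash_file(image_path)
    return {
        "bytes": size,
        "md5_acquired": acq_md5.hexdigest(),
        "sha256_acquired": acq_sha256.hexdigest(),
        "sha256_verified": verified,
        "verified": verified == acq_sha256.hexdigest(),
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash an image later (after mounting, transport, etc.) and compare."""
    return hash_file(image_path) == expected_sha256


def custody_record(device: dict, result: dict, examiner: str) -> str:
    """JSON chain-of-custody entry: device details, hashes, who, and when (UTC)."""
    entry = {"device": device, "image": result, "examiner": examiner,
             "imaged_at_utc": datetime.now(timezone.utc).isoformat()}
    return json.dumps(entry, indent=2, sort_keys=True)


def demo() -> dict:
    """Image a constructed device, verify it, then show a tampered image failing."""
    with tempfile.TemporaryDirectory() as d:
        hd0 = os.path.join(d, "hd0.bin")                 # stand-in for the sealed original
        with open(hd0, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 123))         # constructed content, odd size
        hd1 = os.path.join(d, "hd1.dd")
        result = image_device(hd0, hd1)
        record = custody_record({"type": "constructed test device", "serial": "N/A"},
                                result, "examiner (example)")
        ok_before = verify_image(hd1, result["sha256_acquired"])
        with open(hd1, "r+b") as f:                      # flip one byte of the image
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        ok_after = verify_image(hd1, result["sha256_acquired"])
        return {"result": result, "record": json.loads(record),
                "verified_before_tamper": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The odd-sized source shows that a partial final block is copied and hashed like any other; the tamper step is the case the verification hash exists for, since a single changed byte anywhere in the image makes the recorded hash fail to match.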