Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 9
Computer Forensics Analysis and Validation
At a Glance
Instructor’s Manual Table of Contents

Overview

Objectives

Teaching Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms
Lecture Notes
Overview
Chapter 9 explains how to apply your computer forensics skills and techniques to a
computing investigation. One of the most critical functions is validating your evidence
during the analysis process. In Chapter 4, you learned how data acquisitions are
validated for Windows and Linux file systems; in Chapter 5, you were introduced to
hashing algorithms; and in Chapter 7, you learned about validating forensics software
tools. In this chapter, you learn more about how hashing algorithms are used in
forensics analysis to validate data. You also learn how to refine and modify your
investigation plan, use data analysis tools and practices to process digital evidence,
determine whether data-hiding techniques have been used, and learn methods for
performing a remote acquisition.
Chapter Objectives
• Determine what data to analyze in a computer forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote acquisition
Teaching Tips
Determining What Data to Collect and Analyze
1. Describe some of the factors that can shape the way digital evidence is examined or
analyzed in both the private and public sectors, including:
a. Nature of the case
b. Amount of data to process
c. Search warrants
d. Court orders
e. Company policies
2. Define scope creep and explain how it can affect an investigation in the private sector.
3. Describe the right of full discovery of digital evidence and how it can affect criminal
investigations.
Approaching Computer Forensics Cases
1. Explain that although there are some basic principles that apply to almost all computer
forensics cases, the approach you take depends largely on the specific type of case
you’re investigating.
2. Describe some of the basic steps for all computer forensics investigations, including:
a. For target drives, use only recently wiped media that have been reformatted and
inspected for computer viruses
b. Inventory the hardware on the suspect’s computer and note the condition of the
computer when seized
c. Remove the original drive from the computer and then check the date and time
values in the system’s CMOS
d. Record how you acquired data from the suspect drive
e. Process the data methodically and logically
f. List all folders and files on the image or drive
g. If possible, examine the contents of all data files in all folders, starting at the
root directory of the volume partition
h. For all password-protected files that might be related to the investigation, make
your best effort to recover file contents
i. Identify the function of every executable (binary or .exe) file that doesn’t match
known hash values
j. Maintain control of all evidence and findings, and document everything as you
progress through your examination
Refining and Modifying the Investigation Plan
1. Describe some of the considerations when refining an investigation plan:
a. Determining the scope of the investigation
b. Estimating the number of hours needed to complete the case
c. Deciding whether you should collect all information
d. Planning what to do in case of scope creep
2. Mention that the key is to start with a plan but remain flexible in the face of new
evidence.
Using AccessData Forensic Toolkit to Analyze Data
1. Explain that FTK supports FAT12, FAT16, FAT32, NTFS, Ext2fs, and Ext3fs file
systems. Also, FTK can interact with several other forensic tools.
2. Illustrate the use of log files when performing an investigation.
3. Describe the two keyword searching options available in FTK, as well as their
advantages and disadvantages, including performance and accuracy. Searches can be
refined with different options. Use Figures 9-1 and 9-2 to illustrate your explanation.
4. Mention that FTK can analyze compressed files.
5. Explain how to create bookmarks in FTK and how to use those bookmarks when creating
a final investigation report. Use Figure 9-3 to illustrate your explanation.
Teaching Tip: You can obtain a copy of FTK at:
www.accessdata.com/common/pagedetail.aspx?PageCode=homepage.
Validating Forensic Data
1. Explain that validating digital evidence is one of the most critical aspects of computer
forensics because ensuring the integrity of data you collect is essential for presenting
evidence in court.
2. Explain that most computer forensic tools provide automated hashing of image files.
Computer forensics tools have some limitations in performing hashing, so learning how
to use advanced hexadecimal editors is necessary to ensure data integrity.
Validating with Hexadecimal Editors
1. Explain that advanced hexadecimal editors offer many features not available in
computer forensics tools, such as hashing specific files or sectors.
2. Explain that Hex Workshop provides several hashing algorithms, such as MD5 and
SHA-1. Hex Workshop also generates the hash value of selected data sets in a file or
sector. Use Figures 9-4 through 9-6 to illustrate your explanation.
3. Mention that AccessData has a separate database, the Known File Filter (KFF). KFF
filters known program files from view, such as MSWord.exe, and identifies known
illegal files, such as child pornography.
4. Explain that KFF compares known file hash values to files on your evidence drive or
image files.
5. Mention that periodically, AccessData updates these known file hash values and posts
an updated KFF.
Validating with Computer Forensics Programs
1. Mention that commercial computer forensics programs have built-in validation features.
2. Explain that ProDiscover’s .eve files contain metadata that includes the hash value, and
data validation is done automatically. Raw format image files (.dd extension) don’t
contain metadata, so you must validate raw format image files manually to ensure the
integrity of data.
3. Explain that in AccessData FTK Imager, when you select the Expert Witness (.e01) or
the SMART (.s01) format, additional options for validating the acquisition are
displayed. This validation report also lists MD5 and SHA-1 hash values.
4. Use Figure 9-7 to show how ProDiscover’s built-in validation feature works.
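Raw (.dd) images carry no embedded hash, so the examiner validates them by hand. The following is an added example (not from the textbook or any vendor tool) that hashes an image in chunks with MD5 and SHA-1, compares the result with the values recorded at acquisition, and hashes a selected sector range the way a hex editor such as Hex Workshop does. The sample image and its "recorded" hashes are constructed inline; the chunk size and 512-byte sector size are assumptions.

```python
"""Manual validation of a raw (.dd) image: whole-image and per-sector hashing."""
import hashlib
import io

SECTOR_SIZE = 512  # assumed sector size; check the acquisition notes for the real drive


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash an image stream in 1 MiB chunks so a multi-gigabyte image never sits in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sectors(stream, first_sector, count, algorithm="sha1"):
    """Hash a contiguous sector range, like selecting sectors in a hex editor."""
    stream.seek(first_sector * SECTOR_SIZE)
    return hashlib.new(algorithm, stream.read(count * SECTOR_SIZE)).hexdigest()


def validate_image(stream, expected):
    """Compare computed hashes with those recorded at acquisition; True means a match."""
    stream.seek(0)
    actual = hash_stream(stream, algorithms=tuple(expected))
    return {name: actual[name] == expected[name].lower() for name in expected}


def validate_bytes(image_bytes, expected):
    """Convenience wrapper for an image already held in memory (e.g. the sample below)."""
    return validate_image(io.BytesIO(image_bytes), expected)


# Constructed sample "image": 8 sectors of deterministic bytes, not a real drive.
SAMPLE_IMAGE = bytes((i * 7 + 3) % 256 for i in range(8 * SECTOR_SIZE))
# The hashes an examiner would have written down at acquisition time. They are computed
# here only so the sample is self-contained; in practice they come from the acquisition log.
RECORDED = hash_stream(io.BytesIO(SAMPLE_IMAGE))
# A copy with one byte altered, to show that validation catches a single changed byte.
TAMPERED_IMAGE = SAMPLE_IMAGE[:1024] + b"\x00" + SAMPLE_IMAGE[1025:]

if __name__ == "__main__":
    print("original image :", validate_bytes(SAMPLE_IMAGE, RECORDED))
    print("tampered image :", validate_bytes(TAMPERED_IMAGE, RECORDED))
    print("sectors 2-3 sha1:", hash_sectors(io.BytesIO(SAMPLE_IMAGE), 2, 2))
```

For a real case, open the image with `open(path, "rb")` in place of `io.BytesIO` and take the expected values from the acquisition report rather than recomputing them.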
Teaching Tip: For more information about ProDiscover, visit its official Web site at:
www.techpathways.com/prodiscoverdft.htm.
Addressing Data-hiding Techniques
1. Mention that data hiding involves changing or manipulating a file to conceal
information.
2. Explain that data-hiding techniques include hiding entire partitions, changing file
extensions, setting file attributes to hidden, using encryption, and setting up password
protection.
Hiding Partitions
1. Explain how to create a partition and then hide it using a disk editor.
2. Describe how you can get access to hidden partitions. List several tools that can help
you with this task, such as: GDisk, PartitionMagic, System Commander, and LILO.
3. Mention that you should account for all disk space when analyzing a disk. Use Figures
9-8 and 9-9 to illustrate your explanation.
Teaching Tip: Mention that Windows creates a partition gap between partitions automatically;
however, you might find a gap that’s larger than it should be.
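Accounting for all disk space, as the section above recommends, can be scripted. The following is an added example (not from the textbook) that parses an MBR partition table, flags entries whose type ID marks them as hidden, and lists every unallocated sector range, marking any gap larger than the alignment gap Windows normally leaves. The MBR and disk size are constructed inline, and the 2048-sector expected gap is an assumption you should adjust for the drive and OS at hand.

```python
"""Account for every sector on an MBR disk: partitions, hidden types, and the gaps between."""
import struct

MBR_SIGNATURE = b"\x55\xaa"
# Standard MBR type IDs that mark a partition as hidden from the OS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(mbr):
    """Return (type_id, start_lba, sector_count) for each used entry, sorted by start."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _boot, _chs_start, ptype, _chs_end, start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0 and count != 0:
            entries.append((ptype, start, count))
    return sorted(entries, key=lambda e: e[1])


def hidden_partitions(entries):
    """Entries whose type ID says the partition is hidden."""
    return [e for e in entries if e[0] in HIDDEN_TYPES]


def find_gaps(entries, disk_sectors, expected_gap=2048):
    """Unallocated ranges as (first, last, suspicious); suspicious = larger than expected."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for _ptype, start, count in entries + [(0, disk_sectors, 0)]:
        if start > cursor:
            gaps.append((cursor, start - 1, start - cursor > expected_gap))
        cursor = max(cursor, start + count)
    return gaps


def build_mbr(entries):
    """Constructed test MBR (not from a real disk) holding the given partition entries."""
    table = b"".join(struct.pack("<B3sB3sII", 0, b"\0\0\0", t, b"\0\0\0", s, c)
                     for t, s, c in entries)
    return bytes(446) + table.ljust(64, b"\0") + MBR_SIGNATURE


# Constructed disk of 100000 sectors: an NTFS partition, then an 18000-sector hole, then
# a partition whose type 0x17 marks it as hidden NTFS.
SAMPLE_DISK_SECTORS = 100000
SAMPLE_MBR = build_mbr([(0x07, 2048, 40000), (0x17, 60000, 40000)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    print("partitions:", parts, "hidden:", hidden_partitions(parts))
    print("gaps:", find_gaps(parts, SAMPLE_DISK_SECTORS))
```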
Marking Bad Clusters
1. Illustrate the process of marking clusters as bad so information can be hidden there from
the OS.
Quick Quiz 1
1. The term ____ means that an investigation expands beyond the original description
because of unexpected evidence you find, prompting the attorney to ask you to examine
other areas to recover more evidence.
Answer: scope creep
2. True or False: One of the most critical aspects of computer forensics is validating digital
evidence because ensuring the integrity of data you collect is essential for presenting
evidence in court.
Answer: True
3. ____ filters known application software files from view and identifies illegal images,
such as child pornography.
Answer: Known File Filter (KFF)
4. ____ involves changing or manipulating a file to conceal information.
Answer: Data hiding
Bit-shifting
1. Define bit-shifting as an old technique that shifts bit patterns to alter byte values of data
and makes files look like binary executable code.
2. Describe how Hex Workshop can be used to shift bits on any file. Use Figures 9-10
through 9-12 to illustrate your explanation.
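The examiner's side of bit-shifting is undoing it. The following added example (not from the textbook or Hex Workshop) models the shift as a rotation of each byte, tries all eight rotations of a suspect file's leading bytes, and stops when a known file signature appears, which recovers both the file type and the number of bits the data was shifted. The in-byte rotation model and the signature table are assumptions of this example; the hidden sample is constructed inline.

```python
"""Recover a bit-shifted file by trying every in-byte rotation against known signatures."""

# Leading bytes of common file types (a small table; extend for the case at hand).
SIGNATURES = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
    b"MZ": "dos/windows executable",
}


def rotate_bytes(data, n):
    """Rotate every byte left by n bits (0-7). Rotating by 8-n afterwards undoes it."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def identify(data):
    """Return the file type whose signature matches the leading bytes, or None."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def recover_shift(data):
    """Try all 8 rotations of the data; return (rotation_applied, type, recovered) or None.

    rotation_applied == 0 means the data was not shifted at all.
    """
    for n in range(8):
        candidate = rotate_bytes(data, n)
        kind = identify(candidate)
        if kind:
            return n, kind, candidate
    return None


# Constructed sample: a minimal PDF header concealed by rotating each byte 3 bits left.
SAMPLE_HIDDEN = rotate_bytes(b"%PDF-1.4\n%constructed sample\n", 3)

if __name__ == "__main__":
    result = recover_shift(SAMPLE_HIDDEN)
    if result:
        n, kind, recovered = result
        print(f"recovered a {kind} file by rotating {n} bits: {recovered[:8]!r}")
    else:
        print("no known signature at any rotation")
```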
Using Steganography
1. Define steganography and describe how this technique can be used to hide information.
2. Explain that steganography tools were created to protect copyrighted material by
inserting digital watermarks into a file.
3. Explain that a suspect can hide information on image or text document files. Most
steganography programs can insert only small amounts of data into a file.
4. Mention that data hidden using this technique is very hard to find without prior
knowledge.
5. Describe some of the most common steganography tools, such as S-Tools, DPEnvelope,
jpgx, and tte.
Teaching Tip: Read more about steganography at: http://en.wikipedia.org/wiki/Steganography.
Examining Encrypted Files
1. Describe the problems you may encounter when analyzing an encrypted data file and the
techniques available for recovering data without a password or passphrase, including:
a. Key escrow
b. Cracking passwords
c. Persuade suspect to reveal password
Recovering Passwords
1. Describe the main techniques for finding passwords:
a. Dictionary attack
b. Brute-force attack
c. Profile attack
2. Mention some of the tools used to recover passwords, including:
a. AccessData PRTK
b. Advanced Password Recovery Software Toolkit
c. John the Ripper
3. Explain that AccessData offers a tool called Password Recovery Toolkit (PRTK)
designed to create possible password lists from many sources. Use Figures 9-13 and 9-14 to illustrate your explanation.
4. Explain that with PRTK, you can create your own custom dictionary based on facts in
the case. You can also create a profile of a suspect and use that biographical information
to generate likely passwords. Use Figure 9-15 to illustrate your explanation.
Teaching Tip: Mention that password cracking requires a lot of memory, so the more RAM on
your forensic workstation, the better.
5. Explain that FTK can identify known encrypted files and those that seem to be
encrypted and export them. You can then import these files into PRTK and attempt to
crack them. Use Figures 9-16 and 9-17 to illustrate your explanation.
Performing Remote Acquisitions
1. Explain that remote acquisitions are handy when you need to image the drive of a
computer far away from your location or when you don’t want a suspect to be aware of
an ongoing investigation.
Remote Acquisitions with Runtime Software
1. Mention that Runtime Software offers the following shareware programs for remote
acquisitions:
a. DiskExplorer for FAT
b. DiskExplorer for NTFS
c. HDHOST
2. Explain that preparing DiskExplorer and HDHOST for remote acquisitions requires the
Runtime software, a portable media device (USB thumb drive or floppy disk), and two
networked computers.
3. Describe how to install DiskExplorer and HDHOST on your computer for remote
acquisitions.
4. Mention that making a remote connection with DiskExplorer requires running
HDHOST on a suspect’s computer.
5. Explain that to establish a connection with HDHOST, the suspect’s computer must be
connected to the network, powered on, and logged on to any user account with
permission to run noninstalled applications. HDHOST can’t be run surreptitiously.
6. Use Figures 9-18 through 9-24 to explain how to establish a connection with HDHOST.
7. Explain that after you have established a connection with DiskExplorer from the
acquisition workstation, you can navigate through the suspect computer’s files and
folders or copy data. Use Figure 9-25 to illustrate your explanation.
8. Mention that the Runtime tools don’t generate a hash for acquisitions.
Quick Quiz 2
1. ____ password attacks use every possible letter, number, and character found on a
keyboard.
Answer: Brute-force
2. In a(n) ____ password attack, the program uses common words found in the dictionary
and tries them as passwords.
Answer: dictionary
3. True or False: Remote acquisitions are handy when you need to image the drive of a
computer far away from your location or when you don’t want a suspect to be aware of
an ongoing investigation.
Answer: True
4. ____ is a remote access program for communication between two computers. The
connection is established by using the DiskExplorer program (FAT or NTFS)
corresponding to the suspect (remote) computer’s file system.
Answer: HDHOST
Class Discussion Topics
1. Is it easier to perform a computer forensic investigation if the suspect’s computer is a
Linux or UNIX system instead of Windows? Does the OS affect the process at all?
Consider all flavors of Linux/UNIX and Windows.
2. The U.S. Department of Defense recommends wiping storage media at least three to
seven times to prevent possible retrieval of sensitive information. Do these numbers
seem excessive?
Additional Projects
1. Ask your students to investigate partition manager utilities and create a comparison
table including the following information:
a. OSs supported
b. File systems supported
c. Maximum partition size supported
d. Interface (command line or graphical)
e. Cost
2. Ask your students to read more about key recovery and key escrow. Ask them to write a
report explaining the most important risks.
Additional Resources
1. Known-file hash set Web sites:
a. www.dmares.com/maresware/hash_cd.htm
b. http://hashtool.gwlink.net/
2. Storage media wiping software Web sites:
a. http://staff.washington.edu/jdlarios/autoclave/
b. http://dban.sourceforge.net/
c. www.dmares.com/maresware/df.htm#DECLASFY
d. www.cyberscrub.com/cybercide/
e. www.tolvanen.com/eraser/
f. www.jiiva.com/
g. www2.neweb.ne.jp/wd/morimoto/en/diskeraser/
h. http://itso.iu.edu/Securely_Removing_Data
3. Steganography Revealed:
www.securityfocus.com/infocus/1684
4. Key escrow:
http://en.wikipedia.org/wiki/Key_escrow
5. Brute-force attack:
http://en.wikipedia.org/wiki/Brute_force_attack
6. Dictionary attack:
http://en.wikipedia.org/wiki/Dictionary_attack
Key Terms
• bit-shifting — The process of shifting one or more digits in a binary number to the left
or right to produce a different value.
• key escrow — A technology designed to recover encrypted data if users forget their
passphrases or if the user key is corrupted after a system failure.
• Known File Filter (KFF) — A database containing the hash values of known
legitimate and suspicious files. It’s used to identify files for evidence or eliminate them
from the investigation if they are legitimate files.
• scope creep — The result of an investigation expanding beyond its original description
because the discovery of unexpected evidence increases the amount of work required.
• steganography — A cryptographic technique for embedding information in another file
for the purpose of hiding that information from casual observers.