Chapter 3 Designing of the NICA Computer Forensic Tool

NICA Tool: Extract and Correlate Evidences in Computer Forensics
by
Alicia Castro
B.S. Computer Engineering, University of Louisville, 2003
A Thesis
Submitted to the Faculty of Graduate School of the
University of Colorado at Colorado Springs
In partial fulfillment of the Requirements
for the Degree of
Master of Engineering in Software Engineering
Department of Computer Science
2010
© Copyright by Alicia Castro 2010
All Rights Reserved
This thesis for the Master of Engineering degree by
Alicia Castro
has been approved for the
Department of Computer Science
by:
Dr. Edward Chow
(Advisor)
Dr. Jugal Kalita
Dr. Xiaobo Zhou
_______________
Date
NICA Tool: Extract and Correlate Evidences in Computer Forensics
by
Alicia Castro
(Master of Engineering, Software Engineering)
Thesis directed by Professor C. Edward Chow
Abstract
Computer forensics is a fast growing field. The technology is advancing faster
than some U.S. laws can keep up with. Probable cause, search warrants, and focus of
search when dealing with computers, software, and Web content have been compared to
traditional searches. Since computers contain so much information, it is possible to
uncover incriminating information that cannot be used due to the limits of search
warrants. The motivation behind the search and seizure laws will be examined in relation
to the computer forensic field. This thesis examines the close relationship between the
constitution and other important laws about search and seizure of computers and digital
evidence. It is very important to understand the connection between the legality of the
act of getting the evidence and proving that a crime was committed.
This thesis also develops a new forensic tool, the NICA Forensic Tool, that helps
the investigator gather more detailed information about sites visited, with date and
time stamps. If there is any doubt that the user logged into the computer or was the
one who downloaded or visited those sites, the tool also searches for other login activities
from programs like Skype, Outlook and Instant Messenger. The tool helps reduce the doubt
about whether there was intent to commit a crime and simplifies the tedious data
collection and processing.
This thesis is dedicated to my husband Dean
my children: Christina, Richard and Christopher
Acknowledgements
I would like to express my appreciation to my advisor Dr. Edward Chow for his
constant support and guidance. Special thanks to my advisory committee: Dr. Xiaobo
Zhou, and Dr. Jugal Kalita. My gratitude also goes to Patricia Rea, who helped to keep
track of my time and all the paperwork needed in order to graduate on time.
Special thanks to Dean, Marlon and Rebecca, who helped me edit this thesis.
The most special thanks go to my best partner and friend, my husband Dean, who helped
me and supported me through all this long process.
TABLE OF CONTENTS
Table of Figures..................................................................................................................x
Chapter 1 Forensics Legal Issues Overview .......................................................................1
1.1 Introduction ...........................................................................................................1
1.2 Related Work .........................................................................................................3
1.3 Search and Seizure ................................................................................................4
1.4 Electronic Communications Privacy Act (ECPA) ................................................8
1.5 Wiretap Statute ....................................................................................................16
1.6 Pen/Trap Statute ..................................................................................................19
1.7 USA PATRIOT ACT ..........................................................................................20
1.8 Colorado House Bill Amendment .......................................................................23
1.9 Roles of Computer Forensic ................................................................................24
1.10 Computer Forensic Investigation ................................................................27
Chapter 2 Related Work....................................................................................................31
2.1 Forensic Tool Requirements................................................................................31
2.1.1 Basic Customer Requirements ............................................................31
2.1.2 Purpose ...............................................................................................32
2.2 Project Scope .......................................................................................................32
2.3 Software System Perspective ..............................................................................33
2.3.1 Operating Environment ......................................................................33
Chapter 3 Designing of the NICA Computer Forensic Tool ............................................34
3.1 Objectives of the Computer Forensic Tool Design .............................................34
3.2 Design of the Forensic Tool ................................................................................35
3.3 Brief Introduction to the Essential Registry Key Information ............................35
3.4 Understanding the Actors ....................................................................................37
3.4.1 User Profile .........................................................................................37
3.4.2 Internet Explorer .................................................................................42
3.4.3 Mozilla Firefox ...................................................................................51
3.4.4 Google Chrome ...................................................................................53
3.4.5 Skype ..................................................................................................54
3.4.6 Outlook ...............................................................................................56
3.4.7 Instant Messenger ...............................................................................57
3.5 Understanding the Data Flow ..............................................................................61
Chapter 4 External Tools used with NICA Forensic Tool ................................................64
4.1 Internet Explorer Cache View (IECacheView) ...................................................65
4.2 Internet Explorer History Viewer (IEHistoryView) ............................................66
4.3 MozillaCacheView ..............................................................................................68
4.4 ChromeCacheView..............................................................................................70
4.5 SQLite..................................................................................................................71
4.6 Microsoft Log Parser ...........................................................................................72
4.7 Outlook Redemption ...........................................................................................76
Chapter 5 Cracking a Criminal Case Using the NICA Forensic Tool ..............................78
5.1 Criminal Case Statement .....................................................................................78
5.2 Computer Forensics Analysis ..............................................................................79
5.3 Finding Evidence .................................................................................................80
5.4 Analysis of Evidence Found ................................................................................88
5.5 Correlating Evidence ...........................................................................................89
5.6 Relevant Evidence ...............................................................................................91
Chapter 6 NICA Forensic Tool Analysis ........................................................................93
6.1 Functionality Analysis .........................................................................................93
6.2 Performance Analysis ..........................................................................................94
6.3 Usage Evaluation .................................................................................................94
Chapter 7 Lessons Learned ...............................................................................................99
Chapter 8 Conclusions ....................................................................................................101
References ........................................................................................................................104
Appendix A User’s Manual ............................................................................................114
Product ............................................................................................................114
Scope/Purpose: ................................................................................................114
User’s Data Flow.............................................................................................115
Conventions ....................................................................................................115
Installing the software .............................................................................................116
System Requirements (General) .....................................................................116
Information/resources required in the process of installation .........................117
Deploying the Forensic Tool ...................................................................................117
NICA Forensic Tool GUI: .......................................................................................117
Table of Figures
Figure 1. Registry key for users (SID). ...............................................................................42
Figure 2. Internet Explorer location of the cookies files. .................................................44
Figure 3. IE location of the History file containing web site information ........................45
Figure 4. IE location of the Internet Files containing web sites info and index.dat files. .46
Figure 5. IE TypedURL information location. ..................................................................47
Figure 6. Index.dat file header. ..........................................................................................49
Figure 7. Index.dat file size. ..............................................................................................49
Figure 8. Location of the hash table. .................................................................................50
Figure 9. Beginning of the hash table. ...............................................................................50
Figure 10. Files downloaded from the web. ......................................................................50
Figure 11. Mozilla Firefox profiles information ................................................................52
Figure 12. Google Chrome file’s location. ........................................................................54
Figure 13. Instant Messenger Menu default settings. ........................................................58
Figure 14. Windows Live Messenger keys location. .........................................................59
Figure 15. Data Flow Diagram. .........................................................................................61
Figure 16. IE History file content. .....................................................................................66
Figure 18. Location of Mozilla Firefox Cache files. .........................................................69
Figure 19. Location of Google Chrome Cache files. .........................................................71
Figure 20. Log Parser architecture diagram. ......................................................................73
Figure 21. Log parser output to the console. ....................................................................75
Figure 22. Log parser output to a datagrid .........................................................................76
Figure 23. Enter New Case Information. ...........................................................................81
Figure 24. Run Parser to get activity entries. .....................................................................81
Figure 25. User profile and timeline for activities. ............................................................82
Figure 26. Mark items that seem suspicious. .....................................................................82
Figure 27. Enter the preferred time frame between activities. ...........................................83
Figure 28. View the suspicious activities and surrounding activities that were marked. ..84
Figure 29. Right click to get details of the Outlook activities selected ..............................85
Figure 30. Mark Items by Pattern on the Outlook grid. .....................................................86
Figure 31. Search evidence between two Outlook users. ..................................................86
Figure 32. Report displaying activities that comply with the pattern selected. .................87
Figure 33. Select and mark activities by defined keywords. .............................................87
Figure 34. Display the amount of activities found. ............................................................88
Figure 35. Histogram analyzing data ................................................................................90
Chapter 1
Forensics Legal Issues Overview
In order to better understand computer forensics legal issues, one needs to
understand the fundamentals of the search and seizure laws, the Electronic Communications
Privacy Act, the Wiretap Statute, the Pen/Trap Statute and the PATRIOT Act. Computer
forensics investigators need to apply these laws to their daily investigative work. There is a
strong relationship between the legal issues related to forensics and the use of forensic tools.
Evidence must be collected in a way that is legally admissible in a court case.
1.1 Introduction
For years the police have entered homes and offices, hauled away filing cabinets
full of records, and searched them back at the police station for evidence. In Fourth
Amendment terms, these actions are entry, seizure, and search, respectively, and usually
require the police to obtain a warrant. Modern-day police can avoid some of these messy
steps with the help of technology: They have tools that duplicate stored records and
collect evidence of behavior, all from a distance and without the need for physical entry.
These tools generate huge amounts of data that may be searched immediately or stored
indefinitely for later analysis. Meanwhile, it is unclear whether the Fourth Amendment’s
restrictions apply to these technologies: Are the acts of duplication and collection
themselves seizure? Before the data is analyzed, has a search occurred? Today, tools can
detect heat released from buildings, recreate images displayed on distant computer
monitors, determine what is typed on a keyboard by listening to the distinct sounds of the
key presses, and eavesdrop on Wi-Fi Internet communications traveling through the air.
Handheld GPS units can monitor and store our movements around town, and web
browsers keep detailed records of the websites we have visited. Tomorrow will surely
bring new tools that are more invasive, easier to use, and able to work from greater
distances (Ohm, 2005).
Computer forensics is a relatively new discipline to the courts and many of
the existing laws used to prosecute computer-related crimes, legal precedents, and
practices related to computer forensics are in a state of flux. New court rulings are issued
that affect how computer forensics is applied. The important point for forensics
investigators is that evidence must be collected in a way that is legally admissible in a
court case (CERT, 2008).
Computer forensics involves obtaining and analyzing digital information for use as
evidence in civil, criminal or administrative cases. Documents maintained on a computer
are covered by different rules, depending on the nature of the documents. Many court
cases in state and federal court have developed and clarified how rules apply to digital
evidence. The Fourth Amendment of the US Constitution (and each state’s constitution)
protects everyone’s right to be secure in their person, residence and property from search
and seizure (Computer Forensics, 2008). Thus like any other crime scene, rules apply to
obtaining search warrants to search and seize computers, computer files, and disks.
1.2 Related Work
Computer Forensics in Forensics
The paper Computer Forensics in Forensics (Peisert, 2008) explains the relation
between the search and seizure laws, forensic investigation rules and the use of forensic
tools and/or forensic analysis. I actually used this paper as a guide for my thesis. I was
attracted and puzzled by the ambiguity of the laws and I wanted to investigate more about
it. The steps and structure that a forensic analysis needs to follow were also of great
interest, and of course the use of forensic tools, which in this case meant the creation and use
of a forensic tool.
Discipline of Internet Forensic
The paper Discipline of Internet Forensic (Berghel, 2003) gives a brief explanation of
the correlation between search and seizure and computer forensic tools, and explains that an
Internet forensic specialist needs to know as much as or more than a hacker. So a
forensic specialist in effect needs to be a hacker to understand how the tools work. Even
though this paper focuses more on network tools and netscan tools, its general point that one
must know how computers work in order to create and understand a forensic tool applies
here as well.
Next Generation Digital Forensics
The paper Next Generation Digital Forensics (Roussev, 2006) exposes the need for
new forensic tools and strategies. Investigators have more and more complex cases, and there
is a feeling that today's forensic tools are not up to the new challenges. Even though this paper
did not apply to my thesis, I found out that cyber crime is increasing and getting more
sophisticated while forensic tools are lagging behind.
Secure Audit Logs to Support Computer Forensics
The paper Secure Audit Logs to Support Computer Forensics (Kelsey, 1999) uses the audit
log as a forensic tool. It assumes that audit log entries detect an intrusion, such as recording the
opening of a door, the removal of a tamper-resistant coating, or access to normally secret files.
The main objective is to detect intrusion and provide audit capabilities. This
solution could be efficient for detecting hacking or intrusion, but the objective of this thesis is
to obtain information about users who already have a user profile on the computer.
1.3 Search and Seizure
In computer forensics the search and seizure provisions of the Fourth Amendment have played a
fundamental role. The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no Warrants shall
issue, but upon probable cause, supported by Oath or affirmation, and particularly
describing the place to be searched, and the persons or things to be seized (Wegman,
2004).
The Fourth Amendment is part of the Bill of Rights which guards against
unreasonable searches and seizures. It was ratified as a response to the abuse of the writ
of assistance which was a type of general search warrant in the American Revolution. It
specified that any warrant must be judicially sanctioned for a search or an arrest in order
for such a warrant to be considered reasonable. Warrants must be supported by probable
cause and be limited in scope according to specific information supplied by a person. It
only applies to governmental actors and to criminal law (IST 432- Computer Forensic).
An example would be a warrant issued to search an individual’s computer for child
pornography where the search instead finds records of embezzlement; the embezzlement
records could not be used in a court of law. The exception is if the police could justify
obtaining a warrant to search the computer for records of embezzlement.
The Fourth Amendment interposes a magistrate as an impartial arbiter between
the defendant and the police. The magistrate may issue a search warrant if the magistrate
or judge is convinced that probable cause exists to support a belief that evidence of a
crime is located at the premises. The officer must prepare an affidavit that describes the
basis for probable cause and the affidavit must limit the area to be searched and evidence
searched for. The warrant thus gives the police only a limited right to violate a citizen’s
privacy. If the police exceed that limited right, or if a warrant is required but the police
have not first obtained one, then any evidence seized must be suppressed (U.S.
Department of Justice, 2002). The issue of suppression, driven by a determination of
whether the Fourth Amendment has been correctly followed by the police is often the
determining factor in criminal cases (Wegman, 2004).
Search warrants give only limited authority to the police to search. The search
should be no more extensive than necessary as justified by probable cause. Thus, if the
probable cause indicates that the contraband is located in a file on a CD, this would not
justify seizing every computer and server on the premises. The extent of the search is
tailored to the probable cause. If the police wish to seize a computer for analysis at a
later time, the probable cause statement should demonstrate the impracticality or danger
of examining the computer on the premises; hence the need to confiscate it and analyze it
off-site (Wegman, 2004).
Another question facing law enforcement is when to notify the target of a search.
Normally the target is notified at the time a physical search is made. However, the USA
PATRIOT Act amended Title 18, Sec.3103a of the United States Code to permit delayed
notification. Law enforcement may now delay notification of the target for up to 90 days,
with another delay possible upon a showing of good cause. In order to obtain authority
for delayed notification, an investigator must show a need for the delay (IST 432- Computer
Forensic). Reasons include danger to the life or safety of an individual, risk of
flight from prosecution, witness or evidence tampering, or that immediate notice would
seriously jeopardize the investigation.
Another legal issue in computer forensic cases is how much time the police may
have to analyze a computer after seizing it. Federal Rule of Criminal Procedure 41 (c)
(1) gives the police ten days after issuance of the warrant to serve it. But there is nothing
in the Federal Rule of Criminal Procedure about how long the police may keep and
analyze the computer. As a practical matter, the search of a computer in police custody
should be done as quickly as possible. This is especially important if the computer is
needed for the operation of a business (Wegman, 2004).
In the United States Supreme Court case of Illinois v. Andreas, 463 U.S. 765
(1983), the Court held that a search warrant is not needed if the target does not have a
reasonable expectation of privacy in the area searched. The loss of a reasonable
expectation of privacy, and therefore the loss of Fourth Amendment protection is
extremely important because much information is transmitted to networks and to the
internet. If circumstances suggest the sender had no reasonable expectation of privacy,
then no warrant is required by the police in order to obtain that information (Wegman,
2004). Examples would be blogs, website posts, and websites themselves. Public
computers like library computers are not covered under the expectation of privacy.
No warrant is needed when the target consents to a search of his/her computer. No
warrant is needed where a third party, such as a spouse, parent, employer or co-worker
consents to the search, so long as the third party has equal control over the computer
(USA Dept of Justice, 2009). An example would be if a married couple shared a
computer in their home. The wife could consent to a search without the husband’s
consent and vice versa.
Agents should be especially careful about relying on consent as the basis for a
search of a computer when they obtain consent for one reason, but then wish to conduct a
search for another reason. In two recent cases, the Courts of Appeals suppressed images
of child pornography found on computers after agents procured the defendant's consent to
search his property for other evidence. In United States v. Turner, 169 F.3d 84 (1st Cir.
1999), detectives searching for physical evidence of an attempted sexual assault obtained
written consent from the victim's neighbor to search the neighbor's "premises" and
"personal property." Before the neighbor signed the consent form, the detectives
discovered a large knife and blood stains in his apartment, and explained to him that they
were looking for more evidence of the assault that the suspect might have left behind.
While several agents searched for physical evidence, one detective searched the contents
of the neighbor's personal computer and discovered stored images of child pornography.
The neighbor was charged with possessing child pornography. On interlocutory appeal,
the First Circuit held that the search of the computer exceeded the scope of consent and
suppressed the evidence. According to the Court, the detectives' statements that they were
looking for signs of the assault limited the scope of consent to the kind of physical
evidence that an intruder might have left behind. By transforming the search for physical
evidence into a search for computer files, the detective had exceeded the scope of
consent. In the second case, the court concluded that agents exceeded the scope of consent by
searching the computer after the defendant signed a broadly-worded written consent form,
because the agents had told the defendant that they were looking for drugs and drug-related
items rather than computer files containing child pornography (USA Dept of Justice, 2009).
1.4 Electronic Communications Privacy Act (ECPA)
Congress has responded to the changing technological landscape. The most important
federal statutes affecting computer forensics are the Electronic Communications Privacy
Act (ECPA), the Wiretap Statute, the Pen/Trap Statute and the USA PATRIOT
Act (Wegman, 2004). Enacted in 1986, the Electronic Communications Privacy Act sets
provisions for the access, use, disclosure, interception and privacy protections of
electronic communications. Violations of the ECPA may result in criminal penalties and
civil remedies, including punitive damage. This act was written to expand the
wiretapping provisions to wireless telephony (cellular) and email communications. The
ECPA works to prohibit unauthorized interceptions or disclosure of electronic
communications. According to the US Code, electronic communications “means any
transfer of signs, signals, writing, images, sounds, data or intelligence of any nature
transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or
photo optical system that affects interstate or foreign commerce,” thereby making much
of the desired content of possible forensics searches out of reach (IST 432- Computer
Forensic).
In more detail, the ECPA covers communications via pager, cellular and wireless
telephony, browser requests, internet downloads, chat room traffic, voice mail and emails
when transmitted by common carriers in interstate commerce. ECPA prohibits unlawful
access and certain disclosures of communications contents. Additionally, the law
prevents government entities from requiring disclosure of electronic communications
from a provider without proper procedure (IST 432- Computer Forensic).
Computer forensics is affected a great deal by the ECPA. There are prohibitions
in place against unlawful access to stored communications, which include probing into
RAM or disk drives for information on the source or destination computer, or while the
communication is in transit and held in temporary intermediate storage such as on a server.
Such a law may affect the searching of certain protected material; however, there are some
exceptions under the ECPA. Currently the ECPA has not been updated to accommodate
the Internet. Investigators have sought to use technologies which collect much more
information than pen registers or trap and trace devices under the authority of this law. It
should be strengthened to protect citizen’s privacy in electronic communications (IST
432- Computer Forensic).
There are certain critical exceptions to the ECPA. If the situation falls within an
exception, the communications may be disclosed (18 U.S.C. § 2511(1); 18 U.S.C.
§ 2702(b)). Where an individual lacks an expectation of privacy, law enforcement officers
do not need a warrant to listen in, and the ECPA will not bar intercepting the communications
in these instances. Where one has an expectation of privacy is not always clear. If I set up
these instances. Where one has an expectation of privacy is not always clear. If I set up
a rendezvous with an acquaintance in a secluded public park in the middle of the day,
sitting on a solitary park bench, do we have an expectation of privacy? According to
the DOJ, this inquiry embraces two discrete questions. The first is whether the individual's
conduct reflects "an actual (subjective) expectation of privacy” (IST 432- Computer
Forensic). The second is whether the individual's subjective expectation of privacy is "one
that society is prepared to recognize as 'reasonable'" (IST 432- Computer Forensic). In
most cases, the difficulty of contesting a defendant's subjective expectation of privacy
focuses the analysis on the objective aspect of the Katz test, i.e., whether the individual's
expectation of privacy was reasonable (IST 432- Computer Forensic).
Courts foraying into cyberspace must shift their focus away from the two-prong
Katz expectation of privacy test in order to preserve the values underlying the Fourth
Amendment. In developing a new framework for expectation of privacy analysis in
cyberspace, courts should focus on the historic context of the Fourth Amendment and the
intent of its Framers. Government monitoring and analysis of click stream data is closely
analogous to the general searches which the Founding Fathers sought to curtail in
enacting the Fourth Amendment. Both types of searches are indiscriminate, exposing
lawful activity along with contraband or unlawful action. Also both are incredibly
intrusive, exposing intimate details about the lives of citizens to government scrutiny. A
new rule needs to be established which recognizes that click stream data may be
protected by the Fourth Amendment, not because such protection fits well with the
expectation of privacy analysis as developed by the Court in recent years, but rather
because government click stream analysis is precisely the type of search the Framers
intended to be subject to the Amendment's limitations (Winn, 2008).
Courts addressing this question should apply the normative analysis set forth by
the Supreme Court in Smith v. Maryland instead of the rigid two-prong Katz test. The
Court in Smith recognized that the two-prong Katz expectation of privacy test will
sometimes provide an inadequate index of Fourth Amendment protection. In such
situations, the Court explained, courts must undertake a normative inquiry to determine
whether Fourth Amendment protection was appropriate. This normative inquiry asks a
very simple question. Should an individual in a free and open society be forced to
assume the risk that the government will monitor her as she engages in the activity at
issue? Courts employing the normative inquiry "must evaluate the 'intrinsic character' of
investigative practices with reference to the basic values underlying the Fourth
Amendment" (Winn, 2008). Unlike the two-prong test, which assumes that society has
already reached an objective conclusion about the proper amount of protection a
particular activity deserves, the normative test acknowledges that society has not reached
a consensus about the proper level of protection a certain activity warrants. In that case,
the activity can be evaluated against constitutional norms (Winn, 2008).
Application of Smith's normative inquiry to click streams reveals that Internet
users should retain an expectation of privacy in click streams, because this data is
precisely the type of information the Framers sought to protect against arbitrary
government intrusion. The Fourth Amendment was intended to limit government
searches which held the potential to intrude into the intimate details of the private lives of
citizens. Courts must recognize a legitimate expectation of privacy in the intimate
records of our online activity in order to satisfy these constitutional norms (Winn, 2008).
The passage of the Fourth Amendment was the Framers' reaction to overly
intrusive searches and seizures conducted by British and colonial authorities. Prior to the
Amendment's passage, the colonists were plagued by the use of general warrants and
writs of assistance which authorized law and customs enforcement officers to enter and
search any building suspected of housing contraband (Winn, 2008). The searches
conducted using these devices were broad and abusive, and occurred without
particularized suspicion. The raids were led by executive officials with unlimited
discretion (Winn, 2008). For example, the New Hampshire Council once allowed search
warrants for "all houses, warehouses, and elsewhere in this Province", and the
Pennsylvania Council once required a weapons search of "every house in Philadelphia"
(Winn, 2008). Far from being isolated instances, such searches were widespread (Winn,
2008).
In response to these abuses, the Framers sought to limit the power of government
actors to search or seize persons, houses, papers, and effects. The invasion the Framers
sought to prohibit was not merely the physical intrusion upon a "person" or "house."
Instead, "the amendment's opposition to unreasonable intrusion ... sprang from a popular
opposition to the surveillance and divulgement that intrusion made possible" (Winn,
2008). As one scholar explained, "The objectionable feature of general warrants was
their indiscriminate character" (Winn, 2008). In addition to any contraband or unstamped
goods that the generalized searches uncovered, the entirety of a person's private life was
exposed to prying government eyes. This sort of indiscriminate search stripped the
colonists of privacy without adequate justification, exposing them to the arbitrary and
potentially despotic acts of government officials (Winn, 2008).
Monitoring and analysis of click streams by government officials is closely
analogous to colonial general searches because it exposes the intimate lives of Web users,
fails to discriminate between lawful and unlawful activity and grants enormous discretion
to front-line executive officials. As with general searches of colonial homes, click stream
searches will unnecessarily reveal private information to government view, even when
this information pertains to lawful activity. For example, law enforcement agents
monitoring click streams could learn that an outwardly heterosexual man spends time
entertaining homosexual fantasies online in an adult chat room, or that a high-profile
political leader used the Internet to reserve a spot in an addiction recovery center. While
such conduct is certainly legal, it is also intensely private. Allowing government agents
to expose the conduct of the innocent in order to pursue the guilty contradicts the purpose
and intent of the Fourth Amendment (Winn, 2008).
On a more general level, the broad and arbitrary intrusion occasioned by a click
stream search is contrary to "the most basic values underlying the Fourth Amendment"
(Winn, 2008). Although the use of general warrants and writs of assistance undoubtedly
motivated the Framers in drafting the Amendment, they did not intend its protection to be
limited to the narrow purpose of outlawing general searches. Instead, the Amendment
was intended to protect citizens against the type of arbitrary invasions by government
into the lives of citizens which general searches typified. As one commentator explained:
While the history of the Fourth Amendment reveals many facets, one central
aspect of that history is pervasive: controlling the discretion of government officials to
invade the privacy and security of citizens, whether that discretion be directed toward the
homes and offices of political dissentients, illegal smugglers, or ordinary
criminals.(Winn, 2008)
Similarly, the Supreme Court has repeatedly recognized that the harm the Fourth
Amendment seeks to prevent is not the tangible invasion of one's person, papers, effects,
or home, but rather the intangible invasion upon the sanctity and privacy of those objects
occasioned by an unreasonable search or seizure (Winn, 2008).
The indiscriminate nature of click stream searches illustrates their incompatibility
with the values upon which the Fourth Amendment was based. As one scholar argued:
The first problem with indiscriminate searches is that they expose people and their
possessions to interferences by government when there is no good reason to do so. The
concern here is against unjustified searches and seizures: it rests upon the principle that
every citizen is entitled to security of his person and property unless and until an
adequate justification for disturbing that security is shown. The second problem is that
indiscriminate searches and seizures are conducted at the discretion of executive officials,
who may act despotically and capriciously in the exercise of the power to search and
seize. This latter concern runs against arbitrary searches and seizures; it condemns the
petty tyranny of unregulated rummages. (Winn, 2008)
Absent an expectation of privacy in click stream data, law enforcement agents
will be free to rummage through our online lives, revealing intensely private conduct.
The Founding Fathers found the ability to conduct such arbitrary, suspicionless searches
to be one of the most offensive aspects of general warrants and writs of assistance, and
they clearly intended such searches to be illegal. Allowing such intrusions into private
cyberspace activity merely because an outdated expectation of privacy test would find
assumption of risk or the absence of a subjective expectation of privacy in click stream
data does intense violence to the values underlying both the Fourth Amendment and a free
society. Yet this is exactly the result that will be reached if courts continue to cling to
Katz's two-prong test.
Once an expectation of privacy is established in click stream data, traditional
Fourth Amendment principles regulating the reasonableness of searches and seizures can
easily be applied. The traditional test of reasonableness, which balances the nature and
quality of the intrusion upon an individual's Fourth Amendment interests against the
importance of the governmental interests alleged to justify the intrusion, is perfectly
suited for cyberspace. This test allows courts to protect against overly extensive and
indiscriminate intrusion into online lives while also acknowledging that a sufficiently
compelling governmental interest may justify such searches. This is the question that
should be asked in every click stream search. However, it will never be asked
until courts loosen their vise grip on the two-prong Katz test and decide that Internet
users should retain a legitimate expectation of privacy in click stream data (Winn, 2008).
ECPA is a highly nuanced example of public policy. Congress felt that
information stored on a network deserved varying levels of privacy protection, depending
on how important or sensitive the information was. Accordingly, in Title 18, section
2703 of the U.S. Code, ECPA created five categories of sensitivity. The more sensitive the
category, the greater the justification the government must show in order to obtain the
information from a third party (usually the system administrator). The most sensitive
information consists of the content of unretrieved communications such as email that has
resided in electronic storage for 180 days or less. After 180 days the
information is considered "stale" and not deserving of the top category of protection, so
it does not require a full search warrant for access (Bui, Enyeart, Luong, 2003). The least
sensitive category includes only basic information such as the name of the subscriber and
how bills are paid. To obtain that information, the government needs only an
administrative subpoena. An administrative subpoena can be issued by a government
agency on its own, without prior approval by a court. For example, the FBI could issue
an administrative subpoena for good cause. That subpoena could later be challenged, and
if a court later decided that good cause did not exist, then information obtained under that
subpoena would be suppressed (Bui et al., 2003).
1.5 Wiretap Statute
The Wiretap Statute (Title III) was amended in 2001. While ECPA regulates government
access to stored computer information in the hands of third parties, the Wiretap Statute
deals with direct surveillance or real-time interception of electronic communications by
government agents. Wiretaps most commonly affect telephone conversations (IST 432-
Computer Forensic). A wiretap requires special judicial and executive authorization. An
application for interception may not be filed unless it is first authorized by the attorney
general or a specially designated deputy or assistant. The application must identify the
officer authorizing the application. Attached to the government application should be the
authorization, as well as copies of the attorney general's designations of those
Department of Justice officials who have been authorized to approve wiretaps. Unlike a
traditional search warrant, a wiretap order cannot be issued by a federal magistrate judge;
only a federal district or circuit court judge may issue one. The application must
contain a full and complete statement of the facts and circumstances relied upon to
support a belief that an interception order should issue. The issuing judge must determine
that there exists probable cause to believe that particular communications concerning the
alleged offenses will be obtained through interception of communications. Before an
interception order may issue, the judge must find:
• Probable cause for belief that a particular enumerated offense is being committed.
• Probable cause for belief that particular communications concerning that offense
will be obtained through interception.
Besides a sufficient factual predicate like probable cause, the Fourth Amendment requires
that every search be reasonable. As with any other search, whether an electronic search
is reasonable depends upon balancing the degree of intrusion against the need for it.
Thus, because an order to surreptitiously intercept private conversations is such an
intrusive search, the application for interception must show more than mere probable
cause, it must also show necessity. The application must contain a full and complete
statement as to whether other investigative procedures have been tried and failed, or the
reasons why such procedures reasonably appear to be unlikely to succeed or to be too
dangerous if tried. The issuing judge must find that normal investigative procedures have
been tried and failed or reasonably appear unlikely to succeed. A wiretap may issue only for
particular crimes. The application must contain a full and complete statement regarding
the details as to the particular offense that has been, is being, or is about to be committed.
The issuing judge must find probable cause to believe those particular crimes are being
committed, have been committed, or are about to be committed by an individual. The
identities of persons to be intercepted must be particularly described in the application
and order. The nature and location of the communication facilities to be intercepted
must be particularly set forth in the application and order. The application must contain a
particular description of the type of communications sought to be intercepted. The
issuing judge must determine that there exists probable cause to believe that particular
communications concerning the alleged offenses will be obtained through interceptions
of communications. The application and order must set forth either that interception will
cease after the particular communication sought is first intercepted or that interception
will continue for a particular time period. A central requirement of the Fourth Amendment
is to prevent the execution of the overbroad general warrant abhorred by the colonists,
which results in a general, exploratory rummaging through a person's belongings. Given the
intrusive
nature of an interception order, the Wiretap Act incorporates a number of provisions
which circumscribe the scope of the warrant and guard against law enforcement officers
generally rummaging through phone calls. The order for interception must contain a
provision requiring the officers to execute the order in a manner whereby the interception
of calls not particularly described and not otherwise subject to interception will be
minimized. Similarly, no order may be entered authorizing interception for a period of
time longer than necessary to achieve the objective, but in no event shall the
authorization exceed thirty days (Monnat, Ethen., 2004).
Three U.S. federal statutes govern the interception, accessing, use, disclosure and
privacy protections of electronic and wire communications. The U.S. Electronic
Communications Privacy Act (ECPA, 18 U.S.C. §§ 2701-2712) of 1986 covers stored
communications. Real-time interception, as in wireless networks, is covered by the
Pen/Trap Statute, 18 U.S.C. §§ 3121-3127, centered on addressing information (like
802.11 protocol headers), and by the Wiretap Statute ("Title III"), 18 U.S.C. §§ 2510-2522,
centered on the contents of communications.
1.6 Pen/Trap Statute
The Pen/Trap Statute was amended in 2001. The Pen/Trap Statute, 18 United
States Code Sec. 3121-3127, provides for a less intrusive form of government surveillance
than the Wiretap Statute; it authorizes the installation of pen registers and trap and trace
devices. A pen register records only dialing, routing and addressing information
regarding outgoing electronic communications. Electronic communications include
telephone, computer, telegraph and telex communications. A trap and trace device
records the same information regarding incoming electronic communications. The
significant fact regarding both is that the content of communications is not
recorded. Only information such as the telephone numbers of incoming and outgoing calls is
recorded. Because these devices record less sensitive private information, the legal
burden upon the government is significantly less than with a wiretap. Court orders for a
pen/trap device require only a certification by the investigator that the information
likely to be obtained is relevant to a criminal investigation. A recitation of probable
cause is not necessary, nor is it necessary to attest to the many other requirements
necessary to obtain a wiretap order or a search warrant (Wegman, 2004).
To obtain an order, applicants must identify themselves, identify the law
enforcement agency conducting the investigation and then certify their belief that the
information likely to be obtained is relevant to an ongoing criminal investigation being
conducted by the agency. The law prohibits unlawful monitoring and disclosure of the
content of communications. It also mandates law enforcement to follow proper
procedures to review electronic communications, such as the search and seizure
electronic evidence procedures detailed in the “Searching and Seizing Computers and
Obtaining Electronic Evidence in Criminal Investigations” document by the US DOJ,
specifically sections III and IV, focused on electronic communications and surveillance.
1.7 USA PATRIOT ACT
On October 26, 2001 President Bush signed the Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Act (USA PATRIOT Act). This Act was overwhelmingly passed by Congress shortly
after the events of September 11, 2001. It expands the government’s investigative power.
This Act has become very controversial drawing criticism from both Conservatives and
Liberals who question whether the Act goes too far.
Perhaps the most controversial provision of the PATRIOT Act is the so-called
“sneak and peek” authority conveyed in Section 213 of the Act. This Section provides
delayed notification to the targets of searches. The Act modifies the U.S. Criminal Code,
Title 18, Sections 3103a and 2705. These modifications allow the government to delay
notification of physical searches for up to ninety days. Extensions may be given for good
cause. However, the delayed notification provision is restricted to cases where the
government demonstrates an urgent need for delay, including situations where the life or
physical safety of an individual is in jeopardy or to avoid the destruction of evidence.
Excerpts of Section 2705 are reproduced in Appendix A.
Delayed notification is not an entirely new element in federal criminal law. It is
the norm in wiretap cases, as noted above, and has been used and upheld in the seminal U.S.
Supreme Court case of Dalia v. U.S. in 1979. In that case federal investigators entered a
home, searched and implanted a hidden microphone pursuant to a search warrant. Notice
was delayed until the surveillance ended. What is new about the PATRIOT Act is that it
provides for delayed notification in ordinary physical searches. In the past delayed
notification has been used only in connection with electronic surveillance (Waxman,
2004).
The Act also makes it easier for law enforcement to install an electronic
surveillance device. Formerly, a wiretap order or pen register order had to be obtained in
the jurisdiction in which the device was to be installed. Internet communications
typically involve Internet service providers (ISP) located in many jurisdictions. Sections
216 and 220 allow devices to be installed anywhere in the U.S.A.
Section 225 of the Act is of particular importance to computer forensic investigators
and providers of information to the government. It gives immunity from civil lawsuits to
any person who provides technical or other assistance in obtaining electronic information
pursuant to a court order or valid request for emergency assistance.
• The PATRIOT Act contains numerous other provisions expanding the scope of
forensic investigations. However, it also contains a sunset provision. Under this
provision the Act will terminate on December 31, 2005, unless Congress votes to
extend it. The sunset provision does not apply to the entire Act. Significant
sections, including those authorizing delayed notification, national wiretap and
pen register orders, will not sunset automatically. The Obama administration
supported the revisions to the law as approved by the committee, and in February 2010
it was extended for one more year. The three sections of the PATRIOT Act that would
stay in force:
o Authorize court-approved roving wiretaps that permit surveillance on
multiple phones
o Allow court-approved seizure of records and property in anti-terrorism
operations
o Permit surveillance against a so-called "lone wolf", a non-U.S. citizen
engaged in terrorism who may not be part of a recognized terrorist group.
Computer forensics is specifically supported by the PATRIOT Act. Section 816
authorizes the expenditure of $50 million for the creation and support of regional
computer forensic laboratories. These laboratories will conduct investigations and also
train investigators (Wegman, 2004).
1.8 Colorado House Bill Amendment
House Bill 10-1201, effective April 30, 2010:
CRS 16-3-310. Oral advisement and written consent prior to search of a vehicle or a
person during a police contact. (1) (a) Prior to conducting a consensual search of a
person who is not under arrest, the person's effects or a vehicle, a peace officer shall
comply with paragraph (b) of this subsection (1).
(b) A peace officer may conduct a consensual search only after articulating the
following factors to, and subsequently receiving consent from, the person subject to the
search or the person with the apparent or actual authority to provide permission to search
the vehicle or effects. The factors are:
(I) The person is being asked to voluntarily consent to a search; and
(II) The person has the right to refuse the request to search
(c) After providing the advisement required in paragraph (b) of this subsection (1),
a peace officer may conduct the requested search only if the person subject to the search
voluntarily provides verbal or written consent. Other evidence of knowing and voluntary
consent may be acceptable, if the person is unable to provide written or verbal consent.
(2) A peace officer providing the advisement required pursuant to subsection (1)
of this section need not provide a specific recitation of the advisement; substantial
compliance with the substance of the factors is sufficient to comply with the requirement.
(3) If a defendant moves to suppress any evidence obtained in the course of the
search, the court shall consider the failure to comply with the requirements of this section
as a factor in determining the voluntariness of the consent.
(4) This section shall not apply to a search conducted pursuant to section 16-3-103, C.R.S., a valid search incident to or subsequent to a lawful arrest, or to a search for
which there is a legal basis other than voluntary consent. This shall include, but not be
limited to, a search in a correctional facility or on correctional facility property, a
detention facility, county detention facility, custody facility, juvenile correctional facility
of any mental health institute or mental health facility operated by or under a contract
with the department of human services, a community corrections facility or a jail or a
search of a person subject to probation or parole by a community supervision or parole
officer when the person has consented to search as a term and condition of any probation
or parole. (House Bill 10-1201, 2010)
1.9 Roles of Computer Forensics
The issue most related to computer forensics has to do with wiretapping and
warrant gathering. The Act changes the ability of the government to delay the notification
of a warrant by up to ninety days after the search. In the past, it had been possible to
delay notification when doing surveillance such as wiretaps, since it would be pointless to
listen in on a conversation when the parties involved know of the surveillance. This was
upheld in the case Dalia v. U.S., where a wiretap was used and notification was delayed.
The change in the PATRIOT Act, however, extends this ability to actual physical
searches, including the search of computers. This can theoretically be very helpful, since
removing data from a hard disk can be an easy process, but combined with the ability to
act without a warrant in terrorist matters it can be a very infringing ability.
As alluded to above, the USA PATRIOT Act also allows investigators to act prior to
actually obtaining a warrant, as long as the individual involved personally feels that a
threat is inherent. It also prevents third parties who aid in the surveillance from being
liable in a civil case. This, however, can be conflicting. There could theoretically be
times where a government agent feels there is a threat and elicits the help of another, but
then the third party might not be protected if a warrant is not granted in the future. This is
definitely an issue that is relevant to computer forensics, as an ISP may grant access to a
government official, only to then be held liable for granting that access in the future (IST
432- Computer Forensic).
Computer forensics is about investigating digital evidence related to criminal or
suspicious behavior where computers or computer-related equipment may or may not
be the targets. This process of identifying, preserving, analyzing and presenting digital
evidence in a legally acceptable manner is not much different from traditional forensic
science. The only difference is that the former focuses on digital evidence, whereas the
latter focuses on physical evidence. Casey defines digital evidence as:
Any data stored or transmitted using a computer that support or refute a theory of
how an offence occurred or that address critical elements of the offence such as intent or
alibi. Digital evidence includes computer generated records such as outputs of computer
programs and computer-stored records such as email messages. It is important to
criminal investigations because it can be used as proof of crime, connection or alibi.
However, handling digital evidence is challenging because the evidence can be easily
hidden, manipulated or altered. Moreover, it is difficult to attribute certain computer
activities to an individual especially in a multi-access environment. Similar to physical
evidence digital evidence provides only a partial view of what may have happened.
(Lim, Khoo, 2008)
The field of computer forensics has become a critical part of legal systems
throughout the world. As early as 2002 the FBI stated that fifty percent of the cases the
FBI now opens involve a computer (Reyes, Wiles., 2007). However, the accuracy of the
methods and therefore the extent to which forensic data should be admissible is not yet
well understood. Therefore, it is not yet safe to make the kinds of claims about computer
forensics that can be made about other kinds of forensic evidence that has been studied
more completely, such as DNA analysis. The accuracy of DNA analysis is well
understood by experts, and the results have been transformational both in current and
previous court cases. DNA evidence has been instrumental in convicting criminals, and
clearing people who have been wrongly convicted and imprisoned. DNA evidence
condenses to a single number (an allele match) with a very small and well-understood
probability of error. On the other hand, computer forensic evidence has matured without foundational
research to identify broad scientific standards, and without underlying science to support
its use as evidence. Another key difference between DNA and computer forensic data is
that DNA evidence takes the form of tangible physical objects created by physical events.
Contrast these to computer objects that are created in a virtual world by computer events
(IST 432- Computer Forensic).
The technology of computers and other digital devices is evolving at an
exponential pace. Existing laws and statutes simply cannot keep up with the rate of
change. Therefore, when statutes or regulations do not exist, case law is used. Case law
allows legal counsel to rely on previous cases similar to the current one where the relevant
laws do not yet exist. Each new case is evaluated on its own merits and issues (Nelson, Phillips,
Enfinger & Steuart, 2008).
1.10 Computer Forensic Investigation
When conducting a computer investigation for potential criminal violations of the law, the
legal process one follows depends on local custom, legislative standards and rules of
evidence. In general, however, a criminal case follows three stages: complaint,
investigation and prosecution.
A criminal case begins when someone finds evidence of an illegal act or
witnesses an illegal act. The witness or victim makes a complaint to the police. Based
on the incident or crime, the complainant makes allegations, an accusation or supposition
of fact that a crime has been committed. A police officer interviews the complainant and
writes a report about the crime. The police department processes the report and the
department’s upper management decides to start an investigation, or log the information
into a police blotter. The police blotter provides a record of clues to crimes that have
been committed previously. Criminals often repeat actions in their illegal activities, and
these habits can be discovered by examining police blotters. This historical knowledge is
useful when conducting investigations, especially in high technology crimes (Nelson et al.,
2008).
The investigator assigned to the case should be a specialist in retrieving digital
evidence, i.e., a computer forensics expert. After the investigator builds a case the information
is turned over to the prosecutor. When conducting a computer investigation for a
business, remember that businesses must continue with minimal interruption from an
investigation. Because businesses usually focus on continuing their usual operations and
making profits, many in a private corporate environment consider an investigation and
apprehension of a suspect secondary to stopping the violation and minimizing damage or
loss to the business.
Law enforcement officers often find computers and computer components as they
are investigating crimes, gathering other evidence or making arrests. With digital
evidence, it is important to realize how easily key data, such as a last access date, can be
altered by an overeager investigator who is first at the scene. The U.S. Department of
Justice (DOJ) lays out a procedure in a manual that reviews proper acquisition of
electronic evidence.
The authenticity and integrity of the evidence examined will be of critical
importance. The first step is to establish a chain of custody policy for your organization.
The goal of the policy is to ensure that each piece of evidence collected is accountable to
an individual until it is either returned to its original owner or disposed of (Reyes, Wiles.,
2007).
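As an added example (not code from the thesis or from the NICA tool), the following Python sketch shows what such a chain-of-custody policy looks like once it is written down as a procedure: the evidence is fingerprinted with SHA-256 at acquisition, every hand-off is logged and only the current custodian can pass the item on, the chain is closed when the item is returned or disposed of, and any later alteration of the acquired data (for instance the rewritten last-access date warned about above) fails verification against the acquisition hash. The case identifier, names, timestamps and the stand-in image bytes are constructed for illustration.

```python
"""Chain-of-custody record with evidence fingerprinting.

Added illustration, not code from the thesis or from the NICA tool. Names,
timestamps and the "disk image" bytes below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class CustodyError(Exception):
    """Raised when someone who does not hold the item tries to hand it on."""


def fingerprint(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes, computed once at acquisition."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str                  # ISO-8601 timestamp written by the person logging the event
    action: str                # acquired | transferred | returned | disposed
    custodian: Optional[str]   # person accountable after this event; None once released
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    events: List[CustodyEvent] = field(default_factory=list)

    def current_custodian(self) -> Optional[str]:
        """Whoever the latest event made accountable (None after return/disposal)."""
        return self.events[-1].custodian if self.events else None


def acquire(item_id: str, description: str, data: bytes,
            investigator: str, when: str) -> EvidenceItem:
    """Open the chain: hash the evidence and make the acquiring investigator accountable."""
    item = EvidenceItem(item_id, description, fingerprint(data))
    item.events.append(CustodyEvent(when, "acquired", investigator,
                                    f"sha256={item.acquisition_hash}"))
    return item


def transfer(item: EvidenceItem, from_person: str, to_person: str,
             when: str, note: str = "") -> None:
    """Hand-off: only the current custodian may pass the item on."""
    holder = item.current_custodian()
    if holder != from_person:
        raise CustodyError(f"{from_person} does not hold {item.item_id} (holder: {holder})")
    item.events.append(CustodyEvent(when, "transferred", to_person, note))


def release(item: EvidenceItem, by_person: str, action: str,
            when: str, note: str = "") -> None:
    """Close the chain by returning the item to its owner or disposing of it."""
    if action not in ("returned", "disposed"):
        raise ValueError("action must be 'returned' or 'disposed'")
    if item.current_custodian() != by_person:
        raise CustodyError(f"{by_person} does not hold {item.item_id}")
    item.events.append(CustodyEvent(when, action, None, note))


def verify(item: EvidenceItem, data: bytes) -> bool:
    """Re-hash the evidence as it exists now and compare with the acquisition hash."""
    return hmac.compare_digest(fingerprint(data), item.acquisition_hash)


def demo() -> Dict[str, object]:
    """Walk one item through acquisition, two hand-offs, a blocked hand-off and release."""
    # Constructed stand-in for an acquired image: a directory entry carrying an access date.
    image = b"NICA-EVIDENCE\x00file.txt\x00\x00\x00ACC:2010-03-01" + b"\x00" * 16
    item = acquire("CASE-0001/ITEM-3", "USB thumb drive image (constructed)",
                   image, "A. Castro", "2010-03-02T09:15:00Z")
    transfer(item, "A. Castro", "Evidence Clerk", "2010-03-02T11:40:00Z",
             "sealed in antistatic bag")
    transfer(item, "Evidence Clerk", "Examiner B", "2010-03-05T08:05:00Z",
             "checked out for analysis")

    # The accident the text warns about: the file is opened and its access date is rewritten.
    pos = image.index(b"ACC:") + 4
    tampered = image[:pos] + b"2010-03-05" + image[pos + 10:]

    # Someone who no longer holds the item tries to hand it to a third party.
    try:
        transfer(item, "A. Castro", "Someone Else", "2010-03-06T00:00:00Z")
        bad_handoff_blocked = False
    except CustodyError:
        bad_handoff_blocked = True

    release(item, "Examiner B", "returned", "2010-03-10T16:00:00Z", "returned to owner")
    return {
        "original_verifies": verify(item, image),
        "tampered_verifies": verify(item, tampered),
        "bad_handoff_blocked": bad_handoff_blocked,
        "custodian_after_release": item.current_custodian(),
        "events": len(item.events),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash is taken once, at acquisition, and is itself written into the first custody event, so the log and the fingerprint travel together; every later examination is checked against that value rather than against whatever the previous examiner left behind. In practice the log would be kept on a write-once medium or signed by each custodian, which this sketch leaves out.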
Computing investigations demand that you adjust procedures to suit the case. For
example, if the evidence for a case includes an entire computer system and associated
storage media, such as floppy disks, cartridges, tapes and thumb drives, an investigator
must be flexible when accounting for the entire item. Some evidence is small enough to
fit into an evidence bag. Other items, such as the monitor and printer are too large. To
secure and catalog the evidence contained in large computer components an investigator
can use large evidence bags, tape, tags, labels and other products available from police
supply. Be cautious when handling a computer component to avoid damaging the
components, or coming into contact with static electricity which can destroy digital data.
For this reason, an investigator needs to use antistatic bags when collecting computer
evidence. An investigator might consider using an antistatic pad with an attached wrist
strap as well. Both help prevent damage to computer evidence. Computer components
require specific temperature and humidity ranges also. If it is too cold, hot, or wet,
computer components and magnetic media can be damaged. Even heated car seats can
damage digital media. Placing a computer on top of a two-way car radio in the trunk can
damage magnetic media. When collecting computer evidence, an investigator must
have a safe environment for transporting and storing it until a secure evidence container
is available (Nelson et al., 2008).
In traditional cases, a detective would receive information from a reliable
informant that contraband, for example drugs, is located at a premises. The detective
would prepare an affidavit describing the informant's reliability and stating that the
informant had recently observed drugs at the premises. The detective would take the
affidavit to a judge, who would determine whether probable cause existed. If so, the judge
would sign a search warrant authorizing the detective to search for and seize a specific
type and quantity of drugs at that premises. The detective would then go to the location
and execute the warrant (Skibell 2003).
In computer forensics cases, however, there is added complexity. The contraband might
consist of child pornography or records of drug sales. This information might be located
on a laptop computer, but it might also be located on a network server in another state or
in a foreign country. It might be located on a hard drive, a diskette or a CD. The
contraband information might be very difficult to recognize: it could be encrypted,
misleadingly titled or buried among a large number of innocent files (Weigman, 2004).
It could take considerable time to identify the contraband.
As noted above, a search warrant gives only limited authority to the police to
search. The search should be no more extensive than necessary, as justified by probable
cause. Thus, if the probable cause indicates that the contraband is located in a file on a
CD, this would not justify seizing every computer and server on the premises (Brenner
2002). The extent of the search is tailored to the extent of the probable cause. If the
police wish to seize a computer and analyze it later, the probable cause statement should
demonstrate why examining the computer on the premises is impractical or dangerous,
and hence why it must be confiscated and analyzed off-site.
Chapter 2
Related Work
The work of this thesis builds on previous work in the forensic field; in particular, the
open source forensic tools Galleta and Pasco were used as a basic reference.
2.1 Forensic Tool Requirements
Design a forensic tool that captures user information from any of the three most
popular web browsers (Internet Explorer, Mozilla Firefox and Google Chrome) to
obtain detailed evidence of the date and time of accessed sites and the frequency of access
to the same sites. Also capture supporting information that correlates the times of sites
visited with other login activities such as Skype, Instant Messaging or Outlook. A
timeline report should be generated that correlates all the information collected, weighted
as relevant evidence or discarded as irrelevant.
2.1.1 Basic Customer Requirements
Investigate computer forensic techniques for improving the accuracy of evidence about
web accesses by correlating the events with other logs. Due to increasing cyber threats
and potential insider attacks, it is critical to validate that web accesses were indeed
generated by the person of interest and not planted by others.
2.1.2 Purpose
Web accesses are typically captured by the cookie files on the client side and the
access logs on the server side. The web accesses of a person can be verified by
correlating them with the login period in the system access logs. They can also be
supported by the access logs of other applications such as email, instant messaging or
Skype. Of interest in computer crime evidence collection are:
• The date and time of the access to a certain site.
• The frequency of the access.
• Other supporting evidence that the person is using the same machine.
• Corroborating evidence that the web site has corresponding access records.
Investigate how to weigh the different supporting evidence, and the related practices of
District Attorney's Office investigators.
2.2 Project Scope
Develop a .NET Windows Forms application that can be used by investigators or
forensic technicians. The application will allow for the requesting and reporting of
case-related forensic information.
SQLite will be used to store the case information. The user interface will be developed
using the Microsoft development suite (Visual Studio, C#).
2.3 Software System Perspective
This application will assist the investigator with information about the user's
browser activities and history, and any other activities using Outlook, Skype and instant
messaging. The information collected can be used to find out how frequently a user
visited a particular web site, the history of the user visiting that web site, and other login
activities that could be used as evidence against the user.
A thumb drive with the Forensic Tool on it will be given to investigators; they can
run the tool from the thumb drive on the computer on which an alleged crime was
committed, open a case, and view or save the reports. Because running any program on
the original computer modifies it (the tool writes its case database, and the operating
system updates file access times), the evidence-preservation procedures discussed above
still apply: where the original must be preserved, run the tool against a forensic copy, or
record the run in the chain of custody.
Features:
Report tool: Investigators will have the ability to run reports as needed. These reports
will include a timeline for each activity on the browsers, IM, Skype or Outlook.
Printing: A case can be saved and then printed.
Database: All data input can be saved into a database.
Entry: New entries can be added to the database through New case -> Save.
Reload: Reports can be run on previously saved cases.
2.3.1 Operating Environment
The system will use Windows XP, SQLite, .NET 3.5 and a C# compiler.
Chapter 3
Designing of the NICA Computer Forensic Tool
It is very important to know the primary players, because based on them we can
select the actors that will be part of the forensic application. The application will look for
user profiles. Getting the user profiles requires an understanding of how the registry
works. The information gathering task involves getting the information about the cookies,
temporary files and history from the web browsers, and the login information and
date/time stamps that Skype, Outlook or Instant Messenger store. More detailed
information is offered throughout this chapter.
</gr_repl
<gr_replace lines="947-957" cat="clarify" orig="3.1.">
3.1 Objectives of the Computer Forensic Tool Design
The forensic tool application looks into the user profile directory to find out how
many user profiles exist on the computer to be investigated, then finds the surfing
history, typed URLs, cookies, and number of visits to a particular site. To accomplish
this objective the forensic tool looks into the cookie files, temporary internet files,
internet history files and cache files. The forensic tool also looks into the logins and
activities for Skype, Outlook and Instant Messenger if any of them are installed on the
machine to be investigated. The information collected is used to generate a report with a
timeline, by date and time, of each activity. This application cannot replace the final
analysis of an investigator and his/her conclusion about the evidence compiled.
3.1.
Objectives of the Computer Forensic Tool Design
The forensic tool application looks into the user profile directory, to find out how
many users profiles exist on the computer to be investigated, then finds the surfing
history, typed URLS, cookies, and numbers of visits to a particular site. To accomplish
this objective the forensic tool will look into the cookies files, internet temporary files,
internet history files and cache files. Also the forensic tool will look into the logins and
activities for Skype, Outlook and Instant Messenger if any of them are installed on the
machine to be investigated. The information collected will be used to generate a report
with timeline by date and time of each activity. This application cannot replace the final
analysis of an investigator and his/her conclusion about the evidence compiled.
3.2 Design of the Forensic Tool
Usage statistics guided the choice of applications. Studies by different companies have
shown that Internet Explorer is used by 32% of web users, Firefox by 46.4% and
Chrome by 13.6%. Internet Explorer and Firefox are the most common browsers;
because of their popularity, these browsers were selected to be players for this application.
Instant Messaging is also said to be one of the most popular forms of internet
communication today, beating out email thanks to the lack of spam and the instant
feedback. Microsoft Instant Messenger and Skype were also selected as players for this
application because of their popularity and the video capability that Skype provides.
Outlook is the email program most frequently used by companies. Much forensic
work is done on computers used by employees, so it is very important to get
information from Outlook.
3.3 Brief Introduction to the Essential Registry Key Information
The Registry contains information that Windows continually references during
operation, such as profiles for each user, the applications installed on the computer and
the types of documents that each can create, property sheet settings for folders and
application icons, what hardware exists on the system and the ports that are being used.
A registry hive is a group of keys, subkeys and values in the registry that has a set
of supporting files containing backups of its data. The registry is a database used to
store computer- and user-specific settings. Portions of the registry can be saved as files
and reloaded for use as necessary. On Windows XP the supporting files for all hives
except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder.
The supporting file for HKEY_CURRENT_USER is the NTUSER.DAT file in the user's
profile folder (%SystemDrive%\Documents and Settings\Username on Windows XP).
There are five predefined root keys:
HKCR - Abbreviated from the registry key name HKEY_CLASSES_ROOT.
HKCR stores information about registered applications, such as the associations between
file extensions and OLE object class IDs that tie them to the applications used to handle
these items.
HKCU - Abbreviated from the registry key name HKEY_CURRENT_USER.
HKCU stores settings that are specific to the currently logged in user. The HKCU key is
a link to the subkey of HKEY_USERS that corresponds to the user; the same
information is reflected in both locations.
HKU - Abbreviated from the registry key name HKEY_USERS. HKU contains
subkeys corresponding to the HKEY_CURRENT_USER keys of each user whose hive is
currently loaded on the machine (the logged-on users plus the default and service
profiles); the hives of users who are not logged on have to be loaded explicitly.
HKCC - Abbreviated from the registry key name HKEY_CURRENT_CONFIG.
HKCC contains information gathered at runtime; information stored in this key is not
permanently stored on the hard disk, but rather regenerated at boot time.
HKPD - Abbreviated from the registry key name HKEY_PERFORMANCE_DATA.
HKPD provides runtime performance data provided by either the operating system kernel
itself or other programs that provide performance data. This key is not displayed in the
Registry Editor, but it is visible through the registry functions in the Windows API
(Yang, 2008).
Computer accounts, user accounts, groups, and other security-related objects are
security principals. Security Identifiers (SIDs) uniquely identify security principals. Each
time Windows XP or Active Directory creates a security principal, it generates a SID
for it. Windows XP's Local Security Authority (LSA) generates SIDs for local security
principals and stores them in the local security database. The domain security
authority generates SIDs for domain security principals and stores them in Active
Directory. SIDs are unique within their scope: every local security principal's SID is
unique on the computer, and every domain security principal's SID is unique within any
domain in the enterprise. What's more, Windows XP and Active Directory never reuse a
SID, even after they delete the security principal to which that SID belonged. Thus, if you
delete an account and then add it back, the account gets a new SID. A local or domain
account SID has the form S-1-5-21-<three sub-authorities identifying the machine or
domain>-<RID>, where the relative identifier (RID) distinguishes the account; this is why
the tool filters the profile list for the pattern S-1-5-21, which excludes the service
profiles (LocalSystem, LocalService and NetworkService).
3.4 Understanding the Actors
3.4.1 User Profile
A user profile describes the desktop computing configuration for a specific user,
including the user’s environment and preference settings.
A profile is created the first time that a user logs on to a computer running
Windows Server 2003, Windows XP, Windows 2000, or Windows NT Workstation. A
user profile is a group of settings and files that defines the environment that the system
loads when a user logs on. It includes all the user-specific configuration settings, such as
program items, screen colors, network connections, printer connections, mouse settings,
and window size and position. Profiles are not user policies and the user has a profile
even if you don't use Group Policy.
Depending on how you manage your network, you or a user can define the
desktop settings. The following user profiles are available in Windows Server 2003,
Windows XP Professional, and Windows 2000 Professional (TechNet, 2010):
• Local User Profile. Created the first time that a user logs on to a computer, the
local user profile is stored on a computer's local hard disk. Any changes made to
the local user profile are specific to the computer on which the changes are made.
• Roaming User Profile. A copy of the local profile is copied to, and stored on, a
server share. This profile is downloaded every time that a user logs on to any
computer on the network, and any changes made to a roaming user profile are
synchronized with the server copy upon logoff.
• Mandatory User Profile. A type of profile that administrators can use to specify
particular settings for users. Only system administrators can make changes to
mandatory user profiles. Changes made by the user to desktop settings are lost
when the user logs off.
• Temporary User Profile. A temporary profile is issued any time that an error
condition prevents the user's profile from being loaded. Temporary profiles are
deleted at the end of each session; changes made by the user to their desktop
settings and files are lost when the user logs off.
A primary goal of user profiles is to separate each user's settings and data from those of
other users and of the local computer (Technet2, 2010). A user profile consists of a registry
hive and a set of profile folders stored in the file system.
Registry hive. User profiles take advantage of the hive feature to provide roaming
profile functionality. The user profile registry hive is the NTUSER.DAT file, which is
mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on.
The NTUSER.DAT hive maintains the user's environment preferences while the user is
logged on. It stores the settings that maintain network connections, Control Panel
configurations unique to the user such as the desktop color and mouse, and
application-specific settings. The majority of the settings stored in the registry are opaque
to user profile settings and are owned and maintained by individual applications and
operating system components (Technet2, 2010).
A set of profile folders stored in the file system. User profile files are stored in the
file system in the Documents and Settings directory, in a per user folder. The user profile
folder is a container for applications and other operating system components to populate
with subfolders and per-user data, such as shortcut links, desktop icons, startup
applications, documents, configuration files and so forth. Windows Explorer uses the user
profile folders extensively for special folders such as the user’s desktop, start menu and
my documents folder (Technet2, 2010).
The NICA Forensic Tool application presented in this thesis uses Log Parser to
query the registry for the information we need (user information and application
information). When Log Parser is executed it returns a LogRecordSet. We first iterate
through the LogRecordSet to get the NTUSER.DAT path for every user from the registry
key HKLM\SYSTEM\ControlSet001\Control\hivelist (see Table 2); the hivelist only
lists hives that are currently loaded, so for users who are not logged on the path comes
from the ProfileList key queried below. Next we get the ProfileImagePath (usually of
the form %SystemDrive%\Documents and Settings\UserName) from the LogRecordSet;
then we get the SID for each user profile whose key name contains the pattern S-1-5-21.
NICA Forensic Tool not only checks the currently logged in user but also
checks all other users on the computer. With all the user SIDs we can iterate through the
registry one user at a time and load each user's NTUSER.DAT hive under HKU, which
gives us access to keys that are normally only available as HKCU for the logged-on user.
Once the hive is loaded we proceed to get all of that user's application settings, which
will be used later.
string iQuery = @"SELECT * FROM '\HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST' WHERE PATH LIKE '%S-1-5-21%'";
// Execute the query with the REG input format; the LIKE filter keeps account SIDs only
LogRecordSet oRecordSet = oLogQuery.Execute(iQuery, oREGInputFormat);
string iSIDValue = string.Empty;
List<string> iLoggedUsers = GetLoggedUsers();
UserProfile iUserProfile = new UserProfile();
// Browse the recordset: Log Parser returns one record per registry value under each SID subkey
do
{
    if (iUserProfile.KeyName == string.Empty)
    {
        iUserProfile.KeyName = oRecordSet.getRecord().getValue("KeyName").ToString();
        iUserProfile.LastWriteTime = Convert.ToDateTime(oRecordSet.getRecord().getValue("LastWriteTime").ToString());
        iUserProfile.RegistryKeyPath = Convert.ToString(oRecordSet.getRecord().getValue("Path"));
    }
    switch (oRecordSet.getRecord().getValue("ValueName").ToString())
    {
        case "ProfileImagePath":
        {
            // Profile folder of this SID; the last path component is taken as the user name
            iUserProfile.ProfilePath = oRecordSet.getRecord().getValue("Value").ToString();
            iUserProfile.UserName = iUserProfile.ProfilePath.Replace(iProfilesDirectory + "\\", "");
            iUserProfile.Logged = iLoggedUsers.Contains(iUserProfile.UserName);
            // The user's registry hive lives in the profile folder; record its timestamps and size
            if (File.Exists(iUserProfile.ProfilePath + "\\" + "NTUSER.DAT"))
            {
                FileInfo iFileInfo = new FileInfo(iUserProfile.ProfilePath + "\\" + "NTUSER.DAT");
                iUserProfile.CreatedTime = iFileInfo.CreationTime;
                iUserProfile.ModifiedTime = iFileInfo.LastWriteTime;
                iUserProfile.RegistryFileSize = iFileInfo.Length;
            }
        }
        break;
    }
    oRecordSet.moveNext();
} while (!oRecordSet.atEnd());
Table 2. Using Log parser
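As an added illustration of the ProfileList walk above (example code written for this edition, not part of the NICA tool), the following Python takes records of the shape Log Parser's REG input format returns, (key path, value name, value), and turns them into user profiles. Beyond what the C# does, it checks that the key name is a well-formed account SID, classifies the RID, expands %SystemDrive% the way Windows would, and flags a ProfileList key with a .bak suffix, which Windows Vista and later use to set aside a profile entry they could not load (the temporary-profile case described earlier). The records, environment values, sub-authority numbers and user names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Account SIDs issued by a machine or domain authority look like
# S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>; service profiles (S-1-5-18/19/20) do not match.
ACCOUNT_SID_RE = re.compile(r"S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)")
ENV_RE = re.compile(r"%([^%]+)%")

# Constructed sample of what a ProfileList query returns as (key path, value name, value).
PROFILE_LIST = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
SAMPLE_RECORDS = [
    (PROFILE_LIST + "\\S-1-5-18", "ProfileImagePath", "%systemroot%\\system32\\config\\systemprofile"),
    (PROFILE_LIST + "\\S-1-5-21-1085031214-1606980848-839522115-500", "ProfileImagePath",
     "%SystemDrive%\\Documents and Settings\\Administrator"),
    (PROFILE_LIST + "\\S-1-5-21-1085031214-1606980848-839522115-1004", "Flags", 0),
    (PROFILE_LIST + "\\S-1-5-21-1085031214-1606980848-839522115-1004", "ProfileImagePath",
     "%SystemDrive%\\Documents and Settings\\alice"),
    (PROFILE_LIST + "\\S-1-5-21-1085031214-1606980848-839522115-1007.bak", "ProfileImagePath",
     "%SystemDrive%\\Documents and Settings\\bob"),
]
SAMPLE_ENV = {"SystemDrive": "C:", "SystemRoot": "C:\\WINDOWS"}


@dataclass
class UserProfile:
    sid: str
    rid: int
    kind: str
    profile_path: str
    username: str
    stale: bool  # True when the ProfileList key carries a .bak suffix


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references; Windows matches variable names case-insensitively."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def classify_rid(rid: int) -> str:
    """RIDs below 1000 are reserved; the LSA allocates RIDs for created accounts from 1000 up."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid < 1000:
        return "reserved RID"
    return "created account"


def parse_profile_list(records: Iterable[Tuple[str, str, object]], env: Dict[str, str]) -> List[UserProfile]:
    """One UserProfile per account-SID key that carries a ProfileImagePath value."""
    profiles: List[UserProfile] = []
    for key_path, value_name, value in records:
        if value_name != "ProfileImagePath":
            continue
        key_name = key_path.rsplit("\\", 1)[-1]
        stale = key_name.lower().endswith(".bak")
        sid = key_name[:-4] if stale else key_name
        m = ACCOUNT_SID_RE.fullmatch(sid)
        if m is None:
            continue  # S-1-5-18 and friends are service profiles, not user accounts
        rid = int(m.group(4))
        full_path = expand_env(str(value), env)
        profiles.append(UserProfile(sid=sid, rid=rid, kind=classify_rid(rid), profile_path=full_path,
                                    username=full_path.rsplit("\\", 1)[-1], stale=stale))
    return profiles


if __name__ == "__main__":
    for p in parse_profile_list(SAMPLE_RECORDS, SAMPLE_ENV):
        flag = "  (stale .bak key)" if p.stale else ""
        print(f"{p.sid:<48} RID {p.rid:<5} {p.kind:<22} {p.profile_path}{flag}")
```

Deriving the user name from the last path component, as the C# above also does, is only a convenience: when a profile folder name collided at creation time Windows appends the computer or domain name (alice.NICAPC), so the comparison against the logged-on user list should be made on the account name resolved from the SID, not on the folder name.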
Local Profile - Existing User
• The user logs on. Windows checks the list of user profiles located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
to get the path to the user's profile (see Fig. 1).
• The user's registry hive NTUSER.DAT is mapped to the HKEY_CURRENT_USER
portion of the registry.
• The user's %userprofile% environment variable is updated with the value of the
local profile folder.
• When the user logs off, the profile is saved to the local hard disk of the computer.
Figure 1. Registry key for users (SID).
3.4.2 Internet Explorer
During forensic analysis it is often relevant to parse the information in IE cookie files
into a human readable format. Cookies aid forensic analysts during the investigation by
providing insight into a suspect's internet activity.
Internet Explorer stores its settings under one key, and three subkeys within it hold the
majority of the useful information:
• HKCU\Software\Microsoft\Internet Explorer\Main: stores the user's settings in
Internet Explorer. It contains information such as search bars, start page, form
settings, etc.
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs: stores all URLs that a
user has typed into the address field of the web browser.
• HKCU\Software\Microsoft\Internet Explorer\DownloadDirectory: holds the last
directory used to store a file downloaded from Internet Explorer (Farmer, 2008).
IE stores its data under the user's profile folder, drive:\Documents and Settings\<username>,
in the Favorites, Cookies, History and Temporary Internet Files folders. The registry
stores the typed URLs, passwords and Protected Storage information.
NICA Forensic Tool gets the paths for the IE cache, IE history and IE cookies of the
application. For each application we define the name, the exe file and the three paths. The
input type is KEY because the information is kept in the Windows registry, and the output
type is S, meaning a single value.
IE Cookies:
The IE cookie file format: after visiting a website such as www.securityfocus.com a
cookie will be generated on the user's PC that looks similar to the following
(Jones, 2003):
ssfocus --- variable
home ----- value of the variable
securityfocus.com/ --- website that issued the cookie
0 ---- contains flags
1238799232 --- low-order 32 bits of the expiration time
29570658 ------- high-order 32 bits of the expiration time
1484443312 --- low-order 32 bits of the creation time
29552553 ------- high-order 32 bits of the creation time
Each time is a Windows FILETIME (100-nanosecond intervals since January 1, 1601,
UTC) written as two decimal integers. The listing labels the first integer of each pair as
the most significant, but numerically the second, smaller integer is the high-order word:
combining the pairs above as high * 2^32 + low gives a creation time of 2003-03-21 and
an expiration exactly 90 days later, on 2003-06-19, which is consistent with a 90-day
cookie. Each record in the file is terminated by a line containing a single asterisk (*).
After visiting a website, a cookie will be generated on the user's computer. This cookie
contains the information the web server meant to be saved on the client, the domain
name that is responsible for this cookie, and the relevant time/date stamps.
The file will be created in the user's IE cookie directory:
C:\Documents and Settings\<username>\Cookies (see Fig. 2).
Figure 2. Internet Explorer location of the cookies files.
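The format above, parsed as an added example (Python written for this edition, not code from the NICA tool or from Galleta): it reads the eight-line records, rebuilds each FILETIME from its two halves as high * 2^32 + low, and converts to UTC. The first record is the one quoted from Jones (2003); the second is constructed, with halves chosen to encode 2010-04-15 14:30:00 UTC and one day later, and a flags value picked for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_halves(low: int, high: int) -> datetime:
    """Rebuild a FILETIME (100 ns ticks since 1601-01-01 UTC) from its two 32-bit halves."""
    ticks = (high << 32) | (low & 0xFFFFFFFF)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


@dataclass
class IECookie:
    name: str
    value: str
    site: str      # host/path that issued the cookie
    flags: int
    expires: datetime
    created: datetime


def _decode(fields: List[str]) -> IECookie:
    name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields[:8]
    return IECookie(name, value, site, int(flags),
                    expires=filetime_from_halves(int(exp_lo), int(exp_hi)),
                    created=filetime_from_halves(int(cre_lo), int(cre_hi)))


def parse_cookie_file(text: str) -> List[IECookie]:
    """Parse an IE cookie file: eight lines per record, each record closed by a '*' line."""
    cookies: List[IECookie] = []
    record: List[str] = []
    for line in text.splitlines():
        if line.strip() == "*":
            if len(record) >= 8:
                cookies.append(_decode(record))
            record = []
        else:
            record.append(line)
    if len(record) >= 8:  # tolerate a final record whose '*' terminator is missing
        cookies.append(_decode(record))
    return cookies


# First record: the values quoted from Jones (2003) above. Second record: constructed,
# halves encode creation 2010-04-15 14:30:00 UTC and expiration one day later.
SAMPLE_COOKIE_FILE = """ssfocus
home
securityfocus.com/
0
1238799232
29570658
1484443312
29552553
*
session
abc123
example.com/
1536
1265476608
30072177
553903104
30071976
*
"""

if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE_COOKIE_FILE):
        print(f"{c.site:<22} {c.name}={c.value}  created {c.created:%Y-%m-%d %H:%M:%S}  expires {c.expires:%Y-%m-%d %H:%M:%S}")
```

Pairing the halves the other way round (treating the first integer as the high word) produces dates many thousands of years after 1601, or an overflow in most date libraries; that is the quickest sanity check when a cookie file's layout is in doubt.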
IE History
History tracks the websites visited by the user and includes date/time information, in
C:\Documents and Settings\<username>\Local Settings\History (see Fig. 3).
The History folder contains a master index.dat file that tracks the history. The History
folder also shows folders that represent the weekly/daily history activity, and each of
these folders contains its own index.dat file.
Figure 3. IE location of the History file containing web site information
IE Temporary Internet Files
• Located at C:\Documents and Settings\<username>\Local Settings\Temporary Internet
Files (see Fig. 4).
• Contains an index.dat file that records the URL, filename, username and content
information.
• Provides information about browser activity even if the user deletes their
Temporary Internet Files.
• Review the Temporary Internet Files for cached internet emails (Outlook Web Access
pages: read~.htm or main~.htm).
Figure 4. IE location of the Internet Files containing web sites info and index.dat files.
Registry – Typed URLs
Most URLs that you visit are saved in the History folder. However, Internet Explorer also
saves the last 25 URLs that you typed in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (see
Fig. 5)
The lowest numbered entry is the most recently typed site (url1, url2, url3, etc.).
Figure 5. IE TypedURL information location.
Index.dat file
Index.dat is a file used by the Internet Explorer web browser. The index.dat file
functions as an active database, which runs as long as a user is logged on in Windows. It
functions as a repository of redundant information, such as web URLs, search queries and
recently opened files. Its role is similar to that of an index file in the field of databases,
where a technique called "indexing" stores the contents of a database in a different order
to help speed up query responses. Similarly, when the auto complete function is enabled
in Internet Explorer, every web address visited is stored in the index.dat file, allowing
Internet Explorer to attempt to find an appropriate match when a user types in an edit
field. Separate index.dat files exist for the Internet Explorer history, cache, and cookies.
The index.dat file contains a header that holds important information about the file's
properties. Specifically the header contains the index.dat file length, the hash table
offset and the internet cache directory names (Jones, 2003) (see Fig. 6).
The first field we notice is the file size. The file size is given in the file header
immediately following the NULL (0x00) terminated version string (see Fig. 7).
Immediately following the file size is the location of the hash table. The hash table is
an array of entries pointing to the relevant activity records within the index.dat file:
• Bytes 0x20 – 0x23: location of the hash table (see Fig. 8).
• The hash table does not hold the records themselves; each entry holds a hash value
and the offset of a record (see Fig. 9 for the beginning of the hash table).
After the hash table offset is a listing of the directories that this index.dat file uses to store
the locally cached files on the user's computer (Jones, 2003). These directories contain
the files that were actually downloaded from the web (see Fig. 10).
For the file shown in the figures:
o Size: 0x00394000 (3751936 bytes)
o Hash table: 0x00005000
o Directories: null-terminated names, starting at 0x50
Figure 6.Index.dat file header.
Figure 7.Index.dat file size.
Figure 8.Location of the hash table.
Figure 9.Begining of the hash table.
Figure 10.Files downloaded from the web.
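An added example (written for this edition; not code from NICA, Pasco or Galleta) that decodes the header fields named above and then follows the hash table to the URL records. Offsets beyond the ones the text names, that is the 12-byte directory entries at 0x50, the HASH table layout (signature, block count, next-table offset, sequence number, then 8-byte entries) and the URL record fields at 0x08, 0x10 and 0x34, follow the Ver 5.2 layout that Pasco and libmsiecf document. The sample file is constructed in build_sample_index_dat(), far smaller than a real one and with made-up hash values; the History-style "Visited: user@url" location strings are split into user and URL.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK_SIZE = 0x80        # index.dat allocates hash tables and records in 128-byte blocks
DIR_TABLE_OFFSET = 0x50  # cache directory table: 12-byte entries, 4-byte file count + 8-byte name


def filetime_at(buf: bytes, off: int) -> Optional[datetime]:
    """Decode a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC); zero means 'not set'."""
    ticks, = struct.unpack_from("<Q", buf, off)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None


def parse_header(buf: bytes) -> Dict:
    """NUL-terminated version string at 0x00, file size at 0x1C, hash table offset at 0x20, directories at 0x50."""
    version = buf[:buf.index(b"\x00")].decode("ascii")
    size, hash_off = struct.unpack_from("<II", buf, 0x1C)
    dirs, off = [], DIR_TABLE_OFFSET
    while True:
        count, = struct.unpack_from("<I", buf, off)
        name = buf[off + 4:off + 12].rstrip(b"\x00")
        if not name:  # an all-NUL name ends the table
            break
        dirs.append((name.decode("ascii"), count))
        off += 12
    return {"version": version, "size": size, "hash_table": hash_off, "directories": dirs}


def walk_hash_tables(buf: bytes, off: int) -> List[int]:
    """Follow the HASH table chain; each 8-byte entry is (hash, record offset).
    Only offsets that land on a 'URL ' record are kept, which skips unused slots."""
    found: List[int] = []
    while off:
        if buf[off:off + 4] != b"HASH":
            raise ValueError(f"no HASH signature at 0x{off:x}")
        nblocks, next_off = struct.unpack_from("<II", buf, off + 4)
        for entry in range(off + 16, off + nblocks * BLOCK_SIZE, 8):
            _hash, rec = struct.unpack_from("<II", buf, entry)
            if 0 < rec <= len(buf) - 4 and buf[rec:rec + 4] == b"URL " and rec not in found:
                found.append(rec)
        off = next_off
    return found


def parse_url_record(buf: bytes, off: int) -> Dict:
    """'URL ' record: block count at 0x04, last modified at 0x08, last accessed at 0x10,
    offset (relative to the record) of the NUL-terminated location string at 0x34."""
    nblocks, = struct.unpack_from("<I", buf, off + 4)
    url_off, = struct.unpack_from("<I", buf, off + 0x34)
    start = off + url_off
    location = buf[start:buf.index(b"\x00", start)].decode("ascii", "replace")
    if location.startswith("Visited: "):  # History index.dat prefixes the URL with the account name
        user, _, url = location[len("Visited: "):].partition("@")
    else:
        user, url = "", location
    return {"offset": off, "blocks": nblocks, "modified": filetime_at(buf, off + 0x08),
            "accessed": filetime_at(buf, off + 0x10), "user": user, "url": url}


def parse_index_dat(buf: bytes) -> Dict:
    header = parse_header(buf)
    if header["size"] != len(buf):
        raise ValueError(f"header says {header['size']} bytes, file has {len(buf)}: truncated or carved?")
    records = [parse_url_record(buf, r) for r in walk_hash_tables(buf, header["hash_table"])]
    records.sort(key=lambda r: r["accessed"] or FILETIME_EPOCH)
    return {"header": header, "records": records}


def build_sample_index_dat() -> bytes:
    """Constructed History-style index.dat (not a capture): one directory, one hash table, two URL records."""
    buf = bytearray(0x400)
    buf[0:28] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", buf, 0x1C, len(buf), 0x100)
    struct.pack_into("<I", buf, DIR_TABLE_OFFSET, 3)
    buf[DIR_TABLE_OFFSET + 4:DIR_TABLE_OFFSET + 12] = b"ABCD1234"
    buf[0x100:0x104] = b"HASH"
    struct.pack_into("<III", buf, 0x104, 1, 0, 1)        # one block, no next table, sequence 1
    struct.pack_into("<II", buf, 0x110, 0x1234ABCD, 0x200)
    struct.pack_into("<II", buf, 0x118, 0x3, 0x3)          # unused slot
    struct.pack_into("<II", buf, 0x120, 0x5678EF01, 0x300)
    # accessed 2010-04-15 14:30:00 UTC and 13:30:00 UTC; modified one hour before each access
    for rec, accessed, location in ((0x200, 129158154000000000, b"Visited: alice@http://www.securityfocus.com/"),
                                    (0x300, 129158118000000000, b"Visited: alice@http://example.com/")):
        buf[rec:rec + 4] = b"URL "
        struct.pack_into("<I", buf, rec + 4, 2)
        struct.pack_into("<QQ", buf, rec + 0x08, accessed - 36_000_000_000, accessed)
        struct.pack_into("<I", buf, rec + 0x34, 0x68)
        buf[rec + 0x68:rec + 0x68 + len(location)] = location
    return bytes(buf)


if __name__ == "__main__":
    parsed = parse_index_dat(build_sample_index_dat())
    print(parsed["header"])
    for r in parsed["records"]:
        print(r["accessed"], r["user"], r["url"])
```

Walking the hash table finds only records that are still referenced; deleted entries whose blocks have not been reused still carry the "URL " signature and can be recovered by scanning the file for it, which is what Pasco does and what the text means by information surviving the user's deletion of the Temporary Internet Files.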
3.4.3 Mozilla Firefox
Firefox stores a user's personal information such as bookmarks, extensions, and user
preferences in a unique profile stored in files within a special folder on the PC. The first
time Firefox starts, it automatically creates a default profile; additional profiles can
be created using the profile manager. Profile folders are placed in a common location by
default but are named randomly for additional security (e.g. "xxxxxxxx.default" is the
profile folder name for the "default" profile, where xxxxxxxx represents a random string of
characters). The NICA Forensic Tool will only search up to 5 profiles for any given user.
Starting in Firefox 3 a new file format is used to record browser history information.
Rather than storing this information in a flat file using the Mork file format, the
information is kept in a SQLite database (MozillaZine, Profile Folder, 2009).
Firefox stores most of its data in files instead of the registry; it is easy to find, in
individual folders, and it is very easy for a user to wipe the folders securely.
The profiles that exist for a user are listed in the profiles.ini file.
NICA Forensic Tool gets the path for the history, cache and cookies of the Firefox
application. For each application we define the name, the exe file and the three paths. The
input type is INI because Firefox does not use the Windows registry; the information can
only be retrieved through the INI file. Firefox keeps the INI file in the Application Data or
Local Application Data directory; the source path is [ApplicationData] +
"\\Mozilla\\Firefox".
Firefox History Files
File location:
C:\Documents and Settings\<username>\Application
Data\Mozilla\Firefox\Profiles\zb0sttcz.default\places.sqlite (see Fig. 11).
The following registry path tells us whether Mozilla Firefox is installed and where the
Mozilla Firefox information is contained (Musings, 2007):
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox (see Fig. 12)
Figure 11.Mozilla Firefox profiles information
3.4.4 Google Chrome
Google Chrome is a web browser developed by Google. The name is derived
from the graphical user interface frame, or chrome, of web browsers. As of April 2010,
Chrome was the third most widely used browser.
File location:
C:\Documents and Settings\<username>\Local Settings\Application
Data\Google\Chrome\User Data\Default\Local Storage (see Fig. 12).
Google Chrome stores the browser history in a SQLite database.
The database file that contains the browsing history is stored under the Default
folder as "History" and can be examined using any SQLite browser (such as
sqlite3). The available tables are downloads, presentation, urls, keyword_search_terms,
segment_usage, visits, meta and segments. The most relevant tables for browsing history
are the "urls" table, which contains all the visited URLs, the "visits" table, which contains
among other information the type of visit and the timestamps, and finally the "downloads"
table, which contains a list of downloaded files (Brainfold, 2010).
Figure 12.Google Chrome file’s location.
NICA Forensic Tool gets the paths for the history, cache and cookies of the Google Chrome
application. For each application we define the name, the exe file and the three paths. The
input type is DIR because Google Chrome does not record these locations in the Windows
registry; the information can only be retrieved from the profile directory. Google Chrome
keeps its profile under the Local Application Data directory (C:\Documents and
Settings\<username>\Local Settings\Application Data\Google\Chrome).
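An added example serving both the Firefox and the Chrome sections (written for this edition, not code from the NICA tool). Both browsers keep history in SQLite, but Firefox's places.sqlite stores visit_date as PRTime (microseconds since 1970-01-01 UTC) while Chrome's History stores visit_time as WebKit time (microseconds since 1601-01-01 UTC). The block normalizes both to UTC, merges them into one timeline and counts visits per URL, which is the frequency figure the requirements ask for. The in-memory databases are constructed with only the columns the queries use; the visit-type decoding (Firefox visit_type 2 = typed, Chrome transition low byte 1 = typed) comes from the browsers' source code, not from the page.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, NamedTuple

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIREFOX_TYPED = 2   # moz_historyvisits.visit_type: 1 = followed link, 2 = typed in the location bar
CHROME_TYPED = 1    # visits.transition & 0xFF (core transition type): 0 = link, 1 = typed


class Visit(NamedTuple):
    when: datetime
    browser: str
    url: str
    kind: str


def prtime_to_utc(us: int) -> datetime:
    """Firefox PRTime: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def webkit_to_utc(us: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01, the same epoch as FILETIME."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def firefox_visits(conn: sqlite3.Connection) -> List[Visit]:
    rows = conn.execute("SELECT p.url, v.visit_date, v.visit_type "
                        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id")
    return [Visit(prtime_to_utc(t), "firefox", url, "typed" if vt == FIREFOX_TYPED else "link")
            for url, t, vt in rows]


def chrome_visits(conn: sqlite3.Connection) -> List[Visit]:
    rows = conn.execute("SELECT u.url, v.visit_time, v.transition "
                        "FROM visits v JOIN urls u ON u.id = v.url")
    return [Visit(webkit_to_utc(t), "chrome", url, "typed" if (tr & 0xFF) == CHROME_TYPED else "link")
            for url, t, tr in rows]


def build_timeline(*sources: Iterable[Visit]) -> List[Visit]:
    """Merge visits from any number of browsers into one list ordered by UTC time."""
    return sorted((v for src in sources for v in src), key=lambda v: v.when)


def visit_frequency(timeline: Iterable[Visit]) -> Counter:
    return Counter(v.url for v in timeline)


def open_sample_places() -> sqlite3.Connection:
    """Constructed places.sqlite subset: two visits to one site, the first typed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://www.securityfocus.com/', 'SecurityFocus', 2);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1271341800000000, 2); -- 2010-04-15 14:30:00 UTC, typed
        INSERT INTO moz_historyvisits VALUES (2, 1, 1271345400000000, 1); -- 2010-04-15 15:30:00 UTC, link
    """)
    return conn


def open_sample_history() -> sqlite3.Connection:
    """Constructed Chrome History subset: one typed visit between the two Firefox visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, transition INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.com/', 'Example', 1, 12915815520000000);
        INSERT INTO visits VALUES (1, 1, 12915815520000000, 805306369); -- 2010-04-15 14:32:00 UTC, typed
    """)
    return conn


if __name__ == "__main__":
    timeline = build_timeline(firefox_visits(open_sample_places()), chrome_visits(open_sample_history()))
    for v in timeline:
        print(f"{v.when:%Y-%m-%d %H:%M:%S} UTC  {v.browser:<8} {v.kind:<6} {v.url}")
    print(visit_frequency(timeline))
```

Both databases can be locked or held open by a running browser, so copy the files out of the profile before querying them; and since every timestamp here is UTC, the conversion to the local time zone of the machine under examination should be done once, at report time, rather than per source.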
3.4.5 Skype
Skype is communications software that allows users to communicate with each other
in real time using VoIP, video chat or text chat. It is unique among IM applications
in that Skype runs over a decentralized peer to peer (P2P) network rather than routing all
communications packets through a central server or cluster of servers (ISO Consensus
Paper: Skype, 2009).
For Windows systems, Skype's functionality can be managed at a number of levels.
Skype configuration and policy settings are maintained in the following hierarchy:
o HKEY_LOCAL_MACHINE registry keys
o HKEY_CURRENT_USER registry keys
o XML configuration files in C:\Documents and
Settings\<username>\Application Data\Skype\
Skype software uses a number of files to store data. These files relate mainly to
historical information, call histories, file transfers, messaging sessions, etc. They also
cache user profiles. The interpretation of these log files can yield a significant amount of
information about communications that have taken place through the software.
Information available in log files
This section details the information available for extraction from Skype logs. Note
that the sequence number allows the order of events to be determined, without relying on
the resolution of the timestamp. The timestamps give date and time to a resolution of one
second.
File-naming convention
Files are stored with a .dbb extension, with the filename consisting of a string
describing the contents followed by a number which indicates the record length (e.g.
call256.dbb, chatmsg512.dbb etc.). The minimum record length observed is 256 bytes,
with files seen up to 16384 bytes. Items are stored in the smallest length format possible,
with blank padding to fill any space remaining in the record. Therefore it is quite
common to have multiple files with the same prefix and different record lengths.
Skype log file analysis:
File                  Contents
call*.dbb             Call history
chatmsg*.dbb          Chat history
profile*.dbb          Details of user profiles
transfer*.dbb         Details of file transfers
chat*.dbb             Chat history
contactgroup*.dbb     Unknown
user*.dbb             Local user's profile
voicemail*.dbb        Details of voicemail messages (no contents)
NICA Forensic Tool gets the path of the Skype activity. For each application we
define the name and the exe file target path; the input type is DIR, and the source path is
[ApplicationData] + "\\Skype".
3.4.6 Outlook
Email is one of the most common ways people communicate. From internal
meeting requests to distribution of documents and general conversation, one would be
hard pressed to find an organization of any size that does not rely on email. Studies have
shown that more email is generated every day than phone conversations and paper
documents combined. Forensic analysis of email clients and servers has been in the
spotlight of civil and criminal cases worldwide, and no examination of document
discovery is complete without requesting, searching and organizing email.
What is a PST file? A PST file (personal storage file) is Microsoft Outlook's file format
for email storage. This single file is a compound file, like a ZIP file, and can contain
thousands of emails, contacts, tasks, and calendar entries.
To view the contents of a PST file, the file can be mounted in Outlook or in specialist
forensic tools such as EnCase.
PST files are important, if not critical, in forensic and electronic discovery investigations
as they provide one of the primary storage methods for email within companies.
NICA Forensic Tool gets the path to the Outlook application's PST file. For each
application we define the name and file target path: the target name is Microsoft Outlook,
the input type is KEY (registry key), and the source path is
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging
Subsystem\Profiles; the value name is 001f6700 (works for Outlook 2003-2007) and the
output type is L for list value. 001f6700 is a registry value found under the profile's
subkeys; it contains a byte array that, when decoded, gives the path to the PST file.
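The byte array just mentioned, decoded as an added example (not code from the NICA tool). The value name is a MAPI property tag written as <type><id> in hex: 0x001f is PT_UNICODE (UTF-16LE) and 0x6700 is PR_PST_PATH, which is why 001f6700 holds the PST path; the ANSI form of the same property would be named 001e6700. The sample bytes are constructed from Outlook 2003's default PST location for a user called alice.

```python
from typing import Optional, Tuple

PT_STRING8 = 0x001E    # 8-bit (ANSI code page) string
PT_UNICODE = 0x001F    # UTF-16LE string
PR_PST_PATH_ID = 0x6700


def split_mapi_value_name(value_name: str) -> Tuple[int, int]:
    """'001f6700' -> (property type 0x001f, property id 0x6700)."""
    if len(value_name) != 8:
        raise ValueError(f"MAPI value names are 8 hex digits, got {value_name!r}")
    return int(value_name[:4], 16), int(value_name[4:], 16)


def decode_mapi_string(value_name: str, data: bytes, ansi_codepage: str = "cp1252") -> str:
    """Decode a string-typed MAPI property stored as a REG_BINARY blob."""
    prop_type, _ = split_mapi_value_name(value_name)
    if prop_type == PT_UNICODE:
        if len(data) % 2:
            raise ValueError("odd-length UTF-16 payload: the value is truncated")
        text = data.decode("utf-16-le")
    elif prop_type == PT_STRING8:
        text = data.decode(ansi_codepage)
    else:
        raise ValueError(f"not a string property type: 0x{prop_type:04x}")
    return text.split("\x00", 1)[0]   # the blob keeps the terminating NUL; drop it and anything after


def pst_path_from_value(value_name: str, data: bytes) -> Optional[str]:
    """Return the store path if this value is PR_PST_PATH and names a .pst/.ost file, else None."""
    _, prop_id = split_mapi_value_name(value_name)
    if prop_id != PR_PST_PATH_ID:
        return None
    path = decode_mapi_string(value_name, data)
    return path if path.lower().endswith((".pst", ".ost")) else None


# Constructed sample: Outlook 2003's default PST location, encoded the way the registry holds it.
SAMPLE_PATH = "C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\Microsoft\\Outlook\\Outlook.pst"
SAMPLE_001F6700 = SAMPLE_PATH.encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print(pst_path_from_value("001f6700", SAMPLE_001F6700))
```

Several subkeys under the profile carry a 001f6700 value (one per message store), so the decoder is applied to each and every path that resolves to an existing .pst or .ost is recorded; a path that no longer exists is itself worth noting, since it indicates a store that has been moved or deleted.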
3.4.7 Instant Messenger
MSN Messenger has the ability to keep an indefinite log of all conversations.
In MSN Messenger select the Tools menu, the Options... menu item, and then the
Messages tab. At the bottom of the dialog is an item labeled Message History. Select it
and your conversations will be recorded in the directory listed in the box below (see Fig. 13).
When conversations are saved in the listed directory you will find several files, typically
one per person that you have had a conversation with. The files will all end with ".XML".
Figure 13.Instant Messenger Menu default settings.
There is not a way that I know of to retrieve the IM messages unless logging has
been enabled. Conversations, when not being archived, may never even hit the disk, so
there's nothing to be recovered. There might be small, tiny chances that some memory
swapping happened and that a fragment landed on disk, but again the chances are small
and it was probably immediately overwritten. The same tiny chance applies for any
equipment that the conversation traveled through (Notenboon, 2004).
Instant messaging applications can provide strong evidence in certain cases
(Farmer, 2008). Windows Messenger, MSN Messenger and Windows Live Messenger
generally utilize any of the three following keys:
HKEY_CURRENT_USER\software\Microsoft\Messenger Service
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger (See Fig. 14)
HKEY_LOCAL_MACHINE\Software\MICROSOFT\Messenger Service
Figure 14. Windows Live Messenger keys location.
NICA Forensic Tool passes the parameters through the code of where to look for the
files: C:\Documents and Settings\<username>\Local Settings\Application
Data\Microsoft\Messenger; what files to look for: ContactsLog.txt; where to output the
results: save the information in the database.
This one was the most challenging because there was not any information
available about how to get the information that we need. I had to look into several files
and, through a lot of trial and error, I found the one that contained the information needed.
Once all information is gathered in the dataset, the program then saves the information in
the SQLite database.
3.5 Understanding the Data Flow
Figure 15. Data Flow Diagram.
The application allows for creating a new case (1) or opening an existing one (4).
For a new case the user needs to enter the properties of the case (2), such as the Case ID
number, the charges associated with the case, the forensic analyst's or investigator's name
and a short description that identifies the case or any relevant notes. The case is then
saved (3) to the database. Once saved, the case status is set to open automatically (4) and
the user can execute the parser tool (5). When the parser tool is executed, the application
gets the user profiles by reading the value names of the Windows registry. For each user
profile found (6) we check whether it is the logged-in user, that is, the active user (7). If it
is not the logged-in user, we get the hive file (NTUSER.DAT) of the user corresponding
to the HKU key of the name declared in the user profile (8), and then we proceed to obtain
the paths of the folders and/or files that we are going to evaluate (9). This process is
based on a series of parameters established for each application's activity. The search for
the paths, folders and files is done by: KEY (Windows registry), DIR (a specific location,
like the ones for the Google Chrome browser and Skype) and INI (a file that contains a
section where we can find the paths to follow, like the Firefox browser). Before we read
the target paths, the program verifies whether the application is installed under the subkey
software\Microsoft\CurrentVersion\App Paths\ (the Skype path is located under
software\Skype\Phone). For a non-active user the reading is done under HKU\[username],
otherwise under HKLM. Once the information is gathered, if it is a non-active user (10)
we get the hive file (11). This process repeats itself until we reach the last user in the user
profile list.
Once the data for the users is obtained, we establish a list of jobs considering the
particularities of each application and of the tools to be used (12). This list is displayed
to the investigator before proceeding to execute the parser. When the parser is executed,
we clean the pre-existing data in the database (12) and a principal thread is sent to the job
list (14). This thread is in charge of searching the job list; it serves each one of the jobs
contained in the list (15) and executes another thread in the background (16). If the
analysis is done with the internal process (17), the corresponding method is executed
through delegation (18), where we proceed to create a dataset that contains the tables (19),
extract the data from the activity of the target application and store it temporarily in the
dataset (20); when the process ends, the data is stored in the database (21). When we use
an external tool for parsing (17), an asynchronous thread executes the tool (22) and
evaluates whether the alternative process has ended (23). The external tools create XML
files containing the activity of the applications; the tools add invalid tags or non-standard
characters, so before an XML file is created (24) it has to be sanitized (25), and then the
data is saved in the database (26), until the job list is done (27).
After the parser has been executed (29) you can see all the activities displayed in
the viewer (28).
Chapter 4
External Tools used with NICA Forensic Tool
Microsoft Log Parser is distributed by Microsoft; Outlook Redemption was
developed by Dmitry Streblechenko and can be downloaded for free from his web site
dimastr/redemption. IECacheView, IEHistoryView, MozillaCacheView and
ChromeCacheView are utilities developed by Nir Sofer, who is the owner of NirSoft.
NirSoft is a web site that provides more than a hundred free utilities.
The Log Parser and Outlook Redemption tools are .dll libraries integrated into the
forensic tool. ChromeCacheView, IEHistoryView, IECacheView and
MozillaCacheView are utilities that are executed through the program. The parameters and
the paths to the applications are directed through the code with the help of the log parser.
The utilities generate an XML report that needs to be sanitized, and then the XML reader
reads the XML files and saves the information in the SQLite database.
ChromeCacheView, IECacheView and MozillaCacheView are utilities used in
the NICA Forensic Tool to read the cache folder. The cache folder contains Web page
content that is stored on the hard disk for quick viewing. IEHistoryView reads the
Internet History. Internet History is a record of all the sites visited.
SQLite is an open source database accessed through ADO.NET. It is used to save all the
case information and reports. It was selected as the database of choice because it is
serverless and compact, and primarily because it is used by Mozilla Firefox and Google
Chrome to record cookies, history, bookmarks, passwords and user information.
Outlook Redemption is used to access and manipulate MAPI profiles and
accounts.
Microsoft Log Parser is used to slice and dice log file types. It can process and
query all the common logs formats and can address the file system and the registry as
well.
4.1 Internet Explorer Cache View (IECacheView)
Internet Explorer Cache View is a small utility that reads the cache folder of
Internet Explorer, and writes the content to a file that is then read into the Forensic Tool.
For each cache file, the following information is captured and displayed: Filename,
Content Type, URL, Last Accessed Time, Last Modified Time, Expiration Time, Number
of Hits, File Size, Folder Name, and full path of the cache filename.
NICA Forensic Tool calls the IECacheView utility and passes the parameters of
where to look for the files: C:\Documents and Settings\<username>\Local
Settings\Temporary Internet Files; what files to look for: folder Temporary Internet Files;
where to output the results: put the output in a temp file in the forensic main temp folder
and save the information in the database.
Advantages over the 'Temporary Internet Files' viewer of Windows
The reasons that the NICA Forensic Tool uses IECacheView instead of reading the
information directly from the Temporary Internet Files are the following. IECacheView
displays only the list of cache files, while the cache view of Windows displays a mix of
cookies and cache files. IECacheView allows you to filter the cache files by file type
(image, text, video, audio, or application), and allows you to view the cache files of
another user or from another disk, while with the Windows viewer you can only watch the
cache of the currently logged-on user. IECacheView also displays some columns that are
not displayed by the cache viewer of Windows: Content Type, Number of hits, Sub-folder
name, and the full path of the cached filename.
4.2 Internet Explorer History Viewer (IEHistoryView)
Each time that you type a URL in the address bar or click on a link in Internet
Explorer browser, the URL address is automatically added to the history index file (See
Fig. 16).
Figure 16. IE History file content.
When you type a sequence of characters in the address bar, Internet Explorer
automatically suggests to you all URLs that begin with the character sequence that you
typed (unless the AutoComplete feature for Web addresses is turned off). However,
Internet Explorer doesn't allow you to view and edit the entire URL list that it stores
inside the history file. The location of the history folder is different from one operating
system to another. On Windows 2000/XP, the History folder is located inside the "Local
Settings" folder of your user profile. For Example: C:\Documents and
Settings\Administrator\Local Settings\History. The "Local Settings" folder is hidden by
default, so you won't see this folder unless your system is configured to display hidden
files and folders.
NICA Forensic Tool calls the IEHistoryView (IEHV) utility and passes the parameters of
where to look for the files: C:\Documents and Settings\Administrator\Local Settings\History;
what files to look for: folder History; where to output the results: put the output in a temp
file in the forensic main temp folder and save the information in the database.
The Typed URLs List
Most URLs that you visit are saved in the History folder. However, Internet
Explorer also saves the last 25 URLs that you typed in the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
By default, IEHistoryView doesn't display the URL list from the Registry, but the NICA
Forensic Tool passes parameters that enable this feature. The URL list in the Registry is
captured and displayed, in addition to the list of all URLs stored in the History folder.
4.3 MozillaCacheView
Mozilla Cache View is a small utility that reads the cache folder of
Firefox/Mozilla Web browsers, and writes the content to a file that is then read into the
Forensic Tool. For each cache file, the following information is captured and displayed:
URL, content type, file size, last modified time, last fetched time, expiration time, fetch
count, server name, and more.
Starting in Firefox 3 a new file format is used to record browser history information.
Rather than storing this information in a flat file, the information is kept in a SQLite
database (See Fig. 17).
Figure 17. Google Chrome SQLite Database Structure.
Firefox stores most of its data in files instead of the registry; the files are easy to find,
in individual folders, and it is very easy for a user to wipe the folders securely. This is a
nice feature for users but a nightmare for computer forensics because there is not an easy
way to retrieve the deleted information.
Using MozillaCacheView
The cache folder of Mozilla Firefox is located under: C:\Documents and
Settings\[User Name]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[Profile
Name]\Cache (See Fig. 18).
Figure 18. Location of Mozilla Firefox Cache files.
NICA Forensic Tool calls the MozillaCacheView utility and passes the
parameters of where to look for the files: C:\Documents and Settings\<username>\Local
Settings\Application Data\Mozilla\Firefox\Profiles\zb0ttcz.default\cache; what files to
look for: folder cache; where to output the results: put the output in a temp file in the
forensic main temp folder and save the information in the database.
4.4 ChromeCacheView
Chrome Cache View is a small utility that reads the cache folder of the Google
Chrome web browser, and writes the content to a file that is then read into the Forensic
Tool. For each cache file, the following information is captured and displayed: URL,
content type, file size, last accessed time, expiration time, server name, server response,
and more.
Chrome Cache Folder location
The cache folder for Google Chrome is located under [User Profile]\Local
Settings\Application Data\Google\Chrome\User Data\Default\Cache (See Fig. 19).
Figure 19. Location of Google Chrome Cache files.
NICA Forensic Tool calls the ChromeCacheView utility and passes the
parameters of where to look for the files: C:\Documents and Settings\<username>\Local
Settings\Application Data\Google\Chrome\User Data\Default\Cache; what files to look
for: folder cache; where to output the results: put the output in a temp file in the forensic
main temp folder and save the information in the database.
4.5 SQLite
SQLite is an embeddable database system that uses flat files. It does not need to be
started, stopped, configured, or managed like other SQL databases. It is lightweight, fast,
and compact, and it works completely out of the box without any configuration. The
entire database (definitions, tables, indices, and the data itself) is stored as a single cross-
platform file on a host machine. This simple design is achieved by locking the entire
database file during writing (Kristianto, 2009).
Advantages of SQLite:
Some of the advantages are: zero configuration, serverless, single database file, stable
cross-platform database file, compact size, variable length records, and free with the
public domain license.
Disadvantages of SQLite:
Some of the disadvantages are that in most cases the database size is restricted to 2 GB,
it locks the whole file while writing, it has no caching mechanism, and it is not very scalable.
4.6 Microsoft Log Parser
Microsoft log parser queries everything with SQL. It lets you slice and dice a variety
of log file types using a common SQL-like syntax. It's an incredibly powerful concept,
and the LogParser implementation doesn't disappoint. This architecture diagram from the
LogParser documentation explains it better (See Fig.20).
Figure 20. Log Parser architecture diagram.
Log Parser operates as a kind of data pipeline. Into this pipe you can send
information from IIS logs, Windows Event logs, Active Directory information, file
system data, Registry data, Network Monitor traces, and so on. Once the data is in the
pipe, you can process it using SQL statements; for example, to select certain portions of
the data by using a SELECT query. Then, as the processed data comes out of the
pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL
database table, or simply to the console as raw output.
Log Parser consists of three components: 1) input engine, 2) SQL query
engine, and 3) output engine. The input and output engines are truly incredible
and, combined, make this tool shine. When investigating network intrusions, you are
faced with analyzing logs from many sources, none of them compatible with the
others. Log Parser can accept almost any common log format and output it into one of many
formats of your choosing. When you are done, you can combine all your disparate logs
into one common format for analysis.
At any point in the process you can subject your logs to a query so that you narrow
down the data to that which is relevant. While many GUI tools are out there that provide
filters, even those that allow the user to build custom filters can't compare with the power
of writing a custom SQL query in Log Parser.
As an intrusion investigator / forensic examiner, you are tasked with mastering many
tools to get your work done. It would be nice if we only had to master a couple of tools,
but such will never be the case. We can, however, limit the number of tools we have to
use if we make careful selections. Whenever you can use one tool that will handle
multiple tasks instead of multiple tools for the same number of tasks, that should be your
tool of choice. Log Parser fits this criterion as it can process and query all the common
log formats and can address your file system and your registry as well, including those
of remote systems (Bunting, 2006).
Using Log parser
One of the cooler things about Log Parser is that it is exposed via a COM interface, so
the tool can be scripted or called from your application (like the NICA Forensic Tool). It
uses SQL queries that are very straightforward and very easy to use. It makes a
programmer's life easier because it helps to find registry key information without much hassle.
NICA Forensic Tool uses the log parser to get all the SIDs that start with S-1-5-21 because
they belong to the user profiles. Log parser is also used to find the logged-in
user and the users that are not logged in but have a user profile.
These are some examples of how log parser can be used:
Open the command line interface (cmd.exe) in the root of the folder "C:\Program
Files\Log Parser 2.2" where the executable "logparser.exe" lies. From the command
line interface, type in the following: logparser.exe -i:EVT -o:NAT "SELECT
TimeGenerated, EventID FROM System" (See Fig. 21)
Figure 21. Log parser output to the console.
Another output feature of log parser is its "DATAGRID" output. Instead of dumping the
query to a screen, you can send it to a GUI interface. To send it to a datagrid, enter the
following: logparser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated, EventID,
message FROM System" and you should see the following (see Fig. 22).
Figure 22. Log parser output to a datagrid
4.7 Outlook Redemption
Outlook security patches prevent users from listing the internet headers of
the emails they receive; most of the header information is not accessible. Outlook
Redemption is a regular COM object that allows access to any properties and methods
available on an original Outlook item, both blocked and not blocked.
With Outlook Redemption you can make your code run unaffected by the security
patches; access properties not exposed by the Outlook Object Model (internet message
headers, sender e-mail address and hundreds more properties); display the Address Book;
directly access the RTF body of any Outlook item; import MSG, EML (RFC822) and
TNEF files; export messages to the MSG, EML, TXT, HTML, TNEF, iCal and vCard
formats; access and manipulate Outlook accounts (Outlook 2002 and above, RDO
library); create, access and manipulate MAPI profiles and accounts; access MAPI stores;
access Outlook nicknames; manage Junk Mail settings; manage categories; and directly
access message attachments as strings or as arrays without saving them as files first.
Redemption supports Outlook 98, 2000, 2002, 2003, 2007 and 2010 32-bit
(Streblechenko, 2010).
NICA Forensic Tool passes the parameters through the code of where to look for the
files: C:\Documents and Settings\<username>\My Documents; what files to look for:
Personal Folder .pst; where to output the results: save the information in the database.
With the basic information of where to look for the PST(s), the NICA Forensic Tool
first loops through all PSTs one at a time; then within each PST it loops through all
messages and gathers the pertinent information, including create and modified dates for
the messages as well as attachments, and saves this information in a dataset. Once all
information is gathered in the dataset, the program then saves the information in the
SQLite database.
Chapter 5
Cracking a Criminal Case Using the NICA Forensic Tool
5.1 Criminal Case Statement
The legal process for computer investigations for potential criminal violations of
the law depends on local customs, legislative standards and rules of evidence. In general
a criminal case follows three stages: the complaint, the investigation and the prosecution.
Complaint: Colorado Springs Police Department agents received information
that an employee from All About Cats was downloading child pornography images on his
work computer.
Investigation: A search warrant was executed at the All About Cats' building.
Agents conducted a preview examination of Doe's hard drive and discovered numerous
image files of children engaged in sexually explicit conduct. During the investigation,
Doe stated that he had about 13, 0000 images of child pornography, ranging in age from
toddlers to teens.
Prosecution: The first appearance court day is scheduled for November 3, 2010.
The extent of the search is tailored to the extent of the probable cause. If the
police wish to seize a computer and analyze it at a later time, the probable cause
statement should demonstrate the impracticability or danger of examining the computer
on the premises, hence the need to confiscate it and analyze it off-site. The forensic
technician considered that the investigation should be done on the premises, since some
networking connections to the server could be needed.
5.2 Computer Forensics Analysis
Examining and analyzing digital evidence depends on the nature of the
investigation and the amount of data to process. Criminal investigations are limited to
finding data defined in the search warrant and civil investigations are often limited by
court order for discovery. Investigations often involve locating and recovering a few
specific items which simplifies and speeds processing.
Although there are some basic principles that apply to almost all computer
forensics cases, the approach taken depends largely on the specific type of case to be
investigated.
Mr. Doe's case requires gathering email information, so the case will involve
more than accessing network logs and email server backups to locate specific messages.
The investigator may need to contact the ISP and e-mail service.
Mr. Doe stated that he did not download any images, and that those images were
planted on his computer by an employee that was jealous of him and wanted to get him
fired.
The NICA Forensic Tool that was designed in this thesis is the tool chosen by the
forensic technician because it is the perfect tool for this specific case.
5.3 Finding Evidence
Finding evidence is usually done by the forensic technician. He or she uses the
tools available and, more importantly, his or her expertise in the area.
Mr. Holmes is the forensic technician designated to find the evidence in this
case. His first step is to insert the thumb drive with the NICA Forensic Tool on it and run
the program. He enters the court case number that was already assigned,
C021CR20103456, the type of case, Child Pornography, the investigator's name, Holmes,
and any notes important to the case (See Fig. 23). He runs the parser to collect the
information (See Fig. 24); once it is done, he opens the viewer and selects the user and
timeline (See Fig. 25), selects a date, views the activities and marks the ones that look
suspicious or are important for evidence (See Fig. 26). He then selects the preferred time
frame between activities; for this demonstration we are using the 15-minute time frame.
It will display activities that occurred 15 minutes before and 15 minutes after the
previously selected suspected activity. The suspicious activities (See Fig. 27)
corresponding to the selected time frame will be displayed in a separate screen to
facilitate the interpretation of the data (See Fig. 28).
Figure 23. Enter New Case Information.
Figure 24. Run Parser to get activity entries.
Figure 25. User profile and timeline for activities.
Figure 26. Mark items that seem suspicious.
Figure 27. Enter the preferred time frame between activities.
Figure 28. View the suspicious activities and surrounding activities that were marked.
Surrounding activities that required a login and/or non-browser activities are colored in
blue to get the investigator's attention (See Fig. 28). A percent probability will be
displayed by the suspected activity previously selected. This case shows that there is an
83.68 % probability that the suspect committed the crime.
There is also the option of right-clicking any activity and getting more detailed
Outlook email information (See Fig. 29). It will display information such as who the
sender and the receiver are, the subject, the received date and time, and the sent date and
time. Another Outlook search option is viewing items by pattern (See Fig. 30); this option
allows the investigator to search all the emails that were sent to or received from a
particular email address (See Fig. 31). The window viewer will display all the email
activities between the email addresses already selected (See Fig. 32). The information will
be displayed in a date tree form. A specific date can be selected and the information will
be displayed in time order. Searching by keywords is another search option available to
investigators (See Fig. 33). It is a very useful feature when a specific search is needed.
For example, we can search for a particular word in any of the fields, like subject, email
address, website, instant messaging or Skype (See Fig. 34). The window viewer will
display all the activities that match the parameters of the pattern.
Figure 29. Right click to get details of the selected Outlook activities.
Figure 30. Mark items by pattern on the Outlook grid.
Figure 31. Search evidence between two Outlook users.
Figure 32. Report of displayed activities that comply with the pattern selected.
Figure 33. Select and mark activities by defined keywords.
Figure 34. Display the amount of activities found.
5.4 Analysis of Evidence Found
On a specific date, evidence shows that the defendant visited the child
pornographic web site at 9:16 pm. The defendant states that someone planted the images,
but he shows activities from Outlook, sending emails to family members at 9:12 pm.
Evidence also shows that he logged into his Skype account using his password at 9:21 pm,
and there are also several sites visited in the 15-minute window selected.
In conclusion, there is strong evidence that the defendant visited the child
pornographic site based on the following facts:
The suspect logged in to Skype 5 minutes after he allegedly visited the site and he
sent an email to a family member 4 minutes before. That information puts him at his desk
between 9:12 pm and 9:21 pm. Also there is evidence that he previously visited this site
at least 5 times on different dates and times. It can be stated that there is more evidence
that he did it than there is that the images were planted.
5.5 Evidence Math
We need to evaluate the evidence using statistics. We have two variables, Time
and Weight: the time that the activity occurred and the weight or points that we assign to
each activity according to its proximity to the main suspicious activity.
Let's assume that we want to look at the relationship between time and weight.
We collect some information about the number of activities that occurred during a time
period of 15 minutes. Time is measured in seconds and Weight is measured in points on a
1-15 rating, where a higher score means more relevant activities. Looking at the previous
evidence data (See Fig. 28), we have the suspicious activity at 9:16 pm on 8/24/2010.
We already selected the time frame of 15 minutes before the suspicious activity and 15
minutes after the suspicious activity. The window viewer will display any existing
activities between 9:01 pm and 9:36 pm. Observing the data, we found that we have
two Outlook activities, at 9:12:10 pm and 9:12:20 pm. The first activity occurred 4 minutes
and 10 seconds before the suspicious activity and the second activity occurred 4 minutes
and 20 seconds before the suspicious activity. Analyzing the data, we have that the event
time frame is +/- 15 minutes, so an activity 4 minutes away from the suspicious activity
will get 12 points, and each additional second adds its fraction of a minute, e.g. 10/60 =
0.1666, so the first activity will be 12.16 points and the second activity should be 12 +
(20/60) = 12.33 points. At the end we add the total points for each activity and divide by
the number of events/activities to get the average points. Then the average points are
divided by the window time frame and multiplied by 100 to get the percent evidence
weight. The math to calculate the evidence weight is: (Total Points / events = average
points), (average points / time frame * 100 = evidence weight). This correlation statistics
method is used by several call centers in Colorado Springs to monitor their customer
service response time.
Figure 35. Histogram analyzing the data from Fig. 28.
The mean in our example is 10.77 and the standard deviation is 2.812, so from the
above statement we can estimate that approximately 95% of the scores will fall in the
range of 10.77-(2*2.812) to 10.77+(2*2.812), or between 5.146 and 16.394 minutes. This
kind of information is a critical stepping stone to enabling us to compare the performance
of an individual on one variable with their performance on another, even when the
variables are measured on entirely different scales.
5.6 Relevant Evidence
There are Inclusion and Exclusion Criteria weighted by the Investigators of the District
Attorney's Office. Note that this is not an official statement, just an opinion based on
hypothetical cases.
Inclusion Criteria:
• There is more than one different activity, e.g. visiting a web site and sending an
email, and
• The time difference between activities should not be more than 15 minutes
• The more activities close in time, the more relevant the evidence is
• The user's history shows previous visits to the same web site (very relevant)
Exclusion Criteria:
• There is only one activity and no history of the user visiting the same web site
• More than one activity but more than 15 minutes apart and no history of the user
visiting the same web site
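The evidence weight formula of section 5.5 and the inclusion/exclusion criteria above, carried through in Python as an added example (not the thesis's own code). The activity list is constructed around the Fig. 28 narrative, the points are taken as already assigned on the 1-15 scale, and the marked activity is assumed not to score against itself.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW_MINUTES = 15      # default +/- 15 minute time frame used in the thesis
TIME_FRAME_POINTS = 15   # the 1-15 point scale the average is divided by

# Constructed activity list modelled on the narrative around Fig. 28; these are NOT the
# thesis's real data.  Each entry: (timestamp, application, note, points on the 1-15 scale).
# The two Outlook scores reproduce the thesis's own arithmetic: 12 + 10/60 and 12 + 20/60.
# The Skype score and the two out-of-window entries are constructed for illustration.
SAMPLE_ACTIVITIES = [
    ("2010-08-24 20:40:00", "IE",      "news site",       3.0),
    ("2010-08-24 21:12:10", "Outlook", "email to family", 12 + 10 / 60),
    ("2010-08-24 21:12:20", "Outlook", "email to family", 12 + 20 / 60),
    ("2010-08-24 21:16:00", "IE",      "suspect site",    15.0),   # the marked activity
    ("2010-08-24 21:21:00", "Skype",   "login",           11.0),
    ("2010-08-24 21:40:00", "Chrome",  "search",          2.0),
]
SUSPECT_INDEX = 3


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def surrounding_activities(activities, suspect_index, window_minutes=WINDOW_MINUTES):
    """Return the activities within +/- window_minutes of the marked one.
    Assumption: the marked activity itself is not scored, so it is left out."""
    anchor = _ts(activities[suspect_index][0])
    window = timedelta(minutes=window_minutes)
    return [a for i, a in enumerate(activities)
            if i != suspect_index and abs(_ts(a[0]) - anchor) <= window]


def evidence_weight(surrounding):
    """Thesis formula: total points / events = average points,
    average points / time frame * 100 = percent evidence weight."""
    if not surrounding:
        return 0.0, 0.0
    average = sum(a[3] for a in surrounding) / len(surrounding)
    return average, average / TIME_FRAME_POINTS * 100


def two_sigma_range(surrounding):
    """Mean +/- 2 population standard deviations, the ~95% band quoted in 5.5."""
    points = [a[3] for a in surrounding]
    if not points:
        return 0.0, 0.0
    m, sd = mean(points), pstdev(points)
    return m - 2 * sd, m + 2 * sd


def relevance(activities, suspect_index, prior_visits, window_minutes=WINDOW_MINUTES):
    """Apply the 5.6 inclusion/exclusion criteria to one marked activity.
    prior_visits is how often the user's history shows the same site before.
    'Different activity' is read here as a different application (web site vs. email)."""
    inside = surrounding_activities(activities, suspect_index, window_minutes)
    kinds = {activities[suspect_index][1]} | {a[1] for a in inside}
    if prior_visits > 0:
        return "include"   # prior visits to the same site are very relevant
    if len(kinds) > 1:
        return "include"   # more than one different activity within the window
    return "exclude"       # one activity (or none close in time) and no history


if __name__ == "__main__":
    inside = surrounding_activities(SAMPLE_ACTIVITIES, SUSPECT_INDEX)
    average, percent = evidence_weight(inside)
    low, high = two_sigma_range(inside)
    print(f"{len(inside)} surrounding activities, average {average:.2f} points")
    print(f"evidence weight {percent:.2f}%, 95% band {low:.2f} to {high:.2f}")
    print("relevance:", relevance(SAMPLE_ACTIVITIES, SUSPECT_INDEX, prior_visits=5))
```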
Chapter 6
NICA Forensic Tool Analysis
6.1 Functionality Analysis
NICA Forensic Tool was designed as a tool to be used by investigators or forensic
analysts; it should in no way be a substitute for the investigator's experience. It will
allow the investigators to find the specific suspected sites, the times that they were visited
and previous history; it will also provide information on whether any other applications
like Skype, Instant Messenger or Outlook were used.
NICA Forensic Tool uses external tools to help parse the cache files from IE,
Mozilla Firefox and Google Chrome browsers and also to gain access and parse the
Outlook pst files. The external tools just perform the function of parsing the related files,
they do not do anything other than create an output which the NICA Forensic Tool then
consumes. NICA Forensic Tool takes the output of the parsers and uses logic to
determine what information is valuable, put that information in a database, and display
any necessary output. All other tasks of the NICA Forensic Tool such as getting cookies,
history file, Skype logs, instant messenger, all GUI displays for all information and all
reports are completely the job of the NICA Forensic Tool.
With this information investigators can mark the suspicious activities, and display
and analyze the time between any of the activities. That information can be used as
evidence. How relevant the information is will depend on the law enforcement policies,
but it can be a very powerful tool.
6.2 Performance Analysis
The performance analysis goal is to analyze a small portion of the system
independent of other components. For instance we are interested in studying the
performance of the application independent of the type of memory or the size of its
memory or the type of processor.
I tested the performance of the NICA Forensic Tool on three different computers
and obtained the following results:
Computer Name | Activities                              | Entries | Total Time
Computer 1    | IE, Firefox, Chrome, Skype, Outlook, IM | 25,356  | 5 min, 10 sec
Computer 2    | IE, Firefox, Outlook                    | 256     | 2 sec
Computer 3    | IE, Firefox, Outlook, IM                | 16,381  | 2 min, 12 sec
Table 1. NICA Forensic Tool Performance Analysis
The time depends on how many activities are stored on the computer and how
many applications are installed. It can be as fast as two seconds or can take several
minutes. It was difficult to find volunteers that wanted a forensic tool run on their
computer.
6.3 Usage Evaluation
Possible Users of the NICA Forensic Tool
Investigators: police investigators or DA’s investigators that are searching for
evidence to support an alleged criminal case.
Forensic Technician: assist law enforcement agencies in searching for digital
evidence.
System Administrators from large corporations: to investigate if employees have
broken any company computer/network usage policies.
Learning Difficulties and technical difficulties for the users
NICA Forensic Tool is a new application; at the beginning the user might face some
challenges, but it is easy to use. A user's manual is available to each user; it explains
step by step each process needed to find and get the evidence needed. The accuracy of the
evidence is a key point in the court of law; users will be very motivated to find evidence
for their case.
User's Tasks
The actions that the user will perform with the program are:
• Copy the program to the "suspected" computer.
• Create a New Case, or Open a case if one has been previously saved. Run the
parser to get the quantity of items that the program finds. Mark the suspected
activities and select the time window between activities.
• Additional information can be found by entering a keyword or dates; mark the
items by selecting keyword and/or dates.
• Get the timeline report by marking suspected activities that occurred in the time
frame already specified and/or marked as suspicious activities by keyword and/or
dates.
User's Informational Needs
Users need to read the user manual to understand how the application works.
Users can save all the information and retrieve it as needed.
User's observations from testing the NICA Forensic Tool
The NICA Forensic Tool was tested by three different investigators; each
investigator created a case number and used a different computer.
The first investigator's report contained the following observations:
He recommended that the user manual have more images and guide him step by
step. He used the 30-minute window setting between activities instead of the default
value of 15 minutes. He stated that additional activities closer in time to the suspected
activity make the evidence more convincing, but that 30 minutes is also reasonable.
After he marked a suspected site, the time window activities report displayed the
suspected activity and the surrounding activities within the 30-minute time frame. He
thinks that the information displayed is very valuable and useful in a court of law
because the time was very specific. The report also contained detailed information
about the suspect's logins and usage of other applications within the 30-minute time
frame. The evidence found will at least create doubt in the jury's mind when the
evidence shows that the suspect was doing other activities almost at the same time
that he/she visited the suspected site. He suggested the ability to print the report to a
Word document to make it easier to read.
The second investigator reported these observations:
She found that the user manual was very detailed in its step-by-step instructions and
that she could skip some areas. She used the feature of marking by pattern; she
wanted to find out if a suspect had previously visited a specific site. Windows Time
Activities displayed all the requested information. The investigator was pleased with
the information found because it could be used in court to prove that the suspect had
previously visited the sites. This type of information helps with the theory that the
suspect had the intention to commit a crime. She wanted to know if there was a way
to find out if a suspect visited a site and then later deleted the file trying to cover up
his/her crime. She would want this feature added to the NICA Forensic Tool if it was
possible. Otherwise she found the information very useful and suggested putting it on
the market.
The third investigator's observations:
He chose to mark the items by keyword because he has experience looking for
evidence in the Outlook application. Marking items by keyword allows him to find
emails that were sent back and forth between two users. The report displayed
information about the sender and receiver and what time each activity occurred. He
also tested the feature of finding an email that contained a specific keyword in the
subject. The report displayed the information found by date and time. He suggested
that a future enhancement would be to enable searching information in all the existing
email applications like Hotmail, Gmail and Yahoo.
User's Learning Preferences
Users prefer a user manual explaining the process step by step.
Chapter 7
Lessons Learned
I learned a great deal about the legal side of forensics and about the
technical side of forensics.
On the legal side I found out that the laws are very ambiguous, leaving the judges
with a lot of room for interpretation of the law. I learned about all the new amendments
made to the PATRIOT Act and to the search and seizure bill affecting the state of
Colorado.
On the technical side, I did not know much about the Windows registry keys; it is
amazing how much information can be tracked using them. The information and potential
evidence that reside in the Registry make it a significant forensic resource; uncovering
this data can be crucial to any computer-related investigation. Another big thing I learned
about was the Microsoft Log Parser tool and how useful it can be for tracking daily
activities.
There are not any standard rules for computer forensics; a tool can be admitted in
court in one county and maybe it will not be admitted in another county. Even EnCase,
which is the most popular tool for forensic investigations, sometimes has issues in court.
Chapter 8
Future Directions
• Port to different operating systems. Right now it only works for Windows XP.
• Add other networked applications, such as Yahoo, Facebook and Twitter.
• Make the tool available to a larger group of users and analyze the feedback for
future improvements.
Chapter 9
Conclusions
I have created a computer forensic tool called NICA Tool that captures and
correlates evidence about web sites visited and related activities in Outlook, Skype and
instant messenger. It simplifies data collection and integrates the access and processing
of log records from these networked applications. It analyzes the timing and relevance of
the related events to provide a well-organized forensic report that can be admitted in court
to support prosecution of the case.
The tool was tried internally by the detectives at the 4th District Attorney's office and
was requested by an Italian Interpol officer. It was found useful in dramatically
simplifying the tasks of performing computer forensics in cyber-related crimes, in
particular pornography cases. An unintended use of the tool was by
administrators or managers to monitor employees' email activities.
Forensic analysis of a computer system involves identifying suspicious objects or
events and then examining them in enough detail to form a hypothesis as to their cause
and effect. Much more cyber crime exists than law enforcement acknowledges or
identifies, and there are many techniques that law enforcement is largely unaware of.
Because the focus of law enforcement is on recovering files rather than discovering how
the files entered the system, there is little emphasis on enhancing systems to collect such
data. None of the forensic techniques currently used in court are sufficient to justify
claims that implicate a specific person. It is not enough to recover a deleted file or view a
standard system log. One has to know the history of files and the events that led up to
their creation, viewing, deletion and modification. A criminal conviction requires proving
beyond a reasonable doubt that a person intentionally downloaded child pornography
onto the school's computer. Images might appear on a disk without the computer user
knowing about them for many reasons: pop-up images on web sites may download
files in the background and save them in the cache; the images could be part of
unsolicited spam email; another person may simply have downloaded them, either to
view the pornography themselves or to implicate someone else. Many forms of malware
are capable of commandeering a computer in order to store and/or redistribute porn.
Such malware would explain the images as well as the corresponding changes to
the browser's history. Forensic software used in the vast majority of court cases cannot
make the distinction among these methods of file creation (Peisert, Bishop, 2007).
In general, the goal of this thesis was achieved by getting the evidence with a
timeline to prove that a defendant had the intention to commit a crime. The tool will not
distinguish whether someone planted the evidence, but if other login activities were done
by the user at the same time or very close in time, it will help the investigator to
demonstrate that there is relevant evidence placing the defendant at the place and time
of the criminal activities. NICA Forensic Tool helps the prosecutor by providing relevant
evidence; the rest is up to him/her.
There are a lot of open source forensic tools available. The most popular forensic
tools are very expensive and available mostly to law enforcement agencies. There is no
ruleset established for capturing forensic evidence, and the laws are very ambiguous.
Computer forensics is a relatively young area; it is changing too quickly and our laws are
lagging behind.
The lack of standardization for forensic tools has allowed different tools to have
different ways of generating the data and different formats for outputting the data.
References
Berson, T. (2005, October 18). Skype Security Evaluation. Retrieved from
http://security.utexas.edu/consensus/skype.html
Brenner, S.W., & Frederiksen, B.A. (2001/2002). Computer Searches and Seizures: Some
Unresolved Issues. Michigan Telecommunications and Technology Law Review, 8/39.
Bui, S., Enyeart, M., & Luong, J. (2003, May 22). Issues in Computer Forensics. Retrieved
from
http://www.cse.scu.edu/~jholliday/COEN150sp03/projects/Forensic%20Investigation.pdf
Bunting, S. (2006). Computer Forensic Resources – Log Parser. Retrieved from
http://www.stevebunting.org/udpd4n6/forensics/logparser.htm
Computer Forensics. (2008). Retrieved from
http://en.wikipedia.org/wiki/computer_forensics
Herong Yang. (2008). Registry Hives. Retrieved May 7, 2010, from Herong's Tutorial
Examples Web site: http://www.herongyang.com/Windows/Registry-Hives-HKCRHKCU-HKLM-HKU-HKCC-HCPD.html
Berghel, H. (2003, August). The Discipline of Internet Forensics. Communications of the
ACM (46).
Downloadatoz. (2010). Outlook Redemption. Retrieved from
http://www.downloadatoz.com/outlook-redemption/
House Bill 10-1201 (2010). General Assembly of the State of Colorado.
IST 432 - Computer Forensic. Retrieved from
http://faculty.ist.psu.edu/bagby/432Portals/T2/IST%20432%2020Computer%20Forensics.htm
Jones, K. (2003, May 06). Forensic Analysis of Internet Explorer Activity Files.
Retrieved from http://www.foundstone.com/us/pdf/wp_index_dat.pdf
Jones, K. (2003). Forensic Analysis of Microsoft Internet Explorer Cookies Files.
Retrieved from
http://sourceforge.net/projects/odessa/files/ODESSA/White%20Papers/IE_Cookie_File_Reconstruction.pdf/download
Kristianto, I. (2009). How to use SQLite ADO.NET with C#. Retrieved from
http://www.ivankristianto.com/software-development/visual-studio-net/howto-use-sqliteado-net-with-c/943/
Lim, N., & Khoo, A. (2009, June). Forensics of Computers and Handheld Devices: Identical or
Fraternal Twins? Communications of the ACM, 52(6).
Monnat, D., & Ethen, L. (2004, March). A Primer on the Federal Wiretap Act and Its
Fourth Amendment Framework. Retrieved from
http://www.monnat.com/Publications/Wiretap.pdf
MozillaZine. (2009). Profile Folder – Firefox. Retrieved from
http://kb.mozillazine.org/Profile_folder
MozillaZine. (2009). Profiles.ini File – Firefox. Retrieved from
http://kb.mozillazine.org/Profiles.ini_file
Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics
and Investigations. Thomson Course Technology.
NirSoft. (2009). IEHistoryView. Retrieved from http://www.nirsoft.net/utils/iehv.html
NirSoft. (2009). ChromeCacheView. Retrieved from
http://www.nirsoft.net/utils/chrome_cache_view.html
NirSoft. (2009). MozillaCacheView. Retrieved from
http://www.nirsoft.net/utils/mozilla_cache_viewer.html
NirSoft. (2009). IECacheView – Internet Explorer Cache Viewer. Retrieved from
http://www.nirsoft.net/utils/ie_cache_viewer.html
Notenboom, L. (2004). Are you sure there is no way to retrieve MSN Messenger history
without archive messages selected? Ask Leo. Retrieved from
http://askleo.com/are_you_sure_theres_no_way_to_retrieve_msn_messenger_history_without_archive_messages_selected.html
Notenboom, L. (2004). Can I retrieve old MSN Messenger conversations? Ask Leo.
Retrieved from http://ask-leo.com/can_i_retrieve_old_msn_messenger_conversations.html
Ohm, P. (2005). The Fourth Amendment Right to Delete. Retrieved from
http://www.harvardlawreview.org/forum/issues/119/dec05/ohm.pdf
Peisert, S., Bishop, M., & Marzullo, K. (2008, April). Computer Forensics in Forensis.
Communications of the ACM (42).
PeterI. Outlook Redemption. Retrieved from
http://en.wikipedia.org/wiki/User:Peterl/Outlook_Redemption
Richard III, G., & Roussev, V. (2006, February). Next Generation Digital Forensics.
Communications of the ACM (49).
Reyes, A., & Wiles, J. (2007). The Best Damn Cybercrime and Digital Forensics.
Burlington, MA: Syngress Publishing Inc.
Schneier, B., & Kelsey, J. (1999, May). Secure Audit Logs to Support Computer Forensics.
Communications of the ACM (2).
Skibell, R. (2003). Cybercrimes and Misdemeanors: A Reevaluation of the Computer
Fraud and Abuse Act. Berkeley Technology Law Journal, 18/909.
Skype Log File Analysis. (2009). Retrieved from
http://www.lpcforensic.it/public_html/yabbfiles/Attachments/SkypeLogFileAnalysis.pdf
Streblechenko, D. (2010). Outlook Redemption. Retrieved from
http://www.dimastr.com/redemption/
United States Department of Justice. (2009, Sept). Computer Crime and Intellectual
Property Section. Retrieved from http://www.cybercrime.gov/ssmanual/index.html
US-CERT. (2008). Computer Forensics. Retrieved from http://www.uscert.gov/reading_room/forensics.pdf
Wegman, J. (2004). Computer Forensic: Admissibility of Evidence in Criminal Cases.
Retrieved from
http://www.cbe.uidaho.edu/wegman/Computer%20Forensics%20AA%202004.htm
Winn, P. (2008, Dec 8). Katz and the Origins of the "Reasonable Expectation of Privacy"
Test. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1291870
Appendix A
US Criminal Code 2705
US Criminal Code 2705 was modified by Section 213 of the PATRIOT Act.
§ 2705. Delayed notice
(a) Delay of notification.--(1) A governmental entity acting under section 2703(b) of this
title may--
(A) where a court order is sought, include in the application a request, which the
court shall grant, for an order delaying the notification required under section 2703(b)
of this title for a period not to exceed ninety days, if the court determines that there is
reason to believe that notification of the existence of the court order may have an
adverse result described in paragraph (2) of this subsection; or
(B) where an administrative subpoena authorized by a Federal or State statute or a
Federal or State grand jury subpoena is obtained, delay the notification required under
section 2703(b) of this title for a period not to exceed ninety days upon the execution
of a written certification of a supervisory official that there is reason to believe that
notification of the existence of the subpoena may have an adverse result described in
paragraph (2) of this subsection.
(2) An adverse result for the purposes of paragraph (1) of this subsection is--
(A) endangering the life or physical safety of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
(3) The governmental entity shall maintain a true copy of certification under
paragraph (1) (B).
(4) Extensions of the delay of notification provided in section 2703 of up to ninety
days each may be granted by the court upon application, or by certification by a
governmental entity, but only in accordance with subsection (b) of this section.
(5) Upon expiration of the period of delay of notification under paragraph (1) or (4)
of this subsection, the governmental entity shall serve upon, or deliver by registered
or first-class mail to, the customer or subscriber a copy of the process or request
together with notice that--
(A) states with reasonable specificity the nature of the law enforcement inquiry; and
(B) informs such customer or subscriber--
(i) that information maintained for such customer or subscriber by the service
provider named in such process or request was supplied to or requested by that
governmental authority and the date on which the supplying or request took place;
(ii) that notification of such customer or subscriber was delayed;
(iii) what governmental entity or court made the certification or determination
pursuant to which that delay was made; and
(iv)which provision of this chapter [18 USCS §§ 2701 et seq.] allowed such delay.
(6) As used in this subsection, the term "supervisory official" means the investigative
agent in charge or assistant investigative agent in charge or an equivalent of an
investigating agency's headquarters or regional office, or the chief prosecuting
attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting
attorney's headquarters or regional office.
(b) Preclusion of notice to subject of governmental access.--A governmental entity
acting under section 2703, when it is not required to notify the subscriber or customer
under section 2703(b)(1), or to the extent that it may delay such notice pursuant to
subsection (a) of this section, may apply to a court for an order commanding a
provider of electronic communications service or remote computing service to whom
a warrant, subpoena, or court order is directed, for such period as the court deems
appropriate, not to notify any other person of the existence of the warrant, subpoena,
or court order. The court shall enter such an order if it determines that there is reason
to believe that notification of the existence of the warrant, subpoena, or court order
will result in--
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction of or tampering with evidence;
(4) intimidation of potential witnesses; or
(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
SEC. 213. AUTHORITY FOR DELAYING NOTICE OF THE EXECUTION OF A
WARRANT.
Section 3103a of title 18, United States Code, is amended--
(1) by inserting "(a) IN GENERAL--" before "In addition"; and
(2) by adding at the end the following:
(b) DELAY- With respect to the issuance of any warrant or court order under this
section, or any other rule of law, to search for and seize any property or material that
constitutes evidence of a criminal offense in violation of the laws of the United
States, any notice required, or that may be required, to be given may be delayed if--
(1) the court finds reasonable cause to believe that providing immediate notification
of the execution of the warrant may have an adverse result (as defined in section
2705);
(2) the warrant prohibits the seizure of any tangible property, any wire or electronic
communication (as defined in section 2510), or, except as expressly provided in
chapter 121, any stored wire or electronic information, except where the court finds
reasonable necessity for the seizure; and
(3) the warrant provides for the giving of such notice within a reasonable period of its
execution, which period may thereafter be extended by the court for good cause
shown.
Appendix B
User's Manual
This chapter explains the GUI and the information that the NICA
Forensic Tool provides to the investigator.
Product
NICA Forensic Tool is designed to help forensic investigators find out whether a
crime was or was not committed. It is tailored towards web activities related to child
pornography, credit card fraud, identity theft, industrial espionage, casual hacks and
others.
This application gathers the information needed to show the investigator
what web sites the user visited if the browsers used were Internet
Explorer, Google Chrome and/or Mozilla Firefox. It also collects information from
Outlook, Skype and Instant Messenger if they are installed on the computer. Finally, it
provides the investigator with a timeline of information for each activity, which allows
them to weigh the evidence.
Scope/Purpose:
This new tool is very easy to use; it is a Windows form with a very user-friendly
GUI. It is accessible to everybody who has the system requirements to download the
application. It was designed to help forensic investigators by providing more information
than just browser information; it supplies a timeline of activities and a weight of the
evidence. Most of the information is retrieved from registry keys, which provide
accurate information.
User’s Data Flow
Conventions
Dates conform to ISO 8601 to avoid international ambiguity.
Numbers conform to the IEEE convention that spaces separate every three digits and the
decimal place is represented by a dot.
Each file has a similar look and feel. Several templates are necessary to cover the
different programming languages. A new source file is created by running the
appropriate template script and redirecting the output into a new file.
Uniform code is used throughout the application, along with a naming convention.
Installing the software
System Requirements (General)

Component                   Requirement
Processor                   600 MHz processor; recommended: 1 gigahertz (GHz) processor
RAM                         192 MB; recommended: 256 MB
Available hard disk space   1 GB of available space
Operating system            Windows 2000 Service Pack 4, Windows XP Service Pack 2,
                            Windows Server 2003 Service Pack 1, or Windows Vista.
                            For a 64-bit computer: Windows Server 2003 Service Pack 1
                            x64 editions, or Windows XP Professional x64 Edition
CD-ROM or DVD-ROM drive     Required
Video                       800 x 600, 256 colors; recommended: 1024 x 768, High Color 16-bit
Mouse                       Microsoft mouse or compatible pointing device
Information/resources required in the process of installation
All the utilities are included in the application; there is nothing for the user to install.
Deploying the Forensic Tool
NICA Forensic Tool will be distributed to investigators on a thumb
drive. They should extract the zip file to a location on the computer to be investigated,
such as the hard drive (e.g. the user's desktop), open the folder and run (double-click) the
forensicTool.exe file to launch the program.
NICA Forensic Tool GUI:
File -> Open Case to create a new forensic case
Under the File tab, investigators have the choice to create a new case or to open an
existing case, as well as Save Case, Save Case As, or Exit the application.
If New Case is selected:
Enter the case reference ID; case numbers usually look like C021CR2010002323, but the
format depends on the law enforcement department.
Forensic Analyst is the name of the forensic investigator, and Notes holds notes relevant
to the case.
The case will be saved if the case number was not created and saved before; otherwise a
message is shown to the user stating that the case already exists.
If the case already exists -> Open Case
Previous cases are saved in a table in the SQLite database.
Find and select the case number to reload the case and run the parser.
Parser -> Run Parser
Press Start to run the search, or press Cancel.
In this case there are 3 user profiles on the computer, and there are 15,883 entries in the IE
cache file, 2,726 history files, 923 cookies, 6 Firefox history files, 151 Firefox cache files,
71 Firefox cookies, 1,189 Chrome history files and 788 Chrome cache files.
There are also Skype, Outlook and Windows Live Messenger entries if those programs are
in use on the investigated computer.
Viewer allows the investigator to view user profiles, Internet Explorer, Firefox, Chrome,
Skype, Outlook, Windows Live Messenger and timeline activities for each user.
Viewer -> Internet Explorer -> History to view the Internet Explorer history
The IE History file contains the user's URL, the title of the site, how many times the site
was hit, the date the file was last modified, the expiration time, the subfolder if there is
any, and the user name. The title of the site gives the name of the specific site and a little
more information about it; this helps investigators glance through the information faster
and find the suspected sites. E.g. the URL Durango.org does not tell the investigator much,
but the title "Colorado vacation: Colorado sightseeing - Durango area" gives more
specific, easy-to-read information.
The following procedures can be done with each of the browsers (Internet Explorer,
Firefox and Chrome) and can be used on each grid that contains the history, cache and
cookie file for each browser.
To find all the Internet Explorer visits to any "Durango" site, investigators need to right-
click the activity, select Mark items by pattern and enter Durango as the keyword to be
searched.
There are 5 items found that contain the keyword "Durango".
After the entries have been selected by the NICA Forensic Tool, it is easier to
display all the information found by itself. Go to Viewer -> Time Window Activities to
view the suspected activities.
The Time Window Activities grid displays the days and times that the suspect visited the
sites that contain the keyword "Durango". E.g. on 4/28/2010 sites containing the keyword
"Durango" were visited five times: at 8:47 am, 8:47 am, 10:37 am, 10:43 am and 10:46
am.
If more information about the site is needed, right-click and select Properties. A window
will display more information about the site.
Internet cache files and cookie files
Viewer -> Internet Explorer -> Cache will display the Internet Explorer cache file. The
information displayed is the file name (for example a gif file), the content type that
explains what type of file it is, such as an image file, the URL, the time the file was
created, the last time the file was modified, the expiration time, how many times the file
was hit, the file size, the subfolder location, the full path location and the user name.
Viewer -> Internet Explorer -> Cookies displays the IE cookie information: web
site, modified time, last accessed time, created time, file name, missing file, file
size and user name.
Viewer -> Firefox -> History
It displays the URL information, last visited time, how many times the site was visited,
reference (tracks of redirected links), web site title, visit type (such as link or typed URL)
and user name.
Viewer -> Firefox -> Cache displays the information in the Firefox cache files: file
name, content type, URL, file size, how many times the site was visited, last time the file
was modified, last fetched, expiration time, server name, server response, server time,
server last modified time, content encoding, cache name, cache control, entity tag and
user name.
Viewer -> Firefox -> Cookies displays the information in the cookie files: domain
host, path, value, expiration time, last accessed time, secure, domain access, line ID and
user name.
Viewer -> Chrome -> History
It displays the Chrome history file information: URL, last visited time, how many times it
was visited, reference, title, visit type, redirect type and user name.
Viewer -> Chrome -> Cache displays the cache file information: file name, content
type, URL, file size, last accessed time, expiration time, server name, server response,
server time, server last modified, content, cache name, cache control, entity tag and
user name.
Viewer -> Chrome -> Cookies displays the cookie information: domain host, path,
value, expiration time, last accessed time, secure, domain access, line ID and user name.
Skype Activities
If Skype is installed on the investigated computer, a list of activities is shown under
Viewer -> Skype. If it is not installed or has no activities, zero activities are shown.
The columns are: record number, action type (chat message, outgoing call, incoming call,
video), action time, Skype user, display name (the Skype user name is most of the time
just a nickname, not the name of the user), duration of the current activity, the chat
message (note that call contents cannot be retrieved), chat ID, file name, Skype account
(when an account is set up, a user name and password need to be created; the Skype
account is that user name) and user name (who logged into the computer).
Specific Skype activities can also be found by right-clicking and selecting Mark items by
pattern to select information such as with whom the suspect was communicating, at what
time and on what days.
The total number of matching activities will be shown.
TimeWindowsActivitiesViewer will display all the activities that comply with the
requested parameters. Dates, times and activity details will be available to help the
investigator search for evidence.
Outlook Activities
This viewer displays whether Outlook has any activities.
Folder name, sender name, sender email address, send to, copy to and blind copy to are
some of the information that the viewer can display, along with modified, last
modification time, whether the message was read or unread, submitted, deleted, auto
forward, read receipt, size, and the .pst file (the Outlook file where the information is
stored). Note that the email message body is not displayed. The NICA Forensic Tool is
concerned with the time and other particular evidence such as send to; the email message
contents are not required for the functionality of the tool.
Time information is needed for the timeline report, and send to can be used as evidence
to prove that the owner of the computer knows the receiver of the email.
Outlook-specific activities can also be found by right-clicking on the Outlook activity
grid, selecting the specific activity of interest and selecting Mark items by pattern.
Activities can be chosen by sender name or email address. This feature helps
investigators find all the Outlook activities between a specific sender name and a
receiver name.
The Windows Activity viewer shows all the days on which the conditions were met. Just
select the day and a window will show each activity by day.
Instant Messenger
The viewer shows Windows Live Messenger activities.
Right-click and select Mark items by pattern to select specific activities.
Activities by account are selected, and will be displayed by dates, times and
activity descriptions.
TimeLine Report
This report shows all the combined information by date and time for each user found. In
this case we have four users. Select the user who is under investigation and choose the
date on which you suspect the suspected activities occurred.
If there is a suspect activity, click to select it and right-click to open a dialog box to mark
the selected item -> suspect items or malicious items.
Then go to Tools -> Time Window Setting.
This feature allows the investigator to select any other activity, such as Skype, Outlook,
IM or any visit to a site, that is contained in the specified time frame. In this case, the time
frame will be 15 minutes.
Go to Viewer -> TimeWindowActivities
A time window opens showing all the activities around the previously marked
suspected activity that are within 15 minutes of it. It also displays the percent probability
that the alleged suspect committed the crime.
The NICA Forensic Tool's keyword feature helps investigators get information from
visited sites faster. Tools -> Browser Keyword List allows the investigator to enter a
keyword for visited sites, like 1and1.
On the timeline viewer, mark with the defined keywords (already selected previously).
A window will display the total number of entries found with the specified parameters.
The time window viewer will display, with highlights, all the dates and times that the
site 1and1 was visited.
If more information is needed for a specific activity, right-click and select View
Properties. A window will display all the details of the selected activity.
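The two manual procedures above, marking items by keyword pattern (the "Durango" and 1and1 searches) and the Time Window Activities view that lists every other activity within 15 minutes (or the 30-minute setting the first investigator used) of a marked suspect item, can be written down as a small correlation routine. This is an added example, not code from the NICA Forensic Tool; the Activity record, the sample timeline rows and all function names are assumptions, and the timeline is constructed for illustration. The probability figure the viewer shows is not specified on the page, so it is not computed here.

```python
"""Keyword marking and time-window correlation over a forensic timeline.

Added example (not NICA Forensic Tool code). Rows are constructed to resemble
the viewer grids in the manual: browser history, Skype, Outlook and a logon.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Activity:
    """One row of a viewer grid (assumed shape)."""
    source: str      # e.g. "IE history", "Skype", "Outlook", "Logon"
    user: str        # Windows user name the artifact belongs to
    when: datetime   # ISO 8601 timestamp, per the manual's date convention
    detail: str      # URL and title, chat partner, mail subject, ...


# Constructed sample timeline for one machine; not real evidence.
SAMPLE = [
    Activity("Logon", "jdoe", datetime(2010, 4, 28, 8, 40),
             "interactive logon"),
    Activity("IE history", "jdoe", datetime(2010, 4, 28, 8, 47),
             "durango.org | Colorado vacation: Colorado sightseeing - Durango area"),
    Activity("Skype", "jdoe", datetime(2010, 4, 28, 8, 52),
             "chat message with skypeuser42"),
    Activity("Outlook", "jdoe", datetime(2010, 4, 28, 9, 10),
             "sent to friend@example.invalid | lunch tomorrow?"),
    Activity("IE history", "jdoe", datetime(2010, 4, 28, 10, 37),
             "durango.org/hotels | Durango area hotels"),
    Activity("IE history", "asmith", datetime(2010, 4, 28, 10, 40),
             "news.example.invalid | headlines"),
    Activity("Outlook", "jdoe", datetime(2010, 4, 28, 10, 41),
             "received from friend@example.invalid | re: Durango trip"),
]


def mark_by_pattern(activities, keyword, sources=None):
    """'Mark items by pattern': case-insensitive keyword match on the detail
    column, optionally restricted to particular viewer grids (sources)."""
    rx = re.compile(re.escape(keyword), re.IGNORECASE)
    return [a for a in activities
            if rx.search(a.detail) and (sources is None or a.source in sources)]


def days_and_times(marked):
    """The day view of Time Window Activities: {date: [HH:MM, ...]}."""
    out = {}
    for a in sorted(marked, key=lambda a: a.when):
        out.setdefault(a.when.date(), []).append(a.when.strftime("%H:%M"))
    return out


def time_window_activities(activities, marked, window_minutes=15):
    """For each marked (suspect) activity, collect every other activity of the
    same Windows user within +/- window_minutes of it. 15 is the tool's
    default; the first investigator's report used 30."""
    window = timedelta(minutes=window_minutes)
    context = {}
    for m in marked:
        near = [a for a in activities
                if a is not m and a.user == m.user
                and abs(a.when - m.when) <= window]
        context[m] = sorted(near, key=lambda a: a.when)
    return context


def timeline_report(activities, marked, window_minutes=15):
    """Render the combined timeline as text lines, one block per suspect item,
    with each surrounding activity's offset in minutes from the suspect item."""
    lines = []
    for m, near in time_window_activities(activities, marked, window_minutes).items():
        lines.append(f"== {m.when.isoformat(' ')} {m.user} {m.source}: {m.detail}")
        for a in near:
            offset = int((a.when - m.when).total_seconds() // 60)
            lines.append(f"   {offset:+4d} min  {a.source:<10} {a.detail}")
    return lines


if __name__ == "__main__":
    hits = mark_by_pattern(SAMPLE, "durango", sources={"IE history"})
    print(days_and_times(hits))
    print("\n".join(timeline_report(SAMPLE, hits, window_minutes=30)))
```

Widening the window from 15 to 30 minutes pulls the 9:10 Outlook item into the context of the 8:47 visit, while the other user's 10:40 entry is never attributed to the suspect's session.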