Introduction to Computer Forensics and Hashing

What is Forensics?

Forensics is the art and study of argumentation and formal debate. It uses the application of a broad spectrum of sciences to answer questions of interest to the legal system.

Forensic Science is the science and technology that is used to investigate and establish facts in criminal or civil courts of law.
Criminal Justice Fundamentals

How a case usually plays out:

- Law Enforcement notified of crime
- Evidence is gathered – may require search warrants
- Suspects are developed
- Interviews or interrogations are conducted
- Suspect is charged
- Case w/evidence is turned over to prosecutor
What is Computer Forensics?

Computer forensics is forensics applied to information stored or transported on computers.

It "involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis".

Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.
What is Computer Crime?

Three situations where you might find evidence on a digital device:

- Device used to conduct the crime
  - Child Pornography/Exploitation
  - Threatening letters
  - Fraud
  - Embezzlement
  - Theft of intellectual property
- Device is the target of the crime
  - Incident Response
  - Security Breach
- Device is used to support the crime
What is evidence in terms of Computer Forensics?

Can be anything!

- As small as a few bytes
- Could be, and hopefully will be, complete files
- Likely will be fragments of files
- Could be Deleted
- Could be Encrypted
- A few Words
- A couple of sentences
- Hopefully some paragraphs
- Registry entries, or log entries!
Where do we find it?

- Storage Media
- RAM
- Log Files
- Registry
How might the information be stored?

- Might be plain data with no hidden agenda
- The data could be encrypted
- Data could be hidden
- Could be hostile code
Data Encryption

Encrypting data could guard the data in two ways.

- Protect data
  - Use of Ciphers
  - Files might need to be decrypted
  - Decryption program generally stored fairly close to the file to be decrypted.
  - Probably password protected.
- Prove integrity
Data Hiding

- Data could be obfuscated
  Encryption is some method of modifying data so that it is meaningless and unreadable in its encrypted form. It also must be reasonably secure, that is, it must not be easily decrypted without the proper key. Anything less than that is obfuscation: data that is rendered unusable by some means, but is not considered a serious form of encryption.
- Data could be compressed
- Data could be hidden in plain sight – innocent looking data has alternate meaning
- Data could be hidden within the file system
Data Hiding (contd.)

- Data could be hidden in a file
  - Steganography - science of writing hidden messages in such a way that no-one apart from the sender and intended recipient even realizes there is a hidden message
- Hidden data might not be in a file
  - Invisible names
  - Misleading names
  - Obscurity
  - No names
  - Slack, swap, free space
  - Removable Media
Hostile Code

Presume that any unknown code is hostile. Guilty until proven innocent.

Any code used by an unauthorized person to gain advantage or power over someone else should be considered hostile:

- Remote access
- Data gathering
- Sabotage
- Denial-of-service
- Eluding detection
- Resource theft
- Circumvention of access control mechanisms
- Social status
How do we go about the business of Computer Forensics?

Three A's of Computer Forensics:

- Acquire the evidence without altering or damaging the original.
- Authenticate that your recovered evidence is the same as the originally seized data.
- Analyze the data without modifying it.
Acquire the evidence

- How do we seize the computer?
- How do we handle computer evidence?
- What is chain of custody?
  - Evidence collection
  - Evidence Identification
  - Transportation
  - Storage
- Documenting the Investigation
Authenticate the Evidence

Prove that the evidence is indeed what the criminal left behind. Contrary to what the defense attorney might want the jury to believe, readable text or pictures don't magically appear at random.

- Calculate a hash value for the data
  - MD5
  - SHA-1, SHA-256, SHA-512
Analysis

- Always work from an image of the evidence and never from the original.
- Prevent damage to the evidence
  - Make two backups of the evidence in most cases.
- Analyze everything; you may need clues from something seemingly unrelated.
Tools

- Password crackers
- Hard Drive Tools
  - Fdisk on Linux
- Viewers
  - QVP
  - Diskview
  - Thumbsplus
- Unerase tools
- CD-R Utilities
- Text search tools
- Drive Imaging
  - Safeback
  - Linux dd
- Disk Wiping
- Forensic Toolkits
- Forensic Computers
Forensic Software

- Forensic Toolkit
- The Coroner's Toolkit
- Sleuth Kit
- Encase
- ILook
Digital Crime Scene Investigation Process

No one right way to do it!

- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase

Carrier, B., Page 5, Figure 1.1
System Preservation Stage

Crime Scene Preservation

Depending on the situation, this will vary.

- Take pictures of everything.
  - Room setup
  - Connections
  - Open windows on computers
- Label all wires and connections.
- Bag and Tag all evidence.
System Preservation (cont.)

Evidence Preservation

- Seize all hardware that is necessary to reconstruct evidence
- Jam or disable all wireless connections if possible
- Make 2 (3) copies of all media
- Authenticate all copies of media with the MD5 and SHA-1 hash algorithms
Evidence Preservation

The data has to be protected physically and logically. Physically, make sure when transporting hard drives that they are stabilized and not damaged by excessive vibrations. Another thing to look out for is static electricity.

Logically preserving evidence means that the information contained on the drive, down to the last bit, never changes during seizing, analysis and storage.
Evidence Preservation – Write Blockers

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands. These can be in the form of hardware or software blockers. It is very important that some type of write blocker is tested and used when working with data.
Evidence Preservation – Write Blockers (contd.)

On our systems, we would use software write blockers to preserve the integrity of the data. We have included a tool that would do that (disable_usb_write.reg). BEFORE attaching the USB drive, the write blocker needs to be invoked. Now the USB drive can be attached, and this would ensure that nothing is written to the USB drive.

In a real scenario, a hardware write blocker would provide much stronger protection.
Evidence Preservation – Making Copies

With the write blocker in place, you can now make several copies of the image. It is important that an image is made of the hard drive and not a copy or a backup. The reason for this is that an image will make sure to preserve important information such as slack space, time stamps, unallocated space and file system structures, which would not necessarily be there in a copy or a backup.
Evidence Preservation – Making Copies (contd.)

It is a good idea to make at least 2 working images – one to be used as a backup and one to work on. In our tools folder, there is an Image command that actually uses the dd command to create an image of a hard drive.

Most texts also suggest making a third image for discovery.
Evidence Preservation – Authenticating and Hash Functions

It is now necessary to prove that all of these images are exactly the same, down to the very last bit!

A hash function is any well-defined procedure or mathematical function for turning some kind of data into a relatively small integer. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.
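The imaging and authentication steps of slides 25 through 27 (and the hash check of slide 15), as an added example that is not part of the original slides and not the course's Image tool: a constructed 8 KiB file stands in for the seized drive, dd produces the working, backup and discovery images, and the MD5 and SHA-1 digests of every image are compared with those of the original, so that a single altered byte in any copy fails authentication. The file names, the temporary directory and the sample bytes are assumptions; on a real device the source would sit behind a write blocker before dd ever read it.

```shell
#!/bin/sh
# Added example (not from the slides): image a constructed "drive" with dd and
# authenticate every copy with MD5 and SHA-1, as the Three A's require.
set -e

WORK=$(mktemp -d)                     # assumption: scratch directory for the demo
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the seized drive: 8192 bytes, an exact multiple of
# the 4096-byte block size used below, so conv=sync adds no padding.
make_evidence() {
    yes 'constructed evidence: sample bytes' | head -c 8192 > "$WORK/suspect_drive"
}

# Bit-for-bit image, not a file copy: dd reads raw blocks, so slack space and
# unallocated space come along. conv=noerror,sync keeps going past a bad sector
# and pads it, so the offsets of everything after it stay intact.
image_drive() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Fingerprint the bytes only: the file is read through stdin, so its name never
# enters the hash. Output is "md5 sha1" on one line.
hash_image() {
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" "$(sha1sum < "$1" | cut -d' ' -f1)"
}

# Return 0 only if every image carries the same MD5 and SHA-1 as the original ($1).
authenticate_images() {
    ref=$(hash_image "$1")
    shift
    for img in "$@"; do
        [ "$(hash_image "$img")" = "$ref" ] || return 1
    done
    return 0
}

run_demo() {
    make_evidence
    image_drive "$WORK/suspect_drive" "$WORK/image_work.dd"       # the one to analyze
    image_drive "$WORK/suspect_drive" "$WORK/image_backup.dd"     # the untouched backup
    image_drive "$WORK/suspect_drive" "$WORK/image_discovery.dd"  # the third, for discovery
    authenticate_images "$WORK/suspect_drive" "$WORK/image_work.dd" \
        "$WORK/image_backup.dd" "$WORK/image_discovery.dd"
    echo "all three images authenticate against the original"

    # Change a single byte in the backup: both digests differ and the check fails.
    printf 'X' | dd of="$WORK/image_backup.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if authenticate_images "$WORK/suspect_drive" "$WORK/image_backup.dd"; then
        echo "altered backup was not detected" >&2
        return 1
    fi
    echo "altered backup rejected"
}

run_demo
```

Because the digests are computed from the bytes and not from the file name, the same two values written into the chain-of-custody record let anyone re-verify any of the three images later, whichever path or media it has been stored on.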
Evidence Preservation – Hashing (contd.)

In authentication, hashing is used to create a set of numbers that represent a drive or set of files. This is similar to fingerprinting someone. With hashing, a fingerprint is created from the evidence. No details about the evidence can be determined from the hash value, but if the evidence is altered in any way, the hash value will also change.
Evidence Preservation – Hashing (contd.)

Two examples of hash functions are MD5 and SHA-1. MD5 was developed by Professor Ronald L. Rivest of MIT. The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint of the input.
Evidence Preservation – Hashing (contd.)

SHA stands for Secure Hash Algorithm. The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA). The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-1 produces a message digest that is 160 bits long; the number in each of the other four algorithms' names denotes the bit length of the digest it produces.
Evidence Preservation – Hashing (contd.)

Hashing tools can be found in the tools directory. The md5sum tool produces an MD5 message digest (hash value). The hashcalc application can also create hash values using different hashing methods.

The hashing is done on the data itself, and not on the names of files. There are existing databases of hash values for images that can be used to find child pornography.
Evidence Searching Stage

Once everything is preserved, analysis must begin.

- Forensics is a science, so there should be a hypothesis from which to work.
- Direct searching activities to support this hypothesis.
Evidence Searching (cont.)

- If you are looking for a specific file, e.g., child porn, compare hash values.
- If you are looking for keywords, most software gives you a search capability.
- Be specific to what you are looking for:
  - If you are looking for web activity, look in web files; history, cache, cookies, etc.
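The two kinds of search on this slide, and the point from slide 31 that hashes cover the data and not the file name, as an added example that is not part of the original slides: a constructed SHA-256 hash set and a small directory tree stand in for a known-file database and the mounted working image. The hash search flags a file whose bytes match an entry in the set even though it carries an innocent name, leaves a similarly named file with different bytes alone, and the keyword search is plain grep. The directory layout, file names and contents are all assumptions; a real hash set would come from an established known-file database, not from bytes built on the spot.

```shell
#!/bin/sh
# Added example (not from the slides): search a mounted image by content hash
# and by keyword. Paths, hash values and file contents are all constructed.
set -e

WORK=$(mktemp -d)                     # assumption: scratch directory for the demo
trap 'rm -rf "$WORK"' EXIT

# Build a constructed hash set and a small directory tree that plays the role of
# the mounted working image. The "reference" file stands in for a file whose
# hash is already listed in a known-file database.
build_fixture() {
    mkdir -p "$WORK/tree/photos" "$WORK/tree/docs"
    printf 'CONSTRUCTED REFERENCE FILE CONTENT 0001\n' > "$WORK/reference.bin"
    # hash set: one lowercase SHA-256 per line, computed here from the reference bytes
    sha256sum < "$WORK/reference.bin" | cut -d' ' -f1 > "$WORK/known.sha256"
    # same bytes under an innocent name: must be found, the name is irrelevant
    cp "$WORK/reference.bin" "$WORK/tree/photos/vacation.jpg"
    # similar name and size, one character different: must not be found
    printf 'CONSTRUCTED REFERENCE FILE CONTENT 0002\n' > "$WORK/tree/photos/vacation2.jpg"
    printf 'notes: meeting at noon, bring the invoices\n' > "$WORK/tree/docs/notes.txt"
}

# Print every file under $2 whose SHA-256 appears in the hash set $1.
# The digest is taken over the bytes read from stdin, so renaming cannot hide a file.
search_by_hash() {
    find "$2" -type f | while IFS= read -r f; do
        h=$(sha256sum < "$f" | cut -d' ' -f1)
        if grep -qxF "$h" "$1"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every file under $1 containing keyword $2, case-insensitively.
# This is the "search capability" the slide mentions, done with grep.
search_keyword() {
    grep -rli -- "$2" "$1" || true
}

build_fixture
echo "hash matches:"
search_by_hash "$WORK/known.sha256" "$WORK/tree"
echo "keyword matches for 'meeting':"
search_keyword "$WORK/tree" 'meeting'
```

Both searches read from the working image, never from the original; run them on a copy whose hashes have already been authenticated, and record the hash set's source and date alongside the results so the match can be reproduced later.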
Event Reconstruction Stage

- Last phase of investigation.
- Trying to answer the question of what happened and how.
- Evidence discovered during the searching phase is reconciled with non-digital evidence to create a sequence of events to support the hypothesis.
General Guidelines

- Use a write-blocking device to prevent accidentally writing to the suspect media.
- Always work from a copy, not from the original.
- Authenticate the copy so that you can prove that evidence discovered was on the original media.
- Minimize file creation on working media to prevent over-writing of free space.
- Be especially careful of opening files, especially without a write-blocker, because CMA (created, modified, accessed) times will change.