
Techshow Day 2 - CSI For Real: Science of Computer Forensics

Craig Ball and John Simek

Craig: a simple Walmart-purchased hard drive holds more data than you can imagine. 80GB is a ton of stuff, and maybe 2/3 of what is on that drive is unreadable to you, so you can’t even be sure what it says. Even then, we’ve moved way beyond that. We’re talking servers, cell phones, BlackBerrys, thumb drives, memory cards and into access control tools, toll tag data (key card systems), even iPods keep track of things. Digital cameras and surveillance (EXIF data, freeway cams, etc.), copiers and fax machines have data on them, GPS tracking and even air bag systems have data. And then we get to the Internet, Facebook, Gmail, etc.

There are many digital footprints left behind. Rather than being scared of this, be aware that this rich, useful information can be used to get at the truth. The smart guy surfing pr*n may know to get rid of his internet history and cache, and delete the images, but he may not be aware of index.dat, or thumbs.db, let alone deleted items recovery tools.

Other useful information: the Registry tracks any connected USB devices. Prefetch can show recently used apps, just like recently opened documents. Windows Registry UserAssist keys are encoded in ROT-13 (really not encrypted at all; it just moves each letter 13 letters ahead in the alphabet). The only thing it is protected against is a keyword search, which is important to know.
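To make the keyword-search point concrete, here is an added example (not code from the session or from any of the tools shown) that decodes the ROT-13 value names found under UserAssist and shows why a naive keyword search of the raw registry data misses them. The value names below are constructed samples in the layout the talk describes; the block handles only the names, not the binary run-count and timestamp data stored alongside them, whose layout differs between Windows versions.

```python
import codecs
from typing import Dict, List

# Constructed sample UserAssist value names, ROT-13 encoded exactly as they
# would appear in the registry (these are illustrative, not real evidence).
SAMPLE_USERASSIST_NAMES: List[str] = [
    r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr",
    r"HRZR_EHACVQY:%pfvqy2%\Zvpebfbsg Bssvpr\Jbeq.yax",
    r"HRZR_EHACNGU:P:\Gbbyf\jvcrhgvy.rkr",
]


def rot13(text: str) -> str:
    """ROT-13 is its own inverse, so the same call encodes and decodes."""
    return codecs.decode(text, "rot_13")


def decode_userassist(names: List[str]) -> Dict[str, str]:
    """Map each raw (encoded) value name to its readable form."""
    return {raw: rot13(raw) for raw in names}


def naive_keyword_search(names: List[str], keyword: str) -> List[str]:
    """What a plain keyword search over the raw registry strings would return."""
    needle = keyword.lower()
    return [raw for raw in names if needle in raw.lower()]


def decoded_keyword_search(names: List[str], keyword: str) -> List[str]:
    """Search the decoded names; returns the raw names that matched."""
    needle = keyword.lower()
    return [raw for raw, plain in decode_userassist(names).items()
            if needle in plain.lower()]


if __name__ == "__main__":
    for raw, plain in decode_userassist(SAMPLE_USERASSIST_NAMES).items():
        print(f"{raw}\n  -> {plain}")
    print("raw search for 'calc.exe':", naive_keyword_search(SAMPLE_USERASSIST_NAMES, "calc.exe"))
    print("decoded search for 'calc.exe':", decoded_keyword_search(SAMPLE_USERASSIST_NAMES, "calc.exe"))
```

The raw search returns nothing for "calc.exe" because the stored string is "pnyp.rkr"; the decoded search finds it. An examiner searching exported registry data for program names needs to decode these value names first, or search for the ROT-13 form of the keyword.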

Craig is describing how Windows deletes files by deleting the file table information, even though the data is still on the disk. (Need to see if this presentation is on the CD, might help explain forensics to non-technical people.)

John: Email and internet activity are the two main areas of interest in cases. Index.dat can show you that information. Showing Net Analysis tool to show how it reads the internet history that exists in index.dat. It shows last visited date, secondary date, which is the date from the server (can be useful occasionally), and username. Can filter for search terms that were used.

John: You get a really good idea of the personality of the user when doing an exam. Craig: It’s mind-reading really. You can watch classic behavior: someone gets a subpoena, starts searching for law.com, legal information, lawyers, etc. Then they start searching for permanent deletion tools. He’s never found evidence more damning than the hole left behind by getting rid of information. The jury will assume the absolute worst! People will wipe things that they simply don’t want people to see, even when it isn’t that bad; that’s why you get the PC and clone it before human frailty comes into play. Recovering that data is more costly, and will lead to partial information that you now have to defend, rather than full information that may, again, not be that bad.

Craig asked for a volunteer with thumb drive, is using FTK to examine that drive live. There’s not much on it, nothing in the unallocated space, but we can see everything on it, and the deleted items, we can see the last time he accessed stuff on it, etc.

Hashing is invaluable: it can help the examiner eliminate all the system files and other stuff that isn’t user created. Also, being able to verify file types gets you to those documents whose extension has been changed. It can extract all images, regardless of where they might be embedded, and has skin tone recognition to pull out images that have skin tone in them.
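The three techniques in that paragraph (known-file elimination by hash, file-type verification by content rather than extension, and pulling images out of wherever they sit) are shown below in an added example written for this post; it is not code from FTK or from the speakers. The file contents, paths and the known-file hash set are all constructed, and the signature table covers only a handful of common formats.

```python
import hashlib
from pathlib import PurePosixPath
from typing import Dict, List, Set, Tuple

# Standard leading-byte signatures ("magic numbers") for a few common formats.
MAGIC_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for .docx/.xlsx/.pptx
    b"MZ": "exe",
}

# The content type each extension is expected to carry.
EXPECTED_TYPE_BY_EXT = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf", "txt": "text",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "exe", "dll": "exe",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, label in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def extension_of(path: str) -> str:
    return PurePosixPath(path).suffix.lstrip(".").lower()


def triage(files: Dict[str, bytes], known_hashes: Set[str]) -> List[dict]:
    """Drop files whose hash is in the known-file set, then flag extension/content mismatches."""
    findings = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in known_hashes:
            continue  # known system/application file: eliminated from review
        sniffed = sniff_type(data)
        expected = EXPECTED_TYPE_BY_EXT.get(extension_of(path))
        # Only call it a mismatch when both the extension and the content are recognised.
        mismatch = expected is not None and sniffed != "unknown" and sniffed != expected
        findings.append({"path": path, "sha256": digest, "sniffed": sniffed, "mismatch": mismatch})
    return findings


def find_embedded_jpegs(data: bytes) -> List[Tuple[int, int]]:
    """Locate JPEG streams anywhere in a byte string by pairing SOI (FF D8 FF) with the next EOI (FF D9)."""
    segments, pos = [], 0
    while True:
        start = data.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = data.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        segments.append((start, end + 2))
        pos = end + 2
    return segments


# Constructed sample "disk": a minimal JPEG-like blob, a renamed copy of it,
# a JPEG buried inside an unrelated file, and a stand-in for a system binary.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Windows/system32/notepad.exe": b"MZ\x90\x00 constructed stand-in for a system binary",
    "C:/Users/bob/holiday.jpg": JPEG_SAMPLE,
    "C:/Users/bob/homework.txt": JPEG_SAMPLE + b" (renamed)",
    "C:/Users/bob/memo.pdf": b"%PDF-1.4 constructed memo body",
    "C:/Users/bob/archive.dat": b"plain header text" + JPEG_SAMPLE + b"trailing bytes",
}
# Constructed known-file hash set (a real exam would use a published set such as NSRL).
KNOWN_HASHES: Set[str] = {sha256_hex(SAMPLE_FILES["C:/Windows/system32/notepad.exe"])}


if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, KNOWN_HASHES):
        print(finding)
    for path, data in SAMPLE_FILES.items():
        segs = find_embedded_jpegs(data)
        if segs:
            print(f"{path}: JPEG data at byte offsets {segs}")
```

Running it eliminates the known binary, flags homework.txt as a JPEG wearing a text extension, and reports the JPEG hidden inside archive.dat at offset 17, which is what "regardless of where they might be embedded" means in practice: the examiner's tool carves on content signatures, not on names.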

John: that being said, there are no silver bullets. Just because you have a tool, doesn’t mean you can interpret what you have with your knowledge and that tool. You may need another tool, for email for example.

Read Craig’s articles on DIY forensic imaging. Use FTK Imager, because it’s free. Get a write blocking device. Don’t run forensic examinations on original drives; they change the information! John’s example: an IT guy ran an undelete utility when he examined a drive to find deleted files, and the evidence was ruined at that point.

Craig has moved away from cloning and does software imaging instead, except when doing “black bag” collections, when you come in at night, get a clone and leave the PC back in its original state as quickly as possible.

Unallocated clusters on servers rarely have useful information: servers, especially RAID arrays, overwrite information very quickly, so you really need to get it quick and know where the data was before deletion.

Time to hit some vendor booths, more later!

Tags: ComputerForensics
