Page Header Banner
Page Header Banner

Basic Understanding To Digital Forensics

Post Header Banner
Post Header Banner

BASIC UNDERSTANDING TO DIGITAL FORENSICS

Presented by Mr. Sovichea Cheat (aka Victor C. Sovichea)
Master of Science in Computing, RMIT University, Australia

“Defense Saturday 7”
July 18th, 2015
Development Innovative, Phnom Penh, Cambodia

This is not an HOW TO, but an INTRODUCTION

What is Digital Forensics?

Digital forensics is the process of uncovering and interpreting electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events which is legally acceptable.

Video on What is Cyber Forensics?

Why do we need Digital Forensics?

There are many reasons to do Digital Forensics, but those have been classified into two main categories below:

  • Collect evidence
  • Recover Data

Who will need Digital Forensics?

  • Governments (Cyber Police, FBI, NSA, Inter-Pol,…)
  • Boss
  • Private Investigators
  • Data Recovery Specialists
  • Bad Guys
  • etc.

 Digital Forensics Sub-Branches

  • Computer Forensics
  • Mobile Device Forensics
  • Network/Internet Forensics
  • Forensics Data Analysis
  • Database Forensics
  • Photo Forensics
  • Voice Forensics
  • etc.

Digital Forensics Counterparts

Investigation of digital crime requires investigators from different backgrounds:

  • Computer security professionals
  • Forensic scientists
  • Law enforcement officers
  • Lawyers
  • …(case by case)

What do you need to know before starting to do Digital Forensics?

Skills:

1.Experience within IT Administration / Computer Forensics / Computer Security

2.Good understanding in dealing with a wide range of Hardware and Software.

3.Experience within IT Security, including Security policies.

4.Highly presentable and client facing role.

5.Able to pull files from storage mediums, phone, etc.

6.Details analytic skills

7.Strong troubleshooting, analytical, investigations skills, etc.

Data Structure on Disk

1.Tracks, Sectors

2.Disk partitions,..

3.Logical block addressing

4.Geometry of disk drives and zoned-bit recording

5.Master Boot Record

Hard Drive Structure
Hard Drive Structure – Photo: ils.unc.edu
Master Boot Record
Master Boot Record

Video about the Inside a Hard Disk Drive

Common Disk File Systems

1. FAT12, FAT16: DOS, Windows 95, Flash Media <= 2GB

2. (v)FAT32: Windows 95 OSR 2, 98, Me, XP, Flash Media > 2GB

3. NTFS: Windows NT, XP, Server,..

4. ext2, ext3: Linux

5. NFS, UFS/FFS: Solaris, BSD

6. HFS+: Mac OS

7. ISSO9660: CDs

8. UDF: DVDs, BluRay, etc.

9. ReiserFS: Linux

Encoding/Decoding

1. TEXT(ASCII/ANSI): security

2. BINARY: 01110011 01100101 01100011 01110101 01110010 01101001 01110100 01111001

3. OCTAL: 163 145 143 165 162 151 164 171

4. DECIMAL: 115 101 99 117 114 105 116 121

5. HEXADECIMAL: 73 65 63 75 72 69 74 79

6. BASE64: c2VjdXJpdHk=

7. ROT13: frphevgl

8. etc.

File Curving

This method is used to curve broken files or analyse file which suspected to be injected with other codes or file. Specialists normally investigate with hexadecimal code.

For example, JPEG file starts with FFD8FFE0 and ends with FFD9

FC1

FC2

If a word document has a picture inside the content, the start of file will no longer be FFD8FE0, it would be something like below:

FC3

Yet, you can still find the picture by searching for the head and end of JPEG file.

FC4

FC5By copying from the head/start to the end of JPEG file, pasting into a new file and saving it with a name and JPEG extension, you will get the individual JPEG file.

The method is widely implemented in finding malicious code in files, and modern criminal cases related to computer file and child pornography, etc.

Recovery/Forensics Tools

Linux-Based

  • Low-level tool:

1. Sleuthkit: update version of The Coroner’s Toolkit (TCT)

  • High-level tools:

2. Autopsy: Graphical Front-end to Sleuthkit

3. PyFLAG: log file analysis for forensics investigators

4. Helix: can perform live dumps of Linux and Windows host. This tool includes: Sleuthkit, Autopsy, PyFLAG, macabre, WireShare, md5deep,..

Windows-Based

  • EnCase: industry standard image analysis tool
  • WinHex: list in the top used tools

 

Crime Scene

Immediately isolate the scene. Only concerned officers are allowed to enter.

Materials we should take to the scene:

  • Laptop computer
  • Live CD Forensic
  • Forensic Software
  • Journal/notebook
  • Evidence log form
  • Large-scale storage drive
  • IDE ribbon cable
  • SATA cable
  • Network cable
  • Flashlight
  • Camera (video and recorder), and voice recorder
  • External media(USB, portable hard drive,..)
  • Evidence bags(water proof plastic bags),
  • Evidence labels, tape, and tags
  • etc.

Why do we need Live Analysis?

There are some evidences of the crime scene might be lost or unavailable due to the disconnection between the computer and network if it is existed, and when the machine was shutdown.

The live analysis has advantage in obtaining live data from the computer which is currently running.

Also, avoiding BOOBY TRAP.

However,  the method would destroy the evidence when there is more accesses to the system; Data Integrity is the issue.

The system will keep continuously record the transaction while analyst keep doing their duties on the live system and the later record might overwrite the existed ones. It need to be noted in notebook carefully to track every single process. Moreover, the copies of the live system from network (if it is connected) are huge and take longer time to get it done.

Acquisition

Evidence Acquisition

  • Objective: Recovery and examination of suspect digital evidence
  • MUST proceed according to the Order of Volatility (OOV) from most to least:

1.Registers, cache

2.RAM

3.Open files, open network connection, swap space

4.Encrypted filie systems where you do not have key to unlock

5.Temporary file systems(/tmp, /proc)

  • Non-volatile: Physical disk, backup media, removable media, etc.
  • Make a bit-for-bit copy (make an image) of the data storage areas (i.e. dd command)
  • The copies of the IMAGE will be used for detailed analysis.

Area to explore in the IMAGE

  • Partitions
  • Activities timeline (audit logs)
  • Browser bookmarks (favourites), cookies, history
  • Databases
  • Data hidden in files
  • Deleted files
  • Email
  • File contents
  • File remnants in file slack and unallocated disk space
  • Memory contents and remnants in memory slack
  • Print queue
  • Recently-opened documents
  • Registry
  • Temporary files
  • Trash/recycle bin

 

When you delete file or format your device; where will you file goes?
do you think it is forever gone?

The answer is NO! when you delete file, it will just clear the file allocation table and boot block only, you files are still in your disk drive.

Some people claim that “to completely remove files from hard drive, we have to overwrite on the same data block.”

OSX & iOS repeat the “delete & overwrite on the same data block” 8 times whenever we secure delete files.

Two other suggested methods:
Secure Wiping (shredding) 
Degaussing (place in strong magnetic fields)

But some files are still RECOVERABLE by SPECIALISTS

Because the read and write head of the disk has never exactly travelled along the same path.
And the magnetic fields won’t discharge the data 100%.

The best way to destroy data is to melt the storage device.

MeltHDD

Photo Forensics

 

PC1
Scenario 1: Original photo about military trucks in the forest.
PC2
Scenario 1: One of the truck was covered by leaves using photo editing software.
PC4
Scenario 1: The investigator uses software and technique to reveal the truth. There is no coincidence that the tree will grow with the exact same shape or style.
PC5
Scenario 2: Sometime the evidence could not be seen by normal eyes. Gray Scale picture or other method could help to reveal the facts.

 

Voice Forensics

Voice forensics is widely used to investigate crime cases. It could reveal the fact of who, what, when, where and how.

Voice

 

References:

Comments

comments

Related posts