BASIC UNDERSTANDING TO DIGITAL FORENSICS
Presented by Mr. Sovichea Cheat (aka Victor C. Sovichea)
Master of Science in Computing, RMIT University, Australia
“Defense Saturday 7”
July 18th, 2015
Development Innovative, Phnom Penh, Cambodia
This is not a HOW-TO, but an INTRODUCTION
Video on What is Cyber Forensics?
Why do we need Digital Forensics?
There are many reasons to do Digital Forensics, but they fall into two main categories:
- Collect evidence
- Recover Data
Who will need Digital Forensics?
- Governments (Cyber Police, FBI, NSA, Interpol, …)
- Private Investigators
- Data Recovery Specialists
- Bad Guys
Digital Forensics Sub-Branches
- Computer Forensics
- Mobile Device Forensics
- Network/Internet Forensics
- Forensic Data Analysis
- Database Forensics
- Photo Forensics
- Voice Forensics
Digital Forensics Counterparts
Investigation of digital crime requires investigators from different backgrounds:
- Computer security professionals
- Forensic scientists
- Law enforcement officers
- …(case by case)
What do you need to know before starting to do Digital Forensics?
1. Experience in IT administration, computer forensics or computer security
2. Good understanding of a wide range of hardware and software
3. Experience in IT security, including security policies
4. Highly presentable; a client-facing role
5. Able to pull files from storage media, phones, etc.
6. Detailed analytical skills
7. Strong troubleshooting, analytical and investigation skills
Data Structure on Disk
3. Logical block addressing
4. Geometry of disk drives and zoned-bit recording
5. Master Boot Record
Video: Inside a Hard Disk Drive
Common Disk File Systems
1. FAT12, FAT16: DOS, Windows 95, flash media <= 2 GB
2. (V)FAT32: Windows 95 OSR2, 98, Me, XP, flash media > 2 GB
3. NTFS: Windows NT, XP, Server, ...
4. ext2, ext3: Linux
5. UFS/FFS: Solaris, BSD (NFS, also listed on the original slide, is a network file-sharing protocol rather than an on-disk format)
6. HFS+: Mac OS
7. ISO 9660: CDs
8. UDF: DVDs, Blu-ray, etc.
9. ReiserFS: Linux
1. TEXT (ASCII/ANSI): security
2. BINARY: 01110011 01100101 01100011 01110101 01110010 01101001 01110100 01111001
3. OCTAL: 163 145 143 165 162 151 164 171
4. DECIMAL: 115 101 99 117 114 105 116 121
5. HEXADECIMAL: 73 65 63 75 72 69 74 79
6. BASE64: c2VjdXJpdHk=
7. ROT13: frphevgl
This method is used to carve broken files or to analyse files suspected of having other code or files injected into them. Specialists normally work from the hexadecimal view of the file.
For example, a JPEG file starts with FF D8 FF (FF D8 FF E0 for JFIF, FF D8 FF E1 for Exif) and ends with FF D9.
If a Word document has a picture embedded in its content, the start of the file will no longer be FF D8 FF E0 but the document's own signature, with the JPEG bytes somewhere inside.
Yet you can still find the picture by searching for the header and trailer of the JPEG.
By copying from the JPEG header to its trailer, pasting into a new file, and saving it with a .jpg extension, you get the picture as a standalone JPEG file.
The method is widely used to find malicious code hidden in files, and in modern criminal cases involving computer files and child sexual abuse material.
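The carving step described above, as an added example in Python that is not part of the original slides: it scans a byte blob for the JPEG start marker FF D8 FF and the end marker FF D9 and writes each hit out as its own .jpg. The sample container bytes are constructed here (the Word document's own header is not modelled, only filler stands in for it), and the nesting logic handles the common case of an Exif thumbnail, itself a complete FF D8 ... FF D9 image, sitting inside the larger JPEG.

```python
"""Carve JPEG files out of an arbitrary byte blob (added example, not from the slides)."""
import os
import tempfile

SOI = b"\xff\xd8\xff"   # Start Of Image plus the first segment marker byte (E0 JFIF, E1 Exif, ...)
EOI = b"\xff\xd9"       # End Of Image


def carve_jpegs(blob):
    """Return every JPEG candidate in blob, in file order, as bytes.

    An Exif thumbnail is a complete JPEG nested inside the APP1 segment, so the
    first FF D9 after a header may belong to the thumbnail rather than the outer
    image. A nesting counter pairs each SOI with its own EOI.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start == -1:
            return found
        depth, cur, end = 1, start + len(SOI), -1
        while depth:
            next_soi = blob.find(SOI, cur)
            next_eoi = blob.find(EOI, cur)
            if next_eoi == -1:
                return found            # header with no trailer: truncated, cannot carve
            if next_soi != -1 and next_soi < next_eoi:
                depth += 1              # a nested image (e.g. thumbnail) opens here
                cur = next_soi + len(SOI)
            else:
                depth -= 1              # this EOI closes the innermost open image
                end = next_eoi + len(EOI)
                cur = end
        found.append(blob[start:end])
        pos = end


def write_carved(blob, out_dir):
    """Write each candidate to its own .jpg (the 'paste into a new file' step)."""
    paths = []
    for i, data in enumerate(carve_jpegs(blob)):
        path = os.path.join(out_dir, f"carved_{i:03d}.jpg")
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths


# Constructed sample container. Filler stands in for the host document's own bytes;
# the two embedded images are minimal marker skeletons, not viewable JPEGs.
THUMB = b"\xff\xd8\xff\xe0" + b"\x00" * 6 + b"\xff\xd9"
JPEG_WITH_THUMB = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + THUMB + b"\x11" * 20 + b"\xff\xd9"
PLAIN_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x22" * 12 + b"\xff\xd9"
SAMPLE = b"HOSTDOC-HEADER" + b"\x00" * 16 + JPEG_WITH_THUMB + b"filler" + PLAIN_JPEG + b"\x00" * 8


def demo():
    """Carve the constructed sample into a temporary directory; returns the paths."""
    return write_carved(SAMPLE, tempfile.mkdtemp())


if __name__ == "__main__":
    for p in demo():
        print(p, os.path.getsize(p), "bytes")
```

A hit is a candidate, not proof: three bytes FF D8 FF can occur by chance in unrelated data, so validate each carved file by decoding it. Production carvers (foremost, scalpel, PhotoRec) additionally walk the JPEG segment length fields instead of relying on markers alone.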
- Low-level tool:
1. The Sleuth Kit (TSK): successor to The Coroner's Toolkit (TCT); command-line tools for disk-image and file-system analysis
- High-level tools:
2. Autopsy: graphical front-end to The Sleuth Kit
3. PyFLAG: log-file and disk-image analysis for forensic investigators
4. Helix: live CD that can perform live dumps of Linux and Windows hosts. It includes The Sleuth Kit, Autopsy, PyFLAG, mac-robber, Wireshark, md5deep, ...
- EnCase: industry-standard commercial image analysis tool
- WinHex: hex and disk editor, among the most widely used tools
Crime Scene
Immediately isolate the scene. Only the officers concerned are allowed to enter.
Materials we should take to the scene:
- Laptop computer
- Live CD Forensic
- Forensic Software
- Evidence log form
- Large-scale storage drive
- IDE ribbon cable
- SATA cable
- Network cable
- Camera (photo and video) and voice recorder
- External media (USB sticks, portable hard drives, ...)
- Evidence bags (waterproof plastic bags)
- Evidence labels, tape, and tags
Why do we need Live Analysis?
Some evidence at the crime scene may be lost or become unavailable once the computer is disconnected from the network (if it is connected) or shut down.
Live analysis has the advantage of obtaining volatile data from a computer that is still running.
It also avoids triggering a BOOBY TRAP set to fire on shutdown.
However, every access to a live system alters it, so Data Integrity is the issue.
The system keeps writing while the analyst works on it, and later writes can overwrite earlier evidence. Every action must be recorded carefully in a notebook so that each step can be traced. Moreover, copying a live system over the network (if it is connected) produces huge images and takes a long time.
- Objective: Recovery and examination of suspect digital evidence
- MUST proceed according to the Order of Volatility (OOV), from most volatile to least:
3. Open files, open network connections, swap space
4. Encrypted file systems for which you do not have the key
5. Temporary file systems (/tmp, /proc)
- Non-volatile: Physical disk, backup media, removable media, etc.
- Make a bit-for-bit copy (an image) of every data storage area (e.g. with the dd command), and hash both the original and the image to prove they match.
- Work on copies of the IMAGE for detailed analysis; the original is preserved untouched.
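The bit-for-bit copy and hash check, as an added Python example (not the slides' own code, and not a replacement for dd or md5deep): it copies the source in fixed-size blocks, hashes the source in the same pass, re-reads the finished image from disk and hashes that, and records both digests with a timestamp for the evidence log. The hardware write blocker the procedure assumes is not modelled; the 1 MiB pseudo-device built in demo() is constructed data.

```python
"""Bit-for-bit imaging with hash verification (added example, not from the slides)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # hypothetical block size, the equivalent of dd's bs=


def _digests():
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def image_device(src_path, image_path, block=BLOCK):
    """Copy src_path to image_path block by block; return an evidence-log record."""
    src_h, img_h = _digests(), _digests()
    copied = 0
    with open(src_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(block), b""):
            for h in src_h.values():
                h.update(chunk)
            img.write(chunk)
            copied += len(chunk)
    # Hash the image by re-reading it from disk rather than trusting what was just written.
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(block), b""):
            for h in img_h.values():
                h.update(chunk)
    record = {
        "source": src_path,
        "image": image_path,
        "bytes": copied,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_md5": src_h["md5"].hexdigest(),
        "image_md5": img_h["md5"].hexdigest(),
        "source_sha256": src_h["sha256"].hexdigest(),
        "image_sha256": img_h["sha256"].hexdigest(),
    }
    record["verified"] = (record["source_md5"] == record["image_md5"]
                          and record["source_sha256"] == record["image_sha256"])
    return record


def verify_image(image_path, expected_sha256, block=BLOCK):
    """Before analysing a working copy, confirm it still matches the acquisition hash."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    """Constructed sample: a 1 MiB pseudo-device of deterministic bytes in a temp dir."""
    d = tempfile.mkdtemp()
    dev, img = os.path.join(d, "sdX.raw"), os.path.join(d, "sdX.dd")
    with open(dev, "wb") as f:
        f.write(bytes(range(256)) * 4096)   # 1 MiB, deterministic, stands in for /dev/sdX
    rec = image_device(dev, img)
    ok_before = verify_image(img, rec["source_sha256"])
    with open(img, "ab") as f:
        f.write(b"\x00")                     # simulate a damaged or tampered working copy
    ok_after = verify_image(img, rec["source_sha256"])
    return rec, ok_before, ok_after


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(rec)
    print("copy verified:", rec["verified"], "| before tamper:", ok_before, "| after:", ok_after)
```

Two digests are kept because MD5 alone is no longer sufficient for evidence that may be challenged; the record is what goes on the evidence log form, alongside the hash printed by the tool on the analysis side.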
Area to explore in the IMAGE
- Activity timeline (audit logs)
- Browser bookmarks (favourites), cookies, history
- Data hidden in files
- Deleted files
- File contents
- File remnants in file slack and unallocated disk space
- Memory contents and remnants in memory slack
- Print queue
- Recently-opened documents
- Temporary files
- Trash/recycle bin
When you delete a file or format your device, where does the file go?
Do you think it is gone forever?
The answer is NO! Deleting a file only marks its directory entry and its allocation-table entries (FAT, MFT) as free, and a quick format only rewrites the file-system metadata; the data blocks themselves stay on the disk until something overwrites them.
Hence the advice that "to completely remove a file from a hard drive, you have to overwrite the same data blocks."
OS X and iOS repeat the "delete and overwrite the same data blocks" step 8 times whenever you secure-delete a file.
Two other suggested methods:
Secure Wiping (shredding)
Degaussing (place in strong magnetic fields)
But some data may still be RECOVERABLE by SPECIALISTS,
because the read/write head of the disk never travels exactly the same path,
and a magnetic field will not discharge the data 100%.
These claims date from older, low-density drives; for modern hard disks a single complete overwrite is generally accepted as sufficient (NIST SP 800-88), while SSDs carry the opposite caveat: wear levelling means an in-place overwrite may never touch the cells that held the data.
The surest way to destroy data is to physically destroy the storage device, e.g. by melting or shredding it.
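A toy disk model, added here as an example and not taken from the slides, to show what "delete" actually does to the data on the platter. The layout is hypothetical (an allocation table held in a dict, a data area of fixed-size blocks in a bytearray); real FAT, NTFS and ext structures differ, but the behaviour is the same: delete() drops the table entry and leaves the bytes, secure_delete() overwrites the blocks before freeing them, and raw_scan() is the carver's view of the whole data area. It also shows file slack: a small new file reusing a freed block leaves the tail of the old file in place.

```python
"""Toy disk model (added example, not from the slides): why deleted data is still there."""

BLOCK_SIZE = 16   # hypothetical tiny block size so the example fits on screen
NUM_BLOCKS = 32

# Constructed sample content: 38 bytes, so it occupies 3 blocks (16 + 16 + 6)
SECRET = b"TOP SECRET: meet at dock 9 at midnight"


class ToyDisk:
    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the 'platter'
        self.table = {}  # name -> {"blocks": [...], "size": n}; stands in for the FAT / MFT

    def free_blocks(self):
        used = {b for entry in self.table.values() for b in entry["blocks"]}
        return [b for b in range(NUM_BLOCKS) if b not in used]

    def write_file(self, name, content):
        needed = -(-len(content) // BLOCK_SIZE)  # ceiling division
        free = self.free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for i, blk in enumerate(blocks):
            chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            # Only len(chunk) bytes are written: the rest of the last block is left
            # untouched, which is exactly where 'file slack' comes from.
            self.data[start:start + len(chunk)] = chunk
        self.table[name] = {"blocks": blocks, "size": len(content)}

    def read_file(self, name):
        """The operating system's view: follow the table (KeyError once deleted)."""
        entry = self.table[name]
        raw = b"".join(bytes(self.data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                       for b in entry["blocks"])
        return raw[:entry["size"]]

    def delete(self, name):
        """An ordinary delete (rm, emptying the Recycle Bin): drop the table entry only."""
        del self.table[name]

    def secure_delete(self, name, passes=1):
        """Overwrite every block of the file with zeros before freeing it."""
        for blk in self.table[name]["blocks"]:
            for _ in range(passes):
                self.data[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        del self.table[name]

    def raw_scan(self, needle):
        """The forensic view: search the whole data area, allocated or not; -1 if absent."""
        return self.data.find(needle)


def demo():
    """Run the scenarios on constructed data and report what a raw scan finds."""
    d = ToyDisk()
    d.write_file("plan.txt", SECRET)
    d.delete("plan.txt")
    os_sees_file = "plan.txt" in d.table                      # False: gone from the OS view
    found_after_delete = d.raw_scan(b"dock 9") != -1          # True: bytes still on the platter
    d.write_file("note.txt", b"hi")   # reuses block 0 but overwrites only its first 2 bytes
    found_in_slack = d.raw_scan(b"SECRET: meet") != -1        # True: old tail survives as slack
    e = ToyDisk()
    e.write_file("plan.txt", SECRET)
    e.secure_delete("plan.txt")
    found_after_wipe = e.raw_scan(b"dock 9") != -1            # False: blocks were overwritten
    return {"os_sees_file": os_sees_file, "found_after_delete": found_after_delete,
            "found_in_slack": found_in_slack, "found_after_wipe": found_after_wipe}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model assumes overwrite-in-place reaches the same physical storage, which holds for a spinning disk but not for an SSD, where the controller's wear levelling may redirect the write to a fresh cell and leave the old one readable.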
Voice forensics is widely used in criminal investigations. It can help establish who, what, when, where and how.
- Computer and Internet Forensics class materials from RMIT University, Australia