What is digital forensics
- examination of digital storage and digital environments in order to determine what has happened
- also includes monitoring in real time
- forensic investigation is collecting, analysing and reporting
- computer forensics faces the same scrutiny as the analysis of a fingerprint or a DNA test
Types of crimes
- cyber crime
- cyber aided crime
- crimes with digital evidence
computer theory chapter:
- secondary storage devices - hard drives, CD-R, DVDs, flash drives and memory cards
- on a hard drive the C: drive may be a partition of 200 GB; the analysis must make sure the remaining 50 GB is accounted for: it may be hidden somewhere or it may have been formatted, but that 50 GB may still contain valuable information
- hard drive formatting is handled by the operating system
- repartitioning does not mean data is overwritten
- a hard drive is made up of clusters and sectors that can be allocated to a file or a partition
- when you partition a hard drive you create a master boot record (MBR) or partition table
- the partition table holds information about the partitions, including the start and end sector of each partition
- if you resize your partitions only the table gets updated; the actual data on the hard drive is unaffected. this makes data on the hard drive inaccessible to the operating system but still possible to recover using forensic tools
- also note that an "empty" hard drive may just be a formatted hard drive; often only the partition table is removed
NTFS file systems:
- the file system is essentially a structure used to control how data is stored and retrieved on a storage device, and it is the common content of a partition
- so a hard drive contains partitions
- a partition commonly contains a file system
- a file system is used to structure data
types of file systems:
- ext4 (commonly found on Linux)
- NFS (common for network storage)
- FAT32 (common on surveillance videos and thumb drives)
- partitions are stated in the partition table, which is found in the master boot record
- a partition formatted with the NTFS file system begins with a metadata file called the partition boot sector
- this contains the master file table (MFT)
- the MFT is basically a dictionary of all files and folders on the NTFS partition
- most important for the forensic examiner in the MFT are the file records
- all files and folders on the partition have one
- an MFT record cannot be bigger than 1024 bytes, so files bigger than about 600 bytes (400 bytes are reserved for the file name and similar attributes) cannot reside in the record
- files contained in the MFT record are resident
- files not contained in the MFT record are non-resident
- be aware there is a backup MFT located at the end of the partition
- note a technology known as TRIM, used for SSD hard drives, that clears clusters that are unallocated by the MFT
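Added example (not from these notes, and not from any forensic tool the notes mention): a small Python parser for one MFT file record that shows the resident / non-resident distinction above. The field offsets follow the documented NTFS on-disk layout; the sample records are constructed by the helper functions rather than taken from a real disk, and update-sequence fixups are deliberately skipped, so a parser for real images must add them.

```python
import struct

# Attribute type codes and layout offsets are the documented NTFS on-disk format.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
END_OF_ATTRIBUTES = 0xFFFFFFFF
RECORD_SIZE = 1024


def parse_mft_record(record: bytes) -> dict:
    """Parse one 1024-byte FILE record: header flags plus, for every attribute,
    whether its content is resident (inside the record) or non-resident.
    Update-sequence fixups are NOT applied; a production parser must apply
    them before trusting the last two bytes of each sector."""
    if len(record) != RECORD_SIZE or record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr_off, flags, used_size = struct.unpack_from("<HHI", record, 0x14)
    info = {"in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02), "attributes": []}
    off = first_attr_off
    while off + 8 <= used_size:
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == END_OF_ATTRIBUTES or attr_len == 0:
            break
        non_resident = record[off + 8] != 0
        entry = {"type": ATTR_NAMES.get(attr_type, hex(attr_type)), "resident": not non_resident}
        if non_resident:
            # Content lives in clusters described by data runs; the record only holds sizes.
            entry["real_size"] = struct.unpack_from("<Q", record, off + 0x30)[0]
        else:
            content_len, content_off = struct.unpack_from("<IH", record, off + 0x10)
            entry["content"] = record[off + content_off: off + content_off + content_len]
        info["attributes"].append(entry)
        off += attr_len
    return info


# --- constructed sample records (not taken from a real disk) -----------------

def resident_attr(attr_type: int, content: bytes) -> bytes:
    """Common attribute header (16 bytes) + resident header (8 bytes) + content, 8-byte aligned."""
    content_off = 0x18
    length = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", attr_type, length, 0, 0, 0, 0, 0)
    res = struct.pack("<IHBB", len(content), content_off, 0, 0)
    return (hdr + res + content).ljust(length, b"\x00")


def non_resident_data_attr(real_size: int) -> bytes:
    """Common header + non-resident header (48 bytes at 0x10) + a one-cluster data run."""
    length = 0x40 + 8
    hdr = struct.pack("<IIBBHHH", 0x80, length, 1, 0, 0, 0, 0)
    nr = struct.pack("<QQHHIQQQ", 0, 0, 0x40, 0, 0, 4096, real_size, real_size)
    return (hdr + nr + b"\x11\x01\x05\x00").ljust(length, b"\x00")


def build_record(attrs: list, flags: int = 0x01, record_no: int = 7) -> bytes:
    """Assemble a FILE record: 0x30-byte header, update sequence area, attributes, end marker."""
    first_attr_off = 0x38
    body = b"".join(attrs) + struct.pack("<I", END_OF_ATTRIBUTES) + b"\x00" * 4
    used = first_attr_off + len(body)
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, first_attr_off,
                                   flags, used, RECORD_SIZE, 0, 2, 0, record_no)
    return (header.ljust(first_attr_off, b"\x00") + body).ljust(RECORD_SIZE, b"\x00")


if __name__ == "__main__":
    small = build_record([resident_attr(0x80, b"tiny file, lives inside the MFT")])
    deleted_big = build_record([non_resident_data_attr(5_000_000)], flags=0x00)
    for rec in (small, deleted_big):
        print(parse_mft_record(rec))
```

The second sample record has the in-use flag cleared, which is what a deleted file looks like in the MFT: the record and its attribute headers are still fully readable, which is why deleted-file recovery from the MFT works until the record is reused.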
File structures:
- common file structure: metadata (header), actual data, trailer
- the metadata contains information on the type of file (JPEG, PDF etc.)
- search for files using metadata or trailers, i.e. searching for hexadecimal or alphanumerical file signatures
- most file formats, such as plain text and many picture formats, are stored as plain files
- however some files, including Microsoft Office files and compressed zip files, are stored as compound files
- compound files cannot be fully examined while they are in their packed state
- they must be unpacked to be fully analysed
- because data in a compressed state is represented differently
Data representation:
- data stored on any storage media is in binary
- 8 bits = one byte
- different apps may store data in different order
- in a single byte of 8 bits the leftmost bit is the most significant and the rightmost bit the least significant
- there are two ways to store subsequent bytes
- 1st is big-endian, which stores the bytes with the biggest (most significant) byte first, making the first byte the most significant
- 2nd is little-endian, which stores the data with the smallest (least significant) byte first, reading from left to right
- computers have different ways of representing data and characters, also known as encoding (ASCII, UTF-8, UTF-16)
- encoding is how a sign (character) is represented in binary or hex
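Added example (not from these notes) tying the "File structures" and "Data representation" points together: a signature-based carver in Python that pulls JPEG and BMP files out of a raw image. JPEG is cut at its trailer (FF D9); BMP has no trailer, so the carver reads the little-endian size field at offset 2 of the BMP header instead, and rejects "BM" hits whose size field is nonsense (the letters BM inside ordinary text). The image is constructed inline, not a real disk dump.

```python
import struct

# Well-known signatures. JPEG has a header and a trailer; BMP has a header and,
# instead of a trailer, a little-endian file-size field at offset 2.
JPEG_HEADER, JPEG_TRAILER = b"\xff\xd8\xff", b"\xff\xd9"
BMP_HEADER = b"BM"


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (kind, offset, data) for every JPEG or BMP found by signature in a raw image.
    JPEGs are cut at their trailer; BMPs at the size their own header claims."""
    found = []
    pos = 0
    while pos < len(image):
        candidates = [(o, k) for o, k in ((image.find(JPEG_HEADER, pos), "jpeg"),
                                          (image.find(BMP_HEADER, pos), "bmp")) if o != -1]
        if not candidates:
            break
        off, kind = min(candidates)  # earliest hit first
        if kind == "jpeg":
            end = image.find(JPEG_TRAILER, off + len(JPEG_HEADER))
            if end == -1:            # header without trailer: not carvable, move on
                pos = off + 1
                continue
            data = image[off:end + len(JPEG_TRAILER)]
        else:
            if off + 6 > len(image):
                break
            size = struct.unpack_from("<I", image, off + 2)[0]  # little-endian DWORD
            if size < 14 or size > max_size or off + size > len(image):
                pos = off + 1        # "BM" inside ordinary text: the size field is nonsense
                continue
            data = image[off:off + size]
        found.append((kind, off, data))
        pos = off + len(data)
    return found


def build_sample_image() -> bytes:
    """Constructed raw image (not a real disk): unallocated zeros, a minimal JPEG,
    text containing the letters 'BM', a minimal BMP, and trailing slack."""
    jpeg = JPEG_HEADER + b"\xe0" + b"JFIF-payload" + JPEG_TRAILER
    bmp_body = b"\x00" * 40 + b"pixels"
    bmp = BMP_HEADER + struct.pack("<I", 14 + len(bmp_body)) + b"\x00" * 8 + bmp_body
    return b"\x00" * 16 + jpeg + b" IBM PC " + bmp + b"\x00" * 8


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Note the two different end conditions: a trailer search for JPEG and a header-declared length for BMP. Real carvers also have to cope with fragmented files and with embedded thumbnails (a JPEG inside a JPEG), which this minimal version does not handle.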
Windows registry:
- it is a hierarchical database which stores information about users, installed apps and the Windows system itself
- a great place for forensic examiners
- the Windows registry is a tree structure; each node in the tree is called a key, and every key may have values and subkeys
- keys can be nested as deep as 512 levels
- the values that a key contains are just arbitrary data; it is up to the app to decide the format and interpretation
- the registry is made up of hives
- hives contain sets of data
- the hives of most interest to a forensic examiner are SAM, Security, System and Software
- another file associated with a user is NTUSER.DAT
- registry hives = the System32\config folder
- ntuser.dat - stores info about a specific user account
- software - information related to applications; common information is the Windows version installed and the owner
- subkey = Microsoft\Windows NT\CurrentVersion
- system - information about the system, including USB drives that have been connected to the system, the time zone, and information about networks the computer has been connected to
- SAM and Security - protected and cannot be viewed using regedit on a running computer, but can be extracted from
- SAM - user information, users on the local machine, login information, user-created and stored hashes
- SYS - mainly the system audit policy; the syskey is needed in combination with SAM to crack files
encryption and hashing:
- cryptographic techniques to hide data
- for a hash to be considered secure it must have the following properties
- collision resistant - meaning that there is only one H for each P
- irreversible - meaning it is impossible to derive P from H
memory and paging:
- memory is very important
- memory is emptied when the computer restarts, so content in memory relates only to what the computer was up to since the last reboot
- when viewing encrypted data in decrypted form, the decrypted version of the data is temporarily stored in memory, so memory is a good place to find encrypted data that has been decrypted
- whenever the computer needs to hold more data in memory than memory allows, part of the memory is stored on the hard drive; this process is called PAGING
- on Windows systems the paged-out parts of memory are stored in a file called PAGEFILE.SYS, and it contains the same type of information as memory
notable artefacts:
- metadata - very important; information about information; most objects have metadata
- Exif data: metadata stored in pictures; tells how the picture was taken and with what, such as the name of the device, sometimes the person, and sometimes the GPS location
Prefetch:
- the process of bringing data and code pages into memory before they are needed
- the idea is to track normal application usage and load the data the app usually needs in one go when the app is loaded.
- the process was implemented to increase the performance of applications
- stored in prefetch files located in the Prefetch folder under the system root
- the most important function of prefetch files (from a forensic view) is that they contain information about how many times an executable was run and when it was last run
- the filename of a prefetch file begins with the name of the executable followed by a hash of the location where the executable is stored
shellbags:
- used to store information about GUI settings for Explorer, which is used to browse files and folders on a Windows-based computer
- this means they store information about what preferences a user sets for viewing certain directories; an example is how a user prefers the layout of the folders in a directory
- the use of shellbags comes from the fact that a shellbag for a certain folder is created when a user is actually viewing that folder
- thus meaning that the user in question has visited that particular folder
- they are stored in ntuser.dat and usrclass.dat
- shellbags are not deleted and can serve as evidence of deleted folders, and since they collect information about network shares, mounted encrypted volumes and removable media, they can provide that information as well
- shellbags need tools to parse them
.LNK files
- shortcuts within Windows
- think of a shortcut you place on your desktop
- but there are several other reasons why the OS would create .lnk files that make them useful during forensic examinations; for instance, .lnk files are created whenever a user opens a file, local or remote
- what makes .lnk files good?
- not deleted when the remote drive containing the target file is removed or the opened file is deleted
- a good source of information about network storage, removable storage and deleted files
- info in link files?
- location of the target file (the path)
- time of creation and last update of the link
- information about the device the target was stored on: serial, label and type
MRU stuff:
- most recently used keys
- shows what was last accessed
- when an event occurs an entry is created with a number; the order of events is recorded in numbers stored as DWORDs (four bytes)
- the order in MRUListEx tells in what order the events recorded in the listing appeared
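Added example (not from these notes): decoding an MRUListEx value in Python. It is a list of little-endian DWORDs, most recent first, terminated by 0xFFFFFFFF, and each number is the name of a sibling registry value that holds the entry itself. The key contents below are constructed, and the entry values are simplified to a NUL-terminated UTF-16LE name (real RecentDocs values append a shell item after the name); the lookup by value name is the part a hive parser would do for you.

```python
import struct


def parse_mrulistex(blob: bytes) -> list:
    """Decode an MRUListEx value: little-endian DWORDs, most recent first,
    terminated by 0xFFFFFFFF."""
    if len(blob) % 4:
        raise ValueError("MRUListEx length must be a multiple of 4")
    order = []
    for (n,) in struct.iter_unpack("<I", blob):
        if n == 0xFFFFFFFF:
            break
        order.append(n)
    return order


def ordered_entries(key_values: dict) -> list:
    """Return (index, name) for the entries of one MRU key, most recent first.
    key_values maps registry value names to raw bytes, as a hive parser would give them."""
    out = []
    for idx in parse_mrulistex(key_values["MRUListEx"]):
        raw = key_values.get(str(idx))
        if raw is None:
            continue  # the list refers to a value that is no longer there; keep going
        out.append((idx, raw.decode("utf-16-le").split("\x00", 1)[0]))
    return out


# Constructed key contents (not from a real hive). Each numbered value holds a
# UTF-16LE, NUL-terminated name; real RecentDocs values append a shell item after it.
SAMPLE_KEY = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),  # bytes: 02 00 00 00 | 00 00 00 00 | 01 00 00 00 | ff ff ff ff
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00",
    "1": "budget.xlsx".encode("utf-16-le") + b"\x00\x00",
    "2": "photo.jpg".encode("utf-16-le") + b"\x00\x00",
}


if __name__ == "__main__":
    for idx, name in ordered_entries(SAMPLE_KEY):
        print(idx, name)
```

The byte layout in the comment is the little-endian point from the data representation section: the value 2 is stored as 02 00 00 00, least significant byte first.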
thumbcache:
- a Windows feature whose purpose is to make previewing of pictures quicker
- Windows stores the miniatures (thumbnails) when they are first created
- stored in database files called thumbcaches
- two things are important
- 1. they contain the actual thumbnails produced when a user is viewing the content of the folder (smoother to analyse)
- 2. they are not deleted, and therefore thumbnails of pictures that were deleted or stored on a storage device that has been removed are still there
- since the thumbnails are stored in the database, you need a special programme to view them, such as Thumbcache Viewer
Windows event viewer:
- the event viewer maintains logs about applications / system / security
- logs under security could be success or failure
- look at event IDs; very important in forensics
- located at winevt\Logs in System32
program log files:
- the programs that do not log to the event viewer are useful too
- log files provide a wealth of information
- used for document uploads or downloads, chat logs, application behaviour
- the go-to rule of thumb is to look for application logs wherever there is a suspicion of an application being involved in a case
- look for logs in the user's AppData folder and under the system root ProgramData
USB device history:
- Windows keeps track of connected and disconnected USB drives
- Windows combines information from three sources
- 1. setupapi.dev.log = a log file located at sysroot/Windows/INF
- 2. the registry
- 3. system logs
- the most important information is the serial number
- additional information can be found in the Windows registry
- use of USB thumb drives will leave several traces in the registry, all in the System hive
- first of interest = ControlSet001\Enum\USBSTOR - this key will hold subkeys for the different USB devices that have been connected
- other places are the mounted devices in the registry
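Added example (not from these notes): a Python parser for the USBSTOR device-install entries in setupapi.dev.log, the first of the three sources above. It pairs each "[Device Install ... - USBSTOR\...]" header with the "Section start" timestamp on the following line (the first-install time) and splits the device instance path into vendor, product and serial. The log excerpt is constructed, and the line shapes are assumed to follow the Windows 7+ format; the check for a Windows-generated instance id (second character is "&") is included because such devices have no usable serial.

```python
import re
from datetime import datetime

DEVICE_RE = re.compile(r">>>\s+\[Device Install \([^)]*\) - USBSTOR\\(?P<id>[^\]]+)\]")
START_RE = re.compile(r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")


def parse_setupapi(text: str) -> list:
    """Pair each USBSTOR device-install header with the 'Section start' timestamp
    that follows it. Returns one dict per install with vendor, product, serial,
    whether the id was generated by Windows, and the first-install time."""
    results = []
    pending = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending:
            device_part, _, instance = pending.partition("\\")
            # "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00" -> {"Ven": "SanDisk", ...}
            fields = dict(f.split("_", 1) for f in device_part.split("&") if "_" in f)
            generated = len(instance) > 1 and instance[1] == "&"
            results.append({
                "vendor": fields.get("Ven", ""),
                "product": fields.get("Prod", ""),
                "serial": instance if generated else instance.split("&")[0],
                "windows_generated": generated,
                "first_install": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
            })
            pending = None
    return results


# Constructed log excerpt (not a real setupapi.dev.log). The first block is the
# USB-level entry for the same stick; only USBSTOR entries carry the disk serial.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230313105355]
>>>  Section start 2021/03/04 10:22:15.123
<<<  Section end 2021/03/04 10:22:16.001
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230313105355&0]
>>>  Section start 2021/03/04 10:22:16.455
<<<  Section end 2021/03/04 10:22:17.002
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
>>>  Section start 2021/05/19 08:03:41.770
<<<  Section end 2021/05/19 08:03:42.310
"""


if __name__ == "__main__":
    for dev in parse_setupapi(SAMPLE_LOG):
        print(dev)
```

The serial recovered here is the value to correlate with the USBSTOR subkeys in the System hive and with the mounted devices key; the log gives the first connection, the registry the last.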
decryption and password enforcing:
- a practical tip is to analyse the files and tell whether decryption is possible
- always analyse the software and algorithm you are about to crack
- consider side-channel attacks before attempting a decryption attack
- a side channel is an attack where you find information by looking at sources the creator of the system did not expect you to look at
- in forensics a common side channel would be computer memory
- the reason is that a temporary copy of the decrypted file may be kept in memory even after encryption has happened
- remember that parts of memory are paged out and stored in a file on the hard drive called pagefile.sys, which can be recovered using forensic tools
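Added example (not from these notes) for the memory point made in the "memory and paging" section and again here: a minimal printable-string extractor in Python, the same idea as the strings tool, run over a constructed memory image. It scans for both ASCII and UTF-16LE runs (Windows keeps window titles, paths and many document strings as UTF-16LE) and shows that a marker from the plaintext format turns up in the memory image while the same search over the on-disk ciphertext stand-in finds nothing. The "encrypted" file is a simple byte-masking stand-in, not a real cipher, and the image is assembled inline.

```python
import re


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for every run of at least min_len printable
    characters, checking both ASCII and UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(hits)


def find_decrypted_fragments(blob: bytes, marker: str) -> list:
    """Strings from the image that start with a marker known from the plaintext format."""
    return [hit for hit in extract_strings(blob) if hit[2].startswith(marker)]


# Constructed sample (not a real capture): non-printable filler around a UTF-16LE
# window title and an ASCII fragment of a document that the user had decrypted.
FILLER = b"\x00\x01\x02\x80\xff" * 12
DOCUMENT = b"CONFIDENTIAL: draft merger memo, do not distribute"
MEMORY_IMAGE = FILLER + "memo.docx - Word".encode("utf-16-le") + FILLER[:30] + DOCUMENT + FILLER[:15]
# Stand-in for the encrypted file on disk (byte masking, NOT real encryption):
# string search over it finds nothing, which is the point of looking in memory instead.
ENCRYPTED_ON_DISK = bytes(b ^ 0xA5 for b in DOCUMENT)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(MEMORY_IMAGE):
        print(f"{offset:6d} {enc:9s} {text}")
    print("on disk:", find_decrypted_fragments(ENCRYPTED_ON_DISK, "CONFIDENTIAL"))
```

The same scan applies unchanged to pagefile.sys, since the paged-out content is laid out the same way as memory; on a real image the hit list is large, so the marker filter (or a keyword list) is what makes it usable.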