
COMPUTER FORENSIC ANALYSIS — COMPUTER CRIMES AT THE COMPUTER

ANALYSIS TOOLS AND TECHNIQUES

We will use several of the same tools for analysis that we used in collecting our data. The difference is that we will use them somewhat differently. For example, we can use GETSLACK to collect all of the information from the slack space and save it to a file on a floppy, which we will then analyze with FILTER_I. We could also use FILTER_I to analyze file slack right on our test machine. Because we are interested in following leads, hunches, and anything else we can use to get started, we might simply dig right in with FILTER_I.

The text search tool has an advantage for us if we want to explore the physical backup. SafeBack creates a single file that contains all of the sectors of the original disk. This means that buried in the file we may find keywords that could lead us to evidence. However, there is also the strong possibility that information is scattered all over the disk, making it hard to collect. There is an advanced technique, which we will discuss shortly, called chaining. Chaining consists of following fragmented files from sector to sector to reconstruct the file. Generally, however, NTI recommends the following steps when using their forensic tools in an investigation:[2]

• Make a mirror image bitstream backup using SafeBack, and restore it to your test machine.

• Catalog the disk contents using the NTI FILELIST utility. This produces a file-level directory listing of the entire disk.

• Create a keyword list that is appropriate to your investigation. Use your own ideas and leads developed from interviews with witnesses. You can also run FILTER_I to use its fuzzy logic to help develop keyword leads.

• Use TEXTSEARCH to search for your keywords in all of the hidden areas of the disk (slack, unallocated space, etc.).

• Manually evaluate the results of your searches.

• Rerun FILTER_I using the binary filter.

• Document your results.

Here’s a quick word about the last step: documentation. There are two issues you’ll need to face when dealing with documentation. First, is it an accurate representation of what you actually found? That means you can swear to the way you gathered your information and documented it. The second issue is the need to prove that what you are presenting as evidence has not been altered since it was collected. We briefly mentioned this earlier. Here’s the documentation process. We’ll use the example of cataloging the disk.

First, we run our FILELIST utility to get a catalog of the files on the disk. This will be a logical catalog, containing only what the DOS directory structure can recognize. It will not contain anything from the hidden areas of the disk. The output of the utility is a text file with directory details. It is date-stamped.

Now, we run another NTI utility, called CRCMD5, against the file. CRCMD5 creates a unique fingerprint of the file. Any change, no matter how trivial, will alter the fingerprint, indicating that the file has been altered. It is virtually impossible to guess what the change in the fingerprint would be if you made an alteration in the file. We redirect the output of CRCMD5 to a text file.

Finally, we encrypt both files using a public key encryption program and either our own public key or the key of a trusted third party, such as your company’s attorney or a law enforcement or criminal justice official. When it comes time to attest to the unaltered state of the catalog, all you need to do is unencrypt the files, rerun CRCMD5, and compare the results.

You can use the same technique to preserve and certify any files you wish to keep for future evidence. The encrypted nature of the files says that the only person who could have accessed the files after encryption was the person who owned the secret key corresponding to the public key. The CRCMD5 fingerprint says that the file hasn’t been altered since it was fingerprinted.
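The fingerprint-and-verify half of the documentation process above, as an added example that is not part of the original text or NTI's tools: it fingerprints a constructed stand-in for a FILELIST catalog with CRC32 and MD5 (the two checks the CRCMD5 name suggests; an assumption about that tool), saves the record, and shows that an untouched catalog verifies while a one-digit edit does not. The public-key encryption step is left out here.

```python
import binascii
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a FILELIST catalog (real output has more columns).
CATALOG_TEXT = (
    "FILELIST catalog  1998-03-02 09:14\n"
    "C:\\DOCS\\MEMO.TXT        4,096  1998-02-27 17:03\n"
    "C:\\DOCS\\LEDGER.XLS    131,072  1998-02-28 08:41\n"
)

def fingerprint_file(path):
    """Return (crc32, md5) of a file as lowercase hex strings.

    Stdlib hashing stands in for CRCMD5 (assumption); files are read in
    chunks so a large catalog or SafeBack image does not need to fit in RAM.
    """
    crc, md5 = 0, hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = binascii.crc32(chunk, crc)
            md5.update(chunk)
    return f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest()

def write_fingerprint_record(path, record_path):
    """Save 'crc32 md5 filename'; this is the file you would later encrypt."""
    crc, md5 = fingerprint_file(path)
    Path(record_path).write_text(f"{crc} {md5} {Path(path).name}\n")
    return crc, md5

def verify_fingerprint_record(path, record_path):
    """Rerun the fingerprint and compare; True only if both values still match."""
    crc_rec, md5_rec, _name = Path(record_path).read_text().split()
    return fingerprint_file(path) == (crc_rec, md5_rec)

def demo():
    """Untouched catalog verifies; a one-digit edit to a file size does not."""
    with tempfile.TemporaryDirectory() as tmp:
        catalog, record = Path(tmp) / "FILELIST.TXT", Path(tmp) / "FILELIST.MD5"
        catalog.write_text(CATALOG_TEXT)
        write_fingerprint_record(catalog, record)
        untouched = verify_fingerprint_record(catalog, record)
        catalog.write_text(CATALOG_TEXT.replace("131,072", "131,073"))
        altered = verify_fingerprint_record(catalog, record)
        return untouched, altered

if __name__ == "__main__":
    print(demo())  # (True, False)
```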

One of the problems with computer forensic techniques is the huge amount of data you may have to analyze. Today’s computers typically use drives in excess of a gigabyte in size. That’s a lot of space at 32 K per cluster. The ability to process large amounts of data rapidly is one of the benefits of automated forensic processing, such as we find with the NTI tools.

Chaining

Chaining is a very complex approach to recreating a large file from slack or unallocated space on a fragmented disk. The technique requires a couple of tools. First, to see how the sectors are arranged, you will need a copy of a program such as the Norton Utilities. Because we want to work in DOS — never Windows — an older version of the Utilities is best. I like the old DOS version 4.0. We will also need to be able to find a starting point for our file. For that, any of the NTI search utilities will do. Use the search utility to locate the keyword you want on the rebuilt mirror. Select a phrase in the area of your keyword that is unique.

Go to the Norton Utilities and examine the disk. Do a search on the phrase or keyword (if the keyword is unique) to find the portion of the file that you found with your NTI search tool. Note the sector number. That sector will have a sector that connects to it and/or that it connects to. Let’s expand on that a bit.

Recall that we said only a single file can occupy a sector of a disk. Any leftover space will be used by DOS. Let’s begin with a legitimate file, not a fragment that DOS saves to slack. The sector you found will be part of a collection of sectors that makes up the whole file. By finding any sector you can find the rest, even if they are not contiguous. Norton will tell you the previous sector, and next sector, if any. You can save each sector separately to a floppy disk and, after you find all of the sectors, recombine them to see a whole file.

If the data you want is in slack, it is probable that you have all there is. Remember that slack for a given file is continually overwritten until DOS has dumped its memory completely. If this is a result of closing a program or document, DOS will try to use the slack for the original file.
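The chaining walk described above (find any piece of the file, then follow the previous and next links until the whole file is recovered), as an added example that is not from the original text or the Norton Utilities. DOS allocates space in clusters and records each cluster's successor in the file allocation table, so the walk is done over a constructed FAT16 table here; the cluster contents and the corrupt loop at clusters 8 and 9 are constructed too.

```python
# Constructed FAT16 table: index = cluster number, value = next cluster.
# 0x0000 free, 0xFFF7 bad, 0xFFF8-0xFFFF end of chain (last cluster of a file).
FAT = [0xFFF8, 0xFFFF,           # clusters 0 and 1 are reserved in FAT16
       0x0005, 0x0000, 0x0007,   # 2 -> 5, 3 free, 4 -> 7
       0x0004, 0x0000, 0xFFFF,   # 5 -> 4, 6 free, 7 is end of chain
       0x0009, 0x0008]           # 8 <-> 9: a corrupt loop that must not hang us

# Constructed contents of the fragmented file occupying 2 -> 5 -> 4 -> 7.
CLUSTERS = {2: b"MEMO PART A ", 5: b"MEMO PART B ",
            4: b"MEMO PART C ", 7: b"MEMO PART D"}

BAD = 0xFFF7   # anything from here up is bad or end-of-chain, never a link

def next_cluster(fat, c):
    """Cluster that follows c, or None at end of chain, free or bad."""
    v = fat[c]
    return v if 2 <= v < BAD else None

def prev_cluster(fat, c):
    """Cluster whose entry points at c (what Norton reports as 'previous')."""
    for i in range(2, len(fat)):
        if fat[i] == c:
            return i
    return None

def chain_containing(fat, hit):
    """From one cluster found by keyword search, recover the whole ordered chain.

    Walk backwards to the file's first cluster, then forwards to its last.
    Visited sets stop the walk on a looping (corrupt) table.
    """
    head, seen = hit, {hit}
    while (p := prev_cluster(fat, head)) is not None and p not in seen:
        seen.add(p)
        head = p
    chain, seen, c = [head], {head}, head
    while (n := next_cluster(fat, c)) is not None and n not in seen:
        seen.add(n)
        chain.append(n)
        c = n
    return chain

def rebuild(fat, clusters, hit):
    """Recombine cluster contents in chain order, like rejoining saved sectors."""
    return b"".join(clusters.get(c, b"") for c in chain_containing(fat, hit))

if __name__ == "__main__":
    print(chain_containing(FAT, 4), rebuild(FAT, CLUSTERS, 4))
```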