Academic year: 2021

(1)

Computer Forensics

Principles and Practices

(2)

Objectives

- Conduct efficient and effective investigations of Windows systems
- Find user data and profiles in Windows folders
- Locate system artifacts in Windows systems
- Examine the contents of Linux folders

(3)

Objectives (Cont.)

- Identify graphic files by file extensions and file signatures
- Identify what computer forensics graphic

(4)

Introduction

In many cases you may have gigabytes or even terabytes of data that must be searched for evidence. This chapter helps maximize the efficiency of the search by showing the default locations of file storage and the hiding techniques of wrongdoers.

(5)

Investigating Windows Systems

- Activities of the user result in user data:
  - User profiles
  - Program files
  - Temporary files (temp files)

(6)

Investigating Windows Systems (Cont.)

- System data and artifacts are generated by the operating system:
  - Metadata
  - Windows system registry
  - Event logs or log files
  - Swap files
  - Printer spool

(7)

Hidden Files

- Files that do not appear by default are hidden files
- These can be viewed through the following steps:
  - Open Windows Explorer
  - Go to Tools > Folder Options > View > Hidden files and folders

(8)

Investigating Windows Systems (Cont.)

- Data and user authentication weaknesses of FAT:
  - Userids are not required
  - Only attributes are associated with files or folders
- Data and user authentication improvements in NTFS:
  - Separation of duties

(9)

Investigating Windows Systems (Cont.)

- Identify the operating system of a target hard drive by:
  - Operating system folder names
  - The folder for the Recycle Bin
  - The construction of the user root folders because

(10)

Finding User Data and Profiles in Windows Folders

- Documents and Settings folder
  - Contains a user root folder for each user account created on the computer
  - Windows NT and above automatically install:
    - Administrator
    - All users

(11)

Finding User Data and Profiles in Windows Folders (Cont.)

- Data stored in the user root folder:
  - Desktop settings, such as wallpaper, screensavers, color schemes, and themes
  - Internet customizations, such as the homepage, favorites, and history
  - Application parameters and data, such as e-mail and upgrades
  - Personal files and folders, such as My

(12)

Finding User Data and Profiles in Windows Folders (Cont.)

- Some of the subfolders in the user root folder include:
  - Application data (hidden)
  - Cookies
  - Desktop
  - Favorites
  - Local Settings (hidden)

(13)

Location of User Root Folders

Operating System (Platform) | User Root Folder Location
--------------------------- | -------------------------------------------------------------
Windows 9x                  | <partition>:\WINDOWS\Profiles\userid (USER.DAT file)
Windows NT                  | <partition>:\WINNT\Profiles\userid (NTUSER.DAT file)
Windows 2000 and Windows XP | <partition>:\Documents and Settings\userid (NTUSER.DAT file)

(14)

In Practice: Temp Internet Files Provide Valuable E-Evidence

- Data stored in the Temporary Internet Files folder can be valuable supporting evidence, even if deleted
- Statute 18 U.S.C. §2256(8) rules as pornography any data stored on computer disk that can be converted into a visual

(15)

Investigating System Artifacts

- Types of metadata:
  - Descriptive: describes a resource for purposes such as discovery and identification
  - Structural: indicates how compound objects are put together
  - Administrative: provides information to help manage a resource, such as when it was created, last accessed, and modified

(16)

In Practice: Searching for Evidence

- Do not use the suspect system itself to carry out a search for evidence
- Using Windows to search and open files can change the file's metadata
- Such changes may cause evidence to be

(17)

Investigating System Artifacts (Cont.)

- Registry
  - Can reveal current and past applications, as well as programs that start automatically at bootup
  - Viewing the registry requires a registry editor
- Event logs track system events
  - Application log tracks application events
  - Security log shows logon attempts

(18)

Investigating System Artifacts (Cont.)

- Swap file/page file
  - Used by the system as virtual memory
  - Can provide the investigator with a snapshot of volatile memory
- Print spool
  - May contain enhanced metafiles of print jobs
- Recycle Bin/Recycler

(19)

“Shredding” Data

- Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data

(20)

Investigating Linux Systems

- Windows can have many users with administrator access, but Linux has only one administrative account, called root
- The root account has complete control of the system
- In Linux, all devices, partitions, and folders are seen as a unified file system

(21)

Investigating Linux Systems (Cont.)

- The Linux file system includes the data structure as well as the processes that manage the files in the partition
- Linux's virtual file system provides a common set of data structures:
  - Superblock
  - Inode

(22)

Investigating Linux Systems (Cont.)

- Seven different file types are available in Linux:
  - Normal files
  - Directories
  - Links
  - Named pipes
  - Sockets
  - Block devices

(23)

Investigating Linux Systems (Cont.)

- Default Linux installations generally include system directories such as the following:
  - /boot
  - /dev
  - /etc
  - /home
  - /lib
  - /lost+found
  - /proc
  - /root
  - /sbin
  - /tmp
  - /usr

(24)

Investigating Linux Systems (Cont.)

- Key Linux files and directories to investigate:
  - /etc/passwd
  - /etc/shadow
  - /etc/hosts
  - /etc/sysconfig/

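As an added Python example (not from the slides), a small parser for the /etc/passwd format listed above, run over a constructed sample: it flags every UID 0 account, since the slides note that Linux has a single administrative account, root, so any other UID 0 entry is effectively a second root, and it lists which accounts have an interactive login shell. The file content and account names are constructed; the set of nologin shells is an assumption covering common values.

```python
from typing import List
from dataclasses import dataclass

@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

# Shells that block interactive login (common values; assumed, not exhaustive).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd text. Malformed lines are skipped rather than fatal,
    so one damaged line does not stop the rest of the file being examined."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries

def uid_zero_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Any UID 0 account is root, whatever its name; more than one is a finding."""
    return [e.name for e in entries if e.uid == 0]

def interactive_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose shell permits an interactive login."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]

# Constructed sample /etc/passwd content (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0:second root:/home/sysadm:/bin/sh
this line is malformed
"""
```

On the sample, uid_zero_accounts() returns ['root', 'sysadm'], which is the kind of discrepancy the investigator follows up in /etc/shadow and the login records.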
(25)

Investigating Linux Systems (Cont.)

- Deleted files
  - Check the Trash can for each login user for deleted files that can be recovered
- Using grep to search file contents
  - Grep allows for sophisticated character-based data searches
- Compressed files
  - Some Linux applications such as OpenOffice

(26)

Graphic File Forensics

- The investigator can use file signatures to determine where data starts and ends and the file type
- A file extension (such as .jpg) is one way to identify a graphic file
- A user can easily change the file extension, but the data header does not change

(27)

Graphic File Forensics (Cont.)

- The process of retrieving all relevant pieces of a file is called data carving or data salvaging
- An investigator may have to reconstruct the data header using file signature information
- Layered graphic files (such as Photoshop or Corel) can hide information behind layers

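The two points from the preceding slides, identifying a graphic file by its header rather than its extension and carving a file back out of raw data by its signature, as an added Python example that is not from the slides. The signature table holds the standard JPEG, PNG, GIF and BMP magic numbers; the file names and the raw dump are constructed.

```python
import os
from typing import List, Optional, Tuple

# Well-known file signatures (magic numbers) for common graphic formats,
# stored as (offset, bytes) so signatures not at offset 0 can be added later.
SIGNATURES = {
    "jpg": [(0, b"\xFF\xD8\xFF")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "bmp": [(0, b"BM")],
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

def identify_by_signature(data: bytes) -> Optional[str]:
    """Identify a graphic file from its header bytes, ignoring the file name."""
    for fmt, sigs in SIGNATURES.items():
        for offset, magic in sigs:
            if data[offset:offset + len(magic)] == magic:
                return fmt
    return None

def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, str]]:
    """Return (claimed, actual) when the extension disagrees with the header,
    i.e. the file was probably renamed to disguise it; None otherwise."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = EXT_ALIASES.get(ext, ext)
    actual = identify_by_signature(data)
    if actual is not None and claimed != actual:
        return claimed, actual
    return None

def carve_jpegs(blob: bytes) -> List[bytes]:
    """Carve JPEGs out of unstructured data: from each SOI marker FF D8 FF to the
    next EOI marker FF D9. Caveat: a production carver parses segment lengths,
    because an EXIF thumbnail inside a JPEG carries its own FF D9 trailer."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xFF\xD8\xFF", pos)
        if start < 0:
            return found
        end = blob.find(b"\xFF\xD9", start + 3)
        if end < 0:
            return found          # header without trailer: truncated, stop here
        found.append(blob[start:end + 2])
        pos = end + 2

# Constructed sample: two tiny JPEG-like fragments surrounded by filler bytes.
RAW_DUMP = (b"\x00" * 8 + b"\xFF\xD8\xFF\xE0AAAA\xFF\xD9" + b"junk"
            + b"\xFF\xD8\xFF\xE1BBBB\xFF\xD9" + b"\x00" * 4)
```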
(28)

Graphic File Forensics (Cont.)

- Steganography is a form of data hiding in which a message is hidden within another file
- Data to be hidden is the carrier medium
- The file in which the data is hidden is the steganographic medium
- Both parties communicating via steganography must use the same stego application

(29)

Graphic File Forensics (Cont.)

- Steganography is difficult to detect; the following clues may indicate stego use:
  - Technical capabilities or sophistication of the computer's owner
  - Software clues on the computer
  - Other program files that indicate familiarity with data-hiding methods
  - Multimedia files

(30)

In Practice: Child Pornography

- Hiding criminal content within “innocent” files can allow perpetrators such as child pornographers to exchange information
- A scenario is described by which child pornographers can easily pass information to others in the ring

(31)

Summary

- Search times can be reduced through the use of default folders and operating system artifacts
- The skill level of the user will determine whether this is an effective use of time in the case

(32)

Summary (Cont.)

- A savvy user can hide data through:
  - Nonstandard file folders
  - Renaming file types
  - Using layered graphics
  - Masquerading data with steganographic
