Computer Forensics for Prosecutors
National District Attorneys Association, National Center for Prosecution of Child Abuse
January 17-18, 2012 ● Bismarck, North Dakota
Detective Micah Smith, Linn County Sheriff's Office

Special Thanks To
• Lt. Josh Moulin, Southern Oregon High Tech Crimes Task Force
• Lt. Joseph Rampolla, Park Ridge (NJ) Police Department
• Richard Kaplan, Computer Forensic Specialist, USDOJ CEOS
• For their willingness to collaborate and share ideas in the digital world
Objectives
• Be able to identify sources of technical investigations
• Understand commonly used computer forensics terms, hardware and software
• Understand common terms related to computer hardware
• Understand the importance of computer forensics examinations, and how they are completed
• Understand how the Internet works and how IP addresses are assigned
• Understand how data is written, stored and deleted from storage devices
• Be able to understand the content of a computer forensics report
Sources of Investigations
• Walk-in complaints from citizens
• CyberTips from The National Center for Missing and Exploited Children, passed on from the ICAC Task Force
• Referrals from other Law Enforcement Agencies
• Child Protection System undercover operations

Computer Forensics Defined
• "Pertaining to the Law"
• Coined in 1991 in the first training session held by the IACIS in Portland
• Described as the autopsy of a computer hard disk drive
Examination and Documentation

Computer Forensics defined:
Collection, Preservation, Examination, Documentation, and Presentation …of computer related evidence.

Digital Evidence can be:
• The Fruits of the Crime
• The Instrumentality
• The Evidence

Your Electronic Crime Scene just changed...again!
Where is the Crime Scene?
• Cyberspace
• Perpetrator's System
• Victim's System
• Electronic Crime Scene

What type of examination is needed?
• Tier 1 - On-scene preview of digital evidence
  • Seizure of evidence, documentation, interviews
  • Encryption, P2P evidence, wireless/storage
  • RAM capture, Forensic Scan, zSearch
• Tier 2 - Evidentiary Forensic Analysis
  • Acquisition, analysis for indictment and plea agreements
  • Case-specific forensic analysis
  • Evidence to corroborate statements, CVIP submission
• Tier 3 - Requests from DA/Defense
  • Analysis to answer concerns and requests of the DA
  • Analysis offered to the Defense to exculpate their client
  • Opportunity to close the door on defenses, move the plea forward
• Tier 4 - Trial Prep Forensics and Analysis
  • Includes all seized digital evidence for the case
  • Defeating known/plausible defenses, complete analysis report, preparation of demonstrative evidence, meeting with DA, prep of expert witness questions/testimony

Basics to Understand
• Common types of digital storage media
• How data is stored
• Hashing, how it works, and why it is important
Identifying Digital Evidence
Digital Evidence: What does it look like?
• USB Drives
• Memory Cards
• External Hard Drives
• Computers
• Mobile Devices
• GPS Devices
• Cloud Storage
• RAM / CPU

Digital & Electronic Evidence: RAM / CPU
Evidence of Wireless Devices
• Be prepared to investigate wireless devices
• Understand how your own devices may interact wirelessly with suspect devices (an examiner's laptop with Wi-Fi or Bluetooth enabled can associate with, and change the state of, a suspect device)
• Wireless devices can contain evidence of crimes
• Part of that evidence (RAM contents, active connections, data not yet synchronised) is volatile and gone once power is lost; what has been written to the device's flash storage generally survives a power loss

Understanding Data
Data Sizes
• Bit (b) is a single zero or one
• Byte (B) is eight bits in sequence together
• Kilobyte (KB) is 1,024 bytes, sometimes shown as 1,000 bytes
• Megabyte (MB) is 1,048,576 bytes, sometimes shown as a million bytes
• Gigabyte (GB) is 1,073,741,824 bytes, sometimes shown as a billion bytes
• Terabyte (TB) is 1,099,511,627,776 bytes, sometimes shown as a trillion bytes
• Operating systems and forensic tools report the power-of-two values; drive manufacturers label capacity in the decimal values, which is why a "500 GB" drive appears as roughly 465 GB in a tool. Record the capacity as the tool reports it and state the units in the report
How Data is Written
• Data is written and read in 1's and 0's on the drive
• A hard drive is equipped with platters which spin at generally 5,400, 7,200 or 10,000 rpm
• Mechanical arms move back and forth over the platters while they spin and write or retrieve data
• The data is written as the read/write head on the arm changes the magnetic coating on the platter's surface to one of two states (a 1 or a 0)
• Solid-state drives (SSDs) and flash media have no platters: the drive's controller decides where data physically lands (wear levelling) and may erase blocks the file system has released on its own (TRIM), so the recovery expectations in the following slides apply most reliably to magnetic disks
Hard Drive Terminology
• Data is stored on the surface of a platter in sectors and tracks. Tracks are concentric circles and sectors are pie-shaped wedges on the track
• Sectors and Clusters: a sector contains a fixed number of bytes, typically 512 bytes (newer "Advanced Format" drives use 4,096-byte sectors). Sectors are grouped together to form clusters, the smallest unit the file system hands out to a file
• Performing a high-level format prepares the hard drive for data by writing the file storage structure; a quick format does not by itself wipe the data that was on the drive before
How Digital Data is Stored
• Data is written in binary code, or 1's and 0's
• These 1's and 0's are grouped together in blocks of 8 and called bytes
• For example, in ASCII the sequence "01010011" represents the letter "S" and the sequence "01001111" is the letter "O"

Understanding Allocated Space
• Allocated Space: Physical space on the hard drive that has been assigned and is being used by the file system at a specific moment in time. This includes:
  • Visible files
  • Hidden files
  • Slack space
Slack Space
• File slack can be an excellent source of evidence
• Computers write data one sector at a time but must allocate a minimum number of sectors (a cluster) for each file. These sectors are allocated even if you don't use them
• It's like a video tape… If you say that a video tape can only have one show on it at a time, you would allocate a 2 hour video tape per show. Now if you record a ½ hour program, you still have 1½ hours of tape left
• If there was a program on the tape before you recorded the new ½ hour show, you would see it at the end, minus the first ½ hour. This is slack space.

  [ ½ hour program | ------------------------ SLACK: 1½ hour of old program ------------------------ ]
Slack Space Recovery
• Often if data resides in slack space it can be forensically recovered
• Evidence from slack space will normally not have dates/times associated with it because that information (the file system metadata that pointed at it) may have been overwritten
• It is possible to get enough of a document or image to prosecute an individual

Partial File Recovery - Slack Space
How Files are Deleted
• When a user deletes a file the computer does absolutely nothing with the file's data itself
• Depending on the file system that the hard drive is formatted to, some things are handled differently
• Regardless of the file system, the data still remains and the computer sees the space where that file resides as "available for use"
• Until something else is placed in its spot on the drive, the file will remain and can be recovered with forensic methods

Understanding Unallocated Space
• Unallocated Space = Physical space on the hard drive that has not been assigned by the file system at a specific moment in time and is considered available for use. This includes:
  • Deleted files
  • Space that has not been assigned to a file
Methods Impacting Deleted Files
• Running system utilities such as defrag can rearrange data and overwrite unallocated space and slack space
• Using secure erase features such as Norton secure erase or other third party applications that are designed to "shred" data
• Although this class is primarily about Windows computers, it should be noted that Mac computers have functionality built in to securely erase data
• Simply continuing to use the computer: every new file written may land on the clusters a deleted file occupied
• On SSDs the TRIM command lets the drive discard released blocks on its own, so deleted data may be gone without any action by the user
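The slack-space and deletion slides above describe behaviour that is easiest to see in code. The following is an added example, not part of the original course materials and not how any real file system is implemented: a toy volume with 16-byte clusters, written in Python. The cluster size, the volume size and the two sample files are constructed for the demonstration.

```python
"""Toy cluster-based volume (added example, not a real file system).
Shows why slack space and unallocated space keep old bytes after a delete,
and what an overwrite ('shred', defrag, new writes) does to them.
Cluster size, volume size and the sample files are all constructed here."""

CLUSTER_SIZE = 16    # assumption: tiny clusters keep the output readable (NTFS default is 4096)
NUM_CLUSTERS = 8


class ToyVolume:
    """A bytearray of clusters plus an allocation table. As on a real disk,
    delete() touches only the table; the data bytes stay where they were."""

    def __init__(self):
        self.disk = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
        self.files = {}                      # name -> (first_cluster, length_in_bytes)
        self.free = list(range(NUM_CLUSTERS))

    @staticmethod
    def clusters_needed(length):
        # a file always gets whole clusters, even if it only uses part of the last one
        return max(1, -(-length // CLUSTER_SIZE))

    def write(self, name, data):
        n = self.clusters_needed(len(data))
        if not self.free or self.free[:n] != list(range(self.free[0], self.free[0] + n)):
            raise OSError("no contiguous run of free clusters (fragmentation not modelled)")
        first = self.free[0]
        del self.free[:n]
        start = first * CLUSTER_SIZE
        # only the file's own bytes are written; the rest of its last cluster is left untouched
        self.disk[start:start + len(data)] = data
        self.files[name] = (first, len(data))

    def delete(self, name):
        first, length = self.files.pop(name)
        # return the clusters to the free list; nothing on the platter changes
        self.free = sorted(self.free + list(range(first, first + self.clusters_needed(length))))

    def slack(self, name):
        """Bytes between the logical end of a file and the end of its last cluster."""
        first, length = self.files[name]
        end = first * CLUSTER_SIZE + length
        cluster_end = (first + self.clusters_needed(length)) * CLUSTER_SIZE
        return bytes(self.disk[end:cluster_end])

    def unallocated(self):
        """Raw bytes of every cluster the file system currently considers free."""
        return b"".join(bytes(self.disk[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]) for c in self.free)

    def shred(self, name):
        """What a secure-erase tool does: overwrite the file's clusters, then delete."""
        first, length = self.files[name]
        n = self.clusters_needed(length)
        self.disk[first * CLUSTER_SIZE:(first + n) * CLUSTER_SIZE] = b"\x00" * (n * CLUSTER_SIZE)
        self.delete(name)


def demo():
    """Returns (carved_after_delete, slack_of_new_file, carved_after_shred)."""
    vol = ToyVolume()
    # constructed sample content: 37 bytes -> 3 clusters (the "2 hour show")
    vol.write("old.txt", b"PASSWORD=hunter2;SECRET=peanut butter")
    vol.delete("old.txt")                    # the "delete": only the table changes
    carved_after_delete = vol.unallocated()  # old content is still fully present
    vol.write("new.txt", b"hello")           # 5 bytes -> 1 cluster, reuses cluster 0
    slack_of_new = vol.slack("new.txt")      # tail of the old file survives behind "hello"
    vol.shred("new.txt")                     # overwrite only new.txt's cluster
    carved_after_shred = vol.unallocated()   # hunter2 is gone; the rest of old.txt is not
    return carved_after_delete, slack_of_new, carved_after_shred
```

Calling demo() returns the full old file carved from free clusters right after the delete, the eleven bytes of old content sitting in the slack of the new five-byte file, and, after the shredder runs, free space that no longer holds the password but still holds the rest of the old file. That last result is the practitioner's point: a secure-erase tool used on one file overwrites that file's clusters only; it does not sanitise the unallocated remainder of the drive.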
Hashing and Forensics
Terminology - Forensic Image
• It is no longer recommended to call forensic images a "mirrored image"
• Mirroring would imply that the duplicate looks exactly like the original. Although the content is the same, it looks nothing like the original
• "Forensic Image" is the most appropriate and recommended term

Hashing
• Hashing is a very important tool for forensics
• Hashing is like a digital fingerprint for a file. It is mathematically derived from the contents of the item being hashed
• The odds of two files with different content sharing the same MD5 hash value by chance are about 1 in 340 undecillion (an undecillion is 1 followed by 36 zeros)
• That figure is for accidental collisions. MD5 (and, more recently, SHA-1) is broken against an adversary who deliberately constructs two different files with the same hash, so treat a hash match as strong corroboration rather than proof, record SHA-256 alongside MD5 where the tool allows it, and confirm flagged files by examination
Hashing
• Hashing is used in forensics for many things:
  • Known File Filters
  • Narrow search scope
  • Exclude items to be searched
  • Find known images of child pornography
  • Compare files to determine if they have been altered
  • Ensure the integrity of a forensic image process

Hashing
• There are several algorithms such as MD5 (Message Digest 5), SHA-1 (Secure Hash Algorithm 1), and others
• MD5 produces a 128-bit value, written as 32 hexadecimal characters, and is the most commonly used hashing algorithm in forensic tools
• Other hash algorithms exist (the SHA-2 family, for example SHA-256); forensics primarily uses MD5 and SHA-1, and most hash sets carry both
• Hashing is used in many other areas, such as download verification and as a building block of digital signatures and encryption protocols. A hash is one-way and is not itself encryption: nothing can be "decrypted" from a hash value
What Affects a Hash Value
• Any change to the content of the file:
  • One pixel in a picture
  • Add/remove one character in a document
• Changing the filename or file extension will have no effect on the hash value; neither do the file's timestamps, because none of them are part of the content
• Sophisticated CP traders modify files to change hashes and avoid detection, which is why block-based hashing (covered later) and visual review still matter

Tier 1 - On-scene Preview
How to collect:
• On-Site Preview
• On-Site Acquisition
• RAM Acquisition and Analysis
• Seizure of Computer and Associated Items
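The two hashing slides above describe a fingerprint and a lookup; here is an added example, not part of the original slides, that does both with Python's hashlib: it hashes constructed sample "files", shows that renaming leaves the digest untouched while a single changed byte does not, and runs the files through a small known-file filter. The hash set entries and file contents are made up for the demonstration; nothing here is NSRL or vendor data.

```python
"""Hashing as a content fingerprint, plus a known-file filter (added example;
not from the original slides, not NSRL or vendor data). The sample "files"
and the hash set entries are constructed here."""
import hashlib


def digests(data):
    """The digests forensic tools report (lowercase hex). MD5 and SHA-1 are what
    2012-era hash sets carry; SHA-256 is included because MD5/SHA-1 collisions
    can be manufactured on purpose."""
    return {
        "md5": hashlib.md5(data).hexdigest(),        # 128 bits -> 32 hex characters
        "sha1": hashlib.sha1(data).hexdigest(),      # 160 bits -> 40 hex characters
        "sha256": hashlib.sha256(data).hexdigest(),  # 256 bits -> 64 hex characters
    }


def flip_one_byte(data, offset):
    """Simulate 'one pixel changed': alter a single byte of content."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


class KnownFileFilter:
    """Hash-set lookup. 'known' = OS/application files an examiner can ignore;
    'notable' = contraband or case-specific files that must be flagged.
    Keyed on content only, so file name and extension play no part."""

    def __init__(self):
        self.sets = {"notable": {}, "known": {}}   # notable first: it wins on a clash

    def add(self, category, data, label):
        self.sets[category][hashlib.md5(data).hexdigest()] = label

    def classify(self, data):
        h = hashlib.md5(data).hexdigest()
        for category, table in self.sets.items():
            if h in table:
                return category, table[h]
        return "unknown", None


def triage(evidence, kff):
    """name -> (category, label). This is the step that lets an examiner skip
    thousands of OS files and go straight to the ones that matter."""
    return {name: kff.classify(data) for name, data in evidence.items()}


# constructed sample contents (not real files)
NOTEPAD = b"MZ\x90\x00" + b"notepad" * 20
PHOTO = b"\xff\xd8\xff\xe0" + bytes(range(256)) + b"\xff\xd9"


def build_demo_kff():
    kff = KnownFileFilter()
    kff.add("known", NOTEPAD, "notepad.exe (OS file)")
    kff.add("notable", PHOTO, "case item 7 image")
    return kff


def demo():
    kff = build_demo_kff()
    evidence = {
        "notepad.exe": NOTEPAD,
        "holiday.jpg": PHOTO,                              # exact content match
        "report.doc": PHOTO,                               # renamed and re-extensioned: still matches
        "holiday_edited.jpg": flip_one_byte(PHOTO, 100),   # one byte changed: no match at all
    }
    return triage(evidence, kff)
```

demo() classifies notepad.exe as known, both holiday.jpg and the renamed report.doc as the notable case item (the name is irrelevant), and the copy with one altered byte as unknown. Real filters hold millions of entries, but the lookup is exactly this: hash the content, look the digest up, and never look at the name.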
Tier 1 - On-scene Preview
On-Site Preview & Acquisition:
• Bootable CDs
  • ImageScan, Helix, Trinux, BartPE, ForwardDiscovery, Knoppix, WinEN, etc.
• USB/Other
  • e-fense "Live Response", Forensic Dossier, Solo3, Logicube, Forensic Scan, FieldAgent, zSearch
• Acquisition and Analysis
  • MacLockPick
  • FTK Imager
  • EnCase Portable

WARNING!!!
Document all actions surrounding manipulation of the system:
• Seizure
• Live Preview - Findings, exported files, reports
• Live Acquisition
• Automated Acquisition and Field Search
MacLockPick
• USB auto-performing system scan
• Retrieves "state of machine" information: passwords, logs, registry entries, documents, pictures, etc.
• Forensically sound, X-platform
• First-responder deployable

EnCase Portable
• USB auto-performing data collection
• Integrates with EnCase Forensics
• Hash, search & copy
• Image entire drive: all attached drives

Law enforcement pricing quoted on the original slides: $748.50 and $399.
Tier 1 - Collection and Preservation
Random Access Memory Analysis:
• Data is traditionally lost - no more!
• Contains the computer's recent activity
  • Images, documents, web pages, videos, etc
  • Passwords (BitLocker, KeyChain, Crypto)
• Large amount of evidentiary data
  • RAM sizes up to > 32GB of information
• Captured forensically, saved to an image file for analysis (data carving)

zSearch
• Free product by SA Eric Zimmerman, FBI - Salt Lake City, UT
• Distribution - eric[at]feeble-industries.com
• Plug-in live triage via USB
• Virtualization, encryption, mass storage, P2P, Gigatribe, picture & video preview, password gathering, and MORE!
• FREE!!!
Tier 1 - Defeating Passwords
If password protected:
• On-scene analysis information
• RAM Analysis
• Social engineering
• Known backdoors
• Internet
• Computer or BIOS manufacturer
• Passwords extracted from removable media
• Brute force attacks
• Specialized Software
• Court Order / Immunity

Tier 1 - Collection and Preservation
How to Seize Digital Evidence:
• If needed, call for assistance
• Determine legal authority
• Document and Photograph: area, screen, cables, etc
• If "off" --> leave "off"
• If "on" --> that changes things
Tier 1 - Collection and Preservation
If it is "on" then:
• Is there encryption in use?
  • Windows Vista & 7
  • Mac Leopard & Snow Leopard
  • TrueCrypt, BestCrypt, PGP
  • Preview search using DOD-ICE CryptHunter
• Are there programs open?
• Can it be shut down properly?
• Don't hesitate to call for help

Tier 1 - Collection and Preservation
Working around Encryption:
• "Known" backdoors
• RAM Analysis
• Written notes
• Corporate assistance
• Legal process/demand
• Co-defendant plea agreements
Tier 1 - Collection and Preservation
What to collect:
• Hard Drive/Media Only
  • Not best for running systems
  • Fine for loose digital media
• Tower/Media Only
  • Best option
• Computer and All Peripherals*

Tier 1 - Collection and Preservation
Computer and All Associated Items:
• Monitor
• Keyboard
• Mouse
• Speakers
• Printer
• Scanner
• Web Camera
• Microphone
• External Drives
• Manuals
• Notes
• Other Media
Tier 1 - Collection and Preservation
Marking the Computer and Associated Items:
• Photographs are the BEST documentation
• Evidence Numbers
• Label all connections to re-assemble in court if required
• Tape over power, etc. if going to another agency…

Tier 1 - Collection and Preservation
Transporting the System and Media:
• Comfortable temperature
• Avoid car seats if possible (bouncy); floorboards are more stable
• Avoid using the police radio in the transport vehicle if possible
Tier 1 - Collection and Preservation
Storing the System and Media:
• Clean, dry, secure area with reasonable temperature
• Avoid moving shelves
• Avoid areas with magnetic storage
• Avoid areas with police radio transmitters
• Consider anti-static bags, boxes, temperature and static controlled storage room

Ponder this...
• Each case's variables will dictate the path of the computer forensic examination
• No two exams will be the same
• No two reports will be the same

Ponder this...
Forensic Examination:
• Know Your Scope
  • Search Warrant – Affidavit
  • Type of Crime Being Investigated
  • Articulate Authority
• Multi-Disciplinary Legal Authority
  • Prosecutors should review/approve SW, Aff, Subpoenas, etc

Forensic Examination Equipment and Media:
• Secure, robust, dedicated
• Forensically Sterile Media: wiped & verified
• Licensed Software
• Tested write-block devices
Tier 2 - Evidentiary Forensic Analysis
• Acquisition
• Authentication
• Analysis
  • Seized/Searched for indictment and plea agreements
  • Case-specific analysis and examination
  • Evidence to corroborate statements
  • CVIP submission

Tier 2 - Examination and Documentation
Forensic Documentation:
• Status of Computer: operating system, users, ownership, media size, internet…
• Item by Item: Evidence? Contraband? 3rd Party?
• Methodology of examination
Tier 2 - Evidentiary Forensic Analysis
Examine the BIOS settings:
• Date and Time settings
  • Compare to a known time and note findings
• Boot Order (CD, HDD, Etc.)
  • Important for network or other direct acquisitions
Tier 2 - Evidentiary Forensic Analysis
Image Acquisition:
• Note the digital media's capacity and geometry and compare to later findings
• Obtain data from digital media using forensic methods
  • Write Blockers
  • Live / Network Acquisitions, Etc.
  • Smeared images* (an image of a source that was changing while it was copied; a live system will not hash consistently, so document why the acquisition was done live and what was running)
• Do NOT allow the hard drive to enter the boot process
  • Booting can change THOUSANDS of files and attributes
  • But - if it does happen, DOCUMENT IT.
Tier 2 - Evidentiary Forensic Analysis
Bit Image / Forensic Image:
• Physical or Logical acquisition
• Acquired & Verified by HASH
• Separate from other cases: different machine, drive, folder
• Must include slack, erased, unallocated, pagefile, etc.
• Archived; reload if required
Physical vs. Logical
[Figure: "File D" shown as a bitstream copy (every sector, including slack and unallocated space) versus a standard (logical) copy (only the file's own bytes)]

Sample report: Linn County Sheriff's Office Narrative Report (Form H)
Incident Number 07-17765; Incident Type: Death Investigation; Reported 10-13-07 at 1726; Occurred 01-25-07 to 10-13-07, time unknown; Follow-up 071311 at 1120
Pre-Acquisition Hash (Figure 1)

Report narrative (excerpt):
…data on the source drive. Once the drive was connected properly, I opened FTK Imager (Version 3.0.0.1443) from the AccessData Corporation. Using FTK Imager, I hashed the contents of evidence item DB14 as a physical device connected to my computer forensics workstation, through the write-block device. The results of that hash process were presented to me on the screen at the completion of the process. I took a screen capture of the results, documented below as Figure 1.

Then, also using FTK Imager, I created an exact duplicate of the contents of DB14, called a forensic image file, which comprises a bit-for-bit copy of the contents of DB14. FTK Imager makes an exact duplicate, verified by matching hash value, of the suspect computer media and saves the forensic image file. Further analysis of the evidence is then conducted using the forensic image file created by FTK without modifying or destroying the original computer media. At the completion of the acquisition process, results are presented to the examiner on the screen. I took a screen capture of those results, which stated the acquisition process completed with a verified matching hash value, and no errors or bad sectors. This information is also written to an acquisition file accompanying the forensic image file. Ref
er to Figure 2 and the Acquisition Report below.
Acquisition Hash & Verification (Figure 2)
Acquisition Report for DB14: Created By AccessData® FTK® Imager 3.0.0.1443 101008
Post-Acquisition Hash (Figure 3)
The forensic image file for evidence item DB14, along with the other forensic image files related to this investigation, were all copied to the defense-provided external hard drive related to discovery for this case. I then returned the drive to Detective Beth Miller, for production to the defense counsel. This report may not be inclusive of all potential evidence contained on the computer media referenced in this report. Any additional forensic analysis conducted on the referenced computer media will be documented in future reports.

ACTION RECOMMENDED: Investigation continuing.
Reporting Deputy / Radio #: Detective Micah W. Smith / 770; DPSST #: 42020; Shift/Assignment: Detectives, 177; Supervisor approval date/initials: (blank)
LCSO Revised Date: 04/15/2009
Tier 2 - Evidentiary Forensic Analysis
Forensic Write-block Devices:
• Hardware vs. Software
• Verified (and Validated?): test the blocker against a known drive and hash before relying on it, and record the test
• Tableau, FastBloc, Voom Technologies, Logicube
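The acquisition slides and the report excerpt above describe three hashes (before, during and after imaging) and the difference between a bitstream and a logical copy. The following is an added example, not from the slides and not FTK Imager's code: a miniature physical acquisition of a constructed 64-byte "device" with pre-acquisition, acquisition and post-acquisition hashing, next to a logical copy of the same device, plus a check for the smeared-image case. The sector layout and its contents are constructed for illustration.

```python
"""Physical (bit-for-bit) acquisition with hash verification versus a logical copy
(added example; constructed 'device', not FTK Imager code)."""
import hashlib

SECTOR = 16        # assumption: 16-byte sectors so the whole device fits on screen
NUM_SECTORS = 4

# constructed device layout:
#   sector 0: directory entry  -> the only allocated file is a.txt, 6 bytes long, at sector 1
#   sector 1: a.txt ("hello!") followed by 10 bytes of slack left by an older file
#   sector 2-3: a deleted file's content that was never overwritten (unallocated)
DEVICE = (
    b"DIR:a.txt@1:6   "
    + b"hello!" + b"LD-SECRET!"
    + b"DELETED-TAX-DATA"
    + b"wire 5000 to XYZ"
)
assert len(DEVICE) == SECTOR * NUM_SECTORS


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def static_source(n):
    """read_sector callback for a powered-off drive behind a write blocker."""
    return DEVICE[n * SECTOR:(n + 1) * SECTOR]


def make_live_source():
    """A running system: sector 3 (think: a log file) changes on every read."""
    state = {"reads": 0}

    def read_sector(n):
        if n == 3:
            state["reads"] += 1
            return b"log-line-%06d " % state["reads"]   # always exactly 16 bytes
        return static_source(n)
    return read_sector


def acquire_physical(read_sector, sectors=NUM_SECTORS):
    """Copy every sector, hashing the stream as it is read, then hash the image file.
    Returns (image, verified, source_hash, image_hash). 'verified' is what the tool's
    acquisition report shows: the bytes written equal the bytes read."""
    image, running = bytearray(), hashlib.sha256()
    for n in range(sectors):
        sector = read_sector(n)
        running.update(sector)
        image += sector
    source_hash, image_hash = running.hexdigest(), sha256_hex(bytes(image))
    return bytes(image), source_hash == image_hash, source_hash, image_hash


def acquire_logical(device):
    """Copy only what the file system exposes: the allocated file(s)."""
    entry = device[:SECTOR].rstrip()              # b"DIR:a.txt@1:6"
    name, loc = entry[len(b"DIR:"):].split(b"@")
    sector, length = (int(x) for x in loc.split(b":"))
    start = sector * SECTOR
    return {name.decode(): device[start:start + length]}


def verify_post_acquisition(device, image_hash):
    """Re-hash the original after imaging: proves the process did not alter it."""
    return sha256_hex(device) == image_hash


def is_smeared(read_sector, sectors=NUM_SECTORS):
    """Independent pre-acquisition hash pass vs the image hash. A single-pass
    'verified' flag cannot see a source that changes under the tool; this can."""
    pre_hash = sha256_hex(b"".join(read_sector(n) for n in range(sectors)))
    _, _, _, image_hash = acquire_physical(read_sector, sectors)
    return pre_hash != image_hash


def demo():
    image, verified, _, image_hash = acquire_physical(static_source)
    logical = acquire_logical(DEVICE)
    return {
        "verified": verified,
        "post_ok": verify_post_acquisition(DEVICE, image_hash),
        "logical_files": logical,
        "deleted_in_image": b"DELETED-TAX-DATA" in image,
        "slack_in_image": b"LD-SECRET!" in image,
        "deleted_in_logical": any(b"TAX" in v for v in logical.values()),
        "smear_static": is_smeared(static_source),
        "smear_live": is_smeared(make_live_source()),
    }
```

demo() shows the physical image verifying, the post-acquisition hash of the original matching the image, the deleted file and the slack bytes present in the image but absent from the logical copy, and the live source being caught as smeared even though the tool's own single-pass verification would have reported it as verified. That is why the report above records a pre-acquisition hash as a separate step rather than relying on the acquisition report alone.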
Tier 2 - Evidentiary Forensic Analysis
Forensic Examination:
• Index, hash, categorize files present
  • Hash Set analysis
  • Known files comparison
• Document Registry, LNK files
  • As appropriate for your case
HASH Sets
• Collections of file identification information (hashes) used during forensic investigations:
  • National Software Reference Library: www.nsrl.nist.gov
  • DHS-ICE HASH: contact a Special Agent
  • HashKeeper: www.usdoj.gov/ndic/domex/hashkeeper.htm
  • AccessData Known Files Filter: www.AccessData.com/downloads.html
  • Beyond FairPlay Tools (Forensic Scan, Media Library, etc)
  • Operation Round-Up hash sets
  • Case-specific hash values (from other seized evidence or UC Ops)

Traditional Hash Analysis
• Hashes of "known" files are compared against hashes of files on the suspect media
• Hash analysis is based on the binary content of the file, rather than visual examination
• Whole-file hashing is not effective against deleted, partially overwritten or fragmented data in unallocated space, slack space or unused disk area, because there is no complete file to hash
• This enables us to identify over 100 occurrences of target files without looking at one single file!
Image Courtesy: Simon Key, CEIC 2011 File Block Hash Map Analysis CEIC 2011 - V6 Screenshots.ppt.
File Block Hash Analysis
• Simon Key ~ Guidance Software (EnCase)
• Block-based hash analysis works by calculating a hash value for each block of the target file that would be allocated a sector or cluster to store its data
• A map of each block is generated, with the corresponding hash of each block. This is then fed to EnCase, and a search for the block-based hashes begins
• **Must have the full version of the target file sought
Image Courtesy: Simon Key, CEIC 2011 File Block Hash Map Analysis CEIC 2011 - V6 Screenshots.ppt.

Partial File Recovery
• We can rebuild partially recovered files (based on the hash map from the good file)
• Render partial files as playable/viewable

Tier 2 - Evidentiary Forensic Analysis
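The block hash map and partial file recovery slides describe one technique in two halves; the following added example, written for this page in Python and not EnCase's or Simon Key's code, carries it through end to end. The reference file, the unallocated bytes and the 8-byte block size are constructed; a real map uses the sector or cluster size and a real scan runs over the whole unallocated area of the image.

```python
"""Block-based hash map analysis in miniature (added example, not EnCase code).
The reference file, the unallocated bytes and the block size are constructed."""
import hashlib

BLOCK = 8   # assumption: 8-byte blocks for readability; real use = sector or cluster size


def block_hash_map(reference, block=BLOCK):
    """Hash every block-aligned piece of the complete reference file.
    Returns ({hash: (index, length)}, block_count). The trailing partial block
    is hashed at its real length, which is why the length is stored.
    (Two identical blocks would share a key; the sample has none.)"""
    hmap = {}
    for idx, off in enumerate(range(0, len(reference), block)):
        chunk = reference[off:off + block]
        hmap[hashlib.sha1(chunk).hexdigest()] = (idx, len(chunk))
    return hmap, len(hmap)


def scan_unallocated(unallocated, hmap, block=BLOCK):
    """Walk the raw area at block granularity (file blocks land block-aligned on
    disk), hash each window at every length present in the map, and record where
    each reference block turns up. Blocks may be out of order or missing."""
    lengths = sorted({length for _, length in hmap.values()}, reverse=True)
    found = {}                                     # index -> offset in unallocated
    for off in range(0, len(unallocated), block):
        for length in lengths:
            h = hashlib.sha1(unallocated[off:off + length]).hexdigest()
            if h in hmap:
                idx, _ = hmap[h]
                found.setdefault(idx, off)
                break
    return found


def rebuild(unallocated, hmap, found, fill=b"\x00"):
    """Reassemble the surviving blocks in file order, padding the missing ones so
    the result keeps the original layout; the fraction recovered is reported."""
    by_index = {idx: length for idx, length in hmap.values()}
    out = bytearray()
    for idx in range(len(by_index)):
        length = by_index[idx]
        if idx in found:
            out += unallocated[found[idx]:found[idx] + length]
        else:
            out += fill * length
    return bytes(out), len(found) / len(by_index)


# constructed data: a 44-byte "image" and an unallocated region where three of
# its blocks survive in a different order, one was overwritten, and the short
# tail block is followed by whatever else was in that sector
REFERENCE = b"HDR-JPEG" + b"pixels01" + b"pixels02" + b"pixels03" + b"pixels04" + b"END!"
UNALLOCATED = (b"........" + b"pixels02" + b"pixels03" + b"........"
               + b"HDR-JPEG" + b"XXXXXXXX" + b"END!\x00\x7f\x00\x7f" + b"........")


def demo():
    hmap, _ = block_hash_map(REFERENCE)
    found = scan_unallocated(UNALLOCATED, hmap)
    rebuilt, fraction = rebuild(UNALLOCATED, hmap, found)
    return found, rebuilt, fraction
```

demo() locates four of the six reference blocks (the header, two pixel blocks and the tail) even though they sit out of order in free space, reports two thirds of the file recovered, and rebuilds a 44-byte file with the two missing blocks zero-filled so that a viewer can still attempt to render it. Whole-file hashing would have found nothing here: no complete copy of the file exists on the disk.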
Forensic Examination:
• Document Registry Artifacts
  • MRUs, WinRAR, Jump Lists
• Document LNK files
  • Show path to other devices
  • Folder structure
  • Access
• New File System Features
Jump Lists
• You can think of Jump Lists as miniature Start menus for program icons on the Taskbar. Each Jump List can contain tasks, links to recent and frequently used documents, and links to pinned documents.
LAW ENFORCEMENT SENSITIVE INFORMATION: DO NOT SHARE THESE MATERIALS. ©2007 Microsoft Corporation. All Rights Reserved.
Tier 2 - Evidentiary Forensic Analysis
Forensic Examination:
• View Pictures, Movies, Docs
  • View in Native Format
  • View Forensically
    • EXIF Data for Pictures
    • Hidden Text, Updates/Changes
    • Notes, Properties, Etc.
Tier 2 - Evidentiary Forensic Analysis
EXIF/MetaData:
• Can be modified by programs
• Can be 'cleaned' or 'stripped' away during up/download
• Good corroborative evidence

Tier 2 - Evidentiary Forensic Analysis
"Case Specific" Data: Instant Messages
• View in Native Format
  • LE or Commercial Decryption
• View Forensically
  • Plain Text Not Saved: search UC for SN
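The EXIF slide above states that metadata can be read, modified and stripped; here is an added example, not part of the original slides and not a full EXIF parser, that walks a JPEG's marker segments, reads the Make, Model and DateTime tags out of the Exif APP1 segment, and then strips that segment the way an upload pipeline that "cleans" pictures effectively does. The JPEG is constructed inline: the marker structure is valid, but it carries no real image data, so it will not open in a viewer.

```python
"""Minimal EXIF reader and stripper for JPEG (added example, not from the slides,
not a full parser). The JPEG below is constructed: a valid marker structure with
an Exif APP1 segment but no real image data."""
import struct

EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2   # TIFF field type for NUL-terminated ASCII


def segments(jpeg):
    """Yield (marker, offset, payload) for each marker segment up to and
    including SOS; the entropy-coded scan that follows has no segments."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = jpeg[i + 1]
        if marker == 0xD9:                       # EOI
            return
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield marker, i, jpeg[i + 4:i + 2 + length]
        if marker == 0xDA:                       # SOS
            return
        i += 2 + length


def parse_tiff(t):
    """Read the ASCII tags we care about from IFD0 of a TIFF blob."""
    endian = {b"II": "<", b"MM": ">"}[t[:2]]
    magic, ifd = struct.unpack(endian + "HI", t[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    count = struct.unpack(endian + "H", t[ifd:ifd + 2])[0]
    tags = {}
    for k in range(count):
        entry = t[ifd + 2 + 12 * k: ifd + 14 + 12 * k]
        tag, typ, n, value = struct.unpack(endian + "HHII", entry)
        if typ == ASCII and tag in EXIF_TAGS:
            # values of 4 bytes or fewer live in the value field itself, else it is an offset
            raw = t[value:value + n] if n > 4 else struct.pack(endian + "I", value)[:n]
            tags[EXIF_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def read_exif(jpeg):
    for marker, _, payload in segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_tiff(payload[6:])
    return {}


def strip_exif(jpeg):
    """Drop Exif APP1 segments and keep everything else byte-for-byte."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, pos, payload in segments(jpeg):
        seg_len = 4 + len(payload)
        if not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")):
            out += jpeg[pos:pos + seg_len]
        last = pos + seg_len
    out += jpeg[last:]                            # scan data and EOI
    return bytes(out)


def build_tiff(entries, little=True):
    """Constructed test data: a TIFF with one IFD of ASCII entries (all stored
    by offset, so keep every string longer than three characters)."""
    e = "<" if little else ">"
    n = len(entries)
    data_off = 8 + 2 + 12 * n + 4                 # header + count + entries + next-IFD pointer
    ifd, blob = struct.pack(e + "H", n), b""
    for tag, text in entries:
        v = text.encode("ascii") + b"\x00"
        ifd += struct.pack(e + "HHII", tag, ASCII, len(v), data_off + len(blob))
        blob += v
    return (b"II" if little else b"MM") + struct.pack(e + "HI", 42, 8) + ifd + struct.pack(e + "I", 0) + blob


def build_jpeg(exif_entries=None, little=True):
    """Constructed test data: SOI, optional Exif APP1, a placeholder DQT, SOS, EOI."""
    out = b"\xff\xd8"
    if exif_entries:
        payload = b"Exif\x00\x00" + build_tiff(exif_entries, little)
        out += b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    out += b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x00"
    out += b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34" + b"\xff\xd9"
    return out


def demo():
    original = build_jpeg([(0x010F, "ExampleCam"), (0x0110, "X-100"), (0x0132, "2011:12:24 18:30:05")])
    cleaned = strip_exif(original)
    return read_exif(original), read_exif(cleaned), len(original) - len(cleaned)
```

demo() returns the camera make, model and DateTime from the original, an empty result for the stripped copy, and the number of bytes the stripping removed. Two things follow for the examiner: a hash of the "same" picture changes the moment its metadata is touched, and a picture with no EXIF is not evidence that it never had any, only that the copy in hand has been through something that removed it.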
Tier 2 - Evidentiary Forensic Analysis
"Case Specific" Data: File Sharing Programs (KaZaa, LimeWire, BearShare, Etc.)
• View in Native Format
  • LE or Commercial Decoder
• View Forensically
  • Database or Spreadsheet Formats
  • Additional Information in Slack Space
Examination and Documentation
"Case Specific" Data: Embedded Data
• View in Native Format
  • Email attachments, Word, PPT
• View Forensically
  • Encoding format, link to other files, notable differences to like files
Tier 2 - Evidentiary Forensic Analysis
"Case Specific" Data: E-Mail Messages
• View in Native Application
  • Thunderbird, Outlook, Lotus Notes, Etc.
• View Forensically
  • EnCase, FTK, ILook, Paraben, Etc.
  • Other Programs or Raw Data
  • Interim Changes/Embedded Data
Tier 3 - Requests from DA & Defense
• Acquisition
• Authentication
• Analysis
  • Answer concerns & questions of the DA
  • Analysis of artifacts at request of the Defense
  • Exculpatory evidence specific search/analysis
  • Investigate suggested defenses (from D)
Tier 4 - Trial Forensics Examination
• Acquisition
• Authentication
• Analysis
  • Includes all seized digital evidence for the case
  • Defeating known/plausible defenses
  • Complete analysis report
  • Preparation of demonstrative evidence
  • Meeting with DA
  • Prep of expert witness questions/testimony

Tier 4 - Trial Forensics Examination
Forensic Examination:
• Run Searches &/or Scripts
  • Document search keywords & why
  • Careful of script pitfalls
  • Test/Authenticate Search String
  • Headers – Not Extensions (identify files by their signature bytes; an extension can be changed at will and a search by extension misses renamed files)
  • Case Names (Victim, Suspect, Etc.)
  • Case Terminology (R@ygold…)
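"Headers, not extensions" in the search slide above is a rule that is simple to automate; the following added example, not from the original slides, identifies file types by their leading bytes and lists every file whose extension disagrees with its content. The signature table is a small constructed subset (real tools carry thousands of entries) and the sample file contents are headers only, constructed for the demonstration.

```python
"""File-signature ('magic number') identification versus the extension a file
carries (added example, not from the slides). The signature table is a small
constructed subset; real tools carry thousands of entries."""
import os

# (signature bytes, offset where they appear, type name)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),                           # also docx/xlsx/pptx/jar containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "ole2"),    # legacy .doc/.xls/.ppt
    (b"MZ", 0, "exe"),
    (b"ftyp", 4, "mp4"),                                 # ISO base media: 'ftyp' box at offset 4
]
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
               ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
               ".doc": "ole2", ".xls": "ole2", ".exe": "exe", ".mp4": "mp4",
               ".txt": "text"}


def identify(data):
    """Type by content. Longer, more specific signatures are listed before the
    short 'MZ' so a two-byte coincidence does not win over a full header."""
    for sig, off, name in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return name
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"
    return "unknown"


def check(name, data):
    """Compare what the extension claims with what the bytes say."""
    actual = identify(data)
    claimed = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower(), "unknown")
    return {"name": name, "claimed": claimed, "actual": actual, "mismatch": claimed != actual}


def mismatches(files):
    """The hit list an examiner would review first."""
    return [c["name"] for c in (check(n, d) for n, d in files.items()) if c["mismatch"]]


# constructed sample contents (headers only; not real files)
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 32,        # a JPEG renamed to look like text
    "budget.xls": b"PK\x03\x04" + b"\x00" * 32,              # a zip container, not a legacy .xls
    "readme.txt": b"Just a plain note.\r\n",
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16,
    "setup.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 32,
}


def demo():
    return mismatches(SAMPLES)
```

demo() flags notes.txt (a JPEG header behind a text extension) and budget.xls (a zip container rather than the OLE2 structure a legacy spreadsheet would have) and passes the rest. The same check is what lets a search for pictures find a picture renamed to .txt, which is the point of the slide's "Headers, not extensions".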
Tier 4 - Trial Forensics Examination
Forensic Examination:
• Examine Erased/Recent Files
  • Sort by status "Deleted"
  • Sort by Dates/Times
    • Most Recent
    • Close Proximity to Crime, Etc.
  • Info/Recycle Bin
Tier 4 - Trial Forensics Examination
Forensic Examination:
• Examine for Cloud/Network Storage
  • File sync software
    • File versions & comparisons
  • Online backup solutions
  • Push services to mobile/cloud
  • Stored shared user list
Tier 4 - Trial Forensics Examination
Forensic Examination:
• Examine Internet History
  • Registry for TypedURLs
  • Saved forms, pwds, cookies
  • Visited sites, first and last visit, count, info up/downloaded
  • Comb through HTML files
  • EnCase, FTK, Net Analysis, etc
Tier 4 - Trial Forensics Examination
Forensic Examination:
• Check for Virus, Trojans, Etc.
  • Emulated Disk for Scan (scan the image, never the original, and record the AV product and signature version used)
  • Scripts for Virus Signatures
• If Found – Obtain More Info…
  • Virus Company Web Sites, Etc.
  • Research Capabilities, Etc.
  • Log files from the computer
  • Statements of suspect RE: viruses
Mobile Devices
Seizure Documentation:
• Location where the device was found
• Condition when located (on/off)
• Chain of Custody
• Physical issues/description
• Photograph and document manipulation

Mobile Devices
Gathering Data from Device:
• Hand-Jamming Examination & Analysis
• Extraction & Analysis
• Cloning, Examination & Analysis
• Flasher Box Extraction & Analysis

Some information in the following slides is taken from Purdue University's Purdue Phone Phorensics (P3) project at www.MobileForensicsWorld.com/p3
Mobile Devices
Device Shielding/Isolation:
• Jamming/Spoofing the signal is a violation of the Communications Act of 1934 (FCC)
• Radio shielding bag/container (a shielded phone keeps searching for a network at full power and drains its battery quickly; plan for a power source)
• Airplane Mode
• Turning off the device
• Network Service Provider (NSP): court orders & assistance
Mobile Devices
Document w/o Modifying:
• Make, Model, Model #
• Vendor Logo
• Style (Flip/Slider/Clam Shell/Form Factor)
• External Memory Present (Type, Capacity)
• Digital Camera (Forward/Rear Facing)
• Compliance Label (ESN/MEID or IMEI & SIM)
• Battery present/not present
• Damage - Condition
Mobile Devices
Examination & Analysis:
• Subscriber Identity Module: possibly clone the SIM for analysis
• External Memory Cards: same as digital media (forensics); data carve deleted data
• Examination, extraction and analysis of data on the physical handset

Mobile Devices
Gathering Data:
• Ideally through:
  • Cable connected - most secure
  • InfraRed (IrDA) - less secure
  • BlueTooth (BT) - least secure
• All may result in changed data or state of the phone from the original seizure
Mobile Devices
Gathering Data:
• Integrated Tools: UFED, Secure View, Device Seizure, BitPim, MOBILedit!, etc
• SIM Tools: SIMCon, SIMSeizure, SIMDetective, etc
• Hex Dump Tools: Cell Phone Analyzer, HeXRY, etc
• Screen Capture Tools: Digital Camera (Duh!), Fernico ZRT, Project-a-Phone, etc
• Manufacturer Specific Tools

Mobile Devices
Evidence Analysis:
Through Automated Tools or Raw Analysis:
• Text (Short Msg Service)
• MMS (Multimedia Msg Service)
• Contacts / Address Book
• Call Logs
• Web History
• Email
• App Data
Mobile Devices
Considerations:
• Can we "forensically" analyze a phone or other mobile device?
  • Can't separate storage from the device
  • Often, access only to the areas of the phone the device provides
• Do we need to perform "forensics" on mobile devices?
  • If we document our actions, is that sufficient?
• **Most evolving area of forensics

Forensic Principle
• Always show unbiased methodology and emphasize the evidence that relates to the current charges – incriminating or exculpatory
• Consider possible defenses and attempt to prove or disprove them with your evidence
Instructor Information
Detective Micah Smith
Linn County Sheriff's Office, Computer Crimes and Computer Forensics
Voice: 541-812-9200
Email: [email protected]