Guide to Computer Forensics
and Investigations
Sixth Edition
Chapter 9
Digital Forensics Analysis and Investigation
Determining What Data to Collect and Analyze (1 of 2)
• Examining and analyzing digital evidence depend on the nature of the investigation
• And the amount of data to process
• Scope creep - when an investigation expands beyond the original description
• Because of unexpected evidence found
• Attorneys may ask investigators to examine other areas to recover more evidence
• Increases the time and resources needed to extract, analyze, and present evidence
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Determining What Data to Collect and Analyze (2 of 2)
• Scope creep has become more common
• Criminal investigations require more detailed examination of evidence just before trial
• To help prosecutors fend off attacks from defense attorneys
• New evidence often isn’t revealed to prosecution
• It’s become more important for prosecution teams to ensure they have analyzed the evidence exhaustively before trial
Approaching Digital Forensics Cases (1 of 4)
• Begin a case by creating an investigation plan that defines the:
• Goal and scope of investigation
• Materials needed
• Tasks to perform
• The approach you take depends largely on the type of case you’re investigating
• Corporate, civil, or criminal
Approaching Digital Forensics Cases (2 of 4)
• Follow these basic steps for all digital forensics investigations:
1. For target drives, use recently wiped media that have been reformatted and inspected for viruses
2. Inventory the hardware on the suspect’s computer, and note condition of seized computer
3. For static acquisitions, remove original drive and check the date and time values in system’s CMOS
4. Record how you acquired data from the suspect drive
Approaching Digital Forensics Cases (3 of 4)
• Follow these basic steps for all digital forensics investigations (cont’d):
5. Process drive’s contents methodically and logically
6. List all folders and files on the image or drive
7. Examine contents of all data files in all folders
8. Recover file contents for all password-protected files
9. Identify function of every executable file that doesn’t match hash values
10. Maintain control of all evidence and findings
Approaching Digital Forensics Cases (4 of 4)
• Refining and Modifying the Investigation Plan
• Even if initial plan is sound, at times you may need to deviate from it and follow evidence
• Knowing the types of data to look for helps you make the best use of your time
• The key is to start with a plan but remain flexible in the face of new evidence
Validating Forensic Data
• Ensuring the integrity of data collected is essential for presenting evidence in court
• Most forensic tools offer hashing of image files
• Using advanced hexadecimal editors ensures data integrity
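The hashing check the slide refers to, as an added example that is not part of the textbook or any vendor tool: compute MD5 and SHA-256 of an image file in chunks (so a multi-gigabyte image never has to fit in memory), record them at acquisition time, and verify later. The demo writes a constructed sample file to a temporary directory and alters one byte to show that the verification then fails; `evidence.dd` is an assumed file name, not a real image.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read the image 1 MiB at a time


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, hashing all algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare freshly computed digests with those recorded at acquisition.

    expected: {algorithm: hexdigest}. Returns (all_match, [algorithms that differ]).
    """
    actual = hash_image(path, tuple(expected))
    mismatches = [name for name in expected if actual[name].lower() != expected[name].lower()]
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: a tiny stand-in for a disk image (not real evidence)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")  # assumed name
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096 + b"SAMPLE EVIDENCE" + b"\xff" * 512)

        recorded = hash_image(path)            # digests taken at acquisition time
        ok_before, _ = verify_image(path, recorded)

        # Simulate a single-byte change to the image; verification must now fail
        with open(path, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        ok_after, mismatches = verify_image(path, recorded)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```

Record the digests in the case notes together with the tool and algorithm used; a single changed byte changes every digest, which is exactly what makes the check useful in court.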
Addressing Data-Hiding Techniques
• Data hiding - changing or manipulating a file to conceal information
• Techniques:
• Hiding entire partitions
• Changing file extensions
• Setting file attributes to hidden
• Bit-shifting
• Using encryption
• Setting up password protection
Hiding Files by Using the OS
• One of the first techniques to hide data:
• Changing file extensions
• Advanced digital forensics tools check file headers
• Compare the file extension to verify that it’s correct
• If there’s a discrepancy, the tool flags the file as a possible altered file
• Another hiding technique
• Selecting the Hidden attribute in a file’s Properties dialog box
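The header-versus-extension comparison that forensic tools perform, written out as an added example (not code from the textbook or from any named product). The signature table covers a handful of common formats; the sample files are constructed byte strings, and a file whose header identifies a type that does not match its extension is reported as a mismatch.

```python
# Leading-byte signatures ("magic numbers") for a few common file types
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],  # Office Open XML is a ZIP container
    "exe": [b"MZ"],
    "dll": [b"MZ"],
}


def identify_by_header(data):
    """Return the set of extensions whose signature matches the file's leading bytes."""
    return {ext for ext, sigs in SIGNATURES.items() if any(data.startswith(s) for s in sigs)}


def check_file(name, data):
    """Classify one file as ok / mismatch / unknown-header / unchecked.

    mismatch: the header identifies a type that does not include the file's extension
    unknown-header: the extension is one we know, but the header matches nothing
    unchecked: neither the extension nor the header is in our table
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    matches = identify_by_header(data)
    if matches:
        return ("ok" if ext in matches else "mismatch", sorted(matches))
    return ("unknown-header" if ext in SIGNATURES else "unchecked", [])


def scan(files):
    """files: list of (name, leading_bytes). Returns [(name, status, header_types)]."""
    return [(name, *check_file(name, data)) for name, data in files]


# Constructed samples: only the first bytes of each "file" are needed
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # executable renamed to .pdf
    ("notes.txt", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),    # PDF renamed to .txt
    ("image.png", b"not a png at all"),
    ("readme", b"hello"),
]


def scan_samples():
    return scan(SAMPLE_FILES)


if __name__ == "__main__":
    for row in scan_samples():
        print(row)
```

Only the first bytes are compared, so this is cheap enough to run over every file on an image; files flagged as mismatch or unknown-header are the ones to open in a hex editor.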
Hiding Partitions (1 of 4)
• By using the Windows diskpart remove letter command
• You can unassign the partition’s letter, which hides it from view in File Explorer
• To unhide, use the diskpart assign letter command
• Other disk management tools:
• IM-Magic, EaseUS Partition Master, and Linux Grand Unified Bootloader (GRUB)
Hiding Partitions (2 of 4)
• To detect whether a partition has been hidden
• Account for all disk space when examining an evidence drive
• Analyze any disk areas containing space you can’t account for
• Many digital forensics tools can detect and view a hidden partition
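Accounting for all disk space, as an added example rather than the textbook's own material: parse the four primary entries of a classic MBR and list every sector range that no partition covers. A partition whose drive letter was merely unassigned still appears in the table, so the parser reports every entry regardless of letter; gaps larger than an alignment gap point to regions where a partition may have been removed from the table. The MBR bytes are constructed by the example itself, and the 1 MiB threshold for "suspicious" is an assumption.

```python
import struct

SECTOR_BYTES = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446


def parse_mbr(mbr):
    """Return a list of non-empty primary partition entries from a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0 and sectors != 0:
            parts.append({"index": i, "type": ptype, "start": lba_start,
                          "end": lba_start + sectors - 1, "bootable": status == 0x80})
    return parts


def unallocated_ranges(parts, total_sectors, first_usable=1):
    """Sector ranges [(first, last)] not claimed by any partition (sector 0 holds the MBR)."""
    gaps = []
    cursor = first_usable
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def suspicious_gaps(gaps, min_bytes=1 << 20):
    """Gaps at least min_bytes long; small gaps are usually partition alignment."""
    return [(s, e) for s, e in gaps if (e - s + 1) * SECTOR_BYTES >= min_bytes]


def build_sample_mbr(entries):
    """Constructed MBR for testing: entries is a list of (type, lba_start, sector_count)."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def demo():
    # Constructed 100 MiB disk: two NTFS (0x07) partitions with 24 MiB unclaimed between them
    total_sectors = 204800
    mbr = build_sample_mbr([(0x07, 2048, 102400), (0x07, 153600, 51200)])
    gaps = unallocated_ranges(parse_mbr(mbr), total_sectors)
    return gaps, suspicious_gaps(gaps)


if __name__ == "__main__":
    print(demo())  # ([(1, 2047), (104448, 153599)], [(104448, 153599)])
```

The total sector count comes from the acquisition notes or the image size; any flagged range should be examined for a file system header at its first sector.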
Hiding Partitions (3 of 4)
Hiding Partitions (4 of 4)
Marking Bad Clusters
• A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters
• Involves using old utilities such as Norton DiskEdit
• Can mark good clusters as bad clusters in the FAT table so the OS considers them unusable
• Only way they can be accessed from the OS is by changing them to good clusters with a disk editor
• DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media
Bit-Shifting (1 of 4)
• Some users use a low-level encryption program that changes the order of binary data
• Makes altered data unreadable. To secure a file, users run an assembler program (also called a “macro”) to scramble bits
• Run another program to restore the scrambled bits to their original order
• Bit shifting changes data from readable code to data that looks like binary executable code
• WinHex and Hex Workshop include a feature for shifting bits
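Undoing a bit shift during analysis, as an added example (not the textbook's material and not how WinHex or Hex Workshop implement their feature): the code treats the selected bytes as one bit string and rotates it, which is lossless, then tries all eight rotations of a suspect blob and scores each by the share of printable ASCII. The sample plaintext and the rotation amount are constructed. A true shift, as opposed to a rotation, discards bits at one end, and those bits cannot be recovered this way.

```python
PRINTABLE = set(range(32, 127)) | {9, 10, 13}


def rotate_bits_left(data, n):
    """Rotate the whole byte string left by n bits (bits leaving the front re-enter at the end)."""
    if not data:
        return data
    nbits = len(data) * 8
    n %= nbits
    if n == 0:
        return bytes(data)
    v = int.from_bytes(data, "big")
    v = ((v << n) | (v >> (nbits - n))) & ((1 << nbits) - 1)
    return v.to_bytes(len(data), "big")


def rotate_bits_right(data, n):
    if not data:
        return data
    nbits = len(data) * 8
    return rotate_bits_left(data, (nbits - n % nbits) % nbits)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or whitespace; 1.0 for plain text."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def best_rotation(data):
    """Try left rotations of 0..7 bits; return (bits, ratio, candidate) with the best score."""
    best = None
    for n in range(8):
        candidate = rotate_bits_left(data, n)
        ratio = printable_ratio(candidate)
        if best is None or ratio > best[1]:
            best = (n, ratio, candidate)
    return best


SAMPLE_TEXT = b"Meet at the warehouse at 9pm."   # constructed plaintext


def demo():
    scrambled = rotate_bits_right(SAMPLE_TEXT, 3)   # what a 3-bit shift "macro" leaves behind
    n, ratio, recovered = best_rotation(scrambled)
    return n, round(ratio, 3), recovered


if __name__ == "__main__":
    print(demo())  # (3, 1.0, b'Meet at the warehouse at 9pm.')
```

The scoring works because shifting ASCII by one to seven bits sets the high bit of some bytes, which no longer look like text; only the correct reverse rotation scores 1.0.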
Bit-Shifting (2 of 4)
Bit-Shifting (3 of 4)
Bit-Shifting (4 of 4)
Understanding Steganalysis Methods (1 of 3)
• Steganography - comes from the Greek word for “hidden writing”
• Hiding messages in such a way that only the intended recipient knows the message is there
• Steganalysis - term for detecting and analyzing steganography files
• Digital watermarking - developed as a way to protect file ownership
• Usually not visible when used for steganography
Understanding Steganalysis Methods (2 of 3)
• A way to hide data is to use steganography tools
• Many are freeware or shareware
• Insert information into a variety of files
• If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file
• Cracking the encrypted message is extremely difficult
Understanding Steganalysis Methods (3 of 3)
• Steganalysis methods
• Stego-only attack
• Known cover attack
• Known message attack
• Chosen stego attack
• Chosen message attack
Examining Encrypted Files
• To decode an encrypted file
• Users supply a password or passphrase
• Many encryption programs use a technology called “key escrow”
• Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
• Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology
Recovering Passwords (1 of 4)
• Password-cracking tools are available for handling password-protected data or systems
• Some are integrated into digital forensics tools
• Stand-alone tools:
• Last Bit
• AccessData PRTK
• ophcrack
• John the Ripper
• Passware
Recovering Passwords (2 of 4)
• Brute-force attacks
• Use every possible letter, number, and character found on a keyboard
• This method can require a lot of time and processing power
• Dictionary attack
• Uses common words found in the dictionary and tries them as passwords
• Most use a variety of languages
Recovering Passwords (3 of 4)
• With many programs, you can build profiles of a suspect to help determine his or her password
• Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
• A brute-force attack requires converting a dictionary password from plaintext to a hash value
• Requires additional CPU cycle time
Recovering Passwords (4 of 4)
• Rainbow table
• A file containing the hash values for every possible password that can be generated from a computer’s keyboard
• No conversion necessary, so it is faster than a brute-force or dictionary attack
• Salting passwords
• Alters hash values and makes cracking passwords more difficult
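Why a precomputed table works against unsalted hashes and fails against salted ones, as an added example covering the three slides above (not code from the textbook or any of the tools it lists): a lookup table is built from a constructed five-word list, an unsalted MD5 digest is found in it instantly, and a salted PBKDF2 digest is not, because every candidate then has to be recomputed with that account's salt. The word list, the salt value and the iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample word list (stand-in for a dictionary)
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty"]
ITERATIONS = 100_000     # assumed work factor for the salted scheme


def build_table(words, algorithm="md5"):
    """Precompute digest -> word once; reusable against every unsalted hash of that algorithm."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def lookup(table, digest):
    """Constant-time-irrelevant table lookup: returns the word or None."""
    return table.get(digest.lower())


def hash_salted(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash as a well-designed system would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password, salt, stored, iterations=ITERATIONS):
    """Check one candidate against one stored value; the salt makes this per-account work."""
    return hmac.compare_digest(hash_salted(password, salt, iterations), stored)


def demo():
    table = build_table(WORDLIST)

    # Weak storage: bare MD5 of the password; the table answers without any hashing
    unsalted = hashlib.md5(b"sunshine").hexdigest()
    hit = lookup(table, unsalted)

    # Salted storage: the precomputed table cannot contain this value
    salt = bytes.fromhex("0b1f3c9d2e4a5b6c7d8e9fa0b1c2d3e4")   # constructed 16-byte salt
    stored = hash_salted("sunshine", salt)
    miss = lookup(table, stored.hex())

    # The only route is to recompute every candidate with this salt and iteration count,
    # which is the extra CPU time the slides describe, paid again for every account
    recomputed = [w for w in WORDLIST if verify_salted(w, salt, stored)]
    return hit, miss, recomputed


if __name__ == "__main__":
    print(demo())  # ('sunshine', None, ['sunshine'])
```

For the defender the lesson is the second half: a unique random salt per account plus a high iteration count turns a one-time table build into per-account, per-guess work.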