Raw format image files don't contain metadata such as hashes!
o You must validate them manually to ensure integrity
o Tools such as ProDiscover write .eve image files whose metadata includes a hash value
o If the Auto Verify Image Checksum and the hashes in the .eve file's metadata don't
match, ProDiscover will notify you that the acquisition is corrupt and can't be
considered reliable evidence
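The manual validation the first bullet calls for is simply recomputing the image hash and comparing it with the value recorded at acquisition. The following is an added example (not from the original notes or from ProDiscover) showing that check over a constructed in-memory "raw image", with a file-based variant for real images; the acquisition record and the sample data are constructed here.

```python
import hashlib

# Constructed stand-in for a raw (dd-style) image: a raw image carries no
# embedded hash, so the only record is what the examiner computed at acquisition.
RAW_IMAGE = bytes(range(256)) * 64


def hash_image(data: bytes, algorithm: str = "sha256", chunk_size: int = 4096) -> str:
    """Hash image data in fixed-size chunks, as you would for a multi-gigabyte file."""
    digest = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def hash_image_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Same computation over a file on disk, reading it in 1 MiB chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(data: bytes, recorded: dict) -> dict:
    """Recompute every algorithm in the acquisition record; report a match flag per algorithm."""
    return {alg: hash_image(data, alg) == value.lower() for alg, value in recorded.items()}


# Acquisition-time record (constructed here; in practice it lives in the examiner's notes
# or chain-of-custody form, written down when the image was made).
ACQUISITION_RECORD = {
    "md5": hash_image(RAW_IMAGE, "md5"),
    "sha256": hash_image(RAW_IMAGE, "sha256"),
}


def tamper_demo() -> tuple:
    """Show that a single flipped bit anywhere in the image fails verification."""
    intact = all(verify_image(RAW_IMAGE, ACQUISITION_RECORD).values())
    altered = bytearray(RAW_IMAGE)
    altered[4096] ^= 0x01          # flip one bit in the second chunk
    tampered = all(verify_image(bytes(altered), ACQUISITION_RECORD).values())
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = tamper_demo()
    print("intact image verifies:", intact, "| altered image verifies:", tampered)
```

Recording two algorithms at acquisition, as above, costs one extra pass over the data and guards against a later challenge to any single hash function; the verification result is reported per algorithm so a partial mismatch is visible rather than collapsed into one flag.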
Addressing data-hiding techniques
• Data hiding - changing or manipulating a file to conceal information
Techniques
o Hiding entire partitions
o Changing file extensions
o Setting file attributes to hidden
o Bit-shifting
o Using encryption
o Setting up password protection
Hiding files by using the OS
One of the first techniques used to hide data
o Changing file extensions
Advanced digital forensics tools check file headers and would flag this
Another hiding technique
o Select the Hidden attribute in a file's Properties dialog box
Also not very successful at hiding things from an investigator
Hiding partitions
By using the Windows diskpart remove letter command
o You can unassign the partition's letter, which hides it from view in File Explorer
o Of course, it's not hidden from drive management tools, so investigators would
check for this
Another known reason for knowing drive total size!
Marking Bad Clusters
• A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in
free or slack space on disk partition clusters
o Involves using old utilities such as Norton DiskEdit
Can mark good clusters as bad clusters in the FAT table so the OS considers them unusable
o Only way they can be accessed from the OS is by changing them back to good clusters
with a disk editor
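From the examiner's side, the check for this technique is to walk the FAT itself and list every cluster the table marks as bad, then look at what those clusters actually contain. The following is an added example (not from the original notes or from any named tool) that parses a FAT16 boot sector, enumerates bad-marked clusters, and reads their contents; the volume it runs on is constructed in memory by build_fat16_image and is not a real disk.

```python
import struct

FAT16_BAD = 0xFFF7          # FAT16 entry value that marks a cluster as bad
FAT16_EOC = 0xFFFF          # end-of-chain marker used for the constructed allocated clusters
BPB_FMT = "<HBHBHHBHHHII"   # BPB fields from byte 11 to byte 35 of the boot sector


def parse_bpb(image: bytes) -> dict:
    """Pull the BIOS Parameter Block fields needed to locate the FAT and the data area."""
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats, root_entries,
     total_sectors16, _media, sectors_per_fat, _spt, _heads, _hidden,
     total_sectors32) = struct.unpack_from(BPB_FMT, image, 11)
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    total_sectors = total_sectors16 or total_sectors32
    first_data_sector = reserved_sectors + num_fats * sectors_per_fat + root_dir_sectors
    data_sectors = total_sectors - first_data_sector
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "fat_offset": reserved_sectors * bytes_per_sector,
        "first_data_sector": first_data_sector,
        "cluster_count": data_sectors // sectors_per_cluster,
    }


def cluster_offset(bpb: dict, cluster: int) -> int:
    """Byte offset of a data cluster (cluster numbering starts at 2)."""
    sector = bpb["first_data_sector"] + (cluster - 2) * bpb["sectors_per_cluster"]
    return sector * bpb["bytes_per_sector"]


def read_cluster(image: bytes, bpb: dict, cluster: int) -> bytes:
    """Return the raw bytes of one cluster so its contents can be examined."""
    start = cluster_offset(bpb, cluster)
    return image[start:start + bpb["sectors_per_cluster"] * bpb["bytes_per_sector"]]


def find_bad_clusters(image: bytes) -> list:
    """Walk the first FAT and list every cluster the table marks as bad."""
    bpb = parse_bpb(image)
    bad = []
    for cluster in range(2, bpb["cluster_count"] + 2):
        entry = struct.unpack_from("<H", image, bpb["fat_offset"] + 2 * cluster)[0]
        if entry == FAT16_BAD:
            bad.append(cluster)
    return bad


def build_fat16_image(cluster_count: int, bad_clusters=(), used_clusters=(), payload=None) -> bytes:
    """Construct a minimal FAT16 volume (one FAT, 1 sector per cluster) as test data; not a real disk."""
    bps, root_entries, reserved, num_fats = 512, 512, 1, 1
    sectors_per_fat = ((cluster_count + 2) * 2 + bps - 1) // bps
    root_dir_sectors = root_entries * 32 // bps
    total_sectors = reserved + num_fats * sectors_per_fat + root_dir_sectors + cluster_count
    image = bytearray(total_sectors * bps)
    image[0:3] = b"\xEB\x3C\x90"                    # jump instruction
    image[3:11] = b"MSWIN4.1"                       # OEM name
    struct.pack_into(BPB_FMT, image, 11, bps, 1, reserved, num_fats, root_entries,
                     0, 0xF8, sectors_per_fat, 63, 255, 0, total_sectors)
    image[510:512] = b"\x55\xAA"                    # boot sector signature
    fat_offset = reserved * bps
    struct.pack_into("<HH", image, fat_offset, 0xFFF8, 0xFFFF)   # reserved entries 0 and 1
    for cluster in used_clusters:
        struct.pack_into("<H", image, fat_offset + 2 * cluster, FAT16_EOC)
    for cluster in bad_clusters:
        struct.pack_into("<H", image, fat_offset + 2 * cluster, FAT16_BAD)
    bpb = parse_bpb(bytes(image))
    for cluster, data in (payload or {}).items():    # constructed contents for chosen clusters
        start = cluster_offset(bpb, cluster)
        image[start:start + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    img = build_fat16_image(100, bad_clusters=[5, 6, 40], used_clusters=[2, 3],
                            payload={5: b"constructed sample text"})
    bpb = parse_bpb(img)
    for c in find_bad_clusters(img):
        print(f"cluster {c} marked bad at offset {cluster_offset(bpb, c)}: {read_cluster(img, bpb, c)[:24]!r}")
```

On a real volume you would read the FAT from the acquired image file and compare the count of bad-marked clusters with what a surface scan of the physical media reports; a cluster the FAT calls bad that reads cleanly and holds recognisable content is the signal this technique leaves behind.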
Bit-shifting
Some users use a low-level encryption program that changes the order of binary data
o Makes altered data unreadable
To secure a file, users run an assembler program (also called a "macro") to scramble bits
o Run another program to restore the scrambled bits to their original order
Bit shifting changes data from readable code to data that looks like binary executable code
WinHex includes a feature for shifting bits
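Both the changed-extension check and the bit-shift recovery above come down to the same examiner's test: does the data start with a header a forensic tool recognises? The following is an added example (not from the original notes, and not WinHex's own code) that flags extension/header mismatches and, for data that matches nothing, tries each of the eight possible bit offsets to see whether a known header reappears. Treating the file as one long bit string that was rotated is an assumption about how a bit-shifting tool scrambles data; the signature table and sample bytes are constructed.

```python
# Short constructed table of file signatures (magic bytes at offset 0) and the
# extension each is expected to carry.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def identify_by_header(data: bytes):
    """Return the type implied by the file header, or None if it matches nothing known."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_extension(filename: str, data: bytes) -> tuple:
    """Compare the claimed extension with the header; returns (claimed, header_type, verdict)."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_ALIASES.get(claimed, claimed)
    kind = identify_by_header(data)
    if kind is None:
        return claimed, None, "unknown-header"
    return claimed, kind, "match" if claimed == kind else "mismatch"


def rotate_bits(data: bytes, shift: int) -> bytes:
    """Rotate the entire byte string left by `shift` bits (negative = right).
    Assumption: the scrambler treats the file as one long bit string; the notes
    do not specify the exact scheme a given tool uses."""
    if not data:
        return data
    nbits = len(data) * 8
    shift %= nbits
    x = int.from_bytes(data, "big")
    mask = (1 << nbits) - 1
    rotated = ((x << shift) | (x >> (nbits - shift))) & mask
    return rotated.to_bytes(len(data), "big")


def recover_shifted(data: bytes):
    """Try each of the 8 possible bit offsets; return (shift, kind, restored_bytes)
    for the first that exposes a known header, or None if none does."""
    for shift in range(8):
        candidate = rotate_bits(data, -shift)      # undo a left rotation by `shift`
        kind = identify_by_header(candidate)
        if kind is not None:
            return shift, kind, candidate
    return None


if __name__ == "__main__":
    sample = b"\x89PNG\r\n\x1a\n" + bytes(range(32))   # constructed PNG header plus filler
    print(check_extension("holiday.jpg", sample))      # ('jpg', 'png', 'mismatch')
    scrambled = rotate_bits(sample, 3)
    print(check_extension("notes.png", scrambled))     # header no longer recognisable
    print(recover_shifted(scrambled)[:2])              # (3, 'png')
```

An "unknown-header" verdict is deliberately kept separate from "mismatch": plain text, compressed streams and encrypted containers all lack a fixed signature, and only the last of those would warrant the bit-offset search, so the two results should be triaged differently.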
Understanding Steganalysis Methods
Steganography - comes from the Greek word for "hidden writing"
o Hiding messages in such a way that only the intended recipient knows the message is
there
Steganalysis - term for detecting and analysing steganography files
Digital watermarking - developed as a way to protect file ownership
o Usually not visible when used for steganography
Examining Encrypted Files
To decode an encrypted file
o Users supply a password or passphrase
Many encryption programs use a technology called "key escrow"
o Designed to recover encrypted data if users forget their passphrases or if the user
key is corrupted after a system failure
Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current
technology
Recovering Passwords
Password-cracking tools are available for handling password-protected data or systems
o Some are integrated into digital forensics tools
Stand-alone tools:
o Last Bit
o AccessData PRTK
o Ophcrack
o John the Ripper
o Passware
Brute-force attacks
o Use every possible letter, number and character found on a keyboard
o This method can require a lot of time and processing power
Dictionary attack
o Uses common words found in the dictionary and tries them as passwords
o Most use a variety of languages
Understanding the importance of reports
Communicate the results of your investigation
o Including expert opinion
Forensic reports can
o Provide justification for collecting more evidence
o Be used at a probable cause hearing
o Communicate expert opinion
Many courts require expert witnesses to submit written reports