Source of Digital Evidence - Lesson - 4

Uploaded by jumba.rebecca
Sources of digital evidence

Windows Registry

Understanding the Windows Registry

• Registry
– A database that stores hardware and software configuration
information, network connections, user preferences, and setup
information
• For investigative purposes, the Registry can contain
valuable evidence
• To view the Registry, you can use:
– Regedit (Registry Editor) program for Windows 9x systems
– Regedt32 for Windows 2000 and XP

Organisation and Terminology

• At the physical level
– Files called hives
– Located in: %SYSTEMROOT%\System32\config
• Keys (analogous to folders)
• Values (analogous to files)
• Hierarchy:
– Hives
• Keys
– Values

Hives

[Figure: slide image not recovered; label on the slide: Hives]

[Figure: slide image not recovered; labels on the slide: Value, Key]
Hive Properties

• HKEY_USERS – all loaded user data
• HKEY_CURRENT_USER – currently logged on user (NTUSER.DAT)
• HKEY_LOCAL_MACHINE – array of software and hardware settings
• HKEY_CURRENT_CONFIG – hardware and software settings at start-up
• HKEY_CLASSES_ROOT – contains information about which application is used to open each file type
File Locations and Purpose

[Figure: slide image not recovered]

Windows 7 Root Keys

[Figure: slide image not recovered]
Registry: A Wealth of Information

Information that can be recovered includes:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords

Forensic Analysis - Hardware

[Figure: slide images not recovered]
Windows Security and Relative ID

• The Windows Registry uses an alphanumeric combination to uniquely identify a security principal or security group.
• The Security ID (SID) is used to identify the computer system.
• The Relative ID (RID) is used to identify the specific user on the computer system.
• The SID appears as:
– S-1-5-21-927890586-3685698554-67682326-1005

Forensic Analysis – User ID

• SID (security identifier)
– Well-known SIDs
• SID: S-1-0 Name: Null Authority
• SID: S-1-5-2 Name: Network
– S-1-5-21-2553256115-2633344321-4076599324-1006
• S – marks the string as a SID
• 1 – revision number
• 5 – authority level (from 0 to 5)
• 21-2553256115-2633344321-4076599324 – domain or local computer identifier
• 1006 – RID (relative identifier)
• The local SAM resolves SIDs for locally authenticated users (not domain users)
– Use the Recycle Bin to check for owners
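An added example in Python (not from the lesson slides) that decodes the SID layout described above into revision, authority, domain/machine identifier and RID, recognises the two well-known SIDs the slide lists, and tells whether two account SIDs belong to the same machine or domain; the RID names 500 (Administrator) and 501 (Guest) are standard Windows values that the slide does not mention.

```python
import re

# Well-known SIDs named on the slide
WELL_KNOWN_SIDS = {
    "S-1-0": "Null Authority",
    "S-1-5-2": "Network",
}

# Fixed RIDs of built-in local accounts (standard Windows values, not from the
# slide); accounts created by users are numbered from 1000 upwards
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> dict:
    """Split a SID string into revision, authority, sub-authorities and RID."""
    match = SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(match.group(1))
    authority = int(match.group(2))
    subs = [int(s) for s in match.group(3).split("-") if s]
    info = {
        "revision": revision,
        "authority": authority,
        "subauthorities": subs,
        "well_known": WELL_KNOWN_SIDS.get(sid),
        "domain_identifier": None,
        "rid": None,
        "account": None,
    }
    # Domain or local machine account: S-1-5-21-x-y-z-RID, where 21-x-y-z is
    # the domain/computer identifier shown on the slide and the last value the RID
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_identifier"] = "-".join(str(s) for s in subs[:4])
        rid = subs[4]
        info["rid"] = rid
        info["account"] = WELL_KNOWN_RIDS.get(
            rid, "user-created" if rid >= 1000 else "built-in")
    return info


def same_machine(sid_a: str, sid_b: str) -> bool:
    """True when two account SIDs share the same domain/computer identifier."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return (a["domain_identifier"] is not None
            and a["domain_identifier"] == b["domain_identifier"])
```

Comparing the domain identifier this way lets an examiner group per-user artifacts (NTUSER.DAT hives, Recycle Bin folders) that came from the same machine even when the RIDs differ.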
Forensic Analysis - Software

[Figure: slide image not recovered]
Forensics Analysis: NTUSER.DAT

• Internet Explorer
– IE auto logon and password
– IE search terms
– IE settings
– Typed URLs
– Auto-complete passwords

Forensics Analysis - NTUSER.DAT: Internet Explorer Typed URLs

[Figure: slide image not recovered]
Forensic Analysis – MRU List
A “Most Recently Used List” contains entries made due to specific actions performed
by the user. There are numerous MRU list locations throughout various Registry keys.
These lists are maintained in case the user returns to them in the future. Essentially,
their function is similar to how the history and cookies act in a web browser.

Forensic Analysis – Last Opened Application in Windows

[Figure: slide image not recovered]

Forensic Analysis – USB Devices

[Figure: slide image not recovered]
RegRipper
The RegRipper is an open-source application for extracting, correlating, and
displaying specific information from Registry hive files from the Windows NT (2000,
XP, 2003, Vista and 7) family of operating systems.

Phases for recovering evidence from a computer system
Acquisition, analysis, and reporting

Approaching Computer Forensics Cases
• Know exactly what the case requires
• Simply follow leads you uncover
– Physical evidence
– Digital evidence

Acquisition
• Covered in previous lesson

Examining the Evidence
• No specific rules for examining evidence
– Variety of cases
• Experience level of the user determines how
the examiner approaches the investigation of
evidence
• Physical extraction or examination
• Logical extraction or examination

Examining the Evidence
• Examination layers
– Bottom layer
– Second layer
– Third layer
– Fourth layer
– Fifth layer

Examining the Evidence
• Bottom-layer examinations
– File system details
– Directory/file system structure
– Operating system norms
– Other partition information
– Other operating systems (dual/multiboot systems)

Examining the Evidence
• Second-layer examinations
– Exclusion of known files using hash analysis
– File header and extension
– Obvious files of interest
• Third-layer examinations
– Extraction of:
• Password-protected and encrypted files
• Compressed and deleted files
– Link analysis

Examining the Evidence
• Fourth-layer examinations
– Extraction of:
• Unallocated space files of interest
• File slack space files of interest
• Fifth-layer examinations
– Documentation should reflect how the evidence
was extracted and where it has been extracted to
for further analysis

Analysis
• Steps:
– Use recently wiped target disks
– Inventory suspect’s hardware
– Remove the original disk and check date and time
on CMOS
– Record data acquisition steps
– Process the data methodically and logically
– List all directories and files on the copied image

Analysis
• Steps:
– If possible, examine all directories and files
starting at root
– Recover content of encrypted files
– Create a document with directory and file names
on the evidence disk
– Identify functions of every executable file
– Always maintain control of evidence

Analysis

• File analysis investigations include:


– File content
– Metadata
– Application files
– Operating system file types
– Directory/folder structure
– Patterns
– User configurations

Analysis
• Data-hiding analyses should include:
– Password-protected files
• Check the Internet for password-cracking software
• Check with the software developer of the application
• Contact a firm that specializes in cracking passwords
– Compressed files
– Encrypted files
– Steganography

Analysis
• Time frame analysis should examine the
following file attributes:
– Creation date/time
– Modified date/time
– Accessed date/time

Performing Forensic Analysis on Microsoft File Systems
• Recommendations
– Use antivirus on bit-stream disk-to-disk copies
– Examine all boot files
– Recover all deleted files, slack, and unallocated
space
• FAT disk forensic analysis
– Create image volumes and store them on CDs
• Be alert for compressed partitions

Performing Forensic Analysis on Microsoft File Systems
• NTFS analysis tools
– DriveSpy
– NTI DiskSearch NT
– NTFSDOS
– GUI tools
• FTK, EnCase, Pro Discover DFT, FactFind, and iLook

UNIX and Linux Forensic Analysis
• Windows forensics tools
– EnCase
– FTK
– iLook
• UNIX and Linux forensics tools
– Kali Linux
– Sleuthkit
– Knoppix-STD
– Autopsy
– TASK

Addressing Data-hiding Techniques
• File manipulation
– File names and extensions
– Hidden property
• Disk manipulation
– Hidden partitions
– Bad clusters
• Encryption
– Bit shifting
– Steganography
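An added example in Python (not part of the lesson) of the second-layer checks from the Examining the Evidence slides: files whose hash is in a known-file reference set are excluded, and each remaining file's header is compared with its extension, which is how the file-name and extension manipulation listed on this slide is caught. The known-hash set and the file contents are constructed for the demonstration.

```python
import hashlib
import os

# File signatures (magic bytes) and the extensions they legitimately carry
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"%PDF-": {".pdf"},
    b"MZ": {".exe", ".dll", ".sys"},
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def extensions_for_header(data: bytes):
    """Extensions matching the file's header, or None if the header is unrecognised."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def triage(files, known_hashes):
    """Classify (name, content) pairs as excluded-known, extension-mismatch, unknown-type or review."""
    results = {}
    for name, data in files:
        if sha1_hex(data) in known_hashes:
            results[name] = "excluded-known"        # in the reference set, no further work
            continue
        exts = extensions_for_header(data)
        ext = os.path.splitext(name)[1].lower()
        if exts is None:
            results[name] = "unknown-type"          # no known signature, needs manual look
        elif ext not in exts:
            results[name] = "extension-mismatch"    # renamed file, an obvious file of interest
        else:
            results[name] = "review"
    return results

def triage_sample():
    """Run triage over constructed file contents and a constructed known-file hash set."""
    # Constructed stand-in for a reference hash set such as a known-good file list
    known = {sha1_hex(b"MZ\x90\x00 constructed system binary")}
    files = [
        ("kernel32.dll", b"MZ\x90\x00 constructed system binary"),  # matches the known set
        ("invoice.pdf", b"MZ\x90\x00 constructed renamed binary"),  # executable renamed to .pdf
        ("holiday.jpg", b"\xff\xd8\xff\xe0 constructed jpeg"),
        ("notes.txt", b"constructed plain text"),
    ]
    return triage(files, known)
```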

Hiding Partitions
• Delete references to a partition
– Re-create links for accessing it
• Use disk-partitioning utilities
– PartitionMagic
– System Commander
– LILO
• Account for all disk space when analyzing a
disk

Marking Bad Clusters
• Place sensitive information on free space
• Use a disk editor to mark that space as a bad
cluster
• Common with FAT systems

Bit-shifting
• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
– Hex Workshop

Using Steganography
• Suspect can hide information on image or text
document files
• Very hard to spot without prior knowledge
• Tools
– S-Tools
– DPEnvelope
– jpgx
– tte

Examining Encrypted Files
• Prevent unauthorized access
– Password or passphrase
• Recovering data is difficult without password
– Key escrow
– Cracking password
• Expert and powerful computers
– Persuade suspect to reveal password

Recovering Passwords
• Dictionary attack
• Brute-force attack
• Password guessing based on suspect’s profile
• Tools
– PRTK
– Advanced Password Recovery Software Toolkit
– @stake’s LC5 (L0phtCrack)

Reporting on the Investigation
• Last step is to finish documenting the investigation and
prepare a report on the investigation
• Documentation should include information such as:
– Notes taken during initial contact with the lead investigator
– Any forms used to start the investigation
– A copy of the search warrant
– Documentation of the scene where the computer was located
– Procedures used to acquire, extract, and analyze the evidence

Reporting on the Investigation
• A detailed final report should be organized
into the following sections:
– Report summary
– Body of the report
– Conclusion
– Supplementary materials
• More on report structure to follow

Reporting on the Investigation
• The final detailed report should cover:
– Case investigator information, name and contact
details
– The suspect user information
– Case numbers or identifiers used by your
department
– Location of the examination
– Type of information you have been requested to
find

Reporting on the Investigation
• The report summary should contain:
– Files found with evidentiary value
– Supporting files that support allegations
– Ownership analysis of files
– Analysis of data within suspect files
– Search types including text strings, keywords, etc.
– Any attempts at data hiding such as passwords,
encryption, and steganography

Importance of Reports
• Communicate the results of your investigation
– Including expert opinion
• Courts require expert witness to submit
written reports
• Keep copy of your reports
• Deposition banks
– Examples of expert witness’ previous testimonies

Limiting the Report to Specifics
• All reports to client should start with the job
mission or goal
– Find information on a specific subject
– Recover certain significant documents
– Recover certain types of files

Types of Reports
• Identify your audience
– Education paragraphs
• Examination plan
– What questions to expect when testifying
– Prepared by the attorney
– Multiple sources for questions
– Do not include things you do not want the jury to
see

Types of Reports
• Verbal report
– Less structured
– Attorneys cannot be forced to release verbal
reports
– Preliminary report
• Tests that have not been concluded
• Interrogatories
• Document production
• Depositions

Types of Reports
• Written report
– Affidavit or declaration
– Limit what you write and pay attention to details
– Use natural language style
• Describe yourself in the first person
• Word usage
– High-risk documents
– Spoliation
– Include same information as in verbal reports

Guidelines for Writing Reports
• Hypothetical questions based on factual
evidence
– Less favored today
– Guide and support your opinion
– Can be abused and complex
• Opinions based on knowledge and experience
• Exclude from hypothetical questions
– Facts that can change, cannot be used, or are not
relevant to your opinion

Report Structure

• Abstract
• Summary
• Table of contents
• Body of report
• Conclusion

Report Structure
• Reference
• Glossary
• Acknowledgments
• Appendixes

Writing Reports Clearly
• Consider:
– Communicative quality
– Ideas and organization
– Grammar and vocabulary
– Punctuation and spelling
• Lay out ideas in logical order
• Build arguments piece by piece
• Group related ideas and sentences into
paragraphs

Writing Reports Clearly
• Group paragraphs into sections
• Avoid jargon, slang, and colloquial terms
• Define technical terms
– Consider your audience
• Writing style
– Avoid repetition and vague language
– Be precise and specific
– Avoid presenting too many details and personal
observations

Designing the Layout and Presentation of Reports
• Decimal numbering structure
– Divides material into sections
– Readers can scan heading
– Readers see how parts relate to each other
• Legal-sequential numbering
– Used in pleadings
– Roman numerals represent major aspects
– Arabic numbers are supporting information

Designing the Layout and Presentation of Reports
• Include signposts
– Draw reader’s attention to a point
• Provide supporting material
– Figures, tables, data, and equations
• Use consistent formatting
• Explain methods
– How you studied the problem
• Include data collection
Designing the Layout and Presentation of Reports
• Include calculations
• Provide for uncertainty and error analysis
– Protect your credibility
• Explain results and conclusion
• Provide references
– Cite references by author and year
– Harvard system
• Include appendices
Generating Report Findings with Forensic Software Tools
• Forensics tools generate report when
performing analysis
• Report formats
– Plaintext
– Word processor
– HTML format

Presenting Your Evidence
• Steps:
– State your opinions
– Identify evidence to support your opinions
– Relate the method used to arrive at that opinion
– Restate your opinion
– Never carry on with a lengthy build-up
• Consider your audience
• Do not talk with anybody during court recess

Preparing for Testimony
• Technical or scientific witness
– Provides facts found in investigation
– Do not offer conclusions
– Prepare testimony
• Expert witness
– Has opinions based on observations
– Opinions make the witness an expert
– Works for the attorney

Preparing for Testimony
• Confirm your findings with documentation
– Corroborate them with other peers
• Detect conflict of interest
• Avoid the conflicting-out practice
– Prevents another attorney from using you

Preparing Technical Definitions
• Definitions of technical material
• Use your own words and language
• Some terms
– Computer forensics
– Hash algorithms
– Image and bit-stream backups
– File slack and unallocated space
– File date and time stamps
– Computer log files

Summary
• Four main steps to any computer forensics
investigation:
– Planning
– Acquisition
– Analysis
– Reporting
• Computer forensic analyst must:
– Keep up with the technology of the day
– Be a psychologist who understands how people
use technology
