First Steps for any Incident:
- Consider photographs of the scene
- Ordinary forensic issues, CCTV, fingerprints
- Locate all physical articles and plane in a sealed bag
- Identify any witnesses to the events
- If a computer is switched on - should not be immediately switched off
- If a computer is switched off - it should not be switched on
Four Stages of Investigation:
1) Collection
2) Examination
3) Analysis
4) Report & Statement
Mirror Image Copying Process:
1) Use a write-blocking device
2) Use cryptographic hash functions and check-sums to ensure integrity
3) After copying, has values and digital signatures can be verified later
Creating mirror images may require a large selection of specialised devices and equipment…
- Different connectors, interface specifications
- e.g. Tableau TD2U DuplicatorImager
- Such devices are required for different storage interfaces, recent proliferation of standards has made this substantially more expensive
- Some devices may also be protected
Forensic Image Tools:
- Built-in image capabilities
- Ability to recover previously deleted files/folders
- Ability to recover deleted material in space that is not currently allocated to a file
- Searching through and/or carving files from unallocated space
- Keyword searches over storage images
- Sorting files by any property
- Bookmarking files for subsequent investigation steps
- Extracting files from images, documenting the provenance and process
- Creating reports according to approved templates
- Mounting files such as compressed archives, Microsoft Windows Registry or other database formats
- Examination of proprietary email files
- Internet access history analysis including temporary Internet files, cookies, history, favourites
- Password recovery
Problems in Evidence Collection:
- Losing RAM
- Deleting evidential files
- Accidental writing to evidential disk
- Installing diagnostic software on disk
- Changes to date & time stamps
- Re-location of evidential files & directories
- Creation of files & directories
- Recovering deleted files directly onto disk
- Executing native software or applications, batch files, macros on the evidential disk
Maintaining Continuity of Evidence:
Ensuring evidence remains admissible.
• Everything in Court must be proved
• Every part of the structure of a disk is evidence
• If tampered with or accessed except under provable circumstances not affecting content, integrity as evidence is lost
Active (live) systems present a number of challenges and opportunities…
Both potentially rich sources of additional evidence, but also risks of losing data particularly to counter-forensic techniques
Copying Volatile Memory Contents Challenge Solutions:
- Virtual Machine snapshots
- Hardware debuggers and in-circuit emulators
- Exploiting Hibernating Mode or equivalent
- Exploit crash dumps
Key Factors Contributing to Fragility of Digital Evidence and Difficulties in Accessing:
- Data is easily changed
- Data can be disguised or concealed
- Encryption
- Data destruction - overwriting
- Data can be misinterpreted or unintelligible
- Clocks
Strict Procedures Followed For Storage Media:
• Static electricity must be discharged
• The host system must be switched off
• Computer and configuration must be photographed
• Manufacturer, model & serial numbers noted
• Covers must be removed
• Internal configuration of the system must be photographed
• Storage devices can now be removed from the enclosure
• Device must also itself be photographed
• Manufacturer and other data of device noted
• Any configuration items noted
• Device placed in anti-static bag
Anti-static bag placed in envelope and sealed with tape
• Each aperture of the envelope signed and dated
• Witness must sign and date apertures
• Envelope stored in safe together with a record entry to the safe
Examination Phase:
- A technical review conducted under (reproducible) laboratory conditions
- Critical goal is data reduction due to the potential volume of data on modern systems
Examination Phase must include…
System timestamps (clock), registry files, input/output access files, swap files, slack space, other nodes where evidence will accumulate, e.g. internet/web cache
Analysis Phase - Actus Reus:
The guilty act. What is there? or what has been done?
Analysis Phase - Mens Rea:
The guilty mind or intent. Is it deliberate?
Analysis Phase - Must Document:
- Date and time of all investigation events
- All methods used
- All software or other tools used
- Any expert re-construction of events
- Continuity of Evidence
- Tools used to maintain the documentation
-
Introduction to Forensic Science3
-
Digital Evidence14
-
Forensics Walk-Through16
-
Magnetic Storage Media, Volumes, and Encryption17
-
FAT File Systems14
-
Reconstructing FAT File System Structures29
-
Microsoft Windows Storage Architecture38
-
The Windows NTFS File System35
-
File and Volume Encryption11
-
Physical Storage Artefacts in Magnetic Media8
-
Nonvolatile Storage Forensics43
-
Microsoft Windows Kernel Architecture65
-
Introduction to Microsoft Windows Live Forensics17
-
Microsoft Windows Security Architecture35
-
Memory Acquisition and Forensics6
-
Firmware and Forensics0
-
Host-Based Network Forensics Sources0
-
Network-Component Forensic Information Collection0
-
Email Forensics0
-
Malware Concepts and Objectives0
-
Malware Infiltration Mechanisms0
-
Malware Exfiltration Mechanisms0
-
Malware Concealment and Detection Techniques0
-
Mobile Device Forensics Introduction0
-
Android Forensics Fundamentals0
-
iOS Forensics Fundamentals0
