Computing systems in a forensics lab should be able to process typical cases in a timely manner.

9.8 Preparing the Forensic Workstation

The procedures below are for all forensic cases whether the work is to be carried out on-site using a portable forensic workstation or using a desktop workstation in the Forensic Laboratory.

Any forensic workstation that is to be used to process a forensic case in the Forensic Laboratory must be sterile and unable to contaminate the new case from a previous case so as to avoid any suspicion of tainting. To perform this, the following is carried out:

The operating system disk is wiped to delete the current operating system and any files held on the disk.

The Forensic Laboratory standard build for the forensic workstations is loaded from the image held in the ERMS.

The wiping tool used is recorded on the Case Work Log. Details of the Forensic Case Work Log contents are given in Appendix 9.

One or more suitably sized sterile hard disks are chosen from the hard disk pool held in the Secure Property Store and are assigned to the case and loaded into the forensic workstation. The process for assigning a disk to a case is defined in Section 9.3.1.1.2.

7.4.3.9 Managing Changes to Forensic Workstations

All forensic workstations are connected to the dedicated forensic network, which is primarily used to provide information storage and printing facilities.

Where appropriate, Forensic Analysts have a separate workstation that is on the main business network.

A number of stand-alone workstations also exist in the Forensic Laboratory for Forensic Analysts, these are all for dedicated processes (e.g., forensic imaging, malware testing, multiple media copying devices, stand-alone Internet access, etc.).

Forensic workstations are frequently rebuilt, upgraded for a specific case, or have specific hardware added to them.

Changes to these forensic workstations do not need to go through any change control process, the Forensic Analysts are all presumed to be competent to make changes to their workstations as required. If the change is considered a risk, a stand-alone workstation is used.

Disable Automount

It is critical that forensic workstations do not have automount enabled which, as the name infers, will automatically mount a file system when one is found on a device connected. The option to disable automount in Ubuntu is done per user, so if the workstation will have more than one user account, please make sure you change each of them:

Then navigate to apps > nautilus > preferences and ensure the “media_automount” and “media_automount_open” options are unchecked as illustrated in Fig. 1.4.

You can then close the Gnome Configuration editor. Now, automount is disabled. For typical users, this is more work. However, for a forensic analyst, it is an absolute necessity (as is the use of hardware write blockers).

Connect the device

First, the iPhone should be connected to the forensic workstation using a USB cable. In the testing done in Chapter 7, a VM was used that required extra steps to ensure that the iPhone was being seen by the VM rather than the host machine. Once the device is connected and the acquisition process initiated, the examiner is prompted to place the device in DFU mode with the help of a timer in the upper right-hand corner of the software. Next, the wizard walks the examiner through the installation of device drivers.

Acquisition

To begin the acquisition, the examiner must first connect the Android device to the forensic workstation using USB and ensure USB debugging is enabled. MOBILedit! attempts to detect the device as shown in Fig. 6.19.

After clicking “Finish,” there was a notification prompting the installation of the “Connector” app on the device, shown in Fig. 6.20.

Following the quick installation, you create a name for the investigation and select the type of data you want to extract. In the example shown in Fig. 6.21, the option to take a backup of the “Whole file system” was selected, which then executed without error and presented a success status as illustrated in Fig. 6.22.

You can then decide if you want to add this to an already existing case or create a new one. For this example, shown in Fig. 6.23, a new case was created and a data export format option of XLS was selected.

Summary

The Android SDK not only provides deep insight into the Android platform but also provides powerful tools to investigate a device, from both a forensic and security viewpoint. Once the SDK is installed on a forensic workstation, the examiner has the ability to interact with an Android device connected via USB, provided the USB debugging feature is enabled. Not only is it possible to query information from the device but apps can also be installed, run, and ultimately data extracted from the device. The Android SDK is an important tool used for forensic and security analysis.

Disk Imaging

Disk imaging refers to the process of making an exact copy of a disk. Imaging is sometimes also called disk cloning or ghosting, but the latter terms usually refer to images created for purposes other than evidence preservation. Disk imaging differs from just copying all the files on a disk in that the disk structure and relative location of data on the disk are preserved. When you copy all the data on one disk to another disk the data is usually stored on the new disk in contiguous clusters as space permits. That way, all the data on the two disks will be identical, but the way the data is distributed on the disks will not. When you create a disk image (a bitstream copy), each physical sector of the disk is copied so that the data is distributed in the same way, and then the image is compressed into a file called an image file. This image is exactly like the original, both physically and logically.

You can create a bit-level duplicate of a disk in a number of different ways, including:

Removing the hard disk from the suspect computer and attaching it to another computer (preferably a forensic workstation) to make the copy

Attaching another hard disk to the suspect computer and making the copy

Using a stand-alone imaging device such as the DIBS Rapid Action Imaging Device

Using a network connection (Ethernet connection, crossover cable, null modem cable, Universal Serial Bus [USB], or the like) to transfer the contents of the disk to another computer or forensic workstation

Which of these methods you choose will usually depend on the equipment you have at hand. A portable forensic workstation or stand-alone imaging device is probably the best solution, but it's also the most expensive.

Windows E-mail Clients

E-mail clients, such as Microsoft Outlook and Outlook Express, enable users to send and receive e-mail (via SMTP, POP, and IMAP), manage newsgroups, and organize helpful information, such as contacts and calendars. The forensic artifacts related to these mail clients are numerous, but here is a quick overview of each program.

Microsoft Outlook is an e-mail client that is part of the Microsoft Office suite of utilities. It provides a popular platform (particularly in larger organizations) for e-mail management. The primary data file types associated with Outlook are personal storage (.PST) and offline storage (.OST) files. These .PST and .OST files contain a user's e-mail, calendar, contacts, and other data that allow Outlook to function effectively for the user. The default location for these files is the C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook folder in XP, and each user maintains their own Outlook data files.

There is a wide variety of different ways for an examiner to get at the data within a .PST or .OST file. Perhaps the easiest (if not most forensically sound) is to add a .PST file into Outlook on a forensic workstation via the File→Open→Outlook Data File… option. Once the .PST file is opened in Outlook, the examiner can access and view the user's mail and other Outlook objects as if they were the user themselves. If the .PST is password protected, this is obviously more of challenge, but there are a host of programs available for cracking .PST passwords. Other than Outlook itself, virtually any forensic suite worth its salt will process Outlook data files for viewing and searching by the examiner.

Tool Feature: Outlook Conversion

It may be necessary to convert an .OST file into a .PST file before opening it with Microsoft Outlook, as .OST files cannot generally be read unless the user is connected to its home network. Tools such as Stellar Information Systems Limited's Stellar Phoenix Mailbox Exchange Desktop (www.stellarinfo.com/exchange-ost-recovery.htm), Recoveronix Limited's Recovery for Exchange OST (www.officerecovery.com/recovery-for-exchange-ost/index.htm very expensive), and Chily Softech Private Limited's OST to PST (www.ost2pst.net/; does not work with Outlook 2003) can do it.

Further, the advantage of using a forensic suite to parse e-mail is that many of them can recover deleted objects (such as messages, contacts, etc.) from the unallocated space within .PST and .OST files. Outlook data files have their own structures, similar to their own file systems, complete with unallocated space in which examiners can find snippets of deleted conversations and even entire messages, with the right forensic tool.

Microsoft Outlook Express is similar to Outlook, but it has been historically bundled with Windows OSs and Internet Explorer, rather than Microsoft Office. In Windows Vista and later, Outlook Express was replaced by Windows Mail and Windows Live Mail, but the concept was still the same: give consumers a slim, easy-to-use mail and news reader without all the overhead of Microsoft Outlook. In contrast to Outlook, Outlook Express utilizes .DBX files as its primary data file type. However, the good news is that .DBX files serve roughly the same purpose as Outlook .PST and .OST files, and almost every forensic tool that can handle Outlook data files can parse and search Outlook Express .DBX files in a similar manner. The default location for .DBX files in XP/2k3 and earlier is C:\Documents and Settings\<username>\Local Settings\Application Data\Identities\<{long GUID-style value}>\Microsoft\Outlook Express.

Windows Mail in Vista and later operating systems is significantly different than Outlook or Outlook Express. Instead of .PST, .OST, or .DBX data files, Windows Mail maintains message data in plain-text .EML files, located under a user's profile at C:\Users\<username>\AppData\Local\Microsoft\Windows Mail\Local Folders. It should also be noted that users can encrypt Windows Mail fairly easily as part of Windows’ normal operation, so Windows Mail message content may not always be easily readable for the examiner.

Appendix 13 User Account Management Form Contents

One form is used in the Forensic Laboratory for all management of user accounts. The form below covers account:

creation;

modification;

deletion.

Computer Forensic Equipment and Software

A number of companies including Guidance Software (www.guidancesoftware.com) and DIBS (www.dibsusa.com) market special equipment to aid in forensic examinations. The following types of equipment can be useful to investigators and forensic technicians:

Imaging equipment These devices allow you to rapidly make bitstream copies of hard disks onto another hard disk, an optical cartridge, or a tape. Portable units that fit into a suitcase are available and can be easily transported to the crime scene to make disk copies on-site before the computer is shut down. The target media include write-protection features to ensure that data cannot be tampered with after the copies are made.

Forensic workstations These are complete computer workstations set up for easy reconstruction and analysis of copied drives, usually with removable drive racks that allow booting of the “working copies” of suspect disks. Analysis software is installed to assist in searching for particular types of data using artificial intelligence techniques or fuzzy logic to conduct searches when the investigator isn't sure of the text strings or file types he or she is looking for. Data recovery software is installed to locate data from “deleted” or “erased” files. Mobile workstations set up on portable computers are also available. Examples include the DIBS forensic workstations and F.R.E.D., the Forensic Recovery of Evidence Device, which is made by Digital Intelligence (www.digitalintel.com/fred.htm).

Forensic software Packages provided by companies such as Guidance Software, NTI, and DIBS include imaging software, “undelete” programs, comprehensive file and text string search programs, programs that can verify the accuracy of bitstream copies, programs that can remove binary characters from data to ease analysis of the data, programs that quickly document lists of files and directories, programs that can capture the data in unallocated space or file slack space, programs that can rebuild cache, uncompression tools, system-checking utilities, steganography detection software, password recovery programs, and much more. For a list of some of the best computer forensic software programs, see the Timberline Technologies Web site at www.timberlinetechnologies.com/products/forensics.html. Also, NTI provides several free forensic tools at www.forensics-intl.com/download.html.

On the Scene