Case Processing
David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013
9.8 Preparing the Forensic Workstation
The procedures below apply to all forensic cases, whether the work is to be carried out on-site using a portable forensic workstation or using a desktop workstation in the Forensic Laboratory. Any forensic workstation that is to be used to process a forensic case in the Forensic Laboratory must be sterile and unable to contaminate the new case with material from a previous case, so as to avoid any suspicion of tainting. To achieve this, the following is carried out:
•the operating system disk is wiped to delete the current operating system and any files held on the disk;
•the Forensic Laboratory standard build for the forensic workstations is loaded from the image held in the ERMS;
•the wiping tool used is recorded on the Case Work Log. Details of the Forensic Case Work Log contents are given in Appendix 9;
•one or more suitably sized sterile hard disks are chosen from the hard disk pool held in the Secure Property Store, assigned to the case, and loaded into the forensic workstation. The process for assigning a disk to a case is defined in Section 9.3.1.1.2.
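The procedure above assumes the disks taken from the pool really are sterile. The check below is an added example, not code from the book: it reads a device sector by sector, confirms every byte is zero, hashes what it read so the value can be entered on the Case Work Log, and reports the offset of the first surviving byte if the wipe was incomplete. The in-memory sample disk, the case and disk identifiers and the log line layout are all this example's own; on a real workstation the device would be opened read-only (for example `/dev/sdX`) in place of `make_disk()`.

```python
"""Verify that a pooled hard disk is sterile before it is assigned to a case."""
import hashlib
import io
from typing import BinaryIO, Optional

SECTOR = 512


def verify_sterile(dev: BinaryIO, sector_size: int = SECTOR) -> dict:
    """Read the whole device sector by sector and report whether it is all zeros.

    Returns the byte count, the SHA-256 of everything read (the value worth
    recording on the Case Work Log) and, if the disk is not sterile, the byte
    offset of the first non-zero byte so the analyst can see what survived.
    """
    h = hashlib.sha256()
    total = 0
    first_dirty: Optional[int] = None
    while True:
        chunk = dev.read(sector_size)
        if not chunk:
            break
        h.update(chunk)
        if first_dirty is None and any(chunk):
            # any() is true on the first sector holding a non-zero byte; locate it precisely
            first_dirty = total + next(i for i, b in enumerate(chunk) if b)
        total += len(chunk)
    return {"bytes_read": total, "sha256": h.hexdigest(),
            "sterile": first_dirty is None, "first_nonzero_offset": first_dirty}


def make_disk(sectors: int, leftover_at: Optional[int] = None) -> io.BytesIO:
    """Constructed sample: an all-zero disk, optionally with data left behind by a bad wipe."""
    buf = bytearray(sectors * SECTOR)
    if leftover_at is not None:
        buf[leftover_at:leftover_at + 16] = b"PREVIOUS CASE!!!"
    return io.BytesIO(bytes(buf))


def log_entry(case_no: str, disk_id: str, report: dict) -> str:
    """One tab-separated line for the Case Work Log (the field layout is this example's own)."""
    if report["sterile"]:
        status = "STERILE"
    else:
        status = f"NOT STERILE (first non-zero byte at offset {report['first_nonzero_offset']})"
    return "\t".join([case_no, disk_id, str(report["bytes_read"]), report["sha256"], status])


if __name__ == "__main__":
    # On a real workstation: with open("/dev/sdX", "rb", buffering=0) as dev: verify_sterile(dev)
    print(log_entry("CASE-0001", "POOL-DISK-17", verify_sterile(make_disk(2048))))
    print(log_entry("CASE-0001", "POOL-DISK-18",
                    verify_sterile(make_disk(2048, leftover_at=700 * SECTOR + 100))))
```

Reading the whole disk is slow on large media, but a sampled check cannot prove sterility: a single surviving sector is enough to raise a tainting argument, and the full-read hash is what lets the log entry be verified later.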
URL: //www.sciencedirect.com/science/article/pii/B9781597497428000091
IT Infrastructure
David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013
7.4.3.9 Managing Changes to Forensic Workstations
All forensic workstations are connected to the dedicated forensic network, which is primarily used to provide information storage and printing facilities.
Where appropriate, Forensic Analysts have a separate workstation that is on the main business network.
A number of stand-alone workstations also exist in the Forensic Laboratory for Forensic Analysts; these are all for dedicated processes (e.g., forensic imaging, malware testing, multiple media copying devices, stand-alone Internet access, etc.).
Forensic workstations are frequently rebuilt, upgraded for a specific case, or have specific hardware added to them.
Changes to these forensic workstations do not need to go through any change control process; the Forensic Analysts are all presumed to be competent to make changes to their workstations as required. If the change is considered a risk, a stand-alone workstation is used.
URL: //www.sciencedirect.com/science/article/pii/B9781597497428000078
Android and mobile forensics
Andrew Hoog, in Android Forensics, 2011
Disable Automount
It is critical that forensic workstations do not have automount enabled, which, as the name implies, automatically mounts any file system found on a newly connected device. Automount in Ubuntu is disabled per user, so if the workstation has more than one user account, make sure you change the setting for each of them. In the GNOME Configuration Editor, navigate to apps > nautilus > preferences and ensure the “media_automount” and “media_automount_open” options are unchecked, as illustrated in Fig. 1.4.
Figure 1.4. Disable automount on Ubuntu.
You can then close the GNOME Configuration Editor; automount is now disabled. For typical users this is extra work, but for a forensic analyst it is an absolute necessity (as is the use of hardware write blockers).
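Turning automount off is only useful if it is confirmed before every acquisition. The script below is an added example, not code from the book: it parses the automount keys and the mount table and refuses to proceed if either shows a problem. It assumes a current GNOME desktop, where the gconf keys the text describes have been replaced by the `org.gnome.desktop.media-handling` gsettings schema (`automount` and `automount-open`), and it reads `/proc/mounts` rather than any GUI. Both command outputs embedded below are constructed for the example.

```python
"""Pre-acquisition check: automount off, evidence device not mounted."""
import re
from typing import Dict, List

# Constructed output of: gsettings list-recursively org.gnome.desktop.media-handling
GSETTINGS_SAMPLE = """\
org.gnome.desktop.media-handling automount true
org.gnome.desktop.media-handling automount-open false
org.gnome.desktop.media-handling autorun-never true
"""

# Constructed /proc/mounts on a workstation where the evidence disk /dev/sdb was auto-mounted
PROC_MOUNTS_SAMPLE = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /media/analyst/EVIDENCE ntfs rw,nosuid,nodev,relatime 0 0
"""


def automount_settings(gsettings_output: str) -> Dict[str, bool]:
    """Parse the two keys that control automounting into a name -> enabled map."""
    result: Dict[str, bool] = {}
    for line in gsettings_output.splitlines():
        m = re.match(r"\S+ (automount|automount-open) (true|false)", line)
        if m:
            result[m.group(1)] = m.group(2) == "true"
    return result


def mounted_from(proc_mounts: str, device: str) -> List[Dict[str, str]]:
    """Return every mount whose source is `device` itself or one of its partitions."""
    mounts = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, opts = fields[:4]
        suffix = source[len(device):].lstrip("p")  # "1" for sdb1, "p1" -> "1" for nvme0n1p1
        if source == device or (source.startswith(device) and suffix.isdigit()):
            mounts.append({"source": source, "target": target, "fstype": fstype, "opts": opts})
    return mounts


def preflight(gsettings_output: str, proc_mounts: str, device: str) -> List[str]:
    """Return a list of problems; an empty list means it is safe to start imaging."""
    problems = []
    keys = automount_settings(gsettings_output)
    for key in ("automount", "automount-open"):
        if keys.get(key, True):  # a missing key is treated as the unsafe default
            problems.append(f"gsettings {key} is enabled; run: "
                            f"gsettings set org.gnome.desktop.media-handling {key} false")
    for m in mounted_from(proc_mounts, device):
        if "ro" in m["opts"].split(","):
            problems.append(f"{m['source']} is mounted read-only at {m['target']}; unmount before imaging")
        else:
            problems.append(f"{m['source']} is mounted READ-WRITE at {m['target']}; "
                            "the file system may already have been altered")
    return problems


if __name__ == "__main__":
    # On a real workstation, feed in the live outputs:
    #   subprocess.run(["gsettings", "list-recursively", "org.gnome.desktop.media-handling"], ...)
    #   open("/proc/mounts").read()
    for problem in preflight(GSETTINGS_SAMPLE, PROC_MOUNTS_SAMPLE, "/dev/sdb"):
        print("PROBLEM:", problem)
```

The read-write case is the one that matters for the record: an NTFS volume mounted `rw` has its journal and timestamps touched on mount, which is exactly the alteration a hardware write blocker exists to prevent, so the finding belongs in the case notes even if the image is taken afterwards through a blocker.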
URL: //www.sciencedirect.com/science/article/pii/B9781597496513100019
Acquisitions
In iPhone and iOS Forensics, 2011
Connect the device
First, the iPhone should be connected to the forensic workstation using a USB cable. In the testing done in Chapter 7, a VM was used that required extra steps to ensure that the iPhone was being seen by the VM rather than the host machine. Once the device is connected and the acquisition process initiated, the examiner is prompted to place the device in DFU mode with the help of a timer in the upper right-hand corner of the software. Next, the wizard walks the examiner through the installation of device drivers.
URL: //www.sciencedirect.com/science/article/pii/B9781597496599000055
Android forensic techniques
Andrew Hoog, in Android Forensics, 2011
Acquisition
To begin the acquisition, the examiner must first connect the Android device to the forensic workstation using USB and ensure USB debugging is enabled. MOBILedit! attempts to detect the device as shown in Fig. 6.19.
FIGURE 6.19. Detect Android device.
After clicking “Finish,” there was a notification prompting the installation of the “Connector” app on the device, shown in Fig. 6.20.
FIGURE 6.20. Install the connector.
Following the quick installation, you create a name for the investigation and select the type of data you want to extract. In the example shown in Fig. 6.21, the option to take a backup of the “Whole file system” was selected, which then executed without error and presented a success status as illustrated in Fig. 6.22.
FIGURE 6.21. Take backup of the whole file system.
FIGURE 6.22. Operation completed successfully.
You can then decide if you want to add this to an already existing case or create a new one. For this example, shown in Fig. 6.23, a new case was created and a data export format option of XLS was selected.
FIGURE 6.23. Data export format.
URL: //www.sciencedirect.com/science/article/pii/B9781597496513100068
Android software development kit and android debug bridge
Andrew Hoog, in Android Forensics, 2011
Summary
The Android SDK not only provides deep insight into the Android platform but also provides powerful tools to investigate a device, from both a forensic and security viewpoint. Once the SDK is installed on a forensic workstation, the examiner has the ability to interact with an Android device connected via USB, provided the USB debugging feature is enabled. Not only is it possible to query information from the device but apps can also be installed, run, and ultimately data extracted from the device. The Android SDK is an important tool used for forensic and security analysis.
URL: //www.sciencedirect.com/science/article/pii/B9781597496513100032
Computer Forensic Software and Hardware
Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008
Disk Imaging
Disk imaging refers to the process of making an exact copy of a disk. Imaging is sometimes also called disk cloning or ghosting, but the latter terms usually refer to images created for purposes other than evidence preservation. Disk imaging differs from simply copying all the files on a disk in that the disk structure and the relative location of data on the disk are preserved. When you copy all the files from one disk to another, the data is usually written to the new disk in contiguous clusters as space permits: the files on the two disks will be identical, but the way the data is laid out on the disks will not, and anything outside the files (unallocated space, file slack) is not copied at all. When you create a disk image (a bitstream copy), every physical sector of the disk is copied in order, so the data keeps the same layout; the result is usually stored, often compressed, in an image file. Such an image reproduces the original sector for sector, both in content and in layout.
You can create a bit-level duplicate of a disk in a number of different ways, including:
▪Removing the hard disk from the suspect computer and attaching it to another computer (preferably a forensic workstation) to make the copy
▪Attaching another hard disk to the suspect computer and making the copy
▪Using a stand-alone imaging device such as the DIBS Rapid Action Imaging Device
▪Using a network connection (Ethernet connection, crossover cable, null modem cable, Universal Serial Bus [USB], or the like) to transfer the contents of the disk to another computer or forensic workstation
Which of these methods you choose will usually depend on the equipment you have at hand. A portable forensic workstation or stand-alone imaging device is probably the best solution, but it's also the most expensive.
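The difference between a file copy and a bitstream copy is easiest to see on a disk small enough to inspect. The code below is an added example, not from the book: it builds a toy disk as an array of sectors with a minimal allocation table (a constructed stand-in for a real file system), then produces both kinds of copy. `file_copy()` takes only the logical bytes of allocated files, packed back to back, which is what copying the files gives you; `bitstream_image()` copies every sector in place and hashes the original as it goes, so the image can be verified against it. The file names, the "deleted" record and the slack fragment are all constructed for the example.

```python
"""Bitstream image versus file copy on a constructed toy disk."""
import hashlib
from typing import Dict, List, Tuple

SECTOR = 512
SECTORS = 64
Alloc = Dict[str, Tuple[List[int], int]]   # file name -> (sector list, logical length)


def build_disk() -> Tuple[bytearray, Alloc]:
    """Constructed sample disk: two live files, one deleted file, some file slack."""
    disk = bytearray(SECTORS * SECTOR)
    live = {
        "report.txt": ([3, 4], b"Quarterly report, nothing to see here. " * 20),   # spans two sectors
        "notes.txt": ([10], b"Meeting notes for Tuesday. "),
    }
    alloc: Alloc = {}
    for name, (sectors, data) in live.items():
        for i, s in enumerate(sectors):
            piece = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\x00")
            disk[s * SECTOR:(s + 1) * SECTOR] = piece
        alloc[name] = (sectors, len(data))
    # A file the user "deleted": the allocation entry is gone, the sectors were never overwritten.
    ghost = b"SECRET: transfer to offshore account 31337 "
    disk[40 * SECTOR:40 * SECTOR + len(ghost)] = ghost
    # File slack: bytes after the logical end of notes.txt in its sector, left by an earlier file.
    slack = b"[old draft fragment]"
    disk[11 * SECTOR - len(slack):11 * SECTOR] = slack
    return disk, alloc


def file_copy(disk: bytearray, alloc: Alloc) -> bytes:
    """What 'copy all the files' produces: each file's logical bytes, packed contiguously."""
    out = bytearray()
    for sectors, length in alloc.values():
        data = b"".join(bytes(disk[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        out += data[:length]          # slack beyond the logical length is dropped
    return bytes(out)


def bitstream_image(dev: bytes, sector_size: int = SECTOR) -> Tuple[bytes, str]:
    """What a forensic imager produces: every sector in place, plus the source hash."""
    h = hashlib.sha256()
    image = bytearray()
    for off in range(0, len(dev), sector_size):
        chunk = dev[off:off + sector_size]
        h.update(chunk)
        image += chunk
    return bytes(image), h.hexdigest()


def verify_image(original: bytes, image: bytes, expected_sha256: str) -> bool:
    """The acceptance test for an image: same length and same hash as the source."""
    return len(image) == len(original) and hashlib.sha256(image).hexdigest() == expected_sha256


def search(blob: bytes, needles: List[bytes]) -> Dict[bytes, bool]:
    """Keyword search over a copy, the way an examiner would look for ambient data."""
    return {n: n in blob for n in needles}


if __name__ == "__main__":
    disk, alloc = build_disk()
    image, digest = bitstream_image(bytes(disk))
    print("image verified:", verify_image(bytes(disk), image, digest))
    needles = [b"Quarterly report", b"SECRET:", b"[old draft fragment]"]
    print("bitstream image :", search(image, needles))
    print("file copy       :", search(file_copy(disk, alloc), needles))
```

The live file is found in both copies; the deleted record and the slack fragment are found only in the bitstream image, because a file copy never reads sectors the allocation table does not point at. The hash comparison in `verify_image()` is the same check a forensic imager performs, and the reason a cloning tool that "re-creates the partition information as needed" fails it.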
A History of Disk Imaging
Disk imaging can serve a number of purposes and was initially used for purposes other than computer forensics and digital evidence collection. Computer virus researchers used disk imaging in the 1980s when studying new computer viruses so that they could execute the virus code without destroying or damaging the data on the original disk. Copying just the virus files didn't always work because some viruses had to be on specific parts of the disk to do what they were written to do. For this reason, a program was developed that would copy the data exactly as it was located on the disk, duplicating sector addresses and creating an exact duplication or disk “image.”
The usefulness of such a program did not go unnoticed by computer crime investigators. Detective Inspector John Austen at London's Scotland Yard was the first to recognize the investigative applications of the tool, and the concept of computer forensic imaging equipment was born shortly thereafter.
Meanwhile, disk imaging has come to be used for creating backups that can be put into place quickly and easily if the original disk fails, by simply swapping out the imaged disk for the original. Another popular use of imaging is to speed up the process of rolling out operating systems and software on a large number of computers simultaneously, with the same configuration. Norton Ghost is one of the most popular programs used for this purpose. For more information on Ghost, investigate the Product menus at www.symantec.com.
It is important for investigators to understand the differences between these imaging purposes and the products that are designed for different purposes. Cloning products such as Ghost are not designed to preserve the user data on a disk; the purpose is to create a standard installation configuration that can be distributed to multiple computers. Although these products can be used on a disk with user data, there is another problem: The images they create are not exact bit-by-bit copies of the originals. According to the Symantec Knowledge Base, “Normally, Ghost does not create an exact duplicate of a disk. Instead, Ghost re-creates the partition information as needed and copies the contents of the files.” Thus, a checksum of the image disk almost always results in a value that is different from the checksum value of the original disk. This could be why such evidence is excluded in some courts, because rules of evidence generally require that when a duplicate is admitted as evidence in place of the original, it must be an exact duplicate of the original. Although investigators sometimes use Ghost to create a disk image, and some versions of Ghost have switches and options that can be used to force it to create a bitstream copy, it is usually best to use software specifically designed for forensic purposes. On the other hand, if Ghost is the only duplication program you have, a ghosted image is better than no image.
Imaging Software
A number of disk-imaging programs are popular with law enforcement computer forensic specialists. These programs were developed specifically for the purpose of creating duplicate disks to be used in processing computer evidence and analyzing that evidence. Examples of products that we'll discuss later in this chapter include SafeBack, EnCase, and ProDiscover.
The National Institute of Standards and Technology (NIST) developed a disk-imaging tool specification as part of its Computer Forensics Tool Testing (CFTT) project, the objective of which was to provide for standardization of automated tools used in investigations involving computer forensics.
Stand-alone imaging tools such as the DIBS Portable Evidence Recovery Unit and Rapid Action Imaging Device eliminate the need for a second computer while maintaining the integrity of the suspect computer. These portable units can make duplicates of the suspect computer's disk(s) onto another clean hard disk or optical media without the need to remove the original disk from the suspect computer.
Disk imaging is accepted as standard practice in computer forensics to preserve the integrity of the original evidence. Disk imaging differs from creating a standard backup of a disk (for fault-tolerance purposes) in that ambient data is not copied to a backup; only active files are copied. Because a backup created with popular backup programs such as the Windows built-in backup utility, Backup Exec, ARCserve, and the like is not an exact duplicate (in other words, a physical bitstream image), these programs should not be used for disk imaging. Programs such as Norton Ghost include switches that allow you to make a bitstream copy, but these programs were not originally designed for forensic use and do not include the features and analysis tools that are included with imaging programs and stand-alone imaging systems designed especially for forensic examination.
Despite this, network administrators may have created regular backups of servers and workstations on a network, or individuals may have backed up data on their home computers. These may also contain important data, as they contain a snapshot of data from a specific point in time, and you shouldn't overlook them as potential sources of evidence.
“Snapshot” Tools and File Copying
Sometimes it is not possible or desirable to make a full bitstream image of a disk. This could be because the system is mission-critical and management does not want to have it out of commission during an investigation, or because the decision has already been made not to pursue prosecution. However, there are still ways to collect data about the intrusion or other crime for the purpose of analyzing what happened and preventing it from happening again.
One set of software tools designed to allow administrators to create a “snapshot” of the state of a machine that has been compromised is The Coroner's Toolkit, written by the authors of the once popular UNIX security scanner SATAN (Security Administrator Tool for Analyzing Networks). Running these tools on a UNIX system that has been breached is very helpful in performing a forensic analysis, because it will provide information on running processes, the state of the network, deleted files, user information, and much more.
In some cases, when evidence is documentary in nature, it might be possible to introduce copies of individual files rather than copying the entire disk. You should use this method only when you need specific identifiable documents and there's no need to search for ambient data or other hidden data.
URL: //www.sciencedirect.com/science/article/pii/B9781597492768000066
Windows Forensic Analysis
Ryan D. Pittman, Dave Shaver, in Handbook of Digital Forensics and Investigation, 2010
Windows E-mail Clients
E-mail clients, such as Microsoft Outlook and Outlook Express, enable users to send and receive e-mail (via SMTP, POP, and IMAP), manage newsgroups, and organize helpful information, such as contacts and calendars. The forensic artifacts related to these mail clients are numerous, but here is a quick overview of each program.
Microsoft Outlook is an e-mail client that is part of the Microsoft Office suite of utilities. It provides a popular platform (particularly in larger organizations) for e-mail management. The primary data file types associated with Outlook are personal storage (.PST) and offline storage (.OST) files. These .PST and .OST files contain a user's e-mail, calendar, contacts, and other data that allow Outlook to function effectively for the user. The default location for these files is the C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook folder in XP, and each user maintains their own Outlook data files.
There is a wide variety of ways for an examiner to get at the data within a .PST or .OST file. Perhaps the easiest (though not the most forensically sound, since Outlook writes to a data file when it opens it, so this should only ever be done on a hashed copy of the original) is to add a .PST file into Outlook on a forensic workstation via the File→Open→Outlook Data File… option. Once the .PST file is opened in Outlook, the examiner can access and view the user's mail and other Outlook objects as if they were the user themselves. If the .PST is password protected, this is obviously more of a challenge, but there are a host of programs available for cracking .PST passwords. Other than Outlook itself, virtually any forensic suite worth its salt will process Outlook data files for viewing and searching by the examiner.
Tool Feature: Outlook Conversion
It may be necessary to convert an .OST file into a .PST file before opening it with Microsoft Outlook, as an .OST file is tied to the Outlook profile and Exchange mailbox that created it and cannot generally be opened on its own. Tools such as Stellar Information Systems Limited's Stellar Phoenix Mailbox Exchange Desktop (www.stellarinfo.com/exchange-ost-recovery.htm), Recoveronix Limited's Recovery for Exchange OST (www.officerecovery.com/recovery-for-exchange-ost/index.htm; very expensive), and Chily Softech Private Limited's OST to PST (www.ost2pst.net/; does not work with Outlook 2003) can do it.
Further, the advantage of using a forensic suite to parse e-mail is that many of them can recover deleted objects (such as messages, contacts, etc.) from the unallocated space within .PST and .OST files. Outlook data files have their own structures, similar to their own file systems, complete with unallocated space in which examiners can find snippets of deleted conversations and even entire messages, with the right forensic tool.
Microsoft Outlook Express is similar to Outlook, but it has been historically bundled with Windows OSs and Internet Explorer, rather than Microsoft Office. In Windows Vista and later, Outlook Express was replaced by Windows Mail and Windows Live Mail, but the concept was still the same: give consumers a slim, easy-to-use mail and news reader without all the overhead of Microsoft Outlook. In contrast to Outlook, Outlook Express utilizes .DBX files as its primary data file type. However, the good news is that .DBX files serve roughly the same purpose as Outlook .PST and .OST files, and almost every forensic tool that can handle Outlook data files can parse and search Outlook Express .DBX files in a similar manner. The default location for .DBX files in XP/2k3 and earlier is C:\Documents and Settings\<username>\Local Settings\Application Data\Identities\<{long GUID-style value}>\Microsoft\Outlook Express.
Windows Mail in Vista and later operating systems is significantly different than Outlook or Outlook Express. Instead of .PST, .OST, or .DBX data files, Windows Mail maintains message data in plain-text .EML files, located under a user's profile at C:\Users\<username>\AppData\Local\Microsoft\Windows Mail\Local Folders. It should also be noted that users can encrypt Windows Mail fairly easily as part of Windows’ normal operation, so Windows Mail message content may not always be easily readable for the examiner.
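The three default locations above are the places an examiner checks first on a mounted image. The script below is an added example, not code from the book: given the root of a read-only mounted evidence image, it walks every user profile, looks in the Outlook, Outlook Express and Windows Mail paths the text gives, and records path, size and SHA-256 for each data file, so the files can be exported to the forensic workstation and their integrity checked before any tool (Outlook included) opens them. The profile roots (`Documents and Settings` for XP, `Users` for Vista and later) and the Vista-era Outlook path under `AppData\Local` are assumptions; the sample profile tree is constructed in a temporary directory for the demonstration.

```python
"""Locate Windows mail-client data files in offline user profiles and hash them."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# (client, profile-relative directory, file extensions to collect)
MAIL_LOCATIONS = [
    ("Outlook", Path("Local Settings/Application Data/Microsoft/Outlook"), {".pst", ".ost"}),
    ("Outlook", Path("AppData/Local/Microsoft/Outlook"), {".pst", ".ost"}),   # Vista+ path (assumed)
    ("Outlook Express", Path("Local Settings/Application Data/Identities"), {".dbx"}),
    ("Windows Mail", Path("AppData/Local/Microsoft/Windows Mail/Local Folders"), {".eml"}),
]
PROFILE_ROOTS = ("Documents and Settings", "Users")   # XP-era and Vista+ profile parents (assumed)


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large .PST/.OST files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_mail_artifacts(image_root: Path) -> List[Dict[str, object]]:
    """Walk each user profile under the image root and return one record per mail data file."""
    found: List[Dict[str, object]] = []
    for root_name in PROFILE_ROOTS:
        root = image_root / root_name
        if not root.is_dir():
            continue
        for profile in sorted(p for p in root.iterdir() if p.is_dir()):
            for client, rel, exts in MAIL_LOCATIONS:
                base = profile / rel
                if not base.is_dir():
                    continue
                # rglob: Outlook Express keeps its .DBX files under a GUID-named subdirectory,
                # and Windows Mail keeps .EML files under one directory per folder.
                for path in sorted(base.rglob("*")):
                    if path.is_file() and path.suffix.lower() in exts:
                        found.append({"user": profile.name, "client": client,
                                      "path": path.relative_to(image_root).as_posix(),
                                      "size": path.stat().st_size, "sha256": sha256_file(path)})
    return found


def build_sample_image(root: Path) -> None:
    """Constructed evidence tree: one XP-style user (alice) and one Vista-style user (bob)."""
    files = {
        "Documents and Settings/alice/Local Settings/Application Data/Microsoft/Outlook/Outlook.pst":
            b"constructed PST content",
        "Documents and Settings/alice/Local Settings/Application Data/Identities/{GUID}/Microsoft/Outlook Express/Inbox.dbx":
            b"constructed DBX content",
        "Users/bob/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/msg1.eml":
            b"From: someone@example.com\r\nSubject: hi\r\n\r\nconstructed body\r\n",
        "Users/bob/Desktop/readme.txt": b"not a mail artifact",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temporary directory and run the search over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_image(root)
        return find_mail_artifacts(root)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['user']:8} {rec['client']:16} {rec['size']:>8}  {rec['sha256'][:16]}…  {rec['path']}")
```

Hashing at discovery time is what lets the examiner show that the copy later opened in Outlook or a forensic suite is the same file that was on the image; users who kept a .PST outside the default folder will not be found by this walk, and a search by extension over the whole image is the usual follow-up.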
URL: //www.sciencedirect.com/science/article/pii/B9780123742674000057
Secure Working Practices
David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013
Appendix 13 User Account Management Form Contents
One form is used in the Forensic Laboratory for all management of user accounts. The form below covers account:
•creation;
•modification;
•deletion.
Account Owner Details
•name;
•forename;
•employer;
•position;
•room number;
•phone;
•e-mail address;
•start date;
•status (permanent, part time, direct contractor, third party, other);
•end date (for fixed-term contracts and known end dates only).
Authorized Requestor Details
•name;
•forename;
•position;
•room number;
•phone;
•e-mail address;
•signature.
Request Type
•new user;
•account modification;
•account deletion.
Hardware Required
•desktop;
•forensic workstation (Windows);
•forensic workstation (Unix and variants);
•Apple Mac;
•laptop;
•desk phone—define type;
•other specialized forensic case processing hardware;
•SecurID token.
Mobile Devices Required
•BlackBerry;
•iPhone;
•other mobile device—define.
Communications Accounts
•corporate e-mail;
•e-mail distribution lists—define;
•Outlook calendars—define;
•groups to be a member of—define;
•internet access;
•Skype;
•Lync;
•other.
Drive Access
•standard Forensic Laboratory shared drive;
•standard department shared drive;
•personal home drive;
•others—define.
Software Required
•Forensic Laboratory standard desktop;
•Forensic Laboratory standard forensic toolkit;
•other—define.
Information Access
•ERMS;
•finance system;
•human resources system;
•forensic case processing;
•others—define.
Note
For each application or information database to be accessed, authorization must be given by the Application or Information Owner. This authorization can be by signature on the form or by e-mail associated with the request for that application.
Forensic Case Processing
For each forensic case, specific access rights are assigned so that only named Forensic Laboratory employees can have access to the case:
•define case number.
Setup details
•name;
•forename;
•position;
•room number;
•phone;
•e-mail address;
•date actions completed;
•date user advised (e-mail);
•signature.
URL: //www.sciencedirect.com/science/article/pii/B9781597497428000121
Collecting and Preserving Digital Evidence
Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008
Computer Forensic Equipment and Software
A number of companies including Guidance Software (www.guidancesoftware.com) and DIBS (www.dibsusa.com) market special equipment to aid in forensic examinations. The following types of equipment can be useful to investigators and forensic technicians:
▪Imaging equipment These devices allow you to rapidly make bitstream copies of hard disks onto another hard disk, an optical cartridge, or a tape. Portable units that fit into a suitcase are available and can be easily transported to the crime scene to make disk copies on-site before the computer is shut down. The target media include write-protection features to ensure that data cannot be tampered with after the copies are made.
▪Forensic workstations These are complete computer workstations set up for easy reconstruction and analysis of copied drives, usually with removable drive racks that allow booting of the “working copies” of suspect disks. Analysis software is installed to assist in searching for particular types of data using artificial intelligence techniques or fuzzy logic to conduct searches when the investigator isn't sure of the text strings or file types he or she is looking for. Data recovery software is installed to locate data from “deleted” or “erased” files. Mobile workstations set up on portable computers are also available. Examples include the DIBS forensic workstations and F.R.E.D., the Forensic Recovery of Evidence Device, which is made by Digital Intelligence (www.digitalintel.com/fred.htm).
▪Forensic software Packages provided by companies such as Guidance Software, NTI, and DIBS include imaging software, “undelete” programs, comprehensive file and text string search programs, programs that can verify the accuracy of bitstream copies, programs that can remove binary characters from data to ease analysis of the data, programs that quickly document lists of files and directories, programs that can capture the data in unallocated space or file slack space, programs that can rebuild cache, uncompression tools, system-checking utilities, steganography detection software, password recovery programs, and much more. For a list of some of the best computer forensic software programs, see the Timberline Technologies Web site at www.timberlinetechnologies.com/products/forensics.html. Also, NTI provides several free forensic tools at www.forensics-intl.com/download.html.
On the Scene
Building a Forensic Workstation
You can build your own forensic workstation using either a portable or a desktop computer instead of buying the prepackaged hardware/software combination. The system should be powerful enough to run forensic application software, and to avoid having to upgrade the equipment too soon, it should have the most powerful processor and the most RAM available (or at least that you can afford). To store the evidence files that are created, you will also need a significant amount of hard disk space. It is not uncommon for computer forensic labs to have terabytes of hard disk space to store evidence files, which will also need to be backed up on a regular basis in case of a hard disk failure or other problems.
The workstation should run an operating system compatible with your forensic application software. You might find it useful to set up a dual-boot configuration so that you can boot into either Windows or Linux, or you can run VMware (www.vmware.com) virtual machines to allow you, for example, to view a New Technology File System (NTFS) formatted disk from within the Linux operating system using a Windows virtual machine.
URL: //www.sciencedirect.com/science/article/pii/B9781597492768000157