IMT4114: Introduction to Digital Forensics
"You have to be careful before you switch something off..." - Carl Stuart Leichter
Forensic science is the application of scientific methods to establish factual answers to legal problems. (Digital Forensics, edited by André Årnes, Wiley 2018)
An investigation is forensically sound if evidence is not destroyed or corrupted, whether by accident or on purpose. Building the investigation on established processes and standards gives reasonable assurance of forensic soundness.
Evidence integrity is the degree to which evidence has been preserved in its original form.
Chain of Custody
Evidence is worthless unless the chain of custody is proper! Acquisition, handling, analysis and disposition MUST be properly documented; otherwise the defence will argue that the evidence might have been tampered with.
Locard's Exchange Principle
Whenever two items come into contact there is an exchange of material between them. This can (sort of) be applied to digital forensics as well, even though the dynamics of digital evidence are different.
Evidence dynamics: how evidence changes, disappears or is destroyed over time, regardless of ill intent.
- Who: Suspects, witnesses and victims
- Where: Relevant locations
- What: Facts of the crime
- When: Time of the crime (and other related events)
- Why: The motivation for the crime
- How: How the crime was committed
The Daubert standard decides whether expert testimony is scientifically valid and can properly be applied to the facts at issue. The following factors apply:
- Whether the theory or technique in question can be and has been tested
- Whether it has been subjected to peer review and publication
- Whether there is a known and acceptable error rate
- The existence and maintenance of standards controlling its operation
- Whether the theory or technique in question has been accepted by the scientific community
Digital forensics is the use of scientific methods to reconstruct digital events.
The Digital Forensics Process
Identification: recognizing an incident.
Collection: collecting data from digital devices using forensically sound techniques.
Order of Volatility
Collection of potential evidence should be prioritized according to the volatility of the data, most volatile first. For example: data stored in memory (running processes, network connections, keys) is more volatile than data stored on disk, so it is collected first.
The tools used might not be perfect. To detect errors introduced by a tool, use several independent tools and check that they give the same results.
Examination: preparation and extraction of (potential) digital evidence from the data gathered in the collection phase.
Large amounts of useless data are no good to anyone. To reduce the number of files that have to be analyzed, filter out known-good files by their hash. Many lists of known-good file hashes are available (NIST's NSRL Reference Data Set is the usual source).
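As an added example (not code from the course or the textbook), here is a Python sketch of that reduction step: every file under a directory is hashed in a single pass and dropped from the review pile when its digest is in a known-good set. The hash-list format, the three sample files and all function names are constructed for the demo and are not a real NSRL/RDS layout.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB files never have to fit in memory


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for one file, computing all digests in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_hashset(lines):
    """Parse a hash list into a set of lowercase hex digests.

    Format assumed here (constructed, not the NSRL file layout): one digest per line
    with an optional '#' comment. Normalising to lowercase means a lookup is a plain
    set membership test regardless of how the list was written.
    """
    digests = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            digests.add(line.lower())
    return digests


def filter_known_good(root, known, algorithm="sha1"):
    """Walk `root` and split files into (to_review, filtered_out).

    Only an exact digest match is filtered out: a stock binary that has been
    modified by a single byte stays in the review pile, which is what we want.
    """
    to_review, filtered = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if hash_file(path, (algorithm,))[algorithm] in known:
                filtered.append(path)
            else:
                to_review.append(path)
    return to_review, filtered


def demo():
    """Constructed sample: three files in a temp directory, two of them 'known good'."""
    root = tempfile.mkdtemp(prefix="forensics-demo-")
    files = {
        "kernel32.dll": b"A" * 4096,                      # stands in for a stock OS binary
        "notepad.exe": b"B" * 2048,                       # stands in for another stock binary
        "notes.txt": b"meet at the harbour at 21:00\n",   # user data: must survive filtering
    }
    for name, content in files.items():
        Path(root, name).write_bytes(content)
    # Constructed hash list covering the two "stock" files (mixed case on purpose).
    known = load_hashset([
        hashlib.sha1(files["kernel32.dll"]).hexdigest() + "  # kernel32.dll",
        hashlib.sha1(files["notepad.exe"]).hexdigest().upper(),
    ])
    to_review, filtered = filter_known_good(root, known)
    return ([os.path.basename(p) for p in to_review],
            [os.path.basename(p) for p in filtered])


if __name__ == "__main__":
    review, dropped = demo()
    print("to review:", review)     # ['notes.txt']
    print("filtered :", dropped)    # ['kernel32.dll', 'notepad.exe']
```

Two caveats a practitioner would add: a known-good hash says nothing about where the file sits, so a genuine system binary found in a user's temp directory still deserves a look (filter on hash and path when the list supports it), and the matching is only as good as the list, so keep it versioned and record which list version was used in the case notes.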
Data might not be structured, and files might remain in unallocated space on the drive after their "deletion". File carving looks for patterns or signatures corresponding to known file formats in such unstructured data. Interesting (potentially partial) data can be recovered this way.
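An added example of header/footer carving, written for these notes rather than taken from the course or any carving tool: it scans a byte blob for JPEG and PNG signatures, reports complete hits and, for a header with no footer in range, a partial hit instead of nothing. The "unallocated space" blob is constructed inline; the signature table and function names are assumptions for the demo.

```python
# Header/footer signatures. The PNG footer is the IEND chunk type, which is always
# followed by its 4-byte CRC (AE 42 60 82), hence the trailer length.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "trailer": 0},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND", "trailer": 4},
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Carve files out of unstructured bytes (e.g. unallocated space) by signature.

    Returns a list of {type, offset, size, complete}. A header without a footer within
    max_size yields a partial hit rather than nothing, because a truncated or partly
    overwritten file may still be useful evidence.
    """
    hits = []
    for ftype, sig in signatures.items():
        start = data.find(sig["header"])
        while start != -1:
            limit = min(len(data), start + max_size)
            end = data.find(sig["footer"], start + len(sig["header"]), limit)
            if end == -1:
                hits.append({"type": ftype, "offset": start, "size": limit - start, "complete": False})
                resume = start + len(sig["header"])      # keep scanning for later headers
            else:
                end += len(sig["footer"]) + sig["trailer"]
                hits.append({"type": ftype, "offset": start, "size": end - start, "complete": True})
                resume = end
            start = data.find(sig["header"], resume)
    return sorted(hits, key=lambda h: h["offset"])


def extract(data, hit):
    """Return the carved bytes for one hit (in practice written out as '<offset>.<type>')."""
    return data[hit["offset"]:hit["offset"] + hit["size"]]


def build_sample():
    """Constructed 'unallocated space': filler, a complete JPEG-like and PNG-like file,
    and a JPEG header whose footer is gone (a truncated/overwritten file)."""
    def filler(n):
        # values 1..128 only, so the filler can never contain 0x89 or 0xFF signature bytes
        return bytes((i % 128) + 1 for i in range(n))
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-PAYLOAD" * 4 + b"IEND" + b"\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"TRUNCATED" * 3
    return filler(37) + jpeg + filler(11) + png + filler(5) + truncated


if __name__ == "__main__":
    blob = build_sample()
    for hit in carve(blob):
        status = "complete" if hit["complete"] else "PARTIAL"
        print(f"{hit['type']} @ {hit['offset']:#06x} {hit['size']} bytes {status}")
```

Header/footer carving only recovers contiguous files; a fragmented file comes out as garbage after the first fragment, and formats without a footer (most Office and ZIP-based files) need the length read from the format's own structures instead. The max_size bound is what keeps a lost footer from swallowing the rest of the disk into one hit.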
Analysis: processing the information to determine the facts of an event.
Mapping events onto a timeline is a powerful visual tool.
To speed up analysis one can search large datasets directly. Searching for names, or using regular expressions that match things such as phone numbers, is quick and can be very valuable to the analyst.
Anti-forensic techniques, which make forensic analysis of digital evidence harder, do exist. They include, but are not limited to:
- Wiping tools
Presentation: sharing the results of the digital forensics process with interested parties.
Tracks are concentric circles on a disk platter. Sectors are segments of a track and are the smallest unit the disk can read or write (traditionally 512 bytes, 4096 on newer drives). Clusters are sets of sectors and are the smallest allocation unit of a file system.
Slack space is the unused space at the end of a sector (RAM slack) or at the end of a cluster (file slack). Old data may be found here.
A partition on a hard drive contains a volume/file system (or a part of one).
Drives are now so large that deleted files are often not overwritten until long after deletion. This leads to fossilization of data: files that are deleted but still present on disk.
Master Boot Record (MBR)
Contains boot code (the first 446 bytes), a 4-byte disk signature, the primary partition table (up to four 16-byte entries) and the 0x55AA boot signature, all in sector 0. Replaced by GPT.
GUID Partition Table (GPT)
Replaces MBR. Backward compatible with MBR-only tools through a protective MBR (a single partition of type 0xEE covering the disk) so they do not treat the disk as empty. Uses 128-bit GUIDs to identify partitions and partition types, and 64-bit LBAs, which allows for much larger disks.
Master File Table ($MFT)
Information about every file (size, timestamps, permissions, and the content or its location) is found in the MFT.
An MFT entry is 1024 bytes long. After the header and the standard metadata attributes there are roughly 500 bytes left, which are used to point to the file's location on disk.
If the file content itself is sufficiently small (<500 bytes), it is stored in its entirety inside the MFT entry as resident data, instead of as a pointer to the location of the non-resident content.
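To make the resident/non-resident distinction concrete, here is an added Python parser for a single MFT record (my own illustration, not code from the course or from any NTFS tool). It undoes the update-sequence fixups, walks the attribute list, returns resident content inline and decodes the data runs of non-resident content. The two sample records are built by a small constructed helper in the block; the field offsets are those of the NTFS on-disk format, the record numbers and contents are invented.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}


def apply_fixups(record, sector_size=512):
    """Undo the update sequence: on disk the last two bytes of every sector of the record
    hold the update sequence number (USN) and the original bytes sit in the update
    sequence array in the header. A tail without the USN means a torn write or tampering."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        tail = i * sector_size
        if bytes(rec[tail - 2:tail]) != usn:
            raise ValueError(f"update sequence mismatch in sector {i - 1}")
        rec[tail - 2:tail] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def is_consistent(record):
    """True when the update sequence check passes."""
    try:
        apply_fixups(record)
        return True
    except ValueError:
        return False


def parse_data_runs(buf):
    """Run list -> [(start_lcn or None if sparse, clusters)]. Header byte: low nibble =
    length field size, high nibble = offset field size; offsets are signed and relative
    to the previous run, so a later fragment can lie before an earlier one on disk."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))                      # sparse run
        else:
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    return runs


def parse_mft_record(record):
    """Parse one 1024-byte record into header flags and its attribute list."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0],
           "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attributes": []}
    pos = first_attr
    while pos + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break                                            # end-of-attributes marker
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        attr = {"type": atype, "name": ATTR_NAMES.get(atype, f"0x{atype:x}"), "resident": not non_resident,
                "stream": rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16le")}
        if not non_resident:                                 # content is inside the record
            size, content_off = struct.unpack_from("<IH", rec, pos + 0x10)
            attr["content"] = rec[pos + content_off:pos + content_off + size]
        else:                                                # content is out on disk: decode the runs
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            attr["allocated"], attr["size"] = struct.unpack_from("<QQ", rec, pos + 0x28)
            attr["runs"] = parse_data_runs(rec[pos + run_off:pos + alen])
        out["attributes"].append(attr)
        pos += alen
    return out


# Constructed sample records (the builder is demo scaffolding, not an NTFS writer).
def _attr(atype, resident_content=None, runs=b"", real_size=0, cluster=4096):
    if resident_content is not None:
        body = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, 0,
                           len(resident_content), 0x18, 0, 0) + resident_content
    else:
        n = -(-real_size // cluster)
        body = struct.pack("<IIBBHHHQQHHIQQQ", atype, 0, 1, 0, 0x40, 0, 0,
                           0, n - 1, 0x40, 0, 0, n * cluster, real_size, real_size) + runs
    body += b"\x00" * (-len(body) % 8)                       # attributes are 8-byte aligned
    return body[:4] + struct.pack("<I", len(body)) + body[8:]


def build_record(record_no, attrs, size=1024, sector=512):
    rec = bytearray(size)
    usa_off, usa_count = 0x30, size // sector + 1
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    body = b"".join(attrs) + b"\xff\xff\xff\xff\x00\x00\x00\x00"
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", usa_off, usa_count, 0, 1, 1,
                     first_attr, 1, first_attr + len(body), size)
    struct.pack_into("<I", rec, 0x2C, record_no)
    rec[first_attr:first_attr + len(body)] = body
    rec[usa_off:usa_off + 2] = b"\x01\x00"                   # USN; now apply fixups like the driver
    for i in range(1, usa_count):
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * sector - 2:i * sector]
        rec[i * sector - 2:i * sector] = b"\x01\x00"
    return bytes(rec)


RESIDENT_CONTENT = bytes(range(256)) + bytes(range(144))     # 400 bytes, crosses the sector boundary
SAMPLE_RESIDENT = build_record(70, [_attr(0x10, b"\x00" * 48), _attr(0x80, RESIDENT_CONTENT)])
SAMPLE_NONRESIDENT = build_record(71, [_attr(0x10, b"\x00" * 48),
                                       _attr(0x80, runs=b"\x21\x10\x00\x10\x11\x08\xf0\x01\x04\x00", real_size=114000)])
```

The resident sample is chosen so its content straddles byte 510, which is exactly where the fixup bytes live: a parser that skips apply_fixups would silently hand back two wrong bytes of evidence. In a real image, record N is read at the $MFT's own data runs plus N*1024, with $MFT's location taken from the boot sector; named $DATA attributes in the output are the alternate data streams discussed below.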
Journaling: NTFS logs file system transactions (in $LogFile). Reconstruction of events based on the logged I/O may be used to recover encrypted data.
Alternate Data Streams
An NTFS file can have more than one data stream, so a file may carry data beyond its primary stream. In practice this can be used to hide data from users. It is used for evil (by malware) and for good (browsers add an alternate stream, Zone.Identifier, marking a file as downloaded from the Internet, which triggers a warning if the user runs it).
UNIX File Systems
Much like NTFS, but file entries (inodes, comparable to MFT entries) contain no filename. Filenames live in directory entries, so a file's name must be found from the directory structure.
A hardware write blocker should be used when making an image/copy of an original hard drive. If one is not readily available, the disk should be mounted read-only. To verify that the copy is true, hashes of the original should be compared with hashes of the copy.
If encryption is suspected, encryption keys might be recovered from memory if the system is powered on.
Timestamps can be forged, so they are not to be blindly trusted.
Timestomping is a technique that modifies a file's timestamps (modified/accessed/created).
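As an added example (not from the course), the Python below encodes the usual NTFS timestomping checks: user-land APIs such as SetFileTime() only rewrite the $STANDARD_INFORMATION timestamps, while the kernel maintains the $FILE_NAME copies itself, so $SI values that contradict $FN are the classic sign; and the common tools set whole-second values, leaving the 100 ns digits zero. The FILETIME conversion is the real one; the two timestamp sets and the indicator names are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # FILETIME = 100 ns ticks since 1601-01-01 UTC


def to_filetime(dt, extra_ticks=0):
    """UTC datetime -> FILETIME. extra_ticks (0-9) adds the sub-microsecond part
    that datetime cannot represent."""
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10 + extra_ticks


def from_filetime(ft):
    """FILETIME -> UTC datetime (the last 100 ns digit is dropped)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def timestomp_indicators(si, fn):
    """Heuristics over one file's $STANDARD_INFORMATION (si) and $FILE_NAME (fn)
    timestamp sets, each a dict of created/modified/changed/accessed FILETIMEs.
    Returns the list of indicators that fired; none of them is proof on its own."""
    flags = []
    if all(v % TICKS_PER_SECOND == 0 for v in si.values()):
        flags.append("si_all_whole_seconds")          # 1 s granularity: typical of stomping tools
    if si["created"] < fn["created"]:
        flags.append("si_created_before_fn_created")  # $FN is set by the kernel, not by SetFileTime
    if si["modified"] < fn["created"]:
        flags.append("si_modified_before_fn_created")
    if si["changed"] < si["modified"]:
        flags.append("mft_changed_before_content_modified")  # normal activity keeps changed >= modified
    return flags


def sample():
    """Constructed timestamps: a file created 2020-09-13 12:26:40.1234567 UTC and
    edited an hour later, then the same file after its $SI set was stomped to 2015."""
    born = to_filetime(datetime(2020, 9, 13, 12, 26, 40, 123456, tzinfo=timezone.utc), 7)
    edited = born + 3600 * TICKS_PER_SECOND
    genuine_si = {"created": born, "modified": edited, "changed": edited, "accessed": edited}
    genuine_fn = {"created": born, "modified": born, "changed": born, "accessed": born}
    stomped = to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))
    stomped_si = {key: stomped for key in genuine_si}
    return genuine_si, genuine_fn, stomped_si


if __name__ == "__main__":
    genuine_si, fn, stomped_si = sample()
    print("genuine:", timestomp_indicators(genuine_si, fn))   # []
    print("stomped:", timestomp_indicators(stomped_si, fn))
    print("fn created:", from_filetime(fn["created"]).isoformat())
```

Treat the output as leads, not conclusions: archive extractors and copy tools legitimately restore old $SI times (so $SI before $FN happens on honest systems), and a tool with raw access to the volume can rewrite $FN as well. The checks earn their keep when combined with the journal and the timeline around the file.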
Windows artifacts of interest: the registry, pagefile.sys, hiberfil.sys.
UNIX/Linux artifacts of interest: /etc/passwd, /etc/shadow, /proc, /var/log.
Mobile and Embedded Forensics
Methods can be classified with respect to the following categories:
- Abstraction layer: at which level do we acquire the data?
- Logical alterations: does the acquisition alter the data?
- Physical alterations: does the acquisition physically alter the device the data is being extracted from?
- Reproducibility: can we do this again and obtain the same result?
- Cost: is this expensive?
Manual: using the device as intended while manually recording the data.
Logical: pulling data off the device using its own commands, e.g. Android ADB.
Physical (debug port): obtaining a memory dump through low-level debug interfaces such as JTAG.
Chip-off: physically removing the memory chip and reading the data off it.
Micro read: reading the data off the circuit itself.
Open sources: collection of readily available information on actors.
Examples include DNS/reverse DNS lookups, WHOIS, IP geolocation databases as well as information that people give about themselves on social media.
Network forensics: securing artifacts from nodes and wires.
Examples include ping, port scans and traceroute.
Computer forensics + internet forensics = local acquisition. Browser history, cache, cookies, bookmarks and download history are of interest.
On the server side, web server logs, web application logs and cloud data are of interest.
An attacker tunnels through many computers in different jurisdictions, so tracing requires cooperation at every hop.
Anonymisation networks and tunnelling
Tor and similar services make tracing almost impossible.
Many users might be behind a single public IP address due to NAT or VPNs. Which one of them did it?
Information from WHOIS or IP geolocation databases might be inaccurate or plain wrong.
One should prepare for digital incidents. Enterprises will focus on being able to handle such incidents with minimum cost and minimum disruption to profit-generating operations.
The Enterprise Digital Forensic Readiness Process
- Identify laws and regulations
- Risk assessment
- Identify scenarios that might happen
- Relate digital forensics to the existing enterprise capability
- Define an enterprise digital forensic policy
  - (including policies related to outsourcing)
- Define procedures based on the policy
- Set up an organizational structure covering authority and responsibility
  - (including roles with the required skills)
- Train the foot soldiers to prevent/recognize an incident
- Set up the infrastructure/required tools
- Look back on what you have done so far, and evaluate whether it is good enough
Important things to consider are:
- Evidence handling procedures
- Law enforcement involvement
While law enforcement has its own guidelines and procedures, an enterprise should have an enterprise digital forensics policy detailing the following:
- The purpose of the policy
- Its scope
- Relevant laws/regulations
- Relations to other policies (like risk management/ordinary incident response)
A digital forensics process can involve many people. These are the textbook's suggested roles and responsibilities (closely linked to the phases of the digital forensics process).
- First Responder
- Secures the crime scene, secures physical evidence, identifies digital evidence
- Digital Forensics Specialist
- Further identification, collection
- Digital Forensics Analyst
- Digital Forensics Investigator
- Leading the investigation/oversight, presentation
- Data Retention Specialist
- Makes sure that the evidence is retained properly
Insert obligatory this-section-has-not-been-reviewed-by-a-law-professional disclaimer here.
Common Law
The law is not only what is in the book (written legislation) but also what courts have decided in the past (judicial precedent). Jury trials.
To admit evidence you have to argue why it should be allowed in. Strict rules about evidence classification and handling exist.
Civil Law/Penal Code
The law is all about what is in the book (written legislation). Legal precedent is only supposed to be used to help interpret the laws, and typically only the highest courts can set a precedent. Typically no juries.
You have to argue why something should not be allowed to be admitted. The judge(s) decide what can and cannot be used on a case-by-case basis. Few rules.
Procedural Law
Aka meta-law / law about law. Concerns how the legal process should work:
- Who has which responsibilities
- How decisions should be made
Convention on Cybercrime
The Budapest Convention on Cybercrime was signed on 23 November 2001 and entered into force on 1 July 2004. It addresses copyright infringement, hacking, child pornography and violations of network security.
Signatories agree to make the necessary changes to their national laws to adhere to the convention.
Signed by 50+ countries (notable absentees: Russia, India, Brazil).