Computer Forensics. An Introduction. Seamus E. Byrne Director, Forensics, KordaMentha. For Bond University. 29 March 2011




Transcription:


2 Disclaimer This presentation is made available by Seamus E. Byrne, an Australian legal practitioner, for educational purposes only. Content is not to be used as legal opinion or as a substitute to qualified matter-specific legal advice within your jurisdiction. All endeavours have been made to ensure content accuracy as at February 2011.

3 Your Presenter
Seamus E. Byrne
- Bond Law Graduate, 2005
- Director, Forensics, KordaMentha
- Australian Lawyer and Computer Forensics Expert (CISSP, CCE, EnCE)
- E-Discovery Advisor to S&P/ASX 200 and Fortune 500 companies
- Co-Author, LexisNexis Australia Federal Civil Litigation Precedents and Electronic Evidence (Second Edition)

4 Today
- Electronic Evidence
- Computer Forensics: Definition, Key Applications, Personnel, Tool Evolution, Environments, Stages

5 98% of documents are stored in electronic form only

6 Electronic Documents - Historical Perspective
- Industrial Revolution: typewriter, carbon paper, filing cabinet
- Information Revolution c. 1960: mainframe computer, Xerox photocopier, magnetic storage
- Information Revolution c. 1985: personal computer, computer networks, optical storage
- Information Revolution c. 1995-: portable computing, the Internet, solid-state storage

7 Electronic Documents - Key Features
- Metadata, or "data about the data"
- Easily copied, defying the physical concept of an authentic original
- Easily altered, even without human intervention, blurring integrity
- Easily deleted, and recovery may often present an onerous task
- Easily mismanaged, particularly when the same electronic document is stored in, or synchronised to, many distributed locations
- The volume of electronic documents continues to increase

8 Understanding Data Storage - Hard Drives
Hard Disk Drives (HDDs) are the most common primary data storage device for modern personal computers. Components (pictured): spindle, platters, actuator (axis, arm and head), SATA data connector, SATA power connector.

9 Understanding Data Storage - Solid State Drives
Solid State Drives (SSDs) are increasingly popular: no moving parts, greater reliability. Components (pictured): controller, flash memory.

10 Understanding Data Storage - Interface Connectors
- Internal: SATA (pictured), PATA/IDE, SCSI, SAS
- External: USB, FireWire, eSATA

11 Understanding Data Storage
- Bytes are grouped into sectors
- Sectors are grouped into clusters
- A file system is used to store, organise and retrieve data in clusters
- A file system is located within a volume on a hard drive
- Multiple volumes can be stored on one hard drive using partitions

12 Understanding Data Storage
Drive > Partition > Volume > File System > Cluster > File

13 Understanding Data Storage - Common File Systems
- File Allocation Table (FAT): Microsoft Windows (legacy), portable storage
- New Technology File System (NTFS): Microsoft Windows (modern)
- Hierarchical File System (HFS): Apple Macintosh
- Third Extended File System (ext3): Linux
- Universal Disc Format (UDF): optical storage media (CD, DVD)

14 Understanding Data - File Storage
Index Table: File A, File B
Clusters: A A A B B B B B

15 Understanding Data - File Deletion
Index Table: File A, File B
Clusters: A A A B B B B B

16 Understanding Data - Overwriting
Index Table: File A, File B, File C
Clusters: A A A C C B B B

17 Understanding Data - Slack and Unallocated Space
Index Table: File A, File B, File C, File D
Clusters: A A A C C D D B B (slack and unallocated space)

18 Understanding Data - Formatting
Index Table: (cleared)
Clusters: A A A B B B B B
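The index-table diagrams on slides 14-18 can be replayed in code. The following toy cluster-allocated file system is an added illustration, not code from the presentation; the cluster size, cluster count and file names are constructed to mirror the slides. It shows why deletion and quick formatting leave data recoverable, why a later file only partially overwrites an earlier one, and where slack and unallocated space come from.

```python
"""Toy cluster-allocated file system (added illustration, not from the slides).

It mimics the index-table diagrams on slides 14-18: the index maps a file name
to the clusters it occupies, and deleting or formatting only touches the index,
so the bytes stay on the platter until another file reuses the cluster.
"""

CLUSTER_SIZE = 4   # bytes per cluster (tiny, so a layout fits on one line)
NUM_CLUSTERS = 8


class ToyDisk:
    def __init__(self):
        # The "platter": every cluster starts out zero-filled.
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        # The "index table": file name -> (length in bytes, ordered cluster chain).
        self.index = {}

    def _free_clusters(self):
        used = {c for _, chain in self.index.values() for c in chain}
        return [c for c in range(NUM_CLUSTERS) if c not in used]

    def write(self, name, data):
        """Allocate the first free clusters, store data, return the chain."""
        needed = -(-len(data) // CLUSTER_SIZE)          # ceiling division
        free = self._free_clusters()
        if needed > len(free):
            raise OSError("disk full")
        chain = free[:needed]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            # Only the bytes the file needs are written; the rest of the last
            # cluster (the slack) keeps whatever the previous occupant left.
            self.clusters[c][:len(chunk)] = chunk
        self.index[name] = (len(data), chain)
        return chain

    def read(self, name):
        length, chain = self.index[name]
        return bytes(b"".join(self.clusters[c] for c in chain)[:length])

    def delete(self, name):
        """Deletion = drop the index entry. The clusters are not wiped."""
        del self.index[name]

    def format(self):
        """A quick format clears the whole index table and nothing else."""
        self.index.clear()

    def layout(self):
        """One letter per cluster, '-' for unallocated (slide-style diagram)."""
        owner = {c: name for name, (_, chain) in self.index.items() for c in chain}
        return " ".join(owner.get(c, "-") for c in range(NUM_CLUSTERS))

    def slack(self, name):
        """Bytes in the file's last cluster that lie beyond its logical end."""
        length, chain = self.index[name]
        used_in_last = length - (len(chain) - 1) * CLUSTER_SIZE
        return bytes(self.clusters[chain[-1]][used_in_last:])

    def unallocated(self):
        """Raw contents of the clusters that no index entry points to."""
        return b"".join(bytes(self.clusters[c]) for c in self._free_clusters())

    def carve(self, needle):
        """Clusters whose raw bytes contain needle, ignoring the index entirely."""
        return [c for c in range(NUM_CLUSTERS) if needle in self.clusters[c]]


if __name__ == "__main__":
    d = ToyDisk()
    d.write("A", b"A" * 12); d.write("B", b"B" * 20)
    print(d.layout())                      # A A A B B B B B   (slide 14)
    d.delete("B")
    print(d.layout(), d.carve(b"BBBB"))    # A A A - - - - - [3, 4, 5, 6, 7]
    d.write("C", b"C" * 8)
    print(d.layout())                      # A A A C C - - -   (slide 16)
    d.write("D", b"D" * 6)
    print(d.slack("D"), d.unallocated())   # b'BB' b'BBBB'  (slide 17)
    d.format()
    print(d.layout(), d.carve(b"AAAA"))    # - - - - - - - - [0, 1, 2]
```

Real file systems differ in detail (NTFS, for example, zero-fills the tail of the last sector it writes, and SSD controllers may discard unallocated blocks), but the index-versus-content distinction the slides draw is the same.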

19 Understanding Data - Bits and Bytes

| Bit(s) | Name                | Binary                                                                                  |
|--------|---------------------|-----------------------------------------------------------------------------------------|
| 1      | Bit                 | 0 or 1                                                                                  |
| 4      | Nibble              | 0000                                                                                    |
| 8      | Byte                | 0000-0000                                                                               |
| 16     | Word                | 0000-0000 0000-0000                                                                     |
| 32     | Double Word (Dword) | 0000-0000 0000-0000 0000-0000 0000-0000                                                 |
| 64     | Quad Word (Qword)   | 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000         |

20 Understanding Data - Bits and Bytes

| Volume  | Name      | Acronym |
|---------|-----------|---------|
| 1000 B  | Kilobyte  | kB      |
| 1000 kB | Megabyte  | MB      |
| 1000 MB | Gigabyte  | GB      |
| 1000 GB | Terabyte  | TB      |
| 1000 TB | Petabyte  | PB      |
| 1000 PB | Exabyte   | EB      |
| 1000 EB | Zettabyte | ZB      |
| 1000 ZB | Yottabyte | YB      |

21 Understanding Data - Binary and Hex
Computers understand numbers!
- Binary: represents 1 bit (0 or 1); underpins our interaction with computer data
- Hexadecimal (base 16): each hexadecimal character represents 4 bits or 1 nibble; uses 0-9, A-F

22 Understanding Data - Converting Bin to Dec/Hex
Place value:  128 64 32 16 | 8 4 2 1
Byte:           0  0  0  0 | 1 0 1 0   (first nibble | second nibble)
Calculate the decimal value: (1x8)+(1x2) = 10
Identify the hexadecimal character using the lookup table: A

23 Understanding Data - Converting Bin to Dec/Hex
Place value:  128 64 32 16 | 8 4 2 1
Byte:           1  0  1  0 | 1 0 1 0   (first nibble | second nibble)
Calculate the decimal value: (1x128)+(1x32)+(1x8)+(1x2) = 168
Identify the hexadecimal characters using the lookup table: A2

24 Understanding Data - ASCII
American Standard Code for Information Interchange (ASCII)
- Traditional character encoding table for the English language
- First released in 1963
- Standard table consists of 128 characters (1-9, A-Z, etc.) in 7 bits
- Extended table consists of 256 characters in 8 bits = 1 byte

25 Understanding Data - Converting Hex to ASCII
Use the hexadecimal to ASCII lookup table (sp = space, 0x20):

| Byte  | 0  | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | 10 | 11 | 12 | 13 | 14 |
|-------|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|
| Hex   | 31 | 32 | 33 | 20 | 4d | 61 | 72 | 69 | 6e | 65 | 20 | 50 | 64 | 65 | 2e |
| ASCII | 1  | 2  | 3  | sp | M  | a  | r  | i  | n  | e  | sp | P  | d  | e  | .  |

26 Electronic Documents - Metadata
Metadata comes in two types:
- System metadata is stored independently by the file system and managed by the computer's operating system
- Application metadata is typically embedded as part of the electronic document and managed by a specific software application
Metadata is the primary difference between an electronic document in its native, electronic form and the same electronic document printed to paper.

27 Electronic Documents Metadata

28 Electronic Documents Application Metadata System Metadata System and Application Metadata

29 Electronic Documents Application Metadata

30 Electronic Documents - Application Metadata (e-mail header)

Received: from mail96.messagelabs.com (216.82.254.19) by MEL-EX07-01.KordaMentha.local (10.2.20.41) with Microsoft SMTP Server id 8.2.213.0; Sat, 24 Jul 2010 00:44:29 +1000
X-VirusChecked: Checked
X-Env-Sender: vedelman@iconect.com
X-Msg-Ref: server-13.tower-96.messagelabs.com!1279896247!75406857!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [204.101.245.168]
X-SpamReason: No, hits=0.0 required=7.0 tests=mail larger than max spam size
Received: (qmail 12387 invoked from network); 23 Jul 2010 14:44:09 -0000
Received: from iconect-08.user.start.ca (HELO mail.iconect.com) (204.101.245.168) by server-13.tower-96.messagelabs.com with SMTP; 23 Jul 2010 14:44:09 -0000
Received: from mail.iconect.com ([192.168.1.5]) by mail.iconect.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 23 Jul 2010 10:44:05 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_nextpart_001_01cb2a75.7f913340"
Subject: ALSP Webinar - Data Mapping
Date: Fri, 23 Jul 2010 10:43:57 -0400
Message-ID: <2CDC05C96142924A866FC5AA975954BB0463B547@ICEX0.corp.iconect.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: ALSP Webinar - Data Mapping
Thread-Index: AcsqdXs7cAYPZBLVSfSF4VOg5xqtBA==
From: Victoria Edelman <vedelman@iconect.com>
To: "Ahearn, Matthew J." <MJAhearn@Venable.com>, "Fletcher, Courtney" <cfletcher@mesirowfinancial.com>
Return-Path: vedelman@iconect.com
X-OriginalArrivalTime: 23 Jul 2010 14:44:05.0229 (UTC) FILETIME=[7FB4D9D0:01CB2A75]
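The header block on slide 30 is application metadata an examiner reads bottom-up: each mail server prepends its own Received line, so the chain records the path and timing of the message. The following added example (not part of the presentation) reconstructs that path from the slide's own headers, normalises every timestamp to UTC, checks that the hops are chronologically consistent, and decodes the Exchange FILETIME value so it can be cross-checked against the human-readable time. It assumes Python's standard library only; note that a zone of "-0000" yields a naive datetime, which the code treats as UTC.

```python
"""Reconstruct an e-mail's delivery path from its Received headers.

Added example, not from the slides. HEADERS is the slide-30 header block
re-wrapped one header per line and trimmed to the fields used here.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADERS = """\
Received: from mail96.messagelabs.com (216.82.254.19) by MEL-EX07-01.KordaMentha.local (10.2.20.41) with Microsoft SMTP Server id 8.2.213.0; Sat, 24 Jul 2010 00:44:29 +1000
X-Env-Sender: vedelman@iconect.com
X-Originating-IP: [204.101.245.168]
Received: (qmail 12387 invoked from network); 23 Jul 2010 14:44:09 -0000
Received: from iconect-08.user.start.ca (HELO mail.iconect.com) (204.101.245.168) by server-13.tower-96.messagelabs.com with SMTP; 23 Jul 2010 14:44:09 -0000
Received: from mail.iconect.com ([192.168.1.5]) by mail.iconect.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 23 Jul 2010 10:44:05 -0400
Date: Fri, 23 Jul 2010 10:43:57 -0400
Message-ID: <2CDC05C96142924A866FC5AA975954BB0463B547@ICEX0.corp.iconect.com>
X-OriginalArrivalTime: 23 Jul 2010 14:44:05.0229 (UTC) FILETIME=[7FB4D9D0:01CB2A75]

"""


def to_utc(date_text):
    """Parse an RFC 2822 date and normalise it to UTC.

    RFC 2822 uses '-0000' for 'no zone information'; Python then returns a
    naive datetime, which is treated here as UTC so hops stay comparable.
    """
    dt = parsedate_to_datetime(date_text.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_received(value):
    """Pull the 'from' host, 'by' host and timestamp out of one Received header."""
    body, _, date_text = value.rpartition(";")
    from_host = re.match(r"from\s+(\S+)", body)        # absent on qmail's local hop
    by_host = re.search(r"\bby\s+(\S+)", body)
    return {
        "from": from_host.group(1) if from_host else None,
        "by": by_host.group(1) if by_host else None,
        "time": to_utc(date_text),
    }


def delivery_path(raw_headers):
    """Hops in chronological order: each MTA prepends its Received header,
    so the bottom-most header is the first hop."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def clock_skew_ok(hops):
    """True when no hop claims a time earlier than the hop before it."""
    times = [h["time"] for h in hops]
    return all(a <= b for a, b in zip(times, times[1:]))


def filetime_to_utc(low_hex, high_hex):
    """Decode the Exchange FILETIME=[low:high] pair: 100 ns ticks since 1601-01-01."""
    ticks = (int(high_hex, 16) << 32) | int(low_hex, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def original_arrival(raw_headers):
    """Arrival time as recorded by Exchange, decoded from the binary FILETIME."""
    msg = message_from_string(raw_headers)
    m = re.search(r"FILETIME=\[([0-9A-Fa-f]+):([0-9A-Fa-f]+)\]", msg["X-OriginalArrivalTime"])
    return filetime_to_utc(m.group(1), m.group(2))


if __name__ == "__main__":
    hops = delivery_path(HEADERS)
    for h in hops:
        print(f"{h['time']:%Y-%m-%d %H:%M:%S}Z  {h['from'] or '-':<28} -> {h['by'] or '-'}")
    print("timestamps consistent:", clock_skew_ok(hops))
    print("Exchange arrival (FILETIME):", original_arrival(HEADERS))
```

The decoded FILETIME agrees with the text of X-OriginalArrivalTime, and the whole transit from the sender's Exchange server to the KordaMentha server spans 24 seconds; a hop that ran backwards in time would point to a mis-set server clock or a forged header.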

31 Electronic Documents Application Metadata

32 Electronic Documents Application Metadata

33 Electronic Evidence - Evidentiary Considerations
- Documentation: maintain detailed notes for all observations and tasks undertaken, including any errors encountered and mistakes made
- Chain of Custody: maintain detailed custody logs, documenting all custody transfers, from collection to Court to destruction
- Evidence Copies: remember Locard's exchange principle; collect and analyse without (or with minimal) alteration
- Best Practice: Guidelines for the Management of IT Evidence (HB171-2003), Standards Australia

34 Electronic Evidence - Expert Opinion and Testimony
- How contentious is this matter?
- Do I require specialist expertise not readily possessed by the everyday information technology practitioner?
- Do I need to mitigate the risk of being unable to clearly explain the potential significance of electronic evidence?

35 Today
- Electronic Evidence
- Computer Forensics: Definition, Key Applications, Personnel, Tool Evolution, Environments, Stages (Identification, Preservation, Analysis, Reporting)

36 Computer Forensics - Definition
"The process of identifying, preserving, analysing and presenting electronic evidence in a manner that is legally acceptable in any judicial or administrative hearing" (McKemmish, 1999)
- Also commonly referred to as digital forensics, e-forensics, forensic computing or forensic technology
- Applied to resolve uncertainty in relation to a digital event

37 Computer Forensics - Why?
- Investigations: corporate, regulatory, insolvency
- Litigation: civil, criminal

38 Key Applications - Civil Litigation
- Intellectual property (IP) infringement and theft
- Fraud and financial crime
- Contractual disputes
- Defamation and harassment
- Identity theft
- Misuse of, or unauthorised access to, computing or Internet resources
- Electronic discovery (E-Discovery)

39 Key Applications - Criminal Litigation
- Child pornography
- Serious fraud
- Drug trafficking
- Anti-terrorism

40 Key Applications - Criminal Litigation
- s.3E Crimes Act 1914 (Cth) - Search and Seizure: three (3) conditions, seizure and removal
- s.3L(1A) - Permits Forensic Imaging: introduced per Cybercrime Act 2001 (Cth); equipment can be secured for up to 24 hours to allow computer forensic experts to make a copy; an additional 72 hours can be requested
- s.3LA - Assistance Orders: R v ADJ [2005] VSCA 102
- International Criminal Investigations: may be facilitated by AFP or Interpol; subject to the Mutual Assistance in Criminal Matters Act 1987 (Cth)

41 Computer Forensics - Standards and Guidelines
- ISO/IEC 17025:2005 Standard
- Forensic Laboratory (Electronic Evidence) Certification (NATA Technical Circular 9, 2008) - AFP now accredited!
- Guidelines for the Management of IT Evidence (HB 171-2003)

42 Computer Forensics - Personnel
Little clarity as to roles, largely driven by lack of resources and expertise.
- First Responders (Digital Crime Scene): identification, preservation; fact witness
- Computer Forensic Practitioners: analysis and presentation; expert opinion

43 Computer Forensics Personnel - The Ideal Candidate
- Traditionally, on-the-job experience was considered sufficient
- Should possess a multi-disciplinary background
- May possess tertiary qualifications
- May possess industry certifications:
  - Information Technology - CompTIA, Microsoft, Cisco
  - Information Security - Security+, CISSP
  - Computer Forensics (Neutral) - CCE, CFCE
  - Computer Forensics (Vendor Specific) - EnCE, ACE
- Must possess demonstrated experience

44 Computer Forensics Personnel - Education
- Industry certifications are generally held in high regard
- Many Australian and international universities have started to offer tertiary qualifications relevant to computer forensics
- However, there is a deficiency of quality practical training
- Education is also required for law enforcement officers and lawyers to better understand the significance of electronic evidence

45 Computer Forensics Personnel - Regulation
- Limited metrics by which to benchmark practitioners' performance: certifications, case law
- No governing body in Australia or internationally
- ANZFSS traditionally hesitant to classify computer forensics as a true forensic discipline

46 Computer Forensics Personnel - Licensing
Legislators in the USA and Australia are increasingly confusing private sector computer forensic practitioners for private investigators. This has controversially required many to attain the relevant licences to be a PI within the jurisdictions they operate.
Queensland: The Security Providers Act 1993 (Qld) does not state whether those working as consultants or employees in the Internet and computer security industry are required to hold a licence. The Act regulates the manpower and technical sectors of the security industry relating to the protection of people and physical property. This includes the installation and maintenance of physical security equipment.

47 Computer Forensics Personnel - The Expert
- How contentious is this matter?
- Do you require specialist expertise not readily possessed by the everyday information technology practitioner?
- Do you need to mitigate the risk of being unable to clearly explain the potential significance of electronic evidence?

48 Computer Forensics Personnel - Best Practice
Forensic Laboratory Certification (NATA Technical Circular 9, 2008), 5.2 Personnel:
- should hold a Bachelor qualification, or equivalent, in a field of science;
- must be competent in the preservation and analysis of electronic evidence;
- must possess a multi-disciplinary appreciation; and
- must document and satisfy on-going training and continued competency evaluation requirements.
Guidelines for the Management of IT Evidence (HB 171-2003):
- [2.2.6] Ensure that personnel involved in the design, production, collection, analysis and presentation of evidence have appropriate training, experience and qualifications to fulfil their role(s).
- [3.5.2] Persons conducting analysis of IT evidence should be suitably qualified for the role they are performing.

49 Computer Forensics - Tool Evolution
- Reliant on hardware and software tools to expedite and automate tasks
- Due to the human element, potential for both inherent failure and user error
- Standard disclaimer: "This assignment has been performed with the assistance of computer hardware and software tools available to me as at the date of preparation of this report"

50 Computer Forensics - Tool Evolution
- First Evolution: tools were command-line driven and required substantial technical expertise
- Second Evolution: tools with a graphical user interface (GUI); often criticised as "Nintendo forensics" by First Evolution practitioners
- Third Evolution (today): tools with distributed processing to better manage large volumes of data; specific tools for specific purposes (Windows Registry, mobile phones, etc.); virtualisation

51 Computer Forensics Tool Evolution - EnCase
- Industry standard tool for computer forensics
- Automated recovery of deleted files
- Automated conversion of multiple data sources to a single timezone
- EnScripts: facilitate automated case processing; searches, bookmarking and data export to other forensic tools
- GUI layout: left pane - tree; right pane - table; bottom left - viewer; bottom right - filters

52

53 Computer Forensics Environments - Lab
- Secure facility for electronic evidence storage and analysis
- At least one (1) room with audited access
- Full suite of tools, in contrast to the Fly-Away Kit
- Standard Operating Procedure (SOP): ACPO (UK), NIST (USA), IOCE and SWGDE (International)

54 Computer Forensics Environments - Fly-Away
- The large majority of computer forensic work is performed in the field
- A well-prepared fly-away kit is essential
- What should your fly-away kit contain?

55 Computer Forensics Lab Management - Handling
Forensic Laboratory Certification (NATA Technical Circular 9, 2008), 5.8 Handling of test and calibration items:
- must have a documented evidence control system that appropriately caters for both physical and electronic evidence (including receipt, handling, protection and storage);
- must have procedures to ensure the integrity of evidence under its control; and
- must have a secure area for overnight and/or long-term storage of physical and electronic evidence.
Guidelines for the Management of IT Evidence (HB 171-2003):
- [3.4.2] Contemporaneous notes
- [3.4.4] Chain of custody
- [3.2.3] Establishing the authenticity of electronic records

56 Computer Forensics Lab Management - Results
Forensic Laboratory Certification (NATA Technical Circular 9, 2008), 5.9 Assuring the quality of test and calibration results:
- must monitor the performance of tests/examinations by using quality control procedures appropriate to the type and frequency of tests/examinations undertaken; and
- must clearly identify case records that have been reviewed, including reviewer and date of the review.
Guidelines for the Management of IT Evidence (HB 171-2003):
- [3.2.5] Establishing the reliability of computer programs
- [3.3.1] Correct operation

57 Computer Forensics Lab Management - Calibration
Forensic Laboratory Certification (NATA Technical Circular 9, 2008), Equipment calibration intervals:
- must check write blockers and data acquisition tools for functionality and verify their fitness for use, upon use.
Guidelines for the Management of IT Evidence (HB 171-2003):
- [3.2.5] Establishing the reliability of computer programs
- [3.3.1] Correct operation
NIST Computer Forensic Tool Testing (CFTT) Program

58 Computer Forensics Lab Management - Environment
Forensic Laboratory Certification (NATA Technical Circular 9, 2008), 5.3 Accommodation and environmental conditions:
- must have documented procedures for the authorisation of access to areas, both physical and electronic, within the laboratory; and
- must maintain records for time spent in the laboratory by authorised persons.
Guidelines for the Management of IT Evidence (HB 171-2003): no direct coverage

59 Today
- Electronic Evidence
- Computer Forensics: Definition, Key Applications, Personnel, Tool Evolution, Environments, Stages

60 Computer Forensics - Identification
- Types of electronic evidence required for preservation and analysis
- Sources of electronic evidence containing the types required
- Locations of the potential sources of electronic evidence
- Identify sufficient electronic evidence to support your contentions, but do not jeopardise your efforts or exceed legal constraints

61 Computer Forensics Identification - Types
- Business Records: documents, spreadsheets, presentations, databases and transaction logs
- Communications: web browsing activity, e-mail, instant messaging (IM), voicemail, calendar entries, call logs
- Multimedia: images, audio and video
- Artefacts:
  - Recently logged-on users - Event Logs
  - Recently accessed data files and folders - Registry, Shortcut (Link) Files
  - Recently connected removable devices - Registry, Shortcut (Link) Files, Event Logs
  - Recently deleted data files - Recycle Bin, INFO2 Files
  - Recently accessed web sites - History, Cookies, Cache

62 Computer Forensics Identification - Sources
- Personal Computers: desktop and notebook; removable devices (floppy, CD/DVD, USB)
- Computer Servers: file; Internet (web, e-mail); database; remote access; storage (NAS, SAN, tape)
- Communication: mobile phone; smartphone and PDA; GPS navigation system; multifunction printer
- Multimedia: media player (iPod); digital still/video camera; digital voice recorder; digital video recorder; gaming (PS3, Xbox)

63 Computer Forensics Identification - Web Sources
- Social Networking: Facebook, Hi5, LinkedIn, MySpace, Second Life
- Content Sharing: Google Blogger, Google Docs, Salesforce CRM, YouTube
- Communication: IM (MSN, QQ), VoIP (Skype), Twitter, BlackBerry Messenger
- Commerce: share trading, banking, auctions (eBay), shopping (Amazon)

64 Computer Forensics Identification - Locations
- Location is both electronic and physical
- Synchronisation means the same data may be located in multiple locations and you must efficiently prioritise (e.g. BlackBerry = Outlook = Exchange)
- Virtualisation technology is used to allow multiple computers to transparently operate from one physical computer
- Physical location may mean a source is difficult or unlawful to access

65 Computer Forensics Identification - Real World
- Location: commercial, residential
- Time: available, day/night
- Resources: personnel, equipment, utilities
- Distractions: police, lawyers, disgruntled employees, emotional family

66 Computer Forensics Identification Case Study

67 Computer Forensics Identification Case Study

68 Computer Forensics Identification Case Study

69 Computer Forensics Identification Case Study

70 Computer Forensics Identification Case Study

71 Computer Forensics Identification Case Study

72 Computer Forensics - Preservation
- Once sources of digital evidence have been identified, steps should be taken to ensure that it is preserved for collection and analysis
- Preservation also includes understanding that some data may not be preserved
- Volatile data: data that is no longer available after a short time or once the computer loses power (e.g. temporary system data, RAM memory)
- Non-volatile data: data that remains available even when the computer loses power (e.g. user-created data stored on a hard drive)

73 Computer Forensics Preservation - Tools of the Trade
- Forensic Equipment: forensic computers; forensic write blockers; adapters, cables, etc.; boot disks and dongles; wiped storage
- Technical Equipment: notebook, pens, pencils; computer toolkit; digital camera; handheld GPS (time); gloves, torch, batteries
- Transport: evidence bags; containers and labels; portable UPS; select spare parts; legal documents
- Safe Custody: secure storage; chain of custody logs

74 Computer Forensics Preservation - Types
Physical Forensic Imaging
- Purpose: exact copy of all data on a hard drive; includes all active and deleted data; includes all privileged and confidential data
- Integrity: stored within an image; able to be verified using a cryptographic hash (e.g. MD5, SHA-1, SHA-256)
- Notes: relatively slow but provides flexibility for detailed analysis; creation of a forensic image for an average hard drive (40GB-250GB) takes 60-180 minutes
Logical Forensic Imaging
- Purpose: exact copy of specific active data (e.g. all Microsoft Word documents on a hard drive returning search hits for the keyword "wages")
- Integrity: stored within an image; able to be verified using a cryptographic hash
- Notes: relatively fast but analysis is limited to the active data collected; increasingly accepted as the default e-discovery collection type
File Copy
- Purpose: copy of specific active data (e.g. all Microsoft Word documents within a folder)
- Integrity: unless a proven copy method is used, data is subject to alteration
- Notes: fast but analysis is limited to the active data collected

75 Computer Forensics Preservation - Methods
Dead
- Purpose: data is collected after the computer is disconnected from standard operation
- Method: computer is disconnected by pulling the plug or graceful shutdown; hard drive is connected via a write blocker to a forensic computer; alternatively, a forensic boot disk may be used; computer date and time is verified via BIOS
- Notes: traditionally accepted; does not allow for most encrypted and volatile data
Live
- Purpose: data is collected with minimal disruption to the computer's standard operation
- Method: connection is made to the computer whilst in operation, directly or via network; computer date and time is verified via operating system analysis
- Notes: efficient for matters involving a large number of computers and limited forensic resources; reduces traditional liability issues with shutting down mission-critical computers; allows for collection of most encrypted and volatile data; increasingly accepted as the default e-discovery collection method

76 Computer Forensics Preservation - Write Blocker

77 Computer Forensics Preservation - Duplicator

78 Computer Forensics Preservation - Live Boot CD

79 Computer Forensics Preservation - Mobile Phones

80 Computer Forensics - Analysis
Analysis generally involves the reconstruction of past electronic events:
- What is the event?
- Who caused the event?
- When did the event occur?
- How did the event occur?

81 Computer Forensics Lab Management - Validation
Forensic Laboratory Certification (NATA Technical Circular 9, 2008), Test and calibration methods and method validation:
- is not required, at this stage, to attach an estimation of uncertainty measurement to non-numeric test results;
- is encouraged, where possible, to have an understanding of the variability of their results;
- may need to consider uncertainty measurements attached to the measurement of time using the system clock.
Guidelines for the Management of IT Evidence (HB 171-2003):
- [3.5.3] Completeness of evidence
- [3.2.2] Identifying the author of electronic records
- [3.2.3] Establishing the authenticity of electronic records
- [3.2.4] Establishing the time and date a particular computer electronic record was created

82 Computer Forensics Analysis - Casey's Certainty Scale

| Certainty Level | Evidence Description                                                                                                             | Qualification      |
|-----------------|----------------------------------------------------------------------------------------------------------------------------------|--------------------|
| C0              | Contradicts known facts                                                                                                          | Incorrect          |
| C1              | Highly questionable                                                                                                              | Highly uncertain   |
| C2              | One source of evidence that is not protected against tampering                                                                   | Somewhat uncertain |
| C3              | One or more sources that are more difficult to tamper with; insufficient evidence to support a firm conclusion                   | Possible           |
| C4              | One or more sources that are protected against tampering; verified by independent sources                                        | Probable           |
| C5              | One or more sources that are protected against tampering; verified by independent sources that are also protected against tampering | Almost certain     |
| C6              | Tamper proof and unquestionable                                                                                                  | Certain            |

* Scale Copyright 2004 Eoghan Casey.

83 Computer Forensics Analysis - Case Study 1 John s purebred dog, Rex, became ill and was taken to Frank, a veterinarian Frank prescribed Rex some experimental medicine Rex s health deteriorated to the point where he was unable to breed John sues Frank for professional negligence As part of the discovery process, Frank provided a printout of his observation notes recorded in his computerised practice management system

84 Computer Forensics Analysis - Case Study 1 The observation notes state Treated Rex with experimental medicine Frank suspects that the observation notes were altered as his invoice only states Treated Rex with medicine You forensically analyse the database associated with the Frank s practice management software You recover and forensically analyse deleted backups of the database stored on Frank s computer server You identify that the practice management software has audit trail features The audit trail illustrates that the observation notes were actually changed after the commencement of legal proceedings

85 Computer Forensics Analysis - Case Study 2 John recently purchased Michael s business John has identified an anomaly between reports generated by the business computerised accounting system software and an invoice dated 1 January 2008 provided prior to purchase by Michael, as a paper printout John can find no record of the invoice in the accounting system The invoice also looks slightly different to invoices typically produced by the accounting system John believes that Michael may have forged the invoice

86 Computer Forensics Analysis - Case Study 2
- You perform a keyword search for the term "invoice" and manually review the results to identify a folder on the hard drive named "Unsorted Invoices"
- The folder contains one (1) deleted Microsoft Excel spreadsheet
- You recover the deleted spreadsheet and identify that the spreadsheet is password-protected
- Using a password cracking utility, you identify the spreadsheet's password as "secret123"
- You access the spreadsheet contents and it appears to match the printed invoice previously provided

87 Computer Forensics Analysis - Case Study 2
- The spreadsheet's file system and document metadata reflect that the spreadsheet containing the invoice was created on 1 November 2008, 11 months after it was purportedly issued
- Document metadata reflects that the spreadsheet was created by the computer user "Michael" and was last printed on 1 November 2008
- You analyse the Print Spool folder and recover deleted artefacts which support the contention that a copy of the spreadsheet was printed from the computer on 1 November 2008
- You perform a timeline analysis of activity on the hard drive and analyse other available artefacts to verify the operational reliability of the computer, including the accuracy of the computer clock's date and time (without that check, the 1 November 2008 timestamps cannot be relied on)

88 Computer Forensics Analysis - Case Study 3
- Michelle is employed by John in a senior role in his business
- Michelle receives a lucrative offer from a competitor and resigns
- Two weeks after Michelle's resignation, John receives a number of phone calls from customers
- Each customer has received highly discounted offers from Michelle's new employer
- John calls his lawyer, and you, as a computer forensic practitioner

89 Computer Forensics Analysis - Case Study 3
- You reconstruct web browsing activity from Michelle's former computer to reveal that she had spent a large part of her last fortnight on social networking websites
- The computer also revealed that Michelle had installed and used Evidence Eliminator software the day before she left
- You identify that Michelle had tried to delete a number of personal e-mail messages and documents
- You reconstruct Windows Registry and relevant log files to identify that an Apple iPod (SN: 123456) was connected via USB to Michelle's computer a number of times in Michelle's last fortnight
- You analyse link (shortcut) files to identify that a file matching the file name of John's master customer database was accessed on the day before Michelle's departure

90 Analysis - Searches
- Key custodians or sources
- Date ranges
- File types
- Search queries: keywords, concept searching, clustering
- De-duplication: exact de-duplication (MD5 hash values act as digital fingerprints for a file), near de-duplication, e-mail threading
- MD5 is adequate for finding identical files, but it is no longer collision resistant; use SHA-256 where the hash must withstand deliberate manipulation

91 Search query refinement: bus
- Starting keyword: bus. Refinement: bus OR buses?

92 Search query refinement: anonymise
- Starting keyword: anonymise. Refinement: anonymise OR anonymize?
- Broader refinement: anonym* OR unknown OR hidden?

93 Search query refinement: toll
- Starting keyword: toll. Refinement: toll NOT toll-free?
- Proximity refinement: toll AND [keyword] NEAR/25 [keyword]?

94 Search query refinement: virgin
- Starting keyword: virgin. Refinement: (Virgin Blue OR virgin blue OR Bluey OR VBA) NEAR/25 [keyword]?
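The de-duplication and query-refinement slides above describe what an eDiscovery search does without showing the mechanics. The following added example (written for this page, not code from the presentation or from any of the products pictured) implements both over a small constructed corpus: exact de-duplication by content hash, and a keyword search supporting OR, NOT, a trailing-asterisk wildcard, multi-word phrases and NEAR/n proximity, so that refinements such as "bus OR buses", "anonym*", "toll NOT toll-free" and "(Virgin Blue OR Bluey OR VBA) NEAR/25 discount" can be tried out. The sample messages and their contents are constructed; tokenisation is deliberately simple (hyphens and punctuation split words), and the function names are this example's own.

```python
import hashlib
import re

# Constructed sample corpus for this example (not material from the original
# presentation): short message bodies, two of which are exact duplicates.
DOCUMENTS = {
    "msg001.txt": "The bus to the depot was late. Buses run hourly.",
    "msg002.txt": "Please anonymise the report before sending it to Virgin Blue.",
    "msg003.txt": "Toll charges apply on the new road; call the toll-free line for details.",
    "msg004.txt": "The bus to the depot was late. Buses run hourly.",  # duplicate of msg001
    "msg005.txt": "VBA booking confirmed. Discount applied for the bulk order of 50 seats.",
}


def digest(text, algorithm="md5"):
    """Hash a document's bytes. The slide calls the MD5 value a digital fingerprint;
    it is fine for spotting identical files, but MD5 is no longer collision
    resistant, so pass algorithm="sha256" where deliberate manipulation matters."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def exact_dedup(documents, algorithm="md5"):
    """Group filenames by content hash so each distinct document is reviewed once."""
    groups = {}
    for name, text in documents.items():
        groups.setdefault(digest(text, algorithm), []).append(name)
    return groups


def unique_documents(documents):
    """One representative per hash group: the corpus to search after de-duplication."""
    return {names[0]: documents[names[0]] for names in exact_dedup(documents).values()}


TOKEN = re.compile(r"[a-z0-9]+")


def tokens(text):
    """Lower-cased word tokens; punctuation and hyphens split words."""
    return TOKEN.findall(text.lower())


def term_matches(term, token):
    """A term matches a token exactly, or by prefix when it ends in '*'
    (so anonym* hits both anonymise and anonymize)."""
    return token.startswith(term[:-1]) if term.endswith("*") else token == term


def positions(text, terms):
    """Token positions at which any of the terms occurs (OR semantics).
    A term containing spaces or hyphens is matched as a consecutive phrase."""
    toks = tokens(text)
    found = set()
    for term in terms:
        parts = re.findall(r"[a-z0-9*]+", term.lower())
        for i in range(len(toks) - len(parts) + 1):
            if all(term_matches(p, toks[i + k]) for k, p in enumerate(parts)):
                found.add(i)
    return sorted(found)


def near(text, left_terms, right_terms, distance):
    """NEAR/n: some left term and some right term within n tokens of each other."""
    left, right = positions(text, left_terms), positions(text, right_terms)
    return any(abs(l - r) <= distance for l in left for r in right)


def search(documents, terms, exclude=(), proximity=None):
    """Documents containing any term (OR), minus any containing an excluded
    term (NOT); proximity=(other_terms, n) additionally requires NEAR/n."""
    hits = []
    for name, text in documents.items():
        if not positions(text, terms) or positions(text, exclude):
            continue
        if proximity and not near(text, terms, proximity[0], proximity[1]):
            continue
        hits.append(name)
    return sorted(hits)
```

Running the refinements from the slides against this corpus shows why they matter: "bus" alone and "bus OR buses" both hit msg001 (and its duplicate msg004 until de-duplication removes it), "anonym*" catches the alternative spelling without listing it, "toll NOT toll-free" drops the toll-free helpline message, and the NEAR/25 query keeps only the message where an airline alias appears close to "discount".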

95 Analysis Searches Image Copyright 2009 Clearwell Systems Inc.

96 Analysis Data Recovery Images Copyright 2011 evidence-eliminator.com

97 Analysis - Passwords and Encryption
Commonly password-protected files:
- Microsoft Office files (97-2003: easy; 2007 and later: hard)
- Portable Document Format (PDF) files
- ZIP (compressed) archives
Defeating passwords and encryption:
- Social engineering
- Dictionary attack
- Brute force attack
- Rainbow tables
The "easy" formats use weak ciphers or short keys (Office 97-2003 RC4 with a 40-bit key, traditional ZIP encryption), so the key itself can be attacked regardless of password strength. Office 2007 and later derive an AES key through tens of thousands of hash iterations, so each guess is slow and only weak passwords fall to dictionary attacks.
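To make the slide's three technical attacks concrete, the following added example (this page's own illustration, not code from the presentation or from any password-recovery product) implements a dictionary attack with simple mangling rules, a brute-force keyspace walk and a precomputed lookup table against a hypothetical salted, iterated-hash verifier. The verifier scheme, the salt, the word list and the iteration counts are all constructed for the example and are not the real Office, PDF or ZIP key-derivation schemes; what carries over is the arithmetic: work = candidates x iterations, which is why a high iteration count (the "hard" formats) hurts every attack equally, and why a per-file salt defeats precomputation.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase
LOWER_DIGITS = string.ascii_lowercase + string.digits


def derive(password, salt, iterations):
    """Hypothetical verifier for this example (not the real Office, PDF or ZIP
    scheme): SHA-1 over salt+password, re-hashed `iterations` times. The
    iteration count is the knob that makes a format 'hard': every guess costs
    the attacker the full count, so candidates x iterations is the work factor."""
    h = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h).digest()
    return h


def dictionary_candidates(wordlist):
    """Dictionary attack: each base word, then simple mangling rules
    (capitalisation and appended digits, so 'secret' also yields 'secret123')."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for n in range(1000):
                yield f"{base}{n}"


def brute_force_candidates(alphabet, max_len):
    """Brute force: every string over the alphabet up to max_len, shortest first.
    The keyspace grows as len(alphabet) ** length, which is why this only pays
    off for short passwords or for formats whose key is shorter than the password."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(verifier, salt, iterations, candidates):
    """Return (password, attempts) for the first candidate whose derived value
    matches the stored verifier, or (None, attempts) once candidates run out."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if derive(guess, salt, iterations) == verifier:
            return guess, attempts
    return None, attempts


def build_lookup_table(wordlist, iterations):
    """Precomputation in the spirit of rainbow tables (a plain hash-to-password
    dictionary here, not chained reduction functions). It only works when the
    format uses no per-file salt: the table is built for one fixed salt (empty
    here), and a random salt forces the whole computation to be redone per file."""
    return {derive(p, b"", iterations): p for p in dictionary_candidates(wordlist)}


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04"  # constructed per-file salt
    verifier = derive("secret123", salt, 50)
    words = ["password", "invoice", "secret"]  # constructed word list
    print(crack(verifier, salt, 50, dictionary_candidates(words)))
    print(crack(verifier, salt, 50, brute_force_candidates(LOWER, 3)))
```

With the word list above, the dictionary attack recovers secret123 (the password from Case Study 2) after a few thousand guesses, whereas brute force over lower-case letters up to three characters exhausts its keyspace without success; raising `iterations` multiplies the cost of both by the same factor, and the lookup table is useless against any file whose salt differs from the one it was built for.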

98 Analysis - Windows Artefacts
- Registry: the configuration of the Windows operating system and installed software applications
- Recycle Bin: the storage location of deleted files
- Event Logs: system and user activity logs
- Restore Points: automatic backups of the Registry and other key system files
- Shadow Copies: previous versions of files stored by Windows
- Shortcut (link) files: a file that is a shortcut to another file and contains metadata about the target file (path, size, timestamps, volume). Can be created by Windows automatically (e.g. in the Recent Documents folder) or by the user

99 Analysis - USB Devices
Universal Serial Bus (USB) devices:
- USB keys
- USB external hard drives
- RIM BlackBerry
- Apple iPod, iPhone and iPad
Recorded each time a USB device is connected to a computer:
- Last connected (date and time)
- Device manufacturer
- Device model
- Serial number
Caveat: the Registry records that a device with a given serial number was connected, not who connected it or what was copied; pair it with link files (slide 101) and other timeline artefacts. A device that reports no serial number gets an identifier generated by Windows, which is not unique across computers.
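The USB history the slide refers to lives under the USBSTOR key of the SYSTEM hive, where each device class, vendor, product and revision forms one subkey and each connected device an instance subkey named after its serial number. The following added example (written for this page, not code from the presentation or from the Nirsoft tool pictured on the next slide) parses a constructed .reg export of that key into a device list and flags serial numbers that Windows generated because the device reported none (recognisable by an ampersand as the second character). The export text, the devices in it and the function names are constructed for the example; the serial 123456 is the one quoted in Case Study 3. A .reg export carries no key timestamps, so the "last connected" time is not available here: on a hive it comes from the instance key's last-write time, and is best cross-checked against the setupapi log.

```python
import re

# Constructed .reg export of the USBSTOR key (sample data for this example, not
# from a real system). Each device is a Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
# subkey with one instance subkey per device, named after the device serial number.
USBSTOR_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\123456&0]
"FriendlyName"="Apple iPod USB Device"
"DeviceDesc"="Disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2e1f5a9c&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"(?P<class>[^&\]]+)&Ven_(?P<vendor>[^&\]]+)&Prod_(?P<product>[^&\]]+)&Rev_(?P<rev>[^\\\]]+)"
    r"\\(?P<instance>[^\]]+)\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_usbstor(export_text):
    """Return one dict per device instance found in a .reg export of USBSTOR."""
    devices = []
    current = None
    for line in export_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            instance = m.group("instance")
            current = {
                "class": m.group("class"),
                "vendor": m.group("vendor"),
                "product": m.group("product"),
                "revision": m.group("rev"),
                # The instance name is <serial>&<instance index>; keep the serial part.
                "serial": instance.split("&")[0],
                # If the second character is '&', the device reported no serial and
                # Windows generated the ID; it cannot be matched across computers.
                "serial_is_windows_generated": len(instance) > 1 and instance[1] == "&",
                "friendly_name": None,
            }
            devices.append(current)
            continue
        v = VALUE_RE.match(line)
        if v and current is not None and v.group("name") == "FriendlyName":
            current["friendly_name"] = v.group("value")
    return devices


def find_by_serial(devices, serial):
    """Devices matching a serial number, ignoring Windows-generated identifiers
    so that a generated ID is never reported as a positive device match."""
    return [d for d in devices if d["serial"] == serial and not d["serial_is_windows_generated"]]


if __name__ == "__main__":
    for device in parse_usbstor(USBSTOR_EXPORT):
        print(device)
```

On a real system the same parsing applies to the exported key, but the evidential value of a match depends on the serial being device-assigned: the second (Generic) entry here would match on "7" in a naive comparison and is correctly rejected.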

100 Analysis USB Devices Image Copyright 2011 Nirsoft.

101 Analysis Shortcut Files and USB Devices

102 Analysis - Internet Intelligence
- WHOIS searches identify the registrant of a domain name (e.g. www.seamusbyrne.com) or the organisation to which an Internet Protocol (IP) address has been allocated (e.g. 122.201.92.114)
- DNS lookup searches identify the IP address(es) associated with a domain name
- Registrant details may be privacy-protected or false, and an IP allocation identifies an ISP or organisation rather than a person; record the date and time of each query, as both WHOIS and DNS records change

103 Analysis Internet Intelligence Image Copyright 2011 dnstools.com

104 Analysis - Web Browsers
- History: the History data file or database records a user's web browsing activity
- Cache: the Cache data file or database stores a temporary copy of web pages that have been recently accessed on the user's computer so that they can be displayed faster in the future
- Cookies: small records (historically text files) that web servers use to track or manage a user's web browsing activity on a specific web site
- Private mode browsing: enables a user to easily undertake a web browsing session without permanently storing History, Cache or Cookies on disk. Traces may still survive in memory, the page file or the DNS cache, but the absence of History entries is not proof of inactivity
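Reconstructing browsing activity, as in Case Study 3, usually means querying the browser's History database and converting its timestamps correctly. The following added example (this page's own illustration, not code from the presentation) builds an in-memory copy of the relevant part of Chrome's `urls` table from constructed rows and filters it by date range, converting between Chrome's timestamp format (microseconds since 1601-01-01 UTC) and Firefox's (microseconds since the Unix epoch). The sample URLs, titles and visit times are constructed; the table layout is a subset of Chrome's and the function names are this example's own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium History stores last_visit_time as microseconds since
# 1601-01-01 UTC (the Windows FILETIME epoch); Firefox places.sqlite stores
# visit dates as microseconds since the Unix epoch. Mixing them up shifts a
# visit by 369 years, so convert explicitly before building a timeline.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Timezone-aware UTC datetime; browser timestamps are stored in UTC."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def chrome_time(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def firefox_time(microseconds):
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def to_chrome_time(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


# Constructed sample rows (not from a real profile): url, title, visit_count, last_visit_time
SAMPLE_URLS = [
    ("http://www.facebook.com/", "Facebook", 412, 12945866400000000),        # 2011-03-29 10:00:00 UTC
    ("http://competitor.example/careers", "Careers", 3, 12945780000000000),  # 2011-03-28 10:00:00 UTC
    ("http://webmail.example/inbox", "Inbox", 57, 12945866460000000),        # 2011-03-29 10:01:00 UTC
]


def load_chrome_history(rows):
    """Build an in-memory copy of the part of Chrome's urls table this example
    needs. In practice copy the (locked) History file and open the copy."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER DEFAULT 0, "
        "last_visit_time INTEGER, hidden INTEGER DEFAULT 0)"
    )
    db.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)", rows
    )
    return db


def history_between(db, start, end):
    """URLs whose last visit falls within [start, end), times rendered in UTC.
    The range is compared on the raw integer so no row needs converting twice."""
    cur = db.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time >= ? AND last_visit_time < ? ORDER BY last_visit_time",
        (to_chrome_time(start), to_chrome_time(end)),
    )
    return [(url, title, visits, chrome_time(t).isoformat()) for url, title, visits, t in cur]


if __name__ == "__main__":
    db = load_chrome_history(SAMPLE_URLS)
    for row in history_between(db, utc(2011, 3, 29), utc(2011, 3, 30)):
        print(row)
```

Report times in UTC alongside the local time used in the matter, and state which conversion was applied: a timeline that silently mixes epochs, or local and UTC, is the kind of error that opposing counsel will find.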

105 Analysis Web Intelligence - Google Image Copyright 2011 google.com

106 Analysis Web Intelligence - Spokeo Image Copyright 2011 spokeo.com

107 Analysis Web Intelligence - Wayback Image Copyright 2011 archive.org

108 Analysis - Email
Parts of an email:
- Email header: the envelope that contains the metadata (sender, recipients, Message-ID, and a Received line added by each mail server the message passed through)
- Email body: the email message content
- Attachments
Important notes:
- Emails sent from Yahoo! Mail and Microsoft Hotmail/Live Mail can generally be traced to a public IP address; Google Mail (Gmail) cannot at this time (2011)
- Even with a public IP address, the email may only trace to an organisation (not a specific user) or to an Internet cafe
- Received headers are prepended by each relay in turn, so only those added by servers you trust are reliable; anything below them can have been forged by the sender
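The tracing the slide describes comes down to reading the header chain in the right order. The following added example (written for this page, not code from the presentation or from the tracing services pictured on the following slides) parses constructed raw messages with Python's `email` module, prefers an `X-Originating-IP` header where the webmail provider added one, and otherwise walks the `Received` headers from the earliest hop upwards, skipping private and reserved addresses, reporting the first public address and how many hops it sits above the origin. The messages, hostnames and private addresses are constructed; the public address 122.201.92.114 is the example quoted on the Internet Intelligence slide. A result of one or more hops above the origin is exactly the "traces only to an organisation" case from the slide.

```python
import email
import ipaddress
import re
from email.policy import default

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample messages (not real traffic). Header order matters: each
# relay prepends its Received line, so the bottom-most one is the first hop.
WEBMAIL_STYLE = """\
Received: from mail.example.net (mail.example.net [10.0.0.5])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1; Tue, 29 Mar 2011 10:00:00 +1100
Received: from webmail.example.net ([10.0.0.9]) by mail.example.net; Tue, 29 Mar 2011 09:59:58 +1100
X-Originating-IP: [122.201.92.114]
From: someone@example.net
To: john@recipient.example
Subject: offer
Message-ID: <abc@example.net>

body
"""

RELAYED = """\
Received: from smtp.isp.example (smtp.isp.example [122.201.92.114])
\tby mx.recipient.example with ESMTP; Tue, 29 Mar 2011 10:05:00 +1100
Received: from sender-pc ([192.168.1.10]) by smtp.isp.example with SMTP; Tue, 29 Mar 2011 10:04:58 +1100
From: someone@isp.example
To: john@recipient.example
Subject: offer

body
"""

INTERNAL = """\
Received: from workstation12 ([10.1.2.3]) by mail.recipient.example; Tue, 29 Mar 2011 11:00:00 +1100
From: staff@recipient.example
To: john@recipient.example
Subject: internal

body
"""


def is_public(ip):
    """True for globally routable addresses; private, loopback, link-local and
    documentation ranges are excluded, as is junk such as 999.1.2.3."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def received_hops(msg):
    """IP addresses found in each Received header, earliest hop first."""
    return [IP_RE.findall(str(h)) for h in reversed(msg.get_all("Received") or [])]


def originating_ip(raw):
    """Best available origin: X-Originating-IP if present and public, else the
    first public address in the Received chain counted from the sender's end.
    hops_from_origin > 0 means the address is a relay (ISP or organisation),
    not the sender's own connection."""
    msg = email.message_from_string(raw, policy=default)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RE.search(str(xoip))
        if m and is_public(m.group(1)):
            return {"ip": m.group(1), "header": "X-Originating-IP", "hops_from_origin": 0}
    for hop, ips in enumerate(received_hops(msg)):
        for ip in ips:
            if is_public(ip):
                return {"ip": ip, "header": "Received", "hops_from_origin": hop}
    return None


if __name__ == "__main__":
    for name, raw in (("webmail", WEBMAIL_STYLE), ("relayed", RELAYED), ("internal", INTERNAL)):
        print(name, originating_ip(raw))
```

Treat the result as a lead, not a finding: the headers below the first trusted relay are supplied by the sender's side and can be fabricated, so the address should be corroborated (for example with the ISP's logs under legal process) before it is attributed to a person.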

109 Computer Forensics Analysis Image Copyright 2009 Clearwell Systems Inc.

110 Analysis Email Tracing Images Copyright 2011 ip-adress.com

111 Analysis Email Tracking Image Copyright 2011 readnotify.com

112 Computer Forensics - Presentation
Report preparation:
- Prepare in accordance with Court requirements
- No standard layout
- Understand the audience
- Avoid technical terminology overload
- Use an appendix wisely
Court attendance:
- Potentially months or years later

113 Computer Forensics - Presentation
HIS HONOUR: Mr Couper?
MR COUPER: I'll call Mr Byrne, if your Honour pleases.
HIS HONOUR: Yes.
MR COUPER: We'll see if all this technology is what it's cracked up to be.
HIS HONOUR: Is that what you're going to ask Mr Byrne?
MR COUPER: More or less, your Honour.

114 Computer Forensics - Further Reading
Reference materials:
- DOJ, Search and Seizure Manual (USA)
- NIJ, Electronic Crime Scene Investigation: A Guide for First Responders (USA)
- ACPO, Good Practice Guide for Computer-Based Electronic Evidence (UK)
- BS 10008, Evidential Weight and Legal Admissibility of Electronic Information
- AS HB 171-2003, Guidelines for the Management of IT Evidence
- NATA, Technical Circular No 9
- NIST, Computer Forensic Tool Testing Project (USA)
Public websites:
- The Electronic Evidence Information Center
- Forensic Focus

115 Thank You
If you have any questions or feedback regarding this presentation please contact:
Seamus E. Byrne, Director, Forensics, KordaMentha
sbyrne@kordamentha.com
+61 3 8623 3438
+61 416 214 388