Digital Forensics
Tom Pigg, Executive Director, Tennessee CSEC
Definitions
- Digital forensics
  - Involves obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases
  - Analyzes/investigates data that can be retrieved from a computer's hard disk or other storage media
  - Yields information about how a perpetrator or an attacker gained access to a network

Definitions
- Data recovery
  - Recovering information that was deleted by mistake or lost during a power surge or server crash
  - Uses computer forensics techniques to retrieve information that was lost
  - Recovers data that was intentionally deleted
Computer Investigations
- Computer investigations and forensics fall into two distinct categories
  - Public investigations
  - Private or corporate investigations
- Public investigations
  - Involve government agencies responsible for criminal investigations and prosecution
  - Organizations must observe legal guidelines

Computer Investigations
- Private or corporate investigations
  - Deal with private companies
  - Aren't governed directly by criminal law
  - Governed by internal policies that define expected employee behavior and conduct in the workplace
  - Investigations are usually conducted in civil cases
Digital Forensics
- The role of digital forensics professionals is to gather evidence to prove that a suspect committed a crime or violated a company policy
Investigation Plan
1. Prepare a forensics workstation
2. Obtain the evidence
3. Make a forensic copy of the evidence
4. Return the evidence to a secure container
5. Process the copied evidence with computer forensics tools
Digital Forensics Lab Setup
- A workstation
- A write-blocker device
- Computer forensics acquisition tool
- Computer forensics analysis tool
- Target drive to receive the source or suspect disk data
Acquiring the Image
- First rule of digital forensics: preserve the original evidence
- Conduct your analysis only on a copy of the data
Analyzing the Image
- Recover data from:
  - Deleted files
  - File fragments
  - Complete files
  - Slack
  - Unpartitioned space
  - Voids between partitions
- Deleted files linger on the disk until new data is saved on the same physical location

Analyzing the Image
- Search for keywords of interest in the case
- Export the data important to the case
- Generate a report of your activities
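The two "Analyzing the Image" slides describe why deleted data is still recoverable and how keyword searching works across an image. The following Python script is an added example, not part of the deck or of any tool it names. It builds a constructed toy disk image (512-byte clusters, a small allocation set standing in for the file system's cluster bitmap, and invented sample text) and then runs a keyword search and a file-signature carve over the whole image, reporting for every hit whether it sits in allocated or unallocated space. The remnants in cluster 4 survive precisely because, as the slide says, nothing has yet overwritten that location.

```python
CLUSTER_SIZE = 512
NUM_CLUSTERS = 8

# File-type signatures ("magic numbers") used to spot file remnants that
# no longer have a directory entry pointing at them.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def build_sample_image():
    """Constructed toy disk image: a live file in clusters 0-1 and remnants of a deleted file in cluster 4.

    Returns (image_bytes, allocated_clusters). The allocation set stands in for
    the file system's cluster bitmap; anything outside it is unallocated space.
    """
    image = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)  # all zeros to start
    live = b"Quarterly report: regional sales figures attached.\n"
    image[0:len(live)] = live
    # A deleted JPEG header plus text that survived because no new data
    # has been written to this cluster since the file was deleted.
    deleted = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24
               + b"Transfer confirmation, account 4471")
    start = 4 * CLUSTER_SIZE
    image[start:start + len(deleted)] = deleted
    return bytes(image), {0, 1}


def _status(offset, allocated):
    """Label a byte offset by whether its cluster is in use by the file system."""
    return "allocated" if offset // CLUSTER_SIZE in allocated else "unallocated"


def keyword_search(image, keywords, allocated):
    """Case-insensitive search of the entire image, not just live files.

    Each hit records offset, cluster and allocation status so the examiner can
    tell a hit in a current document from one in deleted or free space.
    """
    haystack = image.lower()
    hits = []
    for keyword in keywords:
        needle = keyword.lower().encode()
        offset = haystack.find(needle)
        while offset != -1:
            hits.append({
                "keyword": keyword,
                "offset": offset,
                "cluster": offset // CLUSTER_SIZE,
                "status": _status(offset, allocated),
                "context": bytes(image[offset:offset + 40]),
            })
            offset = haystack.find(needle, offset + 1)
    return sorted(hits, key=lambda h: h["offset"])


def carve_signatures(image, allocated):
    """Find file headers anywhere on the image, including clusters the file system considers free."""
    found = []
    for name, magic in SIGNATURES.items():
        offset = image.find(magic)
        while offset != -1:
            found.append({
                "type": name,
                "offset": offset,
                "cluster": offset // CLUSTER_SIZE,
                "status": _status(offset, allocated),
            })
            offset = image.find(magic, offset + 1)
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    img, allocated = build_sample_image()
    for hit in keyword_search(img, ["sales", "transfer"], allocated):
        print(hit)
    for entry in carve_signatures(img, allocated):
        print(entry)
```

Run it as-is and the "sales" hit is reported as allocated in cluster 0, while "transfer" and the JPEG header are reported as unallocated in cluster 4: evidence a plain file listing would never show. Real tools do the same search over the raw image rather than through the file system for exactly this reason.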
Validating Data
- Most critical aspect of computer forensics
- Requires using a hashing algorithm
- Validation techniques: CRC-32, MD5, and SHA-1 to SHA-512

Hash Algorithms
- Cyclic Redundancy Check (CRC)
  - Mathematical algorithm that determines whether a file's contents have changed
  - Not considered a forensic hashing algorithm
- Message Digest 5 (MD5)
  - Mathematical formula that translates a file into a hexadecimal code value, or a hash value
  - If a bit or byte in the file changes, it alters the digital hash

Hash Algorithms
- Three rules for forensic hashes:
  1. You can't predict the hash value of a file or device
  2. No two hash values can be the same
  3. If anything changes in the file or device, the hash value must change
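The "Investigation Plan", "Acquiring the Image" and hashing slides together describe one workflow: copy the evidence without touching the original, hash both, and use the hash to prove the copy is faithful. The Python script below is an added example written for this page; it is not the deck's code and not the workflow of any named tool. It uses a constructed in-memory buffer as the "suspect drive" (a real acquisition reads the device behind a write-blocker) and standard-library `hashlib`/`zlib`, so it runs offline. It shows the copy verifying on CRC-32, MD5, SHA-1 and SHA-256, and then shows what the third rule means in practice: flipping one bit in the copy changes every digest.

```python
import hashlib
import os
import tempfile
import zlib

# Constructed stand-in for a suspect drive. In a real case this is the raw
# device behind a write-blocker, never a file the examiner created.
SAMPLE_EVIDENCE = b"Constructed sample evidence image. " * 3000


def hash_bytes(data):
    """CRC-32, MD5, SHA-1 and SHA-256 of an in-memory buffer, as hex strings."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Same digests for a file, read in chunks so a multi-GB image need not fit in RAM."""
    crc = 0
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            for d in digests.values():
                d.update(chunk)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return result


def acquire_image(source, dest, chunk_size=1 << 20):
    """Bit-for-bit copy of `source` to `dest`, then verify the copy against the original.

    Returns (source_hashes, copy_hashes, verified). The original is opened
    read-only and never written; all later analysis should use `dest`.
    """
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)
    source_hashes = hash_file(source)
    copy_hashes = hash_file(dest)
    return source_hashes, copy_hashes, source_hashes == copy_hashes


def flip_one_bit(path, byte_offset, out_path):
    """Write a copy of `path` with a single bit flipped (simulates tampering or a bad sector)."""
    with open(path, "rb") as f:
        data = bytearray(f.read())
    data[byte_offset] ^= 0x01
    with open(out_path, "wb") as f:
        f.write(data)


def demo(workdir=None):
    """Run acquisition and validation on the constructed evidence; returns the observations."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensic_demo_")
    original = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    tampered = os.path.join(workdir, "suspect_drive_tampered.dd")
    with open(original, "wb") as f:
        f.write(SAMPLE_EVIDENCE)

    src_h, copy_h, verified = acquire_image(original, image)
    flip_one_bit(image, len(SAMPLE_EVIDENCE) // 2, tampered)
    tampered_h = hash_file(tampered)

    return {
        "verified": verified,  # copy matches the original on every algorithm
        "copy_sha256": copy_h["sha256"],
        "tampered_sha256": tampered_h["sha256"],
        # Rule 3 in action: one flipped bit changes every digest, CRC-32 included.
        "all_digests_changed": all(copy_h[k] != tampered_h[k] for k in copy_h),
        # Rule 1 of acquisition: the original's hashes are unchanged afterwards.
        "original_untouched": hash_file(original) == src_h,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record the source and copy hashes in the case notes at acquisition time; re-hashing the working copy before each analysis session and comparing to that record is what lets you show the evidence was not altered while in your custody. CRC-32 is included only to illustrate the slide's point that it detects change but is not a forensic hash: it is 32 bits and trivially forgeable, so the MD5/SHA values are the ones that carry weight.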
Understanding File Systems
- The file system gives the OS a road map to data on a disk
- The type of file system an OS uses determines how data is stored on the disk
- When you need to access a suspect's computer to acquire or inspect data, you should be familiar with the computer's platform

Understanding File Systems
- In Microsoft file structures, sectors are grouped to form clusters
  - Storage allocation units of one or more sectors
  - Clusters are typically 512, 1024, 2048, 4096, or more bytes each
- Hidden partitions or voids are large unused gaps between partitions on a disk
- A partition gap is unused space between partitions

Understanding File Systems
- Microsoft OSs allocate disk space for files by clusters, which can result in drive slack
  - Unused space in a cluster between the end of an active file and the end of the cluster
- You can examine a partition's physical level with a disk editor: Norton DiskEdit, WinHex, or Hex Workshop
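The cluster and drive-slack slides describe an arithmetic relationship that is easy to check by hand. The Python below is an added example, not from the deck: it computes how many clusters a file occupies and how many slack bytes follow it for any cluster size, and then, on a constructed 512-byte cluster, shows what an examiner finds in that slack when a shorter file is written over a cluster that previously held something else. The sample text and the 99-byte file size are invented for the demonstration.

```python
def drive_slack(file_size, cluster_size):
    """Clusters a file occupies, and the unused bytes between its end and the end of its last cluster."""
    if file_size == 0:
        return 0, 0  # a zero-length file allocates no cluster at all
    clusters = -(-file_size // cluster_size)  # ceiling division
    return clusters, clusters * cluster_size - file_size


def extract_slack(image, start_cluster, file_size, cluster_size):
    """Return the drive-slack bytes of a file stored in consecutive clusters from `start_cluster`.

    This is the region a disk editor such as the ones on the slide lets you
    inspect: allocated to the file, but beyond its logical end.
    """
    clusters, _ = drive_slack(file_size, cluster_size)
    end_of_file = start_cluster * cluster_size + file_size
    end_of_allocation = (start_cluster + clusters) * cluster_size
    return bytes(image[end_of_file:end_of_allocation])


def build_slack_sample(cluster_size=512):
    """Constructed cluster: an older document once filled it, then a 99-byte note was written over the start.

    Returns (image, new_file_size). The tail of the older document survives as
    drive slack because the new file only overwrote the first 99 bytes.
    """
    older = (b"OLD DRAFT - do not distribute. " * 40)[:cluster_size]
    image = bytearray(older)
    new_file = b"new note " * 11  # 99 bytes, so 413 bytes of slack in a 512-byte cluster
    image[:len(new_file)] = new_file
    return bytes(image), len(new_file)


if __name__ == "__main__":
    for size in (1, 100, 512, 513, 4096, 4097):
        for cluster in (512, 4096):
            print(f"file {size:5d} B, cluster {cluster:4d} B -> clusters, slack = {drive_slack(size, cluster)}")
    img, new_size = build_slack_sample()
    print("slack contents:", extract_slack(img, 0, new_size, 512)[:60])
```

Larger cluster sizes mean more slack per file and therefore more residual data per volume, which is why the slide treats slack as a place to recover data from rather than as empty space.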
Compression
- NTFS provides compression
- Under NTFS, files, folders, or entire volumes can be compressed
- Most computer forensics tools can uncompress and analyze compressed Windows data
Encryption
- Encrypting File System (EFS)
  - Implements a public key and private key method of encrypting files, folders, or disk volumes
  - When EFS is used, a recovery certificate is generated and sent to the local Windows administrator account, except for MS Server 2008
  - Users can apply EFS to files stored on their local workstations or a remote server
Registry
- A database that stores hardware and software configuration information, network connections, user preferences, and setup information
- For investigative purposes, the Registry can contain valuable evidence
- To view the Registry you can use Regedit/Regedt32 or a forensics registry viewer
Virtual Machines
- A virtual machine allows you to create a representation of another computer on an existing physical computer
- Much of the newer digital forensics software recognizes VMs
Digital Forensics Tools
- EnCase
- FTK
- ProDiscover
- Helix
- Autopsy
- SleuthKit
Contact Information
Dr. Thomas L. Pigg
Professor of Computer Information Systems
Jackson State Community College
2046 N. Parkway, Jackson, TN 38305
(731) 424-3520 Ext. 201
tpigg@jscc.edu