The Basics of Digital Forensics
John Sammons

Summary
This book, "The Basics of Digital Forensics", is a primer for those getting started in the field. It covers key technical concepts, such as data types, file systems, and storage, as well as forensic labs, tools, and evidence collection procedures. The book also touches on the role of the forensic examiner in the judicial system.
The Basics of Digital Forensics
The Primer for Getting Started in Digital Forensics
John Sammons
Technical Editor: Jonathan Rajewski

SYNGRESS® (Syngress is an imprint of Elsevier)
AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Danielle S. Miller
Designer: Alisa Andreola

Syngress is an imprint of Elsevier, 225 Wyman Street, Waltham, MA 02451, USA

© 2012 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions. This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Sammons, John.
The basics of digital forensics : the primer for getting started in digital forensics / John Sammons.
p. cm.
ISBN 978-1-59749-661-2
1. Computer crimes–Investigation. I. Title.
HV8079.C65S35 2012
363.25'968–dc23
2011047052

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Syngress publications visit our website at: www.syngress.com

Typeset by: diacriTech, Chennai, India
Printed in the United States of America

Dedication
For Lora, Abby, and Rae for making me a truly blessed and lucky man.
To my mother Juanita, and my grandmother Grace. For the many sacrifices you made and the example you set … I miss you.

Contents

Preface
Acknowledgments
About the Author
About the Technical Editor

Chapter 1: Introduction
  Introduction
  What Is Forensic Science?
  What Is Digital Forensics?
  Uses of Digital Forensics
    Criminal Investigations
    Civil Litigation
    Intelligence
    Administrative Matters
  Locard’s Exchange Principle
  Scientific Method
  Organizations of Note
    Scientific Working Group on Digital Evidence
    American Academy of Forensic Sciences
    American Society of Crime Laboratory Directors/Laboratory Accreditation Board
    National Institute of Standards and Technology (NIST)
    American Society for Testing and Materials (ASTM)
  Role of the Forensic Examiner in the Judicial System
    The CSI Effect
  Summary
  References

Chapter 2: Key Technical Concepts
  Introduction
  Bits, Bytes, and Numbering Schemes
    Hexadecimal
    Binary to Text: ASCII and Unicode
  File Extensions and File Signatures
  Storage and Memory
    Magnetic Disks
    Flash Memory
    Optical Storage
    Volatile versus Nonvolatile Memory
  Computing Environments
    Cloud Computing
  Data Types
    Active Data
    Latent Data
    Archival Data
  File Systems
  Allocated and Unallocated Space
    Data Persistence
  How Magnetic Hard Drives Store Data
    Page File (or Swap Space)
  Basic Computer Function—Putting it All Together
  Summary
  References

Chapter 3: Labs and Tools
  Introduction
  Forensic Laboratories
    Virtual Labs
    Lab Security
    Evidence Storage
  Policies and Procedures
  Quality Assurance
    Tool Validation
    Documentation
  Digital Forensic Tools
    Tool Selection
    Hardware
    Software
  Accreditation
    Accreditation versus Certification
  Summary
  References

Chapter 4: Collecting Evidence
  Introduction
  Crime Scenes and Collecting Evidence
    Removable Media
    Cell Phones
    Order of Volatility
  Documenting the Scene
    Photography
    Notes
  Chain of Custody
    Marking Evidence
  Cloning
    Purpose of Cloning
    The Cloning Process
    Forensically Clean Media
    Forensic Image Formats
    Risks and Challenges
    Value in eDiscovery
  Live System versus Dead System
    Live Acquisition Concerns
    Advantage of Live Collection
    Principles of Live Collection
    Conducting and Documenting a Live Collection
  Hashing
    Types of Hashing Algorithms
    Hashing Example
    Uses of Hashing
  Final Report
  Summary
  References

Chapter 5: Windows System Artifacts
  Introduction
  Deleted Data
  Hibernation File (Hiberfile.sys)
    Sleep
    Hibernation
    Hybrid Sleep
  Registry
    Registry Structure
    Attribution
    External Drives
  Print Spooling
  Recycle Bin
  Metadata
    Removing Metadata
  Thumbnail Cache
  Most Recently Used (MRU)
  Restore Points and Shadow Copy
    Restore Points
    Shadow Copies
  Prefetch
  Link Files
    Installed Programs
  Summary
  References

Chapter 6: Antiforensics
  Introduction
  Hiding Data
    Encryption
    What Is Encryption?
    Early Encryption
    Algorithms
    Key Space
    Some Common Types of Encryption
    Breaking Passwords
  Password Attacks
    Brute Force Attacks
    Password Reset
    Dictionary Attack
  Steganography
  Data Destruction
    Drive Wiping
  Summary
  References

Chapter 7: Legal
  Introduction
  The Fourth Amendment
  Criminal Law—Searches without a Warrant
    Reasonable Expectation of Privacy
    Private Searches
    E-mail
    The Electronic Communications Privacy Act (ECPA)
    Exceptions to the Search Warrant Requirement
  Searching with a Warrant
    Seize the Hardware or Just the Information?
    Particularity
    Establishing Need for Off-Site Analysis
    Stored Communications Act
  Electronic Discovery (eDiscovery)
    Duty to Preserve
    Private Searches in the Workplace
  Expert Testimony
  Summary
  References

Chapter 8: Internet and E-Mail
  Introduction
  Internet Overview
    Peer-to-Peer (P2P)
    The INDEX.DAT File
  Web Browsers—Internet Explorer
    Cookies
    Temporary Internet Files, a.k.a. Web Cache
    Internet History
    Internet Explorer Artifacts in the Registry
    Chat Clients
    Internet Relay Chat (IRC)
    ICQ “I Seek You”
  E-Mail
    Accessing E-mail
    E-mail Protocols
    E-mail as Evidence
    E-mail—Covering the Trail
    Tracing E-mail
    Reading E-mail Headers
  Social Networking Sites
  Summary
  References

Chapter 9: Network Forensics
  Introduction
    Social Engineering
  Network Fundamentals
    Network Types
  Network Security Tools
  Network Attacks
  Incident Response
  Network Evidence and Investigations
    Network Investigation Challenges
  Summary
  References

Chapter 10: Mobile Device Forensics
  Introduction
  Cellular Networks
    Cellular Network Components
    Types of Cellular Networks
  Operating Systems
  Cell Phone Evidence
    Call Detail Records
    Collecting and Handling Cell Phone Evidence
    Subscriber Identity Modules
    Cell Phone Acquisition: Physical and Logical
  Cell Phone Forensic Tools
  Global Positioning Systems (GPS)
  Summary
  References

Chapter 11: Looking Ahead: Challenges and Concerns
  Introduction
  Standards and Controls
  Cloud Forensics (Finding/Identifying Potential Evidence Stored in the Cloud)
    What Is Cloud Computing?
    The Benefits of the Cloud
    Cloud Forensics and Legal Concerns
  Solid State Drives (SSD)
    How Solid State Drives Store Data
    The Problem: Taking out the Trash
  Speed of Change
  Summary
  References

Index

Preface

Seal Team Six tore the hard drives from Osama bin Laden’s computers. Some of Michael Jackson’s final words were captured on an iPhone. Google searches for chloroform played a central role in the trial of Casey Anthony. This list could go on and on. Digital forensics is used to keep us safe, to ensure justice is done and company and taxpayer resources aren’t abused. This book is your first step into the world of digital forensics. Welcome!

Digital forensics is used in a number of arenas, not just in catching identity thieves and Internet predators. For example, it’s being used on the battlefields of Afghanistan to gather intelligence. The rapid exploitation of information pulled from cell phones and other devices is helping our troops identify and eliminate terrorists and insurgents. It’s being used in the multibillion-dollar world of civil litigation. Gone are the days when opposing parties exchanged boxes of paper memos, letters, and reports as part of the litigation process. Today, those documents are written in 1s and 0s rather than ink. They are stored on hard drives and backup tapes rather than in filing cabinets. Digital forensics helps combat the massive surge in cybercrime. Identity thieves, child pornographers, and “old school” criminals are all using and leveraging technology to facilitate their illegal activities. Finally, it’s being used in the workplace to help protect both companies and government entities from the misuse of their computer systems.

INTENDED AUDIENCE

As the title suggests, this is a beginner’s book. The only assumption is that you have a fundamental understanding of or familiarity with computers and other digital devices.
If you have a moderate or advanced understanding of digital forensics, this book may not be for you. As part of Syngress’s “Basics” series, I wrote this book more as a broad introduction to the subject rather than an all-encompassing tome. I’ve tried to use as much “plain English” as possible, making it (hopefully) an easier read. I’d like to emphasize that this is an introductory book that is deliberately limited in length. Given that, there is much that couldn’t be covered in depth or even covered at all. Each chapter could be a book all by itself. There are many wonderful books out there that can help further your understanding. I sincerely hope you don’t stop here.

ORGANIZATION OF THIS BOOK

The book is organized in a fairly straightforward way. Each chapter covers a specific type of technology and begins with a basic explanation of the technology involved. This is a necessity in order to really understand the forensic material that follows. To help reinforce the material, the book also contains stories from the field, case examples, and Q and A with a cryptanalyst as well as a specialist in cell phone forensics.

Chapter 1 – Introduction
What exactly is digital forensics? Chapter 1 seeks to define digital forensics and examine how it’s being used. From the battlefield to the boardroom to the courtroom, digital forensics is playing a bigger and bigger role.

Chapter 2 – Key Technical Concepts
Understanding how computers create and store digital information is a prerequisite for the study of digital forensics. It is this understanding that enables us to answer questions like “How was that artifact created?” and “Was that generated by the computer itself, or was it a result of some user action?” We’ll look at binary, how data are stored, storage media, and more.

Chapter 3 – Labs and Tools
In “Labs and Tools,” we look at the digital forensic environment and the hardware and software that are used on a regular basis. We will also examine the standards used to accredit labs and validate tools. Those standards are explored along with quality assurance, which is the bedrock of any forensic operation. Quality assurance seeks to ensure that the results generated by the forensic examination are accurate.

Chapter 4 – Collecting Evidence
How the digital evidence is handled will play a major role in getting that evidence admitted into court. Chapter 4 covers fundamental forensically sound practices that you can use to collect the evidence and establish a chain of custody.

Chapter 5 – Windows System Artifacts
The overwhelming odds are that you have a Windows-based computer on your desk, in your briefcase, or both. It’s a Windows world. (No disrespect, Mac people. I’m one of you.) With over a 90% market share, it clearly represents the bulk of our work. Chapter 5 looks at many of the common Windows artifacts and how they are created.

Chapter 6 – Antiforensics
The word is out. Digital forensics is not the secret it once was. Recovering digital evidence, deleted files, and the like is now commonplace. It’s regularly seen on such shows as NCIS and CSI. The response has been significant. There are now many tools and techniques out there that are used to hide or destroy data. These are examined in Chapter 6.

Chapter 7 – Legal
Although a “forensic” science, the legal aspects of digital forensics can’t be divorced from the technical. In all but certain military/intelligence applications, the legal authority to search is a prerequisite for a digital forensics examination. Chapter 7 examines the Fourth Amendment, as well as reasonable expectations of privacy, private searches, searching with and without a warrant, and the Stored Communications Act.

Chapter 8 – Internet and E-Mail
Social networks, e-mail, chat logs, and Internet history represent some of the best evidence we can find on a computer. How does this technology work? Where is this evidence located? These are just a few of the questions we’ll answer in Chapter 8.

Chapter 9 – Network Forensics
We can find a network almost anywhere, from small home networks to huge corporate ones. Like computers and cell phones, we must first understand how things work. To that end, Chapter 9 begins with networking basics. Next, we start looking at how networks are attacked and what role digital forensics plays in not only the response, but how perpetrators can be traced.

Chapter 10 – Mobile Device Forensics
Small-scale mobile devices such as cell phones and GPS units are everywhere. These devices are in many respects pocket computers. They have a huge potential to store evidence. Digital forensics must be as proficient with these devices as it is with desktop computers. We’ll look at the underlying technology powering cell phones and GPS units as well as the potential evidence they could contain.

Chapter 11 – Looking Ahead: Challenges and Concerns
There are two “game-changing” technologies upon us that will have a huge impact on not only the technical aspect of digital forensics but the legal piece as well. The technology driving solid state hard drives negates much of the traditional “bread and butter” of digital forensics: our ability to recover deleted data. As of today, there is no answer to this problem.

Cloud computing creates another major hurdle. In the cloud, data are stored in a complex virtual environment that could physically be located anywhere in the world. This creates two problems. From a technical standpoint, there is an alarming lack of forensic tools that work in this environment. Deleted files are also nearly impossible to recover. Legally, it’s a nightmare. With data potentially being scattered across the globe, the legal procedures and standards vary wildly. Although steps are being taken to mitigate this legal dilemma, the situation still persists today.

Being in its infancy, the digital forensics community still has work to do regarding how it conducts its business, especially in relation to the other more traditional disciplines. Chapter 11 will explore this issue.

Acknowledgments

Although my name may be on the cover, this book would not have been possible without the help and support of many people. First, I’d like to thank my family, particularly my wife Lora, and my two girls, Abby and Rae. Their patience, understanding, and willingness to “pick up my slack” while I wrote was invaluable. Thank you, ladies.

Next I’d like to thank Nick Drehel, Rob Attoe, Lt. Lannie Hilboldt, Chris Vance, and Nephi Allred for sharing their expertise and experiences. I have no doubt their contributions made this a better book. My Chair, Dr. Mike Little, and my Dean, Dr. Charles Somerville, also helped make this book a reality. It would have been impossible for me to write this book and still do my “day job” without their support and assistance. Thank you, gentlemen.

I’d like to thank my Editor, Heather Scherer, and my Tech Editor, Jonathan Rajewski, for keeping me on task and on point. Danielle Miller, my Project Manager at Syngress, deserves my thanks as well for putting up with my last minute editing. Many thanks go to Jennifer Rehme and Jonathan Sisson. Jennifer, as my GA, helped keep me afloat during the semester, handling much of my grading and research for this book and other projects. Jonathan, a digital forensics student here at Marshall, created most of the graphics for this book. I have no doubt that each will be wildly successful and real contributors to the forensic science community. I wish you both nothing but continued success after graduation. Finally, I’d like to thank Angelina Ward for giving me this opportunity.

About the Author

John Sammons is an Assistant Professor at Marshall University in Huntington, West Virginia. John teaches digital forensics, electronic discovery, information security and technology in the Department of Integrated Science and Technology. He is also the founder and Director of the Appalachian Institute of Digital Evidence. AIDE is a non-profit organization that provides research and training for digital evidence professionals including attorneys, judges, law enforcement and information security practitioners in the private sector.

Prior to joining the faculty at Marshall, John co-founded Second Creek Technologies, a digital forensics and electronic discovery firm. While at Second Creek, John served as the Managing Partner and CEO. John is a contract instructor for AccessData and is certified by them as both an instructor and examiner. He is a former Huntington Police officer and currently serves as an investigator for the Cabell County (WV) Prosecutors Office. As an investigator, he focuses on Internet crimes against children and child pornography. John is a member of the FBI WV Cybercrime Task Force. John routinely provides training for the legal and law enforcement communities in the areas of digital forensics and electronic discovery. He is an Associate Member of the American Academy of Forensic Sciences, the High Technology Crime Investigation Association, the Southern Criminal Justice Association, and Infragard.

About the Technical Editor

Jonathan Rajewski (EnCe, CCE, CISSP, CFE, CSI, SANS Lethal Forensicator) is an Assistant Professor in the Computer & Digital Forensic program at Champlain College. Aside from his teaching responsibilities he is a member of the Vermont Internet Crimes Task Force serving law enforcement and governmental entities. He is also a Director and Principal Investigator with the Senator Patrick Leahy Center for Digital Investigation. In his prior life he was a Global Senior Digital Forensic Consultant with Protiviti.
He was recently honored as 2011 Digital Forensic Examiner of the Year by www.forensic4cast.com. His high degree of professionalism, passion, and experience in the detection and prevention of white-collar crime complements his ability to teach, manage, and conduct digital forensic investigations. Jonathan has a keen ability to articulate very technical topics and present them in such a way that’s understandable to both experienced and nontechnical audiences. Jonathan is also the author of the 2011->future Undergraduate Digital Forensic curriculum at Champlain College. Jonathan has served many high profile confidential clients and has worked alongside many governmental and corporate teams. Jonathan holds a B.S. in Economic Crime Investigation from Hilbert College and an M.S. in Managing Innovation & Information Technology from Champlain College. Jonathan resides in Vermont with his family.

CHAPTER 1 Introduction

Information in This Chapter:
What Is Forensic Science?
What Is Digital Forensics?
Uses of Digital Forensics
Role of the Forensic Examiner in the Judicial System

“Each betrayal begins with trust.” —“Farmhouse” by the band Phish

INTRODUCTION

Your computer will betray you. This is a lesson that many CEOs, criminals, politicians, and ordinary citizens have learned the hard way. You are leaving a trail, albeit a digital one; it’s a trail nonetheless. Like a coating of fresh snow, these 1s and 0s capture our “footprints” as we go about our daily life. Cell phone records, ATM transactions, web searches, e-mails, and text messages are a few of the footprints we leave. As a society, our heavy use of technology means that we are literally drowning in electronically stored information. And the tide keeps rolling in. Don’t believe me? Check out these numbers from the research company IDC: The digital universe (all the digital information in the world) will reach 1.2 million petabytes in 2010. That’s up by 62% from 2009.
If you can’t get your head around a petabyte, maybe this will help: “One petabyte is equal to: 20 million, four-drawer filing cabinets filled with text or 13.3 years of HD-TV video.” (Mozy, 2009)

The impact of our growing digital dependence is being felt in many domains, not the least of which is the legal system. Every day, digital evidence is finding its way into the world’s courts. This is definitely not your father’s litigation. Gone are the days when records were strictly paper. This new form of evidence presents some very significant challenges to our legal system. Digital evidence is considerably different from paper documents and can’t be handled in the same way. Change, therefore, is inevitable. But the legal system doesn’t turn on a dime. In fact, it’s about as nimble as the Titanic. It’s struggling now to catch up with the blinding speed of technology.

The Basics of Digital Forensics. DOI: 10.1016/B978-1-59749-661-2.00001-2 © 2012 Elsevier, Inc. All rights reserved.

Criminal, civil, and administrative proceedings often focus on digital evidence, which is foreign to many of the key players, including attorneys and judges. We all know folks who don’t check their own e-mail or even know how to surf the Internet. Some lawyers, judges, businesspeople, and cops fit squarely into that category as well. Unfortunately for those people, this blissful ignorance is no longer an option.

Where law-abiding society goes, the bad guys will be very close behind (if not slightly ahead). They have joined us on our laptops, cell phones, iPads, and the Internet. Criminals will always follow the money and leverage any tools, including technology, that can aid in the commission of their crimes.

Although forensic science has been around for years, digital forensics is still in its infancy. It’s still finding its place among the other more established forensic disciplines, such as DNA and toxicology. As a discipline, it is where DNA was many years ago.
Standards and best practices are still being developed. Digital forensics can’t be done without getting under the hood and getting your hands dirty, so to speak. It all starts with the 1’s and 0’s. This binary language underpins not only the function of the computer but how it stores data as well. We need to understand how these 1’s and 0’s are converted into the text, images, and videos we routinely consume and produce on our computers.

WHAT IS FORENSIC SCIENCE?

Let’s start by examining what it’s not. It certainly isn’t Humvees, sunglasses, and expensive suits. It isn’t done without lots of paperwork, and it’s never wrapped up in sixty minutes (with or without commercials). Now that we know what it isn’t, let’s examine what it is. Simply put, forensics is the application of science to solve a legal problem. In forensics, the law and science are forever integrated. Neither can be applied without paying homage to the other. The best scientific evidence in the world is worthless if it’s inadmissible in a court of law.

WHAT IS DIGITAL FORENSICS?

There are many ways to define digital forensics. In Forensic Magazine, Ken Zatyko defined digital forensics this way: “The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.” (Zatyko, 2007)

Digital forensics encompasses much more than just laptop and desktop computers. Mobile devices, networks, and “cloud” systems are very much within the scope of the discipline. It also includes the analysis of images, videos, and audio (in both analog and digital format). The focus of this kind of analysis is generally authenticity, comparison, and enhancement.
USES OF DIGITAL FORENSICS

Digital forensics can be used in a variety of settings, including criminal investigations, civil litigation, intelligence, and administrative matters.

Criminal Investigations

When you mention digital forensics in the context of a criminal investigation, people tend to think first in terms of child pornography and identity theft. Although those investigations certainly focus on digital evidence, they are by no means the only two. In today’s digital world, electronic evidence can be found in almost any criminal investigation conducted. Homicide, sexual assault, robbery, and burglary are just a few of the many examples of “analog” crimes that can leave digital evidence. One of the major struggles in law enforcement is to change the paradigm of the police and get them to think of and seek out digital evidence. Everyday digital devices such as cell phones and gaming consoles can hold a treasure trove of evidence. Unfortunately, none of that evidence will ever see a courtroom if it’s not first recognized and collected. As time moves on and our law enforcement agencies are replenished with “younger blood,” this will become less and less of a problem.

BIND. TORTURE. KILL.

The case of Dennis Rader, better known as the BTK killer, is a great example of the critical role digital forensics can play in a criminal investigation. This case had national attention and, thanks to digital forensics, was solved thirty years later. To all that knew him before his arrest, Dennis Rader was a family man, church member, and dedicated public servant. What they didn’t know was that he was also an accomplished serial killer. Dennis Rader, known as Bind, Torture, Kill (BTK), murdered ten people in Kansas from 1974 to 1991. Rader managed to avoid capture for over thirty years until technology betrayed him. After years of silence, Rader sent a letter to the Wichita Eagle newspaper declaring that he was responsible for the 1986 killing of a young mother.
The letter was received by the Eagle on March 19, 2004. After conferring with the FBI’s Behavioral Analysis Unit, the police decided to attempt to communicate with BTK through the media.

In January 2005, Rader left a note for police, hidden in a cereal box, in the back of a pickup truck belonging to a Home Depot employee. In the note, he said: “Can I communicate with Floppy and not be traced to a computer. Be honest. Under Miscellaneous Section, 494, (Rex, it will be OK), run it for a few days in case I’m out of town-etc. I will try a floppy for a test run some time in the near future-February or March.”

The police did the only thing they could. They lied. As directed, they responded (via an ad in the Eagle) on January 28. The ad read “Rex, it will be ok, Contact me PO Box 1st four ref.numbers at 67202.”

On February 16, a manila envelope arrived at KSAS, the Fox affiliate in Wichita. Inside was a purple floppy disc from BTK. The disc contained a file named “Test A.rtf.” (The .rtf extension stands for “Rich Text File.”) A forensic exam of the file struck gold. The file’s metadata (the data about the data) gave investigators the leads they had been waiting over thirty years for. Aside from the “Date Created” (Thursday, February 10, 2005 6:05:34 PM) and the “Date Modified” (Monday, February 14, 2005 2:47:44 PM) were the “Title” (Christ Lutheran Church) and “Last Saved By:” (Dennis).

Armed with this information, investigators quickly logged on to the Christ Lutheran Church web site. There they found that Dennis Rader was the president of the church’s Congregation Council. The noose was tightening, but it wasn’t tight enough. Investigators turned to DNA to make the case airtight. Detectives went on to obtain a DNA sample from Rader’s daughter and compared it to DNA from BTK. The results proved that BTK was her father. On February 25, three days after the DNA sample arrived at the lab, Rader was arrested, sealing the fate of BTK.
He is currently serving ten consecutive life sentences (Wichita Eagle).

Civil Litigation

The use of digital forensics in civil cases is big business. In 2011, the estimated total worth of the electronic discovery market is somewhere north of $780 million (Global EDD Group). As part of a process known as Electronic Discovery (eDiscovery), digital forensics has become a major component of much high-dollar litigation. eDiscovery “refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case” (TechTarget, 2005).

In a civil case, both parties are generally entitled to examine the evidence that will be used against them prior to trial. This legal process is known as “discovery.” Previously, discovery was largely a paper-based exercise, with each party exchanging reports, letters, and memos; however, the introduction of digital forensics and eDiscovery has greatly changed this practice. The proliferation of the computer has rendered that practice nearly extinct. Today, parties no longer talk about filing cabinets, ledgers, and memos; they talk about hard drives, spreadsheets, and file types. Some paper-based materials may come into play, but it’s more the exception than the rule.

Seeing the evidentiary landscape rapidly changing, the courts have begun to modify the rules of evidence. The rules of evidence, be they state or federal rules, govern how digital evidence can be admitted during civil litigation. The Federal Rules of Civil Procedure were changed in December 2006 to specifically address how electronically stored information is to be handled in these cases.

Digital evidence can quickly become the focal point of a case, no matter what kind of legal proceeding it’s used in. The legal system and all its players are struggling to deal with this new reality.
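The metadata that broke the BTK case (Title, Last Saved By, and the created and modified times) is stored in an RTF file's \info group. As an added example, not code from the book, here is a small Python parser for that group run over a constructed document whose values mirror the ones the chapter reports; it assumes plain ASCII RTF with balanced, unescaped braces.

```python
"""Read document metadata out of the RTF \\info group.

Added example (not from the book). RTF keeps document properties in a
{\\info ...} group: \\title, \\author, \\operator ("Last Saved By"),
\\creatim (created) and \\revtim (last modified). The sample document
below is constructed to mirror the values the chapter reports for the
BTK floppy; it is not the actual file from the case.
"""
import re
from datetime import datetime

# Constructed sample; metadata values mirror what the chapter reports.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"{\info{\title Christ Lutheran Church}{\author Dennis}{\operator Dennis}"
    r"{\creatim\yr2005\mo2\dy10\hr18\min5\sec34}"
    r"{\revtim\yr2005\mo2\dy14\hr14\min47\sec44}}"
    r"\pard\f0 This is a test.\par}"
)

_TIME_RE = re.compile(r"\\(yr|mo|dy|hr|min|sec)(\d+)")


def _extract_group(rtf, name):
    """Return the contents of the first {\\name ...} group with its outer
    braces removed, tracking brace depth so nested groups stay intact.
    Assumes braces are balanced and not escaped (\\{ or \\})."""
    match = re.search(r"\{\\" + re.escape(name) + r"(?![A-Za-z])", rtf)
    if match is None:
        return None
    depth = 0
    for i in range(match.start(), len(rtf)):
        ch = rtf[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return rtf[match.start() + 1 : i]
    return None  # unbalanced braces: treat the group as absent


def _group_text(info, name):
    """Text payload of a {\\name Some text} group, or None if missing."""
    body = _extract_group(info, name)
    if body is None:
        return None
    return body[len(name) + 1 :].strip()  # drop "\\name" and its delimiter


def _group_time(info, name):
    """Timestamp of a {\\name\\yr..\\mo..\\dy..\\hr..\\min..\\sec..} group."""
    body = _extract_group(info, name)
    if body is None:
        return None
    parts = {"yr": 0, "mo": 1, "dy": 1, "hr": 0, "min": 0, "sec": 0}
    for key, value in _TIME_RE.findall(body):
        parts[key] = int(value)
    if parts["yr"] == 0:
        return None  # no usable year recorded
    return datetime(parts["yr"], parts["mo"], parts["dy"],
                    parts["hr"], parts["min"], parts["sec"])


def rtf_metadata(rtf):
    """Return the document-property fields an examiner reports, keyed the
    way the chapter names them. Empty dict if there is no \\info group."""
    info = _extract_group(rtf, "info")
    if info is None:
        return {}
    return {
        "title": _group_text(info, "title"),
        "author": _group_text(info, "author"),
        "last_saved_by": _group_text(info, "operator"),
        "created": _group_time(info, "creatim"),
        "modified": _group_time(info, "revtim"),
    }


if __name__ == "__main__":
    for field, value in rtf_metadata(SAMPLE_RTF).items():
        print(f"{field:>14}: {value}")
```

The same walk works on a real .rtf read with open(path, encoding="ascii", errors="replace").read(); only the timestamps need converting from the \yr/\mo/\dy control words, which carry no time zone.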
Intelligence

Terrorists and foreign governments, the purview of our intelligence agencies, have also joined the digital age. Terrorists have been using information technology to communicate, recruit, and plan attacks. In Iraq and Afghanistan, our armed forces are exploiting intelligence collected from digital devices brought straight from the battlefield. This process is known as DOMEX (Document and Media Exploitation). DOMEX is paying large dividends, providing actionable intelligence to support the soldiers on the ground (U.S. Army).

MOUSSAOUI

It’s well documented that the 9-11 hijackers sought out and received flight training in order to facilitate the deadliest terrorist attack ever on U.S. soil. Digital forensics played a role in the investigation of this aspect of the attack. On August 16, 2001, Zacarias Moussaoui was arrested by INS agents in Eagan, Minnesota, for overstaying his visa. Agents also seized a laptop and floppy disk. After obtaining a search warrant, the FBI searched these two items on September 11, 2001. During the analysis, they found evidence of a Hotmail account ([email protected]) used by Moussaoui. He used this account to send e-mail to the flight school as well as other aviation organizations.

For those not familiar with Hotmail accounts, it’s a free e-mail service offered by Microsoft, similar to Gmail and Yahoo!. They’re quite easy to get and only require basic subscriber information. This information is essentially meaningless, because none of the information is verified.

During the exam of Moussaoui’s e-mail, agents were also able to analyze the Internet protocol connection logs. One of the IP addresses identified was assigned to “PC11” in a computer lab at the University of Oklahoma. The investigation further showed that Moussaoui and the rest of the nineteen hijackers made extensive use of computers at a variety of Kinko’s store locations in other cities. Agents arrived at the Kinko’s in Eagan hoping to uncover evidence.
They were disappointed to learn that this specific Kinko’s makes a practice of erasing the drives on their rental computers every day. Now forty-four days after Moussaoui’s visit, the agents felt the odds of recovering any evidence would be somewhere between slim and none. They didn’t bother examining the Kinko’s computer. The Eagan store isn’t alone. Other locations make a routine practice of erasing or reimaging the rental computers as well. This is done periodically, some as soon as twenty-four hours, others as long as thirty days. The drives are erased to improve the performance and reliability of the computers as well as to protect the privacy of its customers (Lawler, 2002).

Administrative Matters

Digital evidence can also be valuable for incidents other than litigation and matters of national security. Violations of policy and procedure often involve some type of electronically stored information, for example, an employee operating a personal side business, using company computers while on company time. That may not constitute a violation of the law, but it may warrant an investigation by the company.

THE SECURITIES AND EXCHANGE COMMISSION (SEC)

In 2008, while the economy was in the beginning of its historic downward spiral, the Securities and Exchange Commission (SEC) should have been policing Wall Street. Instead, many of them were spending hours of their days watching pornography. Computer forensics played heavily in this administrative investigation. In August 2007, the SEC’s Office of the Inspector General (OIG) officially opened an investigation into the potential misuse of governmental computers. The OIG was alerted to a potential problem after firewall logs identified several users that had received access denials for Internet pornography. The SEC firewall was configured to block and log this kind of traffic.
The logs showed that this employee attempted to visit sites such as www.thefetishvault.com, www.bondagetemple.com, www.rape-cartoons.com, and www.pornobaron.com.

On September 5, 2007, the OIG notified the Regional Director that one of his employees was the focus of an investigation regarding the misuse of their government computer. On September 19 this same employee reported that her laptop hard drive suddenly crashed. She was issued a replacement drive and went back to work. A forensic analysis of her hard drive found 592 pornographic images (in her temporary Internet files) along with evidence that she had attempted to bypass the SEC’s Internet filters.

The scope of this investigation eventually expanded considerably, identifying several more employees or contractors that were viewing pornography on their governmental computers while at work. After further investigation, the OIG found that:
A Regional Staff Accountant received over sixteen thousand access denials for pornographic web sites in a single month.
A Senior Counsel for the Division of Enforcement accessed pornography from his SEC laptop computer on multiple occasions. His hard drive contained 775 pornographic images.
A Senior Attorney at Headquarters downloaded so much pornography that he literally ran out of disk space.

The report went on to list the policies that prohibited these behaviors. It says in part: “SECR 24-4.3 TK IIIC, provides that ‘[m]isuse or inappropriate personal use of government office equipment includes the creation, download, viewing, storage, copying, or transmission of materials related to gambling, weapons, terrorist activities, and any other illegal activities or activities otherwise prohibited etc’ id at 3.
The cover memorandum to SEC employees accompanying SECR 24-4.3 states that employees are prohibited from “accessing materials related to illegal or prohibited activities, including sexually explicit materials.” In the end, as this was not considered to be a crime, the entire matter was referred to the SEC administration for disposition (U.S. Securities and Exchange Commission).

LOCARD’S EXCHANGE PRINCIPLE

Locard’s exchange principle says that in the physical world, when perpetrators enter or leave a crime scene, they will leave something behind and take something with them. Examples include DNA, latent prints, hair, and fibers (Saferstein, 2006). The same holds true in digital forensics. Registry keys and log files can serve as the digital equivalent to hair and fiber (Carvey, 2005). Like DNA, our ability to detect and analyze these artifacts relies heavily on the technology available at the time. Look at the numerous cold cases that are being solved as a result of the significant advances in DNA science. Viewing a device or incident through the “lens” of Locard’s principle can be very helpful in locating and interpreting not only physical but digital evidence as well.

SCIENTIFIC METHOD

As an emerging discipline in forensic science, digital forensics is undergoing some expected growing pains. As of today, digital forensics lacks the vast foundation and long-term track record set by forensic DNA. DNA is now considered by many to be the “gold standard” of the forensic sciences. Digital forensics simply lacks the years of development, testing, refining, and legal challenges DNA has undergone since its inception.

Plotting the course forward are several organizations that are looked on to establish the protocols, standards, and procedures that will push digital forensics ahead. The following sections provide more information on these important organizations.
ORGANIZATIONS OF NOTE

There are several organizations that make significant contributions to the discipline of digital forensics year in and year out. These organizations not only set standards and establish best practices, they provide leadership as well. Examiners should be familiar with these entities, the roles they play, and the contributions they make. As professionals, it’s our responsibility to participate in one or more of these organizations.

Scientific Working Group on Digital Evidence
http://www.swgde.org/

Standards and techniques are an essential part of valid and accurate forensic science. They are its foundation, its core. Along with other federal agencies, the FBI has supported the formation and efforts of a wide range of Scientific Working Groups (SWGs) and Technical Working Groups (TWGs) (Federal Bureau of Investigation). These collaborative groups draw their members from “forensic, industrial, commercial, academic and in some cases international communities” (Federal Bureau of Investigation). Some examples include the Scientific Working Group for DNA Analysis Methods (SWGDAM) and the Scientific Working Group for Firearms and Toolmarks (SWGGUN). Digital evidence has now joined the party with the formation of SWGDE.

Formed in 1998, the Scientific Working Group on Digital Evidence (SWGDE) is made up of “federal government agency, state or local law enforcement agency involved in the digital and multi-media forensic profession” (Scientific Working Group on Digital Evidence). The mission of SWGDE is as follows: “Brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as ensuring quality and consistency within the forensic community” (Scientific Working Group on Digital Evidence).
American Academy of Forensic Sciences
http://www.aafs.org/

The American Academy of Forensic Sciences (AAFS) is considered the premier forensic organization in the world. Members of the Academy work for the National Institute of Standards and Technology (NIST) and National Academy of Sciences (NAS). The directors of most federal crime labs are members of AAFS. Members of AAFS are also active in the various Scientific Working Groups including SWGDE. The Academy plays a critical role in developing consensus standards of practice for the forensic community.

The Forensic Science Education Programs Accreditation Commission (FEPAC) was a creation of AAFS to ensure quality forensic science education and background for future forensic scientists. The AAFS has approximately six thousand members and is divided into “eleven sections spanning the forensic enterprise.” The Academy comprises “physicians, attorneys, dentists, toxicologists, physical anthropologists, document examiners, psychiatrists, physicists, engineers, criminalists, educators, digital evidence experts, and others” (American Academy of Forensic Sciences). The Digital & Multimedia Sciences section represents digital forensics. As of November 3, 2010, the Digital Evidence section had 103 members. Despite the name, the reach of the AAFS is truly global, representing over sixty countries around the world (American Academy of Forensic Sciences).

American Society of Crime Laboratory Directors/Laboratory Accreditation Board
http://www.ascld-lab.org/index.htm

ASCLD/LAB is pronounced “as-clad lab.” The ASCLD is to forensic laboratories what Underwriters Labs is to household products. ASCLD/LAB is the “oldest and most well known crime/forensic laboratory accrediting body in the world.” ASCLD/LAB accredited labs are the “gold standard” in the world of forensics.
A lab becomes accredited only after successfully meeting all of the standards and requirements set forth in the ASCLD/LAB accreditation manual. These requirements and standards cover every aspect of a lab’s operation and must be strictly followed. Adherence to these standards must be thoroughly and completely documented (American Society of Crime Laboratory Directors/Laboratory Accreditation Board).

National Institute of Standards and Technology (NIST)
http://www.nist.gov/itl/ssd/computerforensics.cfm

National Institute of Standards and Technology (NIST) was founded in 1901 and is a part of the U.S. Department of Commerce. It was the first federal physical science research laboratory. Some of NIST’s areas of focus include bioscience and health, chemistry, physics, math, quality, and information technology (National Institute of Standards and Technology).

NIST is heavily involved in digital forensics. Some of the programs and projects include:
National Initiative Cyber Security Education (NICE)—A national cybersecurity education program teaching sound cyber practices that will improve the country’s security.
National Software References Library—A collection of known software file signatures that can be used by examiners to quickly exclude files that have no investigative value. This would include things like operating system files. This can really reduce the time spent on an examination.
Computer Forensic Tool Testing—Intended to develop testing methodologies and standards for forensic hardware and software. (National Institute of Standards and Technology)

American Society for Testing and Materials (ASTM)
http://www.astm.org/Standards/E2763.htm

Another major player in the development of standards is ASTM.
ASTM is a global organization that has developed approximately twelve thousand standards that are used to “improve product quality, enhance safety, facilitate market access and trade, and build consumer confidence.” ASTM, founded in 1898, comprises about 30,000 members broken into 141 committees. The Forensics Sciences committee, known as E30, is further divided into several subcommittees. The Digital and Multimedia Evidence subcommittee is known as E30.12 (ASTM).

ROLE OF THE FORENSIC EXAMINER IN THE JUDICIAL SYSTEM

The digital forensics practitioner most often plays the role of an expert witness. What makes them different than nonexpert witnesses? Other witnesses can only testify to what they did or saw. They are generally limited to those areas and not permitted to render an opinion. Experts, by contrast, can and often do give their opinion. What makes someone an “expert?” In the legal sense, it’s someone who can assist the judge or jury to understand and interpret evidence they may be unfamiliar with. To be considered an expert in a court of law, one doesn’t have to possess an advanced academic degree. An expert simply must know more about a particular subject than the average lay person. Under the legal definition, a doctor, scientist, baker, or garbage collector could be qualified as an expert witness in a court of law. Individuals are qualified as experts by the court based on their training, experience, education, and so on (Saferstein, 2011).

What separates a qualified expert from a truly effective one? It is their ability to communicate with the judge and jury. They must be effective teachers. The vast majority of society lacks the technical understanding to fully grasp this kind of testimony without at least some explanation. Digital forensic examiners must carry out their duties without bias. Lastly, a digital forensics examiner must go where the evidence takes them without any preconceived notions.
The CSI Effect

It seems that everyone either does or has watched one or more versions of the popular TV series CSI. These shows and others like it tend to convince jurors that some form of forensic science can solve any case. In other words, they now expect it. These unreasonable expectations can lead to incorrect verdicts. The jury could acquit a guilty defendant simply because no scientific evidence was presented, the presumption being that if the defendant was guilty, there would be some kind of scientific evidence to prove it (Saferstein, 2011).

SUMMARY

In this chapter we looked at what forensic science, particularly digital forensics, is and is not. Forensic sciences aren’t the fast-paced crime-solving dramas that we watch on television, but a scientific method of collection, investigation and analysis used to solve some kind of legal problem. Digital forensics isn’t limited to computers. It encompasses any kind of electronic device that can store data. These devices include cell phones, tablets, and GPS units just to name a few.

Digital forensics is applicable well beyond criminal investigations. It’s used routinely in civil litigation, national and military intelligence matters as well as the private sector.

There are multiple organizations that help establish the standards and best practices used in digital forensics. These organizations include the American Academy of Forensic Sciences, the Scientific Working Group on Digital Evidence, and ASTM.

As a practitioner, communication skills are extremely important. You will spend a significant amount of time explaining your findings to police officers, attorneys, and clients. Most important, you must be able to explain these things to judges and juries. All of these stakeholders must be able to understand your methods and findings. Like all scientific evidence, digital evidence can be quite confusing and overwhelming. With this kind of testimony, it’s very easy to lose people.
Losing a judge or jury in a trial can have disastrous consequences such as having your findings ignored or misunderstood.

References

American Academy of Forensic Sciences. (n.d.). About AAFS. Retrieved February 4, 2011, from: http://www.aafs.org/about-aafs
ASTM. (n.d.). ABOUT: ASTM. Retrieved February 23, 2011, from: http://www.astm.org/ABOUT/aboutASTM.html
ASTM. (n.d.). E30. Retrieved February 23, 2011, from: http://www.astm.org/COMMIT/SUBCOMMIT/E30.htm
ASTM. (n.d.). Overview: ABOUT: ASTM. Retrieved February 23, 2011, from: http://www.astm.org/ABOUT/overview.html
Carvey, H. (2005, January 27). Locard’s Exchange Principle in the Digital World: Windows Incident Response. Retrieved February 23, 2011, from: http://windowsir.blogspot.com/2005/01/locards-exchange-principle-in-digital.html
Federal Bureau of Investigation. (n.d.). Scientific Working Groups: Federal Bureau of Investigation. Retrieved February 19, 2011, from: http://www.fbi.gov/about-us/lab/swgs
Lawler, B. A. (2002, September 4). Government’s Response to Court’s Order on Computer and Email Evidence. Retrieved September 13, 2011, from FindLaw.com: news.findlaw.com/hdocs/docs/moussaoui/usmouss90402grsp.pdf
McKendrick, J. (2010, May 12). Size of the Data Universe: 1.2 Zettabytes and Growing Fast: ZDNet. Retrieved February 23, 2011, from: http://www.zdnet.com/blog/service-oriented/size-of-the-data-universe-12-zettabytes-and-growing-fast/4750
Regional Computer Forensics Laboratory. (n.d.). RCFL: Regional Computer Forensics Laboratory. Retrieved February 4, 2011, from: http://www.rcfl.gov/
Saferstein, R. (2006). Criminalistics: An Introduction to Forensic Science (College Edition). Upper Saddle River, New Jersey: Prentice Hall.
Scientific Working Group on Digital Evidence. (n.d.). Scientific Working Group on Digital Evidence—About Us. Retrieved February 4, 2011, from: http://www.swgde.org
Stuart, J., Nordby, J. J., & Bell, S. (2009).
Forensic Science: An Introduction to Scientific and Investigative Techniques. February 20, 2009 (3rd ed.). Boca Raton, FL: CRC Press.
U.S. Army. (n.d.). Document and Media Exploitation (DOMEX): 2010 Army Posture Statement. Retrieved February 23, 2011, from: https://secureweb2.hqda.pentagon.mil/vdas_armyposturestatement/2010/information_papers/Document_and_Media_Exploitation_%28DOMEX%29.asp
U.S. Department of Justice. (2009). RCFL Annual Report for Fiscal Year 2009. Washington, DC: U.S. Department of Justice.
Zatyko, K. (n.d.). Commentary: Defining Digital Forensics. Retrieved February 19, 2011, from: http://www.forensicmag.com/node/128

CHAPTER 2 Key Technical Concepts

Information in This Chapter:
Basic Computer Operation
Bits & Bytes
File Extensions and File Signatures
How Computers Store Data
Random Access Memory
Volatility of Data
The Difference Between Computer Environments
Active, Latent, and Archival Data
The Difference Between Allocated and Unallocated Space
Computer File Systems

INTRODUCTION

Intimate knowledge of the inner workings of a computer is critical for the digital forensics practitioner. It’s this knowledge that permits us to conduct a thorough examination of the evidence and render an accurate opinion. Simply put, we can’t do our job without it. Not all processes and hardware hold the same value forensically. Memory and storage play a major role in almost any examination. The processor or CPU, by contrast, plays little if any role. This chapter takes a broad look at some of the technical details of basic computing. Its focus will be on the major areas that impact an investigation. There is no substitute for the mastery of this material. Our responsibilities as an expert witness include explaining technical subject matter in a way that the average person is able to understand.

BITS, BYTES, AND NUMBERING SCHEMES

To the computer, things are pretty black and white. It’s all about the 1s and 0s.
Computers use a language called binary. In binary, there are only two possible outcomes: a 1 or a 0. Each 1 or 0 is called a bit. In mathematical terms, binary is classified as a base 2 numbering system. In comparison, we use a base 10 numeral system known as decimal. Decimal uses numerals 0–9. To speed things up, computers work with larger collections of bits. These larger chunks of data are called bytes. A byte is made up of eight bits. It looks like this: 01101001.

How do bytes relate to letters and numbers? Each letter, number, space, and special character is represented by a single byte. For example, using the ASCII character set 01000001 represents an uppercase “A,” while a lowercase “a” is 01100001.

Let’s do a little experiment so that you can see this in action. Open a new text document (using a plain text editor, not a word processing application like MS Word) on your computer and type the phrase “Marshall University Digital Forensics.” Now, count all the letters and spaces. Next, save and close the new text file to your desktop. Right click on the file and select properties. What’s the file size? It should be 26 bytes, which is also the exact number of letters and spaces.

To get a broader perspective, let’s look at all of the binary necessary to represent our sample phrase “Marshall University Digital Forensics”:

0100110101100001011100100111001101101000011000010110 110001101100001000000101010101101110011010010111011 0011001010111001001110011011010010111010001111001001 0000001000100011010010110011101101001011101000110000 1011011000010000001000110011011110111001001100101011 0111001110011011010010110001101110011

At first glance, that’s a little tough to read, no doubt. Fortunately, there is a shorthand that we can use to make this more readable. This shorthand is called hexadecimal.

The Basics of Digital Forensics. DOI: 10.1016/B978-1-59749-661-2.00002-4 © 2012 Elsevier, Inc. All rights reserved.
Hexadecimal
Hexadecimal, or hex, is a base 16 system that is an expedient way to express binary numbers. Hex is expressed using the numerals 0–9 and the letters A–F. An uppercase “M” is expressed as 4D in hexadecimal. A lowercase “a” is 61. Quite often you will see a hexadecimal number expressed with the prefix 0x. This prefix or the suffix “h” is used to designate or identify it as a hexadecimal or base 16 number. Here is the same phrase (Marshall University Digital Forensics) expressed in hexadecimal:

4D 61 72 73 68 61 6C 6C 20 55 6E 69 76 65 72 73 69 74 79 20 44 69 67 69 74 61 6C 20 46 6F 72 65 6E 73 69 63 73

If you look closer, you’ll see the number “20” repeated throughout the string. The number “20” in hex represents a space.

Binary to Text: ASCII and Unicode
So how do these 1s and 0s end up as As and Bs? Computers use encoding schemes to convert binary into something humans can read. There are two encoding schemes we need to be concerned with, ASCII and Unicode. ASCII, the American Standard Code for Information Interchange, is the encoding scheme used for the English language. ASCII defines 128 characters, of which only 94 are actually printable. The rest are control characters used for spacing and processing. In contrast, Unicode is intended to represent all of the world’s languages and consists of thousands of characters (Unicode Inc., 2010).

So, how is this relevant to digital forensics? In many instances, examiners must look at the data at the “bit” and “byte” level to find, extract, and interpret the evidence. This is most evident in a process called file carving. File carving is done to locate and mine out files from amorphous blobs of data, like the unallocated space (also known as free space). The first step in the file carving process is to identify the potential file. Normally, the file is identified by the header, if it has one.
Once the footer is found, the file can be extracted through a simple copy and paste as long as it is continuous. A fragmented file is far more difficult to recover (Casey, 2011). Having the ability to interpret binary and hex makes file carving possible.

FILE EXTENSIONS AND FILE SIGNATURES
Fundamentally, files are strings or sequences of bits and bytes. Identifying a file can be done in a couple of different ways. File extensions are the most common. As users, we usually identify the file type by the file extension, if the system is configured to display it. An operating system can be set such that file extensions are hidden. File extensions are the suffixes added to the end of a computer file name, indicating its format. Examples would include .docx and .pptx (for the latest versions of Microsoft Word and PowerPoint, respectively).

For our purposes, a file extension isn’t the most reliable way to identify a file. The file extension is very easily changed, requiring only a mouse click and a couple of keystrokes. You can try this yourself. In Windows, simply right click on the file name and rename it, changing the extension. Let’s say we change the extension of a Word file to that of an image, JPEG for example. This is easily accomplished. On a Windows machine, simply click, slight pause, click again. On a Mac, it’s click + Return. What happens when we try to open that file? Nothing. It won’t open. Change it back and it opens right up.

Some people will attempt to take advantage of this ability to change file extensions as a way to conceal data, hiding them in plain sight. Forensically, this approach is not very effective. Forensic tools identify files based on the header, not the file extension. Many tools will even separate out those files whose header does not match the extension, making them easily discovered. This comparison is generally known as file signature analysis. Figures 2.1 and 2.2 illustrate what happens when a file extension is changed.
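The following Python script is an added example, not code from the book: it reproduces on constructed sample bytes what the last three sections describe, a hex-editor style view of the sample phrase (every space shows as 20, as in Figure 2.2), a header-versus-extension check of a Word document renamed to .mp3, and header/footer carving of a JPEG out of a blob standing in for unallocated space. The signatures are the well-known magic numbers for those formats; the file contents, names and the blob are constructed for illustration.

```python
import os

# Well-known file signatures: header bytes and, where the format has one, the footer.
# ZIP is listed because .docx and .pptx files are ZIP containers.
SIGNATURES = {
    "zip/docx": (b"PK\x03\x04", None),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "mp3": (b"ID3", None),  # MP3 file carrying an ID3v2 tag
    "pdf": (b"%PDF-", b"%%EOF"),
}
# The header each extension is expected to carry.
EXTENSION_TO_TYPE = {".docx": "zip/docx", ".pptx": "zip/docx", ".jpg": "jpeg",
                     ".jpeg": "jpeg", ".mp3": "mp3", ".pdf": "pdf"}


def hexdump(data, width=16):
    """Render bytes the way a hex editor does: offset, hex column, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return lines


def identify(data):
    """Identify a file type from its header alone, ignoring the file name."""
    for name, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def signature_mismatch(filename, data):
    """File signature analysis: True when the extension and the header disagree."""
    expected = EXTENSION_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    return identify(data) != expected


def carve(blob, file_type):
    """Carve every contiguous file of one type out of a blob (e.g. unallocated
    space): find the header, then the next footer, and copy what lies between."""
    header, footer = SIGNATURES[file_type]
    if footer is None:
        raise ValueError(f"{file_type} has no footer; its length must come from its structure")
    found, pos = [], 0
    while (start := blob.find(header, pos)) != -1:
        end = blob.find(footer, start + len(header))
        if end == -1:  # header with no footer: a truncated or fragmented file
            break
        end += len(footer)
        found.append(blob[start:end])
        pos = end
    return found


# Constructed sample data (not real files).
PHRASE = b"Marshall University Digital Forensics"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF body bytes" + b"\xff\xd9"
RENAMED_DOCX = b"PK\x03\x04" + b"zip entries of a Word document ..."  # ZIP header, as a .docx has
UNALLOCATED = b"\x00" * 7 + FAKE_JPEG + b"\x00" * 5 + FAKE_JPEG[:-2] + b"junk"

if __name__ == "__main__":
    print("\n".join(hexdump(PHRASE)))                            # spaces appear as 20
    print(identify(RENAMED_DOCX))                                # zip/docx
    print(signature_mismatch("Smoking Gun.mp3", RENAMED_DOCX))  # True
    print([len(f) for f in carve(UNALLOCATED, "jpeg")])          # [21]
```

The second JPEG header in the blob has no footer, so the carver stops there rather than copying past the end of the file, which is the situation the text describes for fragmented or truncated files.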
FIGURE 2.1 Here we’ve changed the file extension on “Smoking Gun.docx” to .mp3. Note that the icon has changed. Graphic courtesy of Jonathan Sisson.

FIGURE 2.2 Here is the hexadecimal view of “Smoking Gun.mp3.” Note the highlighted file header showing this is actually a Word document. Graphic courtesy of Jonathan Sisson.

STORAGE AND MEMORY
Where and how data are stored and written is one of the major fundamental concepts that must be learned. There is more than one way to write data. Today, data are generally written in three different ways: electromagnetism, microscopic electrical transistors (flash), and reflecting light (CDs, DVDs, etc.). Storage locations inside a computer serve different purposes. Some are for the short term, used to temporarily hold the data that the computer is using at the moment. Others are for more permanent, long-term keeping.

Magnetic Disks
Most drives in today’s computers read and write data magnetically. They will render each particle either magnetized or not magnetized. If the particle is magnetized, it’s read as a 1. If not, it’s read as a 0. The drives themselves are usually made up of aluminum platters coated with a magnetic material. These platters spin at very high speeds. The platters spin in the neighborhood of 7,000 rpm to 15,000 rpm. The speed could even be greater for high-end drives. These heavy-duty drives are typically found in servers or professional grade workstations. From a forensic standpoint, faster drive speeds can result in faster acquisitions.

Let’s look at the major parts of a standard hard drive. The platters revolve around a small rod called a spindle. The data are physically written to the platter using a read/write head attached to an actuator arm, which is powered by the actuator itself. The actuator arm moves the head across the platter(s), reading and writing data. The read/write head floats on a cushion of air.
The read/write head, as it’s called, is barely floating above the platter surface, at a height less than the diameter of a human hair. These devices are really pretty amazing. Figure 2.3 shows us the inside of a typical magnetic drive. We can clearly see the platters, actuator arm, and the read/write head.

FIGURE 2.3 The inside of a typical magnetic drive.

Flash Memory
Flash memory is used in a wide range of devices. Thumb drives and memory cards provide reliable storage in a very portable package, allowing us to take more pictures and take our files on the road. Unlike other kinds of memory, flash memory retains our data even without electricity. Flash is made up of transistors. Each transistor is either carrying an electric charge or it isn’t. When the transistor is charged, it is read as a “1”; without a charge it’s read as a “0.”

Flash-based hard drives are starting to become more and more common. Unlike magnetic drives, flash drives are solid state, meaning that they have no moving parts. They are often referred to as an SSD or “Solid State Drive.” They offer several significant advantages including increased speed, less susceptibility to shock, and lower power consumption. SSDs will play a major role in computing and digital forensics going forward. Although these devices offer improved performance, they also present a major challenge to digital forensics. We’ll take a deeper look at the momentous challenge presented by SSDs in Chapter 11.

Optical Storage
Optical media read and write data using a laser light along with a reflective material incorporated into optical discs. Optical discs are made of a polycarbonate base covered by a thin layer of aluminum. The disc is then coated with a clear acrylic material for protective purposes. During the manufacturing process, the disc’s surface is embossed with tiny bumps. This series of bumps forms one long, single, spiral track.
A laser projects a highly focused beam of light onto the track. The light is reflected differently from the bumps and the spaces in between, called “lands.” This change in reflectivity is what the system reads as binary (Brain). The most common types of optical storage media include CDs, DVDs, and Blu-ray discs (Brain).

Volatile versus Nonvolatile Memory
Memory and storage are two terms that are somewhat synonymous when it comes to computers. They both refer to internal places where data are kept. Memory is used for the short-term storage, while storage is more permanent. No matter what you call it, there is a significant difference between the two, especially from a forensic perspective. That difference lies in the data’s volatility. Data in RAM exist only as long as power is supplied. Once the power is removed (i.e., the machine is turned off), the data start to disappear. This behavior makes this kind of memory volatile. In contrast, files saved on your hard drive remain even after the computer is powered down, making it nonvolatile (Cooper, 2004).

RAM stores all the data that are currently being worked on by the Central Processing Unit (CPU). Data are fed from the RAM to the CPU, where they are executed. Traditionally, forensic analysis of a computer focused on the hard drive, as much of the evidence can be found there. Today, we’re finding that’s not always the case. Some instant messaging applications, for example, don’t write to the hard drive unless the logging feature is turned on. AOL Instant Messenger and MSN fall into that category. So, if logging is off (which it is by default), the only evidence will be found in RAM while the machine is running.

COMPUTING ENVIRONMENTS
Not all computing “environments” are created equal. There are substantial differences between them. We can encounter individual computers, networks of various sizes, or even more complex systems.
These disparities will have a significant impact on your collection process, where you look for data, the tools you will use, and the level of complexity required. An accurate characterization of the environment is useful to have right from the start of an investigation, even before you respond to a scene. Environments can be broken down into four categories: stand-alone, networked, mainframe, and the cloud.

A stand-alone computer is one that is not connected to another computer. These are the easiest to deal with and investigate. Possible locations for evidence are reasonably confined. Stand-alone systems are routinely encountered in residences such as apartments and houses.

A networked computer is connected to at least one other computer and potentially many, many others. This escalates the complexity as well as the places evidence could be found. We now can see files and artifacts normally found on the local machine spread out to servers or other machines. This environment introduces a variety of variables into the equation. Even though networks are more commonly found in a business setting, they are found more and more in homes.

Unlike a stand-alone machine, a mainframe system centralizes all of the computing power into one location. Processors, storage, and applications can all be located and controlled from a single location.

Cloud Computing
You may not be familiar with the term “cloud computing,” but if you use Gmail, Facebook, or Twitter, you’re already using it. Cloud computing is a hot topic these days, garnering much attention from both the IT and business communities. This “new” model of computing is very similar in many respects to the mainframe systems of old. Like the mainframe, the computing resources are moved from the local machine to some other centralized place. The cloud model presents some very interesting features that make it attractive to businesses, especially from a cost perspective.
The cloud offers software along with computing infrastructure and platforms on an elastic, pay-per-use model. This affords companies the luxury of only paying for what they use. Technology behemoths such as Microsoft, Google, and Amazon are just three of the companies that are jumping on the bandwagon offering cloud services. Cloud services include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). All of these are delivered over the Internet. In the cloud, customers only pay for the resources they actually use, just like the way we pay for our water and electricity.

IaaS
With IaaS, organizations outsource their hardware needs to a service provider. This would include everyday hardware needs such as servers, storage, and the like. The associated costs for running and maintaining the hardware are paid by the provider.

PaaS
Programmers develop their software to function in specific computing environments (operating system, services, etc.). PaaS gives developers the ability to rent the environment (hardware, operating systems, storage, servers, etc.) on an “as-needed” basis. PaaS provides excellent flexibility in that the operating system can be modified or upgraded frequently.

SaaS
In the cloud, SaaS provides applications on demand to customers over the Internet. These applications are hosted and maintained by the service provider.

The cloud represents a huge challenge to the digital forensic community, from both a technical and a legal standpoint. Technically, the cloud presents a very complicated, virtualized environment that frustrates if not downright negates many routine forensic procedures. Legally, it can be a jurisdictional nightmare. In the cloud, data know no bounds. The evidence can literally be in the next state or a foreign country halfway around the globe. We’ll look closer at the cloud and its impact on forensics in Chapter 11.
DATA TYPES
Data can be lumped into three broad categories: active, latent, and archival. Looking at data in this way helps in clarifying their location, how they’re accounted for by the file system, how they can be accessed by the user, and so on. It also helps to narrow down the cost and effort required to recover the data in question.

Active Data
Active data are the data that we use every day on our computers. The operating system “sees” and tracks these files. You can locate these files using Windows Explorer. These are the files that reside in the allocated space of the drive. These data can be acquired with standard forensic cloning techniques.

Latent Data
Data that have been deleted or partially overwritten are classified as latent. These files are no longer tracked by the operating system and are therefore “invisible” to the average user. Go looking for one of these files with Windows Explorer and you won’t find it. A bit stream or forensic image is required to collect these data.

Archival Data
Archival data, or backups, can take many forms. External hard drives, DVDs, and backup tapes are just a few examples. Acquisition of archival data can range from simple to extremely complex. The type and age of the backup media are major factors in determining the complexity of the process. Backup tapes can present some very big challenges, especially if they were made with software or hardware that is no longer in production. Tapes are created using specific pieces of hardware and software. These same tools will be needed to restore the data into a form that can be understood and manipulated. Where it gets really exciting is when the hardware and software are no longer in production. It could be that an older version of the software is no longer available or that the company is no longer in business. This is known as legacy data. What do you do if you no longer have and can’t get access to the necessary tools to restore the data?
Sometimes eBay can save the day.

FILE SYSTEMS
With all the millions or billions of files floating around inside our computers, there has to be some way to keep things neat and tidy. This indispensable function is the responsibility of the file system. The file system tracks the drive’s free space as well as the location of each file. The free space, also known as unallocated space, either has never been written to or once held a file that has since been deleted. There are many different types of file systems. Some of the most commonly encountered by forensic examiners include FAT, NTFS, and HFS+. Let’s take a closer look:

File Allocation Table (FAT) is the oldest of the common file systems. It comes in four flavors: FAT12, FAT16, FAT32, and FATX. Although not used in the latest operating systems, it can often be found in flash media and the like.

The New Technology File System (NTFS) is the system used currently by Windows 7, Vista, XP, and Windows Server. It’s much more powerful than FAT and capable of performing many more functions. For example, “NTFS can automatically recover some disk-related errors, which FAT32 cannot,” it provides better support for larger hard drives, and better security through permissions and encryption (Microsoft Corporation).

Hierarchical File System (HFS+) and its relatives HFS and HFSX are used in Apple products. HFS+ is the upgraded successor to HFS. This newer versi