Fundamentals of Digital Forensics - Theory, Methods, and Applications PDF
Document Details
University of Skövde
2018
Joakim Kävrestad
Tags
Summary
This textbook, "Fundamentals of Digital Forensics," by Joakim Kävrestad, details the theoretical foundations and practical methodologies used in digital crime investigations. It delves into the examination of computer systems, artifacts, and evidence to aid in crime investigations, both in the public and private sectors. Created by an experienced examiner with a focus on real-world forensic tools and techniques.
Full Transcript
Joakim Kävrestad Fundamentals of Digital Forensics Theory, Methods, and Real-Life Applications Fundamentals of Digital Forensics Joakim Kävrestad Fundamentals of Digital Forensics Theory, Methods, and Real-Life Applications 123 Joakim Kävrestad School of Informatics University of Skövde Skövde...
Joakim Kävrestad Fundamentals of Digital Forensics Theory, Methods, and Real-Life Applications Fundamentals of Digital Forensics Joakim Kävrestad Fundamentals of Digital Forensics Theory, Methods, and Real-Life Applications 123 Joakim Kävrestad School of Informatics University of Skövde Skövde, Sweden ISBN 978-3-319-96318-1 ISBN 978-3-319-96319-8 (eBook) https://doi.org/10.1007/978-3-319-96319-8 Library of Congress Control Number: 2018948608 © Springer International Publishing AG, part of Springer Nature 2018 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Preface Fundamentals of Digital Forensics presents and discusses the fundamental building blocks of computer forensics in a practical and accessible manner. Building on Guide to Digital Forensics: A Concise and Practical Introduction, it presents a theoretical background discussing forensic methods, artifacts, and constraints pri- marily relating to computer forensic examinations in the context of crime investi- gations. Further, the book discusses artifacts and methodology in a practical manner that introduces forensic tools that are commonly used in forensic examinations in law enforcement as well as in the corporate sector. The book was written to fulfill a need for a book that introduces forensic methodology and sound forensic thinking combined with hands-on examples for common tasks in a computer forensic examination. The author of Fundamentals of Digital Forensics has several years of experience as a computer forensic examiner with the Swedish Police and is certified as an AccessData Certified Examiner. He is now working as a university level lecturer and researcher in the domain and as a forensic consultant. To further ensure that the content provided in this book is relevant and accurate in the real world, the book has been developed in close relation with the Skövde Office of the Swedish police in general and Jan-Åke Pettersson in particular. Thank you ever so much for your help! Fundamentals of Digital Forensics is intended for students that are looking for an introduction to computer forensics and can also be used as a collection of instructions for practitioners. The aim is to describe and explain the steps taken during a forensic examination with the intent of making the reader aware of the constraints and considerations that apply during a forensic examination in law enforcement and in the private sector. Upon reading this book, the reader should have a proper overview of the field of digital forensics and be able as well as motivated to start the journey of becoming a computer forensic expert! Skövde, Sweden Joakim Kävrestad v Contents Part I Theory 1 What Is Digital Forensics?............................... 3 1.1 A Forensic Examination............................ 4 1.2 How Forensics Has Been Used....................... 6 1.3 Questions and Tasks............................... 7 References............................................ 8 2 Cybercrime, Cyber Aided Crime and Digital Evidence.......... 9 2.1 Cybercrime...................................... 10 2.2 Cyber Aided Crime................................ 10 2.3 Crimes with Digital Evidence........................ 11 2.4 Questions and Tasks............................... 12 References............................................ 12 3 Computer Theory...................................... 13 3.1 Secondary Storage Media........................... 13 3.2 The NTFS File Systems............................ 14 3.3 File Structure.................................... 15 3.4 Data Representation............................... 16 3.5 Windows Registry................................. 17 3.6 Encryption and Hashing............................ 19 3.7 Memory and Paging............................... 21 3.8 Questions and Tasks............................... 22 References............................................ 22 4 Notable Artifacts....................................... 23 4.1 Metadata........................................ 23 4.2 EXIF Data...................................... 24 4.3 Prefetch........................................ 25 4.4 Shellbags....................................... 26 4.5.LNK Files...................................... 27 4.6 MRU-Stuff...................................... 28 4.7 Thumbcache..................................... 31 vii viii Contents 4.8 Windows Event Viewer............................. 32 4.9 Program Log Files................................ 34 4.10 USB Device History............................... 34 4.11 Questions and Tasks............................... 37 References............................................ 37 5 Decryption and Password Enforcing........................ 39 5.1 Decryption Attacks................................ 39 5.2 Password Guessing Attacks.......................... 41 5.3 Questions and Tasks............................... 46 References............................................ 46 6 Collecting Evidence..................................... 47 6.1 When the Device Is Off............................. 48 6.2 When the Device Is On............................. 49 6.3 Live Investigation: Preparation........................ 49 6.4 Live Investigation: Conducting....................... 51 6.5 Live Investigation: Afterthoughts...................... 55 6.6 Questions and Tasks............................... 55 References............................................ 55 7 Analyzing Data and Writing Reports....................... 57 7.1 Setting the Stage.................................. 57 7.2 Forensic Analysis................................. 59 7.3 Reporting....................................... 62 7.3.1 Case Data................................ 63 7.3.2 Purpose of Examination...................... 64 7.3.3 Findings.................................. 65 7.3.4 Conclusions............................... 67 7.4 Final Remarks.................................... 69 7.5 Questions and Tasks............................... 70 Part II Put It to Practice 8 Collecting Data........................................ 73 8.1 Imaging........................................ 73 8.2 Collecting Memory Dumps.......................... 78 8.3 Collecting Registry Data............................ 80 8.4 Collecting Video from Surveillance.................... 80 8.5 Process of a Live Examination........................ 81 8.6 Questions and Tasks............................... 83 References............................................ 83 Contents ix 9 Indexing and Searching................................. 85 9.1 Indexing........................................ 85 9.2 Searching....................................... 87 9.3 Questions and Tasks............................... 91 10 Cracking............................................. 93 10.1 Password Cracking Using PRTK...................... 94 10.2 Password Cracking Using Hashcat..................... 98 10.3 Questions and Tasks............................... 102 11 Finding Artifacts....................................... 105 11.1 Install Date...................................... 105 11.2 Time Zone Information............................. 106 11.3 Users in the System............................... 106 11.4 Registered Owner................................. 108 11.5 Partition Analysis and Recovery...................... 108 11.6 Deleted Files..................................... 111 11.6.1 Recovering Files Deleted from MFT............. 111 11.6.2 File Carving............................... 112 11.7 Analyzing Compound Files.......................... 113 11.8 Analyzing File Metadata............................ 113 11.8.1 NTFS Time Stamps......................... 114 11.8.2 EXIF Data................................ 115 11.8.3 Office Metadata............................ 115 11.9 Analyzing Log Files............................... 116 11.10 Analyzing Unorganized Data......................... 118 11.11 Questions and Tasks............................... 121 References............................................ 121 12 Some Common Questions................................ 123 12.1 Was the Computer Remote Controlled?................. 123 12.1.1 Analysis of Applications...................... 124 12.1.2 Scenario Testing............................ 125 12.2 Who Was Using the Computer?....................... 126 12.3 Was This Device Ever at Site X?...................... 128 12.4 What Device Took the Picture and Where?.............. 128 12.5 Where Was the Documents Created?................... 130 12.6 Questions and Tasks............................... 132 13 FTK Specifics......................................... 133 13.1 FTK: Create a Case................................ 133 13.2 FTK: Preprocessing................................ 136 13.3 FTK: Overview................................... 140 13.4 Registry Viewer: Overview.......................... 147 x Contents 14 Open-Source or Freeware Tools........................... 153 14.1 Prefetch Parser by Erik Zimmerman.................... 153 14.2 Shellbags Explorer by Erik Zimmerman................. 153 14.3.lnk File Parser by Erik Zimmerman................... 154 14.4 Thumbcache Viewer............................... 155 14.5 USBDevview by NirSoft............................ 156 14.6 Autopsy........................................ 158 14.6.1 Get Going................................ 158 14.6.2 Autopsy Overview.......................... 161 14.6.3 The Image Gallery.......................... 166 14.6.4 Communications............................ 168 14.6.5 Timeline................................. 169 14.7 Registry Explorer................................. 170 Part III Memory Forensics 15 Memory Management................................... 175 15.1 Array, Record and String............................ 177 15.2 Linked Lists..................................... 177 15.3 Questions and Tasks............................... 178 Reference............................................. 178 16 Volatility............................................. 179 16.1 What Is Volatility Made up from?..................... 179 16.2 How to Get Volatility.............................. 180 16.3 Basic Usage..................................... 181 16.4 Volshell........................................ 182 References............................................ 183 17 Memory Analysis in Criminal Investigations................. 185 17.1 Questions and Tasks............................... 190 18 Malware Analysis...................................... 191 18.1 Questions and Tasks............................... 196 Appendix A: Solutions........................................ 197 Appendix B: Useful Scripts.................................... 207 Appendix C: Sample Report (Template).......................... 215 Appendix D: List of Time Zones................................ 219 Appendix E: Complete jitsi Chat Log............................ 223 Index...................................................... 229 Introduction This is a book written for the sole reason that when I wanted to hold a course on digital forensics, I could not find a textbook that seemed to fulfill my requirements. What I needed a book to cover was: Sound forensic thinking and methodology A discussion on what computer forensics can assist with Hands-on examples My answer to my own needs was, well, to write my own book. It has become obvious to me that writing a book that fulfills those demands is not a very easy task. The main problem lies within making proper hands-on examples. For that reason, I decided to put emphasis on what digital forensics is at its very core, and to make this piece of literature relevant worldwide, I have tried to omit everything that only seems relevant in a certain legislation. That being said, this is the book for you if you want to get an introduction to what computer forensics is, what it can do, and of course what it cannot do. It did feel good to use some sort of well-known forensic software for the examples in this book. Since forensic software can be quite expensive, I decided to use two options interchangeably. The first collection of tools are the proprietary AccessData Forensic Toolkit that was chosen for the sole reason that AccessData provides the ability to get certified, free of charge, at the time of writing. Using the predecessor of this book in teaching shows that this book can in fact be used to prepare for the AccessData certification test. Further, this book uses a collection of various open source or otherwise free tools that can accomplish the same as the proprietary AccessData tools. This book begins with setting the stage for forensics examinations by discussing the theoretical foundation that the author regards as relevant and important for the area. This section will introduce the reader to the area of computer forensics and introduce forensic methodology as well as a discussion on how to find and interpret certain artifacts in a Windows environment. The book will then take a more practical turn and discuss how’s and why’s about some key forensic concepts. Finally, the book will provide a section with information on how to find and interpret several artifacts. It should at this point be noticed that the book does not, by far, cover every single case, question, or artifact. The practical examples are rather here to serve as demonstrations of how to implement a forensically sound xi xii Introduction way of examining digital evidence and use forensic tools. Throughout the book, you will find real-world examples where I provide examples on when something was used or important in a real-world setting. Since most computers targeted for a forensic examination are running some version of Windows, the examples and demonstrations in this book are presented in a Windows environment. Being the most recent flavor of Windows, Windows 10 was used. However, the information should to a very large extent be applicable for the previous version of Windows. Also, most chapters in the book come with a “Questions and tasks” section. Some are questions with a right or wrong answer, and some are of more exploratory nature. Whatever the case, answers or discussions are found in Appendix A— Solutions. Complementing the book, there are video lectures covering most of the book content available for viewing at YouTube: https://www.youtube.com/playlist? list=PLEjQDf4Fr75pBnu8WArpeZTKC9-LrYDTl. Happy reading! Part I Theory Now that the book has kept you interested this far it is time to discuss what digital forensics actually is. This will be done in a very theoretical manner but I have tried to keep it short. This part begins with an overview of what digital forensics and cybercrime is, before discussing some computer theory that is necessary for a forensic examiner to be familiar with and highlight how to find and interpret forensic artifacts that the author deems to be common and important. The final chapters will discuss how to collect digital evidence in a structured manner, how to analyze digital information and write forensic reports. What Is Digital Forensics? 1 So then, what is digital forensics? Well, the most simple explanation could be that it is the examination of digital storage and digital environments in order to determine what has happened. “What has happened” in this context could be whether or not a crime was committed, whether or not someone remote controlled a certain com- puter, when a picture was taken or if a computer was subject to intrusion. That being said, it can be basically anything. However, looking at the target of some actual forensic investigations it is evident that saying “What has happened” is not covering the entire field of computer forensics since forensic examiners also look into what is currently happening. There have, for instance, been several cases in Sweden and globally were forensic examiners monitored network traffic in order to capture data that was later used to identify sexual predators. There are also situations when forensic examiners, during house searches, record what is currently happening on a computer. The case of using digital forensics to monitor activity in real time may be even more apparent in the corporate world where it is common to examine intrusion attempts and malware behaviors as it is happening. Looking to the scientific community, Reith et al. (2002) described digital forensics in the following way: Digital forensics is a relatively new science. Derived as a synonym for computer forensics, its definition has expanded to include the forensics of all digital technology. Whereas computer forensics is defined as “the collection of techniques and tools used to find evi- dence in a computer Today, this definition seems a bit old, but it does hold a few key aspects. To begin with, it describe that computer forensics is a collection of techniques and tools. While those are defiantly two important aspects, this definition does not fit my personal beliefs as it kind of omits the methodology and mind-set that, for me, is the foundation of digital forensics. However, it does capture that digital forensics extends to all digital technology and that is an important aspect as today, © Springer International Publishing AG, part of Springer Nature 2018 3 J. Kävrestad, Fundamentals of Digital Forensics, https://doi.org/10.1007/978-3-319-96319-8_1 4 1 What Is Digital Forensics? important evidence may be found in everything from thumb drives to computers or the cloud. A more recent description is found on www.forensiccontrol.com (2017): Computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics follows a similar process to other forensic disciplines, and faces similar issues. What is noticeable in this description is that it determines the tasks involved during a forensic investigation: collecting, analyzing and reporting. It also describes that computer forensics is comparable to other forensic disciplines and that does suggest that methods used and conclusions drawn during a computer forensic investigation should face the same scrutiny as an analysis of a fingerprint or DNA test. The rest of section will discuss each of these, beginning with establishing a model that could be used to describe a digital forensic examination. 1.1 A Forensic Examination As we just established, the foundation of digital forensics is that it is the practice of collecting, analyzing and reporting on digital data. It does, for sure, also impose that there is some data that we target for examination and a reason for the examination. It does also impose that, unless we do the examination for the fun of it, there is someone that we should report back to. I have collected those aspects and formed the very abstract model as shown in Fig. 1.1 that does try to summarize the named aspects in a graphical way. Figure 1.1 reflects the discussed processes and the inputs or outputs that should be present in each process. From top to bottom, Collect should be the process of collecting digital evidence. I would also say that in this process you do target a person or a data source that would commonly be a device. Having a person as a target would be the normal state in a criminal investigation where you have someone that is suspected of a crime. You would then, after getting a search warrant, start searching for devices that belong to the suspect. In a cor- porate setting, it could be more common to target a device rather a person, and it would all depend on the reason for doing the investigation. In this process, it is important to mention that in order to collect the correct data you need a proper order. The order in this case would include the target person or devices to collect data from, but it should also include the reason for the investi- gation, at least on an abstract level. This is because you would look for vastly different data sources if you are investigating a suspected malware attack of a child abuse case. It is also important to know if you should prepare to collect information from volatile data sources such as memory circuits or only need to care about static media such as hard drives. Another technical consideration is if you should expect encrypted data or not. While there will be a more detailed technical discussion on 1.1 A Forensic Examination 5 Fig. 1.1 Overview of forensic processes data collection later in this book it is important to mention that you need to come prepared. The preparation steps should help you determine what to expect and should at least include figuring out the reason for the forensic examination and a background check on the person from whom you are collecting data. The process of Analyzing data is more concerned with finding out what has happened in a digital environment or what was done using a digital device. In a corporate environment, a forensic expert would normally be quite free to conduct whatever examinations she wants. However, with a precise question the exami- nation will without doubt be more efficient. It is worth mentioning that the input to this phase is commonly found in a discussion between the person ordering the examination and the forensic expert. Also, it is common that new questions and follow-up questions will arise during the investigation. As one example, during an 6 1 What Is Digital Forensics? investigation of a computer during a drug case the initial request was to find out if the computer had been involved in any activities related to selling drugs online. The investigation clearly showed that it had been, but a large portion of the evidence was found in folders shared among several computers. In this case, a follow-up question was to determine who, more than the computer owner, had access to the folders in question. As a final note, it is important to mention that, in a criminal investigation, depending on the local legislation the questions that are taken as input to this process may be more or less important in setting the rules of what the forensic expert is allowed to do. In the final process, reporting, the findings from the analysis are reported. The purpose of this step is mainly to report well-grounded answers to the questions given to the examiner in the previous step. In this step, it is very common that new questions will arise in light of the provided answers, and for that reason the last two steps are commonly iterative. It is also worth mentioning that it is of great importance that the conclusions drawn in this step are actually conclusions that are backed up by the findings during the examination. Each of the phases and con- siderations relating to each phase will be discussed in greater detail in Chaps. 4 and 5. 1.2 How Forensics Has Been Used To deepen the introduction on the concept of digital forensics, this final section of the first chapter is dedicated to describing two criminal cases and one corporate case that the author has been involved with. The intention is to continue the introduction to the area with some examples of how digital forensics and forensic methods have been used in reality. The first case was a case where a person (A) got suspected of computer intrusion by having tricked the victim (B) into giving up the credentials to his Web site. A had then used the credentials to modify B’s website in malicious ways and later destroy it completely. This case started with a report to the police, and since B has very good indications of the actual identity of A, a house warrant was issued, A got arrested, and his computers got seized. In this case, the forensic examination was done by the author of this book. What is interesting about this case is that the police investigators did not know anything about computer crimes and the forensic examiner had to assume the role of co-investigator. In the first interrogations with A, is became evident that A had been in contact with B using chat clients. As such, the first forensic task was to map the communication between A and B by searching for usernames related to B. The result of this process was that it became evident that A had contacted B and said that he was a Web designer who offered to aid B with his Web site. After some communication, A managed to trick B into giving away the credentials to said Web site. 1.2 How Forensics Has Been Used 7 The second step in the forensic examination was to actually find evidence of A being involved in the malicious modifications to B’s Web site. In this case, searching for URLs and HTML code related to B’s Web site revealed that there were modified versions of B’s Web site located on A’s computer. Moreover, one of the modifications to B’s site involved including pictures with sexual content on the Web site. By using forensic tools to search for identical pictures, it was revealed that the pictures did not only reside on A’s computer but was also taken with A’s iPhone, resulting in A being convicted of computer intrusion. Another criminal case where the forensic involvement was much smaller but played an important role was in a murder case where the suspect had shot a person. There were some pieces of evidence pointing to the suspect, but he was given alibi by his girlfriend who said that he was at home at the time of the crime. Home in this case was about 90 min away from the murder site, by car. In this case, the suspect’s telephone was examined and the IMEI number of the phone was identified. It was then possible to get records displaying what IMEI numbers had been connected to the mobile towers in close proximity to the murder site at the time of the murder. Turning out, the suspect’s phone was connected to a mobile tower very close to the murder site, at the time when he said that he was at home. This was a key piece of evidence that led to the suspect being sentenced to lifetime in prison for murder. A final example from the corporate sector was a case when an employee of a company was suspected of placing a Trojan horse in the company network. The employment had been terminated, and the suspicion was that the employee had placed a Trojan horse to get back at the company for sacking him. The Trojan horse was detected and analyzed by the company’s IT department, and it was evident that it was configured to send information to an IP address located close to where the former employee lived. Since search warrants and tracing IP addresses are off limits for companies, other actions had to be taken. After careful examination of how the Trojan horse got inserted into the network, it seems as if it had been copied from a USB stick. It was also possible to determine the unique identifier for the USB stick. A USB device that was issued by the company and used by the employee was examined, and the unique identifier was the same as for the USB stick that was used to distribute the malware. When the employee was confronted with the evidence he admitted to having injected the Trojan horse, and a civil lawsuit was filed. 1.3 Questions and Tasks Here are the questions for the first chapter, and for these questions you may benefit from answering them in a group discussion! 1. Consider in what types of criminal investigations that computer forensic experts may be involved and in what way. 2. Consider when a computer forensic expert may be needed in a corporate environment. 8 1 What Is Digital Forensics? 3. Brainstorm on what types of devices may be interesting to a computer forensic expert. 4. To whom are the findings of a computer forensic examination of interest? References Forensic Control. (2017). Beginners guide to computer forensics. Available online: https:// forensiccontrol.com/resources/beginners-guide-computer-forensics/ (Fetched: 2017–07-06). Reith, M., Carr, C., & Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence, 1(3), 1–12. Cybercrime, Cyber Aided Crime and Digital Evidence 2 Before dwelling deeper into forensics, it seems reasonable to have a discussion on what signifies cybercrime. Or, maybe more importantly, how and when digital evidence comes into play during criminal investigations. I choose to include this discussion due to the fact that during my work as a forensic examiner, I was often faced with the misconception that my daily work was with cybercrime in the sense of computer hacking and that sort of things. In reality, digital evidence is present in crimes of almost every kind. Even so, it can be of importance to understand the different roles of digital evidence in different types of crimes. On the topic of cyber and cyber-related crimes, one could divide the types of crimes in the following way: Cybercrime Cyber aided crime Crimes with digital evidence. To further understand the difference of these different categories, a short dis- cussion on what a crime actually is would be useful. To begin that discussion, it is interesting to look at what Rogers wrote back in 2000. He uses the traditional approach of means, motive and opportunity to discuss cyber criminals. In this discussion, motive is the reason for why someone is committing a crime. Take defrauding for example, the common motive for defrauding someone is to earn money. Means would be the tools used to commit the crime, and opportunity could be described as the possibility to commit the crime. One could argue that a crime begins in motive and that the means and opportunity are mere results of the easiest way to achieve what is wanted as motive. So, for a crime to happen there has to be means, motive and opportunity. Further, there has to be someone who is committing the crime, a criminal. And someone who is targeted by the crime, a victim. Finally, there is some kind of relationship between the criminal and the victim, something is happening between them. It should be noted that this is a simplified view that is not always 100% © Springer International Publishing AG, part of Springer Nature 2018 9 J. Kävrestad, Fundamentals of Digital Forensics, https://doi.org/10.1007/978-3-319-96319-8_2 10 2 Cybercrime, Cyber Aided Crime and Digital Evidence accurate, but it is good to have this basic notion of what a crime is in order to dwell deeper into what a cyber or cyber aided crime would be. 2.1 Cybercrime Looking at what a true cybercrime could be, Interpol (2018) provides the following definition; Advanced cybercrime (or high-tech crime)—sophisticated attacks against computer hard- ware and software Going from that definition, one could say that cybercrimes are crimes where computers are used to do crimes at other computers. This would include, for instance, computer intrusions or denial of service attacks. This gives that cyber- crimes are crimes that can only be committed by someone who has a fair knowl- edge on how computers work. Looking to the discussion on means, motive and opportunity for a crime and applying those to cybercrime, it is reasonable to say that for a crime to be a true cybercrime, the means and opportunity would involve computerized tools and knowledge for a crime to be cyber. This discussing becomes important when an investigation is trying to find suspects, as the knowledge needed to commit a crime would be part of the suspect’s profile. That, however, is not a topic to be discussed in a book about computer forensics. 2.2 Cyber Aided Crime A much broader category of crimes would be cyber aided crimes. As discussed by Interpol (2018), those are traditional crimes that make use of the Internet in some way. This is exemplified by Kävrestad (2014) who studied the difference between online and offline fraud. In that study, the process of a fraud was modeled as shown in Fig. 2.1. In brief, Fig. 2.1 depicts that a fraud is when a fraudster deceives a victim into giving up something of monetary value. For this to be possible, there has to be a delivery method for the actual fraud. The delivery method can be e-mail, telephone or real-life contact. What decides if a fraud is online or offline was found to be how the delivery is carried out, an online fraud will be carried out using digital means of communication and an offline fraud would use offline means of communication. This distinction is important because it helps the forensic expert or the investigator to understand how a crime was committed and thus, how to best investigate it. That is, where to look for evidence. Looking at how crimes are committed today, most crimes have been around for a long time and are committed by criminals that does not necessarily hold any high grade of computer skills. However, the use of computers created a new arena where 2.2 Cyber Aided Crime 11 Fig. 2.1 Model of a fraud (Kävrestad 2014) it appears convenient to embark on criminal activities such as frauds, drug trades, child abuse or whatever. As such, the criminals are not typically computer experts, rather, the online and offline fraudsters and drug dealers are the same type of criminals. This view is further discussed by Rogers (2001), who described different types of computer criminals. On the topic of online fraudsters, he argued that online fraudsters are simply fraudsters that commit their crimes online. The same can be said about criminals that sell drugs online and that are involved in child exploitation crimes and a wide range of other criminals. They are committing traditional crimes and have traditional motives, but they see the opportunity to commit the crimes from the comfort of their own house, using the internet. Also, as of today, the means to commit the crimes become owning a computer and most people have a computer already. 2.3 Crimes with Digital Evidence It goes without saying that a forensic expert can look for, and expect to find, digital evidence in cybercrimes and cyber aided crimes. Actually, it is interesting to notice how a lot of information that was extremely hard or even impossible to come by in offline crime is quite often captured when the crimes are committed in an online environment. Consider, for example, a drug trade. A traditional drug trade would involve two people meeting in the streets to exchange drugs and money. Often times, there would not be a single trace of that transaction ever taking place unless it was monitored. However, doing the very same trade online would involve e-mail or chat between the buyer and seller as well as a digital transaction of money. This digital communication and money transaction will leave digital traces that can be uncovered and used as evidence. 12 2 Cybercrime, Cyber Aided Crime and Digital Evidence As an end to this brief cybercrime discussion, we should not forget how digital evidence can play a big role even in crimes that are totally offline. Thing is, in modern society it is very hard to do anything without leaving digital traces. Even if you are doing something totally offline, in the heat of the moment or whatnot, there is a great chance that there can be digital evidence to support what happened. This can involve communication logs that can show what the criminal did after the crime was committed. Maybe he looked up punishments for the crime he committed or even talked to some friend about what he did? I have even seen an example where a cell phone was used to tie a suspect to a crime scene, when the cell phone was not even used, it was just present! 2.4 Questions and Tasks The task for this chapter is to get hold of two verdicts, then read them and consider how digital evidence what used in the cases. Try to get one verdict about a tradi- tional cybercrime such as hacking or copyright infringement and one about something unrelated to the digital world, such as theft. In Sweden, you can call a local court and have them send you verdicts over e-mail and you are often able to find verdicts online, just make sure you do not break any local laws! References Interpol. (2018). Cybercrime. Available online: https://www.interpol.int/Crime-areas/Cybercrime/ Cybercrime. Fetched April 9, 2018. Kävrestad, J. (2014). Defining, categorizing and defending against online fraud. Rogers, L. (2000). Cybersleuthing: Means, motive, and opportunity. Available online: http://www. sei.cmu.edu/library/abstracts/news-at-sei/securitysum00.cfm. Fetched May 1, 2017. Rogers, M. K. (2001). A social learning theory and moral disengagement analysis of criminal computer behavior: An exploratory study. Doctoral dissertation, University of Manitoba. Computer Theory 3 Up until this point, we discussed what computer forensics is and pretty much concluded that is it about examining and deducing what happened on a computer or in a computer system. That is all well and good but to move on further you do need a bit of background knowledge. The intent of this book is not to provide you with a summary of computer science. Rather, I expect you to have a fair “know-how” on computer stuff. But there are a few areas that I found that IT people commonly do not know that much about, but that are important to a computer forensic expert. Those areas are covered, in brief, here. Note that each sub-section is an overview. For a complete understanding—follow the references! 3.1 Secondary Storage Media Secondary storage media refers to media where data is stored for long-term preservation. This is in contrast to primary memory, which includes random-access memory and cache memories, which is used for short-term storage. Secondary storage includes hard drives, CD/DVD, USB flash drives and memory cards. This discussion refers mainly to hard drives but is also (commonly) applicable for USB flash drives and memory cards. The first thing that is important to know is the physical size of the storage media. This is because it is important to know that you can account for all the storage area on a computer. Say that you find a computer that appears to have a “C:\” partition of 200 GB but a physical examination of the hard drive reveals that it is supposed to be able to house 250 GB of data. This could mean that there is another hidden partition present on the hard drive or that the hard drive was reformatted. Either way, the remaining 50 GB may contain valuable evidence. This is also a good place to comment on how hard drive formatting is commonly handled by the operating system. It is easy to assume that if you repartition your hard drive, the existing data is overwritten. That is, most times, not the case. Rather, © Springer International Publishing AG, part of Springer Nature 2018 13 J. Kävrestad, Fundamentals of Digital Forensics, https://doi.org/10.1007/978-3-319-96319-8_3 14 3 Computer Theory the hard drive is made up from sectors and clusters that can be allocated to a file or a partition. When you partition a hard drive you create a master boot record or GUID partition table (other versions exist as well, but seems rare) that contains a partition table. The partition table houses information about partitions on the hard drive including starting and ending sector for each partition. If you resize your partitions, the only thing that will happen is that the partition table gets updated. The actual data on the hard drive is often unaffected. While this makes the data that was on the hard drive inaccessible by the operating system, it is still possible to recover it using forensic tools. It should also be mentioned that it is quite common that a hard drive that may appear empty is just reformatted. When a hard drive is reformatted, it happens every so often that only the partitioning table is removed. The partitions, that we will discuss next, still remain on the disk. The reformatting only made it possible for the computer to put new data in the sectors that made up the partitions. But until that happens, the old data is still fully readable and the partitions can be recovered using forensic tools. Further information on hard drives and partition tables is beyond this book, but a good source of information is available at www.ntfs.com/ntfs (NTFS 2017). 3.2 The NTFS File Systems As we just discussed hard drives and partitions, the next logical step becomes discussing file systems. A file system is essentially a structure used to control how data is stored and retrieved on a storage device and is the common content of a partition. So to make things clear: a hard drive contains partitions, a partition commonly contains a file system and a file system is used to structure data. I am saying that a partition commonly contains a file system because that is not always the case. For instance, a partition may contain some semi-organized data such as swap space, that is the case for swap partitions in the world of Linux—but that is another story. As for the file system, there are several different file systems out there such as ext4 (common on Linux), NFS (common for network storage) and FAT32 (com- mon on surveillance video and thumb drives). However, we will dig into the NTFS file system that is used on moderns Windows-based computers for the sole reason that NTFS is the most common encounter for a forensic examiner and this book is aimed at examinations of Windows-based computers. As previously discussed, the partitions are stated in the partition table found in the master boot record. Next, a partition formatted with the NTFS file system begins with a metadata file called the partition boot sector. What we need to know about this file is that it contains the Master File Table (MFT) that is basically a dictionary of all files and folders on the NTFS partition. The most important content, for a forensic examiner, in the MFT is the file records. All files and folders on the partition have one! For each file or folder on the partition, the MFT record contains 3.2 The NTFS File Systems 15 information about the name and the actual file data. However, a MFT record cannot be bigger than 1024 bytes so files that are bigger than about 600 bytes (about 400 bytes are reserved for file name and such) cannot reside in the record. In these cases, the MFT record describes what clusters on the hard drive that house the file (Guidance Software 2016). Files contained in the MFT are called resident, and files not contained in the MFT are called non-resident. Before we move on you should also know that there is a backup MFT, commonly located at the end of the partition (TechNet 2017). So how are files created and deleted? Well, when you create a file or folder it will get a MFT record. If the file is small enough, it will be stored in the MFT and if it is too big the computer will allocate clusters and store the file in the clusters. When you delete the file, it is actually the MFT record that gets deleted and the data in the allocated clusters remains there until they are overwritten. This allows a forensic examiner to recover deleted files using forensic tools. Do note that there is a technology known as trim that overwrites clusters that are unallocated by the MFT, this is quite commonly used for SSD hard drives. 3.3 File Structure To be able to recover and understand files, you need to know a little bit about how files are commonly structured. You should know that a file does not need to follow a certain structure so what you read here is not always the case. Well then, the common structure of a file is that it begins with a header containing metadata and then comes the actual data and finally a trailer. The metadata commonly contains what is called a file signature that tells the computer what kind of file the file is, such as a JPEG or PDF. By knowing this, you can search a hard drive for headers and trailers to find files even if they are deleted from the MFT. You can do this by searching for the hexadecimal or alphanumerical file signature depending on your software. An example of a file signature is given in Fig. 3.1, which shows the file sig- nature for a JPEG file. The left-hand side shows the file offset in hexadecimal (not relevant at the moment), the middle column shows the file data in hexadecimal and the right-hand side shows the file data in alphanumerical format. As you can see, the file begins with FF D8 FF E0 and this is what you would search for if you wanted to look for deleted JPEG files. You could also search for JFIF which is part of the alphanumerical file signature. Another example is given in Fig. 3.2, which shows a part of the header for a PDF file. In this case, you would search for 25 50 Fig. 3.1 Header of a JPEG file 16 3 Computer Theory Fig. 3.2 Header of a PDF file 44 46 2D or %PDF-1.4 since that is the file signature for a PDF file in hexadecimal and alphanumerical. It is also worthwhile to mention that there are different approaches on how to store files. Most file formats, including plain text files and many picture formats, store files as plain files. However, some files including Microsoft Office files and compressed file formats such as ZIP are stored as compound files. Compound files are files that maintain some structured storage approach of their own (Microsoft 2017-1). That means that there is a local file structure within the compound file. This is the common case for compressed files. What is special about compound files is that they cannot be fully examined when they are in their “packed” state. Instead, they must be unpacked to be fully analyzed. The reason is that the data in the compressed state is represented in a different way than in the original, unpacked state. 3.4 Data Representation This section contains a very brief discussion on how data is stored and represented in a computer system. This is simply to make you understand that the data may have different meaning depending on how you interpret it. To begin, the data stored on any storage media is stored in binary, with zeroes and ones. You may group the bits into groups of eight called bytes and a byte may also be represented with two hexadecimal signs. To make life complicated, different applications may store data in different order. To begin, when we are looking at a single byte, containing 8 bits, the order is always the same. You interpret the bits with the leftmost bit having the highest significance and the rightmost having the lowest, as depicted in Fig. 3.3. That is all well, but when you have a data set consisting of more than one byte we get in trouble. There are two ways to store consequent bytes. The first is called big-endian, storing bytes with the biggest end first making the first byte the most significant. In contrast, we have little-endian storing data with the smallest end first, reading from left to right (Cohen 1980). To give an example—consider the word “troll” in little- and big-endian in Fig. 3.4. That is that on binary and hexadecimal representation. You should just know that depending on what kind of data you are looking at you may want to look at it in binary or hexadecimal. 3.4 Data Representation 17 Fig. 3.3 Bits and values Fig. 3.4 Example of little- and big-endian The final part on data representation is that you should know that computers have different ways of representing characters, called different ways of encoding data. While I have no intention of discussing different ways of encoding text or data you should know that different ways of encoding data exists, such as ASCII, UTF-8 and UTF-16. What the encoding decides is basically how a sign is represented in binary or hexadecimal code. For instance, the letter “A” is represented as “feff0041” in UTF-16 and as “41” in ASCII, using hexadecimal code. The reason for why this is important is that if you open a data set that is encoded in ASCII with a program that expects something else, the result will we screwed up. 3.5 Windows Registry The Windows registry is a hierarchical database that stores information about users, installed application and the windows system itself (Microsoft 2017-2). That makes it a very important place for forensic examiners to look and something for this book to provide an overview of. To begin, the Windows registry is a tree structure where each node in the tree is called a key and every key may have a value or sub-keys. A registry tree can be as deep as 512 keys (Microsoft 2017-2). The values that a key can contain are just arbitrary data, and it is up to the application that stored the value to decide the format and how it is to be interpreted. The registry is made up of several files, so-called hives (Guidance Software 2016). Each hive contains a set of data, the hives that are most commonly of interest to a forensic examiner are called SAM, SECURITY, SYSTEM and SOFTWARE. There is also another file associated with each user called NTUSER.dat. There is one NTUSER.dat for each user on the system, and this file is located in the user directory (…\Users\). The other registry hives are located in the …\System32\config\folder. You may extract 18 3 Computer Theory Fig. 3.5 Regedit overview the hives and analyze them with a forensic tool, such as AccessData Registry Viewer or Registry Explorer as done in later sections of this book. You may also examine the registry of a running Windows system through the built-in utility regedit. In Fig. 3.5, presenting an example of regedit, you can see that it presents the registry hives in a format that is a bit different than you may think. This is because regedit shows the registry as seen by the running computer. HKEY_- CURRENT_USER contains the data stored in NTUSER.dat for the current user and data from the other hives is present in HKEY_LOCAL_MACHINE. In the picture, you can see that there are several keys in the tree at the left and some values in the pane at the right. In this case, the values are located under the key “Control” that in turn is a sub-key to the key ControlSet002 that is in the SYSTEM hive. As you may understand, the registry can be a huge database and many programs store data in the Windows registry. It is strongly suggested to work with the registry to learn what kind of information that can be found in it. The rest of this section will cover each registry hive and the information found, in brief. NTUSER.dat is a hive that stores information about a specific user account. This hive can, for instance, contain information such as the user’s browser settings and history and data related to user applications. SOFTWARE is the go-to hive for information related to applications. This includes data stored by Windows and data stored by other applications. A common piece of information to fetch here is the Windows version and install date, located in the sub-key \Microsoft\WindowsNT\CurrentVersion. This key will also tell you 3.5 Windows Registry 19 Fig. 3.6 Time zone information in the registry the registered owner of the computer and it is surprisingly common that a real name is set here. Note that dates are commonly not stored in human-readable format. For instance, the install date is stored as a UNIX time stamp—seconds that have passed since midnight on the first of January in 1970—this needs to be converted. SYSTEM will contain information about the system including USB devices that have been connected to the system, time zone settings and information about networks that the computer has been connected to. An example is given in Fig. 3.6 that shows you time zone information stored in the key \SYSTEM\ControlSet001 \Control\TimeZoneInformation\TimeZoneKeyName. The SAM and SECURITY hives are protected by the Windows system and cannot be browsed using regedit on a running computer. However, extracting them from a forensic image and browsing them using a forensic tool is no problem. The SAM hive basically stores information about users. Examining this hive you can, for instance, find the users on the local machine, information about when they last logged on, when each account was created and password hashes. Finally, we have the SECURITY hive that stores some information about the system, perhaps mainly the system audit policy and the Syskey that you will need in addition to the SAM hive if you need to crack user passwords. 3.6 Encryption and Hashing There are tons of good books for you to read if you want to get down and dirty with encryption and hashing, but for the purpose of this book I will just discuss the terms very briefly at an abstract level. Encryption and hashing are cryptographic tech- niques used to hide data. Understanding how this works is crucial for a forensic expert because, well, criminals usually do not want their data to be found and analyzed. Also, in modern computers, encryption and hashing are usually built-in, fundamental parts of the normal computer behavior making encrypted data a nor- mal part of the forensic examiners daily work. 20 3 Computer Theory Beginning with encryption, encryption is the process of taking some data set and a key, run it through an encryption algorithm and then you get a ciphertext that is not readable. To get you up to speed on the terminology, the data you input is called (P)laintext, then we have the (K)ey and the resulting (C)ipher text. It is common to describe the encryption process as an equation, like so: PþK ¼ C The ciphertext can be reverted to the plaintext by the process of decryption, in which you pass the algorithm the ciphertext and the key, like so: CþK ¼ P The process just described is called symmetric key encryption or just symmetric encryption. This is because the same key is used for both the encryption and decryption. This introduces a problem when you want to share encrypted infor- mation with someone. In this case, you need to share the key on beforehand because the receiving person will need the key for decryption. To meet this demand, there is an encryption type called asymmetric key encryption or asymmetric encryption that uses one key for encryption and another key for decryption, like so: Encryption : P þ K1 ¼ C Decryption : C þ K2 ¼ P To use asymmetric encryption you would generate a key pair with a public and private key. The public key (K1) is used for encryption and the private key (K2) is used for decryption. You would then send out the public key and anyone who want to send you encrypted information, and they would encrypt it using your public key. The only key that can be used to decrypt something encrypted with your public key is your private key, you keep that to yourself. Asymmetric encryption has several other usages, well beyond the scope of this book. Hashing is a cryptographic technique that is used more for storage of sensitive data and validating data integrity than sharing encrypted information. A hash algorithm is basically a one-way function that takes a (P)lain text as input and produces a (H)ash value or digest. What is important about a hash function is the property of it being one-way, meaning that it is impossible to derive the P from the H. The hash function can be described like so: P!H For a hash algorithm to be considered secure, it must have the following properties: Collision resistant meaning that there is only one H for each P Irreversible meaning that it is impossible to derive P from H. 3.6 Encryption and Hashing 21 The two main usages for hashes are storing some kinds of sensitive data, like passwords, and to fingerprint data in order to ensure data integrity. In terms of ensuring data integrity hashing is used as a fingerprint. If you want to send someone a message, you can create a hash value for the message and send the message and the hash to the recipient. The recipient can then hash the message and compare his hash value to the one you sent to him. Since the hash algorithm is collision resistant, matching hashes will ensure that the message was not altered. In terms of storing passwords, they are commonly stored in a hashed format, and this is the case in the Windows operating systems. When a user wants to log in, she will submit her password to the system and the system will run what she enters through the hashing algorithm and compare that hash value to the one stored in the user database. If the hashes match, the password must be correct and the user is allowed to enter the computer. 3.7 Memory and Paging Finishing up the part on computer theory, I just want to mention some things about the memory and paging. The memory is an extremely valuable piece of information for the one reason that this is where the computer stores information relating to what it does at the moment. Also, the memory is emptied every time the computer restarts so the content in memory relates only to what the computer was up to since the last reboot. This makes information in the memory extremely good because it is hard for a suspect that was arrested sitting in front of his computer to claim that someone else was responsible for the information found in the computer memory. Further, when you are viewing encrypted data in a decrypted format, the decrypted version of the data is temporarily stored in memory—this makes the memory a good place to find encrypted information in a decrypted state. During my personal forensic work, I found passwords, encrypted e-mails and several pieces of incriminating evidence in memory. Before leaving this topic, I want to mention that whenever the computer needs to hold more data in memory than the memory can hold, part of the memory is stored on the hard drive. This is a process called paging. On Windows systems, the “paged-out” parts of the memory are stored in the file called “pagefile.sys” and it can contain the same type of information as the memory. There are several methods on how to examine computer memory and that topic is explored in Sect. 3.3 of this book. However, it should be noted that, to some extent, the data in memory can be treated like a big blob of unstructured data, similar to slack space or unallocated space. In that regard, whatever techniques presented for searching in and recon- structing files from such spaces can be applied to memory data as well. 22 3 Computer Theory 3.8 Questions and Tasks Here are the questions for this chapter. 1. Brainstorm on what secondary storage media devices there are that can be of interest during a forensic investigation. 2. What happens when you delete a file from a NTFS file system and how can you recover deleted files? 3. What is meant with resident and non-resident files? 4. Why do you need to know the difference between little- and big-endian? 5. Use regedit to find out what time zone your computer is set to use. 6. What is hashing and what signifies a secure hash algorithm? References Cohen, D. (1980). ON holy wars and a plea for peace. IETF. Available online: https://www.ietf. org/rfc/ien/ien137.txt. Fetched July 6, 2017. Guidance Software. (2016). EnCase Computer Forensics II. Guidance Software. Microsoft. (2017-1). Compound files. Available online: https://msdn.microsoft.com/en-us/library/ windows/desktop/aa378938(v=vs.85).aspx. Fetched July 6, 2017. Microsoft. (2017-2). Structure of the registry. Available online: https://msdn.microsoft.com/en-us/ library/windows/desktop/ms724946(v=vs.85).aspx. Fetched July 6, 2017. NTFS. (2017). NTFS—New technology file system designed for Windows 10, 8, 7, Vista, XP, 2008, 2003, 2000, NT. Available online: http://www.ntfs.com/ntfs.htm. Fetched July 6, 2017. TechNet. (2017). File systems. Available online: https://technet.microsoft.com/en-us/library/ cc938949.aspx. Fetched July 6, 2017. Notable Artifacts 4 Following the discussion on computer theory, it is important to have a discussion on some of the more notable forensic artifacts that can be of great importance during a forensic examination. A forensic artifact is basically a piece of information that holds forensic value. Quite often the forensic artifacts are pictures, word documents, text messages or some other information where the importance is quite evident. A picture showing drugs will always be a picture showing drugs. However, in a Windows operating systems there are several artifacts that track the usage of the computer in a way that can be of great interest for a forensic examiner. What is interesting, and often problematic, about those artifacts is the fact that Microsoft provides little or no documentation about how those pieces of information actually work. Thus, the function of the artifacts described in the remaining of this chapter has been examined, tested and understood with experience. The chapter is written based in Windows 10 version 1709, and there may be some differences in how the artifacts work in earlier and later versions of Windows. It is important that you, as a forensic expert, ensures that you understand the artifacts that you use to draw conclusions on your own, and research is necessary if you are uncertain. In combination to this chapter, Chap. 8 presents even more artifacts in a more hands on manner, including guides on how to find them using forensic tools. The rest of this chapter is devoted to descriptions and explanations of common important forensic artifacts. 4.1 Metadata One of the single-handed, most important sources of forensic information is metadata. Metadata is basically information about information and most objects, such as files and folders on a computer system will also have metadata. On a computer running Windows and the NTFS file system, the file system will record metadata for every file created on the computer. The metadata will include © Springer International Publishing AG, part of Springer Nature 2018 23 J. Kävrestad, Fundamentals of Digital Forensics, https://doi.org/10.1007/978-3-319-96319-8_4 24 4 Notable Artifacts information such as when the file was created and last modified and who created it. Several file types will store additional metadata. For instance, Microsoft Office files will store information about the author name, title of the document, how many times it has been modified and more. The author name is the name that was registered as the owner of the office application that was used to first create the document in question. To view file metadata in Windows, you can open the properties menu and select the “details” tab; however, this view will only provide a subset of the metadata that is actually stored. However, most forensic software’s will parse and present all available metadata. A more practical discussion on what the metadata can tell you is provided in Chap. 11. 4.2 EXIF Data EXIF data is metadata stored in pictures and deserves a section of its own because of its great importance for computer forensic experts. It is very common for a forensic examination to include looking for certain pictures, and when finding interesting pictures, a given follow-up question is to determine where, when and with what device the pictures were taken. This is done by examining the pictures EXIF data. EXIF data was originally developed to help photographers record when they took a certain picture, what camera they used and what settings the used (Mansurov 2018). However, the data stored as EXIF data is also very valuable to a forensic examiner. First off, it is up to the camera manufacturer to decide what information to store as EXIF data and it is often possible for a user to turn off the storage of this information. Also, websites commonly exclude EXIF data when pictures are published online. However, when you find interesting pictures on a computer, it is often possible to find important information about it by examining the EXIF data. You may access this data, as you would any other metadata put there are also special built parsers and forensic tools available for EXIF data analysis. Among the more important pieces of information that can be recorded as metadata is Camera make and model Device name Time when the picture was taken GPS coordinates describing where the picture was taken Serial number of the device that took the picture Name of the person who took the image. Note that the information stored in the EXIF data is, of course, the information that was available to the device. If the user configure the device name to be “Jacksons Iphone,” then that will appear in the device name field. Figure 4.1 shows sample metadata including EXIF data viewed through Windows. 4.3 Prefetch 25 Fig. 4.1 Picture metadata including EXIF data 4.3 Prefetch Prefetching, in Windows terminology is the process of bringing data and code pages into memory before it is needed. The idea is to track normal application usage and load the data that an application usually needs during runtime when the application is loaded. This process was implemented to increase performance of applications that used is a similar manner every time it is used (Nair 2012). Prefetch data is stored in prefetch files located in the “Prefetch” folder under the system root (commonly c:\Windows). The most significant function of the prefetch files, from a forensic perspective, is that they contain information about how many times an executable was run, and when it was last run. The file name of a prefetch file begins with the name of the executable followed by a hash of the location where the executable is stored. For instance, a prefetch file for FTK imager could be named “FTK IMAGER.EXE-1B23CEFA.pf”. If there is a second instance of FTK imager installed somewhere else there would be a second prefetch file with the same executable name but another hash value. There will be a “modified” time stamp for the prefetch file and that time stamp reflects the last runtime of the application, as the prefetch file is updated when the application is executed. The data in the prefetch file contains information about how many times the application 26 4 Notable Artifacts was used, what hard drive it resides on, and what files and directories it referenced. The data format is somewhat cumbersome to read but there are several good and free to use parser available including one by Erik Zimmerman that is presented in Chap. 14. 4.4 Shellbags Next topic to handle is shellbags. Shellbags are used to store information about GUI settings for explorer, that is used to browse files and folders on a Windows-based computer. That means that they store information about what preferences a user sets for viewing certain directories. This can, for instance, be how to list files in the directory. To further explain the use of shellbags, if you browse to a folder and set viewing options to “detailed list,” then close the folder and browse back to it you will notice that your setting are still there. This is shellbags working for you. The forensic significance of these artifacts comes from the fact that a shellbag for a certain folder is created when a user is actually viewing that folder. Thus, the existence of a shellbag for a certain folder is a very good indication that the user in question has visited that particular folder. Also, the shellbags are stored in NTUser.dat and another user-specific file called UsrClass.dat, located in …/ AppData/Local/Microsoft/Windows/UsrClass.dat. That makes the shellbag data user specific. On a third notice, it seems as if shellbags are not deleted and can therefore serve as evidence of deleted folders and since they collect information about network shares, mounted encrypted volumes and removable media, they can provide information about that as well. Further, experiments done by the author indicates that for Windows 10 version 1709, UsrClass.dat is the best source of shellbag data. However, both locations should be examined. As said, shellbags are stored in registry in the following keys USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags However, the names of the shellbag keys are numbers and the values of the keys are in binary format making manual interpretation hard. It is more feasible to use a tool designed to parse shellbags, and there is one made my Erik Zimmerman that will parse out shellbag information from a registry hive. The tool is called “Shellbags Explorer” and is presented in Chap. 14. Sample output from this tool is presented in Fig. 4.2. As shown in Fig. 4.2, there are traces of the computer being used to browse several folders on several drives. Also, in the right pane there are time stamps that provide additional information. “Created on” would reveal the first time that a folder was visited and “Modified on” should be updated if the user makes changes 4.4 Shellbags 27 Fig. 4.2 Shellbags Explorer sample output to the appearance of a certain folder. Except for being useful for criminal forensics shellbags can also be useful in intrusion detection to, for instance, reveal if a user account was compromised and used in an enumeration attempt. In such a case, the shellbags would reveal an unusual pattern in folder visits. For instance, shellbags indicating visits to system folders that a user would not normally visit in a limited time period could indicate an enumeration attack. 4.5.LNK Files Continuing on the topic of exploring what files and folders that were accessed using the computer subject to examination, there are some neat artifacts called.lnk files. In essence,.lnk files are shortcuts within Windows. From a regular users’ point of view, they are most commonly used to access applications and placed on the user desktop. The common case is that when you install an application, the actual executable is placed somewhere down under the “c:\program files” directory and a. lnk file is located on the users desktop. However, there are several other reasons why the operating system would create.lnk files that makes them useful during forensic examinations. For instance,.lnk files are created whenever a user opens a file, local or remote (Magnet Forensics 2014). The.lnk files are created in different locations, and.lnk files created when a user opens files are located in the path [userhomefolder]\AppData\Roaming\Microsoft \Windows\Recent. As for the information located in the files, they are named tar- getfilename.lnk. For instance, the name of a.lnk file related to a file called “test.txt” would be “test.txt.lnk”. What makes.lnk files very interesting for forensic exam- iners are that they are not deleted when a remote drive containing the target file is removed, or when a file is deleted. That makes them a good source of information 28 4 Notable Artifacts about network storage, removable storage and deleted files. As for the actual content of the.lnk files, they will include information about: The location of the target file, i.e., the file path. The time the link was created and last updated meaning when the target file was first and last accessed. Information about the device where the target file is stored. If this is a local device, the volume serial number and type will be included. If the device was a remote device, the name of the share will be included. As much of the data contained in.lnk files is in a format that is hard to interpret manually, it is handy to use some tool to parse.lnk files. Several forensic softwares contain support for interpreting and presenting.lnk file data in a tidy format. Those softwares include Internet evidence finder from Magnet Forensics and sleuthkit/ Autopsy. There are also several tools built especially for the purpose of analyzing. lnk files including LECmd by Erik Zimmerman, presented in Chap. 14. 4.6 MRU-Stuff The final artifact described here that relates to accessing files and folders is more of a collection of different keys in the Windows registry that can be called most recently used (MRU) keys. They are exactly what the name suggests, namely keys describing when something was last accessed. There are MRU keys for a whole lot of things scattered across the Windows registry. In general, the keys containing MRU information can be identified by having MRU included in its name. Most MRU keys contain one entry called “MRUlist” or “MRUListEx” and then several entries named with numbers or letters. Whenever an event that is tracked by a MRU key occurs, an entry will be placed in the MRU key, named with a letter or number. The letter or number will tell you in what order the event first occurred and was recorded in the MRU key. However, “MRUlist” and “MRUlistex” will describe when the event occurred last. As one example, consider the example in Fig. 4.3 where the key “Map Network Drive MRU” is examined. In this case, there is only one entry called “a” that tells us that a network drive located at \\VBOXSVR\VMDShare was mounted to the system. “MRUlist” will tell us that it was the last mounted network drive. If another network drive was to be mounted, it would be given the MRU entry “b” and added as number one in “MRUlist”, as in Fig. 4.4. Fig. 4.3 Map Network Drive MRU 4.6 MRU-Stuff 29 Fig. 4.4 Map Network Drive MRU again Fig. 4.5 Map Network Drive MRU yet again Then, if \\VBOXSVR\VMDShare was to be mounted again, “MRUlist” would be updated to reflect that. This is demonstrated in Fig. 4.5, using Windows built-in regedit. To complicate matters a bit more, the MRU keys containing the entry “MRU- ListEx” works in a similar manner but looks quite different. Instead of naming the values with letters, numbers are used and the data format is in hexadecimal. For this reason, using a Registry Explorer that is capable of interpreting this data is very handy. Examples of such tools will be given in Sect. 4.2. However, even if the format of these MRU keys is different, they work in the same way. Whenever an event occurs, an entry is created with a number. The order of the events is recorded in numbers stored in DWORD (four bytes) format in “MRUListEx”. The order in “MRUListEx” can tell in what order the events recorded in the listing appeared. As an example, consider Fig. 4.6 that shows the MRU key for opened.txt files. Fig. 4.6 RecentDocs\.txt in Registry Explorer 30 4 Notable Artifacts Table 4.1 Listing of MRU keys and their function Key path Purpose Software\Microsoft\Windows In this key, there are sub-keys for a multitude of \CurrentVersion\Explorer\RecentDocs\* file extensions. Each sub-key tracks the most recent files that were opened by the user on a by file-type basis Software\Microsoft\Windows This key tracks the most recent network drives \CurrentVersion\Explorer\Map Network that were mapped as network drives by the Drive MRU computer Software\Microsoft\Windows The values recorded here are recorded when a \CurrentVersion\Explorer\ComDlg32 file is saved using the “Save as” dialogue \OpenSavePidlMRU Software\Microsoft\Windows This key tracks recently used applications and \CurrentVersion\Explorer\ComDlg32 the folder paths used by these applications to \LastVisitedPidlMRU open a file. After testing done by the author at Windows 10 version 1709, it appears as if only applications used to open files using the file explorer (i.e., when the user clicked “Files ! open” and browsed for a file) are tracked. So, these keys will not tell you what applications that were used, rather what applications that were used to open files using the method just described. Also, if you right click a file and select “open with X”, this action will not be tracked by this key Software\Microsoft\Windows This key will track the most recent stuff the user \CurrentVersion\Explorer\RunMRU typed into the “Run” dialogue Software\Microsoft\Office\* This key will hold sub-keys for different version of Microsoft Office and then for the different office applications. Digging down this sub-key you can find a multitude of MRU information relating to the usage of office applications As seen in “MRUListEx”, the entry with number 3 reflected the last recorded event, in this case a text file being opened. Further, Fig. 4.6 shows that the values are recorded in hexadecimal format but the software used to examine this key can interpret that the name of the file referenced in the entry is “last saved.txt”. The name of the software is Registry Explorer and will be described in Sect. 4.2. Now that you know how to read MRU keys, the next step is to find them. Table 4.1 provides a listing of some noticeable MRU keys located in NTUser.dat on Win- dows 10 version 1709 and a description of what they do. Note that many keys exist on many versions of Windows but there may be minor differences from different Windows versions. 4.7 Thumbcache 31 4.7 Thumbcache Moving on to an artifact with a different use than the prior, namely the thumbcache. The thumbcache is a Windows feature with the purpose of making previewing of pictures quicker. When you list the content of folder in Windows containing pic- tures, the icons will be miniatures of the pictures. To mitigate the need of reading all picture and turning them to miniatures every time such folder is viewed, Windows stored the miniatures as thumbnails when they are first created. The thumbnails are stored in database files called thumbcaches located in the folder [userhomefolder] \AppData\Local\Microsoft\Windows\Explorer. The thumbcache database files are called thumbcache_x.db where x is the thumbcache for a certain folder listing mode. There are two things that are particularly neat about the thumbcache from a forensic perspective. First, they contain the actual thumbnails produced when a user is viewing the content of a folder and that is a fact that makes them quite smooth to analyze. Second, they are not deleted and therefore thumbnails of pictured that was deleted or stored on a storage device that is removed are still there. As the thumbcache is stored in a database format, you need a program that is able to interpret the database in order to view them. One such viewer is Thumb- cache Viewer that was used to produce the thumbcache example in Fig. 4.7 and that is further presented in Chap. 14. As shown in Fig. 4.6, the thumbnails are stored with arbitrary file names and it appears as if there are no easy ways to deduce the original file path of a thumbnail. One way to map the thumbnails to actual paths is by examining the Windows internal search database called Windows.edb, located in the folder [systemroot] \ProgramData\Microsoft\Serach\Applications\Windows. The attempt to map can be done in, for instance, Thumbcache Viewer. Fig. 4.7 Thumbcache example 32 4 Notable Artifacts 4.8 Windows Event Viewer As we declared in the beginning of this book, digital forensics is about figuring out what a computer was used for. What can actually be seen as the golden ticket to that goal is to built-in Windows Event Viewer, the internal logging tool in Windows. As stated by Microsoft Technet (2018), Event Viewer “maintains logs about program, security, and system events on your computer.” As such, it is a great place to figure out what happened on a computer. Windows event logs are commonly analyzed using Event Viewer, built into Windows. The actual logs are stored in files, and there can be loads of different log files. Looking at Event Viewer, shown in Fig. 4.8, you will notice that the logs are classified into “Windows Logs” and “Application and Service logs”. The log files under “Windows logs” are the most commonly used and work as follows: Application: logs sent from applications are located here. Windows applications logs will usually end up here, and logs from other applications may end up here. It is up to the application developer to decide how logging is managed. System: Logs sent by system components will end up here. Security: Security event such as user logons will end up here. Further, for the application and service logs, there are log files for virtually everything that is built into Windows and it is possible to browse those logs on an application by application basis. Fig. 4.8 Windows Event Viewer 4.8 Windows Event Viewer 33 Fig. 4.9 Windows log entry Next thing to know about the actual entries in the log files is that they can be of different types. The logs filed under Security will be audit logs that can be Audit Success or Audit Fail. The other logs will concern how applications and hardware perform and can be information, warning or error. What may be of more forensic interest is how to understand what kind of events the logs actually describes. A log entry is shown in Fig. 4.9. As shown in Fig. 4.9, every log entry comes with a set of attributes. First, the keyword will describe the log type as described above and it is followed by a time stamp indicating when the entry was written. Next is the source indicating where the log came from. This can be some Windows process as in this case, or some application. Then the log has an event ID, and the event ID will classify the event into some category. Actually, many events that are logged have predetermined event ID’s enabling a forensic examiner to search for interesting event ID’s in order to identify events of interest for a forensic examination. Some of the more inter- esting event ID’s from a forensic standpoint are listed in Table 4.2. Table 4.2 Some Event ID’s of forensic interest Event Description ID 4624 Tracks user logons, the log entry will contain a logon type that will tell you if the user logged on locally or remotely and more. Type 2 indicated a local logon and 10 indicates a remote logon 4634 Tracks user logoffs 4116 Tracks time changes and will describe the name of the user account that changed the time settings 11707 This event tracks software installations 34 4 Notable Artifacts As for analyzing the log files, using Event Viewer seems like a well-working option, it is possible to extract log files from a computer and import them into Event Viewer on another computer used for analysis. The log files are located in [Sys- temRoot]\Windows.old\System32\winevt\Logs. 4.9 Program Log Files While on the topic of log files, it should be noted that logs from applications that do not log to Event Viewer can be just as useful as those located in Event Viewer. As such, a log file is basically a listing of how an application behaved and there for troubleshooting purposes. However, from a forensic standpoint the log files can provide a wealth of information. For instance, the author of this book used log files to uncover chat messages lots of times. Also, log files have been well used to document upload and download history that can be a key piece of evidence in, for instance, copyright of illicit picture cases. A good rule of thumb is to go look for application logs whenever there is a suspicion of an application being involved in a case. Also, the application folders holding log files can hold additional information about how the user used the application. As for where log files are stored, it is impossible to provide a golden rule as the decision is up to the application creators. However, a very common place to find application logs is the user AppData folder ([UserHomeFolder]\AppData). Another common location of log files is in the application folder located under [SystemRoot] \ProgramData. Interpreting the log files can also be cumbersome and does not follow a standard practice as they can be structured in any way that you can imagine. However, experimenting with a program to see what logs they output during a known use case can help. This practice is further described in Sect. 4.2. 4.10 USB Device History In modern-day usage of computers, it is extremely common to use USB devices to store data. As such, being able to detect and examine how USB devices have been connected to a computer can be very important during a forensic examination. Fortunately, Windows will track quite a few events in relation to USB devices being connected and disconnected from a computer. Identifying what USB devices that have been connected to a computer running Windows would involve combine information from three sources: setupapi.dev.log, the registry and the system logs. Setupapi.dev.log is a log file located in the folder [SystemRoot]\Windows\INF. It logs events related to installation and uninstallation of devices, and when a USB device is inserted, it is installed before use making this log file one source of information. Figure 4.10 shows the beginning of an entry relating to a USB stick being inserted. 4.10 USB Device History 35 Fig. 4.10 USB entry in setupapi.dev.log As shown in Fig. 4.10, the first line shows that a device is being installed and one could use the term “USBSTOR\Disk&Ven” to search for events relating to USB storage devices. Following that line is the device vendor, in this case Kingston followed by the product name, in this case DataTraveler 3.0. It should, however, be noted that vendor name and product name is up to the manufacturer to specify, and it is quite common that they do not; instead, these fields may hold more generic information. For the purpose of tracking the USB device, the most important piece of information revealed is the device serial number, residing at the end of the first line. In this case, it is 08606E694934BEA1B7057E9D&0. The same information can be found through the Windows system logs, with event ID 20001, as shown in Fig. 4.11. Fig. 4.11 USB installation in Event Viewer 36 4 Notable Artifacts Having gathered the information from the above-described logs, additional information can be found in the Windows registry. Using USB thumbs will leave several traces in the registry, all in the system hive. The first point of interest is the sub-keys to ControlSet001\Enum\USBSTOR. This key will hold sub-keys for dif- ferent vendor and product name combinations that in turn contains sub-keys for the different USB devices that have been connected. The sub-keys will have the device serial numbers as name. This information can serve as a confirmation or alternative path to reveal the information that we just found using logs. There are several other places in registry where similar information can be found, but what would be the next step is to figure out the mount point that was used for the USB drive. The first place to look is the registry key called MountedDevices. This key will hold useful information about devices that have been mounted to the system. As shown in Fig. 4.12, it actually shows that the USB drive that we are tracking was last mounted as drive letter E: However, it should be noted that if a new device is assigned the same drive letter, the value for the drive we are tracking will be changed to something like “\??\Volume….” And the ability to track what drive letter it once used is gone. However, the presence of the device serial number in any of the values under MountedDevices will show that the device in question was once mounted to the system. As a final mark, upon finding a USB thumb drive, it is good practice to capture the serial number from that device in order to be able to tie that drive to the computer that is subject to examination. Note that the examples relating to USB device history were created using a computer running Windows 7. However, as discussed by Arshad et al. (2017), the artifacts are the same for Windows 10. Fig. 4.12 MountedDevices registry key 4.11 Questions and Tasks 37 4.11 Questions and Tasks 1. What is file metadata end EXIF information? 2. Prefetch, Shellbags,.lnk file and MRU data will provide insight into how a computer system was used. How and why are these artifacts on interest during a forensic examination? 3. How can thumbcache help detect pictures that have been deleted from a computer? 4. Why would a forensic examiner care about Windows internal and program specific log files? 5. Discuss when it can be important to detect if a certain USB device has been connected to a computer. References Arshad, A., Iqbal, W., & Abbas, H. (2017). USB storage device forensics for Windows 10. Journal of forensic sciences. Magnet Forensics. (2014) Forensic analysis of LNK files. Available online: https://www. magnetforensics.com/computer-forensics/forensic-analysis-of-lnk-files/. Fetched: March 22, 2018. Mansurov, N. (2018). What is EXIF data? Available online: https://photographylife.com/what-is- exif-data. Fetched March 12, 2018. Nair, R. (2012). What is app launch prefetching and how does it help? Available online: https:// social.technet.microsoft.com/wiki/contents/articles/13011.what-is-app-launch-prefetching-and- how-does-it-help.aspxaspx. Fetched: March 13, 2018. TechNet. (2018). Event viewer. Available online: https://technet.microsoft.com/en-us/library/ cc938674.aspx. Fetched March 26, 2018. Decryption and Password Enforcing 5 A common task during any forensic examination is to attempt to decrypt encrypted data in different forms ranging from encrypted files or folders to encrypted com- munication such as e-mail and chat or even complete hard drives that have been encrypted, full disk encryption (FDE). As a forensic examiner, it is vital to have some know-how on how to crack encrypted files and passwords. The methods for breaking encryption and hashing can roughly be divided into two different methods —decryption attacks and password cracking. The rest of this section will describe them both. Before dwelling into the interesting parts there is some terminology that we need to understand, as repetition from the discussion on encryption, the encrypted data is called cipher (Denoted C) and the readable version of the data is called plaintext (denoted P). The password, or key, used in the encryption and decryption process is denoted as K. During a forensic examination, we usually find a cipher and we need to figure out K in order to get the readable plaintext. Hashing is commonly used to store plaintext (P) in an unreadable format called digest (H). From a forensic standpoint, we can usually get hold of the digest and want to figure out the plaintext. The rest of this chapter will provide a theoretical background to approaches used for cracking. It is accompanied by a practical description on the topic, presented in Chap. 10. 5.1 Decryption Attacks A decryption attack is where you attack the encryption or hashing algorithm or implementation of it in order to deduce the plaintext from the cipher or digest. Using this kind of attack will save you the trouble of trying to guess the password, a time-consuming approach. However, the most commonly used algorithms do not suffer any weaknesses that make an attack against the algorithm feasible. There are algorithms that are considered to be cracked, but in a forensic context you are © Springer International Publishing AG, part of Springer Nature 2018 39 J. Kävrestad, Fundamentals of Digital Forensics, https://doi.org/10.1007/978-3-319-96319-8_5 40 5 Decryption and Password Enforcing usually limited in time meaning that for an attack to be considered to be successful it must be successful within the provided time scope. For that reason, being able to crack an algorithm in matter of years or months is commonly not good enough. You should, however, know about the existence of this approach because every so often you stumble upon s