Acquisition and Examination of Forensic Evidence MADS 6697, Louai Rahal


  1. Acquisition and Examination of Forensic Evidence MADS 6697, Louai Rahal

  2. Evidence preservation
     • Hashing
     • Bit-by-bit copying of the data to another hard drive
     • Process transparency
     • Documenting the chain of custody
     • Checking for evidence integrity

  3. Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime (Arnes, 2018).
     Chain of custody refers to the documentation of acquisition, control, analysis, and disposition of physical and electronic evidence (Arnes, 2018).
     “Metadata, or data about data, contains information about data objects. For example, the metadata associated with a digital photograph can contain the time of taking the photo, the geographical location, and the camera used. The analysis of metadata is an important activity throughout the forensic process, as metadata can contain information that is key to solving a case” (Arnes, 2018).

  4. First Responder Mistake: “a detective at the crime scene allegedly tried to unlock the mobile phone of the suspect. While doing so, he repeatedly entered incorrect PIN and PUK codes to unlock the SIM card. This led to data relevant to the case being erased. The defense team argued that the police investigation destroyed critical evidence that would have been relevant to the case” (Arnes, 2018). https://www.wral.com/news/local/video/9359162/

  5. Science: Falsifiability, Replication

  6. “The documentation activities begin from the moment the investigator starts handling the digital devices that will be “touched” during the investigation phases. The documentation enables reproducibility of results and traceability from the physical object’s origin to the final evidence presentation. This calls for thorough documentation throughout the digital forensic process” (Arnes, 2018). A process is replicable when a repetition of the same process leads to the same results.

  7. Analysis of a digital forensics investigation
     • Identify 3 mistakes made by the investigator. https://www.youtube.com/watch?v=1BVG6cmPlPk

  8. If a digital forensics investigation fails to prove that a person is guilty, it does not necessarily mean that the person is not guilty.

  9. Live systems: systems that are running and are at the time of identification potentially holding evidence that may be lost or hard to acquire if the system is shut down.
     Dead systems: systems not running.
     Any data in temporary storage areas such as cache, main memory, running processes, or active application dialogues on a computer will normally be lost when the system is powered down (Arnes, 2018).

  10. Arnes, 2018

  11. Turning on a system that was initially turned off might also lead to evidence loss. At boot time, a PC, mobile phone, or media player executes boot activities that can overwrite previously cached data (Arnes, 2018).

  12. Turning on a system that was initially turned off might also lead to evidence loss. At boot time, a PC, mobile phone, or media player executes boot activities that can overwrite previously cached data (Arnes, 2018).

  13. Marcella and Guillossou, 2012

  14. Marcella and Guillossou, 2012

  15. Marcella and Guillossou, 2012

  16. Exercise (Marcella and Guillossou, 2012)
     • Create a notepad file and insert one word in it: Hello.
     • Convert the ASCII characters to hexadecimal characters. You can use any hexadecimal calculator.
     • Add the hex signature for a .txt file to the beginning of your hex code.
     • Open your file with a hexadecimal editor. The hex code in the file reader should match the hex code you created manually.

  17. Allocated/Unallocated areas
     • 10001010101010101010101010101………………00101011010100001010101
     • Allocated to file file1.txt
     • When file1.txt is deleted:
     • 10001010101010101010101010101………………00101011010100001010101
     • The data for file1.txt will continue to be available until it gets overwritten

  18. Example of a recovered Image Arnes, 2018

  19. Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in software that claims to permanently wipe data. Should the results of the investigation be published? http://www.forensicfocus.com/index.php?name=Content&pid=367

  20. Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in software that claims to permanently wipe data. Should the results of the investigation be published? “Imagine research into a product which revealed that while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence.”

  21. Ethics Case Study: During a digital forensics investigation, a deficiency was discovered in software that claims to permanently wipe data. Should the results of the investigation be published? http://www.forensicfocus.com/index.php?name=Content&pid=367
     • Discuss the case from the perspectives of:
     • The Categorical Imperative
     • Utilitarianism
     • The ethics of care

  22. Four sentences
     • Sentence 1: The digital forensics case you will be writing about.
     • Sentence 2: How was the evidence identified, collected, and reported? If not enough details are found, describe how the evidence should have been identified, collected, safeguarded, and reported.
     • Sentence 3: How was the evidence safeguarded? If not enough details are provided, describe how the evidence should have been safeguarded.
     • Sentence 4: What ethical concerns and issues does the case raise?

  23. Imaging
     • Imaging: “The process of making an exact copy (bit by bit) of the original drive”
     • Hash values are admissible in court: “the government’s expert witness testified that no two dissimilar files will have the same hash value”
     • The law prohibits the distribution of forensic images of child pornography files: “The Adam Walsh Child Protection and Safety Act […] prohibited the defense from obtaining copies of the child pornography evidence”

  24. National Institute of Standards and Technology
     • Criteria of reliability of a forensic tool:
     • The tool shall make a bit-stream duplicate or an image of an original disk or partition
     • The tool shall not alter the original disk
     • The tool shall be able to verify the integrity of a disk image file
     • The tool shall log I/O errors
     • The tool’s documentation shall be correct
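To make slides 2, 23 and 24 concrete, here is an added Python example (not part of the deck and not the code of any forensic tool) that walks through the preservation steps they list: hash the original, copy it bit by bit, hash the image, re-hash the original to show it was not altered, log any I/O error with its offset, and write it all into a chain-of-custody record. The "drive" is a constructed 2048-byte sample, and `FaultySource` is a constructed stand-in for a device with one unreadable sector.

```python
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512

# Constructed sample "drive" (four sectors); not real evidence.
SAMPLE_DRIVE = (
    b"BOOT" + b"\x00" * (SECTOR - 4)
    + b"GIF89a" + b"\x41" * (SECTOR - 6)
    + b"Hello" + b"\xff" * (SECTOR - 5)
    + b"\x00" * SECTOR
)


class FaultySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector at bad_offset."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            self.seek(self.bad_offset + SECTOR)  # the device moves past the bad sector
            raise OSError("unreadable sector")
        return super().read(size)


def read_sectors(source, log):
    """Yield the source sector by sector. A sector that cannot be read is logged
    with its offset and replaced by zeros so that image offsets stay aligned."""
    source.seek(0)
    offset = 0
    while True:
        try:
            chunk = source.read(SECTOR)
        except OSError as exc:
            log.append({"event": "io_error", "offset": offset, "error": str(exc)})
            chunk = b"\x00" * SECTOR
        if not chunk:
            return
        yield chunk
        offset += len(chunk)


def sha256_of(source, log=None):
    """SHA-256 (hex digest) over everything read_sectors yields."""
    digest = hashlib.sha256()
    for chunk in read_sectors(source, [] if log is None else log):
        digest.update(chunk)
    return digest.hexdigest()


def image_drive(source, destination, log):
    """Bit-by-bit copy; returns the number of bytes written to the destination."""
    copied = 0
    for chunk in read_sectors(source, log):
        destination.write(chunk)
        copied += len(chunk)
    return copied


def acquire(source, examiner):
    """Hash the original, image it, hash the image, verify, and return the
    custody record together with the image bytes."""
    log = []
    before = sha256_of(source)
    image = io.BytesIO()
    copied = image_drive(source, image, log)
    after = sha256_of(source)          # the original must not have changed
    image_hash = sha256_of(image)
    record = {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_hash_before": before,
        "source_hash_after": after,
        "image_hash": image_hash,
        "source_unaltered": before == after,
        "image_verified": image_hash == before,
        "io_errors": log,
        "complete": not log,           # False when any sector had to be zero-filled
    }
    return record, image.getvalue()


def acquire_sample(bad_offset=None, examiner="examiner-1"):
    """Run the acquisition on the constructed drive, optionally with one bad sector."""
    if bad_offset is None:
        source = io.BytesIO(SAMPLE_DRIVE)
    else:
        source = FaultySource(SAMPLE_DRIVE, bad_offset)
    return acquire(source, examiner)


if __name__ == "__main__":
    print(acquire_sample()[0])
    print(acquire_sample(bad_offset=1024)[0]["io_errors"])
```

Note that when a sector is unreadable the image still verifies against the hash computed during the same read pass; it is the `io_errors` list and the `complete` flag in the record, not the hash comparison, that tell the examiner the image is not a faithful copy of that sector.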

  25. Files and File System Forensics
     • Data on disk: 10001010101010101010101
     • A sector: 512 bytes
     • A cluster: 2 or more sectors
     • File: data that resides on clusters

  26. First few bytes: the file header. The file header contains the file signature; the file content follows it.

  27. To make the investigation of files easier, files are read in hexadecimal format.

  28. Which of the following is NOT a valid hexadecimal string? ABCDEFG, 101010101, 999999AAAA

  29. Which of the following is NOT a valid hexadecimal string? ABCDEFG, 101010101, 999999AAAA

  30. https://digital-forensics.sans.org/media/hex_file_and_regex_cheat_sheet.pdf

  31. Physical Extraction: Independent of Operating System
     • Checking file signatures
     • Based on file signatures, interpret data
     • If 30 30 30 is found in a .word file, how would it be interpreted?
     • If 30 30 30 is found in a .gif file, how would it be interpreted?

  32. Physical Extraction: Independent of Operating System
     • Checking file signatures
     • Based on file signatures, interpret data
     • Examine the partition table to know which file sectors are allocated and which ones are not allocated
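The following Python example is added here (it is not from the slides or from the SANS cheat sheet they link) to carry out the hex exercises of slides 16, 28 and 31 in code: validating a hex string, converting "Hello" to hex and back, identifying a file from its signature rather than its name, and showing that the bytes 30 30 30 mean the string "000" in a text file but are just three raw values in a binary container. The signature table is a small constructed one with a few widely documented magic numbers; plain-text files have no signature, so they fall through as "unknown".

```python
import os
import string

HEX_DIGITS = frozenset(string.hexdigits)

# Constructed signature table: first bytes of the file header for a few common
# types. Plain text has no signature, so it is never matched here.
SIGNATURES = [
    ("gif", bytes.fromhex("474946383961")),    # "GIF89a"
    ("gif", bytes.fromhex("474946383761")),    # "GIF87a"
    ("png", bytes.fromhex("89504E470D0A1A0A")),
    ("jpeg", bytes.fromhex("FFD8FF")),
    ("pdf", bytes.fromhex("25504446")),        # "%PDF"
]

# Extensions a file of each type would normally carry.
EXTENSIONS = {"gif": {".gif"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "pdf": {".pdf"}}


def is_valid_hex(text):
    """A hex string is non-empty and uses only 0-9, a-f, A-F (slide 28)."""
    return len(text) > 0 and all(c in HEX_DIGITS for c in text)


def ascii_to_hex(text):
    """'Hello' -> '48 65 6C 6C 6F' (slide 16)."""
    return " ".join(f"{b:02X}" for b in text.encode("ascii"))


def hex_to_ascii(hex_text):
    """'30 30 30' -> '000'; non-printable bytes become the replacement character."""
    return bytes.fromhex(hex_text.replace(" ", "")).decode("ascii", errors="replace")


def identify(data):
    """Type by signature alone, ignoring the file name (physical extraction)."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def interpret(data, container):
    """The same bytes mean different things depending on the container type:
    in a text file 30 30 30 is the string '000'; in a GIF they are raw values."""
    if container == "text":
        return data.decode("ascii", errors="replace")
    return list(data)


def extension_mismatch(filename, data):
    """True when the signature says one type but the extension claims another."""
    kind = identify(data)
    if kind == "unknown":
        return False                      # nothing to compare against
    return os.path.splitext(filename)[1].lower() not in EXTENSIONS[kind]


if __name__ == "__main__":
    print(ascii_to_hex("Hello"))
    print([(s, is_valid_hex(s)) for s in ("ABCDEFG", "101010101", "999999AAAA")])
    print(interpret(bytes.fromhex("303030"), "text"), interpret(bytes.fromhex("303030"), "gif"))
```

A file named holiday.txt that starts with 47 49 46 38 39 61 is reported as a GIF with a mismatched extension, which is exactly the situation signature checking is meant to catch.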

  33. “Ryan Jaye created two partitions on his 80 GB hard drive […] 20 GB were dedicated to his child pornography collection. When Ryan Jaye became suspicious that he had been discovered, he decided to delete the second partition […] Luckily for law enforcement, when a partition is deleted, the data within that partition remains until it is overwritten”

  34. Logical Extraction
     • Search strategies specific to the file system
     • NTFS: Master File Table
     • Slack

  35. Logical Extraction
     • Slack
     • A sector is 512 bytes. What if the file size is 200 bytes?
     • The remaining 312 bytes are slack space
     • The OS uses slack as RAM slack and DRIVE slack
     • RAM slack is NOT volatile.
     • DRIVE slack: ‘storing old information that was once available on the storage device’

  36. Logical Extraction
     • Slack
     • A sector is 512 bytes. What if the file size is 200 bytes?
     • The remaining 312 bytes are slack space
     • The OS uses slack as RAM slack and DRIVE slack
     • RAM slack is NOT volatile.
     • DRIVE slack: ‘storing old information that was once available on the storage device’
     • Which slack space will most likely contain data from deleted files?
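To make slides 17, 33 and 35-36 concrete, here is an added Python simulation (not from the deck, and not a real file system) of a disk with 512-byte sectors and a toy allocation table. It shows the 200-byte file leaving 312 bytes of slack, deletion releasing the sector without touching its bytes, a carve over the raw disk still finding the "deleted" data, and the old bytes surviving as drive slack of a later, smaller file even after the sector is reused. The `ToyDisk` class, its allocation policy and the file contents are all constructed for the example.

```python
SECTOR = 512


class ToyDisk:
    """Constructed flat disk: a fixed number of 512-byte sectors plus a simple
    allocation table (file name -> (sectors, size)). Not a real file system."""

    def __init__(self, sectors):
        self.data = bytearray(SECTOR * sectors)
        self.free = list(range(sectors))   # unallocated sectors, lowest first
        self.files = {}                    # name -> (sectors, size)

    def write_file(self, name, content):
        needed = -(-len(content) // SECTOR)        # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, sec in enumerate(sectors):
            chunk = content[i * SECTOR:(i + 1) * SECTOR]
            start = sec * SECTOR
            # Only the file's own bytes are written; the rest of the last
            # sector (the slack) keeps whatever was there before.
            self.data[start:start + len(chunk)] = chunk
        self.files[name] = (sectors, len(content))

    def delete_file(self, name):
        """Deleting only releases the sectors; the bytes stay until reused."""
        sectors, _ = self.files.pop(name)
        self.free.extend(sectors)          # released sectors go to the back of the queue

    def read_file(self, name):
        """Logical view: exactly the bytes the allocation table says belong to the file."""
        sectors, size = self.files[name]
        raw = b"".join(bytes(self.data[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        return raw[:size]

    def slack(self, name):
        """Bytes between the end of the file and the end of its last sector."""
        sectors, size = self.files[name]
        if not sectors or size % SECTOR == 0:
            return b""
        last = sectors[-1] * SECTOR
        return bytes(self.data[last + size % SECTOR:last + SECTOR])

    def carve(self, marker):
        """Physical view: search the whole raw disk, allocated or not, for a marker."""
        hits, pos = [], self.data.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(marker, pos + 1)
        return hits


def scenario():
    """Write, delete, keep writing, and record what stays recoverable at each step."""
    disk = ToyDisk(3)
    findings = {}
    file1 = b"SECRET" + b"A" * 194                 # 200 bytes: one sector, 312 bytes of slack
    disk.write_file("file1.txt", file1)
    findings["slack_after_write"] = len(disk.slack("file1.txt"))
    disk.delete_file("file1.txt")
    findings["carved_after_delete"] = disk.carve(b"SECRET")
    disk.write_file("file2.txt", b"B" * 100)       # lands on the next free sector, not sector 0
    findings["carved_after_file2"] = disk.carve(b"SECRET")
    disk.write_file("file3.txt", b"C" * 100)
    disk.write_file("file4.txt", b"D" * 10)        # reuses sector 0, overwriting only 10 bytes
    findings["carved_after_overwrite"] = disk.carve(b"SECRET")
    findings["old_data_in_file4_slack"] = disk.slack("file4.txt").count(b"A")
    return findings


if __name__ == "__main__":
    print(scenario())
```

The last finding is the drive-slack case from the slide: file4.txt is 10 bytes long, yet 190 bytes of the earlier file are still readable in the slack of its sector, which a logical read of file4.txt would never show.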

  37. Filtering with Hashing: “file hashes may be used to eliminate duplicate data”; “Hash values may also be compared to datasets that contain known hash values for specific files”
     • Create three or four or n copies of a notepad file (file1.txt) in a new folder
     • Create other notepad files
     • Hash all files in the folder
     • Create a Python script that checks the hashes of all the files in the folder and deletes all duplicates of file1.txt. Use the handout from class 5 and the code below:
     • import os
     • os.remove("file.txt")
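One way to complete the exercise on this slide, written here as an added example rather than the class 5 handout or the instructor's solution: hash every file in a folder in chunks, list the files whose hash equals that of file1.txt, delete them with `os.remove`, and compare the survivors against a dataset of known hash values. `demo()` builds the folder from constructed files in a temporary directory, and the "known" dataset is a constructed one-entry dictionary standing in for a real reference set.

```python
import hashlib
import os
import tempfile


def file_hash(path, algorithm="sha256"):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_folder(folder):
    """Map every regular file in the folder to its hash."""
    return {
        name: file_hash(os.path.join(folder, name))
        for name in sorted(os.listdir(folder))
        if os.path.isfile(os.path.join(folder, name))
    }


def find_duplicates(hashes, reference):
    """Names of files whose content hashes identically to the reference file."""
    target = hashes[reference]
    return [name for name, digest in hashes.items() if digest == target and name != reference]


def remove_duplicates(folder, reference, dry_run=True):
    """Delete duplicates of the reference file; with dry_run=True only report them."""
    duplicates = find_duplicates(hash_folder(folder), reference)
    if not dry_run:
        for name in duplicates:
            os.remove(os.path.join(folder, name))
    return duplicates


def match_known(hashes, known):
    """Compare file hashes against a dataset of known hash values (hash -> label)."""
    return {name: known[digest] for name, digest in hashes.items() if digest in known}


def demo():
    """Build a constructed folder, dedupe it, and check the rest against a known set."""
    with tempfile.TemporaryDirectory() as folder:
        contents = {                       # constructed sample files
            "file1.txt": b"Hello",
            "copy1.txt": b"Hello",
            "copy2.txt": b"Hello",
            "copy3.txt": b"Hello",
            "notes.txt": b"different content",
            "other.txt": b"Hello world",
        }
        for name, data in contents.items():
            with open(os.path.join(folder, name), "wb") as handle:
                handle.write(data)
        # Constructed "known hashes" dataset: one labelled entry.
        known = {file_hash(os.path.join(folder, "file1.txt")): "known sample"}
        duplicates = remove_duplicates(folder, "file1.txt", dry_run=False)
        remaining = hash_folder(folder)
        return {
            "duplicates": sorted(duplicates),
            "remaining": sorted(remaining),
            "known_matches": match_known(remaining, known),
        }


if __name__ == "__main__":
    print(demo())
```

The `dry_run` default is deliberate: on real evidence you would run the script once to see what it intends to delete, compare the list against your notes, and only then rerun it with `dry_run=False`, recording the hashes of the removed files in the case documentation.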
