Chapter 7

Seizing, imaging, and analyzing digital evidence

step-by-step guidelines

David Day

Abstract

Hiding and obfuscating their identities and digital evidence are now common activities for many malicious hackers. This, coupled with anti-forensic and anonymizing techniques such as encryption and proxy relays, has made the aims of the digital investigator more difficult to achieve. It is easy to make errors which cause vital evidence to remain undetected or, worse, to contaminate evidence through poor practice after it has been found. This chapter suggests best practices to help obtain exhibits and uncover obfuscated evidence while maintaining its integrity for submission in court.

Keywords

Cybercrime

Hacker

Digital forensics

Disk

RAM

Anti-forensics

Tor

Disk

Proxy relay

Court

Evidence

Digital evidence

Policy

Guidelines

Introduction

There are a number of approaches that can be taken when creating and subsequently executing a plan for a forensic investigation. Those that are selected, or created, are chosen largely subjectively. However, there are certain criteria which should be followed in order to meet best practice, to comply with laws and regulations, and to ensure any evidence discovered remains admissible in court. It is the purpose of this chapter to offer guidance on how to meet these aims, and in addition to discuss some of the more insightful methods used when searching for incriminating evidence. Further, it is intended to provide the examiner with an overall view of the process, from what needs to be considered when applying for a search warrant, through to how to seize and acquire evidence appropriately. Finally, it discusses how to apply inventive methods to uncover crucial evidence via forensic analysis, including evidence that may have been obfuscated via anti-forensic techniques.

Establishing Crime

Forensic evidence is usually gathered by a search of a suspect’s premises and seizure of the relevant equipment. To do this legally it is typically necessary to obtain a search warrant. The details of this process differ depending on the laws of the country and the jurisdiction in which the alleged offence took place; however, in most instances warrants are supplied by a judge who has been convinced that enough evidence exists to justify their issue. For example, in the UK a judge needs to be satisfied that there are “reasonable grounds” for believing that an offence has occurred (Crown, 1984). Normally this offence would be listed under the Computer Misuse Act. In the United States the process is similar, with the Fourth Amendment’s term “probable cause” being cited (FindLaw, 2014). It is beyond the scope of this work to fully explore what is meant by both “reasonable grounds” and “probable cause,” but in either case it is clear that significant evidence is needed, and that the request to search a premises cannot be based simply on a suspicion or a hunch. Further, the evidence must support the assumption that a crime has been, is being, or will be committed or orchestrated from the premises.

Collecting Evidence for a Search Warrant

Evidence that cybercrime has been committed can be collected in various ways dependent upon the crime being committed, with the crimes usually falling into one of the following four broad categories:

• Piracy: The reproduction and dissemination of copyrighted material.

• Malicious Hacking: The act of gaining illegal, unauthorized access to a computer system. This includes phishing and identity theft.

• Child Pornography: The distribution, owning or viewing of child pornography.

• Financial: The purposeful disruption of a company’s ability to conduct electronic commerce.

Regardless of the type of cybercrime committed, it is necessary to associate the suspect with the crime. The following sections discuss the techniques, tools, and methods for performing this.

Reported by a Third Party

Parties who are suspected by a member of the public of having committed cybercrime can be reported to law enforcement. The criminal act could be discovered as a result of a workplace audit or security monitoring program. Alternatively, the report could be made by an individual who has become aware of criminal activity in a social context, either online via social media or in person.

Identification of a Suspect’s Internet Protocol Address

A public Internet Protocol (IP) address uniquely identifies every device directly connected to the Internet. IP addressing employs a 32-bit (IPv4) or 128-bit (IPv6) hierarchical addressing scheme. The IP address is used by intermediary routers to decide which path data packets should take from source to destination. When an IP address is used to potentially identify a suspect, it has usually been assigned by the suspect’s Internet Service Provider (ISP) to their perimeter router, which for a home user is typically housed on their premises. This IP address remains encapsulated within the packets of data that constitute a communication session, and it uniquely identifies the public-facing interface of that router. Identifying an IP address in a malicious communication is sufficient evidence to justify the issuing of a search warrant and arrest. However, there are some issues with this method of identification, the most notable being the use of IP spoofing and anonymizing proxy relay services. These are discussed in the following sections.

IP Spoofing

IP spoofing is a process whereby a malicious hacker manually crafts data packets with a false source IP address. This not only hides their true IP address but also allows them to impersonate another system. The limitation is that it cannot be used in an attack which relies on a return communication from the victim to the attacker, for example, to take control of or view data from, the victim’s machine. As a result it is a popular attack method for denial of service attacks which render a system inoperable by either overwhelming the system with a large quantity of packets, or by specifically crafting a packet which causes the service to terminate.

Anonymizing Proxy Relay Services

Anonymizing proxy relay services, such as Tor (2014), offer privacy and anonymity of origination. These are achieved by using encryption and a relaying algorithm respectively. The Tor algorithm selects a random path from source to destination via specific network nodes that have been chosen by a supporting community to form part of the relay service. The connections between these nodes are encrypted in such a way that each node only knows the IP addresses of the nodes it is immediately connected to. While the communication between the exit node and the final destination is not encrypted, the original source IP address is still guarded behind multiple layers of encryption, one for each node. The final destination will only be aware of the IP address of the exit (final) node used by the service, not of the originating host of the message. This means that if the logs of a compromised server are examined, they will not reveal the details of an attacker using Tor, but rather the exit node of the Tor relay.

While proxy relay services such as Tor offer malicious hackers anti-surveillance and anonymity of origination, they also carry some drawbacks. Firstly, they are slower than using the Internet conventionally; this is due to the additional nodes traversed (three in the case of Tor). These nodes can be in different countries and of poor quality, and thus both the route and the throughput become suboptimal. Secondly, they can be difficult to configure; this is especially true if connectivity is required outside a web browser, as is the case with Internet Relay Chat (IRC), which although becoming less popular with the general public remains a communication channel for malicious hackers. Lastly, they rely on the malicious party remembering to engage the service before each and every malicious operation; they need only forget on one occasion for their identity to be compromised. This is widely believed to have been the principal method by which Hector Xavier Monsegur, otherwise known as Sabu, from the hacking fraternity LulzSec was identified in 2011. He allegedly logged into an IRC channel just once without using an anonymizing service. It is reported that the FBI then requested records from the ISP responsible for that IP address, which revealed his home address (Olson, 2012).

Intrusion Detection Systems, Network Traffic and Firewall Logs

Intrusion Detection Systems (IDS) are employed to monitor network traffic and detect malicious activity. This is usually achieved by matching the contents of the network traffic against already known malicious activity (the signature); if a match is discovered, an alert is generated. It is common to perform network traffic capture in parallel with network intrusion detection; this allows for subsequent investigation of the traffic which caused the alert, with a view to discovering more detail concerning the attack, including the IP addresses involved. Firewall and system logs also capture IP addresses and can hold information regarding malicious activity. Thus the information supplied by these systems can offer incriminating evidence relating to both the source of the breach and the severity of the crime, which could be sufficient to issue a warrant for search or arrest.
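The detection-and-corroboration workflow described above, as an added illustration that is not part of the chapter: a content signature matcher is run over a constructed packet capture, and every alert is then cross-referenced against a constructed firewall log to count the entries corroborating each source address. The signatures, packets and log lines are all constructed here (addresses come from the RFC 5737 documentation ranges); the log format imitates netfilter output but is not taken from any real system.

```python
import re
from collections import defaultdict

# Constructed content-matching signatures, in the spirit of an IDS rule set:
# a hit on any pattern in a packet payload raises an alert.
SIGNATURES = {
    "directory traversal attempt": b"../../",
    "SQL injection probe": b"UNION SELECT",
}

# Constructed packet capture: (timestamp, source IP, destination IP, payload).
PACKETS = [
    ("10:15:01", "203.0.113.45", "198.51.100.10", b"GET /index.html HTTP/1.1"),
    ("10:15:02", "203.0.113.45", "198.51.100.10", b"GET /../../config HTTP/1.1"),
    ("10:15:07", "192.0.2.77", "198.51.100.10", b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
    ("10:15:09", "198.51.100.22", "198.51.100.10", b"GET /about HTTP/1.1"),
]

# Constructed firewall log (netfilter-like format) captured in parallel with the traffic.
FIREWALL_LOG = """\
Mar  3 10:15:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=80
Mar  3 10:15:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=80
Mar  3 10:15:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=80
Mar  3 10:15:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=80
"""

FW_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def match_signatures(packets, signatures=SIGNATURES):
    """Signature-based detection: one alert per (packet, matching signature)."""
    alerts = []
    for ts, src, dst, payload in packets:
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append({"time": ts, "src": src, "dst": dst, "signature": name})
    return alerts


def parse_firewall_log(text):
    """Extract the address and port fields from each firewall log line."""
    return [m.groupdict() for m in (FW_RE.search(line) for line in text.splitlines()) if m]


def correlate(alerts, fw_entries):
    """Group alerts by source IP and count the firewall entries that corroborate each
    source: the per-address summary an investigator would attach to a warrant request."""
    by_src = defaultdict(lambda: {"signatures": set(), "firewall_hits": 0})
    for a in alerts:
        by_src[a["src"]]["signatures"].add(a["signature"])
    for e in fw_entries:
        if e["src"] in by_src:
            by_src[e["src"]]["firewall_hits"] += 1
    return dict(by_src)


if __name__ == "__main__":
    report = correlate(match_signatures(PACKETS), parse_firewall_log(FIREWALL_LOG))
    for src, info in report.items():
        print(src, sorted(info["signatures"]), "firewall entries:", info["firewall_hits"])
```

The summary identifies the public-facing address that sent the traffic, nothing more; as the next sections explain, with IP spoofing or a Tor exit node that address may not belong to the person of interest at all, which is why the firewall corroboration and the subsequent ISP records request matter.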

Interviews with Suspects

Interviews of suspects following arrest can also be used to gain sufficient grounds for a search warrant where other involved parties are identified. For example, it is widely documented that subsequent to his arrest Sabu turned informer for the FBI, supplying information which subsequently led to the arrest and seizure of equipment from other members of LulzSec (Olson, 2012).

Analysis of Suspect’s Media

Evidence that incriminates a suspect’s allies in cybercrime can sometimes be found through forensic investigation of their media storage, or via access to Virtual Private Servers (VPS) being used. Again, this evidence may be sufficient to lead to a warrant for seizing the equipment of collaborating parties (see Chapters 6 and 8).

Doxing

To allow for group collaboration, certain black hat hacking fraternities organize their attacks publicly via online communication channels such as IRC and Twitter. This information is often deeply self-incriminating; however, as long as the true identity of the author is hidden behind an alias, they remain anonymous and thus safe. Hence one of the principal objectives in identifying a malicious party is often to associate them with their online persona, e.g., IRC handle, nickname, or Twitter username. In the digital forensic and hacking communities the term “doxing” describes how this can be achieved. Doxing is a term derived from the words document and tracing and is essentially the process of collecting information about Internet users which they would rather not be known, and which they are probably not aware they have made publicly available. Performing a successful “dox” involves gathering information such as full name, date of birth, usernames, email accounts, home addresses, phone numbers, personal images and, of course, the online nicknames and handles of an individual. The techniques and practices necessary to perfect doxing involve a deep understanding of search engine operators, and of how to collect together information from online sources such as social media, online advertising or anywhere else where information may have been published or leaked. They involve intelligent methods of cross-referencing information between sources to build a profile of the suspect. Again, for the cyber investigator the aim here is to associate the incriminating evidence published via an alias with the suspect’s true identity, with a view to gaining a search and/or arrest warrant.

Collecting Evidence

Once a search warrant has been granted, evidence of the suspected crime needs to be obtained; there are strict guidelines for how equipment should be seized, digital images acquired and evidence stored. These guidelines can vary depending upon the jurisdiction in which the suspected crime took place; however, they all share processes related to the physical requirements, e.g., preservation of evidence. These will be discussed in the following sections.

Seizing Equipment

It is essential that strict guidelines surrounding the seizure of equipment are adhered to. Data on computer equipment is both dynamic and volatile and seizing equipment incorrectly can lead to accidental deletion, modification or contamination of the evidence. The following section offering guidance in this process has been created in part from the Association of Chief Police Officers (ACPO) reference “Good Practice Guide for Computer-Based Electronic Evidence” (7Safe, 2007).

Initially, the area needs to be secured, meaning only law enforcement agents should be present in the area surrounding the equipment. All people unfamiliar with the process should be kept back from the equipment to reduce the risk of accidentally compromising the evidence. The area should be photographed and video recorded accurately, ensuring as much detail as possible is captured regarding how the equipment is connected. In addition all connections should be labeled to ensure the equipment can be successfully reconnected as it was, at a later time.

If the computer system appears powered off, this should first be confirmed. The unit could be in sleep mode, or a blank screen saver could be giving the impression that it is powered down. All lights should be examined to confirm that they are not lit, for example, hard drive activity lights. If after careful examination it is considered to be in sleep mode then it should be treated as powered on (see the following paragraph). If it is confirmed as switched off it should not be powered on, as doing so will immediately compromise the validity of the evidence and allow the suspect to repudiate it on the grounds that there has been interaction with the media by law enforcement. After ensuring that all cables, connections and system equipment have been labeled and recorded as previously discussed, the system and all the peripherals and surrounding equipment can be disconnected and seized. If the system is a laptop then the battery should be removed to ensure that it is entirely powered down and cannot be accidentally turned on.

If the computer is powered on it is considered to be “live.” Images on the screen should be photographed; once this has been done there are two possible paths available. The computer can be turned off, to prevent any contamination of the evidence. If this option is chosen then it is advisable to unplug the system, or disconnect the battery if it is a laptop, rather than take the usual action of shutting down the system from within the operating system. This is intended not only to limit the interaction with the live system, but also to address the possibility that the malicious party has set the machine to delete files on shutdown. However, turning off a live system can result in losing crucial ephemeral evidence stored in volatile RAM, for example decryption keys and remnants of conversations in chat rooms and on social media. The alternative approach is to acquire the contents of RAM from the live system by extracting a memory dump. The details of when and how this should be done are discussed in the RAM acquisition section which follows. With the RAM acquisition complete the system can be powered down in the manner previously described.

Finally, all equipment seized must be recorded using unique identifiers and have exhibit tags attached. All actions taken in the area at the time of the seizure should be documented. All reasonable efforts should be taken to prevent inadvertent operation of equipment, e.g., placing tamper proof tape over USB ports, and as previously discussed ensuring the batteries are removed from laptops. Tamper-proof tape should also be used on containers to ensure that the evidence is not modified or damaged during transport. Any subsequent movement of this evidence must be check-in, check-out documented to preserve the chain of custody.

Search for Written Passwords

The nondisclosure of passwords for both encryption and authentication can be a source of frustration for forensic analysts. Files encrypted with 256-bit keys and complex passwords cannot be cracked in a meaningful timeframe. Understandably, suspects are often not obliging in giving up these passwords. In the UK “The Regulation of Investigatory Powers Act 2000” makes it a criminal offence to “fail to disclose when requested a key to any encrypted information.” However, the usual defense against this is for the suspect to claim to have forgotten their password. In these circumstances there is little that can be done by law enforcement. Ironically, if the suspect later admits to knowing the password and reveals it, they can be charged with the offence of originally withholding it. However, as most malicious hackers understand the need for independent, unique and complex passwords to ensure privacy, it is possible that the password is too difficult for them to remember and hence has been written down. All papers in the area should be seized as these may contain passwords. Books should be seized too, as one common practice is to insert written passwords within their pages. Other common hiding places should also be considered, e.g., under the mattress of a bed. Finding hard copies of passwords is sometimes the only method of deciphering encrypted data from the media.

Forensic Acquisition

The most fundamental step in ensuring the evidence remains admissible is to ensure the original media does not get altered during the process. This section discusses how to maintain the integrity of the evidence during the creation of an image from the media.

RAM

There is an inherent risk involved in acquiring a memory dump; thus a risk assessment should be performed to weigh the potential benefit against the risk for the given situation. If it is both required and relatively safe then it may be performed; however, extreme care should be taken both to limit, and to explain, the acquisition footprint which will be left on the system. While courts are beginning to accept that a footprint will be introduced (Wade, 2011), it is essential that the correct tools and methods are used and that the entire process is documented, preferably video recorded, to reduce the likelihood that the acquisition footprint becomes the undoing of a case. Some applications such as chat room, malware and cryptography programs may employ anti-memory-dumping technologies designed to prevent data being read from protected areas of RAM. These protection mechanisms cause the dump to contain garbage, e.g., random values or zeroes, instead of the valid contents of memory. Other applications utilize anti-debugging protection that can cause a system to lock or reboot on an attempt to read protected RAM. Due to the development of these anti-forensic methods it is desirable to use a memory-capturing tool that operates in “kernel” rather than “user” mode. Kernel mode allows unrestricted access to the underlying hardware, e.g., RAM, is less likely to compromise the evidence through a system crash, and will not provide false evidence (Anson, et al. 2012). The tools selected should also leave as small a footprint as possible, and operate in read-only mode. Most RAM acquisition tools are portable, usually taking the form of a USB device, and require no installation, again to limit the footprint. Once the memory dump has been taken the computer should be shut down using the methods previously discussed.

Image

It is essential that the process of forensically analyzing the media does not introduce any contaminants from the investigator. Interacting with storage media without appropriate precautions will cause data to be written to the media and potentially invalidate the evidence. In order to reduce the likelihood of this happening, forensic analysis should not be performed on the actual media storage device seized but should instead be performed on an image, that is, a sector-by-sector replica of the media. There are many software tools to allow an image to be acquired from the media, and it is not within the scope of this work to discuss them individually. However, it is recommended that the selected tool should boot from a live CD/DVD and that the evidence is mounted by the tool in “read only” mode to reduce the likelihood of accidentally writing to it. Further reassurance that the evidence has not been contaminated can be provided through the use of write blockers. Write blockers are devices which are placed in line between the system being used to analyze the media and the media storage device itself. They allow read commands to be passed through to the media storage device, but block write commands. Write blockers are readily available and allow for attachment to a variety of different interfaces, e.g., USB, FireWire, SCSI, and SATA controllers. Finally, when an image has been acquired it should be verified as an exact copy by comparing the hash values of the image and the original media. Hash values are fixed-size bit strings created by passing data through a cryptographic hash function. Any modification of the evidence, however small, will change its hash value. If the hash values of the acquired image and of the media being investigated differ, then either the image is invalid or the evidence itself has been compromised.
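The sector-by-sector imaging and hash verification just described, as an added example that is not code from the chapter or from any imaging tool: a constructed file stands in for the seized device, it is copied one 512-byte sector at a time into an image, both sides are hashed with SHA-256 and compared, and a single flipped byte in the image is then shown to break the verification. The file names and the device contents are constructed; the read-only open is a software courtesy only, and a hardware write blocker remains the real guarantee.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # the typical sector size the chapter describes


def hash_file(path, chunk_size=SECTOR_SIZE):
    """SHA-256 of a file, read in sector-sized chunks so large images stream through."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path, dst_path, sector_size=SECTOR_SIZE):
    """Sector-by-sector copy of the source to an image file.

    Returns (bytes_copied, source_digest, image_digest). The source digest is
    computed from the very bytes that were copied, so it is the reference value.
    """
    src_hash = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return copied, src_hash.hexdigest(), hash_file(dst_path)


def verify_image(src_path, img_path):
    """True only if the evidence and the image hash identically. Re-hashing the
    source here also catches the case where the original changed during acquisition."""
    return hash_file(src_path) == hash_file(img_path)


def demo():
    """Image a constructed 'device', verify it, then corrupt one byte of the image
    and show that verification fails. Returns (bytes_copied, verified, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "suspect_disk.bin")  # constructed stand-in for a block device
        img = os.path.join(d, "suspect_disk.dd")
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 8 + b"slack")  # four full sectors plus a partial one
        copied, src_digest, img_digest = image_device(dev, img)
        verified = src_digest == img_digest and verify_image(dev, img)
        with open(img, "r+b") as f:  # simulate accidental contamination of the image
            f.seek(700)
            original = f.read(1)
            f.seek(700)
            f.write(bytes([original[0] ^ 0xFF]))
        return copied, verified, verify_image(dev, img)


if __name__ == "__main__":
    print(demo())
```

In practice the two digests are recorded in the exhibit notes at acquisition time and re-checked whenever the image is copied or handed over, so that the chain of custody carries a verifiable value rather than an assertion.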

Forensic Analysis

A forensic investigator is usually given some remit into the purpose of the investigation, for example, what crime the suspect may be responsible for. Often though, the information shared may not be so specific. The reason for an investigator being given a narrow remit is to prevent the potential for prior knowledge bias. For example, an investigator may simply be asked to supply evidence that the profile of a machine is one which is set up for malicious hacking, or they may be asked to find evidence to support the supposition that a particular online persona and the suspect are one and the same. In such circumstances it is often desirable to ensure that the evidence found is without bias, and that it is found independently of case specifics (see Chapter 8).

While the focus of the forensic investigation will be governed by the remit presented, in most cases the digital evidence collected will be composed of one or more of the artifacts listed in Table 7.1.

Table 7.1

Digital Evidence Categories

Address books and contact lists | Configuration files | Databases
Audio files and voice recordings | Processes | Documents
Backups to various programs | Log files | Email and attachment files
Bookmarks and favorites | Organizer items | Registry keys
Browser history | Page files | Events
Chat logs | Network configuration | Hidden and system files
Calendars | Digital images | Videos
Compressed archives | Cookies | Virtual machines
Kernel statistics and modules | System files | Temporary files
Videos | Printer spooler files | Types of applications used

The methods for how these artifacts are discovered will be discussed in the following sections.

Anti-forensics

Malicious hackers are becoming increasingly aware of forensic analysis methods. As a result they often implement countermeasures to prevent an investigator harvesting useful evidence. This practice is referred to as anti-forensics, or sometimes counter-forensics. In essence the practice involves eliminating or obfuscating evidence relating to criminal activity or malicious intent. With this in mind, the primary focus of this section is hard disk media storage forensics, concentrating on where to uncover evidence stored in obscurely formatted areas of the media; areas which are either immune to anti-forensics or which simply may not have been considered by the suspect. Typical forensic analysis techniques are also discussed briefly in this section, and due to the increasing tolerance of courts in accepting RAM analysis as admissible, this too is discussed (see Chapter 8).

RAM Analysis

If a RAM dump was taken from the live system then it should be analyzed on a separate machine to avoid evidence contamination. There are many tools which can be used for RAM analysis; worthy of note is the tool Volatility, which is gaining a reputation as the principal open source command line tool for this purpose (Ligh, et al. 2014). Tools such as Volatility allow for the analysis of data such as:

• Running and recently terminated processes

• Memory mapped files

• Open and recently closed network connections

• Decrypted versions of programs, data, and information

• Cryptographic key passphrases

• Malware

Data Carving and Magic Values

One of the principal methods of RAM analysis is a technique referred to as “data carving.” Carving is the process of looking for patterns in the data, sometimes referred to as “magic values.” These values are indicative of a certain type of data being in memory. For example, Skype v3 messages start with the data “l33l,” so any area of RAM with these characters has a likelihood that a Skype message follows. Similarly, TrueCrypt (2014) passphrases contain the magic value “0x7d0.” File types existing in RAM (as well as in media storage, or traversing a network) can be identified by their magic values too. On finding data of a particular type, the data carving process may continue, depending on the type of data discovered, to extract and present the data in a way that makes it more intelligible to the forensic analyst. For example, it may be necessary to organize the data based on field boundaries, to separate these out and identify them. In most instances the forensic examiner is abstracted from the detail of these processes by the forensic tools. However, one of the principal benefits of open tools such as Volatility is that they allow the forensic examiner to code their own modules, giving the freedom to carve out data of a type not supported natively. These modules can then be made available for the benefit of the open source community (see Chapter 6).
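A minimal data carver, added here as an illustration and not code from the chapter or from Volatility: it scans a constructed stand-in for a memory dump for magic values, carves from each header to the matching trailer, and reports a header with no trailer as incomplete rather than silently dropping it. The PNG and JPEG values are the real file signatures and “l33l” is the Skype v3 prefix the chapter cites; the record layout assumed after that prefix (text ending in a NUL byte) is an assumption made for this example, not a documented Skype format. The sample buffer is constructed.

```python
# Signature table: type -> (header, trailer).
# PNG/JPEG values are the real file magic values; "l33l" is the prefix the chapter cites.
# The NUL-terminated text assumed after "l33l" is a simplification for this example.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "skype": (b"l33l", b"\x00"),
}


def find_all(buf, pattern):
    """Yield every offset at which pattern occurs in buf."""
    i = buf.find(pattern)
    while i != -1:
        yield i
        i = buf.find(pattern, i + 1)


def carve(buf, signatures=SIGNATURES, max_len=1 << 20):
    """Locate each magic value and carve from the header to the matching trailer.

    A hit with no trailer within max_len bytes is reported as incomplete rather
    than dropped: in a memory dump the rest of the object may simply have been
    paged out or overwritten, and the partial hit is still evidence of the type.
    """
    hits = []
    for kind, (header, trailer) in signatures.items():
        for off in find_all(buf, header):
            end = buf.find(trailer, off + len(header), off + max_len)
            if end == -1:
                hits.append({"type": kind, "offset": off, "data": None, "complete": False})
                continue
            end += len(trailer)
            if kind == "png":
                end += 4  # the IEND chunk is followed by its 4-byte CRC
            hits.append({"type": kind, "offset": off, "data": buf[off:end], "complete": True})
    return sorted(hits, key=lambda h: h["offset"])


def carved_messages(hits):
    """Present carved chat records as text: strip the prefix and the NUL terminator."""
    return [h["data"][4:-1].decode("utf-8", "replace")
            for h in hits if h["type"] == "skype" and h["complete"]]


def build_sample_ram():
    """Constructed stand-in for a RAM dump: filler, a minimal PNG, a chat record,
    and a JPEG header whose remainder is missing."""
    filler = bytes(0x41 + (i % 26) for i in range(300))
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\xde\xad\xbe\xef"
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    chat = b"l33l" + b"meet at the usual place\x00"
    truncated_jpeg = b"\xff\xd8\xff\xe0" + b"\x10" * 20
    return filler + png + filler + chat + filler + truncated_jpeg


if __name__ == "__main__":
    hits = carve(build_sample_ram())
    for h in hits:
        print(f"{h['type']:6} @ {h['offset']:5} complete={h['complete']}")
    print(carved_messages(hits))
```

Header-to-trailer carving is the simplest strategy and has a known weakness: a JPEG that embeds a thumbnail contains an inner FFD9 trailer, so the carve ends early. Format-aware carvers walk the chunk or segment structure instead of searching for the trailer, which is exactly the kind of refinement a custom Volatility module would add.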

Media Storage Forensics

This section focuses on both the known and obscure practices and processes of analyzing media storage devices for forensic evidence. Included here is a brief synopsis of the structure and format of a hard disk, to give some background context to the subsequent sections.

The Structure and Format of a Hard Drive

Hard disks are composed of one or more spinning disks coated with magnetic film, called platters. Each platter is divided into concentric bands called tracks; tracks located at the same position on each platter are collectively referred to as a cylinder. Each track is divided into sectors, with each track having an identical number of sectors regardless of its position on the platter; thus sectors are more densely packed towards the center of the platter. A sector is the smallest possible area of storage available on a disk and is typically 512 bytes in size. Information is read from and written to the sectors using heads which generate magnetic fields as instructed by the disk controller, which in turn receives its instructions from the file and operating systems. Although both sides of the platter are used to store information, one side of one of the platters is used for track positioning information; this information is coded at the factory and is used to align the heads when moving between tracks and sectors. The number of sectors and tracks and their positioning is set at the factory using a process referred to as low level formatting. Low level formatting is only performed once and is not performed by the user of the hard disk after purchase, although the term low level format (LLF) is sometimes erroneously used to describe the process of re-initializing a disk to its factory state.

The way in which the computer communicates with a hard disk is set via the computer’s Basic Input Output System (BIOS). It is within the BIOS that the addressing scheme, e.g., logical block addressing (LBA), is set for the drive. A logical block address is a 28-bit address which maps to a specific sector of a disk. It should be noted that while LBA is the most widespread addressing scheme, others are common, e.g., the older cylinder, head, sector (CHS), or the up and coming globally unique identifier (GUID) addressing scheme.

Partitions

Partitions are the divisions of a hard drive; each partition can be formatted for use by a particular file system. Within current IBM PC architecture it is possible to have up to four partitions, one of which can be an extended primary partition. An extended partition can be subdivided further allowing for the creation of an additional 24 logical partitions as shown:

Primary partition #1

Primary partition #2

Primary partition #3

Primary partition #4

Logical partition #1

Logical partition #2

Logical partition #3

Logical partition #24

One of the primary partitions will be flagged as the active partition and this is the one which will be used to boot the computer into an operating system. Creating the first partition on the drive will result in the creation of the master boot record (MBR) which, amongst other responsibilities, holds information concerning the partitions.

Master Boot Record

The MBR is stored on the first sector of the hard disk and is created along with the first partition on the drive. It is loaded into memory as one of the first actions during system start up. The MBR is comprised of a small section of operating system independent code, a disk signature, the partition table and an MBR signature. The disk signature is a unique four byte identifier for the hard drive, that is to say it should be unique for each drive attached to a system. It is used for purposes such as identifying the boot volume, and associating partitions and volumes with a specific drive. The MBR signature, sometimes referred to as the magic number, is set to the value 0xAA55, which simply identifies it as a valid MBR. The partition table informs of the start position and length of each partition on the hard disk. During system start up the MBR code is executed first, and is responsible for parsing the partition table and identifying which partition is marked as active. Once the active partition is identified control is passed to that partition’s boot sector, sometimes referred to as the volume boot record (VBR). The VBR is created when the drive is high level formatted for use with a particular operating system.
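An MBR parser, added as a worked example that is not code from the chapter or from any forensic tool. It reads the disk signature, checks the 0xAA55 magic number before trusting anything else, decodes all four partition table entries (including the 3-byte CHS fields of the older addressing scheme alongside the LBA start and length), and reports which entry is flagged active. The sample MBR is constructed in code, and its disk signature value is arbitrary; the field offsets and the entry layout are the standard ones.

```python
import struct

MBR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte disk signature
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries
MBR_SIGNATURE_OFFSET = 0x1FE    # bytes 0x55 0xAA, read little-endian as 0xAA55
MBR_SIGNATURE = 0xAA55
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS first, type, CHS last, LBA start, sector count

# A few well-known partition type codes, for readable output.
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def decode_chs(b):
    """Unpack the 3-byte CHS field into (cylinder, head, sector)."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def parse_mbr(mbr):
    """Parse one 512-byte MBR sector into its disk signature and partition entries.

    Raises ValueError if the sector is not a valid MBR, which is the check an
    analyst makes before trusting anything else in the partition table.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    sig = struct.unpack_from("<H", mbr, MBR_SIGNATURE_OFFSET)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}, expected 0xAA55")
    disk_sig = struct.unpack_from("<I", mbr, DISK_SIGNATURE_OFFSET)[0]
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        status, chs_first, ptype, chs_last, lba_start, count = fields
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "chs_first": decode_chs(chs_first),
            "chs_last": decode_chs(chs_last),
            "lba_start": lba_start,
            "sector_count": count,
            "lba_end": lba_start + count - 1,
        })
    return {"disk_signature": disk_sig, "partitions": partitions}


def active_partition(parsed):
    """Return the single entry flagged active, or None. Zero or several active
    flags is itself an anomaly worth recording in the report."""
    active = [p for p in parsed["partitions"] if p["active"]]
    return active[0] if len(active) == 1 else None


def build_sample_mbr():
    """Constructed MBR: an active NTFS partition followed by an extended partition."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIGNATURE_OFFSET, 0x12345678)  # constructed value
    entries = [
        (0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800),
        (0x00, b"\xfe\xff\xff", 0x05, b"\xfe\xff\xff", 206848, 409600),
    ]
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i, *entry)
    struct.pack_into("<H", mbr, MBR_SIGNATURE_OFFSET, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(f"disk signature 0x{info['disk_signature']:08X}")
    for p in info["partitions"]:
        print(p)
```

The LBA start and end of each entry are what an examiner compares against the sectors actually occupied on the disk: space before the first partition, gaps between partitions, and space after the last one are all candidates for hidden data, and the CHS value 1023/254/63 seen above is the conventional “out of range” marker that appears once a partition extends beyond what CHS can address.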

The VBR and BIOS Parameter Block

The VBR contains the operating system specific code necessary to load the operating system, along with a BIOS parameter block (BPB) which describes the partition’s file system format, e.g., the number of sectors per track and the number of sectors per cluster. Clusters, often referred to as allocation units or AUs, are the smallest storage area accessible by the operating system. The file system allocates multiple sectors, e.g., eight, to an individual cluster to reduce the overhead of disk management; this results in faster read and write speeds but also results in some disk space being wasted when storing files, or parts of files, which are smaller than the cluster size. This wasted space in the clusters is referred to as slack space.

File System

Numerous file systems exist which support numerous different operating systems, each works differently yet all have the same primary aim; namely to manage how files and directories are stored, indexed, written and read. Along with the VBR they are created at the point at which the drive is formatted, and are loaded during the boot process from the VBR. Examples of file systems are NTFS, FAT32, ext4, XFS, and btrfs. Detailed discussion of file systems is beyond the scope of this chapter.

File Table

File tables hold information about each and every file, including its location, size, permissions, time stamps and whether it has been deleted, i.e., whether the space has been marked for re-use. This information is itself recorded in special files used by the file system, and therefore the file table will have a self-referencing entry. With NTFS the two files used to store this information are $MFT and $Bitmap; the former holds the information concerning the files and the latter records which clusters are used and unused.

Searching for Evidence

There are many forensic tools available to allow forensic analysis; some are proprietary, and others are on free or open source licenses. Proprietary tools such as Encase (Guidance Software, 2014) and FTK (Access Data, 2014) are used extensively by law enforcement, with freeware and open source tools such as Autopsy (Carrier, 2013) gaining popularity with independent investigators and consultants. Individual tools have their own sets of strengths and weaknesses and it is not the intention to compare them here. However, they do carry some similarities in terms of functionality and operation, and the objectives of the investigation are the same regardless of the tool or tools selected. Thus the discussion in this section will cover how artifacts are discovered and uncovered from hard drives and will not focus on the practicalities of how the tools are used to achieve this (also see Chapters 6 and 8).

Keyword and Phrases Search

The primary tool of most investigative forensic software is its search facility. Searching can be performed for a word or phrase which is pertinent to the investigation. The word or phrase could match on the hard drive as ASCII text or may form part of a composite file. Composite files are those which rely on an application to render their information, for example, zip files, email files, Microsoft Office and Adobe documents; most investigative tools can render the formats of the most common composite files. Searches can also be used to find files themselves by matching keywords against their file names. Particular composite file types can be identified and catalogued too, for instance, image files such as jpeg, bmp, and png files. These searches should be performed using the files' magic numbers, which were discussed earlier. This prevents malicious parties hiding a file's true purpose by changing its extension. Most forensic tools offer a facility to mark any evidence you find of consequence and associate it with a case. Some also allow files to be viewed using inbuilt native applications which do not write to the evidence, thus maintaining its integrity (see Chapter 6).
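The two techniques in this section, keyword searching over raw disk data and identifying file types by magic number rather than by extension, can be shown in a few lines. The Python below is an added example and is not code from the chapter or from Encase, FTK or Autopsy. The signature table is a small, well-known subset of real file headers; the disk image it searches is a constructed byte string containing an ASCII phrase, a PNG header and the same phrase again in UTF-16LE, the encoding Windows uses for much of its own text.

```python
import re

# Well-known file signatures (magic numbers) found at offset 0 of the file.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"BM": "bmp",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/pptx
}
# Extensions that legitimately map onto one of the types above.
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}

# Constructed sample "image": a keyword in ASCII, a PNG header with the start
# of its IHDR chunk, and the keyword again encoded as UTF-16LE.
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"meeting notes: transfer to offshore account\x00"
    + b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 20
    + "offshore".encode("utf-16-le")
    + b"\x00" * 8
)

def identify_by_magic(data):
    """Return the type implied by the file header, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def extension_mismatch(filename, data):
    """True when the header says the file is something other than its name claims."""
    actual = identify_by_magic(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    return actual is not None and claimed != actual

def keyword_search(image, keywords):
    """Offsets of every ASCII and UTF-16LE occurrence of each keyword in raw bytes."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(kw.encode(enc))
            for m in re.finditer(pattern, image, re.IGNORECASE):
                hits.append((m.start(), kw, enc))
    return sorted(hits)

def carve_by_magic(image):
    """(offset, kind) for each sufficiently long signature found anywhere in the image.
    Two-byte signatures such as BM are skipped here: alone they produce far too
    many false positives, and real carvers validate the header fields that follow."""
    found = []
    for magic, kind in SIGNATURES.items():
        if len(magic) < 4:
            continue
        for m in re.finditer(re.escape(magic), image):
            found.append((m.start(), kind))
    return sorted(found)

if __name__ == "__main__":
    print(keyword_search(SAMPLE_IMAGE, ["offshore"]))
    print(carve_by_magic(SAMPLE_IMAGE))
    png = SAMPLE_IMAGE[100:]
    print("holiday.jpg mismatch:", extension_mismatch("holiday.jpg", png))
```

Searching both encodings matters because a term typed into a Windows dialog, a registry value or an MRU list is stored as UTF-16LE and will never match a plain ASCII search; the constructed image shows the same keyword being found at both offsets.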

Recovering Deleted Information

The deletion of files, folders, and partitions is not necessarily permanent, and deleted data can often be recovered. Recovery of files, folders, and partitions is briefly discussed here.

Recovering Deleted Files and Folders

The deletion process for files and folders simply marks the clusters used by the deleted file or folder as unallocated in the file table. Until the clusters are physically overwritten, the data in the file or folder remains accessible in the unallocated clusters. Most forensic tools will allow for identification and recovery of deleted files where the clusters have not yet been overwritten.
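To make the file table, cluster bitmap and deletion behaviour described in this section and in the File Table section concrete, the following Python models a miniature NTFS-like volume. It is an added example, not code from the chapter or from any forensic tool, and its cluster size of 16 bytes and the file contents are invented so that the whole volume fits on screen. It shows why a deleted file is recoverable (the record and the data are left in place; only the in-use flag and the bitmap bits change) and what happens once another file reuses part of its clusters.

```python
CLUSTER_SIZE = 16   # deliberately tiny; real volumes use 4096 bytes or more

class ToyVolume:
    """A constructed miniature of an NTFS-like volume: a cluster array (the
    disk), a $Bitmap of allocated clusters and a file table of records."""

    def __init__(self, n_clusters=16):
        self.disk = bytearray(n_clusters * CLUSTER_SIZE)
        self.bitmap = [False] * n_clusters        # True = cluster allocated
        self.table = []                           # file records ($MFT analogue)

    def _free_clusters(self, count):
        free = [i for i, used in enumerate(self.bitmap) if not used]
        if len(free) < count:
            raise IOError("volume full")
        return free[:count]

    def write_file(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE) or 1
        clusters = self._free_clusters(needed)
        for n, c in enumerate(clusters):
            chunk = data[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            # Only len(chunk) bytes are written: the tail of the last cluster
            # keeps whatever was there before, which is the slack space.
            self.disk[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.bitmap[c] = True
        self.table.append({"name": name, "size": len(data),
                           "clusters": clusters, "in_use": True})

    def delete_file(self, name):
        rec = next(r for r in self.table if r["name"] == name and r["in_use"])
        rec["in_use"] = False                     # record kept, flagged unused
        for c in rec["clusters"]:
            self.bitmap[c] = False                # clusters released, data untouched

    def recover_deleted(self):
        """Rebuild every deleted file from its record, noting clusters that the
        bitmap shows have since been handed to another file."""
        results = {}
        for rec in self.table:
            if rec["in_use"]:
                continue
            reused = [c for c in rec["clusters"] if self.bitmap[c]]
            data = b"".join(bytes(self.disk[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                            for c in rec["clusters"])[:rec["size"]]
            results[rec["name"]] = {
                "status": "overwritten" if reused else "intact",
                "reused_clusters": reused,
                "data": data,
            }
        return results

def demo():
    """Delete a file, recover it, then let a new file reuse two of its clusters."""
    vol = ToyVolume()
    vol.write_file("plan.txt", b"wire 40000 to account 7781 on friday")  # 36 bytes, 3 clusters
    vol.delete_file("plan.txt")
    before_reuse = vol.recover_deleted()["plan.txt"]
    vol.write_file("cover.txt", b"nothing to see here")                  # 19 bytes, reuses clusters 0 and 1
    after_reuse = vol.recover_deleted()["plan.txt"]
    return before_reuse, after_reuse

if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

The second recovery returns a mixture: the first cluster now belongs entirely to the new file, the second holds three bytes of the new file followed by thirteen bytes of the old one (the new file's slack), and the third cluster is still intact. That partial survival is why carving unallocated and slack space can still yield fragments long after a file has been "overwritten".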

Recovering Deleted Partitions

Deleting partitions makes the data inside them unavailable to the operating system; however, the data itself is not destroyed at the point of deletion and can often be recovered. Information concerning which sectors the deleted partition used to occupy is recorded in the partition table held in the MBR. Most tools will parse the information in the partition table, allowing the examiner to see the names of partitions, deleted or otherwise, and which sectors they start and end at. Using this information the VBR, or backup VBR, for any individual partition can be located. The location differs depending on the file system used, but is well documented for all common file systems. Once located, most tools will parse the information in a VBR, allowing the examiner to rebuild the deleted partition.
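The MBR layout from the start of this section and the partition rebuild just described come together in the following Python, an added example that is not code from the chapter or from any forensic tool. It constructs a small disk image (256 sectors of 512 bytes, an invented disk signature and two NTFS-style volumes, each with a primary VBR in its first sector and a backup VBR in its last, as NTFS does), zeroes the partition table entry of the second volume to "delete" it, then parses the MBR and scans the image for VBR signatures to recover the deleted partition's start and length. The MBR offsets (disk signature at 0x1B8, partition table at 0x1BE, signature 0x55AA at 0x1FE) and the NTFS total-sectors field at 0x28 of the VBR are real; everything else is constructed.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # four 16-byte partition entries
DISK_SIG_OFFSET = 0x1B8    # four-byte disk signature

def make_vbr(volume_sectors):
    """Constructed NTFS-style boot sector carrying only the fields scanned for."""
    vbr = bytearray(SECTOR)
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, SECTOR)
    struct.pack_into("<Q", vbr, 0x28, volume_sectors)   # NTFS "total sectors" field
    vbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(vbr)

def make_image(total_sectors, partitions, disk_signature=0x12345678, deleted=()):
    """Constructed disk image: an MBR plus NTFS-style volumes. NTFS keeps a
    backup VBR in the partition's last sector, so the volume's total-sectors
    field is the partition length minus one. Entries listed in `deleted`
    are left zeroed in the table, which is what deleting a partition does."""
    img = bytearray(total_sectors * SECTOR)
    struct.pack_into("<I", img, DISK_SIG_OFFSET, disk_signature)
    img[0x1FE:0x200] = b"\x55\xAA"
    for i, (start, length, active) in enumerate(partitions):
        vbr = make_vbr(length - 1)
        img[start * SECTOR:(start + 1) * SECTOR] = vbr                          # primary VBR
        img[(start + length - 1) * SECTOR:(start + length) * SECTOR] = vbr      # backup VBR
        if i in deleted:
            continue
        entry = PT_OFFSET + 16 * i
        img[entry] = 0x80 if active else 0x00   # status byte: 0x80 = active/bootable
        img[entry + 4] = 0x07                   # partition type: NTFS/exFAT
        struct.pack_into("<II", img, entry + 8, start, length)   # start LBA, sector count
    return bytes(img)

def parse_mbr(img):
    """Disk signature and the non-empty partition table entries."""
    if img[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no MBR signature (0xAA55)")
    parts = []
    for i in range(4):
        e = img[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        start, length = struct.unpack_from("<II", e, 8)
        if length == 0:
            continue   # empty (or deleted) entry
        parts.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                      "start": start, "sectors": length})
    return {"disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFFSET)[0],
            "partitions": parts}

def is_ntfs_vbr(sector):
    return sector[3:11] == b"NTFS    " and sector[0x1FE:0x200] == b"\x55\xAA"

def recover_partitions(img):
    """Locate NTFS volumes by their VBR signature, independent of the table.
    A primary VBR found at sector s with total-sectors n should have its
    backup at s + n; that backup is then not reported as a second volume."""
    n_sectors = len(img) // SECTOR
    found, claimed = [], set()
    for s in range(n_sectors):
        if s in claimed:
            continue
        sec = img[s * SECTOR:(s + 1) * SECTOR]
        if not is_ntfs_vbr(sec):
            continue
        vol = struct.unpack_from("<Q", sec, 0x28)[0]
        backup = s + vol
        has_backup = backup < n_sectors and is_ntfs_vbr(img[backup * SECTOR:(backup + 1) * SECTOR])
        if has_backup:
            claimed.add(backup)
        found.append({"start": s, "sectors": vol + 1,
                      "backup_vbr": backup if has_backup else None})
    return found

def deleted_partitions(img):
    """Volumes found by signature scan that the partition table no longer lists."""
    listed = {(p["start"], p["sectors"]) for p in parse_mbr(img)["partitions"]}
    return [v for v in recover_partitions(img) if (v["start"], v["sectors"]) not in listed]

if __name__ == "__main__":
    image = make_image(256, [(8, 100, True), (120, 100, False)], deleted=(1,))
    print(parse_mbr(image))
    print("recovered by VBR scan:", recover_partitions(image))
    print("missing from table:", deleted_partitions(image))
```

The scan reports the second volume starting at sector 120 with 100 sectors even though its table entry is gone, and confirms the find by locating the matching backup VBR at sector 219. On a real drive the same approach applies with the documented VBR locations for each file system, and the examiner would then feed the recovered start and length to the tool's partition rebuild.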

Where Evidence Hides

The following sections will discuss some of the more intricate hiding places that exist within Microsoft Windows operating systems. Some of these places may get overlooked in a forensic examination, and yet they frequently hold much sought-after forensic evidence.

Registry

The registry is responsible for holding system settings and configuration information for all aspects of the Windows operating system and installed software. In modern Windows operating systems the registry is composed of five files stored in the folder Winnt\system32\config, namely Default, System, Security, Software and Sam, with another file, Ntuser.dat, being present for each user of the system (Nelson, et al. 2010). Their purpose is shown in Table 7.2.

Table 7.2

Registry Files

Registry File | Purpose
Default | Holds the computer's system settings
System | Holds additional system settings
Security | Holds the computer's security settings
Software | Holds settings for installed software and related usernames and passwords
Sam | Holds user account information
Ntuser.dat | Holds user-specific data, e.g., desktop and recently used files

On a live system the registry can be examined and modified using the registry editor, regedit. Regedit combines the information stored in the files into hives, a format designed to make their information more accessible to the user. This information is organized within handle keys, referred to as HKEYs, which in turn contain sub-keys and associated values (name, type, and data). These keys are HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU), HKEY_CURRENT_USER (HKCU), HKEY_CLASSES_ROOT (HKCR), and HKEY_CURRENT_CONFIG (HKCC). The function of each of these keys is shown in Table 7.3 (Nelson, et al. 2010).

Table 7.3

HKEY Functions

HKEY | Function
HKLM | Contains the system's installed hardware, software and boot information
HKU | Contains the settings for all currently active user profiles on the system
HKCU | A symbolic link to HKU for your user id, i.e., the account you are logged in with
HKCR | A symbolic link to an HKLM key containing file type and extension information
HKCC | A link to HKLM for the hardware profile in use

Most investigators will use a tool which allows them to carve data from registry files and present it in a view adapted for investigation. Although the registry of most Windows systems is large and complex and a full discussion of it would be beyond the scope of this work, some key areas which could be of interest to forensic examiners are shown in the following table which has been summarized from Access Data’s quick find registry chart (AccessDataGroup, 2010):

NTUser.dat | Sam | System
Chat rooms visited | Installed application list | Pagefile
IE auto-logon, passwords, typed URLs | Last access of applications | System's IP address, default gateway
Start-up programs (a) | System boot programs | Mounted devices (b)
EFS certificate thumbprint | Wired/wireless connections | Storage media information
Outlook and POP3 passwords | Shared folders list | Removable media information
Most recently used lists (see following) | Last logon time for user | Computer's name
FTP access | Registered owner | System's configuration settings

(a) Particularly useful for detecting Trojans.

(b) Used to associate any discovered evidence on removable storage with the PC.

Most Recently Used Lists

Most recently used (MRU) lists are designed as a convenience for the user. When certain user input fields are revisited, users can either see the previously entered information in a list, or it may be autocompleted while typing. These lists are mostly extracted from NTuser.dat. Examples of MRU lists include: mapped network drives, media player, windows which have been opened, saved or copied, applications opened in the run box, Google history, recently accessed documents, and search terms used in the search box.

LastWrite Time

Every time a key is accessed, created, deleted, or modified, the time is recorded. This is referred to as the "LastWrite" time. It allows an investigator to create a timeline of activity, for example, when a USB hard drive was last inserted, when a piece of software was installed, and so on.
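Registry LastWrite times are stored as Windows FILETIME values (64-bit counts of 100-nanosecond intervals since 1 January 1601 UTC), and converting them correctly is the first step of any timeline. The Python below is an added example, not code from the chapter or from any registry tool: it converts FILETIME values in both directions and orders a set of constructed key records into a timeline. The key paths are typical locations (USBSTOR for removable drives, Uninstall for installed software, Run for start-up programs) but the timestamps are invented.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    if ft < 0:
        raise ValueError("FILETIME cannot be negative")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Aware datetime -> Windows FILETIME, for building test data and comparisons."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

# Constructed LastWrite records: (key path, FILETIME), in the shape a registry
# parser hands back. Paths are typical locations; the times are invented.
SAMPLE_KEYS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk",
     datetime_to_filetime(datetime(2014, 2, 21, 9, 14, 3, tzinfo=timezone.utc))),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp",
     datetime_to_filetime(datetime(2014, 2, 20, 18, 2, 45, tzinfo=timezone.utc))),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     datetime_to_filetime(datetime(2014, 2, 19, 8, 0, 0, tzinfo=timezone.utc))),
]

def build_timeline(records):
    """Sort (key, FILETIME) records into chronological (datetime, key) pairs."""
    return sorted((filetime_to_datetime(ft), key) for key, ft in records)

def format_timeline(records):
    """Human-readable timeline lines, always in UTC to avoid time-zone confusion."""
    return ["%s  %s" % (dt.strftime("%Y-%m-%dT%H:%M:%SZ"), key)
            for dt, key in build_timeline(records)]

if __name__ == "__main__":
    for line in format_timeline(SAMPLE_KEYS):
        print(line)
```

Keeping every timestamp in UTC and converting only for presentation avoids the classic error of mixing the suspect machine's local time with the examiner's; the well-known check value is that FILETIME 116444736000000000 is exactly the Unix epoch, 1 January 1970.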

Hiberfil.sys

Hibernation is a feature employed by modern Windows operating systems to allow the system to be entirely shut down and yet maintain its last working state when powered back up. This is performed by copying the system's RAM into a file at the time when the system is put into hibernation, and restoring it from the file when the machine is restarted. This file is called hiberfil.sys and is located in the root of the drive, usually labeled C:, and its size reflects the amount of system RAM available. As you would expect, it is possible to extract potentially vital evidence from this file, in much the same way as it can be with RAM analysis. The structure of the file is not well documented at the time of writing, with only a limited number of tools able to carve the file. Worthy of note again, however, is the Volatility tool, which includes a plugin, imagecopy, allowing hiberfil.sys to be converted into a raw image. This image can then be analyzed using Volatility, or other tools, to find evidence, e.g., passwords, digital certificates, and malware.

Pagefile.sys

In order to allow the operating system access to larger amounts of RAM than is physically available to it, a paging file is employed. When the Windows operating system needs more RAM than is available, some of it can be written to a page file before being released, freeing physical memory. When the information in the page file is required by a running process, it is retrieved back into memory from the file. Since the file contains data which has been held in RAM, it can be an invaluable source of evidence for the examiner, e.g., contraband images, passwords, digital signatures, and so forth. All of the previously mentioned forensic tools, e.g., Encase, FTK and Autopsy, are capable of carving the pagefile.sys file to allow viewing and extraction of evidence from it.
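Both hiberfil.sys (once converted to a raw image) and pagefile.sys are, for the examiner, large unstructured byte buffers that once held RAM, and the most basic way to carve evidence from them is string extraction. The Python below is an added example and not code from the chapter, Volatility or any of the tools named: it pulls printable ASCII and UTF-16LE runs out of a buffer, records their offsets, and filters them against patterns of interest. The buffer is a constructed byte string standing in for a fragment of a page file; its contents are invented.

```python
import re

MIN_LEN = 6   # shorter runs are mostly noise in a memory dump

# Constructed fragment of a "page file": binary filler, an ASCII PEM header,
# a UTF-16LE Windows path (as Explorer stores it in memory), some bytes
# that look printable but are too short to report, and an ASCII token.
SAMPLE_DUMP = (
    b"\x00\x17\x8a\x02" * 5
    + b"-----BEGIN CERTIFICATE-----"
    + b"\xff\x00\x00"
    + "C:\\Users\\alice\\Documents\\accounts.xlsx".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x9c\x01\x3f" + b"ab" + b"\x02"
    + b"session=8f2c19"
    + b"\x00" * 4
)

def carve_strings(dump, min_len=MIN_LEN):
    """(offset, encoding, text) for every printable run of at least min_len
    characters, in both ASCII and UTF-16LE (each character followed by 0x00)."""
    out = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(out)

def grep_strings(dump, patterns, min_len=MIN_LEN):
    """Keep only the carved strings matching any of the regexes (case-insensitive)."""
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [s for s in carve_strings(dump, min_len) if any(r.search(s[2]) for r in regs)]

if __name__ == "__main__":
    for offset, enc, text in carve_strings(SAMPLE_DUMP):
        print("0x%08x %-8s %s" % (offset, enc, text))
    print(grep_strings(SAMPLE_DUMP, [r"\.xlsx$", r"certificate"]))
```

The offsets are what make this useful in practice: once a string of interest is found, the surrounding bytes can be examined in a hex viewer, and with a converted hiberfil.sys image the same offset can be handed to a memory analysis framework for structured interpretation.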

System Volume Information Folders

Operating systems from XP onwards have a feature called System Restore. System Restore holds a "snapshot" of the state of important operating system files, e.g., Windows files, on a hard drive at a given time. If something goes wrong with the PC, a failed installation of some software for instance, which causes the PC to become inoperable or unstable, it can be "rolled back," that is to say restored to this snapshot. The previous versions of the files would be recovered and the PC should become functional again. The native default behavior on Windows 7 is that these snapshots are created once a week and at the start of a software installation process. Alternatively they can be set manually. System Restore has a fixed amount of space which is used for storing the restore points and will save as many as it can into that space on a round-robin basis, with the oldest restore points being overwritten by the latest ones. The amount of space is configurable, but is 15% by default in Windows Vista and 7.

From a forensic perspective these snapshots may contain copies of files which have subsequently been deleted or modified. Of significance when considering this is that copies of files which have since become encrypted may still exist in System Volume Information folders in an unencrypted state. Thus, while it is often infeasible to decrypt certain files, it may be possible to find an unencrypted copy of them in the System Volume Information folders. The snapshots include backups of the registry, Windows system files (in the Windows folder) and the local user's profile. The user's profile contains artifacts including any files stored in the "My Documents" area, application settings, internet favorites, the user's desktop (including any files saved to it), internet cookies, links to shared folders, and the recycle bin. The latter can be particularly lucrative, as the suspect may have emptied the live system's recycle bin yet be unaware that the files are still captured in the recycle bin within the System Volume Information folders. System Volume Information folders sit on the root of the hard drive within a folder named "System Volume Information." Within this folder a separate volume copy set exists for each of the restore points created. Many forensic tools are capable of parsing the information in System Volume Information folders natively. Alternatively, the folders can be mounted as drives manually. The process for doing this is well recognized, with a step-by-step procedure documented in Microsoft's knowledge base article kb309531 (Microsoft, 2013). Once the volume has been mounted it can be captured and analyzed in the same way as a physical drive, as previously discussed.

Chapter Summary

This chapter offered guidelines and direction for forensic examiners. It discussed the considerations necessary when forming the case for a search warrant, i.e., that it is necessary to show that there are either "reasonable grounds" or "probable cause" to believe that an offence has taken, is taking or will take place. Methods of how to do this, such as associating the alleged crime with the suspect's IP address, social media accounts or IRC handle, are discussed, as are the difficulties that can be encountered when attempting to do so. Following on from this, best practice in the seizure of evidence is proffered; this includes how to avoid contaminating digital evidence and how to minimize the acquisition footprint. The use of write blockers is discussed for media storage devices, and the need for a risk-reward analysis prior to RAM forensics is highlighted. In order to offer context, the structure and format of hard drives is documented, including the physical structures, e.g., platters and heads, along with the logical structures such as sectors and clusters. How file systems and operating systems make use of the media is also described, e.g., file tables and master and volume boot records. In the final section some of the more fertile search areas for forensic evidence are emphasized, along with how the data in these areas are formatted and how they can be rendered. The Windows registry, hiberfil.sys, pagefile.sys, and the System Volume Information folders are discussed to this end.

References

7Safe. Good Practice Guide for Computer-Based Electronic Evidence. London: 7Safe; 2007.

Access Data. FTK. 2014. [Online] Available at: http://www.accessdata.com/products/digital-forensics/ftk (accessed 23.02.14).

AccessDataGroup. Registry Quick Find Chart. London: AccessDataGroup; 2010.

Anson S, Bunting S, Johnson R, Pearson S. Mastering Windows Networks and Forensic Investigations. second ed. Indianapolis: John Wiley & Sons, Inc.; 2012.

Carrier B. Autopsy. 2013. [Online] Available at: http://www.sleuthkit.org/autopsy/ (accessed February 2014).

Crown. Police and Criminal Evidence Act (1984). London: Her Majesty’s Stationery Office (HMSO); 1984.

FindLaw. Probable Cause. 2014. [Online] Available at: http://criminal.findlaw.com/criminal-rights/probable-cause.html (accessed 22.02.14).

Guidance Software. 2014. [Online] Available at: http://www.guidancesoftware.com/ (accessed 24.02.14).

Ligh M, Case A, Levy J, Walters A. Volatility an advanced memory forensic framework. 2014. [Online] Available at: http://code.google.com/p/volatility/ (accessed 22.02.14).

Microsoft. How to gain access to the System Volume Information folder. 2013. [Online] Available at: http://support.microsoft.com/kb/309531 (accessed 23.02.14).

Nelson B, Phillips A, Steuart C. Guide To Computer Forensics and Investigations. fourth ed. Boston: Cengage Learning; 2010.

Olson P. We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency. Boston: Little, Brown and Company; 2012.

Tor. 2014. [Online] Available at: https://www.torproject.org/ (accessed 23.02.14).

TrueCrypt. 2014. [Online] Available at: http://www.truecrypt.org/ (accessed February 2014).

Wade M. DFI News. 2011. [Online] Available at: http://www.dfinews.com/articles/2011/06/memory-forensics-where-start (accessed 22.02.14).
