Please follow all Instructions in the initial paper

profileJohn_matt
chapter_6.docx

What Are You Looking For?

The variety of operating systems, application programs, and storage methods available today means that when it comes to looking for evidence there are a multitude of places to look. Digital evidence can be found in numerous sources, including stored data, applications used to create data, and the computer system that produced the activity. Systems can be huge and complex, and they can change rapidly. Data can be hidden in many different locations and formats. After you find such data, you may have to process it to make it readable by people.

Discovering Evidence Using Connectors

In recent years, manufacturers have developed branded forensic workstations that provide external native connectors for a variety of media, such as Serial ATA (SATA), SCSI (Small Computer System Interface), flash media, and the older IDE (Integrated Drive Electronics) drives. SATA hard drives are more commonly used by individuals, while SCSI hard drives are more likely to be found in a corporate environment.) As a forensic investigator, you will encounter and work with many different types of media. You may also encounter connectors that hook up FireWire to SATA, SCSI, or IDE, and that hook up USB to SATA, SCSI, or IDE. A forensic investigator will determine what media the suspect has been using to store data and will have a variety of connectors on hand to aid the investigation.

connector

The part of a cable that plugs into a port or interface to connect devices. Male connectors are identified by exposed pins. Female connectors are identified by holes into which the male connector can be inserted.

The general discovery process is the same whether you are working with a SATA, SCSI, or IDE drive. You should adapt your techniques to suit the hardware you encounter.

To begin the discovery process for a drive, copy the image file onto your forensic workstation and then process it using one or several different forensic tools such as FTK, Encase, or ProDiscover.

Network Activity Files

Let's use an example case that involves the Internet and pictures. During your career as a forensic investigator, you may be called upon to investigate situations where an employee has illegally accessed and downloaded pictures of proprietary designs from a competitor's internal Web site and then used these designs in his or her own work.

After the forensic image has been added to your forensic computer, open your forensic software and start a case. Figure 6.1 shows the New Case Wizard from the AccessData Forensic Toolkit (FTK).

Figure 6.1: AccessData's Forensic Toolkit New Case Wizard

When a user logs on to a Windows XP, Vista, or Windows 7 system for the first time, a directory structure is created to hold that individual user's files and settings. This structure is called the profile. The profile creates a directory that has the same name as the user, along with various other folders and files.

Because this case involves searching for images that were downloaded from the Internet, the forensic investigation can begin by adding the entire image of the suspect computer to the FTK case. The image can then be preprocessed and evidence from the entire hard drive reviewed. Evidence from the folders where these files may be stored can be added to the case, as illustrated in Figure 6.2.

Figure 6.2: Adding evidence to a case in FTK

Before a browser downloads a web page, it looks in the Temporary Internet Files folder to see if the information is already stored there. This increases the speed at which the page will load. Web browsers cache web pages that the user visited recently. This cached data is referred to as a temporary Internet file, and it is stored in a folder on the user's hard drive. All of the HTML pages and images are stored on the computer for a certain amount of time, and they are deleted when the temporary Internet file reaches a certain size.

cache

Space on a hard disk used to improve performance speed by storing recently accessed data so that future requests for that data can be served faster locally.

temporary Internet files

Copies of all HTML, GIF, JPG, and other files associated with the sites a user has visited on the Internet.

Sometimes, while a user is viewing web pages, files can be written to the user's hard disk without the user's knowledge. For example, many sites contain Trojan horse programs that automatically download objectionable material (files) to a user's computer without the user's knowledge.

Trojan horse program

In computers, a type of program or code that appears to be legitimate or harmless, but contains malicious or harmful instructions that may allow unauthorized users access to the victim's computer system.

When working with web pages, it's important to keep in mind that a web page is not usually a single graphics file. A web page is a collection of multiple photos and graphics files that are displayed together as a single web page. Forensic investigators see each element that makes up a web page. This can be very important when reviewing graphics information, because the investigator needs to put the evidence into context. The user may have visited a single web page, yet the forensic application may show dozens and dozens of photographs in the Internet History. An untrained person might think the user had downloaded dozens of individual photos, yet the truth is only a single web page was visited.

Figure 6.3 shows how the information in the Temporary Internet Files folder can be viewed using forensic software.

Figure 6.3: FTK displaying information found in the Temporary Internet Files folder

Warning 

Information found in the Temporary Internet Files folder could have been unintentionally downloaded by the suspect. For example, some courts have determined that the existence of files automatically stored in a cache is not sufficient to convict a defendant of possessing or procuring child pornography. Other circumstances need to be evaluated to distinguish between unintentional and intentional acts. Such evaluations should consider the history of the files, their origin and use, and the control that the defendant had over the files.

In Firefox for Windows, the directory storing temporary Internet files is called Cache and is found in the following location: C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\random_characters.default\Cache

Tip 

In the path above, username is the Windows username of the suspect computer. random_characters is a series of random characters. The Application Data folder is hidden by default. To view this folder, go to Tools ➤ Folder Options, select the View tab, and then mark ''Show Hidden Files And Folders'' before proceeding.

In Internet Explorer, the location for temporary Internet files varies depending on the version of Windows used on the system. For Windows 7 or Windows Vista, the Temporary Internet Files directory resides in: C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\ or C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\

Tip 

Note that on PCs, Temporary Internet Files may be located on hard drivers other than the C drive. Forensic investigators should search all drives for Temporary Internet Files.

For systems that use Windows XP or Windows 2000, the Temporary Internet Files directory is located in: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\

Forensic investigators may also find evidence in the browser's History folder. The History folder contains a list of links to web pages that the user visited. Figure 6.4 shows an example of data contained in the History folder. It also shows why this file may contain little or no data. The Internet Options dialog box in Internet Explorer includes Browsing history settings. The user can specify how long the list of visited Web sites should be kept. The default setting is generally 20 days. Computer users can change this setting to a shorter period, or set the browser to erase the entire history when the browser is closed.

Figure 6.4: Internet Explorer History list and Internet Options Browsing history settings

The Cookies folder is similar to the History folder. It holds cookies —information stored by Internet sites that were visited by the user. A number of utilities work with forensic software to display the contents of a cookie in an easily readable format. One such utility is DCode, which you can download from http://www.digital-detective.co.uk/downloads.asp.

cookie

Small text file placed on a computer's hard drive as users browse Web sites. Each cookie file contains a unique number that identifies users to the Web site's computers upon the user's return to the site.

Flash cookies (also called Local Shared Objects, or LSOs) are files placed on your computer by a Flash plugin. These cookies are stored in central system folders and are protected from deletion. Cookie deletion settings in the browser don't affect LSOs. LSOs are used like standard browser cookies. The primary differences are that Flash cookies hold 25 times more data than standard browser cookies and never expire. Flash cookies are easily identifiable by their .sol file extension. The default storage location for LSO files is operating system-dependent. LSO files may be stored at: \Users\username\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\.

Unfortunately, conventional forensic software used to analyze Internet history may not find these files, and the forensic investigator may have to dig deeper to recover Flash cookie data. Once recovered, you can parse .sol files into a more readable form using the SharedObject Reader plugin, which can be downloaded from http://code.google.com.ezproxy.umuc.edu/. From this web page, search for "SharedObject Reader" to locate the plugin.

Many applications create temporary files when the application is installed and when a file is created. These files are supposed to be deleted after installation is finished or when a document is closed—but sometimes this doesn't happen. For example, each time you create a document in Microsoft Word, the software creates a temporary file (with a .tmp extension) like those shown in Figure 6.5. The Properties dialog box indicates that the tmp7201.tmp file was created on September 09, 2010. Temporary files may provide useful evidence.

Figure 6.5: Temporary file listing and properties

If, during your examination of the computer, you find no history files, temporary Internet files, or temporary files in the expected folders, the data has likely been stored somewhere else, so you'll need to dig deeper to uncover any hidden evidence.

Some additional file types that you may want to look for during a forensic investigation include:

· Files in strange locations

· Files with strange names

· Files that start with a period (.) and contain spaces

· Files that have changed recently

MAC time attributes are extremely useful to the forensic investigator and assist in investigating and understanding system behavior, as well as following user activity with regard to a certain file. These time attributes are attached to any file or directory in UNIX, Windows, and other file systems. Microsoft, depending on the version of the operating system, calls these time attributes LastWriteTime, LastAccessTime, and CreationTime, or Created, Modified, and Accessed, as shown in Figure 6.5.

MAC time

Set of time stamps associated with a file. The time stamps describe the last time the file was modified (mtime), accessed (atime), and created (ctime).

Various other available tools provide similar types of information. For example, you can use X-Ways Trace (available from X-Ways Software Technology AG at http://www.x-ways.net/trace/) to analyze a drive to locate information about Internet-related files. Such tools can be useful in gathering evidence regarding sites visited, last date visited, and cache filenames.

Activity Log Files

A device's log files contain the primary records of a user's activities on a system or network and can provide valuable information to the forensic investigator. For example, authentication logs document accounts related to a particular event, along with the IP address of the authenticated user. These files also contain date and time stamps, username, and the IP address where the request originated. Application logs may also yield valuable evidence to the forensic investigation because they record the time, date, and application identifier. When an application is used, it produces a text file on the desktop system containing the application identifier, the date and time the application was started, and how long the application was in use.

Operating systems logs may also reveal vital evidence. Logs from operating systems document system related events, such as types of devices used, errors, reboots, and much, much more. As a forensic investigator, you'll want to analyze operating system logs to identify patterns of activity along with any unusual patterns or events. Network device logs, such as firewall and router logs, should also be examined as a part of any forensic investigation. These logs may provide vital information or evidence about the user's activities on the network. The information gathered from network device logs can also be used to support the evidence gathered from logs provided by other systems.

One of the most important pieces of information that a log file may reveal is how an attacker entered a network and the source of illicit activities. For example, log files from servers and Windows security event logs on domain controllers can attribute activities to a specific user account.

E-mail Headers

E-mail headers are another source that forensic investigators should examine during the investigative process. Consider the following example. Several employees in a company report that they received e-mail messages from the support team requesting information to update a database. The e-mail instructs the user to send his logon and password information back to the sender. Because IT staff would never request such information from users, you suspect this is an attempt by an intruder to gain sensitive information. In this instance, one of the first items you may want to look at is the e-mail header. Figure 6.6 shows an example of an e-mail header.

Figure 6.6: E-mail header

e-mail header

Data at the beginning of an electronic message that contains information about the message.

The e-mail header shows the path the message took from its first communication point of origin until it reached the recipient. The first point is the IP address of the e-mail sender as assigned by his or her Internet service provider (ISP). Analyzing an e-mail header can provide valuable information to the forensic investigator regarding the source of the illicit request. In the following sections, we'll analyze the lines in the e-mail header to illustrate how to read and interpret this data.

IP address

A unique identifier for a computer or device on a TCP/IP network.

Before communication can begin, a software or device driver must be installed on the computer and a common method of communication or protocol determined. In simple terms, a protocol is the language that computers use to talk to each other. For example, if I speak and understand only English and you speak and understand only French, communication isn't going to be very effective because neither of us knows what the other is saying or how to effectively talk to each other. The same holds true for computers.

protocol

A set of rules and conventions that govern how computers exchange information over a network medium.

Computers need addresses and protocols to communicate. An IP address is an identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination.

Transmission Control Protocol/Internet Protocol (TCP/IP) network

A network that uses the TCP/IP protocol.

IP addresses come in two kinds: IPv4 and IPv6 (older and newer versions of the same TCP/IP protocol). An IPv4 address is 32 bits, or 4 bytes, long and is a decimal number between 0 and 255, which is expressed as four octets in dotted decimal notation. For example, 192.00.132.25 is a valid IPv4 address. An IPv6 address is 128 bits, or 16 bytes, long represented using 16 hexadecimal digits (numbers 0 through 9, and letters A through E or a through e). FE80:3043:3B5B:B0D9:B388 is a valid IPv6 address.

Because of its routing ability, TCP/IP is the standard protocol of choice for most networks. TCP/IP breaks data into smaller units called packets. Devices called routers then pass the packets across the networks by reading the headers to determine if each packet belongs to the router's network or if it should be passed on to another network. This is similar to sending a letter, where the zip code indicates the letter's final destination. For example, when a person sends a letter from California to New York, the letter may be transported to various post offices before it actually arrives in New York. If the zip code on the letter does not match the zip code for the area in which it arrives, the letter is forwarded on until it reaches its final destination.

packet

Unit of information routed between an origin and a destination. A file is divided into efficient-size packets for transmission.

router

Device (or software) that determines the next network point to which a packet should be forwarded on the way to its destination.

As a forensic investigator, you should also be familiar with e-mail and web protocols other than TCP/IP. Each part of the TCP/IP protocol suite contains important information for investigators. For example, within a network, an investigator can map an IP address to the Media Access Control (MAC) address. The MAC address identifies a specific piece of hardware, such as an individual network card. Criminals can use special software to change the MAC address of hardware to pretend to send or receive messages using a fake address (or the real address of some other hardware). Also, criminals can use low-level custom code to send messages over different paths and in different sequences (for example using UDP datagrams) that are reassembled at the recipient's end. A working knowledge of the TCP/IP stack and various protocols is required for a forensic investigator to be able to intercept and reassemble this type of message. Following is a list of the most common web protocols that you're likely to encounter.

1 Domain Name Service (DNS) resolves the names that users type into a web browser to their proper network addresses. DNS is most commonly used by applications to translate domain names of hosts to IP addresses.

2 File Transfer Protocol (FTP) performs basic interactive file transfers between hosts, allowing files to be uploaded and downloaded.

3 Simple Mail Transfer Protocol (SMTP) supports basic message delivery services between mail servers.

4 Post Office Protocol (POP) is used to retrieve e-mail from a mail server. It downloads the messages to the client, where they are then stored.

5 Internet Message Access Protocol (IMAP) allows e-mail to be accessed from computers at various locations (for example, home, office, while traveling, and so forth) without the need to transfer messages or files back and forth between computers.

6 HyperText Transfer Protocol (HTTP) is a low-overhead web browser service protocol that supports the transport of files containing text and graphics.

7 Multimedia Internet Message Extensions (MIME) is a type of communications protocol that supports binary, audio, and video data transmission.

UDP datagram

A message sent using the User Datagram Protocol (UDP), a network protocol used on the Internet. UDP allows applications to send datagrams to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths.

The above information is a lot to absorb but it's necessary to understand for an investigator to make sense of the e-mail header (Figure 6.7).

Figure 6.7: E-mail header

When a user sends an e-mail message, the message is transmitted to a forwarding server or an ISP's mail server. The mail server adds a Received: field to the header of the e-mail message. The message will then be passed through additional mail servers before reaching its final destination. As the message is transferred from server to server, each mail server adds its own Received: field to the message header on top of the one from the last server. The e-mail message shown in Figure 6.7 has six Received: fields, meaning that it passed through six e-mail servers before reaching the recipient.

Reading the header from the bottom up, the information on the bottom line starts with an X. This entry is added by the sender's mail server, which records the time (in coordinated universal time, or UTC) the message was received by the mail server from the sender: 06 Jun 2010 01:13:40.0710 (UTC). Moving up in the header, the next X entry shows Internet Mail Service and an ID (5.5.2657.72). This information indicates that the sender's mail server uses Internet Mail Service and assigned a unique ID to the message. The Received: entry, found several lines above, shows when the next server in the relay received the message. As you follow the information up through the message header, you can trace the path the message traveled through the mail servers (in this case, at wellsfargo.com). The entry at the top was inserted by the last server in the relay before the message was delivered to its destination.

This header comes from Microsoft Outlook 2010. To view header information:

· Open the e-mail (the e-mail opens on the message tab).

· Click on the File tab.

· Click on Properties.

You should now see the header as shown in Figure 6.8. (Note: the process may be different depending on which version of Microsoft Outlook you're using.)

Figure 6.8: Microsoft Outlook E-mail message Properties dialog box

E-mail addresses and messages are stored in a file within the mail program's folder. These types of files usually have a .pst or .pab extension. Depending on your e-mail software, the steps may vary on how to expose the e-mail header. The following link offers instructions for some of the more popular programs: http://www.spamcop.net/fom-serve/cache/19.html

Deleted Files

The Recycle Bin, present in Windows operating systems, is another place where forensic investigators may find useful data. Many users do not realize that files sent to the Recycle Bin are not automatically deleted. In reality, the Recycle Bin acts as a halfway house for deleted files, so that files can be undeleted by a user upon demand. The Recycle Bin includes information such as the original location of files before they were deleted and date and time of deletion. When the Recycle Bin is emptied, this information record is deleted along with the other files. Forensic investigators may still be able to recover a deleted file's contents if they have not been overwritten.

Many people mistakenly believe that when they delete something from their computers, they actually erase all the information in the file. This is not necessarily true. When a file is deleted, the first character of the filename is changed to a hex E5. Chapter 2, "Preparation—What to Do Before You Start," discusses file systems and explains that a file system keeps a table of contents of the files on the disk. When a file is requested, the table of contents is searched to locate and access the file. When a user deletes a file, the actual file is still there, but the table of contents ignores it. The Davory data recovery utility is a great tool that allows forensic investigators to recover deleted files from a drive (see Figure 6.9). The Davory data recovery is available for download from X-Ways Software Technology AG at http://www.x-ways.net/davory/.

Figure 6.9: Davory data recovery

As you can see, the Davory utility recovered 3,905 files that were supposedly deleted. This example illustrates that with a little careful digging, you can find information about a file (and sometimes even the file itself), even when that file has been deleted or moved.

Tip 

Remember, the data in deleted files isn't actually erased from the disk. When a file is deleted, the operating system deletes the pointers to the file and shows the space occupied by the file's data as available, but the data is still there, until other files begin to overwrite it.

Attempts at Password Cracking

As a forensic investigator, you should know what to look for when a system has been hacked. Let's examine a scenario that involves password cracking to access systems.

Note 

Passwords are used for many purposes. Many users don't create complex passwords, or have trouble remembering more than one. Thus, many users create one easy-to-remember password and use it for everything.

Often, an attacker captures the password file before cracking it. On a computer running early Windows versions, passwords are stored in a file with a .pwl extension and one is created automatically for each user. On a computer running Windows XP, Vista, Windows Server 2003, or Windows Server 2008, the password file is stored in a database called the Security Accounts Manager (SAM). On a Windows 7 computer, the password file is stored in the Credentials Manager. A popular way of obtaining passwords is to use a method called a brute force attack. Several programs use this method to obtain passwords. Some of the popular brute force programs include L0phtCrack, Crack, and John the Ripper. If you search the Internet for password-cracking tools, you might be amazed at how much information you can find. So, where do you find evidence on a computer that's been hacked or otherwise compromised? The log files are always a great place to start a forensic examination.

brute force attack

An attack that systematically tries every conceivable combination until a password is found, or until all possible combinations have been exhausted.

All operating systems come with the ability to audit and log events. In Figure 6.10, a Windows computer has been set up to log successful and failed attempts at logons.

Figure 6.10: Event Properties dialog box for a Logon Failure attempt

By examining the log, you can clearly observe that there were several failed attempts to log on an administrator made within one minute. As a forensic investigator, seeing this many failed attempts in such a short time period should alert you that someone could be trying to crack the password. Administrators frequently set the lockout threshold at three to five failed attempts. At the threshold point, the account locks and will thwart further attempts to crack it.

Note 

Password-cracking programs have legitimate uses. For example, when a network administrator suddenly quits, is fired, or dies, a password-cracking program can allow an authorized person access to the Administrator account.

In addition to those named above, there are several other logs you can review to aid your investigation and find evidence of a computer's activity. On older Windows operating systems, most of these logs are stored in the C:\Windows\Security\Logs directory. On Windows Vista and Windows 7 computers, the logs are stored in the c:\Windows\Logs directory. In Linux, the security logs are located in the /Var/Log/ directory. This directory contains a record of all root access allowed and all denied access. Other logs are stored in /Var/Adm/Syslog, /Var/Admmessages, and /Var/Adm/Kernel.

Log files also reside on routers and intrusion prevention and detection systems, so you should be prepared to examine all of these files as a part of a forensic investigation. Telltale signs often appear in logs, offering strong indications that something is amiss. When you are examining security logs to trace an attempt to crack the Administrator password, look for long entries of random characters, password changes, and repeated occurrences of three dots (...). These are all suspicious items and should raise a flag to forensic investigators to dig deeper. Look through all log files to make sure you understand what has happened to a system.

Often perpetrators use tools such as port scanners to find open ports on a system and then upload a remote access program to take control of that system. The longer they remain undetected, the longer a hijacked system can be used as a conduit. When this happens, you may find evidence of illicit activity in the log files.

port scanner

Program that attempts to connect to a list of computer ports or a range of IP addresses.

As a forensic investigator, you should educate yourself about recent exploit scripts and newly discovered vulnerabilities. Remaining current helps you identify popular means of attack. Become familiar with how systems work, what services are running, when log entries are created, and what those log entries represent. Evidence is frequently found in these files, so you'll use them often during your career.

Tip 

In forensics, we're also concerned with how to crack passwords that a user placed on a system or documents on a system (e.g., a password-protected Word document). This topic is covered in Chapter 7, "Passwords and Encryption."

How People Think

When searching for the evidence you need, understanding how people think can be helpful. A powerful tool available to the forensic investigator is the ability to understand motives—that is, the reasons a suspect committed a crime. Understanding how criminals think makes it possible for you to discover, analyze, and reconstruct the events leading to a crime.

According to experts, criminal behavior often emerges from a combination of environmental, psychological, and biological factors. Certain characteristics (such as short attention span, lack of impulse control, and poor home life) may predict future criminal behavior. Although most crimes are committed by young men in their teens and twenties, this is not always true where computer crimes are concerned.

So, what motivates criminal activity?

· Financial Gain Many cybercriminals are motivated by financial gain. Identity theft, theft of trade secrets, credit card fraud, medical insurance fraud, and extortion are generally motivated by greed. In the United States, the poor economy owing to the recession that started in 2008 has been blamed for increases in criminal offenses.

· Anger or Revenge Anger, jealousy, and resentment are powerful motives. Disgruntled or dishonest employees as well as former employees, saboteurs, and extortionists often commit crimes of revenge. Revenge is also often cited as a motive in cyberbullying. For example, Lori Drew, a Missouri mother, was convicted in a landmark cyberbullying case. Prosecutors said that Drew's actions were motivated by a desire to humiliate 13-year-old Megan Meier for saying "mean things" about Drew's teenage daughter. Meier committed suicide shortly after a cyberbullying incident.

· Power Activists may want to force a course of action that suits their agenda. To accomplish this, they may deliberately cause damage—for example, by mounting a denial of service (DoS) attack—simply to garner attention or notoriety. DoS attacks can completely shut down and paralyze a network. High-profile sites are frequently targets for DoS attacks. Nation-states and terrorists may try to weaken the economy or digital infrastructure of a country in order to render its defenses less effective against physical attacks. In December 2009, a sophisticated, coordinated cyberattack was launched against 34 companies, including powerhouses such as Google, Adobe, and Northrup Grumman. Two independent, anonymous sources pointed to China as the source for these attacks.

· Addiction, Curiosity, Boredom, Thrill-Seeking, Intellectual Gain, and Recognition Many people who create viruses or worms are highly intelligent and are simply seeking an intellectual challenge. Other hackers who have committed computer intrusions report they were motivated by a desire to test a computer's security. Still others report that they were interested in earning a reputation for their skills and becoming well known. Regardless of the motivation, these activities are still illegal and may cause immeasurable damage to the systems they affect.

· Sexual Impulses Active and passive pedophiles, serial rapists, and serial killers might commit cybercrimes.

· Psychiatric Illness Personality disorders such as schizophrenia, bipolar disorder, aggression, and depression can motivate a person to hide their illness online, where they can interact without physical contact. Personality theorists have suggested that cyber criminals exhibit characteristics of psychiatric illnesses such as narcissism and antisocial personality disorder.

When searching for data, forensic investigators must realize that users who want to store data and hide its actual content from others may do so in many ways. One of the most common methods is to hide data by changing the file-name and the extension associated with a file so that it doesn't look suspicious. Although it can be difficult to determine if an original filename has been changed, most forensic software can detect a change made to the file extension. An altered file extension is detectable through a method called signature analysis. Although searching for text strings is the main method for obtaining digital evidence, using various types of forensic software, you can search on the evidence and perform signature analysis at the same time. Basically, signature analysis computes any hash value discrepancies between a file's extension and the file's header. When these two do not match, it's generally an indication that you should analyze the file in more detail. For example, those seeking to hide child pornography might change the extensions of such pictures from .jpg to .txt in an attempt to hide the content. Signature analysis can be used to identify such files.

signature analysis

Technique that uses a filter to analyze both the header and the contents of the datagram, usually referred to as the packet payload.

Picking the Low-Hanging Fruit

The concept of low-hanging fruit comes from the idea that it is easier to go after information that is readily available than to dig for deeply rooted information. Cybercriminals may walk away from a system that is too hard to break or takes too long to get into. In some instances, grabbing the low-hanging fruit for the cybercriminal may be nothing more than choosing the easiest part of the system to deal with at the time.

The cybersecurity field is rife with low-hanging fruit. When a company doesn't install patches for operating systems, or enforce sound password and logoff policies, it leaves its systems vulnerable to attack. Some people (generally those with less than honorable intentions) believe that if you leave your system unprotected, you deserve to be hacked. And it will happen, because low-hanging fruit is the easiest to grab. More employees will attempt to access a network folder called private than a folder named data.

As a forensic investigator, you'll have to determine whether the low-hanging fruit provides enough evidence for your case. Let's start with an area that might provide the evidence you need without an extreme amount of investigative work. This is evidence that is readily available, such as computer and log files, especially when dealing with unsophisticated criminals. People tend to treat their work computers as their own private storage facilities despite the fact that they are merely the company's computers that they're assigned to use. What people keep in their computers can be incredible—everything from their sexual preferences to evidence of crimes.

Although you should strive to have more than enough evidence, you might be able to use low-hanging fruit to get the information you need. It is at least a good place to start.

Hidden Evidence

In the first section of this chapter, we explored the types of evidence you can look for on a computer. What happens when you can't find any evidence but you know it's there? Chances are it's either hidden, or somewhere in the trace evidence. (We cover trace evidence in the next section.)

Metadata

There are various types of hidden evidence, starting with document metadata. Virtually all applications produce some type of evidence that ordinary users don't know about. For example, as a Microsoft Word document is written and changed, changes are normally tracked. To view this information, simply click the file and then choose Properties (see Figure 6.11).

metadata

Data component that describes other data. In other words, it's data about data.

Figure 6.11: Metadata for a Microsoft Word document

The information in the Properties dialog box can be especially useful to a forensic investigator. For example, let's say you are dealing with a situation in which a system was compromised and intellectual property was stolen. If a criminal is unsophisticated, you could very well end up with a good lead just by looking at the properties of the new documents. Metadata can be found in most Word, Excel, and PowerPoint documents. However, because metadata has become a known issue, there are ways to delete it. Microsoft released a tool that removes personal or hidden data that might not be immediately apparent when you view a document in a Microsoft Office XP or 2003 application. This tool is called rhdtool.exe, and resides at http://www.microsoft.com/downloads/. Note that this add-in is not compatible with 2007 and 2010 Office systems. The Document Inspector feature in the 2007 and 2010 Office systems replaces this add-in.

Although some metadata is readily accessible through the user interface in each Microsoft Office program, other metadata is accessible only through extraordinary means (for example, opening a document in a low-level, binary file editor such as HexEditor).

Metadata Tips

A criminal might try to hide information by backdating a document created in Microsoft Word—setting the system clock back and then saving the document. Upon a closer look, a forensic investigator can easily uncover the truth. When looking at file directory details, watch for discrepancies between the creation or modified date shown in Windows and time/date stamps in the metadata. For example, Windows might show a Last Modified Date of March 18, 2008, while metadata embedded in the document itself may show a later date. The meta-data might also show a different author.

Metadata also tracks total editing time for each document. When a document is surreptitiously backdated, total editing time indicated can be unusually high and indicate that a document was edited for months or even years instead of the hours or days you would normally expect to see. Unusually high editing time is a red flag to a forensic investigator, and may indicate that a document has been tampered with or is a forgery.

Steganography

The next method for hiding data we look at is steganography. Steganography is a special kind of cryptography that makes the presence of secret data undetectable. It encrypts an original plaintext message into a digital file. The least significant bit of each byte in the image or other data is replaced with bits from the secret message. Such a message can be hidden in a sound file, a graphics file, or in unused spaces on a hard disk. Someone who saves pornography to a hard disk may choose to hide evidence using this method. In some instances, steganography can be used as a means for covert communication among terrorists. Three of the more popular steganography programs include Hide and Seek, Stealth (both of which run on Windows-based systems), and Steganographic File System (SFS), which works on UNIX file systems.

steganography

Process of passing information in a manner that hides the existence of one message inside another file or message.

HTML Documents

You can readily view all the code for a web page simply by opening a web page and choosing the View Source option from the View menu on the toolbar (or right-click anywhere on the web page and choose View Source). Figure 6.12 shows the source code for http://www.msn.com.ezproxy.umuc.edu/index.html.

Figure 6.12: Source code for the home page on www.msn.com

Most web pages are written in HTML. Figure 6.12 gives you an idea how easy it would be to hide messages or data in web page coding. For example, say a perpetrator was stealing company secrets and wanted to allow a competitor company to access them. The perpetrator could set up his or her own Web site and hide the information in the source code. The competitor could then easily retrieve that information.

Hiding Documents by Changing Names, Properties, or Locations

Most operating systems allow users to hide files based on extensions. Using this feature is as simple as changing the properties of a directory to Hidden on the General tab in the properties in Windows. An untrained eye might never see system files or even the extensions associated with files if the user chose to hide them.

You can hide UNIX directories by putting them in existing directories that have many files, such as in the /dev directory on a UNIX implementation, or by making a directory that starts with three dots (...) instead of the normal single or double dot. To superficially hide files on a UNIX computer, put one dot in front of the file (for example, .myfile). This prevents the file from showing up in the output of a file listing. To see all hidden files, use the ls command with the -a parameter, like this: ls -a.

Hidden Disk Partitions

Data can be concealed in hidden disk partitions. We'll use the example of a multiboot system , in which, essentially, one operating system is hidden from another. One of our laptops (Computer A) is set up for dual booting (two operating systems). It can boot to either Windows Vista or SuSE Linux. When you view the system in Windows, the Linux partition doesn't show up, mainly because Windows doesn't understand the Linux file system. So, Windows acts as though the Linux system isn't there. If a bootloader is set up to recognize the other operating system, you are given a choice of which operating system to use after a computer boots. This lets you know that more than one operating system is installed. However, some operating systems allow you to choose which operating system to boot to without user interaction. Simply choose the default operating system to boot when you do the setup. For example, another one of our computers (Computer B) dual boots either Windows 7 or Windows Server 2008. An ordinary user would not know that Windows Server 2008 is installed because we configured the system not to display the operating systems at boot time. This is another example where an untrained person might have no idea that hidden data exists. So, we can store files on the Windows 7 drive while booted to Windows Server 2008, and hide the directory so other users have no clue the files are even there. In this instance, the evidence you may be looking for as a forensic investigator could be stored partially on one partition and partially on another partition. If space allows, users seeking to hide could actually install more than two operating systems.

multiboot system

System that can boot, or start, and then run more than one operating system (though only one at a time).

Covert Channels and Other Hiding Places

Several other methods, such as covert channels , can be used to hide data. A tool such as Loki can transmit valuable data in seemingly normal network traffic. Loki is a Trojan horse that looks like a stream of pings but instead provides a back door to the computer on which the client is installed. After the client is installed, it allows communication to occur without being controlled by a security mechanism.

covert channel

Method whereby an entity receives information in an unauthorized and obscure manner.

Suspects can also hide data in white space in documents, behind graphics in documents, and in host protected areas (HPAs) on drives. These areas on a hard drive are created specifically to allow manufacturers to hide diagnostic and recovery tools, but computer savvy people can use them to hide data as well.

Real World Scenario

Tales from the Trenches: Hidden Evidence

While many technical methods exist for hiding data (examples include steganography, encryption, and digital watermarking), some cases that you work will involve data that was hidden using techniques so simple that any average Microsoft Office user could use them.

I once worked on a case involving two coworkers who transferred information to each other by embedding short messages at the end of Word documents. They changed the color of the text to white so that the message was white text on a white background and remained invisible to anyone who saw the document.

Another simple technique is to use a nonstandard font to write a Word document. The person receiving the document knows which font is needed to view the text and has that font loaded on their computer. Anyone without that font would see only "garbage" on their screen when they viewed the document.

This last technique was used by an illegal drug supplier. He took a photograph of a handwritten sign that contained the instructions and location of how and where a drug transaction was to take place. The drug dealer hoped that anyone monitoring or "sniffing" his network traffic would be unable to "read" the message. A forensic examiner using the search functionality in any forensic utility would not see the message. The examiner would have to use the graphics function in the tool to see such a message.

These and many other techniques for finding hidden data are taught in various computer forensic courses. For additional information about this type of training, please visit Neil's Web site at http://www.trcglobal.com.

Trace Evidence

Trace evidence is a term that applies to all physical evidence that may be circumstantial evidence in the trial of a case. Trace evidence, although often insufficient on its own to make a case, can corroborate other evidence or even prompt a confession. Tracing some piece of data present at a crime scene to its origin can assist in arrest and conviction. Similarly, finding some trace of data from a victim or crime scene on a suspect's computer can strongly impact a case.

trace evidence

Traces of data either left behind or found with a criminal that can be used to prove that a crime was committed.

Computer evidence is often found in file slack and in unallocated file space called slack space. Sometimes a good portion of a computer's hard disk may contain data fragments from word processing documents, or almost anything that has occurred in the past. This space can be a valuable source for computer evidence because of the large volume of data involved and because most everyday computer users are oblivious to it. In Figure 6.13, a utility called Karen's Disk Slack Checker was used to check slack space on a hard disk. As you can see, there is quite a bit of stuff here.

Figure 6.13: Karen's Disk Slack Checker

slack space

The space on a hard disk between where a file ends and where the disk storage cluster ends.

Slack space results from the way data is written to disks. Operating systems normally write in clusters. Clusters are made up of blocks of sectors. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for each file. For example, if the cluster size is 32KB and you create a file that is 2KB in size, that file is allocated 32KB of space. This means that 30KB is unused. That's a lot of slack space! Let's go a bit further and say that you create a 31KB file. You decide that you no longer need the file and delete it. At some point in the future, you create another file that is 4KB. When the system goes looking for a location to write this new 4KB file, it finds the space where the old 31KB file that you supposedly deleted resides, and places the data there. Now you have 4KB of new data plus the remainder of the old data in the same space. To recover that data, you can extract trace evidence from the first file in the new file. These pieces of files or file fragments can hold a good amount of information.

On computers running a Microsoft Windows operating system, large quantities of evidence can be found in the Windows swap file. In Windows XP, Vista, Server 2003, and Server 2008 this file is named PAGEFILE.SYS by the operating system. On Windows 7 and Windows Server 2008 R2 computers the swap file is called READYBOOST.SFCACHE. This is a memory management function within the Windows operating environment. It uses space on the hard drive to swap data in and out of memory to make better use of RAM. Swap space also resides on computers running Linux. When you install the operating system, you specify a Linux swap file partition size.

swap file

Space on the hard disk used as the virtual memory extension of a computer's actual memory.

Trace evidence also appears in backups. Although this option is frequently forgotten, backups can be a great source of information in forensic investigations. Most companies make some type of backup rotation and perform full backups at least once per quarter. Even though files may have been deleted from an individual computer, they may still be available on backups. Third-party service providers frequently back up e-mail and generally keep backups for some period of time. Again, even though files may be gone from a computer, in most cases, e-mail systems are backed up. As a forensic investigator, you can (and should) find out how long messages are kept because you may be able to recover information valuable to your investigation.

Fax buffers, printer buffers, and USB drives also hold trace data and should be examined for evidence as well. USB drives offer another source of trace evidence to forensic investigators. Often people put one or two files on a USB drive and forget about them. USB drives can be imaged and then processed.