Science and the Detective Topics Presentation
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
18 Computer Forensics Andrew W. Donofrio
© Jeff Tuttle/epa/Corbis All Rights Reserved
LEARNING OBJECTIVES
After studying this chapter, you should be able to:
• List and describe the hardware and software components of a computer. • Understand the difference between read-only memory and random-access memory. • Describe how a hard disk drive is partitioned. • Describe the proper procedure for preserving computer evidence at a crime scene. • Understand the difference between and location of visible and latent data. • List the areas of the computer that will be examined to retrieve forensic data. • Relate various areas found on the computer where a user’s Internet activities can be investigated. • Describe how e-mails, chat, and instant messages on the Internet can be traced and recovered. • List and describe three locations where investigators may pinpoint the origin of a hacker. • Describe the types of services offered by modern mobile devices, such as cell phones, and the potential investigative value they have.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
1 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
THE BTK KILLER
Dennis Rader was arrested in February 2005 and charged with committing ten murders since 1974 in the area around Wichita, Kansas. The BTK killer, whose nickname stands for “bind, torture, kill,” hadn’t murdered since 1991, but resurfaced in early 2004 when he sent a letter to a local newspaper taking credit for a 1986 slaying. Included with the letter were a photocopy of the victim’s driver’s license and three photos of her body. The BTK killer was back to his old habit of taunting the police. Three months later another letter surfaced. This time the letter detailed some of the events surrounding BTK’s first murder victims. In 1974, he had strangled Joseph and Julie Otero along with two of their children. Shortly after committing those murders, BTK had also sent a letter to a local newspaper in which he gave himself the name BTK. In December 2004, a package found in a park contained the driver’s license of another BTK victim along with a doll whose hands were bound with pantyhose and that was covered with a plastic bag.
The major break in the case came when BTK sent a message on a floppy disk to a local TV station. “Erased” information on the disk was recovered and restored by forensic computer specialists, and the disk was traced to the Christ Lutheran Church in Wichita. The disk was then quickly linked to Dennis Rader, the church council president. The long odyssey of searching for the BTK killer was finally over.
Since the 1990s, few fields have progressed as rapidly as computer technology. Computers are no longer a luxury, nor are they in the hands of just a select few. Technology and electronic data are a part of everyday life and permeate all aspects of society. Consequently, computers have become increasingly important as sources of evidence in an ever-widening spectrum of criminal activities. Moreover, on the corporate side, issues of regulatory compliance, such as HIPPA and Sarbanes Oxley, and problems of employee misconduct have made IT investigations and data forensics a necessary component of a company’s security program.
Police investigators frequently encounter computers and other digital devices in all types of cases. As homicide investigators sift for clues, they may inquire, for example, whether the method for a murder was researched on the Internet, whether signs of an extramarital affair can be found in e-mails or remnants of instant messages (which may provide a motive for a spouse killing or murder for hire), or whether threats were communicated to the victim before a murder by an obsessed stalker. Arson investigators may want to know whether financial records on a computer show a motive for an arson-for-profit fire. A burglary investigation would certainly be aided if law enforcement could show that the proceeds from a theft were being sold online—perhaps through eBay or a similar online auction site.
In addition, the use of computers poses some threats of its own. The accessibility of computers to children and the perception of anonymity in online interactions has given sexual predators a way to seek out child victims online. The vulnerability of computers to hacker attacks is a constant reminder of security issues surrounding digitally stored data. Finally, the fact that computers control most of our critical infrastructure makes technology an appetizing target for would-be terrorists.
Computer forensics involves the preservation, acquisition, extraction, analysis, and interpretation of computer data. Although this is a simple definition, it gets a bit more complicated. Part of this complication arises from technology itself. More and more devices are capable of storing electronic data: cell phones, personal digital assistants (PDAs), iPods, digital cameras, flash memory cards, smart cards, jump drives, and many others. Further complicating matters is the cross-pollination of devices. Cell phones now have the same capabilities of personal computers, and personal computers are often used to facilitate communications. Methods for extracting data from these devices each present unique challenges. However, sound forensic practices apply to all these devices. The most logical place to start to examine these practices is with the most common form of electronic data: the personal computer.
From Input to Output: How Does The Computer Work?
HARDWARE VERSUS SOFTWARE
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
2 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Andrew W. Donofrio is a retired detective lieutenant from the prosecutor’s office in Bergen County, New Jersey, and is a leading computer forensics
examiner for Bergen County, with more than twenty-three years experience in the field of law enforcement. He has conducted hundreds of forensic
examinations of computer evidence and frequently lectures on the subject throughout the state, as well as teaching multiday courses on computer forensics
and investigative topics at police academies, colleges, and corporations throughout the United States. Mr. Donofrio now owns Cyberology consultants,
which provides IT investigation, computer and network forensic, and business continuity and disaster recovery planning services.
Before we get into the nuts and bolts of computers, we must establish the important distinction between hardware and software. Hardware comprises the physical components of the computer: the computer chassis, monitor, keyboard, mouse, hard disk drive, random-access memory (RAM), central processing unit (CPU), and so on (see Figure 18-1). The list is extensive, but generally speaking, if it is a computer component or peripheral that you can see, feel, and touch, then it is hardware.
hardware The physical components of a computer: case, keyboard, monitor, motherboard, RAM, HDD, mouse, and so on; generally speaking, if it is a computer component you can touch, it is hardware.
FIGURE 18-1 Cutaway diagram of a personal computer showing the tangible hardware components of a computer system.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
3 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Courtesy Tim Downs
Software, conversely, is a set of instructions compiled into a program that performs a particular task. Software consists of programs and applications that carry out a set of instructions on the hardware. Operating systems (e.g., Windows, Mac OS, Linux, Unix), word-processing programs (e.g., Microsoft Word, WordPerfect), web-browsing applications (e.g., Internet Explorer, Safari, Firefox), and accounting applications (e.g., Quicken, QuickBooks, Microsoft Money) are all examples of software.
software A set of instructions compiled into a program that performs a particular task; software consists of programs and applications that carry out a set of instructions on the hardware.
It is important not to confuse software with the physical media that it comes on. When you buy an application such as Microsoft Office, it comes on a compact disc (CD). The CD containing this suite of applications is typically referred to as software, but this is technically wrong. The CD is external computer media that contains the software; it is a container for a set of instructions and a medium from which to load the instructions onto the hard disk drive (i.e., the hardware).
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
4 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
HARDWARE COMPONENTS
COMPUTER CASE/CHASSIS
The case is the physical box holding the fixed internal computer components in place. Cases come in many shapes and sizes: a full upright tower chassis, a slim model sitting on a desktop, or an all-in-one monitor/computer case like the iMac. For our purposes, the term system unit is probably most appropriate when describing a chassis seized as evidence. The term system unit accurately references the chassis, including the motherboard and other internal components.
POWER SUPPLY
The term power supply is actually a misnomer because it doesn’t actually supply power—the power company does that. Rather, a computer’s power supply converts power from the wall outlet to a usable format for the computer and its components. Different power supplies have different wattage ratings. The use or, more specifically, the components of the computer dictate the appropriate power supply.
MOTHERBOARD
The main circuit board in a computer (or other electronic device) is referred to as the motherboard. Motherboards contain sockets for chips and slots for add-on cards. Examples of add-on cards are the video card to connect the computer to the monitor, a network card or modem to connect to an internal network or the Internet, and a sound card to connect to speakers. Sockets on the motherboard typically accept things like random-access memory (RAM) or the central processing unit (CPU). The keyboard, mouse, CD-ROM drives, floppy disk drives, monitor, and other peripherals or components connect to the motherboard in some fashion through a wired or wireless connection.
motherboard The main system board of a computer (and many other electronic devices), which delivers power, data, and instructions to the computer’s components; every component in the computer connects to the motherboard, either directly or indirectly.
SYSTEM BUS
Contained on the motherboard, the system bus is a vast, complex network of wires that carry data from one hardware device to another. This network is analogous to a complex highway. Data is sent along the bus in the form of ones and zeros (or, to be accurate, as electrical impulses representing an “on” or “off” state); this two-state form of data is known as binary computing.
READ-ONLY MEMORY (ROM)
This rather generic term describes special chips on the motherboard. ROM chips store programs called firmware, used to start the boot process and configure a computer’s components. Today’s ROM chips, termed flash ROM, are a combination of two types of chips used in past motherboard technologies. The first was known as the system ROM, which was responsible for booting the system and handling the “assumed” system hardware present in the computer. As the system ROM, generally speaking, could not be altered, and because as technology matured changes to the “assumed” hardware were more common, a different type of chip was introduced. The complementary metal-oxide semiconductor (CMOS) was a separate chip that allowed the user to exercise setup control over several system components. Regardless of how this technology is present on the motherboard, it can be referred to as the BIOS, for basic input-output system. The operation of the BIOS is relevant to several computer forensic procedures, particularly the boot sequence. It is the set of routines associated with the BIOS in ROM that initiates the booting process and enables the computer to communicate with various devices in the system such as
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
5 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
disk drives, keyboard, monitor, and printer. As this chapter will make clear, it is important not to boot the actual computer under investigation to the original hard disk drive. This would cause changes to the data, thus compromising the integrity of evidence. The BIOS allows investigators to control the boot process to some degree.
CENTRAL PROCESSING UNIT (CPU)
The central processing unit (CPU), also referred to as a processor, is essentially the brain of the computer. It is the main (and typically the largest) chip that plugs into a socket on the motherboard. The CPU is the part of the computer that actually computes. Basically, all operations performed by the computer are run through the CPU. The CPU carries out the program steps to perform a requested task. That task can range from opening and working in a Microsoft Word document to performing advanced mathematical algorithms. CPUs come in various shapes, sizes, and types. Intel Pentium chips and Advanced Micro Devices (AMD) chips are among the most common.
central processing unit (CPU) The main chip within the computer, also referred to as the brain of the computer, which handles most of the operations (i.e., code and instructions) of the computer.
RANDOM-ACCESS MEMORY (RAM)
This is one of the most widely mentioned types of computer memory. Random-access memory (RAM) takes the burden off the computer’s processor and hard disk drive (HDD). If the computer had to access the HDD each time it wanted data, it would run slowly and inefficiently. Instead the computer, aware that it may need certain data at a moment’s notice, stores the data in RAM. It is helpful to envision RAM as chips that create a large spreadsheet, with each cell representing a memory address that the CPU can use as a reference to retrieve data. RAM is referred to as volatile memory because it is not permanent; its contents undergo constant change and are lost once power is taken away from the computer. RAM takes the physical form of chips that plug into the motherboard; SIMMs (single inline memory modules), DIMMs (dual inline memory modules), and SDRAM (synchronous dynamic random-access memory) are just a few of the types of chips. Today’s
computers come with varying amounts of RAM: 2 to 4 GB (gigabytes) is the most common capacity.1
random-access memory (RAM) The volatile memory of a computer, where programs and instructions that are in use are stored; when power is turned off, its contents are lost.
INPUT DEVICES
Input devices are used to get data into the computer or to give the computer instructions. Input devices constitute part of the “user” side of the computer. Examples include the keyboard, mouse, joystick, and scanner.
OUTPUT DEVICES
Output devices are equipment through which data is obtained from the computer. Output devices are also part of the “user” side of the computer, and provide the results of the user’s tasks. They include the monitor, printer, and speakers.
FIGURE 18-2 An inside view of the platter and read/write head of a hard disk drive.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
6 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Corbis RF
HARD DISK DRIVE (HDD)
Generally speaking, the hard disk drive (HDD) is the primary component of storage in the personal computer (see Figure 18-2). It typically stores the operating system (e.g., Windows, Mac OS, Linux, or Unix), the programs (e.g., Microsoft Word, Internet Explorer, Open Office for Linux, etc.) and data files created by the user (i.e., documents, spreadsheets, accounting information, the company database, etc.). Unlike RAM, the HDD is permanent storage and retains its information even after the power is turned off. HDDs work off a controller that is typically part of the motherboard, but sometimes take the form of an add-on (expansion) card plugged into the motherboard. The most common types of HDD controllers are integrated drive electronics (IDE), small computer system interface (SCSI), and serial ATA (SATA). Each HDD type has a different interface that connects it to the controller. Regardless of the type of controller, the data is stored in basically the same fashion. HDDs are mapped, or formatted, and have a defined layout. They are logically divided into sectors, clusters, tracks, and cylinders (see the section Storing and Retrieving Data).
hard disk drive (HDD) Typically the main storage location within the computer, which consists of magnetic platters contained in a case (usually 3.5” long in a desktop computer and 2.5” in a laptop) and is usually where the operating system, applications, and user data are stored.
CLOSER ANALYSIS OTHER COMMON STORAGE DEVICES
Although the HDD is the most common storage device for the personal computer, many others exist. Methods for storing data and the layout of that data can vary from device to device. A CD-ROM, for example, uses a different technology and format for writing data than a smart media card or USB thumb drive. Fortunately, regardless of the differences among
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
7 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
devices, the same basic forensic principles apply for acquiring the data. Common storage devices include the following:
CD-R/RW (Compact Disc—Record/Rewrite) and DVD-R/RW (DVD—Record/Rewrite) Compact discs (CDs) and digital video discs (DVDs) are two of the most common forms of external data storage. They are used to store a wide variety of information, such as music, video, and data files. They are discs made largely of plastic, with an aluminum layer that is read by laser light in a CD/DVD reader. Blu-Ray discs have also emerged in the market offering larger storage capacity than their predecessor optical media. In addition to larger storage capacities, Blu-Ray discs are read by a blue laser light instead of the red laser that reads CDs and DVDs. Different optical media are encoded in different ways, making the job of the forensic examiner difficult at times.
USB Thumb Drives and Smart Media Cards These devices can store a large amount of data—some as much as 64 GB. They are known as solid-state storage devices because they have no moving parts. Smart media cards are typically found in digital cameras, mobile devices, and PDAs, but USB thumb drives come in many shapes, sizes, and storage capacities.
Tapes Tapes come in many different formats and storage capacities. Each typically comes with its own hardware reader and, sometimes, a proprietary application to read and write its contents. Tapes and thumb drives are typically used for backup purposes and consequently have great forensic potential.
Network Interface Card (NIC) Very rarely does one encounter a computer today that doesn’t have a NIC. Whether they are on a local network or the Internet, when computers need to communicate with each other, they typically do so through a NIC. NICs come in many different forms: add-on cards that plug into the motherboard, hard-wired devices on the motherboard, add-on cards (PCMCIA) for laptops, and universal serial bus (USB) plug-in cards, to name a few. Some are wired cards, meaning they need a physical wired connection to participate on the network, and others are wireless, meaning they receive their data via radio waves.
PUTTING IT ALL TOGETHER
A person approaches the computer, sits down, and presses the power button. The power supply wakes up and delivers power to the motherboard and all of the hardware connected to the computer. At this point the flash ROM chip on the motherboard (the one that contains the BIOS) conducts a power-on self test (POST) to make sure everything is working properly.
The flash ROM also polls the motherboard to check the hardware that is attached and follows its programmed boot order, thus determining from what device it should boot. Typically the boot device is the HDD, but it can also be a CD or USB drive. If it is the HDD, the HDD is then given control. It locates the first sector of its disk (known as the master boot record), determines its layout (i.e., (partition[s]), and boots an operating system (e.g., Windows, Mac OS, Linux, or Unix). The person is then presented with a computer work environment, commonly referred to as a desktop.
Now ready to work, the user double-clicks an icon on the desktop, such as a Microsoft Word shortcut, to open the program and begin to type a document. The CPU processes this request, locates the Microsoft Word program on the HDD (using a predefined map of the drive called a file system table), carries out the programming instructions associated with the application, loads Microsoft Word into RAM via the system bus, and sends the output to the monitor by way of the video controller, which is either located on or attached to the motherboard.
The user then begins to type, transferring data from the keyboard into RAM. When finished, the user may print the document or simply save it to the HDD for later retrieval. If printed, the data is taken from RAM, processed by the CPU, placed in a format suitable for printing, and sent through the system bus to the external port where the printer is connected. If the document is saved, the data is taken from RAM, processed by the CPU, passed to the HDD controller (i.e., IDE, SCSI, or SATA) by way of the system bus, and written to a portion of the HDD. The HDD’s file system table is updated so it knows where to retrieve that data later. In actuality, the boot process is more complex than this, and the forensic examiner must possess an in-depth knowledge of the process.
The preceding example illustrates how three components perform most of the work: the CPU, RAM, and system bus. The
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
8 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
example can get even more complicated as the user opens more applications and performs multiple tasks simultaneously (i.e., multitasks). Several tasks can be loaded into RAM at once, and the CPU is capable of juggling them all. This allows for a multitasking environment and the ability to switch back and forth between applications. All of this is orchestrated by the operating system and is written in the language of the computer—ones and zeros. The only detail missing, one that is important from a forensic standpoint, is a better understanding of how data is stored on the hard disk drive. This is discussed next.
Quick Review
• Computer forensics involves preserving, acquiring, extracting, and interpreting computer data. • Software programs are applications that carry out a set of instructions. • The central processing unit (CPU) is the brain of the computer—the main chip responsible for doing the actual computing. • The motherboard is the main circuit board within a computer. • Read-only memory (ROM) chips store programs that control the boot (startup) process and configure a computer’s components. • Random-access memory (RAM) is volatile memory, which is frequently lost when power is turned off. Programs are loaded into RAM because of its faster read speed. • The hard disk drive (HDD) is typically the primary location of data storage within the computer.
Storing and Retrieving Data
Before beginning to understand how data is stored on a hard disk drive (HDD), it is first important to understand the role of the operating system (OS). An OS, such as Windows, Mac OS, Linux, or Unix, is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components. Each OS supports certain types of file systems that store data in different ways.
operating system (OS) The software that provides the bridge between the system hardware and the user; the OS lets the user interact with the hardware and manages the file system and applications. Some examples are Windows (XP, Vista, and Windows 7), Linux, and Mac OS.
FORMATTING AND PARTITIONING THE HDD
Generally speaking, before an OS can write to an HDD, it must first be formatted. But even before it can be formatted, a partition must be defined. A partition is nothing more than a contiguous set of blocks that are defined and treated as an independent disk. This means that a hard disk drive can hold several partitions, making a single HDD appear as several disks.
partition A contiguous set of blocks that are defined and treated as an independent disk.
Partitioning a drive can be thought of as dividing a container that begins as nothing more than six sides. We then cut a hole in the front of the container and insert two drawers and the hardware required to open and close them. We have just created a two-drawer filing cabinet and defined each drawer as contiguous blocks of storage. A partitioning utility such as Disk Manager or fdisk defines the drawer or drawers (i.e., partitions) that will later hold the data on the HDD. Just as the style, size, and shape of filing cabinet drawers can vary, so too can partitions.
After a hard drive is partitioned, typically it is formatted. (At this point this would be high-level formatting, not to be confused with low-level formatting, which is generally done by the manufacturer of the HDD.) The formatting process initializes portions of the HDD and creates the structure of the file system. The file system can be thought of as the system for storing and locating data on a storage device. Some of the file system types are FAT12 (typically on floppy disks), FAT16 (older DOS and older Windows partitions), FAT32 (Windows file systems), NTFS (most current Windows systems—2008
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
9 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Windows 7, and XP), EXT2 and EXT3 (Linux systems), and HPFS (some Macintosh systems).
Each of these file systems has a different way of storing, retrieving, and allocating data. In summary, a drive is prepared in three processes: low-level formatting (typically done by the manufacturer, dividing the platters into tracks and sectors), partitioning (accomplished through a utility such as fdisk or Disk Manager, defining a contiguous set of blocks), and formatting (i.e., initializing portions of the disk and creating the file system structure). The process is a bit more technical and detailed than this, but at the conclusion of these basic steps, the drive is logically defined. (We say “logically” because no real divisions are made. That is, if you were to crack open the HDD before or after partitioning and formatting, to your naked eye the platters would look the same.)
MAPPING THE HDD
As shown in Figure 18-3, HDDs contain several platters stacked vertically that are logically divided into sectors, clusters, tracks, and cylinders. Sectors are typically 512 bytes in size (a byte is eight bits; a bit is a single one or zero). (Currently, work is being done on hard disk drives with increased minimum sector sizes, in an effort to increase drive performance. However, at this time 512 bytes is still the standard for most hard disk drives.) Clusters are groups of sectors; their size is defined by the file system, but they are always in sector multiples of two. (Although an NTFS partition does permit a one- sector-per-cluster scenario, such a scenario is not usually chosen.) A cluster, therefore, consists of two, four, six, or eight sectors, and so on. (With modern file systems, the user can exercise some control over the number of sectors per cluster.) Tracks are concentric circles that are defined around the platter. Cylinders are groups of tracks that reside directly above and below each other.
sector The smallest addressable unit of data by a hard disk drive; generally consists of 512 bytes.
byte A group of eight bits.
bit Short for binary digit; taking the form of either a one or a zero, it is the smallest unit of information on a machine.
cluster A group of sectors in multiples of two; cluster size varies from file system to file system and is typically the minimum space allocated to a file.
FIGURE 18-3 Partitions of a hard disk drive.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
10 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Additionally, the HDD has a file system table, or map, of the layout of the defined space in that partition. FAT file systems use a file allocation table (which is where the acronym FAT comes from) to track the location of files and folders (i.e., data) on the HDD, whereas NTFS file systems (used by most current Windows systems—Vista, XP, and Windows 7) use, among other things, a master file table (MFT). Each file system table tracks data in different ways, and computer forensic examiners should be versed in the technical nuances of the HDDs they examine. It is sufficient for our purposes here, however, to merely visualize the file system table as a map where the data is located. This map uses the numbering of sectors, clusters, tracks, and cylinders to keep track of the data.
One way to envision a partition and file system is as a room full of safe-deposit boxes. The room itself symbolizes the entire partition, and the boxes symbolize clusters of data. In order to determine who rented which box, and where each renter’s property is, a central database is needed. This would be especially necessary if a person rented two boxes located in opposite ends of the room (this would be noncontiguous data on the HDD). The database tracking the locations of the safe-deposit boxes is much like a file system table tracking the location of data within the clusters.
This example is also useful for understanding the concept of reformatting an HDD. If the database managing the locations of the safe-deposit boxes were wiped out, the property in them would still remain; we just wouldn’t know what was where. It is the same with the hard disk drive. If a user were to wipe the file system table clean—for example, by reformatting it—the
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
11 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
data itself would not be gone. Both the database tracking the locations of the safe-deposit boxes and the file system table tracking the location of the data in the cluster are maps—they are not actual contents. (Exceptions exist with some file systems, such as an NTFS file system, which stores data for very small files right in its file system table, known as the master file table).
Quick Review
• The computer’s operating system (OS) is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components. • Formatting is the process of preparing a hard disk drive to store and retrieve data in its current form. • A sector is the smallest unit of data that a hard drive can address. A cluster usually is the minimum space allocated to a file. Clusters are groups of sectors. • A FAT is a file allocation table. It tracks the location of files and folders on the hard disk drive.
Processing the Electronic Crime Scene
Processing the electronic crime scene has a lot in common with processing a traditional crime scene. The investigator must first ensure that the proper legal requirements (e.g., search warrant, consent, etc.) have been met so that the scene can be searched and the evidence seized. The investigator should then devise a plan of approach based on the facts of the case and the physical location. The scene should be documented in as much detail as possible before disturbing any evidence and before the investigator lays a finger on any computer components. Of course, there are circumstances in which an investigator may have to act quickly and pull a plug before documenting the scene, such as when data is in the process of being deleted.
DOCUMENTING THE CRIME SCENE
Typical crime-scene documentation is accomplished through two actions: sketching and photographing. The electronic crime scene is no different. First, the scene should be sketched in the style of a floor plan (see Figure 18-4), and then overall photographs of the location should be taken. In the case of a network, a technical network sketch should also be included if possible.
After photographs have been taken of the overall layout, close-up photographs should be shot. A close-up photograph of any running computer monitor should be taken. All the connections to the main system unit, such as peripheral devices (e.g., keyboard, monitor, speakers, mouse, etc.), should be photographed. If necessary, system units should be moved delicately and carefully to facilitate the connections photograph (see Figure 18-5). Close-up photographs of equipment serial numbers should be taken if practical.
FIGURE 18-4 Rough sketch made at a crime scene with necessary measurements included.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
12 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
LIVE COMPUTER ACQUISITION
At this point, investigators must decide whether to perform a live acquisition of the data, perform a system shutdown (as in the case of server equipment), pull the plug from the back of the computer, or do a combination of these things. Pulling the plug should always be done by removing the plug from the back of the computer. If the plug is removed from the wall, a battery backup (UPS) might be in place, causing an alert to the system and keeping the unit “powered on.” Several factors influence this decision. For example, if encryption is being used and by pulling the plug the data will encrypt, rendering it unreadable without a password or key, pulling the plug would not be prudent. Similarly, if crucial evidentiary data exists in RAM and has not been saved to the HDD, the data will be lost. Hence, if power to the system is discontinued, another option
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
13 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
must be considered. Regardless, the equipment will most likely be seized. Exceptions exist in the corporate environment, where servers are fundamental to business operations.
FIGURE 18-5 Back of a computer showing all connections.
A computer can be found in several states. Among these is live (i.e., running or powered on) and dead (i.e., not running or powered off). The traditional approach for dealing with a live, running computer in computer forensics was to pull the plug from the back. By doing this, the examiner froze the data in time, thus preventing any additions or modifications to the hard disk drive contained within. Although this methodology still has its limited place, several traits of today’s computer technology and some evidentiary considerations necessitate consideration of performing a live examination prior to disconnecting power. By examining one of many instances in which a live examination might be considered, we can get a good view of how this process works.
Let’s say an investigator responds to the scene of a missing 14-year-old girl. The investigator notices a laptop computer on a desk in the girl’s bedroom. Closer scrutiny reveals that the laptop is live and what appears to be an instant message conversation is on the screen. Additionally, what can be seen of the conversation discusses a meeting with what appears to be an older man. The investigator needs to start the process of identifying the individual in the conversation. Almost simultaneously, the investigator needs to preserve the evidence that probably exists only in RAM. Here a consideration of
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
14 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
“order of volatility” must be made. The fact that the investigator needs to work with the computer system means that changes to the data (i.e., the electronic crime scene) will be made. Considering order of volatility allows the investigator to develop a sequence of steps that will limit the effects of each change on the subsequent steps and collection methods, thus affording the collection of the greatest amount of unaltered evidentiary data. In this example steps might be completed in the following order:
1. Photograph all sections of the conversation screen to document the conversation in the same form the user sees. Merely scrolling through the conversation to afford photographing the entire conversation is minimally intrusive and limited (and arguably inconsequential) changes will occur. 2. Depending on his or her own skill level, the investigator may want to acquire the contents of RAM at this point. This would be accomplished by running a controlled application that the investigator already possesses and that is designed for such a purpose. Of course, the resulting content needs to be written somewhere, and it should not be written to the computer’s hard drive. Rather, the examiner should use a clean piece of media that can handle the size of the output. There are several options for this. 3. Next, the investigator may want to consider copying the text and pasting it to a new document or utilizing a save command in the chat application to save the conversation in text format. Again, this conversation should not be saved to the hard dive of the system being examined. 4. If the investigator feels that encryption is being used, he or she may consider imaging the entire hard drive in this live environment. Because shutting the computer with an encryption in place renders the hard drive’s contents unreadable without a password, it may be a good idea to get an image of the hard drive while it is still decrypted. This requires special response tools and external media that can handle the large image size.
This is just one way to approach this and other live examinations. The order of steps can also be debated among forensic examiners. The following questions are important for the forensic examiner to consider:
1. What is the type of case I am investigating? 2. What is the evidence I seek? 3. How best can I completely acquire that evidence without contaminating other aspects of the “electronic crime scene”? 4. In what order should I take those steps? (order of volatility) 5. Do I have the training, education, experience, equipment, and tools to accomplish this, or do I need assistance?
Finally, the only perfect crime scene is one that has not been entered. The minute investigators enter a crime scene there will be changes to the environment, but obviously, entering the physical crime scene is a necessary function of evidence collection. Processing it should be done in a certain order so that, for example, the collection of fingerprints won’t prevent the proper collection of blood, hair, fiber, and so on. The same applies to the electronic crime scene.
After the photographs and sketches are complete and, if appropriate, the live examination has been performed, but before disconnecting the peripherals from the computer, a label should be placed on the cord of each peripheral, with a corresponding label placed on the port to which it is connected. A numbering scheme should be devised to further identify each system unit if several computers are at the scene (Figure 18-6). The combination of sketching, photographing, and labeling should adequately document the scene, prevent future confusion about which component went with which system unit, and facilitate reconstruction if necessary for lab or courtroom purposes.
FIGURE 18-6 Back of a computer with each component correlated with its port through the use of a labeling scheme.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
15 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
FORENSIC IMAGE ACQUISITION
Now that the items have been seized, the data needs to be obtained for analysis. The number of electronic items that potentially store evidentiary data are too vast to cover in this section. The hard disk drive will be used as an example, but the same “best practices” principles apply for other electronic devices as well.
Throughout the entire process, the computer forensic examiner must use the least intrusive method. The goal in obtaining data from an HDD is to do so without altering even one bit of data. Because booting an HDD to its operating system changes many files and could potentially destroy evidentiary data, obtaining data is generally accomplished by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created. However, the BIOS of the seized computer sometimes interprets the geometry of the HDD differently than the forensic computer does. In these instances, the image of the HDD must be obtained using the seized computer. Regardless, the examiner must ensure that the drive to be analyzed is in a “write-blocked,” or read-only, state when creating the forensic image. Furthermore, the examiner needs to be able to prove that the forensic image he or she obtained includes every bit of data and caused no changes, or writes, to the HDD.
To this end, a sort of fingerprint of the drive is taken before and after imaging. This fingerprint is taken through the use of a Message Digest 5 (MD5)/Secure Hash Algorithm (SHA), or similar validated algorithm. Before imaging the drive the
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
16 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
algorithm is run and a 32-character alphanumeric string is produced based on the drive’s contents. The algorithm is then run against the resulting forensic image; if nothing changed, the same alphanumeric string is produced, thus demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process.
Message Digest 5 (MD5)/ Secure Hash Algorithm (SHA) A software algorithm used to “fingerprint” a file or contents of a disk; used to verify the integrity of data. In forensic analysis it is typically used to verify that an acquired image of suspect data was not altered during the process of imaging.
A forensic image of the data on an HDD (as well as on floppy disks, CDs, DVDs, tapes, flash memory devices, and any other storage medium) is merely an exact duplicate of the entire contents of the drive. In other words, all portions of the drive are copied, from the first bit (i.e., one or zero) to the last. Why would investigators want to copy what appears to be blank or unused portions of the HDD? The answer is simple: to preserve latent data, which is discussed later in the chapter. It suffices to say here that data exists in areas of the drive that are, generally speaking, unknown and inaccessible to most end users. This data can be valuable as evidence. Therefore, a forensic image—one that copies every single bit of information on the drive—is necessary. A forensic image differs from a backup or standard copy in that it takes the entire contents, not only data the operating system is aware of.
Many forensic software packages come equipped with a method for obtaining the forensic image. The most popular software forensic tools—EnCase, Forensic Toolkit (FTK), Forensic Autopsy (Linux-based freeware), and SMART (Linux-based software by ASR Data)—all include a method for obtaining a forensic image. All produce self-contained image files that can then be interpreted and analyzed. They also allow image compression to conserve storage. The fact that forensic imaging results in self-contained, compressed files allows many images from different cases to be stored on the same forensic storage drive. This makes case management and storage much easier (see Figure 18-7).
Quick Review
• Aspects of a computer that should be photographed close up at an electronic crime scene include (1) the screen of any running computer monitor; (2) all the connections to the main system unit, such as peripheral devices (e.g., keyboard, monitor, speakers, mouse, etc.); and (3) equipment serial numbers. • Evidentiary considerations may require the investigator to perform a live examination prior to disconnecting power. • Two situations in which an investigator would not unplug a computer at an electronic crime scene are (1) if encryption is suspected, and thus pulling the plug would reencrypt the data, rendering it unreadable without a password or key, and (2) if data exists in RAM that has not been saved to the HDD and will thus be lost if power to the system is discontinued.
FIGURE 18-7 Screen shot of EnCase software. EnCase is a common forensic software application capable of imaging and assisting in the analysis of data.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
17 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Courtesy EnCase, www.encase.com
• The primary goal in obtaining data from an HDD is to do so without altering even one bit of data. To this end, a Message Digest 5 (MD5)/Secure Hash Algorithm (SHA) takes a “fingerprint” of a hard disk drive (HDD) before and after forensic imaging.
Analysis of Electronic Data
Analysis of electronic data is virtually limitless and bound only to the level of skill of the examiner. The more familiar an examiner is with computers, operating systems, application software, data storage, and a host of other disciplines, the more prepared he or she will be to look for evidentiary data.
Because computers are vast and complex, discussing each area, file, directory, log, or computer process that could potentially contain evidentiary data is beyond the scope of one chapter—and may be beyond the scope of an entire book. What follows are some of the more common areas of analysis. While reading this section, reflect on your own knowledge of computers and consider what other data might be of evidentiary value and where it might be found.
VISIBLE DATA
The category of visible data includes all information that the operating system is presently aware of and thus is readily
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
18 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
accessible to the user. Here we present several common types of visible data considered in many investigations. This list is by no means exhaustive and can include any information that has value as evidence.
visible data All data that the operating system is presently aware of and thus is readily accessible to the user.
DATA/WORK PRODUCT FILES
One place to find evidence is in documents or files produced by the suspect. This category is extremely broad and can include data from just about any software program. Microsoft Word and WordPerfect word-processing programs typically produce text-based files such as typed documents and correspondence. These programs, and a host of other word-processing programs, have replaced the typewriter. They are common sources of evidence in criminal cases, particularly those involving white-collar crime.
Also relevant in white-collar crime and similar financial investigations are any data related to personal and business finance. Programs such as QuickBooks and Peachtree accounting packages can manage the entire financial portion of a small to midsize business. Similarly, it is not uncommon to find personal bank account records in the computer that are managed with personal finance software such as Microsoft Money and Quicken. Moreover, criminals sometimes use these programs as well as spreadsheet applications to track bank accounts stolen from unsuspecting victims. Computer forensic examiners should familiarize themselves with these programs, the ways in which they store data, and methods for extracting and reading the data.
Advances in printer technology have made high-quality color printing both affordable and common in many homes. Although this is a huge benefit for home office workers and those interested in graphic arts, the technology has been used for criminal gain. Counterfeiting and check and document fraud are easily perpetrated on most home computers. All that is required is a decent ink-jet printer and a scanner. Including the computer, a criminal could set up a counterfeiting operation for less than $1500. Examiners must learn the graphics and photo-editing applications used for nefarious purposes. Being able to recognize the data produced by these applications and knowing how to display the images is key to identifying this type of evidence.
SWAP FILE DATA
When an application is running, the program and the data being accessed are loaded into RAM. A computer’s RAM is much faster than the “read” speed of the hard disk drive, and that’s why the programs are loaded here—for fast access and functioning. RAM, however, has its limits. Some computers have a gigabyte or two of RAM, and still others as much as four to eight gigabytes. Regardless of the amount, though, most operating systems (Windows, Linux, and so on) are programmed to conserve RAM when possible. This is where the swap file comes in. The operating system attempts to keep only data and applications that are presently being used in RAM. Other applications that were started, but are currently waiting for user
attention, may be swapped out of RAM and written to the swap space on the hard disk drive.2
swap file A file or defined space on the HDD used to conserve RAM; data is swapped, or paged, to this file or space to free RAM for applications that are in use.
For example, a manager of a retail store may want to type a quarterly report based on sales. The manager starts up Microsoft Word and begins his report. Needing to incorporate sales figures from a particular spreadsheet, he opens Microsoft Excel. Depending on what is running on the computer, the original Word document may be swapped from RAM to the swap space on the HDD to free up space for Excel. As the manager goes back and forth between the programs (and maybe checks his e-mail in between) this swapping continues. Data that is swapped back and forth is sometimes left behind in the swap space. Even as this area is constantly changed, some of the data is orphaned in unallocated space, an area of the HDD discussed later in this chapter.
A swap file or space can be defined as a particular file or even a separate HDD partition, depending on the operating system
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
19 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
and file system type (e.g., FAT, NTFS, EXT2, etc.). For Windows systems either the swap file Win386.sys or pagefile.sys is used, depending on the specific Windows version and file system type. Linux and current Mac OS systems can create partitions just for swapping data in and out of RAM. Data in the swap space can be read by examining the HDD through forensic software or a utility that provides a binary view, such as Norton Disk Editor or WinHex (see Figure 18-8).
FIGURE 18-8 As a user switches between applications and performs multiple tasks, data is swapped back and forth between RAM and the computer’s hard drive. This area on the hard drive is referred to as either swap space or a paging file.
TEMPORARY FILES
Any user who has suffered a sudden loss of power in the middle of typing a document can attest to the value of a temporary file. Most programs automatically save a copy of the file being worked on in a temporary file. After typing a document, working on a spreadsheet, or working on a slide presentation, the user can save the changes, thus promoting the temporary copy to actual file status. Temporary files are created as a sort of backup on the fly. If the computer experiences a sudden loss of power or other catastrophic failure, the temporary file can be recovered, limiting the amount of data lost. The loss is limited, but not altogether prevented, because the temporary file is not updated in real time. Rather, it is updated periodically, depending on the application’s settings. The default interval in most programs is every ten minutes.
temporary files Files temporarily written by an application to perform a function or to provide a “backup” copy of a work product should the computer experience a catastrophic failure.
Temporary files can sometimes be recovered during a forensic examination. Additionally, some of the data that may have been orphaned from a previous version may be recoverable, if not the complete file. This is true even when a document has been typed and printed but never saved. The creation of the temporary file makes it possible for some of this “unsaved” data to be recovered during analysis.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
20 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Another type of temporary file valuable to the computer investigator is the print spool file. When a print job is sent to the printer, a spooling process delays the sending of the data to the printer. This happens so the application can continue to work while the printing takes place in the background. To facilitate this, a temporary print spool file is created; this file typically includes the data to be printed and information specific to the printer. There are different methods for accomplishing this, and thus the files created as a result of this process vary. It is sometimes possible to view the data in a readable format from the files created during the spooling process.
LATENT DATA
The term latent data includes data that is obfuscated (not necessarily intentionally) from a user’s view. It includes areas of files and disks that are typically not apparent to the computer user but that contain data nonetheless. Latent data is one of the reasons a forensic image of the media is created. If a standard copy were all that is produced, only the logical data (i.e., that which the operating system is aware of) would be captured. Getting every bit of data ensures that potentially valuable evidence in latent data is not missed.
latent data Areas of files and disks that are typically not apparent to the computer user (and often not to the operating system) but contain data nonetheless.
Once the all-inclusive forensic image is produced, how is the latent data viewed? Utilities that allow a user to examine a hard disk drive on a binary (ones and zeros) level are the answer. Applications such as Norton Disk Editor and WinHex provide this type of access to a hard disk drive or other computer media. Thus these applications, sometimes also referred to as hex editors (for the hexadecimal shorthand of computer language), allow all data to be read on the binary level independent of the operating system’s file system table. Utilities such as these can write to the media under examination, thus changing data. Consequently, a software or hardware write-blocker should be used.
A more common option in data forensics is to use specialized forensic examination software. EnCase and Forensic Toolkit for Windows and SMART and Forensic Autopsy for Linux are examples of forensic software. Each allows a search for evidence on the binary level and provides automated tools for performing common forensic processing techniques. Examiners should be cautious, however, about relying too heavily on automated tools. To merely use an automated tool without understanding what is happening in the background and why evidentiary data may exist in particular locations would severely impede the investigator’s ability to testify to the findings.
SLACK SPACE
Slack space is empty space on a hard disk drive created because of the way the HDD stores files. Recall that, although the smallest unit of data is one bit (either a one or a zero), an HDD cannot address or deal with such a small unit. In fact, not even a byte (eight bits) can be addressed. Rather, the smallest unit of addressable space by an HDD is the sector. HDDs typically assign sectors in 512-byte increments, whereas CD-ROMs allocate 2,048 bytes per sector.
If the minimum addressable unit of the HDD is 512 bytes, what happens if the file is only 100 bytes? In this instance there are 412 bytes of slack space. It does not end here, however, because there is also minimum cluster requirement. As you may recall, clusters are groups of sectors used to store files and folders. The cluster is the minimum storage unit defined and used by the logical partition. It is because of the minimum addressable sector of the HDD and the minimum unit of storage requirement of the volume that we have slack space.
Minimum cluster allocation must be defined in sectors in multiples of two. Thus, a cluster includes two, four, six, or eight sectors or more. Returning to our initial example of the 100-byte file, suppose an HDD has a two-sectors-per-cluster volume requirement. This means that the HDD will allocate a minimum of two 512-byte sectors (a total of 1,024 bytes) of storage space for that 100-byte file. The remaining 924 bytes would be slack space (see Figure 18-9).
To illustrate this point, let us expand on the previous example of safe-deposit boxes. The bank offers safe-deposit boxes of a
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
21 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
particular size. This is the equivalent of the HDD’s clusters. A person wanting to place only a deed to a house in the box gets the same size box as a person who wants to stuff it full of cash. The former would have empty space should he or she desire to place additional items in the box. This empty space is the equivalent of slack space. But what if the box becomes full and the person needs more space? That person must then get a second box. Similarly, if a file grows to fill one cluster and beyond, a second cluster is allocated. The remaining space in the second cluster is slack space. This continues as more and more clusters are allocated to accommodate the size of the growing file.
There are actually two types of slack space: RAM slack and file slack. Ram slack occupies the space from where the actual (i.e., logical) data portion of the file ends to where the first allocated sector in the cluster terminates. File slack, therefore, occupies the remaining space of the cluster. RAM slack is a concept that was more relevant in older operating systems. Remember that the minimum amount of space the HDD can address is the 512-byte sector. Therefore, if the file size is only 100 bytes, the remaining space must be padded. Some older operating systems pad this area with data contained in RAM. This could include webpages, passwords, data files, or other data that existed in RAM when the file was written. Modern Windows operating systems pad this space with zeros, but some examinations may still yield valuable data in this area.
file slack The area that begins at the end of the last sector that contains logical data and terminates at the end of the cluster.
FIGURE 18-9 Slack space illustrated in a two-sector cluster. Cluster sizes are typically greater than two sectors, but two sectors are displayed here for simplicity.
Let us go back to the 100-byte file with the two-sectors-per-cluster minimum requirement. Following the end of the logical data (i.e., beyond the 100 bytes), the remaining 412 bytes of that sector is RAM slack; the additional 512 bytes completing the cluster is then file slack. See Figure 18-10 for a visual depiction. The question now becomes, What can I expect to find in slack space, and why is this important? The answer: Junk—valuable junk.
FIGURE 18-10 File slack.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
22 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
File slack, on the other hand, can contain a lot of orphaned data. To illustrate this point, let’s take the 100-byte file example a bit further. Let’s say that before the 100-byte file was written to the HDD, occupying one cluster (two sectors totaling 1,024 bytes), a 1,000-byte file occupied this space but was deleted by the user. When a file is “deleted,” the data still remains behind, so it is probably a safe bet that data from the original 1,000-byte file remain in the slack space of the new 100-byte file now occupying this cluster. This is just one example of why data exists in file slack and why file slack may be valuable as evidence.
In one final attempt to illustrate this point, let us again build on our safe-deposit box analogy. Suppose a person rents two safe-deposit boxes, each box representing a sector and the two combined representing a cluster. If that person places the deed to her house in the first box, the remaining space in that box would be analogous to RAM slack. The space in the second box would be the equivalent of file slack. The only difference is that, unlike the empty spaces of the safe-deposit box, the slack space of the file probably contains data that may be valuable as evidence.
The data contained in RAM and file slack is not really the concern of the operating system. As far as the OS is concerned, this space is empty and therefore ready to be used. Until that happens, however, an examination with one of the aforementioned tools will allow a look into these areas, thus revealing the orphaned data. The same is true for unallocated space.
FIGURE 18-11 A simplistic view of a hard drive platter demonstrating the concept of unallocated space.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
23 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
UNALLOCATED SPACE
Latent evidentiary data also resides in unallocated space. What is unallocated space, how does data get in there, and what is done to access this space? If we have an 80 GB hard drive and only half of the hard drive is filled with data, then the other half, or 40 GB, is unallocated space (see Figure 18-11). Returning to our safe-deposit box analogy, if the entire bank of safe- deposit boxes contains 100 boxes, but only 50 are currently in use, then the other 50 would be the equivalent of unallocated space. The HDD’s unallocated space typically contains a lot of useful data. The constant shuffling of files on the HDD causes data to become orphaned in unallocated space as the logical portion of the file is rewritten to other places. Some examples of ways in which data can become orphaned are through fragmentation, during the creation of swap files or swap space, or in the process of deleting files.
unallocated space The unused area of the HDD that the operating system file system table sees as empty (i.e., containing no logical files) but that may contain old data.
DEFRAGMENTING
Defragmenting an HDD involves moving noncontiguous data back together. Remember that the HDD has minimum space reservation requirements. Again, if the file requires only 100 bytes of space, the operating system may allocate much more than that. If the file grows past what has been allocated for it, another cluster is required. If, however, a different file occupies the next cluster in line, then the operating system will have to find another place for that additional data on the drive. In this scenario, the file is said to be fragmented because data for the same file is contained in noncontiguous clusters. In the case of the HDD, the shuffling of files causes data to be orphaned in unallocated space.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
24 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Ultimately fragmentation of numerous files can degrade the performance of an HDD, causing the read/write heads to have to traverse the platters to locate the data. Defragmenting the HDD rearranges noncontiguous data into contiguous clusters. Building yet again on our safe-deposit box analogy, if our renter eventually needs to store more property than her original box can hold, the bank will rent her a second box. If, however, all the boxes around hers are occupied and the only free one is in another section of the room, then her property is “fragmented.” The bank would have to “defrag” the safe-deposit boxes to get the property of users with more than one box into adjacent boxes.
SWAP FILE/SWAP SPACE
Recall that a computer uses the HDD to maximize its amount of RAM by constantly swapping data in and out of RAM to a predetermined location on the HDD, thus freeing valuable RAM. The constant read and write operations of RAM cause a constant change in the swap file—WIN386.swp or pagefile.sys—in Windows or in the swap space on a Linux system. Data can become orphaned in unallocated space from this constant swapping to and from the HDD.
DELETED FILES
The deletion of files is another way that data becomes orphaned in unallocated space. Data from deleted files can manifest itself in different ways during a forensic examination. The actions that occur when a file is deleted vary among file systems. What is fairly consistent, though, is that generally the data is not truly removed. For example, consider what happens when a user or program deletes a file in a Windows operating system with a FAT file system. When a file is deleted, the first character in the file’s directory entry (i.e., in its name) is replaced with the Greek letter sigma. When the sigma replaces the first character, the file is no longer viewable through conventional methods and the operating system views the space previously occupied by the file as available. The data, however, is still there.
This example doesn’t account for the actions of the Windows Recycle Bin. When the Windows operating system is set up to merely place the deleted file in the Recycle Bin, the original directory entry is deleted and one is created in the Recycle folder for that particular user. The new Recycle folder entry is linked to another file, the info or info2 file, which includes some additional data, such as the location of the file before its deletion should the user wish to restore it to that location. Detailed discussions of the function of the Recycle Bin are beyond the scope of this chapter, but suffice it to say that, even when the Recycle Bin has been “emptied,” the data usually remains behind until overwritten. Although Windows NTFS partitions and Linux EXT partitions handle deleted files differently, in both cases the data typically remains.
What if a new file writes data to the location of the original file? Generally speaking, the data is overwritten. This is, of course, unless the new file only partially overwrites the original: If a file that occupied two clusters is deleted, and a new file overwrites one of the clusters, then the data in the second cluster is orphaned in unallocated space. Of course, yet a third file can overwrite the second cluster entirely, but until then the data remains in unallocated space.
Let us once again look to our safe-deposit box analogy. If, for example, the owner of two safe-deposit boxes stopped renting them, the bank would list them as available. If the owner didn’t clean them out, the contents would remain unchanged. If a new owner rented one of the boxes, the contents from the former owner would be replaced with the new owner’s possessions. The second box would therefore still contain orphaned contents from its previous owner. The contents would remain in this “unallocated box” until another renter occupies it.
Quick Review
• The types of computer evidence can be grouped under two major sub-headings: visible and latent data. • Visible data is data that the operating system is aware of, and thus is easily accessible to the user. It includes any type of user-created data, such as word-processing documents, spreadsheets, accounting records, databases, and pictures. • Temporary files created by programs as a sort of on-the-fly backup can prove valuable as evidence. Data in the swap space used to conserve valuable RAM within the computer system can also yield evidentiary data.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
25 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
• Latent data is data that the operating system is not aware of. The constant shuffling of data through deletion, defragmentation, swapping, and so on, is one of the reasons data is stored in latent areas. • Latent data can exist in both RAM slack and file slack. RAM slack is the area from the end of the logical file to the end of the sector. File slack is the remaining area from the end of the final sector containing data to the end of the cluster. • Latent data might be found in unallocated space—space on an HDD that the operating system sees as empty and ready for data. • When a user deletes files, the data typically remains behind, so deleted files are another source of latent data.
Forensic Analysis of Internet Data
It’s important from the investigative standpoint to be familiar with the evidence left behind regarding a user’s Internet activity. A forensic examination of a computer system reveals quite a bit of data about a user’s Internet activity. The data described next would be accessed and examined using the forensic techniques outlined in the previous sections of this chapter.
INTERNET CACHE
Evidence of web browsing typically exists in abundance on the user’s computer. Most web browsers (e.g, Internet Explorer and Firefox) use a caching system to expedite web browsing and make it more efficient. This was particularly true in the days of dial-up Internet access. When a user accesses a website, such as the New York Times home page, the data is fed from that server (in this example, that of the New York Times), via the Internet service provider and over whatever type of connection the user has, to his or her computer. If that computer is accessing the Internet via a dial-up connection, the transfer of the New York Times home page may take a while because the data transfer rate and capabilities (bandwidth) of the telephone system is limited. Even with the high-speed access of a fiber or cable connection, conservation of bandwidth is always a consideration. Taking that into account, web browsers store, or cache, portions of the pages visited on the local hard disk drive. This way, if the page is revisited, portions of it can be reconstructed more quickly from this saved data, rather than having to use precious bandwidth to pull it yet again from the Internet.
This Internet cache is a potential source of evidence for the computer investigator. Portions of, or in some cases entire, visited webpages can be reconstructed. For security purposes, modern Internet browsers take steps to clear out, or erase, the web cache. But in some cases, even after having been deleted, these cached files can be recovered (see the section on deleted data). Investigators must know how to search for this data within the particular web browser used by a suspect.
Internet cache Portions of visited webpages placed on the local hard disk drive to facilitate quicker retrieval when the webpage is revisited.
INTERNET COOKIES
Cookies provide another area where potential evidence can be found. To appreciate the value of cookies you must first understand how they get onto the computer and their intended purpose. Cookies are placed on the local hard disk drive by websites the user has visited, if the user’s web browser (such as Internet Explorer) is set to allow this to happen. Microsoft Internet Explorer places cookies in a dedicated directory. Websites use cookies to track certain information about its visitors. This information can be anything, such as history of visits, purchasing habits, passwords, and personal information used to recognize the user for later visits.
cookies Files placed on a computer from a visited website that are used to track visits to and usage of that site.
Consider a user who registers for an account at the Barnes and Noble bookstore website, then returns to the same site from the same computer a few days later. The site will then display “Welcome, [User Name].” This data was retrieved from the
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
26 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
cookie file placed on the user’s hard disk drive by the website during the initial visit and registration with the site.
It is helpful to think of cookies almost like a caller ID for websites. The site recognizes and retrieves information about the visitor, as when a salesperson recognizes a caller from a caller ID display and quickly pulls the client’s file. Cookie files can be a valuable source of evidence. In Internet Explorer, they take the form of plain text files, which can typically be opened with a standard text viewer or word-processing program. The existence of the files themselves, regardless of the information contained within, can be of evidentiary value to show a history of Web visits. A typical cookie may resemble the following: [email protected]. From this we can surmise that someone using the local computer login rsaferstein accessed the forensic science website. It is possible that the cookie was placed there by an annoying pop-up ad, not a website the user visited, but considered against other evidence in the computer data, the presence of a particular cookie may have corroborative value.
INTERNET HISTORY
Most web browsers track the history of webpage visits for the computer user. This is probably done merely for convenience. Like the “recent calls” list on a cell phone, the Internet history provides an accounting of sites most recently visited, with some storing weeks’ worth of visits. Users can go back and access sites they recently visited just by going through the browser’s history. Most web browsers store this information in one particular file; Internet Explorer uses the index.dat file. On a Windows system, an index.dat file is created for each login user name on the computer.
Internet history An accounting of websites visited; different browsers store this information in different ways.
The history file can be located and read with most popular computer forensic software packages. It displays the uniform resource locator (URL) of each website, along with the date and time the site was accessed. An investigation involving Internet use almost always includes an examination of Internet history data.
FIGURE 18-12 The Internet history displays more than just web-browsing activity. Here we see Microsoft Word documents and a picture accessed on the current day.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
27 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
In some respects, the term Internet history is wrong because it doesn’t encompass all of these files’ functions. Several browsers—Internet Explorer, for one—store other valuable evidence independent of Internet access. It is not uncommon to see files accessed over a network listed in the history. Similarly, files accessed on external media, such as CDs or thumb drives, may also appear in the history. Regardless, the Internet history data is a valuable source of evidence worthy of examination (see Figure 18-12).
BOOKMARKS AND FAVORITE PLACES
Another way users can access websites quickly is to store them in their bookmarks or Favorite Places. Like presetting radio stations, web browsers allow users to bookmark websites for future visits (see Figure 18-13). A lot can be learned from a user’s bookmarked sites. You may learn what online news a person is interested in or what type of hobbies he or she has. You may also see that person’s favorite child pornography or computer hacking sites bookmarked.
bookmark A feature that enables the user to designate favorite sites for fast and easy access.
FIGURE 18-13 Bookmarks or favorite places can be saved for quick access in most web browsers.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
28 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Copyright © 2013 by Pearson Education, Inc. Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the USA and other
countries. Screen shots and icons reprinted with permission from the Microsoft Corporation. This book is not sponsored or endorsed by or affiliated with
the Microsoft Corporation.
In Internet Explorer the favorite places are kept in a folder with link files, or shortcuts, to particular URLs. They can be organized in subfolders or grouped by type. The same is true for the Firefox web browser, except that Firefox bookmarks are stored in a document written in hypertext markup language (HTML), the same language interpreted by the web browsers themselves.
Quick Review
• Places where a forensic computer examiner might look to determine what websites a computer user has visited recently are the Internet cache, cookies, and the Internet history. • The history file can be located and read with a forensic software package. Another way to access websites that have been visited is by examining bookmarks and favorite places
Forensic Investigation of Internet Communications
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
29 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Computer investigations often begin with or are centered on Internet communication. Whether it is a chat conversation among many people, an instant message conversation between two individuals, or the back-and-forth of an e-mail exchange, human communication has long been a source of evidentiary material. Regardless of the type, investigators are typically interested in communication.
ROLE OF THE IP
With all of the computer manufacturers and software developers out there, some common rules are necessary for computers to be able to communicate on a global network. Just as any human language needs rules for communication to be successful, so does the language of computers. Computers that participate on the Internet, therefore, must be provided with an address known as an Internet protocol (IP) address from the Internet service provider to which they connect.
FIGURE 18-14 Two computers communicating by sending data to each other’s IP address via the Internet. An IP address is assigned to each computer by its respective Internet service provider.
Richard Saferstein, Ph.D.
IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number from 0 to 255. A typical IP address might look like this: 66.94.234.13. Not only do IP addresses provide the means by which data can be routed to the appropriate location, but they also provide the means by which most Internet investigations are conducted (see Figure 18-14). Thus the IP address may lead to the identity of a real person. If an IP address is the link to the identity of a real person, then it is quite obviously valuable for identifying someone on the Internet.
To illustrate, let’s assume that a user of the Internet, fictitiously named John Smith, connects to the Internet from his home by
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
30 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
way of a Verizon FIOS connection. Verizon in this case would be responsible for providing Smith with his IP address. Verizon was issued a bank of IP addresses with which to service its customers from a regulatory body designed to track the usage of IP addresses (obviously so no one address is used by two different users at the same time).
Suppose that Smith, while connected to the Internet, decides to threaten an ex-girlfriend by sending her an e-mail telling her he is going to kill her. That e-mail must first pass through Smith’s Internet service provider’s routers (in this case, Verizon’s) on its way to its destination—Smith’s girlfriend. The e-mail would be stamped by the servers that it passes through, and this stamp would include the IP address given to Smith by Verizon for his session on the Internet.
An investigator responsible for tracking that e-mail would locate the originating IP address stamped in the e-mail header. That IP address could be researched using one of many Internet sites (e.g., www.centralops.net) to determine which Internet service provider was given this IP as part of the block it was assigned for serving its customers. The investigator then files a subpoena with the Internet service provider (i.e., Verizon) asking which of its customers was using that IP address on that date and time.
IP addresses are located in different places for different methods of Internet communications. E-mail has the IP address in the header portion of the mail. This may not be readily apparent and may require a bit of configuration to reveal. Each e-mail client is different and needs to be evaluated on a case-by-case basis. For an instant message or chat session, the provider of the chat mechanism—AOL, Yahoo, and so on—would be contacted to provide the user’s IP address.
E-MAIL, CHAT, AND INSTANT MESSAGING
E-mail files can be read by a number of clients, or software programs. Two of the most popular ways to access, read, and store e-mail in today’s Internet environment, however, are Microsoft Outlook and through an Internet browser. Some people even use a combination of the two.
If an e-mail account is linked through Microsoft Outlook, then the e-mail is stored in a compound file (i.e., a file with several layers). Typically, compound files exist for received e-mail (i.e., the inbox), sent e-mail, and deleted e-mail. Users can also create new categories (shown as folders in Outlook) and categorize saved e-mail there. Most computer forensic software applications can view, or mount, these compound files so that the e-mail can be seen, including any file attachments. These files can also be imported into a clean copy of Microsoft Outlook (i.e., one not attached to an account), and the e-mail can be viewed there. Investigators must also be aware that, in a computer network environment, the user’s Outlook files may not reside on his or her workstation computer but rather on a central mail or file server.
Most accounts offer the ability to access e-mail through a web-based interface as well. This way, users can access their e-mail remotely from other computers. For e-mail accessed through a web browser, the information presented earlier on Internet-based evidence applies. The Web interface converts the e-mail into a document suitable for reading in a web browser. Consequently, web-based e-mail is sometimes found in the Internet cache. This is particularly true of free Internet e-mail providers such as Hotmail and Yahoo.
Much of the evidence from Internet communication is also derived from chat and instant message technology. This is particularly true in the world of child sexual exploitation over the Internet. Various technologies provide chat and instant messaging services. Most chat and instant message conversations are not saved by the parties involved. Although most of the software does allow for conversation archiving, it is typically turned off by default. Therefore, conversations of this nature typically exist in the volatile memory space of random-access memory (RAM).
Recall that RAM is termed volatile because it holds data only while the computer has power. Unplugging the computer will cause the data located in RAM to be lost. If, however, chat or instant message conversations occurred that are relevant as evidence, even if the computer was turned off, thus erasing the data in RAM, all may not be lost. Remember that there is an interaction between the computer system’s RAM and the hard disk drive. RAM is a commodity, and therefore the computer’s operating system makes an effort to conserve it as much as possible. This is done by swapping/paging that information back and forth into the swap space or paging file. Therefore remnants of chat conversations are often found in the swap space or
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
31 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
paging file during a forensic examination of the hard disk drive. These remnants, however, are typically fragmented, disconnected, and incomplete. Therefore, if the chat or instant message is still present on the screen (and thus probably still in RAM), the investigator needs a method by which to preserve and collect it.
A detailed discussion of capturing volatile data from RAM is beyond the scope of this chapter, but considerations for dealing with a live (running) computer have been discussed in the section Live Computer Acquisition in this chapter. Note that several commercial forensic software packages can capture this data. Similarly, Linux-based tools can accomplish this as well. The examiner may even be able to export the data remotely to another device. Regardless of the method, the data must be acquired.
Furthermore, many programs such as AOL Instant Messenger, Yahoo Messenger, and mIRC (Internet Relay Chat) create files regarding the rooms or channels a user chatted in or the screen names with which a user sent instant messages. Each application should be researched, and the computer forensic examination should be guided by an understanding of how each functions.
Webextra 18.1
Follow the Trail of an E-mail as It Travels Through the Internet www.mycrimekit.com
HACKING
Unauthorized computer intrusion, more commonly referred to as hacking, is the concern of every computer administrator. Hackers penetrate computer systems for a number of reasons. Sometimes the motive is corporate espionage; other times it is merely for bragging rights within the hacker community. Most commonly, though, a rogue or disgruntled employee with some knowledge of the computer network is looking to cause damage. Whatever the motivation, corporate America frequently turns to law enforcement to investigate and prosecute these cases.
hacking Frequently used as a slang term for performing an unauthorized computer or network intrusion.
Generally speaking, when investigating an unauthorized computer intrusion, investigators concentrate their efforts in three locations: log files, volatile memory, and network traffic. Logs typically document the IP address of the computer that made the connection. Logs can be located in several locations on a computer network. Most servers on the Internet track connections made to them through the use of logs. Additionally, the router (i.e., the device responsible for directing data) may contain log files detailing connections.
Similarly, devices known as firewalls may contain log files listing computers that were allowed (or that merely attempted) access to the network or an individual system. Firewalls are devices (taking the form of either hardware or software) that permit only requested traffic to enter a computer system or, more appropriately, a network. In other words, if a user didn’t send out a request for Internet traffic from a specific system, the firewall should block its entry unless previously configured to allow that traffic through. If the log files have captured the IP address of the intruder, then revealing the user behind the IP is the same process as for e-mail. Investigating a computer intrusion, however, does get a bit more complicated.
firewall Hardware or software designed to protect intrusions into an Internet network.
Frequently, in cases of unlawful access to a computer network, the perpetrator attempts to cover the tracks of his or her IP address. In these instances, advanced investigative techniques may be necessary to discover the hacker’s true identity. When an intrusion is in progress, the investigator may have to capture volatile data, or data in RAM. The data in RAM at the time of an intrusion may provide valuable clues to the identity of the intruder or, at least, about his or her method or tools of attack. As in the case of an instant message or chat conversation, the data in RAM needs to be acquired.
Another standard tactic for investigating intrusion cases is to document all programs installed and running on a system in
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
32 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
order to discover any additional malicious software installed by the perpetrator to facilitate entry. The investigator uses specialized software to document running processes, registry entries, open ports, and any installed files.
Additionally, the investigator may want to capture live network traffic as part of the evidence-collection and investigation process. Traffic that travels the network does so in the form of data packets. In addition to data, these packets also contain source and destination IP addresses. If the attack requires two-way communication, as in the case of a hacker stealing data, then data needs to be transmitted back to the hacker’s computer using the destination IP address. Once this is learned, the investigation can focus on that system. However, care must be taken to ensure that the destination IP address does not belong to an unwitting and previously compromised computer under the control of the hacker. Moreover, the type of data that is being transmitted on the network may be a clue to what type of attack is being launched; whether any important data is being stolen; or what types of malicious software, if any, are involved in the attack.
Quick Review
• IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number from 0 to 255 • IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most Internet investigations are conducted • An investigator tracking the origin of an e-mail seeks out the sender’s IP address in the e-mail’s header. Chat and instant messages are typically located in a computer’s random-access memory (RAM). • Tracking the origin of unauthorized computer intrusions, or hacking, requires investigating a computer’s log file, RAM, and network traffic. • A firewall is a device designed to protect against intrusions into a computer network.
Mobile Forensics
This section could just as well be titled Cell Phone Forensics, but because of the technological advances in mobile technology, handheld devices are much more than just phones. There truly has been cross-pollination between traditional computers and cell phones. In addition to traditional cell phone services, mobile devices offer many services that are offered by computers and other devices. These devices can provide a vast amount of useful and evidentiary data in an investigation.
CLOSER ANALYSIS
The following is a list of the more common services available on today’s mobile devices, along with several examples of the potential evidentiary value they hold:
1. Short Message Service (SMS)—Text Messaging Text messages are another form of communication. They can be used to establish a link between two people simply by showing they have “messaged” each other. There have been cases where a person has entered a business to commit robbery while a lookout remains in a vehicle parked outside, and text messages were used to communicate between the two. 2. Multimedia Message Service (MMS) Can be thought of as text messaging with attachments such as video clips, sound files, or pictures. In one particular case, an individual took a video of himself sexually assaulting an incapacitated girl, and then sent the video clip to friends via MMS. 3. Contact Lists and Call History The names, phone numbers, addresses, and/or e-mail addresses of people who are associated with the owner of the mobile device and the log of recent contacts he or she has had are generally available and are of use in an investigation. 4. Calendars, Appointments, and Tasks This information may provide evidence of a suspect’s actions on a particular date. 5. Internet Access/Internet History/Internet Communication Much like a traditional computer, Internet activity can be of great evidentiary value. For example, it may link a suspect to a specific social networking site or screen name in a child sexual exploitation case. Often, mobile devices contain the same Internet artifacts as computers, such as
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
33 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
cookies, browser history, and bookmarks. 6. Digital Camera / Video There have been numerous cases where individuals have exploited this technology to take surreptitious, candid photographs of unsuspecting women in malls and stores. 7. E-mail Full e-mail access and clients (i.e., e-mail software) are available on most mobile devices, offering another source of potential evidence. 8. Global Positioning System (GPS) and Map Data Many devices, such as the Droid and iPhone, offer full GPS capabilities. The information in these applications can be extremely valuable in documenting the travel history of a suspect.
The list of services available for mobile devices, although comprehensive, is certainly not exhaustive. It should be apparent, however, that aside from size and structure, little distinction can be made between the services offered by a computer system and those of a mobile device. As such, forensic examinations of mobile devices have much in common with computer forensics, at least in principal. Although there is a great deal of standardization in the computer market, the same is not true in the world of mobile devices. The operating systems that run mobile devices vary from manufacturer to manufacturer and device to device. Moreover, their inherent remote capabilities and constant connection and communication with service providers make collection and preservation difficult.
Recall from our early discussion that one of the principal goals in electronic evidence collection and analysis is to avoid alteration of data. With mobile devices, which are constantly registering their location with the service provider and potentially receiving GPS location updates, protecting against alteration is challenging. Compounded by the fact that many mobile devices offer remote kill and clear capabilities, investigators have their hands full. It may seem logical to merely shut the mobile device off to preserve data, but this is typically not recommended because it can clear out unsaved data existing in volatile memory (much like a computer’s RAM contents).
Leaving the mobile device running but placing it in something that will block its communication is the preferred method. A Faraday shield is frequently used for mobile device evidence collection. Such a shield, often designed by mobile forensics manufacturers, will prevent the device from communicating (in or out) with the service provider. It has also been observed that other devices, such as the type of unlined paint can typically used for collecting arson-related evidence, can work as well. However, the effectiveness of alternatives should be tested in advance.
Another consideration in the collection of these devices is maintaining power so that the device can be transported, stored, and ultimately analyzed. Mobile forensics manufacturers provide battery devices that can be used to keep a unit running while it is being transported to the lab. The investigator, if possible, should always seize the mobile device’s charger and any associated cables. Because of the lack of standardization mentioned earlier, chargers and cables vary greatly between devices, and it is nearly impossible for examiners to stock every one.
Ultimately, data from the mobile device must be extracted and analyzed. Unlike computer forensics, however, the approach to mobile devices is more complicated. This complication arises because of the divergent ways that different devices store and manage data. Moreover, manufacturers vary in the type of memory used to store data, involving a combination of expansion cards and internal memory structures (RAM/ROM). Similarly, operating systems vary between devices. The Motorola Droid, for example, uses the Google’s Android Operating System, while today’s iPhone uses Apple’s iPhone operating systems, typically referred to as iOS. The two vary in their partition, file, and directory structure. These are just two of the overwhelming number of devices on the market and thus encountered by investigators. Consequently, mobile device examiners need a multitude of equipment and a significant amount of knowledge.
There are numerous approaches to mobile forensics data extraction and analysis. Extraction of data can be done on the physical level, generally affording the greatest amount of total data collection but also, at times, presenting challenges in analysis. Extraction can also be done on a logical level, which limits the data acquired, but the data is often easier to analyze. The examiner generally makes these determinations based on the type of case, evidence sought, his or her own training, and the technological limitations of the mobile device or the tools available for analysis. It is the experience of most mobile forensic examiners that a lab needs to be equipped with several varied tools for acquisition and analysis.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
34 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
Quick Review
• Mobile devices offer many of the services that are offered by computers and other devices. These devices can provide a vast amount of useful and evidentiary data in an investigation. • Leaving a mobile device running but placing it in something that will block its communication is the preferred method for preserving data on a mobile device. • Complications arise in extracting and evaluating data from mobile devices because of the variety of ways that different devices store and manage data.
CHAPTER REVIEW
• Computerforensics involves preserving, acquiring, extracting, and interpreting computer data. • Software programs are applications that carry out a set of instructions. • The central processing unit (CPU) is the brain of the computer—the main chip responsible for doing the actual computing. • The motherboard is the main circuit board within a computer. • Read-only memory (ROM) chips store programs that control the boot (startup) process and configure a computer’s components. • Random-access memory (RAM) is volatile memory, which is lost when power is turned off. Programs are loaded into RAM because of its faster read speed. • The hard disk drive (HDD) is typically the primary location of data storage within the computer. • The computer’s operating system (OS) is the bridge between the human user and the computer’s electronic components. It provides the user with a working environment and facilitates interaction with the system’s components. • Formatting is the process of preparing a hard disk drive to store and retrieve data in its current form. • A sector is the smallest unit of data that a hard drive can address. A cluster usually is the minimum space allocated to a file. Clusters are groups of sectors. • A FAT is a file allocation table. It tracks the location of files and folders on the hard disk drive. • Aspects of a computer that should be photographed close up at an electronic crime scene include (1) the screen of any running computer monitor; (2) all the connections to the main system unit, such as peripheral devices (e.g., keyboard, monitor, speakers, mouse, etc.); and (3) equipment serial numbers. • Evidentiary considerations may require the investigator to perform a live examination prior to disconnecting power. • Two situations in which an investigator would not unplug a computer at an electronic crime scene are (1) if encryption is suspected, and thus pulling the plug would reencrypt the data, rendering it unreadable without a password or key, and (2) if data exists in RAM that has not been saved to the HDD and will thus be lost if power to the system is discontinued. • The primary goal in obtaining data from an HDD is to do so without altering even one bit of data. To this end, a Message Digest 5 (MD5)/Secure Hash Algorithm (SHA) takes a “fingerprint” of a hard disk drive (HDD) before and after forensic imaging. • The types of computer evidence can be grouped under two major subheadings: visible and latent data. • Visible data is data that the operating system is aware of and thus is easily accessible to the user. It includes any type of user-created data, such as word-processing documents, spreadsheets, accounting records, databases, and pictures. • Temporary files created by programs as a sort of on-the-fly backup can prove valuable as evidence. Data in the swap space used to conserve the valuable RAM within the computer system can also yield evidentiary data. • Latent data is data that the operating system is not aware of. The constant shuffling of data through deletion, defragmentation, swapping, and so on, is one of the reasons data is stored in latent areas. • Latent data can exist in both RAM slack and file slack. RAM slack is the area from the end of the logical file to the end of the sector. File slack is the remaining area from the end of the final sector containing data to the end of the cluster. • Latent data might be found in unallocated space—space on an HDD that the operating system sees as empty and ready for data.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
35 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
• When a user deletes files, the data typically remains behind, so deleted files are another source of latent data. • Places where a forensic computer examiner might look to determine what websites a computer user has visited recently are the Internet cache, cookies, and the Internet history. • The history file can be located and read with a forensic software package. Another way to access websites that have been visited is by examining bookmarks and favorite places. • IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number from 0 to 255. • IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most Internet investigations are conducted. • An investigator tracking the origin of an e-mail seeks out the sender’s IP address in the e-mail’s header. Chat and instant messages are typically located in a computer’s random-access memory (RAM). • Tracking the origin of unauthorized computer intrusions, or hacking, requires investigating a computer’s log file, RAM, and network traffic. • A firewall is a device designed to protect against intrusions into a computer network. • Mobile devices offer many of the services that are offered by computers and other devices. These devices can provide a vast amount of useful and evidentiary data in an investigation. • Leaving a mobile device running but placing it in something that will block its communication is the preferred method of choice for preserving data on a mobile device. • Complications arise in extracting and evaluating data from mobile devices because of the variety of ways that different devices store and manage data.
KEY TERMS
bit 469
bookmark 485
byte 469
central processing unit (CPU) 465
cluster 469
cookies 483
file slack 478
firewall 487
hacking 487
hard disk drive (HDD) 466
hardware 463
Internet cache 483
Internet history 483
latent data 477
Message Digest 5 (MD5)/Secure Hash Algorithm (SHA) 474
motherboard 465
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
36 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
operating system (OS) 468
partition 468
random-access memory (RAM) 465
sector 469
software 464
swap file 476
temporary files 477
unallocated space 480
visible data 475
REVIEW QUESTIONS
1.
Computer forensics involves the ______________,______________, ______________, ______________, and ______________ of computer data.
2.
True or False: Hardware comprises the physical components of the computer. ______________
3.
______________ is a set of instructions compiled into a program that performs a particular task.
4.
(ROM, RAM) chips store programs used to start the boot process.
5.
The term used to describe the chassis, including the motherboard and any other internal components of a personal computer, is ______________.
6.
True or False: The motherboard is a complex network of wires that carry data from one hardware device to another. ______________
7.
True or False: The first thing you should do when you encounter a computer system in a forensic investigation is to connect the power supply and boot the system. ______________
8.
RAM is referred to as volatile memory because it is not ______________.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
37 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
9.
The brain of the computer is referred to as the ______________.
10.
The ______________ is the primary component of storage in a personal computer.
11.
Personal computers typically communicate with each other through a(n) ______________.
12.
The computer’s ______________ permits the user to manage files and applications.
13.
A hard drive’s partitions are typically divided into ______________, ______________, ______________, and ______________.
14.
A(n) ______________ is a single one or zero in the binary system and the smallest term in the language of computers.
15.
A(n) ______________ is a group of eight bits.
16.
A group of sectors, always units in multiples of two, is called a(n) ______________.
17.
An exact duplicate of the entire contents of a hard disk drive is known as a(n) ______________.
18.
All data readily available to a computer user is known as ______________ data.
19.
A(n) ______________ file is created when data is moved from RAM to the hard disk drive to conserve space.
20.
Most programs automatically save a copy of a file being worked on into a(n) ______________ file.
21.
The existence of ______________ data is why a forensic image of the media is created.
22.
The smallest unit of addressable space on a hard disk drive is the ______________.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
38 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
23.
The two types of slack space are ______________ slack and ______________ slack.
24.
______________ slack is the area from the end of the data portion of the file to the end of the sector.
25.
The portion of a disk that does not contain stored data is called ______________.
26.
True or False: Defragmenting a hard disk drive involves moving noncontiguous data back together. ______________
27.
True or False: A portion of a “deleted” file may be found in a computer’s unallocated space. ______________
28.
A(n) ______________ takes the form of a series of numbers to route data to an appropriate location on the Internet.
29.
A user’s hard disk drive will ______________ portions of webpages that have been visited.
30.
A(n) ______________ is placed on a hard disk drive by a website to track certain information about its visitors.
31.
E-mails have the ______________ address of the sender in the header portion of the mail.
32.
True or False: Chat and instant messages conducted over the Internet are typically stored in RAM storage. ______________
33.
When investigating a hacking incident, investigators concentrate their efforts on three locations: ______________,______________, and ______________.
34.
Devices that permit only requested traffic to enter a computer system are known as ______________.
35.
A(n) ______________ is a device that can prevent a mobile phone from communicating with a service provider.
36.
True or False: Extracting and analyzing data from mobile devices is complicated because manufacturers of these devices
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
39 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
store and manage data in a variety of ways. ______________
APPLICATION AND CRITICAL THINKING
1.
If a file system defines a cluster as six sectors, how many bits of information can be stored on each cluster? Explain your answer.
2.
Criminalist Tom Parauda is investigating the scene of a crime involving a computer. After he arrives, he photographs the overall scene and takes close-up shots of all the connections to the single computer involved, as well as photos of the serial numbers of the computer and all peripheral devices. Tom then labels the cord to each peripheral device, then disconnects them from the computer. After making sure that all data in RAM has been saved to the hard disk drive, he unplugs the computer from the wall. What mistakes, if any, did Tom make?
3.
You are investigating a case in which an accountant is accused of keeping fraudulent books for a firm. Upon examining his computer, you notice that the suspect uses two different accounting programs that are capable of reading the same types of files. Given this information, where would you probably begin to search for latent data on the computer and why?
4.
You are examining two computers to determine the IP address from which several threatening e-mails were sent. The first computer uses Microsoft Outlook as an e-mail client and the second uses a web-based e-mail client. Where would you probably look first for the IP addresses in each of these computers?
ENDNOTES
1.
A megabyte (MB) is approximately one million bytes; a gigabyte (GB) is approximately one billion bytes, or 1,000 megabytes.
2.
Actually, the more appropriate term is probably paging as opposed to swapping. This is because entire programs are typically not swapped in and out of
memory to the swap space; rather, pages of memory are placed there.
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
40 of 41 7/8/17, 12:07 AM
PRINTED BY: [email protected]. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.
APPENDIX I GUIDES TO THE COLLECTION OF PHYSICAL EVIDENCE—FBI
Amount Desired
Specimen Standard Evidence Send By
Abrasives Not less than one ounce
All Registered mail or equivalent
Ammunition (Live Cartridges)
US Department of Transportation regulations and the following guidelines must be followed when shipping live ammunition:
• Package and ship ammunition separately from firearm(s). • The outside of the container must be labeled “ORM-D, CARTRIDGES, SMALL ARMS.” • The Declaration of Dangerous Goods must include the number of package(s) and the gross weight in grams of the completed package(s).
Anonymous Letters and Bank Robbery Notes
Documentary evidence: It should not be folded, torn, marked, soiled, stamped, written on, or handled unnecessarily. Protect the evidence from inadvertent indented writing. Mark documents unobtrusively by writing the collector’s initials, date, and other information with a pencil. Whenever possible, submit the original evidence to the laboratory. The lack of detail in photocopies makes examinations difficult. Copies are sufficient for reference file searches.
Registered mail or equivalent
Bullets (projector without cartridge) (Live Cartridges)
All found
Forensic Science: From the Crime Scene to the Crime Lab https://jigsaw.vitalsource.com/api/v0/books/9781323284162/print?from...
41 of 41 7/8/17, 12:07 AM