---
title: 'DFI Focus Areas'
disqus: hackmd
---

DFI Focus Areas
===

<style>
img{
  /* border: 2px solid red; */
  margin-left: auto;
  margin-right: auto;
  width: 90%;
  display: block;
}
</style>

## Table of Contents
[TOC]

01 Intro to Forensics
---

### Definition of Digital Forensics
- digital forensics
  - the application of computer science and investigative procedures for a legal purpose
  - involves the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics (hashing), use of validated tools, repeatability, reporting and possibly expert presentation

### Chain of Custody
- chain of custody
  - the route evidence takes from the time it is found until the case is closed or goes to court

### Public vs Private Investigator
- private sector
  - involves violations of private company policy and litigation disputes
  - policies are published and maintained to reduce litigation
- public sector
  - needs search warrants before seizing evidence
  - involves government agencies responsible for criminal investigations and prosecution

### Case Law
- when statutes (laws passed by a legislative body) don't exist, **case law** is used
  - allows legal counsel to apply previous similar cases to the current one to address ambiguity in the law
- examiners must know recent court rulings on search and seizure in electronic environments

### Potential Challenges for Investigator
- for the private sector
  - the distinction between personal and company computer property can be difficult
  - **bring your own device (BYOD)** environments
    - some policies state that if you connect a personal device to the business network, it falls under the same rules as company property
- law enforcement officers should follow proper procedure when acquiring evidence
  - digital evidence can be easily altered by an overeager investigator
  - information can also be password protected, so forensic tools are needed

02 Understanding Investigation
---

### Rules of Computer Forensics
- always preserve the original evidence
  - do all analysis on a copy of the original evidence
  - Windows tools require a write-blocking device when acquiring data from **FAT or NTFS** file systems (Windows will otherwise mount and write to such volumes on its own)
- use a systematic approach
  - assess the case
  - plan the investigation
  - secure the evidence
  - conduct the investigation
  - gather the evidence
  - complete the case
  - critique the case

### Chain of Evidence Form
- an evidence custody form documents what has been done with the original evidence and its forensic copies
  - AKA **chain of evidence form**
- 2 types
  - single-evidence form
    - lists each piece of evidence on a separate page
  - multi-evidence form
- includes
  - model/serial number of the computer component
  - evidence recovered by
    - name of the investigator who recovered the evidence
    - the chain of custody starts here
  - date and time the evidence was taken into custody

### Common Investigation Cases
#### Internet Abuse Investigations
- needed
  - the organisation's internet proxy server logs
  - the suspect computer's IP address
  - the suspect computer's disk drive
  - your preferred computer forensics analysis tool
- recommended steps
  - use standard forensic analysis techniques and procedures
  - use appropriate tools to extract all web page URL information
  - contact the network firewall administrator and request the proxy server log
  - compare the data recovered from the analysis to the proxy server log
  - continue analysing the computer's disk drive data

#### Employee Termination Cases
- the majority of investigative work for termination cases involves employee abuse of corporate assets
- incidents that create a hostile work environment are the predominant type of case investigated
  - viewing pornography in the workplace
  - sending inappropriate emails
- organisations must have appropriate policies in place
  - consult the HR department

#### Email Abuse Investigations
- needed
  - an electronic copy of the offending email with its message header data
  - if available, email server log records
  - for email systems that store users' messages on a central server, access to the server
  - access to the computer so you can perform forensic analysis on it
  - your preferred forensics tool
- recommended steps
  - use standard techniques
  - obtain an electronic copy of the suspect's and victim's email folder/data
  - for web-based email investigations, use tools like FTK's Internet Keyword Search option to extract related email address information
  - examine the header data of all messages of interest to the investigation

#### Industrial Espionage Investigations
- all suspected cases of this kind should be treated as criminal investigations
- very common
- staff needed include
  - **computing investigator**
    - responsible for disk forensics examinations
  - **technical specialist**
    - knowledgeable about the suspected compromised technical data
  - **network specialist**
    - can perform log analysis and set up network sniffers
  - **threat assessment specialist**
    - typically an attorney
- guidelines for the investigation
  - determine whether the investigation involves an industrial espionage incident
  - consult corporate attorneys and upper management
  - determine what information is needed to substantiate the investigation
  - generate a list of keywords for disk forensics and sniffer monitoring
  - list and collect resources for the investigation
  - determine the goal and scope of the investigation
  - initiate the investigation after approval from management
- planning considerations
  - examine all email of suspected employees
  - search internet newsgroups or message boards
  - initiate physical surveillance
  - examine facility physical access logs for sensitive areas
  - determine the suspect's location in relation to the vulnerable asset
  - study the suspect's work habits
  - collect all incoming and outgoing phone logs
- steps for the investigation
  - gather all personnel assigned to the investigation and brief them on the plan
  - gather resources for the investigation
  - place surveillance systems at key locations
  - discreetly gather extra evidence
  - collect all log data from networks and email servers
  - report regularly to management and corporate attorneys
  - review the investigation's scope with management and corporate attorneys

### Public vs Private Investigation
- the public sector needs search warrants before seizing digital evidence
- deals with criminal and private cases (e.g. abuse of resources)

03 Data Acquisition
---

### 3 Evidence Storage Formats
- data from a forensic acquisition tool is stored as an **image file**
- image files come in 1 of 3 formats
  - raw format
  - proprietary formats
  - Advanced Forensic Format (AFF)
    - newer

#### Raw Format
- a bit-stream copy of the source written to a file
  - a sequential flat file
  - in the past the only option was a bit-by-bit copy to media of the same size or bigger to create the evidence copy
- advantages
  - fast data transfers
  - ignores minor data read errors on the source drive
  - most computer forensics tools can read raw format
  - e.g. `.dd`
- disadvantages
  - needs the same amount of storage as the original disk/data
  - tools may not collect marginal (bad) sectors
    - due to a low threshold of retry reads on weak media spots on the drive

#### Proprietary Formats
- features
  - can compress image files
    - saves space
  - can split the image into smaller segmented files
    - provides an integrity check for the split data
  - can integrate metadata into the image file
- disadvantages
  - cannot share images between different tools/vendors
  - file size limit for each segmented volume
    - usually 650 MB
    - can be adjusted up or down, to a limit of 2 GB
- Expert Witness Format is the unofficial standard
  - default for Guidance Software EnCase
  - e.g. `.ex01`, `.e01`

#### Advanced Forensic Format (AFF)
- open source acquisition format
- design goals
  - compressed or uncompressed image files
  - no size restriction for disk-to-image files
  - provides space in the image/segmented file for metadata
  - simple design with extensibility
  - open source for multiple platforms and OSs
  - vendors have no implementation restrictions on this format
    - possible future standard
  - internal consistency checks for self-authentication
- file extensions use `.afd` for segmented images and `.afm` for AFF metadata

### 4 Acquisition Methods
- types of acquisition
  - static
  - live

#### Disk-to-Image File
- most common method
- most flexible
  - can make more than 1 copy
  - copies are bit-for-bit replications of the original drive
- ProDiscover, EnCase, FTK, SMART, The Sleuth Kit, X-Ways, ILookIX
  - tools that perform disk-to-image copies
  - read the image file as if it were the original disk

#### Disk-to-Disk
- when a disk-to-image copy is not possible
- tools can adjust the target disk's geometry configuration
  - e.g. tracks, sectors etc.
- EnCase, SnapCopy, SafeBack

#### Logical or Sparse Acquisition
- collecting evidence from a large device can take several hours
- reason to use these methods
  - time limited
- logical acquisition captures only specific files of interest to the case
  - e.g. only investigate Outlook
- sparse acquisition additionally collects fragments of unallocated/deleted data
- for large disks
  - for PST or OST mail files, RAID servers
  - up to several TB

### Write-Blocking Device
- prevents writes to the hard disk
  - any tool that permits read-only access to data storage devices without compromising the integrity of the data
- software-enabled blockers
  - typically run in shell mode (Windows CLI)
  - e.g. PDBlock from Digital Intelligence
- hardware options
  - ideal for GUI forensic tools
  - prevent Windows/Linux from writing data to the blocked drive
  - act as a bridge between the suspect drive and the forensic workstation

#### Using a Write-Blocker
- can navigate to the blocked drive with any application
  - no problem accessing the blocked drive's applications after the write-blocker is installed
- discards written data
  - the OS is told the write succeeded, but nothing reaches the drive
- connecting technologies
  - FireWire
  - USB 2.0 and 3.0
  - SATA, PATA and SCSI controllers

### 4 Validation Techniques
- needs a **hashing algorithm utility**
- validation techniques
  - CRC-32
  - MD5
  - SHA-1
  - SHA-512

#### Windows Validation Methods
- the course notes that Windows has no built-in hashing tools; current versions do ship `certutil -hashfile <file> SHA256` and PowerShell's `Get-FileHash`
- 3rd party utilities
  - hex editors like WinHex
- commercial computer forensics programs have built-in validation features
  - each program has its own technique
  - ProDiscover's `.eve` files contain metadata in the acquisition file or segmented files, including the hash value for the suspect drive/partition
- raw format image files don't have metadata
  - separate manual validation is recommended for all raw acquisitions

### Remote Acquisition
- can remotely connect to a suspect computer via a network connection and copy data from it
- remote acquisition tools vary in configuration and capabilities
  - some need manual intervention on the remote suspect computer to initiate the data copy
- tools like EnCase and ProDiscover allow remote acquisition
- drawbacks
  - antivirus, antispyware and firewall tools have to be configured to ignore the remote access program, otherwise access can be blocked
  - suspects can easily install their own security tools that trigger an alarm to notify them of remote access intrusions
- connecting remotely allows you to
  - preview the suspect's drive remotely while it is in use or powered on
  - perform a live acquisition (AKA a smear, since disk data is being altered while the computer is active) while the computer is powered on
  - encrypt the connection between suspect and examiner
  - copy the suspect computer's RAM while it is on
  - use an optional stealth mode to hide the remote connection from the suspect while data is previewed/acquired
- other functions
  - capture volatile system state information
  - analyse currently running processes on the remote system
  - locate unseen files and processes that might be running malware/spyware
  - remotely listen on and view IP ports
  - run hash comparisons on the remote system to search for trojans and rootkits
  - create a hash inventory of all files on the system remotely to establish a baseline in case it gets attacked
  - negative hash search capability

04 Digital Forensics Tools
---
- consult your business plan to get the best hardware and software for your DF investigation
- maintain a software library in your lab; keep useful software and drivers

### Forensic Tool Functions
- all computer forensic tools (hardware and software) perform specific functions
- functions are grouped into 5 categories
  - acquisition
  - validation and verification
  - extraction
  - reconstruction
  - reporting

#### Acquisition
- making a copy of the original drive
- acquisition subfunctions
  - physical data copy
  - logical data copy
    - logical partition
  - data acquisition format
    - raw data format
  - GUI acquisition
  - remote, live (logon) and memory acquisition
- 2 types of data copying methods used
  - physical copying of the entire drive
  - logical copying of a disk partition
- formats for disk acquisition vary
  - from raw data to vendor-specific proprietary
  - can view the contents of a raw image with a hex editor
![](https://i.imgur.com/Pe2YToQ.png)
- creating smaller segmented files is a typical feature in vendor acquisition tools
  - segmented files are smaller and hence can be stored on smaller media
- remote acquisition of files is common in larger organisations
  - popular tools like AccessData FTK and EnCase can do remote acquisition of forensic drive images over the network

#### Validation and Verification
- validation
  - a way to confirm that a tool is functioning as intended
  - ensures the integrity of the copied data
- verification
  - proves that 2 sets of data are identical by calculating a hash or using a similar method
- a related process is **filtering**
  - involves sorting and searching through the investigation's findings to separate good (known) data from suspicious data
- subfunctions
  - hashing
    - ensures data has not changed
    - CRC-32, MD5, SHA-1
  - filtering
    - separates good files from files that need to be investigated
    - based on hash value sets
  - analysing file headers
    - checks for changed file types
    - discriminates files based on type
- the National Software Reference Library (NSRL) has compiled a list of known file hashes
  - for a variety of OSs, applications and images
- validation and discrimination
  - many computer forensics programs include a list of common header values
    - can see whether a file extension is incorrect for the file type
  - most tools can identify header values

#### Extraction
- the recovery task in a digital investigation
- the most challenging to master
- recovering data is the 1st step in analysing the investigation's data
- subfunctions
  - data viewing
    - different tools provide different ways of viewing data
  - keyword searching
    - a good function, but using the wrong keyword may produce noise
    - speeds up analysis for invest0igators
  - decompressing
  - carving
    - reconstructing fragments of files
  - decrypting
    - a potential problem for the investigation
    - password recovery tools have a feature for generating password lists
      - AKA password dictionary attack
    - if the dictionary attack fails, a brute-force attack can be run
  - bookmarking/tagging

#### Reconstruction
- recreate the suspect drive to show what happened during the crime or incident
- or create a copy of the suspect drive for other investigators
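Before the reconstruction methods, here is the validation and discrimination subfunction described above in working form: filtering files against a known-file hash set (the role the NSRL plays) and flagging files whose header disagrees with their extension. This is an added example and not code from the original notes or from any forensic vendor. The sample files, the tiny known-good hash set and the signature table are all constructed for the example; a real run would point `triage()` at files exported from the image and load the NSRL hash list instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample "evidence" files (assumption: not from any real case). They are
# written to a temp directory so the example runs offline; in practice the paths would
# point at files exported from the mounted image.
SAMPLE_FILES = {
    "notepad.exe": b"MZ" + b"\x00" * 62 + b"stub",          # in the known-good set
    "report.docx": b"PK\x03\x04" + b"word/document.xml",   # header agrees with extension
    "holiday.jpg": b"PK\x03\x04" + b"secret.zip payload",  # a ZIP renamed to .jpg
    "photo.jpg":   b"\xff\xd8\xff\xe0JFIF",                # a real JPEG header
}

# Assumed stand-in for an NSRL-style known-file set (the real RDS carries SHA-1, MD5 and
# CRC32 per file); here it contains just the hash of the sample "notepad.exe".
KNOWN_GOOD_SHA1 = {hashlib.sha1(SAMPLE_FILES["notepad.exe"]).hexdigest()}

# Header-value table: extension -> magic bytes it should start with. Real tools carry
# hundreds of entries; this subset is enough to show the discrimination step.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".docx": [b"PK\x03\x04"], ".zip": [b"PK\x03\x04"],
    ".exe": [b"MZ"], ".png": [b"\x89PNG\r\n\x1a\n"],
}

def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Hash a file in 1 MiB chunks so a multi-GB image never has to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def header_matches_extension(path):
    """None if the extension is not in the table, else whether the header agrees with it."""
    expected = SIGNATURES.get(Path(path).suffix.lower())
    if expected is None:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    return any(head.startswith(magic) for magic in expected)

def triage(paths, known_sha1):
    """Classify files: 'known' (hash in the good set, can be filtered out), 'mismatch'
    (extension disagrees with the header, possibly renamed to hide it) or 'review'."""
    verdicts = {}
    for p in paths:
        if hash_file(p)["sha1"] in known_sha1:
            verdicts[Path(p).name] = "known"
        elif header_matches_extension(p) is False:
            verdicts[Path(p).name] = "mismatch"
        else:
            verdicts[Path(p).name] = "review"
    return verdicts

def demo():
    """Write the constructed files out and triage them; returns {filename: verdict}."""
    tmp = Path(tempfile.mkdtemp(prefix="triage_"))
    paths = []
    for name, data in SAMPLE_FILES.items():
        (tmp / name).write_bytes(data)
        paths.append(tmp / name)
    return triage(paths, KNOWN_GOOD_SHA1)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The same `hash_file()` is what you would run over the acquired image itself and compare with the hash recorded at acquisition time; hashing in chunks matters because evidence images are routinely larger than RAM. Note that a header check can only say "not what the extension claims", so an unknown extension returns `None` and the file stays in the review pile rather than being cleared.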
- reconstruction methods
  - disk-to-disk copy
  - partition-to-partition
  - image-to-disk
  - image-to-partition
  - rebuilding files from data runs and carving
- to recreate an image of the suspect drive
  - copy the image to another location/partition/physical disk or VM
  - the simplest method is to use a tool that makes a direct disk-to-image copy
    - Linux `dd` command
    - ProDiscover
    - Voom Technologies Shadow Drive

#### Reporting
- after performing forensic disk analysis and examination, you need to create a report
- subfunctions
  - bookmarking/tagging
  - log reports
    - document the investigation steps
  - report generator
    - uses this information when producing the final report

### Types of Tools
#### GUI Tools
- can simplify investigations
- simplified training for beginner examiners
- most are put together as a suite of tools
- advantages
  - ease of use
  - multitasking
  - don't need to learn older OSs
- disadvantages
  - excessive resource requirements
    - e.g. RAM
  - inconsistent results
    - because of the type of OS used
    - e.g. 32-bit vs 64-bit
  - create tool dependencies
    - investigators may want to use only 1 tool and refuse to change
    - you should be familiar with more than 1 type of tool

#### Hardware Tools
- technology changes rapidly
- hardware eventually fails
  - schedule equipment replacements periodically
- when planning the budget, consider
  - the amount of time the workstation needs to be running
  - how often it fails
  - consultant and vendor fees
  - hardware support
- anticipate equipment replacement
  - the more you use it, the more equipment will break

### Validating Tools
- important for the evidence you recover and analyse to be admissible in court
- test and validate software to prevent damaging evidence

### Validation Protocols
- always verify results by doing the same tasks with other tools
  - use at least 2
    - retrieval and examination
    - verification
- understand how forensic tools work
- 1 way to compare results and verify a new tool is to use a disk editor like Hex Workshop or WinHex
  - a disk editor can view data on the disk in raw format
  - no flashy interface, but still reliable
  - can access raw data
- computer forensic examination protocol
  - perform the investigation with a GUI tool
  - verify the results with a disk editor
  - compare the hashes from both tools
- digital forensics tool upgrade protocol
  - to ensure evidence data won't be corrupted, test
    - new releases of tools
    - OS patches and upgrades
  - if a problem is found, report it to the forensic tool vendor
    - don't use the tool until the problem is fixed
  - use a test hard disk for validation
  - check the web for new editions, updates, patches and validation tests for tools

05 Evidence Processing
---

### Disk Partitions
- a partition is a logical drive
- with an MBR partition table, a disk can have up to 4 primary partitions, or 3 primary partitions plus 1 extended partition that contains 1 or more logical drives
- **partition gap**
  - unused space between partitions
  - can be used to hide data
![](https://i.imgur.com/mmJXMqa.png)
![](https://i.imgur.com/qlbNz5f.png)
- the **partition table** is a table maintained on disk by the OS describing the partitions on the disk
  - key hex codes used by the OS to identify and maintain the file system
  - is in the **master boot record (MBR)**
    - located at sector 0 of the disk drive
    - precedes the 1st partition
- the MBR stores information about the partitions on the disk and their locations, sizes and other important items
  - identifies how and where the OS is located so it can be booted into the computer's main storage/RAM
- in a hex editor, the 1st partition entry is found at offset 0x1BE
  - each entry is 16 bytes; the 4 entries sit at 0x1BE, 0x1CE, 0x1DE and 0x1EE, followed by the `55 AA` signature at 0x1FE
  - the file system's hex type code is byte 4 of the entry (0x1C2 for the 1st partition), after the 1-byte boot flag and the 3-byte legacy CHS start address; the course text gives this as 3 bytes from 0x1BE, which is off by one
  - the sector address (LBA) where this partition starts on the drive is 8 bytes from 0x1BE, stored as 4 bytes little-endian
  - the number of sectors assigned to the partition is 12 bytes from 0x1BE, also 4 bytes little-endian
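An added example (not from the original notes) that reads the partition table at 0x1BE as laid out above, checks the `55 AA` signature, and then lists the sectors no partition accounts for, which is exactly the unallocated space the partition-gap hiding technique uses. The sector it parses is constructed inline and is an assumption, not a real drive; on a case you would pass the first 512 bytes of the raw image, e.g. `parse_mbr(open('evidence.dd', 'rb').read(512))`.

```python
import struct

# Subset of the MBR partition-type table; a real tool carries the full list.
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}
TABLE_OFFSET, ENTRY_SIZE, SECTOR_SIZE = 0x1BE, 16, 512

def parse_mbr(sector0):
    """Parse the four 16-byte partition entries at 0x1BE, 0x1CE, 0x1DE and 0x1EE.

    Entry layout: byte 0 boot flag (0x80 = active), bytes 1-3 CHS start, byte 4 type
    code, bytes 5-7 CHS end, bytes 8-11 starting LBA, bytes 12-15 sector count
    (both little-endian). Returns one dict per non-empty entry."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55 AA signature at 0x1FE: not an MBR")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector0, off)
        if ptype == 0x00:
            continue                                    # unused slot
        partitions.append({
            "index": i, "entry_offset": off, "bootable": boot == 0x80,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba, "sectors": count, "size_bytes": count * SECTOR_SIZE,
        })
    return partitions

def find_gaps(partitions, total_sectors):
    """Sector ranges (start, length) no partition accounts for: the space between or
    after partitions where the partition-gap hiding technique puts data."""
    gaps, cursor = [], 1                                # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample_mbr():
    """Constructed sector 0 (assumption, not from a real drive): an active NTFS partition
    at LBA 2048 of 1,048,576 sectors, then a Linux partition starting 2048 sectors after
    the NTFS one ends, leaving a small gap between them."""
    sector = bytearray(SECTOR_SIZE)
    entries = [(0x80, 0x07, 2048, 1048576), (0x00, 0x83, 1052672, 204800)]
    for i, (boot, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", boot, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())        # real case: first 512 bytes of the image
    for p in parts:
        print(f"entry {p['index']} @0x{p['entry_offset']:X}: type 0x{p['type']:02X} "
              f"({p['type_name']}) LBA {p['lba_start']} sectors {p['sectors']}")
    print("unallocated:", find_gaps(parts, total_sectors=1_300_000))
```

`find_gaps()` is the "account for all disk space" check: anything it reports should be examined with a hex editor, and a type code of 0x05/0x0F or 0xEE means you must go on to parse the extended partition chain or the GPT, since the MBR alone does not describe those volumes.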
![](https://i.imgur.com/guw7zEz.png)

### RAM and File Slack
- Microsoft OSs allocate disk space for files by cluster
  - results in **drive slack**
    - unused space in a cluster between the end of the active file and the end of the cluster
- drive slack includes
  - **RAM slack**
    - the unused portion of the last sector used in the last assigned cluster
  - **file slack**
    - the unused sectors allocated to the file
- an unintentional side effect of FAT16 having large clusters was that it reduced fragmentation as cluster size increased
![](https://i.imgur.com/mO2OYCN.png)
- following the above image, to determine RAM and file slack size
  - determine the allocated space and the document size
    - assume the OS allocated a 64-sector cluster; since one sector is 512 bytes, 64 * 512 = 32,768 bytes
    - SectorsRequired = RoundUp(FileSize / SectorSize)
    - the document size is 5,000 bytes, so 10 sectors are needed to store it
      - 10 * 512 = 5,120 bytes for 10 sectors
      - 5,120 - 5,000 = 120 bytes, which is the size of the RAM slack
  - derive the file slack: FileSlack = TotalAllocatedSize - DocumentSize - RAMSlack
    - 32,768 - 5,000 - 120 = 27,648 bytes

### Clusters
- cluster sizes vary according to disk drive size and file system
- clusters are made up of sectors
![](https://i.imgur.com/CVvP5ul.png)
- number of clusters required to store a file
  - ClustersRequired = RoundUp(FileSize / ClusterSize)

### File Allocation Table (FAT)
- file allocation table (FAT)
  - a file structure database that Microsoft originally designed for floppy disks
- the FAT database is typically written to the disk's outermost track; the file system records
  - filenames
  - directory names
  - date and time stamps
  - starting cluster number
  - file attributes
  - (strictly, these live in the directory entries; the FAT itself holds the chain of clusters for each file)
![](https://i.imgur.com/Jhs6dyH.png)
![](https://i.imgur.com/k6tVFT4.png)
- clusters are made up of sectors
  - one sector is 512 bytes
- the cluster number is a logical address in the OS

### NTFS File System
- NT file system (NTFS)
  - introduced in Windows NT
  - the primary Windows file system (the default since Windows 2000/XP)
- improvements over FAT
  - provides more information about a file
  - gives more control over files and folders
- on an NTFS disk
  - the 1st data set is the **partition boot sector**
  - next is the **master file table (MFT)**
    - each file is represented by a record here
- NTFS results in less file slack space
  - clusters are smaller for smaller disk drives
![](https://i.imgur.com/4aBTkNh.png)
![](https://i.imgur.com/A6RsmZJ.png)

#### Master File Table (MFT)
- the master file table contains information about all files on the disk
  - including the system files the OS uses
- all files and folders are stored in separate records of 1024 bytes each
- in the MFT, the first 16 records (0 to 15) are reserved for system files such as `$MFT`, `$LogFile` and `$Bitmap`
- the information in MFT records is called **metadata**
  - each record contains file or folder information
  - the information is divided into **record fields** containing metadata
  - each record field is referred to by an **attribute ID** (e.g. 0x10 for `$STANDARD_INFORMATION`, 0x30 for `$FILE_NAME`, 0x80 for `$DATA`)

#### Resident vs Non-Resident Files
- file data is stored in 1 of 2 ways in an MFT record
  - resident
    - small files (the course uses < 512 bytes as the rule of thumb; the real limit is whatever fits in the 1024-byte record after the other attributes)
    - all file metadata and data are stored in the MFT record itself
  - non-resident
    - larger files
    - data is stored in clusters elsewhere on the partition, and the MFT record holds **data runs** that point to them
  - each attribute header carries a flag that identifies which way it is stored
- the MFT links a non-resident file to its clusters on the partition using **logical cluster numbers (LCN)**
  - an LCN is a cluster's address on the volume; it is assigned when the first data is written to a non-resident file
  - within the file, clusters are numbered from 0 as **virtual cluster numbers (VCN)**; each data run maps a range of VCNs to a starting LCN and a length

#### MFT Structure for File Data
![](https://i.imgur.com/LiTlkIf.png)
![](https://i.imgur.com/WZrLo2u.png)
![](https://i.imgur.com/dXyx7Bn.png)
![](https://i.imgur.com/EHClmqD.png)
- for the header of all MFT records, the record fields of interest are
  - offset 0x00 - MFT record identifier (`FILE`)
  - offset 0x14 - length of the header, i.e. the offset at which the first attribute starts
    - e.g. `38 00` read little-endian is `0x0038` = 56 bytes
  - offset 0x1C to 0x1F - allocated size of the MFT record (normally 1024)
  - offset 0x32 and 0x33 - update sequence array
    - stores the original last 2 bytes of the 1st sector of the MFT record (0x34 and 0x35 hold those of the 2nd sector); on disk those sector-end bytes are overwritten with the update sequence number found at 0x30
    - used as an integrity check for the record: if the sector ends don't match the sequence number, the record was not written completely
![](https://i.imgur.com/vmwTC7f.png)
![](https://i.imgur.com/JjFhgHe.png)
- standard information attribute
  - create date and time
  - last modified date and time
  - last access date and time
  - record update date and time

06 Analysis and Validation
---

### Scope Creep
- **scope creep**
  - when an investigation expands beyond its original description
  - due to unexpected evidence
  - attorneys may ask investigators to examine other areas or more evidence
  - increases the time and resources needed to extract, analyse and present evidence
  - document the extra time spent on recovering extra evidence
- scope creep is more common now
  - criminal investigations need more detailed examination of evidence just before trial
    - helps prosecutors fend off attacks from defence attorneys
  - new evidence discovered often isn't revealed to the prosecution
    - more important for prosecution teams to ensure they have analysed the evidence exhaustively before trial

### Hex Editors
- common functions
  - hashing
  - bit shifting

#### Hashing for Validation
- some tools have limitations for hashing, so use advanced hex editors for data integrity
- advanced hex editors have features not in forensic tools
  - hashing specific files or sectors
  - with the hash value, use the tool to search for a suspicious file that might have had its name changed to look unsuspicious
- WinHex provides MD5 and SHA-1 hashing algorithms

### Data Hiding Techniques
- data hiding
  - changing/manipulating a file to conceal information
- techniques
  - hiding entire partitions
    - use disk management
  - changing file extensions
  - setting file attributes to hidden
  - changing the file signature
  - bit shifting
    - shift 1 bit to the left
  - using encryption
  - password protection

#### Hiding Files using the OS
- change the file extension
  - tools check file headers
  - compare with the file extension to verify
  - if there's a discrepancy, the tool flags the file as possibly altered
- another hiding technique is selecting the hidden attribute in the file's Properties dialog box in Windows
#### Hiding Partitions
- use the Windows `diskpart` command: `select volume N` then `remove letter=X`
  - unassigning the partition's drive letter hides it from File Explorer
  - use `assign letter=X` to unhide it
- other disk management tools
  - Partition Magic
  - Partition Master
  - Linux GRand Unified Bootloader (GRUB)
- to detect whether a partition is hidden
  - account for all disk space when examining the drive
  - analyse all disk areas containing space you cannot account for
- in ProDiscover, a hidden partition appears as the highest available drive letter in the BIOS
  - other tools have their own methods of assigning drive letters
![](https://i.imgur.com/gtomsIF.png)

#### Marking Bad Clusters
- a data hiding technique in FAT is placing sensitive data in free/slack space in disk partition clusters
  - involves old utilities like Norton DiskEdit
  - can mark good clusters as bad so the OS considers them unusable
  - the only way to access them is by changing them back to good clusters with a disk editor
- DiskEdit runs only in MS-DOS and can only access FAT-formatted disk media

#### Bit-Shifting
- some users use a low-level "encryption" program that changes the order of binary data
  - makes the altered data unreadable
- to secure a file, users run an assembler program (AKA a macro) to scramble the bits
  - run another program to restore the scrambled bits to their original order
- bit shifting changes data from readable code to data that looks like binary executable code
- WinHex includes a bit-shifting feature

#### Examining Encrypted Files
- to decode an encrypted file
  - supply the password/passphrase
- many encryption programs use a technique called **key escrow**
  - designed to recover encrypted data if users forget the password or if the user's key is corrupted after a system failure
- key sizes of 2048 to 4096 bits make breaking them computationally infeasible with current technology
- OR try to get the suspect to reveal the encryption passphrase

#### Recovering Passwords
- password cracking tools are available for handling password-protected data
  - some are integrated into forensic tools
  - standalone tools
    - LastBit
    - AccessData PRTK
    - Ophcrack
    - John the Ripper
    - Passware
- brute-force attacks
  - try every possible combination of letters, numbers and characters
  - need a lot of time and processing power
  - both brute-force and dictionary attacks have to convert each candidate password from plaintext to a hash value before comparing it
    - this costs CPU cycles for every guess
- dictionary attack
  - uses common words from a dictionary
  - uses a variety of languages
  - many programs can build a profile of the suspect to narrow down the password
- many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
- rainbow table
  - a file containing precomputed hash values for a large space of possible passwords
  - no conversion needed at crack time
  - faster than brute-force/dictionary attacks
- salting passwords
  - makes password cracking difficult
  - alters the hash values by adding extra bits to the password before hashing
  - a precomputed table is useless because every salt produces a different hash for the same password

### Steganography and Watermarking
- **steganography**
  - Greek for hidden writing
  - hiding a message so that only the intended recipient knows it exists
- **steganalysis**
  - detecting and analysing stego files
- **digital watermarking**
  - developed as a way to protect file ownership
  - usually not visible when using stego
- the way to hide data is to use stego tools
  - many are freeware/shareware
  - insert information into a variety of files
  - if you encrypt a plaintext file with PGP and insert the encrypted text into a stego file, cracking the encrypted message is very difficult
- steganalysis methods
  - stego-only attack
    - only have the converted cover file to analyse
  - known cover attack
    - have both the cover file and the converted cover file to analyse
  - known message attack
    - when the hidden message is revealed later
  - chosen stego attack
    - the stego tool used is known
  - chosen message attack
    - the steganalyst generates a stego object from some stego tool/algorithm for a chosen message

07 Digital Forensics Lab
---

### Training and Certifications
- update skills through training
  - thoroughly research requirements, cost and acceptability in your area of employment
  - address the minimum skills for conducting computer investigations at many levels
- International Association of Computer Investigative Specialists (IACIS)
  - created by police officers who wanted to formalise credentials in computer investigations
  - candidates who complete the IACIS test are designated **Certified Forensic Computer Examiner (CFCE)**
- AccessData Certified Examiner (ACE) certification
  - open to the public and private sectors
  - specific to the use and mastery of AccessData Ultimate Toolkit
  - the exam has a knowledge-based assessment (KBA) and a practical skills assessment (PSA)
- other training and certifications
  - EC-Council
  - SysAdmin, Audit, Network, Security (SANS) Institute
    - expensive
  - Defense Cyber Investigations Training Academy (DCITA)

### Digital Forensics Lab
- digital forensics lab
  - where you conduct investigations
  - store evidence
  - house equipment, hardware and software
- should be secure so evidence is not lost/corrupted/destroyed
  - provide a safe and secure physical environment
  - a secure facility should preserve the integrity of the data
- keep inventory control of assets
  - know what you have/don't have
  - know when to order more
- minimum requirements
  - small room with true floor-to-ceiling walls
  - door access with a locking mechanism
  - secure container
  - visitor's log
- people working together should have the same access level
- brief staff about the security policy

#### Auditing the Forensics Lab
- auditing ensures proper enforcement of policies
- should include inspecting the following facility components
  - ceiling, floor, roof and exterior walls of the lab
  - doors and door locks
  - visitor logs
  - evidence container logs
- at the end of every workday, secure any evidence not being processed in a workstation

### Selecting a Basic Forensic Workstation
- depends on budget and needs
- use less powerful workstations for mundane tasks
- use multipurpose workstations for resource-heavy analysis tasks
- identify the environment
  - hardware platform
  - OS
- police labs have the most diverse needs for computer investigation tools
  - the lab may need legacy systems and software to match what's used in the community
- a small, local police department might have 1 multipurpose PC and 1 or 2 general-purpose PCs
- can use a PC with FireWire, USB 3 or SATA hard disks to create a lightweight, mobile forensic PC

08 Crime and Incident Scene Processing
---

### Digital Evidence
- digital evidence
  - any information stored/transmitted in digital form
- difference between documentary evidence and digital evidence
  - documentary evidence is always visible on its face
- US courts accept digital evidence as physical evidence
  - treated as a tangible object
  - e.g. the Scientific Working Group on Digital Evidence (SWGDE) sets standards for recovering, preserving and examining digital evidence
- tasks performed with digital evidence
  - identify digital information/artifacts that can be used as evidence
  - collect/preserve/document evidence
  - analyse/identify/organise evidence
  - rebuild evidence or repeat the situation to verify that results can be reproduced reliably
![](https://i.imgur.com/PumUMSF.png)

### Rules of Evidence
- consistent practices help verify work and enhance credibility
  - handle evidence consistently
- comply with your state's rules of evidence or the Federal Rules of Evidence
  - e.g. security and accountability controls for evidence
- evidence submitted in a criminal case can be used in a civil suit
  - and vice versa
- keep current on the latest rulings and directives on collecting, processing, storing and admitting digital evidence
- digital evidence differs from physical evidence since it is changed more easily
  - the only way to detect changes is by comparing hashes
- most courts interpret computer records as hearsay evidence
  - hearsay is second-hand/indirect evidence
    - evidence of a statement made by someone other than the witness
  - digital records are admissible if they are business records

#### Computer Records
- 2 types of computer records
  - computer-generated records
    - data maintained by the system
    - not created by a human
    - e.g. log files
  - computer-stored records
    - data created by a human and saved on a computer
    - e.g. a spreadsheet or Word document
- computer and digital records must be shown to be authentic and trustworthy to be admitted into court
  - computer-generated records are authentic if the program creating them was functioning correctly
    - no bugs
    - exception to the hearsay rule
  - collect evidence according to proper steps to ensure it is authentic
- when attorneys challenge digital evidence, they raise the issue of whether computer-generated records were altered or damaged
- one test to prove computer-stored records are authentic is demonstrating that a specific person created them
  - e.g. file metadata showing the author
  - HOWEVER, records recovered from slack space/unallocated disk space usually don't identify the author
- the process of establishing digital evidence's trustworthiness originated from the **best evidence rule**
  - the best evidence rule states
    - to prove the content of a written document/recording/photo, the original is required
    - a duplicate is allowed when it is produced by the same impression as the original
  - not always possible to produce the original
    - e.g. when you cannot use the original evidence
      - network servers
        - cannot remove them from the network to acquire evidence, since that will harm the (innocent) business/owner
    - data can be admitted in court as long as bit-stream copies of the data are created and maintained
      - though not best evidence

#### Properties
- 5 properties
  - admissible
  - authentic
  - complete
  - reliable
  - believable

### Collecting Evidence in Private-Sector Incidents
- use the inventory database to understand what hardware/software is needed to analyse the policy violation
- a corporate policy statement about misuse of digital assets
  - allows corporate investigators to conduct **covert surveillance**
    - surveillance on someone without the person noticing it
  - access company systems without a warrant
- companies must display a warning banner and publish the policy
  - state that they reserve the right to inspect computer assets at will
- corporate investigators should know under what circumstances they can examine an employee's computer
  - every organisation must have a well-defined process describing this
- if the investigation finds an employee guilty of a crime
  - the employer can file a criminal complaint with the police
  - the investigator should immediately report to corporate management
- employers are interested in enforcing company policy, not seeking out and prosecuting employees
  - corporate investigators are concerned with protecting the company's assets
- if you discover evidence of a crime during a company policy investigation
  - determine whether the incident meets the elements of the law
  - inform management of the incident
  - stop the investigation so you don't violate Fourth Amendment restrictions on obtaining evidence (once you act at the direction of law enforcement, you become its agent and those restrictions apply to you)
  - work with the corporate attorney on how to respond to police requests for more information

### Storing Digital Evidence
- the media used to store evidence depends on how long you need to keep it
- CD, DVD, DVD-R, DVD+R, DVD-RW
  - ideal
  - capacity
    - up to 17 GB
  - lifespan
    - 2 to 5 years
- magnetic tapes
  - 4 mm DAT
    - capacity
      - 40 to 72 GB
    - lifespan
      - 30 years
    - costs
      - drive - $400 to $800
      - tape - $40
  - Super Digital Linear Tape (Super DLT or SDLT)
    - designed for large RAID data backups
    - can store > 1 TB
    - smaller SDLT drives can connect to a workstation through a SCSI card
- don't rely on one media storage method to preserve evidence
  - make 2 copies of every image in case one copy fails
- after determining that the incident has digital evidence, identify the information/artifacts that can be used as evidence

### Preparing for a Search
- steps
  - identify the nature of the case
    - private or public sector
    - dictates how you proceed and the types of assets/resources to use
  - identify the type of OS or digital evidence
    - for law enforcement
      - difficult since the crime scene is not controlled
      - identify the OS/device by estimating the size of the drive on the suspect computer
      - how many devices to process at the scene
    - determine the OS/hardware involved
  - determine whether you can seize computers/devices
    - type of case and location of evidence
    - can you remove the evidence?
      - law enforcement inves need warrant to remove comps from scene and transport to lab
      - if removing comps will irreplaceably harm business, shldnt be taken offsite
    - extra complications
      - file stored offsite accessed remotely
      - avail of cloud storage
        - cannot locate physically
        - stored on drives with multiple subscribers
    - determine res needed to acquire evi and tools to speed data acquisition if not allowed to take comps
  - use extra technical expertise
    - specialised help to process incident/scene
    - specialists in
      - OS
      - RAID servers
      - db
    - educate specialists in inves. techniques to prevent evi dmg
  - determine tools needed
    - after info gathering on incident/scene
    - create **initial resp field kit**
      - lightweight and easy to transport
    - create **extensive resp field kit**
      - all tools u can take to field
      - extract only items needed when at scene

09 Cellular Mobile Networks
---
### How do Cellphones contact base Stations
#### Cellular Division
- cellular device can comm with another
- cells in hex shapes
  - preferred over square or circle as covers entire area w/o overlapping

![](https://i.imgur.com/V83sOAF.png)

- each cell assigned multiple frequencies corresponding to diff radio base stations
- phone connects to specific base station based on their location and strongest signal strength
- http://www.emfexplained.info/?Page=25196#:~:text=Mobile%20phones%20work%20by%20sending,as%20mobile%20phone%20base%20stations.

#### What Happens...
- when phone turns on

![](https://i.imgur.com/dO7HPpi.png)

- when place call

![](https://i.imgur.com/aHuvZo4.png)

- determine if there's coverage in area > verify if have sufficient signal strength to make call > establish conn with nearby base station > base station establishes call until user hangs up or signal too weak

### MTSO (Mobile Telephone Switching Office)
- mobile telephone switching office (mtso)
  - contains switching eq for routing mobile phone calls
  - handles entire cell network
  - controls **handoff**
    - process of transferring ongoing call or data session from one channel (cell) to another channel (cell)
  - comm with PSTN (public switched telephone network)
    - landline network
  - brain of cell phone network
- mtso evaluates signal strength between device and network
  - tell device/network to make appropriate adjustments to transmission

![](https://i.imgur.com/4JokKd1.png)

### Handoff
- handoff
  - process of transferring ongoing call or data session from one channel (cell) to another channel (cell)
- if signal on channel from tower weakens during a call, another tower and handoff needed
- if no other tower with stronger signal, call dropped

![](https://i.imgur.com/FEf32Jr.png)

### iDen, CDMA and GSM
#### iDen
- 2g
- integrated digital enhanced network
- based on tdma
- iden phones can support sms msgs, voice mail and data networking eg. vpn, internet and intranets
- allow users to take advantage of **PTT (push to talk)** walkie talkie tech
  - half duplex
- used by
  - sprint
    - shutdown in 2013
  - at&t
  - verizon

#### CDMA
- 2g/3g
- code div multiple access
- uses spread spectrum tech
  - spreads info contained in particular signal of interest over greater bandwidth than orig
- assigns code to ea piece of data passed across spectrum
- newer tech still uses orig tdma concept
- deemed superior to fdma and tdma
- cannot carry voice and data at same time
- every comm channel uses full avail spectrum
- 2 channels
  - encoding
  - decoding
- spread spectrum
  - channels spread across entire freq range instead of 1 dedicated one
  - 1850 mhz - 1990 mhz

![](https://i.imgur.com/FxQ9rBc.png)

##### CDMA Family
- cdmaOne (2g)
  - orig cdma system
- cdma2000
  - 3g
  - evolved from cdmaone
  - fam of tech for 3g cellular comm for transmission of voice, data and signals
  - 1xRTT (voice), 1xEV-DO (3g wireless standard data)
- W-CDMA
  - 3g
  - borrows ideas from cdma
  - use gsm tech and evolve into UMTS (universal mobile telecomms service)

#### BitPIM Software for CDMA
- is open src cross platform that allows u to view and manipulate data on many cdma phones
  - include phonebook, calendar, wallpapers, ringtones and filesystem
- analyse most qualcomm cdma chipset based phones
- PIM = personal info management

#### Qualcomm for CDMA
- multinational semiconductor and telecomms eq company founded in 1985
- created CDMA and components in 1990s
- orig built base stations, chipsets and phones
- owns patent on CDMA chipset tech

#### GSM
- 2g
- based on TDMA
- 70%-80% of phones
- digital cellular tech for transmitting mobile voice and data services
- established in 1987 as standard
- avail in >212 countries
- global system for mobile comm with freq 850-1900mhz
- uses SIM tech

![](https://i.imgur.com/A06ytH5.png)

### Cellular PIN
#### Mobile Identity Number (MIN)
- 10 digit
  - more with country code
- assigned by carrier
- used for phone identification
  - eg. (303)866-1010
- 2 parts
  - MIN 1 - 24 bit number after area code
  - MIN 2 - area/mobile subscriber code
- can be ported

#### Electronic Serial Number (ESN)
- unique 32bit number assigned to ea TDMA or CDMA (non GSM) device
  - like mac addr
- uses 14 bit code for manufacturer code
  - since 8bit almost exhausted

![](https://i.imgur.com/uEe03md.png)

#### Mobile Equipment ID (MEID)
- replaces soon exhausted ESN for CDMA devices
- all fields are hex vals
  - RR - regional code
    - globally administered
  - XXXXXX
    - 000000 - for small quantities of test/prototype mobiles
    - 000001 - FFFFFE - reserved for regional admin bodies or mobile manufacturers
      - subject to industry agreement
  - ZZZZZZ - manufacturer assigned to uniquely id device
  - C - check digit
    - not transmitted over air

![](https://i.imgur.com/TpDbzgs.png)

#### International Mobile Equipment Identity (IMEI)
- unique 15 digit code to identify indiv GSM mobile to mobile network
- displayed on phones by dialing code `*#06#`

![](https://i.imgur.com/YcYttBd.png)
![](https://i.imgur.com/YASPtMQ.png)

###### IMEI Checksum Verification
- 3 steps
  - starting from right, double every other digit
  - sum digits
    - note that 14 is 1 + 4 not +14
  - check if sum is divisible by 10

![](https://i.imgur.com/YMOsc4B.png)
![](https://i.imgur.com/FeWVvfn.png)

#### International Mobile Subscriber Identity (IMSI)
- global unique identifier
- 56 bit
- unique in every network
- allowed for auth of device to network
- 3 parts
  - MCC - mobile country code
    - 3 digits
    - all MCC assigned by ITU (international telecomm union) in recommendation E.212
      - international identification plan for public networks
  - MNC - mobile network code
    - 2 digits
  - MSIN - mobile station identification num
    - 10 digits

![](https://i.imgur.com/ja3PXES.png)
![](https://i.imgur.com/S1sUv1N.png)

10 Android
---
### Android OS
- is open src phone platform based on linux kernel
- developed by google, now maintained by open handset alliance
  - is grp of 47 companies tgt to produce better mobile experience

### Android Architecture
- apps
  - builtin and user's apps
- app framework
  - written in java to provide standard platform and api
  - work as toolkit used by all apps
- libraries
  - includes
    - sqlite
    - c/c++ libs
    - 3d graphics
  - is whr core android platform power comes from
- android runtime
  - **Dalvik VM (DVM)** and Libs (Java 5 Std Edition)
  - designed to run in env with limited batt/memory and cpu
  - DEX files (bytecode) run in this env
- linux kernel
  - provides many useful device drivers and
    - process management
    - memory management
    - networking and security in core infrastructure
  - robust and well proven

### Data Acquisition on Android
- DS (paraben) performs these actions
  - before acq
    - `AndroidService.apk` installation pkg written to `/data/local/tmp` folder
    - `com.paraben.service` service installed to sys folder
  - after acq
    - installed service uninstalled automatically
    - installation pkg removed
  - does not dmg the device

11 iOS
---
### IPhone Architecture
#### How does it Work?
- iphone has 2 processors
  - 1st works on GSM conn
    - phone calls
  - 2nd has mac os
- **device seizure (DS)**
  - software in paraben AKA E3 platform
  - can acquire 2nd part of data
- acquisition done in 2 steps
  - mac os img received from device
  - mac os img parsed and investigated

#### Partitions
- os partition
  - 500mb
  - uses HFSX
    - ext of HFS plus file system
    - currently updated to apple file system (APFS)
- data partition
  - focus on investigation
  - contains user data and files

### 4 Layers

![](https://i.imgur.com/Da50Syx.png)

#### Core Layers
- core os and services layer contains these fundamental interfaces
  - those used for accessing files
  - low lvl data types
  - bonjour services
  - network sockets

#### Core Services
- mostly c-based
- include tech/frameworks like
  - core foundation
    - AKA CF
    - low lvl routines
      - eg. facilitate internationalisation
  - CF network
    - eg. socket
  - sqlite
  - access to POSIX (portable os interface) threads and unix sockets

#### Media Layer
- OpenAL
  - audio mixing and recording
- video playback
- img file formats
- Quartz
- core animation
- OpenGL ES
  - graphic rendering

#### Cocoa Touch (UI)
- manage multi-touch events and controls
- use accelerometer
- view hierarchy
- localisation
  - i18n
- use of embedded camera

### Acquisition in iOS
- use paraben's device seizure (DS) acquisition wizard to acquire evidence

#### iPhone/iPad/iTouch Advanced
- used with most ios devices
- backup of user oriented files
  - this plugin uses itunes to create backup of device
  - doesnt access pri file system (sys files) of device
- recovers deleted data
- allows logical acq of backup from iphones

#### iPhone/iPad/iTouch Acquisition
- acquires the following data
  - address book
  - sms history
  - call history
  - imessages
  - calendar
  - notes
  - file system
  - maps bookmarks/history/directions
  - mac addr

### .plist File
- .plist files
  - used to store various types of data
  - file storage containing info on cache, history and config settings
  - is usually plaintxt .xml file or binary file
  - need to be examined for evidence
  - valuable repo for historical system and user specific configs and actions

### EXIF File
- exchangeable img file format (exif)
  - standard that specifies formats for systems handling img and sound files like cams, scanners etc.
- use exif reader

![](https://i.imgur.com/pFdblpE.png)

#### Images
- ea img associated with 2 files
  - img viewed on iphone screen
  - thumbnail

![](https://i.imgur.com/CDRmzAA.png)

- iphone dont name img using date and timestamp
  - named in numerical order
    - eg. IMG_0065.jpg, IMG_0066.jpg
  - thumbnails too
    - eg. IMG_0065.thm
- images stored in same folder

### .db Files
- A DB file is a database file used on mobile devices such as Android, iOS, and Windows Phone
  - (from mr boris)

12 Rooting and Jailbreaking
---
### Rooting in Android
- equal to jailbreaking
- unlock os so can install unapproved apps, delete unwanted bloatware, update os, replace firmware and customise anything
- allow user to gain root user priv
  - no restrictions on system settings
- android allow sideloading w/o rooting by default
  - install app from non-android market

### Jailbreaking in IOS
- require modification on os settings
- form of priv esc via hardware/software exploits
- enable installation of 3rd pt apps
- phone will work with app store
- can still call after jailbroken

### Impacts of Jailbreaking
- escape the restrictions from device limitations
- gain unrestricted device access
- warnings
  - warranty void
  - error and perf issue
    - not tested > instability

### Motivation for End Users
- more app sources
  - access unauth apps
    - pirated software
    - firefox in iphone
- remove vendor-installed SW (bloatware)
- improve perf
  - inc avail memory
    - ram/rom (mmc)
- access restricted hardware res
  - eg. bluetooth on kindle fire
- perform system tweaking

### Tools Used
- iphone
  - JailbreakMe
    - easiest way to free device
    - fully customisable, themeable
  - Redsn0w
  - Evasi0n
- android
  - ADB
    - old sch
    - need drivers, scripts, SU apk
  - z4root
    - from android 2.3
  - SuperOneClick
    - need adb
  - flashing recovery and custom ROM
  - motochopper
    - android 4.32

Practical: Encase
---
### Encase Display Panes
- tree pane
  - show structured view of evidence
- table pane
  - view subfolders and files in specific folder
- view pane
  - display contents of item

![](https://i.imgur.com/OzViuFm.png)

### Evidence GPS
- provide precise location of evi using 6 codes
  - PS - phy sector num
  - LS - logical sector num
  - CL - cluster num
  - SO - sector offset
    - distance in bytes from beginning of sector
  - FO - file offset
    - distance in bytes from beginning of file
  - LE - length
    - num of bytes in selected area

![](https://i.imgur.com/qB87Juh.png)

Practical: Paraben
---
### Display Panes

![](https://i.imgur.com/x3Ni68J.png)

- case content
- sub folders
- actual content of selected file

### Encase VS Paraben
- type of files that can be acquired by each
  - encase
    - device hard disk/usb, NTFS, FAT etc.
  - paraben
    - mobile device/ereader/iphone backup etc.

###### tags: `DFI` `DISM` `School` `Notes`
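Worked example for the "best evidence rule" and "Storing Digital Evidence" notes above (bit-stream copies admissible when their hashes match the original; keep 2 copies of every img). This is an added example, not code from the notes or from any forensic tool vendor; the byte strings, item id, names and timestamps are constructed stand-ins for a real acquired image and its custody form.

```python
"""Evidence image verification and custody log (added example, not the
notes' or any vendor's code). Models the rule that analysis runs on
bit-stream copies whose hashes match the original, and that each image is
kept in two copies. Byte strings below are constructed stand-ins for a disk
image; real work hashes the acquired image file instead."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash used to tie a copy to its original (validation with math)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    item_id: str          # eg. serial num of the drive (constructed here)
    acquired_by: str      # investigator who recovered the evidence
    original_hash: str    # hash taken before any copy is made
    copy_hashes: list = field(default_factory=list)
    custody_log: list = field(default_factory=list)   # (timestamp, event, person)

    def log(self, timestamp: str, event: str, person: str) -> None:
        self.custody_log.append((timestamp, event, person))


def acquire(item_id: str, investigator: str, timestamp: str,
            original: bytes, copies: list) -> EvidenceRecord:
    """Hash the original once, then check every copy against it.

    Raises if fewer than two copies are supplied or any copy differs:
    a copy whose hash does not match is not the same evidence.
    """
    if len(copies) < 2:
        raise ValueError("keep at least 2 copies of every image")
    rec = EvidenceRecord(item_id, investigator, sha256_hex(original))
    rec.log(timestamp, "taken into custody, original hashed", investigator)
    for n, copy in enumerate(copies, start=1):
        h = sha256_hex(copy)
        if h != rec.original_hash:
            raise ValueError(f"copy {n} hash mismatch: {h}")
        rec.copy_hashes.append(h)
        rec.log(timestamp, f"bit-stream copy {n} verified", investigator)
    return rec


def verify_copy(rec: EvidenceRecord, copy: bytes) -> bool:
    """Re-check a working copy before analysis (or before court)."""
    return sha256_hex(copy) == rec.original_hash


def transfer(rec: EvidenceRecord, timestamp: str, giver: str, receiver: str) -> None:
    """Record a hand-off so the custody chain has no gaps."""
    rec.log(timestamp, f"transferred from {giver} to {receiver}", receiver)


if __name__ == "__main__":
    # constructed sample "image", two good copies, and one altered byte
    image = bytes(range(256)) * 4
    rec = acquire("DRV-0001-constructed", "examiner A", "2024-01-01T09:00Z",
                  image, [bytes(image), bytes(image)])
    transfer(rec, "2024-01-01T10:00Z", "examiner A", "lab custodian")
    tampered = bytearray(image)
    tampered[10] ^= 0x01
    print(verify_copy(rec, image), verify_copy(rec, bytes(tampered)))  # True False
    for entry in rec.custody_log:
        print(entry)
```

The hash is taken before the first copy is made and never recomputed from a copy, so a later mismatch always points at the copy, not the record; the custody log is append-only so the form reads in time order.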
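Worked example for the "IMEI Checksum Verification" steps and the IMSI field layout in the Cellular PIN section above. This is an added example, not code from the notes: it applies the three listed steps (double every other digit from the right, sum the digits with 14 counted as 1 + 4, check divisibility by 10) and also derives the check digit for a 14-digit IMEI body, which the notes do not spell out. The IMEI used is a published test value; the IMSI is a constructed string, and the 3/2/10-digit split assumes the 2-digit MNC the notes give.

```python
"""IMEI check-digit verification and IMSI field split (added example, not
from the notes). The check is the Luhn formula as described in the notes'
three steps; real MNCs can also be 3 digits, which this example does not
handle because the notes state 2."""


def luhn_valid(number: str) -> bool:
    """True if the whole digit string (incl. its check digit) passes Luhn."""
    if not number.isdigit():
        raise ValueError("identifier must contain digits only")
    total = 0
    # step 1: from the right, digits at odd positions (1, 3, 5, ...) are doubled
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9          # step 2: sum the digits, 14 -> 1 + 4 = 5
        total += d
    return total % 10 == 0      # step 3


def imei_check_digit(body14: str) -> int:
    """Check digit that makes a 14-digit IMEI body pass the check above."""
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("IMEI body must be 14 digits")
    total = 0
    # the body's rightmost digit sits immediately left of the check digit,
    # so it is the first doubled one (position 0 of the body = position 1 overall)
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_valid(imei: str) -> bool:
    """15 digits and Luhn-correct; anything else is rejected, not raised."""
    return len(imei) == 15 and imei.isdigit() and luhn_valid(imei)


def split_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC (3), MNC (2, per the notes) and MSIN (10)."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:5], "msin": imsi[5:]}


if __name__ == "__main__":
    test_imei = "490154203237518"            # published Luhn test value
    print(imei_valid(test_imei))              # True
    print(imei_check_digit(test_imei[:14]))   # 8
    print(imei_valid("490154203237581"))      # False: last two digits swapped
    print(split_imsi("310150123456789"))      # constructed IMSI
```

A failed check does not prove tampering on its own (a digit misread from a label fails the same way), but an IMEI recorded on an evidence form that fails Luhn should be re-read from the device with `*#06#` before the form is finalised.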