←All Posts Posted on June 26, 2015 By Andre Ross
In the modern world, we’re continually being bombarded with news of data security breaches and lost data. It’s no surprise then that businesses are increasingly calling on the services of a Computer Forensic specialist to investigate problems.
A computer forensic investigator is heavily reliant on his or her knowledge, experience, expertise, diligence, and in some cases, even plain curiosity. There are various specialist areas within the forensics field, but the underlying process is similar for all of them, and there are four key steps to a process.
Firstly the forensic investigator will collect information and make observations. This phase involves forensic data collection and examination. It includes verifying the integrity and authenticity of the evidence and working out the most effective approach. It will also mean performing routine tasks to restore deleted data, decrypt protected files, handle special files, filter out irrelevant data, and extract embedded metadata. It may also include keyword searches to focus on certain items, a preliminary review of system configuration and usage, as well as data visualisation and constructing timelines to find hints and stand out facts.
Secondly, the computer forensic investigator will form a hypothesis to explain their observations. While gathering information about the event under investigation, a forensic expert develops possible explanations for what he/she sees in the evidence. Although this is essentially conjecture, it’s influenced by the knowledge and experience of a computer forensic specialist and must be based on facts rather than any preconceived notions or personal prejudices.
The third stage is to evaluate the hypothesis. The success of a forensic analysis will depend on how thoroughly the initial assumption is tested. It’s, therefore, crucial to consider other plausible explanations and include tests that attempt to disprove the hypothesis. If experiments and observations don’t support the initial premise, it gets revised, and further tests need to be performed.
The final stage is to draw conclusions and communicate the findings of the investigation. Once a probable explanation of events relating to a crime has been established based on the facts, the computer forensic expert must effectively convey the results of their work to decision-makers. It involves tailoring the information to its audience via appropriate use of language, visualisations, charts, and so on.
Computer forensics is a science and is based on the principles of repeatable processes and reliable evidence. Employing scientific methodology provides protection against drawing incorrect conclusions. You should, therefore, be wary of any computer forensic practitioners and researchers who describe digital forensics as being an art rather than a science.
Computer forensic experts are often deal with different computing platforms, Windows, Mac OS, and open-source Linux and UNIX systems being the main ones. From a forensic point of view, these operating systems have significant differences in their file structures, user accounts, operations and handling of digital artefacts. Even the same flavour of operating system may have substantial variations from version to version. Windows 95 differs significantly from Windows 10 for example as does Ubuntu Linux 14.04 from 18.04. In Computer Forensics, this is vitally important, because the connection between data and the user impacts the evidence found during the investigation.
Despite other systems gaining momentum, Widows remains the most commonly used operating system. All of the Windows variants together account for around 80% of the desktop OS market. This trend is unlikely to change anytime soon.
Windows XP introduced the New Technology File System (NTFS), and it is still used in the latest versions of the OS. NTFS replaced the old File Allocation Table (FAT) system though this may still be used in USB flash drives and other external storage devices.
FAT is a relatively simple file system, using a table to keep track of all of the data stored on the disk. NTFS uses a more sophisticated ‘metadata’ system, essentially a series of files that describe what’s on the disk. It describes or places data in context, without being part of the primary focus of the user.
A computer forensic expert will always pay particular attention to metadata. Metadata falls into two categories: file system metadata and application (or file) metadata. Examples of file system metadata include; $MFT or Master File Table, $MFTMirr which is a partial backup of MFT, $LogFile transaction logging files, $Volume containing disk volume information such as label, identifier and version, $Bitmap containing the allocation status of all clusters, and $Boot containing the OS boot record etc.
Application metadata is different as it’s found within the files to which it refers (such as Microsoft Office files, Adobe PDF files, JPEGs and so on). This information is generally placed or recorded by the application used to create or work with the file. In most cases, therefore, it’s non-OS specific. An MS Word File or Document can be created on Apple OS X or MS Windows for example and still contain the same application metadata recording date and time created, user name, number of edits and so on. This information can provide valuable insights for the computer forensic investigator. For example, how many times the file has been edited, which user created a document or the precise GPS location where a JPEG photograph file was taken.
You might think of artefacts as things that are stored in museums, but in a computer forensics context, they are what tracks system or user activity. When a user starts up and begins to use a computer system, many artefacts are generated that forensic examiners can use to reconstruct the individual’s actions. Systems running Windows, for example, create a wealth of such data usage artefacts, and they can be the key to unlocking many forensic puzzles. However, the computer forensic specialist needs to be able to find and correctly interpret them.
For example, a look into the Windows registry’s SAM, SECURITY, SOFTWARE, SYSTEM, and NTUSER.DAT sections can provide a plethora of information about user account activities that have taken place on a system. A glance at the ‘File Created’ timestamp for a user’s ‘Documents and Settings’ folder and the associated NTUSER.DAT file, for example, can reveal when the user account was first created on the system. Looking at the Last Written timestamp of a user’s NTUSER.DAT file can also be used as an indication of the last date and time a user logged off of the computer. So, comparing NTUSER.DAT Last Written timestamps with the date and time the system was last shut down (which can be found in the \SYSTEM \CurrentControlSet \Control \Windows \ShutdownTime subkey) could indicate which user last switched off the computer.
It is easy to see that the Windows registry is crucial in computer forensic examination, as almost any user activity leave a trace there. However, it isn’t the only source of information. Windows-specific event logs (stored in .evt format) are one of the primary sources of detail regarding user and system activities.
Link files (.LNK file extension) are another valuable source of information. These are shortcuts that point to another file or folder. They can be created by users for convenient access to particular items, but often Windows creates link files automatically in an attempt to assist the user and speed up operations. Windows OS places these link files in different locations, including on a user’s Desktop, Start Menu, and Recent folders, as well as in ‘Application Data’ areas and Windows Restore Points. The presence of a link file can, therefore, serve as an indication that a user has opened a particular file or folder.
The Recycle Bin sometimes called Recycler or Recycled depending on the version of Windows, can yield useful information too. Users will commonly think that they deleted a file when what they did is send the file to the Recycle Bin. Since in reality, this is just another folder in Windows, when a file is moved to the Recycle Bin it isn’t deleted. Instead, the pointer to the file is updated to reflect the file’s new location. It will stay there until the bin is emptied.
When you open a folder in Windows Explorer, you’ll usually see thumbnail images of the files or folders stored there. These are stored as Thumbs.db files and will also save the ‘last modified’ timestamps of the related files, which again can be useful for investigators.
A computer forensic investigator will often encounter cases that involve the use of removable storage, specifically USB devices. These cases may typically involve the theft of intellectual property, the possession of inappropriate material, fraud or computer intrusion. The Windows registry and setupapi.log each contain a wealth of information relating to USB devices that have been connected to a system, dates and times, their types, and even their serial numbers.
Restore Points, and Shadow Copies are another valuable source of forensic evidence. Windows system restore points are automatically created when a significant change occurs to the system, such as the installation of software. They can also be generated on a predefined schedule, or manually created by the user. These restore points contain information about registry settings and other Windows OS-specific system information. The Windows Shadow Copy, also known as Volume Snapshot Service (VSS) is a way of taking a backup copy of files and folders even when they’re in use. These can be manually or automatically generated and can take up to 15% of total hard drive space. The Previous Versions feature scans files and folders and saves a copy when their content varies from that of the last scan. This allows a user to right-click on a file and quickly recover the previous version of a file or document. All of this information can, of course, be a valuable source of forensic evidence when the original file has been corrupted or removed.
Volatile memory – usually called Random Access Memory or RAM – is the computer’s working space. It may contain critical information such as unsaved documents, passwords or encryption keys. But this information is lost when a computer loses power, is shut down or rebooted. As with Registry Analysis, Log Files Analysis or File System Analysis, memory analysis requires a specialist skillset that not every computer forensic expert possesses.
There are thousands of forensic artefacts in the Windows OS and the above examples, not an exhaustive list, are given for illustration only. Each new Windows OS introduces original digital artefacts. A computer forensic specialist must, therefore, keep his/her knowledge up-to-date.
File systems define how and where data are stored. While current forensic tools do an excellent job of reading and interpreting common file systems, a computer forensic examiner still needs a good understanding of how a given file system functions. This understanding plays a crucial role in the likelihood of data being retrieved during digital forensic examination, as manual data recovery may be required where forensic tools fail.
File systems and data structures can be overwhelming, particularly when there are very different file systems involved. Understanding them requires a computer forensic expert to be dedicated to maintaining current knowledge.
Modern Mac systems use the HFS Plus or HFS+ file system which is an upgrade from the original Mac OS Hierarchical File System (HFS). Like NTFS in Windows, HFS+ also uses metadata files to keep track of the volume. The metadata for files and folders created on HFS+ is stored in structures called balanced tree structures or simply B-trees. These B-trees are special files, not visible to a user, called the attributes, extents overflow, and catalog files. As well as B-trees the HFS+ file system has three additional special data structures, also invisible to users, the allocation bitmap, the startup file and the file system journal, if enabled. The latest Apple hardware use Apple File System (APFS), which replaces HFS Plus. The new file system presents unique challenges to forensic examiners.
Most current Linux systems now use the Ext4 file system, which superseded Ext3 and Ext2. Many other file systems are available via the Linux kernel, however, including ReiserFS, XFS, and JFS. Most current flavours of UNIX use UFS2 or Z File System (ZFS).
Ext4 uses index nodes or inodes to represent file system objects like files and directories. Each inode stores the attributes and disk block location(s) of the object. Attributes include metadata such as timestamps and file permissions. The disk block location is used for specifying the location of blocks of data stored on a hard drive. Ext4 introduced “Extents” which replaced the traditional block mapping scheme utilised by the earlier ext2 and ext3 file systems. An extent is a group of contiguous physical blocks. There can be four extents stored in one inode. When there are more than four extents representing a file, the additional extents are recorded in an Htree, which is similar to Apple’s B-tree.
The UNIX ZFS file system is unique and differs significantly from other file systems. ZFS is more than just a file system because it combines the two separate roles of volume manager and file system. Traditional file systems could only be created on a single disk at a time. If there were two hard disks, then a separate file system would have to be created for each one. In software RAID setups other file systems are tricked into thinking that they are dealing with a single disk. ZFS overcomes this problem so that a file system can easily spread across several drives. ZFS’s awareness of the physical layout of the disks requires a different approach from the computer forensic investigator when identifying and recovering deleted files.
On top of all this, Mac and *nix operating systems have a different user and file management mechanism, different system and user activity logs. Each OS has its own, unique set of digital artefacts. Mac systems, for example, use ‘plists’ in place of Windows registries while *nix systems use plain text configuration files as well as XML files.
Many Windows forensic examiners have never used Linux or UNIX based computer systems. Additionally, there’re many computer forensic examiners with no exposure, understanding or experience dealing with servers. Servers are very different to desktop computers in their functionality and require from a computer forensic specialist yet another set of skills involving understanding of computer networks, server system administration and much more. Even within server infrastructure, performing forensic examination of an email server differs significantly from acquiring data and analysing a database server or dealing with a domain controller server.
In the past few years, computer forensic experts have seen a considerable increase in requirements to analyse data from mobile phones (including smartphones), other mobile devices such as tablets, and various embedded systems like GPS car navigation systems, Internet of Things devices and so on. With advances in technology, these devices get smaller, more portable, increasingly interconnected and more widespread. The latest industrial machinery, for example, is likely to have some computer control built-in as are most new vehicles.
The examination and extraction of information from these devices presents unique challenges for the computer forensic specialist. Not least because there is a plethora of mobile and embedded devices available commercially. Most of these devices use a heavily modified or proprietary operating system. They may also use specially modified file systems for data storage, and different applications, services, and peripherals from mainstream computer systems. These devices may be supported to some degree by the available forensic equipment, or they may not be supported at all. There is also usually a significant lag time before newer devices become sufficiently supported by forensic tools.
The type of information contained within mobile devices and the way they are being used is constantly evolving. Older mobile phones held a limited amount of information such as the phonebook, call history and text messages. However, modern devices can contain not only these details but also emails, digital photographs, private videos, calendar items, memos, address books, passwords, and even credit card numbers. Mobile devices are increasingly being used to access the Internet, communicate, exchange documents, take and share photos and video, connect to social networks, take notes, draw sketches, and much more besides. Today, these devices are used in much the same way as laptop computers were over the past decade, but now they fit in a pocket. This means they are often carried with a person everywhere and can be used to determine a person’s whereabouts at a particular time by examining metadata, like timestamps and GPS location, attached to text messages, photos and notes and by looking at wireless connection history.
The data from an exponentially growing number of mobile applications can contain plenty of relevant information that may not be automatically collected by available forensic software tools.
By design, mobile devices have multiple ways to connect. They can communicate via cellular phone networks, Bluetooth, infrared and wireless networks. For this reason, isolation of the device from its networks is a critical step before attempting data acquisition or forensic examination of these devices. Isolation of the device prevents the addition of new data or changing of existing files through incoming calls and text messages, as well as the potential destruction of data through remote access or remote wiping via a ‘kill signal’.
Digital forensic investigators must be able to properly extract and analyse digital material and prevent spoliation of evidence. Thus, specialisation is becoming more and more necessary to examine mobile devices or embedded systems.
Sometimes mobile or embedded devices are damaged or have been locked with encryption and are beyond the forensic examiner’s abilities to access by bypassing or cracking the protection. In these cases, JTAG and chip-off forensics are among the alternative solutions that offer examiners avenues for more in-depth data access. These two disciplines require specialisation, because the forensic examiner must have a good understanding of modern electronic devices’ configurations, their memory types, how they manage data internally, where memory chips are located, and how to identify JTAG connectors on the motherboard of a device. Additionally, solid skills for repair, disassembling, and electronic chip removal is crucial to carry out these techniques properly.
JTAG (Joint Test Action Group) forensics is a process that combines an advanced data collection technique and forensic analysis of the extracted raw data. The collection involves using Test Access Ports (TAPs) on a device and interacting with the chip at a program level to extract the raw data held in the internal storage. JTAG is usually a preferred method with electronic devices that are still operational but from which data is inaccessible using standard forensic tools.
If a device is damaged, but the memory chip is functional, the chip-off method is probably the only chance to obtain data from the device. Chip-off forensics is an advanced digital data extraction and analysis technique which involves de-soldering the chip from the circuit board and then acquiring the raw data from it using highly specialised equipment. There is a significant risk of damaging the chip – and therefore losing the data – with this procedure.
Network forensics can seem intimidating to the computer forensic specialist who traditionally specialises in OS and file system forensics. Compared to a relatively small number of file systems, there are a myriad of network protocols. In addition to the file systems described previously – Windows FAT32 and NTFS; UNIX/Linux ext2, 3, 4; UNIX UFS2 and ZFS, or Mac HFS+ – on any given network investigators may encounter Ethernet, ARP, DHCP, IPv4 or IPv6, TCP, UDP, ICMP, TLS/SSL, SMTP, SNMP, SMB, IMAP, POP3, DNS, HTTP, FTP, RTP, 802.11b/g/n/ac and many other protocols.
However, there is no guarantee that a given network protocol will match the documented specifications. In addition, as Internet technology is constantly changing, new features are added to protocols to reflect those changes, old protocols are adapted and adjusted to suit the latest technology. Vendors are not required to strictly adhere to these standards, so they often implement the protocol in their own way. Some protocols are developed as a future-proof option with specific functions or fields unused, reserved for future use, or re-purposed by manufacturers of network equipment. Sometimes they can be used by hackers to hide data or commands too.
Unsurprisingly network forensics tools often lag behind these changes and may not accurately interpret a captured network packet. It is crucial, therefore, for a forensic examiner to understand the lowest levels of network operations to be able to produce and accurately explain his/her findings in court.
Network forensics professionals need to be highly skilled and have considerable expertise because it is impossible to always rely on tools to correctly interpret results and testify in court. In a recent web piracy case in the Federal Court, an investigator with a German-based firm was heavily criticised for failing to interpret log files correctly.
Adding to the problem for investigators is the existence of a wide variety of network devices, including routers, switches, network bridges, firewalls, application servers, and more. Each device has its own underlying operating system with unique configuration, interface, and functionality. It is practically impossible for a forensic expert to be familiar with all protocols and network devices without specialising.
Many genuine computer forensic experts prefer to refer to themselves as computer forensic examiner, computer forensic investigator, digital forensic specialist, DFIR (Digital Forensic and Incident Response) specialist, or even jokingly ‘forensicators’.
Computer forensic companies make considerable marketing efforts to set themselves apart from the rest, often claiming to be the leading experts, the best, reputable, certified, most reliable or somehow ‘court accepted’ or even ‘court-approved’.
The job of a computer forensic examiner is to produce accurate results based on the principles of repeatable processes and reliable evidence.
An expert in a legal matter is someone who has specialised knowledge in a particular subject area and has relevant qualifications or training in the field. However, the court must decide each time whether the person is qualified as an expert in a particular case.
A forensic specialist who has been previously called to testify as computer forensic expert in a specific court case doesn’t automatically qualify as a court-accepted, or approved expert in all legal matters, courts or jurisdictions.
As we’ve seen above, there are many distinct areas of computer forensics that require almost entirely different skillsets and specialisation. It’s unlikely that any person can be proficient in all of these areas.
Put simply this means that if someone has been used as a computer forensic expert in court previously, they’re not necessarily qualified to do so in all cases. The whole idea of having a court-approved/accepted computer forensic expert goes against the principles and scientific method of forensic discipline. It’s impossible to nominate a person as an expert and give him or her a blank authority to decide what is true and isn’t true.
The same applies to computer forensic certifications. These are beneficial – especially to newcomers to demonstrate their newly learned skills – but don’t in themselves make an expert. Aside from which, there are many computer forensic experts around that have no forensic certifications, simply because these weren’t in existence at the time when these experts reached an advanced level of knowledge and skills.
Thankfully, the legal system has enough checks and balances in place to weed out the snake oil sales and marketing people of the computer forensic investigator’s world.