UNIT III-Computer Forensics analysis and Validation

The document discusses the process of computer forensics analysis, emphasizing the importance of determining what data to collect based on the type of investigation, whether criminal or corporate. It highlights the challenges of scope creep, the need for thorough evidence documentation, and the use of forensic tools like FTK for data analysis and validation. Additionally, it stresses the necessity of validating digital evidence through hashing to ensure its integrity for court presentation.

Uploaded by

njvanessa7

MRCET DEPARTMENT OF IT

UNIT-III

COMPUTER FORENSICS ANALYSIS AND VALIDATION


3.1 Determining What Data to Collect and Analyze

Examining and analyzing digital evidence depend on the nature of the investigation and the amount of
data to process. Criminal investigations are limited to finding data defined in the search warrant, and civil
investigations are often limited by court orders for discovery. Corporate investigators might be searching
for company policy violations that require examining only specific items, such as e-mail. Therefore,
investigations often involve locating and recovering a few specific items, which simplifies and speeds
processing.

In the corporate environment, however, especially if litigation is involved, the company attorney often
directs the investigator to recover as much information as possible. Satisfying this demand becomes a
major undertaking with many hours of tedious work. These types of investigations can also result in
scope creep, in which an investigation expands beyond the original description because of unexpected
evidence you find, prompting the attorney to ask you to examine other areas to recover more evidence.
Scope creep increases the time and resources needed to extract, analyze, and present evidence. Be sure to
document any requests for additional investigation, in case you must explain why the investigation took
longer than planned, why the scope widened during the course of the investigation, and so forth.

One reason scope creep has become more common is that criminal investigations increasingly require
more detailed examination of evidence just before trial to help prosecutors fend off attacks from defense
attorneys. Because defense attorneys typically have the right of full discovery of digital evidence used
against their clients, it's possible for new evidence to come to light while complying with the defense
request for full discovery. However, this new evidence often isn't revealed to the prosecution; instead,
the defense uses it to defend the accused. For this reason, it's become more important for prosecution
teams to ensure that they have analyzed the evidence exhaustively before trial. (It should be noted that
the defense request for full discovery applies only to criminal cases in the however, depends on whether
it's an internal corporate investigation or a civil or criminal investigation carried out by law
enforcement. In an internal investigation, evidence collection tends to be fairly easy and straightforward
because corporate investigators usually have ready access to the necessary records and files. In contrast,
when investigating a criminal cyberstalking case, you need to contact the ISP and e-mail service.
Some companies, such as AOL, have a system set up to handle these situations, but others do not. Many
companies don't keep e-mail for longer than 90 days, and some keep it only two weeks.

An employee suspected of industrial espionage can require the most work. You might need to set up a
small camera to monitor his or her physical activities in the office. You might also need to plant a
software or hardware key logger (for capturing a suspect's keystrokes remotely), and you need to engage
the network administrator's services to monitor Internet and network activities. In this situation, you might
want to do a remote acquisition of the employee's drive, and then use another tool to determine what
peripheral devices have been accessed.

1. For target drives, use only recently wiped media that have been reformatted and
inspected for computer viruses. For example, use ProDiscover Secure Wipe Disk, Digital
Intelligence PDWipe, or White Canyon Secure Clean to clean all data from the target drive you
plan to use.

2. Inventory the hardware on the suspect's computer and note the condition of the computer
when seized. Document all physical hardware components as part of your evidence acquisition
process.

3. For static acquisitions, remove the original drive from the computer, if practical, and then
check the date and time values in the system's CMOS.

4. Record how you acquired data from the suspect drive; note, for example, that you created a bit-
stream image and which tool you used. The tool you use should also create an MD5, SHA-1, or
better hash for validating the image.

5. When examining the image of the drive's contents, process the data methodically and
logically. List all folders and files on the image or drive. For example, FTK can generate a
Microsoft Access database listing all files and folders on a suspect drive. Note where specific
evidence is found, and indicate how it's related to the investigation.

6. If possible, examine the contents of all data files in all folders, starting at the root directory of
the volume partition. The exception is for civil cases, in which you look for only specific items in
the investigation.

7. For all password-protected files that might be related to the investigation, make your best effort
to recover file contents. You can use password recovery tools for this purpose, such as AccessData
Password Recovery Toolkit (PRTK), NTI Password Recovery, or Passware Kit Enterprise.

8. Identify the function of every executable (binary or .exe) file that doesn't match known hash
values. Make note of any system files or folders, such as the System32 folder or its content, that are
out of place. If you can't find information on an executable file by using a disk editor, examine the
file to see what it does and how it works.

9. Maintain control of all evidence and findings, and document everything as you progress through
your examination.

Refining and Modifying the Investigation Plan

In civil and criminal cases, the scope is often defined by search warrants or subpoenas, which specify
what data you can recover. However, private sector cases, such as employee abuse investigations,
might not specify limitations in recovering data. For these cases, it's important to refine the
investigation plan as much as possible by trying to determine what the case requires. Generally, you
want the investigation to be broad enough to encompass all relevant evidence, yet not so wide-
ranging that you waste time and resources analyzing data that's not going to help your case.
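The acquisition step above requires the imaging tool to record an MD5 or SHA-1 hash of the image, and the executable-review step asks you to single out binaries whose hashes are not already known. The following Python script is an added example (not code from the chapter or from any of the tools it names) that does both on constructed data: it hashes an image in chunks, re-verifies it against the recorded values, shows that a single changed byte fails validation, and filters a list of executables against a known-hash set.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read images in 1 MiB pieces so a multi-GB image never sits in memory


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest} for a file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Recompute the image hashes and compare them with the values noted at acquisition.
    Returns (ok, mismatches); mismatches maps algorithm -> (recorded, current)."""
    current = hash_file(path, tuple(recorded))
    mismatches = {a: (recorded[a], current[a]) for a in recorded
                  if recorded[a].lower() != current[a]}
    return not mismatches, mismatches


def unknown_executables(paths, known_sha1):
    """Executables whose SHA-1 is absent from the known-file hash set need a closer look."""
    known = {h.lower() for h in known_sha1}
    return [p for p in paths if hash_file(p, ("sha1",))["sha1"] not in known]


def demo():
    """Walk-through on constructed data: verify, change one byte, re-verify, filter binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "suspect_drive.dd"             # stand-in for a bit-stream image
        image.write_bytes(b"CONSTRUCTED IMAGE DATA " * 1000)
        recorded = hash_file(image, ("md5", "sha1"))       # what the acquisition tool reports
        ok_before, _ = verify_image(image, recorded)
        with open(image, "r+b") as fh:                     # one altered byte breaks validation
            fh.seek(10)
            fh.write(b"X")
        ok_after, bad = verify_image(image, recorded)
        binaries = [Path(tmp) / "a.exe", Path(tmp) / "b.exe"]   # constructed "executables"
        binaries[0].write_bytes(b"unknown program")
        binaries[1].write_bytes(b"known program")
        known = {hash_file(binaries[1], ("sha1",))["sha1"]}     # constructed known-hash set
        unknown = [p.name for p in unknown_executables(binaries, known)]
        return ok_before, ok_after, sorted(bad), unknown
```

Record the digests `hash_file` prints alongside the tool name and date in your acquisition notes; `verify_image` is the check to rerun before analysis begins.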

Of course, even if your initial plan is sound, at times you'll find that you need to deviate from the
plan and follow where the evidence leads you. Even in these cases, having a plan that you
deliberately revise along the way is much better than searching for evidence haphazardly.

Suppose, for example, an employee is accused of operating an Internet-based side business using
company resources during normal business hours. You use this timeframe to narrow the set of data
you're searching, and because you're looking for unauthorized Internet use, you focus the search on
temporary Internet files, Internet history, and e-mail communication. Knowing the types of data
you're looking for at the outset helps you make the best use of your time and prevents you from
casting too wide a net. However, in the course of reviewing e-mails related to the case, you might
find references to spreadsheets or Word documents containing financial information related to the
side business. In this case, it makes sense to broaden the range of data you're looking for to include
these types of files. Again, the key is to start with a plan but remain flexible in the face of new
evidence.

3.1.1 Using AccessData Forensic Toolkit to Analyze Data


So far, you have used several different features of FTK; this section goes into more detail on its
search and report functions. FTK can perform forensics analysis on the following file systems:

• Microsoft FAT12, FAT16, and FAT32

• Microsoft NTFS (for Windows NT, 2000, XP, and Vista)

• Linux Ext2fs and Ext3fs

FTK can analyze data from several sources, including image files from other vendors. It can also
read entire evidence drives or subsets of data, allowing you to consolidate large volumes of data
from many sources when conducting a computer forensics analysis. With FTK, you can store
everything from image files to recovered server folders on one investigation drive.

FTK also produces a case log file, where you can maintain a detailed record of all activities during
your examination, such as keyword searches and data extractions. This log is also handy for
reporting errors to AccessData. At times, however, you might not want the log feature turned on. If
you're following a hunch, for example, but aren't sure the evidence you recover is applicable to the
investigation, you might not want opposing counsel to see a record of this information because he or
she could use it to question your methods and perhaps discredit your testimony. (Chapter 15 covers
testimony issues in more detail.) Look through the evidence first before enabling the log feature to
record searches. This approach isn't meant to conceal evidence; it's a precaution to ensure that your
testimony can be used in court.

FTK has two options for searching for keywords. One option is an indexed search, which catalogs
all words on the evidence drive so that FTK can find them quickly. This option returns search
results quickly, although it does have some shortcomings. For example, you can't search for
hexadecimal string values, and depending on how data is stored on the evidence drive, indexing
might not catalog every word. If you do use this feature, keep in mind that indexing an image file
can take several hours, so it's best to run this process overnight.

The other option is a live search, which can locate items such as text hidden in unallocated space
that might not turn up in an indexed search. You can also search for alphanumeric and
hexadecimal values on the evidence drive and search for specific items, such as phone numbers,
credit card numbers, and Social Security numbers. Figure 9-1 shows the hits found during a live
search of an image of a suspected arsonist's laptop. You can right-click a search hit to add it to
your bookmarks, which includes the result in your final report.
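As an added illustration (not the chapter's code and not FTK's), the following Python script performs the kinds of searches described above over a raw image held in memory: a live search that finds a keyword stored as ASCII and as UTF-16LE (the "Unicode" hits FTK reports), a hexadecimal search, a pattern search for an SSN-shaped number, and a crude word index that shows why an indexed search can miss a hit. The image bytes are constructed inline.

```python
import re

# Constructed "evidence image": an ASCII e-mail fragment, a zero-filled gap, the same keyword
# stored as UTF-16LE (how Windows stores Unicode text), an executable header, and an SSN.
IMAGE = (
    b"From: bob@example.test\r\nContent-Type: text/plain\r\n\r\nFirestarter ordered.\r\n"
    + b"\x00" * 32                          # gap, like zeroed unallocated space
    + "Firestarter".encode("utf-16-le")     # letters interleaved with NUL bytes
    + b"\x00" * 16
    + b"MZ\x90\x00\x03\x00"                 # first bytes of a Windows executable header
    + b" SSN 123-45-6789 "
)


def live_search(image, keyword):
    """Case-insensitive hits for the keyword as ASCII and as UTF-16LE: (encoding, offset, text)."""
    hits = []
    for enc, name in (("ascii", "ASCII"), ("utf-16-le", "Unicode")):
        pattern = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
        for m in pattern.finditer(image):
            hits.append((name, m.start(), m.group().decode(enc)))
    return sorted(hits, key=lambda h: h[1])


def hex_search(image, hex_string):
    """Offsets of a raw byte sequence given as hex, e.g. '4D 5A' for an MZ header."""
    needle = bytes.fromhex(hex_string)
    return [m.start() for m in re.finditer(re.escape(needle), image)]


SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # nnn-nn-nnnn, bounded by non-word bytes


def pattern_search(image, regex=SSN):
    """Find formatted identifiers (here SSN-shaped numbers) with their offsets."""
    return [(m.start(), m.group().decode("ascii")) for m in regex.finditer(image)]


def indexed_search(image, keyword):
    """Crude index: split printable-ASCII runs into words and count matches.
    The UTF-16LE copy breaks into single letters, so the index never catalogs it."""
    text = re.sub(rb"[^\x20-\x7e]+", b" ", image).decode("ascii")
    return sum(1 for w in text.split() if w.lower() == keyword.lower())
```

On this image the live search returns two hits for the keyword while the index finds only the ASCII one.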


3.2 Validating Forensic Data

[Figure: screenshot of AccessData FTK (1.51.2 demo version) showing a live search, its ASCII and Unicode hits, a hex view of the selected hit, and the full paths of the matching Outlook Express .dbx e-mail files on a FAT32 volume]

Fig: Validating Forensic Data

One of the most critical aspects of computer forensics is validating digital evidence because
ensuring the integrity of data you collect is essential for presenting evidence in court. Chapter 5
introduced forensic hashing algorithms, and in this section, you learn more about validating an
acquired image before you analyze it.

Most computer forensics tools, such as ProDiscover, X-Ways Forensics, FTK, and EnCase, provide
automated hashing of image files. For example, when ProDiscover loads an image file, it runs a
hash and compares that value to the original hash calculated when the image was first acquired.
You might remember seeing this feature when the Auto Image Checksum Verification message
box opens after you load an image file in ProDiscover. Computer forensics tools have some
