Evidence Analysis

Before you begin your media examination, hash the copy you made of the original media and compare the result with the hash you recorded for the original. If the two agree, you may proceed. If not, find out why: perhaps you mounted the copy read-write and allowed some writes to occur, or perhaps the copy process was flawed. In any case, don't start the analysis until you have a clean copy, that is, an exact bit-for-bit copy of the original media that produces the same hash.

checksum

A checksum or hash sum is a method of detecting errors in the transmission or storage of data, and so of determining whether data has been altered. A mathematical calculation is run over the data before it is sent (or copied) to produce a fixed-size value that depends on the content of the data itself. The calculation is repeated after the data is received (or copied), and if the two values agree the received data is assumed to be identical to the sent data; a change to even a single bit will cause the hash or checksum value to change.


Most computer forensic tool sets include utilities that create device copies and calculate checksums where appropriate. If you are using the UNIX operating system, you can obtain and use the md5sum utility to calculate checksums. Most Linux distributions include the md5sum utility as part of their command-line environment, but if yours is missing for some reason, check with the primary distribution download site for your Linux version to find a copy (for example, you can download this utility through links on the ubuntu.com site at https://help.ubuntu.com/community/HowToMD5SUM). If you would like a Windows version of the utility, go to http://www.etree.org/md5com.html. Bear in mind that MD5 is no longer collision resistant: an adversary can construct two different files that share the same MD5 hash. MD5 still catches accidental corruption, but when the hash must withstand deliberate tampering, record a SHA-256 hash as well (sha256sum ships alongside md5sum in GNU coreutils).
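The following Python script is an added illustration of the verification step described above; it is not code from this book or from any forensic tool set. It hashes a file once with several algorithms in a single pass (so a multi-gigabyte image is read only once), compares the recorded digests of the original against a fresh hash of the working copy, and reports which algorithms disagree. The demo builds its own stand-in "image" in a temporary directory, including a copy with one flipped bit; the file names and the filler content are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB per read, so a multi-gigabyte image never has to fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file once, feeding every block to all requested algorithms.
    Returns {algorithm_name: hex_digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK_SIZE)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(expected, copy_path):
    """Re-hash the working copy and compare it against the digests recorded for the original.
    Returns (ok, list_of_algorithms_that_disagree)."""
    actual = hash_file(copy_path, algorithms=tuple(expected))
    mismatched = [name for name in expected
                  if not hmac.compare_digest(expected[name], actual[name])]
    return (not mismatched, mismatched)


def demo():
    """Constructed scenario: a stand-in 'original' image, a faithful copy, and a copy
    in which one bit was flipped (the kind of damage a read-write mount can cause).
    Returns the verify_copy() result for the good copy and for the damaged copy."""
    image = bytes(range(256)) * 4096  # 1 MiB of deterministic filler; not a real disk image
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.dd")
        good_copy = os.path.join(tmp, "copy_good.dd")
        bad_copy = os.path.join(tmp, "copy_bad.dd")
        damaged = bytearray(image)
        damaged[512] ^= 0x01  # a single-bit change deep inside the image
        for path, content in ((original, image), (good_copy, image), (bad_copy, damaged)):
            with open(path, "wb") as fh:
                fh.write(content)
        recorded = hash_file(original)  # the digests you would write into your evidence log
        return verify_copy(recorded, good_copy), verify_copy(recorded, bad_copy)


if __name__ == "__main__":
    good, bad = demo()
    print("faithful copy:", "OK" if good[0] else "MISMATCH", good[1])
    print("damaged copy: ", "OK" if bad[0] else "MISMATCH", bad[1])
```

In practice you would call hash_file() on the write-blocked original when you acquire it, record the digests in your notes, and call verify_copy() against every working copy before analysis and again when the examination is finished.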

The next sections discuss how to approach media analysis. The actual analysis process is part science and part art. You must develop a sense of where to look first, and then possess the technical skills to extract the information. We'll focus on the high-level overview here, as opposed to detailing specific actions you take with individual tools. Chapter 8 covers such tools, so we'll save those details and recommendations until then.

Knowing Where to Look

There is no easy answer to the question "Where do I look for evidence?" As with any investigation, not all evidence is obvious or easily accessible. Some evidence is subtle, and some may be deliberately hidden or damaged. The specific type of evidence you are searching for depends on the goal of your investigation. If you are looking for evidence in a music CD pirating case, you will likely be searching for stored sound files. If you are gathering evidence in an e-mail fraud case, you will likely look at activity logs and e-mail-related files.

Let's get back to our credit card investigation example. Where should you look for credit card numbers? You know key credit card data includes the card number, expiration date, and possibly card owner information. That kind of information could be stored in a spreadsheet or a database. You search the hard disk for files that resemble the filenames you found on the whiteboard. Unfortunately, you find nothing in the file system, in deleted files, or in slack space. (Slack space is the unused area between the end of a file's data and the end of the last disk cluster allocated to that file; it is discussed in more detail in Chapter 6, "Extracting Information from Data".)

Where do you look next? In this investigation, you will look at removable and external media. We’ll rejoin that investigation a little later.

You must be comfortable with the operating system running on the suspect computer. You might be using UNIX-based forensic tools, but if the suspect media is an image of the primary drive from a Windows computer, you’d better be comfortable with Windows as well. Default locations for files differ dramatically among various operating systems. In fact, file location defaults can even be different between releases in the same operating system family. Know the operating system with which you are working.

Activity logs and other standard files are commonly stored in default locations on many systems. Always look in those default locations for logs and configuration files. This step alone can tell you something about the suspect. If all logs and configuration files live in the default locations, the suspect probably made no effort to conceal activity on the machine. On the other hand, if you find several applications using nonstandard paths and file storage locations, your suspect may have hidden incriminating files well.

Use every means at your disposal to understand what the suspect was trying to do with the computer. Consider all the supporting evidence uncovered so far. This is where documentary evidence you collect at the scene might be helpful. As you work through different types of evidence, your forensic tool set can help by flagging unusual data on the suspect media.

Good forensic tools help you by providing access to areas of a computer that can be used to hide data. But before you look for hidden data, look at the evidence that you can get to easily. Depending on what you are seeking, you might find it helpful to look where the suspect has been surfing on the Web. Look at the history and cache files for each web browser on the system, and then look at the cookies as well. Although web browsers allow you to look at some historical data, get a tool designed to explore web browser activity. Likewise, look into e-mail correspondence for each e-mail client installed on the computer.


Make absolutely sure you have the legal authority to examine a system. You may be allowed to look for only certain type of files or activity. Do not exceed your authority.

As mentioned previously, we’ll discuss specific forensic tools in Chapter 8. For now, let’s look at a few of the different types of tools you’ll need in the computer forensic process.

Viewers

file viewer

A utility that provides thumbnail images of files. Such tools are useful for scanning a group of files visually.

File viewers provide small images of file contents. These programs scan a directory for files that match your criteria and show what is in those files. Viewers are great for finding pictures or movie files. Although most use a file’s extension to identify graphics files, some more sophisticated tools can look at a file’s header to identify it as a graphics file.

Some viewers also handle nongraphics file types, such as word processing files. The advantage of a viewer tool is that it provides visual representations for the files it finds. This can make scanning for inappropriate pictures far easier than looking at images individually.

Extension Checkers

extension checker

A utility that compares a file’s extension to its header. If the two do not match, the discrepancy is reported.

Another useful forensic tool is an extension checker. This type of tool compares a file's extension with its actual data type. One favorite method for hiding data from casual users is to change the file extension. For example, if you want to hide the image file named blueangels.jpg, you could rename it to blueangels.db, or even something totally obscure, such as br.549. An extension checker utility looks at the extension and compares it to the file's actual header (the signature bytes at the start of the file that identify its format). Any discrepancies are reported as exceptions.
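The Python script below is an added example of the header-versus-extension comparison just described; it is not code from this book or from any commercial extension checker. The signature table covers a handful of common formats (JPEG, PNG, GIF, PDF, ZIP-based documents, gzip), and the tree walk reports three kinds of exception: a recognised header under an extension that does not belong to it (the renamed blueangels.db and br.549 cases), an extension that claims a known format whose header is absent, and, because plain text has no signature, nothing at all for files where neither side can be judged. The demo writes a few constructed files into a temporary directory; their names and contents are invented for the example.

```python
import os
import tempfile
from pathlib import Path

# (magic bytes at offset 0, type name, extensions that legitimately carry that header)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "jar", "docx", "xlsx", "pptx"}),
    (b"\x1f\x8b", "gzip", {"gz", "tgz"}),
]
TYPE_EXTS = {}
for _magic, _kind, _exts in SIGNATURES:
    TYPE_EXTS.setdefault(_kind, set()).update(_exts)
EXT_TYPE = {ext: kind for kind, exts in TYPE_EXTS.items() for ext in exts}


def identify_header(head):
    """Return the type name whose signature starts `head`, or None if no signature matches."""
    for magic, kind, _ in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def check_file(path):
    """Compare a file's extension with its header. Returns a discrepancy record, or None
    when they agree or when neither side carries a known signature (e.g. plain text)."""
    path = Path(path)
    with open(path, "rb") as fh:
        head = fh.read(16)
    ext = path.suffix.lower().lstrip(".")
    claimed = EXT_TYPE.get(ext)          # what the extension says the file is
    actual = identify_header(head)       # what the header says the file is
    if actual is None and claimed is None:
        return None                      # nothing to compare against
    if actual is not None and ext in TYPE_EXTS[actual]:
        return None                      # header and extension agree
    return {"path": str(path), "extension": ext, "claimed": claimed, "actual": actual}


def scan_tree(root):
    """Walk a directory tree and return every discrepancy, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            record = check_file(os.path.join(dirpath, name))
            if record:
                findings.append(record)
    return sorted(findings, key=lambda r: r["path"])


def demo():
    """Constructed sample tree: two renamed JPEGs, a PDF hidden as a .jpg, text masquerading
    as a .png, and three files whose names are honest. Returns (name, claimed, actual) tuples."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    samples = {
        "blueangels.jpg": jpeg,
        "blueangels.db": jpeg,                       # renamed to look like a database file
        "br.549": jpeg,                              # renamed to something meaningless
        "invoice.jpg": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "notes.txt": b"meeting notes\n",
        "notes.png": b"meeting notes\n",             # text given an image extension
        "report.pdf": b"%PDF-1.4\n",
        "archive.docx": b"PK\x03\x04\x14\x00\x00\x00",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return [(Path(r["path"]).name, r["claimed"], r["actual"]) for r in scan_tree(tmp)]


if __name__ == "__main__":
    for name, claimed, actual in demo():
        print(f"{name}: extension says {claimed or 'unknown'}, header says {actual or 'unknown'}")
```

Header matching is only as good as the signature table, so a production checker carries hundreds of signatures and also handles formats whose magic sits at a nonzero offset; the logic for deciding what counts as an exception is the same.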

Unerase Tools

unerase tool

A utility that assists in recovering previously deleted files. In some cases, files can be completely recovered. At other times, only portions of a file can be recovered.

Most people are familiar with unerase tools to recover deleted files. These tools have been around the DOS and Windows worlds for years. On older Windows versions, a simple unerase tool can recover files easily. Newer operating systems complicate this process, but files placed in the Recycle Bin can often be recovered with the help of forensic utilities, even if the Recycle Bin has been emptied, as long as the disk clusters they occupied have not yet been reused. File-recovery utilities, available for nearly all file systems in use today, help in identifying and restructuring deleted files.

Searching Tools

searching tool

A tool that searches for patterns (mostly string patterns) in large file collections.

Forensic examiners must often search large numbers of files for specific keywords or phrases. Several searching tools support such large-scale searches. An investigation may turn up certain words or phrases that can identify evidence. Searching for known IP addresses, e-mail addresses, or people’s names can link bits of evidence together.
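The Python script below is an added example tying this section to the credit card investigation; it is not code from this book or from any searching tool. Rather than searching for a fixed keyword, it searches a raw disk image for anything shaped like a card number (13 to 16 digits, optionally separated by spaces or hyphens), applies the Luhn check digit test that every genuine card number satisfies to discard random digit runs, and reports each hit with its absolute byte offset. Because unallocated and slack space are searched as raw bytes, the scan works in overlapping windows so that a number straddling a window boundary is still found exactly once. The sample "image" is constructed inline; the card numbers in it are the publicly known Visa and American Express test numbers, and the file-system fragments are invented.

```python
import io
import re

# 13 to 16 digits, each optionally followed by one space or hyphen, not inside a longer digit run
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
MAX_MATCH_LEN = 31  # 16 digits plus at most 15 separators


def luhn_ok(digits):
    """Luhn check that every genuine card number passes; it discards ~90% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(data):
    """Return [(offset, number)] for each Luhn-valid candidate in `data`, in offset order."""
    hits = []
    for m in CARD_RE.finditer(data):
        number = m.group().replace(b" ", b"").replace(b"-", b"").decode("ascii")
        if luhn_ok(number):
            hits.append((m.start(), number))
    return hits


def scan_stream(fh, window=1 << 20, overlap=128):
    """Scan a seekable binary stream (e.g. a raw disk image) in overlapping windows.
    A window only reports matches that start before its trailing region, and every later
    window ignores matches that start in its leading MAX_MATCH_LEN bytes, so a number that
    straddles a boundary is reported exactly once, at its absolute offset."""
    if overlap <= 2 * MAX_MATCH_LEN or window <= overlap:
        raise ValueError("need window > overlap > 2 * MAX_MATCH_LEN")
    hits, pos, first = [], 0, True
    while True:
        fh.seek(pos)
        chunk = fh.read(window)
        if not chunk:
            break
        final = len(chunk) < window
        for off, number in find_card_numbers(chunk):
            if not first and off < MAX_MATCH_LEN:
                continue  # already reported by the previous window
            if not final and off >= len(chunk) - overlap + MAX_MATCH_LEN:
                continue  # the next window reports this one
            hits.append((pos + off, number))
        if final:
            break
        pos += window - overlap
        first = False
    return hits


def scan_bytes(data, window=1 << 20, overlap=128):
    return scan_stream(io.BytesIO(data), window, overlap)


def scan_file(path, window=1 << 20, overlap=128):
    with open(path, "rb") as fh:
        return scan_stream(fh, window, overlap)


def build_sample_image():
    """Constructed stand-in for a disk image: a live CSV file, a remnant of a deleted row in
    unallocated space, and digit strings that look like card numbers but are not."""
    filler = b"\x00" * 200
    return b"".join([
        b"NTFS    \x00\x02\x08", filler,
        b"customer,card,expiry\r\nJ. Doe,4111 1111 1111 1111,12/27\r\n", filler,
        b"A. Smith,3782-822463-10005,03/26", b"\x00" * 37,   # deleted row, still on disk
        b"serial 1234567890123456 rev 9\n",                   # 16 digits that fail Luhn
        b"phone 5551234567 ",                                  # too short to be a card
        filler * 3,
    ])


if __name__ == "__main__":
    image = build_sample_image()
    for offset, number in scan_bytes(image, window=100, overlap=64):
        print(f"offset {offset}: {number[:6]}...{number[-4:]}")
```

Run the same scan with scan_file() against a real image and you get the offsets to hand to a hex viewer or a file-system tool, which can then tell you whether each hit sits in a live file, a deleted file, or slack space.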

Wading through a Sea of Data

The first thing you will notice when you start to use the tools discussed in the previous section is the enormous volume of results that they return. No matter how narrowly you define the scope of your activities, you end up with more data than you can use. Your job is to sift through that data and to extract only pertinent information.

Log files provide great audit trails for system activity. They can tell you nearly every event that occurred within a specific scope. For example, web server log files can keep track of every request from and response to web clients. However, many applications log only minimally by default to limit the performance impact. Before you spend too much time looking through log files, be sure you understand what level of detail each application log contains.

A couple of tools can make analysis of log files easier:

Log file scanner Log scanner utilities do little more than scan log files and extract events that match a requested event pattern. For text log files, a simple text search utility could provide a similar result in some cases. Most log file scanners make this process easier by allowing queries that combine a time window with an event pattern.

Log-based IDS This type of intrusion detection system (IDS) provides a convenient method to analyze multiple log files. When searching for activity consistent with a network intrusion, let the IDS look at log files and highlight suspicious activity. This information is not helpful for every investigation, however.
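The Python script below is an added example of the log file scanner described above; it is not code from this book or from any log analysis product. It parses web server access log lines in the common "combined" layout, lets you query by time window, request path pattern, status code, and client address, and keeps the lines it cannot parse rather than dropping them silently, since a gap in an audit trail is itself worth noting. The sample log lines are constructed for the example (the addresses are from documentation ranges, and the burst of failed logins followed by an export is invented).

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access log layout; only the fields we query are captured
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: three failed logins, a success, an export of a 'cards' table, and a bad line
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2012:09:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [03/Mar/2012:09:15:22 +0000] "GET /admin/login.php HTTP/1.1" 401 312
203.0.113.7 - - [03/Mar/2012:09:15:25 +0000] "POST /admin/login.php HTTP/1.1" 401 312
203.0.113.7 - - [03/Mar/2012:09:15:27 +0000] "POST /admin/login.php HTTP/1.1" 401 312
203.0.113.7 - - [03/Mar/2012:09:15:29 +0000] "POST /admin/login.php HTTP/1.1" 302 0
203.0.113.7 - - [03/Mar/2012:09:16:03 +0000] "GET /admin/export.php?table=cards HTTP/1.1" 200 88213
10.0.0.5 - - [03/Mar/2012:10:01:45 +0000] "GET /index.html HTTP/1.1" 200 5120
this line is corrupt and is reported separately rather than silently dropped
""".splitlines()


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line):
    """Return a dict for a well-formed line, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = parse_ts(entry.pop("ts"))
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["raw"] = line
    return entry


def scan_log(lines, start=None, end=None, path_re=None, status=None, ip=None):
    """Return (matched_entries, unparseable_lines). `start`/`end` are datetimes or
    timestamps in the log's own format; `path_re` is a regular expression searched
    against the request path; `status` is a set of status codes; `ip` is a client address."""
    start = parse_ts(start) if isinstance(start, str) else start
    end = parse_ts(end) if isinstance(end, str) else end
    path_pat = re.compile(path_re) if path_re else None
    matched, unparsed = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                unparsed.append(line)
            continue
        if start is not None and entry["time"] < start:
            continue
        if end is not None and entry["time"] > end:
            continue
        if path_pat and not path_pat.search(entry["path"]):
            continue
        if status and entry["status"] not in status:
            continue
        if ip and entry["ip"] != ip:
            continue
        matched.append(entry)
    return matched, unparsed


def count_by(entries, field):
    """Tally matched entries by one field, e.g. failed logins per client address."""
    return Counter(e[field] for e in entries)


if __name__ == "__main__":
    hits, bad = scan_log(SAMPLE_LOG, start="03/Mar/2012:09:15:00 +0000",
                         end="03/Mar/2012:09:20:00 +0000", path_re=r"^/admin/")
    for e in hits:
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
    print("failed logins per address:", dict(count_by(scan_log(SAMPLE_LOG, status={401})[0], "ip")))
    print("unparseable lines:", len(bad))
```

Querying a narrow window around an event you already know about (here, the minutes before the export) is usually far more productive than reading the whole log, and count_by() is the quickest way to see which client, path, or status dominates the result.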

In some cases, you can use tools to help analyze data. In other cases, you must physically examine all of that data yourself. In either case, one of the more difficult aspects of computer forensics is the process of separating the evidence that matters from everything else.

Sampling Data

Sometimes you will find that the volume of data is so large that there is no feasible way to examine it all. Some log files contain so much detail that it is nearly impossible to use it all. You might be able to process it, but the amount of useful evidence can be overwhelming.

Any time you have more data than is practical, consider taking samples of that data. You can use data sampling for input and output data. For example, suppose you are analyzing a large drive with more than a million photos. Your job is to find out if there are any images of classified equipment. One way to approach this task is to use a viewer utility on a random sample of pictures and determine whether patterns exist. If you find from looking at samples of 25 pictures that files are organized by department, you can use this additional information to narrow your search.

On the other end of the spectrum, suppose your search yields 5,000 pictures of classified equipment. You would not want to present all 5,000 pictures. Too much evidence can be overwhelming if presented all at once. Instead, you may want to select a representative sample to present, along with information describing the remaining pictures in that group. All 5,000 pictures could be entered as evidence, but only the sample needs to be presented. The same approach applies to log file entries. Whenever a large volume of data or a large number of redundant items exists, use a representative sample to stand for the whole data set.
