Chapter 11
Forensic Computing and How People Can Be Tracked

Forensic computing is the area of computing that collects and analyzes digital data and reports findings that are used as admissible evidence in a legal proceeding to either prove or disprove an element in a legal action. Digital evidence is any information that is stored or transmitted in a digital form that provides probative information about an action or inaction of a party in a legal action. Probative information is information that tends to prove a purported fact.

The computer forensic investigator gathers digital data at the request of attorneys and the court, which determine if the digital data is authentic and relevant to the legal action. The computer forensic investigator uses forensic techniques to collect and analyze the digital data, ensuring that the process does not interject misleading results and that the analysis is based on scientific fact. In this chapter you will learn about what actions can be taken legally to access information on your work or home devices and what data can be exposed.

Is your computing device safe?

The presumption is that what you do on your computing device is private; however, that’s not necessarily true.

Your internet activities are stored in your browser history on your computing device. The internet service provider that you use keeps a log that ties the IP address temporarily assigned to your connection to your subscriber account, together with the time the address was assigned and released. That IP address is also recorded by every website you visit, and the names of the sites you look up are visible to whoever answers your DNS queries, usually the same ISP.

Websites you visit store the IP address that you use to access the website, along with other information gathered during your visit that identifies you.

Your email provider (i.e., Yahoo, Gmail) retains your emails for a specific length of time.

Chats and postings on social websites are also retained for a specific period of time.

Friend lists are also stored by social websites.

Nothing is private if you use your work computing device because your employer owns the computing device and has the right to access it at any time without notifying you. The management agents the IT department installs can read files, inventory software and capture activity over the network even while the screen is locked, so the lock protects you from a passer-by, not from the device's owner.

The presumption should be that nothing on your computing device is private, even if you’re not surfing the internet. Technically, information on your computing device and the device itself can be seized by law enforcement if there is suspicion of a violation of law. The computing device can then be searched by a computer forensics investigator whose job it is to gather evidence, which you will learn about in this chapter.

Usually, law enforcement must have a suspicion that your computing device contains evidence related to a violation. The suspicion is presented to a judge in a request for a search warrant. If law enforcement presents sufficient probable cause, the judge will issue a search warrant that clearly defines what law enforcement can search. Regardless if you are home or not, law enforcement agents will enter your home, present the search warrant, and leave with your computing device(s). The computing device(s) may be returned to you after the legal matter is settled, which could take years.

Law enforcement may also execute a search warrant for information about you and activities performed on your computing device to ISP, cloud providers, social websites, and other organizations that may have information about you and your activities. In these situations, you probably will not be told of these searches.

The search warrant is valid if the request for the search warrant is filed in good faith; the information supporting probable cause is based on reliable information; the warrant is issued by a neutral judge; and the warrant specifically states the place to be searched and the items to be seized.

There are exceptions to the search warrant requirement. A search can be conducted if you give permission for the search. The plain view doctrine allows law enforcement agents to search and seize evidence that is clearly in sight without a search warrant. However, this is usually to preserve the evidence, referred to as an exigent circumstance. For example, a computing device lying on the seat of a car that is stopped in relation to a burglary probably can be seized but a search warrant is probably required to search the computing device. Once the computing device is in the hands of law enforcement, the evidence is protected but a proper search warrant is required to examine the evidence.

The federal government can request secret authority to gather information about an individual or organization with permission from the Foreign Intelligence Surveillance Court (FISC). Although there are records of proceedings, these records are not made public. FISC warrants are good for a year and authorize the collection of bulk information related to foreign targets but can include communications between the foreign target and a U.S. citizen.

U.S. customs agents can conduct a search at the border without a warrant and without suspicion that a crime has been committed. For example, a U.S. customs agent can take your laptop when you cross the border and send it to a computer forensics investigator for examination even if you are not a suspect in a criminal proceeding. Some federal appellate courts have held that a full forensic examination of a device, as opposed to a manual look through it, requires at least reasonable suspicion, so the reach of this exception varies by jurisdiction.

Besides law enforcement, some information on your computer device may be accessed by programs and apps running on your computing device. This includes the operating system. You probably gave permission to collect the information when you agreed to the terms of use. This is the legal document that few read when installing a program or app, right before clicking “I agree.”

Protecting Your Computing Device

You can attempt to protect your computing device by using the lockout feature that requires authentication to unlock the device. A long, unique password or passphrase kept in a password manager resists guessing far better than a short one you can remember. Biometric readers are convenient, but a fingerprint or face is an identifier rather than a secret, and nearly every device falls back to a PIN or password anyway, so the strength of that fallback is what matters. Full-disk encryption protects the data if the device is lost or seized while powered off; the current standard is the Advanced Encryption Standard (AES), which is what BitLocker, FileVault and LUKS use. The older triple data encryption standard (3DES) has been deprecated by NIST and should not be chosen for new systems.

A locked computing device and encrypted data may not prevent law enforcement from gaining access to the computing device and data. Law enforcement agents can seek a court order requiring you to unlock the device and decrypt the data, although whether compelling a person to reveal a password violates the Fifth Amendment privilege against self-incrimination is unsettled and courts have reached different results; many courts treat compelling a fingerprint or face unlock differently from compelling a password. Efforts are also being made to require computing device manufacturers and developers of encryption software to provide law enforcement with access to the computing device and encrypted data. This is still being decided in the legal system.

Destroying data on a drive isn't as easy as deleting a file. Deleting a file simply tells the operating system that the space held by the file is available and can be overwritten; the file's contents stay on the drive until some other file happens to be written over them. You never really know if all parts of the file have been overwritten the next time another file is saved to the drive. As you'll learn in this chapter, a computer forensics investigator has tools that can piece together deleted files from this unallocated space.

Reformatting the drive is often suggested, but a quick format only rewrites the filesystem's metadata (the directory and allocation tables); the data blocks are left untouched and are just as recoverable as a deleted file. To make files unreadable you must overwrite every block, which is what a full format with overwriting, tools such as dd or shred, or the drive's own secure-erase command do, and which takes time proportional to the size of the drive. Solid-state drives complicate this because wear leveling can leave copies of data in blocks the operating system cannot address, so for an SSD the drive's built-in secure erase, or destroying the key on a self-encrypting drive, is the reliable method.
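The following added example (not code from the chapter) builds a toy disk image with a hypothetical directory table and data region and walks through delete, quick format and full overwrite, carving for the file by signature after each step. The layout, sector size and sample document are constructed for illustration and are not a real filesystem; only the PDF header and trailer signatures are genuine.

```python
"""Added example (not part of the chapter): a toy disk image that shows why
deleted and quick-formatted data is still recoverable.  The directory layout,
sector size and sample document are constructed for illustration and are not a
real filesystem; only the PDF header/trailer signatures are genuine."""
import struct

SECTOR = 512
DIR_SECTORS = 2                      # hypothetical: sectors 0-1 hold the directory table
ENTRY_FMT = "<16sII"                 # name (16 bytes), start sector, length in bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DIR_SLOTS = DIR_SECTORS * SECTOR // ENTRY_SIZE

PDF_HEADER, PDF_TRAILER = b"%PDF-", b"%%EOF"


def new_image(n_sectors=64):
    return bytearray(SECTOR * n_sectors)


def _entries(img):
    for i in range(DIR_SLOTS):
        off = i * ENTRY_SIZE
        name, start, length = struct.unpack(ENTRY_FMT, img[off:off + ENTRY_SIZE])
        yield off, name.rstrip(b"\0").decode(), start, length


def write_file(img, name, data, start_sector):
    """Write data to the data region and record it in the first free directory slot."""
    img[start_sector * SECTOR:start_sector * SECTOR + len(data)] = data
    for off, _, _, length in _entries(img):
        if length == 0:
            img[off:off + ENTRY_SIZE] = struct.pack(
                ENTRY_FMT, name.encode().ljust(16, b"\0"), start_sector, len(data))
            return
    raise RuntimeError("directory full")


def list_files(img):
    """What the operating system shows: only files with a live directory entry."""
    return [name for _, name, _, length in _entries(img) if length]


def delete_file(img, name):
    """'Delete' clears the directory entry; the data sectors are left untouched."""
    for off, entry_name, _, length in _entries(img):
        if length and entry_name == name:
            img[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
            return


def quick_format(img):
    """Quick format rewrites only the metadata region; data sectors are untouched."""
    img[:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)


def full_overwrite(img):
    """A real wipe touches every sector (what dd/shred do on a spinning disk)."""
    img[:] = bytes(len(img))


def carve(img, header=PDF_HEADER, trailer=PDF_TRAILER):
    """Signature carving: ignore the directory and scan raw bytes for header..trailer."""
    found, pos = [], 0
    while (start := img.find(header, pos)) >= 0:
        end = img.find(trailer, start)
        if end < 0:
            break
        found.append(bytes(img[start:end + len(trailer)]))
        pos = end + len(trailer)
    return found


def demo():
    """Run the whole story and return what was visible/recoverable at each stage."""
    img = new_image()
    # constructed sample document; a real PDF is longer but carves the same way
    doc = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
    write_file(img, "memo.pdf", doc, start_sector=10)
    r = {"listed_before": list_files(img)}
    delete_file(img, "memo.pdf")
    r["listed_after_delete"] = list_files(img)
    r["carved_after_delete"] = carve(img)
    quick_format(img)
    r["carved_after_quick_format"] = carve(img)
    full_overwrite(img)
    r["carved_after_overwrite"] = carve(img)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

After the delete and again after the quick format the directory is empty, yet carve() still returns the whole document from the data region; only the full overwrite leaves nothing to find. Real carvers work the same way on unallocated space, which is why "I deleted it" and "I reformatted it" rarely mean the data is gone.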

The Legal Environment

Legal action can be taken if there is a violation of law. There are two general classifications of law: criminal law and civil law. Criminal law defines rules of society created by the government. Violating a criminal law means that the government can take action against the individual that might result in a fine or incarceration. Civil law also defines rules of society created by the government but private parties can bring action against an individual, although the government may also bring civil action. The result of civil law action is monetary and there is no incarceration.

In a criminal action, the prosecutor employed by the government files a criminal complaint in the court against an individual referred to as the defendant. The criminal complaint accuses the defendant of violating a specific criminal law. The prosecutor must present evidence that proves beyond a reasonable doubt that the defendant violated the criminal law. The defendant usually is represented by another attorney called a defense attorney who presents evidence that the defendant did not commit the crime.

In a civil action, there isn’t a prosecutor. The plaintiff is the party bringing the legal action against the defendant. The plaintiff presents evidence that supports the claim that the plaintiff incurred an injury caused by the violation and that the defendant violated the law. The injury can be physical, psychological, or monetary. The plaintiff is successful if the preponderance of the evidence reasonably proves that the defendant violated the law. There are two important distinctions between the civil action and the criminal action. In a civil action, the plaintiff must have been injured related to the violation. Also, reasonable proof—not proof beyond a reasonable doubt—is necessary.

Another type of civil action is to request that the court take action against a defendant, such as stopping the defendant from doing something that will cause the plaintiff injury. This is referred to as an injunction. In actions asking the court to intervene, the individual making the request is called a petitioner. The request is called a petition. The defendant is called the respondent. Both parties present evidence and the court makes a ruling.

Criminal Trial

A criminal trial is the legal proceeding where both the prosecutor and the defense attorney plead their case. The defendant can choose to have a jury trial or a trial heard by a judge. In a jury trial, impartial members of the community are assembled to hear the evidence. The jury is the judge of fact. They consider the evidence and determine if the evidence is factual and if the sum of all the evidence proves beyond a reasonable doubt that the defendant committed the crime. The judge in the jury trial is the judge of law and decides if the proceedings, evidence, and everything else related to the case adhere to law. The judge, for example, can rule that a piece of evidence does not conform to the rules of evidence, leading to the evidence not being presented at trial. In a trial heard by a judge, there is no jury. The judge is the judge of both law and fact and decides if the evidence is factual and if the sum of the evidence proves beyond a reasonable doubt that the defendant committed the crime.

Each state and the federal government have their own laws and rules for legal proceedings. Generally, there are three categories of criminal violation. The most serious is commonly referred to as a felony. These are very serious crimes that usually, but not always, result in a minimum term of incarceration. The less serious category of crime is commonly called a misdemeanor, which can result in a fine and/or incarceration. An infraction, in some states called a disorderly persons offense, is the least serious type of criminal offense; it usually results in a fine but could result in less than a year of incarceration. Infractions are usually adjudicated in municipal court, where the judge decides the facts as well as the law and, in practice, also looks out for the interests of an unrepresented defendant.

Crimes higher than an infraction are referred to as an indictable offense because of the seriousness of the charges and the consequences if the defendant is found guilty. An indictment is a form of accusation by a grand jury. A grand jury is an impartial assembly of the community who hear the prosecutor’s evidence. The grand jury decides if a crime was committed and if there is likelihood that the defendant committed the crime. If both answers are yes, then the grand jury returns an indictment accusing the defendant of committing the crime. The case then proceeds to trial. No indictment occurs if the prosecutor’s evidence does not prove a crime has been committed and that the defendant is likely to have committed the crime. It is critical to understand that only a minimum amount of evidence—not beyond a reasonable doubt—is necessary to prove there is likelihood that the defendant committed the crime.

Civil Trial

A civil trial is similar to a criminal trial. The plaintiff’s attorney is like the prosecutor who must provide evidence that proves the accusation. The defense attorney disproves the accusation by challenging evidence presented by the plaintiff or by presenting additional evidence that refutes the plaintiff’s accusation.

Civil action usually is based on a violation of an agreement between the plaintiff and the defendant. The agreement is called a contract. Some contracts are verbal contracts and others are written. Contracts can be the basis for business transactions following the rules contained in the Uniform Commercial Code. The Uniform Commercial Code defines rules that states have adopted as law.

Trials are costly. Both plaintiffs and defendants may pay more in litigation costs than the monetary value awarded at trial. Therefore, other legal alternatives are taken to avoid trial.

Settlement: A settlement is an agreement to resolve the issue amicably, usually negotiated by the plaintiff's attorney and the defendant's attorney.

Fact-finding: Fact-finding is where an independent third party determines the facts of the case by reviewing the evidence. This provides a basis for a settlement.

Mediation: Mediation is where an independent third party called a mediator attempts to bring both sides together to achieve a settlement.

Arbitration: Arbitration is a process where the plaintiff and the defendant present evidence to an arbitrator who then decides the dispute. Arbitration is usually binding and the award must be adhered to by both sides; a court will set aside a binding award only on narrow grounds such as fraud or misconduct by the arbitrator, not because one side disagrees with the result.

Summary judgment: A summary judgment is a process whereby the plaintiff and the defendant both present evidence to a judge and the judge then rules based on the evidence without a trial. In many cases, evidence is submitted in writing to the judge without going to court.

Decisions and Appeals

Decisions in a jury trial are made by the jury. In a criminal trial, all jurors must agree on the verdict. In a civil trial, a majority or a supermajority of jurors must agree. A majority is one more than half, such as seven jurors in a jury of twelve. In some states, a supermajority of jurors is necessary to reach a decision, for example two-thirds (eight of twelve) or three-quarters (nine of twelve).

Here are types of decisions that can be made in a trial.

Compromise verdict: A compromise verdict is the decision made by the members of the jury after listening to each juror’s opinion. Collectively, jurors agree on the conclusion.

Directed verdict: A directed verdict is when the judge orders the jury to return a specific verdict because no reasonable jury could reach a contrary decision on the evidence presented. In a criminal trial the judge can direct a verdict of not guilty (a judgment of acquittal) but never a verdict of guilty; in a civil trial the judge can direct a verdict for either side. The jury must follow the order of the court.

Deadlock: A deadlocked jury, sometimes referred to as a hung jury, occurs when the jury is unable to reach a verdict after extended deliberation. In such cases, the judge may order a mistrial, giving the case back to the prosecutor or plaintiff to request a retrial.

Mistrial: A mistrial occurs when a material error occurs in the proceedings that jeopardizes the integrity of the trial. The trial stops and the prosecutor or plaintiff may request a retrial.

Acquittal: An acquittal is a verdict that states the evidence presented does not prove the charges. It does not mean that the party is innocent. It means there wasn't sufficient evidence to convict. In a criminal case, the same charges cannot be brought again because the U.S. Constitution prohibits double jeopardy.

Dismissal: The judge may dismiss charges with or without prejudice. “With prejudice” means that the same charges cannot be refiled. “Without prejudice” means that the same charges can be refiled.

A judicial decision can be appealed if a party feels that the decision is flawed by errors in the proceedings. A trial is a forum for a legal contest that has many rules. There are rules governing how the trial is conducted—rules of evidence, and rules based on precedents (past rulings). Sometimes, the judge must interpret laws, and those interpretations might be flawed.

Any time an attorney feels the other attorney, a witness, or even the judge violates a rule, the attorney voices an objection and the judge decides if the rule was broken or not. After the trial is over, the attorney can challenge the verdict in an appeal to the appellate court. The attorney states the objection and then provides evidence to support the claim along with how the faulty ruling negatively affected the outcome of the trial. The appellate court reviews the argument and evidence and decides to let the original verdict stand or overrule the verdict, sending the case back to the judge who oversaw the trial for further review or to hold a new trial.

If the attorney disagrees with the appellate court's decision, then the attorney can ask the next highest court to hear the case. In state cases, each state has an equivalent of a Supreme Court. In federal cases, trials are held in the U.S. District Courts, appeals are heard by the U.S. Court of Appeals for the circuit in which the district sits, and a further appeal is by petition to the U.S. Supreme Court, which chooses which cases it will hear. Judges on the highest court hear arguments as to why the appellate court's decision is incorrect. A final decision is then made in the case.

Evidence

Evidence is fact that supports or contradicts a belief, such as whether or not an individual has violated the law. The prosecutor or the plaintiffs have the burden of proof to provide evidence that supports claims made in the case.

Evidence must be authenticated to ensure that the evidence is genuine and not a forgery. For example, before an eyewitness to an event can testify, evidence must be provided to show that the witness was actually at the event. Likewise, a copy of a document will generally not be admissible as evidence if the original is available. If the original is unavailable, then evidence must be provided that the copy is an accurate representation of the original. For digital evidence this is less of an obstacle than it sounds: the Federal Rules of Evidence treat an accurate duplicate, which includes a hash-verified bit-for-bit forensic image, as admissible to the same extent as the original unless a genuine question is raised about its authenticity.

The chain of custody is a technique used to ensure that the evidence collected is not tampered with throughout the legal proceedings. The evidence is identified and placed in a sealed container, and the investigator collecting the evidence initials the sealed container and records the evidence in a log. Each time the evidence is touched, an entry is made in the log. There is a paper trail of the evidence to ensure no one has tampered with the evidence.

There are different types of evidence. These are:

Direct evidence: Direct evidence is evidence provided by a witness who has direct knowledge of the fact, such as a witness that saw the defendant fire the gun.

Indirect evidence: Also referred to as circumstantial evidence, indirect evidence is evidence that can infer a conclusion. For example, the gun was found on the floor; the defendant was in the room; the defendant’s fingerprints were on the gun; and gunshot residue was on the defendant’s hand. This leads a reasonable person to believe that the defendant fired the gun.

Hearsay evidence: Hearsay evidence is presented when a witness testifies as to what another person said to the witness. The witness does not have any firsthand knowledge that the statement is true. Hearsay evidence with few exceptions is not permitted in a legal proceeding.

Testimonial evidence: Testimonial evidence is an assertion made by a witness under oath under penalty of perjury.

Physical evidence: Physical evidence is a material object, such as a spent bullet from a gun.

Scientific evidence: Scientific evidence is facts determined in nature or determined from experiments in a controlled environment. The burden of proof for scientific evidence is with the presenter of the evidence. For example, a technician who performed a ballistic test on a firearm must clearly present the scientific basis for the test; prove that testing methodology followed scientific principles; and that the findings were consistent with the underlying science.

Expert evidence: Expert evidence is testimony given by an individual who by training or experience is competent enough to draw a technical conclusion based on scientific evidence.

A Computer Forensics Investigation

Today, advances in technology and its ubiquitous use, especially of cell phones, have made digital data a key ingredient in the pursuit of the truth in criminal proceedings. Emails, phone calls, text messages, internet activity, the files on computers used by all parties including the victim's, geolocation, public and private security systems, cameras and public surveillance systems, and evidence found on computers and other devices have changed the nature of the evidence used to solve crimes and resolve civil disputes, to the point where attorneys today are expected to understand and utilize the basics discussed in the remainder of this chapter.

The objective of computer forensics is to identify digital evidence for a legal case. Digital evidence can be on a computing device such as a hard disk or USB stick, or digital evidence in motion such as data transmitted over a computer network. The computer forensics investigator must collect and preserve digital data to ensure its authenticity. Furthermore, the computer forensics investigator analyzes digital evidence and then provides expert testimony on the digital evidence. Attorneys and the courts determine if the evidence is relevant to the case.

For example, a suspect might be defrauding an online merchant. A computer forensics investigator may be called in to conduct a digital forensics investigation. The investigation begins by examining the merchant's web server log. The log contains the IP address of every computer used to visit the website, with the date and time of each request. A public IP address identifies an internet service provider's customer connection, not a particular computer: the ISP's records show which subscriber account held that IP address during a given window (the date, start time and end time of the address assignment), tied to the account holder's name and service address and usually to the hardware address (MAC address) of the modem or gateway the ISP issued. The MAC address is the media access control address burned into a network interface. Note that the ISP normally sees only the MAC address of the customer's modem, not of the computer behind the home router, so the specific device is identified later from the router's own lease records and from artifacts on the device itself. The ISP record is sufficient for law enforcement to obtain a search warrant to seize the suspect's computer. The computer forensics investigator then looks on the seized computer for traces of the visits (browser history, cached pages, cookies set by the merchant's site) at the times recorded in the merchant's log. If they match, there is a digital link between the suspect's computer and the merchant. Authorities still have to prove that the suspect used the computer to defraud the merchant, supported by other evidence, to prove the case.
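The correlation step described above, as an added example that is not part of the chapter: a few constructed web server log lines in Apache combined format are joined with a constructed ISP lease table on IP address and time. The merchant's server logs local time (UTC-5) while the lease table is in UTC, which is the usual pitfall, and the same address is shown changing hands between two subscriber accounts overnight. All addresses, times and account identifiers are made up.

```python
"""Added example (not from the chapter): correlating a merchant's web server
log with an ISP's IP lease records.  Log lines, lease table, addresses and
account identifiers are all constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed Apache "combined" log lines; the server logs local time (UTC-5).
WEB_LOG = """\
203.0.113.45 - - [10/Mar/2024:21:58:07 -0500] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:22:03:41 -0500] "GET /orders/8812 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Mar/2024:02:15:00 -0500] "POST /checkout HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.99 - - [11/Mar/2024:01:00:00 -0500] "POST /checkout HTTP/1.1" 403 128 "-" "Mozilla/5.0"
"""

# Constructed ISP lease records: (ip, lease start, lease end, subscriber account), all UTC.
LEASES = [
    ("203.0.113.45", "2024-03-10T20:00:00Z", "2024-03-11T04:00:00Z", "ACCT-1001"),
    ("203.0.113.45", "2024-03-11T04:00:00Z", "2024-03-12T04:00:00Z", "ACCT-2047"),
    ("198.51.100.7", "2024-03-09T00:00:00Z", "2024-03-12T00:00:00Z", "ACCT-3310"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_web_log(text):
    """Return (utc_time, ip, request) for each parseable line; times normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not parse; never guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append((ts, m["ip"], m["req"]))
    return events


def _utc(iso_z):
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def parse_leases(rows):
    return [(ip, _utc(start), _utc(end), acct) for ip, start, end, acct in rows]


def subscriber_for(ip, when, leases):
    """Account holding `ip` at instant `when`; lease interval is half-open [start, end)."""
    for lease_ip, start, end, acct in leases:
        if lease_ip == ip and start <= when < end:
            return acct
    return None                            # gap in the records: say so rather than guess


def correlate(web_log=WEB_LOG, lease_rows=LEASES, path="/checkout"):
    """Return (utc time, ip, account-or-None) for every request to `path`."""
    leases = parse_leases(lease_rows)
    return [(ts.isoformat(), ip, subscriber_for(ip, ts, leases))
            for ts, ip, req in parse_web_log(web_log) if path in req]


if __name__ == "__main__":
    for row in correlate():
        print(*row)
```

The 02:15 local-time request converts to 07:15 UTC and therefore belongs to ACCT-2047, not to ACCT-1001 who held the address earlier that night; an investigator who compared the raw timestamps without converting would name the wrong subscriber. The request from 192.0.2.99 has no lease on record and is reported as None rather than guessed.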

Records are retained for various lengths of time, and the periods vary by carrier; the following are typical. ISP IP assignment logs are kept for approximately six months. Records of calls and cell tower usage are held for about a year. Text message content, where the carrier retains it at all, is kept for only a few days. Records of website visits are held for about ninety days.

The focus of a digital forensics investigation is frequently a hard drive. The initial step is for the computer forensics investigator to write protect the evidence drive before acquiring data from it. The evidence drive is the drive that contains evidence related to the legal case. Acquisition produces a bit-for-bit copy (a forensic image) of the entire drive, including unallocated space, and a cryptographic hash of both the original and the image is recorded so the copy can be shown to be exact. The forensic investigation only uses the image to look for evidence and never the original drive. The original drive is preserved, enabling other investigators to conduct further study that confirms or challenges the evidence.

The next step is to analyze the data. There are a number of ways to analyze data; the most common is to perform a keyword search looking for words and phrases related to the subject of the legal case. The search runs over the raw image rather than over the mounted filesystem, so it also finds text in deleted files, file slack and swap space, and it must try more than one text encoding, because Windows stores many strings as UTF-16 rather than as plain ASCII.
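A raw keyword search of the kind just described, as an added example that is not from the chapter: it scans a constructed image for each keyword in both ASCII and UTF-16LE, case-insensitively, and reports byte offsets with surrounding context the way a forensic suite's hit list does. The sample image, its filler and the "invoice" strings are made up.

```python
"""Added example (not from the chapter): a keyword search over a raw disk
image that tries both ASCII and UTF-16LE encodings, case-insensitively, and
reports offsets with surrounding bytes.  The sample image is constructed."""


def keyword_hits(image, keywords, context=12):
    """Find each keyword in `image` as ASCII and as UTF-16LE (Windows' native
    string encoding).  Lower-casing the bytes folds only ASCII letters, which
    is exactly what is wanted: the NUL bytes of UTF-16LE are left alone."""
    lowered = bytes(image).lower()
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            pos = lowered.find(needle)
            while pos >= 0:
                lo, hi = max(0, pos - context), min(len(image), pos + len(needle) + context)
                hits.append({"offset": pos, "encoding": enc, "keyword": kw,
                             "context": bytes(image[lo:hi])})
                pos = lowered.find(needle, pos + 1)
    return sorted(hits, key=lambda h: (h["offset"], h["encoding"]))


def printable(data):
    """Render bytes for a report: printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def sample_image():
    """Constructed image: filler, an ASCII mail fragment left in unallocated space,
    zero padding, then a UTF-16LE string as a Windows registry value would store it."""
    return (b"\xff" * 100
            + b"Re: Invoice 8812 shipped\n"
            + b"\x00" * 50
            + "Invoice #8812".encode("utf-16-le")
            + b"\x00" * 20)


def search_sample(keywords=("invoice", "8812")):
    return keyword_hits(sample_image(), keywords)


if __name__ == "__main__":
    for h in search_sample():
        print(f"{h['offset']:#010x} {h['encoding']:9} {h['keyword']:8} {printable(h['context'])}")
```

An ASCII-only search would report the mail fragment and miss the UTF-16LE copy entirely; the offsets are what the examiner records, because they let anyone re-examining the same image find the same bytes.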

The last step is to identify evidence and present the evidence, explaining how you found it, what you found, and how it relates to the legal case. Findings are presented in a written report. Many computer forensics tools automatically generate a basic report that is transformed into the official evidence report. The official evidence report contains information specifically related to the legal case. The basic report from the computer forensics tool contains information specifically related to the evidence gathered from data from the evidence drive. Once the final report is written and reviewed, the report, the copy of the evidence drive, and the evidence drive are submitted as evidence—usually to the legal team who requested the computer forensics investigation or directly to the court.

Types of Computer Forensics Investigations

There are two types of computer forensics investigations: public investigations and private investigations. A public investigation is typically a criminal investigation conducted by law enforcement to prove that the target of the investigation has committed a crime. Sometimes the prosecutor hires an independent computer forensics investigator to conduct the computer forensics examination of computing devices related to the case. This happens when the prosecutor's office and related law enforcement agencies lack the capability to perform a computer forensics investigation. Defense attorneys also use independent computer forensics investigators to gather evidence that counters the prosecutor's findings.

Many private investigations involve civil litigation, where the plaintiff attempts to prove injury caused by the defendant. The result is usually a monetary penalty. It is rare that civil litigants appear in court. Most civil litigations are settled out of court directly by attorneys or through mediation.

Other private investigations are internal investigations within an organization. A corporate attorney may suspect an employee of an impropriety and request a computer forensics investigation to provide evidence to support the suspicion. The results may clear the employee or lead to the employee’s termination. In some cases, results may be turned over to law enforcement for criminal action. In most situations, the goal is to stop the offending practice and not to bring expensive litigation.

Tools of Computer Forensics

Computer forensics tools are software tools and hardware tools. Computer forensics software tools are grouped together in a software suite that collectively is used to acquire evidence data, process evidence data, search evidence data, and automatically produce a report that describes these tasks. A popular computer forensics software suite is called EnCase. There are times when additional forensics software tools are required because the computer forensics software suite lacks such tools. For example, not all computer forensics software suites contain a steganography tool. Steganography is the practice of hiding data inside an innocuous carrier such as a picture file; a steganalysis tool detects, and where possible extracts, such hidden content.

The computer forensics workstation is a computing device that has the computing power to acquire and analyze computer forensics evidence. A computer forensics workstation must have large amounts of memory and disk space and a powerful processor to store and analyze large data files. Disk space is used to temporarily store an exact copy of the evidence disk drive. Memory is used to analyze evidence data.

In addition to computer forensics software, special hardware is required to conduct a computer forensics investigation. The computer hardware enhances the workstation's capabilities. Two common enhancements are extra bays and ports used to connect the evidence drive to the workstation to acquire evidence data. Another common enhancement is a write blocker. Simply attaching a drive to a workstation can alter it: on mount, an operating system may replay the filesystem journal, update access timestamps or create index and thumbnail files, and it will happily reuse sectors that hold deleted data. A hardware write blocker sits between the evidence drive and the workstation and passes read commands while rejecting every write command, so the contents of the drive remain intact and preserved throughout the legal proceedings. The write blocker ensures that the operating system does not accidentally overwrite data on the drive, including deleted data that the forensics team may later recover.

Legal Consequences of Computer Forensics

It is critical that a computer forensics investigation be conducted with utmost care. Any deviation from acceptable evidence-gathering practice may result in exclusion of the evidence from the proceedings, and without computer forensics evidence, the case itself may be dismissed. Therefore, the computer forensics investigator must be able to demonstrate to the court, through documentation, that the computer forensics evidence was gathered legally and appropriately.

The computer forensics investigation must be authorized. The Fourth Amendment of the U.S. Constitution prohibits unreasonable search and seizure. Before the computer forensics investigator touches a computing device that is the target of the investigation, the computer forensics investigator must be authorized to gather computer forensics evidence from the computing device.

Attorneys usually address the legality of a computer forensics investigation before the computer investigator is brought into the investigation. However, the computer investigator must confirm there is legal authorization for the examination of the computing device. The owner of the computing device can give written permission to conduct the examination. This is frequently the situation in private investigations where the organization owns the computing device used by employees. However, if the owner does not give permission, then the legal team needs to obtain a warrant from the courts, which is common in criminal cases and in civil cases where the petitioner doesn’t own the computing device. The legal team must provide evidence to the court that the computing device is likely to contain evidence that is critical to the legal proceedings. Either side in the legal action can request the court’s authorization to access and examine the computing device. The warrant, if granted, specifies the conditions to seize and analyze the computing device.

The plain view doctrine gives law enforcement the right to seize a computing device without a warrant if the computing device is in plain sight and if a law enforcement officer sees the computing device being used to violate the law. For example, law enforcement might be inside a suspect’s home responding to a disturbance and see child pornography on the screen of a computing device. The computing device is in plain view and the officers have a right to seize the computing device without a warrant. Once the computing device is in custody, officers can request a search warrant to search the device.

Once the computer forensics investigator has proper authorization to examine the computing device, then proper methods must be used to ensure that the computer forensics evidence was accurately reproduced and proper procedures were followed to ensure the verifiability of the evidence that was analyzed. Any doubt that the proper procedures were used might cause the evidence to become non-admissible in the legal proceeding.

Proper procedures require that the chain of custody be documented. The chain of custody identifies who has custody of a piece of evidence from the time evidence is gathered from the original source to the time evidence is legally destroyed or returned to the owner of the evidence. For example, a police investigator takes possession of a computing device from the owner of the computing device. Acquiring the evidence is documented in detail. The police investigator turns over the computing device to the police officer who is responsible for the evidence room. This too is documented by both officers. The evidence room is a secured location within the police facility. A police investigator may retrieve the computing device from the evidence room to turn it over to the computer forensics investigator. Both the removal of the computing device from the evidence room and giving it to the computer forensics investigator are documented.

Documentation of the chain of custody is usually in an evidence log and on the evidence itself. The evidence (computing device) is usually in a sealed envelope. Each person taking custody of the evidence documents that the envelope was sealed and untampered. If the person breaks the seal, then that person reseals it, documenting why the seal was broken and what was done to the evidence by that person.

Let’s say that the computer forensics investigator broke the seal; removed the computing device; made a copy of evidence data on the computing device; then replaced the computing device in the packet and resealed it. The computer forensics investigator provides detailed documentation on what was done to the computing device and by whom when the computing device was no longer in the packet. This maintains the integrity of the chain of custody.

Furthermore, the computer forensics investigator must verify that the copy of the evidence data is an accurate copy. This is accomplished by using a technique called hashing. A hash function reads every byte of the data and produces a short, fixed-length value called a hash value (or digest); changing even a single bit of the input produces a different hash value. Hashing is performed on the evidence data and on the replication of the evidence data. If both have the same hash value, then it is safe to say that the copy is the same as the evidence data. The hashing can be performed by anyone using the same algorithm and the same data, and the result will be the same hash value, which is what lets another party check the investigator's work.

It is critical that the computer forensics investigator avoid unintended consequences that might bring doubt on the results of the investigation. The computer forensics workstation must be maintained. Storage space for evidence data must be wiped (overwritten) of data from previous investigations, and the wipe verified, so that nothing from an earlier case can be mistaken for evidence in the current one. Preferably, a new storage device is used for every evidence data acquisition. The computer forensics workstation must be compatible with the target computing device, operating system, and computer applications. Computer forensics workstations can be a field kit or a laboratory workstation. A field kit is a portable computer forensics workstation that can be brought to the remote location to gather evidence. The laboratory computer forensics workstation is designed for analysis of the evidence data.

It is critical that computing devices be packaged in anti-static evidence bags to prevent accidental static discharges that might affect the computing device. Any disruption of the evidence data may invalidate the evidence data so that it cannot be used in the case.

Conducting a Computer Forensics Investigation

There are commercial forensics software suites such as EnCase, Forensic Toolkit (FTK), and ProDiscover that are purchased from vendors who specialize in developing forensics software to meet the needs of professional computer forensics investigators. Open-source forensics software suites such as Autopsy and Digital Forensics Framework are available at no cost from the internet.

In addition to computer forensics software suites, there are computer forensics utilities that focus on a single aspect of a computer forensics investigation. These include FTK Imager, dcfldd, and dd, which enable the computer forensics investigator to obtain an image of an evidence drive. An image is an exact, bit-for-bit copy of the drive, including unallocated and slack space, not just the files the file system lists.

Preserving Data Using Write Blockers

It is critical that data be preserved during the forensic investigation. Any indication that the data differs from the evidence data can lead to the entire evidence data being excluded from the case. Even if it merely appears that the data might have been changed, without it actually having changed, the courts may doubt the accuracy of the evidence and therefore discount the evidence data.

For example, the computer forensics investigator creates an image of the evidence data on the computer forensics workstation. The accuracy is verified by the hash value. The computer forensics investigator then uses a hex editor to read the image on the investigator's workstation. The hex editor does this by loading the image, or part of it, into computer memory.

The computer forensics investigator can now change hexadecimal values in memory using the hex editor without jeopardizing the integrity of the image. However, this changes if the computer forensics investigator inadvertently saves the changed memory contents back to the image on the computer forensics workstation. The image is now considered corrupted (its hash value no longer matches the recorded one) and can no longer be used for the investigation. The computer forensics investigator must document the error and then acquire another image of the original evidence data, assuming it is available. If it is unavailable, then the computer forensics investigation into the computing device cannot continue.

A write blocker is used to prevent overwriting evidence data or a copy of the evidence data. There are two types of write blockers: hardware and software. A hardware write blocker is a device placed between the evidence drive that contains the evidence data and the forensics workstation; it passes read commands through and discards write commands. A software write blocker is a software component (of the operating system or of a forensics suite) that disables the capability to write anything to the evidence drive.

Software built into the computer forensics suite automatically documents the chain of custody with the evidence drive by recording who accessed it, when, and why it was accessed. Each computer forensics investigator is assigned a logon to access the computer forensics suite. The computer forensics suite is used to access the evidence drive. Each access—and attempted access—is time-stamped and stored in a log. Before granting access to the evidence drive, the computer forensics investigator must provide a reason for the access. This too is stored in the log. Any attempt to save to the evidence drive is recorded with sufficient information to help identify the person who made the attempt.

There are various types of hardware write blockers. One of the most common is to connect the evidence drive to the hardware write blocker, which in turn connects to the computer forensics workstation over a USB port. The hardware write blocker, however, must support the interface of the evidence drive (for example SATA, IDE, USB, or NVMe), so a lab keeps blockers or adapters for each type of drive it expects to see.

An alternative to the USB connection is to use a hard drive docking station. A hard drive docking station enables you to place the evidence drive into the docking station, which is itself a hardware write blocker. The hard drive docking station is connected to the computer forensics workstation. Professional-grade hardware write blockers contain switches used to activate or deactivate the write blocking. This enables you to set up a hard drive for read-only or for read/write access; the investigator confirms the switch position, and documents it, before connecting an evidence drive.

Some hardware write blockers are also hard drive duplicators. A hard drive duplicator is a hardware device that copies one hard drive to another hard drive by using a mirroring process that copies sector by sector, ensuring that each evidence data location is replicated. Hard drive duplicators are fast.

Hashing

Hashing is a mathematical technique used to ensure that a copy of a file is exactly the same as the original file. A hashing program applies a hashing algorithm to the original file to arrive at a hash value. A copy is made of the file, and the same hashing program applies the same hashing algorithm to the copy of the file to create another hash value. If both hash values are the same, then it is said that the copy is exactly the same as the original.

It is critical that the device used to copy the hard drive also performs hashing to ensure that files are copied without any changes. The image copy of the evidence drive must have the same hash value as the evidence drive. Any difference indicates that the image copy is not a copy of the evidence drive.

There are two families of hash algorithms commonly used in computer forensics: MD5 and the secure hash algorithm (SHA) family, in particular SHA-1 and SHA-256. A collision happens when two different files produce the same hash value when using the same hash algorithm. Collisions for MD5, and since 2017 for SHA-1, can be produced deliberately, so an adversary could in principle craft two different files with the same MD5 or SHA-1 value. SHA-256 produces a larger (256-bit) hash value and has no known practical collision attack, so forensic tools record SHA-256, often alongside MD5 for compatibility with older reports. An accidental collision remains vanishingly unlikely for any of these algorithms, so a matching hash still confirms that a copy was not corrupted; the concern is deliberate manipulation.
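The following added example (illustrative Python, not from this book and not the code of FTK Imager, dd or dcfldd) shows what an imaging tool does with hashing: it copies a constructed stand-in for an evidence drive sector by sector, computes MD5 and SHA-256 while the bytes pass through, substitutes zeros for an unreadable sector so that every later byte keeps its original offset (the conv=noerror,sync behaviour of dd and dcfldd), and re-verifies the image afterwards. The EvidenceDrive class, the 512-byte sector size and the sample contents are assumptions made for the example.

```python
"""Sector-by-sector acquisition with hashing on the fly (added example)."""
import hashlib

SECTOR = 512  # assumed sector size; real drives report 512 or 4096 bytes


class EvidenceDrive:
    """Stand-in for a physical evidence drive (constructed sample data).
    Sector numbers listed in `bad` raise a read error, like a failing disk."""

    def __init__(self, sectors, bad=()):
        self._sectors = sectors
        self._bad = set(bad)

    @property
    def sector_count(self):
        return len(self._sectors)

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._sectors[n]


def acquire(drive, log):
    """Image the drive one sector at a time, hashing as the bytes go by
    (what dcfldd does with its hash= option). An unreadable sector is
    replaced by zeros and logged, never skipped, so every byte of the
    image keeps the same offset it had on the drive."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    image = bytearray()
    for n in range(drive.sector_count):
        try:
            chunk = drive.read_sector(n)
        except OSError as err:
            log.append(f"sector {n}: {err}; wrote {SECTOR} zero bytes instead")
            chunk = bytes(SECTOR)
        image += chunk
        md5.update(chunk)
        sha256.update(chunk)
    return bytes(image), {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def digests(data):
    """Hashes of a complete image, as recomputed later to re-verify it."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify(image, recorded):
    """True only if every digest of the image matches the recorded ones."""
    return digests(image) == recorded


def make_sample_drive():
    """Constructed sample drive: 8 sectors of recognisable filler, a short
    document in sector 2, and sector 5 unreadable."""
    sectors = [bytes([i]) * SECTOR for i in range(8)]
    sectors[2] = b"confidential memo".ljust(SECTOR, b"\x00")
    return EvidenceDrive(sectors, bad=(5,))


if __name__ == "__main__":
    log = []
    image, recorded = acquire(make_sample_drive(), log)
    print("acquisition log:", log)
    print("recorded hashes:", recorded)
    print("image verifies:", verify(image, recorded))
    # An analyst who accidentally saves one changed byte back to the image
    # (the hex editor mistake described earlier) breaks verification.
    damaged = bytearray(image)
    damaged[2 * SECTOR] ^= 0x01
    print("damaged copy verifies:", verify(bytes(damaged), recorded))
```

The hashes are computed from the same bytes that are written, so the recorded values describe the image exactly as acquired, bad-sector substitutions included; the acquisition log is what tells a reader of the report which sectors contain zeros rather than drive contents.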

Hexadecimal Level of Investigation

The computer forensics investigator needs to examine the contents of the evidence drive. The physical content of the evidence drive is in the form of magnetic settings in the medium (or, on a solid-state drive, charge levels in flash cells). Each setting is the logical equivalent of a binary value. The computer forensics investigator must be able to translate these settings into meaningful information. For example, the computer forensics investigator uses a tool such as a hex editor to display the data as hexadecimal values and readable text.

As you learned from Chapter 2 and Chapter 3, data is stored as a binary value of a series of 0s and 1s. Binary values are numbers in the binary number system. You use the decimal number system that has ten digits of 0 through 9. When you add 1 to 9, you carry over the value one place to the left. This appears as 10. The binary number system has two digits. When you add 1 to binary 1, you carry over the value one place to the left. This appears as 10. It looks like ten but the equivalent decimal value is 2 because there are only two digits in the binary number system.

Computer forensics investigators rarely work at the binary level of evidence data. However, they do work at the hexadecimal level of evidence data. Hexadecimal is also a numbering system similar to the binary number system and the decimal number system. In hexadecimal there are 16 digits. The first ten digits are the same as the decimal number system (0–9). Letters A, B, C, D, E, and F are used to represent the last six digits of the hexadecimal number system.

It is important to keep in mind that a mathematical value can be represented in any number system without changing the value itself. It simply looks different. The same mathematical operations (addition, subtraction, multiplication, division) can be performed in any number system without changing the results of the operation. Hexadecimal is used by assembly language programmers and forensic investigators mainly because each hexadecimal digit corresponds to exactly four binary digits, so a byte is always two hexadecimal digits (for example, binary 01001010 is hexadecimal 4A), whereas binary numbers quickly become unwieldy because of the number of digits needed to represent a value. It is much easier for humans to read and manipulate hexadecimal, but it does not matter to a computer.

Data can be clandestinely manipulated at the binary level. However, there are simply too many digits for the computer forensics investigator to work with, so a tool called a hex editor (such as Hex Workshop) displays the binary values as hexadecimal values and, alongside them, the ASCII character that each byte represents (see Chapter 2). As you learned in the first three chapters, keyboard characters and characters not found on the keyboard are represented by a number, which is stored in the evidence data. The hex editor makes it easy for the computer forensics investigator to visualize the evidence data.

There are commercially available hex editors and open-source hex editors. Hex Workshop is a commercial hex editor. The hex editor selected for a computer forensics investigation must be able to open very large evidence data files without crashing. The hex editor must enable the user to search by sectors. Figure 11.1 shows the Hex Editor Neo.

Figure 11.1: Hex Editor Neo is a hex editor that can be used to examine the content of files.

Offset: Locating Data

There can be what seems to be an endless amount of evidence data that is examined by the computer forensics investigator. Typically only a small amount of that data is suspicious. The computer forensics investigator must locate the suspicious data and quickly identify its location in reports and in presentations to the legal team and the court while keeping the evidence data intact. The computer forensics investigator cannot simply present suspicious evidence data. Instead, the computer forensics investigator must show how to locate the evidence data on the evidence drive. The best way to accomplish this is by using an offset.

Offset is a concept that is critical to understand evidence data. Imagine a screen filled by evidence data represented in hexadecimal numbers. You found suspicious data at a particular location. The challenge is to identify the location so anyone reading your computer forensics report can find that data. A data location is identified using an offset.

An offset is a measure of the “distance” from a point in a file or disk drive from another point. This is much like telling someone to drive 5.5 miles down the road to reach a house. The offset specified in a file or disk drive is in bytes, not miles. A byte is eight binary digits. So the computer forensic report will say that the suspicious data is located at perhaps 1,512 bytes from the beginning of the file.

Offsets are conventionally written in hexadecimal, and the hex editor's go-to-offset feature jumps directly to that position rather than requiring anyone to count bytes. Once the location is found, the hex editor is used to examine the evidence data at that location. The actual hexadecimal values can be examined, or the ASCII characters associated with those values can be reviewed. Both appear side by side in the hex editor.

Keep in mind that the computer forensics investigator must be prepared to prove that the hex editor accurately located the suspicious data using the offset. That is, the hex editor counted the offset from the specified location the same way as anyone could have counted the offset at the same starting point. The hex editor simply found the suspicious point a lot faster than the computer forensics investigator could by counting hexadecimal values until the offset is reached.
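The following added example (illustrative Python, not from the book and not any hex editor's code) reproduces the two things a hex editor does for the investigator: rendering bytes with hexadecimal offsets alongside their ASCII equivalents, and locating a pattern and reporting where it is in decimal, hexadecimal, and sector-plus-offset form so that anyone can check the location by hand. The 512-byte sector size and the sample image are assumptions made for the example.

```python
"""Hex dump with offsets and sector arithmetic (added example)."""

SECTOR = 512  # assumed sector size; hex editors let you set this


def hexdump(data, start=0, width=16):
    """Render bytes the way a hex editor does: hexadecimal offset, the
    bytes in hex, and their printable-ASCII equivalent (dots elsewhere)."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{start + i:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


def locate(image, pattern, after=0):
    """Byte offset of `pattern` in the image (searching from `after`),
    or -1 if absent. A hit is reported as an offset, never as 'the text
    near the middle of the screen'."""
    return image.find(pattern, after)


def describe_offset(offset):
    """Express an absolute byte offset as decimal, hexadecimal, and sector
    number plus offset within that sector, the forms used in a report."""
    sector, within = divmod(offset, SECTOR)
    return {"decimal": offset, "hex": f"0x{offset:X}",
            "sector": sector, "offset_in_sector": within}


def report(image, pattern):
    """Every hit of `pattern` with its location and the 16 bytes around it."""
    hits, pos = [], locate(image, pattern)
    while pos != -1:
        hits.append({**describe_offset(pos),
                     "context": hexdump(image[pos:pos + 16], start=pos)})
        pos = locate(image, pattern, pos + 1)
    return hits


def make_sample_image():
    """Constructed sample: 4 sectors of zeros with one suspicious string
    placed 1,512 bytes in, straddling the boundary of sectors 2 and 3."""
    image = bytearray(4 * SECTOR)
    needle = b"wire $50,000 to acct 9981"
    image[1512:1512 + len(needle)] = needle   # 1512 = sector 2, byte 488
    return bytes(image)


if __name__ == "__main__":
    image = make_sample_image()
    for hit in report(image, b"wire $50,000"):
        print(f"found at {hit['decimal']} ({hit['hex']}), "
              f"sector {hit['sector']} + {hit['offset_in_sector']}")
        print(hit["context"])
```

Quoting the sector number and the offset within it, in addition to the absolute offset, is what lets a second examiner with a different tool (or a calculator) confirm the location independently.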

Mounting: Hiding Data

The forensic specialist needs to make sure that they locate all the data on the computer. Some of it may be hidden even unknowingly by the user. The data on a computer is stored on the hard drive (disk drives). Drives are represented by a letter or some other identifier on the screen that is used to access the content of the drive. However, the drive identifier may refer to a logical drive rather than a physical drive. The logical drive must be made “visible” using a process called mounting. The drive may seem not to exist if the drive is not mounted—but does exist and contains data.

Let’s take a closer look. A hard disk is logically divided into sections. Each section is called a partition and is listed in a partition table that the operating system reads before accessing a partition. Think of a partition as a “logical disk,” each being treated as a hard disk.

Although the partitioning process creates partitions on a hard disk, the file system on a partition is not accessible to the user until the partition is "mounted" (on Windows, given a drive letter). A partition can be hidden from the user by unmounting it, or by changing its type code in the partition table so that the operating system does not mount it automatically. Data on the partition remains intact, but effectively hidden, until the partition is mounted.

A similar process occurs when a USB drive is inserted into a computing device. The operating system recognizes the USB drive and mounts it, making the USB drive available to the operating system and user.

Each partition has a unique identifier. On Linux, running sudo fdisk -l (or lsblk) lists all storage devices and their partitions; the mount command makes a partition's file system visible and umount makes it invisible again. A forensics workstation mounts an evidence partition read-only, for example mount -o ro,noexec /dev/sdb1 /mnt/evidence, and can mount a partition that lies inside a disk image by giving its byte offset, for example mount -o ro,loop,offset=1048576 image.dd /mnt/evidence. Windows 10 has no fdisk or umount command; the equivalent is diskpart. Recall that you can find the Windows command prompt by clicking the search magnifying glass on the Windows taskbar at the bottom of your Windows 10 screen, typing "command prompt", and clicking Command Prompt; entering diskpart there, then list disk and list volume, displays all storage devices and partitions. Entering select volume followed by the volume number and then remove takes away the volume's drive letter, so the partition no longer appears in File Explorer, while assign gives it a letter again. A USB drive has a partition too and is handled the same way. A computer forensics investigator needs to control how partitions are mounted to ensure the integrity of the evidence data on an evidence drive.
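A partition table can also be read directly from the first sector of a disk image, which is how a forensic tool lists partitions that the operating system is not showing. The following added example (illustrative Python, not from the book) parses the classic MBR partition table from a constructed sample whose second partition carries the "hidden" FAT32 type code; the byte offset it reports for each partition is the value you would pass to mount -o ro,loop,offset= on Linux. The sample table and the small type-code dictionary are assumptions made for the example, and GPT disks use a different layout that this code does not handle.

```python
"""Reading an MBR partition table from a disk image (added example)."""
import struct

SECTOR = 512  # assumed sector size
# Partition type bytes used by the example (subset of the standard MBR list).
TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x83: "Linux",
         0x17: "hidden NTFS", 0x1B: "hidden FAT32"}
HIDDEN_TYPES = (0x17, 0x1B)


def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR.
    Each 16-byte entry at offset 446 holds: status byte, CHS start (3),
    type byte, CHS end (3), LBA of first sector (4), sector count (4)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 55 AA missing")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": TYPES.get(ptype, f"0x{ptype:02X}"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,   # for mount -o ro,loop,offset=
        })
    return parts


def make_entry(status, ptype, lba, count):
    """Build one 16-byte entry; CHS fields are set to the usual 'ignore' value."""
    return struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                       b"\xff\xff\xff", lba, count)


def make_sample_mbr():
    """Constructed sample MBR: a bootable NTFS partition at sector 2048
    followed by a FAT32 partition whose type byte was changed to 'hidden'."""
    table = (make_entry(0x80, 0x07, 2048, 204800) +
             make_entry(0x00, 0x1B, 206848, 102400) +
             bytes(32))                       # two empty slots
    return bytes(446) + table + b"\x55\xaa"


if __name__ == "__main__":
    for p in parse_mbr(make_sample_mbr()):
        flag = " (hidden: not mounted automatically)" if p["hidden"] else ""
        print(f"partition {p['index']}: {p['type']}{flag}, "
              f"{p['sectors']} sectors, mount offset={p['byte_offset']}")
```

A partition whose type byte has been set to a hidden value receives no drive letter on Windows, so it "seems not to exist", yet its data sits at the byte offset the table reports and can be mounted read-only from the image without touching the original drive.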

Bit Shifting

Data is encoded in a set of binary digits, each referred to as a bit. Bits are logically grouped into bytes (8 bits) or larger groupings. Collectively the group’s value represents data. The ASCII value is a widely used example of how groups of bits form meaningful information. Programs that read a file start with the first bit, logically break bits into groups, read the group’s value, and then do something such as displaying a character on the screen.

The presumption is that data begins with the first bit of the file. A suspect hiding data may have devised a program to begin to store data several bits from the beginning of the file. This is referred to as bit shifting. For example, data begins with the third bit from the beginning of the file rather than the first bit. Reading from the first bit is misleading and probably produces unreadable data.

The computer forensics investigator can use tools in the computer forensics workstation to designate the bit position to begin reading data. By shifting the bit location, the computer forensics investigator is able to locate the hidden data on the evidence drive. Figure 11.2 shows how shifting a bit one position changes the character from a percentage to capital J.

Figure 11.2: Shifting reading a bit to the right changes the value from a % to a J.

Bit Flipping

Another technique that may be used to mislead a computer forensics investigation is to change the bit setting. A bit is set to either 0 or 1. A program interprets the bit setting of each bit in the logical group as data, such as a character on the keyboard. The presumption is that the settings actually represent data.

However, reversing the setting of the bit—changing 0 to 1 and 1 to 0—hides the data. Here’s how this works. A program such as Word writes data to a file. The file is then changed by another program reversing the bit settings. Strange characters appear on the screen when Word reads the file. It appears this is not a Word file, or the file is corrupted and unreadable.

The same program that reversed the bit settings is used to reverse the bit settings again, restoring the file to its original bit value. Word can read the file and display the data as intended. The computer forensics investigator must consider that the bit flip technique was used if what seems to be readable data is unreadable. Figure 11.3 shows how flipping bits for the capital letter J results in a strange symbol when the flipped bits are displayed.

Figure 11.3: A program can change 0s to 1s and 1s to 0s; in either case, bit flipping results in incorrect data being displayed on the screen.
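The following added example (illustrative Python, not from the book) implements both techniques and their reversal: storing data a chosen number of bits into a file and reading it back from that bit position, inverting every bit, and a recover function that tries every bit offset with and without a flip and keeps the candidate that decodes to the most printable text. Reading the byte 25 hex (%) from one bit in yields 4A hex (J), the change shown in Figure 11.2, and flipping J gives B5 hex, a non-ASCII byte that displays as an odd symbol, as in Figure 11.3. The sample message is constructed for the example.

```python
"""Bit-shift and bit-flip hiding and their reversal (added example)."""
import string

PRINTABLE = set(string.printable.encode())


def to_bits(data):
    """Bytes as a string of '0'/'1' characters, most significant bit first."""
    return "".join(f"{b:08b}" for b in data)


def read_from_bit(data, bit_offset):
    """Read the data as bytes starting `bit_offset` bits into the stream,
    the way a tool that lets you choose the starting bit does. Trailing
    bits that do not fill a whole byte are dropped."""
    bits = to_bits(data)[bit_offset:]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))


def shift_store(data, bit_offset):
    """The hiding side: write data so that it begins `bit_offset` bits
    into the file by prepending that many zero bits and padding the tail."""
    bits = "0" * bit_offset + to_bits(data)
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def flip_bits(data):
    """Invert every bit (XOR with 0xFF); applying it twice restores the data."""
    return bytes(b ^ 0xFF for b in data)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; the score used below."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover(data):
    """Try every bit offset 0..7, with and without a flip, and return the
    combination whose output looks most like text."""
    best = None
    for flipped in (False, True):
        raw = flip_bits(data) if flipped else data
        for off in range(8):
            cand = read_from_bit(raw, off)
            score = printable_ratio(cand)
            if best is None or score > best[0]:
                best = (score, off, flipped, cand)
    return {"bit_offset": best[1], "flipped": best[2], "data": best[3]}


if __name__ == "__main__":
    print(read_from_bit(b"%\x00", 1))            # b'J', as in Figure 11.2
    print(flip_bits(b"J").hex())                  # 'b5', as in Figure 11.3
    secret = b"meeting at the pier at 9"          # constructed sample
    hidden = flip_bits(shift_store(secret, 3))    # shifted 3 bits, then flipped
    print(hidden[:8].hex(), "->", recover(hidden))
```

Scoring by printable ratio is a heuristic: it works for text but not for a hidden image or archive, where the investigator would instead try each offset and flip and look for a known file header at the start of the result.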

Live Data Acquisition

Data stored on an evidence drive is non-volatile: it remains when power is removed. However, data is also held in volatile storage such as random access memory (RAM), where it is lost once power is removed from the computing device. Therefore, the computer forensics investigator must perform a live acquisition of that evidence data, while the device is still running, without causing the data to be lost.

Live data acquisition is also used to minimize the effect encrypted evidence data has on the computer forensics investigation. Encryption is a technique used to transform data into an unreadable form; a decryption key is needed to turn it back into a readable form. A running program holds the decrypted data in memory while it works with it, and the decryption key itself is often in memory as well. Therefore, readable copies of otherwise encrypted data are usually found in memory, and acquiring live data from memory circumvents the encryption.

FTK Imager is a tool that can acquire live data from memory. It is critical that the evidence computing device remains under power. The tool is typically run on the evidence device itself from removable media, and the captured contents are written to external storage rather than to the evidence drive, so that the evidence drive is not modified. The result is a file holding a copy of the device's memory, referred to as a memory dump. The memory dump file can be opened on the forensics workstation using a variety of programs including the hex editor. The computer forensics investigator can scroll through the contents or use a search feature of the program to locate a specific character pattern. Running any tool on the live device changes some of the memory contents, so the investigator documents exactly what was run and when, so that those changes can be accounted for.
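Once a memory dump is on the workstation, the search usually starts with extracting readable strings. The following added example (illustrative Python, not FTK Imager's code and not from the book) scans a constructed dump for runs of printable text in both plain ASCII and UTF-16LE, the encoding Windows uses for most text in memory, which an ASCII-only search misses. The dump contents, including the password and URL it finds, are constructed for the example.

```python
"""Extracting ASCII and UTF-16LE strings from a memory dump (added example)."""
import re


def find_strings(dump, min_len=6):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, in 8-bit ASCII and in UTF-16LE (each character
    followed by a zero byte, as Windows stores most text in memory)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(dump)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(dump)]
    return sorted(found)


def search(dump, needle, min_len=6):
    """Strings that contain `needle`, with the offset where each was found."""
    return [s for s in find_strings(dump, min_len) if needle in s[2]]


def make_sample_dump():
    """Constructed sample: 4 KiB of non-printable filler with an ASCII
    credential at offset 100 and a UTF-16LE URL at offset 1000."""
    dump = bytearray(bytes(range(0x80, 0x100)) * 32)
    dump[100:130] = b"password=hunter2 for vault.db".ljust(30, b"\x00")
    url = "https://example.test/exfil".encode("utf-16le")
    dump[1000:1000 + len(url)] = url
    return bytes(dump)


if __name__ == "__main__":
    dump = make_sample_dump()
    for offset, enc, text in find_strings(dump):
        print(f"{offset:08x} {enc:9} {text}")
    print(search(dump, "exfil"))
```

A real dump also contains thousands of meaningless printable runs, so the investigator searches for known patterns (a suspect's name, a URL, a password prompt) and records the offset of each hit, exactly as is done for data on the evidence drive.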

Also critical to making a live acquisition is identifying all processes that were running when the live data was acquired. Programs running on a computer, including those that run in the background without the user knowing, are referred to as processes. Some processes are started by the operating system or by other applications. Others run clandestinely. Forensics workstation tools are available to copy the list of running processes, and that list gives the computer forensics investigator a glimpse of what was going on when the live data was acquired.

You can test this out yourself on a Windows PC. Here's how to do it.

  1. Press the Ctrl, Alt, and Delete keys simultaneously (or press Ctrl, Shift, and Esc to open Task Manager directly).
  2. Select Task Manager.
  3. Select the Processes tab to see a list of programs running on the computer (the Details tab shows every process with its process ID).

Remote Acquisition

Remote acquisition is the technique of capturing evidence data without physically being in possession of the evidence computing device. There are a number of techniques that can be used for this purpose. However, each requires the evidence computing device to be reachable from the computer forensics workstation over a network.

One remote acquisition technique is to access the evidence computing device using the device’s Internet Protocol (IP) address. The computer forensics investigator might be able to use the IP address to remotely log on to the evidence computing device. This is a common technique during investigations where the computing device is owned by the organization that authorized the investigation. The organization has the legal right to access its computing devices without notifying the user of the device. However, this technique is challenging to use if the target of the investigation owns the computing device, because the target must authorize access except when the courts grant access.

Another remote acquisition technique is to intercept data en route to the evidence computing device. Data is transmitted in the form of electronic envelopes called packets. Each packet carries the IP address of the sending and of the destination computing device. Packets travel from the sending computing device over a data network through a series of computing devices called routers and switches that direct the packet to the destination computing device. A network tap, a mirror (SPAN) port on a switch, or packet-capture software copies the packets addressed to the target computing device to the forensic workstation while the originals continue on to the target, so the target's traffic is recorded without being altered.

Remote acquisition of evidence data requires reliable network access. Any disruption in data acquisition might call into question the authenticity of all data acquired during that session. Remember that the computer forensics investigator must prove that acquired evidence data was not modified or corrupted in any way. Questionable evidence data is likely to be considered invalid and not admissible in the legal action.

Deleted Data

Data deleted from a computing device may not be removed from the device. On many computing devices, the user can place a file in the trash and then go into the trash and recover the file intact. The user can also empty the trash, presumably deleting the file from the computing device and making it unlikely that the user can retrieve the file.

Deleting a file from a computing device makes the space available to the operating system for newly saved data. The file's contents remain relatively intact until a new file is saved over them, at which time a piece or the whole of the file might be overwritten. Once every sector that held a piece of the file has been reused, the file can no longer be recovered.

A file is stored in pieces, each piece occupying one or more fixed-size portions of the disk called sectors (grouped into clusters or blocks by the file system). The file system keeps an index, such as the FAT cluster chain or the run list in the NTFS master file table, that records which sectors hold each piece and in what order. The operating system follows that index to retrieve each piece and reassemble the entire file. Deleting the file removes, or marks as free, the directory entry and the index entry; it does not touch the contents of the sectors.

Not all of those sectors are overwritten when a new file is saved to the device. Some sectors remain and contain pieces of the deleted file. Computer forensics workstations have tools that enable the computer forensics investigator to locate sectors containing a deleted file, either from leftover index entries or by scanning the drive for known file headers (a technique called carving), and then reassemble the file from the available sectors.

Anti-Forensics Tools

Anti-forensics tools are programs that make it difficult for the computer forensics investigator to retrieve and analyze evidence data. Anti-forensics tools enable users to store data in unsuspected areas of the device, leading the computer forensics investigator to presume no evidential data exists on the device.

A common technique is to change information in file headers. A file header is a piece of a file that tells the computing device the kind of file that is attached to the file header. Anti-forensics tools enable the user to change information in the file header in an attempt to mislead the computer forensics workstation into believing that the file does not contain evidence data.

Let’s say that the evidence drive is being searched for compromising videos. The computer forensics workstation searches the evidence drive for video files. The computer forensics workstation ignores the file extension since file extensions can easily be modified. Instead, file headers are examined. The file header contains data that identifies the file as a video file. However, an anti-forensics tool can be used to change the data, indicating that the file contains something other than a video.

Another technique used by anti-forensics tools is to store the evidence data in unlikely spaces on the evidence drive. A file is divided into pieces, each stored in a fixed-size sector (or cluster of sectors). Typically, the last piece of a file does not completely fill its last sector, and the unused remainder is referred to as slack space. The file system never reads slack space back as part of the file, so an anti-forensics tool can use it to store pieces of the evidence file, making it extremely challenging to recover the evidence file without knowing the location of the slack space.
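The following added example (illustrative Python, not from the book or any forensic suite) ties the last three points together on a constructed disk image: identifying a file's type from its header rather than its name, carving every JPEG out of the image by header and footer regardless of whether the file system still lists it (which is how a deleted file is recovered once its index entries are gone), and extracting the slack space behind an allocated file where a few bytes have been hidden. The signature table, the 512-byte sector size and the sample image are assumptions made for the example.

```python
"""File-type identification by header, carving, and slack space (added example)."""

SECTOR = 512  # assumed sector size

# Header and footer signatures of a few common types (footer None = unknown end).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
    "zip":  (b"PK\x03\x04", None),
}
EXT_ALIASES = {"jpg": "jpeg"}


def identify(data):
    """File type from its header bytes, ignoring the name or extension."""
    for name, (head, _foot) in SIGNATURES.items():
        if data.startswith(head):
            return name
    return "unknown"


def extension_mismatch(filename, data):
    """True when the extension claims one type and the header says another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    return kind != "unknown" and EXT_ALIASES.get(ext, ext) != kind


def carve(image, kind, max_len=10 * 1024 * 1024):
    """Find every file of `kind` by header/footer without using the file
    system: deleted files whose directory entries are gone are recovered
    this way from the sectors that still hold them."""
    head, foot = SIGNATURES[kind]
    out, pos = [], image.find(head)
    while pos != -1:
        if foot is None:
            end = min(pos + max_len, len(image))
        else:
            f = image.find(foot, pos + len(head), pos + max_len)
            end = f + len(foot) if f != -1 else -1
        if end != -1:
            out.append((pos, image[pos:end]))
        pos = image.find(head, pos + 1)
    return out


def slack(image, start_sector, file_size):
    """Bytes between the end of a file and the end of its last sector."""
    end = start_sector * SECTOR + file_size
    last_end = start_sector * SECTOR + -(-file_size // SECTOR) * SECTOR
    return image[end:last_end]


def make_sample_image():
    """Constructed sample: a file listed as 'photo.txt' that is really a
    JPEG stub at sector 1, a note hidden in its slack space, and a deleted
    JPEG at sector 4 that no directory entry points to."""
    image = bytearray(8 * SECTOR)
    fake = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"A" * 100 + b"\xff\xd9"
    image[SECTOR:SECTOR + len(fake)] = fake
    note = b"meet courier at dock 7"
    image[SECTOR + len(fake):SECTOR + len(fake) + len(note)] = note
    deleted = b"\xff\xd8\xff\xe1" + b"B" * 300 + b"\xff\xd9"
    image[4 * SECTOR:4 * SECTOR + len(deleted)] = deleted
    listing = {"photo.txt": (1, len(fake))}   # what the file system still lists
    return bytes(image), listing


if __name__ == "__main__":
    image, listing = make_sample_image()
    for name, (sector, size) in listing.items():
        data = image[sector * SECTOR:sector * SECTOR + size]
        print(name, "is really", identify(data),
              "- mismatch" if extension_mismatch(name, data) else "")
        print("slack:", slack(image, sector, size).rstrip(b"\x00"))
    for offset, blob in carve(image, "jpeg"):
        print(f"jpeg at offset {offset} ({len(blob)} bytes)")
```

Carving finds the deleted JPEG at sector 4 even though the listing has no entry for it, and the header check exposes the ".txt" file as a JPEG; the slack of that file, which no program would normally read, holds the hidden note.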

Although a computer forensics investigation tends to focus on evidence data files, the focus of the investigation can be searching for an executable file. An executable file contains instructions for the operating system to perform tasks. An executable file is commonly referred to as a program or an application.

Anti-forensics tools can hide an executable file from both the operating system and computer forensics workstations by either packing the executable file into an existing executable file using a tool called a packer or combining the executable file with an existing executable file using a tool called a binder. In both cases, only the existing executable file is recognized by the computer forensics workstation and the operating system.

Changing metadata that is associated with a file is another technique used to counter the computer forensics investigation. Metadata is data that describes data. The file name, file extension, date/time the file was changed, size of the file, and access rights to the file are metadata. Access rights designate if the file is read-only or can be changed.

An anti-forensics tool can be used to change the date/time when the file was changed, for example, which can misdirect a search or mislead an analysis of the data contained in the file. The computer forensics investigator may be looking for a file that was changed on a particular date/time. Changing the metadata timestamp on the file may not raise suspicion.

Still other anti-forensics tools monitor activity on the evidence drive for signs of a computer forensics investigation. Once detected, files are automatically deleted and the evidence drive is reformatted, making it nearly impossible to recover any files on the evidence drive. Even if files can be retrieved, the computer forensics investigator must prove the integrity of evidence data, knowing that the anti-forensics tool attempted to make the data unreadable.

Data encryption is the best way to hide data from a computer forensics investigation. The bits that comprise the data are scrambled using an encryption key and an encryption algorithm. Computer forensics investigators will find it challenging to decipher the encrypted file without the decryption key, which is one reason live acquisition of memory, where the key or the decrypted data may still be present, matters so much.

Cell Phones

A cell phone is a computing device that stores information similarly to other computing devices. Today, cells phones contain a variety of information that might be of interest to a computer forensics investigation, including text messages, images, contact lists, location history, emails, and purchasing and banking information.

Computer forensics workstations are capable of extracting information from a cell phone, often including information that the user deleted. Recovering data after the user has reset the phone to factory settings is much less likely on current phones, because they encrypt their storage and a factory reset discards the encryption keys, leaving the old data unreadable even where the flash cells still hold it. GPS location is usually of particular interest to computer forensics investigators because the data records the exact location of the cell phone at a particular date and time.

Data gathered from a cell phone is usually supported by data provided by the cell phone service provider, which records every cell phone activity in an electronic log. Each entry in the log uniquely identifies the cell phone and the cell tower that handled the transmission. A cell tower is a radio transceiver that has a specific reception area. The signals from cell phones are received by the cell tower and then forwarded over the provider's backhaul network to the cell phone service provider's technical center to complete the transmission.

Law enforcement officials with permission from the courts can track a cell phone live by monitoring activities of a specific cell phone tower. Even without knowing the cell phone’s GPS position, transmissions can be monitored by cell phone towers and can be used to find the relative position of the cell phone.
