PRESERVING AND RECOVERING DIGITAL EVIDENCE

Upload: patelakash04

Post on 14-Jan-2017


Page 1: Preserving and recovering digital evidence

PRESERVING AND RECOVERING DIGITAL EVIDENCE

Page 2: Preserving and recovering digital evidence

FILE SYSTEMS

• NTFS (New Technology File System) is a proprietary file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It offers improved support for metadata and uses advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions such as security.

• FAT: File Allocation Table (FAT) is a computer file system architecture and a family of industry-standard file systems utilizing it. The FAT file system is a legacy file system which is simple and robust. It offers good performance even in light-weight implementations, but cannot deliver the same performance, reliability and scalability as some modern file systems.

Page 3: Preserving and recovering digital evidence

FORENSIC ANALYSIS OF FILE SYSTEMS

• Digital investigations: A digital investigation is a process where we develop and test hypotheses that answer questions about digital events. This is done using the scientific method: we develop a hypothesis using the evidence that we find and then test the hypothesis by looking for additional evidence that shows the hypothesis is impossible.

• Digital evidence: a digital object that contains reliable information that supports or refutes a hypothesis; e.g., the port number through which an intrusion was carried out is evidence.

Page 4: Preserving and recovering digital evidence

DIGITAL CRIME SCENE INVESTIGATION PROCESS

In this case, we have a digital crime scene that includes the digital environment created by software and hardware. The process has three major phases, which are system preservation, evidence searching, and event reconstruction.

Page 5: Preserving and recovering digital evidence

SYSTEM PRESERVATION PHASE

• We try to preserve the state of the digital crime scene. The actions that are taken in this phase vary depending on the legal, business, or operational requirements of the investigation. For example, legal requirements may cause you to unplug the system and make a full copy of all data.

• The purpose of this phase is to reduce the amount of evidence that may be overwritten. This process continues after data has been acquired from the system because we need to preserve the data for future analysis.

Page 6: Preserving and recovering digital evidence

EVIDENCE SEARCHING PHASE

• The theory behind the searching process is fairly simple. We define the general characteristics of the object for which we are searching and then look for that object in a collection of data. For example, if we want all files with the JPG extension, we will look at each file name and identify the ones that end with the characters ".JPG".

• Most searching for evidence is done in a file system and inside files. A common search technique is to search for files based on their names or patterns in their names. Another common search technique is to search for files based on a keyword in their content.
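The two search techniques on this slide, name-based and keyword-based, as an added example (not from the slides) over a constructed directory tree. It also goes one step further than the slide: a name search for ".JPG" must be case-insensitive, and it misses a JPEG that has been renamed, so the third function compares each file's extension against its header bytes. The sample files, names and keyword are all constructed for the demonstration.

```python
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"  # header bytes shared by every JPEG file


def find_by_name(root, suffix=".jpg"):
    """Name-based search, case-insensitive so .JPG and .jpg both match."""
    return sorted(p.name for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower().endswith(suffix))


def find_by_keyword(root, keyword: bytes):
    """Content-based search: files whose bytes contain the keyword, whatever their name."""
    return sorted(p.name for p in Path(root).rglob("*")
                  if p.is_file() and keyword in p.read_bytes())


def find_signature_mismatch(root, suffix=".jpg", magic=JPEG_MAGIC):
    """Files whose extension and header disagree: a .jpg that is not a JPEG, or a JPEG
    hiding under another name. A name search alone never finds the second kind."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as f:
                is_jpeg = f.read(len(magic)) == magic  # read only the header
            if is_jpeg != p.name.lower().endswith(suffix):
                hits.append(p.name)
    return sorted(hits)


def build_sample(root=None):
    """Constructed sample tree (not real evidence): two JPEGs, one renamed, plus text files."""
    root = Path(root or tempfile.mkdtemp())
    (root / "docs").mkdir(exist_ok=True)
    (root / "photo.JPG").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 32)  # upper-case extension
    (root / "docs" / "notes.txt").write_bytes(b"meeting with vendor, invoice 4711")
    (root / "docs" / "invoice.txt").write_bytes(b"invoice 4711 paid")  # keyword in content
    (root / "docs" / "report.doc").write_bytes(JPEG_MAGIC + b"\xe1" + b"\x00" * 32)  # renamed JPEG
    (root / "empty.jpg").write_bytes(b"not really a picture")  # .jpg name, non-JPEG content
    return root


if __name__ == "__main__":
    sample = build_sample()
    print("by name:", find_by_name(sample))
    print("by keyword:", find_by_keyword(sample, b"invoice"))
    print("extension/header mismatch:", find_signature_mismatch(sample))
```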

Page 7: Preserving and recovering digital evidence

EVENT RECONSTRUCTION PHASE

• The last phase of the investigation is to use the evidence that we found and determine what events occurred in the system.

• Event reconstruction requires knowledge about the applications and the OS that are installed on the system so that you can create hypotheses based on their capabilities. For example, different events can occur in Windows 95 than Windows XP, and different versions of the Mozilla Web browser can cause different events.

Page 8: Preserving and recovering digital evidence

STORAGE FUNDAMENTALS

Storage layers, from the lowest to the highest: Physical, Data classification, Allocation units, Storage space management, Information classification, Application-level storage

Page 9: Preserving and recovering digital evidence

PHYSICAL LAYER

• The lowest level of file storage is the physical layer, which is always present, regardless of the operating systems or file systems that are on the hard drive.

• The machine will read and write to the hard drive in blocks (sectors). Most operating systems that you will run across will read and write in 512-byte chunks.

Page 10: Preserving and recovering digital evidence

THE DATA CLASSIFICATION LAYER

• Just above the physical layer lies the partitioning scheme set up by the operating system. This scheme allows the user to segregate information in the interest of security (operating system on its own partition), file system optimization (smaller partitions may speed file system access), or just plain organization (keeping work and music archives separate, for example).

• On Unix installations created on servers (web servers or email servers), different types of data are kept in separate partitions. This allows the operating system to run reliably, regardless of how quickly the mail spool or log files are filled by traffic.

Page 11: Preserving and recovering digital evidence

THE ALLOCATION UNITS LAYER

• The next level of file system storage refers to the blocking, or the allocation method, used by the operating system.

• The size of each allocation unit depends on three variables: the type of file system, the size of the partition, and the knowledge of the system administrator.

• Each file system defines its own scheme for laying out data on the storage medium.

• Most use a block size that is optimized for the size of the partition. Table 10-3 shows the most common sizes for allocation units. The FAT standards migrated from inefficient static values (4KB per block) to a sliding scale. Developers have attempted to strike a balance between a large number of small blocks, a scheme that uses space more efficiently, and a smaller number of large blocks, where the file system may be faster during search and transfer operations.

Page 12: Preserving and recovering digital evidence
Page 13: Preserving and recovering digital evidence

THE STORAGE SPACE MANAGEMENT LAYER

• This layer manages the thousands of allocation units present on a file system, where the allocation unit is the smallest addressable chunk of data that the operating system can handle.

• Think of this as a map that shows you which parking spots are occupied in a huge garage. On FAT file systems, there are two of these maps, and they are kept in sync by the operating system.

• Other file systems will split a partition into sections and will maintain a single mapping table for each section.
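The allocation-unit slide says the cluster size comes from the file system type, and the storage-space-management slide says FAT keeps two copies of its allocation map that the operating system keeps in sync. This added example (not from the slides) reads both facts from a constructed FAT12 boot sector: it computes the allocation unit from the BIOS Parameter Block fields (the standard offsets 11, 13, 14, 16 and 22), locates the FAT copies that follow the reserved sectors, and reports any bytes where the copies disagree, which an examiner treats as a sign of corruption or tampering. The `build_image` sample image and the `fat2_patch` knob are constructed for the demonstration.

```python
import struct

SECTOR = 512  # the 512-byte sector size named on the physical-layer slide


def parse_bpb(image: bytes) -> dict:
    """Read the BIOS Parameter Block fields that define FAT allocation units."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    # offsets 11..16: bytes/sector, sectors/cluster, reserved sectors, number of FATs
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", image, 11)
    spf = struct.unpack_from("<H", image, 22)[0]  # sectors per FAT (FAT12/16 field)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "num_fats": nfats,
            "sectors_per_fat": spf, "cluster_bytes": bps * spc}


def fat_copies(image: bytes, bpb: dict) -> list:
    """The FAT copies follow the reserved sectors, one directly after another."""
    fat_len = bpb["sectors_per_fat"] * bpb["bytes_per_sector"]
    start = bpb["reserved_sectors"] * bpb["bytes_per_sector"]
    return [image[start + i * fat_len:start + (i + 1) * fat_len]
            for i in range(bpb["num_fats"])]


def fat_mismatch_offsets(image: bytes) -> list:
    """Byte offsets within the FAT where the copies disagree; [] means they are in sync."""
    copies = fat_copies(image, parse_bpb(image))
    first = copies[0]
    return sorted({i for other in copies[1:]
                   for i in range(len(first)) if first[i] != other[i]})


def build_image(fat2_patch=None) -> bytes:
    """Constructed sample: boot sector + two one-sector FAT12 tables, no data area.
    fat2_patch=(offset, value) overwrites one byte of the second copy only."""
    boot = bytearray(SECTOR)
    struct.pack_into("<HBHB", boot, 11, SECTOR, 4, 1, 2)  # 4 sectors/cluster, 1 reserved, 2 FATs
    struct.pack_into("<H", boot, 22, 1)                   # 1 sector per FAT
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xf8\xff\xff"  # media descriptor and reserved entries 0 and 1
    fat[3:6] = b"\xff\xff\xff"  # clusters 2 and 3 allocated (end-of-chain markers)
    fat2 = bytearray(fat)
    if fat2_patch:
        fat2[fat2_patch[0]] = fat2_patch[1]
    return bytes(boot + fat + fat2)


if __name__ == "__main__":
    bpb = parse_bpb(build_image())
    print(f"allocation unit = {bpb['cluster_bytes']} bytes, FAT copies = {bpb['num_fats']}")
    print("mismatched FAT bytes:", fat_mismatch_offsets(build_image((5, 0x00))))
```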

Page 14: Preserving and recovering digital evidence

THE INFORMATION CLASSIFICATION AND APPLICATION-LEVEL STORAGE LAYERS

• The top two layers of the file system storage model consist of directories and files.

• These are the levels that are familiar to most users. These layers are defined by the operating system in use on that partition. Several types of files are significant to a forensic investigation:

• Operating system and utility files

• Operating system configuration files

• Application and support files

• Application configuration files

• User data files

Page 15: Preserving and recovering digital evidence

HARD DRIVES EVIDENCE HANDLING

• Photograph the computer and scene.

• If the computer is off, do not turn it on.

• If the computer is on, photograph the screen.

• Collect live data: start with a RAM image (Live Response locally or remotely via F-Response) and then collect other live data "as required", such as network connection state, logged-on users, currently executing processes, etc.

• If hard disk encryption is detected (using a tool like Zero-View), such as full disk encryption (e.g. PGP Disk), collect a "logical image" of the hard disk using dd.exe or Helix, locally or remotely via F-Response.

Page 16: Preserving and recovering digital evidence

• Unplug the power cord from the back of the tower. If the computer is a laptop and does not shut down when the cord is removed, then remove the battery.

• Diagram and label all cords.

• Document all device model numbers and serial numbers.

• Disconnect all cords and devices.

• Check for an HPA (Host Protected Area), then image hard drives using a write blocker, Helix or a hardware imager.

Page 17: Preserving and recovering digital evidence

• Package all components (using anti-static evidence bags).

• Seize all additional storage media (create respective images and place original devices in anti-static evidence bags).

• Keep all media away from magnets, radio transmitters and other potentially damaging elements. Collect instruction manuals, documentation and notes.

• Document all steps used in the procedure.
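The imaging and documentation steps above ("image hard drives", "create respective images", "document all steps"), as an added example that is not from the slides or from any of the tools they name. It copies a source sector by sector, zero-fills and records any sector that cannot be read (the behaviour of dd's conv=noerror,sync, so later sectors keep their offsets), hashes the data as it is acquired, re-hashes the finished image to verify it, and appends an entry to an evidence log. The "drive" is a constructed 8-sector byte string with one simulated bad sector, and EV-0001 is a placeholder evidence tag.

```python
import datetime, hashlib, json, tempfile
from pathlib import Path

SECTOR = 512  # the 512-byte sector size named on the physical-layer slide

def image_sectors(read_sector, total_sectors, dest, sector=SECTOR):
    """Copy sector by sector; read_sector(i) returns one sector or raises OSError.
    An unreadable sector is zero-filled and recorded, so the rest of the image stays aligned."""
    digest, bad = hashlib.sha256(), []
    with open(dest, "wb") as out:
        for i in range(total_sectors):
            try:
                chunk = read_sector(i)
            except OSError:
                bad.append(i)
                chunk = b"\x00" * sector
            out.write(chunk)
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "sectors": total_sectors, "bad_sectors": bad}

def verify_image(dest, expected_sha256):
    """Re-hash the written image; acquisition and verification hashes must match."""
    h = hashlib.sha256()
    with open(dest, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256

def append_log(log_path, evidence_id, action, details):
    """Append one JSON line (evidence tag, action, UTC time, details) to the evidence log."""
    entry = {"evidence_id": evidence_id, "action": action,
             "time": datetime.datetime.now(datetime.timezone.utc).isoformat(), **details}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def demo(workdir=None):
    """Constructed 8-sector 'drive' whose sector 5 is unreadable; EV-0001 is a placeholder tag."""
    workdir = Path(workdir or tempfile.mkdtemp())
    device = bytes(range(256)) * 16  # 4096 bytes = 8 sectors of constructed data
    def read_sector(i):
        if i == 5:
            raise OSError("simulated unreadable sector")
        return device[i * SECTOR:(i + 1) * SECTOR]
    image = workdir / "EV-0001.dd"
    result = image_sectors(read_sector, len(device) // SECTOR, image)
    result["verified"] = verify_image(image, result["sha256"])
    result["image_size"] = image.stat().st_size
    append_log(workdir / "evidence.log", "EV-0001", "acquire", result)
    return result
```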

Page 18: Preserving and recovering digital evidence

CHALLENGES IN EVIDENCE HANDLING

• Digital evidence is information found on a wide range of electronic devices that is useful in court because of its probative value. It's like the digital equivalent of a fingerprint or a muddy boot.

• However, digital evidence tendered in court often fails to meet the same high standards expected of more established forensics practices, particularly in ensuring the evidence is what it purports to be.

Page 19: Preserving and recovering digital evidence

TECHNOLOGY CHANGES EVIDENCE

• This is not the first time that technology has impacted the way evidence is gathered and presented in courts. And it's not the first time that there have been problems in the way new evidence is used.

• The special properties and technical complexity of digital evidence often makes it even more challenging, as courts find it difficult to understand the true nature and value of that evidence.

Page 20: Preserving and recovering digital evidence

CYBER EVIDENCE

• It is increasingly common for criminal trials to rely on digital evidence. And, regrettably, it is not uncommon for innocents to be convicted and guilty people acquitted because of digital evidence.

• The evidence might be compelling at first glance, but it could be misleading. The defendant may also have limited financial resources to rebut the evidence. The defence lawyers might also misread the evidence.

• Forensic analyses and evidence presentations are sometimes confounded by inexperienced investigators and communicators, which is further exacerbated by faulty case.

Page 21: Preserving and recovering digital evidence

GETTING IT RIGHT

• Digital forensics is still in its infancy, and it is more of an art form lacking broad scientific standards to support its use as evidence.

• There is a need for new tools and processes capable of locating and recovering sufficient evidence from larger data sets quickly, efficiently and thoroughly. Forensic tools are often commercial products, thus profit-driven rather than science-based, and do not fulfil real forensic needs.

• "There is nothing more deceptive than an obvious fact." –Sherlock Holmes. This also applies to digital forensics, where forensic researchers have too often encountered cases of investigator bias and a laziness when seeking the truth.

Page 22: Preserving and recovering digital evidence

EVIDENCE HANDLING PROCEDURE

• Before examining the contents of a hard drive, record information about the computer system.

• Take digital photographs of the system and the media that is being duplicated.

• Fill out an evidence tag for the original media and for the forensic duplicate.

• Label all media appropriately with an evidence label.

• Store the best evidence copy in the evidence locker.

Page 23: Preserving and recovering digital evidence

• An evidence custodian enters a record of the best evidence into the evidence log. Each access to the best evidence is also entered into the log.

• All examinations are performed on a forensic copy of the best evidence, the working copy, never on the best evidence itself.

• An evidence custodian ensures that backup copies of the best evidence are created.

• An evidence custodian ensures that all disposition dates are met. The dates are assigned by the principal investigator.

• An evidence custodian performs a monthly audit to ensure all of the best evidence is present, properly stored, and labelled.