Computer Forensic Extraction

The Forensics Process

There are a number of digital forensic frameworks in use by private companies and law enforecement agencies. The one discussed here is one of the simplest. All the other are variations on this theme, making sub-divsions of certain steps to create additional stages or looping around to emphasise the iterative nature of some steps i.e Evidence assessment may reveal evidence which in turn exposes new evidence which may trigger further evidence assessment.

Notice that each step has been created in line with a specified principle. These ‘principles’ are in line with the principles used to support the gathering, examination, documentation and reporting on digital evidence

1. Policy & Procedure Development

Principle

Computer forensics requires specially trained personnel in sound digital evidence recovery techniques.

As the primary aim of any digital forensics investigation, is to allow others to follow the same procedures and steps and still end with same result and conclusions, considerable effort must be spent on developing policies and standard operating procedures (SOP) in how to deal with each step and phase of the investigation.

2. Evidence Assessment

Principle

All sources of possible digital evidence should be thoroughly assessed with respect to the scope of the case. This will help establish the size of the investigation and determine the next steps.

Special attention should be given to reviewing the scope of search warrant(s) and other other legal authorisations to establish the nature of hardware and software to be sezied, other potential evidence sought together with the circumstances surrounding the acquisition of the evidence to be examined.

3. Evidence Acquisition

Principle

Digital evidence is fragile and can be easily altered, damaged, or destroyed by improper handling or examination. Even the act of opening files can alter timestamp information destroying information on when the file was last accessed. So special precuations are needed to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.

######

Other Considerations:

Do other forensic processes need to be performed on the evidence e.g. DNA analysis, fingerprinting etc.
Decide if other avenues of avenuses of investigation need to be pursued e.g sending a preservation orderto an Internet service provider (ISP), identifying remote storage locations, obtaining e-mail
Establish the nature of potential evidence being sought (e.g., photographs, spreadsheets, documents, databases, financial records
Decide whether if additional information regarding the case is required (e.g., aliases, e-mail accounts, e-mail addresses, ISP used, names, network configuration and users, system logs, passwords, user names). This information may be obtained through interviews with the system administrator, users, and employees.
Other non-computer equipment that might be used in forgery or fraud cases, such as laminators, credit card blanks, check paper, scanners, and printers. In child pornography cases consider digital cameras.
The skill level of those involved. Skilled users may used advanced techniques to conceal or destroy evidence (e.g., encryption, booby traps, steganography).

Special Considerations

Fully document the hardware and software configuration of the examiner system as well as the digital devices being examined. This includes boot settings, the exact hardware configurations, log on passwords etc
Verify that the hardware and software of the examiner’s system is working properly so as to be sure that anything found by the examiner is not due to mis-configuration of the examiner’s equipment.
Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
Identify and obtain storage devices required to ‘image’– make an exact copy -the original data, so that forensic examination can be conducted on a copy rather than the original.

######

4. Evidence Examination

Principle

The same general forensic principles apply when examining digital evidence as they do to any other crime scene. However, different types of cases and media may require different methods of examination. Only trained personnel should conduct an examination of digital evidence.

It is important to make a distinction.:-

Extractionrefers to the recovery of data from whatever media the data is stored on.
Analysisrefers to the interpretation of the recovered data and placement of it in a logical and useful format, answering such questions as how did it get there, where did it come from, and what does it mean?

Separating the forensic examination this helps the examiner in developing procedures and structuring the examination and presentation of the digital evidence.

Step 1 Preparation

Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted. These should be checked to make sure they are ‘forensically clean’ so that investigators can be sure any evidence belongs to case being investigated, rather than leftover from other cases.

Step 2 Extraction

This is the actual process of extracting the data from digital devices. There are two different types of extraction, physical and logical.

Physical extractionphase: identifies and recovers data across the entire physical drive without regard to file system.
Logical extractionphase: identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s).

Physical Extraction

Data is extracted at the physical level without regard to any file systems present on the drive. Essentially, any image is made and then subjected to the following methods: keyword searching, file carving, and extraction of the partition table and unused space on the physical drive.

Keyword searching: Performing a keyword search across the physical drive can be useful as it allows the examiner to discover & extract data that may not be accounted for by the operating system and file system.
File Carving: Using file utility programs to scan the physical drive and help recover and extract useable files and data that may not be accounted for by the operating system and file system.
Looking at the Partition Table: The partition structure will help identify the file systems present and determine if the entire physical size of the hard drive is accounted for. (i.e If there is a 1Tb hardisk present, but partion table only shows 900Gb then where is the missing 100Gb?)

Logical Extraction

Data is from the drive is based on the file system(s) present on the drive. This will involve an examination of active files, recovering deleted files, looking at file slack (i.e unusual space between files) and unallocated file space: May contain remnants of deleted files not found during the recovery process. Steps may include:

Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location.
Data reduction to identify and eliminate known files through the comparison of calcu-lated hash values to authenticated hash values.
Extraction of files pertinent to the examination. Methods to accomplish this may be based on file name and extension, file header, file content, and location on the drive.
Recovery of deleted files.
Extraction of password-protected, encrypted, and compressed data.
Extraction of file slack and unallocated space

Step 3 Analysis

Analysis is the process of interpreting the extracted data to determine their significance to the case. Various analytical methods exist, examples of which include:-

Timeframe,
Data hiding,
Application and file,
Ownership and possession.

Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investiga-tive leads, and/or analytical leads.

#####

Timeframe Analysis

Timeframe Analysis is useful in determining a sequence of events on digital systems which can be used a part of associating usage of the computer to an individual(s) at the time the events occurred. Two principal methods used are:

Examining the time and date stamps contained in the file system metadata (e.g. last modified, last accessed, created, change of status) to link files of interest to the time-frames relevant to the investigation. An example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed.
Reviewing system and application logs that may be present for example error logs, installation logs, connection logs, security logs, etc. for example, security logs may indicate when a user name/password combination was used to log into a system.

File time stamps have to be compared to the time values contained in the BIOS, not just that returned by the operating system which can be easily altered by the user.

Data Hiding

Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent. Methods used to reveal possible hidden data include

Comparing file headers to the corresponding file extensions to identify any mismatches i.e. the file extension doesn’t match the application supposed to have used to create. Mismatches may indicate that the user intentionally hid data.
Steganography: Hiding secret messages or data within ordinary messages or data within ordinary messages or pictures.
Gaining access to a host protected area (HPA) – a separate password protected area. The presence of user-created data in an HPA may indicate an attempt to conceal data.

Application & File Analysis

Many programs used by the owner and files created by them, can provide insight into the capability both of the system and the knowledge of the user. Results of this analysis may indicate additional steps that need to be taken in the extraction and analysis processes. Examples include:

Reviewing file names for relevance, naming conventions and patterns
Identifying the number and type of operating systems
Examining the user’s default storage locations for applications and the file structure of the drive to determine if files have been stored in their default or an alternate location
Looking at the file contents
Examining user configuration settings
Correlating the files to the installed applications, to discover whether there are missing applications, applications without files.
Reviewing relationships between files. For example, correlating internet history to cache files and e-mail files to email attachments.

Ownership and Possession

In most cases it is essential to identify the individuals who created, modified, or accessed a file. It is also important to establish ownership and that they knew they possessed the questioned data.

The other methods of analysis can help establish ‘knowledgeable possession’. Other evidence can be gained from:

Fixing the subject at a computer and particular time and dates discovered from timeframe analysis can help establish ownership
File names and naming conventions discovered in application and file analysis may be of value.
If application and file analysis show files are stored in user created folder rather than default folders can indicate ‘planned action’.
Hidden data revealed in hidden data analysis can indicate deliberate attempts to avoid detection and conceal activities.
Passwords discovered in hidden data analysis to access to encrypted or password protected files may show possession or ownership.
Finally, the contents of files from application and file analysis can indicate ownership if they refer to specific users.

#####

Step 4 Conclusion

Single pieces of evidence from one source will probably be insufficient to reach a definite conclusion. Conclusions have to be based on all evidence in the round, including the associations between each part of the evidence.

5. Documentation & Reporting

Principle

The investigator must document completely and accurately their each step in thier investigation from the start to the end. The aim is to allow others following the steps outlined in the documentation to reproduce the investigation and reach the same conclusions.

#####

Investigator’s Notes

Notes taken in the investigation must be ‘contemporaneous’ i.e. made at the same time as the investigation proceeds. The notes are used as the basis for the report. notes should include:

Notes taken with the case investigator, together with the initial request for assistance and a copy of the search warrant.
Notes of what happened when and why to allow others to reproduce the investigation
Any irregularities discovered in the course of the investivation and how they were treated.
Additional information regarding network connections, authorised users, passwords and user agreements found.
Notes on the digital devices themselves with regards hardware and any software installed.
Other information on remote storage, remotes user access and any offsite backups taken.

Investigator’s Report

This is the report given to the investigator who taking into account the findings will decide on what happens next. Forming the basis for use in possible legal proceedings, the report is formal in tone. With a definite structure defined by departmental policy and procedures. It should though include:

Identity of the reporting agency (i.e. the organisation that is submitting the report).
Essential information, such as the case numbe, the case investigator and the name of the person writing the report.
Date of receipt of the investigation request and the date when the report was written.
A detailed list of all items submitted along with the request
Description of steps and tools used in the analysis and how erased files were recovered.
Name of the investigator together results and conclusions.

Investigator’s Findings

The findings are based on what is described in the report. these are what should be found, if someone else reproduce the investigation and may include:

Specific files related to the initial request.
All other files, including any deleted files found that support the findings.
Internet-related evidence, such as web site traffic analysis, chat logs, cache files, e-mail, and news group activity.
Results of string searches, keyword searches, and test string searches.
Results from data analysis and graphic image analysis.
Techniques used to hide or mask data, e.g. encryption, steganography, hidden attributes, hidden partitions, and file name anomalies.

#####

This article is based on the ARTICLE published HERE.