
NICA Tool: Extract and Correlate Evidences in Computer Forensics by Alicia Castro B.S. Computer Engineering, University of Louisville, 2003

A Thesis Submitted to the Faculty of Graduate School of the University of Colorado at Colorado Springs In partial fulfillment of the Requirements for the Degree of Master of Engineering in Software Engineering Department of Computer Science 2010


Copyright by Alicia Castro 2010 All rights Reserved


This thesis for the Master of Engineering degree by Alicia Castro has been approved for the Department of Computer Science

by:

Dr. Edward Chow (Advisor)

Dr. Jugal Kalita

Dr. Xiaobo Zhou

_______________ Date

NICA Tool: Extract and Correlate Evidences in Computer Forensics
by Alicia Castro
(Master of Engineering, Software Engineering)
Thesis directed by Professor C. Edward Chow

Abstract

Computer forensics is a fast growing field. The technology is advancing faster than some U.S. laws can keep up with. Probable cause, search warrants, and focus of search when dealing with computers, software, and Web content have been compared to traditional searches. Since computers contain so much information, it is possible to uncover incriminating information that cannot be used due to the limits of search warrants. The motivation behind the search and seizure laws will be examined in relation to the computer forensic field. This thesis examines the close relationship between the Constitution and other important laws about search and seizure of computers and digital evidence. It is very important to understand the connection between the legality of the act of obtaining the evidence and proving that a crime was committed.

This thesis also developed a new forensic tool named NICA Forensic Tool that will help the investigator gather more detailed information about sites visited, with date and time stamps. Also, if there is any doubt whether the user logged into the computer, or was the one who downloaded or visited those sites, the tool will search for other login activities from programs like Skype, Outlook and Instant Messenger. The tool helps reduce the doubt about whether there was an intention to commit a crime and simplifies the tedious data collection and processing.

This thesis is dedicated to my husband Dean and my children: Christina, Richard and Christopher.


Acknowledgements

I would like to express my appreciation to my advisor Dr. Edward Chow for his constant support and guidance. Special thanks to my advisory committee: Dr. Xiaobo Zhou and Dr. Jugal Kalita. My gratitude also goes to Patricia Rea, who helped me keep track of my time and all the paperwork needed in order to graduate on time. Special thanks to Dean, Marlon and Rebecca, who helped me edit this thesis. The most special thanks go to my best partner and friend, my husband Dean, who helped and supported me through all of this long process.


TABLE OF CONTENTS

Table of Figures ... x
Chapter 1 Forensics Legal Issues Overview ... 1
1.1 Introduction ... 1
1.2 Related Work ... 3
1.3 Search and Seizure ... 4
1.4 Electronic Communications Privacy Act (ECPA) ... 8
1.5 Wiretap Statute ... 16
1.6 Pen/Trap Statute ... 19
1.7 USA PATRIOT ACT ... 20
1.8 Colorado House Bill Amendment ... 23
1.9 Roles of Computer Forensic ... 24
1.10 Computer Forensic Investigation ... 27
Chapter 2 Related Work ... 31
2.1 Forensic Tool Requirements ... 31
2.1.1 Basic Customer Requirements ... 31
2.1.2 Purpose ... 32
2.2 Project Scope ... 32
2.3 Software System Perspective ... 33
2.3.1 Operating Environment ... 33
Chapter 3 Designing of the NICA Computer Forensic Tool ... 34
3.1 Objectives of the Computer Forensic Tool Design ... 34
3.2 Design of the Forensic Tool ... 35
3.3 Brief Introduction to the Essential Registry Key Information ... 35
3.4 Understanding the Actors ... 37
3.4.1 User Profile ... 37
3.4.2 Internet Explorer ... 42
3.4.3 Mozilla Firefox ... 51
3.4.4 Google Chrome ... 53
3.4.5 Skype ... 54
3.4.6 Outlook ... 56
3.4.7 Instant Messenger ... 57
3.5 Understanding the Data Flow ... 61
Chapter 4 External Tools used with NICA Forensic Tool ... 64
4.1 Internet Explorer Cache View (IECacheView) ... 65
4.2 Internet Explorer History Viewer (IEHistoryView) ... 66
4.3 MozillaCacheView ... 68
4.4 ChromeCacheView ... 70
4.5 SQLite ... 71
4.6 Microsoft Log Parser ... 72
4.7 Outlook Redemption ... 75
Chapter 5 Cracking a Criminal Case Using the NICA Forensic Tool ... 77
5.1 Criminal Case Statement ... 77
5.2 Computer Forensics Analysis ... 78
5.3 Finding Evidence ... 79
5.4 Analysis of Evidence Found ... 87
5.5 Evidence Math ... 88
5.6 Relevant Evidence ... 91
Chapter 6 NICA Forensic Tool Analysis ... 92
6.1 Functionality Analysis ... 92
6.2 Performance Analysis ... 93
6.3 Usage Evaluation ... 93
Chapter 7 Lessons Learned ... 98
Chapter 8 Future Directions ... 99
Chapter 9 Conclusions ... 100
References ... 103
Appendix A US Criminal Code 2705 ... 108
Appendix B Users Manual ... 113
Product ... 113
Scope/Purpose ... 113
Users Data Flow ... 114
Conventions ... 114
Installing the software ... 115
System Requirements (General) ... 115
Information/resources required in the process of installation ... 116
Deploying the Forensic Tool ... 116
NICA Forensic Tool GUI ... 116

Table of Figures

Figure 1. Registry key for users (SID). ... 42
Figure 2. Internet Explorer location of the cookies files. ... 44
Figure 3. IE location of the History file containing web site information. ... 45
Figure 4. IE location of the Internet Files containing web sites info and index.dat files. ... 46
Figure 5. IE TypedURL information location. ... 47
Figure 6. Index.dat file header. ... 49
Figure 7. Index.dat file size. ... 49
Figure 8. Location of the hash table. ... 50
Figure 9. Beginning of the hash table. ... 50
Figure 10. Files downloaded from the web. ... 50
Figure 11. Mozilla Firefox profiles information. ... 52
Figure 12. Google Chrome files location. ... 54
Figure 13. Instant Messenger Menu default settings. ... 58
Figure 14. Windows Live Messenger keys location. ... 59
Figure 15. Data Flow Diagram. ... 61
Figure 16. IE History file content. ... 66
Figure 17. Google Chrome SQLite Database Structure. ... 69
Figure 18. Location of Mozilla Firefox Cache files. ... 69
Figure 19. Location of Google Chrome Cache files. ... 70
Figure 20. Log Parser architecture diagram. ... 72
Figure 21. Log parser output to the console. ... 74
Figure 22. Log parser output to a data grid. ... 75
Figure 23. Enter New Case Information. ... 80
Figure 24. Run parser to get activity entries. ... 80
Figure 25. User profile and timeline for activities. ... 81
Figure 26. Mark items that seem suspicious. ... 81
Figure 27. Enter the preferred time frame between activities. ... 82
Figure 28. View the suspicious activities and surrounding activities that were marked. ... 83
Figure 29. Right click to get details of Outlook activities selected. ... 84
Figure 30. Mark items by pattern on the Outlook grid. ... 85
Figure 31. Search evidence between two Outlook users. ... 85
Figure 32. Report displayed activities that comply with the pattern selected. ... 86
Figure 33. Select and mark activities by defined keywords. ... 86
Figure 34. Display the amount of activities found. ... 87
Figure 35. Histogram analyzing the data from fig. 28. ... 89

Chapter 1 Forensics Legal Issues Overview

In order to better understand computer forensics legal issues, one needs to understand the fundamentals of search and seizure laws, the Electronic Communications Privacy Act, the Wiretap Statute, the Pen/Trap Statute and the PATRIOT Act. Computer forensics specialists and investigators need to apply these laws to their daily investigative work. There is a strong relationship between the legal issues related to forensics and the use of forensic tools. Evidence must be collected in a way that is legally admissible in a court case.

1.1 Introduction

For years the police have entered homes and offices, hauled away filing cabinets full of records, and searched them back at the police station for evidence. In Fourth Amendment terms, these actions are entry, seizure, and search, respectively, and usually require the police to obtain a warrant. Modern-day police can avoid some of these messy steps with the help of technology: they have tools that duplicate stored records and collect evidence of behavior, all from a distance and without the need for physical entry. These tools generate huge amounts of data that may be searched immediately or stored indefinitely for later analysis. Meanwhile, it is unclear whether the Fourth Amendment's restrictions apply to these technologies: are the acts of duplication and collection themselves seizure? Before the data is analyzed, has a search occurred? Today, tools can detect heat released from buildings, recreate images displayed on distant computer monitors, determine what is typed on a keyboard by listening to the distinct sounds of the key presses, and eavesdrop on Wi-Fi Internet communications traveling through the air. Handheld GPS units can monitor and store our movements around town, and web browsers keep detailed records of the websites we have visited. Tomorrow will surely bring new tools that are more invasive, easier to use, and able to work from greater distances (Ohm, 2005).

Computer forensics is a relatively new discipline to the courts, and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux. New court rulings are issued that affect how computer forensics is applied. The important point for forensics investigators is that evidence must be collected in a way that is legally admissible in a court case (CERT, 2008).

Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases. Documents maintained on a computer are covered by different rules, depending on the nature of the documents. Many court cases in state and federal court have developed and clarified how rules apply to digital evidence. The Fourth Amendment of the US Constitution (and each state's constitution) protects everyone's right to be secure in their person, residence and property from search and seizure (Computer Forensics, 2008). Thus, like any other crime scene, rules apply to obtaining search warrants to search and seize computers, computer files, and disks.

1.2 Related Work

Computer Forensics in Forensics

The paper Computer Forensics in Forensics (Peisert, 2008) explains the relation between search and seizure laws, forensic investigation rules, and the use of forensic tools and/or forensic analysis. I actually used this paper as a guide for my thesis. I was attracted and puzzled by the ambiguity of the laws and I wanted to investigate more about it. Also the steps and structure that the forensic analysis needs to follow were of a lot of interest, and of course the use of forensic tools, which in this case was the creation and use of a forensic tool.

Discipline of Internet Forensic

The paper Discipline of Internet Forensic (Berghel, 2003) gives a brief explanation of the correlation between search and seizure and computer forensic tools, and explains that an internet forensic specialist needs to know as much as or more than a hacker. So actually a forensic specialist kind of needs to be a hacker to understand how the tools work. Even though this paper focuses more on network tools and netscan tools, the general point that one must know how computers work in order to create and understand a forensic tool still applies.

Next Generation Digital Forensics

The paper Next Generation Digital Forensics (Roussev, 2006) exposes the need for new forensic tools and strategies. Investigators have more, and more complex, cases, and there is a feeling that current forensic tools are not up to the new challenges. Even though this paper did not apply to my thesis, I found out that cybercrime is going up and getting more sophisticated, and forensic tools are lagging behind.

Secure Audit Logs to Support Computer Forensics

In the paper Secure Audit Logs to Support Computer Forensics (Kelsey, 1999), the audit log is used as a forensic tool. It assumes that audit log entries detect an intrusion, such as recording the opening of a door, removal of a tamper-resistant coating, access to normally secret files, etc. The main objective is to detect intrusions and provide audit capabilities. This solution could be efficient for detecting hacking or intrusion, but the objective of this thesis is to get information about users who already have a user profile on the computer.

1.3 Search and Seizure

In computer forensics the Fourth Amendment's search and seizure protections have played a fundamental role. The Fourth Amendment states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" (Wegman, 2004).

The Fourth Amendment is part of the Bill of Rights, which guards against unreasonable searches and seizures. It was ratified as a response to the abuse of the writ of assistance, which was a type of general search warrant, in the American Revolution. It specifies that any warrant must be judicially sanctioned for a search or an arrest in order for such a warrant to be considered reasonable. Warrants must be supported by probable cause and be limited in scope according to specific information supplied by a person. It only applies to governmental actors and to criminal law (IST 432 - Computer Forensic). An example would be if a warrant is issued for child porn on an individual's computer, but the police find records of embezzlement; the embezzlement records could not be used in a court of law. The exception is if the police could justify obtaining a warrant to search the computer for records of embezzlement.

The Fourth Amendment interposes a magistrate as an impartial arbiter between the defendant and the police. The magistrate may issue a search warrant if the magistrate or judge is convinced that probable cause exists to support a belief that evidence of a crime is located at the premises. The officer must prepare an affidavit that describes the basis for probable cause, and the affidavit must limit the area to be searched and the evidence searched for. The warrant thus gives the police only a limited right to violate a citizen's privacy. If the police exceed that limited right, or if a warrant is required but the police have not first obtained one, then any evidence seized must be suppressed (U.S. Department of Justice, 2002). The issue of suppression, driven by a determination of whether the Fourth Amendment has been correctly followed by the police, is often the determining factor in criminal cases (Wegman, 2004).

Search warrants give only limited authority to the police to search. The search should be no more extensive than necessary as justified by probable cause. Thus, if the probable cause indicates that the contraband is located in a file on a CD, this would not justify seizing every computer and server on the premises. The extent of the search is tailored to the probable cause. If the police wish to seize a computer for analysis at a later time, the probable cause statement should demonstrate the impracticality or danger of examining the computer on the premises; hence the need to confiscate it and analyze it off-site (Wegman, 2004).

Another question facing law enforcement is when to notify the target of a search. Normally the target is notified at the time a physical search is made. However, the USA PATRIOT Act amended Title 18, Sec. 3103a of the United States Code to permit delayed notification. Law enforcement may now delay notification of the target for up to 90 days, with another delay possible upon a showing of good cause. In order to obtain authority for delayed notification, an investigator must show a need for the delay (IST 432 - Computer Forensic). Reasons include danger to the life or safety of an individual, risk of flight from prosecution, witness or evidence tampering, or that immediate notice would seriously jeopardize the investigation.

Another legal issue in computer forensic cases is how much time the police may have to analyze a computer after seizing it. Federal Rule of Criminal Procedure 41(c)(1) gives the police ten days after issuance of the warrant to serve it. But there is nothing in the Federal Rules of Criminal Procedure about how long the police may keep and analyze the computer. As a practical matter, the search of a computer in police custody should be done as quickly as possible. This is especially important if the computer is needed for the operation of a business (Wegman, 2004).

In the United States Supreme Court case of Illinois v. Andreas, 463 U.S. 765 (1983), the Court held that a search warrant is not needed if the target does not have a reasonable expectation of privacy in the area searched. The loss of a reasonable expectation of privacy, and therefore the loss of Fourth Amendment protection, is extremely important because much information is transmitted to networks and to the internet. If circumstances suggest the sender had no reasonable expectation of privacy, then no warrant is required by the police in order to obtain that information (Wegman, 2004). Examples would be blogs, website posts, and websites themselves. Public computers like library computers are not covered under the expectation of privacy.

No warrant is needed when the target consents to a search of his/her computer. No warrant is needed where a third party, such as a spouse, parent, employer or co-worker, consents to the search, so long as the third party has equal control over the computer (USA Dept. of Justice, 2009). An example would be if a married couple shared a computer in their home. The wife could consent to a search without the husband's consent and vice versa.

Agents should be especially careful about relying on consent as the basis for a search of a computer when they obtain consent for one reason, but then wish to conduct a search for another reason. In two recent cases, the Courts of Appeals suppressed images of child pornography found on computers after agents procured the defendant's consent to search his property for other evidence. In United States v. Turner, 169 F.3d 84 (1st Cir. 1999), detectives searching for physical evidence of an attempted sexual assault obtained written consent from the victim's neighbor to search the neighbor's "premises" and "personal property." Before the neighbor signed the consent form, the detectives discovered a large knife and blood stains in his apartment, and explained to him that they were looking for more evidence of the assault that the suspect might have left behind. While several agents searched for physical evidence, one detective searched the contents of the neighbor's personal computer and discovered stored images of child pornography. The neighbor was charged with possessing child pornography. On interlocutory appeal, the First Circuit held that the search of the computer exceeded the scope of consent and suppressed the evidence. According to the Court, the detectives' statements that they were looking for signs of the assault limited the scope of consent to the kind of physical evidence that an intruder might have left behind. By transforming the search for physical evidence into a search for computer files, the detective had exceeded the scope of consent. (Concluding that agents exceeded the scope of consent by searching the computer after the defendant signed a broadly-worded written consent form, because agents told the defendant that they were looking for drugs and drug-related items rather than computer files containing child pornography) (USA Dept. of Justice, 2009).

1.4 Electronic Communications Privacy Act (ECPA)

Congress has responded to the changing technological landscape. The most important federal statutes affecting computer forensics are the Electronic Communications Privacy Act (ECPA), the Wiretap Statute, the Pen/Trap Statute and the USA PATRIOT Act (Wegman, 2004). Enacted in 1986, the Electronic Communications Privacy Act sets provisions for the access, use, disclosure, interception and privacy protections of electronic communications. Violations of the ECPA may result in criminal penalties and civil remedies, including punitive damages. This act was written to expand the wiretapping provisions to wireless telephony (cellular) and email communications. The ECPA works to prohibit unauthorized interception or disclosure of electronic communications. According to the US Code, electronic communication means any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photo-optical system that affects interstate or foreign commerce, thereby making much of the desired content of possible forensic searches out of reach (IST 432 - Computer Forensic). In more detail, the ECPA covers communications via pager, cellular and wireless telephony, browser requests, internet downloads, chat room traffic, voice mail and emails when transmitted by common carriers in interstate commerce. ECPA prohibits unlawful access and certain disclosures of communications contents. Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure (IST 432 - Computer Forensic).

Computer forensics is affected a great deal by the ECPA. There are prohibitions in place against unlawful access to stored communications, which include probing into RAM or disk drives for information in the source or destination computer, or during transit while the communication is in temporary intermediary storage such as on a server. Such a law may affect the searching of certain protected material; however, there are some exceptions under the ECPA. Currently the ECPA has not been updated to accommodate the Internet. Investigators have sought to use technologies which collect much more information than pen registers or trap and trace devices under the authority of this law. It should be strengthened to protect citizens' privacy in electronic communications (IST 432 - Computer Forensic).

There are certain critical exceptions to ECPA. If the situation falls within an exception, the communications may be disclosed (18 U.S.C. § 2511(1); 18 U.S.C. § 2702(b)). Where an individual lacks an expectation of privacy, law enforcement officers do not need a warrant to listen in. ECPA will not bar intercepting the communications in these instances. Where one has an expectation of privacy is not always clear. If I set up a rendezvous with an acquaintance in a secluded public park in the middle of the day, sitting on a solitary park bench, do we have an expectation of privacy? According to DOJ, this inquiry embraces two discrete questions. First is whether the individual's conduct reflects "an actual (subjective) expectation of privacy" (IST 432 - Computer Forensic). Second is whether the individual's subjective expectation of privacy is "one that society is prepared to recognize as 'reasonable'" (IST 432 - Computer Forensic). In most cases, the difficulty of contesting a defendant's subjective expectation of privacy focuses the analysis on the objective aspect of the Katz test, i.e., whether the individual's expectation of privacy was reasonable (IST 432 - Computer Forensic).

Courts foraying into cyberspace must shift their focus away from the two-prong Katz expectation of privacy test in order to preserve the values underlying the Fourth Amendment. In developing a new framework for expectation of privacy analysis in cyberspace, courts should focus on the historic context of the Fourth Amendment and the intent of its Framers. Government monitoring and analysis of click stream data is closely analogous to the general searches which the Founding Fathers sought to curtail in enacting the Fourth Amendment. Both types of searches are indiscriminate, exposing lawful activity along with contraband or unlawful action. Also, both are incredibly intrusive, exposing intimate details about the lives of citizens to government scrutiny. A new rule needs to be established which recognizes that click stream data may be protected by the Fourth Amendment, not because the protection fits well with expectation of privacy analysis as developed by the Court in recent years, but rather because government click stream analysis is precisely the type of search the Framers intended to be subject to the Amendment's limitations (Winn, 2008).

Courts addressing this question should apply the normative analysis set forth by the Supreme Court in Smith v. Maryland instead of the rigid two-prong Katz test. The Court in Smith recognized that the two-prong Katz expectation of privacy test will sometimes provide an inadequate index of Fourth Amendment protection. In such situations, the Court explained, courts must undertake a normative inquiry to determine whether Fourth Amendment protection was appropriate. This normative inquiry asks a very simple question: should an individual in a free and open society be forced to assume the risk that the government will monitor her as she engages in the activity at issue? Courts employing the normative inquiry "must evaluate the 'intrinsic character' of investigative practices with reference to the basic values underlying the Fourth Amendment" (Winn, 2008). Unlike the two-prong test, which assumes that society has already reached an objective conclusion about the proper amount of protection a particular activity deserves, the normative test acknowledges that society has not reached a consensus about the proper level of protection a certain activity warrants. In that case, the activity can be evaluated against constitutional norms (Winn, 2008).

Application of Smith's normative inquiry to click streams reveals that Internet users should retain an expectation of privacy in click streams, because this data is precisely the type of information the Framers sought to protect against arbitrary government intrusion. The Fourth Amendment was intended to limit government searches which held the potential to intrude into the intimate details of the private lives of citizens. Courts must recognize a legitimate expectation of privacy in the intimate records of our online activity in order to satisfy these constitutional norms (Winn, 2008).

The passage of the Fourth Amendment was the Framers' reaction to overly intrusive searches and seizures conducted by British and colonial authorities. Prior to the Amendment's passage, the colonists were plagued by the use of general warrants and writs of assistance, which authorized law and customs enforcement officers to enter and search any building suspected of housing contraband (Winn, 2008). The searches conducted using these devices were broad and abusive, and occurred without particularized suspicion. The raids were led by executive officials with unlimited discretion (Winn, 2008). For example, the New Hampshire Council once allowed search warrants for "all houses, warehouses, and elsewhere in this Province", and the Pennsylvania Council once required a weapons search of "every house in Philadelphia" (Winn, 2008). Far from being isolated instances, such searches were widespread (Winn, 2008). In response to these abuses, the Framers sought to limit the power of government actors to search or seize persons, houses, papers, and effects. The invasion the Framers sought to prohibit was not merely the physical intrusion upon a "person" or "house." Instead, "the amendment's opposition to unreasonable intrusion ... sprang from a popular opposition to the surveillance and divulgement that intrusion made possible" (Winn, 2008). As one scholar explained, "The objectionable feature of general warrants was their indiscriminate character" (Winn, 2008). In addition to any contraband or unstamped goods that the generalized searches uncovered, the entirety of a person's private life was exposed to prying government eyes. This sort of indiscriminate search stripped the colonists of privacy without adequate justification, exposing them to the arbitrary and potentially despotic acts of government officials (Winn, 2008).

Monitoring and analysis of click streams by government officials is closely analogous to colonial general searches because it exposes the intimate lives of Web users, fails to discriminate between lawful and unlawful activity, and grants enormous discretion to front-line executive officials. As with general searches of colonial homes, click stream searches will unnecessarily reveal private information to government view, even when this information pertains to lawful activity. For example, law enforcement agents monitoring click streams could learn that an outwardly heterosexual man spends time entertaining homosexual fantasies online in an adult chat room, or that a high-profile political leader used the Internet to reserve a spot in an addiction recovery center. While such conduct is certainly legal, it is also intensely private. Allowing government agents to expose the conduct of the innocent in order to pursue the guilty contradicts the purpose and intent of the Fourth Amendment (Winn, 2008). On a more general level, the broad and arbitrary intrusion occasioned by a click stream search is contrary to "the most basic values underlying the Fourth Amendment"

14 (Winn, 2008). Although the use of general warrants and writs of assistance undoubtedly motivated the Framers in drafting the Amendment, they did not intend its protection to be limited to the narrow purpose of outlawing general searches. Instead, the Amendment was intended to protect citizens against the type of arbitrary invasions by government into the lives of citizens which general searches typified. As one commentator explained: While the history of the Fourth Amendment reveals many facets, one central aspect of that history is pervasive: controlling the discretion of government officials to invade the privacy and security of citizens, whether that discretion be directed toward the homes and offices of political dissentients, illegal smugglers, or ordinary criminals.(Winn, 2008) Similarly, the Supreme Court has repeatedly recognized that the harm the Fourth Amendment seeks to prevent is not the tangible invasion of one's person, papers, effects, or home, but rather the intangible invasion upon the sanctity and privacy of those objects occasioned by an unreasonable search or seizure (Winn, 2008).

The indiscriminate nature of click stream searches illustrates their incompatibility with the values upon which the Fourth Amendment was based. As one scholar argued:

The first problem with indiscriminate searches is that they expose people and their possessions to interferences by government when there is no good reason to do so. The concern here is against unjustified searches and seizures: it rests upon the principle that every citizen is entitled to security of his person and property unless and until an adequate justification for disturbing that security is shown. The second problem is that indiscriminate searches and seizures are conducted at the discretion of executive officials, who may act despotically and capriciously in the exercise of the power to search and seize. This latter concern runs against arbitrary searches and seizures; it condemns the petty tyranny of unregulated rummages. (Winn, 2008)

Absent an expectation of privacy in click stream data, law enforcement agents will be free to rummage through our online lives, revealing intensely private conduct. The Founding Fathers found the ability to conduct such arbitrary searches, made without any reason for suspicion, to be one of the most offensive aspects of general warrants and writs of assistance. They clearly intended such searches to be illegal. Allowing such intrusions into private cyberspace activity merely because an outdated expectation of privacy test would find assumption of risk or the absence of a subjective expectation of privacy in click stream data does intense violence to the values underlying both the Fourth Amendment and a free society. Yet this is exactly the result that will be reached if courts continue to cling to Katz's two-part test.

Once an expectation of privacy is established in click stream data, traditional Fourth Amendment principles regulating the reasonableness of searches and seizures can easily be applied. The traditional test of reasonableness, which balances the nature and quality of the intrusion upon an individual's Fourth Amendment interests against the importance of the governmental interests alleged to justify the intrusion, is perfectly suited for cyberspace. This test allows courts to protect against overly extensive and indiscriminate intrusion into online lives while also acknowledging that a sufficiently compelling governmental interest may justify such searches. This is the question that should be asked in every click stream search. However, it will never be asked until courts loosen their vise grip on the two-prong Katz test and decide that Internet users should retain a legitimate expectation of privacy in click stream data (Winn, 2008).

ECPA is a highly nuanced example of public policy. Congress felt that information stored on a network deserved varying levels of privacy protection, depending on how important or sensitive the information was. Accordingly, in Title 18, section 2703 of the U.S. Code, ECPA created five categories of sensitivity. The more sensitive the category, the greater the justification the government must show in order to obtain the information from a third party (usually the system administrator). The most sensitive information consists of the content of un-retrieved communications such as email that has resided in electronic storage for 180 days or less. After one hundred eighty days the information is considered stale and not deserving of the top category of protection, so it does not require a full search warrant for access (Bui, Enyeart, and Luong, 2003). The least sensitive category includes only basic information such as the name of the subscriber and how bills are paid. To obtain that information, the government needs only an administrative subpoena. An administrative subpoena can be issued by a government agency on its own, without prior approval by a court. For example, the FBI could issue an administrative subpoena for good cause. That subpoena could later be challenged, and if a court later decided that good cause did not exist, then information obtained under that subpoena would be suppressed (Bui et al., 2003).

1.5 Wiretap Statute

The Wiretap Statute (Title III) was amended in 2001. While ECPA regulates government access to stored computer information in the hands of third parties, the Wiretap Statute deals with direct surveillance or real-time interception of electronic communications by government agents. Wiretaps most commonly affect telephone conversations (IST 432 - Computer Forensic). A wiretap requires special judicial and executive authorization. An application for interception may not be filed unless it is first authorized by the attorney general or a specially designated deputy or assistant. The application must identify the officer authorizing the application. Attached to the government application should be the authorization, as well as copies of the attorney general's designations of those Department of Justice officials who have been authorized to approve wiretaps. Unlike traditional search warrants, a federal magistrate judge is not authorized to issue a wiretap. Only a federal district or circuit court judge may issue a wiretap. The application must contain a full and complete statement of the facts and circumstances relied upon to support a belief that an interception order should issue. The issuing judge must determine that there exists probable cause to believe that particular communications concerning the alleged offenses will be obtained through interceptions of communications. Before an interception order may issue, the judge must find:

o Probable cause for belief that a particular enumerated offense is being committed.
o Probable cause for belief that particular communications concerning that offense will be obtained through interception.

Besides a sufficient factual predicate like probable cause, the Fourth Amendment requires that every search be reasonable. As with any other search, whether an electronic search is reasonable depends upon balancing the degree of intrusion against the need for it. Thus, because an order to surreptitiously intercept private conversations is such an intrusive search, the application for interception must show more than mere probable cause; it must also show necessity. The application must contain a full and complete statement as to whether other investigative procedures have been tried and failed, or the reasons why such procedures reasonably appear to be unlikely to succeed or to be too dangerous if tried. The issuing judge must find that normal investigative procedures have been tried and failed or reasonably appear unlikely to succeed. A wiretap may issue only for particular crimes. The application must contain a full and complete statement regarding the details as to the particular offense that has been, is being, or is about to be committed. The issuing judge must find probable cause to believe those particular crimes are being committed, have been committed, or are about to be committed by an individual. The identities of persons to be intercepted must be particularly described in the application and order. The nature and location of the communication facilities to be intercepted must be particularly set forth in the application and order. The application must contain a particular description of the type of communications sought to be intercepted. The issuing judge must determine that there exists probable cause to believe that particular communications concerning the alleged offenses will be obtained through interceptions of communications. The application and order must set forth either that interception will cease after the particular communication sought is first intercepted or that interception will continue for a particular time period. A requirement of the Fourth Amendment is to prevent the execution of the overbroad general warrant abhorred by the colonists, which results in a general, exploratory rummaging in a person's belongings. Given the intrusive nature of an interception order, the Wiretap Act incorporates a number of provisions which circumscribe the scope of the warrant and guard against law enforcement officers generally rummaging through phone calls. The order for interception must contain a provision requiring the officers to execute the order in a manner whereby the interception of calls not particularly described and not otherwise subject to interception will be minimized. Similarly, no order may be entered authorizing interception for a period of time longer than necessary to achieve the objective, but in no event shall the authorization exceed thirty days (Monnat & Ethen, 2004).

Three U.S. federal statutes govern the interception, accessing, use, disclosure and privacy protections of electronic and wire communications. The U.S. Electronic Communications Privacy Act (ECPA, 18 U.S.C. 2701-2712) of 1986 covers stored communications. Real-time interception, as in wireless networks, is covered by the Pen/Trap Statute, 18 U.S.C. 3121-3127, centered on addressing information (like 802.11 protocol headers), and by the Wiretap Statute ("Title III"), 18 U.S.C. 2510-2522, centered on the contents of communication.

1.6 Pen/Trap Statute

The Pen/Trap Statute was amended in 2001. The Pen/Trap Statute, 18 United States Code Sec. 3121-3127, provides for a less intrusive form of government surveillance than the Wiretap Statute; it authorizes the installation of pen registers and trap and trace devices. A pen register records only dialing, routing and addressing information regarding outgoing electronic communications. Electronic communications include telephone, computer, telegraph and telex communications. A trap and trace device records the same information regarding incoming electronic communications. The significant fact regarding both is that the content of communications is not recorded. Only information such as telephone numbers of incoming and outgoing calls is recorded. Because these devices record less sensitive private information, the legal burden upon the government is significantly less than with a wiretap. Court orders for a pen/trap device require only a statement of the investigator's belief that the information likely to be obtained is relevant to a criminal investigation. A recitation of probable cause is not necessary, nor is it necessary to attest to the many other requirements necessary to obtain a wiretap order or a search warrant (Wegman, 2004). To obtain an order, applicants must identify themselves, identify the law enforcement agency conducting the investigation and then certify their belief that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by the agency. The law prohibits unlawful monitoring and disclosure of the content of communications. It also mandates that law enforcement follow proper procedures to review electronic communications, such as the search and seizure of electronic evidence procedures detailed in the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations document by the US DOJ, specifically sections III and IV, focused on electronic communications and surveillance.

1.7 USA PATRIOT ACT

On October 26, 2001 President Bush signed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act). This Act was overwhelmingly passed by Congress shortly after the events of September 11, 2001. It expands the government's investigative power. This Act has become very controversial, drawing criticism from both conservatives and liberals who question whether the Act goes too far. Perhaps the most controversial provision of the PATRIOT Act is the so-called sneak and peek authority conveyed in Section 213 of the Act. This Section provides for delayed notification to the targets of searches. The Act modifies the U.S. Criminal Code, Title 18, Sections 3103a and 2705. These modifications allow the government to delay notification of physical searches for up to ninety days. Extensions may be given for good cause. However, the delayed notification provision is restricted to cases where the government demonstrates an urgent need for delay, including situations where the life or physical safety of an individual is in jeopardy or to avoid the destruction of evidence. Excerpts of Section 2705 are reproduced in Appendix A.

Delayed notification is not an entirely new element in federal criminal law. It is the norm in wiretap cases, as noted above, and has been used and upheld in the seminal U.S. Supreme Court case of Dalia v. U.S. in 1979. In that case federal investigators entered a home, searched it and implanted a hidden microphone pursuant to a search warrant. Notice was delayed until the surveillance ended. What is new about the PATRIOT Act is that it provides for delayed notification in ordinary physical searches. In the past delayed notification has been used only in connection with electronic surveillance (Waxman, 2004). The Act also makes it easier for law enforcement to install an electronic surveillance device. Formerly, a wiretap order or pen register order had to be obtained in the jurisdiction in which the device was to be installed. Internet communications typically involve Internet service providers (ISPs) located in many jurisdictions. Sections 216 and 220 allow devices to be installed anywhere in the U.S.A. Section 225 of the Act is of particular importance to computer forensic investigators and providers of information to the government. It gives immunity from civil lawsuits to any person who provides technical or other assistance in obtaining electronic information pursuant to a court order or valid request for emergency assistance. The PATRIOT Act contains numerous other provisions expanding the scope of forensic investigations. However, it also contains a sunset provision. Under this provision the Act will terminate on December 31, 2005, unless Congress votes to extend it. The sunset provision does not apply to the entire Act. Significant sections, including those authorizing delayed notification, national wiretap and pen register orders, will not sunset automatically. The Obama administration supported the revisions to the law as approved by the committee, and in February 2010 it was extended for one more year. The three sections of the PATRIOT Act that would stay in force:

o Authorize court-approved roving wiretaps that permit surveillance on multiple phones
o Allow court-approved seizure of records and property in anti-terrorism operations
o Permit surveillance against a so-called lone wolf, a non-US citizen engaged in terrorism who may not be part of a recognized terrorist group.

Computer forensics is specifically supported by the PATRIOT Act. Section 816 authorizes the expenditure of $50 million for the creation and support of regional computer forensic laboratories. These laboratories will conduct investigations and also train investigators (Wegman, 2004).

1.8 Colorado House Bill Amendment

Effective April 30, 2010, House Bill 10-1201, C.R.S. 16-3-310, Oral advisement and written consent prior to search of a vehicle or a person during a police contact:

(1) (a) Prior to conducting a consensual search of a person who is not under arrest, the person's effects or a vehicle, a peace officer shall comply with paragraph (b) of this subsection (1).

(b) A peace officer may conduct a consensual search only after articulating the following factors to, and subsequently receiving consent from, the person subject to the search or the person with the apparent or actual authority to provide permission to search the vehicle or effects. The factors are:

(I) The person is being asked to voluntarily consent to a search; and
(II) The person has the right to refuse the request to search.

(c) After providing the advisement required in paragraph (b) of this subsection (1), a peace officer may conduct the requested search only if the person subject to the search voluntarily provides verbal or written consent. Other evidence of knowing and voluntary consent may be acceptable, if the person is unable to provide written or verbal consent.

(2) A peace officer providing the advisement required pursuant to subsection (1) of this section need not provide a specific recitation of the advisement; substantial compliance with the substance of the factors is sufficient to comply with the requirement.

(3) If a defendant moves to suppress any evidence obtained in the course of the search, the court shall consider the failure to comply with the requirements of this section as a factor in determining the voluntariness of the consent.

(4) This section shall not apply to a search conducted pursuant to section 16-3-103, C.R.S., a valid search incident to or subsequent to a lawful arrest, or to a search for which there is a legal basis other than voluntary consent. This shall include, but not be limited to, a search in a correctional facility or on correctional facility property, a detention facility, county detention facility, custody facility, juvenile correctional facility or any mental health institute or mental health facility operated by or under a contract with the department of human services, a community corrections facility or a jail, or a search of a person subject to probation or parole by a community supervision or parole officer when the person has consented to search as a term and condition of any probation or parole. (House Bill 10-1201, 2010)

1.9 Roles of Computer Forensics

The issue most related to computer forensics has to do with wiretapping and warrant gathering. The bill changes the ability of the government to delay the notification of a warrant by up to ninety days after the search. In the past, it had been possible to delay notification when doing surveillance such as wiretaps, since it would be pointless to listen in on a conversation when the parties involved know of the surveillance. This was upheld in the case Dalia v. U.S., where a wiretap was used and notification was delayed. The change in the PATRIOT Act, however, extends this ability to actual physical searches, including the search of computers. This can theoretically be very helpful, as it can be an easy process to remove data from a hard disk, but combined with the ability of not needing a warrant in terrorist matters it can be a very infringing ability. The USA PATRIOT Act also allows investigators to act prior to actually obtaining a warrant, as long as the individual involved personally feels that a threat is inherent. It also prevents third parties who aid in the surveillance from being liable in a civil case. This, however, can be conflicting. There could theoretically be times where a government agent feels there is a threat and elicits the help of another, but then the third party might not be protected if a warrant is not granted in the future. This is definitely an issue that is relevant to computer forensics, as an ISP may grant access to a government official, only to then be held liable for granting that access in the future (IST 432 - Computer Forensic).

Computer forensics is about investigating digital evidence related to criminal or suspicious behavior where computers or computer-related equipment may or may not be the targets. This process of identifying, preserving, analyzing and presenting digital evidence in a legally acceptable manner is not much different from traditional forensic science. The only difference is that the former focuses on digital evidence, whereas the latter focuses on physical evidence. Casey defines digital evidence as:

Any data stored or transmitted using a computer that support or refute a theory of how an offence occurred or that address critical elements of the offence such as intent or alibi. Digital evidence includes computer generated records such as outputs of computer programs and computer-stored records such as email messages. It is important to criminal investigations because it can be used as proof of crime, connection or alibi. However, handling digital evidence is challenging because the evidence can be easily hidden, manipulated or altered. Moreover, it is difficult to attribute certain computer activities to an individual especially in a multi-access environment. Similar to physical evidence digital evidence provides only a partial view of what may have happened. (Lim & Khoo, 2008)

The field of computer forensics has become a critical part of legal systems throughout the world. As early as 2002 the FBI stated that fifty percent of the cases the FBI now opens involve a computer (Reyes & Wiles, 2007). However, the accuracy of the methods, and therefore the extent to which forensic data should be admissible, is not yet well understood. Therefore, it is not yet safe to make the kinds of claims about computer forensics that can be made about other kinds of forensic evidence that have been studied more completely, such as DNA analysis. The accuracy of DNA analysis is well understood by experts, and the results have been transformational both in current and previous court cases. DNA evidence has been instrumental in convicting criminals, and in clearing people who have been wrongly convicted and imprisoned. DNA evidence condenses to a single number (alleles) with a very small probability of error. On the other hand, computer forensic evidence has matured without foundational research to identify broad scientific standards, and without underlying science to support its use as evidence. Another key difference between DNA and computer forensic data is that DNA evidence takes the form of tangible physical objects created by physical events.

Contrast these to computer objects that are created in a virtual world by computer events (IST 432 - Computer Forensic). The technology of computers and other digital devices is evolving at an exponential pace. Existing laws and statutes simply cannot keep up with the rate of change. Therefore, when statutes or regulations do not exist, case law is used. Case law allows legal counsel to use a previous case similar to the current one because the laws do not yet exist. Each new case is evaluated on its own merit and issues (Nelson, Phillips, Enfinger & Steuart, 2008).

1.10 Computer Forensic Investigation

When conducting a computer investigation for potential criminal violations of the law, the legal process one follows depends on local custom, legislative standards and rules of evidence. In general, however, a criminal case follows three stages: complaint, investigation and prosecution. A criminal case begins when someone finds evidence of an illegal act or witnesses an illegal act. The witness or victim makes a complaint to the police. Based on the incident or crime, the complainant makes allegations, an accusation or supposition of fact that a crime has been committed. A police officer interviews the complainant and writes a report about the crime. The police department processes the report and the department's upper management decides to start an investigation, or to log the information into a police blotter. The police blotter provides a record of clues to crimes that have been committed previously. Criminals often repeat actions in their illegal activities, and these habits can be discovered by examining police blotters. This historical knowledge is useful when conducting an investigation, especially in high technology crimes (Nelson et al., 2008). The investigator assigned to the case should be a specialist in retrieving digital evidence or a computer forensic expert. After the investigator builds a case, the information is turned over to the prosecutor.

When conducting a computer investigation for a business, remember that businesses must continue with minimal interruption from an investigation. Because businesses usually focus on continuing their usual operations and making profits, many in a private corporate environment consider an investigation and apprehension of a suspect secondary to stopping the violation and minimizing damage or loss to the business.

Law enforcement officers often find computers and computer components as they are investigating crimes, gathering other evidence or making arrests. With digital evidence, it is important to realize how easily key data, such as the last access date, can be altered by an overeager investigator who is first at the scene. The U.S. Department of Justice (DOJ) lays out a procedure in a manual that reviews proper acquisition of electronic evidence. The authenticity and integrity of the evidence examined will be of critical importance. The first step is to establish a chain of custody policy for your organization. The goal of the policy is to ensure that each piece of evidence collected is accountable to an individual until it is either returned to its original owner or disposed of (Reyes & Wiles, 2007).

Computing investigations demand that you adjust procedures to suit the case. For example, if the evidence for a case includes an entire computer system and associated storage media, such as floppy disks, cartridges, tapes and thumb drives, an investigator must be flexible when accounting for the entire item. Some evidence is small enough to fit into an evidence bag. Other items, such as the monitor and printer, are too large. To secure and catalog the evidence contained in large computer components an investigator can use large evidence bags, tape, tags, labels and other products available from police supply. Be cautious when handling a computer component to avoid damaging the components, or coming into contact with static electricity, which can destroy digital data. For this reason, an investigator needs to use antistatic bags when collecting computer evidence. An investigator might consider using an antistatic pad with an attached wrist strap as well. Both help prevent damage to computer evidence. Computer components also require specific temperature and humidity ranges. If it is too cold, hot, or wet, computer components and magnetic media can be damaged. Even heated car seats can damage digital media. Placing a computer on top of a two-way car radio in the trunk can damage magnetic media. When collecting computer evidence, an investigator must have a safe environment for transporting and storing it until a secure evidence container is available (Nelson et al., 2008).

In traditional, old fashioned cases, a detective would receive information from a reliable informant that contraband, for example drugs, is located at a premises. The detective would prepare a statement describing the informant's reliability and that the informant had recently observed drugs at the premises. The detective would take the affidavit to a judge, who would determine whether probable cause existed. If that determination was positive, the judge would sign the search warrant authorizing the detective to search for and seize a specific type and quantity of drugs at that premises. The detective would then go to the location and execute the warrant (Skibell, 2003). However, in computer forensics cases there is added complexity. The contraband might consist of child pornography, or records of drug sales. This information might be located on a laptop computer, but it might also be located on a network server in another state or in a foreign country. The information might be located on a hard drive, a diskette or a CD. The contraband information might be very difficult to recognize; it could be encrypted, misleadingly titled or buried among a large number of innocent files (Wegman, 2004). It could take considerable time to identify the contraband. As noted above, a search warrant gives only limited authority to the police to search. The search should be no more extensive than necessary, as justified by probable cause. Thus, if the probable cause indicates that the contraband is located in a file on a CD, this would not justify seizing every computer and server on the premises (Brenner, 2002). The extent of the search is tailored to the extent of the probable cause. If the police wish to seize a computer and analyze it at a later time, the probable cause statement should demonstrate the impracticality or danger of examining the computer on the premises, hence the need to confiscate it and analyze it off-site.


Chapter 2 Related Work

The work of this thesis builds on previous work in the forensic field; in particular, the open source forensic tools Galleta and Pasco were used as a very basic reference.

2.1 Forensic Tool Requirements

Design a forensic tool that captures user information from any of the three most popular web browsers (Internet Explorer, Mozilla Firefox and Google Chrome), to obtain detailed evidence of the date and time of accessed sites and the frequency of access to the same sites. Also capture further supporting information that correlates the times between sites visited and any other login activities, such as Skype, Instant Messaging or Outlook. A timeline report should be generated to correlate all the information collected, so that it can be weighted as relevant evidence or discarded as irrelevant.

2.1.1 Basic Customer Requirements

Investigate computer forensic techniques for improving the accuracy of evidence about web accesses by correlating the events with other logs. Due to the increasing cyber threats and potential insider attacks, it is critical to validate that web accesses were indeed generated by the person of interest and not planted by others.


2.1.2 Purpose

The web accesses are typically captured by the cookie files on the client side and the access logs on the server side. The web accesses of a person can be verified by correlating the login period in system access logs. They can also be supported by the access logs of other applications such as email, instant messaging or Skype. Of interest in computer crime evidence collection are:

The date and time of the access to a certain site.
The frequency of the access.
Other supporting evidence that the person is using the same machine.
The corroborating evidence that the web site has corresponding access records.

Investigate how to weigh the different supporting evidence, and the related practices of the District Attorney's Office investigators.

2.2 Project Scope

Develop a .NET Windows Forms application that can be used by investigators or forensic technicians. The application will allow for requesting and reporting the case-related forensic information.

SQLite will be used to store the case information. The interface will be developed using the Microsoft development suite (Visual Studio C#).


2.3 Software System Perspective

This application will assist the investigator with information about the user's browser activities and history, and any other activities using Outlook, Skype and instant messaging. The information collected can be used to find out the frequency with which a user visits a particular web site, the history of the user visiting that web site, and other login activities that could be used as evidence against the user. A thumb drive with the Forensic Tool on it will be given to investigators; they can run the tool from the thumb drive on the computer on which an alleged crime was committed, open a case, and view/save the reports.

Features:

Report tool: Investigators will have the ability to run reports as needed. These reports will include a timeline for each activity on the browsers, IM, Skype or Outlook.
Printing: Cases can be saved and then printed.
Database: All data input can be saved into a database.
Entry: New entries can be added to the database through New case->Save.
Reload: Reports can be run on previously saved cases.

2.3.1 Operating Environment

The system will use Windows XP, SQLite, .NET 3.5 and a C# compiler.


Chapter 3 Designing of the NICA Computer Forensic Tool

It is very important to know the primary players, because based on that we can select the actors that will be part of the forensic application. The application will look for user profiles. Getting the user profiles requires an understanding of how the registry works. The information gathering task involves getting the information about the cookies, temporary files and history from the web browsers, and the login information and date/time stamps that Skype, Outlook or Instant Messenger stored. More detailed information is offered throughout this chapter.

3.1 Objectives of the Computer Forensic Tool Design

The forensic tool application looks into the user profile directory to find out how many user profiles exist on the computer to be investigated, then finds the surfing history, typed URLs, cookies, and number of visits to a particular site. To accomplish this objective the forensic tool will look into the cookie files, internet temporary files, internet history files and cache files. Also, the forensic tool will look into the logins and activities for Skype, Outlook and Instant Messenger if any of them are installed on the machine to be investigated. The information collected will be used to generate a report with a timeline, by date and time, of each activity. This application cannot replace the final analysis of an investigator and his/her conclusion about the evidence compiled.


3.2 Design of the Forensic Tool

Usage statistics provide important information. Studies by different companies have shown that Internet Explorer is used by 32% of web users, Firefox by 46.4% and Chrome by 13.6%. Internet Explorer and Firefox are the most common browsers. Because of the popularity of these browsers, they were selected as players for this application. Also, instant messaging is said to be one of the most popular forms of internet communication today, beating out email thanks to the lack of spam and the instant feedback. Microsoft Instant Messenger and Skype were also selected as players for this application because of their popularity and the video capability that Skype provides. Outlook is the most frequently used email program in companies. A lot of forensic work is done on computers used by employees, so it is very important to get information from Outlook.

3.3 Brief Introduction to the Essential Registry Key Information

The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used. A registry hive is a group of keys, subkeys and values in the registry that has a set of supporting files containing backups of its data. The registry is a database used to store computer and user specific settings. Portions of the registry can be saved as files and reloaded for use as necessary. The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on Windows XP. The supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username folder. There are five registry hives:

HKCR - Abbreviated from the registry key name HKEY_CLASSES_ROOT. HKCR stores information about registered applications, such as associations from file extensions and OLE object class IDs tying them to the applications used to handle these items.

HKCU - Abbreviated from the registry key name HKEY_CURRENT_USER. HKCU stores settings that are specific to the currently logged in user. The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the current user; the same information is reflected in both locations.

HKU - Abbreviated from the registry key name HKEY_USERS. HKU contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.

HKCC - Abbreviated from the registry key name HKEY_CURRENT_CONFIG. HKCC contains information gathered at runtime; information stored in this key is not permanently stored on the hard disk, but rather regenerated at boot time.

HKPD - Abbreviated from the registry key name HKEY_PERFORMANCE_DATA. HKPD provides runtime information on performance data provided by either the operating system kernel itself or other programs that provide performance data. This key is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API (Yang, 2008).


Computer accounts, user accounts, groups, and other security-related objects are security principals. Security Identifiers (SIDs) uniquely identify security principals. Each time Windows XP or Active Directory creates a security principal, it generates a SID for it. Windows XP's Local Security Authority (LSA) generates SIDs for local security principals and then stores them in the local security database. The Domain Security Authority generates SIDs for domain security principals and then stores them in Active Directory. SIDs are unique within their scope: every local security principal's SID is unique on the computer, and every domain security principal's SID is unique within any domain in the enterprise. What's more, Windows XP and Active Directory never reuse a SID, even if they delete the security principal to which that SID belonged. Thus, if you delete an account and then add it back, the account gets a new SID.

3.4 Understanding the Actors

3.4.1 User Profile

A user profile describes the desktop computing configuration for a specific user, including the user's environment and preference settings. A profile is created the first time that a user logs on to a computer running Windows Server 2003, Windows XP, Windows 2000, or Windows NT Workstation. A user profile is a group of settings and files that defines the environment that the system loads when a user logs on. It includes all the user-specific configuration settings, such as program items, screen colors, network connections, printer connections, mouse settings, and window size and position. Profiles are not user policies, and the user has a profile even if you don't use Group Policy. Depending on how you manage your network, you or a user can define the desktop settings. The following user profiles are available in Windows Server 2003, Windows XP Professional, and Windows 2000 Professional (TechNet, 2010):

Local User Profile. Created the first time that a user logs on to a computer, the local user profile is stored on a computer's local hard disk. Any changes made to the local user profile are specific to the computer on which the changes are made.

Roaming User Profile. A copy of the local profile is copied to, and stored on a server share. This profile is downloaded every time that a user logs on to any computer on the network, and any changes made to a roaming user profile are synchronized with the server copy upon logoff.

Mandatory User Profile. A type of profile that administrators can use to specify particular settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by the user to desktop settings are lost when the user logs off.

Temporary User Profile. A temporary profile is issued any time that an error condition prevents the user's profile from being loaded. Temporary profiles are deleted at the end of each session; changes made by the user to their desktop settings and files are lost when the user logs off.

A primary goal of user profiles is to separate each user's settings and data from those of other users and the local computer (Technet2, 2010). A user profile consists of a registry hive and a set of profile folders stored in the file system.

Registry hive. User profiles take advantage of the hive feature to provide roaming profile functionality. The user profile registry hive is the NTuser.dat file, and it is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on. The NTuser.dat hive maintains the user's environment preferences when the user is logged on. It stores those settings that maintain network connections, Control Panel configurations unique to the user such as the desktop color and mouse, and application-specific settings. The majority of the settings stored in the registry are opaque to user profile settings and are owned and maintained by individual applications and operating system components (Technet2, 2010).

A set of profile folders stored in the file system. User profile files are stored in the file system in the Documents and Settings directory, in a per-user folder. The user profile folder is a container for applications and other operating system components to populate with subfolders and per-user data, such as shortcut links, desktop icons, startup applications, documents, configuration files and so forth. Windows Explorer uses the user profile folders extensively for special folders such as the user's Desktop, Start Menu and My Documents folder (Technet2, 2010).


The NICA Forensic Tool application presented in this thesis uses Log Parser to query the registry for the information we need to find (user information and application information). When Log Parser is executed it returns a LogRecordSet. We first iterate through the LogRecordSet to get the NTUSER.DAT path from the registry key (HKLM\system\ControlSet001\control\hivelist) for every user (see Table 2). Next we get the ProfileImagePath (usually of the form %SystemDrive%\Documents and Settings\UserName) from the LogRecordSet; then we get the user SIDs for each user profile whose key contains the pattern S-1-5-21. NICA Forensic Tool not only checks the currently logged in user but also checks all other users on the computer. With all the users' SIDs we can iterate through the registry one user at a time and make each one active, so that we can gain access to the HKCU view that would not normally be available. Once active, we then proceed to get all the user's application settings that will be used later.
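As an added example of the ProfileList walk described above (this is not NICA's code, and it is written in Python rather than the tool's C#), the following filters constructed ProfileList records the way the tool's LIKE '%S-1-5-21%' query does, derives the user name from ProfileImagePath as the tool does, and additionally decodes each SID so the investigator can tell the built-in Administrator (RID 500) from ordinary accounts (RID 1000 and above). The record values, SID numbers and user names are constructed sample data.

```python
"""Select account profiles from ProfileList records and decode their SIDs.
Added example, not NICA's code.  The records are constructed to mimic the
(KeyName, ValueName, Value) triples that Log Parser returns for
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known relative identifiers of built-in local accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample: system/service profiles plus two S-1-5-21 accounts.
SAMPLE_PROFILELIST: List[Tuple[str, str, str]] = [
    ("S-1-5-18", "ProfileImagePath", r"%systemroot%\system32\config\systemprofile"),
    ("S-1-5-19", "ProfileImagePath", r"%SystemDrive%\Documents and Settings\LocalService"),
    ("S-1-5-21-1111111111-2222222222-3333333333-500", "ProfileImagePath",
     r"%SystemDrive%\Documents and Settings\Administrator"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1004", "ProfileImagePath",
     r"%SystemDrive%\Documents and Settings\acastro"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1004", "Sid", "<binary>"),
]


@dataclass(frozen=True)
class ParsedSid:
    sid: str
    identifier_authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority."""
        return self.subauthorities[-1]

    @property
    def is_account_sid(self) -> bool:
        """S-1-5-21-<three machine/domain values>-<RID> identifies a real account."""
        return (self.identifier_authority == 5
                and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    @property
    def account_kind(self) -> str:
        if not self.is_account_sid:
            return "system/service"
        if self.rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[self.rid]
        return "user" if self.rid >= 1000 else "built-in"


def parse_sid(text: str) -> ParsedSid:
    """Split the textual SID into identifier authority and sub-authorities."""
    if not SID_RE.match(text):
        raise ValueError("malformed SID: %r" % text)
    parts = text.split("-")          # ["S", "1", authority, sub1, sub2, ...]
    return ParsedSid(text, int(parts[2]), tuple(int(p) for p in parts[3:]))


def user_profiles(records: List[Tuple[str, str, str]],
                  profiles_dir: str = r"%SystemDrive%\Documents and Settings") -> Dict[str, dict]:
    """Keep S-1-5-21 keys and derive the user name from ProfileImagePath,
    mirroring the tool's query and its Replace() on the profiles directory."""
    found: Dict[str, dict] = {}
    for key_name, value_name, value in records:
        if "S-1-5-21" not in key_name or value_name != "ProfileImagePath":
            continue
        sid = parse_sid(key_name)
        user_name = value.replace(profiles_dir + "\\", "")
        found[user_name] = {"sid": sid.sid, "rid": sid.rid, "kind": sid.account_kind}
    return found
```

Deriving the user name from the profile folder is a convenience, not an identity: Windows gives a new profile folder a suffix such as user.DOMAIN or user.000 when a folder of that name already exists, so the SID, not the folder name, is the key by which evidence should be attributed to an account.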
string iQuery = @"SELECT * FROM '\HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST' WHERE PATH LIKE '%S-1-5-21%'";
// Execute the query
LogRecordSet oRecordSet = oLogQuery.Execute(iQuery, oREGInputFormat);
String iSIDValue = string.Empty;
List<String> iLoggedUsers = GetLoggedUsers();
UserProfile iUserProfile = new UserProfile();
// Browse the recordset
do
{
    if (iUserProfile.KeyName == String.Empty)
    {
        iUserProfile.KeyName = oRecordSet.getRecord().getValue("KeyName").ToString();
        iUserProfile.LastWriteTime = Convert.ToDateTime(oRecordSet.getRecord().getValue("LastWriteTime").ToString());
        iUserProfile.RegistryKeyPath = Convert.ToString(oRecordSet.getRecord().getValue("Path"));
    }
    switch (oRecordSet.getRecord().getValue("ValueName").ToString())
    {
        case "ProfileImagePath":
        {
            iUserProfile.ProfilePath = oRecordSet.getRecord().getValue("Value").ToString();
            // The user name is the last path component of the profile directory
            iUserProfile.UserName = iUserProfile.ProfilePath.Replace(iProfilesDirectory + "\\", "");
            iUserProfile.Logged = iLoggedUsers.Contains(iUserProfile.UserName);
            if (File.Exists(iUserProfile.ProfilePath + "\\" + "NTUSER.DAT"))
            {
                FileInfo iFileInfo = new FileInfo(iUserProfile.ProfilePath + "\\" + "NTUSER.DAT");
                iUserProfile.CreatedTime = iFileInfo.CreationTime;
                iUserProfile.ModifiedTime = iFileInfo.LastWriteTime;
                iUserProfile.RegistryFileSize = iFileInfo.Length;
            }
        }
        break;
        // cases for the remaining ProfileList value names are not shown in this listing
    }
    // advance to the next ProfileList record
    oRecordSet.moveNext();
} while (!oRecordSet.atEnd());

Table 2. Using Log Parser.

Local Profile - Existing User

The user logs on. Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get the path to the user's profile (see Fig. 1).

The user's registry hive NTUSER.DAT is mapped to the HKEY_CURRENT_USER portion of the registry.

The user's %userprofile% environment variable is updated with the value of the local profile folder. When the user logs off, the profile is saved to the local hard disk of the computer.

Figure 1. Registry key for users (SID).

3.4.2 Internet Explorer

During forensic analysis it is often relevant to parse the information in IE cookie files into a human readable format. Cookies aid forensic analysts during an investigation by providing insight into a suspect's internet activity. Internet Explorer stores its data in one key and has three subkeys within it that hold the majority of useful information:

HKCU\software\Microsoft\InternetExplorer\Main: stores the user's settings in Internet Explorer. It contains information such as search bars, start page, form settings, etc.

HKCU\software\Microsoft\InternetExplorer\TypedURLs: stores all URLs that a user has typed into the address field of the web browser.

HKCU\software\Microsoft\InternetExplorer\DownloadDirectory: displays the last directory used to store a downloadable file from Internet Explorer (Farmer, 2008).

IE stores data in the <drive>\Documents and Settings\<user> profile folders: Favorites, Cookies, History, and Temporary Internet Files. The registry stores Typed URLs, passwords and Protected Storage information.

NICA Forensic Tool gets the paths for the IE Cache, IE History and IE Cookies of the application. For each application we define the name, exe file and the three paths. The input type is KEY because the information is kept in the Windows registry; the output type is S, which means a single value.

IE Cookies:

The IE cookie file format: after visiting a website such as www.securityfocus.com, a cookie will be generated on the user's PC that looks similar to the following (Jones, 2003):

ssfocus ----- variable
home ----- value of the variable
securityfocus.com/ ----- website that issued the cookie
0 ----- contains flags
1238799232 ----- the most significant integer for the expiration time of the cookie
29570658 ----- the least significant integer for the expiration time of the cookie
1484443312 ----- the most significant integer for the creation time
29552553 ----- the least significant integer for the creation time

After visiting a website, a cookie will be generated on the user's computer. This cookie contains the information meant to be saved on the client by the web server, the domain name that is responsible for this cookie, and the relevant time/date stamps. The file will be created in the user's IE cookie directory: C:\Documents and Settings\<username>\Cookies (see Fig. 2).
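The record layout just described, parsed by an added Python example that is not part of the thesis or of NICA. It treats the two integers of each timestamp pair as the low-order and high-order 32 bits of a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), in that order, which is an assumption of the example; combined that way, the page's sample values decode to dates in 2003, the year of the cited paper. The sample file content is constructed from the record shown above.

```python
"""Parse Internet Explorer cookie text records into dated fields.
Added example, not NICA's code.  It assumes the two integers of each
timestamp pair are the low-order and high-order 32 bits of a Windows FILETIME
(100-ns ticks since 1601-01-01 UTC), in that order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample file holding the page's securityfocus.com record;
# every record in a cookie file is closed by a line containing "*".
SAMPLE_COOKIE_FILE = (
    "ssfocus\nhome\nsecurityfocus.com/\n0\n"
    "1238799232\n29570658\n1484443312\n29552553\n*\n"
)


@dataclass
class IECookie:
    name: str
    value: str
    domain: str      # host/path that issued the cookie
    flags: int
    expires: datetime
    created: datetime


def filetime_from_dwords(low: int, high: int) -> datetime:
    """Combine the two 32-bit halves and convert the FILETIME to UTC (1 s resolution)."""
    if not (0 <= low < 2**32 and 0 <= high < 2**32):
        raise ValueError("timestamp half out of 32-bit range")
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(seconds=ticks // 10_000_000)


def parse_ie_cookie_file(text: str) -> List[IECookie]:
    """Split the file into '*'-terminated records and decode each one."""
    cookies: List[IECookie] = []
    record: List[str] = []
    for line in text.splitlines():
        if line.strip() != "*":
            record.append(line)
            continue
        if len(record) < 8:
            raise ValueError("truncated cookie record: %r" % (record,))
        cookies.append(IECookie(
            name=record[0],
            value=record[1],
            domain=record[2],
            flags=int(record[3]),
            expires=filetime_from_dwords(int(record[4]), int(record[5])),
            created=filetime_from_dwords(int(record[6]), int(record[7])),
        ))
        record = []
    return cookies


def cookie_timeline(cookies: List[IECookie]) -> List[str]:
    """One line per cookie, ordered by creation time, for the investigator's timeline."""
    return ["%s %s %s" % (c.created.isoformat(), c.domain, c.name)
            for c in sorted(cookies, key=lambda c: c.created)]
```

The creation time is the value worth putting on a timeline: it records when the browser first received the cookie from that site, which is the evidence of a visit; the expiration time is set by the server and says nothing about user activity.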

Figure 2. Internet Explorer location of the cookies files.


IE History

History tracks the websites visited by the user and includes date/time information in C:\Documents and Settings\<username>\Local Settings\History (see Fig. 3). The History folder contains a master index.dat file that tracks the history. The History folder displays icons that represent the weekly/daily history activity; each of these folders contains an index.dat file.

Figure 3. IE location of the History file containing web site information

IE Temporary Internet Files

Located at C:\Documents and Settings\<user>\Local Settings\ (see Fig. 4). This folder contains an index.dat file that records the URL, filename, username and content information. It provides information about browser activity even if the user deletes their Temporary Internet Files. Review the Temporary Internet Files for cached Internet emails (Outlook = read ~.htm or main~.htm).

Figure 4. IE location of the Internet Files containing web sites info and index.dat files.

Registry Typed URLs

Most URLs that you visit are saved in the History folder. However, Internet Explorer also saves the last 25 URLs that you typed in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (see Fig. 5). The lowest numbered entry is the most recent site visited (url1, url2, url3, etc.).


Figure 5. IE TypedURL information location.

Index.dat file

Index.dat is a file used by the Internet Explorer web browser. The index.dat file functions as an active database, which runs as long as a user is logged on in Windows. It functions as a repository of redundant information, such as web URLs, search queries and recently opened files. Its role is similar to that of an index file in the field of databases, where a technique called indexing stores the contents of a database in a different order to help speed up query responses. Similarly, when the auto-complete function is enabled in Internet Explorer, every web address visited is stored in the index.dat file, allowing Internet Explorer to attempt to find an appropriate match when a user types in an edit field. Separate index.dat files exist for the Internet Explorer history, cache, and cookies.

The index.dat file contains a header that holds important information about the file's properties. Specifically, the header contains the index.dat file length, the HASH table offset and the internet cache directory names (Jones, 2003) (see Fig. 6).

The first field we notice is the file size. The file size is given in the file header immediately following the NULL (0x00) terminated version string (see Fig. 7). Immediately following the file size is the location of the HASH table. The HASH table is an array of data that contains entries pointing to the relevant activity data within the index.dat file. Bytes 0x20-0x23 hold the location of the hash table (see Fig. 8). The hash table is used to store the actual entries; its beginning is shown in Fig. 9.

After the HASH table offset is a listing of directories that this index.dat file uses to store the locally cached files on the user's computer (Jones, 2003). These directories contain the files that were actually downloaded from the web (see Fig. 10).

o Size: 0x00394000 (3751936 bytes)
o Hash Table: 0x00005000
o Directories: (null-terminated, at 0x50)
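The header fields listed above, read by an added Python example that is not NICA's code. The offsets follow the text (NUL-terminated version string at 0, file size right after it, hash-table offset in bytes 0x20-0x23, directory table at 0x50); the layout of one directory entry (a 4-byte file count followed by an 8-character directory name, the table ending with an all-zero entry) is an assumption of the example about the "Client UrlCache MMF Ver 5.2" format, and the header bytes it parses are constructed rather than taken from a real file.

```python
"""Parse the header of an Internet Explorer index.dat file.
Added example, not NICA's code.  Offsets follow the page: NUL-terminated
version string at offset 0, file size immediately after it (0x1C), hash-table
offset at 0x20 (bytes 0x20-0x23), cache directory table at 0x50.  The layout
of a directory entry (4-byte file count followed by an 8-character name,
list ended by an all-zero entry) is an assumption.  The header bytes are
constructed.
"""
import struct
from typing import Dict, List, Tuple

VERSION_PREFIX = b"Client UrlCache MMF Ver "
HASH_OFFSET_POS = 0x20
DIR_TABLE_POS = 0x50
DIR_ENTRY_LEN = 12          # 4-byte count + 8-byte name (assumption)


def build_sample_header(file_size: int, hash_off: int,
                        dirs: List[Tuple[str, int]]) -> bytes:
    """Construct a synthetic header (constructed test data, not a real file)."""
    buf = bytearray(DIR_TABLE_POS + DIR_ENTRY_LEN * (len(dirs) + 1))
    version = b"Client UrlCache MMF Ver 5.2\x00"      # 27 chars + NUL = 0x1C bytes
    buf[:len(version)] = version
    struct.pack_into("<I", buf, len(version), file_size)   # lands at 0x1C
    struct.pack_into("<I", buf, HASH_OFFSET_POS, hash_off)  # 0x20
    for i, (name, count) in enumerate(dirs):
        if len(name) != 8:
            raise ValueError("cache directory names are 8 characters")
        struct.pack_into("<I8s", buf, DIR_TABLE_POS + i * DIR_ENTRY_LEN,
                         count, name.encode("ascii"))
    return bytes(buf)


def parse_index_dat_header(data: bytes) -> Dict[str, object]:
    """Return version, file size, hash-table offset and cache directories."""
    if not data.startswith(VERSION_PREFIX):
        raise ValueError("not an index.dat file: bad version string")
    nul = data.index(b"\x00")
    version = data[:nul].decode("ascii")
    (file_size,) = struct.unpack_from("<I", data, nul + 1)  # right after the NUL
    (hash_off,) = struct.unpack_from("<I", data, HASH_OFFSET_POS)
    # A hash table outside the file means a corrupt or truncated header.
    if not DIR_TABLE_POS < hash_off < file_size:
        raise ValueError("hash table offset 0x%x outside the file" % hash_off)
    dirs: List[Tuple[str, int]] = []
    pos = DIR_TABLE_POS
    while pos + DIR_ENTRY_LEN <= len(data):
        count, raw_name = struct.unpack_from("<I8s", data, pos)
        name = raw_name.rstrip(b"\x00")
        if not name:            # all-zero entry ends the table
            break
        dirs.append((name.decode("ascii"), count))
        pos += DIR_ENTRY_LEN
    return {"version": version, "file_size": file_size,
            "hash_table_offset": hash_off, "directories": dirs}
```

Checking the hash-table offset against the file size before following it is the detail worth copying: a parser that trusts the offset blindly will read past the end of a truncated or tampered index.dat.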


Figure 6. Index.dat file header.

Figure 7. Index.dat file size.

Figure 8. Location of the hash table.

Figure 9. Beginning of the hash table.

Figure 10. Files downloaded from the web.


3.4.3 Mozilla Firefox

Firefox stores a user's personal information such as bookmarks, extensions, and user preferences in a unique profile stored in files within a special folder on the user's PC. The first time you start Firefox, it will automatically create a default profile; additional profiles can be created using the profile manager. Profile folders are placed in a common location by default but are named randomly for additional security (e.g. xxxxxx.default is the profile folder name for the default profile, where xxxxxx represents a random string of characters). The NICA Forensic Tool will only search up to 5 profiles for any given user. Starting in Firefox 3, a new file format is used to record browser history information. Rather than storing this information in a flat file using the mork file format, the information is kept in a SQLite database (MozillaZine, Profile Folder, 2009).

Firefox stores most of its data in files instead of the registry; it is easy to find, in individual folders, and it is very easy for a user to wipe the folders securely. It stores personal information such as bookmarks, extensions and user preferences in a unique profile folder, called Profile.

Files in Profile.ini

NICA Forensic Tool gets the path for History, Cache and Cookies of the Firefox application. For each application we define the name, exe file and the three paths. The input type is INI because Firefox does not use the Windows registry; the information can only be retrieved through the INI file. Firefox keeps the INI file in the Application Data or Local Application Data directory; the source path is [ApplicationData] + \\Mozilla\\Firefox.

Firefox History Files

File location: C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\zb0sttcz.default\places.sqlite (see Fig. 11). The following registry path will tell us if Mozilla Firefox is installed and where the Mozilla Firefox information is contained (Musings, 2007): HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox (see Fig. 12)

Figure 11. Mozilla Firefox profiles information.


3.4.4 Google Chrome

Google Chrome is a web browser developed by Google. The name is derived from the graphical user interface frame, or "chrome", of web browsers. As of April 2010, Chrome was the third most widely used browser. File location: C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage (see Fig. 12). Google Chrome stores the browser history in a SQLite database. The database file that contains the browsing history is stored under the Default folder as History and can be examined using any SQLite browser (such as sqlite3). The available tables are download, presentation, urls, keyword search terms, segment usage, visits, Meta and segments. The most relevant tables for browsing history are the urls table, which contains all the visited URLs; the visits table, which contains, among other information, the type of visit and the timestamps; and finally the downloads table, which contains a list of downloaded files (Brainfold, 2010).


Figure 12. Google Chrome files location.

NICA Forensic Tool gets the paths for History, Cache and Cookies of the Google Chrome application. For each application we define the name, exe file and three paths. The input type is DIR because Google Chrome does not use the Windows registry; the information can only be retrieved through the DIR path. Google Chrome keeps the DIR files in the Local Application Data directory (C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome).
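Sections 3.4.3 and 3.4.4 both describe history kept in SQLite, and the point of the thesis is to put those records on one timeline. The following added Python example (not NICA's code, which is C# and drives external viewers) does that for both browsers against in-memory databases built from a constructed subset of the real schemas: Firefox moz_places/moz_historyvisits, whose visit_date is microseconds since 1970-01-01 UTC, and Chrome urls/visits, whose visit_time is microseconds since 1601-01-01 UTC. Every row is constructed sample data, and the queries are ones the investigator could run unchanged against a copied places.sqlite or History file.

```python
"""Merge Firefox (places.sqlite) and Google Chrome (History) visits into one
timeline.  Added example, not NICA's code.  The two in-memory databases use a
constructed subset of the real schemas: Firefox moz_places/moz_historyvisits
store visit_date as microseconds since 1970-01-01 UTC; Chrome urls/visits
store visit_time as microseconds since 1601-01-01 UTC.  All rows are
constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

Event = Tuple[datetime, str, str]   # (when, browser, url)


def firefox_time(microseconds: int) -> datetime:
    """PRTime: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def chrome_time(microseconds: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01."""
    return WINDOWS_EPOCH + timedelta(microseconds=microseconds)


def build_firefox_sample() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);
        -- two visits to the same page on 2010-04-15 (09:50 and 10:00 UTC)
        INSERT INTO moz_places VALUES (1, 'http://www.example.org/', 'Example', 2,
                                       1271325600000000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1271325000000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 1, 1271325600000000, 1);
    """)
    return db


def build_chrome_sample() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
        -- one visit at 2010-04-15 10:05 UTC, expressed in the 1601 epoch
        INSERT INTO urls VALUES (1, 'http://www.example.org/login', 'Login', 1, 1,
                                 12915799500000000);
        INSERT INTO visits VALUES (1, 1, 12915799500000000, 0, 0);
    """)
    return db


def firefox_visits(db: sqlite3.Connection) -> List[Event]:
    rows = db.execute("""SELECT v.visit_date, p.url FROM moz_historyvisits v
                         JOIN moz_places p ON p.id = v.place_id""").fetchall()
    return [(firefox_time(t), "firefox", url) for t, url in rows]


def chrome_visits(db: sqlite3.Connection) -> List[Event]:
    rows = db.execute("""SELECT v.visit_time, u.url FROM visits v
                         JOIN urls u ON u.id = v.url""").fetchall()
    return [(chrome_time(t), "chrome", url) for t, url in rows]


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge per-browser events and order them by normalized UTC time."""
    merged: List[Event] = [e for source in sources for e in source]
    return sorted(merged, key=lambda e: e[0])


def visit_frequency(timeline: List[Event]) -> Dict[str, int]:
    """Number of visits per URL, the 'frequency of access' the tool reports."""
    counts: Dict[str, int] = {}
    for _, _, url in timeline:
        counts[url] = counts.get(url, 0) + 1
    return counts
```

The two epochs are the trap: a Chrome value fed to the Firefox converter lands in the year 2379, and the reverse lands in 1641, so the timeline should normalize every source to UTC before any correlation with Skype, Outlook or logon times is attempted.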

3.4.5 Skype

Skype is communications software that allows users to communicate with each other in real time using VoIP, video chat or text chat. It is unique among IM applications in that Skype runs over a decentralized peer-to-peer (P2P) network rather than routing all communications packets through a central server or cluster of servers (ISO Consensus Paper: Skype, 2009).

For Windows systems, Skype's functionality can be managed at a number of levels. Skype configuration and policy settings are maintained in the following hierarchy:

o HKEY_LOCAL_MACHINE Registry Keys
o HKEY_LOCAL_USER Registry Keys
o XML configuration files in C:\Documents and Settings\<username>\Application Data\Skype\

Skype software uses a number of files to store data. These files relate mainly to historical information: call histories, file transfers, messaging sessions, etc. They also cache user profiles. The interpretation of these log files can yield a significant amount of information about communications that have taken place through the software.

Information available in log files

This section details the information available for extraction from Skype logs. Note that the sequence number allows the order of events to be determined without relying on the resolution of the timestamp. The timestamps give date and time to a resolution of one second.

File-naming convention

Files are stored with a .dbb extension, with the filename consisting of a string describing the contents followed by a number which indicates the record length (e.g. call256.dbb, chatmsg512.dbb, etc.). The minimum record length observed is 256 bytes, with files seen up to 16384 bytes. Items are stored in the smallest length format possible, with blank padding to fill any space remaining in the record. Therefore it is quite common to have multiple files with the same prefix and different record lengths.

Skype Log File Analysis

call*.dbb - Call history
chatmsg*.dbb - Chat history
profile*.dbb - Details of user profiles
transfer*.dbb - Details of file transfers
chat*.dbb - Chat history
contactgroup*.dbb - Unknown
user*.dbb - Local user's profile
voicemail*.dbb - Details of voicemail messages (no contents)

NICA Forensic Tool gets the path of the Skype activity. For each application we define the name, exe file and target path; the input type is DIR, and the source path is [ApplicationData] + \\Skype.

3.4.6 Outlook

Email is one of the most common ways people communicate. From internal meeting requests to distribution of documents and general conversation, one would be hard pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Forensic analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide, and no examination of document discovery is complete without requesting, searching and organizing email.

What is a PST file?

A PST file (personal storage file) is Microsoft Outlook's file format for email storage. This single file is a compound file, like a ZIP file, and can contain thousands of emails, contacts, tasks, and calendar entries. To view the contents of a PST file, the file can be mounted in Outlook or in specialist forensic tools such as EnCase. PST files are important, if not critical, in forensic and electronic discovery investigations as they provide one of the primary storage methods for email within companies.

NICA Forensic Tool gets the path to the Outlook application's PST file. For each application we define the name and file target path: the target name is Microsoft Outlook, the input type is KEY (registry key), the source path is HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, the value name is 001f6700 (works for Outlook 2003-2007) and the output type is L for List Value. 001f6700 is a subkey that contains a byte array which, when converted and parsed, gives the path to the PST file.
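How the 001f6700 byte array "converts and parses" into a path, as an added Python example that is not NICA's code. Outlook profile values in the registry are named after their MAPI property tag written as type then id in hex: for 001f6700 the type is 0x001F (PT_UNICODE) and the id is 0x6700, so the data is a NUL-terminated UTF-16LE string; a sibling value named 001e6700, when present, carries the same property as an ANSI (PT_STRING8) string. The byte array decoded below is constructed, and the ANSI code page used for the 001e case is an assumption (the real one is the machine's system locale).

```python
"""Decode the Outlook profile value 001f6700 into a PST path.
Added example, not NICA's code.  The value name is a MAPI property tag written
as <type><id> in hex: 001f = PT_UNICODE (UTF-16LE), 001e = PT_STRING8 (ANSI),
6700 = the PST path property.  The registry data below is constructed.
"""
from typing import Tuple

PT_STRING8 = 0x001E   # 8-bit ANSI string
PT_UNICODE = 0x001F   # UTF-16LE string

# Constructed registry data: what a read of the 001f6700 value would return.
SAMPLE_VALUE_NAME = "001f6700"
SAMPLE_VALUE_DATA = (
    r"C:\Documents and Settings\acastro\Local Settings\Application Data"
    r"\Microsoft\Outlook\Outlook.pst"
).encode("utf-16-le") + b"\x00\x00"


def mapi_tag(value_name: str) -> Tuple[int, int]:
    """Split an 8-hex-digit profile value name into (property id, property type)."""
    if len(value_name) != 8:
        raise ValueError("expected 8 hex digits, got %r" % value_name)
    prop_type = int(value_name[:4], 16)   # first four digits: property type
    prop_id = int(value_name[4:], 16)     # last four digits: property id
    return prop_id, prop_type


def decode_pst_path(value_name: str, raw: bytes, ansi_codepage: str = "cp1252") -> str:
    """Decode the byte array according to the string type encoded in its name.
    The ANSI code page is an assumption; the real one is the system locale."""
    _, prop_type = mapi_tag(value_name)
    if prop_type == PT_UNICODE:
        text = raw.decode("utf-16-le", errors="replace")
    elif prop_type == PT_STRING8:
        text = raw.decode(ansi_codepage, errors="replace")
    else:
        raise ValueError("value %s is not a string property (type 0x%04x)"
                         % (value_name, prop_type))
    # The registry data includes the string terminator; stop at the first NUL.
    return text.split("\x00", 1)[0]
```

Treating the value name as a typed tag rather than a magic constant is what makes the same routine work for the 001e variant, and it refuses values whose type is not a string instead of decoding binary data into a nonsense path.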

3.4.7 Instant Messenger

MSN Messenger has the ability to keep an indefinite log of all conversations.


In MSN Messenger select the Tools menu, the Options... menu item, and then the Messages tab. At the bottom of the dialog is an item labeled Message History. Select it and your conversations will be recorded in the directory listed in the box below (see Fig. 13). When conversations are saved in the listed directory you'll find several files, typically one per person that you've had a conversation with. The files will all end with ".XML".

Figure 13. Instant Messenger menu default settings.

There is not a way that I know of to retrieve the IM messages unless logging has been enabled. Conversations, when not being archived, may never even hit the disk, so there's nothing to be recovered. There might be small, tiny chances that some memory swapping happened and that a fragment landed on disk, but again the chances are small and it was probably immediately overwritten. The same tiny chance applies for any equipment that the conversation traveled through (Notenboon, 2004). Instant messaging applications can provide strong evidence in certain cases (Farmer, 2008). Windows Messenger, MSN Messenger and Windows Live Messenger generally utilize any of the three following keys:

HKEY_CURRENT_USER\software\Microsoft\Messenger Service
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger (see Fig. 14)
HKEY_LOCAL_MACHINE\Software\MICROSOFT\Messenger Service

Figure 14. Windows Live Messenger keys location.

NICA Forensic Tool passes the parameters through the code for where to look for the files: C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Messenger; what files to look for: ContactsLog.txt; and where to output the results: save the information in the database. This one was the most challenging because there was not any information available about how to get the information that we need. I had to look into several files and, through a lot of trial and error, I found the one that contained the information needed. Once all the information is gathered in the dataset, the program saves the information in the SQLite database.


3.5 Understanding the Data Flow

Figure 15. Data Flow Diagram.


The application allows for creating a new case (1) or opening an existing one (4). For a new case the user needs to enter the properties of the case (2), such as the Case ID number, the charges associated with the case, the forensic analyst's or investigator's name, and a short description that identifies the case or any relevant notes. The case is then saved (3) to the database. Once saved, the case status is set to open automatically (4) and the user can execute the parser tool (5). When the parser tool is executed, the application gets the user profiles by reading the Names value of the Windows registry. For each user profile found (6) we check whether it is the logged-in user, that is, the active user (7). If it is not the logged-in user, we get the Hive file (NTUSER.DAT) of the user corresponding to the HKU key of the user named in the User Profile (8); then we proceed to obtain the paths of the folders and/or files that we are going to evaluate (9). This process is based on a series of parameters established for each application's activity. The search for the paths, folders and files is done by: Key (Windows registry), DIR (a specific location, like the ones for the Google Chrome browser and Skype) and INI (a file that contains a section where we can find the paths to follow, like the Firefox browser). Before we read the target paths, the program verifies that the application is installed under the sub key software\Microsoft\CurrentVersion\App Paths\ (the Skype path is located under software\Skype\Phone). To read from a non-active user, the reading is done under HKU\[username]; otherwise under HKLM. Once the information is gathered, if it is a non-active user (10) we get the Hive File (11). This process repeats itself until we reach the last user in the user profile list. Once the data for the users is obtained, we establish a list of jobs considering the particularities of each application and the tools to be used (12). This list is displayed to the investigator before proceeding to execute the parser.

When the parser is executed, we clean the pre-existing data in the database (12) and a principal thread is sent to the job list (14). This thread is in charge of searching the job list; it serves each one of the jobs contained in the list (15) and executes another thread in the background (16). If the analysis is done with the internal process (17), the corresponding method is executed through delegation (18), where we proceed to create a dataset that contains the tables (19), extract the data from the activity of the target application and store it temporarily in the dataset (20); when the process ends the data is stored in the database (21). When an external tool is used for parsing (17), an asynchronous thread executes the tool (22) and checks whether the alternative process has ended (23). The external tools create XML files containing the activity of the applications; the tools add invalid tags or non-standard characters, so before an XML file is created (24) it has to be sanitized (25), and then the data is saved in the database (26) until the job list is done (27). After the parser has been executed (29) you can see all the activities displayed in the viewer (28).
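The sanitize-then-store step (24) to (26) above, as an added example that is not part of the NICA tool's code: it strips the control characters and bare ampersands that make a tool's XML report unparsable, parses the <item> elements and loads them into an in-memory SQLite table. The element names, the username and the sample report are constructed for this example and do not claim to match any real utility's output format.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of a cache-viewer XML report (hypothetical element names).
# The first URL carries a bare '&' and the last content type carries a BEL
# control character; a strict XML parser rejects both until they are sanitized.
SAMPLE_REPORT = (
    '<?xml version="1.0"?>\n'
    "<cache_list>\n"
    "  <item>\n"
    "    <filename>index[1].htm</filename>\n"
    "    <url>http://example.test/page?a=1&b=2</url>\n"
    "    <last_accessed>8/24/2010 9:16:02 PM</last_accessed>\n"
    "    <content_type>text/html</content_type>\n"
    "  </item>\n"
    "  <item>\n"
    "    <filename>logo[1].png</filename>\n"
    "    <url>http://example.test/logo.png</url>\n"
    "    <last_accessed>8/24/2010 9:16:05 PM</last_accessed>\n"
    "    <content_type>image/png\x07</content_type>\n"
    "  </item>\n"
    "</cache_list>\n"
)

# Columns captured per cache entry (hypothetical subset of what the viewers report).
FIELDS = ("filename", "url", "last_accessed", "content_type")

# Code points XML 1.0 forbids: the C0 controls other than tab, LF and CR.
ILLEGAL_XML_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
# An '&' that does not begin a well-formed entity or character reference.
BARE_AMPERSAND = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)")


def sanitize_xml(text: str) -> str:
    """Drop illegal control characters and escape bare ampersands so a strict
    parser accepts the report; already well-formed entities are left alone."""
    text = ILLEGAL_XML_CHARS.sub("", text)
    return BARE_AMPERSAND.sub("&amp;", text)


def parse_cache_report(xml_text: str):
    """Return one (filename, url, last_accessed, content_type) tuple per <item>."""
    root = ET.fromstring(sanitize_xml(xml_text))
    return [tuple(item.findtext(f, default="") for f in FIELDS)
            for item in root.iter("item")]


def store_activity(conn, username, application, rows):
    """Insert the parsed rows into an 'activity' table keyed by user and
    application, and return the number of rows now stored."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS activity ("
        " username TEXT, application TEXT, filename TEXT, url TEXT,"
        " last_accessed TEXT, content_type TEXT)")
    conn.executemany(
        "INSERT INTO activity VALUES (?, ?, ?, ?, ?, ?)",
        [(username, application) + row for row in rows])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM activity").fetchone()[0]


def run_demo():
    """Sanitize the sample report, parse it and load it into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    rows = parse_cache_report(SAMPLE_REPORT)
    count = store_activity(conn, "jdoe", "IECacheView", rows)
    return rows, count


if __name__ == "__main__":
    parsed, stored = run_demo()
    for row in parsed:
        print(row)
    print("rows stored:", stored)
```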


Chapter 4 External Tools used with NICA Forensic Tool

Microsoft Log Parser is distributed by Microsoft; Outlook Redemption was developed by Dmitry Streblechenko and can be downloaded for free from his web site dimastr/redemption. IECacheView, IEHistoryView, MozillaCacheView and ChromeCacheView are utilities developed by Nir Sofer, who is the owner of NirSoft. NirSoft is a web site that provides more than a hundred free utilities. The Log Parser and Outlook Redemption tools are .dll libraries integrated into the forensic tool. ChromeCacheView, IEHistoryView, IECacheView and MozillaCacheView are utilities that are executed through the program. The parameters and the paths to the applications are passed through the code with the help of Log Parser. The utilities generate an XML report that needs to be sanitized; then the XML reader reads the XML files and saves the information in the SQLite database. ChromeCacheView, IECacheView and MozillaCacheView are utilities used in the NICA Forensic Tool to read the cache folder. The cache folder contains Web page content that is stored on the hard disk for quick viewing. IEHistoryView reads the Internet History. Internet History is a record of all the sites visited. SQLite is an open source ADO.NET database. It is used to save all the case information and reports. It was selected as the database because it is serverless and compact, and primarily because it is used by Mozilla Firefox and Google Chrome to record cookies, history, bookmarks, passwords and user information. Outlook Redemption is used to access and manipulate MAPI profiles and accounts. Microsoft Log Parser is used to slice and dice log file types. It can process and query all the common log formats and can address the file system and the registry as well.

4.1 Internet Explorer Cache View (IECacheView)

Internet Explorer Cache View is a small utility that reads the cache folder of Internet Explorer and writes the content to a file that is then read into the Forensic Tool. For each cache file, the following information is captured and displayed: Filename, Content Type, URL, Last Accessed Time, Last Modified Time, Expiration Time, Number of Hits, File Size, Folder Name, and the full path of the cache filename. NICA Forensic Tool calls the IECacheView utility and passes the parameters of where to look for the files (C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files), what files to look for (the folder Temporary Internet Files) and where to output the results (a temp file in the forensic main temp folder), and then saves the information in the database.

Advantages over the 'Temporary Internet Files' viewer of Windows

The reasons the NICA Forensic Tool uses IECacheView instead of reading the information directly from the Temporary Internet Files folder are: IECacheView displays only the list of cache files, while the cache view of Windows displays a mix of cookies and cache files; IECacheView allows you to filter the cache files by file type (image, text, video, audio, or application); and it allows you to view the cache files of another user or from another disk, while with the Windows viewer you can only view the cache of the currently logged-on user. IECacheView also displays some columns that are not displayed by the cache viewer of Windows: Content Type, Number of Hits, Sub-folder Name, and the full path of the cached filename.

4.2 Internet Explorer History Viewer (IEHistoryView)

Each time that you type a URL in the address bar or click on a link in Internet Explorer browser, the URL address is automatically added to the history index file (See Fig. 16).

Figure 16. IE History file content.

When you type a sequence of characters in the address bar, Internet Explorer automatically suggests all URLs that begin with the character sequence that you typed (unless the AutoComplete feature for Web addresses is turned off). However, Internet Explorer doesn't allow you to view and edit the entire URL list that it stores inside the history file. The location of the history folder differs from one operating system to another. On Windows 2000/XP, the History folder is located inside the "Local Settings" folder of your user profile. For example: C:\Documents and Settings\Administrator\Local Settings\History. The "Local Settings" folder is hidden by default, so you won't see this folder unless your system is configured to display hidden files and folders.

NICA Forensic Tool calls the IEHV utility and passes the parameters of where to look for the files (C:\Documents and Settings\Administrator\Local Settings\History), what files to look for (the folder History) and where to output the results (a temp file in the forensic main temp folder), and then saves the information in the database.

The Typed URLs List

Most URLs that you visit are saved in the History folder. However, Internet Explorer also saves the last 25 URLs that you typed in the following Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. By default, IEHistoryView doesn't display the URL list from the Registry, but the NICA Forensic Tool passes the parameters that enable this feature. The URL list from the Registry is captured and displayed in addition to the list of all URLs stored in the History folder.

4.3 MozillaCacheView

Mozilla Cache View is a small utility that reads the cache folder of Firefox/Mozilla Web browsers and writes the content to a file that is then read into the Forensic Tool. For each cache file, the following information is captured and displayed: URL, Content Type, File Size, Last Modified Time, Last Fetched Time, Expiration Time, Fetch Count, Server Name, and more. Starting with Firefox 3, a new file format is used to record browser history information. Rather than storing this information in a flat file, the information is kept in an SQLite database (See Fig. 17).

Figure 17. Google Chrome SQLite Database Structure.

Firefox stores most of its data in files instead of the registry. They are easy to find, in individual folders, and it is very easy for a user to wipe the folders securely. This is a nice feature for users but a nightmare for computer forensics because there is no easy way to retrieve the deleted information.

Using MozillaCacheView

The cache folder of Mozilla Firefox is located under: C:\Documents and Settings\[User Name]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[Profile Name]\Cache (See Fig. 18).

Figure 18. Location of Mozilla Firefox Cache files.

NICA Forensic Tool calls the MozillaCacheView utility and passes the parameters of where to look for the files (C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox\Profiles\zb0ttcz.default\cache), what files to look for (the folder cache) and where to output the results (a temp file in the forensic main temp folder), and then saves the information in the database.

4.4 ChromeCacheView

Chrome Cache View is a small utility that reads the cache folder of the Google Chrome web browser and writes the content to a file that is then read into the Forensic Tool. For each cache file, the following information is captured and displayed: URL, Content Type, File Size, Last Accessed Time, Expiration Time, Server Name, Server Response, and more.

Chrome Cache Folder location

The cache folder for Google Chrome is located under [User Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache (See Fig. 19).

Figure 19. Location of Google Chrome Cache files.

NICA Forensic Tool calls the ChromeCacheView utility and passes the parameters of where to look for the files (C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache), what files to look for (the folder cache) and where to output the results (a temp file in the forensic main temp folder), and then saves the information in the database.

4.5 SQLite

SQLite is an embeddable database system that uses flat files. It does not need to be started, stopped, configured, or managed like other SQL databases. It is lightweight, fast, and compact, and it works completely out of the box without any configuration. The entire database (definitions, tables, indices, and the data itself) is stored as a single cross-platform file on a host machine. This simple design is achieved by locking the entire database file during writing (Kristianto, 2009).

Advantages of SQLite

Some of the advantages are: zero configuration, serverless, a single database file, a stable cross-platform database file, compact size, variable-length records, and free with a public domain license.

Disadvantages of SQLite

Some of the disadvantages are that in most cases the database size is restricted to 2 GB, it locks the whole file while writing, it has no caching mechanism, and it is not very scalable.

4.6 Microsoft Log Parser

Microsoft log parser queries everything with SQL. It lets you slice and dice a variety of log file types using a common SQL-like syntax. It's an incredibly powerful concept, and the LogParser implementation doesn't disappoint. This architecture diagram from the LogParser documentation explains it better (See Fig.20).

Figure 20. Log Parser architecture diagram.

Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces, and so on. Once the data is in the pipe, you can process it using SQL statements; for example, to select certain portions of the data by using a SELECT query. Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output. Log Parser consists of three components: 1) the input engine, 2) the SQL query engine, and 3) the output engine. The input and output engines are truly incredible and, combined, make this tool shine. When investigating network intrusions, you are faced with analyzing logs from many sources, none of them compatible with the others. Log Parser can accept almost any common log format and output it into one of many formats of your choosing. When you are done, you can combine all your disparate logs into one common format for analysis. At any point in the process you can subject your logs to a query so that you narrow down the data to that which is relevant. While many GUI tools are out there that provide filters, even those that allow the user to build custom filters can't compare with the power of writing a custom SQL query in Log Parser. As an intrusion investigator / forensic examiner, you are tasked with mastering many tools to get your work done. It would be nice if we only had to master a couple of tools, but such will never be the case. We can, however, limit the number of tools we have to use if we make careful selections. Whenever you can use one tool that will handle multiple tasks instead of multiple tools for the same number of tasks, that should be your tool of choice. Log Parser fits this criterion as it can process and query all the common log formats and can address your file system and your registry as well, including those of remote systems (Bunting, 2006).

Using Log Parser

One of the cooler things about Log Parser is that it is exposed via a COM interface, so the tool can be scripted or called from your application (like the NICA Forensic Tool). It uses SQL queries that are very straightforward and very easy to use. It makes a programmer's life easier because it helps to find registry key information without much hassle. NICA Forensic Tool uses Log Parser to get all the SIDs that start with S-1-5-21, because they belong to the user profiles. Log Parser is also used to find the logged-in user and the users that are not logged in but have a user profile. These are some examples of how Log Parser can be used:

Open the command line interface (cmd.exe) in the root of the folder "C:\Program Files\Log Parser 2.2", where the executable "logparser.exe" lies. From the command line interface, type in the following: logparser.exe -i:EVT -o:NAT "SELECT TimeGenerated, EventID FROM System" (See Fig. 21).

Figure 21. Log Parser output to the console.

Another output feature of Log Parser is its "DATAGRID" output. Instead of dumping the query to the screen, you can send it to a GUI interface. To send it to a datagrid, enter the following: logparser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated, EventID, message FROM System" and you should see the following (See Fig. 22).

Figure 22. Log Parser output to a data grid.

4.7 Outlook Redemption

Outlook security patches prevent users from listing the internet headers of the emails they receive; most of the header information is not accessible. Outlook Redemption is a regular COM object that allows access to any properties and methods available on an original Outlook item, both blocked and not blocked. With Outlook Redemption you can: make your code run unaffected by the Security Patches; access properties not exposed by the Outlook Object Model (internet message headers, sender e-mail address and hundreds more properties); display the Address Book; directly access the RTF body of any Outlook item; import MSG, EML (RFC822) and TNEF files; export messages to the MSG, EML, TXT, HTML, TNEF, iCal and vCard formats; access and manipulate Outlook accounts (Outlook 2002 and above, RDO library); create, access and manipulate MAPI profiles and accounts; access MAPI stores; access Outlook nicknames; manage Junk Mail settings; manage categories; and directly access message attachments as strings or as arrays without saving them as files first. Redemption supports Outlook 98, 2000, 2002, 2003, 2007 and 2010 32-bit (Streblechenko, 2010).

NICA Forensic Tool passes the parameters through the code of where to look for the files (C:\Documents and Settings\<username>\My Documents), what files to look for (Personal Folder .pst files) and where to output the results (the database). With the basic information of where to look for the pst(s), the NICA Forensic Tool first loops through all pst(s) one at a time; then, within each pst, it loops through all messages in the pst and gathers the pertinent information, including the created and modified dates for the messages as well as attachments, and saves this information in a dataset. Once all information is gathered in the dataset, the program saves the information in the SQLite database.

Chapter 5 Cracking a Criminal Case Using the NICA Forensic Tool

5.1 Criminal Case Statement

The legal process for computer investigations of potential criminal violations of the law depends on local customs, legislative standards and rules of evidence. In general a criminal case follows three stages: the complaint, the investigation and the prosecution. Complaint: Colorado Springs Police Department agents received information that an employee of All About Cats was downloading images of child pornography on his work computer. Investigation: A search warrant was executed at the All About Cats building. Agents conducted a preview examination of Doe's hard drive and discovered numerous image files of children engaged in sexually explicit conduct. During the investigation, Doe stated that he had about 13, 0000 images of child pornography, ranging in age from toddlers to teens. Prosecution: The First Appearance court date is scheduled for November 3, 2010.

The extent of the search is tailored to the extent of the probable cause. If the police wish to seize a computer and analyze it at a later time, the probable cause statement should demonstrate the impracticability or danger of examining the computer on the premises, hence the need to confiscate it and analyze it off-site. The forensic technician considered that the investigation should be done on the premises since some network connections to the server might be needed.

5.2 Computer Forensics Analysis

Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data to process. Criminal investigations are limited to finding data defined in the search warrant, and civil investigations are often limited by a court order for discovery. Investigations often involve locating and recovering a few specific items, which simplifies and speeds processing. Although there are some basic principles that apply to almost all computer forensics cases, the approach taken depends largely on the specific type of case to be investigated. Mr. Doe's case requires gathering email information, so the case will involve more than accessing network logs and email server backups to locate specific messages. The investigator may need to contact the ISP and the e-mail service. Mr. Doe stated that he did not download any images, and that those images were planted on his computer by an employee who was jealous of him and wanted to get him fired. NICA Forensic Tool was designed as a helping tool to aid investigators in their daily fight against crime. NICA Forensic Tool is the tool chosen by the forensic technician; it is the perfect tool for this specific case because, at the moment, it is the only free tool that provides a wide range of information

5.3 Finding Evidence

Finding evidence is usually done by the forensic technician. He or she uses the tools available and, more importantly, their expertise in their area. Mr. Holmes is the forensic technician designated to find the evidence for this case. His first step is to insert the thumb drive with the NICA Forensic Tool on it and run the program. Then, he will enter the new court case number that has already been assigned as well as other information and notes important to the case: C021CR20103456, type of case: Child Pornography, investigator's name: Holmes (See Fig. 23). The technician will run the parser to collect the information (See Fig. 24). Once it is done, the technician will open the viewer and select the user and timeline (See Fig. 25), select a date, view the activities and mark the ones that look suspicious or are important for evidence (See Fig. 26). Then the preferred time frame between activities is selected; for this demonstration, we are using the 15 minute time frame. It will display activities that occurred 15 minutes before and 15 minutes after the previously selected suspected activity. The suspicious activities (See Fig. 27) corresponding to the selected time frame will be displayed in a separate screen to facilitate the interpretation of the data (See Fig. 28).

Figure 23. Enter New Case Information.

Figure 24. Run parser to get activity entries.

Figure 25. User profile and timeline for activities.

Figure 26. Mark items that seem suspicious.

Figure 27. Enter the preferred time frame between activities.

Figure 28. View the suspicious activities and surrounding activities that were marked.

Surrounding activities that require a login and/or are not browser activities are colored blue to get the investigator's attention (See Fig. 28). A percent probability is displayed by the suspected activity previously selected. This case shows that there is an 83.68 % probability that the suspect committed the crime. Also, there is the option of right-clicking any activity and getting more detailed Outlook email information (See Fig. 29). It will display information such as the sender, receiver, subject, received date and time, and sent date and time. Another Outlook search option is viewing items by pattern (See Fig. 30); this option allows the investigator to search all the emails that were sent to or received from a particular email address (See Fig. 31). The window viewer will display all the email activities between the email addresses already selected (See Fig. 32). The information will be displayed in a date tree form. A specific date can be selected, and the information for that date will be displayed in time order. Searching by keywords is another search option available for investigators (See Fig. 33). It is a very useful feature when a specific search is needed. For example, we can search for a particular word in any of the fields, like subject, email address, website, instant messaging or Skype (See Fig. 34). The window viewer will display all the activities that are within the parameters of the pattern.

Figure 29. Right click to get details of the Outlook activities selected.

Figure 30. Mark items by pattern on the Outlook grid.

Figure 31. Search evidence between two Outlook users.

Figure 32. Report displayed activities that comply with the pattern selected.

Figure 33. Select and mark activities by defined keywords.

Figure 34. Display the amount of activities found.

5.4 Analysis of Evidence Found

On a specific date, evidence shows that the defendant visited the child pornographic web site at 9:16 pm. The defendant states that someone planted the images, but he shows Outlook activity, sending emails to family members at 9:12 pm. Evidence also shows that he logged into his Skype account, using his password, at 9:21 pm, and there are also several sites visited in the 15 minute window selected. In conclusion, there is strong evidence that the defendant visited the child pornographic site, based on the following facts: the suspect logged in to Skype five minutes after he allegedly visited the site and he sent an email to a family member four minutes before. That information puts him at his desk between 9:12 pm and 9:21 pm. Also there is evidence that he previously visited this site at least five times on different dates and times. It can be stated that there is more evidence that he did it than that the images were planted.

5.5 Evidence Math

We need to evaluate the evidence using statistics. We have two variables, Time and Weight: the time that the activity occurred and the weight or points that we assign to each activity according to its proximity to the main suspicious activity. Let's assume that we want to look at the relationship between time and weight. We collect some information about the number of activities that occurred during a time period of 15 minutes. Time is measured in seconds, and Weight is measured in points using a 1-15 rating where a higher score means a more relevant activity. Looking at the previous evidence data (See Fig. 28), we have the suspicious activity at 9:16 pm on 8/24/2010. We already selected the time frame of 15 minutes before the suspicious activity and 15 minutes after it. The window viewer will display any existing activities between 9:01 pm and 9:36 pm. Observing the data, we find that we have two Outlook activities, at 9:12:10 pm and 9:12:20 pm. The first activity occurred 4 minutes and 10 seconds before the suspicious activity and the second activity occurred 4 minutes and 20 seconds before the suspicious activity. Analyzing the data, the event time frame is +/- 15 minutes, so an activity 4 minutes away from the suspicious activity gets 12 points, and each additional second is divided by 60, e.g. 10/60 = 0.1666, so the first activity gets 12.16 points and the second activity 12 + (20/60) = 12.33 points. At the end we add the total points for each activity and divide by the number of events/activities to get the average points. Then the average points are divided by the window time frame and multiplied by 100 to get the percent evidence weight. The math to calculate the evidence weight is:

Total Points / events = average points
Average points / time frame * 100 = evidence weight

The mean in our example is 10.77 and the standard deviation is 2.812. From the above, we can estimate that approximately 95% of the scores will fall in the range 10.77 - (2 * 2.812) to 10.77 + (2 * 2.812), or between 16.394 and 5.146 minutes. This kind of information is a critical stepping stone to enabling us to compare the performance of an individual on one variable with their performance on another, even when the variables are measured on entirely different scales.
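The +/- 15 minute window selection of section 5.3 and the scoring above, worked through as an added example that is not the thesis's own code. The per-minute rule is reconstructed from the single data point the text gives (4 minutes away = 12 points on the 1-15 scale), so "window + 1 - minutes" is an assumption, as are the sample clock times, which are constructed to reproduce the 4 min 10 s and 4 min 20 s offsets.

```python
from datetime import datetime
from statistics import mean, stdev

TIME_FMT = "%I:%M:%S %p"   # clock format as shown in the viewer, e.g. "9:12:10 PM"


def seconds_between(suspect_time: str, activity_time: str) -> float:
    """Signed offset of an activity from the suspicious activity, in seconds
    (negative means before). Both are same-day clock times in TIME_FMT."""
    t0 = datetime.strptime(suspect_time, TIME_FMT)
    t1 = datetime.strptime(activity_time, TIME_FMT)
    return (t1 - t0).total_seconds()


def activities_in_window(activities, suspect_time, window_minutes=15):
    """Keep the surrounding activities that fall within +/- window_minutes of
    the suspicious activity, as (application, clock, offset_seconds) tuples."""
    limit = window_minutes * 60
    kept = []
    for app, clock in activities:
        offset = seconds_between(suspect_time, clock)
        if abs(offset) <= limit:
            kept.append((app, clock, offset))
    return kept


def score_activity(offset_seconds: float, window_minutes: int = 15) -> float:
    """Points for one surrounding activity on the 1-15 scale.
    Assumed rule: whole minutes away give (window + 1 - minutes) points, capped
    at the window, and the left-over seconds are added as seconds/60, which is
    the arithmetic the thesis shows (12 + 10/60 = 12.17, 12 + 20/60 = 12.33).
    Anything beyond the window scores nothing."""
    minutes, seconds = divmod(int(abs(offset_seconds)), 60)
    if minutes > window_minutes:
        return 0.0
    base = min(window_minutes, window_minutes + 1 - minutes)
    return base + seconds / 60


def evidence_weight(points, window_minutes: int = 15) -> float:
    """Total points / events = average points;
    average points / time frame * 100 = evidence weight (percent)."""
    if not points:
        return 0.0
    average = sum(points) / len(points)
    return average / window_minutes * 100


def spread(points):
    """Mean, sample standard deviation and the mean +/- 2 SD band that holds
    roughly 95% of the scores (the band the thesis quotes for its data)."""
    m = mean(points)
    sd = stdev(points) if len(points) > 1 else 0.0
    return m, sd, m - 2 * sd, m + 2 * sd


# Constructed sample: suspicious site visit at 9:16:00 PM, two Outlook
# activities 4 min 10 s and 4 min 20 s earlier, and one IE activity 36 minutes
# earlier that lies outside the window and must be ignored.
SUSPECT_TIME = "9:16:00 PM"
SURROUNDING = [
    ("Outlook", "9:11:50 PM"),
    ("Outlook", "9:11:40 PM"),
    ("IE", "8:40:00 PM"),
]


def analyze(activities=SURROUNDING, suspect_time=SUSPECT_TIME, window_minutes=15):
    """Select the window, score each activity and compute the evidence weight."""
    kept = activities_in_window(activities, suspect_time, window_minutes)
    points = [score_activity(off, window_minutes) for _, _, off in kept]
    return {
        "events": len(kept),
        "points": points,
        "weight_percent": evidence_weight(points, window_minutes),
        "spread": spread(points),
    }


if __name__ == "__main__":
    result = analyze()
    for (app, clock, off), pts in zip(
            activities_in_window(SURROUNDING, SUSPECT_TIME), result["points"]):
        print(f"{app:8s} {clock}  offset {off:+7.0f}s  points {pts:6.2f}")
    print(f"evidence weight: {result['weight_percent']:.2f}%")
```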

Figure 35. Histogram analyzing the data from Fig. 28.

This correlation statistics method is used by several call centers in Colorado Springs to monitor their customer service response time.

We use the same methodology used by call centers because of the similarities between the metrics of a call center and those of a computer user. Telephone calls arrive at random times and independent of each other, and a user visits sites, emails or chats at random times; each activity is independent of the others. Call center metrics are also used as a model for our weighting of the metrics for the forensic tool. The top call center metrics are: Abandon Rate; Average Talk Time (ATT), the average amount of time agents talk to customers; After Call Work (ACW) and Average Handle Time (AHT); Adherence and Shrinkage; Attendance and Punctuality; Service Level and Average Speed of Answer (ASA); First Call Resolution; Occupancy; Cost per Call (Contact); Turnover (Attrition); and Call Quality. Each center decides the weight of each metric depending on its importance. If a call center has 20 criteria for a perfect call and the agent executes 18 of the criteria well, then the agent's score is 90%. The overall quality score for the contact center is the weighted average of all of an agent's quality scores. The forensic tool uses the same theory, but instead of using all the mentioned metrics, we give more weight to activities that are closer in time to the main suspected activity. The weight metric was based on the law enforcement criterion that the closer an activity is to the main suspected activity, the better it is as supporting evidence.

5.6 Relevant Evidence

There are Inclusion and Exclusion Criteria weighted by the investigators of the District Attorney's Office. Note that this is not an official statement, just an opinion based on hypothetical cases.

Inclusion Criteria:
- There is more than one different activity, e.g. visiting a web site and sending an email, and
- The time difference between activities should not be more than 15 minutes.
- The more activities close in time, the more relevant the evidence is.
- The activities show that the user's history previously visited the same web site (very relevant).

Exclusion Criteria:
- There is only one activity and no history of the user visiting the same web site.
- There is more than one activity, but more than 15 minutes apart, and no history of the user visiting the same web site.


Chapter 6 NICA Forensic Tool Analysis

6.1 Functionality Analysis

NICA Forensic Tool was designed as a tool to be used by investigators or forensic analysts. It should by no means be a substitute for the investigator's experience. It will allow the investigators to find the specific suspected sites, the times they were visited and previous history; it will also provide information on whether any other applications like Skype, Instant Messenger or Outlook were used. NICA Forensic Tool uses external tools to help parse the cache files from the IE, Mozilla Firefox and Google Chrome browsers and also to gain access to and parse the Outlook pst files. The external tools just perform the function of parsing the related files; they do nothing other than create an output which the NICA Forensic Tool then consumes. NICA Forensic Tool takes the output of the parsers and uses logic to determine what information is valuable, puts that information in a database, and displays any necessary output. All other tasks of the NICA Forensic Tool, such as cookies, the history file, Skype logs, instant messenger, all GUI displays for all information and all reports, are completely the job of the NICA Forensic Tool.

With this information investigators can mark the suspicious activities and display and analyze the time between any of the activities. That information can be used as evidence. How relevant the information is will depend on the law enforcement policies, but it can be a very powerful tool.

6.2 Performance Analysis

The performance analysis goal is to analyze a small portion of the system independent of other components. For instance, we are interested in studying the performance of the application independent of the type of memory, the size of its memory or the type of processor. I tested the performance of the NICA Forensic Tool on three different computers and obtained the following results:

Computer Name | Activities | Entries | Total Time
Computer 1 | IE, Firefox, Chrome, Skype, Outlook, IM | 25,356 | 5 min, 10 sec
Computer 2 | IE, Firefox, Outlook | 256 | 2 sec
Computer 3 | IE, Firefox, Outlook, IM | 16,381 | 2 min, 12 sec

Table 1. NICA Forensic Tool Performance Analysis

The total time (see Table 1) depends on how many activities are stored on the computer and how many applications are installed. It can be as fast as two seconds or can take several minutes. It was difficult to find volunteers who wanted a forensic tool run on their computer.

6.3 Usage Evaluation

Possible Users of the NICA Forensic Tool

Investigators: police investigators or DA's investigators searching for evidence to support an alleged criminal case.

Forensic Technician: those assisting law enforcement agencies in searching for digital evidence.

System Administrators from large corporations: those investigating whether employees have broken any company computer/network usage policies.

Learning Difficulties and Technical Difficulties for the Users

NICA Forensic Tool is a new application. In the beginning, the user might have some challenges, but it is easy to use. A user's manual is available to each user. It explains step by step each process needed to find and get the evidence needed. Evidence accuracy is an important key in courts of law, so users will be very motivated to find evidence for their case.

Users' Tasks

The actions that the user will perform with the program are:
- Copy the program to the suspected computer.
- Create a New Case or Open a case if one has been previously saved.
- Run the parser to get the quantity of items that the program finds.
- Mark the suspected activities.
- Select the time window between activities.
- Gather additional information by entering a keyword or dates.
- Mark the items by selecting keyword and/or dates.
- Get the time line report by marking suspected activities that occurred in the time frame already specified and/or marked as suspicious activities by keyword and/or dates.

Users' Informational Needs

Users need to read the user manual to understand how the application works. Users can save all the information and retrieve it as needed.

Users' observations from testing the NICA Forensic Tool

The NICA Forensic Tool was tested by three different investigators; each investigator created a case number and used a different computer.

The first investigator report contained the following observations:

He recommended that the user manual have more images to guide him step by step. He used the 30 minute window setting between activities instead of the default value of 15 minutes. He stated that additional activities closer in time to the suspected activity make the evidence more convincing, but that 30 minutes is also reasonable. After he marked a suspected site, the time window activities report displayed the suspected activity and surrounding activities within the 30 minute time frame. He thinks that the information displayed is very valuable and useful in a court of law because the time was very specific. The report also contained detailed information

96 about the suspects logins and usage of other applications within the 30 minute time frame. The evidence found will at least create a doubt in the jurys mind when the evidence shows that the suspect was doing other activities almost at the same time that he/she visited the suspected site. He suggested the ability to print the report in a word document to make it easier to read.

The second investigator reported these observations:

She found that the user manual was very detailed in the step by step instructions and that she could skip some areas. She used the feature of marking by pattern; she wanted to find out if a suspect previously visited a specific site. Windows Time Activities displayed all the requested information. The investigator was pleased with the information found because it could be used in court to prove that the suspect had previously visited the sites. This type of information helps with the theory that the suspect had the intention to commit a crime. She wanted to know if there was a way to find if a suspect visited a site and then later deleted the file trying to cover up his/her crime. She would want this feature added to the NICA Forensic Tool if it was possible. Otherwise she found the information very useful and suggested putting it on the market.

The third investigator observations:

He chose to mark the items by keyword because he has experience looking for evidence in the outlook application. Marking items by keyword allows him to find emails that were sent back and forth between two users. The report displayed

97 information about the sender and receiver and what time each activity occurred. He also tested the feature of finding an email that contained a specific keyword in the subject. The report displayed the information found by date and time. He suggested a future enhancement would be to enable searching information on all the existing email applications like Hotmail, Gmail and Yahoo. Users Learning Preferences Users prefer a user manual, explaining the process step by step.

Chapter 7 Lessons Learned

I learned a great deal about the legal side of forensics and the technical part of forensics. On the legal side, I found out that the laws are very ambiguous, leaving the judges with a lot of room for interpretation of the law. I learned about all the new amendments to the PATRIOT Act and to the search and seizure bill which affect the state of Colorado. In the technical part, I did not know much about the Windows Registry keys; it is amazing how much information can be tracked using them. The information and potential evidence that reside in the Registry make it a significant forensic resource; uncovering this data can be crucial to any computer-related investigation. Another big thing I learned about was the Microsoft Log Parser tool and how useful it can be for tracking daily activities. There are not any standard rules for computer forensics; a tool can be admitted in court in one county and may not be admitted in another county. Even EnCase, which is the most popular tool for forensic investigations, sometimes has issues in court.

Chapter 8 Future Directions

Port the NICA Forensic Tool to different operating systems. Right now it only works on Windows XP. It needs only some changes to adapt it to Windows 7, but it will take more work to run on Mac, Linux or UNIX. Because Microsoft Windows is the most common family of operating systems for the personal computer, with about 90% of the market share, it was selected as the first choice.

Add other networked applications, such as Yahoo, Facebook and Twitter. Technology changes very quickly, and the NICA Forensic Tool needs to adapt and upgrade as fast as the technology does. There will always be a need to upgrade to the latest technology to be effective in today's world.

Make it available to a larger group of users and analyze the feedback for future improvements. The testing group was primarily law enforcement. It would be useful if a group of system administrators tested the tool, to get a different perspective on its use.

Keep up with new features. It is incredible how new features can make work easier for the forensic world. Instant Messenger is adding a feature called log search that lets the user search straight from the log viewer, and it keeps a log file that the NICA Forensic Tool could use. The more logins and indexes we keep on our computers, the more information the NICA Forensic Tool can access.

Chapter 9 Conclusions

I have created a computer forensic tool called NICA Forensic Tool that captures and correlates evidence about web sites visited and related activities in Outlook, Skype and instant messenger. It simplifies the data collection and integrates the access and processing of log records in these networked applications. It analyzes the timing and relevance of the related events to provide a well-organized forensic report that can be admitted in court to support the prosecution of cases. The tool was tried internally by several law enforcement detectives and was requested by an Italian Interpol officer. It was found useful in dramatically simplifying the tasks of performing computer forensic searches in cyber-related crimes, in particular pornography cases. It was also requested by system administrators to monitor employees to ensure they follow the employer's rules pertinent to visiting restricted sites, engaging in unauthorized activities during working hours, participating in unauthorized email usage, or any other violation of the employer's rules that could be tracked using the NICA Forensic Tool.

Forensic analysis of a computer system involves identifying suspicious objects or events and then examining them in enough detail to form a hypothesis as to their cause and effect. Much more cybercrime exists than law enforcement acknowledges or identifies, and there are many techniques that law enforcement is largely unaware of. Because the focus of law enforcement is on recovering files rather than discovering how the files entered the system, there is little emphasis on enhancing systems to collect such data. None of the forensic techniques currently used in court are sufficient to justify claims that implicate a specific person. It is not enough to recover a deleted file or view a standard system log. One has to know the history of files and the events that led up to their creation, viewing, deletion and modification. A criminal conviction requires proving, beyond a reasonable doubt, that a person intentionally downloaded child pornography onto the school's or work's computer. Images might appear on a disk without the computer user knowing about them for many reasons: pop-up images on web sites may download files in the background and save them in the cache; the images could be part of unsolicited spam email; another person may simply have downloaded them, either to view the pornography themselves or to implicate someone else. Many forms of malware are capable of commandeering a computer in order to store and/or redistribute pornography. Such malware would explain the images as well as the corresponding changes to the browser's history. Forensic software used in the vast majority of court cases cannot make the distinction among these methods of file creation (Peisert & Bishop, 2007).

In general, the goal of this thesis was achieved by obtaining the evidence with a timeline to prove that a defendant had the intention to commit a crime. The program will not make a distinction if someone planted the evidence, but if other login activities were performed by the user at the same time or very close in time, it will help the investigator to demonstrate that there is relevant evidence placing the defendant at the place and time of the criminal activities. NICA Forensic Tool helps the prosecutor by providing relevant evidence; the rest is up to him/her.

There are a lot of open source forensic tools available. The most popular forensic tools are very expensive and available mostly to law enforcement agencies. There is no established rule set for capturing forensic evidence; the laws are very ambiguous. Computer forensics is a relatively young area; it is changing very quickly, and our laws are lagging behind. The lack of standardization for forensic tools has allowed different tools to have different ways of generating the data and different formats for outputting the data.

References

Berghel, H. (2003). The Discipline of Internet Forensics (Master's thesis, University of Nevada, 2003). Masters Abstracts. Retrieved June 1, 2010, from ACM Web site: http://portal.acm.org/citation.cfm?id=859687

Berson, T. (2005). Skype. In Skype Security Evaluation (p. 2). Retrieved from http://security.utexas.edu/consensus/s (Brenner & Frederiksen, 2002) skype.html

Brenner, S., & Frederiksen, B. (2002). Computer Searches and Seizures: Some Unresolved Issues. Michigan Telecommunications and Technology Law Review, 8/39, 17, 12-19.

Bui, S., & Enyeart, M. (2003). Issues in Computer Forensics (Master's thesis, Santa Clara University, 2003). Masters Abstracts. Retrieved from SCU Web site: http://www.cse.scu.edu/~jholliday/COEN150sp03/projects/Forensic%20Investigation.pdf

Bunting, S. (n.d.). Log Parser (Microsoft) [Article]. Retrieved from Steve Bunting's Public PGP Key Web site: http://www.stevebunting.org/udpd4n6/forensics/logparser.htm

DownloadAtoZ. (n.d.). Outlook Redemption [Article]. Retrieved May 5, 2010, from DownloadAtoZ Web site: http://www.downloadatoz.com/outlook-redemption/

Friedenberg, M., & Lall, J. (n.d.). Computer Forensics [Article]. In Penn State University (Ed.). Retrieved May 7, 2010, from Penn State Web site: http://faculty.ist.psu.edu/bagby/432Portals/T2/IST%20432%2020Computer%20Forensics.htm

General Assembly, State of Colorado. (n.d.). House Bill 10-1201 [Article]. Retrieved April 29, 2010, from Leg.State.CO Web site: http://www.coloradoattorneygeneral.gov/sites/default/files/uploads/HB10-1201.pdf

Jones, K. (2003, May 6). Forensic Analysis of Internet Explorer Activity Files [Presentation]. Retrieved June 8, 2010, from Santa Clara University Web site: http://www.foundstone.com/pdf/wp_index_dat.pdf

Jones, K. (2003, May 1). Forensic Analysis of Microsoft Internet Explorer Cookie Files [White Paper]. Retrieved from http://sourceforge.net/projects/odessa/files/ODESSA/White%20Papers/IE_Cookie_File_Reconstruction.pdf/download

Kristianto, I. (2009, September 26). Use SQLite ADO.NET with C#. Retrieved May 2, 2010, from IvanKristianto Web site: http://www.ivankristianto.com/softwaredevelopment/visual-studio-net/howto-use-sqlite-ado-net-with-c/943/

Lim, N., & Khoo, A. (2009, June). Forensics of Computers and Handheld Devices: Identical or Fraternal Twins? Communications of the ACM, 52(6). Retrieved from ACM Portal Web site: http://portal.acm.org/citation.cfm?id=1516080&dl=ACM&coll=DL&CFID=7006236&CFTOKEN=84428524

Monnat, D., & Ethen, A. (2004, March). A Primer on the Federal Wiretap Act and its Fourth Amendment Framework [Journal]. Retrieved May 2, 2010, from http://www.monnat.com/Publications/Wiretap.pdf

MozillaZine. (2009, October). Profile folder. Retrieved June 4, 2010, from MozillaZine Web site: http://kb.mozillazine.org/Profile_folder

MozillaZine. (n.d.). Profiles.ini file. Retrieved June 2, 2010, from MozillaZine Web site: http://kb.mozillazine.org/Profiles.ini_file

Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics and Investigations (2nd ed.). Boston: Thomson Course Technology.

NirSoft. (2009). ChromeCacheView. Retrieved from NirSoft.Net Web site: http://www.nirsoft.net/utils/iehv.html

NirSoft. (2009). MozillaCacheView. Retrieved from NirSoft.Net Web site: http://www.nirsoft.net/utils/mozilla_cache_viewer.html

NirSoft. (2009). IEHistoryView v1.55. Retrieved June 5, 2010, from NirSoft.Net Web site: http://www.nirsoft.net/utils/iehv.html

Notenboom, L. (2004). Can I retrieve old MSN Messenger conversations? Retrieved June 3, 2010, from Ask Leo Web site: http://ask-leo.com/can_i_retrieve_old_msn_messenger_conversations.html

Notenboom, L. (2010, July 5). Are you sure there's no way to retrieve MSN Messenger history without archive messages selected? Retrieved July 10, 2010, from Ask Leo Web site: http://ask-leo.com/are_you_sure_theres_no_way_to_retrieve_msn_messenger_history_without_archive_messages_selected.html

Ohm, P. (2009). The Fourth Amendment Right to Delete. Harvard Law Review, 122(5), 2-6. Retrieved from Harvard Law Review Web site: http://www.harvardlawreview.org/forum/issues/119/dec05/ohm.pdf

Peisert, S., Bishop, M., & Marzullo, K. (2006, February 1). Next Generation Digital Forensics. Communications of the ACM, 49(2), 44-47. Retrieved from ACM Web site: http://portal.acm.org/citation.cfm?id=1113034.1113074&coll

Peisert, S., Bishop, M., & Marzullo, K. (2008, April). Computer Forensics in Forensis. Communications of the ACM, 42(3), 112-122. Retrieved from ACM Portal Web site: http://portal.acm.org/citation.cfm?id=1368521

Reyes, A., & Wiles, J. (2007). The Best Damn Cybercrime and Digital Forensics. Boston: Syngress Publishing Inc.

Schneier, B., & Kelsey, J. (1999, May). Secure Audit Logs to Support Computer Forensics. ACM Communications, 2(2), 159-176. Retrieved from ACM Web site: http://portal.acm.org/citation.cfm?id=317089

Skibell, R. (2003). Cybercrimes and Misdemeanors: A Reevaluation of the Computer Fraud and Abuse Act. Berkeley Technology Law Journal, 18, 1-36. Retrieved from Law Berkeley Web site: http://www.law.berkeley.edu/journals/btlj/articles/vol18/Skibell.web.pdf

Skype Confidential. (Ed.). (2009). Skype Log File Analysis. Retrieved from Scribd Web site: http://www.scribd.com/doc/9676016/Skype-Log-File-Analysis

Streblechenko, D. (n.d.). What is Outlook Redemption? Retrieved September 23, 2009, from Dimastr Web site: http://www.dimastr.com/redemption/

US Dept. of Justice. (n.d.). Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Retrieved September 2, 2009, from CCIPS Web site: http://www.cybercrime.gov/ssmanual/index.html

US-CERT. (2008). Computer Forensics. Retrieved from us-cert.gov Web site: http://www.us-cert.gov/reading_room/forensics.pdf

User:Peterl/Outlook Redemption. (2010, December 12). Retrieved May 4, 2010, from Wikipedia: http://en.wikipedia.org/wiki/User:Peterl/Outlook_Redemption

Wegman, J. (n.d.). Computer Forensics: Admissibility of Evidence in Criminal Cases [White Paper]. Retrieved June 3, 2010, from University of Idaho Web site: http://www.cbe.uidaho.edu/wegman/Computer%20Forensics%20AA%202004.htm

Wikipedia. (n.d.). Computer Forensics. Retrieved from wikipedia.org Web site: http://en.wikipedia.org/wiki/computer_forensics

Winn, P. (2008). Katz and the Origins of the 'Reasonable Expectation of Privacy' Test (Master's thesis, University of Washington School of Law, 2008). Masters Abstracts. Retrieved July 1, 2010, from Social Science Research Network Web site: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1291870

Yang, H. (2008). Registry Hives. Retrieved May 7, 2010, from Herong's Tutorial Web site: http://www.herongyang.com/Windows/Registry-Hives-HKCR-HKCUHKLM-HKU-HKCC-HCPD.html

Appendix A US Criminal Code 2705

US Criminal Code 2705 was modified by Section 213 of the PATRIOT Act.

2705. Delayed notice

(a) Delay of notification.--(1) A governmental entity acting under section 2703(b) of this title may--

(A) where a court order is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order may have an adverse result described in paragraph (2) of this subsection; or

(B) where an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena is obtained, delay the notification required under section 2703(b) of this title for a period not to exceed ninety days upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result described in paragraph (2) of this subsection.

(2) An adverse result for the purposes of paragraph (1) of this subsection is--

(A) endangering the life or physical safety of an individual;

(B) flight from prosecution;

(C) destruction of or tampering with evidence;

(D) intimidation of potential witnesses; or

(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

(3) The governmental entity shall maintain a true copy of certification under paragraph (1) (B).

(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.

(5) Upon expiration of the period of delay of notification under paragraph (1) or (4) of this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail to, the customer or subscriber a copy of the process or request together with notice that--

(A) states with reasonable specificity the nature of the law enforcement inquiry; and

(B) informs such customer or subscriber--

(i) that information maintained for such customer or subscriber by the service provider named in such process or request was supplied to or requested by that governmental authority and the date on which the supplying or request took place;

(ii) that notification of such customer or subscriber was delayed;

(iii) what governmental entity or court made the certification or determination pursuant to which that delay was made; and

(iv) which provision of this chapter [18 USCS 2701 et seq.] allowed such delay.

(6) As used in this subsection, the term "supervisory official" means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency's headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney's headquarters or regional office.

(b) Preclusion of notice to subject of governmental access.--A governmental entity acting under section 2703, when it is not required to notify the subscriber or customer under section 2703(b)(1), or to the extent that it may delay such notice pursuant to subsection (a) of this section, may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in--

(1) endangering the life or physical safety of an individual;

(2) flight from prosecution;

(3) destruction of or tampering with evidence;

(4) intimidation of potential witnesses; or

(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

SEC. 213

AUTHORITY FOR DELAYING NOTICE OF THE EXECUTION OF A WARRANT.

Section 3103a of title 18, United States Code, is amended--

(1) by inserting `(a) IN GENERAL- ' before `In addition'; and

(2) by adding at the end the following:

(b) DELAY- With respect to the issuance of any warrant or court order under this section, or any other rule of law, to search for and seize any property or material that constitutes evidence of a criminal offense in violation of the laws of the United States, any notice required, or that may be required, to be given may be delayed if--

(1) the court finds reasonable cause to believe that providing immediate notification of the execution of the warrant may have an adverse result (as defined in section 2705);

(2) the warrant prohibits the seizure of any tangible property, any wire or electronic communication (as defined in section 2510), or, except as expressly provided in chapter 121, any stored wire or electronic information, except where the court finds reasonable necessity for the seizure; and

(3) the warrant provides for the giving of such notice within a reasonable period of its execution, which period may thereafter be extended by the court for good cause shown.

Appendix B User's Manual

This chapter explains the GUI and the information that the NICA Forensic Tool will provide to the investigator.

Product

NICA Forensic Tool is designed to help forensic investigators find out whether a crime was or was not committed. It is tailored towards web activities related to child pornography, credit card fraud, identity theft, industrial espionage, casual hacks and others. The application gathers the information needed to tell the investigator which web sites the user visited if the browsers used were Internet Explorer, Google Chrome and/or Mozilla Firefox. It will also collect information from Outlook, Skype and Instant Messenger if they are installed on the computer. Finally, it will provide the investigator with a timeline of information for each activity, which allows them to weigh the evidence.

Scope/Purpose:

This new tool is very easy to use; it is a Windows Forms application with a very user-friendly GUI. It is accessible to everybody who meets the system requirements to download the application. It was designed to help forensic investigators by providing more information than just browser information; it supplies a timeline of activities and a weight of the evidence. Most of the information is retrieved from the registry keys, which provide accurate information.

User's Data Flow

Conventions

Dates conform to ISO 8601 to avoid international ambiguity.

Numbers conform to the IEEE convention that spaces separate every three digits and the decimal place is represented by a dot.

Each file has a similar look and feel. Several templates are necessary to cover the different programming languages. A new source file is created by running the appropriate template script and redirecting the output into a new file. Uniform code is used throughout the application along with a naming convention.

Installing the software

System Requirements (General)

Processor: 600 MHz processor. Recommended: 1 gigahertz (GHz) processor.

RAM: 192 MB. Recommended: 256 MB.

Available hard disk space: 1 GB of available space.

Operating system: Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or Windows Vista. For a 64-bit computer, the requirements are as follows: Windows Server 2003 Service Pack 1 x64 editions, Windows XP Professional x64 Edition.

CD-ROM drive or DVD-ROM drive: Required.

Video: 800 x 600, 256 colors. Recommended: 1024 x 768, High Color 16-bit.

Mouse: Microsoft mouse or compatible pointing device.

Information/resources required in the process of installation

All the utilities are included in the application; there is nothing for the user to install.

Deploying the Forensic Tool

The NICA Forensic Tool application will be distributed to investigators on a thumb drive. They should extract the zip file to a location on the computer to be investigated, such as the hard drive (e.g. the user's desktop), open the folder and run (double-click) the forensicTool.exe file to launch the program.

NICA Forensic Tool GUI:

File -> Open Case to create a new forensic case

Under the File menu, investigators have the choice to create a new case or to open an existing case. They can also Save Case, Save Case As, or Exit the application.

If New Case is selected:

Enter the case reference ID; case numbers usually look like C021CR2010002323, but the format depends on the law enforcement department. Forensic Analyst is the name of the forensic investigator, and Notes holds notes relevant to the case.

The case will be saved if the case number was not created and saved before; otherwise a message tells the user that the case already exists.

If the case already exists -> Open Case

Previous cases are saved in a table in the SQLite database.

Find and select the case number to reload the case and run the parser.
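As an added example of the case table described above (this is not the tool's own C# code, and the column names and table layout are assumptions), the following Python snippet stores cases in SQLite keyed by the reference ID, so that saving a second case with the same number is refused by the database itself, and an existing case can be reloaded by its ID. The case number and analyst name used are constructed placeholders.

```python
import sqlite3

# Added illustration of the case table; not the NICA Forensic Tool's own code.
# Column names below are assumptions, not the tool's real schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS cases (
    case_id  TEXT PRIMARY KEY,   -- reference ID such as C021CR2010002323
    analyst  TEXT NOT NULL,      -- the Forensic Analyst field
    notes    TEXT                -- free-text notes relevant to the case
)
"""


def open_db(path=":memory:"):
    """Open (or create) the case database and make sure the table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def new_case(conn, case_id, analyst, notes=""):
    """'New Case': save the record, or refuse it if the ID already exists.

    The PRIMARY KEY makes the duplicate check and the insert one atomic step,
    instead of a SELECT followed by an INSERT that could race. Returns True
    when the case was saved, False when the number was already taken."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO cases (case_id, analyst, notes) VALUES (?, ?, ?)",
                (case_id, analyst, notes),
            )
        return True
    except sqlite3.IntegrityError:
        return False  # the GUI reports "case already exists" at this point


def open_case(conn, case_id):
    """'Open Case': reload a saved case by its reference ID, or None if absent."""
    row = conn.execute(
        "SELECT case_id, analyst, notes FROM cases WHERE case_id = ?", (case_id,)
    ).fetchone()
    if row is None:
        return None
    return {"case_id": row[0], "analyst": row[1], "notes": row[2]}


def list_cases(conn):
    """All saved reference IDs, as the Open Case dialog would list them."""
    return [r[0] for r in conn.execute("SELECT case_id FROM cases ORDER BY case_id")]


if __name__ == "__main__":
    db = open_db()
    print(new_case(db, "C021CR2010002323", "Example Analyst", "constructed test case"))
    print(new_case(db, "C021CR2010002323", "Someone Else"))  # duplicate: False
    print(open_case(db, "C021CR2010002323"))
```

Binding the case ID, analyst and notes as parameters rather than pasting them into the SQL string matters here because these fields are typed in by the investigator; a quote character in a case ID is stored literally instead of altering the query.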

Parser -> Run Parser

Press Start to run the search, or press Cancel.

In this case there are 3 user profiles on the computer; there are 15,883 entries in the IE cache file, 2726 history files, 923 cookies, 6 Firefox history files, 151 Firefox cache files, 71 Firefox cookies, 1189 Chrome history files and 788 Chrome cache files.

There are also Skype, Outlook and Windows Live Messenger entries if those programs are run on the investigated computer.

Viewer allows the investigator to view user profiles, Internet Explorer, Firefox, Chrome, Skype, Outlook, Windows Live Messenger and timeline activities for each user.

Viewer -> Internet Explorer -> History to view the Internet Explorer history

The IE history file contains the user's URL, the title of the site, how many times the site was hit, the date the file was last modified, the expiration time, the subfolder if there is any, and the user name. The title gives the name of the specific site and a little more information about it; this feature helps investigators glance faster through the information and find the suspected sites. E.g. the URL Durango.org does not tell the investigator much, but the title "Colorado vacation: Colorado sightseeing Durango area" gives more specific, easy-to-read information.

The following procedures can be done with each of the browsers (Internet Explorer, Firefox and Chrome) and can be used on each grid that contains the history, cache and cookie files for each browser.

To find all the Internet Explorer visits to any Durango site, investigators need to right-click the activity, select Mark items by pattern and enter Durango as the keyword to be searched.

There are 5 items found that contain the keyword Durango.

After the entries have been selected by the NICA Forensic Tool, it is easier to display all the information found by itself. Go to Viewer -> Time Window Activities to view the suspected activities.

The Time Window Activities grid displays the days and times that the suspect visited the sites that contain the keyword Durango. E.g. on 4/28/2010 sites containing the keyword Durango were visited five times: at 8:47 am, 8:47 am, 10:37 am, 10:43 am and 10:46 am.

If more information about the site is needed, right-click and select Properties. A window will display more information about the site.

Internet cache files and cookie files

Viewer -> Internet Explorer -> Cache displays the Internet Explorer cache file. The information displayed is the file name (which can be a GIF file, for example), the content type that explains what type of file it is (such as an image file), the URL, the time the file was created, the time the file was last modified, the expiration time, how many times the file was hit, the file size, the subfolder location, the full path and the user name.

Viewer -> Internet Explorer -> Cookies displays the IE cookie information: web site, modified time, last accessed time, created time, file name, missing file, file size and user name.

Viewer -> Firefox -> History

It displays the URL, last visited time, how many times the site was visited, referrer (tracks redirected links), web site title, visit type (such as link or typed URL) and user name.

Viewer -> Firefox -> Cache displays the information in the Firefox cache files: file name, content type, URL, file size, how many times the site was visited, last time the file was modified, last fetched, expiration time, server name, server response, server time, server last modified, content encoding, cache name, cache control, entity tag and user name.

Viewer -> Firefox -> Cookies displays the information in the cookie files: domain host, path, value, expiration time, last accessed time, secure, domain access, line ID and user name.

Viewer -> Chrome -> History

It displays the Chrome history information: URL, last visited time, how many times it was visited, referrer, title, visit type, redirect type and user name.

Viewer -> Chrome -> Cache displays the cache file information: file name, content type, URL, file size, last accessed time, expiration time, server name, server response, server time, server last modified, content, cache name, cache control, entity tag and user name.

Viewer -> Chrome -> Cookies displays the cookie information: domain host, path, value, expiration time, last accessed time, secure, domain access, line ID and user name.

Skype Activities

If Skype is installed on the investigated computer, a list of activities will show under Viewer -> Skype. If it is not installed or has no activities, it will show zero activities.

The fields are: record number, action type (chat message, outgoing call, incoming call, video), action time, Skype user, display name (the Skype user name is most of the time just a nickname, not the name of the user), duration of the current activity, the chat message (note that call contents cannot be retrieved), chat ID, file name, Skype account (when an account is set up, a user name and password need to be created; the Skype account is that user name) and user name (who logged into the computer). Specific Skype activities can also be found by right-clicking and choosing Mark items by pattern to select information such as with whom the suspect was communicating, at what time and on what days.

The total number of activities will be shown.

The Time Window Activities viewer will display all the activities that comply with the requested parameters. Dates, times and activity details will be available to the investigator to help in the search for evidence.

135

Outlook Activities This viewer will display if Outlook has any activities

Folder Name, Sender Name, Sender email address, send to, copy to, blind copy to is some of the information that the viewer can display

136 Modified, last modification time, if the message was read or it is unread, submitted, deleted, auto forward, read receipt, size, and the .pst file (this is the outlook file where it stores the information). Note that the email message is not displayed. This NICA Forensic Tool is concerned about the time and other particular evidences like send to, the email message contents are not required for the functionality of the tool. Time information is needed for the timeline report and send to can be used as evidence to prove that the owner of the computer knows the receiver of the email.

Also Outlook specific activities could be found by right click on the Outlook activity grid select the specific activity of interest and select the mark items by pattern

Activities can be chosen by sender name or email address. This feature helps the investigator find all the Outlook activities between a specific sender name and a receiver name.

The Windows activity viewer shows all the days on which the conditions are met. Select a day and a window shows each activity for that day.


Instant Messenger

This viewer shows Windows Live Messenger activities.

Right-click and choose mark items by pattern to select specific activities.


Activities are selected by account and displayed by date, time and activity description.

TimeLine Report

This report shows all the combined information by date and time for each user found. In this case there are four users. Select the user under investigation and choose the date on which you suspect the activities occurred. If there is a suspect activity, click to select it, then right-click to open a dialog box and mark the selected item as a suspect item or a malicious item.

Then go to tools -> Time Window Setting


This feature allows the investigator to select any other activity, such as Skype, Outlook, IM or a visit to a site, that falls within the specified time frame. In this case, the time frame is 15 minutes.

Go to Viewer -> TimeWindowActivities


A time window opens showing all the activities that occurred within 15 minutes of the previously marked suspect activity. It also displays the percent probability that the alleged suspect committed the crime.


This NICA Forensic Tool feature helps the investigator obtain information about visited sites more quickly. Tools -> Browser Keyword List allows the investigator to enter a keyword for visited sites, such as 1and1.


On the timeline viewer, mark items with the defined keywords (already selected previously).

A window displays the total number of entries found with the specified parameters.


The time window viewer highlights all the dates and times at which the site 1and1 was visited.

If more information is needed for a specific activity, right-click and select view properties. A window opens displaying all the details of the selected activity.
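The two correlation steps described above (the 15-minute time window around a marked suspect activity, and the browser keyword list) can be expressed as a small filter over the combined activity records. The following is an added illustration, not the NICA Forensic Tool's own code; the `Activity` record, the field names and the sample entries are constructed assumptions, and the probability figure the tool reports is not modelled because this section does not define how it is computed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Activity:
    """One record from any source (Skype, Outlook, IM, browser history).
    Hypothetical structure, not the tool's real schema."""
    source: str       # "skype", "outlook", "im" or "browser"
    user: str         # Windows account that was logged in
    when: datetime
    detail: str       # chat text, recipient, or visited URL

def time_window(activities, suspect, minutes=15):
    """Activities of the same Windows user that fall within
    +/- `minutes` of the marked suspect activity, ordered by time."""
    delta = timedelta(minutes=minutes)
    return sorted(
        (a for a in activities
         if a.user == suspect.user and a is not suspect
         and abs(a.when - suspect.when) <= delta),
        key=lambda a: a.when,
    )

def keyword_hits(activities, keywords):
    """Browser entries whose URL contains any keyword (case-insensitive),
    mirroring Tools -> Browser Keyword List."""
    kws = [k.lower() for k in keywords]
    return [a for a in activities
            if a.source == "browser" and any(k in a.detail.lower() for k in kws)]

# Constructed sample records (not real case data)
T = datetime(2010, 3, 4, 21, 0)
SAMPLE = [
    Activity("browser", "alice", T, "http://www.1and1.com/hosting"),
    Activity("skype", "alice", T + timedelta(minutes=5), "chat with bob_nick"),
    Activity("outlook", "alice", T + timedelta(minutes=12), "to: carol@example.com"),
    Activity("im", "alice", T + timedelta(minutes=20), "messenger chat"),
    Activity("browser", "dave", T + timedelta(minutes=3), "http://www.1and1.com/login"),
    Activity("browser", "alice", T + timedelta(hours=2), "http://example.org/"),
]

if __name__ == "__main__":
    hits = keyword_hits(SAMPLE, ["1and1"])          # keyword list step
    for h in hits:
        print(f"{h.when:%Y-%m-%d %H:%M} {h.user:6} {h.detail}")
    suspect = hits[0]                                # mark first hit as suspect
    for a in time_window(SAMPLE, suspect):           # 15-minute time window
        print(f"  {a.when:%H:%M} {a.source:8} {a.detail}")
```

Widening the window (for example `minutes=30`) pulls in the later IM record, which is the effect of changing Tools -> Time Window Setting.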
