
Golden G. Richard III, Ph.D.
Dept. of Computer Science
Gulf Coast Computer Forensics Laboratory (GCCFL)


Definition: "Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices."
Devices include computers, PDAs, cellular phones, videogame consoles…

- Computers increasingly involved in criminal and corporate investigations
- Digital evidence may play a supporting role or be the "smoking gun"
- Email
  - Harassment or threats
  - Blackmail
  - Illegal transmission of internal corporate documents
- Meeting points/times for drug deals
- Suicide letters
- Technical data for bomb making
- Image or digital video files (esp., child pornography)
- Evidence of inappropriate use of computer resources or attacks
  - Use of a machine as a spam email generator
  - Use of a machine to distribute illegally copied software
- Identification of potential digital evidence
  - Where might the evidence be? Which devices did the suspect use?
- Preservation
  - First, stabilize evidence… prevent loss and contamination
  - If possible, make identical copies of evidence for examination
- Presentation
  - "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore 'HITLIST.DOC'…"
  - "The suspect attempted to hide the Microsoft Word document 'HITLIST.DOC' but I was able to recover it without tampering with the file contents."
[Slide illustration: a suicide note being typed ("Dear Susan, It's not your fault…") as the clock ticks; a wireless connection links a computer in the living room to volatile computing in the basement/closet]
- When making copies of media to be investigated, must prevent accidental modification or destruction of evidence!
- Write blockers: Use them. Always.
- dd under Linux
- DOS boot floppies
- Proprietary imaging solutions
[Slide image: a write blocker]
- Know where evidence can be found
- Understand techniques used to hide or "destroy" digital data
- Toolbox of techniques to discover hidden data and recover "destroyed" data
- Cope with HUGE quantities of digital data…
- Ignore the irrelevant and target the relevant
- Undeleted files, expect some names to be incorrect
- Deleted files
- Windows registry
- Print spool files
- Hibernation files
- Temp files (all those .TMP files!)
- Slack space
- Swap files
- Browser caches
- Alternate partitions
- On a variety of removable media (floppies, ZIP, Jazz, tapes, …)
   
- Many digital forensics tools and techniques are quite complex…
- Very difficult to cover in a short lecture
- To illustrate investigative procedures for digital forensics, a fact vs. fallacy approach
- Fallacy: User attempting to hide evidence believes one thing…
- Fact: But in fact…
- Look at a few fact vs. fallacy scenarios…
- Then, one more advanced topic
         

- Users often mistake normal deletion of files for "secure" deletion
- Deleted files recoverable using forensics tools
- Why?
- Filesystem makes a small change in its bookkeeping info to mark a file as deleted
- Data associated with file is NOT erased
- Example: FAT32 (Windows), first character of filename is changed to 0xEF in directory entry to "delete" file
- Forensics software changes one character in directory entry, file reappears
- To prevent recovery, must perform secure overwrite of the file or physically destroy the media
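The directory-entry trick above, as an added example that is not part of the original slides: it packs a constructed 32-byte FAT32 short-name entry for HITLIST.DOC, shows what the "deleted" entry still reveals (first cluster and size are untouched), and restores the first character the way an undelete tool does. Note that Microsoft's FAT specification uses 0xE5 as the deleted-entry marker (the slide quotes 0xEF); the entry bytes, cluster numbers and sizes here are constructed.

```python
import struct

# Constructed 32-byte FAT32 short-name directory entry; not taken from a real disk.
# Microsoft's FAT specification marks a deleted entry by overwriting the first
# name byte with 0xE5 (the slide quotes 0xEF); the data clusters are left alone.
DELETED_MARKER = 0xE5
# name(11) attr(1) times/dates(8) first-cluster-high(2) times(4) first-cluster-low(2) size(4)
ENTRY_FMT = "<11sB8sH4sHI"

def build_entry(name83: bytes, first_cluster: int, size: int, deleted: bool) -> bytes:
    """Pack a directory entry; name83 is the 8.3 name padded with spaces."""
    if len(name83) != 11:
        raise ValueError("8.3 name must be exactly 11 bytes")
    name = bytes([DELETED_MARKER]) + name83[1:] if deleted else name83
    return struct.pack(ENTRY_FMT, name, 0x20, b"\0" * 8,
                       first_cluster >> 16, b"\0" * 4, first_cluster & 0xFFFF, size)

def parse_entry(entry: bytes) -> dict:
    """Decode the fields an examiner needs: name, deleted flag, first cluster, size."""
    name, attr, _, hi, _, lo, size = struct.unpack(ENTRY_FMT, entry)
    deleted = name[0] == DELETED_MARKER
    base = (b"?" + name[1:8] if deleted else name[:8]).decode("ascii").rstrip()
    ext = name[8:].decode("ascii").rstrip()
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "first_cluster": (hi << 16) | lo, "size": size}

def undelete(entry: bytes, first_char: str) -> bytes:
    """Restore the lost first character; the examiner supplies it (here 'H')."""
    if entry[0] != DELETED_MARKER:
        raise ValueError("entry is not marked deleted")
    return first_char.encode("ascii") + entry[1:]

def data_clusters(info: dict, cluster_size: int = 4096) -> range:
    """Clusters an unfragmented file would occupy; still readable until reused."""
    count = (info["size"] + cluster_size - 1) // cluster_size
    return range(info["first_cluster"], info["first_cluster"] + count)

# Constructed "deleted" entry: HITLIST.DOC, 40960 bytes, starting at cluster 0x1234.
DELETED_ENTRY = build_entry(b"HITLIST DOC", first_cluster=0x1234, size=40960, deleted=True)

if __name__ == "__main__":
    print(parse_entry(DELETED_ENTRY))
    print(parse_entry(undelete(DELETED_ENTRY, "H")))
```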
 
       
- "childporn.jpg" → "winword.exe"
- Renaming files is an ineffective defense against digital forensics investigation
- Technique # 1:
  - Most file types (e.g., JPEG image) have a structure that can be recognized directly, regardless of the filename a user chooses
  - e.g., JPEG files contain 0x4a464946 or 0x45786966 in the first block of the file
- Technique # 2:
  - Cryptographic hashing provides a mechanism for "fingerprinting" files
  - File contents is matched quickly, regardless of name
  - Hashes equivalent, file contents equivalent
  - Think: fingerprints don't care about hair color…
- Typical algorithms: SHA-1, MD5
- Can automate checking of hashes
- Huge dictionaries exist with hashes for known files: http://www.nsrl.nist.gov/index/prodname.index.txt
- …and known child pornography files
- Can quickly disregard known files and target the interesting stuff
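Techniques # 1 and # 2 together, as an added example that is not part of the original slides: content signatures classify a file whatever it is named (the "JFIF"/"Exif" bytes the slide quotes, at offset 6 of a JPEG), SHA-1 fingerprints let identical contents match under different names, and a constructed stand-in for an NSRL-style known-hash list sets known files aside. All file bytes and the known-hash entry are constructed.

```python
import hashlib

# Constructed sample contents (not real files). A JFIF JPEG begins FF D8 FF E0,
# a length, then "JFIF"; the slide quotes the ASCII of "JFIF"/"Exif" as
# 0x4a464946 / 0x45786966, found in the first block of the file.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 200 + b"\xff\xd9"
PE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 100

SIGNATURES = {                      # label: (offset in first block, magic bytes)
    "JPEG (JFIF)": (6, b"JFIF"),
    "JPEG (Exif)": (6, b"Exif"),
    "PE executable": (0, b"MZ"),
}

def identify(first_block: bytes) -> str:
    """Classify a file by content, ignoring whatever name the user gave it."""
    for label, (off, magic) in SIGNATURES.items():
        if first_block[off:off + len(magic)] == magic:
            return label
    return "unknown"

def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed stand-in for an NSRL-style known-file list: hash -> product.
KNOWN_HASHES = {sha1(PE_BYTES): "notepad.exe (constructed reference entry)"}

def triage(files: dict, known: dict) -> list:
    """Return (name, detected type, verdict) per file; known hashes are set aside."""
    report = []
    for name, data in files.items():
        kind = identify(data[:512])
        digest = sha1(data)
        if digest in known:
            verdict = "known file, skip: " + known[digest]
        else:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if kind.startswith("JPEG") and ext not in ("jpg", "jpeg"):
                verdict = "EXTENSION MISMATCH, examine"
            else:
                verdict = "unknown, examine"
        report.append((name, kind, verdict))
    return report

# Constructed evidence set: the renamed picture, an identical copy, and a known binary.
SAMPLE_FILES = {"winword.exe": JPEG_BYTES, "holiday.jpg": JPEG_BYTES, "notepad.exe": PE_BYTES}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_HASHES):
        print(row)
```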
       
- Formatting a drive does not prevent recovery of digital evidence
- In fact, format typically overwrites less than 1% of drive contents
- Why does it take so long? Format is reading disk blocks to determine if bad blocks exist
- Format wipes out directories, so names of files are lost
- A lot of the data can still be recovered by sifting through data that remains after the format operation
- For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file
- See digital forensics Technique # 1 under file renaming fallacy
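Header/footer carving as the slide describes it, as an added example that is not part of the original slides: it scans a constructed raw image (directory entries gone, data blocks still present) for JPEG start-of-image and end-of-image markers and cuts out each complete span. The image and the two embedded pictures are constructed; a trailing header with no footer shows the case a simple carver must skip.

```python
SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker (first bytes of every JPEG)
EOI = b"\xff\xd9"       # JPEG end-of-image marker (last bytes of every JPEG)

def carve_jpegs(image: bytes, max_size: int = 10_000_000) -> list:
    """Return (offset, data) for every header..footer span in the raw bytes.

    Simple header/footer carving: it needs no directory entries at all, but a
    fragmented file or a file whose footer was overwritten is not rebuilt
    correctly, so each candidate is still checked by opening it afterwards.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI))
        if end < 0:                      # header without any footer: nothing complete left
            break
        if end - start > max_size:       # implausible span: skip this header
            pos = start + 1
            continue
        found.append((start, image[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

# Constructed raw image: 64 bytes of wiped boot area, a JFIF picture, 100 zero
# bytes, an Exif picture, then an orphaned header whose footer was overwritten.
JPEG1 = SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 50 + EOI        # 63 bytes
JPEG2 = SOI + b"\xe1\x00\x16Exif\x00\x00" + b"B" * 30 + EOI    # 44 bytes
IMAGE = b"\x00" * 64 + JPEG1 + b"\x00" * 100 + JPEG2 + b"\x00" * 16 + SOI + b"\xe0" + b"C" * 10

if __name__ == "__main__":
    for offset, data in carve_jpegs(IMAGE):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```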
- Example # 1: Cutting a floppy into pieces
- Example # 2: Opening a hard drive, removing the platters, throwing them into the trash
- Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery
- Media can be reassembled and partial recovery performed
- Even strong magnetic fields are insufficient…
- Older "military grade" degausser for erasing hard drives was so strong that it bent the platters inside the drive
- Your bulk tape eraser isn't going to do the job
- To destroy data: multiple overwrites (software) or complete destruction of hardware
- Fallacy: Use of web-based email rather than storing email messages directly on a computer is safer (in terms of thwarting recovery attempts)
- It's not. Even if you never download the email and immediately delete all messages on the server!
- Recently viewed web pages are stored in web browser's cache
- Cache is often in a hard-to-find place…
- Internet Explorer → Tools → Internet Options → Delete Files clears the cache in IE
- See slide on recovery of deleted files for futility quotient
- Files stored in browser cache are not securely deleted when the cache is cleared
- Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash
- Illegal application installed…
- Fear ensues…
- Application is uninstalled… (Am I safe?)
- …application files can still be undeleted, proving application was installed
- Further steps to obscure installation: Securely overwrite application files
- Now am I safe?
- Nope.
- Remnants of installation can likely still be found in the Windows registry
- Basically, if a user installs software and wants to permanently eradicate any traces, must securely erase the entire drive or destroy the hardware
 
    
- On encrypted file systems, if file is ever printed and spool directory isn't encrypted, fragments may be left behind
- On some systems (e.g., Windows 2000), a "recovery agent" is able to read all encrypted files
- For Windows 2000, this is the administrator account, thus just need to break administrator password
- Problem: keys for truly secure encryption schemes are long
- Search for slips of paper
- Search for unencrypted password lists
- Search PDAs, phones, and organizers for passwords and encryption keys
- Software or hardware keystroke loggers
- Van Eck radiation
- If the file can't be decrypted, the name of the file may still be useful in prosecution
How good are your passwords?
- "Techniques for hiding information within other information"
- Historical
  - Tattoos
  - Text on wood under wax layer on a wax tablet
  - "Invisible" ink (e.g., writing with lemon juice)
- Modern
  - Much more sophisticated
  - Employ powerful encryption techniques
  - Hide documents w/in an image, video, or audio file
  - Hidden documents can be harmless, or child pornography, bomb plans, …

[Slide images: the original and the stego-carrying cactus pictures]

Slipped inside the 2nd cactus picture by "jphide"…

Statistical analysis by "stegdetect" guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely unless the password is known.

Embedding in this case is not obvious (visually)…and image w/ embedded Golden is actually smaller (in bytes) than original
[Slide image: a "bomb" diagram labelled Igniter and Core]

This "bomb" diagram, however, is not detected inside the cactus picture…
- Investigative needs vs. the right to privacy
- Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution
- Wiretap laws
- Chain of custody
- Admissibility of evidence in court: Daubert
  - Essentially:
    - Has theory or technique in question been tested?
    - Is error rate known?
    - Widespread acceptance within a relevant scientific community?
- Patriot Act
  - Greatly expands governmental powers in terms of searching, wiretap w/o prior notification
- We've concentrated on the cool technology, but…
- The existence of sophisticated digital forensics techniques is a great enabler for fascism
- Actively fight laws that don't appropriately balance privacy with need for investigation
- Secure file deletion software
- Overwriting files with zeros is good enough unless a tunneling electron microscope is available…
- Volatile computing
- Physical destruction of media
  - Grind the media into powder
  - Vats of acid or molten steel
- Websites
  - http://www.dfrws.org
    - Lots of references related to digital forensics, including a link to an interesting e-journal…
    - http://www.ijde.org/ (International Journal of Digital Evidence)
  - http://vip.poly.edu/kulesh/forensics/list.htm
    - tons of stuff, including a bunch of online papers
  - http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
    - Huge collection of forensics-related software
- Commercial digital forensics software
  - Encase
  - FTK (Forensics Tool Kit)
  - ILook (law enforcement only)
  - WinHex
http://www.cs.uno.edu/~golden/teach.html

Office: Math 346
