This week, we learn the different ways of extracting evidence and analysing it. We also touch on interpreting Windows event logs, which are generated by user activity and can give an investigation valuable information about the actions a user took.
Recovering Deleted Files
We’ve all heard that once you delete a file on a computer, it doesn’t truly get deleted: it stays somewhere on the disk until it is overwritten. Where does it stay? There are two possible areas: the slack space and the unallocated space. What do these spaces actually mean?
Slack Space
The internals of a hard disk drive (HDD) are illustrated in the image below.
Each HDD has multiple platters, each containing multiple tracks (or cylinders). Each track is made up of multiple sectors joined together, and each sector stores a fixed size of data (usually 512 bytes).
As that is the smallest unit of data an HDD can store, a file smaller than 512 bytes still takes up the entire sector. The remaining space in the sector is called the slack space.
Some operating systems group multiple sectors together into a cluster and treat the cluster as the smallest unit they allocate. For example, if the OS uses a cluster size of 4096 bytes, a file smaller than 4096 bytes is still allocated 4096 bytes of storage. The remaining empty space is also called slack space.
Unallocated Space
Unallocated space, as the term suggests, consists of clusters marked as “unallocated”. This means the OS can write to such a cluster directly without any repercussions, as it contains either nothing or deleted data.
When a file is deleted, the clusters containing its data are only marked as unallocated; the data itself is not wiped (i.e. overwritten with zeroes). As such, we can use forensic tools to analyse unallocated space and potentially recover deleted files.
Evidence Extraction
Now that we know how to recover deleted data, we can apply the following techniques to it to extract properly-formatted files for further analysis.
- Manual Inspection
- File Signatures
- Metadata
- String & Keyword Searches
- File Carving
Manual Inspection
- Usually done when there is a small amount of data to analyse
- Why rely on tools when you can rely on your own eyes?
File Signatures
- Every file format starts with a signature, which is basically a predefined sequence of bytes
- For example, a PNG file’s signature is 89 50 4E 47 0D 0A 1A 0A
Metadata
- Contains information such as the original filename, file size and hashes
- Hashes can be compared with an online database to look for known files
String & Keyword Searches
- Look for strings in the mass of data that match certain keywords
- Not very effective, as any form of encoding can prevent the keyword from being found
File Carving
- Most files have a start-of-file marker (aka the file signature) and an end-of-file marker
- File carving uses these markers to extract the data between them into a file
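As an added example (not part of the original notes), here is a small Python carver that ties the File Signatures and File Carving ideas together: it uses the PNG signature above as the start-of-file marker and the IEND chunk as the end-of-file marker, skips a header whose tail has been overwritten instead of gluing it to the next file, and checks the carved file’s chunk CRCs so that a hit on the markers alone is not mistaken for a usable file. The 1x1 PNG and the “disk image” it sits in are constructed inline.

```python
import zlib

# Start-of-file marker: the PNG signature quoted in the notes above.
PNG_SIG = bytes.fromhex("89504E470D0A1A0A")
# End-of-file marker: the IEND chunk type followed by its (constant) CRC.
PNG_END = b"IEND" + zlib.crc32(b"IEND").to_bytes(4, "big")


def carve_png(data: bytes) -> list:
    """Carve every complete PNG out of a raw byte buffer (e.g. unallocated space)."""
    # Scan for the start marker, then for the next end marker. If another start
    # marker turns up first, the earlier file is truncated (its tail was overwritten),
    # so restart at the later header instead of gluing two files together.
    carved, pos = [], 0
    while (start := data.find(PNG_SIG, pos)) != -1:
        end = data.find(PNG_END, start + len(PNG_SIG))
        if end == -1:
            break  # a header with no trailer anywhere after it: nothing complete is left
        nxt = data.find(PNG_SIG, start + len(PNG_SIG))
        if nxt != -1 and nxt < end:
            pos = nxt
            continue
        carved.append(data[start:end + len(PNG_END)])
        pos = end + len(PNG_END)
    return carved


def png_chunks_ok(png: bytes) -> bool:
    """Validate a carved PNG by walking its chunks and checking every CRC."""
    # Chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC over type + data.
    # Matching both markers is not enough; a carve with bad CRCs is not a usable file.
    off = len(PNG_SIG)
    while off + 12 <= len(png):
        length = int.from_bytes(png[off:off + 4], "big")
        ctype, body = png[off + 4:off + 8], png[off + 8:off + 8 + length]
        crc = int.from_bytes(png[off + 8 + length:off + 12 + length], "big")
        if zlib.crc32(ctype + body) != crc:
            return False
        if ctype == b"IEND":
            return True
        off += 12 + length
    return False


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")


# Constructed sample evidence: a minimal 1x1 RGB PNG, and a fake "disk image" made of
# junk, a truncated copy of that PNG (header only), junk, the whole PNG, and more junk.
_IHDR = (1).to_bytes(4, "big") * 2 + bytes([8, 2, 0, 0, 0])  # width 1, height 1, 8-bit RGB
SAMPLE_PNG = PNG_SIG + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _chunk(b"IEND", b"")
DISK_IMAGE = b"\x00" * 64 + SAMPLE_PNG[:40] + b"junk data" + SAMPLE_PNG + b"\xff" * 32
```

Running `carve_png(DISK_IMAGE)` yields exactly one file, the complete sample PNG; the truncated copy in front of it is skipped rather than merged into the carve.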
Analysis
Now that the data has been extracted, we can perform analysis on it to understand what the suspect was trying to do. The analysis methods covered in the slides are:
- Timeframe analysis
- Uncovering hidden data
- Application & file analysis
Timeframe Analysis
- Extract file modification times from the metadata
- Use them to determine when events occurred on a computer system
Uncovering Hidden Data
- Data can be hidden in files in different ways, including:
  - Steganography
  - Mismatched file headers
  - Password protection / Encryption
Application & File Analysis
- Infer additional information from files, through ways such as:
  - Examining file contents
  - Appearance of application-specific files
  - Cache files (which store things like internet history)
Event Logs
Event logs are generated by the system when any action occurs. Windows maintains these three core event logs:
| Event Log | What it Contains |
|---|---|
| Application | Activities related to user-installed programs |
| Security | Activities related to authentication and security processes (changing user credentials, process execution, and file and directory access) |
| System | Activities from core OS components, such as Windows service events and driver loading and unloading |