Digital Evidence
- Information stored digitally for use in court
- Examples:
- Any digital document
- Word docx
- Internet history
- RAM content
Categories of Forensic Data
- Active Data - In use by OS; not deleted
- Latent Data - Not in use by OS but still exists; logically deleted
- Archival Data - Data stored in offshore backups
Forensic Images
- File format to store bit-by-bit copy of original evidence
- File extensions: E01, VMDK, OVF, DD
Image Format
- Complete Disk β Full disk snapshot, comprehensive, large size, contains slack
- Partition β Snapshot of a partition of a disk, kind of comprehensive, medium size, contains slack
- Logical β Snapshot of certain files, not comprehensive, small size, no slack
Imaging Process
- Connect hardware write blocker to prevent writes
- Use imaging tools like dd, FTK Imager or EnCase to obtain the image
Crime Scene Tools
- Forensic software
- Large capacity storage drive
- Write-blockers
- Hardware adapters
- Digital camera (for documentation)
- Anti-static bags
- Evidence bags
Handling Live Systems
- Yank the plug - Prevents shutdown scripts from running; may corrupt the system as it is not properly shut down
- Proper shutdown - Shutdown scripts will run, possibly erasing evidence; won't corrupt the system as it is properly shut down
- Leave it up and running - Constantly on, preserves integrity; tedious to do memory acquisition on a large number of systems
Seizing Hard Disks
- Wear an anti-static strap to protect equipment from static discharge
- Ensure equipment is protected from magnetic fields
- Document internal storage devices
- Disconnect storage devices to prevent destruction/alteration of data
Chain of Custody
- Documents every move and access of evidence to prove the preservation of evidence in court
- Logs data such as
- Date and time of action
- Action type
- Person collecting/accessing the evidence
- Computer information (model, serial number)
- Disk drive information (size, manufacturer, serial number, heads, cylinders, sectors per track)
- Handling procedure
Bagging & Tagging
- Bagging - Protects against contamination and tampering
- Tagging - Associates bagged evidence with the case
Transporting Evidence
- Keep evidence away from magnetic sources and high temperature
- Maintain chain of custody
Types of Extraction
- Manual inspection - Effective for small disks as it's faster & provides increased confidence
- File signatures - Bypasses file extension renaming
- Timestamp & metadata - Contains an MD5 hash that can be checked against a database to identify the file
- String and keyword search - Look for patterns / names in filename / content
- File carving - Recover deleted files by looking at start and end signatures
Analysis of Data
- Timeframe - Determines the sequence of events occurring on a computer system; associates an individual with use of the computer at that time
- Data hiding - Find data concealed through file extension mismatches, password-protected files & steganography
- Application and file - Look through files to infer data about the user, e.g. installed apps, internet history, correlating files together
MBR vs GPT
| Attribute | MBR | GPT |
|---|---|---|
| Max partitions | 4 primary or 3 primary + 1 extended | 128 primary |
| Max partition size | 2 TB | 9.4 Zettabytes |
| Partition addressing method | Cylinder-head-sector (CHS) | Logical block addressing (LBA) |
| Size of a partition entry | 16 B | 128 B |
| Error detection | None | CRC |
| Firmware interface support | BIOS | UEFI |
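As an added example (not part of these notes), a small Python parser for the 16-byte MBR partition entries summarised in the table: it checks the 0x55AA boot signature, decodes both the packed CHS fields and the LBA fields of each entry, and flags the 0xEE protective entry that a GPT disk presents to legacy tooling. The sample sector is constructed inline and assumes 512-byte sectors.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte entries follow the 446-byte boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of sector 0
GPT_PROTECTIVE_TYPE = 0xEE    # type byte of the protective MBR entry on GPT disks

def decode_chs(raw):
    """Unpack a packed 3-byte CHS field: head, then 6-bit sector plus the top
    two cylinder bits, then the low 8 cylinder bits. Returns (C, H, S)."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector

def parse_mbr(sector0):
    """Return (entries, is_gpt_protective) for the non-empty partition slots.
    Raises ValueError if the 0x55AA boot signature is missing."""
    if len(sector0) < MBR_SIZE or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + PART_ENTRY_SIZE])
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i, "bootable": bool(status & 0x80), "type": ptype,
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba_start, "sectors": count,
            "size_bytes": count * 512,  # assumes 512-byte sectors
        })
    is_protective = any(e["type"] == GPT_PROTECTIVE_TYPE for e in entries)
    return entries, is_protective

def build_entry(status, ptype, lba_start, count, chs_start=b"\0\0\0", chs_end=b"\0\0\0"):
    # Packs one 16-byte partition entry; used here only to construct sample data.
    return struct.pack("<B3sB3sII", status, chs_start, ptype, chs_end, lba_start, count)

# Constructed sample sector (not from a real disk): bootable NTFS (0x07) at LBA 2048,
# then Linux (0x83); CHS start C0/H32/S33 matches LBA 2048, end fields are maxed out.
SAMPLE_MBR = (
    b"\x00" * PART_TABLE_OFFSET
    + build_entry(0x80, 0x07, 2048, 204800, b"\x20\x21\x00", b"\xFE\xFF\xFF")
    + build_entry(0x00, 0x83, 206848, 409600, b"\xFE\xFF\xFF", b"\xFE\xFF\xFF")
    + b"\x00" * (2 * PART_ENTRY_SIZE)
    + BOOT_SIGNATURE
)
```

Run `parse_mbr` over the first 512 bytes of a DD image to list the partitions and their LBA offsets; a single 0xEE entry means the real partition table is the GPT header at LBA 1.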