Storm’s Edge Technologies IT Consulting Company servicing the Dallas/Fort worth area. Services PC Support and Custom Built PCs Server Support and Custom Built Server Network Support Firewall Support Web Site Development/Hosting Custom Application Development Computer Forensics Disaster/Data Recovery Services
Contact Information Daniel A. FitzGerald P.O. Box 8995 Fort Worth, TX 76124 Email: Dan@StormsEdge.com Phone: 817.496.4956 Fax: 817.496.3435 Web: www.stormsedge.com
Overview Image Hard Drive Process Forensic Image Discovery Procedures Analyze Forensic Image Document Findings Forensic Process
Stage of the Forensic Process Document & Photograph Connect Drive to Write Block Connect PC to Write Block Create Forensic Image Secure Original Evidence Drive Allocate 1 Day Image Hard Drive
Stage of the Forensic Process Update Forensic PC Windows & Anti-Virus Forensic Software Select Forensic Software Encase Forensic Tool Kit Etc… Start the processing Allocate 2-3 Days for each Drive Process Forensic Image
Stage of the Forensic Process Obtain Forensic Reports Review Case Documents Determine Search Terms Develop Analysis Strategy Allocate at least 1 Week Discovery Procedures
Stage of the Forensic Process Analyze Registry Hives Determine Operating System Determine Time Zone of PC Determine Users of PC Analyze Event Logs Perform Search of Terms Allocate at least 1 Week Analyze Forensic Image
Stage of the Forensic Process Generate Registry Reports Operating System Time Zone Users Etc… Generate Event Log Reports Usage Patterns Time Changes Generate Search Term Results Allow 2-4 Days Document Findings
Forensic Timeline 1 Day - Image Hard Drive 2-3 Days - Process Forensic Image 1 Week - Discovery Procedures 1 Week - Analyze Forensic Image 2-4 Days - Document Findings Note: Timeline is based on a single average PC with a 250GB Drive Forensic Process - 21 Days
Computers or Spies? What can we determine from a PC Users Passwords Web-Sites viewed Documents opened Pictures viewed Age of PC Last Reboot Time What files have been accessed, deleted, modified, etc…
Computers or Spies? What can we determine from a PC Who created the document When documents were printed What software created the document What devices where used Who has used the PC What software has recently be used When the OS was installed The possibilities too numerous to list!
Integrating the PC Registry Files contain an abundant amount of information to include Usernames/Passwords for email, websites, and programs Internet Sites visited along with date/times Search Terms used on Google and other search engines. Recent file activity/access List of software installed
Integrating the PC Registry Files contain an abundant amount of information to include Screen Saver required Password User Logon Required or Not Date Windows was Installed Date each user last logged on. Etc…
Integrating the PC PC Event Logs can provide some insight into the use of a PC Change in System Time Boot/Startup Times Problems with drivers & devices Because the event logs generally cover a time period of several months they can provide a good history of activity.
Other Files INI files are used by programs to store information/configuration. Plain Text Safe for Export LNK (Short Cut) files will often provide insight to the users programs Start Menu will give you a list of the common program they run/access.
Alibi with a PC Establish who was using the PC UserID/Password Screen Saver w/Password User Specific knowledge like logging into MySpace web-site. Establish PC has the correct time Check BIOS date vs. windows date Check Event Log for time sync events
Alibi with a PC Determine Activity and Time File Dates (Creation, Access, Modified) Web-Site Activity Email Activity Printer Activity
Classified/Sensitive Data How to perform a Forensic Analysis when you can not possess the data. Identify who has secured the evidence Determine local policies in providing access Process the Forensic Image files Review any Sensitive Data on-site Generate Report Extract non-sensitive files for processing in your own forensic lab. Request a review and copy of the report to ensure no classified/sensitive data is exported.
Extracting Non-Sensitive Files Files to Extract for later processing Registry Files Event Logs INI Files LNK Files Access Database of all files FTK will create this as part of its normal processing of the Forensic Image Files. EnCase will need to export a CSV file.
What is … Slack Space – The area between the end of the file and the end of the cluster. Free Space – The area available to store data including areas where files were stored but have been deleted. Unallocated Space – The area of a device that is not covered by a partition. This would include any deleted partitions. Swap File – File used to cache memory to the hard drive Hibernation File – File used to store memory to the hard drive when hibernating
How Do I? Prove a USB Key was used on a PC Prove an Image was viewed Recover Deleted Files Determine if a user has opened a file Prove a file was copied/moved Find out when a file was deleted Demonstrate a PC was used remotely Show who created a file Etc…..