Presentation transcript: Damien Leake, data forensics

Slide 1: Damien Leake

Slide 2: Definition
- To examine digital media to identify and analyze information so that it can be used as evidence in court cases
- Involves many data recovery techniques
  - Process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media (hard drives, USB flash drives, DVDs)
  - Recovery may be required due to physical damage or logical damage to the file system
- Digital evidence has to be authentic, reliably obtained, and admissible

Slide 3: Common Scenarios for Data Recovery
- Operating system failure
  - Use a LiveCD to copy all files to another disk
  - Can be avoided by proper disk partitioning
- Disk-level failure
  - Compromised file system or disk partition
  - Repair file system, partition table, master boot record
  - Hard disk recovery: one-time recovery
- Recovering deleted files
  - Often the data is not removed, only the references to it in the file table
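The last point on this slide is the whole basis of file carving: the file-table entry is gone, but the bytes are still on disk. The following is an added illustration, not code from the presentation; it scans a constructed raw image for JPEG start/end markers and recovers the object without consulting any directory structure (JPEG is used only because its markers are simple; the marker values and the sample image are the example's own).

```python
import hashlib

# Constructed stand-in for a raw disk image: the file-table entry for the
# picture is gone, but its bytes still sit in unallocated space.
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[bytes]:
    """Recover JPEG-looking byte runs by scanning for header and trailer.

    No directory or file table is consulted, which is exactly why this still
    works after deletion: only the reference was removed, not the content.
    Headers with no trailer (overwritten or truncated files) are skipped.
    """
    found = []
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1          # unusable header; keep scanning
            continue
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def evidence_record(blob: bytes) -> dict:
    """Hash a carved object so it can be tied to a later report."""
    return {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}


def build_sample_image() -> tuple[bytes, bytes]:
    """Constructed image: filler, one intact deleted JPEG, one truncated copy."""
    intact = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + JPEG_EOI
    filler = b"\x00" * 512
    image = filler + b"unallocated text" + filler + intact + filler + intact[:-2] + filler
    return image, intact


if __name__ == "__main__":
    img, expected = build_sample_image()
    for obj in carve_jpegs(img):
        print(evidence_record(obj))
```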

Slide 4: Data Reduction During Acquisition
- Ever larger hard drives make collecting data very time-consuming
- Data analysis can also take much longer if there are large amounts of data
- Known files: operating system and application files can often be disregarded when looking for documents
- File types: many file types can usually be ignored
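The two reduction steps on this slide can be combined into one triage pass. The example below is added here and is not part of the presentation: it drops files whose hash is in a known-file reference set (the reference set and all sample files are constructed), and ignores file types by their leading bytes rather than their extension, so a document renamed to look like a picture still reaches review.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known files" reference set. In practice this would be a
# published hash set of OS and application files (assumed available), so
# those files can be dropped without anyone opening them.
KNOWN_HASHES = {
    sha256_hex(b"constructed kernel32.dll contents"),
    sha256_hex(b"constructed notepad.exe contents"),
}

# File types judged irrelevant to a documents-only search, identified by
# leading bytes (magic) rather than by extension, which is trivially renamed.
IGNORED_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x7fELF": "elf",
}


def classify(data: bytes) -> str:
    """'known' (reference set hit), 'ignored:<type>' (magic match) or 'review'."""
    if sha256_hex(data) in KNOWN_HASHES:
        return "known"
    for magic, ftype in IGNORED_MAGIC.items():
        if data.startswith(magic):
            return f"ignored:{ftype}"
    return "review"


def reduce_for_review(files: dict[str, bytes]) -> dict[str, str]:
    """Map each file name to its verdict; only 'review' files get examined."""
    return {name: classify(data) for name, data in files.items()}


# Constructed sample files standing in for an acquired volume.
SAMPLE_FILES = {
    "kernel32.dll": b"constructed kernel32.dll contents",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "memo.txt": b"meeting moved to friday, bring the contract",
    # a document renamed to look like a picture: extension says jpeg,
    # magic says ZIP container (what .docx files begin with)
    "holiday.jpg": b"PK\x03\x04" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, verdict in reduce_for_review(SAMPLE_FILES).items():
        print(f"{name:14} {verdict}")
```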

Slide 5: Live Acquisition
- Debate: pull the plug or not when finding a suspect's computers
- For: minimizes disturbance to stored data
- Against: critical data may be in RAM
  - With full disk encryption, files are decrypted on the fly, with the decryption key stored in RAM
  - Open ports, active processes
  - Fully volatile OS: Knoppix
  - Unsaved documents

Slide 6: Examining RAM
- Evidence cannot be recorded on a target machine without changing its state
  - Logs, temp files, network connections opened/closed
  - Critical data may be overwritten
- Analysis utilities may need to be loaded onto the target system
- Usually, RAM data is sent to another machine over a network connection
- These problems may be avoided if the target machine was running in a virtual machine

Slide 7: Virtual Introspection
- Process by which the state of a VM is observed from the Virtual Machine Manager or another VM on the system
- No current production tool, but research shows promise
- Can allow live system analysis of a VM
- May be possible for it to go undetected by the target system
  - Experienced cyber criminals may have safeguards that remove critical data from RAM upon breach detection

Slide 8: Virtual Introspection for Xen
- Xen is an open source Virtual Machine Manager
  - Not as robust as some competitors
  - Open source means that researchers can modify the VMM should that become necessary
- VIX is a suite of tools currently being developed for Xen
  - Provides an API for getting data from different VMs
  - Pauses the target machine, acquires data, un-pauses the machine
  - Ensures machine state is not modified

Slide 9: Future Work
- Support for multiple OS
  - Currently, the Linux 2.6 kernel is supported by VIX
  - Need Windows and Mac OS support for widespread significance
- Analysis of the extent to which VI can be detected by the target VM
  - Timing analysis, page fault monitoring
- Application of these techniques to VMware and other popular VM platforms

Slide 10: Database Forensics
- Standard forensics tools tend to be too time-consuming to run on large databases
- Database tools to search logs are quicker
  - Can return a lot of useful information
  - But they may alter the database in ways that complicate the admissibility of the content in court
- New field of study with little literature

Slide 11: Mobile Device Forensics
- State of device at time of acquisition
  - Password locks
  - Remote data deletion
- Variety of operating systems
  - Hard to build tools considered industry standard

Slide 12: FTK Mobile Phone Examiner
- Most commonly used tool in the US
- Simple data acquisition: cable, infrared, Bluetooth
- Does not alter any data on the device
- Integration with Forensic Toolkit
  - Perform analysis on multiple phones at once
  - Reports are automatically court-usable

Slide 13: Oxygen Forensic Suite
- Popular tool with European law enforcement agencies
- Extracts all possible information
  - Phone/SIM card data
  - Contact list, caller groups, speed dials
  - All calls sent/received/missed
  - SMS, calendar events, text notes
- Can tap into LifeBlog and geotagging in Nokia Symbian OS phones

Slide 14: EnCase Neutrino
- Extension of the company's PC forensic software
- Claims to have the only extensively tested signal-blocking technology
- Data acquisition starts with the SIM card first, then searches the phone itself
- Easily returns device serial number, cell tower location, and manufacturer information

Slide 15: Anti-Forensics
- Avoid detection of events
- Disrupt collection of information
- Increase time spent on case

Slide 16: Attacking Data
- Data wiping
  - Overwrite erased disk space with random data
  - Many commercial tools do not do this properly and leave some of the original data
- Data hiding
  - Encryption
  - Using anonymous web storage
  - Steganography: embedding data into another digital form (images, videos)
- Data corruption
  - Aims to stop the acquisition of evidentiary data

Slide 17: Attacking Forensics Tools
- Aims to make examination results unreliable in court
- Manipulate essential information
  - Hashes
  - Timestamps
  - File signatures
- Compression bomb
  - Compress data hundreds of times
  - Causes the analyzing computer to crash trying to decompress it
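The compression-bomb point is one an examination workstation can defend against: inflate in bounded slices and abort on an output or ratio limit instead of letting the tool crash. The following is an added example, not code from the presentation or from any of the tools it names; it uses Python's zlib with a constructed bomb (a long run of zeros) and constructed limits.

```python
import zlib


class DecompressionBomb(Exception):
    """Raised when inflating would exceed the examiner's configured limits."""


def safe_inflate(blob: bytes, max_output: int, max_ratio: int = 100) -> bytes:
    """Inflate zlib data, aborting as soon as the output passes max_output
    bytes or max_ratio times the compressed size. Output is produced in
    bounded slices, so the limit is enforced before memory is exhausted."""
    d = zlib.decompressobj()
    out = bytearray()
    data = blob
    while True:
        budget = max_output - len(out) + 1      # +1 lets us detect overflow
        out += d.decompress(data, budget)
        if len(out) > max_output:
            raise DecompressionBomb(f"output exceeds {max_output} bytes")
        if len(out) > max_ratio * max(len(blob), 1):
            raise DecompressionBomb(f"ratio exceeds {max_ratio}:1")
        if d.eof or not d.unconsumed_tail:
            break
        data = d.unconsumed_tail           # input left over after the slice
    if not d.eof:
        raise ValueError("truncated or corrupt stream")
    return bytes(out)


def is_bomb(blob: bytes, max_output: int, max_ratio: int = 100) -> bool:
    """Triage helper: True if the blob trips the limits, without raising."""
    try:
        safe_inflate(blob, max_output, max_ratio)
    except DecompressionBomb:
        return True
    return False


# Constructed inputs: a benign log fragment and a zeros-based bomb.
SMALL_PLAIN = b"acquired log line\n" * 20


def build_benign() -> bytes:
    return zlib.compress(SMALL_PLAIN)


def build_bomb(plain_size: int = 20_000_000) -> bytes:
    """A run of zeros compresses roughly 1000:1, far past the ratio limit."""
    return zlib.compress(b"\x00" * plain_size, 9)
```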

Slide 18: Attack the Investigator
- Exhaust the investigator's time and resources
- Leave large amounts of useless data on hard drives
- Cases that take too long are more likely to be dropped

Slide 19: Summary
- Data forensics attempts to capture and analyze data for use in court proceedings
- Techniques involve traditional data recovery along with live acquisition of volatile data
- Relatively new field, with more research needed for databases, mobile devices, and virtual machines
- Analysis techniques will need to evolve as cyber criminals develop more sophisticated ways to hide their actions

