Digital Forensics Anthony Lawrence

Overview Digital forensics is a branch of forensics focusing on investigating electronic devises. Important in for law enforcement and military. Often used as supporting evidence in murder cases, business fraud cases, and in particular in child pornography cases. Computer hard disk drives, ram, and cell phones are commonly analyzed.

Case Study In 1998 Julie Jensen died of a mysterious cause. Mark Jenson, Julie's husband consented to a search of their house to find potential causes. Investigators acquired and imaged the Jensens' computer. After analyzing the data on the computer, they found search history that showed searches for various murder methods including ethylene glycol poisoning, which was discovered to be the cause of her death. Someone had attempted to delete this search history but investigators were able to uncover it anyway This evidence was use in part to convict Mark Jensen of murdering his wife.

File System Basics Most modern file systems maintain a table to track which blocks are allocated to which files. The table entries contain metadata information about the file, like file type, size, access time, creation time, etc. Some of this information can be valuable in a forensic investigation. In most cases, when a file is deleted its entry is removed from the allocation table but the bits on the disk remain. This can allow an investigator to recover some deleted files.

Acquiring a Disk Image In a criminal investigation it is important that no data on the disk be modified. To do this investigators use write-protection tools to ensure that no data is written back to the disk. The best kind of image to have is a bit by bit copy. In the case of most hard drives this is easy to attain, but in other kinds of electronics (especially phones) it can be harder to get. There are many tools both proprietary and open source that allow you to image a disk drive.

Analysis Once an image has been aquired the data needs to be analyzed. It is easy to go though and search allocated files since the allocation table tells you all the important details of each file. A carving algorithm is used to recover unallocated files. Once all these files have been acquired the investigator will search the drive for certain file types (for example: all.jpg files in a child pornography case), or certain keywords that might be of interest.

Carving Often times there is a lot of valuable evidence in the unallocated space on a drive. For this a carving algorithm must be used to analyze the data. These carving algorithms will check for known file headers or patterns. Simple algorithms will look for a file heading or unallocated file start and size entries in the allocation table then assume that all data is part of that file until it finds another known header or reaches the full size of the file. More complex algorithms will search for fragmented files by adding parts and testing to see if the file still follows the correct patterns. The more complex the algorithms the better the results, but the longer it will take to process the data.

The Sleuthkit Open source libraries, command line tools, and gui. Reads raw and formatted disk images. Supports the NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660 file systems Finds allocated and unallocated files. Shows all NTFS attributes. Can create timeline graphs using creation/modify/access times. Will show files hidden by rootkits.

Flash Memory In many cases data is stored in flash memory (solid state drives, phone memory cards, and built in memory). Flash memory has a special set of concerns the chief of which is the practice of wear leveling. Flash memory cells can only handle a limited number of reads and writes before they fail. Wear leveling is the practice of writing new data to cells that have not been written to recently instead of simply writing over the old data location. This way you don't have some cells die while others are barely used. This practice of wear leveling means that data will be more fragmented but also means that there could be old information that the user tried to overwrite still sitting in the memory.

Cell Phone Forensics Cell phones are becoming a more and more important part of people's lives and these phones are becoming more and more sophisticated. Cell phones analysis has special concerns. Because most phones are proprietary hardware and often proprietary software, it can be difficult or impossible to acquire a bit by bit copy of the memory. Even in cases when it is possible it can require you to modify the phone to get root access. This could invalidate the evidence in a court of law. It can also be difficult to analyze the data as the phone manufacturers might use non-standard file formats and the information may not be readily available. It is quite common for researchers to reverse engineer file formats so that investigators can use it.

Encryption The bane of forensic investigation. A well encrypted drive can be difficult or impossible to decrypt and analyze. Encrypted drives cannot even be carved into files since the encrypted data essentially looks completely random.

Questions?