Published by Lesley Summers. Modified over 7 years ago.
Digital Forensics: Procedure and Tool Demonstrations
Dr. Sheau-Dong Lang (郎小棟), Visiting Professor (Sept. 16 – Oct. 26, 2016), Department of Information Management, Chang Gung University
Outline
The process of handling digital evidence
AccessData's FTK Imager (a tool for duplicating hard disks)
X-Ways Forensics (a tool for forensic examination)
An example of an examination report
Some notes on writing forensic (and examination) reports
Q&A
The Process of Handling Digital Evidence
(1) Preservation, (2) Identification, (3) Extraction, (4) Examination, (5) Reporting/Interpretation: the chain runs from the crime scene to the courtroom.
The Process of Handling Digital Evidence (cont'd)
Preservation: acquiring evidence without tampering; chain of custody; transport and storage; collecting data within legal constraints (e.g., according to a search warrant).
Identification: labeling each item of evidence; bagging and tagging; identifying each item with the case number, a description, the date/time of collection, and the signatures of the handlers.
Forensic Disk Imaging
Use a tool (such as AccessData's FTK Imager) to make a bit-stream duplicate of the hard disk, verify that the hash of the image matches the hash of the source disk, then save the acquired image file(s) to a server or forensic station before any examination begins. Put a hardware write blocker between the subject's hard disk and the examiner's forensic computer so that no write operation can reach the subject's disk; all examination is then done on the image, never on the original.
Tableau Forensic Bridge (about US $300): a hardware write blocker placed between the subject drive (the original) and the forensic computer.
Touch Screen Forensic Imager: the Tableau TD3 imager (US $2150), imaging the original drive to a copy on a local hard drive.
AccessData’s FTK Imager: A (Free) Commercial Drive Imaging Tool
1. Connect the subject drive to the forensic computer through a hardware write blocker.
2. Start FTK Imager with "Run as administrator".
3. Under the File menu choose "Create Disk Image" > "Physical Drive", then select the physical drive that corresponds to the subject drive. (Choose "Physical Drive" for a flash or hard drive, but "Logical Drive" for a floppy disk.)
4. Click "Finish", then click "Add" and choose the "Raw (dd)" format or the "E01" (compressed) format; pick a folder and a file name on the forensic computer. Make sure the computer has enough free disk space for the image.
5. Enter 0 for Image Fragment Size (MB) if a single, unfragmented image file is wanted; leave "Verify images after they are created" selected so that FTK Imager hashes both the source and the image and reports whether they match; then start the imaging process. This takes under a minute for a floppy but longer for a flash or hard drive, depending on its size.
6. When imaging completes, the chosen folder holds either a raw image file with extension .001 (several files .001, .002, ... if fragmented) or one or more E01, E02, ... files under the file name you entered, plus a text log file with the same file name and the .txt extension that records both the MD5 and the SHA-1 hash values of the image and the verification result.
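The verification in step 5 is something an examiner should also be able to repeat later, on the stored copy, without the imaging tool. The script below is an added example (not from the lecture and not AccessData's code): it re-hashes a raw (dd) image, following the .001/.002/... fragment naming, and compares the result with the MD5 and SHA-1 values recorded in the acquisition log. It assumes the log carries lines of the form "MD5 checksum: <hex>" and "SHA1 checksum: <hex>"; E01 images are a compressed container with their own embedded hashes and are out of scope here. The self-check builds a constructed two-fragment image, verifies it, then flips one bit to show that the check fails.

```python
"""Added example: re-verify a raw (dd) image, possibly fragmented into
evidence.001, evidence.002, ..., against the MD5/SHA-1 values that the imaging
tool wrote to its acquisition log. The log line layout is an assumption."""
import glob
import hashlib
import os
import re
import tempfile

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a multi-GB image never sits in RAM


def image_segments(first_segment):
    """Return the raw-image fragment files in order. A '.001' extension means the
    image was fragmented (evidence.001, evidence.002, ...); anything else is one file."""
    base, ext = os.path.splitext(first_segment)
    if re.fullmatch(r"\.\d{3}", ext):
        return sorted(glob.glob(glob.escape(base) + ".[0-9][0-9][0-9]"))
    return [first_segment]


def hash_image(first_segment):
    """MD5 and SHA-1 of the concatenated fragments, i.e. of the bit-stream itself,
    not of any single fragment file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in image_segments(first_segment):
        with open(seg, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


# Assumed log layout: "MD5 checksum: <32 hex>" and "SHA1 checksum: <40 hex>".
HASH_LINE = re.compile(r"\b(MD5|SHA1)\s+checksum:\s*([0-9A-Fa-f]{32,40})\b")


def parse_acquisition_log(text):
    """Pull the recorded hashes out of the log text; keys are 'MD5' and 'SHA1'."""
    return {algo.upper(): value.lower() for algo, value in HASH_LINE.findall(text)}


def verify_image(first_segment, log_text):
    """True only if both recorded hashes are present and equal the recomputed ones."""
    expected = parse_acquisition_log(log_text)
    md5, sha1 = hash_image(first_segment)
    return expected.get("MD5") == md5 and expected.get("SHA1") == sha1


def self_check():
    """Constructed data, not evidence: build a two-fragment image, log its hashes
    the way an acquisition tool would, verify, then flip one bit and verify again.
    Returns (clean_image_verified, tampered_image_verified), expected (True, False)."""
    data = bytes(range(256)) * 4096  # 1 MiB of deterministic content
    with tempfile.TemporaryDirectory() as d:
        first = os.path.join(d, "evidence.001")
        second = os.path.join(d, "evidence.002")
        with open(first, "wb") as fh:
            fh.write(data[: len(data) // 2])
        with open(second, "wb") as fh:
            fh.write(data[len(data) // 2 :])
        log = ("[Computed Hashes]\n MD5 checksum:    %s\n SHA1 checksum:   %s\n"
               % (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()))
        clean = verify_image(first, log)
        with open(second, "r+b") as fh:  # one flipped bit deep inside fragment 2
            fh.seek(4000)
            b = fh.read(1)[0]
            fh.seek(4000)
            fh.write(bytes([b ^ 0x01]))
        tampered = verify_image(first, log)
    return clean, tampered


if __name__ == "__main__":
    print(self_check())
```

Run it against a real acquisition as verify_image("evidence.001", open("evidence.001.txt").read()) and record the outcome in the examination notes; a mismatch means the stored copy is not the acquired bit-stream and must not be examined until the discrepancy is explained.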
AccessData's FTK Imager: Options under the File Menu
AccessData's FTK Imager: File > Add All Attached Devices
Select "Add All Attached Devices" to show both the physical and the logical drives connected to a live Windows system.
AccessData's FTK Imager: Explore the File System
Browsing the file system of the E: drive.
AccessData's FTK Imager: Some Useful Features
FTK Imager can "mount" an acquired image as one drive or several, depending on whether the image holds multiple partitions; mount it read-only so the image file itself stays unchanged.
FTK Imager Lite is portable: it runs from a flash drive without being installed on the host computer.
FTK Imager can convert an image file from one image format to another.
FTK Imager can browse all connected drives and "export" files or folders even when they are "locked" on a live system.
FTK Imager can capture the RAM of a live Windows system, which can then be analyzed with Volatility or Memoryze. Capturing memory necessarily changes the state of the live system, so note what was run and when.
FTK Imager User Guide:
The Process of Handling Digital Evidence, steps 3/4
Extraction/examination: authenticating evidence using hashes (MD5, SHA-1); using tools and established procedures for data analysis; keyword searches; hex and graphics viewers; establishing a timeline of events; corroborating evidence; attempting to answer the 5W1H questions of who, what, when, where, why and how. (MD5 and SHA-1 are still what most imaging tools log, but neither is collision-resistant any more; where the tool offers it, record SHA-256 alongside them.)
Forensic Workstation: FRED from Digital Intelligence
All FRED (Forensic Recovery of Evidence Device) systems include the UltraBay, front-panel connections and removable drive trays; data can be acquired directly from an evidence drive through the integrated write blockers. Prices of the various models range from $6000 to $11500.
A Hypothetical Case
You are working as a forensic examiner intern in a computer forensics service company. A local firm, UCF (Universal Consulting Firm), has asked your company to perform a forensic examination of a thumb drive left behind by an ex-employee after he resigned. The ex-employee, Mr. Shark Byte, was alleged to have been running online bingo games in the office during normal business hours in April and May. Complaints sent to the office manager by several colleagues alleged that Mr. Byte profited by cheating at the bingo games through manipulation of the game software. UCF's IT support personnel examined Mr. Byte's office computer equipment but found no evidence related to bingo games apart from the contents of an encrypted drive. After several meetings with the office manager and UCF's Human Resources department, and after refusing to give up the password for the encrypted drive, Mr. Byte resigned in early June. UCF nevertheless wants to pursue legal action against Mr. Byte for allegedly abusing company time by organizing and playing bingo games at work.
A Hypothetical Case, cont'd
After his departure, UCF's IT staff found a thumb drive on Mr. Byte's office bookshelf. The thumb drive is black and carries no label giving its make or model. UCF's IT department examined the condition of the thumb drive, then submitted it to your company seeking assistance in recovering evidence relevant to the case under investigation. Your company's intern supervisor conducted a quick preview of the drive by connecting it through a hardware write blocker to a forensic workstation. After the preview, your supervisor identified a FAT16 partition on the drive as being of particular interest. The FAT16 partition was acquired and saved in raw (dd) format, and the hash values of the acquired image were verified.
X-Ways User Interface (from the X-Ways User Manual)
X-Ways File and Folder Icons and Interpretation
Examination of the hypothetical case: under Case Data, select File > Create New Case, then File > Add Image to import the acquired image file.
Examination (cont'd): to filter in pictures, under Type click Picture (see below), then select Activate.
Examination (cont'd): to look for embedded data, under Specialist click "Uncover embedded data in various types" (see below), then select Activate.
Examination (cont'd): the result of the previous step, with one additional embedded file found.
Examination (cont'd): select an item, right-click and choose "Explore recursively" to see all descendant files and folders.
Examination (cont'd): open the file "?eet.doc". The leading "?" is how X-Ways shows the first character of a deleted entry's name: FAT overwrites that byte with 0xE5 when a file is deleted, so the original letter cannot be recovered from the directory entry itself.
Examination (cont'd): viewing Joe.zip > Joe.doc reveals a password-protected file.
Examination (cont'd): select Bad clusters and scroll through the area to find text that appears to be a message from "Shark" to "Joe" (see below). Clusters marked bad in the FAT are never allocated to files, which makes them a classic hiding place worth checking.
Examination (cont'd): select Volume slack (the sectors between the end of the last full cluster and the end of the partition, which the file system never allocates) and scroll through the area to find text that appears to be a password, "2102OgniB" (see below).
Examination (cont'd): under Specialist, select "Gather Slack Space". File slack is the tail of each file's last cluster beyond the end of the file; it may still hold data from whatever previously occupied the cluster.
Examination (cont'd): scroll down the gathered slack space to find text that appears to be another password, "OgniB2102" (see below).
Examination (cont'd): the password "OgniB2102" opens the password-protected file "Joe.doc" (see below). Record both candidate passwords, where each was found, and which one worked.
Examination (cont'd): export the directory structure of the partition (right-click, select "Export Subtree").
Examination (cont'd): select the image (FAT16Partition.E01), Explore recursively, then sort by type and locate the file "Balance.ods", which may be viewed with Microsoft Excel.
Examination (cont'd): under Search > Simultaneous Search, enter three keywords (one per line): Joe, Shark, Byte; multiple hits are found.
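The X-Ways steps above (listing a FAT16 partition including its deleted entries, gathering file slack, reading volume slack, and a simultaneous keyword search) can all be reproduced by hand from the raw image, which is a useful cross-check when a finding has to be explained in a report. The following is an added example, not the lecture's or X-Ways' code: a minimal FAT16 reader that parses the BIOS parameter block, walks FAT cluster chains, returns each file's slack and the volume slack, and searches for keywords in ASCII and UTF-16LE. The image it works on is constructed in build_image() with planted strings mirroring the case ("OgniB2102" in file slack, "2102OgniB" in volume slack, a deleted "?EET.DOC"); it is not real evidence, and the file names and contents are assumptions for the demonstration.

```python
"""Added example: a minimal FAT16 reader that does by hand what the slides do in
X-Ways: list root-directory entries (including deleted ones), walk FAT chains,
gather file slack and volume slack, and run a simultaneous keyword search.
The image is constructed in build_image() and is not real evidence."""
import struct


def dirent(name8, ext3, first_cluster, size, attr=0x20):
    """One 32-byte FAT directory entry (8.3 name, attribute, first cluster, size)."""
    e = bytearray(32)
    e[0:8], e[8:11], e[11] = name8, ext3, attr
    struct.pack_into("<HI", e, 26, first_cluster, size)
    return e


def build_image():
    """Constructed 66-sector FAT16 volume: 512-byte sectors, 4-sector clusters,
    1 reserved sector, 2 FATs of 1 sector each, 16 root entries, 15 full data
    clusters and 1024 bytes of volume slack after the last full cluster."""
    bps, spc, reserved, nfats, root_entries, spf, total = 512, 4, 1, 2, 16, 1, 66
    img = bytearray(bps * total)
    img[0:3], img[3:11], img[54:62], img[510:512] = b"\xEB\x3C\x90", b"MSWIN4.1", b"FAT16   ", b"\x55\xAA"
    struct.pack_into("<HBHBHHBH", img, 11, bps, spc, reserved, nfats, root_entries, total, 0xF8, spf)
    fat = bytearray(bps)
    # entries 0-1 reserved; cluster 2 = EOC (JOE.TXT); 3 -> 4 -> EOC (BALANCE.ODS); 5 free (deleted file)
    struct.pack_into("<HHHHH", fat, 0, 0xFFF8, 0xFFFF, 0xFFFF, 4, 0xFFFF)
    for i in range(nfats):
        img[(reserved + i) * bps:(reserved + i + 1) * bps] = fat
    root = (reserved + nfats * spf) * bps
    data, cl = root + root_entries * 32, spc * bps
    joe = b"Joe, the pot is split tonight after the office game. -Shark"
    balance = b"BALANCE:" + b"0123456789" * 299 + b"END"  # 3001 bytes: cluster 3 full, 953 bytes of cluster 4
    sheet = b"Bingo sheet: B12 I19 N33 G52 O71"
    img[data:data + len(joe)] = joe                                          # cluster 2
    img[data + 900:data + 918] = b"password OgniB2102"                       # planted in JOE.TXT's file slack
    img[data + cl:data + cl + len(balance)] = balance                        # clusters 3 and 4
    img[data + 2 * cl + 1500:data + 2 * cl + 1518] = b"Joe owes Shark 250"  # slack of cluster 4
    img[data + 3 * cl:data + 3 * cl + len(sheet)] = sheet                    # cluster 5, owned by the deleted entry
    img[data + 15 * cl + 300:data + 15 * cl + 309] = b"2102OgniB"            # volume slack, past cluster 16
    entries = (dirent(b"JOE     ", b"TXT", 2, len(joe)) + dirent(b"BALANCE ", b"ODS", 3, len(balance))
               + dirent(b"\xE5EET    ", b"DOC", 5, len(sheet)))  # 0xE5 first byte marks a deleted entry
    img[root:root + len(entries)] = entries
    return img


def parse_bpb(img):
    """Geometry from the BIOS parameter block at offset 11 of the boot sector."""
    bps, spc, reserved, nfats, root_entries, total16, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    total = total16 or struct.unpack_from("<I", img, 32)[0]
    root_start = (reserved + nfats * spf) * bps
    data_start = root_start + ((root_entries * 32 + bps - 1) // bps) * bps
    cluster_bytes = spc * bps
    return dict(fat_off=reserved * bps, root_start=root_start, root_entries=root_entries,
                data_start=data_start, cluster_bytes=cluster_bytes,
                n_clusters=(total * bps - data_start) // cluster_bytes, total_bytes=total * bps)


def cluster_offset(geo, c):
    return geo["data_start"] + (c - 2) * geo["cluster_bytes"]  # data clusters are numbered from 2


def fat_chain(img, geo, first):
    """Follow 16-bit FAT entries until an end-of-chain (>= 0xFFF8), a free/bad
    entry, an out-of-range cluster, or a loop (a deleted file's chain stops at once)."""
    chain, c = [], first
    while 2 <= c < 0xFFF8 and c - 2 < geo["n_clusters"] and c not in chain:
        chain.append(c)
        c = struct.unpack_from("<H", img, geo["fat_off"] + 2 * c)[0]
    return chain


def root_dir(img, geo):
    """Root directory entries; deleted ones are kept and shown with '?' as X-Ways does."""
    out = []
    for i in range(geo["root_entries"]):
        e = img[geo["root_start"] + 32 * i:geo["root_start"] + 32 * i + 32]
        if e[0] == 0:
            break  # no entries past this point
        if e[11] & 0x08:
            continue  # volume label (0x08) or long-name entry (0x0F)
        deleted = e[0] == 0xE5
        name = (b"?" + e[1:8] if deleted else e[0:8]).decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        first, size = struct.unpack_from("<HI", e, 26)
        out.append(dict(name=name + ("." + ext if ext else ""), deleted=deleted, first=first, size=size))
    return out


def file_slack(img, geo, entry):
    """Bytes after the logical end of file in the last cluster of its chain."""
    chain = fat_chain(img, geo, entry["first"])
    if not chain:
        return b""
    used = min(max(entry["size"] - (len(chain) - 1) * geo["cluster_bytes"], 0), geo["cluster_bytes"])
    last = cluster_offset(geo, chain[-1])
    return bytes(img[last + used:last + geo["cluster_bytes"]])


def gather_slack(img, geo):
    return {e["name"]: file_slack(img, geo, e) for e in root_dir(img, geo)}


def volume_slack(img, geo):
    """Sectors after the last full cluster up to the end of the partition."""
    return bytes(img[geo["data_start"] + geo["n_clusters"] * geo["cluster_bytes"]:geo["total_bytes"]])


def keyword_search(buf, keywords):
    """Case-sensitive simultaneous search for each keyword in ASCII and UTF-16LE;
    returns sorted (offset, keyword, encoding) hits over the whole buffer."""
    hits = []
    for kw in keywords:
        for enc, needle in (("ascii", kw.encode()), ("utf-16le", kw.encode("utf-16-le"))):
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, kw, enc))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)
```

Running root_dir, gather_slack, volume_slack and keyword_search over the constructed image reproduces the findings of the walkthrough: the deleted entry appears as "?EET.DOC", "OgniB2102" sits in JOE.TXT's file slack, "2102OgniB" sits in the 1024 bytes of volume slack, and the hits for "Shark" and "Joe" include one inside slack rather than inside any live file, which is exactly the kind of location an examination report has to spell out.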
The Process of Handling Digital Evidence, steps 5/6
Reporting/documentation: the actions taken during the investigation, the findings, and the composition of forensic reports.
Interpretation: testifying and presenting in court, as an examiner or as an expert rendering opinions if needed.
See the attached sample examination report for the hypothetical case above. A template for writing a forensic report is also attached.
Some Notes on Forensic (and Examination) Reports, and Q&A
A forensic (examination) report usually has to follow a prescribed format, although the format may differ from one organization to another.
A forensic (examination) report usually goes through peer review and supervisor approval before it is formally submitted.
An examination report is usually written in the first person ("I", or "this examiner").
The examination report documents the relevant digital evidence found, including the tools used and the important examination steps; but the report must never name a person as having done a particular thing at a particular time (you can never put a person behind the computer keyboard).
A forensic report used in a criminal case usually reports only "facts"; the examiner does not express an opinion.
Thank You! Q&A