COMP 2555: Principles of Computer Forensics
Autumn 2014
[Link]
L11: Analysis and Validation

1 Determining What Data to Analyze
! Examining and analyzing digital evidence depends on:
  ! Nature of the case
  ! Amount of data to process
  ! Search warrants and court orders
  ! Company policies
! Scope creep
  ! The investigation expands beyond its original description
2 Approaching Computer Forensics Cases
! Process the data methodically and logically
! Basic steps for all computer forensics investigations
  ! List all folders and files on the image or drive
  ! If possible, examine the contents of all data files in all folders
    ! Starting at the root directory of the volume partition
  ! For all password-protected files that might be related to the investigation
    ! Make your best effort to recover file contents
  ! Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
  ! Maintain control of all evidence and findings, and document everything as you progress through your examination

3 Using AccessData Forensic Toolkit
! Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
! FTK can analyze data from several sources, including image files from other vendors
! FTK produces a case log file
! Searching for keywords
  ! Indexed search
  ! Live search
  ! Supports options and advanced searching techniques, such as stemming, phonics, synonyms and fuzzy search
! Analyzes compressed files
! You can generate reports
  ! Using bookmarks
4 Validating with Hexadecimal Editors
! Advanced hexadecimal editors offer many features not available in computer forensics tools
  ! Such as hashing specific files or sectors
! Hex Workshop provides several hashing algorithms
  ! Such as MD5 and SHA-1
! Hex Workshop also generates the hash value of selected data sets in a file or sector

5 Validating with Forensics Programs
! Commercial computer forensics programs have built-in validation features
! Using hash values to discriminate data
  ! AccessData has a separate database, the Known File Filter (KFF)
    ! Filters known program files from view, such as [Link], and identifies known illegal files
    ! KFF compares known file hash values to files on your evidence drive or image files
    ! Periodically, AccessData updates these known file hash values and posts an updated KFF
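Slides 4 and 5 describe two uses of hashing: hashing a selected range of a file or a sector in a hex editor, and filtering files on an evidence image against a database of known-good and known-bad hashes (the KFF idea). Slide 2 adds the corresponding examination step, identifying every executable whose hash matches nothing known. The Python below is an added example written for these notes; it is not code from the course, from AccessData or from Hex Workshop. The sample files and the "known" hash sets are constructed in memory (the hash sets are computed from the sample bytes, so they stand in for a KFF, they are not real KFF entries).

```python
import hashlib

# Constructed sample "files" (bytes in memory) standing in for files on an evidence image.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00" + b"constructed stand-in for a stock system binary" * 20,
    "report.docx": b"PK\x03\x04" + b"constructed document body" * 20,
    "tool.exe": b"MZ\x90\x00" + b"constructed executable of unknown origin" * 20,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"constructed stand-in for a known illegal file" * 20,
}


def file_digests(data: bytes) -> dict:
    """MD5 and SHA-1 of a whole file, the two algorithms the slides name."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_range(data: bytes, offset: int, length: int, algo: str = "sha1") -> str:
    """Hash one selected range (for example a 512-byte sector) rather than the
    whole file, as a hex editor's 'hash selection' feature does."""
    return hashlib.new(algo, data[offset:offset + length]).hexdigest()


# Constructed stand-in for a KFF-style database: SHA-1 values of known-good
# program files and of known-bad files. Computed here from the sample bytes.
KNOWN_GOOD = {file_digests(SAMPLE_FILES["notepad.exe"])["sha1"]}
KNOWN_BAD = {file_digests(SAMPLE_FILES["photo.jpg"])["sha1"]}


def classify(data: bytes) -> str:
    """Known-bad takes priority over known-good; anything else is unknown."""
    sha1 = file_digests(data)["sha1"]
    if sha1 in KNOWN_BAD:
        return "known-bad"
    if sha1 in KNOWN_GOOD:
        return "known-good"
    return "unknown"


def triage(files: dict) -> dict:
    """Apply the filter to every file: known-good files drop out of the review
    queue, known-bad ones are flagged, the rest stay for manual examination."""
    return {name: classify(data) for name, data in files.items()}


def needs_manual_review(files: dict) -> list:
    """The slide-2 step: executables that match no known hash value."""
    return sorted(name for name, verdict in triage(files).items()
                  if verdict == "unknown" and name.lower().endswith(".exe"))


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
    print("executables needing review:", needs_manual_review(SAMPLE_FILES))
    d = SAMPLE_FILES["report.docx"]
    print("first 16 bytes of report.docx (sha1):", hash_range(d, 0, 16))
```

Hashing the whole file and hashing a selected range give different digests, which is why a hex editor's per-selection hash is useful for validating an individual sector against an image rather than the file that contains it. The filter deliberately checks known-bad before known-good so that a file present in both sets is never silently dropped from view.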
6 Data Hiding Techniques
! File manipulation
  ! Filenames and extensions
  ! Hidden property
  ! Segmentation
! Disk manipulation
  ! Hidden partitions
  ! Bad clusters
! Encryption
! Bit shifting
! Steganography
! Rootkits

7 File Manipulation
! Easiest method to hide data on a live file system
  ! Change the name or extension of the file in question
  ! Change the name to a very common one
    ! Much malware runs as [Link], which is a very common process name in Windows
  ! Change the extension and place the file in a folder with similar files
    ! Name your file [Link] and place it in WinNT/System32
    ! This folder is full of .dll files
    ! Even very experienced system administrators do not know the names of all the DLL files
! File signature analysis
  ! Identifying a file by looking inside it
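Slide 7 closes with the counter to renamed files: file signature analysis, identifying a file by its content rather than its name. The Python below is an added example for these notes, not code from the course or from any forensic product. It compares the family implied by a file's extension with the family implied by its header bytes and reports mismatches; the header values are the standard ones for those formats, and the sample directory listing is constructed in memory.

```python
from typing import Optional

# Header signatures ("magic bytes") for a few common formats. These are the
# standard values for those formats, not something taken from the slides.
MAGIC_TO_FAMILY = [
    (b"MZ", "pe"),                     # Windows executables, DLLs and drivers
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),            # also Office OOXML containers (.docx, .xlsx)
]

# What each extension claims the file is, expressed in the same families.
EXTENSION_TO_FAMILY = {
    "exe": "pe", "dll": "pe", "sys": "pe",
    "jpg": "jpeg", "jpeg": "jpeg",
    "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip",
}


def detect_family(data: bytes) -> Optional[str]:
    """Identify the file by looking inside it: first matching header wins."""
    for magic, family in MAGIC_TO_FAMILY:
        if data.startswith(magic):
            return family
    return None


def claimed_family(name: str) -> Optional[str]:
    """What the file name's extension says the file should be."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_TO_FAMILY.get(ext)


def check_file(name: str, data: bytes) -> str:
    """Compare the extension's claim with the content's signature.

    Returns "ok", "mismatch", or "no-signature" (content not recognised, so
    there is nothing to compare against; such files still need a closer look).
    A recognised header under an unknown or unrelated extension is a mismatch."""
    actual = detect_family(data)
    claimed = claimed_family(name)
    if actual is None:
        return "no-signature"
    if claimed != actual:
        return "mismatch"
    return "ok"


def mismatched(files: dict) -> list:
    """Names whose extension and content disagree, sorted for stable output."""
    return sorted(name for name, data in files.items()
                  if check_file(name, data) == "mismatch")


# Constructed sample files (bytes in memory) standing in for a directory listing.
SAMPLE_FILES = {
    "kernel32.dll": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,
    "holiday.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,   # executable renamed to look like a photo
    "q3-report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 58,
    "notes.txt": b"plain text has no magic header\n",
    "msvcrt2.dll": b"%PDF-1.4\n" + b"\x00" * 55,           # document stashed under a DLL-like name
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:16s} ext={claimed_family(name)!s:5s} "
              f"content={detect_family(data)!s:5s} -> {check_file(name, data)}")
    print("mismatches:", mismatched(SAMPLE_FILES))
```

The table maps extensions to families rather than to single formats so that a .dll and an .exe, which share the MZ header, are not reported as mismatches of each other. A real tool would carry far more signatures and also check trailers and internal structure, because a header alone can be forged.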
8 File Manipulation (contd.)
! Using the hidden property of files
  ! Almost every file system allows a file to be specified as hidden
  ! Windows: check box in file properties to specify as hidden
  ! Unix: any file name starting with a dot is hidden
  ! Not difficult to detect
    ! Either change system settings to display all files
    ! ls -a
    ! …

9 File Manipulation (contd.)
! File segmentation
  ! Back in the old DOS days, a large file had to be split so it could be carried on floppy diskettes
  ! Split a file into multiple segments of arbitrary size
  ! Store each segment in a separate location
    ! In the disk drive
    ! As an alternate data stream
    ! In the registry
10 Hiding Partitions
! Delete references to a partition using a disk editor
  ! Re-create links for accessing it
! Use disk-partitioning utilities
  ! GDisk
  ! PartitionMagic
  ! System Commander
  ! LILO

11 Hiding Partitions (contd.)
! Account for all disk space when analyzing a disk
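Slide 11's advice, account for all disk space, can be carried out mechanically: parse the partition table and list every run of sectors that no partition entry claims. A partition whose entry was deleted with a disk editor shows up as exactly such a run. The Python below is an added example for these notes, not course code; it builds a constructed MBR (classic 4-entry table, 512-byte sectors) and reports unclaimed space. It assumes a plain MBR disk and does not follow extended-partition chains or GPT.

```python
import struct

SECTOR_SIZE = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions) -> bytes:
    """Constructed MBR: zeroed boot-code area, four 16-byte entries, 0x55AA signature.
    `partitions` is a list of up to four (lba_start, sector_count, type_byte)."""
    table = b""
    for lba, count, ptype in partitions:
        table += struct.pack(ENTRY_FMT, 0x00, b"\x00\x00\x00", ptype,
                             b"\x00\x00\x00", lba, count)
    table += b"\x00" * 16 * (4 - len(partitions))
    return b"\x00" * 446 + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Return (lba_start, sector_count, type) for each used entry, sorted by start."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        _status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0 and count != 0:       # type 0x00 means an empty slot
            parts.append((lba, count, ptype))
    return sorted(parts)


def unaccounted_space(mbr: bytes, disk_sectors: int, min_gap: int = 4096) -> list:
    """Runs of sectors claimed by no partition entry, as (start, length), ignoring
    runs shorter than min_gap (small alignment gaps are normal). Sector 0 holds
    the MBR itself and is always accounted for."""
    gaps = []
    next_free = 1
    for lba, count, _ptype in parse_mbr(mbr):
        if lba - next_free >= min_gap:
            gaps.append((next_free, lba - next_free))
        next_free = max(next_free, lba + count)
    if disk_sectors - next_free >= min_gap:
        gaps.append((next_free, disk_sectors - next_free))
    return gaps


# Constructed disk: 2,000,000 sectors (~977 MiB) with an NTFS (0x07) and a Linux
# (0x83) partition, and two unexplained holes between and after them.
DISK_SECTORS = 2_000_000
TABLE = build_mbr([(2048, 1_000_000, 0x07), (1_500_000, 400_000, 0x83)])

if __name__ == "__main__":
    for lba, count, ptype in parse_mbr(TABLE):
        print(f"partition type 0x{ptype:02x}: sectors {lba}..{lba + count - 1}")
    for start, length in unaccounted_space(TABLE, DISK_SECTORS):
        print(f"unaccounted: {length} sectors from {start} "
              f"({length * SECTOR_SIZE / 2**20:.1f} MiB)")
```

The disk's true sector count must come from the device or the image size, not from the partition table, since the table is exactly the thing a suspect may have edited. Any reported run is then examined directly for a file system header.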
12 Marking Bad Clusters
! Common with FAT systems
! Place sensitive information on free space
! Use a disk editor to mark that space as a bad cluster
! To mark a good cluster as bad using Norton Disk Edit
  ! Type B in the FAT entry corresponding to that cluster
! In Linux, associate good blocks with the bad blocks inode

13 Bit-shifting
! Old technique
! Shift bit patterns to alter byte values of data
! Make files look like binary executable code
! Tools
  ! Hex Workshop
  ! WinHex
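The examiner's response to slide 12 is to treat clusters marked bad as evidence rather than as dead space: read the FAT, list the entries carrying the bad-cluster value, and look at what those clusters actually contain. The Python below is an added example for these notes, not course code. It builds a small constructed FAT16 table and data area (16 clusters of 512 bytes; 0xFFF7 is the FAT16 bad-cluster value) and flags bad clusters that hold readable text, which genuinely unreadable sectors would not.

```python
import struct

CLUSTER_SIZE = 512          # bytes per cluster in this constructed volume
FAT16_BAD = 0xFFF7          # FAT16 entry value meaning "bad cluster"
FIRST_DATA_CLUSTER = 2      # clusters 0 and 1 of a FAT are reserved


def build_fat16(n_clusters: int, bad=()) -> bytes:
    """Constructed FAT16 table: reserved entries, all data clusters free,
    except those in `bad`, which are marked as bad clusters."""
    entries = [0xFFF8, 0xFFFF] + [0x0000] * (n_clusters - 2)
    for c in bad:
        entries[c] = FAT16_BAD
    return struct.pack("<%dH" % n_clusters, *entries)


def bad_clusters(fat: bytes) -> list:
    """Cluster numbers whose FAT entry carries the bad-cluster marker."""
    n = len(fat) // 2
    return [c for c in range(FIRST_DATA_CLUSTER, n)
            if struct.unpack_from("<H", fat, 2 * c)[0] == FAT16_BAD]


def cluster_bytes(data_area: bytes, cluster: int) -> bytes:
    """The data-area bytes belonging to one cluster (data area starts at cluster 2)."""
    off = (cluster - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data_area[off:off + CLUSTER_SIZE]


def printable_ratio(chunk: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not chunk:
        return 0.0
    return sum(1 for b in chunk if 32 <= b < 127 or b in (9, 10, 13)) / len(chunk)


def suspicious_bad_clusters(fat: bytes, data_area: bytes, min_printable: float = 0.8) -> list:
    """Bad clusters that are neither empty nor noise but hold text-like content."""
    out = []
    for c in bad_clusters(fat):
        chunk = cluster_bytes(data_area, c)
        if any(chunk) and printable_ratio(chunk) >= min_printable:
            out.append(c)
    return out


# Constructed volume: 16 clusters, 14 of them in the data area. Cluster 5 is
# marked bad but holds a note, cluster 9 is marked bad and empty, cluster 12 is
# marked bad and holds binary noise.
N_CLUSTERS = 16


def build_data_area() -> bytes:
    area = bytearray(CLUSTER_SIZE * (N_CLUSTERS - FIRST_DATA_CLUSTER))
    note = b"CONSTRUCTED SAMPLE: notes stashed in a cluster marked bad\n"
    area[3 * CLUSTER_SIZE:4 * CLUSTER_SIZE] = note.ljust(CLUSTER_SIZE, b" ")   # cluster 5
    area[10 * CLUSTER_SIZE:11 * CLUSTER_SIZE] = bytes(range(256)) * 2          # cluster 12
    return bytes(area)


FAT = build_fat16(N_CLUSTERS, bad=(5, 9, 12))
DATA_AREA = build_data_area()

if __name__ == "__main__":
    print("marked bad:", bad_clusters(FAT))
    for c in bad_clusters(FAT):
        print(f"cluster {c}: printable ratio {printable_ratio(cluster_bytes(DATA_AREA, c)):.2f}")
    print("worth a closer look:", suspicious_bad_clusters(FAT, DATA_AREA))
```

FAT12 and FAT32 use 12-bit and 28-bit entries with their own bad-cluster values, so the parser above applies to FAT16 only. The printable-text heuristic is a first pass; hidden binary or compressed data in a "bad" cluster would pass it, so in practice every bad cluster that is not uniformly empty deserves carving or signature analysis.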
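Slide 13's bit shifting is easy to undo once the examiner suspects it, because a byte-wise rotation has only eight possible settings. The Python below is an added example for these notes, not course code and not a feature of Hex Workshop or WinHex: it applies a rotation to a constructed document, then recovers it by trying all eight rotations and stopping at the one that yields a recognisable file header (the header values used are the standard ones for those formats).

```python
from typing import Optional


def rotate_left(data: bytes, shift: int) -> bytes:
    """Rotate each byte left by `shift` bits (0-7). A rotation, unlike a plain
    shift, loses no bits, so it can be reversed exactly."""
    shift %= 8
    if shift == 0:
        return bytes(data)
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)


def rotate_right(data: bytes, shift: int) -> bytes:
    """Rotating right by n bits equals rotating left by 8 - n bits."""
    return rotate_left(data, (8 - shift % 8) % 8)


# Standard header bytes of a few formats an examiner would look for.
KNOWN_HEADERS = [b"MZ", b"%PDF-", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n"]


def recover_by_signature(data: bytes, headers=KNOWN_HEADERS) -> Optional[tuple]:
    """Try all eight rotations; return (shift, plaintext) for the first whose
    leading bytes match a known header, or None if none does."""
    for shift in range(8):
        candidate = rotate_left(data, shift)
        if any(candidate.startswith(h) for h in headers):
            return shift, candidate
    return None


# Constructed sample: a small "PDF" that was rotated right by 3 bits so that it
# no longer carries a recognisable header.
ORIGINAL = b"%PDF-1.4\nconstructed document disguised by bit shifting\n"
HIDDEN = rotate_right(ORIGINAL, 3)

if __name__ == "__main__":
    print("hidden bytes start:", HIDDEN[:8].hex())
    result = recover_by_signature(HIDDEN)
    if result is None:
        print("no rotation produced a known header")
    else:
        shift, plain = result
        print(f"recovered with left rotation by {shift}: {plain[:8]!r}")
```

Eight candidates is a small enough space to examine by hand, but the signature check makes the search automatic and also serves as a quick test on any unidentified blob: if one of the eight rotations produces a header, bit shifting is the likely explanation.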
14 Using Steganography to Hide Data
! Greek for “hidden writing”
! Steganography tools were created to protect copyrighted material
  ! By inserting digital watermarks into a file
! A suspect can hide information in image or text document files
  ! Most steganography programs can insert only small amounts of data into a file
  ! Very hard to spot without prior knowledge
! Tools: S-Tools, DPEnvelope, jpgx, and tte

15 What’s Common Between These?
16 Both Have This In There!!

17 Rootkits
! A collection of tools and utilities that masks the presence of malicious activity in a system
! An attacker may devote a great deal of time to compromising a system
  ! And would want to keep the obtained privileges as long as possible
! Replace system binaries to report that everything is normal
  ! Example: listing processes will not show processes created by the attacker
! Hook APIs
  ! Example: filter the output of common programs
! Rootkits operating at the kernel level are very dangerous
  ! The core functionality of the operating system becomes questionable
18 Rootkits (contd.)
! Detection involves obtaining multiple perspectives of the problem and looking for inconsistencies
  ! Look for known rootkit files
  ! Use different tools to obtain running process lists
    ! Different tools generate the lists using different techniques
    ! Rootkit processes may show up on one
  ! Analyze installed services (both running and halted)
  ! Analyze the registry for errant services
  ! Analyze the system from a remote system
    ! Some hooked APIs can be bypassed this way
  ! Use tools to monitor system files added/deleted
! Prevention is better than cure!

19 Recovering Passwords
! Techniques
  ! Dictionary attack
  ! Brute-force attack
  ! Password guessing based on the suspect’s profile
! Many systems do not store passwords directly, but their hashes
  ! Knowing the hash can make recovery attempts faster
! Tools
  ! AccessData PRTK
  ! Advanced Password Recovery Software Toolkit
  ! John the Ripper
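Slide 18's detection idea, collect the same information by several independent methods and look for disagreements, is what rootkit detectors call cross-view comparison. The Python below is an added example for these notes, not course code. The three process views are constructed for one hypothetical host: a user-space listing (as ps prints it), a walk of the /proc directory, and a probe of every pid in range (as a tool that signals each pid would obtain it), which does not depend on the directory listing a hooked readdir could filter. The functions report pids missing from some views and pids reported under conflicting names.

```python
# Constructed process views of one hypothetical host. Values are process names;
# "?" means the method only establishes that the pid exists.
VIEWS = {
    "ps": {1: "init", 612: "sshd", 800: "cron", 955: "sshd", 1203: "bash"},
    "proc_walk": {1: "init", 612: "sshd", 800: "cron", 955: "nc", 1203: "bash"},
    "pid_probe": {1: "init", 612: "sshd", 800: "cron", 955: "?", 1203: "bash", 1337: "?"},
}


def cross_view(views: dict) -> dict:
    """{pid: sorted names of views that do not show it} for every pid that is
    absent from at least one view. A pid visible to the probe but missing from
    ps and the /proc walk is the classic hidden-process signature."""
    all_pids = set().union(*(set(v) for v in views.values()))
    findings = {}
    for pid in sorted(all_pids):
        missing = sorted(name for name, procs in views.items() if pid not in procs)
        if missing:
            findings[pid] = missing
    return findings


def name_conflicts(views: dict, unknown: str = "?") -> dict:
    """{pid: {view: name}} for pids that several views show under different
    names, ignoring views that only know the pid exists. A replaced ps binary or
    a hooked API that rewrites output tends to produce exactly this."""
    conflicts = {}
    all_pids = set().union(*(set(v) for v in views.values()))
    for pid in sorted(all_pids):
        names = {view: procs[pid] for view, procs in views.items()
                 if pid in procs and procs[pid] != unknown}
        if len(set(names.values())) > 1:
            conflicts[pid] = names
    return conflicts


def is_consistent(views: dict) -> bool:
    """True only when every view agrees on which pids exist and what they are."""
    return not cross_view(views) and not name_conflicts(views)


if __name__ == "__main__":
    for pid, missing in cross_view(VIEWS).items():
        print(f"pid {pid} hidden from: {', '.join(missing)}")
    for pid, names in name_conflicts(VIEWS).items():
        print(f"pid {pid} reported as: {names}")
    print("consistent:", is_consistent(VIEWS))
```

A disagreement is a lead, not proof: processes start and exit between snapshots, so each view should be taken as close together as possible and a finding re-checked before it is treated as a hidden process. The same comparison applies to the slide's other items, services and files, by substituting service or directory listings for the process maps.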
20 Performing Remote Acquisitions
! Remote acquisitions are handy when you need to image the drive of a computer far away from your location
  ! Or when you don’t want a suspect to be aware of an ongoing investigation
! Remote acquisition software follows a client-server model to exchange information
  ! The server component runs on the suspect machine, providing a portal into it
  ! The client component talks to the server and pulls the information to the target machine

21 References
! Ch 9: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9