possible locations of valuable digital forensic information, as well as collection and storage options in laymen’s language

Project #2 Information is not finished.

(1-2 pages in length) that summarizes possible locations of valuable digital forensic information, as well as collection and storage options in laymen’s language. For each location described, include a short description of the following:

  1. Area
  2. Types of data that can be found there
  3. Reasons why the data has potential value to an investigation in general, and for this case in particular

The locations to be addressed are: USB sticks, RAM and swap space, and operating system hard disks.

Also describe possible digital evidence storage formats (raw, E01 (ewf), and AFF), the advantages and disadvantages of each, and how digital forensic images are collected (local and remote, memory and disk) and verified.

Image files can be created using different software and hardware tools in different standard formats. What are some of the common formats and software used to create the images?

The importance of hash functions was introduced in the context of validating the acquired electronic evidence but what exactly is a hash function and are there other uses for hash functions during the forensic process?

A hash function is a mathematical algorithm that takes an input of any size and produces an output of fixed length, called a message digest, which serves as a practically unique fingerprint of the input. Given the same input, the hash function always produces the same digest. However, changing even a single byte of the input produces an entirely different digest.

What makes a hash “secure”?

There are many different hash functions available such as MD5, SHA-1, SHA-256, etc. Which of the hash functions are recommended or are part of published government standards?

Are some hash functions stronger or more secure than others?

Hash functions are used during many different forensic activities. What are these activities other than the initial acquisition and image validation?

Regardless of whether you are performing a live or static/dead acquisition, is it always necessary to perform a bit-by-bit copy of the entire drive?

If not, how does this impact your ability to verify and validate the acquisition?

Do you create a bit-by-bit clone of the disk or create a single image file that represents the source disk?

Some of the choices facing the forensic analysts are as follows: (1) create a bit-by-bit clone of the original source, (2) create a single image file from the original source, or (3) allow the examiner to select the files and folders from the source to be acquired. Since a hash can be calculated for an entire drive or a single file, the examiner will still be able to validate the acquisition.

What are some of the features that may exist within common forensics software tools for creating multiple image files? Why might it be necessary or desirable to create multiple image files during acquisition?
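The three hash properties described above (fixed-length output, determinism, and a completely different digest after a one-byte change) and the two ways of validating an acquisition (one digest over a whole clone or image, or a per-file hash set when only selected files are acquired) can be shown with a few lines of Python. This is an added example, not part of the original text; it uses the standard `hashlib` module, and the "drive" and its files are constructed byte strings rather than real evidence.

```python
"""Added example: hash properties and acquisition validation with hashlib.
The sample drive below is constructed for the demo, not real evidence."""
import hashlib

# Constructed sample: a tiny "source drive" made of three files laid end to end.
FILES = {
    "report.docx": b"quarterly numbers: 1,204,551",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,
    "notes.txt": b"meeting with vendor on tuesday",
}
SOURCE_DRIVE = b"".join(FILES.values())


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data; its length depends only on the algorithm, not the input."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_length_is_fixed(algorithm: str = "sha256") -> bool:
    """Property 1: a 0-byte input and a 1 MiB input give digests of equal length."""
    return len(digest(b"", algorithm)) == len(digest(b"A" * 1_048_576, algorithm))


def is_deterministic(data: bytes) -> bool:
    """Property 2: hashing the same input twice gives the same digest."""
    return digest(data) == digest(data)


def bits_changed_by_one_bit(data: bytes) -> int:
    """Property 3 (avalanche effect): flipping one input bit changes roughly half
    of the 256 digest bits, so the two digests look unrelated."""
    mutated = bytearray(data)
    mutated[0] ^= 0x01
    before = int(digest(bytes(data)), 16)
    after = int(digest(bytes(mutated)), 16)
    return bin(before ^ after).count("1")


def verify_full_image(source: bytes, image: bytes) -> bool:
    """Choices (1) and (2): one digest over the whole drive validates a clone or image."""
    return digest(source) == digest(image)


def hash_set(files: dict) -> dict:
    """Choice (3): selective acquisition is validated with one digest per file."""
    return {name: digest(data) for name, data in files.items()}


def verify_selected_files(original: dict, acquired: dict) -> list:
    """Names of acquired files whose digest does not match the original's hash set."""
    expected = hash_set(original)
    return [name for name, data in acquired.items() if digest(data) != expected.get(name)]


if __name__ == "__main__":
    print("fixed length:", digest_length_is_fixed())
    print("avalanche, digest bits changed:", bits_changed_by_one_bit(SOURCE_DRIVE))
    print("full image verifies:", verify_full_image(SOURCE_DRIVE, bytes(SOURCE_DRIVE)))
    tampered = {**FILES, "notes.txt": b"meeting with vendor on monday"}
    print("files that fail validation:", verify_selected_files(FILES, tampered))
```

`hashlib.new("md5", ...)` or `"sha1"` works the same way, which makes it easy to compare digest lengths across the algorithms named later on the page; the validation logic does not change, only the strength of the algorithm behind it.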

What does it mean to sterilize forensic media?

What is the difference between formatting and wiping?

Before acquiring electronic evidence, the device that will store the acquired evidence must be clean and free of any data and files that are not part of the investigation. Often, new hard drives come preloaded with drivers and utility software, or a hard drive is being reused from some earlier purpose.

According to the US Department of Justice, forensically clean is defined as “digital media that are completely wiped of nonessential and residual data, scanned for viruses, and verified before use.” But, what is the difference between formatting and wiping?

Are there different types of formatting and wiping that may result in a disk drive that is more or less “clean”?

Both formatting and wiping make it appear as if all files and content are removed from the disk. However, they are very different processes. What is the difference?

Formatting may not actually physically remove any of the files at all. Wiping is an entirely different process that is meant to ensure that the files have actually been removed or overwritten with blank or initialization data, such that they are unrecognizable and cannot be recovered.
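The difference between formatting and wiping can be made concrete with a toy disk model: a file table that records where each file starts, and a separate data area holding the contents. A quick format rewrites only the table, so a carving pass that reads the data area directly still recovers the text; a wipe overwrites every data block first. This is an added example, not from the original page; the disk layout, block size and sample file contents are all constructed for the demonstration.

```python
"""Added example: a constructed disk model showing why a quick format leaves
file contents recoverable while a wipe does not."""
import re

BLOCK_SIZE = 16      # bytes per block (constructed, tiny for readability)
DATA_BLOCKS = 8      # size of the data area in blocks


class ToyDisk:
    """Constructed model: a file table (name -> (first block, length)) plus raw data blocks."""

    def __init__(self):
        self.table = {}
        self.data = bytearray(BLOCK_SIZE * DATA_BLOCKS)
        self.next_free = 0

    def write(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // BLOCK_SIZE)          # ceiling division
        if self.next_free + needed > DATA_BLOCKS:
            raise ValueError("disk full")
        offset = self.next_free * BLOCK_SIZE
        self.data[offset:offset + len(content)] = content
        self.table[name] = (self.next_free, len(content))
        self.next_free += needed

    def read(self, name: str) -> bytes:
        start, length = self.table[name]
        offset = start * BLOCK_SIZE
        return bytes(self.data[offset:offset + length])

    def quick_format(self) -> None:
        """Format: only the file table is reset; the data blocks are not touched."""
        self.table = {}
        self.next_free = 0

    def wipe(self, pattern: bytes = b"\x00", passes: int = 1) -> None:
        """Wipe: overwrite every data block with the pattern, then reset the table."""
        for _ in range(passes):
            filler = pattern * (len(self.data) // len(pattern) + 1)
            self.data[:] = filler[:len(self.data)]
        self.table = {}
        self.next_free = 0


def carve_text(disk: ToyDisk, min_len: int = 8) -> list:
    """Recovery by carving: scan the raw data area for printable ASCII runs,
    ignoring the file table entirely (this is what makes formatted data recoverable)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, bytes(disk.data))]


def demo() -> dict:
    """Write two files, then compare what carving recovers after a format and after a wipe."""
    disk = ToyDisk()
    disk.write("forecast.txt", b"quarterly sales forecast draft")   # constructed contents
    disk.write("todo.txt", b"call vendor about invoice")
    result = {"listed_before": sorted(disk.table)}
    disk.quick_format()
    result["listed_after_format"] = sorted(disk.table)
    result["carved_after_format"] = carve_text(disk)
    disk.wipe(b"\x00")
    result["carved_after_wipe"] = carve_text(disk)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```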

However, is destruction of a drive the only truly reliable method of removing all files and data from a hard drive?

What is “swap space” and how might the volatility of this source of electronic evidence compare with that of disk storage or RAM? How might RAM and swap space differ by operating system, such as Windows and Linux?

Since swap space is just an extension of RAM temporarily stored on the hard disk, swap space should also be included in investigations and treated similarly to RAM.

In terms of malware analysis and detection, there are many forms of malware that only exist in memory or RAM. Overlooking acquisition of volatile memory may result in overlooking critical evidence.

What tools are available to perform volatile analysis?

Do these tools differ by operating system, or are some tools available for multiple operating systems? Regardless of the tool, it is critical that the examiner understand how the tool may affect volatile memory and/or disk. For example, does the tool require that a driver be installed on the target device? If so, how may this affect the investigation and digital evidence?

What steps must a forensic analyst take before imaging a disk drive? Once an analyst takes possession of a drive, what preparation is needed before imaging the disk?

The detailed steps or operating system commands will vary by system, but the process will be similar. Assuming the drive is a physical one, not a shared “cloud” drive, and the analyst performs a live imaging process in Linux, the drive must not be mounted.

Some drives are very large, so the destination drive for the image must have enough space to accommodate the drive being imaged. In addition, the operating system used to create the image must support image files at least as large as the source drive.

What are some of the specific Linux operating system commands used to create an image? How do you mount and unmount a drive in Linux?
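The two preparation steps above, confirming the source is not mounted and then copying it block by block, can be modelled in Python. The copy loop follows the semantics of `dd if=<device> of=<image> bs=4096 conv=noerror,sync` (a read error does not stop the copy, and the unreadable block is replaced with zeros so later blocks keep their offsets), and the mount check parses the text of `/proc/mounts`, which is what `mount` and `findmnt` read on Linux. This is an added example, not the page's own procedure: the device, its unreadable block and the `/proc/mounts` sample are all constructed, and nothing here touches real hardware.

```python
"""Added example: a dd-style block imager with noerror/sync semantics and a
/proc/mounts check.  The device and mount table below are constructed."""
import hashlib

BLOCK_SIZE = 4096


def mount_points(device: str, proc_mounts: str) -> list:
    """Mount points of `device` or any of its partitions, parsed from the text of
    /proc/mounts (fields: source target fstype options dump pass).  An empty
    list means nothing is mounted; otherwise `umount <target>` before imaging."""
    points = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith(device):
            points.append(fields[1])
    return points


def acquire(read_block, total_blocks: int, block_size: int = BLOCK_SIZE):
    """Block-by-block copy in the spirit of dd conv=noerror,sync.
    noerror: a read failure is recorded and the copy continues.
    sync:    the failed (or short) block is zero-padded so every later block
             keeps its original offset in the image.
    The SHA-256 of the image is computed in the same pass so it can be recorded
    on the chain-of-custody form and compared with later re-hashes."""
    digest = hashlib.sha256()
    image = bytearray()
    bad_blocks = []
    for index in range(total_blocks):
        try:
            chunk = read_block(index)
            if len(chunk) < block_size:
                chunk = chunk + b"\x00" * (block_size - len(chunk))
        except OSError:
            bad_blocks.append(index)
            chunk = b"\x00" * block_size
        digest.update(chunk)
        image += chunk
    return bytes(image), digest.hexdigest(), bad_blocks


def verify_image(image: bytes, recorded_digest: str) -> bool:
    """Re-hash the image (what `sha256sum image.dd` does) and compare with the recorded value."""
    return hashlib.sha256(image).hexdigest() == recorded_digest


# --- Constructed sample device: 6 blocks, block 3 returns an I/O error ------------
SAMPLE_BLOCKS = [bytes([i]) * BLOCK_SIZE for i in range(6)]
BAD_BLOCK = 3


def sample_read_block(index: int) -> bytes:
    if index == BAD_BLOCK:
        raise OSError("Input/output error")      # simulated bad sector
    return SAMPLE_BLOCKS[index]


# Constructed /proc/mounts content: the USB stick's partition is auto-mounted.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/analyst/USBSTICK vfat rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


if __name__ == "__main__":
    mounted = mount_points("/dev/sdb", SAMPLE_MOUNTS)
    print("unmount before imaging:", mounted)             # -> ['/media/analyst/USBSTICK']
    image, recorded, bad = acquire(sample_read_block, len(SAMPLE_BLOCKS))
    print("bad blocks zero-filled:", bad, "image sha256:", recorded)
    print("image verifies against recorded hash:", verify_image(image, recorded))
```

Note what the bad block does to verification: the source drive cannot be hashed end to end if one sector is unreadable, so the value that gets recorded is the digest of the image as acquired, together with the list of blocks that were zero-filled. Any later `sha256sum` of the image file must reproduce that digest; the bad-block list explains why a hash of the original device, if it could ever be taken, would differ.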

Where does a forensic analyst or investigator look for and find electronic evidence?

Evidence can be located on more than one device and is certainly not limited to visible files on the device.

What are some of the methods that cyber criminals use to hide electronic evidence such that it is not easily found?

Certainly images, documents, and e-mail files will be typical targets of your search based on the warrant, but what about other files and computer artifacts?

Criminals can easily change file extensions, hide files in hidden disk partitions, and place files on devices such as iPods, USB sticks, etc.

If a smartphone is part of your electronic evidence do you limit your search for messages to e-mail and SMS text message or do you look within applications for messages and text as well?

What additional skills may the investigator need to effectively search within application data for evidence?

An investigator must be mindful that evidence can be found in files directly created by the user (such as images and documents) as well as in files and artifacts created by the operating system and application software, such as Internet search history, cached printed documents, and other metadata.

Should an investigator scan and search volatile memory and perhaps even the Windows Registry as well?

Hypothetical two-page report about:

The USB stick may contain intellectual property that you can use to prove the suspect’s guilt, or at least establish intent. Security personnel recovered the stick from the suspect’s desk drawer the night before. You take possession of the stick, recording the physical exchange on the chain-of-custody document prepared by the security officers. Your team’s policy is, when practical, to use multiple tools when conducting digital forensic investigations, so you decide to image the USB stick using both Linux and Windows tools.

Describe imaging a USB drive using Linux tools.

One- to two-page memo responding to questions about imaging procedures: RAM and swap acquisition (live, local computer) and forensic imaging over a network.

Explain how to image the USB stick using both Linux and Windows tools, and explain the methods of acquisition.

  1. Assuming that this is a criminal case that will be heard in a court of law, which hashing algorithm will you use and why?
  2. What if the hash of your original does not match your forensic copy? What kinds of issues could that create? What could cause this situation?
  3. What if your OS automatically mounts your flash drive prior to creating your forensic duplicate? What kinds of problems could that create?
  4. How will you be able to prove that your OS did not automatically mount your flash drive and change its contents prior to the creation of the forensic copy?

Image files can be created using different software and hardware tools in different standard formats. What are some of the common formats and software used to create the images?

The simplest image format is referred to as a raw bit-level copy of the original using software tools such as Unix/Linux dd. Another popular format is Advanced Forensics Format (AFF).

Why is this format often preferred?

What are the disadvantages to the AFF format?

Electronic evidence is not limited to those physical digital devices we see and touch, such as computer hard disks, tablets, and smartphones. Any virtual or physical device connected to the Internet, whether local or remote, may contain relevant electronic evidence.

Examples include web applications, web application accounts and databases, e-mail accounts, cloud storage such as Dropbox or Google Drive, remote backup services such as Carbonite, network traffic capture, and activity logs. These are all examples of remote sources for electronic evidence that may require performing the acquisition process remotely from the forensic workstation to an Internet service or application component, as opposed to a local, physical device connection.

How do you isolate the data or source system you would like to capture when it may exist in an Internet environment where you cannot control change and the data or source system is potentially shared amongst many users?

What are the most prevalent and common forensic tools and techniques up to this challenge? Is the forensic examiner’s knowledge of the Internet up to this challenge?

How large of a disk will you need in order to create a forensic image of electronic evidence from the Internet (where essentially no storage limits exist)?

What limitations do common digital forensic tools have regarding capturing Internet artifacts? Many of the popular tools are primarily designed to acquire and analyze local, physical evidence. What challenges might these limitations present to the investigator, and how are these challenges overcome?

What valuable electronic evidence can be found in RAM?

How does this type of electronic evidence and its acquisition differ from electronic evidence found on disk? What happens to RAM evidence if the computer is powered off?

Procedures that specify powering off the target device before acquisition may result in the destruction of valuable electronic evidence such as cryptographic keys, passwords, active network connections, running processes, etc., that are sometimes found in RAM. Some or all of these items may be vital to the investigation and should therefore be considered for acquisition.

What are some special considerations when acquiring electronic evidence from RAM?

RAM is volatile, even more so than disk. Software programs used to acquire RAM from the target must make every effort to not modify what currently exists in RAM on the target. The goal is to create a “forensically sound memory snapshot” from RAM (Gruhn & Freiling, 2016).

What are some techniques and considerations for accomplishing this?
