scalifinal.ppt 4134KB Jun 23 2011 01:04:36 PM


(1)

1

Basic Computer Forensics for the Private Investigator

Presented by

Steven M. Abrams, M.S., P.I., IEEE

Computer Forensics Examiner

Steve Abrams & Company, Ltd., 1558 Ben Sawyer Blvd., Suite C, Mt. Pleasant, SC 29464

(843) 813-1996 steve@SteveAbrams.net

This presentation is online at

(2)

2

Steve Abrams, M.S., P.I.,

Curriculum Vitae

• Advanced Degrees in Computer Science

• 20+ Years in Software and Hardware Design

• Trained and Certified in Computer Forensics at the North Carolina Justice Academy and GMU 2002

• Licensed Private Investigator, South Carolina

• Memberships: High Technology Crime Investigation Association, Institute of Electrical and Electronics Engineers, SCALI, High Tech Computer Network, Fraternal Order of Police, South Carolina

(3)

3

Computer Forensics - The search for, and the collection of, evidence from computer systems in a standardized and well documented manner to maintain its admissibility and probative value in a legal proceeding.

"Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and

(4)

4

(5)

5

KNOW THE LAW...

The US DOJ maintains a website with guidelines and case law pertaining to seizing and searching computers. It's the best place to start putting together a legal case that will be based on evidence obtained from a computer system.

The US DOJ website is:

http://www.usdoj.gov/criminal/cybercrime/searching.html

They also have a wealth of "cyber-crime" information online at:

(6)

6

KNOW THE LAW...

Under the law, electronic data storage devices (PCs, PDAs, etc.) are treated like an opaque container.

(7)

7

KNOW THE LAW...

Who can give consent?

In a domestic situation, either spouse (or any adult who resides in the home) can give consent to search a computer that is generally accessible to anyone in the home.

“The watershed case in this area is United States v. Matlock, 415 U.S. 164 (1974). In Matlock, the Supreme Court stated that one who has “common authority” over premises or effects may consent to a search even if an absent co-user objects.”

However, any password protected files cannot be included in the search if the person granting consent does not know the password. (There are certain exceptions.) See United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978).

“Courts have not squarely addressed whether a suspect’s decision to password-protect or encrypt files stored in a jointly-used computer denies co-users the right to consent to a search of the files under Matlock. However, it appears likely that encryption and password-protection would in most cases indicate the absence of common authority to consent to a search among co-users who do not know the password or possess the encryption key.”

(8)

8

KNOW THE LAW…

Who can give consent?

In an office situation, the employee may be entitled to a reasonable expectation of privacy that precludes the employer from being able to grant consent to search the employee’s computer, even if it is company property.

This makes authorized use policies and TOS banners important to establish that the employee understands the privacy policy of his employer and grants consent to search his computer and electronic files (including email).

(9)

9

KNOW THE LAW...

Several Federal Statutes Apply to the Searching of Electronic Information Systems, and especially to Electronic Communications.

The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22

“Electronic communication”

Most Internet communications (including e-mail) are electronic communications.

18 U.S.C. § 2510(12) defines “electronic communication” as any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature, transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include

(A) any wire or oral communication;

(B) any communication made through a tone-only paging device;

(C) any communication from a tracking device . . . ; or

(10)

10

KNOW THE LAW...

Several Federal Statutes Apply to the Searching of Electronic Information Systems, and especially to Electronic Communications.

The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22

Exceptions

f) The ‘Accessible to the Public’ Exception, 18 U.S.C. § 2511(2)(g)(i)

(11)

11

KNOW THE LAW...

Several Federal Statutes Apply to the Searching of Electronic Information Systems, and especially to Electronic Communications.

Electronic Communications Privacy Act (ECPA)

ECPA regulates how the government can obtain stored account information from network service providers such as ISPs. Whenever agents or prosecutors seek stored e-mail, account records, or subscriber information from a network service provider, they must comply with ECPA.

(12)
(13)
(14)

14

(15)

15

A trained computer forensic examiner can:

Make forensic duplicate drive images and document all files on the hard drive and the procedures used to obtain them.

Use only DOS utilities or Linux DD to make the forensic copy.

NEVER ALLOW A MACHINE TO BOOT INTO WINDOWS!

Windows updates timestamps on ALL files it touches!!

Forensic copy preserves source drive above all else.

Use MD5 File Hash to Verify Copy.

Take Lots of Digital Pictures, Document everything!

(16)

16

A trained computer forensic examiner can:

Recover deleted files.

Recover data from a reformatted drive.

Recover data in file slack and

(17)

17

What is File Slack?

The DOS file system file allocation table (FAT) was never designed to handle storage devices with more than 32767 units of data. 32767 is the largest number that can be represented with 16 bits.

Data is written in sectors of 512 bytes (hard drives, floppy), or 2048 bytes (CD-ROM).

This set an arbitrary limit on disk storage devices of 512x32767 = 16MB.

To accommodate larger drives the concept of “clusters”

(18)

18

What is File Slack?

FAT16

Clustering up to 128 sectors of 512 bytes allowed the original 16 bit FAT (FAT16) to handle devices up to 2GB.

FAT32

(19)

19

What is File Slack?

With clustering came file slack.

RAM Slack

If the file you are writing is shorter than the number of bytes in the clusters you have allocated for your file, the file system will pad the data out to the end of the current sector with “RAM slack”. RAM slack is random data that happens to be in RAM memory at the time the file is written. It can contain any data that you were working on since you last booted the PC. Such as emails, word

(20)

20

What is File Slack?

Drive Slack

Unlike RAM slack which comes from working storage, “drive slack” is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is with whatever data was written there previously.
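The arithmetic behind the cluster and slack slides, as an added worked example in Python (not material from the presentation). `fat_capacity` applies the slides' own figures: 32767 addressable units and 512-byte sectors give the 16MB limit, and 128 sectors per cluster give the 2GB FAT16 limit. `slack_layout` computes how many bytes of RAM slack and drive slack a file of a given length leaves in its last cluster, and `split_slack` carves those regions out of the raw bytes of the allocated clusters the way an examiner reads them from an image. The function names and the 2048-byte sample cluster in the usage lines are my own constructions.

```python
SECTOR_SIZE = 512  # sector size the slides cite for hard drives and floppies


def fat_capacity(max_units, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Largest device (in bytes) a FAT that can address `max_units` allocation
    units can span when each unit is a cluster of `sectors_per_cluster` sectors."""
    return max_units * sectors_per_cluster * sector_size


def slack_layout(file_size, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Where a file's bytes and its slack land, all values in bytes.

    ram_slack:   unused tail of the last sector that holds file data; the file
                 system pads it with whatever happens to be in memory.
    drive_slack: the whole sectors after that, up to the end of the last
                 cluster; they keep whatever a previous file left there.
    """
    cluster_size = sectors_per_cluster * sector_size
    if file_size == 0:
        clusters = 0                               # an empty file owns no cluster
    else:
        clusters = -(-file_size // cluster_size)   # ceiling division
    allocated = clusters * cluster_size
    used_in_last_sector = file_size % sector_size
    ram_slack = sector_size - used_in_last_sector if used_in_last_sector else 0
    drive_slack = allocated - file_size - ram_slack
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": ram_slack,
        "drive_slack": drive_slack,
        "total_slack": ram_slack + drive_slack,
    }


def split_slack(raw_allocation, file_size, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Given the raw bytes of every cluster allocated to a file (as read from an
    image), return (file_data, ram_slack_bytes, drive_slack_bytes)."""
    layout = slack_layout(file_size, sectors_per_cluster, sector_size)
    if len(raw_allocation) != layout["allocated"]:
        raise ValueError("raw_allocation must be exactly the allocated clusters")
    end_of_ram = file_size + layout["ram_slack"]
    return (raw_allocation[:file_size],
            raw_allocation[file_size:end_of_ram],
            raw_allocation[end_of_ram:])


if __name__ == "__main__":
    print(fat_capacity(32767, 1))      # 16776704, the slides' "16MB"
    print(fat_capacity(32767, 128))    # 2147418112, the slides' "2GB"
    print(slack_layout(1000, 4))       # 1000-byte file in a 4-sector cluster
    # Constructed 2048-byte cluster: 1000 bytes of data, 24 bytes of RAM slack,
    # then two whole sectors of drive slack left by an earlier file.
    sample_cluster = b"A" * 1000 + b"R" * 24 + b"D" * 1024
    data, ram, drive = split_slack(sample_cluster, 1000, 4)
    print(len(data), len(ram), len(drive))   # 1000 24 1024
```

A 1000-byte file in a 2048-byte cluster wastes 1048 bytes, and every one of them may hold someone else's data; that is the recovery surface the next slides describe.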

(21)

21

Forensic Software

• Byte Back

• Digit

• Drive Spy

• EnCase

• Forensic Tool Kit (FTK)

• Gdisk

• Ghost

• DriveWorks

• Linux DD (SMART)

• Hash Keeper

(22)

22

Internet Sources of Forensic Software

www.lostpassword.com - collection of password recovery tools for Windows and application software.

http://stud1.tuwien.ac.at/~e9227474/english.htm - Irfanview, a GUI tool with graphics viewers for every graphics file format, still and video. Only $10 registration fee!

www.data-sniffer.com - forensic tool kit ($140) includes graphics viewers and file slack viewer.

(23)

23

A trained computer forensic examiner can:

Work with File Hashes

A file hash is a mathematical calculation made from every byte in a file. It creates a unique digital fingerprint for that file.

Using file hashes a forensic examiner can:

• Quickly locate and catalog every (graphic) file on a PC hard drive, and flag child pornographic images using a national database of known images.

• Identify known system and software files that can safely be ignored. KFF - Known File Filter

NIST, INORP Databases of File Hashes
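An added worked example in Python (not the presentation's own code) that ties together the imaging procedure on the "forensic duplicate drive images" slide and the file-hash uses listed here. `image_device` copies a source sector by sector, as `dd bs=512` does; `verify_image` hashes source and image and compares them; `catalog_files` hashes every file under a directory; and `triage` applies a known-file filter. The sample drive contents, the three-file tree and both hash sets are constructed stand-ins (the real NIST and Hash Keeper sets are not embedded). MD5 is the algorithm the slides name; the `algorithm` parameter lets the same routines record a SHA-256 alongside it, which is current practice because MD5 collisions can be manufactured.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # sector size the slides cite for hard drives and floppies


def image_device(src_path, img_path, block_size=SECTOR_SIZE):
    """Copy the source to an image file one sector at a time, as `dd bs=512`
    would. The source is opened read-only and never written. Returns bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(block_size), b""):
            img.write(block)
            copied += len(block)
    return copied


def file_hash(path, algorithm="md5", chunk_size=1 << 20):
    """Hash every byte of a file, streaming so large images fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(src_path, img_path, algorithm="md5"):
    """Return (hashes_match, source_hash, image_hash); note both hashes in the
    examination record. A mismatch means the image is not a usable copy."""
    source_hash = file_hash(src_path, algorithm)
    image_hash = file_hash(img_path, algorithm)
    return source_hash == image_hash, source_hash, image_hash


def catalog_files(root, algorithm="md5"):
    """Hash every regular file under root: {relative_path: hash}, sorted by path."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = file_hash(full, algorithm)
    return dict(sorted(result.items()))


def triage(catalog, known_good, known_of_interest):
    """Known File Filter: files matching known_good can be ignored, files
    matching known_of_interest are flagged, everything else is left for review."""
    buckets = {"ignore": [], "flag": [], "review": []}
    for path, digest in catalog.items():
        if digest in known_of_interest:      # checked first so a hit is never ignored
            buckets["flag"].append(path)
        elif digest in known_good:
            buckets["ignore"].append(path)
        else:
            buckets["review"].append(path)
    return buckets


def demo_verify():
    """Image a constructed 'drive' (five full sectors plus a 4-byte partial
    sector), verify it, then disturb one byte of the image to show the hash
    check failing. Returns (bytes_copied, verified, still_verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.bin")
        img = os.path.join(tmp, "image.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 10 + b"tail")   # 2564 constructed bytes
        copied = image_device(src, img)
        verified, _, _ = verify_image(src, img)
        with open(img, "r+b") as f:                      # simulate a bad copy
            f.seek(100)
            f.write(b"\x00")
        still_verified, _, _ = verify_image(src, img)
        return copied, verified, still_verified


def demo_kff():
    """Constructed file tree and constructed hash sets (stand-ins for the NIST
    and Hash Keeper databases); returns the triage buckets."""
    files = {
        "WINDOWS/system32/notepad.exe": b"stand-in for a known operating-system file",
        "My Documents/photo.jpg": b"stand-in for an image in the known-of-interest set",
        "My Documents/letter.doc": b"unknown user content",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        known_good = {hashlib.md5(files["WINDOWS/system32/notepad.exe"]).hexdigest()}
        known_of_interest = {hashlib.md5(files["My Documents/photo.jpg"]).hexdigest()}
        return triage(catalog_files(tmp), known_good, known_of_interest)


if __name__ == "__main__":
    print(demo_verify())   # (2564, True, False)
    print(demo_kff())
```

The order of the checks in `triage` matters: a hash that appears in both sets is flagged, never ignored, so a bad list entry can only cost the examiner review time, not a missed file.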

(24)

24

Case 1: Adultery by Computer

Forensic recovery was used to find evidence that a husband’s “hunting” trips were actually sexual encounters arranged by computer. Husband hunted women online.

Investigation Methods:

1) Live Forensic Investigation to find “buddies list”.

2) Forensic copy of hard drive was analyzed by Access Data’s FTK.

(25)

25

DISCLAIMER:

Working with email and electronic communications

1) Offline content (on the Hard Drive) is Fair Game.

2) Never go online to get a subject’s email Without:

a) Written Permission, or

b) a Court Order

3) Yahoo! Messenger leaves a complete log file on the Hard Drive, shows all message traffic.

(26)

26

Case 1: Adultery by Computer

ALL EVIDENCE WAS FOUND LEGALLY:

• WITHOUT GOING ONLINE TO HIS EMAIL ACCOUNT

• WITHOUT ADDING ANY “SPY SOFTWARE” TO HIS SYSTEM

Copies of emails are often left in file slack. Files on the hard drive are fair game, and won’t get you busted for wiretap violations.

Many popular communications programs leave log files on the hard disk with details of all electronic communications.

(27)

27

Forensic Recovery

Seizure

Take pictures to document area around the computer.

You may find removable media, or clues to your

(28)

28

SSA/OIG Sue Hermitage 6

Bypassing/cracking system and

application passwords

BIOS PW?

• Default/backdoor pws

• AMI = 589589, amisw, ami

• Award = AWARD_SW, AWARD_PW, condo, j262

• Jumper?

• Remove drive

Access Data Password Recovery Toolkit

(29)

29

Forensic Recovery - Physical Copy

Tip #2: Work from DOS or Linux.

Add a clean slave drive to subject’s computer, or remove hard drive(s) and copy on your system.

Do a physical copy

(30)

30

Forensic Recovery - Physical Copy

Tip #3: Don’t assume system will boot first from the floppy drive.

Always go into setup first and make sure the system will boot first from where you expect it to.

(31)

31

Live Forensic Investigation

Take screen shots to preserve evidence.

In this case documented “buddies list” in ICQ and Yahoo! Messenger.

Used FTK to find emails to / from same buddies. And their

(32)
(33)

33

A trained computer forensic examiner can:

MS OFFICE FORENSICS

Every PC leaves a unique electronic fingerprint on every MS Office document it creates. (“GUID”) The “GUID” is unique to the PC and the logged in user.

We can examine these documents to determine on which machine a document was created, and when and by whom it was created.

“GUIDClean.exe allows users to detect, display and modify the Global Unique Identifiers (GUID) that some MS Office products (Word and Excel) place in user's documents. An

(34)

34

(35)

35

A trained computer crime investigator can:

Trace and validate email messages stored on the hard drive.

With a court order we can get additional information from the internet service providers to help ascertain the source and author of the email.

(36)

36

Sam Spade

(37)

37

Sam Spade Tools

Sam Spade is an Internet Sleuthing Environment that allows access to about 20 UNIX net tools from MS-Windows.

Shareware! From www.samspade.org (current version 1.14)

• Ping

• nslookup

• whois

• IP Block whois

• dig

• traceroute

• finger

• SMTP VRFY

• web browser

• website download

• DNS zone transfer

• Usenet cancel check

• keep-alive

• website search

• email header analysis

• email blacklist query
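The "email header analysis" tool in the list above, and the "trace and validate email messages" slide before it, both come down to reading the Received: chain. This added Python example (not the presentation's code, and not Sam Spade's) parses that chain from a constructed message oldest hop first, checks that each relay's "by" host is the next hop's "from" host, and compares the From: domain with the host that first handed the message in. The message, hostnames and addresses are constructed (example.org / example.net / example.com and documentation IP ranges); `received_chain`, `chain_breaks` and `sender_matches_origin` are my own names.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (no real traffic): three Received: headers, the
# oldest at the bottom as relays prepend them, and a From: address on a domain
# that does not match where the message actually entered the mail system.
SAMPLE_MESSAGE = """Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby mail.example.net with ESMTP id abc123;
\tMon, 1 Jan 2001 12:00:03 -0500
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx2.example.org with ESMTP id def456;
\tMon, 1 Jan 2001 12:00:01 -0500
Received: from workstation.example.org (unknown [198.51.100.7])
\tby relay.example.org with SMTP id ghi789;
\tMon, 1 Jan 2001 11:59:58 -0500
From: "Jane Doe" <jane@example.com>
To: examiner@example.net
Subject: constructed sample
Message-ID: <sample-1@example.org>

Body text.
"""

# "from <host> (<what the relay saw>) by <host>"; folded header lines contain a
# newline plus tab, which \s covers.
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<seen>[^)]*)\))?\s+by\s+(?P<dst>\S+)")


def received_chain(raw_message):
    """Return the hops oldest-first as dicts: src (claimed sender host), dst
    (receiving relay) and seen (what the relay recorded about the sender)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append({"src": m.group("src"), "dst": m.group("dst"),
                         "seen": m.group("seen") or ""})
    return hops


def chain_breaks(hops):
    """Indices i where hop i's receiving host is not hop i+1's sending host.
    A break means a Received: header was inserted, removed or edited."""
    return [i for i in range(len(hops) - 1)
            if hops[i]["dst"].lower() != hops[i + 1]["src"].lower()]


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_matches_origin(raw_message):
    """Does the From: domain match the host that first handed the message in?"""
    msg = email.message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    hops = received_chain(raw_message)
    return bool(hops) and in_domain(hops[0]["src"], sender_domain)


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(f'{hop["src"]:26} -> {hop["dst"]:20} seen as: {hop["seen"]}')
    print("chain breaks:", chain_breaks(received_chain(SAMPLE_MESSAGE)))   # []
    print("From: matches origin:", sender_matches_origin(SAMPLE_MESSAGE))  # False
```

A mismatch or a broken chain is a lead, not a conclusion: legitimate webmail and forwarding produce both, which is why the slide pairs header analysis with ISP records obtained under court order. Only the topmost Received: header was written by a relay the examiner controls; everything below it could have been typed by the sender, so the chain is checked for internal consistency rather than trusted.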

(38)
(39)

39

Case 2: Forged Email Evidence

In a custody hearing, the court was presented with emails and attached pornographic images that made it appear the wife had been soliciting sex over the Internet. Custody of the 3 year old child was given to the husband and his mother (paternal grandmother). The wife denied she sent the emails and said it was not her in the photo.

(40)

40

A trained computer forensic examiner can:

Recover passwords from most Windows application software, and those used by Windows 9x, Windows NT, and Novell Netware servers.

Decrypt encrypted data and messages.

Password Recovery Toolkit

Access Data - PRTK, Distributed Network Attack

PRTK is dictionary based.

(41)

41

Case 3: Hidden Financial Records

In preparation for divorce proceedings, the wife brought me her husband’s home office computer hard disk for forensic examination to locate financial records and child pornography.

Evidence: Examination of the hard drive located a series of Quicken files and hidden Excel spreadsheets containing financial records. The spreadsheets recorded his actual cash receipts, the Quicken files his deposits and what he reported as income. During discovery PRTK was used to access password protected Quicken files, after the court ordered all financial documents be turned over to the wife’s attorney.

Cash receipts exceeded reported income by over $552,000.

(42)

42

(43)

43

A trained computer forensic examiner can:

Find evidence of files left behind by hackers.

(44)

44

A trained computer forensic examiner can:

Locate and identify all "mal-ware" (viruses, worms, Trojans, and other malicious software) on the hard drive.

(45)

45
