Benefit from Our Service: Save 25%
Along with the first order offer - 15% discount (with the code "get15off"), you save extra 10% since we provide 300 words/page instead of 275 words/pageThis report concerns the computer forensics methodology and the best practices in producing the solid court evidence. There are numerous ways of hiding the suspect or disguising any digital evidence of a wrongdoing. The task of computer forensics investigator is to retrieve the information retaining a verifiable and reproducible trace of actions that prove the digital evidences authenticity. Such evidence has a substantial probative value and can facilitate the prosecuting counsels work. Thus, explanations of various approaches used in the datas distortion or hiding, as well as the full reconstruction, are provided. Since the target audience for this report possesses rather limited computer knowledge, all technical concepts are explained in terms as simple as the subject allows. In order for the prosecuting counsel to understand how certain types of evidence can be recovered, the report presents a custom case of suspects USB pen drive. Given the limited scope of this report, examples cover only one software tool selected among all computer forensics instruments.
Digital forensics employs the variety of methods applied on the target item that may contain evidence. Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence (Noblett, Pollitt, and Presley 2000). While stand-alone monitors and disassembled boards can present scarce amount of usable data, the storage media is highly valuable evidence base. The most useful object in digital forensics, however, is a running PC that contains the fullest possible set of traces. The technique known as live-box forensics gives investigators access to the entire running system, including the volatile information contained in the memory chips (RAM) and whatever is on the live hard drive (Cummings 2008). The recent decades IT progress brought a number of new portable devices, such as smartphones and tablets, which can produce the substantial evidence as well as PCs. Though the architecture of new gadgets differs from the traditional computers design, forensics approach to such devices …takes into account existing techniques of computer and cell phone forensic examination adapting them to specific Android characteristics, its data storage structure, popular applications and the conditions under which the device was sent to the forensic examiner (Simao et.al 2012). Thus, the scope of modern computer forensics covers all types of devices that operate digital data in any way.
Among all the variety of items that may constitute digital evidence, the most valuable information can be obtained from the storage media. The assumption is that the evidence file is disguised, deleted, dispersed, or hidden. In most cases storage retains some traces that can lead to the data restoration. The effectiveness of it depends on many factors, including the number of re-writes over the original file since it was deleted. The traces never can be sufficient to ensure the recovery absolutely. In modern computers, it is almost never possible to run time backwards given a set of traces, and identify a unique history that led to the traces found (Cohen 2012). However, architectural redundancy of stored data formats provides the possibility to reconstruct information in most cases.
The ways in which information can be hidden are multiple. The most obvious course of action for suspect is to set the hidden file operating system attribute on any files he is intended to hide. In order for the investigator to see and access this information, file explorer must be configured to display system and hidden files. The only prerequisite for such settings is the system access with administrator privileges, which can be easily arranged in the investigation lab. Another type of files that prevent easy access to the information is represented by encrypted or password protected files. However, there are number of tools capable of heuristic analysis or brute-force password cracking, which can be successfully applied to such files. This approach usually requires a considerable amount of machine time, which can be reduced by distributed computing. Generally, most of the digital forensics tools offer the comprehensive automated analysis, which means that the forensic lab must be equipped with high-performance computer hardware.
More complex ways to prevent the data access involve tampering with the file. The file extension can be changed simply by editing the filename associating an inappropriate application with it. Obviously, all attempts of this application to open the altered file will fail. Another and still more sophisticated way of file camouflaging requires file headers and/or footers to be changed. File headers and footers contain the brief summary of the file, as well as security hash values or checksums that are used by operating system to ensure the files integrity. Headers and footers can be altered and then hash values can be recalculated by the suspect using software tools that are widely available. It would be impossible to open such a file by any application that is traditionally associated with the file type. However, the files main body contains certain patterns that are specific to the particular file type. Therefore, digital forensics investigator will be able to re-produce original file headers and footers by means of the software similar to that of suspects. Sometimes, criminals write the data stream directly onto the disk bypassing the file system. It means that no recognizable form of file structure can be spotted, whether deleted, hidden, or altered. In order to retrieve such information, the whole disk surface must be scanned for characteristic patterns. Once found, the suspicious raw data blocks are duplicated to some external file and subjected to further analysis.
One of the practices used to disguise data is steganography, which implies hiding the information in a picture of any digital image form. This technique is often used by suspects to hide the incriminating data. Digital forensics specialists can discover the hidden part even if the picture appears original and the ghost data is dispersed through the whole image file. Again, one of the approaches is using the files hash value and comparing it to the original picture. When the difference is found, the number of complex recalculations can reveal and reassemble the addition. It is the one of most sophisticated data concealments method implying exceptional digital forensics skills necessary to dig up evidence. However, there are number of tools that effectively disclose the hidden data including the …set of image forensic techniques capable of detecting global and local contrast enhancements and histogram equalization (Mahalakshmi, Vijayalakshmi, and Priyadharsini 2012).
The following example demonstrates the use of WinHex application to restore evidence from USB pen drive of a suspect. Initially, WinHex was created as data recovery tool, facilitating the number of in-depths interactions with storage media. Recent versions, however, contain certain add-ons developed specifically for the investigations purposes. It is the case with majority of forensics software, as …many so-called forensic tools were created for users outside the forensic field (Phillip, Cowen, and Davis, 2009, p. 53). Apparently, such tools are used by both criminals and investigators. WinHex is an advanced binary editor that provides access to all files, clusters, sectors, bytes, and bits inside the computer (WinHex 2013). WinHex is also capable of automatic files recovery, as well as the whole nested directory structures. WinHex provides the possibility to edit both the FAT32 and NTFS boot sectors as well as partition tables, which is useful during the in-depths storage reconstruction.
WinHex can recognize and gather text directly from a computer memory or a disk; it facilitates the forensic examiners search for leads in the form of text, e-mail messages, and documents. WinHex is also able to calculate hash values of any file, disk, and partition. There is a MD5 message digest algorithm that allows producing hash values up to 128-bit encryption standard. As mentioned above, the hash value of any file on a seized computer system can be matched against the original files hash value. The vast majority of files are always authentic (system files, application files etc.). The hash value matching restricts the search to a limited number of files narrowing the scope of investigation and saving the time.
One of the most often used features of WinHex is the deleted files recovery. There are number of hints that may suggest the existence of such files on storage. For instance, the investigator may analyze the thumbs.db file, which is created by Windows whenever the thumbnail view is used. This hidden file is never updated by the operating system when files are deleted. Consequently, there is a chance to recover evidence from the otherwise innocent-looking storage media. Another feature of WinHex allows concatenating parts of the file that was deliberately split by the suspect.
There are much more advanced features available in WinHex. Sometimes, criminal organizations run the fully-fledged IT infrastructure including RAID (Redundant Array of Independent Disks) storages containing black accounting and other evidences of wrongdoing. The information on RAID is spread on all participating disks allowing for one or even more disks failure without the data loss. In order to prevent the access to information, criminals can deliberately ruin the RAID structure. It will result in situation when all the disks are intact but useless, as it is impossible to read any consistent data from it. WinHex can help in this case as well providing the opportunity to re-assemble the RAID storage.
A rather limited set of WinHex capabilities will be utilized for the purpose of this report. The USB pen drive in question will be subjected to the number of manipulations in order to reveal the evidence. The sequence of operations is fully documented, as …the requirements of the judicial system dictate that evidence must possess a verifiably high level of integrity…before items can be accepted as evidence in court (Zimmerman 2010).
First of all, the spare media copy must be created in order to mitigate the risk of accidentally loosing the information. Since we often work at a physical level, it is possible to alter evidence accidentally. Whenever possible, protect your original physical evidence by working with a digital copy so that if you do make a mistake, you can wipe the analysis drive, restore your image once again, and continue your analysis (Kruse and Heiser 2002, p. 14). The USB drive should be copied as image rather than on the file system level. It means that the storage media is replicated as an exact digital sequence of the whole drive. The Diagram 1 shows the process of spare copy creation by means of Clone Disc option.
By scrolling down the drives contents, investigator can see the number of deleted files. They are represented by the question mark pictogram, sometimes missing the first letter of a filename. Eventually, there is a deleted file that raises suspicion, which is conveniently named evidence1.bat (Diagram 2). The number of actions can be invoked by right-clicking on the file. As shown on the Diagram 2, the Recover/Copy option is selected, extracting and restoring the file for further analysis.
Diagram 2
The detailed file information is available in separate window, which can be opened by double-clicking the file. The content in a form of hexadecimal values sequence is supplemented with more readable interpretation (Diagram 3). It can serve the purposes of investigation as most files usually contain portions of clear text. The suspicious file extension .bat is at odds with the word/document.xml string that is present in the files body. The extension of recovered file can be changed to .doc by means of any file manager application revealing the perfectly readable MS Office file full of evidence.
Diagram 3
There are multiple tools suitable for the computer forensics purposes, both commercial and open-source. Some experts believe that proprietary commercial applications are not transparent enough to ensure the authenticity of produced results. Such tools often do not present the whole trace of data reconstruction, or do not allow the verification of such traces. In order for the investigation to be fully accountable, open-source applications are often more preferable. By publishing source code through open source extraction tools, the digital forensics community can examine and validate the procedures used to produce digital evidence (Carrier 2003 p.8). With all the advantages and drawbacks, digital investigations practice successfully employs both types producing solid and reliable evidence.