Although I’m specialising primarily in information security, I’ve been studying digital forensics, for personal and intellectual reasons. Although I’m by no means an expert, and don’t aim to become one, being skilled enough happens to be very useful for incident response, investigation and attribution. For example, we might want to determine who compromised a network, what methods were used, and how similar events could be prevented in future.
Early last year, I managed to do some practice investigations with a colleague on some USB drives, using Guidance Software’s EnCase Forensic Edition and AccessData’s Forensic Toolkit (see my other blog). Other tools are available, but these two are regarded as the definitive, most reliable and most commonly used, judging by what I’ve since heard and read from numerous experts. EnCase also has the advantage of allowing investigators to preview storage volumes, and therefore to triage cases where the workload is heavy.
Our knowledge was still fairly limited at the time, so we followed only the general methodology for an investigation, starting from the arrival of evidence at the lab. When attempting any forensic challenge, it’s strongly advised to use practice material from a reputable and trusted source, to avoid any nasty legal problems.
Preparing the Image
What we examined was a storage device, which could be a hard drive, smartphone, PDA, USB drive, MP3 player, memory card, camera, etc., hypothetically retrieved from a crime scene or provided by a client. Basically, if it can be connected to the workstation, it can be analysed. In this case, we worked on a discarded USB drive.
We connected the drive to a workstation and added it to the case file. If this had been a criminal investigation, we’d first have used a write blocker to prevent anything being written to the device, thereby preserving the integrity of the evidence. The original storage volume itself can’t be extensively analysed either, because we’d risk altering the evidence. Instead, we must work with an image of the storage volume.
In our experiments, we used FTK to create the image before looking at it with EnCase. The first couple of attempts produced multiple image files, and the directory containing them had a different hash value to the original, so a mistake had been made somewhere. As it turned out, FTK Imager was breaking the image into manageable segments instead of writing a single large file.
Another important point to remember is we were examining low capacity devices up to 1GB. In real life investigations where volumes of around 500GB are common, imaging and hashing would take far longer, depending on the computing resources available. A very expensive system would also be required for routinely managing and archiving evidence, namely a large RAID array and EnCase Enterprise Edition.
The USB drive also didn’t have the operating system and application files, which would normally be present on hard disks being investigated, but we could make good assumptions about the computers the device was connected to, based on the file types and metadata.
Creating the Perfect Image
Once we corrected the imaging problem, we loaded the file in EnCase by clicking the Acquire option in the top menu. We were successful, and the directory tree showed identical file structures for the original and the image. We also made sure the image was an exact replica by hashing it and the original device using the MD5 algorithm. This process took some time, but produced two identical hash values.
Now that we had an image proven (beyond reasonable doubt) to be an exact replica, we could work on it. The original device is stored in a secure location, and any future access to it is carefully recorded. Anyone who questions the evidence later on should be able to look at the imaged volume and be certain it’s exactly what’s on the original by again hashing the two, and also view the audit trail of who accessed the original. If this were a commercial data recovery business, the hash values would quickly settle any argument about whether a recovery operation had been fully completed.
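As an added example (not from the original post, and not EnCase’s or FTK Imager’s own code), here is the verification step in Python: hashing a raw device or image in chunks, and hashing a segmented image (image.001, image.002, …) as one continuous stream. It also shows why hashing a single segment, as happened with the segmented FTK Imager output earlier, can never match the original, and that flipping one bit in a segment is caught. The file names, the 5 MiB sample device and the 2 MiB segment size are constructed assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large volume never sits in memory

def hash_stream(paths, algorithms=("md5", "sha256")):
    """Hash the bytes of `paths` read in order: one path for a raw device or
    single image, several (image.001, image.002, ...) for a segmented image."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(CHUNK):
                for h in hashes.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def segment_paths(directory, stem):
    """Return <stem>.001, <stem>.002, ... from `directory` in numeric order."""
    names = [n for n in os.listdir(directory)
             if n.startswith(stem + ".") and n[len(stem) + 1:].isdigit()]
    names.sort(key=lambda n: int(n[len(stem) + 1:]))
    return [os.path.join(directory, n) for n in names]

def verify_image(original, directory, stem):
    """True when the concatenated segments are bit-for-bit the original."""
    return hash_stream([original]) == hash_stream(segment_paths(directory, stem))

def demo():
    """Constructed sample: a 5 MiB 'device' imaged into 2 MiB segments."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.raw")
        data = os.urandom(5 * 1024 * 1024)
        with open(device, "wb") as fh:
            fh.write(data)
        seg = 2 * 1024 * 1024
        for i, start in enumerate(range(0, len(data), seg), start=1):
            with open(os.path.join(tmp, f"image.{i:03d}"), "wb") as fh:
                fh.write(data[start:start + seg])
        good = verify_image(device, tmp, "image")
        # Hashing one segment on its own can never match the whole device.
        first_only = hash_stream(segment_paths(tmp, "image")[:1]) == hash_stream([device])
        # Flip one bit in the last segment: even that is caught.
        with open(os.path.join(tmp, "image.003"), "r+b") as fh:
            fh.seek(10); b = fh.read(1); fh.seek(10); fh.write(bytes([b[0] ^ 1]))
        tampered = verify_image(device, tmp, "image")
    return {"segments_match": good, "single_segment_matches": first_only,
            "tampered_matches": tampered}
```

Hashing with two algorithms at once costs one extra pass over nothing (the data is read once), and gives a second value to record alongside the MD5 in the case notes.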
Even though everything had been deleted and conventional file viewers would show the USB drive as empty, everything stored on it over the past four years was found almost instantly by EnCase. We saw the file structure and graphical representations of the data blocks, revealing exactly which blocks were storing data, which were unallocated and which had been overwritten.
It’s possible that EnCase would still have found the files if I’d taken further steps to erase the data, but according to a recent paper in the Journal of Digital Forensics, investigators could have major problems recovering data from the new SSDs found in recent netbooks and laptops, because of the constant read/write operations of the OS.
All this is just an early step in what could be a very long and thorough investigation, and there are countless ways of using the recovered data to build an accurate picture of whatever incident. Entire books have been published on all this, and it’s almost impossible to condense into a blog post. I also neglected to make contemporaneous notes, hence the lack of detail here, so that’s another lesson learned.
If we are looking for incriminating images, we could open a gallery that lays out all the recovered image files. This feature can be useful for several reasons: it could give a quick indication of the nature and extent of the case, whether the images were in fact inadvertently downloaded thumbnails, and whether a suspect made an attempt to conceal those images. If we’re lucky, the EXIF and other metadata can present further important information, such as when an image was created, where a photo was taken and what camera was used. Perhaps most importantly, there’s a way to match some images to online identities.
Following on from that, it’s possible to go deeper and determine how many people were using the computer, whether malware was retrieving files without their knowledge, and maybe activity on the local network. There should also be various files revealing online activity and connections to remote services such as webmail accounts.
EnCase can also build a timeline, which is equally useful for several reasons in addition to compiling a report. Firstly, it helps in building a reconstruction of past events. It can reveal a pattern of activities consistent with the behaviour of certain criminals, or it can show an inconsistency that suggests somebody or something else was involved. For example, it could provide evidence that a person was using a hard drive or device during a given period.