# Digital Forensics Prep Sheet
### Introduction to Digital Forensics

- **Definition:** Branch of forensic science concerned with collecting, analyzing, documenting, and presenting digital evidence related to computer crime in a court of law. Goal: determine *what* was done, *when*, and *by whom*.
- **Scope Expansion:** Originally computer forensics; now covers every device that stores digital data (mobile phones, IoT, digital cameras, storage media, etc.).
- **Cyberattack Investigations:** Also covers investigating attacks: ransomware, phishing, SQL injection, DDoS, data breaches, cyberespionage, compromised accounts, unauthorized network access.
- **Investigation Requirements:**
  - Rigorous standards that survive cross-examination in court.
  - Acquiring data (static and volatile) in a forensically sound manner.
  - Using court-accepted tools for analysis.
  - Presenting findings in an official report.
  - Incorrect procedure risks altering evidence and making it inadmissible.
- **Challenges:** A rapidly evolving field, driven by fast-paced change in computing and a scope that spans many disciplines.
- **Technical Goal:** Investigate crimes involving digital devices and extract digital evidence in a forensically sound way for use in court.

### Objectives of Digital Forensics Investigation

- Finding legal evidence on computing devices and preserving its integrity for court.
- Preserving and recovering evidence using court-accepted technical procedures.
- Attributing actions to their initiators.
- Identifying data leaks within an organization.
- Assessing damage from data breaches.
- Presenting formal reports for court.
- Providing expert testimony.

### Cybercrime

- **Definition:** Any illegal activity committed using a computing device or computer network (e.g., the Internet).
- **US DOJ Definition:** "Any criminal offense committed against or with the use of a computer or computer network."
- **Motivations:**
  - **Financial Gain:** Stealing bank access codes, ransomware.
  - **Other Motivations:** Interrupting service (DDoS), stealing confidential data (consumer or medical information), unlawful exchange of copyrighted material, cyber espionage (corporate or military secrets).
- **Sources of Attack:**
  - **Insider Attacks:** The most dangerous. Come from employees, former employees, third-party contractors, or business associates who hold legitimate access. Economic espionage is a typical example.
  - **External Attacks:** Originate outside the organization, usually from skilled attackers. They may penetrate networks from other countries or rely on intelligence supplied by an insider.
- **Categories based on Device Usage:**
  - **Weapon:** The device is used to commit the crime (e.g., DDoS, ransomware).
  - **Target:** The device is the victim of the crime (e.g., unauthorized access).
  - **Facilitator:** The device stores incriminating data or supports criminal communication.

### Types of Cybercrime

- **Malware Distribution:** Malicious software (viruses, worms, Trojans, spyware, ransomware, rootkits, scareware, adware) that damages systems, corrupts data, or steals information.
- **Ransomware Distribution:** Encrypts user files or whole drives and demands a ransom to restore access.
- **CryptoJacking:** Covertly uses a victim's computer to mine cryptocurrency, consuming CPU resources and power.
- **Hacking:** Unauthorized access to computing devices or networks, usually by exploiting vulnerabilities, to steal information or spy.
- **SQL Injection:** Injecting SQL through unsanitized web application inputs (forms, URL parameters) to read or alter the backend database and extract confidential information.
- **Pharming:** Redirects users from a legitimate website to a fraudulent copy, typically by infecting the victim's computer with malware that alters DNS settings or the hosts file.
- **Phishing:** Deceptive messages (SMS, email, URLs) that look genuine and trick users into revealing sensitive information (e.g., banking details, login credentials).
- **E-mail Bombing and Spamming:**
  - **Email Bombing:** Flooding a server or account with very large volumes of email to crash it or make it unusable.
  - **Spamming:** Unsolicited bulk email, often carrying malicious links (phishing sites, malware hosts).
- **Identity Theft:** Stealing and illegally using someone's personal information.
- **Cyberstalking:** Harassing or threatening individuals online via email, chat, or social media.
- **Illegal Internet Network Use:** Spreading illegal content (hate speech, terrorism) or selling illegal services and goods (child sexual abuse material, drugs, weapons).
- **DDoS Attacks:** Overwhelming an online service with traffic from many sources (botnets) so that it becomes unavailable.
- **Social Engineering:** Psychological manipulation (phone calls, messages, in person) that tricks individuals into divulging sensitive information.
- **Software Piracy:** Unauthorized use, downloading, and distribution of copyrighted material (movies, games, software, books).

### Digital Forensics Categories

Grouped by the source of the digital evidence:

- **Computer Forensics:** The oldest type. Investigates evidence from desktops, laptops, storage devices (HDDs, SSDs, thumb drives, SD cards), RAM, the OS, and application logs. A core activity is recovering deleted data for use as evidence.
- **Mobile Forensics:** Acquires evidence from mobile devices (phones, smartphones, tablets, wearables) that communicate over cellular networks (GSM, 3G, 4G) and are usually location-aware (GPS). Growing in importance as mobile technology proliferates.
- **Network Forensics:** Monitors and analyzes network traffic to extract evidence (e.g., identify attack sources, detect intrusions). Traffic is transient, so it must be captured live (packet captures, flow records) or reconstructed from logs.
- **Database Forensics:** Analyzes the data and metadata of databases (SQL Server, Oracle, MySQL) to establish who accessed what and to uncover malicious activity.
- **Forensic Data Analysis:** Analyzes structured corporate data to prevent or uncover financial fraud, looking for meaningful patterns and comparing them with historical data to detect misuse of resources.
- **Other Subbranches:** E-mail forensics, cloud storage forensics, application-specific forensics (e.g., web browsers), file system forensics (NTFS, FAT, EXT), hardware device forensics, multimedia forensics (text, audio, video, images), memory forensics (RAM/volatile memory).

### Digital Forensics Users

Used across all sectors and businesses because computing and Internet use are universal:

- **Law Enforcement:**
  - Aids agencies in applying the law and protecting society from crime.
  - Detects offenses and links individuals to illegal actions.
  - Not limited to cybercrime: applies to traditional crimes that involve digital evidence (e.g., mobile phones and laptops found at crime scenes).
  - Requires adherence to a predefined methodology (collecting, preserving, analyzing, presenting).
  - Procedures depend on jurisdiction; a search warrant is usually needed to seize hardware.
- **Civil Litigation:**
  - Used by corporations for e-discovery, locating digital evidence for civil or criminal matters (policy violations, theft, fraud, bribery, tax evasion, espionage, embezzlement, email harassment, discrimination, sabotage).
  - The outcome can be employee termination, a warning, or prosecution.
  - Also applies to personal matters such as family disputes and divorce.
- **Intelligence and Counterintelligence:**
  - Used by agencies against terrorism, human trafficking, organized crime, and drug dealing.
  - Uncovers information about criminal organizations by examining digital devices, monitoring networks, and using Open Source Intelligence (OSINT) from public sources (e.g., social media) about persons or entities of interest.

### Digital Forensics Investigation Types

Categorized by who initiates the investigation:

- **Public Investigations:**
  - Involve law enforcement agencies.
  - Conducted under country or state law for criminal cases.
  - Follow legal guidelines and typically pass through three stages: complaint, investigation, and prosecution.
- **Private (Corporate) Sector Investigations:**
  - Conducted by enterprises for policy violations, litigation disputes, wrongful termination claims, or leakage of secrets (industrial espionage).
  - No specific laws govern them; procedures follow internal company rules but usually mirror those of public investigations.
  - A case can be handed to court and become an official criminal case.
  - **Policy Importance:** Clear, comprehensive policies (especially a computer usage policy) reduce litigation, define employee responsibilities, and make forensic work easier.
  - **Key Principle:** Treat every private investigation as if it will end up in court, so that procedures stay strict and organizational assets are protected.

### Forensics Readiness

- **Definition:** An organization's ability to collect, preserve, protect, and analyze digital evidence in a forensically sound manner WITHOUT disrupting current operations, which keeps investigation costs down.
- **Benefits:**
  - **High Response to Incidents:** Clear e-discovery processes enable prompt action and evidence acquisition during incidents (data breaches, information leaks).
  - **Compliance with Regulations:** Helps meet government requirements for collecting and preserving digital evidence in legal disputes, reducing cost and speeding resolution.
  - **Strengthening Organizational Security:** Improves preparedness for internal and external incidents and allows attacks to be identified quickly (e.g., by monitoring endpoints for malware).
  - **Minimizing Internal Attacks:** A visible plan deters malicious insiders, who know they are likely to be caught.
  - **Increasing Security Posture:** Enhances reputation, builds customer trust in data protection, and assures investors that their investment is protected.

### Electronic Discovery Reference Model (EDRM)

- **Definition:** A widely used standard (www.edrm.net) for improving e-discovery and information governance.
- **Purpose:** A conceptual model of the phases for recovering and discovering digital data during investigations, litigation, or similar proceedings.
- **Phases:**
  1. **Identification:** Locating potential sources of Electronically Stored Information (ESI) and determining its scope, breadth, and depth.
  2. **Preservation:** Ensuring ESI is protected against inappropriate alteration or destruction.
  3. **Collection:** Gathering ESI for further use in e-discovery (processing, review).
  4. **Processing:** Reducing the volume of ESI and converting it into formats suitable for review and analysis.
  5. **Review:** Evaluating ESI for relevance and privilege.
  6. **Analysis:** Evaluating ESI for content, context, key patterns, topics, people, and discussions.
  7. **Production:** Delivering ESI to others in appropriate forms using suitable delivery mechanisms.
  8. **Presentation:** Displaying ESI to audiences (depositions, hearings, trials) in native or near-native form to elicit information, validate facts, or persuade.

### Digital Evidence

- **Prevalence:** Traces of online activity (socializing, email, browsing) remain on computing devices for years.
- **"Deleted" Data:** Users often wrongly assume that deleting a file permanently erases it. Deleting only releases the file's space, and a quick format only rebuilds the file system structures, so the contents usually remain on disk until overwritten and can be recovered.
- **Forensic Recovery:** Dedicated wiping tools overwrite data, but traces often survive in places a wiping tool did not reach (slack space, unallocated areas, backups, logs, metadata), and investigators recover essential evidence from them.
- **Definition:** Electronically Stored Information (ESI) acquired from digital devices (hard drives, mobile phones, tablets, storage media) in a systematic way for use in court.

### Digital Evidence Types

Categorized by who created the data:

1. **User-Created Data:** Anything a human user produces with a digital device.
   - **Examples:** Text files (MS Office documents, IM chats, bookmarks), spreadsheets, databases, audio and video files, digital images, webcam recordings, address books, calendars, hidden or encrypted files, previous backups (cloud or offline), account details (usernames, passwords), emails and attachments, webpages, social media accounts, cloud storage.
   - **Metadata:** User-created files usually carry metadata (author name, organization, computer name, creation date and time, comments). It is produced intentionally or automatically (GPS coordinates, camera model, and resolution in photos) and is crucial evidence.
2. **Machine/Network-Created Data:** Generated automatically by a device or network service.
   - **Examples:**
     - **Computer Logs:** Windows event logs (Application, Security, Setup, System, Forwarded Events, and the Applications and Services Logs).
     - **Router Logs:** Connection records kept by routers, and separately the browsing and connection records retained by the ISP.
     - **Configuration Files and Audit Trails.**
     - **Browser Data:** History, cookies, download history.
     - **Instant Messenger History and Contact Lists:** (Skype, WhatsApp).
     - **GPS Tracking History:** From GPS-enabled devices.
     - **Restore Points** (Windows) and temporary files.
     - **Device IP and MAC Addresses:** Including LAN broadcast settings.
     - **Application and Windows History** (e.g., recently opened files).
     - **Registry Hives** (Windows).
     - **System Files** (hidden and ordinary).
     - **Printer Spooler Files.**
     - **Hidden Partitions and Slack Space:** Can conceal user information.
     - **Bad Clusters, Paging, and Hibernation Files.**
     - **Memory Dump Files, Virtual Machine Images.**
     - **Surveillance Video Recordings.**

### Locations of Electronic Evidence

Digital evidence is found in almost every digital-aware device, not just hard drives.

- **Common Devices to Investigate:** Desktops, laptops, tablets, servers, RAID arrays, network devices (hubs, switches, modems, routers, wireless access points), Internet-enabled home devices (smart appliances), IoT devices, DVRs and surveillance systems, MP3 players, GPS devices, smartphones, PDAs, game consoles (Xbox, PlayStation), digital cameras, smart cards, pagers, digital voice recorders, external hard drives, flash/thumb drives, printers, scanners, fax machines, copiers, fixed and cordless phones (calls, messages, numbers), answering machines, backup tapes.
- **Other Sources:** The devices themselves can also carry fingerprints, DNA, and other physical identifiers relevant to an investigation.

### Challenges of Acquiring Digital Evidence

Criminals destroy or hide evidence, and device seizure laws vary by jurisdiction.

- **Obstacles:**
  - **Locked Computers:** Protected by a password, access card, or dongle.
  - **Digital Steganography:** Concealing data inside images, videos, audio, file systems, or in plain sight (e.g., inside MS Word documents).
  - **Encryption:** Makes data unreadable without the key or password.
  - **Full Disk Encryption (FDE):** (e.g., BitLocker) protects entire drives; the keys are typically only available while the system is running and unlocked.
  - **Strong Passwords:** Time-consuming and expensive to crack.
  - **File Renaming and Extension Changes:** (e.g., DOCX renamed to DLL) to disguise the file type.
  - **Evidence Destruction Attempts:** Securely wiping hard drives with dedicated software.
  - **History Removal:** Clearing web browser history, disabling system or application logging.
  - **Physically Damaged Media:** Must be repaired before data recovery is possible.
  - **Sensitivity of Digital Evidence:** Improper handling (heat, cold, moisture, magnetic fields, dropping) can destroy it.
  - **Easy Alteration:** If a computer is ON, volatile memory must be acquired quickly and the machine must not be shut down first; if it is OFF, it must stay OFF, because booting it changes the disk.
  - **Lack of Standardized Cyberlaws:** Laws differ between states and countries, which is a problem for cross-border cybercrime.
  - **Data Ownership Issues:** Encrypted data on a suspect device whose ownership is denied is difficult to get decrypted.
  - **Criminal Savvy:** Most criminals are not "tech-savvy." Even those who use anti-forensic techniques rarely apply them perfectly, which leaves openings for investigators.

### Who Should Collect Digital Evidence?

- Only trained professionals with the expertise and knowledge to handle sensitive data without destroying it.
- **Required Skills:**
  - **Analytical Thinking:** Ability to correlate the events and facts of a crime.
  - **Solid IT Background:** Broad knowledge of IT technologies, hardware, operating systems, and applications (a general understanding rather than detailed knowledge of each).
  - **Hacking Skills:** Thinking like an attacker; understanding attack techniques and cybersecurity concepts.
  - **Communication and Organizational Skills:** Documentation skills for organizing findings and presenting them to the team, attorneys, and judges.
  - **Understanding of Legal Issues:** Those pertaining to digital crime investigations.
  - **Technical Skills:** Data recovery and acquisition, technical report writing.
  - **Online Searching and Information Gathering:** Ability to use publicly available sources.

### Chain of Custody

- **Definition:** An integral part of every digital forensic investigation.
- **Requirement:** Clearly records how the digital evidence was discovered, acquired, transported, examined, preserved, and handled by each party.
- **Goal:** Ensure the integrity of the evidence by tracking every contact with it from acquisition to presentation in court.
- **Consequence of Failure:** A broken chain of custody makes the evidence useless in court.
- **Documentation:** Requires an audit log of every movement and every possessor of the evidence. It proves the evidence was not altered and that nothing was planted; recording hash values at each hand-over is how that claim is backed up technically.
- **Questions Answered by the Chain of Custody:**
  - What is the digital evidence? (description)
  - Where was it found? (location, device state ON/OFF)
  - How was it acquired? (tools, preservation steps)
  - How was it transported, preserved, and handled?
  - How was it examined? (tools, techniques)
  - When was it accessed, by whom, and why?
  - How was it used during the investigation?

### Digital Forensics Examination Process

- There is no single standard methodology, but every approach divides the work into four main phases:

1. **Seizure:**
   - The physical evidence (the digital device) is seized and transferred to the forensic lab.
   - Requires proper authorization (e.g., a court warrant).
   - Device types: laptop, tablet, mobile phone, external HDD, USB flash drive, wearable, desktop PC.
   - On-scene examination by a trained technician ensures sound acquisition and preservation.
   - If the computer is running, acquire volatile memory (RAM) if possible.
   - **Modern practice:** Emphasizes acquiring volatile memory while the PC is running, because it holds cryptographic keys (including FDE keys), chat logs, unencrypted content, and process information that are lost at power-off.
   - RAM acquisition must be documented (tool, version, time): the acquisition tool itself runs in memory and unavoidably changes a small part of it.
2. **Acquisition:**
   - Covers secondary storage (HDD, SSD, thumb drive, tape) and volatile memory (RAM).
   - The examiner duplicates the suspect drive bit for bit to create a complete forensic image, connecting the source through a write blocker so nothing is written back to it.
   - Multiple copies are essential; analysis is done on a copy while the original stays intact for verification, and the hash of the image is compared with the hash of the source.
   - Uses hardware duplicators or software imaging tools (e.g., the Linux `dd` command).
3. **Analysis:**
   - The acquired image is examined with specialized tools (e.g., EnCase, The Sleuth Kit, Volatility for memory, Forensic Toolkit).
   - Recovers hidden, deleted, and encrypted files, IM chat logs, browsing history, and deleted emails.
   - Uses **hash signature analysis**: file hashes are compared with known-good sets to exclude standard OS and application files and with known-bad sets to flag notable files.
   - Keyword searches across the image locate relevant information.
   - Incriminating findings are analyzed to reach conclusions and presented in a formal report.
4. **Reporting:**
   - The examiner produces a structured report of the findings, usually for a non-technical audience (attorneys, judges, juries).
   - Writing style, terminology, and presentation of the facts are crucial.
   - The evidence (mostly digital) is presented together with the report.
   - **General content of a forensic report:**
     - Summary of key findings.
     - Description of the tools used (hardware and software), their function, and their version.
     - Method used to acquire the digital evidence.
     - Description of the digital evidence (image contents) and the artifacts found (browsing history, email history, USB registry analysis, deleted files); screen captures are preferred.
     - Explanation of technical terms so non-technical readers can follow (e.g., "unallocated disk space," "Host Protected Area").
     - Conclusion of the investigation.
     - The original suspect hard drive and the digital copies (images) are presented to the court with the report.

### Data Representation

- Computers store, process, and represent data in their own way.
- **Numbering Systems:**
  - **Decimal (Base-10):** The everyday system (digits 0-9).
  - **Binary (Base-2):** The computer's native system, only 0 and 1; positional notation where each place is a power of two.
  - **Hexadecimal (Base-16):** Uses 16 symbols (0-9 and A-F, where A-F represent 10-15). Each hex digit encodes exactly four bits, so one byte is two hex digits, which is why hex editors and file signatures are written in hex.

### Computer Character Encoding Schema

Maps binary values to readable text.

- **ASCII (American Standard Code for Information Interchange):**
  - Older standard, still universally supported.
  - Uses 7 bits (128 values); covers only English letters, digits, and basic punctuation, not other languages or symbols.
- **Unicode:**
  - Assigns a unique number (code point) to every character of every script.
  - Supported by all major operating systems, software, and mobile devices.
  - Stored using encodings such as UTF-8 (dominant on the web and Linux) and UTF-16LE (used internally by Windows, e.g., in the registry and NTFS file names). A keyword search run only over ASCII/UTF-8 misses strings stored as UTF-16, so forensic tools search both.
- **File Carving:**
  - Understanding how data is stored is essential for it.
  - Technique for extracting files from unallocated disk space or raw data by recognizing their structure (header, trailer, internal layout) rather than file system records, so it works without the original program and without an intact file system.
  - Effective for recovering deleted files and fragments from wiped or damaged drives.

### File Structure

- A digital file is a sequence of bits with a specific encoding scheme (its file format).
- **File Extension vs. Signature:**
  - Users identify file types by extension (e.g., .docx, .xlsx).
  - Investigators cannot rely on the extension alone: it is trivially changed to conceal a file.
  - The **file signature (header, "magic number")** must be checked to determine the true type.
- **File Signature Examples (leading bytes):**
  - PDF: `25 50 44 46` (`%PDF`)
  - DOCX, PPTX, XLSX: `50 4B 03 04 14 00 06 00` (`50 4B 03 04` is the generic ZIP local file header: Office files are ZIP containers, as are JAR and APK files, so confirm an Office file by its contents, e.g. `[Content_Types].xml`)
  - PNG: `89 50 4E 47 0D 0A 1A 0A`
- **File Trailer Examples (at the end of the file):**
  - PDF: `25 25 45 4F 46` (`%%EOF`), normally preceded by a line break
  - DOCX, PPTX, XLSX: `50 4B 05 06`, the start of the 22-byte end-of-central-directory record (18 more bytes follow it)
  - PNG: `49 45 4E 44 AE 42 60 82` (the `IEND` chunk and its CRC)
- **Tools:** A hex editor such as `HxD` can be used to examine file signatures.
- **Data Stream Concealment:** Alternate Data Streams (ADS) can hide data inside a file on NTFS file systems without changing the file's visible size. Built-in commands list them (`dir /r` in cmd.exe, `Get-Item -Stream *` in PowerShell), and forensic suites enumerate them automatically.
- **Deletion of ADS:** `Clear-Content normal.txt -Stream secret` or `Remove-Item normal.txt -Stream secret` in PowerShell removes an alternate data stream.

### Digital File Metadata

- **Definition:** Data about data. Files carry metadata; some of it is embedded in the file, some is stored separately by the file system.
- **Content:** Describes the file it belongs to.
- **Examples:** Author name, organization, computer name, creation date and time, comments, GPS coordinates (in images), camera model, resolution.
- **Forensic Importance:**
  - Crucial for tracking a file's author, history, and usage.
  - Offenders can manipulate metadata to remove evidence or mislead the examiner.
  - Forensic examiners look for such tampering (e.g., timestamps that are inconsistent between the file system and the file's embedded metadata).
  - Tools make extracting and searching metadata easy.

### Timestamps Decoder (Tool)

- **Importance:** Timestamps (last access, modified, created) are among the most critical metadata.
- **Decoding Need:** Many artifacts store time as binary values, not text: Windows FILETIME (a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC, used in the registry and in NTFS $MFT records, usually stored little-endian) and Unix epoch time (seconds since 1970-01-01 UTC), often written in hex. Such values must be decoded, and whether they are UTC or local time must be noted.
- **Tools:** Use a "decoder" tool to interpret them.
  - Example: [epochconverter.com/hex](https://www.epochconverter.com/hex) for Unix hex timestamps.
  - Example: `DCode™ – Timestamp Decoder` (digital-detective.net), a digital forensic utility.

### Hash Analysis

- **Definition:** Central to proving data integrity in digital forensics.
- **How it Works:** A cryptographic hash function maps data of any size (a file, a whole disk image) to a fixed-length digest. Any change to the input changes the digest, and it is computationally infeasible to find a second input with the same digest (collision resistance), so a matching hash shows the data is unchanged.
- **Purpose:** Hash every acquired item (disk images, individual files) and record the values so that recomputing them later proves nothing was tampered with.
- **Usage in Investigations:**
  - **First Use:** At acquisition, hash the source and the image and confirm they match before analysis begins (and again for every duplicate copy).
  - **Second Use:** At the end of the examination, rehash to show the evidence was not altered during processing.
- **Tools:** Hash generator tools; forensic suites hash automatically during imaging.
- **Algorithms:** MD5 and SHA-256 are the common choices. MD5 is no longer collision resistant (two different files with the same MD5 can be crafted), so record SHA-256, often alongside MD5 for compatibility with older tool output.
- **Windows:** PowerShell's `Get-FileHash` cmdlet generates file hashes.

### Data Storage on HDD

- **HDD:** The main nonvolatile (permanent) storage; uses magnetic recording.
- **Form Factors:** Fixed (internal) and external (connected via USB or eSATA).
- **Platters:** Data is stored on round metal disks coated with magnetic material; a drive contains several platters.
- **Structure:**
  - Platters are divided into **tracks** (concentric rings), and tracks into **sectors**.
  - In the classic geometry every track has the same number of sectors; modern drives use zone bit recording, so outer tracks hold more sectors than inner ones.
  - A drive has millions (now billions) of sectors.
  - The traditional sector size is 512 bytes; newer (Advanced Format) drives use 4096-byte physical sectors, usually presented to the OS as 512-byte logical sectors.
- **Partitions:** Logical storage units on a disk, treated as separate drives. They allow different file systems (FAT, NTFS) and the separation of OS and user data.
- **Clusters:** File systems allocate space in clusters (groups of consecutive sectors).
- **Cluster Size:** The smallest unit of disk space allocated to a file. It depends on the file system and partition size; NTFS defaults to 4 KB (8 sectors of 512 bytes), and sizes from 512 bytes up to 64 KB and beyond are possible.
- A cluster holds data from only one file.
- **Slack Space:** When a file is smaller than the clusters allocated to it, the unused remainder of the last cluster is slack space.
  - It still holds whatever was written there before (remnants of previously deleted files) and can contain incriminating data recoverable as evidence.
- **Tools for Slack Space:** A "Disk Slack Checker" (e.g., Karen's Power Tools Ptslack) calculates how much slack space a volume contains.
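The file-signature, file-carving and hash-analysis points above, worked as one added Python example (this is not code from the original sheet or from Hassan's book): it carves PDF, PNG and ZIP/Office objects out of a raw byte blob by header and trailer, identifies each by its magic bytes instead of its extension, and records MD5 and SHA-256 for every carved object. The "unallocated space" image and the three files inside it are constructed in memory, and all function and constant names are this example's own assumptions.

```python
"""Header/trailer carving, true-type identification and hashing of carved
objects. Added example; the 'unallocated space' image is built in memory
from constructed sample files, so it runs offline."""
import hashlib
import io
import os
import random
import zipfile
import zlib

# Header and trailer signatures as listed in the prep sheet. DOCX/PPTX/XLSX
# are ZIP containers: their header is the generic ZIP local-file header and
# their trailer is the 22-byte end-of-central-directory (EOCD) record.
SIGNATURES = {
    "pdf": (b"%PDF", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
}
EOCD_LEN = 22  # EOCD record length when the archive comment is empty
OFFICE_EXTS = {"docx", "pptx", "xlsx"}


def identify(data: bytes):
    """Return the type implied by the leading bytes, ignoring any extension."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_matches(name: str, data: bytes) -> bool:
    """False when a file was renamed to disguise its type (e.g. DOCX -> DLL)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = identify(data)
    if kind == "zip":
        return ext == "zip" or ext in OFFICE_EXTS
    return kind is not None and kind == ext


def carve(image: bytes):
    """Yield (offset, kind, data) for each header..trailer span in a raw image."""
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(trailer, start + len(header))
            if end == -1:
                break  # header without trailer: a fragment, not carved here
            stop = end + (EOCD_LEN if kind == "zip" else len(trailer))
            yield start, kind, image[start:stop]
            pos = stop


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of an evidence object, recorded at carving time."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


# ---- constructed sample evidence (not real case data) ----
def make_png() -> bytes:
    """Smallest valid PNG: one RGB pixel, chunk CRCs computed with zlib."""
    def chunk(tag, body):
        return (len(body).to_bytes(4, "big") + tag + body
                + zlib.crc32(tag + body).to_bytes(4, "big"))
    ihdr = (1).to_bytes(4, "big") * 2 + b"\x08\x02\x00\x00\x00"
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def make_docx_like() -> bytes:
    """Minimal ZIP container with an Office-style entry (stored, not deflated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


def build_sample_image():
    """Seeded random filler with three files scattered inside it."""
    rng = random.Random(7)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    originals = {
        "pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF",
        "png": make_png(),
        "zip": make_docx_like(),
    }
    image = (filler(300) + originals["pdf"] + filler(128) + originals["png"]
             + filler(64) + originals["zip"] + filler(200))
    return image, originals


def carve_report(image: bytes):
    """Carve everything and hash it, as an examiner would before analysis."""
    return [{"offset": off, "kind": kind, "size": len(data), **digests(data)}
            for off, kind, data in carve(image)]


if __name__ == "__main__":
    sample, files = build_sample_image()
    for row in carve_report(sample):
        print(row)
    print(extension_matches("evidence.dll", files["zip"]))  # renamed DOCX -> False
```

The carver stops at the first trailer after a header, which is right for these three formats on contiguous data; fragmented files and formats without a fixed trailer need a structure-aware parser, which is what commercial carvers add.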
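The decoding described under Timestamps Decoder, as an added Python example rather than the DCode tool or anything from the original sheet: it converts Windows FILETIME values (including the 8-byte little-endian REG_BINARY form shown by registry editors, the same form used by NTFS $MFT timestamps) and hex-encoded Unix epoch values into UTC datetimes. The function names and the sample values are this example's own assumptions.

```python
"""Decode binary timestamps met in Windows artifacts into UTC datetimes.
Added example: FILETIME (registry REG_BINARY, $MFT) and hex Unix epoch."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 100 ns ticks between 1601-01-01 and 1970-01-01 (0x019DB1DED53E8000).
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME is an unsigned 64-bit count of 100 ns intervals since 1601."""
    if not 0 <= ticks < 2**64:
        raise ValueError("FILETIME must fit in an unsigned 64-bit integer")
    # timedelta has microsecond resolution, so the tens-of-nanoseconds digit
    # is dropped; that is fine for reporting.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """Registry REG_BINARY values and $MFT attributes hold FILETIME little-endian."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return filetime_to_datetime(int.from_bytes(raw, "little"))


def filetime_from_registry_hex(text: str) -> datetime:
    """Registry editors show the value as a hex dump, e.g. '00 80 3E D5 DE B1 9D 01'."""
    return filetime_from_bytes(bytes.fromhex(text))


def filetime_to_unix(ticks: int) -> float:
    """Seconds since 1970-01-01 UTC, for comparison with Unix-style logs."""
    return (ticks - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND


def unix_to_filetime(seconds: int) -> int:
    return seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS


def unix_hex_to_datetime(hex_value: str) -> datetime:
    """Unix epoch written in hex, as on epochconverter.com/hex. Values too
    large to be seconds (beyond year 5138) are treated as milliseconds."""
    value = int(hex_value, 16)
    if value > 10**11:
        value /= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)


def describe_filetime(ticks: int) -> str:
    """Report form; a zero FILETIME means 'never set', not the year 1601."""
    if ticks == 0:
        return "not set"
    return filetime_to_datetime(ticks).isoformat()


if __name__ == "__main__":
    print(describe_filetime(132223104000000000))          # 2020-01-01 UTC
    print(filetime_from_registry_hex("00 80 3E D5 DE B1 9D 01"))  # Unix epoch
    print(unix_hex_to_datetime("5E0BE100"))
```

Always report which time zone a decoded value is in: FILETIME is UTC by definition, while some application databases store local time, and mixing the two shifts a timeline by the offset of the machine's configured zone.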
### Host Protected Area (HPA) and Device Configuration Overlay (DCO)

- **HPA:** A reserved area at the end of the drive's addressable space, set through ATA commands (originally by the manufacturer for diagnostic and recovery utilities, sometimes boot files). The BIOS and OS see a drive whose capacity ends before it, so normal tools never read it.
- **DCO:** Another reserved area (not supported by every model) that reduces the capacity the drive reports; it sits beyond the HPA at the very end of the drive.
- **Coexistence:** Both can exist on one drive; the DCO must be set before the HPA.
- **Forensic Importance:** A format only rewrites the area visible to the OS, so HPA and DCO contents survive formatting, which makes them attractive places to hide data.
- **Accessibility:** Forensic suites and hardware acquisition tools detect and image these areas (on Linux, `hdparm` can report whether the native capacity exceeds the reported one). The report should state whether the image covered them.

### Data Recovery Considerations

- **HDD Data Recovery:** Deleting a file removes only its file system entry and marks its clusters free; the contents stay on the platters until those clusters are reused, so recovery is often feasible, and the less the drive is used afterwards, the better the odds.
- **SSD Data Recovery:** Harder than on an HDD, and sometimes impossible.
  - When a file is deleted, the OS issues the **TRIM command** to tell the SSD which pages no longer hold live data; the drive's garbage collection then erases them on its own schedule, often within minutes, after which reads return zeros.
  - TRIM scheduling differs by OS (some issue it immediately, others on a periodic schedule), and wear levelling moves data around the flash, so the HDD assumption that deleted data stays in place does not hold. Image an SSD as early as possible and never mount the original writable.

### File Systems

- **Purpose:** The mechanism (a logical map) the OS uses to track files within a partition.
- **Windows OS:** Uses FAT or NTFS (exFAT is the FAT successor for large removable media).
- **FAT (File Allocation Table):**
  - One of the oldest file systems (FAT12, FAT16, FAT32, FATX on Xbox).
  - The default on MS-DOS and Windows 95/98/ME; Windows NT supported it alongside NTFS.
  - More portable than NTFS; common on digital cameras, SD cards, smartphones, USB drives, and embedded devices.
  - Readable on practically every platform.
- **NTFS (New Technology File System):**
  - Microsoft's proprietary file system for modern Windows (Windows XP and later, including 8, 10, and the Server editions).
  - Created when a volume is formatted, with system files such as the Master File Table ($MFT), $Bitmap, and $LogFile:
    - **$MFT (Master File Table):** One record per file and directory on the volume (names, timestamps, stream names, cluster runs, indexes, security identifiers, and attributes such as "read only", "compressed", "encrypted"). Its timestamps are FILETIME values.
    - **$Bitmap:** An array of bits recording whether each cluster is allocated or free.
    - **$LogFile:** The transaction log of file system metadata changes.
  - **Data Streams:** Each file is composed of data streams.
    - **Primary Stream:** Holds the actual user data.
    - **Alternate Data Stream (ADS):** Can hold hidden data without changing the file's visible size.
    - Examiners should enumerate all data streams on NTFS partitions to find hidden data.
  - **Advantages over FAT:** Larger files and volumes, per-file permissions (ACLs), file encryption (EFS), compression, and journaling via $LogFile.

### Reference

- Nihad A. Hassan, *Digital Forensics Basics: A Practical Guide Using Windows OS*, Apress, 2019.