Investigation of digital evidence in computer and mobile phone - Urachada Ketprom Digital Forensics Technology Laboratory 6 March 2011
Icon source: Thaiforensic.com
Digital Forensics Technology Laboratory
Definition of digital forensics: "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
Source: DFRWS technical report, "A Road Map for Digital Forensic Research", 6 November 2001.
Outline
• Digital evidence
– Easy to create, copy, modify
– Hard to destroy (logically)
– Evidence integrity
• Forensics process
– Acquisition, analysis, answering/reporting
– Chain of custody
• Forensics methodology
– Forensics tools
– Mobile phone
Evidence at the crime scene
• Handling electronic evidence at the crime scene normally consists of the following steps:
– Recognition and identification of the evidence
– Documentation of the crime scene
– Collection and preservation of the evidence
– Packaging and transportation of the evidence
Source: US Department of Justice, "Electronic Crime Scene Investigation: A Guide for First Responders", July 2001. Picture source: thestarshow.com
Computer (1)
• Description: A computer system typically consists of a main base unit, sometimes called a central processing unit (CPU), data storage devices, a monitor, keyboard, and mouse. It may be standalone or it may be connected to a network. There are many types of computer systems, such as laptops, desktops, tower systems, modular rack-mounted systems, minicomputers, and mainframe computers. Additional components include modems, printers, scanners, docking stations, and external data storage devices.
– For example, a desktop is a computer system consisting of a case, motherboard, CPU, and data storage, with an external keyboard and mouse.
• Potential evidence: Evidence is most commonly found in files that are stored on hard drives and storage devices and media.
Source: US Department of Justice, "Electronic Crime Scene Investigation: A Guide for First Responders", July 2001
Computer (2)
• User-created files
– User-created files may contain important evidence of criminal activity, such as address books and database files that may prove criminal association, still or moving pictures that may be evidence of pedophile activity, and communications between criminals, for example by e-mail or letters.
– Address books. Audio/video files. Calendars. Database files. Documents or text files. E-mail files. Image/graphics files. Internet bookmarks/favorites. Spreadsheet files.
Computer (3)
• User-protected files
– Users have the opportunity to hide evidence in a variety of forms. For example, they may encrypt or password-protect data that are important to them. They may also hide files on a hard disk or within other files, or deliberately hide incriminating evidence files under an innocuous name.
– Compressed files. Encrypted files. Hidden files. Misnamed files. Password-protected files. Steganography.
• Evidence can also be found in files and other data areas created as a routine function of the computer's operating system.
Computer (4)
• Computer-created files
– Backup files. Configuration files. Cookies. Hidden files. History files. Log files. Printer spool files. Swap files. System files. Temporary files.
• Other data areas
– Bad clusters. Computer date, time, and password. Deleted files. Free space. Hidden partitions. Lost clusters. Metadata. Other partitions. Reserved areas. Slack space. Software registration information. System areas. Unallocated space.
Mobile Phone (1)
• A current mobile phone is more than a phone: personal digital assistant (PDA), smart phone.
• Description: A personal digital assistant (PDA) is a small device that can include computing, telephone/fax, paging, networking, and other features. It is typically used as a personal organizer. A handheld computer approaches the full functionality of a desktop computer system. Some do not contain disk drives, but may contain PC card slots that can hold a modem, hard drive, or other device.
• Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Mobile Phone (2)
• Potential evidence: Address book. Appointment calendars/information. Documents. E-mail. Handwriting. Passwords. Phone book. Text messages. Voice messages.
Evidence Integrity
• An integrity check can be done using cryptographic hash functions.
• Hash functions
– MD5: 128-bit digest (32 hex digits)
– SHA-1: 160-bit digest (40 hex digits)
• "A hash algorithm (alternatively, hash 'function') takes binary data, called the message, and produces a condensed representation, called the message digest." (http://csrc.nist.gov/groups/ST/hash/)
• The digest of the original media is recorded at acquisition; recomputing it over the forensic copy, or over the same media later, shows whether a single bit has changed.
MD5 collision
• A collision occurs when two different files (inputs) produce the same hash value.
• Collisions have been demonstrated for MD5, so it is common practice to record a second, independent digest such as SHA-1 alongside the MD5: a substituted file would have to collide under both algorithms at once.
Source: AccessData, "MD5 Collisions: The Effect on Computer Forensics", white paper, April 2006
•Forensics Process
Forensics Process
• Acquisition
• Analysis
• Answering/Reporting
– The three "A" steps
Acquisition
• Prepare a forensic copy (i.e., an identical bit-for-bit physical copy) of the acquired digital media, while preserving the integrity of the acquired media.
• Preserve the evidence.
• Why?
– Acquisition is the most important of the three steps: everything that follows is done on the copy, so an error here cannot be corrected later.
– Evidence that has been altered, or whose integrity cannot be demonstrated (by matching digests and an unbroken chain of custody), risks being ruled inadmissible in court.
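The acquisition and integrity-check steps above, as an added example that is not code from the slides or from any tool they name. It does what imaging tools such as dd, dcfldd or FTK Imager do: copy the source block by block, hash it as it is read, re-hash the finished image, and record both MD5 and SHA-1 (two independent digests, as discussed under MD5 collisions) in a custody log. The source device, image name and log path are assumptions: here the "device" is a constructed file of random bytes; in a real acquisition it would be a block device behind a hardware write blocker.

```python
"""Added example: forensic imaging with on-the-fly MD5 and SHA-1 digests.

Not code from the slides or from any named tool. The source is a constructed
file standing in for a seized device; the image and log names are assumptions.
"""
import hashlib
import io
import os
import tempfile

BLOCK = 4096                 # read in sector multiples; unreadable blocks are skipped per block
ALGORITHMS = ("md5", "sha1")  # two independent digests: a collision in one is not a collision in both


def _digests(stream, algorithms=ALGORITHMS):
    """Hash a readable binary stream in one pass, returning {name: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(BLOCK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return _digests(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return _digests(f, algorithms)


def acquire(source, image, log):
    """Copy `source` to `image` block by block, hashing the source as it is read.

    A block that raises a read error is replaced by zeros (the zero fill dd does
    with conv=noerror,sync) so offsets in the image still line up with the
    source, and the number of such blocks is recorded. The image is then
    re-read independently; record["verified"] is True only if its digests match
    the digests computed from the source.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    bad_blocks = 0
    offset = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            try:
                chunk = src.read(BLOCK)
            except OSError:                  # hardware read error on this block
                bad_blocks += 1
                offset += BLOCK
                src.seek(offset)
                chunk = b"\x00" * BLOCK
            else:
                offset += len(chunk)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    source_digests = {name: h.hexdigest() for name, h in hashers.items()}
    image_digests = hash_file(image)         # independent re-read of the finished image
    record = {
        "source": source, "image": image, "bad_blocks": bad_blocks,
        "source_digests": source_digests, "image_digests": image_digests,
        "verified": source_digests == image_digests,
    }
    with open(log, "a", encoding="utf-8") as f:   # custody log entry (assumed format)
        for name in ALGORITHMS:
            f.write(f"{name}: source={source_digests[name]} image={image_digests[name]}\n")
        f.write(f"verified={record['verified']} bad_blocks={bad_blocks}\n")
    return record


def verify(image, expected):
    """Re-hash a stored image and compare with the digests recorded at acquisition."""
    return hash_file(image) == expected


def demo():
    """Constructed device and image; returns (verified_at_acquisition, tamper_detected)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "evidence.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))   # deliberately not a multiple of BLOCK
    record = acquire(source, os.path.join(work, "evidence.dd"), os.path.join(work, "custody.log"))
    # Flip one byte of the image: verification against the recorded digests must now fail.
    with open(record["image"], "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    return record["verified"], not verify(record["image"], record["source_digests"])


if __name__ == "__main__":
    print("verified, tamper detected:", demo())
```

Hashing during the read rather than afterwards means the source media is read once, which matters for failing drives, while the second, independent read of the image is what proves the copy on disk is what was hashed.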
Analysis
• Examine the forensic copy to recover information.
• Analyze the recovered information.
• The data to be analyzed differ from tool to tool; no one tool fits all.
Usual parts of a file to be analyzed
• Header (file signature or "magic number" at the start)
• Tail (trailer at the end)
• Content
• Etc.
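Header and tail signatures are what file carving keys on when recovering deleted files from the unallocated and slack space listed under Computer (4). The following is an added example, not code from the slides or from any carving tool; it is a minimal version of what tools such as foremost or scalpel do. The image it scans is constructed in the block, and the JPEG/PNG "payloads" are placeholder bytes rather than valid pictures; the signature table and output naming are assumptions.

```python
"""Added example: signature (header/trailer) carving over a raw image.

Not code from the slides or any named tool. The image and its two "deleted"
files are constructed below; the signature table is a small illustrative one.
"""
import hashlib
import os

# (header, trailer) signatures; real carving tools ship hundreds of these.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                   # SOI ... EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),  # PNG magic ... IEND chunk + CRC
}
MAX_SIZE = 10 * 1024 * 1024  # a header with no trailer inside this window is dropped


def carve(image, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(kind, offset, data)] for every header whose trailer follows it.

    `image` is any bytes-like object (bytes, bytearray, or an mmap of the image
    file). The scan ignores file system structures entirely, which is why it
    recovers files from unallocated space after the directory entry is gone.
    The limits are the mirror image: a fragmented file comes back corrupt, a
    trailer pattern inside unrelated data truncates a hit, and every carved
    file still has to be validated (e.g. by opening it with a parser).
    """
    found = []
    for kind, (header, trailer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                start = image.find(header, start + 1)  # no trailer in range: try the next header
                continue
            end += len(trailer)
            found.append((kind, start, bytes(image[start:end])))
            start = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def carve_to_dir(image, outdir, signatures=SIGNATURES):
    """Write each hit as <offset>.<kind> and return [(path, sha1)], so the carved
    files are hashed into the case record as soon as they are produced."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for kind, offset, data in carve(image, signatures):
        path = os.path.join(outdir, f"{offset:012d}.{kind}")
        with open(path, "wb") as f:
            f.write(data)
        written.append((path, hashlib.sha1(data).hexdigest()))
    return written


def build_sample_image():
    """Constructed image: two 'deleted' files surrounded by zero-filled unallocated space."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-" * 10 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunks" * 20 + b"IEND\xae\x42\x60\x82"
    return b"\x00" * 4096 + jpeg + b"\x00" * 1000 + png + b"\x00" * 512


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

On a real image, memory-map the file and pass the mmap object to `carve` so a multi-gigabyte image is not read into memory; the function only uses `find` and slicing, which mmap supports.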
Answering/Reporting
• Develop a report documenting any pertinent information uncovered.
• Report only facts and findings.
• DO NOT insert any opinions.
Chain of custody
• Chain of custody
– All officers who take possession of evidence must sign the chain of custody record (evidence tag/receipt)
– Security of the device throughout transportation
• Transportation
– Vehicle used (interference from police/military radios, magnets in speakers in the boot of the vehicle, etc.)
– Sealed in an approved evidence bag
– Use a Faraday bag if necessary
•Forensics Methodology
•Mobile phone
Forensic Methodology
• RF isolation on scene
• Screened radio-frequency (RF) bag (Faraday bag)
• Scene Faraday solutions: basic Ramsey box; Ramsey box with built-in video
Faraday examination room – professional option
Specifications:
• 1 MHz to 10 GHz filtering
• Bi-lock doors (for entry and exit)
• Filtered air conditioning
• Filtered electricity
• Network connectivity over optical fibre
Photograph courtesy of NSW Police, SEEB, Sydney, Australia
Forensic Methodology
• Hardware visual examination
– Manuscript/contemporaneous notes
– Photographic, still/video
– Audio
• SIM card
– SIM card seizure
– Phonebase2, USIM Detective, CeLLeBrite, .XRY
• Removable media
– EnCase, FTK Imager etc.
• Always conduct a logical extraction first, before attempting a hex dump
• Logical extraction using off-the-shelf, tried and tested tools
– CeLLeBrite, CellDek, XRY, Paraben etc.
• Memory dump/hex extraction: use CeLLeBrite PA, XACT (forensically non-invasive, proven devices) first; then flasher-type boxes, Shu HWK (non-forensic, invasive solutions)
Mobile phone forensic tools
• No one tool fits all
• Device Seizure, Pilot-Link, GSM .XRY, OPM, MOBILedit, TULP2G etc.
• Note: of these, only Device Seizure supports the BlackBerry 7750 and 7780
Example: Paraben's Device Seizure (screenshots of acquisition, analysis, report generation, and a sample report)
References
• Wayne Jansen, Rick Ayers, "Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology", National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, May 2007
• US Department of Justice, "Electronic Crime Scene Investigation: A Guide for First Responders", July 2001
• John (Zeke) Thackray, "Mobile Forensics or Authenticated Copying: Where is the separation?", presentation, HTCIA 2009
• Rick Ayers, Wayne Jansen, Ludovic Moenner, Aurelien Delaitre, "Cell Phone Forensic Tools: An Overview and Analysis Update", National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, March 2007