Lakhasly

King Abdulaziz University
Faculty of Computing and Information
Technology
Diploma in Cybersecurity
CYB 260_Digital Forensics
Learning Objectives:
At the end of this chapter, you will be able to:
• Determine what data to analyze in a digital forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
CYB -260 2
Chapter 6: Evidence analysis
Topics
• Fundamentals of Forensic Data Acquisition
• Understanding Storage Formats for Digital Evidence
– Raw Format
– Proprietary Formats
• Advanced Forensic Format
• Determining the Best Acquisition Method
• Contingency Planning for Image Acquisitions
• Strategies for Preparing Digital Evidence Image Files in Various Forensic Scenarios
• Validating Data Acquisitions
CYB -260 3
Determining What Data to Collect and Analyze
Determining what data to collect and analyze in digital forensics varies based on the investigation type and data volume.
Criminal investigations are confined to data specified in the search warrant, while civil investigations are typically limited by
discovery court orders. In the private sector, investigations might focus on specific items like emails for company policy
violations, streamlining the process.
However, in cases involving or anticipating litigation, extensive data recovery might be requested, leading to extensive work and
possible scope creep. This creep occurs when investigations expand unexpectedly, necessitating documentation of additional
investigative requests. In criminal cases, detailed evidence examination is crucial to prepare for defense strategies, as defense
teams have full discovery rights and might use newly found evidence to their advantage. This emphasizes the need for thorough
evidence analysis by prosecution teams before trials, a principle applicable only in criminal cases in the United States
CYB -260 4
Determining What Data to Collect and Analyze:
Approaching Digital Forensics Cases
Approaching digital forensics cases requires a customized plan based on the specific nature of each case. This planning
involves defining the investigation's goals, scope, required materials, and tasks. The approach varies considerably depending on
the case type:

1. E-mail Harassment Case: This might involve simple tasks like accessing network logs and e-mail server backups to find
   specific messages. However, the approach varies based on whether it's an internal investigation or a legal matter involving
   law enforcement. In internal cases, access to records is usually straightforward. For criminal cases, coordination with ISPs
   and email services is necessary, noting that many organizations don't retain emails for extended periods.


2. Industrial Espionage Investigation: This type of investigation is more complex and requires thorough preparation. Before
   starting, ensure the organization has clear rules on usage and privacy rights. Methods may include setting up surveillance
   cameras, using keyloggers for capturing keystrokes, engaging network administrators for monitoring internet activities, and
   remotely acquiring the employee's drive data. Additionally, tools may be employed to check for accessed peripheral devices.
   Each case type demands a distinct set of strategies and tools, underscoring the importance of tailoring the investigation
   approach to the specific circumstances and legal boundaries of each case.
   CYB -260 5
   Determining What Data to Collect and Analyze:
   Approaching Digital Forensics Cases (cont..)
   For conducting digital forensics investigations, adhering to a set of standard practices is crucial for ensuring the integrity and
   reliability of the findings.
   These practices typically include the following steps:


3. Preparation of Target Drives: Use media that has been recently wiped, reformatted, and inspected for viruses. Always
   inspect and clear media of any malware before use. When using network storage media, implement standard network security
   practices like access control lists, secure routers, and firewalls. Tools like X-Ways Security, Digital Intelligence PDWipe, or
   WhiteCanyon SecureClean can be used for wiping target media.


4. Inventory of Suspect's Hardware: Document the physical hardware components of the seized computer, noting its
   condition.


5. Static Acquisitions: If feasible, remove the original drive from the computer and check the system's CMOS for date and time
   values.


6. Data Acquisition Record: Document the method used for data acquisition from the suspect drive, including the creation of a
   bit-stream image and the tool used, ensuring it creates an MD5 or SHA-3 hash for validation.


7. Methodical Data Examination: Process the image data logically and methodically.
   CYB -260 6
   Determining What Data to Collect and Analyze:
   Approaching Digital Forensics Cases (cont..)


8. File and Folder Listing: Use forensic tools like Autopsy to generate lists of all files and folders on the suspect’s drive in
   various formats. Note the location of specific evidence and its relevance to the investigation.


9. Comprehensive Data Examination: Examine all data files in all folders, starting from the root directory, unless limited by a
   search warrant or discovery demand.


10. Password-Protected Files: Attempt to recover contents from all relevant password-protected files using tools like
    OSForensics Password Recovery and Decryption, AccessData PRTK, or Passware Kit Enterprise.


11. Executable File Analysis: Identify the function of every unknown executable file. Note any system files or folders that seem
    out of place and examine unknown executables to understand their functionality.


12. Evidence Control: Maintain strict control over all evidence throughout the investigation to ensure its integrity and
    admissibility.
    Following these steps meticulously is vital for the successful and credible completion of a digital forensics
    investigation
    CYB -260 7
    Determining What Data to Collect and Analyze:
    Refining and Modifying the Investigation Plan
    In digital forensics, specifically in civil, criminal, and private-sector investigations, the scope of data recovery varies. Legal cases
    are often guided by search warrants or subpoenas, defining the extent of permissible data retrieval. In private-sector cases, like
    employee misconduct investigations, these limits may not be explicit, necessitating a more refined investigation plan.
    The aim is to ensure the investigation is comprehensive enough to cover all relevant evidence without being excessively broad,
    which could lead to a waste of resources. A flexible approach is essential, as initial plans might need to be adjusted based on
    new evidence. For instance, investigating an employee suspected of using company resources for personal purposes initially
    focuses on internet usage data but may expand to include financial documents if such evidence is discovered. The key lies in
    starting with a structured plan while being adaptable to new findings.
    CYB -260 8
    Determining What Data to Collect and Analyze:
    Using Autopsy to examine file system
    As mentioned in chapter 4, autopsy (Fig.1) is a comprehensive
    digital forensics platform used for investigating activities on
    computers and other digital devices. It functions as a graphical
    interface to The Sleuth Kit® (TSK) and incorporates various
    other digital forensics tools. Utilized by professionals in law
    enforcement, military, and corporate sectors, Autopsy is
    versatile, supporting tasks from computer investigations to
    photo recovery from camera memory cards. The platform is
    designed with both in-built and third-party modules, each
    catering to specific forensic needs.
    CYB -260 9
    Fig1. Autopsy Welcome Screen
    Determining What Data to Collect and Analyze:
    Using Autopsy to examine file system (cont..)
    Essential Features of Autopsy:
    • Event Timeline Visualization: Provides a sophisticated interface for chronological event analysis, complete with
    instructional videos.
    • File Integrity Checking: Identifies and segregates files based on their known security status, filtering out harmful or
    irrelevant files.
    • Targeted Keyword Discovery: Includes a search mechanism for finding specific terms within files, aiding in focused data
    examination.
    • Internet Usage Extraction: Gathers internet usage details including browsing history and saved web data from major
    browsers like Firefox and Chrome.
    • Deleted File Recovery: Uses PhotoRec to salvage files from areas of storage not actively in use, enhancing data recovery
    efforts.
    • Analysis of Multimedia Metadata: Retrieves detailed metadata from images and video files, offering insights into
    multimedia content.
    • Security Threat Scanning: Scans for potential security risks using the Structured Threat Information Expression (STIX)
    framework. CYB -260 10
    Determining What Data to Collect and Analyze:
    Using Sleuth Kit to examine file system
    The Sleuth Kit® (TSK) (Fig.2) is a sophisticated toolkit
    consisting of both a library and command-line utilities
    aimed at assisting in the analysis of disk images for
    forensic purposes. Its primary functionality centers
    around the examination of volume and file system
    data. With its adaptable plug-in framework, TSK offers
    the flexibility to add extra modules for in-depth analysis
    of file contents and to facilitate the creation of
    automated forensic systems. This toolkit is not only
    integral to larger digital forensics applications but is
    also efficient for direct evidence retrieval in its
    standalone form.
    CYB -260 11
    Fig. 2: The Sleuth Kit in Kali Linux.
    Determining What Data to Collect and Analyze:
    Using Sleuth Kit to examine file system (cont..)
    Essential Attributes of The Sleuth Kit (TSK):
    • In-depth Volume and File System Examination: At its core, TSK excels in detailed scrutiny of volume and file system
    structures.
    • Expandable Design: The tool’s architecture allows for the integration of additional modules, enhancing its analytical
    capabilities.
    • Broad System Support: TSK is compatible with a range of partition types and file systems, including but not limited to DOS,
    BSD, and Mac partitions, Sun slices, GPT disks, and file systems like NTFS, FAT, ExFAT, UFS 1/2, and ext2/3/4.
    • Versatile Disk Image Analysis: It is equipped to handle various disk image formats, such as raw (dd), Expert Witness
    (EnCase), and AFF.
    • Forensic Image Requirement: For analysis, TSK necessitates a forensic image, usually in formats like .dd or .E01, which
    can be created with tools such as AccessData FTK Imager.
    Additional Elements of TSK:
    • Accessibility for Download: Users can download TSK for their investigative needs.
    • Comprehensive Resources: TSK offers detailed documentation and a record of its evolution and updates.
    • Clear Licensing Details: The toolkit provides explicit licensing information, guiding users on the legalities of its usage.
    CYB -260 12
    Validating Forensic Data
    In digital forensics, the validation of forensic data is a pivotal process. This involves confirming the integrity of digital evidence,
    which is crucial for its admissibility in court proceedings. The validation process typically includes the use of hashing techniques
    to verify that the data collected remains unchanged from its original state.
    Key Points:
    • Essentiality of Data Integrity: The core of digital evidence validation lies in ensuring the unaltered state of the data from the
    point of collection to its presentation in legal settings.
    • Use of Hashing in Forensics Tools: Forensic tools commonly incorporate hashing functions to create unique digital
    signatures for image files, facilitating the validation of data integrity.
    • Limitations of Forensics Tools: Despite their utility, these tools may have limitations in their hashing capabilities,
    necessitating the use of more advanced methods.
    • Role of Hexadecimal Editors: Advanced hexadecimal editors are often employed to overcome the limitations of standard
    forensic tools, offering a more thorough means of ensuring data integrity. These editors allow for a detailed examination and
    validation of data at a granular level.
    CYB -260 13
    Validating Forensic Data:
    Validating with Hexadecimal Editors
    In digital forensics, validating forensic data is a crucial process, especially when dealing with files that may have been altered or
    renamed to appear innocuous. Advanced hexadecimal editors play a vital role in this process due to their capabilities that
    extend beyond those found in standard digital forensics tools. These editors offer specific features like hashing individual files or
    sectors, which is essential for identifying and validating particular files, such as known contraband images.
    Key Points:
    • Advanced Features of Hexadecimal Editors: Unlike standard forensic tools, advanced hexadecimal editors can hash
    specific files or sectors, providing a more targeted approach to data validation.
    • Importance in Forensic Investigations: Mastery of these tools is crucial for forensic analysts, particularly when searching
    for specific files that might be disguised under different names.
    • Hash Value Utilization: By using the unique hash value, which remains consistent despite changes in file names, analysts
    can locate and verify suspicious files. This consistency in hash values is key to identifying files with identical content.
    • Efficiency of Hexadecimal Editors: Acquiring hash values using a full-featured hexadecimal editor can be faster and more
    efficient compared to traditional digital forensics tools.
    • Example of a Hexadecimal Editor - WinHex: WinHex is an example of such a tool, offering multiple hashing algorithms like
    MD5 and SHA-2. It’s useful for validating specific files or sectors, verifying data integrity, and ensuring accuracy in sparse
    acquisition scenarios. This tool's capabilities are critical for precise and efficient forensic analysis
    CYB -260 14
    Validating Forensic Data:
    Using Hash Values to Discriminate Data
    In the realm of digital forensics, using hash values to discriminate data is a critical method for identifying specific types of files
    within evidence drives or image files. Tools like AccessData's Known File Filter (KFF) and databases like the NIST National
    Software Reference Library (NSRL) are instrumental in this process. They provide updated hash values for a range of files,
    aiding in the detection of both legal and illegal content.
    Key Points:


13. AccessData's Known File Filter (KFF): This is a hashing database exclusive to the Forensic Toolkit (FTK) by AccessData.
    It serves two primary functions:
    • Filtering Known Program Files: KFF filters out common program files (e.g., winword.exe) to focus on more relevant
    data.
    • Identifying Illegal Files: The database contains hash values of known illegal files, such as child pornography,
    enabling it to compare these values with files in the evidence to identify suspicious content.
    CYB -260 15
    Validating Forensic Data:
    Using Hash Values to Discriminate Data (cont..)


14. Regular Updates of KFF: AccessData periodically updates the KFF with new hash values, ensuring the database remains
    current and effective in identifying known illegal files.


15. NIST National Software Reference Library (NSRL): Maintained by the National Institute of Standards and Technology,
    NSRL provides a comprehensive database of file hash values. It covers various operating systems, applications, and image
    files. However, it does not include hash values for known illegal files.


16. Integration with Other Forensic Tools: Digital forensic tools like X-Ways Forensics, OSForensics, and Forensic Explorer
    can import the NSRL database. These tools can then perform hash comparisons to identify known files, thereby
    streamlining the process of sifting through large volumes of data.


17. Application in Forensics: These tools and databases are crucial in forensic investigations for efficiently discriminating
    between irrelevant data and potential evidence, especially in cases involving large volumes of digital data.
    CYB -260 16
    Validating Forensic Data:
    Validating with Digital Forensics Tools
    Validating digital evidence through commercial digital forensics tools is an essential process in ensuring the integrity of image
    acquisitions. These tools typically generate MD5 and SHA-2 hash values for data within image files, facilitating the verification
    of data authenticity. This process is crucial in maintaining the reliability of digital evidence for legal proceedings.
    Key Points:


18. Built-in Validation Features: Commercial digital forensics tools come equipped with features that validate image
    acquisitions by generating hash values, particularly MD5 and SHA-2.


19. AccessData FTK Imager: This tool, when set to Expert Witness (.E01) or SMART (.S01) format, provides options for
    hashing all data. It then includes a report within the image file listing the MD5 and SHA-2 hash values.


20. Autopsy’s E01 Verifier: Similar to FTK Imager, Autopsy includes a feature for verifying Expert Witness image files.
    CYB -260 17
    Validating Forensic Data:
    Validating with Digital Forensics Tools (cont..)


21. Image File Verification Process: When an image file is opened in a forensics tool, another hash (MD5 or SHA-2) is
    computed for the copied data. This hash is compared with the original to verify the image file's correctness. A mismatch in hash
    values indicates potential corruption of digital evidence, prompting the need for reacquisition or careful reporting.


22. Handling Raw Data Acquisitions: For raw data acquisitions like dd images, which can’t store the original image hash,
    forensic tools often generate a separate text file detailing the acquisition and its hash value.


23. Practical Application: An example involves using WinHex to hash an image file and compare it with the original hash value
    calculated by FTK Imager. This process is part of verifying the integrity of a specific image file, demonstrating the practical steps
    in ensuring data validation in digital forensics.
    CYB -260 18
    Addressing Data-Hiding Techniques
    Hiding Files by Using the OS - Hiding Partitions
    Data hiding is a technique used to conceal information within a digital environment. It involves various methods that manipulate
    or change files and their attributes to make them difficult to detect. These techniques range from altering file extensions and
    utilizing hidden file attributes to more complex methods like bit-shifting, encryption, and password protection. Understanding
    these methods is crucial for digital forensic investigators, as identifying and analyzing hidden data can be pivotal in an
    investigation.
    The following table (Table 1) categorizes these data-hiding techniques, describes the methods used to hide the data, and
    outlines the forensic approaches employed for their detection and analysis.
    CYB -260 19
    Addressing Data-Hiding Techniques
    Hiding Files by Using the OS - Hiding Partitions
    CYB -260 20
    Data-Hiding Technique Method Detection and Analysis
    Changing File Extensions Altering the file extension (e.g., from .xlsx to .jpg) to
    mask the true nature of the file.
    Forensic tools verify file headers against extensions;
    discrepancies are flagged for further analysis.
    Using Hidden Attributes Setting file properties to 'Hidden' in the OS, making
    them invisible in normal file explorations.
    Forensics tools and enabling the view of hidden files in OS
    settings can reveal such files.
    Hiding Partitions Unassigning a partition's letter using tools like
    diskpart, making it unseen in File Explorer.
    Investigators should check for unexplained gaps in disk space
    using forensic tools or hex editors to find hidden partitions.
    Bit-Shifting Altering file data at the binary level to obscure
    content.
    Requires advanced analysis with forensic tools capable of
    interpreting the binary data and recognizing patterns.
    Encryption Using cryptographic methods to make data
    unreadable without the correct key or passphrase.
    Forensic analysis may detect encrypted files, but decrypting
    them requires the encryption key or password.
    Password Protection Setting files or volumes to require a password for
    access.
    While forensic tools can identify password-protected files,
    accessing the content requires the password or bypass
    methods.
    Table 1: Techniques for Hiding Data and Forensic Analysis
    Addressing Data-Hiding Techniques:
    Understanding Steganalysis Methods
    Steganography, derived from the Greek term for "hidden writing," is the practice of concealing messages within other non-secret
    text or data, making the message noticeable only to the sender and intended recipient. Steganalysis is the counterpart to this,
    involving the detection and analysis of such covert messages. Digital watermarking, a related concept, serves to establish file
    ownership and can be overt, as with copyright notices, or covert for steganographic purposes. Despite appearances, files with
    digital watermarks will have different hash values than their unaltered counterparts. Steganalysis methods are critical for
    deciphering hidden information and are particularly challenging when the content is encrypted before being concealed.
    CYB -260 21
    Addressing Data-Hiding Techniques:
    Understanding Steganalysis Methods
    CYB -260 22
    Steganalysis Method Description Use-Case
    Stego-only Attack
    Analysis is limited to the file suspected of containing
    steganography, akin to a ciphertext-only attack in
    cryptography.
    Applicable when only the suspicious file is available, making it a
    challenging approach.
    Known Cover Attack Requires access to both the original file and the stego-
    file for comparative analysis to detect any alterations.
    Useful when the original media is available, allowing for direct
    comparison to reveal hidden messages.
    Known Message Attack
    Utilized when the hidden message has been
    uncovered, easing the process of analyzing additional
    stego-content.
    Effective when the message is already known, simplifying the
    deciphering of new messages.
    Chosen Stego Attack Involves the use of a known steganography tool and its
    outputs to understand the hiding technique.
    Used when the steganography tool is known, allowing analysts to apply
    decryption techniques.
    Chosen Message Attack
    A proactive method where analysts create stego-
    content to identify patterns and apply this knowledge to
    suspected steganography.
    Helps in identifying patterns and configurations in stego-media, useful for
    analyzing unfamiliar stego-content.
    Table 2 outlines various steganalysis attacks, each with its own context and methodology. These techniques range from
    challenging scenarios, where little is known about the steganography, to more informed approaches that leverage known tools
    or messages to decipher hidden conten
    Table 2: Steganalysis Methods: Techniques and Contexts for Uncovering Hidden Data
    Addressing Data-Hiding Techniques:
    Examining Encrypted Files
    Encryption serves as a robust method for securing data, making it unreadable without the correct decryption key or passphrase.
    Advanced encryption programs like PGP or BestCrypt transform data into a form that unauthorized users cannot decipher. To
    access the encrypted content, one must have the appropriate passphrase. In the absence of this passphrase, decrypting the
    content is a formidable challenge, with key escrow being a potential but limited solution. Key escrow is incorporated into some
    commercial encryption software to allow recovery of data under certain conditions, such as forgotten passphrases or system
    failures, and can sometimes be used by forensic examiners. The complexity of encryption schemes, with key sizes ranging from
    128 to 4096 bits, renders brute-force attacks impractical using current technology. Although quantum computing may change
    this landscape in the future, many encryption schemes currently remain secure against commercially available decryption tools.
    CYB -260 23
    Addressing Data-Hiding Techniques:
    Examining Encrypted Files (cont…)
    Key Points on Encryption in Digital Forensics:
    • Complexity of Decryption: With the rise of sophisticated encryption, decrypting files without the passphrase is highly
    challenging.
    • Key Escrow in Encryption Programs: Some encryption programs include key escrow to recover data, which forensic
    examiners may leverage.
    • Limited Resources for Cracking Encryption: The resources required to break advanced encryption schemes are often
    beyond the scope of many organizations.
    • Large Key Sizes: Encryption with large key sizes (128 to 4096 bits) is secure against brute-force attacks with today's
    computing power.
    • Quantum Computing: While quantum computing holds potential for breaking current encryption, it has not yet rendered
    existing schemes obsolete.
    • Current Unbreakable Schemes: Several current encryption methods cannot be broken with the tools that are commercially
    available.
    Forensic examiners must consider these factors when encountering encrypted data, and where possible, negotiate with the
    involved parties to obtain the necessary decryption keys.
    CYB -260 24
    Addressing Data-Hiding Techniques:
    Recovering Passwords
    Password recovery is an increasingly significant aspect of digital forensics. To access protected data, forensic analysts often
    turn to password-cracking tools, which range from those integrated into forensic suites like OSForensics to standalone
    applications such as Last Bit, AccessData PRTK, ophcrack, John the Ripper, and Passware. These tools employ a variety of
    attack methods, including brute-force attacks that try every possible combination, and dictionary attacks that test passwords
    from a list of common words in various languages. Additionally, some tools support hybrid attacks that use personal information
    to guess passwords, and rainbow tables, which are precomputed hash values for a vast number of potential passwords, to
    expedite cracking.
    CYB -260 25
    Addressing Data-Hiding Techniques:
    Recovering Passwords
    Key Points on Password Recovery in Digital Forensics:
    • Dictionary and Brute-Force Attacks: Utilize common words or exhaustive character combinations to find passwords.
    • Hybrid Attacks: Combine dictionary/brute-force methods with personal data to construct likely passwords.
    • Hash Values: Passwords are often stored as MD5 or SHA hash values, adding a layer of complexity to the cracking process.
    • Rainbow Tables: Offer a quicker alternative by using precomputed hash values to match passwords.
    • Salting Passwords: A security measure that adds random data to passwords before hashing, significantly increasing
    difficulty for cracking.
    • Understanding Encryption: Researching the specific encryption method used by the system or application is critical, as it
    may reveal vulnerabilities that can be exploited to crack the password.
    Forensic analysts must be equipped with these tools and techniques to effectively tackle password-protected data during their
    investigations. Understanding the underlying encryption methods and staying abreast of the latest security measures like salting
    are also essential for successful password recovery.
    CYB -260 26
    Class activity
    CYB -260 27
    Choose the correct answer, Explain your answer.


24. What is the primary purpose of using digital forensics tools like Autopsy and The Sleuth Kit (TSK)?
    A) To enhance the graphical user interface of operating systems B) To conduct deep web searches C) To recover and
    analyze digital evidence D) To design digital forensics course curriculums


25. Which of the following is NOT a method used in steganalysis?
    A) Stego-only attack B) Known message attack C) Chosen stego attack D) Quantum decryption attack


26. In digital forensics, what is the main function of hexadecimal editors?
    A) To design and implement encryption algorithms B) To perform detailed data validation beyond the capabilities of standard
    forensic tools C) To create digital forensic reports automatically D) To conduct online investigations


27. Which tool is specifically used for validating data in digital forensics?
    A) WinHex B) Autopsy's E01 Verifier C) AccessData FTK Imager D) OSForensics


28. What is the significance of hash values in digital forensics?
    A) They are used to enhance the speed of the forensic software. B) They serve as unique identifiers to verify the integrity of
    data. C) They are passwords used to encrypt confidential files. D) They are used to track the geographical location of digital
    evidence.
    Chapter Summary
    CYB -260 28
    • Determining essential data for collection and analysis in digital forensics cases.
    • Strategic approach to handling digital forensics investigations.
    • Using Autopsy for data validation and integrity checks.
    • Collecting and analyzing hash values with Autopsy for data integrity.
    • Importance of validating forensic data for legal admissibility.
    • Utilizing hexadecimal editors for detailed data validation.
    • Employing digital forensics tools for data validation and verification.
    • Addressing various data-hiding techniques in digital investigations.
    • Detecting and revealing hidden files and partitions using OS tools.
    • Applying steganalysis methods to uncover hidden messages in files.
    • Implementing password recovery strategies to access encrypted data