CP Digital Evidence Locations And Computer Forensics Introduction


Digital Evidence Locations & Introduction to Computer Forensics
Don Mason, Associate Director

Objectives
After this session, you will be able to:
- Define “digital evidence” and identify types
- Describe how digital evidence is stored in computers
- Identify devices and locations where digital evidence may be found
- Define basic computer and digital forensics
- Identify and describe the essential principles, tools, and trends in digital forensics

Special Acknowledgments
Justin T. Fitzsimmons, Senior Attorney, NDAA National Center for Prosecution of Child Abuse
Sergeant Josh Moulin, Commander, Southern Oregon High-Tech Crimes Task Force

Digital Evidence Locations; Computer Forensics Introduction
Handling Child Pornography Cases, February 4-5, 2010
Copyright 2010 National Center for Justice and the Rule of Law – All Rights Reserved
Page 1

Advancing Technology

Computer / Digital Technology
- Personal computers, at work and at home
- Digital cameras
- Web cams
- Camera and video cam cell phones
- Document and image scanners
- Digital recording and duplicating devices
- Large digital storage capacities
- Portable media

How Digital Evidence is Stored
- Data is written in binary code: 1’s and 0’s
- These 1’s and 0’s are grouped together in blocks of 8, called “bytes.”
- For example, in ASCII the byte “01001111” (decimal 79, hex 0x4F) represents the capital letter “O”.

How Data is Stored
- Track
- Sector
- Clusters are groups of sectors

Digital Evidence
Information of probative value that is stored or transmitted in binary form and may be relied upon in court

Digital Evidence
Information stored in binary format but convertible to
– e-mail, chat logs, documents
– photographs (including video)
– user shortcuts, filenames
– web activity logs
Easily modified, corrupted, or erased
Correctly made copies are indistinguishable from the original

The Internet
- World Wide Web (the Web)
- E-mail
- Instant messaging (IM)
- Webcam / Internet telephone (VoIP)
- Peer-to-peer (P2P) networks

Legacy Systems
- Newsgroups
- Telnet and file transfer (FTP) sites
- Internet Relay Chat (IRC)
- Bulletin boards

Web 2.0
Interactive Internet communities
- Social networks
- Blogs
- “Wikis”
- Video or photo sharing sites
- Online role-playing games
- Virtual worlds

Cloud Computing
Basically, obtaining computing resources from someplace outside your own four walls, and paying only for what you use
– Processing
– Storage
– Messaging
– Databases
– etc.
Ex: Google Docs

What Kinds of Computers Can Be on the Internet?
- Mainframes
- Laptops
- Personal digital devices
- Cell phones
- Personal computers

Internet Connectivity (diagram)
Home PCs reach an Internet Service Provider (ISP) over a telephone dial-in line, a cable modem connection, a DSL line or a high-speed data link; the ISP’s network in turn connects to other networks.

Internet Addressing
- Every network / host (and each home computer connected to the Internet) has a unique numeric Internet Protocol (IP) address, written as four numbers: num1.num2.num3.num4 (e.g., 172.20.53.229). Note that a home router doing network address translation presents one public address for every computer behind it, so an address identifies a connection, not necessarily a single machine or person.
- Nearly all hosts and networks also have corresponding domain names that are easier for humans to remember and use (e.g., www.ncjrl.org or oag.state.gov.us)

Why Addressing Matters
- The Internet is a packet-switched network
- The component parts of a communication (i.e., the packets) sent to another host may travel by different paths
- Each packet makes one or more “hops” along the network on the way to its destination

What’s in a Packet?
An IP data packet includes
– routing information (where it came from, where it’s going)
– the data to be transmitted
Replies from the receiving host go to the packet’s source address
– here, a bit string such as 01110110110001001010100
The source address is filled in by the sender and can be forged, so on its own it is a lead to follow up with the provider, not proof of who sent the packet.

Packet Switching (animated diagram, repeated across several slides)
ISP.COM, a/k/a 172.31.208.99, sending to AGENCY.GOV, a/k/a 10.135.6.23

Computer & Internet Uses
- Remote
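To make the “routing information” in a packet concrete, here is an added example (not part of the original deck) that builds and parses a minimal IPv4 header for a constructed packet from the slides’ ISP.COM address to the AGENCY.GOV address, verifies the header checksum, and shows that a reply is addressed to whatever the source field says. The packet bytes, payload and identification value are made up for the example; the header layout and checksum follow RFC 791.

```python
import ipaddress
import struct

# Addresses from the slides; the packet itself is constructed for this example.
SRC = "172.31.208.99"   # ISP.COM
DST = "10.135.6.23"     # AGENCY.GOV


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header without options; protocol 17 = UDP (assumed)."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 words = 20 bytes
    fields = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(fields)            # computed with the checksum field zeroed
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the routing fields an investigator cares about and whether the checksum holds."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # recompute with checksum field cleared
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "protocol": proto, "total_length": total_len, "id": ident,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "payload": packet[ihl:total_len],
    }


def reply_destination(packet: bytes) -> str:
    """The receiving host answers to the source field, whatever the sender put there."""
    return parse_ipv4_header(packet)["src"]


def demo() -> dict:
    payload = b"constructed request"
    pkt = build_ipv4_header(SRC, DST, len(payload)) + payload
    tampered = bytearray(pkt)
    tampered[15] ^= 0x01                    # flip one bit of the source address (bytes 12-15)
    return {"good": parse_ipv4_header(pkt),
            "reply_to": reply_destination(pkt),
            "tampered": parse_ipv4_header(bytes(tampered))}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A damaged or altered header fails the checksum, but a header that was forged before it was sent passes it; the checksum protects against transmission errors, not against spoofing.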

Why It Matters How Computers, Networks, and the Internet Work
- Immense amount of digital data created, transmitted, stored
- Some created by humans
- A lot necessarily created by machines “in the background”

Digital Evidence: User-created
– Text (documents, e-mail, chats, IMs)
– Address books
– Bookmarks
– Databases
– Images (photos, drawings, diagrams)
– Video and sound files
– Web pages
– Service provider account subscriber records

Digital Evidence: Computer-created
– Dialing, routing, addressing, signaling info
– Email headers
– Metadata
– Logs, logs, logs
– Browser cache, history, cookies
– Backup and registry files
– Configuration files
– Printer spool files
– Swap files and other “transient” data
– Surveillance tapes, recordings

Forms of Evidence
Files
– Present / active (documents, spreadsheets, images, email, etc.)
– Archive (including as backups)
– Deleted (in slack and unallocated space)
– Temporary (cache, print records, Internet usage records, etc.)
– Encrypted or otherwise hidden
– Compressed or corrupted
Fragments of files
– Paragraphs
– Sentences
– Words

Sources of Evidence
Offender’s computer
– accessed and downloaded images
– user log files
– Internet connection logs
– browser history and cache files
– email and chat logs
Hand-held devices (embedded computer systems)
– digital cameras
– PDAs
– mobile phones

More Sources of Evidence
Servers
– ISP authentication user logs
– FTP and Web server access logs
– Email server user logs
– LAN server logs
Online activity
– IP addresses of chat room contributors

Digital Devices / Locations Where Digital Evidence May Be Found
- Mainframes, desktops, laptops
- Hard drives
- Solid state drives
- Removable media
- USB storage devices
- Digital cameras
- Convergent devices
- More digital devices (photographs)
- Vehicle “black boxes”
  – Event data recorders
  – Sensing and diagnostic modules
  – Data loggers
- In-vehicle hard drives: Infiniti G35 (9.5 GB hard drive), Cadillac CTS (40 GB hard drive)
- Evidence containers? More containers (photographs)
- Room in a virtual world
- Cell site location data
- “True GPS” / “Handset solution”
  – The data is “inside the box”
  – Involves search of the device
- GPS devices

Computer Forensics

Computer Forensics
“preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”
- Usually pre-defined procedures are followed, but flexibility is necessary as the unusual will be encountered
- Was largely “post-mortem” but is evolving

Computer / Digital Forensics
Sub-branches / activities / steps
– Computer forensics
– Network forensics
– Live forensics
– Software forensics
– Mobile device forensics
– “Browser” forensics
– “Triage” forensics

Basic Computer Forensics
- Seizing computer evidence: bagging & tagging
- Imaging seized materials
- Searching the image for evidence
- Presenting digital evidence in court

Myth v. Fact
Myth: A computer forensic analyst can recover any file that was ever deleted on a computer since it was built.
Fact: The analyst can recover a deleted file, or parts of it, from unallocated file space until the file system writes a new file or data over it. On solid state drives the window is shorter still, because TRIM and wear levelling let the drive clear released blocks on its own.

Myth v. Fact
Myth: Metadata (“data about data”) is the all-knowing, all-seeing, end-all piece of information on a file.
Fact: Metadata does contain useful information about a file, but it is limited. E.g.:
– Author
– MAC times (modified, accessed, created)
– File name, size, location
– File properties
Might contain revisions, comments, etc.

Metadata – basic examples (screenshots)

Metadata – Track changes (screenshot)
Metadata – Comments (screenshot)

EXIF Data
Exchangeable Image File Format
Embeds data into images containing camera information, date and time, and more

Basic Steps – 3 A’s
- Acquiring evidence without altering or damaging the original
- Authenticating acquired evidence by showing it’s identical to the data originally seized
- Analyzing the evidence without modifying it

Acquiring the Evidence
Seizing the computer: bag and tag
Handling computer evidence carefully
– Chain of custody
– Evidence collection
– Evidence identification
– Transportation
– Storage
Making at least two images of each evidence container
– Perhaps a third in a criminal case, for discovery
Documenting, documenting, documenting

Preserving Digital Evidence
The “forensic image” or “duplicate”: a virtual “snapshot” of the entire drive
- Every bit & byte
- “Erased” & reformatted data
- Data in “slack” & unallocated space
- Virtual memory data

Write Blockers
Hard drives are imaged using hardware write blockers

Authenticating the Evidence
Proving that the evidence to be analyzed is exactly the same as what the suspect/party left behind
– Readable text and pictures don’t magically appear at random
– Calculating hash values for the original evidence and the images/duplicates
  MD5 (Message-Digest algorithm 5)
  SHA (Secure Hash Algorithm) (NSA/NIST)

What is a Hash Value?
An MD5 hash is a 32-character hexadecimal string that looks like:
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
The chance that two different inputs produce the same MD5 hash by accident is about 1 in 340 undecillion (2^128, roughly 3.4 × 10^38). That figure covers accidental collisions only: MD5 collisions can be constructed deliberately, so examiners now record a SHA-256 hash alongside the MD5.

Hashing Tools
- http://www.fileformat.info/tool/md5sum.htm
- http://www.slavasoft.com/hashcalc/index.htm
- Also, AccessData’s FTK Imager can be downloaded free at http://www.accessdata.com/downloads.html

MD5 Hash
128-bit (16-byte) message digest – a sequence of 32 hexadecimal characters
“The quick brown fox jumps over the lazy dog”
9e107d9d372bb6826bd81d3542a419d6
“The quick brown fox jumps over the
(www.miraclesalad.com/webtools/md5.php)

More Examples of Hash Values

Acquisition report (example)
File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.
The computer system clock read: 02/21/02 06:40:56PM.
Evidence acquired under DOS 7.10 using version 3.19.
File Integrity: Completely Verified, 0 Errors.
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Drive Geometry: Total Size 12.7GB (26,712,000 sectors)
Partitions:
Code  Type    Start Sector  Total Sectors  Size
0C    FAT32X  0             26700030       12.7GB

What happens when you rename a file? (screenshots: the hash value does not change)

Or rename the extension (screenshots: the hash value does not change)

“Hashing” an image
- original image: b07c0063cf35dc268b19f5a449e5a97386
- single pixel changed using Paint: 57f330fb06c16d5872f5c1decdfeb88b69cbc

Analyzing the Evidence
- Working on bit-stream images of the evidence; never the original
  – Prevents damaging original evidence
  – Two backups of the evidence: one to work on, one to copy from if the working copy is altered
- Analyzing everything
  – Clues may be found in areas or files seemingly unrelated

Popular Automated Tools
- EnCase (Guidance Software)
- Forensic Tool Kit (FTK) (AccessData)
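The hash checks on the preceding slides (acquisition hash against verification hash, a rename or extension change leaving the hash unchanged, a single changed bit producing a different hash) as one runnable example. This is added code, not the deck’s or any vendor tool’s; the “evidence image” is 64 KiB of seeded pseudo-random bytes constructed here, and the file names are made up. It hashes in chunks, as a real image is far too large to read into memory at once.

```python
import hashlib
import io
import os
import random
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never has to fit in memory


def hash_stream(fobj, algos=("md5", "sha256")) -> dict:
    """Compute several digests in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algos=("md5", "sha256")) -> dict:
    return hash_stream(io.BytesIO(data), algos)


def hash_file(path: str, algos=("md5", "sha256")) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f, algos)


def verify_image(path: str, acquisition: dict) -> tuple:
    """Recompute the image's hashes and compare them with the acquisition record.
    Returns (verified, current_hashes, mismatches); digests compare case-insensitively,
    so an upper-case value copied from a report still matches."""
    current = hash_file(path, tuple(acquisition))
    mismatches = {a: (acquisition[a].lower(), current[a])
                  for a in acquisition if acquisition[a].lower() != current[a]}
    return (not mismatches, current, mismatches)


def demo(workdir: str = None) -> dict:
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)

    # Constructed evidence: seeded pseudo-random bytes standing in for a disk image.
    rng = random.Random(2010)
    image = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    original = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as f:
        f.write(image)
    acquisition = hash_file(original)          # what the imaging tool records

    # 1. Rename the file and change its extension: content unchanged, hashes match.
    renamed = os.path.join(workdir, "holiday_photos.jpg")
    os.rename(original, renamed)
    renamed_ok, _, _ = verify_image(renamed, acquisition)

    # 2. Flip one bit in a copy (the one-pixel edit on the slide): every digest changes.
    altered = os.path.join(workdir, "evidence_altered.dd")
    data = bytearray(image)
    data[len(data) // 2] ^= 0x01
    with open(altered, "wb") as f:
        f.write(data)
    altered_ok, _, mismatches = verify_image(altered, acquisition)

    return {"acquisition": acquisition, "renamed_ok": renamed_ok,
            "altered_ok": altered_ok, "algorithms_that_differ": sorted(mismatches)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two digests are kept from the same pass so the image is read once; recording both means a later challenge to MD5 does not leave the acquisition unverifiable.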

Validation of Computer Forensics Tools
Subjecting EnCase to Daubert analysis
1. Subject to testing criteria
   - NIST 2004 study: http://www.ojp.usdoj.gov/nij/pubs-sum/200031.htm
   - Lab-specific testing
2. Subject to peer review and publication
   - Featured in a number of articles and forensics/incident response books
3. High known or potential rate of error?
4. General acceptance within the scientific community
   - Case law / judicial notice of prior Daubert hearings in other jurisdictions
     Sanders v. State, 191 S.W.3d 272 (2006)
     Williford v. State, 127 S.W.3d 309 (2004)
   - Use in law enforcement and corporate/private sectors
   - Taught in academic institutions

EnCase and Legal Challenges
- State v. Cook, 777 N.E.2d 882 (Ohio App. 2002)
- Williford v. State, 127 S.W.3d 309 (Tex. App. 2004)
- Taylor v. State, 93 S.W.3d 487 (Tex. App. 2002)

Analysis (cont.)
Existing files
– Mislabeled
– Hidden
Deleted files
– Trash bin
– Show up in a directory listing with σ in place of the first letter: “taxes.xls” appears as “σaxes.xls” (the FAT file system marks a deleted entry by overwriting its first byte with 0xE5, which displays as σ)
Free space
Slack space
Swap space

Free Space
Currently unoccupied, or “unallocated,” space
May have held information before
Valuable source of data
– Files that have been deleted
– Files that have been moved during defragmentation
– Old virtual memory

Slack Space
Space not occupied by an active file, but not available for use by the operating system
Every file in a computer fills a minimum amount of space (one allocation unit, or cluster)
– The cluster size depends on the file system and volume size: on some old computers it is one kilobyte, or 1,024 bytes; FAT32 on large volumes commonly uses 32 kilobytes, or 32,768 bytes; NTFS defaults to 4 kilobytes, or 4,096 bytes
– If you have a file 2,000 bytes long, everything after the 2000th byte in its last cluster is slack space

How “Slack” Is Generated (diagram)
File A (in memory) is saved to disk on top of File B (on disk). File A overwrites the start of File B’s allocation unit, creating slack: File A is now on disk, and the remains of File B occupy the rest of the unit.
Slack space: the area between the end of the file and the end of the storage unit
Recall how data is stored

Other Sources Mined for Transient Data
- Browser cache, history, cookies
- Residual chat data
- Activity logs
- Registry & registry backup files

Find the Golden Nuggets
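The slack and free-space slides above, reproduced in code as an added example that is not part of the deck. It models a volume as a flat array of clusters with an allocation map (no real file system, no directory entries), writes a three-cluster “chat log” (File B), deletes it the way FAT and NTFS do (release the clusters, wipe nothing), then saves a 2,000-byte File A into the first freed cluster. The slack of File A then holds the tail of File B, and the rest of File B sits in unallocated space. File contents and the 4,096-byte cluster size are assumptions for the example.

```python
CLUSTER = 4096  # bytes per allocation unit; NTFS's default, assumed for this toy volume


def slack_bytes(file_len: int, cluster_size: int = CLUSTER) -> int:
    """Bytes between the end of a file and the end of its last cluster (0 when exactly aligned)."""
    if file_len == 0:
        return 0
    return (-file_len) % cluster_size


class ToyVolume:
    """A flat array of clusters plus an allocation map: enough to reproduce slack, not a file system."""

    def __init__(self, n_clusters: int, cluster_size: int = CLUSTER):
        self.cs = cluster_size
        self.data = bytearray(n_clusters * cluster_size)   # new media: all zeros
        self.owner = [None] * n_clusters                   # file holding each cluster, or None
        self.files = {}                                    # name -> (cluster list, byte length)

    def write_file(self, name: str, content: bytes) -> None:
        """Allocate the lowest free clusters and write only len(content) bytes into them.
        Whatever a freed cluster held beyond this file's last byte is left as it was."""
        needed = max(1, -(-len(content) // self.cs))       # ceiling division
        free = [i for i, o in enumerate(self.owner) if o is None]
        if len(free) < needed:
            raise OSError("volume full")
        clusters = free[:needed]
        for k, c in enumerate(clusters):
            chunk = content[k * self.cs:(k + 1) * self.cs]
            self.data[c * self.cs:c * self.cs + len(chunk)] = chunk
            self.owner[c] = name
        self.files[name] = (clusters, len(content))

    def delete_file(self, name: str) -> None:
        """Deletion as FAT/NTFS do it: release the clusters, do not wipe them."""
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.owner[c] = None

    def slack(self, name: str) -> bytes:
        """Bytes in the active file's last cluster that lie after the file's final byte."""
        clusters, length = self.files[name]
        last = clusters[-1]
        used = length - (len(clusters) - 1) * self.cs
        return bytes(self.data[last * self.cs + used:(last + 1) * self.cs])

    def unallocated(self) -> bytes:
        """Every cluster not owned by an active file, concatenated: where deleted files survive."""
        return b"".join(bytes(self.data[c * self.cs:(c + 1) * self.cs])
                        for c, o in enumerate(self.owner) if o is None)


def demo() -> dict:
    vol = ToyVolume(n_clusters=8)
    # Constructed content: File B is a chat log filling three clusters, File A a 2,000-byte list.
    file_b = (b"FILE-B chat log: 2010-02-04 21:13 <user> sent image\n" * 400)[:3 * CLUSTER - 100]
    file_a = (b"FILE-A grocery list: milk, eggs, bread\n" * 100)[:2000]
    vol.write_file("B.txt", file_b)
    vol.delete_file("B.txt")           # clusters released, bytes untouched
    vol.write_file("A.txt", file_a)    # reuses the first freed cluster
    slack = vol.slack("A.txt")
    return {
        "a_clusters": vol.files["A.txt"][0],
        "slack_len": len(slack),
        "slack_holds_file_b": slack == file_b[2000:CLUSTER],
        "unallocated_holds_file_b": file_b[CLUSTER:2 * CLUSTER] in vol.unallocated(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same 2,000-byte file leaves 48 bytes of slack on a 1 KB cluster and 30,768 bytes on a 32 KB cluster, which is why the cluster size of the seized volume matters when estimating how much of a deleted file can still be recovered.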

Sources of Digital Gold
- Internet history
- Temp files (cache, cookies etc.)
- Slack / unallocated space
- Buddy lists, chat room records, personal profiles, etc.
- News groups, club listings, postings
- Settings, file names, storage dates
- Metadata (email header information)
- Software/hardware added
- File sharing ability
- Email

Selected “Trends” in Digital Forensics
- “Browser” forensics
- “Triage” forensics

Browser Forensics
Web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera) maintain histories of recent activity, even if not web related

Internet History
Computers store Internet history in a number of locations including:
– Temporary Internet files
– Windows Registry
– Browser / search term history
– Cookies
This information is browser specific

Temporary Internet Files (screenshot)
Typed URLs (screenshot)

Internet Navigation (screenshot)
Search Strings (screenshot)
History (screenshot)

Cookies (screenshot)

“Triage” Forensics
- Also occasionally referred to as “rolling” forensics, or “on-site preview”
- Image scan
- Especially useful in “knock & talk” consent situations or in screening multiple computers to determine which to seize
- Caveat: Not all agencies are equipped or trained yet to do this.

“Triage” Forensics – Steps
- Attach/install write-blocking equipment
- Turn on target device
- Scan for file extensions, such as:
  .doc
  .jpg (.jpeg)
  .mpg (.mpeg)
  .avi
  .wmv
  .bmp

“Triage” Forensics – Steps (cont.)
- Pull up thumbnail views – 10-96 images at a time
- Right click on image, save to CD or separate drive.
- Determine file structure or file path.

“Triage” Forensics
Increasingly important, as the number and storage capacities of devices rapidly grow.
But does NOT enable a comprehensive, forensically sound examination of any device.

//craigball.com/pg
– E.g., What Judges Should Know About Computer Forensics (2008)
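The triage steps above scan by file extension, and the earlier “rename the extension” slide shows why that alone is not enough: an image saved as budget.doc is still an image. As an added example (not part of the deck or of any triage tool), the scan below walks a tree read from a write-blocked mount, reads the first bytes of each file, compares the published signature (“magic number”) of the format with what the extension claims, and flags the disagreements. The test tree, its file names and their contents are constructed in the demo; the signature bytes are the documented values for those formats.

```python
import os
import tempfile

# Published leading bytes for the formats the triage step looks for (name, magic, offset).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", 0),
    ("png", b"\x89PNG\r\n\x1a\n", 0),
    ("gif", b"GIF87a", 0), ("gif", b"GIF89a", 0),
    ("bmp", b"BM", 0),
    ("avi", b"AVI ", 8),                     # RIFF container: "RIFF" at 0, "AVI " at 8
    ("wmv/asf", bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"), 0),
    ("mpeg", b"\x00\x00\x01\xba", 0), ("mpeg", b"\x00\x00\x01\xb3", 0),
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0),   # legacy .doc/.xls/.ppt
    ("zip", b"PK\x03\x04", 0),               # also .docx and other Office Open XML
    ("pdf", b"%PDF", 0),
]

# What each extension of interest should contain; anything else is a mismatch.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".bmp": "bmp",
            ".avi": "avi", ".wmv": "wmv/asf", ".mpg": "mpeg", ".mpeg": "mpeg",
            ".doc": "ole2", ".docx": "zip", ".pdf": "pdf"}
MEDIA = {"jpeg", "png", "gif", "bmp", "avi", "wmv/asf", "mpeg"}   # worth flagging wherever found


def identify(head: bytes):
    """Return the format name matching the file's leading bytes, or None."""
    for name, magic, offset in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            if name == "avi" and head[:4] != b"RIFF":
                continue
            return name
    return None


def classify(filename: str, head: bytes) -> dict:
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(head)
    expected = EXPECTED.get(ext)
    if expected is None:
        mismatch = kind in MEDIA          # image or video hiding under an unrelated extension
    else:
        mismatch = kind != expected       # extension claims one format, bytes say another
    return {"ext": ext, "signature": kind, "mismatch": mismatch}


def scan_tree(root: str) -> list:
    """Walk the tree, reading only the first 32 bytes of each file (no content is modified)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(32)
            rec = classify(fn, head)
            rec["path"] = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append(rec)
    return sorted(findings, key=lambda r: r["path"])


def demo(workdir: str = None) -> dict:
    """Constructed tree: one honest JPEG, one JPEG renamed to .doc, one real OLE2 .doc, a text note, an AVI."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
    avi = b"RIFF" + b"\x00\x00\x01\x00" + b"AVI LIST" + b"\x00" * 64
    samples = {"pics/holiday.jpg": jpeg, "work/budget.doc": jpeg, "work/report.doc": ole2,
               "notes.txt": b"shopping list\n", "video/clip.avi": avi}
    for rel, content in samples.items():
        path = os.path.join(workdir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return {rec["path"]: rec for rec in scan_tree(workdir)}


if __name__ == "__main__":
    for path, rec in demo().items():
        print(("MISMATCH " if rec["mismatch"] else "ok       ") + path, rec["signature"])
```

Only the first 32 bytes are read, so the scan is fast on a large volume, and because it reads rather than writes it belongs behind the write blocker the triage steps already call for. A flagged file is a lead for the full examination, not a conclusion: encrypted or corrupt files show no signature at all.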

www.ncjrl.org

