Overview of Digital Forensics - NCSTL Litigators Conf 2012 Giglia.pdf


Overview of Digital Forensics

©2012 Digital Intelligence, Inc. All rights reserved.

NCSTL Training

Charles M. Giglia - Digital Intelligence

August 2012

What is Digital Forensics

• Science for the examination and analysis of digital trace evidence

• Typically conducted “Post Mortem”

• Live and Network forensic collections/exams more accepted

• Fragility and longevity of digital evidence

Digital Forensics

• Autopsy of the computer

• Not only the what and where but the who, how and why

• Scientific approach

• Defensible process

• Results in opinion/expert testimony

• Controlled scope

Digital Forensics

• Identification

• Preservation

• Recovery

• Reconstruction

• Analysis / Interpretation

Digital Evidence

• Digital evidence likely present in every case

• Computers

• Cell Phone - Smart Phones - iStuff

• Telephones

• Automobiles

• Copy Machines

• Refrigerator

• Etc.

Forensic Methods

• Matches other forensic disciplines

• Allows exact duplication of the original evidence

• Involves both data recovery and analysis

• Governed by valid laboratory principles

Seizing Digital Evidence

• Limit access

• Protect the original

• Duplicate to create “forensic safety net”

• Live forensic analysis a reasonable option – when necessary

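Worked example, added here and not part of the presentation: a hash-verified acquisition in Python that streams a source into a working image, records MD5/SHA-256 acquisition hashes, and re-verifies the image, showing that even one altered byte breaks the match. The "drive" is a constructed sample file; on a real seizure the original sits behind a hardware write blocker, which this script does not replace.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time; real evidence images are far larger than RAM

def acquire_image(source_path, image_path):
    """Bit-for-bit copy of the source into an image file, hashing bytes as they are
    read. Returns (md5, sha256) of what was read: the acquisition hashes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
    os.chmod(image_path, 0o444)  # the image is the working copy; keep it read-only as well
    return md5.hexdigest(), sha256.hexdigest()

def hash_file(path):
    """Independent re-hash of any file (original or image) for verification."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def verify_image(image_path, acquisition_hashes):
    """True only if the image's hashes equal those recorded at acquisition time."""
    return hash_file(image_path) == acquisition_hashes

def demo():
    """Constructed sample: a 4 MiB fake 'drive' is imaged and verified, then one byte
    of the image is altered to show that verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        drive, image = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
        with open(drive, "wb") as f:
            f.write(bytes(range(256)) * 16384)  # constructed content, not real evidence
        hashes = acquire_image(drive, image)
        ok = verify_image(image, hashes) and hash_file(drive) == hashes
        os.chmod(image, 0o644)            # only so the simulated alteration can be written
        with open(image, "r+b") as f:
            f.seek(1000)
            f.write(b"\xff")              # byte at offset 1000 is 0xE8 in the sample
        return ok, verify_image(image, hashes)

if __name__ == "__main__":
    print(demo())  # (True, False)
```
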
Other Forensic Evidence

Recognize that other forms of evidence such as latent prints, Questioned Documents, DNA or trace evidence may be present and must be preserved.

When to involve a Specialist

• What makes a specialist?

• Earlier is better

• Contaminating the evidence

• Fighting the “fear factor”

• Live evidence

• Network forensics

• Recovering from errors

Processing Digital Evidence

• Examine known files

  ◦ Data elimination/reduction

• Recover erased/deleted files

• Examine slack, unallocated, swap space

• Examine the nature of how the computer was being used

• Linking removable media back to the computer

Data Recovery

• Depending on the type of case, the evidence will be found in different areas on the drive

• May require manual reconstruction

Analyzing Digital Evidence

• What does it all mean?

• Written report of findings

• Articulation

• Facts vs. Opinion

Current Cases

• Serial Killers

• Identity Theft

• Cyber stalking

• Child pornography

• Wireless theft

• Economic crimes

Case Application


Cyber Stalking

• 3.4 million cases of stalking per year

  ◦ 13% of female college students report stalking

  ◦ Approx. 25% of all harassment/stalking cases involve cyber component

• Social Networks, chat rooms, emails, and GPS devices

Cyber Stalking

• Cellphone GPS tracking

• Listening devices

• Vehicle tracking

• Spyware software

Child Pornography

Statistics source: http://www.familysafemedia.com/pornography_statistics.html

Social Networks

• Facebook

• MySpace

• Twitter

• Craigslist

• Pinterest

• Xanga

• Bebo

Social Networks


Specific Tools?

Computer Evidence

Where the Evidence is

Other Media

• Thumb/Flash drives

• CD/DVD/Blu-Ray

• Attached storage (wired and wireless)

• Unattached Storage – “Cloud”

• iPhones and Smart phones

• GPS

• Copiers

• Digital Cameras

• Portable – Tablets, iPod/iPad, MP3 players

Types of Evidence

• Constant change in the evidence

  ◦ Unlike most other physical evidence

• New Technologies make it difficult to identify evidence

• Including unique adaptors and connectors for drives and media


Initial Analysis

• Review active user files

• Review system generated files

  ◦ Log files

• Review Internet activity

  ◦ History

  ◦ Cache

  ◦ Bookmarks

Active File Issues

• File Location

  ◦ Common Locations

    ▪ My Documents

    ▪ Desktop

• Link files

• Encryption

• Metadata

  ◦ Internal

  ◦ External

Metadata

• Data about the file

• External: Path, Name, OS dates

• Internal: Dates, Author(s), Title

  ◦ Not all files have internal data

  ◦ MS Office – Most common

  ◦ EXIF

Metadata

• MS Word

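Added example, not part of the original slides: pulling a file's external metadata (what the filesystem records) next to its internal metadata (the docProps/core.xml part inside an OOXML document such as .docx). The document is a minimal container constructed by the script, so the author names and 2012 dates are sample values, not real data.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}

def internal_metadata(path):
    """Internal metadata travels inside the file: for OOXML (docx/xlsx/pptx) it is the
    docProps/core.xml part of the zip container, and it survives copying or renaming."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    def get(tag):
        return (root.findtext(tag, namespaces=NS) or "").strip()
    return {"title": get("dc:title"), "creator": get("dc:creator"),
            "last_modified_by": get("cp:lastModifiedBy"),
            "created": get("dcterms:created"), "modified": get("dcterms:modified")}

def external_metadata(path):
    """External metadata comes from the filesystem, not the file contents, so it
    reflects the examined copy's history rather than the document's own."""
    st = os.stat(path)
    return {"name": os.path.basename(path), "size": st.st_size,
            "os_modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()}

def build_sample_docx(path):
    """Constructed minimal OOXML container holding only the core-properties part:
    enough for the metadata walk, not a document Word would open."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:title>Quarterly numbers</dc:title><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>asmith</cp:lastModifiedBy>'
            '<dcterms:created>2012-03-01T09:15:00Z</dcterms:created>'
            '<dcterms:modified>2012-06-20T17:42:00Z</dcterms:modified>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", core)

def demo():
    """Build the sample, then read both views: the OS date is 'now' while the
    internal dates are from 2012, the kind of discrepancy an examiner notes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.docx")
        build_sample_docx(path)
        return internal_metadata(path), external_metadata(path)
```
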
Internet Cache

• Internet activity

  ◦ Downloaded Content

  ◦ History

  ◦ Bookmarks

  ◦ Passwords

• Web based email

• Online chats

Unallocated Space

• Area of the drive not allocated to active or system files

  ◦ 500 GB drive – 250 GB of files = ~250 GB unallocated space

• When a file is deleted the space becomes part of unallocated space

• Previously deleted files can be “carved” out

Unallocated Drive Space

• Raw data

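Added example, not from the presentation: header/footer carving of JPEG files out of a raw unallocated-space dump in Python, with no help from the filesystem. The dump is constructed inside the script and includes an orphaned header whose body was overwritten, so it also shows the classic carving mistake of pairing a header with a later file's footer unless a plausible size limit is applied.

```python
import os

JPEG_SOI = b"\xff\xd8\xff"  # SOI marker plus the 0xFF that opens the next segment
JPEG_EOI = b"\xff\xd9"      # EOI marker

def carve_jpegs(raw, max_size=8 * 1024 * 1024):
    """Header/footer carving of JPEGs from raw bytes such as an unallocated-space dump.
    No filesystem metadata is consulted, which is why this recovers files whose
    directory entries are gone. Returns [(offset, data), ...]. Caveat: an embedded
    thumbnail carries its own EOI, so a footer-only carve can stop early."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) >= 0:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            # header with no footer within a plausible size: the body was probably
            # overwritten or fragmented, so step past this header and keep scanning
            pos = start + 1
            continue
        found.append((start, raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def write_carved(found, outdir):
    """Write each carved file named by its byte offset in the dump, so the examiner's
    notes can tie every recovered file back to where it was found."""
    paths = []
    for offset, data in found:
        path = os.path.join(outdir, f"carved_{offset:012d}.jpg")
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths

def sample_unallocated():
    """Constructed stand-in for a dump: filler that never contains a JPEG marker, two
    intact JPEG-shaped blobs (offsets 10200 and 31217) and, between them, an orphaned
    header whose body was overwritten (offset 20913)."""
    filler = bytes(range(255)) * 40            # byte 0xff never occurs in the filler
    def fake_jpeg(body):
        return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + body + JPEG_EOI
    return (filler + fake_jpeg(b"A" * 500) + filler
            + b"\xff\xd8\xff\xe0" + b"B" * 100   # orphaned header, no footer follows it
            + filler + fake_jpeg(b"C" * 1200) + filler)

if __name__ == "__main__":
    raw = sample_unallocated()
    hits = carve_jpegs(raw, max_size=4096)
    print([(o, len(d)) for o, d in hits])              # [(10200, 513), (31217, 1213)]
    print([(o, len(d)) for o, d in carve_jpegs(raw)])  # [(10200, 513), (20913, 11517)]
    print(write_carved(hits, "."))
```

With the default size limit the orphaned header swallows the third file; the 4096-byte limit skips it and recovers both intact files.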
Registry Analysis

• System/software configurations/events

• User preferences / history

  ◦ USB Device History

  ◦ Usernames and Passwords

Hard drive connected via USB

Challenges in the Field

• Types of evidence

• Volume of evidence

• Changing laws

• Training and certifications

  ◦ Tool vs. foundational

Questions

Charles M. Giglia
Digital Intelligence, Inc.
17165 W Glendale Dr
New Berlin, WI 53151

email: cgiglia@digitalintelligence.com
tel: 262.782.3332
www.digitalintelligence.com