Digital Forensics

David Papargiris, EnCE,

DFCP,GCFA,CCE

Director Digital Forensics

Evidox Corporation

EDMOND LOCARD

French forensic pioneer

Locard’s Exchange Principle

"Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent

witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he

breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and

more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of

the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong,

it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can

diminish its value."

Locard’s Exchange Principle

* The Illustrated guide to Forensics - True Crime Scene Investigations By Dr. Zakaria Erzinclioglu

Increase in Cybercrimes

• First time Cybercrime surpassed

traditional crimes.

• Increase of computers in houses

• Increase in pay-off (Ex. Bank Robbery)

• Crimes being committed through

computers

How Times Have Changed

• It took 38 years for 50 Million users to use the

radio.

• It took 13 Years for 50 Million users to use a

television.

• It took 4 years to have 50 million users on the

internet.

• It took 9 months for 100 million users to register on Facebook.(1.11 billion March 2013)

(www.tactweet.com)

When was first Computer Monitor and Mouse Available

CYBER CRIME INVESTIGATIONS

Case Examples

CASE EXAMPLES

• DENNIS RADER

THE “BTK KILLER”

• Killed 10 in 30 years

• Sent floppy disk to police

• Contained metadata

source: www.wikipedia.com

9) Volume D\Unallocated Clusters\C384554-385932

Ventus International Agency Letter dated 12-13-00 to John Hancock

Dec. 18, 2000 Gd.Pl.

To: John Hancock Life Insurance Company, Boston, MA 02117

Ref: Edward Cxxxxx VS xxxxxxx in ATTLEBORO DISTRICT COURT,

Attleboro, MA 02703, Docket # 00xx SC xxxx,

(see attachment)

Gentlemen!

Based on our two-year observation, your Company TOP insurance

underwriters of LONGTERM CARE INSURANCE DEPARTMENT at Boston,

MA, indicates’ that there may evaluate Insurance Applications

under influence of DRUGS- MARIJUANA (Marihuana). With-in your

building there is also intensive DRUG TRAFFICING going for

years! We also noticed that do to heavy volume of applicants,

you allow your underwriters evaluate The Cases OUT SITE your

Home Office on their free time and weekends at their homes in

order to increase Department Productivity or Deadlines!

• Convicted for murders of

co-workers

• Internet searches related to faking mental illness

©2010 Office of Massachusetts Attorney General Martha Coakley

MICHAEL “MUCKO” MCDERMOTT

Serial Killer Caught By His

Own

Internet Footprint

By Peter Shinkle

St. Louis Post-Dispatch

6-17-2001

Travis decided it was a good idea to

point authorities to the decomposing

body of an undiscovered victim near

West Alton, Missouri, by sending

directions to the local paper St. Louis

Post-Dispatch, which was later found to

have come from Expedia.com. Maury Travis

Leon v. IDX Systems - A case relying heavily on computer forensic analysis in determining that the plaintiff despoiled evidence by deleting 2,200 files from his IDX-issued laptop computer during the pendency of litigation in which the plaintiff was suing his employer, the defendant, for placing him on unpaid leave, alleging violations of the anti-retaliation provision of the False Claims Act, Title VII, the Americans with Disabilities Act ("ADA"), and Washington state law.

Civil Case Examples

Berryman-Dages v. Gainesville - A case in which a non-party who was subpoenaed for examination of computers, laptops, hard drives, etc., to aid in showing that the plaintiff was demoted due to discrimination based on gender and sexual orientation

http://infosecusa.com/computer-forensics-civil-cases

Webb v. CBS - In this case the defendant, CBS, was compelled to hire a computer forensics expert to examine the plaintiffs' personal computer and review the results due to the plaintiffs' failure to comply with their discovery obligations under the Federal Rules of Civil Procedure, for providing misleading statements in depositions and false affidavits to the court about the existence of discoverable information, for their counsel's active concealment of confidential CBS documents, and for violation of the court's order closing discovery.

Civil Case Examples

Bimbo Bakeries v. Botticella - A case that relied on the use of computer forensics to determine if the appellant, a VP of Operations, copied company confidential files onto his personal computer before leaving his job to work for a competitor

http://infosecusa.com/computer-forensics-civil-cases

EXIF & GEO TAGGING

©2007 Office of

Massachusetts Attorney

General Martha Coakley

©2007 Office of

Massachusetts Attorney

General Martha Coakley

Defining Digital Forensics

Digital forensics is the controlled process of identifying, preserving, analyzing, and

presenting findings related to the existence or significance of data stored on digital storage

media, computers, and other devices for use in court.

DEFINING DIGITAL FORENSICS

• Science – Some procedures repeatable

– Imaging

• Art – No two examinations are the same

– Two examiners should get same data

DIGITAL FORENSICS ART OR SCIENCE?

• We can recover everything

• It’s quick and easy

• A ‘shoestring’ budget is sufficient

• Data will never change during an exam

DIGITAL FORENSICS MYTHS

Hard Drive Storage

How does a computer system load and store

data?

Allocated and unallocated space

Slack Space

Slack Space

Think of a vcr Tape.

• Create duplicate of the media

• Verify that the image is an exact duplicate

• Backup the image

• Place original into evidence

• Use forensic software to conduct analysis

DIGITAL FORENSICS BASIC PROCEDURES

FORENSIC PROCESS

• Documenting the evidence

• Is the system running (Memory)

• Checking the BIOS on computer Systems

• Conducting the bit by bit image of the media

• Why do we conduct bit by bit images

• Solid State Hard Drives

Write Blockers

• 2 Types of write blockers

• Hardware

• Software

Write Blockers

Solid State Hard Drives

Encase & Example of Solid State Drives

Deleted Folder

Preview of Drive 2 Minutes Later

Garbage Collection

Authenticating Evidence

Hash Values

• A hash value is a digital fingerprint of a block of data (file, string, contents of media, etc.)

• The chances of two different files having the same hash value are 1in 2^128

• One in approximately 340 billion billion, billion, billion

• In other words, if the hash values are the same, then there’s a 99.99999% chance that the files are the same

Better than DNA

AUTHENTICATING EVIDENCE

What Happens When You Rename a File

Or Rename The Extension

File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02

06:40:56PM.

The computer system clock read: 02/21/02 06:40:56PM.

Evidence acquired under DOS 7.10 using version 3.19.

File Integrity:

Completely Verified, 0 Errors.

Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC

Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC

Drive Geometry:

Total Size 12.7GB (26,712,000 sectors)

Cylinders: 28,266

Heads: 15

Sectors: 63

Partitions:

Code Type Start Sector Total Sectors Size

0C FAT32X 0 26700030 12.7GB

Digital Forensic Stages

IDENTIFY

PRESENT

PRESERVE

RECOVER

Example

In Explorer Window

Deleted View

Digital Forensic Equipment

Imaging Device

Forensic

Workstation &

Storage

System

Mobile Devices

GPS’s

QUESTIONS

David Papargiris Director Digital Forensics

Evidox Corporation David@Evidox.com

617-654-9060