Overview of Digital Forensics
©2012 Digital Intelligence, Inc. All rights reserved.
NCSTL Training
Charles M. Giglia - Digital Intelligence
August 2012
What is Digital Forensics
• Science for the examination and analysis of digital trace evidence
• Typically conducted “Post Mortem”
• Live and Network forensic collections/exams more accepted
• Fragility and longevity of digital evidence
Digital Forensics
• Autopsy of the computer
• Not only the what and where, but the who, how and why
• Scientific approach
• Defensible process
• Results in opinion/expert testimony
• Controlled scope
Digital Forensics
• Identification
• Preservation
• Recovery
• Reconstruction
• Analysis / Interpretation
Digital Evidence
• Digital evidence likely present in every case
• Computers
• Cell Phone - Smart Phones - iStuff
• Telephones
• Automobiles
• Copy Machines
• Refrigerator
• Etc.
Forensic Methods
• Matches other forensic disciplines
• Allows exact duplication of the original evidence
• Involves both data recovery and analysis
• Governed by valid laboratory principles
Seizing Digital Evidence
• Limit access
• Protect the original
• Duplicate to create “forensic safety net”
• Live forensic analysis a reasonable option – when necessary
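The two slides above (exact duplication of the original under Forensic Methods, and the “forensic safety net” under Seizing Digital Evidence) describe a duplicate-and-verify cycle. The following Python script is an added illustration of that cycle and is not part of the original presentation or any Digital Intelligence tooling. It assumes the evidence is an ordinary file (a constructed stand-in for a drive image, created in a temporary directory); the source is opened read-only, the copy is hashed independently, the source is re-hashed after the copy, and a later change to the working copy is shown to be detectable.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a large image never has to fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, computed chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def duplicate_evidence(source, destination):
    """Copy source to destination byte for byte, opening the source read-only.

    Returns (source_hash, copy_hash, verified). The copy is hashed on its own
    and the source is re-read after the copy, so the working copy is only
    trusted when all three digests agree.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    copy_hash = hash_file(destination)
    # Any difference here means the original changed during acquisition.
    source_after = hash_file(source)
    verified = src_hash.hexdigest() == copy_hash == source_after
    return src_hash.hexdigest(), copy_hash, verified


def verify_copy(source, copy):
    """True only if the working copy still matches the protected original."""
    return hash_file(source) == hash_file(copy)


def demo():
    """Run the duplicate/verify cycle on constructed sample data."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "original.bin")
    working_copy = os.path.join(workdir, "working_copy.bin")
    # Constructed bytes standing in for a seized drive image (not real evidence).
    with open(original, "wb") as f:
        f.write(b"constructed evidence bytes " * 5000)
    src_hash, copy_hash, ok = duplicate_evidence(original, working_copy)
    # Simulate the working copy being altered during an exam (a tool writing to it).
    with open(working_copy, "ab") as f:
        f.write(b"\x00")
    return {
        "source": original,
        "copy": working_copy,
        "source_hash": src_hash,
        "copy_hash": copy_hash,
        "verified_before_tamper": ok,
        "verified_after_tamper": verify_copy(original, working_copy),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The digests recorded at acquisition are what make the later report defensible: anyone can re-hash the original and the working copy and confirm that the examination was performed on an exact duplicate.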
Other Forensic Evidence
Recognize that other forms of evidence such as latent prints, Questioned Documents, DNA or trace evidence may be present and must be preserved.
When to involve a Specialist
• What makes a specialist?
• Earlier is better
• Contaminating the evidence
• Fighting the “fear factor”
• Live evidence
• Network forensics
• Recovering from errors
Processing Digital Evidence
• Examine known files
  • Data elimination/reduction
• Recover erased/deleted files
• Examine slack, unallocated, swap space
• Examine the nature of how the computer was being used
• Linking removable media back to the computer
Data Recovery
• Depending on the type of case, the evidence will be found in different areas on the drive
• May require manual reconstruction
Analyzing Digital Evidence
• What does it all mean?
• Written report of findings
• Articulation
• Facts vs. Opinion
Current Cases
• Serial Killers
• Identity Theft
• Cyber stalking
• Child pornography
• Wireless theft
• Economic crimes
Case Application
Cyber Stalking
• 3.4 million cases of stalking per year
  • 13% of female college students report stalking
  • Approx. 25% of all harassment/stalking cases involve cyber component
• Social Networks, chat rooms, emails, and GPS devices
Cyber Stalking
• Cellphone GPS tracking
• Listening devices
• Vehicle tracking
• Spyware software
Child Pornography
Source: http://www.familysafemedia.com/pornography_statistics.html
Social Networks
• MySpace
• Craigslist
• Pinterest
• Xanga
• Bebo
Specific Tools?
Computer Evidence
Where the Evidence is
Other Media
• Thumb/Flash drives
• CD/DVD/Blu-Ray
• Attached storage (wired and wireless)
• Unattached Storage – “Cloud”
• iPhones and Smart phones
• GPS
• Copiers
• Digital Cameras
• Portable – Tablets, iPod/iPad, MP3 players
Types of Evidence
• Constant change in the evidence
  • Unlike most other physical evidence
• New Technologies make it difficult to identify evidence
  • Including unique adaptors and connectors for drives and media
Initial Analysis
• Review active user files
• Review system generated files
  • Log files
• Review Internet activity
  • History
  • Cache
  • Bookmarks
Active File Issues
• File Location
  • Common Locations
    • My Documents
    • Desktop
• Link files
• Encryption
• Metadata
  • Internal
  • External
Metadata
• Data about the file
• External: Path, Name, OS dates
• Internal: Dates, Author(s), Title, ...
  • Not all files have internal data
  • MS Office – Most common
  • EXIF
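The external/internal distinction on the slide above is easiest to see with both kinds of metadata pulled from the same file. The Python below is an added example, not material from the presentation or from Digital Intelligence. It assumes a constructed EXIF-style TIFF header (the container EXIF uses, with ASCII tags such as Make, Model, DateTime and Artist built in little-endian form) written to a temporary file; external metadata comes from the file system via os.stat, internal metadata from parsing the tag directory inside the bytes, and a plain-text file is included to show that not every file carries internal data.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

# Standard TIFF/EXIF tag numbers for the ASCII fields handled here.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x013B: "Artist"}


def build_tiff(tags):
    """Build a minimal little-endian TIFF with one IFD of ASCII tags (constructed test data)."""
    tags = sorted(tags)                      # TIFF requires ascending tag order
    ifd_size = 2 + 12 * len(tags) + 4        # count + entries + next-IFD pointer
    data_offset = 8 + ifd_size               # ASCII values longer than 4 bytes live here
    entries, data = [], b""
    for tag, text in tags:
        value = text.encode("ascii") + b"\x00"   # ASCII values are NUL-terminated
        if len(value) <= 4:
            field = value.ljust(4, b"\x00")       # short values are stored inline
        else:
            field = struct.pack("<I", data_offset + len(data))
            data += value
        entries.append(struct.pack("<HHI", tag, 2, len(value)) + field)  # type 2 = ASCII
    ifd = struct.pack("<H", len(tags)) + b"".join(entries) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + data


# Constructed sample: a camera-style EXIF header, not a real photograph.
SAMPLE_TIFF = build_tiff([
    (0x010F, "DI"),                      # short enough to be stored inline
    (0x0110, "Cam-9000"),                # stored at an offset
    (0x0132, "2012:08:15 10:30:00"),     # EXIF date format (constructed value)
    (0x013B, "Constructed Example"),
])


def parse_tiff_ascii_tags(buf):
    """Return {tag name: value} for the ASCII tags in the first IFD of a TIFF/EXIF buffer."""
    if buf[:2] == b"II":
        end = "<"
    elif buf[:2] == b"MM":
        end = ">"
    else:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd_offset = struct.unpack(end + "HI", buf[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    result = {}
    count = struct.unpack(end + "H", buf[ifd_offset:ifd_offset + 2])[0]
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", buf[off:off + 8])
        if typ != 2:                       # this example only decodes ASCII tags
            continue
        if n <= 4:
            raw = buf[off + 8:off + 8 + n]
        else:
            voff = struct.unpack(end + "I", buf[off + 8:off + 12])[0]
            raw = buf[voff:voff + n]
        result[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return result


def external_metadata(path):
    """Metadata the OS keeps about the file: path, name, size, timestamps."""
    st = os.stat(path)
    iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return {
        "path": os.path.abspath(path),
        "name": os.path.basename(path),
        "size": st.st_size,
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        "created_or_changed": iso(st.st_ctime),  # st_ctime meaning differs by OS
    }


def internal_metadata(path):
    """Metadata stored inside the file; empty when the file has no recognised header."""
    with open(path, "rb") as f:
        buf = f.read()
    if buf[:2] not in (b"II", b"MM"):
        return {}
    return parse_tiff_ascii_tags(buf)


def demo():
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "photo.tif")
    note = os.path.join(workdir, "note.txt")
    with open(image, "wb") as f:
        f.write(SAMPLE_TIFF)
    with open(note, "w") as f:
        f.write("plain text has no internal metadata\n")
    return {"external": external_metadata(image),
            "internal": internal_metadata(image),
            "internal_of_text_file": internal_metadata(note)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

External dates are whatever the file system recorded when the file was last written, read or copied, so they change when the evidence is handled; the internal dates were written by the application that created the file and survive a copy, which is why the two sets are compared rather than treated as one.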
Metadata
• MS Word
Internet Cache
• Internet activity
  • Downloaded Content
  • History
  • Bookmarks
  • Passwords
• Web based email
• Online chats
Unallocated Space
• Area of the drive not allocated to active or system files
  • 500 GB drive – 250 GB of files = ~250 GB unallocated space
• When a file is deleted the space becomes part of unallocated space
• Previously deleted files can be “carved” out
Unallocated Drive Space
• Raw data
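“Carving” a deleted file out of unallocated space means scanning raw bytes, with no file system to consult, for the header that begins a known file type and the footer that ends it. The Python below is an added example written for this page, not code from the presentation or from Digital Intelligence. It assumes a constructed byte string standing in for unallocated space (zero filler, a small JPEG-shaped object, some deleted document text, a PNG-shaped object and a JPEG header whose remainder was overwritten); the sample objects are not real images, only the real JPEG and PNG header and footer signatures wrapped around placeholder bytes.

```python
import hashlib

# Header/footer signatures for two common picture formats.
SIGNATURES = {
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82"},
}
MAX_FILE = 16 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(buf, signatures=SIGNATURES, max_size=MAX_FILE):
    """Return a record for every header/footer pair found in raw bytes.

    Each record carries the byte offset, type, size and SHA-256 of the carved
    object so a recovered file can be tied back to its location in the image.
    """
    found = []
    for name, sig in signatures.items():
        start = 0
        while True:
            start = buf.find(sig["header"], start)
            if start == -1:
                break
            end = buf.find(sig["footer"], start + len(sig["header"]), start + max_size)
            if end == -1:
                # Header with no footer in range: the rest was probably
                # overwritten, so only a fragment survives. Move on.
                start += 1
                continue
            end += len(sig["footer"])
            chunk = buf[start:end]
            found.append({
                "offset": start,
                "type": name,
                "size": len(chunk),
                "sha256": hashlib.sha256(chunk).hexdigest(),
            })
            start = end
    return sorted(found, key=lambda r: r["offset"])


# Constructed unallocated space (not data from any real drive).
FILLER = b"\x00" * 64
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-body" + b"IEND\xae\x42\x60\x82"
PARTIAL_JPEG = b"\xff\xd8\xff\xe1" + b"header-but-footer-overwritten"
DELETED_TEXT = b"deleted document text " * 3

UNALLOCATED = FILLER + JPEG_SAMPLE + DELETED_TEXT + PNG_SAMPLE + FILLER + PARTIAL_JPEG + FILLER


if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        print(f"{hit['type']:5} at offset {hit['offset']:6} size {hit['size']:4} sha256 {hit['sha256'][:16]}...")
```

Two limits worth keeping in mind when reading the output: signature carving only recovers files stored contiguously, so a fragmented file comes back incomplete, and a JPEG that embeds a thumbnail contains a second footer, so this simple scan stops at the thumbnail's end and truncates the main picture. The partial JPEG in the sample is reported nowhere, which is the honest result for a header whose data was reused.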
Registry Analysis
• System/software configurations/events
• User preferences / history
  • USB Device History
  • Usernames and Passwords
Hard drive connected via USB
Challenges in the Field
• Types of evidence
• Volume of evidence
• Changing laws
• Training and certifications
  • Tool vs. foundational
Questions
Charles M. Giglia
Digital Intelligence, Inc.
17165 W Glendale Dr
New Berlin, WI 53151
email: [email protected]
262.782.3332
www.digitalintelligence.com