Forensics

Logging

Chain of custody logging

It is imperative that the whereabouts of the evidence is logged along with who has worked on it, at what time and what has been done.

A proposed layout for this log is included in Appendix A.

 

Approach

If a computer is used to log forensic work then these logs/databases must also be secured against tampering, for example by using encryption.

The fundamental rule in forensics is that the original evidence should not be altered in any way.  This means that all work should be done on a copy of the computer's hard disk/storage devices.
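
As an added example (not part of the original document), here is one way to make a computer-held chain-of-custody log tamper-evident in Python. Each record stores where the evidence is, who handled it, when and what was done, and is chained to the previous record with an HMAC, so verification detects any later edit, deletion or reordering. The key, evidence ID, examiner name and timestamps are constructed for the demo. An HMAC protects integrity, not secrecy; if the log must also be kept private, the file still needs to be encrypted at rest, with the key held off the evidence machine.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Tamper-evident chain-of-custody log (constructed example).  Each record holds
# who handled which evidence item, where, when and what was done, plus an HMAC
# over the record and the previous record's MAC.  The key must live off the
# evidence machine (e.g. on the examiner's own sterile media).

GENESIS = "GENESIS"  # stand-in for the "previous MAC" of the very first entry


def _mac(key: bytes, prev_mac: str, entry: Dict) -> str:
    # Canonical JSON so that the same fields always produce the same bytes.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + payload, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], key: bytes, evidence_id: str, examiner: str,
                 location: str, action: str, when: Optional[str] = None) -> Dict:
    """Append one custody record; 'when' defaults to the current UTC time."""
    entry = {
        "seq": len(log),
        "evidence_id": evidence_id,
        "examiner": examiner,
        "location": location,
        "action": action,
        "time_utc": when or datetime.now(timezone.utc).isoformat(),
    }
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = dict(entry, mac=_mac(key, prev_mac, entry))
    log.append(record)
    return record


def verify_log(log: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (intact, index of first bad record); the index is -1 when intact."""
    prev_mac = GENESIS
    for i, record in enumerate(log):
        entry = {k: v for k, v in record.items() if k != "mac"}
        expected = _mac(key, prev_mac, entry)
        if entry.get("seq") != i or not hmac.compare_digest(record["mac"], expected):
            return False, i
        prev_mac = record["mac"]
    return True, -1


def demo() -> Tuple[bool, bool, int]:
    """Build a three-entry log, verify it, then tamper with entry 1 and re-verify."""
    key = b"constructed-demo-key-do-not-reuse"
    log: List[Dict] = []
    append_entry(log, key, "EVID-0001", "A. Examiner", "Evidence locker 3",
                 "Received drive; sealed bag intact", "2001-03-02T09:15:00+00:00")
    append_entry(log, key, "EVID-0001", "A. Examiner", "Lab bench 1",
                 "Bit-stream image taken to IMG-0001", "2001-03-02T10:40:00+00:00")
    append_entry(log, key, "EVID-0001", "A. Examiner", "Evidence locker 3",
                 "Drive returned to locker", "2001-03-02T12:05:00+00:00")
    intact, _ = verify_log(log, key)
    log[1]["examiner"] = "B. Someone"          # silent edit of who handled the drive
    still_ok, first_bad = verify_log(log, key)
    return intact, still_ok, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Running it prints (True, False, 1): the untouched log verifies, and once the examiner field of entry 1 has been changed, verification stops at index 1. Deleting a record or swapping two records fails in the same way, because the sequence number and the previous MAC are both covered by every MAC that follows.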

 

Generating File-system fingerprints

To prove that no alterations are made to the file-system of the evidence computer it is important to fingerprint all files on the system before doing any other work.  This fingerprint can then be compared to another fingerprint taken after all work is concluded, to show that no alterations have been made to the evidence.

 

Taking a Backup

If the backup has to be performed using the evidence computer then it is possible that opening the machine will also be prohibited.  If this is the case then an alternative method will have to be employed; backup through the parallel port is the most likely option, because the vast majority of computers have bi-directional capable parallel ports and USB will be difficult to employ from a boot disk.

If the machine is on at the point of approach then it should not be turned off; memory dump utilities could be used to retrieve vital data held in volatile RAM.  This may include RAM drives amongst other valuable information.

The way the machine is shut down may also be important in preserving evidence.


 

Workstation Analysis

  1. Take BIOS information.  The physical size of the drive as reported in the BIOS should be known for comparison to partition sizes and in case drive overlay software is in use (OnTrack etc.).
  2. Record system time relative to the current GMT.  This could be useful in calibrating the date-stamps held in files/logs.
  3. Look for obvious physical signs on the system, such as signs of upgrades or removed components.
  4. Log hardware/serial numbers found physically on the components.

 

Non Intrusive Hard Disk Analysis

Taking the image of the disk carries the highest risk, as it should be the only time that we have to work on the original disk.  If the disk has to be imaged while still in the original machine then it is imperative that booting from that disk is disabled.

  1. Take a duplicate of the hard disk using sector imaging software such as Ghost, preserving all data on the drive including slack from files that may have been deleted; all work should be done on the duplicate copy of the drive.  Look for other partitions, such as a Unix or other partition, that would not show up in Windows utilities.
  2. Booting from a sterile floppy disk, take a directory of all files and folders (including system and hidden) on the drive with dates, times and attributes.
  3. Booting from a floppy disk, take an index of all files on the disk using a function such as a CRC check, so that any changes can be tracked and duplicate files can be identified.
  4. View contents of any deleted files on the hard disk (change the first character to an identifiable character, e.g. ‘-’).
  5. View contents of slack file space and unallocated space.
  6. Find any ‘.PWL’ files and decrypt if applicable, as passwords used for logging on may be used for other purposes.
  7. Run Virus Killer in a search-only mode.
  8. Look for the absence of files associated with normal use.
  9. Look for fragmentation interspersed with ‘0’s or other uniform data that would be associated with a file-wiping program.
  10. Examine auto-start scripts, keys and programs for any attempt to sabotage data.
  11. Attempt to crack password protected or encrypted files.
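
Steps 2 to 4 above (a listing with dates, times and attributes that includes hidden and system files, and deleted entries with their first character replaced by an identifiable one) can be seen at the byte level in the FAT directory format used by Windows 9x. The following Python is an added example, not from the original document: it decodes 32-byte FAT short-name directory entries, including the 0xE5 marker that FAT writes over the first character of a deleted entry. The sample directory block is constructed inline; a real listing would read such blocks from the working copy of the disk, never from the original.

```python
import struct
from datetime import datetime
from typing import Dict, List, Optional

# Constructed example: decode raw 32-byte FAT12/16/32 directory entries so a
# listing taken from a sterile boot shows hidden and system files with their
# dates, times and attributes, and so deleted entries (first byte 0xE5) are
# recognised and given an identifiable first character.  Long-file-name (LFN)
# entries are skipped; only 8.3 short names are decoded.

ATTR_FLAGS = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V", 0x10: "D", 0x20: "A"}
ATTR_LFN = 0x0F
DELETED = 0xE5


def fat_date(raw: int) -> Optional[str]:
    """FAT date word: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day."""
    try:
        return datetime(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F).strftime("%Y-%m-%d")
    except ValueError:
        return None                      # zero or corrupt field


def fat_time(raw: int) -> str:
    """FAT time word: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds/2."""
    return "%02d:%02d:%02d" % (raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)


def parse_entry(raw: bytes, deleted_marker: str = "-") -> Optional[Dict]:
    """Decode one entry; None for LFN pieces and the end-of-directory marker."""
    if len(raw) != 32 or raw[0] == 0x00:
        return None
    attr = raw[11]
    if attr & ATTR_LFN == ATTR_LFN:
        return None
    name = bytearray(raw[0:8])
    deleted = name[0] == DELETED
    if deleted:
        name[0] = ord(deleted_marker)    # the original first character is gone
    elif name[0] == 0x05:
        name[0] = 0xE5                   # escaped 0xE5 in a live name
    base = name.decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    # offsets 14..31: ctime, cdate, adate, cluster hi, wtime, wdate, cluster lo, size
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHHHHI", raw, 14)
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "attrs": "".join(f for bit, f in ATTR_FLAGS.items() if attr & bit),
        "created": f"{fat_date(cdate)} {fat_time(ctime)}",
        "accessed": fat_date(adate),
        "modified": f"{fat_date(wdate)} {fat_time(wtime)}",
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def list_directory(block: bytes) -> List[Dict]:
    """Walk a raw directory block 32 bytes at a time until the 0x00 end marker."""
    entries = []
    for off in range(0, len(block) - 31, 32):
        if block[off] == 0x00:
            break
        entry = parse_entry(block[off:off + 32])
        if entry:
            entries.append(entry)
    return entries


def make_entry(name: str, ext: str, attr: int, date: int, time: int,
               cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a constructed sample entry for the demo (not from any real image)."""
    raw = bytearray(name.ljust(8).encode("latin-1") + ext.ljust(3).encode("latin-1"))
    raw += bytes([attr, 0, 0])
    raw += struct.pack("<HHHHHHHI", time, date, date, 0, time, date, cluster, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


# Constructed directory: 2001-03-02 is (21 << 9) | (3 << 5) | 2 = 10850,
# 14:30:10 is (14 << 11) | (30 << 5) | 5 = 29637.
SAMPLE_DIRECTORY = (
    make_entry("README", "TXT", 0x20, 10850, 29637, 3, 1234)
    + make_entry("SECRET", "PWL", 0x22, 10850, 29637, 9, 688)                 # hidden
    + make_entry("LETTER", "DOC", 0x20, 10850, 29637, 12, 40960, deleted=True)
    + b"\x00" * 32
)

if __name__ == "__main__":
    for e in list_directory(SAMPLE_DIRECTORY):
        print(e)
```

The deleted LETTER.DOC entry comes back as -ETTER.DOC with its size and first cluster intact, which is exactly what an undelete tool has to work from; whether the clusters still hold the old contents is a separate question, since FAT does not record that.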

 


Intrusive Hard Disk Analysis

Action: Booting the machine from its own hard disk
Likely consequences:
  • Bootlog.txt modified
  • Scandisk run
  • Swap file overwritten
  • Startup programs run
  • Modified dates on system files change
  • Registry updates

  1. Rename the swap file so that information will be preserved.
  2. Rename the startup folder.
  3. Boot the machine in ‘Step by Step confirmation mode’.
  4. Assess the function of programs.

When not in use it may be a good idea to disconnect the machine's hard disk to prevent it being used by accident.

 

Technique

Finding Concealed files

Finding Evidence of usage


Tools

Function required                Program identified
Hex disk/file editor             PTS Disk Editor, XVI32, Hexpert
Bitstream disk imaging program   DD (GNU/Linux)
File identifier                  None found, may develop one
Undelete program                 Norton Utilities
Unformat                         Norton Utilities
File indexer                     Forensic Tool Kit, MD5Sum, Hashkeeper, Modified Grabber
Various bootable media           Win9x, NTFSDOS, Trinux, olntpwre, Maxtor/WD/Seagate/IBM boot disks (for BIOS-limited PCs)
External backup device           CD writer, Laplink
Memory editor                    Wadeware memory viewer, Acmeview
Anti-virus boot disk             NAI
Hardware probe                   MSD?
Registry dump program            Samdump
NTFS data-stream detection       Crucial ADS, Forensic Tool Kit
Event log dump                   DumpEVT
Event log analyser               NTLast

 

Password Recovery Tools

There are lots of different password crackers, but I would expect that these programs are the most common in use.

Program                  Password recovery tool
Zip                      FZC
Arj                      YAAC
NT password              L0pht Crack
Windows 9x password      007 Wasp, Glide, PWLview
Cached passwords         Snadboy Revelation
Cute FTP                 Cute FTP cracker
Eudora email             Eudora Cracker
ICQ                      ICQ Pass, ICQ Information
MS Access                Accesskey
MS Word                  Lostpassword
MS Excel                 Lostpassword
WS-FTP                   WS-FTP Cracker

 

As renaming file extensions is a common method of hiding files, it would be interesting to develop a program that holds a database of common file signatures (for example ‘BM’ at the start of the bmp file header) and could search through all files on the hard disk; this could also be useful for searching through cache, swap and ‘.CHK’ files to re-assemble files.

It may be interesting to run the system in a virtual environment such as VMware.
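
The signature database proposed above can be sketched quickly. The Python below is an added example (not part of the original document): a small table of header bytes, a scan that reports files whose extension disagrees with the signature their content carries, and a carver that recovers header/trailer delimited files from an unstructured blob such as a swap file, browser cache or Scandisk ‘.CHK’ file. The signatures listed are the standard ones for those formats; the sample files and blob are constructed inline, and the JPEG and GIF stand-ins only mimic the start and end of real files. Formats without a fixed trailer need a length field or a size limit instead of the trailer search shown here.

```python
import os
import tempfile
from typing import List, Set, Tuple

# Constructed example: a small file-signature database, a scan that flags files
# whose content does not match their extension, and a carver that pulls files
# with known header/trailer pairs out of an unstructured blob such as a swap
# file, browser cache or Scandisk .CHK file.

# (magic bytes, offset at which they appear, extensions that legitimately carry them)
SIGNATURES: List[Tuple[bytes, int, Set[str]]] = [
    (b"BM", 0, {"bmp"}),
    (b"\xff\xd8\xff", 0, {"jpg", "jpeg"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, {"doc", "xls", "ppt"}),   # OLE2 compound file
    (b"Standard Jet DB", 4, {"mdb"}),
    (b"MZ", 0, {"exe", "dll", "scr"}),
    (b"%PDF", 0, {"pdf"}),
]
HEADER_LEN = 32

# header and trailer used to carve a complete file out of raw data
CARVE_RULES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF8", b"\x00\x3b"),      # block terminator followed by the GIF trailer
}


def identify(header: bytes) -> Set[str]:
    """Extensions whose signature matches the first HEADER_LEN bytes of a file."""
    found: Set[str] = set()
    for magic, offset, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            found |= exts
    return found


def scan_tree(root: str) -> List[Tuple[str, str, Set[str]]]:
    """Files whose extension is not one the detected signature allows: (path, ext, detected)."""
    mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                detected = identify(fh.read(HEADER_LEN))
            ext = fn.rsplit(".", 1)[-1].lower() if "." in fn else ""
            if detected and ext not in detected:
                mismatches.append((path, ext, detected))
    return mismatches


def carve(blob: bytes, max_len: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Header/trailer delimited files found in raw data: (kind, offset, data), by offset."""
    found = []
    for kind, (head, tail) in CARVE_RULES.items():
        pos = 0
        while (start := blob.find(head, pos)) != -1:
            end = blob.find(tail, start + len(head), start + max_len)
            if end == -1:
                pos = start + 1             # header with no trailer in range: skip it
                continue
            end += len(tail)
            found.append((kind, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


# Constructed stand-ins; real files are far longer but start and end the same way.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed JFIF payload" + b"\xff\xd9"
FAKE_GIF = b"GIF89a" + b"\x10\x00\x10\x00" + b"constructed image data" + b"\x00;"


def demo() -> Tuple[List[Tuple[str, str, Set[str]]], List[Tuple[str, int, bytes]]]:
    """Scan a constructed tree with one renamed image, then carve a constructed blob."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("notes.txt", FAKE_JPEG),       # image hiding behind .txt
                           ("picture.gif", FAKE_GIF),       # honest extension
                           ("readme.txt", b"plain text, no known signature")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        mismatches = scan_tree(root)
    blob = b"\x00" * 100 + FAKE_GIF + b"junk" * 7 + FAKE_JPEG + b"\x00" * 50
    return mismatches, carve(blob)


if __name__ == "__main__":
    found, carved = demo()
    for path, ext, detected in found:
        print(f"{path}: extension .{ext} but content looks like {sorted(detected)}")
    for kind, offset, data in carved:
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

The scan only reports files whose content carries a known signature, so a renamed image stands out while ordinary text files produce no noise; the carver returns the offset of each hit as well as the bytes, which is what the examiner's notes need when a fragment is recovered from swap or cache rather than from a named file.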


 

Forensics Checklist

Initial Examination of machine.

Procedure: Physical examination of system
Detail:
  • Describe the state of the machine: on/off/sleeping, damage, missing components, noise.
Done: [ ]

Procedure: Complete chain of custody log
Detail:
  • Create a unique ID for any evidence worked on (e.g. manufacturer & S/N).
Done: [ ]


Additional steps for a machine already turned on.

Procedure: View memory of machine; back up to sterile media if possible.
Detail: Do not back up to the machine's hard disk or any other media that may be used in evidence.
Done: [ ]

Procedure: View CMOS memory; save to sterile media if possible.
Detail: This may be useful for many reasons, including the possibility of a BIOS password being stored.
Done: [ ]

Procedure: Shut down machine
Detail: This can be done through the normal procedure for the O/S or by physically switching the machine off.
  • With a Windows 95 machine the normal shutdown deletes the swap file by setting its size to 0 bytes.
  • Windows 98/ME do not delete the swap file.
  • In other O/S such as Unix, switching off the machine may cause unrecoverable damage to the file-system.
  A restart with bootable sterile media in the drive may be more appropriate if there could be an unknown CMOS password and opening the case is not an option.
Done: [ ]

 

 


Examining CMOS Information

Procedure: Disconnect hard-drive IDE cable.
Detail:
  • If this is possible, it negates the risk that the drive may boot when the machine starts.
  • Some machines, such as many Compaqs, store CMOS data on the hard disk, so this step would not be possible.  If this is the case the hard disk could be installed as a non-booting device in a sterile machine and the CMOS sector examined with a disk editor.
Done: [ ]

Procedure: Boot machine with bootable sterile media in drive.  Enter CMOS setup; usually F1, F2, F9, F10, Delete or Ctrl+Alt+Esc.
Detail:
  • If the hard drive is still connected then be very careful of the possibility that it may be the first boot device.
  • If CMOS is password protected then it may be retrievable at a later stage by using a CMOS dumping program.
Done: [ ]

Procedure: Retrieve CMOS information
Detail: In particular:
  • CMOS type/version
  • Date/time relative to GMT
  • Hard drive information
  • Boot order
Done: [ ]

If CMOS cannot be entered and the boot order cannot be verified, then it would be preferable to move the hard disk to another, sterile computer.

 

 

Creating Working copy of Evidence

Procedure: Boot machine from sterile bootable media.
Done: [ ]

Procedure: Verify reported HDD size against reported value in CMOS
Detail:
  • If these are different then there may be drive overlay software in use, which could mean an invalid copy of the hard disk.
Done: [ ]

Procedure: Take working copy of hard disk
Detail:
  • Take a bit-stream copy of the hard disk using the ‘disk copy’ option in Norton Ghost or the ‘dd’ program in Unix.
Done: [ ]

Procedure: Identify and tag copy of the hard disk.
Detail:
  • Record the time and date that the copy was taken.
Done: [ ]
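
As an added example, not taken from the document, the following Python models what ‘dd conv=noerror,sync’ does while the working copy is taken and what the tag on the copy should record: an unreadable block is replaced by a zero-filled block of the same size so that every offset in the image still lines up with the original, the bad block numbers are logged, and the image is hashed so the tag carries a verifiable digest. The 8-block ‘drive’, its unreadable block 5, the evidence ID placeholder and the timestamp are all constructed; on a real drive the block reader would wrap the raw device and the read error would come from the hardware.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed example of what 'dd conv=noerror,sync' does when a working copy is
# taken: read the source a block at a time, do not stop at an unreadable block
# but write a zero-filled block of the same size in its place (so every offset
# in the image still lines up with the original), remember which blocks were
# bad, and hash the image so the tag on the copy carries a verifiable digest.


class UnreadableBlock(IOError):
    """Raised by the block reader when the medium cannot return a block."""


def image_device(read_block: Callable[[int], bytes], total_blocks: int,
                 bs: int = 512) -> Tuple[bytes, List[int], str]:
    """Return (image, bad block numbers, sha256 of the image)."""
    image = bytearray()
    bad: List[int] = []
    digest = hashlib.sha256()
    for n in range(total_blocks):
        try:
            chunk = read_block(n)
        except UnreadableBlock:
            chunk = b""                 # noerror: keep going
            bad.append(n)
        chunk = chunk[:bs].ljust(bs, b"\x00")   # sync: pad short/absent reads to bs
        image += chunk
        digest.update(chunk)
    return bytes(image), bad, digest.hexdigest()


def verify_image(source_blocks: List[bytes], image: bytes, bad: List[int],
                 bs: int = 512) -> bool:
    """Image must equal the source except at logged bad blocks, which must be zero."""
    if len(image) != len(source_blocks) * bs:
        return False
    for n, block in enumerate(source_blocks):
        expected = b"\x00" * bs if n in bad else block.ljust(bs, b"\x00")
        if image[n * bs:(n + 1) * bs] != expected:
            return False
    return True


def demo() -> Dict:
    """Image a constructed 8-block 'drive' whose block 5 is unreadable, then tag it."""
    bs = 512
    drive = [bytes([n + 1]) * bs for n in range(8)]
    bad_sector = 5

    def read_block(n: int) -> bytes:
        if n == bad_sector:
            raise UnreadableBlock(f"block {n} unreadable")
        return drive[n]

    image, bad, sha = image_device(read_block, len(drive), bs)
    return {
        "evidence_id": "EVIDENCE-ID-PLACEHOLDER",   # from the chain-of-custody log
        "image_sha256": sha,
        "bad_blocks": bad,
        "taken_utc": "2001-03-02T10:40:00+00:00",   # constructed timestamp
        "verified": verify_image(drive, image, bad, bs),
    }


if __name__ == "__main__":
    print(demo())
```

Record the digest, the bad-block list and the time alongside the copy's identifier. Re-hashing the image later and comparing it with the recorded digest shows that the working copy itself has not been altered since it was taken; the bad-block list explains any region of zeros that would otherwise look like wiped data.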

 

 


Identify Hard-disk information

Procedure: Connect working copy(s) as the only drive(s) in the computer.
Done: [ ]

Procedure: Boot computer from sterile media.
Done: [ ]

Procedure: Take unique file identifications.
Detail:
  • There are several different possibilities for this, but for compatibility with the ‘grabber’ database it would be nice to take the ‘FIPS-180’ SHA and the CRC of each file on the hard disk, including hidden files.
  • All of this information should be stored on sterile media.
Done: [ ]

Procedure: Take directory structure
Detail:
  • A command such as tree redirected to a file would achieve this.
Done: [ ]

Procedure: Take complete listing of all files
Detail:
  • Make sure hidden and system files are shown.
  • Retrieve the maximum information possible, including names, file attributes, sizes, owners (if applicable) and created, modified and accessed dates.
Done: [ ]

Procedure: View contents of archived files
Detail:
  • Attempt to decrypt if necessary.
  • Save directory listings from these.
Done: [ ]

Procedure: Search for deleted files
Detail:
  • If they cannot be restored it may at least be possible to save fragments of them; this could be useful in comparisons to, for example, the grabber database.
Done: [ ]

Procedure: Check for file streaming
Detail:
  • NTFS only.
Done: [ ]

Procedure: Search for fragments in file slack space.
Detail:
  • Fragments from overwritten files may be found here.
Done: [ ]

Procedure: Note files that may be relevant to the case.
Detail:
  • Identify by extension or suspicious filenames or locations.
Done: [ ]

Procedure: Examine contents of Scandisk ‘CHK’ files
Detail:
  • These may be complete files; if their headers can be identified then simply renaming the file extension may restore them.
Done: [ ]

Procedure: Note files that may be relevant to the user
Detail:
  • Email files
  • Internet cache
  • Cookies
  • ‘My Documents’ folder
  • TXT, DOC, RTF, WPS, XLS, MDB, PPS, EML files
  • JPG, JPEG, GIF files
  • MPG, MPEG, AVI, RM, RAM, MOV, VIV files
  • Bookmarks/favourites
  • Address list
  • Task list
  • Encrypted files
  • PWL/password files
Done: [ ]

Procedure: View/search contents of swap file
Detail:
  • Rename or save the swap file elsewhere for later examination.
Done: [ ]

Procedure: View/search contents of the registry
Detail:
  • A DOS-based registry editor would be ideal; it is possible to do limited searching using a text editor.
Done: [ ]

The following is most easily achieved by booting into safe mode Windows.

Procedure: Identify programs
Detail:
  • Especially file editors and viewers that may be relevant to the case.
  • Identify which of these programs are actually used and investigate them more thoroughly.
  • Check which files these programs have used/viewed recently.
  • Check for Internet-related programs: browsers, email, newsgroup, FTP etc.
Done: [ ]

Procedure: Uncover cached passwords
Detail:
  • Since people tend to use the same passwords for different programs, this may be useful.
Done: [ ]
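
The ‘Take unique file identifications’ step in the checklist above, and the ‘Generating File-system fingerprints’ section earlier, both call for a hash of every file (the checklist asks for the FIPS-180 SHA and a CRC) taken before and after work, so that any alteration can be shown. The Python below is an added example, not the document's own tool and not the ‘grabber’ database: it builds such a manifest with SHA-1 and CRC-32, writes and reads it in a plain text form suitable for sterile media, reports added, removed and changed files between two snapshots, and lists duplicate files by content. The directory tree it fingerprints is constructed in a temporary folder.

```python
import hashlib
import os
import tempfile
import zlib
from typing import Dict, List, Tuple

# Constructed example: fingerprint every file below a root with SHA-1 (the
# FIPS 180-1 hash) and CRC-32, save the manifest to sterile media, and compare a
# 'before' manifest with an 'after' one.  os.walk returns dot-files and files
# with the hidden/system attribute just like any other, so nothing is skipped.

Fingerprint = Tuple[str, int, int]          # (sha1 hex, crc32, size in bytes)


def fingerprint_file(path: str, chunk: int = 1 << 16) -> Fingerprint:
    sha1, crc, size = hashlib.sha1(), 0, 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha1.update(block)
            crc = zlib.crc32(block, crc)
            size += len(block)
    return sha1.hexdigest(), crc & 0xFFFFFFFF, size


def fingerprint_tree(root: str) -> Dict[str, Fingerprint]:
    """Map each file's path (relative to root, '/'-separated) to its fingerprint."""
    manifest: Dict[str, Fingerprint] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order for the written manifest
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if os.path.islink(full):
                continue                     # the target is fingerprinted under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = fingerprint_file(full)
    return manifest


def write_manifest(manifest: Dict[str, Fingerprint], out_path: str) -> None:
    """One line per file: sha1, crc32 (hex), size, path; write this to sterile media."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            sha1, crc, size = manifest[rel]
            fh.write(f"{sha1} {crc:08x} {size} {rel}\n")


def read_manifest(path: str) -> Dict[str, Fingerprint]:
    manifest: Dict[str, Fingerprint] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            sha1, crc, size, rel = line.rstrip("\n").split(" ", 3)
            manifest[rel] = (sha1, int(crc, 16), int(size))
    return manifest


def compare(before: Dict[str, Fingerprint], after: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Report what changed between two snapshots; all three lists empty means untouched."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def duplicates(manifest: Dict[str, Fingerprint]) -> List[List[str]]:
    """Groups of paths whose content is identical (same SHA-1 and size)."""
    groups: Dict[Tuple[str, int], List[str]] = {}
    for rel, (sha1, _crc, size) in manifest.items():
        groups.setdefault((sha1, size), []).append(rel)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def demo() -> Dict[str, List]:
    """Snapshot a constructed tree, 'work' on it, snapshot again, and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(root, "docs"))
        for rel, data in [("docs/letter.doc", b"constructed letter"),
                          ("docs/copy.doc", b"constructed letter"),
                          (".hidden.pwl", b"constructed cached password file"),
                          ("notes.txt", b"hello")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = fingerprint_tree(root)
        write_manifest(before, os.path.join(media, "before.manifest"))
        # Changes that must never happen to evidence: append, delete, create.
        with open(os.path.join(root, "notes.txt"), "ab") as fh:
            fh.write(b"!")
        os.remove(os.path.join(root, ".hidden.pwl"))
        with open(os.path.join(root, "scratch.tmp"), "wb") as fh:
            fh.write(b"x")
        after = fingerprint_tree(root)
        report = compare(read_manifest(os.path.join(media, "before.manifest")), after)
    report["duplicates"] = duplicates(before)
    return report


if __name__ == "__main__":
    print(demo())
```

The manifest is written to and read back from separate media, as the checklist requires, and the comparison is done against the stored copy rather than the in-memory one, so the same check can be repeated by someone else later. SHA-1 is what the ‘FIPS-180’ SHA refers to here; an examiner today would normally add SHA-256 in a further column.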

 

 

Registry Keys Relevant to recent usage

Key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Save Directory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
HKEY_CURRENT_USER\Software\WinZip\directories
HKEY_CURRENT_USER\Software\WinZip\filemenu
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\MS Exchange Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_USERS\