This report concerns computer forensics methodology and the best practices for producing solid court evidence. There are numerous ways in which a suspect can hide or disguise digital evidence of wrongdoing. The task of the computer forensics investigator is to retrieve that information while retaining a verifiable and reproducible trace of every action taken, so that the authenticity of the digital evidence can be proved. Such evidence has substantial probative value and can facilitate the prosecuting counsel’s work. This report therefore explains the various approaches used to distort or hide data, as well as the means of its full reconstruction. Since the target audience possesses rather limited computer knowledge, all technical concepts are explained in terms as simple as the subject allows. To show the prosecuting counsel how particular types of evidence can be recovered, the report presents a custom case involving a suspect’s USB pen drive. Given the limited scope of the report, the examples cover only one software tool, selected from the many computer forensics instruments available.
Digital forensics employs a variety of methods applied to the target item that may contain evidence. “Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence” (Noblett, Pollitt, and Presley 2000). While stand-alone monitors and disassembled boards hold a scarce amount of usable data, storage media are a highly valuable evidence base. The most useful object in digital forensics, however, is a running PC, which contains the fullest possible set of traces. “The technique known as live-box forensics gives investigators access to the entire running system, including the volatile information contained in the memory chips (RAM) and whatever is on the live hard drive” (Cummings 2008). The past decade’s IT progress brought a number of new portable devices, such as smartphones and tablets, which can yield substantial evidence just as PCs do. Though the architecture of these devices differs from the traditional computer design, the forensic approach to them “...takes into account existing techniques of computer and cell phone forensic examination adapting them to specific Android characteristics, its data storage structure, popular applications and the conditions under which the device was sent to the forensic examiner” (Simão et al. 2012). Thus, the scope of modern computer forensics covers all types of devices that process digital data in any way.
Among all the items that may constitute digital evidence, the most valuable information is obtained from storage media. The working assumption is that the evidence file has been disguised, deleted, dispersed, or hidden. In most cases the storage retains traces that can lead to restoration of the data. How effective this is depends on many factors, including how many times the sectors that held the original file have been overwritten since it was deleted. The traces can never guarantee recovery. “In modern computers, it is almost never possible to “run time backwards” given a set of traces, and identify a unique history that led to the traces found” (Cohen 2012). However, the redundancy built into stored data formats and file systems (format signatures, file system metadata and, on most media, unallocated space that is not wiped when a file is deleted) makes it possible to reconstruct information in most cases.
The ways in which information can be hidden are multiple. The most obvious course of action for a suspect is to set the “hidden file” operating system attribute on any files he intends to hide. For the investigator to see and access this information, the file explorer must be configured to display system and hidden files. Changing this setting requires no special privileges, and in any case the investigator does not browse the suspect’s system directly: the media is imaged through a write-blocker and the image is examined in the laboratory, where the hidden attribute is simply ignored. Another type of file that prevents easy access to the information is the encrypted or password-protected file. There are a number of tools capable of heuristic analysis or dictionary and brute-force password cracking, which can be applied successfully to such files. This approach usually requires a considerable amount of machine time, which can be reduced by distributed computing; strong encryption with a long passphrase, however, cannot be brute-forced in any practical time, and the search then shifts to recovering the key or password from elsewhere on the system (memory, configuration files, other accounts). Generally, most digital forensics tools offer comprehensive automated analysis, which means that the forensic lab must be equipped with high-performance computer hardware.
More complex ways to prevent access involve tampering with the file itself. The file extension can be changed simply by editing the filename, which associates the file with an inappropriate application; any attempt by that application to open the altered file will fail. Renaming, however, does not touch the file’s contents, and the true type is revealed immediately by the file signature (the “magic” bytes with which every common format begins). A more sophisticated camouflage therefore alters the file header and/or footer. The header carries the format signature and the metadata an application needs to interpret the body (image dimensions, compression method and so on); some formats also carry checksums for their own integrity checking, and a suspect can recalculate them with widely available tools. An application associated with the file type will refuse to open such a file. However, the body of the file retains patterns specific to its format (the internal block or chunk structure), from which the investigator can re-create the original header and footer with software similar to the suspect’s. Sometimes, criminals write a data stream directly onto the disk, bypassing the file system. No recognizable file structure then exists, whether deleted, hidden, or altered. To retrieve such information the whole disk must be scanned sector by sector for characteristic patterns, a technique known as file carving. Once found, the suspicious raw data blocks are copied to an external file and subjected to further analysis.
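The following Python script is an added illustration of the signature check and the carving scan described above; it is not part of this report’s WinHex case and is not WinHex’s own code. The “image” it scans is a small constructed byte string standing in for a pen-drive image, the file names are invented, and the scanner is deliberately simple (it stops at the first footer after a header, so nested formats such as a JPEG containing a JPEG thumbnail would need format-aware parsing).

```python
"""Signature-based file identification and carving over a raw disk image."""
from typing import List, Optional, Tuple

# Header ("magic") bytes and closing footer of three common formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
# Extensions under which each format is normally stored.
EXPECTED_EXT = {"jpeg": {"jpg", "jpeg"}, "png": {"png"}, "pdf": {"pdf"}}


def identify(data: bytes) -> Optional[str]:
    """Name the format from the leading bytes; the file name plays no part."""
    for fmt, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return fmt
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension disagrees with what the content says it is."""
    fmt = identify(data)
    if fmt is None:
        return False                      # unknown content: nothing to compare
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXPECTED_EXT[fmt]


def carve(image: bytes, max_size: int = 1 << 20) -> List[Tuple[int, str, bytes]]:
    """Scan a raw image for header/footer pairs, ignoring any file system.

    A footer must appear within max_size bytes of its header; a header with
    no footer is not reported (the file may be truncated or overwritten).
    """
    found = []
    for fmt, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((start, fmt, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda hit: hit[0])


def keyword_hits(image: bytes, needle: bytes) -> List[int]:
    """Offsets of every occurrence of a search term anywhere on the media."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed stand-in for a pen-drive image: zero-filled space, a JPEG, a
# text fragment written with no file structure at all, and a PNG.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<constructed scan lines>" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"<constructed IHDR and IDAT chunks>" + b"IEND\xaeB`\x82"
RAW = b"account 4471-22 transfer 15000 EUR\n"
IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 32 + RAW + b"\x00" * 16 + PNG + b"\x00" * 64

if __name__ == "__main__":
    print("holiday.txt is really:", identify(JPEG),
          "| extension mismatch:", extension_mismatch("holiday.txt", JPEG))
    for offset, fmt, data in carve(IMAGE):
        print(f"carved {fmt} at offset {offset}, {len(data)} bytes")
    print("keyword 'EUR' at offsets", keyword_hits(IMAGE, b"EUR"))
```

Run stand-alone, the script reports the JPEG that was renamed to a .txt file, carves both pictures from the image without consulting any directory, and locates the raw text fragment by keyword, which is the same three-step workflow (identify, carve, search) performed in the WinHex case that follows.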
One practice used to disguise data is steganography, the hiding of information inside an innocuous carrier, most commonly a digital image (the same idea applies to audio and other files). Suspects use the technique to conceal incriminating data in files that look entirely ordinary. Digital forensics specialists can discover the hidden part even when the picture appears original and the added data is dispersed across the whole image file. One approach, where the original picture is available (from the camera, a website, or another copy on the same drive), is to compare hash values: any difference proves the file was modified, and a byte-level comparison then isolates the change. Without an original, the investigator relies on statistical steganalysis, since embedding alters the statistics of the pixel values in measurable ways even when the image looks unchanged to the eye. It is one of the most sophisticated methods of concealment, and exceptional digital forensics skills are needed to dig up the evidence. There are, nevertheless, a number of tools that effectively disclose hidden data, including the “…set of image forensic techniques capable of detecting global and local contrast enhancements and histogram equalization” (Mahalakshmi, Vijayalakshmi, and Priyadharsini 2012).
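The following Python script is an added illustration of the simplest form of image steganography, least-significant-bit (LSB) embedding, together with the two detection routes mentioned above. It is not part of the report’s case and not the code of any tool named here. The cover “image” is a constructed list of grey values rather than a real photograph, and the message text is invented; the chi-square pair-of-values test it applies is the standard statistical check for LSB embedding.

```python
"""LSB steganography on a constructed grey-scale image, and two ways of
detecting it: hash comparison against the original, and the chi-square
pair-of-values test that needs no original."""
import hashlib
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed: int = 7) -> bytes:
    """Constructed cover: a noisy gradient with most samples nudged to even
    values, standing in for the uneven counts of neighbouring values that
    real photographs show."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            value = (2 * x + 2 * y + rng.randint(-6, 6)) % 256
            if rng.random() < 0.7:
                value &= 0xFE
            pixels.append(value)
    return bytes(pixels)


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide a 16-bit length prefix and the message in the least significant
    bit of consecutive samples. Each sample changes by at most 1."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in the cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Read the LSBs back; the length prefix says where the message ends."""
    def read_bytes(first_sample: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[first_sample + 8 * b + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def chi_square(pixels: bytes, n: int) -> float:
    """Pair-of-values statistic over the first n samples. LSB embedding
    replaces the natural counts of values 2k and 2k+1 with counts that
    mirror the message bits (roughly equal), so the statistic drops."""
    counts = [0] * 256
    for value in pixels[:n]:
        counts[value] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
    return stat


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed message; a real one would usually be compressed or encrypted first.
MESSAGE = (b"Transfer 15000 EUR from ACCT 4471-22 to ACCT 9903-17 on 03/12; "
           b"keep off the books. ") * 2

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, MESSAGE)
    n = 16 + 8 * len(MESSAGE)              # samples that carry hidden bits
    print("hash changed:", sha256(cover) != sha256(stego))
    print("recovered:", extract(stego)[:40])
    print(f"chi-square cover={chi_square(cover, n):.0f} stego={chi_square(stego, n):.0f}")
```

No sample changes by more than one grey level, so the picture is visually identical to the original; the hash nevertheless changes, and the chi-square statistic over the embedded region falls to a fraction of the cover’s value, which is the kind of evidence a steganalysis tool reports when no original is available for comparison.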
The following example demonstrates the use of the WinHex application to restore evidence from a suspect’s USB pen drive. WinHex was initially created as a data recovery tool, facilitating a number of in-depth interactions with storage media. Recent versions, however, contain add-ons developed specifically for investigative purposes. This is the case with the majority of forensics software, as “...many so-called ‘forensic tools’ were created for users outside the forensic field” (Phillip, Cowen, and Davis, 2009, p. 53). Apparently, such tools are used by both criminals and investigators. WinHex is an advanced binary editor that provides access to all files, clusters, sectors, bytes, and bits inside the computer (WinHex 2013). WinHex is also capable of recovering files automatically, including whole nested directory structures. It allows the FAT32 and NTFS boot sectors as well as partition tables to be edited, which is useful during in-depth storage reconstruction.
WinHex can recognize and gather text directly from computer memory or a disk, which helps the forensic examiner search for leads in the form of text fragments, e-mail messages, and documents. WinHex is also able to calculate hash values of any file, disk, or partition. A hash value is a fixed-length fingerprint computed from the data: MD5, the algorithm most often cited, is a message digest algorithm that produces a 128-bit digest (it is not an encryption standard). Because MD5 collisions can now be manufactured deliberately, current practice is to record a second digest such as SHA-256 alongside it; the same fingerprints are used to prove that a forensic image is an exact copy of the seized media. As mentioned above, the hash value of any file on a seized computer system can be matched against the hash value of the known original. The vast majority of files on any system are standard and authentic (operating system files, application files, etc.), and matching them against a library of known hashes excludes them, restricting the search to a small number of unknown files, narrowing the scope of the investigation and saving time.
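The following Python script is an added illustration of the three uses of hashing described above: verifying an acquired image against the source, recording MD5 together with SHA-256, and known-file filtering. It is not WinHex’s code and not part of the report’s case; the “reference library” and the seized files are constructed in memory and their names are invented.

```python
"""Hash fingerprints in evidence handling: image verification, dual digests
and known-file filtering, over constructed in-memory data."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

Fingerprint = Tuple[str, str]          # (MD5 hex, SHA-256 hex)


def fingerprint(data: bytes) -> Fingerprint:
    """Record MD5 (still used by older hash libraries) together with
    SHA-256; MD5 alone is no longer collision resistant."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def fingerprint_stream(chunks: Iterable[bytes]) -> Fingerprint:
    """Same result as fingerprint(), computed chunk by chunk so that a
    multi-gigabyte image never has to be held in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def verify_image(source: bytes, image: bytes, sector: int = 512) -> bool:
    """Acquisition check: the image must hash exactly like the source media."""
    sectors = (image[i:i + sector] for i in range(0, len(image), sector))
    return fingerprint(source) == fingerprint_stream(sectors)


def build_known_set(reference: Dict[str, bytes]) -> Set[Fingerprint]:
    """Fingerprints of files known to be standard (OS and application files)."""
    return {fingerprint(data) for data in reference.values()}


def triage(seized: Dict[str, bytes], known: Set[Fingerprint]) -> List[str]:
    """Names of seized files that are NOT known, i.e. the ones to examine.
    Matching is by content, so a renamed copy of a known file is still
    excluded and a known file altered by a single byte is still flagged."""
    return sorted(name for name, data in seized.items()
                  if fingerprint(data) not in known)


# Constructed reference library and seized-drive contents.
REFERENCE = {
    "notepad.exe": b"MZ constructed notepad binary",
    "kernel32.dll": b"MZ constructed kernel32 binary",
}
SEIZED = {
    "Windows/notepad.exe": REFERENCE["notepad.exe"],
    "Pictures/holiday.jpg": REFERENCE["notepad.exe"],           # renamed copy
    "Windows/kernel32.dll": b"MZ constructed kernel32 binarY",   # one byte changed
    "Documents/accounts.xlsx": b"constructed spreadsheet with the second ledger",
}

if __name__ == "__main__":
    media = bytes(range(256)) * 8        # constructed stand-in for the pen drive
    print("image verified:", verify_image(media, media))
    print("files needing review:", triage(SEIZED, build_known_set(REFERENCE)))
```

Only two of the four seized files survive the filter: the spreadsheet, which matches nothing known, and the system library whose content differs by one byte from the reference copy; the renamed copy of a known program is excluded because the hash depends on content, not on the name.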
One of the most frequently used features of WinHex is the recovery of deleted files. There are a number of hints that may suggest that such files existed on the storage. For instance, the investigator may analyze the Thumbs.db file, which Windows creates in a folder whenever the thumbnail view is used. This hidden file is not purged when the pictures it describes are deleted, so thumbnails of deleted images frequently remain in it (on Windows Vista and later the thumbnails are instead collected in thumbcache_*.db files in the user’s profile, which behave the same way). Consequently, there is a chance to recover evidence from otherwise innocent-looking storage media. Another feature of WinHex allows the parts of a file that the suspect deliberately split to be concatenated again.
WinHex offers far more advanced features. Criminal organizations sometimes run a fully fledged IT infrastructure, including RAID (Redundant Array of Independent Disks) storage holding ‘black’ accounting and other evidence of wrongdoing. In a RAID the information is spread across all participating disks; in the redundant levels (RAID 1, 5 and 6) this allows one or more disks to fail without data loss, whereas RAID 0 merely stripes the data across the disks for speed. In either case no single disk holds a readable file system: data is written in stripes of a fixed size (commonly 64 KB) in a fixed disk order, and only the controller knows both. To prevent access to the information, criminals can deliberately destroy this configuration, for instance by wiping the controller or pulling the disks and scrambling their order. The result is a set of disks that are intact but individually useless, since no consistent data can be read from any one of them. WinHex can help in this case as well: given images of the member disks, it can reassemble the array once the stripe size, disk order and RAID level are identified, which is done by trying the candidate combinations until the reconstructed volume shows a valid file system structure.
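The following Python script is an added illustration of that trial-and-verify reassembly for a three-disk RAID 0 whose disk order and stripe size are unknown. It is not WinHex’s code and not part of the report’s case. The member disks are constructed in memory, and the consistency check is a stand-in: the constructed volume holds one zlib stream whose Adler-32 trailer fails on any misordered or wrongly sized stripe, where a real examination would look for a valid boot sector or master file table instead.

```python
"""Reassembling a striped (RAID 0) volume from member-disk images whose order
and stripe size are unknown: the same trial-and-verify loop an examiner runs
in a tool, on constructed data."""
import itertools
import zlib
from typing import List, Optional, Tuple

N_DISKS = 3
CANDIDATE_STRIPES = (4096, 16384, 65536)        # sizes a controller might use


def stripe(volume: bytes, n_disks: int, stripe_size: int) -> List[bytes]:
    """Distribute a volume over n_disks round-robin, as a RAID 0 controller does."""
    if len(volume) % (n_disks * stripe_size):
        raise ValueError("volume must be a whole number of stripe sets")
    disks = [bytearray() for _ in range(n_disks)]
    for s, offset in enumerate(range(0, len(volume), stripe_size)):
        disks[s % n_disks] += volume[offset:offset + stripe_size]
    return [bytes(d) for d in disks]


def reassemble(disks: List[bytes], order: Tuple[int, ...], stripe_size: int) -> bytes:
    """Read the stripes back assuming the given disk order and stripe size."""
    n = len(order)
    per_disk = len(disks[0]) // stripe_size
    out = bytearray()
    for s in range(per_disk * n):
        k, position = divmod(s, n)          # k-th stripe on the position-th disk
        member = disks[order[position]]
        out += member[k * stripe_size:(k + 1) * stripe_size]
    return bytes(out)


def decode_volume(volume: bytes) -> Optional[bytes]:
    """Consistency check standing in for 'does a valid file system appear'.
    Returns the payload if the zlib stream is complete and its checksum
    verifies, otherwise None."""
    d = zlib.decompressobj()
    try:
        payload = d.decompress(volume)
    except zlib.error:
        return None
    return payload if d.eof else None


def recover(disks: List[bytes]) -> Optional[Tuple[Tuple[int, ...], int, bytes]]:
    """Try every disk order and candidate stripe size; return the first
    combination that yields a consistent volume."""
    for size in CANDIDATE_STRIPES:
        for order in itertools.permutations(range(len(disks))):
            payload = decode_volume(reassemble(disks, order, size))
            if payload is not None:
                return order, size, payload
    return None


# Constructed 'black accounting' records, stored uncompressed (zlib level 0)
# so the stream spans the whole volume and every stripe matters.
PAYLOAD = b"".join(b"entry %06d: ACCT-%06d amount %8d\n" % (i, (i * 7919) % 1000000, i * 37)
                   for i in range(4500))
STREAM = zlib.compress(PAYLOAD, 0)
VOLUME = STREAM + b"\x00" * (-len(STREAM) % (N_DISKS * max(CANDIDATE_STRIPES)))

TRUE_STRIPE = 16384
ORIGINAL_DISKS = stripe(VOLUME, N_DISKS, TRUE_STRIPE)
# The suspect pulled the disks and scrambled them; the examiner images them
# in the order they were found.
SCRAMBLED = [ORIGINAL_DISKS[2], ORIGINAL_DISKS[0], ORIGINAL_DISKS[1]]

if __name__ == "__main__":
    result = recover(SCRAMBLED)
    if result is None:
        print("no consistent layout found")
    else:
        order, size, payload = result
        print(f"disk order {order}, stripe {size} bytes, {len(payload)} bytes recovered")
```

With three disks and three candidate stripe sizes there are only eighteen combinations to try; real arrays with more members and unknown RAID level multiply that number, which is why tools automate the search, but the principle of reconstruction followed by a structural validity check is unchanged.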
A rather limited set of WinHex capabilities will be utilized for the purpose of this report. The USB pen drive in question will be subjected to a number of manipulations in order to reveal the evidence. The sequence of operations is fully documented, as “...the requirements of the judicial system dictate that evidence must possess a verifiably high level of integrity...before items can be accepted as evidence in court” (Zimmerman 2010).