Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Computer Forensics Data Recovery and Evidence
Collection and Preservation
September 7, 2011
Data Recovery
What is Data Recovery?
Role of Backup in Data Recovery
Data Recovery Solution
Hiding and Recovering Hidden Data
What is Data Recovery
Usually data recovery means that data that is lost is
recovered – e.g., when a system crashes some data
may be lost, with appropriate recovery procedures
the data is recovered
In digital forensics, data recovery is about
extracting the data from seized computers (hard
drives, disks etc.) for analysis
Role of Backup in Data Recovery
Databases/files are backed up periodically (daily,
weekly, hourly etc.) so that if system crashes the
databases/files can be recovered to the previous
consistent state
Challenge to backup petabyte sized databases/files
Obstacles for backing up
- Backup window, network bandwidth, system
throughout
Current trends
- Storage cost decreasing, systems have to be online
24x7
Next generation solutions
- Multiple backup servers, optimizing storage space
Data Recovery/Backup Solution
Develop a plan/policy for backup and recovery
Develop/Hire/Outsource the appropriate expertise
Develop a system design for backup/recovery
- Three tier architectures, caches, backup servers
Examine state of the art backup/recovery products and
tools
Implement the backup plan according to the policy and
design
Recover Hidden Data
Hidden data
- Files may be deleted, but until they are overwritten,
the data may remain
- Data stored in diskettes and stored insider another
disk
Need to get all the pieces and complete the puzzle
Analysis techniques (including statistical reasoning)
techniques are being used to recover hidden data and
complete the puzzle
Reference:
- http://www.forensicfocus.com/hidden-data-analysis-
ntfs
Evidence Collection and Data Seizure
What is Evidence Collection
Types of Evidence
Rules of Evidence
Volatile Evidence
Methods of Collection
Steps to Collection
Controlling Contamination
What is Evidence Collection
Collecting information from the data recovered for further
analysis
Need to collect evidence so that the attacker can be found
and future attacks can be prevented and/or limited
Collect evidence for analysis or monitor the intruder
Obstacles
- Difficult to extract patterns or useful information from the
recovered data
- Difficult to tie the extracted information to a person
Types of Evidence
Testimonial Evidence
- Evidence supplied by a witness; subject to the perceived
reliability of the witness
- Word processor documents written by a witness as long
as the author states that he wrote it
Hearsay
- Evidence presented by a person who is not a direct
witness
- Word processor documents written by someone without
direct knowledge of the incident
Rules of Evidence
Admissible
- Evidence must be able to be used in court
Authentic
- Tie the evidence positively to an incident
Complete
- Evidence that can cover all perspectives
Reliable
- There should be no doubt that proper procedures were
used
Believable
- Understandable and believable to a jury
Additional considerations
Minimize handling and corruption of original data
Account for any changes and keep detailed logs
Comply with the 5 basic rules
Do not exceed your knowledge – need to understand what
you are doing
Follow the security policy established
Work fast / however need to be accurate
Proceed from volatile to persistent evidence
Do not shut down the machine before collecting evidence
Do not run programs on the affected machine
Volatile Evidence
Types
- Cached data
- Routing tables
- Process table
- Kernel statistics
- Main memory
What to do next
- Collect the volatile data and store in a permanent storage
device
Methods of Collection
Freezing the scene
- Taking a snapshot of the system and its compromised
state
- Recover data, extract information, analyze
Honeypotting
- Create a replica system and attract the attacker for further
monitoring
Steps to Collection
Find the evidence; where is it stored
Find relevant data - recovery
Create order of volatility
Remove external avenues of change; no tampering
Collect evidence – use tools
Good documentation of all the actions
Controlling Contamination
Once the data is collected it should not be contaminated,
must be stored in a secure place, encryption techniques
Maintain a chain of custody, who owns the data, data
provenance techniques
Analyze the evidence
- Use analysis tools to determine what happened
Analyze the log files and determine the timeline
Analyze backups using a dedicated host
Reconstruct the attack from all the information collected
Duplication and Preservation of Evidence
Preserving the Digital Crime Scene
- First task is to make a compete bit stream backup of all
computer data before review or process
- Bit stream backups (also referred to as mirror image backups)
involve the backup of all areas of a computer hard disk drive or
another type of storage media, e.g., Zip disks, floppy disks,
Jazz disks, etc. Such backups exactly replicate all sectors on a
given storage device. Thus, all files and ambient data storage
areas are copied. Bit stream backups are sometimes also
referred to as 'evidence grade' backups and they differ
substantially from traditional computer file backups and
network server backups.
- http://www.forensics-intl.com/def2.html
Make sure that the legal requirements are met and proper
procedures are followed
Digital Evidence Process Model
The U.S. Department of Justice published a process model in the
Electronic Crime Scene Investigation: A guide to first responders
that consists of four phases: -
1. Collection; which involves the evidence search, evidence
recognition, evidence collection and documentation.
2. Examination; this is designed to facilitate the visibility of
evidence, while explaining its origin and significance. It involves
revealing hidden and obscured information and the relevant
documentation.
3. Analysis; this looks at the product of the examination for its
significance and probative value to the case.
4. Reporting; this entails writing a report outlining the examination
process and pertinent data recovered from the overall
investigation.
https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf
Standards for Digital Evidence
The Scientific Working Group on Digital Evidence (SWGDE) was established
in February 1998 through a collaborative effort of the Federal Crime
Laboratory Directors. SWGDE, as the U.S.-based component of
standardization efforts conducted by the International Organization on
Computer Evidence (IOCE), was charged with the development of cross-
disciplinary guidelines and standards for the recovery, preservation, and
examination of digital evidence, including audio, imaging, and electronic
devices.
The following document was drafted by SWGDE and presented at the
International Hi-Tech Crime and Forensics Conference (IHCFC) held in
London, United Kingdom, October 4-7, 1999. It proposes the establishment of
standards for the exchange of digital evidence between sovereign nations
and is intended to elicit constructive discussion regarding digital evidence.
This document has been adopted as the draft standard for U.S. law
enforcement agencies.
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
Verifying Digital Evidence
Encryption techniques
- Public/Private key encryption
- Certification Authorities
- Digital ID/Credentials
Owner signs document with his private key, the Receiver decrypts
the document with the owner’s public key
Owner signs document with the receiver’s public key, Receiver
decrypts the document with his private key
Standards for Encryption
- Export/Import laws
http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20-
%20exploring%20validation,%20verification%20and%20certification.pdf
Conclusion - I
Data must be backed up using appropriate policies,
procedures and technologies
Once a crime ahs occurred data ahs to be recovered
from the various disks and commuters
Data that is recovered has to be analyzed to extract
evidence
Evidence has to analyzed to determine what
happened
Use log files and documentations to establish the
timeline
Reconstruct the attack
Conclusion - II
Standards and processes have to be set in place for
representing, preserving, duplicating, verifying,
validating certifying and accrediting digital evidence
Numerous techniques are out there; need to
determine which ones are useful for the particular
evidence at hand
Need to make it a scientific discipline
Links
Data Recovery
- http://www.datatexcorp.com/
- http://www.forensicfocus.com/hidden-data-analysis-ntfs
Digital Evidence
- http://faculty.ncwc.edu/toconnor/426/426lect06.htm
- http://www.itoc.usma.edu/Workshop/2006/Program/Pres
entations/IAW2006-07-1.pdf
- http://www.e-evidence.info/index.html
- http://www.digital-evidence.org/
- http://findarticles.com/p/articles/mi_m2194/is_3_73/ai_n
6006624/pg_1
- http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/
Presentations/DigitalEvidence.pdf
Links: Preserving Digital Evidence
Preserving Digital Evidence
- http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
(standards)
- https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf (process)
- http://www.logicube.com/logicube/articles/cybersleuth_collect
ing_digital_evidence.asp (hard drive duplication)
- http://www.crime-scene-
investigator.net/admissibilityofdigital.html (digital
photographs)
- http://faculty.ncwc.edu/toconnor/426/426lect06.htm
- http://www.freepatentsonline.com/7181560.html (US Patent)
- http://www.mediasec.com/downloads/veroeffentlichungen/tho
rwirth2004.pdf (survey)
- http://www.forensics-intl.com/def2.html (bit stream backup)
Links: Verifying Digital Evidence
Verifying Digital Evidence
- http://esm.cis.unisa.edu.au/new_esml/resources/publica
tions/digital%20forensics%20-
%20exploring%20validation,%20verification%20and%20
certification.pdf (verification and validation)
- http://www.forensicmag.com/articles.asp?pid=21
- http://www.forensicmag.com/articles.asp?pid=28
(accreditation, parts 1 and 2)