VISIT US AT

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at [email protected] for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.
Tyler Cohen
Amber Schroader
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  CDF476857U
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Alternate Data Storage Forensics
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1234567890
ISBN 13: 978-1-59749-163-1

Publisher: Amorette Pedersen
Acquisitions Editor: Andrew Williams
Cover Designer: Michael Kavish
Copy Editor: Audrey Doyle
Page Layout and Art: Patricia Lupien
Indexer: Nara Wood

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email [email protected].
Contributing Authors
Tyler Cohen (CISSP) is employed by Computer Science Corporation, contracted as a researcher and developer for the Department of Defense Cyber Crime Center. Her specialty is digital forensics and intrusions. She is considered an expert in hacking and conducting forensic exams with the iPod and other alternative media devices. She presents her expertise at various conferences all over the country, including the Department of Defense Cyber Crime Conference, the International High Technology Crime Investigation Association, and The California District Attorney's Cyber Crime Conference.
Kevin Cardwell (CEH, ECSA, LPT) works as a freelance consultant and provides consulting services for companies throughout the US, UK, and Europe. He is an Adjunct Associate Professor for the University of Maryland, where he participated in the team that developed the Information Assurance program for graduate students, which is recognized as a Center of Excellence program by the National Security Agency (NSA). He is an Instructor and Technical Editor for Computer Forensics and Hacking courses. He has presented at the Blackhat USA Conference. Kevin spent 22 years in the U.S. Navy, during which time he tested and evaluated surveillance and weapon system software; some of this work was on projects like the Multi-Sensor Torpedo Alertment Processor (MSTRAP), Tactical Decision Support System (TDSS), Computer Aided Dead Reckoning Tracer (CADRT), Advanced Radar Periscope Discrimination and Detection (ARPDD), and the Remote Mine Hunting System (RMHS). He has worked as both a software and systems engineer on a variety of Department of Defense projects and was selected to head the team that built a Network Operations Center (NOC) that provided services to the command ashore and ships at sea in the Norwegian Sea and Atlantic Ocean. He served as the Leading Chief of Information Security at the NOC for six years prior to retiring from the U.S. Navy. During this time he was the leader of a 5-person Red Team.

Kevin holds a Master's degree from Southern Methodist University and is a member of the IEEE and ACM. Kevin currently resides in Cornwall, England.

Paul Crowley is the founder and lead developer at InfinaDyne. InfinaDyne is one of a small number of companies publishing software specifically targeted at the forensic examiner. Paul has been working in the software development field since 1975. His career includes experience that spans computer hardware from the very smallest home video game console to the largest IBM mainframes. Paul began working with CD recording technology in 1994 and is one of a small number of respected authorities on this technology. The first CD data recovery software product was written by Paul and has led the market for such tools since 1997. InfinaDyne has been offering CD and DVD Forensics training classes since 2005 and has held classes in the U.S. and Australia. Attendees at these classes have included members of the FBI, US Department of Defense, and the Australian Federal Police.
Michael Gregg (CISSP, CISA, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, DCNR ES Dragon IDS, TICSA) is the founder and Chief Operating Officer of Superior Solutions, Inc., a Houston-based IT security consulting firm. Superior Solutions performs security assessments and penetration testing for Fortune 1000 firms. Michael is responsible for working with organizations to develop cost-effective and innovative technology solutions to security issues and for evaluating emerging technologies. Michael supervises client engagements to ensure high-quality solutions are developed for software design issues, systems administration concerns, policy development, and security systems testing. Michael has more than 20 years' experience in the IT field and holds two associate's degrees, a bachelor's degree, and a master's degree. He has written or co-written a number of other books, including Que's Certified Ethical Hacker Exam Prep 2 and Inside Network Security Assessment by Sams Publishing. He is the author of Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network (Syngress, ISBN: 1597491098). He is a member of the American College of Forensic Examiners, the Independent Computer Consulting Association, and the Texas Association for Educational Technology.
Kevin O'Shea is currently employed as a Homeland Security and Intelligence Specialist in the Justiceworks program at the University of New Hampshire. In this capacity, Mr. O'Shea supports the implementation of tools, technology, and training to assist law enforcement in the investigation of crimes with a cyber component. In one of Kevin's recent projects, he was a technical consultant and developer of a training program for a remote computer-forensics-viewing technology, which is now in use by the state of New Hampshire. He also has developed a computer-crime-investigative curriculum for the New Hampshire Police Standards and Training.
Thomas Ralph graduated cum laude from Case Western Reserve University School of Law, where he served as editor on the school's Law Review. In 1998, after serving as legal counsel at MassHighway, Mr. Ralph joined the Middlesex District Attorney's Office, where he performed trial work in the District and Superior Courts. Mr. Ralph became Deputy Chief of the Appeals Bureau, Captain of the Search Warrant Team, and Captain of the Public Records Team. Mr. Ralph has appeared dozens of times in the Massachusetts Appeals Court and Supreme Judicial Court. In 2005, Mr. Ralph became an Assistant Attorney General in the New Hampshire Attorney General's office. His responsibilities there included spearheading the New Hampshire Attorney General's Cybercrime Initiative, an innovative program for processing and handling electronic evidence that has received national recognition, and overseeing complex investigations into the electronic distribution of child pornography.

Amber Schroader has been involved in the field of computer forensics for the past sixteen years. During this time, she has developed and taught numerous courses for the computer forensic arena, specializing in the field of wireless forensics as well as mobile technologies. Ms Schroader is the CEO of Paraben Corporation and continues to act as the driving force behind some of the most innovative forensic technologies. As a pioneer in the field, Ms Schroader has been key in developing new technology to help investigators with the extraction of digital evidence from hard drives, e-mail, and handheld and mobile devices. Ms Schroader has extensive experience in dealing with a wide array of forensic investigators, ranging from federal, state, and local to corporate. With an aggressive development schedule, Ms Schroader continues to bring new and exciting technology to the computer forensic community worldwide and is dedicated to supporting the investigator through new technologies and training services that are being provided through Paraben Corporation. Ms Schroader is involved in many different computer investigation organizations, including The Institute of Computer Forensic Professionals (ICFP), HTCIA, CFTT, and FLETC.
James "Jim" Steele (CISSP, MCSE: Security, Security+) has a career rich with experience in the security, computer forensics, network development, and management fields. For over 15 years he has played integral roles regarding project management, systems administration, network administration, and enterprise security management in public safety and mission-critical systems. As a Senior Technical Consultant assigned to the NYPD E-911 Center, he designed and managed implementation of multiple systems for enterprise security; he also performed supporting operations on-site during September 11, 2001, and the blackout of 2003. Jim has also participated in foreign projects such as the development of the London Metropolitan Police C3i Project, for which he was a member of the Design and Proposal Team. Jim's career as a Technical Consultant also includes time with the University of Pennsylvania and the FDNY. His time working in the diverse network security field and expert knowledge of operating systems and network products and technologies have prepared him for his current position as a Senior Digital Forensics Investigator with a large wireless carrier. His responsibilities include performing workstation, server, PDA, cell phone, and network forensics, as well as acting as a liaison to multiple law enforcement agencies, including the United States Secret Service and the FBI. On a daily basis he investigates cases of fraud, employee integrity, and compromised systems. Jim is a member of HTCC, NYECTF, InfraGard, and the HTCIA.
Craig Wright (CISSP, ISSAP, ISSMP, CISA, CISM, CCE, GNSA, G7799, GWAS, GCFA, GLEG, GSEC, GREM, GPCI, MCSE, and GSPA) has personally conducted over 1,200 IT security-related engagements for more than 120 Australian and international organizations in the private and government sectors and now works for BDO Kendall's in Australia. In addition to his consulting engagements, Craig has also authored numerous IT security-related articles, as well as being involved with designing the architecture for the world's first online casino (Lasseter's Online) in the Northern Territory. He has also designed and managed the implementation of many of the systems that protected the Australian Stock Exchange. He also developed and implemented the security policies and procedural practices within Mahindra and Mahindra, India's largest vehicle manufacturer.
Contents

Chapter 1 Digital Forensics and Analyzing Data
  Introduction
  The Evolution of Computer Forensics
  Phases of Digital Forensics
    Collection
      Preparation
      Difficulties When Collecting Evidence from Nontraditional Devices
      Hardware Documentation Difficulties
      Difficulties When Collecting Data from RAID Arrays, SAN, and NAS Devices
      Difficulties When Collecting Data from Virtual Machines
      Difficulties When Conducting Memory Acquisition and Analysis
    Examination
      Utility of Hash Sets
      Difficulties Associated with Examining a System with Full Disk Encryption
      Alternative Forensic Processes
    Analysis
      Analysis of a Single Computer
      Analysis of an Enterprise Event
      Tools for Data Analysis
    Reporting
  Summary
  References
  Solutions Fast Track
  Frequently Asked Questions
Chapter 2 Seizure of Digital Information
  Introduction
  Defining Digital Evidence
  Digital Evidence Seizure Methodology
    Seizure Methodology in Depth
      Step 1: Digital Media Identification
      Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media
      Step 3: Seizure of Storage Devices and Media
    To Pull the Plug or Not to Pull the Plug, That Is the Question
  Factors Limiting the Wholesale Seizure of Hardware
    Size of Media
    Disk Encryption
    Privacy Concerns
    Delays Related to Laboratory Analysis
    Protecting the Time of the Most Highly Trained Personnel
  The Concept of the First Responder
  Other Options for Seizing Digital Evidence
    Responding to a Victim of a Crime Where Digital Evidence Is Involved
    Seizure Example
    Previewing On-Scene Information to Determine the Presence and Location of Evidentiary Data Objects
    Obtaining Information from a Running Computer
    Imaging Information On-Scene
    Imaging Finite Data Objects On-Scene
    Use of Tools for Digital Evidence Collection
  Common Threads within Digital Evidence Seizure
  Determining the Most Appropriate Seizure Method
  Summary
  Works Cited
  Solutions Fast Track
  Frequently Asked Questions
Chapter 3 Introduction to Handheld Forensics
  Digital Forensics
  What Is the Handheld Forensic Impact?
    Digital Forensic Foundations
      File System Differences
      Static versus Active
      Storage Capacity Differences
      Imaging Techniques
  Evidence Collection
    First Responder
    Collection to Handling
      PDA Handling
      Cellular Handling
  Evidence Preservation
    Maintain the Device
    Maintain a Forensic Data Connection
    Forensic Grade Tools
  Analysis and Reporting
  Bibliography
Chapter 4 PDA, Blackberry, and iPod Forensic Analysis
  Introduction
    PDA Background Information
    Components of a PDA
  PDA Forensics
    Investigative Methods
      Step 1: Examination
      Step 2: Identification
      Step 3: Collection
      Step 4: Documentation
  PDA Investigative Tips
    Device Switched On
    Device Switched Off
    Device in its Cradle
    Device not in its Cradle
    Wireless Connection
    Expansion Card in Slot
    Expansion Sleeve Removed
  Deploying PDA Forensic Tools
    PDA Secure
    PDA Seizure
    EnCase
  Introduction to the Blackberry
    Operating System of the Blackberry
    Blackberry Operation and Security
      Wireless Security
      Security for Stored Data
    Forensic Examination of a Blackberry
      Acquisition of Information Considerations
        Device is in the "off" State
        Device is in the "on" State
        Password Protected
      Evidence Collection
      Unit Control Functions
      Imaging and Profiling
    Attacking The Blackberry
    Securing the Blackberry (RIM)
      Information Hiding in the Blackberry (RIM)
      Blackberry (RIM) Signing Authority Tool
  iPod Forensics
    The iPod
      iPod Features
      The iPod as Operating System
      Drive Formats - Apple HFS+ Or FAT32
      The iPod System Partition
      Application Formats
    Misuse of an iPod
    iPod Investigation
      Timeline Generation
      Lab Analysis
        Remove Device from Packaging
      The iPod restore process
      The iPod and Windows
        The Registry
        setupapi.log
      The iPod and Linux
        User Accounts
      Deleted Files
      iPod Time Issues
      Registry Key Containing the iPod's USB/Firewire Serial Number
    iPod Tools
      DiskInternals Music Recovery
      Recover My iPod
      Find the iPod
  Summary
  Notes
  Solutions Fast Track
  Frequently Asked Questions
Chapter 5 E-mail Forensics
  Introduction
  Where to Start?
    E-mail Terminology
      Here is an example HELO exchange
      Functions of E-mail
      Archive Types
      Server Storage Archives
        Lotus Notes
        Novell GroupWise
      Local Level Archives
      Ingredients of E-mail
        Mailbox Archive
        Other Associated Files of the Archive
        Message
        Attachments
  Forensic Acquisition
    Processing Local Mail Archives
      Step 1 - Acquisition Outlook PST File
      Step 2 - Processing
        Using Paraben's E-mail Examiner
        Using MS Outlook for Processing Outlook Express Files
    Processing Server Level Archives
      Step 1 Acquisition
      Step 2 Processing
        Using OnTrack PowerControls
        Using Paraben's Network E-mail Examiner (NEMX)
    Deleted E-mail Recovery
      Eudora Mail
      Outlook PST
      Network Archives
Chapter 6 Router Forensics
  Introduction
  Network Forensics
    The Hacking Process
    The Intrusion Process
    Searching for Evidence
  An Overview of Routers
    What Is a Router?
    The Function of a Router
    The Role of a Router
    Routing Tables
    Router Architecture
    Routing Protocols
      RIP
      OSPF
  Hacking Routers
    Router Attacks
      Denial-of-Service Attacks
      Routing Table Poisoning
      Hit-and-Run Attacks and Persistent Attacks
    Router Attack Topology
  Investigating Routers
    Chain of Custody
    Volatility of Evidence
    Case Reports
  Incident Response
    Compromises
  Summary
  Solutions Fast Track
  Frequently Asked Questions
Chapter 7 Legal Issues of Intercepting WiFi Transmissions
  Introduction
  WiFi Technology
    Authentication and Privacy in the 802.11 Standard
    Privacy
  Understanding WiFi RF
    Scanning I
Chapter 8 CD and DVD Forensics
  Physical Characteristics of CD and DVD Media
    CD Features
    CD Sizes and Shapes
    CD and DVD Types
    CD and DVD Colors
    CD-R Dyes
  Information Storage on CDs and DVDs
    CD and DVD Organization and Terminology
      Border Zone
      Lead In
      Lead Out
      Philips CD Text
      RZone
      Sector
      Session
      Sony CD Text
      TOC
      Track
    CD and DVD Sectors
      R-W Subchannels
    CD and DVD Differences
  CD-ROM Manufacturing Process
  Inside a CD-ROM Drive
    External Interfaces
    Drive Firmware
  CD and DVD Logical Structure
    Writing to a CD or DVD
    Logical File Systems
    CD and DVD File Systems
      Red Book Audio
      HSG
      ISO-9660
      Joliet
      Rock Ridge
      UDF
      HFS
      HFS+
      El Torito
    Space Allocation by CD and DVD File Systems
  Disc Accessibility Problems
    ISO-9660/Joliet File Systems
    UDF File Systems
    Other File Systems
  Forensic Binary Images
    Reproducing Forensic Images
  Collecting CD and DVD Evidence
    Recognizing CD and DVD Media
    Collection Considerations
      Marking Discs
      Transporting Discs
      Documenting and Fingerprinting Discs
    Officer Safety
  Preparing for Disc Examination
    Forensic Hardware
    Forensic Software
    Forensic Workstation
    Validation
    Disc Triage

Chapter 9 MP3 Forensics
  Introduction
  History
  Why Is an iPod Considered Alternative Media?
  Imaging and Hashing
  Hardware vs. Nonhardware Imaging
    Removing the Hard Drive
    Linux
    Registry Keys
  Types of iPods
    File Types Supported
  File Systems
  "Hacking Tools" and Encrypted Home Directories
  Evidence: Normal vs. Not Normal
    Uncovering What Should Not Be There
  Analysis Tools
  Summary
Index
.........................................
295
xix
This Page Intentionally Left Blank
Chapter 1

Digital Forensics and Analyzing Data
Introduction

Digital forensics is probably the most intricate part of the cyber crime investigation process. It is often where the strongest evidence will come from. Digital forensics is the scientific acquisition, analysis, and preservation of data contained in electronic media whose information can be used as evidence in a court of law. The practice of digital forensics can be a career all in itself, and often is. Other times it is a subset of skills for a more general security practitioner. Although the corporate digital forensic practitioner is not a law enforcement officer, it is a wise practice to follow the same procedures as law enforcement does when performing digital forensics. Even in a corporate environment, the work one performs can quickly make it to a courtroom. Regardless of whether the case is civil or criminal, the evidence will be presented the same way.
The Evolution of Computer Forensics

Traditional digital forensics started with the seizure of a computer or some media. The drives and media were duplicated in a forensically sound manner, bit by bit. Way back (if there is such a thing in computer technology) the forensic duplicate would be combed through using a hex or disk editor application. Later the forensic applications and suites evolved and automated or streamlined some of the processes. The forensic practitioner would undelete files, search for temporary files, recover e-mail, and perform other functions to try to find the evidence contained on the media. Today there are more user-friendly programs that present data in a GUI and automate much of the extremely technical work that used to require in-depth knowledge and expertise with a hex editor. There is also a wealth of hardware to make the practice even more conducive, but the reality is that the processes thus far have not changed that much. From the time of those first primordial seizures to today, a set of Best Practices has emerged; the attempt is to provide a foundation for the work performed under the heading Digital Forensics:

• Do not alter the original media in any way.
• Always work on a duplicate copy, not the original.
• The examination media must be sterile, to ensure that no residual data will interfere with the investigation data.
• The investigator must remain impartial and report the facts.
For the most part, best practices and methodology have remained unchanged since the origins of digital forensics. The system is documented; the hard drives are removed and hooked to a write-blocking device. The imaging utility of choice is used to create a forensic image, and the forensic application of choice is used for examination. The Best Practices were not viewed as guidelines, but as absolutes. This has worked well to date, but some elements are beginning to become dated. Although these best practices have served as a cornerstone for the current procedure, many of their elements are beginning to fall behind the technology curve and may need to be changed or adjusted. Unlike other forensic sciences, the subject matter of digital forensics continues to evolve, as do the techniques. Human fingerprints may change and evolve over time, but it won't be noticeable to the fingerprint specialists in their lifetime. The trace chemicals in a piece of hair may change, but the hair itself is going to stay pretty much the same. The techniques may evolve, but the subject matter does not noticeably. Digital evidence, on the other hand, continues to change as the technology does. Operating systems and file systems will progress and change. Realistically, operating systems change nearly every five years. Storage arrays continue to grow larger and larger as the technology improves, magnetic data density increases, and the price points come down. Flash media drives continue to grow larger in capacity and smaller in form factor. The volume of devices with potential storage for evidence has grown exponentially and will continue to. Gaming systems, digital audio players, media systems, Digital Video Recorders: the list continues to grow. The boom in the digital camera market created a tremendous volume of devices and analysis needs that traditionally were in the realm of photographic examiners, not the computer geek.
As the assortment of potential evidence sources continues to grow, the methodologies need to expand greatly. For example, a cellular phone normally needs to stay powered on to retain all the data. If the device stays on it may connect to a wireless network. To ensure the device is isolated from the network the investigator will need to use a Faraday device, but in reality, by removing the device from the network we actually change the data on the device. The device will make a note to itself of the details of going off the network.
In the pages that follow I will address some of the difficulties that occur and how some of the technologies and best practices are falling behind the technology curve. These include not only technical challenges but also procedural challenges.
Phases of Digital Forensics

Traditional digital forensics can be broken down into four phases. Some of the work performed may overlap into the different phases, but they are very different:

• Collection
• Examination
• Analysis
• Reporting
Collection is the preservation of evidence for analysis. Current best practices state that digital evidence needs to be an exact copy (normally a bit stream copy or bit-for-bit duplication) of the original media. The bit stream copy is then run through a cryptographic hashing algorithm to assure it is an unaltered copy. In modern digital forensics this is often done by physically removing the hard drive from the device, connecting it to a write blocking unit, and using a piece of forensic software that makes forensic duplicates. Examination is the methodical combing of the data to find the evidence. This includes work such as document and e-mail extraction, searching for suspicious binaries, and data carving. Analysis is the process of using the evidence recovered to work toward solving the crime. The analysis is the pulling together of all the bits and pieces and deciphering them into a story of what happened. Reporting is the phase where all the other phases are documented and explained. The report should contain the documentation of the hardware, the tools used, the techniques used, and the findings. All the individual phases have their own issues and challenges.
Here are some great resources on Computer Incident Handling and Digital Forensics:

NIST "Computer Security Incident Handling Guide" SP800-61
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

NIST "Guide to Integrating Forensic Techniques into Incident Response" SP800-96
http://csrc.nist.gov/publications/nistpubs/800-96/sp800-96.pdf

National Institute of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement
www.ojp.usdoj.gov/nij/pubs-sum/199408.htm

RFC 3227, Guidelines for Evidence Collection and Archiving
www.faqs.org/rfcs/rfc3227.html
Collection

Traditional digital forensics best practice is to make a full bit stream copy of the physical volume. This normally entails physically removing the hard drives from the suspect system and attaching the drive to another system for forensic duplication. A forensic image is a bit-by-bit copy of the original media. It copies all the data on a storage device, including unused portions, the deleted files, and anything else that may have been on the device. The suspect hard drive should be protected from alteration (remember the procedure?) by a hardware solution, a software solution, or both. The hardware solution is normally either a write-blocker or a hardware imaging device. A write-blocker blocks the write commands that the examination system's operating system would normally issue to the drive. Software solutions entail mounting the suspect drive or device as read-only by the operating system. The data must be unaltered and the chain of custody must be maintained. Where practical, all the work should be performed on a copy; the originals need to be preserved and archived. To be able to ensure the data is unaltered, the original drive and the imaged drive are hashed and the hashes are compared to ensure that an exact bit-by-bit copy has been acquired.
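The hash comparison just described, written out as an added example (it is not the book's own code): both the source medium and its image are hashed in fixed-size chunks with two algorithms, and only the first source-size bytes of the image are hashed, because the target drive is often larger than the evidence drive (the Preparation section makes that point for hardware imagers). The sample data and the file-path helper are constructed for illustration.

```python
import hashlib
import os
from io import BytesIO
from typing import BinaryIO, Dict, Iterable

CHUNK_SIZE = 1024 * 1024  # hash a megabyte at a time so a whole drive never sits in RAM
ALGORITHMS = ("md5", "sha256")  # two algorithms, so a collision in one is not fatal


def hash_exact(stream: BinaryIO, length: int,
               algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hash exactly `length` bytes from `stream`, raising ValueError if it runs short."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    remaining = length
    while remaining > 0:
        chunk = stream.read(min(CHUNK_SIZE, remaining))
        if not chunk:
            raise ValueError(f"stream ended {remaining} bytes before the expected length")
        for h in hashers.values():
            h.update(chunk)
        remaining -= len(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source: BinaryIO, source_size: int,
                 image: BinaryIO, image_size: int) -> dict:
    """Compare the source medium against its image and report both sets of hashes.

    Only the first `source_size` bytes of the image are hashed: when the target
    drive is larger than the evidence drive, the bytes past the end of the copy
    are not part of the image. An image shorter than the source can never be a
    bit-for-bit copy, so that case fails without hashing anything.
    """
    result = {"source_size": source_size, "image_size": image_size,
              "extra_target_bytes": max(0, image_size - source_size)}
    if image_size < source_size:
        result.update(match=False, reason="image shorter than source")
        return result
    result["source"] = hash_exact(source, source_size)
    result["image"] = hash_exact(image, source_size)
    mismatched = [a for a in result["source"] if result["source"][a] != result["image"][a]]
    result["match"] = not mismatched
    result["reason"] = "hashes match" if not mismatched else "hash mismatch: " + ", ".join(mismatched)
    return result


def verify_image_bytes(source: bytes, image: bytes) -> dict:
    """Convenience wrapper for in-memory data (used by the self-check below)."""
    return verify_image(BytesIO(source), len(source), BytesIO(image), len(image))


def verify_image_files(source_path: str, image_path: str) -> dict:
    """Verify an image file against a source device or file (paths are placeholders).

    os.path.getsize() may report 0 for a block device, so the size is taken by
    seeking to the end of the opened file instead.
    """
    def _size(f: BinaryIO) -> int:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(0)
        return size

    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        return verify_image(src, _size(src), img, _size(img))


if __name__ == "__main__":
    # Constructed sample data: a 10 KiB "drive" and a larger "target" that
    # holds the copy followed by leftover bytes, as a bigger target drive would.
    evidence = bytes(range(256)) * 40
    target = evidence + b"\xff" * 4096
    report = verify_image_bytes(evidence, target)
    print(report["reason"], "| extra bytes on target:", report["extra_target_bytes"])
    for name in ALGORITHMS:
        print(f"{name}: source={report['source'][name]} image={report['image'][name]}")
```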
Digital evidence needs to be:

• Admissible: It must conform to certain legal rules before it can be put before a court.
• Authentic: The data must be proven to relate to the incident. This is where additional documentation is important.
• Complete: It must be impartial and tell the entire account.
• Reliable: There can be nothing relative to the collection and handling of the evidence that could create any doubt. Chain of Custody procedures become crucial.
• Believable: The reports and documentation must present everything so it is believable and understandable by a judge or jury.
Any digital evidence collected must meet these requirements. The challenge that is surfacing is admissibility. There are the traditional rules and best practices that concentrate on data from static or powered-down systems. As we will see next, there are situations where this approach is either difficult, impossible, or may leave large amounts of data behind.

Challenges to collecting the data for analysis can include getting the files off the systems, and then working with them once they are off. Does the system have some way of connecting external storage, or is there even physical access to do so? If there is no physical access, how long will it take to move the data off the system to work with it? An option may be to work with the data on the system, but is there enough storage on it to be able to duplicate and analyze it? If the system was compromised, can the use of the utilities and binaries on it be trusted? Most likely not. The next option is to move the data off via the network connection. How large is the network link to move the data off? If the data cannot be worked onsite, do you have the storage to transport it? Do you have the storage to work with it later? Do you have systems powerful enough to comb and query through all the data? Are all the systems in the same data center, or do you have to travel or have multiple teams working simultaneously? There are a multitude of questions, and some preplanning can be essential. Incidents at a large business or other large network can aggravate these issues, and can be extremely complex. The cyber crime responder will almost surely find a variety of systems running a multitude of operating systems. The devices can encompass nearly everything and anything. The most important step when responding to a large cyber crime incident is to take a few minutes and first figure out what kind of systems you are dealing with.
It's worth the time to gather any available documentation, such as network diagrams and system configurations. The key early on is to avoid tunnel vision. There can be a multitude of systems that need data to be recovered from them, needing possibly as many ways to get at the data. It is easy to fall into the trap of centering on the first system found to be compromised or involved, when that system may be the tip of the iceberg. If all the concentration of the investigation is centered on the first system, then all the other evidence may be missed initially. Or, if the retention times of logs or volatile data are too short, the data may be gone forever. Just like a lost hiker searching for the path, work in circles out from the point of discovery. From that initial machine of interest, begin to look outward, concentrating on access paths that lead to it. Do not forget physical paths to a system: access controls and video surveillance are present in most data centers or offices, and physical access logs definitely should be reviewed.
Preparation

An assortment of tools is needed, both hardware and software. If you have the opportunity, try to get as much information as possible before you go to the machines. If it is in your native environment, preplan what is required for a normal engagement, and for the contingencies. A few extra phone calls or extra minutes to gather extra tools can save hours later trying other acquisition methods or struggling with inadequate hand tools. It can also help you determine if you need additional resources, or if it is over your head. If you are in a corporate environment you should have the specifications for the critical systems available to assist law enforcement in working with your systems if you are not going to do the acquisitions in-house. Most likely this information should already be available for disaster recovery or hardware failure issues. Be sure to have enough drives or storage to hold all the forensic images that will be collected. The drives should be prepared beforehand. The preparation should entail wiping the drive so that there is no data that could contaminate the data collected. It also eliminates the allegation that there could be data planted or that the evidence collected was tainted. A log should be kept that documents the preparation of the storage media.

A federal law enforcement officer appears at a data center to assist in a cyber crime investigation. He states to the corporate forensics person handling the case, "I'm here to pick up the server." The corporate forensics person stares at him blankly, and then asks, "Did you bring a box truck and a few more men and maybe a few small boys to help?" "Why?" asks the officer. "Because the 'server' is seven racks if you include the storage array!"

Considering many middle-of-the-road personal computers today are shipping with 400 GB drives, full bit stream copying or imaging is becoming a hardware and time commitment.
Something to consider: hardware-based imaging solutions such as the Logicube MD5 require a target drive larger than the evidence drive. Currently the choice would be a 500 GB or 750 GB drive. Encounter a 750 GB drive, and the collection needs to be done with a solution that allows the image to span media. One terabyte single drives will enter the consumer market in 2007. The point is that a plan B should always be considered or prepared in case the primary method just won't work. An interesting trend to watch is the growth of storage media. The concept of Moore's Law as it relates to processing power is well known. Hard drives, since their introduction in 1956, took 35 years to reach 1 gigabyte. One gigabyte is routinely carried in digital cameras and cell phones today. The 500 gigabyte or half a terabyte drive took 14 more years to make it to the consumer market. It only took two more years to double and reach the one terabyte mark [PC World]. As this trend continues the volume of data to examine will explode.

When it comes to being prepared for response, a Linux machine is a must-have. Some people will like a Mac, and they work well in this situation also. A system that can perform SMB and NFS mounts and run netcat, ftp, and scp can be invaluable. A Windows system can do these things also, but it needs far more third-party software to do so. A *nix-based system will also have the ability to mount a wider variety of file systems. Once the data is recovered, all the native *nix tools will be available to search and manipulate the data.
A final consideration is that data may need to be preserved in order of volatility. The most volatile data needs to be preserved first. This applies to running systems for the most part, but the way in which we approach live systems will become more important in the near future; more on that later. An example of an order of recovery of system data according to volatility looks like this:

• Live system information: This includes memory, the routing table, ARP cache, and a process list. The concern with live system information is that it is difficult or impossible to image the system memory or other live data without altering the original data.
• Virtual memory: Swap space or paging files.
• Physical disks: The physical hard disks of a system.
• Backups: Offline back-up media such as magnetic tape or other media. It is entirely possible that the data you are looking for is not on the system today, but it was there yesterday and is on last night's backup.
The multitude of potential systems and devices that may be encountered during a cyber crime investigation requires the creation of a large and flexible toolkit. This toolkit needs to include not only the hardware and software to deal with a variety of devices, but the investigator's own toolkit of tricks and procedures to deal with them. This toolkit should include resources to turn to when the forensic practitioner is in a situation beyond their skills.
Difficulties When Collecting Evidence from Nontraditional Devices

We have witnessed an explosion in the growth of storage media, but we have also seen the continuing development of alternative storage media. The diversity of devices and storage formats continues to be a challenge. These can include, but are not limited to, the following.
Hard Drive Interfaces

The first issue, though not really new, has expanded with the popularity of SATA and other technologies. For the most part, hard drives were either IDE or SCSI. IDE was either 3 1/2 inch or 2 1/2 inch. With the marvels of technology we now have drives with the 1.8 inch interface. There is the addition of SATA, in both 3 1/2 inch and laptop sizes, which luckily use the same connectors. Then there are all the SCSI adapters. There is also Fibre Channel, but we will save that for later. In the absence of a drive adapter, there is always network acquisition, at the cost of time. Then again there are only a bazillion network cards to try and build boot disks or scrounge drivers for. The best way to be ready for the different drive interfaces is to have a selection of drive adapters on hand. The cost of most of them is relatively inexpensive. Most of the adapters allow the use of a standard IDE write-block device, or, once adapted, the drive can be mounted read-only. As always, be sure to test and validate a configuration before using it on an actual acquisition. If the drive cannot be adapted to a write-block, there is always the option of a network or USB acquisition.
MP3 and Digital Entertainment Systems

MP3 players such as iPods continue to increase in storage capacity and capabilities. Many have the ability to act as a personal organizer. Most devices also have the ability to act as portable storage. In addition, malware has been created to use devices like iPods to steal data from systems. Most of these devices can be treated like an external hard drive. Although many of them have a small hard drive and can be disassembled and the drive removed for acquisition, this can be tedious and difficult. A solid strategy is to acquire them through their interface, which is normally USB. As with an external drive, they can be write-blocked through a hardware solution or by mounting the drive read-only through the operating system.
Phones and PDAs

Nearly everyone is carrying a cell phone today, if not several. The line between the cell phone and the PDA has blurred. Similarly, the line between a cell phone, PDA, or computer has again blurred. It is not uncommon for a device to have over 1 GB of storage, and it can be a gold mine of data and evidence. Just be sure your legal process paperwork or privacy policies are addressed during seizure. The data on devices that run on battery can be extremely volatile, and they may need to be processed quickly or kept on a power supply. Special care must also be taken to avoid data corruption on wireless-enabled devices, so a Faraday device should be considered. Mobile phones are probably one of digital forensics' biggest conundrums. The sheer volume of manufacturers, chipsets, and operating systems (many of them proprietary) makes it impossible to gather data from all the devices through the same process. It is often impossible to acquire a full physical dump of all the storage on a device. A logical dump of the information is all many software packages can provide. Some software packages require the installation of an applet or driver to provide for the acquisition. Due to the fact that connectivity to the device requires the device to be powered up, nearly all acquisitions are live acquisitions. The acquisition of the device will change the data. The volatility of the data on a mobile device also contradicts the traditional realm of digital forensics, as the acquisition is similar to a network forensic capture: it is a snapshot at a specific moment in time. It is highly likely that if the device were reacquired the data would be different, and in turn the hashes of the data would be different. At least any memory cards in the device can be acquired in a traditional manner. A cell phone or wireless-enabled PDA should be isolated via a Faraday device. The wireless device should also have an auxiliary power source if the batteries will not maintain the unit until it can be processed. This is especially important because some devices will panic and scan for the network when isolated, using their power reserve faster than normal. Due to the volatility issue presented by power and wireless networks, the device should be processed as soon as possible. The practitioner will also find there is no silver bullet for phones and PDAs.
An extensive toolbox of software and cables will be needed if a variety of devices is encountered. Lastly, if all else fails, the data on the devices can be documented by manually examining them and photographing the screens as the exam progresses.
Flash Memory

Many devices use flash memory. MP3 players, digital cameras, cell phones, USB drives, and handhelds are examples. During evidence collection and seizure be sure to look carefully for pieces of media. Formats like Mini SD are extremely small. Also be sure to look for the hardware that may go with the media. Some formats like xD are used in a limited number of devices. Flash memory can be challenging as there are already many formats and more are being created. The density continues to improve as does data storage in general, so some flash media is becoming quite large.

Flash memory card readers for a variety of formats are a must. Luckily they are relatively inexpensive, so it is easy to keep most of the formats on hand. There are some forensic versions available that are built read-only, which helps reduce the potential issues, but a normal card reader can be used with any of the other procedures to protect the data integrity.
Gaming Machines

Modified or "modded" game consoles like an Xbox, Xbox 360, or PS2 can be a source of evidence. For example, an Xbox with a mod chip and Xbox Media Center can be a powerful system used to store video, music, or other data. The system can act as a server or a client. Nonmodified systems use a proprietary file system, not supported by most forensic applications. What can make the triage of the system tricky is that it is often difficult to tell from the exterior if the machine has been modified. This is an example where some traditional investigative intelligence and triage may reduce the forensic practitioner's workload.

Gaming systems should absolutely be considered during the evidence seizure process. They can be treated and handled basically as any other PC during acquisition and examination, as they use the same basic hard drive busses.
GPS

Global Positioning System receivers are fairly commonplace in many vehicles or handheld units. They can provide valuable information in the form of historical locations or waypoints. Some of the more advanced units combine cellular radios to allow for tracking or other data uses. These hybrid units, like many other devices, continue to blur the lines between traditional device classifications. So for the digital forensics practitioner, what procedure should be used? An agency's GPS procedure or its cell phone procedure? A GPS will likely require some homework before tackling it. There will often be drivers or manufacturer-specific software required to interface with the device. If there is no other way to extract data from the device, a manual exam taking pictures, as with a cell phone, may be required.
Digital Video Recorders

From a TiVo or a MythTV system to a commercial camera system digital video recorder (DVR), the DVR continues to find its place in homes as part of entertainment systems, or in businesses as part of the security system. Many commercial DVRs use proprietary file systems or data formats. They may require a volume of file carving or manual analysis. A TiVo, in addition to having Wi-Fi network capability and transferring data to other PCs, now also allows some limited Internet functions. Commercial digital video recorders may also use special codecs for playback; research your devices before attacking them. DVRs should also be considered during the evidence seizure process. They can be treated and handled basically as any other PC during acquisition and examination since they use the same basic hard drive busses. A common issue with the examination of commercial DVRs is ascertaining the format their video files are in. Some research into the device and the codecs used should be started early when faced with one.
PBX and VoIP Systems

The line between the traditional PBX and the everyday IT server has virtually vanished. The evolution of Voice over Internet Protocol (VoIP) utilizing PCI-based interface cards and software designed to work on nonproprietary operating systems has made the PBX just another server. Examples are an Asterisk server running on a Linux system, or YATE on a Windows system. Voicemail servers and Interactive Voice Response systems are following suit. The trend of expanding VoIP services on commodity hardware, coupled with the expansion of security research into VoIP protocols, may make telephony equipment a more prevalent target of cyber crime. The maturing of VoIP and the attention it is receiving from security researchers means it will also receive attention from blackhats and crackers. When approaching these systems, remember there can be many interfaces to communications networks beyond Ethernet, such as PSTN and ISDN. The documentation of the connections is always important, but probably even more so when dealing with a telecom device, as there will likely be more than usual. Like many other systems in the nontraditional arena, a PBX will require some research to aid in making sound decisions about how to approach it. A PBX based on a traditional server can be approached like any other server, but a legacy commercial PBX can be a very specialized piece of equipment requiring special skills.
Resources for Alternative Media Forensics:

www.Multimediaforensics.com
www.Phone-forensics.com
Phone Forensics Yahoo Group
Hardware Documentation Difficulties

Documenting hardware configuration is a tedious but essential part of the forensic process. The magnitude of documentation is in direct correlation to the number and type of devices being acquired. What we, as examiners, cannot afford to forget are the various aspects to documenting hardware. Within the documentation process itself, all the system configurations need to be documented, including the installed hardware and BIOS settings, such as the boot device. Another essential aspect of hardware documentation is the time settings of the system and the system clock of each device. The system time needs to be documented and compared to the actual time. The time zone setting may also be crucial when creating timelines or other analysis. The presence of an NTP time server should be noted. Remember, a system on a Microsoft Windows domain will sync its time with the domain controller, but by default the time can be off by 20 seconds and function properly. Traditional forensics dictates that all the identifying labels and numbers are documented. Often pictures of all sides and labels are taken as part of the documentation process. This can also be extremely difficult with large systems. It could potentially take a day to unrack and photograph all the systems in a rack. Depending on the approach taken to acquire data from a system, the complete detailed hardware documentation may need to occur after the acquisition is done. If the system is live it most likely will not be desirable to shut down a complex system to document it, and then restart it to perform an acquisition. If you have the opportunity, look at a blade server enclosure and the servers in a datacenter in one day. Consider how to document each of the blades as you would a typical PC. Then think about the fact that a typical rack can often hold six enclosures holding 16 blade servers. I would hope the IT staff has some decent documentation to work from. If you can verify from their existing documentation instead of working from scratch, you can save a lot of time. A large storage system is probably another example of an instance where the devices will need to be documented after they are acquired, unless the physical option is used. This is because it may not be practical to image each drive individually. Once the storage system's logical image is complete, the drives can be removed from the enclosure and documented. The documentation of rack after rack of hard drives can be even more daunting than blade servers. The network topology and any systems that directly interface with the system, such as through NFS or SMB mounts, should also be documented.
If the investigation expands, it may be necessary to increase the documentation of the surrounding network to encompass the switches, routers, and any other network equipment. In the case of an intrusion, any of these paths could be the source of the compromise. A final item to document is the console location, if one exists. Even today, not all unauthorized access happens through a network connection. Complete and clear documentation is key to a successful investigation. If the incident leads to litigation, the report created from the documentation will make a valuable reference for the examiner. Complete documentation will help to remove any doubt cast by the defense or other party in a civil matter.
Difficulties When Collecting Data from RAID Arrays, SAN, and NAS Devices Enter the corporate or government arena and now the 500 GB hard drive becomes a multiterabyte or petabyte storage system. Faced with a 20 terabyte SAN, the complexity of obtaining a forensic image of the physical drives and reassembling the logical volume is considerable. Add the logistics of storing the forensic images or owning the storage hardware "just in case," and it is not always very practical. So for the sake of argument, let's say you were able to image and hold the 20 terabyte SAN array, and maybe reassemble it into a logical volume; how much computing power and time does it take to search that volume of data? The era is approaching where a better triage process needs to occur so the evidence that is pertinent to the investigation is collected first. The adoption of more parallel operations needs to occur. The examination and analysis phases need to begin as the systems triaged as less important continue to be acquired and imaged. This in time will make the examination and analysis processes more efficient, and allow investigations to complete in a more timely manner. Depending on the goals of the investigation, imaging an entire system may not be necessary. If there is a single individual under investigation for financial fraud, then it may likely not be of value or necessary to image 20 terabytes of storage on a file server that affects 200 other employees. It is more efficient to triage the area where the individual had access and start with that data.
RAID A Redundant Array of Independent Disks (RAID) and Network Attached Storage are used to hold large volumes of data and often provide some level of redundancy. A RAID uses multiple disks to provide redundancy or performance enhancements over a single disk. As it applies to forensics, the RAID appears as one logical disk, but spans multiple physical disks. If the individual physical disks are removed and imaged separately, the RAID must be reassembled using the forensic software later in order to get the useful data. It is often much simpler to perform an acquisition of the logical drive. If your organization's policies require it, after the logical acquisition a physical acquisition of all the drives can be performed. A note about RAID array reassembly: be sure to get the RAID controller configuration. It can save you tremendous amounts of time later if reassembly of the physical images is performed.
SAN Storage area networks (SAN), like NAS, are challenging not only because of the size, but because of the technology involved. The two predominant SAN types are Fibre Channel and iSCSI. The positive thing about SANs is that they are divided into logical unit numbers (LUN). If the data relevant to the investigation is restricted to a single system, then the LUN allocated to that system may be the only part of the SAN that needs to be acquired. Linux tends to be the logical choice to use as an imaging platform since there are not many Fibre Channel write blockers at the time of this writing. An important point is to make sure the host bus adapter (HBA) is supported. iSCSI SANs can normally be attached via the network adapter. If time is more of an issue than budget, there are iSCSI HBAs with Linux support available to offload some of the processing from the CPU. The HBAs have an onboard SCSI Application Specific Integrated Circuit, which provides a considerable performance gain. The greatest challenge when working with a SAN is sheer storage to copy the data to. Vendors are building great solutions like multiterabyte portable RAID enclosures to assist with this issue. Another option is to use software that allows the spanning of target media during an acquisition. The hardware to deal with large storage systems can be expensive. A multiterabyte portable RAID and a Fibre Channel write blocker can run well over $10,000.
NAS Network attached storage (NAS) devices are appliances with the sole purpose of providing data storage. A NAS can be a challenge to obtain a forensic image from, since they run limited services and protocols. If they can be acquired forensically through an attached system, then that may be the preferred option. Otherwise the NAS may need to be disassembled and imaged drive by drive. There are many NAS devices designed and marketed for the home or small business user. They are no longer just in the realm of the enterprise. Fortunately for the cyber crime investigator, the storage capacities are not yet that extremely large, but that will change with time. So how do we follow the traditional best practices again when there is no real practical way to access the drives directly and take physical images? The other very real consideration with large storage systems is that there is a large investment in the hardware. Since there is a large investment, it would be logical to assume the storage is attached to a system that is at least marginally important. For a business that needs its systems running to generate revenue, it may again become a business decision to limit the scope of work to limit the downtime.
Difficulties When Collecting Data from Virtual Machines Virtual machines residing on a host system are commonplace for a variety of reasons, from enterprise virtual servers to nefarious purposes on a blackhat's machine. Virtualization applications have matured to the extent that reliable systems can be built for production machines, not just development and testing work as in the past. What can make virtual machines interesting is they could conceivably be a host of one operating system hosting multiple virtualization platforms, each with multiple virtual machines of different operating systems. The forensic practitioner is faced with the specter of multiple OSs, and the complexity of each of the virtualization applications on a single system. Add a RAID or external storage and one may desire a change of profession. Luckily most of the major forensic suites support the most popular virtual disk formats, making the acquisitions a bit easier. Virtual machines can also be imaged live just like a physical system if a live system is encountered. A static or dead acquisition depends on the tool choice. One option is to export the virtual disk file from the host machine's image and mount the virtual disk file as a drive. Another choice is to use a tool like the VMware Disk Mount utility. It allows the virtual disk to appear as a drive attached to the system, which can then be imaged with the tool of choice if not natively supported. The reality is the virtual disk is very similar to a dd image with some additional data.
Difficulties When Conducting Memory Acquisition and Analysis Memory analysis is becoming more needed and common on running systems, especially as systems can be compromised without ever accessing the disk, so the only artifact may be in memory. Commercial products like Core Impact do it, so it is conceivable that the product or its technology can be used for nefarious purposes. There are multiple examples of malware such as the Witty Worm that are memory resident only. This and other potentially valuable pieces of investigative data will be missed if we continue to examine only systems that have been shut down. The volume of data that is memory resident today is over a hundred times larger than the entire hard drive from the 1980s. It's another example where the accepted procedures and best practices are lagging behind the technology curve.
An excellent paper on memory acquisition and analysis by Mariusz Burdach is available on his Web site, http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf.
Avoid calling a memory acquisition an "image." It is not a true image in the traditional forensics sense. This is because without specialized hardware it is not really possible to create a bit-by-bit image of the system memory without affecting some part of it. In a way it is similar in concept to the Heisenberg uncertainty principle: when an electron's location is measured, it is moved. When memory is acquired, it is normally changed. Most *nixes allow the acquisition of memory fairly easily, because the system sees memory as a file like everything else. The staple dd or any of its forensic variants like dcfldd can be used to create a memory acquisition. Microsoft Windows allows access to the physical memory object but requires Administrative privileges to access it. There are tools available that allow the memory to be acquired; the versions of dd compiled for Windows are the most common. There are also tools and scripts available to assist in analyzing the dump. A note: there have been security enhancements in Windows XP 64-bit, Windows 2003 Server SP1, and Windows Vista. These versions of the operating systems block all user mode access to the physical memory. The future appears to be hardware-based devices such as a dedicated PCI card [hwmem] or through the IEEE 1394 FireWire interface [fwmem], but even though the concepts and prototypes have existed for years there are no readily available commercial products. The apparent advantage of hardware solutions is the decreased impact on the running system. For this reason, the hardware solutions will most likely emerge as the favored method. There is currently a debate, and will continue to be for some time, over the practice of memory acquisitions. It is seen by many as contaminating the evidence. Others see it as obtaining all the data and evidence available.
The often-used defensive analogy is a physical crime scene, where the crime scene unit enters the area to recover fibers and fingerprints. Their actions and movements are documented to prove they caused as little contamination as possible. In the digital realm, many feel that if the same care is taken to document all the actions taken, then the contamination is controlled and documented.
My personal opinion is I would rather have the data and have to fight for admissibility later than lose potentially key data and investigative intelligence.
Examination Examination consists of the methodical sifting and combing of the data. It may consist of examining dates, metadata, images, document content, or anything else. Many forensic practitioners use the same step-by-step process for their examination: keyword search, obtain web histories, search unallocated space, search file slack. It all depends on what the goal of your investigation is. Remember, forensics is just an aspect of the larger investigation. Since the needs of the exam may change with the investigation, I believe the traditional forensic menu used by many is becoming impractical. The "Nintendo Forensics" practice of running some keyword searches and some scripts written by others is probably missing lots of key evidence. The larger volumes of data require better triage methods while streamlining the process to allow for deeper inspection of key areas like the Windows registry. The increased use of tools such as hashes to filter known files, along with other tools to sort the files for focused examination, can help speed the examination process when facing a huge amount of data.
Utility of Hash Sets Hash sets are precompiled lists or databases of known file hashes. For instance, all the files associated with an application install or a series of illegal images are hashed with a cryptographic algorithm and the resulting hashes are put into an indexed collection. During an examination, the hashes of the application set are compared to the hashes of all the files found on the system. A matching hash mathematically nearly guarantees the file is a file associated with the application, regardless of its name. Hashes traditionally have been used to find known suspicious files such as malware, cracker tools, or illegal images. Just as hash sets can be used to look for known bad things, through the same process they can be used to locate known good or benign files. By using hash sets to locate the files that are not related to the investigation, or are unchanged operating system files, for example, examiners can filter out the noise. Dependent on the triage of a case, a hash set of known operating system files can quickly filter out a quantity of files that in all likelihood do not need to be examined. For instance, an incident where there is not believed to be a compromise of the system would not initially need to search or examine all the driver files. The use of hashes to filter out files known to be unaltered from the hardware vendor can greatly reduce the volume of information to be examined and in turn the time to examine a system. The files left behind are either altered files or files in user space, which will probably be where the real evidence or information lies.
The creation of personal hash sets as part of the preparation task can be a time saver later. Creating hash sets of all of an organization's gold or standard images of workstations and servers used for new installs means only altered or added files need to be analyzed. The files of internal applications can also be hashed and sets created to help filter out files that would not be included in more mainstream hash sets.
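As an added illustration of the filtering described above (example code, not from the book or any forensic suite), this Python script builds a hash set from a constructed gold image directory and reports only the files on a constructed suspect tree that are altered or added; the file names and contents are invented sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large evidence files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_set(gold_root):
    """Build a known-good hash set from a gold image tree: {sha256: relative path}."""
    gold_root = Path(gold_root)
    known = {}
    for path in sorted(gold_root.rglob("*")):
        if path.is_file():
            known[sha256_file(path)] = path.relative_to(gold_root).as_posix()
    return known


def filter_with_hash_set(suspect_root, known):
    """Return the files under suspect_root whose hash is NOT in the known set.

    Each entry is (relative path, classification): 'altered' when the same path
    exists in the gold image but the content differs, 'added' when the gold image
    has no file at that path. Matching is by hash only, so a known file that was
    renamed on the suspect system is still filtered out.
    """
    suspect_root = Path(suspect_root)
    known_paths = set(known.values())
    remaining = []
    for path in sorted(suspect_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(suspect_root).as_posix()
        if sha256_file(path) in known:
            continue  # unchanged vendor/organization file: noise for this exam
        remaining.append((rel, "altered" if rel in known_paths else "added"))
    return remaining


def demo():
    """Constructed gold image and suspect tree (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, suspect = Path(tmp, "gold"), Path(tmp, "suspect")
        for base in (gold, suspect):
            (base / "Windows" / "System32").mkdir(parents=True)
        # identical OS file on both: filtered out
        (gold / "Windows" / "System32" / "kernel.dll").write_bytes(b"KERNEL build 1")
        (suspect / "Windows" / "System32" / "kernel.dll").write_bytes(b"KERNEL build 1")
        # known file renamed on the suspect system: still filtered out (hash match)
        (gold / "Windows" / "notepad.exe").write_bytes(b"NOTEPAD build 1")
        (suspect / "Windows" / "np.bin").write_bytes(b"NOTEPAD build 1")
        # known path with modified content: left for examination as 'altered'
        (gold / "Windows" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (suspect / "Windows" / "hosts").write_bytes(b"127.0.0.1 localhost\n10.0.0.5 update.example\n")
        # file with no counterpart in the gold image: left for examination as 'added'
        (suspect / "Windows" / "System32" / "unknown_tool.exe").write_bytes(b"NOT IN GOLD IMAGE")
        return filter_with_hash_set(suspect, build_hash_set(gold))


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:8} {rel}")
```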
Difficulties Associated with Examining a System with Full Disk Encryption An increasingly common issue is full disk encryption. This will change how hard drives are acquired. As the issues of lost and stolen laptops continue to impact organizations, many IT departments are turning to full- or partial-disk encryption to protect data. For the forensic practitioner, this usually means the data of interest will be in the encrypted portions of the drive. If all the data of interest is encrypted, traditional forensic practices will be useless. The choices are to perform a live image of the system with the encrypted storage mounted, if possible, or to decrypt the drive after acquisition. As with many other issues in contemporary digital forensics, this is another area where the best practices and procedures are trailing the technology. The solutions should be evaluated and your own procedures created. In a crunch, the live system image will almost always be faster.
Trusted Platform Module (TPM) The Trusted Platform Module is another emerging technology that will enhance existing encryption schemes. The TPM is a chipset being installed in newer machines that stores keys, passwords, and certificates. The chipset provides hardware-based encryption functionality that may prove to be a challenge. A suggested methodology for dealing with drives that have been encrypted with full disk encryption follows:
• Image in state traditionally
• Restore the acquired image back to a sanitized target disk
• Decrypt the target disk
• Acquire the decrypted target disk
• Analyze the decrypted disk as normal
This methodology, although significantly increasing the time required and doubling the required storage, leaves the original unaltered and maintains a forensic image of the original. It sounds simple, but the challenge is the third step. Decrypting the drive may take a few Cray supercomputers and the code breakers of the NSA if the encryption is strong and the key unavailable. In lieu of those resources, the normal tricks of password cracking can be used. The requirement for complex
passwords and the volume of passwords the average user must remember has rekindled the trend of written-down passwords. When searching for passwords, look for hiding places within an arm's length. Remember to check for passwords during the incident response and seizure phases. Another trick is to use the other evidence found to create a dictionary to use for a brute force attack. Remember that the hash of the original encrypted drive will not match the unencrypted drive. They are different data sets and need to be documented as such.
Alternative Forensic Processes A newer concept, at least in name, is fast forensics. Fast forensics is defined as "those investigative processes that are conducted within the first few hours of an investigation, that provides information used during the suspect interview phase. Due to the need for information to be obtained in a relatively short time frame, fast forensics usually involves an on site/field analysis of the computer system in question." [nw3c] The implementation of fast forensics creates a need for some additional resources and procedures to perform some examination and initial analysis functions outside of the lab. The focus is to provide some important intelligence to give the investigators key pieces of evidence or leads to use in interviews or other searches. Some fast forensics techniques utilize Linux or other forensic boot disks to perform on-scene searches or document extraction. The boot disks run in memory only and mount the hard drives read-only so as not to corrupt the evidence.
Analysis Every cyber crime incident will involve at least some analysis of data retrieved from systems. Some will consist of only a few small files from a system or two, or may range to terabytes from many machines. The core of an investigation could consist of a single piece of media or it may consist of thousands of hard drives. The trick lies in the analysis that will put all the pieces together. The analysis of an entire cyber crime event can be far more complex than the analysis of any of the systems themselves; the whole is truly greater than the sum of its parts. It can be likened to a symphony. Any single instrument may be difficult to play, but to bring all the pieces together is far more complex. The cyber crime investigator needs to build a toolbox of utilities to analyze the data from a myriad of systems and be able to correlate the data into a complete, coherent picture.
The analysis phase of the digital forensic process is the phase where we look deeper into the data. The analysis is the sum of all the data applied toward the resolution of the incident. An example of an analysis follows. An intellectual property theft case didn't yield much until the data from a bunch of systems were pulled together. The file server audit logs were reviewed and the user list they provided was used to query the proxy server logs. When the log files for those users were reviewed, a short list was created by focusing on webmail and forum traffic. The short list was used to triage and prioritize the exams of the user workstations. The exams of the workstations quickly revealed the individual when the webmail messages were pulled from the Internet cache and recreated. During the analysis phase it is imperative to tie in any other investigation intelligence that has been gathered. It is in this phase that the data from multiple systems or sources is pulled together to create as complete a picture and event reconstruction as possible. There is a difference between evidence for court and evidence to find the next piece for the investigation. A piece of evidence discovered may not be strong enough to stand on its own, but may be the item that provides the next lead. Another factor that is a challenge is that analysis of large amounts of data takes time. In the heat of an incident or a large high-profile investigation it is often difficult to manage the expectations of management. It can take huge amounts of time to import logs into various applications. It can take hours to move and copy data between storage systems. Be prepared to explain why it may take days to get some preliminary answers. It could take weeks or months to have all the data combed, all the i's dotted and the t's crossed, especially in an incident that may affect customer data and have reporting requirements.
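The case walk-through above, carried out in code as an added example (not the book's own tooling): constructed file server audit and proxy log lines are correlated to produce the short list of users and the workstation IP to triage first. The log formats, user names, hosts and the webmail/forum hostname lists are assumptions made for the sample.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample logs (not from the book). Audit trail of the file server that
# holds the design documents, one access event per line.
FILE_SERVER_AUDIT = """\
2006-10-17 09:12:03 user=jsmith action=READ path=/eng/designs/widget_v3.dwg
2006-10-17 09:15:41 user=alee action=READ path=/eng/designs/widget_v3.dwg
2006-10-17 09:20:09 user=jsmith action=COPY path=/eng/designs/widget_bom.xls
2006-10-17 10:02:55 user=mpatel action=READ path=/eng/designs/widget_v3.dwg
2006-10-17 10:30:18 user=bkim action=READ path=/hr/handbook.pdf
"""

# Constructed proxy log: timestamp, authenticated user, client IP, method, URL, status.
PROXY_LOG = """\
2006-10-17 09:31:12 jsmith 10.1.5.22 GET https://webmail.example.net/inbox 200
2006-10-17 09:33:40 jsmith 10.1.5.22 POST https://webmail.example.net/compose 200
2006-10-17 09:35:02 jsmith 10.1.5.22 POST https://webmail.example.net/attach 200
2006-10-17 09:40:55 alee 10.1.5.31 GET https://intranet.example.com/news 200
2006-10-17 09:58:17 mpatel 10.1.5.44 GET https://forum.example.org/thread/42 200
2006-10-17 11:05:33 bkim 10.1.5.50 GET https://webmail.example.net/inbox 200
2006-10-17 11:07:01 cjones 10.1.5.61 POST https://webmail.example.net/compose 200
"""

AUDIT_RE = re.compile(r"^(\S+ \S+) user=(\S+) action=(\S+) path=(\S+)$")
PROXY_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Hostname prefixes used to classify traffic; an analyst would build these lists
# from the organization's own proxy data. Assumed values for the sample.
WEBMAIL_PREFIXES = ("webmail.", "mail.")
FORUM_PREFIXES = ("forum.", "forums.", "board.")


def users_who_touched(audit_text, path_prefix):
    """Users the file server audit log shows accessing anything under path_prefix."""
    users = set()
    for line in audit_text.splitlines():
        match = AUDIT_RE.match(line)
        if match and match.group(4).startswith(path_prefix):
            users.add(match.group(2))
    return users


def classify_url(url):
    """Return 'webmail', 'forum', or None for a proxied URL."""
    host = urlparse(url).hostname or ""
    if host.startswith(WEBMAIL_PREFIXES):
        return "webmail"
    if host.startswith(FORUM_PREFIXES):
        return "forum"
    return None


def build_short_list(audit_text, proxy_text, path_prefix):
    """Correlate the two sources into a ranked short list.

    Returns [(user, {category: hits}, first client IP seen)], sorted by total
    webmail/forum hits (descending) then user name. The client IP is the
    workstation to triage first for that user.
    """
    suspects = users_who_touched(audit_text, path_prefix)
    hits = defaultdict(Counter)
    workstations = {}
    for line in proxy_text.splitlines():
        match = PROXY_RE.match(line)
        if not match:
            continue
        _stamp, user, client_ip, _method, url, _status = match.groups()
        if user not in suspects:
            continue  # never touched the protected data: not on the list
        category = classify_url(url)
        if category is None:
            continue  # ordinary browsing is not what this exam is focusing on
        hits[user][category] += 1
        workstations.setdefault(user, client_ip)
    ranked = sorted(hits, key=lambda u: (-sum(hits[u].values()), u))
    return [(u, dict(hits[u]), workstations[u]) for u in ranked]


if __name__ == "__main__":
    for user, categories, ip in build_short_list(FILE_SERVER_AUDIT, PROXY_LOG, "/eng/designs/"):
        print(f"{user:8} {ip:15} {categories}")
```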
Just as the investigation of a cyber crime event can involve any of a variety of systems or devices, it can involve a single machine or thousands. The addition of multiple systems complicates the analysis process as the data from the many examinations is pulled together.
Analysis of a Single Computer Most cyber crime investigations involve the examination of a system or device, and most start with the exam of a single computer. The focus of the exam can be as diverse as the tasks the computer can be used for.
Metadata Metadata is data about data. Examples are the author of a Word document, or the creation date of a spreadsheet. A resource for an overview of Microsoft Office metadata is Microsoft KB223396. Dependent on the scope or type of investigation, do not discount the importance of metadata. A case that got its big lead from document metadata was the BTK case. The BTK killer sent the Wichita TV station KSAS a floppy disk with a message contained in a document. A forensic exam of the floppy disk revealed a file and some deleted files. The file metadata of Test Art.rtf showed the file was last saved by user Dennis and listed the name of a church. A search for the church's Web site revealed the President of the congregation was Dennis Rader, who was eventually convicted of the BTK murders. [Stone]
Exchangeable Image File Format Exchangeable Image File Format (EXIF) is metadata contained in an image file, and though it varies among devices it can provide valuable information such as the make and model of the camera that took the image. The EXIF data can also reveal if an image has been altered with a graphics program. The EXIF data can be used to tie an image back to a specific model of camera or cell phone with a camera. The EXIF data also often will have a date and time stamp of when the image was taken or altered. There are several EXIF versions, therefore the data can vary slightly. Also be aware that not all devices will populate all the fields.
Binary and Malware Analysis Some binary and malware analysis ability is a requirement. The initial step is to identify any malware that may be on a system. This is often achieved through a file either being identified by a hash set of known malware, or not being filtered out by a hash set of known good files. Once a suspicious file is identified there are two major methods for analyzing it: statically and dynamically. Static analysis entails searching the binary for text strings or identifying whether the file was packed. Packing an executable compresses the file, normally to make reverse engineering more difficult.
Dynamic analysis uses behavioral analysis to identify the malware or its actions. The file is placed in a safe environment such as a test network or virtual machine. The file is then executed and its actions observed, in effect a zoo for software. Items like network traffic generated or files accessed are noted and used to analyze the binary.
It is important to identify malware on a system, to establish either its presence or its absence. If malware exists but can be identified and its actions documented, the trojan defense can be countered. If it is documented that no malware exists, again the trojan defense can be countered.
Deleted Items A strength of forensic applications is the ability to recover deleted files in their entirety, or at least the artifact that a file existed. When an operating system deletes a file it does not remove the data. It only changes the pointer to the file to tell the file system that the file no longer exists and the space is available for new data. Forensic applications then identify the deleted files that still exist or display the artifact that they once did exist. Deleted files may affect the culpability of a suspect by demonstrating willful actions to hide their activity.
Data Carving Files of different types have pieces of data at the beginnings and ends that define what the file is. These pieces of data are called the headers and footers. Using the signatures of the headers and footers, the applications and tools are able to recover, or carve, files or pieces of files out of the raw data that ends up on storage media. Files that contain plain text characters can have the words carved out of their remnants. Data carving can be time consuming and tedious. It can also be rewarding, because evidence can be recovered that would otherwise have been missed.
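An added example of header/footer carving and text-remnant carving (not code from the book): a small Python carver run over a constructed byte blob standing in for unallocated space. The JPEG, PNG and GIF signatures are the real magic bytes for those formats; the blob contents are invented, including a PNG fragment whose footer is gone so the partial-carve path is exercised.

```python
import re

# Header and footer signatures (real magic bytes for these three formats).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF89a", b"\x00;"),
}


def carve(blob, signatures=SIGNATURES, max_size=None):
    """Carve files out of a raw byte blob by header/footer signature.

    Returns a list of (type, offset, data) sorted by offset. When a header has
    no matching footer before the blob ends (or before max_size bytes), the
    bytes up to that limit are returned as a partial carve, because a partial
    image or document can still be evidence.
    """
    results = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            hpos = blob.find(header, start)
            if hpos == -1:
                break
            limit = len(blob) if max_size is None else min(len(blob), hpos + max_size)
            fpos = blob.find(footer, hpos + len(header), limit)
            if fpos == -1:
                results.append((ftype + " (partial)", hpos, blob[hpos:limit]))
                start = hpos + len(header)
            else:
                end = fpos + len(footer)
                results.append((ftype, hpos, blob[hpos:end]))
                start = end
    return sorted(results, key=lambda item: item[1])


def carve_strings(blob, min_len=6):
    """Pull runs of printable ASCII out of the blob: the text-remnant case."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def demo_blob():
    """Constructed unallocated-space sample: zeroed slack, a complete JPEG-like
    fragment, a deleted e-mail remnant, and a PNG fragment whose footer is gone."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 20 + b"\xff\xd9"     # 32 bytes
    text = b"Subject: quarterly numbers attached\x00"                        # 36 bytes
    png_head = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x02" * 16         # 32 bytes, no IEND
    return b"\x00" * 32 + jpeg + b"\xde\xad" * 8 + text + b"\x00" * 16 + png_head + b"\x00" * 8


if __name__ == "__main__":
    sample = demo_blob()
    for ftype, offset, data in carve(sample):
        print(f"{ftype:14} offset={offset:<5} size={len(data)}")
    for offset, words in carve_strings(sample):
        print(f"string         offset={offset:<5} {words!r}")
```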
E-mail Analysis The analysis of e-mail has a burden of legal process in addition to the technical challenges. For law enforcement agents, the legal process is dependent on the state of the data. For the private sector, the proper policies need to be implemented and reviewed by attorneys to address the expectation of privacy issues. There is far more analysis that can be performed on e-mail than just header analysis. E-mail analysis can depend on whether the data are stored on the server or the client. Do not overlook the utilities included in the server or client platform for search and advanced search functions. There are also normally import and export functions included that allow the data to be analyzed in other applications. For example, a Microsoft Outlook PST can be exported to Excel for analysis. Once in Excel, summary reports such as a pivot table count can be run to find trends.
A powerful commercial tool to analyze many types of e-mail formats is Paraben Forensics Email Examiner. In addition to the ability to work with many e-mail file formats, it has the ability to recover deleted e-mail and perform advanced searches on a wide variety of e-mail formats from multiple vendors.
Analysis of an Enterprise Event The examination of a single machine can be complex and time consuming, but it can also be the tip of the iceberg. The complexity of a single workstation exam can be multiplied hundreds or thousands of times over. The likelihood of multiple operating systems and architectures and the additional burden of potentially complex network configurations can tax even highly skilled practitioners. Additional tools are needed to help correlate the data from all the individual systems and devices into a comprehensive form where it can be digested and analyzed. A series of log files can take on a whole new meaning when presented graphically. Examples of these are system flow charts and event timelines.
System Flow Charts A flow chart, or other graphical representation of the network, can show which systems were impacted and when, based on the analyzed data (see Figure 1.1). The chart would show the data excerpt of an IP address from the firewall log. Next it could show the snippet of a directory traversal from the Apache logs, and so forth. It becomes valuable especially when explaining the incident to nontechnical individuals.
Figure 1.1 System Flow Chart: Attacker port scans 192.168.10.100; port scans 192.168.10.101 and launches an SSH brute force attack against it; uses that system to attack 192.168.20.100; port scans 192.168.20.100.
Beyond the usefulness of the graphical representation of the traffic, a system flow chart when compared to a network diagram may help point out areas that may have been affected but not yet identified. Graphical documents tend to work well when explaining results to nontechnical management or, if the events lead to litigation, to attorneys and juries.
Timelines A timeline graph of the incident or the analysis can be a valuable report. It can help display the entire progression of what analysis was done when, on what system (see Figure 1.2). It is often easier to look at a chart and see the progression of an incident instead of sifting through a hundred e-mails later. Also a timeline could show what systems were impacted when, based on the analysis data. The chart would show the data excerpt of an IP address from the firewall log. Next it could show the snippet of a directory traversal from the Apache logs, and so forth.
Figure 1.2 Timeline Graph (axis 10/15/2006 to 10/18/2006): 10/15/2006 Port Scan detected; 10/15/2006 SSH Brute Force Attack Begins; 10/16/2006 Account Accessed; 10/16/2006 Privilege Escalation; 10/17/2006 Database Copied.
Timelines are useful to lay out the progression of events as they unfolded. They are also useful to highlight gaps in activity. These gaps in activity may be where some evidence was missed or there was activity not yet uncovered. As mentioned before, graphical documents tend to work well when explaining results to nontechnical management or, if the events lead to litigation, to attorneys and juries.
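An added example (not from the book) that builds the kind of timeline Figure 1.2 shows from constructed log lines of three sources, then flags the gaps in activity described above and records the order in which systems first appear; the hosts and events follow the figure, while the times, source names and log formats are invented.

```python
from datetime import datetime

# Constructed analysis records shaped after the events in Figure 1.2 (times are
# invented). Each source keeps its own format; here all three happen to share one.
FIREWALL_LOG = """\
10/15/2006 02:10:44 192.168.10.100 port scan detected
10/15/2006 02:25:03 192.168.10.101 SSH brute force attack begins
"""
AUTH_LOG = """\
10/16/2006 03:01:17 192.168.10.101 account accessed
10/16/2006 03:40:52 192.168.10.101 privilege escalation
"""
DB_AUDIT_LOG = """\
10/17/2006 22:15:09 192.168.20.100 database copied
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_events(text, source, time_format=TIME_FORMAT):
    """Turn one source's lines into normalized event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        stamp, rest = line[:19], line[20:]
        host, description = rest.split(" ", 1)
        events.append({
            "time": datetime.strptime(stamp, time_format),
            "source": source,
            "host": host,
            "event": description,
        })
    return events


def build_timeline(*event_lists):
    """Merge events from every source into one chronologically ordered list."""
    return sorted((e for events in event_lists for e in events), key=lambda e: e["time"])


def find_gaps(timeline, threshold_hours):
    """Quiet stretches longer than threshold_hours between consecutive events.

    Returns [(start, end, hours)]. A long gap in the middle of an intrusion is a
    place to look for a log source not yet collected or activity not yet found.
    """
    gaps = []
    for prev, cur in zip(timeline, timeline[1:]):
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        if hours > threshold_hours:
            gaps.append((prev["time"], cur["time"], hours))
    return gaps


def first_seen_by_host(timeline):
    """Order in which systems first appear: the backbone of a system flow chart."""
    seen = {}
    for e in timeline:
        seen.setdefault(e["host"], e["time"])
    return seen


def render(timeline, gaps):
    """Plain-text timeline with the gaps marked inline."""
    gap_starts = {start: hours for start, _end, hours in gaps}
    lines = []
    for e in timeline:
        lines.append(f"{e['time']:%Y-%m-%d %H:%M:%S}  {e['source']:<9} {e['host']:<15} {e['event']}")
        if e["time"] in gap_starts:
            lines.append(f"    ... {gap_starts[e['time']]:.1f} h with no recorded activity ...")
    return "\n".join(lines)


if __name__ == "__main__":
    tl = build_timeline(parse_events(FIREWALL_LOG, "firewall"),
                        parse_events(AUTH_LOG, "auth"),
                        parse_events(DB_AUDIT_LOG, "db_audit"))
    print(render(tl, find_gaps(tl, threshold_hours=12)))
```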
Tools for Data Analysis
There are as many ways to analyze the data as there are log files. There are tradeoffs to any of them, whether it is cost, performance, or complexity. Often tools that are used on a daily basis by system administrators to perform proactive troubleshooting and tuning can be the same tools used for reactive analysis. Normally, as the tools increase in performance, they also increase in cost and/or complexity. Some of the tools are GREP, PERL scripts, Excel, SQL, and commercial network forensics tools.
GREP
GREP is an indispensable tool and an essential skill for the incident responder or forensics practitioner. The GREP command simply searches a file or files for a pattern. The power is in the flexibility of the patterns that can be created and the ability to recursively search directory structures of files. GREP is licensed under the GPL, so its cost is nothing; GREP exists natively on virtually every *nix operating system and has been ported to everything else. For the novice, there are many Internet sources on how to craft GREP patterns. An important limitation to remember is that GREP works on text-based files, and will not be able to search every file that may be encountered. If you are dealing with large text-based log files, then GREP is extremely useful.
Spreadsheets
If you are a more visual person, you are more comfortable in a graphical user interface (GUI), and your log files are relatively small, then a spreadsheet may be an option. Spreadsheets have the ability to sort, count, and manipulate your data. Another bonus is the ability to create visual graphs and charts based on your data, to explain later to management, law enforcement, the prosecutor, or the jury. Simple functions can be created to display items like unique IP addresses or counts of IP addresses. If the log files are fairly small, then the uses are limited only by your ability to create formulas or manipulate the data.
Databases
If your log files are large, another available tool is databases. Databases are used on a daily basis to store and report on data, so why not for log files involved in a cyber crime incident? The database used is a matter of budget and expertise. Some issues to keep in mind are the overhead involved in the essential aspects of the database, like primary keys. This additional data will add to the storage requirements. An advantage of SQL databases is that the ways to analyze and report the data are limited only by your creativity. Additionally, the SQL database allows correlation of logs from various systems once they are loaded into tables. Load in all the systems' logs and query to find everywhere an IP address has gone or attempted to go. Finally, since SQL queries are a standard, they can be easily explained to those familiar with SQL. The disadvantages of an SQL database are that it can require huge volumes of storage if you have large log files and want to perform correlation. Complex queries of large databases can also require a lot of processing power or time. Correlation and reporting can take even larger amounts of computing power or time. The flexibility and power of the SQL database makes it an invaluable tool to crunch through massive amounts of log files and correlate them into a comprehensive report.
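As an added example (not code from the book or its authors), the following Python script does in miniature what the Timelines, GREP and Databases sections describe: it parses a few constructed firewall and Apache log lines with regular expressions (the same pattern matching GREP performs), loads them into an in-memory SQLite database, runs one query that finds everywhere an address has gone across both sources, flags the directory traversal request, and renders the result as a timeline that marks gaps in activity. Every log line, address, table and function name below is constructed for this illustration.

```python
"""Correlate constructed firewall and Apache logs in SQLite and build an
incident timeline with gap markers.  Added example, not the book's code;
every log line and address below is constructed for illustration."""
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed firewall log: ISO timestamp, action, protocol, src -> dst:port.
FIREWALL_LOG = """\
2006-10-15T02:10:11 DENY TCP 192.168.10.100 -> 192.168.20.100:22
2006-10-15T02:10:12 DENY TCP 192.168.10.100 -> 192.168.20.100:80
2006-10-15T02:10:13 ACCEPT TCP 192.168.10.100 -> 192.168.20.100:22
2006-10-16T09:30:00 ACCEPT TCP 192.168.10.100 -> 192.168.20.100:80
2006-10-16T09:31:15 ACCEPT TCP 10.0.0.5 -> 192.168.20.100:80
"""

# Constructed Apache access log in common log format.
APACHE_LOG = """\
192.168.10.100 - - [16/Oct/2006:09:30:02 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 212
10.0.0.5 - - [16/Oct/2006:09:31:16 +0000] "GET /index.html HTTP/1.1" 200 1043
192.168.10.100 - - [17/Oct/2006:14:05:40 +0000] "GET /db/export.sql HTTP/1.0" 200 583201
"""

FW_RE = re.compile(r"^(\S+) (\w+) (\w+) (\S+) -> (\S+):(\d+)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
TRAVERSAL_RE = re.compile(r"\.\./|%2e%2e", re.IGNORECASE)  # the GREP-style pattern


def parse_firewall(text):
    """Return (ts, action, proto, src, dst, port) tuples; unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, proto, src, dst, port = m.groups()
            rows.append((ts, action, proto, src, dst, int(port)))
    return rows


def parse_apache(text):
    """Return (ts, src, method, path, status, size); timestamps normalised to ISO."""
    rows = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            src, raw_ts, method, path, status, size = m.groups()
            ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
            rows.append((ts.strftime("%Y-%m-%dT%H:%M:%S"), src, method, path,
                         int(status), int(size)))
    return rows


def load_db(fw_text, apache_text):
    """Load both sources into an in-memory SQLite database, one table per source."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE firewall (ts TEXT, action TEXT, proto TEXT, src TEXT, dst TEXT, port INTEGER);
        CREATE TABLE apache (ts TEXT, src TEXT, method TEXT, path TEXT, status INTEGER, size INTEGER);
    """)
    db.executemany("INSERT INTO firewall VALUES (?,?,?,?,?,?)", parse_firewall(fw_text))
    db.executemany("INSERT INTO apache VALUES (?,?,?,?,?,?)", parse_apache(apache_text))
    return db


def activity_for_ip(db, ip):
    """Everywhere one address appears, across both tables, in time order."""
    return db.execute("""
        SELECT ts, 'firewall' AS source, action || ' ' || proto || ' to ' || dst || ':' || port AS detail
          FROM firewall WHERE src = ?
        UNION ALL
        SELECT ts, 'apache', method || ' ' || path || ' -> ' || status
          FROM apache WHERE src = ?
        ORDER BY ts
    """, (ip, ip)).fetchall()


def traversal_requests(db):
    """Apache rows whose request path matches the traversal pattern."""
    return [r for r in db.execute("SELECT ts, src, path FROM apache ORDER BY ts")
            if TRAVERSAL_RE.search(r[2])]


def timeline(rows, gap=timedelta(hours=12)):
    """Return the rows in order with a 'gap' marker wherever activity is silent
    longer than `gap`; those are the places where evidence may have been missed."""
    out, prev = [], None
    for ts, source, detail in rows:
        t = datetime.fromisoformat(ts)
        if prev is not None and t - prev > gap:
            out.append((prev.isoformat(), "gap", f"no recorded activity for {t - prev}"))
        out.append((ts, source, detail))
        prev = t
    return out


if __name__ == "__main__":
    db = load_db(FIREWALL_LOG, APACHE_LOG)
    for hit in traversal_requests(db):
        print("traversal:", *hit)
    for row in timeline(activity_for_ip(db, "192.168.10.100")):
        print(*row)
```

The one design point worth noting is the timestamp normalisation in parse_apache: the firewall and web server write different time formats, and correlation by a single ORDER BY only works once both tables carry the same ISO form. The 12-hour gap threshold is an arbitrary constructed value; in practice it is chosen from the expected tempo of the systems being reviewed.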
Snort
Snort can be used to analyze capture files, not just real-time traffic. It is useful to parse out attack signatures from captures where an IDS system may not have been. An added benefit is that Snort can be used to parse out traffic that may not traditionally be an attack but may be valuable to an investigation, such as login attempts. Since Snort is an open source application, its cost is low. Snort also has a supportive user community, and it is well documented. There are plenty of resources to assist in creating custom signatures.
Security Event Management Systems
Many organizations have begun to install Security Event Management (SEM) Systems to compile and correlate all the logs from the various systems. The SEMS may well be the future of analysis tools for the network. A SEMS can quickly correlate data from the various security appliances and systems. SEMS are valuable in analyzing data through correlation and reporting. A caveat to the SEMS reporting is that the logs received or displayed often are altered. The logs often are truncated or normalized, so original raw logs will need to be retrieved and preserved from the originating system. Many SEMs are still plagued by performance issues as they struggle to deal with the deluge of data streaming from systems. The databases often have performance issues in large implementations.
If a SEMS is implemented well and operating in an enterprise, it is an excellent resource to assist in triaging affected systems early in an incident.
Reporting
At the end of examinations and analysis comes perhaps the most tedious but arguably the most important phase. The report is a compilation of all the documentation, evidence from the examinations, and the analysis. The report needs to contain the documentation of all the systems analyzed, the tools used, and the discoveries made. The report needs to have the dates and times of the analysis, and detailed results. It should be complete and clear so the results and content are understood perhaps years down the road. The report may be the most important phase of digital forensics. If the report is incomplete, or does not accurately document the tools, process, and methodology, all the work may be for nothing. Reporting will vary depending on the needs of your organization, but in most cases the minimum must include the documentation of the devices that were examined, the tools used, and the factual findings. Even if a procedure was used and yielded nothing of value, it should be documented not only for completeness, but to demonstrate that the examination covered all the bases. Perhaps the greatest challenge after all the other hurdles of acquisition, examination, and analysis is how to present it all in a manner that cannot be questioned. There is a very real risk that some newer forensic techniques have not yet been challenged in a court room.
ment that all the software used was properly licensed. It may not be necessary to go into great detail about the licenses, but close that hole early.
In a corporate environment, there is often a need for multiple reports: the forensic analysis report and the report created for executive management at the minimum. A challenge is that in the midst of an important or high-profile investigation, management will want updates and answers. Often when the incident involves volumes of data, one is being asked for answers when it is premature to give them. A strategy may be to provide a "shiny thing" to distract them long enough to get some results. The shiny thing may be just a statistical report and a high-level overview of the occurrence, such as the acquisition of 10 systems for a total of 7.5 terabytes of data that is now being examined and analyzed. Other ways of presenting the data in reports are timelines and a flow chart of accesses. A timeline report of a forensic examination of a system would display the dates and times of file accesses. A timeline report of data from disparate systems would show the steps taken during the investigation or analysis. The flow chart would show details of the impact or interaction with a system, such as the traffic through a firewall, and then the access to a server.
Summary
In the introduction, we discussed the current best practices, and how the current best practices may be negatively impacted by ever-changing technology. The greatest challenge for the forensic practitioner going forward will be at times forging ahead without best practices to back them up. The same tasks will need to be accomplished in a more diverse and volatile environment. It is becoming the norm that devices may not be completely imaged because it is sometimes impossible to take a complete physical image. It may also be impractical to take an entire physical image of a multiterabyte SAN array. The sheer volume of diverse devices and formats will make it far more difficult for the forensic practitioner to be an expert on it all. It will also create an ever-increasing need for continuing education. The tool kit required to work in digital forensics is not like the handyman's toolbox; it has become the mechanic's large toolchest. A refreshing trend is the increasing focus of academia on research in the digital forensics field. There has also been an increase in academic programs specifically for digital forensics, bridging the gap between traditional computer science and IT degree programs and criminal justice curriculums. The last piece of wisdom: know when to ask for help.
Solutions Fast Track
The Evolution of Computer Forensics
- The technology is changing faster than forensic best practices.
- The volume of data is increasing extremely rapidly.
- The drive diversity continues to grow.
- Some data are increasingly volatile.

Phases of Digital Forensics
- Data storage diversity requires many tools and procedures.
- The increased data storage requires large target storage devices.
- The time requirement for collection will continue to increase.
- More data collected equates to more data to sift through.
- The increased use of techniques to reduce the data of interest should be employed.
- The increase in the data available can simplify the final analysis, or it can just create a bigger haystack to hide the needle in.
- The analysis of the entire incident is far more complex than the examination of any single system.
- Reporting is possibly more important than ever, as the techniques and procedures must be more finely documented because of potential impacts on volatile data.
- A poor report can make the best cyber crime investigation appear a disaster.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.
Q: Is specialized equipment required for proper digital forensics?
A: Yes. The debate continues as to the requirement for formal digital forensics training, but training in proper processes and methods is required.
Q: What is the most important part of digital forensics?
A: The procedures and methods are the foundation. If they are solid, the rest will follow.
Q: Will one piece of forensic software do everything I need?
A: You can never have enough tools in the toolbox. That being said, the major forensic suites should do most of the functions the average digital forensics practitioner may need. It is also a best practice to back up your findings with a second tool, so more than one may well be needed.
Chapter 2
Seizure of Digital Information
Introduction
Computers and digital devices are employed by the majority of people in the U.S. for myriad business and personal uses. Because of the wide acceptance of computers in our daily lives, it is reasonable to conclude that people will use a computer to assist them in the commission of crimes, record aspects of crimes on a computer, and use computers to store the fruits of their crimes or contraband. Any of the computers involved in the situations just discussed will likely contain upwards of hundreds of thousands of pieces of information stored in a digital format, including operating system files, program files, user documents, and file fragments in drive free space. While the challenge for the laboratory examiner is to find the relevant data objects on a hard drive or other media, a greater challenge exists for the on-scene responders and investigators: How can the information be collected from the scene and brought to a location where it can be examined? Does all the hardware on-scene need to be seized as evidence, or will an exact copy of the information serve the purposes of an investigation? Are there other seizure options to be considered?
What we consider to be evidence has a dramatic effect on how we view the electronic crime scene. The current model of digital evidence seizure is focused on physical hardware, which is appropriate in most situations. However, as we move forward from this point in time, factors such as the size of media and full-disk encryption will impact the ability to seize all the hardware on-scene for later analysis at a forensics laboratory. Other options besides wholesale hardware seizure (RAM recovery, on-scene imaging of hard drives, and imaging of select files) need to become part of the basic toolkit of on-scene responders. But the acceptance of other options for digital evidence seizure will not be a spontaneous event. The legal framework, the established workflows of existing computer forensic best practices, and the fear of the unknown will all play a part in determining how quickly the digital evidence seizure methodologies are adjusted to accept other options besides wholesale hardware seizure. The community of people that respond to, investigate, and prosecute crimes that have a digital evidence component is a very diverse population with different frames of reference and different technical understanding. If one group decides to unilaterally implement a change in practices or policy, the ripple effect is felt across the entire system, which is what makes bridging the gaps such an important part of considering and implementing any change resulting from advances in technology. As the author and a member of the greater crime-with-a-cyber-component community, I hope this work serves to create discussion between the disparate communities on the appropriateness of both the familiar and innovative methods to seize digital evidence. To these ends, I have organized the following pages to guide the reader through a number of topics relating to both the existing method of digital seizure and the innovative options available for on-scene responders.
First, we will examine some of the framework surrounding the legal view of evidence, then we will address how the current digital evidence seizure methodology evolved, and afterward we'll take a look at each of the seizure steps individually. This work is not intended to be a step-by-step guide for digital evidence seizure, but many of the current best practices are examined, and some common pitfalls are discussed. Following the discussion of the current method of seizure, we will explore some of the reasons why the wholesale seizure of hardware on-scene may become problematic in the future. Finally, we will discuss a number of options available for seizure of information, including the on-scene preview of information, the seizure of data held in the computer's RAM, on-scene imaging of entire hard drives, and the on-scene imaging of specific data objects.
WARNING
In the sections that follow, we will primarily be discussing criminal procedures, as I would hope that the civil procedures would follow the guidelines set forth by the criminal side of the house. Many civil procedures often turn into criminal events, and vice versa, so it's probably wise to be working each case as if it were destined for criminal court. Further, most of my work has been as a bridge between the technical community and that of law enforcement, and it is from this viewpoint that the chapter is written. Obviously, criminals may actually steal a computer or other device directly, but the focus of this chapter is not on the physical theft of hardware. Instead, we target how information held within the storage medium can be processed into evidence. Here, I will colloquially refer to computers and hard drives when discussing digital information. I do realize many types of digital devices and media contain data, but it is often too cumbersome to individually point out each item or specify each situation. This chapter focuses more specifically on the seizure of digital evidence when that evidence relates to a static event, such as receiving a harassing e-mail or seizing a computer that contains child pornography. An analysis and discussion of recovering information and evidence from a more dynamic event, such as a Denial-of-Service attack or a network intrusion, is included in Chapter 5, "Router Forensics". Although much of what is discussed in the following sections still applies to network forensics, please note that I am purposely minimizing the points that apply to it. Finally, I am not a lawyer, nor do I play one on TV. The intent of this chapter is to provide investigators, prosecutors, and private sector personnel with options and discussion topics related to the collection of digital evidence.
Any conclusions or recommendations in this chapter that may resemble legal advice should be vetted through legal counsel. Always check with your local jurisdiction, local prosecutors, and local forensics laboratory as to their preferred method(s) of digital evidence collection.
Defining Digital Evidence
Black's Law Dictionary, the Bible for legal definitions, provides several definitions for evidence (Nolan, 1990). One of the definitions reads "Testimony, writings, or material objects offered in proof of an alleged fact or proposition." I have to say it is rather refreshing to have a generally straightforward and concise legal definition; generally, I don't equate straightforward and concise with legal...well...anything. The definition does provide a good launching point for our discussions on how digital information is viewed in the criminal justice system. Black's definition of evidence as applied to digital evidence can be viewed in two ways. First, we can examine the computer itself as the evidence. This is clearly the case when the computer is the actual instrument of the crime, such as when the physical parts of the computer are used to commit a crime; for example, I hit you over the head with a keyboard. Colloquially, most law enforcement investigators and prosecutors will call the computer itself evidence even in cases where information on the computer relates to a given crime. As one investigator told me: "Everything seized at a crime scene is evidence until someone tells me it's not." In this sense, when the computer itself is seized at a crime scene or through a warrant, it is considered by many to be evidence. Building on the view of the computer as evidence, many assert that the information on the computer requires the original computer to view the contents. In other words, the original computer (along the lines of how the best evidence rule requires the "original" whenever possible) may have an impact on how the information on the computer was actually viewed by the suspect. This is a valid viewpoint because many forensic software packages will not provide a view that is exactly as the suspect would have seen it.
Too many different programs may show a given file, image, movie, or e-mail in a particular manner. The computer forensic analysis programs will often use a generic viewer capable of displaying any number of different formats. For example, Access Data's FTK has a generic format in which all e-mails would be displayed regardless of the program in which they were created. The generic format provides all the same information that would have been shown in the original e-mail, but it clearly is shown in a very different format than what the suspect would have seen. An e-mail viewed through the AOL e-mail program will include all the banners, advertisements, and formatting that make up the AOL look and feel of the user's experience. The e-mail itself will contain a number of standard fields, such as the e-mail header and the body of the message. The AOL program places these fields in a particular "package." However, that same e-mail viewed in FTK, though containing the same content, would lack the AOL packaging. In court, the examiner may be asked "Is this exactly what the suspect saw?" and the obvious answer is "No, but..." And it is within this "but..." that the court may suggest that the evidence (the complete computer and information as a unified package) be brought forth in front of the court. A second way to view Black's definition is that the information, or data objects, contained on the digital storage medium are the "testimony, writings, or material objects" offered in proof of an alleged fact. This viewpoint makes the computer nothing more than a device that is used to access the information, and the components of the computer that store digital information nothing more than mere physical containers that house information, similar to a file cabinet or briefcase. Arguments can be made that only the desired information can be seized as evidence. The ramifications of this change in focus from hardware-as-evidence to information-as-evidence are far reaching. If we do propose there is a distinction between the data objects and the physical container, we need to examine the legal framework within which we operate and seize information to determine if it is permissible to seize either the physical hardware or the information, or both. Rule 41 of the Federal Rules of Criminal Procedure (FRCP), titled "Search and Seizure," provides a definition for property, stating that "'Property' includes documents, books, papers, any other tangible objects, and information" (FRCP Rule 41(a)(2)(A)). Within this definition is our first inclination that, in fact, the legal system views both storage containers and information as property.
When we move forward in the FRCP into the discussions on seizure, we see that persons or property are subject to search or seizure and that a warrant may be issued for any of the following: (1) evidence of a crime; (2) contraband, fruits of crime, or other items illegally possessed; (3) property designed for use, intended for use, or used in committing a crime; or (4) a person to be arrested, or a person who is unlawfully restrained (FRCP Rule 41[c]).
A number of legal documents will prove helpful in the coming discussions. The Federal Rules of Evidence (FRE) addresses the manner in which evidence can be presented in a federal court. The Federal Rules of Criminal Procedure (FRCP) provides the guidance for bringing an accused through the process of arrest and trial. The Computer Crime and Intellectual Property Section within the Criminal Division of the United States Department of Justice publishes a document titled Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (Manual). The Manual provides a very thorough review of a number of issues related to working with digital evidence, particularly as it relates to federal case law. Obviously, the depth of the information contained in the FRE, FRCP, and the Manual is well beyond the scope of this chapter, but I recommend that anyone interested in this field become familiar with these documents. Absent from the following discussions is talk of state law. Although many states will retain the ability for their own courts to be the "final say" regarding procedural or evidentiary matters, many states have adopted rules very similar to the FRE and FRCP.
Of interest to our discussion here is that property includes information, and that search and seizure is authorized, with a warrant, for property that is evidence of a crime. The next logical conclusion is that warrants can be issued for information that is evidence of a crime, but do the courts interpret using specific files or data objects as evidence, or should the focus be on the physical storage devices? Here, we consult the United States Department of Justice's Computer Crime and Intellectual Property Section's document titled Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (Manual): "The most important decision agents must make when describing the property in the warrant is whether the seizable property according to Rule 41 is the computer hardware itself, or merely the information that the hardware contains (pg. 61). ... if the probable cause relates in whole or in part to information stored on the computer, the warrant should focus on the content of the relevant files rather than on the storage devices which may happen to contain them." The Manual references United States v. Gawrysiak (972 F. Supp. 853, 860 [D.N.J. 1997], aff'd, 178 F.3d 1281 [3d Cir. 1999]), which upheld the seizure of "...records [that] include information and/or data stored in the form of magnetic or electronic coding on computer media ... which constitute evidence" of enumerated federal crimes (Manual, pg. 62). "...The physical equipment merely stores the information that the agents have probable cause to seize. Although the agents may need to seize the equipment in order to obtain the files it contains and computer files do not exist separate from some storage medium, the better practice is to describe the information rather than the equipment in the warrant itself (pg. 65)..." The guidance from the Manual is that the Rules on Criminal Procedure, and the interpretation of the same in the courts, point to the difference between the information held in data objects and the physical container (hard drive, flash media) in/on which the data resides. This provides some positive reinforcement to those that make the claim that the data itself is the evidence and that the computer or storage device is merely a vessel. The preceding discussions regarding the computer as the evidence versus the data as the evidence have a dramatic effect on how we "seize" or "collect" evidence both at the scene and in the forensics laboratory. If your viewpoint is that the computer is the evidence, then your seizure methodology will be focused on the collection of the computer itself at the scene of the crime. If your viewpoint is that the information is the evidence, then you may be more inclined to attempt to locate and retrieve the information-as-evidence, with less care as to the eventual fate of the hardware. Further, you may be more inclined to call your "computer forensic" efforts simple "evidence collection" and remove the requirement for expert classification at trial. The important point here is that there are options to be considered, examined, and discussed within the community: options that have the ability to significantly change the entire approach to computer seizure and analysis.
Digital Evidence Seizure Methodology
The proliferation of personal computers changed how computers were involved in criminal issues. In the past, computers were often used primarily as the attack platform or target of the attack; now the more personal use of computers creates a situation where the computer is the storehouse of evidence relating to almost every type of crime imaginable. The result is that more computers are involved in some manner in crime and that more computers need to be examined for information of evidentiary value. But before they can be examined, they must be seized. Previously, the highly trained computer specialist would attend to each seizure personally; however, the proliferation of computers and their use in criminal endeavors made personal attention to each case impractical. In some areas of the country, one specialist may serve an entire region. It is clearly unreasonable to believe that one specialist will be able to perform each seizure and complete the examination of the digital evidence for every crime with a cyber component. To fill this apparent gap in need versus capability, state and local law enforcement agents have become involved in recovering digital evidence from a crime scene where a computer is directly involved. Not only are state and local investigators faced with dealing with a new type of crime, but they are also asked to perform the seizures of digital evidence. The on-scene responders/investigators often know very little about computers and often have not been instructed on how to "properly" seize digital information. Existing seizure protocols for physical items are used, resulting in a focus on the seizure of the computer hardware; sometimes the entire computer, including the monitor, printers, keyboard, and so on, is seized and packaged for delivery to the lab. Over time, it became accepted to use the seizure methods focused on the seizure of the physical hardware for the seizure of digital information. Let's take a look at the flow of a general seizure of a personal computer.
A number of other authors have nicely addressed the larger digital investigative model. Most notably, Carrier and Spafford present a "digital crime scene" model that exists within the physical crime scene (Carrier, 2003). Generally, these models present a complete framework for digital investigations, from incident response preparation right through to the examination and analysis of the seized information. Although this holistic viewpoint may be relevant to the administrator responsible for the entire operation, these models hold less applicability to the actual on-scene seizure of the relevant information, which is the focus of this chapter.
The current manner of seizure of computer hardware expects that the on-scene responder has a general knowledge about computers, to the level of "THIS is a keyboard, THIS is a mouse, THERE is no 'any' key," and so on. Better yet, the responder should have basic training on digital evidence collection, or, at the very minimum, be able to consult a guide on best practices, such as the USSS Best Practices Guide (USSS, 2006) or the NIJ First Responder's Guide (NIJ, 2001). Next, the responder would arrive at the scene, secure the scene physically, and begin to assess how the digital evidence is involved. The responder would take steps to secure the digital crime scene, which may include inspecting the devices for physical booby-traps and isolating the devices from any networks. The responder then seizes as many physical containers (physical media including hard drives, CDs, DVDs) as necessary to ensure the seized items reasonably include the information with probative value. The seizure of the hardware/physical containers involves labeling all wires connected to the computer or devices, and photographing the scene, paying specific attention to the labeled connectors. The physical items are seized, documented, packaged, and prepared for transport to an offsite facility for examination. At the offsite facility, possibly the local police agency or a state/regional forensic laboratory, the seized physical containers are examined for data objects with evidentiary value. If found, these data objects are usually included in a forensic findings report and are printed out or copied to other media and then provided to the investigator and prosecutors. Figure 2.1 outlines the steps of the traditional method for seizing computer hardware.
Figure 2.1 Traditional Seizure Methodology
That sounds pretty straightforward, doesn't it? For the most part, the preceding reflects the general process that the wide majority of law enforcement agencies follow when it comes to the seizure of digital evidence. As you can see, the general methodology reflects a focus on the seizure of the physical items. Further, the preceding model shows that a division exists between the investigators / on-scene responders and the forensic laboratory/examiners.
Seizure Methodology in Depth
Unfortunately, current seizure methodology does not adequately prepare our investigators to respond to scenes that are more complicated than a single machine sitting alone in a bare room. The fact is that the world is a messy place. Our responders need to have a methodology in place that allows them to work through more complicated scenes, such as finding dozens of computers, dozens of pieces of removable media, or hundreds of CDs. The steps presented in Figure 2.2 are representative of current seizure methodology, but the steps have been crafted to provide a higher level of guidance about approaching nonstandard seizure scenes. Specifically, the "Seize All Hardware and Media" step shown in Figure 2.1 has been replaced by a series of three steps that help guide the responder through identifying all the digital media on-scene, minimizing the crime scene through prioritization, and then seizing the hardware and media that have the highest probability of containing the relevant evidence.
Figure 2.2 Seizure Methodology Featuring Minimization
[Flowchart: physically secure the scene; Identification of Digital Media; Minimize the Crime Scene by Prioritizing the Physical Media; Seizure of Storage Devices and Media; package for transport; at the lab, seizure of the data objects.]
We begin our seizure methodology at the scene, where a warrant for digital evidence is being served. It is assumed in the following that the scene has been physically secured, and the responder has a safe working environment. It is also assumed that the responder has a properly drafted warrant that identifies the information to be seized and outlines that an offsite examination of the media may be required if the situation makes the on-scene seizure infeasible.
Step 1: Digital Media Identification
The first step is to begin to canvas the scene in an attempt to locate the digital media that you believe has the highest probability of containing the evidentiary information described in the warrant. If the suspect has one computer sitting in his bedroom and another in a box in the attic, I'd bet my money that the information I'm after is on the one in his bedroom. Taking a step beyond the simple situations, one needs to also consider removable media such as flash drives and CDs or DVDs. Flash drives are often held as personal file cabinets and may contain information of a personal nature. Look for flash drives on key chains, in watches, in cameras, and just about anywhere; flash media can be unbelievably small. Another strategy is to look for media that contains backups of files from on-scene computer(s). If the information is important, you can be sure it will be backed up somewhere. Where can digital media be found? The answer is pretty much anywhere. Locating media that is physically very small but has very large capacity could be a significant issue when conducting a search. Be sure to balance the perceived technical expertise of the suspect against the type of crime and against where you expect to find the relevant information. For example, it is fairly well documented that obsessive collectors of child pornography will gather tens of thousands of pictures of children being victimized. In this type of case, it would be most logical to be looking for a hard drive or optical disks, given the amount of storage required; at this point in time, obtaining such large amounts of storage on flash media would be difficult. On the other hand, the same collector may be accused of taking pictures of children being victimized, and in this case the search should definitely focus on small flash storage cards that could be used in a digital camera and/or be used to store and hide coveted images.
Documentation is part of every step, so this won't be the last time you see it mentioned. Nevertheless, it's worth mentioning here as a reminder. While conducting the search for digital media, it may be appropriate to narrate your movements into a voice recorder and to photograph the found media in place before moving it.
Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media
After all the digital media is identified, an effort must be made to determine which storage devices or pieces of media have the highest probability of containing the information described in the warrant. Why? Because at some point in time, it will be impractical to seize all the digital devices, removable media, and storage media at a crime scene. At the current time, it may be possible to walk into a residence and find only one computer and maybe a few CDs. In this situation, the minimization of the physical media is all but done for you: you have in front of you only a few pieces of media that may contain the informational evidence. But technology is enabling homeowners to easily build rather complicated networks that may include wireless storage devices, multiple operating systems, shared Internet connections, integration with traditional entertainment media, and integration with home appliances and devices. Downloadable and burnable movies and music are generally an accepted technology, greatly increasing the amount of optical media found in homes. Based on the availability of technology, on-scene responders will be faced with multiple computers, storage devices, and dozens to hundreds of pieces of media, all adding up to terabytes of information. The responder must make some tough decisions about where she believes the information will most likely be found. One suggestion is to prepare a prioritized ranking to help decide which storage devices and pieces of media should be seized for offsite review. The prioritized ranking is also critical in deciding which devices or pieces of media are previewed on-scene, one of the options we'll be discussing later in this chapter.
Step 3: Seizure of Storage Devices and Media
The seizure itself is rather straightforward. After the scene is secured and it is determined that the hardware must be seized, the investigator begins by labeling all the connections/wires attached to the computer. Be meticulous in the labeling of wires and thorough in your documentation. It's a good practice to label both the end of a cable and the place where the cable connects; for instance, label a monitor's VGA cable B1 and label the computer's VGA port as B1', and label the monitor's power cable plug as B2 and the wall outlet as B2'. Photograph as many relevant objects and seizure steps as you see fit; digital photos are basically free and can be burned to disk and added to the case file. Don't forget to remove the sticky labels from the power outlets once they have been photographed. After the computer has been labeled, documented, and photographed, disassemble the components and prepare the computer case for shipment. Best practices state that an unformatted floppy disk should be placed in the floppy drive with a piece of evidence tape sticking out like a flag. The presence of the disk in the floppy drive may prevent an accidental boot to the hard drive, but the new trend from computer and laptop manufacturers is to omit the standard floppy drive entirely, so this recommendation may be deprecated over time. Other options available to prevent an accidental boot are to unplug the power to the hard drive in a desktop machine and to remove the battery from a laptop. Some recommend placing evidence tape over the external drives, including the floppy drive and any CD/DVD drives. When transporting, be careful not to drop, or otherwise jar or shock, the computer, as this may result in damage to the hard drive and possibly the motherboard. When transporting, keep the storage devices away from heat and strong magnetic fields, such as high-powered radios and big trunk-thumping subwoofers.
Regardless of what hardware seizure methodology is written here or contained in any of the other published guides, always check with the laboratory or department that is going to process the seized hardware. Most have preferred methods for hardware seizure and transportation.
To Pull the Plug or Not to Pull the Plug, That Is the Question
I always wondered where the phrase pull the plug originated. I can picture a stressed out, overworked computer forensic technician on the phone with an on-scene responder, attempting to guide them through a proper shutdown and then a controlled boot process, prompting the following exchange:
Responder: It says to hit any key.
Forensic Tech: Uh-huh.
Responder: Hang on.... Um... where is the any key?
Forensic Tech: You've got to be kidding me.... Just pull the @#$@#% plug, wrap it in tape, and bring it to me!
Since that first hypothetical exchange, which still gives me a chuckle when I think about it, the mantra from the forensic community has been to pull the plug from the back of the machine, regardless of the state of the machine: on, off, writing to the drives, or anything else. I have no doubt that, across the board, the simplest, most teachable method of seizure that will generally preserve most of the data and evidence is to pull the plug from the back of the machine. Pulling the plug and prepping the machine for transfer to an examination lab is the only option that is reasonably teachable in a few hours to first responders of any skill level. But, surely, we need to be able to do something other than pull the plug. We cannot possibly make advances in this field if we limit all officers and agents to a methodology based on the lowest common denominator.
The most pressing issue relating to pull-the-plug is that some operating systems (OSes) really need to be shut down properly. Rapid power loss can leave file systems in an inconsistent state; on some OSes that can corrupt the files the system needs to boot, and it can also corrupt the very data the examiner is after. UNIX, Linux, and Macintosh operating systems are the most vulnerable, but some Windows-based OSes, such as a Windows 2000 server, should also be shut down properly. Moore (2005) presents a good review of the proper shutdown method (shutdown versus pull-the-plug) for different operating systems based on the operating system's ability to recover from rapid power loss. Obviously, if you intend to shut down the machine properly, you must determine the OS. To determine the OS and to initiate a proper shutdown sequence, you need to manipulate the computer's mouse and/or keyboard, but manipulating the mouse/keyboard will change data on the suspect's machine. You say, "But I'm not allowed to change data on the suspect's machine!" That may be the guidance given, but it is more appropriate to take the position: "I will do the most appropriate and reasonable actions during seizure to ensure I retain as much of the relevant information as possible. Here is the documentation of my actions." The focus here is on reasonableness and the documentation of actions. Also, it is important to key in on the retention of the relevant information, which includes the information of potential evidentiary value and does not include the Registry changes made to indicate that a shutdown occurred.
Simply put, moving the mouse to determine the OS and starting a shutdown sequence did not place 5,000 images of child pornography on the computer's hard drive. However, pulling the plug on a Linux system may actually impact the ability to recover those same images. There is no one correct answer to the pull-the-plug question. If you have the skill and knowledge to determine the operating system of the suspect computer and you determine that the operating system and other data could be damaged by pulling the plug, then shut the machine down properly. Document your actions and explain clearly and knowledgeably how you prevented damage to the computer, and possibly to the evidentiary information, by following a shutdown procedure. Show how your actions preserved the evidence, as opposed to corrupting it. If you have the skill and document the steps you followed, you have solid footing on which to defend your actions. If you do not possess such skill, or if the more advanced techniques are not working in a given situation or on a particular piece of hardware, then by all means, pull the plug.
Factors Limiting the Wholesale Seizure of Hardware
Earlier we contrasted the historic seizure context with the current context and discussed how the historic context placed a focus on the on-scene seizure of data objects, as compared to the current situation where the focus of the on-scene activities is to seize all the physical containers. The question I pose to you is this: Are we heading in the right direction by focusing on the seizure of the physical hardware (the container items) rather than focusing on the seizure of the relevant information (data objects)? Earlier seizures of digital evidence focused on data objects because it was impractical to attempt to image an entire server, based on the high costs of storage media. I suggest we are heading toward a similar impracticality, although this time our inability to seize all the information is based on a number of different factors, including massively large storage arrays, whole disk encryption, the abundance of non-evidentiary information on media and related privacy concerns, and the time involved in laboratory forensic analysis. At some point in the future, the process by which we image entire pieces of media for forensic analysis will become obsolete (Hosmer, 2006). I suggest we make the distinction that there are other options beyond wholesale seizure available to our responders. We need to train our responders to have the ability to perform on-scene data preview, full data imaging, and imaging of only the relevant data objects. Further, we need to begin to change the wholesale seizure paradigm now, for all responders and not just the specialists, before we are faced with a greater volume of cases we are ill prepared to address.
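As an added illustration of the third option above, imaging only the relevant data objects, here is a shell script that is not part of this chapter or of any of the cited guides. It copies out only the files whose names match warrant-scoped patterns, keeps the relative path and the timestamps of each file, and writes a SHA-256 manifest that is re-verified against the copies before the responder leaves the scene, which is the same check the laboratory will repeat on receipt. The directory layout, file names and patterns are constructed for the example; on a real seizure the source would be a read-only mount of the suspect media and the destination a freshly wiped target drive.

```shell
#!/bin/sh
# On-scene logical acquisition of selected data objects with a hash manifest.
# Added example, not from the chapter. The sample tree built by
# make_sample_scene() is constructed for this example.

# SHA-256 of one file. sha256sum is GNU coreutils; shasum is the fallback on
# macOS and the BSDs, where a responder's kit may also have to run.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_objects SOURCE DEST PATTERN...
# Copies every regular file under SOURCE whose name matches one of the
# PATTERNs into DEST, keeping the relative path and (-p) the timestamps, and
# appends "<sha256>  <relative path>" to DEST/manifest.txt. Each copy is
# hashed again so a transfer error surfaces on-scene, not months later at the
# lab. Returns non-zero on any hash mismatch.
collect_objects() {
    src="$1"; dest="$2"; shift 2
    mkdir -p "$dest"
    : >"$dest/manifest.txt"
    list="$(mktemp)"
    for pat in "$@"; do
        find "$src" -type f -name "$pat" >>"$list"
    done
    status=0
    # Read from a file rather than a pipe so that variables set inside the
    # loop survive in this shell.
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dest/$(dirname "$rel")"
        src_hash="$(hash_file "$f")"
        cp -p "$f" "$dest/$rel"
        if [ "$(hash_file "$dest/$rel")" != "$src_hash" ]; then
            echo "hash mismatch after copy: $rel" >&2
            status=1
        fi
        printf '%s  %s\n' "$src_hash" "$rel" >>"$dest/manifest.txt"
    done <"$list"
    rm -f "$list"
    return "$status"
}

# verify_manifest DEST: rehash every copied object against the manifest.
# Returns the number of mismatches (0 means the collection is intact).
verify_manifest() {
    dest="$1"; bad=0
    while read -r h rel; do
        [ "$(hash_file "$dest/$rel")" = "$h" ] || bad=$((bad + 1))
    done <"$dest/manifest.txt"
    return "$bad"
}

# Constructed sample scene: a home directory with two in-scope documents and
# one out-of-scope music file. Prints the path of the created source tree.
make_sample_scene() {
    root="$(mktemp -d)"
    mkdir -p "$root/Documents" "$root/Pictures/2006 trip" "$root/Music"
    printf 'ledger q1\n' >"$root/Documents/accounts.xls"
    printf '\377\330\377\340JFIF' >"$root/Pictures/2006 trip/IMG_0412.jpg"
    printf 'not in scope\n' >"$root/Music/track01.mp3"
    echo "$root"
}

# Usage: sh collect.sh --demo  (collect spreadsheets and JPEGs, then verify)
if [ "${1:-}" = "--demo" ]; then
    scene="$(make_sample_scene)"
    collect_objects "$scene" "$scene.evidence" '*.xls' '*.jpg' &&
        verify_manifest "$scene.evidence" &&
        cat "$scene.evidence/manifest.txt"
fi
```

The manifest, together with the action log the responder keeps, is what makes a selective collection defensible: it ties each copied object to a hash taken from the original media at the scene, and a later verification that fails points at a transport or handling problem rather than at the responder's choice of what to collect.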
Size of Media
Storage devices are getting big, very big. Now, at the end of 2006, it is quite common for a single hard drive to contain 100 gigabytes of information, roughly equivalent to a library floor of academic journals. It is very achievable for the home user, both technologically and financially, to put together a 2-terabyte storage array, an array that could house the complete works within an entire academic research library (SIMS, 2003). Storage is relatively cheap, and people are taking advantage of the extra space by storing music and movies and by creating mirrored backups (RAID 1 arrays). The typical crime that involves a computer won't include a multi-hundred-terabyte server, but showing up at a crime scene with a 200-gigabyte destination drive and finding a 1.5-terabyte RAID will certainly have a negative impact on your ability to create an on-scene image of the data. What exactly happens when the full 1.5 TB RAID and 200 DVDs are seized and brought back to the forensic laboratory for analysis? Do you actually have the hardware and software to acquire and process that much data? If the laboratory is not a regional or state lab, but a small laboratory set up at the local agency, the answer might be yes, but processing the case might use the entire budget set aside for target drives for the entire year on that one case. Once the data is examined, does the jurisdiction or local policy dictate that the imaged data be archived? At some point, the ability to seize and process everything will exceed the budget set aside for the purchase of forensic processing computers, target drives, and archival media and will also exceed the time available for forensic examiners to process the case.
Disk Encryption
A number of encryption programs exist now that provide whole disk encryption, a common one being PGP from pgp.com. These types of encryption programs encrypt all the data on the hard drive and are generally transparent to the user, meaning that one password in the startup sequence "unlocks" the contents for viewing and editing. Of course, looming on the horizon is the Windows Vista operating system, purported to incorporate BitLocker Drive Encryption tied to the Trusted Platform Module (TPM) cryptographic chip in the higher-end versions of the operating system. Whole disk encryption has some serious implications for law enforcement when performing seizures. First, if whole disk encryption is enabled on a running computer, and the computer is shut down or the power is removed, there is a very good chance that the data on the drives will be unrecoverable without the proper key. Responders may need to determine whether a whole disk encryption program is enabled before shutting down or pulling the plug on a computer during seizure. If one is present, bringing the computer back to the lab for analysis may be futile. One of the best chances to retrieve the evidentiary information is while the machine is running and the user has access to the files. Second, the implementation of the TPM chip may lock the drive so the data may only become available on a specific machine. This would prevent an image of the drive from being booted in another computer or viewed with a computer forensics program. The use of disk encryption is forcing law enforcement to have other data seizure options available beyond the seizure of physical hardware.
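The two checks that this section and the pull-the-plug discussion call for, identify the OS and find out whether a whole disk encryption container is in use before anyone touches the power, can be scripted for a Linux console. The script below is an added example, not code from this chapter, from Moore (2005) or from any of the cited guides. It uses `uname` and the `lsblk -P` key/value listing (util-linux), treats a dm-crypt mapping (TYPE="crypt") or a LUKS container (FSTYPE="crypto_LUKS") as evidence of disk encryption, records every step with a UTC timestamp in an action log, and prints a recommendation in the chapter's own terms. The sample `lsblk` listing and the log path are constructed for the example, and the recommendation is a starting point for the responder's documented decision, not a substitute for it. Run it as root, since `lsblk` may not report FSTYPE to an unprivileged user.

```shell
#!/bin/sh
# Pre-shutdown triage on a live Linux console: identify the OS, look for
# whole disk encryption, log every step. Added example, not from the chapter.
# The default log path and the sample lsblk listing below are constructed.

# Timestamped entry in the action log; this log is the documentation the
# chapter says a shutdown decision must rest on.
log_action() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" \
        >>"${TRIAGE_LOG:-/tmp/seizure-triage.log}"
}

# Prints linux, macos, bsd, windows, or unknown from uname alone; nothing is
# installed or written on the suspect machine to find this out.
detect_os() {
    case "$(uname -s 2>/dev/null)" in
        Linux)                echo linux ;;
        Darwin)               echo macos ;;
        *BSD)                 echo bsd ;;
        CYGWIN*|MINGW*|MSYS*) echo windows ;;
        *)                    echo unknown ;;
    esac
}

# Reads 'lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT' lines on stdin and prints
# the NAME of each LUKS container or active dm-crypt mapping. The key="value"
# format is used instead of the column format because lsblk collapses empty
# columns there, which would shift FSTYPE into the wrong field.
find_encrypted_volumes() {
    grep -E ' TYPE="crypt"| FSTYPE="crypto_LUKS"' |
        sed -n 's/^NAME="\([^"]*\)".*/\1/p'
}

# recommend_action OS ENCRYPTED_COUNT: the chapter's decision in three lines.
# Mounted encrypted volumes mean the plaintext exists only while the machine
# runs; UNIX-like systems are the ones the chapter says suffer most from
# power loss. Windows servers such as Windows 2000 Server are also better
# shut down cleanly, so the responder overrides the last branch when that
# is known.
recommend_action() {
    if [ "$2" -gt 0 ]; then
        echo "keep-running: acquire the decrypted volumes live before any power-off"
    else
        case "$1" in
            linux|macos|bsd) echo "graceful-shutdown: clean shutdown, then seize; document each keystroke" ;;
            *)               echo "pull-plug: no encryption seen and OS not identified as power-loss sensitive" ;;
        esac
    fi
}

# Run the checks on this machine and write the result to the action log.
triage() {
    os="$(detect_os)"
    log_action "OS identified as $os via uname -s"
    vols="$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT 2>/dev/null | find_encrypted_volumes)"
    n="$(printf '%s\n' "$vols" | grep -c . || true)"
    log_action "encrypted volumes: $n ${vols:+($(printf '%s' "$vols" | tr '\n' ' '))}"
    rec="$(recommend_action "$os" "$n")"
    log_action "recommendation: $rec"
    echo "$rec"
}

# Constructed sample: a LUKS root (sda2 unlocked as cryptroot) plus a USB stick.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/media/usb"'

# Usage: sh triage.sh --demo  (parse the sample)   sh triage.sh --live  (this machine)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LSBLK" | find_encrypted_volumes ;;
    --live) triage ;;
esac
```

On the sample listing the script reports sda2 and cryptroot and recommends keeping the machine running, which is exactly the situation the section warns about: once that box is powered off, the contents of sda2 are a LUKS container and nothing more until someone produces the passphrase. Everything the script did is in the log with a timestamp, so the keystrokes it cost can be accounted for in the way the pull-the-plug discussion asks.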
Privacy Concerns
Personal computers often contain myriad information about a person's life, including financial, medical, and other personal information, information related to their job (such as work products), and even information owned by several people, possibly a spouse, family member, or roommate. It's unclear how the criminal and civil courts would view a challenge from an impacted third party regarding the seizure of a common computer. However, if that third party maintained a blog or Web site, their information may be protected from seizure under the Privacy Protection Act (PPA) (42 U.S.C. § 2000aa). The PPA was specifically developed to provide journalists with protection from warrants issued to obtain information about sources or people addressed in their publications. The PPA reads "...it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." The PPA may not protect the person that possesses the information if that person is suspected of committing the criminal offenses to which the materials are related. Simply put, if you committed a crime and you have publishable information related to that crime on your computer, that information most likely will not be protected under the PPA. However, the PPA may protect the interests of a third party that uses or stores data on a computer, and may possibly protect the information of the accused if the information does not relate to the crime being investigated. The potential situations of commingled evidentiary data and publishable materials, each owned by a separate person, do sound unlikely if you only consider a single computer. But what if you consider a network addressable storage device located in a home network?
For example, let's say that such a storage device exists at the scene of a seizure. Every member of the household stores information on the device, and little Susie's unposted blog entries on her life as a brainy 15-year-old girl are located on the storage device commingled with the information described in the warrant. Although you may seize the storage device, you may also be involved with other court proceedings related to the violation of the PPA: civil, and possibly criminal, proceedings where you are the defendant!
The Secret Service ran across a similar situation in the case of Steve Jackson Games, Inc. v. Secret Service (Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432 [W.D. Tex. 1993]). The Secret Service seized two computers from the company, believing that the company's system administrator had stored evidence of a crime on company computers. The day after the seizure, the Secret Service learned that the computers contained materials intended for publication, materials that belonged to the company. Regardless, the Secret Service did not return the computers until several months had passed. The district court ruled that the Secret Service had in fact violated the PPA and awarded Steve Jackson Games $50,000 in damages and $250,000 in attorney's fees. The story of this raid goes well beyond the short summary provided here. The raid and the trial play a significant role in hacker mythology and also played a part in the formation of the Electronic Frontier Foundation (Sterling, 1994). Nonetheless, the moral of the story is that the Secret Service was not prepared to seize the specific information described in the warrant when they learned of the to-be-published materials present on the seized hardware. It's not known how the Secret Service would have changed their seizure methodology if they had known about the publishable materials before they served the warrant, but, for example, if they didn't have the capability of solely seizing the relevant data objects, the Secret Service might have had no other option but to seize the hardware. This example goes to show that having other seizure options available may be a critical skill that determines the success of an investigation.
Delays Related to Laboratory Analysis
If investigators of crimes involving a computer rely completely and absolutely on their computer forensic laboratory for the processing of their seized hardware in search of evidence, they are at the mercy of the timing dictated by the laboratory. From my experience, a computer forensic laboratory can process anywhere from 30 to 60 cases per examiner per year, possibly more depending on the types of cases they work and their equipment, but considering most forensic laboratories are government agencies, I doubt they are operating year after year on the most current computers available. To make matters worse, the increase in the size of storage media has far outpaced the increase in processor power. The same $500 that could afford a 100MB drive in 1991 can now put a 750GB drive in your pocket. Compare that to a 50-MHz Intel from 1991, next to a 3-GHz processor in today's fastest computers, and you'll see that the cost effectiveness of hard drives grew 125 times faster than that of processors from 1991 to the present (Gilder, 2006). Depending on the backlog at the laboratory, investigators can be faced with waiting up to, and over, a year for the results of their examination to be returned from the lab. I am unable to specifically quantify how delays in the forensic examination are impacting investigations and prosecutions, but I can offer my opinion that delays in the processing of digital evidence are one of the most significant impediments in investigations and prosecutions that have a digital-evidence nexus. Given the opportunity to perform an on-scene seizure of the relevant information versus being forced to wait one year for the results from the laboratory, the choice will be clear for many investigators. There are difficulties and challenges in seizing the information on-scene, but these challenges must be weighed against the time delay in receiving the processed evidence. One investigator I interviewed about this type of situation described a child pornography possession case where there was a chance that the accused possessor was also creating and distributing images of child sexual abuse. Unfortunately, the investigator had no means to preview the digital information on-scene or back at the department, nor did the investigator have the ability to perform a digital information analysis in-house. The computer was sent off to a computer forensics laboratory, where it sat in the queue behind other just-as-important cases. Because the information could not be reviewed, the investigator had no evidence to substantiate the drafting of an arrest warrant for either the possession of child pornography or the child sexual abuse. In such cases, any delay caused by a backlog at a forensics laboratory not only impacts an investigation, but also has a direct effect on a (potential) victim and continued victimization.
Protecting the Time of the Most Highly Trained Personnel
Digital devices have become almost completely ubiquitous in our current society. The legends of "convergence" are slowly coming true, where the line between computers, cell phones, cameras, and so on is now fuzzy and may disappear altogether in the future. IPv6 looms on the horizon and promises to equip every device, from cars to toasters, with an IP address. How do we find the time to train our law enforcement community in an entirely new set of skills? What is the balance between knowing enough and making a specialist out of everyone? Determining whether the individual data objects with evidentiary value are seized or the storage media is seized will likely depend on the technical prowess of the responding investigator. The best situation would be to have a team of highly trained digital evidence seizure specialists respond and then properly prepare a Windows computer for seizure. The reality is that there will never be enough computer specialists to respond to every crime scene, let alone a "team" of them, to seize every piece of information or computer involved either directly or peripherally in a crime. Looking forward, we can anticipate that the number of computers and other electronic devices requiring seizure and examination will surely increase. Clearly, from all accounts of the situation, the current methodology has its flaws. Delays in the examination of seized digital media are frustrating investigators and are impacting prosecutions. Although we clearly need more computer forensic specialists, do we have the resources, specifically the personnel, time, and money, to train and equip enough specialists to meet the current demand for seizures and exams? What about future demands? From what I have observed, I don't believe we have anywhere near the number of qualified personnel to address the current issues, let alone what the future will hold. Nor do I believe that the existing infrastructure can support the required increase in the number of computer forensic examiners or specialists. Most agencies fight for the addition of a single position, so I'm doubtful that the system will suddenly change and begin hiring scores of new personnel. The situation comes down to a simple law of economics: productivity will only be increased by adding more people or making existing people more efficient. We don't really have the ability to throw more people at the problem, so the only option is to do more with the people we have. As it pertains to cyber crimes and crimes with a high-technology component, this means we cannot continue to rely on computer specialists for every aspect of an investigation that involves a computer.
Every law enforcement agent, from on-scene responders to detectives performing investigations, now has a duty to begin to pick up the slack that has created the conflict between the large, and growing, number of crimes with a high-technology component and the relatively small number of specialists available to work these types of cases. We need to consider the computer specialists and the computer forensic laboratories as a finite resource, and any constructive work performed in the field by patrol officers or detectives reduces the strain on the forensic system. With this view, the most valued resource is the time of the highest-trained individuals. The general scenario of protecting the time of the most highly trained individuals so that they may focus on the most important issues is not a new concept. Those trained in hazardous material response work under a pyramid-like distribution of knowledge; the wide base of the pyramid consists of awareness-level trained people, while the small tip of the pyramid consists of highly trained specialists. Not only are these training levels generally accepted within the hazardous material response community, but they are codified in 29 CFR 1910.120(q)(6). The training code establishes the general level of knowledge, the hours of required training, and what can be expected from responders that have achieved each of the training levels. Because the different training levels are clearly defined, each responder on-scene understands their role and, more importantly, the role of other responders. Those with awareness-level training are taught to basically recognize that something bad has happened, call for help, and watch from a distance with binoculars. Operations-level training prepares responders to respond in a defensive fashion, without attempting to stop the release. Technician-level responders are trained to attempt to stop a hazardous material release, and specialist-level responders usually have specific knowledge pertaining to a particular chemical. At each level, the responder receives more training to be better prepared when responding to a scene. At the current time, it would not be practical to attempt to regulate or codify the training requirements or duties of those involved in digital evidence seizure, but it is important to recognize that people of different training levels will likely approach seizure in different ways (see Figure 2.3). The seizure methodology that is developed for the knowledge level of the nontechnical responder is in direct conflict with the best possible seizure scenario. Any seizure methodology adopted by an agency must be fluid enough to allow a minimally trained responder and a highly trained responder to both seize the digital information in the manner most applicable to their knowledge level.
Figure 2.3 Digital Evidence Seizure (figure not reproduced; remainder of caption illegible)
The Concept of the First Responder

Who exactly is the "First Responder" referenced in numerous digital evidence seizure guidelines and reports? Is the first responder simply the person that happens to be on-scene first? If yes, then the first responder could be any line officer. If every first responder needs to be trained to seize digital evidence, and we acknowledge that the seizure methodology will be necessarily fluid based on the responder's technical knowledge, you begin to see the problems involved with designing one particular training for first responders. A second issue is the number of hours of training that could be allotted for first responder training. Will the administration of an organization allow their personnel to take a half-day course on digital evidence seizure? Probably. Realistically, though, what could you cover in four hours of instruction? I would guess the limit would be the recognition of digital evidence. So, would a two- or three-day training be sufficient to cover the recognition of digital evidence plus the seizure of digital information? Possibly, but would the people attending that training still be considered first responders, or would the additional training necessitate that they become specialists in this area? I am doubtful an agency's administration would agree to send every line officer to a three-day training to be first responders. We are clearly caught in a catch-22. All line officers need to be able to seize digital evidence, but the first responder level of training may not fully equip the officers to seize the evidence. The level of training required to more completely understand the digital evidence seizure process may involve multiple days of training, and multiple days of training on a single topic will most likely not be provided to all line officers.
Unfortunately, it is not as simple as identifying one cadet in the academy who will specialize in investigating crimes with a cyber component, and putting this cadet through weeks of specialized training. The ubiquity of computers and digital evidence makes the training of one single person insignificant; everyone's expertise needs to be raised to allow the specialists to focus on more technically challenging crimes. There will be no clear-cut answer to this dilemma, but a number of factors could help mitigate the issue. First, law enforcement officers need more training in general computer skills. During a law enforcement officer's daily work, which is more likely: arresting a suspect, being involved in a shooting, or spending some time working at a computer? The answer is a no-brainer: computers are an integral part of the law enforcement landscape and most officers cannot go a day without having some level of mission-critical interaction with a computer. However, the general level of computer knowledge among law enforcement personnel is low, and use of a computer is rarely a focus in an academy setting. Providing law enforcement with basic, fundamental computer skills would not only impact their views toward digital evidence, but would also positively impact their daily work activities. Second, all law enforcement personnel should receive basic awareness-level training on digital evidence. Awareness-level training need only cover the basics of a computer and where digital evidence may be stored. It is important for all officers to recognize that storage media, particularly flash-based media, may be no larger than a postage stamp, yet possibly contain several gigabytes of information. Understanding that many seemingly single-purpose devices, such as cell phones or mp3 players, may contain other types of information (for example, documents may be stored on an mp3 player) will have important investigative implications far beyond simple search and seizure concerns. Perhaps the next time a drug dealer is arrested with a PSP, you may want to search him for a small flash media card; as a dealer, his contact list might be accessed from the flash card on the PSP. Until a more uniform level of basic knowledge and awareness is reached among law enforcement, it is hard to speculate how the increased awareness will benefit investigations. But as the saying goes, you miss 100 percent of the shots you don't take, and more appropriately, you miss 100 percent of the evidence you don't look for. Third, any seizure methodology developed and/or adopted by an agency must be fluid to allow for seizures to be conducted by both minimally trained individuals as well as highly trained specialists. Do you want to put your specialist on the spot when he breaks protocol to perform a function that is technically more appropriate?
Conversely, do you want the specialist to be on-scene at every warrant service, arrest, or vehicle search? There must be options within the methodology that allow each officer to act reasonably according to their skill level.
Other Options for Seizing Digital Evidence

The wholesale seizure of the physical storage device/media is arguably the most common form of seizure practiced by law enforcement responders today. The question remains, are there other options besides the seizure of physical devices that are available to responders? If yes, are these methods of seizure within the reach of anyone but the most technical of responders?
For a long time, up to and including today, many in the forensics community have placed little faith in the ability of responders on-scene to deal appropriately with the computers they may encounter. The direction was simply "Don't touch the keyboard. Pull the plug and send everything to the lab." In many cases, the forensics side of the house is correct to protect against the possible corruption or destruction of data by taking this hard-line approach (particularly based on the technology of yesterday), but at what cost? Although the computer forensics community might have intended to do the most good by promulgating the pull-the-plug mantra, we need to examine how disempowering the on-scene responders may affect the overall forensic process, from seizure through analysis to investigation and ultimately prosecution. The latest Search and Seizure of Computers and Obtaining Digital Evidence (Manual), published by the Department of Justice, supports the proposition that the seizure of digital evidence should be an incremental process, based both on the situation and the training level of the responder. The Manual describes an incremental approach as a search strategy (pg. 221) for the seizure of digital evidence from a functioning company where the wholesale seizure of all the computers from the company would be impractical. The Manual provides the following steps in its incremental approach:
1. After arriving on-scene, Agents will attempt to identify a systems administrator or similar person who would be willing to assist law enforcement in identifying, copying and/or printing out copies of the relevant files or data objects defined in the warrant.
2. If there are no company employees available to assist the Agent, the Agent will ask a computer expert to attempt to locate the computer files described in the warrant and will attempt to make electronic copies of those files. It is assumed that if the Agent is an expert, he/she would be able to proceed with the retrieval of the evidence.
3. If the Agent or expert is unable to retrieve the files, or if the onsite search proves infeasible for technical reasons, then the next option is to create an image of those parts of the computer that are likely to store the information described in the warrant.
4. If imaging proves impractical or impossible for technical reasons, then the Agent is to seize those components and storage media that the Agent reasonably believes include the information described in the warrant.
The Manual has a focus on Federal law enforcement, and the incremental search strategy is described in the context of responding to a functioning business where evidence of a crime may reside on the business's systems; hence the focus in the Manual on gaining assistance from the business's systems administrator. Even though, realistically, you are not going to ask the suspect for help in retrieving the files of interest, there is good reason to expand this incremental search strategy to the search and seizure of digital information that resides on non-business systems. First, many home users set up networks similar to what would be present in a small business. Second, the amount of storage on a home network may exceed the amount of storage used for business purposes, as home users are more likely to possess large music and movie files. Lastly, current and impending technologies such as whole disk encryption make the offsite analysis of storage media impractical, if not impossible. A mechanism must be developed now that enables responders to pull evidence off of a running system before these types of systems are in widespread use. Otherwise, we may be changing the paradigm a few years too late. Although the change in focus from hardware-as-evidence to information-as-evidence may be a radical departure from how many people currently view digital evidence, it is not exactly a new viewpoint. In fact, the change to a focus on the information as evidence may be a renaissance of sorts; the computer crime investigators of yesterday knew nothing other than the retrieval of relevant information from servers and networks. Much of the investigation of computer crime in a historic context related to examining events that occurred within a network infrastructure.
In his book from the pre-World-Wide-Web year of 1990, Spectacular Computer Crimes, Buck Bloombecker discusses numerous computer crimes, most of which involve attacks on the network infrastructure (virus, worm) or schemes that were enabled by the presence of a network infrastructure, such as stealing unauthorized computer time or manipulating the wire transfer system to steal bank funds. Crimes with a cyber component changed dramatically following the personal computing revolution, which went hand-in-hand with the rise of the World Wide Web. Prior to the 1990s, few people with personal computers used them solely for personal purposes. Prior to the 2000s, few people were providing personal information about themselves for the world to view. So it's not surprising that when we take a look backward, we see that the investigation of cyber crime involved incident response tasks, like pulling logs and records off of servers and other infrastructure-level digital devices, and less often concerned the seizure of a personal computer. Wholesale duplication of servers was impractical, storage costs were high, and so it was cost prohibitive to attempt to pull together the necessary equipment to image the entire server. Although the investigators of the time were breaking new ground, they knew enough to document their actions, make best efforts not to change the data objects with evidentiary value, and image the relevant data objects so they could be printed or referred to at a later date. Responders to network intrusion events were faced with no other option but to seize the relevant data objects, which is still the case today.
Responding to a Victim of a Crime Where Digital Evidence Is Involved

There is an old saying that all politics are local politics. Although I'm not quite convinced of the particular weight of that adage, I do believe that all crime is local crime. The Internet may have created a global community, but crime, even crimes committed over the Internet, will be reported to a local agency. It is imperative that local agencies have the ability to field a complaint regarding a crime with a cyber component and be able to respond appropriately. I have heard horror stories where complaints of e-mail harassment, auction fraud, and other crimes with a cyber component were just ignored by a local agency. Yes, a statement was taken and a report prepared, but no follow-up investigation was conducted. Worse, I have heard of agencies telling victims that the investigation of their complaint involved the seizure of their machine for forensic analysis, and that the analysis might take over a year to complete. I think it's pretty obvious why the complaint was dropped. The unfortunate part of the situation is that the responding officer (or local agency) places an improper focus on the technology and loses sight of the crime that occurred. Often, the technology used is secondary and of little relevance. It could be quite possible that harassing statements in an e-mail might be coming from someone the victim already knew. If the harassment occurred through some other non-seizeable, non-virtual means (for example, spray paint on a car), the officer would most likely follow up with a knock-and-talk with the suspect. The follow-up on the e-mail harassment should use the same logic. Does the investigation need to be focused on tracing an e-mail to its source when you already have a good idea as to who sent the e-mail? It is important that investigators do not switch off their investigative skills because a computer is involved.
When responding to a victim, the focus must be on having the victim provide the law enforcement officer with something that substantiates their complaint: a printout of the harassing e-mail with full header information, a cut-and-paste printout of the IM conversation where their child was sexually solicited, or a screenprint of a disturbing Web page. Any information that can be provided by the victim to a responding officer will increase efficiencies in the entire investigative process. The officer will be able to read the e-mail header and get preservation orders out to the ISPs; the detectives will be able to begin working the case, rather than securing another statement from the victim; and the computer forensics system won't be burdened by yet another machine requiring examination, particularly for data objects that could have reasonably been obtained on-scene. Cases occur where the victim's computer must be seized. The computer may have to be seized, depending on the situation, where harassment by e-mail or chat (when logging is enabled) violates a protective order. If a spouse or roommate finds child pornography on a computer, the computer should be seized since it contains contraband. But barring these unavoidable circumstances, the seizure of victim computers is often unnecessary and contributes to the logjam at the digital forensic laboratories. When communicating with a victim, be sure you let them know not to delete anything on their system until their complaint has gone through the entire process. Also be quite sure to document the steps the victim took to provide you with the substantiating evidence. If you had to assist the victim in any way (maybe you showed them how to see full headers on an e-mail, for example), make sure those actions appear in the documentation. Make a note of the system time on the computer, and verify that the evidence contains a time and date stamp, and that the time and date make sense to the victim. Lastly, be responsive to the victim's needs. Many crimes with a cyber component, particularly frauds and thefts, will have an international component that makes the apprehension of a suspect and reimbursement to the victim nearly impossible.
Be sympathetic and provide the victim with any resources that can assist them in dealing with banks, credit card companies, and creditors, such as a properly written police report. They have already been victimized; don't let your actions lead to a prolonging of the victimization.
Seizure Example

Here we will examine an example of a digital seizure to help explore the options available to on-scene responders. Let's start by saying that Sally receives a harassing e-mail from an anonymous sender. She believes it is a former co-worker named Sam, who has harassed Sally using non-computer-based methods before. The officer follows the guidance discussed in the "Responding to a Victim of a Crime Where Digital Evidence Is Involved" section and instructs Sally to print off a copy of the e-mail showing the full header information. Sally prints off the e-mail as substantiating proof to back up her complaint, and the officer leaves the scene with a statement from Sally and a copy of the harassing e-mail. You notice that Sally was not told that her computer would need to be seized and held for a year, which would, in effect, cause Sally to drop her criminal complaint and also drop her opinion of the police. Instead, the officer leaves the victim scene with a statement, and some level of proof to back up the complaint, which allows the investigation to proceed without undue hardship to the victim. The investigator then uses the information contained in the e-mail header to contact the e-mail provider, legal paperwork is sent to the provider looking for the account holder's information, and finally the e-mail is traced back to Sam's Internet service provider (ISP) account. We now have a general confirmation that the e-mail was sent from a computer connected to Sam's ISP account, although this could be any number of computers at Sam's house and possibly even be a neighbor using Sam's wireless access. The investigator drafts a search warrant affidavit looking specifically for the information that is relevant to this case, specifically a preserved copy of the sent e-mail. The investigator is careful to focus the search warrant on the information to be seized, and does not focus on the containers or storage media in which the information may reside. The investigator further notes that an incremental approach will be used, which dictates that onsite seizures will occur when possible, but that factors yet to be determined may necessitate that all digital storage devices and media that may reasonably contain the sought-after evidence be seized for offsite review. The investigator serves the warrant and finds a single computer at Sam's home. The system is on and, according to the suspect, has a Windows XP operating system.
Based on the suspect's assertion that the computer is password-protected, and he has not given the password out to anyone, it is reasonable to believe that the computer is used solely by its owner. At this point, the on-scene investigator is staring at a glowing monitor with a happy desktop picture of calming fields and clouds, but the investigator is now faced with a few tough decisions. The computer appears to be running Windows XP, which corroborates the suspect's statement. Windows XP can survive a rapid power loss, so pulling the plug is an option, but pulling the plug means that the entire computer would need to be brought back to the computer forensics laboratory for examination. The investigator knows that the backlog at the computer forensics laboratory is approaching six months, way too long to determine if the suspect is stalking the victim. In six months, the stalking could escalate if there is no police intervention (depending on the type of stalker), and the victim could be physically assaulted. Further, the investigator knows that Windows XP is equipped with the Windows Encrypting File System, a seldom-used folder and file encryption system that, if enabled, would make the recovery of the information on the system very difficult without the suspect's cooperation. The investigator thinks of other options at his disposal. The investigator could use a software preview tool in an attempt to locate the information stated in the warrant. In this case, Sam uses Microsoft Outlook as his local e-mail client, and a .pst file containing all the Outlook-related folders would exist on the system. This .pst should contain an e-mail in the Sent Items folder that matches the e-mail received by the victim. If the investigator had reason to believe there was information stored in the RAM that would be relevant to the case, the investigator could dump the RAM for later analysis. This might be the scenario if the investigator notices a draft of another e-mail currently on the screen. If the e-mail is found in the .pst during a preview, the entire drive could be imaged, or just the .pst could be imaged if the investigator has reason to believe that imaging the entire drive would be difficult. In this example, maybe the investigator would decide to pull the plug and deliver the computer to the lab. Maybe the investigator believes there is enough evidence based on the victim's complaint to have the suspect come to the station for a talk about what is going on. But maybe the hair on the back of the investigator's neck rises when talking to the suspect, and the investigator gets a gut reaction about the level of urgency regarding the case. Maybe the on-scene preview and securing the .pst provide the investigator with enough evidence to take the suspect into custody.
The important point is that without additional options to review the digital data, the investigator's hands are tied. In line with the incremental approach described in the Manual, the investigator may have other options available besides wholesale seizure, such as:
• Previewing information on-scene
• Obtaining information from a running computer
• On-scene seizure of information through the complete imaging of the media
• On-scene seizure of information through the imaging of a specific data object
In the next section, we take a look at the preceding options and discuss how each fits into the larger picture of responding to and investigating crimes with digital evidence.
Previewing On-Scene Information to Determine the Presence and Location of Evidentiary Data Objects

The on-scene responder must make conclusions about where the information described in the warrant is most likely to be present on the storage device or media. In the case of a CD or DVD, the preview is much less complicated, as the chances of inadvertently writing to a piece of optical media are much lower than if the responder were working with magnetic-based media. With a CD or a DVD, the responder could use a forensics laptop running any number of computer forensic tools to quickly acquire and examine the contents of the CD or DVD for review. A similar process could be conducted for flash-based media, although a greater level of care may need to be taken to ensure the media is not changed. Here, flexibility is once again a critical characteristic. Previewing a few pieces of optical media on-scene may be appropriate, but greater numbers of media may need to be taken off-scene for review at the laboratory. Technology exists that enables responders to preview the data on the storage media in an effort to locate the information described in the warrant. These "forensic preview software" packages, now in their infancy, are becoming more accepted within the community that investigates crimes involving a computer. The most common preview software packages come on CD and are essentially a Linux operating system that runs completely in RAM and does not require any resources from the hard drive(s). Several of these disks are in current use by law enforcement, including Knoppix, Helix, and Spada. Several controlled boots will need to be performed to ensure the correct changes are made to the BIOS to direct the computer to boot from the CD. Although best practices should be determined locally, I recommend that the power to all the hard drives in desktop computers be disconnected and that laptop hard drives be removed while controlled boots are conducted to determine how to change the boot sequence in the BIOS. Further information on using controlled boots to examine and change BIOS and CMOS information can be found in the seizure procedures in the publication Forensic Examination of Digital Evidence: A Guide for Law Enforcement (NIJ, 2004).
Once the system is booted to the forensic preview software, the computer's hard drives can be mounted, or made available, in Linux as read-only. Once mounted, the preview software will provide the responder with an interface to either search for the desired information through keyword searches, or the responder can navigate through the directory tree in an attempt to locate a given file or directory. If the information described in the warrant is located during a preview, the responder may choose to image the specific data object, file, or folder where the information is located. The responder may also choose to seize the entire hard drive, now that the preview has provided him with a greater level of comfort that this particular "container" includes the desired information. Over time, these forensic preview software packages will continue to evolve and develop as the problems with wholesale seizure become more evident and the need to focus the seizure on individual data objects from a digital crime scene becomes more apparent. It is hoped that the evolution of these tools will include the addition of features and special characteristics that make a tool "law enforcement specific." The lack of law enforcement specific features, such as intuitive interfaces, audit trail recordkeeping, and the production of evidence-quality data, is often an impediment to the adoption of commercial software by the law enforcement community (ISTS, 2004).
Obtaining Information from a Running Computer

If the investigator encounters a computer that is running, and the investigator believes there is information of evidentiary value stored in the computer's active memory, or RAM, there are options available that allow for the RAM to be recovered. For example, let's examine a situation where an investigator shows up on-scene at a location where a suspect has been chatting online with a minor or an undercover officer. When the officers arrive at the scene, the suspect quickly closes the chat window. By default, many chat programs do not keep a log of the chat sessions, and almost all of the actual chat activity happens in a portion of the program running in the computer's RAM. Without being able to obtain a dump, or download, of the RAM, there would be little chance to obtain any information from the suspect's computer about the chat session that just occurred. Chatting is not the only type of data that would be held in RAM. Passwords, unsaved documents, unsaved drafts of e-mails, IM conversations, and so on could all be held in the RAM, and in no other place on the computer. The investigator needs to decide if the information described in the warrant would reasonably be found in the RAM of the computer.
If the warrant describes information related to proof of embezzlement, there may be little reason to believe that the data held in the RAM would be relevant to the case. That is not to say that it isn't possible, but the responder needs to go through the process of determining the locations that have the highest probability of containing the information described in the warrant. Even if the suspect had worked on a relevant file and remnants of the same existed in the RAM, it would be logical to conclude that the file would be saved onto more permanent media, such as the hard drive. On the other hand, if the warrant detailed information related to inappropriate chat or instant messaging sessions, the RAM of the running computer would be the primary, and most likely the only, location where the information described in the warrant could exist. In this case, the use of a program such as Helix to "dump" the RAM to the responder's storage device would be a very high priority (Shipley, 2006). Be careful about what you wish for, however, as the RAM dump could include several gigabytes of semi-random information. Pieces of documents, Registry keys, API calls, and a whole host of other garbage will be interwoven into a gigantic text file. Minimization is still a factor even when the RAM has been identified as being one of the locations where relevant data could exist; if the data might reside elsewhere, it may be more productive to go that route than to attempt to carve it from the RAM dump. SEARCH, a national law enforcement training organization, recently published a primer on the collection of evidence from a running computer, which involves using preview software to obtain the contents of the RAM from a running machine before seizure (Shipley, 2006). SEARCH's article represents a departure from the norm in that the article recognizes that changes to the computer operating system will occur when a USB drive is inserted into the machine in order to receive the contents of the RAM. However, the important point highlighted by the SEARCH article is that the changes are known, explainable, and do not affect any information that has evidentiary value. "Hold on," you say, "moving the mouse and/or inserting a USB device will change the information on the suspect's drive, and that is strictly forbidden!" In response, I say that there are many in the investigative and legal communities who see little issue with a law enforcement agent performing operations that change data on a suspect's hard drive or other media, as long as the agent acted in a reasonable manner and documented their actions appropriately. The firm and absolute stance that data cannot be changed needs to be examined to determine if our cases have been negatively affected by the promulgation of bad advice.
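The passage above warns that a RAM dump is gigabytes of semi-random bytes from which the relevant chat or e-mail fragments still have to be carved, and that minimization applies to it. The following is an added example, not code from the book, from Helix or from SEARCH, showing the first pass an examiner typically runs over such a dump: carve runs of readable text (ASCII and the UTF-16LE that Windows programs keep in memory) and keep only those mentioning the keywords named in the warrant. The "dump" here is a constructed byte string, and both embedded fragments are invented.

```python
"""Carve readable strings out of a memory dump and filter them by warrant keywords.

Added example (not from the book, Helix, or SEARCH): the "dump" is a
constructed byte string standing in for a RAM image written to the
responder's own storage; the two embedded chat/e-mail fragments are invented.
"""
import re
from typing import List, Tuple

MIN_LEN = 6  # shorter runs are mostly noise (opcodes, pointers, padding)

# Printable ASCII runs, and UTF-16LE runs (Windows GUI programs, chat clients
# and browsers keep much of their text in memory as UTF-16).
_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a RAM dump: high-bit 'noise' bytes (never
    printable, never NUL) with one ASCII and one UTF-16LE fragment inside."""
    noise = bytes(0x80 + (i * 37) % 128 for i in range(2048))
    chat = b"[14:02] sam: did you get my email last night?"           # 45 bytes
    draft = "Subject: re: stop contacting me".encode("utf-16-le")    # invented draft
    return noise[:700] + chat + noise[700:1500] + draft + noise[1500:]


def carve_strings(dump: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every string run in the dump,
    ordered by offset; the same idea as the Unix `strings` tool."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in _ASCII.finditer(dump)]
    found += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
              for m in _UTF16.finditer(dump)]
    return sorted(found)


def find_fragments(dump: bytes, keywords) -> List[Tuple[int, str, str]]:
    """Minimization step: keep only carved strings that mention a keyword from
    the warrant, so the examiner reviews a short list rather than the whole dump."""
    wanted = [k.lower() for k in keywords]
    return [hit for hit in carve_strings(dump)
            if any(k in hit[2].lower() for k in wanted)]


if __name__ == "__main__":
    for offset, enc, text in find_fragments(build_sample_dump(), ["email", "contacting"]):
        print(f"0x{offset:08x} {enc:9s} {text}")
```

The offsets are kept in the output on purpose: a documented offset into the dump is what lets the finding be reproduced later by the laboratory, and the keyword filter is what turns a multi-gigabyte dump into a reviewable list.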
Imaging Information On-Scene Imaging of an entire hard drive on-scene is fairly common among the more technically savvy digital crime scene responders~even more so for private sector investigators that often face cases where the hard drives need to be examined, but the business in question is not comfortable with letting the original drive out of their possession. In both of these cases, the analysis of the imaged drive usually occurs back at the laboratory. Rarely do you hear of a drive being both imaged and previewed on-scene~although such a process may actually address a number of concerns about the use of preview software to review the information on a drive while o n - s c e n e ~ specifically, performing a preview of the evidence on the original drive. While the acquisition of an image of a drive on-scene may be fairly common among the more technically skilled, usually for corporate crimes, we find there is little use of this technique by less skilled personnel for low-level crimes. However, there are a number of good reasons to perform imaging on-scene for most computer crimes. First, as mentioned earlier, previews of the evidence can be performed on the imaged copy with less worry about the investigator inadvertently damaging information on the original hard drive. Second, in those instances where outside concerns prevent the seizure of the physical media, such as PPA concerns, third-party data, and multiple users of the computer, the imaging of the hard drive provides another option for the on-scene investigators.
Imaging Finite Data Objects On-Scene
In the current law enforcement climate, there is little discussion of the seizure of particular pieces of information. Generally, the entire computer is seized, and the seized computer is usually called "evidence." The data contained within the computer are reviewed at a later date for any files or other pieces of information that can help prove or disprove a given premise. From an outsider's perspective, it would appear as if the seizure of the entire computer is the preferred method of obtaining the evidentiary information, but we've established that imaging on-scene is fairly well accepted within the digital investigative community. So, are there other options that include the seizure of a finite number of data objects as evidence? If we can image the entire hard drive on-scene, there is an argument that we can image sections of it. We routinely ask companies and ISPs to do just that when we ask them to preserve evidence of a crime; rarely do we seize the ISP's servers, nor do we ask them to provide an image of the entire server so a computer forensics exam can be performed. Are there reasons why we can't use the same logic when responding to a suspect? The larger question is whether this type of seizure is appropriate. Are there circumstances when a finite amount of information is needed to prove guilt, and the seizure of the original hard drive is not an option? This discussion is very similar to the previous discussion regarding imaging the entire drive on-scene in situations where the physical media cannot be seized. There may also be situations where a finite piece of information would suffice to move the case forward. In these situations, the seizure of a finite number of data objects may be a viable option for responders.
In our case example discussed earlier, where Sam is accused of stalking Sally, let's assume that an arrest warrant hinged on the presence of the harassing e-mail on Sam's computer. If the preview of the computer showed that the e-mail in question existed on Sam's computer, and the investigator had the ability to image the .pst file that contained the e-mail, the investigator could take Sam into custody at this time and have all the evidence needed to wrap up the case. There would be no need to add yet another machine to the computer forensic backlog, and the investigation could be wrapped up immediately, rather than having to wait weeks to months for a completed forensic review.
The focus on the seizure of data objects discussed within the other options section does not transfer well to the seizure of computers suspected of containing child pornography. It is strongly recommended that guidance on the seizure of computers containing child pornography be obtained from the Internet Crimes Against Children (ICAC) Task Forces. This network of 46+ law enforcement agencies specializes in the investigation and prosecution of crimes against children facilitated by computer. Additional information about ICAC can be found at www.icactraining.org.
I can hear you yelling "WAIT! What if I think he might have child pornography on his computer?" Good question. If the warrant for the case specifies that the investigator can search for and seize the sent e-mail in question, then it would be hard to justify why the investigator spent all day looking through the suspect's vacation pictures for possible images of child pornography. A warrant for the seizure of a given piece of information that results in the seizure of a computer, or other digital storage device, does not give the law enforcement agent carte blanche to look through every file on the computer. As it relates to the child pornography question, if the investigator believes there is evidence of child pornography on the computer, the investigator is better off obtaining a warrant for the suspected child pornography rather than searching for evidence of one crime under the pretense of another crime. That is not to say there aren't instances when you may stumble across evidence of a different crime when reviewing digital information. Should the occasion arise when you are looking for one type of information under a specific warrant, and inadvertently find evidence of another crime, the legal guidance is that you should immediately stop the review and obtain a second warrant to search for evidence of the second crime. It is theoretically possible that you could finish examining the computer under the first warrant, and not specifically search for items pertaining to the newly discovered crime. However, that strategy is not recommended.
But do we have the tools necessary to enable us to copy off only the relevant data objects? Can this be done within a reasonable time frame? From a technologist's viewpoint, the technology is often more flexible than the legal framework within which the technology operates. The current technology allows us to search very rapidly through thousands of pages of information for keywords, a feat that would be all but impossible with paper records. But many of the specialized computer forensic tools are designed to be used in a forensic laboratory environment and not for on-scene response. These powerful forensic tools often require a fair amount of time to analyze and process the information on a target drive. Often, these laboratory examinations involve tools that may take hours to complete a given function, and the review of information often involves hours of poring through documents and graphics. If we consider that "time" is one of the most limiting factors when conducting on-scene analysis, there is definitely a conflict between the best technical analysis that could be performed and the time frame in which a reasonable on-scene analysis should be completed. The seizure of data objects from large servers in the course of investigating network intrusion cases is fairly common and accepted, but it is difficult to tell if the seizure of data objects will become more common in the everyday investigator's response toolkit. Although there appears to be a general legal and technological framework within which data object seizure can occur, it is still difficult to swallow the fact that the original evidence will be left behind.
The use of this technique on business computers and networks follows the argument that the business is a disinterested third party, and that if relevant data is missed, the investigator can go back and retrieve additional information because the business has no desire to interfere with the investigation. But would a spouse or roommate constitute a disinterested third party with regard to data on their computer? Can we develop tools that give the investigator a greater level of comfort regarding the thoroughness of the on-scene previewing/review? These questions, and others that will spring from discussions like this, will shape the way in which this technique, and the other options presented earlier, become accepted or rejected by the digital evidence response community.
Use of Tools for Digital Evidence Collection
Where the computer forensics of yesterday relied on very basic tools that allowed manual manipulation of the seized data objects, we have since developed tools that assist in the acquisition, organization, and examination of the data. Both the ubiquity of electronic information and the sheer volume of seized digital information have necessitated the use of tools to assist in the investigative process. Hardware and software write blockers and hard-drive duplication devices have reduced the chances of damaging the information on source drives. Tools beyond simple hex editors and command-line scripts were developed to assist the examiner in performing keyword searches, sorting data objects by file type and category, and scouring the source disk for file remnants in file slack space and drive free space. Tools like Autopsy Browser, SMART, iLook, Encase, and Forensic Toolkit are dramatic departures from manual command-line searching and have had a significant impact on the efficiency with which large volumes of data are examined. These tools have also increased the accessibility of digital evidence to those outside of the closed circle of highly trained forensic examiners. The way in which digital information is analyzed has changed over the years, obviously driven by the ever-increasing amount of information stored digitally. But other changes have been driven by the increase in our knowledge of how to work with digital evidence, most notably in the development of tools to assist in different phases of the investigative and forensic process. The use of software and hardware tools by on-scene responders can begin to address how we work toward achieving a greater level of data object seizure. Current tools, such as ImageMasster and Helix, begin to enable an on-scene responder to image an entire drive and to seize the contents of the RAM.
Other tools in this domain provide some capacity to preview the contents of a suspect drive and to image only the necessary information, as has been the case for years in the incident response disciplines. Some will argue that no one should use a tool if they cannot explain exactly what the tool is doing. In the computer forensics realm, this often translates to "no one should use a tool if they cannot perform, by hand, the operations that the tool is performing." There is a fair amount of disagreement on this position. The law enforcement community commonly uses tools where they can explain the basic principle, but not the exact manner in which the tool is accomplishing its task. For example, when an officer is trained on the use of the radar gun, she is taught the principles of the Doppler Effect and how the tool records the very precise timings between the sending of a radar impulse and the receipt of the reflected radar energy. The officer would also be shown how the unit is tested and calibrated to ensure reliability. In this way, the officer understands generally how the tool works; it is not reasonable to instruct them on how to construct the device, nor should the officer be required to manually calculate how the speed of a vehicle is determined from recorded radar signals in order to be a proficient operator of the tool. That is not to say that we should be able to use any tool without accountability. Tools that are used in the seizure or analysis of digital evidence must be tested. This testing is commonly performed by the organization using the tool, since the tool must be tested within the parameters of the agency's protocols, but larger tool verification efforts are underway at the National Institute of Standards and Technology (NIST). NIST has created tool testing specifications for disk imaging tools, physical and software write blockers, and deleted file recovery programs. A number of products have been tested under this program, and the results look very promising. Almost all of the programs or devices tested actually work as purported. That's not to say there are not issues with the NIST program. Technology changes faster than the standards development and tool testing processes, and the overall number of standards developed through the NIST program has been, unfortunately, small.
However, placing tools at the disposal of the greater law enforcement community has some significant impacts related to the overall model that we follow when working with digital evidence: If we are able to train officers/investigators on the proper use of a given tool, and the tool has passed muster through testing under a given protocol, whether at their local agency or at NIST, then the officer/investigator is empowered to take an active role in the recovery of digital evidence and in the investigation on the whole. It is clear that we do not have all the answers to the technological hurdles worked out, but the technology is often not the limiting factor, as was discussed earlier. Understanding that the technology will forever be changing and advancing, the legal community must begin to play an active role in providing the technologists with direction and boundaries. The technologists need to heed the legal guidance, examine how future issues will affect law enforcement, and begin designing tools that will provide a critical edge to the good guys.
Common Threads within Digital Evidence Seizure
The landscape of potential seizure environments is complicated, and the variations are nearly infinite. The level of knowledge of the on-scene responders spans a wide range of skills and abilities. Because the seizure process will be greatly impacted by the particular hardware and software arrangements and by the knowledge of the on-scene responder, it is unfortunately not possible to present one correct way to seize digital evidence. What does exist is a continuum of methods mapped against the complexity of the scene versus the skill of the responders. There are, however, basic threads that tie any seizure process together. The first thread is that you must be able to explain what steps you took to arrive at a particular destination. It does not matter if you come out of a building with a floppy disk or an entire network; you should be able to replicate each step in the process. If you were presented with an exact replica of the scene, you should be able to refer to your notes and do everything exactly the same, from arriving on-scene, to collecting the evidence, to walking out the door. In order to achieve this level of enlightenment, there are two sub-threads: (1) Document everything, and I mean everything. Have one person process the scene while the other one writes down every single, mind-numbing step. The documentation should be as complete as practically possible. If one is working alone in the seizure process, consider using a voice recorder and narrate each step for later transcription. The exact steps taken in the process become doubly important if and when the target computer is manipulated in any way, for instance, moving the mouse to deactivate the screen-saver, or initiating a shutdown sequence. (2) Confucius is credited with saying: "To know that you know what you know, and that you do not know what you do not know, that is true knowledge."
Translated for relevance to the second sub-thread here, it means that if you don't know what you are doing (or worse, what you just did...), or aren't really comfortable with determining the next steps, stop, and revert to a less technical seizure method, or seek assistance from someone more qualified. Your knowledge will be judged by your ability to know what you don't know, and when to stop, over the knowledge you do possess. The second thread is that you should seek the seizure method that best minimizes the digital crime scene. If you can reasonably come up with an "area," meaning drive, directory, file, and so on, where you believe the evidence will be located, it makes the most sense to look in that specific location for the digital evidence. Limiting or minimizing the crime scene has different implications based on whether the search for digital evidence is occurring on-scene, at the station, or back at the forensic laboratory. On-scene, minimization may include excluding professionally produced and labeled CDs from the seizure. Minimization may also include the use of software tools to preview the contents of a computer for a specific data object. Offsite minimization efforts may include searching only certain keywords or examining only a given file type. Even given our ability to search for and find most anything on a computer, we must remember that not every fact is relevant, and analyses that are 100-percent comprehensive do not exist. At the heart of minimization is the ability to know when to stop while looking for digital evidence. The third thread is that whatever is seized as having potential evidentiary value must be authenticated by the court before it can be admitted into the case. The ability of the court to authenticate the evidence is a significant issue related to digital evidence. Authentication is governed by Federal Rules of Evidence Rule 901 (28 U.S.C.), which states "The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims." The salient point of the definition for our discussions is that digital evidence can be authenticated by providing evidence that shows that it is in fact what it is purported to be. I realize that is a bit of cyclical logic, so let's break down the authentication process further for clarification. Evidence presented to the court can be authenticated a number of ways, including the identification of distinctive characteristics or by merely what type of evidence it is, as is the case for public records.
Evidence may also be authenticated by way of testimony to the fact that the matter in question is what it is claimed to be. Courts have upheld the authentication of documents based on testimony (U.S. v. Long, C.A.8 [Minn.] 1988, 857 F.2d 436, habeas corpus denied 928 F.2d 245, certiorari denied 112 S.Ct. 98, 502 U.S. 828, 116 L.Ed.2d 69). However, in the past, computer forensics has relied less on the testimony of those performing the on-scene seizure and more on the testimony of the computer forensic technician. Where the on-scene responder would be able to testify as to where the hardware was located before seizure, the computer forensic technician would take the position to defend their laboratory techniques. The computer forensics community chose to address the authentication issue by creating exact duplicates of the seized digital information and proving mathematically that the copied information was an exact copy of the seized information, and the courts have supported
the position that a duplicate of the information can be submitted in lieu of the original when it can be proved that the duplicate is the same as the original (U.S. v. Stephenson, C.A.5 [Tex.] 1989, 887 F.2d 57, certiorari denied 110 S.Ct. 1151, 493 U.S. 1086, 107 L.Ed.2d 1054). As it relates to our options for seizure discussed earlier, there are two salient points for discussion. The first is that the seized data, whether from a RAM dump or as a result of the creation of an image of the drive or file, may be authenticated by the testimony of the investigator who retrieved the evidence from the suspect machine. If the case involved a child pornography photograph, and the investigator saw the photograph during a preview, the investigator may be able to assert that the recovered photograph is the same photograph he saw during the preview. The second point is that the creation and matching of mathematical hashes provides a very high level of proof that the recovered data is an exact copy of the original. Although the best evidence rule states that the original should be provided whenever possible, U.S. v. Stephenson, noted earlier, shows that an exact duplicate is satisfactory when circumstances limit the production of the original evidence in court. Hard drives, the most commonly encountered type of storage media, are mechanical devices, and all mechanical devices will fail at some point, perhaps after days, months, or decades, but they will fail. By working off of a copy of the seized drive, and presenting the same in court, the investigator is reducing the chances of completely losing all of the data on the seized drive. Taking steps to reduce the chance of complete loss of the digital information relating to the case is but one of the reasons to justify the use of exact copies over the original data. The final thread is the admissibility of the evidence.
The admissibility of evidence is based on the authentication, and the authentication is based on the proof that the seized object is materially unchanged, proof that can be accomplished by showing a complete chain of custody (U.S. v. Zink, C.A.10 [Colo.] 1980, 612 F.2d 511). For digital evidence, the proof that the data is what it purports to be and is unchanged has been accomplished by both testimony and the use of cryptographic hash algorithms. Similar to how the forensic laboratory technician uses the hash function to show that the entire seized drive was copied accurately, the on-scene responder can refer to their detailed notes to testify as to the location of the seized information and show that the hash functions proved that the integrity of the data was not compromised during imaging.
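As an added example (not code from the book or from any of the tools it names), the following Python script carries out the hash-before, copy, hash-after acquisition of a single data object, such as the .pst file in the Sam and Sally scenario, writes the kind of log entry an on-scene responder would later testify from, and shows that a subsequent write to the evidence copy is detected. The file name, case identifier and examiner name are constructed placeholders.

```python
"""Added example (not from the book or its cited tools): on-scene acquisition
of one data object with the cryptographic-hash verification and written record
that the authentication discussion describes. Paths, case and examiner names
are constructed placeholders."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so large objects never sit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_object(source, evidence_dir, examiner, case_id):
    """Copy one data object into evidence_dir and append a log entry.

    The source is hashed before the copy and the copy is hashed afterwards;
    the two digests must agree or the acquisition is rejected. The source
    is only ever opened for reading."""
    source_hash = sha256_file(source)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copyfile(source, dest)
    os.chmod(dest, 0o444)  # the evidence copy becomes read-only on disk
    copy_hash = sha256_file(dest)
    if copy_hash != source_hash:
        os.remove(dest)
        raise RuntimeError("copy does not match source digest; re-acquire")
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_path": os.path.abspath(source),
        "size_bytes": os.path.getsize(source),
        "evidence_path": dest,
        "sha256": copy_hash,
    }
    # One JSON record per line: the responder's notes for this object.
    with open(os.path.join(evidence_dir, "acquisition_log.jsonl"), "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_object(entry):
    """Recompute the digest of the evidence copy and compare it with the log."""
    return sha256_file(entry["evidence_path"]) == entry["sha256"]


def run_demo():
    """Constructed scenario: acquire a stand-in mailbox file, confirm that the
    copy and the untouched source both match the recorded digest, then show
    that a later write to the copy is detected. Returns each check's result."""
    work = tempfile.mkdtemp(prefix="seizure_demo_")
    source = os.path.join(work, "suspect", "Outlook.pst")  # placeholder name
    os.makedirs(os.path.dirname(source))
    content = b"constructed mailbox contents; not a real PST structure\n" * 2000
    with open(source, "wb") as handle:
        handle.write(content)
    evidence_dir = os.path.join(work, "evidence")
    os.makedirs(evidence_dir)

    entry = acquire_object(source, evidence_dir,
                           "Investigator (placeholder)", "CASE-PLACEHOLDER")
    results = {
        "matches_hashlib": entry["sha256"] == hashlib.sha256(content).hexdigest(),
        "copy_verifies": verify_object(entry),
        "source_untouched": sha256_file(source) == entry["sha256"],
    }
    # Simulate an accidental write to the evidence copy after acquisition.
    os.chmod(entry["evidence_path"], 0o644)
    with open(entry["evidence_path"], "ab") as handle:
        handle.write(b"\x00")
    results["tamper_detected"] = not verify_object(entry)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the same digest would also be recorded in the handwritten or voice-recorded notes, since the log file alone travels with the evidence it describes.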
Determining the Most Appropriate Seizure Method
Clearly, there will be cases where the most appropriate action is to seize all the physical hardware at a suspect's location. Perhaps it is the only option that the minimally trained responder has at their disposal. Maybe the forensic preview software didn't support the graphics card for the computer. It's possible that additional keyword searches need to be performed or items need to be carved from drive free space, and both would be better performed in a controlled laboratory environment. There are any number of reasons why the on-scene responder will choose to seize the physical container, and that's OK! The important point is that the most appropriate method of seizure is chosen to match the responder's skill level, and that it appropriately addresses the type of crime. The minimization stage may provide the investigator with the places (computers, storage media, and so on) that have the highest probability of containing the desired information. A preview on-scene may verify that the information exists. In cases of child pornography possession, the on-scene preview may allow the investigator to take the suspect into custody right at that moment, or at least have some very frank discussions about the material found on the computer. The case may be provided to a prosecutor with just the previewed images, and discussions of sentences and pleas can occur immediately, instead of having to wait for a complete forensics examination. If the case is referred to trial, the full forensic analysis of the seized computer can be conducted at that time. On the other hand, maybe a full examination of the data should be conducted to determine if the suspect has produced any new images of child pornography, information that is critical in determining if an active victimization is occurring and is critical to the overall fight against this type of crime.
This simple scenario shows that the incremental approach and the seizure options discussed earlier are needed so as to even begin to get a foothold on crimes with a cyber component, but that circumstances may force investigators to throw out the incremental approach in favor of a complete examination. There are a few other key points relating to physical seizure. The first is that the entire computer will be needed by the laboratory to determine the system time and other settings related to the motherboard. If you plan on only seizing the hard drive, imaging the hard drive on-scene, or only imaging relevant information, follow the methodology outlined by NIJ in the Forensic Examination of Digital Evidence (NIJ, 2004) to use controlled boots to record the system time versus a trusted time source.
The second key point is that there are many computers and laptops that do not allow for easy access to the hard drives, which would make any attempts to image on-scene impractical and, as a result, require seizure of the hardware. For example, some laptop designs require the majority of the laptop to be disassembled to gain access to the hard drive. I strongly recommend that the disassembly of laptops or other hardware take place in a controlled laboratory or shop environment; there are just way too many little pieces and screws, often with unusual head designs, to be attempting a disassembly on-scene. In these cases, the physical seizure of the computer itself may be required even if you came prepared to image on-scene. The third key point is that there may be other nondigital evidence that could reside with the physical computer. Items such as sticky notes can be found stuck to a monitor; passwords or Web addresses can be written in pencil or marker on the computer enclosure; or items may be taped to the bottom of a keyboard or hidden inside the computer itself. I remember one story of a criminal who hid his marijuana stash inside the computer; the wife asserted that he had child pornography on the computer, and the computer examiner, and wife, were amazed when bags of marijuana were found inside the computer enclosure. One last note: Don't turn off the investigative part of your brain while conducting the seizure. Use all the investigative techniques you learned in the academy and employ during the execution of physical search warrants. You will get much further in the case if you use information from one source (computer/suspect) to gain more information from the other source (suspect/computer), but remember that Miranda rights may be applicable when having discussions with the suspect.
Summary
There is no doubt that the investigators of tomorrow will be faced with more digital information present in greater numbers and types of devices. Seizing the relevant evidentiary information is, and will continue to be, a critical step in the overall computer forensics process. The current view that the physical hardware is the evidence has now been joined by a different view that the information can be regarded as evidence; whether the hardware or information is viewed as evidence has a dramatic effect on how we "seize" or "collect" evidence both at the scene and in the forensics laboratory. A number of factors may limit the continued wholesale seizure of the physical hardware. The storage size of the suspect's computer hard drive or storage network may exceed an investigator's ability to take everything back to the forensics laboratory. Full disk encryption, now released as part of the Windows Vista operating system, may foil an investigator's ability to recover any data without the proper encryption key. Further, concerns over commingled and third-party data, covered by the Privacy Protection Act, may impact the ability of an investigator to seize more data than specified in the warrant. Lastly, the increasing amount of seized digital evidence is having an effect on the ability of many of the computer forensics laboratories to complete forensic analyses in a timely manner. Both investigations and prosecutions may be suffering because of delays in the processing of digital evidence. While the existing seizure methodology is focused on the seizure of hardware, investigators need to be able to select the most appropriate option for seizure according to the situation and their level of technical expertise. There are other seizure options that could be considered by the digital evidence response community.
On-site previews using Linux- or Windows-based bootable CDs allow an investigator to review the contents of a suspect's computer in a relatively forensically sound manner. Techniques exist to dump the RAM of a suspect's computer to attempt to recover any information that may be stored in RAM but not written to disk, such as passwords, chat sessions, and unsaved documents. Imaging on-scene is yet another option available to investigators. Full disk imaging, where a complete bit-by-bit copy of a hard drive is created on a blank drive, is more common and is currently used by a fair number of investigators. Less common is the imaging of select data objects that have evidentiary value. While still controversial, there appears to be a legal and technological framework that makes the imaging of data objects a viable option.
Clearly, there will always be more digital evidence than we can process within our existing organizational and governmental structures. More trained examiners in the field does not always equate to more trained examiners in the understaffed laboratories or out in the field. The time of the most highly trained personnel is one of our most precious resources. There is no possible way that the limited number of specialists can process electronic evidence at every scene. Not only would they not be able to cover every scene, the laboratory work would undoubtedly suffer. In order to protect the time of the most highly trained and specialized people, those with less technical knowledge need to receive some level of training that allows them to perform a number of duties normally performed by the specialist. In this way, knowledge and high-technology investigative skills are pushed down to all levels of responder. That is not to say that training for first responders isn't plagued with problems; the knowledge required to properly deploy advanced tools often exceeds the amount of time allotted for such training. We're caught in a Catch-22: all line officers need to be able to seize digital evidence, but the first responder level of training may not fully equip the officers to seize the evidence, and the level of training required to more completely understand the digital evidence seizure process may involve multiple days of training, and multiple days of training on a single topic will most likely not be provided to all line officers. The level of training will affect the responder's use of technology, and the technology encountered will dictate whether the responder's level of training is appropriate in a given situation. There will be cases where the most appropriate action is to seize all the physical hardware at a suspect location.
Perhaps it is the only option that the minimally trained responder has at their disposal, or maybe the technology encountered is so complex that none of the responders know exactly how to handle the seizure. As it stands now, the forensic collection and analysis system works, sometimes tenuously, and frequently at a snail's pace; however, we will undoubtedly continue to face more change: change coming in the way of new devices, higher levels of inter-connectivity, and the ever-increasing amounts of data storage requiring examination. Will the existing manner in which we go about seizing and examining digital information be sufficient in five years? Ten years? Are there changes we can institute now in the way we address digital evidence that will better position us to face the coming changes? I hope throughout this chapter that I made myself clear that I am not advocating any one seizure methodology over another; the critical take-away point is that we
need to provide our responders with options to choose the appropriate seizure method based on their level of technical skill and the situation at hand. I have found in my work with law enforcement in New Hampshire, as well as throughout the nation, that crimes that involve a computer closely map to crimes that do not involve a computer, all of it part of the migration of traditional crime into the digital medium. If we expect our law enforcement agents to be responsive to traditional crimes with a high-technology component, we must provide them with the appropriate tools and procedures to enable them to actually investigate and close a case. Asking investigators to send each and every case that involves a computer to a forensic laboratory for review is not a sustainable option. If we don't "push down" technical knowledge to investigators and line officers, the specialists will quickly become overwhelmed and investigations will grind to a halt, a situation that has already begun to occur across the country. The volume of computer forensic exams is only one factor that is driving us toward changing our approach to digital evidence seizure. As outlined in the previous pages, whole disk encryption, personal data and Privacy Protection Act concerns, and massively large storage arrays are all playing a part in the move to minimize the amount of information seized from a suspect machine. The landscape is quickly changing, and designing solutions to problems of today will not prepare us for the challenges of tomorrow. It is hoped that the change in focus away from the wholesale seizure of digital storage devices and media, in the appropriate situations, will better prepare our law enforcement agents and private sector investigators for the new technologies and coming legal concerns that the future holds.
Works Cited
Association of Chief Police Officers and National High Tech Crime Unit. Good Practice Guide for Computer based Electronic Evidence, Version 3.0. 2004. Available on the Internet at www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf (12/2006).
Bloombecker, Buck. Spectacular Computer Crimes: What They Are and How They Cost American Business Half a Billion Dollars a Year. Homewood, IL: Dow-Jones Irwin. 1990.
www.syngress.com
Carrier, B. and E. Spafford. "Getting Physical with the Digital Investigation Process." International Journal of Digital Evidence. Volume 2, Issue 2, 2003. Available at www.ijde.org (12/2006).
Computer Crime and Intellectual Property Section (CCIPS), Criminal Division. "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." United States Department of Justice. Washington, DC. 2002.
Gilder, G. "The Information Factories." Wired Magazine. Volume 14, Number 10, 2006.
ISTS. "Law Enforcement Tools and Technologies for Investigating Cyber Attacks: Gap Analysis Report." Institute for Security Technology Studies, Dartmouth College. Hanover, NH. 2004.
ISTS. "Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Research and Development Agenda." Institute for Security Technology Studies, Dartmouth College. Hanover, NH. 2004.
Meyers, M. and Rogers, M. "Computer Forensics: The Need for Standardization and Certification." International Journal of Digital Evidence. Volume 3, Issue 2, 2004. Available at www.ijde.org (12/2006).
Moore, Robert. Cybercrime: Investigating High-Technology Computer Crime. Anderson Publishing, LexisNexis Group. 2005.
National Institute of Justice (NIJ). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Office of Justice Programs, U.S. Department of Justice, Washington, DC. 2004.
National Institute of Justice. Electronic Crime Scene Investigation: A Guide for First Responders. Office of Justice Programs. U.S. Department of Justice. NIJ Guide Series. Washington, DC. 2001.
National Security Agency Information Assurance Solutions Technical Directors. Information Assurance Technical Framework, Release 3.1. 2002. Available at www.iatf.net/framework_docs/version-3_1/index.cfm.
Nolan, Joseph R. and Jacqueline Nolan-Haley. Black's Law Dictionary, Sixth ed. St. Paul, MN: West Publishing Company. 1990.
School of Information Management Systems (SIMS). "How Much Information?" University of California Berkeley. 2003. Available on the Internet at www2.sims.berkeley.edu/research/projects/how-much-info2003.
Shipley, T. and H. Reeve. Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community. SEARCH, The National Consortium for Justice Information and Statistics. Sacramento, CA. 2006. Available on the Internet at www.search.org/files/pdf/CollectEvidenceRunComputer.pdf (12/06).
Scientific Working Group on Digital Evidence (SWGDE) and International Organization on Digital Evidence. "Digital Evidence Standards and Principles." Forensic Science Communications. Volume 2, Number 2, 2000. Federal Bureau of Investigation. U.S. Department of Justice. Washington, DC.
Sterling, Bruce. "Hacker Crackdown." Project Gutenberg. Champaign, IL. 1992. Available on the Web at www.gutenberg.org/etext/101.
Technical Working Group for Electronic Crime Scene Investigation, Office of Justice Programs. Electronic Crime Scene Investigation: A Guide for First Responders. U.S. Department of Justice, National Institute of Justice. NIJ Guide series, NCJ 187736. Washington, DC. 2001.
United States Secret Service (USSS). "Best Practices for Seizing Electronic Evidence." 2006. Available on the Internet at www.secretservice.gov/electronic_evidence.shtml (12/2006).
United States Department of Justice. Federal Guidelines for Searching and Seizing Computers. United States Department of Justice. Washington, DC. 1994.
Federal Rules of Evidence (FRE) are available at judiciary.house.gov/media/pdfs/printers/108th/evid2004.pdf.
Federal Rules of Criminal Procedure (FRCP) are available at judiciary.house.gov/media/pdfs/printers/108th/crim2004.pdf.
Additional Relevant Resources
Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 US 579 (1993).
Noblett, M., M. Pollit, and L. Presley. "Recovering and Examining Computer Forensic Evidence." Forensic Science Communications. Volume 2, Number 4, October 2000. Federal Bureau of Investigation. U.S. Department of Justice. Washington, DC.
Duerr, T., N. Beser, and G. Staisiunas. "Information Assurance Applied to Authentication of Digital Evidence." Forensic Science Communications. Volume 6, Number 4, 2004. Federal Bureau of Investigation. U.S. Department of Justice. Washington, DC.
Brown, C. and E. Kenneally. "Risk Sensitive Digital Evidence Collection." Digital Investigation. Volume 2, Issue 2, 2005. Elsevier Ltd. Available on the Internet at www.sciencedirect.com/science/journal/17422876.
Brenner, S.W. and B.A. Frederiksen. "Computer Searches and Seizures: Some Unresolved Issues." Michigan Telecommunications Technical Law Review. Volume 8, Number 39, 2002.
Joint Administrative Office/Department of Justice Working Group on Electronic Technology in the Criminal Justice System. "Report and Recommendations." 2003. Available on the Internet at www.fjc.gov/public/pdf.nsf/lookup/CompInDr.pdf/$file/CompInDr.pdf (12/06).
Wright, T. The Field Guide for Investigating Computer Crime: Parts 1-8. 2000-2001. Available on the Internet at www.securityfocus.com/infocus/1244 (12/2006).
Solutions Fast Track
Defining Digital Evidence
• The term data objects is used in this chapter to refer to discrete arrangements of digital information logically organized into something meaningful.
• Digital evidence can be viewed as either the physical hardware or media that contains the relevant data objects or the data object itself. How the evidence is viewed, the physical container versus the information itself, impacts the method of seizure.
Digital Evidence Seizure Methodology
• The current seizure methodology employed by many law enforcement agencies focuses on the seizure of physical hardware.
• A revised methodology should provide high-level guidance about approaching non-standard crime scenes such as digital media identification, minimizing the crime scene by prioritizing the physical media, and the seizure of storage devices and media.
• Whether to pull the plug or shut down properly is a difficult problem facing this community. The answer lies in the technical ability of the responder versus the complexity of the situation.
Factors Limiting Wholesale Seizure of Hardware
• Several factors may limit our future ability to seize all the physical hardware. These factors include the size of media, disk encryption, privacy concerns, and delay related to laboratory analysis.
Other Options for Seizing Digital Evidence
• Based on factors that may limit future hardware seizure, we must educate our responders now about the other seizure options available.
• These seizure options include preview of information on-scene, obtaining information from a running computer, imaging information on-scene, and the imaging of finite data objects on-scene.
Common Threads within Digital Evidence Seizure
• A number of common threads tie all seizure methods together.
• Responders must be able to explain the steps taken during seizure. Documentation and knowing limitations is key.
• The seizure method should include minimization efforts.
• Any items seized must be able to be authenticated in court. Seized items must be admissible in court.
Determining the Most Appropriate Seizure Method
• The most appropriate seizure method will be based upon the knowledge and training of the responder, as compared with the type of crime and the complexity of the crime scene.
• The incremental approach and the seizure options discussed herein are needed in the fight against crimes involving digital evidence; however, there will be circumstances that force investigators to seize and analyze all hardware.
Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.
Q: What is your opinion on the certification of personnel? Can't we fix all the problems regarding admissibility of evidence once personnel are certified?
A: Certification of personnel is, in my opinion, counterproductive. One of the more commonly seen certifications is vendor-specific certification. These trainings are generally useful as long as the training certificate states that the person attended training, not that they are certified in the use of a tool. Another option is to obtain a certification through an independent certifying body. These types of organizations exist and they do provide a means by which a number of people can advertise their level of knowledge and skill, which is rather handy when reaching out for assistance across jurisdictional boundaries, as often occurs when investigating crimes with a cyber component. However, it is highly unlikely that the court system will give carte-blanche acceptance to a particular certification. If you were to testify as an expert, your certifications may assist you in passing muster as an expert witness, but the certification won't be an automatic bye onto the stand. Some last thoughts on certifications: Let's assume for a minute that Congress took up this issue and passed a law requiring that all computer forensic examiners must be a Certified Forensics Guru. As soon as the first person achieves the certification, it means that everyone else, by default, is not certified. Forensics personnel would need to spend time working on obtaining the certification, time that should be spent on existing cases. Finally, how would such an overarching certification affect onsite acquisition, live-forensic previews, and the seizure of digital evidence? Although there may be some benefits to such a certification, the negatives, particularly related to empowering all law enforcement to play a role in investigating crimes with a cyber component, appear to outweigh the potential positive effects.
Q: Is the seizure of data objects or evidence preview relevant when a computer or other device is actually stolen?
A: In the instance where the digital device was actually stolen, or generally when the hardware or media represent the instrumentality or fruits of a crime, then it is again appropriate, without question, to seize the physical hardware or media. In these cases, the hardware or storage media may itself be the "evidence" and there may not necessarily be a need to examine data objects on the computer or device (CCIPS, 2001). These types of seizures show why it is important to understand exactly how the computer was used in committing the criminal act. It is important to remember that not all crimes that involve a computer will necessarily involve digital evidence. What is worse is that many of these seized devices are needlessly processed by an overtaxed computer forensic system. As discussed earlier, remember to keep computers and digital devices in perspective, and look to use digital evidence only when appropriate.
Chapter 3
Introduction to Handheld Forensics
Digital Forensics The field of digital forensics has long been centered on traditional media like hard drives. Being the most common digital storage devices in distribution, it is easy to see how they became a primary point of evidence. However, as technology brings digital storage to more and more devices, forensic examiners have needed to prepare for a change in what types of devices hold a digital fingerprint. Cell phones and PDA (Personal Digital Assistant) devices are so common that they have become standard in today's digital examinations. (See Chapters 4 and 9 for more details on PDAs, iPods, and more.)
However, as you can see from these definitions, the scope of how they impact forensics is one that is very new and very different. These small devices carry a large burden for the forensic examiner, with different handling rules from scene to lab and with the type of data being as diverse as the suspects they come from. Handheld devices are rooted in their own operating systems, file systems, file formats, and methods of communication. Dealing with this creates unique problems for examiners. Performing a forensic exam on a cell phone or PDA takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored. Having a basis of knowledge to build on in order to start adding these types of devices into your forensic examination will help you not only be more comprehensive in your methods, but also gain new insight into your suspect.
What Is the Handheld Forensic Impact? Many people have asked me, "Why is the handheld device so important in my forensic processing?" My answer is somewhat simple. They are the only devices that your suspect can have with them at all times based on their size, and they have immediate access to them 24/7 because they are immediate boot cycle devices. In addition, these are the devices that typically hold all our dirty little secrets with colorful pictures and descriptive text messages. They are a vault of evidence for the forensic examiner. A lot of handheld devices are traded on popular auction sites online as people are always looking for the latest gadget they can show off. We gathered a variety of these devices for testing purposes and found that 80 percent of them retained the user's information on the device. The information ranged from complete address books and work related e-mails to pictures of intimate moments. Surprisingly, as we contacted the people to whom the devices belonged, most of them had no idea that the data was retained on the device, let alone recoverable. Dirty little secrets were ripe for the taking for a trained forensic examiner. These things make it so the handheld devices can carry some of the most crucial pieces of evidence in your forensic examination. The digital fingerprint on a handheld device is much larger than most assume. So now that we know how important a device can be in forensic processing, it is important to have a good understanding of how handheld forensics impacts the four main foundations of digital forensics.
Digital Forensic Foundations A sound forensic foundation is no different than other forensic foundations when dealing with handheld devices:
1. Evidence Collection
2. Evidence Preservation
3. Analysis
4. Reporting
These foundations are the core to dealing with all types of traditional digital devices. However, when it comes to the nontraditional devices like handhelds, these foundations change regarding how a forensic examiner would apply them.
There are certain levels of groundwork that have to be put into play to establish these foundations. The easiest way to understand and bring handheld forensics into your examination process is to compare and contrast what digital forensics has been dealing with for years in regard to hard drives and media, and show how handheld forensics are different. Table 3.1 breaks down each area of traditional forensics vs. the nontraditional in the areas of storage through examination.
Table 3.1 Comparison Table: Traditional and Nontraditional Forensics

    Hard Drive and Media Forensics (Traditional)    Handheld Forensics (Nontraditional)
 1. Storage device requiring a file system          Embedded system device
 2. Device is static                                Device is active
 3. Larger built-in storage capacity                Smaller on-board storage capacity
 4. Forensic acquisition: bit stream imaging        Forensic acquisition: active memory imaging

File System Differences
• Hard Drive and Media Forensics: Storage device requiring a file system
• Handheld Forensics: Embedded system device
As you can see, data on a handheld device is stored and handled differently from that on a hard drive. A hard drive has static memory, but a handheld device has active memory; a hard drive has large storage capacity, but a handheld device has very limited storage capacity; and so on. Because of this, the forensic processing of the data must be handled differently. Typically you will seize a hard drive or other piece of media and you know it will contain data associated with one of a few different file systems. These file systems can range from FAT, NTFS, to EXT2, but the base principle is the same; a file system manages the data. Handheld devices are designed differently. They might have items associated or attached to them that have file systems, like media cards. But overall the data itself is bound to the actual device to gain its structure. To clarify, according to whatis.com, an embedded system is some combination of computer hardware and software, either fixed in its capability or programmable. It is specifically designed for a particular type of application device. The impact of this design in forensics is dramatic because the tools the examiner uses must understand not only the operating system on the device that chooses how the data is stored, but also the design of the device to the chip set level to gauge how much storage is available on the device. Beyond this, the tool must understand how to communicate with the device in order to gain access at a low enough level to acquire all data available on that device for evaluation. An excellent example of this can be found in the earlier Palm OS PDA devices. These devices typically used a type of Dragonball processor as one of the main components on the device. This processor would determine the true capacity of the ROM (Read Only Memory) section of the device. The operating system would see a size that was reflected as smaller than what was actually writable to the device by the processor. The processor would set the size of memory allocation for the operating system to see, when in fact the device had more usable space that could be used by the savvy user. For the forensic examiner, it was crucial they used tools that would be able to communicate to the processor itself as opposed to the OS on the device in order to get all the potential evidence from the unit. The embedded nature of the device is what causes the extra steps to go into effect with the forensic processing.
Static versus Active
• Hard Drive and Media Forensics: Device is static
• Handheld Forensics: Device is active
When we say a device is static we do not mean that the device does not have the ability to change. Static means that, after the proper forensic procedure has been performed and followed, the device itself has no risk of changing while seized. In hard drive and media forensics a variety of different write protection devices are used to prevent this static state from changing. However, a handheld device is active even after proper seizure protocols have been followed. To best understand the handheld device, I have always compared it to a very popular game, Tetris. The object of the game is to match up blocks into a solid line design that then disappears from the display. The handheld device is somewhat similar as it is actively moving around data on the device to form solid lines of storage to ensure optimal use of its limited storage capabilities. This active system is part of what makes the handheld devices harder to deal with in forensics. In addition, a vast majority of handheld devices are also active wireless points ranging from the different cellular communication networks, to Bluetooth, to 802.11. They are all actively receiving some type of data. This makes the preservation foundation of forensics increasingly difficult, but not impossible as we will see walking through the seizure of these devices later.
Storage Capacity Differences
• Hard Drive and Media Forensics: Large built-in capacity
• Handheld Forensics: Smaller on-board capacity
If there is one thing that has impacted the field of digital forensics more than anything else, it would have to be the dramatic change in cost and capacity of storage. It used to be that a gigabyte of storage would have cost around $5.00 per gigabyte. Now, at times, it is under $1.00 per gigabyte. The average consumer has gone from a standard hard drive of 8 gigabytes in size to not being able to find a drive under 80 gigabytes. This is 10 times the growth that was expected, and has made some paradigm shifts occur with hard drive and media processing. Besides the processing power needed to create a forensic image of the staggering amounts of hard drive space available to the average consumer, the man hours and ability to sift through the mountains of data associated with this much storage has become almost impossible to combat. Handheld devices also have changed in their capacity, but not at the same dramatic rates as hard drives. Their on-board capacities have increased from 8 megabytes to over a gigabyte based on the storage structure of the device, which has had a huge impact on these small devices. Don't heave a sigh of relief with these small capacities, however. The counter to this is that the handheld systems require less space for one file than a hard drive would. The change is back to the core with the file systems on the devices and how they function. If you are never given a large space to live in you will find the most efficient method of using it. Since hard drives have always been larger, they have never had to account for their data as closely as that on the handheld device. Storage may be a race to see who can store what in a certain size, but the power will still remain in how the data will be put to this storage.
Imaging Techniques
• Hard Drive and Media Forensics: Forensic acquisition: Bitstream image
• Handheld Forensics: Forensic acquisition: Active memory image
This is probably the largest point of comparison and the one that is the hardest to comprehend for the seasoned forensic examiner. Bitstream image is considered to be a bit-for-bit copy of all data associated with the media device, including all allocated and unallocated data. This is a fundamental difference between a forensic image and a backup image that might be made using conventional software. The other fundamental difference is that a forensic image is verifiable and can be rechecked for accuracy. Active memory image is similar to a bitstream image as it is copying allocated and unallocated data. Where it differs from a traditional bitstream image is that there is more data available on the device either reserved by the manufacturer or encrypted and locked from access, making it inaccessible to the examiner. These unique characteristics are where you see the properties associated with imaging the devices change. Another reason it is referred to as an active memory image is based on the fact the data itself is constantly moving and being reallocated. This prevents the verification step of the hash value from serving the same purpose. It is still verification of an image; however, it is a verification of an image at just one point in time. Another way to think of this type of image is through the term snapshot forensics. A snapshot of the device is taken and that is the point of verification for the examiner. This is discussed more later in the chapter.
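The point-in-time nature of verifying an active memory image, as an added example that is not the book's own code or any forensic tool's: it models a write-blocked drive and a constructed handheld whose memory reallocates between reads, records whole-image and per-block SHA-256 hashes at acquisition, and shows that the snapshot still verifies against its own hash while a second acquisition differs in identifiable blocks. The block size, device contents and class names are assumptions made for the example.

```python
"""Snapshot verification of an active-memory image versus a static bitstream
image (added example, not from the book or any vendor tool). All device
contents and the block size below are constructed sample data."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

BLOCK_SIZE = 64  # deliberately tiny so the constructed image has 4 blocks


@dataclass
class Snapshot:
    """An acquired image plus the hashes recorded at acquisition time."""
    taken_at: str
    image: bytes
    image_sha256: str
    block_sha256: list = field(default_factory=list)


def block_hashes(image: bytes) -> list:
    """Hash each fixed-size block so later comparisons can localise changes."""
    return [hashlib.sha256(image[i:i + BLOCK_SIZE]).hexdigest()
            for i in range(0, len(image), BLOCK_SIZE)]


def acquire(read_device, when: str = None) -> Snapshot:
    """Read the device once and record whole-image and per-block hashes."""
    image = read_device()
    when = when or datetime.now(timezone.utc).isoformat()
    return Snapshot(when, image, hashlib.sha256(image).hexdigest(),
                    block_hashes(image))


def verify(snap: Snapshot) -> bool:
    """Re-hash the stored image. This proves the image is unchanged since
    acquisition; it says nothing about the live device afterwards."""
    return hashlib.sha256(snap.image).hexdigest() == snap.image_sha256


def changed_blocks(a: Snapshot, b: Snapshot) -> list:
    """Indices of blocks whose content differs between two snapshots."""
    return [i for i, (x, y) in enumerate(zip(a.block_sha256, b.block_sha256))
            if x != y]


class StaticDevice:
    """Constructed model of write-blocked media: every read is identical."""
    IMAGE = b"disk-sector-data".ljust(BLOCK_SIZE * 4, b"\0")

    def read(self) -> bytes:
        return self.IMAGE


class ActiveDevice:
    """Constructed model of a handheld's active memory. Between reads the
    device compacts a record (the Tetris-style reallocation in the text)
    and receives a new message over its radio."""

    def __init__(self):
        self.mem = bytearray(BLOCK_SIZE * 4)
        self._write(0, b"CONTACT:Alice 555-0100")   # block 0 (offsets 0..63)
        self._write(140, b"SMS:meet at noon")        # block 2 (offsets 128..191)

    def _write(self, offset: int, data: bytes) -> None:
        self.mem[offset:offset + len(data)] = data

    def read(self) -> bytes:
        image = bytes(self.mem)        # what the examiner's tool captures
        self._background_activity()    # the device keeps running afterwards
        return image

    def _background_activity(self) -> None:
        record = bytes(self.mem[140:156])
        self._write(140, bytes(16))            # compaction frees block 2 ...
        self._write(24, record)                # ... and packs it into block 0
        self._write(200, b"SMS:running late")  # new message lands in block 3


def demo() -> dict:
    """Acquire each device twice and summarise what the hashes show."""
    static = StaticDevice()
    s1, s2 = acquire(static.read, "t0"), acquire(static.read, "t1")
    active = ActiveDevice()
    a1, a2 = acquire(active.read, "t0"), acquire(active.read, "t1")
    return {
        "static_repeatable": s1.image_sha256 == s2.image_sha256,
        "static_changed_blocks": changed_blocks(s1, s2),
        "active_image_verifies": verify(a1),   # the snapshot itself still verifies
        "active_repeatable": a1.image_sha256 == a2.image_sha256,
        "active_changed_blocks": changed_blocks(a1, a2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-block list is what lets the examiner document that the second acquisition differs only in the regions the device reallocated, rather than leaving an unexplained hash mismatch in the notes.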
Evidence Collection Collection is a very sensitive area for forensics because if this stage is not handled properly the rest of the forensic process is not needed. Good collection tools and techniques are crucial to having good viable forensic evidence. The basic rules of collection are somewhat simple in regards to handhelds:
1. Always know what you are looking for. This comes into play a lot with handheld devices. There is a very diverse range of devices that can easily blend into the environment. Cell/mobile phones in particular are designed to be almost a digital chameleon. Devices are now starting to look like everyday items such as pens, watches, and even makeup cases. The potential is endless and with so many different things to look for, our digital collection process has just gotten harder.
Figure 3.1 An Example of How Modular Devices Have Become
The phone shown in Figure 3.1 is a good example of how modular devices have become: a multiposition camera was a major selling point for this particular device.
2. Always remember, multiple points of evidence are available. Handheld devices are rarely seen alone. Most of the time they will be seized as accessories to larger desktop or laptop systems. However, we now even accessorize our accessories. Figure 3.2 shows an example of a standard handheld media card. Notice the form factor being smaller than a fingerprint. However, the fingerprint it holds can make or break a case.
Figure 3.2 An Illustration of How Small the Media Associated with Handhelds Have Become
3. In addition to the digital points of evidence, it is important to remember that biological evidence also exists. With handheld devices, especially given the extensive contact they have with the suspect's biological "ports," imprints of the suspect's person can still be found on the devices. Always handle with care and consult a specialist in the appropriate forensic discipline for forensic advice associated with the collection and handling.
Taking these somewhat simple collection principles and applying them for everyone that gets involved in the collection process can be very difficult. Most of the time, digital evidence is now collected in the field by what have come to be known as first responders.
First Responder Typically, first responders are not directly trained in the field of digital evidence, so it is important to get them the basic procedures and protocols to best provide a forensic lab with the most viable evidence. However, doing so in a manner that is applicable to their skills and interests is somewhat difficult. To make things easier for most first responders when dealing with handheld evidence, the handling and collection process has been broken down by device type. This is a very general method but has been found to be helpful to make sure the proper handling is done.

NOTE
A first responder is an individual first in contact with a forensic scene.
Simple cards, like the one shown in Figure 3.3, have been designed so that the first responder can carry them on their person. Each card is separated by the type of handheld device.
Figure 3.3 PDA Devices: The Front of the First Response Card
Figure 3.4 PDA Devices: The Back of the First Response Card
Figure 3.5 Cell/Mobile Devices: The Front of the First Response Card
Figure 3.6 Cell/Mobile Devices: The Back of the First Response Card
These evidence-handling cards are provided free by Paraben Corporation to departments or organizations to help them educate and facilitate the proper evidence handling of handheld devices. Requests should be sent to [email protected].
Collection to Handling With handheld devices, the first interaction with the device can be the most crucial. To understand the crucial points of handling associated with each handheld device, they have been broken down here into step-by-step instructions.
PDA Handling
1. Maintain the power on the device. The power on the device is what allows the device to maintain the data associated with it. Most of the PDA devices maintain potential evidence in RAM (random access memory) and without power, this memory is cleared on the device. There are a variety of devices that are now designed to help maintain power to a handheld device without a physical power supply. Most of these devices are battery powered and can be purchased through a forensic software provider or through a retail store. Figure 3.7 shows an example of one of the commercially available power supplies for phones and PDA devices. The different tips can be attached based on the model.
Figure 3.7 A Commercially Available Power Supply for Phones and PDA Devices
2. Gather all accessories, manuals, cables, and such. Remember that even our accessories have accessories nowadays, and it is important that all items that can potentially be associated with the devices are gathered as well. There are a lot of accessories that will affect the device's ability to run without them being present. It is important to remember that when in doubt you should take it with you.
3. Wireless devices need special handling. With all wireless devices, it is important to remember that you have to do your best to block the wireless signal from connecting to the device. This is discussed more in the cellular evidence handling section. However, some PDA devices do have the ability to turn the wireless functionality off through a simple switch or through the device interface. Depending on what type of device you are working with, this does have a risk of changing data on the device; it is recommended to follow the Faraday rules that are associated with cellular device handling as the best practice.
Cellular Handling
1. Maintain power on the device. Most cellular devices are not as power dependent as the PDA device is; however, they can also be sensitive to power. Power helps the device maintain the last state it was left in by your suspect, so for example if your suspect has entered a PIN code into the cell phone, the device will remain authenticated as long as you maintain the same state on the device.
2. Control the wireless to the device. Wireless access of a cellular device can create a rather tricky situation when dealing with it in the field. If the device is still actively receiving signals from the tower, there is a risk that additional phone calls, text messages, or even damaging applications from another source involved could be received by the phone, which all could ruin your potential evidence. To protect the device from these types of risks, the use of Faraday technology typically is deployed. The principle of a Faraday device is to act as a cage for wireless signals. The Faraday cage will cause the signals from the device to bounce back onto the device, preventing it from escaping. Figure 3.8 is an example of a first responder bag for handheld devices that acts as a Faraday cage.
3. There are other options besides commercial bags that can be used as a Faraday cage by first responders, but depending on the type of materials used and the type of device it is enclosing, you will receive varying results.
Figure 3.8 An Example of a Wireless Protection Bag for Cell and PDA Devices
4. Gather all potential accessories. When in doubt, teach first responders to take anything and everything. There is a large variety of accessories designed to connect or communicate with a cell phone. When in doubt, it is always better to seize the device and the accessories and sort through them in a controlled lab environment to determine their forensic viability.
5. Cellular devices have a unique seizure issue associated with their cables. Each cellular cable can be proprietary or unique to the device, so if the cable is available on scene it is strongly recommended that it be seized. There are excellent third-party cable kits (see Figures 3.9 and 3.10), put together by forensic as well as commercial companies, that are also recommended as part of your standard lab equipment.
Figure 3.9 An Example of a Comprehensive Cable Kit (Device Seizure Toolbox) for PDA and Cell Devices
Figure 3.10 An Example of a Cable Provided with the DataPilot Cable Kit
The preceding guidelines are based on available testing and devices that were available when this publication was put together. As technology evolves, so will the techniques required to deal with that technology in forensics.
Evidence Preservation
Typically, the preservation stage is associated with the actual processing of the evidence. Each forensic examiner will process evidence in a different manner, depending on how they were taught or on their organization's standard operating procedures. Following is a list of guidelines for evidence preservation that aid in a proper process regardless of the tool that is used. Preservation is based primarily on retaining consistent results that are verifiable through method and end content. This part of processing is what makes digital forensics more than just the use of software: it is the formulation of a process. The following are recommendations for establishing a proper preservation process in a lab environment.
Maintain the Device
The device will always be in an active, volatile state, and it is important that as little information as possible change on that device. Once a device arrives in a lab, it is important that it be checked for power and to make sure the wireless signal, if applicable, is still being blocked. For most lab environments it would be difficult to make the entire lab a Faraday cage, so smaller Faraday devices typically are used (see Figure 3.11).
Figure 3.11 The StrongHold Box Is an Excellent Lab Tool for Processing Cell and PDA Devices
These types of devices are more convenient than a bag system once the device itself is required to interact with a computer system for a forensic acquisition. Part of maintaining a device is also having a realistic expectation of what can be maintained. One of the differences between processing a static digital evidence item such as a hard drive and processing an active item such as a handheld device is that with the active item the hash verification is at risk of changing. The hash verification typically done at the end of the acquisition process is used to prove that the process is repeatable and to mathematically prove that the data has not changed. With handheld devices, however, the system is constantly processing data, and there is a risk that the data itself might change; that change would in turn change the hash value. This is where the step of maintaining the device comes into play. Once an acquisition is completed, the acquisition file can be verified and the analysis stage can begin. At the end of the analysis stage, the already-acquired data can be reverified, which shows that the analysis process did not affect the acquisition file. This is commonly referred to as snapshot forensics. Imagine the shift in paradigm that must take place for the traditional hard drive forensic examiner, who has always based examinations on the premise that data is static and does not change without being altered by an outside force.
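As an added illustration of the verification workflow described above (example code written for this edition, not a tool from the book or from any vendor), the following Python models a live device as a constructed in-memory stand-in whose state advances on every read. Two back-to-back dumps of the device hash differently, which is the volatility problem; the acquisition file taken at a given moment hashes identically after acquisition and again after a read-only analysis, and any alteration of that file is caught on reverification. The LiveDevice class, its record format and the stage names are assumptions made for the example.

```python
"""Hash verification for an acquisition taken from a live (volatile) device."""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash used for the acquisition file; any algorithm the lab documents will do."""
    return hashlib.sha256(data).hexdigest()


class LiveDevice:
    """Constructed stand-in for a powered-on handheld (an assumption of this
    example, not a real device interface). Its state advances on every read,
    and new data can still arrive if the device is not shielded."""

    def __init__(self) -> None:
        self._records = ["sms:0001 hello"]   # constructed sample content
        self._uptime = 0

    def dump(self) -> bytes:
        # Each logical acquisition reads a device whose clock has moved on.
        self._uptime += 1
        image = {"uptime": self._uptime, "records": list(self._records)}
        return json.dumps(image, sort_keys=True).encode()

    def receive(self, record: str) -> None:
        # What happens when the Faraday shielding fails: the device changes.
        self._records.append(record)


@dataclass
class AcquisitionRecord:
    image: bytes                 # the acquisition file, the static artifact
    acquired_hash: str           # hash recorded at the end of acquisition
    verifications: list = field(default_factory=list)

    def verify(self, stage: str) -> bool:
        """Re-hash the acquisition file and log whether it still matches."""
        ok = sha256_hex(self.image) == self.acquired_hash
        self.verifications.append((stage, ok))
        return ok


def acquire(device: LiveDevice) -> AcquisitionRecord:
    image = device.dump()
    return AcquisitionRecord(image=image, acquired_hash=sha256_hex(image))


def analyze(rec: AcquisitionRecord) -> dict:
    """Read-only analysis: parse the acquisition file, never write to it."""
    data = json.loads(rec.image)
    return {"record_count": len(data["records"]), "uptime": data["uptime"]}


def snapshot_workflow(device: LiveDevice):
    """Acquire, verify, analyze, reverify: the snapshot described in the text."""
    rec = acquire(device)
    rec.verify("post-acquisition")
    findings = analyze(rec)
    rec.verify("post-analysis")
    return rec, findings


def device_hashes_differ(device: LiveDevice) -> bool:
    """Two back-to-back dumps of a live device are not expected to hash alike."""
    return sha256_hex(device.dump()) != sha256_hex(device.dump())


if __name__ == "__main__":
    dev = LiveDevice()
    rec, findings = snapshot_workflow(dev)
    print(findings, rec.verifications)
    print("live device changed between dumps:", device_hashes_differ(dev))
    dev.receive("sms:0002 arrived while unshielded")
    print("device now holds", len(json.loads(dev.dump())["records"]), "records;",
          "acquisition file still verifies:", rec.verify("after device change"))
```

The point of the two hash checks is that they are taken on the acquisition file, not on the device: the device is expected to drift, the file is not, and the verification log is what goes into the report.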
Maintain a Forensic Data Connection
There are many different methods by which a handheld device can talk to another device. Cables, Bluetooth, and IrDA are a few, but many of these connection options also hold pitfalls for the forensic examiner. Sometimes the easiest option for connecting to a device is a Bluetooth or IrDA connection; however, these connections are not considered traditionally forensic. Both types of connection open a communication port on the evidence device. Once this port is open, a variety of things can happen to the device. An example is a typical Bluetooth connection on a phone: the connection exposes the device to modification by programs that call through that communication port. Write protection is not available over some of the wireless options, which puts the forensic examiner in a hard position. Can they verify with absolute certainty that no one else used that open communication method to alter the evidence? For some devices this is the only communication method available, and that necessity serves as the justification for using it. Most devices, however, have other options that are considered more forensically sound. A cable connection is always best for a forensic acquisition of a handheld device because it keeps the device's state under the examiner's control. It is also verifiable in court based on the communication protocols written for the device and cable.
Figure 3.12 An Example of the Proprietary Connections That Are Found for Cell and PDA Devices
Forensic Grade Tools
There are many tools available in the commercial market for handheld data use. These tools vary in function from phone book downloads to ring tone transfer tools, and each has its place in consumers' toolkits. However, the use of commercial tools that have not been forensically validated in handheld forensics can be a dangerous game.
1. Always test your tool and make sure you have a verification method in place for the data it provides.
2. Check the source of your tool; make sure it comes from a provider that is willing to support you in court.
3. Understand your tool's limits and what it was designed to do. Never rely on just one tool for all your examinations. The use of a primary and a secondary tool is always recommended to make sure you receive the best evidence possible.
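The primary/secondary tool recommendation above can be checked mechanically. The following Python is an added example, not code from the book or from any forensic product: two hypothetical tools, "tool A" and "tool B", export the same handset's text messages as CSV with different column names, phone number formats and timestamp formats (both exports are constructed sample data). The script normalizes both into a common record form and reports what the tools agree on and what only one of them produced; a record present in only one export is exactly what needs a third method before it goes into a report.

```python
"""Cross-validate a primary and a secondary handheld tool's exports."""
import csv
import io
import re
from datetime import datetime

# Constructed sample exports from two hypothetical tools. The columns,
# number formats and date formats differ on purpose; neither is a real product.
TOOL_A_EXPORT = """\
direction,number,timestamp,text
in,+1 (555) 010-0001,2007-03-01 14:05:00,see you at 3
out,5550100002,2007-03-01 14:07:30,ok
in,+15550100003,2007-03-01 15:00:00,call me
"""

TOOL_B_EXPORT = """\
Type,Address,Date,Body
Received,15550100001,03/01/2007 14:05:00,see you at 3
Sent,15550100002,03/01/2007 14:07:30,ok
Received,15550100004,03/01/2007 16:20:00,where are you
"""


def normalize_number(raw: str) -> str:
    """Reduce a phone number to digits; assume a 10-digit number is North
    American and add the country code (an assumption of this example)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def parse_tool_a(text: str) -> set:
    """Tool A rows -> (direction, number, ISO timestamp, text) records."""
    records = set()
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        records.add((row["direction"], normalize_number(row["number"]),
                     ts.isoformat(), row["text"]))
    return records


def parse_tool_b(text: str) -> set:
    """Tool B rows -> the same record form, mapping its vocabulary to tool A's."""
    direction = {"Received": "in", "Sent": "out"}
    records = set()
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Date"], "%m/%d/%Y %H:%M:%S")
        records.add((direction[row["Type"]], normalize_number(row["Address"]),
                     ts.isoformat(), row["Body"]))
    return records


def cross_validate(primary: set, secondary: set) -> dict:
    """Split records into agreed, primary-only and secondary-only buckets."""
    return {
        "agreed": sorted(primary & secondary),
        "primary_only": sorted(primary - secondary),
        "secondary_only": sorted(secondary - primary),
    }


def report(text_a: str = TOOL_A_EXPORT, text_b: str = TOOL_B_EXPORT) -> dict:
    return cross_validate(parse_tool_a(text_a), parse_tool_b(text_b))


if __name__ == "__main__":
    for bucket, rows in report().items():
        print(bucket)
        for row in rows:
            print("   ", row)
```

Normalizing before comparing is the whole trick: without it, "+1 (555) 010-0001" and "15550100001" would show up as a disagreement that is really a formatting difference, and the genuine discrepancies (one message each that only one tool recovered) would be lost in the noise.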
Preservation is about a process, and a process is simply thinking through what you need to accomplish and making sure the road you take is the best one. With all handheld devices there will be many detours in the road that frustrate and annoy any examiner, but the evidence they provide can make or break a case with something as simple as a text message.
Analysis and Reporting
Analysis and reporting are based primarily on the tools used by your particular lab. Before starting any examination process, I have always recommended finding out as much as possible about what you are about to examine. When dealing with handheld devices, there are a couple of very good Web resources that let you look up information on a particular device so you will have a better understanding of what to expect in your evidence:
www.phonescoop.com
www.wireless-forensics.com
www.phonefinder.com
Details on particular tools can be found in other manuscripts or from the manufacturers themselves. Handheld forensics is more than just a new forensic discipline; it is a new lifestyle choice for the field of digital forensics. With new devices coming out every day and more and more of the population switching to the handheld addiction, this area of digital evidence will only grow and expand with time.
Chapter 4
PDA, Blackberry, and iPod Forensic Analysis
Introduction
In this chapter we will discuss the concept of conducting a forensic investigation on data that has been read, stored or manipulated on some type of mobile device. The techniques for investigating a mobile device are similar to those for our more traditional storage devices; however, there are some notable differences that we need to be aware of while collecting potential evidence. Chapter 9 also provides more detail on iPod forensics.
PDA Background Information
A PDA is a handheld computing device that combines a multitude of functions and features. These features include things like computing, telephone, fax and Internet. Additionally, the PDA can, and most often does, contain some form of networking or other connectivity capability. Today a PDA is a powerful device: it can function as a cellular phone, fax sender, web browser and a personal organizer. These devices have reached such a level of power and functionality that they are in essence a mini-computer.
Components of a PDA
The PDA device has several components that we will discuss now. There are many components that can be part of the PDA; our intent here is to discuss some of the more common ones. The first component of the PDA is the microprocessor; all PDA devices have to have some form of microprocessor. This is similar to any microprocessor, the only difference being that the processor is restricted in the size it can be. Another component of the PDA is some form of input device; one of the most common means of input is the touch screen. In addition to these components, an essential component is the operating system that is running the software for the PDA device.
PDA Forensics
As discussed previously, the concept of PDA forensics is very similar to the procedures and methodologies that are used with any form of forensics. When we discuss PDA forensics there are investigative methods that you should use when it comes to performing a forensic investigation of a PDA.
Investigative Methods
There are four main steps when it comes to performing a forensic investigation of a PDA. These four steps are identified as follows:
1. Examination
2. Identification
3. Collection
4. Documentation
We start off by securing the evidence. It is essential that we follow a process that has been approved by some form of legal counsel to secure the PDA. When we seize the PDA we have to ensure we take the PDA, the docking cradle and any external memory cards. This is probably one of the most difficult things to control and requires that you conduct a thorough search for any and all memory cards. With the size of memory cards today, there is an extensive amount of evidence that you would be missing if you miss just one memory card. Once you secure the evidence, the next step is to acquire the evidence; as with any collection of evidence, you will have to create an exact image to preserve the crime scene. Once we have acquired the image it is time for us to examine the evidence. This is where we apply our tools to the evidence and look for potential evidence for our investigation. Once we have examined the evidence we have to present it; this step is usually completed by compiling an extensive report based on our investigation thus far. Our job as a forensic examiner is not over, because it is your responsibility as the examiner to maintain the evidence. This consists of keeping it in a secure location and, unlike other devices, you have to ensure the PDA remains charged so that data and information are maintained in a constant state. Now let's discuss the four main steps in more detail.
Step 1: Examination
In the examination step of PDA forensics we first need to understand the potential sources of the evidence. With a PDA these sources can be the device, the device cradle, the power supply and any other peripherals or media that the device being examined has come into contact with. In addition to these sources you should also investigate any device that has synchronized with the PDA you are examining.
Step 2: Identification
In the identification step of PDA forensics we start the process by identifying the type of device we are investigating. Once we have identified the device we then have to identify the operating system that the device is using. It is critical to our investigative process that we determine the operating system; furthermore, once we have identified the operating system it is important to note that the device could possibly be running two operating systems. During the identification process there are several physical clues that can assist us: the cradle interface, the manufacturer serial number, the cradle type and the power supply itself.
Step 3: Collection
During this part of our forensic investigation it is imperative that we collect data and potential evidence from the memory devices that are part of, or suspected to be part of, the PDA we are investigating. There are a multitude of these types of devices, so we will limit our discussion to just a few: SD and MMC semiconductor cards, microdrives and universal serial bus (USB) tokens. SD cards range in size from a few megabytes (MB) all the way up to several gigabytes (GB). Today, USB tokens themselves can range from a few MB all the way up to multiple GB. In addition to seizing and collecting the memory devices we also have to collect the power leads, cables and any cradles that exist for the PDA. Extending our investigation process further, it is imperative that we collect all types of information. This information consists of both volatile and non-volatile information; consequently, it is imperative we give the volatile information priority while we collect evidence. The reason for giving this information priority is that anything classified as volatile will not survive if the device is powered off or reset. Once the information has been captured it is imperative that the PDA be placed into an evidence bag and maintained on stable power support throughout.
Step 4: Documentation
As with any component in the forensic process, it is critical that we maintain our documentation and "chain of custody." As we collect our information and potential evidence, we need to record all visible data. Our records must document the case number, and the date and time it was collected. Additionally, the entire investigation area needs to be photographed. This includes any devices that can be connected to the PDA, or currently are connected to the PDA. Another part of the documentation process is to generate a report that consists of the detailed information that describes the entire forensic process that you are performing. Within this report you need to annotate the state and status of the device in question during your collection process. The final step of the collection process consists of accumulating all of the information and storing it in a secure and safe location.
PDA Investigative Tips
When it comes to the PDA device, there are several things we need to consider while carrying out an investigation. These devices can be managed and maintained by your suspect at all times. Adding further complications is the fact that PDA devices give their owner immediate access 24 hours a day, 7 days a week. Another thing that makes your job as an investigator more challenging is that PDAs are immediate boot-cycle devices. Having said that, it is important to remember these devices typically contain a plethora of information for the examiner, and are a vault of evidence for the forensic examiner.
Device Switched On
When you begin your investigation process and discover that the PDA you want to process for evidence is in the "on" mode, it is imperative that you act immediately and get power to the PDA, so that it will not lose the volatile information that could quite possibly be essential to our evidence collection process.
Device Switched Off
If the device is in the off state, leave the device in this state until you process it; then switch the device on and take a picture of the device. Additionally, you need to note and record the current battery charge.
Device in its Cradle
Avoid any further communication activities with the device. Remove any connection from the PC. It is important to note that a sophisticated suspect might have a "tripwire" in place, and once you disconnect the PC this could activate and run a script that erases potential evidence. Despite this possibility, you have to disconnect the device to continue the investigation.
Device not in its Cradle If the device is not in the cradle our investigative requirements are made much simpler, because there is no danger of a "tripwire" being triggered. With the device being out of its cradle, we simply seize the cradle and any cords associated with it.
Wireless Connection Avoid any further communication activities if at all possible. Eliminate any wireless activity by placing the device into an envelope that can isolate the device. This envelope needs to also provide anti-static protection, so that the device is not damaged.
Expansion Card in Slot Do not initiate any contact that requires taking components off of the device, or requires you to open the device in any way. This includes any and all peripheral devices and/or media types of cards.
Expansion Sleeve Removed
The first thing to accomplish is to seize the sleeve itself; additionally, seize any and all related peripherals and media cards.
Deploying PDA Forensic Tools
When we are conducting a forensic investigation in general, there is no shortage of tools available to us. Investigating handheld or PDA devices, however, does not offer as many tool choices as a typical forensic investigator will have.
PDA Secure
Our first tool to discuss is PDA Secure. This tool offers enhanced password protection, along with encryption, device locking and data wiping. The PDA Secure tool allows administrators greater control over how handheld devices are used on networks. Additional features of the tool are that it allows you to set a time and date range to monitor information such as network login traffic, infrared transmissions and any applications being used.
PDA Seizure
PDA Seizure is a comprehensive tool that assists us in seizing the PDA. It allows the data to be acquired, viewed and reported on. The tool works only within a Windows environment. This tool can extract the random access memory (RAM) and read only memory (ROM). The tool has an easy to use graphical user interface (GUI), and includes the tools that are needed to investigate the files that are contained within the PDA. PDA Seizure provides multi-platform support, and the forensic examiner can acquire and examine information on PDAs for both the Pocket PC and Palm OS platforms. The PDA Seizure tool has a significant number of features, including forensic imaging tools, searches on data within acquired files, hashing for integrity protection of acquired files and bookmarking capability to assist the examiner in the organization of information.
EnCase EnCase is one of the most popular commercial forensic tools available, and this tool can be used to acquire information and evidence from a PDA. The EnCase tool can acquire images, and also consists of tools that allow for us to conduct complex investigations efficiently and accurately.
Introduction to the Blackberry
The Blackberry is also known as a RIM device. The device is equipped with the RIM software implementation of proprietary wireless-oriented protocols; furthermore, the device is supported by the RIM Blackberry Message Center. The Blackberry (RIM) device shares similarities with the PDA devices we discussed earlier; however, the Blackberry (RIM) device is always on and participating in some form of wireless push technology. As a result, the Blackberry (RIM) does not require desktop synchronization the way the PDA does. This unique aspect of the Blackberry (RIM) device adds a different dimension to the process of forensic examination, and in essence this portability can be the examiner's greatest ally.
Operating System of the Blackberry
The current version of the Blackberry OS has numerous capabilities and features. These features include over-the-air activation, the ability to synchronize contacts and appointments with Microsoft Outlook, a password keeper program to store sensitive information and the ability to customize your Blackberry display data.
Blackberry Operation and Security The Blackberry (RIM) device has an integrated wireless modem; this allows the device to communicate over the BellSouth Intelligent Wireless Network. The Blackberry (RIM) device uses the Blackberry Serial Protocol. This protocol is used to backup, restore and synchronize the data that is communicated between the Blackberry (RIM) handheld unit and the desktop software. This protocol comprises simple packets and single byte return codes. The device uses a strong encryption scheme that safeguards confidentiality, and authenticity of data. It keeps data encrypted while in transit between the enterprise server and the device itself.
Wireless Security
The Blackberry (RIM) has a couple of transport encryption options. These options are Triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard). Those who want to implement the most secure method will elect to encrypt with the AES algorithm. The Blackberry has another feature referred to as the Password Keeper; this feature offers the capability of securely storing password entries on the device, which could consist of banking passwords, PINs, etc. This critical and important information is protected by AES encryption.
Security for Stored Data
There are several capabilities available on the Blackberry device when it comes to securing the data that is stored there. The first option we will discuss is the capability to make password authentication mandatory through the customizable IT policies on the Blackberry Enterprise Server. An additional protection from unauthorized parties is the fact that there is no staging of data between the server and the Blackberry device where data is decrypted.
Forensic Examination of a Blackberry
Since the Blackberry (RIM) is an always-on, push messaging device, information can be pushed to it at any time. It is important to note that this pushed information has the potential of overwriting any data that was previously deleted. The problem is compounded by the fact that, without warning, a multitude of applications may receive information, making the attempts by the forensic investigator to recover information and an unaltered file system much more difficult. The first step in preserving the information is to eliminate the ability of the device to receive this data push. If possible you could turn the radio off, or a better solution is to take the device to an area where the signal cannot be received; this can possibly be achieved by putting the device inside of a filing cabinet drawer, but your mileage will vary here. One might think, "I'll just turn it off." This would be a serious mistake! The Blackberry (RIM) device is not really "off" unless power is removed for an extended period or the unit is placed in storage mode; furthermore, once the unit is powered back on, any items that were in the queue waiting to be pushed to the device could possibly be pushed before you could stop them. As mentioned previously, and we will reiterate it here, it is quite possible that a change of state such as a power off of the Blackberry could result in a program being run on the unit that will allow the device to accept remote commands via email.
Acquisition of Information Considerations
The considerations for the Blackberry (RIM) device are similar in some ways to those for the PDA devices, but there are some differences, so let's take a look at the considerations you have to make when acquiring evidence from the Blackberry (RIM) device.
Device is in the "off" State If the unit is off at the time of acquisition, the investigator needs to take the unit to a shielded location before attempting to switch the unit on. If a shielded location is not readily available, you might have success using a safe or other room that can block the signal well enough to prevent the data push. One thing to consider is having a unit available that you can use to walk the network and area to test the coverage, and look for weak coverage areas to use.
Device is in the "on" State
If the device you are examining is in the "on" state then, as outlined and detailed above, you need to take the device to a secure location and disable or turn off the radio before beginning the examination.
Password Protected
One thing that has to be considered when it comes to password protection is the fact that the password itself is not stored on the device; the only thing stored on the device is a hash of the plaintext password. This storage is similar to the storage used by the majority of operating systems.
Evidence Collection
To collect evidence from the Blackberry we have to depart from traditional forensic method by requiring the investigator to record logs kept on the unit that will be wiped after an image is taken. There are several different log files that we want to collect evidence from:
Radio Status: this log lets us enumerate the state of the device's radio functions.
Roam and Radio: this log has a buffer of usually up to 16 entries, records information concerning the tower, channel, etc., and will not survive a reset.
Transmit/Receive: records gateway information, and type and size of data transmitted.
Profile String: contains the negotiation with the last utilized radio tower.
Once the log information is extracted and enumerated, then the image will be taken. If you do not require or need the log information, the image can be acquired immediately.
Unit Control Functions
The logs are reviewed by using the unit control functions; there are several functions we will discuss. The first function is the Mobitex2 Radio Status, which provides information on the Radio Status, Roam and Radio, Transmit or Receive and Profile String. The second control function is the Device Status; it provides information on memory allocation, port status, file system allocation and CPU WatchPuppy. The third control function is the Battery Status, and as the name implies it provides information on battery type, load, status and temperature. The last control function we will discuss is the Free Mem, which provides information on memory allocation, Common Port File System, WatchPuppy, OTA status, Halt and Reset.
Imaging and Profiling
When conducting a forensic examination of a Blackberry (RIM) device we need to conduct imaging and profiling. This is accomplished by extracting the logs from a developed image and acquiring a bit-by-bit backup image using the Blackberry (RIM) Software Development Kit (SDK). The SDK is available from www.blackberry.com and is essential for the forensic examiner when investigating a Blackberry (RIM) device. The SDK utility dumps the contents of the Flash RAM into a file. Once the Flash RAM is dumped it can be examined and reviewed using traditional methods with your favorite hex editor or other tool. In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK to match the network and model of the investigated unit.
Attacking the Blackberry
There are several tools and methods available that allow an attacker to go after the Blackberry. The first tool is the Blackberry Attack Toolkit, which along with the BBProxy software can be used to exploit website vulnerabilities. The second is the attack vector that links and tricks users into downloading malicious software to the Blackberry. The last method we will discuss is the method of hijacks, sometimes referred to as blackjacks. As the name implies, this allows someone to hijack a legitimate user's Blackberry (RIM) and replace it on the network with potentially harmful devices.
Securing the Blackberry (RIM)
There are several things we can do to secure the information on the Blackberry (RIM) device. The first is to clean the Blackberry (RIM) device memory, and we can protect stored messages on the messaging server. You can encrypt the application password as well as its storage on the Blackberry (RIM) device; furthermore, you can protect the storage of user data on a locked Blackberry device by limiting the password authentication attempts. It is possible to set a maximum of 10 attempts to gain access to the device. Additionally, you can use AES technology to secure the storage of the password keeper and password entries on the Blackberry device.
Information Hiding in the Blackberry (RIM)
When it comes to hiding information in the Blackberry (RIM) device, there are several places it can be hidden. You can create hidden databases, and you can hide information in partition gaps: data can be hidden in the gap between the Operating System/Application and file partitions.
Blackberry (RIM) Signing Authority Tool
This tool helps developers protect their data and intellectual property. It enables developers to control access to their sensitive Application Programming Interfaces (APIs). The tool provides this protection by using public and private signature keys: it uses asymmetric cryptography to validate the authenticity of the request. Furthermore, the signing tool allows developers to exchange API information in a secure manner and environment.
iPod Forensics
Apple Computer produces three separate digital media players, all bearing the iPod brand. Whether the original iPod, the iPod Nano or the iPod shuffle, all of these devices have the capability not only to play music but also to act as a storage device. The capability to store digital data, coupled with the iPod's popularity, will result in the forensic analysis of these devices becoming more common. (Also, see Chapter 9 for more on iPod forensic analysis.) Consequently, the National Institute of Standards and Technology (NIST) has developed guidelines for PDA forensics (Jansen & Ayers, 2004) that address this issue.
The secret is to treat the iPod as you would treat any other suspect hard drive being analyzed. Treat it with the respect and care it deserves and remember it is evidence.
The iPod
The Apple iPod family currently comprises five generations of devices for the primary units and two generations of ancillary models. These are listed below.
• First Generation iPod October 2001 saw the first release of the Apple iPod. This device connected using a FireWire jack and introduced the Apple physical scroll wheel. It used the original form factor and is the classic iPod design.
• Second Generation iPod Implemented larger hard drives (10 GB and 20 GB), introduced the touch-sensitive wheel and put a cover on the FireWire port, but was otherwise physically the same as the first generation iPod.
• Third Generation iPod The third generation introduced a central row of touch-sensitive buttons and a dock connector port. The primary connection was still FireWire, but USB was introduced for data syncing.
• Fourth Generation iPod The fourth generation of the iPod introduced the photo viewer; the color display was introduced at this stage. Either FireWire or USB could be used.
• Fifth Generation iPod The next generation introduced a video function and lyrics support. No AC adapter or A/V cable is included with this version; they must be purchased separately. The latest edition (generation 5.5) features a brighter display, a search function and longer battery life for video. Fifth generation iPods use only USB, with FireWire connections relegated to charging only.
The ancillary iPods include the following models:
• iPod mini The iPod mini is a slimmer version of its original cousin. These devices use either USB or FireWire connections and have either a 4 GB or 6 GB hard drive. This device implements a scroll wheel with integrated buttons. There are two generations of iPod mini.
• iPod nano The iPod nano implements flash memory storage. These devices are otherwise similar to the fifth generation iPod in many respects. The iPod nano uses USB connections, with FireWire for charging only.
• iPod shuffle Again there are two generations of the iPod shuffle. All of these devices implement flash memory instead of hard drive storage. The iPod shuffle uses USB connections, and the later models implement USB through the dock alone.
iPod Features
The iPod supports a variety of file formats including Protected AAC, AIFF, MP3, WAV, M4A/AAC LC and Apple Lossless audio file formats. From the introduction of the fifth generation iPod a number of video formats are also supported, including the .m4v and .mp4 MPEG-4 (H.264/MPEG-4 AVC) file formats. Additionally, iTunes has the capability to convert Windows WMA formatted files to an iPod format as long as they are not copy protected; the iPod is not currently able to play copy-protected WMA files. The iPod is also unable to play MIDI, Ogg Vorbis and FLAC multimedia formats, although it is possible to convert MIDI files to another format using iTunes. iTunes will not transfer songs from the iPod to a computer because of perceived copyright and other legal issues, and a number of third-party products have been created to circumvent this restriction. Current iPods include limited PDA functionality. Macintosh users have been able to synchronise schedules and contacts in their address book and iCal using iSync, and from the release of iTunes version 5.0 Apple has integrated the ability to synchronise contacts and schedules from iTunes to the iPod. Contacts maintained in either Microsoft Outlook or Outlook Express may be synchronised with the iPod in this manner. Mozilla calendar files use the same format as the iPod, so although there is no automated method to synchronise Mozilla data, these files may be copied to the iPod manually. Despite this functionality, however, the inability to add or update entries on the iPod itself limits its usefulness as a PDA. From a forensic perspective, this does not diminish the ability to capture data (including calendar entries and schedules) from the device.
The iPod as Operating System
The iPod can run as a small portable computer system. iPodLinux is a µClinux-based Linux distribution (see http://ipodlinux.org/Main_Page for details) with a kernel specifically designed to run on a number of iPod devices. Wikipedia (http://en.wikipedia.org/wiki/IPodLinux) details a list of compatible devices and known issues. One of the primary components of iPodLinux is podzilla (and its successor, podzilla 2). The podzilla applications provide iPodLinux with an iPod-like interface, video playback with sound and support for a large number of music file formats. Using iPodLinux, the iPod can play AAC, MP3 and basic OGG sound file formats. Depending on the hardware capability of the specific iPod, the audio recording capabilities under iPodLinux are said to be of much higher quality than under Apple's firmware. iPodLinux also supports the ability to play a number of games such as Doom and Doom II, and many games for the Nintendo Game Boy (with the appropriate add-on software such as iBoy).
µClinux stands for "MicroController Linux" and is pronounced "you-see-Linux". µClinux supports up to the version 2.6 kernel, and µClinux (http://uclinux.org/) has support for a number of compilers and libraries, such as the standard C++ library, which run correctly under podzilla. As such, an attacker could create and compile middleware or other code of interest to the forensic analyst, which can be stored on the iPod.
Drive Formats: Apple HFS+ or FAT32
The drive format used by the iPod hard drive depends on the computer system with which the iPod is initially synchronised. If the iPod is initially synchronised with a Mac, it will be formatted using the Apple HFS+ file system. Where the iPod is initially connected to a Windows host, the drive will be formatted with the FAT32 file system. When conducting a forensic analysis of an iPod it is important to know which type of system it has been synchronised with. This information also gives the analyst some background as to the use and history of the device, and knowledge of the format used will generally make it easier to match the iPod to the host it has been synchronising with. It is important to remember, however, that just because the iPod was initially synchronised with a Windows or Mac host, it may also have been used on other machines. The iPod writes data from the beginning to the end of the drive before returning to the beginning. This is a valuable feature for the forensic analyst, as this wear-levelling technique makes the overwriting of deleted files less likely. Because the FAT32 file system does not maintain records of file ownership, the HFS+ file system (which maintains ownership metadata) is the preferred format from a forensic perspective. Unfortunately, the HFS+ file system is somewhat less common than FAT32.
The iPod System Partition
The System Partition of either a Windows or Macintosh format iPod contains no user-identifiable data. The data in this partition is associated with the running of the iPod and includes:
• The iPod embedded operating system.
• The images used during the operation of the device, such as the Apple logo and the "Do Not Disconnect" screen image.
• The system fonts used for the display of text on the device.
• Games and other applications copied to the device.
Where iPodLinux has been installed, user data may exist in the System Partition. Installing iPodLinux will change the hash value of the System Partition, because iPodLinux modifies the boot loader stored there. The boot loader allows the iPod user to select either the official Apple embedded operating system or the iPodLinux operating system. The system files for iPodLinux are maintained in the iPod Data Partition, but the changes to the boot loader require the System Partition to be modified, changing its hash value.
Application Formats
Music and other file formats are stored in a variety of locations within the iPod. Accessories exist that allow the iPod to be used for a variety of functions. Applications and accessories may be loaded using either the native iPod operating system or iPodLinux. These applications allow for the storage of a variety of files, including voice recordings, digital camera photos and electronic games.
Contact (vCard) and calendar (vCalendar) files can be easily found by searching the drive for the text strings BEGIN:VCARD and BEGIN:VCALENDAR, which mark the beginning of the respective file types. The data remains on the drive after the entries are deleted, so the same search run over a raw image will turn up entries whose directory pointers have already been removed.
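The following script is an added example and is not part of the book's material. It carries out the search just described over a raw image: it locates every BEGIN:VCARD and BEGIN:VCALENDAR marker, carves each record up to its matching END: line (or a fixed maximum if the tail has been overwritten), hashes each carved record for the evidence log, and parses the properties so contacts and events can be listed. SAMPLE_IMAGE is a constructed stand-in for a dd image of the data partition; carve_image_file() is the same routine run over a real image file via mmap.

```python
"""Carve vCard and vCalendar records from a raw iPod image.

Added example (not code from the book). It scans an image for the
BEGIN:VCARD / BEGIN:VCALENDAR markers and carves each record up to its
matching END: line, so entries whose file pointers were deleted are still
recovered. SAMPLE_IMAGE is a constructed stand-in for a dd image.
"""
import hashlib
import mmap
import re

# Marker that opens each record type, paired with the marker that closes it.
MARKERS = {
    b"BEGIN:VCARD": b"END:VCARD",
    b"BEGIN:VCALENDAR": b"END:VCALENDAR",
}

# Constructed sample: two contacts and one calendar, separated by filler that
# stands in for unrelated sectors. The second contact uses a folded FN line.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nFN:Jane Doe\r\n"
    + b"TEL;CELL:+1-555-0100\r\nEND:VCARD\r\n"
    + b"\xff" * 300
    + b"BEGIN:VCALENDAR\r\nVERSION:1.0\r\nBEGIN:VEVENT\r\n"
    + b"SUMMARY:Meet courier\r\nDTSTART:20070314T090000Z\r\n"
    + b"END:VEVENT\r\nEND:VCALENDAR\r\n"
    + b"\x00" * 200
    + b"BEGIN:VCARD\r\nVERSION:2.1\r\nN:Smith;John\r\nFN:John\r\n  Smith\r\n"
    + b"END:VCARD\r\n"
)


def carve_records(image, max_len=64 * 1024):
    """Return [(offset, kind, record_bytes, sha256)] for every record found.

    `image` may be bytes or an mmap. A record whose END marker is missing
    (tail overwritten) is kept, truncated at max_len, rather than dropped.
    """
    found = []
    for begin, end in MARKERS.items():
        for m in re.finditer(re.escape(begin), image):
            start = m.start()
            stop = image.find(end, start, start + max_len)
            if stop == -1:
                record = bytes(image[start:start + max_len])
            else:
                record = bytes(image[start:stop + len(end)])
            found.append((start, begin.decode(), record,
                          hashlib.sha256(record).hexdigest()))
    found.sort(key=lambda r: r[0])      # present hits in drive order
    return found


def carve_image_file(path):
    """Carve a whole image file without reading it all into memory."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return carve_records(mm)


def parse_vcard(record):
    """Minimal vCard/vCalendar property parser.

    Unfolds continuation lines (CRLF followed by whitespace) and strips
    parameters such as ';CELL' from property names.
    """
    text = record.decode("utf-8", errors="replace").replace("\r\n", "\n")
    text = re.sub(r"\n[ \t]", "", text)
    props = {}
    for line in text.split("\n"):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props[name.split(";")[0].upper()] = value
    return props


if __name__ == "__main__":
    for offset, kind, rec, digest in carve_records(SAMPLE_IMAGE):
        props = parse_vcard(rec)
        label = props.get("FN") or props.get("SUMMARY", "?")
        print(f"{offset:#010x}  {kind:<16} {label:<16} sha256={digest[:16]}...")
```

Run it against a real image with carve_image_file("/path/to/iPod.image"); the offsets it reports are what you would record alongside the per-record hashes, and because the search ignores the file system entirely it finds records in unallocated space as readily as in live files.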
Misuse of an iPod
Like any other digital storage device, the iPod may hold incriminating evidence. In its native format the iPod may contain calendar entries related to a crime or other event of interest. Additionally, contact information stored on the device may be relevant to an investigation. The iPod is also capable of creating voice recordings, so recordings of meetings may be recovered. Coupled with photographs or other substantiation, the iPod could be a rich source of evidence for the investigator. With its large hard drive, the iPod is an ideal storage location for music that violates copyright and, with the newer devices, for pornographic pictures.
iPod Investigation
When an iPod is found at a crime scene, the first responder should wait for the advice of a forensic specialist. This is essential to ensure that the site of the evidence is documented correctly. Either explicitly document the location of the iPod and anything around it or, preferably, photograph the site. Leave the device in its current state until it is thoroughly investigated. It is possible that the device has been booby-trapped with a delete command or wipe function. This is particularly relevant when the device has been configured with iPodLinux: there are tools under iPodLinux that can be set to wipe the hard drive of the iPod if it is disconnected from the charger or computer without a special code being entered.
Note the state of the iPod. If it is connected to another system, check whether it is mounted. If it is, the screen of the iPod will display a message saying "Do Not Disconnect". In this case it is necessary to unmount the device before disconnecting it from the computer. On a Mac this may be achieved by dragging the icon of the iPod to the trash can on the desktop; note the name of the iPod as it is displayed on the desktop before unmounting it. Simply disconnecting or unplugging the iPod could damage disk sectors on the iPod, so this should be avoided. If the iPod is connected to a Windows machine, it may be unmounted by clicking the "Unplug or eject hardware" icon generally located in the task bar at the bottom right of the screen. On a Windows machine the chances of corruption resulting from disconnecting the iPod are less than on a Mac.
When collecting the iPod, record the connections and cabling as well as all the details of the machine it was connected to (if it was connected), and ensure that this information is kept with the device. The iPod should be stored like a hard drive. That is, it should be stored in an anti-static bag in an environment where both temperature and humidity are controlled, it should not be exposed to excessive vibration, and it should never be stored near a magnetic source such as a speaker. It is important to maintain a strong chain of custody throughout the process. The iPod is unlike some other embedded devices in that it does not need to be connected to a power supply while in storage: if the battery drains over time, the information will not be lost from the hard drive.
With hard drive models, it may be more effective to extract the hard drive from the iPod for processing, as this allows the use of an external hardware write blocker. The difficulty is that imaging the hard drive correctly requires both a high level of technical skill and specialised hardware. An iPod stores on the drive the name of the computer with which it was initialised. This information may be used to link the device to other computers and consequently to suspects. Although it is recommended that the iPod is imaged before any other tests are done, it is possible to determine the format of the drive from the iPod itself by selecting "Settings >", then "About >". If the iPod is formatted for a Windows system, scrolling down in the "About" display will show "Format: Windows" towards the lower section of the screen. If this is not displayed, it is likely that the device has been formatted using HFS+ and that the iPod was initially connected to a Mac.
Timeline Generation
The iPod is designed to be linked to only one system at a time. As a result, a series of likely connection times to that system can be established, and the times associated with connection events may also be discovered on the linked system. The times will reflect the system time of the linked system (not that displayed on the iPod). Time entries of primary concern to the forensic analyst may be found in the following files:
• \iPod_Control\Device\SysInfo: the modified time of this file records when the iPod was last restored.
• \iPod_Control\iTunes\iTunesControl: the creation time of this file records when the iPod was initialised using iTunes.
• \iPod_Control\iTunes\DeviceInfo: the modified time of this file records when the iPod was last connected to iTunes.
• All music files located under \iPod_Control\Music\: the creation times of these files record when they were copied from the linked system to the iPod. The modification times of these files provide further evidence linking the iPod and the Windows system and help to create a timeline of activity.
These times provide evidence of connection times to the linked system. If the Windows host is available, it may be possible to correlate these times with events on that computer as well.
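The script below is an added example, not code from the book. It turns the four sources just listed into one ordered timeline: `root` is assumed to be the iPod data partition mounted read-only (or a directory exported from the image), and the script reads exactly the stamps the text names (SysInfo mtime, iTunesControl creation time, DeviceInfo mtime, and both the creation and modification times of every track under Music). One point the text does not spell out: the creation time a FAT32 volume carries is only surfaced by os.stat as st_birthtime on some platforms, so the script labels a ctime fallback as such rather than reporting it as a creation time. build_sample_ipod() constructs a throwaway layout with fixed timestamps so the script runs without a device.

```python
"""Build an activity timeline from the iPod_Control timestamps described above.

Added example, not code from the book. Reads the stamps the text names and
sorts them into one timeline. build_sample_ipod() creates a constructed
fixture so the script runs without an iPod.
"""
import datetime as dt
import os
import tempfile

# (path relative to the data partition, which stamp to read, what it means)
KEY_FILES = [
    (("iPod_Control", "Device", "SysInfo"), "mtime", "iPod last restored"),
    (("iPod_Control", "iTunes", "iTunesControl"), "birth", "iPod initialised with iTunes"),
    (("iPod_Control", "iTunes", "DeviceInfo"), "mtime", "iPod last connected to iTunes"),
]


def _stamp(st, which):
    """Return (epoch_seconds, source_label) for the requested stamp.

    FAT32 records a true creation time, but os.stat only exposes it as
    st_birthtime on some platforms (Windows, macOS, some BSDs). Elsewhere we
    fall back to ctime and say so: on Linux ctime is inode change time and
    must not be written up as a creation time.
    """
    if which == "birth":
        birth = getattr(st, "st_birthtime", None)
        if birth is not None:
            return birth, "birth"
        return st.st_ctime, "ctime?"
    return st.st_mtime, "mtime"


def build_timeline(root):
    """Return a list of (epoch, source, relative_path, meaning), oldest first."""
    events = []
    for parts, which, meaning in KEY_FILES:
        path = os.path.join(root, *parts)
        if not os.path.isfile(path):
            continue                     # e.g. restored but never synced
        ts, src = _stamp(os.stat(path), which)
        events.append((ts, src, os.path.join(*parts), meaning))

    music = os.path.join(root, "iPod_Control", "Music")
    for dirpath, _, names in os.walk(music):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.stat(path)
            ts, src = _stamp(st, "birth")
            events.append((ts, src, rel, "track copied from linked host"))
            events.append((st.st_mtime, "mtime", rel, "track modified on linked host"))
    events.sort(key=lambda e: e[0])
    return events


def format_timeline(events):
    """Render events as fixed-width lines. The times are the linked host's
    clock (the iPod never stamps files itself); shown here in UTC."""
    out = []
    for ts, src, rel, meaning in events:
        when = dt.datetime.fromtimestamp(ts, dt.timezone.utc)
        out.append(f"{when:%Y-%m-%d %H:%M:%S}Z  {src:<6}  {rel:<40}  {meaning}")
    return out


# Constructed fixture: epoch seconds chosen to give a readable order.
SAMPLE_STAMPS = {
    ("iPod_Control", "Device", "SysInfo"): 1_170_000_000,
    ("iPod_Control", "iTunes", "iTunesControl"): 1_170_000_100,
    ("iPod_Control", "Music", "F00", "ABCD.m4a"): 1_171_000_000,
    ("iPod_Control", "iTunes", "DeviceInfo"): 1_172_000_000,
}


def build_sample_ipod():
    """Create a temporary directory laid out like an iPod data partition."""
    root = tempfile.mkdtemp(prefix="ipod_")
    for parts, epoch in SAMPLE_STAMPS.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"constructed fixture\n")
        os.utime(path, (epoch, epoch))   # sets atime and mtime only
    return root


if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(build_sample_ipod()))))
```

When the iPod is being read through a forensic tool rather than a live mount, feed the tool's exported creation times in place of the "birth" stamp; the ordering logic is unchanged, and the mtime-based events are the ones you can rely on from any platform.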
Lab Analysis
When analysing the iPod, it is important to be familiar with the tools used in the analysis. A variety of tools such as AccessData's Forensic Toolkit (FTK), The Sleuth Kit/Autopsy browser, BlackBag Technologies' Macintosh Forensic Software (MFS) or EnCase Forensic Edition are more than adequate for this task. It must be noted, however, that the tool must be matched to the device: for instance, BlackBag MFS is designed exclusively for the Mac environment, and The Sleuth Kit/Autopsy browser requires special consideration to work with the Apple file system. It is also necessary to ensure that the necessary connectors are in place; depending on the type of iPod, either FireWire or USB connections may be required. Ideally the forensic analyst will disassemble the iPod and remove the hard drive for analysis, as disassembly allows the use of a hardware write blocker, and it is generally considered best practice to disassemble the device. By powering on the device it is possible either to alter the drive, thus damaging the evidence, or to set off a booby trap. It is not difficult to configure a wipe program to run at system boot-up using iPodLinux, and such a tool could destroy valuable evidence before the forensic investigator could get to it.
Remove Device from Packaging
When receiving an iPod for forensic imaging it is important to document every step. First, remove the iPod from the packaging. Carefully note the state of the device, the model and the interfaces. Photograph and document everything to ensure that the chain of custody records are complete. Depending on the actions that the investigator intends to take there are two possible courses:
1. Work on the iPod as is (not recommended for hard drive models), or
2. Disassemble the device and extract the hard drive.
It is always possible to reassemble the device after the drive has been imaged. For this reason it is better to duplicate the hard drive first. This is a little more difficult in the non-hard drive models such as the iPod nano; in this case it may be more practical to image the device assembled. When working on an assembled device (including when the device has already been imaged and reassembled) the following steps are recommended:
1. Ensure that the battery is charged. Leave the iPod on the charger until the battery is fully charged.
2. Turn on the iPod.
3. Note any device settings and document these.
4. Based on whether the iPod has been connected to a Windows or Mac host, the subsequent stages will differ.
NOTE: It is important to remember that the iPod is in effect an external storage device. Although it has extra functionality (such as a limited PDA function) beyond a simple external hard drive, it does have the capability to act as a hard drive. Everything that applies to the forensic analysis of a hard drive also applies to an iPod.
The iPod Restore Process
The iPod restore process does not clear the hard drive of the iPod. A restore copies new data to the iPod, which makes it appear as if it was erased and reloaded; however, only the file pointers are erased. Unless data was specifically overwritten by the restore process it will still be available for recovery. The restore process on Windows proceeds in the following stages:
1. An unformatted, corrupted, or Mac HFS+ formatted iPod is connected to the Windows computer and Windows automatically loads the drivers.
2. The iPod Updater software loads and prompts the user to format the iPod. On selecting "Restore" the following occurs:
a. New partition tables are written to the iPod hard drive.
b. A replacement System Partition is created on the iPod and loaded with the required data.
c. A new Data Partition and a File Allocation Table for the FAT32 Data Partition are created.
d. The \iPod_Control and \iPod_Control\Device directories are created on the iPod hard drive.
e. The \iPod_Control\Device\Preferences file is created, containing binary data.
f. The \iPod_Control\Device\SysInfo file is created. This file contains technical data about the iPod in text format.
3. When the iPod is connected to the power adapter the operating memory is reloaded.
4. The iPod is now re-connected to the host system and iTunes either loads automatically or is run manually. The iTunes iPod Setup Assistant prompts the user to set the name of the iPod. If a name is set and "Next" is selected, the name will be entered in the DeviceInfo file; if "Cancel" is selected, the iPod Setup Assistant sets the device name to the default, "IPOD". The file will thus contain either the name entered by the user or "IPOD". If the name is stored, it is recorded with the username and computer name used to configure the iPod within iTunes. The following then occurs:
a. The \iPod_Control\iTunes directory is made and the files DeviceInfo, iTunesControl, iTunesEQPresets, iTunesPrefs and winPrefs are produced in this directory.
b. The \iPod_Control\Music directory is created with subdirectories named sequentially from F00 through to F49.
These entries are reflected in the \Windows\setupapi.log file on the Windows host used to configure the iPod, with a second entry from the iPodService.exe program which also records the USB serial number of the iPod. The creation time of \iPod_Control\iTunes\DeviceInfo on the iPod reflects the time value in the \Windows\setupapi.log file on the Windows host used to configure the iPod.
The iPod and Windows
It is possible to make an iPod read-only under Windows XP (SP2) through the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Setting the WriteProtect value under this key to the hex value 0x00000001 and restarting the computer will stop write access to any USB mass storage device, effectively rendering it read only; setting the value to 0x00000000 and restarting the computer re-enables write access (Andersen & Abella 2004). This is a software control only and, as with any software write block, it is not a substitute for a hardware write blocker.
The Registry
The Windows registry contains a significant amount of information of use to the forensic analyst. Of primary concern when investigating iPods are:
1. The keys created by the connection of the iPod to the Windows computer, and
2. The last write times, indicating the last time the registry keys were changed.
An iPod creates a series of registry keys when it is connected to a Windows computer. These can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ in the registry. Under USBSTOR will be found a key that identifies a disk device presenting the vendor identifier "Apple", the product identifier "iPod" and a revision code. This information can be used to match the host computer and the iPod being investigated; the last write time for this key indicates the first time that the iPod connected to the Windows host. Beneath this in the registry is a further key corresponding to the serial number of the iPod USB connection, followed by "&0". This value will match the value of FirewireGuid on the iPod, contained in the \iPod_Control\Device\SysInfo file. The last write time associated with this key is the last time that the iPod connected to the Windows host.
NOTE: Remember that the iPod does not update file times and that these will reflect the create and modify time stamps of the computer to which the iPod is paired.
setupapi.log
The Windows file setupapi.log (in the Windows installation directory) records all driver installations that occur after the system has booted. The first time that an iPod is connected to a Windows system, the connection event will be recorded in this file, and the information in this file will match the last write times of a series of registry keys related to the iPod. This file is also useful in reconstructing the sequence of connection events between the iPod and the host system, because it lists the driver installations. If iTunes is also installed, each occasion that an iPod connection occurs after boot will be recorded. If iTunes is not installed, then only the driver installation will be recorded. Also, if the iPod was connected to the host before it was booted, the drivers will load during boot-up and the connection will not be recorded even if iTunes is installed. In any event, this file provides a means to reconstruct events that have occurred on the host and to associate a particular iPod with a particular computer at a given time.
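As an added example (not code from the book), the script below extracts iPod connection events from a setupapi.log and ties them to a seized device. SAMPLE_LOG is a constructed excerpt whose layout approximates the Windows XP format (a "[date time pid.seq Driver Install]" section header followed by #Ixxx/#-xxx lines that quote the device instance ID); confirm the layout of the real file before relying on the regular expressions. The serial is taken as the last component of the USBSTOR instance ID with its "&0" suffix removed, which is the value the text says appears both as the registry key name and as FirewireGuid in the SysInfo file; the "FirewireGuid: 0x..." line format assumed by sysinfo_firewire_guid() is an assumption, as is SAMPLE_SYSINFO.

```python
"""Pull iPod connection events out of a Windows XP setupapi.log.

Added example, not code from the book. SAMPLE_LOG and SAMPLE_SYSINFO are
constructed; the line layouts they use are assumptions to be checked
against the real files.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ (.+)\]$")
INSTANCE_RE = re.compile(r'"(USBSTOR\\[^"\\]+\\([^"\\]+))"', re.IGNORECASE)
GUID_RE = re.compile(r"FirewireGuid:\s*(?:0x)?([0-9A-Fa-f]+)")

SAMPLE_LOG = r"""[2007/03/14 10:22:31 1496.6 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskapple___ipod___________1.62
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I123 Doing full install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A27001A3B4C5D&0".
#I121 Device install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A27001A3B4C5D&0" finished successfully.
[2007/03/14 10:22:35 1496.7 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\3231D6A2&0".
[2007/03/20 18:05:02 2204.1 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_APPLE&PROD_IPOD&REV_1.62\000A27001A3B4C5D&0" finished successfully.
"""

# Constructed SysInfo fragment; the real file's line format should be checked.
SAMPLE_SYSINFO = "FirewireGuid: 0x000A27001A3B4C5D\n"


@dataclass
class IpodEvent:
    timestamp: str      # host clock, as written by Windows
    action: str         # section label, e.g. "Driver Install"
    instance_id: str    # full USBSTOR device instance path
    serial: str         # serial as it appears in the registry key name


def parse_setupapi(text):
    """Return one IpodEvent per (section, serial) for Apple iPod disks."""
    events, current, seen = [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current, seen = (header.group(1), header.group(2)), set()
            continue
        if current is None:
            continue
        for instance, tail in INSTANCE_RE.findall(line):
            low = instance.lower()
            if "ven_apple" not in low or "prod_ipod" not in low:
                continue                 # some other USB disk
            serial = tail.split("&")[0]  # strip the "&0" instance suffix
            if serial in seen:           # several lines per install; count once
                continue
            seen.add(serial)
            events.append(IpodEvent(current[0], current[1], instance, serial))
    return events


def first_and_last(events, serial):
    """(first, last) timestamps a given iPod appears in the log, or None."""
    stamps = [e.timestamp for e in events if e.serial == serial]
    return (min(stamps), max(stamps)) if stamps else None


def sysinfo_firewire_guid(sysinfo_text):
    """Serial from the iPod's own SysInfo file (assumed 'FirewireGuid:' line)."""
    m = GUID_RE.search(sysinfo_text)
    return m.group(1).upper() if m else None


def match_device(events, sysinfo_text):
    """Tie the host's log to the seized iPod via the SysInfo serial."""
    guid = sysinfo_firewire_guid(sysinfo_text)
    return [e for e in events if guid and e.serial.upper() == guid]


if __name__ == "__main__":
    evs = parse_setupapi(SAMPLE_LOG)
    for e in evs:
        print(e.timestamp, e.action, e.serial)
    print("first/last:", first_and_last(evs, "000A27001A3B4C5D"))
    print("matches SysInfo:", len(match_device(evs, SAMPLE_SYSINFO)))
```

The timestamps are the host's clock as Windows wrote them; compare the first one to the last write time of the USBSTOR key and to the creation time of DeviceInfo on the iPod before drawing conclusions, and remember that a connection made before boot, or on a host without iTunes, may leave no entry here at all.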
The iPod and Linux
The following procedure may be used to mount the iPod under Linux (Ubuntu is used for this example):
1. Disable auto-mounting of removable media devices by selecting the "System" menu at the top of the screen, then "Preferences", then "Removable Drives and Media".
2. When the window opens, remove the check marks by each item, then select "OK".
3. Locate the iPod within the Linux device tree as follows:
a. Right click in a clear area of the Linux desktop to open a menu and select "Open New Terminal".
b. Enter "ls /dev/sd*" to list all the SCSI drives on the system.
c. Connect the iPod to the computer.
d. Wait 20 seconds for the computer to recognise the iPod.
e. Retype "ls /dev/sd*" to get an updated list of all SCSI drives on the system and note the new entries, which belong to the iPod.
4. Depending on the application, you can now mount the iPod in read-only mode.
Note: HFS+ file system support must be loaded into the Linux kernel in order to mount an iPod initialised using a Mac.
User Accounts
When an iPod has been set up using iTunes, a file \iPod_Control\iTunes\DeviceInfo is created which contains the user name and computer information. This information may be used to identify the user and computer which initialised the iPod. If this file contains the word "IPOD" then the software was restored to the iPod without its having been connected to iTunes.
Deleted Files
The iPod deletes file pointers rather than actually erasing the file. Coupled with the iPod's sequential file writing technique, which starts from the beginning of the drive and adds data towards the end before returning to the beginning, file recovery on an iPod can be a simple process.
iPod Time Issues
The manner in which a device records time is one of the most crucial aspects of any digital forensic analysis. To be able to link the deletion, access or alteration of a file to a particular user it is necessary to determine the time when the event occurred. The iPod has an internal clock, but unfortunately the standard embedded operating system does not update file times. On iPodLinux, however, the system clock updates file access times. It is important to remember this distinction. The native iPod operating system will record the time associated with the computer it is connecting to; where an alternative operating system such as iPodLinux is involved, the time will be set from the iPod's internal clock.
TIP: It is important to remember that the file create and modify times as they appear on the iPod reflect the timestamps of the paired computer. Although the iPod has an internal clock, it does not use this to update or modify the time stamps of the files it stores. This can be useful in proving that a particular iPod was connected to a host machine.
Registry Key Containing the iPod's USB/FireWire Serial Number
The file \iPod_Control\Device\SysInfo is created on the iPod when the system software is restored or the iPod is initialised. This file contains valuable data about the iPod. Another significant file, \iPod_Control\iTunes\DeviceInfo, is created after iTunes has linked the iPod with a computer; the name of the user and computer involved in linking the iPod and iTunes will be stored in this file. Where iTunes is running on Windows, a record will be created in both the registry and the setupapi.log file with a reference to the USB/FireWire serial number presented in the SysInfo file on the iPod.
iPod Tools
In addition to the standard drive imaging tools, several products specifically designed for use with the iPod have been produced. Two of the more common tools are "Music Recovery" from DiskInternals and "Recover My iPod" by GetData.
DiskInternals Music Recovery
"Music Recovery" from DiskInternals is designed to recover any type of music file from a hard drive, iPod, USB flash drive or CD/DVD. It is available as shareware from http://www.diskinternals.com/music-recovery/. Music Recovery comes with an integrated media player to preview files prior to recovery. DiskInternals provides native support for the iPod but does not run on Mac or Linux. The software recovers lost files and data from damaged disks and inaccessible drives, and also works with corrupt or damaged partition tables. Although Music Recovery only runs on Windows hosts, it supports several file systems, including:
• NTFS 4 & 5,
• Linux Ext2 & Ext3,
• Mac OS & Apple HFS,
• ISO 9660, and
• UDF.
Recover My iPod
"Recover My iPod" allows the user to recover lost or deleted music, video and photos, including .m4a, .mp3, .mov, QuickTime and JPEG file formats. The product is available from GetData at http://www.recovermyipod.com/. The software supports all versions of the iPod, including the iPod, iPod shuffle, iPod mini and iPod nano, and recovers data after an iPod Reset or Restore. It is important to remember that Recover My iPod will not run on a Mac. This software will recover data and files from an iPod even when a "Drive Not Formatted" message appears or if the iPod is not recognised by the computer; in this case it is necessary to connect to the "Physical Drive". Although not as effective as a hardware write blocker, "Recover My iPod" mounts the iPod drive in read-only mode.
"Recover My Files" is a more complete recovery tool from GetData. This tool allows for the searching of computer drives and also iPods. Both products support a "deep scan" and a "fast search" mode.
DD and the iPod
To image an iPod which is attached to a Linux system, type "dd if=/dev/sda of=/mnt/hdb1/iPod.image" (where the iPod is connected as device /dev/sda). This command will duplicate the entire iPod drive to the image file. If you only require a section of the drive, substitute sda with the partition you need. Change iPod.image to the filename of the image that you wish to use as evidence. The entire process may take some time; do not assume that nothing is occurring, as imaging often takes a long time. Type "md5sum /dev/sda" to generate a checksum for the entire drive and record this value. Generating the same checksum over the image file and confirming that the two values match demonstrates that the image is an exact copy of the drive.
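The script below is an added example, not code from the book. It performs the same job as the dd and md5sum steps above, but computes MD5 and SHA-256 while the bytes stream past (so the device is read once rather than twice), then re-hashes the finished image and checks that it matches, which is the verification step a lab record needs. The source path is assumed to be a block device such as /dev/sda opened read-only behind a write blocker; reading a real device requires root. make_sample_source() writes a constructed stand-in for the device so the script can be run without one.

```python
"""Image a drive as the dd + md5sum step above does, hashing while copying
and verifying the image afterwards.

Added example, not code from the book. make_sample_source() creates a
constructed stand-in for /dev/sdX so the script runs without a device.
"""
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024     # read in 1 MiB chunks; dd's default of 512 bytes is slow


def _hashes():
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def image_device(src_path, dst_path, block=BLOCK):
    """Copy src to dst. Returns {"bytes", "md5", "sha256"} for the source stream."""
    h = _hashes()
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block)
            if not chunk:
                break                    # end of device / file
            for d in h.values():
                d.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())           # make sure the image really is on disk
    return {"bytes": total,
            "md5": h["md5"].hexdigest(),
            "sha256": h["sha256"].hexdigest()}


def hash_file(path, block=BLOCK):
    """Independent pass over a file: the equivalent of running md5sum on it."""
    h = _hashes()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            for d in h.values():
                d.update(chunk)
    return {k: d.hexdigest() for k, d in h.items()}


def image_and_verify(src_path, dst_path):
    """Image, then prove the image matches the source. Returns (ok, record)."""
    rec = image_device(src_path, dst_path)
    img = hash_file(dst_path)
    rec["image_md5"], rec["image_sha256"] = img["md5"], img["sha256"]
    rec["verified"] = (
        img["md5"] == rec["md5"]
        and img["sha256"] == rec["sha256"]
        and os.path.getsize(dst_path) == rec["bytes"]
    )
    return rec["verified"], rec


SAMPLE_SIZE = 3 * BLOCK + 1234          # deliberately not a whole number of blocks


def make_sample_source(size=SAMPLE_SIZE):
    """Constructed stand-in for /dev/sdX: a temp file of patterned bytes."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    pattern = bytes(range(256))
    with os.fdopen(fd, "wb") as f:
        f.write((pattern * (size // len(pattern) + 1))[:size])
    return path


if __name__ == "__main__":
    src = make_sample_source()
    ok, record = image_and_verify(src, src + ".img")
    for k, v in record.items():
        print(f"{k:>13}: {v}")
    print("image verified" if ok else "HASH MISMATCH: do not rely on this image")
```

Record both digests with the image: MD5 is what the md5sum step produces and what older case notes will contain, while SHA-256 is what you would want to cite today. A mismatch between the stream hash and the image hash means the image file was not written intact and the acquisition must be repeated.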
Summary
This chapter started with an introduction to the Personal Digital Assistant and how today's technology has essentially provided us with a handheld computer. We continued with a look at the concept of PDA forensics: many of the same things that have to be considered in forensics on conventional systems apply, but we discussed some of the differences that have to be considered when performing forensics on PDA devices. Once we had covered these considerations we moved on to the methods of investigating a PDA. We talked about securing the evidence, and how the PDA, docking cradle and any external memory cards should be seized. The next method we discussed was acquiring the evidence: we covered how an exact image of the evidence must be created, and once the evidence has been secured and acquired it must then be examined. We continued by discussing the forensic examination considerations when confronted with a Blackberry (RIM) device. We concentrated on how the Blackberry (RIM) has similarities to the PDA, but differs in that it does not require synchronisation to receive a significant amount of information. The Blackberry (RIM) is always on and, to make our task a little more difficult, it is in a state where it is susceptible to receiving push updates at any time; therefore it is imperative that we take this into account when preparing to examine the device. We also discussed the software that is available to assist in examining the Blackberry (RIM); an excellent package is the Software Development Kit (SDK) from Blackberry themselves.
We also discussed some of the ways and tools available to attack the Blackberry (RIM): the Blackberry Attack Toolkit, the attack vectors, and the forms of hijacking (or blackjacking, as it is called). Finally, we wrapped up the chapter by discussing the methods of securing the Blackberry (RIM), including the Blackberry Signing Authority Tool, which provides tools to help developers protect their data and intellectual property and uses asymmetric cryptography to authenticate information.
Solutions Fast Track
PDA Forensics
• PDA forensics is very similar to forensics of any system.
• With the PDA being a handheld type of computer, you process data and information the same as you do when investigating a PC.
Investigative Methods of PDA Forensics
• Prior to investigating the PDA we have to secure and acquire the evidence.
• There are four steps to investigating a PDA:
  • Examination
  • Identification
  • Collection
  • Documentation
PDA Investigative Tips
• If the device is in the "on" state you have to preserve the state by supplying adequate power. If the device is in the "off" state, leave it in that state, switch on the device, note the battery, and photograph the device.
• If the device is in the cradle, avoid any communication activities.
• If wireless is "on", eliminate any activity by placing the device in an envelope, anti-static and isolation bag.
Deploying PDA Forensic Tools
• PDA Secure is a tool that provides enhanced password protection, encryption, and data wiping.
• PDA Seizure allows PDA data to be acquired, viewed, and reported on.
• EnCase provides many tools that allow investigators to conduct complex investigations efficiently.
Introduction to Blackberry
• The Blackberry device is similar to the PDA when it comes to forensics.
• The Blackberry device is a push technology device that does not require synchronization with a PC.
Operating Systems of the Blackberry
• The operating system of the Blackberry (RIM) device has multiple features such as:
  • Over the Air Activation
  • Ability to Synchronize Contacts and Information
  • Password Keeper
  • Customized Display
Blackberry Operations and Security Capabilities
• The Blackberry device uses the Blackberry Serial Protocol to back up, restore, and synchronize data between the Blackberry and the desktop software.
• The protocol comprises simple packets and single byte return codes.
• The Blackberry offers two encryption algorithms for protecting data:
  • Triple DES
  • AES
Forensic Examination of a Blackberry
• The Blackberry device is always on, and information can be pushed at any time.
• The first step in conducting an examination of a Blackberry is to isolate the device. This can be achieved by placing the Blackberry in an area where it cannot receive the push signal.
Attacking the Blackberry
• The "attack vector" links and tricks the users into downloading the malicious software.
• "Blackjack" or "hijack" programs will take over a Blackberry device and replace them with malicious devices.
Securing the Blackberry
• Clean the Blackberry memory.
• Limit password authentication.
• Use AES to protect information.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.
Q: When conducting a forensic investigation of a PDA, what is the first step in the process?
A: As with any forensic examination, the first step is to have permission to seize the evidence that is required for your investigation.
Q: What sort of tools do I use to conduct a forensic examination of a PDA?
A: Most of the forensic tools that work with images will create an image of a PDA file system; the commercial software product EnCase has this capability, as do many others.
Q: I am preparing to conduct an investigation of a PDA; why must I maintain the charge to the device?
A: Similar to our regular PC, the PDA device has volatile and non-volatile information, and if the power is not maintained there is a possibility you could lose information.
Q: Isn't a PDA and a Blackberry the same thing?
A: It is not uncommon to make this assumption, and there are similarities, but there are also many differences. The Blackberry is an always-on device that can be pushed information at any time, and unlike the PDA, the Blackberry does not require synchronization with a PC.
Q: How would I get access to log files on the Blackberry?
A: Some of the best tools for conducting an investigation of a Blackberry come from Blackberry themselves. There is a Software Development Toolkit (SDK) that can access and collect log files and other information.
Chapter 5
E-mail Forensics
Introduction
E-mail, or electronic mail, has become a mainstay in today's society. According to the PEW Internet and American Life Project, in a February-March 2007 survey, 71% of American adults use the Internet. In addition, they found 91% send or read e-mail. However, just because people use it does not mean they know how it works. Many individuals have no idea how the e-mail system works. In asking random people of varying degrees of geekdom how e-mail worked, I was shocked by some of the answers: "I know there must be the e-postal service out there that sorts through the mail and makes sure it gets to the right places." "E-mail is just one more way we get tracked by our bosses and forced into longer work times." (Said while typing on his BlackBerry, a common handheld e-mail device) "I do get joke emails and then I print them and mail (snail mail) them to my family. Some of those jokes are very funny." There was a small percentage that did know how e-mail worked, which gave me some hope I was not alone in the universe when it came to being a geek. However, this also brought some interesting thoughts to mind. Because people are generally poorly informed on how it works, they don't know how it stores data and thus what is there. Eureka, we have evidence.
Where to Start?
Before you can start examining e-mail archives, you have to first understand the special language that is used when talking about e-mail. Just like the new acronyms that have become part of our everyday jargon like "lol" or "rofl", e-mail has unique words that are used to describe the smaller scale ingredients of the e-mail.
E-mail Terminology
IMAP: Internet Message Access Protocol is a method to access e-mail or bulletin board messages that are kept on a mail server, making them appear and act as if they were stored locally.
MAPI: Messaging Application Program Interface is a MS Windows interface that allows you to send e-mail from inside an application. Typical applications that work with this option are word processors, spreadsheets, and graphic applications.
SMTP: Simple Mail Transfer Protocol receives outgoing mail from clients and validates source and destination addresses. It also sends and receives e-mail to and from other SMTP servers. The standard SMTP port is 25.
HTTP: Hypertext Transfer Protocol is typically used in web mail, and the message remains on the web mail server.
ESMTP: Enhanced SMTP is protocol extensions to the SMTP standard.
POP3: Post Office Protocol 3 is a standard protocol for receiving e-mail that deletes mail on the server as soon as the e-mail has been downloaded by the user. The standard port for POP3 is 110.
CC: Carbon Copy is a field in the e-mail header that directs a copy of the message to go to another recipient e-mail address.
BCC: Blind Carbon Copy is a field that is hidden from the receiver but allows for a copy of the message to be sent to the e-mail address in this field.
HELO: Communication command from client to server in SMTP e-mail delivery. Used only if the server does not respond to EHLO. Here is an example HELO exchange:
  S: 220 www.example.com ESMTP Postfix
  C: HELO mydomain.com
  S: 250 www.example.com
  C: MAIL FROM:<[email protected]>
  S: 250 Ok
  C: RCPT TO:<[email protected]>
  S: 250 Ok
  C: DATA
  S: 354 End data with <CR><LF>.<CR><LF>
  C: Subject: test message
  C: From: [email protected]
  C: To: [email protected]
  C:
  C: Hello,
  C: This is a test.
  C: Goodbye.
  C: .
  S: 250 Ok: queued as 12345
  C: QUIT
  S: 221 Bye
EHLO: HELO command in ESMTP clients.
NNTP: Network News Transfer Protocol is used for newsgroups, similar to standard e-mail. Headers are usually downloaded first in groups. The bodies are downloaded when the message is opened.
Each of these items will help you to understand the e-mail archives and become one with their evidence value. Once you understand the terminology, it is important to also understand the functions.
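The HELO exchange is easier to read once you see which side keeps which state. The following Python program is an added example, not from the book: a minimal SMTP server state machine fed by a scripted client. It reproduces the exchange above and shows where the envelope sender, the recipient list, the HELO name and the queue id come from, which is exactly the data a real MTA writes into the logs an examiner later reads. The hostname, queue id and addresses are constructed; it also answers 503 when commands arrive out of order and handles dot-stuffing, neither of which the transcript above shows.

```python
"""Minimal SMTP server state machine plus scripted client (added example)."""


class TinySmtpServer:
    """Accepts one message per session. Enough to show the command/reply
    sequence and the evidence a real MTA records: envelope sender and
    recipients, the HELO name, and the queue id in the final 250 reply."""

    def __init__(self, hostname="www.example.com", queue_id="12345"):
        self.hostname = hostname      # constructed, as in the transcript above
        self.queue_id = queue_id      # constructed
        self.helo_name = None
        self.envelope = {"mail_from": None, "rcpt_to": []}
        self.message_lines = []       # headers and body received after DATA
        self.in_data = False

    def greeting(self):
        """Banner sent before the client says anything."""
        return f"220 {self.hostname} ESMTP Postfix"

    def reply(self, line):
        """Return the reply for one client line, or None while in DATA mode."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return f"250 Ok: queued as {self.queue_id}"
            # RFC 5321 dot-stuffing: a body line starting with "." is sent as ".."
            self.message_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo_name = arg
            return f"250 {self.hostname}"
        if verb in ("MAIL", "RCPT"):
            if ":" not in arg:
                return "501 Syntax error in parameters or arguments"
            address = arg.split(":", 1)[1].strip("<> ")
            if verb == "MAIL":
                if self.helo_name is None:
                    return "503 Error: send HELO/EHLO first"
                self.envelope["mail_from"] = address
            else:
                if self.envelope["mail_from"] is None:
                    return "503 Error: need MAIL command"
                self.envelope["rcpt_to"].append(address)
            return "250 Ok"
        if verb == "DATA":
            if not self.envelope["rcpt_to"]:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Error: command not recognized"


def run_session(client_lines, server=None):
    """Feed scripted client lines to the server; return the transcript in the
    S:/C: notation used above together with the server state."""
    server = server or TinySmtpServer()
    transcript = ["S: " + server.greeting()]
    for line in client_lines:
        transcript.append("C: " + line)
        answer = server.reply(line)
        if answer is not None:
            transcript.append("S: " + answer)
    return transcript, server


# Constructed client script mirroring the exchange in the text.
CLIENT_SCRIPT = [
    "HELO mydomain.com",
    "MAIL FROM:<user@mydomain.com>",
    "RCPT TO:<someone@example.com>",
    "DATA",
    "Subject: test message",
    "From: user@mydomain.com",
    "To: someone@example.com",
    "",
    "Hello,",
    "This is a test.",
    "Goodbye.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    lines, _ = run_session(CLIENT_SCRIPT)
    print("\n".join(lines))
```

Note that the From: and To: header lines inside DATA are just message text to the server; only the MAIL FROM and RCPT TO envelope values drive delivery, which is why header and envelope addresses can legitimately differ in evidence.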
Functions of E-mail
E-mail, as a general rule, is designed to make communication faster between individuals. Most e-mail will allow you to do a variety of things to help you facilitate it.
• Send and receive mail
• Forward, CC, & BCC mail
• Allow attachments to be sent and received
• Save mail to disk
• Store commonly used addresses
• Sort mail into predefined folders
Each of these actions will create changes that you will have in your evidence and must be considered in the processing.
Archive Types
The next step is that you have to know what you are looking for. There are two main archive types: a local archive and a server storage archive. Most of the time, these archives will become intertwined with one another, as they are not always autonomous, so you will have to look for multiple tiers of the archive. An example of this can be found with the Microsoft Exchange archives. The main archive is found in a Priv.edb file. The offline storage of the EDB file is a PST file, and the offline storage for a PST file is an OST file. As you can see, these layers on the way to your final goal of proper evidence collection can end up becoming rather messy. Each type of archive will store data differently, and e-mail makes up one of the largest types of proprietary files in the binary world.
Server Storage Archives
What is a server storage archive? Server storage archives are any archive that has mixed storage for all of the clients that exist on a server. Examples of these types of archives include: MS Exchange (.EDB .STM), Lotus Notes (.NSF .ID), GroupWise (.DB), etc.
MS Exchange
When dealing with MS Exchange, it is important to remember some helpful hints.
1. Do not deal with an active Exchange server. You will want to make sure that whenever possible the Exchange server is not actively being accessed. There are many disputes over whether to take it offline to do your image or not. One of the most successful methods is to do a backup of the server. This will maintain the best date structure for the data.
2. Always gather all the data files associated with the server. There is more than one file associated with Exchange e-mail, so it is important to make sure you gather them all as part of your acquisition. Typically, you will find a PRIV.EDB file, a PUB.EDB file, and a PRIV.STM file. These files are what create the complete archive. Although your tools might not open these files directly, they will still need the reference data while they are opening the main archive. Depending on the version of Exchange you are dealing with, the files available might vary.
Note: Watch for administrators that might change the names of the files. The Priv.edb data will be found in the larger of the two files.
3. Beware of backups and offline storage. One of the biggest headaches in dealing with server e-mail is the fact that a lot of times backups will be part of your forensic process. It is still very common for backups and archives of the enterprise mail servers to exist on tape. This can be problematic, as it is a specialty to be able to process tapes. If you are not familiar with restoring tapes, it is always recommended that you go to a specialist and have them process them for you.
Lotus Notes
I have always classified Lotus Notes as a higher level archive because it is typically used in an enterprise environment. It can be easy to gather the evidence from this type of archive but difficult to extract.
1. Gather the *.NSF file.
2. Gather the associated *.ID file for the archive. This is the encryption key that will allow you to open encrypted mail that is stored.
Novell GroupWise
This is not as common of a network archive as the prior mentioned archives; however, it is still found in many forensic cases. There are a couple of keys to dealing with a GroupWise mail archive.
1. Do not change the structure. This may seem like an odd hint, but GroupWise is not the same as the others, where all the mail can typically be found in one file. It is a tad more obsessive compulsive than the other archives, and it breaks its mail into post offices. This means you have to make sure the acquisition is done on the entire directory and the structure remains intact; otherwise your chances of processing through the mail located in these post offices are slim.
2. Ngwguard.db is the key file for the GroupWise structure. It is typically stored in the root of the mail directory and tells GroupWise about each user account and where they are located. Other key files include gwcheck.db and wphost.db; however, the entire directory must be intact to do an examination.
Local Level Archives
What is a local storage archive? Local storage archives are any archives that have an archive format independent of a mail server. Examples of these types of archives include: .PST, .MBX, .DBX, etc.
The local level archives are much more diverse and can be somewhat more difficult to deal with, as they are controlled more by the end user. There are still some helpful hints when dealing with local archives.
1. Always make sure you gather the entire archive. Just like with network level archives, the local archives can also be broken into multiple files that are used to store the data. Each of these files contains potential evidence and must be processed.
2. Beware the web-mail. Web-mail is very difficult to deal with as part of forensic evidence because in most cases there is no offline archive. The data for a lot of the more popular web-mail is by default stored completely online, making it difficult for a forensic examiner. If you are dealing with a web-mail archive, consult your counsel on the case as to the best way to approach and gain access to the servers that might contain that data.
Figure 5.1 Example of an E-mail Archive Card that is provided free from Paraben Corporation.
This card shows you the types of files that are typically associated with the e-mail archives so when you are doing seizures or examinations, you know what you should be looking for. To request cards (up to 25 per organization) e-mail [email protected]
Ingredients of E-mail There are some main components that will make up a mail archive. Each of these has a mutual dependence similar to if you were taking ingredients and making a cake. You could not make a proper cake without flour and eggs. With e-mail, you cannot have a proper e-mail message without a header, body, and encoding which all comes together in a single archive.
• Mailbox/Archive
• Message Header
• Body
• Encoding
• Attachments
Each of these ingredients of the e-mail archive will affect your forensic examination. As part of your processing in forensics, an MD5 or other hash value will be generated as a mathematical fingerprint for the file. With e-mail archives, the problem exists that it is not just one piece or file that you are looking at but a collection of data inside.
Mailbox Archive
This is the storage center or post office for the e-mail. The e-mail archive is a unique file that allows for allocated and unallocated data to live within a single logical file. In fact, during one test, I created a 1 GB PST file, then proceeded to delete all messages and deleted them from the deleted items folder. The file remained 1 GB, and the e-mail I deleted was all recovered by a forensic program.
Other Associated Files of the Archive
Some of the other files found in an e-mail archive include the table of contents files. These files act as a directory of the details of the mail messages. It is important to make sure when processing an e-mail archive that you process it with its associated table of contents or index file to receive the proper forensic results. Some of the common items that are stored in the table of contents or index files are:
• Main Status
• Unread
• Read
• Forwarded
• Redirected
• Flagged
• Deleted
Message Header
The e-mail header is the envelope of the e-mail containing such information as:
• Sender E-mail Address
• Receiver E-mail Address
• Subject
• Time of Creation
• Delivery stamps
• Message Author
• CC - Carbon Copy
• BCC
All of this information can be available to you as part of your forensic analysis, but 100% of this type of data will not be found on all e-mail messages.
Body The body is the letter of the message or the primary content.
Encoding The encoding acts as a universal translator for the email. This is what allows different mail programs to pass data to one another even though they are not the same.
Encoding Types
MIME: Multipurpose Internet Mail Extensions is a protocol that allows non-ASCII files like video, audio, and graphics to be included in the e-mail message. In order for it to work, both sender and receiver must be able to support MIME. It is most commonly used in local e-mail archive applications.
UUCODE: UNIX format for attachment encoding.
BINHEX: Mac format for attachment encoding.
Attachments These are the extra items that come as supplements to the body. From pictures to files, the attachments of the e-mail archive are endless. Typically analysis of the e-mail attachments has to be done with separate tools that understand the variety of proprietary files that can be sent as attachments.
Breakdown
EXAMPLE
MIME-Version: 1.0
From: Cpt Picard
To: Beverly Crusher <[email protected]>
Subject: Pictures of my neck in zip file
Content-Type: multipart/mixed; boundary=boundarystring

--boundarystring
Content-Type: text/plain

Attached is the file neck.zip, which has been base64 encoded.

--boundarystring
Content-Type: application/octet-stream; name="neck.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="neck.zip"

H52QL•D6AJFBALJHL•HK•LNS8•J••SNLJKNLFDLSHFLSHDLFSHLKDNC8•9SA•IHN3•FNSA8•HLDBJSUF93H
FSLBNCOISAY890EYOAHFLNC739HFOEBOASHOFHSODIY8930...
OAIHOFIDHF8920DFNSOFNDOSGU03UQAFLASNFDLIU03WQJFOSIFH0319AHFDALHFNB
--boundarystring--

Q: Does this message have an attachment?
A: Yes, it is a file named neck.zip.
Q: Was there anyone CC'd in this message?
A: No, there is no CC in the header.
This is a very simple example of an e-mail, but it allows for an illustration of the basic components of the e-mail.
Forensic Acquisition
There are many tools that can process through e-mail archives. Each tool has its positive and negative points, and those should be evaluated prior to purchase. However, no matter which tool you purchase, you will want to ensure that you test properly and understand how it goes about its forensic validation. Since there is no standard available on how to process all the different proprietary mail formats, each tool can produce slightly different results in the processing. Here are some helpful tests for your e-mail examination tools.
1. How does it compute the hash value? Before you cross validate your tools, it will be important to find out if they are both using the same premise for validation. Some tools do not include all of the components of the mail message in the computation of the hash value. Generally the hash should include the header, body, and when applicable the attachment. It has become common for the attachment to also be extracted and hashed independently as well.
2. Was the tool designed for forensics? The processing of mail for forensics is a different process than just reading the mail archive. Your tool of choice should be able to recover deleted data from the archive, not just read the active messages.
3. Company support. The company should be willing to support you as a forensic examiner with good documentation explaining the process their application uses for processing, as well as support for court purposes if it is required.
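Both the two questions under the Picard/Crusher breakdown and test 1 above (which components go into the hash) can be worked in code. The following Python program is an added example, not from the book: it rebuilds a message with the same structure (the addresses and the base64 payload are constructed, since the page's payload is elided), parses it with the standard library's email package to answer the attachment and CC questions programmatically, and then hashes the header block, the body text, the decoded attachment and the whole raw message separately, which is why two tools that hash different components can report different "message hashes" for the same e-mail.

```python
"""Parse a MIME message and hash its components separately (added example)."""
import base64
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed stand-in for the attachment; the page's base64 data is elided.
PAYLOAD = b"PK\x03\x04constructed-zip-bytes"

# Constructed message with the same structure as the Picard/Crusher example.
RAW_MESSAGE = (
    b"MIME-Version: 1.0\r\n"
    b"From: Cpt Picard <picard@example.com>\r\n"
    b"To: Beverly Crusher <crusher@example.com>\r\n"
    b"Subject: Pictures of my neck in zip file\r\n"
    b"Content-Type: multipart/mixed; boundary=boundarystring\r\n"
    b"\r\n"
    b"--boundarystring\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Attached is the file neck.zip, which has been base64 encoded.\r\n"
    b"--boundarystring\r\n"
    b'Content-Type: application/octet-stream; name="neck.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="neck.zip"\r\n'
    b"\r\n"
    + base64.encodebytes(PAYLOAD)
    + b"--boundarystring--\r\n"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def parse(raw=RAW_MESSAGE):
    """Parse raw bytes into an EmailMessage using the modern default policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def attachments(msg):
    """[(filename, decoded bytes)] for every part marked as an attachment;
    decode=True undoes the base64 Content-Transfer-Encoding."""
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def has_attachment(msg):
    return bool(attachments(msg))


def cc_addresses(msg):
    """Addresses in the Cc header, or [] when the header is absent."""
    header = msg["Cc"]
    return [] if header is None else [a.addr_spec for a in header.addresses]


def component_hashes(msg, raw=RAW_MESSAGE):
    """Hash header block, body text, each attachment and the whole raw message
    separately, so two tools' 'message hashes' can be compared on a like basis."""
    header_block = raw.split(b"\r\n\r\n", 1)[0]
    body = msg.get_body(preferencelist=("plain",)).get_content().encode("utf-8")
    hashes = {
        "header": md5_hex(header_block),
        "body": md5_hex(body),
        "whole_raw": md5_hex(raw),
    }
    for name, data in attachments(msg):
        hashes["attachment:" + name] = md5_hex(data)
    return hashes


if __name__ == "__main__":
    m = parse()
    print("attachment?", has_attachment(m), [n for n, _ in attachments(m)])
    print("cc:", cc_addresses(m))
    for key, value in component_hashes(m).items():
        print(f"{key:22} {value}")
```

When cross-validating two tools, compare their documented hash inputs against these four values rather than expecting the single "message hash" figures to agree.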
The following examples are processed using different tools and show what the end results should be. For complete information on any tool, please contact the vendor of the tool for that information.
Processing Local Mail Archives
The two most common e-mail archives available on local systems are Outlook Express and Outlook PST files. They are both typically found on the desktop system of the users.
Step 1-Acquisition Outlook PST file Typically, you will do a traditional bit-stream image of the entire drive and then extract the PST file from the drive image. When extracting the PST file from the image, it is important to use multiple tools.There are many good virtual mounting programs available that allow you to mount your acquired drive and then extract a copy of the data from that drive. This is one of the better methods for extraction since some of the common methods built into the automated forensic suites will not extract a usable PST file.
Step 2-Processing
Once the file is extracted, you can select your tool for processing the proprietary e-mail archive into usable messages. I will use two tools below to illustrate the differences that can be found in processing.
Using Paraben's E-mail Examiner
Paraben's E-mail Examiner is designed to process a wide variety of e-mail archives. One of those is Outlook PST files. To process the files with this tool, a separate import engine was designed. The E-mail Examiner is shown in Figure 5.2 and the PST Converter is shown in Figure 5.3.
Figure 5.2 Paraben's E-mail Examiner
Figure 5.3 Paraben's PST Converter
After you have selected the file to import, you are left with a variety of options for the actual processing of the archive. Each of the options listed in the screen shot will affect what you see as the ending data. The recovery of deleted messages through this engine works for both deleted and deleted-deleted data. However, once the mail archive is processed, the data that was recovered from deleted processing does not get tagged as being different from any of the other mail messages. It is important to remember this so you can look for other details that would tell you that those messages were recovered from that space such as the path. Once the files are processed, the details will be displayed for you as seen in Figure 5.4.
Figure 5.4 Processed Files
There are many things that you will notice once the archive is processed from deleted data recovery to messages with attachments.
Using MS Outlook for processing Outlook Express files Some people prefer to use tools that are the mail clients for processing the data associated with the archive. This can be problematic because these tools are not specifically designed for forensics. So, much of the deleted data would be missed in the processing.To illustrate this I have processed the same archive (Outlook Express) with both the mail application (Figure 5.5) and a forensic application (Figure 5.6).
Figure 5.5 Mail Application
According to the mail application there is no data in the e-mail archive. Once the forensic tool has processed the archive, a variety of messages were recovered.
Figure 5.6 Processing with Forensic Tool
Processing Server Level Archives
As discussed previously, there are many different files to look for when processing a server level archive. Depending on which mail server was used, you will need to gather different data, as previously discussed.
Step 1 Acquisition
The acquisition stage for a server archive is different than with the smaller local stores, as you do not typically do a bit-stream image and then extract the archive. Instead, in most cases you can just acquire the appropriate files where the archive data is stored. Although this is not a traditional forensic method, it is very common based on the structure of the network archive and its size.
Step 2 Processing
There is not a wide range of tools available for network level archives. Most tools are not designed specifically for forensic processing, so you are limited in your choices of tools if you want to stay just in forensic software. However, you do have other tool options available that are designed for restoring archives for review.
Using OnTrack PowerControls "Ontrack PowerControls is a simple, yet powerful software tool for copying, searching, recovering and analyzing email and other mailbox items directly from Microsoft Exchange server backups, un-mounted databases (EDB) and Information Store files." www.ontrackpowercontrols.com PowerControls is one of the better tools available for processing MS Exchange files. It recovers both active and deleted data and can work on a variety of versions of MS Exchange. Figures 5.7, 5.8, and 5.9 show the data that has been processed.
Figure 5.7 Process MS Exchange PRIV.EDB file.
Figure 5.8 The Display of an Individual Account in the MS Exchange File
Figure 5.9 Convenient Message Viewer for the Review of the Content Data in the E-mail Archive
Using Paraben's Network E-mail Examiner (NEMX)
NEMX is also a tool that can be used to process MS Exchange archives as well as Lotus Notes and GroupWise. Built into the tool is a corruption repair utility that will also save some time in processing by attempting to bypass corruption and moving on to read the rest of the archive, allowing you to keep the data in its original state. Figures 5.10, 5.11, and 5.12 show some examples from processing an MS Exchange PRIV.EDB file.
Figure 5.10 A Fully Processed MS Exchange File Including Server Level Information
Figure 5.11 Tree View of the Data Typically Associated with an MS Exchange Priv.edb File
Figure 5.12 Opening of the Data Associated with the User Account in the MS Exchange File
Deleted E-mail Recovery The recovery of deleted e-mail messages can vary greatly on the e-mail client that was being used. Typically, you will find a couple weeks of deleted data that can still be recovered from an archive. Here are a few examples of how deleted e-mail works.
Eudora Mail In Eudora, messages for deletion are tagged for deletion and are no longer visible in the mailbox. These messages, however, are still in the "trash" folder and remain there until explicitly instructed to empty the trash folder.
Outlook PST
In Outlook, data is taken from the active part of the archive to a recycling bin. From that point, the recycling bin is emptied based on the user's preferences. Once it is emptied, it will go into the unallocated space of the mail archive. Here it can sit for a period of weeks. Depending on the size of the archive, the recovery of this data will vary greatly.
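The mechanism behind both the 1 GB PST observation earlier in the chapter and the unallocated-space recovery just described is that a client "delete" normally updates the archive's index, not the message bytes. The following Python program is an added example, not from the book and not any real archive format: it models an archive as a small index table followed by message bytes, "deletes" a message by clearing its index entry, shows that the file size does not change, and then carves the message back out by scanning the raw bytes while ignoring the index. The messages and the on-disk layout are constructed.

```python
"""Recover index-dropped messages from a constructed mail archive (added example)."""
import re
import struct

HEADER_FMT = "<I"        # number of index slots
ENTRY_FMT = "<II"        # (offset, length) of each live message
END_MARK = b"\r\n.\r\n"  # constructed end-of-message marker


def build_archive(messages):
    """Pack messages behind a small index table (constructed format)."""
    blobs = [m.encode("ascii") + END_MARK for m in messages]
    table_size = struct.calcsize(HEADER_FMT) + len(blobs) * struct.calcsize(ENTRY_FMT)
    entries, offset = [], table_size
    for blob in blobs:
        entries.append((offset, len(blob)))
        offset += len(blob)
    table = struct.pack(HEADER_FMT, len(blobs))
    table += b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    return table + b"".join(blobs)


def delete_message(archive, slot):
    """What emptying the deleted items typically does: drop the index entry;
    the message bytes stay in the file as unallocated space."""
    pos = struct.calcsize(HEADER_FMT) + slot * struct.calcsize(ENTRY_FMT)
    size = struct.calcsize(ENTRY_FMT)
    return archive[:pos] + struct.pack(ENTRY_FMT, 0, 0) + archive[pos + size:]


def list_live(archive):
    """The mail client's view: only messages the index still points to."""
    (count,) = struct.unpack_from(HEADER_FMT, archive, 0)
    pos = struct.calcsize(HEADER_FMT)
    live = []
    for _ in range(count):
        offset, length = struct.unpack_from(ENTRY_FMT, archive, pos)
        pos += struct.calcsize(ENTRY_FMT)
        if length:
            live.append(archive[offset:offset + length - len(END_MARK)].decode("ascii"))
    return live


# A header block (one or more "Name: value" lines), a blank line, then a body
# running up to the end marker.
MSG_RE = re.compile(rb"(?:[A-Za-z-]+: [^\r\n]*\r\n)+\r\n.*?(?=\r\n\.\r\n)", re.DOTALL)


def carve(archive):
    """The forensic view: ignore the index and scan the raw bytes for
    anything shaped like a message."""
    return [m.group(0).decode("ascii") for m in MSG_RE.finditer(archive)]


def recover_deleted(archive):
    """Messages present in the bytes but absent from the index."""
    live = set(list_live(archive))
    return [m for m in carve(archive) if m not in live]


SAMPLE = [  # constructed messages
    "Subject: lunch\r\nFrom: alice@example.com\r\n\r\nNoon?",
    "Subject: invoice\r\nFrom: bob@example.com\r\n\r\nPlease wire the funds today.",
    "Subject: re: lunch\r\nFrom: carol@example.com\r\n\r\nSure.",
]


def demo():
    """Delete the second message; return (size unchanged?, live view, carved deleted)."""
    before = build_archive(SAMPLE)
    after = delete_message(before, 1)
    return len(before) == len(after), list_live(after), recover_deleted(after)


if __name__ == "__main__":
    same_size, live, recovered = demo()
    print("file size unchanged:", same_size)
    print("client sees:", [m.splitlines()[0] for m in live])
    print("carved from unallocated space:", [m.splitlines()[0] for m in recovered])
```

The limit of this approach is the one the chapter states: once the archive reuses that space for new messages, the old bytes are overwritten and carving finds only fragments, which is why recovery degrades with the age of the deletion and the size of the archive.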
Network Archives
Depending on the network level archive, you will have a variety of results on deleted mail recovery. It is common to recover a good percentage of deleted e-mail. Overall, the processing of e-mail can be made simple by following guidelines and having the proper expectations.
"I know my e-mail goes through my computer, but beyond that I don't know and I don't care as long as it goes. How would I know? My clock on my VCR still blinks." (Survey Participant)
Now that you know more than the average bear when it comes to e-mail, you are well on your way to becoming an e-mail forensic examiner. Always remember to keep learning, as this type of information changes constantly.
Chapter 6
Router Forensics
Introduction This chapter examines router and network forensics. This chapter is important as many attacks will require the analyst to look for information in the router or require network forensics. This requires you to have an understanding of routers and their architecture. It is important to understand where they reside within the OSI model and what role they play within network communications. Anytime you work with forensic evidence it is critical that the concept of chain of custody be understood. How evidence is handled, stored, accessed, and transported is critical, because if basic control measures are not observed the evidence may be ruled inadmissible in court.
Network Forensics Network forensics can best be defined as the sniffing, recording, and analysis of network traffic and events. Network forensics are performed in order to discover the source of security incidents and attacks or other potential problems. One key role of the forensic expert is to differentiate repetitive problems from malicious attacks.
The Hacking Process
The hacking process follows a fixed methodology. The steps a hacker follows can be broadly divided into six phases:
1. Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privilege
5. Maintaining access
6. Covering tracks and placing backdoors
The Intrusion Process
Reconnaissance is considered the first preattack phase. The hacker seeks to find out as much information as possible about the victim. The second preattack phase is scanning and enumeration. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Access can be gained in many different ways. A hacker may exploit a router vulnerability or maybe social engineer the help desk into giving him a phone number for a modem. Access could be gained by finding a vulnerability in the web server's software. Just having the access of an average user account probably won't give the attacker very much control or access to the network. Therefore, the attacker will attempt to escalate himself to administrator or root privilege. Once escalation of privilege is complete, the attacker will work on ways to maintain access to the systems he or she has attacked and compromised. Hackers are much like other criminals in that they would like to make sure and remove all evidence of their activities, which might include using root kits to cover their tracks. This is the moment at which most forensic activities begin.
Searching for Evidence
You must be knowledgeable of each of the steps of the hacking process and understand the activities and motives of the hacker. Many times you will be tasked with using only pieces of information and playing the role of a detective in trying to reassemble the pieces of the puzzle. Information stored within a computer exists in one of a few predefined areas: it can be stored as a normal file, a deleted file, a hidden file, or in slack or free space. Understanding these areas, how they work, and how they can be manipulated will increase the probability that you will find or discover hidden data.

Not all suspects you encounter will be super cyber criminals. Many individuals will not hide files at all; others will attempt simple file hiding techniques. You may discover cases where suspects were overcome with regret, fear, or remorse, and attempted to delete or erase incriminating evidence after the incident. Most average computer users don't understand that dropping an item in the Recycle Bin doesn't mean that it is permanently destroyed.

One common hiding technique is to place the information in an obscure location such as C:\winnt\system32\os2\dll. Again, this will usually block the average user from finding the file. The technique is simply that of placing the information in an area of the drive where you would not commonly look. A system search will quickly defeat this futile attempt at data hiding: just search for specific types of files such as bmp, tif, doc, and xls. Using the search function built into Windows will help quickly find this type of information. If you are examining a Linux computer, use the find and grep commands to search the drive.

Another technique is using file attributes to hide files or folders. On a Macintosh computer, you can hide a file with the ResEdit utility. In the wonderful world of Windows, file attributes can be configured to hide files at the command line with the attrib command. This command is built into the Windows OS and allows a user to change the properties of a file. Someone could hide a file by issuing attrib +h secret.txt. This command would render the file invisible to an ordinary dir listing in the command line environment (dir /a still shows it). The same thing can be accomplished through the GUI by right-clicking on a file and choosing the Hidden attribute. Would the file then be invisible in the GUI? That depends on the view settings that have been configured. Open an Explorer window and choose Tools | Folder Options | View; then make sure Show Hidden Files is selected. This will display all files and folders, even those with the +h attribute set. Another way to get a complete listing of all hidden files is to issue the command attrib /s > attributes.txt from the root directory. The attrib command lists file attributes, the /s switch lists all files in all subdirectories, and > redirects the output to a text file. This text file can then be parsed and placed in a spreadsheet for further analysis. Crude attempts such as these can be quickly surmounted.
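As an added example (not from the book), here is a small Python parser for the attributes.txt produced by attrib /s, turning it into spreadsheet-ready CSV and pulling out hidden files of the types just listed. The attrib output it consumes is constructed for the example rather than captured from a real system; the column layout it assumes (attribute letters, then the full path starting with a drive letter) is the normal attrib format, and the extension list is the chapter's.

```python
import csv
import io
import re

# Constructed sample of "attrib /s" output (not captured from a real system).
# Layout follows the attrib command: attribute letters in fixed columns, then the full path.
SAMPLE_ATTRIB_OUTPUT = """\
A            C:\\winnt\\system32\\os2\\dll\\readme.txt
A    H       C:\\winnt\\system32\\os2\\dll\\payroll.xls
A   SH       C:\\winnt\\system32\\os2\\dll\\photos.bmp
A            C:\\Documents and Settings\\jdoe\\My Documents\\notes.doc
A    H R     C:\\Documents and Settings\\jdoe\\My Documents\\scan.tif
"""

# File types the chapter suggests searching for.
INTERESTING_EXTENSIONS = {"bmp", "tif", "doc", "xls"}

# Attribute letters as printed by attrib.
FLAG_NAMES = {"A": "archive", "H": "hidden", "R": "read-only", "S": "system"}

# Attribute letters (and spaces) up to the first thing that looks like a drive path.
_LINE_RE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")


def parse_attrib_output(text):
    """Parse lines of 'attrib /s' output into dicts with path, extension and flag set."""
    records = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.rstrip())
        if not m:
            continue  # blank line or something that is not a file entry
        flags = set(m.group("flags").replace(" ", ""))
        path = m.group("path")
        filename = path.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        records.append({"path": path, "ext": ext, "flags": flags,
                        "hidden": "H" in flags, "system": "S" in flags})
    return records


def find_candidates(records, extensions=INTERESTING_EXTENSIONS, hidden_only=False):
    """Return records whose extension is of interest, optionally only the hidden ones."""
    out = []
    for r in records:
        if r["ext"] not in extensions:
            continue
        if hidden_only and not r["hidden"]:
            continue
        out.append(r)
    return out


def to_csv(records):
    """Render records as CSV text, ready to be loaded into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "extension", "hidden", "system", "attributes"])
    for r in records:
        names = ",".join(FLAG_NAMES.get(f, f) for f in sorted(r["flags"]))
        writer.writerow([r["path"], r["ext"], r["hidden"], r["system"], names])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_attrib_output(SAMPLE_ATTRIB_OUTPUT)
    print(to_csv(find_candidates(recs, hidden_only=True)))
```

Run against a real attributes.txt, the same two calls give you the hidden office documents and images anywhere on the volume in one pass, regardless of how obscure the directory is.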
An Overview of Routers
Routers are a key piece of networking gear. This section reviews the role and function of a router.
What Is a Router? Routers can be hardware or software devices that route data from a local area network to a different network. Routers are responsible for making decisions about which of several paths network (or Internet) traffic will follow. If more than one path is available to transmit data, the router is responsible for determining which path is the best path to route the information.
The Function of a Router
Routers also act as protocol translators and bind dissimilar networks. Because they operate at layer 3 of the OSI model, routers do not forward layer 2 (physical) broadcasts, which confines broadcast traffic to the local segment. Routers typically use either link-state or distance-vector (hop-count-based) routing protocols to determine the best path.
The Role of a Router
Routers are found at layer 3 of the OSI model, known as the network layer. The network layer provides routing between networks and defines logical addressing, error handling, congestion control, and packet sequencing. This layer is concerned primarily with how to get packets from network A to network B. This is where IP addresses are defined. These addresses give each device on the network a unique (logical) address. Routers organize these addresses into classes (or, under classless addressing, prefixes), which are used to determine how to move packets from one network to another. All routed protocols rely on routing to move information from one point to another; this includes IP, Novell's IPX, and Apple's DDP. Routing on the Internet typically is performed dynamically; however, setting up static routes is a form of basic routing. Dynamic routing protocols constantly look for the best route to move information from the source to the target network.
Routing Tables
Routers are one of the basic building blocks of networks, as they connect networks together. Routers reside at layer 3 of the OSI model. Each router has two or more interfaces, and these interfaces join separate networks together. When a router receives a packet, it examines the destination IP address and determines to which interface the packet should be forwarded. On a small or uncomplicated network, an administrator may have defined a fixed route that all traffic will follow. More complicated networks typically route packets by observing some form of metric. Routing tables include the following types of information:
• Bandwidth. This is a common metric based on the capacity of a link. If all other metrics were equal, the router would choose the path with the highest bandwidth.
• Cost. The organization may have a dedicated T1 and an ISDN line. If the ISDN line has a higher cost, traffic will be routed through the T1.
• Delay. This is another common metric, as it can build on many factors including router queues, bandwidth, and congestion.
• Distance. This metric is calculated in hops; that is, how many routers away the destination is.
• Load. This metric is a measurement of the load that is being placed on a particular router. It can be calculated by examining the processing time or CPU utilization.
• Reliability. This metric examines arbitrary reliability ratings. Network administrators can assign these numeric values to various links.

By applying the metric and consulting the routing table, the routing protocol can make a best-path determination. At that point, the packet is forwarded to the next hop as it continues its journey toward the destination.
Router Architecture
Router architecture is designed so that routers are equipped to perform two main functions: process routable protocols and use routing protocols to determine the best path. Let's start by reviewing routable protocols. The best example of a routed protocol is IP. A very basic definition of IP is that it acts as the postman of the Internet: its job is to organize data into a packet, which is then addressed for delivery. IP must place a destination and a source address on the packet. This is similar to addressing a package before delivering it to the post office. In the world of IP, the postage is the TTL (Time-to-Live) value, which keeps packets from traversing the network forever: each router decrements it, and when it reaches zero the packet is discarded, so a packet whose recipient cannot be found does not circulate indefinitely. All the computers on the Internet have an IP address. If we revert to our analogy of the postal system, an IP address can be thought of as the combination of a zip code and a street address. The first part of the IP address identifies the proper network; the second part identifies the host. Combined, this allows us to communicate with any network and any host in the world that is connected to the Internet. Now let us turn our attention to routing protocols.
Routing Protocols
Routing falls into two basic categories, static and dynamic. Static, or fixed, routing is simply a table that has been developed by a network administrator mapping one network to another. Static routing works best when a network is small and the traffic is predictable. The big problem with static routing is that it cannot react to network changes. As the network grows, management of these tables can become difficult. Although this makes static routing unsuitable for use on the Internet or in large networks, it can be used in special circumstances where normal routing protocols do not function well. Dynamic routing uses metrics to determine what path a router should use to send a packet toward its destination. Dynamic routing protocols include Routing Information Protocol (RIP), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), and Open Shortest Path First (OSPF). Dynamic routing protocols fall into two broad categories, link-state and distance-vector (BGP, strictly, is a path-vector protocol), which are discussed in greater detail later in the chapter.
RIP
RIP is the most common routing protocol that uses hop count as its primary routing metric, and it is considered a distance-vector protocol. The basic methodology of a distance-vector protocol is to decide on the best route by determining the shortest path, and the shortest path is commonly calculated in hops; RIP treats 15 hops as the maximum and a metric of 16 as unreachable. Each router knows only what its neighbors tell it, which is why distance-vector routing is also called routing by rumor.

OSPF
OSPF is the most common link-state routing protocol and is often used as a replacement for RIP. Link-state protocols are built on Dijkstra's shortest-path-first algorithm, which is the computational basis of their design. Each router floods the state (and cost) of its own links to every other router, so that every router holds the same map of the network and runs the Dijkstra algorithm over it to calculate the best path to each target network. The cost of a link can be derived from one or more metrics such as hops, delay, or bandwidth. This is how reliable routing tables are developed and how they reach convergence. Link-state routing is considered more robust than distance-vector routing; one reason is that link-state protocols converge faster after a change.
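The following Python example is added here and is not from the book. It shows the difference between the two approaches on one constructed four-router topology: Dijkstra's algorithm computing the best path under a hop-count metric and under a bandwidth-derived cost (the way a link-state protocol would), and a synchronous distance-vector exchange in which each router learns routes only from its neighbours, with 16 hops treated as unreachable as RIP does. The topology, bandwidths and the cost formula are assumptions made for the example.

```python
import heapq

# Constructed topology (not from the chapter): router -> {neighbour: bandwidth in Mbit/s}.
# The direct R1-R4 link is a slow serial line; the three-hop path is all fast Ethernet.
TOPOLOGY = {
    "R1": {"R2": 100, "R4": 1.5},
    "R2": {"R1": 100, "R3": 100},
    "R3": {"R2": 100, "R4": 100},
    "R4": {"R1": 1.5, "R3": 100},
}

RIP_INFINITY = 16  # RIP treats a metric of 16 hops as unreachable


def hop_cost(bandwidth):
    """Distance-vector style metric: every link counts as one hop."""
    return 1


def bandwidth_cost(bandwidth, reference=100.0):
    """Link-state style metric (assumed formula): cost inversely proportional to bandwidth."""
    return reference / bandwidth


def dijkstra(topology, source, cost_fn):
    """Shortest-path-first over the whole map: returns {router: (total_cost, path)}."""
    best = {source: (0, [source])}
    frontier = [(0, source, [source])]
    visited = set()
    while frontier:
        cost, node, path = heapq.heappop(frontier)
        if node in visited:
            continue
        visited.add(node)
        for nbr, bw in topology[node].items():
            new_cost = cost + cost_fn(bw)
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, path + [nbr])
                heapq.heappush(frontier, (new_cost, nbr, path + [nbr]))
    return best


def distance_vector(topology, max_rounds=50):
    """Synchronous Bellman-Ford: each router only learns what its neighbours advertise.

    Returns ({router: {destination: (hops, next_hop)}}, rounds until no table changed)."""
    tables = {r: {r: (0, r)} for r in topology}
    for rnd in range(1, max_rounds + 1):
        changed = False
        # Every router advertises its whole table to each neighbour ("routing by rumour").
        snapshot = {r: dict(t) for r, t in tables.items()}
        for r, nbrs in topology.items():
            for nbr in nbrs:
                for dest, (hops, _) in snapshot[nbr].items():
                    cand = min(hops + 1, RIP_INFINITY)
                    if dest not in tables[r] or cand < tables[r][dest][0]:
                        tables[r][dest] = (cand, nbr)
                        changed = True
        if not changed:
            return tables, rnd
    return tables, max_rounds


if __name__ == "__main__":
    print("hop count :", dijkstra(TOPOLOGY, "R1", hop_cost)["R4"])
    print("bandwidth :", dijkstra(TOPOLOGY, "R1", bandwidth_cost)["R4"])
    tables, rounds = distance_vector(TOPOLOGY)
    print("RIP-style table at R1:", tables["R1"], "converged after", rounds, "rounds")
```

Under hop count, R1 sends traffic for R4 across the 1.5 Mbit/s serial link because it is one hop; under the bandwidth-derived cost the same map yields the three-hop Ethernet path. The distance-vector run reaches the hop-count answer only by rounds of neighbour exchange, which is the convergence delay the text refers to.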
Hacking Routers
Full control of a router can often lead to full control of the network. This is why many attackers will target routers and launch attacks against them. These attacks may focus on configuration errors, known vulnerabilities, or even weak passwords.
Router Attacks
Routers can be attacked by gaining access to the router and changing the configuration file, by launching DoS attacks, by flooding the bandwidth, or by routing table poisoning. These attacks can be either hit-and-run or persistent. Denial of service attacks are commonly targeted at routers: if an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disabled.
Router Attack Topology
The router attack topology is the same as all attack topologies. The steps include:
1. Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privilege
5. Maintaining access
6. Covering tracks and placing backdoors
Denial-of-Service Attacks
Denial-of-service (DoS) attacks fall into three categories:
• Destruction. Attacks that destroy the ability of the router to function.
• Resource consumption. Flooding the router with many open connections simultaneously.
• Bandwidth consumption. Attacks that attempt to consume the bandwidth capacity of the router's network.
DoS attacks may target a user or an entire organization and can affect the availability of target systems or the entire network. The impact of DoS is the disruption of normal operations and normal communications; in most instances it is much easier for an attacker to accomplish this than to gain access to the network. Smurf is an example of a common DoS attack. Smurf exploits the Internet Control Message Protocol (ICMP) by sending a spoofed ping (echo request) to a network's directed broadcast address with the source address set to the victim. On a multiaccess network, many systems may reply, so a single spoofed packet is amplified into many; the attack results in the victim being flooded with ping responses. Another example of a DoS attack is a SYN flood. A SYN flood disrupts the Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set, usually from spoofed source addresses so that the handshake is never completed. This large number of half-open TCP connections fills the listen backlog on the victim's system and prevents it from accepting legitimate connections. Systems connected to the Internet that provide services such as HTTP or SMTP are particularly vulnerable.
DDoS attacks are the second type of DoS attack and are considered multiprotocol attacks: DDoS tools use ICMP, UDP, and TCP packets. One of the distinct differences between DoS and DDoS is that a DDoS attack consists of two distinct phases. First, during the preattack, the hacker must compromise computers scattered across the Internet and load software on these hosts to aid in the attack. Targets for this phase include broadband users, home users, poorly configured networks, and colleges and universities; script kiddies from around the world spend countless hours scanning for poorly protected systems. Once this step is completed the second step, the actual attack, can commence. At this point the attacker instructs the masters (handlers) to tell the zombies (agents) to launch the attack. ICMP and UDP packets can easily be blocked at the router, but TCP packets are more difficult to mitigate. TCP-based DoS attacks come in two forms:
• Connection-oriented. These attacks complete the three-way handshake to establish a connection, so the source IP address can be determined.
• Connectionless. These SYN packets are difficult to trace because the source

An example of a DDoS tool is Tribe Flood Network (TFN). TFN was among the first publicly available UNIX-based DDoS tools; it can launch ICMP (Smurf), UDP, and SYN flood attacks. Closely related to TFN is Trinoo, which allows an attacker to launch a coordinated UDP flood at a victim's computer, which gets overloaded with traffic. Trinoo's attacker-to-master channel is TCP port 27665, and its daemons report to the master on UDP port 31335 (masters send commands to daemons on UDP port 27444). A typical Trinoo attack network includes just a few masters and a large number of compromised hosts on which the Trinoo daemon is running. Trinoo is easy for an attacker to use and is very powerful in that one computer instructs many Trinoo daemons to launch a DoS attack against a particular target.
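As an added example (not part of the book), here is detection logic in Python for the three attack patterns described above, run over a constructed list of packet summaries standing in for sniffer output: Smurf (ICMP echo requests to a directed broadcast address with a spoofed source), a SYN flood (many half-open connections to one port, counted as SYNs with no later ACK from the same source), and Trinoo control-channel traffic on the ports given above. The packet records, addresses, threshold and the assumption that broadcast addresses end in .255 are all choices made for the example.

```python
from collections import Counter, defaultdict

# Constructed packet summaries (not a real capture), one dict per packet, in the shape
# a sniffer such as tcpdump would give after parsing the headers.
SAMPLE_PACKETS = [
    # Smurf: ICMP echo requests to the directed broadcast 192.0.2.255 with the
    # victim's address (198.51.100.9) spoofed as the source.
    {"proto": "icmp", "type": 8, "src": "198.51.100.9", "dst": "192.0.2.255"},
    {"proto": "icmp", "type": 8, "src": "198.51.100.9", "dst": "192.0.2.255"},
    # SYN flood: 40 SYNs to 198.51.100.80:80 from throw-away sources, never completed.
    *[{"proto": "tcp", "flags": "S", "src": f"203.0.113.{i}", "sport": 40000 + i,
       "dst": "198.51.100.80", "dport": 80} for i in range(1, 41)],
    # One legitimate client that completes the handshake (SYN, then ACK).
    {"proto": "tcp", "flags": "S", "src": "192.0.2.10", "sport": 51000,
     "dst": "198.51.100.80", "dport": 80},
    {"proto": "tcp", "flags": "A", "src": "192.0.2.10", "sport": 51000,
     "dst": "198.51.100.80", "dport": 80},
    # Trinoo control traffic: attacker to master on TCP 27665, daemon reply on UDP 31335.
    {"proto": "tcp", "flags": "S", "src": "203.0.113.200", "sport": 4444,
     "dst": "192.0.2.50", "dport": 27665},
    {"proto": "udp", "src": "192.0.2.77", "sport": 1025,
     "dst": "192.0.2.50", "dport": 31335},
]

BROADCAST_SUFFIXES = (".255",)          # assumption: only /24 directed broadcasts
DDOS_CONTROL_PORTS = {                  # ports documented for Trinoo
    ("tcp", 27665): "trinoo attacker->master",
    ("udp", 27444): "trinoo master->daemon",
    ("udp", 31335): "trinoo daemon->master",
}


def detect_smurf(packets):
    """Return {(spoofed_src, broadcast_dst): count} for echo requests sent to a broadcast."""
    hits = Counter()
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == 8 and p["dst"].endswith(BROADCAST_SUFFIXES):
            hits[(p["src"], p["dst"])] += 1
    return dict(hits)


def detect_syn_flood(packets, threshold=20):
    """Count half-open connections per (dst, dport): SYNs never followed by an ACK from
    the same source and port. Return the targets at or above the threshold."""
    syns = defaultdict(set)
    acked = set()
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"])
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if "S" in p["flags"] and "A" not in p["flags"]:
            syns[key].add(flow)
        elif "A" in p["flags"]:
            acked.add(flow)
    return {key: len(flows - acked) for key, flows in syns.items()
            if len(flows - acked) >= threshold}


def detect_ddos_control(packets):
    """Flag packets to ports associated with known DDoS master/daemon channels."""
    return [(p["src"], p["dst"], p["dport"], DDOS_CONTROL_PORTS[(p["proto"], p["dport"])])
            for p in packets
            if p["proto"] in ("tcp", "udp") and (p["proto"], p["dport"]) in DDOS_CONTROL_PORTS]


if __name__ == "__main__":
    print("smurf    :", detect_smurf(SAMPLE_PACKETS))
    print("syn flood:", detect_syn_flood(SAMPLE_PACKETS))
    print("ddos c2  :", detect_ddos_control(SAMPLE_PACKETS))
```

The SYN-flood check deliberately keys on the absence of a completing ACK rather than on SYN volume alone, so the one legitimate client in the sample is not counted; the Trinoo check is only an indicator, since any service could be bound to those ports, and should prompt a look at the host rather than a verdict.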
Routing Table Poisoning
Routers running RIPv1 are particularly vulnerable to routing table poisoning attacks, because RIPv1 has no authentication: any host on the segment can send a response that the routers will accept. In this type of attack the attacker sends fake routing updates, or modifies genuine route update packets on their way to other nodes, in an attempt to cause a denial of service. Routing table poisoning may cause a complete denial of service, or result in suboptimal routing or congestion in portions of the network.
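An added Python example, not from the book, that builds and parses RIPv1 response datagrams using the wire format from RFC 1058 (4-byte header, 20-byte route entries, metric 16 meaning unreachable) and audits an update for signs of poisoning: an untrusted source, a cheap injected default route, a known prefix withdrawn, or an unknown prefix advertised. The trusted-router list, known prefixes and the two sample updates are constructed for the example; the audit rules are illustrative, not part of any standard.

```python
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_INFINITY = 16
HEADER = struct.Struct("!BBH")          # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")     # AFI, zero, IPv4 address, zero, zero, metric


def build_ripv1_response(routes):
    """Encode [(network, metric), ...] as a RIPv1 response (used here to construct samples)."""
    body = b"".join(
        ENTRY.pack(2, 0, ipaddress.IPv4Address(net).packed, b"\0" * 4, b"\0" * 4, metric)
        for net, metric in routes)
    return HEADER.pack(RIP_RESPONSE, 1, 0) + body


def parse_ripv1(data):
    """Decode a RIPv1 datagram into (command, version, [(network, metric), ...])."""
    command, version, zero = HEADER.unpack_from(data, 0)
    if version != 1 or zero != 0:
        raise ValueError("not a RIPv1 datagram")
    routes = []
    offset = HEADER.size
    while offset + ENTRY.size <= len(data):
        afi, _, addr, _, _, metric = ENTRY.unpack_from(data, offset)
        if afi == 2:  # address family 2 = IP
            routes.append((str(ipaddress.IPv4Address(addr)), metric))
        offset += ENTRY.size
    return command, version, routes


def audit_ripv1_update(src_ip, data, trusted_routers, known_prefixes):
    """Return a list of reasons an update looks like routing table poisoning."""
    command, _, routes = parse_ripv1(data)
    findings = []
    if src_ip not in trusted_routers:
        findings.append(f"response from untrusted source {src_ip}")
    if command != RIP_RESPONSE:
        return findings
    for net, metric in routes:
        if net == "0.0.0.0" and metric < 3:
            findings.append(f"default route injected with metric {metric}")
        elif metric >= RIP_INFINITY and net in known_prefixes:
            findings.append(f"known prefix {net} withdrawn (metric {metric})")
        elif net not in known_prefixes and net != "0.0.0.0":
            findings.append(f"unknown prefix {net} advertised with metric {metric}")
    return findings


# Constructed scenario: the attacker at 192.0.2.99 claims a cheap default route and
# withdraws the real server subnet, so traffic is drawn through its own host.
TRUSTED = {"192.0.2.1", "192.0.2.2"}
KNOWN = {"10.1.0.0", "10.2.0.0"}
POISON = build_ripv1_response([("0.0.0.0", 1), ("10.2.0.0", 16), ("10.9.0.0", 2)])
LEGIT = build_ripv1_response([("10.1.0.0", 1), ("10.2.0.0", 2)])

if __name__ == "__main__":
    for src, pkt in (("192.0.2.1", LEGIT), ("192.0.2.99", POISON)):
        print(src, audit_ripv1_update(src, pkt, TRUSTED, KNOWN))
```

Feeding captured UDP/520 payloads to audit_ripv1_update with the real neighbour list is a quick way to find the update that changed a table; the same parser lets you compare the advertised metrics against what show ip route later reports.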
Hit-and-Run Attacks and Persistent Attacks
Attackers can launch one of two types of attacks, either hit-and-run or persistent. A hit-and-run attack is hard to detect and isolate, as the attacker injects only one or a few malformed packets. With this approach, the attacker must craft the attack so that the results have some lasting damaging effect. A persistent attack increases the possibility of identifying the attacker, as there is an ongoing stream of packets to analyze; however, it lowers the level of sophistication needed by the attacker, since much simpler attacks will do. Link-state routing protocols such as OSPF are more resilient to routing attacks than RIP.
Investigating Routers
When investigating routers there is a series of built-in commands that can be used for analysis. It is unadvisable to reset the router, as this may destroy evidence that was created by the attacker (the running configuration and other state held in RAM do not survive a reload). The following show commands can be used to gather basic information and record attacker activity:
• show access-lists
• show clock
• show ip route
• show startup-config
• show running-config
• show users
• show version
Chain of Custody
The chain of custody is used to prove the integrity of evidence. The chain of custody should be able to answer the following questions:
• Who collected the evidence?
• How and where is the evidence stored?
• Who took possession of the evidence?
• How was the evidence stored and how was it protected during storage?
• Who took the evidence out of storage and why?

There is no such thing as too much documentation. One good approach is to have two people work on a case. While one person performs the computer analysis, the other documents these actions. At the beginning of an investigation, a forensic analyst should prepare a log to document the systematic process of the investigation. This is required to establish the chain of custody. This chain of custody will document how the evidence is handled, how it is protected, what process is used to verify it remains unchanged, and how it is duplicated. Next, the log must address how the media is examined, what actions are taken, and what tools are used. Automated tools such as EnCase and the Forensic Toolkit compile much of this information for the investigator.
Volatility of Evidence
When responding to a network attack, volatile data should be collected as soon as possible. Although all routers are different, you will most likely be working with Cisco products, as Cisco holds the majority of the market share. Cisco routers store the startup configuration in nonvolatile RAM (NVRAM), which survives a power cycle. The current, or running, configuration is considered volatile data: it is kept in Random Access Memory (RAM), and if the configuration is erased or the router is powered down without saving, all of that information is lost. Routers typically are used as a beachhead for an attack. This means the router may play an active part in the intrusion; the attacker uses the router as a jumping-off point to other network equipment.
When starting an investigation you should always move from most volatile to least volatile. The first step is to retrieve the contents of RAM and NVRAM. To accomplish this you may use a direct connection to the console port, using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter. In instances when a direct connection is not available, a remote session is the next preferred method. Cleartext protocols such as Telnet and FTP should not be used; an encrypted protocol, Secure Shell (SSH), is preferred. You should make sure to capture both the volatile (running) and nonvolatile (startup) configuration so that the two can be compared for changes and documented. Cisco routers have multiple modes, so to gain privileged EXEC (enable) mode the analyst must know the enable password.
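The following Python example, added here and not from the book, collects the show commands in volatility order (the running configuration in RAM before the startup copy in NVRAM) and writes a chain-of-custody record for each: examiner, device, command, timestamp and a SHA-256 of the output, so that later tampering can be detected by re-hashing. It also diffs the running and startup configurations to surface unsaved changes. The command runner is pluggable; here a dictionary of constructed outputs stands in for a console session, so no router is needed to run it.

```python
import hashlib
import json
from datetime import datetime, timezone

# Most volatile first: "show running-config" is the copy in RAM, "show startup-config"
# the one in NVRAM; the others record time, logged-in users and routing state.
VOLATILITY_ORDER = [
    "show clock",
    "show users",
    "show running-config",
    "show ip route",
    "show access-lists",
    "show version",
    "show startup-config",
]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def collect_router_evidence(run_command, examiner, device, commands=VOLATILITY_ORDER,
                            now=lambda: datetime.now(timezone.utc)):
    """Run each command through run_command(cmd) -> str and return one custody record per
    command: who ran what, when, on which device, and the SHA-256 of the output."""
    records = []
    for cmd in commands:
        output = run_command(cmd)
        records.append({
            "device": device,
            "examiner": examiner,
            "command": cmd,
            "collected_at": now().isoformat(),
            "sha256": sha256_hex(output),
            "output": output,
        })
    return records


def verify_records(records):
    """Re-hash the stored outputs; return the commands whose output no longer matches."""
    return [r["command"] for r in records if sha256_hex(r["output"]) != r["sha256"]]


def diff_configs(records):
    """Lines present in the running config but not in the startup config, and vice versa:
    a quick way to spot changes an intruder made in RAM but did not save to NVRAM."""
    by_cmd = {r["command"]: r["output"] for r in records}
    running = set(by_cmd.get("show running-config", "").splitlines())
    startup = set(by_cmd.get("show startup-config", "").splitlines())
    return {"added_in_ram": sorted(running - startup),
            "missing_from_ram": sorted(startup - running)}


# Constructed outputs standing in for a console session (no real router involved).
FAKE_OUTPUT = {
    "show clock": "*10:42:17.001 UTC Mon Mar 3 2008",
    "show users": "    Line       User       Host(s)    Idle       Location\n"
                  "*  0 con 0    examiner   idle       00:00:00",
    "show running-config": "hostname edge1\n"
                           "username backdoor privilege 15 password 0 letmein\n"
                           "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
    "show ip route": "S*   0.0.0.0/0 [1/0] via 203.0.113.1",
    "show access-lists": "Extended IP access list 101\n    10 permit ip any any",
    "show version": "Cisco IOS Software, Version 12.4(3)",
    "show startup-config": "hostname edge1\n"
                           "ip route 0.0.0.0 0.0.0.0 203.0.113.1",
}

if __name__ == "__main__":
    recs = collect_router_evidence(FAKE_OUTPUT.__getitem__, "analyst1", "edge1")
    print(json.dumps(diff_configs(recs), indent=2))
    print("tampered:", verify_records(recs))
```

In practice run_command would wrap a console or SSH session; keep the records (or at least the hashes) in the case log, and hash the JSON dump itself so the log answers the who, when and unchanged questions the chain of custody requires.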
Case Reports
Case reporting is one of the most important aspects of computer forensics. Just as with traditional forensics, everything should be documented. Reporting should begin the minute you are assigned to a case. Although it may sometimes seem easier to blindly push forward, the failure to document can result in poorly written reports that will not withstand legal scrutiny. Let's face it, not all aspects of computer forensics are exciting and fun. Most of us view paperwork as drudgery. It is a somewhat tedious process that requires an eye for detail. Don't allow yourself this fallacy. In the end, the documentation you keep and the process you follow will either validate or negate the evidence. The report is key in bringing together the three primary pieces of forensics: acquisition, authentication, and analysis. The case report will be the key to determining one of the following actions:
• Employee remediation
• Employee termination
• Civil proceedings
• Criminal prosecution

When the investigation is complete a final written report is prepared. Some of the items found in this report will include:
• Case summary
• Case audit files
• Bookmarks
• Selected graphics
• File location path
• File location properties

Although this is not an all-inclusive list, it should give you some indication of what should be included. Depending on the agency or corporation, the contents of the report will vary. What is consistent is that anyone should be able to use the logs and the report to recreate the steps performed throughout the investigation. This process of duplication should lead to identical results.
Incident Response
Incident response is the effort of an organization to define and document the nature and scope of a computer security incident. Incident response can be broken into three broad categories:
• Triage. Notification and identification.
• Action/Reaction. Containment, analysis, tracking.
• Follow up. Repair and recovery, prevention.
Compromises Before a compromise can be determined, investigators must be alerted that something has happened. It is best if the alert function is automated as much as possible. Otherwise, the sheer volume of log information would be overwhelming for an employee. Even with a high level of automation someone must still make a judgment regarding the validity of the alert. Once an attack has been validated it is important to reduce the damage of the attack as quickly as possible and work to restore normal business functions.
Summary
In this chapter, we reviewed how routers can play an important part in forensics. Readers were introduced to routed protocols such as IP and we discussed how routed protocols work. In many ways, IP acts as a "postman," since its job is to make a best effort at delivery. In a small network, or one that seldom changes, the route that IP datagrams take through the network may remain static or unchanged. Larger networks use dynamic routing, and administrators use routing protocols such as RIP for it. We also looked at how attackers attack routers and how incident response relates to routers and router compromises.
Solutions Fast Track

Network Forensics
• Network forensics is the process of examining network traffic for the purpose of discovering attacks and malicious events.
• Network forensics is commonly performed with a sniffer or packet capture tool.

Overview of Routers
• Routers are designed to connect dissimilar networks and protocols.
• Routers run routing protocols.
• Common routing protocols include RIP and OSPF.

Hacking Routers
• Routers can be attacked by exploiting misconfigurations or vulnerabilities.
• Routers need to have logging enabled so sufficient traffic is captured to aid in forensic investigations.

Incident Response
• Monitoring for incidents requires both passive and active tasks.
• Incident response requires development of a policy to determine the proper response.
Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www. syngress.com/solutions and click on the "Ask t h e A u t h o r " form.
Q: Where do routers reside in relationship to the OSI model?
A: Routers are a layer 3 device.

Q: Do routers pass physical addresses?
A: No, not by default, since routers are layer 3 devices and physical addresses are found at layer 2.

Q: What do routers do with broadcast traffic?
A: Routers block physical broadcast traffic.

Q: Why target routers?
A: Routers can sometimes be overlooked by security professionals, since so much time is spent on securing workstations and servers.

Q: What is the first thing an attacker does when targeting a router?
A: An attacker must first identify the device and be able to verify it is a router. With this done, the attacker must next determine the version and model of the router.

Q: What is the most important preplanning aspect of router forensics?
A: You must make sure good policies and procedures are in place that specify adequate logging is taking place.

Q: What type of skills are required for incident response?
A: Incident response requires technical skills, investigative skills, and leadership skills.

Q: How would you best define the incident response process?
A: Incident response is the process of detecting a problem, determining its cause, and minimizing the damage.
Chapter 7 • Legal Issues of Intercepting WiFi Transmissions
Introduction
WiFi (commonly, if unofficially, expanded as "wireless fidelity") encompasses a number of standards that enable computers and other devices to connect wirelessly to local area networks. The proliferation of WiFi devices is a success story in standards development and represents a market that generates over $750 million per quarter in sales worldwide (Infonetics Research). Most computer systems, particularly laptops, are shipped with WiFi-compliant hardware and software as a standard feature. For example, even the least expensive laptop available at Wal-Mart is WiFi equipped. Further, the equipment necessary to set up your own WLAN, with existing computers and existing Internet service, can be obtained for less than $100. A number of organizations have chosen to make WiFi access freely available to any who would wish to connect. Dartmouth College offers free WiFi over its entire campus; Panera Bread and many CompUSA stores throughout the nation offer free WiFi access; Bradley International Airport in Connecticut and Ft. Lauderdale Airport in Florida provide free WiFi access. WiFi is a technology that is far from being in use only by technologically advanced early adopters, and is now clearly mainstream in its adoption and use.
In this chapter, we will attempt to highlight the technology behind the WiFi explosion and how various federal laws may or may not apply to eavesdropping on WiFi communications.
WiFi Technology
WiFi fits in a family of standards developed under the IEEE (I-triple-E), the Institute of Electrical and Electronics Engineers. The IEEE is a standards body that developed the 802 family of standards. These standards describe a framework (physical media and working characteristics) that enables two or more devices to communicate within a network. Most notable of these standards is the 802.3 standard, the specification for Ethernet. The Ethernet standard describes a method of physical communication in a local area network (LAN). A wide majority of computer networks now employ Ethernet as their communication standard; almost every computer sold includes an Ethernet jack for connecting to an Ethernet network. The success of the 802.3 standard is quite likely responsible for the massive proliferation of computing networks in businesses, schools, and government facilities.

A similar explosion in growth and success is occurring with the 802.11 standard from IEEE. The 802.11 standard is a family of specifications for wireless local area networks (WLANs). Similar to the 802.3 standard, it specifies the method of physical communication between devices on the network, but where the 802.3 standard addresses communication over a physical link through cabling, the 802.11 standard addresses communication between devices over infrared and radio frequency (RF) transmissions. Although the use of infrared has been beneficial in some instances (short-range wireless printing, for example), its use has been dwarfed by the use of radio frequency transmissions.

In order to connect to a WLAN, each device on a WiFi network must possess a wireless card, or an 802.11-compliant radio transceiver. Some computers may have a built-in wireless card, whereas others may need to attach one through a PCMCIA or USB interface. Within this wireless card is a transceiver tuned to a particular frequency, a frequency dictated by the 802.11 standard. Another device called an access point serves as the bridge between the devices on the wireless network and the wired local area network. The network owner configures the access point, and options for authentication and security are available; most security features are disabled by default. The access point and the wireless card in a computer (or other device) communicate with one another to transfer both data and network management information over the chosen radio frequency.
Authentication and Privacy in the 802.11 Standard
It is important to note that within the 802.11 standard, both authentication (who is allowed to connect to the network) and privacy (who is allowed to view information off the network) are addressed. However, users of WiFi devices rarely take the necessary steps to properly configure their WiFi network. Wireless networks are different than a physical wired network. To join a physical network, one must have physical access to the network in order to connect to it. Therefore, physical security plays a significant role in authenticating users on a physical network. Wireless networks, on the other hand, do not stay neatly contained within the walls of a building; who is allowed on a WLAN is handled through authentication. Authentication is defined in the 802.11 standard as "The service used to establish the identity of one station as a member of the set of stations authorized to associate with another station." (ANSI/IEEE Std 802.11, 1999 Edition (R2003)) Therefore, there must be a way to limit access to any particular WLAN, and indeed there is. One manner is to limit access through MAC address authentication. In this process, the access point holds a list of authorized MAC addresses. Network interface cards with MAC addresses on the authorized list will be allowed to connect to the WLAN. If you're not on the list, the access point won't let you in.

Media access control (MAC) addresses are unique numbers associated with each network interface card, including wireless network interface cards. "Unique" is a relative term here, as a number of software utilities exist to change the MAC address of a network interface card.

Encryption is another method used to control authentication. WLANs can be set up to use a number of encryption schemes, WEP and WPA being the two most common. Encryption controls authentication by limiting the decryption of WLAN signals. Authorized users must possess the appropriate secret key to decrypt the signal, and in fact must have the proper credentials even to connect to the access point at all. One would assume that equipment by default would enable either MAC access control or one of the encryption schemes to help the user manage authentication. However, this is not the case. Most access points' default configuration falls under what the 802.11 standard calls Open System Authentication. In this scheme any device that requests authentication can receive authentication and be added to the WLAN. Even though more secure manners exist for authentication (MAC filtering and encryption), open system authentication is described as the default setting for 802.11 devices in the 802.11 standard.
Privacy

In a wired LAN, privacy is controlled by the routing of information. Routers and switches on a LAN control the flow of information so that devices on a LAN get only data sent through their cable that is specifically addressed to them or is broadcast data addressed to all devices. Therefore eavesdropping on a wired network can be very difficult, usually requiring some level of physical access to the network and/or direct access to the device of interest. For example, if someone were to listen to data traffic on the cable anywhere between computer X and the network switch, the eavesdropper would be able to view only traffic specifically sent to computer X. Within a WLAN, data is sent to all devices attached to the WLAN over RF transmissions; data is not limited to traveling in specific cables to a particular computer. Since the RF can't be contained, a much higher level of access to data intended for any of the machines in a WLAN can be achieved without physical access to the network. Additionally, the radio waves from the access points will often exceed the limits of the room or building where they are installed and intended for use. The 802.11 standard directly addresses this issue with rather strong language for a technology standard:

"Any IEEE 802.11-compliant [station] may hear all like-[physical] IEEE 802.11 traffic that is within range. Thus the connection of a single wireless link (without privacy) to an existing wired LAN may seriously degrade the security level of the wired LAN... To bring the functionality of the wireless LAN up to the level implicit in wired LAN design, IEEE 802.11 provides the ability to encrypt the contents of messages. This functionality is provided by the privacy service... IEEE 802.11 specifies an optional privacy algorithm, WEP, that is designed to satisfy the goal of wired LAN 'equivalent' privacy. The algorithm is not designed for ultimate security but rather to be 'at least as secure as a wire...' If the privacy service is not invoked, all messages shall be sent unencrypted."
As noted earlier in the authentication discussion, a method to keep all information private is built into the standard. Most access points are equipped with a number of encryption schemes that would allow the user to encrypt the data between the access point and the wireless card in their computer. The most common encryption schemes are WEP and WPA. However, as is the case with open system authentication, the default privacy setting is open with all information being sent in clear text. Important to note is that the standard states that any 802.11-compliant station/device may hear all 802.11 traffic within range.
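The open-by-default behaviour described in this section is visible in the beacon frames an access point broadcasts: the Privacy bit of the capability information field says whether the privacy service is invoked at all, and the presence of an RSN element or a vendor WPA element says which scheme is in use. The following Python script is an added example written for this edition, not code from the book or from any product it describes. It parses constructed beacon frames (no live capture) and reports which networks are open, which is the check a network owner would run to confirm that their own access point has been moved off the default. Field offsets follow the 802.11 management-frame layout; the BSSIDs, SSIDs and element contents are made up for the example.

```python
import struct

# 802.11 beacon layout assumed here (standard management-frame format):
#   MAC header (24 bytes): frame control(2) duration(2) addr1(6) addr2(6) addr3/BSSID(6) seq ctl(2)
#   fixed parameters (12 bytes): timestamp(8) beacon interval(2) capability info(2)
#   tagged parameters: repeated (element id, length, value)
MAC_HEADER_LEN = 24
FIXED_PARAMS_LEN = 12
CAP_PRIVACY = 0x0010                      # capability bit 4, "Privacy": privacy service invoked
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221   # element ids: SSID, RSN (WPA2), vendor specific
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # OUI 00:50:F2, type 1: the pre-802.11i WPA element


def parse_ies(tagged):
    """Split the tagged-parameter area into (element id, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((eid, value))
        i += 2 + length
    return ies


def classify_beacon(frame):
    """Return BSSID, SSID and the advertised security mode of one beacon frame."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:           # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    body = frame[MAC_HEADER_LEN:]
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = parse_ies(body[FIXED_PARAMS_LEN:])
    ssid = next((v.decode("utf-8", "replace") for eid, v in ies if eid == IE_SSID), "")
    has_rsn = any(eid == IE_RSN for eid, _ in ies)
    has_wpa = any(eid == IE_VENDOR and v.startswith(WPA_OUI_TYPE) for eid, v in ies)
    if not capability & CAP_PRIVACY:
        security = "OPEN"                 # privacy service not invoked: traffic in clear text
    elif has_rsn:
        security = "WPA2"                 # RSN element present
    elif has_wpa:
        security = "WPA"                  # vendor WPA element only
    else:
        security = "WEP"                  # privacy bit set but no RSN/WPA element
    return {"bssid": bssid, "ssid": ssid, "security": security}


def open_networks(frames):
    """Audit helper: SSIDs of every beacon whose privacy bit is clear."""
    return sorted({r["ssid"] for r in map(classify_beacon, frames) if r["security"] == "OPEN"})


# --- constructed sample frames (not real captures) ---------------------------
def build_beacon(bssid, ssid, capability, extra_ies=b""):
    header = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval (TU), capability
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie + extra_ies

# Minimal RSN element: version 1, group CCMP, one pairwise CCMP, one AKM PSK, capabilities 0
RSN_IE = bytes([IE_RSN, 20]) + bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
# Minimal WPA vendor element: OUI/type, version 1, group TKIP, one pairwise TKIP, one AKM PSK
WPA_IE = bytes([IE_VENDOR, 22]) + WPA_OUI_TYPE + bytes.fromhex("0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("020000000001"), "HOME-OPEN", 0x0401),           # ESS, no privacy
    build_beacon(bytes.fromhex("020000000002"), "HOME-WEP", 0x0411),            # ESS + privacy
    build_beacon(bytes.fromhex("020000000003"), "HOME-WPA", 0x0411, WPA_IE),
    build_beacon(bytes.fromhex("020000000004"), "HOME-WPA2", 0x0411, RSN_IE),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(classify_beacon(frame))
    print("open networks:", open_networks(SAMPLE_FRAMES))
```

Running it lists each sample network with its advertised security; only HOME-OPEN is reported as open. On a real audit the frames would come from a monitor-mode interface or a saved capture, which the example leaves out so that it runs offline on the constructed data.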
Understanding WiFi RF

The FCC regulates the ownership of the RF spectrum. If the FCC issues a license to a particular person or organization, the FCC must closely regulate the output wattage of the licensee and the licensee's neighbors to ensure that there is no interference in either licensee's area of coverage. To illustrate this point, we can examine the cellular industry. Each cellular carrier obtained the rights to particular frequencies in particular geographic areas allocated for use by cell phone communications. No other carrier can use a licensed frequency within the geographic area of the licensee, particularly if the licensee's transmissions are interfered with.

What makes 802.11 so available and so ubiquitous is its use of an unlicensed portion of the radio frequency spectrum set aside for industrial, scientific, and medical (ISM) use. Users of the unlicensed ISM band do not need to purchase rights or ownership of a particular frequency: "Persons operating ISM equipment shall not be deemed to have any vested or recognizable right to the continued use of any given frequency, by virtue of any prior equipment authorization and/or compliance with the applicable rules." (47 CFR 18.111(a)) Instead, the unlicensed bands are open to all as long as certain conditions are met. These conditions include limiting the output wattage, and all devices using this band must not cause interference with other devices on the band. It is crucial to note that WiFi devices are not the only devices using the ISM band. Cordless phones, remote car starters, and baby monitors all use this small section of unlicensed spectrum. Most importantly, there is no license holder that can prohibit others from trespassing on their spectrum holdings. In summary, it is generally accepted that the ISM bands are open to the general public.
Scanning RF

The airwaves are full of signals in a variety of frequencies; television broadcasts, emergency services radio dispatches, FM radios, pagers, and cellular telephones are just a few of these signals. We are all technically always receiving these signals whenever the energy hits our bodies, but in order to make sense of the signals, we need special equipment to decode or interpret the signal. To make sense of a broadcast television signal, for example, we need a television. Generally speaking, a device designed to be tunable to a wide variety of frequencies for the intent of listening in on any communications is called a scanner. There are scanners that focus on voice communications; a fire/police scanner, for example, would enable someone to listen in on the communications of their local emergency services. There are scanners that focus on video feeds; for example, there is a specialized scanner that attempts to listen in on security cameras that send their images to the main security panel via a radio link. Some of these types of communication use more complicated protocols, or specific codified languages, that enable two or more electronic devices to communicate with one another. Digital protocols are demonstrative of this in that the analog signal (a sine wave) is modulated to form approximately square peaks and valleys that represent the 1's and 0's of a digital message. One who eavesdrops on a digital message may be able to pick up sounds on the given frequency, but the human ear would not be able to make sense of the garbled series of tones. Many police transmissions are now digitally encoded, and often encrypted, as a mitigating measure against scanning and eavesdropping. Prior to 1992, it was legal to purchase scanning equipment capable of listening in on cellular phone conversations. In 1992, Public Law 102-556, the Telephone Disclosure and Dispute Resolution Act, was passed, amending the Communications Act of 1934.

The act, which is codified at 47 U.S.C. § 302a(d), prohibits the authorization, manufacture, and import of scanning equipment capable of: (A) Receiving transmissions in the frequencies allocated to the domestic cellular radio telecommunications service, (B) Readily being altered by the user to receive transmissions in such frequencies, or (C) Being equipped with decoders that convert digital cellular transmissions to analog voice audio. Given that Congress chose to regulate cellular monitoring equipment, there now appears to be a reasonable expectation of privacy by users of cellular phones that their conversations will not be readily susceptible to monitoring by the general public. Further, the cellular carriers themselves enhanced cell phone users' expectation of privacy by phasing in protocols that cause cellular phones to hop around a group of frequencies, thus making scanning of any one particular cellular phone or phone call very difficult. Therefore, any electronic monitoring of cellular telephone conversations without appropriate legal authorization would constitute an unconstitutional search in violation of the Fourth Amendment (see Fourth Amendment discussion later).
However, as was discussed in the Authentication and Privacy sections of this document, 802.11x does not by default employ any specific protocols designed to secure communications between parties. Where the Telephone Disclosure and Dispute Resolution Act restricted the scanning of cellular communications through criminalizing the sale or purchase of equipment that could intercept cellular communications, the equipment needed to scan or eavesdrop on WiFi transmissions is not illegal to own; in fact it is the same equipment needed to connect to any wireless network, which is clearly not illegal to own. Further, the ISM band on which 802.11x communicates is not protected by a specific law highlighting its frequency, but there is a case to be made that some existing laws do provide eavesdropping prohibitions.
Eavesdropping on WiFi

The knowledge and skill required to eavesdrop on WiFi transmissions is not prohibitive, and the technology, both hardware and software, is readily available. A number of software products are available that both find and listen in on WiFi transmissions. For the most part, these software packages are completely legitimate network analyzers used by network administrators to debug networks and to find access points that have been installed illegitimately on the network.
Every communication over the WLAN that is not encrypted can be grabbed from the airwaves and viewed. MAC authentication applies only to devices that wish to connect to the network; limiting who connects to a network does keep the overall network safer, particularly the information on other devices on the network, but does nothing to prevent people from intercepting unencrypted transmissions. Transmissions must have some level of encryption as a guard against any 802.11-equipped device viewing the contents of the transmission.
Legal Framework

To best understand the legality of WiFi eavesdropping, we must look at how existing laws relate to WiFi technology. As we shall see, federal statutes relating to the interception of various types of electronic communications do not appear to govern the interception of WiFi transmissions.
The Electronic Communications Privacy Act (ECPA)

Although WiFi transmissions fall within the meaning of electronic communications as defined in ECPA, unless the signals transmitted by WiFi devices are encrypted, they are accessible to the general public. Therefore, ECPA does not govern the interception of nonencrypted WiFi signals that are not sent by a common carrier. WiFi transmissions would fall within the meaning of "electronic communications" under ECPA. ECPA prohibits the interception of any electronic communications, regardless of the physical media of transport (18 U.S.C. § 2510). ECPA defines electronic communication as "...any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce..." Courts have historically adopted a broad definition of what constitutes interstate commerce. Therefore the use of WLANs to transmit data, particularly if connected to the Internet, would be considered "electronic communications" within the meaning of ECPA. A computer trespasser is defined as a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer (18 U.S.C. § 2510). It is interesting to note, as with the CFAA, that this definition makes no provisions for wireless eavesdroppers where no access is required. Anyone who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication" is in violation of ECPA (18 U.S.C. § 2511(1)(a)). Although WiFi transmissions fall within ECPA's definition of electronic communications, ECPA excludes electronic communications that are readily accessible to the general public from the ambit of the statute. Many of the attributes of typical WiFi transmissions make them readily accessible to the general public. Therefore, ECPA does not appear to govern most WiFi transmissions. First, WiFi transmissions are not scrambled or encrypted. The default setting for the 802.11 standard is open system authentication with no encryption. Therefore, in a default setting with no encryption enabled, 802.11 WiFi networks do not meet these criteria. Next, WiFi transmissions are not transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communication. The 802.11 standard is a public standard. Further, the hardware and software required are neither controlled nor restricted items, and the hardware in fact often is included as a standard feature of many computers. In fact, the only applicability of ECPA to WiFi transmissions is to those transmissions that are transmitted over a communication system provided by a common carrier. A common carrier is a company that provides communication service for hire to the public. Some common carriers operate WiFi networks and would be protected under ECPA. However, when the WiFi network in question is operated by a private citizen or other entity not involved in providing communication service, ECPA does not apply. See Andersen Consulting LLP v. UOP, 991 F. Supp. 1041 (N.D. Ill. 1998) (defendant did not provide electronic communication service to the public and therefore could not be sued under ECPA).
Telecommunications Act

The Telecommunications Act also does not appear to govern WiFi interceptions because WiFi communications can be available to the general public. The Telecommunications Act states: "No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person.... This section shall not apply to the receiving, divulging, publishing, or utilizing the contents of any radio communication which is transmitted by any station for the use of the general public..." 47 U.S.C. § 605 (emphasis added).
Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) does not appear to apply to the intercept of WiFi signals, as the Act is focused primarily on accessing computer systems (Kern, 2004). Although there does not appear to be any case law directly on point, passively monitoring a WiFi communication would not seem to involve accessing the person's computer as the term is generally understood. The first six major statutory violations are centered on unauthorized access to a computer system, and the seventh concerns making threats of damage against a protected system (the following items are paraphrased for brevity):

1. Intentional access to a computer with sensitive government information.
2. Intentional access to a computer, without authorization or exceeding authorized access, that obtains financial information from a financial institution or card issuer, any U.S. government files, or information from a protected computer related to interstate or foreign commerce.
3. Intentionally, without authorization, accesses any nonpublic computer of a department or agency of the United States.
4. Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, in order to commit or further a fraud.
5. Accesses a protected computer and knowingly disseminates malicious code or causes damage, reckless or otherwise, or attempted access that would have caused loss of $5000 or more, physical harm, modification of medical treatment, a threat to public safety, or damage to a government system.
6. Knowingly, and with intent to defraud, traffics in any password or similar information through which a computer may be accessed without authorization, if (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States.
7. With intent to extort any money or other thing of value, any person who transmits any communication containing any threat to cause damage to a protected computer.
Eavesdropping on WiFi can be done in a passive manner with no outgoing data emitted from the eavesdropping computer. No connection to an access point is required to capture data carried on the radio frequency transmissions. Therefore each section of the CFAA that mentions access (items 1-6) would specifically exclude WiFi eavesdropping.
Fourth Amendment Expectation of Privacy in WLANs

Although Congress has chosen not to prohibit the interception of WiFi traffic via statute, cyber crime investigators, as law enforcement officers, still are prohibited by the Fourth Amendment from engaging in unreasonable searches. The constitutional protection against unreasonable searches extends only to those areas in which the subject of the search has exhibited an actual (subjective) expectation of privacy and that expectation is one that society is prepared to recognize as "reasonable" (Katz v. United States, 389 U.S. 347, 361 (1967)). Although an individual has a constitutionally protected expectation of privacy in his home, "[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection" (Katz, 389 U.S. at 351). "The Fourth Amendment protection of the home has never been extended to require law enforcement officers to shield their eyes when passing by a home on public thoroughfares" (California v. Ciraolo, 476 U.S. 207, 213 (1986)). "Nor does the mere fact that an individual has taken measures to restrict some views of his activities preclude an officer's observations from a public vantage point where he has a right to be and which renders the activities clearly visible." Id. (citing United States v. Knotts, 460 U.S. 276, 282 (1983)). The question becomes, then, whether an expectation of privacy in electronic communications transmitted via WiFi would be reasonable, in a Fourth Amendment sense. Although this issue has not been decided yet, the better view appears to be that such an expectation of privacy would not be reasonable in a Fourth Amendment sense. It is a basic function of WiFi transmissions that, at the option of the WiFi user, they may be encrypted and therefore effectively shielded from public view. Therefore, if a user chose not to shield his WiFi transmissions from public view through the built-in encryption specified in the WiFi standard, courts would likely conclude that the WiFi user had foregone any reasonable expectation of privacy (see United States v. Granderson, 182 F. Supp. 2d 315, 321-22 (2001): defendant had no reasonable expectation of privacy when conducting drug activities behind a boarded-up window that had a slot between the boards, since the defendant easily could have shielded his activities from public view by taking simple and obvious steps).
Summary

WiFi, as defined by the 802.11 standard, is clearly a technology that is empowering millions to break free from the bounds of a wired infrastructure. The convenience and personal freedom afforded by a wireless connection has fueled the enthusiasm for home networking and has cut the cost of employing networks in underfunded organizations like churches and schools. However, there is a cost in the loss of privacy of data transmitted across the wireless network if users do not take steps to encrypt the transmissions. The 802.11 standard clearly articulates that additional privacy measures, primarily authentication measures such as MAC filtering and encryption, are needed to prohibit any other 802.11-equipped device from connecting to the wireless access point. The 802.11 standard further articulates that encryption such as WEP and WPA must be used to protect the privacy of data on the WLAN; however, the default in the standard, and the resulting default setting on most wireless devices, has the privacy/encryption feature disabled. Out of the box, the device is vulnerable to eavesdropping and additional actions usually are required of the new owner to enable the security features. But one would think that eavesdropping on electronic communications would be decidedly illegal. Under the currently existing federal statutes discussed earlier, this does not appear to be the case. The Electronic Communications Privacy Act, 18 U.S.C. § 2510, does not appear to govern most WiFi communications not owned by a communications carrier, because the communications are "readily accessible to the general public" unless security measures were taken to secure otherwise wide-open communication. After reviewing the applicable laws, we see that WiFi is positioned at a confluence of a number of technical and legal issues that make the situation rather unique.

The 802.11 communications standard allows for wide-open, unencrypted data communications; over an unlicensed frequency band; for which the technology to intercept the communications is not only readily available, but often unavoidable; and for which common carrier involvement is rare. It does not appear that WiFi interceptions are specifically addressed by the laws presented earlier, and even where WiFi interception might technically fall within the ambit of a statute, WiFi transmissions seem to be implicitly excluded elsewhere. For example, 47 U.S.C. § 605 clearly states: "No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person." But, as discussed earlier, the statute does not apply to communications that are transmitted by any station for the use of the general public. Similarly, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is primarily concerned with "accessing" a "system" without proper authorization. However, eavesdropping on WiFi requires no connection or access to a computer system. Since the common understanding of the term "access" suggests a two-way communication, a handshake, or some level of mutual interaction, passive monitoring would not be a form of access. Since WiFi communications are available to the general public, most WiFi signals are lawfully open to interception under the applicable federal statutes discussed previously.
Regardless of the legality of WiFi eavesdropping, the public should be advised that the 802.11 family of standards places network authentication and information privacy in the hands of the network owner. Steps beyond the default install must be taken to ensure the privacy of your data and the security of your network. It is not clear that WiFi users would have any legal recourse if somebody eavesdropped on communications that the user had implicitly invited the world to listen to by leaving the door wide open.
Works Cited

47 U.S.C.: Communications Act of 1934.
47 CFR 18.111(a): Title 47, Telecommunication; Chapter I, Federal Communications Commission; Part 18, Industrial, Scientific, and Medical Equipment; Subpart A, General Information; Sec. 18.111, General operating conditions, (a).
Kern, Benjamin D. 2004. Whacking, Joyriding and War-Driving: Roaming Use of Wi-Fi and the Law. Santa Clara Computer and High Technology Law Journal.
Infonetics Research's quarterly market share service, available at www.beerfiles.com.au/content/view/1334/0/.
Solutions Fast Track

WiFi Technology

• WiFi is a colloquial term referring to a wireless communication technology described in the IEEE's 802.11 body of standards.
• WiFi covers both infrared and RF as mediums for communication, but most WiFi devices operate in the 2.4GHz or 5GHz RF bands.
• WiFi access points use an open system architecture as their default setting; therefore additional measures such as encryption must be configured to control network access, authentication, and privacy.
Understanding WiFi RF

• 802.11 WiFi networks use an unlicensed band of the RF spectrum set aside for industrial, scientific and medical (ISM) use.
• The ISM band generally is considered open to the general public.

Scanning RF

• Scanning is a well-documented practice of listening to RF transmissions.
• A specific piece of legislation made the manufacture and sale of equipment to monitor cellular communications illegal.
• There is no legislation that criminalizes the manufacture, sale, or possession of equipment to monitor or intercept WiFi; in fact the same equipment used to connect to a WiFi network is used to monitor traffic on a WiFi network.

Eavesdropping on WiFi

• A legal framework exists around the legality of both wiretaps and unlawfully accessing computer systems, including the Telecommunications Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act.
• Applicable federal statutes do not appear to govern eavesdropping on private WiFi communications.

Fourth Amendment Expectation of Privacy in WLANs

• Although Congress has chosen not to prohibit the interception of WiFi traffic via statute, cyber crime investigators, as law enforcement officers, are still prohibited by the Fourth Amendment from engaging in unreasonable searches.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.
Q: Are you stating in this article that we have the green light to go and start intercepting WiFi signals?

A: No. Sorry. The point of this chapter was to show how federal statutes that govern the interception of other types of electronic communications do not squarely address WiFi technology. Further, and perhaps more important, it appears that many state wiretap laws would criminalize the interception of WiFi signals. So although the discussion here shows that the federal statutes discussed here may not address WiFi eavesdropping, the interception of WiFi may be criminalized by your State's wiretap or other laws. You should consult with your local prosecutor before attempting to eavesdrop on WiFi signals.
Chapter 8 • CD and DVD Forensics
Physical Characteristics of CD and DVD Media

Little has changed in Compact Disc (CD) physics since the origin of CD audio discs in 1980. This is due in part to the desire to maintain physical compatibility with an established base of installed units, and because the structure of CD media is ideal for this function. Digital Versatile Discs (DVDs) are an evolutionary growth of CDs with slight changes. It is important to understand that both CDs and DVDs are electro-optical devices. There are no magnetic fields in the reading or recording of these discs; therefore, they are immune to magnetic fields of any strength, unlike hard drives. Due to its immunity to magnetic fields, CD and DVD media is unaffected by Electromagnetic Pulse (EMP) effects, X-rays, and other sources of electromagnetic radiation. The primary consideration with recordable CD media (and to a lesser extent, manufactured media) is energy transfer. It takes a significant amount of energy to affect the media, which the writing laser transfers to the disc. Rewritable discs (Compact Disc - ReWritable [CD-RW], Digital Versatile Disc - Rewritable [DVD-RW], and Digital Versatile Disc + Rewritable [DVD+RW]) require even more energy to erase or rewrite data. This is in direct contrast to floppy disks and hard drives, which can be affected by electromagnetic devices such as Magnetic Resonance Imaging (MRI) machines, some airport X-ray scanners, and other devices that create a strong magnetic field. CDs and DVDs are also immune to EMPs from nuclear detonations. It is important to understand that CD and DVD media is read with light, and recordable discs are written with heat. Using an infrared (IR) laser, data is transferred to a CD or DVD onto a small, focused area that places all of the laser energy onto the target for transfer.

It should be noted that all CD and DVD media are sensitive to heat (i.e., above 120°F/49°C), and recordable media is sensitive to IR, ultraviolet (UV), and other potentially intense light sources. Some rewritable media are affected by EPROM erasers, which use an intense UV light source. Various forensic alternative light sources can provide sufficient energy to affect optical media, especially if it is focused on a small area. It is not necessarily a question of heat but one of total energy transfer, which can result in heating. Both CD and DVD media are organized as a single line of data in a spiral pattern. This spiral is over 3.7 miles (or 6 kilometers [km]) in length on a CD, and 7.8 miles (or 12.5 km) for a DVD. The starting point for the spiral is towards the center of the disc with the spiral extending outward. This means that the disc is read and written from the inside out, which is the opposite of how hard drives organize data. With this spiral organization, there are no cylinders or tracks like those on a hard drive. (The term "track" refers to a grouping of data for optical media.) The information along the spiral is spaced linearly, thus following a predictable timing. This means that the spiral contains more information at the outer edge of the disc than at the beginning. It also means that if this information is to be read at a constant speed, the rotation of the disc must change between different points along the spiral. All optical media is constructed of layers of different materials (see Figure 8.1).
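The spacing and rotation argument above can be carried through numerically. The following Python script is an added example, not from the book; it assumes the nominal Red Book geometry of a CD, which the chapter does not state: a 1.6 µm track pitch, a program area running from 25 mm to 58 mm radius, and a 1.2 m/s scanning velocity. From those assumptions it computes the spiral length (about 5.4 km, the same order as the figure quoted above), the rotation rate needed at the inner and outer radius to hold the linear velocity constant, the resulting playing time, and how many seconds of data a one-millimetre radial band holds at each position.

```python
import math

# Nominal Compact Disc (Red Book) geometry, assumed here as inputs (not taken from the chapter)
TRACK_PITCH_M = 1.6e-6      # spacing between adjacent turns of the spiral
INNER_RADIUS_M = 25e-3      # start of the program area
OUTER_RADIUS_M = 58e-3      # nominal end of the program area
LINEAR_SPEED_MPS = 1.2      # scanning velocity at the pickup (specified range 1.2 to 1.4 m/s)


def spiral_length_m(r_in, r_out, pitch):
    """Length of a tight spiral of constant pitch between two radii.

    A turn at radius r has circumference 2*pi*r, and there are dr/pitch turns per unit of
    radius, so the length is the integral of 2*pi*r/pitch dr = pi*(r_out^2 - r_in^2)/pitch.
    """
    return math.pi * (r_out ** 2 - r_in ** 2) / pitch


def rpm_for_constant_linear_speed(v, r):
    """Rotation rate (rev/min) that moves the track under the pickup at speed v at radius r."""
    return v / (2 * math.pi * r) * 60.0


def seconds_of_data_per_mm(v, r, pitch, mm=1.0):
    """Playing time stored in a radial band of the given width starting at radius r.

    Data is spaced linearly along the spiral, so a band's capacity is its spiral length / v.
    """
    band_len = spiral_length_m(r, r + mm * 1e-3, pitch)
    return band_len / v


def clv_profile(v=LINEAR_SPEED_MPS, r_in=INNER_RADIUS_M, r_out=OUTER_RADIUS_M, pitch=TRACK_PITCH_M):
    """Summarise what constant linear velocity readout implies for the whole disc."""
    length = spiral_length_m(r_in, r_out, pitch)
    return {
        "spiral_length_km": length / 1000.0,
        "playing_time_min": length / v / 60.0,
        "rpm_inner": rpm_for_constant_linear_speed(v, r_in),   # fastest spin, start of data
        "rpm_outer": rpm_for_constant_linear_speed(v, r_out),  # slowest spin, end of data
        "sec_per_mm_inner": seconds_of_data_per_mm(v, r_in, pitch),
        "sec_per_mm_outer": seconds_of_data_per_mm(v, r_out, pitch),
    }


if __name__ == "__main__":
    for key, value in clv_profile().items():
        print(f"{key:>18}: {value:8.2f}")
```

The outer one-millimetre band holds more than twice the data of the inner one, which is why a drive reading at constant linear velocity must slow from roughly 460 rpm at the start of the data area to under 200 rpm at its end; the playing time that falls out of the same figures is the familiar 74 minutes.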
Figure 8.1 CD-R Construction
This is similar to how all optical media discs are constructed. The differences between different types of discs are:

• CD-R: The dye layer can be written to once.
• CD-ROM: The reflector has the information manufactured into it and there is no dye layer.
• CD-RW: The dye is replaced with multiple layers of different metallic alloys. The alloy is bi-stable and can be changed many times between different states.
• DVD: DVDs are constructed of two half-thickness discs bonded together, even when only one surface contains information. Each half disc contains the information layer 0.6 millimeter (mm) from the surface of the disc.

DVD media consists of two half-thickness polycarbonate discs, each half containing information and constructed similarly to CD media. DVD write-once recordable media uses a dye layer with slightly different dyes than those used for CD-R media, but otherwise is very similar physically. Manufactured DVD media has the information manufactured into the reflector and no dye layer is present. Rewritable DVD media uses bi-stable alloy layers similar to those for CD rewritable media. As seen in Figure 1.1, the differences between manufactured, write-once, and rewritable media are identical between CD and DVD media. The key to all recordable media types is the presence of a reflector with the ability to reflect laser energy. Data is represented by blocking the path to the reflector either by dye or a bi-stable metallic alloy. The bottom of a CD is made of a relatively thick piece of polycarbonate plastic. Alternatively, the top is protected by a thin coat of lacquer. Scratches on the polycarbonate are out of focus when the disc is read, and minor scratches are ignored completely. It takes a really deep scratch in the polycarbonate to affect the readability of a disc. However, even a small scratch in the lacquer can damage the reflector. Scratching the top of a disc can render it unreadable, which is something to consider the next time you place a disc on your desk top-down "to protect it." A DVD has polycarbonate on both sides; therefore, it is difficult to scratch the reflector.
CD Features
There are a number of distinct areas on the surface of a CD or DVD. Moving from the inside to the outside of the disc, the following areas are illustrated in Figure 8.2:
• A  Spindle hole
• B  Clamping ring
• C  Stacking ring
• D  Mirror band
• E  Beginning of data area
• F  End of data area, slightly inside the outer edge of the disc
Figure 8.2 Areas on a CD or DVD
Figure 8.3 Batch Number on a CD-R
The CD standard has specific measurements for all of these areas; approximately 99 percent of CDs (manufactured or recordable) meet these standards. DVD measurements are similar to those for CDs and are considered identical.
The stacking ring is used to keep the surfaces of discs separate when stacked on a spindle. Without the stacking ring, the lacquer surface of one disc would adhere to the polycarbonate surface of the one above it. This is especially true in high humidity environments. The stacking ring and proper alignment of stacked discs are important for transporting discs. Some manufactured CDs contain identification in the mirror band, which identifies the contents of the disc. In the case of recordable or rewritable media, this is a batch number or a date code. This number is of limited value to forensic examiners, because it does not uniquely identify the disc and generally does not clearly identify the manufacturer of the disc. When marking discs for identification purposes, it is suggested that you avoid the data area of the disc and place such markings in the clamping ring area. Using solvent-based markers in the data area can dissolve the lacquer and destroy the reflector.
CD Sizes and Shapes
CDs and DVDs come in a variety of sizes and shapes. The following are the standard sizes:
• 120mm/4.72 inches
• 80mm/3.15 inches
• Business card
Business card discs have a data area slightly smaller than that found on 80mm discs, and are rectangular in shape with either square or rounded ends. Technically, these are not specified in the standards; however, they are fairly common. Some retail stores sell recordable business card-size discs. After the initial introduction of CDs, it was found that discs could be machined into different sizes after manufacture. The variety of shapes that can be found is as wide as your imagination; one creative machining company produced a CD in the shape of a rooster. At this point, it is rare to find other sizes of DVDs; however, it is possible to produce them. The only critical aspect is the balance of the disc, to prevent vibration as the disc is read. A high-speed drive may rotate the disc at speeds above 5,000 Revolutions Per Minute (RPM); any slight imbalance causes vibration and noise.
CD and DVD Types
Choosing the right type of disc depends on a number of factors, including the quantity of data being recorded, any additional data that must be added in the future, and how long the data must be accessible. Not all users can read a DVD as easily as a CD. Therefore, for compatibility with the largest number of users, writing data to a CD makes the most sense. Because DVD recordable and rewritable discs are physically more robust than CD-R and CD-RW discs, this can be an important consideration. The choice between write-once and rewritable media is not as simple as it seems. Rewritable CD-RW discs hold less data (i.e., approximately 570 megabytes [MB] instead of 700MB when used with most applications). Additionally, all rewritable media (CD and DVD) have significant problems over long periods of time. Chances are that information written to a rewritable disc may not be readable six months or a year after the disc has been written. If the data has value after six months, using rewritable media is not recommended. Transferring data from one computer to another or short-term backups are ideal uses for rewritable media. Permanent archives, family photographs, and other such applications should only be written to write-once media. Choosing between DVD-R and DVD+R discs should be guided by the intended use of the disc. There is some evidence that DVD-R discs are more compatible with consumer DVD recorders than DVD+R discs; however, there are consumer players that will only read DVD+R discs. DVD-R discs are often the best choice for compatibility if the disc being produced contains data files. Early DVD-ROM drives can generally read DVD-R discs but are incapable of reading DVD+R discs. DVD writers that only write DVD+R/RW discs will read DVD-R discs.
CD and DVD Colors
CD-ROM discs and audio CDs are typically manufactured with clear polycarbonate and an aluminum reflector; however, this is not the only possibility. When the Sony Playstation® was originally released, all of its discs were black (opaque to visible light, but transparent to the IR laser light used to read the disc).
When CD-R discs originally appeared, the reflector was always gold and the dye added a greenish cast to the data side (or bottom) of the disc. However, today CD-R discs can be found with silver or gold reflectors and various dye colors that give the data side of the CD-R disc anything from a green tint to a yellow tint to a blue tint and various other shades of these colors. The specific colors are dependent on the dye formulation being used. There are a number of different dyes and many possible changes in exact formulation that give rise to the number of different colors. Some CD-R discs have a silver reflector and a very faint yellow dye. Under some conditions, these discs are nearly indistinguishable to the human eye from manufactured CD-ROM or CD audio discs. Memorex® released black CD-R discs that were inspired by the Sony Playstation® discs. CD-RW discs generally have a silver reflector and a dull silver data side. DVD-R discs originally had a silver reflector and a purplish tint on the data side. Today, DVD-R and DVD+R discs come in a wide variety of colors with different dye formulations. Nearly all of the reflectors for DVD-R and DVD+R are silver. DVD-RW discs appear similar to CD-RW discs, with a silver reflector and a dull silver data side. DVD+RW discs come in a variety of colors, but most have a silver reflector and a dull silver data side. Some can be hard to tell apart from manufactured DVD-ROM discs. The reasons for all of the different color dyes and reflectors are primarily cost, performance, and licensing. Today, there are no really expensive dyes in use, because a small difference in cost per disc adds up when you are producing millions of discs; over half a billion recordable discs are used each year. The performance of a dye is directly related to how the disc can be written in terms of speed and laser power. It is also a factor in the longevity of a disc. Finally, licensing terms affect this, because the dyes have been patented. The cost difference between a lower cost license and a higher cost license can be significant depending on the number of discs being manufactured.
Silk screened labels are not exclusive to manufactured discs; it is common to silk screen CD-R blanks. Some software product distribution discs in retail packaged software products are silk screened CD-R blanks that have been duplicated with the last session left open. This means that the discs can be added to. It used to be easy to tell a recordable disc from a manufactured disc. Today, media comes in a wide variety of colors. Similarly, manufacturers have a slightly different motivation; some are producing discs that intentionally appear to be manufactured discs. Unless you have a lot of experience with such discs, it is not safe to assume that an investigator can tell the difference between a recordable disc and a manufactured disc. It is recommended that you do not attempt to exclude discs from being collected as evidence based on their appearance. Creating a policy of "collect everything" ensures that less experienced people are not faced with decisions regarding which discs to collect.
CD-R Dyes
The original development of CD-R discs required a bi-stable dye that could be changed from transparent to opaque by a laser. The first CD-R manufacturer, Taiyo Yuden, met this requirement by developing and patenting a cyanine organic dye. Cyanine refers to a family of organic polymethine dyes that were originally formulated in 1856 for use in photography and spectroscopy. The term "organic" in this case refers to the use of chains of carbon and hydrogen atoms in the dye. The dye formulation that Taiyo Yuden created remains transparent until an IR laser heats it, at which point it changes color and becomes less transparent, thereby resulting in recordable CD media. CD-R technology began in the early 1990s and Sony released the first CD recorder in 1993. Although the estimated life of the original cyanine organic dye was approximately 10 years, it is not clear if this was actually tested. Discs that were recorded in 1995 are still readable if they have been kept away from heat and UV light. Since then, additional types of dyes have been developed, some with different properties. Dye developments have also allowed recording speeds to increase, with dyes that are far more sensitive than the original. It is often claimed that phthalocyanine dye is more stable than the original cyanine, and has a life of 100 years. While some testing has been done regarding this, it is unclear whether phthalocyanine dye actually achieves its claimed 100-year life. The following table summarizes the types of dyes and their visible characteristics. They are listed in the order they appeared in CD-R media.
[Table: CD-R dye types and their visible characteristics, in the order they appeared in CD-R media; the table body is not recoverable from this copy.]
"Formazan" is a hybrid cyanine/phthalocyanine dye that was developed by Kodak. The appearance of the data side of a CD-R depends on the combination of dye color and reflector color. Thus, a blue dye and a gold reflector results in a green appearance on the bottom of the disc. DVDs exhibit similar characteristics, but the dye formulations are not usually disclosed by the manufacturers. While CD-R technology was jointly shared between Sony, Philips, and Taiyo Yuden in the early 1990s, the recordable media market has become far more competitive. Today a small change in dye formulation can make a difference in writing speed or other performance characteristics, and is therefore of significant benefit to media manufacturers. The result is that there is less sharing of information about DVD dyes than there is for CD-R dyes.
Information Storage on CDs and DVDs
The information on manufactured discs is represented by pits and lands. Extremely tight focusing of the laser is used to differentiate between different heights of the reflector in the disc. The reflection from a land is in focus and in phase, whereas the reflection from a pit is out of phase. CD and DVD drive optics are designed to detect these differences. Recordable media replaces physical pits with organic dye (such as cyanine) that can be made opaque (or less transparent) by the application of heat. Instead of the light being reflected differently, there is a distinct contrast between a land on a recordable disc, where the light is reflected strongly, and a pit, where the light is reflected less strongly. The similarity between an out-of-focus/out-of-phase pit and an opaque spot allowed CD recordable media to be read by CD-ROM drives and audio players, even though those players were designed long before recordable media existed. Rewritable media uses a slightly different technique, since the organic dye is a one-way transformation from transparent to opaque. Instead, a metallic alloy is used that has two states: crystalline and amorphous. In the crystalline state the alloy is more reflective than in the amorphous state; therefore, it can be used in the same manner as the pits and lands or organic dye. The difference is that additional laser power can "anneal" the alloy to return it to the crystalline state. Therefore, a drive that can be used with rewritable discs has three separate power levels: read, write, and erase. Rewritable discs typically have one-third the reflectivity of write-once recordable media. However, the contrast difference between a pit and a land on rewritable media is similar. Adjustments to drives in order to read rewritable discs were primarily to the sensitivity during reading. Drives that could automatically cope with the adjustments could read rewritable media, but those that could not were unable to read rewritable media.
When a disc is read, each transition from land to pit or from pit to land is represented as a binary 1. The spacing between these transitions fills in binary 0s between the 1s and is represented by the length of a pit or land. Pits and lands come in nine sizes from 3T to 11T, where T is one channel clock period. The ability of digital systems to measure time precisely allows for the determination of exactly how many binary 0s occur between each binary 1 transition. Decoding this time, which is the length of a pit or land, is how the data on the disc is read. Encoding on a disc uses 14 bits to represent each 8 data bits. Each 14-bit group must have its 1 bits separated by two or more 0 bits, and no run of 0 bits may be longer than ten. This encoding is called Eight-to-Fourteen Modulation (EFM). The spacing of the 1 bits in the EFM encoding preserves the clocking of the data by not allowing either too long or too short a run of binary zeros. The translation from EFM encoding back to data bytes when reading the disc is done with a simple lookup table where each legal pattern of 14 "raw" bits from the disc has a corresponding 8-bit data byte. (This was designed circa 1980, when 8-bit 1 MHz microprocessors were common.) Complex signal processing was not required for reading CDs and is not required for reading DVDs. In the early 1980s, such signal processing was possible but too expensive for wide adoption in consumer electronics devices. Today, such signal processing is more common and less expensive; however, it is not required to read CDs and DVDs.
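The run-length rules described above can be checked in code. The following Python is an added example, not code from the book or from CD/DVD Inspector: it converts pit and land lengths (in units of T) to EFM channel bits and back, rejects lengths outside 3T..11T, and enumerates every 14-bit word that satisfies the "at least two 0s between 1s, no more than ten 0s in a row" constraint. The constant and function names are the example's own.

```python
"""EFM run-length model for pits and lands on CD and DVD media (added example, not from the book)."""
from typing import List

MIN_RUN_T = 3        # shortest legal pit or land, 3T
MAX_RUN_T = 11       # longest legal pit or land, 11T
EFM_WORD_BITS = 14   # channel bits per 8-bit data byte


def _check_run(run: int) -> None:
    if not MIN_RUN_T <= run <= MAX_RUN_T:
        raise ValueError(f"run of {run}T is outside the {MIN_RUN_T}T..{MAX_RUN_T}T limits")


def runs_to_channel_bits(runs: List[int]) -> str:
    """Pit/land lengths in units of T -> channel bits.

    Every edge between a pit and a land is a channel 1; the (length - 1) clock
    periods until the next edge are channel 0s. A 3T pit is therefore "100".
    """
    for run in runs:
        _check_run(run)
    return "".join("1" + "0" * (run - 1) for run in runs)


def channel_bits_to_runs(bits: str) -> List[int]:
    """Inverse of runs_to_channel_bits: a reader times the distance between 1s.

    A spacing outside 3T..11T cannot come from a valid disc and is rejected.
    """
    if not bits or bits[0] != "1" or set(bits) - {"0", "1"}:
        raise ValueError("channel bits must be 0/1 and start on an edge")
    edges = [i for i, b in enumerate(bits) if b == "1"]
    edges.append(len(bits))                  # the last run ends with the stream
    runs = [nxt - cur for cur, nxt in zip(edges, edges[1:])]
    for run in runs:
        _check_run(run)
    return runs


def is_legal_efm_word(word: str) -> bool:
    """A 14-bit word is legal when any two 1s are separated by at least two 0s
    (so neither "11" nor "101" occurs) and no more than ten 0s appear in a row."""
    if len(word) != EFM_WORD_BITS or set(word) - {"0", "1"}:
        return False
    if "11" in word or "101" in word:
        return False
    return "0" * 11 not in word


def legal_efm_words() -> List[str]:
    """Every 14-bit word meeting the constraints; EFM assigns 256 of them to data bytes."""
    return [w for w in (format(n, f"0{EFM_WORD_BITS}b") for n in range(1 << EFM_WORD_BITS))
            if is_legal_efm_word(w)]
```

Running legal_efm_words() yields 267 words; EFM assigns 256 of them to data bytes and leaves the rest unused, which is why decoding can be a direct 14-to-8 lookup with no signal processing. The 256-entry assignment itself is a published table and is not reproduced here.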
CD and DVD Organization and Terminology
It is important to understand the terminology used with this technology. The following is a description of the various terms that you are likely to encounter.
Border Zone
A Border Zone is the area on a DVD that contains the real content of the disc, whether it is data files, music, or videos. It is roughly equivalent to a track on a CD. A manufactured DVD is always composed of a single border zone; however, recordable discs can have multiple border zones. In some documentation, a border zone is also called an RZone. While there is no Table of Contents (TOC) on a DVD, the drive can return information in the form of a TOC by listing border zone information.
Lead In
The lead in serves as a container for the TOC for a session on a CD. Sony-style CD Text information is also recorded in this area. Originally, this area was used to help calibrate the laser and mechanical components of the drive for reading the disc. The first (or only) session on a disc has 7,500 sectors (14.65MB) reserved for the lead in; subsequent sessions have 4,500 sectors (9MB) reserved for the lead in. Using "Disc At Once" recording, the TOC and other lead-in information is written first in this area, whereas with "Track At Once" recording this area is reserved and written after the session is closed. For multi-session recording, a pointer is placed in the lead-in area to indicate the next writable location on the disc. If and when the disc is finalized or closed, this pointer is recorded as either 0 or 24 bits of binary 1s. Both values have the same effect of preventing further information from being added to the disc.
Lead Out
The lead out indicates the end of the CD or the end of a session on the disc. One use of the lead-out area is to tell an audio player to stop playing the disc. This area is made up of a group of sectors written at the end of the session. The lead out for the first session is 6,750 sectors (13.5MB) and all subsequent sessions have a lead out of 2,250 sectors (4MB).
Philips CD Text
Philips developed a technique in 1997 by which lyrics and other information could be stored on audio discs without interfering with the audio samples. Approximately 31MB of data can be stored on a disc using this technique. This is not in common use today, unlike Sony CD Text, which stores only the disc name, artist name, and track titles.
RZone R Z o n e is an alternate term for a border zone.
Sector
Each CD sector contains 2,048 bytes of user data for data tracks and 2,352 bytes of audio samples for audio tracks.
Session
A session is a group of one or more tracks recorded on a CD at the same time. This corresponds to a border zone on a DVD. Multi-session discs have more than a single session; such a disc is usually a user-recorded disc that has been written to multiple times.
Sony CD Text
Sony developed a technique in 1997 by which the album title, artist name, and track titles could be stored in the lead-in area of an audio disc, which allows a maximum of approximately 15KB of data to be stored on a disc. Most commercial audio discs produced by Sony have this, as well as many discs produced by other manufacturers.
TOC
The TOC is recorded in the lead in for a session and contains only limited information: the type of each track (audio or data), the session number, and the starting address of each track. There is one TOC per session; therefore, multi-session discs have several independent TOCs. Unclosed sessions do not have a TOC, which is why an unclosed session cannot be read on a CD-ROM drive. The TOC is, in effect, a list of the tracks on the disc. DVDs do not have a TOC; however, the equivalent information can be constructed from information about border zones.
Track
A track is a single collection of data (audio or video) on a CD. It is common to have multiple (up to 99) tracks on a CD. On a DVD, a border zone (or RZone) is similar to a CD track, with the exception that it is rare to find DVDs with multiple border zones. All manufactured DVDs have only a single border zone.
CD and DVD Sectors
There are several different types of sectors found on CD media. The most basic and original form is CD Audio or CD-DA:
• CD Audio (CD-DA)  2,352 bytes: 588 16-bit stereo audio samples
Technically, audio discs contain "subcode blocks," not sectors. However, since circa 1996, most CD drives and all DVD drives read audio subcode blocks and return the information as a 2,352-byte sector. Each subcode block is composed of 98 frames, and the sectors of the data formats are likewise composed of 98 subcode frames. Aside from the main data, subchannels P through W are available. P and Q have defined purposes and hold information to assist in determining the difference between "gap" and program material (the music) for audio discs, and also hold information such as the time in the current track. Subchannels R through W can be used in several different ways:
• Graphics for CD+G karaoke discs
• Text information for Philips CD-TEXT
• Other information
The next format introduced was CD-ROM Mode 1. Mode 1 was developed in 1988 with the introduction of the CD-ROM format. Each sector also contains 2,352 bytes, but much of that is used for control and error correction information:
12 bytes Sync | 4 bytes Header | 2,048 bytes User Data | 4 bytes EDC | 8 bytes Reserved | 276 bytes ECC
Devices such as CD-i® and the Kodak PhotoCD® player were introduced following Mode 1. Additional features on CDs were required to utilize the technology and the XA format was introduced. XA discs come in two formats: Mode 2 Form 1 and Mode 2 Form 2. The Mode 2 Form 1 sector layout looks very similar to that for Mode 1:
12 bytes Sync | 4 bytes Header | 8 bytes Subheader | 2,048 bytes User Data | 4 bytes EDC | 276 bytes ECC
Mode 2 Form 2 frees up additional space in the sector for greater density, but sacrifices the second level of error correction provided by the ECC data:
12 bytes Sync | 4 bytes Header | 8 bytes Subheader | 2,324 bytes User Data | 4 bytes Spare
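To see how the layouts above look in a raw 2,352-byte read, the following Python (an added example, not the book's or any vendor's code) builds Mode 1, Mode 2 Form 1 and Mode 2 Form 2 sectors, then classifies an arbitrary sector by its sync field, mode byte and XA submode bit, extracts the user data, and checks the 4-byte EDC. The EDC is the ECMA-130 CRC, written here in its reflected form (0xD8018001); the 276 ECC bytes and the 8 reserved bytes are left zero because the example does not model the P/Q parity. The builder and function names are the example's own.

```python
"""Classify raw 2,352-byte CD sectors and verify their EDC (added example, not from the book)."""
from typing import Optional, Tuple

SECTOR_SIZE = 2352
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"   # 12-byte sync field that opens every data sector
FORM2_BIT = 0x20                          # submode bit 5 in the XA subheader marks Form 2


def _edc_table():
    # Reflected form of the ECMA-130 EDC polynomial
    # P(x) = (x^16 + x^15 + x^2 + 1)(x^16 + x^2 + x + 1), register seeded with 0.
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ (0xD8018001 if crc & 1 else 0)
        table.append(crc)
    return table


EDC_TABLE = _edc_table()


def edc(data: bytes) -> int:
    """Error Detection Code as stored (little-endian) in Mode 1 and Mode 2 sectors."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ EDC_TABLE[(crc ^ b) & 0xFF]
    return crc


def _bcd(value: int) -> int:
    return ((value // 10) << 4) | (value % 10)


def header(minute: int, second: int, frame: int, mode: int) -> bytes:
    """4-byte header: BCD minute, second and frame of the sector address plus the mode byte."""
    return bytes([_bcd(minute), _bcd(second), _bcd(frame), mode])


def build_mode1(user: bytes, msf=(0, 2, 0)) -> bytes:
    assert len(user) == 2048
    body = SYNC + header(*msf, 1) + user                  # EDC covers sync, header and data
    # The 8 reserved and 276 ECC bytes are left zero: this example does not compute P/Q parity.
    return body + edc(body).to_bytes(4, "little") + bytes(8) + bytes(276)


def build_mode2(user: bytes, form2: bool, msf=(0, 2, 0)) -> bytes:
    submode = FORM2_BIT if form2 else 0
    subheader = bytes([0, 0, submode, 0]) * 2             # file, channel, submode, coding; repeated
    body = SYNC + header(*msf, 2) + subheader + user
    if form2:
        assert len(user) == 2324
        return body + edc(body[16:]).to_bytes(4, "little")          # EDC covers subheader + data
    assert len(user) == 2048
    return body + edc(body[16:]).to_bytes(4, "little") + bytes(276)  # ECC left zero as above


def classify(sector: bytes) -> Tuple[str, bytes, Optional[bool]]:
    """Return (kind, user data, EDC check). The check is None when the layout carries none."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[:12] != SYNC:
        # CD-DA: 588 stereo 16-bit samples fill the whole block, no sync or header.
        return "CD-DA", sector, None
    mode = sector[15]
    if mode == 1:
        stored = int.from_bytes(sector[2064:2068], "little")
        return "Mode 1", sector[16:2064], edc(sector[:2064]) == stored
    if mode == 2:
        sub = sector[16:24]
        if sub[:4] != sub[4:]:
            raise ValueError("XA subheader copies disagree")
        if sub[2] & FORM2_BIT:
            stored = int.from_bytes(sector[2348:2352], "little")
            ok = None if stored == 0 else edc(sector[16:2348]) == stored   # Form 2 EDC is optional
            return "Mode 2 Form 2", sector[24:2348], ok
        stored = int.from_bytes(sector[2072:2076], "little")
        return "Mode 2 Form 1", sector[24:2072], edc(sector[16:2072]) == stored
    return f"unknown mode {mode}", b"", None
```

A block without the sync field is returned as CD-DA, which is the right default for an audio read; the mode byte is only meaningful when the sync pattern is present, so an examiner should not trust byte 15 of a block that fails the sync check.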
DVD sectors are much simpler, because there was no audio format to build on:
2,048 bytes User Data
DVD sectors are composed of data frames on the physical disc. Information other than the 2,048 bytes of user data is not accessible. A DVD data frame contains 4 bytes of ID, 2 bytes of ID Error Detection code (IED), 6 bytes of copyright management information, 2,048 bytes of user data, and 4 bytes of Error Detection Code (EDC). Sixteen such data frames are assembled into a single 32K ECC block. It is not possible to access DVD data frames or ECC blocks with consumer DVD drives.
R-W Subchannels
CDs can have up to 72 additional bytes of data in the R through W subchannels associated with each sector. For a full 80-minute disc (700MB) this can provide more than 25MB of additional data storage capability. The data stored in the R through W subchannels is invisible to most CD applications; therefore, it does not interfere with other uses. There are two defined uses for this data on audio discs:
• CD+G Graphics for Karaoke Discs  The Red Book standard and its extensions define the content of the R through W subchannel data for playing low-resolution graphics while playing music at the same time. This was originally used to display images on a television synchronized with Karaoke music.
• Philips CD-TEXT  Philips defines the content of the R through W subchannels to provide a means of storing text information with music. The primary application of this was to store the lyrics with the music, but it was never adopted.
Aside from these documented uses, the R through W subchannels can contain any other data that the creator of the disc wants to add. There are standards for how this data can be arranged and still be compatible with various CD+G players and other devices. The R through W subchannels supply bits 5 through 0 in each byte of the 96-byte sector subcode data. The terminology used in the Philips standards documents is as follows:
• Each group of 6 bits (R through W) is called a SYMBOL.
• A group of 24 SYMBOLS is called a PACK.
• A PACKET is composed of four PACKS.
For error correction and detection purposes, the PACK data is interleaved across eight PACKS on the disc. This reduces the effects of physical damage to the disc and allows for better error correction by spreading out the effects of a physical defect across multiple PACKS. Since there are four packs to a sector, de-interleaving all of the packs for a sector requires reading three consecutive sectors. CD/DVD Inspector version 3.0 and later (available from InfinaDyne, www.infinadyne.com) can de-interleave this information and write a file containing all of the R through W subchannel information. This is done on a track-by-track basis using the Copy Sectors tool. Because the R through W subchannel information only stores 6 bits for each symbol, there are two methods by which it can be decoded. The first is to use the standard CD-TEXT 6-bit character set and translate the information to standard American Standard Code for Information Interchange (ASCII). This results in the largest amount of text that can be stored in the R through W subchannel area, but restricts the text to letters, numbers, and some punctuation symbols. The other technique for decoding the R through W subchannel information translates the 24 6-bit symbols into 16 8-bit ASCII characters, which is capable of containing any data. CD/DVD Inspector can also output the 6-bit symbols as is without translation, with or without de-interleaving.
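Extracting the R through W payload from a raw subcode read is a matter of masking and bit repacking. This Python is an added example, not the book's or InfinaDyne's code: it keeps bits 5 through 0 of each of the 96 subcode bytes, groups the resulting 6-bit symbols into four 24-symbol packs, and repacks symbols into bytes (four symbols make three bytes, so a full pack yields 18 bytes and a sector 72). It does not perform the eight-pack de-interleave, whose pattern is given only in Figure 8.4, and it does not reproduce how CD/DVD Inspector arrives at 16 characters per pack. The sample subcode is constructed, not read from a disc.

```python
"""Unpack R-W subchannel symbols from raw CD subcode and repack them as bytes (added example)."""
from typing import List

SUBCODE_BYTES = 96        # subcode bytes per sector once the two sync frames are dropped
SYMBOL_MASK = 0x3F        # R, S, T, U, V, W are bits 5..0 of each subcode byte; P and Q sit above
PACK_SYMBOLS = 24
PACKS_PER_SECTOR = SUBCODE_BYTES // PACK_SYMBOLS   # 4

# Constructed sample, not from a real disc: P and Q set on every byte, R-W counting 0..63.
EXAMPLE_SUBCODE = bytes(0xC0 | (i % 64) for i in range(SUBCODE_BYTES))


def symbols_from_subcode(raw: bytes) -> List[int]:
    """Keep the 6-bit R-W symbol of each subcode byte, discarding the P and Q bits."""
    if len(raw) != SUBCODE_BYTES:
        raise ValueError(f"expected {SUBCODE_BYTES} subcode bytes, got {len(raw)}")
    return [b & SYMBOL_MASK for b in raw]


def packs(symbols: List[int]) -> List[List[int]]:
    """Split a sector's 96 symbols into its four 24-symbol packs in disc order (no de-interleave)."""
    if len(symbols) != SUBCODE_BYTES:
        raise ValueError("a sector carries exactly 96 symbols")
    return [symbols[i:i + PACK_SYMBOLS] for i in range(0, SUBCODE_BYTES, PACK_SYMBOLS)]


def symbols_to_bytes(symbols: List[int]) -> bytes:
    """Concatenate 6-bit symbols MSB-first and cut the result into bytes: 4 symbols -> 3 bytes."""
    if len(symbols) % 4:
        raise ValueError("symbol count must be a multiple of 4 to fill whole bytes")
    out = bytearray()
    for i in range(0, len(symbols), 4):
        a, b, c, d = symbols[i:i + 4]
        if any(not 0 <= s <= SYMBOL_MASK for s in (a, b, c, d)):
            raise ValueError("symbols must be 6-bit values")
        out.append((a << 2) | (b >> 4))
        out.append(((b & 0x0F) << 4) | (c >> 2))
        out.append(((c & 0x03) << 6) | d)
    return bytes(out)


def bytes_to_symbols(data: bytes) -> List[int]:
    """Inverse of symbols_to_bytes: 3 bytes -> 4 six-bit symbols."""
    if len(data) % 3:
        raise ValueError("byte count must be a multiple of 3")
    symbols: List[int] = []
    for i in range(0, len(data), 3):
        x, y, z = data[i:i + 3]
        symbols += [x >> 2, ((x & 0x03) << 4) | (y >> 4), ((y & 0x0F) << 2) | (z >> 6), z & SYMBOL_MASK]
    return symbols


def subcode_to_rw_bytes(raw: bytes) -> bytes:
    """Whole-sector helper: 96 subcode bytes -> 72 bytes of R-W payload (18 per pack)."""
    return b"".join(symbols_to_bytes(p) for p in packs(symbols_from_subcode(raw)))
```

Because the P and Q bits are discarded before repacking, a raw subcode dump can be fed in directly; anything that is CD-TEXT or CD+G would still have to be de-interleaved and decoded with the appropriate character set after this step.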
Figure 8.4 R-W Subchannel Pack De-interleave (diagram of packs 0 through 3 of sectors +0 and +1, symbols 0 through 23; not reproduced)
CD and DVD Differences
The principal difference between CD and DVD media is density. CD media is designed to be read with a 780 nanometer (nm) laser and the physical features on a disc are 1 to 1.5 wavelengths in width. Alternatively, DVD media is designed to be read with a 630-650 nm laser and the physical features are correspondingly smaller (see Figures 8.5 and 8.6).
Figure 8.5 CD Media at 30,000x
Figure 8.6 DVD Media at 30,000x
Note that the spacing of the pits and lands does not change across the radius of the disc. This means there is more information stored at the outer edge than there is at the inner edge. The track pitch is the distance between the "wraps" of the spiral. CDs can have a track pitch from 1,500 to 1,700 nm, or about two wavelengths. As detailed above, CD media is organized into subcode blocks that contain 2,352 bytes. Each subcode block consists of 98 contiguous frames containing synchronization (SYNC) and subcode information (including addressing), user data, and two levels of Cross-Interleaved Reed-Solomon Code (CIRC) that detects and corrects errors in both audio and data discs. Some CD-ROM data formats contain an additional Reed-Solomon Product Code (RS-PC) that detects and corrects severe errors that are beyond the capability of the frame-level CIRC.
Conventional data discs use the additional RS-PC; however, more specialized discs (e.g., Video Compact Discs [VCDs]) do not use RS-PC in order to take advantage of the additional space in the data sectors. This allows more bytes per second to be transferred to the computer. While it is convenient to think of CD media as being broken up into sectors, it is misleading when talking about the low-level organization of a disc, because there is a considerable amount of interleaving of sector data. To minimize the effects of physical damage, the data is stored with redundancy over a large physical area and a single sector's worth of data is spread over the distance of three sectors. This is both a positive and a negative aspect. It helps minimize the effects of physical damage to the disc; however, when a sector is damaged beyond the ability of the redundancy to correct it, three sectors are rendered unreadable. DVD media was not built on a foundation of audio players as is the case with CD-ROM technology. There is a single data format on DVD media and all sectors contain 2,048 bytes of error-corrected data. To reduce the overhead that is present on CDs, DVDs use a different mechanism whereby 16 data frames are grouped together in a single ECC block. Each data frame contains a 2,048-byte user data sector as well as some control information. This reduces the overhead considerably without sacrificing the error-correction capabilities. It implies that a DVD drive is reading and buffering at least 16 data frames (or user data sectors) at a time, whereas early CD-ROM drives would read and buffer only a single sector at a time. The result is that DVDs have significantly more capacity than they would if the same methods used for CDs were applied.
CD-ROM Manufacturing Process
CD-ROM and CD audio discs are manufactured by creating a glass master disc, which is then mechanically reproduced to form stamped polycarbonate discs. Aluminum is then deposited on the stamped surface to reflect the laser. The aluminum is protected by a thin coating of lacquer, usually cured by UV rays from a high intensity Xenon flash lamp. The glass master is made in much the same way as a printed circuit board or integrated circuit mask. A piece of glass is coated with a photosensitive compound, which is then exposed to a laser in much the same way a recordable disc is written to. The actual machine is called a laser beam recorder, and differs from a consumer writer in one very important aspect: the glass master is blank when the process starts. Consumer "blank" recordable discs are not really blank before they are used.
They contain a spiral pattern that the consumer writer follows to write the data. This spiral pattern is called a pre-groove. After the laser beam recorder has exposed the photosensitive compound on the glass master, the glass master is "developed" using a solution of sodium hydroxide, which washes away the areas that were exposed to the laser. This forms tiny pits in the surface in a spiral pattern, which become the information on the final disc. This is identical to the process used to create printed circuit boards. The glass master is then placed into a vacuum chamber where a molecules-thick layer of silver is deposited onto the disc. This is then called a metalized glass master. The metalized glass master is then immersed in a tank of nickel sulfamate where an electroforming technique is used to deposit a layer of metallic nickel onto the silver surface of the disc. This takes approximately two hours, and when complete, the nickel is removed from the disc and becomes the father disc. The father disc is a negative (reverse) impression of what is used to form the disc. The father disc is then put back into the electroforming tank where another layer of nickel is deposited. After approximately two hours, this new layer of nickel is removed from the father disc, resulting in the mother disc, which is used to create stampers. Stampers are made from the mother disc, and are used to form the final polycarbonate discs. The term "stamper" is inherited from the phonograph record industry; vinyl records were stamped whereas CDs and DVDs are injection molded. Polycarbonate is taken in the form of small beads and heated in an injection molding machine with the stamper. The result is a 120mm (4.72-inch) disc that has the pits and lands impressed on one side. This polycarbonate disc is then coated with a very thin layer of aluminum on the side with pits and lands. This is done with a vacuum deposition technique called sputtering (or metallization). A coating of clear lacquer or sealant is then put over the aluminum to protect it. The disc is then ready to have a label silk-screened onto it. Recordable discs are manufactured in a similar manner, only a layer of dye is put down before the reflector and gold or silver is used instead of aluminum. Rewritable discs are made the same way, only multiple vacuum deposition steps are used to get the layers of metallic alloy. Both write-once recordable and rewritable discs have a pre-groove, which is stamped into the polycarbonate. This pre-groove is a sine wave pattern that the writer can follow to maintain tracking on the disc when writing. In addition to providing a path for the laser to follow, this pre-groove has information encoded into it using frequency and phase modulation. The effect is a change in the spacing of the curve (see Figure 8.7).
Figure 8.7 Frequency-modulated Pre-groove
The information in the pre-groove for C D - R discs is the time coding along the spiral from 0 to 63, 74 or 80 minutes. This information is called Absolute Time in Pre-Groove (ATIP). For C D - R W discs, this was expanded on to include other information about the disc such as the laser power level that is suggested for writing and the minimum and maximum speeds for writing. For DVD media, a combination of dedicated areas on the disc as well as ATIP is used to present information about the disc to the writer.
Inside a CD-ROM Drive
Figure 8.8 illustrates how the actual mechanism in a CD-ROM drive (or other similar device) functions. It is interesting to note that the mechanism used in a 1982 audio player is very similar to that used in a current DVD+/- writer.
Figure 8.8 CD Optics (component labels: laser diode, diffraction grating, polarizing beam splitter, collimator lens, quarter-wave plate, focusing lens, actual focal point, concave lens, cylindrical lens, photodetector array, disc)
The laser diode is a small electronic part that emits light in the IR spectrum when an electric current is passed through it. The first step is to pass this through a diffraction grating, which acts as a filter to isolate only the correct frequency. While the laser itself is brightest at the center frequency (i.e., 780 nm for CDs, 650 nm for DVDs), there are other frequencies present. The transmission diffraction grating removes all but the center frequency of the laser. The polarizing beam splitter then divides the laser into multiple beams. One is the reference beam, which is directed towards the photodetector array. Three other beams are directed through the remaining optics and to the disc. The main center area is used to read the data, while two smaller areas straddle the center area and are used to maintain radial tracking. The collimator lens, quarter-wave plate, and focusing lens are used to focus these three areas on the disc. The actual focal point is below the surface of the disc where the pits and lands that make up the data content of the disc are located. Focus is maintained by moving the focusing lens to account for minute differences in the disc shape and distance from the sled. After being reflected by the disc, the three areas are reflected back through the lenses and towards the photodetector. The four areas (three from the disc and one reference) are then used to control tracking and focus with the use of four photodetectors in an array. All of the optical components described above are contained on the sled, which is the part that is moved to access the disc. The laser diode, lenses, and beam splitter are all contained here, as well as coils for moving the focusing lens. The same tracking technique is used when writing, where the main area is writing data and the two smaller areas are used to maintain tracking and read the pre-groove on a recordable disc. Figure 8.9 shows a close-up of the sled assembly.
As you can see, there is a large flexible cable connecting the sled to the circuit board, which carries signals from the photodetector and to the laser and focusing coil. The two silver rails are the guides along which the sled moves as it accesses the full radius of the disc. It is moved along the rails by the tracking motor.
Figure 8.9 Sled Assembly
As can be seen in Figure 8.9, the sled (or laser pickup assembly) is a relatively small part of the overall device. It is moved across the surface of the disc by the tracking motor while the disc drive motor or spindle motor rotates the disc.
Figure 8.10 Inside a CD-ROM Drive
As mentioned previously, the spacing of the lands and pits remains constant across the surface of the disc. CD audio players and early CD-ROM drives were designed to maintain a constant rate of information being read from the disc, which requires the rotation of the disc to be controlled to correspond to the radius where the lens is placed. The disc rotates more slowly when the lens is positioned at the outer edge than when the lens is close to the center. This requires the spindle motor to be more closely controlled than in other devices such as floppy disks or hard drives, which rotate at a constant speed. The technique of accessing the disc in this manner is called Constant Linear Velocity (CLV). The data passing by the laser is kept at the same speed even when there is more data present at the outer edge of the disc. At the same time that the CD drive read speed exceeded 14x, a different technique for reading discs appeared called Constant Angular Velocity (CAV), where the disc is rotated at the same speed regardless of the positioning of the laser. This forces the drive electronics to adjust for the different data rates as the laser is moved across the radius of the disc. When writing to the disc, a modification of this technique called Zoned CAV is often implemented, where the disc is rotated at several different fixed speeds depending on the radius the laser is positioned at. This limits the amount of variation in the data rate that the drive electronics have to adjust for. In modern drives there is usually one additional motor, which opens and closes the tray or otherwise moves the disc in and out of the drive. This is not available for notebook drives or for smaller CD and DVD players.
External Interfaces
All current computer CD and DVD drives have two interfaces: digital data/control bus and analog audio. Sometimes a drive has both. These drives also often have a front-mounted headphone jack as well as a rear-facing analog output connector. The audio interfaces are active when the drive is playing an audio track under either manual or computer control. Today, most drives have ATA Packet Interface (ATAPI) or Serial ATA (SATA) connections only. Adapters to convert between this and other interfaces such as SATA, FireWire, Universal Serial Bus Version 2 (USB2), or Small Computer System Interface (SCSI) are common. Along with the gradual phasing out of the parallel ATA interface, it is expected that there will be more SATA drives in the future. This will lead to bridge adapters that will convert this interface to FireWire and USB2. While the highest performing interface today is still SCSI, there are no CD or DVD drives that implement any of the high-performance SCSI interfaces. Nor is there any real need for this, because the maximum data rate for CD and DVD drives is far below the capabilities of these implementations. This could change with BluRay and DVD HD drives, but it is unlikely that there will be a resurgence of SCSI in the near future. Native implementations of SATA and FireWire 800 without adapters are the choice for high-performance devices in the future. The data interface for a drive has little effect on the data transfer rate (or speed) of the drive. This was only a problem with USB 1.1 drives, which were limited to a maximum data rate of about 6x. Today's data interfaces significantly outperform the ability of the drive to read from the media. The performance of the parallel IDE bus is more than adequate when used with modern DMA implementations. Some people believe that the FireWire interface is superior to USB2 for data transfer, because of higher speed and/or better negotiation on the bus. While this may be important for hard drives that can reach a significantly greater transfer rate, it is not important for CD and DVD drives with lower data transfer rates.
Drive Firmware
It is important to understand the complexity of reading CDs and DVDs. There is a significant amount of processing that is done by the drive, between reading the pits and lands from the disc and sending data to the computer. This differs significantly from how hard drive and floppy disk data is treated, where only a small amount of post-processing is required. Floppy disk controllers in the late 1970s and early 1980s were constructed with discrete logic chips where individual gate-level integrated circuits were assembled together on a circuit board. While today a single chip accomplishes this task, the actual processing performed has not changed significantly. The first CD-ROM drive that was sold to consumers had 4K to 8K of firmware controlling the operation of the drive. Much of the processing was accomplished by a Large Scale Integration (LSI) chip that was custom made for decoding CD data. The amount of circuitry involved was between 10 to 100 times that of a floppy disk controller. Originally, CD writers had 64K to 128K of firmware on masked ROM (not upgradeable) chips. Today a DVD+/- writer has as much as 8 MB or 16 MB of firmware on flash memory chips, which can be upgraded by the end user. This allows for changes and bug fixes after the drive has been released. With this much firmware, bugs occur regardless of the amount of testing done by the drive manufacturer.
The drive firmware is a specialized program that controls the functioning of the drive and interacts with the LSI chip that decodes the pit and land information from the laser. There is no provision for feeding the raw information back to the computer directly; everything has to go through the drive firmware. This means that whatever limitations are built into the drive firmware are limitations as to what can be done with the disc in the drive. There is no way to bypass this. Some people have attempted to construct mechanisms by which CDs can be read without a drive and without these limitations. To date, there has been little success in this area with CDs, and none with DVDs outside of specialized university projects.
CD and DVD Logical Structure
The logical structure of a Compact Disc (CD) or a Digital Versatile Disc (DVD) involves various writing techniques and the logical organization of data within a file system.
Writing to a CD or DVD
Writing to a CD or DVD can be done using any of the following writing strategies:
• Track-at-once: The most common form of CD recording for data discs.
• Disc-at-once: The most common way to create audio discs and DVDs.
• Incremental Recording or Packet Writing: Used with drag-and-drop writing software. This is also the most common way for non-movie DVDs to be recorded.
Incremental recording (or packet writing) is often confused with the Universal Disk Format (UDF) file system. UDF can be written using any of the writing methods listed above, and incremental recording can be used with any file system. Track-at-once refers to writing a track and then turning off the laser, which forces a break in the sector encoding, thereby resulting in two unreadable sectors on the disc. A gap (usually 150 sectors in length) is then written, which inserts 2 seconds of silence between each track. The Table of Contents (TOC) is constructed from the track information, and is written automatically when the writing session is closed. Disc-at-once writes the TOC first, and then writes each track. There is no gap between tracks and no unreadable sectors are created, thus allowing complete control of the TOC.
Incremental recording allows you to sequentially write small amounts of data to a disc without the 150-sector gap. It is commonly used for drag-and-drop writing software, which allows you to use write-once and rewritable media. There is some overhead with incremental recording on Compact Disc Recordable (CD-R) and Compact Disc ReWritable (CD-RW) media. This overhead consumes 7 sectors for each "packet" of information. In general, 7-sector packets are the size of a CD-R media file, and CD-RW media files are a fixed size of 16 sectors (32 KB). Most software uses 16-sector packets on DVD rewritable media. There are no packet boundaries on write-once DVD media; thus, it is difficult to determine the size of a packet. Multiple sessions can be recorded with any of these recording techniques; however, it is unusual for Disc-at-once to be used for multiple sessions. Disc-at-once is called "Session-at-once" when used with multi-session recording. All writing to optical media is done using the same laser that is used for reading, except at a higher power level. The laser changes the dye from transparent to opaque, or changes the metallic alloy in rewritable media from crystalline to amorphous or amorphous to crystalline. A change to the dye is a one-way irreversible change, whereas metallic alloy can be changed between its two states an average of 1,000 times. When either Track-at-once or incremental writing is used, write-once media can be used multiple times. While theoretically it is possible to write over an area that was previously written to, drive firmware does not allow it, because it would result in an unreadable disc. The primary use of rewritable media is with incremental writing; however, it can also be written using Track-at-once or Disc-at-once. After the disc is formatted, you can replace a single packet anywhere on that disc.
While two passes were originally required to erase and replace the original data, today a single-pass rewrite is possible, which allows existing information to be overwritten directly, fully replacing the existing data. Recovering data from a rewritable disc is not possible once a full erase has been performed, because there is no data written in inter-track spaces. A full erase consists of writing over the entire surface of the disc, leaving no traces of the previous data. This is different from the quick erase operation, which leaves the data on the disc intact. An unmodified consumer drive cannot access the data on a quick-erased disc, but a modified drive can. (Instructions on how to modify a drive are located in Appendix A.)
The technique for using a modified drive is to place a different disc in the drive that is as close to the subject disc as possible. In most cases, this different disc must be completely formatted for use with drag-and-drop writing software; however, you do not have to use the same software as was used for the subject disc. Place the formatted disc into the modified drive and use the magnetic spindle clamp to secure it. Press the drive tray button to open and close the tray, to inform the drive that a disc change has occurred. Wait until the disc has stopped spinning and then replace it with the subject disc. Be sure to put the magnetic spindle clamp back on the disc.
Logical File Systems
A file system is a mechanism for partitioning and allocating space to individual files, and provides the means to identify and access files. File Allocation Tables (FATs) and New Technology File Systems (NTFSes) are commonly used with PC hard drives. The purpose of a file system is to provide a generic mechanism to store files. These file systems do not define the contents of the files. While it is possible to use FATs and NTFSes for rewritable CDs and DVDs, they are not optimized for the unique characteristics of rewritable media; they are designed for hard drives and other media that do not incur a penalty for repeatedly rewriting the same sectors. For manufactured and write-once discs, FATs and NTFSes are not suitable because of the read-only nature of the media. The file systems that are used on CDs and DVDs are completely separate from those used on hard drives. When CD-ROMs were first released, there were some specialized discs that did not use any standard file system. These were mostly used in "vertical market" applications such as automobile repair and aircraft maintenance. The standard file system for CDs is called ISO-9660 and was defined in 1989. The standard file system for DVD discs is called UDF, which is part of an ongoing standards process that began in 1996. Some software for writing DVD discs only writes UDF, while others write UDF and ISO-9660. The actual specifications for DVD video and DVD audio discs require that you use a restricted form of UDF (version 1.01) and ISO-9660 simultaneously. Macintosh computers can use either ISO-9660 discs or their own Hierarchical File System (HFS) and HFS+ format discs, which are the same file systems that are used on hard drives. CDs were originally used for storing and playing audio.
For this purpose, it was not necessary to name the songs, and the technology at the time did not provide reasonable ways for consumer electronics devices to display song titles.
Therefore, the first file system used on CDs was a collection of tracks pointed to by the TOC. Beginning with Windows 95, Microsoft began showing tracks on audio CDs as if they were files on a disc; thus files were called Track 1.cda, Track 2.cda, and so on. These files are created by Windows and do not actually hold the audio information on the disc. Instead, they contain the control information that enables the Windows CD player application to play the track when double-clicked. It is important to understand that there are no files or file systems on an audio disc. There is only the track data that the TOC provides pointers to. In 1997, Sony and Philips defined CD Text, which allows for storing textual information on audio CDs. However, even with this information, these audio discs do not contain a file system. Philips CD Text information stores lyrics within the audio track information, using the same space that is used for Karaoke graphics. Sony CD Text information is stored in the lead-in area, and consists of the album, the artist, and the track names. Sony CD Text is commonly used on Sony discs and on home-created audio discs. Philips CD Text is not used today. Another difference between hard drives and CD and DVD drives is the lack of partitions. When PC-based hard drives were first introduced and MS-DOS 2.0 was released, a partition table was defined to identify separate areas on the disk that could be used for different purposes. With CD media, a single CD contains single-purpose information. Even without a partition table, it is possible to store multiple file systems on a single CD or DVD, because each file system has the ability to use different areas of the disc to point to the file system control information.
Additionally, on a multi-session disc, each session can contain different file systems; however, incompatible structures such as Compact Disc - Read Only Memory (CD-ROM) and Compact Disc Read-Only Memory/Extended Architecture (CD-ROM XA) cannot be present on the same disc. The High Sierra Group (HSG) file system (defined between 1985 and 1987) was the first file system designed for CDs. The original Microsoft CD EXtension (MSCDEX) program supported both HSG and ISO-9660 format discs. ISO-9660, which was adapted from HSG and adopted as a standard in 1988, was the first widely accepted CD file system intended to be used by any computer that a CD-ROM drive could attach to (e.g., all numeric data is represented in both big-endian and little-endian forms, which are compatible with Intel and Motorola processors). ISO-9660 replaced HSG completely; no applications for creating HSG discs remain.
American Standard Code for Information Interchange (ASCII) 8-bit file names are allowed with ISO-9660. However, for increased interoperability, file names are restricted to 8 characters with a 3-character extension (commonly known as "8 dot 3"), which mirrors many minicomputer and microcomputer operating systems (OSes) of the 1980s. MSCDEX did support some non-Western languages (e.g., Japanese and Chinese), which was dependent on a technique called Multi-Byte Character Set (MBCS) and required inserting special "shift" codes into file names. This support was unique to Microsoft. In 1995, ISO-9660 was enhanced with the addition of the Joliet file system, which allows for 16-bit Unicode character file names with a maximum of 64 characters. The Joliet file system more readily supports character sets such as Japanese and Chinese, because each character is assigned a unique code. Support for Joliet and Unicode character file names is standardized and is present in OSes other than Windows. The UDF file system was defined in 1996, and supports Unicode character file names of up to 255 characters. It also supports files that are more than 4 GB in size (a limitation of ISO-9660 and Joliet). Due to this limitation, UDF was the default choice for DVD media. Today, the first version of UDF is still used for DVD video and DVD audio discs. The Macintosh platform has used the HFS file system since the inception of the Macintosh computer. During OS 8, the HFS+ file system was defined, which extends HFS by adding 255-character Unicode file names. The Macintosh platform is unique in that the same file system is used for both hard drives and optical media. Although the HFS and HFS+ file systems are not ideal for CDs and DVDs, they make creating discs easier than on PCs running Windows.
CD and DVD File Systems
The following table indicates the types of file systems that are on CDs and DVDs.

Type         Platform       Long File Names?   Large Files (Over 4GB)   Typical Use
Red Book     All            N/A                N/A                      Audio
HSG          All            No                 No                       Early CD-ROM
ISO-9660     All            No                 No                       Data files
Joliet       Windows        Yes                No                       Data files, Unicode file names
Rock Ridge   Linux          Yes                No                       Data files
HFS          Mac            No (31 chars)      Yes                      Macintosh
HFS+         Mac            Yes                Yes                      Macintosh, Unicode file names
UDF          Windows/Mac    Yes                Yes                      Windows, Macintosh, DVDs, Unicode file names
In the chart above, "All" refers to conventional PC-type computers as well as other systems, such as embedded control systems (e.g., HVAC, elevators, and so on) and UNIX-based minicomputers. The following describes each of these file systems in more detail.
Red Book Audio
Red Book Audio is defined by the Philips/Sony "Red Book" standard (also known as IEC 908), and is the specification that all audio CDs follow. The first version of this standard appeared as part of the patent on CD technology in 1982. It does not define a file system as such, because audio CDs do not have files; they have music tracks. In the original specification, tracks are identified by a number from 1 to 99. In 1997, Sony released an extension of this specification that defined a method by which text information could be stored on the disc to further identify tracks by name. This began to fulfill some of the requirements for a file system, but remains extremely primitive. Sony and other record labels use the Sony definition of CD Text, which is also supported by many home CD recording tools. Each track contains subcode blocks of 588 stereo 16-bit audio samples, which are played at 44.1 kHz. Each subcode block represents 1/75th of a second of playing time.
Part of the original Red Book standard was Compact Disc + Graphics (CD+G), which was a way to display graphics on a television while playing a music CD. The graphics are low-resolution (240 x 320) and can only be drawn slowly, but are suitable for displaying Karaoke lyrics on a screen while music is playing. This information is stored in the R through W subchannels associated with the audio samples. For each subcode block of 588 samples, there is a total of 96 bytes of graphics information. In 1997, Philips defined an extension to this specification to store textual information on the disc. This information is placed in the same R through W subchannels that are used for CD+G graphics and has the same limitations; only approximately 30 MB of information can be stored with audio.
HSG
The HSG formulated the first definition of a file system for CD-ROM discs, which was viewed as a major step for standardization, because previously there was no standard file system, which meant that CD-ROMs could not be produced for multiple computer platforms. The original support for CD-ROMs for the Microsoft Disk Operating System (MS-DOS) included support for both HSG and ISO-9660 discs. HSG is still supported by Windows 95; however, it is very difficult to find an HSG format CD-ROM today.
ISO-9660
ISO-9660 was adapted from the original HSG definition in 1988, and adopted as an international standard under the International Standards Organization (ISO). The principal differences between the two are the inclusion of time zone information and additional identification fields. The European Computer Manufacturer's Association (ECMA) standard 119 is an exact copy of the ISO-9660 standard; however, unlike the ISO-9660 standard, it can be downloaded from the ECMA Web site for free at www.ecma-international.org. ISO-9660 is currently the most widely supported file system interchange standard, and is supported by most computers and other systems with CD drives (e.g., an elevator control system with a CD-ROM drive probably supports the ISO-9660 file system). This is generally true even when a proprietary or real-time operating system is being used. All personal computers since 1990 support the ISO-9660 file system. The ISO-9660 file system is designed for the 8-bit ASCII character set. Some attempts have been made by Microsoft and others to support the use of alternate character sets, but this is not part of the standard and has differing levels of success when used in non-Microsoft environments. There are only three structures that define the ISO-9660 file system: the volume descriptor, the path table, and the directory entry. The volume descriptor must be located at the 16th sector from the beginning of the track and points to all other structures. This means that for the first session on a disc starting at sector zero, the volume descriptor is located in sector 16. For a session starting at sector 40526, the volume descriptor is located at sector 40526 + 16 (or 40542). The volume descriptor contains many important data items (e.g., the date the disc was created, and an area that can be filled in with an application identifier). If the hex digits 01 43 44 30 30 31 01 are in the contents of sector 16, there is an ISO-9660 file system on the disc. If the ISO-9660 file system is present, then the creation date of the disc is present as 17 characters at offset 814 (32E in hex), in the form of:
• 4-digit year
• 2-digit month
• 2-digit day of month
• 2-digit hour of day
• 2-digit minute
• 2-digit seconds
• 1-digit tenths of a second
• 1-digit hundredths of a second
• 1-byte time zone offset from Greenwich Mean Time (GMT) in 15-minute increments. This can be positive or negative.
This time is always "local," reflecting the time zone that was set on the computer when the disc was created. Offset 575 (23F in hex) for 128 bytes is the application identifier. Many CD writing applications insert information here to indicate the software that created the disc. The root directory consists of a list of directory entries concatenated together in one or more sectors. The beginning sector number is at offset 160 (A0 in hex) in the volume descriptor as a 4-byte integer in little-endian format. The length of the root directory is at offset 168 (A8 in hex) as a 4-byte integer in little-endian format. By convention, the ISO-9660 file names are limited to 8 characters, with a 3-character extension separated by a period. Directory names are not allowed to have extensions. Not all writing software respects these limits, and some can extend the file name to as many as 212 characters. File names only use upper-case letters, numbers, and a small number of special characters. Again, not all writing software respects this, so it is not unusual to find an ISO-9660 file system with lower-case letters in the file names. ISO-9660 files must be less than 4 GB in size; however, this is often restricted by writing software to less than 2 GB. This limitation of ISO-9660 restricts the usefulness of DVD media. This is not a factor for DVD video and DVD audio discs, because the maximum file size is limited to less than 1 GB for those formats. The directory entries for ISO-9660 contain the last time the file was modified. Because the ISO-9660 file system is not intended to be updated, the creation time of the file on the disc is always equal to the last modified time and no last access time is recorded. Until the advent of drag-and-drop recording, it was unusual to find an ISO-9660 file system where all of the files were not stored in a single contiguous range of sectors. While fragmentation is provided for in the ISO-9660 specification, it is rarely done. Currently, only drag-and-drop writing software creates fragmented files in ISO-9660 file systems. This is significant for forensic examiners because, even in cases where part of a disc has been destroyed, your ability to recover the contents of the remainder of the disc is excellent.
Even without a directory, just examining the disc for file headers on sector boundaries is usually good enough to recover most common file types (e.g., Microsoft Office documents, digital photographs, and others). Using some type of "data carving" tool on the content of the disc should be sufficient for this.
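The sector-boundary header scan described above, as an added example that is not from the book: it walks a disc image in 2048-byte sectors, reports every sector that begins with a well-known file signature, and, relying on the contiguity of mastered files, carves each file as the run of sectors up to the next header. The image it scans is constructed inline (zeroed "unreadable" system and descriptor sectors followed by a JPEG and a PDF).

```python
# Added example, not from the book: carve contiguous files from an ISO image whose
# directory is unreadable by looking for file headers on 2048-byte sector boundaries.
SECTOR = 2048

# Well-known leading bytes of common file types (magic values, not page-specific data).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office-openxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2/legacy-office",
    b"\x89PNG\r\n\x1a\n": "png",
}


def find_headers(image, first_lba=0):
    """Return (lba, kind) for every sector, from first_lba on, that starts with a
    known signature. Only sector starts are tested, which is what makes the scan
    cheap and what the contiguity of mastered ISO-9660/Joliet files justifies."""
    hits = []
    for lba in range(first_lba, len(image) // SECTOR):
        head = image[lba * SECTOR:lba * SECTOR + 8]
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((lba, kind))
                break
    return hits


def carve(image, first_lba=0):
    """Carve each detected file as the sectors from its header up to (not including)
    the next header, or to the end of the readable image. Because the writer pads
    the last sector of a file with zeros, trailing zero bytes are stripped; a file
    whose real content ends in zero bytes would lose them, so a production carver
    would also check footers (e.g. FF D9 for JPEG) or recorded sizes."""
    hits = find_headers(image, first_lba)
    carved = []
    for i, (lba, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image) // SECTOR
        data = image[lba * SECTOR:end * SECTOR].rstrip(b"\x00")
        carved.append((lba, kind, data))
    return carved


def build_sample_image():
    """Constructed image: 16 system sectors plus 2 descriptor sectors, all zeroed as
    if unreadable, then a JPEG spanning two sectors and a PDF occupying one."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 2500 + b"\xff\xd9"   # 2506 bytes
    pdf = b"%PDF-1.4\n" + b"x" * 100 + b"\n%%EOF"           # 115 bytes

    def pad(blob):
        return blob + bytes(-len(blob) % SECTOR)             # zero-fill to a sector

    return bytes(18 * SECTOR) + pad(jpeg) + pad(pdf)


if __name__ == "__main__":
    for lba, kind, data in carve(build_sample_image()):
        print(f"sector {lba}: {kind}, {len(data)} bytes")
```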
Joliet
Joliet is an extension of ISO-9660 that was defined by Microsoft for the Windows 95 operating system and uses a parallel directory structure to enable both standard ASCII file names and longer Unicode file names. The definition of the Joliet extension specifically addresses using up to 64-character Unicode file names and removing the restriction on a maximum directory depth of eight levels. Some writing software extends this further to allow the file name to be over 100 characters in length, which appears to function correctly with current versions of Windows. The volume descriptor for Joliet is required to be in a sector following the ISO-9660 volume descriptor in sector 16; usually in sector 17, 18, or 19. The first 8 bytes of this sector contain the hex values 02 43 44 30 30 31 01. The same fields that are defined for the ISO-9660 volume descriptor in sector 16 are also found in this descriptor. The application identifier, consisting of 64 16-bit Unicode characters, is located at offset 575 (23F in hex) for 128 bytes. This content can be considerably different from that in the ISO-9660 volume descriptor. Directory entries that are used for Joliet and ISO-9660 are almost identical. The only difference is that the file names are composed of 16-bit Unicode characters rather than 8-bit ASCII characters. The number of files and the content of the files are usually identical between the ISO-9660 and Joliet directory structures. Most writing software does not support having different content, only changing the content of the file names to correspond to the requirements for the different file systems. However, this is not always the case. It is easy to create a disc with different content using freely available tools such as the "mkisofs" program. The result is that it is important to treat the separate directory structures as separate file systems. Discs using the Joliet file system have characteristics similar to the ISO-9660 file system discs, in that the files are almost always contiguous. This means that even without directory information available, it is possible to recover all of the files from those areas of the disc that are readable.
Rock Ridge

In 1993, the System Use Sharing Protocol (SUSP) was defined for supporting extensions to ISO-9660. A specific implementation of this protocol is "Rock Ridge," which extends the ISO-9660 file system to support Portable Operating System Interface (POSIX) attributes (e.g., user and group ID, permissions, and symbolic links for files). Rock Ridge also supports unlimited-length file names. POSIX is not commonly used today, because only Linux is considered to be a mainstream POSIX-compliant OS. Other POSIX-compliant OSes are Solaris from Sun Microsystems, Advanced IBM UNIX (AIX) from IBM, and Hewlett-Packard UNIX (HP-UX) from Hewlett-Packard. Windows NT used to have a POSIX subsystem, but it has been discontinued. The mkisofs program and its derivatives are the usual source of discs written with Rock Ridge extensions. Commercial UNIX systems also use Rock Ridge extensions, and have disc-writing software specific to individual manufacturers.

SUSP extensions are identified by two-letter codes, and each file or directory can have as many extensions as needed. The most common Rock Ridge SUSP extensions are NM (NaMe) and PX (PosiX). SUSP and Rock Ridge extensions are ignored by Windows and Macintosh OSes; the underlying Berkeley Software Distribution (BSD) core of OS X may be capable of using Rock Ridge extensions. Discs with Rock Ridge extensions are mastered by software that writes the files in a contiguous manner. Therefore, even without a valid directory, it is possible to separate the files based on header information.

Each SUSP extension has a two-character identifier followed by the length of the extension. The complete list of defined extension codes and their meanings is shown below.

Code  Description
AA    Apple extensions
CE    Continuation of extension data
CL    Child link
ER    Extension reference
ES    Extension selector
NM    Alternate (long) name
PD    Padding field
PL    Parent link
PN    POSIX device number
PX    POSIX file attributes
RE    Relocated directory
SF    File data in sparse format
SL    Symbolic link
SP    SUSP indicator
ST    SUSP terminator
TF    Additional POSIX time stamps
If you are manually examining an ISO-9660 directory structure with Rock Ridge extensions, the most important extension types are CE, NM, and TF. CE extensions are not usually present, but should be recognized because they point to continued data in other sectors. The format of a CE extension is:

Field          Size     Value
Signature      2 bytes  "CE"
Length         1 byte   28
Version        1 byte   1
Sector number  8 bytes  sector containing the continuation area
Offset         8 bytes  byte offset of the continuation area within that sector
Length         8 bytes  length of the continuation area in bytes

The sector number, offset, and length are all expressed as combined big-endian and little-endian values with the little-endian value first. Each occupies 8 bytes; thus a value of 100 appears (in hex) as 64 00 00 00 00 00 00 64. The format of an NM extension is:

Field            Size         Value
Signature        2 bytes      "NM"
Length           1 byte       Len
Version          1 byte       1
Flags            1 byte       see below
Name characters  Len-5 bytes  the name, or one part of it

If bit 0 (hex 01) is set in the flags, the name is continued in the next NM extension entry. Bits 1 and 2 (hex 02 and 04) indicate that the name applies to the "." and ".." directory entries, respectively. The remainder of the flags are either reserved or not significant. The format of a TF extension is:

Field           Size         Value
Signature       2 bytes      "TF"
Length          1 byte       Len
Version         1 byte       1
Flags           1 byte       see below
Timestamp data  Len-5 bytes  one timestamp for each flag bit that is set

The flags specify which timestamps are present:

Bit  Timestamp
0    Creation timestamp is present
1    Modification timestamp is present
2    Last access timestamp is present
3    Attribute change timestamp is present
4    Backup timestamp is present
5    Expiration timestamp is present
6    Effective timestamp is present
7    Timestamps are in long (17-byte) form

When multiple flags are set, the timestamps are recorded in the extension in the order listed above. If bit 7 of the flags is not set, the short 7-byte binary form of the timestamp is present, YMDHMSZ (year, month, day, hour, minute, second, zone), where the year is counted from 1900 and the zone is a signed offset from GMT in 15-minute intervals. If bit 7 of the flags is set, the long 17-byte form of the timestamp is present, which is YYYYMMDDHHMMSSTHZ in character form (four-digit year through seconds, two digits of hundredths of a second, and the same one-byte zone).

For forensic purposes, it can be assumed that if Apple extensions are not present, a Macintosh user program did not create the disc. An exception to this is some OS X programs that operate at the "native" BSD level. In any event, these would not be considered ordinary Macintosh user programs. The description of the SUSP extensions is in the Institute of Electrical & Electronics Engineers (IEEE) P1281 SUSP document (see SUSP112.doc). Rock Ridge extensions are documented in the IEEE P1282 Rock Ridge Interchange Protocol (RRIP) document (see RRIP112.doc). Both of these documents can be downloaded from the InfinaDyne public File Transfer Protocol (FTP) server at ftp://ftp.cdrprod.com/pub.
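The CE, NM, and TF layouts above are enough to write a small decoder for the System Use area of a directory record. The Python below is an added example, not code from the book or from CD/DVD Inspector; the System Use area it decodes is constructed for the demonstration (the names, IDs, and dates are invented). It splits the area into entries, joins an NM name that is continued across two entries by way of flag bit 0, decodes the both-endian fields of PX and CE (refusing to guess when the little-endian and big-endian copies disagree, which is what a damaged sector looks like), and converts both the 7-byte and the 17-byte timestamp forms, including the zone byte.

```python
import struct
from datetime import datetime, timedelta, timezone


def both_endian(buf, off):
    """Decode an ISO-9660 both-byte 32-bit field (little-endian copy, then the
    big-endian copy).  A mismatch indicates damage, so refuse to guess."""
    le = struct.unpack_from("<I", buf, off)[0]
    be = struct.unpack_from(">I", buf, off + 4)[0]
    if le != be:
        raise ValueError("both-endian mismatch at offset %d: %d != %d" % (off, le, be))
    return le


def susp_entries(area):
    """Split a System Use area into (signature, version, payload) tuples, stopping
    at ST, at zero padding, or at a length that would run off the end."""
    entries, pos = [], 0
    while pos + 4 <= len(area):
        if area[pos] == 0:
            break
        sig = area[pos:pos + 2].decode("ascii", "replace")
        length, version = area[pos + 2], area[pos + 3]
        if length < 4 or pos + length > len(area):
            break
        entries.append((sig, version, bytes(area[pos + 4:pos + length])))
        pos += length
        if sig == "ST":
            break
    return entries


def short_time(b):
    """7-byte binary form: year since 1900, month, day, hour, minute, second,
    signed GMT offset in 15-minute units.  All zeros means 'not recorded'."""
    if not any(b[:6]):
        return None
    year, month, day, hour, minute, second = b[:6]
    zone = struct.unpack("b", b[6:7])[0]
    return datetime(1900 + year, month, day, hour, minute, second,
                    tzinfo=timezone(timedelta(minutes=15 * zone)))


def long_time(b):
    """17-byte character form: YYYYMMDDHHMMSS, two digits of hundredths, zone byte."""
    text = b[:16].decode("ascii")
    zone = struct.unpack("b", b[16:17])[0]
    dt = datetime.strptime(text[:14], "%Y%m%d%H%M%S")
    return dt.replace(microsecond=int(text[14:16]) * 10000,
                      tzinfo=timezone(timedelta(minutes=15 * zone)))


TF_FIELDS = ("creation", "modification", "access", "attribute_change",
             "backup", "expiration", "effective")          # TF flag bits 0-6, in order


def decode_rock_ridge(area):
    """Interpret the NM, PX, TF and CE entries of one directory record's System Use area."""
    result = {"name": "", "name_complete": True, "times": {}, "continuation": None}
    name = b""
    for sig, _version, payload in susp_entries(area):
        if sig == "NM":
            flags = payload[0]
            if flags & 0x02:
                name = b"."
            elif flags & 0x04:
                name = b".."
            else:
                name += payload[1:]
            result["name_complete"] = not (flags & 0x01)   # bit 0 set: more NM (or a CE) follows
        elif sig == "PX":
            result["mode"] = both_endian(payload, 0)
            result["nlink"] = both_endian(payload, 8)
            result["uid"] = both_endian(payload, 16)
            result["gid"] = both_endian(payload, 24)
        elif sig == "TF":
            flags, pos = payload[0], 1
            size = 17 if flags & 0x80 else 7
            for bit, field in enumerate(TF_FIELDS):
                if flags & (1 << bit):
                    stamp = payload[pos:pos + size]
                    result["times"][field] = long_time(stamp) if size == 17 else short_time(stamp)
                    pos += size
        elif sig == "CE":
            result["continuation"] = {"sector": both_endian(payload, 0),
                                      "offset": both_endian(payload, 8),
                                      "length": both_endian(payload, 16)}
    result["name"] = name.decode("utf-8", "replace")
    return result


# Helpers to build a constructed System Use area (demonstration data, not a real disc).
def make_entry(sig, payload, version=1):
    return sig + bytes([4 + len(payload), version]) + payload


def encode_both(value):
    return struct.pack("<I", value) + struct.pack(">I", value)


def short_stamp(year, month, day, hour, minute, second, zone=0):
    return bytes([year - 1900, month, day, hour, minute, second]) + struct.pack("b", zone)


SAMPLE_SYSTEM_USE = (
    make_entry(b"SP", b"\xbe\xef\x00")
    + make_entry(b"NM", b"\x01" + b"very_long_rock_ridge_")     # flag bit 0: name continues
    + make_entry(b"NM", b"\x00" + b"filename.txt")
    + make_entry(b"PX", encode_both(0o100644) + encode_both(1) + encode_both(1000) + encode_both(1000))
    + make_entry(b"TF", b"\x07" + short_stamp(2006, 3, 15, 10, 30, 0, -20)   # creation (GMT-5)
                                + short_stamp(2006, 3, 15, 10, 30, 0, -20)   # modification
                                + short_stamp(2006, 3, 16, 8, 0, 5, -20))    # last access
    + make_entry(b"CE", encode_both(100) + encode_both(0) + encode_both(2048))
)
```

The `continuation` result is what an examiner follows next: the CE entry here says that further extension data lives at sector 100, byte 0, for 2,048 bytes, and `encode_both(100)` reproduces exactly the 64 00 00 00 00 00 00 64 byte pattern quoted in the text.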
UDF

The Optical Storage Technology Association manages the development of the UDF standard, which is an ongoing process that began with the release of the UDF 1.0 specification in 1995. This specification is an outgrowth of the development of the ISO 13346 standard. The only PC file system for optical media that is completely updatable is UDF. Even on write-once media, the deletion of files is supported. This is a significant difference from the other file systems previously described.

UDF is part of the definition of the DVD video and DVD audio disc formats. It is also used in digital cameras that record directly to CDs, stand-alone DVD recorders, and DVD camcorders. The first consumer exposure to UDF was in 1997 with the release of CD-RW drives that could write incrementally using a technique called packet writing. Unfortunately, in the beginning, much of the UDF writing software did not have good error recovery, which led to a negative impression of packet writing in general. The situation has not improved much since 1997. It is common to find UDF discs that have "lost" files or directories and UDF discs with serious logical errors in the file system. Often, these discs are unreadable using the original software and Microsoft Windows.

UDF file systems can utilize either 8- or 16-bit characters for file names, thus reducing space requirements when ASCII file names are used. Multi-byte characters are not used with UDF; therefore, there can be compatibility issues with Microsoft Windows versions 95, 98, 98SE, and ME. File names can be up to 255 characters regardless of the character set being used. There is also no limitation on the depth of the directory structure. However, if an excessively deep directory structure is used, there are serious performance issues on optical media.

Files can have multiple timestamps under UDF (e.g., a full set of created, last modified, and last accessed times are available). For rewritable media, this gives an accurate last access time for each file. The last access time is generally not updated for write-once media, but it can be, depending on the writing software.

There are many different versions of UDF, and not all of them are compatible with each other. For example, the version required for DVD video discs is 1.02, which limits files to a maximum of 1 GB in size. This limitation does not exist with other versions of UDF, which limit files to 2^64 - 1 bytes in length. Other aspects of UDF change between versions; therefore, it is important either to use software that is independent of the specific UDF version or to have the correct reader software installed on your computer. Files can be fragmented for all versions other than 1.02. This means that the content of the file can be placed in more than a single range of sectors on the disc. This is important for forensic users, because nearly all CDs written using other file systems have contiguous files.

UDF uses a complicated set of descriptors to identify the volume and point to the information that defines it. The "anchor" for a UDF volume is a sector known as the Anchor Volume Descriptor Pointer (AVDP). This sector is identified by the hex bytes 02 00 in its first 2 bytes (a descriptor tag identifier of 2); bytes 12 through 15, the last 4 bytes of the 16-byte descriptor tag, hold a little-endian integer equal to the sector number, which must match the sector in which the AVDP was actually found. The AVDP can be found in any of a number of areas on a disc:

• Sector 256
• Sector 512
• Last written sector on the disc
• Last written sector on the disc - 256
• 256 sectors after the beginning of the track
• 512 sectors after the beginning of the track

Once the AVDP has been found, offset 16 (10 hex) holds the length (in bytes) and then the starting sector number of the main volume descriptor sequence. This sequence serves the same purpose as sector 16 on an ISO-9660 file system and describes the file system. There are several important values in this area that should be formatted using a forensic disc examination tool:

• The date and time when the disc was initially created. This is not the date and time when the content was written to the disc, because most UDF writing software supports incrementally adding files to the disc after it has been formatted.
• An application identifier that says which application created this UDF file system.
• The name given to the disc when it was formatted. This may be different from what is displayed by Microsoft Windows, and may reflect a different intent for the disc than the more up-to-date name shown by Windows.

For forensic examiners, it must be clarified that while files can be deleted on write-once media, the actual file is not deleted; it just drops from the directory structure. Given the potentially fragmented nature of files, it is not a simple matter to use a data-carving tool to locate deleted files on the disc. Forensic software that supports the UDF file system must be capable of searching out these deleted files and reestablishing them for the user to access.

On rewritable media, it is possible for the writing software to reuse space originally occupied by a deleted file. However, there is a very low limit on the number of times a particular spot on rewritable media can be updated; usually an average of 1,000 times. This means that if a user keeps updating a file (i.e., writing to it, deleting it, and writing to it again) it would quickly wear out that area on the disc. The result is that it is unusual to find UDF writing software that will reuse deleted space on a disc before all of the never-used space has been used once. This serves to maximize media life, and is an important consideration for the authors of disc-writing software. For forensic examiners, this is a significant advantage over hard drives, because until the user fills the entire disc, nothing will be overwritten and the entire history of the content of the disc is available.

It is rare to find contiguously recorded files on UDF discs. Just examining file headers generally will not produce valid, intact files. You must use a forensic tool specifically designed to handle UDF discs, especially when there are problems with the file system. If you do not use such a tool, you are going to have a difficult time processing discs using the UDF file system.
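The AVDP search described above can be automated, and doing so shows why the sector-number check matters. The Python below is an added example, not code from the book or from any product it mentions. It treats a read function that returns None for unreadable sectors as the disc, tries the candidate sectors in turn, and accepts a sector only if the tag identifier is 2, the tag checksum (the sum of tag bytes 0 through 3 and 5 through 15, modulo 256, stored in byte 4) matches, and the recorded tag location equals the sector the data was read from. It then returns the main and reserve volume descriptor sequence extents that the AVDP points to. The two constructed AVDP sectors (one deliberately damaged) are demonstration data, not real disc contents.

```python
import struct

SECTOR = 2048
TAG_AVDP = 2


def tag_checksum(tag):
    """Descriptor tag checksum (ECMA-167): sum of tag bytes 0-3 and 5-15, modulo 256."""
    return (sum(tag[:4]) + sum(tag[5:16])) & 0xFF


def parse_tag(sector):
    """Decode the 16-byte descriptor tag at the start of a UDF descriptor sector."""
    tag = sector[:16]
    ident, version = struct.unpack_from("<HH", tag, 0)
    return {"id": ident, "version": version,
            "location": struct.unpack_from("<I", tag, 12)[0],   # bytes 12-15 of the tag
            "checksum_ok": tag[4] == tag_checksum(tag)}


def avdp_candidates(last_sector, track_starts=(0,)):
    """The sectors where UDF writers place the AVDP, in a sensible search order."""
    cands = [256, 512, last_sector, last_sector - 256]
    for start in track_starts:
        cands += [start + 256, start + 512]
    ordered = []
    for c in cands:
        if 0 <= c <= last_sector and c not in ordered:
            ordered.append(c)
    return ordered


def find_avdp(read_sector, last_sector, track_starts=(0,)):
    """Return the first candidate that passes all three checks (tag id 2, valid
    checksum, tag location equal to the sector it was read from), together with
    the main and reserve volume descriptor sequence extents it points to.
    read_sector(n) returns 2,048 bytes, or None for an unreadable sector."""
    for n in avdp_candidates(last_sector, track_starts):
        data = read_sector(n)
        if data is None or len(data) < 32:
            continue
        tag = parse_tag(data)
        if tag["id"] != TAG_AVDP or not tag["checksum_ok"] or tag["location"] != n:
            continue
        main_len, main_loc = struct.unpack_from("<II", data, 16)   # extent_ad: length, then location
        res_len, res_loc = struct.unpack_from("<II", data, 24)
        return {"avdp_sector": n,
                "main_vds": {"sector": main_loc, "length": main_len},
                "reserve_vds": {"sector": res_loc, "length": res_len}}
    return None


def build_avdp(sector_no, main_loc=32, res_loc=48, vds_len=16 * SECTOR, corrupt=False):
    """Construct an AVDP sector for the demonstration (not data from a real disc)."""
    s = bytearray(SECTOR)
    struct.pack_into("<HH", s, 0, TAG_AVDP, 2)
    struct.pack_into("<I", s, 12, sector_no)
    struct.pack_into("<II", s, 16, vds_len, main_loc)
    struct.pack_into("<II", s, 24, vds_len, res_loc)
    s[4] = tag_checksum(s[:16]) ^ (0xFF if corrupt else 0)
    return bytes(s)


LAST_SECTOR = 1023
# Constructed disc: the copy at sector 256 is damaged, the copy at the last sector is
# intact, and every other sector is treated as unreadable.
SAMPLE_SECTORS = {256: build_avdp(256, corrupt=True), LAST_SECTOR: build_avdp(LAST_SECTOR)}


def sample_read(n):
    return SAMPLE_SECTORS.get(n)


if __name__ == "__main__":
    print(find_avdp(sample_read, LAST_SECTOR))
```

On a real image, `read_sector` would wrap the image file or the drive, `last_sector` comes from the track information, and `track_starts` lists the first sector of each data track so that the track-relative candidates are also tried. Rejecting a candidate whose tag location does not match the sector it came from is what keeps a stale AVDP copied from an earlier session, or stray data that merely starts with 02 00, from being mistaken for the anchor.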
HFS

This file system was originally incorporated into the Apple Macintosh OS version 2.1 in September 1985, and is one of the few cases where a hard drive file system was implemented for optical media directly.

The original way to create an HFS CD-ROM disc in the late 1980s and early 1990s was to copy the data to an external hard drive that was between 500 MB and 1 GB in size, being careful not to exceed the capacity of a CD (650 MB at the time). This disk was set up with the exact content that the CD-ROM would have. The hard drive content was then copied to tape for mastering the CD-ROM. This technique was replaced by Macintosh-specific CD mastering software such as the Astarte Toast program.

HFS supports 31-character file names using the ASCII character set. No provision for characters outside of the ASCII character set exists. HFS has been updated with HFS+, which provides for longer, non-ASCII file names. Since this is a hard drive file system, files can be fragmented. Depending on how the disc was created, the amount of fragmentation can be considerable. In general, however, if the disc is mastered in the usual way, there will be no fragmentation on the disc. Even though this file system was defined in 1985, it was designed to manage large files that exceed 4 GB; therefore, there is no limitation on using this file system for DVD media or larger-capacity discs. Each file has a complete set of created, last modified, and last accessed timestamps. These times are expressed as big-endian binary integers giving the number of seconds since January 1, 1904, in local time.

Unfortunately, HFS is not well suited for optical media. It has fixed knowledge of 512-byte sectors built into it. This means that each CD or DVD sector contains four 512-byte HFS sectors. Additionally, file allocations are done based on allocation blocks, which can be any power-of-2 multiple of 512. On CD and DVD media, 2,048-byte allocation blocks are possible, but 4,096 and 8,192 are common. Due to the multiple sector and block sizes, it is difficult to examine an HFS file system with just a hex display of the sectors.

HFS has a limited amount of text information in the file system control structures. The name of the disc is contained in the Master Directory Block, which is found in sector 0 (in the third 512-byte HFS sector, at byte offset 1,024). Also in sector zero are the Partition Maps, which contain the name of the software that created the disc. It is unusual but possible to find a multi-session HFS disc. The Macintosh system does not treat multi-session discs the same way that Microsoft Windows does; therefore, the usefulness of such discs is limited. The most common HFS discs in the USA are AOL discs that contain ISO-9660, Joliet, and HFS file systems. All of these are contained in track 1 of the disc.

Some forensic software can process HFS CDs and DVDs. Since the software for creating discs that have only the HFS file system on them is not common for the Microsoft Windows or Linux environments, these discs are generally restricted to users with Macintosh computers.
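The Master Directory Block and the allocation-block geometry just described can be decoded from CD sector 0 alone. The Python below is an added example, not code from the book or from any forensic product; it reads the MDB at byte 1,024 (512-byte HFS sector 2), the partition map entries in the 512-byte sectors before it, converts the 1904-based timestamps, and maps an H FS allocation block to the 2,048-byte CD sector and byte offset where a hex viewer would have to look. The sector it parses is constructed for the demonstration, with an invented volume name, partition name, and dates. It also serves the allocation-block discussion under Space Allocation later in the chapter.

```python
import struct
from datetime import datetime, timedelta

CD_SECTOR = 2048
HFS_SECTOR = 512
HFS_EPOCH = datetime(1904, 1, 1)       # HFS dates count seconds from here, in local time

MDB_FIELDS = ("created", "modified", "attributes", "file_count", "bitmap_start",
              "alloc_ptr", "alloc_block_count", "alloc_block_size", "clump_size",
              "alloc_block_start", "next_cnid", "free_blocks")


def hfs_time(seconds):
    """Convert a big-endian HFS date (unsigned seconds since 1904-01-01) to a datetime."""
    return HFS_EPOCH + timedelta(seconds=seconds) if seconds else None


def parse_mdb(cd_sector0):
    """Parse the Master Directory Block, which lives in 512-byte HFS sector 2,
    i.e. at byte 1,024 of CD sector 0."""
    mdb = cd_sector0[2 * HFS_SECTOR:3 * HFS_SECTOR]
    if mdb[0:2] != b"BD":
        raise ValueError("no HFS signature 'BD' at byte 1024 of sector 0")
    values = struct.unpack_from(">IIHHHHHIIHIH", mdb, 2)     # drCrDate .. drFreeBks
    info = dict(zip(MDB_FIELDS, values))
    info["created"] = hfs_time(info["created"])
    info["modified"] = hfs_time(info["modified"])
    name_len = min(mdb[36], 27)                              # drVN: Pascal string, max 27 chars
    info["volume_name"] = mdb[37:37 + name_len].decode("mac_roman")
    return info


def parse_partition_map(cd_sector0):
    """Read the Apple partition map entries that fit inside CD sector 0
    (512-byte sectors 1-3), returning (name, type) pairs."""
    entries = []
    for i in range(1, CD_SECTOR // HFS_SECTOR):
        pm = cd_sector0[i * HFS_SECTOR:(i + 1) * HFS_SECTOR]
        if pm[0:2] != b"PM":
            break
        name = pm[16:48].rstrip(b"\x00").decode("mac_roman")    # pmPartName
        ptype = pm[48:80].rstrip(b"\x00").decode("mac_roman")   # pmParType
        entries.append((name, ptype))
    return entries


def alloc_block_to_cd_sector(mdb, block):
    """Map HFS allocation block `block` to (CD sector, byte offset within it).
    Allocation blocks start at 512-byte sector drAlBlSt, which need not align
    with the 2,048-byte CD sectors that a hex viewer shows."""
    byte_offset = mdb["alloc_block_start"] * HFS_SECTOR + block * mdb["alloc_block_size"]
    return divmod(byte_offset, CD_SECTOR)


def build_sample_sector0():
    """Constructed CD sector 0 for the demonstration (not taken from a real disc)."""
    s = bytearray(CD_SECTOR)
    # One partition map entry in 512-byte sector 1.
    s[512:514] = b"PM"
    struct.pack_into(">I", s, 516, 1)            # pmMapBlkCnt
    s[528:536] = b"Evidence"
    s[560:569] = b"Apple_HFS"
    # Master Directory Block in 512-byte sector 2: 4,096-byte allocation blocks
    # starting at 512-byte sector 33, so blocks straddle CD sector boundaries.
    created = int((datetime(2006, 3, 15, 10, 30) - HFS_EPOCH).total_seconds())
    s[1024:1026] = b"BD"
    struct.pack_into(">IIHHHHHIIHIH", s, 1026, created, created + 3600,
                     0x0100, 12, 3, 0, 600, 4096, 4096, 33, 100, 50)
    name = b"Evidence Vol"
    s[1060] = len(name)
    s[1061:1061 + len(name)] = name
    return bytes(s)


SAMPLE_SECTOR0 = build_sample_sector0()

if __name__ == "__main__":
    mdb = parse_mdb(SAMPLE_SECTOR0)
    print(mdb["volume_name"], mdb["created"], parse_partition_map(SAMPLE_SECTOR0))
    print("allocation block 5 lives at CD sector/offset", alloc_block_to_cd_sector(mdb, 5))
```

With a 4,096-byte allocation block and an allocation area beginning at 512-byte sector 33, block 5 begins 512 bytes into CD sector 18 rather than on a sector boundary; this is the arithmetic an examiner has to do before a hex display of a CD sector means anything for an HFS volume.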
HFS+

The HFS file system was extended to HFS+ with the introduction of Mac OS 8.1 in January 1998. HFS+ file names extend to a maximum of 255 characters, and are stored in Unicode rather than 8-bit ASCII characters. HFS+ moves the name of the disc from the Master Directory Block to the top level of the directory tree. Unfortunately, this is not easy to find; therefore, determining it without software to interpret the HFS+ file system is not practical.
El Torito

The El Torito standard closely interacts with file systems. El Torito was originally defined as a way for computers (not just PC-type machines) to be able to boot from CD-ROM discs. Prior to this, booting was restricted to floppy diskettes and hard drives. What El Torito does is define a set of control structures so that it is possible to have a single CD-ROM disc bootable on many different hardware architectures. This means that a single disc can be booted on both PCs and Macintosh computers, as long as all of the required information is present for both platforms.

The El Torito standard requires sector 17 to contain the boot record volume descriptor, which points to the booting catalog, which in turn points to bootable images. These images can be emulated floppy diskettes, emulated hard drives, or a memory image. Each entry in the booting catalog refers to a specific hardware platform (e.g., Intel x86, PowerPC, Macintosh, and so on). For each platform, there can be one or more bootable entries as well as additional non-bootable entries. The non-bootable entries can, in theory, be used as a primitive file system by the bootable programs. A bootable entry then identifies the emulated media type, the starting sector of the image, and the number of sectors in the image. This is then used when booting from the emulated image in the same way a real floppy diskette or hard drive is booted. Non-emulated entries are handled differently and do not make a portion of the disc appear as a drive. Instead, the entire image is brought into memory.

The result is that it is relatively easy to take a bootable floppy diskette, transfer the files to a CD-R, and be able to boot from the copy on the CD-R. Many different writing programs assist with doing this, and provide the ability to read in a floppy diskette and place it into a disc image. Because it is common to find computers without floppy disk drives, this can be extremely helpful.
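The chain of structures just described (boot record volume descriptor in sector 17, booting catalog, bootable entries) is short enough to decode directly, and the Python below does so. It is an added example, not code from the book or from any product it mentions; the catalog it parses is constructed (the ID string, sector numbers, and platforms are invented). It verifies the validation entry, whose sixteen 16-bit words must sum to zero and which must end in the key bytes 55 AA, reads the default entry, and then walks any additional section headers, reporting the platform, emulation type, load segment, sector count, and starting sector of each image.

```python
import struct

SECTOR = 2048
PLATFORMS = {0x00: "80x86", 0x01: "PowerPC", 0x02: "Mac", 0xEF: "EFI"}
MEDIA = {0: "no emulation", 1: "1.2 MB floppy", 2: "1.44 MB floppy",
         3: "2.88 MB floppy", 4: "hard disk"}


def boot_catalog_sector(sector17):
    """Return the boot catalog sector from the boot record volume descriptor, or None."""
    if sector17[0] != 0 or sector17[1:6] != b"CD001":
        return None
    if sector17[7:30] != b"EL TORITO SPECIFICATION":
        return None
    return struct.unpack_from("<I", sector17, 0x47)[0]


def validation_ok(entry):
    """Validation entry: header 0x01, key bytes 0x55 0xAA, all 16 words sum to zero."""
    return (entry[0] == 0x01 and entry[30] == 0x55 and entry[31] == 0xAA
            and sum(struct.unpack("<16H", entry)) & 0xFFFF == 0)


def boot_entry(e, platform):
    """Decode one 32-byte default or section entry."""
    segment = struct.unpack_from("<H", e, 2)[0]
    return {"platform": platform, "bootable": e[0] == 0x88,
            "media": MEDIA.get(e[1] & 0x0F, "unknown"),
            "load_segment": segment or 0x7C0,                    # 0 means the traditional 0x7C0
            "system_type": e[4],
            "sector_count": struct.unpack_from("<H", e, 6)[0],   # 512-byte virtual sectors to load
            "load_rba": struct.unpack_from("<I", e, 8)[0]}       # first CD sector of the image


def parse_boot_catalog(catalog):
    """Decode the validation entry, the default entry, and any later sections."""
    val = catalog[:32]
    if not validation_ok(val):
        raise ValueError("boot catalog validation entry fails its checks")
    platform = PLATFORMS.get(val[1], "0x%02x" % val[1])
    entries = [boot_entry(catalog[32:64], platform)]
    pos = 64
    while pos + 32 <= len(catalog) and catalog[pos] in (0x90, 0x91):
        header = catalog[pos:pos + 32]
        sec_platform = PLATFORMS.get(header[1], "0x%02x" % header[1])
        count = struct.unpack_from("<H", header, 2)[0]
        pos += 32
        for _ in range(count):
            entries.append(boot_entry(catalog[pos:pos + 32], sec_platform))
            pos += 32
        if header[0] == 0x91:          # 0x91 marks the final section header
            break
    return {"id_string": val[4:28].rstrip(b"\x00").decode("ascii", "replace"),
            "entries": entries}


def describe_boot(read_sector):
    """read_sector(n) -> 2,048 bytes.  Follow sector 17 to the catalog and decode it."""
    cat = boot_catalog_sector(read_sector(17))
    if cat is None:
        return None
    info = parse_boot_catalog(read_sector(cat))
    info["catalog_sector"] = cat
    return info


# Constructed El Torito structures for the demonstration (not from a real disc).
def make_validation(platform, id_string):
    e = bytearray(32)
    e[0], e[1] = 0x01, platform
    e[4:4 + len(id_string)] = id_string
    e[30], e[31] = 0x55, 0xAA
    struct.pack_into("<H", e, 28, (-sum(struct.unpack("<16H", e))) & 0xFFFF)
    return bytes(e)


def make_entry(media, sector_count, load_rba, bootable=True):
    e = bytearray(32)
    e[0], e[1] = (0x88 if bootable else 0x00), media
    struct.pack_into("<H", e, 6, sector_count)
    struct.pack_into("<I", e, 8, load_rba)
    return bytes(e)


def make_section_header(platform, count, final=True):
    h = bytearray(32)
    h[0], h[1] = (0x91 if final else 0x90), platform
    struct.pack_into("<H", h, 2, count)
    return bytes(h)


SAMPLE_CATALOG = (make_validation(0x00, b"CONSTRUCTED")
                  + make_entry(2, 1, 20)                 # default: 1.44 MB floppy image at sector 20
                  + make_section_header(0xEF, 1)
                  + make_entry(0, 4, 40)).ljust(SECTOR, b"\x00")   # EFI: no emulation, 4 sectors at 40


def make_boot_record(catalog_sector):
    s = bytearray(SECTOR)
    s[0], s[1:6], s[6] = 0, b"CD001", 1
    s[7:30] = b"EL TORITO SPECIFICATION"
    struct.pack_into("<I", s, 0x47, catalog_sector)
    return bytes(s)


SAMPLE_SECTORS = {17: make_boot_record(19), 19: SAMPLE_CATALOG}


def sample_read(n):
    return SAMPLE_SECTORS.get(n, bytes(SECTOR))
```

The `load_rba` and `sector_count` values are what an examiner needs to extract each boot image from the disc for separate analysis; for an emulated floppy the image is 1.44 MB (2,880 512-byte sectors) beginning at `load_rba`, while for a no-emulation entry `sector_count` gives only what the firmware loads, not the whole image.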
Space Allocation by CD and DVD File Systems

One of the more basic jobs of a file system is to allocate space on the media. On hard drives, this is often accomplished with a bit map or other allocation table, because the information must be updated. On CDs and DVDs, the requirements are different because the media is read-only. FAT and NTFS space allocation is managed on a cluster basis, a cluster being a group of sectors. This helps to minimize fragmentation. This is not necessary on read-only file systems, because there is no updating of files. Another difference is that hard drive sectors are 512 bytes in length and CD and DVD sectors are 2,048 bytes in length. This means there is already a grouping equivalent to four hard drive sectors when allocating CD and DVD space.

ISO-9660 does not define any space allocation information, because it is by definition a read-only file system. Files are stored contiguously on the disc and cannot be modified. Space for files and the file system control information is allocated on a sector-by-sector basis when the file system is created. Joliet and Rock Ridge are extensions to ISO-9660 and do not change how space is allocated.

UDF can be the same as ISO-9660 when the file system is read-only, or it can require some degree of space allocation information when a rewritable disc is used. In both cases, UDF allocates space on a sector-by-sector basis. This can result in fragmentation, but usually does not, because of how space on rewritable media is used. In general, the entire disc is written to before any deleted space is "reclaimed" for use. The reason for this is that rewritable discs have a limited number of write/erase/write cycles for each sector. Therefore, it is optimal to spread the write/erase/write cycles over the entire surface of the disc. It should be noted that rewritable media is not generally rewritten at the sector level but at the packet level. A packet is a group of sectors, just like a cluster, but it is not used for allocation purposes by any of the drag-and-drop file systems.

HFS and HFS+ use a completely different strategy for allocating space, which is to be expected because they were first defined for hard drive use. HFS assumes that all sectors are 512 bytes, and these are grouped into allocation blocks. Each allocation block consists of a power-of-two number of sectors (usually 2K, 4K, or 8K) to accommodate the 2K CD sector size. There is an allocation block bit map that represents free and allocated allocation blocks on the media. The most common way to construct HFS and HFS+ file systems for CDs and DVDs is to build the file system when the disc is mastered. At the beginning of CD recording, there were no CD-specific tools for creating HFS file systems; therefore, the procedure was to create the file system on a hard drive, test it completely, and then write it to a CD. It was possible then for the file system to contain fragmented files, free space, and other hard drive artifacts.
Disc Accessibility Problems

Many issues can develop that make files, subdirectories, and entire discs inaccessible to the user. This occurs frequently with UDF discs, but can happen with any file system when updating is supported. From a forensic standpoint, this is useful because, as files become inaccessible, they are left in their original state and not altered or deleted later. This can give the forensic examiner a window into the previous state of the data on the disc.

ISO-9660/Joliet File Systems

Because of the simplicity of these file systems, it is unusual to find a disc with a damaged file system that prevents access to one or more files. However, such discs can have readability issues that prevent critical parts of a disc from being read, which can mean the disc is inaccessible under normal circumstances. CD/DVD Inspector can usually bypass these types of problems through a combination of using alternative sources of information and searching. For example, Microsoft Windows normally uses the path table to locate directories. If the path table is not readable, Windows cannot access the disc. CD/DVD Inspector can navigate through the directory structure by using information in the directory records themselves, without referencing the path table. Therefore, the disc is completely accessible under CD/DVD Inspector.

A forensic examiner may encounter a disc with a large amount of space that is unaccounted for by the Disc Map tool. With ISO-9660 and, optionally, Joliet file systems on the disc, this is a clear indication either that there is another file system (such as HFS or HFS+) present on the disc that may not be readable, or possibly that the disc was created using the mkisofs tool. In the latter case, it is possible that files were added to the disc that are not represented in the directory. Additional work is required to gain access to that data using the Copy Sectors or Sector Display tool.

UDF File Systems

UDF file systems are more complicated than ISO-9660 or Joliet. Because of this complexity, these file systems are often logically corrupted or broken in such a manner as to lose one or more files or even an entire directory. This usually happens because of software errors, but can also be caused by errors when updating rewritable sectors on a disc. Most of the software for writing discs using the UDF file system is focused on creating updatable discs on either write-once or rewritable media. The maturity of this software is approximately that of the FAT file system when the IBM PC AT was released in 1984. There were few tools for the average user to recover from errors on floppy diskettes, and file system errors were common. Today, there are only a small number of tools for repairing or recovering files from damaged UDF file systems, and they have not achieved wide market penetration.

For the forensic examiner, the problems with UDF file systems are significant. When files are "lost," the user often does not realize that there is an intact copy of the file on the media that can be recovered. This can be important when other copies of the file have been deleted from the disc. There are very few tools that allow you to regain access to lost files, and only CD/DVD Inspector couples this capability with other forensic features.

Other File Systems

Logical damage to other file systems is extremely rare. Because these other file systems are less frequently encountered, it is almost certain that an examiner will never encounter problems with HFS and other file systems.
Forensic Binary Images

Typically, a binary image of a hard drive is immediately created when a forensic examination begins. This is done to stem the possibility of the hard drive contents being altered during examination. As long as this binary image is an exact bit-for-bit copy of the original hard drive, it can be used as a substitute for the hard drive itself.

There are many tools that can be used to create a binary image file from a hard drive. Copying sectors from the hard drive to some other type of media (including another hard drive) is all that is required. It is common practice to perform validations on a hard drive and its image contents to make sure that they are identical. Using a hash value such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1) can validate that this has been done.

This has also been attempted with Compact Disc (CD) and Digital Versatile Disc (DVD) media, often using the same image file format. There are those in the forensic community who believe it is possible to create a binary image file equivalent to those created from hard drives; however, this overlooks several important aspects of how such discs are written. Compact Disc - Read Only Memory (CD-ROM) data discs and commercially produced DVDs can be imaged easily, because they contain one type of sector that begins with sector zero and extends to an endpoint on the disc. User-recorded Red Book audio discs can also be imaged fairly easily. User-recorded data discs are either multi-session or written with drag-and-drop software. If these types of discs involve multiple tracks, mixing the types of sectors is possible. User-written multimedia discs can involve multiple types of sectors in a single track (e.g., it is common to mix XA Mode 2 Form 1 sectors, with 2,048 bytes of user data per sector, with XA Mode 2 Form 2 sectors, with 2,324 bytes of user data per sector). Many recording applications use multiple tracks where, unlike manufactured discs, the area between tracks is not readable. This presents a problem when treating a CD as a contiguous span of sectors.

The Table of Contents (TOC) for a disc provides an index into the different tracks. There is no corresponding data for hard drives, which only contain the sector data. The disc TOC also provides an indication of whether the track contains Red Book audio or data sectors, which is required to properly read the contents of the disc. Determining what types of sectors are present in a track can be accomplished by examining other control information for the sectors or by examining the file system. DVDs only have a single type of sector; however, multi-session recording is possible. The index of border zones for a disc is similar to the TOC for a CD, and is required to properly process a multi-session DVD. In order to construct a binary image of a CD or DVD, every sector of each track must be captured along with an index indicating the type of track (for CDs) and the original starting location of the track.

CD/DVD Inspector 3.0 allows you to make a binary image file of any disc; an examination can later be run against that image file without the disc being present. While the image file format is specific to CD/DVD Inspector, coordination with other tools is expected.

Reproducing Forensic Images

In the case of hard drives, a forensic binary image of a drive is reproducible. As long as the contents have not been altered, every image taken of a hard drive is identical; the same holds for flash memory and other fixed media. This is not always the case with CD and DVD media, where reading from a disc with different drives can produce different results. This can result from different implementations of error correction strategy in the drive firmware and the hardware controlling the laser and optics. With some drives, it is possible to obtain non-reproducible results from successive imaging of the same disc, which can be observed with some Pioneer DVD writers on packet-written Compact Disc Recordable (CD-R) discs.

Assuming that it will always be possible to create identical forensic images from reading CD or DVD media is problematic, and calls into question evidence or forensic lab procedures should the MD5 or SHA-1 hash values of such images not match. It is strongly recommended that you not attempt to compare forensic images or forensic image hash values unless the examiner is fully aware that mismatches can be "normal." A recommended procedure is either to work from the original media or to work from a single image file. When working with the original media, use proper procedures to avoid contamination by software that does not belong on a forensic computer. When working from an image file, use before-and-after hash values to verify that the image has not been altered. Do not attempt to re-image the media and compare images or image hash values.
Collecting CD and DVD Evidence The following sections address the number of specific considerations needed for handling and collecting Compact Disc (CD) and Digital Versatile Disc (DVD) evidence. These sections also describe how to recognize CD and DVD media, how to protect yourself while collecting this evidence, and what precautions need to be followed in order to preserve it.
CD and DVD Forensics • Chapter 8
257
Recognizing CD and DVD Media In many cases, it is not necessary to collect manufactured discs that contain evidence that can only be stored on recordable discs. Due to differences in color, do not separate manufactured media from recordable media. If it is necessary to limit the number of discs being collected and time does not permit any analysis of the discs, it may be necessary to select discs based on their appearance. This should be avoided whenever possible. As part of the InfinaDyne C D and DVD Forensics class, students are given a disc that has been created with a clear laser-printed color label and that intentionally looks like an America Online (AOL) disc. If inserted into a computer with Windows, this disc behaves like an AOL distribution disc. Depending on the types of cases you work on, it is possible that you will encounter such a subterfuge. The question is not whether you were able to recognize the disc as recordable, but whether or not a colleague with less experience will be able to make that identification. It is strongly recommended that you collect every disc containing evidence. Do not to be fooled into thinking that every disc contains incriminating evidence; this is exceedingly rare.
Collection Considerations As mentioned previously, CDs are resistant to scratches on the data side, but the top surface can be easily damaged. If the top surface of a disc is scratched, there is no way to recover the data and the disc is rendered unreadable.Touch only the edges of the outer rim and center hole; to avoid contamination, do not touch the fiat surfaces. CDs are manufactured with a "stacking ring" near the center of the disc, which serves to keep the bottom of one disc away from the top of the disc below it w h e n stacked on a spindle. The lacquer on the top of a disc can become sticky even under ordinary environmental conditions, and is exacerbated in humidity. W i t h o u t the alignment provided by a spindle, if two discs are placed on top of each other, the lacquer may stick to the bottom of the disc placed on top of the other disc; separating the discs can also remove the reflector from the bottom disc, which can lead to a loss of evidence. Fastening discs together with rubber bands or tape can also destroy them. R u b b e r bands bend the edges of discs, thus deforming them. Tape can adhere to the top surface of a disc and, when removed, also remove the reflector from the disc. Some types of plastic wrap can also adhere to the lacquer and remove the reflector. For
www.syngress.com
258
Chapter 8
•
CD and DVD Forensics
these reasons, it is not recommended to wrap discs in plastic or tape, and they should not be secured by rubber bands. Ideally, discs are stacked on their original spindles. This is the best way to package discs, but may not always be practical. If the discs cannot be stacked on a spindle, they should be arranged in a stack in a paper bag and the bag taped to hold the discs in place. Properly stacking discs will also preserve fingerprint evidence.
Marking Discs
As mentioned previously, discs are not impervious objects; both polycarbonate and the lacquer coating can absorb humidity and other chemicals. It is recommended that you use water-based markers for writing on discs because of the following:
• Ballpoint and rollerball pens will damage the data area of a disc.
• Sharpie brand markers are rated unsafe by their manufacturer because they are alcohol-based, and should be avoided in order to preserve evidence.
• Markers that are solvent-based will dissolve the lacquer coating and destroy the reflector beneath it. Such markers can also damage the polycarbonate. While it is generally safe to use solvent-based markers in the clamping ring area of a disc, it is not recommended.
• Other markers that are not clearly identified as solvent-based or water-based can pose a substantial risk to the data area of a disc. If there is a solvent odor when the cap is removed, the marker should not be used on evidence discs.
• Labels can be applied to discs; however, if the adhesive is not the right type for CD use, a label can peel off the disc, which will interfere with the disc when it is being used. Removing such a label would likely peel the reflector from the disc, thus destroying it. The adhesive may also interact with the lacquer and possibly destroy the reflector.
It is generally safe to write anywhere on the top surface of a disc with water-based markers (sold as water-based markers and as specially labeled "CD Markers"). Avoid writing in any area that already contains markings. Writing with a water-based marker in the clamping ring area of the disc is always safe. Using labels that are placed in the clamping ring area is also safe, and will not affect the balance of the disc. These labels are commonly available and can be laser printed.

Transporting Discs
As mentioned previously, discs are sensitive to excessive heat (over 49°C/120°F) and ultraviolet (UV) light. Care must be taken to keep discs out of the sun and out of a potentially hot car interior. Additionally, prevent discs from receiving excessive vibration, as it can erode the surface of a disc if it comes into contact with other objects.
Documenting and Fingerprinting Discs
At some point, it may be necessary to collect evidence (e.g., fingerprints and surface markings) from a disc. Photographing the surface of a disc to document surface markings is recommended, because in order to process the data on the disc, it may be necessary to clean it, which can compromise the surface markings. The environment inside a CD or DVD drive is not conducive to successfully processing fingerprints. This means that fingerprints must be processed in such a manner as to not destroy the readability of the disc. Developing fingerprints with powder and photographing the results is compatible with this objective. It is possible to remove residual powder from a disc completely, even by washing the disc in plain water. We do not recommend using any cyanoacrylate (superglue) processes, which would likely leave artifacts on a disc and affect readability. Shielding the bottom of the disc can eliminate these artifacts, but excludes processing the bottom of the disc. Any use of tape-based fingerprinting processes will destroy discs. If portions of the reflector have been removed by lift tape, it is not possible to recover the information that was written on that area of the disc, and this may prevent the disc from being read at all. How to document a disc depends on the specific procedures for your laboratory. It is not recommended that you place rectangular labels on individual discs, because they can cause serious out-of-balance conditions in modern high-speed drives. If labeling individual discs is required, we recommend using "hub labels," which are small circles that go in the center of the disc covering the clamping ring. Hub labels are specifically designed for use on CDs and DVDs, and are compatible with the high-speed drive environment. Most other label adhesives are not compatible with this environment, and can result in the label peeling off inside the drive. Another procedure is to take a digital photograph of the label side of a disc; markings placed by the person who wrote the disc or by its user can be useful as evidence. Some automated systems for processing discs take a photograph of each disc as it is being processed. After fingerprint processing and the proper documentation of any evidence on the disc, light cleaning can be done to remove residual materials and/or contaminants (e.g., powder from fingerprint processing and substances such as cocaine) from the surface of the disc. This should be done without using any cleaning solvents.
Officer Safety
CDs and DVDs are often found in areas where there are biological, chemical, and drug hazards. Polycarbonate and lacquer both absorb water and other substances, which means it is not safe to handle discs that have been exposed to hazardous substances. It is important to note that such contamination is unlikely to affect the readability or usability of a disc. Powders and liquids can contaminate discs in ways that make it hazardous for an officer to collect that disc. However, when the source of contamination is carefully removed in the laboratory, the result is a perfectly readable disc. Be aware that when a contaminated disc is put into a drive, any contaminant on it will be spun off the disc and flung into the air. It is not recommended that discs be cleaned in the field. While special handling considerations may apply to contaminated discs, evidence can be destroyed by improperly cleaning a disc; fingerprints and other trace evidence can also be lost. When polycarbonate fractures, sharp fragments can be produced. Broken discs can be a significant hazard, because of sharp edges and because of tiny sharp fragments no larger than a grain of sand. Handling cracked or broken discs can result in serious injury if you cut yourself on broken discs or other contaminants in the collection environment.

Preparing for Disc Examination
In order to conduct an examination of the digital evidence on Compact Disc (CD) or Digital Versatile Disc (DVD) media, you must have the proper hardware, software, and workstation.
Forensic Hardware
It is recommended that you have two separate devices: a reliable Compact Disc ReWritable (CD-RW) drive and a recent DVD writer that can read both DVD+ and DVD- media. Recent writers should also be compatible with Digital Versatile Disc Plus Recordable (DVD+R) DL (dual layer) media. While it may seem counterintuitive, you must use a writer-type device, because reader devices do not access open sessions on discs. This means that any incomplete drag-and-drop discs would not be accessible with a reader. Worse still, a multi-session disc that has been closed at least once and then written to again with drag-and-drop writing software will only show the finalized content; anything added after that would be invisible. It is not necessary to use a write-blocker device with a CD or DVD writer, because writing software that functions without prompting is not present in Microsoft Windows. Before it will write to a disc, the CD writing capability present in Windows XP requires considerable effort on the part of the user. This writing capability also does not utilize rewritable media, such as CD-RW discs, making it difficult to write to a CD or DVD without significant user interaction. If necessary, you can disable the Windows XP CD writing capability by opening the "My Computer" window and right-clicking the drive to be changed. Select the Recording tab and uncheck the "Enable CD recording on this drive" option. (Microsoft has indicated that it will be incorporating the ability to use rewritable CD and DVD media into Windows Vista. If this happens, it may not be as easy to disable writing.) Hardware and software write-blocking tools are available to prevent modification to evidence discs. (For more information contact InfinaDyne.) We have found that the Plextor 12x writers are the most capable for reading problematic CD-R and CD-RW discs. These drives are no longer available from Plextor, but can still be obtained on eBay.
Our recommendations for reading DVD media are Plextor and Pioneer. Using the Pioneer Axx and 1xx series of DVD writers for processing CD-R media, we saw non-reproducible Message Digest 5 (MD5) hash signatures when reading Compact Disc Recordable (CD-R) discs written with DirectCD and other Universal Disk Format (UDF) drag-and-drop writing software. We recommend having Ivory soap (bar, not liquid) and distilled water available for cleaning discs. Using ammonia-based cleaners (e.g., glass cleaners) can "fog" polycarbonate and render a disc completely unreadable. (Read the entire Error! Reference source not found. section before using any of these products.) Scratch filling products and disc buffing tools can help, but must be used with caution, because they can increase uncorrectable error rates or cause other types of errors.
Forensic Software
There are several alternatives for collecting evidence from CDs and DVDs. Unfortunately, most forensic software does a poor job, either because it is based strictly on Microsoft Windows capabilities and Microsoft Windows file system implementations, or because it has limited support for CD and DVD file systems. The AccessData Full Tune-Up Kit (FTK) product has an imaging component (derived from the shareware ISOBuster product) that does a good job of collecting data from CDs and DVDs with any of the commonly supported file systems. The Guidance Software EnCase product has minimal support for CDs and DVDs, but can utilize the InfinaDyne CD/DVD Inspector product to process discs that it does not directly support. The ILook Investigator product has some capabilities beyond EnCase in its native form, but does not support all CD and DVD file systems correctly, nor can it deal with UDF discs that have logical errors. Other products (e.g., those from NTI) do not properly implement all of the possible CD and DVD file systems to any great extent. In general, they only support ISO 9660 and various extensions such as Joliet. InfinaDyne's CD/DVD Inspector can be used with both EnCase and FTK to collect evidence from CDs and DVDs. It can also be used with other products, although testing and certification have not been done.
Forensic Workstation
A forensic workstation is one that is qualified for use in processing evidence, meaning it has:
• Proper Basic Input Output System (BIOS) configuration
• No conflicting software
• No contaminating data
• The time and date synchronized properly
• Properly licensed software
For the BIOS configuration, it is important to check the order of the boot devices for a forensic workstation, to ensure that you cannot inadvertently boot from an evidence CD or DVD. Doing so would seriously compromise the integrity of the workstation. In this case, no conflicting software specifically refers to drag-and-drop writing software. Products such as DirectCD, Drag2Disc, InCD, DLA, and abCD have no place on a forensic workstation; they are all invasive and difficult to disable completely. They will potentially modify rewritable media if they are present; in some cases, they will modify write-once media. This modification is unacceptable for processing evidence. The same conditions for contaminating data apply for CD and DVD processing as for hard drive processing. The workstation should not have any data from any other cases accessible. Exceptions to this can be made when other case files are present on a lab network server; however, care must be used to ensure that no cross-contamination is possible. CD/DVD Inspector generally shows the timestamp information from when the disc was written, because CD and DVD file systems contain the time zone as part of the timestamp information, rather than relying on the time zone setting of the workstation. However, when copying files from a CD or DVD, the workstation time zone setting is referenced to make the file times relative to the local time on the workstation. All software involved in processing evidence needs to be properly licensed. Anecdotally, testimony has been excluded because it was based on unlicensed software.
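To see what "the time zone as part of the timestamp information" means on the disc itself, here is an added example (not from the book and not from CD/DVD Inspector) that decodes the 7-byte recording date of an ISO 9660 directory record; the sample bytes are constructed.

```shell
#!/bin/sh
# Added example, not from the book or from any product it names: decode the
# 7-byte "recording date and time" field of an ISO 9660 directory record
# (ECMA-119 section 9.1.5). Byte layout:
#   years since 1900, month, day, hour, minute, second, GMT offset
# The offset is a signed byte counting 15-minute steps east of GMT (-48 .. +52),
# so the time recorded on the disc carries its own zone and does not depend on
# the time zone configured on the forensic workstation.

# iso9660_dirtime YY MM DD hh mm ss off
# Each argument is one hex byte (e.g. as printed by od -tx1).
# Prints YYYY-MM-DDThh:mm:ss+hh:mm; prints "unspecified" and returns 1 for the
# all-zero field carried by records that have no date.
iso9660_dirtime() {
    year=$(( 0x$1 + 1900 )); mon=$(( 0x$2 )); day=$(( 0x$3 ))
    hour=$(( 0x$4 )); min=$(( 0x$5 )); sec=$(( 0x$6 )); off=$(( 0x$7 ))
    if [ "$mon" -eq 0 ] && [ "$day" -eq 0 ]; then
        echo unspecified
        return 1
    fi
    # Sign-extend the offset byte: 0xF0 is -16 quarter-hours, i.e. -04:00.
    if [ "$off" -gt 127 ]; then off=$(( off - 256 )); fi
    if [ "$off" -lt 0 ]; then sign='-'; quarters=$(( -off )); else sign='+'; quarters=$off; fi
    printf '%04d-%02d-%02dT%02d:%02d:%02d%s%02d:%02d\n' \
        "$year" "$mon" "$day" "$hour" "$min" "$sec" \
        "$sign" $(( quarters / 4 )) $(( quarters % 4 * 15 ))
}

# iso9660_dirtime_from_record FILE
# Reads the field straight out of a raw directory record, where it sits at
# byte offset 18 (bytes 19-25 in the standard's 1-based numbering).
iso9660_dirtime_from_record() {
    # Word splitting turns od's seven hex bytes into the seven arguments above.
    iso9660_dirtime $(od -An -tx1 -j 18 -N 7 "$1")
}
```

Decoding 6A 07 04 0E 1E 00 F0 gives 2006-07-04T14:30:00-04:00 whatever zone the workstation is set to; only converting that to a local wall-clock time brings the workstation's zone into play.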
Validation
The hardware, software, and workstation all need to be validated before evidence processing can be done with confidence. The validation of a writer consists of installing the drive either in the workstation itself or in an external case, connecting it to the workstation, having the writer recognized by the workstation and software, and finally the successful examination of a known disc. Under normal circumstances, the MD5 signature value computed by CD/DVD Inspector should be compared to that determined by other software. Due to differences in how MD5 signatures are computed for multiple-track discs, it is recommended that you use a single-track data disc for this purpose. The completion of all of these steps also validates that the CD/DVD Inspector software and the workstation are capable of processing discs correctly using that writer. During the class, this validation is accomplished using one of the supplied discs where the MD5 signature for the disc is known. The instructor may also supply other information about the disc.
Disc Triage
When an examiner is given a number of discs to be processed, it is reasonable to order them in decreasing readability, so that the most easily read discs are processed first and their results made available as soon as possible. Following this, the less readable discs are processed. This process makes the most effective use of both the examiner's time and the workstation time. At this point, it is assumed that all of the initial documentation gathering has been done on the collected evidence, or that it is being done as each disc is initially examined. All of the following procedures assume that the disc can be cleaned of all foreign materials and that any labeling of the disc may be destroyed by the cleaning process. The first clue to a disc being difficult to read is the degree of physical damage to the disc. This is not to say that apparently undamaged discs will always be easy to read; however, it is fairly clear that any disc that is heavily scratched, cracked, or damaged in any way is going to be more difficult to read. These should be put aside for later attention. At this time, it is also reasonable to attempt to clean any discs that are dirty or contaminated. The first rule is that if the disc is not obviously dirty or contaminated, do not clean it. Secondly, perform light cleaning only. If stubborn dirt is present, it will be impossible to read the disc. Care must be taken in handling contaminated discs. Take special precautions with discs that are cracked, because they may break, leading to sharp pieces of polycarbonate that can puncture the skin. As a first step, rinse discs with distilled water to remove surface dirt, possible drug contamination, grease, oils, and so forth. Dry the disc with a soft lint-free cloth. If rinsing the disc does not remove all foreign materials, use a diluted solution of pure soap (e.g., Ivory) and distilled water and a soft lint-free cloth, preferably not woven. This specifically excludes using any detergent, dish soap, or detergent-based liquid soap; such products can react with the lacquer, label, or polycarbonate in undesirable ways. Wipe across the surface of the disc in a straight line, not in a circular motion. One technique that is quite effective for protecting the reflector of the disc during cleaning is to place it upside down in a jewel case, which will hold the disc securely enough while it is being cleaned. After this treatment, any contaminants that did not come off may require significant effort to remove, which can damage a disc. Attempt to process the disc before proceeding with any further cleaning efforts. At this point, discs that are still scratched or otherwise damaged after cleaning should be put aside. The second phase of the triage operation is to begin examining a disc with CD/DVD Inspector while allowing it to continue for no more than five minutes. If CD/DVD Inspector has not gathered the directory information from the disc in five minutes, the disc should be put aside, because it requires more extensive work. All of the discs that gathered the directory information within five minutes can then be processed to completion. Next, an evaluation can be done to determine if sufficient evidence has been found or if additional discs must be examined. If so, the undamaged discs that took more than five minutes with CD/DVD Inspector should be processed. It can take significant amounts of time for CD/DVD Inspector to process a disc that has readability problems. While some or all of the files on the disc may be recovered, it can take days to do so. It can take an equal amount of time to copy the information from a disc. Therefore, it is appropriate, early in the triage process, to skip any disc that takes more than five minutes to be examined and put it aside for later processing. If sufficient evidence is collected without processing such discs, this may not be necessary. Later, if such problematic discs must be processed, the examination of the disc should be left to run as long as it takes.
At this point, you are left with the discs that have stubborn dirt or physical damage. If any of these discs are partially readable and not physically damaged, you should process them with CD/DVD Inspector before continuing. It might also be helpful to attempt to make a copy of these discs. Discs that are physically damaged, especially with damage to the reflector, should not be put into a drive until these problems are addressed. All of the techniques for working with discs from this point on can damage them. If a disc is partially readable, all of the evidence should be collected before continuing. Removing stubborn dirt usually requires that you use some type of solvent. There are specific CD and DVD cleaning solutions that can help; try them first, as they are least likely to have damaging effects. Do not use any type of cleaner based on organic or petroleum solvents; such solvents will remove the lacquer and reflector and can "eat" the polycarbonate. Ammonia-based cleaners designed for glass or other surfaces can be used; however, first test the cleaner on non-evidence discs. Some ammonia products can fog the polycarbonate and render the disc unreadable. All of these cleaning agents can destroy any markings on the top surface of the disc. Aside from cleaning, discs with scratches can sometimes be fixed with buffing tools, which fall into two broad categories: the consumer units for less than $50.00, and the commercial units that can range from $800.00 to $1,000.00 or more. The consumer devices are safe when used properly. Be sure to follow the directions and buff the correct side of the disc. Of primary concern is damaging the disc by removing too much material; consumer devices do not remove too much and are reasonably priced. Commercial buffing systems can remove "enough" material to eliminate scratches completely, and can also remove considerable amounts of polycarbonate from a disc. This can introduce aberrations and distortions into the shape of the disc. Use such machines with great care; it is possible to take a disc that is 50 percent readable and make it 100 percent unreadable. It is recommended that you gather all possible information from such discs before using a commercial-grade buffing system. Scratch filling products can also be helpful when there are deep scratches. However, it must be clearly understood that CDs and DVDs are read with infrared light and not visible light. Therefore, a scratch filler can appear to hide scratches in visible light and yet be utterly opaque to infrared light. Selecting a scratch filler product that performs well can be difficult. Testing by Media Sciences (www.mscience.com) has found that several of these products actually make the problem worse.
Discs where portions of the reflector are missing should be handled extremely carefully to prevent further damage. One suggestion is to apply a label to the disc to "lock down" the remaining portion of the reflector and prevent further peeling. Such peeling can occur when the disc is being read in a high-speed drive. Applying a full-circle CD label can prevent this from happening. Discs that are cracked or broken in half can be processed, but it may require the disc swap process described below. The first step is to stabilize the cracked area or to rejoin the broken halves. It is recommended that you use one of the clear discs on the end of a spindle to protect the discs. Glue the top of the cracked disc or halves onto the end piece. Many common office adhesives will work, but avoid strongly solvent-based products like rubber cement and contact cement. White glue will probably work, although the drying time may be longer than with other adhesives. After gluing, the disc will be thicker than a standard disc and may require a modified drive in order to be read. Discs with portions of the reflector missing, with cracks, or otherwise damaged may not be readable in an ordinary drive, because all drives must read the Table of Contents (TOC) from the disc in order to "mount" the disc. This is how the drive determines that there is a valid disc inserted rather than a piece of cardboard. If the TOC in the lead-in cannot be read, the disc cannot be read in an ordinary drive. This is where the "disc swap" technique comes into play, using a modified drive. The technique is also required for quick-erased discs. Swapping discs requires that you have a disc as close to the subject disc as possible. The type (e.g., CD-R, CD-RW, DVD-R, DVD-RW, DVD+R, DVD+RW) and color (e.g., dye formulation) are important, because the drive measures the "replacement" disc and determines how to read it. When you swap in the subject disc, these parameters are retained. If the replacement disc is not a good match, there will be problems reading the subject disc. It is not necessary that the exact dye be matched, but it is recommended that it be matched visually. This should result in a good match of reflectivity and contrast. For write-once discs, the replacement disc should have the same track arrangement and at least as much data written to the disc as the subject disc. If you have no idea what was written onto the subject disc, you can guess; you may have a single-track data disc that is completely full (700 MB for a CD, 4.3 GB for a DVD). For rewritable media, the replacement disc should be completely formatted. The swap technique for this type of disc is as follows:
• Put the replacement disc into the modified drive and use the tray button to indicate to the drive that the disc has been changed.
• Wait until the disc stops spinning. Attempting to stop the disc before it stops spinning can result in serious cuts. Polycarbonate spinning at high speed is very sharp.
• Remove the replacement disc and put the subject disc in the drive. Replace the magnetic clamp. Do not touch the tray button; the idea is to not inform the drive that the disc has been changed.
Due to the hazards of exposing the drive laser, this information should only be used by qualified persons. Failure to take proper precautions can result in serious eye damage, even blindness.
If this disc swapping technique does not work with a disc, or the disc is too badly damaged to place into a drive, all is not lost. InfinaDyne has several contacts in the academic community that may be able to assist with discs that are otherwise unreadable. One system that has come to our attention can work with as little as one-eighth of a disc. Using such equipment should be a last resort and will incur significant delays and expenses.
Chapter 9 • MP3 Forensics
Introduction
I remember when I got my first boombox, circa 1983. It was sea-foam green and had two tape decks and a radio. It came with batteries and was so small and portable that I could take it with me everywhere I went. Then there was my first Walkman, the size of a brick, with giant, spring-loaded headphones. And after that, my first portable CD player, which cost almost a month's wages back in 1990. Today, of course, portable music players are commonplace and mundane. Although five years ago having white iPod headphones on meant you were hip and stylish, now it just means you like to listen to tunes. But more and more, the iPod is becoming a medium to store not just music, as we will see. At a conference, I had a conversation with a federal agent about a child pornography case that he had worked on. He and his colleagues had raided the suspect's home as usual, but noticed that the suspect was strangely unalarmed and even smirking as the agents copied all the data from his computers. He continuously proclaimed his innocence. The agent remembered a presentation I had given about iPods being used to store data and noticed that the suspect had an iPod on his desk. According to the warrant served on the suspect, the agents were permitted to seize all electronic equipment capable of storing data. The agent picked up the iPod, and suddenly the suspect's demeanor and attitude changed; he turned pale and became agitated. Before the raid was finished, the suspect had confessed that he routinely erased his computers' hard drives after transferring all of his child pornography photographs to his iPod. The evidence resulted in a conviction. This section of the book will demonstrate how iPods can be used to store any type of data or information that can be stored on a regular personal computer. The data can be encrypted, hidden, and easily manipulated by the user.
In this chapter, we will explore the ways to store, access, and find data stored on iPods, and the tricks people use to hide malicious data.

History
In the late 1990s, digital music began to gain in popularity. The MP3 music format was portable and the sound quality was closer to that of compact discs than the analog tapes that had been used for decades prior could ever be. The MP3 format used compression so that the files were small in size and could easily be stored and listened to on a personal computer.
Before the paint had even dried on MP3 technology, people had figured out ways to cheat the system. The new MP3 technology led to two of the first file-transferring networks, Napster and Gnutella, which allowed users to share and download music without purchasing it, leading to government and retail industry outrage and uproar. This was a gray area at first, since there were no laws on the books about file transferring or sharing from peer-to-peer networks and individual users. Eventually Napster, Gnutella, and most other similar networks were shut down by government authority. Soon after MP3 technology caught on, the first digital media players became available, but there was still not a commercially viable way to legally purchase and download MP3s until 2000-2001, when Apple released the iPod and its iTunes online retail download service. Suddenly consumers had a very good way to legally purchase music and transfer it to their iPods or other digital media players. The digital music industry boomed, and since then it has become a powerful segment of the music business as a whole. Although there are many different brands and types of digital media devices, Apple's iPod accounts for more than 80 percent of the digital media market, so this section of the book will focus exclusively on the iPod.

Why Is an iPod Considered Alternative Media?
iPods have standard file systems of either Apple's HFS+ or Microsoft's FAT32, which we will explore in greater detail later. These file systems are static because they are not continually transferring data like other types of devices, such as cell phones. Because of their static nature, performing forensics on iPods is not substantially different from performing forensics on a regular computer hard drive. The difference between an iPod and a regular computer that makes an iPod an alternative media device is that the primary function of an iPod is as a music player. Only recently have iPods evolved into photo storage and video player devices. Because they are used for entertainment purposes, iPods might not be thought of as data repositories containing evidence. What follows is a detailed description of iPod forensics and the process that my colleagues and I perform on iPods to extract and analyze data contained on them.
Imaging and Hashing
The first step in iPod forensics is to create an image of a device and hash it to ensure integrity. With digital evidence, we do not work on original evidence. Instead, we attempt to create a duplicate of the evidence. This duplicate can be an exact replica of all data contained on the device. There are two types of images: a physical image and a logical image. A physical image is a bit-for-bit copy of all data contained on a device, and a logical image is an image of the file system exactly as it appears on a device. Sometimes it may not be feasible to collect a physical image, and therefore a logical image is your only option. For example, you may have a warrant that will only allow you to copy a user's home directory. In that case, you would not be able to collect any data that was outside of the user's home directory. For forensic purposes, a physical image is always the preferred type. To preserve the integrity of the data, forensic examiners perform what is called a "hash" at every step of the way. A hash is a one-way mathematical algorithm that acts as a "fingerprint" of all data contained on a device. This ensures that the data has not been altered from its original state at any point during the imaging process. Hashes can be performed by using tools such as md5sum. The tool is applied to a file and returns a number computed by a particular algorithm. Then the imaging is performed and the md5sum tool is rerun. If any part of that file was altered between the two runs, the number will change, signifying a potential loss of evidence integrity. This ensures that the data you are working on has not been altered. Another way to preserve the data is to use a write blocker. Write blocking a device will protect the device from any manipulation. It will essentially guard your evidence from being written to during imaging. This way, if you happen to make an error, your evidence will be protected. A write blocker typically comprises visible external hardware, such as Logicube's Forensic Talon or Intelligent Computing Solutions (ICS)'s Solo III. A hard drive is physically attached to one of these devices, which will ensure that no writes can be made to the evidence contained on that drive. Since iPods do not have IDE interfaces and use FireWire or USB, they cannot be connected to standard IDE imaging devices such as the Solo III without a USB adapter. Similarly, an iPod should not be plugged into a forensic tower and imaged using a Windows-based tool. When you plug any USB or FireWire device into a Windows machine, Windows will "touch" the device and change the files contained on the device. One of the most important rules that forensic examiners must follow is not to alter evidence, including date and time stamps on evidence.
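The hash, image, re-hash cycle just described, as an added example that is not the book's own procedure and not dcfldd: it uses dd and md5sum from GNU coreutils on a Linux workstation, and the "device" it images is a constructed sample file standing in for the raw iPod device.

```shell
#!/bin/sh
# Added example, not from the book and not dcfldd: the hash / image / re-hash
# cycle described above, done with dd and md5sum from GNU coreutils on a Linux
# workstation. SRC would normally be the raw iPod device (e.g. /dev/sdX, which
# needs root); the test below substitutes a constructed sample file.

# acquire_image SRC IMG LOG
# 1. hash SRC before anything touches it, 2. copy it sector by sector with dd,
# 3. hash SRC again and hash IMG. Writes all three MD5s to LOG and prints
# MATCH (exit 0) only when all three agree.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    before=$(md5sum "$src" | cut -d' ' -f1)
    # bs=512 is the sector size; conv=noerror,sync keeps reading past a bad
    # sector (the sector is zero-filled in the image) instead of aborting.
    # Caveat: sync pads a trailing partial block, so a plain file whose size is
    # not a multiple of 512 bytes will hash differently from its image; a real
    # block device is always a whole number of sectors.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(md5sum "$src" | cut -d' ' -f1)
    image=$(md5sum "$img" | cut -d' ' -f1)
    printf 'source-before %s\nsource-after %s\nimage %s\n' \
        "$before" "$after" "$image" > "$log"
    if [ "$before" = "$after" ] && [ "$before" = "$image" ]; then
        echo MATCH
        return 0
    fi
    echo MISMATCH
    return 1
}

# verify_image IMG LOG
# Re-hash the image at any later step and compare with the MD5 recorded at
# acquisition. Any change to the image, however small, flips this to ALTERED.
verify_image() {
    img="$1"; log="$2"
    expected=$(awk '$1 == "image" { print $2 }' "$log")
    actual=$(md5sum "$img" | cut -d' ' -f1)
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo VERIFIED
        return 0
    fi
    echo ALTERED
    return 1
}
```

The "source-after" hash is the one that catches the mistake the chapter warns about: if the workstation mounted and wrote to the device during imaging, it no longer matches "source-before".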
Hardware vs. Nonhardware Imaging You can image data using hardware devices or software operating systems. It is highly recommended that if you have a hardware device that has a USB and/or FireWire interface, you should image the data using the hardware device. Hardware devices write-block very well and leave little room for error. An excellent hardware device is the Tableau Forensic USB Bridge, but others like it are available on the market. They are relatively inexpensive and user-friendly. A nonhardware solution, such as an operating system like Linux or DOS, can be configured to not automatically mount a device when imaging. Linux is not a substitute for a write blocker, and is susceptible to human error.
Removing the Hard Drive It is possible to obtain an image by removing the hard drive from an iPod if the iPod does not use flash memory. Please see the section "Types of iPods," later in this chapter, to see which ones contain hard drives. You can remove a hard drive from an iPod, but this is prohibitive because removing a hard drive could break the device.
Linux Another method you can use, but only if absolutely necessary, is to employ an operating system such as Linux for imaging. You can configure Linux to not automatically mount a USB device when the device is plugged into your forensic tower. This means that, in theory, an iPod would remain untouched, with its files unaffected, when plugged in. This method allows for no write protection, however. If you make a mistake, you could destroy your evidence. I suggest that if you use this method, you employ the Linux command dd or the DCFL lab version, called DCFLDD, to image the device. The steps to perform this method follow. The first thing that you see is the fdisk output of the device, with two partitions. In this case, the device /dev/sdd corresponds to the iPod device, which is the target of the imaging process. The first entry in fdisk's output, for /dev/hda, corresponds to the hard drive of the host computer used in the imaging operation and can be safely ignored (see Figure 9.1).
www.syngress.com
It is important to remember that the whole point of imaging in this way is to not mount the device. You can do everything you need to image the device without mounting it. The next step is to collect the MD5 hash of the device. You can perform this step in multiple ways, such as using another hashing tool or outputting an MD5 file to another directory. The following shows the command syntax for running the MD5 checksumming utility md5sum on the target device /dev/sdd and storing the result in the file /root/ipod.before.md5 (see Figure 9.2).
Next, you view the /root/ipod.md5 file to make sure the hash is valid (see Figure 9.3). In forensics, it is good to double-check your work at every point, especially when there is no hardware write protection. The next step is to create an image file from the device. This example uses the Linux dd command to image the data (see Figure 9.4). The bs option stands for "block size". Block size can be changed as desired, and has no impact on the data copied, except to optimize the throughput of the copy by transferring that many bytes on each copy operation. The next two parameters are the input file (if) and the output file (of). It is important to double-check that the iPod device is the input file and not the output file. Putting the iPod device as the "of" parameter could alter the contents of the evidence drive!
Figure 9.3 The "More" Command Displays the Contents of the File to the Screen
Figure 9.4 Imaging a Device
Figure 9.5 is an example of a completed dd function.
Figure 9.5 A Completed dd Function
After the image is complete, perform another hash to ensure that the data has not been changed (see Figure 9.6). The next step is to compare the two hashes (see Figure 9.7).
Figure 9.6 Performing Another Hash
Figure 9.7 Comparing the Two Hashes
As the previous example shows, the before and after hashes of the iPod device are the same, which means nothing on the evidence drive was altered. Additionally, a hash of the forensic copy should be made to ensure that the hash of the image file is the same as the hash of the iPod. This proves that the image contains exactly the same data as the iPod and that the dd copy of the drive worked correctly.
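The hash, image, rehash and compare sequence described above, scripted as a POSIX shell function so that each step's digest is checked rather than read off the screen. This is an added example and not the book's commands: the function names are its own, and make_sample_device writes a constructed 1 MiB file that stands in for /dev/sdd so the script can be run without an iPod attached. It assumes the same GNU md5sum and dd tools the text uses.

```shell
#!/bin/sh
# Added example (not from the book): the md5sum -> dd -> md5sum -> compare
# workflow from this section, scripted so each step's result is checked.
# Function names are this example's own; the sample device is constructed.

# Print only the MD5 hex digest of a file or block device.
hash_of() {
    md5sum "$1" | awk '{print $1}'
}

# image_and_verify SOURCE OUTPUT [BLOCKSIZE]
# Hashes SOURCE, copies it with dd, hashes SOURCE again and hashes OUTPUT.
# Returns 0 only when all three digests agree, 2 if the output path is
# unsafe, 3 if dd itself failed.
image_and_verify() {
    src=$1
    out=$2
    bs=${3:-65536}

    # Guard against the if/of mix-up the text warns about: the output must
    # never be a block device, and never the evidence path itself.
    if [ -b "$out" ] || [ "$src" = "$out" ]; then
        echo "refusing to write image to $out" >&2
        return 2
    fi

    before=$(hash_of "$src")          # equivalent of /root/ipod.before.md5
    dd if="$src" of="$out" bs="$bs" 2>/dev/null || return 3
    after=$(hash_of "$src")           # rehash of the evidence after imaging
    image=$(hash_of "$out")           # hash of the forensic copy

    printf 'source before: %s\nsource after:  %s\nimage:         %s\n' \
        "$before" "$after" "$image"

    if [ "$before" = "$after" ] && [ "$after" = "$image" ]; then
        return 0
    fi
    return 1
}

# Constructed stand-in for /dev/sdd: 1 MiB of random bytes in a regular file.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=65536 count=16 2>/dev/null
    echo "$1"
}
```

Run against the constructed file with `dev=$(make_sample_device /tmp/sample.bin); image_and_verify "$dev" /tmp/sample.dd`; a non-zero return means the three digests did not agree, which is exactly the condition the text tells you to look for when comparing Figures 9.6 and 9.7.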
Registry Keys If you are using a Windows-based imaging tool such as Guidance Software's EnCase, you can use a key in the Windows Registry to write-block a USB device that is plugged into a forensic tower. This will keep Windows from writing to evidence. Doing a Web search on "write blocking USB device" will give further information on the steps necessary to carry out this procedure. It is important to remember that using Linux or a Registry key edit for imaging is a last resort. It is always better to use a hardware write-blocking device. You can find many guides online that will detail the steps you need to follow if you choose to take this route. You can also go to www.windowsitpro.com/windowsstorage/Article/ArticleID/44380/44380.html.
Types of iPods iPods come in many different physical and firmware versions. The first generation of iPods became available to consumers in October 2001. They had a storage capacity of up to 10 GB. There have been many subsequent generations of the iPod. With each new generation, features became enhanced, including the addition of color screens, and video storage and playback capability. The storage capacity increased as well. Newer iPods can have storage capacities of up to 80 GB, using a Toshiba 1.8-inch hard drive. The iPod Mini debuted in January 2004. The Mini was the first iPod available in various colors and was substantially smaller than other models. Storage capacity for the Mini was up to 6 GB, using a 1-inch Hitachi Microdrive. The iPod Nano was the new version of the Mini. It was even sleeker and smaller and came in either black or white. Current Nano models have a storage capacity of up to 8 GB, using flash memory. The Nano has the ability to store and show digital photographs and video via a color screen. The iPod Shuffle appeared in January 2005. The Shuffle used flash memory instead of a hard drive. The first Shuffle was smaller than a pack of gum. Unlike the other iPod models, it had no LCD display. The second-generation Shuffle was even smaller than its predecessor.
File Types Supported Currently, iPods support the following file types: Advanced Audio Coding (AAC), Protected AAC, MPEG Audio Layer III (MP3), Variable bit rate MP3 (MP3 VBR), Audible Audiobook, Apple Lossless, Audio Interchange File Format (AIFF), Windows Audio, Compact Disc Digital Audio, JPG, JPEG, TIF, TIFF, GIF, PNG, BMP, PSD, SGI, MPEG-4, and H.264.
File Systems A file system is how an operating system organizes the data stored on a computer. We discussed file systems at length in previous chapters. The iPod uses two standard file systems: Microsoft's FAT32 and Apple's HFS+. The FAT32 file system is compatible with Apple Macintoshes and Windows PCs. HFS+ is writable only with Macintoshes. If a user has an iPod formatted with FAT32 and both a Macintosh and a Windows-based PC, he can read and write to the iPod from both computers. Such a user can also write and read to the iPod using Linux. The iPod is essentially a storage device and you can configure it to use almost any file system. I have used the extended 2 and 3, as well as FAT16 file systems on my iPods.
"Hacking Tools" and Encrypted Home Directories At conferences, I like to show agents some worst-case scenarios. One of the things I like to show them is an iPod Shuffle that I have manipulated to act as a devious device capable of malicious activities. I repartition the hard drive so that there is enough capacity to install a bootable Linux distribution that contains various "hacking tools," including the popular Metasploit. The iPod control folder is left intact, along with all of the other folders needed for the iPod to function normally. I start the session by showing them the Shuffle connected to its iTunes library and playing music normally through speakers. I then plug the iPod into another machine and demonstrate how to boot it into Linux without touching the host machine. I show them how I can use Metasploit or another hacking tool to break into another machine and access data on that machine. I then explain to them how the host machine is never touched while I am hacking into it using the iPod and that all evidence of these activities is going to be found only on the iPod. The point of this exercise is to show that even if an iPod appears to act like it should, it may not in fact be what it seems. MojoPac is another hacking tool for use with the Windows operating system. MojoPac allows a hacker to use an iPod as a virtual Windows desktop. Plugging an iPod into the USB port on a Windows computer copies the applications on that computer's desktop and allows the iPod to become a working virtual machine. For more information or to purchase this tool, go to www.mojopac.com. Another hacking technique using iPods is called "slurping." Slurping uses a tool called Slurp that captures documents, spreadsheets, and other files from the desktop of a computer using an iPod via the computer's USB port. This can be useful or malicious. For example, a malicious user could ask you whether she can use your computer to charge up her iPod using a USB port on your computer. Once the iPod is synced to the computer, Slurp captures all the documents and spreadsheets on your computer's desktop. The original article and code can be found at www.sharpideas.net/pod_slurping.php.
Evidence: Normal vs. Not Normal When conducting an exam, forensic examiners need to know the distinction between normal data files and evidence that is not normal. Depending on the firmware and version of a particular iPod, there may be some variance in this determination throughout an analysis. For example, on older iPods, the song-naming convention displays the entire name of a song plus the music file extension, whereas on newer iPods songs are displayed with a four-letter code in addition to the file extension. In Figure 9.8, you see the main directory structure of an iPod Nano, which contains the iPod_Control, Device, iTunes, Music, and Artwork main directories. The New Folder icon is not typical.
Figure 9.8 An iPod Nano's Directory Structure
The Device folder contains files with some important information about the iPod, such as the firmware version and serial number, as you see in Figure 9.9.
Figure 9.9 This is the sysinfo output. You can see the serial number of the device.
One of the files that forensic examiners note is the iTunes DB file, which provides information about music files, including their file type, music category, and the location on the device. This file is controlled by the iTunes software (see Figure 9.10). If a user manually moved a file onto an iPod, it would not be listed in the iTunes DB file. The file is found in the iPod_Control/iTunes directory.
Figure 9.10 An Example of the iTunes DB
The iPod Shuffle has a file called iTunes SD, which provides MP3 location and song title information. The Shuffle is the only iPod that contains this file. There is an example in Figure 9.11.
Figure 9.11 An Example of the iTunesSD File
The iPod_Control directory is the control center of an iPod. It contains the Music and iTunes directories, as you see in Figure 9.12. This is where all music files are stored by default. All music files are dispersed into various directories, each named F##, such as you see in Figure 9.13. Further investigation of the directories reveals the actual music files themselves. Newer versions of iTunes will condense MP3 or other digital music formatted songs into four-letter codes followed by an extension, as shown in Figure 9.14, and as discussed earlier.
Figure 9.13 An Example of f## Music Directories
Figure 9.14 Example of an mp3 file on an iPod
When you are looking at digital photos or video files on an iPod, it is important to understand that the photos or videos themselves may be important evidence. The evidence could reside in plain sight on the iPod, or it could be hidden inside folders. For example, in a child pornography case, photo or video evidence might be in the default photo and video directories. Further investigation might be necessary to uncover hidden evidence. Other directories are the Contacts, Podcasts, and Notes directories. Different versions of iPods have slightly different directories. For example, the iPod Shuffle has the Shuffle DB but does not have a picture-viewing directory. If there are photos in a Shuffle directory, those photos were placed on the device manually, not using the iTunes software.
Uncovering What Should Not Be There Just because an iPod has been manipulated or changed from its factory configuration does not necessarily mean that there is suspicious activity going on. Many people like to change or hack their iPods. Sometimes it can be innocent, but other times it can be a telltale sign of malicious activity. Suspicious items to look for are things such as mismatched file extensions. An example is a .jpeg file with a .mp3 extension. Most forensic tools are able to detect such discrepancies by using signature analysis tools. These tools find files that have a header that is different from the extension. You can configure most forensic tools to add custom file signatures. Other suspicious items are hidden or improperly named files, which include files named something innocuous, for example, a photo that is named to look like an MP3 file. Additionally, files that should arouse suspicion could include those with blatantly outrageous names, such as "hax0r." Too many partitions indicate that an iPod is not set to the factory default and should be looked at carefully. A file system other than the standard FAT32 or HFS+ installed on an iPod could indicate suspicious activity. For example, the image in Figure 9.15 appears to contain a normal iPod directory structure. However, there are a few unusual items that bear notice, such as a Knoppix directory and the syslinux.cfg and ldlinux.sys files, which indicate that this iPod has some form of Linux on it. In this case, it happens to be Damn Small Linux (DSL), a very small, bootable version of the Linux operating system. Also of note is the framework-2.5 directory. This directory contains the Metasploit hacking tool, which can be found at www.metasploit.com. There is also a slurp-audit directory, which is very suspicious.
Figure 9.15 A suspicious iPod
Figure 9.16 shows an example of an image disguised to look like an MP3 file. This is a simple and common way of attempting to hide evidence. Photos can be hidden in iTunes, which will load the disguised photo into its library, and sometimes can be hidden as song files and placed into the F## directories to avoid detection. The Music directory shows the standard F## directories. In Figure 9.16, opening one of these directories reveals two deleted songs that have the older iTunes song-naming convention of writing the whole song name. This shows that the user had a previous version of iTunes. Additionally, the file named Hidden.mp3 is suspicious because it is not using the correct naming convention of either the old version of iTunes or the new one. Also, it is named Hidden.mp3, which is a suspicious name in and of itself. It is also much smaller in size than the other regular music files, which indicates that something is wrong, as you see in Figure 9.16. In Figure 9.16, there are two other files that are smaller in size than regular music files typically are. These files might be image files that a crafty user has attempted to hide as music files.
Figure 9.16 Possible Suspect Music Files
Figure 9.16 is an example of the inside of an F## directory. Looking at the Hidden.mp3 file using a hex editor shows that the JFIF file header indicates that this is not an MP3 as it should be (see Figure 9.17).
Figure 9.17 Music file with suspect header
Another tactic that users employ to disguise files is to insert text within a music file. A hidden message such as "The cow jumps over the moon at noon" might be inserted into an MP3 file. The MP3 will still play normally, which makes it difficult to detect. This will not show up in signature analysis because the actual file header will still match its extension. In this case, the best way to detect text within an MP3 file is through keyword searches. It is also possible to get hashes of songs from Apple and compare them to the song hashes on the suspect device. Yet another way to hide photos is to make them cover art. With the color iPods, users can match cover art to music files. Default cover art is often included in songs purchased from iTunes. There are also Web sites that have current cover art. Users have the option of changing the cover art to suit their preferences, making it a good place to hide bad photos.
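The signature analysis described in "Uncovering What Should Not Be There" (a header that disagrees with the extension, as with the JFIF header found inside Hidden.mp3 in Figure 9.17) and the keyword search just mentioned, scripted as an added POSIX shell example. This is not the book's code or any forensic tool's: the type table is a deliberately small one that this example defines, the function names are its own, and the sample files sketched in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the book): a signature-analysis pass over an
# iPod-style Music/F## tree, flagging files whose header does not match
# their extension, plus a keyword sweep for text hidden inside MP3 files.
# Function names and the sample files in the usage comment are this
# example's own constructions.

# Print a type name derived from the first four bytes of a file (the same
# kind of header check a forensic tool's signature analysis performs).
sniff_type() {
    magic=$(od -An -tx1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        ffd8ff*)                  echo jpeg ;;     # JPEG/JFIF SOI marker
        89504e47)                 echo png ;;      # "\x89PNG"
        47494638)                 echo gif ;;      # "GIF8"
        494433*)                  echo mp3 ;;      # "ID3" tag header
        fffb*|fff3*|fff2*|fffa*)  echo mp3 ;;      # bare MPEG audio frame
        *)                        echo unknown ;;
    esac
}

# Map a lower-cased extension to the type its name claims.
ext_type() {
    case "$1" in
        mp3)       echo mp3 ;;
        jpg|jpeg)  echo jpeg ;;
        png)       echo png ;;
        gif)       echo gif ;;
        *)         echo unknown ;;
    esac
}

# check_signature FILE: 0 if header and extension agree, 1 if they do not,
# 2 if either side is unknown to this small table.
check_signature() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    want=$(ext_type "$ext")
    got=$(sniff_type "$1")
    if [ "$want" = unknown ] || [ "$got" = unknown ]; then
        return 2
    fi
    if [ "$want" = "$got" ]; then
        return 0
    fi
    return 1
}

# scan_music_dir DIR: print one MISMATCH line per file whose header and
# extension disagree; prints nothing when everything is consistent.
scan_music_dir() {
    find "$1" -type f | while IFS= read -r f; do
        rc=0
        check_signature "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf 'MISMATCH %s (header says %s)\n' "$f" "$(sniff_type "$f")"
        fi
    done
}

# keyword_hits DIR KEYWORD: list .mp3 files containing KEYWORD as plain
# text (case-insensitive). grep -a searches the binary file as text.
# No hit is not an error, so the function always returns 0.
keyword_hits() {
    find "$1" -type f -name '*.mp3' -exec grep -lai -- "$2" {} + || true
}

# Usage on a constructed sample tree (not real evidence):
#   d=$(mktemp -d); mkdir -p "$d/iPod_Control/Music/F00"
#   printf '\377\330\377\340\000\020JFIF' > "$d/iPod_Control/Music/F00/Hidden.mp3"
#   scan_music_dir "$d"   -> MISMATCH .../F00/Hidden.mp3 (header says jpeg)
#   keyword_hits "$d" "cow jumps over the moon"
```

The four-byte table is the whole point of "custom file signatures" in the text: a real tool carries hundreds of entries, and a file that is disguised by inserting text rather than by renaming passes `check_signature` cleanly, which is why `keyword_hits` exists alongside it.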
Analysis Tools Forensic examiners can use almost any forensic tool that supports FAT32 or HFS+ for analyzing iPods, including Guidance Software's EnCase, AccessData's FTK, Brian Carrier's Sleuth Kit, and Paraben's P2. All of these tools utilize similar functionality to carry out analysis. All have a relatively intuitive user interface. The Sleuth Kit is primarily for more advanced users and runs only on the Unix/Linux platform. All of these tools are commercially available; the Sleuth Kit is downloadable free of charge. Not all of these tools will support the HFS+ file system, so users may be limited by particular file system parameters. All of these tools are capable of rendering image files and text files, and they have keyword search capability. A forensic examiner would use these tools in the same manner as he would in performing a static hard-drive analysis.
Summary This chapter of the book introduced and explained the file structure of the iPod and showed how evidence can be hidden within the iPod. In the field, I have seen everything from the standard iPod that stores only songs to completely tricked-out iPods running dual-booted operating systems full of exploits and hacks. From a law enforcement standpoint, it is very important that search warrants specify that all data storage devices, including iPods, should be acquired as potential evidence. The iPod might be the sole source of evidence that makes or breaks a case.
Index A Abella, V., 136 access
CD/DVD accessibility problems, 253-254 to computer, 204 eavesdropping on WiFi, 197-201 surfing neighbor's wireless network, 207 to WiFi communications, 203 to WLAN, authentication for, 192-193 access point configuration of, 192-193 for connection to WLAN, 191 privacy and, 193-194 surfing neighbor's wireless network, 207 wardriving and, 201 AccessData Forensic tool kit, 133, 182 Full Tune-Up Kit, 262, 293 accessories cell phone, 107 PDA, 105 active device, 97-98 active memory image, 99 Advanced Encryption Standard (AES), 1211 alternative device collection of evidence from, 10-15 iPod as, 271 America Online (AOL) disc, 250, 257 analysis anti-forensics, 25-26 of enterprise event, 29-31 in handheld forensics, 112 of iPod, 133
in MP3 forensics, 293 overview of, 24-25 phase of digital forensics, 4, 24-34 router forensics, 181-182 of single computer, 27-29 tools for data analysis, 32-34 Anchor Volume Descriptor Pointer (AVDP), 248-249 Andersen, S., 136 Andersen Consulting LLP v. UOP, 199 anti-forensics, 25-26 AOL (America Online) disc, 250, 257 Apple HFS+, Windows FAT32 vs., 127, 128 HFS+ file system, 280 iPod/iTunes, release of, 271 application formats, iPod, 129-130 architecture, router, 176 archives, e-mail e-mail local storage archives, 152-154 e-mail server storage archives, 151-152 forensic acquisition, 157-158 ingredients of e-mail, 154-157 local e-mail archives, processing, 158-166 types of, 150-151 ASCII, 250 ATA Packet Interface (ATAPI), 233 ATMs (automatic teller machines), 11 attachments, e-mail, 156-157 Attack Vector tool, 123 attacks on network, 186 on routers, 178-181, 187 attrib command, 174 authentication
in 802.11, 192-193 of evidence, 79-80 automatic teller machines (ATMs), 11 AVDP (Anchor Volume Descriptor Pointer), 248-249 Ayers, P,.., 124
B backups, recovery of, 10 bandwidth, 175 batch number, CD, 213, 214 Battery Status, of Blackberry, 123 BCC (Blind Carbon Copy), 149 BellSouth Intelligent Wireless Network, 120 Best Practices, for digital forensics, 2-3 binary, analysis of, 27-28 binary image, 254-256 BINHEX, 156 biological evidence, 101 bitstream copy, 5 bitstream image, 99 Blackbag Technologies' Macintosh forensic software (MFS), 133 Blackberry (RIM) device attacking, 123 forensics, 121-123, 144-145 operating system of, 120 operation/security of, 120 PDA vs., 146 securing, 124 security for stored data, 121 Blackberry (RIM) Signing Authority Tool, 124 Blackberry (RIM) Software Development Kit (SDK), 123 Blackberry Attack Toolkit, 123 Blackberry Serial Protocol, 120 Black's Law Dictionary, 43-44
Blind Carbon Copy (BCC), 149 block size, 275 Bloombecker, Buck, 64 Bluetooth, 110 body, e-mail, 156 boot El Torito for boot from CD-ROM discs, 251-252 process, controlled, 69 booting catalog, 251 border zone, 220 Bradley International Airport, CT, 190 broadcast traffic, 187 BTK killer, 27 buffing tools, 266 business card discs, 214
C cables cellular, seizure of, 107-108 for forensic data connection, 110-111 labeling of, 51 for router forensics, 183 California v. Ciraolo, 201 Carbon Copy (CC), 149 care of CDs/DVDs, 257-259 cleaning of discs, 264-266 Carrier, Brian, 47,293 CAV (Constant Angular Velocity), 233 CC (Carbon Copy), 149 CD Audio, 222-223 CD Text, Philips, 221,224, 238 CD Text, Sony, 222,238 CD+G, 224, 241 CD-DA, 222-223 CD/DVD CD-R dyes, 217-219
CD-ROM drive, 230-233 CD-ROM manufacturing process, 228-230 colors, 215-217 differences between, 226-228 disc accessibility problems, 253-254 drive firmware, 234-235 external interfaces, 233-234 features of, 212-214 information storage on, 219-220 logical file systems, 237-252 physical characteristics of, 210-212 R-W subchannels, 224-226 sectors, 222-224 sizes/shapes of, 214 space allocation by file systems, 252-253 terminology, 220-222 types of, 215 writing to, 235-237 CD/DVD forensics collection of evidence from, 256-260 disc triage, 264-268 forensic binary images, 254-256 forensic hardware, 261-262 forensic software, 262 forensic workstation, 262-263 validation of writer, 263-264 CD/DVD Inspector for binary image of disc, 256 CD/DVD examination with, 265 for CD/DVD forensics, 262 disc accessibility problems, 253 R through W subchannel and, 225 validation before CD/DVD forensics, 263-264 CD-R color of, 215-216 construction of, 211 dyes, 217-219 CD-ROM disc
boot from, 251-252 construction of, 211 manufacturing process, 228-230 CD-ROM drive drive firmware, 234-235 external interfaces, 233-234 inside mechanism, 230-233 CD-ROM Mode 1, 223 CD-RW choice of, 215 color of, 216 construction of, 211 CD-RW drive, 261 cellular industry, 195 cellular phone digital forensics of, 3 evidence collection/handling, 11-12, 106-108 first response cards, 103-104 forensic data connection, 110-111 forensics handling of, 106-108 handheld forensics issues, 94 monitoring/scanning transmissions, 196-197 CFAA (Computer Fraud and Abuse Act), 200-201, 204 chain of custody, 172, 182 child pornography case, 270 Ciraolo, California v., 201 CIRC (Cross-Interleaved Reed-Solomon Code), 227 Cisco routers, 182-183 cleaning, of discs, 261-262, 264-266 clock, of iPod, 139 CLV (Constant Linear Velocity), 233 collection alternative media, 10-15 of Blackberry information, 121-122 in CD/DVD forensics, 256-260 description of, 5
digital evidence requirements, 6-7 handheld forensics, 100-108 hardware documentation difficulties, 15-16 hashes, 6 in iPod forensics, 130-131 memory acquisition/analysis, 19-21 from NAS, 18 in PDA forensics, 115, 116 phase of digital forensics, 4, 5-21 preparation for, 8-10 from RAID, 17 from SAN, 18 from virtual machines, 19 See also digital information, seizure of collimator lens, 231 colors, of CD/DVD, 215-217 common carrier, 199 Communications Act of 1934, 196, 203-204 Comp USA, 190 Compact Disc. See CD/DVD compromises, 184 computer forensics, evolution of, 2-3 Computer Fraud and Abuse Act (CFAA), 200-201,204 computer trespasser, 198 computers as evidence, 43 information from running, 70-71 stolen, 91 connection, 110-111 Constant Angular Velocity (CAV), 233 Constant Linear Velocity (CLV), 233 convergence, of routing tables, 178 copy protection, 126 copying, 72-73 cost, 175 cover art, 292 cracked disc, 266-267
cradle, 117-118 crime scene, digital, 50-51, 78-79 criminal procedures, 42 Cross-Interleaved Reed-Solomon Code (CIRC), 227 cyanine organic dye, 217, 218
D Dartmouth College, 190 data carving, 29 connection, 110-112 push, 121 storage on alternative media, 11 See also digital forensics data objects defined, 88 description of, 81-82 as evidence, 44 location of evidentiary, 69-70 on-scene imaging of, 73-75 database, 32-33 DCFLDD command, 273 dd command, 141, 273, 275-277 DDoS (Distributed Denial-of-Service) attacks, 180 Defiler's Toolkit, 26 delay metric, 175 deleted data analysis of, 28-29 deleted e-mail recovery, 168-169 in e-mail archive, 158, 160 iPod and, 138-139 UDF file system and, 249 Denial-of-Service (DoS) attacks, 178, 179-180 descriptors, 248 Device Status, 123
devices, alternative, 10-15 digital evidence. See evidence, digital digital forensics analysis, 24-34 collection, 5-21 computer forensics, evolution of, 2-3 definition of, 2 examination, 21-24 Faraday device, 4 handheld forensics, 94 overview of, 36-37 phases of, 4-5 procedures/methodology for, 38 reporting, 34-35 digital information, seizure of best method for, 81-82, 90 digital evidence defined, 43-46 digital evidence, options for, 62-77 digital evidence seizure methodology, 46-54 evidence, options for seizing, 62-77 evidence seizure, common procedures, 78-80 hardware seizure, factors limiting, 54-62 media identification, 50 methodology overview, 48-49 overview of, 40-42, 83-85 physical media prioritization, 50-51 seizure method, determining, 81-82 shutdown/boot process procedures, 52-54 of storage devices/media, 51-52 digital media player. See iPod; MP3 forensics Digital Versatile Disc (DVD), 211-212 See also CD/DVD digital video recorder (DVR), 14 Dijkstra algorithms, 177 Direct Sequence Spread Spectrum (DSSS), 197
directories, iPod, 282-288 directory entry, 242 disassembly, of iPod, 133-134 "disc swap" technique, 267-268 disc triage, 264-268 disc-at-once, 235, 236 disk encryption, 55-56 DiskInternals Music Recovery, 140 distance metric, 175 Distributed Denial-of-Service (DDoS) attacks, 180 documentation in digital evidence collection, 50, 78 of discs, 259-260 hardware documentation difficulties, 15-16 in PDA forensics, 115, 116-117 for router forensics, 182, 183-184 DoS (Denial-of-Service) attacks, 178, 179-180 drive adapters, 10 drive firmware, 234-235 drive formats, 127, 128 drives, for data collection, 8-9 DSSS (Direct Sequence Spread Spectrum), 197 dual boot, iPod, 129 DVD writer, 234-235, 261 DVD+R, 215, 216 DVD+RW, 216 DVD-R, 215, 216 DVD-RW, 216 DVR (digital video recorder), 14 dyes of CD-R discs, 217-219 colors of CDs/DVDs, 215-217 dynamic events, 42 dynamic routing, 176-177
E eavesdropping legality of interception of WiFi, 208 scanning RF, 196-197 on WiFi, 197-201 on WiFi, legal issues, 203-205 ECC (Error Correction Code), 224 ECMA (European Computer Manufacturer's Association), 241 EDC (Error Detection Code), 224 Eight into Fourteen Modulation (EFM), 220 El Torito, 251-252 electronic communication, 198-199 Electronic Communications Privacy Act (ECPA), 198-199, 207 E-Mail Archive Card, 153-154 e-mail archives, 158-166 acquisition of Outlook PST file, 158 MS Outlook for Outlook Express files, 162-163 OnTrack PowerControls, 164-166 processing with E-Mail Examiner, 159-161 server level archives, 163-164 E-Mail Examiner, 159-161 e-mail forensics analysis of e-mail, 29 archive types, 150-151 e-mail components, 154-157 e-mail terminology, 148-150 examination tools, 157-158 functions of e-mail, 150 local level archives, 152-154 local mail archives, processing, 158-166 NEMX for, 166-169 server storage archives, 151-152 EnCase. See Guidance Software EnCase encoding CD/DVD, 220
e-mail, 156 encryption Blackberry wireless security, 120 for eavesdropping protection, 198 evidence collection and, 55-56 examination of system with full disk encryption, 23-24 WiFi privacy with, 202,203 for WLAN, 192, 193-194 energy transfer, 210 Enhanced SMTP (ESMTP), 149 enterprise event, 30-31 entertainment systems, 11 Error Correction Code (ECC), 224 Error Detection Code (EDC), 224 escalation of privilege, 173 EseUtil.exe, 164 Ethernet, 190-191 Eudora, 169 European Computer Manufacturer's Association (ECMA), 241 evidence, digital collection in handheld forensics, 100-108 collection of CD/DVD evidence, 256-260 defined, 43-46 hardware seizure, factors limiting, 54-62 information from running computer, 70-71 iPod imaging and, 272-273 MP3 forensics, 281-292 on-scene imaging of finite data objects, 73-75 on-scene imaging of information, 72-73 on-scene information, previewing, 69-70 options for seizing, 89 overview of, 88-89 preservation in handheld forensics, 98, 108-110
requirements of, 3, 6-7 seizure, common procedures, 78-80, 89-90 seizure, common threads within, 78-80 seizure example, 66-69 seizure method, determining, 81-82 seizure methodology, 46-54, 89 seizure options, 62-65 tools for collection, 76-77 victim, responding to, 65-66 volatile, router forensics and, 182-183 Evidence Eliminator, 26 examination alternative forensics processes, 24 of CD/DVD, 260-268 description of, 21 full disk encryption issues, 23-24 in handheld forensics, 112 hash sets, utility of, 22 in PDA forensics, 115 phase of digital forensics, 4 Exchangeable Image File Format (EXIF), 27 expansion card, 118 expansion sleeve, 118 extensions, of Rock Ridge file system, 245-246 external interfaces, CD/DVD, 233-234
F F## directories, 285, 287, 290-291 Faraday device cellular phone and, 3 for collection from cell phones/PDAs, 12 for control of wireless access to cell phone, 106 function of, 4 for handheld device maintenance, 109
fast forensics, 24 FAT, 252 FAT32 Apple HFS+ vs., 127, 128 for iPod, 280 father disc, 229 FATs (File Allocation Tables), 237 FCRP (Federal Rules of Criminal Procedure), 44-45 fdisk output, 273-274 Federal Communications Commission (FCC), 195 Federal Rules of Criminal Procedure (FCRP), 44-45 Federal Rules of Evidence (FRE), 44-45 FHSS (Frequency Hopping Spread Spectrum), 197 fiber-channel SAN, 18 Fifth Generation iPod, 125 File Allocation Tables (FATs), 237 file attributes, 173-174 file extensions, 289 file formats, 126 file names HFS, 250 HFS+, 251 ISO-9660, 243 UDF, 247 file system of handheld devices/hard drives, 96-97 of iPod, 271, 280 iPod forensics tools and, 293 purpose of, 237 See also logical file systems file types, supported by iPod, 280 files deletion/slack space, 41 hiding, 173-174 file-transferring networks, 271 fingerprint evidence, 258, 259-260
301
FireWire
  CD/DVD external interfaces, 233, 234
  iPod generations and, 125
firmware, drive, 234-235
First Generation iPod, 125
first responders
  cellular phone handling, 106-108
  handheld forensics, 102-104
  overview of, 61-62
  PDA handling, 104-106
first response cards, 102-104
flash memory
  collection of evidence from, 12-13
  of iPod Nano/Shuffle, 125-126, 279-280
floppy disk
  boot from, 251, 252
  controllers, 234
floppy drives, 52
flow chart, 35
footers, 29
forensic analysis programs, 43-44
forensic binary images, 254-256
forensic data connection, 110-111
Forensic Examination of Digital Evidence: A Guide for Law Enforcement (National Institute of Justice), 69
forensic image, 5
forensic preview software, 69-70
Forensic Talon, Logicube, 272
Forensic Toolkit (FTK), AccessData, 133, 262, 293
Forensic Toolkit, 182
Formazan dye, 218, 219
Ft. Lauderdale Airport, FL, 190
Fourth Amendment, 197, 201-202
Fourth Generation iPod, 125
fragmentation
  in HFS, 250
  in ISO-9660 file system, 243
  in UDF, 248, 249
FRE (Federal Rules of Evidence), 44-45
Free Mem, 123
frequency, 195
  See also radio frequency
Frequency Hopping Spread Spectrum (FHSS), 197
full disk encryption, 23-24
full erase, 236

G
gaming machines, 13-14
Gilder, G., 57
glass master disc, 228-229
Global Positioning System (GPS), 14
Gnutella, 271
Granderson, United States v., 202
GREP, 32
Guidance Software EnCase
  for CD/DVD forensics, 262
  features of, 119
  with iPod, 136
  for iPod forensics, 293
  for PDA forensics, 146
  for router forensics log, 182

H
hacking
  process, 172-174
  router, 178-181, 187
  tools for MP3 forensics, 280-281
handheld forensics
  analysis, reporting, 112
  Blackberry forensics, 120-124
  cellular handling, 106-108
  digital forensics, 94
  evidence collection, 100-102
  evidence preservation, 108-110
  first responder, 102-104
  forensic data connection, 110-112
  foundation of, 95-99
  impact of, 95
  iPod forensics, 124-141
  PDA, 114-119
  PDA handling, 104-106
hard drive
  data collection from RAID, SAN, NAS devices, 17-18
  file system of, 96-97, 237
  forensic binary image of, 254-255
  with full disk encryption, 23-24
  of iPod, removal of, 273
  storage capacity of, 98-99
hard drive interfaces, 10
hardware
  for CD/DVD forensics, 261-262
  for data collection, 8-10
  documentation difficulties, 15-16
hardware seizure
  disk encryption, 55-56
  first responders, 61-62
  lab analysis delays, 57-58
  media size, 54-55
  overview of, 54, 89
  privacy concerns, 56-57
  stolen hardware, 91
  technical staff requirements, 58-60
hardware-based imaging solutions, 8
hash sets, 22
hash values, 256
hashes
  in digital evidence collection, 72-73
  e-mail archive forensics and, 154
  e-mail forensic tools and, 157
  handheld device verification, 110
  iPod imaging, 272-279
  overview of, 6
  unaltered data collection, 5
hazardous substances, 260
header, e-mail, 155-156
headers, 29
heat, 210, 259
Helix, 76
HELO, 149-150
hex editor, 2
HFS
  characteristics of, 249-251
  description of, 249-251
  file systems for CDs/DVDs, 240
  for Macintosh platform, 237, 239
  space allocation by, 253
HFS+
  features of, 251
  file names with, 250
  file systems for CDs/DVDs, 240
  iPod forensics tools and, 293
  iPod's use of, 280
  for Macintosh platform, 239
  space allocation by, 253
High Sierra Group (HSG) file system, 238, 239, 241
hijack, 123
hit-and-run attacks, 181
hop count, 177
host bus adapter (HBA), 18
hub labels, 259-260
Hypertext Transfer Protocol (HTTP), 149

I
ICAC (Internet Crimes Against Children), 74
ICMP (Internet Control Message Protocol), 179, 180
ICS (Intelligent Computing Solutions), Solo III, 272
identification
  of digital media, 50
  in PDA forensics, 115, 116
IEEE (Institute of Electrical and Electronics Engineers), 190-191
IEEE 802.11 standard
  authentication in, 192-193
  eavesdropping on WiFi and, 199
  overview of, 191
  privacy in, 193-194
  privacy of WiFi transmissions, 203-205
  protocols and security, 197
  standards of, 195
IEEE 802.11a standard, 195
IEEE 802.11b standard, 195
IEEE 802.11g standard, 195
IEEE 802.3 standard, 190-191
ILook Investigator, 262
ImageMASSter, 76
imaging
  Blackberry forensics, 122, 123
  copying/hashes vs., 72-73
  finite data objects on-scene, 73-75
  hard drive forensics/handheld forensics, 99
  iPod, hardware vs. nonhardware, 273-279
  iPod forensics, 131, 141
  MP3 forensics, 272-273
IMAP (Internet Message Access Protocol), 148
incident response
  categories of, 184
  process, 187
incremental recording (packet writing), 235-236, 247
InfinaDyne, 268
  See also CD/DVD Inspector
Infonetics Research, 190
information hiding, 124
information storage, 219-220
infrared (IR), 191, 210
input device, PDA, 114
Institute of Electrical and Electronics Engineers (IEEE), 190-191
Intelligent Computing Solutions (ICS), Solo III, 272
interfaces, external, 233-234
International Standards Organization (ISO), 241
Internet Control Message Protocol (ICMP), 179, 180
Internet Crimes Against Children (ICAC), 74
Internet Message Access Protocol (IMAP), 148
intrusion process, 172-173
IP address, 175, 176
iPod
  application formats, 129-130
  deleted files, 138-139
  drive formats of, 128
  family/generations of, 124-126
  features of, 126
  forensic investigation of, 130-136
  generations of, 279-280
  Linux and, 138
  misuse of, 130
  as operating system, 127-128
  pod slurping, 11
  registry key with USB/FireWire serial number, 139
  system partition of, 128-129
  time issues, 139
  tools, 140-141
  user accounts, 138
  Windows and, 136-137
iPod forensics
  analysis tools, 293
  evidence, normal vs. not normal, 281-292
  file systems, 280
  "hacking tools", 280-281
  imaging, hardware vs. nonhardware, 273-279
  imaging, hashing, 272-273
  iPod for storage, 270
  MP3 technology, development of, 270-271
  search warrant, 294
  static file systems of iPod, 271
  types of iPods, 279-280
iPod Mini
  description of, 125
  features of, 279
iPod Nano
  description of, 125-126
  directory structure of, 281-283
  features of, 279
iPod Shuffle
  description of, 126
  features of, 279-280
  as hacking tool, 280-281
  iTunesSD file of, 284-285
iPod_Control directory, 285-286
\iPod_Control\Device\SysInfo file, 139
\iPod_Control\iTunes\DeviceInfo file, 139
iPodLinux
  description of, 127
  System Partition and, 128-129
IR (infrared), 191, 210
IrDA, 110
iSCSI SAN, 18
ISM band, 195, 197
ISO (International Standards Organization), 241
ISO-9660
  description of, 241-243
  disc accessibility problems, 253-254
  file systems for CDs/DVDs, 239
  history of, 238-239
  space allocation by, 252
  standard file system for CDs, 237
iTunes
  creation of, 271
  evidence in, 290
  features of, 126
  iPod registry key and, 139
  setupapi.log and, 137
iTunesDB file, 283-284
Ivory soap, 261, 264

J
Jansen, W., 124
Joliet file system
  description of, 243-244
  disc accessibility problems, 253-254
  features of, 239
  file systems for CDs/DVDs, 240
  space allocation by, 252

K
Katz v. United States, 201
Kern, Benjamin D., 200
Knotts, United States v., 202

L
labels
  on discs, 258, 259
  for documentation of disc, 259-260
laboratory analysis, 57-58
LAN (local area network), 190
lands
  CD/DVD differences in, 227
  CD-ROM drive and, 233
  information storage on CDs/DVDs, 219-220
laptop, 190
laser
  CD-ROM manufacturing process, 228-230
  writing to CD/DVD, 235-236
laser beam recorder, 228-230
laser diode, 231
law enforcement
  computer skills of personnel, 61-62
  digital forensics by, 2
  expectation of privacy in WLANs, 201-202
lead in, 221
lead out, 221
legal issues
  eavesdropping on WiFi, 197-201
  Fourth Amendment expectation of privacy in WLANs, 201-202
  regulation of RF, 195
  of scanning frequencies, 196-197
  WiFi, unique situation of, 203-204
legal recommendations, 42
light, 219-220, 259
link state routing protocol, 177
Linux
  for digital forensics, 9
  iPod forensics and, 138, 289
  iPod imaging with, 273-279
  rapid power loss and, 53
live system image, 23
live system information, 9
load metric, 175
local area network (LAN), 190
local storage archives
  e-mail, 150-151
  e-mail forensics, 152-154
  processing, 158-166
log
  of Blackberry, collection of, 122-123
  for data collection, 8
  for router forensics, 182
Logicube's Forensic Talon, 272
logical file systems, 237-252
  on CDs/DVDs, list of, 239-240
  disc accessibility problems and, 253-254
  El Torito, 251-252
  HFS, 249-251
  HFS+, 251
  HSG, 241
  ISO-9660, 241-243
  Joliet, 243-244
  overview of, 237-239
  Red Book Audio, 240-241
  Rock Ridge, 244-247
  space allocation by, 252-253
  UDF, 247-249
logical image, 272
Lotus Notes, 152

M
MAC address, 192
Macintosh forensic software (MFS), BlackBag Technologies, 133
Macintosh platform
  for digital forensics, 9
  file systems for CDs/DVDs, 237, 239
  Windows vs., 127, 128
magnetic fields, 210
mailbox archive, e-mail, 155
malware, 27-28
MAPI (Messaging Application Program Interface), 148-149
marking, discs, 258-259
Master Directory Block, 250, 251
MD5 hash, 73, 274-275
MD5 signature, 263-264
md5sum, 272, 274-275
media, optical, 69
media, physical
  crime scene prioritization of, 50-51
  seizure of, 51-52
  size restrictions in evidence collection, 54-55
media card, of handheld device, 101
Media Sciences, 266
memory acquisition/analysis, 19-21
memory devices, 116
message, e-mail component, 155-157
Messaging Application Program Interface (MAPI), 148-149
metadata, 27
metalized glass master, 229
metallic alloy, 219
Metasploit, 26, 280-281
MFS (Macintosh forensic software), BlackBag Technologies, 133
microprocessor, of PDA, 114
Microsoft Outlook Express files, 162-163
Microsoft Outlook PST file
  acquisition of, 158
  deleted e-mail recovery, 169
  E-Mail Examiner for processing, 159-161
Microsoft Windows
  FAT32 file system, 280
  file systems for CDs/DVDs, 238
  iPod and, 136-137, 272-273
  Mac vs., 127, 128
  memory acquisition/analysis, 20
Microsoft Windows Vista, 55
MIDI files, 126
MIME (Multipurpose Internet Mail Extensions), 156
mkisofs tool, 244, 254
mobile device. See handheld forensics
mobile phone. See cellular phone
Mobitex2 Radio Status, 123
Mojopac, 281
Moore, Robert, 53
mother disc, 229
MP3 forensics
  analysis tools, 293
  collection of evidence, 11
  evidence, normal vs. not normal, 281-292
  file systems, 280
  "hacking tools", 280-281
  imaging, hardware vs. nonhardware, 273-279
  imaging, hashing, 272-273
  iPod for storage, 270
  MP3 technology, development of, 270-271
  search warrant, 294
  static file systems of iPod, 271
  types of iPods, 279-280
  See also iPod
MP3 format, 270-271
MS Exchange
  corruption of archives, 164
  e-mail forensics, 151-152
  NEMX for processing archives, 166-169
  OnTrack PowerControls for processing, 164-166
Multipurpose Internet Mail Extensions (MIME), 156
multi-session disc, 261
multi-session HFS disc, 250
Music Recovery, DiskInternals, 140-141
MythTV system, 14

N
Napster, 271
NAS (Network Attached Storage) devices, 17, 18
National Institute of Standards and Technology (NIST), 77, 124
NEMX (Network E-mail Examiner), 166-169
network
  archives, deleted e-mail recovery, 169
  attacks on, 186
  connection, data collection via, 7
  documentation of, 16
  routers of, 175
Network Attached Storage (NAS) devices, 17, 18
Network E-mail Examiner (NEMX), 166-169
network forensics
  definition of, 172
  hacking process, 172
  importance of, 186
  intrusion process, 172-173
  overview of, 185
  searching for evidence, 173-174
network interface card (NIC), 192
network layer, 174-175
New Technology File System (NTFS), 237, 252
Ngwguard.db, 152
NIC (network interface card), 192
NIJ First Responders Guide (National Institute of Justice), 47
Nintendo Forensics, 21
NIST (National Institute of Standards and Technology), 77, 124
*nix base system, 9
*nix systems, 20
Nolan, Joseph R., 43
Novell GroupWise, 152
NTFS (New Technology File System), 237, 252
NVRAM, 182-183

O
"off" state, 117, 122
officer safety, 260
"on" state, 117, 122
on-scene investigation
  information imaging, 72-73
  information preview, 69-70
OnTrack PowerControls, 164-166
Open Shortest Path First (OSPF), 177
Open System Authentication, 193
operating system
  of Blackberry, 120
  of iPod, 128-129
  iPod as, 127-128
  iPod imaging with Linux, 273-279
  of PDA, 114, 116
optical media, 69
Optical Storage Technology Association, 247
OSPF (Open Shortest Path First), 177
Outlook. See Microsoft Outlook Express files; Microsoft Outlook PST file

P
packet writing (incremental recording), 235-236, 247
PACKS, 224-225
Palm OS PDA
  file system of, 96
  PDA Seizure for, 119
Panera Bread, 190
Paraben Corporation
  E-Mail Archive Card, 153-154
  E-mail Examiner, 29, 159-161
  first response cards from, 104
  Network E-mail Examiner, 166-169
  P2, 293
Partition Maps, 250
partitions
  file systems for CDs/DVDs and, 238
  of iPod, 132, 289
passwords
  for Blackberry, 121, 122, 124
  examination of TPM drive, 23-24
path table, 242
PBX system, 14-15
PDA (Personal Digital Assistant)
  components of, 114
  evidence collection/handling, 11-12, 104-106
  file system of, 96
  first response cards, 102-103
  forensic investigation, first step of, 146
  forensic tools, 119
  forensics, 114-117, 143-144
  forensics handling of, 104-106
  handheld forensics issues, 94
  investigative tips, 117-118
  iPod as, 126
  mishandling, impact of, 118
PDA Secure, 119
PDA Seizure, 119
pens, 258-259
persistent attacks, 181
Personal Digital Assistant. See PDA
personnel
  certification of, 90-91
  digital evidence seizure, 46-47
  skilled, time management of, 58-60
Pew Internet and American Life Project, 148
Philips CD Text, 221, 224, 238
photodetector, 231
photographs, 16, 292
phthalocyanine dye, 217, 218
physical disks, 10
physical image, 272
physical partition, 132
Pioneer DVD writer, 256
pits
  CD/DVD differences in, 227
  CD-ROM drive and, 233
  information storage on CDs/DVDs, 219-220
Plextor 12x writers, 261
Pocket PC, 119
pod slurping, 11, 281
podzilla, 127
podzilla 2, 127
polarizing beam splitter, 231
portable music player. See iPod; MP3 forensics
Portable Operating System Interface (POSIX), 244-247
Post Office Protocol 3 (POP3), 149
power supply
  Blackberry examination and, 121
  for cellular device, 106
  for handheld device, 104-105
  for iPod, 131
  for PDA, 116, 117
PPA (Privacy Protection Act), 56-57
pre-groove, 228-230
preparation, for collection, 8-10
preservation, of evidence, 98, 108-110
privacy
  in 802.11, 193-194
  Fourth Amendment expectation of privacy in WLANs, 201-202
  scanning frequencies and, 196-197
Privacy Protection Act (PPA), 56-57
PRIV.EDB file, 166-168
Profile String log, 122
profiling, 123
programs, forensic analysis, 43-44
PST Converter, 159-160
PST file. See Microsoft Outlook PST file
pull-the-plug, 52-54
Q
quick erase, 236

R
Rader, Dennis, 27
radio frequency (RF)
  802.11 standard and, 191
  spectrum, regulation of, 195
  spectrum, scanning, 196-197
  transmissions, privacy control and, 193-194
Radio Status log, 122
RAID (Redundant Array of Independent Disks), 17-18
RAM
  obtaining information from, 70-71
  router volatile evidence, 182-183
rapid power loss, 52-54
Recover My iPod tool, 140-141
recovery, of deleted e-mail, 168-169
Red Book Audio
  description of, 240-241
  file systems for CDs/DVDs, 239
  forensic binary image of CD, 255
RegEdit utility, 174
Redundant Array of Independent Disks (RAID), 17-18
Reed-Solomon Product Code (RS-PC), 227-228
reflector, 265, 266
registry key
  iPod forensics in Windows, 136-137
  with iPod USB/FireWire serial number, 139
  write blocking USB device, 279
reliability metric, 175-176
reporting
  documentation in PDA forensics, 115
  in handheld forensics, 112
  overview of, 34-35
  PDA forensics, 117
  phase of digital forensics, 4-5
  in router forensics, 183-184
reproduction, of forensic images, 256
resources
  alternative media forensics, 15
  on digital forensics, 5
  on handheld forensics, 112
  ICAC, 74
  IEEE Web site, 191
  on memory acquisition/analysis, 20
  Recover My iPod link, 140
  slurping, 281
  write blocking USB device, 279
responders, 47-49
  See also first responders
restore process, iPod, 134-135
rewritable media
  CDs/DVDs, 215
  disc swap technique for, 267-268
  information storage on CDs/DVDs, 219-220
  space allocation, 252
  writing to CD/DVD, 236
RF. See radio frequency
RIM Blackberry Message Center, 120
RIM device. See Blackberry (RIM) device
RIP (Routing Information Protocol), 177
Roam and Radio log, 122
Rock Ridge
  description of, 244-247
  file systems for CDs/DVDs, 240
  space allocation by, 252
routable protocols, 176
Router Audit Tool, 179
router forensics
  chain of custody, 182
  commands for, 181-182
  overview of, 185
  planning, 187
  understanding of routers, 172
  volatility of evidence, 182-183
routers
  attacks, 178-181, 187
  definition of, 174
  function/role of, 174-175
  router architecture, 176
  routing protocols, 176-177
  routing tables, 175-176
Routing Information Protocol (RIP), 177
routing protocols, 176-177
routing tables
  convergence of, 178
  information in, 175-176
  poisoning, 180
R-W subchannels, 223, 224-226
RZone, 221

S
safety, handling of discs, 260, 264
Sam Juicer, 26
SAN (Storage Area Networks), 17, 18
SATA drive, 10, 233
scanners, 196
scanning, 196-197
scratch
  on CD, 212
  CD/DVD forensics and, 262, 264, 265
  methods for fixing, 266
scratch filling products, 266
SCSI, 233-234
SD cards, 116
SEARCH, 71
search, 173-174
search warrant, 49, 294
searches, unreasonable, 201
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (Manual), 45-46, 63-64
Second Generation iPod, 125
Secret Service, 57
sectors
  CD/DVD, 222-224
  CD/DVD differences in, 227-228
  definition of, 221
  space allocation by CD/DVD file systems, 252-253
  of UDF, 248
security
  authentication in 802.11, 192-193
  of Blackberry, 120-121, 124
  privacy in 802.11, 193-194
Security Event Management Systems (SEMS), 33-34
SEMS (Security Event Management Systems), 33-34
serial number, 139
server storage archives
  e-mail, 150-152
  Lotus Notes, 152
  MS Exchange, 151-152
  Novell GroupWise, 152
  processing, 163-164
session, 222
setupapi.log, 137
shape, of CD/DVD, 214
Shipley, T., 71
signature analysis tools, 289
silk screened labels, 216
Simple Mail Transfer Protocol (SMTP), 149
single computer, analysis of, 27-29
size, of CD/DVD, 214
slack space, 41
Slacker, 26
sled, 231-232
Sleuth Kit, 133, 293
Slurp, 281
slurping, 11, 281
SMTP (Simple Mail Transfer Protocol), 149
Smurf, 179
snapshot forensics, 99, 110
Snort, 33
software
  for CD/DVD forensics, 262
  for data collection, 9
  for digital forensics, 38
  forensic preview, 69-70
  for HFS CD/DVD forensics, 251
  license for use of, 34
  for WiFi eavesdropping, 197-198
Solo III, ICS, 272
Sony CD Text, 222, 238
Spafford, E., 47
Spectacular Computer Crimes (Bloombecker), 64
spreadsheets, 32
sputtering, 229
SQL database, 33
stacking ring, 214, 257
stampers, 229
state
  Blackberry examination and, 121-122
  iPod forensics and, 130
static device, 97-98
static events, 42
static file system, 271
static routing, 176
Sterling, Bruce, 57
Steve Jackson Games, 57
storage
  Blackberry security for stored data, 121
  capacity of hard drive/handheld device, 98-99
  capacity of iPods, 279
  information storage on CDs/DVDs, 219-220
  iPod for, 270
Storage Area Networks (SAN), 17, 18
storage devices
  collection of evidence from nontraditional devices, 10-15
  seizure of, 51-52
StrongHold box, 109
subchannels, R-W, 223, 224-226
SUSP (System Use Sharing Protocol), 244-247
SYMBOL, 224
SYN flood, 179
system clock, 139
system flow chart, 30-31
System Partition, 128-129
System Use Sharing Protocol (SUSP), 244-247

T
Table of Contents (TOC)
  border zone and, 220
  definition of, 222
  of e-mail archive, 155
  file systems for CDs/DVDs, 238
  forensic binary image of CD, 255
  lead in as container for, 221
  reading, 267
  writing to CD/DVD and, 235
Tableau Forensic USB Bridge, 273
Taiyo Yuden, 217
TCP (Transmission Control Protocol), 180
Telecommunications Act, 199
telephone. See cellular phone
Telephone Disclosure and Dispute Resolution Act, 196, 197
terminology
  CD/DVD, 220-222
  e-mail, 148-149
Tetris, 97
text, in MP3 file, 292
TF extension, 246
TFN (Tribal Flood Network), 180
Third Generation iPod, 125
time
  for data analysis, 25
  iPod issues, 139
time settings, 15-16
timelines, 31, 35, 131-132
timestamp
  CD/DVD forensics and, 263
  of Rock Ridge file system, 246
  with UDF, 248
Timestomp, 26
TiVo, 14
TOC. See Table of Contents
tools
  anti-forensics, 25-26
  for Blackberry forensics, 123, 124
  for collection, 8-10
  for data analysis, 32-34
  for digital evidence collection, 76-77
  for e-mail forensics, 157-158
  for forensics examination, 21
  for handheld forensics, 111-112
  for iPod forensics, 133, 140-141
  for MP3 forensics, 280-281, 293
  Paraben Forensics Email Examiner, 29
  for PDA forensics, 119, 146
  for server level archive processing, 164
  software for digital forensics, 38
TPM (Trusted Platform Module), 23-24, 55
track, 222, 240
track pitch, 227
track-at-once, 235, 236
Transmission Control Protocol (TCP), 180
Transmit/Receive log, 122
Transmogrify, 26
transportation, of disc, 259
Tribal Flood Network (TFN), 180
Trinoo attack, 180
Triple DES (Data Encryption Standard), 120
Trojan defense, 28
Trusted Platform Module (TPM), 23-24, 55
tunnel vision, 7

U
U3 Smart Drives, 13
uClinux, 127-128
UDF
  creation of, 239
  description of, 247-249
  disc accessibility problems, 254
  file system for CDs/DVDs, 237, 240
  space allocation by, 252
UDP, 180
ultraviolet (UV) light, 259
unit control functions, of Blackberry, 123
United States, Katz v., 201
United States v. Granderson, 202
United States v. Knotts, 202
unreasonable searches, 201
UOP v. Andersen Consulting LLP, 199
USB adapter, 272
USB connection
  CD/DVD external interfaces, 233, 234
  iPod generations and, 125
USB tokens, 116
user accounts, iPod, 138
user-recorded discs, 255
USSS Best Practices Guide (USSS), 47
UUCODE, 156
UV (ultraviolet) light, 259

V
victims, 65-66
video formats, 126
virtual machines
  data collection from, 19
  testing in, 28
virtual memory, 10
VMware Disk Mount utility, 19
Voice Over Internet Protocol (VoIP) system, 14-15
volatile data
  on cell phones/PDAs, 11-12
  collection from PDA, 116
  preservation of, 9-10
  router forensics, 182-183
volume descriptor, 242, 244

W
wardriving, 201
water-based markers, 258-259
Web site resources. See resources
web-mail, 153
WEP (Wired Equivalent Privacy), 193-194
whatis.com, 95
WiFi (wireless fidelity)
  access vs. passive listening, 204
  eavesdropping on, 197-201
  Fourth Amendment expectation of privacy in WLANs, 201-202
  legality of interception of, 208
  overview of, 203-204
  proliferation of WiFi devices, 190
  RF spectrum, regulation of, 195
  scanning RF, 196-197
  surfing neighbor's wireless network, 207
  technology, 190-194
WiFi (wireless fidelity) technology, 190-194
  authentication, 192-193
  overview of, 190-191
  privacy, 193-194
  WEP, 194
WiFi Protected Access (WPA), 194
Wikipedia, 127
Window Washer, 26
Windows. See Microsoft Windows
Windows registry, 136-137
Wired Equivalent Privacy (WEP), 193-194
wired network, privacy control in, 193
wireless access, 106-107
wireless card, 191
wireless connection, 118
wireless devices, 105-106
wireless local area networks (WLANs)
  802.11 for, 191
  authentication, 192-193
  eavesdropping on WiFi, 197-201
  Fourth Amendment expectation of privacy in, 201-202
  privacy, 193-194
wireless modem, 120
wireless security, 120
wireless signal, 109
Witty Worm, 19
WMA files, 126
workstation, forensic, 262-263
worms, 19
WPA (WiFi Protected Access), 194
write blocker
  for CD/DVD forensics, 261
  for data preservation, 272
  for iPod imaging, 273
  registry key for write blocking USB device, 279
  unnecessary, 261
write-once media, 215
writer, 263-264
writing
  to CD/DVD, 235-237
  on discs, 258-259

X
XA format, 223

Z
Zoned CAM, 233