Digital Forensics

Larry Daniel
Introduction
• A recent research report from The Yankee
Group found that 67.6 percent of US households
in 2002 contained at least one PC
• The investigators foresee three-quarters of all
US households containing PCs by 2007.
Introduction
• The UCLA study found that surprising numbers
of households have more than one PC.
• In cases where more than one PC is present,
the home computers are often networked.
• As of December of 2005, 71.4% of US
households have computers.
Some Famous Criminal Cases
• Scott Peterson
– Internet history showing searches for dump sites.
• Michelle Theer
– Email and other documents. (Over 20 thousand
documents)
• Michael Jackson
– Internet history and Email.
• BTK Killer
– Used to trace letter back to church computer.
Different Sides – Different Roles
• Prosecution Side
– Sworn Law Enforcement Officer
• Writes Search Warrants
• Receives Evidence Computers, etc.
• Acquires Images, Analyzes Data
• Presents findings to Prosecutors and Detectives
• May not be involved again until arrest is made or case goes
to trial.
Different Sides – Different Roles
• Defense Side
– Private Expert
• Receives Evidence from Law Enforcement Agency.
• Consults with Attorney on Relevant Facts
• Active Member of Defense Team
• May Review Other Evidence to Enhance Computer Analysis
• May Interview Defendant
• May Work with Other Experts.
Some Basics
The basic computer looks like these….
Common Misteaks
Calling these monitors, CPUs, Hard Drives, etc.
Monitors
• Newer LCD on Left
• Older Analog CRT on Right
– Nothing is stored in these. They just make pretty pictures.
CPU
• CPU – Central Processing Unit
– Only performs calculations.
– Stores nothing.
– The “brain” of the computer.
Inside The Computer
• The Hard Drive stores the evidence…
Inside The Computer
• Hard drives can hold thousands of
– Documents
– Pictures
– Music files
– Movies
– Passwords
– Emails
Inside The Computer
• RAM – Random Access Memory
– Only contains data while the computer is turned on.
– Temporary processing storage only used while operating the computer.
– Is cleared when the computer shuts down or restarts.
Introduction
• A digital (AKA computer) forensics investigation involves four major areas:
– Acquisition
• Obtaining the original evidence.
– Preservation
• Protecting the original evidence.
– Analysis
• Finding relevant evidence.
– Presentation
• Presenting the evidence in court.
Forensics Tools
– Encase Forensics Software
• Used by NC SBI, FBI, Air Force OSI, Scotland Yard, US
Navy, Fayetteville PD
• Most widely used forensics software in the world.
– Paraben Email Examiner
• Specially designed to recover email.
Acquisition
– First contact with the original evidence.
• Most critical time for protecting the originals.
• Most likely time for police or others to damage or change evidence.
• General rules MUST be followed to preserve and protect evidence during this critical first response period.
• First point in establishing chain of custody.
Digital Evidence
• Location not always obvious.
• Easy to conceal.
• Easy to miss.
• Easy to damage.
Digital Evidence
Hard Drive, CD-ROM, Floppy Disk
Digital Evidence
Picture Phones, Blackberry, iPod
Digital Evidence
USB Drives, Digital Cameras, Smart Media
Acquisition
• First responders should be trained to handle this
type of evidence.
• Digital evidence is fragile.
• Digital evidence is easily altered if not handled
properly.
• Simply turning a computer on or operating the
computer changes and damages evidence.
Fragile Nature of Digital Evidence
• "The problem is the uninitiated police officer who will go in and turn on a computer to look to see if it's worthwhile to send the computer in for examination," said Peter Plummer, assistant attorney general in Michigan's high-tech crime unit.
"When you boot up a computer, several hundred files get changed, the date of access, and so on," Plummer said. "Can you say that computer is still exactly as it was when the bad guy had it last?"
Source: AP Article from Computers Today www.technologysu.com – Email Section
Fragile Nature of Digital Evidence
• The nature of computer based evidence makes it inherently fragile. Data can be erased or changed without a trace, impeding an investigator’s job to find the truth.
• The efforts of first responders are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner.
Source: Preservation of Fragile - Digital Evidence by First Responders - Special Agent Jesse Kornblum -Air Force Office of Special Investigations
Fragile Nature of Digital Evidence
• Fragile data are those things stored on the hard drive but that can be easily altered, especially by a first responder trying to determine if an incident has occurred.
• These could include access dates on files or temporary files. Once these files have been altered by a first responder, there is no way to recover the original data.
Source: Preservation of Fragile - Digital Evidence by First Responders - Special Agent Jesse Kornblum -Air Force Office of Special Investigations
Fragile Nature of Digital Evidence
• The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless.
– Maryland State Police - Criminal Enforcement Command - Computer Crimes Unit
• Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file.
– Computer Forensics, Computer Crime Scene Investigation, 2nd Ed. John R. Vacca
Fragile Nature of Digital Evidence
• The next 3 slides demonstrate what happens when you operate a computer.
– Evidence is modified.
– Evidence is destroyed.
Source: Preservation of Fragile - Digital Evidence by First Responders - Special Agent Jesse Kornblum -Air Force Office of Special Investigations
Files In Original Condition
Files After Opening and Viewing
The last accessed date and time changes any time a file is opened and viewed while the computer is in operation.
Files After Saving
The last written date and time changes any time a file is saved or copied while the computer is in operation.
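The three slides above show the effect with screenshots. As an added example that is not part of the deck, the script below records size, last accessed time, last written time and a SHA-256 hash for every file in a directory, then reports which fields changed after the files are "operated on". The sample files and the temp directory are constructed inside the script; whether viewing a file updates the last accessed time depends on the operating system and mount options, which is why the hash is recorded as well.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash the contents so a change is caught even where timestamps are not updated."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Record size, last accessed, last written and hash for every file under root."""
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        state[str(path.relative_to(root))] = {
            "size": st.st_size,
            "last_accessed": st.st_atime_ns,
            "last_written": st.st_mtime_ns,
            "sha256": sha256_of(path),
        }
    return state

def diff_snapshots(before: dict, after: dict) -> dict:
    """Map each changed file to the fields that differ; flag added and removed files too."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            changes[name] = ["added"]
        elif name not in after:
            changes[name] = ["removed"]
        else:
            fields = [k for k in before[name] if before[name][k] != after[name][k]]
            if fields:
                changes[name] = fields
    return changes

def demo_operating_the_computer() -> dict:
    """Constructed sample: two files; one is viewed, the other is saved with an edit."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_bytes(b"meeting at 9\n")
    (root / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg bytes \xff\xd9")
    before = snapshot(root)
    (root / "photo.jpg").read_bytes()                     # viewing: may update last_accessed (mount-option dependent)
    (root / "notes.txt").write_bytes(b"meeting at 10\n")  # saving: updates last_written, size and hash
    return diff_snapshots(before, snapshot(root))
```

Calling demo_operating_the_computer() returns the diff; for the sample it always lists notes.txt with size and sha256 changed, while photo.jpg appears only if the system updated its access time.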
Seizing Computer Evidence
General Guidelines
General Guidelines for Seizing Computers and Digital Evidence
• Seizing a Stand-Alone Home Computer in a Residence
• If the computer is “powered off”, DO NOT turn it on.
• If the computer is “powered on”, do not allow the suspect or any associate to touch it. Offers to shut the computer down may be a ruse to start a destructive program that may destroy the evidence. This can be done with one keystroke.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence
• Before touching the computer, place an unformatted or blank floppy disk into the floppy disk drive(s), document, videotape and/or photograph the computer system, and write detailed notes about what is on the computer’s screen.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence
• Photograph the back of the computer and everything that is connected to it.
• Photograph and label the back of any computer components with existing connections to the computer.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence
• If you have a computer specialist on the scene, he will have been trained to recognize the operating system and will know the proper way to shut down the computer system without altering files or losing any evidence.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence
• If you do not have a computer specialist on the scene, the safest way to turn off a Windows 98/95/3.1/DOS computer is to pull the plug from the back of the computer. Pulling the plug could severely damage the system, disrupt legitimate business, and create officer and department liability. It is especially important to have a specialist available when dealing with business computers, networked computers and computers based on Macintosh, Windows NT, and Unix/Linux operating systems.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence
• After shutting the computer down and powering the computer off:
• Disconnect all power sources; unplug the power cords from the wall and the back of the computer. Notebook computers may need to have their battery removed.
• Place evidence tape over each drive slot, the power supply connector, and any other opening into the computer. This should include sealing the case itself.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
General Guidelines for Seizing Computers and Digital Evidence
• Only specially trained and qualified Computer Forensic Investigators working in a laboratory setting should analyze computers and other forms of digital evidence.
• The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless.
• The Maryland State Police Computer Forensics Laboratory will not routinely accept digital evidence for analysis if that evidence has been tainted through handling by unqualified personnel.
Source: Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit
Preservation
• Once digital evidence is seized it must be
handled carefully to preserve and protect the
evidence.
– Everything should be tagged.
– No one should operate or preview any evidence on
writable media without proper tools and training.
– Forensically sound copies of all original evidence
must be made before analysis.
– Records must be kept.
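The two preservation rules "forensically sound copies must be made before analysis" and "records must be kept" are usually enforced by hashing. The following script is an added example, not a tool from the deck: it copies an evidence file, proves the copy matches the original by SHA-256, checks the original was not altered by the copy, writes a chain-of-custody record beside the working copy, and can re-verify the copy later. The evidence file, examiner name and tag are constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def custody_record_path(working_copy: Path) -> Path:
    return working_copy.parent / (working_copy.name + ".custody.json")

def make_verified_copy(original: Path, working_copy: Path, examiner: str, tag: str) -> dict:
    """Copy the original, prove the copy matches by hash, then write a custody record."""
    original_hash = sha256_of(original)
    shutil.copyfile(original, working_copy)          # byte-for-byte copy for analysis
    if sha256_of(working_copy) != original_hash:
        working_copy.unlink()
        raise RuntimeError("copy does not match the original; it must not be analyzed")
    if sha256_of(original) != original_hash:         # the acquisition itself must not alter the original
        raise RuntimeError("original changed while being copied")
    record = {
        "evidence_tag": tag, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "original": str(original), "copy": str(working_copy),
        "sha256": original_hash,
    }
    custody_record_path(working_copy).write_text(json.dumps(record, indent=2))
    return record

def verify_copy(working_copy) -> bool:
    """Re-check a working copy against its recorded hash, e.g. before it is used in court."""
    working_copy = Path(working_copy)
    record = json.loads(custody_record_path(working_copy).read_text())
    return sha256_of(working_copy) == record["sha256"]

def demo() -> dict:
    """Constructed sample: a fake 'disk image' in a temp directory, copied and verified."""
    root = Path(tempfile.mkdtemp())
    original = root / "ITEM-001.img"
    original.write_bytes(b"constructed disk image bytes\n" * 1000)
    record = make_verified_copy(original, root / "ITEM-001-working.img", "examiner-placeholder", "ITEM-001")
    record["copy_still_valid"] = verify_copy(record["copy"])
    return record
```

Any later change to the working copy, even a single appended byte, makes verify_copy() return False, which is the point of keeping the hash in the record rather than only in the examiner's head.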
Analysis
• Analysis involves recovering and analyzing
evidence for relevance to the case.
– Accepted tools should be used.
– Search and analysis must be within the scope of the
warrant.
– Bench notes should be kept by the examiner.
What are you looking for?
• E-Mail
• Pictures
• Internet History
• Documents
• Spreadsheets
• Internet Chat Logs
• Financial Data
• PDF Files
• Suspiciously Renamed Files
• Yahoo Messenger, AOL Chat, MSN Messenger, Internet Relay Chat
• Many Others
Hiding The Evidence
• Deleting Files
• Deleting Internet History
• Formatting Drives
• Re-Partitioning Drives
• Physically Destroying Hard Drives and Floppies
• Passwords
• Using On-Line E-Mail
– Hotmail
– Yahoo Mail
• IPods and personal storage devices that can be overlooked.
Recovering The Evidence
• Find Deleted Files
• Un-Format Drives
• Rebuild Partitions
• Recover Passwords
• Find hidden files and folders.
• Re-construct web pages.
• Locate deleted Email
Analysis
• Metadata
– Many types of files contain metadata.
• Metadata is information embedded in the file itself that
contains information about the file.
– Microsoft Office Documents
• Computer name
• Total Edit Time
• Number of editing sessions.
• Where printed.
• Number of times saved.
– Digital camera pictures.
• Make and model of camera
• Dates and times
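Office files store the fields listed above as XML property parts inside the document. The script below is an added example, not from the deck: it reads creator, last-modified-by, created/modified dates, the save counter (cp:revision, the "number of times saved") and accumulated edit minutes (TotalTime, the "total edit time") from a modern OOXML (.docx/.xlsx/.pptx) file using only the standard library. The sample document and its values are constructed in the script, not taken from any case.

```python
import io
import zipfile
import xml.etree.ElementTree as ET   # use defusedxml instead when parsing untrusted evidence
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# field -> (zip member, element); cp:revision counts saves, ep:TotalTime is edit minutes
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "modified": ("docProps/core.xml", "dcterms:modified"),
    "times_saved": ("docProps/core.xml", "cp:revision"),
    "total_edit_minutes": ("docProps/app.xml", "ep:TotalTime"),
    "company": ("docProps/app.xml", "ep:Company"),
}

def office_metadata(document: bytes) -> dict:
    """Return the FIELDS above from an OOXML file held in memory (None when absent)."""
    with zipfile.ZipFile(io.BytesIO(document)) as z:
        wanted = {part for part, _ in FIELDS.values()} & set(z.namelist())
        parts = {part: ET.fromstring(z.read(part)) for part in wanted}
    result = {}
    for key, (part, tag) in FIELDS.items():
        node = parts[part].find(tag, NS) if part in parts else None
        result[key] = node.text if node is not None else None
    return result

# Constructed sample property parts (not from any real case).
CORE_XML = (b'<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            b'<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>OFFICE-PC</cp:lastModifiedBy>'
            b'<dcterms:created>2005-11-02T14:05:00Z</dcterms:created>'
            b'<dcterms:modified>2005-11-03T09:17:00Z</dcterms:modified>'
            b'<cp:revision>7</cp:revision></cp:coreProperties>'
            % (NS["cp"].encode(), NS["dc"].encode(), NS["dcterms"].encode()))
APP_XML = (b'<Properties xmlns="%s"><TotalTime>42</TotalTime><Company>Example Co</Company></Properties>'
           % NS["ep"].encode())

def build_sample_docx(include_app: bool = True) -> bytes:
    """Build a minimal .docx zip (some producers omit app.xml, hence the switch)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        if include_app:
            z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", b"<document/>")  # body content is irrelevant here
    return buf.getvalue()
```

Note that these fields are written by the application and are trivially editable, so they corroborate other evidence rather than prove anything on their own.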
Document Metadata
Picture Metadata
Internet History – Before Clearing
Internet History – After Clearing
Presentation
• Court presentation for a jury must be simple and
straightforward.
– Timelines
– Emails
– Documents
– Pictures
How Computer Evidence is Used
– Verify Alibis
– Establish Relationships Between Defendant and
Victim or Accomplices
– Establish Documentation of Events
– Establish Mitigating Circumstances
– Documents for use by Forensic Psychologists
– Document Time Lines
Discovery
• Officer’s investigator’s notes
• Forensic investigator’s bench notes
• Search warrant
• Forensically sound copies of all imaged media
• Forensics report
Questions?