Notes: Forensic Soundness, Anti-Forensics, and Acquisition Methods

Forensic Soundness and Anti-Forensics: Key Concepts, Practices, and Implications

  • Forensic soundness principle

    • Core rule: a forensics computer must not be connected to the Internet. If connected, it can be altered and no longer forensically sound.
    • If Internet access occurs, you must wipe the hard drive, reinstall the operating system, reinstall all programs, and reconfigure everything from scratch.
    • Consequences: if a case is active, opposing counsel can move to dismiss due to lack of forensically sound evidence; if closed, they can request reopening with new information, which can complicate outcomes.
    • Practical stance: never let a forensics workstation touch the Internet or be touched by unauthorized personnel.

  • Field-site and lab practices to preserve forensically sound data

    • Field procedure: bring mobile computers; only use these laptops for the acquisition process.
    • Never plug field laptops into the Internet.
    • Process: disconnect the target computer, sandbox it on the examiner’s notebook, and acquire the data using the examiner’s notebook (not the target’s own OS).
    • Rationale: acquire the hard drive directly to ensure integrity of the data and to avoid contamination or modification by the device’s own environment.

  • Anti-forensics: external OS boot and its implications

    • Anti-forensics technique: booting from an external operating system (e.g., via a thumb drive) so the host hard drive is not actively used as the running OS.
    • Result: you are not touching the host hard drive; artifacts (evidence) reside on the external medium, or in RAM, rather than on the host drive.
    • Caveat: even if the external OS is used, the device may still be on a network where the MAC address of the host hardware is visible on the network.
    • MAC address spoofing: attackers can spoof the MAC address to avoid direct attribution, complicating network forensics. Spoofing is possible, so investigators should consider how MAC spoofing affects attribution and traceability.
    • Important distinction: while the external OS approach can hide certain artifacts on the host drive, it does not erase all network-visible identifiers; the hardware MAC may still be detectable, or other artifacts may be left elsewhere.

  • Encryption and the challenge of accessing encrypted evidence

    • Encryption concept: encryption transforms clear text into ciphertext; without the key, the data cannot be used until decrypted.
    • BitLocker (example): can encrypt a file, a folder, or the entire drive. Encryption process: clear text → ciphertext via an encryptor using an encryption key; to recover, ciphertext → plaintext via a decryptor.
    • Key types:
    • Symmetric (single key): same key encrypts and decrypts.
    • Asymmetric (public/private key pair): public key encrypts, private key decrypts. Example: ciphertext C = E{ ext{pub}}(P), ext{ then } P = D{ ext{priv}}(C).
    • For forensics, ciphertext cannot be processed in its encrypted form; you need the clear text to perform analysis.
    • Access strategies when encryption is detected:
    • Live acquisition: capture data while the system is on to obtain clear text in RAM where possible.
    • If you shut the system off and encryption keys are not readily accessible, the data remains encrypted and may be inaccessible.
    • Brute force or guessing keys is often impractical; asking the user for the key is unlikely and not reliable.
    • Live acquisition rationale: if the system is on, RAM may contain plaintext data and keys, which can facilitate timely evidence collection.
    • Caveat: if encryption is actively used, turning off the machine can effectively render the data inaccessible due to encryption. Some systems employ boot-time or pre-boot authentication to prevent access without the key.
    • PointSec example: a full-disk encryption solution that operates in the boot sector and overlays partitions. If no passphrase is entered, the system remains inaccessible and ciphertext persists.
    • Boot-sector overlays: when engaged, partitions are hidden or replaced, blocking standard access to the underlying data.
    • Removing overlays requires the authentication step; otherwise, forensic access is blocked.
    • Practical takeaway: encryption defenses can prevent traditional forensics unless you can access plaintext via memory or obtain decryption keys legally, or use accepted memory-acquisition techniques.

  • Acquisition methods: static vs. live vs. logical

    • Static (physical) acquisition:
    • Remove the physical hard drive from the machine and make a sector-by-sector copy from sector 0 to the end.
    • Pros: yields the entire physical image, preserving all partitions and artifacts regardless of current OS state.
    • Cons: requires the drive to be removed and may be more disruptive in a live environment.
    • Live (dynamic) acquisition:
    • The computer remains powered and running; data is captured from active memory and disk while in use.
    • Pros: can capture data that might be volatile in memory and potentially access unencrypted data in RAM.
    • Cons: may only capture visible partitions (logical view); if partitions are misaligned or hidden, some data may be inaccessible (e.g., only the C: drive is captured in certain configurations).
    • Logical vs physical distinction:
    • Logical (dynamic) acquisition focuses on specific partitions or file systems as mounted by the running OS (e.g., C: drive).
    • Physical (static) acquisition copies the entire drive including all partitions, unmounted areas, and slack space.
    • Decision factors: encryption state, whether the system is live, and the need to preserve the entire physical media versus targeted data.

  • Forensic tools and standard practice references

    • Commonly used toolset discussed: EnCase-based forensic copy concept (referred to as a proprietary EnCase forensic copy in the transcript).
    • Alternate tools exist, but a standard workflow often centers on creating a validated disk image using a trusted forensic suite and verifying integrity with hash values.
    • Image creation objective: produce a forensically sound, verifiable copy that can be analyzed without altering the original evidence.

  • Field and lab workflow: artifacts, integrity, and legal considerations

    • Throughout all steps, maintain chain of custody and verify integrity of images (e.g., hash verification) to ensure admissibility in court.
    • The overarching aim is to prevent any animalistic or careless actions that could render evidence inadmissible due to questions about integrity or authenticity.
    • Ethical and practical implications:
    • Respect privacy and scope of seizure when collecting data.
    • Avoid actions that could inadvertently modify or destroy data.
    • Ensure all procedures comply with applicable laws and rules of evidence.

  • Connections to foundational principles and real-world relevance

    • Core principles align with digital forensics best practices: preserve evidence, avoid contamination, and document every action.
    • Real-world relevance: anti-forensics techniques (external boot, MAC spoofing, encryption) illustrate why examiners must plan for volatile data, encryption, and potential evasion strategies.
    • Understanding of memory forensics is essential when encryption is present, as RAM may contain keys or unencrypted data needed for analysis.

  • Mathematical and logical concepts in encryption and data access

    • Encryption and decryption relationships:
    • Symmetric key example: ciphertext C = E{K}(P), plaintext retrieval P = D{K}(C).
    • Asymmetric key example: public encryptor and private decryptor C = E{ ext{pub}}(P), \, P = D{ ext{priv}}(C).
    • Key types and their implications for data access and trust models:
    • Public-key infrastructure (PKI) enables secure key distribution but raises questions about key management during investigations.
    • Symmetric keys simplify decryption but require secure key storage and control.
    • Data states:
    • Plaintext vs ciphertext state depends on the presence of a valid key and the current power state of the system.
    • RAM is volatile and can contain plaintext or keys during live analysis; disk storage may contain ciphertext if encryption is active.

  • Practical implications and quick takeaways

    • Never connect a forensics workstation to the Internet; the integrity of the evidence and the case depends on it.
    • In fieldwork, isolate and sandbox the target, acquire data with your own equipment, and avoid using the target’s own OS for analysis.
    • Be aware of anti-forensics techniques and plan accordingly (e.g., account for memory-forensics, network identifiers, and potential encryption).
    • When encryption is detected, prioritize live memory acquisition to capture keys and plaintext where possible, while understanding limitations and legal constraints.
    • Understand the trade-offs between static and live acquisitions and choose based on case requirements and the encryption state of the target.

  • Summary of key terms

    • Forensically sound: a state where evidence has not been altered by improper handling or exposure to non-controlled environments.
    • Anti-forensics: techniques used to hinder or conceal forensic analysis (e.g., external OS boot, MAC spoofing, encryption).
    • Live acquisition: data capture while the system is running, often including RAM contents.
    • Static acquisition: offline, physical copy of the entire drive from sector 0 to the end.
    • Logical acquisition: copy of specific partitions or mounted file systems, not the entire disk.
    • BitLocker: Microsoft full-disk/file/folder encryption feature.
    • PointSec: boot-sector-based encryption that overlays partitions and requires a passphrase to unlock; can block forensics unless overlays are removed.
    • ExOne/EnCase forensic copy: a proprietary or standard image copy used in forensics workflows (image creation and validation).

  • Hypothetical scenario highlights

    • Anti-forensics via external OS: If a suspect boots a USB Linux live USB to perform activities while the internal drive remains untouched, the artifacts of activity may reside on the USB or RAM rather than on the hard drive. Investigators must still consider network identifiers and potential traces elsewhere.
    • Encryption and live capture: If BitLocker or PointSec is in use, a live acquisition may capture decrypted data in RAM, but once the system is shut down, encrypted data on disk remains inaccessible without the key.
    • Field-site network risk: Even if the local drive is isolated, the device might connect to a network and expose MAC/IP-level traces; spoofed MAC addresses can complicate attribution during network forensics.

  • Final takeaway

    • The integrity and admissibility of forensic evidence depend on maintaining a forensically sound environment, anticipating anti-forensics, choosing appropriate acquisition methods, and understanding how encryption and memory contents influence data access and analysis.