Basic Forensic Digital Analysis and Investigation Notes

Documenting the Scene

  • Preserve the Area:

    • Maintaining integrity, authenticity, and admissibility of digital evidence in cybercrime cases.
    • Ensuring essential information (metadata, access logs, hidden files) remains intact due to the volatile nature of digital data.
    • Supporting a reliable chain of custody.
    • Aiding in identifying perpetrators and victims.
    • Preventing contamination of evidence.
    • Ensuring compliance with legal standards and international protocols.
  • The Golden Rule in Crime Scene Investigation:

    • Do not contaminate, alter, move, or transfer any object unless properly documented, photographed, and marked.
  • Search Plan:

    • Strip Method
    • Double Strip Method
    • Grid Method
    • Wheel Method
  • Recognition, Collection, and Preservation of Evidence.

  • Ensuring the Protection of All Digital Evidence:

    • Record of the Pieces of Evidence Collected
    • Maintain the Chain of Custody
    • Signed by Witnesses
  • Chain of Custody Form:

    • Essential details include Date/Time, Lab Case #, Submitting/Requesting Agency, Agency Address, Contact Official/Investigator, Agency Case #, Nature of Crime/s, Contact #.
    • Description of Evidence (Manufacturer, Model #, S/N, condition, marks/scratches, distinguishing characteristics, etc.) also required.
    • Items must be signed and dated when received and released, including the reason for the change in custody.

Powered Off Devices

  • Procedure:
    • If a computer/device is powered off, leave it off, tag it, and collect it for transportation to the computer laboratory.

Powered On Devices

  • Procedure:
    • Never turn off a computer/device if it was powered on upon searching the crime scene.
  • Reasoning:
    • RAM (Random Access Memory) will be automatically erased, losing data regarding the offender's recent activity.

Random Access Memory (RAM)

  • Definition:
    • A form of memory that temporarily stores data and instructions the computer needs while it is powered on.
  • Function:
    • Allows the CPU to quickly access information instead of obtaining it from the HDD or SSD.

Incriminating Evidence

  • Searching for Evidence:
    • Do not immediately look for incriminating evidence unless you have the proper warrant in accordance with the rules on cyberwarrants.
  • General Rule:
    • In searching an area with a search warrant, you may only search for and seize the devices as pieces of evidence; searching the content of a device is governed separately by the rules on cyberwarrants.

Switching Off Devices

  • When to Switch Off:
    • Only switch off equipment that is running when you have made sure that this is appropriate, according to the PNP ACG handbook.
  • Example:
    • A document that is open and visible on screen may be encrypted when stored (e.g., password protected); switching the machine off loses the decrypted view and may leave the examiner with only an encrypted file.

Incident Response - 3 Steps

  1. Image RAM
  2. Check for Encryption
  3. Authenticate

Image RAM

  • Data in RAM:
    • Everything done on your computer passes into RAM.
    • A large amount of RAM suggests a lot of data will be present when searching the device, provided it's powered on.
  • Forensic Image:
    • Copying bit-by-bit the content of RAM, as if cloning it.

How to Image RAM (Using FTK Imager)

  1. Open FTK Imager.
  2. Select "Capture Memory".
  3. Set the Destination path and filename for the memory dump.
  4. Choose to include the pagefile (pagefile.sys).
  5. Choose to create an AD1 file (memcapture.ad1).
  6. Click "Capture Memory" to start the process.
  7. Observe the Memory Progress, showing the destination and status.
  8. Once finished, a message "Memory capture finished successfully" will appear.

Alternative Tool: DumpIt

  • A one-click memory dumper.

  • Provides information such as address space size and free space size.

  • Requires confirmation to continue, creating a .raw file.

  • MS-DOS (MICROSOFT DISK OPERATING SYSTEM)

    • A text-based, command-line operating system from the early 1980s that predates Windows; DumpIt runs in a console window (cmd.exe) of the same style rather than a graphical interface.

Magnet AXIOM

  • A forensic platform for examining digital evidence.
  • Allows for filtering and refining results based on artifacts, content types, date/time, etc.
  • Capable of identifying various types of data, including:
    • Potential Browser Activity
    • Cloud Services URLs
    • Facebook URLs
    • Google Analytics URLs
    • Google Maps Queries
    • Google Searches
    • Malware/Phishing URLs
    • Social Media URLs
    • Chat logs
    • Emails
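The categories above are what a tool like AXIOM applies to URLs it carves out of a device. As an added example (not part of these notes and not AXIOM's own code), the script below carves URLs from a text blob, such as the output of `strings` run against a memory capture, and buckets them into those categories, pulling the actual search term out of Google Search and Google Maps URLs. The sample text, the host lists and the tiny "known bad" set are constructed for the example; a real reputation feed would replace the latter.

```python
"""Carve URLs out of text (e.g. `strings memcapture.raw` output) and bucket
them into AXIOM-style artifact categories. Constructed example."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlparse

URL_RE = re.compile(r"https?://[!-~]+")  # printable, non-space run after the scheme

# Host lists are illustrative, not exhaustive.
CLOUD_HOSTS = ("dropbox.com", "drive.google.com", "onedrive.live.com")
SOCIAL_HOSTS = ("twitter.com", "instagram.com", "linkedin.com", "tiktok.com")
KNOWN_BAD_HOSTS = {"phishing.example"}  # constructed stand-in for a reputation feed


def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return (category, detail); detail is the extracted query where the URL has one."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    query = parse_qs(parts.query)  # parse_qs also decodes '+' and %xx
    if host in KNOWN_BAD_HOSTS:
        return "Malware/Phishing URLs", url
    if _host_matches(host, CLOUD_HOSTS):
        return "Cloud Services URLs", host
    if _host_matches(host, ("google-analytics.com",)):
        return "Google Analytics URLs", query.get("tid", [""])[0]
    if _host_matches(host, ("facebook.com", "fb.com")):
        return "Facebook URLs", host
    if _host_matches(host, SOCIAL_HOSTS):
        return "Social Media URLs", host
    if _host_matches(host, ("google.com",)):
        if parts.path.startswith("/search"):
            return "Google Searches", query.get("q", [""])[0]
        if parts.path.startswith("/maps"):
            if "q" in query:
                return "Google Maps Queries", query["q"][0]
            segs = parts.path.split("/")  # /maps/search/<query>/@lat,lon
            if len(segs) > 3 and segs[2] == "search":
                return "Google Maps Queries", unquote_plus(segs[3])
            return "Google Maps Queries", ""
    return "Potential Browser Activity", host


def extract_artifacts(text):
    """Carve every distinct URL from `text` and return [(category, url, detail), ...]."""
    seen, found = set(), []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)\"'")  # punctuation from the surrounding text
        if url in seen:
            continue
        seen.add(url)
        category, detail = classify_url(url)
        found.append((category, url, detail))
    return found


def summarize(artifacts):
    """Count artifacts per category, the way a results filter pane would."""
    return Counter(category for category, _, _ in artifacts)


# Constructed stand-in for `strings` output: URLs mixed with binary noise.
SAMPLE_STRINGS = (
    "\x00\x00https://www.google.com/search?q=how+to+wipe+a+hard+drive&oq=how\x00"
    "MZ\x90\x00https://www.google.com/maps/search/Manila+airport/@14.5,121.0\n"
    "https://www.facebook.com/profile.php?id=123456789\n"
    "https://www.google-analytics.com/collect?v=1&tid=UA-12345-1&dl=https%3A%2F%2Fexample.org\n"
    "https://www.dropbox.com/s/abc123/archive.zip?dl=1\n"
    "https://phishing.example/login.php.\n"
    "https://news.example.org/article\n"
)

if __name__ == "__main__":
    for category, url, detail in extract_artifacts(SAMPLE_STRINGS):
        print(f"{category:28} {detail!r:32} {url}")
    print(summarize(extract_artifacts(SAMPLE_STRINGS)))
```

Order of the checks matters: drive.google.com must be classified as cloud storage before the generic google.com branch sees it, and a reputation hit must win over everything else.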

Remnants of RAM

  • Definition:
    • Copies of RAM contents that Windows writes to disk, so they survive after applications are closed, the user logs off, or the device is powered off (RAM itself retains data only briefly once power is removed).
  • Examples (hidden system files, locked while Windows is running):
    • C:\hiberfil.sys (hibernation file: RAM written to disk when the machine hibernates)
    • C:\pagefile.sys (paging file: memory pages swapped out to disk when RAM is full)
    • C:\Windows\memory.dmp (crash dump written on a blue screen of death)

Integrity of Digital Evidence

  • Imperative:
    • Do not alter digital evidence during imaging, analysis, and custody (Chain of Custody).
  • Write Block Device:
    • A write blocker (forensic disk controller) is needed to keep the integrity of the source drive while it is imaged.
      NB: In imaging RAM you do not need a write block device.

Write Blocker

  • Definition:
    • Any tool that permits READ ONLY ACCESS to data storage devices WITHOUT compromising data integrity.
  • Function:
    • Guarantees the protection of the data chain of custody when used properly.

Encryption Check (Using EDD - Encrypted Disk Detector)

  1. Run EDD.exe.
  2. The tool checks physical drives, logical volumes, and running processes for encryption.
  3. It identifies potential TrueCrypt or PGP encrypted volumes.
  4. The results are displayed, indicating whether encrypted volumes and/or processes were detected.
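What EDD does at the volume level is read the first sector and look for known signatures. As an added example (not part of these notes and not EDD's own code), the script below classifies a volume's first sector: a filesystem signature (NTFS, exFAT, FAT32) means a plaintext volume, a BitLocker or LUKS signature means a known encrypted format, and no signature combined with near-random bytes is reported as a possible TrueCrypt/VeraCrypt volume, because those headers are themselves encrypted and carry no plaintext magic. It also shows the process-name side of the check. The sample sectors, the entropy threshold and the process list are constructed assumptions for the example; LUKS goes beyond the two formats the notes mention.

```python
"""EDD-style check of a volume's first sector and of running process names.
Constructed example; signatures are the standard boot-sector OEM IDs."""
import hashlib
import math
from collections import Counter

SECTOR = 512

# (offset, magic, label): where each format puts its identifier in sector 0.
SIGNATURES = [
    (3, b"-FVE-FS-", "BitLocker"),
    (0, b"LUKS\xba\xbe", "LUKS"),
    (3, b"NTFS    ", "NTFS"),
    (3, b"EXFAT   ", "exFAT"),
    (0x52, b"FAT32   ", "FAT32"),
]
ENTROPY_THRESHOLD = 7.0  # bits/byte; 512 truly random bytes measure about 7.6 (assumed cut-off)
KNOWN_ENCRYPTION_PROCESSES = {"truecrypt.exe", "veracrypt.exe"}  # illustrative list


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0 for a blank sector, ~8 for random bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector):
    """Name the format if a signature matches, otherwise fall back to an entropy heuristic."""
    for offset, magic, label in SIGNATURES:
        if sector[offset:offset + len(magic)] == magic:
            return label
    if shannon_entropy(sector) >= ENTROPY_THRESHOLD:
        return "possible TrueCrypt/VeraCrypt volume (no signature, high entropy)"
    return "no signature, low entropy (blank or unknown)"


def encryption_processes(process_names):
    """Return the running process names that belong to a known encryption tool."""
    return sorted({p.lower() for p in process_names if p.lower() in KNOWN_ENCRYPTION_PROCESSES})


def _boot_sector(oem_offset, magic):
    """Constructed boot sector: jump stub, OEM ID, 0x55AA boot signature."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[oem_offset:oem_offset + len(magic)] = magic
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def _random_sector():
    """Deterministic stand-in for an encrypted header (SHA-256 in counter mode)."""
    return b"".join(hashlib.sha256(b"hdr" + i.to_bytes(4, "big")).digest()
                    for i in range(SECTOR // 32))


SAMPLES = {  # constructed sectors, not captured from real drives
    "ntfs": _boot_sector(3, b"NTFS    "),
    "bitlocker": _boot_sector(3, b"-FVE-FS-"),
    "encrypted": _random_sector(),
    "blank": bytes(SECTOR),
}


def scan_samples():
    return {name: classify_sector(sector) for name, sector in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:10} -> {verdict}")
    print(encryption_processes(["explorer.exe", "VeraCrypt.exe", "notepad.exe"]))
```

The entropy branch is a heuristic, not a proof: a wiped drive overwritten with random data looks the same as an encrypted one, which is why EDD reports such volumes as "potential" and why the process check is run as well.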

Image Hard Drive

  • If the computer/device uses encryption, capture the mounted (unlocked) encrypted drive while the system is still running by performing a live logical image; once the machine is powered off the volume is locked again.
  • Live Logical Image:
    • A forensic copy of selected, active files and folders taken from a running (live) system—not the entire physical drive.

Creating a Disk Image with FTK Imager

  1. Select the source evidence type (Physical Drive, Logical Drive, etc.).
  2. Select the specific drive.
  3. Add an image destination.
  4. Select the image type (Raw (dd), E01, etc.).
  5. Provide evidence item information (case number, evidence number, unique description, examiner, notes).
  6. Select the image destination folder and filename.
  7. Set the image fragment size and compression level.
  8. Start the imaging process.
  9. Verify the image after creation to ensure integrity: FTK Imager re-reads the written image and compares its MD5 and SHA1 hashes with those computed from the source during acquisition.

Authenticate

  • Hash Value:
    • One way to authenticate a piece of digital evidence is by its HASH VALUE, specifically the MD5 and SHA1 hashes recorded at acquisition; the same values recomputed later prove the copy is unchanged.
  • Accuracy:
    • The odds of two persons sharing the same DNA profile are put at about 100,000,000,000,000 (10^14) to 1.
    • An MD5 hash has 340,000,000,000,000,000,000,000,000,000,000,000,000 (2^128, about 3.4 × 10^38) possible values, so the chance of two different files matching by accident is negligible.
  • Caveat:
    • MD5 and SHA1 are both subject to practical collision attacks (two different files can be deliberately crafted to share a hash), so record SHA-256 alongside them; the MD5/SHA1 pair still detects accidental or careless alteration.
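Hashing at acquisition, the chain of custody form, and the post-imaging verification step all come together in one routine. As an added example (not part of these notes and not FTK Imager's code), the script below hashes an image file with MD5, SHA1 and SHA-256 in a single pass, records the digests in a custody record modelled on the form described earlier, and re-hashes the image at every transfer so the receiving party can refuse to sign for an altered copy. The case numbers, names and the 1 MiB "image" are constructed for the example.

```python
"""Acquisition hashes plus a custody log that re-verifies the image at each
transfer. Constructed example; case identifiers are hypothetical."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

# md5/sha1 match what FTK Imager records; sha256 is added because both are collision-prone.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in one read of the file, chunked for large images."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class ChainOfCustody:
    lab_case: str
    agency_case: str
    description: str          # manufacturer, model, S/N, condition, marks
    acquisition_hashes: dict  # digests recorded when the image was made
    transfers: list = field(default_factory=list)

    def transfer(self, released_by, received_by, reason, image_path):
        """Log a change of custody; True only if the image still matches the acquisition digests."""
        current = hash_file(image_path)
        intact = current == self.acquisition_hashes
        self.transfers.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "released_by": released_by,
            "received_by": received_by,
            "reason": reason,
            "sha256": current["sha256"],
            "hashes_match": intact,
        })
        return intact


def demo():
    """Constructed walk-through: fake image, one clean transfer, then a one-bit change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "memcapture.raw")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)  # 1 MiB stand-in for a RAM capture
        record = ChainOfCustody(
            lab_case="LAB-0001 (hypothetical)",
            agency_case="AGY-0001 (hypothetical)",
            description="memory capture, workstation, constructed sample",
            acquisition_hashes=hash_file(image),
        )
        first = record.transfer("Examiner A", "Evidence custodian", "Lab intake", image)
        with open(image, "r+b") as fh:  # simulate mishandling: flip one bit
            fh.seek(12345)
            original = fh.read(1)
            fh.seek(12345)
            fh.write(bytes([original[0] ^ 0x01]))
        second = record.transfer("Evidence custodian", "Examiner B", "Analysis", image)
        return first, second, record


if __name__ == "__main__":
    first, second, record = demo()
    print("after intake:", first, "| after one flipped bit:", second)
    for entry in record.transfers:
        print(entry)
```

A single flipped bit changes all three digests, which is the point of verifying on receipt rather than trusting the last signature on the form.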