Before you begin your media examination, create a hash of the copy you made of the original media. Does it agree with the hash of the original? If so, you may proceed. If not, find out why. Perhaps you mounted the copy and allowed some writes to occur. Or perhaps the copy process was flawed. In any case, don't start the analysis until you have a clean copy.
Most computer forensics tool sets include utilities that create device copies and calculate checksums where appropriate. If you are using the Unix operating system, you can obtain and use the md5sum utility to calculate checksums. You can find a Linux version of the md5sum utility at http://www.gnu.org/software/coreutils/ . If you would like a Windows version of the utility, go to http://www.etree.org/md5com.html .
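The verification step described above, as an added example that is not part of the original text or of any tool it names: the script hashes the original image and the working copy in chunks and reports whether the digests agree. MD5 is used so the output matches md5sum, but the same functions accept "sha256", which is preferable because MD5 collisions are practical. The "disk image" and the stray write in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so an image larger than RAM still works


def hash_bytes(data, algo="md5"):
    """Hex digest of an in-memory byte string (md5 matches md5sum's output; sha256 also works)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="md5"):
    """Hex digest of a file on disk, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(original_path, copy_path, algo="md5"):
    """Hash the original and the working copy; return (match, original_digest, copy_digest).
    Both digests are returned so they can be written into the examination notes."""
    orig = hash_file(original_path, algo)
    copy = hash_file(copy_path, algo)
    return orig == copy, orig, copy


def demo():
    """Constructed scenario (not real evidence): one 'original' image and two copies, one of
    which was mounted read-write and received a single stray write. Returns the two verdicts."""
    image = bytes(range(256)) * 4096  # 1 MiB of synthetic data standing in for a raw dd image
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.dd")
        clean_copy = os.path.join(workdir, "copy_clean.dd")
        dirty_copy = os.path.join(workdir, "copy_mounted.dd")
        for path in (original, clean_copy, dirty_copy):
            with open(path, "wb") as f:
                f.write(image)
        # Simulate the kind of metadata update a careless read-write mount leaves behind:
        # one byte at offset 4096 (originally 0x00) becomes 0xFF.
        with open(dirty_copy, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff")
        clean_ok, _, _ = verify_copy(original, clean_copy)
        dirty_ok, _, _ = verify_copy(original, dirty_copy)
        return clean_ok, dirty_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A single changed byte anywhere in the image produces a different digest, which is why the check has to be repeated after any step that could have touched the copy, not only once at the start.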
The next several sections discuss how to approach media analysis. The actual analysis process is part science and part art. You have to develop a sense of where to look first, and then possess the technical skills to extract the information. We'll focus on the high level here, as opposed to the specific actions you take with individual tools. Chapter 8 covers specific tools, so we'll save the details and recommendations until then.
There is no easy answer to the question 'Where do I look for evidence?' As with any investigation, not all evidence is clear and easily available. Some evidence is subtle, and some has been deliberately hidden or damaged. The specific type of evidence you are searching for depends on the goal of your investigation. If you are looking for evidence for a music CD pirating case, you will likely be looking for stored sound files. If you are gathering evidence in an e-mail fraud case, you will likely look at activity logs and e-mail-related files.
Let's get back to the credit card investigation. Where would you look for credit card numbers? You know that the information needed to use a credit card number includes the number, the expiration date, and possibly card owner information. That kind of information could be stored in a spreadsheet or a database. You searched the hard disk for files that looked similar to the filenames you found on the whiteboard. Unfortunately, you didn't find anything in the filesystem, in deleted files, or in slack space. Where do you look next? In this investigation, you chose to look for removable media. We'll rejoin the investigation a little later.
You need to be comfortable with the operating system running on the suspect computer. You might be using Unix-based forensic tools, but if the suspect media is an image of the primary drive from a computer running Windows, you'd better be comfortable with Windows as well. Default locations for files are dramatically different among various operating systems. In fact, the file location defaults can be different between releases of the same operating system family. Therefore, know the operating system with which you are working.
Activity logs and other standard files are commonly stored in default locations on many systems. Always look in the default locations for any logs and configuration files. This step alone can tell you about the suspect. If all logs and configuration files live in the default locations, you can be confident the suspect either does not know about security measures or is too busy to implement security. On the other hand, if you find several applications using nonstandard paths and file storage locations, your suspect may have hidden files well.
Use every means at your disposal to understand what the suspect was trying to do with the computer. Consider all of the supporting evidence you have uncovered so far. This is where the documentary evidence you collected at the scene might be helpful. As you are working through the different types of evidence, your forensic tool set can help by flagging unusual data on the suspect media.
Good forensic tools help you by providing access to areas of a computer that can be used to hide data. But, before you look for hidden data, look for the evidence that you can get to easily. Depending on what you are looking for, you might find it helpful to look at where the suspect has been surfing on the Web. Look at the history and cache files for each web browser on the system. Look at the cookies as well. Although web browsers allow you to look at some historical data, get a tool designed to explore web browser activity. Likewise, look into e-mail correspondence for each e-mail client installed on the computer.
Make absolutely sure you have the legal authority to examine a system. You may only be allowed to look for a certain type of files or activity. Do not exceed your authority.
As mentioned previously, we'll discuss specific forensic tools in Chapter 8. For now, let's look at a few of the different types of tools you'll need in the computer forensics process.
File viewers provide small images of file contents. The programs scan a directory for files that match your criteria and show what is in the files. Viewers are great for finding pictures or movie files. Although most use a file's extension to identify graphics files, some of the more sophisticated tools can look at a file's header to identify it as a graphics file.
A utility that provides thumbnail images of files. Such tools are useful for visually scanning a group of files.
Some viewers also handle nongraphics file types, such as word processing document files. The advantage of a viewer tool is that it provides a visual representation of a file. This presentation can make scanning for inappropriate pictures far easier than looking at each one individually.
Another type of tool that is useful is an extension checker. This type of tool compares a file's extension with its actual data type. A favorite method of hiding data from casual users is to change the file extension. For example, if you want to hide the picture in the file named blueangels.jpg, you could rename the file to blueangel.db, or even something totally obscure, such as br.549. An extension checker utility looks at the extension and compares it to the file's actual header. Any discrepancies are reported as exceptions.
A utility that compares a file's extension to its header. If the two do not match, the discrepancy is reported.
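A minimal extension checker of the kind just described, as an added example rather than code from the original text or from any forensic product: it identifies a file by its leading bytes, maps the extension through a short alias table, and reports only the cases where the two disagree. The signature table covers a handful of common types; the file names and byte strings in SAMPLE_FILES are constructed, and include the renamed picture from the text.

```python
import os

# Constructed signature table: (magic bytes, offset into file, canonical type). A real
# checker carries hundreds of entries; libmagic (the `file` command) is the usual source.
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "jpg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"BM", 0, "bmp"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),
]

# Extensions that legitimately share a container type, so they are not reported.
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify_by_header(data):
    """Return the canonical type the leading bytes identify, or None if no signature matches."""
    for magic, offset, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def check_extension(filename, data):
    """Compare the extension with the header. Returns None when they agree or when the header
    is unrecognised (there is nothing to compare against); otherwise a dict describing the exception."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    kind = identify_by_header(data)
    if kind is None or kind == ext:
        return None
    return {"file": filename, "extension": ext or "(none)", "header": kind}


def scan(files):
    """files: mapping of file name -> first bytes of its content. Returns the list of exceptions."""
    exceptions = []
    for name, data in files.items():
        result = check_extension(name, data)
        if result is not None:
            exceptions.append(result)
    return exceptions


# Constructed sample set: the first bytes of six files, including the renamed picture from the text.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
SAMPLE_FILES = {
    "blueangels.jpg": JPEG_HEAD,   # extension and header agree
    "blueangel.db": JPEG_HEAD,     # the same picture renamed to look like a database file
    "br.549": JPEG_HEAD,           # the same picture under an obscure extension
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"plain text has no signature",  # unknown header: nothing to report
    "quarterly.docx": b"PK\x03\x04\x14\x00",       # Office file is a ZIP container: alias, not an exception
}

if __name__ == "__main__":
    for e in scan(SAMPLE_FILES):
        print(f"{e['file']}: extension .{e['extension']} but header says {e['header']}")
```

Note the two silent cases: a file whose header matches no signature cannot be flagged, and container formats (Office documents are ZIP archives) need an alias table or every .docx on the drive shows up as an exception.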
Most people are familiar with unerase tools that recover deleted files. They have been around the DOS and Windows worlds for years. On older versions of Windows, a simple unerase tool can recover files easily. Newer operating systems complicate the process. After you empty the Recycle Bin, you can recover files with the help of forensic utilities. File-recovery utilities, available for nearly all filesystems in use today, help in identifying and restructuring deleted files.
A utility that assists in recovering previously deleted files. In some cases, files can be completely recovered. At other times, only portions of the file can be recovered.
Forensic examiners often need to search a large number of files for specific keywords or phrases. Several searching tools support such large-scale searches. Each investigation may have certain words or phrases that can help identify evidence. Searching for known IP addresses, e-mail addresses, or people's names can often link pieces of evidence together.
A tool that searches for patterns (mostly string patterns) in a large number of files.
The first thing you will notice when you start to use the types of tools discussed in the previous section is the enormous volume of results that are returned. No matter how narrowly you define the scope of your activities, you will end up with more data than is useful. Your job is to sift through all the data and extract the pertinent information.
Log files provide great audit trails of system activity. They can tell you nearly every event that occurred within a specific scope. For example, web server log files can keep track of every request from and response to web clients. However, most applications log only minimally by default to avoid a performance impact. Before you spend too much time looking through the log files, make sure you know the level of detail each application is generating.
One type of tool that helps make sense of large log files is a log file scanner. Log scanner utilities do little more than scan log files and extract events that match your requested event pattern. For text log files, a simple text search utility could provide a similar result in some cases. Most log file scanners make the process easier by allowing queries for specific times that involve certain events.
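A small log file scanner of the sort described above, added here as an example and not taken from the text or from any particular product: it parses web server lines in the NCSA Common Log Format, then extracts the events that match a pattern on one field, optionally restricted to a time window given in the log's own timestamp notation. The log lines are constructed (RFC 5737 documentation addresses, invented requests) and one line is deliberately unparsable so the scanner's handling of it is visible.

```python
import re
from datetime import datetime

# NCSA Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_time(text):
    """Parse a timestamp written in the log's own format, e.g. '12/Mar/2004:22:42:01 -0500'."""
    return datetime.strptime(text, TIME_FMT)


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can count unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = parse_time(rec["time"])
    rec["status"] = int(rec["status"])
    return rec


def scan_log(lines, pattern=None, field="request", start=None, end=None):
    """Extract events whose `field` matches a regex, optionally inside [start, end].
    Returns (matching records, number of lines that could not be parsed)."""
    rx = re.compile(pattern) if pattern else None
    t0 = parse_time(start) if start else None
    t1 = parse_time(end) if end else None
    hits, skipped = [], 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            skipped += 1          # never silently drop lines: the count goes in the notes
            continue
        if t0 is not None and rec["time"] < t0:
            continue
        if t1 is not None and rec["time"] > t1:
            continue
        if rx is not None and not rx.search(str(rec[field])):
            continue
        hits.append(rec)
    return hits, skipped


# Constructed sample log (RFC 5737 documentation addresses, invented requests).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2004:09:15:02 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [12/Mar/2004:09:15:09 -0500] "GET /images/logo.gif HTTP/1.1" 200 2326
203.0.113.44 - - [12/Mar/2004:22:41:55 -0500] "POST /login.php HTTP/1.1" 200 512
203.0.113.44 - - [12/Mar/2004:22:42:01 -0500] "POST /login.php HTTP/1.1" 401 0
203.0.113.44 - - [12/Mar/2004:22:42:07 -0500] "POST /login.php HTTP/1.1" 401 0
203.0.113.44 - - [12/Mar/2004:22:43:15 -0500] "POST /login.php HTTP/1.1" 200 512
this line was truncated by a log rotation and cannot be parsed
203.0.113.44 - - [13/Mar/2004:01:05:40 -0500] "GET /reports/q1.xls HTTP/1.1" 200 88120
""".splitlines()


def failed_logins_in_window(start, end):
    """Worked query: HTTP 401 responses to /login.php inside a time window."""
    hits, _ = scan_log(SAMPLE_LOG, pattern=r"^401$", field="status", start=start, end=end)
    return [(h["host"], h["time"].strftime("%H:%M:%S"))
            for h in hits if "/login.php" in h["request"]]


if __name__ == "__main__":
    print(failed_logins_in_window("12/Mar/2004:22:00:00 -0500", "12/Mar/2004:23:00:00 -0500"))
```

The unparsable-line count matters as much as the hits: a scanner that quietly skips lines gives the false impression that nothing happened in the gap.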
One type of intrusion detection system (IDS), log-based IDS, provides a convenient method to analyze multiple log files. When searching for activity that would be consistent with a network intrusion, let the IDS look at the log files and highlight any suspicious activity. This information is not helpful for every investigation, though. Sometimes, there are few tools that help lighten the load of looking at a lot of data.
In some cases, you may be able to use tools that help analyze the data. In other cases, you will have to look at all the data yourself. In either case, one of the more difficult aspects of computer forensics is the process of separating the evidence that matters from everything else.
Sometimes you will find that the volume of data is so large there is no feasible way to consider it all. Some log files can contain so much detail that it is nearly impossible to use it all. You might be able to process it, but the amount of useful evidence can be overwhelming.
Any time you have more data than is practical, consider taking samples of the data. You can use data sampling for either input or output data. For example, suppose you are analyzing a large drive with over 1 million pictures. Your job is to find out if there are any pictures of classified equipment. One way to approach the task is to use a viewer utility on an arbitrary collection of pictures. Determine whether patterns exist. If you find, from looking at a sample of 25 pictures, that the files are organized by department, you have some additional information to help narrow your search.
On the other end of the spectrum, suppose your search yielded 5,000 pictures of classified equipment. You would not want to initially submit all 5,000 pictures as evidence. Too much evidence can be overwhelming if it is presented all at once. Instead of submitting all 5,000 pictures together, you may want to select a representative sample to submit, along with information describing the remaining pictures as a group. All 5,000 pictures would be entered as evidence, but only the sample would be presented. The same approach applies to log file entries. Whenever a large volume of data or a large number of redundant items exists, use a sample to represent the whole data set.
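Both sampling uses from the last two paragraphs, as an added example that is not part of the original text: a seeded random sample of 25 paths from a large listing, grouped by directory to reveal how the drive is organized, and a stratified sample drawn from a set of hits for presentation, together with per-group totals that describe the rest. The file listing is constructed; a real run would take the paths from the forensic tool's index of the image.

```python
import os
import random
from collections import Counter


def build_constructed_index(count=12000, seed=1):
    """Constructed stand-in for a file listing of a seized drive: picture paths under
    department folders. The examiner does not know that organisation in advance."""
    rng = random.Random(seed)
    departments = ["engineering", "finance", "hr", "marketing", "rnd"]
    return [f"/evidence/pictures/{rng.choice(departments)}/img_{i:06d}.jpg"
            for i in range(count)]


def sample_paths(paths, n=25, seed=0):
    """Reproducible random sample: record the seed so the same files can be pulled again."""
    return random.Random(seed).sample(paths, n)


def directory_pattern(sample):
    """Which directories did the sampled files come from? A few buckets suggest an organisation scheme."""
    return Counter(os.path.dirname(p) for p in sample)


def representative_sample(hits, per_group=3, seed=0):
    """Stratified sample for presentation: a few items from each directory, plus a summary
    (total and number presented per group) that describes the rest of the set."""
    groups = {}
    for p in hits:
        groups.setdefault(os.path.dirname(p), []).append(p)
    rng = random.Random(seed)
    presented, summary = [], {}
    for group, items in sorted(groups.items()):
        k = min(per_group, len(items))
        presented.extend(rng.sample(items, k))
        summary[group] = {"total": len(items), "presented": k}
    return presented, summary


if __name__ == "__main__":
    index = build_constructed_index()
    # First use: 25 arbitrary pictures, grouped by folder, to spot the organisation pattern.
    print(directory_pattern(sample_paths(index)))
    # Second use: 5,000 hits are entered as evidence, but only a stratified sample is presented.
    shown, described = representative_sample(index[:5000])
    print(len(shown), described)
```

Fixing the seed is what makes the sample defensible: anyone reviewing the work can regenerate exactly the same 25 files from the same listing.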