LECTURE 9: DATA ANALYSIS AND VALIDATION
References:
Guide to Computer Forensics and Investigations
Certified Ethical Hacker and Forensic Investigations
Objectives
• Determine what data to analyze in a computer forensics investigation
• Explain tools used to validate data
• Explain common data-hiding techniques
• Describe methods of performing a remote acquisition
Determining What Data to Collect and Analyze
Examining and analyzing digital evidence depends on:
• Nature of the case
• Amount of data to process
• Search warrants and court orders
• Company policies
Scope creep
• Investigation expands beyond the original description
Right of full discovery of digital evidence
Analysis: Volatile Evidence (figure; source: CHFI)
Analysis: Non-Volatile Evidence (figure; source: CHFI)
Analysis: Network Evidence (figure; source: CHFI)
Analysis: Files (figure; source: CHFI)
Approaching Computer Forensics Cases
Some basic principles apply to almost all computer forensics cases
• The approach you take depends largely on the specific type of case you’re investigating
Basic steps for all computer forensics investigations
• For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses
• Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
• Remove the original drive from the computer
• Check date and time values in the system’s CMOS
• Record how you acquired data from the suspect drive
• Process the data methodically and logically
• List all folders and files on the image or drive
• If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition
• For all password-protected files that might be related to the investigation, make your best effort to recover file contents
• Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
• Maintain control of all evidence and findings, and document everything as you progress through your examination
Refining and Modifying the Investigation Plan
Considerations
• Determine the scope of the investigation
• Determine what the case requires
• Whether you should collect all information
• What to do in case of scope creep
The key is to start with a plan but remain flexible in the face of new evidence
Using AccessData Forensic Toolkit to Analyze Data
FTK can analyze data from several sources, including image files from other vendors
Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
FTK produces a case log file
Analyzes compressed files
Searching for keywords
• Indexed search
• Live search
• Supports options and advanced searching techniques, such as stemming
You can generate reports
• Using bookmarks
Validating Forensic Data
One of the most critical aspects of computer forensics
Ensuring the integrity of data you collect is essential for presenting evidence in court
Most computer forensic tools provide automated hashing of image files
Computer forensics tools have some limitations in performing hashing
• Learning how to use advanced hexadecimal editors is necessary to ensure data integrity
Validating with Hexadecimal Editors
Advanced hexadecimal editors offer many features not available in computer forensics tools
• Such as hashing specific files or sectors
Hex Workshop provides several hashing algorithms
• Such as MD5 and SHA-1
• See Figures 9-4 through 9-6
Hex Workshop also generates the hash value of selected data sets in a file or sector
Using hash values to discriminate data
• AccessData has a separate database, the Known File Filter (KFF)
• Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
• KFF compares known file hash values to files on your evidence drive or image files
• Periodically, AccessData updates these known file hash values and posts an updated KFF
Validating with Computer Forensics Programs
Commercial computer forensics programs have built-in validation features
ProDiscover’s .eve files contain metadata that includes the hash value
• Validation is done automatically
Raw format image files (.dd extension) don’t contain metadata
• So you must validate raw format image files manually to ensure the integrity of data
In AccessData FTK Imager
• When you select the Expert Witness (.e01) or the SMART (.s01) format
• Additional options for validating the acquisition are displayed
• Validation report lists MD5 and SHA-1 hash values
Figure 9-7 shows how ProDiscover’s built-in validation feature works
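As an added example (not code from the textbook, FTK, ProDiscover or Hex Workshop), the following Python does by hand what the two validation slides describe: whole-image MD5 and SHA-1 for a raw .dd file, a hash over a selected sector range as a hex editor offers, and a KFF-style filter of file hashes against a known set. The image, the altered byte and the hash set are constructed for the demo.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # bytes per sector

def image_hashes(path):
    """MD5 and SHA-1 of a whole raw (.dd) image, streamed so large images never sit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def sector_hash(path, first, count):
    """SHA-1 of sectors [first, first+count) only, like hashing a selected range in a hex editor."""
    with open(path, "rb") as f:
        f.seek(first * SECTOR)
        return hashlib.sha1(f.read(count * SECTOR)).hexdigest()

def validate_raw_image(path, recorded_md5, recorded_sha1):
    """A raw image carries no embedded hash, so compare against the values recorded at acquisition."""
    return image_hashes(path) == (recorded_md5, recorded_sha1)

def kff_filter(file_hashes, known):
    """KFF-style triage: files whose hash is in the known set are filtered from view; the rest need review."""
    hits = {name: known[h] for name, h in file_hashes.items() if h in known}
    unknown = sorted(name for name, h in file_hashes.items() if h not in known)
    return hits, unknown

def demo():
    """Constructed 8-sector image: record hashes, alter one byte, re-validate, and localise the change."""
    data = bytearray(8 * SECTOR)
    data[3 * SECTOR:3 * SECTOR + 6] = b"SECRET"
    path = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    with open(path, "wb") as f:
        f.write(data)
    md5, sha1 = image_hashes(path)                 # values written into the acquisition log
    s3_before = sector_hash(path, 3, 1)
    intact = validate_raw_image(path, md5, sha1)   # True: image matches the log
    data[3 * SECTOR] = ord("X")                    # one altered byte in sector 3
    with open(path, "wb") as f:
        f.write(data)
    still_valid = validate_raw_image(path, md5, sha1)      # False: whole-image hash no longer matches
    sector3_changed = sector_hash(path, 3, 1) != s3_before  # True: range hash pinpoints the sector
    others_same = sector_hash(path, 0, 3) == hashlib.sha1(bytes(3 * SECTOR)).hexdigest()  # True
    return intact, still_valid, sector3_changed, others_same
```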
Performing Computer Forensic Analysis: Forensic Workstations
Carefully consider what you need
Categories
• Stationary
• Portable
• Lightweight
Balance what you need and what your system can handle
Police agency labs
• Need many options
• Use several PC configurations
Private corporation labs
• Handle only system types used in the organization
Keep a hardware library in addition to your software library
Also need to identify what you intend to analyze
Can mix and match components to get the capabilities you need for your forensic workstation
Advantages
• Customized to your needs
• Save money
Disadvantages
• Hard to find support for problems
• Can become expensive if careless
You can buy one from a vendor as an alternative
• Examples
• F.R.E.D.
• F.I.R.E. IDE
Having vendor support can save you time and frustration when you have problems
Addressing Data-hiding
Techniques
File manipulation
• Filenames and extensions
• Hidden property
Disk manipulation
• Hidden partitions
• Bad clusters
Encryption
• Bit shifting
• Steganography
Hiding Partitions
Delete references to a partition using a disk editor
• Re-create links for accessing it
Use disk-partitioning utilities
• GDisk
• PartitionMagic
• System Commander
• LILO
Account for all disk space when analyzing a disk
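An added example, not from the textbook or any of the partitioning tools listed: Python that parses an MBR partition table and then reports every sector range no partition accounts for, which is exactly the space an examiner must explain when looking for a partition whose table entry was deleted. The 20480-sector disk layout is constructed.

```python
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return (type, start_lba, sector_count) for each non-empty entry in a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]
        start, count = struct.unpack_from("<II", e, 8)   # LBA start and length
        if ptype != 0 and count != 0:
            entries.append((ptype, start, count))
    return entries

def unaccounted_space(entries, total_sectors):
    """Sector ranges (start, end_exclusive) covered by no partition, excluding the MBR in sector 0.

    A gap between partitions or after the last one is where a hidden partition, or one whose
    table entry was removed with a disk editor, would still be sitting on the disk."""
    used = sorted((s, s + c) for _, s, c in entries)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def make_entry(ptype, start, count):
    """Build one 16-byte partition table entry (CHS fields zeroed, LBA fields set)."""
    return bytes([0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)

def constructed_mbr():
    """Constructed disk: NTFS (0x07) at LBA 2048 for 8192 sectors, an unexplained gap, then
    FAT32 (0x0C) at LBA 12288 for 4096 sectors, leaving the tail of a 20480-sector disk unused."""
    table = make_entry(0x07, 2048, 8192) + make_entry(0x0C, 12288, 4096) + bytes(32)
    return bytes(446) + table + b"\x55\xaa"
```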
Marking Bad Clusters
• Common with FAT systems
• Place sensitive information on free space
• Use a disk editor to mark space as a bad cluster
• To mark a good cluster as bad using Norton Disk Edit
• Type B in the FAT entry corresponding to that cluster
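Added example, not from the textbook or Norton Disk Edit: a Python scan of a raw FAT16 table that lists the clusters carrying the bad-cluster marker (0xFFF7, the value a disk editor writes when you mark a cluster bad) and reconciles free, allocated and bad counts with the volume size. The table is constructed.

```python
import struct

FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7   # FAT16 entry value meaning "bad cluster"; 0xFFF8-0xFFFF are end-of-chain marks

def fat16_entries(fat):
    """Yield (cluster, value) for every data cluster in a raw FAT16 table; entries 0 and 1 are reserved."""
    for n in range(2, len(fat) // 2):
        yield n, struct.unpack_from("<H", fat, n * 2)[0]

def bad_clusters(fat):
    """Clusters the FAT marks as bad. Each is a candidate hiding place whose raw content should be reviewed."""
    return [n for n, v in fat16_entries(fat) if v == FAT16_BAD]

def classify(fat):
    """Count free, allocated and bad clusters so the total can be reconciled with the volume size."""
    counts = {"free": 0, "allocated": 0, "bad": 0}
    for _, v in fat16_entries(fat):
        if v == FAT16_FREE:
            counts["free"] += 1
        elif v == FAT16_BAD:
            counts["bad"] += 1
        else:
            counts["allocated"] += 1
    return counts

def constructed_fat():
    """Constructed 16-cluster FAT16 table: clusters 2 -> 3 -> EOC hold one file, clusters 9 and 10
    have been marked bad by hand (what typing B in Norton Disk Edit does), everything else is free."""
    entries = [0xFFF8, 0xFFFF] + [FAT16_FREE] * 14   # entries 0 and 1: media descriptor / reserved
    entries[2], entries[3] = 3, 0xFFFF
    entries[9] = entries[10] = FAT16_BAD
    return struct.pack("<16H", *entries)
```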
Bit Shifting
• Old technique
• Shift bit patterns to alter byte values of data
• Make files look like binary executable code
• Tool
• Hex Workshop
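Added example, not from the textbook or Hex Workshop: Python that applies a per-byte bit rotation of the kind described and, from the examiner's side, recovers the unknown shift by testing all seven candidates for text-like output. The note and the shift amount are constructed.

```python
def rotate_bytes(data, shift):
    """Rotate every byte left by `shift` bits (0-7). Rotating the result by 8 - shift restores it."""
    shift %= 8
    return bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in data)

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or ordinary whitespace (tab, LF, CR)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def recover(shifted):
    """Undo an unknown left rotation: try the 7 non-trivial shifts and keep the most text-like result.

    Returns (shift_used, recovered_bytes, printable_ratio). A file that looked like binary but
    scores near 1.0 after a single rotation is a strong indicator that bit shifting was applied."""
    best = max(range(1, 8), key=lambda s: printable_ratio(rotate_bytes(shifted, 8 - s)))
    plain = rotate_bytes(shifted, 8 - best)
    return best, plain, printable_ratio(plain)

# Constructed sample: a short text note rotated left 3 bits so it no longer reads as text.
SAMPLE_NOTE = b"Inventory moved to unit 14B on Tuesday. Keys with M."
SAMPLE_HIDDEN = rotate_bytes(SAMPLE_NOTE, 3)
```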
Using Steganography to Hide Data
Greek for “hidden writing”
Steganography tools were created to protect copyrighted material
• By inserting digital watermarks into a file
Suspect can hide information on image or text document files
• Most steganography programs can insert only small amounts of data into a file
Very hard to spot without prior knowledge
Tools: S-Tools, DPEnvelope, jpgx, Steghide etc.
Recovering Passwords
Techniques
• Dictionary attack
• Brute-force attack
• Password guessing based on suspect’s profile
Tools
• AccessData PRTK
• Advanced Password Recovery Software Toolkit
• John the Ripper
Recovering Passwords: PRTK
Using AccessData tools with password and encrypted files
• AccessData offers a tool called Password Recovery Toolkit (PRTK)
• Can create possible password lists from many sources
• Can create your own custom dictionary based on facts in the case
• Can create a suspect profile and use biographical information to generate likely passwords
Recovering Passwords (continued)
Using AccessData tools with password and encrypted files (continued)
• FTK can identify known encrypted files and those that seem to be encrypted and export them
• You can then import these files into PRTK and attempt to crack them
Performing Remote Acquisitions
Remote acquisitions are handy when you need to image the drive of a computer far away from your location
• Or when you don’t want a suspect to be aware of an ongoing investigation
Remote Acquisitions with Runtime Software
Runtime Software offers the following shareware programs for remote acquisitions:
• DiskExplorer for FAT
• DiskExplorer for NTFS
• HDHOST, a remote access program for communication between two computers
Preparing DiskExplorer and HDHOST for remote acquisitions
• Requires the Runtime Software, a portable media device (USB thumb drive or floppy disk), and two networked computers
• The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.
Making a remote connection with DiskExplorer
• Requires running HDHOST on a suspect’s computer
• To establish a connection with HDHOST, the suspect’s computer must be:
• Connected to the network
• Powered on
• Logged on to any user account with permission to run non-installed applications
• HDHOST can’t be run surreptitiously
• See Figures 9-18 through 9-24
Remote Acquisitions with Runtime Software (continued)
Making a remote acquisition with DiskExplorer
• After you have established a connection with DiskExplorer from the acquisition workstation
• You can navigate through the suspect computer’s files and folders or copy data
• The Runtime tools don’t generate a hash for acquisitions
Summary
Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data you have to process
For most computer forensics investigations, you follow the same general procedures
One of the most critical aspects of computer forensics is validating digital evidence
Data hiding involves changing or manipulating a file to conceal information
Remote acquisitions are useful for making an image of a drive when the computer is far away from your location or when you don’t want a suspect to be aware of an ongoing investigation