Your Digital Forensics Primer: How to Divine the Truth from the Data

The scene on television unfolds: the forensics team huddles around a state-of-the-art computer station, in a room dimly lit with blue lights. Futuristic displays show the photos recovered from the criminal’s computer. The lead detective pauses dramatically, pointing to a photo. “Enhance that!” he says. Cue music…

As with many other things, real-life digital forensics isn’t like television. The science of retrieving evidence from computers is time-consuming, painstaking work, yet much more fascinating than fiction. Let’s discuss some basics about forensics tools and procedures.

The first thing we have to understand is what data is valuable to forensic analysts. Years ago, this was mostly limited to hard drives. Law enforcement would usually unplug and retrieve computers at crime scenes for analysis back at their office. Modern digital forensics involves a multitude of devices, including mobile phones, car media centers, and digital cameras. Many digital devices can provide clues about our behavior.

So why don’t we want to unplug computers scheduled for forensics anymore? We have to consider what important evidence is lost when we turn off a computer. We know that computers usually have a hard drive which stores data persistently, but they also have memory (RAM), which holds the data the computer is actively using while it’s turned on. RAM is volatile: once power is removed, its contents decay within seconds to a few minutes. Memory contains all kinds of things the computer was ‘thinking about’ recently while it was in use. This ‘live data’ can include files that were deleted from disk, running malware (including malware that never touches the disk at all), passwords and encryption keys, decrypted copies of files which are stored encrypted on the hard drive, open network connections, and a history of which programs and files were used. So, the first reason we don’t unplug computers is so that we don’t lose the contents of gigabytes of memory.

Many agencies are now taking steps to preserve memory from computers retrieved from crime scenes. This can include running a special tool to capture an image of memory before shutdown, maintaining power to the computer during transport, or even chilling the memory modules to slow the decay of their contents. The general rule is to collect the most volatile evidence first: memory before disk.

Another reason we don’t unplug computers is that full disk encryption is becoming more popular. A hard drive which is encrypted can be almost impossible to read without the passphrase (or key) that unlocks it. While the machine is powered on and unlocked, the decryption key is in memory and the drive can be imaged in its decrypted state. If the computer isn’t kept powered on, and the passphrase or key isn’t retrieved before it is shut off, the only other recourse may be compelling the passphrase from the machine’s owner through a judge. That’s a legal gray area.

Now that we know which types of evidence we want to retrieve, let’s talk about how we retrieve the evidence!

A critical point in collecting evidence is maintaining a clear chain of custody. As with physical evidence, this means that we record everywhere our evidence has been, who has had access to it, and what (if anything) changed, in a repeatable way that can be proven in court. When we retrieve a hard drive, we immediately make an exact, bit-for-bit copy of it (a forensic image) to analyze, compute a cryptographic hash of both the original and the image to prove they match, and store the original disk securely. Imaging, and any other direct access to the original, is done through a ‘write blocker’, a hardware device that sits between the drive and our workstation and physically prevents anything we do from writing to the evidence. From then on we work only from verified copies, and we carefully document everything we do.
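The imaging-and-hashing step above, as an added example that is not code from the original article. The ‘device’ is a constructed file in a temporary directory standing in for /dev/sdb (an assumption); in a real acquisition the source would be read through a hardware write blocker and the image would be a raw (dd-style) or E01 file. The examiner name and sample contents are also assumed.

```python
"""Acquire a forensic image and verify it by cryptographic hash.

Added example, not code from the original article. The 'device' is a
constructed file in a temp directory standing in for /dev/sdb; a real
acquisition reads the source through a hardware write blocker. Paths,
the examiner name and the sample contents are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB blocks, comparable to dd's bs=64K


def image_device(source_path, image_path, algo="sha256"):
    """Copy source to image, hashing the source bytes as they are read.

    Hashing on the fly means the original medium is read exactly once,
    which matters when it is old or failing. Returns the source digest.
    """
    h = hashlib.new(algo)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def hash_file(path, algo="sha256"):
    """Independent re-read of a file; used to verify the written image."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path, image_path, examiner, algo="sha256"):
    """Image the source, re-hash the image, and build the custody record.

    The record is what goes into the case file: who, when, what was read,
    what was written, and whether the two digests agree. A mismatch means
    the copy is not a faithful duplicate and must not be analysed.
    """
    source_hash = image_device(source_path, image_path, algo)
    image_hash = hash_file(image_path, algo)
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "hash_algorithm": algo,
        "source_hash": source_hash,
        "image_hash": image_hash,
        "verified": source_hash == image_hash,
    }


def verify_image(image_path, record):
    """Re-verify an image against its record, e.g. before analysis or in court."""
    return hash_file(image_path, record["hash_algorithm"]) == record["image_hash"]


def run_demo():
    """End-to-end run on a constructed 1 MiB 'device' in a temp directory."""
    work = tempfile.mkdtemp(prefix="acq_")
    device = os.path.join(work, "fake_sdb")   # stands in for /dev/sdb (assumption)
    image = os.path.join(work, "fake_sdb.dd")
    data = bytes(range(256)) * 4096           # constructed content, 1 MiB
    with open(device, "wb") as f:
        f.write(data)

    record = acquire(device, image, examiner="examiner-01")  # assumed name
    ok_before = verify_image(image, record)

    # Simulate evidence tampering: flip a single byte of the image. Any
    # change, however small, must make re-verification fail.
    with open(image, "r+b") as f:
        f.seek(12345)
        original = f.read(1)
        f.seek(12345)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image, record)

    return {
        "record": record,
        "expected_source_hash": hashlib.sha256(data).hexdigest(),
        "verified_before_tamper": ok_before,
        "verified_after_tamper": ok_after,
    }


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["record"], indent=2))
    print("re-verify after tamper:", result["verified_after_tamper"])
```

Dedicated imagers (FTK Imager, dc3dd, ewfacquire) build this hash-on-the-fly and verify step in, and the E01 format stores the digest inside the image itself; the point of writing it out is to see that the source hash, the image hash and the custody record are three separate things that all have to agree.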

We can use a lot of different tools in our analysis, but we want to select ones that are validated and whose results are recognized and admissible in court. Two popular commercial forensics suites that can read and analyze disks and memory are Guidance EnCase and AccessData FTK. There are also many other tools that can help us. Two popular free tools for analyzing the contents of a memory image are Volatility and Mandiant Redline.

Analyzing a device can be time-consuming and tedious. We have to generate an accurate timeline of everything relevant that occurred, usually by pulling the creation, modification and access timestamps of every file on the disk and sorting them together. We might have to sift through days of routine changes to the computer or thousands of documents to find a clue. Files might be corrupted, partially overwritten, or missing parts we have to painstakingly reconstruct. Although deleted files are often recoverable (deleting a file normally just marks its space as free until something else reuses it), hard drives can be overwritten with disk wiping software, which may effectively make recovery impossible. We’ll run into dead ends.
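The timeline step, as an added example that is not code from the original article. It reads file metadata in the Sleuth Kit ‘body’ layout that `fls -m` produces and `mactime` consumes (one record per file: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds) and turns it into a sorted MACB timeline. The records are constructed for illustration, not taken from a real disk image.

```python
"""Build a MACB timeline from Sleuth Kit 'body' records.

Added example, not code from the original article. The body-file layout
is the one fls -m / mactime use. SAMPLE_BODY is constructed, not from a
real image; the file names and timestamps are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_BODY = """\
0|/Users/jdoe/Documents/report.docx|1234|r/rrw-r--r--|501|20|48213|1425500000|1425400000|1425400000|1425300000
0|/Users/jdoe/AppData/Local/Temp/evil.exe|5678|r/rrwxrwxrwx|501|20|102400|1425480000|1425480000|1425480000|1425480000
0|/Windows/Prefetch/EVIL.EXE-1A2B3C4D.pf|9012|r/rrw-r--r--|0|0|8192|1425480100|1425480100|1425480100|1425480090
0|/pagefile.sys|7|r/rrw-------|0|0|0|0|0|0|0
"""

FLAG_ORDER = "macb"  # modified, accessed, changed (metadata), born (created)


def parse_body(text):
    """Yield one dict per body record, skipping blank and malformed lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            continue  # not a v3 body record; a real tool would log this
        yield {
            "name": fields[1],
            "inode": fields[2],
            "size": int(fields[6]),
            # body order is atime, mtime, ctime, crtime
            "times": dict(zip("amcb", (int(t) for t in fields[7:11]))),
        }


def build_timeline(text):
    """Return [(epoch, flags, size, name), ...] sorted by time then name.

    Each file contributes one row per distinct timestamp; the flags column
    shows which of m/a/c/b fall on that second. 'macb' on an executable
    means it was created, written and touched all at once, which is what a
    freshly dropped file looks like. A timestamp of 0 means 'unknown' in a
    body file and is skipped, as mactime does.
    """
    rows = []
    for rec in parse_body(text):
        by_time = defaultdict(set)
        for flag, ts in rec["times"].items():
            if ts > 0:
                by_time[ts].add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in FLAG_ORDER)
            rows.append((ts, macb, rec["size"], rec["name"]))
    rows.sort(key=lambda r: (r[0], r[3]))
    return rows


def window(rows, start, end):
    """Keep rows with start <= epoch < end: the time of interest in a case."""
    return [r for r in rows if start <= r[0] < end]


def render(rows):
    """mactime-style text lines, timestamps in UTC."""
    out = []
    for ts, macb, size, name in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        out.append(f"{when} {size:>8} {macb} {name}")
    return out


if __name__ == "__main__":
    print("\n".join(render(build_timeline(SAMPLE_BODY))))
```

On the constructed input the dropped executable shows up as a single ‘macb’ row, and its prefetch file appears seconds later, which is the kind of cluster an analyst looks for; narrowing with `window()` is how days of routine changes get cut down to the minutes that matter. A real ‘super timeline’ would merge registry, log and browser timestamps into the same ordering.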

When we do find something, however, it can be more interesting than just photos or documents. The Windows Registry is full of details about the history of the computer. We might discover which wireless networks the computer was connected to or which USB drives were plugged into it. We could recover webpages viewed in ‘private browsing mode’, often from memory or the page file, since the browser avoids writing them to its history on disk. We have tools to search for keywords, or for images likely to contain nudity. On other digital devices, we may find different information. For instance, car computers might tell us who was in the car (from paired phones) and where it went (from navigation history). The devices that surround us can tell a story. When discovered, analyzed, and presented properly, these findings can have great value in a court of law.

Interested in learning more about digital forensics? I recommend the books “Digital Forensics with Open Source Tools” by Cory Altheide and Harlan Carvey and “Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom” by Larry Daniel and Lars Daniel. Don’t be intimidated by the high price of commercial forensics tools. A great way to start using forensics tools is by downloading the free SANS SIFT Kit, a virtual machine with many free forensics tools installed. Make sure to find your local digital forensics organizations!

See more of my blogs on Motorola Solutions Fresh Ideas in Public Safety: https://communities.motorolasolutions.com/community/north_america/fresh_ideas/blog/2015/03/05/your-digital-forensics-primer-how-to-divine-the-truth-from-the-data

J. R. Rossman

Redefining Goal, Resilient, Calm Under Pressure, Solution Goalie, U S Veteran

5 years ago

I found your post today - being a newbie, I appreciate your insight.

Great work as always!!

Lesley Carhart

Industrial Cybersecurity and Incident Response Specialist | GCFA, GREM, GCIH, GRID | Keynote Speaker | Instructor | Pundit

10 years ago

Somebody got the reference! I guess that's why he's a detective, and all.

Christopher McNulty

Sr Manager - Cyberthreat Intelligence | MSIS | GIACx3

10 years ago

Very well written and it comes with a screen shot from Blade Runner!

Matt Mercer

Senior Cybersecurity Consultant at Optiv Inc

10 years ago

Awesome job, as usual :)
