04-OS and Multimedia Forensics


Contents

Overview of Digital Forensics
• Chapter 1: Understanding Digital Forensics
• Chapter 2: Digital Forensics Investigation Process

Digital Evidences
• Chapter 3: Data Acquisition

Forensics Tools
• Chapter 4: OS and Multimedia Forensics
• Chapter 5: Network Forensics
• Chapter 6: E-mail & Social Media Forensics
• Chapter 7: Various Internet Forensics

Reporting
• Chapter 8: Report Writing & Expert Witness
1
Windows Forensics Analysis

(Figure: bar chart, “Operating System Market Share from October 2019 to September 2020”, percentage on the y-axis)
Windows 87.67 | Mac OS 9.42 | Linux 2.34 | Chrome OS 0.42 | Unknown 0.14 | BSD 0.01

• Data source: www.netmarketshare.com/operating-system-market-share.aspx

2
3
Searching for Evidence in Windows OS

• File system and the registry


• The key is to know where to look
• Do not use the suspect system itself to carry out a search for
evidence
• Using Windows to search and open files can change the file’s
metadata
• Such changes may cause evidence to be disallowed in court

4
Windows Forensics
• Windows Acquisition
• Windows Volatile Data Acquisition
• Windows Memory Acquisition and Analysis
• Windows File Systems and Registry
• Windows FAT File Systems
• Windows NTFS File System
• Windows Registry
• Windows Forensics Analysis
• Forensics Analysis Preparation
• Windows Artifacts
• Forensic Analysis Tools for Windows

5
Windows Volatile Data Acquisition
• Investigations in Windows involve:
• Acquiring the evidence
• Preserving the evidence
• Analyzing the evidence
• Reporting the evidence

6
Memory
• Volatile sources - can only be recovered while a system is powered
on.
• What kinds of evidence can you obtain from memory?
• Running processes and the system objects/resources with which they interact
• Active network connections
• Loaded drivers
• User credentials (which may be hashed, obfuscated, or even appear in clear text)
• Portions of non-volatile sources of evidence such as the registry, event log, and
Master File Table
• Remnants of previously executed console commands
• Remnants of clear-text data that is otherwise encrypted on disk
• Important data structures within the kernel that provide insight into process
accounting, behavior, and execution

7
Collect Volatile Data from Windows
• System information
• Processes information
• Network information
• Logged on users
• Clipboard contents
• Command history – doskey / history
• MACTime

8
Evidence in Memory
• Can provide the investigator with a snapshot of volatile memory

Pagefile.sys
• Holds important information shifted from RAM
• E.g.: Fragments of decrypted files, and encryption keys or passwords, can still reside there

Hiberfil.sys
• Used by Windows to support the hibernation feature
• Can store a wealth of information about the running machine

Swapfile.sys
• Used to store the idle and other non-active objects ejected from the RAM memory
• Can store a wealth of information about the running machine
9
Evidence in Memory (cont.)
• Pagefile - Pagefile.sys
• A key component of memory architecture in most modern OS
• Data within its virtual memory space may reside in non-contiguous
regions throughout the Pagefile or physical memory

10
Evidence in Memory (cont.)
• Hibernation Files - Hiberfil.sys
• Used by Windows to support the hibernation feature.
• Saves the full contents of physical memory to a file on disk, and
powers down the system.
• Upon powering up, Windows reads the contents of the hibernation
file and writes it back to memory, resulting in a restored and intact
user session.

11
Evidence in Memory (cont.)
• Swap file - Swapfile.sys
• A space on a hard disk used as the virtual memory extension of a
computer’s real memory (RAM).
• The least recently used files in RAM can be swapped out to the hard
disk until they are needed later so that new files can be swapped in
to RAM.

12
Evidence in Memory (cont.)
• Crash Dumps
• Serve as a sort of black box to help developers debug and
troubleshoot the conditions that led to the crash.
• 5 types of memory dumps in Windows 10:
1. Small memory dump (256 KB)
2. Kernel memory dump
3. Complete memory dump
4. Automatic memory dump (default option)
5. Active memory dump

13
Commands to Collect Volatile Data from
Windows

Tool                          Details
date /T; time /T              System date and time
uptime                        When was the system rebooted
psinfo                        System information
ipconfig                      Network interface running in promiscuous mode
tasklist /svc; psservice;     Look for unusual processes and services
pslist
listdlls; process explorer    Currently loaded DLLs
psfile; openfiles             View open files
netstat; fport                Network connections
psloggedon; logonsessions     Logged in users
pclip                         View clipboard contents
Windows Event Viewer          Logs
14
Memory Acquisition Tools
• Host-based
• winen.exe from Guidance Software
• MemoryDD from Mantech
• FTK Imager from Access Data
• Belkasoft Live RAM Capturer https://belkasoft.com/ram-capturer
• Remote
• F-Response by Agile Risk Management LLC
• FTK from Access Data

15
The Volatility Framework
• The open source framework for memory forensics and digital
investigations.
• Support for all flavours of Linux, Windows, MacOS and Android.
• Can analyse raw memory dumps, crash dumps, virtual machine
snapshots, VMware dumps, Microsoft crash dumps, hibernation files,
virtual box dumps, and many others.
• https://www.volatilityfoundation.org/
• https://github.com/volatilityfoundation/volatility/wiki
• A Python based toolkit that can extract information from both Windows and
Linux/Unix memory images
• Plugins: imageinfo, pslist, psscan, thrdscan, dlllist, modules, sockets, sockscan,
connections, connscan, hivelist, malfind
• vol.py -f memfile imageinfo
• vol.py --profile=WinXPSP3x86 connscan -f memfile

16
Tool: Volatility Framework (cont.)

17
Other Volatility Plugins
• Cryptoscan
• Based on “RAM IS KEY: EXTRACTING DISK ENCRYPTION KEYS FROM
VOLATILITY MEMORY” by Brian Kaplan
• https://cryptome.org/0003/RAMisKey.pdf
• Scans a memory image to recover truecrypt passphrases
• vol.py --profile=WinXPSP3x86 cryptoscan -f memfile
• Suspicious
• Displays the command line used in “suspicious” processes
• hivelist and hivescan
• Finds hive offsets in memory images

18
Google Rapid Response (GRR)
• GRR – GRR Framework
• https://grr-doc.readthedocs.io/en/latest/
• https://github.com/google/grr-doc
• An incident response framework, uses a client server architecture
• Focus on remote live forensics
• Client: Python agent for Linux, OS X and Windows
• Server: Ubuntu server 14.04 64 bit

19
Windows Forensics
• Windows Acquisition
• Windows Volatile Data Acquisition
• Windows Memory Acquisition and Analysis
• Windows File Systems and Registry
• Windows FAT File Systems
• Windows NTFS File System
• Windows Registry
• Windows Forensics Analysis
• Forensics Analysis Preparation
• Windows Artifacts
• Forensic Analysis Tools for Windows

20
File Systems
• File system is the place where you will find the “fingerprints”
of the parties that have used the system.
• Function: To effectively manage the available storage space
and index the files for more efficient access for the OS.
• Forensics Goal: To collect that data along with associated
metadata to prove intent.

21
Basic Concepts in Windows
• Clusters
  • The basic storage unit of a disk
  • The piece of storage that an OS can actually place data into
  • Different disk formats have different cluster sizes
• Slack Space
  • A file almost never fills its last cluster completely; the unused
capacity at the end of that last cluster is the slack space

22
File System – Space Management
• Cluster
• Computer stores data in a cluster.
• Cluster is like a container that contains data.
• 1 cluster = 4 sectors

23
File System – Space Management (cont.)
• Allocated cluster
• Allocated cluster is the cluster that is flagged as not available by the
Operating System.
• Simply put, that cluster contains active data.

24
File System – Space Management (cont.)
• Unallocated cluster
• Unallocated cluster is the cluster that is flagged as available by the
Operating System.
• The cluster may still contain data from previously deleted files.

25
File System – Space Management (cont.)
• Slack space
• Slack space is a cluster (or a portion of cluster) that is not being used
by the current data
• May contain no data at all, or data from previous deleted file

26
File System – Space Management (cont.)

27
Windows Directory Structure

28
What does a File System Do?
• Make a structure for an OS to store files
• For users to access them by name, location, date, or other characteristics
• File System Format: the process of turning a partition into a
recognizable file system

Windows file systems:
• File Allocation Table (FAT): FAT 12, FAT 16, FAT 32, exFAT
• NTFS, a file system for Windows NT/2K: NTFS4, NTFS5

29
FAT
• File Allocation Table - most widely used file system within Windows
• Default format used by media such as USB drives
• FAT File System Structure:
• The boot record
• The File Allocation Tables (FAT)
• The root directory
• The data area
• Limitations:
• Maximum file sizes
• Doesn’t support alternate streams
• No native encryption mechanism

30
Boot Record
• The first sector of a FAT 12 or FAT16 volume
• The first 3 sectors of a FAT32 volume
• Defines the volume, the offset of the other three areas
• Contains boot program if it is bootable

31
File Allocation Table
• A lookup table to see which cluster comes next
• File Allocation Table for FAT 16
• One entry is 16 bits representing one cluster
• Each entry can be:
• The cluster contains defective sectors
• The address of the next cluster in the same file
• A special value for “not allocated”
• A special value for “this is the last cluster in the chain”

32
How to Locate a File
• A directory entry that contains the file
• Find the first cluster in the directory (root or subdirectory)
• Find the chain of clusters that contain the data

33
File Deletion and Recovery under FAT
• Deleting a file does not entirely remove its contents from the disk
• The system replaces the first character of the file name with
the hex byte code “E5h”
• Unallocates the file’s clusters in the FAT table
• Recover Folders in FAT Partition
  • Searches through the unallocated clusters that contain “.” and “..” entries
  • Their directory entries were overwritten in the parent directory

34
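The two slides above (locating a file through its directory entry and FAT chain, and what deletion leaves behind) can be shown end to end on a tiny constructed FAT16 volume. The following is an added example, not code from the lecture deck; the directory entries and the table are built in memory with made-up names and cluster numbers, and the cluster size follows the deck’s “1 cluster = 4 sectors” assumption. It decodes a 32-byte directory entry, walks the FAT chain for an active file, recognises the E5h deletion marker, and applies the usual contiguous-allocation heuristic that recovery tools use once the FAT entries have been zeroed.

```python
"""FAT16 directory entry decoding and cluster-chain walking.

Added example for this chapter (not part of the lecture deck). Every
on-disk structure below is constructed in memory with made-up values so the
script runs without a real FAT image.
"""
import struct

# Special FAT16 table values (FAT specification).
FAT16_FREE = 0x0000         # cluster is unallocated
FAT16_BAD = 0xFFF7          # cluster contains defective sectors
FAT16_EOC_MIN = 0xFFF8      # 0xFFF8..0xFFFF: last cluster in the chain
DELETED_MARKER = 0xE5       # first name byte of a deleted directory entry
CLUSTER_SIZE = 4 * 512      # constructed: 4 sectors of 512 bytes, as in the deck


def parse_dir_entry(entry: bytes) -> dict:
    """Decode one 32-byte FAT directory entry.

    Layout: 8.3 name (11 bytes), attributes (1), reserved and timestamps
    (14), first cluster (uint16 LE at offset 26), file size (uint32 LE at 28).
    """
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    raw_name = entry[0:11]
    deleted = raw_name[0] == DELETED_MARKER
    base = raw_name[0:8].decode("ascii", "replace").rstrip()
    ext = raw_name[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        # Only the first character was overwritten with E5h; the rest survives.
        base = "?" + base[1:]
    first_cluster, = struct.unpack_from("<H", entry, 26)
    size, = struct.unpack_from("<I", entry, 28)
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "attributes": entry[11], "first_cluster": first_cluster, "size": size}


def follow_chain(fat: bytes, first_cluster: int) -> list:
    """Walk a FAT16 chain: each table entry holds the next cluster number.

    Raises if the chain hits a free entry (unallocated), a bad cluster, an
    out-of-range value, or a loop; all of these mean the chain is not intact.
    """
    chain, seen, cluster = [], set(), first_cluster
    while True:
        if cluster < 2 or cluster * 2 + 1 >= len(fat):
            raise ValueError(f"cluster {cluster} is outside the FAT")
        if cluster in seen:
            raise ValueError(f"loop detected at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        nxt, = struct.unpack_from("<H", fat, cluster * 2)
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == FAT16_FREE:
            raise ValueError(f"cluster {cluster} is unallocated: chain broken")
        if nxt == FAT16_BAD:
            raise ValueError(f"cluster {cluster} points at a bad cluster")
        cluster = nxt


def clusters_for(entry: dict, fat: bytes, cluster_size: int = CLUSTER_SIZE) -> list:
    """Clusters holding a file. For a deleted file the FAT entries were zeroed,
    so the usual recovery heuristic is applied: assume the file was contiguous
    from its first cluster and take ceil(size / cluster_size) clusters."""
    if not entry["deleted"]:
        return follow_chain(fat, entry["first_cluster"])
    needed = -(-entry["size"] // cluster_size)
    return list(range(entry["first_cluster"], entry["first_cluster"] + needed))


# --- constructed sample volume -------------------------------------------
def make_entry(name83: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    raw = name83.encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARKER]) + raw[1:]
    return raw + bytes([0x20]) + bytes(14) + struct.pack("<HI", first_cluster, size)


def build_sample_fat() -> bytes:
    entries = [0xFFF8, 0xFFFF] + [FAT16_FREE] * 14     # media byte + reserved
    entries[3], entries[4], entries[7] = 4, 7, 0xFFFF  # REPORT.TXT: 3 -> 4 -> 7
    # clusters 5 and 6 held SECRET.DOC; deletion zeroed their FAT entries
    return b"".join(struct.pack("<H", e) for e in entries)


SAMPLE_FAT = build_sample_fat()
SAMPLE_DIR = [make_entry("REPORT  TXT", 3, 5000),
              make_entry("SECRET  DOC", 5, 3000, deleted=True)]

if __name__ == "__main__":
    for raw in SAMPLE_DIR:
        e = parse_dir_entry(raw)
        print(e["name"], "deleted" if e["deleted"] else "active", clusters_for(e, SAMPLE_FAT))
```

Walking the chain of the deleted entry directly fails, because its FAT entries are now zero; that is exactly why recovery has to fall back to the first-cluster-plus-size guess, and why a recovered file whose clusters were not contiguous comes back corrupted.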
System Format

Quick Format
• Zeros out the root directory entries
• Zeros out the file allocation table entries
• The data area is not touched

Full Format
• Writes the hex character F6 or zeros to the whole disk

35
NTFS
• New Technology File System - much more widely used on
modern Windows operating systems these days.
• More stable and secure, and performs at greater speeds than
the FAT file system.
• NTFS is not as compatible with other operating systems as the
FAT file system is.
• Supports all sizes of clusters from 512 bytes up to 64 Kbytes
• Represents character strings in 16-bit Unicode
• Uses 64 bits for addressing the clusters
• Master File Table

36
NTFS Volume Boot Sector
• Begins in the first sector of the partition, can use up to 16
sectors
• Contains:
• Information of volume label and size, the location of the key
metadata files
• Program code to load the OS

37
Master File Table
• A system file created during the formatting of an NTFS volume
• Records every file and directory on the volume, including an
entry for itself
• Records 16 system files
• Each file record stores attributes
  • File Record Header (first 42 bytes) – MFT number, sequence no, link
count, file type, size, etc.
  • $STANDARD_INFORMATION – MAC time, file characteristics (hidden,
system, …)
  • $FILENAME - Up to 255 characters
  • $DATA or associated cluster addresses

38
Master File Table (cont.)
• Each directory stores:
  • Index entries for each file in the folder
  • File name, standard_information
• Directory content
  • $INDEX_ROOT – contains the index entries
  • $INDEX_ALLOCATION (when the entries cannot fit in $INDEX_ROOT)
  • The additional data are stored in index buffers
  • $INDEX_ALLOCATION stores the index buffers’ locations

39
Metafiles
• $MFT
• $MFTMIRR
• $LOGFILE
• $VOLUME
• $ATTRDEF
• $BITMAP
• $BOOT
• $BADCLUS
• $SECURE
• $UPCASE
• $EXTEND

What is happening when you create a file on an NTFS volume?
• The $BITMAP file may be modified
• An allocated MFT record must be created for the file
• An index entry must be created for the file name in the parent
folder’s MFT record or index buffers
• Cluster extent entries must be created in the file’s MFT record if
the file is not contained within the MFT (non-resident)

What is happening when you delete a file on an NTFS volume?
• Its cluster references in the $BITMAP file are changed to zero
• The MFT record for that file is marked for deletion
• Its index entry is deleted
• The entries below it are moved up, thereby overwriting the
deleted entry
• When creating a new record, NTFS overwrites deleted MFT
entries before creating new ones

40
Windows Registry
• Central hierarchical configuration database
• Operating system relies on it
• Contains information about:
  • Hardware including plug and play devices
  • Users information, preferences
  • Support multiple users
  • Application information
  • Network information
• Type “regedit” in the Windows Search.

What can you possibly find from Registry Files?
• Usernames and passwords for programs, e-mail and Internet sites
• A history of Internet sites accessed, including date and time
• A record of Internet searches via Google, Yahoo, etc.
• List of recently accessed files
• A list of programs installed on the system

41
Windows Registry Structure
• Structured in a tree format, where each node in the tree is called a key.
• A key can contain other keys (subkeys) in addition to data values.
(Figure: registry tree in Registry Editor with a key highlighted)

42
Windows Registry Structure (cont.)
Hive Name: Contents
HKEY_CLASSES_ROOT: Contains file association information (configuration
information that tells Windows which program to use to open files).
HKEY_CURRENT_USER: Stores configuration information (related to the
installed software and OS) for the currently logged-in user.
HKEY_LOCAL_MACHINE: Contains the majority of the configuration
information for currently installed programs and the Windows OS itself.
HKEY_USERS: Contains configuration information (user profiles) for
all active users on the system.
HKEY_CURRENT_CONFIG: Does not store information itself; instead, acts as a
pointer to another registry key
(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current).
43
SAM
• Contains user account information for users and groups on the system
• Also contains hashed logon passwords
• Use of SAM
  • Resolves user to SID
  • Find out who was the last one logged in
  • The last four characters of the SID, also known as the relative ID, or RID,
identify specific users in the SAM file
• Identifying last logon using RID
  • Windows stores the last logon time for a user
  • Finding usernames from RID
  • Determine last logon time for the RID

44
SYSTEM
• Determine which control set is active
• Find out time zone, mounted devices
• Computer Name
• Device drivers and drive letter mappings
• The last known good configuration
• Setup information
• Hardware profile
• Finding USB last insertion and removal time
  • USBSTOR under \ControlSet00x\Enum\USBSTOR

45
Windows Event Log and USB Device
Tracking
• Identify the connection and disconnection events associated
with the device
• EventID 2003 associated with USB connected
• EventID 2100 / 2102, associated with USB disconnected
• https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/

46
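The slide gives the event IDs (2003 for a USB connection, 2100/2102 for a disconnection) but not how to turn a list of such events into a usable connection history. The following is an added example, not code from the lecture deck: it pairs connect and disconnect events per device into sessions and keeps the unpaired ones as findings. The CSV layout (time, event_id, device) and all four records are constructed for the demo; a real export from Event Viewer or FullEventLogView has different columns, and the device instance path has to be taken from the event’s XML data.

```python
"""Pair USB connect/disconnect events into connection sessions.

Added example for this chapter (not part of the lecture deck). The event IDs
come from the slide (2003 = connected, 2100/2102 = disconnected). The CSV
columns and every record below are constructed; real Event Viewer exports
look different and need their own parsing.
"""
import csv
from datetime import datetime
from io import StringIO

CONNECT_IDS = {2003}
DISCONNECT_IDS = {2100, 2102}

# Constructed sample: time, event id, device instance path.
SAMPLE_EVENTS_CSV = """time,event_id,device
2020-10-28T09:02:11,2003,USB\\VID_0781&PID_5591\\4C530001234567890123
2020-10-28T09:40:05,2100,USB\\VID_0781&PID_5591\\4C530001234567890123
2020-10-28T10:15:00,2003,USB\\VID_0951&PID_1666\\0019E06B1234
2020-10-28T11:00:30,2102,USB\\VID_1234&PID_0001\\ABCDEF
"""


def parse_events(text: str) -> list:
    """Read the constructed CSV and return records sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({"time": datetime.fromisoformat(row["time"]),
                     "event_id": int(row["event_id"]),
                     "device": row["device"]})
    return sorted(rows, key=lambda r: r["time"])


def usb_sessions(events: list) -> list:
    """Build one session per connect/disconnect pair, per device.

    Unpaired events are kept and annotated rather than dropped: a disconnect
    without a connect, or a connect never followed by a disconnect, is itself
    a finding (log rollover, unclean removal, or a device still attached).
    """
    open_sessions, sessions = {}, []
    for ev in events:
        dev = ev["device"]
        if ev["event_id"] in CONNECT_IDS:
            if dev in open_sessions:
                sessions.append({"device": dev, "connected": open_sessions.pop(dev),
                                 "disconnected": None,
                                 "note": "reconnected without a disconnect event"})
            open_sessions[dev] = ev["time"]
        elif ev["event_id"] in DISCONNECT_IDS:
            start = open_sessions.pop(dev, None)
            sessions.append({"device": dev, "connected": start, "disconnected": ev["time"],
                             "note": None if start else "disconnect without prior connect (log gap?)"})
    for dev, start in open_sessions.items():
        sessions.append({"device": dev, "connected": start, "disconnected": None,
                         "note": "still connected at end of log"})
    return sessions


def duration_seconds(session: dict):
    """Connected time in seconds, or None when either endpoint is unknown."""
    if session["connected"] is None or session["disconnected"] is None:
        return None
    return int((session["disconnected"] - session["connected"]).total_seconds())


if __name__ == "__main__":
    for s in usb_sessions(parse_events(SAMPLE_EVENTS_CSV)):
        print(s["device"], s["connected"], s["disconnected"], duration_seconds(s), s["note"])
```

Cross-checking these sessions against the USBSTOR registry entries from the SYSTEM hive is what ties a device serial number to a time window on the host.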
SOFTWARE
• Contains a list of all installed programs and their settings
• Paths to application files and dirs.
• Use of SOFTWARE
• RegisteredOwner
• RegisteredOrganization
• ProductID
• ProductName
• InstallDate

47
Windows Registry Analysis (cont.)
• Digital forensic investigators can examine the Windows
registry using two methods:

The registry is contained within a forensic image
• In this way, the computer forensic program will be used to investigate
registry files as you do when browsing files/folders using Windows File
Explorer.

Live analysis
• In this method, you can access the registry as you do with any computer
using the Windows built-in registry editor
• e.g., when booting up from the suspect forensic image

48
Windows Registry Analysis (cont.)

The registry is contained within a forensic image
• It is necessary to know where the registry files are stored
• Registry hives are located in the Windows\System32\Config folder

Live analysis
• Type “regedit” in the Windows Search

49
Acquiring Windows Registry
• We can use computer forensics tools to acquire Windows
registry files.
• We can also extract only the registry files from a live system
and store them separately for later analysis (referred to as a “Registry
Image”).
• Tool: AccessData FTK Imager

50
Tool: AccessData FTK Imager
1. Download AccessData FTK Imager and
install it into your USB thumb drive
2. Attach the USB drive that contains FTK
Imager to the suspect machine, open FTK
Image, and go to File menu ➤ Obtain
Protected Files
3. A new dialog appears; select where you
want to store obtained files, and check
the option “Password recovery and all
registry files”. Click the “OK” button.
4. A progress window will appear showing
registry files’ export progress
5. Upon finishing, the window will disappear
6. Go to the directory where you have saved
your registry files to see the results

51
Registry Examination
a) Automatic Startup Locations
b) Installed Program Keys in the Windows Registry
c) USB Device Forensics
d) Most Recently Used List
e) Network Analysis
f) Windows Shutdown Time

52
a) Automatic Startup Locations
• Some applications like antivirus software must run first to stop
any malicious software before Windows gets booted
completely
• Malicious software like keyloggers and botnets can add entries
to the Windows registry in order to launch automatically with
each Windows boot

53
List of autobooted programs can be
found in the registry keys
No Registry Key
1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
8. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
9. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
10. HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
54
List of autobooted programs can be found in the
registry keys (cont.)
No Registry Key
11. HKEY_LOCAL_MACHINE\Wow6432Node\Microsoft\Active Setup\Installed Components
12. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
13. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
14. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
15. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
16. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
17. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
18. HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (64 bit systems only)
19. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
20. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
21. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
55
Tool: Autoruns for Windows v13.96
• Autoruns: Portable utility to investigate all autorun programs
• This tool can be downloaded from
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

56
b) Installed Program Keys in the Windows
Registry
• Windows keeps records of all installed applications in the following
locations in the registry.
• Table below lists the Registry Keys That Hold Information About
Installed Programs (Current and Previous Leftover)
No Registry Key
1. HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL
2. HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL *
3. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL **
4. HKEY_CLASSES_ROOT\INSTALLER\PRODUCTS\<PRODUCT CODE>\SOURCELIST\NET
5. HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\<PRODUCT CODE>\SOURCELIST\NET
*If the suspect’s machine has more than one user, each user will have his/her own set of
software installed on his/her own key under the (HKEY_CURRENT_USER) hive.
**For Windows X64 version.
57
Tool: RegScanner
• Nirsoft offers a free tool called RegScanner
(www.nirsoft.net/utils/regscanner.html)
• A tool used to search the Windows registry according to specific search
criteria entered by the user

58
Tool: RegScanner (cont.)
• In the returned results, user can click any item in this list to go to
the associated value in RegEdit.
• Can export the found registry values into a .reg file.

59
c) USB Device Forensics
• Windows registry also stores important technical information for each
connected USB device such as vendor ID, product ID, revision, and serial
number
• E.g.: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
(Figure: the USBSTOR key location in Registry Editor, with a device serial number highlighted)

60
c) USB Device Forensics (cont.)
(Figure: a USBSTOR subkey name showing the Product ID and Vendor ID)

61
c) USB Device Forensics (cont.)
• E.g.:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

62
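Both the autostart-location slides (a) and the USB device slides (c) come down to reading specific keys out of an exported registry, which is what RegScanner’s .reg export (and any Registry Editor export) gives you. The following is an added example, not code from the lecture deck or from RegScanner: a small parser for the .reg export format, a function that lists the values found under the autostart keys the slides enumerate, and one that breaks USBSTOR subkey names into vendor, product, revision and serial number. The export text is constructed for the demo (the Run entries and the two USB devices are made up); real exports are UTF-16LE files, so read them with encoding="utf-16".

```python
"""Parse a Registry Editor (.reg) export and list autostart entries and
USBSTOR device records from it.

Added example for this chapter, not from the deck or from RegScanner. The
export below is constructed. Real .reg exports are UTF-16LE text: read them
with open(path, encoding="utf-16"). Only REG_SZ and REG_DWORD values are
decoded; other types are kept as the raw text after '='.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')
USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\(?P<dev>[^\\]+)\\(?P<inst>[^\\]+)$", re.I)
DEVICE_RE = re.compile(r"^[^&]+&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$", re.I)

# A subset of the autostart keys listed on the slides; extend as required.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\svchost.exe\" -s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"
"ConfigFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1a2b3c4d&0&000000]
"FriendlyName"="Generic Flash Disk USB Device"
"""


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)      # .reg escapes: \\ and \"


def _decode_value(raw: str):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])         # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)             # REG_DWORD, hex digits
    return raw                              # hex(...) and others: left as text


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: value}} for every key in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _decode_value(m.group("value"))
    return keys


def list_autoruns(reg: dict) -> list:
    """(key, value name, command) for every value under a known autostart key."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    return [(key, name, cmd) for key, values in reg.items()
            if key.lower() in wanted for name, cmd in values.items()]


def list_usb_storage(reg: dict) -> list:
    """One record per USBSTOR device instance: vendor, product, revision, serial."""
    devices = []
    for key, values in reg.items():
        m = USBSTOR_RE.search(key)
        d = DEVICE_RE.match(m.group("dev")) if m else None
        if not d:
            continue
        inst = m.group("inst")
        devices.append({
            "vendor": d.group("ven"), "product": d.group("prod"), "revision": d.group("rev"),
            "serial": inst.split("&")[0],
            # Windows puts '&' as the 2nd character of the instance ID when the
            # device reported no serial number, so that "serial" is not unique.
            "serial_from_device": len(inst) > 1 and inst[1] != "&",
            "friendly_name": values.get("FriendlyName", ""),
        })
    return devices
```

The serial_from_device flag matters in a report: an instance ID such as 6&1a2b3c4d&0&000000 was generated by Windows, not read from the device, so it cannot be used to match the same stick across different computers.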
Tool: USBDeview
• Automate the process of finding information about the current
and previous USB connected devices.
• USBDeview doesn't require any installation process or
additional DLL files. Just run the executable file.
• https://www.nirsoft.net/utils/usb_devices_view.html

63
Tool: USBDeview (cont.)

64
Tool: USBDetective
• Processes USB device artifacts from Windows XP through
Windows 10.
• Support for live system, individual files/folders, and logical
drive processing.
• Need to upgrade to the professional paid version to use all
features.
• https://usbdetective.com

65
Tool: USB Forensic Tracker (USBFT)
• Extracts USB device connection artifacts from a range of locations within
the live system, from mounted forensic images, and from volume shadow
copies.
• Also works on extracted Windows system files and on extracted Mac OSX and
Linux system files.
• http://www.orionforensics.com/forensics-tools/usb-forensic-tracker/

66
d) Most Recently Used List
• Many applications that run on Windows have most recently
used (MRU) lists
• E.g.: Recently opened MS Office files, recently visited web pages
• Table below shows Common Windows Registry History List Keys:
Windows 10
No Registry Key
1. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
2. HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word*\User MRU\LiveId__\File MRU
3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

* Replace “Word” with “Excel,” “Access,” “PowerPoint,” “Outlook,”
67
d) Most Recently Used List (cont.)
(Figure: the File MRU key for Excel in Registry Editor)
68
Other Tools to View Most Recently Used List
• ExecutedProgramsList
  • List of programs and batch files that have executed previously on the
target machine
  • https://www.nirsoft.net/utils/executed_programs_list.html
• OpenSaveFilesView
  • List of files that have been previously opened on the target machine
using the standard open/save dialog box of Windows
  • http://www.nirsoft.net/utils/open_save_files_view.html

69
e) Network Analysis
• The registry lists all network cards that have been used and reveals the
wireless connection profile (name, IP address, subnet mask, DHCP).
• Date the connection was first created and the last date the
connection took place.
• Table below shows Common Windows Registry Keys for Storing
Network Connections
No Registry Key
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

70
Revealing wireless connection (access point)
network properties
(Figure: a NetworkList\Profiles entry in Registry Editor showing the wireless connection details)

71
f) Windows Shutdown Time
• Windows registry records when the system was last closed
down in the following registry key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
• The shutdown value is stored using a binary value

72
Tool: DCode
• To decode it to a readable form, use a tool called DCode from Digital
Detective
• www.digital-detective.net/dcode
(Figure: DCode showing the time decoded into a readable format)

73
Windows Forensics
• Windows Acquisition
• Windows Volatile Data Acquisition
• Windows Memory Acquisition and Analysis
• Windows File Systems and Registry
• Windows FAT File Systems
• Windows NTFS File System
• Windows Registry
• Windows Forensics Analysis
• Forensics Analysis Preparation
• Windows Artifacts
• Forensic Analysis Tools for Windows

74
Forensics Analysis Preparation
• Set time zone
• Start an analysis by looking at the partition table on the suspect
drive
• Retrieve deleted files
• Use data carving technologies to recover hidden data
• Create and examine MAC (modified, created, accessed) times
• Keyword search for terms related to your case
• Check for emails, pictures, Internet data
• Obtain evidence from registry, recycle bin, shortcuts, event logs,
etc.

75
Data/File Carving
• When a file is only partially recovered, regardless of the file
system, we can use file carving to attempt to recover the file
• File carving:
• Often used to recover data from a disk where there has been some
damage or where the file itself is corrupt
• Common method of data recovery when the file metadata has been
damaged
• To extract the data from a single file from the larger set of data
• Most often used to recover files from the unallocated space in a drive
• Reconstructing file fragments by scanning the raw bytes of the disk
and reassembling them - examining the header (the first few bytes)
and footer (the last few bytes) of a file

76
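The slide describes header/footer carving in one sentence; the following added example (not code from the lecture deck) shows the technique working over raw bytes. The “disk image” is constructed in memory from real signatures for JPEG, PNG and PDF with dummy bodies and filler, plus one JPEG header whose footer is missing, so the code has to handle the truncated-file case the slide alludes to. Each complete carve gets a SHA-256 so the object can be referenced in a report.

```python
"""Header/footer file carving over raw bytes.

Added example for this chapter (not part of the lecture deck). The "disk
image" is constructed in memory from a few real file signatures plus filler;
the file bodies are dummy bytes, not real images or PDFs.
"""
import hashlib

# (header, footer) magic bytes for a few common types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(data: bytes, max_size: int = 50_000_000) -> list:
    """Scan raw bytes for every header and pair it with the next footer.

    A header with no footer within max_size is reported as incomplete rather
    than skipped: the file may be truncated or fragmented, and the examiner
    wants to know it was there. Results are sorted by offset.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            foot = data.find(footer, start + len(header), start + max_size)
            if foot < 0:
                found.append({"type": ftype, "offset": start, "length": None,
                              "complete": False, "sha256": None})
                pos = start + 1
                continue
            end = foot + len(footer)
            blob = data[start:end]
            found.append({"type": ftype, "offset": start, "length": len(blob),
                          "complete": True, "sha256": hashlib.sha256(blob).hexdigest()})
            pos = end     # do not look for another header inside this file
    return sorted(found, key=lambda r: r["offset"])


# --- constructed sample image ----------------------------------------------
def build_sample_image() -> bytes:
    jpg = SIGNATURES["jpg"][0] + b"\x00\x10JFIF" + b"A" * 40 + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"B" * 30 + SIGNATURES["png"][1]
    pdf = b"%PDF-1.4\n" + b"C" * 50 + b"\n%%EOF"
    truncated = SIGNATURES["jpg"][0] + b"D" * 20          # header, footer lost
    return (b"\x00" * 64 + jpg + b"\x00" * 16 + png + b"\xff" * 8
            + pdf + b"\x00" * 32 + truncated)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for r in carve(SAMPLE_IMAGE):
        print(r["type"], r["offset"], r["length"], "complete" if r["complete"] else "INCOMPLETE")
```

Two caveats a practitioner should keep in mind: the JPEG footer FFD9 also terminates embedded thumbnails, so a carved JPEG may stop early, and a file whose clusters are not contiguous is not recovered correctly by header/footer carving at all; that is the fragmentation problem the slide mentions, and why carving is a fallback for when file-system metadata is gone.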
Forensics Analysis Preparation
• Set time zone
• Start an analysis by looking at the partition table on the suspect
drive
• Retrieve deleted files
• Use data carving technologies to recover hidden data
• Create and examine MAC (modified, created, accessed) times
• Keyword search for terms related to your case
• Check for emails, pictures, Internet data
• Obtain evidence from registry, recycle bin, shortcuts, event logs,
etc.

77
MAC Times
• Windows records the date and time of a file:
  • Creation (Created)
  • Last Modification (Modified)
  • The date that a file was last accessed (Accessed)
• Linux records the date and time of a file:
  • Change/ctime (Last time the file’s inode was changed)
  • Modification/mtime (Last time the file was written)
  • Access/atime (Last time the file was read)

78
Timeline Analysis
• Holistic view about the succession of events that have happened to
the system.
• Allows investigators to save their investigation time by reducing the
volume of data that needs to be investigated to a specific
timeframe
• Allows investigators to segregate evidence and arrange it
accordingly
• Used to cross-check other aspects of the investigations
• Helps the investigators to re-create the events of the crime and
trace back the steps of suspect/victim
• Expert hackers/criminals alter the data in their computer to alter
the timeline and throw the forensic investigators off track

79
Tool: Autopsy
• To generate a timeline of events for your case using
Autopsy, follow these steps:
1. Launch Autopsy and create a new case.
2. Load image file, Ch04.dd
3. Go to the Tools menu ➤ Timeline.
4. Autopsy will need some time (depending on the supplied
forensic image size) to populate the data for the
timeline.

80
Creating a Timeline Using Autopsy
(cont.)
4. After finishing timeline data population, Autopsy can present data
using three view modes: Bar chart, Detail mode, List mode
(Figure: the Counts (bar chart) view)
81
Creating a Timeline Using Autopsy (cont.)
(Figure: the Details view and the List view)
82
Timeline analysis in detail mode using
Autopsy
(Figure: annotated Autopsy detail-mode screenshot; labelled parts include 3: Date of File Activity, 4: Result Viewer, 5: Content Viewer)
83
Forensics Analysis Preparation
• Set time zone
• Start an analysis by looking at the partition table on the suspect
drive
• Retrieve deleted files
• Use data carving technologies to recover hidden data
• Create and examine MAC (modified, created, accessed) times
• Keyword search for terms related to your case
• Check for emails, pictures, Internet data
• Obtain evidence from registry, recycle bin, shortcuts, event logs,
etc.

84
Windows Recycle Bin Forensics
• Contains files that have been deleted by users but still exist
within the system.
• When a user deletes a file, Windows moves the subject file to
the recycle bin without deleting it permanently.
• Different versions of Windows have different recycle bin file
names and locations.
OS File System Recycle Bin Folder Location
Windows 95/98/ME FAT/FAT32 C:\RECYCLED\INFO2
Windows XP/NT/2000 NTFS C:\RECYCLER\%SID%\INFO
Windows Vista/7/8/10 NTFS C:\$Recycle.Bin\%SID%\

85
Example: Windows 10 Recycle Bin Forensics

• There are .docx and .png and .pdf files on the desktop.

• I delete them and then look at the contents of the recycle bin
and see those files that I just deleted.

86
Example: Windows 10 Recycle Bin Forensics (cont.)

• Run the command prompt as administrator and view hidden files by typing
dir /a; we can see the $Recycle.Bin folder on the first line.

87
Example: Windows 10 Recycle Bin Forensics (cont.)

• Enter into the folder, do dir /a again and then we see the
SID folders.

88
Example: Windows 10 Recycle Bin Forensics (cont.)

• We can see the users and their associated SIDs (security identifiers) by
entering wmic useraccount get name,sid
• I’m currently logged in as fizaa, so that is the folder which my recycle
bin should be stored under.

89
Example: Windows 10 Recycle Bin Forensics (cont.)

• cd S-1-5-21-3660784980-185845555-2208055020-1001
• dir /a

90
Example: Windows 10 Recycle Bin Forensics (cont.)

• The $R file: actual recovery data for those files.
• The $I file: this represents the metadata of the file and when
it was deleted.

91
Example: Windows 10 Recycle Bin Forensics (cont.)
• For example, if I take the $RU8IOLU.pdf file and copy it to the
D:\Forensics Lab\Ch 04 folder, we will see that it is indeed the
original file that was deleted.
• It has been renamed to a random 6-character name with $R prepended
in front of it.

92
Example: Windows 10 Recycle Bin Forensics (cont.)

• Look at one of the $I files by opening it up with notepad.

• We can see the original path and the file name that was
deleted as shown above.

93
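Opening a $I file in Notepad shows the original path but not the deletion time or size, because those fields are binary; the same 8-byte FILETIME encoding is what the Windows Shutdown Time slide decodes with DCode. The following is an added example, not code from the lecture deck or from DCode, that serves both slides: it converts FILETIME values to UTC datetimes and parses a $I record. The $I layout used is the documented Vista-and-later one (8-byte version, 8-byte original size, 8-byte FILETIME, then the path; version 1 uses a fixed 520-byte UTF-16LE field, version 2 on Windows 10 a 4-byte character count followed by the path). The sample $I bytes, the path and the timestamps are constructed.

```python
"""Decode Windows FILETIME values and parse Recycle Bin $I metadata files.

Added example for this chapter (not part of the lecture deck). It covers the
binary ShutdownTime registry value and the $I files from the Recycle Bin
walkthrough. Sample bytes are constructed; path and timestamps are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_filetime_bytes(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian REG_BINARY form (e.g. ShutdownTime)."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return filetime_to_datetime(struct.unpack("<Q", raw)[0])


def parse_recycle_bin_i(data: bytes) -> dict:
    """Parse a $I file; raises on an unknown version or a truncated record."""
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                                   # Vista .. 8.1
        raw_path = data[24:24 + 520]
    elif version == 2:                                 # Windows 10
        nchars, = struct.unpack_from("<I", data, 24)   # includes the NUL
        raw_path = data[28:28 + nchars * 2]
        if len(raw_path) != nchars * 2:
            raise ValueError("$I path field truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def matching_r_name(i_name: str) -> str:
    """$I and $R files share the random 6-character suffix and extension."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# --- constructed samples ----------------------------------------------------
def build_sample_i(version: int = 2) -> bytes:
    path = "C:\\Users\\fizaa\\Desktop\\report.pdf"          # made-up path
    deleted = datetime(2020, 10, 28, 9, 15, 30, tzinfo=timezone.utc)
    head = struct.pack("<QQQ", version, 48_213, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 2:
        return head + struct.pack("<I", len(path) + 1) + encoded
    return head + encoded.ljust(520, b"\x00")


SAMPLE_I = build_sample_i()
SAMPLE_SHUTDOWN = struct.pack("<Q", datetime_to_filetime(       # constructed value
    datetime(2020, 10, 27, 23, 58, 2, tzinfo=timezone.utc)))

if __name__ == "__main__":
    rec = parse_recycle_bin_i(SAMPLE_I)
    print(rec["original_path"], rec["original_size"], rec["deleted_at"].isoformat())
    print("last shutdown:", decode_filetime_bytes(SAMPLE_SHUTDOWN).isoformat())
```

All decoded times are UTC; convert to the suspect machine’s time zone (from the SYSTEM hive, as the earlier “Set time zone” step says) before placing them on a timeline.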
Attributing an Action to Its Associated
User Account
• A suspect Windows PC can have more than one account.
• For each account on a Windows PC, there is a unique number
that distinguishes it called the SID.
• The MS-DOS command (wmic useraccount get name,sid)
can show us the available user accounts and their associated
SIDs of any Windows machine.

94
Web Browsing Activities
• Searching and examining suspect web browsing activities
is a crucial step in a forensic investigation
• URLs that a user visited, cookies and pages downloaded,
and the time of access
• https://www.sandiegouniontribune.com/sdut-chandra-levy-computer-yields-data-on-park-condit-2010oct28-story.html

95
Print
• Printing involves a spooling process handled by the local print provider, which
  • writes the job's content to a spool file (.spl) containing an enhanced metafile (EMF) image of each page, and
  • tracks username, file name and data type in a shadow file (.shd)
• Spooling protects a print job by saving it on disk; the default spool directory is C:\Windows\System32\spool\PRINTERS
• Both files are normally deleted when the job completes, so they are usually recovered from unallocated space, unless the printer's "Keep printed documents" option was enabled

Print (cont.)
• For each print job, two files are created:
  • .shd (shadow file) contains information about the print job: the owner, the printer, the name of the file printed, the fully qualified path, and the printing method (RAW or EMF)
  • .spl (spool file) contains the page contents as .emf pictures
Event Log Analysis
• Windows records important events (both hardware and software events) that have happened to the system, applications, or other services in what is called an event log.
• Recorded events include low memory, failed logons, service starts and stops, and so on. The Security log in particular records successful logons (Event ID 4624), failed logons (4625) and the clearing of the audit log itself (1102), the last of which is a strong indicator of tampering.
• Logs are stored as .evtx files under C:\Windows\System32\winevt\Logs and can be copied out of an image and opened offline.

Event Viewer using Windows 10 OS
• View logged events in Event Viewer by going to Control Panel ➤ Administrative Tools ➤ Computer Management ➤ Event Viewer (or run eventvwr.msc)
Tool: FullEventLogView
• Displays all Windows event logs in one table
• View events stored on a local machine or a remote computer, or examine an exported Windows log file
• An event list can be exported into a TXT or HTML file
• http://www.nirsoft.net/utils/full_event_log_view.html
Other Tools for Event Log Analysis
• Log Parser
  • Queries Windows event logs using the SQL query language
  • www.microsoft.com/en-us/download/details.aspx?id=24659
• Log Parser Lizard GUI
  • Query tool that uses SQL to query Windows event logs, IIS logs, the registry, the file system, Active Directory services, and more
  • www.lizard-labs.com/log_parser_lizard.aspx
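As an added example (not from the lecture or from any of the tools above), here is the detection logic an examiner would run over exported Security-log records to find password guessing: a burst of failed logons (Event ID 4625) from one source, with a flag when a successful logon (4624) followed from the same source. The records are constructed for the example and carry only the four fields the logic needs; a real export from Log Parser or FullEventLogView would be mapped onto those fields first. Keying on the source address rather than the account also catches spraying across many accounts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of a Security-log export (only the fields
# the detection needs). Event ID 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"time": "2020-10-28T09:00:01", "event_id": 4625, "user": "fizaa", "ip": "10.0.0.7"},
    {"time": "2020-10-28T09:00:09", "event_id": 4625, "user": "fizaa", "ip": "10.0.0.7"},
    {"time": "2020-10-28T09:00:20", "event_id": 4625, "user": "fizaa", "ip": "10.0.0.7"},
    {"time": "2020-10-28T09:00:31", "event_id": 4625, "user": "fizaa", "ip": "10.0.0.7"},
    {"time": "2020-10-28T09:00:44", "event_id": 4625, "user": "fizaa", "ip": "10.0.0.7"},
    {"time": "2020-10-28T09:01:02", "event_id": 4624, "user": "fizaa", "ip": "10.0.0.7"},
    {"time": "2020-10-28T09:03:00", "event_id": 4625, "user": "admin", "ip": "10.0.0.9"},
    {"time": "2020-10-28T09:45:00", "event_id": 4625, "user": "admin", "ip": "10.0.0.9"},
    {"time": "2020-10-28T10:00:00", "event_id": 4624, "user": "guest", "ip": "10.0.0.12"},
]


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for every source that produced `threshold` or more
    failed logons (4625) within `window`. Each alert also records whether a later
    successful logon (4624) came from the same source, the case that needs
    immediate follow-up."""
    ordered = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    targeted = defaultdict(set)      # ip -> account names that were tried
    alerts = {}
    for ev in ordered:
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            targeted[ip].add(ev["user"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:       # drop failures that fell out of the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"first_failure": q[0], "failures": len(q),
                              "users": targeted[ip], "succeeded_at": None}
        elif ev["event_id"] == 4624 and ip in alerts and alerts[ip]["succeeded_at"] is None:
            alerts[ip]["succeeded_at"] = ts
    return alerts


if __name__ == "__main__":
    for ip, alert in find_password_guessing(SAMPLE_EVENTS).items():
        print(ip, alert)
```

With the defaults, only 10.0.0.7 is reported: five failures in under a minute followed by a success against the same account. The two failures from 10.0.0.9 are 42 minutes apart and stay below the threshold unless the window is widened.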
Forensic Analysis Tools for Windows
Forensic Analysis
• Autopsy / The Sleuth Kit
• EnCase
• FTK
• OSForensics
• ProDiscover
• Forensic Explorer
Forensic Analysis Tools in Common
Features include:
• Deleted file recovery, including data carving
• MAC times analysis
• Index search and live search
• Signature analysis
• Email analysis
• Hash analysis
• Graphics view
• Internet and website analysis
• Registry, recycle bin, shortcut, and other Windows artifact analysis
Keyword Search
• Index search: data is indexed prior to searching
• Raw/live search: searches non-indexed raw data, including with regular expressions

Bookmark / Tag
• Organize your analysis of a case as a group of selected items
• Helps to write reports
• How to create a bookmark: right-click and select Create Bookmark

Report Generation
• File ➤ Report Wizard
• Includes
  • Case information
  • Bookmarks
  • Flagged graphics
  • File management
  • Supplementary files
  • Location
  • Custom graphic for the report
Autopsy
• Forensics workstation
  • Operating system used: Windows 10 with the Autopsy tool
• Suspect's drive image
  • Files are analyzed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering to hide data from investigators
• Objectives:
  • To analyze the evidence image
  • To generate a report

Recuva
• A recovery program for Windows that is able to undelete files
• Link: https://www.ccleaner.com/recuva/download
• Objective: To recover deleted files from a Windows system
• Steps:
  1. Start the tool and select the type of files you want to recover (e.g. All Files)
  2. Choose the location from which you want to recover files (e.g. the E: drive)
  3. You will see the list of deleted files
  4. Select the files you want to recover and click the Recover button
  5. Give the location where you want to store the recovered files (e.g. the Downloads folder)
• Caveat: Recuva is an end-user undelete utility, not a forensic tool. Run it against a write-blocked clone or a mounted image rather than the original evidence drive, and never write the recovered files back onto the volume being examined, since that overwrites the unallocated space they are being carved from.
Linux Distributions
• Desktop distributions: include a graphical interface and common applications, suitable for home use.
• Server or enterprise distributions: used primarily for business applications, but can also be used as a home server.
• Live-CD distributions: a bootable version of an operating system that is loaded directly into RAM and functions outside of and independently from the target computer's operating system.
Linux System Files
System File           Contents
/etc/exports          File systems exported to remote hosts; might include remote drive mappings
/etc/fstab            File system table of devices and mount points
/var/log/lastlog      Each user's last logon
/var/log/wtmp         Logon and logoff history (binary; read with last)
/var/log/btmp         Failed logon attempts (binary; read with lastb)
/var/run/utmp         Currently logged-on users (binary; read with who or w)
/var/log/auth.log     Authentication events on Debian-derived systems (/var/log/secure on Red Hat-derived systems)
/var/log/dmesg        Kernel ring buffer messages from boot
/var/log/syslog       System log, occasionally called system.log or kernel.log; systemd-based distributions may keep this in the binary journal instead (journalctl)
/etc/shadow           Master password file, containing hashed passwords for the local system
/etc/group            Group memberships for the local system
/etc/passwd           Account information for the local system
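Reading these binary logs without relying on the suspect system's own last and who binaries (which a rootkit may have replaced) is a typical task. The following added example, not part of the lecture, parses wtmp records directly and rebuilds sessions the way last does. It assumes the glibc utmp layout used on x86 and x86_64 Linux (384-byte records; other architectures differ), and the sample file is constructed with the make_record helper so the code runs offline.

```python
import struct
from datetime import datetime, timezone

# glibc `struct utmp` as laid out on x86 and x86_64 Linux: 384 bytes, little-endian.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)          # 384
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def iter_utmp(data):
    """Yield one dict per record; a trailing partial record is ignored."""
    for offset in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, offset)
        ut_type, pid, line, _ut_id, user, host, _term, _exit, _session, sec, _usec = fields[:11]
        yield {
            "offset": offset,
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(sec, timezone.utc),
        }


def sessions_from_wtmp(data):
    """Rebuild login sessions the way `last` does: a USER_PROCESS record opens a session
    on its tty/pty, the next DEAD_PROCESS on the same line closes it, and a BOOT_TIME
    record closes everything still open (the machine went down)."""
    open_sessions = {}
    sessions = []

    def close(start, end, how):
        sessions.append({"user": start["user"], "line": start["line"], "host": start["host"],
                         "start": start["time"], "end": end, "closed_by": how})

    for rec in iter_utmp(data):
        if rec["type"] == USER_PROCESS:
            open_sessions[rec["line"]] = rec
        elif rec["type"] == DEAD_PROCESS:
            start = open_sessions.pop(rec["line"], None)
            if start is not None:
                close(start, rec["time"], "logout")
        elif rec["type"] == BOOT_TIME:
            for start in open_sessions.values():
                close(start, rec["time"], "reboot")
            open_sessions.clear()
    for start in open_sessions.values():
        close(start, None, "still logged in")
    return sessions


def make_record(ut_type, pid, line, user, host, epoch_seconds):
    """Pack one record; only used to construct the sample wtmp below."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(epoch_seconds), 0, 0, 0, 0, 0)


# Constructed sample: a reboot, a remote login that logs out after an hour, and a console
# login that is still active at the end of the file.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "5.4.0", 1603843200),
    make_record(USER_PROCESS, 2210, "pts/0", "fizaa", "10.0.0.7", 1603846800),
    make_record(USER_PROCESS, 2300, "tty1", "root", "", 1603847000),
    make_record(DEAD_PROCESS, 2210, "pts/0", "", "", 1603850400),
])

if __name__ == "__main__":
    for s in sessions_from_wtmp(SAMPLE_WTMP):
        print(s)
```

A run of all-zero (EMPTY) records in the middle of wtmp is worth noting in the report: log-cleaning tools typically overwrite the entries they want to hide rather than removing them.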
Core top-level directories of a Linux
system
Directory   Details
/usr        Most applications and commands live here or in its subdirectories /usr/bin and /usr/sbin. Traditionally /bin held the binaries required at boot and /sbin the system administration binaries that need superuser rights; on current distributions /bin and /sbin are usually symlinks to their /usr counterparts.
/etc        Most system configuration files are stored in this directory.
/home       The home directories for all users, usually named after their usernames.
/root       The home directory for the root user (superuser), which is kept separate from other user home directories.
/dev        Device files that act as stand-ins for the devices they represent. E.g. in Lab 3, /dev/sda is the first non-IDE disk drive on the system, usually the main hard drive.
/var        Subdirectories such as log (often useful for investigations), mail (storing e-mail accounts), and spool (where print jobs are spooled).
File Structures in Ext4
• Support for volumes larger than the 16 TB limit of ext3
• Improved management of large files, using extents (contiguous block ranges) in place of the block-pointer lists described on the following slides, which ext2 and ext3 still use
• Flexible approach to adding file system features
• In UNIX and Linux, everything is considered a file, including disk drives, monitors, tape drives, network interface cards, system memory, and directories
• UNIX files are defined as objects, with properties and methods (actions such as writing, deleting, and reading) that can be performed on them
Components in Linux
A block is the smallest disk allocation unit in the UNIX/Linux file system and can be 512 bytes and up; the block size depends on how the disk volume was initialized.

• Boot block: bootstrap code, i.e. instructions for startup
• Superblock: part of the metadata; specifies the disk geometry and available space and keeps track of all inodes
• Inode block: the first data after the superblock; an inode is assigned to every file and directory
• Data block: where directories and files are stored on a disk drive
Inodes
• Contain file and directory metadata and provide a mechanism for linking data stored in data blocks.
• When a file or directory is created, an inode is assigned that contains the following information:
  • The mode and type of the file or directory
  • The number of links to a file or directory
  • The UID and GID of the file's or directory's owner
  • The number of bytes in the file or directory
  • The file's or directory's last access time and last modified time
  • The inode's last file status change time
  • The block address for the file data
  • The indirect, double-indirect, and triple-indirect block addresses for the file data
  • Current usage status of the inode
  • The number of actual blocks assigned to a file
  • File generation number and version number
  • The continuation inode's link
Inodes (cont.)
• Filename and path: NOT in the inode (they live in directory entries).
• Inodes contain modification, access, and inode change (MAC) times, not filenames; ext4 additionally records a creation time (crtime).
• In the classic UNIX layout described here, an assigned inode has 13 pointers (ext2 and ext3 use the same scheme with 12 direct pointers, 15 in all):
  • Links to data blocks and to other pointers where files are stored.
  • Pointers 1 through 10 link directly to data storage blocks in the disk's data block area and contain block addresses indicating where data is stored on the disk.
  • They are called direct pointers because each one is associated with one block of data storage.
Inodes (cont.)
• As a file grows, the OS provides up to three layers of additional pointers:
  • First layer: the inode's 11th pointer is the (single) indirect pointer
  • Second layer: the 12th pointer is the double-indirect pointer
  • Third layer: the 13th pointer is the triple-indirect pointer
• To expand storage allocation, the OS initiates the original inode's 11th pointer, which links to a block of 128 pointers (the figure assumes 512-byte blocks holding 4-byte block addresses; a 4 KiB block holds 1024).
  • Each of these pointers links directly to one block in the drive's data block area.
  • If all 10 direct pointers in the original inode are consumed with file data, the 11th pointer links to the 128 further pointers.
  • The first pointer in this indirect block points to the file's 11th block.
  • The last of these 128 pointers points to block 138.
Inodes (cont.)
• If more storage is needed, the 12th pointer of the original inode links to a block of 128 pointers.
  • Each of these points to another block of 128 pointers.
  • This second layer of pointers is then linked directly to blocks in the drive's data block area.
  • The first block these double-indirect pointers reach is block 139, and together they cover 128 × 128 = 16,384 blocks.
• If more storage is needed, the 13th pointer links to a block of 128 pointers.
  • Each points to another block of 128 pointers,
  • and each pointer in that second layer points to a third layer of 128 pointers, which finally address data blocks (128 × 128 × 128 = 2,097,152 of them, starting at block 16,523).
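The block numbers above (11, 138, 139) follow from the geometry assumed on the slides: 512-byte blocks holding 4-byte addresses, so 128 addresses per indirect block. The following added example (not part of the lecture material) implements that arithmetic in general form: it maps any logical block number of a file to the pointer path that reaches it, and computes the largest file the 13-pointer scheme can address for a given block size. The parameter names (direct, ppb) are this example's own.

```python
def pointers_per_block(block_size=512, pointer_size=4):
    """Block addresses that fit in one indirect block (128 for the 512-byte blocks used above)."""
    return block_size // pointer_size


def level_start(level, direct=10, ppb=128):
    """1-based number of the first file block reached through a given pointer level."""
    starts = {"direct": 1,
              "single": direct + 1,
              "double": direct + ppb + 1,
              "triple": direct + ppb + ppb ** 2 + 1}
    return starts[level]


def locate_block(n, direct=10, ppb=128):
    """Map the 1-based logical block n of a file to the pointer that reaches it.

    Returns (level, path): level is direct/single/double/triple and path lists the
    0-based slot used in the inode and then in each successive indirect block.
    """
    if n < 1:
        raise ValueError("block numbers start at 1")
    if n <= direct:
        return ("direct", [n - 1])
    n -= direct
    for depth, level in enumerate(("single", "double", "triple"), start=1):
        span = ppb ** depth                     # blocks reachable through this pointer
        if n <= span:
            idx, path = n - 1, []
            for _ in range(depth):              # peel off one indirect-block slot per level
                path.append(idx % ppb)
                idx //= ppb
            return (level, path[::-1])
        n -= span
    raise ValueError("block lies beyond the triple-indirect pointer")


def max_file_size(block_size=512, pointer_size=4, direct=10):
    """Largest file the 13-pointer scheme can address with the given geometry."""
    ppb = pointers_per_block(block_size, pointer_size)
    return (direct + ppb + ppb ** 2 + ppb ** 3) * block_size


if __name__ == "__main__":
    for n in (1, 10, 11, 138, 139, 16522, 16523):
        print(n, locate_block(n))
    print("max file size with 512-byte blocks:", max_file_size())
    print("max file size with 4 KiB blocks:", max_file_size(4096))
```

With 512-byte blocks the scheme tops out just above 1 GiB, which is why larger block sizes (and, in ext4, extents) are used in practice.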
Hard Link
• A pointer that allows accessing the same file by different filenames.
• The filenames refer to the same inode and physical location on a drive.
• Use the ln command to create a hard link.
• Requirement: all names pointing to the same inode have to be on the same file system; a hard link cannot cross volumes.
Hard Link (cont.)
• ls -ia command: view files and their inode numbers
• Inside each inode is a field called the link count that specifies the number of hard links.
  • If two names share the same inode number, the link count is two.
  • If one name is deleted, the link count drops by one.
  • When the link count drops to zero (and no process still holds the file open), the file is effectively deleted.
• ls -a command: see the contents of a directory, including the dot entries
  • . ("dot") refers to the directory itself
  • .. ("dot-dot") refers to the parent directory
  • Both dot and dot-dot count as links, so most directories have at least two hard links.
  • Every subdirectory has a dot-dot reference to its parent, and each one adds to the parent directory's link count.
Symbolic Link
• Also known as "soft links" or "symlinks".
• Pointers to other files; not included in the target's link count.
• Can point to items on other drives or other parts of the network.
• Have an inode of their own, which is NOT the same as the inode of the item they point to.
• Depend on the continued existence of the destination they point to.
• Easy to identify on a running Linux system (ls -l shows an l in the type column and the target after ->).
• Identify their destination by name and path.
• If that name and path no longer exist, the symbolic link stops working (a dangling link).
• ln -s command: create symbolic links.
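Added example, not from the lecture: the hard-link and symbolic-link behaviour of the last three slides, reproduced with Python's os module in a scratch directory so the link counts and inode numbers can be observed rather than read about. The file names are made up for the example; st_nlink and st_ino are the same fields ls -ia and ls -l print.

```python
import os
import tempfile


def link_demo():
    """Create a file, a hard link and a symlink in a scratch directory and record what
    stat()/lstat() report at each step (the same fields `ls -ia` prints)."""
    report = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "notes.txt")
        hard = os.path.join(scratch, "notes-hard.txt")
        soft = os.path.join(scratch, "notes-soft.txt")
        with open(target, "w") as fh:
            fh.write("original content\n")
        report["nlink_initial"] = os.stat(target).st_nlink            # one name -> link count 1

        os.link(target, hard)                                          # ln notes.txt notes-hard.txt
        report["nlink_after_hardlink"] = os.stat(target).st_nlink     # two names, one inode -> 2
        report["same_inode"] = os.stat(target).st_ino == os.stat(hard).st_ino

        os.symlink(target, soft)                                       # ln -s notes.txt notes-soft.txt
        report["symlink_has_own_inode"] = os.lstat(soft).st_ino != os.stat(target).st_ino
        report["nlink_after_symlink"] = os.stat(target).st_nlink      # symlinks do not add to the count
        report["symlink_points_to"] = os.readlink(soft)

        os.remove(target)                                              # rm the original name
        report["nlink_after_unlink"] = os.stat(hard).st_nlink         # data still reachable -> 1
        with open(hard) as fh:
            report["content_via_hardlink"] = fh.read()
        report["symlink_dangling"] = os.path.islink(soft) and not os.path.exists(soft)

        # Directory link counts: "." plus the parent's entry, plus one ".." per subdirectory.
        # ext4 reports this; some file systems (btrfs, for one) report a constant 1 for directories.
        report["dir_nlink_before_mkdir"] = os.stat(scratch).st_nlink
        os.mkdir(os.path.join(scratch, "sub"))
        report["dir_nlink_after_mkdir"] = os.stat(scratch).st_nlink
    return report


if __name__ == "__main__":
    for key, value in link_demo().items():
        print(f"{key:26} {value}")
```

The forensic point is the unlink step: removing the name the user knows about leaves the data fully intact and reachable through the other hard link, and the symlink turns into a dangling pointer that still records the original path.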
Linux Forensics
• Utilities for imaging and basic disk analysis include:
Utility               Details
dd and dcfldd         Copies data from an input file or device to an output file or device; dcfldd adds on-the-fly hashing and progress output
sfdisk and fdisk      Determines the disk structure
grep                  Searches files for instances of an expression or pattern
md5sum and sha1sum    Create and store an MD5 or SHA-1 hash of a file or list of files; both algorithms have known collision attacks, so record a SHA-256 hash (sha256sum) alongside them
file                  Reads file header information in an attempt to ascertain its type, regardless of name or extension
Advantages & Disadvantages of Linux in
Forensics
• Advantages:
  • Software availability and accessibility
  • Efficiency
  • Optimization and customization
  • Support
• Disadvantages:
  • The investigator may need to be specially trained to use Linux
  • Because Linux is an open-source operating system, it is frequently updated
Recognizing Partitions in Linux
• The device is usually /dev/sda, /dev/sdb and so on. A device name refers to the entire disk; partitions are numbered after it (/dev/sda1, /dev/sda2):
  • /dev/hd*: IDE disks on old kernels; /dev/hda is the first IDE hard disk, /dev/hdb the second, and so on
  • /dev/sd*: SCSI or SATA disks; /dev/sda is the first SATA/SCSI hard disk, /dev/sdb the second, and so on
  • Current kernels drive IDE disks through the same libata layer, so they also appear as /dev/sd*; NVMe drives appear as /dev/nvme0n1 (partitions /dev/nvme0n1p1, ...)

List Partitions Under Linux
• Type fdisk -l (lowercase L); lsblk shows the same device tree together with mount points
Hard Disk Analysis
• Steps:
  • Record the system date and time (date) before and after acquisition
  • Make an image of the hard disk using dcfldd, hashing the input as it is read
  • Use md5sum (or sha256sum) on the image and compare with the acquisition hash
  • Mount the copy of the evidence read-only into the file system
  • Capture the drive's forensics data
  • Extract deleted inode (modification/access/change) times
  • Combine evidence for timeline conversion
  • Generate timeline
126
Data Collection
• Forensic Toolkit Preparation
  • To find and collect any important data from a compromised system
  • The toolkit is a pack of statically linked tools such as nc, dd, date, cat, pcat, dmesg and others
  • The investigator mounts the toolkit from removable media
  • To avoid changing the compromised system's metadata, and to avoid trusting binaries on the compromised system, which may have been replaced by a rootkit
Data Collection Using the Toolkit
Steps to collect data
1. Media mounting
  • Mount the toolkit from the external media
  • Calculate the hash value of each collected file
2. Collect the current date, presented in UTC format
3. Cache tables
  • Collect the MAC address cache table
  • Collect the kernel route cache table
4. Collect information about current/pending connections and open TCP/UDP ports

Data Collection Using the Toolkit (cont.)
Steps to collect data (cont.)
5. Acquire a physical memory image
6. List modules loaded in kernel memory
  • Check which modules are currently loaded in memory
  • Analyze the list to detect the presence of an intruder
7. Collect information about all processes, open ports and files
8. Collect suspicious processes
9. Collect information about the compromised system
10. Gather information about the current time
Keyword Searching
• To search for signs of an intrusion, an investigator can use tools:
  • strings: extracts all printable character sequences from binary files and disk images
  • grep: finds patterns such as commands typed by an intruder, IP addresses, passwords, or even fragments of malicious code
  • grep allows sophisticated character-based searches using regular expressions
Linux Digital Forensics Tools
GRR Rapid Response          Remote live forensics for incident response
Mozilla InvestiGator        Real-time digital forensics and investigation platform
Radare2                     Portable reversing framework
The Sleuth Kit              Collection of tools for forensic analysis
Autopsy Forensic Browser    Graphical interface to The Sleuth Kit
Volatility                  Advanced memory forensics framework
guymager                    Forensic imaging tool
dcfldd                      Enhanced version of dd for forensics and security
rdd                         Forensic copy program
Multimedia Forensics
• Involves the set of techniques used for the analysis of multimedia signals like audio, video and images
• Aims:
  • Reveal the history of digital content
  • Identify the acquisition device that produced the data
  • Validate the integrity of the contents
  • Retrieve information from multimedia signals
• Basic branches of multimedia forensics:
  • manipulation detection scenario
  • identification scenario
E.g.: Image Forgery Detection
• Authenticity of digital images has an essential role
• Digital image forgery has been growing
• E.g.: photo manipulation used to deceive or persuade viewers, or for improved storytelling
• Image forgery detection aims to verify the authenticity of a digital image

Photo manipulation
• The mystery of Myanmar's missing umbrella

Photo manipulation (cont.)
A California lawyer is facing license suspension for alleged deceptive advertising by Photoshopping herself into cozy pictures with politicians and celebrities on her official website.
Image Authentication Approaches
• Active image authentication
  • Uses a known authentication code embedded into the image content before the image is sent through an unreliable public channel
  • Verifies the presence of that authentication code by comparing it with the originally inserted code
  • E.g.: digital signature and watermarking
• Passive-blind image authentication
  • Works from the image's pixels alone, with no embedded code and no reference original; e.g. identifies a copied region from the pixel statistics
  • Three categories:
    • Image processing operation detection
    • Device-based image forgery detection
    • Format-based image forgery detection
Active image authentication:
Digital Watermarking
• Hides a message inside a digital signal (e.g., audio, image, or video) for various purposes

Active image authentication:
Digital Signature
• Verifies the authenticity and integrity of a document (e.g., an image)
• A digital signature is usually implemented with a public key cryptosystem, such as RSA or ElGamal
Passive-blind image authentication :
Image Processing Operation Authentication
• Image processing operations that help to identify forgeries:
  • Copy-Move Forgery Detection (CMFD): the copied regions may range from background, object or creature to lettering
  • Re-sampling Detection: check correlations in image regions
  • Blurring Detection: identify blur inconsistencies in various image regions
Copy-Move Detection
• Copy-move forgery copies some region of the image and pastes it at another position in the same image
• The forger usually applies post-processing such as blurring to the pasted region to hide border irregularities between the two areas, so a detector must tolerate small differences rather than look for exact copies only
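The simplest copy-move detector, as an added example that is not part of the lecture material: key every small window of the image by its pixel values, and let pairs of identical windows vote for the displacement between them; a copied region produces many votes for one displacement, random coincidences do not. The test image is constructed with a pasted patch. Because it matches exact pixel values it finds the pristine copy only; the blurred or recompressed copies the slide describes need the same vote-on-displacement idea applied to tolerant block features (quantised DCT coefficients, for instance), which is not shown here.

```python
import random
from collections import defaultdict


def copy_move_matches(img, block=4, min_shift=4):
    """Exact block-matching copy-move detection.

    Every block x block window is keyed by its pixel values; windows with identical
    content that lie at least min_shift pixels apart vote for the displacement vector
    (dy, dx) between them. Returns {(dy, dx): votes}.
    """
    height, width = len(img), len(img[0])
    windows = defaultdict(list)
    for y in range(height - block + 1):
        for x in range(width - block + 1):
            key = tuple(tuple(img[y + dy][x:x + block]) for dy in range(block))
            windows[key].append((y, x))
    votes = defaultdict(int)
    for positions in windows.values():
        for i in range(len(positions)):
            for j in range(i + 1, len(positions)):
                dy = positions[j][0] - positions[i][0]
                dx = positions[j][1] - positions[i][1]
                if abs(dy) >= min_shift or abs(dx) >= min_shift:
                    votes[(dy, dx)] += 1
    return dict(votes)


def dominant_shift(votes, min_votes=8):
    """A copied region produces many windows sharing one displacement; a handful of
    accidental matches does not reach min_votes."""
    if not votes:
        return None
    shift, count = max(votes.items(), key=lambda kv: kv[1])
    return shift if count >= min_votes else None


def make_sample(size=32, copy=True, seed=7):
    """Constructed textured test image (8-bit grayscale as a list of rows); with
    copy=True an 8x8 patch at row 4, column 4 is pasted at row 20, column 16."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(size)] for _ in range(size)]
    if copy:
        for dy in range(8):
            for dx in range(8):
                img[20 + dy][16 + dx] = img[4 + dy][4 + dx]
    return img


if __name__ == "__main__":
    votes = copy_move_matches(make_sample())
    print("dominant shift:", dominant_shift(votes), "votes:", votes.get((16, 12)))
```

An 8x8 patch contains 25 distinct 4x4 windows, so the forged sample yields exactly 25 votes for the displacement (16, 12); the untouched sample yields none. Flat regions (sky, walls) in real photographs produce many identical windows at arbitrary offsets, which is why the minimum-vote threshold, and in practice a larger block size, is needed.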
Blurring Detection
• Find the blurring, enhancements, colour changes and illumination changes in the forged image
• Lighting inconsistency in the composite image can be used for the detection of image tampering
Passive-blind image authentication :
Device-based Image Authentication
• Identifying the device used for acquisition to determine the integrity and authenticity of a given image
  • Sensor noise: the imaging sensors used in capturing devices introduce various defects and create noise in the pixel values; the pattern is characteristic of the individual sensor, so a region with a different pattern did not come from the same camera
  • Chromatic aberration: check the wavelength-dependent displacement the lens imposes on the light
  • Color Filter Array (CFA): identify the correlation between neighbouring pixels that demosaicing introduces; a pasted region breaks it
Passive-blind image authentication :
Format-based Image Authentication
• JPEG compression properties
• Image parameters
  • Image dimensions are used to distinguish between cameras with different sensor resolution
• EXIF metadata parameters
  • The metadata, found in the JPEG header, stores a variety of information about the camera and image
Recognizing a Graphics File
• A graphics file is any picture or graphical depiction that has been stored in digital format.
• It refers to photographs, drawings, or other graphics that don't include any motion or animation.
• A graphics program creates one of three types of graphics files: bitmap, vector and metafile:
  • Bitmap images: a collection of dots or pixels, in a grid format, that form a graphic.
  • Vector graphics: based on mathematical instructions that define lines, curves, text, ovals, and other geometric shapes
  • Metafile graphics: a combination of bitmap and vector
• Two types of programs work with graphics files:
  • Graphics editors and image viewers
Common Terminologies
• Pixel: an abbreviation of the words "picture element"; pixels combine to form an image
• Bit depth: the number of bits stored per pixel, which determines the number of colours available for each pixel in an image
• Resolution: sharpness and clarity of an image
• File format: a particular way to encode information for storage in a computer file
• Image file size: expressed as the number of bytes; it increases with the bit depth of the pixels and the number of pixels comprising an image
• Compression: the method of making image files smaller so that less disk space is used to store them
Bitmap Images
• Bitmap images store graphics information as grids of pixels, short for "picture elements."
  • Each pixel contains programmable information that defines its color, size, and location in the image.
  • When enough pixels appear on the screen, mapped to x (horizontal) and y (vertical) coordinates, an image appears.
• Also referred to as a raster image.
• Quality is lost if raster graphics are scaled to a higher resolution.
• Most images used on computers and the Internet are raster images.
• E.g. .jpg, .gif, .tif, .bmp, .png

Vector Images
• Generated from mathematical information stored in the graphic, which instructs the program opening the image how to display the position, width, length and direction of each shape.
• Preserve quality when the image is enlarged
• Vector images are converted (rasterized) into raster graphics so that they can be used on other systems.
• E.g. .ai (Illustrator), .svg, .eps; note that .psd (Photoshop) is primarily a layered raster format and only holds vector data in individual layers

Metafile Graphics
• Can contain a combination of bitmap/raster and vector data, and have the characteristics of both file types.
• E.g.: scanned photo (bitmap) with text (vector)
• Share the limitations of both:
  • If you enlarge a metafile graphic, the area created with a bitmap loses some resolution, but the vector-formatted area remains sharp and clear.
Image File Formats
• File format is a particular way to encode information for storage in a computer file.
• All image formats differ in their ease of use, the size of the files they produce and their image quality.

Standard Image File Formats
File format                               File extension
Joint Photographic Experts Group (JPEG)   .jpg, .jpeg
Graphics Interchange Format (GIF)         .gif
Tagged Image File Format (TIFF)           .tif, .tiff
Bitmap                                    .bmp
Portable Network Graphics (PNG)           .png

Non-Standard Image File Formats
File format                  File extension
Targa                        .tga
Raster Transfer Language     .rtl
Photoshop                    .psd
Illustrator                  .ai
Freehand                     .fh9
Scalable Vector Graphics     .svg
Paintbrush                   .pcx
Understanding Digital Photograph File
Formats
• Witnesses or suspects can create their own digital photos
• Examining the raw file format
  • Raw file formats and the Exif format
  • Referred to as a digital negative
  • Typically found on many higher-end digital cameras

Understanding Digital Camera File
Formats (cont.)
• Examining the raw file format (cont.)
  • Sensors in the digital camera simply record the pixel values on the camera's memory card
  • Raw format maintains the best picture quality
  • The biggest disadvantage is that it is proprietary, so not all image viewers can display these formats
  • The process of converting raw sensor data into a viewable RGB image is referred to as demosaicing

Understanding Digital Camera File
Formats (cont.)
• Examining the Exchangeable Image File format
  • Exchangeable Image File (Exif) format
  • Commonly used to store digital pictures
  • When a digital photo is taken, information about the device and its settings is stored in the graphics file.
  • With GPS capability, latitude and longitude location data might be recorded

Understanding Digital Camera File
Formats (cont.)
• Examining the Exchangeable Image File format (cont.)
  • Exif format collects metadata
  • Investigators can learn more about the type of digital camera and the environment in which pictures were taken
  • An Exif file stores the metadata near the beginning of the file, in the APP1 segment that follows the JPEG start-of-image marker
  • With tools such as Autopsy, ProDiscover and Exif Reader you can extract the metadata as evidence for your case
  • Caveat: Exif data is easily edited or stripped (social-media uploads routinely remove it), so its content should be corroborated and its absence is not itself proof of anything

Autopsy displaying metadata from an Exif JPEG file

ExifTool displaying metadata from a JPEG file
Data Compression
• Some image formats compress their data
  • GIF, JPEG, PNG
• Others, like BMP, do not compress their data
  • Use data compression tools for those formats
• Data compression
  • Coding of data from a larger to a smaller form
  • Types: lossless compression and lossy compression

Lossless and Lossy Compression
• Lossless compression
  • Reduces file size without removing data
  • Produces an exact replica of the original data after it has been uncompressed
  • Commonly used for text, data files, audio and images (PNG and GIF are lossless image formats)
  • Utilities: WinZip, PKZip, StuffIt, FreeZip, and lzip (all general-purpose lossless compressors)
• Lossy compression
  • Permanently discards bits of information
  • Produces an altered replica of the data
  • Commonly used to compress multimedia such as audio (MP3), video and JPEG files
  • Utilities: the JPEG, MP3 and video encoders themselves (e.g. libjpeg, LAME, ffmpeg); there is no general-purpose lossy compressor for arbitrary files, and lzip is a lossless LZMA compressor, not a lossy one
Locating and Recovering Graphics Files
• Built-in tools in some OSs
  • Time consuming
  • Results are difficult to verify
• Computer forensics tools
  • Image headers: compare them with good header samples. E.g., for an image that you suspect is a JPEG file but cannot display, compare its file header with a known JPEG file header to determine whether the header has been altered; use the header information to create a baseline analysis
  • Reconstruct fragmented image files: identify data patterns; if part of the file header has been overwritten with other data, repair the damaged header; by rebuilding the file header, a forensic analysis of the graphics file can be performed
Identifying Graphics File Fragments
• If a graphics file is fragmented across areas on a disk, you must recover all the fragments before re-creating the file.
• Carving or salvaging
  • Recovering all file fragments
• Computer forensics tools
  • Carve from slack and free space
  • Help identify image file fragments and put them together
  • E.g. X-Ways Forensics, OSForensics, EnCase, and FTK
  • Later, you can use Autopsy and WinHex to copy known data patterns from files you recover and restore this information to view the graphics file
Repairing Damaged Headers
• Use good header samples (known graphic file formats)
• Each image file format has a characteristic file header (magic bytes)
  • JPEG: every JPEG begins FF D8 FF; a JFIF file continues E0 00 10 followed by the string JFIF (the APP0 segment), whereas an Exif file from a camera continues E1 followed by the string Exif (the APP1 segment)
  • Most JPEG files therefore include either the JFIF or the Exif string near offset 6

Rebuilding File Headers
• Try to open the file first and follow these steps if you can't see its content
• Steps
  1. Recover more pieces of the file if needed
  2. Examine the file header
    • Compare it with a good header sample of the same sub-type (JFIF or Exif)
    • Manually insert the correct hexadecimal values
  3. Test the corrected file
Reconstructing File Fragments
• Corrupted data
  • Extract possible data fragments to reconstruct files for evidentiary purposes
• Steps
  1. Locate and export all clusters of the fragmented file
  2. Determine the starting and ending cluster numbers for each fragmented group of clusters
  3. Copy each fragmented group of clusters in its proper sequence to a recovery file
  4. Rebuild the corrupted file's header to make it readable in a graphics viewer
  5. Remember to save the updated recovered data with a .jpg extension

Identifying Unknown File Formats
• The Internet is the best source
  • Search engines like Google
  • Find explanations and viewers
• Popular Web sites
  • www.fileformat.info/format/all.htm
  • http://extension.informer.com/
  • www.martinreddy.net/gfx/

Analyzing Graphics File Headers
• Necessary when you find files your tools do not recognize
• Use a hex editor such as WinHex
• Record the hexadecimal values of the header
• Use good header samples
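The header checks and repair steps of the Repairing Damaged Headers, Rebuilding File Headers and Analyzing Graphics File Headers slides, as an added example that is not part of the lecture material: a magic-byte identifier for the common formats (the check the file utility performs), a walker over JPEG marker segments (which shows whether the file is JFIF or Exif, and therefore which good sample to copy the header from), and the header overwrite itself. The sample JPEGs are constructed in make_sample_jpeg and contain only header segments, no image data.

```python
# Signatures (magic bytes) of the common graphics formats, as found at offset 0.
SIGNATURES = (
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("bmp", b"BM"),
    ("tiff", b"II*\x00"),        # little-endian TIFF
    ("tiff", b"MM\x00*"),        # big-endian TIFF
)


def identify(data):
    """Return the format whose signature starts the data, or None (what `file` does)."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def jpeg_segments(data):
    """Walk the marker segments of a JPEG up to the start of scan.

    Returns [(marker_name, segment_length, identifier)], where identifier is the
    text that opens an APPn segment ("JFIF" for APP0, "Exif" for APP1).
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG or header damaged")
    pos, segments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: end of image
            segments.append(("EOI", 0, ""))
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:
            name = f"APP{marker - 0xE0}"
            ident = payload.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        else:
            name = "SOS" if marker == 0xDA else f"0x{marker:02X}"
            ident = ""
        segments.append((name, length, ident))
        if marker == 0xDA:                      # entropy-coded image data follows
            break
        pos += 2 + length
    return segments


def repair_jpeg_header(damaged, known_good, nbytes=4):
    """Overwrite the first nbytes of a damaged file with those of a good sample
    (step 2 of the rebuild procedure). FF D8 FF is common to every JPEG; the fourth
    byte is E0 for JFIF files and E1 for Exif files, so pick a sample of the same kind."""
    return known_good[:nbytes] + damaged[nbytes:]


def make_sample_jpeg(exif=False):
    """Constructed minimal JPEG: SOI, one APP segment and EOI, no image data."""
    if exif:
        app = b"Exif\x00\x00" + b"II*\x00" + (8).to_bytes(4, "little") + b"\x00\x00" + b"\x00" * 4
        marker = b"\xff\xe1"
    else:
        app = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
        marker = b"\xff\xe0"
    segment = marker + (len(app) + 2).to_bytes(2, "big") + app
    return b"\xff\xd8" + segment + b"\xff\xd9"


if __name__ == "__main__":
    sample = make_sample_jpeg()
    print(identify(sample), jpeg_segments(sample))
    broken = b"\x00" * 4 + sample[4:]
    print(identify(broken), "->", identify(repair_jpeg_header(broken, sample)))
```

The segment walker is also the quickest way to see whether a carved file is complete: a walk that runs off the end before reaching an SOS marker means the header is intact but the image data is missing.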
Tools for Viewing Images
• Use several viewers
  • ThumbsPlus
  • ACDSee
  • QuickView
  • IrfanView
• GUI forensics tools include image viewers
  • ProDiscover
  • EnCase
  • FTK
  • X-Ways Forensics
  • iLook
Steganography and Steganalysis
• Forensics investigators must understand
  • the basis behind steganography
  • steganography techniques
  • the means by which an adversary can defeat steganographic systems (steganalysis)
• Steganography is a form of data hiding in which a message is hidden within another file
  • The file that carries the hidden data is the cover (carrier) medium
  • The cover with the message embedded in it is the stego medium
  • The hidden message itself is the payload
• Both parties communicating via steganography must use the same stego application (and, where the tool supports it, the same passphrase)

Steganography and Steganalysis (cont.)
• Steganography is difficult to detect; the following clues may indicate stego use:
  • Technical capabilities or sophistication of the computer's owner
  • Software clues on the computer
  • Other program files that indicate familiarity with data-hiding methods
  • Multimedia files
  • Type of crime being investigated
Steganography in Graphics Files
• Steganography hides information inside image files
  • An ancient technique
  • Can hide only a limited amount of information
• Two major forms: insertion and substitution
  • Insertion: places data from the secret file into the host file without changing the displayed image
    • The hidden data is not displayed when viewing the host file in its associated program; a JPEG viewer, for instance, stops at the end-of-image marker (FF D9), so anything appended after it is invisible and the only symptom is a file larger than its image content explains
    • You need to analyze the data structure carefully
    • Example: a web page with data hidden in HTML comments

Steganography in Graphics Files (cont.)
• Substitution: replaces bits of the host file with bits of data
  • Usually changes the last two LSBs of each pixel value
  • Detected with steganalysis tools
  • Usually used with image files
  • Audio and video options exist as well
  • Hard to detect
Steganography in Graphics Files (cont.)
• Substitution (cont.)
  • E.g.: in an 8-bit graphics file, each pixel is represented by 8 bits of data
  • The bits are ordered from left to right, such as 11101100
  • The first bit on the left is the most significant bit (MSB), and the last bit on the right is the least significant bit (LSB)
  • If only the last two LSBs of each pixel are changed, the pixel value moves by at most 3 out of 255, and the difference is not noticeable to the eye
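An added example, not from the lecture or any steganography product: LSB substitution as described above, writing a message into the lowest one to three bits of each 8-bit pixel value and reading it back, followed by the "compare with a known-good version" check from the next slide. The cover image is a constructed list of pixel values; a real image would be loaded into the same list form first. The 4-byte length prefix is this example's own framing, not a standard.

```python
import hashlib


def capacity_bytes(n_pixels, bits=2):
    """Payload bytes that fit after the 4-byte length prefix."""
    return n_pixels * bits // 8 - 4


def embed_lsb(pixels, payload, bits=2):
    """Replace the `bits` least-significant bits of successive 8-bit pixel values with
    the payload (a 4-byte big-endian length prefix followed by the message bytes)."""
    if not 1 <= bits <= 7:
        raise ValueError("bits must be between 1 and 7")
    if len(payload) > capacity_bytes(len(pixels), bits):
        raise ValueError("cover image too small for this payload")
    data = len(payload).to_bytes(4, "big") + payload
    bitstream = "".join(f"{byte:08b}" for byte in data)
    mask = (1 << bits) - 1
    stego = list(pixels)
    for i in range(0, len(bitstream), bits):
        chunk = bitstream[i:i + bits].ljust(bits, "0")      # pad the final chunk
        index = i // bits
        stego[index] = (stego[index] & ~mask & 0xFF) | int(chunk, 2)
    return stego


def extract_lsb(pixels, bits=2):
    """Read the LSB plane back; the length prefix tells where the message ends."""
    mask = (1 << bits) - 1
    bitstream = "".join(f"{p & mask:0{bits}b}" for p in pixels)
    length = int(bitstream[:32], 2)
    body = bitstream[32:32 + 8 * length]
    return int(body, 2).to_bytes(length, "big") if length else b""


def compare_images(original, suspect):
    """The 'compare to a known-good version' steganalysis method: hash both and measure
    how many pixels differ and by how much (LSB substitution moves each by at most 2**bits - 1)."""
    deltas = [abs(a - b) for a, b in zip(original, suspect)]
    return {
        "hash_equal": hashlib.sha256(bytes(original)).digest() == hashlib.sha256(bytes(suspect)).digest(),
        "changed_pixels": sum(1 for d in deltas if d),
        "max_delta": max(deltas) if deltas else 0,
    }


# Constructed 8-bit grayscale cover: a smooth ramp of 2000 pixel values.
COVER = [(x * 7 + 13) % 256 for x in range(2000)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at 0930", bits=2)
    print(extract_lsb(stego, bits=2))
    print(compare_images(COVER, stego))
```

The comparison only works when the examiner has the unmodified original; without it, the visual check fails (every change is at most 3 levels) and detection has to rely on the statistics of the bit planes instead.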
Using Steganalysis Tools
• Detect variations of the graphic image
• When the embedding is done well, the hidden data cannot be seen by eye in most cases; statistical tests on the bit planes still can reveal it
• Methods:
  • Compare the suspect file to good or bad image versions (requires a known original)
  • Mathematical calculations verify size and palette color
  • Compare hash values (any change to the pixel data changes the hash, but this only shows that the file differs, not what was hidden)
Identifying Copyright Issues with
Graphics
• Steganography originally incorporated watermarks
  • By inserting digital watermarks into a file
• Digital forensics investigators need to be aware of copyright laws
  • Work closely with the legal department to guard against copyright violations
• Determine whether a photo is from a known copyrighted source
• Copyright laws for the Internet are not clear
• There is no international copyright law
Best Practices for Forensic Graphics
Analysis
• Methods of acquiring evidence should be forensically sound and verifiable
• Document the current condition of the evidence
• Evidence should be captured using hardware/software that is capable of capturing a bit-stream image of the original media
• Prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials
• Preserve integrity:
  • Use write blockers to prevent the evidence from being modified
  • Store evidence in proper directories and folders to ensure no mixing of data from different cases
• Archive to media and maintain in a manner consistent with departmental policy and applicable laws
Video Forensics
• Techniques that utilize computers to process video content and
then apply the results to crime investigations.
• Surveillance camcorders are now almost ubiquitous in modern
cities.
• “traces used to be fingerprints, fibers, documents and the like, but with the
proliferation of multimedia data on the Web, surveillance cameras in cities,
and mobile phones in everyday life we see an enormous growth in
multimedia data that needs to be analyzed by forensic investigators”,
Worring and Cucchiara (2009)
• In video forensics, mining for criminal evidence in videos recorded
by a heterogeneous collection of surveillance camcorders is a
major challenge.

175
Scenario 1
• A group of thieves stole a car with an dragon logo and used it in a
bank robbery.
• The license plate number could not be seen in the video of the
crime scene because of the viewing angle problem.
• Therefore, detectives used a rotation, scaling, and translation
invariant object detection algorithm (RST-invariant) to search for
the dragon logo in videos recorded by the CCTV mounted in the
neighborhood of the crime scene.
• If the detectives can identify the car in some of the video clips and
see the license plate number clearly, then the search time can be
reduced significantly.

176
Scenario 2
• A lady was robbed and the CCTV in the area recorded the whole
incident.
• However, the CCTV mounted at the actual location of the robbery only
captured a profile of the thief.
• Therefore, the police analyzed the posture of the suspect and compared
it with the posture of all pedestrians recorded by the CCTVs in the area.
• Then, the posture that were closest to the suspect’s posture formed a
candidate set.
• Since the search space could be reduced significantly by comparing the
subject’s posture, the police only needed to check the height of the
subjects, the color of their clothes, and other features to identify the
suspect.
• Of course, a frontal shot of the suspect’s face would be the ideal view.
177
Scenario 3
• The general manager of a high-tech company was killed on the fifth floor
of the company’s building.
• The suspect took the elevator to the first floor and was picked up by a
white van.
• The CCTV at the front door of the building captured an image of the side
of the van, but did not provide any clue about the license plate number.
• Detectives checked the CCTVs captured by neighboring camcorders and
found a good shot of the license plate, but the characters were blurred
due to the distance.
• The police contacted a famous image processing laboratory, which used a
systematic method to distinguish the license plate number.
• The police then used the license plate number to identify the owner of
the van and traced his/her cellular phone record.
• Based on the communications between the suspect and the person who
gave instructions, the police were able to solve the crime.
178
Scenario 4
• In the early hours of July 3, 2015, an old lady was hit by a
speeding car at the intersection of Jalan Satu and Jalan Dua.
• The car then sped away westbound along Jalan Dua.
• The police retrieved the surveillance videos captured by all
buses that were in the neighborhood during that period.
• They used these videos to analyze potential escape paths that
the suspects may take.

179
Technologies Needed for Video Forensics
Blurred License Plate Image Recognition
• Under certain conditions, a suspect car or a human subject grabbed
directly from a video is usually blurred.
• An appropriate image/video processing technique must not modify the
content.
Rotation-Translation-Scaling Invariant (RST-invariant) Object Recognition
• A method for object recognition that can recognize patterns even when
they are deformed by rotation, scaling, translation, or a combination
of these.
Trajectory Analysis on Moving Objects
• Event detection in a large surveillance video database.
• Forensic cases involve objects that fell from an elevated position.
Video Inpainting
• Used as a video enhancement tool to repair digital videos.
• Used to transform cultural artifacts such as vintage videos/films into
digital formats.

180
E.g.: Blurred License Plate Image Recognition
E.g.: Rotation-Translation-Scaling Invariant (RST-invariant) Object Recognition

181
E.g.: Trajectory Analysis on Moving Objects
E.g.: Video Inpainting

182
Audio Forensics
• Acquisition, analysis, and evaluation of audio recordings that
may ultimately be presented as admissible evidence in a court
of law or some other official venue.
• The principal concerns of audio forensics are:
i. Establishing the authenticity of audio evidence
ii. Performing enhancement of audio recordings to improve speech
intelligibility and the audibility of low-level sounds
iii. Interpreting and documenting sonic evidence, such as identifying
talkers, transcribing dialog, and reconstructing crime or accident
scenes and timelines
• Popular tools: Audacity, iZotope RX, Adobe Audition, and Pro
Tools
183
E.g.: Modern digital speech
enhancement technique
• Used for cleaning up a surveillance recording prior to preparing a
transcript.
• The court may need to be convinced that the “enhancement” could not
have changed the meaning or interpretation of the recorded dialog.

184
Well-known forensic audio cases
• Assassination of President Kennedy.
• Interpretation of background sounds from cockpit voice
recorder (black box) data.
• The use of voice identification techniques for authenticating
recordings of Osama bin Laden and other terrorists.

185
Standard approach for assessing the
authenticity of forensic audio recordings
1. Physically observe the entire length of the audio recordings.
2. Document the total length and mechanical integrity of the
audio recordings.
3. Verify that the recording is continuous with no unexplained
stop/start sequences or erasures.
4. Perform critical listening of the entire tape.
5. Use nondestructive signal processing as needed for
intelligibility enhancement.

186
Audio Analysis
• Waveform analysis
• Waveform display reflects graphically the relationship between the
time and amplitude of recorded sounds and allows the identification
and comparison of record events on evidence.
• An unnatural waveform present in the audio or video signal may
indicate that an edit has been made.
• Spectrographic analysis
• To display the recorded material in time, frequency, and amplitude.
• Its distinctive display is used to further study the effects of record
events.
• Scanning software
• To search for indicators of digital editing.
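A minimal version of the waveform scan described above (sample-to-sample change compared against a local baseline), added here as an example and not part of the lecture slides; the sample rate, tones and cut points are constructed values.

```python
"""Scanning a waveform for an unnatural discontinuity (a crude splice).

Added example, not from the lecture slides. Signals are constructed in
memory as floating-point PCM samples; no audio file or library is used.
A tone cut at a peak with a second tone appended from a trough gives the
abrupt jump an examiner looks for; the same pair joined at a zero
crossing is the control case that this simple scanner cannot see.
"""
import math

SAMPLE_RATE = 8000  # Hz, constructed value for the demo

def make_tone(freq_hz, seconds, phase=0.0, amplitude=0.5):
    """Constructed test signal: a pure sine tone as a list of samples."""
    n = int(SAMPLE_RATE * seconds)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE + phase)
            for i in range(n)]

def splice(head, tail, cut_at):
    """Simulated edit: keep head[:cut_at] and append tail unchanged."""
    return head[:cut_at] + tail

def find_discontinuities(samples, window=64, ratio=3.0):
    """Return indices of samples that begin an abrupt jump: a sample-to-sample
    change more than `ratio` times the largest change in the preceding
    `window` samples, i.e. far steeper than the local material so far."""
    diffs = [abs(samples[i] - samples[i - 1]) for i in range(1, len(samples))]
    hits = []
    for i in range(window, len(diffs)):
        baseline = max(diffs[i - window:i])
        if baseline > 0 and diffs[i] > ratio * baseline:
            hits.append(i + 1)  # diffs[i] lies between samples i and i+1
    return hits

def crude_splice_demo():
    """500 Hz tone cut just after a peak (+0.5), 700 Hz tone starting at -0.5."""
    head = make_tone(500, 0.2)                      # period = 16 samples
    tail = make_tone(700, 0.2, phase=-math.pi / 2)  # first sample is a trough
    return splice(head, tail, cut_at=805)           # head[804] is a peak

def clean_splice_demo():
    """Same tones joined at a zero crossing: no jump for this scanner to see."""
    head = make_tone(500, 0.2)
    tail = make_tone(700, 0.2)                      # first sample is 0.0
    return splice(head, tail, cut_at=800)           # head[800] would be 0.0

if __name__ == "__main__":
    print("crude splice flagged at:", find_discontinuities(crude_splice_demo()))
    print("clean splice flagged at:", find_discontinuities(clean_splice_demo()))
```

A splice made at a zero crossing leaves no amplitude jump for this check to find, which is why waveform analysis is paired with spectrographic analysis and dedicated scanning software.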

187
How Audio Analysis Of Gunshots Helps
Solve Crimes

Reference: https://www.wbur.org/hereandnow/2017/05/25/audio-analysis-gunshots
188
Summary
• To investigate digital evidence effectively, it is important to
understand how operating systems work and how they store
files.
• It is also important to authenticate related digital graphics,
videos and audio, as these are popularly used as supporting
evidence.

189
