Unit Ii CF

This document provides an overview of evidence collection and forensics tools. It discusses processing crime scenes, identifying digital evidence, current forensics tools, and the general tasks of collecting, preserving, analyzing and verifying digital evidence. It also covers understanding rules of evidence for digital data and collecting evidence in private sector incident scenes and law enforcement crime scenes.

Uploaded by

MATHESWARAN P

UNIT II
EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Working with Windows and DOS Systems. Current Computer Forensics Tools: Software/Hardware Tools.

Processing Crime and Incident Scenes
• As the world becomes more global or “flat” in nature, you need to be aware of how laws are interpreted in other countries.
• As more countries establish e-laws and more cases go to court, the laws must be applied consistently.
• Cases of fraud and money laundering are becoming more of a global or international issue, and crimes against consumers can originate from anywhere in the world.
• Computers and digital evidence seized in one U.S. jurisdiction might affect a case that’s worldwide in scope.
• To address these issues, this chapter explains how to
Identifying Digital Evidence
• Digital evidence can be any information stored or transmitted in digital form.
• U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that’s related to a criminal or civil incident.
• Courts in other countries are still updating their laws to take digital evidence into account. Some require that all digital evidence be printed out to be presented in court.
• Groups such as the Scientific Working Group on Digital Evidence (SWGDE; www.swgde.org) and the International Organization on Computer Evidence (IOCE; www.ioce.org) set standards for recovering, preserving, and examining digital evidence.

Following are the general tasks that investigators perform when working with digital evidence:
• Identify digital information or artifacts that can be used as evidence.
• Collect, preserve, and document evidence.
• Analyze, identify, and organize evidence.
• Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

• Collecting computers and processing a criminal or incident scene must be done systematically.
• To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one person should collect and catalog digital evidence at a crime scene or lab, if practical.

• An important challenge investigators face today is establishing recognized standards for digital evidence.
• For example, cases involving several police raids are being conducted simultaneously in several countries.
• As a result, you have multiple sites where evidence was seized and hundreds of pieces of digital evidence, including hard drives, cell phones, memory sticks, PDAs, and other storage devices.
Understanding Rules of Evidence
• You must handle all evidence consistently.
• Apply the same security and accountability controls for evidence whether you are working under a state’s rules of evidence or the Federal Rules of Evidence.
• Evidence admitted in a criminal case might also be used in a civil suit, and vice versa.
• As part of your professional growth, keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence.

• Digital evidence is unlike other physical evidence because it can be changed more easily. The only way to detect these changes is to compare the original data with a duplicate (and even then the changes can be hard to distinguish, so digital evidence requires special legal consideration).
• Most courts have interpreted computer records as hearsay evidence. (Hearsay is any out-of-court statement presented in court to prove the truth of an assertion.)
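Comparing the original data with a duplicate is done in practice by hashing both and, when the digests disagree, locating where the copy diverges. The Python below is an added example for this unit, not code from the slides or from any forensic product; the evidence bytes are constructed inline and a 512-byte sector size is assumed for reporting which sector changed.

```python
import hashlib

SECTOR_SIZE = 512  # assumed sector size, used only to report where a change lies


def hash_image(data: bytes) -> dict:
    """Return the MD5 and SHA-256 digests of an evidence image.

    Both values are normally recorded at acquisition time so that any later
    copy can be checked against them.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_duplicate(original: bytes, duplicate: bytes) -> dict:
    """Compare a duplicate against the original and locate the first change.

    A digest mismatch only says that something differs; the byte-level scan
    identifies the offset (and therefore the sector) that has to be explained.
    """
    expected = hash_image(original)
    actual = hash_image(duplicate)
    result = {
        "match": expected == actual,
        "expected": expected,
        "actual": actual,
        "first_diff_offset": None,
        "first_diff_sector": None,
    }
    if not result["match"]:
        limit = min(len(original), len(duplicate))
        # First differing byte, or the end of the shorter buffer if one is truncated
        offset = next((i for i in range(limit) if original[i] != duplicate[i]), limit)
        result["first_diff_offset"] = offset
        result["first_diff_sector"] = offset // SECTOR_SIZE
    return result


# Constructed sample "image": four 512-byte sectors of a repeating byte pattern
ORIGINAL_IMAGE = bytes(range(256)) * 8

# Constructed duplicate with a single bit flipped in the third sector (offset 1500)
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[1500] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    good = verify_duplicate(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE))
    bad = verify_duplicate(ORIGINAL_IMAGE, TAMPERED_IMAGE)
    print("exact copy verifies:", good["match"])
    print("tampered copy verifies:", bad["match"],
          "first difference at byte", bad["first_diff_offset"],
          "in sector", bad["first_diff_sector"])
```

Recording both digests at acquisition and re-running verify_duplicate on every working copy is what lets an examiner state that the copy analysed is the same data that was seized; the offset report turns a bare "hashes differ" into something that can be documented and investigated.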
• Computer records are usually divided into computer-generated records and computer-stored records.
• Computer-generated records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates.
• Computer-stored records, however, are electronic data that a person creates and saves on a computer, such as a spreadsheet or word processing document.

• Computer records must also be shown to be authentic and trustworthy to be admitted into evidence.
• Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic, as does using established computer forensics software tools.
• Courts have consistently ruled that computer forensics investigators don’t have to be subject matter experts on the tools they use.

• Agents and prosecutors occasionally express concern that a printout of a computer-stored electronic file might not qualify as an original document, according to the best evidence rule.
• In its most fundamental form, the original file is a collection of 0s and 1s; in contrast, the printout is the result of manipulating the file through a complicated series of electronic and mechanical processes.
• To address this concern about original evidence, the Federal Rules of Evidence state that, instead of producing hard disks in court, attorneys can submit printed copies of files as evidence.
Collecting Evidence in Private-Sector Incident Scenes
• A special category of private-sector businesses includes ISPs and other communication companies.
• ISPs can investigate computer abuse committed by their employees, but not by customers.
• ISPs must preserve customer privacy, especially when dealing with e-mail.

• The Patriot Act of 2001 has redefined how ISPs and large corporate Internet users operate and maintain their records.
• ISPs and other communication companies now can investigate customers’ activities that are deemed to create an emergency situation, such as finding a bomb threat in an e-mail message.

• Investigating and controlling computer incident scenes in the corporate environment is much easier than in the criminal environment.
• In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated.
• For example, most companies use a single Web browser, such as Microsoft Internet Explorer, Mozilla Firefox, or KDE Konqueror. Knowing which browser a suspect used to
• If a corporate investigator finds that an employee is committing or has committed a crime, the employer can file a criminal complaint with the police.
• Employers are usually interested in enforcing company policy, not seeking out and prosecuting employees, so typically they approve computer investigations only to identify employees who are misusing company assets.

• Corporate investigators are, therefore, primarily concerned with protecting company assets.
• If you discover evidence of a crime during a company policy investigation, first determine whether the incident meets the elements of criminal law.
• Next, inform management of the incident; they might have other concerns, such as protecting confidential business data that might be included with the criminal evidence.

• After you submit evidence containing sensitive information to the police, it becomes public record.
• Public record laws do include exceptions for protecting sensitive corporate information; ultimately, however, a judge decides what to protect.

• One example of a company policy violation involves employees observing another employee accessing pornographic Web sites.
• If the organization needs evidence, you could start by extracting log file data from the proxy server (used to connect a company LAN to the Internet) and conducting a forensic examination of the subject’s computer.

• Suppose that during your examination, you find adult and child pornography. Further examination of the subject’s hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation’s hard drive.
• In the United States, possessing child pornography is a crime under federal and state criminal statutes.
Processing Law Enforcement Crime Scenes
• To process a crime scene properly, you must be familiar with criminal rules of search and seizure.
• You should also understand how a search warrant works and what to do when you process one.
• A law enforcement officer can search for and seize criminal evidence only with probable cause.
• With probable cause, a police officer can
Understanding Concepts and Terms Used in Warrants
• Many computing investigations involve large amounts of data, involving terabytes of information. Unrelated information (referred to as innocent information) is often included with the evidence you’re trying to recover.
• This unrelated information might be personal and private records of innocent people or confidential business information.

• When you find commingled evidence, judges often issue a limiting phrase to the warrant, which allows the police to separate innocent information from evidence. The warrant must list which items can be seized.
• Plain view doctrine: the plain view doctrine states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence.
Preparing for a Search
• Preparing for a computer search and seizure is probably the most important step in computing investigations.
• The better you prepare, the smoother your investigation will be.
• The following sections discuss the tasks you should complete before you search for evidence.
Identifying the Nature of the Case
• If you can identify the computing system, estimate the size of the drive on the suspect’s computer and how many computers you have to process at the scene. Also, determine which OSs and hardware might be involved and whether the evidence is located on a Microsoft, Linux, UNIX, Macintosh, or mainframe computer.
• For corporate investigators, configuration management databases make this step
Determining Whether You Can Seize a Computer
• Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab.
• If removing the computers will irreparably harm a business, the computers should not be taken offsite, unless you have disclosed the effect of the seizure to the judge.

• An additional complication is files stored offsite that are accessed remotely. You must decide whether the drives containing those files need to be examined.
• Another consideration is the availability of online data storage services that rent space, which essentially can’t be located physically.
• The data is stored on drives where data from many other subscribers might be stored.
Obtaining a Detailed Description of the Location
• Environmental and safety issues are the primary concerns during this process.
• Some computer cases involve dangerous settings, such as a drug bust of a methamphetamine lab or a terrorist attack using biological, chemical, or nuclear contaminants.
• For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.
Using Additional Technical Expertise
• Suppose you’re assigned to process a crime scene at a data center running Microsoft Windows servers with several RAID drives and high-end UNIX servers.
• If you’re the leader of this investigation, you must identify the additional skills needed to process the crime scene, such as how to acquire data from RAID servers and how much data you can acquire.

• RAID servers typically process several terabytes of data, and standard imaging tools might not be able to handle these large data sets.
• When working at high-end computing facilities, identify the applications the suspect uses, such as Oracle databases. You might need to recruit an Oracle specialist or site support staff to help extract data for the investigation.
• Finding the right person can be an even bigger challenge than conducting the investigation.
Determining the Tools You Need
• After you have gathered as much information as possible about the incident or crime scene, you can start listing what you need at the scene.
• Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene.

• Your initial-response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible.
• (The slide’s table of items you might need at the scene, listing the tools for an initial-response field kit, is not reproduced here.)

• Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene.
• In some computing investigations, responding slowly might result in the loss of important evidence for the case.
Securing a Computer Incident or Crime Scene
• If you’re in charge of securing a computer incident or crime scene, use yellow barrier tape to prevent bystanders from accidentally entering the scene.
• Use police officers or security guards to prevent others from entering the scene.
• Access to the scene should be restricted to only those people who have a specific reason to be there.

• Computers can also contain actual physical evidence, such as DNA evidence or fingerprints on keyboards.
• Crime labs can use special vacuums to extract DNA residue from a keyboard to compare with other DNA samples.
• Evidence is commonly lost or corrupted because of professional curiosity, which involves police officers and other professionals who aren’t part of the crime scene processing team.

• They just have a compelling interest in seeing what happened.
• Their presence could contaminate the scene directly or indirectly.
• You must protect all digital evidence, so make sure no one examines a suspect’s computer before you can capture and preserve an image of the hard disk.
Working with Windows and DOS Systems
Objectives
• Explain the purpose and structure of file systems
• Describe Microsoft file structures
• Explain the structure of New Technology File System (NTFS) disks
• List some options for decrypting drives encrypted with whole disk encryption
• Explain how the Windows Registry works
• Describe Microsoft startup tasks
• Describe MS-DOS startup tasks
• Explain the purpose of a virtual machine
Understanding File Systems
• File system
  • Gives the OS a road map to data on a disk
  • The type of file system an OS uses determines how data is stored on the disk
  • A file system is usually directly related to an OS
• When you need to access a suspect’s computer to acquire or inspect data
  • You should be familiar with the computer’s platform
Understanding the Boot Sequence
• Complementary Metal Oxide Semiconductor (CMOS)
  • The computer stores system configuration and date and time information in the CMOS when power to the system is off
• Basic Input/Output System (BIOS)
  • Contains programs that perform input and output at the hardware level
• Bootstrap process
  • Contained in ROM, tells the computer how to proceed
  • Displays the key or keys you press to open the CMOS setup screen
• CMOS should be modified to boot from a forensic floppy disk or CD
Understanding Disk Drives
• Disk drives are made up of one or more platters coated with magnetic material
• Disk drive components
  • Geometry
  • Head
  • Tracks
  • Cylinders
  • Sectors
• Properties handled at the drive’s hardware or firmware level
  • Zoned bit recording (ZBR)
  • Track density
  • Areal density
  • Head and cylinder skew
Exploring Microsoft File Structures
• In Microsoft file structures, sectors are grouped to form clusters
  • Storage allocation units of one or more sectors
• Clusters are typically 512, 1024, 2048, 4096, or more bytes each
• Combining sectors minimizes the overhead of writing or reading files to a disk
• Clusters are numbered sequentially starting at 2
  • The first sector of all disks contains a system area, the boot record, and a file structure database
• The OS assigns these cluster numbers, called logical addresses
• Sector numbers are called physical addresses
• Clusters and their addresses are specific to a logical disk drive, which is a disk partition
Disk Partitions
• A partition is a logical drive
• FAT16 does not recognize disks larger than 2 MB
  • Large disks have to be partitioned
• Hidden partitions or voids
  • Large unused gaps between partitions on a disk
• Partition gap
  • Unused space between partitions
• A disk editor utility can alter information in the partition table
  • To hide a partition
• You can examine a partition’s physical level with a disk editor:
  • Norton DiskEdit, WinHex, or Hex Workshop
  • Analyze the key hexadecimal codes the OS uses to identify and maintain the file system
• Hex Workshop allows you to identify file headers
  • To identify file types with or without an extension
Master Boot Record
• On Windows and DOS computer systems
  • The boot disk contains a file called the Master Boot Record (MBR)
• The MBR stores information about partitions on a disk and their locations, size, and other important items
• Several software products can modify the MBR, such as Partition Magic’s Boot Magic
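The partition table and the partition gaps described above can be read directly from the MBR sector, which is what a disk editor shows you in hex. The Python below is an added example for this unit, not code from the slides or from any named disk editor. It assumes the classic MBR layout (four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and the conventional partition type codes; the sample sector and the 1024000-sector disk size are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow, then 0x55AA
BOOT_SIGNATURE = b"\x55\xAA"

# Conventional MBR partition type codes (a subset)
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def decode_chs(raw: bytes) -> tuple:
    """Unpack the 3-byte CHS field: head, 6-bit sector with the two high
    cylinder bits, then the low cylinder byte."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        base = PARTITION_TABLE_OFFSET + 16 * i
        entry = mbr[base:base + 16]
        ptype = entry[4]
        if ptype == 0:
            continue  # unused slot
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({
            "index": i,
            "bootable": entry[0] == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "chs_start": decode_chs(entry[1:4]),
            "chs_end": decode_chs(entry[5:8]),
            "lba_start": lba_start,
            "sectors": sectors,
            "lba_end": lba_start + sectors - 1,
        })
    return parts


def find_gaps(parts: list, total_sectors: int) -> list:
    """Return (start_sector, length) for every run of sectors that belongs to
    no partition: the space after the MBR, gaps between partitions, and any
    tail. Large gaps are where hidden partitions or voids would sit."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] < cursor:
            raise ValueError(f"partition {p['index']} overlaps an earlier partition")
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = p["lba_start"] + p["sectors"]
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def _entry(bootable, ptype, lba_start, sectors,
           chs_start=b"\xFE\xFF\xFF", chs_end=b"\xFE\xFF\xFF"):
    """Build one 16-byte partition entry for the constructed sample."""
    return (bytes([0x80 if bootable else 0x00]) + chs_start + bytes([ptype])
            + chs_end + struct.pack("<II", lba_start, sectors))


# Constructed sample: an NTFS system partition, a FAT32 partition, two empty slots
SAMPLE_MBR = (bytes(PARTITION_TABLE_OFFSET)
              + _entry(True, 0x07, 63, 204800, chs_start=b"\x01\x01\x00")
              + _entry(False, 0x0B, 409600, 102400)
              + bytes(32) + BOOT_SIGNATURE)
SAMPLE_DISK_SECTORS = 1024000  # assumed size of the constructed disk


if __name__ == "__main__":
    partitions = parse_mbr(SAMPLE_MBR)
    for p in partitions:
        print(f"#{p['index']} {p['type_name']:<14} LBA {p['lba_start']}-{p['lba_end']}"
              f" bootable={p['bootable']} CHS start={p['chs_start']}")
    for start, length in find_gaps(partitions, SAMPLE_DISK_SECTORS):
        print(f"unallocated: sectors {start}-{start + length - 1} ({length * SECTOR_SIZE} bytes)")
```

A small gap after the MBR (the rest of track 0) and a small tail are normal; a large gap between two partitions is the kind of void worth opening in a disk editor, because a partition whose table entry has been zeroed leaves its data in exactly that space.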
Examining FAT Disks
• File Allocation Table (FAT)
  • File structure database that Microsoft originally designed for floppy disks
  • Used before Windows NT and 2000
• The FAT database is typically written to a disk’s outermost track and contains:
  • Filenames, directory names, date and time stamps, the starting cluster number, and file attributes
• FAT versions
  • FAT12, FAT16, FAT32, and VFAT
• Cluster sizes vary according to the hard disk size and file system
• Microsoft OSs allocate disk space for files by clusters
  • Results in drive slack
  • Unused space in a cluster between the end of an active file and the end of the cluster
• Drive slack includes:
  • RAM slack and file slack
• An unintentional side effect of FAT16 having large clusters was that it reduced fragmentation
  • As cluster size increased
• When you run out of room for an allocated cluster
  • The OS allocates another cluster for your file, which creates more slack space on the disk
• As files grow and require more disk space, assigned clusters are chained together
  • The chain can be broken or fragmented
• When the OS stores data in a FAT file system, it assigns a starting cluster position to a file
  • Data for the file is written to the first sector of the first assigned cluster
• When this first assigned cluster is filled and runs out of room
  • FAT assigns the next available cluster to the file
• If the next available cluster isn’t contiguous to the current cluster
  • The file becomes fragmented
Deleting FAT Files
• In Microsoft OSs, when a file is deleted
  • The directory entry is marked as a deleted file
  • With the HEX E5 (σ) character replacing the first letter of the filename
  • The FAT chain for that file is set to 0
• Data in the file remains on the disk drive
• The area of the disk where the deleted file resides becomes unallocated disk space
  • Available to receive new data from newly created files or other files needing more space
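Slack, cluster chaining, fragmentation and the 0xE5 delete marker from the two preceding slides can all be shown on a small constructed FAT16 table. The Python below is an added example for this unit, not code from the slides or from any forensic tool. It assumes 512-byte sectors with 8 sectors per cluster, the FAT16 end-of-chain range (0xFFF8 and above), and the standard 32-byte 8.3 directory entry layout (first cluster at offset 26, size at offset 28); the FAT table and the REPORT.DOC entry are constructed inline.

```python
import math
import struct

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8          # assumed: 4096-byte clusters
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER
FAT16_EOC = 0xFFF8               # FAT entries >= this value end a chain
DELETED_MARK = 0xE5              # first byte of a deleted directory entry


def slack_bytes(file_size: int) -> dict:
    """Split the unused tail of a file's last cluster into RAM slack (up to
    the end of the last written sector) and file slack (the remaining whole
    sectors of the cluster)."""
    clusters = math.ceil(file_size / CLUSTER_SIZE)
    drive_slack = clusters * CLUSTER_SIZE - file_size
    ram_slack = (-file_size) % SECTOR_SIZE
    return {"clusters": clusters, "drive_slack": drive_slack,
            "ram_slack": ram_slack, "file_slack": drive_slack - ram_slack}


def follow_chain(fat: list, start: int) -> list:
    """Walk the cluster chain from `start` until an end-of-chain marker.
    Stops at a free (0) entry, which is all that is left after a delete."""
    chain, cur, seen = [], start, set()
    while cur < FAT16_EOC:
        if cur == 0:
            break  # chain released; only the directory entry still points here
        if cur < 2 or cur >= len(fat) or cur in seen:
            raise ValueError(f"corrupt chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def is_fragmented(chain: list) -> bool:
    """A chain is fragmented when any link is not the next cluster in order."""
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))


def make_dir_entry(name: str, ext: str, first_cluster: int, size: int) -> bytes:
    """Build a 32-byte 8.3 directory entry (constructed sample data)."""
    entry = bytearray(32)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = 0x20                                   # archive attribute
    struct.pack_into("<H", entry, 26, first_cluster)   # first cluster (low word)
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)


def parse_dir_entry(entry: bytes) -> dict:
    deleted = entry[0] == DELETED_MARK
    raw_name = (b"?" + entry[1:8]) if deleted else entry[0:8]  # first letter is lost
    name = raw_name.decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", entry, 26)[0],
            "size": struct.unpack_from("<I", entry, 28)[0]}


def delete_entry(entry: bytes, fat: list) -> bytes:
    """Emulate a Microsoft OS delete: overwrite the first name byte with 0xE5
    and zero the FAT chain. The file's data clusters are left untouched."""
    for cluster in follow_chain(fat, parse_dir_entry(entry)["first_cluster"]):
        fat[cluster] = 0
    return bytes([DELETED_MARK]) + entry[1:]


# Constructed FAT16 table indexed by cluster number (entries 0 and 1 are reserved).
# REPORT.DOC occupies clusters 2 -> 3 -> 5; cluster 4 belongs to another file.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 5, 0xFFFF, 0xFFFF] + [0] * 26
SAMPLE_ENTRY = make_dir_entry("REPORT", "DOC", first_cluster=2, size=10000)


if __name__ == "__main__":
    info = parse_dir_entry(SAMPLE_ENTRY)
    chain = follow_chain(SAMPLE_FAT, info["first_cluster"])
    print(info["name"], "clusters:", chain, "fragmented:", is_fragmented(chain))
    print("slack:", slack_bytes(info["size"]))
    fat = list(SAMPLE_FAT)
    gone = parse_dir_entry(delete_entry(SAMPLE_ENTRY, fat))
    print("after delete:", gone, "chain left:", follow_chain(fat, gone["first_cluster"]))
```

After delete_entry runs, the entry still carries the size and the starting cluster, but the FAT no longer says where clusters 3 and 5 follow; that is why recovery tools can restore a contiguous deleted file reliably and a fragmented one only by guessing, and why the slack computed here is worth carving before the cluster is reused.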
Examining NTFS Disks
• New Technology File System (NTFS)
  • Introduced with Windows NT
  • Primary file system for Windows Vista
• Improvements over FAT file systems
  • NTFS provides more information about a file
  • NTFS gives more control over files and folders
• NTFS was Microsoft’s move toward a journaling file system
• In NTFS, everything written to the disk is considered a file
• On an NTFS disk
  • The first data set is the Partition Boot Sector
  • Next is the Master File Table (MFT)
• NTFS results in much less file slack space
• Clusters are smaller for smaller disk drives
• NTFS also uses Unicode
  • An international data format
NTFS File System
• The MFT contains information about all files on the disk
  • Including the system files the OS uses
• In the MFT, the first 15 records are reserved for system files
• Records in the MFT are called metadata
MFT and File Attributes
• In the NTFS MFT
  • All files and folders are stored in separate records of 1024 bytes each
  • Each record contains file or folder information
  • This information is divided into record fields containing metadata
  • A record field is referred to as an attribute ID
• File or folder information is typically stored in one of two ways in an MFT record:
  • Resident and nonresident
• Files larger than 512 bytes are stored outside the MFT
  • The MFT record provides cluster addresses where the file is stored on the drive’s partition
  • Referred to as data runs
• Each MFT record starts with a header identifying it as a resident or nonresident attribute
• When a disk is created as an NTFS file structure
  • The OS assigns logical clusters to the entire disk partition
• These assigned clusters are called logical cluster numbers (LCNs)
  • They become the addresses that allow the MFT to link to nonresident files on the disk’s partition
NTFS Data Streams
• Data streams
  • Ways data can be appended to existing files
  • Can obscure valuable evidentiary data, intentionally or by coincidence
• In NTFS, a data stream becomes an additional file attribute
  • Allows the file to be associated with different applications
• You can only tell whether a file has a data stream attached by examining that file’s MFT entry
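The resident/nonresident split, the data runs that map a file to LCNs, and the extra data streams all live in the attribute list of one MFT record, so a single added example serves both the MFT and File Attributes slides and the NTFS Data Streams slide. The Python below is not code from the slides or from any forensic tool. It assumes the documented on-disk attribute header layout (type at offset 0, length at 4, nonresident flag at 8, name length at 9, name offset at 10; resident value length and offset at 16 and 20; nonresident data-run offset at 32 and real size at 48) and the standard data-run encoding. The 1024-byte record, its two $DATA attributes and the run list are constructed inline; the 4096-byte cluster appears only in the constructed file size.

```python
import struct

ATTR_DATA = 0x80           # $DATA attribute type
ATTR_END = 0xFFFFFFFF      # marks the end of the attribute list

def decode_data_runs(runs: bytes) -> list:
    """Turn an NTFS data-run list into absolute (lcn, cluster_count) pairs.
    Header byte: low nibble = width of the length field, high nibble = width
    of the offset field. Offsets are signed and relative to the previous run;
    offset width 0 marks a sparse run; a 0x00 header byte ends the list."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_width, off_width = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_width], "little")
        pos += len_width
        if off_width == 0:
            out.append((None, length))  # sparse run: no clusters on disk
            continue
        lcn += int.from_bytes(runs[pos:pos + off_width], "little", signed=True)
        pos += off_width
        out.append((lcn, length))
    return out

def parse_attributes(record: bytes, first_attr: int) -> list:
    """Walk the attribute list starting at `first_attr` in an MFT record."""
    attrs, pos = [], first_attr
    while pos + 16 <= len(record):
        atype = struct.unpack_from("<I", record, pos)[0]
        if atype == ATTR_END:
            break
        alen, nonres, name_len, name_off = struct.unpack_from("<IBBH", record, pos + 4)
        if alen == 0:
            raise ValueError("zero-length attribute: record is corrupt")
        name = record[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        info = {"type": atype, "name": name, "nonresident": bool(nonres)}
        if nonres:  # the record holds only the run list; data lives in clusters
            runs_off = struct.unpack_from("<H", record, pos + 32)[0]
            info["size"] = struct.unpack_from("<Q", record, pos + 48)[0]
            info["runs"] = decode_data_runs(record[pos + runs_off:pos + alen])
        else:       # the value itself is stored inside the MFT record
            val_len, val_off = struct.unpack_from("<IH", record, pos + 16)
            info["size"] = val_len
            info["value"] = record[pos + val_off:pos + val_off + val_len]
        attrs.append(info)
        pos += alen
    return attrs

def parse_mft_record(record: bytes) -> list:
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    return parse_attributes(record, struct.unpack_from("<H", record, 20)[0])

def alternate_streams(attrs: list) -> list:
    """Named $DATA attributes are alternate data streams; the unnamed one is the file's content."""
    return [a["name"] for a in attrs if a["type"] == ATTR_DATA and a["name"]]

def _attr_header(atype, total, nonres, name, name_off):
    return struct.pack("<IIBBHHH", atype, total, nonres, len(name), name_off, 0, 0)

def build_resident(atype: int, name: str, value: bytes) -> bytes:
    """Constructed resident attribute: 24-byte header, name, 8-aligned value."""
    name_b = name.encode("utf-16-le")
    val_off = 24 + len(name_b) + (-(24 + len(name_b))) % 8
    total = val_off + len(value) + (-(val_off + len(value))) % 8
    buf = bytearray(total)
    buf[0:16] = _attr_header(atype, total, 0, name, 24)
    struct.pack_into("<IH", buf, 16, len(value), val_off)
    buf[24:24 + len(name_b)] = name_b
    buf[val_off:val_off + len(value)] = value
    return bytes(buf)

def build_nonresident(atype: int, name: str, runs: bytes, real_size: int) -> bytes:
    """Constructed nonresident attribute: 64-byte header, name, then the data runs."""
    name_b = name.encode("utf-16-le")
    runs_off = 64 + len(name_b) + (-(64 + len(name_b))) % 8
    total = runs_off + len(runs) + (-(runs_off + len(runs))) % 8
    buf = bytearray(total)
    buf[0:16] = _attr_header(atype, total, 1, name, 64)
    struct.pack_into("<H", buf, 32, runs_off)
    struct.pack_into("<QQQ", buf, 40, real_size, real_size, real_size)  # allocated/real/initialised
    buf[64:64 + len(name_b)] = name_b
    buf[runs_off:runs_off + len(runs)] = runs
    return bytes(buf)

# Constructed run list: 24 clusters at LCN 0x5634, then 48 clusters starting 0x38 clusters later
SAMPLE_RUNS = b"\x21\x18\x34\x56\x11\x30\x38\x00"
SAMPLE_ADS = b"[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed stream content

def build_sample_record() -> bytes:
    """1024-byte record: an unnamed nonresident $DATA plus a named resident $DATA."""
    header = bytearray(56)
    header[0:4] = b"FILE"
    struct.pack_into("<HH", header, 20, 56, 0x01)  # first-attribute offset, in-use flag
    body = (build_nonresident(ATTR_DATA, "", SAMPLE_RUNS, 72 * 4096)
            + build_resident(ATTR_DATA, "Zone.Identifier", SAMPLE_ADS))
    return (bytes(header) + body + b"\xFF\xFF\xFF\xFF").ljust(1024, b"\x00")
```

Calling parse_mft_record(build_sample_record()) returns two $DATA attributes: the unnamed one is nonresident and decodes to the runs (22068, 24) and (22124, 48), which is the file's 72 clusters; the second is resident, named Zone.Identifier, and is the stream that alternate_streams reports. Nothing in a directory listing would show that second stream; only the MFT entry does, which is the point the slide makes.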
NTFS Compressed Files
• NTFS provides compression similar to FAT DriveSpace 3
• Under NTFS, files, folders, or entire volumes can be compressed
• Most computer forensics tools can uncompress and analyze compressed Windows data
NTFS Encrypting File System (EFS)
• Encrypting File System (EFS)
  • Introduced with Windows 2000
  • Implements a public key and private key method of encrypting files, folders, or disk volumes
• When EFS is used in Windows Vista Business Edition or higher, XP Professional, or 2000,
  • A recovery certificate is generated and sent to the local Windows administrator account
• Users can apply EFS to files stored on their local workstations or a remote server
EFS Recovery Key Agent
• The Recovery Key Agent implements the recovery certificate
  • Which is in the Windows administrator account
• Windows administrators can recover a key in two ways: through Windows or from an MS-DOS command prompt
• MS-DOS commands
  • Cipher
  • Copy
  • Efsrecvr (used to decrypt EFS files)
Deleting NTFS Files
• When a file is deleted in Windows XP, 2000, or NT
  • The OS renames it and moves it to the Recycle Bin
• Can use the Del (delete) MS-DOS command
  • Eliminates the file from the MFT listing in the same way FAT does
Understanding Whole Disk Encryption
• In recent years, there has been more concern about loss of
  • Personal identity information (PII) and trade secrets caused by computer theft
• Of particular concern is the theft of laptop computers and other handheld devices
• To help prevent loss of information, software vendors now provide whole disk encryption
• Current whole disk encryption tools offer the following features:
  • Preboot authentication
  • Full or partial disk encryption with secure hibernation
  • Advanced encryption algorithms
  • Key management function
  • A Trusted Platform Module (TPM) microchip to generate encryption keys and authenticate logins
• Whole disk encryption tools encrypt each sector of a drive separately
• Many of these tools encrypt the drive’s boot sector
  • To prevent any efforts to bypass the secured drive’s partition
• To examine an encrypted drive, decrypt it first
  • Run a vendor-specific program to decrypt the drive
