When I’m asked by new people I meet what I do to earn my living and I tell them Digital Forensics, I often receive a glazed-eye look or responses like, “That’s cool, so CSI stuff, right?” The short answer to that question is yes, but with quite a few caveats that will be explored in a later post in this series. I like to refer to those caveats as the CSI Effect: yes, the forensic concepts on television are indeed similar to those in reality, but a case that takes just under an hour to solve on screen may take days or even weeks in today’s world.
The steps in a digital forensic investigation depend on the media being analyzed and on the type of case. The first step, as was covered in Greg Kelley’s post “Identification of Relevant Sources of Data,” is to identify the client’s needs and then determine where the electronic data in question is stored. The second step is to preserve that data and establish a chain of custody on the evidence. The third step is where the forensic analysis begins. The analysis itself is what I like to refer to as the “forensic grey matter” of an investigation. Think of the forensic analysis stage as the central nervous system (CNS) of the human being – the human can’t properly function without its CNS, and a solid report of artifact findings is not going to happen without a fundamentally sound, “leave-no-stone-unturned” type of forensic investigation. So without further ado, what items can be discerned from examining computers, servers, and other forms of digital storage media?
A forensic investigation can reveal information surrounding the integrity of the electronic evidence. It can show:
- The format date of the storage media — Think of the format date as the date when the drive was made available for files to be created (and subsequently modified/deleted) on it.
- The operating system installation date — If the operating system was installed a few hours before preservation of the media in question, spoliation may have occurred.
- What user accounts are on the computer and when each was created — This helps ensure that the proper media has been presented for computer forensic analysis and that the creation dates of the user accounts match the timeframes in question.
- If any users on the computer were utilizing virtual computing environments and what data exists in such environments,
- If the hard drive present in a computer at the time of imaging was (within a reasonable degree of certainty) the one that was shipped with the computer…
A forensic investigation can reveal evidence of data obfuscation and deletion. It can illustrate:
- If any programs designed to remove data from the computer were executed by a given user account and where such programs originated,
- Files deleted from the computer and when,
- The content of deleted files,
- E-mails deleted from the computer and their contents,
- If any user accounts were used to manipulate file create/access/modification times,
- If a user deleted his browsing history,
- If copies of deleted files exist on the local computer or possibly elsewhere…
A forensic investigation can reveal evidence of data exfiltration. It can reveal:
- If any USB devices were connected to the computer, the serial number of those devices, and date information as to when these devices were connected,
- If any CDs or DVDs were burned and when,
- If any files or folders were accessed from removable devices or CDs/DVDs,
- If any files or folders were accessed from network locations,
- File Transfer Protocol (FTP) access by a user,
- Credit card and phone numbers entered into the computer,
- External e-mail accounts used on the computer,
- If any cloud storage sites were accessed by the computer, and possibly listings of uploaded or downloaded files…
A forensic investigation can yield information as to whether and how a computer was hacked, and can serve as verification or refutation of the malicious software defense that “it was my computer virus that was conducting the illicit activities, not me.”
It can show:
- Networks to which the computer was connected,
- If/when a computer was compromised,
- How the computer was compromised,
- If any data escaped from the computer as a result of the hack…
A forensic investigation can also reveal these other miscellaneous items:
- If a document, e-mail, or photograph stored on the computer is authentic or has been modified,
- If a document was printed from the computer,
- The author of a document at a given point in time,
- Where a photo was taken, at what time, and from what kind of camera,
- Internet traffic that passed through a web server, and files downloaded from the server,
- Websites visited by a user, when each was visited, and the frequency of such visits,
- and a whole lot more…
But digital forensics is not limited to computers and servers; as cell phones have evolved into smartphones and smartphones have evolved into pocket-sized computers, they have progressively become capable of storing more and more data.
Facts that can be determined from examining a cell phone can include:
- If a phone has been wiped before being presented for acquisition,
- Contacts and phone numbers stored in the phone,
- Text messages, chat messages, and call logs (duration, date of call), both deleted and non-deleted,
- Websites visited by a smartphone browser,
- Cloud storage accounts set up to sync with the phone,
- E-mail synced with the phone,
- Applications installed on the device, including Skype-related history,
- Photos and videos stored on the device (these items are occasionally recoverable)…
The above cell phone list is also mostly true of tablet computers, with call logs being an exception.
Examination of removable media (such as flash drives, external hard drives, SD cards, floppy discs, and CDs/DVDs) can reveal:
- When the media was formatted,
- Files stored on these devices and when they were first created on the devices,
- Content of deleted files,
- The program used to burn a CD or DVD,
- Programs stored on these devices that may have been executed on a computer…
The above examples are just samples of the kinds of digital forensics cases Vestige is most often asked to investigate, but there are other areas as well. Entire books have been written that detail the types of artifacts that a given operating system (and file system) generates and what each means.
It is important to remember that digital forensic investigations take time, and time is always of the essence to all of our clients. Unfortunately, the “CSI Effect” has ingrained into mainstream America that a forensic investigation – digital or not – can be completed in its entirety in a little under one hour. In reality, the preservation phase of a digital forensic investigation normally takes at least one hour and analysis – depending on the type of matter and complexity of analysis – can take anywhere from one day to two or three weeks!
The second integral fact to remember in a forensic investigation is that sometimes the desired evidence simply does not exist on the computer. In most cases it does, but occasionally an analyst is unable to determine the exact cause or effect of an event that took place simply because the evidence detailing that information has already been overwritten by the computer itself. That is why the amount of time that passes between the incident occurring and preservation is so critical to a forensic investigation.
It is also important to understand that actions an untrained analyst takes with the evidence may alter the very evidence that would help prove the case.
After completing forensic analysis, Vestige provides its clients a verbal report of its findings. Supplemental materials can include (but are not limited to) exhibits and/or written reports that Vestige is able to testify to in court.
I hope this has provided you with some insights into what information can be attained from a digital forensic investigation. Come back next week for more information in the realm of digital forensics and Electronic Evidence!
By Gene Snyder, GCFA, EnCE, ACE,
Forensic Analyst at Vestige