Computer Forensics Principles and Practices - PowerPoint PPT Presentation

1
Computer Forensics: Principles and Practices
  • by Volonino, Anzaldua, and Godwin

Chapter 7: Investigating Windows, Linux, and
Graphics Files
2
Objectives
  • Conduct efficient and effective investigations of
    Windows systems
  • Find user data and profiles in Windows folders
  • Locate system artifacts in Windows systems
  • Examine the contents of Linux folders

3
Objectives (Cont.)
  • Identify graphic files by file extensions and
    file signatures
  • Identify what computer forensics graphic tools
    and techniques can reveal and recover

4
Introduction
  • In many cases you may have gigabytes or even
    terabytes of data that must be searched for
    evidence. This chapter helps maximize efficiency
    of the search by showing default locations of
    file storage and hiding techniques of wrongdoers.

5
Investigating Windows Systems
  • Activities of the user result in user data:
    • User profiles
    • Program files
    • Temporary files (temp files)
    • Special application-level files

6
Investigating Windows Systems (Cont.)
  • System data and artifacts are generated by the
    operating system:
    • Metadata
    • Windows system registry
    • Event logs or log files
    • Swap files
    • Printer spool
    • Recycle Bin

7
Hidden Files
  • Files that do not appear by default are hidden
    files
  • These can be viewed through the following steps:
    • Open Windows Explorer
    • Go to Tools > Folder Options > View > Hidden
      files and folders
    • Select Show hidden files and folders
    • Click OK

8
Investigating Windows Systems (Cont.)
  • Data and user authentication weaknesses of FAT:
    • User IDs are not required
    • Only attributes are associated with files or
      folders
  • Data and user authentication improvements in
    NTFS:
    • Separation of duties
    • Anonymity of the user

9
Investigating Windows Systems (Cont.)
  • Identify the operating system of a target hard
    drive by:
    • Operating system folder names
    • The folder for the Recycle Bin
    • The construction of the user root folders, because
      of the differences in the way user data is kept

10
Finding User Data and Profiles in Windows Folders
  • Documents and Settings folder
    • Contains a user root folder for each user account
      created on the computer
  • Windows NT and above automatically install:
    • Administrator
    • All Users
    • Default User (hidden)

11
Finding User Data and Profiles in Windows Folders
(Cont.)
  • Data stored in the user root folder:
    • Desktop settings, such as wallpaper,
      screensavers, color schemes, and themes
    • Internet customizations, such as the homepage,
      favorites, and history
    • Application parameters and data, such as e-mail
      and upgrades
    • Personal files and folders, such as My Documents,
      My Pictures, and so on

12
Finding User Data and Profiles in Windows Folders
(Cont.)
  • Some of the subfolders in the user root folder
    include:
    • Application Data (hidden)
    • Cookies
    • Desktop
    • Favorites
    • Local Settings (hidden)
    • My Documents
    • NetHood (hidden)

13
Location of User Root Folders
14
In Practice: Temp Internet Files Provide Valuable
E-Evidence
  • Data stored in the Temporary Internet Files
    folder can be valuable supporting evidence, even
    if deleted
  • Statute 18 U.S.C. 2256(8) rules as pornography
    any data stored on a computer disk that can be
    converted into a visual image

15
Investigating System Artifacts
  • Types of metadata:
    • Descriptive: describes a resource for purposes
      such as discovery and identification
    • Structural: indicates how compound objects are
      put together
    • Administrative: provides information to help
      manage a resource, such as when it was created,
      last accessed, and modified
  • Be alert for alternate data streams (ADS)

16
In Practice: Searching for Evidence
  • Do not use the suspect system itself to carry out
    a search for evidence
  • Using Windows to search and open files can change
    the files' metadata
  • Such changes may cause evidence to be disallowed
    in court

17
Investigating System Artifacts (Cont.)
  • Registry
    • Can reveal current and past applications, as well
      as programs that start automatically at bootup
    • Viewing the registry requires a registry editor
  • Event logs track system events:
    • Application log tracks application events
    • Security log shows logon attempts
    • System log tracks events such as driver failures

18
Investigating System Artifacts (Cont.)
  • Swap file/page file
    • Used by the system as virtual memory
    • Can provide the investigator with a snapshot of
      volatile memory
  • Print spool
    • May contain enhanced metafiles of print jobs
  • Recycle Bin/Recycler
    • Stores files the user has deleted

19
Shredding Data
  • Third-party software packages can be used to
    delete data and actually overwrite the
    information, essentially shredding the data

20
Investigating Linux Systems
  • Windows can have many users with administrator
    access, but Linux has only one administrative
    account, called root
  • Root account has complete control of the system
  • In Linux, all devices, partitions, and folders
    are seen as a unified file system
  • A typical installation creates three partitions:
    the root, boot, and swap partitions

21
Investigating Linux Systems (Cont.)
  • The Linux file system includes the data structure
    as well as the processes that manage the files in
    the partition
  • Linux's virtual file system provides a common set
    of data structures:
    • Superblock
    • Inode
    • Dentry
    • Data block

22
Investigating Linux Systems (Cont.)
  • Seven different file types are available in Linux:
    • Normal files
    • Directories
    • Links
    • Named pipes
    • Sockets
    • Block devices
    • Character devices

23
Investigating Linux Systems (Cont.)
  • Default Linux installations generally include
    system directories such as the following:
    • /boot
    • /dev
    • /etc
    • /home
    • /lib
    • /lost+found
    • /mnt
    • /proc
    • /root
    • /sbin
    • /tmp
    • /usr
    • /var

24
Investigating Linux Systems (Cont.)
  • Key Linux files and directories to investigate:
    • /etc/passwd
    • /etc/shadow
    • /etc/hosts
    • /etc/sysconfig/
    • /etc/syslog.conf

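As an added illustration (not from the textbook or these slides), the Python routine below parses /etc/passwd and /etc/shadow content of the kind listed above and flags the entries an investigator would look at first: extra UID 0 accounts, empty password fields on accounts with a login shell, and system accounts that have been given an interactive shell. The account names and hash strings are constructed sample data.

```python
# Added triage example, not from the textbook: parse /etc/passwd and
# /etc/shadow content and flag entries an investigator should look at.

# Constructed sample data, not taken from a real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:maintenance:/root:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$othersalt$otherhash:19000:0:99999:7:::
backup::19000:0:99999:7:::
toor:!:19000:0:99999:7:::
"""
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash"}

def parse_passwd(text):
    """Yield (name, uid, shell) from passwd lines: name:pw:UID:GID:GECOS:home:shell."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not line.startswith("#"):
            yield f[0], int(f[2]), f[6]

def parse_shadow(text):
    """Map user name -> hash field (second field) from shadow lines."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}

def triage(passwd_text, shadow_text):
    """Return findings: extra UID-0 accounts, empty passwords on shell accounts,
    and system accounts (UID below 1000) that have an interactive shell."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, uid, shell in parse_passwd(passwd_text):
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if shell in INTERACTIVE_SHELLS:
            if hashes.get(name, "x") == "":
                findings.append(f"{name}: empty password with login shell")
            if 0 < uid < 1000:
                findings.append(f"{name}: system UID {uid} with login shell")
    return findings

if __name__ == "__main__":
    for finding in triage(PASSWD, SHADOW):
        print(finding)
```

On a real image, read the two files from the mounted evidence copy rather than the live system, so the access times of the originals are left untouched.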
25
Investigating Linux Systems (Cont.)
  • Deleted files
    • Check the Trash can for each login user for
      deleted files that can be recovered
  • Using grep to search file contents
    • grep allows for sophisticated character-based
      data searches
  • Compressed files
    • Some Linux applications, such as OpenOffice,
      automatically compress data files

26
Graphic File Forensics
  • The investigator can use file signatures to
    determine where data starts and ends and the file
    type
  • File extension (such as .jpg) is one way to identify
    a graphic file
  • A user can easily change the file extension, but
    the data header does not change
  • Forensic tools can resolve conflicts between file
    extensions and file types

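An added example, not part of the original slides: a Python check that reads the leading bytes of a file, identifies the graphic format from its signature, and reports a conflict when the extension claims something else. The signature table and the three sample files are constructed for this example.

```python
# Added example, not from the textbook: identify a graphic file by its
# header signature and compare the result with its file extension.
import os

# Leading byte signatures (at offset 0) of common graphic formats.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "tif": [b"II*\x00", b"MM\x00*"],
}
ALIASES = {"jpeg": "jpg", "tiff": "tif"}   # extension spellings mapped to one key

def type_from_signature(data):
    """Return the format whose magic bytes open the data, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None

def type_from_extension(name):
    """Normalised extension of a file name, or None when it has none."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return ALIASES.get(ext, ext) or None

def classify(name, data):
    """Compare what the extension claims with what the header shows."""
    sig = type_from_signature(data)
    ext = type_from_extension(name)
    if sig is None:
        return f"{name}: no known graphic signature"
    if ext is None:
        return f"{name}: no extension, header says {sig}"
    if sig == ext:
        return f"{name}: extension and header agree ({sig})"
    return f"{name}: MISMATCH extension {ext} but header says {sig}"

# Constructed samples: a JPEG renamed to .txt, a real PNG header, a ZIP header.
SAMPLES = {
    "holiday.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "notes.doc": b"PK\x03\x04",
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        print(classify(fname, content))
```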
27
Graphic File Forensics (Cont.)
  • The process of retrieving all relevant pieces of
    a file is called data carving or data salvaging
  • An investigator may have to reconstruct the data
    header using file signature information
  • Layered graphic files (such as Photoshop or
    Corel) can hide information behind layers
  • Graphics saved as JPEG, TIFF, GIF, or BMP do not
    have layers

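An added example, not from the textbook: a minimal signature-based carver in Python that pulls JPEG images out of a raw byte blob by locating the start-of-image and end-of-image markers, which is the simplest form of the data carving described above. The blob is constructed inline to stand in for unallocated space.

```python
# Added example, not from the textbook: carve JPEG images out of a raw
# byte blob (such as unallocated space) using the file signature alone.

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the next marker's prefix
EOI = b"\xff\xd9"       # JPEG end-of-image marker

def carve_jpegs(blob, max_size=10 * 1024 * 1024):
    """Return a list of (offset, data) for every SOI..EOI span in blob.
    A fragment with no EOI within max_size is returned truncated so the
    investigator can still inspect its header."""
    found = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        end = blob.find(EOI, start + len(SOI), start + max_size)
        if end < 0:
            found.append((start, blob[start:start + max_size]))
            pos = start + len(SOI)
        else:
            found.append((start, blob[start:end + len(EOI)]))
            pos = end + len(EOI)
    return found

def build_sample_blob():
    """Constructed stand-in for unallocated space: filler with no 0xFF bytes
    around two tiny JPEG-like files, so the carver's hits are unambiguous."""
    filler = b"\x00\x13\x37" * 20
    jpeg1 = SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 20 + EOI
    jpeg2 = SOI + b"\xe1\x00\x08Exif\x00" + b"B" * 30 + EOI
    return filler + jpeg1 + filler + jpeg2 + filler

if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_blob()):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

Real images can contain an embedded thumbnail with its own end marker, so a production carver validates the carved data (for example by decoding it) rather than trusting the first EOI it meets.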
28
Graphic File Forensics (Cont.)
  • Steganography is a form of data hiding in which a
    message is hidden within another file
    • Data to be hidden is the carrier medium
    • The file in which the data is hidden is the
      steganographic medium
  • Both parties communicating via steganography must
    use the same stego application

29
Graphic File Forensics (Cont.)
  • Steganography is difficult to detect; the
    following clues may indicate stego use:
    • Technical capabilities or sophistication of the
      computer's owner
    • Software clues on the computer
    • Other program files that indicate familiarity
      with data-hiding methods
    • Multimedia files
    • Type of crime being investigated

30
In Practice: Child Pornography
  • Hiding criminal content within innocent files
    can allow perpetrators such as child
    pornographers to exchange information
  • A scenario is described by which child
    pornographers can easily pass information to
    others in the ring

31
Summary
  • Search times can be reduced through the use of
    default folders and operating system artifacts
  • The skill level of the user will determine
    whether this is an effective use of time in the
    case

32
Summary (Cont.)
  • A savvy user can hide data through:
    • Nonstandard file folders
    • Renaming file types
    • Using layered graphics
    • Masquerading data with steganographic techniques