Introduction to Digital Forensics
If you’ve turned on the television at all in the last few years, you’ve no doubt encountered at least one show about forensics. However, one of the fields of forensics that is rarely depicted is the ever-growing field of digital forensics. In a world where we are more and more dependent on our technological devices, digital forensics is becoming ever more important.
What is Digital Forensics?
Digital forensics refers to the tools and techniques used to recover, preserve, and examine digital evidence on or transmitted by digital devices.
Digital forensics is used in a number of cases, including:
- Criminal Investigations: Law enforcement can prosecute crimes that involve digital devices.
- Civil Litigation: Electronic data is sought, located, secured, searched, and used as evidence in a civil or criminal legal case. This process is known as Electronic Discovery or eDiscovery.
- Intelligence: Military or security agencies utilize digital forensics for security purposes.
- Administrative Matters: Employers can utilize digital forensics to discover employee misconduct or to monitor employee work activities.
- General: Individuals can use digital forensics to recover accidentally deleted files and to ensure privacy.
Types of Digital Evidence
Depending on the use case, digital evidence can be:
- Documents
- Emails
- Contraband images/videos
- Phone SMS messages
- Malicious software
- Evidence of networking between machines
Sources of Evidence
Likewise, the source of evidence is going to vary from case to case. Anywhere that data is stored can be a source of evidence, including:
- Computers
- Phones/Tablets
- Video Game Systems
- Copiers
- GPS Devices
- Digital Cameras
- Memory Cards
- CD/DVD/Floppy Disc
Computer Evidence
Computers tend to be one of the main sources of digital evidence. Evidence can be stored in any number of places on a computer, including:
- Undeleted files
- Deleted files: These tend to be located in the recycle bin
- Windows Registry: The plethora of data that keeps track of what is going on with the machine
- Print Spool Files: Files that keep track of recent print jobs.
- Hibernation Files: The data that the device temporarily keeps while the computer is hibernating.
- Temporary Files: Temporary files are kept for a limited time by Windows devices.
- Slack Space: The unallocated data for files on the system
- Swap Files: Files that handle the memory of the device.
- Browser Caches
- Hidden Partitions
- Removable Media
Phone Evidence
Phones also tend to provide a high percentage of the digital evidence obtained. As phones become more complex, the digital evidence that they contain becomes more similar to computers. Sources of digital evidence on phones include:
- Call History
- Text messages
- Deleted Text Messages
- Picture & Video
- Contact
- Location Information GPS
- Chat Sessions
- Calendar
- Voice Memo
- Documents
Dealing with “Deleted” Data
What exactly is deleted data? Digital forensics operates off the premise that data is very hard to kill. This means that when you “delete” something from your computer or phone, you may not be able to find it in your folders, but that doesn’t mean it’s gone. Deleted data on any kind of digital storage device is almost never completely gone.
When you delete a file, it tells the computer that the space is now available. However, the data will remain on the device until another file is written over it. This means that files may be present on your device long after you tell the computer to write over them.
Destroying Data
While the simple “empty trashcan” action doesn’t delete data, it doesn’t mean that data cannot be destroyed. There are several anti-forensics techniques that can be used to hide or destroy data on your device.
Hiding Data:
The first option is to simply hide the data. Like an intense game of hide-and-seek, this doesn’t destroy the data, but it does make it difficult to find. Techniques for hiding data include:
- Changing file names or extensions
- Deeply nesting files in unrelated directories
- Using steganography. This includes hiding files within files, creating compositions of two files, or using a carrier file (contains a secret message) or payload (embedded secret document).
- Using encryption. There are numerous encryption software options available, including Bitlocker, Apple Filevault, Truecrypt, Encryption software works best if the encryption password and key are strong.
Data Destruction:
The second option is to fully destroy the data. This can be accomplished one of two ways:
- Drive Wiping: Drive wiping is the act of overwriting data to make it unrecoverable. While this seems simple enough, drive wiping isn’t always as successful as you’d expect; many formatters do not fully erase all data during a drive wiping. In general, it only works if it is forensically secure and securely overwritten.
- Physical Destruction of the Device: You can’t pull data from a device that doesn’t exist. However, this isn’t as simple as throwing your computer out your window. To physically destroy a device, a military-grade degausser is used to destroy the magnetic drive used for storage, and/or thermite, a combination of rust, powered aluminum, and magnesium fuse, is used to destroy the metal of the device.
Recovering Evidence
In response to the anti-forensics techniques used to hide and destroy evidence, digital forensics has evolved several techniques for recovering evidence. Some of the things that are possible with digital forensics include:
- Recovery of:
- Deleted data
- Drives/Media in a “bad state”
- Determination of:
- If files were modified, created, deleted, or organized
- Which storage devices were attached to a specific computer
- Which applications were installed and uninstalled
- Which websites were visited
The only evidence that digital forensics is not able to access is media that is physically destroyed or securely overwritten.
Preservation of Evidence
Once digital forensic investigators identify evidence on a device, there are several steps that must be taken to preserve the evidence:
- Stabilize the data
- Make copies of the original evidence
- Ensure that original evidence is not modified.
- Store evidence in an environmentally controlled and safe location.
Order of Volatility of Evidence
When preserving evidence, digital forensics investigators focus on the volatile data first. Volatile data is data that can be deleted more easily. For example, when you unplug a machine, the memory (volatile) is usually destroyed while the storage (nonvolatile) is preserved.
When conducting an investigation, evidence is typically preserved in the following order:
- Memory
- Temporary file system/swap space
- Data on the hard disk
- Data contained on removal media
Cloning
One way to preserve data is by cloning. In cloning, digital forensics investigators make a bit-for-bit copy of the data on the hard drive. When done successfully, this process captures the unallocated space, deleted and partially overwritten files, and the file system. However, for cloning to be successful, there must be write blocking hardware or software to ensure that the original evidence is not altered.
File Carving
Once a digital forensic investigator has the cloned evidence, they may do analyses like file carving. File carving is the process of extracting data from unallocated space on a hard drive. This allows you to recover files or fragments when the metadata is destroyed.
File carving can be performed manually or with the use of a tool. Common identifiers are file headers and footers which can mark the beginning or end of a file. However, file carving becomes more challenging if the user used fragmenting to break up the file within the raw data.
Cold Boot Attack
Cloning and file carving are successful recovery techniques for nonvolatile data. However, for volatile data, a more direct approach, such as a cold boot attack, is needed. Cold boot attacks are used to capture volatile memory (RAM).
The RAM of a device can include:
- Running processes
- Executed console commands
- Passwords in clear text
- Unencrypted data
- Instant messages
- IP addresses
When a device is shut down, the data in RAM fades rather than disappears. Dissipation can be slowed if the RAM is cooled to -59oF. Therefore, the cold boot attack is the act of physically cooling the memory devices so that the data can be extracted before it disappears.
Digital Forensics Case Study: The BTK Killer
One of the most prevalent examples of a successful digital forensics investigation is that of the BTK Killer. Dennis Rader killed ten people as the “BTK Killer” in Kansas from 1974 to 1991. In 2004, he reemerged to taunt and communicate with the police. Rader sent police a floppy disk with a file, “Test A.rtf” that contained metadata. Digital forensic investigators were able to pull the metadata from the file and identify several key pieces of information, including the last modified date, the created date, the tile, and who it was saved by.
The document title included the name of Rader’s church, and the “last saved by” of the file contained his first name. Based on that information, police were able to find the church, acquire his daughter’s DNA, and compare the DNA to the previous crimes. The digital forensics in this case allowed police to apprehend the BTK Killer more than 30 years after he committed his crimes.