Computer Forensics

Week 1

hash-value the answer to everything!


  1. Your role as a computer forensics professional is to gather evidence from a suspect’s computer and determine whether the suspect committed a crime or violated a company policy.

  2. Court order = private sector // Search warrant = law enforcement

    • Four corners of the search warrant: what you can and cannot do. If it is not on the warrant, you cannot get the data. An affidavit is given to a judge to ask for a warrant.

    • Communications/emails, pictures, text.

      1. Evidence (smoking gun: the person will likely be found guilty). Issue: someone else could have put it on their computer, or it could have been altered, so where it came from matters. The challenge is to identify who used the computer: the defendant, or a friend or family member? Did a friend or family member set up the defendant? How do you place the defendant at the computer at the time the item was created?

  3. Hardware imager (write blocker): image a known control drive and confirm you get the expected result, which holds until the next firmware update (then re-validate). Get the hash value and make sure it is consistent.

  4. Certifications: Some of the best don’t have any.

    • Written test & practical component (DFCP)

    • Pros

      1. Sets Standards: Expected level of knowledge.

      2. Marketability

    • Cons

      1. A cert does not equal being knowledgeable.

  5. It is important to always maintain an unbiased perspective and be objective in your fact-findings. The evidence you may find could be exculpatory.

Recording information

    1. Taking an image of a drive

      • Image of a drive: a bit-stream image. Every bit of data, every 1 and 0 from the first to the last, is saved.

        1. Do not work on original evidence (but if you wait, you could lose valuable time to prove guilt or rescue a victim).

          • Forensic preview of a computer, barely leaves a footprint.

          • Take picture of environment and then do your examination.

          • Plugging in a new USB device and talking to the OS changes the operating system (these changes are measured).

          • Boot from a Linux live CD to preserve evidence. Also collect RAM (because it is volatile): before shutting down the computer, do a live acquisition to capture the RAM too.

            1. Memory gets paged to the hard disk (efficiency, lack of resources).

            2. Hibernation file: the "dirty bit" is set if Windows did not shut down properly.

          • Encrypted drives = Dead in the water most of the time.

          • You can have a preview of the hard drive but it does not see deleted files.

            1. Hex search to look for file headers (a unique 4-byte header for each type of image).

          • Best practice: take an image first. Make a copy of the first image = the working copy. How many images do I have to store if I return the computer?
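An added example (not from the course or from ProDiscover) of the hex header search described above: it scans a raw image for a small table of image-file signatures and carves each file up to its footer, which recovers a picture whose directory entry is gone. The signature table, the sample disk and the output names are constructed for this example.

```python
import os
import tempfile

# File signatures ("magic bytes") and the footers used to carve them.
# Constructed table for this example; real carvers use far larger lists.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF89a", b"\x00\x3b"),
}

def carve(image, max_size=16 * 1024 * 1024):
    # Scan the raw bytes for every known header, then take everything up to
    # and including the matching footer as a recovered file.  Deleting a file
    # only removes the file-system pointer, so carving still finds content
    # that the directory listing no longer shows.
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:
                end += len(footer)
                found.append((start, kind, image[start:end]))
                start = image.find(header, end)
            else:
                start = image.find(header, start + 1)
    return sorted(found)

def build_sample_image():
    # Constructed 4 KiB "disk": two files, one of which has been deleted.
    disk = bytearray(b"\x00" * 4096)
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 100 + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    disk[512:512 + len(jpg)] = jpg          # listed file
    disk[2048:2048 + len(png)] = png        # "deleted": only the pointer is gone
    return bytes(disk)

def carve_file(path, out_dir):
    # Read an image file and write each carved object as <offset>.<kind>.
    # (A real tool would read the image in chunks rather than all at once.)
    with open(path, "rb") as f:
        image = f.read()
    names = []
    for offset, kind, data in carve(image):
        name = os.path.join(out_dir, f"{offset:08x}.{kind}")
        with open(name, "wb") as out:
            out.write(data)
        names.append(os.path.basename(name))
    return names

def demo():
    d = tempfile.mkdtemp()
    img = os.path.join(d, "sample.dd")
    with open(img, "wb") as f:
        f.write(build_sample_image())
    return carve_file(img, d)
```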

  1. Hash collisions: In computer science, a collision or clash is a situation that occurs when two distinct pieces of data have the same hash value, checksum, fingerprint, or cryptographic digest. Collisions are unavoidable whenever members of a very large set are mapped to a relatively short bit string.

  2. Chain-of-Custody: Is the route the evidence takes from the time you find it until the case is closed or goes to court. It is what you say it is; it establishes uniqueness. Names of the people who touched it. Many cases are thrown out because the chain of custody cannot be proved or has been broken. When this happens, there is a possibility that the evidence has been corrupted.

  3. MD5 hash algorithm: The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. (No, you do not need a chain of custody if you have an MD5 hash... it is absolutely unique.) We use chain of custody because people don't understand MD5 but do understand signatures. *Collisions have occurred using MD5 but are rare; it can still be used to validate digital evidence. Byte-by-byte comparisons can be performed with the MS-DOS Comp command or the Linux/UNIX command.

  4. A plain copy gets everything that can be seen through a GUI (deleting information off your computer simply removes the pointer to that item). Does that give a forensic copy all the data? No; more is needed.
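An added example (not the course's or any vendor's code) of the verification the notes above describe: hash an image, compare the working copy byte by byte as Comp does, and append a chain-of-custody log line. The image bytes, file names and examiner name are constructed here; recording SHA-256 next to MD5 is my assumption, since the notes mention MD5 only.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never fills RAM
# Constructed sample data standing in for an image and a damaged working copy.
ORIGINAL = bytes(range(256)) * 64   # 16 KiB "image"
BAD_COPY = bytearray(ORIGINAL)
BAD_COPY[5000] ^= 0x01              # one flipped bit in the bad copy

def hash_file(path, algorithms=("md5", "sha256")):
    # MD5 matches what older tools report; SHA-256 is kept alongside it
    # because MD5 collisions are known to exist.
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def first_difference(path_a, path_b):
    # Byte-by-byte comparison, like Comp on MS-DOS: offset of the first
    # differing byte, or -1 when the two files are identical.
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))  # one file ends early
            if not a:
                return -1
            offset += len(a)

def verify_copy(original, copy, log_path, examiner):
    # Compare by hash and by bytes, then append a chain-of-custody line.
    h_copy = hash_file(copy)
    diff = first_difference(original, copy)
    ok = hash_file(original) == h_copy and diff == -1
    with open(log_path, "a") as log:
        log.write(f"{datetime.now(timezone.utc).isoformat()} {examiner} "
                  f"verified {os.path.basename(copy)} md5={h_copy['md5']} "
                  f"sha256={h_copy['sha256']} match={ok}\n")
    return ok, diff

def demo():
    # Write the constructed files to a temp dir and verify both copies.
    d = tempfile.mkdtemp()
    for name, data in (("original.dd", ORIGINAL), ("good.dd", ORIGINAL),
                       ("bad.dd", BAD_COPY)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    orig, log = os.path.join(d, "original.dd"), os.path.join(d, "custody.log")
    return (verify_copy(orig, os.path.join(d, "good.dd"), log, "Examiner"),
            verify_copy(orig, os.path.join(d, "bad.dd"), log, "Examiner"))
```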

Working on computers(Lab environment)

      1. Exculpatory (not guilty) and inculpatory (guilty)

      2. Legacy copies need to be secure

      3. Fire safety

      4. 2 computers (for 2-3 cases a month; 4 computers can be more appropriate)

        • 2 workstations (no internet access: IMPORTANT, also for the final project)
        • Outside access – for googling of course
        • Administration purposes
        • 3-4 computers doing forensic cases
    1. Digital evidence

      1. Electrostatic discharge.

        • Ground yourself
        • Use anti-electrostatic bags
      2. Packaging: the computer goes into a sealed evidence bag.

      3. Because some cases involve computers running legacy OSs, older versions of tools often need to be used in forensics investigations. For example, Norton DiskEdit is an older tool that was last available on the Norton System Works 2000 CD,

Project 1: ProDiscover Software Intro

ProDiscover Basic is a free forensic tool. This tutorial will show you how to

  1. Start a new project
  2. Import an image file
  3. Search through the contents to find specific characters.
  4. Create a report.


  •  Select File and then select New Project.


  • Now go to Action –> Add –> Image File.


  • Select your image file. Mine is C2Prj06.eve
  1. What is the .eve file extension? The EVE file type is primarily associated with ‘EmbeddedVectorEditor’. EVE is a general application for drawing vector diagrams.


  • Go under images and select your file. These are the results of C2Prj06.eve.


  • Notice the different headers, such as File Name, Size, File Extension, whether it was deleted or not, and the creation/modified/accessed dates. You can also view the contents by selecting any of the files.


  • Now we will search for certain characters. Begin by selecting the search function (the magnifying glass at the top left). You will notice several different options for searching the files.


  • For this particular project we will use ASCII. In the box for “Search for the pattern(s)” I entered three names: Antonio, Hugh Evans, and Horatio. Select the disk and then press OK.


  • These are the results of the search.



  • Now select REPORT on the left-hand side, under your project folder. This will give you a summary that includes things such as items of interest, hidden sectors, and the type of file system.

You are now finished with Project 1: ProDiscover Software Intro!



Week 2


Data acquisition is the process of copying data. For computer forensics, it’s the task of collecting digital evidence from electronic media. The two types of data acquisition are static and live acquisitions. The future of data acquisitions is shifting toward live acquisitions because of the use of disk encryption with newer operating systems. The only shortcoming with live acquisitions is not being able to perform repeatable processes which are critical for collecting digital evidence. Making a second live acquisition while a computer is running collects new data because of dynamic changes in the OS. Your goal when acquiring data for a static acquisition is to preserve the digital evidence. You should also take steps to make sure you acquire an image that can be verified.

  1. Consistency of how the process is done

  2. Index: creates a database, so later on, info is easily searchable

    • Keyword search: points you in the right direction. Runs on the back end throughout the whole drive.

    • Index keyword search: front end, checks your indexed information. May search for ASCII-formatted words or hex strings (the form of the data on 99% of computers).

  3. Drawbacks

    • Restrictions... (they limit thinking outside of the box). There is never going to be one best way to do things.

    • Example: a checklist... You have to have a control, which means using the same mouse, monitors, hard drive, etc. (Crazy, but it must be done, at least in law enforcement.)

    • Could become outdated

  4. Pros

    • Consistent

    • Don’t forget things to do.

  5. You must be prepared for the unexpected, so you should always have a contingency plan for the investigation. A contingency plan can consist of anything that helps you complete the investigation, from alternative software and hardware tools to other methods of approaching the investigation.

Contingency Planning for Image Acquisitions

You should also make contingency plans in case software or hardware doesn’t work or you encounter a failure during an acquisition. Many computer investigators don’t make duplicates of their evidence because they don’t have enough time or resources to make a second image. However, if the first copy doesn’t work correctly, having a duplicate is worth the effort and resources.

As a standard practice, make at least two images of the digital evidence you collect. If you have more than one imaging tool, such as ProDiscover Basic, FTK, and X-Ways Forensics, make the first copy with one tool and  the second copy with the other tool. Remember that Murphy’s Law applies to computer forensics, too: If anything can go wrong, it will.

Many acquisition tools don’t copy data in the host protected area (HPA) of a disk drive. For these situations, consider using a hardware acquisition tool that can access the drive at the BIOS level, such as ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica.

As part of your contingency planning, you must be prepared to deal with encrypted drives. A static acquisition on most whole disk encrypted drives currently involves decrypting the drives, which requires the user’s cooperation in providing the decryption key.

The biggest concern with whole disk encryption is getting the decryption key. In criminal investigations, this might be impossible because if a disk contains evidence supporting the crime, a suspect had a strong motivation to not supply the decryption key. Researchers at Princeton University have produced a technique to recover passwords and passphrases from RAM.

Understanding Storage Formats for Digital Evidence

Many computer forensics acquisition tools create a disk-to-image file in an older open-source format, known as raw, as well as their own proprietary format.

Raw Format (.dd)

Examiners performed a bit-by-bit copy from one disk to another disk of the same size or larger. The advantages of the raw format are fast data transfers and the capability to ignore data read errors on the source drive. In addition, most computer forensic tools can read the raw format, making it a universal acquisition format for most tools. One disadvantage of the raw format is that it requires as much storage space as the original disk or data set. Also, it might not collect marginal (bad) sectors on the source drive, meaning these tools have a low threshold of retry reads on weak media spots on a drive.

Proprietary Formats (.ad1)

Proprietary formats typically offer several features that complement the vendor’s analysis tool, such as the following:
  1. The option to compress or not compress image files of a suspect drive, thus saving space on the target drive.
  2. The capability to split an image into smaller segmented files for archiving purposes, such as to CDs or DVDs, with data integrity checks integrated into each segment.
  3. The capability to integrate metadata into the image file, such as date and time of the acquisition, hash value (for self-authentication) of the original disk or medium, investigator or examiner name, and comments or case details.

One major disadvantage of proprietary format acquisitions is the inability to share an image between different vendors’ computer forensics analysis tools. Another problem with proprietary and raw formats is a file size limitation for each segmented volume. Typically, proprietary format tools produce a segmented file of 650 MB. Of all the proprietary formats for image acquisitions, the Expert Witness format (.E01 extension) is currently the unofficial standard.
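An added example, not any vendor's format, of the segmented-image idea described above: the image is split into fixed-size segments, each segment's size and SHA-256 go into a manifest together with the hash of the whole image, and verification reports which segment is missing or altered. The .001/.002 naming, the manifest layout and the sample image are constructed for this example.

```python
import hashlib
import json
import os
import tempfile

def split_image(image_path, out_dir, base, segment_size):
    # Write base.001, base.002, ... plus a manifest with each segment's size
    # and SHA-256 and the hash of the whole image, so any one segment can be
    # checked on its own and the set can be checked together.
    whole = hashlib.sha256()
    segments = []
    with open(image_path, "rb") as src:
        n = 1
        while True:
            chunk = src.read(segment_size)
            if not chunk:
                break
            name = f"{base}.{n:03d}"
            with open(os.path.join(out_dir, name), "wb") as seg:
                seg.write(chunk)
            whole.update(chunk)
            segments.append({"name": name, "size": len(chunk),
                             "sha256": hashlib.sha256(chunk).hexdigest()})
            n += 1
    manifest = {"image_sha256": whole.hexdigest(), "segments": segments}
    with open(os.path.join(out_dir, f"{base}.manifest.json"), "w") as m:
        json.dump(manifest, m)
    return manifest

def verify_segments(out_dir, manifest):
    # Re-hash every segment; return the names of any that are missing or
    # changed, so the examiner knows which piece to restore from the backup.
    bad = []
    whole = hashlib.sha256()
    for seg in manifest["segments"]:
        path = os.path.join(out_dir, seg["name"])
        if not os.path.exists(path):
            bad.append(seg["name"])
            continue
        with open(path, "rb") as f:
            data = f.read()
        whole.update(data)
        if (len(data), hashlib.sha256(data).hexdigest()) != (seg["size"], seg["sha256"]):
            bad.append(seg["name"])
    if not bad and whole.hexdigest() != manifest["image_sha256"]:
        bad.append("<whole image>")
    return bad

def demo():
    # Constructed 10 KiB image split into 4 KiB segments; then corrupt one.
    d = tempfile.mkdtemp()
    img = os.path.join(d, "evidence.dd")
    with open(img, "wb") as f:
        f.write(bytes(range(256)) * 40)
    manifest = split_image(img, d, "evidence", 4096)
    clean = verify_segments(d, manifest)
    with open(os.path.join(d, "evidence.002"), "r+b") as f:
        f.seek(10)
        f.write(b"\xff")
    return len(manifest["segments"]), clean, verify_segments(d, manifest)
```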

Advanced Forensics Format (AFF)

This format was created by Dr. Simon L. Garfinkel. File extensions include .afd for segmented image files and .afm for AFF metadata. This format has the following design goals:
  1. Creating compressed or uncompressed image files.
  2. No size restriction for disk-to-image files.
  3. Providing space in the image file or segmented files for metadata.
  4. Simple design with extensibility.
  5. Open source for multiple computing platforms and OSs.
  6. Offer internal consistency check for self-authentication.

Expect AFF to become a future standard for forensically sound acquisition formats.

Determining the Best Acquisition Method

Typically, a static acquisition is done on a computer seized during a police raid, for example. If the computer has an encrypted drive, a live acquisition is done if the password or passphrase is available, meaning the computer is powered on and has been logged on by the suspect. Static acquisitions are always the preferred way to collect digital evidence. For both types of acquisitions, data can be collected with four methods: creating a disk-to-image file (most common), creating a disk-to-disk copy (use a write blocker because of potential registry changes), creating a logical disk-to-disk or disk-to-data file, or creating a sparse copy of a folder or file.

Creating a disk-to-image file is the most common method and offers the most flexibility for your investigation. Sometimes you can’t make a disk-to-image file because of hardware or software errors or incompatibilities. This problem is more common when you have to acquire older drives. For these drives, you might have to create a disk-to-disk copy of the suspect drive.

Collecting evidence from a large drive can take several hours. If your time is limited, consider using a logical acquisition or sparse acquisition data copy method. A logical acquisition captures only specific files of interest to the case or specific types of files. A sparse acquisition is similar but also collects fragments of unallocated (deleted) data. An example of a logical acquisition is an e-mail investigation that requires collecting only Outlook .pst or .ost files.

If you can’t retain the original evidence drive and must return it to the owner, as in a discovery demand for a civil litigation case, check with the requester, such as your lawyer or supervisor, and ask whether a logical acquisition is acceptable. If not, you may have to refer the matter back to your lawyer or supervisor. When performing an acquisition under these conditions, make sure you have a good copy because most discovery demands give you only one chance to capture data. In addition, make sure you have a reliable forensic tool that you know how to use.

  • Size is not an issue but speed is.

    • Image file bit for bit (.dd file is a fast way of imaging)

    • What are the advantages and disadvantages of the .dd file format? // Universally accepted across different forensic tools.

    • A 500 GB drive → a 320 GB image file will work because of free space.

    • (Expert Witness Format) E01 → E02 → ... E99 → EAB → the most common type of image file. Fairly widely accepted, though not as much as .dd. E01 is compressible.

      • disadvantage – limits the number of tools to analyze the data.

      • EWF in linux

Project 2: Sleuth & Autopsy Intro

What you will need for project 2: Kali Linux & ProDiscover Basic


1. Start ProDiscover Basic with the Run as Administrator option. We will be using ProDiscover Basic to convert an .eve file to a .dd file.

2. Click Tools, Image Conversion Tools from the menu and then click Convert ProDiscover Image to DD.

3. Click Browse and locate your .eve file; once found, click Open.

4. For the Destination location, select an easy-to-find location for your file. Click OK to convert. Now close ProDiscover Basic.

5. Open up your virtual machine and start Kali Linux.


6. When your virtual machine has booted Kali Linux, copy the converted file to the Kali Linux desktop.

7. Go to Applications, Kali Linux, Forensics, then Forensic Analysis Tools, and click autopsy.

8. You should now see your terminal open with Sleuth Kit and Autopsy running. Highlight ‘http://localhost:9999/autopsy‘, right-click and click “Copy Link Address“. Simply clicking “Copy” will not work.

9. Paste the link into your browser's address bar. You should now be able to see the Autopsy Forensic Browser 2.24 with Open Case, New Case, and Help.

10. Go ahead and click New Case. Type the name of the case and your name as the Investigator.

11. Click Add Host.

12. Click Add Image.

13. We will now add the image that we converted to .dd format. Click Add Image File.

14. In the box under Location, type the directory where you put your .dd file. If you are root and copied the file to your desktop, you could type something like “/root/Desktop/[NameofTheFileGoesHere]“. Under Type click Partition and under Import Method click Copy. Then click Next. (*Note: working as root is frowned upon for security reasons.)


15. Click OK.

16. In the Select a volume to analyze or add a new image file dialog box, click the Analyze button.


17. You can now see the different ways to analyze this image file. We will start with File Analysis.

18. Click Generate MD5 List of Files.

19. These are the results of clicking ‘Generate MD5 List of Files’.

20. Clicking around, you can see various images of deleted and non-deleted files. In this picture you can see a deleted picture that we were able to recover. (*When you delete a file/picture/etc., you are simply removing the pointer to that particular item.)

21. Sample of text we can’t completely see. 


22. Click File Type, Click Sort Files by Type, and then click OK.



23. Here we can see the results of Categories, Images, Files Skipped, and Number of Files.


24. Lastly, click Image Details. You will now be able to see different information about the image. Explore and see what you can find!

You are now finished with Project 2: Sleuth & Autopsy Intro!

