HOW TO: forensically examine a PC

CSI detectives can spray Luminol around the place to detect spots of blood that have been wiped clean, but there’s no such wonder spray for hard drives.

I came across this fascinating area of IT a little while ago and decided to investigate HOW investigators actually approach computers in criminal forensics.

The first step a forensics investigator has to take with a suspect computer is to image its hard drive. Other storage media can also harbour evidence, so CDs, DVDs, USB memory sticks and backup tapes might also be included. Even RAID arrays might have to be incorporated. An exact duplicate of the original is necessary from an evidence point of view so that it can be shown that nothing has changed after it was seized.

Choosing what to acquire

I use EnCase 4.20 for Windows in this article to demonstrate concepts, but the general idea is the same no matter which software is used. This is an awesome piece of software made by Guidance Software that facilitates all aspects of forensics IT work.

Other applications in this space are The Sleuth Kit and Autopsy (both open source). These two run on Unix and work together to provide a complete solution.

Report after a disk has been imaged

The traditional method of acquiring an image of a suspect source HDD is to boot with a special EnCase DOS boot disk and copy from drive to drive. There’s also a version called LinEn, a 32-bit Linux-based boot disk that achieves the same goal with better performance. EnCase provides a simple wizard to create a startup disk or modify an existing one. It can also be used to create a boot CD.

Options for an acquired image

For serious work, however, the FastBloc hardware write-block device is the professional’s choice. It sits between the source hard drive and the destination, blocking all write access. It comes with FireWire and USB interfaces and, using adapters, can also fit PATA and SATA drives.

FastBloc hardware write blocker

Drives can be imaged from disk to disk in the same system or over a network crossover cable. The Enterprise version can acquire images from live running systems over the network. To avoid potential abuse, a third system called Secure Authentication for EnCase (SAFE) controls who can acquire which systems and when. All network traffic in the Enterprise version is encrypted.

All imaged drives, along with notes etc., are contained in one evidence file. As an image is created, CRC and MD5 hashes are automatically created to ensure that the data is identical to the suspect drive. Later in the process this can also be done manually to verify that the data hasn’t been altered.

Comparing MD5 hashes after acquisition

As a forensics tool looks at an imaged hard drive from the “outside”, with the OS not running, a thorough understanding of filesystems (both FAT and NTFS) is required, as there can be “slack space” in sectors that can hide interesting data.

HPA (Host Protected Areas) or DCO (Device Configuration Overlay) are areas of hard drives where the manufacturer can store extended information. These areas can also be used by a sufficiently knowledgeable user to hide other data and so must of course also be investigated.

Disk view in EnCase

Once the image is acquired, the search for “artifacts” begins. This is forensics speak for evidence on the suspect system. Different operating systems and applications leave diverse traces of user activities; not surprisingly, Windows has a whole host of different ones. The Recycle Bin is an obvious first stop for investigation, as are Link files. Recent documents can also provide clues, and the Temp folder can provide a wealth of information as most users don’t look here. Favorites, temporary internet files, Cookies and the History folder are also clear targets.

Main EnCase view with deleted files

The swap file can be interpreted by EnCase, as can the hibernation file (laptops).

Powerful search functions for the whole drive are provided with GREP expressions. A picture gallery shows image files (think child porn). The Encrypting File System in Windows can be bypassed (with a retrieved key). IE history files can be accessed and shown in the timeline to establish web surfing patterns (think Google searches for “hijack flight”).

Timeline in EnCase showing file accesses

File signature analysis is the process of comparing the file header to the file extension and thus spotting files that have had their extension changed to “hide” their true content. File hashes can also be compared to known suspect files so you can easily find “subseven” for instance even if program files have been renamed.
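
The two checks described above, sketched in Python as an added example (not code from the original article and not how EnCase implements them). The signature table, the function names and the sample bytes are constructed for illustration; MD5 is used because it is the hash the article mentions.

```python
import hashlib
from pathlib import PurePath

# Leading "magic" bytes for a few common formats and the extensions that
# legitimately carry them (small illustrative table, not a tool's database).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF8", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".jar"}),
    (b"MZ", "pe", {".exe", ".dll", ".sys"}),
]

def detect_type(data: bytes):
    """Return (type, allowed_extensions) for the header, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, exts
    return None, set()

def examine(name: str, data: bytes, known_md5: set) -> dict:
    """Signature analysis plus known-file hash lookup for one file."""
    ext = PurePath(name).suffix.lower()
    kind, exts = detect_type(data)
    if kind is None:
        verdict = "unknown"    # no header in the table matched
    elif ext in exts:
        verdict = "match"      # header agrees with the extension
    else:
        verdict = "mismatch"   # header and extension disagree
    digest = hashlib.md5(data).hexdigest()
    return {"name": name, "type": kind, "signature": verdict,
            "md5": digest, "known": digest in known_md5}

# Constructed sample data: bytes with a PE header and bytes with a JPEG header.
PROGRAM = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real binary"
PHOTO = b"\xff\xd8\xff\xe0" + b"\x00" * 32
# Stands in for a set of hashes of known suspect files.
KNOWN_MD5 = {hashlib.md5(PROGRAM).hexdigest()}

if __name__ == "__main__":
    for fname, blob in [("holiday.jpg", PHOTO), ("notes.txt", PROGRAM),
                        ("readme.doc", PHOTO), ("log.txt", b"plain text")]:
        print(examine(fname, blob, KNOWN_MD5))
```

The renamed program (`notes.txt`) is flagged twice: its header does not fit its extension, and its hash is in the known set regardless of the file name.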

IT forensics is an interesting application of IT, and if you ever need to find another job in IT you might consider pursuing it. There’s even a certification for this particular software: EnCase Certified Examiner (EnCE).