Digital Forensics in Windows

Volatile vs. Non-Volatile Evidence

  • Volatile Evidence: Data that disappears when the computer is powered off. It’s crucial to capture this evidence quickly.
    • Examples: RAM contents, unsaved documents, running processes, passwords in clear text, recent chat conversations, and network connections.
  • Non-Volatile Evidence: Data that persists even after the computer is powered down. It’s often stored on hard drives, flash drives, and other storage devices.
    • Examples: Master File Table (MFT), Master Boot Record (MBR), Registry, logs, configuration files, application files, SWAP files, temporary files, data files, and unallocated space.

Volatile Evidence Artifacts

  • Why they’re important: Volatile evidence provides a snapshot of what was happening on the computer at the time of the incident.

  • Examples:

    • Running Processes: Tells us what programs were active.
    • Passwords in Clear Text: Could be stored in memory temporarily, especially for websites.
    • Unsaved/Open Files: Helps identify files that might have been edited or created but not saved.
    • Recent Chat Conversations: Reveals communication patterns and potentially incriminating content.
    • Network Connections: Shows what websites or devices the computer was connected to.

Non-Volatile Evidence Artifacts

  • Why they’re important: Non-volatile evidence provides a more permanent record of the system’s configuration, usage, and files.
  • Data Persistence: Even after the system is shut down, these data points remain.
  • Example Storage Devices: Hard drives, USB drives, memory sticks, CDs, DVDs.

Non-Volatile Artifacts - Master File Table (MFT)

  • Location: Inside the NTFS file system (used by Windows)
  • Significance: Holds information about every file on the drive
    • File name
    • Size
    • Date and time stamps
    • Other attributes
  • Deleted Files: Even when files are deleted, their entries in the MFT often remain, marked for later use. This allows for recovery.
  • MFT Zone: NTFS reserves space for the MFT.

Non-Volatile Artifacts - Master Boot Record (MBR)

  • Location: The very first sector (sector 0) of the hard drive.
  • Function: Contains the “bootloader” code that tells the computer how to start the operating system.
  • Identification: The last two bytes of the MBR are always “55AA.”
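As an added example (not from the notes), this Python parser checks the "55AA" signature and then goes one step further than the notes do: it decodes the four 16-byte partition entries that sit between the bootloader code and the signature. The sample sector is constructed, so the partition values are made up.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"       # the "55AA" boot signature at bytes 510-511
PARTITION_TABLE_OFFSET = 446      # 446 bytes of bootloader code precede the table
PARTITION_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"        # boot flag, (CHS start), type, (CHS end), LBA start, sector count

def has_boot_signature(sector0: bytes) -> bool:
    """True when the sector ends with 55 AA, the first sanity check on a candidate MBR."""
    return len(sector0) == SECTOR_SIZE and sector0[510:512] == MBR_SIGNATURE

def parse_mbr(sector0: bytes) -> dict:
    """Validate the signature and decode the four 16-byte partition entries."""
    if not has_boot_signature(sector0):
        raise ValueError("missing 55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        boot_flag, ptype, lba_start, num_sectors = struct.unpack(
            ENTRY_FORMAT, sector0[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue                  # empty slot
        partitions.append({
            "index": i,
            "bootable": boot_flag == 0x80,
            "type": ptype,            # 0x07 = NTFS/exFAT, 0x0C = FAT32 LBA, 0xEE = GPT protective
            "lba_start": lba_start,
            "sectors": num_sectors,
            "size_bytes": num_sectors * SECTOR_SIZE,
        })
    return {"bootcode": sector0[:PARTITION_TABLE_OFFSET], "partitions": partitions}

def build_sample_mbr() -> bytes:
    """Constructed sample sector: one bootable type-0x07 partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:3] = b"\xEB\x63\x90"      # placeholder jump at the start of the boot code
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = \
        struct.pack(ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr())["partitions"]:
        print(p)
```

On a real image, read the first 512 bytes of the raw disk image file and pass them to parse_mbr; a sector without the signature is rejected before any partition data is trusted.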

Non-Volatile Artifacts - Windows Registry

  • Central Database: The Registry is a hierarchical database that stores important information about Windows.
  • Information Stored:
    • Windows components’ configuration settings
    • Installed hardware, software, and applications
    • User-specific data
  • Forensic Value:
    • Tracks system changes and software installations.
    • Helps build a timeline of events.
    • Stores user-specific data in a structured way.
  • Tools for Registry Analysis: MUICache, Process Monitor, Registry Editor, Regshot, USBDeview, RegRipper

Activity 1 using RegShot Tool

  • Hands-On: The slide likely directs you to an exercise using RegShot. This tool helps analyze the Registry by comparing snapshots.
  • Purpose: To identify changes made to the registry, which can be helpful for forensic investigations.
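As an added illustration (not part of the notes or of the RegShot tool itself), the comparison RegShot performs can be reproduced in Python: take two snapshots of the Registry as key-to-values maps and diff them. The snapshots, key paths and value names below are constructed for the example.

```python
from typing import Any, Dict

# A snapshot maps a registry key path to {value_name: data}. The ones below are
# constructed for the example; RegShot builds them by walking the live hives.
Snapshot = Dict[str, Dict[str, Any]]

def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Compare two snapshots: keys added/deleted, values added/deleted/modified."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:                       # whole key is new
            report["keys_added"].append(key)
            report["values_added"] += [f"{key}\\{v}" for v in after[key]]
            continue
        if key not in after:                        # whole key is gone
            report["keys_deleted"].append(key)
            report["values_deleted"] += [f"{key}\\{v}" for v in before[key]]
            continue
        for name in sorted(set(before[key]) | set(after[key])):
            path = f"{key}\\{name}"
            if name not in before[key]:
                report["values_added"].append(path)
            elif name not in after[key]:
                report["values_deleted"].append(path)
            elif before[key][name] != after[key][name]:
                report["values_modified"].append((path, before[key][name], after[key][name]))
    return report

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APP_KEY = r"HKCU\Software\ExampleApp"     # constructed application key

# Constructed before/after snapshots around an installer run: it adds an autostart
# value under the Run key, a new HKLM key, and updates its own LastRun value.
BEFORE: Snapshot = {
    RUN_KEY: {"ExampleAV": r"C:\Program Files\ExampleAV\tray.exe"},
    APP_KEY: {"LastRun": "2024-03-01"},
}
AFTER: Snapshot = {
    RUN_KEY: {"ExampleAV": r"C:\Program Files\ExampleAV\tray.exe",
              "ExampleUpdater": r"C:\Users\alice\AppData\Roaming\ExampleApp\updater.exe"},
    APP_KEY: {"LastRun": "2024-03-02", "InstallDir": r"C:\Program Files\ExampleApp"},
    r"HKLM\SOFTWARE\ExampleApp": {"Version": "1.0"},
}

if __name__ == "__main__":
    for section, entries in diff_snapshots(BEFORE, AFTER).items():
        print(f"{section}: {entries}")
```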

Non-Volatile Artifacts - Event Logs

  • Purpose: Logs store events that happen in the system. These can be related to the operating system, users, or other entities.
  • Time Stamps: Logs are chronologically ordered with timestamps.
  • Categories of Logs:
    • System Logs: Record events related to the operating system, both successful and unsuccessful.
    • Application Events: Log events triggered by applications (like start up, shutdown, or configuration changes).
  • Recently Accessed Files: Keeps a record of files accessed recently.
  • Commands: Stores commands executed by users during their sessions.
  • Tools for Event Log Forensics: EvLog3.0 Analyzer, Windows EventLogAnalyzer, OSSEC, syslog-ng, Log2timeline.

Non-Volatile Artifact - Configuration Files

  • Created by the OS: Configuration files are generated by the operating system based on user commands.
  • Forensic Value: Can reveal changes made to the system.
  • MRU (Most Recently Used) Keys: These registry keys track the last visited folders and the commands entered in the “Run” dialog.

Non-Volatile Artifact - Application Files

  • Created by Programs: Files created by applications that users use for daily tasks (e.g., documents, spreadsheets, presentations).

Non-Volatile Artifact - Temporary Files

  • Purpose: Temporary files are created by the operating system during tasks like installations or updates.
  • Location: Typically found in the “%temp%” folder.
  • Persistence: Sometimes, these files aren’t deleted, which can provide clues about activity.

Non-Volatile Artifact - SWAP Files

  • RAM Expansion: When RAM runs low on space, the operating system creates a SWAP file on the hard drive to store data temporarily.
  • Content: The SWAP file contains data that was initially stored in RAM.

Non-Volatile Artifact - Data Files

  • Common Files: Includes all the regular files that users work with, such as documents, images, media files.

Non-Volatile Artifact - Unallocated Space

  • Deleted Data: When files are deleted, their content isn’t immediately erased. It can remain in the unallocated space until overwritten.
  • File Carving: Recovering files from unallocated space is called file carving.
  • Hidden Data: Data might be hidden in:
    • Slack space: Unused space within files. Slack space refers to the unused space in a disk cluster or block that is partially filled by a file. When a file is stored on a storage device, it is saved in fixed-size clusters or blocks (e.g., 4 KB). If a file does not fill the entire cluster, the remaining space within that cluster is known as slack space.
    • Unallocated clusters: Unused blocks of space on the drive.
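As an added example (not from the notes), the Python below does two things the section describes: it computes the slack space a file leaves in its last 4 KB cluster, and it carves JPEG and PNG objects out of a raw byte buffer by scanning for header and footer signatures, the simplest form of file carving. The buffer is constructed in the code; the JPEG and PNG magic values are the real ones.

```python
CLUSTER_SIZE = 4096   # the 4 KB cluster size the notes use

def slack_space(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes left unused in the file's last cluster (0 when it fills the cluster exactly)."""
    if file_size == 0:
        return 0                      # no data cluster is allocated for an empty file
    return (-file_size) % cluster_size

# Header/footer pairs used for carving. The JPEG and PNG magic values are real;
# more types can be added the same way.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}

def carve(raw: bytes) -> list:
    """Header-to-footer carving over a raw buffer such as an unallocated-space dump.
    Returns one entry per recovered object, ordered by offset in the buffer."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(head, pos)) != -1:
            end = raw.find(tail, start + len(head))
            if end == -1:
                break                 # header without footer: overwritten or truncated
            end += len(tail)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "data": raw[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])

def build_sample_unallocated() -> bytes:
    """Constructed buffer: zeros, a 26-byte mock JPEG, zeros, a 46-byte mock PNG, a stray footer."""
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 20 + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xAE\x42\x60\x82"
    return b"\x00" * 100 + jpg + b"\x00" * 50 + png + b"\x00" * 10 + b"\xFF\xD9"

if __name__ == "__main__":
    print("slack for a 5000-byte file:", slack_space(5000), "bytes")
    for item in carve(build_sample_unallocated()):
        print(item["type"], "at offset", item["offset"], "size", item["size"])
```

Real carvers (Scalpel, PhotoRec) add size limits and structure checks because a footer may belong to a different, fragmented file; this version stops at the first footer it finds.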

File System

  • Methods for Acquiring Files
    • Disk-to-Image: The most common method. Creates a complete
    • Disk-to-Disk: Used when disk-to-image is not possible
    • Logical: Acquires only specific files of interest.
    • Sparse: Captures fragments of deleted or unallocated data.

FOR EXTRA KNOWLEDGE

  • Learn About File Fragmentations

File Systems:

  • NTFS (New Technology File System): The file system primarily used by Windows.
  • FAT32 (File Allocation Table): An older file system still used for some devices and older computers.

  Feature             FAT32         NTFS
  Maximum file size   4GB           16TB
  Fault tolerance     No            Automatic troubleshooting
  Encryption          No            Available
  Security            Less secure   More secure
  File compression    No            Supports file compression

  1. Maximum file size: The largest size a single file can be on the file system.
  2. Fault tolerance: The ability to detect and correct errors to prevent data loss or corruption.
  3. Encryption: The capability to secure files and folders so that only authorized users can access them.
  4. Security: The level of protection provided to keep data safe from unauthorized access.
  5. File compression: The feature that allows files to be stored using less space by reducing their size.

FAT32

  • Default for Windows: FAT32 was the default file system for earlier versions of Windows.
  • Maximum Drive Size: 8TB
  • Forensic Applications: FAT32 is sometimes used by forensics experts to format acquisition media because it’s simple and reliable.

NTFS

  • Enhanced security
  • File encryption
  • Disk compression
  • Support for larger storage devices
  • Fault tolerance
  • Faster file retrieval

Case Study: NTFS Time Stamp Analyses

We will demonstrate this case study from the book Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations (chapter 2, pages 42 to 49).

Timeline Analyses

  • Connecting Events and Time: Timeline analysis helps determine the sequence of events on a computer by associating them with timestamps.
  • Purpose: To build a chronological picture of activity.
  • Timestamp Manipulation: Criminals might attempt to change timestamps to obscure their actions.
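As an added example (not from the notes or the book), the Python below shows how an analyst checks for timestamp manipulation in NTFS: it converts the FILETIME values stored in an MFT record and compares the $STANDARD_INFORMATION timestamps (the ones user-mode tools can rewrite) against the $FILE_NAME copies (maintained by the kernel). The MFT record is constructed, and the two checks are common heuristics, not proof of tampering.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # FILETIME counts 100-nanosecond ticks

def filetime_to_datetime(ft: int) -> datetime:
    """NTFS stores every timestamp as 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601               # integer arithmetic: the tick count exceeds float precision
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def timestomp_indicators(si: dict, fn: dict) -> list:
    """Heuristics over one MFT record's $STANDARD_INFORMATION (si) and $FILE_NAME (fn)
    times, each a dict of FILETIME ints keyed created/modified/accessed/mft_modified.
    The result lists inconsistencies worth investigating, not proof of tampering."""
    findings = []
    # $SI times are what user-mode APIs rewrite; $FN times are maintained by the kernel,
    # so a $SI creation time earlier than the $FN one is a classic red flag.
    if si["created"] < fn["created"]:
        findings.append("SI created precedes FN created")
    # Tools that set times often work at one-second granularity, leaving the
    # sub-second part zero where the untouched $FN copy still carries it.
    for name in ("created", "modified"):
        if si[name] % TICKS_PER_SECOND == 0 and fn[name] % TICKS_PER_SECOND != 0:
            findings.append(f"SI {name} has a zero sub-second part while FN {name} does not")
    return findings

def build_sample_record() -> tuple:
    """Constructed record: $FN keeps the true March 2024 creation time; $SI was reset to 2019-01-01."""
    true_time = datetime_to_filetime(datetime(2024, 3, 5, 10, 15, 30, 123456, tzinfo=timezone.utc))
    fake_time = datetime_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))
    fn = {k: true_time for k in ("created", "modified", "accessed", "mft_modified")}
    si = {"created": fake_time, "modified": fake_time, "accessed": fake_time,
          "mft_modified": true_time + 5 * TICKS_PER_SECOND}   # the rewrite itself touches the record
    return si, fn

if __name__ == "__main__":
    si, fn = build_sample_record()
    print("SI created:", filetime_to_datetime(si["created"]))
    print("FN created:", filetime_to_datetime(fn["created"]))
    for finding in timestomp_indicators(si, fn):
        print("indicator:", finding)
```

Tools such as MFTECmd or analyzeMFT expose both attribute sets per record, so the same comparison can be run across a whole $MFT export.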

Demonstration: Recuva Tool

  • Practical Exercise: This slide likely directs you to a hands-on demonstration using the Recuva tool, which can recover deleted files.
  • Follow the instructions given in class from the book Practical Digital Forensics, pages 62-66.

Digital Forensics in MAC

Mac file system

  • History:
    • HFS (Hierarchical File System): Introduced in 1984.
    • HFS+ (Hierarchical File System Plus): Introduced later as an improvement.
    • APFS (Apple File System): Introduced in 2016, replacing HFS+. APFS is optimized for SSDs and has strong encryption.
  • Key Features of APFS:
    • Sparse File Support: Efficient use of space.
    • 1-Nanosecond Timestamp Granularity: More precise timestamps.
    • 64-Bit Inode Numbers: Increased storage security and more files per volume.
    • File Cloning: Efficient file copying within the same volume.
    • Snapshots: Capture the state of the system at a particular moment.
    • Crash Safety: “Copy-on-write” metadata scheme protects against data loss.
    • TRIM Support: Optimizes SSD performance.
    • Space Sharing: Multiple volumes can share the same free space.
    • Full Disk Encryption: Data is encrypted by default.

Forensic Artifacts for macOS

  • Artifacts: Objects or locations within a macOS system that contain relevant information.
  • Categories of Artifacts:
    • System Artifacts: Information about system configurations, such as the operating system version, time zone, and MAC address.
    • User Profiles: Records of user settings, including keychain, language, and recent documents.
    • Logs: System, network, and user logs that record events and activity.

System Artifacts

  • Locations: The slide lists specific file paths within the macOS system where key artifacts are located.

  • Examples:

    • OS Version: /System/Library/CoreServices/SystemVersion.plist
    • MAC Address: /private/var/log/daily.out
    • Timezone: /Library/Preferences/.GlobalPreferences.plist
    • Language: /Library/Preferences/.GlobalPreferences.plist
    • Startup Folders: /Library/LaunchAgents/, /Library/LaunchDaemons/, /System/Library/LaunchAgents/, /System/Library/LaunchDaemons/

User Profiles

  • User Folder: The home directory for each user.
    • Desktop Files: ~/Desktop/
    • Downloads: ~/Downloads/
    • Library: ~/Library/
    • Documents: ~/Documents/
    • Deleted Files: ~/.Trash/
  • Recent Folders: ~/Library/Preferences/com.apple.finder.plist
  • Dock: ~/Library/Preferences/com.apple.dock.plist
  • Recent Documents: ~/Library/Preferences/com.apple.recentitems.plist
  • Safari Browsing History: /username/Library/Safari/History.plist
  • Apple Mail: Desktop/Library/Mail
  • USB Devices: /private/var/log/system.log

Keychain

  • Password Management: The Keychain stores passwords and other sensitive information.
  • Encryption: Passwords are encrypted, but other information might not be.
  • Locations:
    • System Keychain: /Library/Keychains/
    • User Keychain: /System/Keychains/
  • Information Stored: Apple IDs, Wi-Fi passwords, VPN credentials, FTP and SSH passwords, iTunes backup passwords, social network passwords, iWork document passwords, AirPort and TimeCapsule passwords, mail account passwords.

Logs

  • System Logs: /private/var/log/asl/YYYY.MM.DD.U[XX].asl, /private/var/log/DiagnosticMessages/YYYY.MM.DD.asl, /private/var
  • Shutdown Logs: /private/var/log/com.apple.launchd/launchd-shutdown.system.log
  • Network Status: /private/var/log/daily.out
  • Bootup Time: /private/var/log/System.log (search for “BOOT_Time”)
  • Filesystem Logs: ~/Library/Logs/fsck_hfs.log
  • VMWare Logs: /Library/Logs/VMWare

Tools for Mac Forensics

  • Acquisition and Verification:
    • MacQuisition
    • Guymager (Kali/CAINE)
  • Imaging:
    • Guymager
    • MacQuisition
    • APFS for Windows - Paragon Software (for image mounting)
  • Other Tools:
    • OSXpmem
    • OSXcollector
    • FTK cli
    • Blacklight
    • Arsenal Recon (image mounting)
    • Plaso (Open Source) - timeline analysis
    • Plist Viewer (OSForensics)

Linux Forensics


In-Class Activities

Lab 2 DFEH