What type of acquisition is done if the computer has an encrypted drive and the password or passphrase is available?

Key technical concepts

John Sammons, in The Basics of Digital Forensics (Second Edition), 2015

Archival data

Archival data, or backups, can take many forms. External hard drives, DVDs, and backup tapes are just a few examples. Acquisition of archival data can range from simple to extremely complex. The type and age of the backup media are major factors in determining the complexity of the process.

Backup tapes can present some very big challenges, especially if they were made with software or hardware that is no longer in production. Tapes are created using specific pieces of hardware and software. These same tools will be needed to restore the data into a form that can be understood and manipulated. Where it gets really exciting is when the hardware and software are no longer in production. An older version of the software may no longer be available or the company is no longer in business. This is known as legacy data. What do you do if you no longer have, and can’t get access to, the necessary tools to restore the data? Sometimes eBay can save the day.


URL: https://www.sciencedirect.com/science/article/pii/B9780128016350000024

Using the DTF model to process digital media

Stephen Pearson, Richard Watson, in Digital Triage Forensics, 2010

1. If you are going to scan a USB device such as an external hard drive or thumb drive, make sure to run the USBToggle tool (to get this free tool, send an e-mail to [email protected] and request the USBToggle; make sure to say you are reading this book). If you want all newly installed devices to be read-only, select Read Only. If you want to disable all unused ports, select the Disable Ports option.

2. Launch the USBToggle tool from the portable applications menu.

3. When you launch the USBToggle tool, an icon will appear in the lower right-hand toolbar. The toolbar icon changes color to represent different functions (see Figure 4.38).

   a. Green—All USB drives are open;

   b. Yellow—New USB devices inserted will be write-protected;

   c. Red—All USB ports are disabled.

Figure 4.38. HTCI USBToggle.

4. You can now plug in any device.

5. With the portable applications menu open, select Field Search and click on it one time. This will bring up the End User License Agreement page for Field Search. DO NOT DOUBLE CLICK on the menu. If you do double click, the menu item will try to load multiple instances of the application and you will receive error messages. To fix this, simply press Ctrl-Alt-Del and choose the Task Manager. Click on Field Search and choose End Task to cancel the other instances of the application.

6. Click on “Accept” to continue.

7. If possible, temporarily disconnect the computer from the Internet; reconnect after gathering your intelligence/evidence.

8. The main screen will appear (see Figure 4.39).

Figure 4.39. Field Search main menu.

9. Run “Final Report”: immediately run “Final Report.” Look at the header data on the report to determine when Windows® was last installed (see Figure 4.40).

Figure 4.40. Final report.

10. Compare the report's created date/time against your watch for current time.

11. Look at the IDE Devices table in the report. If you see that USB or removable media have been connected to the computer, you may want to look for the media near the offender's workstation.

12. Select Basic Information in the comments field, and note any discrepancies in the system clock and local time. Save the report to your USB drive. Check that it actually made it to your USB drive. [Always check after each save to ensure the report is where you think it is (see Figure 4.41).]

Figure 4.41. Basic information screen.

13. Select MRU. Sort the Most Recently Used list by Last Access Date. This will give you a quick understanding of how the offender uses the computer. It may also give you an idea of drives or folders for closer scrutiny. Look for drives not physically present on the computer at the moment. This may reflect previous connection of USB or FireWire external media (see Figure 4.42).

Figure 4.42. MRU screen.

14. Start “New Scan”; click on the “blank page” icon or select file “New Scan” (see Figure 4.43).

Figure 4.43. Start new scan.

15. Select the drive to be scanned.

16. Select which drives you want to scan by checking the appropriate boxes.

17. Click on the “Options” tab to select scan options (see Figure 4.44).

Figure 4.44. Options screen.

18. Select the scan options you want. We recommend you begin with “Collect Images,” “Collect Internet History,” “Scan in ZIP archives,” “Collect link files,” and “Perform keywords search.” Be sure to enter the video file formats you wish to search for. Field Search will default to searching for:

   a. AVI

   b. MPG

   c. MOV

   d. WMV

19. Click on the “Keywords Search” tab (see Figure 4.45).

Figure 4.45. Portable applications folder.

20. Select the keywords to search for.

21. Enter any keywords or phrases or select predefined sets. You might add other terms or terms of importance to the local area or investigation. Make sure that after you create the keyword list you save the scheme so that you do not have to retype the keywords again.

22. Enter the file types to be searched (more file types add more time to the search). We recommend searching TXT, HTM, HTML, and LOG files at a minimum.

23. Click “Start Scan” to begin the scan.

24. The scan will start immediately. You can click on the drive letter after about 30 s and see the scan's progress.

25. The scan progress is displayed at the bottom of the screen. Note: It will appear that Field Search is doing nothing for about 30 s. Wait patiently; it is scanning the drive's directory tree. If you attempt to do anything while the directory tree is being scanned, you will get the dreaded “hour glass.” While the directory tree is being scanned, collect the information you need for the Basic Information section (e.g., computer type, model, etc.).

26. After approximately 30 seconds, you can begin to fill out the basic information. Describe the computer, giving a serial number if possible, and note any attached equipment. The comments field can be used to report findings as well as equipment.

27. To avoid formatting issues in the final report, it is best to limit your text entry so it fits inside the boxes as they first come up (see Figure 4.46).

Figure 4.46. Basic information screen.

28. You can now begin the process of digital triage forensics. Begin reviewing results and select items for inclusion in your report.

29. The order in which you review results is personal preference. DTF suggests you review the Image Gallery first and then the Keyword Search. Note: Do not review media or images until you see a green checkmark next to the drive letter (Field Search has finished scanning). Doing so could cause memory problems.

30. Check items for inclusion in the report by checking the box next to the item you want to include in the report (see Figure 4.47).

Figure 4.47. Check items for inclusion to the report.

31. If you found Mozilla®-based browser Internet Histories and there were indications it was used to surf suspect sites, you may choose to conduct a second search with the “Check all file headers…” option selected.

32. Focus this search on the Documents and Settings folder only.

33. If you believe a Mozilla®-based browser may have text strings saved in the cache that contain important information, you may choose to conduct a second search with the “Search in files…” pane left empty. This will search every file in the folder for the keywords (see Figure 4.48).

Figure 4.48. Mozilla browsers.

34. Caution: choosing to do a second search on Mozilla®-based browsers can increase the amount of time Field Search requires to complete its task. You should do this only if it is warranted.

35. Run the report to see how it looks. Generally, you should have no more than 2-4 pages in the report. If you have more, you may have included too many examples of the suspect's computer use. Decide which elements best represent the suspect's usage and remove the remainder.

36. You can go back to the individual result pages and simply uncheck the boxes to remove items from the report.

37. To expedite review of selected images, URL records, Word Search findings, or Raw Scan records, change the Source to “Selected.”

38. To expedite the review of URL history records, click on the “checkbox” in the History tab.

39. Save Report: when viewing the report, click on the small disk icon at the top of the page to save the report to removable media.

40. Select a report type (see Figure 4.49):

   a. Rich Text File (*.rtf)—this can be opened in Word® and edited.

   b. Adobe Acrobat Document (*.pdf)—this cannot be edited, but can be read by almost any computer.

Figure 4.49. Report types.

41. Make sure you save the report to your removable media.

42. Export information to the Excel® spreadsheet (see Figure 4.50).

Figure 4.50. Excel export.

43. We recommend you always export the Excel® spreadsheet. It takes only a few seconds and provides you with an extensive back-up set of data.

The above steps are suggested for the collection of intevidence. You can see from using this program that it is possible to capture intevidence from the suspect drive. This tool is a great step forward in the world of DTF tools. The operator can take complete control of the drive to be captured using the filters provided in the tool.

The next section will allow us to use a more powerful DTF tool to gather and perform analysis of digital media.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495967000048

High Tech Interview

Brett Shavers, in Placing the Suspect Behind the Keyboard, 2013

Other devices used by suspect

What other devices do you own? (Laptops, PDA, smartphones, external hard drives, etc.)

How many cell phones do you have?

- Where are they?

- Which carriers do you use?

- Have you taken photos or videos with the cell phones?

- Where are the photos and videos saved?

How many desktop and laptop computers do you have?

Do you have other types of computer systems?

Where are the other devices?

When did you last use each device?

What did you use the devices for?

Does anyone else have access to them?

Who else has access?

When were the devices used by someone else?

Do you use your computers at your work for personal use?

How many work computers have you used for personal use?

Do you have an assigned computer?

Have you downloaded personal files with work computers?

How else do you use work computers for personal business?

Do any of these devices require passwords to use?

What are the passphrases?

Do you use your personal computers for business?


URL: https://www.sciencedirect.com/science/article/pii/B9781597499859000022

Introduction

Brett Shavers, in Placing the Suspect Behind the Keyboard, 2013

Simple File Copying

In some cases, copying files by dragging them from the evidence computer to an external hard drive may be appropriate. Such an instance usually occurs in a civil case where the only importance may be the content of the copied files and the computer user is not in debate. Simple file copying will alter the metadata of the files, and if the evidence computer is live, the data on that system will also be altered. In those situations where simple file copying is warranted, the use of specialized software to at least maintain the original metadata is advised. Yet, in many civil cases and certainly in every criminal case, this is not an acceptable method for collecting electronic evidence.

Frequently, parties to litigation have agreed to custodians of specific computers and disputes as to the users have been concluded. However, there remains the possibility that a custodian of a computer may deny specific actions that occurred on his or her computer. In that instance, the examiner must now work to place a person behind the keyboard for the questioned instances of activity.

Using simple file copying of only user created files leaves little electronic evidence from which to work, besides the copied files. Unless the examiner copies data that bolsters user activity, such as event logs and registry hives, basic user created files, such as word processing documents, leave little for an examiner to investigate if the need arises after the fact.

Where a file copying utility will be used on a suspect’s computer, the choice of the tool should be one that has the most minimal impact on the files, such as a DOS application like “Upcopy” from Maresware (see Figure 1.1, Upcopy available freely from http://www.dmares.com). Among many of its features, Upcopy maintains the file’s metadata as well as verifies copied files through hashing and creating a log file.


Figure 1.1. Upcopy from Maresware, http://www.dmares.com.
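The metadata point above can be checked directly. The following is an added example, not Upcopy and not code from the book: a Python standard-library stand-in that copies a folder tree, hashes each file before and after the copy, and writes a log, with a `preserve` switch that shows what a plain copy does to the modification time. The function names, the CSV layout and the sample files are assumptions made for the illustration.

```python
# Added example: metadata-preserving, hash-verified file collection with a log.
import csv
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

LOG_FIELDS = ["path", "size", "src_mtime", "dst_mtime", "sha256", "verified"]


def sha256_file(path, block_size=1 << 20):
    """Hash a file in blocks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_files(src_root, dst_root, log_path, preserve=True):
    """Copy every file under src_root to dst_root and log one row per file.

    preserve=True uses shutil.copy2 (content plus timestamps);
    preserve=False uses shutil.copy (content only), which is what a plain
    drag-and-drop style copy amounts to: the copy gets a fresh mtime.
    """
    src_root, dst_root = Path(src_root), Path(dst_root)
    copier = shutil.copy2 if preserve else shutil.copy
    records = []
    for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
        before = src.stat()                 # record metadata before reading
        src_hash = sha256_file(src)
        dst = dst_root / src.relative_to(src_root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        copier(src, dst)
        records.append({
            "path": str(src.relative_to(src_root)),
            "size": before.st_size,
            "src_mtime": int(before.st_mtime),
            "dst_mtime": int(dst.stat().st_mtime),
            "sha256": src_hash,
            # Re-hash the copy: the content must match whatever the mode.
            "verified": sha256_file(dst) == src_hash,
        })
    with open(log_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=LOG_FIELDS)
        writer.writeheader()
        writer.writerows(records)
    return records


def demo():
    """Constructed sample tree: two files last modified 2010-01-01 00:00 UTC."""
    old = 1262304000
    samples = (("docs/memo.txt", b"constructed memo\n"),
               ("notes.log", b"constructed log\n"))
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "evidence")
        (src / "docs").mkdir(parents=True)
        for name, body in samples:
            path = src / name
            path.write_bytes(body)
            os.utime(path, (old, old))
        kept = collect_files(src, Path(tmp, "kept"), Path(tmp, "kept.csv"))
        lost = collect_files(src, Path(tmp, "lost"), Path(tmp, "lost.csv"),
                             preserve=False)
        log_lines = Path(tmp, "kept.csv").read_text().splitlines()
    return kept, lost, log_lines


if __name__ == "__main__":
    kept, lost, _ = demo()
    for mode, rows in (("copy2", kept), ("copy", lost)):
        for row in rows:
            print(mode, row["path"], row["src_mtime"], row["dst_mtime"],
                  row["verified"])
```

Both modes verify by hash, because a plain copy damages the timestamps, not the content; that is why a hash match alone does not show that metadata survived.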

For best practices of data collection, even in those civil electronic discovery instances where simple file copying is approved rather than a complete forensic collection of a hard drive, steps can be taken that will constitute a more complete collection. As an example, hard drives containing files for electronic discovery collection can be removed, connected to a forensic workstation, and copied using forensic applications.

Another option could be to boot the custodian computer to a forensic operating system using external boot media like a compact disk modified not to alter any evidence devices. Having access without risk of changing the files can allow collecting the files using a forensically sound process.

Collecting data haphazardly without a process may eventually cause problems should the veracity of the data collected be called into question. Copying files through any method, such as dragging and dropping files or using file copying software, is the least comprehensive method of collecting data. Before you decide to copy files on a live computer, remember that you only have one chance to collect the evidence reasonably. Every other attempt on a live machine puts the original evidence at higher risk of modification.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499859000010

In Addition to the System—Other Devices

Ann D. Zeigler, Ernesto F. Rojas, in Preserving Electronic Evidence for Trial, 2016

Abstract

This chapter considers ESI preservation issues with non-system electronic devices, including cell phones, tablet computers, laptop computers, and industrial portable devices such as external hard drives, flash drives, etc., on which ESI may be stored and/or moved on either a temporary or permanent basis. The chapter also considers the complexities related to adoption of so-called BYOD, or “bring your own device” practices in which the organization allows or requires employees to use their own electronic devices for carrying on the organization’s business. The authors discuss issues of forensic and legal concern with BYOD practices, both with and without prior written agreements. These include information control concerns (especially related to restricted or classified information) and litigation-hold access problems, when ESI subject to preservation is in the employee’s control rather than the organization’s. The reader is also alerted to Department of Labor regulations restricting access without a prior written agreement.


URL: https://www.sciencedirect.com/science/article/pii/B9780128093351000051

Forensics Team Requirements Members

Leighton R. Johnson III, in Computer Incident Response and Forensics Team Management, 2014

Forensics Analyst or Specialist

The forensic specialist has to be able to demonstrate impartiality and know the importance of data identification during the image capture and initial data gathering activities. The forensics specialist is the primary initial forensics person involved with the gathering of the evidence at the scene during the data capture actions conducted at the beginning of the forensics process.

The forensics specialist applies the basic techniques for bit-stream image capture actions since he is responsible for gathering evidence and collecting the data from the storage devices identified during the initial data identification activities when the forensics team is first deployed to the scene of the forensics event. This process is core to the proper chain of custody for the forensics evidence, hence the forensics specialist can easily “make or break” the actual outcome of any forensics case by their action during this initial phase of data gathering.

The forensics specialist needs to be extremely well versed in the processes of image capture from any type of data storage device, including cell and mobile phones, external hard drives, smartphones, personal data devices, SIM cards, cloud storage locations, SAN and network storage devices, network application appliances, logging servers, file servers, standard workstation and server machines, network devices with storage attached to them, and the other varied locations which retain data on the network. Every place data can be stored is a “potential” location the forensics specialist needs to be able to access and capture data for further investigation and evaluation by the forensics team members. The basic steps for the forensics specialist include the following, but are not necessarily limited to:

a. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

b. Inventory the hardware on the suspect computer/device and note the condition of the computer when seized.

c. Remove the original drive from the computer and then check the date and time values in the system’s CMOS.

d. Perform the bit-stream image capture of the entire dataset identified.

e. Conduct a cryptological “hash” of the dataset.

f. Notate the “hash” of the captured dataset for reference.
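Steps d through f can be sketched in a few lines. This is an added example, not code from the book: it copies a source byte for byte into an image file while hashing the stream, writes the hash to a case note, and shows that re-hashing the image later detects a single changed byte. A regular file stands in for the source device, and the function names, note format and sample data are assumptions; in practice the source would be a device opened read-only behind a write blocker.

```python
# Added example: bit-stream capture, hash, and notation of the hash.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def capture_image(source_path, image_path, block_size=1 << 20):
    """Step d and e: copy every byte, hashing the source stream as it is read."""
    digest = hashlib.sha256()
    total = 0
    # "xb" refuses to overwrite an existing image file on the target media.
    with open(source_path, "rb") as src, open(image_path, "xb") as img:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            img.write(block)
            total += len(block)
        img.flush()
        os.fsync(img.fileno())          # make sure the image is on disk
    return {
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": total,
        "sha256": digest.hexdigest(),
        "captured_utc": datetime.now(timezone.utc).isoformat(),
    }


def write_case_note(record, note_path):
    """Step f: notate the hash (and size) so it can be referenced later."""
    with open(note_path, "w") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)


def verify_image(image_path, record, block_size=1 << 20):
    """Re-read the image and compare size and hash against the noted values."""
    digest = hashlib.sha256()
    total = 0
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(block_size), b""):
            digest.update(block)
            total += len(block)
    return total == record["bytes"] and digest.hexdigest() == record["sha256"]


def demo():
    """Constructed 1 MiB source; the image is then altered by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        image = os.path.join(tmp, "image.dd")
        note = os.path.join(tmp, "case_note.json")
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)      # constructed sample data
        record = capture_image(source, image, block_size=64 * 1024)
        write_case_note(record, note)
        ok_before = verify_image(image, record)
        with open(image, "r+b") as fh:              # simulate later alteration
            fh.seek(512)
            fh.write(b"\xff")
        ok_after = verify_image(image, record)
        with open(note) as fh:
            noted = json.load(fh)
    return record, noted, ok_before, ok_after


if __name__ == "__main__":
    record, _, ok_before, ok_after = demo()
    print(record["bytes"], record["sha256"], ok_before, ok_after)
```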


URL: https://www.sciencedirect.com/science/article/pii/B978159749996500011X

Introduction to Windows 7

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

BitLocker to Go

BitLocker To Go is new in Windows 7 and builds on BitLocker by allowing users and administrators to encrypt removable media. Many of your end users have USB thumb drives, external hard drives, and other forms of removable media. BitLocker To Go allows for the encrypting of these devices for added security. Reading the data on an unencrypted removable media device is extremely easy and encrypting the device is the safest solution.

Devices encrypted with BitLocker To Go may be read from Windows XP and Windows Vista systems but these systems do not currently support writing back to the device. As more systems are migrated to Windows 7, this will be a viable option and can be enforced through Group Policy. In other words, an administrator can enforce that removable media be encrypted on Windows 7 hosts prior to functioning. This feature and other full disk encryption solutions are explained in Chapter 8, “Securing Windows 7.”

To enable BitLocker To Go on a removable device, right-click the device and select Turn on BitLocker as shown in Figure 1.75.


FIGURE 1.75. Enable BitLocker To Go on Removable Media


URL: https://www.sciencedirect.com/science/article/pii/B9781597495615000012

What is cyber safety?

John Sammons, Michael Cross, in The Basics of Cyber Safety, 2017

Encrypting Storage

A simple way to access someone’s data is to plug their storage device into another computer. While removing an internal hard drive from a computer is slightly more difficult and considerably more noticeable than walking off with an external hard drive or USB flash drive, once attached to a different computer, a thief is able to access your files without ever entering an account name or password. This is why file encryption is so important.

Encryption makes any data on a storage device useless to a thief. If one were to steal an encrypted drive, they would only be able to access the data using a key (such as a password), or by using the original computer that encrypted it. There are a number of free and commercial products that can be used to encrypt individual files, folders, or entire hard disks, including VeraCrypt (https://veracrypt.codeplex.com) and CipherShed (https://ciphershed.org/). In addition, some operating systems include features to encrypt local and removable drives.

BitLocker is an encryption tool that’s included with Windows Vista and higher versions. It will not encrypt individual files and folders, but it will encrypt entire drives. This not only includes drives on your computer, but also any external hard drives or USB flash drives you might have. In the following example, we’ll show you how to encrypt a USB stick:

1. Open File Explorer, and in the left pane right-click on the drive letter for your USB stick.

2. Click Turn on BitLocker.

3. When the wizard appears, click on the checkbox to Use a password to unlock this drive. If you use a smart card, you could also use that feature to unlock the drive, which would require you to insert your smart card and enter your PIN to unlock the drive. If you were encrypting a fixed drive, you would select the option to automatically unlock when you log into Windows. After selecting to use a password, enter a password into the Type your password box, and then type it in again in the Retype your password box to confirm. Click Next.

4. On the How Do You Want To Store Your Recovery Key page, click Save the recovery key to a file. When the Save BitLocker Recovery Key dialog box appears, choose a location to save the file and then click Save. You have the option of using this to print the recovery key (password) when needed.

5. Click Next, and on the Are You Ready To Encrypt This Drive page, click Start Encrypting.

When BitLocker encrypts the USB flash drive, it will add a program to it called bitlockertogo.exe, which is the BitLocker To Go Reader. This program is used to unlock the drive so you can read the data. If the drive is encrypted with a password, it will prompt you for it, and upon clicking the Unlock button, you’re then able to access the files.

The BitLocker To Go Reader is not required for reading an encrypted local drive, as the BitLocker feature on the operating system will handle this for you. If you’ve encrypted a local drive, and want to move it to another computer, you would need to decrypt the drive before installing it on another machine. To do this, you would right-click on the drive letter, click Turn Off BitLocker, and follow the prompts.

To see which drives are encrypted on your machine, you can use the BitLocker Drive Encryption program in Windows. In Windows 8x and 10, you would search for “bitlocker” and then click BitLocker Drive Encryption. In Windows 7, click Start, click Control Panel, click System and Security, and then click Manage BitLocker. Once it appears, you will see a list of your drives, and have the options to turn BitLocker off on encrypted drives, or turn it on when you want to encrypt a nonencrypted drive.

Encrypting mobile devices

In addition to encrypting computers, you can also encrypt mobile devices and the SD cards you’ve inserted for extra storage. It’s common for devices to require you to set a PIN, passphrase, or swipe pattern to unlock your phone prior to setting encryption. If this isn’t set, the options for encrypting SD cards may not be available in your settings. Once you’ve set a PIN, password, or swipe pattern to unlock the screen, you would then go into your Settings menu to encrypt the card.

On an Android phone, you tap Settings, tap Security, and then decide on the option to encrypt an external SD card or Encrypt Device. If you encrypt the device, you’ll need to enter your password each time you turn your phone on, so it can be decrypted. If you have an SD card that you want encrypted, you would select Encrypt external SD card on the Security screen and follow the prompts to either encrypt the entire card, or new files that are added.

On an iPhone, iPad, or iPod Touch, you would set a passcode to access your phone, which will instruct you that Data protection is enabled.

On a Blackberry, you would tap Settings, tap Security and Privacy, tap Encryption and then move the slider to the On position for what you want to encrypt. You can select to turn Device Encryption and/or Media Card Encryption to either encrypt the device and/or an SD card.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166509000012

Configuring File and Print Services

Tony Piltzecker, Brien Posey, in The Best Damn Windows Server 2008 Book Period (Second Edition), 2008

Backup Schedules

To create a scheduled backup, you must first make sure Windows Server Backup is installed in the Server Manager | Features | Add Features Wizard. Although you can create an ad hoc or one-time backup to a network share, internal disk, external hard drive, or DVD, you can only run scheduled backups using one or multiple external USB 2.0 or IEEE 1394 drive(s). It is recommended that you use a drive that is at least 2.5 times the size of the volume you plan to back up.

In the following Sidebar, we will configure a backup schedule in Windows Server Backup to run to an external USB 2.0 or IEEE 1394 hard drive.

Configuring & Implementing…

Configuring a Backup Schedule Using Windows Server Backup

1. Connect a USB 2.0 or IEEE 1394 external hard drive to your server.

2. Launch the Backup Schedule Wizard by navigating to Server Manager | Storage | Windows Server Backup | Backup Schedule.

3. Click Next to move past the Getting Started page.

4. On the Select Backup Type page choose Custom and click Next. This allows us to select the volume(s) we would like to back up.

5. On the Select Custom Backup Items page, select only the volume you would like to back up. In this example, we back up the C: drive.

6. On the Specify Backup Time page, you can choose to back up the server either at a specified time once per day, or multiple times per day. In this example, we chose Once a day at 11:00 p.m. (see Figure 7.23). Click the Next button to continue.

Figure 7.23. Specify Backup Time in Backup Schedule Wizard

7. Select the USB 2.0 or IEEE 1394 disk or disks you would like to back up to and click Next. Warning: Completing this wizard will format your external hard drive. Make sure you do not have any important data on your external hard drive before continuing.

8. Click Next and then Finish to complete the Backup Schedule Wizard.

9. After the wizard formats your external hard drive, your backup schedule appears in the Windows Server Backup management tool, as shown in Figure 7.24.

Figure 7.24. Scheduled Backup Displayed in the Windows Server Backup Management Tool


URL: https://www.sciencedirect.com/science/article/pii/B9781597492737000070

Windows system artifacts

John Sammons, in The Basics of Digital Forensics (Second Edition), 2015

From the case files: the Windows registry and USBStor

In a small town outside Austin, Texas, guests at a local hotel called police after observing an individual at the hotel who was roaming around, mostly naked and appearing somewhat intoxicated. When the police arrived, they found the individual and determined that he was staying at the hotel. They accompanied him back to his room and were surprised by what they found. When the door opened, they discovered another individual in the room and a picture of child pornography being projected on the wall. The projector was attached to a laptop. Two external hard drives were found lying next to the laptop. The unexpected occupant said that the laptop was his but that the two external drives belonged to the other man and had never been connected to his laptop. All of the equipment was seized and sent for examination. Forensic clones were made of the laptop and both external drives. The initial examination of the external drives found both still images and movies of child pornography.

Next, examiners wanted to determine whether either of those drives had ever been connected to the laptop. The system registry file of the laptop was searched for entries in the USBStor key. Listings for external hard drives were discovered along with the hardware serial numbers from both external hard drives.

Next, examiners sought to validate their results. Using a lab computer system with a clean installation of Windows, they connected the defendants’ external drives to the lab system. A write blocker was connected between the drives and the system to prevent any changes or modifications to the clones of the external drives.

The lab computer’s system registry file was then examined and the USBStor keys showed the same external hard drive listings as the suspect’s, with matching hardware serial numbers. These results proved that the suspect’s external hard drives had, in fact, been connected to the laptop at one time. The suspect was eventually convicted of possession of child pornography.
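The comparison the examiners made can be expressed as a short parser. This is an added example, not code from the book: it splits USBSTOR key paths into vendor, product, revision and serial number, then reports which devices appear on both the suspect laptop and the lab system. All key paths below are constructed, and the function names are assumptions. It also handles one case the narrative does not mention: when the second character of the instance ID is `&`, Windows generated the ID because the device reported no unique serial, so that ID is not used for matching across systems.

```python
# Added example: matching USBSTOR entries between two SYSTEM hives.
import re

# USBSTOR\<Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<revision>[^\\]*)"
    r"\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)


def parse_usbstor_key(key_path):
    """Return the device fields from one USBSTOR instance key, or None."""
    match = USBSTOR_RE.search(key_path)
    if match is None:
        return None
    instance = match["instance"]
    # An ID such as "7&1a2b3c4d&0" was generated by Windows for a device
    # without a unique serial; it is specific to that system and port.
    generated = len(instance) > 1 and instance[1] == "&"
    serial = None if generated else instance.rsplit("&", 1)[0]
    return {
        "type": match["type"],
        "vendor": match["vendor"],
        "product": match["product"],
        "revision": match["revision"],
        "instance_id": instance,
        "serial": serial,
    }


def hardware_ids(key_paths):
    """Set of (vendor, product, serial) for keys carrying a hardware serial."""
    ids = set()
    for path in key_paths:
        device = parse_usbstor_key(path)
        if device and device["serial"]:
            ids.add((device["vendor"].upper(), device["product"].upper(),
                     device["serial"].upper()))
    return ids


def devices_in_common(suspect_keys, lab_keys):
    """Devices whose vendor, product and hardware serial appear in both hives."""
    return sorted(hardware_ids(suspect_keys) & hardware_ids(lab_keys))


# Constructed key paths, as they would be listed from an offline SYSTEM hive.
ENUM = r"ControlSet001\Enum\USBSTOR"
SUSPECT_LAPTOP = [
    ENUM + r"\Disk&Ven_ACME&Prod_Portable_A&Rev_1.00\CONSTRUCTEDSN0001&0",
    ENUM + r"\Disk&Ven_ACME&Prod_Portable_B&Rev_2.10\CONSTRUCTEDSN0002&0",
    ENUM + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",
]
LAB_SYSTEM = [
    ENUM + r"\Disk&Ven_ACME&Prod_Portable_A&Rev_1.00\CONSTRUCTEDSN0001&0",
    ENUM + r"\Disk&Ven_ACME&Prod_Portable_B&Rev_2.10\CONSTRUCTEDSN0002&0",
    ENUM + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",
]

if __name__ == "__main__":
    for vendor, product, serial in devices_in_common(SUSPECT_LAPTOP, LAB_SYSTEM):
        print(vendor, product, serial)
```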


URL: https://www.sciencedirect.com/science/article/pii/B978012801635000005X

What type of acquisition is typically done on a computer seized during a police raid?

Forensics MT MC3.

In which RAID configuration do two or more disk drives become one large volume?

RAID 0: Striping RAID 0, also known as a striped set or a striped volume, requires a minimum of two disks. The disks are merged into a single large volume where data is stored evenly across the number of disks in the array.

What is sparse acquisition method?

Sparse Acquisition Sparse acquisition is similar to logical acquisition. Through this method, investigators can collect fragments of unallocated (deleted) data. This method is very useful when it is not necessary to inspect the entire drive.

What is the most common and time consuming method of data acquisition?

The most common and time-consuming technique for preserving evidence is creating a duplicate copy of your evidence image file. Many acquisition tools don't copy data in the host protected area (HPA) of a disk drive.