TRANSCRIPT
Applying Digital Forensic techniques to AIM
Gareth Knight, FIDO Project Manager
Anatomy Theatre & Museum, King’s College London
15th August 2011
Data handling workflow
1. Acquire: Obtain data from depositor / donor
2. Analyse: Examine the acquired data to locate user-generated content
3. Appraise: Appraise data to select data of potential value to the institution
4. Archive: Transfer selected data into the digital repository for curation & preservation
Data Acquisition Methods
The act of obtaining a copy of digital data from the depositor's media and transferring it into a managed environment for subsequent analysis:
1. File copy: Files are copied/moved from the donor's media to AIM-owned storage, e.g. via FTP, DVD-R or hard disk
2. Disk clone: Bit-for-bit copy of the source disk written to a mirror disk
3. Disk image: Bit-for-bit copy of the disk is created and stored as a file on other media.
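The disk-image method above is only as good as the evidence that the image matches the source, so an added example (not from the slides) shows the usual practice in a small Python script: stream the source to an image file while hashing it, hash the finished image independently, record the digest in a sidecar file, and re-verify later. File names and the 1 MiB in-memory "donor disk" are constructed for the example; on real media the source would be a read-only block device behind a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; real imagers work in whole sectors/blocks


def hash_file(path, chunk=CHUNK):
    """SHA-256 of a whole file, read in chunks so large images never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_media(src_path, img_path, chunk=CHUNK):
    """Copy src_path to img_path bit for bit, hashing the source as it streams and
    the finished image afterwards. Returns (bytes_copied, sha256_src, sha256_img).
    The source is only ever opened read-only; a hardware write blocker is still what
    actually protects the donor's media from the acquisition machine."""
    h_src = hashlib.sha256()
    bytes_copied = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(chunk), b""):
            h_src.update(block)
            img.write(block)
            bytes_copied += len(block)
    return bytes_copied, h_src.hexdigest(), hash_file(img_path, chunk)


def write_sidecar(img_path, digest):
    """Record the acquisition hash next to the image in sha256sum-compatible form."""
    side = img_path + ".sha256"
    with open(side, "w") as f:
        f.write(f"{digest}  {os.path.basename(img_path)}\n")
    return side


def verify_image(img_path):
    """Re-hash the image and compare with its sidecar: True while the image is unchanged."""
    with open(img_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return hash_file(img_path) == recorded


def demo():
    """Constructed sample: a 1 MiB 'donor disk' file stands in for a block device.
    Image it, verify, then alter one byte of the image to show verification failing."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "donor_disk.bin")
        img = os.path.join(d, "donor_disk.img")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # exactly 1 MiB of constructed content
        copied, h_src, h_img = image_media(src, img)
        write_sidecar(img, h_img)
        intact = verify_image(img)
        with open(img, "r+b") as f:  # simulate a later accidental write to the image
            f.seek(512)
            f.write(b"\xff")
        return {
            "bytes_copied": copied,
            "hashes_match": h_src == h_img,
            "verified_before_change": intact,
            "verified_after_change": verify_image(img),
        }


if __name__ == "__main__":
    print(demo())
```

Hashing the source during the copy and the image afterwards, rather than hashing the image once and trusting it, is what lets the archive show that the stored image is a faithful copy of the media it was taken from.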
Different Hardware, Different Media
Decision tree for choosing capture method:
• What type of media do you wish to image?
  • Removable media (e.g. floppy, CD-ROM, USB stick, etc.): Locate media reader & create disk image
  • Hard disk: Is the disk installed in a computer?
    • No: What type of connectors does it have?
      • ATA/IDE or SATA: Install into portable disk enclosure
      • Other: Obtain appropriate reader device
    • Yes: Do you have permission to remove the disk from the machine & is it physically possible?
      • Yes: Remove the disk and proceed by connector type, as above
      • No: Are you able to boot from disk/optical media & perform capture?
        • Yes: Boot from media & perform imaging
        • No: Does the machine possess appropriate ports (e.g. USB/Firewire) to allow connection of an external HD?
          • Yes: Perform capture via host system
          • No: Are you able to perform a network capture?
            • Yes: Capture disk image using network capture
            • No: Copy files to disk. Notify donor that some content may be missed.
Data held on digital media
Content held on digital media serves many purposes:
• Operating system files, e.g. Windows has 30,000+ after a fresh install
• Software: applications, utilities, games, etc.
• Log data: Windows Registry, browser cache, cookies, temp files
• User-generated content: documents, images, sound, emails, etc.
Different data layers are available:
1. Active data: Information readily available as normally seen by an OS
2. Inactive/residual data: Information that has been deleted or modified
  • Deleted files located in unallocated space that have yet to be overwritten (retrieved using an undelete application)
  • Data fragments that contain information from a partially deleted file (retrieved through carving)
Inactive data is useful, but the ethical issues of recovering it need to be considered.
1. Analysis techniques for active data
Common techniques:
• Navigate the directory structure to get a 'feel' for the data files held on disk
• Search by:
  • File name, e.g. *report*
  • File type, e.g. *.doc, *.pdf, etc.
  • Creation/modification date
  • Content type, e.g. word usage
  • File size
  • Additional configurable parameters
Windows search is easy to perform, but does not identify everything, and the investigation process itself can leave artefacts behind on the disk, e.g. thumbs.db
1. OSForensics search UI for active files
Sort by: Name, Folder, Size, Type, Creation date, Modification date, Hash set, Foreground colour, Background colour
2. Recovering deleted files
Data files deleted by the user continue to exist on disk!
• The filename is changed and the occupied space is simply labelled as 'unallocated', i.e. available for use.
• The file may be recovered if the space has not been reallocated to new data. However, the likelihood of retrieving the entire file decreases with usage of the disk.
Recovering partial/complete files
Recoverable using undelete / file recovery software, which searches unallocated space and relabels found files as available.
Recovering data fragments
Fragments of files may be recovered using the data carving technique: the raw bits of the disk are analysed to identify recognisable patterns that may indicate a data file, e.g. header/footer, semantic information.
• Carving software is designed to take a linear approach to locating data files, and so is ineffective on fragmented disks
• Creates Franken-Files! Incomplete files, large files containing information from multiple sources, embedded images extracted from PowerPoint files, etc.
Img source: http://www.flickr.com/photos/jwthompson2/160835456/
2. OSForensics deleted file UI
99-50% complete content
Data carving identifies data fragments, but is frequently wrong about the file type
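To make the carving limitations concrete, here is an added example (not from the slides or from OSForensics): a minimal linear header/footer carver for two well-known signatures, run over a constructed eight-sector image. The image holds one contiguous JPEG-like object and one PDF-like object that a file system has fragmented around a sector of unrelated text, so the same code produces a perfect carve for the first and a Franken-file for the second. Signatures are the public JPEG and PDF magic values; everything else is constructed.

```python
SECTOR = 512

# Public, well-known file signatures: (type, header, footer).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve(raw, signatures=SIGNATURES, max_len=1 << 20):
    """Linear header/footer carver. For each header hit, take the bytes up to the next
    matching footer (within max_len). Returns [(type, offset, data), ...] by offset.
    The method assumes a file's bytes are contiguous on disk, which is exactly why
    it misbehaves on fragmented disks: everything between header and footer is kept."""
    found = []
    for name, header, footer in signatures:
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start < 0:
                break
            end = raw.find(footer, start + len(header), start + max_len)
            if end < 0:  # header with no footer in range: skip this hit
                pos = start + 1
                continue
            end += len(footer)
            found.append((name, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed 8-sector image (not real media): a contiguous JPEG-like object in
    sector 2 and a PDF-like object split across sectors 5 and 7, with unrelated text
    in sector 6 where the file system placed part of another file."""
    def sector(payload):
        assert len(payload) <= SECTOR
        return payload.ljust(SECTOR, b"\x00")

    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload " * 10 + b"\xff\xd9"
    pdf_part1 = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    pdf_part2 = b"trailer << /Root 1 0 R >>\n%%EOF"
    raw = b"".join([
        sector(b"boot sector (constructed)"),
        sector(b"directory entries (constructed)"),
        sector(jpeg),
        sector(b""),
        sector(b""),
        sector(pdf_part1),
        sector(b"Unrelated report text occupying the gap in the fragmented PDF."),
        sector(pdf_part2),
    ])
    return raw, jpeg, pdf_part1 + pdf_part2


def demo():
    """Carve the sample image and report how each object fared."""
    raw, jpeg, pdf = build_sample_image()
    hits = {name: data for name, _offset, data in carve(raw)}
    return {
        "types": sorted(hits),
        "jpeg_exact": hits["jpeg"] == jpeg,  # contiguous file: perfect carve
        "pdf_exact": hits["pdf"] == pdf,     # fragmented file: not recovered intact
        "pdf_has_foreign_bytes": b"Unrelated report" in hits["pdf"],  # the Franken-file
        "pdf_carved_size": len(hits["pdf"]),
    }


if __name__ == "__main__":
    print(demo())
```

The PDF carve is larger than the original and contains text from a different document, which is the "large files containing information from multiple sources" case from the previous slide; a curator appraising carved output has to treat every carve as a candidate, not a file.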
3. Keyword search
Scan the content of a disk, including all emails, documents and other text content, to locate a particular search term.
• Commonly used by police to identify illegal content, e.g. bank numbers, telephone numbers, drug references, etc.
Archival use:
• Does the disk contain a reference to topic X?
• What trends may be identified in the use of a concept: when did the term appear and disappear?
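The active-file search parameters from technique 1 (name wildcard, type, date, size) and the keyword/trend questions from technique 3 can both be answered from a simple file listing plus a word index, so one added example (not from the slides) implements both in Python. The file records, their dates and their extracted text are constructed stand-ins for what a tool would pull from a donor's image.

```python
import fnmatch
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class FileRecord:
    path: str
    size: int
    modified: date
    text: str  # extracted text content (constructed for the example)


# Constructed sample listing standing in for a donor's active files.
FILES = [
    FileRecord("Documents/annual_report_2004.doc", 81920, date(2004, 3, 2),
               "Annual report on the archive digitisation pilot."),
    FileRecord("Documents/grant_report_2007.pdf", 204800, date(2007, 11, 15),
               "Progress report: digitisation of the manuscript collection."),
    FileRecord("Documents/lecture_notes.doc", 40960, date(2009, 5, 1),
               "Lecture notes on palaeography."),
    FileRecord("Pictures/holiday.jpg", 1572864, date(2008, 8, 20), ""),
    FileRecord("Documents/budget.xls", 30720, date(2010, 1, 9),
               "Digitisation costs per item."),
]


def search_files(files, name_glob="*", types=(), after=None, before=None,
                 min_size=0, max_size=None):
    """Filter active files by name wildcard (e.g. *report*), extension list,
    modification-date window and size, returning matching paths in listing order."""
    out = []
    for f in files:
        name = f.path.rsplit("/", 1)[-1]
        if not fnmatch.fnmatch(name.lower(), name_glob.lower()):
            continue
        if types and not name.lower().endswith(tuple(t.lower() for t in types)):
            continue
        if after and f.modified < after:
            continue
        if before and f.modified > before:
            continue
        if f.size < min_size or (max_size is not None and f.size > max_size):
            continue
        out.append(f.path)
    return out


def build_index(files):
    """Inverted index: lower-cased word -> list of (modified date, path) for files using it."""
    index = defaultdict(list)
    for f in files:
        for word in set(re.findall(r"[a-z0-9]+", f.text.lower())):
            index[word].append((f.modified, f.path))
    return index


def term_history(index, term):
    """Which files mention the term, and when it first and last appears (None if never)."""
    hits = sorted(index.get(term.lower(), []))
    if not hits:
        return None
    return {"files": [p for _, p in hits], "first": hits[0][0], "last": hits[-1][0]}


if __name__ == "__main__":
    print(search_files(FILES, "*report*"))
    print(term_history(build_index(FILES), "digitisation"))
```

Indexing once and querying many times is what makes the "create & search index" branch of the analysis decision tree cheap to repeat as the appraisal questions change.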
4. Analysis of research behaviour
A hard disk contains a large amount of other information:
• Web sites visited/bookmarked for research
• Chat logs indicating discussion with colleagues
• Other digital media that may have been used to store data
This may be useful for understanding the researcher's work process, but be wary of the ethical issues.
Decision tree for choosing appropriate analysis method:
• What level of analysis are you permitted to perform?
  • Only readily available files (active files)
  • Available & deleted files: Perform search of active & inactive (deleted) files
  • Full search, including active, deleted & fragments
• What type of information do you wish to locate on the drive?
  • User created data files: Do you have any additional criteria for user content?
    • None: Perform file search of common file types
    • Specific object types/formats: Perform file search of specific file types
    • Data created/modified before/after/between a set date: Perform file search with additional date parameters
  • Specific information on a topic: Do you know what keywords should be used?
    • Yes: Create & search index
    • No: Contact/research donor
  • Information about other media on which data may be stored: Examine event logs for devices connected/disconnected
Forensic Hardware
1. Desktop PC: Intel Pentium Dual Core E5800 CPU (3.20 GHz), 2 GB DDR, 500 GB HD, Super Multi DVD-RW
2. USB write blocker: Prevents the OS writing to connected devices
3. Drive enclosure: Enables connection of internal ATA/SATA disks via USB
4. KryoFlux USB: Floppy disk controller to enable attachment of disparate disk devices & forensic imaging
Thank You!
Gareth Knight, Centre for e-Research, King's College London
[email protected]  @gknight2000  020 7848 1979
http://fido.cerch.kcl.ac.uk/  @jiscfido
Questions