In this chapter, well cover the following recipes:
- Identifying evidence sources
- Acquiring digital evidence
- Ensuring evidence is forensically sound
- Writing reports
- Digital forensic investigation: an international field
- Challenges of acquiring digital evidence from Windows systems
Digital forensics is an expansive term that can cover a multitude of subject areas. Broadly speaking, it refers to the investigation of crimes committed on, or with the use of, a computing device. Several years ago, this may have only been applicable to cases in which an investigator was looking at financial fraud, intellectual property theft, or similar cases where computers are, by definition, necessary in order to commit the crime.
In today's world however, the proliferation of digital devices is such that even a crime that seems to be unrelated to computing—a house burglary where jewellery is stolen, for example, or the abduction of a child walking home from school—can involve a whole host of digital evidence.
Digital evidence refers to anything relevant to an investigation that can be found on a digital device. Increasingly, digital devices can refer to almost anything around us - not only computers and phones, but also cars, televisions, refrigerators, and heating systems.
Digital forensics as a discipline does not deal solely with solving crimes. HR matters in companies, private or civil cases, as well as day-to-day data recovery, can all fall under the digital forensics bracket. It is reasonable to state, therefore, that not only is digital forensics a huge field, it is also expanding. For this reason, in this book, we have decided to focus on one particular aspect of digital forensics: the forensic analysis of Windows operating systems.
We could have chosen any number of operating systems as the subject of this book, not to mention the myriad smartphones and other connected devices that crop up in digital forensic investigations. Windows is, however, a popular choice of operating system for the average computer user, and for businesses — recent figures from NetMarketShare indicate that Windows takes up over 88% of the market. The following diagram demonstrates the market share of Windows as opposed to Mac, Linux, and other operating systems.
Regardless of whether you're working in law enforcement, in a digital forensics corporation, as an academic researcher in the field, or for yourself as a freelance investigator, the chances are that at some point you will come up against Windows systems.
Our goal in writing this book is to create a kind of cookbook, allowing you to dip in and out and use the recipes to aid in your investigations.
The range of available operating systems and programs that are frequently run on Windows machines makes it difficult to provide a full guide. This is particularly when we take into consideration the recent overhaul resulting in Windows 8, Windows 8.1, and Windows 10, which refer to programs as applications and look somewhat different from earlier versions both forensically and from a user experience point of view. To the best of our ability, we have tried throughout this book to highlight the most salient points in investigation and to discuss the broad implications of the changes in more recent versions.
Windows machines use NTFS, which used to stand for New Technology filesystem, although the acronym has now become obsolete. All versions of Windows run on NTFS as default.
The main thing to remember about NTFS is that everything is a file. The idea behind the filesystems creation was that it would be easily scalable, as well as being secure and reliable at all levels. This does present some unique challenges for forensic investigation and administrative usage, however knowing that any file can be located anywhere on the system makes it challenging to understand precisely what one is looking at when analyzing a machine.
The Master File Table (MFT) is the basis of the filesystem. In here, we find all the relevant information concerning files. It is worth noting that the first entry in the MFT is an entry that refers to the MFT itself, which can confuse people who are new to Windows filesystem analysis.
One of the most important elements in Windows investigations is the registry, where keys containing information regarding the configuration of the system, along with other forensic gems are stored. Tools such as RegEdit and RegRipper can be very useful in registry analysis, as can many of the more widely used general forensic programs, such as EnCase and BlackLight.
We will discuss the specifics of various investigative elements within the Windows NT filesystem throughout the book. For the moment, the most pertinent points to remember are that everything in NTFS is a file; that the master file table forms the base of the filesystem; and that the registry contains useful system configuration information.
As any digital forensic investigator will know, one of the main challenges posed by almost any case is the sheer amount of data and number of sources available to be worked through. A useful skill to have is the ability to look through the sources of evidence involved with a case and make a value judgement as to which will probably be the most useful.
From the beginning of the case, this can take the form of ascertaining which physical items to remove from a crime scene—computers and mobile phones are almost always seized, but what about USB sticks, smart televisions, and satellite navigation systems? How do you even get a WiFi connected refrigerator into a Faraday bag?
Jokes aside, once an investigator has identified the items from which they are going to attempt to extract evidence, the next hurdle is to work out which bits of evidence will be the most relevant, and where those can be found.
In Windows systems, there are several elements that will prove to be useful across many different types of investigations. While some will vary from case to case—looking for evidence of intellectual property theft or financial fraud will differ hugely from the sources you'd be locating in a child protection investigation, for instance on the whole, the following sources of evidence can generally provide useful information from which you can then extrapolate further.
In older Windows versions (around the time of XP and 2000), there were fewer programs to deal with, and therefore fewer sources of potential evidence, but there was also less room for confusion. XP was when Windows began to support the NT filesystem, which gave a boost to the previous FAT setup and allowed for more in—depth analysis of the system.
Prefetch files were introduced in XP, and swiftly became one of the most pertinent sources of evidence, which is still the case today. The aim from a user experience perspective was essentially to speed things up. Prefetch files take note of which programs are used most frequently and make sure that those programs are pre-loaded into the memory, so that when a user boots up a machine and then tries to access one of the programs, it will load more quickly. From a forensic point of view, this means that prefetch files provide a wealth of information regarding a user's general computer habits—which programs they use most often, and to some extent, how they are being used. Prefetch files are stored in the %SystemRoot%Prefetch directory and will be discussed in more depth in Chapter 7, Main Windows System Artifacts.
Subsequent Windows updates introduced increasingly complex elements, one of the most pertinent of which is BitLocker.
BitLocker provides full volume encryption and also includes a version for portable devices, called BitLocker To Go. Provided that the password is known, decryption of BitLocker information is relatively straightforward and can be performed using a range of forensic software, some of which will be detailed later in this book. The simplest way to ascertain whether a volume has been encrypted using BitLocker is to look for -FVE-FS- in the volume header. Once this has been determined and the password has been found or recovered, tools such as FTK or EnCase can be used to decrypt the information.
Around the same time BitLocker was introduced, with the release of Windows Vista, the way in which user accounts are structured within Windows also changed. This is mainly noticeable from the perspective of the user themselves, in that the main change is that many system-wide modifications that could previously be made by any user can now only be made by an administrator. This can also be an important point forensically, particularly in cases where a computer has multiple users, only one of whom has access to the administrative password.
Internet Explorer and its successor, Microsoft Edge, have been overhauled repeatedly throughout the years. We will take a much closer look at Edge later on in this book, however, for the moment, it is possible to say that there is a wealth of information to be found within internet browsers. Arguably one of the most important elements within Internet Explorer is the cache, which contains information regarding the pages a user has visited and any content that has been downloaded.
Private browsing is one of the most commonly misconceived options by the end users of Windows systems: while this may prevent other people in the household from uncovering a users secret internet habits, it is of course still open to forensic investigation.
Increasingly, we are seeing users becoming more aware of the level of information that can be gleaned using digital forensic methods, and in recent years, privacy options within operating systems, applications, and programs have become a growing concern for many computer users. This has led to a gradual yet steady rise in the installation and usage of alternative software such as the Tor browser, which purports to be able to prevent others from uncovering the true location of the end user. However, even these methods are not impervious to forensic investigation, as demonstrated at the Digital Forensics Research Workshop 2015 by Epifani et al.
Any attempt at obfuscation or extensive deletion of data should spark a level of suspicion in the mind of an investigator; anti-forensic methods are becoming more and more widespread, but so in turn are the methods forensic analysts can use to uncover the elements users were trying to hide.
The chain of custody in digital investigations is of paramount importance. Not only does it demonstrate who had access to the evidence at any given time, it also - at least in theory - shows what was done with the evidence after it was seized, and the measures that were taken to ensure its preservation and integrity.
For investigators who work in a team, for example in law enforcement agencies or within a corporation, there will generally be an already established process to follow, in line with the guidelines provided by the agency or company. For freelance and individual investigators (or for those who believe their company's acquisition procedure may need a bit of an overhaul), it is important to bear a few basic principles in mind.
The level of forensic soundness that you as an investigator will be required to demonstrate will probably depend, at least in part, on the nature of the case on which you are working. Civil cases, for example, will generally not require such a high level of evidential integrity as criminal investigations, since civil cases are less likely to end up in court. It is good practice, however, to get used to maintaining as high a level of forensic soundness as possible;"doing so means that, if in the future you specialize in more in-depth investigations, you will already you will already be used to setting the right level of groundwork for your forensic examinations.
Generally, it is sufficient when gathering evidence to image a device—that is, to create an exact copy of the data contained therein—and then to use this forensic image as the basis for your analysis, rather than conducting analysis on the physical device you have seized from the scene. Sometimes, you may also be required to verify both that the copy is authentic, and that the process you used to copy the data did not alter it in any way. Audit trails are a large part of this—if you can demonstrate where the data sources have been stored, in which devices, for how long, and who has had access to them, this should suffice.
Removing the source of digital evidence from the scene of the investigation is the first step in this process and must be done with care. Switching off or unplugging a machine, typing in a password, moving a mouse, or performing any other kind of interaction with an object encountered in the course of a crime scene investigation can have unpredictable effects on the outcome of the investigation. Sometimes, devices are set up to be wiped automatically when turned off; some will encrypt all data when a password is entered incorrectly.
In most cases, investigators will be encouraged to leave the source of evidence in the state in which it is found. For example, if a mobile phone is recovered from a scene, it may be placed in a Faraday bag, which will block electric fields and therefore prevent signals from coming through while the phone is being transported.
If there is no way to remove an item from a scene without somehow tampering with it—for example, if a desktop PC is plugged in and turned on, but needs to be taken away for analysis—the person tasked with the removal of the item should be expertly qualified to ensure that no changes happen except the ones that are absolutely necessary, and that any actions that take place are detailed within the audit trail.
It may sound like this is a relatively straightforward process—don't change anything unless you absolutely have to; if you do have to, ensure the person who is making the changes is qualified to do so; and keep a record of everything that happens. However, this is a broad overview of the basic general requirements for the sound preservation of evidence, and these will differ—sometimes quite widely—depending on local or national legislation. One of the most challenging things about being a specialist in computer forensics is that computer crimes often have an international flavor, and it is not unheard of for an investigation to span several continents, let alone states within a given country.
For this reason, it is of the utmost importance to verify the local legislative requirements when it comes to the identification, collection, preservation, and analysis of digital forensic evidence, particularly if the case on which you are working is likely to end up in court.
As with the chain of custody/audit trail mentioned in the preceding section, the style of report writing will no doubt vary based on legislative demands, company or agency guidelines, and individual investigator style. Once again, it makes sense to have a good grounding in the basics of digital forensic report writing, so that you have a flexible skill set within which to work.
Reports may also differ significantly depending on who is going to end up reading them. If you are investigating a civil dispute, your final report will probably not be written in highly technical language and may just include an overview in layperson terms of the methodology used and what was uncovered. If you are going to be called into court as an expert witness however, then a higher level of technical detail and a more in-depth demonstration of your investigative processes will no doubt be needed.
Broadly speaking, most digital evidence reports should include the following:
- Name, job title, and company of the senior investigating officer.
- Name, job title, and company of the digital forensics examiner (if different from the preceding one).
- A brief description of the case, including the nature of the activities under investigation.
- Name of the person or persons whose devices or data are under investigation.
- Start and end date of the investigation.
- Methodology used throughout the investigation, including but not limited to how evidence was identified, collected, preserved, and analyzed. This may also include details of any tools and processes used, as well as a copy of the chain of custody.
- An overview of the results of the investigation in line with the original activities specified at the beginning of the report, as well as any other relevant information that was uncovered in the course of the investigation.
- Screenshots, printouts, or other evidential items that demonstrate the results of the case.
- An analysis of the results, including any conclusions regarding guilt or innocence of the accused party.
- Any appendices, glossaries, or other information that may prove useful to the reader of the report.
Many forensic tools will generate their own reports in either digital or printable formats, in a number of different styles such as PDFs, Excel documents, or Word files. Some software packages, such as Nuix's Investigator Suite, include add-ons like Web Review and Analytics, which allow for multiple users to view or work on the same case. This can be very useful during an investigation, as it allows an administrator or senior investigator to allocate certain roles within a case, but it can also come in handy when compiling reports. Some users can be given access only to the final report, which they can enter into and look at the results that have been found and compiled into user-friendly graphs; if they have the correct permissions, they can then also take a further look at the evidence from this. The following diagram shows the dashboard of the Nuix Web Review and Analytics interface, which allows users to view and manage evidence in a forensic investigation.
As we have briefly discussed, one of the biggest challenges encountered by digital forensic investigators, whether in criminal or civil cases is the international nature of their investigative scope.
When investigating cases such as DDoS attacks (where a person or group of people flood a website or machine with requests in order to stop it from functioning), online credit card details theft, or bank fraud for example, it is likely that an investigator may find their suspects scattered all around the world. In a recent case involving the live streaming of child abuse from the Philippines, one of the main problems the investigators ran into was that the people who were watching the live streamed content were also subjects for investigation, but they were spread internationally and were difficult to track down due to so many of them using various methods of obfuscation. Laws around the world differ too: legislation in one country may create a legal loophole that causes havoc for a case and has implications on whether it is eventually brought to a conclusion or shelved.
The increasingly globalised nature of crime means that this is a problem we cannot ignore - it is not something that is going to go away. On the contrary, it looks set to only grow further with each passing year. Nowadays, our data is stored in the cloud—Nowadays, our data is stored in the cloud; people we interact with aren't just those we have met in real life, but instead people we would have previously termed strangers now increasingly form the basis of our social interactions; our bank accounts are accessible from almost anywhere in the world, often in multiple currencies. It is difficult enough to trace the actions and data trail of a single individual who is merely living life in the 21st century, let alone to attempt to investigate a large group of people, spread across diverse physical locations, who are making deliberate and sustained attempts to obfuscate data and hide themselves from view.
Strides ahead are being made, however. Various projects have sprung up over recent years which aim to address the specific challenges brought up by international investigations. One example is the EVIDENCE Project coordinated by Maria Angela Biasotti, an Italian lawyer who, in collaboration with colleagues across Europe, is seeking to develop a common understanding of electronic evidence and a more globally viable way of collaborating between territories, as well as a more standardized criminal investigation procedure around the world.
A laudable goal, and one that the EVIDENCE Project at least is moving swiftly towards; at the time of writing, a test implementation between several member countries is on the cards. However, at the moment, investigators are still faced with having to work on cases that have international data sources and implications.
Scoping out a case before taking it on is good practice regardless of its size or relative importance, but this becomes even more pertinent when international factors might be involved. These may have an impact on the time it takes to acquire evidence: for example, if you are looking to extract data from a server in another country, or even another state, you will need at least a basic understanding of the requirements necessary to gain access to it, and indeed whether this is even possible in the first place.
It is, of course, impossible to have an in-depth understanding of the various bits of legislation that are relevant to digital forensic investigations around the world. In reality, the best an investigator can do is to verse themselves as fully as possible in the laws of their own local area, and then seek advice when the need arises to work across borders.
Beyond the legislative elements, however, there are also the more mundane aspects of international investigation, such as linguistic analysis. Keyword searches are often where an investigation starts, or at least fall somewhere near the beginning—but if your case spans a multitude of countries, you may well end up at a loss for keywords.
Most of the larger digital forensics solutions, such as EnCase and Nuix Investigator, have multilingual keyword abilities built in, which is a huge help. Some can even scan the evidence you enter for you, and then bring back an analysis of the languages used within the case. You can then use this to form the basis of your investigation and to inform future searches. Slang is still a problem for many though, and criminals are increasingly becoming wise to this. While a thesaurus can bring back a number of synonyms for a given term relating to drug abuse, the exploitation of children, or financial fraud, it may not be able to include all the less formal terms people are using in their discussions.
Progress is being made, however, and much of the air time at digital forensics conferences and research groups is devoted to how we as investigators can increase collaboration and make it easier to investigate global cases.
One of the challenges of investigating Windows machines is the way that NTFS is set up. This means that it can be difficult to work out whether what you're looking at refers to a general property of the file system, or to a property that is specific to an application. The further along in your investigative career you are of course, the more adept you will become at making such distinctions, however, it is worth bearing in mind particularly for early career investigators.
Beyond the basic filesystem challenges, the way in which Windows systems are constantly updating can bring up further obstacles to digital forensic investigations. What worked on a machine running Windows 7 may not work on one that's running Windows 8.1; Windows 10 is a minefield of new and intriguing forensic elements (not to mention the increased privacy concerns it has brought up, leading to a rise in the number of users who are implementing their own data obfuscation and personal privacy measures). And heaven forbid you end up with a machine so old that modern forensic software has forgotten how to analyze it!
The way Windows 10 runs is of particular interest to forensic examiners, not just because it is being forcibly rolled out to users everywhere, but also because the structure of how things are organised has changed significantly. We will look at this in more detail towards the end of this book, where a full chapter will be devoted to the forensic analysis of machines running Windows 10, but broadly speaking, the difference from a forensic perspective comes from the fact that applications and programs don't just have different names; they work in a slightly different way. End users are increasingly looking for more lightweight, quick to run devices that make their work and personal lives easier, which means that, in turn, technology companies such as Microsoft are turning to collaborations with other entities and making the personal computer less of a single, standalone piece of equipment and more of a portal to data stored elsewhere. It is quite possible to seize a device where the documents are stored on Google Drive; voice and video call communications on Skype; Instagram is an application accessed on the PC rather than - or as well as - on a smartphone; Facebook isn't a website visited via an internet browser but an application in its own right.
Notwithstanding the legal challenges concerning international cloud data storage that we have already discussed, having such a wealth of separate applications to analyze makes cases much more complex. The fact that users can also add or create their own programs makes for an increasingly complex and often labyrinthine investigative methodology.
For this reason, it is becoming more and more necessary to narrow down an investigation as quickly as possible, working out which kinds of applications and services a user may require to perform the activity for which they are being investigated. Again, this is not always easy to do; we can but try!
Triage, international collaboration, and the technical understanding of investigators are all of paramount importance to digital forensic investigations, now more than ever before. In the Windows Forensics Cookbook, we hope to give you a base upon which you can build your own investigative techniques.
- https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0, accessed 07/02/2017
- https://dfrws.org/sites/default/files/session-files/pres-tor_forensics_on_windows_os.pdf, accessed 09/02/2017
- https://articles.forensicfocus.com/2016/05/02/the-investigative-challenges-of-live-streamed-child-abuse/, accessed 09/02/2017