EnCase also offers the option of collecting the hard drive without previewing first. This lets the examiner begin a collection without having to read the file system first. To begin collecting without previewing first, right-click the Read File System box and invert the selection, as shown in the following dialog.
8. Make your selection and click Next.
9. After the preview is complete, highlight the physical or logical volume within EnCase that you plan to acquire. If you selected only the logical drive in the preceding step, the only option available is to acquire the logical volume.
10. Click the Acquire button, and the After Acquisition dialog box, shown here, will appear. If you simply want to acquire the drive, select the Do Not Add radio button and click Next.
11. In the Options window, enter all the relevant evidence and case information.
As you develop your organization’s forensic procedures, keep in mind that many organizations stick to a common format for their naming of evidence files, one that ties in with their overall case management methodology.
12. Select the destination for the collected evidence. The size of the destination location should be at least equal to or greater than the size of the collected hard drive.
13. Select the appropriate compression radio button. The compression method you select will affect the speed of the acquisition and size of collected evidence. The fastest method for acquiring data is no compression because it does not require the processing overhead of compressing the data. The best method is the slowest because of the processing that needs to take place on the remote node to compress the data before transporting it back to the examiner’s workstation.
14. Click the Finish button and the acquisition process will begin.
The amount of time it takes to collect data from the remote machine is tied to a number of variables such as overall available network bandwidth, amount of allocated and unallocated data on the drive, and available host resources.
Remote Collection with ProDiscover
To perform a remote collection with ProDiscover, follow these steps:
1. Launch ProDiscover and create a new case.
2. Choose Connect To from the toolbar.
3. In the pop-up window that appears, enter the hostname or IP address of the target machine and then click Connect, as shown in Figure 5-4. You will then have access to the remote file system.
4. Choose Capture Image from the toolbar and the Capture Image dialog box will appear, as shown here:
5. Specify which device you want to acquire from the Select Drive drop-down list.
6. Enter the appropriate evidence and case information.
7. Select a destination for the evidence.
8. Start the acquisition process by clicking OK.
Remote Collection with Paraben Enterprise
To perform a remote collection with Paraben Enterprise, follow these steps:
1. Launch the P2EE Captain module.
Figure 5-4 Connecting to a remote system
2. Select the agent name and choose the system you deployed earlier in the chapter.
3. Expand the agent tree in the left menu.
4. Click Storage.
5. Right-click the drive name and choose Acquire.
6. Choose the agent from which you will acquire data.
7. Select the physical drive if you want to create a forensic image.
8. Choose where you want to save the image and click OK.
Carrying Out a Successful Covert Collection
Covert, or secret, collections occur without the knowledge of the target or others—their existence is deliberately kept hidden. Covert acquisitions are possible but not in all cases, especially during business hours. Unlike remote analyses, remote collections potentially cause sustained hard drive activity and degrade performance on the remote machine. With that in mind, use these techniques to ensure the success of a covert collection:
• Perform remote collections in the evening when users are not working at their machines.
• Make sure company policy and culture require users to leave their machines turned on at all times as part of standard maintenance procedures.
• Collect at times when the suspect expects a lot of hard drive activity, such as during regular antivirus scans or recent security vulnerability announcements.
• Acquire only the media you need to support the investigation.
• Avoid acquiring laptops, if possible; their hard drives are slower and increased disk activity is apparent.
• Time your collection so it takes place when the suspect is going to be away from his or her desk for an extended period of time. Schedule an offsite meeting during the day and require that laptops remain in the office.
• Whenever possible, acquire the machine using a high-speed network connection; it will take much less time to acquire than it will on a slow WAN link.
If the machine is shut down during the acquisition process, you must start the acquisition over. In some cases, this may add many hours to the collection process, but probably not nearly as many as going on-site with the needed equipment would.
Challenging the Authenticity of Network-collected Evidence
The process of collecting evidence across the network is, in essence, similar to the process of acquiring the evidence while physically connected to the media. However, a number of differences can cause problems, depending on the audience and the approach you take to collect the evidence. Collecting evidence across the network is still a fairly new concept with regard to traditional forensic collection techniques. Although remote collection is not a widespread technique, it is growing in popularity as more and more organizations adopt technologies with remote collection capabilities.
Beyond the relative newness of the approach, a few other challenges are present. Successfully using remote collection tools requires that you understand multiple operating systems and network environments. Two of the biggest challenges arising from network collections are being unable to authenticate the original acquisition data and legacy forensic policy and procedures.
Countermeasure: Protecting Against Attacks to Network-collected Evidence
Although collecting evidence across the network poses a number of challenges, in a number of cases, evidence collected across the network has been used successfully for litigation purposes both in the corporate and law enforcement arenas. In addition, a number of methods can be used to overcome the challenges:
• Ensure that all investigators are highly trained and understand exactly what is going on during the collection process.
• Work from a defined, repeatable procedure. In many cases, cross-examiners will go after the investigator’s process, not necessarily the technology used.
• When you’ve completed collecting the media from across the network, have a trusted person on the remote end preserve the machine so it can be added into the formal evidence-collection process.
• Do your best to tie the collected evidence to the correct machine.
The Data Is Changing
To perform a remote network collection, the machine must be powered on and running. With the machine running, the data on the hard drive is, for the most part, changing constantly as the user or applications function normally.
Applications such as EnCase Forensic Edition allow an investigator to acquire a machine via a crossover cable, which could be considered a network collection. To carry out this type of collection, the investigator must be in close proximity and have physical access to the target machine. In the context of this chapter, we refer only to remote network collections.
When you begin a network collection, the tool typically starts collecting at the first sector of the media and keeps going until the last sector, unless otherwise specified. When the acquisition is complete, the examiner or the tool will generate an MD5 hash of the acquired data to authenticate it. In many cases, that MD5 hash is used so another examiner can compare the acquisition of the original media to your acquired version of the media. In the case of a network collection, you can’t collect the media from a running system and expect to get the same MD5 hash as the original, since the hard drive data will have changed due to normal operations by the time it is collected a second time. Forensically sound evidence collection is discussed in Chapter 4.
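The following Python example is added here to make the authentication point concrete; it is not code from the book or from EnCase. It images a constructed in-memory "disk" sector by sector, records the MD5 of the acquired data (MD5 because that is the hash the chapter describes), and then shows that the preserved image still authenticates against that recorded hash while a second pass over the still-running disk does not. The simulated "live activity" is a single rewritten sector and is an assumption of the example.

```python
import hashlib
import io

SECTOR_SIZE = 512


def acquire_image(device: io.BufferedIOBase) -> tuple[bytes, str]:
    """Read the device from the first sector to the last and return the
    acquired image together with the MD5 of exactly what was read."""
    digest = hashlib.md5()
    image = bytearray()
    device.seek(0)
    while True:
        sector = device.read(SECTOR_SIZE)
        if not sector:
            break
        digest.update(sector)
        image.extend(sector)
    return bytes(image), digest.hexdigest()


def verify_image(image: bytes, recorded_md5: str) -> bool:
    """Authenticate a preserved image against the hash recorded at acquisition time."""
    return hashlib.md5(image).hexdigest() == recorded_md5


def simulate_live_activity(device: io.BytesIO, sector_index: int) -> None:
    """Constructed stand-in for normal operations on the running host:
    one sector (think of a log page or registry hive page) is rewritten."""
    device.seek(sector_index * SECTOR_SIZE)
    device.write(b"\xAA" * SECTOR_SIZE)


def demo() -> dict:
    # Constructed 64-sector "hard drive" filled with a recognisable byte pattern.
    disk = io.BytesIO(bytes(range(256)) * (64 * SECTOR_SIZE // 256))
    image, md5_at_acquisition = acquire_image(disk)
    # The preserved image authenticates against the hash taken at acquisition...
    image_verifies = verify_image(image, md5_at_acquisition)
    # ...but the live system keeps writing, so re-acquiring the media differs.
    simulate_live_activity(disk, sector_index=17)
    _, md5_second_pass = acquire_image(disk)
    return {
        "image_verifies": image_verifies,
        "second_pass_matches": md5_second_pass == md5_at_acquisition,
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is that the comparison another examiner performs must be against the preserved evidence file and its recorded hash, not against a fresh acquisition of the live media.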
Policies and Procedures
The second issue arising from network collections is dealing with existing policy and procedures. Depending on the maturity of the organization, it might take some time to adopt new policies around acquiring media via a network collection mechanism versus the traditional method of physically connecting to the media to acquire it and taking the original media with you.
Remote network collections are growing in acceptance; however, it’s a good idea to keep your legal group involved so they can support you in the event a matter does arise and the evidence is needed for litigation purposes.
ENCRYPTED VOLUMES OR DRIVES
A challenge faced by many forensic examiners is dealing with encrypted data. In some cases, subjects will use encryption technology for legitimate or illegitimate purposes. Regardless, investigating encrypted data is typically difficult and sometimes impossible.
With network-enabled analysis and collection tools such as EnCase Enterprise, it’s now possible to overcome some of the challenges presented by encrypted volumes. Many encryption technologies make it easy to store and retrieve data from encrypted volumes of various sizes by mounting them as logical volumes on the host machine. For example, as shown in Figure 5-5, a mounted Stealth volume disk shows up as a logical drive on the host OS (we named the volume for demonstration purposes).
ProDiscover cannot work with mounted encrypted volumes.
When the encrypted volume is unmounted, you can no longer select it for investigation or collection. See Figure 5-6.
Figure 5-5 Selecting the mounted encrypted volume
Figure 5-6 Same machine with unmounted encrypted volume
By investigating the volume that hosts the encrypted volume, you can most likely find the encrypted file by its extension. In Figure 5-7, you can see the file called HEF Volume.sdv. When we examine the specific file within EnCase, we see all the data is encrypted.
If the subject has his or her encrypted drive mounted, it’s a fairly trivial task to analyze and acquire a remote machine’s mounted encrypted volumes. Follow the same process described previously in the sections on investigating and collecting remote systems. You’ll increase the odds of catching a suspect with his or her encrypted drives mounted by doing the following:
• Checking the last access times on the encrypted volume; this gives you an idea of when the suspect last used the volume.
• Understanding the characteristics of the encryption program. Find out if it mounts the volumes on startup and if an auto unmount feature is available.
During an investigation, look for encrypted files on the hard drive. If one is the same size as a mounted logical volume on the remote machine, that is a good indication that the mounted volume is the encrypted one.
Figure 5-7 Encrypted file as seen within EnCase
USB THUMB DRIVES
Another challenge faced by many forensic examiners is dealing with external media such as USB thumb drives and FireWire IDE drives. These technologies are a great convenience but also a gigantic risk for corporations if not managed properly. Back in the day, it was pretty tough to smuggle lots of data out on floppy disks or on paper without drawing attention. In addition, you couldn’t burn a CD on most corporate computers, so walking data out on CD was not common. Now that external storage is readily available and easy to use, corporations find their intellectual property being removed from the office on a regular basis through thumb drives.
In the past, if you suspected an employee of stealing intellectual property or keeping inappropriate material on a thumb drive, it was quite difficult to view the contents of the USB device. And it was almost impossible to do it in a way that didn’t modify any of the time data stamps on the external media. With remote analysis and collection tools, you can now analyze and collect these external storage devices covertly.
A good way to find out whether a person has been using a USB device is to check the registry. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR to learn what types of devices have been plugged into the system.
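As an added example (not from the book), here is a Python parser for a `reg export` of that USBSTOR key. It turns each instance subkey, whose name has the form `<class>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>`, into a device record and picks up the FriendlyName value beneath it. The sample export text is constructed for the example, and it assumes the export has already been decoded to text (reg.exe writes UTF-16LE).

```python
import re
from dataclasses import dataclass

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Instance subkey: <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
INSTANCE_RE = re.compile(
    r"^\[" + re.escape(USBSTOR_KEY)
    + r"\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^\\\]]*)"
    + r"\\(?P<inst>[^\\\]]+)\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


@dataclass
class UsbStorageDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str
    friendly_name: str = ""

    @property
    def has_hardware_serial(self) -> bool:
        # An '&' as the second character marks an ID Windows generated because the
        # device reported no serial number; otherwise the ID carries the device serial.
        return len(self.instance_id) > 1 and self.instance_id[1] != "&"

    @property
    def serial(self) -> str:
        return self.instance_id.rsplit("&", 1)[0] if self.has_hardware_serial else ""


def parse_usbstor_export(reg_text: str) -> list[UsbStorageDevice]:
    """Walk the decoded .reg export line by line; each instance subkey is one device."""
    devices: list[UsbStorageDevice] = []
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = INSTANCE_RE.match(line)
        if m:
            current = UsbStorageDevice(m["ven"], m["prod"], m["rev"], m["inst"])
            devices.append(current)
        elif line.startswith("["):
            current = None  # root key, class key, or a deeper key such as Device Parameters
        else:
            v = VALUE_RE.match(line)
            if v and current is not None and v["name"] == "FriendlyName":
                current.friendly_name = v["value"]
    return devices


# Constructed sample export in the layout reg.exe writes (values abbreviated).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""
```

Devices without a hardware serial cannot be told apart across machines by this key alone, so treat `has_hardware_serial` as part of the evidence when tying a thumb drive to a host.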
Figure 5-8 shows a machine with a USB storage device plugged in and initialized properly. These devices show up just like any other volume on the remote machine. At this point, you can connect to the volume and carry out a forensic investigation or remote collection without the suspect knowing.
Some USB thumb drives have a safety feature that hides part of the drive’s available storage. When conducting an investigation that includes a USB thumb drive, you should keep in mind that it could be a secure USB device and you may not be seeing all the data. Identify the manufacturer of the device and then determine whether it is indeed a secure USB device.
Figure 5-8 Selecting a physical or logical volume of a USB thumb drive within EnCase Enterprise
PART III
FORENSIC INVESTIGATION TECHNIQUES
CASE STUDY: ANALYZING THE DATA
ACME Services was greatly concerned. Before the investigation began, they had no way of knowing how long Charlie Blink had been compromising banking accounts and how he was getting the information. They did know at this point that Charlie was using key logging software. However, they didn’t know the scope of his crimes.
Digging for Clues
Digging under the covers of the hard disk images, the real fun began. It wasn’t long before the examination revealed the specific tools Charlie used. The analysis also exposed the Web sites he was visiting, including information on defeating the security settings on the computers he was using in manufacturer forums. We discovered that Charlie was working with a small gang to install a stealth key logging program on the company’s computers, and he had manually visited the computers looking for bank account information. Later, Charlie’s methodology and behavior became an indicator used to search other images quickly for subsequent activity, including the use of web-based e-mail to deliver the logged keystrokes to himself. Charlie had written programs that allowed him to sift through the keylogger’s data quickly, finding only entries for which people were logging into banks. With his routine close to being automated, he enlisted the help of some friends to harvest his crop. The date and time stamps recovered from the keystroke logs helped investigators tie the video surveillance cameras to the user at the computer, providing further evidence that the person leading this ring was in fact Charlie. Moreover, he had been capturing account information for more than two years in downtown New York City.
We’re Not Done. Yet.
After Charlie was arrested, the judge released him on bail, and, as a dog returns to its vomit, so a fool repeats his folly. The story wasn’t over. Our team wrote countermeasures to traverse the network and search for new instances of the key logging program. The software resurfaced on ACME Services’ computers shortly after Mr. Blink was released on bail. Subsequent coordination with the video surveillance cameras clearly showed Charlie was at it again. Using a downloaded cracking tool, L0phtCrack, on one computer, Charlie discovered the new administrator password and installed the key logging software with administrative rights on several others. When we put a stop to the key logging software, he shifted to hardware keyloggers. These physically hide in the back of the computer, sitting between the keyboard connection and the PS-2 connector. Software could not discover these, but our continued investigation into the browsing habits and recovery of deleted files tipped us off as to what Charlie was trying to learn and how to get ahead of him by installing preventive measures he had not researched.
Finally
After careful examination and thorough researching, we had enough evidence for the US Attorney’s Office to approach the judge and place Charlie Blink behind bars.
CHAPTER 6
MICROSOFT WINDOWS SYSTEMS ANALYSIS
The Microsoft Windows operating system contains an ample amount of opportunities for forensic recovery of deleted documents, user activities, and system artifacts. This chapter focuses on common tasks the forensic examiner will perform in an investigation of a Windows system, and specifically the file systems to which it writes our evidence. For each task, we will discuss the data you can expect to recover and the tools you can use to recover it. Each task is meant to stand on its own, so you can refer to this book as a reference when you are performing your investigation.
This chapter does not offer an exclusive list of all possible forensic techniques for Windows operating and file systems, so this should not be your only source for forensic techniques.
WINDOWS FILE SYSTEMS
The Windows operating system has had two generations of file systems available to its users. The first file system, FAT (File Allocation Table), was used in earlier versions of the Windows/MS-DOS system and grew from a 12-bit file system called FAT12 to a 32-bit file system called FAT32. The second file system, NTFS, was introduced with Windows NT. Table 6-1 shows the Windows versions and the default file system present in each.