DFI News

Retrieving Digital Evidence Methods, Techniques, and Issues
Wed, 05/30/2012 - 1:40pm
Yuri Gubanov

Most digital activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases, and prevent crimes.

Recent research conducted by Berkeley scientists concluded that up to 93% [1] of all information never leaves the digital domain. This means that the majority of information is being created, modified, and consumed entirely in digital form.

Most such activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases, and prevent crimes. This article discusses the many types of digital evidence produced by a typical computer user, criminal or not, and demonstrates methods and techniques available to extract that evidence out of the original PC and into the hands of a forensic investigator. (Read Part 1 at www.dfinews.com/article/retrieving-digital-evidencemethods-techniques-and-issues-part-1).

The majority of computer users are not IT security specialists, so most of these obstacles are no more than simple annoyances that can be easily overcome by spending a little effort. The following sections will discuss these techniques in detail, recommending ways to overcome each of the obstacles, whenever possible.

Figure 1: Up to 93% of all information never leaves the digital domain.

Obscuring Information and Why It Works
The most obvious way to hide information on a disk is to give a file of interest an obscure name or to save it to an unusual location. This trick is so obvious and provides so little protection that no reasonable security policy would ever let it pass. Why, then, is it still used by criminals, and, most importantly, why does it still work?

The answer is painfully simple: investigators are pressed for time because of the sheer number of mobile phones, laptops, and seized hard drives waiting to be analyzed. They often have from twenty minutes to, at most, a few hours to extract all possible evidence. To make things even more complicated, investigators are bound by strict rules; breaking any one of them may invalidate all extracted evidence.

Retrieving Obscured Files: When the File Location Is Changed
One should not expect to find all user information sitting in the default folder or default location for a given type of file (e.g. Application Data or a similar folder). Searching the entire hard disk is required in order to locate all unencrypted log and history files. This may produce a certain number of false positives (e.g. not every XML file is an MSN history file), so additional checks are often required (e.g. checking for the existence of MessageLog.xsl next to an XML file).

In reality, locating any one of the files is an obvious exercise. As applications such as instant messengers or email clients have to have access to their working files, they store files’ locations somewhere in the Windows registry or in their own configuration files. One must know a lot about each application being analyzed, which includes literally hundreds of messengers, e-mail clients, peer-to-peer applications, and browsers. Under the time-constraints of a busy working environment, an automated solution is the only way to go.

Figure 2: Setting locations to search

Hidden and Inaccessible Files and Folders
Computer users often protect information by assigning file attributes and permissions that prevent unauthorized access. Hidden and system files and folders are commonplace these days; these will be displayed and even highlighted by every forensic analysis tool in existence. Most forensic analysis tools can bypass security attributes and permission control management (but not encryption) set by the file system, such as NTFS access control rights. Special attention should be paid to inaccessible files and folders; otherwise one can miss evidence in folders that have access restrictions.

Destroyed Evidence
Attempts to destroy digital evidence are common. Such attempts can be more or less successful depending on the action taken, time available to destroy evidence, as well as the type of storage device (magnetic hard drive, flash memory card, or SSD drive).

Deleted Files
Important evidence often ends up in the recycle bin. This is especially true for Windows PCs. Thus, deleted files can often be successfully retrieved by analyzing the contents of the Recycle Bin, the temporary storage they are placed in before being erased.

If deleted files do not show up in the Recycle Bin, there is still a good chance to recover them by using one of the many commercial data recovery tools. The principle of deleted file recovery is based on the fact that Windows does not wipe the contents of the file when it’s being deleted. Instead, a file system record storing the exact location of that file on the disk is marked as “deleted.” The disk space previously occupied by the file is then advertised as available, but not overwritten with zeroes or other data (we’ll discuss the issue of SSD drives in a minute).

By analyzing the file system and/or scanning the entire hard drive looking for characteristic signatures of known file types, one can successfully recover not only files that were deleted by the user, but also discover evidence such as temporary copies of Office documents (including old versions and revisions of such documents), temporary files saved by many applications, renamed files, and so on.

Information stored in deleted files can be supplemented with data collected from other sources. For example, Skype stores its chat logs in the history database and keeps internal data that may contain chunks and bits of user conversations in the “chatsync” folder. The format is not officially disclosed, but there are tools available that can analyze such files. Thus, if a chatsync folder exists, there are definite chances to recover Skype chats even if one has failed to recover a deleted Skype database.

Formatted Hard Drives
Information from hard drives that were formatted by the user may be recoverable through data carving or by using a commercial data recovery tool. However, the recovery of formatted hard drives is uncertain and depends on a wide set of parameters.

Full Format. There are two possible ways to format storage media in Windows: full and quick formats. While a quick format simply initializes the disk by creating a new (empty) file system on the partition being formatted, a full format also checks the disk for bad sectors.

Judging by the name, one would assume that a full format is always destructive—which is not the case. Prior to Windows Vista (that is, in Windows 95/98/ME, NT4/2000, and XP) a full format operation did not zero the disk being initialized. Instead, Windows would simply scan the disk surface by reading it sector by sector. Unreliable sectors would be marked as “bad.”

This behavior changed with the release of Windows Vista. In Vista and Windows 7, a full format operation will actually wipe the disk clean, writing zeroes onto the disk and reading the sectors back to ensure reliability.

Quick Format. With the exception of SSD drives, a quick format is never destructive. Information from disks cleared with a quick format can usually be recovered by using one of the data recovery tools that support carving.

The Issue of SSD Drives
The information above applies to traditional (magnetic, spinning discs) hard drives and common flash memory such as USB sticks and memory cards. Solid-state drives (SSD) present an entirely new issue.

Solid-state drives represent a new storage technology. They operate much faster compared to traditional hard drives. SSD drives employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.

The culprit here is the TRIM command. Used to release space advertised as available by the operating system, the TRIM command effectively zeroes information as soon as it’s marked as deleted by the operating system. Write-blocking devices do not prevent the effect of the TRIM command. An experiment conducted by American researchers demonstrated that a TRIM-enabled SSD completely wiped all deleted information in less than three minutes. [7,8,9]

Traditional forensic methods fail when attempting to recover information deleted from SSD drives, or trying to recover anything from an SSD drive formatted with either a quick or full format. However, there are exceptions (and exceptions to exceptions).

Information may still be available if the TRIM command was not issued. This can happen if at least one of the many components involved does not support TRIM. The components include the version of the operating system (Windows Vista and Windows 7 support TRIM, while Windows XP and earlier versions typically don’t); the communication interface (SATA and eSATA support TRIM, while external enclosures connected via USB, LAN, or FireWire don’t); and the file system (Windows supports TRIM on NTFS volumes but not on FAT formatted disks; Linux, on the other hand, supports TRIM on all types of volumes, including those formatted with FAT).

Figure 3: The characteristic signature "l33l" precedes an actual Skype 3 chat message.

Data Carving
Carving means bit-precise, sequential examination of the entire content of the hard drive. Carving allows locating various artifacts that would not be available otherwise. The concept of carving is different from the concept of file recovery, even if such recovery is based on signature-search algorithms. With carving, investigators do not rely on files as they may be partially overwritten, fragmented, and scattered around the disk. Instead, carving looks for particular signatures or patterns that may give a clue that some interesting data can be stored in a particular spot on the disk.

Carving is truly indispensable when looking for destroyed evidence. Traditional hard drives may store bits of deleted data (or even entire files) for a long time after the file has been deleted. Sometimes even formatting the disk several times still leaves information that was originally stored on the disk.

Carving Text Data. Some binary and most text-only formats can be carved. Text information is probably the easiest to recover, as blocks containing text data are filled exclusively with numeric values belonging to a narrow range that represents letters, numbers, and symbols. When carving for text data, investigators have to take various languages and text encodings into account; the Turkish character set differs from Latin, and neither has anything in common with Arabic, Chinese, or Korean text.

There are also multiple ways to represent non-Latin languages. These are called encodings. Different encodings must be taken into account when looking for text in each supported language. By analyzing information read from the disk in the context of a certain language and encoding, one can typically detect text information. In contrast, binary data is pretty much random. It is hence reasonably easy to detect the beginning and end of each text block by counting the number of consecutive characters that do not belong to a given language/encoding combination. Once a set threshold is reached, the assumption is that the algorithm has reached the end of the current text block.
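The stopping rule described above, as an added example that is not part of the original article: a small carver walks a byte buffer, accepts a byte only if it decodes to a printable character under the chosen language/encoding, and closes the current text block once a set number of consecutive bytes fail that test. The sample buffer, the encodings tried (ASCII and cp1251), the threshold and the minimum block length are constructed assumptions.

```python
def is_text_byte(b: int, encoding: str) -> bool:
    """True if the single byte b decodes, under the given single-byte
    encoding, to a printable character or ordinary whitespace."""
    try:
        ch = bytes([b]).decode(encoding)
    except UnicodeDecodeError:  # byte undefined in this encoding
        return False
    return ch.isprintable() or ch in "\r\n\t"


def carve_text_blocks(data: bytes, encoding: str = "cp1252",
                      threshold: int = 4, min_len: int = 16):
    """Walk data byte by byte. A text block ends once `threshold` consecutive
    bytes fail the language/encoding test; shorter binary runs (length fields,
    separators) stay inside the block. Blocks shorter than min_len are dropped
    as noise. Returns a list of (offset, decoded_text)."""
    blocks, start, bad_run = [], None, 0
    for i, b in enumerate(data):
        if is_text_byte(b, encoding):
            if start is None:
                start = i
            bad_run = 0
        elif start is not None:
            bad_run += 1
            if bad_run >= threshold:
                end = i - bad_run + 1          # first byte of the bad run
                if end - start >= min_len:
                    blocks.append((start, data[start:end].decode(encoding, "replace")))
                start, bad_run = None, 0
    if start is not None and len(data) - bad_run - start >= min_len:
        end = len(data) - bad_run
        blocks.append((start, data[start:end].decode(encoding, "replace")))
    return blocks


def build_sample() -> bytes:
    """Constructed disk fragment (assumption, not real evidence): control-byte
    filler, an English note with a two-byte binary gap inside it, more filler,
    a Russian note stored in cp1251, filler."""
    filler = bytes(range(8)) * 4   # bytes 0x00-0x07: not text in any encoding used here
    english = b"Meet me at the pier\x00\x00tonight at nine"
    russian = "Привет, это тестовое сообщение".encode("cp1251")
    return filler + english + filler + russian + filler


if __name__ == "__main__":
    sample = build_sample()
    for enc in ("ascii", "cp1251"):   # ASCII misses the Russian note entirely
        print(enc, carve_text_blocks(sample, enc))
```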

Figure 4: Gmail remnants extracted from a RAM memory dump.

Example of Data Carving. A good example of an application giving excellent results with carving is Skype v.3. Each message stored in its history files is preceded with the four bytes “l33l” (the letter l, the digits 33, and the letter l again). This signature marks the beginning of each message. Note the important difference between a signature specific to a history file as a whole and a signature specific to an individual message. Once a file signature is lost (such as Miranda history files having a single signature “MIRANDA ICQ DB” at the beginning of the file), it will be very hard to realize that a particular bit stream belongs to a certain history file. However, even if a major part of a Skype history file is overwritten, one can still extract the surviving messages, as each and every individual message has a known permanent pattern.

Limitations of Data Carving. Not all data can be carved. Carving is based on characteristic signatures or patterns. For example, JPEG files typically have the “JFIF” signature in the beginning, followed by the file header. PDF files begin with “%PDF,” and ZIP archives start with “PK.” Some other files can be true binary (without a permanent signature in their header, for instance, QQ messenger or ICQ 98 history files). Text-based files can be an issue because of the overwhelming number of plain-text files that may be stored on a PC.
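An added example (not the author's or Belkasoft's code) contrasting the two kinds of signature discussed in the last two paragraphs: the file-level headers named here (JFIF, %PDF, PK, MIRANDA ICQ DB) and Skype v3's per-message “l33l” marker. The disk fragment, the Skype record layout and the partial overwrite are constructed; the page does not disclose the real record format, so the carver only locates candidate messages, and it is the signature-scanning step that the deleted-file discussion above relies on.

```python
# Signatures as the page gives them. Real formats carry more structure.
FILE_SIGNATURES = {
    "jpeg": b"JFIF",            # sits a few bytes into the JPEG header
    "pdf": b"%PDF",
    "zip": b"PK",
    "miranda": b"MIRANDA ICQ DB",
}
SKYPE3_MESSAGE_SIG = b"l33l"

def find_all(data: bytes, sig: bytes) -> list:
    """Every offset at which sig occurs in data."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits

def carve_file_headers(data: bytes) -> dict:
    """File-level carving: one signature per file, so a lost header loses the file."""
    return {name: find_all(data, sig) for name, sig in FILE_SIGNATURES.items()}

def carve_skype3_messages(data: bytes, max_len: int = 4096) -> list:
    """Record-level carving: each surviving 'l33l' yields a candidate message,
    taken up to the next marker (or max_len); the caller must validate it."""
    offsets, spans = find_all(data, SKYPE3_MESSAGE_SIG), []
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else min(len(data), start + max_len)
        spans.append(data[start + len(SKYPE3_MESSAGE_SIG):end])
    return spans

def build_demo_image():
    """Constructed fragment: a Miranda history, a Skype v3 history with five
    messages (assumed layout), a JPEG header, separated by 0xFF filler."""
    filler = b"\xff" * 32
    files = {
        "miranda": b"MIRANDA ICQ DB" + b"\x00" * 16 + b"hello from miranda",
        "skype": b"".join(b"l33l" + b"skype message %d" % i + b"\x00" * 8 for i in range(5)),
        "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20,
    }
    image, offsets = filler, {}
    for name, blob in files.items():
        offsets[name] = len(image)
        image += blob + filler
    return image, offsets

def overwrite_start(image: bytes, offsets: dict, n: int = 24) -> bytes:
    """Simulate the first n bytes of every file being overwritten by new data."""
    buf = bytearray(image)
    for off in offsets.values():
        buf[off:off + n] = b"\x00" * n
    return bytes(buf)
```

After the overwrite the Miranda file and the JPEG header are no longer identifiable, while four of the five Skype messages still carve out.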

When Data Carving is Not Available
There are things computer users can do to make data carving impossible. There are numerous applications that can securely wipe information from hard drives. Such tools use special algorithms that fill the disk space previously occupied by sensitive information with cryptographically strong random data. In “paranoid” mode, sensitive information is overwritten several times to make even clean-room type extraction impossible. If one such application has been used, data carving is impossible. However, it is possible to detect that a tool like that was used on a disk by performing a statistical analysis of the disk data. The white noise contained in the overwritten location is not something that is normally stored on a hard drive, and there are tools that can detect this exact fact. By itself, this can hardly be considered evidence, but the fact can give a warning of unusual activities.
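The statistical check mentioned above, as an added example that is not from the original article: per-block Shannon entropy over a constructed image flags runs of blocks that look like white noise. Block size, threshold, the seeded pseudo-random fill standing in for a wiper's output, and the sample contents are all assumptions.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # analysis granularity (assumption); a multiple of the 512-byte sector


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant block, close to 8.0 for random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def find_random_regions(image: bytes, threshold: float = 7.5) -> list:
    """Return [start_block, end_block) ranges of consecutive blocks whose entropy
    reaches threshold. A wiper's random fill produces such regions, but so do
    compressed and encrypted files: a hit is a lead to examine, not proof."""
    flags = [shannon_entropy(image[i:i + BLOCK]) >= threshold
             for i in range(0, len(image), BLOCK)]
    regions, start = [], None
    for idx, flag in enumerate(flags + [False]):   # sentinel closes a trailing run
        if flag and start is None:
            start = idx
        elif not flag and start is not None:
            regions.append((start, idx))
            start = None
    return regions


def build_demo_image(seed: int = 7) -> bytes:
    """Constructed image: four blocks of notes, three blocks overwritten with
    seeded pseudo-random bytes, two zeroed blocks, one more block of notes."""
    rng = random.Random(seed)
    notes = (b"Meeting notes: review the quarterly figures before Friday. " * 80)[:BLOCK]
    noise = bytes(rng.getrandbits(8) for _ in range(3 * BLOCK))
    zeros = b"\x00" * (2 * BLOCK)
    return notes * 4 + noise + zeros + notes


if __name__ == "__main__":
    img = build_demo_image()
    for i in range(0, len(img), BLOCK):
        print(f"block {i // BLOCK}: {shannon_entropy(img[i:i + BLOCK]):.2f} bits/byte")
    print("random-looking regions:", find_random_regions(img))
```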

Another way of making carving useless is simply not storing evidence on a hard drive. Although inconvenient through the course of normal activities, this is still a common way to hide browsing or communication histories. If this is the case, only Live RAM analysis may help to recover some recent activities.

Most criminals are ordinary people and rather average computer users. More often than not, they believe in security-through-obscurity. They tend to sacrifice security for convenience. They are not normally trained IT security specialists, so they’re more than likely to miss one or more things, opening a way for investigators to break in and collect the required evidence by using methods described in this article. Read Part 3 of this article at www.dfinews.com/article/retrieving-digitalevidence-methods-techniques-and-issues-part-3.

References

  1. Digital Evidence & Computer Forensics. David Nardoni, CISSP, EnCE.
    http://www-scf.usc.edu/~uscsec/images/DigitalEvidence&ComputerForensicsversion1.2USC.pdf
  2. How to clear an unknown BIOS or CMOS password.
    http://www.computerhope.com/issues/ch000235.htm
  3. Understanding hard reset.
    http://h10010.www1.hp.com/ewfrf/wc/document?lc=en&dlc=en&cc=us&docname=c01684768&product=1132551
  4. Google Searches Used in Murder Trial.
    http://ask.slashdot.org/story/05/11/12/167241/google-searchesused-in-murder-trial
  5. Solving a Teen Murder by Following a Trail of Digital Evidence.
    http://www.forbes.com/sites/kashmirhill/2011/11/03/solving-a-teen-murder-by-following-a-trail-of-digital-evidence/
  6. Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update).
    http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
  7. TRIM and the Perceived Demise of Digital Forensics.
    http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPositioningArticle_lo.pdf
  8. Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Graeme B. Bell, Richard Boddington.
    http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
  9. SSD firmware destroys digital evidence, researchers find.
    http://news.techworld.com/security/3263093/ssd-fimware-destroysdigital-evidence-researchers-find/

Yuri Gubanov is the Founder and CEO of Belkasoft. He is a frequent speaker at industry-known conferences such as EuroForensics, CEIC, China Forensic Conference, FT-Day, ICDDF, and TechnoForensics, and an author of f-interviews.com, a blog in which he interviews key persons in digital forensics and security. yug@belkasoft.com
