Recent research conducted by Berkeley scientists concluded that up to 93% [1] of all information never leaves the digital domain. This means that the majority of information is being created, modified, and consumed entirely in digital form. Most spreadsheets and databases never make it on paper, and most digital snapshots are never printed. There are many activities such as chats and social networking that are specific to digital and are even unimaginable outside of the virtual realm.
Most such activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases, and prevent crimes. This article discusses the many types of digital evidence produced by a typical computer user, criminal or not, and demonstrates methods and techniques available to extract that evidence out of the original PC and into the hands of a forensic investigator.
Figure 1: Up to 93% of all information never leaves the digital domain.
It is hard to overestimate the importance of digital forensics. With many types of evidence only available in the form of digital files stored on a computer’s hard disk, getting access to this information is essential for today’s investigations.
Instant Messengers have become an important means of communication. Millions of people, regardless of their age, nationality, gender, and computer skills, spend a lot of time using them every day. That’s why more and more evidence can now be found in IM chat histories. To name a few, Live Messenger, ICQ, Yahoo! Messenger, AOL, Trillian, Skype, and Miranda IM are among the most commonly used. In China, QQ Messenger is very popular with almost a billion registered accounts.
Social networks are quickly becoming what “traditional” instant messengers were just a few years ago. More and more communication is migrating from public chat rooms and private messengers into online social networks. Communications extracted from social networks can be extremely valuable to forensic investigators.
Despite the rise of instant chats and social networks, e-mail is still a major carrier of important information, which is especially true for corporate environments. With many online and offline e-mail clients, it is too easy to overlook essential evidence without approaching it properly. Microsoft Outlook, Outlook Express, Windows Mail, Live Mail, Thunderbird, TheBat!, and many other e-mail applications are available on the market.
Peer-to-Peer and File Exchange Software
P2P and file exchange clients such as the popular Torrent exchange software may contain essential evidence, including illegal images or videos and stolen copyrighted material and intellectual property. Information about files being downloaded, shared, and uploaded can be a substantial addition to the collected evidence base.
Multi-Player Online Games
Conversations occur between and during gaming sessions in many popular multi-player games such as World of Warcraft. Why not extend the evidence base by analyzing chat logs extracted from these games? A confession about a murder has already been made in a WoW chat [5].
Still images and video files should be analyzed for their content. Forensic tools can help investigators automate the analysis by detecting things such as pornography, human faces, or scanned images of text documents saved as picture files.
Types of Digital Evidence
In this article, we’ll talk strictly about digital evidence available on a PC or, more precisely, on a computer’s hard drive and live memory dumps. This leaves the entire domain of mobile forensics aside, for a good reason: mobile forensics has its own techniques, approaches, methods, and issues.
Types of digital evidence include all of the following, and more:
- Address books and contact lists
- Audio files and voice recordings
- Backups to various programs, including backups to mobile devices
- Bookmarks and favorites
- Browser history
- Compressed archives (ZIP, RAR, etc.) including encrypted archives
- Configuration and .ini files (may contain account information, last access dates etc.)
- E-mail messages, attachments, and e-mail databases
- Hidden and system files
- Log files
- Organizer items
- Page files, hibernation files, and printer spooler files
- Pictures, images, digital photos
- Virtual machines
- System files
- Temporary files
Retrieving Logs and History Files
Logs and history files contain a great deal of essential evidence. Chat communications are often accompanied by timestamps and nicknames of the other parties, allowing investigators to discover who the respondent was. Determining the exact location and name of these files is an essential first step required to perform further analysis.
Figure 2: A typical set of communication products.
Recent versions of Windows typically keep user-created and application-generated data in AppData, Program Files, and Documents and Settings folders. In Windows Vista and Windows 7, the AppData folder does not have a fixed location on the disk, which further complicates the search. In addition, these systems maintain a virtualized storage for applications launched with lower than administrative permissions (AppData\Local\VirtualStore). These locations are commonly overlooked by investigators. Even the well-known Documents and Settings can bear different names depending on the default locale of a particular version of Windows. For example, it can be named “??? ?????????” or “Dokumente und Einstellungen” instead. Computer users can complicate the analysis even further by moving or renaming common files.
After you’ve found files of interest by analyzing the Windows Registry and applications’ configuration files or by performing a manual/automated search, you want to extract data out of them. To do so, you have to know the exact format of each of the source files. Today, thousands of different formats exist, calling for technical knowledge of format specifics—or simply for a tool to automate the task. Fortunately, many modern applications utilize well-documented formats that are easy to analyze. For example, SQLite databases are used by Skype and ICQ, the popular XML format is utilized by MSN Messenger, mIRC uses simple text files, and so on. SQLite databases can be investigated with a free SQLite Database Viewer program, while XML files can be easily opened with Internet Explorer.
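The two steps described above, locating a history file (including the commonly overlooked VirtualStore mirror) and pulling timestamped messages out of a SQLite history database, as an added example that is not from the original article or from any Belkasoft product. The profile layout, the file name `history.db`, the `messages` table and its rows are all constructed for this example; real IM clients use their own schemas.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Relative path where Windows redirects writes from applications that run
# without administrative rights (assumption: same relative layout under
# VirtualStore as under the real Program Files folder).
VIRTUAL_STORE = os.path.join("AppData", "Local", "VirtualStore")


def find_history_files(profile_root, filename):
    """Walk a whole user profile and return every copy of `filename`,
    matched case-insensitively, so VirtualStore copies are not missed."""
    hits = []
    for dirpath, _dirs, files in os.walk(profile_root):
        for f in files:
            if f.lower() == filename.lower():
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def extract_messages(db_path):
    """Read chat rows from a SQLite history database and render the
    Unix timestamps as UTC so they can be correlated with other logs.
    The `messages(timestamp, author, body)` schema is a constructed
    stand-in, not Skype's or ICQ's real schema."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT timestamp, author, body FROM messages ORDER BY timestamp"
        ).fetchall()
    finally:
        conn.close()
    return [
        (datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
         author, body)
        for ts, author, body in rows
    ]


def build_sample_profile():
    """Construct a throwaway profile whose only history DB lives in the
    VirtualStore mirror (constructed sample data, two messages)."""
    root = tempfile.mkdtemp()
    hist_dir = os.path.join(root, VIRTUAL_STORE, "Program Files", "SampleIM")
    os.makedirs(hist_dir)
    db = os.path.join(hist_dir, "history.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE messages (timestamp INTEGER, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                     [(1325376000, "alice", "hello"), (1325376060, "bob", "hi there")])
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for path in find_history_files(build_sample_profile(), "history.db"):
        print(path)
        for rec in extract_messages(path):
            print(rec)
```

On a real image you would point `find_history_files` at the mounted profile root and swap the query for the client's documented schema.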
However, there are many more formats in existence that are much less forensic-friendly. The cryptic, mind-blowing “mork” format utilized by Firefox, or the proprietary PST format used by Outlook, or even Blowfish-encrypted OLE-containers used by QQ Messenger are just a few examples. This is exactly why forensic investigators prefer using automated forensic tools instead of manual search and extraction.
Computer users have an easy way to make investigations slower and more difficult. The following are just a few techniques used by criminals to slow down discovery:
- Changing the default location of the history files
- Moving or renaming the history file or folder
- Hiding and/or protecting history files with file system attributes and permissions
- Deleting history files
- Formatting the entire hard drive in an attempt to destroy evidence
- Encrypting the entire volume
- Not keeping history by disabling all logging (if supported by an application)
The majority of computer users are not IT security specialists, so most of these obstacles are no more than simple annoyances that can be easily overcome by spending a little effort. Even whole drive encryption, when implemented by an ordinary user, can usually be dealt with.
Part 2 of this article will discuss these techniques in detail, recommending ways to overcome each of the obstacles, whenever possible. Read Part 2 in the upcoming SUMMER issue of the DFI News Digital Magazine.
1. Digital Evidence & Computer Forensics, David Nardoni CISSP, EnCE. http://www-scf.usc.edu/~uscsec/images/DigitalEvidence&ComputerForensicsversion1.2USC.pdf
2. How to clear an unknown BIOS or CMOS password. http://www.computerhope.com/issues/ch000235.htm
3. Understanding hard reset. http://h10010.www1.hp.com/ewfrf/wc/document?lc=en&dlc=en&cc=us&docname=c...
4. Google Searches Used in Murder Trial. http://ask.slashdot.org/story/05/11/12/167241/google-searches-used-in-mu...
5. Solving a Teen Murder by Following a Trail of Digital Evidence. http://www.forbes.com/sites/kashmirhill/2011/11/03/solving-a-teen-murder-by-following-a-trail-of-digital-evidence/
6. Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update). http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
7. TRIM and the Perceived Demise of Digital Forensics. http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPositioningArticle_lo.pdf
8. Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Graeme B. Bell, Richard Boddington. http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
9. SSD firmware destroys digital evidence, researchers find. http://news.techworld.com/security/3263093/ssd-fimware-destroys-digital-...
Yuri Gubanov is the Founder and CEO of Belkasoft. He is a frequent speaker at well-known industry conferences such as EuroForensics, CEIC, China Forensic Conference, FT-Day, ICDDF, and TechnoForensics, and the author of f-interviews.com, a blog in which he interviews key persons in digital forensics and security.