Most such activities leave definite traces, allowing investigators to obtain essential evidence, solve criminal cases, and prevent crimes. Part 1 of this article discussed the many types of digital evidence produced by a typical computer user, criminal or not. This article continues the discussion, begun in Part 2, of the methods and techniques available for extracting that evidence from the original PC and into the hands of a forensic investigator.
Disk encryption tools such as BitLocker, PGP, and TrueCrypt set the industry standard for whole-disk encryption. Any of these tools can provide strong, reliable protection with a sound implementation of strong cryptography. Normally, an investigator will need to know the original plain-text password protecting the encrypted volume. With many users selecting long, complex passwords, brute-forcing access to one of these volumes is a dead proposition. However, the very fact that a long, complex password is used presents a way to break into these crypto containers. It’s human nature to keep things easy. Typing a long, complicated passphrase every time the user needs a file stored on an encrypted volume is not easy. Most users will opt for typing the password just once after the PC loads. The encrypted container then remains “open” and readily accessible for the entire session. Quite obviously, what’s kept open can be unlocked with an appropriate tool. These tools work by extracting the actual encryption keys (as opposed to user-selected passphrases) from the computer’s memory (live RAM analysis), the Windows page file, or the hibernation file. A FireWire attack on a running PC can be performed in order to obtain a live RAM image.
Disabled Local and Remote Logging
While most applications create local history files, some applications (e.g. the latest versions of Yahoo Messenger) use cloud storage to keep their log files. Disabling all logging can be an effective technique employed by criminals to prevent forensic access to digital evidence. When logging is disabled, log files and history files are not written to the hard disk or stored in the cloud. However, certain logs are still kept in the computer’s memory. Therefore, live RAM analysis can reveal some or all recent evidence. If the computer is on, a snapshot of its operating memory (RAM) can be taken for live RAM analysis. If the computer is off, investigators can still analyze the swap (paging) and hibernation files.
Live RAM Analysis
Additional digital evidence can be extracted by analyzing the content of a computer’s RAM, the PC’s volatile operating memory. Generally speaking, the PC should be powered on in order to perform live RAM analysis. This is exactly the reason investigators are instructed to leave suspects’ computers on if they are running, and leave them off if they’re shut down. There are multiple forensic tools available that can save a snapshot of a computer’s memory into a file. That snapshot can then be investigated on another PC with various forensic tools.
If a suspect’s PC is locked, investigators should not attempt to reboot it. Windows PCs with a FireWire port, used or not, are susceptible to a FireWire attack unless the FireWire drivers have been deliberately disabled by the user. Even if a FireWire port is not available, a hot-pluggable FireWire adapter may be used. The FireWire attack method is based on a known security issue that affects FireWire / i.LINK / IEEE 1394 links [6]. An investigator can take direct control of the computer’s operating memory (RAM) by connecting to the PC with a FireWire cable and launching a small application on the investigator’s PC. After that, capturing a complete memory snapshot takes only a few minutes. The attack exploits the fact that FireWire devices are granted direct memory access (DMA). Because this is DMA, the technique works regardless of whether the target PC is locked. Explicitly disabling the FireWire drivers in Windows Device Manager is the only way to protect the PC against this attack, and the exposure lasts for as long as the system is running.
If nothing else helps and one is preparing to shut down the PC anyway, rebooting the PC, entering BIOS Setup, and configuring the PC to boot from external media (a USB flash drive or CD/DVD) will leave most of the memory untouched. Having booted from the external media, the investigator can use a RAM dumping tool. This approach will fail if BIOS Setup is password-protected, does not allow booting from external media, and the password is not known. Note that it is essential to perform a so-called “soft” reset by using the “Restart computer” button that may be available on the Windows logon screen (unless blocked by the user). A hard reset with the computer’s “reset” switch will clear the content of that computer’s RAM, making it useless for live RAM analysis [3].
Performing Live RAM Analysis
Data carving is the technique used to perform live RAM analysis. Carving can extract recent messenger conversations, text messages sent and received, and any other temporary information used by applications such as Facebook, Gmail, and World of Warcraft. Of course, as we’re speaking of volatile memory, only the most recent information will be accessible. The information obtained this way may be damaged or partially overwritten, but this is still better than nothing.
Figure 6: Gmail remnants extracted from a RAM memory dump. The messages are already corrupted, and not all fields are available. For example, the first message is missing Message and Recipient fields.
Disabling Live RAM Analysis
Disabling live RAM analysis is possible to a certain degree, but very hard to achieve in practice. Computer users can disable booting from external devices in their BIOS setup; select a strong BIOS password to prevent the boot sequence from being changed back (although it can be reset by investigators quite easily [2]); disable hibernation and virtual memory; block FireWire ports in order to prevent a FireWire attack; lock the computer or switch it off; or set up their system to lock automatically after a certain period of inactivity. While these measures can make live RAM analysis difficult or impossible, they lead to significantly reduced performance and are unlikely to be applied all together as a package.
Page File and Hibernation File Analysis
There is one important exception in which live memory content may survive shutting down the PC. Windows maintains two types of files that hold snapshots of the computer’s memory: the page file and the hibernation file. These two files may contain live memory artifacts written to disk as part of the operating system’s normal operation. The hibernation file is most commonly used on laptops to allow for seamless on/off without losing any open applications. Page files (there can be more than one) are used on most computers, holding pages swapped out of memory so that more RAM is available to other applications.
These two files can be analyzed using the same carving approach. Windows hibernation files (hiberfil.sys) must be decompressed beforehand, as Windows compresses them to reduce file size and improve startup time by reading less from the (slow) disk.
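As an added example of the carving approach described for RAM snapshots, page files and (decompressed) hibernation files (written for this article; not code from the original text or from any forensic product), the scanner below pulls e-mail addresses and URLs out of a raw dump. It scans both plain ASCII runs and UTF-16LE runs, because Windows applications keep most of their in-memory text as UTF-16 and a plain `strings`-style pass misses it, and it reports the byte offset of every sighting. The dump is a constructed byte string that includes a partially overwritten address, the kind of damaged remnant Figure 6 shows.

```python
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # Windows-internal strings
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}

def carve_strings(image):
    # Yield (byte offset, encoding, bytes per char, text) for every printable
    # run in the image, in both ASCII and UTF-16LE.
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", 1, m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", 2, m.group().decode("utf-16le")

def carve_artifacts(image):
    # Map artifact kind -> value -> list of (byte offset, encoding) sightings,
    # so the analyst can see where each remnant came from and how many
    # copies survived. Fragments that no longer parse (overwritten tails,
    # missing domains) simply do not match and are left out.
    found = {kind: {} for kind in PATTERNS}
    for off, enc, width, text in carve_strings(image):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                where = (off + width * m.start(), enc)
                found[kind].setdefault(m.group(), []).append(where)
    return found

def demo_image():
    # Constructed stand-in for a RAM, page file or decompressed hiberfil.sys
    # dump: non-printable filler around an ASCII request line, a UTF-16LE
    # address, and an address whose tail was overwritten with zeros.
    filler = b"\x00\x01\x02\xfe\xff" * 200
    return (filler + b"GET https://mail.example.com/mail/u/0/?ui=2#inbox HTTP/1.1"
            + filler + "alice.suspect@example.org".encode("utf-16le")
            + filler + b"bob@exam\x00\x00\x00\x00ple.net" + filler)

if __name__ == "__main__":
    for kind, values in carve_artifacts(demo_image()).items():
        for value, sightings in values.items():
            print(kind, value, sightings)
```

To run it over a real image, replace `demo_image()` with the file contents (for large dumps, an `mmap` of the file works with the same regexes).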
Note that the page file and hibernation file get changed or deleted during the system boot sequence. This is one of the reasons investigators are instructed to leave suspects’ computers on if they’re running, and leave them off if they’re not [1].
Real-Time Analysis and Other Considerations
Sometimes, post-factum analysis is not enough. In many cases, IT security and intelligence specialists watch suspected criminals by intercepting their network traffic or logging keypresses and general PC activities with one of the many commercially available keyloggers. These techniques are worth mentioning although, generally speaking, computer surveillance is beyond the scope of this article.
Worst Case Scenario
Finally, what if the users do everything right to protect their information? If they store everything on an encrypted volume that’s configured to dismount when the PC is locked; configure Windows to automatically lock after a period of inactivity; block FireWire drivers to prevent FireWire attacks; set a BIOS password and lock the boot sequence; disable logs and history files where possible, or wipe them securely if not; disable paging and hibernation files … if they do all that in combination, investigators won’t be able to extract much, if anything, out of that PC. Investigators can still examine victims’ computers, analyze Internet provider logs, and collect evidence from the suspect’s mobile phones and tablets. However, most criminals are ordinary people and rather average computer users. More often than not, they believe in security through obscurity. They tend to sacrifice security for convenience. They are not normally trained IT security specialists, so they’re more than likely to miss one or more things, opening a way for investigators to break in and collect the required evidence by using the methods described in this article.
1. Digital Evidence & Computer Forensics, David Nardoni CISSP, EnCE. http://www-scf.usc.edu/~uscsec/images/DigitalEvidence&ComputerForensicsversion1.2USC.pdf
2. How to clear an unknown BIOS or CMOS password. http://www.computerhope.com/issues/ch000235.htm
3. Understanding hard reset. http://h10010.www1.hp.com/ewfrf/wc/document?lc=en&dlc=en&cc=us&docname=c...
4. Google Searches Used in Murder Trial. http://ask.slashdot.org/story/05/11/12/167241/google-searches-used-in-mu...
5. Solving a Teen Murder by Following a Trail of Digital Evidence. http://www.forbes.com/sites/kashmirhill/2011/11/03/solving-a-teen-murder-by-following-a-trail-of-digital-evidence/
6. Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update). http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
7. TRIM and the Perceived Demise of Digital Forensics. http://www.crowehorwath.com/folio-pdf/BIS12901_ExpertPositioningArticle_lo.pdf
8. Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Graeme B. Bell, Richard Boddington. http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
9. SSD firmware destroys digital evidence, researchers find. http://news.techworld.com/security/3263093/ssd-fimware-destroys-digital-...
Yuri Gubanov is the Founder and CEO of Belkasoft. He is a frequent speaker at industry-known conferences such as EuroForensics, CEIC, China Forensic Conference, FT-Day, ICDDF, and TechnoForensics, and an author of f-interviews.com, a blog in which he interviews key persons in digital forensics and security. email@example.com