Week 8 Flashcards
Determining data to collect & analyze involves:
▪ The nature of the case: criminal or civil/corporate
▪ The suspected incident surrounding the analysis to be conducted
▪ The requests of the primary investigator or responder in the case
▪ The legal considerations of what to gather, from whom and why
▪ Consent vs. search warrant/court order
▪ Corporate assets & acceptable use policy
Mobile or computer evidence? Or both?
▪ Appropriate measures to ensure that the data will not be destroyed
▪ Physical signal-blocking devices, anti-static packaging, etc.
▪ Tools to be used for collection of the data – need to be appropriate for the data storage medium
▪ Tools to be used for analysis of the data – computer vs. mobile vs. specialized
Don’t Forget!
Target media should be wiped & validated
Forensic copies of media should be created and validated
▪ Validation is done by hash value comparison/match
▪ Original evidence is then stored in secure storage with documentation
For mobile devices, the item should be isolated from the network immediately upon seizure and documented
Photograph evidence both at time of seizure & at the lab prior to data acquisition
▪ Document all of this in your case file
Acquisition and Analysis Considerations
Inventory the HARDWARE on the suspect computer – written & photographed
Remove the drive from the computer in “deadbox” acquisitions
Record HOW (i.e., by what means) you acquired the data from the drive
Add acquired evidence to the tool – validate again if necessary
Process the data in your tool methodically
▪ List files/folders
▪ Start with the root of the directory & work down
Ensure the data you’re analyzing is covered by your legal authorization
For any password-protected files, be sure to document how you attempted to circumvent these measures
Consider using NSRL hash sets to exclude irrelevant data (National Software Reference Laboratory)
▪ Hash sets available from the National Institute of Standards & Technology (NIST)
▪ Updated frequently: NIST.gov
Maintain control of all evidence & document all findings of interest/relevance
Refining Your Analysis
Not all analysis will focus on the same data
Does your case involve…
▪ Disputed text messages from a phone
▪ Application usage data
▪ Application chat data
▪ Pictures/videos
▪ Geo-location data
▪ Emails
▪ Internet connection location, dates, times, IP addresses, etc.
▪ Questioned electronic documents
▪ Allegations of “hacking” or malware attacks
All of these present different challenges & require different approaches, tools, etc.
Specialized Analysis
Many cases call for targeted or specialized analysis
Specialized analysis can involve the use of third-party tools to analyze the specific category of data
These specific categories often involve…
▪ Mobile device and/or computer application databases
▪ Emails and email databases from computers
▪ Encrypted or password-protected files
▪ EXIF metadata analysis from pictures & videos
▪ Enhanced Windows Registry analysis
▪ Enhanced Mac extended metadata analysis
Analysis Tips and Tricks
Don’t let the circumstances of the case as they are presented to you skew your analysis
▪ A good analyst should be in pursuit of the TRUTH, not out to prove their “side” was right
Learn how to problem-solve. This applies from seizure to acquisition to analysis
Gather resources that will help you as your analysis progresses – online, listservs, colleagues, etc.
Be flexible in your approach. Rigidity can lead to bad/erroneous results
Cover all the bases – your findings, reputation & integrity are on the line
Why do we validate?
No single tool is all-encompassing or will do ALL of the work in most cases (exceptions)
▪ Automated tools make work easier & more efficient, but ultimately the answers lie within the data
▪ Our findings have to meet the Rule 702 (FRCP) standard for expert testimony (even if you don’t think you’ll be testifying) (TEST)
▪ Your scientific, technical or other specialized knowledge will help the trier of fact to understand the evidence or determine a fact at issue
▪ Your testimony is based on sufficient facts or data
▪ Your testimony is the product of reliable principles & methods
▪ You have reliably applied the principles & methods to the facts of the case
Will you be providing an opinion based upon the analysis & findings? (So we need to validate findings to distill facts)
▪ The Daubert case provides guidance in case law
▪ Results need to be defensible & repeatable
▪ This applies to ALL forensic sciences in which there may be expert testimony, conclusions, opinions or other findings
Validation helps us…
▪ Provide a foundation for our findings and opinions
▪ Ensure that those findings are correct
▪ Provide a road map for any other expert who may seek to duplicate our findings, even if they use alternative methods (i.e., tools)
▪ Add credibility to opinions offered based upon those findings
Process of Validation
Use of another tool to come to the same conclusion(s)
▪ Manual analysis (complex)
▪ Export and analyze files outside of the forensic environment (e.g., export a mailbox out of the forensic environment and examine it in its native environment)
▪ Use of hexadecimal editors to validate using file headers & signatures
▪ Comparing hash values of known files from other sources to files that we have recovered or found during analysis
Look over the lab exercise related to this (ours was kind of backwards, but the point still stands)
Encoded data
Data that is displayed in a particular pattern or scheme that is generally obfuscated from normal language
Why is encoding data important?
Encoding data is used by every electronic device in use in the modern era
Encoding data allows different operating systems, applications & programs to interpret certain data in the particular way that the system, application or program is designed for
Not a “programming language” per se, but another way to display data, which requires knowledge, skills and tools to decode to human-readable form
Common Encoding Schemes
When hexadecimal is put together in strings, it can be displayed in numerous ways…
▪ Base-32
▪ Base-32 reverse nibble
▪ Base-64
▪ Base-64 reverse or encoded
Many applications store data this way
Not all forensic tools are programmed to decode this data automatically because it can be application-specific
Recognizing these encodings takes time, experience and knowledge… and a little bit of math skill
Common Encoding Schemas (2)
Unicode
▪ Used because ASCII is:
▪ Based on American/English characters
▪ Does not allow for enough specialized characters
▪ Unicode defined: An international encoding standard for use with different languages and scripts, by which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs
▪ A programming language that is universal across all operating systems, data storage mediums, countries, etc.
▪ Unicode.org has exhaustive information
Time Encoding
Time encoding & timestamps
▪ Used in computing applications across the spectrum
▪ Various formats including…
▪ Epoch time and…
▪ Unix time (seconds, microseconds & milliseconds)
▪ Windows file time
▪ Apple/Mac OS time
▪ GPS time
▪ Chromium time
▪ Other case-specific examples
▪ I.e., Ring doorbell and TikTok time
▪ Some of these may require decoding in multiple steps
Common Time Encoding Schemes
Epoch time – number of seconds that have elapsed since January 1, 1970
▪ Unix time is the same, but can incorporate milliseconds or microseconds
▪ Windows time: number of 100-nanosecond intervals that have elapsed since 12:00 AM Jan. 1, 1601 (A.D.)
▪ Apple (or Cocoa) time: number of nanoseconds since January 1, 2001
▪ GPS time: number of weeks since January 6, 1980
▪ Chromium time – a 64-bit value since January 1, 1601
▪ Ring/TikTok time stamp: involves taking the 8 most significant bytes of the integer value, converting them to decimal, then translating to Epoch time
What is one tool for decoding/encoding time? Is it free or paid?
D-code.