DOTE

Chain And Rate

Monday, May 9, 2016

Extracting Information from Data

How do you figure out what portion of what you have captured is useful to your investigation? What happens if you can’t find what you are looking for? These are some of the questions that run through the mind of every forensic investigator. After the data is imaged, the forensic examiner can search and index all contents of the drive without changing or modifying the data, thereby preserving the evidence. But what if the evidence is missing? Criminals or intruders can use programs to delete email, pictures, and documents. Trained forensic investigators must have tools available that will help them recover this information and help them prepare the evidence for presentation.

You’ll look at the process of divining the information you need from the data you have captured. You’ll study the process of analyzing and organizing the information you have gathered. You’ll learn when to grab the low-hanging fruit and when to dig deeper for data that may or may not exist. You’ll study the various types of hidden and trace evidence. Finally, you’ll move on to preparing and presenting evidence.

What Are You Looking For?

For a long time he remained there, turning over the leaves and dried sticks, gathering what seemed to me to be dust into an envelope and examining with his lens not only the ground, but even the bark of the tree as far as he could reach.
Dr. Watson on Sherlock Holmes

Finding what you are looking for in a computer forensics investigation can be likened to the preceding quote. There are so many places to look because operating systems vary, application programs vary, and storage methods differ. Computer evidence is almost never isolated. It is a result of the stored data, the application used to create the data, and the computer system that produced the activity. Systems can be huge and complex, and they can change rapidly. Data can be hidden in several locations. After you find it, you may have to process it to make it humanly readable.

Begin the discovery process by installing the disk in your analysis system and booting the system from a boot disk. Be careful not to damage the disk when you connect it to the interfaces. Next, identify the partitions on the drive using a partition utility. Exercise caution when you use the utility; you don’t want to risk modifying the partition table or disk label. In fdisk, select the Display Partition Information option to view the name/number, volume label, size, and filesystem associated with every partition on the hard disk. When you are ready to start examining the imaged data, you’ll have many places to explore.
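As an added example (not part of the original post, and not code from fdisk or any tool named here), the following Python script decodes the MBR partition table from sector 0 of an image read-only, recovering the same number, type, start and size information that fdisk displays without ever touching the table itself. The sample sector is constructed inline; the type-code table covers common values only, and a GPT disk shows up as a single 0xEE protective entry.

```python
import struct

# Well-known MBR partition type codes (not an exhaustive table).
PART_TYPES = {0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}
SECTOR = 512

def parse_mbr(sector0):
    """Decode the four primary entries of the MBR partition table from the first 512 bytes of an image."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature (0x55AA) in sector 0")
    parts = []
    for i in range(4):
        entry = sector0[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({"number": i + 1, "bootable": status == 0x80,
                      "type": PART_TYPES.get(ptype, "0x%02X" % ptype),
                      "start_lba": lba_start, "end_lba": lba_start + sectors - 1,
                      "sectors": sectors, "size_mib": sectors * SECTOR // 2**20})
    return parts

def read_mbr(image_path):
    """Open the image read-only and hand sector 0 to parse_mbr; nothing is ever written."""
    with open(image_path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR))

def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry (CHS fields zeroed; the LBA fields are what matters)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)

# Constructed sector 0 standing in for an imaged drive: a bootable 100 MiB NTFS system partition,
# a 1 GiB NTFS data partition, two empty slots, then the 0x55AA signature.
SAMPLE_MBR = (bytes(0x1BE)
              + make_entry(0x80, 0x07, 2048, 204800)
              + make_entry(0x00, 0x07, 206848, 2097152)
              + make_entry(0, 0, 0, 0) * 2
              + b"\x55\xAA")

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print("#%d %-14s start=%-8d end=%-8d %6d MiB %s" % (p["number"], p["type"], p["start_lba"],
              p["end_lba"], p["size_mib"], "(bootable)" if p["bootable"] else ""))
```

On a real case call read_mbr() against the image file rather than the live disk, so the partition table is only ever read.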

Internet Files
To determine what it is you are looking for, you must first determine the type of intrusion or potential crime and the appropriate response. Let’s start with a case that would involve the Internet and pictures. For example, an employee is suspected of illegally accessing and downloading pictures of proprietary designs from a competitor’s internal website and using these designs in his own work. Due to the nature of the business, this is a serious offense and you have been called to investigate. After your imaged drive is ready to be examined, open your forensic software and start a case.

[Figure: Example Of Forensic Software]
When a user logs on to an operating system for the first time, a directory structure is created to hold that individual user’s files and settings. This structure is called the profile, and it has a directory that is given the same name as the user. This profile contains several folders and files. Because this case involves searching for images that were downloaded from the Internet, you can begin by adding evidence from the folders where these files may be stored.

[Figure: Example Of Using Forensic Software]
Before a browser actually downloads a web page, it looks in the Temporary Internet Files folder to see if the information is already there. This is done to increase the speed at which the page will load. Web browsers cache the web pages that the user recently visited. This cached data is referred to as a temporary Internet file, and it is stored in a folder on the user’s hard drive. All of the HTML pages and images are stored on the computer for a certain amount of time, or they are deleted when they reach a certain size.

Sometimes, while a user is viewing web pages, other pages pop up at random. These pop-ups can result in files being written to a user’s hard disk without their knowledge. For example, many hacker sites have Trojan horses that automatically download objectionable material (that is, files) to an unsuspecting user’s computer without the user’s knowledge. The following illustration shows how the information in the Temporary Internet Files folder can be viewed through forensic software.

Besides the temporary Internet files, you may also find evidence in the History folder. The History folder contains a list of links to web pages that were visited. The History feature in Internet Explorer has an option for how long the list of visited websites should be kept. The default setting is 20 days. Computer-savvy people often change this default setting to a shorter period, or they click the Clear History button to erase where they have been before they log off the computer.

The Cookies folder is similar to the History folder. It holds cookies, or information stored by Internet sites that were visited by the user. A number of utilities that work with forensic software display the contents of a cookie in an easily readable format. One such utility is CookieView, which you can download from the Internet.

Many applications create temporary files when the application is installed and when a file is created. These files are supposed to be deleted after the application is installed or when you close the document, but sometimes this doesn’t happen. For example, each time you create a document in Microsoft Word, the software creates a temporary file (with a .tmp extension). Temporary files can possibly provide some useful evidence.

If, during your investigation of the computer, you find no history files, temporary Internet files, or temporary files in the expected folders, you can assume the data has been stored somewhere else, so you’ll need to dig deeper. Here are some file types you may want to look for:
  • Files with strange locations
  • Files with strange names
  • Filenames with too many dots, or that start with a period (.) and contain spaces
  • Files that have changed recently
MACtime is a common forensic tool used to see what someone did on a system. It creates an ASCII timeline of file activity. Various other tools are also available. You can use X-Ways Trace to analyze a drive to locate information about Internet-related files. Such tools can be very useful in gathering evidence (such as the site visited, last date visited, and cache filename).
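As an added example (not part of the original post, and not the MACtime tool itself), the following Python code applies the filename checklist above to a set of file records and then builds a MACtime-style ASCII timeline from their M/A/C timestamps. The records are constructed inline to stand in for what os.stat would return over a read-only mount of the image; the 7-day "changed recently" window and the choice of heuristics are assumptions.

```python
import os
import time
from collections import namedtuple

# One record per file: path relative to the image root, M/A/C timestamps (epoch seconds), size.
FileRecord = namedtuple("FileRecord", "path mtime atime ctime size")

def suspicious_name(path):
    """Filename heuristics from the checklist above; returns the reasons that fire (empty if none)."""
    name = os.path.basename(path)
    reasons = []
    if name.count(".") >= 3:
        reasons.append("too many dots")
    if name.startswith(".") and " " in name:
        reasons.append("leading dot with spaces")
    return reasons

def flag_files(records, now, window_days=7):
    """Name heuristics plus a recent-change check; returns {path: [reasons]} for files tripping any."""
    hits = {}
    for r in records:
        reasons = suspicious_name(r.path)
        if now - r.mtime <= window_days * 86400:
            reasons.append("modified in last %d days" % window_days)
        if reasons:
            hits[r.path] = reasons
    return hits

def build_timeline(records):
    """mactime-style ASCII timeline: one row per distinct timestamp per file; flags m/a/c or '.'."""
    rows = []
    for r in records:
        by_time = {}
        for flag, t in (("m", r.mtime), ("a", r.atime), ("c", r.ctime)):
            by_time.setdefault(int(t), set()).add(flag)
        for t, flags in by_time.items():
            mac = "".join(f if f in flags else "." for f in "mac")
            rows.append((t, mac, r.size, r.path))
    rows.sort()  # chronological; ties broken by flag string, size, path
    return ["%s %s %8d %s" % (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), mac, size, path)
            for t, mac, size, path in rows]

# Constructed sample records standing in for a parsed image (not real evidence); UTC epoch seconds.
T0 = 1462795200  # 2016-05-09 12:00:00 UTC
SAMPLE = [
    FileRecord("Users/alice/Documents/notes.txt", T0 - 30 * 86400, T0 - 30 * 86400, T0 - 30 * 86400, 512),
    FileRecord("Users/alice/AppData/Local/Microsoft/Windows/Temporary Internet Files/design[1].jpg", T0, T0 + 3600, T0, 204800),
    FileRecord("Windows/Temp/. update .tmp.dat.bin", T0 + 7200, T0 + 7200, T0 + 7200, 1),
]
```

Printing build_timeline(SAMPLE) gives one line per timestamp in the order events happened, and flag_files(SAMPLE, now=T0 + 86400) lists the two files that trip the checklist with the reasons for each.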

But, after all the explanation above, I suggest you’d better use Kali Linux. ...^_^