Introductory Computer Forensics Xiaodong Lin

Introductory Computer Forensics
A Hands-on Practical Approach

Xiaodong Lin
Department of Physics and Computer Science
Faculty of Science
Wilfrid Laurier University
Waterloo, ON, Canada

ISBN 978-3-030-00580-1 ISBN 978-3-030-00581-8 (eBook) https://doi.org/10.1007/978-3-030-00581-8

Library of Congress Control Number: 2018957125

© Springer Nature Switzerland AG 2018 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

In deep appreciation and endless memory, this book is dedicated to my dear forever beloved grandmother Xiulin Li who raised me up.

Preface

Internet technology is advancing at a speed beyond comprehension. With ever-advancing Internet technology, we truly are living in a digital age. It will certainly improve our quality of life, as it offers the speed and the capabilities to handle endless types of transactions at relatively low cost. Things we take for granted in our daily activities are an excellent example: transferring money, surfing, emailing, sharing information, etc. On the other hand, we would be handicapped in our daily lives without the Internet. Simply put, we all depend on the capabilities of Internet technology to run our daily errands more efficiently, even when we do not directly notice it. Unfortunately, one of Murphy’s more applicable axioms becomes apparent with this technology: “with every solution comes a new set of problems.” This marvelous new technology also provides golden opportunities for organized crime groups, as well as other individuals who want to abuse the technology and maximize their profit illegally. Activities like denial of service attacks, website vandalism, online fraud, money laundering, and more have surfaced. We have all read headlines from around the world about companies being hacked and losing personal information; cybercrime has become a rampant reality that we must all face, and according to the forecast, cybercrime trends will worsen globally, with billions of dollars lost every year in the global conflict against it. In order to fight cybercrime effectively, public prosecutors need to be able to do more than simply match a crime to a suspect; they must be able to produce convincing digital evidence in a court of law, before a judge who may not even know what a USB drive is, in order to put criminals behind bars. This evidence may include computer log files, corresponding emails, accounting information, spreadsheets, and other related records, regardless of whether these files were deleted.
According to the study, the majority of digital evidence presented in court is obtained from all sorts of everyday electronic devices such as computers, digital cameras, BlackBerrys, and 3G cell phones. In one case, former Alaska Governor Sarah Palin’s e-mail account was hacked by a Tennessee student. After the suspect reset Governor Palin’s e-mail account password and posted the new password on a forum, the FBI was able to trace the suspect’s digital footprint or trail, particularly his email address, leading to the suspect’s apartment. This evidence was vital in helping the federal prosecutor acquire further necessary digital evidence and arrest the suspect, even though the suspect had removed, altered, concealed, and covered up files on his laptop computer. No individual alone can effectively fight online criminals, and technology is evolving much faster than the law can adapt. Traditional forensic science, while still invaluable, will not be able to deal with this new wave of cybercrime. As a result, an exciting new branch of forensic science, digital forensics, is emerging.

Digital forensic investigation is a sequence of interdependent and linked procedures, employing technology to study and recreate the chains of events that lead to the current state of digital objects. Digital objects may include (but are not limited to) computer systems, such as software applications and databases; devices, such as hard disks, CDs, DVDs, and USB drives; and electronic documents such as spreadsheets, documents, emails, and images. Digital objects could be as large as an entire network or as small as a single byte. By using technology to examine digital objects, the investigator can present trustworthy, satisfactory, and legally acceptable evidence to a court of law and provide answers to the questions raised about criminal events. Unlike established traditional forensic analysis, digital forensics, as a new subject, must overcome many challenges before it becomes widely accepted in courts of law internationally.
The major challenges include the following:

(a) The process of collecting the digital evidence may alter the evidence itself, as it can easily be deleted or altered and become inadmissible in court; hence, the prosecutor must preserve it in the state it was collected in and provide proof that the digital evidence has not suffered any alteration between the time of collection and the time of admission to the court.

(b) As the complexity of digital forensic analysis techniques continues to increase and the size of forensic targets grows rapidly, you will experience the need for hundreds of gigabytes, or even terabytes, of hard drive space to store all the necessary evidence.

(c) As technology always advances more quickly than the law can compensate for, there is no shortage of new opportunities for online criminals to take advantage of “holes in the legal system” and use new technology to perform activities that are clearly immoral; however, technically speaking, these activities may be “legal,” as existing law does not address, or no law exists to deal with, the new situation or environment created by the new technology, and that may become a stumbling block between the prosecutors and the lawyers.

As a new subject, digital forensics is not well known to the general public, but interest in it is booming, as more companies and individuals seek the truth about what has happened to their network infrastructure. Even as a growing number of court cases (civil, criminal, and otherwise) involve digital evidence (or electronic evidence), trained digital forensic professionals are in short supply, and cybercrime can be committed anywhere in the world. It has become essential for universities and colleges to offer digital forensics to their students so that the students are well prepared with the proper tools to fight against cybercrime.

I am a strong believer in active learning. A Chinese proverb says: “Tell me, I will forget. Show me, I may remember. Involve me, and I will understand.” I strongly believe that theoretical knowledge and practical hands-on experience are necessary to function independently to reach each individual student’s full potential, particularly in computer security education. Also, they should be integrated into a coherent whole. Such educational excursions have proved very attractive and informative to students in my computer security and forensics classes. It is crucial to let students know why they need to study a subject, what they need to know about the subject, and most importantly, how they can apply the knowledge and skills learned in class to real-life situations. I try to tie the theory to the practical, real world through case studies and practice exercises to help students learn the material better, because they literally make more connections as opposed to only learning theory and how to apply a formula to get a result. Holistic learning, including hands-on experience and theory, is what is needed most. For example, man-in-the-middle (MITM) attacks using address resolution protocol (ARP) spoofing in a switched network environment are classic but complicated network attacks. A decent theoretical illustration helps, but may not gain enough classroom attention or cooperation. Thus, in order to improve student learning and encourage cooperation among students, after a theoretical explanation of ARP spoofing and man-in-the-middle attacks, a live demonstration of ARP spoofing and man-in-the-middle attacks can be conducted in class to show students how the ARP protocol works before and after the attacks through captured network traffic, and how the participating computers behave as the attacks proceed by showing their ARP tables at different stages of the attacks. By doing so, students are able to reflect on knowledge that they have just learned in the classroom. Hence, gaining hands-on experience through live lab experiments is as vital to a student as it is to a medical student.

I have taught courses on computer forensics, cyberattack and defense techniques, and software security in several Canadian universities over the past decade. In my teaching, I developed many hands-on practice exercises to enhance understanding of the concepts and theories of information security and forensics introduced in my classes and to increase student interest in information security and forensics. This book is the first edition of an experience-oriented textbook that stems from the introductory digital forensics course I developed at the University of Ontario Institute of Technology (UOIT), Canada. The objective of this book is to help students gain a better understanding of digital forensics, gaining hands-on experience in collecting and preserving digital evidence by completing various practice exercises. This experience-oriented textbook contains 20 student-directed, inquiry-based practice exercises to help students better understand digital forensic concepts and learn digital forensic investigation techniques. This hands-on, experience-oriented textbook is a great way to introduce people to the world of computer forensics, a fast-evolving field for solving crimes.

Practice Exercise Environment

While all the practice exercises in this book can be conducted on a physical computer, we use virtualization and build a forensics workstation using a publicly available Kali virtual machine for your use while working on the exercises in this book. Virtualization is a technology that uses one computer’s hardware to run operating system(s) within an operating system, and it can even be nested, with an operating system running within an operating system within an operating system. It is a way to run multiple operating systems at the same time on one piece of computer hardware, where each operating system runs separately and could do something completely different. In virtualization, there are two main components: the first is the host machine, the physical machine on which the virtualization takes place, and the second is the guest machine, i.e., the virtual machine (VM). The benefits of using virtualization or a preconfigured Kali Linux virtual machine include the following. First, we can save a lot of time configuring devices and software. If something does not work out, we can always roll back to a snapshot and start over again until it works. In other words, we have an environment that can be saved, deleted, backed up, etc., on demand. By using virtualization, we can always have a copy of a clean and workable image, which is very good for the purpose of teaching. Second, all students have the same practice exercise environment, which can be well controlled. As a result, it becomes easy to troubleshoot and diagnose problems in the students’ exercise environments.

Book Organization

The book consists of 21 chapters, which are organized into 6 parts. Chapter 1 discusses basic concepts of computer forensics. Each of the remaining chapters is composed of two parts: background knowledge and hands-on experience through practice exercises. Each theoretical or background section concludes with a series of review questions, which are prepared to test students’ understanding of the material, while the practice exercises are intended to afford students the opportunity to apply the concepts introduced in the background knowledge section. The flowchart below illustrates the chapter organization that instructors can follow to achieve their course plans. The arrows indicate the order of chapters and sections that instructors are suggested to follow. The dashed lines indicate that the parts they point to are optional for an introductory computer forensics course. For an introductory course, instructors are suggested to cover the first three parts. Depending on course length and level, the instructor will be able to choose and determine the order of the remaining parts, as each of them is self-standing and does not require knowledge from the other sections.

[Flowchart: suggested chapter order, grouped by part]

Part I. Chapter 1: Introduction to Computer Forensics; Chapter 2: Introduction to Computer Organization; Chapter 3: Building a Forensics Workstation

Part II. Chapter 4: Volume Analysis; Chapter 5: Examining FAT; Chapter 6: Deleted File Recovery in FAT; Chapter 7: Examining NTFS File System; Chapter 8: Deleted File Recovery in NTFS; Chapter 9: File Carving; Chapter 10: File Signature Searching Forensics; Chapter 11: Keyword Forensics; Chapter 12: Timeline Analysis; Chapter 13: Data Hiding and Detection

Part III. Chapter 14: Log Analysis

Part IV. Chapter 15: Android Forensics; Chapter 16: GPS Forensics; Chapter 17: SIM Cards Forensics

Part V. Chapter 18: Introductory Malware Analysis; Chapter 19: Ransomware Analysis

Part VI. Chapter 20: Image Forgery Detection; Chapter 21: Steganography and Steganalysis

The summary of the book parts is given below. The first part, or Part I (Chaps. 1–3), is focused on the basic computer skills required before studying computer forensics and completing the practice exercises in the book. In Chap. 1, we will introduce you to the fundamentals of computer forensics and why computer forensics skills are important to our society. In Chap. 2, we will review some basic concepts in computer organization, which are essential for you to know how computer forensics techniques work. If you are familiar with computer organization, you can skip ahead to the next chapter. In Chap. 3, you will build your own forensics workstation using some open-source digital forensics tools.

Part II (Chaps. 4–13) discusses file system forensic analysis. It is concerned with the most common source of digital evidence, computer storage devices such as hard drives, which can be divided into multiple sections known as partitions. Each partition is then formatted with a file system such as FAT or NTFS before data can be stored in it. It is worth mentioning that this part can be used in conjunction with File System Forensic Analysis by Brian Carrier. File System Forensic Analysis is an excellent reference for anyone who studies analysis techniques of file systems for investigative purposes. This part of our book can be used as extra hands-on exercises to enhance student learning and improve skills and knowledge in file system forensics, thereby helping them gain a more detailed understanding of file system analysis for investigative purposes. In Chap. 4, we will discuss the concept of a volume and study volume analysis techniques. Chapter 5 describes analysis of the FAT file system. In this chapter, we also provide an introduction to file system concepts. Then in Chap. 6, the discussion focuses on how to recover deleted files in the FAT file system based on remaining file system metadata. Chapter 7 describes analysis of the NTFS file system. Then in Chap. 8, the discussion focuses on how to recover deleted files in the NTFS file system based on remaining file system metadata. Chapter 9 describes file carving techniques, which can recover deleted files when file system metadata is missing. Chapter 10 covers the keyword searching forensic technique. Chapter 11 discusses the file signature searching forensic technique. Chapter 12 discusses timeline analysis. In Chap. 13, we discuss data hiding and detection techniques.

Part III (Chap. 14) covers log forensic analysis. Chapter 14 is concerned with forensic analysis of log files in computer systems, which are another important source of digital evidence.

Part IV (Chaps. 15–17) covers mobile device forensics. Chapter 15 discusses Android-based device forensics. Chapter 16 studies Global Positioning System (GPS) forensics. Chapter 17 covers forensic analysis of SIM card data.

Part V (Chaps. 18 and 19) is concerned with the study of malware analysis. Chapter 18 provides an introduction to malware analysis. Then in Chap. 19, the study of ransomware, a new breed of malware, is considered.

The last part, or Part VI (Chaps. 20 and 21), is focused on multimedia forensics. In Chap. 20, we will introduce you to the fundamentals of digital image forgery and detection techniques. In Chap. 21, we discuss the principles of image steganography and steganalysis.

Supplements

An Instructor’s Solutions Manual
Solutions for all questions at the end of the background knowledge sections, as well as for the textbook practice exercises, are provided. The solutions can be downloaded from the publisher.

Data Files
Data files are provided for the practice exercises, which are required in most of the chapters to complete these hands-on exercises. They are available for download from the publisher.

Waterloo, ON, Canada
Xiaodong Lin

Acknowledgments

After several years of teaching an introductory digital forensics course, and particularly after receiving positive feedback on the extensive lab exercises for hands-on experience, an idea just came to my mind: why not put together the course materials I developed as a textbook, an experience-based textbook in particular. I realized how much work was involved only after I started to write the book. Finishing the book would have been impossible without the help, advice, and support of many people. I am very grateful to many of my former students and particularly to Corey Knecht, Khalid Alharbi, Muhammad Ali Raffay, Zhenxing Lei, and Aiqing Zhang for their invaluable feedback and suggestions for improvement, especially from their points of view as students, after carefully reviewing parts of the manuscript.

Contents

Part I Fundamentals of Computer Systems and Computer Forensics

1 Introduction to Computer Forensics ...... 3
1.1 Introduction ...... 3
1.1.1 Young History ...... 3
1.1.2 A Field on the Rise ...... 5
1.1.3 Challenges ...... 6
1.1.4 Privacy Risk with Digital Forensics ...... 10
1.1.5 Looking Ahead ...... 10
1.2 What Computer Forensics Is and Why It Is Important ...... 12
1.3 Digital Evidence ...... 15
1.4 Computer Forensics Procedures and Techniques ...... 19
1.4.1 Preparation Stage ...... 22
1.4.2 In Crime Scene Stage ...... 22
1.4.3 In Digital Evidence Lab Stage ...... 24
1.5 Types of Computer Forensics ...... 27
1.6 Useful Resources ...... 30
1.7 Exercises ...... 34
References ...... 35

2 Introduction to Computer Organization ...... 37
2.1 Computer Organization ...... 37
2.2 Data Representation ...... 41
2.3 Memory Alignment and Byte Ordering ...... 43
2.4 Practice Exercise ...... 47
2.4.1 Setting Up the Exercise Environment ...... 47
2.4.2 Exercises ...... 48
Appendix A: How to Use GDB to Debug C Programs ...... 50
References ...... 52

3 Building a Forensics Workstation ...... 53
3.1 The Sleuth Kit (TSK) and Autopsy Forensic Browser ...... 53
3.1.1 The Sleuth Kit (TSK) ...... 53
3.1.2 Autopsy Forensic Browser ...... 56
3.1.3 Kali Linux Sleuth Kit and Autopsy ...... 58
3.2 Virtualization ...... 58
3.2.1 Why Virtualize? ...... 59
3.2.2 What Are the Virtualization Options? ...... 60
3.2.3 Why VMware Virtualization Platform? ...... 60
3.3 Building Up Your Forensics Workstation with Kali Linux ...... 61
3.4 First Forensic Examination Using TSK ...... 76
3.5 Practice Exercise ...... 80
3.5.1 Setting Up the Exercise Environment ...... 81
3.5.2 Exercises ...... 81
Appendix A: Installing Software in Linux ...... 87
Appendix B: dcfldd Cheat Sheet ...... 88
References ...... 89

Part II File System Forensic Analysis

4 Volume Analysis ...... 93
4.1 Hard Disk Geometry and Disk Partitioning ...... 93
4.1.1 Hard Disk Geometry ...... 94
4.1.2 Disk Partitioning ...... 97
4.1.3 DOS-Style Partitions ...... 98
4.1.4 Sector Addressing in Partitions ...... 104
4.2 Volume Analysis ...... 105
4.2.1 Disk Layout Analysis ...... 105
4.2.2 Partition Consistency Check ...... 106
4.2.3 Partition Extraction ...... 107
4.2.4 Deleted Partition Recovery ...... 107
4.3 Practice Exercise ...... 110
4.3.1 Setting Up the Exercise Environment ...... 110
4.3.2 Exercises ...... 110
4.4 Helpful Tips ...... 112
References ...... 114

5 Examining FAT File System ...... 115
5.1 File System Overview ...... 116
5.2 FAT File Systems ...... 123
5.2.1 The Partition ...... 124
5.2.2 The ...... 128
5.2.3 Addressing in FAT File Systems ...... 129
5.2.4 The and Directory Entry ...... 130
5.2.5 The Long File Name ...... 133
5.3 Lab Exercises ...... 138
5.3.1 Setting up the Exercise Environment ...... 138
5.3.2 Exercises ...... 138
5.4 Helpful Tips ...... 140
Appendix A: Data Structure for the FAT12/16 Partition Boot Sector ...... 142
Appendix B: Data Structure for the FAT32 Partition Boot Sector ...... 143
Appendix C: Checksum Algorithm for LFN Entry ...... 144
References ...... 144

6 Deleted File Recovery in FAT ...... 145
6.1 Principles of File Recovery ...... 145
6.2 File Creation and Deletion in FAT File Systems ...... 148
6.2.1 File Creation ...... 149
6.2.2 File Deletion ...... 150
6.3 Deleted File Recovery in FAT File Systems ...... 151
6.4 Practice Exercise ...... 154
6.4.1 Setting Up the Exercise Environment ...... 154
6.4.2 Exercises ...... 154
6.5 Helpful Tips ...... 157
References ...... 161

7 Examining NTFS File System ...... 163
7.1 New Technology File System ...... 163
7.2 The Master File Table ...... 165
7.3 NTFS Indexing ...... 174
7.3.1 B-Tree ...... 174
7.3.2 NTFS Directory Indexing ...... 176
7.4 NTFS Advanced Features ...... 185
7.4.1 Encrypting File System (EFS) ...... 186
7.4.2 Data Storage Efficiency ...... 191
7.5 Practice Exercise ...... 194
7.5.1 Setting Up the Exercise Environment ...... 194
7.5.2 Exercises ...... 194
7.6 Helpful Tips ...... 195
7.6.1 Locate the Master File Table (MFT) in an NTFS Volume ...... 195
7.6.2 Determine the Address of the Cluster Which Contains a Given MFT Entry ...... 196
References ...... 197

8 Deleted File Recovery in NTFS ...... 199
8.1 NTFS Deleted Files Recovery ...... 199
8.1.1 File Creation and Deletion in NTFS File Systems ...... 200
8.1.2 Deleted File Recovery in NTFS File System ...... 206
8.2 Practical Exercise ...... 208
8.2.1 Setting Up the Exercise Environment ...... 208
8.2.2 Exercises ...... 208
References ...... 210

9 File Carving ...... 211
9.1 Principles of File Carving ...... 212
9.1.1 Header/Footer Carving ...... 212
9.1.2 Bifragment Gap Carving (BGC) ...... 216
9.2 File Carving Tools ...... 221
9.2.1 Foremost ...... 221
9.2.2 Scalpel ...... 223
9.2.3 and Photorec ...... 223
9.3 Practical Exercise ...... 231
9.3.1 Setting Up Practical Exercise Environment ...... 231
9.3.2 Exercises ...... 232
References ...... 232

10 File Signature Searching Forensics ...... 235
10.1 Introduction ...... 235
10.2 File Signature Search Process ...... 236
10.3 File Signature Search Using hfind ...... 238
10.3.1 Create a Hash Database Using md5sum ...... 239
10.3.2 Create an MD5 Index File for Hash Database ...... 240
10.3.3 Search Hash Database for a Given Hash Value ...... 240
10.4 Practice Exercise ...... 241
10.4.1 Setting Up the Exercise Environment ...... 241
10.4.2 Exercises ...... 241
Appendix A: Script for Generating Files for File Hash Database ...... 242
References ...... 244

11 Keyword Forensics ...... 245
11.1 Forensic Keyword Searching Process ...... 246
11.2 Grep and Regular Expressions ...... 247
11.3 Case Study ...... 248
11.4 Practice Exercise ...... 252
11.4.1 Setting Up Practical Exercise Environment ...... 252
11.4.2 Exercises ...... 252
Appendix: Regular Expression Metacharacters ...... 254
References ...... 255

12 Timeline Analysis ...... 257
12.1 Principle of Timeline Analysis ...... 257
12.1.1 Timeline ...... 257
12.1.2 Timeline Event ...... 259
12.2 Timeline Analysis Process ...... 260
12.2.1 Timeline Creation ...... 260
12.2.2 Timeline Analysis ...... 261
12.2.3 MAC Timeline Creation and Analysis with TSK ...... 262
12.3 Forensic Timeline Analysis Tools ...... 264
12.3.1 Log2timeline ...... 265
12.3.2 EnCase ...... 265
12.4 Case Study ...... 265
12.5 Practice Exercise ...... 267
12.5.1 Setting Up the Exercise Environment ...... 267
12.5.2 Exercises ...... 268
References ...... 269

13 Data Hiding and Detection ...... 271
13.1 Data Hiding Fundamentals ...... 271
13.1.1 Hidden Files and Folders ...... 273
13.1.2 Masks and Altering Names ...... 274
13.1.3 Volume Slack ...... 275
13.1.4 Slack Space ...... 275
13.1.5 Clusters in Abnormal States ...... 275
13.1.6 Bad MFT Entries ...... 276
13.1.7 Alternate Data Streams ...... 276
13.2 Data Hiding and Detection in Office Open XML (OOXML) Documents ...... 278
13.2.1 OOXML Document Fundamentals ...... 278
13.2.2 Data Hiding in OOXML Documents ...... 280
13.2.3 Hidden Data Detection in OOXML Documents ...... 295
13.3 Practical Exercise ...... 298
13.3.1 Setting Up the Exercise Environment ...... 299
13.3.2 Exercises ...... 299
References ...... 300

Part III Forensic Log Analysis

14 Log Analysis ...... 305
14.1 System Log Analysis ...... 306
14.1.1 Syslog ...... 306
14.1.2 Windows Event Log ...... 310
14.1.3 Log Analytics Challenges ...... 312
14.2 Security Information and Event Management System (SIEM) ...... 313
14.2.1 Log Normalization and Correlation ...... 316
14.2.2 Log Data Analysis ...... 318
14.2.3 Specific Features for SIEM ...... 320
14.2.4 Case Study of Log Correlation ...... 321
14.3 Implementing SIEM ...... 322
14.3.1 How OSSIM Works ...... 322
14.3.2 AlienVault Event Visualization ...... 324
14.4 Practice Exercise ...... 328
14.4.1 Setting Up the Exercise Environment ...... 328
14.4.2 Exercises ...... 331
References ...... 331

Part IV Mobile Device Forensics

15 Android Forensics ...... 335
15.1 Mobile Phone Fundamentals ...... 336
15.2 Mobile Device Forensic Investigation ...... 338
15.2.1 Storage Location ...... 339
15.2.2 Acquisition Methods ...... 341
15.2.3 Data Analysis ...... 349
15.2.4 Case Studies ...... 352
15.3 Practice Exercise ...... 362
15.3.1 Setting Up Practical Exercise Environment ...... 362
15.3.2 Exercises ...... 368
References ...... 370

16 GPS Forensics ...... 373
16.1 The GPS System ...... 374
16.2 GPS Evidentiary Data ...... 377
16.3 Case Study ...... 377
16.3.1 Experiment Setup ...... 378
16.3.2 Basic Precautions and Procedures ...... 378
16.3.3 GPS Exchange Format (GPX) ...... 379
16.3.4 GPX Files ...... 384
16.3.5 Extraction of Waypoints and Trackpoints ...... 385
16.3.6 How to Display the Tracks on a Map ...... 386
16.4 Practice Exercise ...... 389
16.4.1 Setting Up Practical Exercise Environment ...... 389
16.4.2 Exercises ...... 389
References ...... 397

17 SIM Cards Forensics ...... 399
17.1 The Subscriber Identification Module (SIM) ...... 399
17.2 SIM Architecture ...... 401
17.3 Security ...... 403
17.4 Evidence Extraction ...... 405
17.4.1 Contacts ...... 405
17.4.2 Calls ...... 405
17.4.3 SMS ...... 406
17.5 Case Studies ...... 406
17.5.1 Experiment Setup ...... 406
17.5.2 Data Acquisition ...... 406
17.5.3 Data Analysis ...... 409
17.6 Practice Exercise ...... 418
17.6.1 Setting Up the Exercise Environment ...... 418
17.6.2 Exercises ...... 421
References ...... 422

Part V Malware Analysis

18 Introductory Malware Analysis ...... 425
18.1 Malware, Viruses and Worms ...... 426
18.1.1 How Does Malware Get on Computers ...... 426
18.1.2 Importance of Malware Analysis ...... 427
18.2 Essential Skills and Tools for Malware Analysis ...... 427
18.3 List of Malware Analysis Tools and Techniques ...... 428
18.3.1 Dependency Walker ...... 429
18.3.2 PEview ...... 432
18.3.3 W32dasm ...... 435
18.3.4 OllyDbg ...... 436
18.3.5 Wireshark ...... 436
18.3.6 ConvertShellCode ...... 438
18.4 Case Study ...... 441
18.4.1 Objectives ...... 442
18.4.2 Environment Setup ...... 442
18.4.3 Concluding Remarks ...... 452
18.5 Practice Exercise ...... 453
References ...... 454

19 Ransomware Analysis ...... 455
19.1 Patterns of Ransomware ...... 456
19.2 Notorious Ransomware ...... 458
19.2.1 CryptoLocker Ransomware ...... 459
19.2.2 Miscellaneous Ransomware ...... 461
19.3 Cryptographic and Privacy-Enhancing Techniques as Malware Tools ...... 462
19.3.1 RSA Cryptosystem ...... 462
19.3.2 AES Cryptosystem ...... 463
19.3.3 Cryptographic Techniques as Hacking Tools ...... 464
19.3.4 Tor Network and Concealing Techniques ...... 464
19.3.5 Digital Cash and Bitcoin as Anonymous Payment Methods ...... 466
19.4 Case Study: SimpleLocker Ransomware Analysis ...... 468
19.4.1 Overview of Android Framework ...... 468
19.4.2 Analysis Techniques for SimpleLocker ...... 469
19.4.3 Online Scan Service ...... 471
19.4.4 Metadata Analysis ...... 472
19.4.5 Static Analysis ...... 475
19.4.6 Analysis of SimpleLocker Encryption Method ...... 485
19.4.7 Dynamic Program Analysis ...... 491
19.4.8 Removal Methods of SimpleLocker ...... 492
19.5 Practice Exercise ...... 496
19.5.1 Installing Android Studio ...... 496
19.5.2 Creating an Android Application Project ...... 497
References ...... 503

Part VI Multimedia Forensics

20 Image Forgery Detection ...... 507
20.1 Digital Image Processing Fundamentals ...... 508
20.1.1 Digital Image Basis ...... 508
20.1.2 Image Types ...... 510
20.1.3 Basic Operation and Transform ...... 512
20.2 Image Forgery Detection ...... 518
20.2.1 Image Tampering Techniques ...... 520
20.2.2 Active Image Forgery Detection ...... 522
20.2.3 Passive-Blind Image Forgery Detection ...... 525
20.3 Practice Exercise ...... 549
20.3.1 Setting Up Practical Exercise Environment ...... 549
20.3.2 Exercises ...... 550
References ...... 554

21 Steganography and Steganalysis ...... 557
21.1 Steganography and Steganalysis Basis ...... 558
21.1.1 Steganography Basis ...... 558
21.1.2 Steganalysis Basis ...... 561
21.2 Steganography Techniques and Steganography Tools ...... 562
21.2.1 Steganography Techniques ...... 563
21.2.2 Steganography Tools ...... 569
21.3 Steganalytic Techniques and Steganalytic Tools ...... 571
21.3.1 Steganalytic Techniques ...... 572
21.3.2 Steganalysis Tools ...... 574
21.4 Practice Exercises ...... 574
21.4.1 Setting Up the Exercise Environment ...... 574
21.4.2 Exercises ...... 575
References ...... 576