On-Scene Triage of Electronic Evidence

On-Scene Triage

• Identification of electronic evidence
• Identifying wireless networks
• Capturing volatile data pt. 1 – RAM dumps
• Encryption
• On-scene imaging of electronic data
• Capturing volatile data pt. 2 – Router interrogation
• Seizure/transportation/storage

Identification of Electronic Evidence

What is “electronic evidence”?

• Items of interest in a criminal investigation which contain evidence in the form of electronic data
  • Computers
  • External storage media
  • Mobile devices
  • Gaming devices
  • Networking devices
  • Navigation devices
  • Etc.

Computers

• Desktop

• Laptop

Desktop computers

iMac all-in-one

All-in-one PCs

Mac Mini

Laptop PC

MacBook laptop

Netbooks

Internal hard drives

IDE vs. SATA

Solid State

Internal drive dock

External Drives

Multi-drive externals

Other externals

Network Attached Storage (NAS)

USB flash media

Some “different” ones

Would you seize this?

These, however, are not storage devices

Media

• Floppy Disk/Zip/Jaz/SuperDisk

• CD/DVD

• Flash media cards

Floppy Disks

Zip disks

Jaz drives

SuperDisk

CD/DVD

Do we need to seize these?

How About this?

Flash media cards

Let’s say I’m serving a search warrant for files such as documents, spreadsheets, etc.

Is this something I should be interested in?

Mobile devices

• Cell phones

• Tablets

• PDAs

Cell Phones

Smartphones

SIM Cards

And what do a lot of phones have in them?

Tablets

PDAs

Gaming devices

Media players

Networking devices

GPS

Printers/Copiers

Accessories/Supplemental Devices

• Chargers

• Manuals

• Software

Do I need to take everything?

• Short answer: yes

• Longer answer: maybe not

Why should I take everything?

• You may need to recreate the suspect’s system, for court or analysis

• Forfeiture

• To make it more difficult for him to continue/renew criminal activity

• Some devices may be specialized and/or rare/obsolete; your examiner may be unable to complete exam without them

Why should I not take everything?

• Much of it will not be useful in your investigation

• You may just end up returning it later

• It will fill up your evidence room and really annoy your evidence custodian

A word of caution:

• We cannot seize computers, etc., from a business or an individual that needs that equipment for employment or business activity, and not provide the business or individual access to the (non-contraband) data he needs.

Additionally:

• We cannot seize data that is “work product” from journalists, authors, artists, etc., and not give them access to the (non-contraband) data.

So we’ve got a warrant, and we know what electronic evidence looks like. Now what?

First, some general guidelines/principles to be aware of…

• At the scene officer safety is the number one priority. Make sure you have enough manpower to secure the scene. If your bad guy isn’t home, don’t cut everyone loose while you search the house. Remember, some of the crimes we are talking about will result in these people going to jail for a long, long time; they may act foolishly.

• Also with regard to officer safety, be aware of what brought you there. A lot of computer evidence relates to crimes such as child porn. Do not touch the keyboard without gloves. Don’t take home something you don’t want.

• Do not let the suspect, witness or anyone else access the devices (for example, to enter a password for you, or show you where a file is located)

• This includes you; don’t sit down at the keyboard and “look around”

• Be aware that it is not always possible for items to be seized and removed from the scene for examination.

• If things look really complicated, or something about the situation makes you nervous, call for help. Electronic evidence that is seized incorrectly can be lost forever. There is no shame in asking for help from a specialist. Trust your instincts.

• Get a good interview with the bad guy while you are at the scene. He may be willing to tell you things that will help you.
  • Encryption keys
  • Locations of files
  • Confession

Can I just shut it down?

• NOT YET!!

• We need to document what is going on
• We need to determine if data is encrypted
• We need to determine if any volatile data needs to be captured

• Once the scene is secured, before we start fiddling around with the evidence, take photographs to document everything.

Documentation

• Why do we care what the computer is doing when we arrive?
  • Chatting
  • Downloading
  • Opened files which may not be saved
  • System date and time

What happens to this unsaved document if I just yank the plug? Is there any way to preserve this evidence?

• We can testify to the jury about what was going on when we arrived, and what we subsequently discovered during the examination, but a picture has a lot more impact with them.

• Document, document, document

Before we get started…

• One of the tools we are going to use in a lot of the following procedures is FTK Imager Lite

• Let’s get it set up

First, let’s prepare our media

• Most thumb drives will be formatted with a FAT file system by default. THIS WILL NOT WORK ON NEWER SYSTEMS!

  • 4GB file size limit
  • How do we change that?

• So let’s re-format it with an NTFS file system, which will handle files larger than 4GB.

FTK Imager Lite

• Free download
• We want the “Lite” version
• https://accessdata.com/product-download

FTK Imager Lite

• The download is a .zip file

• Unzip it to your thumb drive/external drive

• Create a folder on the drive to direct your output to

• We’ll talk about the other tools as we go along

Identifying Wireless Networks

Identifying wireless networks

• Why do we need to?

• Do we need a specialized device?

• Note: prior to using the following techniques, you need to “sterilize” your equipment by forgetting all the stored networks, so that the device will not automatically connect to the router if it recognizes its SSID.

• Using your laptop’s wifi utility, locate the suspect network – it will give the name, and indicate whether or not it is secured

• You can also use the wifi utility in your phone or tablet, if so equipped

• There are also mobile apps which will give us info about the wireless network to which the device is connected

• Things change quickly in the world of computer technology

• We must be willing to adjust our methods accordingly

Encryption

Encryption

• Encryption vs. password

• Can we access the encrypted data?

Encryption

• Quality encryption is readily available to non-geeks
  • BitLocker
  • EFS
  • TrueCrypt
  • Free*
  • User friendly

• What can we, as examiners do with files or disks that are encrypted, if we don’t know the key?

- NOTHING

Some common types of encryption

• Full disk encryption – entire physical or logical disk
  • Can be software or hardware based
  • Files or systems in use are not protected
  • Files at rest are protected
  • Protects against situations like laptop theft, etc.

• PGP, BitLocker, FileVault, some hard drives

Some common types of encryption

• Filesystem-level encryption – Individual files or folders are encrypted
  • Can add further security to a fully encrypted disk
  • Metadata, such as file names, sizes, timestamps, and directory structure are not encrypted
  • EFS is a filesystem-level encryption

BitLocker

• BitLocker is included in the Ultimate and Enterprise versions of Vista, 7 and 8

• BitLocker is full disk encryption

BitLocker

Here’s how a BitLocker encrypted drive appears in Windows Explorer

• Some versions of Windows also allow us to encrypt files or folders using EFS (encrypting file system)

• Drive must be formatted NTFS (most thumb drives are not)

Now the encrypted files and folders will be green in Windows Explorer

TrueCrypt

• TrueCrypt WAS a free on-the-fly encryption utility which could be used to encrypt an entire physical or logical disk, or to create an encrypted container

• As of May 28, 2014, TrueCrypt is no longer supported or maintained, and its developers advised users to find other solutions

Does this mean we will no longer encounter TrueCrypt?

TrueCrypt

• Using TrueCrypt, we can either encrypt the whole drive, or we can create an “encrypted container”

• We select how large we want the container to be, and what the encryption key will be

Here is an attempt to open a previously created encrypted TrueCrypt container; note that the OS doesn’t know what to do with it.

Now, we assign a vacant drive letter to the soon-to-be decrypted container, direct TrueCrypt to the container we had previously created, and tell it to mount the container…

TrueCrypt prompts us to enter the encryption key.

And TrueCrypt decrypts and mounts the container, making it available to us.

And we can now access the decrypted contents.

• So, if we encounter a computer and are aware that TrueCrypt is running…

…it behooves us to secure that encrypted data prior to shutdown (we’ll discuss how shortly).

VeraCrypt

• Forked off from TrueCrypt in 2013

• Claims to have overcome security issues with TrueCrypt

• Current version released in July of 2017

• Allows some additional features, such as volumes within volumes, and encrypting hidden operating systems

• So, now that we’re sufficiently convinced that our bad guy has convenient choices for encrypting his stuff, what do we do?

Encryption detection

• Tools are available which will assist us in detecting if encryption is present
  • FTK Imager Lite
  • osTriage
  • CryptHunter

• None are perfect (but, on the positive side, all are free!)

Before we start…

• In order to run these tools, we have to insert a thumb drive into a running suspect system

• Are we changing data?

• Is this a problem?

• We add our evidence item

• And then check for encryption

Here is FTK Imager looking at the thumb drive containing the EFS encrypted files

If we drill down to the files on the drive, we see the key icon next to them, indicating that they are EFS encrypted

• Great; problem solved, right?

…not so fast.

Here are our other two thumb drives, one encrypted with BitLocker and one encrypted with TrueCrypt

• FTK Imager only detects EFS encryption

• Is that good enough?

Let’s try it with osTriage

2 out of 3

• osTriage currently detects TrueCrypt, VeraCrypt, BestCrypt, PGP, and BitLocker

Those same three drives as seen by CryptHunter

What’s the moral of the story?

• None of the tools are perfect

• You may need to use more than one

• You need to evaluate your suspect and your scene, and don’t rely solely on the tools
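Why the three tools disagree on the three thumb drives follows from where each product leaves its traces, which the encryption-types and detection slides above describe. The following added example (not code from the deck, nor the detection logic of FTK Imager Lite, osTriage or CryptHunter) checks a volume's first bytes for the BitLocker boot-sector signature, falls back to an entropy test for signature-less TrueCrypt/VeraCrypt volumes, and checks the per-file attribute bit that is all EFS leaves behind; the sample volume heads are constructed, not real images.

```python
"""Volume-level encryption heuristics (added example; not the detection
logic of FTK Imager Lite, osTriage or CryptHunter). BitLocker leaves a
signature in the volume's first sector, EFS only sets a per-file attribute
bit, and a TrueCrypt/VeraCrypt volume has no signature at all and can
only be inferred from ciphertext-like entropy: hence the tools disagree."""
import math
import random
import stat
from collections import Counter

# OEM IDs at byte offset 3 of a boot sector. BitLocker overwrites the NTFS
# OEM ID with "-FVE-FS-"; the others mark ordinary unencrypted volumes.
OEM_IDS = {b"-FVE-FS-": "bitlocker", b"NTFS    ": "plain-ntfs",
           b"EXFAT   ": "plain-exfat", b"MSDOS5.0": "plain-fat"}
SAMPLE_LEN = 4096        # bytes examined; tiny samples bias entropy low
ENTROPY_THRESHOLD = 7.5  # bits/byte; random or encrypted data scores ~7.9

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_volume(head: bytes) -> str:
    """Classify a volume from its first SAMPLE_LEN bytes: 'bitlocker',
    'plain-*', 'possible-truecrypt' (no signature, high entropy) or
    'unknown' (no signature, low entropy, e.g. wiped or unformatted)."""
    if len(head) < SAMPLE_LEN:
        raise ValueError(f"need at least {SAMPLE_LEN} bytes")
    label = OEM_IDS.get(head[3:11])
    if label and head[510:512] == b"\x55\xaa":   # boot sector end marker
        return label
    if shannon_entropy(head[:SAMPLE_LEN]) >= ENTROPY_THRESHOLD:
        return "possible-truecrypt"   # or VeraCrypt, or random-wiped space
    return "unknown"

def is_efs_encrypted(file_attributes: int) -> bool:
    """EFS leaves the volume signature intact; the only on-disk hint is the
    ENCRYPTED attribute bit on each file (the key icon FTK Imager shows).
    On Windows, pass os.stat(path).st_file_attributes."""
    return bool(file_attributes & stat.FILE_ATTRIBUTE_ENCRYPTED)

def make_sample(kind: str) -> bytes:
    """Constructed volume heads for the demo (not real drive images)."""
    if kind == "truecrypt":
        rng = random.Random(2014)   # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(SAMPLE_LEN))
    head = bytearray(SAMPLE_LEN)
    head[3:11] = {"bitlocker": b"-FVE-FS-", "ntfs": b"NTFS    "}[kind]
    head[510:512] = b"\x55\xaa"
    return bytes(head)
```

The entropy branch is exactly the imperfect part: a randomly wiped partition scores the same as a TrueCrypt container, which is why a hit there is only "possible" and the scene still has to be evaluated.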

Capturing Volatile Data pt.1

RAM Dumps

Volatile Data

• What exactly are we talking about?

• Memory that will lose its contents if power is removed

  • RAM
  • Router memory

RAM – Random Access Memory

• Data can be written and read in the same amount of time regardless of what order the data is stored in

• By contrast, with direct access memory (hard drives, CDs, etc.) data read and write speeds depend on physical location of the data on the medium

• RAM is memory available to the operating system and programs for processing and functioning, not storage

What is a pagefile?

• In most systems, a portion of the computer’s hard drive space is set aside as “virtual RAM” to extend the RAM capacity of the system

• Results in additional (although slower) RAM; data is swapped back and forth between this pagefile (sometimes also called a swap file) and the RAM

RAM – Random Access Memory

• Data is stored as electrical impulses which disappear when power is removed

• Everything present must, therefore, have been created since the computer was turned on

• Remember, this is memory that will lose its contents if power is removed

• We can’t seize these items, take them back to our office and examine them there – it must be done on-scene, or it’s gone forever

Things to remember

• You can’t put 8GB of RAM on a 4GB thumb drive (or an 8GB thumb drive, for that matter)

• This is called a memory “dump” for a reason

• You are making changes to the system
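The media preparation earlier (FAT vs. NTFS and the 4GB file limit) and the size reminder above are the same pre-capture check. This added example, not part of the deck and not FTK Imager Lite's own logic, encodes that check so it can be run against the prepared thumb drive before a memory capture is started; the scenario at the bottom is constructed.

```python
"""Pre-capture check of the destination thumb drive (added example; not
part of the original deck and not FTK Imager Lite's own logic).

FAT32 cannot hold a single file larger than 4 GiB - 1 byte, so a RAM dump
from a 4 GB+ system fails on a default-formatted thumb drive, and the
drive must also have room for the dump plus the pagefile copy.
"""
GIB = 1024 ** 3

# Largest single file each file system can hold (NTFS/exFAT values are
# far beyond any RAM dump and only matter as "no practical limit").
MAX_FILE_SIZE = {
    "FAT32": 4 * GIB - 1,
    "NTFS": 16 * 1024 ** 4,
    "EXFAT": 16 * 1024 ** 4,
}


def check_target_media(fs_type, free_bytes, ram_bytes, pagefile_bytes=0):
    """Return (ok, problems) for writing a RAM dump and optional pagefile
    copy to a drive with the given file system and free space."""
    problems = []
    limit = MAX_FILE_SIZE.get(fs_type.upper())
    if limit is None:
        problems.append(f"unknown file system {fs_type!r}; verify before use")
    else:
        # Each capture lands in its own file, so the largest one must fit
        # under the file system's per-file cap.
        largest = max(ram_bytes, pagefile_bytes)
        if largest > limit:
            problems.append(
                f"{fs_type} cannot store a single {largest / GIB:.2f} GiB file "
                f"(limit {limit / GIB:.2f} GiB); reformat the drive as NTFS")
    needed = ram_bytes + pagefile_bytes
    if needed > free_bytes:
        problems.append(
            f"need {needed / GIB:.1f} GiB free for RAM dump + pagefile, "
            f"only {free_bytes / GIB:.1f} GiB available")
    return not problems, problems


if __name__ == "__main__":
    # Constructed scenario: 8 GB RAM, 8 GB pagefile, default FAT32 stick
    ok, why = check_target_media("FAT32", free_bytes=14 * GIB,
                                 ram_bytes=8 * GIB, pagefile_bytes=8 * GIB)
    print("ready" if ok else "not ready:", *why, sep="\n")
```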

FTK Imager Lite

Select the Browse button

Direct it to a prepared folder on your thumb drive

Rename it

And don’t forget to capture the pagefile, too

Capture Memory

…and wait

Until you see:

Hit the close button:

In your “Acquired Data” folder

Now?

• We examine the dump using a forensic tool, such as EnCase or FTK

• Let’s take a look at some things we found in a sample RAM dump…

• First, let’s look at what I did before I dumped the RAM…

I mounted a TrueCrypt volume…

I did a search for tips on poisoning my wife…

And I typed a note to a friend…

• Can we find any sign of these activities in our RAM dump?

Loaded into EnCase…

How about our TrueCrypt key?

• In plain text! (and it actually appears four times in the dump)

Our threatening note (that was never saved)

Our Google Search

• Lots of good data may be available to us in the RAM dump

• We can’t seize it and examine it later
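The passphrase, the unsaved note and the search query were found in the dump by a keyword search, and the reason a full forensic tool finds all of them is that it searches more than one byte encoding. This added example (not EnCase or FTK, and not code from the deck) does the core of that search over a constructed stand-in dump; the planted passphrase, note and query are made up for the example.

```python
"""Keyword search of a raw RAM dump in both byte encodings (added example;
this is not EnCase or FTK, only the core of what those tools do when they
surface a TrueCrypt passphrase, an unsaved note or a search query).

Windows holds most user-typed text in memory as UTF-16LE and many
network/file buffers as ASCII, so a dump must be searched both ways or
the hit is missed. The dump below is constructed for the example."""
import random
import re


def find_keyword(dump: bytes, keyword: str, context: int = 24):
    """Return [(offset, codec, snippet)] for each hit of keyword in dump,
    matching both the ASCII/UTF-8 and the UTF-16LE byte forms. context is
    the number of bytes shown on each side (kept even for UTF-16LE)."""
    context -= context % 2
    hits = []
    for codec in ("utf-8", "utf-16-le"):
        needle = re.escape(keyword.encode(codec))
        for m in re.finditer(needle, dump):
            start = max(0, m.start() - context)
            raw = dump[start:m.end() + context]
            text = raw.decode(codec, errors="replace")
            snippet = "".join(ch if ch.isprintable() else "." for ch in text)
            hits.append((m.start(), codec, snippet))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory image: random filler with a few
    artifacts planted the way the deck's demo dump turned out."""
    rng = random.Random(1)

    def junk(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    passphrase = b"OpenSesame-2014!"                              # typed into TrueCrypt
    note = "I will stop by your place tonight".encode("utf-16-le")  # unsaved Notepad text
    query = b"GET /search?q=fishing+near+me HTTP/1.1"             # browser request buffer
    return b"".join([junk(300), passphrase, junk(120), note, junk(80),
                     passphrase, junk(200), query, junk(64),
                     passphrase.decode().encode("utf-16-le"), junk(50),
                     passphrase, junk(40)])


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, codec, snippet in find_keyword(dump, "OpenSesame-2014!"):
        print(f"0x{offset:06x} {codec:9} {snippet}")
```

Searching only the ASCII form would report three copies of the passphrase and miss the fourth, which is exactly the kind of hit that matters when the key is needed to mount a container.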

On-Scene Imaging

On-scene Forensic Imaging

• First, what is a forensic image?

• What tools do we use to create them?

• And in what situations would we need to create them on-scene?

FTK Imager Lite

• There are several tools which can create images of different format

• FTK Imager Lite is the one we recommend
  • Industry standard from industry leader Access Data
  • Fast, reliable
  • FREE!

FTK Imager Lite

• Some considerations…
  • How big is the source drive?
  • How big is the target drive?
  • How much time do you have?

Here is the icon for creating an image…

FTK Imager Lite

• In most situations, we are going to be creating images of physical drives

FTK Imager Lite

• Now, we select the drive we are going to create an image of

• What’s that second listed drive?

What do these mean?

Very Important

• And then turn it loose…

• …and wait

FTK Imager Lite

• What are we going to do with the resulting image?

• Examining the image is a more advanced, complex, and time-consuming procedure

• But we have preserved the evidence, and made sure that it is available to our examiner

Capturing Volatile Data pt. 2

Router Interrogation

Router Interrogation

• This is a brief overview of the process of router interrogation, not a detailed tutorial

• Before trying this at a scene, seek further training, and practice, practice, practice

How do we connect to the router?

• First, disconnect the router from the internet (i.e., “the outside world”)

How do we access a router?

• First, we need to attach our laptop to the router via one of the LAN ports

• Next, we open a browser and type in the IP address of the gateway

• Then, we need to know the IP address and username/password for the router
  • This is not the internet username and password

Why don’t we connect wirelessly?

• So we can say for sure we connected to the correct device – what if there are several wifi networks in range?

• We need a password to connect to a secured network via wifi, but not via direct physical connection

• The data that a router will store depends on the router itself, as well as how it has been set up

Router Log

• Did we make any changes to the data contained in this router?
  • Entry in DHCP client list for our machine
  • Entry in log for administrative access

• Did we just screw up our case?

• There is a lot of other interesting information contained in the router – security settings, date/time, filtering data, etc. – that may be valuable to your investigation

• If this is something that interests you, get more training, and practice
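The answer to "did we just screw up our case?" is that the changes are known and explainable, provided the examiner's own MAC address and connection time were noted before plugging into the LAN port. This added example (not code from the deck) tags each DHCP-table and log entry as the examiner's own, pre-existing, or created after connection and therefore needing explanation; the table and log formats are constructed for the demo, not any vendor's real output.

```python
"""Separating the examiner's own footprint from the suspect's data after a
router interrogation (added example; the DHCP table and log formats below
are constructed for the demo, not any vendor's real output).

Plugging the examination laptop into a LAN port creates a DHCP lease and an
admin-login log entry for our machine. Noting our MAC address and the time
we connected lets the report state exactly which entries we introduced."""
import re
from datetime import datetime

LEASE_RE = re.compile(r"hostname=(\S+)\s+mac=([0-9a-fA-F:]{17})\s+ip=(\S+)")
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*) from (\S+)$")


def annotate(dhcp_table: str, admin_log: str, examiner_mac: str,
             connected_at: datetime):
    """Tag every DHCP and log line as 'examiner' (our machine), 'after-connect'
    (created after we plugged in, so it needs explaining in the report) or
    'pre-existing' (present before we touched the router)."""
    examiner_ips, tagged = set(), []
    for line in dhcp_table.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        _host, mac, ip = m.groups()
        if mac.lower() == examiner_mac.lower():
            examiner_ips.add(ip)
            tagged.append(("dhcp", line, "examiner"))
        else:
            tagged.append(("dhcp", line, "pre-existing"))
    for line in admin_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when, _source, _event, ip = m.groups()
        if ip in examiner_ips:
            tag = "examiner"
        elif datetime.strptime(when, "%Y-%m-%d %H:%M:%S") >= connected_at:
            tag = "after-connect"
        else:
            tag = "pre-existing"
        tagged.append(("log", line, tag))
    return tagged


# Constructed sample data: our laptop is EXAM-LAPTOP, connected at 10:05
DHCP_TABLE = """\
hostname=familypc    mac=00:1a:2b:3c:4d:5e ip=192.168.1.10 expires=2017-07-20 03:12:00
hostname=android-7f  mac=a4:5e:60:11:22:33 ip=192.168.1.12 expires=2017-07-19 22:40:00
hostname=EXAM-LAPTOP mac=b8:27:eb:aa:bb:cc ip=192.168.1.20 expires=2017-07-20 10:05:00
"""
ADMIN_LOG = """\
2017-07-19 09:58:41 [admin] login from 192.168.1.10
2017-07-19 10:05:13 [admin] login from 192.168.1.20
2017-07-19 10:06:02 [dhcp] renew from 192.168.1.12
"""
EXAMINER_MAC = "b8:27:eb:aa:bb:cc"
CONNECTED_AT = datetime(2017, 7, 19, 10, 5, 0)
```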

Seizing Electronic Evidence

Operating system

• The method we will use to shut down the computer will be determined by the operating system
  • Windows (server?)
  • Mac OS

• If the computer is turned off, leave it off

• If the computer is on, but the screen is blank, move the mouse to wake it up

How can you tell what the OS is?

• Most of us are familiar with the general look of a Windows machine

What does Linux look like?

How about Mac OS?

Windows

• If it is a Windows machine, and is not a server, pull the plug from the back of the machine. (This is after dealing with any encryption issues.)

• Why not the wall?

• How about a laptop?

Windows Server

• If it is Windows Server, turn the computer off using the appropriate commands.

Linux

• Turn the computer off using appropriate commands. (This is after dealing with any encryption issues.)

Mac OS

• Turn the computer off using appropriate commands. (This is after dealing with any encryption issues.)

• Once it’s off, label the cords as you remove them from the back of the machine, and label the ports to which those cords are attached.

Mobile devices – isolate?

• Why would we want to isolate a mobile device from the network?
  • Prevent changes to the data
  • Protect evidence
  • Ensure we are in compliance with our warrant

• Why would we not want to isolate a mobile device from the network?
  • Prevent device from locking us out
  • Prevent rapid battery drain

Low-tech options

• Remove the battery?
  • Pros: easy, cheap and takes no skill
  • Cons: Some batteries can’t be removed (iPhone) and it may also activate the PIN.
• Airplane mode?
  • Pros: cheap, and effective
  • Cons: You are changing data. Can you successfully turn on airplane mode without accidentally screwing something up? Does airplane mode disable wifi access?

Other options

• Faraday bags
• Foil
• Jammers?

I am not going to tell you how you should do it. The bottom line is that you should develop an SOP and stick to it…

…and don’t be afraid to break it (as long as you can explain why you did).

Now it’s off; what do we do with it?

• Transport it in the car like a person; put a seatbelt on it

• Keep it in the position in which it was found

• Keep it away from:
  • Heat
  • Cold
  • Water
  • Magnetic fields

Once it’s back at your station:

• Package it in two containers:
  • Items that will be examined
    • Computers
    • Mobile devices
    • Media
    • External devices
  • Items that will not be examined
    • Monitors
    • Keyboards
    • Mice
    • Speakers

Accurately label the items

• Make, model, serial number
• Do cell phones have serial numbers?
  • MEID/ESN
  • IMEI

• Do Dell computers have serial numbers?
  • Service tag

Some final thoughts…

• Evidence that is not seized cannot be examined
• Don’t be afraid to make (justifiable) changes to the data
• Don’t be afraid to ask for help or advice

• Most importantly, be careful

Follow PATCtech!

PATCtech @PATCtech

Forensic Digital Evidence Investigators (LinkedIn Group)

• Updates & PATCtech Research
• Public Safety News
• Training Opportunities
