NICA Tool: Extract and Correlate Evidences in Computer Forensics


NICA Tool: Extract and Correlate Evidences in Computer Forensics

by

Alicia Castro

B.S. Computer Engineering, University of Louisville, 2003

A Thesis

Submitted to the Faculty of Graduate School of the

University of Colorado at Colorado Springs

In partial fulfillment of the Requirements

for the Degree of

Master of Engineering in Software Engineering

Department of Computer Science

2010

©Copyright by Alicia Castro 2010

All Rights Reserved

This thesis for the Master of Engineering degree by

Alicia Castro

has been approved for the

Department of Computer Science

by:

Dr. Edward Chow (Advisor)

Dr. Jugal Kalita

Dr. Xiaobo Zhou

______Date

NICA Tool: Extract and Correlate Evidences in Computer Forensics

by

Alicia Castro

(Master of Engineering, Software Engineering)

Thesis directed by Associate Professor C. Edward Chow

Department of Computer Science

Abstract

Computer forensics is a fast growing field. The technology is advancing faster than some U.S. laws can keep up with. Probable cause, search warrants, and the focus of a search when dealing with computers, software, and Web content have been compared to traditional searches. Since computers contain so much information, it is possible to uncover incriminating information that cannot be used due to the limits of search warrants. The motivation behind the search and seizure laws will be examined in relation to the computer forensic field. This thesis examines the close relationship between the Constitution and other important laws about search and seizure of computers and digital evidence. It is very important to understand the connection between the legality of the act of obtaining the evidence and proving that a crime was committed.

This thesis also develops a new forensic tool, the NICA Forensic Tool, that helps the investigator gather more detailed information about the sites visited, with date and time stamps. If there is any doubt that the user was logged into the computer, or was the one who downloaded from or visited those sites, the tool also searches for other login activities from programs such as Skype, Outlook and Instant Messenger. At the end there should be no doubt about whether or not there was an intention to commit a crime.

This thesis is dedicated to my husband Dean and my children: Christina, Richard and Christopher

Acknowledgements

I would like to express my appreciation to my advisor Dr. Edward Chow for his constant support and guidance. Special thanks to my advisory committee: Dr. Xiaobo Zhou and Dr. Jugal Kalita. My gratitude also goes to Patricia Rea, who helped me keep track of my time and all the paperwork needed in order to graduate on time.

Special thanks to Dean, Marlon and Rebecca, who helped me edit this thesis.

The most special thanks go to my best partner and friend, my husband Dean, who helped me and supported me through all this long process.

TABLE OF CONTENTS

Table of Figures...... x

Chapter 1 Forensics Legal Issues Overview...... 1

1.1 Introduction...... 1

1.2 Related Work...... 3

1.3 Search and Seizure...... 4

1.4 Electronic Communications Privacy Act (ECPA)...... 8

1.5 Wiretap Statute...... 16

1.6 Pen/Trap Statute...... 19

1.7 USA PATRIOT ACT...... 20

1.8 Colorado House Bill Amendment...... 23

1.9 Roles of Computer Forensic...... 24

1.10 Computer Forensic Investigation...... 27

Chapter 2 Related Work...... 31

2.1 Forensic Tool Requirements...... 31

2.1.1 Basic Customer Requirements...... 31

2.1.2 Purpose...... 32

2.2 Project Scope...... 32

2.3 Software System Perspective...... 33

2.3.1 Operating Environment...... 33

Chapter 3 Designing of the NICA Computer Forensic Tool...... 34

3.1 Objectives of the Computer Forensic Tool Design...... 34

3.2 Design of the Forensic Tool...... 35

3.3 Brief Introduction to the Essential Registry Key Information...... 35

3.4 Understanding the Actors...... 37

3.4.1 User Profile...... 37

3.4.2 Internet Explorer...... 42

3.4.3 Mozilla Firefox...... 51

3.4.4 Google Chrome...... 53

3.4.5 Skype...... 54

3.4.6 Outlook...... 56

3.4.7 Instant Messenger...... 57

3.5 Understanding the Data Flow...... 61

Chapter 4 External Tools used with NICA Forensic Tool...... 64

4.1 Internet Explorer Cache View (IECacheView)...... 65

4.2 Internet Explorer History Viewer (IEHistoryView)...... 66

4.3 MozillaCacheView...... 68

4.4 ChromeCacheView...... 70

4.5 SQLite...... 71

4.6 Microsoft Log Parser...... 72

4.7 Outlook Redemption...... 76

Chapter 5 Cracking a Criminal Case Using the NICA Forensic Tool...... 78

5.1 Criminal Case Statement...... 78

5.2 Computer Forensics Analysis...... 79

5.3 Finding Evidence...... 80

5.4 Analysis of Evidence Found...... 86

5.5 Correlating Evidence...... 86

5.6 Relevant Evidence...... 87

Chapter 6 NICA Forensic Tool Analysis...... 89

6.1 Functionality Analysis...... 89

6.2 Performance Analysis...... 90

6.3 Usage Evaluation...... 90

Chapter 7 Lessons Learned...... 95

Chapter 8 Conclusions...... 96

References...... 98

Appendix B User’s Manual...... 108

Product...... 108

Scope/Purpose:...... 108

User’s Data Flow...... 109

Conventions...... 109

Installing the software...... 110

System Requirements (General)...... 110

Information/resources required in the process of installation...... 111

Deploying the Forensic Tool...... 111

NICA Forensic Tool GUI:...... 111

Table of Figures

Figure 1. Registry key for users (SID)...... 42

Figure 2. Internet Explorer location of the cookies files...... 44

Figure 3. IE location of the History file containing web site information...... 45

Figure 4. IE location of the Internet Files containing web sites info and index.dat files.. 46

Figure 5. IE TypedURL information location...... 47

Figure 6. Index.dat file header...... 49

Figure 7. Index.dat file size...... 49

Figure 8. Location of the hash table...... 50

Figure 9. Beginning of the hash table...... 50

Figure 10. Files downloaded from the web...... 50

Figure 11. Mozilla Firefox profiles information...... 52

Figure 12. Google Chrome file’s location...... 54

Figure 13. Instant Messenger Menu default settings...... 58

Figure 14. Windows Live Messenger keys location...... 59

Figure 15. Data Flow Diagram...... 61

Figure 16. IE History file content...... 66

Figure 18. Location of Mozilla Firefox Cache files...... 69

Figure 19. Location of Google Chrome Cache files...... 71

Figure 20. Log Parser architecture diagram...... 73

Figure 21. Log parser output to the console...... 75

Figure 22. Log parser output to a datagrid...... 76

Figure 23. Enter New Case Information...... 80

Figure 24. Run Parser to get entries activities...... 81

Figure 25. User profile and timeline for activities...... 81

Figure 26. Mark items that seem suspicious...... 82

Figure 27. Enter the preferred time frame between activities...... 82

Figure 28. View the suspicious activity and surrounding activities marked...... 83

Figure 29. Mark Items by Pattern on the Outlook grid...... 83

Figure 30. Search evidence between two Outlook users...... 84

Figure 31. Report displaying activities that comply with the pattern selected...... 84

Figure 32. Select and mark activities by defined keywords...... 85

Figure 33. Display the amount of activities found...... 85

Chapter 1

Forensics Legal Issues Overview

In order to better understand computer forensics legal issues, one needs to understand the fundamentals of search and seizure laws, the Electronic Communications Privacy Act, the Wiretap Statute, the Pen/Trap Statute and the PATRIOT Act. Computer forensics investigators need to apply these laws to their daily investigative work. There is a strong relationship between the legal issues related to forensics and the use of forensic tools.

Evidence must be collected in a way that is legally admissible in a court case.

1.1 Introduction

For years the police have entered homes and offices, hauled away filing cabinets full of records, and searched them back at the police station for evidence. In Fourth Amendment terms, these actions are entry, seizure, and search, respectively, and usually require the police to obtain a warrant. Modern-day police can avoid some of these messy steps with the help of technology: They have tools that duplicate stored records and collect evidence of behavior, all from a distance and without the need for physical entry.

These tools generate huge amounts of data that may be searched immediately or stored indefinitely for later analysis. Meanwhile, it is unclear whether the Fourth Amendment’s restrictions apply to these technologies: Are the acts of duplication and collection themselves seizure? Before the data is analyzed, has a search occurred? Today, tools can detect heat released from buildings, recreate images displayed on distant computer monitors, determine what is typed on a keyboard by listening to the distinct sounds of the key presses, and eavesdrop on Wi-Fi Internet communications traveling through the air.

Handheld GPS units can monitor and store our movements around town, and web browsers keep detailed records of the websites we have visited. Tomorrow will surely bring new tools that are more invasive, easier to use, and able to work from greater distances (Ohm, 2005).

Computer forensics is a relatively new discipline to the courts and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux. New court rulings are issued that affect how computer forensics is applied. The important point for forensics investigators is that evidence must be collected in a way that is legally admissible in a court case (CERT, 2008).

Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases. Documents maintained on a computer are covered by different rules, depending on the nature of the documents. Many court cases in state and federal court have developed and clarified how rules apply to digital evidence. The Fourth Amendment of the US Constitution (and each state’s constitution) protects everyone’s right to be secure in their person, residence and property from search and seizure (Computer Forensics, 2008). Thus, like any other crime scene, rules apply to obtaining search warrants to search and seize computers, computer files, and disks.

1.2 Related Work

Computer Forensics in Forensics

The Computer Forensics in Forensics paper (Peisert, 2008) explains the relation between search and seizure laws, forensic investigation rules and the use of forensic tools and/or forensic analysis. I actually used this paper as a guide for my thesis. I was attracted and puzzled by the ambiguity of the laws and I wanted to investigate more about it. Also, the steps and structure that the forensic analysis needs to follow were of a lot of interest, and of course the use of forensic tools, which in this case was the creation and use of a forensic tool.

Discipline of Internet Forensic

The Discipline of Internet Forensic paper (Berghel, 2003) gives a brief explanation of the correlation between search and seizure and computer forensic tools, and explains that an Internet forensic specialist needs to know as much as or more than a hacker. So a forensic specialist in a sense needs to be a hacker to understand how the tools work. Even though this paper focuses more on network tools and netscan tools, its general point, that one must know how computers work in order to create and understand a forensic tool, applies here.

Next Generation Digital Forensics

The Next Generation Digital Forensics paper (Roussev, 2006) exposes the need for new forensic tools and strategies. Investigators have more and more complex cases, and there is a feeling that today's forensic tools are not up to the new challenges. Even though this paper did not apply to my thesis, I found out that cyber crime is going up and getting more sophisticated while forensic tools are lagging behind.

Secure Audit Logs to Support Computer Forensics

The Secure Audit Logs to Support Computer Forensics paper (Kelsey, 1999) uses the audit log as a forensic tool. It assumes that audit log entries detect an intrusion, such as recording the opening of a door, the removal of a tamper-resistant coating, or access to normally secret files. The main objective is to detect intrusions and provide audit capabilities. This solution could be efficient for detecting hacking or intrusion, but the objective of this thesis is to get information about users that already have a user profile on the computer.

1.3 Search and Seizure

In computer forensics the Fourth Amendment's protection against unreasonable search and seizure has played a fundamental role. The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized (Wegman, 2004).

The Fourth Amendment is part of the Bill of Rights which guards against unreasonable searches and seizures. It was ratified as a response to the abuse of the writ of assistance which was a type of general search warrant in the American Revolution. It specified that any warrant must be judicially sanctioned for a search or an arrest in order for such a warrant to be considered reasonable. Warrants must be supported by probable cause and be limited in scope according to specific information supplied by a person. It only applies to governmental actors and to criminal law (IST 432- Computer Forensic).

An example would be if a warrant is issued to search an individual’s computer for child pornography, but the search finds records of embezzlement; the embezzlement records could not be used in a court of law. The exception is if the police could justify obtaining a warrant to search the computer for records of embezzlement.

The Fourth Amendment interposes a magistrate as an impartial arbiter between the defendant and the police. The magistrate may issue a search warrant if the magistrate or judge is convinced that probable cause exists to support a belief that evidence of a crime is located at the premises. The officer must prepare an affidavit that describes the basis for probable cause and the affidavit must limit the area to be searched and evidence searched for. The warrant thus gives the police only a limited right to violate a citizen’s privacy. If the police exceed that limited right, or if a warrant is required, but the police have not first obtained one, then any evidence seized must be suppressed (U.S. Department of Justice, 2002). The issue of suppression driven by a determination of whether the Fourth Amendment has been correctly followed by the police is often the determining factor in criminal cases (Wegman, 2004).

Search warrants give only limited authority to the police to search. The search should be no more extensive than necessary as justified by probable cause. Thus, if the probable cause indicates that the contraband is located in a file on a CD, this would not justify seizing every computer and server on the premises. The extent of the search is tailored to the probable cause. If the police wish to seize a computer for analysis at a later time, the probable cause statement should demonstrate the impracticality or danger of examining the computer on the premises; hence the need to confiscate it and analyze it off-site (Wegman, 2004).

Another question facing law enforcement is when to notify the target of a search. Normally the target is notified at the time a physical search is made. However, the USA PATRIOT Act amended Title 18, Sec. 3103a of the United States Code to permit delayed notification. Law enforcement may now delay notification of the target for up to 90 days, with another delay possible upon a showing of good cause. In order to obtain authority for delayed notification, an investigator must show a need for the delay (IST 432- Computer Forensic). Reasons include danger to the life or safety of an individual, risk of flight from prosecution, witness or evidence tampering, or that immediate notice would seriously jeopardize the investigation.

Another legal issue in computer forensic cases is how much time the police may have to analyze a computer after seizing it. Federal Rule of Criminal Procedure 41(c)(1) gives the police ten days after issuance of the warrant to serve it. But there is nothing in the Federal Rules of Criminal Procedure about how long the police may keep and analyze the computer. As a practical matter, the search of a computer in police custody should be done as quickly as possible. This is especially important if the computer is needed for the operation of a business (Wegman, 2004).

In the United States Supreme Court case of Illinois v. Andreas, 463 U.S. 765 (1983), the Court held that a search warrant is not needed if the target does not have a reasonable expectation of privacy in the area searched. The loss of a reasonable expectation of privacy, and therefore the loss of Fourth Amendment protection, is extremely important because much information is transmitted to networks and to the internet. If circumstances suggest the sender had no reasonable expectation of privacy, then no warrant is required by the police in order to obtain that information (Wegman, 2004). Examples would be blogs, website posts, and websites themselves. Public computers like library computers are not covered under the expectation of privacy.

No warrant is needed when the target consents to a search of his/her computer. No warrant is needed where a third party, such as a spouse, parent, employer or co-worker consents to the search, so long as the third party has equal control over the computer (USA Dept of Justice, 2009). An example would be if a married couple shared a computer in their home. The wife could consent to a search without the husband’s consent and vice versa.

Agents should be especially careful about relying on consent as the basis for a search of a computer when they obtain consent for one reason, but then wish to conduct a search for another reason. In two recent cases, the Courts of Appeals suppressed images of child pornography found on computers after agents procured the defendant's consent to search his property for other evidence. In United States v. Turner, 169 F.3d 84 (1st Cir. 1999), detectives searching for physical evidence of an attempted sexual assault obtained written consent from the victim's neighbor to search the neighbor's "premises" and "personal property." Before the neighbor signed the consent form, the detectives discovered a large knife and blood stains in his apartment, and explained to him that they were looking for more evidence of the assault that the suspect might have left behind. While several agents searched for physical evidence, one detective searched the contents of the neighbor's personal computer and discovered stored images of child pornography. The neighbor was charged with possessing child pornography. On interlocutory appeal, the First Circuit held that the search of the computer exceeded the scope of consent and suppressed the evidence. According to the Court, the detectives' statements that they were looking for signs of the assault limited the scope of consent to the kind of physical evidence that an intruder might have left behind. By transforming the search for physical evidence into a search for computer files, the detective had exceeded the scope of consent. (Concluding that agents exceeded the scope of consent by searching the computer after the defendant signed a broadly-worded written consent form, because agents told the defendant that they were looking for drugs and drug-related items rather than computer files containing child pornography) (USA Dept of Justice, 2009).

1.4 Electronic Communications Privacy Act (ECPA)

Congress has responded to the changing technological landscape. The most important federal statutes affecting computer forensics are the Electronic Communications Privacy Act (ECPA), the Wiretap Statute, the Pen/Trap Statute and the USA PATRIOT Act (Wegman, 2004). Enacted in 1986, the Electronic Communications Privacy Act sets provisions for the access, use, disclosure, interception and privacy protections of electronic communications. Violations of the ECPA may result in criminal penalties and civil remedies, including punitive damages. This act was written to expand the wiretapping provisions to wireless telephony (cellular) and email communications. The ECPA works to prohibit unauthorized interceptions or disclosure of electronic communications. According to the US Code, electronic communications “means any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce,” thereby making much of the desired content of possible forensic searches out of reach (IST 432- Computer Forensic).

In more detail, the ECPA covers communications via pager, cellular and wireless telephony, browser requests, internet downloads, chat room traffic, voice mail and emails when transmitted by common carriers in interstate commerce. ECPA prohibits unlawful access and certain disclosures of communications contents. Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure (IST 432- Computer Forensic).

Computer forensics is affected a great deal by the ECPA. There are prohibitions in place against unlawful access to stored communications, which include probing into RAM or disk drives for information in the source or destination computer, or during transit while the communication is in temporary intermediary storage such as on a server. Such a law may affect the searching of certain protected material; however, there are some exceptions under the ECPA. Currently the ECPA has not been updated to accommodate the Internet. Investigators have sought to use technologies which collect much more information than pen registers or trap and trace devices under the authority of this law. It should be strengthened to protect citizens’ privacy in electronic communications (IST 432- Computer Forensic).

There are certain critical exceptions to ECPA. If the situation falls within an exception, the communications may be disclosed (18 U.S.C. § 2511(1); 18 U.S.C. § 2702(b)). Where an individual lacks an expectation of privacy, law enforcement officers do not need a warrant to listen in. ECPA will not bar intercepting the communications in these instances. Where one has an expectation of privacy is not always clear. If I set up a rendezvous with an acquaintance in a secluded public park in the middle of the day, sitting on a solitary park bench, do we have an expectation of privacy? According to the DOJ, this inquiry embraces two discrete questions. The first is whether the individual's conduct reflects "an actual (subjective) expectation of privacy” (IST 432- Computer Forensic). The second is whether the individual's subjective expectation of privacy is "one that society is prepared to recognize as 'reasonable'" (IST 432- Computer Forensic). In most cases, the difficulty of contesting a defendant's subjective expectation of privacy focuses the analysis on the objective aspect of the Katz test, i.e., whether the individual's expectation of privacy was reasonable (IST 432- Computer Forensic).

Courts foraying into cyberspace must shift their focus away from the two-prong Katz expectation of privacy test in order to preserve the values underlying the Fourth Amendment. In developing a new framework for expectation of privacy analysis in cyberspace, courts should focus on the historic context of the Fourth Amendment and the intent of its Framers. Government monitoring and analysis of click stream data is closely analogous to the general searches which the Founding Fathers sought to curtail in enacting the Fourth Amendment. Both types of searches are indiscriminate, exposing lawful activity along with contraband or unlawful action. Also, both are incredibly intrusive, exposing intimate details about the lives of citizens to government scrutiny. A new rule needs to be established which recognizes that click stream data may be protected by the Fourth Amendment, not because that protection fits well with expectation of privacy analysis as developed by the Court in recent years, but rather because government click stream analysis is precisely the type of search the Framers intended to be subject to the Amendment's limitations (Winn, 2008).

Courts addressing this question should apply the normative analysis set forth by the Supreme Court in Smith v. Maryland instead of the rigid two-prong Katz test. The Court in Smith recognized that the two-prong Katz expectation of privacy test will sometimes provide an inadequate index of Fourth Amendment protection. In such situations, the Court explained, courts must undertake a normative inquiry to determine whether Fourth Amendment protection was appropriate. This normative inquiry asks a very simple question. Should an individual in a free and open society be forced to assume the risk that the government will monitor her as she engages in the activity at issue? Courts employing the normative inquiry "must evaluate the 'intrinsic character' of investigative practices with reference to the basic values underlying the Fourth Amendment" (Winn, 2008). Unlike the two-prong test, which assumes that society has already reached an objective conclusion about the proper amount of protection a particular activity deserves, the normative test acknowledges that society has not reached a consensus about the proper level of protection a certain activity warrants. In that case, the activity can be evaluated against constitutional norms (Winn, 2008).

Application of Smith's normative inquiry to click streams reveals that Internet users should retain an expectation of privacy in click streams, because this data is precisely the type of information the Framers sought to protect against arbitrary government intrusion. The Fourth Amendment was intended to limit government searches which held the potential to intrude into the intimate details of the private lives of citizens. Courts must recognize a legitimate expectation of privacy in the intimate records of our online activity in order to satisfy these constitutional norms (Winn, 2008).

The passage of the Fourth Amendment was the Framers' reaction to overly intrusive searches and seizures conducted by British and colonial authorities. Prior to the Amendment's passage, the colonists were plagued by the use of general warrants and writs of assistance which authorized law and customs enforcement officers to enter and search any building suspected of housing contraband (Winn, 2008). The searches conducted using these devices were broad and abusive, and occurred without particularized suspicion. The raids were led by executive officials with unlimited discretion (Winn, 2008). For example, the New Hampshire Council once allowed search warrants for "all houses, warehouses, and elsewhere in this Province", and the Pennsylvania Council once required a weapons search of "every house in Philadelphia" (Winn, 2008). Far from being isolated instances, such searches were widespread (Winn, 2008).

In response to these abuses, the Framers sought to limit the power of government actors to search or seize persons, houses, papers, and effects. The invasion the Framers sought to prohibit was not merely the physical intrusion upon a "person" or "house." Instead, "the amendment's opposition to unreasonable intrusion ... sprang from a popular opposition to the surveillance and divulgement that intrusion made possible" (Winn, 2008). As one scholar explained, "The objectionable feature of general warrants was their indiscriminate character" (Winn, 2008). In addition to any contraband or unstamped goods that the generalized searches uncovered, the entirety of a person's private life was exposed to prying government eyes. This sort of indiscriminate search stripped the colonists of privacy without adequate justification, exposing them to the arbitrary and potentially despotic acts of government officials (Winn, 2008).

Monitoring and analysis of click streams by government officials is closely analogous to colonial general searches because it exposes the intimate lives of Web users, fails to discriminate between lawful and unlawful activity and grants enormous discretion to front-line executive officials. As with general searches of colonial homes, click stream searches will unnecessarily reveal private information to government view, even when this information pertains to lawful activity. For example, law enforcement agents monitoring click streams could learn that an outwardly heterosexual man spends time entertaining homosexual fantasies online in an adult chat room, or that a high-profile political leader used the Internet to reserve a spot in an addiction recovery center. While such conduct is certainly legal, it is also intensely private. Allowing government agents to expose the conduct of the innocent in order to pursue the guilty contradicts the purpose and intent of the Fourth Amendment (Winn, 2008).

On a more general level, the broad and arbitrary intrusion occasioned by a click stream search is contrary to "the most basic values underlying the Fourth Amendment" (Winn, 2008). Although the use of general warrants and writs of assistance undoubtedly motivated the Framers in drafting the Amendment, they did not intend its protection to be limited to the narrow purpose of outlawing general searches. Instead, the Amendment was intended to protect citizens against the type of arbitrary invasions by government into the lives of citizens which general searches typified. As one commentator explained:

While the history of the Fourth Amendment reveals many facets, one central aspect of that history is pervasive: controlling the discretion of government officials to invade the privacy and security of citizens, whether that discretion be directed toward the homes and offices of political dissentients, illegal smugglers, or ordinary criminals. (Winn, 2008)

Similarly, the Supreme Court has repeatedly recognized that the harm the Fourth Amendment seeks to prevent is not the tangible invasion of one's person, papers, effects, or home, but rather the intangible invasion upon the sanctity and privacy of those objects occasioned by an unreasonable search or seizure (Winn, 2008).

The indiscriminate nature of click stream searches illustrates their incompatibility with the values upon which the Fourth Amendment was based. As one scholar argued:

The first problem with indiscriminate searches is that they expose people and their possessions to interferences by government when there is no good reason to do so. The concern here is against unjustified searches and seizures: it rests upon the principle that every citizen is entitled to security of his person and property unless and until an adequate justification for disturbing that security is shown. The second problem is that indiscriminate searches and seizures are conducted at the discretion of executive officials, who may act despotically and capriciously in the exercise of the power to search and seize. This latter concern runs against arbitrary searches and seizures; it condemns the petty tyranny of unregulated rummages. (Winn, 2008)

Absent an expectation of privacy in click stream data, law enforcement agents will be free to rummage through our online lives, revealing intensely private conduct.

The Founding Fathers found the ability to conduct such arbitrary and suspicionless searches to be one of the most offensive aspects of general warrants and writs of assistance. The Amendment was clearly intended to make such searches illegal. Allowing such intrusions into private cyberspace activity merely because an outdated expectation of privacy test would find assumption of risk or the absence of a subjective expectation of privacy in click stream data does intense violence to the values underlying both the Fourth Amendment and a free society. Yet this is exactly the result that will be reached if courts continue to cling to Katz's two part test.

Once an expectation of privacy is established in click stream data, traditional Fourth Amendment principles regulating the reasonableness of searches and seizures can easily be applied. The traditional test of reasonableness, which balances the nature and quality of the intrusion upon an individual's Fourth Amendment interests against the importance of the governmental interests alleged to justify the intrusion, is perfectly suited for cyberspace. This test allows courts to protect against overly extensive and indiscriminate intrusion into online lives while also acknowledging that a sufficiently compelling governmental interest may justify such searches. This is the question that should be getting asked in every click stream search. However, it will never be asked until courts loosen their vise grip on the two-prong Katz test and decide that Internet users should retain a legitimate expectation of privacy in click stream data (Winn, 2008).

ECPA is a highly nuanced example of public policy. Congress felt that information stored on a network deserved varying levels of privacy protection, depending on how important or sensitive the information was. Accordingly, in Title 18, section 2703 of the U.S. Code, ECPA created five categories of sensitivity. The more sensitive the category, the greater the justification the government must show in order to obtain the information from a third party (usually the system administrator). The most sensitive information consists of the content of un-retrieved communications such as email that has resided in electronic storage for 180 days or less. After one hundred eighty days the information is considered “stale” and not deserving of the top category of protection, so it does not require a full search warrant for access (Bui, Enyeart & Luong, 2003). The least sensitive category includes only basic information such as the name of the subscriber and how bills are paid. To obtain that information, the government needs only an administrative subpoena. An administrative subpoena can be issued by a government agency on its own, without prior approval by a court. For example, the FBI could issue an administrative subpoena for good cause. That subpoena could later be challenged, and if a court later decided that good cause did not exist then information obtained under that subpoena would be suppressed (Bui et al., 2003).

1.5 Wiretap Statute

The Wiretap Statute (Title III) was amended in 2001. While ECPA regulates government access to stored computer information in the hands of third parties, the Wiretap Statute deals with direct surveillance or real time interception of electronic communications by government agents. Wiretaps most commonly affect telephone conversations (IST 432 - Computer Forensic). A wiretap requires special judicial and executive authorization. An application for interception may not be filed unless it is first authorized by the attorney general or a specially designated deputy or assistant. The application must identify the officer authorizing the application. Attached to the government application should be the authorization, as well as copies of the attorney general’s designations of those Department of Justice officials who have been authorized to approve wiretaps. Unlike traditional search warrants, a federal magistrate judge is not authorized to issue a wiretap. Only a federal district or circuit court judge may issue a wiretap. The application must contain a full and complete statement of the facts and circumstances relied upon to support a belief that an interception order should issue. The issuing judge must determine that there exists probable cause to believe that particular communications concerning the alleged offenses will be obtained through interceptions of communications. Before an interception order may issue, the judge must find:

• Probable cause for belief that a particular enumerated offense is being committed.

• Probable cause for belief that particular communications concerning that offense will be obtained through interception.

Besides a sufficient factual predicate like probable cause, the Fourth Amendment requires that every search be reasonable. As with any other search, whether an electronic search is reasonable depends upon balancing the degree of intrusion against the need for it.

Thus, because an order to surreptitiously intercept private conversations is such an intrusive search, the application for interception must show more than mere probable cause; it must also show necessity. The application must contain a full and complete statement as to whether other investigative procedures have been tried and failed, or the reasons why such procedures reasonably appear to be unlikely to succeed or to be too dangerous if tried. The issuing judge must find that normal investigative procedures have been tried and failed or reasonably appear unlikely to succeed. A wiretap may issue only for particular crimes. The application must contain a full and complete statement regarding the details as to the particular offense that has been, is being, or is about to be committed.

The issuing judge must find probable cause to believe those particular crimes are being committed, have been committed, or are about to be committed by an individual. The identities of persons to be intercepted must be particularly described in the application and order. The nature and location of the communication facilities to be intercepted must be particularly set forth in the application and order. The application must contain a particular description of the type of communications sought to be intercepted. The issuing judge must determine that there exists probable cause to believe that particular communications concerning the alleged offenses will be obtained through interceptions of communications. The application and order must set forth either that interception will cease after the particular communication sought is first intercepted or that interception will continue for a particular time period. A requirement of the Fourth Amendment is to prevent the execution of the overbroad general warrant abhorred by the colonists, which results in a general, exploratory rummaging in a person’s belongings. Given the intrusive nature of an interception order, the Wiretap Act incorporates a number of provisions which circumscribe the scope of the warrant and guard against law enforcement officers generally rummaging through phone calls. The order for interception must contain a provision requiring the officers to execute the order in a manner whereby the interception of calls not particularly described and not otherwise subject to interception will be minimized. Similarly, no order may be entered authorizing interception for a period of time longer than necessary to achieve the objective, but in no event shall the authorization exceed thirty days (Monnat & Ethen, 2004).

Three U.S. federal statutes govern the interception, accessing, use, disclosure and privacy protections of electronic and wire communications. The U.S. Electronic Communications Privacy Act (ECPA, 18 U.S.C. §§ 2701-2712) of 1986 covers stored communications. Real-time interception, as in wireless networks, is covered by the Pen/Trap Statute, 18 U.S.C. §§ 3121-3127, centered on addressing information (like 802.11 protocol headers), and by the Wiretap Statute ("Title III"), 18 U.S.C. §§ 2510-2522, centered on the contents of communication.

1.6 Pen/Trap Statute

The Pen/Trap Statute was amended in 2001. The Pen/Trap Statute, 18 United States Code Sec. 3121-3127, provides for a less intrusive form of government surveillance than the Wiretap Statute; it authorizes the installation of pen registers and trap and trace devices. A pen register records only dialing, routing and addressing information regarding outgoing electronic communications. Electronic communications include telephone, computer, telegraph and telex communications. A trap and trace device records the same information regarding incoming electronic communications. The significant fact regarding both is that the content of communications is not recorded. Only information such as telephone numbers of incoming and outgoing calls is recorded. Because these devices record less sensitive private information, the legal burden upon the government is significantly less than with a wiretap. Court orders for a pen/trap device require only a statement by the investigator that it is the investigator’s belief that the information likely to be obtained is relevant to a criminal investigation. A recitation of probable cause is not necessary, nor is it necessary to attest to the many other requirements necessary to obtain a wiretap order or a search warrant (Wegman, 2004).

To obtain an order, applicants must identify themselves, identify the law enforcement agency conducting the investigation and then certify their belief that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by the agency. The law prohibits unlawful monitoring and disclosure of the content of communications. It also mandates law enforcement to follow proper procedures to review electronic communications, such as the search and seizure electronic evidence procedures detailed in the “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” document by the US DOJ, specifically sections III and IV, focused on electronic communications and surveillance.

1.7 USA PATRIOT ACT

On October 26, 2001 President Bush signed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act). This Act was overwhelmingly passed by Congress shortly after the events of September 11, 2001. It expands the government’s investigative power. This Act has become very controversial, drawing criticism from both Conservatives and Liberals who question whether the Act goes too far.

Perhaps the most controversial provision of the PATRIOT Act is the so-called “sneak and peek” authority conveyed in Section 213 of the Act. This Section provides delayed notification to the targets of searches. The Act modifies the U.S. Criminal Code, Title 18, Sections 3103a and 2705. These modifications allow the government to delay notification of physical searches for up to ninety days. Extensions may be given for good cause. However, the delayed notification provision is restricted to cases where the government demonstrates an urgent need for delay, including situations where the life or physical safety of an individual is in jeopardy or to avoid the destruction of evidence.

Excerpts of Section 2705 are reproduced in Appendix A.

Delayed notification is not an entirely new element in federal criminal law. It is the norm in wiretap cases, as noted above, and was used and upheld in the seminal U.S. Supreme Court case of Dalia v. U.S. in 1979. In that case federal investigators entered a home, searched it and implanted a hidden microphone pursuant to a search warrant. Notice was delayed until the surveillance ended. What is new about the PATRIOT Act is that it provides for delayed notification in ordinary physical searches. In the past delayed notification had been used only in connection with electronic surveillance (Waxman, 2004).

The Act also makes it easier for law enforcement to install an electronic surveillance device. Formerly, a wiretap order or pen register order had to be obtained in the jurisdiction in which the device was to be installed. Internet communications typically involve Internet service providers (ISP) located in many jurisdictions. Sections 216 and 220 allow devices to be installed anywhere in the U.S.A.

Section 225 of the Act is of particular importance to computer forensic investigators and providers of information to the government. It gives immunity from civil lawsuits to any person who provides technical or other assistance in obtaining electronic information pursuant to a court order or valid request for emergency assistance.

The PATRIOT Act contains numerous other provisions expanding the scope of forensic investigations. However, it also contains a sunset provision. Under this provision the Act will terminate on December 31, 2005, unless Congress votes to extend it. The sunset provision does not apply to the entire Act. Significant sections, including those authorizing delayed notification, national wiretap and pen register orders, will not sunset automatically. The Obama administration supported the revisions to the law as approved by the committee and in February 2010 it was extended for one more year. The three sections of the PATRIOT Act that would stay in force:

o Authorize court approved roving wiretaps that permit surveillance on multiple phones

o Allow court approved seizure of records and property in anti-terrorism operations

o Permit surveillance against a so called lone wolf, a non-US citizen engaged in terrorism who may not be part of a recognized terrorist group.

Computer forensics is specifically supported by the PATRIOT Act. Section 816 authorizes the expenditure of $50 million for the creation and support of regional computer forensic laboratories. These laboratories will conduct investigations and also train investigators (Wegman, 2004).

1.8 Colorado House Bill Amendment

Effective April 30, 2010 House Bill 10-1201

CRS 16-3-310. Oral advisement and written consent prior to search of a vehicle or a person during a police contact. (1) (a) Prior to conducting a consensual search of a person who is not under arrest, the person’s effects or a vehicle, a peace officer shall comply with paragraph (b) of the subsection (1).

(b) A peace officer may conduct a consensual search only after articulating the following factors to, and subsequently receiving consent from, the person subject to the search of the person with the apparent or actual authority to provide permission to search the vehicle or effects. The factors are:

(I) The person is being asked to voluntarily consent to a search; and

(II) The person has the right to refuse the request to search.

(c) After providing the advisement required in paragraph (b) of this subsection (1), a peace officer may conduct the requested search only if the person subject to the search voluntarily provides verbal or written consent. Other evidence of knowing and voluntary consent may be acceptable, if the person is unable to provide written or verbal consent.

(2) A peace officer providing the advisement required pursuant to subsection (1) of this section need not provide a specific recitation of the advisement; substantial compliance with the substance of the factors is sufficient to comply with the requirement.

(3) If a defendant moves to suppress any evidence obtained in the course of the search, the court shall consider the failure to comply with the requirements of this section as a factor in determining the voluntariness of the consent.

(4) This section shall not apply to a search conducted pursuant to section 16-3-103 C.R.S., a valid search incident to or subsequent to a lawful arrest, or to a search for which there is a legal basis other than voluntary consent. This shall include, but not be limited to, a search in a correctional facility or on correctional facility property, a detention facility, county detention facility, custody facility, juvenile correctional facility of any mental health institute or mental health facility operated by or under a contract with the department of human services, a community corrections facility or a jail or a search of a person subject to probation or parole by a community supervision or parole officer when the person has consented to search as a term and condition of any probation or parole. (House Bill 10-1201, 2010)

1.9 Roles of Computer Forensics

The issue most related to computer forensics has to do with wire-tapping and warrant gathering. The bill changes the ability of the government to delay the notification of a warrant by up to ninety days after the search. In the past, it had been possible to delay notification when doing surveillance such as wiretaps, since it would be pointless to listen in on a conversation when the parties involved know of the surveillance. This was upheld in the case Dalia v. U.S., where a wiretap was used and notification was delayed.

The change in the PATRIOT Act, however, extends this ability to actual physical searches, including the search of computers. This can theoretically be very helpful, as it can be an easy process to remove data from a hard disk, but combined with the ability of not needing a warrant in terrorist matters it can be a very infringing ability.

As alluded to above, the USA PATRIOT Act also allows investigators to act prior to actually obtaining a warrant, as long as the individual involved personally feels that a threat is inherent. It also prevents third parties who aid in the surveillance from being liable in a civil case. This, however, can be conflicting. There could theoretically be times where a government agent feels there is a threat and elicits the help of another, but then the third party might not be protected if a warrant is not granted in the future. This is definitely an issue that is relevant to computer forensics, as an ISP may grant access to a government official, only to then be held liable for granting that access in the future (IST 432 - Computer Forensic).

Computer forensics is about investigating digital evidence related to criminal or suspicious behavior where computers or computer and related equipment may or may not be the targets. This process of identifying, preserving, analyzing and presenting digital evidence in a legally acceptable manner is not much different from traditional forensic science. The only difference is that the former focuses on digital evidence, whereas the latter focuses on physical evidence. Casey defines digital evidence as:

Any data stored or transmitted using a computer that support or refute a theory of how an offence occurred or that address critical elements of the offence such as intent or alibi. Digital evidence includes computer generated records such as outputs of computer programs and computer-stored records such as email messages. It is important to criminal investigations because it can be used as proof of crime, connection or alibi.

However, handling digital evidence is challenging because the evidence can be easily hidden, manipulated or altered. Moreover, it is difficult to attribute certain computer activities to an individual, especially in a multi-access environment. Similar to physical evidence, digital evidence provides only a partial view of what may have happened.

(Lim & Khoo, 2008)

The field of computer forensics has become a critical part of legal systems throughout the world. As early as 2002 the FBI stated that fifty percent of the cases the FBI now opens involve a computer (Reyes & Wiles, 2007). However, the accuracy of the methods, and therefore the extent to which forensic data should be admissible, is not yet well understood. Therefore, it is not yet safe to make the kinds of claims about computer forensics that can be made about other kinds of forensic evidence that have been studied more completely, such as DNA analysis. The accuracy of DNA analysis is well understood by experts, and the results have been transformational both in current and previous court cases. DNA evidence has been instrumental in convicting criminals, and clearing people who have been wrongly convicted and imprisoned. DNA evidence condenses to a single number (based on alleles) with a very small and well-defined probability of error. On the other hand, computer forensic evidence has matured without foundational research to identify broad scientific standards, and without underlying science to support its use as evidence. Another key difference between DNA and computer forensic data is that DNA evidence takes the form of tangible physical objects created by physical events. Contrast these with computer objects that are created in a virtual world by computer events (IST 432 - Computer Forensic).

The technology of computers and other digital devices is evolving at an exponential pace. Existing laws and statutes simply cannot keep up with the rate of change. Therefore, when statutes or regulations do not exist, case law is used. Case law allows legal counsel to use a previous case similar to the current one because the laws do not yet exist. Each new case is evaluated on its own merit and issues (Nelson, Phillips, Enfinger & Steuart, 2008).

1.10 Computer Forensic Investigation

When conducting a computer investigation for potential criminal violations of the law, the legal processes one follows depend on local custom, legislative standards and rules of evidence. In general, however, a criminal case follows three stages: complaint, investigation and prosecution.

A criminal case begins when someone finds evidence of an illegal act or witnesses an illegal act. The witness or victim makes a complaint to the police. Based on the incident or crime, the complainant makes allegations, an accusation or supposition of fact that a crime has been committed. A police officer interviews the complainant and writes a report about the crime. The police department processes the report and the department’s upper management decides to start an investigation, or to log the information into a police blotter. The police blotter provides a record of clues to crimes that have been committed previously. Criminals often repeat actions in their illegal activities, and these habits can be discovered by examining police blotters. This historical knowledge is useful when conducting investigations, especially in high technology crimes (Nelson et al., 2008).

The investigator assigned to the case should be a specialist in retrieving digital evidence or a computer forensic expert. After the investigator builds a case, the information is turned over to the prosecutor. When conducting a computer investigation for a business, remember that businesses must continue with minimal interruption from an investigation. Because businesses usually focus on continuing their usual operations and making profits, many in a private corporate environment consider an investigation and apprehension of a suspect secondary to stopping the violation and minimizing damage or loss to the business.

Law enforcement officers often find computers and computer components as they are investigating crimes, gathering other evidence or making arrests. With digital evidence, it is important to realize how easily key data, such as the last access date, can be altered by an overeager investigator who is first at the scene. The U.S. Department of Justice (DOJ) lays out a procedure in a manual that reviews proper acquisition of electronic evidence.

The authenticity and integrity of the evidence examined will be of critical importance. The first step is to establish a chain of custody policy for your organization. The goal of the policy is to ensure that each piece of evidence collected is accountable to an individual until it is either returned to its original owner or disposed of (Reyes & Wiles, 2007).

Computing investigations demand that you adjust procedures to suit the case. For example, if the evidence for a case includes an entire computer system and associated storage media, such as floppy disks, cartridges, tapes and thumb drives, an investigator must be flexible when accounting for the entire item. Some evidence is small enough to fit into an evidence bag. Other items, such as the monitor and printer, are too large. To secure and catalog the evidence contained in large computer components an investigator can use large evidence bags, tape, tags, labels and other products available from police supply. Be cautious when handling a computer component to avoid damaging the components, or coming into contact with static electricity which can destroy digital data.

For this reason, an investigator needs to use antistatic bags when collecting computer evidence. An investigator might consider using an antistatic pad with an attached wrist strap as well. Both help prevent damage to computer evidence. Computer components also require specific temperature and humidity ranges. If it is too cold, hot, or wet, computer components and magnetic media can be damaged. Even heated car seats can damage digital media. Placing a computer on top of a two-way car radio in the trunk can damage magnetic media. When collecting computer evidence, an investigator must have a safe environment for transporting and storing it until a secure evidence container is available (Nelson et al., 2008).

In traditional, old fashioned cases, a detective would receive information from a reliable informant that contraband, for example drugs, is located at a premises. The detective would prepare a statement describing the informant’s reliability and that the informant had recently observed drugs at the premises. The detective would take the affidavit to a judge, who would determine whether probable cause existed. If that determination was positive, the judge would sign the search warrant authorizing the detective to search for and seize a specific type and quantity of drugs at that premises. The detective would then go to the location and execute the warrant (Skibell, 2003).

However, in computer forensics cases there is added complexity. The contraband might consist of child pornography, or records of drug sales. This information might be located on a laptop computer, but it might also be located on a network server in another state or in a foreign country. The information might be located on a hard drive, a diskette or a CD. The contraband information might be very difficult to recognize; it could be encrypted, misleadingly titled or buried among a large number of innocent files (Wegman, 2004). It could take considerable time to identify the contraband.

As noted above, a search warrant gives only limited authority to the police to search. The search should be no more extensive than necessary, as justified by probable cause. Thus, if the probable cause indicates that the contraband is located in a file on a CD, this would not justify seizing every computer and server on the premises (Brenner, 2002). The extent of the search is tailored to the extent of the probable cause. If the police wish to seize a computer and analyze it at a later time, the probable cause statement should demonstrate the impracticality or danger of examining the computer on the premises, hence the need to confiscate it and analyze it off-site.

Chapter 2

Related Work

This thesis builds upon previous work in the forensic field; in particular, the open source forensic tools Galleta and Pasco were used as a very basic reference.

2.1 Forensic Tool Requirements

Design a forensic tool that captures user information from any of the three most popular web browsers (Internet Explorer, Mozilla Firefox and Google Chrome), to obtain detailed evidence of the date and time of accessed sites and the frequency of access to the same sites. Also capture more supporting information that correlates the times between sites visited and any other login activities, such as Skype, Instant Messaging or Outlook. A time line report should be generated to correlate all the information collected, weighted as relevant evidence or discarded as irrelevant.

2.1.1 Basic Customer Requirements

Investigate computer forensic techniques for improving the accuracy of evidence about web accesses by correlating the events in other logs. Due to the increasing cyber threats and potential insider attacks, it is critical to validate that web accesses were indeed generated by the person of interest and not planted by others.

2.1.2 Purpose

The web accesses are typically captured by the cookie files on the client side and the access logs on the server side. The web accesses of a person can be verified by correlating the login period in system access logs. They can also be supported by the access logs of other applications such as email, instant messaging or Skype. Of interest in computer crime evidence collection are:

• The date and time of the access to a certain site.

• The frequency of the access.

• Other supporting evidence that the person is using the same machine.

• The corroborating evidence that the web site has corresponding access records.

Investigate how to weigh the different supporting evidence, and the related practices of the District Attorney’s Office investigators.
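The correlation just described, shown as an added example in Python (it is not the NICA tool's own C# code). The browser-history rows and login sessions are constructed here; a real run would load them from the browser history and cookie files, the Windows logon records and the Skype, Outlook or IM stores. The example counts visits per site, checks each web access against the login sessions open for the same user at that moment, notes any other users who were logged in (the "planted by others" concern), and merges everything into one chronological timeline.

```python
"""Correlate browser-history records with login sessions and build a timeline.

Added example, not NICA code. Record formats and sample data are constructed.
"""
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed browser-history rows: (user whose profile held the record, time, url)
WEB_ACCESSES = [
    ("alice", "2010-03-01 09:05:00", "http://example.com/login"),
    ("alice", "2010-03-01 09:07:30", "http://example.com/files"),
    ("alice", "2010-03-01 21:15:00", "http://example.com/files"),  # no alice session open
    ("alice", "2010-03-02 10:00:00", "http://news.example.net/"),
]

# Constructed login sessions: (user, source, login time, logout time)
LOGIN_SESSIONS = [
    ("alice", "windows", "2010-03-01 08:55:00", "2010-03-01 17:30:00"),
    ("alice", "skype",   "2010-03-01 09:00:00", "2010-03-01 12:00:00"),
    ("bob",   "windows", "2010-03-01 20:00:00", "2010-03-01 23:00:00"),
    ("alice", "windows", "2010-03-02 09:30:00", "2010-03-02 18:00:00"),
]


def parse_time(text):
    return datetime.strptime(text, FMT)


def site_of(url):
    """Reduce a URL to its host so repeated visits to one site are counted together."""
    return urlparse(url).netloc


def access_frequency(accesses):
    """Number of recorded visits per (user, site)."""
    counts = Counter()
    for user, _when, url in accesses:
        counts[(user, site_of(url))] += 1
    return counts


def sessions_open(user, when, sessions):
    """Sources (windows, skype, ...) in which `user` was logged in at `when`."""
    return [source for (owner, source, start, end) in sessions
            if owner == user and parse_time(start) <= when <= parse_time(end)]


def correlate(accesses, sessions):
    """For each web access, list the sessions that corroborate it and any other
    users who were logged in at that moment."""
    findings = []
    for user, text, url in accesses:
        when = parse_time(text)
        supporting = sessions_open(user, when, sessions)
        others = sorted({owner for (owner, _, start, end) in sessions
                         if owner != user and parse_time(start) <= when <= parse_time(end)})
        findings.append({
            "user": user, "time": when, "site": site_of(url), "url": url,
            "supporting": supporting,
            "corroborated": bool(supporting),
            "other_users_logged_in": others,
        })
    return findings


def timeline(accesses, sessions):
    """Merge web accesses and login/logout events into one chronological list."""
    events = [(parse_time(t), "web", user, url) for user, t, url in accesses]
    for user, source, start, end in sessions:
        events.append((parse_time(start), source + " login", user, ""))
        events.append((parse_time(end), source + " logout", user, ""))
    return sorted(events)


if __name__ == "__main__":
    for when, kind, user, detail in timeline(WEB_ACCESSES, LOGIN_SESSIONS):
        print(when.strftime(FMT), kind.ljust(14), user.ljust(6), detail)
    for finding in correlate(WEB_ACCESSES, LOGIN_SESSIONS):
        flag = "OK" if finding["corroborated"] else "??"
        print(flag, finding["time"], finding["url"], finding["supporting"],
              finding["other_users_logged_in"])
```

The third access (21:15 on 2010-03-01) is the interesting case: it sits in alice's profile but falls outside every alice session while bob's Windows session was open, so it is reported as uncorroborated with bob listed as a concurrent user. That is the kind of entry an investigator would weigh down or discard, exactly as the requirement above asks.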

2.2 Project Scope

Develop a .NET Windows Forms application that can be used by the investigators or the forensic technician. The application will allow for the requesting and reporting of the case related forensic information.

SQLite will be used to store the case information. The web interface will be developed using the Microsoft Development Suite (Visual Studio C#).

2.3 Software System Perspective

This application will assist the investigator with information about the user’s browser activities and history, and any other activities using Outlook, Skype and instant messaging. The information collected can be used to find out the frequency of a user visiting a particular web site, the history of the user visiting that web site, and other login activities that could be used as evidence against the user.

A thumb drive with the Forensic Tool on it will be given to investigators; they can run the tool from the thumb drive on the computer that an alleged crime was committed on, open a case, and view/save the reports.

Features:

Report tool: Investigators will have the ability to run reports as needed. These reports will include a timeline for each activity on the browsers, IM, Skype or Outlook.

Printing: Case can be saved and then printed

Database: All data input can be saved into a database

Entry: New entries can be added to the database through the New case->save

Reload: Reports can be run on previously saved cases.

2.3.1 Operating Environment

The system will be using Windows XP, SQLite, .NET 3.5 and a C# compiler.

Chapter 3

Designing of the NICA Computer Forensic Tool

It is very important to know the primary players because based on that, we can select the actors that will be part of the forensic application. The application will look for user profiles. Getting the user profiles requires an understanding of how the registry works. The information gathering task involves getting the information about the cookies, temporary files and history from the web browsers, and the login information and date/time stamps that Skype, Outlook or Instant Messenger stored. More detailed information is offered throughout this chapter.

3.1. Objectives of the Computer Forensic Tool Design

The forensic tool application looks into the user profile directory, to find out how many user profiles exist on the computer to be investigated, then finds the surfing history, typed URLs, cookies, and number of visits to a particular site. To accomplish this objective the forensic tool will look into the cookie files, internet temporary files, internet history files and cache files. Also the forensic tool will look into the logins and activities for Skype, Outlook and Instant Messenger if any of them are installed on the machine to be investigated. The information collected will be used to generate a report with a timeline by date and time of each activity. This application cannot replace the final analysis of an investigator and his/her conclusion about the evidence compiled.
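The first step above, finding out which user profiles exist on the machine, as an added example in Python (not the NICA tool's C# code). Windows keeps one subkey per profile under the ProfileList registry key, named by the account's SID; the three well-known service SIDs listed are real, but the artifact locations are the Windows XP defaults assumed here, and SAMPLE_ENTRIES is a constructed stand-in for what the registry would return, so the example also runs off the evidence machine.

```python
"""Enumerate user profiles from the ProfileList registry key and derive the
browser artifact locations to inspect in each profile.

Added example, not NICA code. Artifact paths are assumed XP defaults and
SAMPLE_ENTRIES is constructed.
"""
import os

# Real registry key: one subkey per profile on the machine, named by SID.
PROFILE_LIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Well-known SIDs of built-in service accounts (LocalSystem, LocalService,
# NetworkService); they own profiles but never sit at the keyboard.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Assumed Windows XP default locations, relative to the profile directory.
ARTIFACTS = {
    "ie_cookies": r"Cookies",
    "ie_history": r"Local Settings\History",
    "ie_cache": r"Local Settings\Temporary Internet Files",
    "firefox_profiles": r"Application Data\Mozilla\Firefox\Profiles",
    "chrome_history": r"Local Settings\Application Data\Google\Chrome\User Data\Default\History",
}


def is_user_profile(sid):
    """Local and domain user accounts have SIDs of the form S-1-5-21-<authority>-<rid>."""
    return sid not in SERVICE_SIDS and sid.startswith("S-1-5-21-")


def read_profile_list():
    """Read (sid, profile path) pairs from the live registry; Windows only."""
    import winreg  # standard library, but only importable on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST_KEY) as key:
        index = 0
        while True:
            try:
                sid = winreg.EnumKey(key, index)
            except OSError:  # raised once there are no more subkeys
                break
            index += 1
            with winreg.OpenKey(key, sid) as sub:
                # ProfileImagePath is REG_EXPAND_SZ, e.g. %SystemDrive%\Documents and Settings\alice
                path, _ = winreg.QueryValueEx(sub, "ProfileImagePath")
                entries.append((sid, os.path.expandvars(path)))
    return entries


def user_profiles(entries):
    """Keep only interactive user profiles, in the order the registry listed them."""
    return [(sid, path) for sid, path in entries if is_user_profile(sid)]


def artifact_paths(profile_dir):
    """Absolute candidate paths of the browser artifacts inside one profile."""
    base = profile_dir.rstrip("\\")
    return {name: base + "\\" + rel for name, rel in ARTIFACTS.items()}


def existing_artifacts(profile_dir):
    """Subset of artifact_paths() that actually exists on disk."""
    return {name: p for name, p in artifact_paths(profile_dir).items() if os.path.exists(p)}


# Constructed sample of what ProfileList typically contains on an XP machine.
SAMPLE_ENTRIES = [
    ("S-1-5-18", r"C:\WINDOWS\system32\config\systemprofile"),
    ("S-1-5-19", r"C:\Documents and Settings\LocalService"),
    ("S-1-5-20", r"C:\Documents and Settings\NetworkService"),
    ("S-1-5-21-1004336348-1177238915-682003330-1003", r"C:\Documents and Settings\alice"),
    ("S-1-5-21-1004336348-1177238915-682003330-1005", r"C:\Documents and Settings\bob"),
]

if __name__ == "__main__":
    try:
        entries = read_profile_list()
    except ImportError:
        entries = SAMPLE_ENTRIES  # not on Windows: fall back to the constructed sample
    for sid, path in user_profiles(entries):
        print(sid, path)
        for name, artifact in artifact_paths(path).items():
            print("   ", name, artifact)
```

Filtering on the SID rather than on the folder name matters for the "planted by others" question: a profile directory can be renamed or left behind after an account is deleted, while the SID in ProfileList is what Windows actually mapped the logon to. Only the artifact paths that `existing_artifacts()` returns need to be parsed, and each one should be copied out and hashed before it is opened so the last-access timestamps on the original are preserved.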

3.2 Design of the Forensic Tool

Usage statistics guided the choice of browsers. Studies by different companies have shown that Internet Explorer is used by 32% of web users, Firefox by 46.4% and Chrome by 13.6%. Internet Explorer and Firefox are the most common browsers. Because of the popularity of these browsers, they were selected as players for this application.

Instant messaging is also said to be one of the most popular forms of Internet communication today, beating out email thanks to the lack of spam and the instant feedback.

Microsoft Instant Messenger and Skype were also selected as players for this application because of their popularity and the video capabilities that Skype provides.

Outlook is the email program most frequently used by companies. Many forensic examinations are performed on computers used by employees, so it is very important to get information from Outlook.

3.3 Brief Introduction to the Essential Registry Key Information

The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system and the ports that are being used.

A registry hive is a group of keys, subkeys and values in the registry that has a set of supporting files containing backups of its data. The registry is a database used to store computer and user specific settings. Portions of the registry can be saved as files and reloaded for use as necessary. The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on Windows XP. The supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username folder. There are five registry hives:

HKCR - Abbreviated from the registry key name HKEY_CLASSES_ROOT. HKCR stores information about registered applications, such as file extension associations and OLE object class IDs, tying them to the applications used to handle these items.

HKCU - Abbreviated from the registry key name HKEY_CURRENT_USER. HKCU stores settings that are specific to the currently logged in user. The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the current user; the same information is reflected in both locations.

HKU - Abbreviated from the registry key name HKEY_USERS. HKU contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.

HKCC - Abbreviated from the registry key name HKEY_CURRENT_CONFIG. HKCC contains information gathered at runtime; information stored in this key is not permanently stored on the hard disk, but rather regenerated at boot time.

HKPD - Abbreviated from the registry key name HKEY_PERFORMANCE_DATA. HKPD provides runtime performance data supplied by either the operating system kernel itself or other programs that provide performance data. This key is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API (Yang, 2008).

Computer accounts, user accounts, groups, and other security-related objects are security principals. Security Identifiers (SIDs) uniquely identify security principals. Each time Windows XP or Active Directory creates a security principal, it generates a SID for it. Windows XP's Local Security Authority (LSA) generates SIDs for local security principals and then stores them in the local security database. The Domain Security Authority generates SIDs for domain security principals and then stores them in Active Directory. SIDs are unique within their scope. Every local security principal's SID is unique on the computer, and every domain security principal's SID is unique within any domain in the enterprise. What's more, Windows XP and Active Directory never reuse a SID, even if they delete the security principal to which that SID belonged. Thus, if you delete an account and then add it back, the account gets a new SID.

3.4 Understanding the Actors

3.4.1 User Profile

A user profile describes the desktop computing configuration for a specific user, including the user’s environment and preference settings.

A profile is created the first time that a user logs on to a computer running Windows Server 2003, Windows XP, Windows 2000, or Windows NT Workstation. A user profile is a group of settings and files that defines the environment that the system loads when a user logs on. It includes all the user-specific configuration settings, such as program items, screen colors, network connections, printer connections, mouse settings, and window size and position. Profiles are not user policies and the user has a profile even if you don't use Group Policy.

Depending on how you manage your network, you or a user can define the desktop settings. The following user profiles are available in Windows Server 2003, Windows XP Professional, and Windows 2000 Professional (TechNet, 2010):

- Local User Profile. Created the first time that a user logs on to a computer, the local user profile is stored on a computer's local hard disk. Any changes made to the local user profile are specific to the computer on which the changes are made.

- Roaming User Profile. A copy of the local profile is copied to, and stored on, a server share. This profile is downloaded every time that a user logs on to any computer on the network, and any changes made to a roaming user profile are synchronized with the server copy upon logoff.

- Mandatory User Profile. A type of profile that administrators can use to specify particular settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by the user to desktop settings are lost when the user logs off.

- Temporary User Profile. A temporary profile is issued any time that an error condition prevents the user's profile from being loaded. Temporary profiles are deleted at the end of each session; changes made by the user to their desktop settings and files are lost when the user logs off.

A primary goal of user profiles is to separate each user's settings and data from those of other users and the local computer (Technet2, 2010). A user profile consists of a registry hive and a set of profile folders stored in the file system.

Registry hive. User profiles take advantage of the hive feature to provide roaming profile functionality. The user profile registry hive is the NTuser.dat in file form, and is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on.

The NTuser.dat hive maintains the user's environment preferences when the user is logged on. It stores those settings that maintain network connections, Control Panel configurations unique to the user such as the desktop color and mouse, and application-specific settings. The majority of the settings stored in the registry are opaque to user profile settings and are owned and maintained by individual applications and operating system components (Technet2, 2010).

A set of profile folders stored in the file system. User profile files are stored in the file system in the Documents and Settings directory, in a per user folder. The user profile folder is a container for applications and other operating system components to populate with subfolders and per-user data, such as shortcut links, desktop icons, startup applications, documents, configuration files and so forth. Windows Explorer uses the user profile folders extensively for special folders such as the user's desktop, start menu and my documents folder (Technet2, 2010).

The NICA Forensic Tool application presented in this thesis uses Log Parser to query the registry for the information we need to find (user information and application information). When Log Parser is executed it returns a LogRecordSet. We first iterate through the LogRecordSet to get the NTUSER.DAT path from the registry key (HKLM\SYSTEM\ControlSet001\Control\hivelist) for every user (see Table 2). Next we get the ProfileImagePath (usually it will be like %SystemDrive%\Documents and Settings\UserName) from the LogRecordSet; then we get the SID for each user profile whose key path contains the pattern S-1-5-21%.

NICA Forensic Tool not only checks the currently logged in user but also checks all other users on the computer. With all the users' SIDs we can iterate through the registry one user at a time and make each one active so that we can gain access to the HKCU data that would not normally be available. Once active, we then proceed to get all the user's application settings that will be used later.

// Requires: using System.IO; (File, FileInfo, Path)
string iQuery = @"SELECT * FROM '\HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST' WHERE PATH LIKE '%S-1-5-21%'";

// Execute the query with the Log Parser registry input format
LogRecordSet oRecordSet = oLogQuery.Execute(iQuery, oREGInputFormat);

string iSIDValue = string.Empty;
List<string> iLoggedUsers = GetLoggedUsers();   // accounts with an active session
UserProfile iUserProfile = new UserProfile();
// iProfilesDirectory holds the profiles root, e.g. %SystemDrive%\Documents and Settings

// Browse the recordset: one record per value under each SID subkey
while (!oRecordSet.atEnd())
{
    var oRecord = oRecordSet.getRecord();
    if (iUserProfile.KeyName == string.Empty)
    {
        iUserProfile.KeyName = oRecord.getValue("KeyName").ToString();
        iUserProfile.LastWriteTime = Convert.ToDateTime(oRecord.getValue("LastWriteTime").ToString());
        iUserProfile.RegistryKeyPath = Convert.ToString(oRecord.getValue("Path"));
    }
    switch (oRecord.getValue("ValueName").ToString())
    {
        case "ProfileImagePath":
            iUserProfile.ProfilePath = oRecord.getValue("Value").ToString();
            // strip the profiles root to obtain the account name
            iUserProfile.UserName = iUserProfile.ProfilePath.Replace(iProfilesDirectory + "\\", "");
            iUserProfile.Logged = iLoggedUsers.Contains(iUserProfile.UserName);
            string iHivePath = Path.Combine(iUserProfile.ProfilePath, "NTUSER.DAT");
            if (File.Exists(iHivePath))
            {
                // the hive file's timestamps and size go into the profile record
                FileInfo iFileInfo = new FileInfo(iHivePath);
                iUserProfile.CreatedTime = iFileInfo.CreationTime;
                iUserProfile.ModifiedTime = iFileInfo.LastWriteTime;
                iUserProfile.RegistryFileSize = iFileInfo.Length;
            }
            break;
    }
    oRecordSet.moveNext();
}
oRecordSet.close();

Table 2. Using Log parser

Local Profile - Existing User

- The user logs on. Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get the path to the user's profile (see Fig. 1).

- The user's registry hive NTUSER.DAT is mapped to the HKEY_CURRENT_USER portion of the registry.

- The user's %userprofile% environment variable is updated with the value of the local profile folder.

- When the user logs off, the profile is saved to the local hard disk of the computer.

Figure 1. Registry key for users (SID).

3.4.2 Internet Explorer

During Forensic analysis it is often relevant to parse the information in IE cookies files into a human readable format. Cookies aid forensic analysts during the investigation by providing insight to a suspect’s internet activity.

Internet Explorer stores its data in one key with three subkeys within it that hold the majority of useful information:

- HKCU\Software\Microsoft\Internet Explorer\Main: stores the user's settings in Internet Explorer. It contains information such as search bars, start page, form settings, etc.

- HKCU\Software\Microsoft\Internet Explorer\TypedURLs: stores all URLs that a user has typed into the address field of the web browser.

- HKCU\Software\Microsoft\Internet Explorer\DownloadDirectory: displays the last directory used to store a downloaded file from Internet Explorer (Farmer, 2008).

IE stores data in the drive\Documents and Settings\user\profile folders:

- Folders: Favorites, Cookies, History, and Temporary Internet Files

- Registry: Typed URLs, passwords and Protected Storage information

NICA Forensic Tool gets the paths for the IE Cache, IE History and IE Cookies of the application. For each application we define the name, exe file and the three paths. The input type is KEY because the information is kept in the Windows registry; the output type is S, meaning a single value.

IE Cookies:

The IE cookie file format: after visiting a website such as www.securityfocus.com, a cookie will be generated on the user's PC that looks similar to the following (Jones, 2003):

ssfocus             variable
home                value of the variable
securityfocus.com/  website that issued the cookie
0                   contains flags
1238799232          the most significant integer for expiration time for the cookie
29570658            the least significant integer for expiration time for the cookie
1484443312          the most significant integer for creation time
29552553            the least significant integer for creation time

After visiting a website, a cookie will be generated on the user’s computer. This cookie contains the information meant to be saved on the client from the web server, the domain name that is responsible for this cookie, and the relevant time/date stamps.

The file will be created in the user's IE cookie directory: C:\Documents and Settings\\Cookies (see Fig. 2).

Figure 2. Internet Explorer location of the cookies files.
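As an added example (not code from the thesis or the NICA tool), the following Python script parses the text form of an IE cookie file as laid out above and converts the two 32-bit integers of each timestamp into a readable date. The halves are combined as a Windows FILETIME (100-nanosecond ticks since 1 January 1601); with the sample values the arithmetic only yields a valid date when the second integer of each pair is taken as the high-order 32 bits (29570658 × 2^32 + 1238799232 corresponds to 19 June 2003, consistent with the 2003 source), so that is how the code combines them. The sample record is constructed from the values listed above, and the timeline function mirrors what the report needs from cookies: creation time, issuing site and cookie name.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_halves(first: int, second: int) -> datetime:
    """Combine the two integers of a cookie timestamp into a UTC datetime.

    The second line of each pair supplies the high-order 32 bits and the first
    line the low-order 32 bits (verified against the sample values above).
    """
    ticks = (second << 32) | first
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text: str) -> list:
    """Parse an IE cookie text file: eight lines per cookie, each record closed by a '*' line."""
    cookies, record = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "*":
            if len(record) != 8:
                raise ValueError("malformed cookie record: %r" % (record,))
            name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = record
            cookies.append({
                "name": name,
                "value": value,
                "site": site,
                "flags": int(flags),
                "expires": filetime_from_halves(int(exp_lo), int(exp_hi)),
                "created": filetime_from_halves(int(cre_lo), int(cre_hi)),
            })
            record = []
        elif line:
            record.append(line)
    if record:
        raise ValueError("trailing cookie record without a closing '*' line")
    return cookies


# Constructed sample: the securityfocus.com record shown above, in file form
SAMPLE_COOKIE_FILE = """ssfocus
home
securityfocus.com/
0
1238799232
29570658
1484443312
29552553
*
"""


def cookie_timeline(text: str) -> list:
    """Return (created, site, name) tuples ordered by creation time, for the report timeline."""
    rows = [(c["created"], c["site"], c["name"]) for c in parse_ie_cookie_file(text)]
    return sorted(rows)


if __name__ == "__main__":
    for created, site, name in cookie_timeline(SAMPLE_COOKIE_FILE):
        print(created.strftime("%Y-%m-%d %H:%M:%S UTC"), site, name)
```

For the sample record the creation time decodes to 21 March 2003 and the expiration to 19 June 2003; a record with the halves swapped would produce a date thousands of years out, which is a quick sanity check when a cookie file looks corrupted.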

IE History

History tracks the websites visited by the user and includes date/time info in C:\Documents and Settings\\Local Settings\History (see Fig. 3).

The History folder contains a master index.dat file that tracks the history. The History folder displays icons that represent the weekly/daily history activity. Each of these folders contains an index.dat file.

Figure 3. IE location of the History file containing web site information.

IE Temporary Internet Files

- Located at C:\Documents and Settings\user\Local Settings\ (see Fig. 4).

- Contains an index.dat file that records the URL, filename, username and content info.

- Provides information about browser activity even if the user deletes their Temporary Internet Files.

- Review the Temporary Internet Files for cached Internet emails (Outlook: read ~.htm or main~.htm).

Figure 4. IE location of the Internet Files containing web sites info and index.dat files.

Registry – Typed URL’s

Most URLs that you visit are saved in the History folder. However, Internet Explorer also saves the last 25 URLs that you typed in the following Registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs (see Fig. 5).

The lowest numbered entry is the most recent site visited (url1, url2, url3, etc)

Figure 5. IE TypedURL information location.

Index.dat file

Index.dat is a file used by the Internet Explorer web browser. The index.dat file functions as an active database, which runs as long as a user is logged on in Windows. It functions as a repository of redundant information, such as web URLs, search queries and recently opened files. Its role is similar to that of an index file in the field of databases, where a technique called "indexing" stores the contents of a database in a different order to help speed up query responses. Similarly, when the auto complete function is enabled in Internet Explorer, every web address visited is stored in the index.dat file, allowing Internet Explorer to attempt to find an appropriate match when a user types in an edit field. Separate index.dat files exist for the Internet Explorer history, cache, and cookies.

The index.dat file contains a header that harbors important information about the file's properties. Specifically, the header will contain the index.dat file length, the HASH table offset and the Internet cache directory names (Jones, 2003) (see Fig. 6).

The first field we notice is the file size. The file size is given in the file header immediately following the NULL (0x00) terminated version string (see Fig. 7).

Immediately following the file size is the location of the HASH table. The HASH table is an array of data that contains entries pointing to the relevant activity data within the index.dat file.

- Bytes 0x20 – 0x23: location of the hash table (see Fig. 8).

The hash table is used to store the actual entries. Beginning of the hash table (see Fig. 9):

After the HASH table offset is a listing of directories that this index.dat file uses to store the locally cached files on the user's computer (Jones, 2003). These directories contain the files that were actually downloaded from the web (see Fig. 10).

o Size: 0x00394000 (3751936 bytes)

o Hash Table: 0x00005000

o Directories: (null-terminated, at 0x50)

Figure 6. Index.dat file header.

Figure 7. Index.dat file size.

Figure 8. Location of the hash table.

Figure 9. Beginning of the hash table.

Figure 10. Files downloaded from the web.
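The header walk described above, written out as an added Python example (not part of the thesis or the NICA tool). It reads the NULL-terminated version string, the file size that follows it, the hash table offset at bytes 0x20-0x23 and the cache directory list at 0x50, then cross-checks the header against the bytes actually present, which is how an examiner spots a truncated or tampered index.dat. Two details are assumptions not stated on this page: each directory entry is taken as a 4-byte file count followed by an 8-character name, and the block at the hash table offset is expected to begin with the ASCII marker "HASH". The index.dat bytes are constructed inside the script, not taken from a real file.

```python
import struct

VERSION_PREFIX = b"Client UrlCache MMF Ver "  # index.dat files open with this string
HASH_OFFSET_POS = 0x20    # bytes 0x20-0x23: location of the hash table
DIR_TABLE_POS = 0x50      # directory list begins at 0x50
DIR_ENTRY_FMT = "<I8s"    # assumed entry layout: 4-byte file count + 8-char name
MAX_DIRS = 32             # assumed upper bound on directory entries
HASH_MAGIC = b"HASH"      # assumed marker at the start of a hash table block


def parse_index_dat_header(data: bytes) -> dict:
    """Decode the index.dat header fields and report inconsistencies with the file data."""
    if len(data) < DIR_TABLE_POS or not data.startswith(VERSION_PREFIX):
        raise ValueError("not an index.dat header")
    nul = data.index(b"\x00")
    version = data[:nul].decode("ascii")
    # the 32-bit little-endian file size immediately follows the NULL terminator
    file_size = struct.unpack_from("<I", data, nul + 1)[0]
    hash_offset = struct.unpack_from("<I", data, HASH_OFFSET_POS)[0]

    directories = []
    entry_size = struct.calcsize(DIR_ENTRY_FMT)
    for i in range(MAX_DIRS):
        pos = DIR_TABLE_POS + i * entry_size
        if pos + entry_size > len(data):
            break
        count, name = struct.unpack_from(DIR_ENTRY_FMT, data, pos)
        if name[0] == 0:          # list is terminated by an empty (NULL) name
            break
        directories.append((name.rstrip(b"\x00").decode("ascii"), count))

    problems = []
    if file_size != len(data):
        problems.append("header file size %d != actual %d" % (file_size, len(data)))
    if hash_offset + len(HASH_MAGIC) > len(data):
        problems.append("hash table offset 0x%X lies beyond the file" % hash_offset)
    elif data[hash_offset:hash_offset + len(HASH_MAGIC)] != HASH_MAGIC:
        problems.append("no HASH marker at offset 0x%X" % hash_offset)

    return {"version": version, "file_size": file_size, "hash_offset": hash_offset,
            "directories": directories, "problems": problems}


def build_sample_index_dat(file_size: int = 0x8000, hash_offset: int = 0x5000) -> bytes:
    """Construct a synthetic index.dat with a valid header (sample data, not a real file)."""
    buf = bytearray(file_size)
    version = b"Client UrlCache MMF Ver 5.2\x00"
    buf[:len(version)] = version
    struct.pack_into("<I", buf, len(version), file_size)        # size right after the NULL
    struct.pack_into("<I", buf, HASH_OFFSET_POS, hash_offset)   # bytes 0x20-0x23
    for i, (name, count) in enumerate([("ABCD1234", 12), ("WXYZ5678", 7)]):
        struct.pack_into(DIR_ENTRY_FMT, buf, DIR_TABLE_POS + i * 12, count, name.encode("ascii"))
    buf[hash_offset:hash_offset + 4] = HASH_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    header = parse_index_dat_header(build_sample_index_dat())
    print(header)
```

Running the parser over a copy cut short after the header reports both a size mismatch and an unreachable hash table, which is the condition an examiner should note before trusting any entries recovered from the file.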

3.4.3 Mozilla Firefox

Firefox stores a user's personal information such as bookmarks, extensions, and user preferences in a unique profile stored in files within a special folder on the user's PC. The first time Firefox is started, it will automatically create a default profile; additional profiles can be created using the profile manager. Profile folders are placed in a common location by default but are named randomly for additional security (e.g. "xxxxxx.default" is the profile folder name for the "default" profile, where xxxxxx represents a random string of characters). The NICA Forensic Tool will only search up to 5 profiles for any given user.

Starting in Firefox 3 a new file format is used to record browser history information. Rather than storing this information in a flat file using the Mork file format, the information is kept in a SQLite database (MozillaZine, Profile Folder, 2009).

Firefox stores most of its data in files instead of the registry; it is easy to find, in individual folders, and it is very easy for a user to wipe the folders securely.

It stores personal information such as bookmarks, extensions and user preferences in a unique profile, called Profile; the profiles are listed in profiles.ini.

NICA Forensic Tool gets the path for History, Cache and Cookies of the Firefox application. For each application we define the name, exe file and the three paths. The input type is INI because Firefox does not use the Windows registry; the information can only be retrieved through the INI file. Firefox keeps the INI file in the Application Data or Local Application Data directory; the source path is [ApplicationData] + \\Mozilla\\Firefox.

Firefox History Files

File location: C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\zb0sttcz.default\places.sqlite (see Fig. 11).

The following registry path will tell us if Mozilla Firefox is installed and where the Mozilla Firefox info is contained (Musings, 2007): HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox (see Fig. 12)

Figure 11. Mozilla Firefox profiles information.

3.4.4 Google Chrome

Google Chrome is a web browser developed by Google. The name is derived from the graphical user interface frame, or chrome, of web browsers. As of April 2010, Chrome was the third most widely used browser.

File location: C:\Documents and Settings\\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage (see Fig. 12).

Google Chrome stores the browser history in a SQLite database.

The database file that contains the browsing history is stored under the Default folder as "History" and can be examined using any SQLite browser (such as sqlite3). The available tables are downloads, presentation, urls, keyword_search_terms, segment_usage, visits, meta and segments. The most relevant tables for browsing history are the "urls" table, which contains all the visited URLs, the "visits" table, which contains among other information the type of visit and the timestamps, and finally the "downloads" table, which contains a list of downloaded files (Brainfold, 2010).

Figure 12. Google Chrome file's location.
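An added Python example (not code from the thesis or the NICA tool) showing the query a practitioner would run against the History database: it joins the urls and visits tables, converts Chrome's timestamps (microseconds since 1 January 1601) to UTC dates and decodes the type of visit from the low byte of the transition column. The History database here is built in memory with only the columns the query uses, as constructed sample data; the transition type names follow Chrome's PageTransition enumeration, with its qualifier flags in the high bits masked off.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (the FILETIME epoch)
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition types from Chrome's PageTransition enumeration; qualifier
# flags (chain start/end, redirects) occupy the high bits and are masked off
CORE_TRANSITION = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
                   4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
                   7: "form_submit", 8: "reload"}
CORE_MASK = 0xFF


def chrome_to_datetime(micros: int):
    """Convert a Chrome timestamp to an aware UTC datetime; 0 means 'never'."""
    return CHROME_EPOCH + timedelta(microseconds=micros) if micros else None


def datetime_to_chrome(dt: datetime) -> int:
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def browsing_timeline(conn: sqlite3.Connection) -> list:
    """Join visits to urls and return one row per visit, oldest first."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title, v.transition "
        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
    ).fetchall()
    return [{"when": chrome_to_datetime(t), "url": url, "title": title,
             "visit_type": CORE_TRANSITION.get(tr & CORE_MASK, "other(%d)" % (tr & CORE_MASK))}
            for t, url, title, tr in rows]


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Default\\History using only the columns queried above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    t1 = datetime_to_chrome(datetime(2010, 4, 12, 9, 30, 0, tzinfo=timezone.utc))
    t2 = t1 + 95 * 10**6       # 95 seconds later
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "http://www.securityfocus.com/", "SecurityFocus", 1, t1),
        (2, "http://www.example.org/page", "Example page", 1, t2),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, t1, 0x30000001),   # typed address; chain start/end qualifier bits set
        (2, 2, t2, 0x00000000),   # reached by following a link
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in browsing_timeline(build_sample_history()):
        print(row["when"].isoformat(), row["visit_type"], row["url"], row["title"])
```

The distinction between "typed" and "link" visits is what makes the visits table more useful than urls alone: a typed entry records that the user entered the address, while a link visit may have been reached through a redirect or an embedded element.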

NICA Forensic Tool gets the paths for History, Cache and Cookies of the Google Chrome application. For each application we define the name, exe file and three paths. The input type is DIR because, like Firefox, Google Chrome does not use the Windows registry; the information can only be retrieved through the DIR file. Google Chrome keeps the DIR file in the Local Application Data directory (C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome).

3.4.5 Skype

Skype is communications software that allows users to communicate with each other in real time using VoIP, video chat or text chat. It is unique among other IM applications in that Skype runs over a decentralized peer to peer (P2P) network rather than routing all communications packets through a central server or cluster of servers (ISO Consensus Paper: Skype, 2009).

For Windows systems, Skype's functionality can be managed at a number of levels. Skype configuration and policy settings are maintained in the following hierarchy:

o HKEY_LOCAL_MACHINE Registry Keys

o HKEY_LOCAL_USER Registry Keys

o XML config files in C:\Documents and Settings\\Application Data\Skype\

Skype software uses a number of files to store data. These files relate mainly to historical information, call histories, file transfers, messaging sessions, etc. They also cache user profiles. The interpretation of these log files can yield a significant amount of information about communications that have taken place through the software.

Information available in log files

This section details the information available for extraction from Skype logs. Note that the sequence number allows the order of events to be determined, without relying on the resolution of the timestamp. The timestamps give date and time to a resolution of one second.

File-naming convention

Files are stored with a .dbb extension with the filename consisting of a string describing the contents followed by a number which indicates the record length (e.g. call256.dbb, chatmsg512.dbb etc). The minimum record length observed is 256 bytes, with files seen up to 16384 bytes. Items are stored in the smallest length format possible with blank padding to fill any space remaining in the record. Therefore it is quite common to have multiple files with the same prefix and different record lengths.

Skype Log File Analysis

File                Contents
call*.dbb           Call history
chatmsg*.dbb        Chat history
profile*.dbb        Details of user profiles
transfer*.dbb       Details of file transfers
chat*.dbb           Chat history
contactgroup*.dbb   Unknown
user*.dbb           Local user's profile
voicemail*.dbb      Details of voicemail messages (no contents)
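As an added example (not part of the thesis or the NICA tool), the Python script below applies the naming convention above to a Skype profile directory: it derives the record length from each file name, labels the file with the contents from the table, checks that the length falls in the observed 256 to 16384 byte range and that the file size is a whole number of records, and splits the file into fixed-length records. Treating a record whose bytes are all zero as unused is a heuristic of this script, not something the text states; the .dbb files it inspects are synthetic ones it writes to a temporary directory.

```python
import os
import re
import tempfile

# Contents of each .dbb prefix, from the Skype log file table above
DBB_CONTENTS = {
    "call": "Call history",
    "chatmsg": "Chat history",
    "profile": "Details of user profiles",
    "transfer": "Details of file transfers",
    "chat": "Chat history",
    "contactgroup": "Unknown",
    "user": "Local user's profile",
    "voicemail": "Details of voicemail messages (no contents)",
}
# <prefix><record length>.dbb, e.g. call256.dbb, chatmsg512.dbb
DBB_NAME = re.compile(r"^([a-z]+?)(\d+)\.dbb$")
MIN_RECORD, MAX_RECORD = 256, 16384   # record lengths observed, per the text above


def inventory_dbb(directory: str) -> list:
    """Describe every .dbb file in a Skype profile directory: contents, record length, record count."""
    entries = []
    for fname in sorted(os.listdir(directory)):
        m = DBB_NAME.match(fname)
        if not m:
            continue
        prefix, record_len = m.group(1), int(m.group(2))
        with open(os.path.join(directory, fname), "rb") as fh:
            data = fh.read()
        notes, records = [], []
        if not MIN_RECORD <= record_len <= MAX_RECORD:
            notes.append("record length outside the observed 256-16384 range")
        if record_len:
            if len(data) % record_len:
                notes.append("file size is not a multiple of the record length")
            usable = len(data) - len(data) % record_len
            records = [data[i:i + record_len] for i in range(0, usable, record_len)]
        entries.append({
            "file": fname,
            "prefix": prefix,
            "contents": DBB_CONTENTS.get(prefix, "Unknown"),
            "record_len": record_len,
            "records": len(records),
            # heuristic: a record with no non-zero byte is counted as unused
            "used": sum(1 for r in records if any(r)),
            "notes": notes,
        })
    return entries


def build_sample_profile_dir() -> str:
    """Construct a temporary directory with synthetic .dbb files (sample data, not real Skype logs)."""
    directory = tempfile.mkdtemp(prefix="skype_sample_")

    def write(name, record_len, payloads):
        with open(os.path.join(directory, name), "wb") as fh:
            for payload in payloads:
                fh.write(payload.ljust(record_len, b"\x00"))  # blank padding to the record length

    write("call256.dbb", 256, [b"call-record-1", b"call-record-2", b"call-record-3"])
    write("chatmsg512.dbb", 512, [b"chat message long enough to need the 512-byte format " * 5, b"short"])
    write("contactgroup256.dbb", 256, [b"group"])
    with open(os.path.join(directory, "config.xml"), "wb") as fh:
        fh.write(b"<config/>")   # non-.dbb file, ignored by the inventory
    return directory


if __name__ == "__main__":
    for e in inventory_dbb(build_sample_profile_dir()):
        print("%-22s %-42s reclen=%5d records=%d used=%d %s" % (
            e["file"], e["contents"], e["record_len"], e["records"], e["used"], e["notes"]))
```

The notes field is where an examiner would look first: a file whose size is not a multiple of its record length has been truncated or appended to after Skype wrote it, and that should be recorded before any records are interpreted.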

NICA Forensic Tool gets the path of the Skype activity. For each application we define the name, exe file target path, Input Type is DIR, and the source path is [ApplicationData] + \\Skype.

3.4.6 Outlook

Email is one of the most common ways people communicate. From internal meeting requests, distribution of documents and general conversation one would be hard pressed to find an organization of any size that does not rely on email. Studies have shown that more email is generated every day than phone conversations and paper documents combined. Forensic analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide and no examination of Document Discovery is complete without requesting, searching and organizing email.

What is a PST file? A PST file (personal storage file) is Microsoft Outlook's file format for email storage. This single file is a compound file, like a ZIP file, and can contain thousands of emails, contacts, tasks, and calendar entries.

To view the contents of a PST file, the file can be mounted in Outlook or specialist forensic tools such as EnCase.

PST files are important, if not critical, in forensic and electronic discovery investigations as they provide one of the primary storage methods for email within companies.

NICA Forensic Tool gets the path to the Outlook application's PST file. For each application we define the name and file target path: the target name is Microsoft Outlook, the Input Type is KEY (registry key), the source path is HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, the value name is 001f6700 (works for Outlook 2003-2007) and the output type is L for List Value. 001f6700 is a subkey and it contains a byte array that, when converted and parsed, gives you the path to the PST file.
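The conversion of the 001f6700 byte array, as an added Python example (not code from the thesis or the NICA tool). The value name is read as a MAPI property tag: the first four hex digits give the property type (001f is PT_UNICODE, a UTF-16LE string; the older 001e is PT_STRING8, an 8-bit string) and the last four give the property id (6700, the PST path value named above). The profile values are constructed sample data in the form {value name: raw bytes}, not an export from a real registry, and the unrelated 00036601 entry is included only to show that non-string properties are skipped.

```python
# MAPI property types that appear as the first four hex digits of the value name
PT_STRING8 = 0x001E    # 8-bit (ANSI) string, used by older Outlook versions
PT_UNICODE = 0x001F    # UTF-16LE string, used by Outlook 2003-2007 (value 001f6700)
PST_PATH_PROPERTY_ID = 0x6700   # property id of the PST path value named above


def split_property_tag(value_name: str):
    """Split an 8-hex-digit registry value name into (property type, property id)."""
    if len(value_name) != 8:
        raise ValueError("expected an 8 hex digit property tag, got %r" % value_name)
    return int(value_name[:4], 16), int(value_name[4:], 16)


def decode_mapi_string(value_name: str, data: bytes) -> str:
    """Convert the byte array behind a MAPI string property into text."""
    prop_type, _ = split_property_tag(value_name)
    if prop_type == PT_UNICODE:
        text = data.decode("utf-16-le")
    elif prop_type == PT_STRING8:
        text = data.decode("cp1252")
    else:
        raise ValueError("property type 0x%04X is not a string type" % prop_type)
    return text.rstrip("\x00")   # drop the NUL terminator(s) stored with the value


def pst_path_from_profile(values: dict) -> str:
    """Given {value name: bytes} for one profile subkey, return the PST path."""
    for name, data in values.items():
        prop_type, prop_id = split_property_tag(name)
        if prop_id == PST_PATH_PROPERTY_ID and prop_type in (PT_UNICODE, PT_STRING8):
            return decode_mapi_string(name, data)
    raise LookupError("no PST path value in this profile subkey")


# Constructed sample: a profile subkey exported as {value name: raw bytes}
SAMPLE_PST_PATH = r"C:\Documents and Settings\jdoe\Local Settings\Application Data\Microsoft\Outlook\outlook.pst"
SAMPLE_PROFILE_VALUES = {
    "001f6700": SAMPLE_PST_PATH.encode("utf-16-le") + b"\x00\x00",
    "00036601": b"\x00\x00\x00\x00",   # constructed PT_LONG value, not a string
}


if __name__ == "__main__":
    print(pst_path_from_profile(SAMPLE_PROFILE_VALUES))
```

Selecting on the property id rather than the literal name 001f6700 is what lets the same routine handle an older profile that stores the path as 001e6700.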

3.4.7 Instant Messenger

MSN Messenger has the ability to keep an indefinite log of all conversations.

In MSN Messenger select the Tools menu, Options... menu item, and then the Messages tab. At the bottom of the dialog is an item labeled: Message History. Select it and your conversations will be recorded in the directory listed in the box below (see Fig 13).

When conversations are saved in the listed directory you'll find several files, typically one per person that you've had a conversation with. The files will all end with ".XML".

Figure 13.Instant Messenger Menu default settings.

There is not a way that I know of to retrieve the IM messages unless logging has been enabled. Conversations, when not being archived, may never even hit the disk, so there's nothing to be recovered. There might be small, tiny chances that some memory swapping happened and that a fragment landed on disk, but again the chances are small and it was probably immediately overwritten. The same tiny chance applies for any equipment that the conversation traveled through (Notenboon, 2004).

Instant messaging applications can provide strong evidence in certain cases (Farmer, 2008). Windows Messenger, MSN Messenger and Windows Live Messenger generally utilize any of the three following keys:

HKEY_CURRENT_USER\Software\Microsoft\Messenger Service

HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger (see Fig. 14)

HKEY_LOCAL_MACHINE\Software\Microsoft\Messenger Service

Figure 14. Windows Live Messenger keys location.

NICA Forensic Tool passes the parameters through the code of where to look for the files: C:\\Documents and Settings\\Local Settings\Application Data\Microsoft\Messenger; what files to look for: ContactsLog.txt; where to output the results: save the information in the database.

This one was the most challenging because there was not any information available about how to get the information that we need. I had to look into several files and, through a lot of trial and error, I found the one that contained the information needed.

Once all information is gathered in the dataset the program then saves the information in the SQLite database.

3.5 Understanding the Data Flow

Figure 15. Data Flow Diagram.

The application allows for creating a new case (1) or opening an existing one (4).

For a new case the user needs to enter the properties of the case (2), like the Case ID number, charges associated with the case, forensic analyst or investigator's name and a short description that identifies the case or any relevant notes. Save the case (3) to the database.

Once saved, the case status is set to open automatically (4) and the user can execute the parser tool (5). When the parser tool is executed, the application gets the user profiles by reading the value names of the Windows registry. For each user profile found (6) we check whether this is the logged in user, meaning the active user (7). If it is not the logged in user, we get the hive file (NTUSER.DAT) of the user corresponding to the HKU key of the actual user of the name declared in the user profile (8); then we proceed to obtain the paths of the folders and/or files that we are going to evaluate (9). This process is based on a series of parameters established for each application's activity. The search of the paths, folders and files is done by: KEY (Windows registry), DIR (a specific location, like the ones for the Google Chrome browser and Skype) and INI (a file that contains a section where we can find the paths to follow, like the Firefox browser). Before we read the target paths, the program verifies whether the application is installed under the subkey software\Microsoft\CurrentVersion\App Paths\ (the Skype path is located under software\Skype\Phone). To read from a non-active user, the reading is done under HKU\[username], otherwise under HKLM. Once the information is gathered, if it is a non-active user (10) we get the hive file (11). This process repeats itself until we reach the last user in the user profile list.

Once the data for the users is obtained, we establish a list of jobs considering the particularities of each application and the tools to be used (12). This list is displayed to the investigator before proceeding to execute the parser. When the parser is executed, we clean the pre-existing data in the database (12) and a principal thread is sent to the job list (14). This thread is in charge of searching the job list; it serves each one of the jobs contained in the list (15) and executes another thread in the background (16). If the analysis is finished with the internal process (17) then the corresponding method is executed through delegation (18), where we proceed to create a dataset that contains the tables (19), extract the data from the activity of the target application and store it temporarily in the dataset (20); when the process ends the data is stored in the database (21). When we use an external tool for parsing (17) an asynchronous thread executes the tool (22) and evaluates whether the alternative process has ended (23). The external tools create XML files containing the activity of the applications; the tools add invalid tags or non-standard characters, so before an XML file is created (24) it has to be sanitized (25) and then the data is saved in the database (26) until the job list is done (27).

After the parser has been executed (29) you can see all the activities displayed in the viewer (28).

Chapter 4

External Tools used with NICA Forensic Tool

Microsoft Log Parser is distributed by Microsoft; Outlook Redemption was developed by Dmitry Streblechenko and can be downloaded for free from his web site dimastr/redemption. IECacheView, IEHistoryView, MozillaCacheView and ChromeCacheView are utilities developed by Nir Sofer, who is the owner of NirSoft. NirSoft is a web site that provides more than a hundred free utilities.

The Log Parser and Outlook Redemption tools are .dll libraries integrated into the forensic tool. ChromeCacheView, IEHistoryView, IECacheView and MozillaCacheView are utilities that are executed through the program. The parameters and the paths to the applications are directed through the code with the help of Log Parser. The utilities generate an XML report that needs to be sanitized, and then the XmlReader reads the XML files and saves the information in the SQLite database.

ChromeCacheView, IECacheView and MozillaCacheView are utilities used in the NICA Forensic Tool to read the cache folder. The cache folder contains web page content that is stored on the hard disk for quick viewing. IEHistoryView reads the Internet history. The Internet history is a record of all the sites visited.

SQLite is an open source database accessed through ADO.NET. It is used to save all the case information and reports. It was selected as the database because it is serverless and compact, and primarily because it is used by Mozilla Firefox and Google Chrome to record the cookies, history, bookmarks, passwords and user information.

Outlook Redemption is used to access and manipulate MAPI profiles and accounts.

Microsoft Log Parser is used to slice and dice log file types. It can process and query all the common log formats and can address the file system and the registry as well.

4.1 Internet Explorer Cache View (IECacheView)

Internet Explorer Cache View is a small utility that reads the cache folder of Internet Explorer and writes the content to a file that is then read into the Forensic Tool. For each cache file, the following information is captured and displayed: Filename, Content Type, URL, Last Accessed Time, Last Modified Time, Expiration Time, Number of Hits, File Size, Folder Name, and full path of the cache filename.

NICA Forensic Tool calls the IECacheView utility and passes the parameters of where to look for the files: C:\\Documents and Settings\\Local Settings\Temporary Internet Files; what files to look for: folder Temporary Internet Files; where to output the results: put the output in a temp file in the forensic main temp folder and save the information in the database.

Advantages over the 'Temporary Internet Files' viewer of Windows

The reasons that the NICA Forensic Tool uses IECacheView instead of reading the information directly from the Temporary Internet Files folder are the following. IECacheView displays only the list of cache files, while the cache view of Windows displays a mix of cookies and cache files. IECacheView allows you to filter the cache files by file type (image, text, video, audio, or application). It allows you to view the cache files of another user or from another disk, which is what a forensic examination needs, while the Windows viewer can only show the cache of the currently logged-on user. Finally, IECacheView displays some columns that the Windows cache viewer does not: Content Type, Number of Hits, Sub-folder Name, and the full path of the cached filename.

4.2 Internet Explorer History Viewer (IEHistoryView)

Each time that you type a URL in the address bar or click on a link in the Internet Explorer browser, the URL address is automatically added to the history index file, index.dat (see Fig. 16).

Figure 16. IE History file content.

When you type a sequence of characters in the address bar, Internet Explorer automatically suggests all URLs that begin with the character sequence you typed (unless the AutoComplete feature for Web addresses is turned off). However, Internet Explorer does not allow you to view and edit the entire URL list that it stores inside the history file. The location of the history folder differs from one operating system to another. On Windows 2000/XP, the History folder is located inside the "Local Settings" folder of your user profile, for example C:\Documents and Settings\Administrator\Local Settings\History. The "Local Settings" folder is hidden by default, so you will not see it unless your system is configured to display hidden files and folders.

NICA Forensic Tool calls the IEHV utility and passes the parameters of where to look for the files (C:\Documents and Settings\Administrator\Local Settings\History), what files to look for (the History folder) and where to output the results (a temp file in the forensic main temp folder); the tool then saves the information in the database.

The Typed URLs List

Most URLs that you visit are saved in the History folder. However, Internet Explorer also saves the last 25 URLs that you typed in the following Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

By default, IEHistoryView does not display the URL list from the Registry, but the Forensic Tool passes parameters to enable this feature. The URL list in the Registry is captured and displayed in addition to the list of all URLs stored in the History folder. Note that HKEY_CURRENT_USER is only the hive of the user who is logged on; the same key for any other user profile is in that user's NTUSER.DAT hive, which appears under HKEY_USERS\<SID> when it is loaded.

4.3 MozillaCacheView

Mozilla Cache View is a small utility that reads the cache folder of Firefox/Mozilla Web browsers and writes the content to a file that is then read into the Forensic Tool. For each cache file, the following information is captured and displayed: URL, content type, file size, last modified time, last fetched time, expiration time, fetch count, server name, and more.

Starting in Firefox 3 a new file format is used to record browser history information. Rather than storing this information in a flat file, the information is kept in a SQLite database, places.sqlite, inside the profile folder (see Fig. 17).

Figure 17. Google Chrome SQLite Database Structure.

Firefox stores most of its data in files instead of the registry; they are easy to find, in individual folders, and it is very easy for a user to wipe the folders securely. This is a nice feature for users but a nightmare for computer forensics, because there is no easy way to retrieve the deleted information.

Using MozillaCacheView

The cache folder of Mozilla Firefox is located under C:\Documents and Settings\[User Name]\Local Settings\Application Data\Mozilla\Firefox\Profiles\[Profile Name]\Cache (see Fig. 18).

Figure 18. Location of Mozilla Firefox Cache files.

NICA Forensic Tool calls the MozillaCacheView utility and passes the parameters of where to look for the files (C:\\Documents and Settings\\Local Settings\Application Data\Mozilla\Firefox\Profiles\zb0ttcz.default\cache), what files to look for (the cache folder) and where to output the results (a temp file in the forensic main temp folder); the tool then saves the information in the database. The profile folder name (zb0ttcz.default here) is generated randomly for each installation, so it has to be read from profiles.ini in the Firefox folder rather than assumed.

4.4 ChromeCacheView

Chrome Cache View is a small utility that reads the cache folder of the Google Chrome web browser and writes the content to a file that is then read into the Forensic Tool. For each cache file, the following information is captured and displayed: URL, content type, file size, last accessed time, expiration time, server name, server response, and more.

Chrome Cache Folder location

The cache folder for Google Chrome is located under [User Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache (see Fig. 19).

Figure 19. Location of Google Chrome Cache files.

NICA Forensic Tool calls the ChromeCacheView utility and passes the parameters of where to look for the files (C:\\Documents and Settings\\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache), what files to look for (the cache folder) and where to output the results (a temp file in the forensic main temp folder); the tool then saves the information in the database.
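The pipeline that sections 4.1 to 4.4 describe (run a cache-viewer utility, sanitize its XML report, read it, store the rows in SQLite) is shown below as an added example in Python; it is not code from the NICA Forensic Tool or from NirSoft. The element names and the timestamp layout of the report are assumptions, and the report itself is constructed inline so the script runs offline. The second item deliberately contains a bare ampersand in its URL and a control character in its file name, the two defects that make an unsanitized report unparseable.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape of a NirSoft /sxml report (element names and
# timestamp layout are assumptions, not copied from a real run). The second
# item carries a bare '&' in its URL and a control character in its file name,
# the two defects the sanitizer has to remove before an XML parser accepts it.
SAMPLE_XML = """<?xml version="1.0" ?>
<cache_list>
<item>
<filename>index.html</filename>
<content_type>text/html</content_type>
<url>http://www.example.com/index.html</url>
<last_accessed>10/25/2010 7:07:12 PM</last_accessed>
<hits>3</hits>
</item>
<item>
<filename>pic\x07[1].jpg</filename>
<content_type>image/jpeg</content_type>
<url>http://www.example.net/view?id=42&mode=full</url>
<last_accessed>10/25/2010 7:08:45 PM</last_accessed>
<hits>1</hits>
</item>
</cache_list>
"""

# An '&' that does not start a valid entity or character reference.
_BARE_AMP = re.compile(r'&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);)')
# Control characters XML 1.0 forbids (tab, LF and CR are allowed).
_BAD_CHARS = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f]')


def sanitize(xml_text):
    """Make a utility's report well-formed: escape bare '&' and drop forbidden control chars."""
    return _BAD_CHARS.sub('', _BARE_AMP.sub('&amp;', xml_text))


def parse_time(text):
    """Assumed NirSoft local-time layout -> ISO 8601 text, so SQLite sorts it correctly."""
    return datetime.strptime(text.strip(), '%m/%d/%Y %I:%M:%S %p').isoformat(sep=' ')


def open_db(path=':memory:'):
    """Create the activity table: one row per cache entry, tagged by user and source tool."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS activity (
        id INTEGER PRIMARY KEY, user TEXT, source TEXT, filename TEXT, url TEXT,
        content_type TEXT, accessed TEXT, hits INTEGER, suspicious INTEGER DEFAULT 0)""")
    return db


def load_report(db, xml_text, user, source):
    """Sanitize, parse and store one utility report; returns the number of rows inserted."""
    root = ET.fromstring(sanitize(xml_text))
    rows = []
    for item in root.iter('item'):
        field = lambda tag: (item.findtext(tag) or '').strip()
        rows.append((user, source, field('filename'), field('url'), field('content_type'),
                     parse_time(field('last_accessed')), int(field('hits') or 0)))
    db.executemany("INSERT INTO activity (user, source, filename, url, content_type, accessed, hits)"
                   " VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    db.commit()
    return len(rows)


def visits(db, keyword):
    """Time-ordered (accessed, url) pairs whose URL contains the keyword: the history check."""
    return db.execute("SELECT accessed, url FROM activity WHERE url LIKE ? ORDER BY accessed",
                      ('%' + keyword + '%',)).fetchall()


if __name__ == '__main__':
    db = open_db()
    print(load_report(db, SAMPLE_XML, 'jdoe', 'IECacheView'), 'entries loaded')
    for when, url in visits(db, 'example.net'):
        print(when, url)
```

Storing the timestamps as ISO 8601 text is what makes the later "order by time" and "within N minutes" queries work in SQLite; the raw "7:08:45 PM" strings would sort alphabetically.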

4.5 SQLite

SQLite is an embeddable database system that keeps each database in an ordinary file. It does not need to be started, stopped, configured, or managed like other SQL databases. It is lightweight, fast, and compact, and it works completely out of the box without any configuration. The entire database (definitions, tables, indices, and the data itself) is stored as a single cross-platform file on a host machine. This simple design is achieved by locking the entire database file during writing (Kristianto, 2009).

Advantages of SQLite:

Some of the advantages are: zero configuration, serverless, single database file, stable cross platform database file, compact size, variable length records, and free with the public domain license.

Disadvantages of SQLite:

Some of the disadvantages cited are a database size limit of 2 GB in some older environments, that it locks the whole file while writing so that concurrent writers are serialized, that it has no shared server-side cache, and that it is not very scalable for multi-user workloads.

4.6 Microsoft Log Parser

Microsoft Log Parser queries everything with SQL. It lets you slice and dice a variety of log file types using a common SQL-like syntax. It is an incredibly powerful concept, and the Log Parser implementation does not disappoint. The architecture diagram from the Log Parser documentation explains it better (see Fig. 20).

Figure 20.Log Parser architecture diagram.

Log Parser operates as a kind of data pipeline. Into this pipe you can send information from IIS logs, Windows Event logs, Active Directory information, file system data, Registry data, Network Monitor traces, and so on. Once the data is in the pipe, you can process it using SQL statements; for example, to select certain portions of the data by using a SELECT query. Then, as the processed data comes out of the pipeline, you can output it to text files, HTML files, Excel-style charts, or a SQL database table, or simply to the console as raw output.

Log Parser consists of three components: 1) the input engine, 2) the SQL query engine, and 3) the output engine. The input and output engines, combined, are what make this tool shine. When investigating network intrusions, you are faced with analyzing logs from many sources, none of them compatible with the others. Log Parser can accept most any common log format and output it into one of many formats of your choosing. When you are done, you can combine all your disparate logs into one common format for analysis.

At any point in the process you can subject your logs to a query so that you narrow down the data to that which is relevant. While many GUI tools are out there that provide filters, even those that allow the user to build custom filters can't compare with the power of writing a custom SQL query in Log Parser.

As an intrusion investigator or forensic examiner, you are tasked with mastering many tools to get your work done. It would be nice if we only had to master a couple of tools, but such will never be the case. We can, however, limit the number of tools we have to use if we make careful selections. Whenever one tool will handle multiple tasks instead of multiple tools for the same number of tasks, that should be your tool of choice. Log Parser fits this criterion, as it can process and query all the common log formats and can address your file system and your registry as well, including those of remote systems (Bunting, 2006).

Using Log Parser

One of the more useful things about Log Parser is that it is exposed via a COM interface, so the tool can be scripted or called from your application (like the Forensic Tool). It uses SQL queries that are straightforward and easy to use. It makes a programmer's life easier because it helps to find registry key information without much hassle.

NICA Forensic Tool uses Log Parser to get all the SIDs that start with S-1-5-21, because those belong to user accounts and therefore to the user profiles; the well-known SIDs S-1-5-18 (SYSTEM), S-1-5-19 (LocalService) and S-1-5-20 (NetworkService) also have profile entries but are not users. Log Parser is also used to find the logged-in user and the users that are not logged in but have a user profile.

These are some examples of how Log Parser can be used:

Open the command line interface (cmd.exe) in the folder "C:\Program Files\Log Parser 2.2", where the executable "logparser.exe" is located. From the command line interface, type in the following: logparser.exe -i:EVT -o:NAT "SELECT TimeGenerated, EventID FROM System" (see Fig. 21)

Figure 21. Log parser output to the console.

Another output feature of log parser is its "DATAGRID" output. Instead of dumping the query to a screen, you can send it to a GUI interface. To send it to a datagrid, enter the following: logparser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated, EventID, message FROM System" and you should see the following (see Fig. 22).

Figure 22. Log parser output to a datagrid
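The profile discovery described above (select the S-1-5-21 SIDs from the ProfileList key, then tell logged-on users from users who merely have a profile) is shown below as an added example in Python; it is not the NICA Forensic Tool's code. The two queries are written the way the tool would hand them to Log Parser's REG input format, but their exact wording, and the assumption that the tool reads Log Parser's CSV output, are mine; the CSV samples are constructed, not captured from a real host. A user whose NTUSER.DAT hive is loaded under HKEY_USERS is treated as logged on, and the accompanying S-1-5-21-...-NNN_Classes keys are deliberately ignored.

```python
import csv
import io
import re

PROFILE_LIST = r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Queries in the shape the tool would hand to Log Parser's REG input format
# (assumed wording); Path, KeyName, ValueName and Value are REG format columns.
PROFILE_QUERY = 'SELECT Path, KeyName, ValueName, Value FROM \\' + PROFILE_LIST
LOADED_HIVES_QUERY = r'SELECT Path, KeyName FROM \HKU'

# Constructed Log Parser -o:CSV output for PROFILE_QUERY (not from a real host).
# Note the service profiles S-1-5-18/19/20 that also live under ProfileList.
PROFILE_CSV = r"""Path,KeyName,ValueName,Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18,S-1-5-18,ProfileImagePath,%systemroot%\system32\config\systemprofile
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19,S-1-5-19,ProfileImagePath,C:\Documents and Settings\LocalService
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20,S-1-5-20,ProfileImagePath,C:\Documents and Settings\NetworkService
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1644491937-1202660629-839522115-500,S-1-5-21-1644491937-1202660629-839522115-500,ProfileImagePath,C:\Documents and Settings\Administrator
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1644491937-1202660629-839522115-1003,S-1-5-21-1644491937-1202660629-839522115-1003,ProfileImagePath,C:\Documents and Settings\jdoe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1644491937-1202660629-839522115-1003,S-1-5-21-1644491937-1202660629-839522115-1003,State,256
"""

# Constructed output for LOADED_HIVES_QUERY: only jdoe's hive is loaded.
HKU_CSV = r"""Path,KeyName
HKU\.DEFAULT\Software,Software
HKU\S-1-5-18\Software,Software
HKU\S-1-5-19\Software,Software
HKU\S-1-5-20\Software,Software
HKU\S-1-5-21-1644491937-1202660629-839522115-1003\Software\Microsoft,Microsoft
HKU\S-1-5-21-1644491937-1202660629-839522115-1003_Classes\Local Settings,Local Settings
"""

# Account SIDs: S-1-5-21-<domain triple>-<RID>; the RID is captured.
SID_RE = re.compile(r'^S-1-5-21(?:-\d+){3}-(\d+)$')


def user_profiles(profile_csv):
    """{sid: {'rid': int, 'path': str}} for S-1-5-21 profiles; service profiles are skipped."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(profile_csv)):
        m = SID_RE.match(row['KeyName'])
        if m and row['ValueName'] == 'ProfileImagePath':
            profiles[row['KeyName']] = {'rid': int(m.group(1)), 'path': row['Value']}
    return profiles


def loaded_sids(hku_csv):
    """SIDs whose hive is loaded under HKU, i.e. users logged on when the query ran."""
    loaded = set()
    for row in csv.DictReader(io.StringIO(hku_csv)):
        top = row['Path'].split('\\')[1]      # first element after HKU\
        if SID_RE.match(top):                 # drops .DEFAULT, S-1-5-1x and *_Classes
            loaded.add(top)
    return loaded


def classify(profile_csv, hku_csv):
    """Join the two results: per user, profile path, logged-on flag and built-in flag (RID < 1000)."""
    loaded = loaded_sids(hku_csv)
    return {sid: dict(info, logged_on=sid in loaded, builtin=info['rid'] < 1000)
            for sid, info in user_profiles(profile_csv).items()}


if __name__ == '__main__':
    for sid, info in classify(PROFILE_CSV, HKU_CSV).items():
        print(sid, info)
```

The RID check matters in practice: RID 500 is the built-in Administrator and 501 the Guest account, both S-1-5-21 SIDs, so "starts with S-1-5-21" alone does not mean "an ordinary user created on this machine".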

4.7 Outlook Redemption

Outlook security patches prevent users from listing the Internet headers of the e-mails they receive; most of the header information is not accessible. Outlook Redemption is a regular COM object that allows access to any properties and methods available on an original Outlook item, both blocked and not blocked.

With Outlook Redemption you can:

 make your code run unaffected by the Security Patches
 access properties not exposed by the Outlook Object Model (Internet message headers, sender e-mail address and hundreds more properties)
 display the Address Book
 directly access the RTF body of any Outlook item
 import MSG, EML (RFC822) and TNEF files
 export messages to the MSG, EML, TXT, HTML, TNEF, iCal and vCard formats
 access and manipulate Outlook accounts (Outlook 2002 and above, RDO library)
 create, access and manipulate MAPI profiles and accounts
 access MAPI stores
 access Outlook nicknames
 manage Junk Mail settings
 manage categories
 directly access message attachments as strings or as arrays without saving them as files first

Redemption supports Outlook 98, 2000, 2002, 2003, 2007 and 2010 32-bit (Streblechenko, 2010).

NICA Forensic Tool passes the parameters through the code of where to look for the files (C:\\Documents and Settings\\My Documents), what files to look for (Personal Folder .pst files) and where to output the results (save the information in the database).

With the basic information of where to look for the PST files, the NICA Forensic Tool first loops through all PST files one at a time; then, within each PST, it loops through all messages and gathers the pertinent information, including created and modified dates for the messages as well as attachments, and saves this information in a dataset. Once all information is gathered in the dataset, the program saves it in the SQLite database.

Chapter 5

Cracking a Criminal Case Using the NICA Forensic Tool

5.1 Criminal Case Statement

The legal process for a computer investigation of potential criminal violations of the law depends on local customs, legislative standards and rules of evidence. In general a criminal case follows three stages: the complaint, the investigation and the prosecution.

Complaint: Colorado Springs Police Department agents received information that an employee from All About Cats was downloading child pornography images on his work computer.

Investigation: A search warrant was executed at All About Cats' building. Agents conducted a preview examination of Doe's hard drive and discovered numerous image files of children engaged in sexually explicit conduct. During the investigation, Doe stated that he had about 13, 0000 images of child pornography, ranging in age from toddlers to teens.

Prosecution: First Appearance court day is schedule for November 3, 2010.

The extent of the search is tailored to the extent of the probable cause. If the police wish to seize a computer and analyze it at a later time, the probable cause statement should demonstrate the impracticability or danger of examining the computer on the premises, hence the need to confiscate it and analyze it off-site. The forensic technician considered that the investigation should be done on premises, since some network connections to the server could be needed.

5.2 Computer Forensics Analysis

Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data to process. Criminal investigations are limited to finding the data defined in the search warrant, and civil investigations are often limited by a court order for discovery. Investigations often involve locating and recovering a few specific items, which simplifies and speeds processing.

Although there are some basic principles that apply to almost all computer forensics cases, the approach taken depends largely on the specific type of case to be investigated.

Mr. Doe's case requires gathering e-mail information, so the case will involve more than the workstation itself: accessing network logs and e-mail server backups to locate specific messages, and the investigator may need to contact the ISP and the e-mail service.

Mr. Doe stated that he did not download any images, that those images were planted on his computer by an employee that was jealous of him and wanted to get him fired.

The NICA Forensic Tool that was designed in this thesis is the tool chosen by the forensic technician because it is well suited to this specific case.

5.3 Finding Evidence

Mr. Holmes is the forensic technician designated to find the evidence in this case. His first step is to insert the thumb drive with the NICA Forensic Tool on it and run the program. Running the tool on the live machine alters that machine (the program and its temp files are written to disk, and the utilities read the cache and history files), so the examiner should record the time the tool was run and hash the evidence files before and after. He enters the court case number that was already assigned, C021CR20103456, the type of case (Child Pornography), the investigator's name (Holmes) and any notes important to the case (see Fig. 23). He runs the parser to collect the information (see Fig. 24); once it is done he opens the viewer and selects the user and timeline (see Fig. 25), selects a date, views the activities and marks the ones that look suspicious or are important for evidence (see Fig. 26). The time frame between activities is entered (see Fig. 27) and the suspicious activities are viewed in a separate screen to facilitate the interpretation of the data (see Fig. 28).

Figure 23. Enter New Case Information.

Figure 24. Run Parser to get activity entries.

Figure 25. User profile and timeline for activities.

Figure 26. Mark items that seem suspicious.

Figure 27. Enter the preferred time frame between activities.

Figure 28. View the suspicious activity and the surrounding activities marked.

Figure 29. Mark Items by Pattern on the Outlook grid.

Figure 30. Search evidence between two Outlook users.

Figure 31. Report displaying activities that comply with the pattern selected.

Figure 32. Select and mark activities by defined keywords.

Figure 33. Display the number of activities found.

5.4 Analysis of Evidence Found

On a specific date, the evidence shows that the defendant visited the child pornography web site at 7:07 pm. The defendant states that someone planted the images, but the evidence shows a Windows Instant Messaging login at 7:07 pm, a logout at 7:10 pm and a login again at 7:10 pm. The evidence also shows that he visited this site on 25 different occasions at different times. There is no e-mail information relevant to the case; even though he has e-mail activity, its timeline is not useful as evidence, because there is about a four-hour difference between the time he used his e-mail and the time he visited the related site.

In conclusion there is strong evidence that the defendant visited the child pornography site, based on the following facts:

He logged into Instant Messenger at 7:07 pm and he visited the site at 7:07 pm. He logged out from IM at 7:10 pm and logged in again at 7:10 pm. That information puts him at his desk between 7:07 pm and 7:10 pm, since the suspect needs his username and password to log in to Instant Messenger (provided the credentials were not saved for automatic sign-in or known to others, which the examiner should check). Also there is evidence that he previously visited this site at least 25 times on different dates and times. It can be stated that there is more evidence that he did it than there is that the images were planted.

5.5 Correlating Evidence

There are different ways of searching for evidence using the NICA Forensic Tool:

Search by a specific suspected activity and its surrounding activities within a time frame. Select the time frame desired between any activity and the suspected activity. On the Time Line report select and mark the suspected activity. The suspected activity and any surrounding activities done by the user within the selected time frame will be displayed.

Evidence of other activities being done close to the time when the suspected activity occurred can be good supporting evidence that the crime was committed by the suspected individual.

Search for a specific keyword; it can be a name, an e-mail address, or a site name. Enter the keyword and all the activities containing the keyword will be displayed in the time window activities report, ordered by date and time. This search can be used to prove that the suspected site was visited previously and/or on different occasions by the suspected person.

Search by pattern searches using a group of keywords. On the Outlook activities, select a specific activity and mark the pattern. Enter the sender name and the receiver in the pattern window. All the e-mails between the selected sender and receiver will be displayed in the time window report. The user can also search by e-mail subject, and the information will be displayed in the time window report. Users can mark activities by pattern on any of the browser or application grids.

This search can be used as supporting evidence that the user did have communications with co-workers and/or friends close in time to when the suspected activity occurred.

5.6 Relevant Evidence

There are inclusion and exclusion criteria weighed by the investigators of the District Attorney's Office. Note that this is not an official statement, just an opinion based on hypothetical cases.

Inclusion Criteria:

 There is more than one different activity, e.g. visiting a web site and sending an e-mail, and
 the time difference between the activities is not more than 15 minutes
 The more activities close in time, the more relevant the evidence is
 The user's history shows previous visits to the same web site (very relevant)

Exclusion Criteria:

 There is only one activity and no history of the user visiting the same web site
 More than one activity, but more than 15 minutes apart, and no history of the user visiting the same web site
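The time-window search and keyword search of section 5.5, and the inclusion/exclusion criteria of section 5.6, are shown together below as an added example in Python; it is not the NICA Forensic Tool's code. The timeline is constructed to mirror the chapter 5 scenario (a site visit at 7:07 pm with IM activity around it, e-mail four hours earlier, and earlier visits to the same site); the host name, user name and timestamps are all made up. It goes slightly beyond the text in that the relevance check is applied once more with the IM activity removed, which is the "planted images" situation the criteria are meant to exclude.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Activity = namedtuple('Activity', 'when source user detail')


def ts(text):
    return datetime.strptime(text, '%Y-%m-%d %H:%M:%S')


# Constructed timeline modelled on the chapter 5 scenario (not real case data):
# a site visit at 7:07 pm, IM login/logout/login around it, e-mail four hours
# earlier, and two earlier visits to the same site from different browsers.
TIMELINE = sorted([
    Activity(ts('2010-10-25 19:07:03'), 'IE', 'jdoe', 'http://suspect-site.example/gallery'),
    Activity(ts('2010-10-25 19:07:40'), 'IM', 'jdoe', 'login'),
    Activity(ts('2010-10-25 19:10:02'), 'IM', 'jdoe', 'logout'),
    Activity(ts('2010-10-25 19:10:41'), 'IM', 'jdoe', 'login'),
    Activity(ts('2010-10-25 15:05:10'), 'Outlook', 'jdoe', 'mail to coworker@example.com'),
    Activity(ts('2010-10-18 12:40:00'), 'IE', 'jdoe', 'http://suspect-site.example/index'),
    Activity(ts('2010-09-30 22:15:30'), 'Firefox', 'jdoe', 'http://suspect-site.example/gallery'),
], key=lambda a: a.when)


def surrounding(timeline, suspect, window_minutes=15):
    """Same user's activities within +/- window of the marked one (the time window report)."""
    delta = timedelta(minutes=window_minutes)
    return [a for a in timeline
            if a is not suspect and a.user == suspect.user and abs(a.when - suspect.when) <= delta]


def keyword_search(timeline, keyword):
    """All activities whose detail contains the keyword (site name, address, name), by time."""
    needle = keyword.lower()
    return [a for a in timeline if needle in a.detail.lower()]


def relevance(timeline, suspect, keyword, window_minutes=15):
    """Apply the section 5.6 criteria to one marked activity.

    Included when another kind of activity falls inside the window, or when the
    user's history shows earlier visits matching the keyword; otherwise excluded.
    """
    nearby = surrounding(timeline, suspect, window_minutes)
    other_sources = sorted({a.source for a in nearby} - {suspect.source})
    history = [a for a in keyword_search(timeline, keyword) if a.when < suspect.when]
    return {
        'include': bool(other_sources) or bool(history),
        'nearby': len(nearby),
        'other_sources': other_sources,
        'prior_visits': len(history),
    }


if __name__ == '__main__':
    suspect = next(a for a in TIMELINE if a.when == ts('2010-10-25 19:07:03'))
    for a in surrounding(TIMELINE, suspect):
        print(a.when, a.source, a.detail)
    print(relevance(TIMELINE, suspect, 'suspect-site.example'))
```

Before correlating like this, every source's timestamps must be brought onto one clock: browser cache and history viewers report local time, while some application logs record UTC, and a few hours of offset is exactly the difference between "included" and "excluded" under the 15-minute rule.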

Chapter 6

NICA Forensic Tool Analysis

6.1 Functionality Analysis

NICA Forensic Tool was designed as a tool to be used by investigators or forensic analysts; it is in no way a substitute for the investigator's experience. It allows the investigator to find the specific suspected sites, the times that they were visited and the previous history; it also provides information on whether any other applications like Skype, Instant Messenger or Outlook were used.

NICA Forensic Tool uses external tools to help parse the cache files from the IE, Mozilla Firefox and Google Chrome browsers and also to gain access to and parse the Outlook PST files. The external tools just perform the function of parsing the related files; they do nothing other than create an output which the NICA Forensic Tool then consumes. NICA Forensic Tool takes the output of the parsers, uses logic to determine what information is valuable, puts that information in a database, and displays any necessary output. All other tasks of the NICA Forensic Tool, such as getting cookies, the history file, Skype logs and instant messenger logs, all GUI displays for all information and all reports, are completely the job of the NICA Forensic Tool.

With this information investigators can mark the suspicious activities, and display and analyze the time between any of the activities. That information can be used as evidence. How relevant the information is will depend on law enforcement policies, but it can be a very powerful tool.

6.2 Performance Analysis

I tested the performance of the NICA Forensic Tool on three different computers and obtained the following results:

Computer     Activities                                  Entries   Total Time
Computer 1   IE, Firefox, Chrome, Skype, Outlook, IM     25,356    5 min 10 sec
Computer 2   IE, Firefox, Outlook                        256       2 sec
Computer 3   IE, Firefox, Outlook, IM                    16,381    2 min 12 sec

Table 1. NICA Forensic Tool Performance Analysis

The time depends on how many activities are stored on the computer and how many applications are installed. It can be as fast as two seconds or can take several minutes. I could not find more volunteers willing to have a forensic tool run on their computer.

6.3 Usage Evaluation

Possible Users of the NICA Forensic Tool

Investigators: police investigators or DA's investigators that are searching for evidence to support an alleged criminal case.

Forensic Technician: assist law enforcement agencies in searching for digital evidence.

System Administrators from large corporations: to investigate if employees have broken any company computer/network usage policies.

Learning Difficulties and technical difficulties for the users

NICA Forensic Tool is a new application; at the beginning the user might have some challenges, but it is easy to use. A user's manual is available to each user; it explains step by step each process needed to find and obtain the evidence. The accuracy of the evidence is a key issue in a court of law, so users will be very motivated to find evidence for their case.

User’s Tasks

The actions that the user will perform with the program are:

 Copy the program to the "suspected" computer
 Create a New Case, or Open a case if one has been previously saved. Run the parser to get the quantity of items that the program finds. Mark the suspected activities and select the time window between activities
 Additional information can be found by entering a keyword or dates; mark the items by selecting keyword and/or dates
 Get the time line report by marking suspected activities that occurred in the time frame already specified and/or marked as suspicious activities by keyword and/or dates

User’s Informational Needs

Users need to read the user manual to understand how the application works. Users can save all the information and retrieve it as needed.

User’s observations from testing the NICA Forensic Tool

Investigator 1

He recommended that the user manual have more images and guide him step by step. He used the 30 minute window setting between activities instead of the default value of 15 minutes. He stated that additional activities closer in time to the suspected activity make the evidence more convincing, but that 30 minutes is also reasonable. After he marked a suspected site, the time window activities report displayed the suspected activity and the surrounding activities within the 30 minute time frame. He thinks that the information displayed is very valuable and useful in a court of law because the time was very specific, to the milliseconds. The report also contained detailed information about the suspect's logins and usage of other applications within the 30 minute time frame. The evidence found will at least create a doubt in the jury's mind when the evidence shows that the suspect was doing other activities almost at the same time that he/she visited the suspected site. He suggested the ability to print the report in a Word document to make it easier to read.

Investigator 2

She found that the user manual was very detailed in its step by step instructions and that she could skip some areas. She used the feature of marking by pattern; she wanted to find out if a suspect had previously visited a specific site. The Time Window Activities report displayed all the requested information. The investigator was pleased with the information found because it could be used in court to prove that the suspect had previously visited the sites. This type of information helps with the theory that the suspect had the intention to commit a crime. She wanted to know if there was a way to find out whether a suspect visited a site and then later deleted the file to cover up his/her crime. She would want this feature added to the NICA Forensic Tool if it were possible. Otherwise she found the information very useful and suggested putting it on the market.

Investigator 3

He chose to mark the items by keyword because he has experience looking for evidence in the Outlook application. Marking items by keyword allows him to find e-mails that were sent back and forth between two users. The report displayed information about the sender and receiver and what time each activity occurred. He also tested the feature of finding an e-mail that contained a specific keyword in the subject. The report displayed the information found by date and time. He suggested that a future enhancement would be to enable searching information on all the existing e-mail applications like Hotmail, Gmail and Yahoo.

User’s Learning Preferences

Users prefer a user manual explaining the process step by step.

Chapter 7

Lessons Learned

I learned a great deal about the legal side of forensics and about the technical side of forensics.

On the legal side I found out that the laws are very ambiguous, leaving the judges a lot of room for interpretation of the law. I learned about all the new amendments made to the PATRIOT Act and to the search and seizure bill affecting the state of Colorado.

On the technical side, I did not know much about the Windows registry keys; it is amazing how much information can be tracked using them. The information and potential evidence that reside in the Registry make it a significant forensic resource; uncovering this data can be crucial to any computer-related investigation. Another big thing I learned about was the Microsoft Log Parser tool and how useful it can be for tracking daily activities.

There are no standard rules for computer forensics; a tool can be admitted in court in one county and may not be admitted in another county. Even EnCase, which is the most popular tool for forensic investigations, sometimes has issues in court.

Chapter 8

Conclusions

There are a lot of open source forensic tools available. The most popular forensic tools are very expensive and available mostly to law enforcement agencies. There is no established set of rules for capturing forensic evidence, and the laws are very ambiguous.

Computer forensics is a relatively young area; it is changing too quickly and our laws are lagging behind.

The lack of standardization for forensic tools has allowed different tools to have different ways of generating the data and different formats for outputting the data.

The goal was to create a tool that captures evidence about web sites visited and captures any activity or logins to Outlook, Skype and instant messenger.

Forensic analysis of a computer system involves identifying suspicious objects or events and then examining them in enough detail to form a hypothesis as to their cause and effect. Much more cyber crime exists than law enforcement acknowledges or identifies, and there are many techniques that law enforcement is largely unaware of.

Because the focus of law enforcement is on recovering files rather than discovering how the files entered the system, there is little emphasis on enhancing systems to collect such data. None of the forensic techniques currently used in court are sufficient to justify claims that implicate a specific person. It is not enough to recover a deleted file or view a standard system log. One has to know the history of files and the events that led up to their creation, viewing, deletion and modification. A criminal conviction requires proving beyond a reasonable doubt that a person intentionally downloaded child pornography onto the school's computer. Images might appear on a disk without the computer user knowing about them for many reasons: pop-up images on web sites may download files in the background and save them in the cache; the images could be part of unsolicited spam e-mail; another person may simply have downloaded them, either to view the pornography themselves or to implicate someone else. Many forms of malware are capable of commandeering a computer in order to store and/or redistribute pornography. Such malware would explain the images as well as the corresponding changes to the browser's history. Forensic software used in the vast majority of court cases cannot make the distinction among these methods of file creation (Peisert, Bishop and Marzullo, 2008).

In general, the goal of this thesis was achieved by obtaining the evidence with a timeline to support that a defendant had the intention to commit a crime. The tool will not make a distinction if someone planted the evidence, but if other login activities were done by the user at the same time or very close in time, it will help the investigator to demonstrate that there is relevant evidence placing the defendant at that place and time of the criminal activity. NICA Forensic Tool helps the prosecutor by providing relevant evidence; the rest is up to him/her.


References

Berson, T. (2005, October 18). Skype Security Evaluation. Retrieved from http://security.utexas.edu/consensus/skype.html

Brenner, S. W., & Frederiksen, B. A. (2001/2002). Computer Searches and Seizures: Some Unresolved Issues. Michigan Telecommunications and Technology Law Review, 8, 39.

Bui, S., Enyeart, M., & Luong, J. (2003, May 22). Issues in Computer Forensics. Retrieved from http://www.cse.scu.edu/~jholliday/COEN150sp03/projects/Forensic%20Investigation.pdf

Bunting, S. (2006). Computer Forensic Resources – Log Parser. Retrieved from http://www.stevebunting.org/udpd4n6/forensics/logparser.htm

Computer Forensics. (2008). Retrieved from http://en.wikipedia.org/wiki/computer_forensics

Herong Yang. (2008). Registry Hives. Retrieved May 7, 2010, from Herong's Tutorial Examples Web site: http://www.herongyang.com/Windows/Registry-Hives-HKCR-HKCU-HKLM-HKU-HKCC-HCPD.html

Berghel, H. (2003, August). The Discipline of Internet Forensics. Communications of the ACM, 46(8).

Downloadatoz. (2010). Outlook Redemption. Retrieved from http://www.downloadatoz.com/outlook-redemption/

House Bill 10-1201. (2010). General Assembly of the State of Colorado.

IST 432 – Computer Forensics. Retrieved from http://faculty.ist.psu.edu/bagby/432Portals/T2/IST%20432%20-20Computer%20Forensics.htm

Jones, K. (2003, May 6). Forensic Analysis of Internet Explorer Activity Files. Retrieved from http://www.foundstone.com/us/pdf/wp_index_dat.pdf

Jones, K. (2003). Forensic Analysis of Microsoft Internet Explorer Cookies Files. Retrieved from http://sourceforge.net/projects/odessa/files/ODESSA/White%20Papers/IE_Cookie_File_Reconstruction.pdf/download

Kristianto, I. (2009). How to use SQLite ADO.NET with C#. Retrieved from http://www.ivankristianto.com/software-development/visual-studio-net/howto-use-sqlite-ado-net-with-c/943/

Lim, N., & Khoo, A. (2009, June). Forensics of Computers and Handheld Devices: Identical or Fraternal Twins? Communications of the ACM, 52(6).

Monnat, D., & Ethen, L. (2004, March). A Primer on the Federal Wiretap Act and Its Fourth Amendment Framework. Retrieved from http://www.monnat.com/Publications/Wiretap.pdf

MozillaZine. (2009). Profile Folder – Firefox. Retrieved from http://kb.mozillazine.org/Profile_folder

MozillaZine. (2009). Profiles.ini File. Retrieved from http://kb.mozillazine.org/Profiles.ini_file

Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2008). Guide to Computer Forensics and Investigations. Thomson Course Technology.

NirSoft. (2009). IEHistoryView. Retrieved from http://www.nirsoft.net/utils/iehv.html

NirSoft. (2009). ChromeCacheView. Retrieved from http://www.nirsoft.net/utils/chrome_cache_view.html

NirSoft. (2009). MozillaCacheView. Retrieved from http://www.nirsoft.net/utils/mozilla_cache_viewer.html

NirSoft. (2009). IECacheView – Internet Explorer Cache Viewer. Retrieved from http://www.nirsoft.net/utils/ie_cache_viewer.html

Notenboom, L. (2004). Are you sure there is no way to retrieve MSN Messenger history without archive messages selected? Ask Leo. Retrieved from http://ask-leo.com/are_you_sure_theres_no_way_to_retrieve_msn_messenger_history_without_archive_messages_selected.html

Notenboom, L. (2004). Can I retrieve old MSN Messenger conversations? Ask Leo. Retrieved from http://ask-leo.com/can_i_retrieve_old_msn_messenger_conversations.html

Ohm, P. (2005). The Fourth Amendment Right to Delete. Retrieved from http://www.harvardlawreview.org/forum/issues/119/dec05/ohm.pdf

Peisert, S., Bishop, M., & Marzullo, K. (2008, April). Computer Forensics in Forensis. ACM SIGOPS Operating Systems Review, 42(3).

PeterI., Outlook Redemption. Retrieved from http://en.wikipedia.org/wiki/User:Peterl/Outlook_Redemption

Richard III, G., & Roussev, V. Next Generation Digital Forensics. Communications of the ACM (49), February 2006

Reyes, A & Wiles, J., (2007). The Best Damn Cybercrime and Digital Forensics.

Burlington, MA. Syngress Publishing Inc.

Schneier, B., Kelsey, J., Secure Audit Logs to Support Computer Forensics. Communications of the ACM (2), May 1999. 102

Skibell, R. (2003). Cybercrimes and Misdemeanors: A Reevaluation of the Computer

Fraud and Abuse Act. Berkely Technology Law Journal, 18/909.

Skype Log File Analysis (2009) Retrieve from http://www.lpcforensic.it/public_html/yabbfiles/Attachments/SkypeLogFileAnalysis.pdf

Streblechenko, D., (2010) Outlook Redemption Retrieved from http://www.dimastr.com/redemption/

United States Department of Justice. (2009, Sept) Computer Crime and Intellectual

Property Section. Retrieve from http://www.cybercrime.gov/ssmanual/index.html

US-CERT,(2008) Computer Forensics Retrieved from http://www.us- cert.gov/reading_room/forensics.pdf

Wegman, J., (2004) Computer Forensic: Admissibility of Evidence in Criminal Cases.

Retrieve from http://www.cbe.uidaho.edu/wegman/Computer%20Forensics%20AA

%202004.htm

Winn, P., (2008, Dec 8) Katz and the Origins of the “Reasonable Expectation of Privacy” test. Retrieve from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1291870 103

Appendix A

US Criminal Code 2705

US Criminal Code 2705 was modified by Section 213 of the PATRIOT Act.

§ 2705. Delayed notice

(a) Delay of notification.--(1) A governmental entity acting under section 2703(b) of this title may--

(A) where a court order is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order may have an adverse result described in paragraph (2) of this subsection; or

(B) where an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena is obtained, delay the notification required under section 2703(b) of this title for a period not to exceed ninety days upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result described in paragraph (2) of this subsection.

(2) An adverse result for the purposes of paragraph (1) of this subsection is--

(A) endangering the life or physical safety of an individual;

(B) flight from prosecution;

(C) destruction of or tampering with evidence;

(D) intimidation of potential witnesses; or

(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

(3) The governmental entity shall maintain a true copy of certification under paragraph (1)(B).

(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.

(5) Upon expiration of the period of delay of notification under paragraph (1) or (4) of this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail to, the customer or subscriber a copy of the process or request together with notice that--

(A) states with reasonable specificity the nature of the law enforcement inquiry; and

(B) informs such customer or subscriber--

(i) that information maintained for such customer or subscriber by the service provider named in such process or request was supplied to or requested by that governmental authority and the date on which the supplying or request took place;

(ii) that notification of such customer or subscriber was delayed;

(iii) what governmental entity or court made the certification or determination pursuant to which that delay was made; and

(iv) which provision of this chapter [18 USCS §§ 2701 et seq.] allowed such delay.

(6) As used in this subsection, the term "supervisory official" means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency's headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney's headquarters or regional office.

(b) Preclusion of notice to subject of governmental access.--A governmental entity acting under section 2703, when it is not required to notify the subscriber or customer under section 2703(b)(1), or to the extent that it may delay such notice pursuant to subsection (a) of this section, may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in--

(1) endangering the life or physical safety of an individual;

(2) flight from prosecution;

(3) destruction of or tampering with evidence;

(4) intimidation of potential witnesses; or

(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

SEC. 213. AUTHORITY FOR DELAYING NOTICE OF THE EXECUTION OF A WARRANT.

Section 3103a of title 18, United States Code, is amended--

(1) by inserting `(a) IN GENERAL- ' before `In addition'; and

(2) by adding at the end the following:

(b) DELAY- With respect to the issuance of any warrant or court order under this section, or any other rule of law, to search for and seize any property or material that constitutes evidence of a criminal offense in violation of the laws of the United States, any notice required, or that may be required, to be given may be delayed if--

(1) the court finds reasonable cause to believe that providing immediate notification of the execution of the warrant may have an adverse result (as defined in section 2705);

(2) the warrant prohibits the seizure of any tangible property, any wire or electronic communication (as defined in section 2510), or, except as expressly provided in chapter 121, any stored wire or electronic information, except where the court finds reasonable necessity for the seizure; and

(3) the warrant provides for the giving of such notice within a reasonable period of its execution, which period may thereafter be extended by the court for good cause shown.

Appendix B

User’s Manual

This chapter explains the GUI and the information that the NICA Forensic Tool provides to the investigator.

Product

NICA Forensic Tool is designed to help forensic investigators determine whether or not a crime was committed. It is tailored towards web activities related to child pornography, credit card fraud, identity theft, industrial espionage, casual hacks and others.

This application gathers the information needed to show the investigator which web sites the user visited if the browsers used were Internet Explorer, Google Chrome and/or Mozilla Firefox. It also collects information from Outlook, Skype and Instant Messenger if they are installed on the computer. Finally, it provides the investigator with a timeline for each activity, which allows them to weigh the evidence.

Scope/Purpose:

This new tool is very easy to use: it is a Windows Forms application with a very user-friendly GUI. It is accessible to everybody who meets the system requirements to download the application. It was designed to help forensic investigators by providing more than just browser information; it supplies a timeline of activities and a weight of the evidence. Most of the information is retrieved from registry keys, which provide accurate information.

User’s Data Flow

Conventions

Dates conform to ISO 8601 to avoid international ambiguity.

Numbers conform to the IEEE convention that spaces separate every three digits and the decimal place should be represented by a dot.

Each file has a similar look and feel. Several templates are necessary to cover the different programming languages. A new source file is created by running the appropriate template script and redirecting the output into a new file.

Uniform code is used throughout the application, along with a naming convention.

Installing the software

System Requirements (General)

Processor: 600 MHz processor (recommended: 1 gigahertz (GHz) processor)

RAM: 192 MB (one of the listed configurations requires 256 MB); recommended: 256 MB

Available Hard Disk Space: 1 GB of available space

Operating System: Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or Windows Vista

For a 64-bit computer, the requirements are as follows: Windows Server 2003 Service Pack 1 x64 editions, or Windows XP Professional x64 Edition

CD-ROM Drive or DVD-ROM Drive: Required

Video: 800 x 600, 256 colors (recommended: 1024 x 768, High Color 16-bit)

Mouse: Microsoft mouse or compatible pointing device

Information/resources required in the process of installation

All the utilities are included in the application; there is nothing for the user to install.

Deploying the Forensic Tool

NICA Forensic Tool will be distributed to investigators on a thumb drive. They should extract the zip file to a location on the computer to be investigated, such as the hard drive (e.g. the user desktop), open the folder and run (double-click) the forensicTool.exe file to launch the program.

NICA Forensic Tool GUI:

File -> Open Case to create a new forensic case

Under the File tab, investigators have the choice to create a new case or open an existing case, as well as Save Case, Save Case As, or Exit the application.

If New Case is selected:

Enter the case reference ID; case numbers usually look like C021CR2010002323, but the format depends on the law enforcement department.

Forensic Analyst is the name of the forensic investigator, and Notes holds notes relevant to the case.

The case will be saved if a case with that number was not created and saved before; otherwise a message is shown to the user stating that the case already exists.

If the case already exists -> Open Case

Previous cases are saved in a table in a SQLite database.

Find and select the case number to reload the case and run the parser.

Parser -> Run Parser

Press Start to run the search, or press Cancel.

In this case there are 3 user profiles on the computer; there are 15,883 entries in the IE cache file, 2726 history files, 923 cookies, 6 Firefox history files, 151 Firefox cache files, 71 Firefox cookies, 1189 Chrome history files and 788 Chrome cache files.

There are also Skype, Outlook and Windows Live Messenger entries if those programs are used on the investigated computer.

Viewer allows the investigator to view user profiles, Internet Explorer, Firefox, Chrome, Skype, Outlook, Windows Live Messenger and timeline activities for each user.

Viewer -> Internet Explorer -> History to view the Internet Explorer history

The IE History file contains the user's URL, the title of the site, how many times the site was hit, the date the file was last modified, the expiration time, the subfolder if there is any, and the user name. The title of the site gives the name of the specific site and a little more information about it; this feature helps investigators glance through the information faster and find the suspected sites. E.g. the URL Durango.org does not tell the investigator much, but the title "Colorado vacation: Colorado sightseeing - Durango area" gives more specific, easy-to-read information.

The following procedures can be performed with each of the browsers (Internet Explorer, Firefox and Chrome) and can be used on each grid that contains the history, cache and cookie files for that browser.

To find all the Internet Explorer visits to any "Durango" site, investigators need to right-click the activity, select Mark items by pattern and enter Durango as the keyword to search for.

There are 5 items found that contain the keyword "Durango".

After the entries have been selected by the NICA Forensic Tool, it is easier to display all the information found on its own. Go to Viewer -> Time Window Activities to view the suspected activities.

The Time Window Activities grid displays the days and times at which the suspect visited the sites that contain the keyword "Durango". E.g. on 4/28/2010 sites containing the keyword "Durango" were visited five times: at 8:47 am, 8:47 am, 10:37 am, 10:43 am and 10:46 am.

If more information about the site is needed, right-click and select Properties. A window will display more information about the site.

Internet cache Files and cookie files

Viewer -> Internet Explorer -> Cache will display the Internet Explorer cache file. The information displayed is the file name (which can be, for example, a gif file), the content type that explains what type of file it is (such as an image file), the URL, the time the file was created, the last time the file was modified, the expiration time, how many times the file was hit, the file size, the subfolder location, the full path and the user name.

Viewer -> Internet Explorer -> Cookies displays the IE cookie information: web site, modified time, last accessed time, created time, file name, missing file, file size and user name.

Viewer -> Firefox -> History

It displays the URL, last visited time, how many times the site was visited, reference (tracks redirected links), web site title, visit type (such as link or typed URL) and user name.

Viewer -> Firefox -> Cache displays the information in the Firefox cache files: file name, content type, URL, file size, how many times the site was visited, last time the file was modified, last fetched, expiration time, server name, server response, server time, server last modified time, content encoding, cache name, cache control, entity tag and user name.

Viewer -> Firefox -> Cookies displays the information in the cookie files: domain host, path, value, expiration time, last accessed time, secure, domain access, line ID and user name.

Viewer -> Chrome -> History

It displays the Chrome history information: URL, last visited time, how many times it was visited, reference, title, visit type, redirect type and user name.

Viewer -> Chrome -> Cache displays the cache file information: file name, content type, URL, file size, last accessed time, expiration time, server name, server response, server time, server last modified, content, cache name, cache control, entity tag and user name.

Viewer -> Chrome -> Cookies displays the cookie information: domain host, path, value, expiration time, last accessed time, secure, domain access, line ID and user name.

Skype Activities

If Skype is installed on the investigated computer, a list of activities will show under Viewer -> Skype. If it is not installed or has no activities, zero activities are shown.

The columns are: record number, action type (chat message, outgoing call, incoming call, video), action time, Skype user, display name (the Skype user name is most of the time just a nickname, not the real name of the user), duration of the current activity, the chat message (note that call messages could not be retrieved), chat ID, file name, Skype account (when an account is set up, a username and password need to be created; the Skype account is that user name) and user name (who logged into the computer).

Specific Skype activities can also be found by right-clicking and choosing Mark items by pattern, to select information such as with whom the suspect was communicating, at what time and on which days.

A total of the activities will be shown.

TimeWindowsActivitiesViewer will display all the activities that match the requested parameters. Dates, times and the activities' details will be available to help the investigator search for evidence.

Outlook Activities

This viewer will display Outlook activities, if there are any.

Folder name, sender name, sender email address, send to, copy to and blind copy to are some of the information the viewer can display, along with modified, last modification time, whether the message was read or unread, submitted, deleted, auto forward, read receipt, size, and the .pst file (the Outlook file where the information is stored). Note that the email message body is not displayed. NICA Forensic Tool is concerned with the time and other particular evidence such as send to; the email message contents are not required for the functionality of the tool.

Time information is needed for the timeline report, and send to can be used as evidence to prove that the owner of the computer knows the receiver of the email.

Outlook-specific activities can also be found by right-clicking on the Outlook activity grid, selecting the specific activity of interest and choosing Mark items by pattern.

Activities can be chosen by sender name or email address. This feature helps investigators find all the Outlook activities between a specific sender name and a receiver name.

The window activity viewer will show all the days on which the conditions were met. Just select the day, and a window will show each activity for that day.

Instant Messenger

The viewer shows Windows Live Messenger activities.

Right-click and choose Mark items by pattern to select specific activities.

Activities by account are selected, and will be displayed by dates, times and activity description.

TimeLine Report

This report shows all the combined information by date and time for each user found. In this case we have four users. Select the user under investigation and choose the date on which you suspect the suspicious activities occurred.

If there is a suspect activity, click to select it and right-click to open a dialog box to mark the selected item -> suspect items or malicious items.

Then go to Tools -> Time Window Setting

This feature allows the investigator to select any other activity, such as Skype, Outlook, IM or any site visit, that falls within the specified time frame. In this case, the time frame will be 15 minutes.

Go to Viewer -> TimeWindowActivities

A time window will open showing all the activities around the previously marked suspect activity that fall within 15 minutes of it.

The NICA Forensic Tool keyword feature helps investigators get information about visited sites faster. Tools -> Browser Keyword List allows the investigator to enter a keyword for visited sites, such as 1and1.

On the timeline viewer, mark with defined keywords (already selected previously).

A window will display the total number of entries found with the specified parameters.

The time window viewer will then display, with highlights, all the dates and times at which the site 1and1 was visited.

If more information is needed for a specific activity, right-click and select View Properties. A window will open displaying all the details of the selected activity.
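As an added illustration of the Mark items by pattern, Browser Keyword List and Time Window Setting features described above (example code written for this page, not part of the NICA Forensic Tool, which is a C# Windows Forms application): the constructed timeline below carries the five "Durango" visits from the walkthrough plus invented Skype, Outlook and second-profile entries, and the 15-minute window around a marked suspect item pulls in the corroborating login activities of the same Windows user.

```python
"""Keyword marking and time-window correlation over a multi-source timeline.

Added example for this page; not the NICA Forensic Tool's own code.
Timestamps use ISO 8601 (the manual's convention); all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Activity:
    source: str       # artifact origin: "IE history", "Skype", "Outlook", ...
    user: str         # Windows profile the artifact was found under
    when: datetime    # timestamp parsed from the artifact
    detail: str       # URL and title, chat text, mail recipient, ...


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample timeline (not real case data). The five IE hits on
# 2010-04-28 mirror the "Durango" example in the manual; the Skype, Outlook
# and second-profile (msmith) entries are invented to show the correlation.
SAMPLE = [
    Activity("IE history", "jdoe", _t("2010-04-28T08:47:00"), "http://www.durango.org/ Colorado vacation: Durango area"),
    Activity("IE history", "jdoe", _t("2010-04-28T08:47:30"), "http://www.durango.org/lodging Durango lodging"),
    Activity("Chrome history", "jdoe", _t("2010-04-28T09:30:00"), "http://example.org/news Daily news"),
    Activity("IE history", "jdoe", _t("2010-04-28T10:37:00"), "http://www.durango.org/events Durango events"),
    Activity("Skype", "jdoe", _t("2010-04-28T10:40:00"), "outgoing call to contact_alpha (constructed)"),
    Activity("IE history", "msmith", _t("2010-04-28T10:41:00"), "http://example.net/ Example"),
    Activity("IE history", "jdoe", _t("2010-04-28T10:43:00"), "http://www.durango.org/map Durango area map"),
    Activity("IE history", "jdoe", _t("2010-04-28T10:46:00"), "http://www.durango.org/tickets Durango tickets"),
    Activity("Outlook", "jdoe", _t("2010-04-28T10:50:00"), "send to: travel@example.com (constructed)"),
]


def mark_by_pattern(activities, keyword):
    """'Mark items by pattern': case-insensitive keyword match on the detail column."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    return [a for a in activities if pat.search(a.detail)]


def time_window(activities, suspect, minutes=15, user=None):
    """'Time Window Setting': every other activity within +/- `minutes` of the
    marked suspect item, from any source, optionally restricted to one profile."""
    delta = timedelta(minutes=minutes)
    hits = [a for a in activities
            if a != suspect
            and abs(a.when - suspect.when) <= delta
            and (user is None or a.user == user)]
    return sorted(hits, key=lambda a: a.when)


def corroborating_sources(window):
    """Distinct artifact sources in the window; login-type sources (Skype,
    Outlook, IM) next to the browser hit are what place the user at the keyboard."""
    return sorted({a.source for a in window})


if __name__ == "__main__":
    marked = mark_by_pattern(SAMPLE, "durango")
    print(f"{len(marked)} items contain 'durango'")
    suspect = marked[3]  # the 10:43 visit, marked as the suspect item
    window = time_window(SAMPLE, suspect, 15, user=suspect.user)
    for a in window:
        print(a.when.isoformat(), a.source, a.detail)
    print("sources:", corroborating_sources(window))
```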
