Bar News - January 19, 2007
Forensic Evidence - Understanding Basic Digital Forensics
By: Jerry Nicholson
It seems you can’t go a day without hearing that digital forensics was instrumental in the outcome of some case or another. Watching forensics in action on television makes it all seem so easy. Real life is seldom so cut-and-dried.
Digital forensics is the science of discovery of the tiniest evidence in the most mind-boggling quantity. Evidence can exist as just a few deleted e-mail files amongst hundreds of thousands of files on a hard drive, or it can be 10,000 digital images that need to be categorized by origin, date, subject matter and ownership. Computer forensics can be very expensive, but is worth the cost to win a case. Very often digital forensic evidence results in capitulation without the time and expense of a trial.
Evidence can be derived from computer hard drives, cell phones, PDAs, zip drives, thumb drives, digital cameras and tape backups. Evidence can be recovered from a hard drive that has been completely deleted and formatted. Password- and encryption-protected data can often be recovered with a little effort.
There are very specific requirements for obtaining digital evidence. Of primary concern is not modifying the original data stored on a computer or other device during the discovery process. Merely starting a computer modifies information on the hard drive. Opening a file to read its contents changes information stored about that file, including its Modified, Accessed and Created time, known as the MAC Time. Modifying a file’s MAC time leaves room to question what other evidence was modified. It is imperative to prevent changes of any kind to the data being analyzed. This is accomplished by the use of “write blocking.”
Write blocking can be implemented by the use of special software or by the use of hardware devices. Both methodologies prevent system calls that would modify data on the original media. It’s been observed that hardware write blocking is more readily accepted than software, though when used properly, both types produce the desired results. It is standard procedure to reproduce the original media so that analysis can be performed on a copy and not the original. The reproduction of the original data is known as an “image.” There are a handful of currently accepted image formats, some of which are common to forensic software applications while others are proprietary to the company producing the forensic software. Hard drives are usually removed from the suspect computer and imaged in a safe environment on another computer.
It can be proven that data was not modified during imaging by the use of “hash values.” A hash is a unique string of numbers and letters produced by a complex algorithm. The values produced by a hash such as the industry standards MD5 and SHA1 have proven to be reliable. During discovery, hash values are produced for each file imaged as well as for the entire hard drive or other media. Any modification of the image will result in a different hash value than that of the original media.
Time is a critical factor in digital forensics. Computers date/time stamp all files based on the computer’s internal clock. If that clock is off by an hour or a year, it can dramatically influence culpability. Computer time is determined by booting the machine without hard drives attached and examining the BIOS time and comparing it to a reliable source.
Preservation of evidence is also important. If a computer forensic examiner images a hard drive and the hard drive is then returned to service, that media will be modified from the original. Thus, it can be problematic to prove that the image obtained is an accurate reproduction. Files that are deleted will actually remain on a hard drive indefinitely until they are overwritten by new data. Putting that hard drive back into use will ultimately destroy evidence. There is then no way to compare the image to the original and that can reduce the value of the image.
Digital forensics is still in its infancy. There are various certifications available to the industry, most of which require the same training and knowledge. Some demand experience in the field while others emphasize classroom and lab training and testing. All require knowledge of computing devices, storage media and how those systems work together. However, knowing a lot about computers does not necessarily meet the requirements of digital forensics.
Copyright 2006, Mlink.com LLC. All rights reserved worldwide.
Jerry Nicholson is president of Mlink.com, a Canaan-based information technology firm that offers computer forensic analysis services. Contact him with your comments at email@example.com.