Computer Forensics and Cyber Security - Lesson - 2

Computer Forensics and Cyber Security
Forensic examination of computers and digital electronic media

Introduction
• In order to properly gather evidence, it is important to understand how the technology works
• Requisite understanding of technology
• Tools to help in gathering the evidence from those devices.

Computers and Digital Electronic Media
• Devices
– Hard Disks
– Tablets and Mobile phones
• Email

Basic Hard Drive Technology
• Composition of hard drives
– Platters
– Heads
– Cylinders
– Sectors
• Locating hard drive geometry information
– The information on the label on the hard drive contains the drive geometry

Basic Hard Drive Technology
• Platters
– The actual disks inside the drive that store the magnetized data.
– Traditionally made of a light aluminum alloy and coated with a magnetizable material such as a ferrite compound
– Newer technology uses glass and/or ceramic platters because they can be made thinner and also because they are more efficient at resisting heat.

Basic Hard Drive Technology
• Heads
– Mechanism that reads data from or writes data to a magnetic disk.
– Hard drives usually have many heads
– Usually two heads per platter (one for each surface)

Basic Hard Drive Technology (Cont.)
• Hard drive standards
– ATA (advanced technology attachment)
– ATAPI (advanced technology attachment programmable interface)
– IDE (integrated drive electronics)
– PIO (programmable input/output)
– UDMA (ultra direct memory access)
– ATA speed rating
– SATA (serial advanced technology attachment)

Other Storage Technologies
• Tape drive technologies
– QIC, DAT, DLT
• ZIP and other high-capacity drives
– Optical media structures
– Single session vs. multisession CDs
– DVDs
• USB Flash drives
• SSD drives
Tablets and Cellular Phones
• New phones are low-end computers with the following capabilities:
– PDA functionality
– Text messaging
• SMS, EMS, MMS, IM
– Single photo and/or movie video capable
– Phonebook
– Call logs
– Subscriber identity module
– Global positioning systems
– Video streaming
– Audio players

Cellular Standards
• GSM, CDMA, LTE
• CDMA
– Worldwide: 500M+ subscribers
• GSM / 3G GSM (UMTS)
– 4.5B subscribers

Drive and Media Analysis
• Acquiring data from hard drives
– Bit-stream transfer
– Disk-to-disk imaging

Drive and Media Analysis (Cont.)
• Acquiring data from removable media
– Document the scene
– Use a static-proof container and label the container with
• Type of media
• Where the media was found
• Type of reader required for the media
– Transport directly to the lab
– Do not leave any media in a hot vehicle or environment
– Store media in a secure and organized area

Drive and Media Analysis (Cont.)
• Acquiring data from removable media (cont.)
– Once at the lab, make a working copy of the drive
• Make sure the media is write-protected
• Make a hash of the original drive and the duplicate
• Make a copy of the duplicate to work from
• Store the original media in a secure location

Drive and Media Analysis (Cont.)
• Acquiring data from USB flash drives
– Write protect the drive
– Software may be needed to write protect
– Essentially recognized much like a regular hard drive by the operating system

Handheld Devices Analysis
• Guidelines for seizing PDAs/Tablets/Phones:
– If already off, do not turn it on
– Seal in an envelope before putting it in an evidence bag to restrict access
– Attach the power adapter through the evidence bag to maintain the charge
– Keep the active state if the PDA is on when found

PDA Analysis (Cont.)
• Guidelines for seizing PDAs/Tablets/Phones (cont.):
– A search should be conducted for associated memory devices
– Any power leads, cables, or cradles relating to the device should also be seized, as well as manuals
– Anyone handling the devices before their examination should treat them in such a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings

Chain of Custody
• Documentation of the chain of custody should answer the following:
– Who collected the device, media, and associated peripherals?
– How was the e-evidence collected and where was it located?
– Who took possession of it?
– How was it stored and protected while in storage?
– Who took it out of storage and why?

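The working-copy procedure from the removable-media slides (write-protect, hash the original and the duplicate, work from a copy of the duplicate) and the chain-of-custody questions above, combined in one added Python example that is not part of the lecture. The file names, examiner and location values, and the helper names verify_images and custody_entry are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Helper names below are hypothetical and not taken from the lecture slides.

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in fixed-size chunks so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_images(original, duplicate, working_copy):
    """Hash original, duplicate and working copy; ok only if all three agree."""
    hashes = {name: sha256_file(p) for name, p in
              (("original", original), ("duplicate", duplicate), ("working", working_copy))}
    return len(set(hashes.values())) == 1, hashes

def custody_entry(item, collected_by, how, where, stored, hashes, ok):
    """One chain-of-custody record answering who / how / where / how stored."""
    return {"item": item, "collected_by": collected_by, "how_collected": how,
            "where_found": where, "storage": stored,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "hashes": hashes, "integrity_ok": ok}

def demo():
    """Constructed 3 MiB 'images' stand in for a real drive; returns (ok, ok_after_tamper, record)."""
    data = bytes(range(256)) * 12288
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("original.dd", "duplicate.dd", "working.dd")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(data)
    ok, hashes = verify_images(*paths)
    record = custody_entry("USB-01 (constructed)", "Examiner A", "dd bit-stream copy",
                           "desk drawer, office 12", "evidence locker 3", hashes, ok)
    # Flip one byte of the working copy after imaging: the next check must fail.
    with open(paths[2], "r+b") as f:
        f.seek(1024)
        f.write(b"\xff")
    tampered_ok, _ = verify_images(*paths)
    return ok, tampered_ok, record

if __name__ == "__main__":
    print(demo()[2])
```

Re-running verify_images after the working copy changes is the check that tells you which copy is no longer trustworthy before you rely on findings from it.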
Secured Devices
• Ask the suspect what the password is
• Contact the manufacturer for backdoors or other useful information
• Search the Internet for known exploits for either a password crack or an exploit that goes around the password
• Call in a professional who specializes in data recovery

Cellular Phone Analysis
• History
– Originated in Europe and focused on the GSM SIM card. Roaming of devices from network and spectrum
– Required: identity info on SIM, SMS, phonebooks, and last numbers dialled on SIM
– Terrorist use of phones as IED detonators increased the demand for mobile forensics. Mobile device forensics is making a real impact in the war on terror.

Cellular Phone Analysis
• What data is obtainable (starting with the SIM):
– IMSI: International Mobile Subscriber Identity
– ICCID: Integrated Circuit Card Identification (SIM serial no.)
– MSISDN: Mobile Station Integrated Services Digital Network (phone number)
– Network Information
– LND: Last Number Dialled (sometimes, not always; depends on the phone)
– ADN: Abbreviated Dialled Numbers (phonebook)

Cellular Phone Analysis
• What is obtainable (starting with the SIM):
– SMS: text messages, sent, received, deleted, originating number, service center (also depends on the phone)
– SMS Service Center Info; GPRS Service Center Info
– Location Information: the GSM channel (BCCH) and Location Area Code (LAC) when the phone was last used.

Cellular Phone Analysis
• What is obtainable (not on the SIM, but found in GSM devices)
– IMEI: International Mobile Equipment Identity.
– To find the IMEI, type #*06#.
– The IMEI is on the device.
– The IMEI registers with the network, along with the IMSI.
– IMSI + IMEI + MSISDN together give the most detailed identity information about the user.

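The SIM and device identifiers listed in the preceding slides (IMSI, ICCID, IMEI), with an added Python example that is not from the lecture: it splits an IMEI into TAC and serial and validates the Luhn check digit that both IMEI and ICCID carry. The sample values and helper names are constructed, and the 2-digit MNC split is an assumption (the real MNC length depends on the MCC).

```python
# Hypothetical helpers, not from the lecture: luhn_check_digit, luhn_valid,
# parse_imei, parse_imsi, parse_iccid.

def luhn_check_digit(body: str) -> int:
    """Luhn check digit that would be appended to `body` (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled, then every other one
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])

def parse_imei(imei: str) -> dict:
    """15-digit IMEI: 8-digit TAC (type allocation), 6-digit serial, 1 check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14],
            "valid": luhn_valid(imei)}

def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """IMSI: 3-digit MCC, 2- or 3-digit MNC (length assumed here), then MSIN."""
    if not 6 <= len(imsi) <= 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 6 to 15 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

def parse_iccid(iccid: str) -> dict:
    """ICCID: 19 or 20 digits, telecom issuer prefix 89, Luhn check digit last."""
    if len(iccid) not in (19, 20) or not iccid.startswith("89"):
        raise ValueError("unexpected ICCID format")
    return {"issuer_prefix": iccid[:2], "valid": luhn_valid(iccid)}

if __name__ == "__main__":
    # Constructed sample values; not real subscribers or handsets.
    print(parse_imei("490154203237518"))
    print(parse_imsi("310150123456789"))
    print(parse_iccid("89014103211111111112"))
```

A failed check digit on a recovered IMEI or ICCID usually means a transcription or carving error, so validate identifiers before they go into a report.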
Cellular Phone Analysis
• What is obtainable (not on the SIM, but found in GSM devices)
– Phonebook
– Call history and details (to/from)
– Call durations
– Text messages with identifiers (sent-to and originating): sent, received, deleted messages
– Multimedia text messages with identifiers

Cellular Phone Analysis
• What is obtainable:
– Photos and video (also stored on external flash)
– Sound files (also stored on external flash)
– Network information, GPS location
– Phone info (CDMA serial number)
– Emails, memos, calendars, documents, etc. from PDAs
– Today with smartphones: GPS info, social networking data

Cellular Phone Analysis
• Determine which forensic software package will work with the suspect cellular phone
• Ascertain the connection method
• Some devices need to have certain protocols in place before acquisition begins
• Physically connect the cellular phone and the forensic workstation using the appropriate interface

Cellular Phone Analysis (Cont.)
• Before proceeding, make sure all equipment and basic data are in place
• Most software packages are GUI based and provide a wizard
• Once connected, follow the procedures to obtain a bit-stream copy
• Search for evidence and generate reports detailing findings

Cellular Phone Analysis
• From iOS (iPhone, iPod, iPad)
– Focus today is getting an image of the iPhone and analyzing it for data.
– Logical tools get contacts, call logs, SMS, MMS, pics and much more.
– Facebook contacts, Skype, YouTube data
– Myspace username and passwords
– Location from GPS, cell towers and Wi-Fi networks

Cellular Phone Analysis
• From RIM's BlackBerry
– Most difficult of smartphone devices to pull data from
– Limited deleted data acquired
– A handset PIN-locked device is all but impossible to access
– Common practice is to get the IPD "back-up" file and analyze it.
– Call logs, SMS, pictures, phonebook, email, location info from the IPD back-up file.

Cellular Phone Analysis
• From Android devices
– Logical tools acquire call logs, pics, phonebooks
– SIMs on many Androids provide last numbers dialled and SMS messages
– Physical access is improving. Practitioners root the device to obtain more data; parsing is required.
– The most actively pursued device by mobile forensic tool vendors.

Analysis Beyond the Device
• Cellular networks
• Network call Data records

The GSM Network in Brief
Network Structure
[Figure: GSM network diagram. MS (with SIM) connects to a BTS (labels: BSIC: 9876, Cell ID#: 11987, operator AT+T), then BSC, then MSC, with the HLR, VLR and EIR shown alongside the MSC.]
• EIR – Equipment Identity Register: holds phone identity. Can be used to locate stolen devices
• MSC – Mobile Switching Center
• BSC – Base Station Control
• BTS – Base Transceiver Station
• HLR – Home Location Register
• VLR – Visitor Location Register
– These hold user info, where records are stored; used today for traffic jam reporting

Analysis Beyond the Device
• Network Call Data Records (CDR)
– Call data records show call history
• Incoming, outgoing, SMS info sent and received
• Not data, unless very soon after the event
– Data is not kept long!
• Only history.
– Tower information as to where calls originated or were received.
– Most data relates to what the network operator bills us for

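An added Python example (not from the lecture) of working through network call data records as the slide describes: parse a CDR export and summarize a subscriber's contacts, originating cells and call/SMS volume. The CSV column layout, phone numbers and timestamps are constructed (real operator exports differ); the cell ID echoes the diagram label and is not a real site.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample CDR export. Columns are an assumption; operators use their own
# layouts. Numbers are fictional; cell 11987 repeats the diagram label on the slide.
SAMPLE_CDR = """\
timestamp,type,direction,a_number,b_number,duration_s,cell_id
2024-03-01T08:02:11,VOICE,OUT,+15550001111,+15550002222,143,11987
2024-03-01T08:30:45,SMS,IN,+15550003333,+15550001111,0,11987
2024-03-01T12:15:02,VOICE,IN,+15550002222,+15550001111,61,11990
2024-03-01T19:44:39,VOICE,OUT,+15550001111,+15550004444,7,11990
2024-03-02T07:55:10,SMS,OUT,+15550001111,+15550002222,0,11987
"""

def parse_cdr(text):
    """Read the export into dicts with typed timestamp and duration."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows

def summarize(records, subscriber):
    """Who the subscriber exchanged calls/SMS with, from which cells, and how much."""
    contacts, cells, kinds = Counter(), Counter(), Counter()
    talk_time = 0
    for r in records:
        # The 'other party' is whichever side is not the subscriber under review.
        other = r["b_number"] if r["a_number"] == subscriber else r["a_number"]
        contacts[other] += 1
        cells[r["cell_id"]] += 1
        kinds[r["type"]] += 1
        talk_time += r["duration_s"]
    stamps = [r["timestamp"] for r in records]
    return {"contacts": contacts, "cells": cells, "kinds": kinds,
            "talk_time_s": talk_time, "first": min(stamps), "last": max(stamps)}

if __name__ == "__main__":
    print(summarize(parse_cdr(SAMPLE_CDR), "+15550001111"))
```

Because the slide notes that operators keep these records only briefly, the request to the operator should go out as early in the investigation as possible.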
Disk Image Forensic Tools
• Guidance software
• Paraben® software
• FTK™
• Logicube

PDA/Cellular Phone Forensic Software
• Tools for examining PDAs
– EnCase and Palm OS software
– PDA Seizure
– Palm dd (pdd)
– POSE (Palm OS Emulator)
– PDA memory cards

PDA/Cellular Phone Forensic Software (Cont.)
• Tools for examining cellular phones
– Bit PM
– Cell Seizure
– Oxygen PM
– Pilot-link
– Forensic SIM
– SIMCon
– SIMIS

PDA/Cellular Phone Forensic Software (Cont.)
• Tools for examining both PDAs and cellular phones
– Paraben software
– Logicube