11th National Investigations Symposium Sinden.pdf · 2017-05-18 · 11th National Investigations...
11th National Investigations Symposium
Making the most of electronic data: How Computer Forensics can assist investigations
10 November 2016
David Sinden, Electronic Evidence Specialist
Introduction
• 10 years in Computer Forensics
• 8 years in the private sector: global fraud, bribery and corruption cases
• Last 18 months at NSW ICAC
Objective
• Insight into the wealth of electronic information available for investigations
• How to make the most of it, and where it is located
• Focus on email and mobile phones: hints and tips
Electronic Data Overview
Growing phenomenally:
• IBM: 2.5 exabytes (2.5 billion gigabytes) were generated every day in 2012
• 90 per cent of the data in the world today has been created in the last two years
• The world's data volume is expected to grow 40 per cent per year, and 50-fold by 2020
Electronic Data Growth
Electronic Data
• More systems, interconnected
• Greater data sharing
• IoT devices: cameras, fridges, etc.
• Car infotainment systems
Digital Forensic Challenges
• Subjects are wiser and cover their trail
• App developers are starting to use encryption
• Technology and platforms change at a rapid pace
Email Forensics
Corporate Email Systems
• Microsoft Exchange/Outlook
• Lotus Domino/Notes
• Novell GroupWise
Email Applications
• Outlook Express
• Windows Mail
• Mozilla Thunderbird
• Windows Live Mail
• Pegasus
• Foxmail
• SeaMonkey Mail
• The Bat!
Apple Mac
• Mail: eml, emlx
• Mbox
• Eudora
• Microsoft Entourage
• Outlook for Mac
Different storage formats
Microsoft Exchange/Outlook
• EDB database, hierarchical
• Public and Private mail stores; the Private store contains the user mailboxes
• Found on servers
Tip: the database should be dismounted before collecting it, so the copy is consistent and not in use
Outlook Data Files
Found on the local computer:
• PST: Personal Storage Table
• OST: Offline Storage Table
  • Synchronised copy downloaded to the computer; the user can still read and compose messages if the connection is interrupted
  • When the connection is restored, messages are synchronised
Microsoft Exchange/Outlook
What happens when a user deletes a message?
• Delete: the message moves to the Deleted Items folder
• Soft delete: the message moves from the Deleted Items folder to the Recoverable Items folder. This also covers Shift+Delete
Microsoft Exchange/Outlook
• Dumpster: Recoverable Items
• Retention-policy based
• Purged after 14 days (default), 28 days, or never!
Microsoft Exchange/Outlook
Other ways to recover deleted emails?
• EDB, OST and PST files are databases
• Carve for message structures
I still can't find that deleted email?
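Carving for message structures, as the slide suggests, means treating the EDB, OST or PST (or unallocated space) as raw bytes and looking for the header block every message carries. The Python below is an added example, not from the presentation: it scans for the `Message-ID:` signature in both ASCII and UTF-16LE (Unicode PST/OST files store many strings as UTF-16LE, so an ASCII-only scan misses them) and recovers the header lines around each hit. The sample buffer is constructed for the example; the real file formats' internal structures are not modelled.

```python
"""Carve e-mail header blocks out of raw bytes (a PST/OST/EDB file or an unallocated-space
dump). Added example, not from the presentation. Unicode PST/OST files hold many strings as
UTF-16LE, so both ASCII and UTF-16LE signatures are scanned. SAMPLE is a constructed buffer,
not a real mailbox."""
import re
from email.parser import HeaderParser

HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:[ \t]")   # "Name: value" at line start
ANY_HEADER = re.compile(r"[A-Za-z][A-Za-z0-9-]*:[ \t]")     # header start inside a line
ANCHOR = "Message-ID:"   # the most reliable signature of a message header block


def _is_header_line(line: str) -> bool:
    # A header line, or a folded continuation line (starts with whitespace).
    return bool(HEADER_LINE.match(line)) or (line[:1] in (" ", "\t") and bool(line.strip()))


def _headers_before(data: bytes, pos: int, enc: str, back: int) -> list:
    """Header lines that run up to the anchor; stops at the first non-header line."""
    unit = 2 if enc == "utf-16-le" else 1
    lo = max(0, pos - back)
    lo += (pos - lo) % unit                  # keep UTF-16 code units aligned with pos
    lines = data[lo:pos].decode(enc, errors="replace").splitlines()
    kept = []
    for line in reversed(lines):
        if _is_header_line(line):
            kept.insert(0, line)
            continue
        # Header blocks inside a PST are usually not preceded by a newline, so the first
        # header shares a "line" with the binary bytes before it: keep that line's tail.
        m = ANY_HEADER.search(line)
        if m:
            kept.insert(0, line[m.start():])
        break
    return kept


def _headers_from(data: bytes, pos: int, enc: str, fwd: int) -> list:
    """Header lines from the anchor until a blank line or binary junk."""
    text = data[pos:pos + fwd].decode(enc, errors="replace")
    end = re.search(r"\r?\n\r?\n", text)     # a blank line terminates the header section
    if end:
        text = text[:end.start()]
    kept = []
    for line in text.splitlines():
        if not _is_header_line(line):
            break
        kept.append(line)
    return kept


def carve_headers(data: bytes, back: int = 2048, fwd: int = 8192) -> list:
    """One dict per header block found: offset of the anchor, encoding, parsed headers."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = ANCHOR.encode(enc)
        pos = data.find(needle)
        while pos != -1:
            lines = _headers_before(data, pos, enc, back) + _headers_from(data, pos, enc, fwd)
            msg = HeaderParser().parsestr("\n".join(lines) + "\n")
            hits.append({"offset": pos, "encoding": enc, "headers": dict(msg.items())})
            pos = data.find(needle, pos + len(needle))
    return hits


# Constructed test data: PST-like binary filler, one ASCII header block with a body,
# more filler, then a second header block stored as UTF-16LE.
SAMPLE = (
    b"!BDN" + b"\x00" * 16
    + b"Received: from mail.example.test ([192.0.2.10])\r\n"
    + b"From: alice@example.test\r\n"
    + b"To: bob@example.test\r\n"
    + b"Subject: Q3 invoices\r\n"
    + b"Message-ID: <a1@example.test>\r\n"
    + b"\r\nPlease find the invoices attached.\r\n"
    + b"\xff" * 8
    + "From: carol@example.test\r\nSubject: Re: tender\r\nMessage-ID: <b2@example.test>\r\n".encode("utf-16-le")
    + b"\x00" * 10
)

if __name__ == "__main__":
    for hit in carve_headers(SAMPLE):
        h = hit["headers"]
        print(hit["offset"], hit["encoding"], h.get("From"), h.get("Subject"), h.get("Message-ID"))
```

Every hit is reported, including duplicates of the same Message-ID: several copies of one message at different offsets (live, deleted, cached in an OST) are themselves evidence of what happened to it.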
Email Journaling Systems
• MailMarshal
• IronPort
Archiving Systems
• Commvault, Enterprise Vault, etc.
• May separate attachments from emails, leaving behind a stub file with a link
Tip: extracts don't always provide all the information; look for missing attachments
Tape Backups
• Snapshot based
• Understand the backup schedule: daily, weekly, monthly
• Restores take time and often fail
Where is technology heading?
• Cloud services: Office 365, with built-in legal hold and discovery features
• Virtual machines (VM): emulation
• Web-based mail: difficult to see on a local computer
• Mobile device email apps
Mobile Forensics
Smartphone Evolution
• 1994: IBM Simon
• 2000: Ericsson R380
• 2002: Palm Treo
• 2003: BlackBerry
• 2007
Smartphone Platforms
• Android (Marshmallow; Nougat next)
• Apple iOS (10)
• Windows 10 Mobile
• BlackBerry 10
All are enhancing security
Apple iOS
Interesting fact: non-public code names, mainly ski resorts
• 9.1 Boulder
• 9.2 Castlerock
• 9.3 Eagle
• 10.0 Whitetail
Source: http://www.imore.com/ios-version-codenames
Apple iOS
• Protected by a passcode: simple vs complex
• Don't have the passcode? A lockdown (trust) file from a computer the phone has been paired with can be used to acquire the device
iTunes Backups
• Local PC and cloud
• Copy of everything on the device
• Automatic sync on computers with the iTunes software installed (unless disabled)
iTunes Backup Location
• Mac: ~/Library/Application Support/MobileSync/Backup/
• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\ ...
• Windows Vista, 7, 8 and 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
iTunes Backups
• UDID: unique device identifier
• Matches the backup folder name
iTunes Backups
• Non-readable format
• Uniquely named files: a 40-character hexadecimal value, no file extension
iTunes Backups
• Each file name is the SHA-1 hash of the domain name, a '-', and the file path, e.g. HomeDomain-Library/SMS/sms.db
• Consistent across phones unless Apple changes the architecture
How to decode these file names and the data?
iTunes Backups: 4 metadata files
• Info.plist: device details, e.g. name, IMEI
• Manifest.mbdb: information about all the other files
• Manifest.plist: whether a passcode is set, whether the backup is encrypted, last backup computer name, date
• Status.plist: details about the backup: state, date and version
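The naming scheme and Manifest.mbdb described on the two slides above fit together: the manifest lists every domain and relative path, and the hash of the two gives the file name in the backup folder. The Python below is an added example, not the presenter's code. It computes the 40-hex-digit backup file name, parses Manifest.mbdb records (the well-known layout: big-endian length-prefixed fields, 0xFFFF for an absent field, then a fixed 40-byte block of mode, inode, uid, gid, three timestamps, size, flag and property count) and indexes the records by hashed name so that a file in the backup folder can be identified. The manifest bytes are constructed here in that layout, not taken from a device. Caveat: iOS 10 backups replaced Manifest.mbdb with a SQLite Manifest.db, so this parser applies to iOS 9 and earlier backups.

```python
"""Parse an iTunes Manifest.mbdb (iOS 9 and earlier) and map every record to the hashed
file name it has in the backup folder. Added example, not from the presentation; the record
layout is the well-known mbdb format. SAMPLE_MBDB is constructed here in that layout so the
code runs offline."""
import hashlib
import struct

FIXED = ">HQIIIIIQBB"    # mode, inode, uid, gid, mtime, atime, ctime, size, flag, property count
FIXED_LEN = struct.calcsize(FIXED)   # 40 bytes


def backup_file_name(domain: str, rel_path: str) -> str:
    """File name in the backup folder: SHA-1 of '<domain>-<relative path>', 40 hex digits."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def _read_blob(buf: bytes, off: int):
    """Length-prefixed field: 2-byte big-endian length, 0xFFFF means 'absent'."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return b"", off
    return buf[off:off + n], off + n


def parse_mbdb(buf: bytes) -> list:
    """Return one dict per record, including the hashed on-disk name for that record."""
    if buf[:4] != b"mbdb":
        raise ValueError("not a Manifest.mbdb (bad magic)")
    off = 6                                  # magic 'mbdb' + 2-byte version
    records = []
    while off < len(buf):
        rec = {}
        domain, off = _read_blob(buf, off)
        path, off = _read_blob(buf, off)
        link, off = _read_blob(buf, off)
        rec["data_hash"], off = _read_blob(buf, off)   # SHA-1 of the file content, or absent
        rec["enc_key"], off = _read_blob(buf, off)     # present only in encrypted backups
        rec["domain"] = domain.decode("utf-8", "replace")
        rec["path"] = path.decode("utf-8", "replace")
        rec["link_target"] = link.decode("utf-8", "replace")
        (rec["mode"], rec["inode"], rec["uid"], rec["gid"], rec["mtime"], rec["atime"],
         rec["ctime"], rec["size"], rec["flag"], nprops) = struct.unpack_from(FIXED, buf, off)
        off += FIXED_LEN
        rec["properties"] = {}
        for _ in range(nprops):
            name, off = _read_blob(buf, off)
            value, off = _read_blob(buf, off)
            rec["properties"][name.decode("utf-8", "replace")] = value
        rec["is_dir"] = (rec["mode"] & 0xF000) == 0x4000      # S_IFDIR
        rec["backup_name"] = backup_file_name(rec["domain"], rec["path"])
        records.append(rec)
    return records


def index_by_name(records: list) -> dict:
    """Map hashed file name -> record, so a file in the backup folder can be identified."""
    return {r["backup_name"]: r for r in records}


# --- constructed sample manifest (same layout), not from a real device ---------------
def _blob(b) -> bytes:
    return b"\xff\xff" if b is None else struct.pack(">H", len(b)) + b


def _record(domain: str, path: str, mode: int, size: int, props=()) -> bytes:
    is_file = (mode & 0xF000) == 0x8000
    out = _blob(domain.encode()) + _blob(path.encode()) + _blob(None)
    out += _blob(hashlib.sha1(path.encode()).digest() if is_file else None) + _blob(None)
    out += struct.pack(FIXED, mode, 4242, 501, 501, 1478563200, 1478563200, 1478563200,
                       size, 4, len(props))
    for name, value in props:
        out += _blob(name.encode()) + _blob(value)
    return out


SAMPLE_MBDB = (
    b"mbdb\x05\x00"
    + _record("HomeDomain", "Library/SMS", 0o40755, 0)
    + _record("HomeDomain", "Library/SMS/sms.db", 0o100644, 65536)
    + _record("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", 0o100644, 2_048_000,
              props=(("constructed.prop", b"\x01" * 16),))
)

if __name__ == "__main__":
    for rec in parse_mbdb(SAMPLE_MBDB):
        kind = "dir " if rec["is_dir"] else "file"
        print(kind, rec["backup_name"], f'{rec["domain"]}-{rec["path"]}', rec["size"])
```

Running it prints the hashed name beside each domain/path. The value for HomeDomain-Library/SMS/sms.db is 3d0d7e5fb2ce288813306e4d4636395e047a3d28 on every backup, which is why the slide can say the names are consistent across phones until Apple changes the scheme.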
iTunes Backups
What about encrypted backups? The password is entered only once and is often forgotten.
iTunes Backups
• Attacks: brute force, dictionary...
• Build a word list from the computer
• Acquire memory
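The "word list from the computer" and "acquire memory" hints on the slide lead to one tool: harvest strings from the acquired image and feed the most frequent ones to the cracker first. The Python below is an added example, not from the presentation. It pulls printable ASCII and UTF-16LE runs out of a raw image (Windows stores most user-typed text as UTF-16LE, so an ASCII-only strings pass misses it), keeps password-length tokens, ranks them by how often they recur and applies a few illustrative mangling rules. The image bytes are constructed for the example.

```python
"""Build a ranked password-candidate list from a memory or disk image, for a dictionary
attack on an encrypted iTunes backup. Added example, not from the presentation. Both ASCII
and UTF-16LE runs are harvested because Windows keeps most user-typed text as UTF-16LE.
IMAGE is a constructed buffer, not a real acquisition."""
import re
from collections import Counter

# Printable runs: ASCII, and UTF-16LE (each printable byte followed by 0x00).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def _tokens(text: str, min_len: int, max_len: int):
    # Split on whitespace and common separators; keep password-length tokens only.
    for tok in re.split(r"[\s\"'<>=,;|]+", text):
        if min_len <= len(tok) <= max_len:
            yield tok


def harvest_candidates(image: bytes, min_len: int = 6, max_len: int = 32) -> Counter:
    """Count every password-length token found in ASCII or UTF-16LE runs."""
    counts = Counter()
    for m in ASCII_RUN.finditer(image):
        counts.update(_tokens(m.group().decode("ascii"), min_len, max_len))
    for m in UTF16_RUN.finditer(image):
        counts.update(_tokens(m.group().decode("utf-16-le"), min_len, max_len))
    return counts


def mangle(word: str):
    """Illustrative rules a user applies to a remembered word; yields the word itself first."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "!", "123", "2016"):
        yield word + suffix


def ranked_wordlist(image: bytes, **kw) -> list:
    """Most frequent token first; ties broken alphabetically so the output is deterministic."""
    counts = harvest_candidates(image, **kw)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    out, seen = [], set()
    for word, _ in ordered:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed image: binary filler, a passphrase that recurs in ASCII, a credential fragment,
# the same passphrase typed into a UTF-16LE form field, and short tokens that must be ignored.
IMAGE = (
    b"\x00\x00\x10\x00" + b"Winter2016 " * 3 + b"\xff\xfe\x00\x00"
    + b"passwd=Tr0ub4dor&3\x00\x00\x00"
    + "Remember: Winter2016".encode("utf-16-le") + b"\x00\x00"
    + b"id=42 ok\x00\x00" + b"\x89PNG\r\n\x1a\n"
)

if __name__ == "__main__":
    for cand in ranked_wordlist(IMAGE)[:10]:
        print(cand)
```

The ranking is the point: a password the user actually typed tends to appear several times (form caches, clipboard, browser memory, the Wi-Fi profile), so recurrence pushes it to the top of the list before any brute force is attempted.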
Passwords
Apple Mac Keychain
• Password management system
• Stores passwords for applications, servers, web sites, Wi-Fi networks, even iTunes
• Keychain Access GUI on OS X
• Encrypted, normally with the user's login password for the computer
• On Windows, alternative tools are needed to view it
Mac OS X Keychain App
iCloud
• Cloud credentials can be recovered from the phone or a backup
• Many tools can acquire data from the cloud given the credentials
• Appropriate legal authority is required
• Where is the data even stored?
iTunes Backups
The iTunes backup might have been deleted. What now?
Volume Snapshot Service (VSS)
• Backup feature included in Microsoft Windows
• Vista, 7, 8, 10 and Server 2008, 2012
VSS
• Right-click the volume (C:), select Properties, then the Previous Versions tab
• Each snapshot can be viewed on the machine it was created on
• Third-party tools can parse them
• Not all files are backed up, e.g. OST
• You might find iTunes backups that were thought deleted
iTunes Backups
Tip: the Delete button doesn't appear to delete the data
Other Challenges for Investigations
• Non-searchable documents
  • Optical Character Recognition (OCR)
  • OCR is not perfect, and not brilliant with handwriting
  • Never assume every piece of data is searchable
• Screenshots
• SMS messages
Any questions?