News & Computer Forensics Blog
Author Jon Berryhill
Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts
by Jon Berryhill

To understand metadata, you first have to understand what the word means. The prefix “meta” means “beyond” and is used to indicate a concept that is an abstraction behind another concept. From this we get the meaning that metadata is the “data beyond the data”. In the world of digital forensics, metadata is the data and information that is part of or attached to some other, more obvious piece of data.

We usually think of metadata as being associated with a particular file. Every file on a computer has some amount of metadata associated with it. The amount, type and usefulness of that data depend on the type of file and the type of investigation. I usually break metadata down into two broad groups: internal and external. Every file on a computer or any digital storage media has some external metadata, and most user-created files have varying amounts of internal metadata.

On all modern computer systems the minimum metadata is the external metadata, which consists of several date/time stamps that memorialize the file creation, last access and last written date/time. That information, along with the file name, is not stored with the file but rather in a table maintained by the operating system for each storage device (and stored on that device). It doesn’t matter if it’s a hard drive, thumb drive or SD card. Each storage device has a table, separate from the files, that exists for housekeeping purposes. Think of it like the card catalog in an old-fashioned library. The card in the little drawer has the name of a book, directions on where to find it and a small amount of other information about the book that would vary depending on the library system and the type of book. The tables maintained by the computer are similar: the table has the name of the file, various date/time stamps and directions for the computer on where to find the file.
In this imaginary virtual library, the books don’t have covers that contain the sort of information you might expect to find if you just browsed the shelves and pulled out a book at random. You need to cross-reference the book with the card catalog card to get the full picture. There is other stuff there too that is, usually, less interesting from an investigative standpoint.

Even this most basic metadata can be misinterpreted and is often misunderstood. Top on this list is the file creation date/time. This date/time is not what you might think from the simple name. What it actually records is when that particular file was first written to the storage media on which we see it. The other basic date/time stamps are a bit more straightforward in their meaning. Last written is the last time the file was saved for any reason, not necessarily when it last changed, but just the last time the “save” button was hit or an auto-save feature was engaged. The last access date/time is simply the last time the file was touched for some reason. There is no information here about what was done, who did it, why, or what software tool took the action. The two most common reasons would be that the file was either opened or copied.

How all this metadata is interpreted is critical and often requires some explaining. First we have the intuitively backwards situation where a file can have a last written date/time of yesterday and a file creation date/time of today. Doesn’t a file have to be created before it was last saved? This is a common scenario that happens when a file is moved from one computer to another. If you created a file on computer A yesterday and then today copy that file from computer A to computer B (assuming you make no changes to the content), the last written date/time (in most, but not all cases) will carry over to the new computer, but the file creation date/time will not.
By copying the file from A to B, you have created a new file on B, and it will have a file creation date/time that reflects when that action took place. In most cases the act of this file copy would also cause the last accessed date/time on computer A to be updated. Further, if we examine the time stamps on the two computers we can figure out exactly when the file (a copy of it, actually) left A and when it landed on B. A gap in the timing could even indicate that an intermediate storage device may exist (which means yet another copy of the file is floating around out there somewhere). If the last access and file creation date/time on computer B match, that is a pretty good indication that nothing has been done with that file since it was first copied to computer B.

Just from this metadata it is possible to put together a great deal of valuable information about what a user may have been up to with their computer usage.
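The reasoning above (creation after last written means the file was copied in; last access equal to creation means nothing touched it since; the gap between leaving A and landing on B) written out as code. This is an added example, not code from the post; the record layout, the function names and the sample timestamps are constructed for illustration.

```python
"""External metadata (creation / last written / last access stamps) as the
post describes, applied to the computer A -> computer B copy scenario.
Added example, not code from the original post; record layout, function
names and the sample timestamps are constructed for illustration.
"""
import os
from datetime import datetime, timedelta
from typing import List, NamedTuple


class FileTimes(NamedTuple):
    host: str
    path: str
    created: datetime   # when this copy was first written to this volume
    modified: datetime  # last "save"; most copy tools carry it over
    accessed: datetime  # last time anything touched the file


def from_path(path: str, host: str = "local") -> FileTimes:
    """Pull the stamps of a real file via os.stat.
    Caveat: Windows reports creation time as st_ctime; Linux st_ctime is the
    inode change time, and creation is only exposed as st_birthtime where
    the filesystem and Python version support it."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime", st.st_ctime)
    return FileTimes(host, path, datetime.fromtimestamp(created),
                     datetime.fromtimestamp(st.st_mtime),
                     datetime.fromtimestamp(st.st_atime))


def interpret(ft: FileTimes) -> List[str]:
    """Plain-language observations about one file's stamps."""
    notes = []
    if ft.created > ft.modified:
        notes.append("created after last written: this copy was brought in "
                     "from another volume with its last-written stamp kept")
    if ft.accessed == ft.created:
        notes.append("accessed == created: nothing has touched this copy "
                     "since it was written here")
    if ft.accessed < ft.modified:
        notes.append("accessed before last written: inconsistent stamps; "
                     "check for clock changes, tool behaviour or tampering")
    return notes


def trace_copy(src: FileTimes, dst: FileTimes,
               tolerance: timedelta = timedelta(minutes=1)) -> dict:
    """Correlate one file seen on two hosts: when it left A, when it hit B."""
    if src.modified != dst.modified:
        return {"same_content_likely": False}
    left_a = src.accessed      # reading the file on A updated its last access
    landed_b = dst.created     # the copy is a brand-new file on B
    gap = landed_b - left_a
    return {"same_content_likely": True, "left_a": left_a,
            "landed_b": landed_b, "gap": gap,
            # a long gap hints at an intermediate device (another copy)
            "intermediate_device_possible": gap > tolerance}


# Constructed sample: saved on A yesterday, copied to B today via a USB stick
T0 = datetime(2023, 5, 1, 9, 0)
ON_A = FileTimes("A", "memo.docx", T0, T0 + timedelta(hours=2),
                 T0 + timedelta(days=1, hours=10))
ON_B = FileTimes("B", "memo.docx", T0 + timedelta(days=1, hours=13),
                 T0 + timedelta(hours=2), T0 + timedelta(days=1, hours=13))
```

Running `interpret(ON_B)` flags both the creation-after-last-written and the untouched-since-copy conditions, and `trace_copy(ON_A, ON_B)` reports a three-hour gap between the read on A and the write on B.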
By Jon Berryhill
If you’ve encountered a matter involving computer evidence, you may have heard the term “hash value” and wondered what in the world a hash value is. A hash tag “#” (otherwise known as the pound symbol or, originally, an octothorpe), brought to you by Twitter in 2007, is not what this post is about. A hash value and a hash tag are two completely different things. Let’s take a quick dive into this somewhat esoteric term for a critical tool.

A hash value is a common feature used in forensic analysis as well as in the cryptographic world. The best definition I’ve seen is that a hash is a function that can be used to map data of an arbitrary size onto data of a fixed size. The word “function” is used in its truest form from mathematics. The hash value is the result of the function. Standard hash algorithms are sets of complex but public mathematical steps. There is nothing secret about them. Some people equate a hash value to a fingerprint. It provides a way of identifying and verifying a chunk of digital data. You can have a hash value for a single file, groups of files, or even an entire hard drive. A hash value is a harmless-looking string of hexadecimal characters, generally 32 to 64 characters long, depending on the hash algorithm used. There is absolutely nothing in a hash value that will tell you anything about what was hashed or how big it was. The way the algorithms work, the length of the hash value is always the same no matter the quantity of data processed. So what do they look like?

By Jon Berryhill

Making a forensic image of digital evidence is the best way to preserve data that might be needed for current or potential legal proceedings. The most common target of this process is a hard drive, but there are many other forms of digital storage. The first and perhaps most important rule of evidence handling is preservation. Digital evidence can be fragile.
Most people don’t realize just how easy it is to change digital evidence, and it may be that the most easily, and often inadvertently, changed data is the most important. So, what exactly is a forensic image? It’s a way of capturing all of the contents of a digital storage device. This includes both the logical file structure (files and folders) and all the associated metadata for that logical structure (metadata is a topic for another blog post). A forensic image also includes the file slack space and the unallocated space (also topics for another post). This is where all sorts of interesting things might be found, including deleted files, file fragments, and more. Not all cases involve the analysis of the digital contents beyond the logical structure. However, if you don’t capture everything from the start, it may be lost, and you won’t have a chance should it become important later.

The nuts and bolts of creating a forensic image start with write-blocking technology. Using either specialized hardware or software, an analyst can connect to and read the contents of a storage device while ensuring that nothing, including last access dates, gets changed on the original device. There are a number of acceptable software tools as well as output formats for a forensic image. The two most common are the DD and .e01 (EnCase) formats. These are functionally equivalent. The key is that both are locked-down, read-only, exact versions of everything on the original evidence item. Once the forensic image copy has been made, it can be shared among as many other investigators/analysts as needed. There is no need to go back to the original evidence item. All copies are verifiable and can be certified as being true and correct copies of the evidence (hash values are a topic for yet another upcoming blog post).

Does a forensic image capture EVERYTHING? Not quite.
While the process I described is the gold standard for handling evidence in civil and criminal cases, there are a couple of exceptions that I have run into over the years. First, all modern hard drives contain what is called SMART data. This is mostly hardware diagnostics and health information. This can include data such as how many times the hard drive has been powered on. Obscure information certainly, but it (and the other SMART data) might be important depending on the case.

Another item that comes to mind is specific to USB devices like hard drives and thumb drives. These devices contain a (mostly) unique ID that you can think of as a serial number (but different from the actual serial number that may be visible on the device). No forensic imaging process captures this information, and it is not changeable. The only way I know of to obtain this information is to attach the original USB device to an analysis computer and use software to specifically read this data, either directly from the device or from the Windows registry where this information gets stored. What is this unique ID good for? In most cases it is possible (at least on a Windows machine) to determine if a particular USB device has been attached. I have seen cases where an analysis of a Windows computer has led to a user being ordered to produce all storage devices they used on it. Once the items were turned over, along with a sworn declaration, analysis showed the user did a bait-and-switch, either completely omitting some items or providing a similar make and model device. In addition to the user’s other problems, they introduced perjury into the mix.

The forensic imaging process is the single most important part of a digital forensic analysis. If it is not done correctly, the digital evidence isn’t really evidence at all, because it cannot be shown to be accurate and would likely not stand up in court. More about mishandling of evidence in a future post.
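The hash-value post above and the “true and correct copy” check in the forensic-image post are the same operation in practice, so one added example serves both. This is not the blog’s or any forensic tool’s code; the function names and the in-memory sample data are constructed. It shows that the digest length stays fixed whatever the input size and that a copy is accepted only when every digest matches.

```python
"""Hash values as the post describes them, used for the "true and correct
copy" check on a forensic image. Added example, not the blog's or any
forensic tool's code. hash_stream digests in chunks, so a multi-terabyte
image and a 20-byte file are handled identically; sample data is constructed.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable

ALGORITHMS = ("md5", "sha1", "sha256")   # 32, 40 and 64 hex characters


def hash_stream(fh: BinaryIO, algorithms: Iterable[str] = ALGORITHMS,
                chunk_size: int = 1 << 20) -> Dict[str, str]:
    """One pass over a file-like object, feeding every requested hasher."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hash a file on disk (e.g. a .dd image) without loading it into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Accept the copy only if every digest matches the original's."""
    return hash_bytes(original) == hash_bytes(copy)


# Constructed "evidence": a tiny file and a 1 MiB one; digest length is the same
SMALL = b"Contract draft v3\n"
LARGE = bytes(range(256)) * 4096

if __name__ == "__main__":
    for label, data in (("small", SMALL), ("large", LARGE)):
        for name, digest in hash_bytes(data).items():
            print(f"{label:5} {name:6} {len(digest):2} chars  {digest}")
    print("exact copy verified:", verify_copy(LARGE, bytes(LARGE)))
    print("one byte changed:   ", verify_copy(LARGE, LARGE[:-1] + b"\x00"))
```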
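For the USB unique ID the post mentions, Windows records one registry key per USB storage device it has seen under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, with the device's reported serial as the instance ID; when a device reports no serial, Windows generates an instance ID whose second character is “&”. The parser below is an added example, not the blog’s code: the key paths are constructed samples with made-up serials, and the function names are mine.

```python
"""Parse exported USBSTOR registry key paths into device records and compare
the devices a computer has seen with the devices a party handed over.
Added example, not code from the blog; sample key paths and serials are
constructed. Assumption (standard Windows behaviour): an instance ID with
'&' as its second character was generated by Windows because the device
reported no unique serial, so it cannot identify one physical device.
"""
import re
from typing import List, NamedTuple, Optional

USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<kind>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)", re.IGNORECASE)


class UsbDevice(NamedTuple):
    kind: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]   # None when Windows generated the instance ID


def parse_usbstor_path(key_path: str) -> Optional[UsbDevice]:
    m = USBSTOR_RE.search(key_path)
    if not m:
        return None
    inst = m.group("instance")
    windows_generated = len(inst) > 1 and inst[1] == "&"
    # the trailing "&0" is an interface index appended by Windows, not serial
    serial = None if windows_generated else inst.rsplit("&", 1)[0]
    return UsbDevice(m.group("kind"), m.group("vendor"), m.group("product"),
                     m.group("rev"), inst, serial)


def missing_devices(seen_keys: List[str], produced_serials: List[str]) -> List[str]:
    """Serials recorded on the analysed computer but not among devices produced."""
    seen = {d.serial for k in seen_keys
            if (d := parse_usbstor_path(k)) and d.serial}
    return sorted(seen - set(produced_serials))


SAMPLE_KEYS = [  # constructed samples; serials are made up
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230512345678&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1019\575834314134353146344B31&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0",
]
```

`missing_devices(SAMPLE_KEYS, ["4C530001230512345678"])` returns the WD serial, which is the kind of discrepancy the post describes between a sworn declaration and the devices actually produced.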
By Jon Berryhill

So what is a digital forensic analysis? The short answer is – it depends… Every case and situation is different. Recently I was talking to someone who had retained the services of a company to conduct an analysis of a laptop. The customer had a fairly simple question he was trying to answer: “Is there evidence that the user of the machine was engaging in the suspected inappropriate communications and/or activity?” What the customer got back was a several-hundred-page “report” of “preliminary findings” and was told that was their “phase one” analysis. In order to get more information or even an explanation of the provided report, the customer would have to pay for the “phase two” analysis. The additional cost was tiered depending on how quickly the work would be done, with the “standard” (lowest cost) option having a 60-day turnaround. Needless to say, the cost of a much more reasonable turnaround time made me gag.

A proper analysis means doing whatever data processing and analysis is necessary to answer the pertinent questions for the specific case. This usually means putting together the pieces of the puzzle from many different sources to reach a logical and relevant conclusion. Most digital forensic analysis software packages (like EnCase, FTK and others) can generate an automated “report.” With little or no input from the analyst, the scripts that generate these reports can produce hundreds of pages of information. Seldom do these reports contain anything meaningful or understandable to a customer. When an analyst dumps one of these automated reports on a client, especially when accompanied by a bill, it is usually done for what I call the “thud effect” (how loud a sound can you make when you drop the report on a table in an effort to make it appear you have done a lot of work?). Did all that work and the trees they killed producing it provide answers? Did the analyst explain the findings?
By Jon Berryhill

Recently our firm was brought into a case where the opposing counsel had retained a computer forensic expert. After the work was complete, questions began to surface regarding the quality of the work and the value received for the cost. During the initial telephone call, information regarding this "expert's" work process and work product started to raise giant red flags for us. We went to the location where the computer forensics "expert" had gathered evidence. We counted the computers, noted the size of the hard drives, and analyzed the scope of work. Since that initial phone call, what we discovered has been rather alarming: exaggerated fees, unsupported conclusions, exaggerated hours per task, opinions not supported by the facts, and the list goes on! Ultimately, this "expert" billed over $100,000 for computer forensics services that should have required about 10–20 hours of work. While their hourly rates were within the average range for the industry, they pumped up the amount of time and the number of employees required to complete the job.

To protect your firm from being fleeced by a computer forensics "expert," read Hiring A Computer Expert - Don't Get Fleeced! As a bonus, we have included a standard chart of typical or common computer forensic services and the corresponding amounts of time usually needed to complete each task. If you are involved in a case in which a computer forensics firm has been hired by opposing counsel, give us a call. Protect your clients and your firm's reputation; don't allow shoddy computer forensics work to damage your case.

Special thanks to Sgt Fred Deltorchio and the Benicia (CA) Police Department for their assistance with this test. Recently we have seen several alarming warnings about the dangers of placing computer evidence in the trunk of a police car containing a trunk-mounted radio.
These articles claimed that the RF energy of the nearby radio would corrupt the computer evidence. We found these claims interesting, so we decided to conduct a test. The results showed absolutely zero corruption of magnetic media. While this test only used one type of trunk-mounted police radio, the results may be similar for other types of modern radios. We would be interested to hear from anyone who believes they have had computer evidence corrupted by a trunk-mounted radio. In the future we plan to conduct similar tests with other brands of radios operating in other frequency ranges.

The tested media were four 3.5" 1.44MB floppy disks and one Quantum ProDrive 80MB SCSI hard drive. Using a version of a disk duplication program that is exclusively for law enforcement use, we created four identical floppy disks. We then ran a program that, for each disk, generated a CRC value for each file on the disk. We placed two disks each in paper envelopes. The hard disk was formatted and approximately 36 megabytes of data was written to it. We then ran the same CRC-generating program for the hard disk. The hard disk was placed in an anti-static bag and packed in paper in a cardboard box. One envelope containing the 3.5" disks was placed directly between the transmitter/receiver and the mounting bracket of a GE MVS VHF trunk-mounted police radio (mounted on the side wall of the trunk). This radio operates in the 150MHz band. The second envelope was placed on the floor of the trunk opposite the radio. The box containing the hard disk was placed in the center of the trunk. The police car also had a trunk-mounted cellular phone transmitter/receiver mounted next to the VHF radio.

What if opposing counsel informs you they’re calling a computer forensics analyst as an expert? Even if you don’t need an expert to analyze computer data, it can pay to have one in your hip pocket.
Computer forensics and eDiscovery can involve computers belonging to your client and/or the opposing side. If there is computer evidence (or the potential for evidence) germane to a case, you would be best served by having an experienced computer forensics analyst look at the data. A computer forensics expert can work as a special master or can sign a non-disclosure agreement in order to protect confidential information. If opposing counsel hires an expert, you will want to have their analysis and conclusions reviewed by your own expert. Occasionally, opposing counsel will share the imaged (copied) hard drives from computers involved in the discovery. If you are deposing opposing counsel’s computer forensics expert, it can be extremely valuable to have your own expert in attendance. Often, they can identify flaws in the other expert’s answers, or suggest a line of questioning. We recently provided this service to a client. During the depositions, the other side’s experts essentially refuted much of what was in their own analysis. Before the case ever went to trial, opposing counsel had withdrawn its computer forensics experts.

Have you ever considered acting as your own computer forensics expert? A few years ago, a defense attorney contacted our company and asked to rent (use) our forensics equipment to view and analyze a hard drive image of his client’s computer made by investigators. As experienced professional computer forensic experts, we were concerned about this request, and offered our analysis services, which this defense attorney declined. The attorney paid for the use of our equipment, and until recently, we had not heard what became of the case. Unfortunately for his client, this attorney lost the case. His client spent the next few years in jail as a result. We were approached on this case after the client had secured a new attorney to handle an appeal.
The original trial judge provided a declaration expressing his opinion that the defendant had been poorly represented. Our company was the only other party asked to provide a declaration, which we did, stating our professional opinion that the computer forensics evidence was incomplete and not conclusive. Perhaps if the attorney had not tried to act as his own expert, his client might have been spared prison time.

When to Call a Computer Forensics Specialist?
In nearly all litigation these days, there is some evidence on a computer. Have you considered this for your case? If you haven't, you should. But don't panic. Bring in a seasoned computer forensics specialist sooner rather than later, and you can save valuable time and money, not to mention legal wrangling. Intuition is a powerful force that deserves your respect. If your gut is nagging at you, suspecting that some legal issues may be afoot, it's worth checking out. And it's literally never "too soon" to call in a qualified computer forensics expert. Doing so may speed up the legal process and help clarify facts and issues from the get-go that may influence your case later on. In fact, the earlier an expert is brought in, the more helpful we can be.

Is there a downside to calling your computer forensics expert right away? We're hard pressed to think of one, perhaps just the confirmation that you have a legal battle ahead. But that would have been the case whether or not you called us first! Even in that worst-case scenario, computer forensics can smooth or even shorten the rough road you anticipate. In the best scenario, we can help clients avoid court altogether. We've discovered many a "smoking gun" in the discovery phase that put an abrupt end to the proceedings.

What's the downside to not calling computer forensics experts first? Evidence may be lost that could support your case. If you've even considered litigation, your first consideration should be to preserve evidence. Don't even touch an evidence computer until you've spoken to a forensics specialist. Worried we'll come in and stop business operations in their tracks? No need. We quickly archive data to preserve a snapshot of every potential piece of evidence. Bringing us in when you first suspect a problem means you have a qualified guide in navigating even the first few crucial steps of the electronic discovery process.
It's an opportunity to avoid pitfalls that would otherwise harm your case, and to gain valuable insight into the facts. Sometimes we're brought in early enough that we can deliver excellent advice or recommendations without even touching a computer. Sounds strange, we know. But a thoughtful conversation leveraging decades of experience can often dispel a client's concerns. And in situations where squaring off in court seems unavoidable, we're right there with expert advice. We help clients anticipate challenges and face them down with the very best evidence available. So if you've got butterflies, chances are you're about to wade into the ESI (electronically stored evidence) jungle. Call or e-mail us first, because every step counts. Especially the first one!