Digital forensics is the branch of forensic science encompassing the recovery and investigation of material found in digital devices often in relation to computer crime
When do people approach digital forensic expert?
Digital forensic people are approached by a corporate or people when a situation arises to recover evidence that either proves or disproves some sort of assumption.
How digital forensic expert carries out the task?
- Digital Forensics can be used in data breaches involving theft of corporate data including corporate and consumer records. It can help uncover critical information and support the prosecution of the attacker.
- Forensics on digital media and social media sites can be used to apportion responsibility in cases of cyber-bullying.
- Information in texts, emails, messaging services, or social media sites can provide evidence in cases involving infidelity.
What is an Autopsy Tool?
Autopsy is an easy to use, GUI-based program that allows you to efficiently analyze hard drives and smartphones. It has a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python.
Principles behind the making of Autopsy tool:
- Ease of Use
- Multiple Users
Who uses this tool?
- Law enforcement Team
- Military Examiners
- Corporate Examiners
How it works?
Autopsy analyzes major file systems (NTFS, FAT, exFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2) by hashing all files, unpacking standard archives (ZIP, JAR etc.), extracting any EXIF values and putting keywords in an index. Some file types like standard email formats or contact files are also parsed and cataloged. Users can search these indexed files for recent activity or create a report in HTML or PDF summarizing important recent activity. If time is short, users may activate triage features that use rules to analyze the most important files first. The autopsy can save a partial image of these files in the VHD format.
Why it would be useful?
- It can run keyword searches.
- It produces real time results.
- It provides Timeline Analysis.
- It can extract Web Artifacts from different internet providers.
- It provides Data Carving.
Procedure to recover the deleted image from a storage device using Autopsy Tool:
To start we need to convert our storage disk into an image file. The image should be stored in the .dd (RAW) Format. To do that we have to use FTK Imager.
Click on “File” and go to “Create Disk Image”, it will open a window like that below. Select “Physical Drive”
This will open another window asking you to select the source drive location. Click “Finish” after selecting the device
Enter the “Image Destination”. Click “Add”. Now You should then be prompted for the type of image you would like to create. Select a “Raw” or dd image.
Then we have to enter the following details in the next page a case number, evidence number, a unique description, the examiner’s name, and notes.
Next select the corresponding destination and file name to store.
Click on “Finish”. FTK Imager will now begin the time-consuming process of copying the device, bit-by-bit to the file you have designated.
Next, open the Autopsy tool and do the following:
Click “Create New Case”.
Next, Enter case number and Examiner (optional).
Next, add the image file that is stored in .dd format and hit next.
Autopsy will begin to do its analysis.
After it gets loaded If we expand the “File Types” in the object explorer, it will display all the file types and the number of files in each category.
A little further below in the object explorer, we can see a File Type named “Deleted Files”. When we click on it will display all the deleted files.
When we click on a deleted file, we can do some analysis in the lower right window. There you will see tabs labeled, Hex, Strings, File Metadata, Results, and Indexed Text.
In this case, click on the “File Metadata “ tab and it will display the file’s metadata including the name, type, size, modified, accessed and created (MAC).
To recover the deleted file, right click on the deleted file and select “Export”. Save the deleted file into the Export sub-directory. double click on that file to open it in the appropriate application.
How files are recovered in NTFS?
In NTFS, all of the metadata is stored in the MFT. This includes names, dates, parent folder, etc. the occupied clusters are also stored in there in a structure called data runs. The clusters storing the file data hold only file data and there is no linked list that holds info about the next or previous cluster.
When a file is deleted (assuming a skip of the recycle bin), there is a single bit in the MFT record that gets turned off. The rest of that record stays in place exactly how it was otherwise. The metadata from a deleted file does not get wiped out until a new file needs to occupy that record slot with its metadata.
The MFT is a contiguous block of clusters with records in the size of 1024 bytes. NTFS uses the first unallocated record (from the top) when it creates a new file.
Forensic tools need only start at the top of the MFT and treat each block of 1024 bytes as a record. If the deleted/allocated bit is on, then it is an allocated file. If it is off, then the file has been deleted.
There was mention in another comment of wiping MFT unallocated space, and this is one way of trying to hide metadata. This involves writing over the records in the MFT that have been marked as deleted. If that metadata is gone, it makes file recovery more difficult, but not impossible.
There are a number of different ways it can be done. In large part, the easiest way is following the link pointers to each of the chunks, but that isn’t the only way by any means. (The MFT isn’t the only source of those links in many file systems as well)
At a lower level, it can identify all the chunks and try to match some of them up on content if the files have an internal structure that allows one chunk to be matched to another. That won’t work for all files though if the pointers are removed, since some don’t have much of a pattern to them, but it will work with enough that it’s still a major concern, especially since unless your drive is highly fragmented, even a large file probably isn’t more than a few dozen large pieces.
There are a number of possible ways to recover the file. In some cases, simply removing the pointers may be enough, but a truly determined analysis can likely still put the puzzles together by looking for fragments that make sense, especially if they are looking for something in particular.
The Lone Wolf scenario is a set of materials from a fictional seizure of a laptop of a fictional individual who was planning a mass shooting and how autopsy tool helped in analyzing the character’s laptop.