Forensic Capture and Analysis of Computer Data
Modern day computers contain one or more hard drives that provide the persistent storage of a user's data. Unfortunately, the variety and size of these storage mechanisms is making the life of a forensic investigator increasingly difficult. Storage may consist of internal "fixed" drives in desktop, laptop and server computers, USB attached external drives, RAID arrays of drives on servers, as well as Palm and other handheld devices.
In addition, there are now many computer programs, some built into modern operating systems, that allow users to "shred" or "scrub" files marked for deletion. This makes recovery of the deleted files more difficult and in some instances impossible.
Computer forensics is based largely on the premise that the data recovered from computer systems will ultimately be presented in a court of law. As such, another important feature of computer forensic software is a verification process that establishes that the examiner did not corrupt or tamper with the subject evidence at any time in the course of the investigation. Computer forensic software employs a standard algorithm to generate an image hash value. The algorithm calculates a unique numerical value based upon the exact contents contained in the evidentiary image copy. If one bit of data on the acquired evidentiary bit-stream image changes, even by adding a single space of text or changing the case of a single character, this value changes.
The most common hashing process utilized is MD5 (message digest number 5), which is based on a publicly available algorithm developed by RSA Security. The odds of two computer files or two images of drives with different contents having the same MD5 hash value are roughly one in ten raised to the 38th power, or one followed by 38 zeros (keep in mind that one trillion is one followed by just twelve zeros). The MD5 hash function allows the examiner to confidently stand by the integrity of the data in court.
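The verification process described above, as an added example that is not part of the original article or of any forensic product: a constructed three-sector "image" is hashed chunk by chunk, the hash is recorded as the acquisition value, and changing the case of one character (a single bit) makes the later verification fail.

```python
import hashlib

# Constructed sample "bit-stream image" (three 512-byte sectors of made-up
# content, not real evidence), used only to show the integrity check.
SECTOR = 512
SAMPLE_IMAGE = (b"MBR sector placeholder".ljust(SECTOR, b"\x00")
                + b"NTFS boot sector placeholder".ljust(SECTOR, b"\x00")
                + b"user file: Hello, examiner".ljust(SECTOR, b"\x00"))


def image_hash(data, chunk_size=SECTOR, algorithm="md5"):
    """Hash a bit-stream image in fixed-size chunks, the way acquisition tools
    do, so a multi-gigabyte image never has to be held in memory at once."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_image(data, expected_hash, algorithm="md5"):
    """The examiner's integrity check: True only if the image still hashes to
    the value recorded at acquisition time."""
    return image_hash(data, algorithm=algorithm) == expected_hash


def flip_one_bit(data, byte_offset, bit):
    """Return a copy of the image with exactly one bit changed."""
    buf = bytearray(data)
    buf[byte_offset] ^= 1 << bit
    return bytes(buf)


def demonstrate():
    """Record the acquisition hash, then show that a one-bit change breaks it."""
    acquisition_hash = image_hash(SAMPLE_IMAGE)
    untouched_ok = verify_image(SAMPLE_IMAGE, acquisition_hash)
    # Change the case of the 'H' in "Hello": 'H' (0x48) -> 'h' (0x68) is bit 5.
    tampered = flip_one_bit(SAMPLE_IMAGE, 2 * SECTOR + len(b"user file: "), 5)
    tampered_ok = verify_image(tampered, acquisition_hash)
    return acquisition_hash, untouched_ok, tampered_ok
```

The same routine can be run with `algorithm="sha1"` or `"sha256"` where a second, independent digest is wanted alongside the MD5 value.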
Forensic Capture of Computer Hard Drives
The hard disk drive in your system is the "data center" of the PC. It is here that all of your programs and data are stored between the occasions that you use the computer. While computer hard drives are often referred to as "disks", they are in reality made up of many disk surfaces, usually hundreds, with each disk surface having a dedicated read/write head. Hence, it is customary to refer to the entire disk subsystem as a "drive". The hard drive subsystem differs from the other forms of storage such as floppy disks, CD-ROMs, tapes, removable drives, primarily in three ways: size (usually larger), speed (usually faster) and permanence (usually fixed in the PC and not removable).
Capture of Laptop Hard Drives. Most laptops today contain drives with a capacity of 40 gigabytes or less. In addition, many of them share the same physical drive form factor, and a forensic analyst can simply remove the subject drive from the laptop and connect it to the forensic capture computer through a standard ATA ribbon cable. (A pin-out converter is required to make the physical connection to the ATA cable, since the laptop drive requires different power and signal connections.) Some laptops have disk drive subsystems that are intimately coupled to the motherboard, and the drive cannot be operated outside of the physical laptop environment. In such cases the subject drive can only be captured through a DOS kernel that allows access remotely through a parallel port or a LAN port.
Software Disk Configurations. A software disk configuration is controlled by the operating system's software as an additional layer over the top of the customary hardware controller card. In a software disk configuration, the information relevant to the layout of the partitions across the disks is located in the registry or at the end of the disk, depending on the operating system used to build the set. The information pertaining to the hardware disk configuration is stored in the BIOS of the controller card. Various disk configurations can be configured with the combination of software and hardware disk management elements described, for example: spanned, mirrored, striped, RAID-5, and basic.
Basic Disks in Windows Systems. Windows Disk Management in Windows 2000/XP operating systems supports both basic and dynamic disks. A basic disk is a physical disk that contains primary partitions, extended partitions, or logical drives. Basic disks may also contain spanned volumes (volume sets), mirrored volumes (mirror sets), striped volumes (stripe sets), and RAID-5 volumes (stripe sets with parity) created using Windows NT 4.0 or earlier. Basic disks are appropriate if the computer also runs MS-DOS, Windows 98 or earlier, or Windows NT 4.0 or earlier, because these operating systems cannot access dynamic volumes. A dynamic disk is a physical disk that contains dynamic volumes created using Disk Management.
Dynamic Disk Subsystems. Microsoft Disk Management features support both basic and dynamic disks. When you install Windows 2000 or Windows XP, your hard disks are automatically initialized as basic. By using the upgrade wizard you may convert them to dynamic after the initial installation is complete. Both basic and dynamic disks may be implemented on the same computer system, but a volume consisting of multiple disks, such as a mirrored volume, must use only one type of disk. Note, however, that dynamic disks are not supported on portable computers, so when you right-click a disk in the graphical or list view in Disk Management on such a machine, you will not see the option to upgrade the disk to dynamic.
Dynamic disks should be used only if your computer runs Windows 2000/XP and if you want to use more than four volumes per disk, create fault-tolerant volumes such as RAID-5 and mirrored volumes, or extend volumes onto one or more disks.
Basic disks adhere to the familiar partition-oriented scheme of Windows NT Server 4.0 disk organization. When upgrading from Windows NT 4.0, the original partitioned disks are automatically initialized as basic disks, and the original partitions and volumes can be maintained as before. New or empty disks can be initialized as basic or dynamic after Windows 2000 or XP installation. The advantages of using a dynamic disk configuration are only apparent when a new fault-tolerant disk system is set up, or if it is desired to make changes to disks without restarting your computer. In the latter situations, dynamic disks must be utilized.
A dynamic disk is a physical disk that contains dynamic volumes created using Disk Management. (Use Programs -> Administrative Tools -> Disk Management to bring up the required utilities.) Note that dynamic disks cannot contain partitions or logical drives, nor can they be accessed using MS-DOS. When a disk is first made dynamic, an internal partition-handling system is installed on the disk. This system permits the drive(s) to be formatted in several different configurations and several combinations. The partition types are as follows: RAID 0 (striped), RAID 1 (mirror), RAID 5 (striped with parity), spanned, and basic. RAID refers to "Redundant Array of Inexpensive Disks".
The EnCase forensic capture application will automatically detect the disk configuration and will map all of the partitions, while still preserving the boot area and the unused disk area of each disk for further searching. Systems that do not support Dynamic Disks will only show one partition per drive. For disks configured as RAID 5 (striped with parity) where one disk is missing, EnCase will use the parity bits from the remaining drives to reconstruct the missing drive information and display data for the entire volume.
Forensic Capture of Disk Array Storage. As described above, disks attached to a non-mobile computer may be configured in managed groups. The term RAID is used to describe many of these configurations. RAID stands for "Redundant Array of Inexpensive Disks". Here we use the term to collectively include all of the following disk configurations: RAID-0 striped, RAID-1 mirrored and RAID-5 redundant.
The information detailing the types of partitions and the specific layout across multiple disks is contained in the registry of the drive with the operating system. The EnCase capture program can read registry information and map the system to one of the possible configurations based on the key information. The composite drive array can then be virtually mounted within EnCase and captured as an evidence file. Dynamic Disk is a disk configuration utility available in Windows 2000, where the information pertinent to building the configuration resides at the end of the disk rather than in a registry key. Therefore, each physical disk in this configuration contains the information necessary to reconstruct the original setup. EnCase reads the Dynamic Disk partition structure and resolves the configurations based on the information extracted.
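How a RAID-5 volume can be virtually mounted and, as stated earlier for the one-disk-missing case, how the missing member is rebuilt from the parity of the remaining drives: an added example that is not part of the original article and not EnCase code. It assumes a constructed rotating-parity layout and a tiny 4-byte stripe unit; a real array's stripe size, parity rotation and disk order must be determined from the configuration metadata before any reconstruction is attempted.

```python
from functools import reduce

STRIPE_UNIT = 4  # bytes per stripe unit (constructed; real arrays use 64 KiB or more)


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_disk(stripe, n_disks):
    """Assumed rotation: parity starts on the last disk and moves back one per stripe."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_split(data, n_disks):
    """Lay volume data out across n_disks with one parity unit per stripe."""
    per_stripe = STRIPE_UNIT * (n_disks - 1)
    data += b"\x00" * ((-len(data)) % per_stripe)  # pad the last stripe
    disks = [bytearray() for _ in range(n_disks)]
    for s, off in enumerate(range(0, len(data), per_stripe)):
        units = [data[off + i * STRIPE_UNIT:off + (i + 1) * STRIPE_UNIT]
                 for i in range(n_disks - 1)]
        units_iter = iter(units)
        p = parity_disk(s, n_disks)
        for d in range(n_disks):
            disks[d] += xor_blocks(units) if d == p else next(units_iter)
    return [bytes(d) for d in disks]


def raid5_rebuild(disks):
    """Rebuild the single missing member (given as None). At every byte offset
    the XOR of all members is zero, so the missing byte is the XOR of the rest."""
    missing = disks.index(None)
    present = [d for d in disks if d is not None]
    rebuilt = list(disks)
    rebuilt[missing] = xor_blocks(present)
    return rebuilt


def raid5_join(disks):
    """Virtually mount the volume: concatenate data units, skipping parity units."""
    n = len(disks)
    out = bytearray()
    for s, off in enumerate(range(0, len(disks[0]), STRIPE_UNIT)):
        p = parity_disk(s, n)
        for d in range(n):
            if d != p:
                out += disks[d][off:off + STRIPE_UNIT]
    return bytes(out)


# Constructed sample volume content (not real evidence).
SAMPLE_VOLUME = b"EVIDENCE.DOC: constructed meeting notes and account ledger"
```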
Forensic Analysis of E-mail Files
Outlook PST Files. Mail archive files stored on a user's client computer provide a fertile opportunity for forensic information analysis. Since Microsoft Outlook is one of the most popular e-mail programs used in businesses today, it is important that any forensic analysis tools be capable of reading and extracting content from files with the PST format. EnCase can read PST files and extract e-mail for plain-text analysis. It can handle PST files that have both compressible encryption and full encryption, as well as overriding PST file passwords.
Forensic Analysis of Palm PDAs
Introduction. PDAs have come into widespread use in the consumer marketplace. It is evident that they will also become a target for criminal investigations and forensic analysis. Alexus Consulting uses EnCase forensic capture tools as well as other proprietary tools to perform data acquisition and analysis of portable devices. The forensic investigator has the ability to collect credible digital evidence from a handheld device either as a digitally signed forensic evidence file, or as a HotSync capture. Password "cracking" tools are available in cases where the user has applied password protection.
Palm has licensed the Palm Operating System to various companies including Handspring, Sony, IBM, Kyocera, Samsung, QUALCOMM, Franklin Covey, TRG, and Symbol Technologies. Approximately 80 percent of the global handheld computing market is made up of devices running the Palm OS. In total, this amounts to about 20 million devices, consisting of consumer-based PDAs, telephones integrated with PDA functionality, and barcode and wireless integration in industrial applications.
The Alexus Consulting forensic capabilities cover all Palm devices up to and including the Palm 5.5 Tungsten T. The goal of incident response is to preserve the entire digital crime scene with minimal or no modification of data. To this end, the Guidance Software EnCase forensic capture application has been integrated with other tools to support the imaging and forensic acquisition of data from the entire family of Palm Personal Digital Assistants (PDAs). The EnCase system preserves the crime scene by obtaining a bit-for-bit image of the Palm device's memory contents. The captured data can then be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
Palm Architecture. It is useful for the forensic examiner to have an understanding of the Palm's internal structure, and how the various components such as flash memory, file system, HotSync software, record removal and deletion, retrieval of system passwords, and telephony interfaces play together in the Palm environment.
The memory image of the Palm device contains all user applications and databases. In turn, these memory segments are the repositories for log data, completed ‘To Do’ items, ‘Private’ records, passwords, cryptographic components, and other potentially useful information for incident response or forensic analysis purposes. Vestigial fragments of data that applications may have left behind can also be retrieved, as well as records that have been marked for deletion, since the latter are not removed from the device until the user’s next HotSync operation. The Palm OS Console Mode Debugger is used to acquire memory card information and to create the image of the selected memory region. EnCase is able to view the Palm as a device when it is in the Console Mode, and after selecting the Palm as the target for acquisition, a forensic capture of memory is achieved. In this capture mode, EnCase relies solely on the built-in Palm OS Debugger functionality and does not require any additional software components loaded onto the Palm device. Data retrieved is forensically preserved, representing a true evidence file replica of the Palm’s memory at the time of acquisition. Note that there are cases when the Palm system is password-protected. In these cases where the Palm system lockout is active, the Palm HotSync functionality is disabled and cannot be used for data acquisition. With the use of the Palm OS Console Mode Debugger forensic capture is still possible.
Note that the Palm OS does not use a flat file system as is traditional with desktop PC operating systems. Random Access Memory (RAM) with continuous online battery power is used to implement non-volatile storage, which is logically divided into dynamic and static storage. Dynamic memory, analogous to RAM installed in a typical desktop system, is used as working space for the program stack and short-term data (e.g., pen strokes, key presses, system events, video memory, global variables, and user interface structures). The size of the dynamic memory region depends on the OS version and on the total memory on the Palm device and changes constantly during device use. The remainder of RAM is used as storage memory, analogous to a disk drive. Regardless of the logical division of RAM, EnCase captures the entire RAM region, containing both dynamic and storage memory areas.
Acquiring a Palm PDA Device. Palm devices may be accessed through the EnCase capture functionality. The Palm products that are currently supported include Palm IIIx, Palm IIIxe, Palm V, Palm VII series, Palm M and Palm Tungsten T series. A USB cradle must be available. The USB cable is connected to a USB port on the forensic computer at one end and to the Palm via the cradle at the other end. The Palm device is first put into console mode, after which it is selected as a device in the EnCase program and the "Acquire" function is started.
Once the capture is complete, the contents of the Palm memory are available within the EnCase product for analysis as a fully protected evidence file. As such, the evidence file provides the normal protection of chain of custody through digital encryption of hashed digests.