Five on Forensics Page 1 - Craig Ball
Five on Forensics Page 1 - Craig Ball
Five on Forensics Page 1 - Craig Ball
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<str<strong>on</strong>g>Five</str<strong>on</strong>g> <strong>on</strong> <strong>Forensics</strong><br />
© 2002-2008 <strong>Craig</strong> <strong>Ball</strong> All Rights Reserved<br />
tantamount to allowing evidence to be destroyed. Every time you boot windows you destroy<br />
or alter data. The creati<strong>on</strong> of temp files, the updating of logs, the reading of c<strong>on</strong>figurati<strong>on</strong><br />
files may all seem benign acts, but they likely entail use of unallocated space, overwriting of<br />
latent data and alterati<strong>on</strong> of metadata values.<br />
Bit Stream Backup<br />
Once latent data is overwritten, it’s pretty much g<strong>on</strong>e forever. If you want to preserve the<br />
status quo and retain access to latent data, the <strong>on</strong>ly practical way to do so is by making a bit<br />
stream copy of the hard drive. A bit stream copy is a sector-by-sector/byte-by-byte copy of a<br />
hard drive. A bit stream copy preserves not <strong>on</strong>ly the files and directory structures; it<br />
preserves all of the latent data, too. Anything less will leave potential evidence behind. It’s<br />
critically important that you appreciate the difference between a bit stream copy and an<br />
archival copy of the type that people create to protect them in the event of a system crash.<br />
Archival backups copy and retain <strong>on</strong>ly the active files <strong>on</strong> a drive, and frequently not even all<br />
of those. If you can imagine a hard drive with all latent data stripped away, you’d have a<br />
pretty good picture of an archival back up. In short, an archival back up is simply no<br />
substitute for a bit stream back up when it comes to computer forensics.<br />
Computer forensic specialists create bit stream copies using any of several applicati<strong>on</strong>s,<br />
including programs like Encase, FTK Imager, X-Ways <strong>Forensics</strong>, SnapBack and SafeBack.<br />
These and other commercially available programs make the mirroring process easier, but an<br />
identical copy of every sector of a drive can also be made using a free utility called Linux DD<br />
(which runs under the also-free Linux operating system, but not <strong>on</strong> a machine running DOS<br />
or Windows). Whatever program is used, it is essential that the examiner be able to establish<br />
its reliability and acceptance within the forensic community. The examiner should be able to<br />
dem<strong>on</strong>strate that he or she has a valid license to own and use the software as the use of a<br />
bootleg copy could prove an embarrassing revelati<strong>on</strong> in cross-examinati<strong>on</strong>.<br />
The creati<strong>on</strong> of a forensically competent bit stream copy entails a sec<strong>on</strong>d step. It is not<br />
enough to simply make a faithful copy of the disk drive; a forensic examiner must be<br />
equipped to irrefutably dem<strong>on</strong>strate that the copy does not deviate from the original, both<br />
immediately after it is created and following analysis. This is typically accomplished using<br />
some mathematical sleight-of-hand called “hashing.” Hashing a disc creates a digital<br />
fingerprint; that is, a small piece of data that can be used to positively identify a much larger<br />
object. Hashing is a form of cryptography that relies up<strong>on</strong> a c<strong>on</strong>cept called “computati<strong>on</strong>al<br />
infeasibility” to fashi<strong>on</strong> unique digital signatures. Essentially, the entire c<strong>on</strong>tents of any<br />
stream of digital informati<strong>on</strong> is processed by a specialized mathematical equati<strong>on</strong> called an<br />
“algorithm” that works in <strong>on</strong>ly <strong>on</strong>e directi<strong>on</strong> because it would be a gargantuan (i.e.,<br />
“computati<strong>on</strong>ally infeasible”) task--demanding hundreds of computers and thousands of<br />
years--to reverse engineer the computati<strong>on</strong>. The bottom line is that if the bit stream copy of<br />
the data is truly identical to the original, they will have the same hash values; but, if they differ<br />
by so much as a comma (well, a byte), the hash values will differ markedly. The<br />
computati<strong>on</strong>al infeasibility means that some<strong>on</strong>e trying to pass a doctored drive off as a bit<br />
stream copy can’t make changes that will generate an identical hash value. There are a<br />
number of hash algorithms floating around, but the two most frequently employed in<br />
<strong>Page</strong> 35