June 7th 2020
I’m a cybersecurity consultant, tech writer, and a regular columnist for InfoSec Insights.
Digital Forensics deals with the recovery and investigation of digital
media often in relation to computer crimes. If there is a data breach, or an attempt to damage or manipulate data to cover up evidence, it is the job of a digital forensic investigator to recover these files or determine how an attacker gained access and what they did on the network.
The digital forensics process can be broken down into three phases –
- acquisition of the digital media to be examined,
- its analysis, and
- presentation of the results by the examiner.
In addition to getting started on some basic concepts, we’ll look at an
example scenario on how to acquire an image (that can be used as evidence in a court of law), and then perform a simple data reconstruction using the Sleuth Kit. This open-source toolkit comes pre-installed with Kali Linux.
Acquiring the Image
Once a forensic investigator arrives at the crime scene, they seize all relevant evidence and retain volatile data (that is lost once the power supply is removed) before transferring the evidence to a forensic lab.
Then they create an exact duplicate of the original evidence taking care not to tamper with the original disk, examining it as little as possible, and documenting any changes. In addition to preserving the evidence, it is essential to prepare and record the chain of custody to keep track of who handled the evidence at every stage and include it in the final report.
This step is necessary to prevent any allegations of evidence tampering in a legal proceeding.
Let’s begin by creating an image that will be analyzed and investigated.
1. Capturing the Image
In order to create a bit-by-bit image of the hard drive, and generating an MD5 checksum of the image, we run the following command on our Kali Linux machine:
dcfldd if=/dev/sdb1 hash=md5 of=/media/[filename].dd bs=512 noerror
- if (input file)=/dev/sdb1 is the source drive.
- hash=md5 is used to calculate an MD5 hash of the image that verifies the image integrity.
- of (output file)=/media/[filename].dd is the disk image file that gets created (in this case, the location is on an external device mounted at /media).
- bs=512 is used to transfer the image, 512 bytes at a time.
- noerror indicates that the command will continue the data transfer in the case of read errors by writing zeros where the error occurs.
This step creates a bit-by-bit identical image of the disk (which in my case is a 16 GB removable USB drive) and saves it to my external hard drive with the extension .dd, 512 bytes at a time, and writes zeros when encountering an error (rather than terminating and providing us with the md5 hash of the image). However, you can also run the command without the noerror option.
The most critical task that we need to do when acquiring an image is to ensure its integrity.
The step above will generate a hash file along with the image. We can hash the image on our end to verify that the values match.
To read the hash value run the command:
To create a hash execute the following:
3. Verifying the Image
In this step, we get the associated details of the image file and use the
‘mmls’ command to obtain information about the partition layout.
If you receive the following error (as shown in the screenshot), it could indicate that the disk image created is a logical one and not a physical disk image. For this walk-through, we will need a bit by bit copy of the disk, aka a physical disk image.
Guymager is a forensic imaging tool that can be used in place of the ‘dcfldd’ command to generate a physical disk image. Run guymager in Kali Linux using the following command:
Right-click on the device to be acquired and select Linux dd image. The image can also be split into multiple files. Specify the directory where the image file will be saved and click on start.
The files are split into four starting from [filename].000 to [filename].003,
and [filename].info contains the hash values. The hash for the individual split files will be different, but to calculate the md5 of all the files together we can use the following command:
cat [filename].0* | md5sum
Now when we run mmls on the disk image (working on a complete test image, not split files) we can see the partition layout:
Analysis and Recovery
After successful image acquisition, the next step brings us to examining the evidence and analyzing the disk to trace the crime. It typically involves data recovery, extracting hidden files, accessing protected content if technically feasible and legally appropriate, etc.
fsstat -o 2048 [filename].dd
Using fsstat, we get a whole bunch of information about the file system. The offset is given as 2048 since the rest is either unallocated or has partition table info (see the partition layout, as shown above, using mmls). The other areas can also be investigated.
Host protected areas on a disk that typically contain vendor restoration utilities can be used to hide data by anyone with sufficient knowledge of hard drives. The disk_stat tool in the Sleuth kit can determine if an HPA exists on a disk.
fls -o 2048 [filename].dd
Deleted files are indicated with a ‘*’ symbol before them, such as Enrollment form.docx. If we want to look into the test directory, we can refer it using its inode number (which in this case is 5).
fls -o 2048 [filename].dd [inode number]
Once inside the test directory, apart from regular files, we see a dot ‘.’ before a filename, indicating that the file is hidden.
You can use the icat tool if you have to read the contents of a particular file, without recovering the drive. You can also read the contents of a hidden file using this command.
icat -o 2048 [filename_of_the_image].dd [inode number of the file you want to read]
Some other Sleuth kit tools that work on metadata include ifind and ffind that can be utilized to find the file, based upon where a string is located. Apart from using a keyword search, another common technique is conducting a file signature search to examine specific file types relevant to the investigation.
To recover files from the image [filename].dd, execute the command below specifying the path where you want to store recovered files. Make sure there is sufficient available space in this drive.
tsk_recover -e -o 2048 [filename].dd /root/[destination folder path]
The report is the final deliverable that’ll be presented to whoever requested the initiation of the digital forensic investigation. It will only contain facts observed, analyzed, and documented from a completely objective standpoint relevant to the case. It must, at the very least, provide
- The executive summary section gives an overview of the case and related observations.
- The analysis summary in a report describes in detail the evidence collection and analysis process. It should include a thorough discussion of all the steps taken by the investigator to confirm or refute the allegations that form the basis of the investigation.
- The final summary wraps up the report with closing arguments and a conclusion.
A forensic report’s importance in any legal proceeding will rely heavily on two primary factors:
- authenticity (focusing on the source and non-contamination of the evidence), and
- reliability (questioning the accuracy of the evidence).
If an attorney can establish reasonable doubt with regards to these two aspects of the evidence, though it is not considered inadmissible, the weight assigned to the evidence gets reduced. The forensic investigator should be mindful of this while carrying out and documenting the investigation.