Forensic procedure to retrieve digital evidence

In some cases, evidence needed or required for criminal investigation is stored on the hard disc duly distributed and marked, with characteristic names and extensions on appropriate locations.

However, there are cases when forensic experts are not so lucky. Cyber-crime perpetrators or perpetrators may sense that they are to be arrested soon and therefore delete incriminating evidence. Sometimes, a perpetrator may use sophisticated techniques to hide data. In some cases, the data that might be important evidence, has never been stored on the hard disc, but was used exclusively from transferable media:

• mass use of mobile devices that contain private and company data
• use of mobile devices for online transactions
• evidence for purpose of police and prosecution investigations
• location history of subject
• private detective investigations

There are many cases and various technics for each case:

• 1

  DETECTING DELETED DATA

• 2

  FINDING HIDDEN DATA

• 3

  SLACK SPACE

• 4

  SHADOW DATA

• 5

  STEGANOGRAPHY

• 6

  ALTERNATE DATA STREAMS

• 7

  HIDDEN PROTECTED AREA

DETECTING DELETED DATA

Many computer users, including criminals, believe that once they delete a file, it disappears from the hard disc. Even some experts believe that files are destroyed when recycle bin is emptied.

But things are not as simple as they think. Deleting files by tools of operating system simply removes the file indicators from the table of disc contents. This table is called differently in different types of file systems. The very term FAT abbreviated from File Allocation Table indicates the system of file storing. With regards to NTFS file systems, there is a MFT ‘Master File Table’ which has a back-up copy. Linux file systems use different recording methods and file allocation, so called INODs, but file reallocation is still possible.

Data are stored on a hard disc in clusters consisting of a certain number of bits. As file parts are not always put in clusters adjacent to each other on the physical level, but in most cases their parts are scattered on a disc, deleting indicators makes reconstruction and finding such files much more difficult but not impossible.

After files are deleted, the emptied space is marked as unallocated. Such space is available to the system later on for storing other data when required.

Due to technological development and increase in disc capacity, it may take a long time until all fragments of a file are overwritten by some other data.

FINDING HIDDEN DATA

Data hidden in a disc zone may be useful for investigation in many different ways. Some data remain present even after data deletion or disc repartitioning. Besides, there are many options for criminals with technical know-how how to hide data, mainly using a disc editor, stenography, encryption etc. Finding, recovery and reconstruction of hidden data can be a very time-consuming and tedious process, but in some cases it may produce evidence that will crack the case.

In order to fully understand how and why data remain on a disc, one should learn about the concept of storing data on a disc.

A disc sector is a unit of fixed size defined when file system is created (usually 512 bites). Older hard discs may have some ‘wasted’ storage space on the outside tracks, as logically each track is divided into equal number of sectors.

It is possible in some cases to hide data in the space between sectors on the larger outside tracks. This is called the sector gap. Some data recovery services may be able to locate and retrieve data that is hidden in this gap.

SLACK SPACE

Another option for hiding data is the slack space caused by file sizes that don’t exactly match the size of the clusters in which they are stored.

Usually a part of cluster remains empty, particularly with regards to file systems where cluster sizes are based on the partition size (FAT).

Can this space be used intentionally?

No. Forensic experts are interested in this space particularly because of functions through which DOS and Windows operating systems use this slack to fill in the system’s memory (RAM slack). All kinds of data can be found in this space, and some of them may be crucial for the investigation.

SHADOW DATA

Another option that may be examined is shadow data, created due to a difference in vertical and horizontal alignment of the magnetic heads. Namely, when accessing particular disc sector, the access points of head 1 and head 2 are not exactly the same, and this difference enables some data to remain present even after overwriting. Hence, it is sometimes possible (although very time consuming and expensive) to recover overwritten data.

STEGANOGRAPHY

Steganography implies hiding files within other files. This type of encryption is made possible through empty space or change in value of the least significant bit. The easiest way to explain stenographic methods is through data hidden within images. To begin with, an image is recorded through description of any single pixel represented by particular bite e.g. 10011000. When the least significant bit (the last one) is changed from 0 to 1, a different shade of pixel color is obtained and a hidden bit is created. In this way the entire file may be hidden within different parts of the image. Hidden bits and their order can be detected by using a key to their correct order, meaning only someone who knows the code can successfully reconstruct the file. Surely, like any other code, this one might be cracked by several anti-steganography programs that can detect the presence of hidden files. Detecting the presence of hidden files is much easier than their reconstructing.

ALTERNATIVE DATA STREAMS

Alternative data streams are yet another possible source of information within computer forensics. This term refers to NTFS file system compatible with this option. A stream of any size can be created and linked to usually visible file (a parent file), but this stream remains hidden and can be detected only through specialized program. Such data streams are completely legitimate. Namely, through these streams Macintosh / Apple files can be used. Each Macintosh file has two parts: resource and data part. The first part is hidden in alternative stream. There is another function of streams – the storage of control sums for anti-virus programs. These streams may be linked to both files and directories.

A stream cannot be directly deleted, meaning that firstly parent file must be erased. Many programs for data destruction delete only parent files while streams remain on hard disc. Also viruses and Trojans use streams for hiding files. Criminals may use them to hide incriminating data.

HIDDEN PROTECTED AREA (HPA)

When examining a hard disc (functioning based on ATA standard), forensic experts all over the world fail to examine Hidden Protected Area (HPA).

The HPA is located on a part of the hard disc inaccessible to operating system. This area is called UBA. All modern ATA disks have HPA. It is created mainly for the needs of manufacturers but also for the needs of large distributors. Identifying HPA presence is very easy, as only results of two ATA commands need to be compared READ_NATIVE_MAX_ADDRESS and IDENTIFY_DEVICE. If there is HPA on device, two resulting values will be different.

Why HPA is important to forensic experts?
There are two realistic dangers:

1. Firstly, there is a danger of locking the disc and maximizing the level of protection. In this way, access to LBA zone is disabled, and thus potential data remain intact. Of course, this password is impossible to crack by changing electronics, or even by transferring plates into another case, as the password is encrypted on the very plate. Password consists of 32 bits, and particularly in IBM/HGST disks it is protected by a very powerful encryption mechanism. This protection can be removed in two ways, one way is ATA command SECURITY_ERASE with mandatory factory password (MASTER) by means of which each disc track is formatted and thus disc is unlocked but evidence is destroyed. Second option is to use command UNLOCK by means of which the disc is unlocked with factory password and data remains intact. Therefore forensic experts apply the second option. Mechanisms for cracking factory code are business secret of data recovery service, but governmental and security agencies may acquire all passwords through official channels directly from the manufacturers.

2. The second more serious danger is configuring SET_MAX_LBA parameters. This command will adjust maximum number of sectors that may be addressed. In this way, savvy cyber criminals may lead inexperienced investigators into thinking that they are examining a disc of let’s say 60GB instead of actual 80GB disc.

E.g. there are two identical discs (same manufacturer, same model) differing only in capacity, 80GB and 160GB respectively. The only difference is that model with bigger capacity has two extra plates; extra plates cannot be easily detected, particularly if we take into account that a criminal would change all stickers on a disc; or even only the lid of a disc; then he would use 80GB for storing let’s say classic music and remaining 80 GB for child pornography, meaning that there would be two 80GB partitions; then by accessing the HPA he would adjust maximum value to about 160 million LBA (equivalent of about 80GB), restart the computer, and format the disc again. Now disc is examined by forensic specialist or less experienced technician. No matter how hard he tries to search all sectors and no matter how many times he performs the search, he constantly gets to the classic music partition. After some time he quits and criminal is let loose.

Taking into account the above example, it is necessary to pay close attention, have professional approach and perform thorough examination in each particular computer forensic case.