The hard drive won’t spin up….

Eventually every computer forensic specialist runs into a storage device that is mechanically damaged in some way.  Most computer forensic investigators are very adept at using software and their skills to ferret out information on storage devices that are in perfect physical working condition, but what most computer forensic classes gloss over is the fact that you can only do an investigation on storage devices that actually work!  If the platter is scratched or the actuator arms are not working, all the software and skills in the world will amount to nothing.

This is where your pure computer hardware geek comes into play!  There aren't very many out there, but there are computer forensic investigators who are also hardware geeks.  To be sure, there are services that will repair and/or replace a hard drive for the forensic investigator, but that just adds more time to the case.  In some cases, I'm hearing about one-year delays on investigations that have working storage devices to work with!!  Imagine having to send the drive out to get the hardware working first.  The reason for this blog post is quite simply that I had a string of people come in within the last 2 months with dead drives and no recourse but to send them out to a data recovery service.

With a little research I discovered you do not need a full clean room to do this kind of work!  A simple glove-box type clean room that is HEPA filtered, with gloves and the necessary hardware to run it at either positive or negative air pressure, is all that is needed.  A simple clean box example can be found here: http://www.ktank.com/22.gif.  If you are mechanically inclined you can build your own box with some large "Tupperware" and PVC: http://www.instructables.com/answers/Homemade-glove-box-clean-room-for-DIY-hard-drive-r/.

A couple of things to keep in mind here.  The first is that you must have an identical drive that you can switch the parts into or from.  In other words, if you have to switch the platters from one drive to another you must use the same model drive, firmware revision, etc.  Any major difference will more than likely not work.  Older drives can be difficult to match, but you may get lucky on eBay or Craigslist!  The second thing to keep in mind is that you will create some debris when working on these drives.  Always keep the air moving inside the box if at all possible and use filters to minimize the dust floating around.  If you have ever wondered just how much room there is between the platter and the magnetic head: http://www.instructables.com/file/F78LAXCFTY4C8AC/.  Not much room for error!!!

Once you have switched out the parts that were not working, it is imperative to get the data off as quickly as possible.  Quite frankly, there is no telling how long the repair will last or whether some contaminant made it through your filters.

Blackhat Briefing shows new forensic tool!

In the computer forensic world, the age-old (for computer forensics anyway) argument of whether to power down a computer or keep it on to analyze the contents of RAM just got a little bit closer to resolution, thanks to Peter Silberman and Steven Davis of Mandiant.

During the 2009 Blackhat conference in Las Vegas this year, the duo from Mandiant introduced a product called Memoryze, which is a forensic tool for RAM.  Since necessity is the mother of invention, this type of forensic software is becoming more and more useful to forensic investigators.  As most forensic investigators already know, the majority of forensic cases deal with data that is written to storage devices in some form or fashion.  The problem we are now beginning to see on a larger scale is the use of operating systems or application software that never writes to the storage device.  Operating systems such as Knoppix or other "Live CD/DVD" based systems are designed not to write to the existing storage device, either by default or by a manual switch.  Applications such as Metasploit's Meterpreter are also designed to write only into RAM and not to the storage device.

In looking into what Memoryze can do, the company website lists the following:

  • image the full range of system memory (not reliant on API calls).
  • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
  • image a specified driver or all drivers loaded in memory to disk.
  • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
    • report all open handles in a process (for example, all files, registry keys, etc.).
    • list the virtual address space of a given process including:
      • displaying all loaded DLLs.
      • displaying all allocated portions of the heap and execution stack.
    • list all network sockets that the process has open, including any hidden by rootkits.
    • output all strings in memory on a per process basis.
  • identify all drivers loaded in memory, including those hidden by rootkits.
  • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • identify all loaded kernel modules by walking a linked list.
  • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

The tool looks to be proof-of-concept software and not in full production, but it does look promising.  Some of you are asking yourself what good this tool is, since RAM is volatile and gets wiped fairly often when in use.  A little-known secret about RAM is that, just like storage space, the operating system usually does not scrub data it is no longer using, so remnants of data remain in RAM until overwritten by new data.  The process of being overwritten can take minutes, hours, or even days depending on the use the computer is put through.  The one caveat here is that the computer cannot be turned off, since this will erase everything in memory and clean the slate of any information.  So, note to investigators: if you suspect someone is using a RAM-based operating system, NEVER let them turn the machine off!

Follow these two links for more information:

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Silberman

http://www.mandiant.com/software/memoryze.htm

9th Circuit Court of Appeals releases an eye-opening ruling!!

August 26th, 2009 may come to be a day that prosecutors and law enforcement look back on and wish had turned out a bit differently.  For others it is a day which leads them to believe the Federal Courts can be fair and actually do seek justice for all.

The case centers on government investigators and prosecutors overreaching their authority and intentionally and willfully violating conditions set forth by a US Magistrate.  The details of the case revolve around steroid use by Major League Baseball players and the test results held on computers by the laboratories that did the actual testing.  During the course of an investigation, the government learned of 10 baseball players who had tested positive for steroid use and petitioned a US Magistrate for a search warrant to find evidence on only those ten players.  What followed is arguably one of the most blatant attempts by those in law enforcement/prosecution to throw out the rule of law (in particular the 4th Amendment).

When executing the search warrant for the information on the ten baseball players, the lead investigative agent (Agent Novitsky) ignored the US Magistrate's order that only the forensic specialist was to separate out the data specified in the search warrant.  The problem with this search was (and is) the fact that hundreds of individual private medical records were contained on the same computer as those of the ten baseball players listed in the warrant.  Agent Novitsky was present during the execution of the warrant and, in viewing the data before the ten players' information was separated out, saw other results which pointed to positive drug tests and, under the "Plain View" doctrine, seized everything contained on that storage device.  From this cache of "evidence", the government subpoenaed data from two other labs, citing evidence from the first seizure.

As you can imagine, the labs sued for the return of their property, and in fact the government was ordered by three separate judges to return all property and evidence with the exception of the information on the original ten players.  The behavior on the part of the government investigators and prosecutors was so far out of line that the judges went so far as, "…to accuse the government of manipulation and misrepresentation."  The case makes for interesting reading and makes you wonder what the agents and prosecutors were thinking.

In this ruling the 9th Circuit has effectively thrown out the "Plain View" doctrine as it applies to electronic searches.  Plain and simple as that.  What the Court has also done is set up a framework, or set of guidelines, for any future seizures of electronic/digital evidence:

1. Magistrates should insist that the government waive reliance upon the plain view doctrine in digital evidence cases. See p. 11876 supra.

2. Segregation and redaction must be either done by specialized personnel or an independent third party. See pp. 11880-81 supra. If the segregation is to be done by government computer personnel, it must agree in the warrant application that the computer personnel will not disclose to the investigators any information other than that which is the target of the warrant.

3. Warrants and subpoenas must disclose the actual risks of destruction of information as well as prior efforts to seize that information in other judicial fora. See pp. 11877-78, 11886-87 supra.

4. The government's search protocol must be designed to uncover only the information for which it has probable cause, and only that information may be examined by the case agents. See pp. 11878, 11880-81 supra.

5. The government must destroy or, if the recipient may lawfully possess it, return non-responsive data, keeping the issuing magistrate informed about when it has done so and what it has kept. See pp. 11881-82 supra.

These "guidelines" explicitly lay out what government agents can do during an investigation centered on digital evidence.  They offer very little latitude for government agents and set such clear guideposts that an agent or prosecutor who ignores them will have a very hard time winning any case if this decision is used as precedent.  To say that the government agents and prosecutors angered the Federal Judiciary to such a degree that they have been slapped down is an understatement.

The dissenting judges in the case bring up the point that some evidence will be found during routine searches and should not be separated out just because it was not part of the original warrant.  Their example was a search for one type of evidence during which child porn is found.  A valid point it is, but the point is a red herring in that this particular case is about evidence commingled with that of many other people who have no part in the case.  For example, a warrant is executed to examine the emails of one person on a Google server.  The dissenting judges' argument is that ALL emails on that server are subject to search simply because they are in "Plain View" while doing a search for the one email account listed in the warrant.  Those of us in the computer field know how easy it is to use filters and queries to extract only what we need or want.  To say that combing through an entire storage device is required is disingenuous at best.

To further clarify the point here, let's flip the scenario around:  Do regular US citizens have access to Top Secret or Secret material held by the US Government?  Of course not.  The US Government states that unless you have a need to know, the information is off limits.  Regular citizens also have this right via the 4th Amendment.  Unless the government has a need to know your private information based on certain conditions set forth in the 4th Amendment, the government or its agents have no reason or authority to view your private information.  There are those who will argue that if you have nothing to hide you should not fear the government looking at your private data.  To those souls, I say you should lay bare your banking and credit information for all the world to see.  Every time I have made that point they say, "But that is private!!", at which point a light bulb shines brightly above their head.

Bravo for the 9th Circuit, and let this be a lesson to overzealous investigators who are now saddled with onerous rules because some played fast and loose with the rights of US Citizens.

Welcome to our new Site!

Welcome to our new site with my thoughts and analysis of things computer forensic.  Bear with us as we get the site up and running!!!  :)