The first session I ran on a two day course for potential first responders across a large financial services client.

1. Phil Huggins
February 2004

2.  Investigation Theory
 Digital Evidence
 Order of Volatility
 Disks
 File Systems
 File Data
 Deleted Data
 Associated Evidence
 Summary

3.  Three major types of evidence can be found
 Inculpatory Evidence: That which supports a theory
 Exculpatory Evidence: That which contradicts a
theory
 Traces of tampering: That which does not support
any theory, but shows that data was wiped or
modified
 We want to find all three types of evidence to get
the whole picture

4.  The data on a system can be broken into two
categories: static and volatile.
 Volatile data will cease to exist after the system is
powered off. Examples of this include memory
contents, a list of running processes, a list of open
network ports, and a list of users that are currently
logged on.
 Static data will continue to exist after the system is
powered off. Examples of this include hard disk
contents, BIOS settings, and other hard coded
values (such as MAC addresses).

5.  Register State
 Memory
 Network
 Process INCREASING
VOLATILITY
 Disk
 Floppy Disks (FDs)
 CDROM

6.  A byte is 8 bits (11111110 = 254)
 A disk can be thought of as a
long stream of bytes
 The bytes are organized into
512-byte chunks called sectors
The disk is divided into partitions (or slices)
For Intel/DOS-based systems, the partition table describes the
partition layout (in the Master Boot Record)

7.  File Systems manage data storage
 Organized into files
 Files can be spread around all over a disk in data units
 File system maintains data about a file such as;
 Name
 Where the data units are
 When it was last accessed
 Provide an addressing scheme that is easy for humans to
understand
 Examples: FAT, EXT2FS, FFS, NTFS, EXT3FS

8.  Data about files is useful as it can tell us;
 Which system account accessed a file last
 When that happened
 When the file was last written to
 When a file was created.
 By looking at files when we investigate a
system we may destroy this sort of evidence

9.  File deletion theory is the same across file system
types
 There are five major actions:
 Mark the data describing the file as unallocated
 Mark the data unit itself unallocated
 Remove the file name so the ‘dir’ or ‘ls’ command does not
show it
 Delete the link between the file name and the data about
the file
 Delete the links between the data about a file and data
units
 The first three are required, the last two are not

10.  Deleted data is not removed but the bit of the disk
that holds it may be reused for different data
 Just a matter of time and how much data a system
need to write to disk
 We need to get that deleted data before it is
overwritten
 Therefore we need to do as little as possible on a
system that may overwrite the data while we are
investigating.

11.  Digital Evidence at best can only tell you which
computer account did what when.
 When only one person has access to the account
details then it is easy to identify a culprit.
 However, sometime we need to look into the real
world for other associated evidence such as:
 CCTV
 Building Entry Logs
 Statements from Witnesses

12.  We don’t want to prove someone guilty. We want
the truth so don’t ignore sources exculpatory
evidence.
 Be aware of what effect our investigation actions
are going to have on the evidence.
 Use Forensically sound tools to avoid damaging
evidence.
 Take copies of data early to avoid overwriting
valuable deleted data.
 Look for non-digital sources of evidence that can
support the investigation.