
Processing of Evidence

Published on Nov 29, 2015

Processing of Evidence

& REPORT PREPARATION
Aspects of Data Analysis
...Document, Document, Document

Contemporary Criminal Behavior Requires Computer Forensic Analysis

Analysis may lead to "bigger things" that are involved in other illegal directions

Handle the evidence (hard disk drives and other media) with CARE

Investigating Windows Based Systems

What is Important
User Profiles: Data that pertains to or was created by the individual user
Program Files: Software applications that were installed on the computer
Temporary Files: Files that were created by applications
Special Application Level Files: Includes Internet history and email files
*Metadata: Data about data (System Metadata & Application Metadata)

Investigating Windows Based Systems

Continued
Windows System Registry: A database employed by the Windows operating system which stores configuration information
Event Log or Log Files: Files which record or document any significant occurrence in a system or program
Swap Files: Computer memory files written to the hard disk drive
Printer Spool: Information stored in buffers which are awaiting printing
Recycle Bin: The temporary location of deleted files.
*Hold the Shift key while deleting to bypass the Recycle Bin and delete directly and permanently

Codes of Conduct

in Computer Forensic Investigations
- Establish forensically sterile computer forensic lab rooms
- Ensure the legitimacy & capabilities of analysis tools
- Note the physical conditions of ALL of the suspect's computer and computer-related property
- Initiate the creation and verification of a hard disk drive image (Do Not Use the Original Drive to Conduct Computer Forensic Investigations)
- You may need to "jump" the CMOS password in order to gain access to the machine
- You may need to "short-circuit a chip" with the use of a paperclip, which STOPS the "boot process"

Codes of Conduct

in Computer Forensic Investigations (Continued)
- You may need to "pull the battery" in order to freeze the hard disk drive & other writing components in that current state
- Default passwords may need to be used in order to gain access to a machine & can be found on the Internet, listed by OEM
- Social Engineering/Brute Force may need to be used by law enforcement (Freezing RAM & re-installing it on another machine)
- "Key Discs" may be used by investigators in order to set passwords (ASCII)
- Image verification of a hard disk drive is needed prior to analysis

Codes of Conduct

in Computer Forensic Investigations (Continued)
- Logical examination is conducted for criminal evidence (You may need to look at the Partition Table for storage or hidden files)
- Restoration of files is needed in order to find deleted, erased, and compressed files
- Listing of Files is needed in "tree" structure form, which can be done with forensic software
- Examine Unallocated Space for Data Remnants (May be intentionally manipulated by suspects)
- You may need to unlock individual files using "password cracking dictionaries" and powerful password cracking software

Codes of Conduct

in Computer Forensic Investigations (Continued)
- Program Defaults & Program Specific Crackers may be used
- Examination of User Data Files (Case Specific)
- Piping of Evidence is needed to share case information
- Examination of Executable Programs (Back Orifice, Deep Throat, Netbus)

Examples:
Nmap
Nessus Remote Security Scanner
John the Ripper
Nikto
SuperScan
p0f
Wireshark
Eraser
Yersinia

Evidence from Internet Activity

- Trading or sharing information
- Concealing their identity
- Assuming another identity
- Identifying and gathering victim's information
- Communication with co-conspirators
- Distributing information or misinformation
- Coordinating meeting places, sites, or parcel drops

Evidence from Internet Activity

Tracing IP Addresses or Domain Names

- Whois
- Traceroute
- nslookup

User Accounts, Email, & Instant Messaging

Websites & Internet History

*Note: The Wayback Machine is located at http://www.archive.org/web/web/php and can pull up over two billion archived Internet pages

Non-Windows Operating Systems

Macintosh & Unix/Linux
Macintosh Operating System
- Great media platform
- Is now compatible with other machines
- Known for the GUI

Imaging
- Need Disk Arbitration Disabled
- Use a dd command to create an image

Finding Evidence
- Evidence may be found in the same locations as in other operating systems but in different file locations

Forensic Tools Used
- Black Bag Technologies/ Mac Forensic Software/ Mac Forensics Lab

Non-Windows Operating Systems

Macintosh & Unix/Linux
Characteristics
- Inexpensive in nature
- Increased software applications
- Approaches system files, user accounts, and data files differently
- Consists of a unified system with three partitions (root, boot, and swap)

Variety of Operating System
- Red Hat, SUSE Linux, Solaris, HP Unix, and IBM's AIX

Open Source Options
"In the wild", using the Virtual File System and grep

Linux/Unix Operating System

Where is evidence found?
- /etc/passwd: contains an entry for every account created on the suspect's machine (Account ID, Encrypted Password, Numeric User ID, Numeric Group ID, Account Information, Home Directory, and Login Shell)
- /etc/shadow: present if the installation uses "shadow passwords"
- /etc/hosts: contains local domain name system entries (web activity)
- /etc/sysconfig: contains assorted configuration files
- /home/useraccountID/Trash: like a trash bin, contains deleted files which have NOT been released into unallocated space
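As an added example (not part of the slide deck), the following script triages a copy of /etc/passwd recovered from an image: it splits the seven colon-separated fields the slide lists and flags the accounts an examiner looks at first. The passwd content is constructed sample data, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the slide deck: triage a recovered /etc/passwd.
# Flags accounts with UID 0, accounts that can log in interactively, and
# accounts whose password field holds a hash (or nothing) instead of the
# "x" that defers to /etc/shadow. Sample file below is constructed data.
set -eu

PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
svc:$6$saltsalt$constructedhashvalue:1001:1001:service:/var/svc:/bin/sh
guest::1002:1002:guest:/home/guest:/bin/sh
EOF

# Fields: 1 account, 2 password, 3 UID, 4 GID, 5 info, 6 home, 7 shell.

# Every account with UID 0 has full administrative rights; a second one
# besides root is a classic indicator worth documenting.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 ":" $3 ":" $7 }' "$1"
}

# Accounts whose shell is not nologin/false/sync can log in interactively.
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 ":" $6 }' "$1"
}

# A password field other than "x", "*" or "!" means the hash sits in passwd
# itself (readable by every user) or the password is empty.
unshadowed_accounts() {
  awk -F: '$2 != "x" && $2 != "*" && $2 != "!" {
             print $1 ":" ($2 == "" ? "EMPTY" : "HASH_IN_PASSWD") }' "$1"
}

echo "UID 0 accounts:";        uid0_accounts "$PASSWD"
echo "interactive accounts:";  interactive_accounts "$PASSWD"
echo "not shadowed:";          unshadowed_accounts "$PASSWD"
```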

Linux/Unix Operating System

Tools
- Maresware: Linux Forensics
- The Farmer's Boot CD
- SMART
- The Sleuth Kit (TSK), The Coroner's Toolkit, and Autopsy

PDA Forensics

Palm OS, Pocket PC, or Linux Based
Mobile devices are becoming more like mini computers

PDAs Contain
- Microprocessors
- ROM - Read Only Memory
- RAM - Random Access Memory
- Multiple hardware keys and interfaces
- Touch-sensitive crystal display
- Memory cards and peripherals
- WiFi, BlueTooth, and Infrared

PDA Forensics

Palm OS, Pocket PC, or Linux Based
Where evidence may be contained...
- Address books
- Appointment books
- Calendars
- Mailboxes
- Task boxes
- Saved areas
- List boxes
- Remotely by Web Service
- Safes (password-locked storage)

PDA Forensics

Continued
PDA Forensic Technology

Paraben Software- Device Seizure
...Includes logical and physical acquisitions and ensures data integrity through write blocking software

Report Preparation

& Final Documentation
At a minimum, all reports should include date, time, and investigative personnel for the following events:

- Evidence seizure
- Digital imaging and verification
- Application and forensic software
- Special techniques or problems
- Consultation with outside sources
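As an added example (not the deck's own procedure), the script below puts the imaging slide and this report checklist together: it images a drive with dd, verifies the image against the source by SHA-256, and logs date, time and examiner for the imaging and verification events. The "source device" is a constructed file so it runs offline; the examiner name is a placeholder.

```sh
#!/bin/sh
# Added example, not from the slide deck: dd imaging with hash verification
# and a dated, attributed event log. The source is a constructed file; on a
# real case it would be a block device attached through a hardware write
# blocker (and, on a Mac, with Disk Arbitration disabled as the slide notes).
set -eu

WORK=$(mktemp -d)
SRC="$WORK/suspect_drive.bin"    # constructed stand-in for e.g. /dev/sdb
IMG="$WORK/evidence_001.dd"
LOG="$WORK/imaging_log.txt"
EXAMINER="examiner_placeholder"  # hypothetical; taken from the case file

# Build a 1 MiB constructed "drive" so the script runs offline.
make_source() { head -c 1048576 /dev/urandom > "$SRC"; }

# One report line per event: UTC timestamp, examiner, event text.
log_event() {
  printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$EXAMINER" "$1" >> "$LOG"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Hash the source, then copy it block by block. conv=noerror,sync continues
# past read errors and zero-pads bad blocks so offsets in the image line up.
create_image() {
  log_event "source hash: $(sha256_of "$SRC")"
  dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
  log_event "image created: $IMG"
}

# Re-hash both files and compare; returns 0 on match, 1 on mismatch.
verify_image() {
  src_hash=$(sha256_of "$SRC")
  img_hash=$(sha256_of "$IMG")
  if [ "$src_hash" = "$img_hash" ]; then
    log_event "verification OK: $img_hash"
    return 0
  fi
  log_event "verification FAILED: source $src_hash image $img_hash"
  return 1
}

make_source
create_image
verify_image
cat "$LOG"
```

The log records exactly the date, time and personnel the checklist asks for, and any later re-verification of the image appends to the same record.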

Two of the most popular computer forensic suites are:
- Access Data's Forensic Toolkit
- Guidance Software's EnCase

Computer Forensic Hardware/Software

Images
Standard BIOS Passwords

AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HTL, KDD, ZBAAACA, ZAAADA, ZIAAADC, and djonet

AMI BIOS
AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder

Other passwords you may try (for AMI/AWARD or other BIOSes)
LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj

Computer Forensic Hardware/Software Images

Steganography

Computer Forensic Hardware/Software

Images: EnCase File Viewer

Computer Forensic Hardware/Software

Images: FTK File Viewer

Computer Forensic Hardware/Software

Images: Hardware Write Blocker

Computer Forensic Hardware/Software

Images: Media Storage Devices
