This paper presents the results of a digital forensics lab exercise that used Adepto and Helix for disk imaging and analysis. It also includes a letter to the professor describing the activities carried out in the lab, what succeeded, and what failed during the analysis.
This paper is divided into three parts. The first part describes the procedures used in the lab to carry out a digital forensic analysis; the second part is a report to the professor detailing the successes and failures of the lab work; the final part answers questions related to forensic analysis.
Part I: Lab Deliverables
A. Screenshots (10 points): Capture and paste the following five screenshots you captured during your lab work in this order. Give a one-sentence short description at the beginning of each screenshot to describe what it is about.
1. A screenshot of Device Info similar to (may not be the same as) the illustration in Step 10 of the Lab1-Write-up.
The Device Info screen identifies the Make, Model, and Size of the source drive sda; only the Serial Number is not reported.
2. A screenshot of Imaging in Progress similar to (may not be exactly the same as) the illustration in Step 16 of the Lab1-Write-up.
Acquisition of the source drive is in progress.
3. A screenshot of Verification Success similar to (may not be exactly the same as) the illustration in Step 18 of the Lab1-Write-up with a “Verify Successful” message.
Acquisition of the source has completed and the image verified successfully; the screen shows the start time (11:33:00 AM), the verify time (11:33:13 AM) and the stop time (11:33:18 AM).
4. A screenshot of Chain of Custody with Hash value similar to (may not be exactly the same as) the illustration in Step 19 of the Lab1-Write-up.
In the Chain of Custody tab, the evidence is listed and the MD5 hash value generated from the image file is shown.
5. A screenshot of creating Chain of Custody PDF form similar to (may not be exactly the same as) the illustration in Step 20 of the Lab1-Write-up.
A Chain of Custody form is created as a PDF document, saved as /medi/sdb1/COC-201227601-.pdf
Part I B
The first data file shows a graphical user interface with icons that direct the user to the actions to be taken. It also provides a log in which the user chooses the name of the file he or she wants to access, and the log displays all details of that file, including name, size, sector, and system bus. The next data file shows a log of the name and password stored in the application. The Adepto log gives the name of the document to be analysed and notes about the image; it also records the mount point destination for the document.
The next data file shows a log of the Chain of Custody details as displayed in Adepto 2.1. It records the manufacturer, model, and size of the device, together with the name of the creator, the creation date, the image name, the storage drive, and the hash value of the analysed image. The final data file shows the Chain of Custody log with the document name and number of pages, and a smaller log confirming that the PDF document has been created and saved under a particular name.
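The acquire, hash, verify and chain-of-custody steps described in Part I (device info, imaging, "Verify Successful", COC record), as an added example in Python that is not part of the paper and not Adepto's or Helix's own code: it streams a constructed source file to an image while hashing every block (the way hash-on-the-fly imaging works), re-hashes the finished image to reproduce the verification step, and assembles the chain-of-custody fields. The source "drive", the examiner name, the device info values and the record field names are assumptions of this example; no real device is read.

```python
"""Added example (not Adepto's code): acquire -> hash -> verify -> chain of custody.
The "source drive" is a constructed temporary file, not a real /dev/sda."""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # fixed block size, like dd's bs= option


def acquire_image(source_path, image_path, chunk_size=CHUNK):
    """Copy the source to an image file block by block, hashing each block as it
    is written. Returns the acquisition record (size, hashes, start/stop times)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    started = datetime.now(timezone.utc)
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            dst.write(block)
            md5.update(block)
            sha1.update(block)
            total += len(block)
    return {
        "image": os.path.basename(image_path),
        "size_bytes": total,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "start_time": started.isoformat(),
        "stop_time": datetime.now(timezone.utc).isoformat(),
    }


def hash_file(path, algo="md5", chunk_size=CHUNK):
    """Hash a file from disk without loading it whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, record):
    """Re-read the finished image and compare with the hashes computed during
    acquisition; this is the 'Verify Successful' step of the lab."""
    return (hash_file(image_path, "md5") == record["md5"]
            and hash_file(image_path, "sha1") == record["sha1"])


def chain_of_custody(record, examiner, device_info):
    """Assemble the fields the COC tab/PDF carries (make, model, size, creator,
    date, image name, hash). Field names are this example's own assumption."""
    coc = {"examiner": examiner, "created": record["stop_time"], **device_info, **record}
    return json.dumps(coc, indent=2, sort_keys=True)


def run_lab_workflow(seed=1):
    """Constructed end-to-end run: a fake 1 MiB 'drive' is acquired and verified,
    then one byte of the image is changed to show that verification then fails."""
    rng = random.Random(seed)
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sda.raw")
    img = os.path.join(workdir, "evidence.dd")
    size = 1024 * 1024
    with open(src, "wb") as f:
        f.write(rng.getrandbits(8 * size).to_bytes(size, "big"))
    record = acquire_image(src, img)
    ok_before = verify_image(img, record)
    # Simulated post-acquisition damage: invert one bit of one byte in the image.
    with open(img, "r+b") as f:
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after = verify_image(img, record)
    device_info = {"make": "ConstructedMake", "model": "ConstructedModel",
                   "serial": "n/a"}  # constructed values, not the lab's drive
    return record, ok_before, ok_after, chain_of_custody(record, "Student", device_info)


if __name__ == "__main__":
    record, ok_before, ok_after, coc = run_lab_workflow()
    print("verify after acquisition:", ok_before)
    print("verify after tampering:  ", ok_after)
    print(coc)
```

Running the block prints `True` for the untouched image and `False` after the single-byte change, followed by the chain-of-custody record; the MD5 in that record is what Adepto shows in its Chain of Custody tab, and re-running `verify_image` at any later time is how an examiner demonstrates the image is unchanged.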
Part II: Letter to Professor
5 October 2012
Dear Mr. (Name),
I am writing this letter to inform you about my lab test results on the subject of forensic analysis. This letter will bring to your attention several findings from the lab analysis.
My reason for going into the lab was to attempt the use of digital forensic work. The first step in the lab was to open the Helix tool and launch it into active mode. While doing this, I managed to take a screenshot of the information.
I managed to acquire the source and obtain its successful verification, which indicated the start time (11:33:00 AM), the verify time (11:33:13 AM) and the stop time (11:33:18 AM). I also managed to open the Chain of Custody tab, where the evidence was shown and the MD5 hash value was generated from the image file.
Through the lab work, I learned how to start Adepto and run it using Helix tools. I also learnt about imaging and generation of messages using MD5 and SHA1 and the use of different cryptographic hashes in forensic analysis. I believe that the time I spent in the Lab will be useful in improving my skills in forensic analysis.
Part III: Answers
What types of forensic image formats does Adepto support?
As one of the first computer forensic tools, Adepto is a graphical imaging program found on the Helix Live CD. It is used to acquire images of drives and files, creating forensically sound images from hard drives and other media. The program supports the dd and dcfldd command-line imaging tools.
Adepto is an image acquisition tool that supports common imaging formats including JPG, TIF, PNG, and GIF. This is because Adepto is not an analysis tool but rather a tool for capturing forensically sound copies or images of the hard drive. This is mainly because Adepto's process does not return different MD5 values for different image formats, hence the need to produce forensically sound images.
Adepto supports three imaging formats, and each format has its own pros and cons. The first is the raw format, which writes bit-stream data to files. This format is easy to transfer and ignores minor read errors on the source drive. It is also readable by most computer forensic tools besides Adepto. The second is the proprietary formats, which allow image files to be compressed, images to be split into segmented files, and metadata to be integrated into the image files. However, these formats cannot be shared between different tools and limit the size that each segment can occupy. The third is the Advanced Forensics Format (AFF), which allows files to be compressed and places no restriction on disk image files. The format also works with multiple open source platforms and operating systems.
What kinds of write blocking does Helix provide?
Helix provides several write-blocking features, including USB write protection, which blocks any attempt to write to USB devices. However, this requires that the target drives be connected to internal controllers such as PATA (IDE), SATA, or SCSI. Helix also provides write protection by way of desktop icons that automate and control the enabling and disabling of all write protection for USB devices (Altheide & Carvey, 2011).
Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging.
The first technique is booting the machine from a bootable CD that mounts drives read-only for analysis and imaging. The method uses CDs such as CAINE, DEFT, and Helix3 Pro, all Linux-based. This technique has the advantage of being able to mount on all platforms, allowing imaging to be done with user-friendly graphical tools. Its disadvantage is that it does not work for flash drives and therefore supports only a limited number of applications.
The second technique involves plugging in an external hard drive and using an imaging tool to image the hard drive that is connected to the target drive. The technique is simple and straightforward, and allows a small executable program to be run on the system before connecting, so that the drive can be imaged from a remote location. However, it requires a few added steps for proper execution, because it will have an impact on the running system, which may be investigated later.
Why would a forensic examiner possibly select a different cryptographic hash type from MD5?
A forensic examiner may select a different cryptographic hash type from MD5 because the MD5 function does not provide the benefits found in other cryptographic hashes. MD5 has been found to contain serious flaws that can lead to misleading information. The MD5 function takes an input of arbitrary length and produces a message digest that is 128 bits long. This size is large when compared to that occupied by the cryptographic hash. Similarly, MD5 may not be appropriate where the message is short, because it is designed mainly for long messages and quick comparison (Nickell & Fischer, 1998).
Additionally, a forensic examiner may prefer a cryptographic hash where values need to be easy to compute for a particular computation. A cryptographic hash also allows hashed messages to be generated, which makes modification of the message difficult: to change the message, the hash must also change. A forensic examiner may also prefer a cryptographic hash instead of MD5 where the accuracy of the information must be exact, because with cryptographic hashes it is impossible to produce two messages with the same hash. Thus, cryptographic hashes ensure that the certainty of the message is maintained without the possibility of error.
What is the MD5 hash value of your image in Lab 1?
The MD5 hash value of my image in Lab 1 is f71625daed269ba7145a6e6b27fcb89a.
What are some reasons that make Helix a forensically sound method for forensic collection of digital evidence?
Helix provides tailored systems that carefully provide messages for incident response, data recovery, security auditing, and system investigation and analysis. The tool can be used in almost any environment a forensic examiner may find themselves in, from small to large environments where data loss and security breaches are likely to occur.
Helix also runs on common platforms, including Linux and Windows. The tool is available to forensic examiners for download upon registration. Helix is also easy to work with because it comes as a live CD and can therefore be used on any machine, running from its own built-in operating system. Because it runs on any machine regardless of that machine's operating system, Helix can also be used to audit all the machines in the vicinity. The tool also gives the forensic examiner the choice of well-developed anti-virus scanners such as XFPROT and ClamTk to investigate files and folders on any machine, on both local and remote disks.
What is the significance of the Adepto logs? Why are they needed?
Adepto logs are important because they store the messages that are useful to the forensic examiner. The logs are needed to provide evidence of the imaging of the drive. Using the log files, the forensic examiner is able to retrieve information from the hard drive.
What is the significance of the forensic investigator’s individual reports and logs?
Forensic reports and logs are important records that the forensic examiner needs to keep because they serve as evidence of the findings of an investigation. The reports and logs form critical and primary elements of the forensic practitioner's participation in the case under investigation. They are the evidence that the forensic examiner can present before a court of law to either incriminate or clear a suspect of the charges they face (Sawyer, 2012).
Why are cryptographic hashes such as MD5 and SHA1 needed? Why would an investigator not use a CRC or some other value?
Cryptographic hashes such as MD5 and SHA1 are important because of their ability to detect small changes within a message, producing what is described as the avalanche effect in the resulting digest. MD5 and SHA1 give the forensic investigator the ability to detect very small variations within a message that a CRC and other values cannot detect.
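To illustrate the two answers above on hash selection (why an examiner might choose a hash other than MD5) and on the avalanche effect (why a CRC is not a substitute for MD5 or SHA1), the following is an added Python example, not from the paper: it computes CRC-32, MD5, SHA-1 and SHA-256 of constructed sample data, flips a single bit, and shows that the change in a CRC depends only on the position of the edit and can be computed in advance from CRC's linearity, whereas the cryptographic digests change in a data-dependent way across roughly half their bits. SHA-256 and the sample bytes are this example's own additions and are not mentioned in the paper.

```python
"""Added example (not from the paper): cryptographic hashes versus a CRC for
evidence integrity. All input data below is constructed sample data."""
import hashlib
import zlib

# Constructed 4 KiB "image" contents and a second, different buffer of equal length.
SAMPLE = bytes(range(256)) * 16
OTHER = bytes((i * 7 + 3) & 0xFF for i in range(len(SAMPLE)))


def digests(data):
    """The values an examiner might record: a CRC and three cryptographic hashes.
    SHA-256 is included as a stronger alternative to MD5 and SHA-1."""
    return {
        "crc32": f"{zlib.crc32(data):08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def flip_bit(data, bit_index):
    """Return a copy of data with one bit inverted (a one-bit change in the image)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a, hex_b):
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(data, bit_index=12345):
    """Flip a single input bit and count how many bits of each output change.
    For a cryptographic hash about half of the digest bits change."""
    before = digests(data)
    after = digests(flip_bit(data, bit_index))
    return {name: differing_bits(before[name], after[name]) for name in before}


def crc_change_pattern(data, bit_index):
    """XOR of the CRC-32 before and after flipping one bit of data."""
    return zlib.crc32(data) ^ zlib.crc32(flip_bit(data, bit_index))


def crc_change_is_data_independent(bit_index=12345):
    """For CRC-32 the change caused by flipping a given bit is the same whatever
    the surrounding bytes are, so the new CRC is predictable from the edit alone."""
    return crc_change_pattern(SAMPLE, bit_index) == crc_change_pattern(OTHER, bit_index)


def md5_change_is_data_dependent(bit_index=12345):
    """Contrast: the MD5 change from the same one-bit flip depends on the data."""
    def pattern(d):
        return (int(hashlib.md5(d).hexdigest(), 16)
                ^ int(hashlib.md5(flip_bit(d, bit_index)).hexdigest(), 16))
    return pattern(SAMPLE) != pattern(OTHER)


def crc_is_linear(data, change_mask):
    """CRC-32 is affine over XOR for equal-length inputs:
    crc(a ^ m) == crc(a) ^ crc(m) ^ crc(zeros). The checksum of an edited file
    can therefore be computed without reading the edited file, which is why a
    CRC cannot serve as proof that an evidence image is unchanged."""
    if len(data) != len(change_mask):
        raise ValueError("mask must match data length")
    tampered = bytes(a ^ m for a, m in zip(data, change_mask))
    zeros = bytes(len(data))
    predicted = zlib.crc32(data) ^ zlib.crc32(change_mask) ^ zlib.crc32(zeros)
    return zlib.crc32(tampered) == predicted


if __name__ == "__main__":
    for name, changed in avalanche_report(SAMPLE).items():
        print(f"{name:7s} bits changed by one-bit flip: {changed}")
    print("CRC change independent of data:", crc_change_is_data_independent())
    print("MD5 change dependent on data:  ", md5_change_is_data_dependent())
    print("CRC linearity holds:           ", crc_is_linear(SAMPLE, OTHER))
```

The report shows the CRC-32 changing by a fixed pattern of at most 32 bits that is identical for `SAMPLE` and `OTHER`, while the MD5, SHA-1 and SHA-256 digests each change in roughly half of their 128, 160 or 256 bits and the pattern differs between the two inputs. The linearity check is the practical reason: a CRC is designed to detect accidental transmission errors, not to resist a deliberate edit whose effect on the checksum is known in advance.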
What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?
The Chain of Custody form from Adepto is a legal document that guarantees the identity and integrity of the data from the analysis. The form is an important document that details all the information and steps required in order to use the product. The Chain of Custody PDF form from Adepto is needed to provide guidelines on the use of Adepto in forensic imaging.
The Chain of Custody is also needed to provide guidelines on how the forensic examiner will keep the results of the lab test: it gives guidelines on collecting and handling data and samples, specifies who may access the lab results, documents the procedures for transferring samples and data, and outlines the procedure for making the records permanent.
- Altheide, C. & Carvey, H. (2011). Digital Forensics with Open Source Tools. New York: Elsevier.
- Casey, E. (2011). Helix - A Linux forensics corkscrew. Available at: http://www.dedoimedo.com/computers/helix.html
- Nickell, J. & Fischer, J. F. (1998). Crime Science: Methods of Forensic Detection. Kentucky: University Press of Kentucky.
- Sawyer, J. H. (2012). Drive Imaging Using Software Write Blocking. Available at: http://www.darkreading.com/blog/227700667/drive-imaging-using-software-write-blocking.html