CO2 Session-7,8,9

The document outlines a session on digital forensics, focusing on the filesystem, metadata, and content categories. It aims to educate students on locating evidence, analyzing unallocated data, and understanding the importance of various file attributes in forensic investigations. The session also addresses the challenges of linking suspects to digital evidence and the methods for reconstructing transgressions.

Uploaded by

dsailajaklu

Department of CSE

DIGITAL FORENSICS
20CS3259AA
Topics:
The filesystem, transgression, Indexing and searching for files,
look for possible evidence, Unallocated data analysis

Session - 3

CREATED BY K. VICTOR BABU


AIM OF THE SESSION

To familiarize students with the concepts of the filesystem category, the metadata category, and the content category.

INSTRUCTIONAL OBJECTIVES

This Session is designed to:


1. Describe the filesystem category
2. Describe the metadata category
3. Describe the content category

LEARNING OUTCOMES

At the end of this session, you should be able to:


1. Illustrate the importance of the filesystem category
2. Illustrate the importance of the metadata category
3. Illustrate the importance of the content category



SESSION CONTENTS

• The filesystem category
• The metadata category
• The content category
• Locating evidence in file systems
• Determining the means of transgression
• Determining opportunity to transgress
• Determining the motive to transgress
• Deciding where to look for possible evidence
• Indexing and searching for files
• Unallocated data analysis
The filesystem category

• The filesystem category records the general filesystem information, which, while following a general design, is a unique structure on each individual device.
• By cataloging this data, the filesystem category shows users where to find the data and files they are seeking as well as acting as a map for the filesystem.
• It brings order to chaos and allows sound storage and retrieval of files for users.
• There is also a benefit of the filesystem, which is rich in file metadata, to practitioners.
The filesystem category

• Filesystem metadata forms an essential part of practitioners' navigation and the examination of filesystem information.
• It can assist greatly in reconstructing events of relevance to a case.
• However, if any of this data is corrupted or lost, then additional analysis is made more difficult because backup copies of the data and records will be required.
• Otherwise, the practitioner will need to guess what the original values were and guess the type of application that created the filesystem and the creation date of the file or folder.
The filename category

• The filename category, sometimes referred to as the human interface category, catalogs data used to assign a name to each file.
• It consists of directory lists of filenames with the corresponding metadata address of each file.
• Deleted filenames and their corresponding metadata addresses are used to recover the file content using metadata-based recovery.
• Being able to use filename listings is a fundamental part of forensic examinations as it allows the practitioner to identify the names of the files and parent directories and can be used for searching for evidence based on filename, path, or file extension.
The filename category

• A file extension identifies the type of file, such as a system file or, in the case of an MS Word document, a file denoted by the .docx extension.
• However, if the metadata address is cleared during file deletion, it may not be possible to locate further information.
• If only part of a filename is known, it is still possible to search using that part, such as in the case of the file extension or name being known, but not its full path.
• Metadata is stored in fixed-length tables with its own address.
• When a file is deleted, the metadata entry is changed to the unallocated state, and the operating system may wipe some of the file values.
The filename category

• It should also be noted that file-wiping tools may delete filenames and metadata addresses or overwrite key values in the filename, showing that an entry existed before being invalidated.
• The operating system stores all file data and metadata in binary form, which is translated to human-readable text or images through the application interface, often referred to as the Graphical User Interface (GUI).

This figure shows the filename data saved in binary form and the timestamp metadata:
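The binary directory entries and packed timestamps described on the filename and metadata slides can be seen concretely by decoding one. The following is an added example, not code from the original slides: it parses a constructed FAT-style 32-byte directory entry (names, attributes, packed create/modify dates and times, first-cluster address and size), recognises the 0xE5 deleted marker, and performs a simple metadata-based recovery by following the surviving first-cluster pointer into a constructed data area. The sample directory, data area, 64-byte cluster size and contiguous-file assumption are all constructed for illustration; long-filename entries and the FAT cluster chain are not modelled.

```python
import struct
from datetime import datetime

# Layout of a 32-byte FAT short directory entry (public FAT specification offsets):
# name(11) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2) acc_date(2)
# clus_hi(2) wrt_time(2) wrt_date(2) clus_lo(2) size(4)
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 32
DELETED_MARK = 0xE5
ATTR_DIRECTORY = 0x10


def fat_date(raw):
    """Packed date: bits 15-9 year since 1980, bits 8-5 month, bits 4-0 day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F


def fat_time(raw):
    """Packed time: bits 15-11 hours, bits 10-5 minutes, bits 4-0 two-second units."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2


def fat_datetime(date_raw, time_raw):
    y, m, d = fat_date(date_raw)
    hh, mm, ss = fat_time(time_raw)
    return datetime(y, m, d, hh, mm, ss)


def pack_date(dt):
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day


def pack_time(dt):
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)


def parse_dir_entry(raw):
    """Translate one binary entry into the human-readable view a tool would show."""
    (name, attr, _ntres, _tenth, ctime, cdate, adate,
     hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED_MARK          # first byte overwritten on deletion
    base_raw = b"?" + name[1:8] if deleted else name[:8]
    base = base_raw.decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "created": fat_datetime(cdate, ctime),
        "accessed": fat_date(adate),             # FAT keeps only a date for last access
        "modified": fat_datetime(wdate, wtime),
        "first_cluster": (hi << 16) | lo,        # the "metadata address" into the data area
        "size": size,
    }


def parse_directory(blob):
    """Walk consecutive entries; a 0x00 first byte marks the end of the directory."""
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break
        entries.append(parse_dir_entry(raw))
    return entries


def recover_content(entry, data_area, cluster_size):
    """Metadata-based recovery: follow the surviving first-cluster pointer.
    Assumption: the file was stored contiguously (the FAT chain is not modelled)."""
    start = (entry["first_cluster"] - 2) * cluster_size   # data area begins at cluster 2
    return data_area[start:start + entry["size"]]


def make_entry(name11, attr, created, modified, first_cluster, size):
    """Build a constructed entry (used only to fabricate the sample below)."""
    return struct.pack(ENTRY_FMT, name11, attr, 0, 0,
                       pack_time(created), pack_date(created), pack_date(modified),
                       first_cluster >> 16, pack_time(modified), pack_date(modified),
                       first_cluster & 0xFFFF, size)


# --- constructed sample: a two-entry directory and a tiny data area ---
CLUSTER_SIZE = 64
REPORT_TEXT = b"Quarterly figures, final version."
SECRET_TEXT = b"meet at the usual place at 9"
DATA_AREA = (REPORT_TEXT.ljust(CLUSTER_SIZE, b"\x00")      # cluster 2
             + SECRET_TEXT.ljust(CLUSTER_SIZE, b"\x00"))   # cluster 3
SAMPLE_DIR = (
    make_entry(b"REPORT  DOC", 0x20, datetime(2024, 3, 15, 10, 30, 20),
               datetime(2024, 3, 16, 8, 0, 0), 2, len(REPORT_TEXT))
    + make_entry(b"\xe5ECRET  TXT", 0x20, datetime(2024, 3, 15, 11, 0, 0),
                 datetime(2024, 3, 15, 11, 0, 0), 3, len(SECRET_TEXT))  # deleted entry
    + bytes(ENTRY_SIZE)                                                  # end marker
)


def recover_deleted(blob=SAMPLE_DIR, data_area=DATA_AREA, cluster_size=CLUSTER_SIZE):
    """Recover content for every entry whose name was invalidated but whose metadata survived."""
    return {e["name"]: recover_content(e, data_area, cluster_size)
            for e in parse_directory(blob) if e["deleted"]}


if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIR):
        print(entry)
    print(recover_deleted())
```

The deleted entry keeps its timestamps, size and first-cluster address; only the first byte of the name is lost, which is why the recovered name prints as `?ECRET.TXT`. Recovery succeeds here only because the clusters have not been reused, which is the condition the metadata slide states.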



The metadata category

• The metadata category contains data that describes the properties or attributes of a file, displaying the file location and size.
• Most importantly, it provides a history of the file, providing timestamps for its creation, modification, and access.
• Metadata-based recovery may be required to look for that missing or elusive file and is used when metadata from the deleted file has not been erased.
• The file may have been relocated, such as being moved from one folder to another.
• This may prove problematic to detect as it is not uncommon when a file has been reallocated to recover two or more unallocated metadata entries that have the same file address.
The metadata category

• Examination of metadata may assist when viewing file contents and searching for file values as well as locating deleted files.
• It is usually initiated when a filename points to a specific metadata structure and file examination is required.
• The following figure shows metadata recovered from a thumbnail of a photographic image.
The metadata category

• The thumbnail database files keep a record of multimedia files stored in specific folders.
• Even after the original file has been removed from the folder, the small database file may remain, containing miniature versions of the original file and file metadata.
• In this example, the file metadata contains Exchangeable Image File Format (EXIF) data typical of photographs taken with a digital camera or device.
• This may provide additional details of the precise map reference where the image was taken for certain types of camera and, occasionally, the serial number of the camera.
The metadata category

• Different file types provide basic metadata and sometimes even versions of the file, as in MS Word documents.
• The file properties shown in the next screenshot provide details of the file creation, modification, and last accessed timestamps and the file location:



The content category

• The content category consists of the contents of a file, such as the text written to a document file, figures added to a spreadsheet, or a picture inside an image file.
• If recovered from unallocated space, it may have no linked metadata or filename, and the only clues to its antecedents may be gleaned from the file signature and clues garnered from the contents, especially text documents.
Locating evidence in file systems

• The nature of the transgression to some extent dictates the type of relevant evidence that may be recovered.
• For example, in a homicide where the victim died of gunshot wounds, it would be helpful to determine the time, location, and cause of death.
• A search would commence for the weapon; discharged bullets or shot; spent cartridges; gunpowder residue; blood spatter; and projectile trajectory data.
• At a microscopic level, DNA analysis of samples from the spent cartridge, chemical analysis of the gunpowder residue, postmortem analysis to determine the cause of death, and so forth will be undertaken.
Locating evidence in file systems

• One of the fundamental challenges practitioners face is determining with any certainty the link between a suspect and the data recovered from a computer.
• Without a human observer or perhaps a CCTV camera to place the suspect at the computer at the time of the transgression, it becomes a matter of an educated guess at best or speculation at worst.
• The practitioner must be guided by the evidence and, if that proves inconclusive, he or she must look for more evidentiary clues to offer likely hypotheses as to what happened.
Locating evidence in file systems

• The practitioner collects all relevant evidence that supports various hypotheses, but it is for others, such as juries, to decide whether the evidence helps determine guilt or innocence.
• The challenge to practitioners is locating information or data of relevance to the case under investigation.
• It is also common for the examination to seek specific evidence in accordance with a legal brief, but during the examination, evidence of other transgressions may be recovered.



Determining the means of transgression

• Reconstructing the transgression may be a relatively easy process, or it may be difficult to reconstruct because little record remains of the transgression and transgressors.
• The practitioner would have to determine where the truth lay and undertake a thorough analysis of the e-mail message in relation to the computer being examined.
• Another aspect of determining whether a suspect had the means to commission an offense is verifying whether the suspect had the computer skills to use the software involved, such as in the case of forging an electronic document or manipulating a photograph.


Determining opportunity to transgress

• Anyone can use a computer for illegal operations, but proving that the suspect alone had the opportunity through access to the computer may be problematic.
• It may be difficult, if not impossible, to link the time of the crime to a suspect's access to the computer or network in the absence of any corroboration.
• Audit logs recording the details of specific users accessing a computer or network often assume that the person who used the authorized user's logon details and password was the actual user.
• Often, that may be so, but if another person gained unauthorized access to the user details and logged on to the system, it may be difficult to prove unless there is some other evidence, such as a human observer or perhaps a CCTV recording, to clarify
Determining opportunity to transgress

• Audit and access user logs are not infallible and can be altered and falsified and are therefore not always reliable.
• Time and date stamps and file locations of key events help confirm the circumstances relating to a transgression. They may often help determine which user had the opportunity to transgress at a given time.
• Computer user access security may prohibit unauthorized access transgression and establish user identity. This would help narrow down the list of those users who may have been responsible for the transgression.
Determining opportunity to transgress

• In criminal cases, much is made of assumptions as to who committed the offence, but it must be proven beyond reasonable doubt; the threshold is lower in civil cases, where the standard is the balance of probability.



Determining the motive to transgress

• It is not essential to prove motive, and it is often difficult to do so without perhaps some form of confession by the transgressor, for who knows what was in the mind of the transgressor at the time of the act?
• However, data may exist on a device that may offer some explanation of possible motivation or, for that matter, an absence of motive and criminal intent.



Deciding where to look for possible evidence

• We have a transgression; somebody had the means, the opportunity, and the motive to commit it using a computing device.
• Records of the applications and files used and the operating system can provide some useful electronic fingerprints to help practitioners reconstruct what happened, when it happened, where on the device or in the system it occurred, how it happened, and, hopefully, why it happened—the often-hard-to-prove motive. So where should the practitioner start?
• Computers and other devices store information in directory systems of varying sorts, similar to Windows Explorer.
Deciding where to look for possible evidence

• This screenshot shows part of a Windows directory structure viewed through the advanced forensic tool ILookIX:



Deciding where to look for possible evidence

• However, the number of files stored on a typical computer makes it impracticable because of time constraints and the fatigue of checking every file.
• Some are system files that will not normally be examined other than for specific checking.
• So, providing the practitioner with easy-to-review categories of files would be more helpful.
• If, for example, webpage files such as HTML and other categories were conveniently categorized, it would make locating and selecting evidence quicker and less tedious.
Deciding where to look for possible evidence

• File categories can be divided into file signature and file type, as shown in ILookIX's Category Explorer panel in the next screenshot.



Deciding where to look for possible evidence

• File signatures recognize the internal structure and pattern of a file, while file types are based on the application software that uses the files, such as Microsoft Office using Word to open a file with the .docx file extension.
• If e-mail messages or multimedia files were being sought, then these helpful catalogs would be a convenient start to a search.
• The main areas of interest may be cataloged and provide some useful starting points for a broad range of cases, as detailed in the examples set out in the next table:



Deciding where to look for possible evidence

Category: Reason for search

Archive files: These include zipped and compressed files whose contents may be relevant to the investigation.
Audio: These files may record some Skype conversations or provide evidence of downloading music files in breach of copyright regulations.
Databases: These include databases of thumbnail files (.db) and other records relating to user activities on the device.
E-mails: These are a rich source of information about human communications and sometimes contain incriminating evidence.
Event logs: These are records of various user and system activities retained by the device—useful for recreating timelines of events.
Internet browser files: These provide a record of browsing activities as well as a record of searches made that may relate to an investigation.
Link files: These files tell us about the files and applications most recently used and help reconstruct user activities and timelines of events.
Recycler: Deleted files and folders are often a rich source of evidence.
Registry files: The registry records the state of various features available to users and has a record of various devices attached to the computer.
System files: Most of these may be irrelevant to an examination but some play an important role in reconstructing relevant events.
Video: These files may contain evidence of user activities of relevance to a case, or child exploitation material, for example.
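The distinction the slides draw between file signature (internal structure) and file type (the application and extension) is what lets a tool sort files into review categories such as those in the table, and it also exposes files whose name disagrees with their content. The following is an added example, not code from the slides or from ILookIX: it looks up a small table of well-known public header signatures, compares the signature-derived type with the extension-derived type, groups a constructed set of files into categories and lists the mismatches separately. The file names, contents and the category labels are constructed; only the magic bytes themselves are real format signatures.

```python
# Header signatures at offset 0 (public, well-known values) with the review category
# a practitioner would file them under. Office .docx/.xlsx/.pptx are ZIP containers,
# so their signature category (Archive) differs from their file-type category (Document).
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpeg", "Image"),
    (b"\x89PNG\r\n\x1a\n", "png", "Image"),
    (b"GIF8", "gif", "Image"),
    (b"%PDF-", "pdf", "Document"),
    (b"PK\x03\x04", "zip", "Archive"),
]

# Extension -> (format family expected inside, file-type category).
EXTENSIONS = {
    "jpg": ("jpeg", "Image"), "jpeg": ("jpeg", "Image"), "png": ("png", "Image"),
    "gif": ("gif", "Image"), "pdf": ("pdf", "Document"), "zip": ("zip", "Archive"),
    "docx": ("zip", "Document"), "xlsx": ("zip", "Document"), "txt": ("text", "Document"),
}


def signature_of(data):
    """File-signature view: classify by the bytes actually in the file."""
    for magic, fmt, category in SIGNATURES:
        if data.startswith(magic):
            return fmt, category
    return None, "Unknown"


def type_by_extension(filename):
    """File-type view: classify by what the name claims the file is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSIONS.get(ext, (None, "Unknown"))


def classify(filename, data):
    sig_fmt, sig_cat = signature_of(data)
    ext_fmt, ext_cat = type_by_extension(filename)
    return {
        "name": filename,
        "signature": sig_fmt,
        "signature_category": sig_cat,
        "extension_type": ext_fmt,
        "extension_category": ext_cat,
        # Mismatch: both views are confident and they disagree, e.g. a renamed file.
        # A plain .txt has no header, so text files never trigger this check.
        "mismatch": sig_fmt is not None and ext_fmt not in (None, "text") and sig_fmt != ext_fmt,
    }


def triage(files):
    """Group a name->bytes mapping by signature category and list mismatches.
    Returns (by_category, sorted mismatch names)."""
    by_category = {}
    mismatches = []
    for name, data in files.items():
        info = classify(name, data)
        by_category.setdefault(info["signature_category"], []).append(name)
        if info["mismatch"]:
            mismatches.append(name)
    return by_category, sorted(mismatches)


# Constructed sample files: only the leading bytes matter for signature matching.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00...",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00...",
    "invoice.pdf": b"%PDF-1.7\n...",
    "notes.txt": b"just some text",
    "photo.png": b"PK\x03\x04\x14\x00...",   # a ZIP archive renamed to look like an image
}

if __name__ == "__main__":
    groups, odd = triage(SAMPLE_FILES)
    for category, names in groups.items():
        print(f"{category}: {', '.join(names)}")
    print("signature/extension mismatches:", odd)
```

Note that `report.docx` is filed under Archive by signature but Document by file type without being a mismatch, whereas `photo.png` is flagged because its content is a ZIP container while the name claims an image; both views together give the practitioner the shortlist the slides describe.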
Indexing and searching for files

• Searches may be index-based or keyword searches.
• Index-based searches require the indexing of each file in the dataset that the practitioner decides may be relevant to the examination and can filter out extraneous files that would otherwise slow down the indexing and searching processes.
• Once the dataset is indexed, the time for a search is almost instantaneous, with quicker results of hits being provided to the practitioner.
• Keyword searches take longer but are also time savers.
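The difference between the two search styles on the slide is where the work happens: an index-based search pays the tokenising cost once while building posting lists, after which each query only intersects small sets, whereas a keyword search re-reads the whole dataset on every query. The following is an added example, not code from the slides or from the ISeek tools: it builds an inverted index over a constructed dataset (after filtering out the extraneous system file, as the slide recommends), answers a multi-term query from the index, and runs the same query as a linear keyword scan to show that both return the same hits. File paths and contents are constructed for illustration.

```python
import re
from collections import defaultdict

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; the same tokenizer is used for indexing and querying."""
    return TOKEN.findall(text.lower())


def filter_dataset(docs, skip_suffixes=(".dll", ".sys", ".exe")):
    """Drop files the practitioner has decided are extraneous before indexing."""
    return {path: text for path, text in docs.items()
            if not path.lower().endswith(skip_suffixes)}


def build_index(docs):
    """One pass over the dataset: term -> set of file paths containing it (posting list)."""
    index = defaultdict(set)
    for path, text in docs.items():
        for term in set(tokenize(text)):
            index[term].add(path)
    return index


def index_search(index, terms):
    """AND query: intersect the posting lists. Cost depends on list sizes, not on corpus size."""
    postings = [index.get(t.lower(), set()) for t in terms]
    if not postings:
        return set()
    return set.intersection(*postings)


def keyword_search(docs, terms):
    """AND query by scanning every document for every term on each call."""
    wanted = [t.lower() for t in terms]
    hits = set()
    for path, text in docs.items():
        tokens = set(tokenize(text))
        if all(w in tokens for w in wanted):
            hits.add(path)
    return hits


# Constructed dataset: a few user files and one system file whose strings happen to match.
SAMPLE_DOCS = {
    "C:/Users/alice/Documents/plan.txt": "transfer the funds on friday before the audit",
    "C:/Users/alice/mail/draft.eml": "Subject: audit schedule. The transfer is approved.",
    "C:/Users/alice/Pictures/notes.txt": "grocery list: milk, eggs, bread",
    "C:/Windows/System32/kernel32.dll": "transfer audit",   # constructed strings, excluded by the filter
}


def run_both(docs=SAMPLE_DOCS, terms=("transfer", "audit")):
    """Return (index hits, keyword hits) over the filtered dataset for the same query."""
    relevant = filter_dataset(docs)
    index = build_index(relevant)
    return index_search(index, terms), keyword_search(relevant, terms)


if __name__ == "__main__":
    via_index, via_scan = run_both()
    print("index-based:", sorted(via_index))
    print("keyword scan:", sorted(via_scan))
```

For a dataset of millions of files the index is built once and reused across every search term the practitioner later adds, which is the "almost instantaneous" behaviour the slide refers to; the keyword scan remains useful for one-off terms that were not anticipated when the index was built.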



Indexing and searching for files

• The following screenshot shows a variety of search terms populating a configuration file created by the advanced ISeekDesigner program, which provides the practitioner with a rich selection of keyword search terms.
• In this process, the configuration file is used by the ISeekDiscovery automaton to search for the terms, which are later indexed for speedier analysis:



Indexing and searching for files

• Search results are presented in a variety of formats, allowing the practitioner to examine a smaller and more manageable dataset, as highlighted in the following screenshot.
• It shows the result of a search of a large dataset consisting of more than two million files resulting in the identification of six files that assist the case reconstruction of this training crime simulation designed by me:



Unallocated data analysis

• The area available to store data on a hard drive or storage drive depends on the size of the device and any installed components.
• For example, a newly acquired laptop may have on it the operating system and a range of basic software applications, system files, user data, and so forth.
• The remaining space, in pristine condition, is available to store data as required by the user, system, and software applications.
• This free space or unallocated space is initially empty but soon starts getting filled during normal usage.
• Files may be recovered from allocated space, where they are maintained by the operating system in what is called a logical state.
• Most of the files here, unless they are hidden files, may be located and recovered during forensic recovery.
Unallocated data analysis

• The same may be said of deleted files that remain in the trash folder.
• Eventually, the device can run out of space and crash the operating system or at least make its operation sluggish.
• Files are frequently deleted by users and held in the trash bin, from where they may be restored or removed back into unallocated space.
• There, the remnants of the file remain but will be further eroded and eventually completely overwritten by new files being written to and occupying the same space.
• However, forensic tools allow the practitioner to recover these files or fragments of deleted files that may assist in reconstructing key events in a case.
• Deleted files may be readily recoverable by checking for deleted filenames held in file directories.
Unallocated data analysis

• However, it is not uncommon for the names of deleted files to be reused before any changes to the metadata are made.
• The files may have retained no filename, but the file metadata may still persist. Conversely, the filename and metadata may remain but not the file contents.
• Consistency checking of unallocated blocks by an experienced practitioner may reveal deliberate attempts at data hiding or filesystem errors that have hidden data.
• Data wiping may be detected too by finding a zeroed or invalid entry between two valid entries.
• Data carving is the technique used to undertake the recovery of file fragments and can be done manually using a hex editor or automatically using advanced forensic tools.
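Data carving, as the slide says, recovers file fragments from unallocated space without any filename or metadata: the carver scans raw bytes for a known header and the matching footer. The following is an added example, not code from the slides or from any forensic product: it carves JPEG and PNG fragments out of a constructed unallocated region, marks a fragment whose footer has already been overwritten as partial, and adds a simple consistency check that reports an all-zero block sandwiched between two used blocks, which is my own block-level analogue of the slide's "zeroed entry between two valid entries" observation and not a claim about any particular filesystem. The 32-byte block size and the buffer contents are constructed; the header and footer byte sequences are the public JPEG and PNG signatures.

```python
# Header/footer pairs for the formats carved here (public format signatures).
CARVE_SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(buffer, max_size=10 * 1024 * 1024):
    """Header-to-footer carving over raw bytes; no filesystem structures are consulted.
    Each hit is reported with its offset and size. If no footer is found within max_size
    the fragment is returned truncated and flagged partial (footer already overwritten)."""
    found = []
    for kind, (header, footer) in CARVE_SIGNATURES.items():
        pos = buffer.find(header)
        while pos != -1:
            end = buffer.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                data, partial = buffer[pos:pos + max_size], True
                resume = pos + len(header)        # keep scanning just past this header
            else:
                data, partial = buffer[pos:end + len(footer)], False
                resume = end + len(footer)
            found.append({"type": kind, "offset": pos, "size": len(data),
                          "partial": partial, "data": data})
            pos = buffer.find(header, resume)
    return sorted(found, key=lambda f: f["offset"])


def find_zeroed_blocks(buffer, block_size):
    """Consistency check: indices of all-zero blocks lying between two non-zero blocks.
    A zero block surrounded by used blocks is worth a closer look (possible wiping);
    leading free space at the start of the region is not reported."""
    blocks = [buffer[i:i + block_size] for i in range(0, len(buffer), block_size)]
    is_zero = [not any(b) for b in blocks]
    return [i for i in range(1, len(blocks) - 1)
            if is_zero[i] and not is_zero[i - 1] and not is_zero[i + 1]]


# --- constructed unallocated region, laid out as fixed-size blocks ---
BLOCK = 32


def _block(content):
    return content.ljust(BLOCK, b"\x00")


UNALLOCATED = b"".join([
    b"\x00" * BLOCK,                                          # 0: never used
    _block(b"\xFF\xD8\xFF\xE0JFIF-body\xFF\xD9"),             # 1: complete JPEG remnant
    _block(b"remnant of a deleted letter"),                   # 2: text residue
    b"\x00" * BLOCK,                                          # 3: zeroed between used blocks
    _block(b"\x89PNG\r\n\x1a\nIHDR...IEND\xaeB`\x82"),        # 4: complete PNG remnant
    _block(b"\xFF\xD8\xFF\xDB partial image"),                # 5: JPEG header, footer gone
])


def summarize(buffer=UNALLOCATED, block_size=BLOCK):
    """(carved fragments without their raw data, suspicious zero-block indices)."""
    frags = [(f["type"], f["offset"], f["size"], f["partial"]) for f in carve(buffer)]
    return frags, find_zeroed_blocks(buffer, block_size)


if __name__ == "__main__":
    fragments, zeroed = summarize()
    for kind, offset, size, partial in fragments:
        print(f"{kind:5} at offset {offset:4} size {size:3}{' (partial)' if partial else ''}")
    print("zeroed blocks between used blocks:", zeroed)
```

Header-to-footer carving assumes the fragment is contiguous; a real tool also validates the internal structure (for example, parsing JPEG segment lengths) to reject false positives and to bound a fragment whose footer is missing, which this illustration leaves to the `max_size` limit.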



Unallocated data analysis

• However, unless access to the device can be gained, all these attempts at data recovery may be thwarted if the device is password protected and encrypted.
• Motive may be determined by collecting evidence that links the user to some activities that confirm a degree of knowledge and control over the computer and relevant applications and files used in the transgression.
• Always be wary of the obvious.
• Speculation such as "it is the suspect's computer; therefore, the suspect is responsible" is highly inappropriate, even if it is not voiced by the practitioner.
• False evidence, too, can relatively easily be generated by mischief-makers out to implicate an innocent party.



THANK YOU

Team – Digital Forensics
