General strategy and concerns so far  

cosmicnet
(@cosmicnet)
New Member

Hi All,
I've had a bit of a play now with FTK (v 1.5 build 4). A few things occur to me.
I assume, like many of you, being into computers means you end up helping out friends when they have computer problems. This can be anything from installing a virus checker, to taking out their HD, putting it into one of my machines, backing things up, re-installing, etc.
I read a post on here about a computer repair guy getting arrested and I've suddenly started to feel paranoid. Do you guys have a procedure for helping people? Such as to ensure you don't end up left with potential nasties that might be on their disks?? Or do you always check friends' disks before you fix them?
I'm assuming that any backups you've made of people's stuff should be thoroughly shredded off your own disks once you've given them back. But as I understand it, things you've opened would go into your RAM, which could swap out to disk, so your computer's main disk can contain things you are unaware of???
Frightening stuff. I guess it's best not to over-think this? Or is paranoia the best policy when dealing with computer forensics?

So far I've just been poking about with an image I've taken of an old disk. For some reason FTK (the version I have at least) doesn't like java much and takes ages to process the various jars and classes, so I've excluded these from the case.
The thumbnail viewer seemed mostly filled of little icons, so I filtered out 0 - 5kb files.
I tried a live search but that takes ages.

This is the general strategy I have so far:

1. Reduce evidence as much as possible to speed things up.
2. Ignore small image files
3. Ignore java files
4. Only live search if you find something suspicious

As for searching, FTK has an import, but no predefined word lists, which seemed a little odd to me. Seeing as I'm not searching for anything specific, I'm assuming the process is first a general word list followed by specific lists based on what the general one brings up. I've searched on here for word lists and only found people talking about them and not wanting to post theirs. I thought there would be standard lists of sorts; am I missing something?

Also, is there a moral issue if I check some backups from friends' computers? Do you guys see this as a big no-no, or as your duty as forensics? Do I really want to know if there is anything there, or should I just wipe it?

As for wiping files/disk/slack/free space, is there a de facto standard bit of software (preferably free) that you all use?

Oops, that got a little long. Sorry for all the questions; I have been searching and reading posts to try to answer most of my questions.

Lyle

Posted : 05/05/2010 9:11 pm
binarybod
(@binarybod)
Active Member

Lyle,

You ask a lot of questions and so I'll concentrate on just one if you don't mind.

You give your location as the UK, which could mean Scotland or Northern Ireland, and I'm not too sure about the relevant legislation there. If however your location is England or Wales then the following links might prove useful:
Section 1, Protection of Children Act 1978
Section 160, Criminal Justice Act 1988
Section 62, Coroners and Justice Act 2009
Section 63, Criminal Justice and Immigration Act 2008
All of which make it an offence to make, possess or distribute any indecent photograph, movie or drawing of a child and also any images of an extreme nature (such as bestiality, extreme sadism or necrophilia).

Now if you have a friend who needs you to 'have a look' at their machine, be aware that if you find any of this stuff and you give the machine back then a case might be made out for you distributing that material.

I have been in just such a situation and the friend had to be arrested!

Paul

Posted : 06/05/2010 3:15 am
samr
(@samr)
Active Member

I concur with Paul. The law is very clear when it comes to finding indecent images of children. You must report it to the police as soon as you possibly can. Retaining the data yourself could mean you are deemed to be in possession of the material yourself. In fact, as soon as you find such material you should stop everything and contact the police. You shouldn't attempt to investigate it yourself or inform the owner. The law is quite clear that only the police have the authority to investigate such cases (even someone like an expert witness in the area is unable (rightly so) to investigate such cases without the appropriate authority).

Attempting to wipe such material could mean you are tampering with evidence and a lot of questions would be raised against you. More importantly it could mean that a person who is a potential threat to children is not appropriately prosecuted so that they can get the help they require.

Kind regards

Posted : 06/05/2010 4:02 am
cosmicnet
(@cosmicnet)
New Member

> Now if you have a friend who needs you to 'have a look' at their machine, be aware that if you find any of this stuff and you give the machine back then a case might be made out for you distributing that material.

Does this imply that I shouldn't look in the first place, and that without knowing I shouldn't be liable for anything? Just wipe any old backups of friends' disks that I have.

Lyle

Posted : 06/05/2010 4:52 am
samr
(@samr)
Active Member

If you find anything indicative of indecent images of children it should be reported to the police. If you have such files (due to backups of other computers) then you should report it to the police (not wipe it), informing them what you have and how you acquired it, and let the police take it from there.

If you have suspicions and so are investigating, then you have no authority to do so. If you suspect anything involving indecent images of children you should report it to the police.

I should add that, say for instance such a friend has been arrested on such charges and you believe the disks/backups you have may contain evidence, you should report it to the police.

You obviously have some suspicions otherwise I doubt you'd be asking the question. So if you believe you have evidence of a person making/possessing/distributing indecent images then you should report it.

Posted : 06/05/2010 5:05 am
markg43
(@markg43)
Member

OK, I will answer your questions on technical merit since my learned colleagues have covered a bit of the ethics. Please consider their comments.

1. Reduce evidence as much as possible to speed things up
– Yes, but be careful that you don't reduce the evidence by actually removing something relevant. One of the ways that we do that is by using negative hashing. For instance, build your own Windows XP box with Java. Then hash all the files from that instance into a list and create a KFF file (since you are using FTK) marking all the files as IGNORE (get a blank KFF library here: http://www.accessdata.com/downloads.html). Now load this KFF into FTK and then filter out IGNORABLE. Also see the NSRL hash lists; NIST makes these hash sets for this same purpose.

2. Ignore small image files
— Yes, I generally do that. Where I work, even CP images that are tiny are generally useless for prosecution but can show intent if it is all you have.

3. Ignore java files
– You could try hashing them out like the KFF above. However, I often will mark these as IGNORABLE in FTK after the case processes; I do that instead of Refining Evidence to get them out.

4. Only live search if you find something suspicious
– Live search is used to find patterns/regex. Yes, it takes a long time, but you can find phone numbers, email addresses, credit card numbers etc. With Indexed Search, you can only search for one item at a time; you cannot search for all phone numbers, etc. Does that help?

> As for searching, FTK has an import, but no predefined word lists which seemed a little odd to me. Seen as I'm not searching for anything specific I'm assuming the process is first a general word list followed by specific lists based on what the general one brings up. I've searched on here for word lists and only found people talking about them and not wanting to post theirs. I thought there would be standard lists of sorts, am I missing something?
— Word list for what?

> Also, is there a moral issue if I check some backups from friends computers?
— It's the owner of the computer's permission you need. Refer to the previous post here about finding things that you might not want to find. To add to that, I say be careful; you can learn A LOT about people from what they do with their computer. Much of that you might not want to know, especially if these people are your friends. People need their secrets (the legal ones).

> Do you guys see this as a big no-no, or as your duty as forensics? Do I really want to know if there is anything there or should I just wipe it?
— My forensic duty stops at the door of my job, or perhaps at the end of my search warrant.

> As for wiping files/disk/slack/free space, if there a defacto standard bit of software (preferably free) that you all use?
– There are many ways. Using dd in Linux is one way; this is generally how I do it, unless I use a hardware wiper like a Logicube Talon or Wiebetech eRazor.

> Such to ensure you don't end up left with potential nasties that might be on their disks??
– I don't look for other stuff when I clean out viruses etc. I fix whatever I need to and that's all. Respect their privacy.

> Or do you always check friends disks before you fix them?
– Check for what? They generally tell you what is wrong. But I'll do Malware scans etc.

> I'm assuming that any backups you've made of peoples stuff should be thoroughly shredded off your own disks once you've given them back.
— Oh yes, wipe them good. In Windows XP and later, you can just delete the files from the file system (and empty the Recycle Bin), then run this command on the drive that had that data: `C:\>cipher /w:c:\`
This will wipe the unallocated areas on the drive. That should do the trick.

> But as I understand it things you've opened would go into your ram, which could swap out to disk, so your computers main disk can contain things you are unaware of???
— I personally would not be very concerned about the paging file. It is difficult enough to get data out of it. Try it: open a picture file, or better yet several pictures, and get them all in RAM. Open a bunch more stuff; you are trying to force those pics to be paged off to disk. Now shut down and reboot into a boot CD and copy off that pagefile.sys. Reboot and process that pagefile.sys, data carve the picture types and see if you get any. Testing is always the best way to determine what things do or how they work.

I hope this helps.

MarkG

Posted : 06/05/2010 11:44 am
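The negative-hashing step MarkG describes (hash every file of a clean reference install, mark them all IGNORABLE, then filter the case against that set) as an added example; this is not code from the thread or from AccessData's KFF tooling, and the MD5 choice, directory layout and sample files are constructed assumptions for illustration.

```python
"""KFF-style negative hashing: build an ignore set from a known-good tree, then
split a case tree into files needing review and files that match the known set."""
import hashlib
import os
import tempfile


def file_hash(path, algo="md5"):
    """Stream-hash one file. KFF/NSRL sets commonly carry MD5 and SHA-1 (assumption: MD5 here)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_ignore_set(reference_root):
    """Walk the clean reference install and record every file's hash as IGNORABLE."""
    ignore = set()
    for root, _dirs, files in os.walk(reference_root):
        for name in files:
            ignore.add(file_hash(os.path.join(root, name)))
    return ignore


def filter_case(case_root, ignore):
    """Return (review, ignorable): paths whose content hash is absent from / present in the set.
    Matching is by content, so a stock file found under a different path is still ignored."""
    review, ignorable = [], []
    for root, _dirs, files in os.walk(case_root):
        for name in files:
            p = os.path.join(root, name)
            rel = os.path.relpath(p, case_root).replace(os.sep, "/")
            (ignorable if file_hash(p) in ignore else review).append(rel)
    return sorted(review), sorted(ignorable)


def demo():
    """Constructed sample: a 'reference' jar, and a 'case' holding the same jar plus a user file."""
    base = tempfile.mkdtemp()
    ref_lib = os.path.join(base, "ref", "java", "lib")
    case_lib = os.path.join(base, "case", "java", "lib")
    case_docs = os.path.join(base, "case", "docs")
    for d in (ref_lib, case_lib, case_docs):
        os.makedirs(d)
    stock_jar = b"PK\x03\x04 stock jar bytes (constructed)"
    with open(os.path.join(ref_lib, "rt.jar"), "wb") as f:
        f.write(stock_jar)
    with open(os.path.join(case_lib, "rt.jar"), "wb") as f:
        f.write(stock_jar)
    with open(os.path.join(case_docs, "notes.txt"), "wb") as f:
        f.write(b"user content worth reviewing (constructed)")
    return filter_case(os.path.join(base, "case"), build_ignore_set(os.path.join(base, "ref")))


if __name__ == "__main__":
    print(demo())  # (['docs/notes.txt'], ['java/lib/rt.jar'])
```

The same split is what FTK applies when a loaded KFF marks hits as IGNORABLE; an NSRL hash set plugs into `filter_case` as a larger `ignore` set.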
oldbloke1
(@oldbloke1)
New Member

Of course, if you do wipe such material knowing it to be there, it would be a strong case of Perverting the Course of Justice, which, if my retired memory recalls, is around 7 years. Just a thought.

Sorry

OB1

Posted : 06/05/2010 3:21 pm
cosmicnet
(@cosmicnet)
New Member

> You obviously have some suspicions otherwise I doubt you'd be asking the question. So if you believe you have evidence of a person making/possessing/distributing indecent images then you should report it.

Hold your horses there a minute! I don't have any suspicions of anything; I was just thinking about the possibilities from the posts I've read on here. It's unfortunately in my nature to think of worst-case scenarios; you should see me when it comes to long car journeys, I'm not a good passenger.

I wondered why the replies have gone in this direction. I obviously gave the wrong impression from my original post. So far the only upsetting images I've found are of me and my ex-girlfriend that I deleted when we broke up.

At least it's very clear now what to do if I do find anything untoward. Thank you.

MarkG,
Thanks for your detailed reply. I haven't been using KFF and wasn't sure what it was for, but this makes sense. I'll download and have a play with it. I didn't have much luck getting FTK to ignore Java files after the evidence collection; maybe I missed something, or it's the version I'm on?
Ahhh, so Live Search can have regex. I'm familiar with them from Perl; I guess that's why Perl is popular for this.
As for word lists, I've been assuming the uni module focuses on illegal content. One of the people from the module that came to our Perl presentation was already working for the police. The module has got popular because of CSI and most of the students are fans. Although, thinking about it more, I guess when a disk is brought to them there is already a suspicious area to be checked, whether it's fraud or the kind of images the others have outlined. So a general word list wouldn't be much good, unless it's like the old copper joke "What can I do you for?", lol.
That's a good point on the moral issue and privacy. I wouldn't want to find out a friend's wife was having an affair or something like that. I once found out that an ex-girlfriend's dad was into hairy women porn from his internet history; although I found it a little amusing at first, I REALLY would have rather not known.
cipher is totally new to me; I'll have to have a play with that.

Thanks very much for your detailed reply; that's cleared a lot of stuff up.
I'm sure I'll have more questions soon enough. I'll try and get some details of the uni module's structure so I can be less vague.

Lyle

Posted : 06/05/2010 9:59 pm
markg43
(@markg43)
Member

Word lists:

I am currently working on a murder/suicide, so I plan to cobble together a nice list of terms and then load the list up through Indexed Search to see what I get. But I can't rely on just that list; it may miss things. If I get nothing, then I would go through things by hand. If I get enough from that word list search for a conviction, then my manual search would be less detailed.

In the perfect world I could examine every single file to find inculpatory and exculpatory evidence and provide it all to the case agent. In the real world, there are privacy, legal authority and "more cases to do" concerns that preclude my looking at every file.

And generally, the computer forensics is not the ONLY evidence. Just a piece of the pie.

MarkG

Posted : 07/05/2010 1:55 am
cosmicnet
(@cosmicnet)
New Member

> In the perfect world I could examine every single file to find inculpatory and exculpatory evidence and provide it all to the case agent

Wow, that's a lot of files. So would this actually be looking at the individual files, or just the disk directly one block at a time?

Lyle

Posted : 11/05/2010 3:31 am
markg43
(@markg43)
Member

That's in a perfect world. In the real world, as a day-in, day-out forensic examiner, most of my cases do not require me to start examining the data blocks in hex. Generally, I stick with logical files, and also some unallocated space searches if I do not find enough for conviction in logical files.

Posted : 11/05/2010 3:40 am