Forensic Artifacts
Forensic investigations hinge on analysis of salient artifacts. Forensic artifacts are simply observable details that could include information related to the investigation. Numerous types of artifacts exist that might pertain to a particular security incident. Broad classes of artifacts include, but are not limited to, those related to systems, networks, and applications. The classes, and more detailed categories, exist simply to allow for a more structured approach to their potential acquisition and analysis. For example, mobile devices could generically fall within the purview of system; however, these systems prove distinct enough that they are often explicitly distinguished from general-purpose desktop or server-based systems.
Categories of system-related artifacts include: files, processes, services, users, registry, shell elements, logs, and more. Further, the particular artifacts and how they are investigated could depend on whether the evidence acquired came from non-volatile (e.g., hard disk, solid state) or volatile (memory/RAM) sources.
As stated above, mobile devices are often singled out from general-purpose computing systems. One reason to distinguish them is that they require different acquisition processes and hold artifacts in different locations and of different kinds. Mobile devices can also frequently be used to establish a person's geographic location at particular times.
Network-oriented sources of artifacts include full packet captures, flow-based data, IDS alerts, and DNS logs. Hostnames, IP addresses, and ports are commonly used as search keys for finding relevant network-based artifacts within these sources.
Forensic Media Analysis
In addition to the valuable data gathered during the live forensic capture, the main source of forensic data typically comes from binary images of secondary storage and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, and possibly associated cellular phones and MP3 players. A binary, or bit-stream, image is used because an exact replica of the original data is needed. Normal backup software will only archive the active partitions of a disk, so a normal backup could miss significant data that an attacker intentionally deleted; as such, binary images are preferred.
Here are the four basic types of disk-based forensic data:
- Allocated space—portions of a disk partition that are marked as actively containing data.
- Unallocated space—portions of a disk partition that do not contain active data. This includes portions that have never been allocated, and previously allocated portions that have been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and made available for use.
- Slack space—data is stored in specific size chunks known as clusters (clusters are sometimes also referred to as sectors or blocks). A cluster is the minimum size that can be allocated by a file system. If a particular file, or final portion of a file, does not require the use of the entire cluster, then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data, or can be used intentionally by attackers to hide information.
- “Bad” blocks/clusters/sectors—hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.
Given the disk-level tricks that an attacker could use to hide forensically interesting information, a binary imaging tool is used rather than a more traditional backup tool that would only be concerned with allocated space. Numerous tools can be used to create this binary image, including free tools such as dd and dc3dd as well as commercial tools such as AccessData’s FTK Imager or OpenText’s Tableau Forensic Imager.
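To make the allocated, unallocated, and slack space distinction concrete, the following is an added example (not part of this text): a toy cluster-based volume in Python that shows why a file-level backup misses slack and unallocated remnants while a bit-stream image, as produced by dd or dc3dd, preserves them. The 512-byte cluster size, the file names, and the file contents are constructed for illustration.

```python
from math import ceil

CLUSTER = 512  # bytes per cluster (constructed; real file systems often use 4096)


class ToyVolume:
    """Flat byte array of fixed-size clusters with contiguous first-fit allocation.
    Writes only touch len(data) bytes, so the tail of a file's last cluster and
    every unallocated cluster keep whatever bytes were there before."""

    def __init__(self, n_clusters):
        self.disk = bytearray(CLUSTER * n_clusters)
        self.files = {}  # name -> (first cluster, length in bytes)

    def _used(self):
        return {c for first, length in self.files.values()
                for c in range(first, first + ceil(length / CLUSTER))}

    def write(self, name, data):
        need, used = ceil(len(data) / CLUSTER), self._used()
        for first in range(len(self.disk) // CLUSTER - need + 1):
            if all(c not in used for c in range(first, first + need)):
                off = first * CLUSTER
                self.disk[off:off + len(data)] = data  # no cluster padding is written
                self.files[name] = (first, len(data))
                return
        raise OSError("volume full")

    def delete(self, name):
        del self.files[name]  # clusters become unallocated; their bytes are untouched

    def logical_backup(self):
        """What a normal backup copies: only the active bytes of each file."""
        return {n: bytes(self.disk[f * CLUSTER:f * CLUSTER + l])
                for n, (f, l) in self.files.items()}

    def bitstream_image(self):
        """What dd/dc3dd produce: every byte of the volume, allocated or not."""
        return bytes(self.disk)

    def slack(self, name):
        """Bytes after the file's end, up to the end of its last cluster."""
        first, length = self.files[name]
        end = first * CLUSTER + length
        return bytes(self.disk[end:(first + ceil(length / CLUSTER)) * CLUSTER])


def demo():
    vol = ToyVolume(8)
    vol.write("secret.txt", b"S" * 1000)  # clusters 0 and 1 (488 bytes of cluster 1)
    vol.delete("secret.txt")              # both clusters are now unallocated
    vol.write("note.txt", b"N" * 300)     # reuses cluster 0, overwriting only 300 bytes
    logical, image = vol.logical_backup(), vol.bitstream_image()
    return {"logical_has_secret": b"S" in b"".join(logical.values()),
            "image_has_secret": b"S" in image,
            "slack_bytes": len(vol.slack("note.txt")),
            "slack_is_old_data": vol.slack("note.txt") == b"S" * 212,
            "unallocated_remnant": image[CLUSTER:2 * CLUSTER] == b"S" * 488 + b"\x00" * 24}
```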