Digital Forensics

1
Digital Forensics

• Dr. Bhavani Thuraisingham
• The University of Texas at Dallas
• Lecture 12
• Computer Forensics Analysis/Validation and
  Recovering Graphic Files
• October 1, 2008

2
Outline

• Topics fir Lecture 12
• What data to collect and analyze
• Validating forensics data
• Data hiding techniques
• Remote acquisitions
• Recovering Graphic files
• Data compression
• Locating and recovering graphic files
• Stgenaography and Steganalysis
• Reference Chapter 9 am 10 of Textbook
• Topics for Lecture Number 13

3
What data to collect and analyze

• Depends on the type of investigation
• Email investigation will involve network logs,
  email server backups
• Industrial espionage may include collecting
  information from cameras, keystrokes
• Scope creep Investigation extends beyond the
  original description due to unexpected evidence

4
Validating forensic data

• Validating with hexadecimal editors
• Provides support such as hashing files and
  sectors
• Discriminating functions
• Selecting suspicious data from normal data
• Validating with forensics programs
• Use message digests, hash values

5
Data Hiding

• Data hiding is about changing or manipulating a
  file to conceal information
• Hiding partitions Create partitions and use disk
  editor to delete reference to it, then recreate
  links to find the partition
• Marking bad clusters Placing sensitive or
  incriminating data in free space use disk
  editors to mark good clusters as bad clusters
• But shifting Change bit patterns or alter byte
  values
• Using Stereography to hide data (Lecture 13)
• Encrypt files to prevent access
• Recover passwords using passwords recovery tools

6
Remote Acquisitions

• Tools are available for acquiring data remotely
• E.g., Diskexplorer for FAT
• Diskexporer for NTFS
• Steps to follow
• Prepare the tool for remote acquisition
• Make remote connection
• Acquire the data

7
Recovering Graphic Files

• What are graphic files
• Bitmaps and Raster images
• Vector graphics
• Metafile graphics
• Graphics file formats
• Standards and Specialized
• Digital camera file formats
• Raw and Inage file format

8
Data Compression

• Lossless compression
• Reduce file size without removing data
• Lossy compression
• Reduces file size but some bits are removed
• JPEG
• Techniques are taught in Image processing courses

9
Locating and Recovering Graphic Files

• Identify the graphic file fragments
• If the file is fragmented, need to recover all
  the fragments carving or salvaging)
• Repair damage headers
• If header data is partially overwritten need to
  figure out what the missing pieces are
• Procedures also exist form recovering digital
  photograph evidence
• Steps to follow
• Identify file
• Recover damage headers
• Reconstruct file fragments
• Conduct exam

10
Steganography

• Steganography is the art of covered or hidden
  writing.
• The purpose of steganography is covert
  communication to hide a message from a third
  party.
• This differs from cryptography, the art of secret
  writing, which is intended to make a message
  unreadable by a third party but does not hide the
  existence of the secret communication.

11
Topics for Lecture 13

• Steganography
• Null Ciphers
• Digital Image and Audio
• Digital Carrier Methods
• Detecting Steganography
• Tools
• Reference
• http//www.fbi.gov/hq/lab/fsc/backissu/july2004/re
  search/2004_03_research01.htm
• http//en.wikipedia.org/wiki/Steganography
• http//en.wikipedia.org/wiki/Digital_watermarking
• http//www.garykessler.net/library/steganography.h
  tml
• http//www.spectrum.ieee.org/aug08/6593