DIGITAL FORENSICS
Common analysis mistakes and pitfalls
Christian Prickaerts
About me
• Christian Prickaerts
  – Teaching SANS 408 & 508
• My day job
  – Head of forensics team @ Fox-IT
  – In charge of digital forensic investigations
  – Expert witness testimony
Time is of the essence
• Talking about time
  – Timelining is hot!
  – New artifacts added constantly
• Same mistakes made
  – Over and over again
What time was this file copied to the USB drive?
System time at acquisition
W32Time / Windows Time Service
• Automatic time sync (W32Time events in the System log)
  – ID 35 = Good (the service is synchronising with a time source)
  – ID 17, 29 (XP) = Bad (no time source could be reached)
  – ID 134 (Win7) = Bad (no time source could be reached)
Look for a bunch of them
Times, they are changing
• Look for system time change events
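One way to turn the two slides above into a check, as an added example that is not part of the talk: classify exported W32Time events as sync succeeded (ID 35) or failed (IDs 17, 29, 134), derive the periods in which the clock was not being synchronised, and pull the old/new clock values out of "system time was changed" audit events. The event records below are constructed sample data in a hypothetical exported layout; the assumption that a 4616 audit message carries "Previous Time:" and "New Time:" fields is the example's own, so check it against your export format.

```python
import re
from datetime import datetime, timedelta, timezone

# W32Time event IDs as listed on the slide
SYNC_OK = {35}               # service is synchronising with a time source
SYNC_FAILED = {17, 29, 134}  # XP: 17, 29 / Win7: 134 - no source reachable
TIME_SERVICE = "Microsoft-Windows-Time-Service"
TIME_CHANGED_AUDIT = 4616    # Security log: "The system time was changed"


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp, ignoring fractional seconds."""
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample export (hypothetical layout, not a real host's log)
EVENTS = [
    {"time": parse_ts("2013-06-10T08:00:00Z"), "provider": TIME_SERVICE, "id": 35, "message": ""},
    {"time": parse_ts("2013-06-10T10:00:00Z"), "provider": TIME_SERVICE, "id": 134, "message": ""},
    {"time": parse_ts("2013-06-10T10:30:00Z"), "provider": "Microsoft-Windows-Security-Auditing",
     "id": TIME_CHANGED_AUDIT,
     # assumed message layout for 4616
     "message": "The system time was changed.\n"
                "Previous Time: 2013-06-10T10:30:00.0000000Z\n"
                "New Time: 2013-06-10T09:15:00.0000000Z"},
    {"time": parse_ts("2013-06-10T12:00:00Z"), "provider": TIME_SERVICE, "id": 35, "message": ""},
    {"time": parse_ts("2013-06-11T09:00:00Z"), "provider": TIME_SERVICE, "id": 134, "message": ""},
]


def sync_status(events):
    """Return [(event_time, 'ok'|'failed', event_id)] for W32Time events, oldest first."""
    out = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["provider"] != TIME_SERVICE:
            continue
        if ev["id"] in SYNC_OK:
            out.append((ev["time"], "ok", ev["id"]))
        elif ev["id"] in SYNC_FAILED:
            out.append((ev["time"], "failed", ev["id"]))
    return out


def unsynced_windows(events):
    """Periods from a sync failure until the next success; None = still open at end of log."""
    windows, start = [], None
    for t, status, _ in sync_status(events):
        if status == "failed" and start is None:
            start = t
        elif status == "ok" and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def time_changes(events):
    """Extract (logged_at, previous, new, delta) from time-changed audit events."""
    res = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != TIME_CHANGED_AUDIT:
            continue
        m = re.search(r"Previous Time:\s*(\S+)\s+New Time:\s*(\S+)", ev["message"])
        if not m:
            continue  # message does not carry the expected fields; skip rather than guess
        prev, new = parse_ts(m.group(1)), parse_ts(m.group(2))
        res.append((ev["time"], prev, new, new - prev))
    return res


def changes_while_unsynced(events):
    """Clock changes that happened while no time source was reachable: these deserve scrutiny."""
    windows = unsynced_windows(events)
    hits = []
    for logged_at, prev, new, delta in time_changes(events):
        for start, end in windows:
            if logged_at >= start and (end is None or logged_at < end):
                hits.append((logged_at, delta))
    return hits


if __name__ == "__main__":
    for w in unsynced_windows(EVENTS):
        print("clock unsynchronised:", w)
    for change in changes_while_unsynced(EVENTS):
        print("clock set by hand while unsynced:", change)
```

The output of changes_while_unsynced is the list of intervals during which file and log timestamps on the host cannot be taken at face value; the time change at 10:30 moved the clock back 75 minutes while no source was reachable, so anything timestamped in that window needs an external reference.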
Phone timestamping
Alas….
Science behind it all
• Scientific papers published in the last 5-10 years
  – The Rules of Time on NTFS File System
  – Unification of relative time frames for digital forensics
  – Time and date issues in forensic computing: a case study
  – A correlation method for establishing provenance of timestamps in digital evidence
  – Computer forensic timeline visualization tool
  – An automated timeline reconstruction approach for digital forensic investigations
  – A brief study of time
  – Etc, etc, etc
Observational skills
Logic dictates
• You have lots of tools at your disposal
• But they are not intelligent (enough)
• No. 1 tool?
  – (Your) grey mass
Absence of evidence isn’t evidence of absence
- Carl Sagan
Evidence of absence is evidence of absence
- Christian Prickaerts?
The picture is never complete, ever...
How representative is your dataset
How complete is your dataset?
Local IE history vs proxy
The name is not the content
Sorting by time
Sorting by logical order
Field of view issues
When was this document last printed?
Attribution and action
• Analysis of data in RAM
Unallocated space
Carved LNK file
Internet Explorer
Registry artifacts
Tooling
Hey Wilson, what forensic tools are you using these days?
Tool validation
http://windowsir.blogspot.com/2013/06/there-are-four-lights-lnk-parsing-tools.html
Summertime, and the living is… well, whatever
Viewed on November 11
Viewed on May 28
Fish are jumping and the cotton is high...
Windows explorer
Acrobat PDF reader
Eventlog Explorer in Summer
Eventlog Explorer in Winter
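The summer/winter slides above show the pitfall: a tool that converts a UTC timestamp to local time by applying the offset in force on the examiner's machine today, rather than the offset that applied when the event happened, shifts every timestamp from the other half of the year by an hour. The following is an added example, not code from the talk, that makes the error visible: it converts a Windows FILETIME the correct way and the wrong way and reports the discrepancy. The timestamp, the time zone (Europe/Amsterdam) and the "examiner's clock" are constructed values; the zoneinfo module needs the system tz database (or the tzdata package on Windows).

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC (the NTFS / registry timestamp format)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc_to_filetime(dt):
    """Encode a tz-aware datetime as a FILETIME (used here only to build sample input)."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def filetime_to_utc(ft):
    """Decode a FILETIME to a tz-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def local_correct(ft, tz):
    """Right: let the tz database pick the offset that applied at the event's own instant."""
    return filetime_to_utc(ft).astimezone(ZoneInfo(tz))


def local_with_current_offset(ft, tz, examiner_now):
    """Wrong, but common: apply the offset in force on the examiner's clock to every timestamp."""
    offset_now = examiner_now.astimezone(ZoneInfo(tz)).utcoffset()
    return (filetime_to_utc(ft) + offset_now).replace(tzinfo=None)


def dst_discrepancy(ft, tz, examiner_now):
    """How far the naive conversion is from the correct one (zero when both fall in the same DST period)."""
    correct = local_correct(ft, tz).replace(tzinfo=None)
    return local_with_current_offset(ft, tz, examiner_now) - correct


# Constructed sample: an event in November (CET, UTC+1) examined in May (CEST, UTC+2)
WINTER_EVENT = utc_to_filetime(datetime(2012, 11, 11, 10, 0, tzinfo=timezone.utc))
EXAMINED_IN_SUMMER = datetime(2013, 5, 28, 12, 0, tzinfo=timezone.utc)
EXAMINED_IN_WINTER = datetime(2012, 12, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    tz = "Europe/Amsterdam"
    print("correct :", local_correct(WINTER_EVENT, tz))
    print("naive   :", local_with_current_offset(WINTER_EVENT, tz, EXAMINED_IN_SUMMER))
    print("off by  :", dst_discrepancy(WINTER_EVENT, tz, EXAMINED_IN_SUMMER))
```

The same FILETIME comes out as 11:00 when converted correctly and as 12:00 when the summer offset is applied, which is exactly the "viewed on November 11" versus "viewed on May 28" difference on the slides. Running a known timestamp through a tool in both halves of the year is the cheapest way to find out which of the two it does.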
Test your tools
I’ve upgraded this tool to be more awesome!
Test your hypotheses
Final thoughts
• You are looking at the result of certain activity, not at the activity itself
• There might be an alternative scenario that produces that specific pattern