Innovations Blog

In my previous blog, I mentioned a new product called FI Data Profiler Portable.  This portable software tool is aimed at reducing the backlog of digital evidence weighing down on Forensics Labs.  The idea is to filter out computer/hard drives that have no potential for containing the evidence pertinent to a case.  The best time to do that is on the scene before confiscating equipment & media, or when a device is being prepared for analysis by a highly trained investigator.  Let’s try to use the time, of these skilled investigators, as wisely as possible.

This tool is designed to be simple for first responders without the benefits of extensive training, yet highly configurable so that advanced investigators can fine tune it to their exact needs.  It utilizes our proven File Investigator file identification engine, to catch 3,410 different types of files with high accuracy.  The result is a statistical analysis of what types of data, and how much of each, is on each computer/hard drive.  All of this is performed while running from a USB thumb drive or CD ROM.

Will you help us test this tool, and tell us what you think?  We want the tool to be a good fit for investigators.  In order to accomplish that, we need to include all of the necessary features and functionality.  Here’s how you can help:

Quick Look Steps (just 2 minutes):

1. Go to http://www.forensicinnovations.com/download/fidpp102.exe with your browser.
2. You may need to click on a browser warning dialog/ribbon to allow the download.
3. Click the “Run” button, and a 688KB file will download.
4. Click the “Run” button on the security warning dialog. (Vista & Windows 7 only)
5. Click the “README.TXT” button for details on this tool. (optional)
6. Click the “OK” button.
7. Ignore the Case Details fields, and click the “Start Analysis” button.
8. Select the “File” > “Exit” menu option when you are done.

You should see bar charts displaying quantities of files found on your local hard drive.  This will continue for 15 minutes to 2 hours depending on how many files you have and the speed of your computer. Try the different “View” menu settings, to display charts by Platforms, Storage and File Types. The downloaded files will be automatically removed when you exit the application. Please send your comments to Support@ForensicInnovations.com. All feedback is welcome, even if it is just to say that it worked on your PC.

Testing Steps:

1. Go to http://www.forensicinnovations.com/download/fidpp102.exe with your browser.
2. You may need to click on a browser warning dialog/ribbon to allow the download.
3. Click the “Save” button, and select a folder to save the 688KB file to.
4. Rename the file’s extension to “.ZIP” and click the “Save” button.
5. UnZip the contents to a test folder, and run FIProfilerPortable.exe.
6. Click the “Run” button on the security warning dialog. (Vista & Windows 7 only)
7. Click the “README.TXT” button for details on this tool.
8. Click the “OK” button.
9. Fill in any Case Details fields that pertain to you.
   1. The Target Path will default to “C:\” if you leave it blank.
10. Click the “OK” button to continue to the main window.
11. Select the “File” > “Start Analysis” menu option to start the process.

When you finish testing on one or more computers, we would appreciate any feedback that you can provide:

• How useful is this tool for you?
• What features would make it more useful?
• Did you run into any problems?
• What needs to be improved?

Please send your feedback to Support@ForensicInnovations.com. If you are willing, we would also like to receive saved Data Profiles for the computers that you test. These profiles only contain the information that you enter into the Case Details dialog and the charts that you see on the screen.  Here are the steps for sending the Data Profiles:

1. Select “File” > “SaveAs Analysis”, after each test completes the analysis.
2. Attach the saved .FIS file(s) to an email addressed to Support@ForensicInnovations.com.

We appreciate your time and we value your opinion.

The best approach to a Digital Forensics (aka Computer Forensics or Cyber Forensics) investigation has been to perform a “Dead” analysis of the data storage devices.  This requires the imaging (or copying) of hard drives, flash drives, discs, etc. for further analysis in a controlled lab environment.  An even simpler approach is to simply take the entire computer to the lab and let someone else image its contents there.  When the evidence may be presented in court, you want to make sure that every step of the investigation was conducted correctly and is well documented.  Its best to perform this process in a lab where you have access to all of your equipment, software, references and trusted advisors as well as time to figure out complex issues, re-search with new terms and maybe even crack encryption codes.

But, now investigators are being pushed into performing “Live” analysis.  If you find a computer turned on, turning it off may prevent you from ever accessing its data again.  Whole disk encryption typically prompts you for an encryption key each time the computer is turned on.  While it is still on, you can capture an image of its RAM and analyze it later for encryption keys and any evidence of outside tampering.  Then you can image the hard drive and/or turn the computer off and take it to the lab, right?  Not any more!

The Ninth U.S. Circuit Court of Appeals in San Francisco recently made a ruling that may prevent us from performing Dead Forensics.  It says that evidence needs to be gathered on location, and that taking entire hard drives infringes on a person’s rights.  For example, if you’re searching for evidence on one crime and happen to notice child pornography (CP), then you have to just ignore it.  Normally, you could stop your investigation and quickly obtain a second search warrant for CP, because it was “in plain view”.  Then, you could continue your investigations under two warrants and find evidence for both crimes.  In plain view will no longer work for computer investigations, and large collections of computer data will not be allowed to leave the site.

Does this mean that all equipment and software needs to be brought to the scene, and your most talented investigators have to come to each site and perform their analysis there?  So much for the idea of first responders collecting the data and more senior investigators performing the detailed analysis!  What happens when you have some new terms to search for, as a case progresses?  Do you then have to revisit the site and perform another search on data that may have been changed outside of your control?

We are about to send out a prerelease version of our FI Data Profiler Portable product, that will assess each computer/storage device and display charts of what types of data are there.  We have been targeting this product at reducing the backlog on the labs, by eliminating computers and hard drives that have no potential for containing the evidence specified in a search warrant.  But, maybe this new tool will also help the investigators on site to quickly target just the computers that will contain the pertinent data.

Why do people encrypt their data?  Well, to protect their information from getting into the wrong hands, of course.  But, what if the “wrong hands” is law enforcement, the court system or even your boss?  Should they have the right to access your data when the law is on their side, or when you are storing it on a company owned computer?  Most people would say that their information is sacred, and that they need to maintain control of it themselves.

When companies and individuals encrypt their data, they typically use software that is easily detectable.  They see no need to hide the fact that they are encrypting data.  Why should they?  It is their data.  There’s nothing wrong with encrypting data.  But, maybe they should hide the data too.  Can’t the encryption be broken with decryption software?  Sure, depending on how strong the encryption key is and how many days, months or years you want to spend working on it.  One step you can take to further secure your data, is to hide it as well.

How do you hide encrypted data?  Well, you can find some very complicated ways to move it to unused/hidden places on a hard drive, make it look like a different/innocuous type of computer file or make it look like random/unerased data.  This may sound pretty complicated, but products like TrueCrypt (9,623,114 downloads/users) actually make this whole process simple.

What does TrueCrypt do?  TrueCrypt is a free open source utility that specializes in encrypting and hiding your data.  This tool can create an entire encrypted hard disk partition, or a smaller encrypted file (virtual drive) that is easily seen by any disk utility.  Where they differ from most of their competitors is that they also encrypt the parts of their storage file that don’t contain your data.  This means that there are no file signatures, magic number IDs or even a common file extension for the disk utilities to identify that the encrypted file is made by TrueCrypt or even that it is encrypted.  They even go one step further and provide an hidden encrypted partition within an encrypted partition for the off chance that your encrypted data is discovered and you are forced to provide the encryption key.  In that situation, the invading party will see inside the first level of encryption and assume that there is nothing else to find.

How do investigators detect encrypted data?  Well, most encryption tools use a recognizeable file header that can easily be recognized, but tools like TrueCrypt don’t do that.  Encrypted data tends to look like random data.  So, without a file header, encrypted data is completely undetectable.  Or so we thought…

We recently started analyzing encrypted files, and found a method for detecting headerless encrypted data.  Sure, it looks random, but not really.  There actually is a pattern to it.  You have to know how to extract that pattern.  We just released version 2.23 of File Investigator TOOLS.  This version detects TrueCrypt Dynamic files as well as most any other headerless encrypted file, as far as we have seen so far.  Feel free to try the tool and see if you can find an encrypted file that it can’t identify.

What’s the value in finding encrypted data, that you can’t decrypt?  It’s up to you how you leverage the information that our tool provides.  Use it to entice the encryption key from a suspect, show the withholding of potential evidence in a case or catch your employees hiding data on company computers.

What is a Killer App. (aka Killer Application)?  Wikipedia says it’s software that is so necessary, or desirable, that it drives sales of the software/hardware necessary to run it.  Investopedia defines it as “a buzzword that describes a software application that surpasses all of its competitors.”

I’ve compiled a list of the more popular killer apps. below.  The dates listed are approximate or the start of public acceptance, as opposed to the actual creation date.

• 1979 Spreadsheets (drove Apple II & IBM PC sales)
• 1979 Video Games (drove game console and personal computer sales)
• 1984 Desktop Publishing (drove Macintosh sales)
• 1988 Electronic Mail (E-mail; drove online service subscription sales)
• 1993 Web Browser (drove Internet service subscription sales)
• 1993 Personal Information Manager (PIM; drove PDA sales)
• 1994 Web Search Engine (full text)
• 1996 Global Positioning System (GPS; drove PDA sales)
• 1996 Instant Messenger (drove upgrades to advanced cell phones)
• 2002 Web 2.0 (Web based applications/ collaboration)
• Soon Web 3.0 (Semantic Web)

The original promise of personal computers is that they would make you more efficient and enable you to complete your work faster.  That they did, but when people saw what they were capable of they found more tasks to perform.  Then they complained that it took longer to use computers.  That’s because people were choosing to increase the content of their tasks.  This trend of increasing amounts of data and frustration over data overload has continued for a few decades.  Now it’s out of control!

Looking at the list of killer apps (above) we can see that the amount of information available to us is growing faster than we can handle.  Spreadsheets encouraged the financial industry to create more financial scenarios, new ways of looking at the same old numbers and started the trend of storing data on disk.  Video Games didn’t increase our data storage much at first, because they came on cartridges.  But they did make people more comfortable with computers, which brought more young people into computers early and created a surge in new creative ways of utilizing computers.  Desktop Publishing pulled corporate business and advertising departments into the computer revolution and introduced the need for large documents and images to be stored.

E-mail has turned out to be the worst offender in the data overload problem, and that’s not just due to SPAM.  Internet Service Providers (ISPs) have gradually increased the maximum attachment size to multiple megabytes.  Now, a single user can attach a multi-megabyte file to an email message and send it to a large group of people.  That message is then copied for each recipient which exponentially increases the amount of data traveling over the Internet or being stored on a single company’s intranet email server.  The size of the emails isn’t as bad as the number of emails arriving in each person’s inbox.  Sure, SPAM is a part of that problem, but once the spam is removed the remaining emails often take people 50% or more of their work day to process.  Many people experience E-mail Bankruptcy (information overload).  That’s when they can’t keep up with the emails flowing into their inbox and they give up.  These are the people who seldom respond your your emails, even when they are urgent.

The Web Browseris every-one’s favorite portal to all of the information on the Web.  It has provided even novice users with a method to reach data from any where on the planet.  Unfortunately, it is just a window into a universe of data.  It doesn’t zoom out to provide the bigger picture.  If you weren’t frustrated with access to too much information before the Internet, now you can feel like there is no subject to talk about where someone else, within quick access to your web content, isn’t more of an expert on your topic than you are.  Thankfully, with the Web Browser came the Search Engine.  Search Engines are great at performing text searches across the entire Internet, unfortunately you aren’t seeing the entire Internet.  At least not on the first few pages of results.  What you see is the list of web sites that do the best job at Search Engine Optimization or are willing to pay the most for advertising.  That doesn’t mean that they have the most accurate information or that their content matches your needs.  So, now you have instant access to even more information, but no way to filter the search results other than manually reading each web page.

Personal Information Managers (PIM) do a good job at managing your personal data, but they only handle a narrow list of structured data (database) types: Calendar, Contacts, E-mail, etc..  Web 2.0 applications and collaboration offer solutions for backing up your data, freeing up space on your local hard drive, and sharing live data (with others on the Web), but that also spreads your data across the Internet which can make it even harder to manage.  Finally, Web 3.0 (the Semantic Web) promises to better connect us to the information that is most pertinent to us, and enable our applications to import the data automatically.  That should improve our Search Engine experience, but it does nothing to help us manage the growing amount of information constantly being shovelled onto our computers.

With all of these wonderful “killer app” technologies fulfilling their promises of connecting us to more and more information, what do we do with it all?  Here is my approach:

1. Locate all Data (even the data not intended to be shared/viewable)
   1. On the Internet, this means the data missed by the popular search engines.  They limit how deep they search into each web page.
   2. On your local hard drive, this means deleted or hidden files and files lost due to disorganization.
   3. In Electronic Discovery and Data Recovery, this means files maliciously hidden and intelligently carving data lost to disk corruption.
2. Interpret the Data
   1. Identify each file type and record type (records are stored in databases).
   2. Intelligently index the data, using knowledge of each file format’s structure.
3. Data Mine for Relevant Information
   1. Classify each file and record into categories in order to group related content together.
      1. Use the Semantic Web technology when author’s choose to cooperate with this new standard.
      2. Use categories already associated with the known file type and record type.
   2. Search for terms most pertinent to the user
      1. Use knowledge of the file structure to choose the method used, depending on the type of text data and language being searched.
      2. Use fuzzy searches to catch each mis-spelling and alternate word usage.
   3. Filter the search results by classifications and related terms.
4. Summarize the Data for Meaningful and Applicable Conclusion(s)
   1. Specify the search request
      1. Advanced users need the ability to specify detailed searches, using Boolean logic and all of the available filters.
      2. Novice users need automatic settings that allow them to perform casual searches with a minimum number of settings used.  The solution must observe the user’s prior usage and current terms to automatically make intelligent settings that will best serve the user.
   2. Automatically create a report
      1. Use human readable text in paragraph form, using bullet points and diagrams where possible.
      2. List the search criteria used (even when the settings were made automatically).
      3. Summarize the search results, highlighting the most pertinent results and how they relate to each other.
      4. List the most relevant results, limited to a length that won’t exceed its usefulness.
      5. Conclude the results, based on the relationships between the most pertinent results.
      6. Recommend how the search settings and terms can be improved for the next run.

The results from this approach would provide what I like to call “Data Wisdom“.  That key knowledge that we currently have to spend countless hours searching and reading for.

While the technologies required for many of these steps are not yet available, we at Forensic Innovations are working on solutions to tackle each of these challenges.  File Investigator is useful in steps 1-2, 1-3, 2-1, 3-1-2, 3-2-1 & 3-3.  File Expander is used in steps 2-2 & 3-2-1.  File Harvester will support steps 1-2 & 1-3.  Our focus is providing the technologies necessary to obtain Data Wisdom using the most accurate, automated and efficient methods possible.  Where current methods are missing, or inadequate, we create our own.

If you were a criminal and wanted to hide computer evidence, how difficult could it be?  Actually, you don’t even have to be a criminal, maybe you just want to hide something from a family member or your employer.  Your first thought would probably be to encrypt the data to guarantee that no one else can view it.  That will work, but it will also stick out like a sore thumb if someone is looking for it.  Then, they will know that you’re hiding something.  Wouldn’t it be better if no one even knew that you had something to hide?

I’m not writing this to to help criminals, nor do I want to help people hide stuff.  What I’m trying to do is raise the awareness of the holes in today’s Computer Forensics, Electronic Discovery and even your basic desktop search software.  If I’m successful, then maybe we can raise the bar on finding the hidden data stored on everyone’s hard drive.  That’s right, there is data hiding on your computer right now!  It may not be malicious, or illegal, but it is there and you probably don’t know how to find it.

The easiest way to hide your data is to store it in a translated or compressed file that no one knows how to open.  You don’t want anyone to even know what type of file it is.  Did you know that Computer Forensics tools typically support 500 or less different file types?  The most popular tool, EnCase by Guidance Software, only supports 250 natively.  If you want to see a list of the 400 most common file types that tools usually look for, then visit Oracle’s Outside In web site.  That’s where most tools get their file identification technology from.  They simply license it, snap the File ID SDK into their source code, then forget about it.  That’s why they are so far behind in competing against computer crime.

Looking at the list of 400+ file types, there are only 9 compressed file types supported.  That means that using any other type of compressed file type renders your data as unknown in those computer forensics tools.  To play it safe, you should still choose a lesser known compression tool to work around the few tools that use their own file identification method.  You obviously don’t want to use PK Zip, LZA, LHA, TAR or Gzip.  They’re too common.  Here are a few that most people have not heard of: WinACE, Slim! & BMA.  If you are concerned that someone will figure out the file type, then you can still encrypt your data first, then compress it with one of these programs.

Another step you can take is to simply change the file’s extension.  It’s amazing how many applications and people can’t identify a file without the file extension.  If you use one of those rare archive file types and rename the file extension, then people can’t even search the internet for a file extension match.  Oh, and make sure that you don’t leave the archiving software on your hard drive.  Otherwise, a good investigator could figure it out.  Instead, use a simple command line compression program and keep it on a memory stick or flash card.

Microsoft’s NTFS hard drive format provides a more technical way to hide your files.  If you are using a recent version of MS Windows, then you are probably already using NTFS.  And, if you are, then you DO have files hiding on your hard drive RIGHT NOW!  I don’t mean files with the ‘H’ attribute set, those are way too easy to find.  I’m talking about Alternate Data Streams (ADS).  These files are actually hidding behind other files.  There are very few tools that can even see these stream files.  ADS was intended to make it easier to mimic Apple’s Application/Resource Fork file system, but instead it has created a parallel dimension for files to be hidden in.  For example, if I have a file called addresses.doc I can hide another file behind addresses.doc.  It’s as simple as copying the second file (baddeeds.txt) behind addresses.doc, for a resulting filename of addresses.doc:baddeeds.txt.  Here’s how:

>type evidence.txt >  addresses.doc:baddeeds.txt

That may seem too simple, but now programs can’t see the second file.  If you look at a list of files in that folder you won’t see it.  But, if you already know what the name of the file is, then you can still open it with some programs.  For example:

>notepad.exe addresses.doc:baddeeds.txt

This command will open the hidden baddeeds.txt file and allow you to edit it.  You can also copy the hidden file back later.

>more < addresses.doc:baddeeds.txt > evidence.txt

If you would like more information about manipulating NTFS ADS files, then visit the heysoft site.  They provide one of the few tools (LADS) that can actually see these hidden files.  Unfortunately, their tool can only be used on the command line and doesn’t tell you anything about each file, other than its name.  Our File Investigator products also see NTFS ADS files.  If you would like to find the ADS files on your hard drive, identify what they are and look inside them, then download our FI Tools applications.  The trial version will stop searching after the first 100 files found, but you can set it to only show NTFS ADS files by selecting the Text & Attributes tab and adding a check in front of NTFS ADS before you click the Find Now button to perform your search.

Remember when I told you that you already have files hiding on your NTFS hard drive?  Well, here’s proof.  Download and install FI TOOLS, put the check by the NTFS ADS attribute on the Text & Attributes tab, then do a search of your entire hard drive (Look in: c:\).  Any files that appear are NTFS ADS files.  If you wait long enough, you will see ????:Zone.Identifier and maybe some ????:SummaryInformation files.  The Zone files are put there by Internet Explorer when you download a file from the Internet.  The SummaryInformation files are a result of right clicking a file in Windows Explorer, selecting Properties and changing the values on the Summary tab.  That’s right, you may have created some of those hidden files and not known it.  If you see any other types of files, leave us a comment telling us what you found.  Maybe you’ll catch a virus!

There are other more complicated places to hide data on a hard drive, but I wanted to show you how easy it is to hide files not how hard it can be.  NTFS ADS files are already being used by some viruses/trojan horses, and many virus protection applications don’t know about NTFS ADS yet.  So, this easy data hiding technique may be used against us.  make sure that your virus scanner looks for NTFS ADS files or periodically use a tool like FI TOOLS to search your hard drive and remove anything that doesn’t look familiar to you.  I’ve never known of an NTFS ADS that contained vital system or application information.  The heysoft web site includes instructions for deleting NTFS ADS files.

Quality computer forensics software should identify thousands of file types, not 500, and be focused on increasing that support to perform competent searches for evidence.  That’s why we are constantly adding more file types to our File Investigator products.

Data Classification seems to mean different things to different people.  In our File Investigator products, we classify each file by

1. Platform it is typically found on (ex: Macintosh, MS Windows, Linux, …)
2. Storage method(s) used (ex: Archive, Digital Audio, Vector, …)
3. Types of Content inside (ex: Database, Personal/User Data, Spreadsheet, …)

That fits the meaning for some, but not all.  The government is most interested in classifying data into separate clearance levels so they can decide who has access to the data.  Document Management products use classifications to decide what area of a server each file is saved to and what data should be backed up often, seldom or archived instead.  Electronic Discovery products use classifications to help narrow down the search for evidence.  Which use is right for you, and would it be advantageous to merge these uses into a single product or service?

A friend recently attended the MER (Managing Electronic Records) Conference in Chicago, and provided me with some information on Orchestria.  I was familiar with most of the other vendors, but I had not heard of this one.  Orchestria recommends the following list of best practices:

1. Deploy a common platform to classify and control converging information obligations
2. Identify, classify, and control information across multiple channels
3. Classify and control data in motion and at rest
4. Support both user-directed and automated classification models
5. Analyze and classify information across multiple dimensions
6. Deploy at multiple points within a corporate infrastructure

I interpret this as a single solution that encompasses all corporate data from all departments and provides the necessary security and customized actions using automated and manual classification methods.  Wow, that was a mouthful, and probably a run-on sentence.  They’re obviously working to be the ultimate solution to all customers.  Is that realistic or science fiction?

We prefer to focus on one area at a time and be the best at it.  Right now, that’s identifying files / records and extracting as much background information and metadata as possible.  The better the solution, the more you can automate the process.  The biggest complaint that I hear about today’s Document Management solutions is the laborious process of checking in your documents.  One alternative is to automatically inventory files company wide without your intervention.  That would protect against accidental or malicious  supression of valuable company data.  Some companies already do this with email.  It would prove very valuable when faced with litigation.  But, then they would need an effective Data Reduction method to avoid data overload.

Isn’t it better if your company’s solution volunteered the most likely input for those manually entered fields based on the type of file and data found within that file?  You could simply skim the results and make small corrections before continuing with the check-in process.  We provide that technology today, but the solution providers need to hear their customers request that feature before they will add it.

Aren’t Electronic Discovery and Computer Forensics the same thing?

Some people would say that they are, but many practitioners strongly disagree.  Here are some definitions that I found for Electronic Discovery:

• Gartner said that ”E-discovery is the production and presentation of ESI [Electronically Stored Information] that meets the basic requirements and needs of discovery.”
• About.com:Legal Careers described it as ”the obligation of parties to a lawsuit to exchange documents that exist only in electronic form.”
• Wikipedia said that eDiscovery “includes “raw data” which Forensic Investigators can review for hidden evidence.”
• Search Financial Security added the following to the end of their definition, “Computer forensics, also called cyberforensics, is a specialized form of e-discovery in which an investigation is carried out on the contents of the hard drive of a specific computer. After physically isolating the computer, investigators make a digital copy of the hard drive. Then the original computer is locked in a secure facility to maintain its pristine condition. All investigation is done on the digital copy.”

So the definitions range from no mention of Computer Forensics to the inclusion of Computer Forensics as an integral part of eDiscovery.  Here are some definitions that I found for Computer Forensics:

• ExperLaw gave a basic definition describing it as ”obtaining and documenting digital information…”
• Cyber Security Institute said it is ”the analysis of information contained within and created with computer systems and computing devices…”
• Wikipedia called it ”a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.”

Now we have definitions ranging from simply obtaining information to forensic science and finally including the mention of legal evidence.  Can Computer Forensics exist outside of eDiscovery?  Or, can eDiscovery exist without Computer Forensics?

I think Search Financial Security stated it best when they described Computer Forensics as a specialized form of eDiscovery.  So, Electronic Discovery may or may not include the use of Computer Forensics, depending on the budget or the type of evidence listed in a search warrant?

I’ve heard people say that a search for email doesn’t require Computer Forensics, because once you’ve found the email database file you don’t need to look any further.  When dealing with a trusted individual that may be true, but what about a second hidden email database that they use for covert communications?  Don’t you care about discovering that data too?  The field of Accounting Forensics is all about the search for a second set of accounting books.  Shouldn’t we then be including Computer Forensics in every investigation that we conduct?  Oh, does that cost too much?

It’s unfortunate when we are forced to rush an investigation due to insufficient funds, or manpower, and miss potentially vital evidence.  A computer novice can hide their data by simply renaming file extensions and deleting files.  Without some level of Computer Forensics, those simple methods are successful.  When you find the right Computer Forensics solution, it shouldn’t be a waste of your time.  In fact it may actually save you time when it’s used correctly.