
Windows Forensics Cookbook

By : Scar de Courcier, Oleg Skulkin

Overview of this book

Windows Forensics Cookbook provides recipes to overcome forensic challenges and helps you carry out effective investigations easily on a Windows platform. You will begin with a refresher on digital forensics and evidence acquisition, which will help you to understand the challenges faced while acquiring evidence from Windows systems. Next you will learn to acquire Windows memory data and analyze Windows systems with modern forensic tools. We also cover some more in-depth elements of forensic analysis, such as how to analyze data from Windows system artifacts, parse data from the most commonly-used web browsers and email services, and effectively report on digital forensic investigations. You will see how Windows 10 is different from previous versions and how you can overcome the specific challenges it brings. Finally, you will learn to troubleshoot issues that arise while performing digital forensic investigations. By the end of the book, you will be able to carry out forensics investigations efficiently.

Ensuring evidence is forensically sound

The chain of custody in digital investigations is of paramount importance. Not only does it demonstrate who had access to the evidence at any given time, it also - at least in theory - shows what was done with the evidence after it was seized, and the measures that were taken to ensure its preservation and integrity.

For investigators who work in a team, for example in law enforcement agencies or within a corporation, there will generally be an already established process to follow, in line with the guidelines provided by the agency or company. For freelance and individual investigators (or for those who believe their company's acquisition procedure may need a bit of an overhaul), it is important to bear a few basic principles in mind.

The level of forensic soundness that you as an investigator will be required to demonstrate will probably depend, at least in part, on the nature of the case on which you are working. Civil cases, for example, will generally not demand the same level of evidential integrity as criminal investigations, since their evidence is less likely to face the scrutiny of a criminal trial. It is good practice, however, to get used to maintaining as high a level of forensic soundness as possible; doing so means that, if in the future you specialize in more in-depth investigations, you will already be used to laying the right groundwork for your forensic examinations.

Generally, it is sufficient when gathering evidence to image a device—that is, to create an exact copy of the data contained therein—and then to use this forensic image as the basis for your analysis, rather than conducting analysis on the physical device you have seized from the scene. Sometimes, you may also be required to verify both that the copy is authentic and that the process you used to copy the data did not alter it in any way. In practice this means computing a cryptographic hash (MD5, SHA-256, or both) of the source and of the image at acquisition time, recording the values, and re-hashing the image later to show that it still matches. Audit trails are the other large part of this—if you can demonstrate where the data sources have been stored, in which devices, for how long, and who has had access to them, this should suffice.
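A worked version of the verification step described above, added here as an example and not code from the book: it re-hashes an image with the same algorithms recorded at acquisition, flags any divergence, and appends each verification to a custody log whose entries are linked by hash so that a deleted or edited entry is detectable. The image content, the examiner name, the file names and the hash-linked JSON-lines log format are all constructed for this example; in real casework the acquisition hashes are the ones your imaging tool wrote at the scene.

```python
"""Verify a forensic image against its acquisition hashes and keep a
tamper-evident chain-of-custody log.  Added example; the image bytes,
examiner name and log format below are constructed, not from the book."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash large images without loading them into memory
GENESIS = "0" * 64   # link value for the first record in an empty log


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, acquisition_hashes):
    """Re-hash the image and compare with the hashes recorded at acquisition.

    Returns (ok, current_hashes).  A mismatch in any algorithm means the image
    is no longer the exact copy that was made when the device was seized."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    ok = all(current[a] == acquisition_hashes[a].lower() for a in acquisition_hashes)
    return ok, current


def append_custody_record(log_path, examiner, action, hashes, ok):
    """Append one JSON line to the custody log, linked to the previous entry.

    Each record stores the SHA-256 of the previous line, so removing or editing
    an earlier entry breaks the chain (an example convention, not a standard)."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as fh:
            lines = fh.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "hashes": hashes,
        "verified": ok,
        "prev_record_sha256": prev,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def custody_log_intact(log_path):
    """Walk the log and confirm every record links to its predecessor."""
    with open(log_path, "rb") as fh:
        lines = fh.read().splitlines()
    prev = GENESIS
    for line in lines:
        if json.loads(line)["prev_record_sha256"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True


def demo():
    """Constructed scenario: record acquisition hashes, verify the image after
    transport, then detect a single altered byte before analysis."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence001.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as fh:  # stand-in for the raw sectors an imager copies
        fh.write(b"NTFS    " + bytes(range(256)) * 64)
    acquisition = hash_file(image)  # what the imaging tool records at the scene

    ok_before, _ = verify_image(image, acquisition)
    append_custody_record(log, "examiner-01", "verified after transport", acquisition, ok_before)

    with open(image, "r+b") as fh:  # e.g. the image was mounted read-write by mistake
        fh.seek(512)
        fh.write(b"\xff")
    ok_after, current = verify_image(image, acquisition)
    append_custody_record(log, "examiner-01", "re-verified before analysis", current, ok_after)
    return ok_before, ok_after, custody_log_intact(log)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The two-algorithm hash is deliberate: a collision in one algorithm does not help an adversary who must also match the other, and it matches what most imaging tools record. The linked log does not replace a signed or write-once custody record, but it does mean an investigator can show that the log they present is the whole log.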

Removing the source of digital evidence from the scene of the investigation is the first step in this process and must be done with care. Switching off or unplugging a machine, typing in a password, moving a mouse, or performing any other kind of interaction with an object encountered in the course of a crime scene investigation can have unpredictable effects on the outcome of the investigation. Sometimes, devices are set up to be wiped automatically when turned off; some will destroy their encryption keys, leaving all stored data unreadable, after a password is entered incorrectly too many times.

In most cases, investigators will be encouraged to leave the source of evidence in the state in which it is found. For example, if a mobile phone is recovered from a scene, it may be placed in a Faraday bag, which blocks radio signals and therefore prevents the phone from receiving calls, messages, or remote wipe commands while it is being transported.

If there is no way to remove an item from a scene without somehow tampering with it—for example, if a desktop PC is plugged in and turned on, but needs to be taken away for analysis—the person tasked with the removal of the item should be expertly qualified to ensure that no changes happen except the ones that are absolutely necessary, and that any actions that take place are detailed within the audit trail.

It may sound like this is a relatively straightforward process—don't change anything unless you absolutely have to; if you do have to, ensure the person who is making the changes is qualified to do so; and keep a record of everything that happens. However, this is a broad overview of the basic general requirements for the sound preservation of evidence, and these will differ—sometimes quite widely—depending on local or national legislation. One of the most challenging things about being a specialist in computer forensics is that computer crimes often have an international flavor, and it is not unheard of for an investigation to span several continents, let alone states within a given country.

For this reason, it is of the utmost importance to verify the local legislative requirements when it comes to the identification, collection, preservation, and analysis of digital forensic evidence, particularly if the case on which you are working is likely to end up in court.