Digital Forensics: Threatscape and Best Practices
Ebook, 391 pages, 5 hours


About this ebook

Digital Forensics: Threatscape and Best Practices surveys the problems and challenges confronting digital forensic professionals today, including massive data sets and ever-changing technology. This book provides a coherent overview of the threatscape across a broad range of topics, giving practitioners and students alike a comprehensive picture of the threat landscape and what can be done to manage and prepare for it. Digital Forensics: Threatscape and Best Practices delivers incisive analysis and best practices from a panel of expert authors, led by John Sammons, bestselling author of The Basics of Digital Forensics.

  • Learn the basics of cryptocurrencies (like Bitcoin) and the artifacts they generate
  • Learn why examination planning matters and how to do it effectively
  • Discover how to incorporate behavioral analysis into your digital forensics examinations
  • Stay updated with the key artifacts created by the latest Mac OS, OS X 10.11, El Capitan
  • Discusses the threatscapes and challenges facing mobile device forensics, law enforcement, and legal cases
  • The power of applying the electronic discovery workflows to digital forensics
  • Discover the value of and impact of social media forensics
Language: English
Release date: Dec 7, 2015
ISBN: 9780128045428
    Digital Forensics

    Threatscape and Best Practices

    Edited by

    John Sammons

    Assistant Professor and Director of the Digital Forensics and Information Assurance Program, Marshall University, Huntington, WV, USA

    Table of Contents

    Cover

    Title page

    Copyright

    Dedication

    List of Contributors

    Editor Biography

    Biographies

    Acknowledgments

    Chapter 1: The cryptocurrency enigma

    Abstract

    Purpose

    Introduction

    What makes a currency?

    Cryptocurrency

    Public key encryption basics

    Forensic relevance

    Bitcoin

    Bitcoin protocol

    Forensic artifacts

    Multibit HD

    The bitcoin protocol in action

    Summary

    Chapter 2: The key to forensic success: examination planning is a key determinant of efficient and effective digital forensics

    Abstract

    Introduction

    The four phases of digital forensics

    It is a matter of questions

    Investigative questions

    Legal questions

    Forensic questions

    Identification

    Classification/individualization

    Association

    Reconstruction

    Forensic questions as a bridge

    Developing forensic hypotheses

    Knowing how far to go

    Starting the plan

    How do you know when you are done?

    Examination phase – data extraction

    The forensic analysis

    The examination planning process

    Conclusion

    Chapter 3: Psychological profiling as an investigative tool for digital forensics

    Abstract

    Current model

    Issues

    New model

    Phases

    Limitations

    Case studies

    Conclusions

    Chapter 4: The intersection between social media, crime, and digital forensics: #WhoDunIt?

    Abstract

    Introduction

    Social media and crime

    Social media and digital forensics

    Social media evidence on the network

    Social media evidence on the physical device

    Summary

    Chapter 5: Mobile device forensics: threats, challenges, and future trends

    Abstract

    Introduction

    The hardware versus software complexity trend

    Cloud services and mobile platforms – inherent vulnerabilities

    There is an app for that – forensic challenges and threats within apps

    Persistent threats and challenges – what lies ahead for mobile device forensics

    Conclusion

    Chapter 6: Digital forensics in an eDiscovery world

    Abstract

    Introduction

    eDiscovery processes and EDRM

    Digital investigations workflows

    Chapter 7: OS X El Capitan forensics

    Abstract

    Introduction

    Default directory structure

    User

    {User name}/library

    New features in OS X 10.11 El Capitan

    Conclusion

    Quick reference table

    Chapter 8: Cybercrimes: an overview of contemporary challenges and impending threats

    Abstract

    Combating cybercrimes

    Current cybercrimes and evolving threats

    Hacking

    Future issues for law enforcement and digital forensic analysts

    Chapter 9: Legal

    Abstract

    Introduction

    The fourth amendment

    Search warrants

    Federal privacy legislation

    Drones

    Tracking vehicles

    Tracking cell phones

    Automated license plate readers

    Cell phones

    Encryption

    Encryption and cell phones

    The internet of things

    The dark web

    Malware

    Looking ahead

    Author Index

    Subject Index

    Copyright

    Acquiring Editor: Chris Katsaropoulos

    Editorial Project Manager: Anna Valutkevich

    Project Manager: Priya Kumaraguruparan

    Designer: Mark Rogers

    Syngress is an imprint of Elsevier

    225 Wyman Street, Waltham, MA 02451, USA

    Copyright © 2016 Elsevier Inc. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

    This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

    Notices

    Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

    Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

    To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

    British Library Cataloguing-in-Publication Data

    A catalogue record for this book is available from the British Library

    Library of Congress Cataloging-in-Publication Data

    A catalog record for this book is available from the Library of Congress

    ISBN: 978-0-12-804526-8

    For information on all Syngress publications visit our website at store.elsevier.com/Syngress

    Dedication

    For Lora, Abby, and Rae for making me a truly blessed and lucky man. To my aunt Ruth whose love, support, and encouragement means so much. To my mother Juanita, and my grandmother Grace. For the many sacrifices you made and the example you set … I miss you.

    List of Contributors

    Rob Attoe, Marshall University, WV, USA

    Dhruba J. Bora, Marshall University, WV, USA

    Margaret Phipps Brown, Marshall University, WV, USA

    Josh Brunty, Marshall University, WV, USA

    Kimberly A. DeTardo-Bora, Marshall University, WV, USA

    Shawn Jordan, Marshall University, WV, USA

    Sean C. Leshney, Tippecanoe County Prosecutor’s Office, IN, USA

    Preston Miller, Consultant at an international cybersecurity and forensics firm, USA

    Mark Pollitt, Digital Evidence Professional Services, Inc., MD, USA

    Marcus K. Rogers, Purdue University, IN, USA

    Kathryn C. Seigfried-Spellar, Purdue University, IN, USA

    Editor Biography

    John Sammons is an Assistant Professor and Director of the undergraduate program in Digital Forensics and Information Assurance at Marshall University in Huntington, West Virginia. John teaches digital forensics, electronic discovery, information security and technology in the Department of Integrated Science and Technology. He is also adjunct faculty with the Marshall University graduate forensic science program, where he teaches the advanced digital forensics course. John is the founder and past President of the Appalachian Institute of Digital Evidence (AIDE). AIDE is a nonprofit organization that provides research and training for digital evidence professionals, including attorneys, judges, law enforcement and information security practitioners in the private sector. He is the author of the bestselling book The Basics of Digital Forensics, published by Syngress.

    John, a former police officer, is also an Investigator with the Cabell County Prosecuting Attorney’s Office and a member of the West Virginia Internet Crimes Against Children Task Force. He is an Associate Member of the American Academy of Forensic Sciences, the High Technology Crime Investigation Association, the Southern Criminal Justice Association and Infragard.

    Biographies

    Rob Attoe is a Director within the training department at Cellebrite, where he leads the training department’s business development and the delivery of course content across all disciplines, ensuring that the curriculum and delivery concepts are of the highest standards within the industry, as well as the production of customized courses tailored for mobile forensic practitioners globally. Attoe also leads the research into forensic artifacts found on various operating systems and regularly presents findings at large conferences globally. Previously, as SVP of Global Training at Nuix and Director of Training at AccessData, Attoe gained over a decade of experience developing Digital Forensics and Decryption training programs for the global digital investigations community.

    In the past, Attoe has held positions as a Computer Crime Specialist II with the National White Collar Crime Centre, where his primary focus was the research and development of a file system analysis and automated forensic tool curriculum, and with the Kent Police as a Forensic Computer Analyst.

    As a certified member of the International Association of Computer Investigative Specialists (IACIS), Attoe has instructed at the association’s annual conference, as well as regularly presenting at the premier international digital forensics conferences and events such as High Technology Crime Investigation Association, Department of Defence Cyber Crime, F3 Annual Conference, and Internet Crimes against Children taskforce. Attoe has authored and taught many digital forensic courses globally as well as coauthoring a course for The National Hi-Tech Crime Unit in the United Kingdom and advanced courses for IACIS.

    Kimberly A. DeTardo-Bora is a Professor of Criminal Justice and Criminology at Marshall University, where she serves as both undergraduate and graduate program director. She obtained her Ph.D. degree in Criminology from Indiana University of Pennsylvania in 2003. Dr. DeTardo-Bora has carried out state and federal-level grant projects to evaluate court-appointed special advocate programs, domestic violence programs, the weed and seed program, and housing authority programs. Her most recent endeavor has been exploring the world of hacktivists. Besides a book titled West Virginia’s Criminal Justice System, published with co-authors Dhruba J. Bora and Samuel L. Dameron, Dr. DeTardo-Bora’s research has been published in scholarly venues such as Action Research, Corrections Compendium, Security Journal, and Women and Criminal Justice.

    Dhruba J. Bora is a Professor of Criminal Justice and Criminology, as well as an Associate Dean of the College of Science at Marshall University in Huntington, WV. He received his Ph.D. degree in Criminology from Indiana University of Pennsylvania. Over the past 20 years, he has worked on several grants funded by the U.S. Department of Justice in the areas of community policing and domestic violence and has published on topics related to campus safety and security, crime prevention, juvenile justice, and counterterrorism.

    Margaret Phipps Brown is a graduate of West Virginia Wesleyan College (B.A., 1976) and Emory University School of Law (J.D., 1979). She has been an attorney licensed to practice in West Virginia since 1979. She is a professor of Criminal Justice and Criminology at Marshall University, where she has taught for 35 years. She served as a part-time assistant prosecuting attorney with the Cabell County, West Virginia Prosecuting Attorney’s Office from 1988 to 2015, where her responsibilities included coordinating the multidisciplinary child abuse task force and the prosecution of felony cases, including technology-facilitated crimes against children.

    Josh Brunty is a former digital forensics laboratory manager and examiner. Josh Brunty has over a decade of experience in the field of digital forensics and investigations. Josh is currently an Assistant Professor of Digital Forensics for the Department of Integrated Science and Technology and Forensic Science Departments at Marshall University. Prior to joining Marshall University, Josh spent several years as a Digital Forensics Examiner and Technical Leader assisting in many high-profile cases for agencies around his home state of West Virginia, as well as serving on several federal and state-level cyber-crime task forces. Josh holds numerous certifications within the digital forensics discipline including: AccessData Certified Examiner (ACE), Cellebrite Certified Physical and Logical Analyst (CCPA/CCLO), AccessData Mobile Examiner (AME), Computer Hacking Forensic Examiner (CHFI), Seized Computer Evidence Recovery Specialist (SCERS), Certified Malware Investigator, Certified Steganography Examiner, and is certified by the National Security Agency in Information Assurance Methodology (NSA-IAM).

    He has developed a variety of digital forensic training sessions and curriculum, including past recertification scenarios/examinations for the International Association of Computer Investigative Specialists (IACIS). Josh has also authored numerous articles, publications, and texts on topics such as: digital and mobile forensics, social media forensics, and image and video forensics. Josh is a member of the Mid-Atlantic Association of the High Technology Crime Investigation Association (HTCIA), the Digital-Multimedia Sciences section of the American Academy of Forensic Sciences (AAFS), the NIST OSAC subcommittee on digital evidence, the Appalachian Institute of Digital Evidence (AIDE), the West Virginia Cyber Crimes Task Force, and the West Virginia Chapter of FBI INFRAGARD.

    Shawn Jordan is a recent graduate of Marshall University. He majored in Digital Forensics and Information Assurance and graduated Summa Cum Laude. He is the co-creator of Network Scout, a distributed Intrusion Detection System. He has spoken at DerbyCon, Hack3rCon, and AIDE. He is currently working on another open-source project. While at Marshall University, he started a middle school group helping children learn Python, received a STEM grant to help build Network Scout, and was treasurer of Marshall’s Collegiate Cyber Defense Challenge team. He leads a small college group at a local church. He plans on pursuing the Offensive Security Certified Professional certification. He will be speaking at SecureWV on the future of education and Information Security.

    Sean Leshney is the Chief Digital Forensics Investigator for the Tippecanoe County Prosecutor’s Office in Lafayette, IN. He is a US Navy veteran and has been involved in law enforcement with several agencies since 2000. He currently leads the Tippecanoe County High Tech Crime Unit (HTCU) and is a member of the Indiana Internet Crimes Against Children (ICAC) Task Force. He has been a forensic interviewer of child victims of sexual and physical abuse since 2009. In 2008, he graduated with a Master of Science with a specialization in the area of Cyber Forensics. He has instructed numerous law enforcement officers and taught graduate courses at Purdue University in the area of digital evidence. He has testified numerous times in state and federal court in digital evidence investigations. He is a member of the International Association of Computer Investigative Specialists (IACIS) and is a Certified Forensic Computer Examiner (CFCE). He also holds certifications in several forensic software tools.

    Preston Miller, a Texas native, obtained his undergraduate degree at Vassar College in Poughkeepsie, NY. While obtaining his masters in Digital Forensics at Marshall University, he worked closely with the West Virginia State Police Digital Forensics Unit and taught two classes to first-year graduate students. Preston was the sole recipient of the prestigious J. Edgar Hoover Scientific Scholarship in 2014 in recognition of his academic achievements. Preston is currently a consultant at a large and well-regarded global technology consulting firm working out of their headquarters in New York City.

    Dr. Mark M. Pollitt, Ph.D., for 40 years has served as a military officer in the United States Marine Corps and Coast Guard; a Special Agent, executive, and forensic scientist for the Federal Bureau of Investigation; a consultant; and an educator. After service in the military, he joined the FBI and was a Street Agent for over 10 years. He helped to develop and build the FBI’s digital forensic program and retired as the Chief of the Computer Analysis Response Team and Director of the Regional Computer Forensic Laboratory Program.

    After retirement from the FBI, he became a consultant and a full-time academic. His last post was as Associate Professor of Engineering Technology and Principal Investigator on a large National Science Foundation grant focusing on cyber forensics.

    Dr. Pollitt holds a Bachelor of Science from Cornell University, a Master of Science from Syracuse University, and a Ph.D. from the University of Central Florida. He is a Fellow of the American Academy of Forensic Sciences and holds numerous professional certifications.

    Marcus K. Rogers, Ph.D., CISSP, CCCI, DFCP, is a Professor and Dept. Head in Computer and Information Technology, Purdue University. He is a University Faculty Scholar, Fellow of the Center for Education and Research in Information Assurance and Security (CERIAS), and Fellow of the American Academy of Forensic Sciences (AAFS). Dr. Rogers is also the Co-Editor of the IEEE Privacy and Security Cyber Crime Department and Chair of the NIST/OSAC-DE Education Sub-committee. His areas of research and interest cover the behavioral aspects of the deviant use of technology, cyber criminal behavioral analysis, and understanding cyber terrorism.

    Kathryn Seigfried-Spellar, Ph.D., is an Assistant Professor with the Department of Computer and Information Technology (CIT) at Purdue University. She has multiple publications and conference paper presentations, including international presentations in India, Ireland, Russia, and South Korea, on the who and why of cybercrime. Specifically, Dr. Seigfried-Spellar studies the personality characteristics and socio-legal factors associated with cyberdeviance, such as Internet child pornography use, hacking, cyberbullying, trolling, and cyber threats via social media. In addition, Dr. Seigfried-Spellar has published in the area of digital forensics, specifically the ability to conduct a behavioral analysis of digital forensic evidence from child pornography investigations. She is a member of the Digital and Multimedia Sciences section of the American Academy of Forensic Sciences (AAFS), the IEEE Computer Society, International Association of Law Enforcement Intelligence Analysts (IALEIA), and the American Psychological Association (APA). Dr. Seigfried-Spellar also serves as an editorial board member for the Journal of Digital Forensics, Security, and Law, as well as the International Journal of Psychology and Cyber Crime.

    Acknowledgments

    There are many folks who are well-deserving of my gratitude for this project. Simply put, this book would not have been possible without them. First and foremost are the contributing authors who shared their time, experience, and expertise. Big thanks are given to: Dr. Mark Pollitt, Dr. Marc Rogers, Dr. Kate Seigfried-Spellar, Dr. Dru Bora, Dr. Kim Bora, Mrs. Margaret Phipps Brown, J.D., Mr. Rob Attoe, Mr. Preston Miller, Mr. Josh Brunty, Mr. Sean Leshney and Mr. Shawn Jordan. I cannot tell you how much I appreciate your respective contributions.

    Second, I want to thank the good folks at Syngress, particularly Chris Katsaropoulos and Anna Valutkevich. Thank you both for your patience and guidance during the creation of this book.

    Lastly, (but certainly not least) my wife Lora. I could not do what I do without her. Thank you for picking up my slack and your never-ending support.

    Chapter 1

    The cryptocurrency enigma

    Preston Miller, Consultant at an international cybersecurity and forensics firm, USA

    Abstract

    Bitcoin has become a fixture in today’s modern society, a source of innovation and mystery, and has begun to change the way we think about currency. Because of Bitcoin’s success, many modern cryptocurrencies are simply variations on the Bitcoin framework. These Bitcoin derivatives are referred to as Altcoins. By understanding the cryptocurrency framework, through analysis of Bitcoin, examiners will be capable of understanding artifacts in a wide range of cryptocurrencies. In this chapter, we learn Bitcoin through example by first understanding the underlying theory and then seeing it in action. By using the MultiBit HD client, we observe transactions coming across the wire and look for their network and disk-based artifacts. From this approach we accomplish two things: the reader obtains a technical understanding of how cryptocurrencies work and how to forensically analyze and evaluate cryptocurrency artifacts.

    Keywords

    Bitcoin

    blockchain

    cryptocurrencies

    asymmetric encryption

    network and disk-based artifacts

    MultiBit HD

    digital signature

    decentralized

    proof of work

    mining

    Purpose

    The goal of this chapter is to serve as a primer for cryptocurrency conventions and artifacts. By focusing on the technical aspects of Bitcoin, the most popular cryptocurrency, and examples from wallet software, the examiner should be more knowledgeable and comfortable while investigating crimes involving cryptocurrency.

    Introduction

    Bitcoin has become a fixture in today’s modern society, a source of innovation and mystery, and has begun to change the way we think about currency. In this chapter, we are going to explore the context, underlying framework and protocol, and artifacts related to Bitcoin. This chapter will focus exclusively on Bitcoin. However, because of Bitcoin’s success, many modern cryptocurrencies are simply variations on the Bitcoin framework. These Bitcoin derivatives are referred to as Altcoins. By understanding the cryptocurrency framework, through analysis of Bitcoin, examiners will be capable of understanding artifacts in a wide range of cryptocurrencies.

    Often associated with providing anonymity for the purchase of illicit goods online, cryptocurrencies such as Bitcoin have been brought to the forefront after gaining traction through recent media attention. Increased exposure has publicized the utility of cryptocurrencies and spurred the creation of new currencies at a rate previously unseen. As more consumers depend on cryptocurrencies to purchase both legal and illegal goods, understanding cryptocurrencies and the channels through which they travel is vital.

    As of August 2015, there are 678 cryptocurrencies on the market that come in varying types. A list of these cryptocurrencies and their prices can be found at coinmarketcap.com. Cryptocurrencies are often perceived as an unknown quantity; however, for the most part they are extremely well documented for those who want to read the technical details. For most of these cryptocurrencies a white paper is available that explains the underlying framework of the currency.

    What makes a currency?

    When talking about cryptocurrencies, it is not uncommon to be asked why they have a value at all. These currencies have a cost associated with them, despite lacking a physical component, and for some this is a tough concept to come to terms with. However, nonphysical currencies
