DATA RECOVERY – FORENSICS STYLE

Written by itongtong517

by Donna Eno, CCNA

So there you are, running your business, or maybe you’re at home catching up on emails. Minding your own business. Then you notice files are missing, your screen flashes, your network connection slows to a crawl. You begin to wonder. You remember the conversation, just the other day, with an IT friend over lunch about how more and more networks, and the computers that sustain those networks, are being compromised. You remember some of the symptoms that a network and/or computer would display at the onset of an attack, and it bears a real resemblance to what you are experiencing at your desktop. You get that sinking feeling in your gut as you wonder whether it has happened to you and what it will take to minimize the damage….

Data Recovery speaks to recovering the data. Period. Regardless of how much is recovered, what state the files are in, whether or not they are readable, and what the last disposition of those files was. It is just that: recovered data. However, if litigation over your losses is in the near future, then plain Data Recovery will not be ‘good enough.’ Why? US courts have determined that in order to substantiate whether electronic data is authentic and/or original, that data must adhere to some pretty strict guidelines. And so this discussion will be about Forensic Data Recovery: data recovery that will, in the end, hold up in court, allowing you, the victim of network fraud, hacking etc., to win and watch the bad guy go to jail.


First, let us revisit our victim, who has now realized that the computer, and possibly the network, has been infiltrated, files are missing and mayhem has ensued. He calls his IT friend, who has very graciously offered his assistance as well as that of his staff.

But this is a good place to stop. Before anything progresses from this point forward, a few facts. The Federal Rules of Evidence (FRE) state: “To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.” (FRE Rule 901(a)). One of the ways the rule lists for doing that is: “Evidence About a Process or System. Evidence describing a process or system and showing that it produces an accurate result.” (FRE Rule 901(b)(9)). Courts have ruled that hash values computed over the electronic evidence satisfy this requirement. A hash value is the output of a cryptographic hash function applied to the bytes of a file: a fixed-length number that, for a sound function, is unique in practice to that exact sequence of bytes, so that any change to the file, down to a single bit, produces a different value. There are several hash functions in use, named after their algorithms, such as MD5, SHA-1 and SHA-2. In a Forensic Data Recovery ALL evidence artifacts (which are ALL files on an image, regardless of type) are assigned hash values; MD5 has traditionally been used for this, and most tools now record SHA-1 or SHA-256 alongside it. MD5 has a known weakness: two different files can be deliberately constructed so that they produce the same MD5 value. These are called MD5 collisions, and many papers have been written on them since the first practical collisions were published in 2004. The short version of a hash collision is this: when the algorithm, applied to two wholly different binary strings, produces the same number, that is a collision, because the numbers match exactly when they should differ.

MD5 hash values are 128 bits (16 bytes) long, so an accidental collision is vanishingly unlikely, but because of the weakness in the algorithm a collision can be manufactured on purpose. So the SHA-1 and SHA-2 hash algorithms were created and adopted. SHA-1 values are 160 bits; SHA-2 is a family whose most common member, SHA-256, produces 256-bit values. SHA-1 has since been broken as well (a practical collision was published in 2017), and government bodies such as NIST have retired it in favour of SHA-2 for exactly the cryptographic strength this discussion requires. Two caveats a practitioner should keep in mind. First, a collision attack lets an adversary create a matching pair of files in advance; it does not let anyone take an image you have already hashed and produce a different image with the same MD5 (that would be a second-preimage attack, which remains infeasible against MD5), so an MD5 recorded at acquisition time still proves the image has not been altered since. Second, the cheap defence is to compute and record two hashes, MD5 and SHA-256, over the same data: SHA-256 has no known collision attack, so a manufactured MD5 collision is caught by the second value. With that, problem solved.

But how does the hash value get applied so that the end result is: data recovered and bad guy goes to jail or pays a hefty fine? The answer is: Forensic Imaging.

Most data recovery companies will want to take an image of the hard drive or electronic device in question, just to be able to process that data and extract the recovered files. A Forensic Image is a bit different and almost always more in-depth. A Forensic Image is a bit-stream image: every sector, from the very first bit at the first addressable position on the drive or device to the very end, with hash values computed as the data is read. It is very important to note that a Forensic Image captures absolutely everything the drive presents to the host: unallocated space, unpartitioned space, file slack, deleted data, everything. One area it does not capture by default is the Service Area of a hard drive, the reserved region holding the drive’s firmware modules, defect lists and S.M.A.R.T. logs. That region sits outside the address range the operating system can read, so reaching it requires vendor-specific commands and specialist tooling, and when it is needed (typically to repair a failing drive so that it can be imaged at all) it must be acquired separately. A related point applies to encryption: on a self-encrypting drive the media key lives in the drive controller, outside the addressable data, so a sector-level image yields only ciphertext and the key or unlocking credential must be obtained by other means before the image can be decrypted. So the process is as follows:

  • The hard drive and/or electronic device is connected to a write blocker. A write blocker is a device that only allows data to be read from the hard drive; no write command can reach the drive itself, so there is no way for the data on it to be manipulated during acquisition.
  • A clean target drive is connected in such a way that it captures the data from the source drive as it is read. Thus a complete, exact replica of the source drive is created, with the hash values computed over the stream as it is read; the whole drive receives one value per algorithm (preferably both an MD5 and a SHA-256), and each file, folder and directory receives its own hash values when the image is later processed.
  • Verification of the written image is performed. This is a process in which the hash values are computed again over the target and compared with the set computed during acquisition, to confirm that they match. If the data read from the source drive was written faithfully, the hash values will match. If so much as ONE BIT differs between what was read from the source and what was written to the target, the hash values will not match and questions will need to be answered as to why.
  • So what would cause the hash values NOT to match? Several things, and they can be quite innocuous.
  • A bad spot on the source drive itself. Since this is a bit-stream image, any sector that cannot be read, or that reads differently on a second pass, will cause a hash-value mismatch. Imaging tools handle unreadable sectors by writing zeros in their place and logging the sector numbers; keep that log with the image, since it explains the difference.
  • Electrical surges. All of this equipment, computers, hard drives, electronic devices… all are subject to electrical power surges. To remedy this, verify that all pertinent equipment sits behind a surge protector rated to at least 700 joules, and preferably a UPS. Note that no surge protector will absorb a direct or nearby lightning strike, whose energy is many orders of magnitude greater than any such rating, so if you happen to be imaging in an area with lightning activity, work with a surge protector always and be prepared to re-image after any power event.
  • Lastly, operator interference. No one likes to get caught. So if someone realizes the game is up, they may attempt to cover their tracks by removing data, the source drive etc., while the imaging process is occurring. This actually happened once when I was imaging a drive. One of the custodians (bad guys) logged onto the machine that was being imaged and began to erase data. Pretty impressive. Did that end the process in whole or in part? No. Why? Because all of the allegations still had to be proven in court. It did not matter at all that I had witnessed someone erasing data even as the image was being created and verified. Keep that in mind. Just because an image may have been compromised does not stop the forensic process whatsoever. So… what did we do? Re-start the image with a new target drive (the drive being written to) so that a comparative analysis could be made between the first image created and the second one to determine what files and/or data were destroyed.
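The acquisition, verification and comparison steps above, together with the per-artifact hashing described in the discussion of hash values, as one added worked example. This is illustrative code written for this page, not a tool from the original article or from any forensic product; the source “drive” is a constructed in-memory byte string standing in for a device behind a write blocker, and the 512-byte sector size, the FakeDrive class and the demo data are all assumptions made here.

```python
"""Toy bit-stream imager: hash-on-the-fly acquisition, bad-sector handling,
verification of the written target, per-artifact hashing and image-to-image
comparison. Added example for this article, not code from the original post.
On a real system the acquire() loop would read from a read-only handle on the
block device (for instance open('/dev/sdb', 'rb')) instead of FakeDrive."""
import hashlib
from typing import Dict, List, Tuple

SECTOR = 512  # assumed logical sector size; 4096 on advanced-format drives


class FakeDrive:
    """Constructed stand-in for a source drive behind a write blocker.
    Sectors listed in `bad` raise on read, mimicking unreadable spots."""

    def __init__(self, data: bytes, bad: Tuple[int, ...] = ()) -> None:
        self.data = data
        self.bad = set(bad)

    @property
    def sector_count(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"read error at LBA {lba}")
        chunk = self.data[lba * SECTOR:(lba + 1) * SECTOR]
        return chunk.ljust(SECTOR, b"\x00")  # pad a short final sector


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of a blob. Recording both means a manufactured MD5
    collision would still be caught by the SHA-256 value."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def acquire(drive: FakeDrive) -> Tuple[bytes, Dict[str, str], List[int]]:
    """Bit-stream copy from LBA 0 to the end of the device. Both digests are
    updated as each sector is read, so the acquisition hashes describe
    exactly the bytes sent to the target. Unreadable sectors are replaced
    with zeros and their LBAs logged (what dd conv=noerror,sync or dc3dd do)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    image = bytearray()
    bad_sectors: List[int] = []
    for lba in range(drive.sector_count):
        try:
            chunk = drive.read_sector(lba)
        except IOError:
            chunk = b"\x00" * SECTOR
            bad_sectors.append(lba)
        md5.update(chunk)
        sha256.update(chunk)
        image += chunk
    hashes = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    return bytes(image), hashes, bad_sectors


def verify(image: bytes, acquisition: Dict[str, str]) -> bool:
    """Verification pass: re-hash the written target and compare it with the
    hashes computed during acquisition. A single flipped bit fails this."""
    return hash_bytes(image) == acquisition


def hash_artifacts(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Per-artifact manifest: every file carved from the image gets its own
    pair of hash values, as the article requires for ALL evidence artifacts."""
    return {name: hash_bytes(content) for name, content in files.items()}


def diff_images(first: bytes, second: bytes) -> List[int]:
    """LBAs that differ between two images of the same drive, e.g. one taken
    before and one after a custodian tried to erase data mid-acquisition."""
    if len(first) != len(second):
        raise ValueError("images of the same drive must be the same size")
    return [lba for lba in range(len(first) // SECTOR)
            if first[lba * SECTOR:(lba + 1) * SECTOR]
            != second[lba * SECTOR:(lba + 1) * SECTOR]]


def demo() -> Dict[str, object]:
    """Walk through the article's scenarios on a constructed 8-sector drive."""
    data = bytes((i * 131 + 7) % 256 for i in range(8 * SECTOR))  # constructed
    image, hashes, _ = acquire(FakeDrive(data))
    tampered = bytearray(image)
    tampered[3 * SECTOR + 100] ^= 0x01            # one bit changed in LBA 3
    _, _, bad_logged = acquire(FakeDrive(data, bad=(5,)))
    # Custodian wipes LBA 2 between the first and the second acquisition.
    wiped = data[:2 * SECTOR] + b"\x00" * SECTOR + data[3 * SECTOR:]
    second_image, _, _ = acquire(FakeDrive(wiped))
    return {
        "verified": verify(image, hashes),                     # True
        "tamper_detected": not verify(bytes(tampered), hashes),  # True
        "bad_sectors_logged": bad_logged,                      # [5]
        "changed_sectors": diff_images(image, second_image),   # [2]
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The digests are updated inside the read loop rather than computed afterwards, so the recorded acquisition hash describes what was actually read, not a second reading of a drive that may be failing. And the bad-sector list is returned alongside the image for the same reason the article gives: a later mismatch against the source has to be explainable, and the log of zero-filled LBAs is that explanation.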

To be continued…