Our Technicians can try and assess if

Before paying, contact us, and we will identify the type and perhaps decrypt with no payment needed to the bad actor! Certainly, don’t insult or be rude to them unless you want the Ransom doubled! We have a special technique and training to lower the ransom, and in many cases, we pay for ourselves 7 fold compared to trying to ‘do it yourself. We are fast, efficient, reasonable, and if you have to pay, you won’t have the FCA or FBI knocking on the door because compliance checks will have been passed in terms with who the bad actor is; sometimes, using computer forensic techniques, we can recover data from backups, using files carving and other methods.

https://www.nomoreransom.org/crypto-sheriff.php?lang=en

https://www.nomoreransom.org/en/decryption-tools.html

The police are not trained/funded/staffed sufficiently and are too swamped to deal with cybercrime, and ransomware in particular, on its own. And security researchers cannot do it without support from law enforcement agencies. So responsibility for the fight against ransomware is shared between the police, the justice department, Europol and IT security companies and requires a joint effort. Together we will do everything in our power to disrupt criminals’ money-making schemes and return files to their rightful owners without the latter having to pay loads of money.

>BTC/LiteCoin/Monero Wallet recovery when the item is lost or deleted from a hard drive

>Examination of a hard disk to ascertain login info to an exchange or vendor such as Coinbase, Crypto.com when the password is forgotten

> Password Recovery – if you recall some part of your password, or you think the password was not too complex, then we can help you.

>We are a bricks and mortar business you can trust us with your wallet

“I read Bitcoin hitting 40k then thought about my wallet sitting on a formatted hard disk. Compute Forensics were able to recover this and I gained 80%”

John from London

It is like having a computer forensic expert in your office! Alistair Ewing Director Compute Forensics Ltd

As technology advances remote forensic services are being more commonly utilised in the eDiscovery or forensic sphere. Compute Forensics can collect and triage data remotely either 1) On the corporate network to a server or system on the same local IP range in a live state but a blocked mode. 2) Across the internet with a secure AES encrypted connection using a forensic operating system with a remote connection. The original disk is untouched as the OS or method blocks writes to the drive. The image and working copy is made to a Bitlockered or Veracrypted disk connected to the system by the client.

Travel costs and board costs can be out of proportion to the case, or the data may reside on a home connection so it may be required to perform a remote collection.

Situations when a Remote Aquisition is Useful

1. The budget doesn’t suit an onsite collection.
2. The data is in a far away location.
3. The data and the user is on the same corporate network. The physical and volatile data needs to be collected onsite but remotely without the culprit’s knowledge but with the authority of the organisation.
4. The collection or triage is on a tight schedule.
5. There are only 1 or 2 devices on the client site.

Is a Remote Collection Safe and Forensically Sound?

Yes, all the data packets sent and received during the remote collection at the client end including, keyboard and mouse signals, images and files transfers are encrypted. Only the Computer Forensic Expert has access to the AES-256 and RSA-1024 cryptographic keys. The internal disk is untouched should the instructions be executed diligently; a pre-briefing exercise ensures this.

The following steps display the methods entailed in a remote collection:

How a Remote Collection is Conducted on a Machine in an Off State

1. The client gives us information about the machine model etc. A contract allowing us to make a remote collection is to be completed by both parties before the forensic imaging. The technique works on Intel Based Macs as well as most PC Laptop models and tower PCs.
2. A bespoke digital forensic OS is uploaded to a secure location in an ISO format and made available for download. The client burns this to an optical disk or a USB using Rufus.
3. The CD or USB is added to the system along with a USB 3.0 destination drive that is larger in capacity than the internal drives.
4. The system is connected to an ethernet connection buy the client.
5. When switching on the system, the user at the client side presses a key, DEL/F12/F8 or similar, during the power on self-test stage as the machine is waking up. On the system’s BIOS or the UFEI, the boot menu. The attached boot USB or CD is booted from bypassing the OS on the system but using the system’s hardware to function.
6. In the forensic OS, the client right clicks and selects the ‘connect to network’ option.
7. From there the forensic examiner takes over the system and begins the collection process.
8. All system data such as disk serial numbers are seized by specialist software to help produce the analysis report.
9. Any forensic images, logs or findings are exported to the encrypted attached USB stick or…
10. Uploaded via SFTP to the eDiscovery firms remote storage box or direct to a cloud-based eDiscovery platform such as Goldfynch.

On an Apple Device

1. Start OS X
2. Hold the option key until CD is displayed as an option (takes a little bit to appear)
3. Release the option key
4. Use the arrow keys (or mouse) to select the CD
5. Press Return.
6. The investigation begins.

How a Remote Collection is Conducted onsite on a Machine in an On State

1. A machine connected to the corporate network with Accessdata’s FTK installed is prepared.
2. The IP of a culprit’s machine is entered onto the examination machine.
3. The evidential disk is connected to remotely without the user’s knowledge after a remote agent is pushed to the machine remotely.
4. The examiner gains access to the file system through the remote agent. The volatile data can be analysed for malware and passwords. The disk can be copied and triaged.

Should you require a forensic collection, please don’t hesitate to contact a member of our team.

4 Reasons Why Hotels Are Exploited Commonly

1. Travellers make more purchases while travelling and take longer to notice anomalies. Business users just don’t mind as much as they won’t take the losses personally.
2. The information racked up by hotels about their guests coupled with poor network security mean that the hotel networks are stellar targets for a man in the middle attackers. They can sniff network traffic or hack the hotel booking system finding out the date of birth, passport numbers and other information about guests.
3. The hotel environment has many ripe payment terminals for exploits discovered at onsite shops, restaurants and spas. The relaxed demeanour of untrained staff and lax security mean these terminals can be exploited either by strapon devices and other techniques.
4. Open WIFI networks and lack of a VPN mean network traffic can be recorded with ease.

What Can You Do?

1. Use a VPN such as one by Private Internet Access while travelling.
2. Invest in monitoring systems that can detect breaches and perhaps train IT staff in data security.
3. Monitor your bank activity using Experian or similar.
4. Try a tool such as Rippleshot Siren that provides a unique overview of the status of all your locations, colour-coded by breach severity level, as well as personalised alerts whenever a location’s threat level changes, or otherwise needs your immediate attention.

If you are suspect a breach or are concerned about the security in your hotel then contact a computer forensic expert at Compute Forensics for a free telephone consultation.

IT security is no joke. According to the Federation of Small Businesses owners lost 800 million GBP to cybercrime. The cost of preventing this colossal amount would have been a fraction of this loss. Some fixes need special consultancy and training such as penetration testing or if a breach has occurred digital forensics techniques may be required. Prevention is better than the cure. Many fixes are simple and don’t require much in cost and effort from you or your IT department.

I have summarised some tips below to help secure your small business.

Top Security Tips Summary

• Use Anti-Virus/Firewalls/Anti-Malware/Active Monitoring This can be free for your small business so there is no excuse. Comodo is a great antivirus and can be used legally for small businesses. Sophos provides a great free firewall for small businesses as long as you keep the rules up to date and configure it correctly! Much active monitoring software exists, take a gander at Variato for example.

• CCleaner By Piriform is worth having it allows admins to wipe disks that may hold IP so they may be recycled (Don’t wipe or reuse ex-employees data. Look at this article so you can find out why!). This is important as you don’t want insiders using data recovery software to find artefacts. It can also function to delete internet history and can wipe free space so old data can’t be discovered so you may not want this to be present on employees systems.

• Shred Unwanted Documents You may want to use a digital shredder

• Secure Your Website This can be done by patching, updating and ethically hacking to test the site to test the site’s security. Update the backend of your site and schedule regular tests. Test the applications on the site, design them with security in mind.

• Backup Be sure to back everything up off your network before an event occurs. Make backups of servers and computers using Clonezilla, a free cloning software. Backup your website and if using WordPress use plugins such as ‘All In One WP Security & Firewall‘ that has built-in scanners and firewalls. Backup your assets the old fashioned way to cheap readily available external USB disks. Make sure these are encrypted, you can add encryption and passwords for these using Veracrypt. Store backups safely and if needed in a safe with limited access. Making regular backups that can be readily restored means your business can get up and running should ransomware or other threats strike. Your assets will be protected and the crash or hack will be a minor setback. It is important to save and cherish your intellectual property but keep it off any networks.

• Due Diligence Consider employee background checks as can be carried out by companies such as Tendo Solutions.

• Conserve Ex-Employee Data Be sure to preserve ex-employees hard disks in case of IP theft or unauthorised activity that you may need to use against them in the future. Consider a forensically imaging the disk and having a full computer forensic analysis on the data. You may need to hire a computer forensic expert to do this.

• Use Strong Passwords Don’t use default passwords on devices, change the passwords on routers and similar. Use password creation websites such as Password Generator to generate a strong password. Don’t store passwords on post-it notes attached to your monitor!

• Implement Two-Step Authentication Try to use an email service such as Gmail Business that has two step authentication where you can link a mobile phone with an account and use this device to generate a code after you enter a password as another layer of security. Even if some gets hold of one of your employee’s password while doing business in Hong Kong they can’t get into your account without the Authenticator application linked to a particular phone.

• Mobile Phone Security Try to have all your employees phones preconfigured with encryption, a decent password and an anti-virus.

• Virtual Private Network Try to have a VPN app installed and running at all times to protect your data while browsing on unsecured WIFI on a mobile phone or computer.

• Encrypt Whole Disks Protect movable assets such as laptops by using Veracrypt to encrypt the disk before you even get to the Windows login, you could even us Bitlocker already built into Windows.

• Training You employees need training in threat awareness and online security.

• Look For Software and Hardware Keyloggers or Recorders Sometimes rogue employees may attach hardware devices to log keystrokes or indeed install software in order to do so. If they can do this they access to your passwords and activity.

• Phishing Train your staff on phishing awareness and even try and bait your staff to see if they fall for spoofed emails or similar.

• Restrict ‘Bring Your Own Devices’ This policy is risky as you have no way of knowing the integrity and security of your employee’s devices. Give staff their own devices preconfigured.

• Updates Keep your software up to date and patched. Nothing is more useless than anti-virus that is 4 years out of date!-virus that is 4 years out of date!

• Guest Networks Your companies WIFI and the network may be secure but plenty of juicy information can be sniffed using a man in the middle attack in the canteen on level 0’s free unsecured WIFI network. Again use a decent VPN.

• Restrict Software Allowing employees to download software that hasn’t been vetted by anti-virus software or the IT department is a recipe for disaster.

• Maintain Logs and Store Them Backup your server and other logs, encrypt them and keep them somewhere safe for a possible future analysis.

Thank you for reading. No single technique or guide will totally secure your business.

Please like and share this article.

Regards,

Alistair Ewing

You can trace your current IP address here. The trace will tell you your location, internet service provider and even which browser you are using. This means if you are a major our corporation you risk a data breach. Your data can be logged and monitored by your ISP, marketers can then target your computer with area-specific adverts. Onlookers cannot see your information should you use a VPN. If you are not using one now you may be only one transaction away from online banking fraud thus giving your details to the hacker. You can also purchase full protection for up to 5 devices for only £40 a year.

What is a VPN?

In a nutshell, a VPN is a secure encrypted connection between your computer and the VPN server. While connected all your data passes through an encrypted tunnel. This way no one can eavesdrop or sniff the data being transferred. Also, you have a different public IP address (Your internal IP will remain the usual 198.168.1.xxx or of that range).

Many corporate environments have a VPN. You could be using one already. Consumer versions of VPN technology are vast. A personal favourite of mine for many reasons Private Internet Access. This company offers a super fast VPN service for Windows, Mac, iOS and Linux for around £24 a year. They have on their hardware list a plethora of servers from around the world as the closest server to you will be the fastest, this is a must. There is no use of watching online videos browsing from a slow server in Mumbai when sat in a cafe in London.

Benefits of a VPN

Free WIFI Security Concerns

One of the main advantages of a VPN is if you connect to a free WIFI hotspot such as an airport anyone related to that service can see your browsing stream and use a tool like Wireshark to sniff your credit card details and passwords. Recently it is now possible to do this on a mobile phone. An android tool called ZAnti automatically filters out the noise and leaves users with a report detailing sniffed passwords and activities. The culprit would start reconnaissance by using a tool to scan IP addresses and discover devices on that network then target a particular device to sniff the data. Had you been using VPN your activity would be invisible. I once conducted a pen test for a bluechip firm. I couldn’t find any holes in their network; It was pretty tight. I went to the canteen ran by a dreadful favourite coffee chain style clone. They had free WIFI and an open connection. This connection infiltrated the business, and some employees were unwittingly using this to connect to the internet. From this, I was able to sniff confidential company data while supping a terrible faux Italian coffee looking trendy utilising a ‘man in the middle’ attack. I reported that this occurred and the director of compliance was shocked. Heads rolled, and changes were made. I collected my bonus pay for finding the weakness and their brands reputation was saved.

Being Naughty

If your family has been doing the unthinkable and downloading that latest release through BitTorrent then you probably won’t be receiving that court summons as the IP address won’t be trackable. Your IP address will also be anonymous. Most VPN companies don’t leave logs so will have nothing to hand over when they receive the knock from that ‘Paramount Fox’. I do not condone this and if you download copyrighted material then expect strange things to happen.

Watching Online TV

More innocently, If you are in a foreign country and wish to watch your local online TV stations then you can fool them into thinking that you are based in that country. Just recently though Netflix have grown wise to this so there is no guarantee how long this bubble will last.

Tin Foil Hat Wearers

If you are worried about the reptilian government NSA spying agency intercepting your plans at organizing a David Icke appreciation tea party then a VPN is for you. Instead of your outside IP address being traceable and your data stream being unencrypted using a VPN will make your activity much harder to track and decipher. This article suggests that the US government are silently deciphering up to two-thirds of VPN connections. Right or wrong, this article is simply informational and remains agnostic but it is happening. This may aid spooks to catch those who wish to harm but who’s to say that someone doesn’t come knocking at your door at 3 am in 10 years time when a fascist government takes control and they got hold of information you voted Green for Ralph Nader back in 2000.

What to Look for in a VPN Firm

A google search will reveal ‘free’ VPN services. They are OK for short-term use but on the whole, I find them slower and unreliable; see Tunnelbear, Windscribe and Cyberghost.

You want something fast, that doesn’t hand over logs, one-click activation, one-click connection, advanced features, fast performance, multiple payment options with Multi-platform support and a VPN kill switch. Again I tested many and find Private Internet Access has the best speed, the most servers, and countries in which to choose to browse from.

I Have an Anti-Virus and Firewall so Why Bother?

Fine then! But think about it; for the price of a Spotify subscription, you can evade from network attacks which are becoming increasingly common. A VPN provides another level of security that anti-virus and firewalls don’t. With NSA, hackers, and IP hungry advertisers all vying for our information, VPN is going to be something that will become more common in coming years. Think about using a VPN as a daily habit for you anonymity and protection.

Written by Alistair Ewing Director at Compute Forensics

Only a qualified computer forensics expert from a company such as Compute Forensics should be selected to perform forensic data collection. You can call us on +44 (0)203 5989658, email us at expert@compute-forensics.com or ‘Live Chat’ to a computer forensics expert witness by clicking on the red tab at the left of the website. Compute Forensics offers a global collection service for e-Discovery firms, Digital Forensic firms and businesses under litigation. Compute Forensics can provide training and equipment to IT departments that require the collection skills themselves as to give a lightning response that is needed when the need arises.

Introduction

This article is designed to be a general overview of the actions, programs and techniques used in data collection before scenarios such as a digital investigation of a recently departed employee or for an e-Discovery litigation hold.

What is Forensic Imaging?

Forensic imaging, in a nutshell, is the act of gathering data in a court accepted fashion from digital media to a Veracrypted encrypted output device where possible. That data may come from a live system, a dead PC, DVD, iMac, USB disk, X-Box or remote mailbox. Those are just a few examples.

Typically, the source media should be placed into a blocked state when being read and the data outputted to an attached destination disk with read/write access. It is essential contiguous notes of the system and steps taken are made while the imaging is taking place. The forensic imaging should be done by a certified, experienced digital forensics expert witness or at least an individual with collection training and IT knowledge.

On certain occasions blocking writes to the source media may not be possible such as if you are presented with a live system server or an encrypted system that is discovered switched on. In these instances, the image must be taken live as not to disturb a server or re-encrypt an unlocked disk.

In addition to noting the collection process, it is important to note the physical location of the evidence and store it in a compliant manner and always gain signatures when handing over data.

Tip: As a rule, if the system is switched off leave it that way. If it is changed on leave, it switched on but take the computer, laptop or phone off the network and connected to power. For a computer that may mean unplugging the network cable, sliding a switch to ensure WIFI is off, pulling out a dongle, popping out a network card or disabling networking in the control panel of the operating system. For a tower computer, it may mean just pulling out the Ethernet cable.

What is a Physical Forensic Image?

A physical forensic image is a full ‘bit for bit’ copy of the particular media. This includes every byte of data from the live file system to the unallocated deleted areas of the disk.

The forensic image may be outputted in some formats such as a simple format agnostic raw dd image format, the common EnCase E01 evidence image or the less common Advanced Forensics Format (AFF). If you wrote this forensic image back to a disk in its raw format (FTK has this functionality) with the same capacity, it would be identical in every way to the original. From this image, a computer forensic analysis would be conducted as not to risk damaging the original.

I have personally experienced occasions where forensic software wasn’t used to collect the data for some reasons like a RAID wasn’t being recognised on older systems or the disk was not being read in Windows. In these instances, something akin to a bootable Clonezilla Live distro may be used to produce the image. When doing so always explain your reasoning in notes and find the verify or MD5 hash the result if necessary. Getting something is better than walking away with no data at all. Again this should always be done by a qualified person that is well versed in forensic imaging.

What is a Logical Forensic Image?

A logical forensic image or skeleton image is a particular copy of certain files from a source. Many programs can produce logical images: Stefan Fleischmann’s excellent X-Way’s Imager, the superb and free FTK Imager or new on the scene Magnet’s Acquire software can be used to do this in a Windows environment.

A logical acquisition is the option to use if the digital expert requires a targeted collection for litigation reasons, just a few files of interest are needed, or the client collect wishes you to collect from one or more custodian’s user profiles from a server that may have many users.

In an active state, FTK Imager Lite as shown in Fig 1, can be executed from the destination disk on the computer you wish to extract from as not to write to the live computer by installing software to the source. A custom content list can be built into the programs user interface, and a logical forensic image file is thus produced.

FTK Imager can be used to mount forensic images to view in Windows Explorer, build custom content images of live machines, image RAM (random access memory) from a live system, view and export from Linux/Mac/Windows filesystems and most commonly forensically image a hardware or software writeblocked device to an external disk. FTK Imagers only drawback is when an examiner images a damaged disc the software fills in the unreadable sectors with 0’s. Not attempting to read the drive is unacceptable when a data recovery solution such as ‘ddrescue‘ may recover a whole email collection where the forensic tool fills what it can’t read with 0’s. In an investigation or legal hold, every byte counts! I have been the examiner that has acquired 100% of an image where others had to explain in court why some sectors weren’t imaged.

Fig 1 FTK Imager Version 3.3.0.5 the Crème De La Crème of Forensic Imaging Tools

On a live Mac you may want to produce a full image using a bootable Linux forensics distribution such as Caine then go on to build a list from that main image onsite should the client not want all the data walking off site. There are other solutions like BlackBag’s convenient MacQuisition.

Verification MD5 and SHA1

The verification information is hardcoded inside the metadata of the image in the case of most advanced forensic image formats such as E01, AD1, and AFF. A log is produced by any decent imaging software with a verification sum generated for the forensic image to signify the image is identical to the original. Verification is done so that the professional examining the image can be sure the image hasn’t changed since it was taken by checking the MD5 or SHA1 hash sum or other before commencing the investigation.

Fig 2 displays an example log auto-generated by AccessData’s FTK Imager. The imaging log gives forensic experts some information about the physical capacity of the disk, serial number and some of the notes I have used. In this case, the image was a server that was running a virtual machine. FTK imager was run live in this instance in the emulated environment, and the image was outputted to the emulated physical disk. Another option is shutting down the virtual machine image and logically copying and verifying the file or indeed the whole of the servers physical disk. Shutting down a server may cause financial loss to a firm and disruption if the server is in use. If it is on image the machine while it is in that state while taking notes, that is my recommendation.

Fig 2 – Example Forensic Imaging Log File Automatically Generated by FTK Imager Lite V3.1.1.8

Email E-Discovery Collection

Anyone collecting emails should be sure that emails on the local computer mailbox match the server. If they don’t then it is good practice to receive from both anyway and let the software de-duplicate the items, so you obtain a complete picture of the emails in the forensic search. Computers were after all invented to take the labour out of tasks.

Emails can appear in many forms (Lotus Notes NSF archives, Microsoft PST/OST’s, or individual EMLX or MSG files) and may not even reside on the custodian’s hard disk or smartphone under investigation. Other places they could be discovered are on enterprise servers, as a fragment in the deleted areas of a hard disk or even on the cloud via services such as Gmail for business or Microsoft 365. The email archive may also carry encryption so you may get a Lotus Notes NSF email archive file; without the unlock ID and a tool to open you will run into trouble, which goes for password locked PST’s too.

A computer forensic collection of emails may be as simple as collecting a PST email archive file that resides locally on an individual’s laptop, server or user share.

A more complex instruction may need the collection of specific emails that contain only certain keywords on a Microsoft Exchange server while keeping the integrity of the email attachment/mailbox structure. In these more complex situations an E-Discovery collection expert and your client may need to cough up for Discovery Attender by Sherpa Software, this excellent program plugs into your exchange server and can search, filter and extract onsite. You could also attach FTK with an enterprise agent or even image the whole disk and search from that image onsite.

I have created a summary guide below of the best tools in my experience in email E-Discovery collection:

Summary of Email Formats and Best Tools for E-Discovery Email Collections

• Local PST/OST Just logically collect an image using FTK Imager or similar. Be sure to hash verify the collected items if copied and make notes!
• Webmail such as Gmail/Hotmail/Yahoo/365 Etc Use Intella’s PI or the chopped starting at $100 for a 10GB case limit. Using IMAP settings (and permission!) you can collect the whole remote email archive as the binary file and export as a PST file. All these actions carry a full audit log. Many webmail providers such as Gmail have a built-in option to backup and download the whole archive; you may also consider this.
• Microsoft Exchange Database It is possible to just download the whole EDB file and process in FTK 5.6 the full version or later. You could export different custodians as a PST, search, and filter if needed. If you need a few custodians, then something like MessageOps is convenient. You can install the software on the server, and with admin, credentials run through and select the custodians you wish to export from. The results are outputted as nicely packaged PST’s along with a log file for verification. Dated indigenous X-merge can also export mailboxes as a PST, but it has a 2GB limit and can be a pain in more extensive collections.
• Lotus Notes The mailbox can be exported from the custodian machine in its entirety in the GUI options of the mail user interface. This approach is great if you have a few especially the admin ID file that contains the decryption keys. Then Proofinder or FTK 5.6 or later can be used to mount and read these archives. You may want to collect direct from the server. In the live environment, you may find the archives don’t copy. Use Teracopy or Robocopy or something similar to copy stubbornly locked files in a live setting. It is quite likely Samsung, or similar doesn’t want its Lotus IBM Domino database of 1000 users shut down for 20 hours while it is being imaged! If you have never encountered Lotus Notes before it is because it is antiquated and belongs in the dustbin of history; you needn’t a Delorian or the Doc to go back in time a few minutes in the dated GUI with fool anyone into thinking it is 1994!
• Loose or Deleted Emails These can be recovered from the server or local by using a data recovery program such as the ugly but effective photorec as shown below Fig 3. Data Recovery should be made from a previously produced forensic image. If an image is not possible an experienced computer forensics collection expert would run photorec live from an external disk and output the data to that same external disk. Emails may also be logically recovered from the email admin interface or reside on the server even though they have been deleted from the custodian’s machine.

Warning: Do not install data recovery software to the drive you wish to recover from or worse still output the retrieved data to the source drive.

Fig 3 – PhotoRec TestDisk’s Beautiful and Modern User Interface

Physically Forensic Imaging Using a Hardware Writeblocker

Many Computer Forensic companies such as Compute Forensics choose to use a hardware write blockers in many instances. A writeblocker is just a device that halts any writes to the disk from the forensic examination system when copying or viewing. This is shown in Fig 4. A computer forensics examiner would then go on to attach this device to a USB 3.0 socket on the examination computer’s USB 3.0 port for optimum speed. Making sure the evidence disk is in ‘Locked Mode’ it can be attached to the device. The disk should then show up in Windows Explorer and FTK Imagers ‘Add Evidence’ GUI option. The device should now be safe as it is now attached to a hardware writeblocker.

Writeblocking devices used to cost £1000’s but recently Compute Forensics discovered a decent one built by CoolGear. The Coolgear forensic imaging device has USB 3.0 support and images 2.5″ and 3.5″ sizes of SATA drives. You can pick one of these up for £40.00. I, Alistair Ewing, have tested the CoolGear forensic writeblocker and am content with the performance. It is fast and reliable.

Imaging Bottlenecks

The device will only read/copy as fast as the slowest component. On average it takes 4-8 hours for one disk to complete despite companies boasting 500mbs second speeds the device will image anywhere from 1mbs to 80mbs-100mbs. A skilled examiner can copy up to 8 drives at once, much like spinning plates. Collection costs can start at around the £700 a day mark dependant. If you are a company instructing us, please don’t complain if your rickety 15-year-old IDE disk is taking too long to copy!

Fig 4 – CoolGear USB 3.0 Forensic Writeblocker Attached to a 3.5″ SATA Hard Disk Drive

Forensic Imaging Using any SATA/IDE to USB Adaptor and Software Blocking

Another unorthodox method I have used in the past when the drive attached to the write blocker won’t read, or you need a special adapter that isn’t IDE or SATA. This method uses a software blocker and a USB to SATA, IDE, memory card or whatever adaptor. Make sure the destination drive is a USB 3.0 external drive for speed. A software writeblocking program is used in this instance. Usage is simple but also easy to screw up.. Royally! The steps are:

1) Plug in your destination drive.

2) Start Ratool or Thumbscrew and select ‘Block USB Storage Devices’ and then apply changes.

3) Plug in a test USB disk and try and delete format it. Windows shouldn’t allow writing access to this disk.

4) If it does repeat step 2) & 3) until the drive is blocked. When blocked it is safe to plug in the USB disk and adapter in the port that you plugged your test device into the system.

5) Now you should have your destination writable (anything previously plugged in will be writeable too) and your evidence USB stick, Drive or Card plugged in but blocked.

6) Use your favourite imaging software such as FTK imager or Magnet Aquire. Output the full physical disk to your destination disk. Be sure to make continuous notes of what you are doing, videos, pictures of the system and be sure to check the image has been MD5 verified by the hash sum, then you can be sure the copy is identical to the original.

Forensic Imaging Using a Forensic Bootdisk or USB

Using a bootdisk is the preferred method as you don’t need to waste time opening up a drive. The operating system uses the system as a terminal device, and the hard disks are by default blocked. This method works on most Macs, Windows and Linux systems.

Caine, Paladin & Deft – 3 Free Computer Forensic Bootable Linux Distros

Firstly download a distro, my favourite is favourite is Caine. Famous actor Michael Caine assembles it (Only kidding it is made by Italian consultant Nanni Bassetti!). Another great free distro that you have to register to obtain is Suri’s Paladin, see Fig 4. Download the ISO from the website then burn the ISO to a DVD or use Rufus with default settings to make a bootable USB disk. To produce a bootable USB in Rufus merely select the USB stick, click the disk logo and locate the ISO you just downloaded then hit the start button and wait for your bootable USB to be prepared. Always have a copy of DEFT or Helixhandy on a compact disk rather than DVD in case you are working on a device that won’t boot from DVD or USB. from a device that won’t boot from DVD or USB.

Fig 4 Paladin’s ToolBox Imaging Graphical User Interface in Linux Running in Live Mode on a Host Machine

Booting Your Computer Forensics Distribution in the Bios

Before any booting of the system from a switched off state do some research into what key combinations trigger the boot disk. It varies, on a Mac hold the ‘Option Key’ or ‘C’, on a Windows system it could be anything from ‘F1’ or ‘Del’. Take time to look through this list before switching to the system in preparation for booting into a Forensic OS. If you get it wrong, you may boot into the operating system if this event occurs switch the computer off by the button (if safe) or pull out the power cord.

Then the general idea is to use a GUI program such a Guymager as shown in Fig 5 to acquire the media to the destination drive without removing the disk while preserving the integrity of the drive. You need to remember to unlock your destination drive.

Fig 5 Guymager Forensically Imaging 2 Attached Disks USB Disk

Remote Forensic Imaging over a Network

A computer forensic examiner would place a clean virus free computer on the network and attach to the companies domain. Using Encase Enterprise or FTK v5.6+ a computer forensic examiner, with root access, could push an agent to gain access to a remote system. The RAM could be examined for malware and Physical Disk in Read-Only mode. The examiner could then review the computer in real time to produce a logical forensic skeleton image of only the files that are of interest. Alternatively, the examiner could copy the disk remotely and have it outputted to a secure location on the server or locally.

If the user profile exists on the server, it might be sufficient to mount the remote disk or user share in logically in Windows by selecting ‘Map Network Drive’ and using FTK Imager to image the contents locally logically. The local machine should be physically copied where possible in addition to the remote user directory for completeness.

Forensic Imaging Mobile Phones – iOS, Blackberry, Windows and Android

If you come across a phone place it in aeroplane mode or switch it off immediately as it is easy to wipe a device remotely using iCloud’s ‘Find My Phone’ or Similar apps of that ilk.

For a mobile phone forensics expert Magnet’s free software Aquire, CellBrite, UFED and XRY can be used to grab an image logically and physically of a mobile device. A logical grab will obtain the filesystem and no deleted data (except items in the SQL databases that can be logically recovered and scraped from these databases).

A physical ‘Hex Dump’ of a mobile device is the holy grail of mobile acquisition. Hex dumping entails the device to be rooted or jailbroken as so a 3rd party app can exploit the phone allowing the device to be imaged much like a computer hard drive. From this image, deleted data can is gathered.

Mobile Phone Backups

It is also worth a mention that Mobilebackups in the form of BBB/IPD Blackberry backups and Mobilesync backups for Apple may exist on the computer system seized that can be read much like actual mobile device if for some reason the device is no longer available. These backups may contain messages, photos and chat conversations.

Thank you for reading my overview of forensic imaging. I hope it was informative.

By Alistair Ewing Director of Compute Forensics

Introduction

So you are work in human resources, or you are a business owner and are concerned that an incident has occurred or may have occurred? Data may have been emailed or taken out from an ex-employee, or you may have even been hacked. Your first instinct may be some actions or non-actions such as: calling the IT department, pull the plug on the item, leaving the piece on and networked, hire “Bob the computer expert” from down the road or even to have a look at the computer or phone yourself. Any of these options may end in disaster through accidental evidence deletion, evidence destruction and you may be liable having to explain your wrong actions in court or a tribunal.

The IT staff may be in on the incident or involved so with this in mind be sure to investigate a ‘need to know’ basis.

Pulling the plug, as what was done in the past, this may mean the loss of vital encryption keys in the RAM (the computers volatile working memory that is lost when switched off) on Macs, Linux and Windows machines.

Leaving the computer on the network may expose the device to being wiped remotely by the culprit. The assumption here is: The IT department or the director is not forensically trained and neither are you so leave well alone unless you know what you are doing!

Real Case Example Disaster – The Client that Installed Programs on the System to Perform the Themselves

I have experienced cases where the IT department has installed a data recovery program such as Recuva to the disk they wanted to recover from and had the recovered files outputted to that same disk. The actions as mentioned earlier caused the areas that could be retrieved from to fill up with the recovered data and the newly installed program, defeating the purpose of recovery! Not only did they lose valuable data, the recruitment firm’s client list on that computer, The organisation, but also had to explain why they meddled with the system after the event to the opposing parties team in the tribunal. Lucky it was discovered that a list matching the name and size was emailed out. Additionally, a fragment of that list was found in the file slack of another file. The file slack is akin to the unused space at the end of a physical file size space that hasn’t thoroughly been wiped over by the new logical file, invisible to most users. The spreadsheet didn’t exist in its live form, but the fragments and metadata were also discovered using an advanced forensic search.

Evidence Tampering.Deletion by the Culprit

If you are aware, the culprit has tried to format the disk or use wiping software such as CCleaner don’t worry a computer forensics expert should have experienced any number of these occurrences on a weekly basis and is trained to deal with them. Chances are you will make things worse by trying yourself. More often than not their tampering leads to more evidence against them of a cover-up!

Commencement of Search and Seizure

Data exists on computers, external drives, DVD’s, CD’s, mobile phones, memory cards, memory sticks and a plethora of other potential digital media. Make sure you don’t overlook anything in your search. Make a list of the time and date you seized these items along with some photos, videos, serial numbers and any other identifying features you can record. Don’t make anyone aware until you are sure the data is onsite and right before the seizure.

Tip: Sweep your Offices for Hardware Keyloggers and Voice Recording Devices in your

Concerned about intellectual property walking out of your organisation? Often people may not have the skill to hack or install software keyloggers. Hardware keyloggers such as KeyGrabber can log every keystroke, and they appear as innocuous devices on the back of tower computers that plugin easily behind the keyboards. Fig 1 is an example of such a keylogger.

Fig 1 Keylogger Plugged into the Posterior of a Computer Tower

Other Devices

Unscrupulous individuals and gangs have been known to put voice/SMS/telephone bugs in bins or under desks to record conversations. Don’t overlook this. I have come across this in an insider trading investigation where nothing was found on the actual computer, but the office was bugged. Remember there are many ways to steal IP (intellectual property). More advanced bugs now exist that act as a WIFI dongle record traffic such as passwords and then email the booty to the culprit. Even worse is the KeyGrabber module, this is actual implanted inside the computer and are nigh on impossible to spot to the uninitiated. If a logger is discovered, hand this device over to the professional digital investigator.

Protecting the Integrity of the Digital Evidence

It is important not to leave the device anywhere it can be tampered with by the unscrupulous. The culprit or sympathetic co-worker could access the item and tamper with the data. If possible lock the room with the items in, make sure only you have access.

Disabling Network Access on the Computer

If the evidence is a Laptop unplug the network cable at the posterior of the computer, switch off the WIFI switch if there is one showing the WIFI symbol or physically pop out the PCI network card with the computer on. You may also switch off disable the adaptors in the settings if possible. Make sure the item is plugged in and switched on so it doesn’t power off. Try to disable sleep and auto lock in settings or control panel on the system if possible.

If the evidence is a computer Tower  is switched on and logged in disable auto lock and sleep in the control panel. Pull the network cable from the back, pull any WIFI dongle, unscrew the aerial from any protruding card and disable WIFI if it exists on the tower. Try to keep the tower on and not networked if possible. Logout and shutdown only if you are sure there is no BitLocker, FileVault or Trucrypt encryption on the devices. Make notes with times and dates of your specific actions.

If you are not sure about this, please contact a computer forensic expert at Compute Forensics or another organisation proficient to do this. At this stage, it is important to recognise you are just protecting the computer from:

a) Physical Tampering

b) Remote Tampering until an expert arrives on the scene.

Note: if you are sure a cryptovirus or another tool is working in the background on the machine and you know the BitLocker, FileVault or Truecrypt/VeraCrypt password or key or that there isn’t one then it is probably wise to unplug the computer from the power cord or remove the battery. An incident response expert can then attempt to salvage what hasn’t been decrypted and decrypt what has been.

The reason for leaving the system on is at a later stage, and if the computer is on, the digital forensic expert would image the RAM as well as locked registry files and indeed the unencrypted logical image of the unlocked hard disk if the disk is encrypted. Then the examiner would go on to take a full physical copy of the device to follow proper practice procedures. If the item encrypted and off then the examiner may have to crack the password.

Damaged Drive?

Don’t be tempted to use recovery software. The more you use a faulty disk, the less likely a successful recovery will occur. Our experts have been known to image faulty devices while onsite successfully. More often than not the equipment isn’t defective but has just been formatted or modified by the culprit.

Mobile Device Forensic Imaging

If you find a phone on site, put it into aeroplane mode as to stop any remote tampering or switch it off. A Logical image (just the filesystem) and the holy grail of forensics ‘the complete physical image’ (included files system and deleted areas) can be taken when the examiners are onsite.

Don’t worry if this isn’t possible. Backups often exist unwittingly on the suspect’s computer. The data discovered can often yield as much or often more than the live phone data.

Call the Computer Forensic Expert

It is now the incident response experts turn to arrive on the scene take notes and forensically collect the data. The basic premise is that where ever possible the computer forensic expert would collect the data without changing it, along with contiguous notes that can confront rigorous testing in court. Using a forensic blocking device, a forensic Linux distribution or a remote method the expert would then go on to collect the data for analysis and output this verified copy to an encrypted disk.

What Happens Next?

The computer forensic examiner would then go on to examine the forensic copies, not the original disks. This technique is to preserve the integrity of the evidence and not to damage the originals.

A robust digital timeline would probably be needed to be produced to examine the chain of events that occurred. Computer Registry in Windows or Plist files and logs in Mac would generally be probed to discover when programs were run, what was connected to the system and much more. The timeline goes into every event log, internet history and registry item and outputs the results as a table. This table can be painstakingly analysed to correlate the suspect wrongdoings against times and other evidence such as CCTV.

Internet history, chat and email can be recovered using data recovery techniques along with deleted files such as Word and Excel documents. Along with the files, useful metadata can tell us which user the item was last saved by and when the article was copied to a particular location and much more.

The drive can be indexed to allow powerful keyword searches across the data. This searching can search inside files content, its metadata as well as deleted fragments. Powerful searches are not standard for Windows or Macs! Preparation by HR of keywords, dates and times aids the examiner considerably.

Malware can be discovered by scanning the mounted disk using powerful anti-virus software as well as by manual more time-consuming methods such as reverse engineering and running the item in s safe environment.

Using what was found the events can be put together into an expert technical report to ascertain what had happened and possibly reprimand the suspect.

Written by Alistair Ewing of Compute Forensics

______________________________________________________________________

Contact us and we can provide a training solution for your IT department in evidence handling, forensic imaging of ex-employees devices and legal admissibility standards. If you are worried about security consult with us in regards to our pen testing options.

The sooner data is collected, the better. It is better the examiner has experience as an expert witness and is Sweet, and Maxwell vetted rather than hiring someone that is just IT savvy.

Please don’t hesitate to email us at expert@compute-forensics.com or call +44 (0)203 5989658 now should you have an incident.

I continued the investigation from a forensic image as not to harm the contents of the original disk I had made. I managed to find fragments of documents, link files and SQLite database for Chrome Browsing recovered from the unallocated clusters (deleted areas of the disk) and active areas in the ‘Windows Old’ folder that indicated production of a contact list spreadsheet from an Act! contact database. The client database was then uploaded to the culprits Google Drive Cloud account via Google Chrome. I had found the smoking gun!

I suggested to the IT department to have some safeguards in place for the future. They should list the serial number of the disk and who it is in use by. Ideally, they should take out the disk from the caddy of the laptop and store it in an evidence bag somewhere safe. Another option is to hire a computer forensic expert to make a certified copy of the disk verifiable by an MD5 hashsum. Prevention is better than cure so safeguards such as blocking USB writing, CD burning and certain sites or exit points of data was implemented. Too many restrictions can hamper productivity so there must be a balance between security and convenience.

Assets must be assessed not just on their material value but on the value of the IP intellectual property contained within. What damage would be done if that written off considered worthless £200 laptop got into the wrong hands? Suddenly it seems worth paying £400 securing it.

Your company may have saved itself £70 on the price of a new hard disk but almost lost £1000’s concerning lost business from other clients. Think before something is reused or is just valued on its material retail price. It may cost you much more than you think. You must protect your assets.