On March 19th, Belkasoft Evidence Center was featured in a Guidance Software webinar. This month the company is featured as a Guidance’s Partner of the Month. We enjoyed fantastic response from many attendees, and received a lot of questions during and after the presentation. Due to the limited time we could only handle a few of them, but we decided to answer all questions here in the Belkasoft blog.
Can you discuss how Evidence Center finds destroyed or deleted data?
Evidence Center implements a complex approach including data carving, hibernation and page file analysis, and live memory dump analysis to look for deleted and volatile data. In addition, we analyze various places that might keep remnants of deleted information. For example, when looking for deleted pictures, we analyze the system Thumbnail cache. Paths to opened files are usually stored in Windows Jumplists (and kept there forever). Deleted Skype records are often available through a special Skype folder called chatsync. Deleted data can be found in a Volume Shadow Copy folder. We look in all these places, and more.
You mentioned data carving. What is the purpose of scanning allocated disk areas?
While the primary purpose of carving remains discovering destroyed evidence, data carving is not limited to finding deleted data. It can be used to analyze slack space and to discover files-inside-files and injected data (I mean the situation when a larger file is used as a container to keep a smaller file; for instance, a PDF file containing malicious VBScript). Finally, data carving is used to locate files that were moved or renamed, so that searching by name or extension does not work.
For me, as an EnCase user, what extra benefits can Belkasoft integration bring?
Belkasoft Evidence Center extends EnCase capabilities with multiple unique and forensically significant functions, some of which we have discussed today. These important functions include Live RAM Analysis for hundreds of Web applications and social networks, system file analysis, SQLite freelist support, automatic pornography, text and face detection in pictures and videos, keyframe extraction, photo forgery detection, and so on. Please note that EnCase integration is available free of charge if you have both EnCase and Belkasoft licenses.
If you are in Law Enforcement or Education, you can obtain a full one-month license to Belkasoft Evidence Center absolutely free of charge at http://belkasoft.com/trial. If you do not fall into one of these categories, you can use the demo version available on our website.
Looking at the App section I can see the various options available for Belkasoft. If a customer has already purchased Belkasoft independently, are there any discounts available when purchasing the App for EnCase?
Absolutely! The EnCase integration script is completely free, so you’ll be receiving a 100% discount. Of course, this would be a great opportunity for you to upgrade your edition of Evidence Center to a more powerful one. In general, this will cost you the difference in price between the edition you are upgrading to and the edition you are upgrading from.
If you are speaking about purchasing an additional license with discounts, please write us at firstname.lastname@example.org.
What is the difference between Belkasoft options and Skype-specific EnScripts?
There are indeed a number of great scripts for Skype investigation inside EnCase. However, our analysis is a great deal more comprehensive. We support Skype applications for all platforms including Windows, Linux, Mac OS X, Android and other mobile devices. We support all versions of Skype from v.2, not just the current v.5. Evidence Center can analyze chatsync folders. We offer carving of deleted Skype information, which is different from regular file carving (a detailed explanation was given when answering another question). Belkasoft can extract Skype data inside SQLite freelists and can visualize the main.db database in the built-in SQLite viewer. We can find Skype databases inside Live RAM dumps. The product extracts Skype data from the hibernation and page files, and from Volume Shadow Copies. And there are many more tricks to analyze Skype. At this time, I am not aware of any single EnScript that could do all of the above.
Is it necessary to have the suspect’s machine on for live memory analysis?
You only need the suspect’s computer on to obtain a memory dump. We recommend using Belkasoft Live RAM Capturer, which is free, works in 32-bit and 64-bit environments, and operates in kernel mode to bypass active anti-dumping protection systems.
After you have a memory dump, you can do live memory analysis on another machine and switch the suspect’s machine off.
Is it also compatible with EnCase 6?
Unfortunately not. We only support EnCase v.7.
Is there support for mobile phones?
Yes. Evidence Center provides extensive support for mobile backups, UFED dumps and binary chip-off images captured from iPhone, iPad, Android and BlackBerry mobile devices.
Please explain what the “Chip-off” mentioned in your presentation is, and how you can help with this kind of analysis.
Excellent question! Chip-off is one of the methods used to analyze mobile devices. As you know, imaging a mobile device becomes increasingly difficult as manufacturers actively resist acquisition attempts. Chip-off is used for certain models of devices where software-based and even hardware-based acquisition is extremely difficult. During chip-off analysis, experts physically extract flash memory chips from a device and obtain information from these chips directly by using special electronic hardware.
As a result, investigators receive a raw, binary dump of the device instead of a ready-to-analyze image. Belkasoft Evidence Center can mount such images and extract a whole lot of information including Internet chats, pictures, SQLite databases, contacts, SMSes and so on. Finally, this information can be imported into EnCase.
How long does the system preserve evidence in RAM before a dump is taken?
Volatile memory is just that: volatile. If the computer has plenty of RAM and there is no activity, the PC can keep evidence for a relatively long time (several hours if the PC is running, unlimited time if it’s sleeping or hibernated). However, if the system requires memory for other tasks, it can swap parts of the volatile memory into the page file, in which case we can analyze it there. Finally, if the user closes the application of interest, its memory set is released and gets erased fairly quickly, depending on the amount of available RAM and on user activity. Note that even when there is no user activity, Windows has a lot of business of its own to do, so it will eventually reclaim unused memory pages.
With these tools, can we carve deleted information from an SSD?
In a word, yes we can. Of course, the effects of TRIM and internal garbage collection may affect availability of deleted information, but under certain circumstances the recovery is possible.
SSD drives are a big topic. We’ll cover it in detail in a new article, which will be published soon (probably next week) and announced in this blog. You may subscribe to our blog to get notified when it is published.
If most of the data is in hiberfil.sys or pagefile.sys, is it possible to investigate shadow copies using Belkasoft?
Of course! Evidence Center looks in the VSS (Volume Shadow Copy Service) areas as well as in many other hidden places and system locations. VSS is just one of the many locations where we look for evidence.
You mentioned Jumplists. What is this and why is this important?
Belkasoft can analyze a great number of data types, including many system file types. Jumplists are system files that keep information on the use of applications and, particularly, on opened files. If, for example, a suspect uses Notepad to open a text file, Windows will instantly record that fact in a special system file (called a Jumplist). The newly created Jumplist will contain an amazing amount of information about this event: the file name with full path, open time, computer name, the name of the user currently logged into the system, file size in bytes, and even the time the computer was last booted and the computer’s current MAC address!
Now let’s say the suspect denies the use of a document named “my.doc”. If the document has been deleted with a so-called “eraser” or “secure wipe” application like CCleaner, there would be no trace in the system that the file ever existed. However, if this file was ever opened, Windows will still keep information about it in the corresponding Jumplist! It’s hard to believe, but on many systems we’ve seen Jumplists with dates going all the way back to the day the operating system was first installed on that computer!
Jumplists are also great when it comes to SSD drive analysis, allowing investigators to discover files that existed on the disk before TRIM and garbage collection wiped the deleted evidence.
How can we find that Jumplist? Is it somewhere in the registry files, and can it be indexed?
Jumplists are files stored under the user’s account, not in the registry. Normally, they are located under the %appdata% folder: the %appdata% variable gets replaced with a path that looks like c:\Users\user_name\AppData\Roaming\, so the full path to the Jumplists would be something like c:\Users\user_name\AppData\Roaming\microsoft\windows\recent\automaticdestinations\ (where user_name is the name of the Windows account being investigated).
What other types of evidence, like Jumplists, should one know about for forensic investigation?
Windows has many hidden and little-known places that keep remnants or traces of evidence, for example, the Thumbnail cache. If a suspect used secure erase to delete a certain picture and denies its existence, it doesn’t mean the end of the story for us. Instead, we’ll look into the Thumbnail cache.
Windows keeps thumbnail-sized copies of images stored on the computer in the thumbnail cache, and it keeps those thumbnails even after the original image has been deleted. This gives investigators a chance to find a small version of the picture of interest in the Windows thumbnails. Thumbnails are indirect but strong pieces of evidence. It’s worth mentioning that if Windows (or the suspect) deletes a thumbnail item, we can recover it with the file carving implemented in Evidence Center.
Another important source of evidence is the Windows Event Log. The Event Log stores information about system and user activities: it includes information on installing and removing applications, logs antivirus events, records changes to the time zone and to the computer’s time and date, and so on. Again, we have full support for this data source in Evidence Center.
Which social media applications are most popular for criminals? Why?
The most popular social media apps used by criminals are those popular with the general public, so it’s mostly Facebook in the Western world. In China we get a lot of QQ Messenger recovery requests. By the way, Evidence Center is the only forensic tool to support the latest versions of QQ Messenger, which are strongly encrypted. In Russia, the most popular social application is Vkontakte, with hundreds of millions of users. Social networks are very popular among criminals because it is hard to find any traces on a local computer, but Evidence Center solves this issue.
Facebook stores very little, if any, information on a hard drive. You say you support social networks and web-based chats. How?
That’s a great question. Indeed, social networks, Web-based chats, cloud applications and similar online services keep very little, if any, information on the local disk. All data is actually stored in the cloud. As a result, analyzing the disk or the file system will usually not yield meaningful results. However, we have other sources. By analyzing the computer’s memory dump, hibernation and page files, we can discover evidence stored in the computer’s volatile memory that does not normally end up on the hard drive as a history file. All online services inevitably make use of the computer’s Live memory. As a result, information may end up in a hibernation or pagefile, and so it’s recorded on the disk – even if not in a dedicated history file.
Evidence Center implements a sophisticated Live RAM Analysis algorithm that can pull data from all of these sources. We processed hundreds of different signatures that are specific to certain data types. Now we can reliably identify signatures that belong to all popular social networks and many cloud services and online applications. As a result, we can extract that data and import it from Evidence Center to EnCase.
Can you use EnCase to share evidence found with Belkasoft with other examiners? How?
Of course! Belkasoft Evidence Center collects data and imports it back to EnCase with a free script. From that point, all evidence is handled, processed and analyzed by EnCase. EnCase can be used for creating reports, displaying or exporting data and so on.
You said Evidence Center supports SQLite freelists. What is this? Why is this important for forensic investigation?
This is indeed an important question! SQLite is an extremely popular database format nowadays. About 90 percent of new applications use SQLite to keep their databases. This includes Skype and the vast majority of mobile apps. That’s why SQLite database analysis is important.
Now back to the original question. SQLite resembles a regular disk when it comes to deleting data. Similar to how Windows deletes files, SQLite does not erase deleted records immediately. If an SQLite database has the “autovacuum” option off, these records remain in the database until they are overwritten with new records. The area containing these deleted but not erased records is called the “freelist”. By analyzing freelists, one can recover deleted SQLite records, including cleared Skype chats or, say, WhatsApp conversations. However, you must use the right tool that specifically supports freelists, as none of that data is available when analyzing history files or even when carving the disk.
We recently had an absolutely fantastic case. We were investigating a Skype database with literally hundreds of deleted Skype records! At that time we didn’t have a freelist analysis function in Evidence Center, so we had to use a hex viewer and a complicated manual search, but this case proved that freelist extraction is a great feature. The data successfully recovered from the freelist helped our customer solve a really serious crime. Now we have automatic freelist support in Evidence Center, so you don’t have to spend much time in a hex viewer anymore.
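As an added example (my own code, not Belkasoft’s), the script below builds a constructed SQLite “chat” database with auto_vacuum off, deletes every row, and then walks the database freelist from the raw file header to carve the deleted record text that a normal SQL query no longer returns. The function names and the sample rows are mine; the header and trunk-page offsets come from the SQLite file format.

```python
import os, re, sqlite3, tempfile

def build_sample_db(path, rows=1000):
    """Constructed chat database: insert rows, commit, then delete them all."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # keep old bytes on freed pages (some builds default ON)
    con.execute("PRAGMA auto_vacuum = NONE")   # the 'autovacuum off' case described in the text
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [(f"DELETED-MSG-{i:04d} sample chat line for carving",) for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM messages")        # emptied B-tree pages are moved to the freelist
    con.commit()
    con.close()

def freelist_pages(raw):
    """Walk the freelist from the 100-byte header: page size at offset 16, first trunk
    page at 32, total freelist pages at 36. A trunk page holds: next trunk, leaf count, leaves."""
    page_size = int.from_bytes(raw[16:18], "big")
    page_size = 65536 if page_size == 1 else page_size   # 1 encodes the maximum page size
    trunk = int.from_bytes(raw[32:36], "big")
    total = int.from_bytes(raw[36:40], "big")
    pages = []
    while trunk:
        off = (trunk - 1) * page_size             # page numbers are 1-based
        pages.append(trunk)
        next_trunk = int.from_bytes(raw[off:off + 4], "big")
        n_leaf = int.from_bytes(raw[off + 4:off + 8], "big")
        for i in range(n_leaf):
            pages.append(int.from_bytes(raw[off + 8 + 4 * i:off + 12 + 4 * i], "big"))
        trunk = next_trunk
    return page_size, total, pages

def carve_freelist_strings(path, min_len=8):
    """Return (freelist page count from the header, printable strings found on those pages)."""
    with open(path, "rb") as f: raw = f.read()
    page_size, total, pages = freelist_pages(raw)
    found = []
    for pg in pages:
        page = raw[(pg - 1) * page_size:pg * page_size]
        found.extend(m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, page))
    return total, found

def demo():
    path = os.path.join(tempfile.mkdtemp(), "chat.db")
    build_sample_db(path)
    live = sqlite3.connect(path).execute("SELECT count(*) FROM messages").fetchone()[0]
    total, found = carve_freelist_strings(path)
    return live, total, [s for s in found if "DELETED-MSG-" in s]
```

Records deleted from a page that is still in use stay in that page’s freeblocks rather than on the database freelist, so a complete recovery tool scans both; this example covers only the freelist the answer describes.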
What is a video keyframe and how can you help with video analysis?
Video analysis is extremely time-consuming. Sometimes investigators need to analyze hundreds of videos, each several hours long. That would take several months of full-time work just watching those videos.
Evidence Center can process video files, extracting so-called keyframes. A keyframe is a frame which significantly differs from the previous keyframe. Thus, if you only look through the keyframes, you don’t lose any significant information. This is a huge time saver! By using keyframes, you can simply review a still image gallery instead of watching the full video. As you can glance at 20 to 30 images at a time, it will literally take a few minutes to check whether a particular video contains illegal content or important evidence.
If that’s not enough, Evidence Center can automatically detect pornography, faces and scanned texts embedded in photos or video keyframes. This, in particular, helps you quickly identify videos with people.
What is “forgery detection” and how does it work?
Photo Forgery Detection is a great and unique function of our product which, to the best of my knowledge, no competitor on the forensic market has. We can reliably detect a photo that has been altered after leaving the digital camera. By altering we mean any alteration in a graphical editor such as cropping, adjusting brightness and contrast, cloning and so on. Besides, alteration includes changing the EXIF metadata.
Forgery detection is based on comprehensive scientific research. This is not just about EXIF analysis and searching for a graphical editor signature there. Evidence Center analyzes quantization tables, detects cloning, performs photo quality checks and matches the result against the quality expected from a particular camera. The product does various statistical and mathematical checks and, finally, applies knowledge of the specifics of more than 3000 different cameras, which we gathered by working with all these cameras in our lab. All this helps us identify EXIF forgery, where the EXIF says that the photo was taken by a certain camera, but the digital footprint matches a different camera.