Forensic Blogs

An aggregator for digital forensics blogs

by

Data Recovery – Blog 1

The Science of Data Recovery

Do you think your deleted data is truly gone? Every day, people around the world share, save, or move critically important data, like credit card numbers, medical checks, and passwords. It wouldn’t be unreasonable to think that the delete function erases files forever, but the truth is that those files could still exist.

In an age where computing power doubles every two years, we replace hardware quickly. The data from old devices doesn’t disappear from storage, even if we delete it. Criminals could use the photos, files, and even names of the previous owners left on these devices to exploit someone’s funds or position of trust. Our goal at the LCDI this semester is to see if we can find personally identifiable information left behind on old hard drives that were “wiped” using free and available programs. 

What is Personally Identifiable Information?

A good place to start when talking about this subject is the basics: What is PII? Personally Identifiable Information is data that could allow others to identify you. This information is critical, as often even small pieces of data fall into the wrong hands. The data allows people to impersonate you or gain access to your identity. Social Security numbers, credit card numbers, and a driver’s license are all common examples. This even extends to smaller pieces of data, like birth location, place of work, and your username on social media.

Though this information may seem random, password recovery for websites uses this information. They can obtain the data in many ways. Websites asking for your information is the most common, but phone calls or lost wallets have long been exploited. Digital data is akin to a wallet, full of personal information and liable to theft. With online shopping being the zeitgeist of the consumer world, this has never been more of a concern than now.

How is data deleted?

We started our project by researching what’s established, including ways people previously deleted data and how it’s done now. There are no universal data deletion instructions or laws for non-government officials to follow, but rather a list of previous and current methods. We looked at government bureaus for practical data deletion standards. The National Institute of Standards and Technology’s SP 800-88 Media Erasure Guideline and the Department of Defense 5220.22-M ECE are two such examples. The documents differ on acceptable and appropriate methods for different levels of data security. The DoD standard states that the only way to destroy data forever is to destroy the device itself. The NIST protocol states only one digital wipe is necessary for data destruction.

Digital wiping or a “wipe” is the nonphysical option. This is the replacement of all data with a few of patterns, like random zeros and ones, or multiple replacements of random integers from zero to nine. The number of times this process occurs changes, but traditionally, it’s been between one and seven times. The reason behind the variation is the security of the information and the risk of recovery. The importance of the data could be trivial, like a grocery list from 5 years ago. On the other hand, it could be as severe as losing the PII of a secret agent in the field.

The digital wipe is less expensive, but also less secure due to the possibility of remaining data.  This is possible no matter how many wipes have occurred. Physically destroying a hard drive can be favorable because it prohibits the device from any future use, but it’s more expensive to replace the lost device.

Benefits of Physical Destruction

There are multiple ways to physically destroy a hard drive, but the goal is to damage or destroy the platter. The platter is a small metal disk in all hard drives where it writes and reads the data. The simplest and most available way is to destroy the hard drive physically, by hitting it with a hammer or large object. Another method is the magnetic degaussing. The process takes the iron oxide within the platter, a necessity for storing data, and uses it to remove the magnetic readings written on it.

The physical effects depend on the intensity of the magnetic field. Oersteds measure the amount of energy in the magnetic field, and the higher the oersteds, the more capable degaussing is at destroying data. However, not all magnetic marks can be easily removed. Hard drives’ resistance to the magnetic field is called coercivity, and the more intense the coercivity, the more oersteds needed to degauss. Shredding the hard drive or incinerating it are also viable methods. Machines capable of these methods are more suited for large scale businesses due to the high cost, but companies do provide these services.

Conclusion

Nothing’s scarier than discovering a lost wallet. That feeling is the reason our mission is so critical in our society. We integrate technology into work, recreation, and security, as well as our money and data. The point of our research is to identify if PII data is still left on hard drives after “wiping”.  Next week, we plan on investigating data recovery freeware and delivering our verdict on what it means for data disposal. 

 

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!

The post Data Recovery – Blog 1 appeared first on The Leahy Center for Digital Investigation.

by

Elcomsoft Tool Evaluation Blog 1

Welcome to Our Blog

Welcome to the blog of the Elcomsoft Tool Evaluation Team! This semester, the LCDI has the honor of exploring and investigating the different tools Elcomsoft has to offer. Established in 1990, Elcomsoft is headquartered in Moscow, Russia and they focus on creating forensic toolkits for law enforcement, businesses, and individual users alike. These tools are vital in retrieving the contents of damaged or misplaced files. Elcomsoft’s tools are always under development so they stay up to date with modern technology.

The tools our team get to work with are all part of the Password Recovery Bundle. This comes with twenty-eight different tools which we’ll test over the course of the semester. These tools can recover passwords from programs ranging from Microsoft Office all the way to Facebook and Blackberrys. In other words, the main focus of the computer security programs are on password and system recovery software. The company offers a range of mobile and computer forensics tools, corporate security solutions, and tools for IT security audits.

Why Evaluate Elcomsoft?

Above all, we at the LCDI pride ourselves on creating credible evaluations and educational resources surrounding digital investigations. Our hope for this project is to provide an accurate and definitive assessment for the Elcomsoft tools we test that anyone can use. In terms of the field of digital forensics, it’s important investigators fully understand the capabilities and limitations of the tools they use. For instance, it can be difficult to look through a bunch of information and not know what’s important to look at. Knowing how effective a tool can be makes it easier for the user to implement said tool for practical use. This project will help to show if the tool can be user friendly depending on the level of knowledge someone may have.

Our Evaluation Process

Office tools we will be looking at: Advanced Lotus Password Recovery, Advanced Office Password Breaker, Advanced Office Password Recovery, Advanced WordPerfect Office Password

Phone tools we will be looking at: Elcomsoft Phone Breaker, Phone Viewer, Password Digger, eXplorer for WhatsApp

So far, our team has spent two weeks researching the different tools we have access to. Each tool has benefits and features that make it unique. Fortunately for us, we were able to find videos on the Elcomsoft website that show how the tools operate. With all this information, our team can start testing and evaluating the tools.

In order to stay organized, we created a spreadsheet with all the tools listed and split them up into categories. This will make it easier for each of us to work on specific tools. Before we start evaluating, there will be a list of what the tool should be able to do. Once testing is completed, we’ll write an evaluation of how well the device performed the tasks and it’s user-friendliness. After that, we’ll give scores based on the above specified criteria on a scale of 1-10 (10 being the most functional/user friendly and 1 being the least functional/user friendly). Readers can see our evaluations and decide for themselves if they should search for other options.

Conclusion

Ultimately, our goal is to examine tools from Elcomsoft, a renowned software company specializing in utility applications for businesses and users as well as Windows productivity. We’ll test the tools and score them based on two criteria: functionality and user-friendliness. We’ll test a couple of tools and report on them in our next blog. This will include our scores and evaluations for the tools we’ve tested as well as any updates. We are eager to get started on this process and  produce comprehensive results for the LCDI and Elcomsoft. Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!

The post Elcomsoft Tool Evaluation Blog 1 appeared first on The Leahy Center for Digital Investigation.

by

Wearable Forensics Team 1

Smart Watches Can Solve Crimes

This semester, The Senator Patrick Leahy Center for Digital Investigation at Champlain College (LCDI) is continuing research from the spring of 2016 about wearable technology and the impact devices like the Apple Watch and Fitbit have on forensic investigations. The team hopes to create a guide law enforcement and forensic analysts can use to find information that could aid a criminal investigation. This could include data on the user’s location, movement, heart rate, and more.

Why Wearables?

These devices have exploded in popularity in recent years, with over 102 million wearable smart devices sold in 2016. As a result, forensic investigators and law enforcement have used data from these devices, especially Fitbit, to aid investigations and prosecute criminals in homicide cases.

Despite these successes, there is still little information available on how to pull information from the wearable devices themselves. Most often, investigations utilize data pulled from the paired phones or the account information stored in the cloud. The research team at the LCDI hopes to directly image the devices and see what information is available. This would provide a standard for cases where the phone isn’t available or information can’t be released by the company.

However, if the team is unable to pull information directly from the wearable devices, they will continue the research from the 2016 wearables team and investigate data available on the paired phones and information stored by the company in the cloud. These devices and accounts include various different databases with valuable information that can aid in criminal investigations.

Four Devices to Test

The team will work with four smart watches with fitness capabilities: the Samsung Galaxy Watch, the Fitbit Versa, the Garmin Fenix 5, and the Apple Watch Series 4.  These four devices are the top smartwatches currently available. This week, the team began with datagen for the Galaxy Watch and the Fitbit Versa. This included testing the movement and heart rate sensors, GPS, and third party applications. Beyond testing each device as a smart watch, a team member took the first two devices home for a night. Check back on the team’s next blog post to see what artifacts they were able to find!

The post Wearable Forensics Team 1 appeared first on The Leahy Center for Digital Investigation.