INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION

INCIDENT RESPONSE, PRESERVATION AND COLLECTION

OVERVIEW OF INCIDENT RESPONSE

Most secure database is the one you know the most. Tamper detection compares the past and
present status of the system and produces digital evidence for forensic analysis. The focus is
on different methods or identification of different locations in an oracle database for collecting
the digital evidence for database tamper detection. Starting with the basics of oracle
architecture, continuing with the basic steps of forensic analysis, it elaborates the extraction of
suspicious locations in oracle. As a forensic examiner, collecting digital evidence in a database
is a key factor. Planned and a modelled way of examination will lead to a valid detection.

Database Forensics is a branch of digital forensic science relating to the forensic study of
databases and their related metadata. For the forensic examination of a database, it has to be
related to the timestamps that apply to the update time of a row in a relational table being
inspected and tested for validity in order to verify the actions of a database user. Alternatively,
a forensic examination may focus on identifying transactions within a database system or
application that indicate evidence of wrong doing, such as fraud. Hence forth identifying who,
when and how modified or tampered the data.

Systematic procedure is imperative in any cybercrime investigation. According to Clarke (2010),

in the UK, examiners adhere with the Association of Chief of Police Officers (ACPO) guidelines.
These comprise of four principles:

1. No action must be taken that will change data held on a digital device that could later
be relied on as evidence in Court.
2. If it’s necessary to access original data held on a digital device, you must be both
competent to do so and able to explain your actions, as well as explain the impact of
them on any digital evidence used in a Court.
3. A trail or record of all the actions taken and applied to the digital evidence must be
created and kept safely and securely. If an independent third party forensic expert
examines the processes they should be able to come to the exact same conclusion.
4. The person in charge of the investigation has the overall responsibility of making sure
these principles are followed.

LIVE DATA COLLECTION OR LIVE RESPONSE

For all purposes, proper collection is important, most especially during incident response. The
main purposes of the collection are to preserve volatile evidence that will further the
investigation.

Live Responses, also called LRs is commonly performed during an intrusion investigation.
However, it may be prudent to do so during other types of investigations. There five important

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

68
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
factors to consider when deciding I a live response is appropriate in your current situation
(Luttgens, 2014):

1. Is there reason to believe volatile data contains information critical to the

investigation that is not present elsewhere?
2. Can the live response be run in an ideal manner, minimizing changes to the
target system?
3. Is the number of affected systems large, making it infeasible to perform forensic
duplications on all of them?
4. Is there risk that forensic duplications will take an excessive amount of time or
potentially fail?
5. Are there legal or other considerations that make it wise to preserve a much as
data as possible?

Digital Investigative Analysis

1. Acquisition- it involves the process of evidence retrieval in computer forensic

investigations from the search for the evidence to its collection and documentation.
2. Identification- an investigator explains and documents the origin of the evidence and its
significance. This phase determines the context in which the evidence was found. It
looks at both the physical environment and the logical context of the location of
electronic evidence.
3. Evaluation- the data retrieved are analyzed to establish their significance and relevance
to the case at hand.
4. Presentation- it involves reporting data pertinent to the case. The evaluation of
evidence by outside parties may be expected in this stage so the computer forensic
investigators must be prepared to testify in court.
Moreover, digital forensic investigator must carefully choose the forensic tool to be used in
the digital examination. It must be able to perform various tasks depending on the need of the
case. As stated by Luttgens (2014), the live response tool you choose should be capable of
collecting the following common live response data from a system:

1. The system time and date, including the time zone

2. Operating system version information
3. General system information, such as memory capacity, hard drives, and mounted file
systems
4. List of services and programs configured to automatically start on boot-up, such as web
servers, databases, multimedia applications, and e-mail programs
5. List of tasks scheduled to automatically run at given times or intervals

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

69
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
INCIDENT RESPONSE

Digital forensic analysis of forensic image may contain millions of information. It is therefore
crucial that the identification and collection of the digital evidence be done in a very systematic
manner to ensure the admissibility of the digital evidence. As stated by Luttgents (2014),
incident response is a coordinated and structured approach to go from incident detection to
resolution. Likewise, according to Rouse (2005), incident response is an organized approach to
addressing and managing the aftermath of a security breach or cyberattack wherein the goal is
to handle the situation in a way that limits damage and reduces recovery time and costs. In the
investigation of cybercrime, initial incident response is necessary so that law enforcemerg
officers can intelligently react when they encountered power-on devices and/ or computers at
the search scene.

According to Carrol (2018), responding to an incident or conducting a search involving

computer systems is a dynamic environment requiring numerous considerations based on the
state of computer systems when investigative personnel arrive. However, the law
enforcement officers must see to it that they have the right to either search or seize the
evidence in question

(Solomon, Rudolph, Tittel, Broom & Barrett, 2011). They emphasized that the law enforcers
should never assume that they have the consent to search or seize compute equipment. It is a
standard operating procedure to ensure compliance with all policies and laws when
conducting an investigation.

It has been emphasized throughout this book that digital evidence on computers and other
electronic devices can be easily altered, deleted, or destroyed. First responders should
document, photograph, and secure digital evidence as soon as possible at the scene.
According to Marras (2015), when securing and evaluating the scene, the first responder
should check whether the computer is powered off or powered on.

Powered Off Devices:

a. Follow departmental policy for securing crime scenes.

b. b. Immediately secure all electronic devices, including personal or portable devices.

c. Ensure that no unauthorized person has access to any electronic devices at the search/crime
scene.

d. Refuse offers of help or technical assistance from any unauthorized persons.

e. Remove all persons from the search/crime scene or the immediate area from which evidence
is to be collected

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

70
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
f. Ensure that the condition of any electronic device is not altered.

g. Leave a computer or electronic device off if it is already turned off. Components such as
keyboard, mouse, removable storage media, and other items may hold latent evidence such as
fingerprints, DNA, or other physical evidence that should be preserved (Kavrestad, 2018).

Furthermore, when gathering evidence from powered-off system (Cyber Crime Investigation
Manual, 2011), the first responders must secure and take control of the scene both physically
and electronically. Physically means sending away all persons from the scene and electronically
means, disabling the modems and network connection. However, the first responders must
make it sure that the computer is switched-off because some screen savers may give the
appearance that the computer is switched off, but the hard drive and monitor activity lights
may indicate that the machine is switched on. This can be done by moving the mouse or
pressing the "Alt" or "Ctrl" key on the keyboard. Likewise, they must be aware that some
laptop computers may power on by opening the lid; it is necessary to remove the battery from
the laptop computers. According to Kavrestad (2018), the following are suggested when the
computer is powered-off or switched off:

a. Label and photograph or video all the components undisturbed or untouched and if no
camera is available, draw a sketch plan of the system.
b. Unplug the power and other devices from sockets; never switch on the computer in any
circumstances.
c. Label the ports (in and out) and cables so that the computer may be reconstructed at a
later date, if necessary.
d. Carefully open the side casing of the CPU or laptop and identify the hard disk; detach the
hard disk from the mother board by disconnecting the data transfer cable and power cable.
(note: this may not be possible in come laptops & tablet devices)
e. Take out the storage device (hard disk) carefully and record unique identifiers like make,
model and serial number. If the entire CPU is seized, also note down any unique identifier.
f. Get the signature of the accused or/and witness on hard disk by using permanent marker.
Ensure that all items are signed and completed exhibit labels.

Powered on Devices

First responders should take the appropriate steps to ensure that physical evidence is not
compromised during documentation. They must secure the area containing electronic and
digital evidence; never allow people near the computer and power supply. If a computer is on
or the power state cannot be determined, the first responder should (Kavrestad, 2018):

a. Look and listen for indications that the computer is powered on. Listen for the sound of
fans running, drives spinning, or check to see if light emitting diodes (LEDs) are on.

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

71
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
b. Check the display screen for signs that digital evidence is being destroyed. Words to look
out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe.
c. Look for indications that the computer is being accessed from a remote computer or
device.
d. Look for signs of active or ongoing communications with other computers or users such
as instant messaging windows or chat rooms.
e. Take note of all cameras or Web cameras (Web cams) and determine if they are active.
Developments in technology and the convergence of communications capabilities have
linked even the most conventional devices and services to each other, to computers, and
to the Internet. This rapidly changing environment makes it essential for the first
responder to be aware of the potential digital evidence in telephones, digital video
recorders, other household appliances, and motor vehicles.

Four Basic Incident Response Steps

With the increased likelihood of encountering encryption, prosecutors and agents should
familiarize themselves with the four basic recommended steps for responding to a computer
that is powered on with a user logged in.

First, isolate and preserve the state of the computer as it is when law enforcement first
encounters it. Do a visual assessment to determine if there is anything that requires immediate
action. For example, consider disconnecting the system from the network. If the responder
detects excessive hard drive activity suggesting the drive is being wiped, consider terminating
the wiping program if possible, or removing power from the computer to prevent further
damage (Carrol, 2017).

Second, preserve volatile data by imaging RAM. There are many simple ways this can be
accomplished but all require the introduction of incident response software. Incident response
software is typically introduced to the target computer by inserting external storage media
such as a USB drive. Some incident responders have expressed concern that the introduction
of anything to the target computer changes evidence and may render the computer
inadmissible. While that is always a theoretical risk, the risk is quite small, and it is usually a
greater risk not to image RAM (Carrol, 2017).

As an initial matter, the "changes" to the computer caused by imaging RAM are minimal,
contained, and usually identifiable. These changes are especially de minimus, when one
recognizes that any computer which is powered on is always in a fluid state of motion and
changes are taking place regardless what actions are taken by the examiner. Thus, the risk
created by imaging RAM is quite minimal. The incident responder can further minimize the risk
by using a sanitized storage device to introduce the incident response software and by

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

72
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
carefully documenting any actions they take on a live computer system for later reference
(Carrol, 2017).

Furthermore, Carrol (2017) stated that the risk created by not imaging RAM is often much
more significant. The average computer sold between 2015-2016 came with a minimum of six
gigabytes of RAM. Six gigabytes of text are roughly equivalent to a stack of paper 6,000 feet
high. An aggressive defense counsel may argue that, by removing power from the computer
without preserving RAM, your agent just destroyed the equivalent to a 6,000 foot stack of
information (most of which was surely exculpatory).

Third, once RAM has been preserved, check for signs of encryption. The two most common
encryption detection tools are "Encrypted Disk Detector (EDD) by Magnet Forensics or
"Crypthunter" by the Software Engineering Institute at Carnegie Mellon University. When
executed, both tools will report the presence of a number of different volume and disk-based
encryption programs.

Finally, create a forensic image. If there are no indications of encryption and RAM has been
successfully imaged, power should be removed from the system to abruptly stop all
operations. Removing power prevents any maintenance or counter forensic programs from
running and causing changes to the system during the standard shutdown process. A "write
block (preferably a "hardware write block") should be applied to the hard drive before any
further actions are taken to prevent the imaging process from writing any information to the
drive being imaged, or otherwise changing the data being investigated.

Did you know?

A forensic copy is a copy created in blocks where every byte is copied in the block, including unallocated
bytes. This is like the way a forensic image is created, but a forensic copy is created on another drive the
same size or larger than the original rather than by creating an image file (Arnes. 2018).
Steps in Incident Response and Imaging

The value of the digital evidence present at the search scene will depend on how it was
protected. The investigating officer must be familiar in how to vital volatile computer data
since once lost, it cannot be retrieved. As suggested by Carrol (2017) the United States
Department of Justice Computer Crimes and Intellectual Property (CCIPS) developed the best
way to preserve digital information and devices by following the 3 steps in incident response,
namely:

1. Image RAM
2. Check for Encryption
3.Image Hard drive

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

73
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
Step 1: Imaging the RAM

As the first step in incident response, preserving the RAM have many advantages for the
digital investigators. The RAM at a minimum of a Windows 10 OS would be at least 4GB to run
properly. This 4 GB of data is to many to disregard. As emphasized by Carroll (2017), for years,
law enforcement has debated the value of imaging RAM when they encounter a powered- on
computer with an active user account logged in. RAM is the place in a computing device where
the operating system, applications and data in use are kept so they can be quickly reached by
the device's processor. RAM is much faster than other kinds of storage. Data remains in RAM
as long as the computer is running. When the computer is turned off, information in RAM
rapidly dissipates and is lost. He mentioned that in 2016, the majority of law enforcement
officers more often selected to pull the power plug from the computer rather than image the
RAM.

A computer system according to Clarke (2010), fundamentally has two sources of data that are
of interest to a forensic examiner: volatile and non-volatile memory. Volatile memory primarily
relates to the main RAM of a computer, but also includes cache memory and even register
memory. Forensic investigations typically focus upon the main memory, as this has a
significantly larger capacity than the other two, with systems 2-4 gigabytes (GBS) of data.

RAM is very important in digital investigation as it contains gigabyte of information. To

emphasize the importance of RAM in digital forensic analysis Oettinger (2020), stated that
RAM is the kitchen table of the computer system. Any action the user/system takes within the
system will access the RAM. Every mouse clicks and every keyboard button that's pushed will
be processed through the RAM, and you can recover entire files, passwords, and the text that
was placed into the clipboard. All of these are potential sources of digital evidence.
Sometimes, you can recover the encryption keys for closed encrypted containers that have
been created by the user.

One of the biggest mistakes to commit in digital forensic analysis is to underestimate the
digital information in RAM. As argued by Caroll (2017) many agents still prefer not to acquire
RAM because they believe that RAM is unlikely to contain relevant evidence. He mentioned
that there are times agents base this belief on the specific nature of the investigation (e.g,
white collar crime) or the latency of the crime under investigation. With the advent of
technology, Caroll stressed that the most appropriate practice today is to image RAM where
practicable. With his experience as digital forensic analyst, he gave the following reasons why
it is important to image the RAM at the crime scene:

a. An aggressive defense counsel may argue that RAM might have contained exculpatory
evidence and its intentional destruction amounts to a knowing Brady violation (Brady vs
Maryland, 1963).

b. There is increased possibility the hard drive of the computer to be searched will be
encrypted.
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

74
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
Undeniably, the first responders must decide whether to image RAM Carrol (2017) emphasize
one of the effective way to image RAM is USB drive that contains live response tool.
Accordingly, the first responder must remember that the RAM should never be saved on the
suspect's computer Hence, there is a need to use a USB drive with a big storage capacity with
live incident response tools to be plug-in to the suspect's computer.

The contents of RAM may include artifacts of what is or has occurred ; on the system. This can
include but not limited to the following (Carrol, 2017)

1. Configuration information
2. Typed commands
3.Passwords
4. Encryption keys
5.Unencrypted data
6. IP addresses
7.Internet history
8. Chat conversations
9. Emails
10. Malware
In an investigation perspective, RAM can store valuable evidence about a crime, but it is
difficult to capture. Copying and analyzing RAM is known as live memory forensics, which we
will discuss later in this chapter. RAM has space limitations, so to increase RAM capacity and
optimize performance, computers also have "virtual RAM", which acts like RAM, except the
data is stored temporarily in the computer's persistent (long-term) memory. Data that might
traditionally be stored in volatile RAM may also be written temporarily to the computer's
persistent storage to make more room available in the RAM, or when the computer is set to
"sleep" or "hibernate. The existence of virtual RAM, or swap-space, means some RAM data
might be recoverable through digital forensics of a computer's persistent storage (Bandler and
Merzon, 2020).

To image the RAM, the first responders may use any of the following forensic tools:

1. Access Data Forensic Tool Kit (FTK) Imager - FTK is intended to be a complete computer
forensics solution. It gives investigators an aggregation of the most common forensic tools in
one place. Whether you are trying to crack a password, analyze emails, or look for specific
characters in files, FTK has got you covered. And, to sweeten the pot further, it comes with an
intuitive GUI to boot.

2. DumpIt - DumpIt is a free tool written by Matthieu Suiche from MoonSols. Dumpit support
both 64-bit and 32-bit Windows operating systems (Ullrich, 2013).

Dumplt utility is used to generate a physical memory dump of Windows machines. The raw
memory dump is generated in the current directory; only a confirmation question is prompted

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

75
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
before starting. Perfect for deploying the executable on USB keys, for quick incident
responses needs (Jain, 2016).

3. Magnet RAM Capture - is a free imaging tool designed to capture the physical memory of a
suspect's computer, allowing investigators to recover and analyze valuable artifacts that are
often only found in memory (Magnet Forensics, Inc, 2019).

For purposes of training, particularly the students, the FTK Imager is more advisable to be
utilized because it is simple but a concise tool. It saves an image of a hard disk in one file or in
segments that may be later reconstructed It calculates MD5 hash values and confirms the
integrity of the data before closing the files. This is a computer forensic software product
made by AccessData for forensic investigations that is capable of both acquiring and analyzing
computer forensic evidence (De Alwis, 2018). Accordingly, the evidence FTK Imager can
acquire can be split into two main parts, such as:

1. Acquiring volatile memory

2. Acquiring non-volatile memory (Hard disk)

There are two possible ways this tool can be used in forensics image acquisitions:

1. Using FTK Imager portable version in a USB pen drive or HDD and opening it directly from
the evidence machine. This option is most frequently used in live data acquisition where the
evidence PC/laptop is switched on.

2. Installing FTK Imager on the investigator's laptop. In this case the source disk should be
mounted into the investigator's laptop via write blocker. The write blocker prevents data
being modified in the evidence source disk while providing read-only access to the
investigator's laptop. This helps to maintain the integrity of the source disk.

Capturing an Image with AccessData FTK Imager

According to Nelson (2019), FTK Imager is a Windows data acquisition program that's included
with a licensed copy of AccessData Forensic Toolkit. FTK Imager, like most Windows data
acquisition tools, requires using a device such as a USB or parallel port dongle for licensing.
However, a version of FTK Imager has been provided on this book's DVD for you to use for
activities and projects.

Nelson further stated that FTK Imager is designed for viewing evidence disks and disk-to-image
files created from other proprietary formats. FTK Imager can read AccessData .e01, Expert
Witness (EnCase) e01, SafeBack (up to version 2.0), SMART .s01, and raw format files. In
addition to disk media, FTK Imager can read CD and DVD file systems. This program provides a

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

76
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
view of a disk par- tition or an image file as though it is a mounted partition, with additional
panes showing the contents of the selected file.

FTK Imager can make disk-to-image copies of evidence drives and enables you to acquire an
evidence drive from a logical partition level or a physical drive level. You can also define the
size of each disk-to-image file volume, allowing you to segment the image into one or many
split volumes. For example, you can specify 650 MB volume segments if you plan to store
volumes on 650 MB CD-Rs or 2.0 GB volume segments so that you can record volumes on DVD-
/+Rs. Because FTK Imager is designed to run in Windows, the evidence drive from which you're
acquiring data must have a hardware write- blocking device or the USB write-protection
Registry feature enabled between your workstation and the evidence drive (Nelson, 2019).

Step 2: Checking for Encryption

According to Technopedia (n.d.), encryption is the process of using an algorithm to transform

information to make it unreadable for unauthorized users. This cryptographic method protects
sensitive data such as credit card numbers by encoding and transforming information into
unreadable cipher text. In short, file encryption is a process that occurs on chosen files in order
to preserve, protect the importance, secrecy and confidentiality of a file

Once the RAM is already preserved (Carroll, 2018), the first responder must proceed to the
next critical step during incident response before shutting off the computer. This is to check
for possible encryption, which may be in the form of whole disk, volume, or folder level. This is
very important because if it is encrypted and once the computer has been shut down, it can no
longer be opened without decryption key.

According to Carroll (2017), investigative agencies are already beginning to see an increased
use of "BitLocker" whole disk encryption. He further stressed that whole disk encryption is still
not the default on every Windows computer, however, in later versions of the Windows
operating system it is becoming more common, and in some instances, it is automatically done
without the user knowing. This feature is currently dependent on the computer meeting
specific hardware configurations. These conditions must be met for Microsoft to encrypt the
operating system drive:

a. the device meets Connected Standby or Modern Standby hardware

specifications:
b. the device features a non-removable (soldered) low powered dynamic random
access memory-DRAM (this protects against the rarely used cold-boot technique
where RAM is removed and placed in a separate reader device and imaged
without allowing the computer to be powered down);
c. the device has a Trusted Platform Module (TPM) 2.0 chip at least one account
with administrative privileges logs in with Microsoft Live ID Account credentials

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

77
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
(this has become the default starting with Windows 8, as opposed to using a
local Windows account).

Accordingly, while this may sound like a lot of very specific requirements, It is worth noting
that every Windows Surface and Surface Pro computer meets all these requirements and is
encrypted by default. And even if a computer does not initially meet all the requirements (e.g,
it has no solid-state drive or an account with administrative privileges using Microsoft Live ID
account credentials is used), the moment the device meets all the prerequisites, Windows will
begin silently encrypting the boot partition in the background without notice to the user.

It is important for prosecutors to be aware that because BitLocker Device Encryption encrypts
Windows devices without user awareness, it also currently automatically stores a 48-character
recovery key in the users Microsoft OneDrive account by default. Prosecutors may be able to
serve legal process upon Microsoft to obtain the BitLocker Recovery Key from the user's
Microsoft OneDrive account. CCIPS recommends that prosecutors use a search warrant to
obtain the recovery key in most instances. If you find that any of your personal computers
have been automatically encrypted, you can see all your BitLocker recovery keys by logging
into your OneDrive account and going to https://onedrive.live.com/recoverykey.

To check for encryption, EDD (Encrypted Disk Detector by Magnet Forensics) can be used by
the forensic digital investigation to determine whether the hard drive is encrypted or not
(Figure 37). There is always the possibility of encountering encryption, hence, the prosecutors
and agents should be familiar with the following recommended steps of Carroll (2017) in
responding to a powered-on computer with a user logged in

1. Isolate and preserve the state of the computer as it is when law enforcers first encounter it.
Conduct visual assessment to determine if anything requires action. Like for example, consider
disconnecting the system from the network However, if the responder detects excessive hard
drive activity that suggest that the drive is being wiped, consider terminating the wiping
program if possible or removing the power from the computer to prevent further damage.

2. Preserve volatile data by imaging the RAM following the procedures presented in the
subsequent pages.

3. Once the RAM has been preserved, check for the sign of encryption using Encrypted Disk
Detector (EDD).

4. Create a forensic image. If there are no indications of encryptions and RAM has been
successfully imaged, the power should be removed from the system to abruptly stop all
operations. Removing power prevents any maintenance or counter forensic programs from
running and causing changes to the system during the standard shutdown process. A "write
block" (preferably a hardware write block) should be applied to the hard drive before any

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

78
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
further actions are taken to prevent the imaging process from writing any information to the
drive being imaged or otherwise changing the data being investigated.

Step 3. Imaging the Hard Drive

If encrypted, consider creating a Live Logical Image, however, creating an image of a drive can
take a long time. On average it takes approximately one hour to image 80 gigabytes. But it
should be noted that there are several factors that can increase the average amount of time to
image. A triage image contains digital artifacts that can be quickly imaged and analyzed to
identify logical investigative leads while the lengthy process of a full image is being conducted.

Hast Values: Verification Standard of Forensic Image

Verification is the final step in the preservation process of digital evidence. For evidence to be
admissible, there must be a method to verify that the evidence presented is exactly the same
as the original collected. Verification is accomplished by using a mathematical algorithm that
calculates a number based on the contents of the evidence.

1. Message Digest 5 (MD5) - hashing algorithm is a one- way cryptographic function that
accepts a message of any length as input and returns as output a fixed- length digest value to
be used for authenticating the original message (Rouse, 2017).

According to Carrol (2014) MD5 was the fifth revision of a message digest algorithm developed
by Professor Ronald Rivest of RSA Laboratories. The algorithm takes as input a message of
arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the
input. It is conjectured that it is computationally infeasible to produce two messages having
the same message digest, or to produce any message having a given prespecified target
message digest. The MD5 algorithm is intended for digital signature applications, where a large
file must be "compressed" in a secure manner before being encrypted with a private (secret)
key under a public-key cryptosystem like the RSA (Rivest-Shamir-Adleman)

2. Secure Hash Algorithm 1 (SHA1) this is a family of cryptographic functions designed to keep
data secured by producing a checksum before the file has been transmitted, and then again
once it reached its destination. In forensic imaging it ensures that data will not be altered.
(Landman, et. al., 2020)

In cybercrime investigation, hashing is important step to ensure authenticity of the forensic

image. Since digital information are stored on the storage device like a thumb drive, it can be
easily altered or replaced by another disk image. To ensure that the disk image created at the
search scene is authentic, disk imaging software like FTK imager creates a hash value after
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

79
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
imaging a disk. For example, a document with a content "Dennis S. Lagumen and Henedina A.
Lagumen" when hashed would produce the hash value of (Figure 57):

Verification of forensic image is called creating a "hash value" Forensic duplication tools
automatically create a "verification" hash for the original and the copy during the duplication
process. If these hash values do not match there is an opening for a challenge to the
authenticity of the evidence as compared to the original (Daniel and Daniel, 2012).

As emphasized by Carroll and Krotoski (2014), a hash value is a unique result representing a
specific data set (for example, a particular file, record, or hard drive). The result, which is
generated by an algorithm, is a distinct fixed length alphanumeric string, using a combination
of letters and numbers. In addition, Carroll (2015), stressed that such an algorithm result is
sometimes referred to as a checksum (Figure 58).

According to Kavrasted (2018), when a forensic image is created, cryptographic checksums are
generated for two reasons:

1. when the image is taken from a drive that is offline (static) and preserved, the hash is used
to verify and demonstrate that the forensic image is a true and accurate representation of the
original.

2. the hash is used to detect if the data was modified since the point of time at which the
image was created. When you're working with static images, the hashes serve both purposes.
If, however, the image was created from a live system or created to contain a logical file copy,
or if the original was not retained for a legitimate reason, the hash is simply used to ensure
that the integrity has been maintained throughout the life of the image.

According to Kavrestad (2018). The significance of a hash value is similar to a "digital

fingerprint" or "digital DNA." Any change to the hard drive, even by a single bit, will result in a
radically different hash value. Therefore, any tampering or manipulation of the evidence is
readily detectable.

Furthermore, hash values (Carroll, 2015) provide a fundamental role in forensic examinations
concerning the review and analysis of data. Among other things, analysts can authenticate
digital evidence by determining the hash value of the original evidence, making a physical copy
of the evidence, and then confirming that the copy has the exact same hash value as the
original evidence. If a corrupt or sloppy agent were to change even a single character in one
Word document saved on a 10-terabyte hard drive after imaging it, the entire drive would have
a different hash value. Thus, the fact that two hash values matches is powerful evidence that
the prosecutor is presenting a perfect image of the original drive (Figure 59).

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

80
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
Hash value is significant in any digital investigation because the chances that to data would
produce the same hash value. In the hashing process, the algorithm also considers the size of
the storage device, the amount of allocated and unallocated cluster in the disk, the content of
the files, etc. As an analogy, hash value can be compared to DNA. A DNA has a probability of
one (1) in every 1 trillion (1,000,000,000,000) chances that the DNA of two persons will be an
exact match. Much the same way, the chances of 2 hash value to be similar is almost non-
existent. The estimated chances that two MD5 checksum would have the same hash value is
one (1) in every 340 undecillions (340,00 0,000,000,000,000,000,000,000,000,000,000,000).
For SHA-1 hash value the estimated chances that two-hash value will be the same is one (1) in
every 1.4 quindecillion (1.4,000,000,000,000,000,000,000,000,000,000,000,000,000,000,
000,000). This figure will tell prosecutors and judge that hash value is a reliable means of
authenticating disk image (Carrol, 2017).

LIVE FORENSIC AND DEAD-BOX FORENSIC

As stressed by Oettinger (2020), being a digital forensic examiner requires you to have a plan
to conduct the investigation. For instance, there is the kitchen sink approach - where the
person requesting the examination states, I want it all. However, this is not practical when the
smallest drive from a system might contain hundreds of thousands of pages or events. While
the kitchen sink approach is a plan, it may not be the most efficient.

He further emphasized that, the search method will depend on the crime you are investigating,
and whether there are limitations to the scope of the search. In some investigations, the
judicial authority may restrict an investigator's access to digital evidence to only email
messages, or you may be limited to a specific date and time within the forensic image.

As mentioned before, the advent of the internet of things has made people very with digital
device. As stressed by the Wiley because society has embraced technology to such an extent,
it is now commonplace to be asked to consider whether digital devices may contain some
information about any crime which has been committed. Even though the device itself may not
have played any part in the activity, its very presence at the scene, or use by one of those
involved, often leads to it being a potential source of valuable evidence. For example, if a child
has gone missing, investigators would typically now ask where that child's mobile phone is. A
mobile phone, particularly to a younger person, is an essential personal communication tool.
They very rarely. if ever, let them out of their sight. If the phone can be found, we have either
found the person, or found a location where something significant happened to them: i.e. a
crime scene.

As stressed by Clarke (2010), the analysis of the drive can be achieved in two ways: live-box
forensics and dead-box forensics. Traditionally, the forensic procedure has focused upon dead

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

81
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
box analysis - analyzing the forensic image from your trusted forensic system. The data on the
image never changes and the integrity of the data is therefore simpler to maintain.

Live forensic or live data acquisition involves collecting data from a running system. This can
include memory, mounted files such as Windows registry hives, unencrypted volumes or file
systems, security files, or open processes. Live data acquisition has become common in cases
where a suspect is believed to have used full disk encryption - which means shutting down the
system will remove the decryption key from memory and render the device unreadable
without the correct password or key (Arnes, 2018).

Did you know?

Live forensics is the examination of powered on/live computer's entire running system.

Dead box forensics is the examination of powering down computer and removing the disk (or disks)
to connect it to a forensic workstation or hardware or software to create the forensic image.

Corollary, there are times when it may not be feasible to take a system offline for perform
dead-box forensics. In the case of a large e-commerce site (such as eBay) where any downtime
is calculated in the of dollars, when critical infrastructure is a factor, or when a system must be
maintained online, the ability to capture, image, and analyze a system while it is live can be of
immense value, the only option is live forensics (Reyes and Wales, 2007).

Within dead-box analysis, digital forensic analysis can interpret a specific file system, and
subsequently recreate the file system for you. To achieve this the forensic digital analysts must
understand the exact nature of the file system from the location and operation of the file
system, to interpreting the file record metadata. Forensic analysis is easier now because of the
availability of forensics tool applications than several years ago. Prior to these forensic tools
being available, the forensic examiner would have difficulty in establishing file pathways and
understanding the structure of the file system without performing a live analysis - where the
host OS would interpret the file system for the examiner. File system analyzers also allow the
examiner to acquire all the metadata about the files and folders, such as modified accessed,
and created timestamps, which is essential in understanding an investigation (Clarke, 2010).

In performing dead-box forensics, according to Daniel and Daniel (2012) the proper forensic
method for duplicating evidence from a computer hard drive or other media storage device
requires the use of write-blocking of the original storage device. Write-blocking can be
accomplished either by using a physical hardware device that is connected between the
original (source) and the copy (target) hard drive or by using a special boot media that can
start a computer in a forensically sound manner. The best option for making a forensic copy of
a hard drive is to remove the hard drive from the computer connect it to a physical write-
blocker, and then use a forensic workstation and forensic software to make the copy.

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

82
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
As explained by Holts (2018) a write blocker is a device that allows read only access to all
accessible data on a drive, as well as preventing anything from being written to the original
drive, which would alter or modify the original evidence. As defined by Reiber (2019), a write
blocker is a software or hardware device that stops specific communication from a computer
to a mass storage device. Write blockers come in many different types Software- based write
blockers can use a simple Windows Registry change; hardware units are sophisticated boxes
that are coupled to the examination computer via cables, with the device to be examined
attached to the other side. Some allow a connection directly to the pins located on the actual
hard drive and then to the computer conducting the forensic analysis, while others have USB
connections to plug a removable USB hard drive or flash drive into an available port. On the
other hand, for Ellis (2013) a software blocker is an application that is run on the operating
system that implements a software control to turn off the write capability of the operating
system.

Furthermore, hardware write blockers are also known as bridges, since the digital evidence is
connected to the examiner's computer through the write blocker. Once the original data
device is imaged, the next step is for the digital forensic examiner to determine whether the
original and duplicate copies are in fact one and the same.

Digital Device to be Analyzed

1. Desktops and laptops. User desktops and laptops are physical computers that are used for
day-to-day business. They are typically located at a user's desk or work area. The system
usually contains one or more hard drives that contain the operating system, applications, and
associated data. Data may also be stored on an external storage solution or media that is
physically connected accessed through a computer network. Moreover, today, desktops can
also be virtualized. Virtual desktops are commonly accessed through a terminal that has no
local data storage and only provides remote access to the virtualized system. The virtual
desktop is commonly run on a centralized virtualization infrastructure This shifts data storage
from the traditional desktop to a central infrastructure (Luttgens, 2014). or

2. Servers, Server systems typically provide core business or infrastructure services. They are
usually found in data centers, server rooms, or communication closets. Server systems may
physically look like a user desktop or laptop but are more commonly rack mount devices.
Servers will normally have at least one hard drive for the operating system but may or may not
contain any additional drives for applications or data. In some cases, application and data are
stored exclusively on external storage solutions. This is especially true in the case of virtual
servers, which are typically centralized in a virtual server infrastructure (Luttgens, 2014).

3. Mobile devices. Mobile devices are typically small, handheld, networked computers. They
include cell phones, personal digital assistants (PDAs), tablets, and wearable computers.
Nearly all mobile devices have a relatively small amount of built-in storage, typically some form
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

83
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
of nonvolatile (flash) memory. Many mobile devices also have expansion slots for additional
internal storage, or interfaces that can access external storage media (Luttgens, 2014)

As argued by Reiber (2019), a mobile device can contain many pieces of information, from
contacts, SMS, and call logs in early devices, to complex documents, applications, media, SMS,
Multimedia Messaging Service (MMS), call logs, e-mail, calendar, notes, and contacts in today's
devices, which are actually small computing devices. Built-in applications, or apps, can store
additional data types, communicate with the Internet, launch rockets, play music, map a
house, direct a vehicle to a destination, determine internal body vitals, and conduct bank
transactions. There is almost nothing that person cannot do with these smart devices-including
activities that only ten years ago required devices thousands of times their size. Today's
current smart devices come with standard apps, but a user can also install one of
approximately seven million apps available on various mobile phone app distribution points,
which makes a "standard examination" of the contents of mobile devices a nearly impossible
exercise.

4. Cloud services. In this context, a cloud service is an off-site third- party service that provides
hosted applications or data storage for an organization. Common business services are hosted
e-mail, timesheets, payroll, and human resources. But there are also many personal services,
such as Dropbox or Google Drive (Luttgens, 2014).

Cloud computing can be considered as a new paradigm for delivering Information

Communications Technology (ICT) to organizations that do not need to invest in hardware,
software, and network infrastructures. The National Institute of Standards (NIST) defined
cloud computing as a model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (Nhien-An and Kim- Kwang, 2020).

Unfortunately, according to Nhien-An and Kim-Kwang (2020), cloud computing is impacting

significantly in the way. digital forensic investigations are conducted. Cloud forensics
represents a new category and is until today, one of the most challenging disciplines in the
recognized science of digital forensics. Investigators are faced with the challenges of evidence
identification, accessing, acquiring, analyzing, and examining data from and within cloud-based
environments.

The cloud has three basic service levels (Nelson, 2019):

a. SaaS- Software as a service (SaaS) With this cloud service level, typically a Web hosting
service provides applications for subscribers to use. means applications are delivered via the
Internet. A familiar one is Google Docs, which is similar to office suites such as Microsoft Office
or-LibreOffice. Data is stored in the cloud, and files can be accessed and shared with others.

b. PaaS- Platform as a service (PaaS) A cloud is a service that provides a platform in the cloud
that has only an OS. The customer can use the platform to load their own applications and
data. The cloud service provider (CSP) is responsible only for the OS and hardware it runs on;

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

84
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
the customer is responsible for everything else that they have loaded on to it. means an OS has
been installed on a cloud server. Users can then install their own applications, settings, and
tools in the cloud environment. The cloud provider maintains just the hardware for customers,
who are responsible for their own system administration and application support.

c. laaS-Infrastructure as a service (laaS) With this cloud service level, an organization supplies
its own OS, applications, databases, and operations staff, and the cloud provider is responsible
only for selling or leasing the hardware. means customers can rent hardware, such as servers
and workstations, and install whatever OSS and applications they need. IaaS can come in
handy when customers can't afford to purchase hardware or pay someone to maintain it but
can afford to rent. In addition, this service level makes it easy to add hardware during peak
business periods, such as tax season or end-of-year accounting, and then cut back on hardware
when it's not needed during slow periods.

5. Flash Drives and Novelty Flash Drives. Another category of device which can pose problems
is that of portable storage. Typically, these are lumped together under the catch-all terms
"thumb drives" or "USB sticks" because the earliest and most common versions of these USB
devices were about the same size and shape as a thumb drive.

Although it is becoming easier to disguise devices through the production of customized

cases, it is still easier to adopt Edgar Allan Poe's "purloined letter" approach where the object
is, effectively, hidden in plain view but disguised by being placed in such an obvious location as
to appear not hidden, or is disguised as an innocuous object.

As an example, consider a DVD on which a collection of illegal images of children (IOC) has
been written. The criminal may take steps to hide this under floorboards, behind a panel in the
wall, or in some other secret location. Alternatively, he may choose to hide the DVD by simply
placing it in a case for a commercially available DVD, possibly even going as far as printing a
false label on it to further disguise its identity. If the illegal disc is then placed in a collection of
innocent discs, its presence will be less obvious and more likely to be overlooked if a search of
the disc collection is anything less than thorough.

This method has been employed to hide several different types of device and, with
miniaturization leading to devices such as micro-SD or Trans- Flash cards it has become
possible to secrete large volumes of data in very small hiding places such as the spines of
hardback books, children's coin banks and so on.

6. Secondary Storage. are various storage devices, for example, hard disks, USB drives, SD
cards, Solid State Drives (SSD), floppy disks, tapes, CD-ROM, DVD, and hard disk is the most
commonly used one (Xiaodong, 2018). However, according to Sammons (2014), storage
locations inside a computer serve different purposes. Some are for the short term, to
temporarily hold the data that the computer is using at the moment. The other is for more

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

85
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
permanent, long-term keeping. The data stored in this disks are important in digital forensic
analysis as this will provide the "smoking gun" in order to prove the commission of cybercrime.

DIGITAL INVESTIGATIVE ANALYSIS

One principle that is often discussed in forensic science is Locard's exchange principle. This
principle postulates that, when two objects come into contact, they leave a trace on each
other. For example, if you walk into a house with carpeting, dirt from shoes is left on the
carpet, and the carpet leaves fibers on the soles of your shoes. These traces that are
exchanged form the basis of what is termed trace evidence in the physical forensics' world. In
the digital world, there is often very similar trace evidence left when two systems encounter
each other. For example, if an individual browses a website, the web server or web application
firewall may record the individual's IP address within a collection log. The website may also
deposit a cookie on the individual's laptop. Just as in the physical world, evidence exchanged
in this manner may be temporary, and our ability to observe it may be limited to the tools and
knowledge we currently have (Johansen, 2020).

Physical or Logical Extraction

In the digital analysis of the forensic image is concerned with extracting computer data to be
examine and analyze Data extraction according to Nelson (2010) is the process of pulling
relevant data from an image and recovering or reconstructing data fragments, one of the five
required functions of computer forensics tools. While according to Holts (2010), data recovery
or extraction refers to the process of salvaging digital information. In general, there are two
types of extraction: physical and logical.

The physical extraction phase identifies and recovers data across the entire physical drive
regardless of the file systems present on the drive. As mentioned previously, file systems are
the way in which data is stored and retrieved on a computer drive, and each piece of data is
called a file. The file system dictates how the computer manages and keeps track of the name
and location of every file on a computer. For example, FAT and NTFS are the file systems used
by certain Microsoft Windows operating systems (e.g. Windows 98, Windows XP) Overall, a
physical extraction pulls all the digital data from a computer hard drive but does not consider
how the data was stored on the drive.

On the other hand, logical extraction refers to the process of identifying and recovering data
based on the file systems present on the computer hard drive During logical extraction, data
may be retrieved from a variety of sources, such as active files, deleted files, file slack, and
unallocated file space (Holts 2018)

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

86
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION

OVERVIEW OF EXAMINATION OF DIGITAL ARTIFACTS

Digital analysis is not only concern in analyzing deleted files. There is more than simply locating
the digital evidence, creating a forensic image, and locating hidden files. Part of digital forensic
analysis is the examination of the computer system, particularly the registry hive. As stressed
by Luttgens (2014), to be blunt, investigating Windows can be an intimidating challenge. The
operating system is a complex beast on its own-even more so when it is part of an Active
Directory domain, as is most often the case in corporate environments. The sheer volume of
files, registry keys, log entries, and other artifacts generated by a system during normal day-to-
day use can be overwhelming for a new analyst. Fortunately, as the fields of forensics and
incident response have matured over the past decade, so too have the tools available to
investigate Windows systems. The net result is that it is easier than ever to collect and parse
the sources of evidence now.

As stated by Kavrestad (2018) windows registry is a hierarchical database that stores

information about users, installed application and the windows system itself. According to
Graeme (2020), the registry as a central hierarchical database. This database is used to store
configuration hardware devices, and applications. As for Palmers and Walters (2012) windows
registry is an extensive database of information about the operating system. This registry
contains data about:

a. all the hardware components, and

b. all software

c. information about windows services that started automatically, manually or disabled.

According to Nelson (2010), to following understand windows registry, the following terms
should be clear:

a) Registry Editor-A Windows utility for viewing and modifying data in the Registry. There are
two Registry Editors: Regedit and Regedt32 (introduced in Windows 2000).

b) HKEY-Windows splits the Registry into categories with the prefix HKEY Windows 9x systems
have six HKEY categories and Windows 2000 and later have five. Windows programmers refer
to the "H" as the handle for the key.

c) Key-Each HKEY contains folders referred to as keys. Keys can contain other key folders or
values.

d) Branch-A key and its contents, including subkeys, make up a branch in the Registry.
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

87
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
e) Subkey-A key displayed under another key is a subkey, similar to a subfolder in Windows
Explorer.

1. File Knowledge/File Access

File access is another aspect of forensic analysis useful. As emphasized by Carrol (2014), for
years, one challenge in digital investigative analysis has been proving a user not only had
something significant to an investigation on their computer, but that he knew it was on there.
Two of the easiest ways help prove knowledge of a file is to prove the user was searching for it
or accessed it. For Microsoft to enhance the user experience, Windows tracks the names of
files you access and search for in multiple locations. As previously discussed, the Windows
registry is essentially several databases called registry hives. Each user has his own primary
registry hive called the NTUSER DAT. This registry hive tracks information specific to each
user's activity and preferences. Starting in Windows 7, when a user conducts a search on his
computer using the Windows search function or the "Charm Bar" in Windows 8-10 (the
magnifying glass that appears when you move your mouse to the right edge of the screen),
Windows records each search in temporal order in the "NTUSER DAT Software\
Microsoft\Windows\CurrentVersion\ Explorer WordWheelQuery" registry recorded in temporal
order, an analyst can frequently see indications of the user's thought process as he searched
for particular files.

As further stated by Carvey (2016), there are several times when determining a user's access to
files, or more specifically, the user account used to access files, can be paramount. This can be
pertinent information during a human resources issue, access to illicit images or files case, as
well as during data breach cases involving a targeted, dedicated adversary. One of the great
things about Windows systems from the perspective of a forensic analyst is that the systems
record and save a great deal of information specific to actions taken via a user account. This
can be valuable, as the information is maintained on the system long after the file has ceased
to exist on the system.

A. WordWheelQuerry

As stated by Carvey (2016_), when searching for a file in Windows, users will often search for
things (files by name, keywords within files, etc.) on their systems, as well as other systems,
and on the Internet using the search dialogue box (Figure 80). Sometimes, they even do this
using the built-in search capability that comes starting with Windows. Starting with Windows
7, information about what the user searched recorded in the Registry in the WordWheelQuery
key. The full path to this key appears as follows:

Software\Microsoft\Windows\CurrentVersion\Explorer\

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

88
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
WordWheelQuery

The "WordWheelQuery" is a feature in windows wherein you can specify search terms that
start with certain letters, or that are phonetically like words you enter. "WordWheelQuery"
helps you to define search terms, or even find out if a word is in your index before you search
for it. The Word Wheel button is found on the Menu-Assisted, Command-Based and Natural
Language query window (Carrol, 2014).

B. Lnk Files

Windows also records in numerous artifacts when a user opens or attempts to open non-
executable files. Four of the most useful digital artifacts to identify files opened or attempted
to be opened are "Lnk" files (pronounce as "link" files), Jump lists and several "most recently
used" registry keys (Carrol, 2014).

To understand the meaning of executable and non-executable files. Lihmee (2018) stated that
an executable file is a file that can be directly executed by the computer and is capable of
performing the indicated tasks according to the encoded instructions. A non-executable file is
a file that is not directly executed by the CPU and is created for a specific task.

According to Carroll (2015), Lnk files are a relatively simple but valuable artifact for the
forensics investigator. They are shortcut files that link to an application or file commonly found
on a user's desktop, or throughout a system and end with an. LNK extension. Anytime the
program is close, the "LNK files are stored. This "Ink files" are associated by windows to a
certain application or a file to enable windows for quickly open the file again (Figure 83 on
page 200).

C. Jump of Lists

Carrol, 2014 stated that one of the newest artifacts to identify files opened by a user are "Jump
Lists." Starting in Windows 7, Microsoft introduced two types of jump lists:
"AutomaticDestinations" and "CustomDestinations." Automatic and Custom jump lists are
created and stored in their respective directory in each user's home directory under the
"AppData\ Roaming\ Microsoft\ Windows\Recent" directory. Each application can incorporate
its own jump lists as a "mini-start" menu. AutomaticDestinations allow a user to quickly "jump"
to or access files they recently or frequently used, usually by right clicking the application in
the Windows taskbar (Figure 84). CustomDestinations allow a user to pin recent tasks, such as
opening a new browser window or create a new spreadsheet to the jump list (Figure 84).

2. Application Specific Registry Keys

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

89
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
In doing a deep analysis of the suspect's computer, it is noteworthy to check the registry keys
since there are files are constantly tracked and stored by the Registry. As stressed by Carrol
(2014) starting with Office version 365 and 2016, Microsoft Office tracks the "reading location"
for each Word, PowerPoint, and Excel document opened and when each file was closed. Using
this information, an analyst can determine not only what document was last opened and when
it was closed, but also that the user had scrolled to and the user was on page 32 of the
document when it was closed. The following are applications specific registry keys:

a. "RecentDocs"
b. "TypePaths"
c. "Jump Lists
d. "ShellBag"
e. "Microsoft Office FileMRU" h. "Perfetch"
f. "OpenSave PIDIMRU."
g. "Last Visited PIDIMRU"
h. "UserAssist"
i. "Recentdocs" Registry Key

Windows systems do a very good job of tracking what documents a user has accessed, making
them available in the Recent Documents menu. This list of documents can be very revealing
about a user's activities. In most cases, such as in a corporate environment, the documents
listed here will be legitimate, business-oriented documents. However, even in such
environments, users may be found accessing documents that they should not. Information
about the documents that the user has accessed is maintained in the "RecentDocs" key.

b. "Most Recently Used (MRU) Registry Keys"

With every Windows application, developers have the ability to create their own set of registry
keys to track specific configuration and user activity for their application. If a specific
application is used to commit or facilitate a crime or is otherwise significant to an investigation,
it is often advantageous for the analyst to determine if the application has its own set of
registry keys and determine what actions those keys record. Two excellent examples are
"Winzip," which records the name of the last several zip files created and extracted and the
Microsoft Office suite of applications (Carrol, 2014)).

c. OPENSAVEPIDIMRU

In simplest terms, this key tracks files that have been opened or saved within a Windows shell
dialog box. This happens to be a big data set, not only including web browsers like Internet
Explorer and Firefox, but also a majority of commonly used applications. What sometimes gets
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

90
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
missed is that this key is also responsible for tracking auto-complete terms for that same
dialog box. The values stored in the key itself are items that do not have file extensions
associated with them. Since most files have extensions, what often ends up here is auto-
complete information. Consider an OpenSave dialog box that allows you to choose your file
type from a list (e.g. .jpg, .png, .bmp). User input into this dialog will typically be the name of
the file without the extension since the dropdown filetype menu takes care of that. Thus, what
is stored in the key is the auto-complete information for that transaction, and the full filename
is not stored (Tibury, 2010).

3. Directory Locations Used

According to Carrol (2014) there is one additional artifact, the "LastVisitedPIDMRU," that, for
each application, specifically tracks the last directory navigated to when opening or saving a
file. Another artifact that also tracks the directories a user navigates, even when they do not
open or save a file, is "ShellBags."

a. LastVisitedPIDIMRU

As discussed by Luttgens (2014), LastVisitedPIDIMRU (LastVisitedMRU in older versions of

Windows) tracks programs that have launched an Open or Save As dialog and the most recent
directory accessed by each. This is how programs can reopen the Open/Save As dialog in the
same location where it was previously used.

b. Typed Paths

According to Canvey (2016), the typed paths key records paths that the use typed into window
explorer. On Windows 10, typing into the little box to the right of the windows icon on the
TaskBar, the one that usually says "Search the web and Windows" will populate this key
(Figure 90 on page 210).

Again, that is under normal circumstance and doesn't apply if the user modifies the key
through the Registry Editor or through the use of code, such as Visual Basic script. However, it
is very rare that his value is manipulated in that manner.

c. Shellbags

Shellbags are an artifact associated with folders accessed by a user through the Windows
Explorer interface (or "shell"). Using the "shellbag" artifacts to develop an understanding of
resources accessed by the user, particularly during incident response involving targeted threat
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

91
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
actors (commonly referred to as "advanced persistent threats" or "APT") that have foregone
the use of malware and have started accessing the compromised infrastructure through
Terminal Services (Carvey, 2016).

4. Application Used

a. Prefetch

Oettinger (2020). prefetch is a feature Microsoft introduced to enhance the user experience
with the Windows operating system. It allows faster response times by preloading data into
the RAM in anticipation of its demand by the user or system. Similarly, Carroll, Brannon and
Song (2008) stressed that prefetching is the process of loading information from the hard
drive into memory, before it is needed. Vista adds six prefetch files. This does not sound
significant; however, it is six more chances to identify information that may be important to
the investigation.

As stated by Carrol (2014), prefetch began in Windows XP and is located in the

"Windows\Prefetch" directory. Prior to Windows 10, a maximum of 134 were stored at a time,
as compared to 1,024 prefetch files stored with Windows 10. The prefetch file is designed to
essentially be an audit log of all the files needed to execute a particular application. Any time
an application is launched, the prefetch file monitors and creates a list of every file name and
full directory path that is accessed during the initial execution of the application.

b. User Assist

The "UserAssist" registry key tracks all applications run that have a graphical user interface.
The UserAssist registry key is frequently an artifact that complements the Windows Prefetch
artifact previously discussed. Like Prefetch, the UserAssist key tracks applications run and the
number of times each application is executed, however, UserAssist also tracks the "focus
count" and "focus time." Focus count records the number of times the application has come
into primary focus of the Windows desktop. Focus time tracks the total time, down to the
millisecond, each application was in primary focus on the Windows Desktop. This artifact has
been useful when a defendant claims he had no knowledge that a specific application had run
and suggests it must have been running in the background (Figure 93). With UserAssist, the
analyst can tell exactly how many times the application was run and how many hours, minutes,
and seconds the application was the foremost active application on the desktop (Carrol, 2014).

5. USB Storage Device Analysis

The USB flash drives is one of the most common storage devices today. USB flash drives, or
thumb drives, are one of the most common removable storage devices. They are small,
lightweight, and can be easily transported and concealed. In addition, memory cards, such as
PREPARED BY: SILKIE C. TUGUINAY, MSCJ

92
 INTRODUCTION TO CYBERCRIME WITH DIGITAL FORENSICS INVESTIGATION
the CompactFlash card or SM card, are small data storage devices that are commonly
associated with digital cameras, mobile phones, video game consoles, and other handheld
devices. Overall, data storage devices may contain a plethora of electronic

evidence, but they may also be more difficult to identify due to their small size and portability
(Holts, 2018).

According to Carvey (2016), when a USB device is connected to a Windows system, the Plug-
and-Play (PnP) manager receives the notification and queries the device. Information about
the device, extracted from the device descriptor (which is not part of the memory area of the
device), is then stored in the System hive beneath the ControlSet00n\Enum\ USBStor and USB
subkeys. The storage device is then (most often) recognized as a disk device and mounted as a
drive letter or volume on the system. As such, additional information related to the device is
recorded in the MountedDevices key within the System hive, as well as beneath the
Control\DeviceClasses key

PREPARED BY: SILKIE C. TUGUINAY, MSCJ

93