Tony Sammes and Brian Jenkinson

Forensic Computing

Second edition

Tony Sammes, BSc, MPhil, PhD, FBCS, CEng, CITP
The Centre for Forensic Computing
DCMT
Cranfield University
Shrivenham, Swindon, UK

Brian Jenkinson, BA, HSc(hon), MSc, FBCS, CITP
Forensic Computing Consultant

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Control Number: 2006927421

ISBN-13: 978-1-84628-397-0  e-ISBN-13: 978-1-84628-732-9
ISBN-10: 1-84628-397-3  e-ISBN-10: 1-84628-732-4
ISBN 1-85233-299-9 1st edition

Printed on acid-free paper

© Springer-Verlag London Limited 2007
First published 2000
Second edition 2007

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers.

The use of registered names, trademarks etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant laws and regulations and therefore free for general use.

The publisher makes no representation, express or implied, with regard to the accuracy of the information contained in this book and cannot accept any legal responsibility or liability for any errors or omissions that may be made.
Springer Science+Business Media
springer.com

Dedication

To Joan and Val

Acknowledgements

The authors would like to thank all the members and former members of the FCG Training Committee for the very valuable contributions that they made to the first edition of this book. In particular, our grateful thanks go to Steve Buddell, Tony Dearsley, Geoff Fellows, Paul Griffiths, Mike Hainey, Dave Honeyball, Peter Lintern, John McConnell, Keith McDonald, Geoff Morrison, Laurie Norton, Kathryn Owen and Stewart Weston-Lewis. For this second edition we would, in addition, like to thank Lindy Sheppard, Dr Tristan Jenkinson and John Hunter for their kind support. Our thanks also go to the students of the 30 or so Forensic Computing Foundation Courses that have now been run for all their helpful comments and suggestions. We would like to add a sincere word of thanks to our publisher and editors, to Catherine Brett, Wayne Wheeler, Helen Callaghan and Beverley Ford, all of Springer, who, after much chivvying, eventually managed to get us to put pen to paper for this second edition, and a most important thank you also to Ian Kingston of Ian Kingston Publishing Services, who has made the result look so good. Finally our contrite thanks go to our families, to whom we did sort of promise that the first edition would be the last.

Contents

1 Forensic Computing  1
  Origin of the Book  2
  Structure of the Book  3
  References  6
2 Understanding Information  7
  Binary Systems and Memory  8
  Addressing  9
  Number Systems  11
  Characters  25
  Computer Programs  27
  Records and Files  27
  File Types and Signatures  29
  Use of Hexadecimal Listings  29
  Word Processing Formats  30
  Magic Numbers  35
  Graphic Formats  36
  Archive Formats  43
  Other Applications  44
  Quick View Plus  46
  Exercises  46
  References  48
3 IT Systems Concepts  49
  Two Black Boxes  50
  The Worked Example  53
  Program, Data, Rules and Objects  62
  Patterns Can Mean Whatever We Choose Them to Mean  63
  Software Development  64
  Breaking Sequence  67
  An Information Processing System  70
  References  72
  Exercises  72
4 PC Hardware and Inside the Box  75
  The Black Box Model  75
  The Buses and the Motherboard  77
  Intel Processors and the Design of the PC  86
  A Few Words about Memory  93
  Backing Store Devices  96
  Floppy Disk Drive Units  98
  External Peripherals  98
  Expansion Cards  99
  References  101
5 Disk Geometry  103
  A Little Bit of History  103
  Five Main Issues  104
  Physical Construction of the Unit  104
  Formation of Addressable Elements  106
  Encoding Methods and Formats for Floppy Disks  107
  Construction of Hard Disk Systems  112
  Encoding Methods and Formats for Hard Disks  114
  The Formatting Process  127
  Hard Disk Interfaces  130
  IDE/ATA Problems and Workarounds  141
  Fast Drives and Big Drives  157
  Serial ATA (SATA)  159
  The POST/Boot Sequence  160
  A Word About Other Systems  172
  The Master Boot Record and Partitions  173
  FATs, Directories and File Systems  189
  RAID  207
  Exercises  209
  References  210
6 The New Technology File System  215
  A Brief History  215
  NTFS Features  216
  NTFS – How it Works  217
  The MFT in Detail  219
  Analysis of a Sample MFT File Record with Resident Data  224
  Analysis of a Sample MFT File Record with Non-Resident Data  240
  Dealing with Directories  247
  Analysis of a Sample MFT Directory Record with Resident Data  248
  External Directory Listings – Creation of “INDX” Files  261
  Analysis of an “INDX” File  268
  Some Conclusions of Forensic Significance  270
7 The Treatment of PCs  277
  The ACPO Good Practice Guide  278
  Search and Seizure  279
  Computer Examination – Initial Steps  288
  Imaging and Copying  291
  References  299
8 The Treatment of Electronic Organizers  301
  Electronic Organizers  301
  Application of the ACPO Good Practice Guide Principles  311
  Examination of Organizers and What may be Possible  313
  JTAG Boundary Scan  324
  A Few Final Words about Electronic Organizers  324
  References  325
9 Looking Ahead (Just a Little Bit More)  327
  Bigger and Bigger Disks  328
  Live System Analysis  332
  Networked Systems Add to the Problems  333
  Encryption  333
  A Final Word  339
  References  339
Bibliography  341
Appendices
  1 Common Character Codes  351
  2 Some Common File Format Signatures  355
  3 A Typical Set of POST Codes  359
  4 Typical BIOS Beep Codes and Error Messages  363
  5 Disk Partition Table Types  367
  6 Extended Partitions  373
  7 Registers and Order Code for the Intel 8086  379
  8 NTFS Boot Sector and BIOS Parameter Block  387
  9 MFT Header and Attribute Maps  389
  10 The Relationship Between CHS and LBA Addressing  411
  11 Alternate Data Streams – a Brief Explanation  415
Answers to Exercises  425
Glossary  435
Index  455

1. Forensic Computing

Introduction

Throughout this book you will find that we have consistently referred to the term “Forensic Computing” for what is often elsewhere called “Computer Forensics”. In the UK, however, when we first started up, the name “Computer Forensics” had been registered to a commercial company that was operating in this field and we felt that it was not appropriate for us to use a name that carried with it commercial connotations. Hence our use of the term “Forensic Computing”. Having said that, however, we will need on occasion to refer to “Computer Forensics”, particularly when quoting from overseas journals and papers which use the term, and our use in such circumstances should then be taken to be synonymous with that of “Forensic Computing” and not as a reference to the commercial company.
In point of fact, we will start with a definition of Computer Forensics that has been given by Special Agent Mark Pollitt of the Federal Bureau of Investigation as: “Computer forensics is the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law” (Pollitt, undated). In his paper he contrasts the problems of presenting a digital document in evidence with those of a paper document, and states: “Rarely is determining that the [paper] document physically exists or where it came from, a problem. With digital evidence, this is often a problem. What does this binary string represent? Where did it come from? While these questions, to the computer literate, may seem obvious at first glance, they are neither obvious nor understandable to the layman. These problems then require a substantial foundation being laid prior to their admission into evidence at trial.” These are questions for which we try to provide the requisite technical knowledge in Chapters 2, 3, 4, 5 and 6.

In a second paper (Pollitt, 1995), Special Agent Mark Pollitt suggests that in the field of computer forensics: “Virtually all professional examiners will agree on some overriding principles” and then gives as examples the following three: “... that evidence should not be altered, examination results should be accurate, and that examination results are verifiable and repeatable”. He then goes on to say: “These principles are universal and are not subject to change with every new operating system, hardware or software. While it may be necessary to occasionally modify a principle, it should be a rare event.” In Chapters 7 and 8 we will see that these overriding principles are in complete accord with the practices that we recommend and with those that have been put forward in the Good Practice Guide for Computer based Electronic Evidence (ACPO, 2003) of the UK Association of Chief Police Officers (ACPO).
In short, it is the essence of this book to try to provide a sufficient depth of technical understanding to enable forensic computing analysts to search for, find and confidently present any form of digital document[1] as admissible evidence in a court of law.

Origin of the Book

The idea for the book sprang originally from a course that had been developed to support the forensic computing law enforcement community. The then UK Joint Agency Forensic Computer Group[2] had tasked its Training Sub-Committee with designing and establishing education and training courses for what was seen to be a rapidly developing and urgently needed discipline. The first requirement was for a foundation course that would establish high standards for the forensic computing discipline and would provide a basis for approved certification. The Training Sub-Committee, in collaboration with academic staff from Cranfield University, designed the foundation course such that it would give successful candidates exemption from an existing module in Forensic Computing that was available within the Cranfield University Forensic Engineering and Science MSc course programme. The Forensic Computing Foundation course (FCFC) was thus established from the outset at postgraduate level and it continues to be formally examined and accredited at this level by the university.

The FCFC, of two weeks duration, is jointly managed and delivered by staff from both the forensic computing law enforcement community and the university. It covers the fundamentals of evidence recovery from mainly PC-based computers and the successful presentation of that evidence before a court of law. The course does not seek to produce computer experts. Rather, it sets out to develop forensic computing analysts who have a proven capability for recovering evidential data from computers whilst preserving the integrity of the original and who are fully competent in presenting that evidence in an understandable form before a court of law.
At the time of writing, some 30 cohorts have successfully completed the FCFC since its inception in March 1998, and the taught material of the course has been continually revised and updated in the light of much useful feedback and experience. A full MSc in Forensic Computing is now offered by the university, of which the FCFC is a core module, and the first cohort of students on this program graduated with their MScs in 2005. It is the material from the FCFC that forms much of the substance of this book.

The structure of the book differs a little from the way in which the material is presented on the course itself, in order to make the sequencing more pertinent to the reader. Nevertheless, it is intended that the book will also serve well as a basic textbook for the FCFC.

[1] Document here refers to a document in the widest sense. It includes all forms of digital representations: photographic images, pictures, sound and video clips, spreadsheets, computer programs and text, as well as fragments of all of these.

[2] The Joint Agency Forensic Computer Group was made up of representatives from ACPO, the Inland Revenue, HM Customs and Excise, the Forensic Science Service and the Serious Fraud Office. It has now been renamed the Digital Evidence Group and still retains a similar composition.

Structure of the Book

Picking up on one of the key questions raised by Special Agent Mark Pollitt in the earlier quotes – “... What does this binary string represent?” – we start our investigation in Chapter 2 by considering what information is and just what binary strings might represent. We look at number systems in some detail, starting with decimal and then moving to binary, ranging through little endian and big endian formats, fixed point integers and fractions, floating point numbers, BCD and hexadecimal representations.
We then look at characters, records and files, file types and file signatures (or magic numbers) and hexadecimal listings. A number of file formats are then considered, with particular reference to some of the better known word processing, graphic and archive file formats. To complement this chapter, the ASCII, Windows ANSI and IBM Extended ASCII character sets are listed at Appendix 1, where mention is also made of UCS, UTF and Unicode, and the magic number signatures of many of the standard file formats are listed at Appendix 2. In addition, the order code for the Intel 8086 processor is listed in hexadecimal order at Appendix 7. These appendices provide a useful reference source for the analysis of binary sequences that are in hexadecimal format.

In Chapter 3, we look at fundamental computer principles: at how the Von Neumann machine works and at the stored program concept. The basic structure of memory, processor and the interconnecting buses is discussed and a worked example for a simplified processor is stepped through. The ideas of code sequences, of programming and of breaking sequence are exemplified, following which a black box model of the PC is put forward.

Although the material in Chapters 2 and 3 has altered little, apart from some minor updating, from that of the first edition, that of Chapter 4 has had to be significantly updated to take account of the changes in technology that have occurred since 2000. Chapter 4 continues on from Chapter 3 and aims to achieve two goals: to put a physical hardware realization onto the abstract ideas of Chapter 3 and to give a better understanding of just what is “inside the box” and how it all should be connected up.
We need to do this looking inside and being able to identify all the pieces so that we can be sure that a target system is safe to operate, that it is not being used as a storage box for other items of evidential value, and that all its components are connected up and working correctly. We again start with the black box model and relate this to a modern motherboard and to the various system buses. Next we look at the early Intel processors and at the design of the PC. This leads on to the development of the Intel processors up to and including that of the Pentium 4 and then a brief look at some other compatible processors. Discussion is then centred on memory chips, and this is