Computing for Forensic Science - PowerPoint PPT Presentation

Slides: 18
Provided by: ucla9

Transcript and Presenter's Notes

1
Computing for Forensic Science
  • An Introduction to Software

Chris Casey
2
Introduction
  • Software is the essence of computing
  • The operating system controls the hardware
  • Applications
    • General: word processor, spreadsheet
    • Security: virus checker, encryption
    • Forensic: file viewer, log analysis

3
Topics
  • Operating System
  • Windows isn't the only one
  • Caching
  • Memory Management
  • Hiding Information
  • File types
  • Encryption
  • Steganography

[Diagram labels: Software, Operating System, Monitor, Keyboard, Video Card, Disk, CPU, ROM, Mouse, RAM]
4
Operating Systems
  • Software directly controlling hardware
  • Device drivers
  • File Management (directory, files)
  • Load & manage applications
  • Security
  • Graphic User Interface, command interface
  • E.g. Windows, Unix (Linux)

5
Boot Sector Viruses
  • Boot Process
  • ROM program loads Disk Boot sector
  • Boot program loads operating system
  • Operating system interacts with user
  • Replace floppy boot sector with virus
  • Floppies left in drive
  • Infect any data floppies used

6
Caching
  • Frequently used data in quick storage
  • Telephone numbers
  • Internet pages
    • on proxy server
    • on local computer
  • Check cache, fetch only if not present
  • Internet cache may hold evidence
  • IE, Tools, Internet Options, History Settings

7
Memory Management
  • Programs need lots of memory
  • Disk cheap, slow - RAM dear, fast
  • Virtual Memory, managed by O.S.
  • Uses disk to imitate memory
  • Swap data to disk when application needs more
  • Copy of program memory in Swap File
  • Still on disk when O.S. closed down
  • Overwritten when the O.S. restarts

8
Write Blocker
  • Connected between analyst's PC & disk
  • Stop write signal reaching the disk
  • Allows data to be read.

9
Applications
  • Any software that is not part of the OS
  • Different applications store data differently
  • E.g. raster image stored as a grid of colours
  • Represent Red, Green, Blue values of colour
  • Blocky when stretched
  • Used for photos
  • Vector image stored as shapes, positions, sizes
  • Can stretch indefinitely
  • Used for line drawings

10
Vector & Raster graphics
11
Hiding Information
  • Disguise
  • Partitions
  • Steganography
  • Prevent Access
  • Password Protection
  • Hide Application
  • Encryption

12
Partitions
  • Can split a disk into virtual disks
  • Simplifies re-installation & back-up
  • Unix partitions are invisible to Windows
  • Can store secret information
  • Access through Unix (or Linux)

[Diagram: drive labels C, C, D]
13
Steganography
  • Can't find data if you don't know it exists
  • Hiding information in other files
  • Image file
  • Broken into pixels
  • Red, Green, Blue value for each pixel
  • 0-255 intensity
  • Replace least significant bit with bit of data
  • Very small effect on quality
  • Need a lot of pixels to hide significant data

14
Steganography in Images
[Figure: the effect of changing pixel values. One pixel with Red 60, Green 120, Blue 0 beside one with Red 61, Green 121, Blue 1]
  • Changing the values by 1 has little visible
    effect
  • To hide data set least significant bits of every
    pixel to zero
  • Then add 3 bits from secret data to every pixel
  • Obviously, I need a lot of pixels to hide a large
    file
  • OK to hide text files, less good for photos, poor
    for video
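
The least-significant-bit scheme from slides 13 and 14, as an added Python example that is not part of the original presentation. The cover "image" is a constructed list of (R, G, B) tuples built from the slide's pixel, and all function names are illustrative.

```python
# Added illustration: LSB embedding as described on the slide, run on a
# constructed list of (R, G, B) pixels so no image library is needed.

def to_bits(data: bytes) -> list[int]:
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def from_bits(bits: list[int]) -> bytes:
    """Inverse of to_bits; a trailing partial byte is ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def capacity_bytes(pixels) -> int:
    """3 hidden bits per pixel (one per colour channel)."""
    return len(pixels) * 3 // 8

def embed(pixels, secret: bytes):
    """Zero each channel's least significant bit, then add one secret bit."""
    bits = to_bits(secret)
    if len(bits) > len(pixels) * 3:
        raise ValueError("cover image too small for this payload")
    bits += [0] * (len(pixels) * 3 - len(bits))   # unused channels carry 0
    return [tuple((channel & 0xFE) | bits[3 * n + c]
                  for c, channel in enumerate(pixel))
            for n, pixel in enumerate(pixels)]

def extract(pixels, length: int) -> bytes:
    """Read `length` bytes back out of the channel LSBs."""
    bits = [channel & 1 for pixel in pixels for channel in pixel]
    return from_bits(bits[:length * 8])

def max_channel_change(before, after) -> int:
    """Largest per-channel difference between cover and stego pixels."""
    return max(abs(a - b) for p, q in zip(before, after) for a, b in zip(p, q))

# Constructed cover: 16 copies of the slide's pixel (Red 60, Green 120, Blue 0).
COVER = [(60, 120, 0)] * 16
STEGO = embed(COVER, b"hello")   # 40 secret bits fit in 16 * 3 = 48 channels
```

A 640 x 480 image holds 115,200 bytes at this rate, which is why the slide calls the method fine for text and poor for video.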

15
File Structure
  • File structure
  • Representation depends on application
  • Windows recognises type from extension
  • Link to appropriate application recorded in
    registry
  • E.g. abusive.jpg, abusive.doc
  • Some files contain a magic value identifying
    their type
  • E.g. there are many types of image files with the
    information encoded in different ways
  • Hex Editor shows raw values
  • Changing extension is a poor way of hiding things
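
Why a changed extension is easy to spot: an added Python example, not part of the original presentation, that compares each file's extension with its magic value. The signature table is a small subset of well-known values, and the sample files are constructed byte strings using the slide's file names.

```python
# Added illustration: flag files whose extension disagrees with their magic value.
import os

# Leading signature -> (type label, extensions normally used for that type).
MAGIC = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file",
     {".doc", ".xls", ".ppt"}),
]

def read_header(path: str, size: int = 16) -> bytes:
    """Read only the first bytes of a file; the rest is never loaded."""
    with open(path, "rb") as handle:
        return handle.read(size)

def sniff(header: bytes):
    """Return (label, expected extensions) or None if no signature matches."""
    for magic, label, extensions in MAGIC:
        if header.startswith(magic):
            return label, extensions
    return None

def check(name: str, header: bytes):
    """Return (verdict, label); verdict is match, mismatch or unknown."""
    hit = sniff(header)
    if hit is None:
        return "unknown", None
    label, extensions = hit
    extension = os.path.splitext(name)[1].lower()
    return ("match" if extension in extensions else "mismatch"), label

def flag_mismatches(files):
    """files: iterable of (name, header bytes). Returns the suspicious ones."""
    return [(name, check(name, header)[1]) for name, header in files
            if check(name, header)[0] == "mismatch"]

# Constructed headers (not real evidence files).
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
OLE2_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
SAMPLES = [
    ("abusive.jpg", JPEG_HEADER),
    ("abusive.doc", OLE2_HEADER),
    ("abusive.sys", JPEG_HEADER),   # a .jpg renamed to .sys
    ("notes.txt", b"plain text, no signature"),
]
```

On a mounted evidence image, `read_header` supplies the bytes for each path; files reported as unknown still need a look in a hex editor, since many formats have no leading signature.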

16
Encryption
  • Combining data with key value using particular
    procedure (algorithm)
  • Caesar Algorithm

[Figure: Caesar algorithm, encode with key 3 and decode with key 3]
17
Types of Encryption
  • Symmetric Key
  • 1 Key used to encode and decode
  • Both sender and receiver need key
  • How do you get the key to the receiver?
  • Public Key
  • 2-way algorithm
  • Public key (that everyone knows) to encode
  • Private key to decode
  • Can also be used to sign documents

18
Summary
  • Operating System
  • Device management
  • Memory management
  • Boot Sector can hold viruses
  • Files hold information in different ways
  • Can hide information by
  • Changing file extensions (.jpg -> .sys)
  • Encryption: Public & Symmetric Key
  • Steganography & Secret Partitions