<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
		xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Forensic 4cast &#187; simon</title>
	<atom:link href="http://www.forensic4cast.com/author/simon/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.forensic4cast.com</link>
	<description>Welcome to our podcast discussing issues relating to digital forensics</description>
	<lastBuildDate>Tue, 10 Jan 2012 15:28:10 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<copyright>Copyright © Forensic 4cast 2011 </copyright>
	<managingEditor>lee@whitfields.org (Lee Whitfield)</managingEditor>
	<webMaster>lee@whitfields.org (Lee Whitfield)</webMaster>
	<category>Tech News</category>
	<ttl>1440</ttl>
	<image>
		<url>http://www.forensic4cast.com/4small.jpg</url>
		<title>Forensic 4cast</title>
		<link>http://www.forensic4cast.com</link>
		<width>144</width>
		<height>144</height>
	</image>
	<itunes:new-feed-url>http://www.forensic4cast.com/?feed=podcast</itunes:new-feed-url>
	<itunes:subtitle>Forensic 4cast</itunes:subtitle>
	<itunes:summary>Welcome to the wonderful world of digital and computer forensics.  In each episode Lee will have guests on the show to discuss the latest news in the field, tell stories from the real world, and much more.</itunes:summary>
	<itunes:keywords>digital, computer, forensics, forensic, legal, law, cyber, crime</itunes:keywords>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
	</itunes:category>
	<itunes:author>Lee Whitfield</itunes:author>
	<itunes:owner>
		<itunes:name>Lee Whitfield</itunes:name>
		<itunes:email>lee@whitfields.org</itunes:email>
	</itunes:owner>
	<itunes:block>no</itunes:block>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.forensic4cast.com/4.jpg" />
		<item>
		<title>Microsoft Word &#8211; What Lies Beneath</title>
		<link>http://www.forensic4cast.com/2009/08/microsoft-word-what-lies-beneath/</link>
		<comments>http://www.forensic4cast.com/2009/08/microsoft-word-what-lies-beneath/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 18:29:10 +0000</pubDate>
		<dc:creator>simon</dc:creator>
				<category><![CDATA[Methodologies & Best Practices]]></category>

		<guid isPermaLink="false">http://4cast.whitfields.org/?p=359</guid>
		<description><![CDATA[Simon explains the possible pitfalls of ignoring metadata]]></description>
			<content:encoded><![CDATA[<p>As a Forensic Investigator it is crucial that any investigation of a case is thorough and done to the best of an individual&#8217;s ability. In the interest of time there can be a temptation to delve deep enough to find the required evidence, report it, then move on to the next case. People may, in fact, be under very real pressure to do this. Sometimes doing such things can cause problems for a case in the future when another expert potentially reviews and comments on your own findings.</p>
<p>Imagine the following scenario as a forensic investigator. You are handed a case brief and a computer hard drive to examine. The case brief informs you that Bill, the owner of the computer, is suspected of using the computer to create fraudulent documents for their own financial benefit. The alleged offence took place between May and July. You image the disk, load the disk image into your preferred forensic software and begin your examination.</p>
<p>Initial searches uncover a large number of Microsoft Word documents. You open these documents and discover that they do, indeed, contain a number of fraudulent documents. You discover that the documents have been created over a period of two months and that they have been accessed by the Windows user named &#8216;Bill&#8217; on the computer. Well, there you have it. Guilty? Innocent? However it looks on the surface, if you dig a little deeper you could see things very differently.</p>
<p>You discover that the NTUSER.DAT registry hive for the user &#8216;Bill&#8217; shows Microsoft Office to have been used and registered by this same user. When the software was first run he specified the user name &#8216;Bill&#8217; and the initials &#8216;BT&#8217;. You also find that Microsoft Office was installed on the computer three months earlier.</p>
<p>Whilst a lot of people are aware that this and more information is stored by Microsoft Office, they may not be aware of how this can potentially swing a case. This information, as well as much more, is embedded into every Microsoft Word document by default.</p>
<p>When a document is created by the user selecting &#8216;New&#8217; from the Office menu or the File menu, Microsoft Word immediately records the time and date as a &#8216;Create Date&#8217; for that document. Regardless of what happens to that original document or where it is copied to, this date and time remains the same. In addition to this, the above user name and initials are also stored in the document as &#8216;Author&#8217; details even before it is saved by the user. When the document is first saved a &#8216;Last Revised Date&#8217; record is created, and a &#8216;Last Saved By&#8217; field stores the current Microsoft Word user. This information is updated every time the document is saved, but the &#8216;Author&#8217; data remains the same. When a file is printed a &#8216;Last Print&#8217; date and time is recorded. Depending on the version of Microsoft Office you may occasionally find the make and model of the printer used in plain text. This can be useful in determining whether a document was printed from a certain place.</p>
<p>You may know this already or wonder why this is relevant. Take the following examples.</p>
<p>A document has an NTFS creation date of 30th July 2009 but a Microsoft Word &#8216;Create Date&#8217; of 12th February 2009. The Author and &#8216;Last Saved&#8217; fields show &#8216;Ted&#8217;. The &#8216;Last Revised Date&#8217; and &#8216;Last Print Date&#8217; for the document both show 13th February. What does this information tell us about a document saved on the hard drive of Bill&#8217;s computer? It tells us that maybe he didn&#8217;t put it there.</p>
<p>Another document has a Word &#8216;Create Date&#8217; showing some time after the creation date saved by the NTFS file system and the &#8216;Last Print Date&#8217; recorded by Microsoft Word. This shows that another document has been saved over an existing document. As a result it is not possible to determine exactly what was printed. The document as it exists now is likely not the document that was printed.</p>
<p>A further document has a &#8216;Create Date&#8217; of 1st March 2009 but a &#8216;Last Revised Date&#8217; of 24th February 2009 and a &#8216;Last Printed Date&#8217; of 22nd February 2009. How can this happen? The document was likely created from an existing older document that had previously been printed, and has inherited a number of its properties.</p>
<p>It is of course possible for a user to modify their user name. An investigator would then have to determine the likelihood of a user having sufficient knowledge to make such changes. This can be determined by seeing what programs have been installed and used, where the user has saved files, and whether there is anything hinting at a more experienced user (I have seen computers with more than one anti-virus program running permanently. This could be the result of paranoia or a less than full understanding of how such programs work).</p>
<p>Now imagine having done a computer investigation having not looked for this information. An expert hired by the defence team then examines your findings and the disk images and finds this information. All of a sudden doubt can be cast over your work, which previously appeared to be quite convincing. The fact that you missed this information doesn&#8217;t help your own reputation.</p>
<p>I have had cases where apparent guilt was turned on its head as a result of investigating Microsoft Office embedded data. I have seen documents created before they existed on a suspect&#8217;s computer. I have seen documents printed before they were created or edited by Microsoft Word.</p>
<p>This information can potentially confuse an investigation. It can make or break a case and determine whether someone has been the perpetrator of a crime or not.</p>
<p>Testing of this is easy and of extreme importance. I would recommend that any forensic investigator take a few minutes to test embedded Microsoft Office data. Only then can you say with any authority that dates and times show in a specific order because of specific events. This embedded data can make all the difference to your investigation, and looking a little bit closer can provide a more complete picture, whatever that complete picture shows.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensic4cast.com/2009/08/microsoft-word-what-lies-beneath/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Changing Face of Phone Forensics</title>
		<link>http://www.forensic4cast.com/2009/05/the-changing-face-of-phone-forensics/</link>
		<comments>http://www.forensic4cast.com/2009/05/the-changing-face-of-phone-forensics/#comments</comments>
		<pubDate>Fri, 08 May 2009 20:47:11 +0000</pubDate>
		<dc:creator>simon</dc:creator>
				<category><![CDATA[Methodologies & Best Practices]]></category>

		<guid isPermaLink="false">http://4cast.whitfields.org/?p=192</guid>
		<description><![CDATA[Simon discusses current and future methods for phone forensic examination in light of new phone capabilities.]]></description>
			<content:encoded><![CDATA[<div>As the less-contributing member of the Forensic 4Cast team, I felt it was about time I wrote something.</div>
<div>
<p>My current position at work is that of supervisor of anything and everything associated with the forensic examination of mobile phones (cell phones to those on the other side of the Atlantic). This has, over the past two years, been a part of my work, but has recently become pretty much all of it.</p></div>
<div>
<p>Lee, who as listeners will know, works next to me, has often commented jokingly to our phone examiners that they are involved in &#8220;play forensics&#8221; and that they would someday graduate to &#8220;real forensics&#8221; in examining computers and disk images. Everyone has found such comments amusing and taken them well, but the past few weeks have made me consider the forensic examination of mobile phones.</p></div>
<div>
<p>It may have been the case a year or two ago that mobile phone forensics was not as in-depth, complicated or interesting as computer forensics, but I don&#8217;t think that is really the case anymore.</p></div>
<div>
<p>With the advent of the Apple iPhone, the Nokia N95 (and other Symbian v9 based devices) and the wider acceptance of new HTC handsets like the Touch Diamond, the G1 and the Touch HD, mobile phone examinations are now considerably more complex.</p></div>
<div>
<p>Even if these phones are discounted, the average storage and capabilities of phones have been increasing. In the past two years I&#8217;ve seen the average size of a phone examination (what we archive following completion of the job) increase from 50-150 megabytes to more than half a gigabyte. That doesn&#8217;t sound like much, but when you consider the bulk of phones are still the smaller, older phones, this means anything newer has an average content size of a gigabyte or more, especially when considering the memory card. New HTC handsets (such as the Touch HD for example) can accept MicroSDHC cards up to 32GB.</p></div>
<div>
<p>Phone forensic examinations used to consist of extracting all handset data and providing the client with it. As larger, more complex handsets come to be examined, this will have to change to include an in-depth analysis driven by the specific requirements of the case.</p></div>
<div>With these sizes increasing, content of mobile phones has also been changing.</div>
<div>
<p>My first mobile phone could make and receive calls, send and receive SMS messages, and, unusually for the time, access WAP content. &#8220;Smartphones&#8221; can do anything from word processing to accessing full web pages, uploading and downloading video via YouTube, reading ebooks and uploading content directly to the likes of Facebook, Bebo and MySpace. Anyone not up-to-date on these mobile devices will eventually miss something that would have strengthened a case.</p></div>
<div>
<p>While the basic content of a mobile phone remains much the same, the way it is stored is changing. SMS messages can be stored on memory cards on a number of handsets. When you think of the size of commercially available memory cards (as previously mentioned), the number of messages that can be stored in this manner is massive. If a handset is examined and the memory card is not treated correctly, this kind of content can easily be missed.</p></div>
<div>
<p>With the ever-increasing array of mobile software or &#8220;apps&#8221;, it is becoming possible to do almost anything with a new mobile device. When you consider Java applications and the number of handsets that support them, this encompasses an almost unlimited number of handsets.</p></div>
<div>
<p>I think there is little doubt that the gulf between PC and phone examinations has become a line that is becoming smaller and smaller. As phone forensics establishes itself more, and as more handsets are released with more features, we will soon see the day where forensic examinations of any device will be treated in the same way as computers and other similar media. I think phone forensics itself has graduated, and is now as much a part of digital forensics as any work that can be undertaken on a PC.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.forensic4cast.com/2009/05/the-changing-face-of-phone-forensics/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Things Not to Do to a Hard Drive Part 1</title>
		<link>http://www.forensic4cast.com/2008/07/things-not-to-do-to-a-hard-drive-part-1/</link>
		<comments>http://www.forensic4cast.com/2008/07/things-not-to-do-to-a-hard-drive-part-1/#comments</comments>
		<pubDate>Thu, 10 Jul 2008 09:26:42 +0000</pubDate>
		<dc:creator>simon</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://whitfields.org/4cast/?p=14</guid>
		<description><![CDATA[Episode 3.1 of the podcast is still available on this site and via iTunes. This is no doubt the first of many experiments in the name of Forensic 4Cast. It really depends on what other strange stuff I may feel like doing in the future. This first experiment involves an already broken hard drive, an [...]]]></description>
			<content:encoded><![CDATA[<p><a title="Forensic 4Cast Episode 3.1" href="http://whitfields.org/4cast/?p=13">Episode 3.1</a> of the podcast is still available on this site and via iTunes.</p>
<p>This is no doubt the first of many experiments in the name of Forensic 4Cast. It really depends on what other strange stuff I may feel like doing in the future.</p>
<p>This first experiment involves an already broken hard drive, an inkjet refill syringe, and a carbonated drink. I think you know where I&#8217;m going with this!</p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/01_hdd_syringe.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t01_hdd_syringe.jpg" alt="Hard Drive and Syringe" width="280" height="200" /><br />
</a></p>
<p style="center;">First of all I took an old Western Digital hard drive with a standard PATA connection. This hard drive had an issue regarding dodgy jumper pins, meaning when connected to a computer it would not recognise any PATA devices at all. Rather than fix it, I thought I&#8217;d play around a little bit.</p>
<p style="center;">I remember reading somewhere that an interesting way of rendering a hard drive unusable was to inject a soft drink into the air hole, sticking together the mechanisms, and allowing the carbonation of the drink to wear away at the platters. I thought I&#8217;d give it a try.</p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/02_hdd_inside.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t02_hdd_inside.jpg" alt="Hard Drive Inside" width="200" height="280" /><br />
</a></p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/03_platter_closeup.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t03_platter_closeup.jpg" alt="Hard Drive Platters Close Up" width="280" height="200" /><br />
</a></p>
<p style="center;">Having prepared my drink and syringe, and taken &#8220;before&#8221; pictures, I injected a carbonated pineapple and grapefruit drink (hoping citric acid would have an effect too) into the air hole.</p>
<p>I next left the hard drive to marinate in this drink overnight, and checked it the next day.</p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/05_hdd_draining.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t05_hdd_draining.jpg" alt="Hard Drive Draining" width="280" height="200" /><br />
</a></p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/06_hdd_drying.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t06_hdd_drying.jpg" alt="Hard Drive Platters Close Up" width="200" height="280" /><br />
</a></p>
<p style="center;">I expected to find some kind of damage, and maybe a slight sheen taken off the platters of the hard drive. To my disappointment, other than being much wetter than the day before, nothing else had changed. I don&#8217;t know what I was expecting really, but I hoped for something interesting.</p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/07_wet_hdd_platters.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t07_wet_hdd_platters.jpg" alt="Hard Drive Draining" width="280" height="200" /></a></p>
<p style="center;">Nonetheless, I took my &#8220;after&#8221; pictures, and I am left wondering what effect the drink actually had on the data held on the hard drive. I would still fancy my chances of recovering something from the disk if the correct machinery was available. As it isn&#8217;t, the hard drive is sat soggy and unworking in my kitchen.</p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/08_wet_hdd_inside.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t08_wet_hdd_inside.jpg" alt="Hard Drive is Pretty Wet" width="280" height="200" /><br />
</a></p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/09_platter_reflection.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t09_platter_reflection.jpg" alt="Reflection in Hard Drive Platters" width="280" height="200" /><br />
</a></p>
<p style="center;"><a href="http://whitfields.org/4cast/wp-content/uploads/2008/07/10_hdd_in_bits.jpg"><img src="http://whitfields.org/4cast/wp-content/uploads/2008/07/t10_hdd_in_bits.jpg" alt="Hard Drive in Wet Pieces" width="280" height="200" /><br />
</a></p>
<p style="center;">Anyone want a slightly damp, rattling paperweight?</p>
<p style="center;">Following shortly is a video of the experiment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.forensic4cast.com/2008/07/things-not-to-do-to-a-hard-drive-part-1/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>