Digital Forensic on Windows-Based Harddisk

Aji


Jun 15, 2026


This article walks through a digital forensic process, from acquisition through processing to analysis, applied to hard disks that previously held a Windows installation.

Executive Summary

This article explores digital forensics, data recovery and analysis on Windows-based hard disks bought second-hand from public marketplaces. The point it makes is that data fragments remain on a hard disk after the files have been deleted, and that those remnants can expose confidential or sensitive information to whoever obtains the disk next.

1. Methodology

The digital forensic process used here has four main phases: Preparation, Acquisition, Analysis and Reporting.

Digital forensic methodology: Preparation, Acquisition, Analysis, Reporting

Preparation

  • Resource preparation: buy second-hand hard disks from public marketplaces; for this work the size was capped at 250 GB.
  • Define objectives: determine the goal of the forensic analysis (data recovery, evidence gathering, malware investigation).
  • Gather tools: identify the tools needed to support the process, such as FTK Imager for acquisition and Autopsy or OSForensics for analysis.

Acquisition

  • Write blockers: use a hardware write blocker, a software write blocker, or a bootable Linux USB that does not auto-mount, so that nothing on the evidence disk is modified during acquisition. A software write blocker that only covers USB-attached storage protects the disk only if the disk is attached through USB and the protection is confirmed active before the disk is connected.
  • Create forensic images: image the disk with a tool such as FTK Imager and choose the output format (E01, raw dd, etc.). Hash the source while it is read and re-hash the finished image (MD5 plus at least one of SHA-1 or SHA-256) so the image can be shown to be identical to the source; MD5 alone is no longer collision resistant, so a second algorithm should always be recorded beside it.
  • Log everything: keep a chain-of-custody record of who handled the evidence, when it was collected and when it was returned.

Analysis

File System Analysis

  • Identify the file system type: determine which file system is in use (NTFS, FAT32, etc.).
  • Recover deleted files: use file recovery techniques and tools to recover deleted files and examine their metadata (timestamps, file size).
  • Check for hidden files: look for hidden, system or disguised files that may contain relevant evidence.

Registry Analysis

  • Extract the registry: parse the Windows registry hives (SYSTEM, SOFTWARE, SAM and each user's NTUSER.DAT) to gather information about users, installed software and system configuration.

Artifact Analysis

  • Investigate temporary files: examine temporary files, Prefetch files and recent documents for traces of user activity.
  • Review log files: analyse the Windows Event Logs (Security, System, Application) and application logs for relevant actions and events.

Memory Analysis

  • Utilize Memory Dumps: If available, analyze memory dumps to extract live data about processes, network connections, and other volatile information.

Timeline Creation

  • Establish a timeline: arrange events from file system metadata, log files, registry entries and browser stores in chronological order, after normalising every timestamp to UTC (NTFS and registry timestamps are stored in UTC, FAT32 timestamps in local time).
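
Building the timeline is where the different clocks collide: NTFS and the registry store 100-nanosecond FILETIME ticks counted from 1601, Chrome stores microseconds counted from 1601, Firefox stores microseconds counted from 1970, and exported event logs carry ISO-8601 strings. The Python code below is an added example, not part of the article, showing one way to normalise all of them to UTC before sorting, with a derived local-time column for the report. The records it orders are constructed for the demo, the dates are invented, and the UTC+7 reporting zone is an assumption.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_OFFSET = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01
WEBKIT_UNIX_OFFSET = 11644473600000000      # the same gap in microseconds (Chrome)
JAKARTA = timezone(timedelta(hours=7))       # assumption: report in WIB (UTC+7)


def filetime_to_utc(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC): NTFS $MFT timestamps,
    registry key last-write times, SAM account records, Prefetch and LNK files."""
    return UNIX_EPOCH + timedelta(microseconds=(ticks - FILETIME_UNIX_OFFSET) // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc for an aware datetime (used to build demo records)."""
    d = dt.astimezone(timezone.utc) - UNIX_EPOCH
    micro = (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds
    return micro * 10 + FILETIME_UNIX_OFFSET


def webkit_to_utc(micro):
    """Chrome/Chromium History: urls.last_visit_time and visits.visit_time are
    microseconds since 1601-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=micro - WEBKIT_UNIX_OFFSET)


def unix_micro_to_utc(micro):
    """Firefox places.sqlite: moz_places.last_visit_date and
    moz_historyvisits.visit_date are microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=micro)


def utc_to_unix_micro(dt):
    d = dt.astimezone(timezone.utc) - UNIX_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


DECODERS = {
    "filetime": filetime_to_utc,
    "webkit": webkit_to_utc,
    "unix_us": unix_micro_to_utc,
    "iso": datetime.fromisoformat,   # event log exports with an explicit offset
}


def build_timeline(records, local_tz=JAKARTA):
    """records: (source, artifact, raw_value, kind, note). Each raw value is decoded
    to UTC with the decoder named by kind, then everything is sorted; the local
    column is derived from UTC and never used for ordering."""
    rows = []
    for source, artifact, raw, kind, note in records:
        dt = DECODERS[kind](raw)
        if dt.tzinfo is None:            # a naive ISO string is taken as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        rows.append((dt, source, artifact, note))
    rows.sort(key=lambda r: r[0])
    return [{"utc": dt.strftime("%Y-%m-%dT%H:%M:%SZ"),
             "local": dt.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S %z"),
             "source": s, "artifact": a, "note": n} for dt, s, a, n in rows]


def demo_records():
    """Constructed records in the raw form each artifact stores them; the dates
    are invented for the demo and are not findings from the examined disks."""
    u = timezone.utc
    return [
        ("Chrome History", "https://www.facebook.com/",
         utc_to_unix_micro(datetime(2013, 3, 1, 10, 7, 12, tzinfo=u)) + WEBKIT_UNIX_OFFSET,
         "webkit", "last_visit_time"),
        ("Security.evtx", "EventID 4624 (logon)", "2013-03-02T01:15:00+00:00", "iso", "interactive logon"),
        ("SAM", "Users\\user (account created)",
         utc_to_filetime(datetime(2012, 10, 15, 3, 21, 7, tzinfo=u)), "filetime", "key last-write"),
        ("$MFT", "Users\\user\\Documents\\cv.docx",
         utc_to_filetime(datetime(2013, 3, 1, 9, 30, 0, tzinfo=u)), "filetime", "$SI created"),
        ("Firefox places.sqlite", "https://twitter.com/",
         utc_to_unix_micro(datetime(2013, 3, 1, 10, 5, 30, tzinfo=u)), "unix_us", "last_visit_date"),
    ]


if __name__ == "__main__":
    for row in build_timeline(demo_records()):
        print(f"{row['utc']}  {row['local']}  {row['source']:<22} {row['artifact']}  ({row['note']})")
```

The local column is only for the reader of the report; sorting on local time would silently misorder events across a DST change or across artifacts that were written on machines with different zone settings, and FAT32 timestamps, which carry no zone at all, have to be assigned the zone the machine was set to before they can go through the same path.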

Reporting

  • Document Findings: Create a comprehensive report detailing methods used, findings from analysis, and the significance of discovered artifacts.

2. Preparation

For this article, several hard disks were bought from public marketplaces and e-commerce platforms. The disks had to have previously carried a Windows installation, and their size was limited to 250 GB to keep acquisition and analysis time manageable.

The tools used in this project:

  1. FTK Imager for acquisition.
  2. Autopsy 4.21.0 (Windows) for analysis.
  3. USB Write Protect 2.0.0 (Windows) as a software write blocker.
  4. A bootable Linux USB as an alternative write blocker.
  5. CrystalDiskInfo to check the status and health (SMART data) of the hard disks.
  6. An Orico docking station to connect the hard disks.
  7. A 2 TB SanDisk external SSD to store the image of each hard disk and hold the analysis case files.

3. Acquisition

Before acquisition, confirm that the write blocker (the software tool or the bootable Linux USB) is actually in effect, so that nothing is written to the evidence disk while it is being imaged. Imaging was then done with FTK Imager in the Raw (dd) format. Raw was chosen because it is simple and universally readable: it is a bit-for-bit copy of the disk without compression or container metadata, so any tool can open it. The trade-off is that a raw image carries no embedded hashes or case information, unlike E01, so the summary text FTK Imager writes beside the image (see the appendix) is the only record tying the image to the source and must be kept with it. The images were stored on the external SSD prepared for this purpose.

Name | MD5 hash | Verified | Health (CrystalDiskInfo)
DF-01 | b95259e45a6eccb464f7ce7bf401fd69 | Yes | 96%
DF-02 | e29e70fce358dc1cd1848864e3be3c9c | Yes | 69%
DF-03 | db7b17357f7d8cc0da95a40cf6da29f2 | Yes | 100%

According to CrystalDiskInfo not all of the disks were fully healthy, but the acquisition completed on all three. The FTK Imager log for DF-01 in the appendix records one sector that could not be read and was zero-filled in the image; this belongs in the report, because a later re-acquisition of the same disk may read a different set of sectors and therefore produce a different hash. Each disk was given a code (DF-01 to DF-03) to refer to it during the investigation. FTK Imager hashes the source disk while reading it and then re-hashes the finished image file; the two values must match exactly before analysis starts. Note that the MD5 values listed above for DF-01 and DF-03 differ from those in the FTK Imager logs in the appendix; a report must carry one consistent set of values, and the appendix logs, which also record SHA-1, should be treated as the authoritative record.
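
The integrity check described in the Acquisition step of the methodology and carried out here with FTK Imager can be repeated independently, which matters because a raw dd image carries no embedded hash: the only link between image and source is the summary text written beside it. The following Python script is an added example, not part of the article or of FTK Imager. It streams the image through MD5, SHA-1 and SHA-256 so the file never has to fit in memory, reads the acquisition-time hashes and the zero-filled sector list out of a summary in the layout shown in the appendix, and reports any mismatch. The demo image and summary it builds are constructed here, with the hashes computed on the fly, so that the check passes on the untouched file and fails after a single byte is changed.

```python
import hashlib
import os
import re
import tempfile

SECTOR = 512
CHUNK = 4 * 1024 * 1024  # stream in 4 MiB pieces; a disk image does not fit in RAM


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Hash a raw (dd) image file in one streaming pass; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


_HASH_LINE = re.compile(r"^(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)
_BAD_SECTORS = re.compile(r"could not be read:\r?\n(.*?)\r?\nThe contents of these sectors", re.DOTALL)


def parse_ftk_summary(text):
    """Extract the acquisition-time hashes and the zero-filled sector list from the
    summary text FTK Imager writes next to the image (layout as in the appendix)."""
    acquisition_part = text.split("Image Verification Results:", 1)[0]
    expected = {}
    for name, value in _HASH_LINE.findall(acquisition_part):
        expected.setdefault(name.lower(), value.lower())
    m = _BAD_SECTORS.search(text)
    bad_sectors = [int(s) for s in m.group(1).split()] if m else []
    return expected, bad_sectors


def verify_image(path, summary_text):
    """Recompute the image hashes and compare them with the acquisition record.
    Returns (ok, details); ok is False if any recorded hash differs or none was found."""
    expected, bad_sectors = parse_ftk_summary(summary_text)
    actual = hash_image(path, algorithms=tuple(expected) + ("sha256",))
    mismatches = {n: (expected[n], actual[n]) for n in expected if expected[n] != actual[n]}
    ok = bool(expected) and not mismatches
    return ok, {"expected": expected, "actual": actual,
                "mismatches": mismatches, "zero_filled_sectors": bad_sectors}


def sector_is_zero(path, sector):
    """True when the given 512-byte sector of the image is all zero, which is how
    FTK Imager leaves source sectors it could not read."""
    with open(path, "rb") as fh:
        fh.seek(sector * SECTOR)
        return fh.read(SECTOR) == b"\x00" * SECTOR


def build_demo():
    """Constructed demo, not one of the article's images: a 32-sector 'disk' with
    sector 20 zero-filled, plus a summary in FTK Imager's layout whose hashes are
    computed here so that verification passes against the untouched file."""
    data = bytearray(bytes(range(256)) * 2 * 32)      # 32 sectors x 512 bytes
    data[20 * SECTOR:21 * SECTOR] = b"\x00" * SECTOR
    fd, path = tempfile.mkstemp(suffix=".001")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    h = hash_image(path)
    summary = (
        "Created By Exterro\u00ae FTK\u00ae Imager 4.7.3.81\n"
        "ATTENTION:\n"
        "The following sector(s) on the source drive could not be read:\n"
        "20\n"
        "The contents of these sectors were replaced with zeros in the image.\n"
        "[Computed Hashes]\n"
        f"MD5 checksum: {h['md5']}\n"
        f"SHA1 checksum: {h['sha1']}\n"
        "Segment list:\n"
        "E:\\DEMO\\DEMO.001\n"
        "Image Verification Results:\n"
        f"MD5 checksum: {h['md5']} : verified\n"
        f"SHA1 checksum: {h['sha1']} : verified\n"
    )
    return path, summary


def corrupt_one_byte(path, offset=5):
    """Flip one byte so that verification fails (simulates a damaged copy)."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0xFF]))


if __name__ == "__main__":
    path, summary = build_demo()
    ok, details = verify_image(path, summary)
    print("intact image verified:", ok, "zero-filled sectors:", details["zero_filled_sectors"])
    corrupt_one_byte(path)
    ok, details = verify_image(path, summary)
    print("after corruption verified:", ok, "mismatching:", sorted(details["mismatches"]))
    os.remove(path)
```

Against a real image the call is `verify_image("E:/DF-03/DF-03.001", open("E:/DF-03/DF-03.001.txt").read())` (placeholder paths). The recorded hash covers the image as written, zero-filled sectors included, so the sector list should be copied into the report alongside the hashes rather than treated as a footnote.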

4. Analysis

After imaging, the images on the external SSD were analysed with Autopsy, which was used for user profiling, data recovery and data-leak identification. After keyword searching and file identification across the three images, one of them turned out to contain a user profile together with sensitive and confidential data.

DF-01

DF-01 contained an operating system and a user account, but not enough supporting data to profile that account. With very few user files and almost no web history, the user's behaviour could not be determined.

DF-02

DF-02 contained an operating system, a user profile and some confidential or sensitive data. Autopsy recovered a variety of information from this disk, enough to support the investigation.

DF-03

DF-03 also contained an operating system, but no account specific to the previous user and no other supporting data from which a profile could be built, and no confidential data was found. One notable item was a ZIP file that the analysis tool flagged as a suspected ZIP bomb (see the appendix).
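
A ZIP bomb is a small archive whose entries inflate to an enormous size, so the one thing not to do with a suspected one is extract it. The Python code below is an added example, not a step the article performed: it judges an archive from its central directory alone (declared size against stored size, total declared output, archives nested inside the archive), and inflates an entry only under a hard byte cap, because the declared sizes were written by whoever built the archive and can lie. Both archives it checks are constructed inline. For the file flagged on DF-03 (Windows\bootstat.dat, per the appendix) the first check would be whether the file is a ZIP container at all, since bootstat.dat is normally the Windows boot status log rather than an archive.

```python
import io
import zipfile

RATIO_LIMIT = 100.0        # deflate cannot exceed roughly 1032:1; documents stay far below 100:1
DECLARED_LIMIT = 1 << 30   # more than 1 GiB of declared output is not inflated blindly
NESTED_SUFFIXES = (".zip", ".jar", ".war", ".apk")


class BombError(Exception):
    """Raised when inflating an entry would exceed the configured byte cap."""


def inspect_zip(path_or_file):
    """Judge an archive from its central directory only; nothing is inflated.
    'suspicious' is set on an implausible declared:stored ratio, a huge total
    declared output, or archives nested inside the archive (multi-layer bombs)."""
    declared = stored = entries = nested = 0
    max_ratio = 0.0
    with zipfile.ZipFile(path_or_file) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entries += 1
            declared += info.file_size
            stored += info.compress_size
            max_ratio = max(max_ratio, info.file_size / max(info.compress_size, 1))
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                nested += 1
    return {"entries": entries, "declared_bytes": declared, "stored_bytes": stored,
            "max_ratio": max_ratio, "nested_archives": nested,
            "suspicious": max_ratio > RATIO_LIMIT or declared > DECLARED_LIMIT or nested > 0}


def inflate_capped(path_or_file, name, cap=64 << 20):
    """Inflate one entry while counting output bytes; abort at the cap no matter
    what the central directory claims (those sizes are attacker-controlled)."""
    out = io.BytesIO()
    produced = 0
    with zipfile.ZipFile(path_or_file) as zf, zf.open(name) as src:
        while True:
            block = src.read(1 << 16)
            if not block:
                break
            produced += len(block)
            if produced > cap:
                raise BombError(f"{name}: inflated output exceeded {cap} bytes")
            out.write(block)
    return out.getvalue()


def exceeds_cap(path_or_file, name, cap):
    """True when inflating the entry hits the cap (convenience wrapper)."""
    try:
        inflate_capped(path_or_file, name, cap)
    except BombError:
        return True
    return False


def demo_archives():
    """Constructed inline for the demo: a benign archive of varied text and an
    8 MiB run of zeros that deflates to a few kilobytes (the single-layer bomb shape)."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "\n".join(f"line {i}: value {i * i}" for i in range(500)))
    bomb = io.BytesIO()
    with zipfile.ZipFile(bomb, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\x00" * (8 << 20))
    return benign, bomb


if __name__ == "__main__":
    for label, archive in zip(("benign", "bomb"), demo_archives()):
        report = inspect_zip(archive)
        print(f"{label}: declared={report['declared_bytes']} stored={report['stored_bytes']} "
              f"ratio={report['max_ratio']:.0f}:1 suspicious={report['suspicious']}")
    print("bomb hits 1 MiB cap:", exceeds_cap(demo_archives()[1], "payload.bin", 1 << 20))
```

Nested archives are counted because a multi-layer bomb keeps each layer's ratio modest and only the product of the layers is extreme, so a single-layer ratio check alone can be evaded; a file that fails the first test (not a valid ZIP container at all) is not a bomb but simply mislabelled, which is worth recording too.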

Keywords Used

The following keywords were used during analysis. The counts are the number of files Autopsy reported as containing the term, before review. Short or generic terms (kk, memory, profile, game) will match as substrings of unrelated data and account for most of the large counts, so a high count is a starting point for review, not a finding. Indonesian terms are glossed in the third column.

Keyword | Files with hits | Gloss
akta | 188 | deed, certificate
alamat | 215 | address
B*****g | 4997 | (redacted account name)
biaya | 146 | cost, fee
budget | 200 |
cheat | 486 |
confidential | 6375 |
crack | 430 |
credit card | 358 |
daftar riwayat hidup | 31 | curriculum vitae
data pribadi | 20 | personal data
dump | 2198 |
email | 3532 |
f1460141 | 1 |
facebook | 2031 |
finance | 193 |
finansial | 36 | financial
foursquare | 19 |
gaji | 212 | salary
game | 5629 |
gmail | 486 |
hack | 859 |
hang tuah | 36 | (proper noun)
instagram | 16 |
K*****i | 104 | (redacted real name)
kartu keluarga | 4 | family card (household registration)
kartu kredit | 18 | credit card
kesehatan | 400 | health
keuangan | 86 | finance
kk | 34266 | abbreviation of kartu keluarga
ktp | 3012 | national identity card
L**u | 5729 | (redacted account name)
l******i@gmail.com | 4 | (redacted e-mail address)
lahir | 129 | born, birth
mabes | 80 | headquarters (markas besar)
markas | 46 | headquarters, base
memdump | 4 |
memory | 15337 |
messenger | 1556 |
nota | 449 | receipt, invoice
pasien | 152 | patient
payroll | 30 |
pembayaran | 72 | payment
pembelian | 46 | purchase
peraturan | 107 | regulation
perjanjian | 59 | agreement, contract
pribadi | 142 |  personal, private
profile | 13165 |
rahasia | 77 | secret, confidential
riwayat | 144 | history, record
salary | 68 |
sertifikat | 57 | certificate
tni | 5492 | Indonesian National Armed Forces
tni al | 177 | Indonesian Navy
yahoo | 2710 |
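
Autopsy's keyword search produced the counts above, but a count alone does not say whether a hit is an ASCII string in a document or a UTF-16LE string in a registry hive, and it does not explain why a two-letter term such as kk returns tens of thousands of files. The Python scanner below is an added example written for this section, not Autopsy's implementation. It searches a raw image (memory-mapped, read-only) for each keyword in both ASCII and UTF-16LE, counts overlapping occurrences, reports the sectors that hold them, and has a whole-word mode that suppresses substring noise. The sample data is constructed inline and is not taken from the examined disks.

```python
import mmap
import os
import re
import tempfile

SECTOR = 512


def keyword_patterns(keywords, whole_word=False):
    """Compile an (ASCII, UTF-16LE) regex pair per keyword.

    Windows artifacts such as registry hives, $MFT file names, LNK files and many
    application stores hold text as UTF-16LE, so an ASCII-only search misses them.
    Matches are zero-width lookaheads so that overlapping occurrences (every "kk"
    inside "kkkk") are all counted, which is exactly the noise a short term makes."""
    compiled = {}
    for kw in keywords:
        regexes = []
        for encoding, nul in (("latin-1", b""), ("utf-16-le", b"\x00")):
            body = re.escape(kw.encode(encoding))
            if whole_word:
                # no letter or digit (in the same encoding) directly before or after
                body = (rb"(?<![A-Za-z0-9]" + nul + rb")(?=(" + body +
                        rb")(?![A-Za-z0-9]" + nul + rb"))")
            else:
                body = rb"(?=(" + body + rb"))"
            regexes.append(re.compile(body, re.IGNORECASE))
        compiled[kw] = regexes
    return compiled


def scan_bytes(data, patterns):
    """Return {keyword: {"hits": n, "sectors": [...]}} for a bytes-like buffer."""
    report = {}
    for kw, regexes in patterns.items():
        offsets = sorted(m.start() for rx in regexes for m in rx.finditer(data))
        report[kw] = {"hits": len(offsets),
                      "sectors": sorted({off // SECTOR for off in offsets})}
    return report


def scan_file(path, patterns):
    """Scan a raw image without loading it: the file is memory-mapped read-only,
    so the regexes walk the whole image while the OS pages it in."""
    with open(path, "rb") as fh:
        if fh.seek(0, 2) == 0:
            return scan_bytes(b"", patterns)
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan_bytes(mm, patterns)


def demo_data():
    """Constructed sample, not data from the examined disks: an ASCII fragment,
    NUL padding, and a UTF-16LE fragment as Windows would store it."""
    ascii_part = b"Contact: l.budi@gmail.com\nnote: Bokkkkk trekkking\n"
    utf16_part = "Kartu Keluarga (KK) No. 3174xxxx; email gmail".encode("utf-16-le")
    return ascii_part + b"\x00" * 100 + utf16_part


def write_demo_file():
    fd, path = tempfile.mkstemp(suffix=".001")
    with os.fdopen(fd, "wb") as fh:
        fh.write(demo_data())
    return path


if __name__ == "__main__":
    words = ["gmail", "kk", "kartu keluarga"]
    path = write_demo_file()
    for mode in (False, True):
        print("whole_word =", mode)
        for kw, r in scan_file(path, keyword_patterns(words, whole_word=mode)).items():
            print(f"  {kw:<15} hits={r['hits']:<3} sectors={r['sectors']}")
    os.remove(path)
```

On the sample, kk is found seven times as a substring but once as a word, while gmail is found once in ASCII and once in UTF-16LE; a search that only understood ASCII would have reported half the real hits and a search without word boundaries would have reported noise. Sector numbers are what let a hit be tied back to a file through the file system's cluster map, or, for unallocated space, to a carving run.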

OS Information & Accounts

The previous user of DF-01 ran Windows 10 Pro (AMD64) under the account P***o A*******r. An attempt at profiling this user failed for lack of supporting data.

Hard disk: DF-01
OS: Windows 10 Pro
Architecture: AMD64
User accounts:
  • P***o A*******r
  • DefaultAccount
  • WDAGUtilityAccount
  • Guest
  • Administrator
Primary user: P***o A*******r

DF-02 ran Windows 7 Ultimate Service Pack 1 (x86). The owner's name is L**u and the computer name was L**U-PC. Several accounts were found on the disk.

Two accounts were used most often: L**u, with 907 logons, and B*****g, with 1198. B*****g was created on May 21, 2011 and L**u on October 15, 2012. Both are local Administrator accounts and neither required a password to log in. Besides these two, the built-in Administrator and Guest accounts were present, both disabled.

Hard disk: DF-02
OS: Windows 7 Ultimate Service Pack 1
Architecture: x86
User accounts:
  • L**u
  • B*****g
  • Administrator
  • Guest
  • HomeGroupUser$
Primary users:
  • L**u
  • B*****g

For DF-03, no account belonging to the previous user was found (only the built-in accounts), and there was no other supporting data, so no user profile could be built.

Hard disk: DF-03
OS: Windows 10 Home
Architecture: AMD64
User accounts:
  • Guest
  • Administrator
  • WDAGUtilityAccount
  • DefaultAccount
Primary user: Administrator

User Profile & Data Leak

User profile is information about the previous users which can contain data such as:

  • Full name.
  • Residential address.
  • Place of work.

Data leaks, meanwhile, are items of sensitive information that were meant to be kept private and protected from unauthorised access, disclosure or use, but were nevertheless found during analysis, such as:

  • Personally Identifiable Information (PII).
  • Protected Health Information.
  • Financial Information.

A user profile on DF-02 matched one of the user accounts and the computer name found earlier, namely L**u. Further investigation turned up data about L**u including a college registration form, a driver's license number, a residential address, an email address, social media accounts and other supporting data.

File | Location | MD5 hash | Notes
711056088.pdf | /img_DF-02.001/vol_vol6/$CarvedFiles/13/f0024165.pdf | 39fac4c23bd37d5faf79ae99bed24404 | Registration form containing PII and a license number
ijasah 22.pdf | /img_DF-02.001/vol_vol2/Windows.old/Users/B*****g/Documents/ijasah 22.pdf | 81555d8cad171914263f4d80d58eb0ab | K*****i's diploma (ijazah)
ijasah 33.pdf | /img_DF-02.001/vol_vol2/Windows.old/Users/B*****g/Documents/ijasah 33.pdf | a1729adfc93f696e79976c30311f7a1a | K*****i's diploma (ijazah)
places.sqlite | /img_DF-02.001/vol_vol2/## aswSnx private storage/sfzone/image/Users/B*****g/AppData/Roaming/Mozilla/Firefox/Profiles/apbmfcu0.default/places.sqlite | e875dc678a4b65d22ddcf96e77c59630 | K*****i's Facebook profile (1)
History | /img_DF-02.001/vol_vol2/Windows.old/Users/B*****g/AppData/Local/Google/Chrome/User Data/Default/History | d3785af792ca3595a68e45acc9193c4e | K*****i's Facebook profile (2)
f0313845.docx | /img_DF-02.001/vol_vol6/$CarvedFiles/10/f0313845.docx | fbf537a355db1a56327e4e815880de6d | K*****i's curriculum vitae
f0069113.jpg | /img_DF-02.001/vol_vol6/$CarvedFiles/26/f0069113.jpg | bce5aeb5b9436125ef0696763e9768cb | Photo of K*****i with her husband
f0293033.jpg | /img_DF-02.001/vol_vol6/$CarvedFiles/23/f0293033.jpg | 6c4c23e3bf43d8b72a08633945125b7b | Photo of K*****i in TNI uniform
f0598525.jpg | /img_DF-02.001/vol_vol6/$CarvedFiles/11/f0598525.jpg | 329da7afb743b2c031d7baf922ff4320 | Photo of K*****i in T*I uniform
f0986341.jpg | /img_DF-02.001/vol_vol6/$CarvedFiles/20/f0986341.jpg | a757997fa9975083fd93207d83e0fb9a | Photo of K*****i with her children

From the sample data above, L**u's real name is K*****i, born in B*****i on February 2, 19**. K*****i graduated from the H******h Dental Academy in Jakarta in 20** and appears to have applied to continue her education with a bachelor's degree in Public Health at the University of I******a, registering with the email address l**uK*****i@gmail.com. Cross-referencing the documents with her social media gives three past employers, which are withheld here for privacy. K*****i has a permanent address in the B****i area and a temporary residence in Jakarta; she is married and has children.

In summary, this hard disk contains a data leak from its previous user: a driver's license number, an educational certificate and a curriculum vitae. All of these are confidential, sensitive data that could be abused by whoever bought the disk. No user profile or confidential data was found on DF-01 or DF-03.

User Behaviour & Other Information

For DF-02, behavioural analysis started from the programs installed on the OS, as recorded in the SOFTWARE registry hive. Many games were installed, apparently by K*****i's children, and some of them were pirated. The previous users also installed common programs such as Microsoft Office, Nitro PDF, Yahoo! Messenger and Google Chrome.

Software | Source (registry hive or file) | MD5 of source | Category
Big Kahuna Reef | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Game
Poker Superstars | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Game
Mah Jong Medley | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Game
Counter-Strike 1.6 v.Counter-Strike 1.6 No Steam | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Game
Mozilla Firefox | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Browser
Microsoft Office Enterprise 2007 | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Office
Microsoft Outlook 2007 | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Email client
Adobe Flash Player 11 | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Flash Player
Yahoo! Messenger | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Chat application
Internet Download Manager | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Download manager
K-Lite Codec Pack | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Media player
Nitro PDF Professional | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | PDF reader
Google Chrome | /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE | f940198b8253f541f2e2fad8cc7fcba4 | Browser
Crack.lnk | F:\Pes 2011 v1 02\Crack | db3eb46c900832a034a5c69d73f39ff7 | Pirated game (shortcut target)

The MD5 in this table is that of the source the entry was read from, the RegBack copy of the SOFTWARE hive, not of the software itself.

Among the office documents and PDFs were many readings and presentation materials on health, particularly in a military setting, consistent with K*****i's background in health and the military.

File | Location | MD5 hash | Notes
f0613373_DATA_LAPORAN_I*****S.ppt | /img_DF-02.001/vol_vol6/$CarvedFiles/17/f0613373_DATA_LAPORAN_I*****S.ppt | 10478310a82d602764a30f26ccdd1e58 | Workplace information data
f0085701_INFORMASI_DASAR_PMS_HIV_AIDS.ppt | /img_DF-02.001/vol_vol6/$CarvedFiles/17/f0085701_INFORMASI_DASAR_PMS_HIV_AIDS.ppt | cd9363b387e60fa41bf4e6a942c63019 | Basic information about STDs and HIV/AIDS
f0901621_PERATURAN_PER_UU_YG_BERKAITAN_DENGAN_TUGAS2_***.ppt | /img_DF-02.001/vol_vol6/$CarvedFiles/12/f0901621_PERATURAN_PER_UU_YG_BERKAITAN_DENGAN_TUGAS2_***I.ppt | 1f4022a71fe4a5bc35270f538b397b8b | Laws and regulations relating to work duties

A third-party antivirus, ESET NOD32, was also installed. This suggests some concern for device security, though an installed product alone does not show that it was kept updated or active.

Software | Source (registry hive) | MD5 of source | Category
ESET NOD32 Antivirus v.3.0.672.0 | /img_DF-02.001/vol_vol2/Windows/System32/config/software | d199431bdffafcd70b3a648a0c777715 | Antivirus

Searching the web history showed that Facebook was the website K*****i accessed most often, followed by Twitter.

Two Chromium profiles were also found: First User, used by the L**u account, and Default, used by the B*****g account. For DF-01 and DF-03, no indication of user behaviour or other supporting information was found because of the lack of data.
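
Ranking sites by visit count across both browsers and both Chromium profiles can be done directly on the copied History and places.sqlite files with SQL. The Python example below is added here and is not the article's procedure. It opens the copies read-only and immutable (so SQLite never writes a journal next to the evidence), decodes the two different timestamp formats, and aggregates visit_count per host across browsers and profiles. The databases it queries are constructed in memory with the relevant columns of the real schemas; the URLs and counts are invented, not data from DF-02.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome: microseconds since 1601
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox: microseconds since 1970


def open_readonly(path):
    """Open a copied History / places.sqlite read-only and immutable, so SQLite
    writes no journal and ignores any stale lock state inside the evidence copy."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def chrome_rows(con, label="Chrome"):
    """Chrome 'History': urls.last_visit_time is WebKit time (microseconds since 1601-01-01 UTC)."""
    for url, title, visits, last in con.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls"):
        when = WEBKIT_EPOCH + timedelta(microseconds=last) if last else None
        yield label, url, title, visits or 0, when


def firefox_rows(con, label="Firefox"):
    """Firefox 'places.sqlite': moz_places.last_visit_date is microseconds since the
    Unix epoch and NULL for bookmarked pages that were never visited."""
    for url, title, visits, last in con.execute(
            "SELECT url, title, visit_count, last_visit_date FROM moz_places"):
        when = UNIX_EPOCH + timedelta(microseconds=last) if last else None
        yield label, url, title, visits or 0, when


def top_domains(row_sources, limit=5):
    """Aggregate visits per host across every browser/profile iterator given.
    row_sources: iterables yielding (label, url, title, visits, last_visit)."""
    agg = {}
    for rows in row_sources:
        for label, url, title, visits, last in rows:
            host = (urlsplit(url).hostname or "").lower()
            if host.startswith("www."):
                host = host[4:]
            if not host:
                continue
            e = agg.setdefault(host, {"host": host, "visits": 0, "last_visit": None, "profiles": set()})
            e["visits"] += visits
            e["profiles"].add(label)
            if last is not None and (e["last_visit"] is None or last > e["last_visit"]):
                e["last_visit"] = last
    return sorted(agg.values(), key=lambda e: (-e["visits"], e["host"]))[:limit]


def _micros_since(dt, epoch):
    d = dt - epoch
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def demo_connections():
    """Constructed in-memory databases with the columns the real files carry;
    URLs, titles and counts are invented for the demo."""
    u = timezone.utc
    chrome = sqlite3.connect(":memory:")
    chrome.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
                   "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    chrome.executemany("INSERT INTO urls(url, title, visit_count, typed_count, last_visit_time, hidden) "
                       "VALUES (?, ?, ?, ?, ?, ?)", [
        ("https://www.facebook.com/", "Facebook", 120, 30,
         _micros_since(datetime(2013, 3, 1, 10, 7, 12, tzinfo=u), WEBKIT_EPOCH), 0),
        ("https://twitter.com/home", "Twitter", 40, 10,
         _micros_since(datetime(2013, 2, 20, 8, 0, 0, tzinfo=u), WEBKIT_EPOCH), 0),
        ("https://mail.google.com/mail/", "Gmail", 25, 5,
         _micros_since(datetime(2013, 2, 28, 7, 45, 0, tzinfo=u), WEBKIT_EPOCH), 0),
    ])
    firefox = sqlite3.connect(":memory:")
    firefox.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
                    "visit_count INTEGER DEFAULT 0, last_visit_date INTEGER)")
    firefox.executemany("INSERT INTO moz_places(url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?)", [
        ("https://www.facebook.com/profile.php", "Facebook", 35,
         _micros_since(datetime(2012, 11, 5, 12, 0, 0, tzinfo=u), UNIX_EPOCH)),
        ("https://www.foursquare.com/", "Foursquare", 3,
         _micros_since(datetime(2012, 11, 6, 12, 0, 0, tzinfo=u), UNIX_EPOCH)),
        ("https://example.org/bookmark", "never visited", 0, None),
    ])
    return chrome, firefox


if __name__ == "__main__":
    chrome, firefox = demo_connections()
    for e in top_domains([chrome_rows(chrome, "Chrome (Default)"), firefox_rows(firefox, "Firefox")]):
        last = e["last_visit"].strftime("%Y-%m-%d %H:%M:%S UTC") if e["last_visit"] else "never"
        print(f"{e['host']:<20} {e['visits']:>5}  {last}  {sorted(e['profiles'])}")
```

On real evidence the connections come from `open_readonly("<exported History copy>")` and `open_readonly("<exported places.sqlite copy>")`, one call per profile found; for finer detail than the per-URL totals, the `visits` table in Chrome and `moz_historyvisits` in Firefox hold one row per visit and feed the timeline directly.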

5. Conclusion

Based on the digital forensic investigation carried out, the following conclusions can be drawn:

  1. User profile: the main user account on DF-02 was L**u, whose real name is K*****i, a woman born in B******i on February 2, 19**. Her three previous jobs, her current addresses, her family, and photos of her and her family were recovered.
  2. Confidential data leaks: an educational certificate, a curriculum vitae and a driver's license number belonging to K*****i were recovered from DF-02. The certificate was issued for her studies at the H******h Academy in Jakarta; the CV includes her date of birth, positions, and rank and posting history; the registration form carried the driver's license number she used as identification.
  3. User behaviour: many games and common programs such as Microsoft Office and Google Chrome were installed on DF-02, some of the games pirated; the ESET NOD32 antivirus was installed; and many documents and presentations related to health and the military were present, consistent with the user's background.

Appendix

1. Hard disks bought from the marketplace

DF-01

  • Brand: Hitachi
  • Size: 250 GB
  • P/N: 0A73352
DF-01 hard disk (photo)

DF-02

  • Brand: Hitachi
  • Size: 250 GB
  • P/N: 0A74422
DF-02 hard disk (photo)

DF-03

  • Brand: Hitachi
  • Size: 250 GB
  • P/N: 0A70432
DF-03 hard disk (photo)

2. Acquisition

FTK Imager DF-01

Created By Exterro® FTK® Imager 4.7.3.81
Case Information:
Acquired using: ADI4.7.3.81
Case Number: DF-01
Evidence Number: 01
Unique description: DF-01
Examiner: DFIR
Notes:
Information for F:\DF-01\DF-01:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 30.401
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 488.397.168
[Physical Drive Information]
Drive Model: HITACHI HTS725025A9A361 SCSI Disk Device
Drive Serial Number: 8F9038EE1A62
Drive Interface Type: SCSI
Removable drive: False
Source data size: 238475 MB
Sector count: 488397168
ATTENTION:
The following sector(s) on the source drive could not be read:
287027738
The contents of these sectors were replaced with zeros in the image.
[Computed Hashes]
MD5 checksum: 8d608d993a1b6b7c9588860e1b096184
SHA1 checksum: c6bf819984808887d40f507992a8e8c105604d0b
Segment list:
F:\DF-01\DF-01.001
COMPUTED HASH : 8d608d993a1b6b7c9588860e1b096184
COMPUTED HASH : c6bf819984808887d40f507992a8e8c105604d0b
Image Verification Results:
MD5 checksum: 8d608d993a1b6b7c9588860e1b096184 : verified
SHA1 checksum: c6bf819984808887d40f507992a8e8c105604d0b : verified

FTK Imager DF-02

Created By Exterro® FTK® Imager 4.7.3.81
Case Information:
Acquired using: ADI4.7.3.81
Case Number: 2
Evidence Number: DF-02
Unique description: HITACHI 250 GB-0A74422
Examiner: DFIR
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 30.401
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 488.397.168
[Physical Drive Information]
Drive Model: Hitachi HTS545025B9A300 SCSI Disk Device
Drive Serial Number: 8F9038EE1A62
Drive Interface Type: SCSI
Removable drive: False
Source data size: 238475 MB
Sector count: 488397168
[Computed Hashes]
MD5 checksum: e29e70fce358dc1cd1848864e3be3c9c
SHA1 checksum: 183dd19f8f0330ec8e15dabdba2da2d61b4fa079
Segment list:
D:\DF-02\DF-02.001
COMPUTED HASH : e29e70fce358dc1cd1848864e3be3c9c
COMPUTED HASH : 183dd19f8f0330ec8e15dabdba2da2d61b4fa079
Image Verification Results:
MD5 checksum: e29e70fce358dc1cd1848864e3be3c9c : verified
SHA1 checksum: 183dd19f8f0330ec8e15dabdba2da2d61b4fa079 : verified

FTK Imager DF-03

Created By Exterro® FTK® Imager 4.7.3.81
Case Information:
Acquired using: ADI4.7.3.81
Case Number: DF-03
Evidence Number: 03
Unique description: DF-03
Examiner: DFIR
Notes:
Information for E:\DF-03\DF-03:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 30.401
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 488.397.168
[Physical Drive Information]
Drive Model: Hitachi HTS545025B9A300 SCSI Disk Device
Drive Serial Number: 8F9038EE1A62
Drive Interface Type: SCSI
Removable drive: False
Source data size: 238475 MB
Sector count: 488397168
[Computed Hashes]
MD5 checksum: ab3965104e82b4c44d60c8afeabb8ebc
SHA1 checksum: 912e8b113c5d36ed5705772f6d2d90489cab5e5e
Segment list:
E:\DF-03\DF-03.001
COMPUTED HASH : ab3965104e82b4c44d60c8afeabb8ebc
COMPUTED HASH : 912e8b113c5d36ed5705772f6d2d90489cab5e5e
Image Verification Results:
MD5 checksum: ab3965104e82b4c44d60c8afeabb8ebc : verified
SHA1 checksum: 912e8b113c5d36ed5705772f6d2d90489cab5e5e : verified

3. Analysis Process

Autopsy DF-01 (screenshot)
Autopsy DF-02 (screenshot)
Autopsy DF-03 (screenshot)

4. OS Information

OS Information DF-01

File: /img_DF-01.001
MD5: -
Tools: Autopsy
Short Description: OS Information from DF-01
Artifacts: A1

OS Information DF-01 (screenshot)

OS Information DF-02

File: /img_DF-02.001
MD5: e29e70fce358dc1cd1848864e3be3c9c
Tools: Autopsy
Short Description: OS Information from DF-02
Artifacts: A2

OS Information DF-02 (screenshot)

OS Information DF-03

File: /img_DF-03.001
MD5: -
Tools: Autopsy
Short Description: OS Information from DF-03
Artifacts: A3

OS Information DF-03 (screenshot)

5. OS Accounts

OS Account DF-01

OS Account DF-01 (screenshot)
DF-01 Account (screenshot)

OS Account DF-02

DF-02 First Account (screenshot)
DF-02 Second Account (screenshot)

OS Account DF-03

DF-03 Account (screenshot)

6. Sample list of installed games

Installed Games in DF-02 account

Installed games on DF-02 (screenshot)

7. Antivirus installed

Antivirus in DF-02

File: /img_DF-02.001/vol_vol2/Windows/System32/config/RegBack/SOFTWARE
MD5: f940198b8253f541f2e2fad8cc7fcba4
Tools: Autopsy
Short Description: Sample list of installed antivirus.
Artifacts: A18

Antivirus installed on DF-02 (screenshot)

8. ZIP Bomb

ZIP Bomb in DF-03

File: /img_DF-03.001/vol_vol6/Windows/bootstat.dat
MD5: 926d009a45277629a81311ba551e6815
Tools: Autopsy
Short Description: ZIP Bomb file.
Artifacts: A21

ZIP bomb on DF-03 (screenshot)


© 2026 Tjakrabirawa Teknologi Indonesia. All Rights Reserved.