Hello everyone. This week we're going to be talking about data locations and the meaning of data that are found in certain locations. For this lecture I'll talk about a few common places we normally look for information about user activities on systems, and then I'll have a couple of things you can read about other data types, where to look for them, and how to investigate them on your own.

So far, from one of our first lectures, we have a process for asking questions and finding answers to those questions, specifically using the scientific method for your investigation. We've acquired suspect or victim data, we've recovered quite a bit of information from that data, and now we need to make sense of it. We actually need to investigate the suspect or victim data and find out how it relates to the question that's being asked.

So the first thing we need to know is what question we're actually trying to answer with this data. Once we've done all of these forensic processes to get the data exactly the way the suspect had it, what are we actually trying to answer? Are we looking for evidence that the husband killed his wife? Are we looking for evidence that this kid went to a certain phishing website, or that their computer was hacked? What are we looking for?

So to be able to start the investigation we need a very good question: what is the investigator trying to answer? We need verified forensic copies of the data; that was the past lectures, and I hope you are aware of acquisition and verification of suspect data. And we need the data to have been processed or recovered somehow. This is our recovery process, and in forensic tools usually also indexing and some other processing to get the data ready to be analyzed. So that's what we have so far.
We need to figure out what exactly this data means to our investigation. Imagine that I'm looking at whether the husband could have killed his wife. The crime is not necessarily a cybercrime, it's a very physical crime, but digital devices might be related to it. So maybe I want to prove that the husband was actually at the house around the time that the murder took place. I can potentially do that in a few different ways with the data, and the first thing that comes to mind is looking at timestamps on the computer. Does the husband have, for example, his own laptop? Was he logged in? Was he checking Facebook or YouTube or something like that, and what were the timestamps of those activities on his system? So looking at timestamps, along with the fact that he, or someone, was logged in on his computer, can potentially place him at the crime scene.

So some examples of things we look at to try to establish user behavior and user actions are: timestamps, definitely; Windows registry entries, and also some similar entries in OS X and Linux that we'll talk about; files in the Downloads folder, and what files in the Downloads folder actually mean; and files in Temporary Internet Files, and what those could mean. I'll talk about those locations and what they potentially mean for our investigation, because they are so useful for so many investigations. I'll also have a lot of information about other locations as well.

So first off, file timestamps. Think about your computer right now, or your phone, or whatever digital device you're dealing with: what timestamps are created, where are they located, and where is the data stored? Most people are probably using Windows systems. On Windows systems files tend to have, well, now two, but usually about three file timestamps.
So whenever I create a file, or modify a file, or somehow change it, those timestamps are updated. We usually have creation time, access time and modified time; the most common are accessed, modified and created. But what does that actually mean? Whenever I'm looking at those timestamps, what can they mean for the investigation?

On most systems the file system itself keeps track of the timestamp information. On a Windows system we most likely have the NTFS file system, and all of the metadata, the timestamp information along with some other information, will be stored in the file system. It's not stored in the file itself; it's stored in the file system. Again, we usually have modified, accessed and created times.

So what do these timestamps mean? They mean that some action has taken place at that particular time, or around that time. We just have to establish what action it was. For example, for file creation times, most people would look at a file creation time and say, well, obviously that's the time the file was created. But is that always true? Not necessarily. If I create a file on my computer, then the creation time would most likely be the time that I created it. But what happens when you copy the file onto a USB stick, move it to another computer, and copy it onto that computer? Are the timestamps updated? How are they updated? How the timestamps are updated depends completely on the file systems that the file is being copied to. Most USB sticks, for example, are probably something like FAT32 or exFAT, and whenever you copy the data over, the timestamps might be updated, and if you then copy it to another computer they might be updated again. So this metadata can change depending on the file system and on how people are copying things.
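As an added example of the copying point just made (this is not code from the lecture), the script below takes the created, modified and accessed timestamps of a file as Windows FILETIME values and states which action they are consistent with. The rule it applies is the one above: a created time only shows that something happened to the file on this volume at that moment, and a modified time that is earlier than the created time is the usual sign that the file was copied in from somewhere else, because copying onto NTFS gives the file a fresh creation time while the source's modification time travels with the content. All sample records are constructed, not from a real case.

```python
"""Reading file timestamps as evidence of *some* action, not of "creation".

Added example for this lecture (not part of the original material). All sample
records below are constructed, not from a real case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class FileRecord:
    path: str
    created: int   # FILETIME, as recorded in the file system metadata
    modified: int
    accessed: int


def interpret(rec: FileRecord, tolerance: timedelta = timedelta(seconds=2)) -> dict:
    """Describe which action the three timestamps are consistent with."""
    created = filetime_to_datetime(rec.created)
    modified = filetime_to_datetime(rec.modified)
    accessed = filetime_to_datetime(rec.accessed)
    out = {
        "path": rec.path,
        "created": created.isoformat(),
        "modified": modified.isoformat(),
        "accessed": accessed.isoformat(),
    }
    if modified + tolerance < created:
        out["interpretation"] = ("copied onto this volume at 'created'; "
                                 "content last changed at 'modified' on the source")
    elif abs(modified - created) <= tolerance:
        out["interpretation"] = "created here and not changed since (or all stamps reset together)"
    else:
        out["interpretation"] = "created here at 'created' and edited afterwards at 'modified'"
    if accessed + tolerance < modified:
        # Modern Windows disables last-access updates by default, so this is common
        # and means the accessed time must not be used to prove a recent read.
        out["caveat"] = "accessed predates modified: last-access updates probably disabled"
    return out


def _ft(*ymdhm: int) -> int:
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


# Constructed sample records: one native file, one edited file, one copied-in file.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\suspect\Documents\notes.txt",
               created=_ft(2023, 3, 1, 9, 0), modified=_ft(2023, 3, 1, 9, 0), accessed=_ft(2023, 3, 1, 9, 0)),
    FileRecord(r"C:\Users\suspect\Documents\report.docx",
               created=_ft(2023, 3, 1, 9, 0), modified=_ft(2023, 3, 4, 17, 30), accessed=_ft(2023, 3, 1, 9, 0)),
    FileRecord(r"C:\Users\suspect\Downloads\photo.jpg",
               created=_ft(2023, 3, 6, 22, 15), modified=_ft(2022, 11, 20, 8, 45), accessed=_ft(2023, 3, 6, 22, 15)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(interpret(rec))
```

The tolerance argument exists because FAT-family file systems store modified times at two-second resolution, so a file copied from a USB stick can come back with times that differ from NTFS by a second or two without anything having changed.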
So just because we see a created time at a certain time, it doesn't necessarily mean that's when the file was created. It just means that some action has taken place on this system at that time, and we have to find out what exactly that action was. Timestamps can be updated by, for example, moving files around, copying files, creating a file, or editing a file. All of these common actions on files can potentially update the timestamps in different ways. So it's the investigator's job to know when certain timestamps are updated for certain file systems. Once we know how the timestamps are updated, it becomes much easier for us to investigate and actually say something about what those timestamps mean. We'll practice that a little bit this week. Whenever we're looking at a timestamp, we know that some action has taken place on that data, most likely on that system, at a particular time; we just have to establish which action it was. We'll work a lot more with timestamps, and especially timeline building, this week.

Next, a very common data source for investigations, especially on Windows systems, is Windows registry analysis. The Windows registry is essentially a database of all of the settings and data that Windows keeps. Every setting that Windows knows about is stored in the registry, along with a lot of other information about the user, about the system, about connections that have been made, and so on. Because it stores all of the settings information, it's a very good source for forensic investigators to recover activities that have taken place on the system. The registry contains what we call keys, which contain information about the settings, and each key has its own timestamp. One key that I particularly like to talk about is the TypedURLs key.
Something that looks like TypedURLs is of course about URLs, so it most likely relates to browsing behavior, and it's specifically called "typed" URLs. When we look at that key we want to establish what exactly it means if we find data in it. I have an example on my slides here: if we look into that key we find just websites. So what does it mean when we find websites inside that key? From its name you might be able to guess: those are websites that were specifically typed in by the user. It's not internet history or anything like that; those entries are only added when a user types the URL in manually using a keyboard. They could be inserted other ways, hackers for example could try to insert some things, but for the most part they are specifically typed in by the user.

Now why is that interesting? We have a key that's only populated manually by a human. That means that in an investigation, if we want to say that somebody knew about a bad website, or knew they were going someplace illegal, or knew they were hacking a certain bank, we can establish that they manually typed in the domain name for that website, because a human had to have done it. Of course, placing the actual person as the one who typed it is a little more difficult, but at least we can say a human must have typed this. It's not going to be added automatically; it's not going to be a robot or something like that. So this data source, TypedURLs in the Windows registry, can start to establish human behavior: a human must have done this. And that's what we're normally trying to figure out: when did the suspect do something to a victim, and how do we know it was them and not something else? That's the kind of investigation we're doing.
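To show what the TypedURLs key looks like as data rather than on a slide, here is an added example (not code from the lecture) that parses a .reg export of the key and lists its entries with url1, the most recently typed address, first. The key's LastWrite time is not stored in a .reg file, so the script assumes it is supplied separately by whatever registry parser you use; the export text and the time are constructed samples, not data from a real case. The report also records what that single timestamp can and cannot support: it belongs to the most recent entry only, and the older slots carry no time of their own in this key.

```python
"""Ordering the TypedURLs registry key and stating what its timestamp proves.

Added example for this lecture (not part of the original material). The export
text and the LastWrite time are constructed samples.
"""
import re
from datetime import datetime, timezone

TYPED_URLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"

# Constructed .reg export. Slots are deliberately out of order, and url10 is
# present to show that ordering must be numeric, not alphabetical.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url2"="http://intranet.example.test/"
"url1"="https://bank.example.test/login"
"url10"="https://news.example.test/"
"url3"="https://mail.example.test/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.example.test/"
'''

# Constructed key LastWrite time, as a registry parser would report it (assumed input).
SAMPLE_LAST_WRITE = datetime(2023, 5, 2, 20, 47, 12, tzinfo=timezone.utc)

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_URL_LINE = re.compile(r'^"url(?P<slot>\d+)"="(?P<url>.*)"\s*$')


def _unescape(value: str) -> str:
    # .reg files escape backslashes and double quotes inside string values
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_typed_urls(reg_text: str) -> list:
    """Return (slot, url) pairs for the TypedURLs key only, slot 1 first."""
    entries, in_key = [], False
    for line in reg_text.splitlines():
        key = _KEY_LINE.match(line)
        if key:
            # Only collect values while inside the TypedURLs key, not other keys in the export
            in_key = key.group("key").lower() == TYPED_URLS_KEY.lower()
            continue
        if in_key:
            hit = _URL_LINE.match(line)
            if hit:
                entries.append((int(hit.group("slot")), _unescape(hit.group("url"))))
    return sorted(entries)


def typed_urls_report(reg_text: str, key_last_write: datetime) -> list:
    """Pair each entry with what the key timestamp can support.

    Only the most recent slot (url1) can be tied to the key's LastWrite time;
    older slots were typed before it, but this key alone does not say when.
    """
    rows = []
    for slot, url in parse_typed_urls(reg_text):
        rows.append({
            "slot": slot,
            "url": url,
            "typed_at": key_last_write.isoformat() if slot == 1 else None,
            "basis": "key LastWrite time" if slot == 1
                     else "earlier than url1; time unknown from this key",
        })
    return rows


if __name__ == "__main__":
    for row in typed_urls_report(SAMPLE_REG_EXPORT, SAMPLE_LAST_WRITE):
        print(row)
```

Sorting numerically matters: a text sort would place url10 between url1 and url2 and silently misstate which address was typed most recently.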
So we'll look at TypedURLs a little bit this week. The other somewhat interesting thing about TypedURLs is not only that it must have been a human, but also that there is an order to the entries. The first URL is the most recently typed URL, and we have a timestamp, so we can say that this URL was typed at a certain time. So if the suspect says, "I don't know anything about that website," we can ask, "Were you home at this time?" If they say, "Yeah, I was home using my computer, but I don't know that website," then we can say, "Okay, this URL was typed at the time that you were home using your computer, so how do you explain that?" I'm trying to establish what activities the user could have done, what their story or alibi is, what they say happened, and what the computer says happened. That's what we're trying to do. So we'll talk about TypedURLs and analyze a little bit of the registry this week.

Next is files in the Downloads folder. Think for a second about what you think files that you find in a Downloads folder mean. Of course, most web browsers will by default download any data directly to the Downloads folder, but does that mean that's the only way data gets into the Downloads folder? If we find an illegal file, or a virus, or any of these things in the Downloads folder, what can that tell us? It can tell us that it probably came from a browser, but I might also have copied it from a USB stick or some other place and just happened to put it in my Downloads folder for temporary storage.
Don't assume that there's only one way to get data into a specific folder like the Downloads folder. It can tell us that most likely the file is related to internet browsing, but it doesn't necessarily have to be. So then we go back to timestamp analysis: when would the files have been added to the folder? We can see the timestamps of the files, when they were created or modified. We can also look at internet history at that point and see whether there was any internet activity at the same time. So now we're looking at multiple data sources to try to figure this out. Okay, I think these files were downloaded from the internet, but I don't see any internet history or anything related to these files from any browser installed on the system; yet the files are still in the Downloads folder. Where could they have come from? Well, now we can go back to the Windows registry and look for inserted USB devices and what time the last USB device was inserted. Maybe that USB device insertion correlates to the same time as the files in the Downloads folder, so we can make an argument for that. Again, we're just looking at different data sources and trying to tie everything together. Don't assume that data in a location has to have come from a certain source, like the internet for the Downloads folder, but it's also very likely that it did. We don't assume anything, but the chances are pretty good the downloads are going to be related somehow.

The next thing, kind of related, is files in the internet cache, or Temporary Internet Files, or what's called INetCache now: temporary storage for browsers when downloading web pages or web resources. A lot of people don't know that when their browser connects to a website, the reason it takes a long time to load is that your computer is actually downloading all of the material to your computer. Your browser stores all of that information in the temporary internet cache, or cache files; basically, many files are downloaded that the user is usually not aware of. So everything you can see on your screen is downloaded and resident on your computer. This is good for investigators, as long as it's not cleared out, because we can potentially see what the user was accessing. However, other programs may also use Temporary Internet Files or INetCache. It doesn't necessarily have to be a browser; most of the time it is a browser, but other programs can use it, and could potentially download illegal files or other information that way through a different program than a browser. Because it's in Temporary Internet Files we might just automatically assume it's a browser.

So again, there are a lot of data sources that have a lot of information about user activities that we're normally very interested in. The list is huge, and it also depends on the operating systems we're looking at. This week we'll take a look at a few of the data sources for Windows, as well as maybe some common data sources for a few Linux systems. There are many locations for data, and there are a lot of different types of data that relate to user activities either directly or indirectly, and usually just by making a timeline we can get an idea of which traces normally relate to user activities.

Each data source, or each piece of data, can mean something different depending on the context of the case. So I guess the whole point behind this is that you have to investigate within the context of the case, or within the context of the data around the data that you're looking at. For example, in Temporary Internet Files, files that are downloaded whenever people are just browsing the internet, if you find pictures of knives and bombs and a picture of Seoul, you might assume that the person wants to kill somebody or blow up Seoul or whatever. However, if you look around a little bit more you might also find out that they were just reading CNN news, and the CNN news articles had pictures of knives and bombs and Seoul or something like that. So in one case it might be somebody planning something horrible; in context, it's actually just somebody reading the news like normal. Context in investigations is very, very important.

The whole point of this is that investigators must know how and when data changes based on user and program activities. The more you know about how data changes based on some action, the easier it becomes to reconstruct all of these events. If you know all of the different ways that Temporary Internet Files could be updated or added to, you'll have a better chance of finding the truth in your investigation. So that's what we're doing this week: looking at all of these different data sources, trying to extract them and analyze them, and seeing what they can tell us about what we're trying to investigate. This week we'll have quite a bit of homework on data analysis, data location identification, and pulling out some more information. Thank you.
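The Downloads folder reasoning above (file timestamps, then browser history, then USB insertion times from the registry, all on one timeline) as an added example, not code from the lecture. It merges three constructed sources into one timeline and, for each file in Downloads, looks first for a browser visit that names the file, then for a removable device inserted shortly before the file appeared, and otherwise reports the file as unexplained by these sources. All events, paths, URLs and the device description are constructed samples; the registry keeps only the last insertion time per device, so a USB match is suggestive, not proof.

```python
"""Explaining a file in the Downloads folder with more than one data source.

Added example for this lecture (not part of the original material). Every
event below is a constructed sample, not data from a real case.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str    # "fs", "browser" or "usb"
    detail: str    # file path, URL, or device description


# Constructed: created times of files found in the Downloads folder.
DOWNLOADS = [
    Event(datetime(2023, 5, 2, 14, 3, 10, tzinfo=UTC), "fs", r"C:\Users\suspect\Downloads\invoice.pdf"),
    Event(datetime(2023, 5, 2, 20, 47, 5, tzinfo=UTC), "fs", r"C:\Users\suspect\Downloads\tool.exe"),
    Event(datetime(2023, 5, 3, 8, 15, 0, tzinfo=UTC), "fs", r"C:\Users\suspect\Downloads\notes.txt"),
]
# Constructed: browser history visits (URL and visit time).
BROWSER_HISTORY = [
    Event(datetime(2023, 5, 2, 14, 2, 55, tzinfo=UTC), "browser", "https://supplier.example.test/invoice.pdf"),
    Event(datetime(2023, 5, 2, 14, 5, 0, tzinfo=UTC), "browser", "https://mail.example.test/"),
]
# Constructed: last insertion time of a removable device, as a registry parser would report it.
USB_INSERTIONS = [
    Event(datetime(2023, 5, 2, 20, 46, 30, tzinfo=UTC), "usb", "Generic Flash Disk (last insert)"),
]


def build_timeline(*sources) -> list:
    """Merge every source into one list ordered by time."""
    return sorted((e for src in sources for e in src), key=lambda e: e.when)


def explain_download(file_event: Event, timeline: list,
                     window: timedelta = timedelta(minutes=5)) -> Tuple[str, Optional[Event]]:
    """Return (explanation, supporting_event) for one file in Downloads."""
    lo, hi = file_event.when - window, file_event.when + window
    nearby = [e for e in timeline if e.source != "fs" and lo <= e.when <= hi]
    filename = file_event.detail.rsplit("\\", 1)[-1].lower()
    for e in nearby:                         # strongest: a visit that names the file
        if e.source == "browser" and e.detail.lower().endswith("/" + filename):
            return "browser download", e
    for e in nearby:                         # weaker: a device inserted just before the file appeared
        if e.source == "usb" and e.when <= file_event.when:
            return "possible copy from removable device", e
    for e in nearby:                         # weakest: browsing at the time, but nothing naming the file
        if e.source == "browser":
            return "browser activity nearby, file not named", e
    return "unexplained by these sources", None


def summarize(downloads: list, *other_sources) -> dict:
    """Map each Downloads path to its best explanation."""
    timeline = build_timeline(downloads, *other_sources)
    return {f.detail: explain_download(f, timeline)[0] for f in downloads}


if __name__ == "__main__":
    for path, why in summarize(DOWNLOADS, BROWSER_HISTORY, USB_INSERTIONS).items():
        print(f"{path}: {why}")
```

The window is deliberately a parameter: clock skew between a device and the system, or a long download, can push related events outside a few minutes, and widening it trades precision for recall, which is exactly the judgement the context of the case has to supply.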