The following is an excerpt from Google Earth Forensics: Using Google Earth Geo-Location in Digital Forensic Investigations by authors Michael Harrington and Michael Cross and published by Syngress. This section from chapter five explores what digital forensics is and how Google Earth fits into it.
WHAT IS DIGITAL FORENSICS?
Digital Forensics is a branch of forensic science that focuses on the recovery, examination, and investigation of evidence stored on computers and other digital devices, as well as various media that may have been used to store data. Although it is commonly associated with criminal investigations, digital forensics has been used in civil cases, internal investigations, tribunals, and other inquiries or forums that require an exploration of data.
The Process of Digital Forensics
The process of performing a digital forensic investigation can be broken down into four stages:
- Seizure, in which computers, mobile devices and other devices and/or media are obtained and preserved.
- Acquisition, in which the data is retrieved from a device.
- Analysis, in which an image or copy of the data acquired in the previous step is examined.
- Reporting, in which the procedures and processes that were followed in the previous steps are documented, along with the evidentiary findings.
When a computer or other device is seized, it is taken into custody and secured with the goal of preserving any potential evidence. As with every stage of a digital forensic investigation, you will document the scene, the actions that were taken, and the procedures that were followed. It is also important at this stage to establish a chain of custody that will carry on through all the other stages, documenting who had possession of the evidence and when.
In addition to photographing the scene where the computer or device was seized, photograph the computer or mobile device and what is displayed on the screen. Photographing the screen will preserve which applications were open and any information visible in them, and will show what the user was last doing on the computer or device. Under no circumstances should you use the computer/device, search for evidence, or alter its running condition. A rule of thumb is that if it is turned off, leave it off; if it is turned on, leave it on.
During the seizure, some steps may be taken to acquire digital evidence. If a computer is turned on, you would start by collecting any live data, including an image of the physical memory. A utility that can be used to image the RAM is F-Response (www.f-response.com). This tool could also be used to collect a logical image of the disk if you discovered the hard disk was encrypted, since a powered-off encrypted disk yields nothing readable without the key. You would also gather any other data that is required for the investigation about the computer's live state, such as logged-on users, its network connection state, running processes, and so on.
You should also take care to document how the computer or device was found. Photographs and diagrams should be made of how it was set up when found, including any cords plugged into the machine. You should also label all of the cords, and document the model numbers and serial numbers of the computer/device and any other devices attached to it. Nothing should be disconnected from a computer or device until the previous steps have been completed.
When you are ready to transport the computer/device, you should package all of the components in anti-static bags, and seize any other storage media. This would include external hard disks, USB sticks, as well as CDs and DVDs that may contain data. To keep the media safe, you should avoid putting it near anything that may damage the data, such as magnets, radio transmitters, and so on. In gathering these additional items, you should also collect any manuals or documentation that may be related to the device. You never know if these will be helpful later in your investigation, or if they contain useful information (such as passwords, etc.).
There are additional considerations when a mobile device is seized. When a mobile device is connected to a cellular network, it may receive new data that overwrites evidence. Similarly, a mobile GPS unit that is turned on may continue to record track points (i.e., locations the GPS has been) as it is being transported. Because a mobile phone or tablet can be sent a command to wipe the device, you also run the risk of everything on it being erased. To preserve potential evidence on a mobile phone, GPS or other device, it is important that they are stored in a Faraday bag or cage. A Faraday cage is an area protected by material that blocks radio signals, essentially creating the same conditions as being in a "dead zone" where you cannot get a cell phone signal from your carrier. A Faraday bag is used to store mobile devices for transport, preserving any evidence stored on them.
The acquisition stage is where data is retrieved from a device or media, and generally occurs after the evidence has been collected, safeguarded and transported. In acquiring evidence from a device, a decision is made whether you need to perform a live or dead analysis. A live analysis is performed when a computer or device is powered on, and cannot be powered off until this information is collected. A dead analysis occurs when the machine is powered off, and transported to a lab where data can be retrieved in a controlled environment.
Acquiring data from a computer, device, or various media that may be used to store potential evidence generally requires specialized tools. This is not to say there are not times when a mobile device may require the manual acquisition of data, whereby an investigator uses the user interface of a phone or other device to view and photograph information displayed on the screen. However, in doing so, the only data that will be displayed is that which is accessible to the device's operating system and/or apps. In addition, using the interface may result in data being written to the device. To safely acquire all of the data, including data that may have been deleted, software and hardware tools are commonly used to create a bit-for-bit copy of what is stored on the device. Once a copy of the data is acquired, the investigator can then examine the copy so that the original remains untouched during analysis.
There are several ways in which you may acquire a copy of what is stored on a file system, but not all of them will provide the same results. These methods include:
- Copying files, which will only copy the files that are on the system and not ones that may have been deleted. Also, metadata related to file ownership, times a file was accessed, permissions and other data may be lost in copying the file.
- Backups, which will restore a copy of the files. Depending on the backup software used, not all of the metadata related to files will be included with the backup, and it will not capture information about deleted files.
- Copying disk partitions, which will create a bit-for-bit copy of the file system including metadata related to the files and information residing in unallocated space.
- Copying the entire disk, which creates a bit-for-bit copy of the file system, including storage space before and after disk partitions.
In looking at these methods, you can see that a bit-by-bit copy of the data will yield the most possible results. While you might think this would only apply to the hard disk of a computer, many mobile devices use file systems and may be used as storage devices. In addition, devices that use SD cards can have the card removed and processed like other removable media. By using various tools discussed later in this chapter, you will be able to collect the data on these devices, making a copy that you can then analyze to identify evidence related to your case.
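The difference between the four copying methods above is easiest to see in code. The following Python script is an added example, not code from the book or from any named forensic tool: it does what a raw imaging utility does when it takes a bit-for-bit copy of a device, sector by sector, zero-filling any sector that cannot be read (as `dd conv=noerror,sync` does) while logging the offset, hashing the image as it is written, and then re-reading the finished image to produce an independent verification hash. The 512-byte sector size and the `FlakySource` class (a constructed stand-in for a disk with one unreadable sector) are assumptions for the demonstration; on a real acquisition `src` would be the device opened read-only behind a hardware write blocker.

```python
"""Bit-for-bit acquisition with acquisition/verification hashing.

Added example for illustration; not from the book or any named tool.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512  # assumed; a real device reports its own logical sector size


class FlakySource(io.BytesIO):
    """Constructed stand-in for a block device with one unreadable sector.

    Not a real device. Any read that touches `bad_offset` raises OSError,
    the way a failing disk reports a medium error to the operating system.
    """

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        start = self.tell()
        end = start + (n if n >= 0 else len(self.getvalue()) - start)
        if start <= self.bad_offset < end:
            raise OSError("simulated medium error")
        return super().read(n)


def acquire(src, dst, size, examiner, sector=SECTOR):
    """Copy `size` bytes of `src` into `dst` sector by sector.

    `src` is a readable, seekable binary object (a device opened 'rb', or a
    test buffer); `dst` is a writable, seekable binary object for the image.
    Unreadable sectors are replaced with zeros and their offsets recorded,
    so the image keeps the original layout and later analysis knows which
    regions are unreliable. Deleted files, slack and unallocated space are
    copied along with everything else, which is what file copies and
    backups cannot do. Returns a record suitable for the chain of custody.
    """
    started = datetime.now(timezone.utc).isoformat()
    acq = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while offset < size:
        want = min(sector, size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            chunk = b""
        if len(chunk) != want:            # failed or short read: zero-fill
            bad_sectors.append(offset)
            chunk = chunk.ljust(want, b"\x00")
        dst.write(chunk)
        acq.update(chunk)
        offset += want
    dst.flush()

    # Verification pass: hash the image independently by re-reading it,
    # rather than trusting the digest computed while writing.
    dst.seek(0)
    ver = hashlib.sha256()
    for block in iter(lambda: dst.read(1 << 20), b""):
        ver.update(block)

    return {
        "examiner": examiner,
        "acquired_utc": started,
        "bytes": size,
        "sector_size": sector,
        "bad_sectors": bad_sectors,
        "acquisition_sha256": acq.hexdigest(),
        "verification_sha256": ver.hexdigest(),
        "verified": acq.hexdigest() == ver.hexdigest(),
    }


def demo():
    """Image a constructed four-sector 'device' whose second sector is bad."""
    data = b"A" * SECTOR + b"B" * SECTOR + b"C" * SECTOR + b"D" * SECTOR
    src = FlakySource(data, bad_offset=SECTOR)
    image = io.BytesIO()
    record = acquire(src, image, len(data), examiner="hypothetical examiner")
    return record, image.getvalue()


if __name__ == "__main__":
    rec, _ = demo()
    print(json.dumps(rec, indent=2))
```

The record is what goes into the acquisition notes: if the verification hash ever stops matching the acquisition hash, the image has changed since it was taken, and any sector listed in `bad_sectors` is a region whose zeros are the tool's, not the suspect's.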
The analysis stage generally occurs after evidence has been collected. If live data is not being examined, then an investigation is conducted against static data that has been copied from a system. Once an image of data on the computer, device, or other media has been made, an examination of the data takes place. This may involve performing keyword searches relating to a crime, running scripts to identify certain types of data, manually reviewing information and content of files, and various other techniques.
By analyzing various types of data found on a machine, investigators will search for evidence that implicates or exonerates a suspect. The evidence may include digital photographs or downloaded images (as in the case of child pornography cases), electronic spreadsheets (in the case of financial crimes), email and other types of data. Using the content, metadata, or other information discovered, the investigator may reconstruct a series of events related to the case.
Documentation is crucial to any digital forensics case. It is important to make a record of any actions taken, devices or media examined, procedures that were followed, and other details relating to the evidence. Remember that, especially after a case goes to court, there is the possibility that anything related to the case may be questioned, and your documentation may be used to provide answers.
Throughout the process of conducting an investigation, it is vital that the integrity of the data and the device storing it is preserved, and part of this involves a documented chain of custody. Once a computer, device or media is seized, the chain of custody starts, showing who initially took possession and who had custody of it after that point. It is also important to remember that the original devices, storage media, or other items that evidence was collected from may be requested by defense counsel or other parties involved in the case. In some cases, evidence files or images taken of a system may be requested. By preserving these items and ensuring there is a record of who had access to them, you can help to ensure the evidence has not been corrupted or tampered with in any way.
It should also come as no surprise that you will need to create a report about what was found during the course of your investigation, and how it applies to the case. This could include listings and details about any files found on storage media (e.g., hard disks, tape, USB devices, etc.), information recovered from emails or other sources, and any other data that is being used as evidence. As we will discuss later in this chapter, many commercial tools provide features that will automatically generate reports about the files that were found. You would also write a report yourself that outlines the steps taken to acquire and analyze the data, and how the files or information found apply to the case. The reports themselves may then be submitted as evidence of an accused person's guilt or innocence.
Where Google Earth Fits In
Google Earth (GE) can be used in multiple stages of the digital forensic process. Most often, you will find that it is used in the later parts of a case, when you need to analyze coordinates from various sources, or as a reporting tool to create presentations relating to geographic locations. In some cases, it may also be used to acquire GPS data from a device, although other tools may be more suited to collecting such data for a forensic investigation.
When a person uses a GPS device, he or she will enter in locations called waypoints that are stored in the GPS. The waypoint may be a person's current location, or a location that he or she wants to navigate to. The GPS device will use a series of waypoints to create a route, showing the person how to navigate from one location to others in a specific order. Because this information can be stored on the device, it can also be retrieved and examined during an investigation.
GPS devices will also store tracks, which are records of the geographic points at which the unit has been. When you turn on the GPS unit, it will connect to satellites and determine its current location. As you travel, additional track points will be stored as a record of where the GPS unit has been, and stored in a track log. By looking at the track log, you are able to view a listing of coordinates that the portable GPS has visited and, by extension, where its owner has been.
As we saw in Chapter 3, and revisit in the next chapter, Google Earth can be used to acquire data from a Garmin or Magellan GPS unit. In performing the import, you will see the number of waypoints, tracks and routes that are imported from a GPS device, which can then be reviewed in the 3D viewer.
However, importing GPS data in this way copies the data directly off of the device into Google Earth. It does not retrieve any data that may have been deleted, or is hidden on the device.
This can be a major issue if a particular location of interest that a suspect visited exists only in the deleted data, and no longer appears in the tracks you copied using Google Earth's import feature. For this reason, it is often best to use forensic tools to collect all of the data, not just what is visible through the device's interface, including any deleted or hidden data that may reside on the device.
Also, in acquiring the data from a GPS device for use with Google Earth, you want to ensure nothing is written to the GPS device. As the device will store files, your operating system or applications might write data without your knowledge or intention. If data from the original source of evidence has been modified, it could be challenged in court, and become inadmissible as evidence. To prevent this from happening, you should ensure that your forensic machine uses write protection and/or uses tools that are designed to gather evidence in a forensically sound manner, as we discuss in the next section.
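The gap between what Google Earth's import shows and what the device actually holds can be demonstrated on a raw image. The Python below is an added example, not code from the book or from Google Earth: it parses the live GPX file (the XML format Garmin units expose over USB) the way an import would, then carves every `<wpt>` element out of the whole image regardless of whether it is allocated, reports the waypoints the import would never have shown, and writes the result as KML that Google Earth can open. The image bytes are constructed for the demonstration (a small GPX file, a run of zeros, and the tail of a deleted GPX file surviving in unallocated space); a real image would come from a write-blocked acquisition of the device's storage. Note the coordinate order: GPX carries lat then lon as attributes, KML wants lon,lat in `<coordinates>`, and swapping them is a common reporting mistake.

```python
"""Carve GPX waypoints from a raw image and emit KML for Google Earth.

Added example for illustration; not from the book or from Google Earth.
"""
import re
import xml.etree.ElementTree as ET

GPX_NS = "{http://www.topografix.com/GPX/1/1}"

# Constructed sample data (not a real device dump). The live file is what a
# Google Earth import copies; the fragment after the zeros is a deleted
# file's tail that only a bit-for-bit image still contains.
LIVE_GPX = b"""<?xml version="1.0"?>
<gpx version="1.1" creator="constructed sample"
     xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="37.7749" lon="-122.4194"><name>Home</name>
    <time>2014-03-01T08:00:00Z</time></wpt>
  <wpt lat="37.8044" lon="-122.2712"><name>Office</name>
    <time>2014-03-01T09:10:00Z</time></wpt>
</gpx>
"""
DELETED_FRAGMENT = b"""<wpt lat="37.8716" lon="-122.2727"><name>Storage unit</name>
    <time>2014-02-27T23:41:00Z</time></wpt>
</gpx>
"""
IMAGE = LIVE_GPX + b"\x00" * 1024 + DELETED_FRAGMENT + b"\x00" * 512

WPT_RE = re.compile(rb"<wpt\b([^>]*)>(.*?)</wpt>", re.DOTALL)
LAT_RE = re.compile(rb'\blat="(-?\d+(?:\.\d+)?)"')
LON_RE = re.compile(rb'\blon="(-?\d+(?:\.\d+)?)"')
NAME_RE = re.compile(rb"<name>(.*?)</name>", re.DOTALL)
TIME_RE = re.compile(rb"<time>(.*?)</time>")


def live_waypoints(gpx_bytes):
    """What an import sees: waypoints of the intact GPX file, via XML."""
    root = ET.fromstring(gpx_bytes)
    return [{
        "lat": float(w.get("lat")), "lon": float(w.get("lon")),
        "name": w.findtext(GPX_NS + "name", default=""),
        "time": w.findtext(GPX_NS + "time", default=""),
    } for w in root.iter(GPX_NS + "wpt")]


def carve_waypoints(image):
    """Every <wpt> element anywhere in the raw image, allocated or not."""
    found = []
    for m in WPT_RE.finditer(image):
        attrs, body = m.group(1), m.group(2)
        lat, lon = LAT_RE.search(attrs), LON_RE.search(attrs)
        if not (lat and lon):           # fragment too damaged to place
            continue
        name, time = NAME_RE.search(body), TIME_RE.search(body)
        found.append({
            "offset": m.start(),       # where in the image it was carved
            "lat": float(lat.group(1)), "lon": float(lon.group(1)),
            "name": name.group(1).decode("utf-8", "replace").strip() if name else "",
            "time": time.group(1).decode("ascii", "replace") if time else "",
        })
    return found


def not_visible_to_import(carved, live):
    """Carved waypoints with no (lat, lon, name) match in the live file."""
    seen = {(w["lat"], w["lon"], w["name"]) for w in live}
    return [w for w in carved if (w["lat"], w["lon"], w["name"]) not in seen]


def to_kml(waypoints, document_name):
    """KML 2.2 document with one Placemark per waypoint."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = document_name
    for wp in waypoints:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = wp["name"] or f"offset {wp.get('offset', '?')}"
        ET.SubElement(pm, "description").text = (
            f"time={wp['time']} image_offset={wp.get('offset', 'n/a')}")
        if wp["time"]:
            ET.SubElement(ET.SubElement(pm, "TimeStamp"), "when").text = wp["time"]
        point = ET.SubElement(pm, "Point")
        # KML order is longitude,latitude[,altitude]; GPX gives lat then lon.
        ET.SubElement(point, "coordinates").text = f"{wp['lon']},{wp['lat']},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    carved = carve_waypoints(IMAGE)
    hidden = not_visible_to_import(carved, live_waypoints(LIVE_GPX))
    print(f"{len(carved)} carved, {len(hidden)} not visible to an import")
    print(to_kml(carved, "carved waypoints"))
```

Run on the sample image this yields three carved waypoints against two visible to the import; the third is the one the text warns about, and the `image_offset` in each Placemark description ties every point in the Google Earth presentation back to a byte range in the verified image.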
About the authors:
Michael Harrington is a former Law Enforcement officer with over ten years of experience in digital forensics. He lectures on Mobile Forensics around the world and has been involved in various forensic projects including Pandora's Box and WOLF. Michael has been published in the Thomas J Cooley Law Journal and on Forensic Focus. He also writes on the subject of mobile forensics at http://mobileforensics.wordpress.com/
Michael Cross is a SharePoint Administrator and Developer, and has worked in the areas of software development, Web design, hardware installation/repairs, database administration, graphic design, and network administration. Working for law enforcement, he is part of an Information Technology team that provides support to over 1,000 civilian and uniformed users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael has a diverse background in technology. He was the first computer forensic analyst for a local police service, and performed digital forensic examinations on computers involved in criminal investigations. Over five years, he recovered and examined evidence involved in a wide range of crimes, including homicides, fraud, and possession of child pornography. In addition to this, he successfully tracked numerous individuals electronically, as in cases involving threatening e-mail. He has consulted and assisted in numerous cases dealing with computer-related/Internet crimes and served as an expert witness on computers for criminal trials. In 2007, he was awarded a Police Commendation for work he did in developing a system to track local high-risk offenders and sexual offenders. With extensive experience in Web design and Internet-related technologies, Michael has created and maintained numerous Web sites and implementations of Microsoft SharePoint. This has included public Web sites, private ones on corporate intranets, and solutions that integrate them. In doing so, he has incorporated and promoted social networking features, created software to publish press releases online, and developed a wide variety of solutions that make it easier to get work done. Michael has been a freelance writer and technical editor on over four dozen I.T. related books, as well as writing material for other genres. He previously taught as an instructor and has written courseware for IT training courses.
He has also made presentations on Internet safety, SharePoint and other topics related to computers and the Internet. Despite his experience as a speaker, he still finds his wife won't listen to him. Over the years, Michael has acquired a number of certifications from Microsoft, Novell and CompTIA, including MCSE, MCP+I, CNA, Network+.
Google Earth Forensics
Reprinted with permission from Elsevier/Syngress, Copyright ©2014