Ask the Expert: Yuri Gubanov, CEO of Belkasoft
Digital Forensics | Apr 21, 2015
Q: Guys, you mentioned analysis of Live RAM dump created by Belkasoft tool. We use winen.exe tool by Guidance Software. Will you work with dumps created by this tool?
A: Sure! As a Guidance Software partner, we support all images created by their tools, particularly physical images such as E01 and Ex01, logical images such as L01 and Lx01, and of course, memory dumps.
Q: In one of your stories, your tool found some Skype data inside something you call “SQLite freelist.” When SQLite deletes data, does it always go to a freelist?
A: It's only true for databases configured without the option called “AutoVacuum.” If this option presents, no freelist is used, unfortunately. However, quite a few forensically important applications store their data inside SQLite databases configured without this option. In particular, Skype, WhatsApp, Chrome, Firefox, and many more.
Q: Are there any chances to find SQLite data if it is not present in regular SQLite areas (I mean tables) and freelist?
A: SQLite forensic analysis is a tricky thing because SQLite itself is tricky. Besides regular tables and freelist area, which we already explained, it has some more peculiarities. For example, older versions of SQLite had a so-called “journal” file, which was used to coordinate database transactions. Newer versions of SQLite have so-called Write Ahead Log files, or WAL-files, which contain uncommitted transaction data. Both journal and WAL files sit in the same folder as the main database and may contain up to 20-30% of data inside the main database file.
For example, my Skype database is around 100 megabytes (yes, I've used Skype for a long time and never delete my history). In my setup journal file for my Skype account is 20 megabytes, which is 20%. So if you don’t investigate these files, you are going to lose 20% of the information, which you absolutely cannot afford in the course of criminal investigation. That’s why you need a tool like Evidence Center to automate such routine things. For a moment, there are not many forensic tools capable of doing automatic processing of freelist, journal and WAL files, so this is one reason to have Evidence Center to complement your EnCase installation.
I should also mention that a SQLite database can have so-called unallocated space. It resembles a regular hard drive, which can also have unallocated space, This space does not belong to any table and is not a freelist. Inside this space you may find some remnants of deleted data, not necessarily completely valid, because it may have been already overwritten or corrupted. However, in our experience, we were able to find meaningful conversations there. Technically, you can carve unallocated space inside SQLite database and find data, as we discussed with Skype chats or WhatsApp messages. This is what Evidence Center can do automatically for you. This info, if found, is then merged with existing data (I mean, non-deleted data from regular tables) and can be imported back to EnCase Forensic.
Q: What can a criminal do to hide data stored once inside an SQLite database and what can Belkasoft together with EnCase do against such attempts?
A: Well, to hide SQLite data they can do pretty much the same as with other files. They can move a file, delete it, or rename or delete data by using regular means of an application, which uses a particular SQLite database. We have already discussed what happens when data is deleted from an app itself: it goes to a freelist and can be partially recovered. When a file is renamed or deleted, Evidence Center can carve such a file. There are also some changes to find remnants of data inside special system areas such as hibernation or pagefile, shadow volume copy, live RAM dump, if any, and so on. Evidence Center supports all these scenarios.
Q: In the drug story, you were looking for Facebook chats. Will you download Facebook chats from online? Do you need a password for that?
A: No, the tool never goes online. Instead, the investigator was trying to locate chats inside a RAM dump he had. When someone chats via Facebook or any other app, this data is kept inside RAM, where it can be then found. To find such data we use a signature approach. We know signatures for data layout in RAM for hundreds of types of applications and do data extraction for you out of the box. Therefore, no internet is required and no Facebook password is required. Note, however, that you can hardly hope to extract all chats, just a small fraction of an entire history.
Q: If only remnants of Facebook chats could be found on a switched off machine, how long is the history you are able to recover? Can a whole history be recovered, theoretically and practically?
A: Theoretically, if the history is small, it is possible to recover the entire history. Practically speaking, you can generally only recover some very recent chats. This is because portions of RAM are overwritten every fraction of a second and older messages are gone quickly. If not gone, they can be corrupted. That’s life, but this is better than having nothing. Facebook and other browser applications do not store anything on a hard drive (if we are not talking about the mobile Facebook app), so the only chance to find anything is to search inside RAM.
Q: How quick is the data processing?
A: It depends on the size of your EnCase image file and your hardware. In our lab 500 GB hard drive with all types of analysis, we have, selected, takes about 8 hours to complete. 2Tb drive with around half-million photos, takes about 18 hours, but this is because of huge amount of picture processing. We recommend you to have at least 16 GB of memory to have comfort processing time, but this is not a hard requirement. During conferences (by the way, we will be on Guidance Software’s CEIC conference as a sponsor and presenter this year), well, during conferences we use a laptop with just 4Gb of memory and the product works perfectly fast.
Q: You say you can recover deleted SQLite data. What about other types of deleted data? Can you restore them?
A: Almost all types of data which we can analyze being non-deleted, we can carve. To name a few: documents, emails, pictures, system files such as registries, event logs, thumbnails, jumplists, chats and browser histories, SQLite databases, and many more types of data.
Q: You say you work with multiple platforms and multiple devices. Which platforms/devices do you support?
A: We work on Windows only, but support a wide variety of Windows version from Windows XP to the most new and fancy Windows 10. However, we can also analyze all major operating systems such as Mac OS X, iOS, Linux/Unix, Android, Windows Phone, and Blackberry. Concerning devices, we support both computers and laptops as well as all modern smartphone platforms. By the way, we can also work on special “forensic” portable builds of Windows.
Q: In the story with the lost girl, the investigator was lucky to find the girl’s laptop in a sleep mode without a password, so there were no problems to capture a RAM dump. However, if a computer is switched off, how do you do live RAM analysis?
A: Windows and other systems usually use two types of files that we can roughly call “RAM dumps made by the operating system itself," These are pagefile (where your virtual memory is kept) and hibernation file (used to quickly turn computer on after hibernation). Both files contain memory artifacts because they are indeed memory. Unlike RAM, they survive reboot so you can investigate them. Interestingly, that inside you can find quite old data. For example, we've seen a few cases with Facebook chats as old as few months inside a pagefile.
Have other questions? Tips or ideas? Talk to us in the comments section below.