Thursday, August 29, 2019

RAM data significance in Digital Forensics

Last semester, I made a memory dump file to analyze the traces remaining after using Tor Browser. However, my boss said it was useless because that file could only be obtained while the computer was kept powered on. After that, I thought RAM data are so volatile that forensic investigators really don't care about them when they do an investigation. However, today the professor mentioned RAM evidence in class, so I thought it can be important in some cases even if it has volatile properties. Then I found this paper explaining the significance of volatile data.
This is the summary of the paper, RAM data significance in Digital Forensics (2015).
Live Data Forensics
Live data is defined as volatile or partially volatile computer data which disappears when the computer shuts down. Most investigators normally analyze data from HDDs, CDs/DVDs and USB memory, which is known as post-mortem analysis. However, to learn about live data, we have to analyze the pagefile, the hibernation file, crash dump files and Random Access Memory (RAM).

Random Access Memory (RAM)
All data created by users passes through RAM first. Information stored in RAM tells us what happened at a specific time, while data on the hard disk shows it only in general.

Importance of RAM analysis
Using RAM, investigators can figure out information that is more restricted in traditional post-mortem analysis. Investigators have difficulty accessing encrypted data on hard disks and USB drives; they need to crack it using a tool. However, the passwords that users entered are stored in RAM. Malware can also hide data in RAM to endanger systems. When we detect malware, we can understand how the computer was used.

Information and Data that can be found in the RAM
·  Active processes
    -  Processes which were stopped would also remain in RAM and can be found there.
·  Open files and "registry handles"
·  General files
    -  All files opened, read, modified
    -  Copy and paste feature
    -  Clipboard
·  Information on network traffic
    -  Open ports
    -  Open connections or planted processes
·  Internet data
    -  Very common
    -  Downloaded data (Gmail, Yahoo emails, Skype conversations)
    -  But no data remains after the computer is shut down
·  Passwords and cryptographic keys
    -  They have to be stored in RAM and remain stored there until overwritten or the computer is shut down
·  Decrypted content (hidden processes and data)
    -  If users decrypt a file, the unencrypted file will remain in RAM
·  Other data that can be found in RAM (malware, temporary data, portable apps)
    -  Which users logged in, at what time, and what the users did
    -  Retrieve a screenshot of the desktop and all opened windows
    -  RAM information in a virtualized environment

K. Hausknecht, D. Foit, J. Buric, “RAM data significance in Digital Forensics”, 2015

Thursday, August 22, 2019

Expert Witness Compression Format (EWF)
- About EWF-E01
    ·  is used to store media images, which are disk and partition images
    ·  photo
    ·  can store a single image in one or more segment files
- Segment files
    ·  Segment file = a file header + multiple sections
        o  A file header = a signature part + a fields part
            §  A file header is 13 bytes in size
                ·  8 bytes: signature
                ·  1 byte: start of fields
                ·  2 bytes: segment number
                    ·  segment file extension (for E01)
                        ·  First segment file: .E01
                        ·  Second segment file: .E02
                        ·  This continues up to .E99
                        ·  After that, the next segment file has the extension .EAA
                        ·  This continues up to .EZZ
                ·  2 bytes: end of fields
        o  The sections
            §  Every section starts with the same data: the Section Descriptor
                •  The Section Descriptor consists of 76 bytes and contains information about a specific section
                    ·  16 bytes: a string containing the section type definition
                    ·  8 bytes: offset, relative from the start of the segment file
                    ·  8 bytes: section size
                    ·  40 bytes: padding
                    ·  4 bytes: checksum
                •  Section types
                    ·  There are multiple section types
                        ·  Header section
                        ·  Volume section
                        ·  Table section
                        ·  Next and Done section
                    ·  Additional sections in the recent E01 format
                        ·  Header2 section
                        ·  Disk section
                        ·  Sectors section
                        ·  Table2 section
                        ·  Data section
                        ·  Errors2 section
                        ·  Session section
                        ·  Hash section
                        ·  Digest section
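
As an added example (not from the original post or the format's authors), the 13-byte file header and the 76-byte section descriptor chain described above can be parsed like this in Python. The signature bytes, the 0x01 and 0x0000 field markers, the reading of the 8-byte offset as "next section" and the Adler-32 checksum over the first 72 descriptor bytes come from the public EWF format description rather than from this page, and the sample segment is constructed.

```python
import struct
import zlib

# Assumption: signature, markers and Adler-32 come from the public EWF spec, not the page.
EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER = struct.Struct("<8sBHH")      # 8 + 1 + 2 + 2 = 13 bytes
DESCRIPTOR = struct.Struct("<16sQQ40xI")   # 16 + 8 + 8 + 40 + 4 = 76 bytes

def segment_extension(number):             # .E01-.E99, then .EAA-.EZZ
    if 1 <= number <= 99:
        return ".E%02d" % number
    hi, lo = divmod(number - 100, 26)
    if number < 100 or hi > 25:
        raise ValueError("segment number outside .E01-.EZZ")
    return ".E" + chr(65 + hi) + chr(65 + lo)

def parse_file_header(buf):
    sig, start, number, end = FILE_HEADER.unpack_from(buf, 0)
    if sig != EVF_SIGNATURE or start != 1 or end != 0:
        raise ValueError("not an EWF-E01 segment file header")
    return number

def walk_sections(buf):
    """Follow the descriptor chain; return [(type, offset, size)]."""
    sections, offset = [], FILE_HEADER.size
    while True:
        if offset + DESCRIPTOR.size > len(buf):
            raise ValueError("descriptor at %d is truncated" % offset)
        raw, next_off, size, stored = DESCRIPTOR.unpack_from(buf, offset)
        if zlib.adler32(buf[offset:offset + 72]) != stored:
            raise ValueError("bad descriptor checksum at %d" % offset)
        name = raw.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, offset, size))
        if name in ("next", "done"):       # last section of a segment file
            return sections
        if next_off <= offset:             # a chain that never advances would loop
            raise ValueError("section chain does not advance at %d" % offset)
        offset = next_off

def make_descriptor(name, next_off, size):
    body = struct.pack("<16sQQ40x", name, next_off, size)
    return body + struct.pack("<I", zlib.adler32(body))

def build_sample_segment(number=1):        # constructed: header section, then done
    payload = b"constructed payload"
    done_at = 13 + 76 + len(payload)
    return (FILE_HEADER.pack(EVF_SIGNATURE, 1, number, 0)
            + make_descriptor(b"header", done_at, 76 + len(payload)) + payload
            + make_descriptor(b"done", done_at, 76))
```

Calling `walk_sections(build_sample_segment())` lists the two constructed sections; a descriptor with a single flipped byte is rejected by the checksum test before its offset is followed.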


Wednesday, August 21, 2019

Digital Forensic Applications in Medical Dispute Investigation (Korea)


In medical malpractice cases, medical records are the only evidence available as proof. If digital forensics can confirm that the electronic medical records were manipulated, a medical dispute investigation can be concluded rapidly. So, to apply digital forensics in such investigations, we need to build an institutional plan.


In medicolegal problems, the only evidence for the patient is the medical record that the doctor has prepared and kept. Judgement in a medical dispute depends on hospital records, so fake records or added and edited records cannot prove doctors' mistakes. Especially after 2002, when electronic medical records became mandatory, it became easier to edit and delete medical data.

First you have to differentiate a false entry (허위 기재) and a bad entry (부실 기재). According to Article 17 of the Enforcement Rules of the Medical Law, a bad entry means failing to record any of the prescribed entry items. The concept also applies when part of an entry is missing. A false entry, however, means that people write false records or change, delete and add to patient medical records after death.

If false evidence is proven, the damage caused by medical accidents can be quickly and fairly recovered. Digital forensics is now required to prove that an electronic medical record is fabricated.


The Electronic Medical Record Procedure is what the doctor wrote and signed about the medical practice. All papers such as medical records, nursing records, doctor's instructions, examination records, and video testing should be completed only by doctors.
It is recommended that the record be written immediately after the care. In some cases, if the writing is delayed, it can lead to suspicions such as false entries. However, in the event of an emergency, the entry may be delayed depending on the situation.
According to Article 22, paragraph 1 of the Medical Service Act, medical personnel are required to record their respective medical records "in detail" and to what extent they should be recorded. However, the criteria for detailed records are controversial. There are no objective standards, so the judgement depends on the judges.

Institutional Measures to Apply Digital Forensics in the Investigation of Electronic Medical Records

1. Standardization of Electronic Medical Records
So far, there is no standardization of electronic medical records, so each hospital has a different form of system. There are also no legal regulations on electronic medical records, storage patterns or storage methods. To prove a false entry in medical records using digital forensics, the form should be standardized to optimize the investigation.

Specific legislative proposals are as follows.
A legislative bill for the medical law
Part of Article 23 says that the electronic medical record system should use a system certified by the Minister of Health and Welfare. The Minister of Health and Welfare can set up and announce a certificate.

2. Enactment of the obligation to keep log records and of a punishment provision for deletion
Analysis of log records is essential in digital forensics for proving conduct. If log records are not preserved, it may be difficult to establish the needed evidence. It is necessary to make it mandatory for log records to be kept for a certain period, and to make a bill imposing criminal penalties in case of violation.

3. Imposing an obligation to submit electronic records when the arbitration committee investigates
In order to prove false entries through digital forensic procedures, the original electronic medical record data must be obtained. Under the law, investigators can access or copy related documents or objects by entering hospitals. In digital forensics, the original evidence should be preserved as it was at the time of the evidence. Otherwise, it goes against the principle of integrity.
There may be controversy over what counts as the original data, so clear legislation about it is needed.

권양섭 (2014.10) 의료분쟁 조사과정에서 디지털 포렌식 활용방안(Digital Forensic Applications in Medical Dispute Investigation)
