Proprietary Embedded DataDecember 10, 2009
This is a case study using a specific piece of software – Adobe Photoshop Album. While some examiners may encounter this software in a case, focusing on the software itself is not the intent of this paper. This would severely limit the scope, audience and overall value of this document. Rather this is intended to demonstrate a methodology to recognizing and carving out useable data structures from within a proprietary object or file.
In some ways, I view methodology the same way I view “cop instinct”. What I mean by this is that sometimes, based on real world experience, training, and a host of personal observations, a correct conclusion can be formulated before the facts can be articulated. In other words, it’s impossible to train for instinct by enumerating a number of steps you must go through every time. Similarly, it’s impossible to train methodology by giving a clear cut step by step process. Certainly a step by step process and training will give a foundation for examiners and it will clearly begin to develop the experience one needs to be able to have that “cop instinct” or know where to go based on methodology.
Analogies tend to break down eventually, and in this case this one breaks down here: In the law enforcement world, if “cop instinct” is misjudged, at best there’s an opportunity lost (for an arrest or stopping a violent situation before it escalates), and at worst it means injury or a law suit. Fortunately with computer forensics, if methodology is misjudged, we can try a different path since we’re working on an image not the original evidence.
I am not intending to portray myself as infallible; I’m trying to demonstrate that persistence, experience, and a documented, repeatable (even if not graceful) methodology are invaluable for a Computer Forensic Examiner – sometimes more invaluable than any tool in their expensive tool chest.
Publishing this paper is ultimately meant to show the fact that data was recognized within a proprietary file structure (a tn.4.cache file in this case), the data was known to include contraband, and data was carved out to make viewing easier (or indeed possible) by non-technical agents and/or prosecutors. Even proprietary software tends to use known data structures for their proven reliability and efficiency. This paper reminds the experienced examiner that their most trusted tool is still a raw hex viewer/editor holstered somewhere on their belt next to a magazine filled to capacity with their methodology.
The complete document is available here: Carving Data Structures from Files – Case Study Adobe Photoshop Album