This lab exercise, acquiring and analyzing the data on the internal storage of a Nikon Coolpix E4600 digital camera, provided an opportunity to become familiar with forensic acquisition and analysis of this type of device. It showed the kinds of evidence that can be present on a digital camera and gave experience with forensic tools and processes currently used by professionals in cyber forensics, incident response, and electronic discovery. Completing the lab also highlighted problems commonly encountered when examining digital cameras, or any device whose internal flash storage is reachable only over USB.
Steps of the Process
1. Access the internal flash storage on the digital camera from the lab computer using the included USB cable. Four combinations were tried to establish what actually makes the camera power on and appear on the computer; the first three failed and only the fourth succeeded.
Attempt #1. Plug the included USB cable into the camera and then into the USB port on the computer. No batteries were in the device and the power button was not pressed. No signs of activity on either the camera or the computer.
Attempt #2. Plug the included USB cable into the camera and then into the USB port on the computer. No batteries were in the device, but the power button on the camera was pressed. No signs of activity on either the camera or the computer.
Attempt #3. Put new AA batteries into the device and then plug the included USB cable into the camera and then into the USB port on the computer. The power button was not pressed. No signs of activity on either the camera or the computer.
Attempt #4. With new batteries in the device, plug the USB cable into the camera and then into the USB port on the computer. The power button was then pressed and the camera powered on.
2. The device powered on and prompted for the date and time. To minimize changes to the data on the device, the date and time were not set; “cancel” was selected using the directional pad on the camera.
3. After “cancel” was selected, the computer finished connecting to the device, and the camera appeared as a removable drive under “My Computer” on the Windows computer used in this lab.
4. FTK Imager by AccessData (version 220.127.116.11) was used to create a physical image of the camera’s 2 GB of flash storage in raw (“dd”) format.
5. After approximately forty-eight minutes the image, 1938 MB in total, was complete, and MD5 and SHA1 hash values of it were calculated and verified:
MD5 checksum: e40aa7de7c21f9a522bdea866e3ea1e9
SHA1 checksum: c4c8bdf66f915395cf098b2122c9f9704a0bd0a1
6. The Nikon Coolpix E4600 digital camera was then disconnected from the computer and shut down.
7. Autopsy Forensic Browser (version 3.0.6), used as a graphical interface for The Sleuth Kit (version 4.1.0), was opened and the newly created image was then loaded into the program.
8. All default ingest modules were used when processing the image. This included Scalpel (version 1.0), which carves files from unallocated space.
9. Scalpel carved 1167 files from unallocated space, most of them JPEG images, with a few MOV video files.
10. The volume layout showed one partition formatted as FAT16, with small unallocated regions before it (249 sectors) and after it (2560 sectors). The expanded folder structure is shown in Figure 1.
Figure 1. The complete folder structure from the 2GB of internal storage on the Nikon Coolpix digital camera shows how all the files and folders are organized. The six subfolders of the DCIM folder can be seen containing the majority of the files on the drive.
11. The files and folders were explored to find what data was stored where. Of the six subfolders of the DCIM folder, the only one containing photos that had not been deleted was 105NIKON. The remaining folders contained only photos that had been deleted and were recovered during processing.
12. Deleted images and videos that had been taken and deleted around six years ago, according to the owner, were found to remain on the camera. There were also deleted images and videos that had been taken and deleted in the week prior to the imaging of the device. These files were distributed in the subfolders of the DCIM folder including 100NIKON, 101NIKON, 102NIKON, 103NIKON, and 104NIKON. Deleted images were also recovered in the 105NIKON folder alongside the few pictures and videos that were purposefully not deleted.
13. On closer examination of the photos and videos, the camera make and model, Nikon E4600, was readable in the EXIF metadata (the APP1 segment near the start of each JPEG file). The same EXIF data recorded the settings in effect when the picture was taken, such as the shooting mode, shutter speed, and color mode.
14. Not every carved file was viewable. Many of the JPEG images recovered from unallocated space would not render even though the software had recognized a JPEG header. Some of the images that did display were only a small part of a once complete image, and some were recovered complete. Partial images are expected from carving: clusters of a deleted file get reused by later photos, and a carver that stops at the first end-of-image marker it finds can cut an image short at the end of its embedded EXIF thumbnail.
15. Timestamps on many of the files were found to be inaccurate, most likely because the date and time were not set after the batteries were changed, so the camera’s clock was wrong when those files were written.
16. Only two files on the drive were not images or videos: ORDER.NJB (17 bytes) and AUTPRINT.MRK (1275 bytes), both in the MISC folder. ORDER.NJB contained no readable information. AUTPRINT.MRK, the DPOF (Digital Print Order Format) print-order file, contained the make and model of the camera and a list of every image and video still present on the camera, that is, those that had not been deleted.
17. After this analysis of the filesystem, files, and folders from the image obtained from the internal storage of the Nikon Coolpix E4600 digital camera, the case was saved in Autopsy and closed.
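As an added example (not part of the lab report and not code from FTK Imager, Autopsy or Scalpel), the Python script below reproduces, on a constructed image rather than the lab’s real one, the three checks behind steps 5, 10 and 14: recomputing and comparing the acquisition hashes, reading the MBR to find the FAT16 partition and the unallocated sectors on either side of it, and carving JPEGs out of those sectors. The carver walks the JPEG marker segments instead of stopping at the first end-of-image marker, which is what lets it recover an image whose EXIF thumbnail carries its own FFD9; naive_carve_len shows the truncated result a header/footer-only carver returns for the same bytes, one reason a carved image can display as only a small part of the original. The image layout (partition at LBA 249, 2560 trailing sectors), the JPEG bytes and all function names are constructed for the example.

```python
# Added example, not code from the lab report or its tools. Verifies an acquired
# raw (dd) image's hashes, reads the MBR to find the FAT16 partition and the
# unallocated sectors around it, and carves JPEGs from those sectors. The image
# bytes are constructed below, not taken from the lab's real image.
import hashlib
import struct

SECTOR = 512
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def image_hashes(data: bytes) -> tuple:
    """MD5 and SHA1 of the raw image, as the imaging tool records them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def verify_image(data: bytes, expected_md5: str, expected_sha1: str) -> bool:
    """Recompute both hashes; a mismatch on either means this is not the acquired image."""
    md5, sha1 = image_hashes(data)
    return md5 == expected_md5.lower() and sha1 == expected_sha1.lower()

def parse_mbr(data: bytes) -> list:
    """(type, start_lba, sector_count) for each populated MBR partition entry."""
    if data[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = data[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack("<II", entry[8:16])
        if entry[4] and count:
            parts.append((entry[4], start, count))
    return sorted(parts, key=lambda p: p[1])

def unallocated_ranges(total_sectors: int, parts: list) -> list:
    """(start, count) sector ranges no partition covers; sector 0 (the MBR itself)
    is counted in the leading gap, the way mmls reports it."""
    gaps, cursor = [], 0
    for _, start, count in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def jpeg_end(data: bytes, start: int) -> tuple:
    """Walk the marker segments after SOI so that an EOI inside an embedded EXIF
    thumbnail is skipped; return (end_offset, complete)."""
    pos = start + 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == SOS:                      # entropy-coded data follows
            eoi = data.find(EOI, pos + 2)
            return (eoi + 2, True) if eoi != -1 else (len(data), False)
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]  # skip APPn/DQT/SOF/...
    return pos, False                                 # ran off the end or malformed

def naive_carve_len(data: bytes, start: int) -> int:
    """Header/footer-only carving: the first FFD9 after the header wins, even if
    it belongs to the thumbnail, so the carved image is cut short."""
    eoi = data.find(EOI, start + 2)
    return eoi + 2 - start if eoi != -1 else len(data) - start

def carve_jpegs(data: bytes, ranges: list) -> list:
    """Carve JPEGs from the given sector ranges as (offset, length, complete)."""
    found = []
    for start_sector, count in ranges:
        lo, hi = start_sector * SECTOR, (start_sector + count) * SECTOR
        pos = data.find(SOI + b"\xff", lo, hi)
        while pos != -1:
            end, complete = jpeg_end(data, pos)
            found.append((pos, end - pos, complete))
            pos = data.find(SOI + b"\xff", end, hi)
    return found

def build_jpeg(with_thumbnail: bool) -> bytes:
    """Constructed minimal JPEG: SOI, an APP1 segment (optionally holding a
    thumbnail with its own EOI), a SOS header, 32 bytes of scan data, EOI."""
    thumb = SOI + b"\xff\xdb\x00\x04\x00\x00" + EOI if with_thumbnail else b""
    payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56\x78" * 8
    return SOI + app1 + sos + EOI

def build_image() -> bytes:
    """Constructed 2873-sector image laid out like the lab's: MBR, a type 0x06
    (FAT16) partition at LBA 249, and 2560 trailing unallocated sectors holding
    two deleted JPEGs plus one fragment whose tail has been overwritten."""
    entry = b"\x00\x00\x00\x00\x06\x00\x00\x00" + struct.pack("<II", 249, 64)
    mbr = b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"
    tail = bytearray(2560 * SECTOR)
    full, plain = build_jpeg(True), build_jpeg(False)
    tail[3 * SECTOR:3 * SECTOR + len(full)] = full
    tail[10 * SECTOR:10 * SECTOR + len(plain)] = plain
    tail[-30:] = plain[:30]                           # header survives, EOI is gone
    return mbr + b"\x00" * (312 * SECTOR) + bytes(tail)   # 248 leading + 64 partition sectors

if __name__ == "__main__":
    img = build_image()
    gaps = unallocated_ranges(len(img) // SECTOR, parse_mbr(img))
    print("verifies:", verify_image(img, *image_hashes(img)), "unallocated:", gaps)
    for off, length, complete in carve_jpegs(img, gaps):
        print(f"JPEG @ {off}: {length} bytes, complete={complete}, "
              f"header/footer carver would take {naive_carve_len(img, off)}")
```

Run stand-alone it prints whether the hashes verify, the two unallocated ranges (249 sectors before the partition, 2560 after, matching step 10), and for each carved JPEG its length, whether its EOI was found, and how much shorter a header/footer carver would have cut it. Against a real dd image the same functions apply once the file is read into memory or mapped with mmap; the hashes to pass to verify_image are the ones recorded at acquisition, such as those in step 5.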
Issues and Problems
1. The most efficient and least damaging way to acquire the data from this camera was to connect it to the lab computer with its own USB cable. The camera also accepts a removable SD card, but none was present, and since the internal storage was the target of this exercise the camera itself had to be connected. Reaching the internal storage over USB requires the camera to be powered on (it only appeared on the computer once batteries were installed and the power button was pressed), and there is no way to avoid that. Powering on lets the camera’s firmware modify its own storage before the image is taken, which makes the process less forensically sound than imaging removable media.
2. The camera held a good deal of interesting data in the form of deleted images and videos, but because the owner had used it for around six years there was no way to know everything that had ever been deleted. Without a device populated and examined by the same person, there is no way to be sure how much data is normally recoverable from a device like this one. Some of the images carved from unallocated space carried timestamps from six years earlier; the owner considered those dates most likely accurate, although the reliability of the timestamps is a separate issue.
3. After new batteries were installed and the camera was connected to the computer for the first time, it prompted for the date and time, which have to be set for pictures to be tagged accurately. The camera has no way to verify the clock: whatever the user enters is what it uses for the MAC times of every file it writes and for the EXIF timestamps inside them. This gives the forensic examiner little confidence, because the timestamps depend on the owner having set the date and time accurately and honestly, and since the file-system and EXIF times come from the same clock they cannot corroborate each other.
4. This device was chosen because it has 2 GB of internal storage, which from an acquisition standpoint is quite different from a camera that stores everything on a removable SD card. Imaging an SD card in a card reader is usually much simpler than imaging flash memory that is built into the device and reachable only through the device’s own USB connection. Even so, acquiring and analyzing this camera turned up many potentially interesting images and videos that had been deleted but were still present on the device.
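An added example (not code from the lab report or its tools) for the EXIF reading in step 13 and the clock problem in issue 3: a small parser for four of the tags a camera writes into the APP1 segment (Make, Model, DateTime, DateTimeOriginal), plus a comparison of DateTimeOriginal with the file-system modification time an examiner sees. The JPEG bytes, the timestamps and the earliest-plausible cut-off are constructed for the example; the shooting settings mentioned in step 13 live in further EXIF tags this parser does not read.

```python
# Added example, not code from the lab report or its tools. Reads Make, Model and
# the two timestamps a camera writes into a JPEG's EXIF (APP1) segment, then
# compares DateTimeOriginal with the file-system mtime an examiner sees. The JPEG
# bytes, timestamps and the earliest-plausible cut-off are constructed.
import struct
from datetime import datetime

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x9003: "DateTimeOriginal"}
EXIF_IFD = 0x8769            # IFD0 entry that points at the EXIF sub-IFD
ASCII, LONG = 2, 4           # TIFF field types used here

def _read_ifd(tiff: bytes, offset: int, bo: str, out: dict) -> None:
    """Parse one IFD. ASCII values longer than 4 bytes are stored elsewhere in the
    TIFF block and the 4-byte value field holds their offset from the TIFF header."""
    (count,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        raw = tiff[e + 8:e + 12]
        if tag == EXIF_IFD and typ == LONG:
            _read_ifd(tiff, struct.unpack(bo + "I", raw)[0], bo, out)
        elif tag in TAGS and typ == ASCII:
            val = raw[:n] if n <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:][:n]
            out[TAGS[tag]] = val.rstrip(b"\x00").decode("ascii", "replace")

def parse_exif(jpeg: bytes) -> dict:
    """Walk the marker segments to the APP1 'Exif' segment, honour the TIFF byte
    order mark (II or MM), and collect the TAGS found in IFD0 and the EXIF IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            bo = {b"II": "<", b"MM": ">"}[tiff[:2]]
            out = {}
            _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo, out)
            return out
        if marker == 0xDA:                        # scan data: no EXIF beyond here
            break
        pos += 2 + seglen
    return {}

def timestamp_report(jpeg: bytes, fs_mtime_iso: str, earliest_plausible_iso: str) -> dict:
    """Compare EXIF DateTimeOriginal with the FAT mtime. Both come from the camera's
    own clock, so agreement is not corroboration. A clock that was never set shows
    as a capture date before earliest_plausible (the examiner's assumption, e.g. the
    model's release); a clock changed between capture and write shows as a gap."""
    meta = parse_exif(jpeg)
    taken = datetime.strptime(meta["DateTimeOriginal"], "%Y:%m:%d %H:%M:%S")
    delta = (datetime.fromisoformat(fs_mtime_iso) - taken).total_seconds()
    return {"camera": f"{meta.get('Make')} {meta.get('Model')}",
            "exif_original": meta["DateTimeOriginal"],
            "delta_seconds": delta,
            "clock_unset": taken < datetime.fromisoformat(earliest_plausible_iso),
            "clock_changed": abs(delta) > 60}

def build_exif_jpeg(make: str, model: str, original: str, datetime_tag: str) -> bytes:
    """Constructed JPEG: little-endian TIFF with IFD0 (Make, Model, DateTime, EXIF
    pointer) and an EXIF IFD holding DateTimeOriginal. Every string here exceeds
    4 bytes, so all ASCII values go in the data area after the two IFDs."""
    ifd0_tags = [(0x010F, make), (0x0110, model), (0x0132, datetime_tag)]
    exif_off = 8 + 2 + 12 * 4 + 4                 # header + IFD0 (4 entries + next)
    data_off = exif_off + 2 + 12 * 1 + 4          # + EXIF IFD (1 entry + next)
    where, blob = {}, b""
    for tag, text in ifd0_tags + [(0x9003, original)]:
        where[tag] = (data_off + len(blob), len(text) + 1)
        blob += text.encode("ascii") + b"\x00"
    def entry(tag, typ, n, val):
        return struct.pack("<HHII", tag, typ, n, val)
    ifd0 = struct.pack("<H", 4) + b"".join(entry(t, ASCII, where[t][1], where[t][0]) for t, _ in ifd0_tags)
    ifd0 += entry(EXIF_IFD, LONG, 1, exif_off) + b"\x00" * 4
    exif = struct.pack("<H", 1) + entry(0x9003, ASCII, where[0x9003][1], where[0x9003][0]) + b"\x00" * 4
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + blob
    app1 = b"\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + app1 + b"\xff\xd9"

if __name__ == "__main__":
    good = build_exif_jpeg("NIKON", "E4600", "2013:10:05 14:22:31", "2013:10:05 14:22:31")
    unset = build_exif_jpeg("NIKON", "E4600", "2001:01:01 00:00:10", "2001:01:01 00:00:10")
    print(timestamp_report(good, "2013-10-05T14:22:33", "2005-01-01T00:00:00"))
    print(timestamp_report(unset, "2001-01-01T00:00:10", "2005-01-01T00:00:00"))
```

The point of timestamp_report is the caveat in issue 3: the FAT timestamps and the EXIF timestamps both come from the camera’s clock, so they agree even when the clock was never set (the second constructed file, whose delta is zero but whose capture date precedes the cut-off), and agreement says nothing about when the picture was really taken. Corroboration has to come from outside the camera, such as the content of the picture or another device’s record of the same event.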
If this type of device were involved in a criminal investigation, being able to recover the deleted files would be helpful, but because the camera’s date and time could not be relied upon, the timestamps on those files would carry little evidentiary weight without corroboration from another source. The data from this digital camera was acquired and analyzed with a method similar to the one used by investigators in the field of cyber forensics. This lab exercise demonstrates that, at least for this specific device, it is possible to acquire the data and find potentially valuable information.