There are many reasons why anyone working in the digital forensics/incident response profession should have the ability to record the screen of their computer. Whether it is recording the actions taken during an investigation so another person can replicate them, recording an adversaries activity on a victim machine, or simply creating some training videos, screen recordings are a great source of information. While I was in law enforcement, I used screen recordings often to show a jury how I was able to locate different forensic evidence on a defendant’s computer. I walked the jury through all of the steps and was able to narrate my actions while they could watch it on the screen. Screen recordings are a much better solution than trying to do a live demonstration of technology and it allows the presenter to be confident in the results.
Several software applications are available to do screenshots and screen recordings, but today I’m going to focus on free tools that are built into the Mac Operating System (OS). In my last lab and in my current lab, our examiners all utilize Mac computers as our primary workstations for a variety of reasons. Being able to create instant screenshots and screen recordings with free tools is just some of the benefits of using a Mac.
Imagine that during a forensic examination of a computer, the examiner discovered that the subject of the investigation was intentionally hiding files on the computer. Using the Windows hidden file attribute is one of many ways people will attempt to hide their activity from other computer users. This, along with giving a file a bad extension (for example renaming badfile.jpg to badfile.txt), were two of the most common ways I see people obfuscate their data. Usually I see this type of activity with subjects who share their computer with other family members or coworkers and lacked the technical sophistication to do more advanced file hiding techniques. Nonetheless, hiding files does help to show the mental culpability of the subject and their knowledge that the files were intentionally possessed and something they did not want others to find.
With the scenario above, think about the options the examiner has to present this information to a non-technical fact finder. The examiner could testify about the methods a user would have to go through to hide files. The other way to present this information would be through the use of a screen recording and the examiner can narrate the steps the subject would have to go through to hide files while actually showing it being done on a screen. Using a virtual machine and VMware Fusion on my Mac, I created a video below using Apple QuickTime Player to show a jury how to hide files. As you watch it, think about how you would explain these steps to the audience.
In the example video created by the built-in QuickTime Player, it was easy to follow along and anyone who has ever used a computer with the Windows OS would see some familiar sights. In my experience, it is so much easier explaining things like this, where people can easily relate, than trying to provide a technical description from the witness stand. I think having professional video recordings like shown above also exhibits dedication, competency, and professionalism of the witness in the eyes of the audience.
Now that I have shown some reasons to make a screen recording, I’ll next go over how to use QuickTime Player to do it. The steps are below:
1. Launch QuickTime Player.
2. Click “File” and then “New Screen Recording.”
3. The small arrow on the right side of the box can be clicked to change the settings of the audio and video.
4. To record audio, either record from a microphone, use the built-in microphone (not recommended), or download the free Sunflower application that allows the user to record what the speakers are playing. Under “Options” the user can show mouse clicks to help the viewer see what was clicked (this was done in my video above).
5. When ready, click the red record button. After pressing the button, a pop-up window will appear which is shown below:
6. If just a portion of the screen needs to be recorded, drag a box around the area to be recorded. Once the button on the mouse is released, a button will appear in the center of the recording box. When the button is clicked, the recording begins:
While the recording is occurring, the time of the recording and the file size of the recording is updated continuously. At the conclusion of the recording, click the black stop button and QuickTime Player will open with the recorded video.
If the video is ready to be shared without any editing, the share button on the bottom left hand corner can be clicked and the video uploaded to a social medial outlet:
Once the video is open in QuickTime, there are multiple editing features available such as trimming the frames, splitting the video, etc. To find these options, click “Edit.” When the editing is complete, click “File” and export the video out to the necessary format and destination. Another option is to upload the video to YouTube and do the editing within YouTube itself.
Screenshots are a highly effective tool that I use in nearly every forensic investigative report I complete. The old saying that a picture is worth a thousand words is certainly true in forensic reports or demonstrative exhibits. One of my favorite examples of using screenshots effectively was during a jury trial that involved an individual who was accused of possession and distribution of child pornography. The defendant’s main defense was that some malware caused his computer to download the illegal images. There were multiple forensic artifacts that disputed his defense, but one of the strongest visual aids I gave the jury was a PowerPoint presentation showing my analysis including screenshots. The screenshot below shows the intricate file structure created by the user, where the images of child sexual abuse were neatly cataloged and named; something malware was not capable of doing. The screenshot from this presentation is below (I commonly use it when teaching about technical defenses to illustrate this very point):
Natively within the Mac OS there are two types of screenshots a user can make. The first is to take a screenshot of the entire screen. I rarely use this because I’m generally interested in a specific window or perhaps the area of a VM that is running. To take a screenshot of the entire screen, press and hold Command, Shift, 3. That key combination will automatically save a .png file on the desktop of the computer titled “Screen shot” and then the date and time the screenshot was taken.
More often, I use a selective screenshot. To do this, press and hold Command, Shift, 4. When this key combination is pressed, a crosshair symbol will be shown. Click and drag the crosshair over the area to screenshot. When the mouse button is released a .png file will be created and named with the date and time, just like explained above.
It is possible to annotate the screenshots with additional built-in Mac tools. For example, I often will add boxes and/or arrows to my screenshots to draw the attention of the audience. To do this, open the .png screenshot with the preview application. Once open in Preview, click “Tools” and then “Annotate”. There is also an Edit toolbar that can be added by clicking on “View” and then “Show Edit Toolbar.” Users can annotate by adding all sorts of shapes and text. See an example below: