This document provides an overview of computer forensics. It defines computer forensics as the scientific examination and analysis of data from computer storage media for use as evidence in a court of law. The document discusses the history and development of the field from the 1970s to present day, covering important events like the creation of specialized investigation teams and the establishment of standards and guidelines. It also outlines key concepts in computer forensics like principles, tools, requirements and processes involved in investigations.
2. Page | 2
What is Computer Forensics ?
Computer forensics is the scientific examination and analysis of data held on, or
retrieved from, computer storage media in such a way that the information can be
used as evidence in a court of law.
Our reliance on computer and network technologies has led to a number of
concerns. For example, the use of computers has inspired new types of misconduct,
such as hacking or denial of service attacks against computer systems. Conversely,
ordinary, inexpert people find new opportunities for older crimes such as credit
card fraud, embezzlement or blackmail.
Computer forensics is emerging as an important tool in the fight against crime.
Computer forensics may be defined as the investigation of situations where there is
computer-based (digital) or electronic evidence of a crime or suspicious behaviour,
but the crime or behaviour may be of any type not otherwise involving computers.
Therefore, computers facilitate both the commission of and investigation into the
act in question.
Specialists in the area follow structured methodologies to ensure the integrity of
the evidence that they collect and process. Preservation
Identification
Extraction
Documentation
Interpretation
It is not just law enforcement that is developing the computer forensics field.
Increasingly, commercial and non-commercial organisations are requiring experts
in the field to investigate incidents. Thus, there are many applications of computer
forensics tools and techniques other than for criminal prosecution, such as:
Determine root cause of an event to ensure no repeat
Identify responsibility for an action
Internal investigation within the organisation
Intelligence operations
Audit
Recovering lost data
3. Page | 3
HISTORY:
1970s
First crimes cases involving computers, mainly financial fraud
1980’s
Financial investigators and courts realize that in some cases all the records and
evidences were only on computers.
Norton Utilities, ―Un-erase‖ tool created
Association of Certified Fraud Examiners began to seek training in what
became computer forensics
SEARCH High Tech Crimes training created
Regular classes began to be taught to Federal agents in California and at
FLETC in Georgia
HTCIA formed in Southern California
1984
FBI Magnetic Media Program created. Later it become Computer Analysis and
Response Team (CART)
FBI
1987
Acces Data – Cyber Forensic Company formed
1988
Creation of IACIS, the International Association of Computer Investigative
Specialists
First Seized Computer Evidence Recovery Specialists (SCERS) classes held
1993
First International Conference on Computer Evidence held
1995
International Organization on Computer Evidence (IOCE) formed
4. Page | 4
1997
The G8 countries in Moscow declared that ―Law enforcement personnel must
be trained and equipped to address high-tech crimes‖.
1998
In March G8 appointed IICE to create international principles, guidelines and
procedures relating to digital evidence
1998
INTERPOL Forensic Science Symposium
1999
FBI CART case load exceeds 2000 cases, examining 17 terabytes of data
2000
First FBI Regional Computer Forensic Laboratory established
2003
FBI CART case load exceeds 6500 cases, examining 782 terabytes of data
ORIGIN :
Forensic roots from a Latin word, ―forensic‖ which generally means forum or
discussion. In the reign of the Romans, any criminal who has been charged with a
crime is presented before an assembly of public folks. Both of the complainant and
the defendant are to present their sides through their own speeches. The one who
was able to explain his side with fervent delivery and argumentation typically won
the case.
ActivitiesHeld :
– the secure collection of computer data
– the identification of suspect data
– the examination of suspect data to determine details such as origin and
content
– the presentation of computer-based information to courts of law
– the application of a country's laws to computer practice.
5. Page | 5
Process :
Computer forensics investigations take a lot of time to conduct. This is not
surprising given the increasing size of storage media that is being encountered. For
example, hard drives of several hundred Gigabytes are not uncommon. In addition,
the amount of devices and data storage that must be searched and analysed is also
increasing. This must be conducted in a robust manner that can be demonstrated in
court or to management at a later date.
Below is my Organisational Model of Computer Forensics which aims to simplify
the investigation process irrespective of the computer forensics tools and
techniques used.
Prior to an investigation, the analyst must make some preparations. For example,
what is the purpose of the investigation? This will ultimately determine the tools
and techniques used throughout the resulting investigation.
Next, evidence must be collected. This must be conducted robustly and maintain
the integrity of the evidence. Once the evidence is collected, a copy of the material
is made and all analysis is performed on the copy. This ensures that the original
evidence is not altered in any way.
The analysis of the evidence is conducted with forensics tools. For example,
analysing the hard drive of a computer requires the recreation of the logical
structure of underlying operating system. Once this is done, the analyst may have
to triage and view both extant and deleted files to build a picture of the suspect’s
activities.
The analyst will then report any suspicious or malicious files and supply
supporting evidence. For example, the time and date the file was created, accessed
or modified and which user was responsible.
Finally, the analyst must present evidence. In law enforcement, this is to a court of
law. Increasingly, with the growth of the field in internal corporate investigations,
this will be to management.
7. Page | 7
Tools :
The tools and techniques used in computer forensics are as wide and varied as the
crimes that are investigated. Each investigation will ultimately determine the tools
that are used. Below is just a brief outline of tools used in the search for relevant
evidentiary data on a computer. For further information on tools and techniques, it
is recommended that you consult a book on the subject of computer forensics.
A number of computer forensic tools and approaches are used for the detection of
suspicious data on the hard drive. These can be generally divided into file
analysis and format specific approaches.
Commonly used computer forensic tools, such as the Forensic Toolkit (screenshot
below) and EnCase, provide examples of file analysis approaches. These tools are
used for storage media analysis of a variety of files and data types in fully
integrated environments. For example, the Forensic Toolkit can perform tasks such
as file extraction, make a forensic image of data on storage media, recover deleted
files, determine data types and text extraction. EnCase is widely used within law
enforcement and like FTK provides a powerful interface to the hard drive or data
source under inspection, for example, by providing a file manager that shows
extant and deleted files.
Format specific approaches specifically look for data belonging to particular
applications or data types. For example,Jhead is an application to extract specific
JPEG image data, such as time and date a picture was taken, camera make and
model, image resolution, shutter speed, etc. Tools such as Data Lifter are able to
extract files of a multitude of types. These tools support data carving to retrieve
files of specific types by searching the disk for file preambles
8. Page | 8
.• AccesData Group for Forensic Toolkit (FTK)
• ArcSight for ArcSight Logger
• Guidance Software for EnCase Forensic
• NetWitness for NetWitnessNextGen 9.5
• Quest Software for Quest ChangeAuditor
9. Page | 9
Principles :
The fundamental principles of computer forensics can be thought of as rules
governing the way in which digital evidence is handled which allow such evidence
to be admissible in court.
Immediately we can see that any attempt to define these principles is made difficult
by the fact that legislation concerning digital evidence differs from country to
country. Nevertheless, attempts have been made to standardise principles on an
international basis and the following are commonly agreed upon:
- The act of collecting digital evidence should not result in any alteration of the
data in question, wherever this is possible
- All handling of digital evidence (from collection through to preservation and
analysis) must be fully documented
- Access to original digital evidence should be restricted to those deemed
"forensically competent"
Each of the above principles require more detailed explanation to be properly
appreciated and understood, and debate continues regarding their implementation.
For example, how are situations where it is impossible to avoid the alteration of
some data during evidence collection to be handled (e.g. during live analysis)?
What does "fully documented" mean and how are details of an investigation to be
recorded? How do you determine if someone is "forensically competent"?
10. Page | 10
Why is Computer Forensics Important?
Adding the ability to practice sound computer forensics will help you ensure the
overall integrity and survivability of your network infrastructure. You can help
your organization if you consider computer forensics as a new basic element in
what is known as a ―defense-in-depth‖
―Defense in depth is designed on the principle that multiple layers of different
types of protection from different vendors provide substantially better protection‖
approach to network and computer security. For instance, understanding the legal
and technical aspects of computer forensics will help you capture vital information
if your network is compromised and will help you prosecute the case if the intruder
is caught.
Fundamentals
Military
Acquisition
Analysis
Examination
Report
Investigation
Criminal
FRYE
FRE 702
Daubert/Kumho
Civil
Federal Rules of Civil Procedure
Sedona
Rowe
Rules of Evidence
Expert Witness
Friend of the Court
Technical Expert
Presentation
Standards & Guidelines
Law Enforcement Private Sector
Computer Forensics
11. Page | 11
REQUIREMENTS :
• Hardware
– Familiarity with all internal and external devices/components of a
computer
– Thorough understanding of hard drives and settings
– Understanding motherboards and the various chipsets used
– Power connections
– Memory
• BIOS
– Understanding how the BIOS works
– Familiarity with the various settings and limitations of the BIOS
• Operation Systems
– Windows 3.1/95/98/ME/NT/2000/2003/XP
– DOS
– UNIX
– LINUX
– VAX/VMS
• Software
Familiarity with most popular software packages
such as Office
13. Page | 13
What is Digital Forensics ? :
Digital forensics (sometimes known as digital forensic science) is a branch
of forensic science encompassing the recovery and investigation of material found
in digital devices, often in relation to computer crime. The term digital forensics
was originally used as a synonym for computer forensics but has expanded to
cover investigation of all devices capable of storing digital data. With roots in
the personal computing revolution of the late 1970s and early '80s, the discipline
evolved in a haphazard manner during the 1990s, and it was not until the early 21st
century that national policies emerged.
Digital forensics investigations have a variety of applications. The most
common is to support or refute a hypothesis before criminal or civil (as part of
the electronic discovery process) courts. Forensics may also feature in the private
sector; such as during internal corporate investigations or intrusion investigation
(a specialist probe into the nature and extent of an unauthorized network intrusion).
The technical aspect of an investigation is divided into several sub-branches,
relating to the type of digital devices involved; computer forensics, network
forensics, forensic data analysis and mobile device forensics. The typical forensic
process encompasses the seizure, forensic imaging (acquisition) and analysis of
digital media and the production of a report into collected evidence.
As well as identifying direct evidence of a crime, digital forensics can be used to
attribute evidence to specific suspects, confirm alibis or statements,
determine intent, identify sources (for example, in copyright cases), or authenticate
documents. Investigations are much broader in scope than other areas of forensic
analysis (where the usual aim is to provide answers to a series of simpler
questions) often involving complex time-lines or hypotheses.
14. Page | 14
HISTORY:
Prior to the 1980s crimes involving computers were dealt with using existing laws.
The first computer crimes were recognized in the 1978 Florida Computer Crimes
Act, which included legislation against the unauthorized modification or deletion
of data on a computer system. Over the next few years the range of computer
crimes being committed increased, and laws were passed to deal with issues
ofcopyright, privacy/harassment (e.g., cyber bullying, cyber stalking, and online
predators) and child pornography. It was not until the 1980s that federal laws
began to incorporate computer offences. Canada was the first country to pass
legislation in 1983. This was followed by the US FederalComputer Fraud and
Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the
British Computer Abuse Act in 1990.
1980s–1990s: Growth of the field
The growth in computer crime during the 1980s and 1990s caused law
enforcement agencies to begin establishing specialized groups, usually at the
national level, to handle the technical aspects of investigations. For example, in
1984 the FBIlaunched a Computer Analysis and Response Team and the following
year a computer crime department was set up within the British Metropolitan
Police fraud squad. As well as being law enforcement professionals, many of the
early members of these groups were also computer hobbyists and became
responsible for the field's initial research and direction.
Throughout the 1990s there was high demand for the these new, and basic,
investigative resources. The strain on central units lead to the creation of regional,
and even local, level groups to help handle the load. For example, the
British National Hi-Tech Crime Unit was set up in 2001 to provide a national
infrastructure for computer crime; with personnel located both centrally in London
and with the various regional police forces (the unit was folded into the Serious
Organised Crime Agency (SOCA) in 2006).
15. Page | 15
During this period the science of digital forensics grew from the ad-hoc tools and
techniques developed by these hobbyist practitioners. This is in contrast to other
forensics disciplines which developed from work by the scientific community. It
was not until 1992 that the term "computer forensics" was used in academic
literature (although prior to this it had been in informal use); a paper by Collier and
Spaul attempted to justify this new discipline to the forensic science world.This
swift development resulted in a lack of standardization and training. In his 1995
book, "High-Technology Crime: Investigating Cases Involving Computers", K
Rosenblatt wrote:
Seizing, preserving, and analyzing evidence stored on a computer is the greatest
forensic challenge facing law enforcement in the 1990s. Although most forensic
tests, such as fingerprinting and DNA testing, are performed by specially trained
experts the task of collecting and analyzing computer evidence is often assigned to
patrol officers and detectives.
2000s: Developing standards :
Since 2000, in response to the need for standardization, various bodies and
agencies have published guidelines for digital forensics. The Scientific Working
Group on Digital Evidence (SWGDE) produced a 2002 paper, "Best practices for
Computer Forensics", this was followed, in 2005, by the publication of
an ISO standard (ISO 17025, General requirements for the competence of testing
and calibration laboratories). A European lead international treaty, the Convention
on Cybercrime, came into force in 2004 with the aim of reconciling national
computer crime laws, investigative techniques and international co-operation. The
treaty has been signed by 43 nations (including the US, Canada, Japan, South
Africa, UK and other European nations) and ratified by 16.
The issue of training also received attention. Commercial companies (often
forensic software developers) began to offer certification programs and digital
forensic analysis was included as a topic at the UK specialist investigator training
facility, Centrex.
Since the late 1990s mobile devices have become more widely available,
advancing beyond simple communication devices, and have been found to be rich
forms of information, even for crime not traditionally associated with digital
forensics. Despite this, digital analysis of phones has lagged behind traditional
computer media, largely due to problems over the proprietary nature of devices.
16. Page | 16
Focus has also shifted onto internet crime, particularly the risk of cyber
warfare and cyberterrorism. A February 2010 report by theUnited States Joint
Forces Command concluded:
Through cyberspace, enemies will target industry, academia, government, as well
as the military in the air, land, maritime, and space domains. In much the same way
that airpower transformed the battlefield of World War II, cyberspace has fractured
the physical barriers that shield a nation from attacks on its commerce and
communication.
The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital
Forensic Research: The Good, the Bad and the Unaddressed", by Peterson and
Shenoi identified a bias towards Windows operating systems in digital forensics
research. In 2010 SimsonGarfinkel identified issues facing digital investigations in
the future, including the increasing size of digital media, the wide availability of
encryption to consumers, a growing variety of operating systems and file formats,
an increasing number of individuals owning multiple devices, and legal limitations
on investigators. The paper also identified continued training issues, as well as the
prohibitively high cost of entering the field.
Aerial photo of FLETC, where US digital forensics standards were developed in the 1980s and
'90s
17. Page | 17
PROCESS :
The basic process of forensics
– Identification
– Collection
– Preservation
– Examination
– Analysis
– Reporting
• The process of digital forensics is the same as other forensics sciences
•
Not all applications of digital forensics are designed to produce evidence b
ut all require reliability, integrity, and veracity
– Information security incident response
– Intelligence gathering
– Policy compliance
– Remediation
– Research
18. Page | 18
During the analysis phase an investigator recovers evidence material using a
number of different methodologies and tools. In 2002, an article in
the International Journal of Digital Evidence referred to this step as "an in-depth
systematic search of evidence related to the suspected crime." In 2006, forensics
researcher Brian Carrie described an "intuitive procedure" in which obvious
evidence is first identified and then "exhaustive searches are conducted to start
filling in the holes."
The actual process of analysis can vary between investigations, but common
methodologies include conducting keyword searches across the digital media
(within files as well as unallocated and slack space, recovering deleted files and
extraction of registry information (for example to list user accounts, or attached
USB devices).
The evidence recovered is analysed to reconstruct events or actions and to reach
conclusions, work that can often be performed by less specialised staff. When an
investigation is complete the data is presented, usually in the form of a written
report, in lay persons terms.
APPLICATION :
Digital forensics is commonly used in both criminal law and private investigation.
Traditionally it has been associated with criminal law, where evidence is collected
to support or oppose a hypothesis before the courts. As with other areas of
forensics this is often as part of a wider investigation spanning a number of
disciplines. In some cases the collected evidence is used as a form of intelligence
gathering, used for other purposes than court proceedings (for example to locate,
identify or halt other crimes). As a result intelligence gathering is sometimes held
to a less strict forensic standard.
In civil litigation or corporate matters digital forensics forms part of the electronic
discovery(or eDiscovery) process. Forensic procedures are similar to those used in
criminal investigations, often with different legal requirements and limitations.
Outside of the courts digital forensics can form a part of internal corporate
investigations.
A common example might be following unauthorized network intrusion. A
specialist forensic examination into the nature and extent of the attack is performed
as a damage limitation exercise. Both to establish the extent of any intrusion and in
an attempt to identify the attacker.Such attacks were commonly conducted over
phone lines during the 1980s, but in the modern era are usually propagated over the
Internet.
19. Page | 19
The main focus of digital forensics investigations is to recover objective evidence
of a criminal activity (termed actusreus in legal parlance). However, the diverse
range of data held in digital devices can help with other areas of inquiry.
Attribution
Meta data and other logs can be used to attribute actions to an individual.
For example, personal documents on a computer drive might identify its
owner.
Alibis and statements
Information provided by those involved can be cross checked with digital
evidence. For example, during the investigation into theSoham murders the
offender's alibi was disproved when mobile phone records of the person he
claimed to be with showed she was out of town at the time.
Intent
As well as finding objective evidence of a crime being committed,
investigations can also be used to prove the intent (known by the legal
term mensrea). For example, the Internet history of convicted killer Neil
Entwistle included references to a site discussing How to kill people.
Evaluation of source
File artifacts and meta-data can be used to identify the origin of a particular
piece of data; for example, older versions of Microsoft Word embedded a
Global Unique Identifer into files which identified the computer it had been
created on. Proving whether a file was produced on the digital device being
examined or obtained from elsewhere (e.g., the Internet) can be very
important.
Document authentication
Related to "Evaluation of source," meta data associated with digital
documents can be easily modified (for example, by changing the computer
clock you can affect the creation date of a file). Document authentication
relates to detecting and identifying falsification of such details.
20. Page | 20
TOOLS
Bootable Environments
Use to boot a suspect system into a trusted state.
Data Acquisition
Use to collect data from a dead or live suspect system.
Volume System
Use to examine the data structures that organize media, such as partition
tables and disk labels.
File System
Use to examine a file system or disk image and show the file content and
other meta data.
Application
Use to analyze the contents of a file (i.e. at the application layer).
Network
Use to analyze network packets and traffic. This does not include logs from
network devices.
Memory
Use to analyze memory dumps from computers.
Frameworks
Frameworks used to build custom tools.
Limitations
One major limitation to a forensic investigation is the use of encryption; this
disrupts initial examination where pertinent evidence might be located using
keywords. Laws to compel individuals to disclose encryption keys are still
relatively new and controversial.
21. Page | 21
COMMUNITIES
There at least 3 distinct communities within Digital Forensics
• Law Enforcement
• Military
• Business & Industry
• Possibly a 4th
– Academia
22. Page | 22
Subcategories of DFS
There is a consensus that there are at least 3 distinct types of DFS analysis
Media Analysis
-Examining physical media for evidence
Code Analysis
-Review of software for malicious signatures
Network Analysis
-Scrutinize network traffic and logs to identify and locate
Media Analysis
May often be referred to as computer forensics.
More accurate to call it media analysis as the focus is on the various storage
medium (e.g., hard drives, RAM, flash memory, PDAs, diskettes etc.)
Excludes network analysis.
The 3 A’s
The basic methodology consists of the 3 As:
-Acquire the evidence without altering or damaging the original.
-Authenticate the image.
-Analyze the data without modifying it.
23. Page | 23
Branches in DIGITAL FORENSICS
Branches of Digital Forensics include:
– Network Forensics
– Firewall Forensics
– Database Forensics
– Mobile Device forensics
The names of the different branches speaks to the different areas which they focus
on.
25. Page | 25
-Unlike computer forensics that retrieves information from the computer’s disks,
network forensics, in addition retrieves information on which network ports were
used to access the network
There are several differences that separate the two including the following:
– Unlike computer forensics where the investigator and the person
being investigated, in many cases the criminal, are on two different
levels with the investigator supposedly on a higher level of
knowledge of the system, the network investigator and the adversary
are at the same skills level.
– In many cases, the investigator and the adversary use the same tools:
one to cause the incident, the other to investigate the incident. In fact
many of the network security tools on the market today, including
NetScanTools Pro, Tracroute, and Port Probe used to gain
information on the network configurations, can be used by both the
investigator and the criminal.
– While computer forensics, deals with the extraction, preservation,
identification, documentation, and analysis, and it still follows well-
defined procedures springing from law enforcement for acquiring,
providing chain-of-custody, authenticating, and interpretation,
network forensics on the other hand has nothing to investigate unless
steps were in place ( like packet filters, firewalls, and intrusion
detection systems) prior to the incident.
26. Page | 26
AGENDA :
• Introduction to network forensics
• Tracing the intrusion process
• Elements of an end-to-end forensic trace
• Log analysis and correlation (discussion with System Administrators from
ERC)
– Perimeter Network
• Everything outside the firewall(s) and touching external public
networks such as the Internet
– End-to-End
• From the attack computer to the victim computer and
everything between
– Log correlation
• Matching elements of various logs for consistency in time, date,
source, destination, event and protocol
– Ambient data
• Data that has been erased but is still present and must be
forensically extracted and data that exists in swap files and
slack space
- Attack scenario
• The events that make up an attack organized into their logical
sequence
27. Page | 27
INSTRUTION PROCESS :
• What network forensics can do if successful
– Show a path that the intruder took over the network
– Reveal intermediate intrusions
– Provide leads and corroborating evidence
• What network forensics cannot do
– Solve the case alone
– Tie the suspect to the attacks (usually)
• Potential pitfalls
– Normal computer/network activity sometimes looks like attack
activity (false positives; difficult to make a case)
– Gaps in the chain of evidence
– No, ambiguous, or incomplete logs
– International involvement
• How intruders intrude – general case
– Information gathering
• Does not touch the victim
– Footprinting
– Enumerating
– Probing for weaknesses
– Penetration
– Back dooring, trojans, etc.
– Cleanup
29. Page | 29
• Collecting the evidence
– Information gathering
• Files or ambient data on attack computer
– Footprinting
• Files or ambient data on attack computer and log entries in
intermediate devices
– Enumerating
• Files or ambient data on attack computer and log entries in
intermediate devices
– Probing for weaknesses
• Files or ambient data on attack computer and log entries in
intermediate devices and the victim
– Penetration
• Files or ambient data on attack computer and the victim, and
log entries in intermediate devices and the victim
– Back dooring, trojans, etc.
• Files or ambient data on attack computer and the victim, and
log entries in intermediate devices and the victim
• Run Scanner to determine existence.
– Cleanup
• Files or ambient data on attack computer and the victim, and
log entries in intermediate devices and the victim
30. Page | 30
Elements of an End-to-End Forensic Trace :
• The end-to-end concept
– Applies predominantly to penetration attempts but may be used for
other types of attack investigations
– The attack starts at the attack computer, passes through intermediate
devices and ends at the victim if successful
– Evidence resides on each device in the path from the attack computer
to the victim
– By using appropriate forensic techniques the whole path can be
forensically documented as evidence (called a ―chain of evidence‖),
including, in some cases, evidence of premeditation or intent
–
• Looking for evidence
– Attack computer, intermediate computers
• Logs, files, ambient data, tools
– Firewalls
• Logs
• If the firewall was the victim same as on any victim
– Internetworking devices
• Logs and buffers as available
– Victim
• Logs, files, ambient data, altered config and other files,
remnants of trojaned files, files that don’t match hash sets,
tools, trojans and viruses, stored stolen files, web defacement
remnants.
31. Page | 31
• Correlations – preliminaries
– Objectives
• Match data on attack and victim computers
• Find evidence of attack and/or victim on intermediate systems
• Find evidence on attack computer that it was used to gather
information about, footprint and enumerate the victim’s
network
– Match logs of all involved devices for timeline of events
– Analyze monitors (IDS, firewall, host logs, etc.) for events that
indicate probing, penetration attempts, etc.
• Some pitfalls of network evidence collection
– Logs roll rapidly on large systems – data can be lost in a very short
time
– Legal wranglings are necessary to obtain evidence from certain
sources such as ISPs
• Takes time, may cost evidence
– There can be gaps in the evidence chain that need to be inferred –
open to challenge in court
• Analysis of individual events
– Host logs, firewall logs, intrusion detection logs
• Event correlation
– Same events showing in single or multiple data sources with different
names (normalizing)
– Removing redundancies - the same event showing multiple times in
single or multiple sources (deconfliction)
32. Page | 32
– Objective is to identify every unique instance of an event and only the
unique instances
– Normalized events are useful for chain of evidence, deconflicted
events are useful for statistical analysis and timeline analysis
• Timeline analysis and chain of evidence construction
Log Analysis and Correlation :
• Syslogs, messages logs, other Unix host logs
Messages Log
Mar 9 17:54:35 nileftpd[1556]: lost connection to 231-216.205.122.dellhost.com
[216.205.122.231]
Mar 9 17:54:35 nileftpd[1556]: FTP session closed
Mar 9 17:54:35 nileinetd[502]: pid 1556: exit status 255
Mar 9 22:20:22 nilepumpd[557]: renewed lease for interface eth0
Mar 10 04:02:01 nileanacron[1748]: Updated timestamp for job `cron.daily' to 2002-03-10
Mar 10 04:02:59 nilePAM_pwdb[2399]: (su) session opened for user news by (uid=0)
Mar 10 04:03:00 nilePAM_pwdb[2399]: (su) session closed for user news
Mar 10 04:22:01 nileanacron[2455]: Updated timestamp for job `cron.weekly' to 2002-03-10
Mar 10 08:50:22 nilepumpd[557]: renewed lease for interface eth0
Mar 10 16:12:06 nileftpd[8929]: ANONYMOUS FTP LOGIN FROM 200.68.32.185
[200.68.32.185], lamer@
Mar 10 11:12:25 nileinetd[502]: pid 8929: exit status 141
Mar 10 11:13:08 nileftpd[8965]: FTP LOGIN FROM pcp01103425pcs.aubrnh01.mi.comcast.net
[68.62.72.193], pstephen
33. Page | 33
Security/Auth Log
Mar 9 13:07:49 nilein.telnetd[1315]: connect from 68.62.72.193
Mar 9 13:09:24 nilein.rlogind[1321]: connect from 68.62.72.193
Mar 9 13:09:27 nilein.ftpd[1326]: connect from 68.62.72.193
Mar 9 13:09:28 nilein.rshd[1329]: connect from 68.62.72.193
Mar 9 13:09:28 nilein.telnetd[1333]: connect from 68.62.72.193
Mar 9 13:09:31 nilein.fingerd[1334]: connect from 68.62.72.193
Mar 9 13:12:13 nilein.fingerd[1352]: connect from 68.62.72.193
Mar 9 13:12:13 nilein.rlogind[1357]: connect from 68.62.72.193
Mar 9 13:12:14 nilein.rshd[1360]: connect from 68.62.72.193
Mar 9 13:12:16 nilein.telnetd[1365]: connect from 68.62.72.193
Mar 9 13:12:18 nilein.ftpd[1368]: connect from 68.62.72.193
Mar 9 13:15:23 nilein.ftpd[1382]: connect from 68.62.72.193
Mar 9 13:15:24 nilein.telnetd[1384]: connect from 68.62.72.193
Mar 9 13:15:27 nilein.rshd[1396]: connect from 68.62.72.193
Mar 9 13:15:28 nilein.rlogind[1398]: connect from 68.62.72.193
Mar 9 13:15:29 nilein.fingerd[1400]: connect from 68.62.72.193
Mar 9 13:26:43 nile login: ROOT LOGIN ON tty1
Mar 9 13:37:15 nilein.ftpd[1447]: connect from 68.62.72.193
Mar 9 13:37:44 nilein.fingerd[1448]: connect from 68.62.72.193
Mar 9 17:17:19 nilein.telnetd[1521]: connect from 12.87.62.43
Mar 9 17:17:26 nile login: LOGIN ON 0 BY pstephen FROM 43.detroit-16-
17rs.mi.dial-access.att.net
Mar 9 17:50:13 nilein.ftpd[1556]: connect from 216.205.122.231
Mar 10 11:12:02 nilein.ftpd[8929]: connect from 200.68.32.185
Mar 10 11:13:07 nilein.ftpd[8965]: connect from 68.62.72.193
35. Page | 35
Intrusion Detection Log (RealSecure)
• Correlating data from multiple sources
– Normalizing
• Same events may have different names depending upon the
source
– Translating IDS codes
» Cisco NetRanger: 4052
» ISS RealSecure: Chargen_Denial_of_Service
• Use to build a chain of evidence
Event Date Event Name
Protocol
ID
Sourcce
Port Dest Port
Src Port
Name
Dest Port
Name Src Address Dest Address Engine IP
9/10/2001 11:27 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.230.102 192.168.9.243
9/10/2001 11:27 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.230.102 192.168.9.243
9/10/2001 11:27 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.4.18.245 192.168.9.243
9/10/2001 11:27 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.4.18.245 192.168.9.243
9/10/2001 11:27 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.4.18.245 192.168.9.243
9/10/2001 11:27 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.4.18.245 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 192.168.6.75 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 192.168.6.75 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 192.168.6.75 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 192.168.6.75 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.151.231 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.151.231 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.151.231 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.151.231 192.168.9.243
9/10/2001 11:44 SNMP_Activity 17 1030 162 1030 SNMPTRAP 192.168.10.199 10.1.151.246 192.168.9.243
36. Page | 36
– Deconfliction
• Same event shows up multiple times with same names
– Certain types of denial of service attacks
– Some penetration attacks
» Use care not to remove individual steps in an
attack scenario
• Same event repeated so rapidly that the logging device reports a
large number of the same event in a very short (sometimes sub-
second) period of time
• Multiple rapid events that make an attack scenario such as a
port scan
• Deconflicted events are used with normalized data to create an
event timeline
– Creating chain of evidence and event timelines
• Using deconflicted and normalized events on multiple data
sources, chart the chain of events into an event timeline
– Carefully note the timebase of various data sources and
correct to a common timebase
– Note events and attack scenarios – correlate connected
events into scenarios
• Document every assumption with evidence and, if possible,
corroboration using both forensic and traditional investigation
37. Page | 37
• Forensic handling of deleted or modified logs
– Useful only in certain types of systems
• Recovering deleted logs
– System must support recovery of ambient data
• Recovering altered logs
– Logging source must delete old log and create a new one
when the log is altered
– System must support recovery of ambient data
• Establishing that an attack actually occurred – event analysis applied
– Use normalized and deconflicted data from all sources in a
spreadsheet
No. EventName Total Of Signature ID 9/10/2001 9/11/2001 9/12/2001 9/13/2001 9/14/2001 9/15/2001
1 FTP_Get 2 0 0 0 0 0 0
2 FTP_Pass 11 0 0 0 0 0 0
3 FTP_Put 6 0 0 0 0 0 0
4 FTP_Site_Cmd 14 0 0 0 0 0 0
5 FTP_Syst 14 0 0 0 0 0 0
6 FTP_User 14 0 0 0 0 0 0
7 IPDuplicate 91 1 0 0 0 0 0
8 IPUnknownProtocol 2 0 0 1 0 0 0
9 Netbios_Session_Rejected 28 0 0 0 0 0 0
10 SNMP_Activity 49084 840 1028 964 1134 981 60
38. Page | 38
• Establishing that an attack actually occurred– event analysis applied
– Examine event distribution
• Establishing that an attack actually occurred– event analysis applied
– Chart number of instance of each event type by day during the attack
window
IDS Signatures 9/10 - 9/28
FTP_Get
FTP_Pass
FTP_Put
FTP_Site_Cmd
FTP_Syst
FTP_User
IPDuplicate
IPUnknownProtocol
Netbios_Session_Rejected
Nmap_Scan
PingFlood
Port_Scan
SNMP_Community
Stream_DoS
SYNFlood
TelnetTerminaltype
Windows_Access_Error
Windows_Null_Session
0
50
100
150
200
250
300
9/10/20019/11/20019/12/20019/13/20019/14/20019/15/20019/16/20019/17/20019/18/20019/19/20019/20/20019/21/20019/22/20019/23/20019/24/20019/25/20019/26/20019/27/20019/28/2001
FTP_Get
FTP_Pass
FTP_Put
FTP_Site_Cmd
FTP_Syst
FTP_User
IPDuplicate
IPUnknow nProtocol
Netbios_Session_Rejected
Nmap_Scan
PingFlood
Port_Scan
SNMP_Community
Stream_DoS
SYNFlood
TelnetTerminaltype
Window s_Access_Error
Window s_Null_Session
39. Page | 39
New Techniques :
• Establishing that an attack actually occurred – event analysis applied
– Correlate event distribution by both event and time
• The Windows Access Error event occurred a total of 328 times
but 260 of them were on a single day
– Look for unexplained peaks that lead up to the main event
• If there are none, an attack probably did not occur
– Look for corroborating evidence whether you believe an attack
occurred or didn’t
• If you can’t corroborate the attack in other ways, it is unlikely
that one occurred
• Ensure that your explanation makes sense and fits the evidence
- Establishing premeditation
- Pre-attack events against a victim that are traceable to the same source
may be used to establish premeditation
- Port scans, nMap scans, other probes and penetration attempts
- Usually most effective with penetration attacks
- Least effective with script kiddy attack ―sweeps‖ that have no pre-
attack probes
- DDOS (unless you can establish pre-attack activity on ―zombies‖)
- Most effective with full packet decode logs, i.e, SNORT IDS
- Begin with the same data analysis we used in proving that an attack
actually occurred
- Assume for our purposes that you decide there was an attack
- Look for pre-attack activity up to a month prior to the successful
attack
- Observe source and destination data – beware of source spoofing
40. Page | 40
• Establishing premeditation – an easy approach using attack prediction
techniques
– Pick the top ten events over the course of the pre-attack period
examined
– Calculate the three day moving average (3DMA) of events reported
per day – plot on a chart such as the one used previously
– Set control limits by calculating the standard deviation of the average
over the period, multiply by 2 (2-sigma control limits)
– When the 3DMA exceeds the 2-sigma limit or there are three or more
increases in the 3DMA without intervening decreases there is a
positive attack prediction factor as defined by the Honeynet Project’s
research
• A positive attack prediction factor probably indicates premeditation if it can
be traced to the same attacker
• Preparing for litigation or transfer to law enforcement
– Treat every case as if it will end up in federal prosecution
• Most won’t
– Maintain chain of custody
– Create a case report in sections
• Simple explanations that non-technical readers will be
comfortable with
• Full details for techies
• Evidence listing with chain of custody
– Reports and evidence from logs and enCase analysis
• Interview notes
42. Page | 42
Backtracking:
• Nowadays hackers are increasingly sophisticated about hiding tracks
– The ones that are good, you won’t catch
– The ones that you can catch aren’t worth catching
• Very few good tools for backtracking are available
Hidden Directories :
• Warez: Cute term for pirated software
• Warez are often hidden in FTP or web areas using weird directory names:
– ―...‖
– ― ― (space)
– ―normal ― (normal with space after it)
• Check FTP areas for new directories
Finding Hacker-Prints :
• Search suspected infected system for new files:
– find / -mtime -30 -print
– Use tripwire
– Restore filesystems to a different disk and compare all the files (slow
and painful!)
43. Page | 43
Tools to Look for :
• nuke - icmp bomb program
• rootkit - trojans and patches
• cloak - log clearer
• zap - file date changer
• icepick - penetration test tool
• toneloc - wargames dialer
Law Enforcement
• FBI:
– Jurisdiction over electronic crime
• Secret Service: (Treasury Dept)
– Credit card fraud
– Attacks against financial organizations
• Law enforcement interest depends on sexiness of case
• Law enforcement still Internet-ignorant
• Expect to have to educate them
– Not worth it
• The situation is improving rapidly
– Your mileage, however, may vary wildly depending on location
44. Page | 44
Watching the Bad Guy :
• Get a copy of cloak and watch the attacker semi-invisibly
– If they see they are being watched they will leave and may destroy
the machine
• If they have forgotten to disable shell command history you can get a good
idea what commands they are using
• Building booby-trapped telnet/rlogin clients lets you monitor everything the
attacker does
– Sometimes the attacker will reveal themself
• Social engineer the attacker
– Sometimes the attacker will brag on IRC
– Sometimes you can learn who it is by piquing their ego
• Leave a modem number someplace for the attacker to find
– Make sure modem is connected to callerID
• If they leave warez or tools in FTP area
– Log who retrieves them
– Replace warez with files of white noise
– Contact site admins at sites downloading the software
45. Page | 45
Legal Issues :
• You may not be able to use hacker techniques against them
• Laws for gathering evidence are confusing
• Logs may or may not be admissable
• Perpetrator may or may not be prosecutable
when to Quit ?
• Eventually it may be easier to unplug the network for a day or two and just
clean up
• Use clean up time to improve security and logging
47. Page | 47
WHAT IS FIREWALL FORENSICS
The firewall is a vital element for the security of a private network . It is placed at
the drop-off of the private network and internet. It implements an access control
policy for the TCP/IP traffic exchanged between the two networks. All the packets
exchanged between the private network and internet must imperatively pass
through the firewall in order to be filtered according to the implemented access
control policy. This policy consists of filtering rules which examine all the
incoming and outgoing TCP/IP packets individually in the aim to allow or deny
their transit by the firewall.
By port numbering, network hosts are able to distinguish one TCP and UDP
service from another at a given IP address. This way one server machine can
provide many different services without conflicts among the incoming and
outgoing data.
Types of Firewalls
Firewalls can be set up to offer security services to many TCP/IP layers. The
many types of firewalls are classified based on the network layer it offers services
in and the types of services offered. They include.
Packet Inspection Firewalls - are routers that inspects the contents of the source
or destination addresses and ports of incoming or outgoing TCP,UDP, ICMP
packets being sent between networks and accepts or rejects the packet based on the
specific packet policies set in the organization’s security policy.
Application Proxy Server: Filtering Based on Known Services - is a machine
server that sits between a client application and the server offering the services
the client application may want. It behaves as a server to the client and as a client
to the server, hence a proxy, providing a higher level of filtering than the packet
filter server by examining individual application packet data streams.
48. Page | 48
Modern proxy firewalls provides three basic operations:
Host IP address hiding – when the host inside the trusted network
sends an application request to the firewall and the firewall allows the
request through to the outside Internet, a sniffer just outside the
firewall may sniff the packet and it will reveal the source IP address.
The host then may be a potential victim for attack. In IP address
hiding, the firewall adds to the host packet its own IP header. So that
the sniffer will only see the firewall’s IP address. So application
firewalls then hide source IP addresses of hosts in the trusted network.
Header destruction – is an automatic protection that some
application firewalls use to destroy outgoing packet TCP, UDP and
IP headers and replace them with its own headers so that a sniffer
outside the firewall will only see the firewall’s IP address. In fact this
action stops all types of TCP, UDP, an IP header attacks.
Protocol enforcement – Since it is common in packet inspection
firewalls to allow packets through based on common port numbers,
hackers have exploited this by port spoofing where the hackers
penetrate a protected network host using commonly used and easily
allowed port numbers. With application proxy firewall this is not
easy to do because each proxy acts as a server to each host and since
it deals with only one application, it is able to stop any port spoofing
activities.
Virtual Private Network (VPN) Firewalls
A VPN, as we will see in chapter 16, is a cryptographic system
including Point-to-Point Tunneling Protocol (PPTP), Layer 2
Tunneling Protocol (L2TP), and IPSec that carry Point-to-Point
Protocol (PPP) frames across an Internet with multiple data
links with added security.
The advantages of a VPN over non-VPN connections like
standard Internet connections are:
– VN technology encrypts its connections
– Connections are limited to only machines with specified
IP addresses.
49. Page | 49
Small Office or Home (SOHO) Firewalls
A SOHO firewall is a relatively small firewall connecting a
few personal computers via a hub, switch, a bridge, even a
router on one side and connecting to a broadband modem like
DSL or cable on the other.
NAT Firewalls
In a functioning network, every host is assigned an IP address.
In a fixed network where these addresses are static, it is easy for
a hacker to get hold of a host and use it to stage attacks on other
hosts within and outside the network. To prevent this from
happening, a NAT filter can be used. It hides all inside host
TCP/IP information. A NAT firewall actually functions as a
proxy server by hiding identities of all internal hosts and
making requests on behalf of all internal hosts on the network.
This means that to an outside host, all the internal hosts have
one public IP address, that of the NAT.
Implementation of a Firewall
There are actually two approaches to configuring a firewall to suit the needs
of an organization.
– One approach is to start from nothing and make the necessary
information gathering to establish the needs and requirements of the
organization. This is a time consuming approach and probably more
expensive.
– The other approach is what many organizations do and take a short
cut and install a vendor firewall already loaded with features.
The Demilitarized Zone (DMZ)
A DMZ is a segment of a network or a network between the protected
network and the ―bad external network‖. It is also commonly referred to as a
service network.
The purpose for a DMZ on an organization network is to provide some
insulation and extra security to servers that provide the organization
services for protocols like HTTP/SHTTP, FTP, DNS, and SMTP to the
general public.
50. Page | 50
Security Through the Firewall
- For added security, sometimes it is usually better to use two firewalls.
- can also be equipped with intrusion detection systems (IDS). Many newer
- firewalls now have IDS software built into them.
- firewalls can be fenced by IDS sensors.
Firewall Services
As technology improves, firewalls services have widened far beyond old strict
filtering to embrace services that were originally done by internal servers.
Firewall Services - are based on the following access controls:
– Service control – where the firewall may filter traffic on the basis of
IP addresses, TCP, UDP, port numbers, and DNS and FTP protocols
in addition to providing proxy software that receives and interprets
each service request before passing it on.
– Direction control – where permission for traffic flow is determined
from the direction of the requests.
– User control – where access is granted based on which user is
attempting to access the internal protected network; may also be used
on incoming traffic.
– Behavior control – in which access is granted based on how particular
services are used. For example, filtering e-mail to eliminate spam.
Limitations
– Firewalls cannot protect against a threat that by-passes it, like a dial-in
using a mobile host,
– Firewalls do not provide data integrity because it is not possible,
especially in large networks, to have the firewall examine each and
every incoming and outgoing data packet for anything.
– Firewalls cannot ensure data confidentiality because, even though
newer firewalls include encryption tools, it is not easy to use these
tools. It can only work if the receiver of the packet also has the same
firewall.
– Firewalls do not protect against internal threats, and
– Firewalls cannot protect against transfer of virus-infected programs or
files,
52. Page | 52
What is DATA BASE FORENSICS ?
Database Forensics is a branch of digital forensic science relating to the forensic
study of database and their related metadata .
The discipline is similar to computer forensics, following the normal forensic
process and applying investigative techniques to database contents and metadata.
Cached information may also exist in a servers RAM requiring live
analysis techniques.
A forensic examination of a database may relate to the timestamps that apply to the
update time of a row in a relational table being inspected and tested for validity in
order to verify the actions of a database user. Alternatively, a forensic examination
may focus on identifying transactions within a database system or application that
indicate evidence of wrongdoing, such as fraud.
Software tools such as ACL, Idea and Arbutus (which provide a read-only
environment) can be used to manipulate and analyse data. These tools also provide
audit logging capabilities which provide documented proof of what tasks or
analysis a forensic examiner performed on the database.
Currently many database software tools are in general not reliable and precise
enough to be used for forensic work as demonstrated in the first paper published on
database forensics. There is currently a single book published in this field, though
more are destined. Additionally there is a subsequent SQL Server forensics book
by Kevvie Fowler named SQL Server Forensics which is well regarded also.
The forensic study of relational databases requires a knowledge of the standard
used to encode data on the computer disk. A documentation of standards used to
encode information in well-known brands of DB such as SQL Server and Oracle
has been contributed to the public domain.
It is important to note, for evidential purposes, that because the forensic analysis of
a database is not executed in isolation, the technological frame work within which
a subject database exit, is crucial to understanding and resolving questions of data
authenticity and integrity especially as it relates to database users.
53. Page | 53
TYPES
Solving a crime takes a lot of time, but thanks to developments in science,
forensics technology has evolved rapidly. In the past, blood typing was probably
one of the most regarded ways to gather evidence asides from fingerprint
matching. Digital technology has enabled the development of forensic databases,
which have proven to be an enormous asset to law enforcement.
DNADatabase
This is probably the most popular database in forensics because of shows like
CSI and NCIS. DNA databases may include profiles of suspects awaiting trial,
people arrested, convicted offenders, unknown remains and even members of law
enforcement. This database is especially useful for an easier identification process.
For example, the police can take a suspect's DNA sample through mouth swabs
upon the suspect's capture. Another option can be getting the suspects clothing
upon arrest.
Whatever the source may be, DNA can then be extracted, characterised and kept
in a database. In the future when a crime occurs, forensics experts may run samples
through the database for comparison. Although this database may seem ideal, it is
not without controversy. Some people oppose the existence of such a database for
privacy reasons. This is especially true for people who gave DNA samples in the
past. These people may no longer be suspects but their DNA sample is still in the
system. Fears may also arise from potential hacking into the records system and
possible DNA information leakage into unsavory companies.
54. Page | 54
BulletDatabase
This database records bullets and casings found in crime scenes. This is useful
in identifying the type of bullet used by a suspect in a particular crime. The
disadvantage is that identified bullets must match the gun used by the suspect. This
is because the database only records the type of the bullet and the casing. It cannot
conclusively prove anything without the suspected gun. It is still useful because it
gives the police leads on what kind of gun the suspect used. In the end, this helps
narrow down the search to a particular gun.
PaintSampleDatabase
This database contains paint samples from past and present manufacturers as
well as samples from crime scene evidence. The database ranges from common
house paint to automotive paints used in the market. The information in the
database includes the composition of the paint, the chemical compounds present as
well as other possible paint additives. This database is useful, for example, in
identifying vehicles used in a crime. The data could show that chemicals found in a
particular paint are restricted to a certain year only. It could also show the
industries that use this kind of paint for their operation. The database could also
show which manufacturers used this paint, thus narrowing the search for suspects
further.
How it works?
usually consists of four—is examined to determine the spectra and chemical
composition. The chemical components and proportions are coded into the
database. These known samples are compared against a paint sample from a crime
scene or a suspect’s vehicle to search the make, model, and year of manufacture of
a vehicle involved in a hit-and-run or other criminal activity.
ShoeprintDatabase
This database keeps a record of the soles of shoes produced in the market. It is
particularly useful for identification and elimination of suspects. For example, the
database may eliminate the shoeprints of the victims who were present during the
commission of the crime. It also eliminates the shoeprints of the law enforcers who
investigated the crime. In turn, the data will then be able to identify which
shoeprint belongs to the suspect. It can yield what kind of shoes the suspect wore,
the brand of the shoes, what size the shoes were and the stores that carry this brand
of shoes. The data can then approximate the height and weight of the perpetrator.
55. Page | 55
TreadDatabase
A tread database carries information on tread patterns of various vehicles. It can
be useful in identifying the vehicle that the suspect used and the probable model of
this vehicle. This is useful in cases like hit and runs, drive by shootings and
vehicular manslaughter. Once the data is processed, it will enable the police to
arrest the suspect faster. This is especially true if the suspect presently travels with
the vehicle used in the crime.
How It works ?
Impressions from a crime scene are obtained using the current recovery methods of
photograph, gel lift, dust lift, and adhesive lift. These are input directly into the
analytical system by high-resolution digital imaging. The same procedure is used
with an impression of a suspect’s shoe print: It is photographed using a high-
resolution digital camera, and these impressions (along with the offender’s details)
are input into the analytical system, where the operator can measure, analyze, and
compare crime-scene and suspect images.
Other types
Oracle Databases – including Oracle Financials
MySQL, PostgreSQL. MS SQL Server
IBM Mainframes (IMS, DB2 Etc.)
XML, Access, DBX
Windows, Unix/Linux, OSX
Enterprise Resource Planning or ERP Systems
Sage and Microsoft Financials
Accounting Applications
Midrange Systems (Stratus and HP)
Small Business Management Systems
56. Page | 56
Database Security
Enforce security at all database levels
Security access point: place where database security must be protected and applied
Data requires highest level of protection; data access point must be small
-Reducing access point size reduces security risks
-Security gaps: points at which security is missing
-Vulnerabilities: kinks in the system that can become threats
-Threat: security risk that can become a system breach
Database Security Levels
• Relational database: collection of related
data files
• Data file: collection of related tables
• Table: collection of related rows (records)
• Row: collection of related columns (fields)
58. Page | 58
What is mobile device forensics ?
Mobile device forensics is a branch of digital forensics relating to recovery
of digital evidence or data from a mobile device under forensicallysound
conditions. The phrase mobile device usually refers tomobile phones; however, it
can also relate to any digital device that has both internal memory
andcommunication ability, including PDA devices, GPS devices and tablet
computers.
The use of phones in crime was widely recognised for some years, but the forensic
study of mobile devices is a relatively new field, dating from the early 2000s. A
proliferation of phones (particularlysmartphones) on the consumer market caused a
demand for forensic examination of the devices, which could not be met by
existing computer forensics techniques.
Mobile devices can be used to save several types of personal information such as
contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may
additionally contain video, email, web browsing information, location information,
and social networking messages and contacts.
Mobile device forensics can be particularly challenging on a number of levels
Evidential and technical challenges exist. for example, cell site analysis following
from the use of a mobile phone usage coverage, is not an exact science.
Consequently, whilst it is possible to determine roughly the cell site zone from
which a call was made or received, it is not yet possible to say with any degree of
certainty, that a mobile phone call emanated from a specific location e.g. a
residential address.
To remain competitive, original equipment manufacturers frequently
change mobile phone form factors, operating system file structures, data
storage, services, peripherals, and even pin connectors and cables. As a result,
forensic examiners must use a different forensic process compared to computer
forensics.
Storage capacity continues to grow thanks to demand for more powerful "mini
computer" type devices.
As a result of these challenges, a wide variety of tools exist to extract evidence
from mobile devices; no one tool or method can acquire all the evidence from all
devices. It is therefore recommended that forensic examiners, especially those
wishing to qualify as expert witnesses in court, undergo extensive training in order
to understand how each tool and method acquires evidence; how it maintains
59. Page | 59
standards for forensic soundness; and how it meets legal requirements such as
the Daubert standard or Frye standard.
HISTORY
As a field of study forensic examination of mobile devices dates from the late
1990s and early 2000s. The role of mobile phones in crime had long been
recognised by law enforcement. With the increased availability of such devices on
the consumer market and the wider array of communication platforms they support
(e.g. email, web browsing) demand for forensic examination grew.
Early efforts to examine mobile devices used similar techniques to the first
computer forensics investigations: analysing phone contents directly via the screen
and photographing important content. However, this proved to be a time-
consuming process, and as the number of mobile devices began to increase,
investigators called for more efficient means of extracting data. Enterprising
mobile forensic examiners sometimes used cell phone or PDA synchronization
software to "back up" device data to a forensic computer for imaging, or
sometimes, simply performed computer forensics on the hard drive of a suspect
computer where data had been synchronized. However, this type of software could
write to the phone as well as reading it, and could not retrieve deleted data.
Some forensic examiners found that they could retrieve even deleted data using
"flasher" or "twister" boxes, tools developed by OEMs to "flash" a phone's
memory for debugging or updating. However, flasher boxes are invasive and can
change data; can be complicated to use; and, because they are not developed as
forensic tools, perform neither hash verifications nor (in most cases) audit
trails. For physical forensic examinations, therefore, better alternatives remained
necessary.
To meet these demands, commercial tools appeared which allowed examiners to
recover phone memory with minimal disruption and analyse it separately. Over
time these commercial techniques have developed further and the recovery of
deleted data from proprietary mobile devices has become possible with some
specialist tools..
60. Page | 60
Professional applications
Mobile device forensics is best known for its application to law enforcement
investigations, but it is also useful for military intelligence, corporate
investigations, private investigations, criminal and civil defense, and electronic
discovery.
Types of evidence
As mobile device technology advances, the amount and types of data that can be
found on a mobile device is constantly increasing. Evidence that can be potentially
recovered from a mobile phone may come from several different sources,
including handset memory,SIM card, and attached memory cards such
as SD cards.
Traditionally mobile phone forensics has been associated with
recovering SMS and MMS messaging, as well as call logs, contact lists and
phone IMEI/ESN information. However, newer generations of smartphones also
include wider varieties of information; from web browsing, Wireless
network settings, geolocation information (including geotags contained within
image metadata), e-mail and other forms of rich internet media, including
important data—such as social networking service posts and contacts—now
retained on smartphone 'apps'.
Internal memory
Nowadays mostly flash memory consisting of NAND or NOR types are used for
mobile devices. For a wide overview on NAND flash forensics see Salvatore
Fiorillo, 2009.
External memory
External memory devices are SIM cards, SD cards (commonly found within GPS
devices as well as mobile phones), MMC cards, CFcards, and the Memory Stick.
Service provider logs
Although not technically part of mobile device forensics, the call detail
records (and occasionally, text messages) from wireless carriers often serve as
"back up" evidence obtained after the mobile phone has been seized. These are
useful when the call history and/or text messages have been deleted from the
phone, or when location-based services are not turned on. Call detail records
and cell site (tower) dumps can show the phone owner's location, and whether they
61. Page | 61
were stationary or moving (i.e., whether the phone's signal bounced off the same
side of a single tower, or different sides of multiple towers along a particular path
of travel). Carrier data and device data together can be used to corroborate
information from other sources, for instance, video surveillance footage or
eyewitness accounts; or to determine the general location where a non-geo tagged
image or video was taken.
The European Union requires its member countries to retain
certain telecommunications data for use in investigations. This includes data on
calls made and retrieved. The location of a mobile phone can be determined and
this geographical data must also be retained. In the United States, however, no
such requirement exists, and no standards govern how long carriers should retain
data or even what they must retain. For example, text messages may be retained
only for a week or two, while call logs may be retained anywhere from a few
weeks to several months. To reduce the risk of evidence being lost, law
enforcement agents must submit a preservation letter to the carrier, which they then
must back up with a search warrant.
Process
The forensics process for mobile devices broadly matches other branches of digital
forensics; however, some particular concerns apply. Generally, the process can be
broken down into three main categories: seizure, acquisition, and
examination/analysis. Other aspects of the computer forensic process, such as
intake, validation, documentation/reporting, and archiving still apply.
Seizure
Seizing mobile devices is covered by the same legal considerations as other digital
media. Mobiles will often be recovered switched on; as the aim of seizure is to
preserve evidence, the device will often be transported in the same state to avoid a
shutdown, which would change files. In addition, the investigator or first responder
would risk user lock activation.
However, leaving the phone on carries another risk: the device can still make a
network/cellular connection. This may bring in new data, overwriting evidence. To
prevent a connection, mobile devices will often be transported and examined from
within a Faraday cage (or bag). Even so, there are two disadvantages to this
method. First, it renders the device unusable, as its touch screen or keypad cannot
be used. Second, a device's search for a network connection will drain its battery
more quickly. While devices and their batteries can often be recharged, again, the
62. Page | 62
investigator risks that the phone's user lock will have activated. Therefore, network
isolation is advisable either through placing the device in Airplane Mode,
or cloning its SIM card (a technique which can also be useful when the device is
missing its SIM card entirely).
Acquisition
The second step in the forensic process is acquisition, in this case usually referring
to retrieval of material from a device (as compared to the bit-copy imaging used in
computer forensics).
Due to the proprietary nature of mobiles it is often not possible to acquire data with
it powered down; most mobile device acquisition is performed live. With more
advanced smartphones using advanced memory management, connecting it to a
recharger and putting it into a faraday cage may not be good practice. The mobile
device would recognize the network disconnection and therefore it would change
its status information that can trigger the memory manager to write data.Most
acquisition tools for mobile devices are commercial in nature and consist of a
hardware and software component, often automated.
Examination and analysis
As an increasing number of mobile devices use high-level file systems, similar
to the file systems of computers, methods and tools can be taken over from hard
disk forensics or only need slight changes.
The FAT file system is generally used on NAND memory. A difference is
the block sizeused, which is larger than 512 bytes for hard disks and depends on
the used memory type, e.g., NOR type 64, 128, 256 and NAND memory 16, 128,
256, or 512 kilobyte.
Different software tools can extract the data from the memory image. One could
use specialized and automated forensic software products or generic file viewers
such as anyhex editor to search for characteristics of file headers. The advantage of
the hex editor is the deeper insight into the memory management, but working with
a hex editor means a lot of handwork and file system as well as file header
knowledge.
In contrast, specialized forensic software simplifies the search and extracts the data
but may not find everything.AccessData, Sleuthkit, and EnCase, to mention only
some, are forensic software products to analyze memory images. Since there is no
63. Page | 63
tool that extracts all possible information, it is advisable to use two or more tools
for examination. There is currently (February 2010) no software solution to get all
evidences from flash memories.
Acquisition types
Mobile device data extraction can be classified according to a continuum, along
which methods become more technical and ―forensically sound,‖ tools become
more expensive, analysis takes longer, examiners need more training, and some
methods can even become more invasive.
Manual acquisition
The examiner utilizes the user interface to investigate the content of the phone's
memory. Therefore the device is used as normal, with the examiner taking pictures
of each screen's contents. This method has an advantage in that the operating
system makes it unnecessary to use specialized tools or equipment to transform
raw data into human interpretable information. In practice this method is applied to
cell phones, PDAs and navigation systems Disadvantages are that only data visible
to the operating system can be recovered; that all data are only available in form of
pictures; and the process itself is time-consuming.
Logical acquisition
Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g.,
directories and files) that reside on a logical store (e.g., a file system partition).
Logical acquisition has the advantage that system data structures are easier for a
tool to extract and organize. Logical extraction acquires information from the
device using the original equipment manufacturer application programming
interface for synchronizing the phone's contents with a personal computer. A
logical extraction is generally easier to work with as it does not produce a
large binary blob. However, a skilled forensic examiner will be able to extract far
more information from a physical extraction.
File system acquisition
Logical extraction usually does not produce any deleted information, due to it
normally being removed from the phone's file system. However, in some cases—
particularly with platforms built on SQLite, such as iOS and Android—the phone
may keep a database file of information which does not overwrite the information
but simply marks it as deleted and available for later overwriting. In such cases, if
the device allows file system access through its synchronization interface, it is
possible to recover deleted information. File system extraction is useful for
understanding the file structure, web browsing history, or app usage, as well as
64. Page | 64
providing the examiner with the ability to perform an analysis with traditional
computer forensic tools.
Physical acquisition
Physical acquisition implies a bit-for-bit copy of an entire physical store (e.g. flash
memory; therefore, it is the method most similar to the examination of a personal
computer. A physical acquisition has the advantage of allowing deleted files and
data remnants to be examined. Physical extraction acquires information from the
device by direct access to the flash memories.
Generally this is harder to achieve because the device original equipment
manufacturer needs to secure against arbitrary reading of memory; therefore, a
device may be locked to a certain operator. To get around this security, mobile
forensics tool vendors often develop their own boot loaders, enabling the forensic
tool to access the memory (and often, also to bypass user passcodes or pattern
locks).
Generally the physical extraction is split into two steps, the dumping phase and the
decoding phase.
Tools
Early investigations consisted of live manual analysis of mobile devices; with
examiners photographing or writing down useful material for use as evidence.
Without forensic photography equipment such as Fernico ZRT, eDEC Eclipse,
or Project-a-Phone, this had the disadvantage of risking the modification of the
device content, as well as leaving many parts of the proprietary operating system
inaccessible.
In recent years a number of hardware/software tools have emerged to recover
logical and physical evidence from mobile devices. Most tools consist of both
hardware and software portions. The hardware includes a number of cables to
connect the phone to the acquisition machine; the software exists to extract the
evidence and, occasionally even to analyse it.
Most recently, mobile device forensic tools have been developed for the field. This
is in response both to military units' demand for fast and accurate anti-terrorism
intelligence, and to law enforcement demand for forensic previewing capabilities at
a crime scene, search warrant execution, or exigent circumstances. Such mobile
forensic tools are often ruggedized for harsh environments (e.g. the battlefield) and
rough treatment (e.g. being dropped or submerged in water).
Generally, because it is impossible for any one tool to capture all evidence from all
mobile devices, mobile forensic professionals recommend that examiners establish
65. Page | 65
entire toolkits consisting of a mix of commercial, open source, broad support, and
narrow support forensic tools, together with accessories such as battery chargers,
Faraday bags or other signal disruption equipment, and so forth.
Open Source Tools
Most open source mobile forensics tools are platform-specific and geared toward
smartphone analysis. Examples include iPhone Analyzer, Katana
Forensics' Lantern Lite imager, the Mobile Internal Acquisition Tool, TULP2G,
and viaForensics' Open Source Android Forensics application. Though not
originally designed to be a forensics tool, BitPim has been widely used on CDMA
phones as well as LG VX4400/VX6000 and many Sanyo Sprint cell phones.
Physical Tools
Forensic desoldering
Commonly referred to as a "Chip-Off" technique within the industry, the last and
most intrusive method to get a memory image is todesolder the non-volatile
memory chip and connect it to a memory chip reader. This method contains the
potential danger of total data destruction: it is possible to destroy the chip and its
content because of the heat required during desoldering. Before the invention of
theBGA technology it was possible to attach probes to the pins of the memory chip
and to recover the memory through these probes. The BGA technique bonds the
chips directly onto the PCB through molten solder balls, such that it is no longer
possible to attach probes.
Here you can see that moisture in the circuit board turned to steam when it was
subjected to intense heat. This produces the so-called "popcorn effect."
Desoldering the chips is done carefully and slowly, so that the heat does not
destroy the chip or data. Before the chip is desoldered the PCB is baked in an oven
to eliminate remaining water. This prevents the so-called popcorn effect, at which
the remaining water would blow the chip package at desoldering.
66. Page | 66
There are mainly three methods to melt the solder: hot air, infrared light, and
steam-phasing. The infrared light technology works with a focused infrared light
beam onto a specificintegrated circuit and is used for small chips. The hot air and
steam methods cannot focus as much as the infrared technique.
Chip re-balling
After desoldering the chip a re-balling process cleans the chip and adds new tin
balls to the chip. Re-balling can be done in two different ways.
The first is to use a stencil. The stencil is chip-dependent and must fit exactly.
Then the tin-solder is put on the stencil. After cooling the tin the stencil is
removed and if necessary a second cleaning step is done.
The second method is laser re-balling; see. Here the stencil is programmed into
the re-balling unit. A bondhead (looks like a tube/needle) is automatically
loaded with one tin ball from a solder ball singulation tank. The ball is then
heated by a laser, such that the tin-solder ball becomes fluid and flows onto the
cleaned chip. Instantly after melting the ball the laser turns off and a new ball
falls into the bondhead. While reloading the bondhead of the re-balling unit
changes the position to the next pin.
A third method makes the entire re-balling process unnecessary. The chip is
connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The Y-
shaped springs need to have a ball onto the pin to establish an electric connection,
but the pogo pins can be used directly on the pads on the chip without the balls.
The advantage of forensic desoldering is that the device does not need to be
functional and that a copy without any changes to the original data can be made.
The disadvantage is that the re-balling devices are expensive, so this process is
very costly and there are some risks of total data loss. Hence, forensic desoldering
should only be done by experienced laboratories.
JTAG
Existing standardized interfaces for reading data are built into several mobile
devices, e.g., to get position data from GPS equipment NMEA or to get
deceleration information from airbag units.
Not all mobile devices provide such a standardized interface nor does there exist a
standard interface for all mobile devices, but all manufacturers have one problem
in common. The miniaturizing of device parts opens the question how to test
automatically the functionality and quality of the soldered integrated components.
67. Page | 67
For this problem an industry group, the Joint Test Action Group (JTAG),
developed a test technology called boundary scan.
Despite the standardization there are four tasks before the JTAG device interface
can be used to recover the memory. To find the correct bits in the boundary
scan register one must know which processor and memory circuits are used and
how they are connected to the system bus. When not accessible from outside one
must find the test points for the JTAG interface on the printed circuit board and
determine which test point is used for which signal. The JTAG port is not always
soldered with connectors, such that it is sometimes necessary to open the device
and re-solder the access port. The protocol for reading the memory must be known
and finally the correct voltage must be determined to prevent damage to the circuit.
The boundary scan produces a complete forensic image of the volatile and non-
volatile memory. The risk of data change is minimized and the memory chip must
not be desoldered. Generating the image can be slow and not all mobile devices are
JTAG enabled. Also, it can be difficult to find the test access port.
Command Line Tools
System commands
Mobile devices do not provide the possibility to run or boot from a CD, connecting
to a network share or another device with clean tools. Therefore system commands
could be the only way to save the volatile memory of a mobile device. With the
risk of modified system commands it must be estimated if the volatile memory is
really important. A similar problem arises when no network connection is available
and no secondary memory can be connected to a mobile device because the
volatile memory image must be saved on the internal non-volatile memory, where
the user data is stored and most likely deleted important data will be lost. System
commands are the cheapest method, but imply some risks of data loss. Every
command usage with options and output must be documented.
AT commands
AT commands are old modem commands, e.g., Hayes command set and Motorola
phone AT commands, and can therefore only be used on a device that has modem
support. Using these commands one can only obtain information through
the operating system, such that no deleted data can be extracted.
dd
For external memory and the USB flash drive, appropriate software, e.g., the Unix
command dd, is needed to make the bit-level copy. Furthermore USB flash
drives with memory protection do not need special hardware and can be connected
68. Page | 68
to any computer. Many USB drives and memory cards have a write-lock switch
that can be used to prevent data changes, while making a copy.
Name Platform License Version Description
Cellebrite Mobile
Forensics
Windows proprietary
Universal Forensics Extraction Device -
Hardware and Software
Elcomsott iOS Forensic
Toolkit (EIFT)
Windows,
Mac
proprietary
Acquires bit-precise images of Apple iOS
devices in real time
Elcomsoft Phone
Password Breaker
(EPPB)
Windows proprietary
Enables forensic access to password-
protected backups for smartphones and
portable devices based on RIM BlackBerry
and Apple iOS platforms,
MicroSystemation
XRY/XACT
Windows proprietary
Hardware/Software package, specialises in
deleted data
MOBILedit! Forensic]
Windows proprietary Hardware-Connection kit/Software package
Oxygen Forensic Suite
(former Oxygen Phone
Manager
Windows proprietary Smart forensics for smartphones
Paraben Device Seizure[
Windows proprietary Hardware/Software package
Radio Tactics Aceso Windows proprietary "All-in-one" unit with a touch screen
69. Page | 69
Cellular Phone Evidence Extraction Process
Intake -Identification -Preparation -Isolation -Processing -Verification –Archiving .
CHALLENGES ASSOCIATED WITH MOBILE PHONE FORENSICS
A. Mobile phone forensics is challenging field due to fast changes in technology.
Several models of mobile phones exist in the world today. Manufacturers lack
standardized methods of storing data. Most of the mobile phones use closed
operating systems and has proprietary interfaces. To meet this challenge there
is always a need for development of new forensics tools and techniques.
B. Signals of mobile phone need to be blocked while carrying forensics analysis.
Blocking RF signals quickly drains the battery. This can be minimized while
carrying forensics analysis of mobile phones in properly shielded labs. Shielding
methods for lab include such as EMI/EMC protection.
C. Large variety of data cables exist for mobile phones. Identification and
collection of cables required for forensics analysis of mobile phones is challenging
task. Small databases for defining mobile phone models and their associated cables
with tags can help a great deal.
D. Most of the commercially available forensic tools do not provide solutions to
deal with physically damaged mobile phones. Forensic examiners must be trained
and equipped to handle such situations.
E. Conflicts can occur due to different operating system, vendor and version
specific device drivers. It is therefore recommended to have separate machines for
each type of forensic software. However to economize resources Virtual Machine
environments can be created.
F. Data on active mobile phone tends to change constantly due to lack of
conventional write-blocking mechanism. Analysis must be done on a phone that is
powered ON but it is ideal that the phone does not receive any calls, text messages,
or other communications. Shielded labs can address this issue.
G. Most of the international trainings available in the field are vendor specific.
There is need of for neutral and standard trainings.
70. Page | 70
H. Status of unopened emails and messages will change after reading them. Care
must be taken while recoding such type of evidence.
J. Mobile phones may lose data or ask for security measures on next restart once
shut down. Owner of themobile phone (if available) may be asked about security
codes.
K. Authentication mechanisms can confine access to data. Finding of Personal
Identification Number (PIN), Phone Unlock Key (PUK), and handset and memory
card passwords can become difficult at times.
L. Now days there are various methods available to remotely destroy or change
data on a mobile phone. Such happening can be avoided in shielded lab
environments while carrying forensic investigations. Care must also be taken to
protect mobile phones while carrying them to labs.
M. Data from mobile phone internal memory is restricted without the use of SIM
card. Inserting another SIM can cause the loss of mobile phone data.
N. Many commercial mobile phone forensic tools only provide logical acquisition
of data. Deleted data can only be recovered using physical acquisition.
O. Introduction of Mobile Number Portability (MNP) can result into improper
identification of subscriber. Mobile Phone network operators may be consulted for
proper identification.
P. IMEI changing for few mobile handsets is possible with the use flashing tools
like Universal Flasher UFS-3. This can result improper identification of phones.
These illegal activities shall be banned.
72. Page | 72
Introduction:
Computer forensics involves the preservation, identification, extraction,
documentation and interpretation of computer data.
The three main steps in any computer forensic investigation are acquiring,
authenticating, and analyzing of the data. Acquiring the data mainly involves creating a
bit-by-bit copy of the hard drive. Authentication is the ensuring that the copy used to
perform the investigation is an exact replica of the contents of the original hard drive by
comparing the checksums of the copy and the original. Analysis of the data is the most
important part of the investigation since this is where incriminating evidence may be
found.
Part of the analysis process is spent in the recovery of deleted files. The job of the
investigator is to know where to find the remnants of these files and interpret the results.
Any file data and file attributes found may yield valuable clues. Investigation of
Windows and Unix systems are similar in some ways, but the forensic analyst can tailor
the investigation to one or the other since each operating system is different in unique
ways. If deleted data could not be recovered through the use of common forensic tools,
more sensitive instruments can be used to extract the data, but this is rarely done becauseof the
high cost of the instruments.
Data recovery is only one aspect of the forensics investigation. Tracking the
hacking activities within a compromised system is also important. With any system that
is connected to the Internet, hacker attacks are as certain as death and taxes. Although it is
impossible to completely defend against all attacks, as soon as a hacker successfully breaks into
a computer system the hacker begins to leave a trail of clues and evidence that can be used to
piece together what has been done and sometimes can even be used to follow a hacker home.
Computer forensics can be employed on a compromised system to find out exactly how a hacker
got into the system, which parts of the system were damaged or modified. However, system
administrators must first be educated in the procedures and methods of forensic investigation if a
system is to be recovered and protected. With the help of computer forensics, administrators are
able to learn about mistakes made in the past and help prevent incidents from occurring in the
future.
Each time any kind of input is fed into the computer, whether it is a key pressed
on your keyboard, or a click on the mouse, a signal is generated and sent to the
appropriate computer application and they can be intercepted in your computer via a
software program that is running in the background or physically from some external
device. 2Keystroke loggers are made specifically for this purpose and can be employed
by a network administrator to ensure employees are not misusing the company resources; or they
can be used by hackers to steal passwords, social security numbers, and any other sensitive
information entered by an unsuspecting person.
Because of the wealth of information that can be gained from a computer forensics investigation,
ethical considerations should be examined.
73. Page | 73
Computer forensics is essentially a means for gathering electronic evidence during an
investigation. In order to use this information to prosecute a criminal act and to avoid
suppression during trial, evidence must be collected carefully and legally. It is particularly
important to be aware of the privacy rights of suspects, victims and uninvolved third parties. An
investigator needs to have knowledge of several laws and statutes that govern electronic
evidence collection including the fourth amendment of the constitution, 18 U.S.C. §2510-22,
also known as the wiretap statute, the Electronic Communications Privacy Act (ECPA), and the
USA PATRIOT Act. Each of these items affects the legality of electronic evidence and the
appropriate procedures to acquire that evidence.
General Steps in a Forensic Investigation
The three main steps to a forensic investigation are the acquisition of the
evidence, the authentication of the recovered evidence, and the analysis of the evidence.
Although each forensic investigator may add their own steps in the forensics process,
these three steps (acquisition, authentication, and analysis) are essential to any forensic
investigation.
Acquiring evidence in a computer forensics investigation primarily involves
gaining the contents of the suspects hard drive. But other aspects may be involved in the
acquisition of evidence. Photographs of the computer screen and the entire computer system in
its installed configuration may yield useful information to the investigator. In addition, some
forensic investigators believe in gathering evidence before shutting down the suspects computer;
this is a source of arguments within the forensics community - whether to shutdown the
computer immediately and preserve the exact state that it was found, or to gather evidence before
shutting down in order to gain any volatile data that might be destroyed on shutdown (like the
running processes on the computer). Ideally, the forensic analysis is not done directly on the
suspects computer but on a copy instead. This is done to prevent tampering and alteration of the
suspects data on the hard drive. The contents of the hard drive are copied on one or more hard
drives that the investigator will use to conduct the investigation. These copies, or images, are
obtained by coping bit by bit from the suspects hard drive to another hard drive or disk.
The hard drive containing the image of the suspects hard drive obtained in this manner is called a
bit-stream backup. The reason why hard drives must be copied bit by bit is
because doing so ensures that all the contents of the hard drive will be copied to the other
Otherwise, unallocated data (such as deleted files), swap space, .bad. sectors, and slack space
will not be copied. A goldmine of evidence may be potentially held in these unusual spaces on
74. Page | 74
the hard drive.5 Of course, the investigator must make sure that the hard drive or disk used to
hold the copy is completely free of any data so that the evidence will not be tainted. The
commonly used forensics tools for the imaging of hard drives are Safeback and Encase, which
also performs many other forensics functions. There are also disk-wiping tools to clean the
image hard drive. The authentication of the evidence is the process of ensuring that the evidence
has
not been altered during the acquisition process. In other words, authentication shows that the no
changes to the evidence occurred during the course of the investigation. Any
changes to the evidence will render the evidence inadmissible in a court. Investigators
authenticate the hard drive evidence by generating a checksum of the contents of the hard drive.
This checksum is like an electronic fingerprint in that it is almost impossible for two hard drives
with different data to have the same checksum. By showing that the
checksums of the seized hard drive and the image are identical, the investigators can
show that they analyzed an unaltered copy of the original hard drive. The algorithms
most commonly used to generate these checksums are MD5 and SHA. Some tools to
generate checksums use a combination of algorithms such as CRC (cyclic redundancy
check) with MD5 in order to ensure a higher quality of authentication.
The last and most time-consuming step in a forensics investigation is the analysis
of the evidence. It is in the analysis phase that evidence of wrongdoing is uncovered the
investigator. Because of the differences between Windows-based operating systems and UNIX, I
will discuss the analysis of the data on these two systems in separate sections. In general,
forensic investigators rely on special forensics tools to analyze the huge amounts of data on the
hard drive (the size of hard drives continues to get larger and larger). These range from a hex
editor (a text editor that views the data in hexadecimal format) to full-blown forensic toolkits like
Encase. It is important that the chain of custody is maintained throughout the investigation. The
chain documents everything that happens to the evidence: who handled it, where and how it was
handled, and how it was stored. It preserves the integrity of the evidence. Even if the suspect was
guilty, if the chain is not maintained, a lawyer can argue that the chain of custody was not
properly established, casting doubt on the damning evidence acquired during the analysis phase.
Forensic Analysis on Windows systems
Despite the unreliability and propensity to crash, Windows remains the most
widely used operating system in people computers. Investigators must be familiar with
how Windows work and the idiosyncrasies associated with Windows in order to conduct
a thorough and fruitful investigation. An intimate knowledge of file allocation and deletion in
Windows file systems is needed to recover deleted files. For this paper, I will be focusing on
NTFS, the file system used in Windows NT and Windows 2000 and above. But many of the
techniques mentioned in this section could be used in earlier versions of Windows with few, if
any, modifications. NTFS stores attributes of files and folders in a system file called the Master
File Table or MFT. The attributes in the MFT of most interest to the forensic analyst are the
filename, MAC times (the date and time of a file last modification, last access, and creation),
and the data (if the file is small enough) or the location of the data on the disk.
With folders, additional attributes of interest are the index entries in the MFT of the files
for that folder or, if the MFT cannot hold the entire folders entries, the location of these
entries in an index buffer (an allocated space outside the MFT to hold these index