Computer forensics is rapidly becoming a science recognized on a par with other forensic
sciences by the legal and law enforcement communities. As this trend continues, it will
become even more important to handle and examine computer evidence properly. Not
every department or organization has the resources to have trained computer forensic
specialists on staff.
Acknowledgement
The confidence one attains while performing a task that has great importance of its own
comes not only through one’s own constant efforts but rather is a result of ceaseless
cooperation, constant guidance and ever motivating tips of various experienced people.
An undertaking of study like this is never an outcome of efforts put in by a single person;
rather it bears imprint of number of persons who directly or indirectly helped me in
completing the study.
At the outset I would like to extend my sincere gratitude to Dr. D.V. Gupta, Director of
ACME, and Mr. Jatin Verma, Head of Department (CSE/IT), for providing the opportunity
to carry out the research and for providing guidance during the preparation of the report
whenever needed.
I would like to thank Mrs. Shabnam, seminar coordinator, for providing the basic
knowledge on the topic and the methodology to be used for preparing the report.
I would also like to thank the faculty members of my institute with whom I had
fruitful interactions. I would especially like to thank Mr. Gulshan, who gave me
immense help and technical guidance during the seminar preparation.
(SAVITA)
Introduction
Multiple methods of:
• Discovering data on a computer system.
• Performing an investigation after multiple users have used the system.
History of Computer Forensics
Michael Anderson, the “father of computer forensics”.
The first Seized Computer Evidence Recovery Specialists (SCERS) classes held
Steps of Computer Forensics
Computer forensics process
Why is Computer Forensics Important?
Adding the ability to practice sound computer forensics will help you ensure the overall
integrity and survivability of your network infrastructure. You can help your organization
if you consider computer forensics as a new basic element in what is known as a
“defense-in-depth”1 approach to network and computer security. For instance,
understanding the legal and technical aspects of computer forensics will help you capture
vital information if your network is compromised and will help you prosecute the case if
the intruder is caught.
1 “Defense in depth is designed on the principle that multiple layers of different types of protection from
different vendors provide substantially better protection.”
<http://netsecurity.about.com/cs/generalsecurity/a/aa112103.htm>
Produced 2008 by US-CERT, a government organization. Updated 2008.
What happens if you ignore computer forensics or practice it badly? You risk destroying
vital evidence or having forensic evidence ruled inadmissible in a court of law. Also, you
or your organization may run afoul of new laws that mandate regulatory compliance and
assign liability if certain types of data are not adequately protected. Recent legislation
makes it possible to hold organizations liable in civil or criminal court if they fail to
protect customer data.2
Computer forensics is also important because it can save your organization money. Many
managers are allocating a greater portion of their information technology budgets for
computer and network security. International Data Corporation (IDC) reported that the
market for intrusion-detection and vulnerability-assessment software will reach 1.45
billion dollars in 2006. In increasing numbers, organizations are deploying network
security devices such as intrusion detection systems (IDS), firewalls, proxies, and the
like, which all report on the security status of networks.
From a technical standpoint, the main goal of computer forensics is to identify, collect,
preserve, and analyze data in a way that preserves the integrity of the evidence collected
so it can be used effectively in a legal case.
What are some typical aspects of a computer forensics investigation? First, those who
investigate computers have to understand the kind of potential evidence they are looking
for in order to structure their search.3 Crimes involving a computer can range across the
spectrum of criminal activity, from child pornography to theft of personal data to
destruction of intellectual property. Second, the investigator must pick the appropriate
tools to use. Files may have been deleted, damaged, or encrypted, and the investigator
must be familiar with an array of methods and software to prevent further damage in the
recovery process.
Two basic types of data are collected in computer forensics. Persistent data is the data
that is stored on a local hard drive (or another medium) and is preserved when the
computer is turned off. Volatile data is any data that is stored in memory, or exists in
transit, that will be lost when the computer loses power or is turned off. Volatile data
resides in registries, cache, and random access memory (RAM). Since volatile data is
ephemeral, it is essential an investigator knows reliable ways to capture it.
System administrators and security personnel must also have a basic understanding of
how routine computer and network administrative tasks can affect both the forensic
process (the potential admissibility of evidence at court) and the subsequent ability to
recover data that may be critical to the identification and analysis of a security incident.
Reasons for Evidence
Wide range of computer crimes and misuses
Non-Business Environment: evidence collected by Federal, State and local authorities for
crimes relating to:
• Theft of trade secrets
• Fraud
• Extortion
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Forgery
Business Environment:
• Theft of or destruction of intellectual property
• Unauthorized activity
• Reconstructing Events
• Inferring intentions
• Software Piracy
Users of Computer Forensics
Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects and use as evidence.
Civil Litigations
– Personal and business data discovered on a computer can be used in fraud, divorce,
harassment, or discrimination cases.
Insurance Companies
– Evidence discovered on a computer can be used to mitigate costs.
Private Corporations
– Evidence obtained from employee computers can be used as evidence in harassment,
fraud, and embezzlement cases.
Law Enforcement Officials
– Rely on computer forensics to back up search warrants and post-seizure handling.
Individual/Private Citizens
– Obtain the services of professional computer forensic specialists to support claims of
harassment, abuse, or wrongful termination from employment.
Handling Evidence
Admissibility of Evidence
– Legal rules which determine whether potential evidence can be considered by a court.
– Evidence must be obtained in a manner which ensures its authenticity and validity and
that no tampering has taken place.
– No potential evidence is damaged, destroyed, or otherwise compromised by the procedures
used to search the computer.
– No viruses are introduced to the computer during the analysis process.
– Extracted and relevant evidence is properly handled and protected from later mechanical or
electromagnetic damage.
– Any attorney-client privileged information inadvertently acquired during a forensic
exploration is respected and not divulged, as both an ethical and a legal obligation.
Handling Information
Information and data sought and collected in the investigation must be properly handled.
Volatile Information
• Network Information: communication between the system and the network.
• Active Processes: programs and daemons currently active on the system.
• Logged-on Users: users/employees currently using the system.
• Open Files: libraries in use; hidden files; Trojans or rootkits loaded on the system.
Non-Volatile Information
• This includes information, configuration settings, system files and registry settings
that remain available after a reboot.
Evidence Processing Guidelines
Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks.
Step 5: Mathematically Authenticate Data on All Storage Devices.
– Must be able to prove that you did not alter any of the evidence after the computer
came into your possession.
Step 6: Document the System Date and Time.
Step 7: Make a List of Key Search Words.
Step 8: Evaluate the Windows Swap File.
Step 9: Evaluate File Slack.
– File slack is a data storage area of which most computer users are unaware; a source
of significant security leakage.
Step 10: Evaluate Unallocated Space (Erased Files).
Step 11: Search Files, File Slack and Unallocated Space for Key Words.
Step 12: Document File Names, Dates and Times.
Step 13: Identify File, Program and Storage Anomalies.
Step 14: Evaluate Program Functionality.
Step 15: Document Your Findings.
Step 16: Retain Copies of Software Used.
Methods of Hiding Data
To human eyes, data usually takes familiar forms, like images, e-mail, sounds, and text.
Most Internet data also carries headers that are not strictly needed. These media are
exploited by two newer and controversial logical encodings: steganography and watermarking.
Steganography: the art of storing information in such a way that the existence of the
information is hidden.
Watermarking: hiding data within data.
Information can be hidden in almost any file format.
Numerous software applications will do this for you; many are freely available online.
Hard Drive/File System manipulation
Slack space (file slack) is the space between the logical end of a file and the physical end
of the cluster in which it is stored: the logical end of the file comes before the physical end
of the cluster. The remaining bytes in the cluster are remnants of previous files or directories
stored in that cluster.
– Slack space can be accessed and written to directly using a hex editor.
– Writing there does not add any “used space” information to the drive.
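An added example, not from the report, tying Step 5 (hash authentication) to Step 9 and the slack-space mechanics above: it carves file slack from a constructed toy image and refuses to proceed unless the image's SHA-256 matches the value recorded at acquisition. The cluster size, directory entries and file contents are constructed for illustration and do not model any real file system.

```python
import hashlib

CLUSTER = 512   # constructed: a small cluster size keeps the toy image readable

def sha256_hex(data):
    """Hash used to authenticate the bit-stream copy (Step 5)."""
    return hashlib.sha256(data).hexdigest()

def file_slack(image, start_cluster, size):
    """Bytes from the logical end of a contiguous file to the physical end of
    its last cluster. A file that exactly fills its clusters has no slack."""
    if size % CLUSTER == 0:
        return b""
    logical_end = start_cluster * CLUSTER + size
    physical_end = (start_cluster + size // CLUSTER + 1) * CLUSTER
    return image[logical_end:physical_end]

def constructed_image():
    """Toy raw image (constructed test data): cluster 0 once held a 50-byte memo
    that was 'deleted'; a 19-byte file was then written over the front of the
    same cluster, leaving the memo's tail in the new file's slack. Cluster 1
    holds a file that exactly fills it."""
    memo = b"OLD CONFIDENTIAL MEMO: account 4417 moved offshore"
    cluster0 = bytearray(memo.ljust(CLUSTER, b"\x00"))
    new_file = b"shopping list: milk"
    cluster0[: len(new_file)] = new_file
    return bytes(cluster0) + b"A" * CLUSTER

# Constructed directory entries: (name, first cluster, logical size in bytes)
DIRECTORY = [("LIST.TXT", 0, 19), ("FULL.BIN", 1, 512)]

def carve_slack(image, directory, expected_hash):
    """Verify the acquisition hash, carve each file's slack read-only, then
    re-hash to document that the analysis did not alter the evidence."""
    if sha256_hex(image) != expected_hash:
        raise ValueError("image hash mismatch: evidence may have been altered")
    findings = {name: file_slack(image, start, size)
                for name, start, size in directory}
    if sha256_hex(image) != expected_hash:
        raise RuntimeError("analysis modified the image")
    return findings

if __name__ == "__main__":
    img = constructed_image()
    acquired_hash = sha256_hex(img)   # recorded when the bit-stream copy was made
    for name, slack in carve_slack(img, DIRECTORY, acquired_hash).items():
        print(name, len(slack), "slack bytes:", slack.rstrip(b"\x00"))
```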
Hidden drive space is non-partitioned space in between partitions.
– The File Allocation Table (FAT) is modified to remove any reference to the non-partitioned
space.
– The addresses of the sectors must be known in order to read/write information to them.
Bad sectors occur when the OS attempts to read information from a sector unsuccessfully. After a
(specified) number of unsuccessful tries, it copies (if possible) the information to another
sector and marks (flags) the sector as bad so it is not read from or written to again.
– Users can control the flagging of bad sectors.
– Flagged sectors can still be read from and written to with direct reads and writes using a hex
editor.
Extra tracks: most hard disks have more than the rated number of tracks to make up for
flaws in manufacturing (so that a disk is not discarded for failing to meet the minimum
number).
– Usually not required or used, but with direct (hex editor) reads and writes they can
be used to hide and read data.
Changing file names and extensions, e.g. renaming a .doc file to a .dll file.
Methods of Detecting/Recovering Data
• Images and sound/video clips can be viewed or listened to and distortions may be found.
• Generally, this only occurs if the amount of data hidden inside the media is too large to be
successfully hidden within the media (15% rule).
– Software analysis
• Even small amounts of processing can filter out echoes and shadow noise within an
audio file to search for hidden information.
• If the original media file is available, hash values can easily detect modifications.
– Disk analysis utilities can search the hard drive for hidden tracks/sectors/data.
– RAM slack is the space from the end of the file to the end of the containing sector.
Before a sector is written to disk, it is stored in a buffer somewhere in RAM. If the
buffer is only partially filled with information before being committed to disk,
remnants from the end of the buffer will be written to disk. In this way, information
that was never "saved" can be found in RAM slack on disk.
– Firewall/Routing filters can be applied to search for hidden or invalid data in IP
datagram headers.
Steganalysis methods –
– Statistical Analysis
• Most steganographic algorithms that work on images assume that the Least
Significant Bit (LSB) is random.
• If a filter is applied to an image, the LSB bits will produce a recognizable image, so
the assumption is wrong.
• After inserting hidden information into an image, the LSB is no longer non-random
(especially with encrypted data). If you apply the same filter, it will no longer
produce a recognizable image.
• Statistical analysis of the LSB will tell you if the LSB bits are random or not.
– Frequency scanning
• Software can search for high, inaudible frequencies.
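An added example (not from the report) of the statistical LSB analysis described above: the pair-of-values chi-square test over 8-bit sample values, which detects the equalised pairs that a full-rate embedding of encrypted-looking bits leaves behind. The cover data and the random-bit embedding used to build the stego case are constructed here purely as test input for the detector; the decision threshold of twice the degrees of freedom is an assumption.

```python
import random

def lsb_pair_chi_square(samples):
    """Pair-of-values chi-square over 8-bit samples (pixel or audio values).
    In untouched media the two members of each pair (2k, 2k+1) differ in
    frequency; overwriting the LSB plane with random-looking bits equalises
    them, so the statistic collapses towards the degrees of freedom."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b == 0:
            continue                      # pair absent: contributes nothing
        stat += (a - b) ** 2 / (a + b)    # chi-square of (a, b) vs their mean
        dof += 1
    return stat, dof

def lsb_looks_random(samples, factor=2.0):
    """Flag media whose LSB plane is suspiciously uniform: a statistic within
    `factor` times the degrees of freedom is what pure chance (i.e. a full LSB
    embedding) produces. The factor is an assumed, not a calibrated, threshold."""
    stat, dof = lsb_pair_chi_square(samples)
    return dof > 0 and stat <= factor * dof

def constructed_cover(n=20000, seed=7):
    """Constructed stand-in for a natural cover: pair counts are unbalanced
    (about 85% even values), mimicking the non-random LSB plane of real images."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.7:
            v &= 0xFE
        out.append(v)
    return out

def embed_random_bits(samples, seed=11):
    """Replace every LSB with a random bit: a stand-in for a full encrypted
    payload, used here only to produce a positive test case for the detector."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]

if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed_random_bits(cover)
    for label, data in (("cover", cover), ("stego", stego)):
        stat, dof = lsb_pair_chi_square(data)
        print(f"{label}: chi2={stat:.0f} dof={dof} random_lsb={lsb_looks_random(data)}")
```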
Recovery
– Recovery of watermarked data is extremely hard.
• Currently, there are very few methods to recover hidden, encrypted data.
– Data hidden on disk is much easier to find. Once found, if unencrypted, it is already
recovered.
– Deleted data can be reconstructed (even on hard drives that have been magnetically
wiped).
– Check swap files for passwords and encryption keys, which are stored in the clear
(unencrypted).
– Software Tools
• Scan for and reconstruct deleted data
• Break encryption
Example:
GetFree – Forensic Data Capture Tool. When files are 'deleted' in DOS, Windows, Windows
95 and Windows 98, the data associated with the file is not actually eliminated. It is simply
reassigned to unallocated storage space, where it may eventually be overwritten by the
creation of new files over time. Such data can provide the computer forensics investigator
with valuable leads and evidence.
GetSlack – Forensic Data Capture Utility. This software is used to capture all of the file slack
contained on a logical hard disk drive or floppy diskette on a DOS, Windows, Windows 95
and/or Windows 98 computer system. The resulting output from GetSlack can be analyzed
with standard computer utilities or with special NTI tools, e.g., Filter_I and Net Threat
Analyzer software.
Forensic Graphics File Extractor – NTI's Forensic Graphics Image File Extractor is a
computer forensics software tool which was designed to automatically extract exact
copies of graphics file images from ambient data sources and from SafeBack bit stream
image backup files. The latter process has the potential of quickly identifying all graphics
file images stored on a computer's hard disk drive. The resulting output image files can be
quickly evaluated using a graphics file viewer.
Disk Scrub – Hard Drive Data Elimination Software. It is becoming standard practice in
corporations, government agencies, law firms and accounting firms to reassign computers
and to donate older computers to charity. Millions of personal computers have been put to
use since 1981 when the IBM Personal Computer came into existence. Many of the older
personal computers have been reassigned or donated to charity and many more will fall into
this category in the future. However, data security is often ignored when computers change
hands. You must be aware that personal computers were never designed with security in
mind. Potentially anything that transpired on a used computer still exists. Multiply that by the
number of computers your organization will reassign or surplus this year, and you get the
point. Computers should be reassigned and donated to charity, but the contents of the hard
disk drives should not be ignored. With computer technology changing almost daily,
corporations and government agencies have to stay current while still making the best use of
aging computer resources. Advancements in hard disk drive storage capacities, operating
systems and software applications cause corporations to buy or lease new computers every
year.
But what is done with the old computers? What is done about the sensitive data still
existing, essentially "stored" on these computers when they are sold, transferred or donated?
That is a serious problem, and NTI's Disk Scrub software was specifically designed to deal
with these risks, for corporations, government agencies, hospitals, financial institutions, law
firms and accounting firms.
Advantages of Computer Forensics
It has the ability to search through a massive amount of data:
• Quickly
• Easily
• Thoroughly
Disadvantages of Computer Forensics
• For digital evidence to be accepted into court, it must be proven that there has been no
tampering.
Conclusion
Practical investigations tend to rely on multiple streams of evidence which corroborate each
other: each stream may have its weaknesses, but taken together they may point to a single
conclusion. Disk forensics may remain for some time the single most important form of
digital evidence. The increasing number of computer crimes means increasing demand for
computer forensics services. In a computer forensics investigation, choosing the right
disk imaging tool is very important. There is no standard conformity of computer forensic
imaging methodology or tool. This paper only provides guidance and suggestions regarding
imaging tools; it should not be construed as a mandatory requirement.
Today, everyone is exposed to potential attacks and has a responsibility to its network
neighbors to minimize their own vulnerabilities in an effort to provide a more secure and
stable network. As the enormity of the problem unfolds, we will better comprehend how vital
it is to work towards dramatic changes in research, prevention, detection and reporting, and
computer crime investigation. Security can no longer be thought of as an impediment to
accomplishing the mission, but rather a basic requirement that is properly resourced.
Our focus has been to implement the newest and most advanced technology, but little has
prepared us for the gaping security holes we've neglected to mend along the way. From the
ranks of management to every employee that works behind each terminal, the policies that
protect and mitigate risks must be current, understood, and aggressively enforced. Reporting
must be standard operating procedure so that everyone can realize the total impact and define
what is required for a secure cyber environment. The responsibility belongs to everyone and
it is with that effort we will be able to harness the security of this new technological age. An
enormous challenge lies before us and we must attack it with the same enthusiasm and
determination that brought us to this new frontier.