COMPUTER FORENSICS LABORATORY AND TOOLS

Guillermo A. Francia III and Keion Clinton
Mathematics, Computing, and Information Sciences Department
Jacksonville State University
Jacksonville, Alabama
Emails: gfrancia@jsu.edu, kmclinton@hotmail.com

ABSTRACT

The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies. This paper presents the design and implementation of an experimental Computer Security and Forensic Analysis (CSFA) laboratory and the tools associated with it. The laboratory is envisioned as a training facility for future computer security professionals.


Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the CCSC copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a fee and/or specific permission.

JCSC 20, 6 (June 2005), CCSC: Mid-South Conference

INTRODUCTION

Computers and the Internet have become a major part of our lives. The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. Each day, many of us carry out banking transactions, purchases, and message exchanges through email. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies.

Computer forensics is the identification, preservation, and analysis of information stored, transmitted, or produced by a computer system or computer network. Its main purpose is to establish the validity of the hypotheses used in an attempt to explain the circumstances or the cause of an activity under investigation [1]. The practice was initiated by the U.S. military and intelligence agencies in the early 1970s. Although little is known about these activities because of their classified environments, it is reasonable to presume that they had a counter-intelligence focus centered on computer mainframes.
In the 1980s, the Internal Revenue Service Criminal Investigation Division (IRS-CID) and Revenue Canada were two of the first government agencies with an obvious and openly acknowledged obligation to carry out forensics on external systems linked to criminal offences. In 1984, the FBI established the Computer Analysis and Response Team (CART) to provide computer forensic support [2].

There are a number of computer forensic training courses offered today. However, most of them focus on a specific set of tools. A computer forensic examiner's training course should be broad enough to familiarize the student with all methodologies of the field. The National Cybercrime Training Partnership (NCTP) was set up by the U.S. government to provide guidance and assistance to local, state, and federal law enforcement agencies. Other U.S. organizations involved in training include NCJIS (the National Consortium for Justice Information and Statistics) and the High Technology Crime Investigation Association (HTCIA). In Europe, NATO's Lathe Gambit Information Security program and Interpol both offer similar training courses for allied countries. In the Asia-Pacific region, the Australasian Center for Policing Research (ACPR) conducts a number of training courses for Australia and New Zealand [3].

A number of proprietary software packages for computer security and forensic analysis are available on the market today. The evaluation methods and criteria for such software are detailed in [7] and [13]. Generally, the functionality of such tools can be divided into three main categories, as described in [1]:

1. Imaging:
   a. Imaging volatile memory;
   b. Disk and file imaging;
   c. Write blockers;
   d. Integrity code generators and checkers.
2. Analysis:
   a. Ambient data recovery and searching of raw disk data for text strings, by sector;
   b. Data and file recovery;
   c. Disk and file system integrity checking tools;
   d. File conversion;
   e. Data filtering by date last modified and other file properties;
   f. Search tools;
   g. Data mining tools.
3. Visualization:
   a. Time-lining;
   b. Link analysis tools.

This paper presents a computer security and forensic analysis project which includes the design and implementation of 1) an experimental Computer Security and Forensic Analysis (CSFA) laboratory, 2) a computer security and forensic toolkit for the laboratory, and 3) hands-on activities in computer forensic analysis.

OBJECTIVES

The objectives of the proposed project are as follows:

1) To design and implement an experimental computer security and forensic analysis laboratory with features that will suit both research and pedagogical activities. Although the size of the CSFA laboratory will be limited to a proof-of-concept variety, its design will be guided by the need for future scalability in size and adaptability to new technologies.
2) To provide students with exposure to the spectrum of computer forensic tools and to the development of forensic toolkits that they can use for computer crime scene investigations.
3) To establish the core forensic procedures necessary for performing a thorough inspection of all computer systems and file types, for tracking offenders on the Internet, for proper evidence handling, and for working with law enforcement agencies.
4) To explore the possibility of designing a cross-disciplinary course in the areas of computer network security, forensic data collection and analysis, and security audit and assessment that will involve two or more academic disciplines other than computer science.
5) To disseminate the research results and the lessons and experiences gained in designing and implementing the CSFA laboratory and the hands-on activities that evolved within it.

THE CSFA LABORATORY

The CSFA laboratory consists of five (5) desktop and two (2) notebook computers taken from previously completed grant projects. All of them are configured to boot multiple operating systems, to attach to different network interconnections, and to sustain repeated forensic data collection and retrieval. The computers fall into three roles: analysis server, scratch and test workstation, and evidence collection workstation. The analysis server provides the platform for forensic analysis and investigation. The scratch and test workstation is used to simulate hacking activities and vulnerability assessment processes. The evidence collection workstation serves as the central station for forensic data collection and replication.

The network infrastructure, both wired and wireless, is built from legacy devices gathered from academic computing system upgrades and from previously completed grant projects. In addition to the computing resources described above, various operating system versions, tape drives, floppy drives, and portable disk drives were obtained through our reclamation effort to put old computers, systems, and peripherals to good use.

THE FORENSIC SOFTWARE TOOLS

Data Analysis Tools

Forensic data analysis is the process of revealing and discovering evidentiary information that may not be apparent or may be completely concealed. With the availability of data mining techniques, this process may also include intelligent prediction of events and attack-pattern recognition. Several data analysis tools, both open source and commercial, are available on the market. A few of them are described below.

The Sleuth Kit and the Autopsy Forensic Browser are a collection of open source forensic tools developed by Brian Carrier. They can be used to access file systems at a low level, to search image files for data, and to view file activity. The kit, described extensively in [14], may be downloaded from the website repository at [15].

Disk Investigator is a forensic freeware utility that can gather a variety of information from a user's hard disk [4]. It helps discover all that is "hidden" on a hard disk, aids in locating sensitive data with its search and view functions, and displays the drive's true contents. By bypassing the operating system and reading raw drive sectors directly, Disk Investigator lets the user search file clusters for specific keywords or content. The freeware utility is available for download from [5]. A snapshot of the Disk Investigator graphical user interface (GUI) is depicted in Figure 1.

SectorSpyXP is a computer forensic tool that can be used by law enforcement or by anyone wishing to search for and retrieve evidence left on computer hard drives and diskettes [4]. It examines all data on a hard drive or diskette at the sector level and ships with detailed documentation on how to perform a keyword search to find and retrieve incriminating evidence. It can be used to retrieve lost information, text that has been deleted and removed from the Recycle Bin, and even information not found by other file-retrieval programs. The program runs on the Windows 2000 and XP operating systems. The freeware may be downloaded from the company website at [6]. A snapshot of the SectorSpyXP graphical user interface (GUI) is depicted in Figure 2.
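The sector-level keyword search that Disk Investigator and SectorSpyXP perform through their GUIs can be reproduced with standard UNIX tools. The following is an added example written for this discussion, not code from the paper or from either tool: it reads an image directly, bypassing the file system, so text in unallocated clusters or slack space turns up as readily as text in live files, and it reports each hit as a byte offset, a sector number, and an offset within that sector. The 512-byte sector size and the sample image built in the usage are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the paper or from Disk Investigator/SectorSpyXP:
# raw-sector keyword search over a disk image. Sector size is assumed to be
# 512 bytes (the paper does not state one).

SECTOR_SIZE=512

# sector_search IMAGE KEYWORD
# Prints one line per hit: "<byte offset> <sector> <offset within sector>".
sector_search() {
    image=$1
    keyword=$2
    # grep -b -o -a: byte offset of each match, the match only, treat the
    # binary image as text. LC_ALL=C keeps the offset in bytes, not characters.
    LC_ALL=C grep -boa -- "$keyword" "$image" | while IFS=: read -r off _rest; do
        printf '%s %s %s\n' "$off" $((off / SECTOR_SIZE)) $((off % SECTOR_SIZE))
    done
}

# sector_dump IMAGE SECTOR
# Dumps a single sector (decimal offsets, printable characters) so a hit can
# be read in context, together with whatever else shares that sector.
sector_dump() {
    dd if="$1" bs="$SECTOR_SIZE" skip="$2" count=1 2>/dev/null | od -A d -c
}

# Usage on a constructed image: 16 zeroed sectors with the word "confidential"
# planted at byte 2660, which is sector 5, offset 100. A real investigation
# would point IMAGE at the working copy of the evidence, never the original.
if [ "$1" = "--demo" ]; then
    IMAGE=$(mktemp)
    dd if=/dev/zero of="$IMAGE" bs=512 count=16 2>/dev/null
    printf 'confidential' | dd of="$IMAGE" bs=1 seek=2660 conv=notrunc 2>/dev/null
    sector_search "$IMAGE" confidential
    sector_dump "$IMAGE" 5
    rm -f "$IMAGE"
fi
```

Run with `--demo` to see the planted hit reported as `2660 5 100` followed by the dump of sector 5. The search ignores the file system entirely, which is exactly why it finds "deleted" text: unlinking a file changes directory entries and allocation maps, not the sectors that held the content.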

Figure 1. The Disk Investigator GUI

Figure 2. The SectorSpyXP GUI

Disk Imaging Tools

In computer forensic analysis, it is always prudent to avoid working directly on the evidence, because physical evidence must be held pristine. Thus the need for a sound disk imaging process and tools is paramount. The National Institute of Standards and Technology (NIST) [7] has developed a test methodology and test suites for evaluating disk imaging tools. The Institute's requirements for a disk imaging tool are:
• The tool should be able to make a bit-stream duplicate or an image of an original disk or partition.
• The tool should never alter the original disk.
• The tool should be able to log I/O errors.
• The tool's documentation should be correct in every respect.

The following discussion presents several disk imaging tools, both open source and commercial, that can be used to preserve evidence held on disk.

The "dd" (data dump) command is one of the original UNIX utilities and is used for disk cloning or duplication. It can extract parts of binary files, write into specified sectors of a disk, make boot images, and perform file format conversions. A summary of all "dd" options can be found in [8].

Acronis True Image 6.0 [12] takes an exact image of a hard disk drive or of separate partitions and produces either a complete backup image or a clone. It can create and restore complete disk images from within a running Windows system and understands the FAT16/32 and NTFS file systems as well as the Linux ext2, ext3, and ReiserFS file systems. Note that imaging a disk from the operating system that has it mounted conflicts with the second NIST requirement above; for evidence acquisition the source should be attached through a write blocker or imaged from a separate boot environment.

SafeBack [9] is used to create mirror-image (bit-stream) files of disks or disk partitions. It is a self-authenticating forensic tool used to create evidence-grade images of disk drives. The self-authentication (integrity preservation) of SafeBack files is achieved through two separate hashing processes that rely on the NIST-tested SHA-256 algorithm.

EnCase [10] can be used to mount images of hard drives or CDs as read-only local drives. Together with VMware [11], a virtual machine infrastructure product, EnCase enables the examiner to boot the imaged computer under investigation and examine it in the state it was in when the evidence was first captured.
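The "dd" discussion above and the laboratory project below that asks for working copies of a whole disk and of specific sectors, with an integrity check of each, are served by the same procedure. The following is an added example written for this discussion, not code from the paper: a dd-based acquisition that checks itself against the three testable NIST requirements (bit-stream copy, source untouched, I/O errors logged) by hashing the source before and after the copy and the image afterwards. The source may be a block device read through a hardware write blocker or, as in the usage here, an ordinary file standing in for one; the 512-byte sector size and the sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the paper: self-checking dd acquisition plus
# sector-range working copies. Sector size is assumed to be 512 bytes.

SECTOR_SIZE=512

# hash_of FILE: SHA-256 digest of FILE, used for every before/after comparison.
hash_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# image_disk SRC IMAGE LOG
# Copies SRC to IMAGE sector by sector. conv=noerror makes dd continue past
# unreadable sectors instead of aborting, conv=sync pads each such sector with
# zeros so the image keeps the source geometry, and dd's own error messages
# are appended to LOG. Returns 0 only if the image hashes the same as the
# source and the source hashes the same after acquisition as before; any other
# result means the copy is not evidence grade. Because of conv=sync, a file
# standing in for a disk must be a whole number of sectors, as a disk always is.
image_disk() {
    src=$1; img=$2; log=$3
    before=$(hash_of "$src")
    dd if="$src" of="$img" bs="$SECTOR_SIZE" conv=noerror,sync 2>>"$log"
    after=$(hash_of "$src")
    copy=$(hash_of "$img")
    printf 'source_before=%s\nsource_after=%s\nimage=%s\n' \
        "$before" "$after" "$copy" >>"$log"
    [ "$before" = "$after" ] && [ "$before" = "$copy" ]
}

# extract_sectors IMAGE START COUNT OUT
# Working copy of a sector range, taken from the image and never from the
# original: skip START sectors, copy COUNT of them.
extract_sectors() {
    dd if="$1" of="$4" bs="$SECTOR_SIZE" skip="$2" count="$3" 2>/dev/null
}

# verify_copy ORIGINAL COPY: returns 0 if the two hash identically.
verify_copy() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Usage on a constructed 64-sector "disk" of random bytes (assumption of this
# example). The same calls apply to /dev/sdX behind a write blocker.
if [ "$1" = "--demo" ]; then
    SRC=$(mktemp); IMG=$(mktemp); LOG=$(mktemp); PART=$(mktemp)
    dd if=/dev/urandom of="$SRC" bs=512 count=64 2>/dev/null
    if image_disk "$SRC" "$IMG" "$LOG"; then
        echo "image verified:"; cat "$LOG"
    else
        echo "image FAILED verification, see $LOG"; exit 1
    fi
    extract_sectors "$IMG" 10 4 "$PART"
    echo "sectors 10-13 copied, $(wc -c < "$PART") bytes, sha256 $(hash_of "$PART")"
    rm -f "$SRC" "$IMG" "$LOG" "$PART"
fi
```

The three hashes in the log are the record an examiner keeps with the image: the source-before and source-after digests show the original was not altered by the acquisition, and the image digest ties the working copy to it. A mismatch between the source and image digests after a run with read errors in the log is expected, since the unreadable sectors were zero-filled; in that case the log, not the hash, is the evidence of what could and could not be recovered.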


FORENSIC LABORATORY PROJECTS

The following laboratory projects are designed to provide hands-on training exercises in computer forensic analysis.
• Given a specific disk imaging tool, design and implement a test methodology that provides a measure of assurance of its effectiveness. Refer to the NIST testing methodologies found in [7] for guidance.
• Given a floppy disk that contains hidden evidence material, perform a thorough data analysis and extract the hidden evidence from it.
• Given an image file that has been severely corrupted, recover parts of it through header reconstruction and, possibly, value interpolation.
• Perform an analysis of a given Ethereal log file and report all findings. (Note: the logging was done during a simulated attack on a test workstation.)
• Given a hard disk representing captured evidence material, create working copies of a) the entire disk, b) specific sectors on the disk, and c) specified files and folders on the disk. Check the integrity of the working copies.
• Perform a data analysis of a given file representing dumped system/security log files and report all findings. (Note: the log files will contain information on simulated penetration attempts and system file alterations.) Do this task separately for Windows 2000 and Linux.
• Given a floppy disk as evidence material, recover all forensic information from it. This information will include, but is not limited to, deleted files, file activity timelines, file types, corrupted files, and basic file information such as size, creation date, ownership, and access modes.

CONCLUSIONS AND FUTURE PLANS

This paper outlined the resources found in an experimental computer security and forensics laboratory and the hands-on exercises it supports. The activities and projects are designed and structured to provide practical experience while illustrating theory and possible research areas.

As indicated above, the computer security and forensic laboratory can be implemented using legacy equipment that may be acquired at minimal cost. The challenge for the authors will be the continual development of these activities and the introduction of novel practices that leverage the availability of state-of-the-art equipment and system tools. Future work will include:
• Forensic analysis of application code
• Web services security
• Radio Frequency Identification (RFID) security
• Forensic analysis of electronic mail
• Development of advanced vulnerability assessment tools.

ACKNOWLEDGEMENTS This paper is based upon a project partly supported by the National Science Foundation under grants DUE-9950946 and DUE-0125635. Opinions expressed are those of the authors and not necessarily of the Foundation.

REFERENCES

[1] Anderson, A., Collie, B., De Vel, O., McKemmish, R., Mohay, G., Computer and Intrusion Forensics, Artech House, 2003.
[2] Culley, A., "Computer Forensics: Past, Present, and Future," Information Security Technical Report, vol. 8, pp. 32-36, 2003.
[3] Rogers, M., Seigfried, K., "The Future of Computer Forensics: A Needs Analysis Survey," Computers & Security, vol. 23, pp. 12-16, January 2004.
[4] Schweitzer, D., Incident Response: Computer Forensic Toolkit, Wiley Publishing, Inc., 2003.
[5] website: http://ww.theabsolute.net/sware
[6] website: http://www.majorgeeks.com/download.php?det=2562
[7] website: http://www.cftt.nist.gov
[8] Siever, E., Figgins, S., and Weber, F., Linux in a Nutshell, 4th Ed., O'Reilly Publishing, 2003.
[9] website: http://www.forensics-intl.com/safeback.html
[10] website: http://www.guidancesoftware.com/products/EnCaseForensic
[11] website: http://www.vmware.com
[12] website: http://www.acronis.com
[13] Nelson, B., Phillips, A., Enfinger, F., and Steuart, C., Guide to Computer Forensics and Investigations, Course Technology, 2004.

