
Guide to a Secured and Hassle-Free Internet Life

Articles of Computer Forensics and Network Forensics

June 2010

A Report Prepared By

http://www.agdatacom.com/

with support from

eDecision Group
http://www.edecision4u.com/

Copyright 2010. AG Datacom Philippines Inc. All Rights Reserved.

OVERVIEW
I am sitting at my table and thinking about what my next topic to discuss will be. Do I really have an initial discussion at all? I was in the IT industry for a long time and really don't have enough time to write about something I really want to tackle. Mostly, what exists is mainly theoretical, rephrasing the statement and adding a new standpoint, or plain technical documentation that tackles one product and then another.
I am starting to think more about that. As a Pre-Sales Manager of AG Datacom Philippines Incorporated, managing all IT products and solutions that help everyone with their technology needs, from desktop management to the most complicated and sophisticated aspects of IT requirements, I want to see the real position of our country, the Philippines, in an IT environment. It is something that is missed by IT people and neglected as it is not really a priority, not a high priority right now. But what really concerns us now is this: how are we doing in the IT environment individually?
Are we really secure in terms of our Internet life? Do you experience any changes during your online transactions, or any unknown errors, while surfing?
The growing danger from cybercrimes against computers and the Internet is starting to claim important attention in our area nowadays. The Philippines, I would say, is not yet aware enough of Internet-related problems such as Internet bugs, viruses, errors, unavailable websites, intrusions and the most common attack, hacking, which can steal millions of records on the web with just a few lines of code, a few key presses and one click of the mouse. Isn't it amazing? No need for personal contact or interaction; it is just a little research, a tool to retrieve another account, a few tweaks and boom! Hacking complete.
Is everyone around our country aware of it? Even though every time we enter any online transaction we see some reminders, we often ignore those crucial notes and just go ahead with our online business to save time and for convenience. I don't argue with that statement when it comes to the convenient output of online processing. No queue. No business operation time period. No personal interaction with annoying staff. Just input your account details such as your username and password, one click of Logon or Submit, and then you have all you need.
I am researching Philippine law regarding cybercrime or any related Internet crime laws and punishments; they really exist. But those existing laws happen to be unenforceable against such crimes. This lack of legal protection means that businesses, public and most likely private, are depending on their in-house technical measures to prevent data theft, denial of access or, worst of all, outright destruction of information.
Individual self-protection, which is very essential, is not enough to make your cyber world peaceful and secure. It still cannot make business transactions on the World Wide Web safe. Those laws should be enforced. Inadequate legal protection in countries that do not really implement the rule of law makes them increasingly less competitive in the global market and economy.
In addition, law itself is only part of the answer. As we all know, extending the rule of law is a very critical step in securing business all over the globe and creating a trustworthy environment for people.
To provide self-protection, especially in private institutions and business groups, organizations should focus on cyber security rules and measures within their premises. As technology moves on with its fast-paced process, organizations need to commit the resources to educate employees on security practices, develop thorough plans for the handling of sensitive data, records and transactions, and incorporate robust security technology, such as firewalls, anti-virus software, intrusion detection tools and authentication services, throughout the organization's computer systems.
These tools, whether software or hardware, are mainly for system protection; they defend information systems, and they are complex and expensive to operate. To avoid hassle and expense, system manufacturers and system operators routinely leave security features turned off, needlessly increasing the vulnerability of the information on the systems. Bugs and security holes with known fixes are routinely left uncorrected. Further, no agreed-upon standards exist to benchmark the quality of the tools, and no accepted methodology exists for organizations to determine how much investment in security is enough. The inability to quantify the costs and benefits of information security investments leaves security managers at a disadvantage when competing for organizational resources. Much work remains to improve management and technical solutions for information protection. [1]
Computer networks, whether wired or wireless, should be implemented with strong security in order to breathe in and out peacefully. A wired network can be controlled by the computer policy implemented within the premises. It is easy to secure by using appropriate devices that can integrate with one another.
Now I am thinking ahead about working in the cloud, wirelessly: is it that safe? So I am considering the fact that we have a solution for this kind of issue, having thoroughly browsed our variety of IT solutions. I am digging through all my material on this product, and I am happy to see related articles that I can share here, and to tackle the importance of it all throughout the documentation.
Please take note that all articles and related documentation are not my own creation. They come from our business partners, and we want to share them in order to fully understand how this issue can affect us individually as well as globally. We can't thank them enough for giving us the opportunity to tackle those issues and for their respective contributions, which can turn out to be a great solution nowadays.

[1] For more information, please visit: http://www.witsa.org/papers/McConnell-cybercrime.pdf

Challenges of Computer Forensics and Network Forensics

Computer forensics, or digital forensics as many popularly call it, is a science that helps apply the criminal laws of a state or country to crimes committed with a computer and its accessories, or where a computer was used in the process of committing the crime or in producing the criminal evidence. The technique involves seizing the computer and its accessories in order to collect digital evidence from the storage media containing data of interest.
This sounds simple, right? Not so fast, I would say. The methodology for acquiring data from the computer requires due care and documentation, in order to keep the evidence unchanged throughout processing, up to the final evidence production stage. These actions keep the evidence in its pristine state and make the whole process reproducible, so that anyone following the same process arrives at the same conclusion. This is what makes it a science.
Technology is changing very fast, and the way computer users store data is changing just as fast. Storage media sizes and types keep changing, and network bandwidth and speed have increased to allow easy transfer of data from a local computer to different locations; this poses a challenge to computer forensic examiners. Storage media encryption technologies have also made it difficult for examiners to access data on a local machine that has been powered down when the suspected user refuses to divulge his decryption key. In such a situation, it will take either the intervention of a court of law to direct the release of the decryption key by the suspect, or network acquisition of the partitions on the suspect's computer while he is working on it. Again, this has its own challenges if the system password of the computer is unknown, or the examiner does not have administrator privilege on the target computer. The challenge is minimal when a corporate client machine is the target, as administrators have local administrator rights on all client machines in a domain.
Network data acquisition has its drawbacks, as some of the tools used install agents on the target machines to enable the network connection. The installed agent therefore changes the overall MD5 checksum of the drive, and the examiner could face a challenge in court if the actions taken are not clearly recorded and the changes made to the overall data are not enumerated. An agent on the target machine might be deemed a malware installation, which borders on a crime committed by the examiner, and could cause the whole case to be thrown out of court.
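An added illustration, not from the article or from any tool it names, of the point about enumerating what an acquisition agent changed: the image and the agent bytes below are constructed, and the sector-level diff is what the examiner's notes should list alongside the before and after hashes.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR = 512  # classic sector size; the diff works per sector


def make_image(sectors: int, fill: bytes = b"\x00") -> bytearray:
    """Constructed stand-in for an acquired disk image (not real evidence)."""
    return bytearray(fill * (SECTOR * sectors))


def image_hashes(img: bytes) -> Dict[str, str]:
    """Hashes for the acquisition log. MD5 is what the article names; SHA-256
    is recorded beside it because MD5 collisions are practical today."""
    return {"md5": hashlib.md5(img).hexdigest(),
            "sha256": hashlib.sha256(img).hexdigest()}


def changed_sectors(before: bytes, after: bytes) -> List[int]:
    """Enumerate every sector whose content differs between two images of the
    same size; this list belongs in the examiner's notes whenever an agent
    was written to the target before the acquisition."""
    if len(before) != len(after):
        raise ValueError("images differ in size; compare like with like")
    return [i for i in range(len(before) // SECTOR)
            if before[i * SECTOR:(i + 1) * SECTOR]
            != after[i * SECTOR:(i + 1) * SECTOR]]


def install_agent(img: bytearray, start_sector: int, agent: bytes) -> None:
    """Simulate the on-disk footprint of an acquisition agent (constructed)."""
    start = start_sector * SECTOR
    img[start:start + len(agent)] = agent


def verify_unchanged_outside(before: bytes, after: bytes,
                             declared: List[int]) -> bool:
    """True if the only differences are the sectors the examiner declared."""
    return set(changed_sectors(before, after)) <= set(declared)


def demo() -> Tuple[bool, List[int]]:
    """Hash before, hash after, and the enumerated change set."""
    original = make_image(64)
    original[0:16] = b"MBR-LIKE-DATA..."     # constructed content
    working = bytearray(original)            # copy the agent lands on
    agent = b"AGENT-BINARY-STUB" * 40        # 680 bytes: spans two sectors
    install_agent(working, 10, agent)
    md5_changed = image_hashes(original)["md5"] != image_hashes(working)["md5"]
    return md5_changed, changed_sectors(original, working)


if __name__ == "__main__":
    changed, sectors = demo()
    print("MD5 changed:", changed, "sectors touched:", sectors)
```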
There are instances where data on a drive might be corrupted and evidence cannot be obtained. Under such circumstances, an examiner might be compelled to format the drive and use data recovery tools to recover files from it. This is where reliance on the registry for events and their time stamps becomes crucial in pinpointing when an event occurred, e.g., which USB storage device was attached to the system and when. I call this technique "destroy and search", as opposed to the popular "search and destroy" concept used by the military in combat operations. When this technique is utilized, the "goldmine" to harvest is the unallocated space. The Simple File Carver tool, by Filesig, does a good job of data carving, and every forensic examiner should have one in his arsenal of tools.
In conclusion, one can safely infer that as computer technology evolves, so must digital forensic practices. For instance, the 512-byte default sector size for hard drives is changing to 4096 bytes, which is going to change some of the ways we examine evidence on drives with respect to the definition of slack space and unallocated space. At this point we are faced with the question: what happens to the 1024-byte MFT entry size on NTFS partitions? Are operating systems going to change to adapt to this situation? Are forensic tool vendors going to retool? All I can say for now is: time will tell. My next article will be on cloud computing and network forensics.
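An added example, not part of the article, of why the 512-byte to 4096-byte sector change alters what "slack space" means: with a 4 KiB cluster, the whole unused sectors that a carver treats as file slack disappear once the sector itself is 4 KiB. The image contents and the write model (file bytes, then zero fill to the end of the last sector) are constructed assumptions.

```python
from typing import Dict


def sector_slack(file_size: int, sector_size: int) -> int:
    """Bytes between end-of-file and the end of the file's last sector."""
    if file_size <= 0 or sector_size <= 0:
        raise ValueError("sizes must be positive")
    return (-file_size) % sector_size


def file_slack(file_size: int, sector_size: int,
               cluster_sectors: int) -> Dict[str, int]:
    """Split a file's slack into the tail of its final sector (RAM slack,
    overwritten when the OS writes that whole sector) and the untouched
    whole sectors at the end of its last cluster (file slack, which may
    still hold remnants of a previously deleted file)."""
    cluster = sector_size * cluster_sectors
    total = (-file_size) % cluster
    ram = sector_slack(file_size, sector_size)
    return {"cluster_bytes": cluster, "ram_slack": ram,
            "file_slack": total - ram, "total_slack": total}


def write_file(image: bytearray, first_sector: int, data: bytes,
               sector_size: int) -> None:
    """Model an OS write: the file's bytes, then zeros to the sector end."""
    start = first_sector * sector_size
    end = start + len(data)
    pad = sector_slack(len(data), sector_size)
    image[start:end] = data
    image[end:end + pad] = b"\x00" * pad


def carve_slack(image: bytes, first_sector: int, file_size: int,
                sector_size: int, cluster_sectors: int) -> bytes:
    """Return the whole unused sectors after the file's last sector, i.e.
    the region a carver inspects for remnants of earlier files."""
    info = file_slack(file_size, sector_size, cluster_sectors)
    start = first_sector * sector_size + file_size + info["ram_slack"]
    return image[start:start + info["file_slack"]]


def demo() -> Dict[int, int]:
    """Same 4 KiB cluster, same 1000-byte file, two sector sizes: how many
    bytes of the old file's remnant survive as carvable file slack."""
    results: Dict[int, int] = {}
    for sector_size, cluster_sectors in ((512, 8), (4096, 1)):
        image = bytearray(b"R" * 4096)   # constructed: deleted-file remnant
        write_file(image, 0, b"N" * 1000, sector_size)
        carved = carve_slack(image, 0, 1000, sector_size, cluster_sectors)
        results[sector_size] = carved.count(b"R")
    return results


if __name__ == "__main__":
    print(demo())
```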

Cloud Computing and Network Forensics in the Eyes of a Computer Forensic Examiner

Technology keeps amazing me. It changes so rapidly that sometimes, before one catches up with it, it has evolved to a newer phase with a whole new set of changes from the previous one. This means users have to keep spending money to keep up, the end result being nagging, complaining and a lot of money spent. This is a vicious cycle that keeps turning. It is this array of unending expenditure that has brought forth what is now called "cloud computing".
Cloud computing allows users to use, on a server located somewhere deemed "the cloud", all the resources they would otherwise have invested in installing on their local machine. This includes storage space, application usage, social networking, etc., for a fee. The computer user does not have to worry about the hard drive crashing, data being stolen from the computer, etc. Just pay a fee and you are good to go. Files and applications are accessed through the web. This implies that all one needs is Internet access and an access medium, which could be a portable handheld device, a smart phone or a basic computer.
Many organizations and individuals are already using this technology and have realized its great benefit of being hassle-free. However, we may pause to ask ourselves a few questions: do we know where our data is physically located? Do we know how secure our records are? How do we investigate an event should some breach occur? Are we in compliance with legislation and regulations such as SOX, HIPAA, etc.? As a network administrator in an organization, how much grasp do you have on controls, security and function? These are some of the questions we have to keep asking ourselves. As computer forensic examiners, what do we do to access breached data for analysis? Is a search warrant issued in your jurisdiction going to be honored in the location where the servers are located? What limitations are you going to face? Do countries have treaties that will allow cross-border search warrants to be executed?

Before we go through all the impediments that might stand in the way of investigations, network forensics might be a prime solution to buttress your case for further searches. Network forensics, in the conventional sense, is the analysis of network traffic logs to trace events that have occurred. The logs may reveal the source and destination IP addresses of the systems in question, as well as time stamps and the event that occurred, with the type of transaction that took place. This will sometimes lead to a dead end, rendering investigations useless. The evidence in question never gets discovered and the culprits walk away free, while the victim loses out. An example is a case of corporate espionage.
The best way to deal with impediments in cloud computing investigations is to have lawful interception of data crossing the corporate boundary to the cloud. This is the collection of raw data packets at the data link layer by intelligent tools, namely Decision Group's E-Detective capturing tool and the E-Detective Data Decoding Center tool, which decode raw data, both in real time and offline, into various web application formats. There are other cost-effective and easy-to-use tools from Decision Group that will provide total compliance solutions to companies and law enforcement agencies faced with the same impediments I have mentioned.
We cannot revert to the old way of doing things on our networks. Cloud computing is the technology of now, and it is going to increase with time. We have to be able to adjust to investigating data that has crossed the network through the Internet to the cloud.
Do we have what it takes to do the job? I believe we all have to adjust to meet the present test of time. In my next presentation, I will talk about network packet forensics and evidence handling, and how to make it acceptable in a court of law.

Deep Packet Inspection and Reconstruction for Network Forensics and Lawful Interception

I am back as promised, to talk about deep packet inspection and reconstruction for the purposes of network forensics and security.
Deep packet inspection technology is based on packet sniffing of network traffic, using a network adapter set in promiscuous mode on the network being monitored. The packets sniffed and captured during this process are not interpreted from the header information alone. The data payload is analyzed at the same time to gather information about session establishment, presentation layer information and application layer information.
Promiscuous mode allows the network interface card to accept every frame traversing the network, not only those addressed to it, just as happens across the ports of a hub serving as the central connection point of all nodes interconnected on the network. These days, hubs have been replaced with switches, which defeat the purpose of sniffing traffic on the entire network: only traffic emanating from a port on the switch, which has its own collision domain, is seen. MAC flooding is a way to make a switch act in the same manner as a hub, enabling sniffing of packets across all its ports, although managed switches that limit the MAC addresses learned per port resist it, and the mirror-port and inline methods described next are the supported ways for a capturing appliance to see the traffic.
The process of deep packet inspection begins with packet capture, which occurs at the outgoing connection to the Internet. Depending on which sections of the network are to be monitored, a switch can be carefully configured with a mirror port, where packets leaving the network are copied to the packet capturing appliance. The alternative is inline capture, where the cable from the internal network is connected to one port of the capturing appliance, and a second cable connects another port of the capturing device to the Internet interface.
The captured packets are then organized into their various data formats from the inspection and capture carried out. This data is then decoded by the appliance to allow playback of the data. The playback presents the data in the same format in which it entered the network, which is good, as it presents the data to the viewer in exactly the same way. There are three appliances engineered by Decision Group Inc. that carry out the capturing, decoding and playback. The E-Detective or Wireless-Detective product does real-time decoding and plays back data. There is also the E-Detective Decoding Center appliance, which does both real-time decoding and playback of data and offline decoding of data, either captured by the device itself or captured offsite using a network packet sniffing device.
All decoded data is stored in a database on the appliance. This allows investigators to sift through it with less difficulty to find evidence, should the need ever arise.
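An added example, not code from Decision Group's appliances, of what "deep" inspection means compared with header-only logging: the frame below is constructed inline (no promiscuous-mode capture is performed), parsed through Ethernet, IPv4 and TCP, and then its payload is examined for the HTTP request line and Host header that the headers alone never reveal.

```python
import struct
from typing import Dict, Optional


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Dissect Ethernet II -> IPv4 -> TCP and hand back the payload as well;
    the header fields are what a conventional flow log records."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length
    proto = ip[9]
    if proto != 6:
        raise ValueError("only TCP segments are handled here")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "proto": proto, "src_port": src_port, "dst_port": dst_port,
        "flags": tcp[13], "payload": tcp[data_off:],
    }


def inspect_http(payload: bytes) -> Optional[Dict[str, str]]:
    """Application-layer view of a TCP payload: request line and Host header.
    Returns None when the payload does not start like an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return {"method": parts[0].decode("ascii", "replace"),
            "target": parts[1].decode("ascii", "replace"),
            "host": headers.get("host", "")}


def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame (addresses and ports are made up, checksums
    left at zero); not captured traffic."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def demo() -> Dict[str, str]:
    """Flow tuple from the headers plus what only the payload reveals."""
    payload = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: demo\r\n\r\n"
    pkt = parse_frame(build_frame(payload))
    app = inspect_http(pkt["payload"]) or {}
    flow = f"{pkt['src_ip']}:{pkt['src_port']}->{pkt['dst_ip']}:{pkt['dst_port']}"
    return {"flow": flow, **app}


if __name__ == "__main__":
    print(demo())
```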
A note of caution: first and foremost, every reader must know that packet sniffing is illegal. Corporations, in protecting their intellectual property and the integrity of their network traffic, and in fighting off malware and viruses, can use sniffing technology with caution. The employees must be made aware of such a process going on, and must be duly informed of it. Secondly, employees must also be given a central location with Internet-ready computers where they can transact their personal business and check their mail. This network must not be included in the segment being sniffed.
For the purposes of computer forensics, since cloud computing has changed the way data can be stored, the surest way to be able to trace back emails and other means of computer-based communication, which are mostly used in committing corporate crimes, is to have such a system in place. This eliminates the need to figure out how to execute search warrants on cloud storage sites, which might be thousands of kilometers away, because a replica of the communication is stored onsite.
As national security is on the minds of every government in the world and deemed very important, I believe the art of lawful packet interception will be very instrumental in tracking down criminals and terrorists, as most of their communication is via the Internet. Deep packet inspection technology should be instrumental in dealing with such acts. Law enforcement agencies in Taiwan have used this technology from Decision Group successfully.
This is the moment to think seriously about adopting this technology for lawful use. Privacy must be considered during this brainstorming session. Just as we now go through virtual strip searches at airports, privacy must be carefully defined when dealing with national security. There are ways to prevent abuse of this technology:
1: Only sworn law enforcement officials or corporate security must have access to the management interface of the appliance to search for information. For government investigations, search warrants must be obtained before access to data is granted.
2: Captured data must also be preserved in a manner that follows proper chain-of-custody procedures.
3: Officers running the appliances must be well trained to carry out their work.
Security, as I always say, is 85% common-sense application and 15% technology. And of the 15%, 90% depends on people and 10% on the equipment.

Deep packet inspection needed for combating cybercrime


I know there is a privacy law governing the Internet, which is a great idea. At the same time, the same Internet service is mostly used as a vehicle for attacking networks, be they government, corporate or individual networks. Just as we have all agreed to be searched thoroughly at airports before flights, we should allow the security agencies to utilize deep packet inspection to help protect networks. Sounds interesting, right? Yes. So how do we do it right?
1: Packets being captured and kept for a period of time, to allow security agents to reach into the packets and find the source of an attack should the need arise, will be the best solution. At least to the best of my knowledge, such technology exists, and it is easy to use.
To learn more on this, visit http://www.edecision4u.com

The articles presented here were written by Samuel Amoah, a Certified Computer Examiner, Network Packet Forensics Examiner and Private Investigator. He is also President of CFG Computer Forensics Inc., located in Brampton, Ontario, Canada, and a partner of Decision Group.

What is AG Datacom?

AG Datacom Philippines Incorporated is a pioneer in the development of computerized call billing systems and is also the distributor/system integrator for many computer-telecommunication related solutions, which have helped many organizations use their computer-telecommunication assets more efficiently and effectively.
Since its inception, AG Datacom has also been expanding from strictly technical product development into active marketing and after-sales service, with the objective of becoming a leading computer-telecommunication solution provider.
Why Datacom?
Customer Satisfaction is our Business. Our relationship with your company doesn't end after a sale has been closed; rather, it is only just beginning. Our prime after-sales support team has succeeded in satisfying the security needs of the numerous companies in various industries that have invested in our system.
Quality Product is our Commitment. We have taken every effort to assure you of a fail-safe system by subjecting each product to every conceivable real-world disaster that it may encounter.
Investment Protection is Yours. We have been successful in making obsolescence a concern of the past. Using our system means you will protect your investment as your company grows, because we have a complete range, so there is no need to buy a new system. Upgrading the existing one is enough.

AG DATACOM PHILIPPINES INCORPORATED

Suite 1705, 17th Floor Atlanta Center, # 31 Annapolis Street, Greenhills, San Juan, Metro Manila, Philippines 1502

+ (632) 7443243 / 5840988

info@agdatacom.com
