COMPUTER FORENSICS LABORATORY AND TOOLS
Guillermo A. Francia III and Keion Clinton
Mathematics, Computing, and Information Sciences Department
Jacksonville State University
Jacksonville, Alabama
Emails: firstname.lastname@example.org, email@example.com

ABSTRACT

The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies. This paper presents the design and implementation of an experimental Computer Security and Forensic Analysis (CSFA) laboratory and the tools associated with it. The laboratory is envisioned to be a training facility for future computer security professionals.
Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the CCSC copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a fee and/or specific permission.
JCSC 20, 6 (June 2005), CCSC: Mid-South Conference

INTRODUCTION

Computers and the Internet have become a major part of our lives. Each day, many of us carry out banking transactions, purchases, and message exchanges through email. The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies.

Computer forensics is the identification, preservation, and analysis of information stored, transmitted, or produced by a computer system or computer network. Its main purpose is to establish the validity of the hypotheses used in an attempt to explain the circumstances or the cause of an activity under investigation [ ].

The practice was initiated by the U.S. military and intelligence agencies in the early 1970's. Although little is known about these activities because of their classified environments, it is reasonable to presume that they had a counter-intelligence focus centered on mainframe computers. In the 1980's, the Internal Revenue Service Criminal Investigations Division (IRS-CID) and Revenue Canada were two of the first government agencies with an obvious and openly acknowledged obligation to carry out forensics on external systems linked to criminal offences. In 1984, the FBI established the Computer Analysis and Response Team (CART) to provide computer forensic support [ ].

The National Cybercrime Training Partnership (NCTP) was set up by the U.S. government to provide guidance and assistance to local, state, and federal law enforcement agencies. Other U.S. organizations involved in training include NCJIS (the National Consortium for Justice Information and Statistics) and the HighTech Crime Investigation Association (HTCIA). In the Asia-Pacific region, the Australasian Center for Policing Research (ACPR) conducts a number of training courses for Australia and New Zealand [ ]. In Europe, NATO's Lathe Gambit Information Security program and Interpol both offer similar training courses for allied countries.

There are a number of computer forensic training courses offered today. However, most of them are focused on a specific set of tools. A computer forensic examiner's training course should be broad enough to familiarize the student with all methodologies of the field.

A number of proprietary software packages for computer security and forensic analysis are available on the market today. The evaluation methods and criteria for such software are detailed in [ ] and [ ]. Generally, the functionality of such tools can be divided into three main categories, as described in [ ]:

1. Imaging:
   a. Disk and file imaging by sectors.
   b. Imaging volatile memory.
   c. Write blockers.
   d. Integrity code generators and checkers.
2. Analysis:
   a. Disk and file system integrity checking tools.
   b. File conversion.
   c. Ambient data recovery and searching of raw disk data for text strings.
   d. Data and file recovery.
   e. Data filtering by date last modified and other file properties.
   f. Search tools.
   g. Time-lining.
3. Visualization:
   a. Link analysis tools.
   b. Data mining tools.

This paper presents a computer security and forensic analysis project which includes the design and implementation of 1) an experimental Computer Security and Forensic Analysis (CSFA) laboratory, 2) a computer security and forensic toolkit for the laboratory, and 3) hands-on activities on computer forensic analysis. Although the size of the CSFA laboratory will be limited to a proof-of-concept variety, its design will be guided by the need for future scalability in size and adaptability to new technologies.

OBJECTIVES

The objectives of the proposed project are as follows:
1) To design and implement an experimental computer security and forensic analysis laboratory with features that will suit both research and pedagogical activities.
2) To provide students with exposure to the spectrum of computer forensic tools and to the development of forensic toolkits that they can use for computer crime scene investigations.
3) To establish the core forensic procedures necessary for performing a thorough inspection of all computer systems and file types, for proper evidence handling, for tracking offenders on the Internet, and for working with law enforcement agencies.
4) To explore the possibility of designing a cross-disciplinary course in the areas of computer network security, forensic data collection and analysis, and security audit and assessment that will involve two or more academic disciplines other than computer science.
5) To disseminate the research results and the lessons and experiences gained in designing and implementing the CSFA laboratory and the hands-on activities that evolved within it.
THE CSFA LABORATORY

The CSFA laboratory consists of five (5) desktop and two (2) notebook computers taken from previously completed grant projects. These computers fall mainly into three categories: analysis server, scratch and test workstation, and evidence collection workstation. The analysis server provides the platform for forensic analysis and investigation. The scratch and test workstation is used to simulate hacking activities and vulnerability assessment processes. The evidence collection workstation serves as the central station for forensic data collection and replication. All of these computers are configured with the utmost flexibility so that they can run multiple operating systems, attach to different network interconnections, and support persistent forensic data collection and retrieval activities. The network infrastructure, both wired and wireless, is built from legacy devices gathered from academic computing system upgrades and from previously completed grant projects. In addition to the computing resources described above, various versions of operating systems, tape drives, floppy drives, and portable disk drives were obtained through our reclamation effort to put some of the old computers, systems, and peripherals to good use.

THE FORENSIC SOFTWARE TOOLS

Data Analysis Tools

Forensic data analysis is the process of revealing and discovering evidentiary information that may not be apparent or may be completely concealed. With the availability of data mining techniques, this process may also include intelligent prediction of events and attack-pattern recognition. Several data analysis tools, both open source and commercial, are available on the market. A few of these are described in the following discussions.

The Sleuth Kit/Autopsy Forensic Browser is a collection of open source forensic tools developed by Brian Carrier. The kit, described extensively in [ ], may be downloaded from a website repository at [ ]. It can be used to access file systems at a low level, to search image files for data, and to view file activities.

Disk Investigator is a forensic freeware utility that can gather a variety of information from a user's hard disk [ ]. It helps discover all that is "hidden" on a computer hard disk: by bypassing the operating system and directly reading raw drive sectors, it displays the drive's true contents. Disk Investigator helps the user search file clusters for specific keywords or content and aids in locating sensitive data with its search-and-view functions. It can be used to retrieve lost information, text that has been deleted and removed from the Recycle Bin, and even information not found by other file-retrieval programs. The program works on the Windows 2000 and XP operating systems. The freeware utility is available for download from [ ]. A snapshot of the Disk Investigator graphical user interface (GUI) is shown in Figure 1.

Figure 1. The Disk Investigator GUI

SectorSpyXP is a computer forensic tool that can be used by law enforcement or anyone wishing to search for and retrieve evidence left on computer hard drives and diskettes [ ]. SectorSpyXP examines all data on a hard drive or diskette at the sector level and comes with detailed documentation on how to use it to perform a keyword search to find and retrieve incriminating evidence. The freeware may be downloaded from the company website at [ ]. A snapshot of the SectorSpyXP GUI is shown in Figure 2.

Figure 2. The SectorSpyXP GUI

Both of these utilities read raw sectors of a drive attached to a running Windows host. Because the evidence-handling rule is never to work directly on the original medium, they should be pointed at a verified working copy (an image restored to a scratch drive) rather than at the seized disk itself.
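Disk Investigator and SectorSpyXP both search for keywords at the sector level, below the file system, which is what lets them surface text in slack space, unallocated sectors and deleted files. The following Python script is an added example, not code from either tool or from the paper; it shows the essential technique: read the image in chunks, match each keyword both as ASCII and as UTF-16LE (the encoding of NTFS names and most Windows application data), report every hit by the sector it starts in, and carry a short overlap between chunks so that a string straddling a chunk boundary is still found exactly once. The four-sector image it searches is constructed inside the script; the 512-byte sector size and the keyword list are assumptions made for the demonstration.

```python
"""Sector-level keyword search over a raw disk image (added example)."""
import os
import re
import tempfile
from typing import List, Tuple

SECTOR_SIZE = 512                # assumed sector size of the imaged medium
CHUNK_SECTORS = 2048             # sectors per read (1 MiB); tune for speed

Hit = Tuple[int, int, str, str]  # (sector, byte offset, encoding, context)


def build_pattern(keywords: List[str]) -> "re.Pattern[bytes]":
    """One case-insensitive byte regex matching each keyword as ASCII text
    or as UTF-16LE (how NTFS names and most Windows application data are stored)."""
    alts = []
    for kw in keywords:
        alts.append(re.escape(kw.encode("ascii")))
        alts.append(re.escape(kw.encode("utf-16-le")))
    return re.compile(b"|".join(alts), re.IGNORECASE)


def _printable(raw: bytes) -> str:
    """Render bytes for a report line; non-printables become dots."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def search_image(path: str, keywords: List[str],
                 chunk_sectors: int = CHUNK_SECTORS) -> List[Hit]:
    """Scan the image below the file system and return every keyword hit.

    The image is opened read-only and read in chunks. The last (longest
    keyword - 1) bytes of each chunk are prepended to the next one, so a string
    that straddles a chunk boundary is still seen; matches lying entirely inside
    that carried-over tail are skipped because the previous chunk reported them.
    """
    pattern = build_pattern(keywords)
    overlap = max(len(k.encode("utf-16-le")) for k in keywords) - 1
    hits: List[Hit] = []
    carry = b""
    pos = 0                                   # image offset of the next read
    with open(path, "rb") as img:             # never opened for writing
        while True:
            data = img.read(chunk_sectors * SECTOR_SIZE)
            if not data:
                break
            buf = carry + data
            buf_start = pos - len(carry)      # image offset of buf[0]
            for m in pattern.finditer(buf):
                if m.end() <= len(carry):     # already reported last round
                    continue
                raw = m.group(0)
                utf16 = len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2)
                offset = buf_start + m.start()
                ctx = buf[max(0, m.start() - 12):m.end() + 12]
                hits.append((offset // SECTOR_SIZE, offset,
                             "utf-16le" if utf16 else "ascii", _printable(ctx)))
            pos += len(data)
            carry = buf[-overlap:] if overlap else b""
    return hits


def make_sample_image(path: str) -> None:
    """Constructed four-sector image: a fake boot sector, an ASCII credential
    left in slack space, and a UTF-16LE string that runs across sectors 2 and 3."""
    img = bytearray(4 * SECTOR_SIZE)
    img[0:3] = b"\xeb\x3c\x90"                          # x86 jump + NOP
    img[510:512] = b"\x55\xaa"                          # boot signature
    cred = b"user=alice\r\nPASSWORD=hunter2\r\n"
    img[SECTOR_SIZE + 64:SECTOR_SIZE + 64 + len(cred)] = cred
    memo = "Confidential memo".encode("utf-16-le")      # 34 bytes
    start = 2 * SECTOR_SIZE + 500                       # ends 22 bytes into sector 3
    img[start:start + len(memo)] = memo
    with open(path, "wb") as f:
        f.write(img)


def demo(chunk_sectors: int = CHUNK_SECTORS) -> List[Hit]:
    """Build the sample image in a temp file, search it and return the hits."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        make_sample_image(path)
        return search_image(path, ["password", "confidential"], chunk_sectors)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for sector, offset, enc, ctx in demo():
        print(f"sector {sector:>6}  offset {offset:>10}  {enc:<8}  {ctx}")
```

Running `demo(chunk_sectors=3)` forces a chunk boundary at byte 1536, in the middle of the UTF-16LE string, and yields the same two hits as the single-chunk run; that is the boundary case a naive chunked grep gets wrong. The sector numbers are what an examiner then feeds to dd or a hex viewer to pull the surrounding sectors from the image.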
Disk Imaging Tools

In computer forensic analysis, it is always prudent to avoid working directly on the evidence; physical evidence should always be held pristine. Thus, the need for an excellent disk imaging process and tools is paramount. The National Institute of Standards and Technology (NIST) [ ] has developed several tools for evaluating disk drive imaging tools. The Institute's requirements for disk imaging tools are:
• The tool should be able to make a bit-stream duplicate or an image of an original disk or partition.
• The tool should never alter the original disk.
• The tool should be able to log I/O errors.
• The tool's documentation should be correct.

The following discussions present several disk imaging tools, both open-source and commercial, that can be used for evidence-on-disk preservation.

SafeBack [ ] is used to create mirror-image (bit-stream) files of disks or disk partitions. It is a self-authenticating forensics tool used to create evidence-grade images of disk drives. The self-authentication (integrity preservation) of SafeBack files is achieved through two separate mathematical hashing processes which rely upon the NIST-tested SHA-256 algorithm.

Acronis True Image 6.0 [ ] takes an exact image of a hard disk drive or of separate partitions and produces a complete backup image or a clone of it. Acronis' technology allows creating and restoring complete disk images online (while Windows is running) for the FAT16/32 and NTFS file systems as well as the Linux Ext2, Ext3, and ReiserFS file systems.

EnCase [ ] can be used to mount images of hard drives or CDs as read-only local drives. Together with VMware [ ], a virtual machine infrastructure software, EnCase enables booting and examining a computer under investigation in the state it was in when the evidence was first captured.

The "dd" command (often read as "data dump", although the name actually alludes to the DD data-definition statement of IBM's JCL) is one of the original UNIX utilities used for disk cloning or duplication. It can extract parts of binary files, write into specified sectors of a disk, make boot images, and perform file format conversions. A summary of all "dd" options can be found in [ ].
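The NIST requirements listed above can be checked against any imaging tool, and dd meets them when it is invoked carefully, for example `dd if=/dev/sdb of=evidence.dd bs=4096 conv=noerror,sync 2>dd.log` followed by `sha256sum /dev/sdb evidence.dd`: `conv=noerror` keeps reading after an I/O error, `sync` pads the failed block with zeros so that sector offsets in the image still line up with the source, and the redirected stderr is the error log. The Python program below is an added example, not code from the paper or from any of the tools it describes; it re-implements that workflow step by step so each requirement is visible in the code: the source is opened read-only, every block is copied verbatim, read errors are logged by offset and zero-filled, and SHA-256 over the bytes read is compared with SHA-256 over the finished image. The evidence file, the 4 KiB block size and the injected read error are all constructed for the demonstration.

```python
"""dd-style bit-stream imaging with error logging and hash verification
(added example illustrating the NIST disk-imaging requirements)."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List

BLOCK = 4096                                  # copy unit, like dd's bs=

ReadFn = Callable[[int, int, int], bytes]     # (fd, length, offset) -> bytes


def sha256_file(path: str, block: int = BLOCK) -> str:
    """SHA-256 of a whole file, streamed; also used to re-check working copies."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src: str, dst: str, block: int = BLOCK,
                 read: ReadFn = os.pread) -> Dict:
    """Bit-stream copy of src into dst.

    * src is opened O_RDONLY, so the tool cannot alter the original;
    * every block is copied as-is, giving a bit-stream duplicate, not a file copy;
    * a block whose read raises OSError is logged by offset and replaced with
      zeros so the image keeps the source geometry (dd's conv=noerror,sync);
    * SHA-256 is taken over the bytes read and over the finished image file and
      the two digests are compared.
    `read` is a hook used only to inject read errors in the demonstration.
    """
    fd = os.open(src, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # works for files and block devices
        h_read = hashlib.sha256()
        errors: List[int] = []
        with open(dst, "wb") as out:
            for offset in range(0, size, block):
                want = min(block, size - offset)
                try:
                    data = read(fd, want, offset)
                except OSError:
                    errors.append(offset)     # the I/O error log
                    data = b"\x00" * want     # zero-fill, keep offsets aligned
                h_read.update(data)
                out.write(data)
    finally:
        os.close(fd)
    h_img = sha256_file(dst, block)
    return {"bytes": size, "errors": errors, "sha256_read": h_read.hexdigest(),
            "sha256_image": h_img, "verified": h_read.hexdigest() == h_img}


def make_sample_source(path: str, blocks: int = 8) -> None:
    """Constructed stand-in for an evidence drive: 8 blocks of distinct bytes."""
    with open(path, "wb") as f:
        for i in range(blocks):
            f.write(bytes((i * 37 + j) & 0xFF for j in range(BLOCK)))


def failing_reader(bad_offset: int) -> ReadFn:
    """Wrap os.pread so the block at bad_offset raises EIO, like a bad sector."""
    def read(fd: int, length: int, offset: int) -> bytes:
        if offset == bad_offset:
            raise OSError(5, "Input/output error")
        return os.pread(fd, length, offset)
    return read


def demo() -> Dict:
    """Image the sample source twice: once cleanly, once with block 3 unreadable."""
    tmp = tempfile.mkdtemp()
    src, good, bad = (os.path.join(tmp, n) for n in ("evidence.bin", "good.dd", "bad.dd"))
    make_sample_source(src)
    pristine = sha256_file(src)
    clean = image_device(src, good)
    faulty = image_device(src, bad, read=failing_reader(3 * BLOCK))
    with open(bad, "rb") as f:
        f.seek(3 * BLOCK)
        zeroed = f.read(BLOCK) == b"\x00" * BLOCK
    return {"pristine": pristine, "clean": clean, "faulty": faulty,
            "faulty_block_zeroed": zeroed}


if __name__ == "__main__":
    for name, rep in ((k, v) for k, v in demo().items() if isinstance(v, dict)):
        print(name, rep["bytes"], rep["errors"], rep["verified"], rep["sha256_image"][:16])
```

Note what the two digests do and do not prove. In the faulty run `verified` is still true, because the image really does contain the bytes the tool read; it is the non-empty error log that records that block 3 holds zeros rather than the medium's contents, and the image digest no longer matches the digest of the pristine source. This is why the error log is a stated NIST requirement in its own right and must be preserved alongside the image hash in the chain-of-custody notes.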
FORENSIC LABORATORY PROJECTS

The following laboratory projects are designed to provide hands-on training exercises in computer forensic analysis.
• Given a specific disk imaging tool, design and implement a test methodology that will provide a measure of assurance of its effectiveness. Refer to the NIST testing methodologies found in [ ] for guidance.
• Given a floppy disk as evidence material, create working copies of a) the entire disk, b) specific sectors on the disk, and c) specified files and folders on the disk. Check the integrity of the working copies. Do this task separately for the Windows 2000 and Linux operating systems.
• Given a hard disk, recover all forensic information from it. This information will include, but not be limited to, deleted files, corrupted files, file activity timelines, file types, and basic file information such as size, date created, ownership, and access modifiers.
• Perform a data analysis of a given file representing dumped system/security log files and report all findings. (Note: the log files will contain information on simulated penetration attempts and system file alterations.)
• Perform an analysis of a given Ethereal log file and report all findings. (Note: the logging was done during a simulated attack on a test workstation.)
• Given an image file that has been severely corrupted, recover parts of it through header reconstruction and, possibly, value interpolation.
• Given a floppy disk that contains hidden evidence material, perform a thorough data analysis and extract the hidden evidence from it.
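For the corrupted-image project, header reconstruction works because most image formats begin with fixed constants and carry per-chunk checksums that survive damage elsewhere in the file. The Python script below is an added worked example, not material from the paper: it builds a small PNG, overwrites its beginning to two different depths, and repairs both. When only the signature and the IHDR length/type are gone, they are restored verbatim and confirmed against the surviving IHDR CRC; when the whole IHDR chunk is gone, the IDAT chunk is located by its own CRC, inflated, and the width and height are inferred from the decompressed size, which is the value-interpolation step of the exercise. The inference rests on the stated assumption that the image is 8-bit RGB without interlacing; the sample image is constructed in the script.

```python
"""Reconstructing the header of a damaged PNG (added example)."""
import struct
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data: the PNG chunk layout."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: bytes = b"\x10\x80\xff") -> bytes:
    """Constructed sample: a width x height 8-bit RGB PNG of one colour."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + rgb * width for _ in range(height))   # filter 0 rows
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def find_chunks(data: bytes, ctype: bytes) -> List[Tuple[int, bytes]]:
    """Locate chunks of one type by their type string plus a valid CRC,
    without trusting the file header (the header may be the damaged part)."""
    found = []
    pos = data.find(ctype)
    while pos != -1:
        if pos >= 4:
            length = struct.unpack(">I", data[pos - 4:pos])[0]
            body = data[pos + 4:pos + 4 + length]
            crc = data[pos + 4 + length:pos + 8 + length]
            if (len(body) == length and len(crc) == 4
                    and struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)):
                found.append((pos - 4, body))        # offset of the length field
        pos = data.find(ctype, pos + 1)
    return found


def infer_geometry(raw_len: int, max_width: int = 8192) -> List[Tuple[int, int]]:
    """All (width, height) pairs consistent with raw_len bytes of 8-bit RGB
    scanlines (1 filter byte + 3 bytes per pixel per row). Assumption."""
    return [(w, raw_len // (1 + 3 * w))
            for w in range(1, max_width + 1) if raw_len % (1 + 3 * w) == 0]


def repair_png(data: bytes) -> Tuple[bytes, str]:
    """Rebuild a PNG whose start was overwritten; returns (image, what was done).

    Stage 1: the signature and the IHDR length/type are constants, so if the 13
    IHDR fields and their CRC survived, restore the first 16 bytes from knowledge.
    Stage 2: if IHDR is gone too, find IDAT by CRC, inflate it, and pick the
    geometry for which every row starts with a legal filter byte (0..4).
    """
    body, crc = data[16:29], data[29:33]
    if len(crc) == 4 and struct.unpack(">I", crc)[0] == (zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF):
        return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + data[16:], "signature and IHDR header restored"
    idats = find_chunks(data, b"IDAT")
    if not idats:
        raise ValueError("no intact IDAT chunk: nothing to rebuild from")
    raw = zlib.decompress(b"".join(b for _, b in idats))
    candidates = [(w, h) for w, h in infer_geometry(len(raw))
                  if all(raw[r * (1 + 3 * w)] <= 4 for r in range(h))]
    if len(candidates) != 1:
        raise ValueError(f"ambiguous geometry, examiner must choose: {candidates}")
    w, h = candidates[0]
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)      # assumes 8-bit RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + data[idats[0][0]:], f"IHDR inferred as {w}x{h}"


def demo() -> dict:
    """Corrupt a 2x3 sample to two depths and report whether each repair is exact."""
    original = make_png(2, 3)
    light = b"\x00" * 16 + original[16:]      # signature + IHDR length/type wiped
    heavy = b"\x00" * 33 + original[33:]      # entire IHDR chunk wiped as well
    r1, how1 = repair_png(light)
    r2, how2 = repair_png(heavy)
    return {"light": (r1 == original, how1), "heavy": (r2 == original, how2)}


if __name__ == "__main__":
    for depth, (exact, how) in demo().items():
        print(f"{depth}: {how}; byte-exact = {exact}")
```

The ambiguity check matters: when several widths divide the decompressed length and pass the filter-byte test, the script refuses to guess, because a plausible but wrong geometry produces a viewable image that misrepresents the evidence. Real cases are harder (compressed data may also be damaged, and interlaced or paletted images change the arithmetic), which is why the candidate list, not a single answer, is what the examiner should record.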
CONCLUSIONS AND FUTURE PLANS

This paper outlined the resources found in an experimental computer security and forensics laboratory and the hands-on exercises it supports. The activities and projects are designed and structured to provide practical experience while illustrating theory and possible research areas. As indicated above, the computer security and forensic laboratory can be implemented using legacy equipment that may be acquired at minimal cost. The challenge for the authors will be the continual development of these activities and the introduction of novel practices that leverage the availability of state-of-the-art equipment and system tools. Future work will include:
• Forensic analysis of application code
• Web services security
• Radio Frequency Identifier (RFID) security
• Forensic analysis of electronic mail
• Development of advanced vulnerability assessment tools

ACKNOWLEDGEMENTS

This paper is based upon a project partly supported by the National Science Foundation under grants DUE-9950946 and DUE-0125635. Opinions expressed are those of the authors and not necessarily of the Foundation.
REFERENCES

Culley, A., "Computer Forensics: Past, Present, and Future," Information Security Technical Report, vol. 8, pp. 32-36, 2003.
Mohay, G., Anderson, A., Collie, B., De Vel, O., and McKemmish, R., Computer and Intrusion Forensics, Artech House, 2003.
Nelson, B., Phillips, A., Enfinger, F., and Steuart, C., Guide to Computer Forensics and Investigations, Course Technology, 2003.
Rogers, M. and Seigfried, K., "The Future of Computer Forensics: A Needs Analysis Survey," Computers & Security, vol. 23, pp. 12-16, January 2004.
Schweitzer, D., Incident Response: Computer Forensic Toolkit, Wiley Publishing, Inc., 2003.
Siever, E., Figgins, S., and Weber, A., Linux in a Nutshell, 4th Ed., O'Reilly Publishing, 2003.
Website: http://www.cftt.nist.gov
Website: http://www.forensics-intl.com/safeback.html
Website: http://www.acronis.com
Website: http://www.guidancesoftware.com/products/EnCaseForensic
Website: http://www.vmware.com
Website: http://ww.theabsolute.net/sware
Website: http://www.majorgeeks.com/download.php?det=2562