CS556: Computer Security

Computer Forensics

Computer Forensics: A look into the processes, sources, techniques and importance of this field in today’s electronic age.
Aaron M. Alexander
alexande@cs.colostate.edu
(970) 222-3231
Colorado State University, School of Natural Sciences: Computer Science Department
Fort Collins, CO 80523
December 2003

Keywords: evidence, protection, forensics, prevention, virus, recovery

Abstract

Computers have become an important part of everyday life. With so many people using this technology, new issues are arising within the computing environment. New forms of data protection, data recovery, and evidence gathering must be devised and implemented in order to keep pace with the growth of electronic information. This paper gives some technical insight into issues concerning computer information and forensics. It covers forms of data protection and recovery, as well as forms of data intrusion and corruption, and surveys the sources of electronic evidence that can be found on a variety of storage devices during an investigation.

Introduction

As the risk of malicious attacks against computer systems grows, the need to strengthen security measures becomes more important. This growth also opens new research areas for the computer security community. There is a flood of improvements and prevention tactics being used in an effort to hinder attacks, but no matter how many different approaches to security are developed, some computer and network attacks will always succeed. It is the responsibility of computer forensics practitioners to gather the evidence needed to identify and prosecute those responsible for these attacks, and to make sure that the recovery of an attacked system is as complete as possible. Forensic evidence gathering has long been a standard part of investigative practice.
Computer forensics has had many meanings since the term originated in the late 1980s with early law enforcement practitioners, who used it to describe the examination of stand-alone computers for digital evidence of crime. One definition of computer forensics is: the scientific examination and analysis of data that is kept on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

The term "computer forensics" on its own has become less widely used by professionals. Most of today's attacks involve computer systems that are on a network, which has revealed a need to replace the old "Computer Forensics" label with a more meaningful one: "Computer and Network Forensics" (CNF). The addition of "Network" has become necessary because of the mainstream attacks being dealt with today, such as distributed denial of service attacks, viruses, domain name hijacking, and web site shutdowns. These crimes are normally committed over an electronic network. The techniques of Computer and Network Forensics are used to discover evidence in a wide range of cases, from theft of trade secrets, to protection of intellectual property, to general misuse of computers. The main goal of CNF is to provide the ability to gather sufficient evidence after a crime has been committed in order to prosecute those who are responsible. This leaves Computer and Network Forensics mainly suited to law enforcement agencies.

An Approach to Protection

As with any information management system, it is important to maintain the confidentiality and integrity of the system's information. The most effective way of obtaining this security has been found to be the use of three mutually supportive technologies: authentication, access control, and audit. Authentication is the act of establishing the identity of a user to some part of the system, usually through a password. Access control is the act of allowing certain operations to be performed by authenticated subjects on objects, with authentication as a prerequisite. Auditing is the process of gathering information about the activity taking place on the system and then analyzing that data to discover any security violations. Authentication can be considered the most basic security mechanism, the one on which the other security mechanisms depend.
Authentication is the building block upon which access control and audit are built. It establishes identity between a user and a computer or, more generally, between a pair of computers. A well-designed authentication protocol, one whose challenges or session keys are fresh for every run, also prevents replay of captured network traffic and spoofing of one computer by another. Authentication can be achieved with passwords, where a secret "code" is required before a user may access a computer. Token-based authentication is the practice of carrying a credit-card-sized device that contains a unique private cryptographic key. Biometric authentication is used for more high-end applications, where voice checks of different phrases or active input such as the dynamics of a handwritten signature are used. These biometric checks must vary in some way every time they are used in order to prevent replay attacks.

Access control is based on the idea of implementing an access control matrix. This matrix relates subjects, objects, and privileges: each subject is given privileges on certain objects. There are a few approaches to implementing this means of protection:

access control lists, capabilities, and authorization relations. With access control lists, each object is associated with an ACL listing, for each subject in the system, the accesses the subject is authorized to perform on that object; the matrix is stored by columns. Capabilities are the dual approach to ACLs: each subject is associated with a capability list indicating, for each object, the accesses the subject is authorized to perform on the object; the matrix is stored by rows. In authorization relations, a table is set up in which each row, or tuple, specifies one access right of one subject to one object.

Access control policies determine how accesses are controlled and how access decisions are made. There are three common kinds: classic discretionary policies, classic mandatory policies, and role-based policies. Discretionary policies govern the access of users to information on the basis of the user's identity and of authorizations that specify, for each user and each object in the system, the access modes the user is allowed on the object. Mandatory policies govern access on the basis of the classification of subjects and objects: each user and each object in the system is assigned a security level, and access is decided by comparing the levels. Role-based policies regulate the access of users to information on the basis of the activities the users carry out in the system. Roles are assigned to users, where each role is a set of actions and responsibilities associated with a particular working activity.

Auditing and intrusion detection are the act of examining the history of events in a system in order to determine whether and how security violations have occurred or been attempted. This data is recorded in an audit log, or audit trail.
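To make the three representations concrete, here is an added example (not from the original paper) that stores one small access matrix and derives the ACL view (columns), the capability view (rows), and the authorization relation (tuples) from it, together with a default-deny check. The subjects, objects and rights are constructed for illustration.

```python
# Added example (not from the paper): one access matrix, three representations.
from collections import defaultdict

# The access matrix: subject -> object -> set of rights (constructed sample).
MATRIX = {
    "alice":  {"payroll.xls": {"read", "write"}, "audit.log": {"read"}},
    "bob":    {"payroll.xls": {"read"}},
    "auditd": {"audit.log": {"read", "write"}},
}

def acls(matrix):
    """Column view: object -> {subject: rights}. Answers "who can touch X?"
    with one lookup, which is why ACLs make per-object revocation easy."""
    out = defaultdict(dict)
    for subj, row in matrix.items():
        for obj, rights in row.items():
            out[obj][subj] = set(rights)
    return dict(out)

def capabilities(matrix):
    """Row view: subject -> {object: rights}. Each row is that subject's
    capability list and answers "what can S reach?" with one lookup."""
    return {subj: {obj: set(r) for obj, r in row.items()}
            for subj, row in matrix.items()}

def authorization_relation(matrix):
    """Tuple view: one (subject, object, right) triple per granted access,
    the form a relational authorization table would hold."""
    return sorted((s, o, r)
                  for s, row in matrix.items()
                  for o, rights in row.items()
                  for r in rights)

def check(matrix, subject, obj, right):
    """Reference-monitor decision: deny unless the matrix grants the right."""
    return right in matrix.get(subject, {}).get(obj, set())

if __name__ == "__main__":
    print(acls(MATRIX)["payroll.xls"])          # who can touch payroll.xls
    print(capabilities(MATRIX)["bob"])           # what bob can reach
    print(check(MATRIX, "bob", "payroll.xls", "write"))
```

Because every view is derived from the same matrix, a change to the matrix is automatically reflected in all three; in a real system only one representation is stored, and the choice decides which of the two questions above is cheap.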
The information usually recorded for each event includes the subject requesting the access, the object being accessed, the operation requested, the time of the request, the location from which the request originated, the response of the access control system, the amount of resources used, and whether the operation succeeded. The actions requested by privileged users, such as administrators, should always be logged. This helps deter misuse of powerful privileges and allows penetrations in which the attacker gains privileged status to be detected and controlled.

Authentication, access control, and audit and intrusion detection, when put together, are the foundations for building systems that can store information with integrity and confidentiality. Between them they cover both precautionary and post-attack approaches to system security. Every system must have a plan to deter attackers from gaining access to the system. It must also have a plan in place to handle such attacks if the preventative measures fail.

Computer Attack Chronology

Attacks implemented by hackers can range from benign to devastating, depending on the skill and knowledge of the hacker. Hackers range anywhere from novice users to experienced computer experts. An interesting observation made over the years is that, no matter what the skill level of the hacker, a pattern has developed among the hacker community. The stages of this pattern are: probe, penetrate, expand capabilities, create mischief, and cover tracks.

• Probing
This first step is where a hacker observes potential targets. The hacker might try to build a profile of an organization's structure, network capabilities and content, and security mechanisms. It is during this stage that a hacker determines which target will be the best for the attack and devises plans to carry it out.

• Penetration
After a hacker has probed a potential target, enough information should have been gained to penetrate the system. In many cases the target has configuration errors, such as anonymous FTP access to the system or a Trivial File Transfer Protocol (TFTP) server that serves files without any authentication, that give the hacker a foothold on the system.

• Expanding Capabilities
After a hacker has penetrated the system, the next step is to increase the ability to traverse it. By exploiting the system vulnerabilities the hacker has discovered, he may be able to obtain higher privileges on the system, such as access to root accounts.

• Creating Mischief
Once a hacker has obtained special privileges on the targeted system, he can attempt to accomplish the original goal of the attack. Here the hacker can exploit his hidden access by installing Trojan horses, recording system passwords, deleting or manipulating files, or engaging in many other forms of malicious behavior.

• Covering Tracks
Probably the most important step for the hacker is covering his tracks after completing his objectives on the targeted system. The common way of covering tracks is to disable event logging and to restore the system to the state it was in before the break-in. The hacker will attempt to clear any event logs and hide all files that would provide evidence of his presence on the system.
This pattern has proved to be a fairly reliable way for a hacker to break into an unprotected system. The positive side, however, is that we are able to examine the pattern in order to find valuable information for preventing such attacks.
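As an added example that is not part of the original paper, the following code records the audit fields listed above and links each entry to the previous one by a SHA-256 hash, so that the "cover tracks" step (deleting, reordering or editing log entries) becomes detectable. The events, the field names, and the assumption that the most recent chain hash is kept off the host are constructed for the example.

```python
# Added example (not from the paper): a hash-chained audit trail.
import hashlib
import json

# The per-event fields the text lists, plus a sequence number.
FIELDS = ("seq", "time", "subject", "object", "operation", "origin",
          "decision", "resources", "success")

def _digest(prev_hash, record):
    """Hash of this record chained to the previous entry's hash.
    Canonical JSON keeps the hash stable regardless of key order."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditLog:
    GENESIS = "0" * 64   # the hash "before" the first entry

    def __init__(self):
        self.entries = []

    def record(self, **event):
        """Append one event; every listed field except seq must be supplied."""
        missing = [f for f in FIELDS if f != "seq" and f not in event]
        if missing:
            raise ValueError(f"audit record missing {missing}")
        event["seq"] = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        event["hash"] = _digest(prev, {k: event[k] for k in FIELDS})
        self.entries.append(event)
        return event["hash"]

def verify(entries, head=None):
    """Return -1 if the chain is intact (and ends in the trusted head hash,
    when one is given); otherwise the index at which verification fails.
    Deleting, reordering or editing an entry breaks every later hash;
    dropping the newest entries is caught only by the head comparison."""
    prev = AuditLog.GENESIS
    for i, e in enumerate(entries):
        body = {k: e.get(k) for k in FIELDS}
        if e.get("seq") != i or e.get("hash") != _digest(prev, body):
            return i
        prev = e["hash"]
    if head is not None and prev != head:
        return len(entries)
    return -1

def privileged_actions(entries, admins=("root",)):
    """Actions by privileged subjects should always be reviewed."""
    return [e for e in entries if e["subject"] in admins]

def demo():
    """Constructed events: a user probing /etc/shadow, then root truncating a log."""
    log = AuditLog()
    log.record(time="2003-11-02T09:00:01", subject="bob", object="/etc/passwd",
               operation="read", origin="10.0.0.7", decision="permit",
               resources=1, success=True)
    log.record(time="2003-11-02T09:00:09", subject="bob", object="/etc/shadow",
               operation="read", origin="10.0.0.7", decision="deny",
               resources=0, success=False)
    log.record(time="2003-11-02T09:05:44", subject="root", object="/var/log/auth.log",
               operation="truncate", origin="10.0.0.7", decision="permit",
               resources=1, success=True)
    head = log.entries[-1]["hash"]             # would be stored off-host
    edited = [log.entries[0], log.entries[2]]  # attacker deletes the denied read
    truncated = log.entries[:2]                # attacker drops the newest entry
    return log.entries, head, edited, truncated

if __name__ == "__main__":
    entries, head, edited, truncated = demo()
    print(verify(entries, head), verify(edited), verify(truncated, head))
```

The chain alone cannot detect removal of the newest entries, which is exactly what an intruder clearing logs at the end of a session does; that is why the head hash has to leave the machine (a remote log host or write-once medium) as each entry is written.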

Such examination helps prosecutors identify attackers and helps administrators strengthen a system's security mechanisms.

Computer and Network Forensics

Evidence is left by offenders on computer systems in many different forms, in both criminal and civil matters. For example, evidence can be found in the event logs kept by system auditors. It can be found in criminal cases where incriminating material turns up in documents relating to homicide, child pornography, drug or embezzlement record keeping, or financial fraud. It can be found in civil cases where material includes personal or business records relevant to fraud, divorce, harassment, or discrimination. Computer and Network Forensics experts are hired by a multitude of clients, ranging from lawyers, to insurance companies looking for evidence that will decrease the amount paid on a claim, to individuals looking to support claims of wrongful termination, sexual harassment, or discrimination.

The ability to gather evidence is the backbone of CNF. In computer-related cases, the evidence collected comes from many different components of a system. This information cannot officially become evidence until it is used to prove that a crime has been committed; until then, collected data can technically be called nothing more than potential evidence. One source of potential evidence is the files found on a system. Word-processing documents, spreadsheets, databases, and so on are usually some of the best places to find valuable potential evidence. Hidden application files that contain history information, caches, backups, or activity logs are also very useful forms of potential evidence. On some occasions, intelligent offenders may try to encrypt files that could incriminate them, or hide them in a way that makes them inconspicuous to a casual examination.
Since the process of gathering this potential evidence is often more difficult than simply finding application files on a computer, it requires someone with special skills. Experts in CNF require special training to gain the skills necessary to carry out a forensic investigation: the investigative skills of a detective, the legal skills of a lawyer, and the computer skills of the criminals who carry out these crimes. One person who is an expert in all of these areas is a rarity today, because the field is still relatively new. One way to address this problem is to break the CNF specialist's job into different positions, each filled by an expert in his or her specific field. The United States National Security Agency's information assurance workforce development programs have come up with an approach to this issue, defining four forensic positions that represent a reasonable way to develop a reliable CNF capability. Here is an example of how the responsibilities of a CNF specialist can be spread out:

• CNF Technician
A CNF technician position is the more "hands-on" one. These people are responsible for carrying out the technical aspects of gathering the evidence. They are required to have the technical skills to gather information from computers and the network, and must understand the software and the hardware on host computers as well as the network that connects them. An associate's degree from a two-year college or technical school is sufficient for a CNF technician, although a technician with a four-year degree in a technology field is the ideal choice, and such a degree may be a requirement for anyone who aspires to become a CNF professional.

• CNF Policy Maker
The CNF policy maker is a completely different position altogether. This person is a manager or administrator who establishes CNF policies that reflect the enterprise's broad considerations. The policy maker must see the impact of forensics in the broader context of business goals and make the hard decisions that trade off forensic capabilities against issues of privacy and morale. Even though these administrators need to focus on the "big picture", they also need to be familiar with computing and the forensic sciences. While computer familiarity is growing in the executive ranks, few senior administrators yet realize the need for CNF.

• CNF Professional
The CNF professional plays a critical role as the link between policy and execution. The professional must have extensive technical skills as well as a broad and thorough understanding of legal procedures and requirements, gained either through a broader education or through extensive experience. The CNF professional also has to understand the enterprise's fundamental business, to ensure that CNF policies are executed properly within the business context.

• CNF Researcher
Although the field of CNF has not yet been fully recognized as an independent discipline, it is far past the development status it held during the early years of the Internet, and there is a demand for educators who specialize in it. Although CNF professionals might be able to double as trainers for elementary computer and evidence discovery classes, graduate degrees are required to introduce these courses into higher education.

Along with its neighboring discipline, computer and network security, CNF researcher education will begin with master's programs. It is hard to tell whether CNF research will reach a sufficient basic-research footing to meet the rigid "contribution to knowledge" requirements of doctoral degrees. Academia will employ most CNF researchers, although a few will be needed in large federal and state government agencies. Career progression into the CNF policy maker role is a possibility in certain circumstances.

Due to the multidisciplinary nature of Computer and Network Forensics, its structure can be broken down into four main categories: evidence collection, evidence preservation, evidence presentation, and forensic preparation.

• Evidence Collection
The core of any forensic science is information; evidence is nothing more than information presented in court. Before anyone can present this information, however, information relevant to the malicious act must be discovered and recovered. In CNF, simply knowing where to look will frequently uncover information. Forensic investigators can find information hidden in logs, caches, swap files, deleted files, and unallocated or unwritten disk space. On networks, information finds its way into intermediate devices such as router caches, switches, proxy servers, firewalls, and other network devices. It is the responsibility of the forensic expert to know where to look and to understand how to interpret the tips and clues that can be hidden in the information. Data recovery, by contrast, is the result of applying special measures to extract information from locations where it is known to reside. Probably the best known example of data recovery is recovering information from damaged disk drives, or from drives whose files were deleted or partially overwritten rather than securely wiped (a properly degaussed drive, by contrast, yields nothing). Another well-known data recovery method is extracting deleted files from magnetic media or volatile memory.

A fact that is not well known throughout the data recovery community is that network information is rarely available simply through discovery. Information on a network is partitioned into packets and must be reassembled into sessions before the relevant content can be recovered. The act of discovering and recovering information is the heart of computer forensics.

• Evidence Preservation
As soon as you have recovered the information, you must follow rigid requirements to preserve it for later use in court. This preservation lets CNF experts answer two important questions: Was the evidence gathered properly, so that it reflects all the pertinent information on the subject device at the time it was collected? Has the evidence been changed since it was collected?
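The following added example (not from the original paper) shows the reassembly step described above: constructed packet records for an anonymous FTP login and a TFTP read request, delivered out of order and with one retransmission, are grouped into connections and ordered by sequence number so that the FTP credentials can be read out of the reconstructed stream. The addresses, ports and payloads are made up for the example; a real tool would read them from a capture file, but the grouping and ordering logic is the same.

```python
# Added example (not from the paper): grouping captured packets into
# connections and reassembling each direction into a byte stream.
from collections import defaultdict

# Constructed packet records: (time, src, sport, dst, dport, seq, payload).
# They arrive out of order and include one retransmission, as real captures do.
PACKETS = [
    (1.00, "10.0.0.7", 40001, "192.168.1.5", 21, 100, b"USER anonymous\r\n"),
    (1.02, "192.168.1.5", 21, "10.0.0.7", 40001, 500, b"331 Please specify the password.\r\n"),
    (1.05, "10.0.0.7", 40001, "192.168.1.5", 21, 116, b"PASS guest@\r\n"),
    (1.04, "10.0.0.7", 40001, "192.168.1.5", 21, 116, b"PASS guest@\r\n"),  # retransmit
    (1.07, "192.168.1.5", 21, "10.0.0.7", 40001, 534, b"230 Login successful.\r\n"),
    # A TFTP read request for /etc/passwd from another host (opcode 1, file, mode).
    (2.10, "10.0.0.9", 51000, "192.168.1.5", 69, 1, b"\x00\x01/etc/passwd\x00octet\x00"),
]

def flow_key(src, sport, dst, dport):
    """One key for both directions of a connection."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def reassemble(packets):
    """Return {flow_key: {(host, port): stream}}: packets grouped by connection,
    each direction ordered by sequence number with retransmitted bytes dropped."""
    flows = defaultdict(lambda: defaultdict(dict))   # key -> direction -> {seq: payload}
    for _time, src, sport, dst, dport, seq, payload in packets:
        flows[flow_key(src, sport, dst, dport)][(src, sport)][seq] = payload
    sessions = {}
    for key, directions in flows.items():
        sessions[key] = {}
        for direction, segments in directions.items():
            stream, expected = b"", None
            for seq in sorted(segments):
                data = segments[seq]
                if expected is not None and seq < expected:   # overlaps bytes already seen
                    data, seq = data[expected - seq:], expected
                stream += data
                expected = seq + len(data)
            sessions[key][direction] = stream
    return sessions

def ftp_credentials(stream):
    """Extract USER/PASS from a reconstructed client-side FTP control stream."""
    creds = {}
    for line in stream.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd in ("USER", "PASS"):
            creds[cmd] = arg
    return creds

if __name__ == "__main__":
    sessions = reassemble(PACKETS)
    client = sessions[flow_key("10.0.0.7", 40001, "192.168.1.5", 21)][("10.0.0.7", 40001)]
    print(ftp_credentials(client))
```

Note that the credentials are visible only after reassembly: no single packet contains both the USER and PASS lines, and the duplicate PASS segment would be counted twice by a naive concatenation.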

Technologies such as secure copying and storage mirroring provide mechanisms for showing the acquired evidence's accuracy. Mirroring simply means making an exact, bit-for-bit copy of an entire storage device; the CNF expert can then extract relevant information from the copy without disturbing the original device. Secure copying techniques allow investigators to bind the target information to some other information, typically a cryptographic hash of the image, that verifies the copy's accuracy. Cryptographic digital signatures over those hashes, in conjunction with strong physical security, protect digital evidence's integrity even further. With proper preparation and tools, these signatures can be made tamper-resistant against even the most sophisticated intruders and can be recomputed from the presented evidence to demonstrate its authenticity.

• Evidence Presentation
A problem with digital evidence is that it is usually very hard to present in court. The biggest challenge is presenting evidence that has no physical character: digital evidence is abstract. This makes it hard to present to a jury whose members, in most cases, may be vaguely familiar with computers but do not possess the technical knowledge to understand the evidence presented to them. When presenting digital information, the presenter must make the evidence understandable to an ordinary person, by studying case histories and by using both simple and sophisticated graphics to represent the digital data. In many cases, however, there are few computer technicians or data experts who are familiar enough with the problems of presenting evidence in court or with the mechanisms that can facilitate the process. This is what makes it necessary for a CNF specialist to have extensive instruction in the theory and methods of effectively presenting digital evidence in court.

• Forensic Preparation
In most cases forensic efforts start after a malicious act or attack occurs. It has been realized, however, that much can be done to facilitate forensic investigation before malicious acts or attacks actually happen. The idea is that, in much the same way that surveillance cameras help make the case against shoplifters, electronic mirroring, logging, and marking help investigators reconstruct malicious acts and trace attackers. Watermarking, for example (inserting marks that identify stolen information after it is discovered), is continually evolving.

These steps show the process of computer and network forensics from start to finish. The trade requires many skills because of the multiple fields of study involved. Computer experts, law enforcement officials, and lawyers must all work together in order to carry out a thorough computer and network forensics investigation.
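As an added example for the preservation step above (not code from the paper), the block below mirrors a "device" held in memory, hashes the original and the copy with SHA-256 block by block, and binds the hash into a custody record. An HMAC under an examiner key stands in for the digital signature the text mentions; the key, the case identifier and the device contents are constructed assumptions.

```python
# Added example (not from the paper): mirror a device, hash original and copy,
# bind the hash into an authenticated custody record, and re-verify later.
import hashlib
import hmac
import json

BLOCK = 4096   # hash in blocks so a real image never has to fit in memory

def blocks(data, size=BLOCK):
    for i in range(0, len(data), size):
        yield data[i:i + size]

def sha256_stream(chunks):
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def _tag(record, examiner_key):
    """HMAC over the record minus its own tag; a stand-in for a signature."""
    body = json.dumps({k: v for k, v in record.items() if k != "tag"}, sort_keys=True)
    return hmac.new(examiner_key, body.encode(), hashlib.sha256).hexdigest()

def acquire(device, examiner_key, case_id, when):
    """Mirror the device, confirm the copy hashes identically to the source,
    and emit a custody record (assumption: the examiner key is kept offline)."""
    image = bytes(device)                       # bit-for-bit copy; source is only read
    source_hash = sha256_stream(blocks(device))
    image_hash = sha256_stream(blocks(image))
    if source_hash != image_hash:
        raise RuntimeError("copy does not match source; acquisition failed")
    record = {"case": case_id, "acquired": when, "size": len(image), "sha256": image_hash}
    record["tag"] = _tag(record, examiner_key)
    return image, record

def verify(image, record, examiner_key):
    """Answer the two preservation questions: (record authentic?, image unchanged?)."""
    record_ok = hmac.compare_digest(_tag(record, examiner_key), record["tag"])
    image_ok = (len(image) == record["size"]
                and sha256_stream(blocks(image)) == record["sha256"])
    return record_ok, image_ok

def demo():
    """Constructed 10 KiB 'disk', a one-bit alteration of the copy, and a
    forged record whose hash was updated but whose tag was not."""
    key = b"examiner-key-constructed-for-demo"
    device = bytes(range(256)) * 40
    image, record = acquire(device, key, "CASE-2003-017", "2003-12-01T14:30:00Z")
    altered = bytearray(image)
    altered[5000] ^= 0x01                       # single flipped bit in the copy
    altered = bytes(altered)
    forged = dict(record, sha256=sha256_stream(blocks(altered)))
    return image, record, altered, forged, key

if __name__ == "__main__":
    image, record, altered, forged, key = demo()
    print(verify(image, record, key), verify(altered, record, key), verify(altered, forged, key))
```

The two return values separate the two questions the text asks: a flipped bit in the image fails the hash while the record stays authentic, and an attacker who rewrites the hash in the record to match the altered image is caught because the tag no longer verifies.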

CONCLUSION

Computer and Network Forensics is a growing field. With more and more hackers appearing each year, the need for people who can prevent them from attacking systems, and prove their guilt in a court of law when they do break into a system, increases as well. It has been shown that, because this field has so many aspects, it covers a wide range of professional expertise. If you were a computer expert, lawyer, and law enforcement official all wrapped into one, you would be the ideal person to take on computer and network forensics. This wide range of required skills makes it necessary to spread the field across multiple kinds of professionals. Computers have always been vulnerable to unwanted intrusions. As the sophistication of computer technology increases, so does the need to anticipate, and safeguard against, a corresponding rise in computer-related criminal activity.
