
Introduction to Computer Forensics

Roadmap
Incidents & Crimes and Responding to them
Vulnerabilities, Threats, Incidents/Crimes
Types of incidents/crime
How computers & networks work (A Forensic perspective)?
Boot Sequence
How data is stored and how can it be viewed?

Roadmap
Forensic Investigations
Objectives of investigations
The process
How to handle evidence

How computers work: A Forensic perspective?
How computers work (A Forensic perspective)?
Boot Sequence
How data is stored and how can it be viewed?

How Computers Work?
Computer Components
What happens when you turn the computer on?
What is a File System?
How is data stored on disks?
How is data represented in computers and how can it be looked at?
How is data in Windows 2000 encrypted?

Components of computers
Central Processing Unit (CPU)
Basic Input and Output System (BIOS)
Memory
Peripherals (disks, printers, scanners, etc.)

Boot Sequence
What happens when you turn the computer on?
CPU reset: when turned on, the CPU is reset and the BIOS is activated
Power-On Self Test (POST) performed by the BIOS:
Verify integrity of CPU and POST
Verify that all components are functioning properly
Report if there is a problem (beeps)
Instruct the CPU to start the boot sequence
(System configuration and date/time information are stored in CMOS while the computer is off. POST results are compared with CMOS to report problems.)

Boot Sequence
Disk boot: Loading of the operating system from disk into memory. The bootstrap is in Read-Only Memory.
IMPORTANT POINTS
The CMOS chip contains important evidence on the configuration. If the battery powering CMOS is down, important evidence may be lost (Moussaoui case, 2003).
If the computer is rebooted, the data on the hard disk may be altered (for example the time stamps on files).
Hence the importance of booting from a floppy and accessing the CMOS setup during boot-up.

Boot Sequence: Important Points
It is a good idea to obtain the BIOS password from the user. Resetting the CMOS password can change system settings and hence alter evidence. For example, you can change the boot sequence so that the computer accesses drive A first.
It is possible to overwrite BIOS passwords using services such as www.nortek.on.ca. However, one should use this as a last resort.
It may be necessary to physically remove the hard disk to retrieve data.

The File System
A file system is like a database that tells the operating system where data is located on the disks or other storage devices.
FAT in MS-DOS is a flat table that provides links from files to their location on disk. Microsoft's NTFS, by contrast, is similar to Unix file systems.
In Unix systems, the file system consists of an (inode) table providing pointers from file identifiers to the blocks where they are stored, and a directory.

The File System
Mounting a file system is the process of making the operating system aware of its existence. When mounted, the operating system copies the file tables into kernel memory.
The first sector in a hard disk contains the master boot record, which contains a partition table. The partition table tells the operating system how the disk is divided.
Partitions can be created and viewed using fdisk. Each partition contains the boot sector, primary and secondary file allocation tables (FAT), the root directory, and unallocated space for storing files.
Formatting a partition (using format in Windows or mkfs in Unix) prepares it for recognition by the operating system as a file system.

The File System: Important Points
Formatting a hard drive does not erase data, and therefore the data can be recovered.
Low-level formatting does erase data. However, special vendor software is needed to low-level format hard disks.

Disk Storage
Data is stored on the disk over concentric circles called tracks (heads). When the disks are stacked, the set of tracks with identical radius are collectively called a cylinder. The disk is also divided into wedge-shaped areas called sectors.
Disk capacity is given by the product of the number of cylinders, tracks, and sectors. Each sector usually stores 512 bytes.

Disk Storage
Zoned Bit Recording (ZBR) is used by disk manufacturers to ensure that all tracks are the same size. Otherwise the inner tracks would hold less data than the outer tracks.

Disk Storage
The tracks on disks may be one of:
Boot track (containing partition and boot information)
Tracks containing files
Slack space (unused parts of blocks/clusters)
Unused partition (if the disk is partitioned)
Unallocated blocks (usually containing data that has been deleted)
(When program execution is complete, the allocated memory reverts to the operating system. Such unallocated memory is not physically erased; just the pointers to it are deleted.)

Disk Storage: Important Points
Hard drives are difficult to erase completely. Traces of magnetism can remain. This is often an advantage, since evidence may not have been erased completely by the perpetrator. Such evidence can be recovered using one of the data recovery services (such as www.ontrack.com, www.datarecovery.net, www.actionfront.com, www.ibas.net).
Deleted files may be partially recovered since their fragments may still be in unallocated blocks.

Disk Storage: Important Points
Traces of information can remain on storage media such as disks even after deletion. This is called remanence. With sophisticated laboratory equipment, it is often possible to reconstruct the information. Therefore, it is important to preserve evidence after an incident.
A perpetrator can hide data in the inter-partition gaps (space between partitions that is specified while partitioning the disk) and then use disk editing utilities to edit the disk partition table to hide them.

Disk Storage: Important Points
The perpetrator can hide data in NT Streams, and such streams can contain executables. They are NOT visible through Windows Explorer and cannot be seen through any GUI-based editors (this week's assignment).
The perpetrator can declare a smaller than actual drive size while partitioning and then save information at the end of the drive.
Many of the above can be uncovered by using disk editors such as WinHex, Hex Workshop, or Norton Disk Editor if the disks are formatted for one of the Microsoft operating systems.

Disk Storage: Important Points
For Linux systems, LDE (Linux Disk Editor at lde.sourceforge.net) is a similar utility available under the GNU license.
Main Lesson: Do not depend on directories or Windows Explorer. Get to the physical data stored on the disk drives. Do not look only at the partitioned disk. Incriminating data may be lurking elsewhere on the disk.

Data Representation
While all data is ultimately represented in binary form (ones and zeroes), editors that display data in hexadecimal or ASCII format are valuable in forensics. They allow you to see features that are otherwise not visible.
Popular tools for viewing such files include WinHex (www.winhex.com), Hex Workshop (www.hexworkshop.com), and Norton Disk Edit (www.symantec.com).

Data Representation: Important point
One should be careful in using such editors, since data can be destroyed inadvertently.

Computer Networks
How are internet communications organised?
How do the internet protocols work?
What are some of the vulnerabilities caused by the internet protocols?

Networking
The Internet Model:
Application Layer (http, telnet, email client, ...)
Transport Layer: Responsible for ensuring data delivery. (Port-to-Port) (Protocols: TCP and UDP) (Envelope name: segment)
Network Layer: Responsible for communicating between the host and the network, and delivery of data between two nodes on the network. (Machine-to-Machine) (Protocol: IP) (Envelope name: datagram) (Equipment: Router)
Data Link Layer: Responsible for transporting packets across each single hop of the network. (Node-to-Node) (Protocol: Ethernet) (Envelope name: Frame) (Equipment: Hub)
Physical Layer: Physical media (Repeater-to-repeater) (Equipment: Repeater)

Protocol Layering and Routing
(Figure: Host A and Host B each have an Application Layer, Transport Layer, Network Layer and Link Layer over the Physical Network; a Router between them has a Network Layer and a Link Layer. Envelope at each layer: Message at the Application Layer, Packet at the Transport Layer, Datagram at the Network Layer, Frame at the Link Layer.)
(Source: http://www.albany.edu/~goel/classes/spring2002/MSI416/internet.ppt)

Protocols
(Source: http://www.albany.edu/~goel/classes/spring2002/MSI416/internet.ppt)
A protocol defines the format and the order of messages exchanged between two or more communicating entities, as well as the actions taken on the transmission and/or receipt of a message or other event.
(Figure: a human conversation shown alongside a TCP exchange: "Hi" / TCP Connection Request; "Hi" / TCP Connection Response; "Got the Time?" / Get http://www.ibm.com/index.html; "8:50" / Index.html)

TCP: Some Protocol Vulnerabilities
Connection Oriented Service (Establish connection prior to data exchange, coupled with reliable data transfer, flow control, congestion control etc.)
Port scanning using netstat (Unix/Windows) or Nmap (http://www.insecure.org/nmap/)
Attacker can mask port usage using kernel level rootkits (which can lie about backdoor listeners on the ports)
Attacker can violate the 3-way handshake by sending a RESET packet as soon as the SYN-ACK packet is received

UDP: Some Protocol Vulnerabilities
Connectionless Service (No handshake prior to data exchange, no acknowledgement of data received, no flow/congestion control)
Lack of a 3-way handshake
Lack of control bits hinders control
Lack of packet sequence numbers hinders control
Scanning UDP ports is also harder, since there are no code bits (SYN, ACK, RESET). False positives are common since the target systems may not send reliable port unreachable messages
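The two probe patterns described on the TCP and UDP slides, as an added example in Python that is not part of the lecture slides: a detector that flags TCP exchanges torn down with RST right after the SYN-ACK (the handshake violation the TCP slide names), and a UDP port classifier that reports "no answer" as the ambiguous open|filtered verdict the UDP slide warns about. The Packet records, addresses and ports are constructed; the ICMP record is simplified so that its dport field carries the port quoted inside the port-unreachable message.

```python
"""Detect the two probe patterns the TCP and UDP slides describe, over a
constructed packet log: a TCP SYN that is answered with SYN-ACK and then
torn down with RST (a half-open probe, never a real connection), and UDP
probes whose result is ambiguous because no ICMP port-unreachable came back.
Added example, not from the lecture slides; the packet records are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    proto: str       # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # TCP control bits ("S", "SA", "A", "R"); "3/3" = ICMP type 3 code 3


def find_half_open_probes(packets):
    """Return (client, client_port, server, server_port) for every exchange
    that went SYN -> SYN-ACK -> RST with no ACK in between."""
    state = {}
    probes = []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            state[(p.src, p.sport, p.dst, p.dport)] = "SYN"
        elif p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)      # reply, so swap the ends
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        else:
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) != "SYN-ACK":
                continue
            if p.flags == "A":
                state[key] = "ESTABLISHED"               # normal handshake completed
            elif p.flags == "R":
                state[key] = "HALF-OPEN-PROBE"
                probes.append(key)
    return probes


def classify_udp_probes(packets, scanner, target):
    """Classify each UDP port the scanner sent a datagram to on the target:
    'open'          - the target answered from that port,
    'closed'        - the target sent ICMP port unreachable (type 3, code 3),
    'open|filtered' - nothing came back; the slide's false-positive case,
                      because a silent host and an open port look the same."""
    probed, answered, unreachable = set(), set(), set()
    for p in packets:
        if p.proto == "UDP" and (p.src, p.dst) == (scanner, target):
            probed.add(p.dport)
        elif p.proto == "UDP" and (p.src, p.dst) == (target, scanner):
            answered.add(p.sport)
        elif p.proto == "ICMP" and (p.src, p.dst) == (target, scanner) and p.flags == "3/3":
            # simplification: dport carries the port quoted in the ICMP payload
            unreachable.add(p.dport)
    verdict = {}
    for port in sorted(probed):
        if port in answered:
            verdict[port] = "open"
        elif port in unreachable:
            verdict[port] = "closed"
        else:
            verdict[port] = "open|filtered"
    return verdict


# Constructed sample capture: one half-open probe, one real connection,
# and three UDP probes with three different outcomes.
SAMPLE = [
    Packet(1.0, "TCP", "10.0.0.99", "10.0.0.5", 40000, 22, "S"),
    Packet(1.1, "TCP", "10.0.0.5", "10.0.0.99", 22, 40000, "SA"),
    Packet(1.2, "TCP", "10.0.0.99", "10.0.0.5", 40000, 22, "R"),
    Packet(2.0, "TCP", "10.0.0.7", "10.0.0.5", 50000, 80, "S"),
    Packet(2.1, "TCP", "10.0.0.5", "10.0.0.7", 80, 50000, "SA"),
    Packet(2.2, "TCP", "10.0.0.7", "10.0.0.5", 50000, 80, "A"),
    Packet(3.0, "UDP", "10.0.0.99", "10.0.0.5", 41000, 53),
    Packet(3.1, "UDP", "10.0.0.5", "10.0.0.99", 53, 41000),
    Packet(3.2, "UDP", "10.0.0.99", "10.0.0.5", 41000, 161),
    Packet(3.3, "ICMP", "10.0.0.5", "10.0.0.99", 0, 161, "3/3"),
    Packet(3.4, "UDP", "10.0.0.99", "10.0.0.5", 41000, 500),
]

if __name__ == "__main__":
    print("half-open probes:", find_half_open_probes(SAMPLE))
    print("UDP verdicts:", classify_udp_probes(SAMPLE, "10.0.0.99", "10.0.0.5"))
```

The TCP detector keys on the full four-tuple so that two connections from the same client to the same service port are tracked separately; the UDP classifier deliberately refuses to call a silent port "open", which is the point the slide makes about false positives.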

Digital Evidence
Sources of evidence on the internet?
Evidence can reside on the computers, network equipment (routers, for example), and on servers
Various tools are available to extract evidence from these sources

Evidence on workstations & Servers
Locations (Disks)
Disk partitions, inter-partition gaps (not all partitions may have file systems. For example, swap space in Unix systems does not have a file system)
Master Boot Record (contains partition table)
Boot sector (has file system information)
File Allocation Tables (FAT)
Volume slack (space between end of file system and end of the partition)
File slack (space allocated for files but not used)
RAM slack (in case of pre-Windows 95a, space between end-of-file and end-of-sector)

Evidence on workstations, Servers
Locations (continued)
Unallocated space (space not yet allocated to files. Also includes recently deleted files, some of which might have been partially overwritten)
Locations (Memory or RAM)
Registers & Cache (usually not possible to capture. Cache can be captured as part of system memory image)
RAM
Swap space (on disk)

Evidence on Servers & Network Equipment
Router system logs
Firewall logs of successful and unsuccessful attempts
Syslogs in /var/logs for Unix systems
wtmp logs (accessed with the last command) in Unix systems

Evidence on Workstations, Servers, Network: Important Points
It is possible to hide partitions
It is possible to hide data in files using streams so they are not visible. You can know of their existence only by analyzing the Master File Table
It is possible to hide data in inter-partition gaps and volume slack
It is possible to hide data at the end of the drive by declaring the drive size smaller than its actual size.
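A worked example, added here and not part of the slides, of the "get to the physical data, do not look only at the partitioned disk" advice from the disk storage slides and of the hiding places listed on this slide: it reads the partition table out of a constructed master boot record and lists every sector range that no partition claims, which is where inter-partition gaps and an under-declared drive end show up. The partition entries, type codes and DISK_SECTORS are constructed sample values; the entry layout (four 16-byte entries at offset 446, 0x55AA signature at offset 510) is the standard MBR format.

```python
"""Read the partition table out of a master boot record and list every sector
range on the drive that no partition claims, which is where the slides say a
perpetrator can hide data (inter-partition gaps, the end of a drive whose
partitions were sized smaller than the disk). Added example, not from the
slides and not a disk editor's code; the MBR bytes and the drive size
DISK_SECTORS are constructed."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count
DISK_SECTORS = 4096           # constructed: the size the drive itself reports


def build_mbr(entries):
    """Construct a 512-byte MBR from (bootable, type, lba_start, count)
    tuples; CHS fields are left zero because the parser ignores them."""
    sector = bytearray(SECTOR)
    for i, (bootable, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0",
                         ptype, b"\0\0\0", start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty primary partition entries as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue                      # empty slot
        parts.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1})
    return parts


def unclaimed_regions(parts, disk_sectors):
    """Inclusive sector ranges covered by no partition. Sector 0 holds the
    MBR itself, so the scan starts at sector 1; anything after the last
    partition up to disk_sectors-1 is the 'end of the drive' hiding place."""
    regions = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            regions.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        regions.append((cursor, disk_sectors - 1))
    return regions


# Constructed layout: an NTFS partition, a gap, a Linux partition, and
# about a quarter of the drive left unclaimed after the last partition.
SAMPLE_ENTRIES = [(True, 0x07, 63, 1000), (False, 0x83, 1200, 1800)]
SAMPLE_MBR = build_mbr(SAMPLE_ENTRIES)


def report(mbr=SAMPLE_MBR, disk_sectors=DISK_SECTORS):
    """Partitions, unclaimed ranges, and how many bytes those ranges hold."""
    parts = parse_mbr(mbr)
    gaps = unclaimed_regions(parts, disk_sectors)
    hidden_bytes = sum((b - a + 1) * SECTOR for a, b in gaps)
    return parts, gaps, hidden_bytes


if __name__ == "__main__":
    parts, gaps, hidden = report()
    for p in parts:
        print(f"slot {p['slot']}: type 0x{p['type']:02x} sectors {p['start']}-{p['end']}"
              f"{' (bootable)' if p['bootable'] else ''}")
    for a, b in gaps:
        print(f"unclaimed: sectors {a}-{b} ({(b - a + 1) * SECTOR} bytes)")
    print("total unclaimed bytes:", hidden)
```

On a real examination the 512 bytes would be read from sector 0 of the image and disk_sectors taken from the drive's own reported geometry, not from the partition table, since the whole point is to compare what the table claims against what the hardware has.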

Types of Evidence
Physical evidence (computers, network equipment, storage devices, ...)
Testimonial evidence
Circumstantial evidence
______________________
Admissible evidence (evidence that a court accepts as legitimate)
Hearsay evidence

Hearsay Evidence: Exception
A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation, all as shown by the testimony of the custodian or other qualified witness, or by certification that complies with Rule 902(11), Rule 902(12), or a statute permitting certification, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.
Source: Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/rules.htm

Characteristics of Evidence
Authenticity (unaltered from the original)
Relevance (relates crime, victim and perpetrator)
Traceability (audit trail from the evidence presented back to the original)
Complete (presents total perspective on the crime. Ideally, should include exculpatory evidence)*
Reliable (one should not be able to doubt the authenticity and traceability of the evidence collection and chain of custody)

Characteristics of Evidence
Believable (jury should be able to understand the evidence)
____________________________________

Typical Sequence of Events in Incident Response (RFC2196 Model)
RFC 2196 and Incident Management (ftp://ftp.isi.edu/in-notes/rfc2196.txt)
0. Abnormal/unexpected behavior detected
1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Follow-Up

Typical Sequence of Events in Incident Response (RFC2196 Model)
1. Identification of the incident
   1. Is it real? (False alarms)
   2. Determine the scope of the incident
   3. Assess damage
2. Notification of incident
   1. Whom to notify
   2. What to document
   3. Choice of language

Typical Sequence of Events in Incident Response (RFC2196 Model)
3. Protection of evidence
   1. Audit records
   2. Time-tagged actions taken in the investigation
   3. Details of all external conversations
   4. Collecting evidence
4. Containment
   1. Decision whether to shut down the system
   2. How to shut down the system without losing or corrupting the evidence

Typical Sequence of Events in Incident Response (RFC2196 Model)
5. Eradication
   1. Collect all evidence before this step
   2. Removal of the vulnerability that caused the incident
6. Recovery from clean backups
7. Follow up (Post mortem of the incident)

Evidence Collection Principles
Maintain chain of custody of the evidence
Acquire evidence from volatile as well as non-volatile memory without altering or damaging original evidence
Maintain the authenticity and reliability of evidence gathered
No modification of data while analyzing it

Maintaining Chain of Custody
Movement of evidence from place to place must be documented
Changing of hands in custody of the evidence must be documented
There must be no gaps in the custody of the evidence
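The three rules above turned into a check, as an added example that is not part of the slides: a custody log for one evidence item is replayed from the seizure record onward, and every hand-over or move that the log does not account for is reported as a gap. The names, times, locations and evidence tag are constructed.

```python
"""Check a chain-of-custody log against the slide's three rules: every
movement is documented, every change of hands is documented, and there are
no gaps. Added example, not from the slides; the log entries are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CustodyEntry:
    when: datetime
    item: str          # evidence tag, e.g. "HDD-01"
    released_by: str
    received_by: str
    from_location: str
    to_location: str
    purpose: str


def check_chain(entries, item, collected_by, collected_at):
    """Return a list of problems for one evidence item; an empty list means
    the chain is intact. collected_by/collected_at come from the seizure
    record, which is the start of the chain."""
    problems = []
    holder, location, last_seen = collected_by, collected_at, None
    log = [e for e in entries if e.item == item]
    for n, e in enumerate(log, 1):
        if last_seen is not None and e.when < last_seen:
            problems.append(f"entry {n}: out of chronological order")
        if e.released_by != holder:
            problems.append(f"entry {n}: released by {e.released_by} but "
                            f"{holder} held the item (undocumented hand-over)")
        if e.from_location != location:
            problems.append(f"entry {n}: moved from {e.from_location} but item "
                            f"was at {location} (undocumented movement)")
        holder, location, last_seen = e.received_by, e.to_location, e.when
    return problems


T = datetime
GOOD_LOG = [
    CustodyEntry(T(2004, 3, 1, 10, 0), "HDD-01", "A. Field", "B. Lab", "site 4F", "evidence room", "transport"),
    CustodyEntry(T(2004, 3, 2, 9, 30), "HDD-01", "B. Lab", "C. Examiner", "evidence room", "imaging bench", "imaging"),
    CustodyEntry(T(2004, 3, 2, 15, 0), "HDD-01", "C. Examiner", "B. Lab", "imaging bench", "evidence room", "return"),
]
# The same log with the middle entry missing: the examiner returns an item
# the log never shows them receiving, so both a hand-over and a move are undocumented.
BAD_LOG = [GOOD_LOG[0], GOOD_LOG[2]]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, check_chain(log, "HDD-01", "A. Field", "site 4F") or "chain intact")
```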

Volatile & Non-volatile memory
Places where evidence may reside
Memory
Hard drives
File systems
Parts of disk with no file system loaded
Memory:
In MS-Windows 2000, setting up the Registry to enable capturing memory.dmp manually
Using Dumpchk.exe to generate memory dump
In Unix systems, using /etc/sysdump to generate a live dump of /dev/mem, and using /etc/crash to analyze the dump

Volatile & Non-volatile memory
Hard Drives
Imaging: Non-destructive sector-by-sector copy of the drive that does not require the machine to be booted
NIST requirements for imaging tools:
Tool makes a bit-stream copy or image of the disk or partition if there are no access errors
No altering of the disk by the tool
Tool must access both IDE and SCSI
Tool must verify integrity of the image file
Tool must log I/O errors, and create a qualified bit-stream duplicate identifying the areas of the bit-stream in error
Tool's documentation must be correct
Notify user if source disk is larger than destination disk
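An added example, not the slides' code and not dd or any vendor tool, showing the behaviour the NIST list asks for in about fifty lines: read-only access to the source, a bit-stream copy, every I/O error logged with the sector it hit, unreadable sectors zero-filled so the image keeps the source's offsets, a refusal to start when the destination is smaller than the source, and a hash to verify the image later. The source "drive" is a constructed in-memory object with one bad sector so that the error path actually runs; on a real system the reads would come from a device file behind a hardware write blocker.

```python
"""A minimal sector-by-sector imager with the behaviour the NIST list asks
for. Added example, not the slides' code and not dd or any vendor tool; the
source 'drive' is a constructed in-memory object with one bad sector."""
import hashlib
import io

SECTOR = 512


class FakeDrive:
    """Constructed source: a byte string plus sector numbers that fail to read."""
    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sectors(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error reading sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def image_drive(drive, out, dest_sectors=None):
    """Copy `drive` into the binary stream `out`, sector by sector.
    Returns (sha256_hex, error_log) where error_log lists (sector, message)
    for every sector that had to be zero-filled. The source is only ever read."""
    if dest_sectors is not None and dest_sectors < drive.sectors:
        raise ValueError(f"destination holds {dest_sectors} sectors, "
                         f"source has {drive.sectors}: image would be truncated")
    digest = hashlib.sha256()
    errors = []
    for n in range(drive.sectors):
        try:
            block = drive.read_sector(n)
        except OSError as exc:
            errors.append((n, str(exc)))
            block = bytes(SECTOR)          # keep every later sector at its true offset
        out.write(block)
        digest.update(block)
    return digest.hexdigest(), errors


def verify_image(image_bytes, expected_sha256):
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


# Constructed 4-sector drive (2048 bytes) whose third sector cannot be read.
SAMPLE_DRIVE = FakeDrive(bytes(range(256)) * 8, bad_sectors={2})


def run_demo(drive=SAMPLE_DRIVE, dest_sectors=None):
    """Image the drive into memory; returns (image_bytes, sha256_hex, error_log)."""
    out = io.BytesIO()
    sha, errors = image_drive(drive, out, dest_sectors)
    return out.getvalue(), sha, errors


if __name__ == "__main__":
    image, sha, errors = run_demo()
    print("image size:", len(image), "bytes; sha256:", sha)
    for n, msg in errors:
        print("logged:", msg)
    print("verified:", verify_image(image, sha))
```

The error log together with the zero-filled sectors is what the NIST wording calls a qualified bit-stream duplicate: the image is byte-for-byte the source wherever the source could be read, and the log says exactly which ranges were not.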

Volatile & Non-volatile memory
Some tools:
Linux dd (www.redhat.com)
SnapBack DatArrest (www.snapback.com)

Authenticity & Reliability of evidence gathered
Time Synchronization problems in networks
If the times on various machines are not synchronized, the evidence collected may not have strength
Network Time Protocol (NTP) supported on Unix, Linux, but not supported in Windows. However there are third-party tools such as those found at www.oneguycoding.com/automachron
NIST Internet Time Service www.nist.gov/timefreq/service/its.htm
www.pawprint.net/wt

Authenticity & Reliability of evidence gathered
Time Stamping
Once the system is compromised, the perpetrator will alter the logs to confuse the investigator
Digital time stamping service can be used
www.datum.com
www.evertrust.com
Use of Tripwire Monitoring & Reporting Software to monitor changes

How to obtain admissible evidence?
The Forensic Investigation Process
Incident alert or accusation: violation of policy or report of crime
Assessment of worth/damage: To set priorities
Incident/Crime scene protocols: Actions taken at the scene
Identification and seizure of evidence: Recognition of evidence and its proper packaging (protection)
Preservation of evidence: Preserve the integrity of the evidence obtained

The Forensic Investigation Process
Recovery of evidence: recovery of hidden and deleted information, recovery of evidence from damaged equipment
Harvesting: Obtaining data about data
Data reduction: Eliminate/filter evidence
Organization and search: Focus on arguments
Analysis: Analysis of evidence to support positions
Reporting: Record of the investigation
Persuasion and testimony: In the courts
(Source: Digital Evidence & Computer Crime, Eoghan Casey, Elsevier, 2004)

Objectives of the Investigative Process
Acceptance: Process has wide acceptance
Reliability: Methods used can be trusted to support findings
Repeatability: Process can be replicated
Integrity: Trust that the evidence has not been altered
Cause & Effect: Logical relationship between suspects, events, evidence
Documentation: Recording of evidence

Computer Forensics
How to handle evidence?
What to search/seize?
What kind of evidence to gather? How?
Documenting the evidence gathered
How to maintain the authenticity of evidence?

Incident Handling
How to handle incidents?
Types of incidents based on severity
How to recognise them
Whether to report them
Actions required to maintain readiness to handle incidents
Actions to take at the scene of the incident
Pull the plug? Turn off the machine? Live forensics?

How to handle incidents?
What are the types of incidents from the viewpoint of response? How are they recognized?
Whether to report incidents, and to whom to report?
What actions are required to maintain readiness to handle incidents?
What actions to take at the scene of the incident?
What actions to take to protect evidence?
What evidence to collect and how to collect it?

Types of incidents based on severity
LOW
Loss of passwords, unauthorised sharing of passwords, successful/unsuccessful scans/probes, hardware misuse, ...
MEDIUM
Property destruction, illegal download of music/files or unauthorised software, unauthorised use of system for personal data, acts by disgruntled employees, illegal hardware access/trespass, theft (minor)

Types of incidents based on severity
HIGH
Child pornography, pornography, personal theft, property destruction, break-in, illegal software download, malicious code (viruses, worms, trojan horses, malicious scripts, ...), changes to system hardware, software, or firmware, violation of law.
Source: Incident Response: Computer Forensics Toolkit, Douglas Schweitzer (John Wiley, 2003)

Types of incidents & How to recognize them
End user detected incidents
Application detected incidents
System detected incidents

End user detected incidents
Unavailability of web pages
Download of file containing virus/worm
Abnormal behavior of web site
Spam
Distribution of pornography
Unusual request of personal information (ebay, Nigerian scams)

Application detected incidents
Abnormal behavior of an application
Inappropriate use of application (e.g., unauthorised access)
Unauthorised change of data (e.g., defacement of web pages, alteration of data, ...)

System detected incidents
Detected by intrusion detection systems
Detected by analysis of firewall logs
Viruses/worms detected by servers
Unavailability of servers (DoS attacks)
Lack of remote availability of the system
Detection of abnormal changes by monitoring software (e.g., Tripwire)
Unauthorised access of servers, ...

Whether to report incidents?
Depends on the party: users, system administrators
Users: In their interest to report the incident, usually to the help desk
System administrators: Report to CSIRT (Computer Security Incident Response Team) in the Company.

Whether to report incidents?
Report to Law Enforcement?
Consult lawyers if an illegal act has occurred and if there are reporting responsibilities
Reporting to law enforcement changes the character of the evidence handling process.
Evidence can be subpoenaed by courts
Perpetrators and their lawyers can get access to it in the trial
Evidence gathering process and all actions and documentation of the investigations may also be accessible to the other party during litigation.

What actions are required to maintain readiness to handle incidents?
Acceptable use policies
Access control policies
Protocols for handling incidents
Education of all personnel on dealing with incidents
Incident handling toolkits (hardware and software)

What actions are required to maintain readiness to handle incidents?
System backups
Computer Security Incident Response Team (CSIRT)

Incident handling toolkits
Hardware:
Large capacity IDE & SCSI hard drives, CD-R, DVR drives
Large memory (1-2GB RAM)
Hubs, CAT5 and other cables and connectors
Legacy hardware (8088s, Amiga, ...) especially for law enforcement forensics
Laptop forensic workstations

Incident handling toolkits
Software
Viewers (QVP http://www.avantstar.com/, ThumbsPlus http://www.thumbsplus.de/)
Erase/Unerase tools (Diskscrub/Norton utilities)
CD-R, DVR utilities
Text search utilities (dtsearch http://www.dtsearch.com/)
Drive imaging utilities (Ghost, Snapback, Safeback, ...)
Forensic toolkits
Unix/Linux: TCT The Coroner's Toolkit/ForensiX
Windows: Forensic Toolkit

Forensic Boot Floppies
Disk editors (WinHex, ...)
Operating systems
Forensic acquisition tools (DriveSpy, EnCase, Safeback, SnapCopy, ...)
Write-blocking tools (FastBloc http://www.guidancesoftware.com) to protect evidence.

Policies
Who can add or delete users?
Who can access machines remotely?
Who has root level access to what resources (SetUID and sudo privileges)?
Control over pirated software
Who can use security related software (network scanning/snorting, password cracking, etc.)?
Policy on internet usage

System backups
System backups help investigation by providing benchmarks so that changes can be studied
Unix:
dump: dump selected parts of an object file
cpio: copy files in and out of cpio archives
tar: create tape archives and add or extract files
dd: convert and copy a file

System backups
Windows:
Programs | Accessories | System Tools | Backup
NTBACKUP: Part of NT Resource kit
Backup: From disk to disk

What actions to take at the scene of the incident?
Pull the plug? Turn off the machine? Live forensics?
What to search/seize?
What kind of evidence to gather?
How to gather the evidence?
How to maintain authenticity of the evidence?

Pull the plug? Turn off the machine? Live forensics?
By pulling the plug you lose all volatile data. In Unix systems, you may be able to recover the data in swap space
The perpetrator may have predicted the investigation, and so altered system binaries
You cannot use the utilities on the live system to investigate. They may have been compromised by the perpetrator

What to search/seize?
Public investigations (criminal, usually by law enforcement agencies) vs. corporate investigations.
Public investigations, with search warrants, can seize all computers & peripherals, but the Fourth Amendment provides protection
Corporate investigators may not have the authority to seize computers, and may only be allowed to make bit-stream copies of drives

What kind of evidence to gather? How?
Secure the scene with yellow tape barriers to prevent bystanders from entering or interfering with the investigation.
The computer is just one of a number of types of evidence to be gathered
DNA evidence from keyboard
Fingerprint evidence (AFIS: Automated Fingerprint Identification System)
Fingerprints of all people who had access to the crime scene

What kind of evidence to gather? How?
No one is to examine the computer before the bit-stream image of the hard drive has been captured
Follow the standards outlined in the DOJ Manual
Keep a journal on all significant activities and people encountered.
Good idea to carry a tape recorder and a still picture camera
Usually not a good idea to video tape the scene. The defendant's attorney may have access to it during trial.

What kind of evidence to gather? How?
If the computer is on, capture information on the processes, save data on all current applications, photograph all screens.
After saving all active files (preferably on external media, but if necessary to save on the seized computer, save with a new name to avoid confusion), you can shut down the system.
If the computer is off, you can acquire the evidence on hard drives (you will have lost the data in volatile memory)

What kind of evidence to gather? How?
Tagging and bagging evidence (including software/hardware documentation)
Precautions:
Grounding wristbands, static electricity resistant floor mats
Mark location of collected evidence
Carry response kit (laptop, flashlight, digital camera, IDE 40-to-44 pin adapters, computer toolkit, dictation recorder, evidence bags, labels, tags, tape, marking pens, floppy disks, evidence log forms, ...)

Documenting the evidence gathered
Maintain either single or multiple evidence forms to document evidence gathered
The forms should include: case number/name, nature of the case, for each item its description (model/serial numbers, manufacturer), case investigator, investigator recovering the evidence, location of original evidence, ...

How to maintain authenticity of the evidence?
Maintaining authenticity provides assurance to the jury that the evidence is reliable and has not been tampered with.
Authenticity is provided by cryptographic checksums (message digests or fingerprints).
MD5 and SHA are two common hash algorithms used. They provide a fingerprint of the evidence gathered.

How to maintain authenticity of the evidence?
An executable for the MD5 algorithm can be downloaded from http://www.etree.org/software.html for various operating systems.
Example: In Unix systems, if you want the MD5 digest of the files /etc/passwd and /etc/services, you would run:
cat /etc/passwd /etc/services > file
md5sum file > file.md5
Such algorithms are subject to cryptographic attack. Therefore it is important to provide some redundancy.

How to maintain authenticity of the evidence?
Some software such as Tripwire computes hash values using multiple algorithms so that even if one algorithm becomes susceptible to attack, authenticity can be proven using the other algorithms
Whenever a copy of the evidence is to be produced, the authenticity of the copy can be shown by re-computing the hash value and comparing it with the original
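The redundancy described on the last three slides, as an added example that is not the slides' code and not Tripwire's: the same evidence bytes are digested with MD5, SHA-1 and SHA-256, the digests are written in the two-space "digest  filename" layout that md5sum and its relatives read (so the record stays checkable with the md5sum command from the earlier slide), and a copy is verified by recomputing every recorded digest. The evidence bytes and the file name are constructed stand-ins for an image file.

```python
"""Evidence fingerprints with more than one hash algorithm, written out in
the md5sum/sha256sum file format, and re-verification of a copy against
them. Added example, not the slides' or Tripwire's code; the evidence bytes
are constructed stand-ins for an image file."""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(data, algorithms=ALGORITHMS):
    """Digest the same bytes with every algorithm: {name: hexdigest}."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def manifest_lines(name, digests):
    """One line per algorithm in the '<digest>  <filename>' layout that the
    *sum tools read, so the record can also be checked with standard utilities."""
    return [f"{digests[alg]}  {name}" for alg in sorted(digests)]


def parse_manifest(lines):
    """Inverse of manifest_lines for a single file: {algorithm: hexdigest},
    with the algorithm recovered from the digest length."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256"}
    recorded = {}
    for line in lines:
        digest, _, _name = line.partition("  ")
        recorded[by_len[len(digest)]] = digest
    return recorded


def verify_copy(copy_data, recorded):
    """Recompute each recorded digest over the copy. Returns (all_match,
    per_algorithm). A mismatch on every algorithm means the copy differs;
    a mismatch on one algorithm alone would point at a bad record, not at
    the evidence, which is the reason for keeping more than one."""
    per_alg = {alg: hashlib.new(alg, copy_data).hexdigest() == hexd
               for alg, hexd in recorded.items()}
    return all(per_alg.values()), per_alg


# Constructed evidence and a copy with a single byte changed.
ORIGINAL = bytes(range(256)) * 4
TAMPERED = ORIGINAL[:100] + b"\x00" + ORIGINAL[101:]

if __name__ == "__main__":
    digests = fingerprint(ORIGINAL)
    print("\n".join(manifest_lines("evidence.img", digests)))
    print("copy ok:", verify_copy(ORIGINAL, digests)[0])
    print("tampered ok:", verify_copy(TAMPERED, digests)[0])
```

The manifest is deliberately in the format the slide's own md5sum command produces, so a digest recorded at acquisition with this code can later be checked by anyone with the standard command-line tools and no access to this script.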
