Computer forensics: Difference between revisions

From Wikipedia, the free encyclopedia

Revision as of 13:55, 24 November 2006

Computer forensics is the application of the scientific method to digital media in order to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, either fixed, like hard disks, or removable, like compact discs and solid-state devices. Computer forensics experts:

  1. Identify sources of documentary or other digital evidence.
  2. Preserve the evidence.
  3. Analyze the evidence.
  4. Present the findings.

Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal.

Understand the suspects

It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts and should be presumed to have installed countermeasures against forensic techniques. Because of this, until you have shut the equipment down completely, your interaction with it must be indistinguishable from that of its normal users: either shut it down in a way that gives the machine no opportunity to modify the drives, or shut it down exactly as its users would.

If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly when a given action occurs, and it is straightforward to tie such a wipe to the Microsoft Windows "Shutdown" command. However, simply "pulling the plug" is not always a good idea either: information held solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored only in RAM, possibly unknown even to the suspects themselves because it was generated automatically, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.

Electronic Evidence Considerations

Electronic evidence can be collected from a variety of sources. Within a company's network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected from three parts of an offender's network: the offender's workstation, the server the offender accessed, and the network that connects the two. Investigators can then use three independent sources to confirm the data's origin.

Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect's files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. A handful of cardinal rules are used to ensure that the evidence is not destroyed or compromised:

  1. Handle the original evidence as little as possible to avoid changing the data.
  2. Establish and maintain the chain of custody.
  3. Document everything done.
  4. Never exceed your personal knowledge; if a task is beyond your expertise, bring in someone qualified rather than guess.

If such steps are not followed, the original data may be changed, ruined or tainted, and any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:

  1. The time for which business operations are inconvenienced.
  2. How sensitive information which is unintentionally discovered will be handled.

In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined – as in most criminal cases – special care must be taken to ensure that you as the forensic specialist have legal authority to seize, image, and examine each device. Besides having the case thrown out of court, the examiner may find him or herself on the wrong end of a hefty civil lawsuit. As a general rule, if you aren't sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Secure the machine and the data

Unless completely unavoidable, data should never be analyzed on the same machine from which it was collected. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made.

To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:

Examine the machine's surroundings

[Images in the original: a USB keydrive beside a quarter; an xD Picture Card beside a penny; a Secure Digital card]

The collection phase starts with the computer forensic team examining the machine's surroundings. As when police investigate any other crime, all printouts, disks, notes, and other physical evidence must be collected and taken back to the laboratory for analysis. Furthermore, the investigating team must take digital photographs of the surrounding environment before any of the hardware is touched. This initial collection phase sets the tone for the rest of the investigation, and the evidence must therefore be locked away securely, with access limited to authorized team members.

Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as keydrives, MP3 players or security tokens.

Record open applications

If the machine is still active, any intelligence that can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. Information held solely in RAM is lost if it is not recovered before powering down, so acquiring that data while the RAM is still powered is a priority. For most practical purposes it is not possible to capture the complete contents of the RAM modules in a running computer. Specialized hardware could do it, but the computer may have been set up to detect chassis intrusion (some Dell machines ship with this capability; the suspect's software need only monitor for it), and removing the cover could cause the system to discard or overwrite the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.

RAM can be analyzed for prior content after power loss, although as production methods become cleaner the impurities used to infer a particular cell's charge before power loss are becoming less common. Data held statically in one area of RAM for a long time is more likely to be detectable with these methods; the likelihood of recovery rises with the voltage originally applied, the operating temperature and the length of time the data was stored. Holding unpowered RAM below -60 °C preserves the residual data roughly an order of magnitude longer, improving the chances of a successful recovery.

Because residual imprinting within a module can only be erased quickly by impractical exposure to high energies, applications written with data security in mind periodically bit-flip critical data such as encryption keys, so that the data never imprints on the RAM and there is no need to destroy it actively afterwards. [1]

Power down carefully

If the computer is running when seized, it should be powered down in the way that is least damaging to the data currently in memory and to the data on the hard disk. The method to use depends on the operating system the computer is running. The recommended methods of shutting down are shown in the following table:

Operating system          Method
DOS                       Pull the plug
Windows 3.1               Pull the plug
Windows 95                Shut down
Windows 98                Shut down
Windows NT                Shut down
Windows NT Server         Shut down
Windows 2000              Shut down
Windows 2000 Server       Shut down
Windows XP                Shut down
Windows Server 2003       Shut down
Linux                     Shut down
Unix                      Shut down
Mac OS 9 and older        Pull the plug
Mac OS X                  Shut down

If the operating system cannot be determined, pulling the plug will suffice.

When pulling the plug, make sure that you pull the lead out of the computer unit itself: if the computer is connected to an uninterruptible power supply (UPS) and you switch off the supply to the UPS instead, the computer will remain powered.

Shutting the computer down by the correct method is critical if certain data is normally held only in memory and committed back to disk when the machine is shut down.

On operating systems that do not normally hold data only in memory (Windows XP, for example), a normal shutdown still changes data on the hard drive: registry hives are written, shutdown events are logged and file timestamps are updated. Such changes are to be avoided wherever there is no benefit from an orderly shutdown, which is why some examiners prefer to pull the plug on these machines even though the table above lists a shutdown for them. Either way, there is a risk of damaging data when power is cut suddenly, so the choice should be deliberate and documented.

Inspect for traps

Inspect the chassis for traps, intrusion detection mechanisms, and self-destruct mechanisms. It takes a lot to destroy a hard drive to the point where no data at all can be recovered from it, but it takes very little to make recovery very difficult. Find a hole in the chassis you can use for inspection (cooling-fan openings are a good bet), or pick a safe spot in the chassis to drill one, and use an illuminated fiberscope to inspect the inside of the machine. Look specifically for large capacitors or batteries, nonstandard wiring around drives, and possible incendiary or explosive devices. PC hardware is fairly standardized, and you should treat anything you do not recognize as cause for concern until proven otherwise. Look for wires attached to the chassis: PCs are not normally grounded this way, so those are cause for concern.

You should specifically look for a wire running from anything to the CMOS battery or "CMOS clear" jumper. CMOS memory can be used to store data on the motherboard itself, and if power is removed from it, the contents will be lost. You must avoid causing CMOS memory to lose power. Encryption keys, etc., may be stored here.

Once you have determined that the case is safe to open, proceed to remove the cover.

Fully document hardware configuration

Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.

Duplicate the hard drives

Using a standalone hard-drive duplicator or similar device, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the drive that can physically store data, rather than duplicating the filesystem; this includes areas hidden from the operating system, such as a host protected area (HPA) or device configuration overlay (DCO), where the duplicator can reach them. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.

Use some kind of hardware write protection to ensure that no writes will be made to the original drive. Even though operating systems such as Linux can be configured to prevent writes, a hardware write blocker is best practice. The process is often called imaging. You can image to another hard disk drive, to tape, or to other media. Tape is a preferred format for archive images, since it is less vulnerable to damage and can be stored for a longer time. There are two goals when making an image:

  1. Completeness (imaging all of the information)
  2. Accuracy (copying it all correctly)

The imaging process is verified with a message digest algorithm such as SHA-1 (using a program such as sha1sum) or another algorithm that is still considered sound. To make a forensically sound image, you need two reads of the drive that produce the same digest. A drive should generally be hashed with at least two algorithms so that its integrity can still be demonstrated if one of them is later broken, as happened to MD5 and has since happened to SHA-1, for which collisions have been demonstrated; SHA-256 is the usual choice today, alongside an older algorithm kept for compatibility with existing records. In practice the two reads are made by first imaging to one tape labeled Master and then imaging again to a tape labeled Working. If you are on site and time is critical, the second read can instead be discarded (written to /dev/null) and only its hash kept.
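The two-read verification described above, as an added example that is not code from the original article or from any forensic product. An ordinary file stands in for the block device and the "drive" contents are a constructed sample; the sector size, the pair of algorithms and the Master/Working labels are assumptions taken from the text. The example images the sample, hashes the source twice and the image once, then flips one bit in the image to show that re-verification against the acquisition hashes catches it.

```python
"""Sector-level imaging with two-read hash verification.

Added example, not code from the original article or any forensic product.
An ordinary file stands in for the block device: the source is read in
whole sectors while two digests run and the image is written, read a second
time and hashed again (the read whose output is discarded), and then the
stored image is hashed. All three digest sets must agree. The "drive" is a
constructed 32 KiB sample, not a real device.
"""
import hashlib
import io
import os
import tempfile

SECTOR = 512
ALGORITHMS = ("sha1", "sha256")   # two independent algorithms, as recommended


def hash_stream(stream, algorithms=ALGORITHMS, sink=None):
    """Read `stream` one sector at a time, feed each chunk to every digest
    and, if `sink` is given, write it there unchanged.
    Returns ({algorithm: hexdigest}, bytes_read)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = stream.read(SECTOR)
        if not chunk:
            break
        total += len(chunk)
        for d in digests.values():
            d.update(chunk)
        if sink is not None:
            sink.write(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}, total


def hash_bytes(data, algorithms=ALGORITHMS):
    """Same sector-wise hashing for an in-memory byte string."""
    return hash_stream(io.BytesIO(data), algorithms)[0]


def image_and_verify(source_path, image_path):
    """Read 1: source -> image, hashing as it goes (the Master copy).
    Read 2: source again, hashing only, output discarded.
    Read 3: the stored image.
    Completeness and accuracy hold only if all sizes and digests match."""
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        first, n1 = hash_stream(src, sink=img)
    with open(source_path, "rb") as src:
        second, n2 = hash_stream(src)
    with open(image_path, "rb") as img:
        stored, n3 = hash_stream(img)
    return {"ok": first == second == stored and n1 == n2 == n3,
            "bytes": n1, "hashes": first,
            "source_reads_agree": first == second,
            "image_matches_source": first == stored}


def verify_image(image_path, expected):
    """Re-hash a stored image (before analysis, or later from the archive
    tape) and compare with the digests recorded at acquisition."""
    with open(image_path, "rb") as img:
        actual, _ = hash_stream(img, algorithms=tuple(expected))
    return actual == expected


def build_sample_device(path, sectors=64):
    """Constructed sample: boot-sector signature, volume label, one short
    text file and unused space, so the image is realistic but tiny."""
    data = bytearray(sectors * SECTOR)
    data[0:3] = b"\xeb\x3c\x90"         # x86 jump found at the start of boot sectors
    data[3:11] = b"MSWIN4.1"            # OEM name field
    data[510:512] = b"\x55\xaa"         # boot signature
    data[2 * SECTOR:2 * SECTOR + 11] = b"EVIDENCE   "
    note = b"meeting moved to friday, bring the drive\n"
    data[4 * SECTOR:4 * SECTOR + len(note)] = note
    with open(path, "wb") as f:
        f.write(data)
    return bytes(data)


def demo():
    """Image the sample and verify it, then flip one bit in the image and
    show that re-verification against the acquisition hashes catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "sda.bin")
        img = os.path.join(tmp, "sda.dd")
        original = build_sample_device(dev)
        report = image_and_verify(dev, img)
        report["matches_reference"] = hash_bytes(original) == report["hashes"]
        report["reverify_ok"] = verify_image(img, report["hashes"])
        with open(img, "r+b") as f:     # simulate a single-bit change in the image
            f.seek(4 * SECTOR)
            byte = f.read(1)[0]
            f.seek(4 * SECTOR)
            f.write(bytes([byte ^ 0x01]))
        report["tamper_detected"] = not verify_image(img, report["hashes"])
        return report


if __name__ == "__main__":
    r = demo()
    print("acquisition verified:", r["ok"], "| tamper detected:", r["tamper_detected"])
    for name, hexdigest in r["hashes"].items():
        print(f"  {name}: {hexdigest}")
```

Record the digests from the first read with the image, not with the drive: they are what a court or a later examiner compares the archive copy against, and a hashed second read that matched is the evidence that the first read was complete and accurate.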

E-mail Review

E-mail has become one of the primary media of communication in the digital age, and vast amounts of evidence may be contained in it, whether in the body or in an attachment. Because users may access email in a variety of ways, it is important to look for different kinds of email. The user may have used a dedicated program, or Mail User Agent (MUA), a web browser, or some other program to read and write email. Additionally, files for each of these programs may be stored on a local hard drive, a network device, or a removable device. A good examiner will search all of these locations for email data. Be aware that many email clients save a copy of outgoing messages, so both the sender and the recipient may have a copy of each message. Finally, mail may also be stored on a dedicated mail server, either awaiting delivery or as permanent storage.

E-mail Headers

All email programs generate headers that are attached to messages. The study of these headers is complex. Some investigators favor reading the headers from the bottom up, others from the top down. Under normal circumstances the mail user agent creates the original headers and each mail server the message passes through prepends its own, so reading from the bottom up follows the message's path in chronological order. A malicious mail server or a forger can make this unreliable, however.

The headers added by an MUA are different from those added by mail servers. For example, here is the format for headers generated by Mozilla Thunderbird 1.0 running on Microsoft Windows.

Message-ID: <41B5F981.5040504@hostname.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name <username@hostname.net>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: recipient@otherhost.com
Subject: Testing
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Extensions such as enigmail may add extra headers.

The Message-ID field has three parts:

  1. The time the message was sent in seconds past the epoch in hexadecimal.
  2. A random value called a salt. The salt is of the format #0#0#0# where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509".
  3. The fully qualified domain name of the sender.
Message-ID: [time].[salt]@[domain-name]

Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp in function msg_generate_message_id() and therefore applies only to mail sent by this application. Generally the format of the Message-ID is arbitrary, and you should refer to the applicable RFCs.
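The Message-ID decoding and the bottom-up header walk described above, as an added example that is not code from the original article or from Mozilla. The header block is the Thunderbird 1.0 example printed above; the two Received: lines, the hostname relay.example and the addresses in 192.0.2.0/24 are constructed for this example so that the bottom-up walk has something to walk. The decode rule is Thunderbird's only, so the function returns None for any other Message-ID shape.

```python
"""Header analysis for the Thunderbird message shown above.

Added example, not code from the original article or from Mozilla. It
decodes the Thunderbird 1.0 Message-ID ([hex-time].[salt]@[domain]) as the
article describes, checks the decoded time against the Date: header, and
walks the Received: chain bottom-up, oldest hop first. The two Received:
lines, the hostname relay.example and the 192.0.2.x addresses are
constructed; the rest of the header block is the one printed above.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW = """\
Received: from relay.example (relay.example [192.0.2.10])
\tby mx.otherhost.com with ESMTP id 1Cb9sY-0003Fq-00
\tfor <recipient@otherhost.com>; Tue, 07 Dec 2004 13:42:40 -0500
Received: from [192.0.2.77] (helo=[192.0.2.77])
\tby relay.example with esmtp id 1Cb9sH-0001Xb-00; Tue, 07 Dec 2004 13:42:12 -0500
Message-ID: <41B5F981.5040504@hostname.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name <username@hostname.net>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: recipient@otherhost.com
Subject: Testing
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Testing.
"""

MSGID_RE = re.compile(r"^<([0-9A-Fa-f]{8})\.(\d{1,7})@([^>]+)>$")
SALT_RE = re.compile(r"^\d0\d0\d0\d$")   # the #0#0#0# shape, after re-padding


def decode_thunderbird_message_id(value):
    """Split a Thunderbird-style Message-ID into its three parts. Returns
    None if the value is not of that shape (most MUAs use other formats)."""
    m = MSGID_RE.match(value.strip())
    if not m:
        return None
    hex_time, salt, domain = m.groups()
    padded = salt.zfill(7)            # Thunderbird drops leading zeros of the salt
    return {"timestamp": datetime.fromtimestamp(int(hex_time, 16), timezone.utc),
            "salt": salt, "salt_padded": padded,
            "salt_matches_pattern": bool(SALT_RE.match(padded)),
            "domain": domain}


def received_hops(msg):
    """Return the Received: hops oldest first, i.e. read from the bottom up."""
    hops = []
    for rec in reversed(msg.get_all("Received", [])):
        frm = re.search(r"\bfrom\s+(\S+)", rec)
        by = re.search(r"\bby\s+(\S+)", rec)
        when = parsedate_to_datetime(rec.rsplit(";", 1)[-1].strip())
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None, "time": when})
    return hops


def analyze(raw):
    """Decode the Message-ID, compare it with Date:, and check the hop timeline."""
    msg = message_from_string(raw)
    mid = decode_thunderbird_message_id(msg["Message-ID"])
    date = parsedate_to_datetime(msg["Date"])
    hops = received_hops(msg)
    times = ([mid["timestamp"]] if mid else []) + [date] + [h["time"] for h in hops]
    return {"message_id": mid, "date": date,
            "skew_seconds": int((date - mid["timestamp"]).total_seconds()) if mid else None,
            "hops": hops,
            # Composition time, Date:, then each hop should never run backwards.
            "timeline_consistent": all(a <= b for a, b in zip(times, times[1:]))}


if __name__ == "__main__":
    r = analyze(RAW)
    print("Message-ID time:", r["message_id"]["timestamp"], "| skew vs Date:", r["skew_seconds"], "s")
    for h in r["hops"]:
        print(f"  {h['time']}  {h['from']} -> {h['by']}")
```

For the sample, the hexadecimal 41B5F981 decodes to 18:42:09 UTC on 7 December 2004, which is exactly the Date: header (13:42:09 at -0500), so the sender's clock and the header agree; a large skew or a hop timestamp earlier than the one below it would be the kind of inconsistency that points at forgery or a misconfigured relay.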

Sorting Through the Masses

While it is theoretically possible to review every e-mail, the volume subject to review may be daunting, and large-scale reviews cannot look at each message individually because of the cost and impracticality. Forensics experts use review tools to copy e-mails and their attachments and search them for incriminating evidence using keyword searches. Some programs can recognize general threads in e-mails by looking at the word groupings on either side of the search term. This technology saves vast amounts of time by eliminating groups of e-mails that are not relevant to the case at hand.
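A small keyword review of the kind described above, as an added example that is not code from the original article or from any review product. The four stored messages (three distinct, one of them present in both the sender's Sent folder and the recipient's Inbox), the folder names, the keyword list and the context window are all constructed. It shows two points the text relies on: a hit is more useful with the words on either side of it than as a bare match, and the sender's saved copy and the recipient's copy carry the same Message-ID and should be reviewed once.

```python
"""Keyword review of e-mail with keyword-in-context hits and de-duplication.

Added example, not code from the original article. The messages, folder
names and keywords are constructed. Each message is reviewed once per
Message-ID (the sender's saved copy and the recipient's copy are the same
message), every text part including text attachments is searched, and each
hit is reported with the words around it.
"""
import re
from email import message_from_string

MSG_A = """\
Message-ID: <a1@hostname.net>
From: User Name <username@hostname.net>
To: recipient@otherhost.com
Subject: before friday
Content-Type: text/plain; charset=us-ascii

Please wipe the drive before the audit on friday; the shutdown script is attached.
"""
MSG_B = """\
Message-ID: <b2@otherhost.com>
From: recipient@otherhost.com
To: username@hostname.net
Subject: lunch
Content-Type: text/plain; charset=us-ascii

Lunch on tuesday? The usual place.
"""
MSG_C = """\
Message-ID: <c3@hostname.net>
From: User Name <username@hostname.net>
To: recipient@otherhost.com
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

See attached.
--b1
Content-Type: text/plain; charset=us-ascii; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

invoice 4471 was never paid, delete the ledger before they ask
--b1--
"""

# Constructed folders: MSG_A is present on both sides, as the text warns.
CONSTRUCTED_MAILBOXES = {
    "sender/Sent": [MSG_A, MSG_C],
    "recipient/Inbox": [MSG_A, MSG_B],
}


def text_parts(msg):
    """Yield (location, text) for the body and every text attachment."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        charset = part.get_content_charset() or "latin-1"
        yield part.get_filename() or "body", payload.decode(charset, "replace")


def kwic(text, keywords, window=3):
    """Keyword-in-context: for each token equal to a keyword (case-insensitive,
    punctuation stripped) return the keyword and `window` words either side."""
    tokens = text.split()
    hits = []
    for i, tok in enumerate(tokens):
        word = re.sub(r"\W", "", tok).lower()
        if word in keywords:
            hits.append((word, " ".join(tokens[max(0, i - window):i + window + 1])))
    return hits


def review(mailboxes, keywords, window=3):
    """Search every text part of every message, once per Message-ID."""
    keywords = {k.lower() for k in keywords}
    seen, with_hits, hits, n = set(), set(), [], 0
    for folder, raws in mailboxes.items():
        for raw in raws:
            n += 1
            msg = message_from_string(raw)
            mid = msg["Message-ID"]
            if mid in seen:             # second copy of a message already reviewed
                continue
            seen.add(mid)
            for location, text in text_parts(msg):
                for word, context in kwic(text, keywords, window):
                    hits.append({"message_id": mid, "folder": folder, "location": location,
                                 "keyword": word, "context": context})
                    with_hits.add(mid)
    return hits, {"messages_seen": n, "unique_messages": len(seen),
                  "messages_with_hits": len(with_hits), "eliminated": len(seen) - len(with_hits)}


if __name__ == "__main__":
    found, stats = review(CONSTRUCTED_MAILBOXES, ["wipe", "delete", "ledger"])
    print(stats)
    for h in found:
        print(f"{h['message_id']} [{h['location']}] {h['keyword']}: ...{h['context']}...")
```

De-duplicating on Message-ID is only a first pass: a forwarded or re-sent copy gets a new Message-ID and a forger can reuse one, so the folder each copy came from is kept in every hit rather than discarded.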

Computer Forensic Examples

Forensics can be defined as the use of technology and science for investigation and fact recovery in criminal matters. Computer forensics is the technological aspect of retrieving evidence for use in criminal or civil courts of law; examiners are able to recover damaged and deleted files. In some cases, computer forensics provided the lead evidence used to indict an offender or to find the location of a missing person.

Example One

Chandra Levy, a Washington intern, went missing on April 30, 2001, and her disappearance caused a great stir in the community. Before she went missing she had used the Internet and e-mail to organize travel arrangements and to communicate with her parents. This technology helped a computer criminalist to trace her whereabouts: the information found on her computer led the police to her location, even though she had been missing for a year.

Example Two

There have been a number of recent cases at private schools in which authority figures have been charged with possession of child pornography. These discoveries were made using computer forensics: by tracking the buying and selling of pornography online, computer forensic investigators have been able to locate the people involved. The information found on the computers can be used as circumstantial evidence in court, allowing prosecution to proceed. Because of this work, child pornographers are being penalized for their actions and removed from the education system.

Example Three

A final example of how computer forensics is affecting the current workplace concerns security. Employees' work computers are now monitored to ensure that no illegal actions take place in the office, and security has been heightened so that outsiders cannot access a company's confidential files. If this security is breached, a company can use computer forensics to trace which computer was tampered with and what information was extracted from it, possibly leading to the guilty parties and others involved.

See also

References

1. Xiaoyun Wang and Hongbo Yu, "How to Break MD5 and Other Hash Functions" (PDF), EUROCRYPT 2005.

External links

Related Journals

  • International Journal of Digital Evidence
  • Journal of Digital Forensic Practice, http://www.tandf.co.uk/journals/titles/15567281.asp
  • Cryptologia, http://www.tandf.co.uk/journals/titles/01611194.asp

Hardware

  • Logicube Forensics Hardware: computer forensics systems for onsite duplication and analysis.