Understanding Computer Forensics
Everywhere from the Scott Peterson trial to the war on terror, computer forensics is in the news. Computer-related crimes, or "cyber-crimes" as they are aptly named, are on the rise, and by the looks of it they are here to stay. According to the National Research Council's 1991 report "Computers at Risk," "The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb." It's funny how that report turned out to be a self-fulfilling prophecy. Cyber-crimes are on the rise, and the war on terror has revealed that our foes are using laptops and the Internet as essential tools for their operations.
Another significant threat to society is industrial espionage. Big businesses now find themselves having to protect their intellectual property more than ever before. Corporations have to protect themselves not only from their competitors and "script kiddies" but from foreign countries as well. The growth of the Internet has brought businesses into a global, multinational arena. With tremendous power comes tremendous responsibility; it is no longer business as usual.
What is computer forensics? We can define it as the science of gathering evidence from an electronic crime scene while assuring its authenticity. The computer forensics investigator has to be able to prove, beyond "any shadow of a doubt," that the data obtained is the bona fide original as it was left at the crime scene. Evidence in digital form should be untainted, unmodified and unaltered.
When responding to a computer crime scene, timing can be crucial; taking action in a timely manner can make or break the investigation. Before investigating the crime scene, one should disconnect the affected workstation from the network. By no means should the computer be powered down until the computer forensics expert has examined the system. One should collect from the most volatile form of storage to the least, since sophisticated hackers are more than likely to load their tools only into the computer's RAM, making it harder for someone to track them down, and anything held only in RAM is lost once the power goes off. Throughout, ensure that the tools and methods used do not tamper with the evidence.
Before a forensics investigation takes place, a great deal of preparation and planning should be done ahead of time. One of these preparations is acquiring or building a computer forensics toolkit. The toolkit usually consists of computer programs that allow you to extract the data without altering it or damaging its integrity. The goal is to keep the data on the computer exactly as the culprit left it at the time the crime was committed.
The computer forensics process can be broken down into 3 basic steps. The first step is to acquire the digital evidence from the crime scene without altering the original. The second step is to authenticate that the acquired copy is identical to the original. The third is to analyze the data without modifying it.
The way the evidence is handled is very important, especially if you want to present the data as evidence in a court of law. An accurate record known as the chain of custody is an important document in your investigation. It is designed to protect the integrity of the evidence and to prevent a defense attorney from arguing that the evidence was tampered with. This document states who collected the evidence, who took possession of it, how it was stored and how it was protected in storage. Maintaining a proper chain of custody is mission critical.
As a general rule, no one should use the tools, commands or programs contained on the compromised machine: the suspect may have tainted the executable files housed on the computer.
Surprisingly, there is a wide array of commercial, open source and public domain programs that you can add to your toolkit. Some commercial packages attempt to be the "one stop solution" for your investigative needs. The open source tools available are sophisticated enough to give some of the commercial packages a run for their money. When using open source software, I recommend that you compare the MD5 hashes of the binaries against the values the project publishes, to ensure that they have not been tampered with by hackers.
EnCase by Guidance Software appears to be the most widely used commercial computer investigation software. It is a Windows-based program that can both acquire and analyze data, and it has been designed to analyze file systems and media ranging from FAT, NTFS, HFS+, UFS, EXT2, EXT3, Reiser and JFS to DVDs and CD-ROMs.
SMART by ASR Data is an analysis and acquisition tool designed to run on the Linux operating system. It can analyze CD-ROMs and Reiser, JFS, UFS, EXT3, EXT2, NTFS and FAT partitions.
The Sleuth Kit and Autopsy are a collection of Unix-based analysis tools. The Sleuth Kit has over twenty command-line tools, and Autopsy adds a graphical user interface on top of it. The Sleuth Kit is able to analyze the FAT, NTFS, UFS, EXT2 and EXT3 file systems.
NTI offers a handy utility called GetTime to document the CMOS date of the computer under forensic examination. Another interesting tool, developed by security researcher Dr. Fred Cohen, is ForensiX, a bootable Linux-based CD-ROM available only to law enforcement agencies. Helix is another Linux-based live bootable CD-ROM, developed for incident response.
WinHex, created by Stefan Fleischmann, is a sophisticated hexadecimal editor which enables you to perform low-level cloning, imaging and disk analysis. It integrates CRC32 checksums and 128-bit or 256-bit hash digests, MD5 among them, to assist in demonstrating the authenticity of your data. In addition, WinHex enables you to examine the slack space on the hard drive under investigation, which can contain traces of files that were previously there.
Other tools that can be used are Ethereal, nmap, snort, netcat and cryptcat, all of which can be obtained individually or from Biatchux F.I.R.E. (Forensic and Incident Response Environment), which can be mounted on a wide variety of operating systems, including Win32, SPARC, Solaris and Linux.
As part of your forensic kit, you should include a mini cassette recorder, mini cassettes, a digital camera, and a video camera mounted on a tripod. The cassette recorder is for recording any notes you may have while you conduct the investigation. The digital camera is used to take photographs of your findings and so forth. The video camera can be used to record the investigation while it is in progress.
After the copy of the original evidence has been obtained, it is important that it be verified side by side with the original using a CRCMd5 tool. As explained earlier, this establishes the authenticity of the data. The MD5 digest and CRC checksum are values produced by algorithms that, for all practical purposes, give a unique signature of your data, so matching values confirm that the copy has not been altered or compromised. Therefore all data under forensic examination should undergo CRCMd5 verification.
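As an added illustration of the CRCMd5 verification just described, and of checking a downloaded tool's MD5 as recommended earlier, here is a small Python example that is not from the original article or from any of the tools it names. The "source drive" bytes are constructed, the Fingerprint type and function names are my own, and a kit built today would record SHA-256 alongside MD5 because MD5 collisions are now practical.

```python
import hashlib
import hmac
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """CRC32 checksum and MD5 digest of one evidence item, both as hex strings."""
    crc32: str
    md5: str


def fingerprint(data: bytes, chunk_size: int = 65536) -> Fingerprint:
    """Compute CRC32 and MD5 over the data in fixed-size chunks, the way a
    verification tool streams a disk image rather than loading it whole."""
    crc = 0
    md5 = hashlib.md5()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        crc = zlib.crc32(chunk, crc)   # running CRC, seeded with the previous value
        md5.update(chunk)
    return Fingerprint(crc32=f"{crc & 0xFFFFFFFF:08x}", md5=md5.hexdigest())


def verify_image(original: bytes, image: bytes) -> tuple[bool, Fingerprint, Fingerprint]:
    """Side-by-side check of an acquired image against its source. Both values
    must match; a mismatch in either means the copy is not the bona fide original."""
    src, dst = fingerprint(original), fingerprint(image)
    return (src == dst, src, dst)


def check_published_md5(binary: bytes, published_md5_hex: str) -> bool:
    """Compare a downloaded toolkit binary with the MD5 its maintainers publish.
    compare_digest keeps the comparison time independent of where a mismatch occurs."""
    return hmac.compare_digest(fingerprint(binary).md5, published_md5_hex.strip().lower())


# Constructed sample data standing in for a small source drive (not a real image).
SOURCE = b"FAT12   " + b"\x00" * 500 + b"report.txt\x00deleted fragment" + b"\xff" * 100
GOOD_IMAGE = bytes(SOURCE)              # a faithful bit-for-bit copy
_tampered = bytearray(SOURCE)
_tampered[300] ^= 0x01                  # one flipped bit: how a tampered copy would differ
BAD_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    ok, src, dst = verify_image(SOURCE, GOOD_IMAGE)
    print(f"faithful image: match={ok} crc32={dst.crc32} md5={dst.md5}")
    ok, src, dst = verify_image(SOURCE, BAD_IMAGE)
    print(f"tampered image: match={ok} crc32 {src.crc32} -> {dst.crc32}")
```

Run it directly to see the faithful copy match and the single flipped bit change both the CRC32 and the MD5.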
In summary, computer forensics can be defined as the science of gathering evidence from an electronic crime scene while assuring its authenticity. In a computer forensics investigation, timing can be crucial. Proper planning and preparation should take place before the investigation is underway. The computer forensics process encompasses 3 basic steps: acquire the digital evidence from the crime scene, authenticate the evidence, and analyze the data without modifying it.
One should concentrate on examining the most volatile memory first and the least volatile last. The forensics investigator should authenticate all the data using a unique-signature-based tool such as CRCMd5. I have discussed what programs and utilities are available to construct a computer forensics toolkit. Last but not least, a proper chain of custody document should be maintained at all times. I have enjoyed learning about the tools available and the techniques used in a computer forensics investigation.
Bibliography
Daniel A. Morris. "Tracking a Computer Hacker." May 2001. URL: http://www.cybercrime.gov/usamay2001_2.htm
National Research Council. "Computers at Risk." 1991.
Anton Chuvakin and Cyrus Peikari. Security Warrior. O'Reilly, January 2004.
Warren G. Kruse and Jay G. Heiser. Incident Response Essentials. Addison Wesley, Lucent Technologies, 2002.
Brian Carrier. File System Forensic Analysis. Addison Wesley Professional, March 2005.
Ajay Gupta and Scott Laliberte. Defend I.T.: Security by Example. Addison Wesley, May 2004.
Julie Lucas and Brian Moeller. The Effective Incident Response Team. Addison Wesley, Sept. 2003.
T.J. Klevinsky, Scott Laliberte, and Ajay Gupta. Hack I.T.: Security Through Penetration Testing. Addison Wesley, Feb. 20
Kirk Hausman, Diane Barrett, and Martin Weiss. Security+ Exam Cram 2 (Exam SYO-101). Que, April 2003.
Brad Crusey. "How to Respond to Attacks." Certification Magazine, June 2005.