Computer Forensics and Advanced Topics Chapter 17
Computer Forensics
• Application of computer science and engineering principles and practices to investigate unauthorized computer use and/or the use of a computer to support illegal activities
• Computer forensics is conducted for three purposes:
  • Investigating and analyzing computer systems as related to violation of laws.
  • Investigating and analyzing computer systems for compliance with an organization's policies.
  • Investigating computer systems that have been remotely attacked.
Role of a Computer Forensic Specialist
• Isolates security holes
• Identifies modes of access
• Detects clues for evidence of a cybercrime or security breach
• Ensures maximum recovery of data and preservation of digital evidence
The Forensic Process
• Identify evidence
• Collection of evidence
• Examination of evidence
• Analysis of evidence
• Documenting and reporting of evidence
Digital Evidence
• Digital evidence can be retrieved from computers, cell phones, pagers, PDAs, digital cameras, and any device that has memory or storage.
• Extremely volatile and susceptible to tampering
• Often concealed like fingerprints
• Sometimes time sensitive
Digital Evidence
• Evidence consists of documents, verbal statements, and material objects admissible in a court of law.
• It is critical to convince management, juries, judges, or other authorities that some kind of violation has occurred.
• If evidence will be used in court proceedings or actions that could be challenged legally, evidence must meet these three standards:
  • Sufficiency: The evidence must be convincing or measure up without question.
  • Competency: The evidence must be legally qualified and reliable.
  • Relevancy: The evidence must be material to the case or have a bearing on the matter at hand.
Principles of Digital Evidence
• Investigation/analysis performed on seized digital evidence should not change the evidence in any form
• Evidence should only be manipulated and analyzed on a copy of the original source
• An individual must be forensically competent to be given permission to access original digital evidence
• Activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
Identify Evidence
• Mark evidence properly as it is collected so that it can be identified as the particular piece of evidence gathered at the scene.
• Label and store evidence properly.
• Ensure that the labels cannot be removed easily.
• Keep a logbook.
• Identify each piece of evidence (in case the label is removed).
Identify Evidence
• The information should be specific enough for recollection later in court.
• Log other identifying marks, such as device make, model, serial number, and cable configuration or type.
• Note any type of damage to the piece of evidence.
• It is important to be methodical while identifying evidence.
• Do not collect evidence by yourself—have a second person witness the actions.
Identify Evidence
• Protect evidence from electromagnetic or mechanical damage.
• Ensure that the evidence is not tampered with, damaged, or compromised by the procedures used during the investigation.
• Do not damage evidence; this avoids liability problems later.
• Protect evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration.
• Use static-free evidence protection gloves, not standard latex gloves.
• Seal the evidence in a proper container with evidence tape.
Types of Evidence
• Direct evidence is oral testimony that proves a specific fact, such as an eyewitness' statement.
• Real evidence is physical evidence that links the suspect to the scene of a crime.
• Documentary evidence is evidence in the form of business records, prints, and manuals.
• Demonstrative evidence is used to aid the jury and can be in the form of a model, experiment, or chart, offered to prove that an event occurred.
Three Rules of Evidence
• Best Evidence Rule
  • Courts prefer original evidence rather than a copy to ensure no alteration of the evidence has occurred.
• Exclusionary Rule
  • The Fourth Amendment to the United States Constitution precludes illegal search and seizure and, therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence.
• Hearsay Rule
  • Hearsay is second-hand evidence—evidence not gathered from the personal knowledge of the witness.
Guidelines for Collecting Evidence
• While conducting the investigation, analyze computer storage carefully.
• Analyze a copy of the system, not the original system, which is the evidence.
• Use a system specially designed for forensics examination.
• Conduct analysis in a controlled environment with:
  • Strong physical security
  • Minimal traffic
  • Controlled access
Guidelines for Collecting Evidence
• Unless there are specific tools to take forensic images under Windows, DOS should be used for the imaging process instead of standard Windows.
• Boot from a floppy disk or a CD, with only the minimal amount of software installed, to preclude propagation of a virus or the inadvertent execution of a Trojan horse or other malicious program.
• Windows can then be used to examine copies of the system.
Collecting Evidence
• Each investigation is different. Given below is an example of a comprehensive investigation.
• Remove or image only one component at a time.
• Remove the hard disk and label it – use an anti-static or static-dissipative wristband and mat before beginning the investigation.
• Identify the disk type (IDE, SCSI, or other type). Log the disk capacity, cylinders, heads, and sectors.
• Image the disk with a bit-level copy, sector by sector – this will retain deleted files, unallocated clusters, and slack space.
Collection Steps
• Make a list of all systems, software, and data involved, as well as evidence to be collected
• Establish criteria for what is likely to be relevant and admissible in court
• Remove external factors that may cause accidental modification of file system or system state
• Perform quick analysis of external logs and IDS output
Collection Steps
• Proceed from more volatile assets to less volatile:
  • Memory
  • Registry, routing table, ARP cache, process cache
  • Network connections
  • Temporary files
  • Disk or storage device
• Check processes running on the system
• Copy ARP cache, routing table, registry, status of network connections
• Capture temporary files
• Make byte-by-byte copy of entire media
• Remove and store original media in a secure location
• Do not run programs that modify files or their access times
• Do not shut down until the most volatile evidence has been collected
• Do not trust programs on the system
• Document the procedure
Chain of Custody
• The chain of custody accounts for all persons who handled or had access to the evidence.
• It shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence.
Chain of Custody
• Steps in the chain of custody are:
  • Record each item collected as evidence.
  • Record who collected the evidence along with the date and time.
  • Document a description of the evidence.
  • Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time.
Chain of Custody
• Steps in the chain of custody are (continued):
  • Record all message digest (hash) values in the documentation.
  • Securely transport the evidence to a protected storage facility.
  • Obtain a signature from the person who accepts the evidence at this storage facility.
  • Provide controls to prevent access to and compromise of the evidence while it is being stored.
  • Securely transport it to the court for proceedings.
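As an added example (not from the chapter), a small Python model of the chain-of-custody record described in the two slides above: each hand-off re-hashes the evidence image, and the record is intact only when every recorded digest matches the one taken at collection. The case number, item id, handler names, the sample image bytes and SHA-256 as the digest algorithm are all assumed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a bit-level disk image (not real evidence).
SAMPLE_IMAGE = b"MBR\x00" * 64 + b"deleted-file-fragment" + b"\x00" * 256


def sha256_hex(data: bytes) -> str:
    """Message digest recorded in the documentation (SHA-256 is the assumed algorithm)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str     # collected / transported / received / examined
    person: str     # who handled or had access to the evidence
    timestamp: str  # when, ISO-8601 UTC
    digest: str     # hash of the evidence as held at this step


@dataclass
class CustodyRecord:
    case_number: str
    item_id: str
    description: str
    entries: list = field(default_factory=list)

    def log(self, action: str, person: str, data: bytes, when: str = "") -> CustodyEntry:
        """Each hand-off re-hashes the item, so the record shows who held it and that it was unchanged."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(action, person, when, sha256_hex(data))
        self.entries.append(entry)
        return entry

    def intact(self) -> bool:
        """True only if every digest equals the one recorded at collection."""
        return len({e.digest for e in self.entries}) == 1


def run_custody_chain(tampered: bool = False) -> CustodyRecord:
    """Collection, transport and receipt of the image; optionally flip one bit in transit."""
    record = CustodyRecord("CASE-PLACEHOLDER", "ITEM-01", "Bit-level image of seized hard disk")
    image = SAMPLE_IMAGE
    record.log("collected", "A. Examiner", image)
    record.log("transported", "A. Examiner", image)
    if tampered:  # simulates a modified copy arriving at the storage facility
        image = image[:300] + bytes([image[300] ^ 0x01]) + image[301:]
    record.log("received", "B. Custodian", image)
    return record


if __name__ == "__main__":
    for flag in (False, True):
        print(f"tampered={flag}: intact={run_custody_chain(flag).intact()}")
```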
Free Space vs Slack Space
• When a user deletes a file, the file is not actually deleted.
• Instead, a pointer in a file allocation table is deleted.
• If a second file saved in the same area does not occupy as many sectors as the first file, a fragment of the original file remains.
• The sector that holds the fragment of this file is referred to as free space because the operating system marks it usable when needed.
• When the operating system stores something else in this sector, it is referred to as allocated.
• Unallocated sectors still contain the original data until the operating system overwrites them.
Free Space vs Slack Space
• When a file is saved to storage media, the operating system allocates space in blocks of a predefined size, called sectors.
• The size of all sectors is the same on a given system or hard drive.
• Even if a file contains only 10 characters, the operating system will allocate a full sector of, say, 1,024 bytes—the space left over in the sector is slack space.
Free Space vs Slack Space
• It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space.
• Slack space from files that previously occupied that same physical sector on the drive may contain information.
• Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.
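An added Python model (not from the chapter) of the allocation behaviour the three slides above describe: a 1,024-byte sector, a deleted file whose table pointer is removed but whose bytes stay on the media, and a smaller file that later reuses the first sector, leaving the old contents in its slack space and the rest in unallocated sectors. The disk layout, file names and contents are constructed.

```python
SECTOR_SIZE = 1024  # allocation unit from the slides (real file systems call it a cluster or block)

def sectors_for(length: int) -> int:
    return -(-length // SECTOR_SIZE)  # ceiling: the last sector is allocated whole

class SimpleDisk:
    """Constructed in-memory disk: the file table maps names to (first sector, length); deletes never wipe data."""

    def __init__(self, sectors: int):
        self.data = bytearray(sectors * SECTOR_SIZE)
        self.table = {}  # name -> (first_sector, length in bytes)

    def allocated(self) -> set:
        used = set()
        for first, length in self.table.values():
            used.update(range(first, first + sectors_for(length)))
        return used

    def write(self, name: str, content: bytes) -> int:
        """Place the file in the first free run of sectors; only the content bytes are overwritten."""
        n, used = sectors_for(len(content)), self.allocated()
        for first in range(len(self.data) // SECTOR_SIZE - n + 1):
            if used.isdisjoint(range(first, first + n)):
                start = first * SECTOR_SIZE
                self.data[start:start + len(content)] = content  # bytes after the content are untouched
                self.table[name] = (first, len(content))
                return first
        raise OSError("disk full")

    def delete(self, name: str) -> None:
        del self.table[name]  # like removing a FAT entry: the sectors keep their bytes

    def slack(self, name: str) -> bytes:
        """Bytes between the file's logical end and the end of its last allocated sector."""
        first, length = self.table[name]
        end = first * SECTOR_SIZE + length
        return bytes(self.data[end:(first + sectors_for(length)) * SECTOR_SIZE])

    def free_sectors(self) -> list:
        return [s for s in range(len(self.data) // SECTOR_SIZE) if s not in self.allocated()]

def demo():
    """Write a 2,000-byte file (2 sectors), delete it, then save an 11-byte file in the same area."""
    disk = SimpleDisk(sectors=4)
    ledger = (b"CONFIDENTIAL-LEDGER-" * 100)[:2000]  # constructed content
    disk.write("ledger.txt", ledger)
    disk.delete("ledger.txt")               # pointer removed; bytes stay in sectors 0 and 1
    disk.write("note.txt", b"hello, jury")  # reuses sector 0 but fills only 11 bytes
    return disk, ledger
```

After `demo()`, the slack of `note.txt` is the tail of the deleted ledger, sector 1 is free yet still holds the ledger's remaining bytes, which is exactly what a slack- and free-space viewer exposes.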
Education and Training
• One of the most cost-effective tools in computer security
• Knowledge of systems documentation
• Knowledge of security procedures
• Availability of resources and references
• “Loose lips sink ships”
• Clearly delineate information that may never be divulged over the phone
Education and Training
• Require proof of positive identity
• Purpose of training and awareness program
• Agency security appointments and contacts
• Contacts and action in the event of a real or suspected security incident
• Legitimate use of system accounts
• Access and control of system media
Education and Training
• Destruction and sanitization of media and hard copies
• Security of system accounts (including sharing of passwords)
• Authorization for applications, databases, and data
• Use of the Internet, the Web, and e-mail