Computer Forensics

INTRODUCTION


What is Computer Forensics?

Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

Our reliance on computer and network technologies has led to a number of concerns. For example, the use of computers has inspired new types of misconduct, such as hacking or denial of service attacks against computer systems. Conversely, ordinary, inexpert people find new opportunities for older crimes such as credit card fraud, embezzlement or blackmail.

Computer forensics is emerging as an important tool in the fight against crime. Computer forensics may be defined as the investigation of situations where there is computer-based (digital) or electronic evidence of a crime or suspicious behaviour, but the crime or behaviour may be of any type not otherwise involving computers. Therefore, computers facilitate both the commission of and investigation into the act in question.

Specialists in the area follow structured methodologies to ensure the integrity of the evidence that they collect and process:

– Preservation
– Identification
– Extraction
– Documentation
– Interpretation

It is not just law enforcement that is developing the computer forensics field. Increasingly, commercial and non-commercial organisations are requiring experts in the field to investigate incidents. Thus, there are many applications of computer forensics tools and techniques other than for criminal prosecution, such as:

– Determining the root cause of an event to ensure it is not repeated
– Identifying responsibility for an action
– Internal investigation within the organisation
– Intelligence operations
– Audit
– Recovering lost data


HISTORY:

1970s – First crime cases involving computers, mainly financial fraud

1980s – Financial investigators and courts realize that in some cases all the records and evidence were only on computers.
– Norton Utilities "Un-erase" tool created
– Association of Certified Fraud Examiners began to seek training in what became computer forensics
– SEARCH High Tech Crimes training created
– Regular classes began to be taught to Federal agents in California and at FLETC in Georgia
– HTCIA formed in Southern California

1984 – FBI Magnetic Media Program created. Later it became the Computer Analysis and Response Team (CART)

1987 – AccessData, a cyber forensic company, formed

1988 – Creation of IACIS, the International Association of Computer Investigative Specialists
– First Seized Computer Evidence Recovery Specialists (SCERS) classes held

1993 – First International Conference on Computer Evidence held

1995 – International Organization on Computer Evidence (IOCE) formed


1997 – The G8 countries in Moscow declared that "Law enforcement personnel must be trained and equipped to address high-tech crimes".

1998 – In March the G8 appointed the IICE to create international principles, guidelines and procedures relating to digital evidence
– INTERPOL Forensic Science Symposium

1999 – FBI CART case load exceeds 2000 cases, examining 17 terabytes of data

2000 – First FBI Regional Computer Forensic Laboratory established

2003 – FBI CART case load exceeds 6500 cases, examining 782 terabytes of data

ORIGIN: "Forensic" has its roots in a Latin word, "forensic", which generally means forum or discussion. In the reign of the Romans, any criminal who had been charged with a crime was presented before an assembly of the public. Both the complainant and the defendant were to present their sides through their own speeches, and the one who was able to explain his side with fervent delivery and argumentation typically won the case.

Activities held:

– the secure collection of computer data
– the identification of suspect data
– the examination of suspect data to determine details such as origin and content
– the presentation of computer-based information to courts of law
– the application of a country's laws to computer practice.


Process:

Computer forensics investigations take a lot of time to conduct. This is not surprising given the increasing size of storage media that is being encountered. For example, hard drives of several hundred Gigabytes are not uncommon. In addition, the number of devices and the amount of data storage that must be searched and analysed is also increasing. This must be conducted in a robust manner that can be demonstrated in court or to management at a later date.

Below is my Organisational Model of Computer Forensics which aims to simplify the investigation process irrespective of the computer forensics tools and techniques used.

Prior to an investigation, the analyst must make some preparations. For example, what is the purpose of the investigation? This will ultimately determine the tools and techniques used throughout the resulting investigation.

Next, evidence must be collected. This must be conducted robustly and must maintain the integrity of the evidence. Once the evidence is collected, a copy of the material is made and all analysis is performed on the copy. This ensures that the original evidence is not altered in any way.

The analysis of the evidence is conducted with forensics tools. For example, analysing the hard drive of a computer requires the recreation of the logical structure of the underlying operating system. Once this is done, the analyst may have to triage and view both extant and deleted files to build a picture of the suspect's activities.

The analyst will then report any suspicious or malicious files and supply supporting evidence, for example the time and date the file was created, accessed or modified and which user was responsible.

Finally, the analyst must present evidence. In law enforcement, this is to a court of law. Increasingly, with the growth of the field in internal corporate investigations, this will be to management.


Tools:

The tools and techniques used in computer forensics are as wide and varied as the crimes that are investigated. Each investigation will ultimately determine the tools that are used. Below is just a brief outline of tools used in the search for relevant evidentiary data on a computer. For further information on tools and techniques, it is recommended that you consult a book on the subject of computer forensics.

A number of computer forensic tools and approaches are used for the detection of suspicious data on the hard drive. These can be generally divided into file analysis and format-specific approaches.

Commonly used computer forensic tools, such as the Forensic Toolkit (screenshot below) and EnCase, provide examples of file analysis approaches. These tools are used for storage media analysis of a variety of files and data types in fully integrated environments. For example, the Forensic Toolkit can perform tasks such as file extraction, making a forensic image of data on storage media, recovering deleted files, determining data types and text extraction. EnCase is widely used within law enforcement and, like FTK, provides a powerful interface to the hard drive or data source under inspection, for example by providing a file manager that shows extant and deleted files.

Format-specific approaches look for data belonging to particular applications or data types. For example, Jhead is an application to extract specific JPEG image data, such as the time and date a picture was taken, camera make and model, image resolution, shutter speed, etc. Tools such as Data Lifter are able to extract files of a multitude of types. These tools support data carving to retrieve files of specific types by searching the disk for file preambles.
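The preamble search just described, as an added example that is not from the page or from any tool it names: a small header/footer carver run over a constructed byte image. It handles two situations a real carver meets, a header whose footer is missing (reported as a fragment, not dropped) and several files in sequence, and records a hash of each carved file for the report. The signature table, the size cap and the sample image are assumptions made for illustration.

```python
"""Header/footer file carver for raw (unallocated) data.

Constructed example: the signature table and sample image are assumptions
for illustration, not taken from any tool named on the page."""
import hashlib
from dataclasses import dataclass

# Header ("preamble") and footer bytes for the file types we carve.
# JPEG: SOI marker FF D8 FF ... EOI marker FF D9.
# PNG: 8-byte signature ... IEND chunk (type + CRC).
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024  # upper bound on one carved file


@dataclass
class CarvedFile:
    kind: str
    offset: int       # byte offset of the header in the image
    data: bytes
    complete: bool    # False when no footer was found (fragment)

    @property
    def sha256(self) -> str:
        """Hash recorded so the carved file can be referenced in the report."""
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Scan a raw image for file headers and return the files found.

    Carving ignores the file system entirely, so it recovers deleted files
    whose metadata is gone, but it has known blind spots: a JPEG with an
    embedded thumbnail ends at the thumbnail's EOI, and fragmented files are
    not reassembled. A header with no footer within max_size is reported as
    an incomplete fragment rather than silently dropped.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append(CarvedFile(kind, start, image[start:start + max_size], False))
                pos = start + len(header)  # keep scanning inside the fragment
            else:
                end += len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    found.sort(key=lambda f: f.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': two small JPEGs and a PNG whose tail is gone."""
    filler = b"\x00" * 64
    jpeg1 = b"\xFF\xD8\xFF\xE0" + b"JFIF-photo-one" + b"\xFF\xD9"
    jpeg2 = b"\xFF\xD8\xFF\xE1" + b"Exif-photo-two" + b"\xFF\xD9"
    png_fragment = b"\x89PNG\r\n\x1a\n" + b"IHDR-truncated-no-IEND"
    return filler + jpeg1 + filler + jpeg2 + filler + png_fragment + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        state = "complete" if f.complete else "FRAGMENT"
        print(f"{f.kind:5} @ {f.offset:6d} {len(f.data):6d} bytes {state} sha256={f.sha256[:16]}...")
```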


• AccessData Group for Forensic Toolkit (FTK)
• ArcSight for ArcSight Logger
• Guidance Software for EnCase Forensic
• NetWitness for NetWitness NextGen 9.5
• Quest Software for Quest ChangeAuditor


Principles:

The fundamental principles of computer forensics can be thought of as rules governing the way in which digital evidence is handled which allow such evidence to be admissible in court.

Immediately we can see that any attempt to define these principles is made difficult by the fact that legislation concerning digital evidence differs from country to country. Nevertheless, attempts have been made to standardise principles on an international basis and the following are commonly agreed upon:

– The act of collecting digital evidence should not result in any alteration of the data in question, wherever this is possible
– All handling of digital evidence (from collection through to preservation and analysis) must be fully documented
– Access to original digital evidence should be restricted to those deemed "forensically competent"

Each of the above principles requires more detailed explanation to be properly appreciated and understood, and debate continues regarding their implementation. For example, how are situations where it is impossible to avoid the alteration of some data during evidence collection to be handled (e.g. during live analysis)? What does "fully documented" mean, and how are details of an investigation to be recorded? How do you determine if someone is "forensically competent"?


Why is Computer Forensics Important?

Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a "defense-in-depth" approach to network and computer security ("Defense in depth is designed on the principle that multiple layers of different types of protection from different vendors provide substantially better protection"). For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.

[Diagram: Computer Forensics fundamentals. Labels recovered from the figure: Fundamentals; Military; Acquisition; Analysis; Examination; Report; Investigation; Criminal; Frye; FRE 702; Daubert/Kumho; Civil; Federal Rules of Civil Procedure; Sedona; Rowe; Rules of Evidence; Expert Witness; Friend of the Court; Technical Expert; Presentation; Standards & Guidelines; Law Enforcement; Private Sector; Computer Forensics.]


REQUIREMENTS:

• Hardware
  – Familiarity with all internal and external devices/components of a computer
  – Thorough understanding of hard drives and settings
  – Understanding motherboards and the various chipsets used
  – Power connections
  – Memory
• BIOS
  – Understanding how the BIOS works
  – Familiarity with the various settings and limitations of the BIOS
• Operating Systems
  – Windows 3.1/95/98/ME/NT/2000/2003/XP
  – DOS
  – UNIX
  – LINUX
  – VAX/VMS
• Software
  – Familiarity with most popular software packages such as Office


DIGITAL FORENSICS


What is Digital Forensics?

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early '80s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. Forensics may also feature in the private sector, such as during internal corporate investigations or intrusion investigation (a specialist probe into the nature and extent of an unauthorized network intrusion).

The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved: computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents. Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions), often involving complex time-lines or hypotheses.


HISTORY:

Prior to the 1980s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking, and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990.

1980s–1990s: Growth of the field

The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations. For example, in 1984 the FBI launched a Computer Analysis and Response Team and the following year a computer crime department was set up within the British Metropolitan Police fraud squad. As well as being law enforcement professionals, many of the early members of these groups were also computer hobbyists and became responsible for the field's initial research and direction.

Throughout the 1990s there was high demand for these new, and basic, investigative resources. The strain on central units led to the creation of regional, and even local, level groups to help handle the load. For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime, with personnel located both centrally in London and with the various regional police forces (the unit was folded into the Serious Organised Crime Agency (SOCA) in 2006).


During this period the science of digital forensics grew from the ad-hoc tools and techniques developed by these hobbyist practitioners. This is in contrast to other forensics disciplines which developed from work by the scientific community. It was not until 1992 that the term "computer forensics" was used in academic literature (although prior to this it had been in informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic science world. This swift development resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K. Rosenblatt wrote:

    Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts, the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives.

2000s: Developing standards

Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. The Scientific Working Group on Digital Evidence (SWGDE) produced a 2002 paper, "Best practices for Computer Forensics"; this was followed, in 2005, by the publication of an ISO standard (ISO 17025, General requirements for the competence of testing and calibration laboratories). A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other European nations) and ratified by 16.

The issue of training also received attention. Commercial companies (often forensic software developers) began to offer certification programs and digital forensic analysis was included as a topic at the UK specialist investigator training facility, Centrex.

Since the late 1990s mobile devices have become more widely available, advancing beyond simple communication devices, and have been found to be rich sources of information, even for crime not traditionally associated with digital forensics. Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices.


Focus has also shifted onto internet crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by the United States Joint Forces Command concluded:

    Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication.

The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital Forensic Research: The Good, the Bad and the Unaddressed", by Peterson and Shenoi identified a bias towards Windows operating systems in digital forensics research. In 2010 Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators. The paper also identified continued training issues, as well as the prohibitively high cost of entering the field.

[Figure: Aerial photo of FLETC, where US digital forensics standards were developed in the 1980s and '90s]


PROCESS:

The basic process of forensics:

– Identification
– Collection
– Preservation
– Examination
– Analysis
– Reporting

• The process of digital forensics is the same as other forensic sciences
• Not all applications of digital forensics are designed to produce evidence, but all require reliability, integrity, and veracity:
  – Information security incident response
  – Intelligence gathering
  – Policy compliance
  – Remediation
  – Research


During the analysis phase an investigator recovers evidence material using a number of different methodologies and tools. In 2002, an article in the International Journal of Digital Evidence referred to this step as "an in-depth systematic search of evidence related to the suspected crime." In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which obvious evidence is first identified and then "exhaustive searches are conducted to start filling in the holes."

The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extracting registry information (for example to list user accounts, or attached USB devices).

The evidence recovered is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialised staff. When an investigation is complete the data is presented, usually in the form of a written report, in lay person's terms.

APPLICATION:

Digital forensics is commonly used in both criminal law and private investigation. Traditionally it has been associated with criminal law, where evidence is collected to support or oppose a hypothesis before the courts. As with other areas of forensics this is often part of a wider investigation spanning a number of disciplines. In some cases the collected evidence is used as a form of intelligence gathering, used for purposes other than court proceedings (for example to locate, identify or halt other crimes). As a result, intelligence gathering is sometimes held to a less strict forensic standard.

In civil litigation or corporate matters digital forensics forms part of the electronic discovery (or eDiscovery) process. Forensic procedures are similar to those used in criminal investigations, often with different legal requirements and limitations. Outside of the courts digital forensics can form a part of internal corporate investigations.

A common example might be following an unauthorized network intrusion. A specialist forensic examination into the nature and extent of the attack is performed as a damage limitation exercise, both to establish the extent of any intrusion and in an attempt to identify the attacker. Such attacks were commonly conducted over phone lines during the 1980s, but in the modern era are usually propagated over the Internet.


The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of inquiry.

Attribution
Metadata and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.

Alibis and statements
Information provided by those involved can be cross-checked with digital evidence. For example, during the investigation into the Soham murders the offender's alibi was disproved when mobile phone records of the person he claimed to be with showed she was out of town at the time.

Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing "How to kill people".

Evaluation of source
File artifacts and metadata can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Globally Unique Identifier into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.

Document authentication
Related to "Evaluation of source", metadata associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.


TOOLS

Bootable Environments
Used to boot a suspect system into a trusted state.

Data Acquisition
Used to collect data from a dead or live suspect system.

Volume System
Used to examine the data structures that organize media, such as partition tables and disk labels.

File System
Used to examine a file system or disk image and show the file content and other metadata.

Application
Used to analyze the contents of a file (i.e. at the application layer).

Network
Used to analyze network packets and traffic. This does not include logs from network devices.

Memory
Used to analyze memory dumps from computers.

Frameworks
Frameworks used to build custom tools.

Limitations
One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. Laws to compel individuals to disclose encryption keys are still relatively new and controversial.


COMMUNITIES

There are at least 3 distinct communities within Digital Forensics:

• Law Enforcement
• Military
• Business & Industry
• Possibly a 4th
  – Academia


Subcategories of DFS

There is a consensus that there are at least 3 distinct types of DFS analysis:

Media Analysis
– Examining physical media for evidence

Code Analysis
– Review of software for malicious signatures

Network Analysis
– Scrutinize network traffic and logs to identify and locate

Media Analysis
May often be referred to as computer forensics. It is more accurate to call it media analysis, as the focus is on the various storage media (e.g., hard drives, RAM, flash memory, PDAs, diskettes etc.). It excludes network analysis.

The 3 A's

The basic methodology consists of the 3 A's:

– Acquire the evidence without altering or damaging the original.
– Authenticate the image.
– Analyze the data without modifying it.
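The 3 A's carried through in code, as an added example that is not from the page; the same pattern also covers the "make a copy and analyse the copy" step in the Process section earlier. The examiner name, the sample device contents and the keyword analysis are constructed assumptions. Acquisition hashes the source in the same pass that copies it, authentication compares the image hash against those source hashes, and analysis runs on a read-only view and re-hashes afterwards, with each step written to a chain-of-custody log.

```python
"""Acquire, Authenticate, Analyze with a chain-of-custody record.

Constructed example: the examiner name, the sample 'device' and the keyword
analysis are assumptions made for illustration."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so an image larger than RAM can still be hashed


def hash_stream(stream, sink=None, algorithms=("sha256", "sha1")):
    """Hash a stream in chunks, copying it to sink if given; returns {alg: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        if sink is not None:
            sink.write(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class Acquisition:
    """One evidence item carried through the 3 A's, logging every step."""

    def __init__(self, examiner: str, description: str):
        self.examiner = examiner
        self.description = description
        self.image = b""
        self.source_hashes = {}
        self.custody_log = []

    def _record(self, action: str, **detail):
        self.custody_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            **detail,
        })

    def acquire(self, source) -> dict:
        """Acquire: copy the source end to end, hashing it in the same pass.

        The source is only ever read; in practice it sits behind a hardware
        write blocker so that no write can reach it."""
        out = io.BytesIO()
        self.source_hashes = hash_stream(source, sink=out)
        self.image = out.getvalue()
        self._record("acquire", source=self.description, size=len(self.image), **self.source_hashes)
        return self.source_hashes

    def authenticate(self) -> dict:
        """Authenticate: the image must hash to exactly what the source hashed to."""
        image_hashes = hash_stream(io.BytesIO(self.image))
        match = image_hashes == self.source_hashes
        self._record("authenticate", match=match, **image_hashes)
        if not match:
            raise ValueError("image hash does not match source hash; image is not authentic")
        return image_hashes

    def analyze(self, analysis):
        """Analyze: run on a read-only view, then prove nothing changed by re-hashing."""
        view = memoryview(self.image).toreadonly()
        result = analysis(view)
        unchanged = hash_stream(io.BytesIO(self.image)) == self.source_hashes
        self._record("analyze", analysis=analysis.__name__, hash_unchanged=unchanged)
        if not unchanged:
            raise RuntimeError("evidence image changed during analysis")
        return result


def find_keyword(view: memoryview, keyword: bytes = b"password") -> list:
    """Sample analysis: offsets of a keyword anywhere in the image (files, slack, unallocated)."""
    data = view.tobytes()
    hits, pos = [], 0
    while (pos := data.find(keyword, pos)) != -1:
        hits.append(pos)
        pos += len(keyword)
    return hits


# Constructed stand-in for a small storage device.
SAMPLE_DEVICE = (b"\x00" * 16 + b"user: alice\npassword: hunter2\n"
                 + b"\x00" * 16 + b"old password: secret\n")


def run_sample() -> tuple:
    """Carry the sample device through all three A's; returns (keyword hits, custody log)."""
    acq = Acquisition("examiner-A", "constructed USB stick")
    acq.acquire(io.BytesIO(SAMPLE_DEVICE))
    acq.authenticate()
    return acq.analyze(find_keyword), acq.custody_log


def analysis_cannot_modify() -> bool:
    """The read-only view makes any write attempt during analysis fail with TypeError."""
    acq = Acquisition("examiner-A", "constructed USB stick")
    acq.acquire(io.BytesIO(SAMPLE_DEVICE))
    acq.authenticate()

    def overwrite(view):
        view[0] = 0xFF

    try:
        acq.analyze(overwrite)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    hits, log = run_sample()
    print("keyword offsets:", hits)
    for entry in log:
        print(entry)
```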


Branches in DIGITAL FORENSICS

Branches of Digital Forensics include:

– Network Forensics
– Firewall Forensics
– Database Forensics
– Mobile Device Forensics

The names of the different branches speak to the different areas on which they focus.


NETWORK FORENSICS


Unlike computer forensics, which retrieves information from the computer's disks, network forensics in addition retrieves information on which network ports were used to access the network.

There are several differences that separate the two, including the following:

– Unlike computer forensics, where the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly on a higher level of knowledge of the system, the network investigator and the adversary are at the same skill level.
– In many cases, the investigator and the adversary use the same tools: one to cause the incident, the other to investigate the incident. In fact many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, used to gain information on network configurations, can be used by both the investigator and the criminal.
– While computer forensics deals with extraction, preservation, identification, documentation, and analysis, and still follows well-defined procedures springing from law enforcement for acquiring, providing chain-of-custody, authenticating, and interpretation, network forensics on the other hand has nothing to investigate unless steps were in place (like packet filters, firewalls, and intrusion detection systems) prior to the incident.


AGENDA:

• Introduction to network forensics
• Tracing the intrusion process
• Elements of an end-to-end forensic trace
• Log analysis and correlation (discussion with System Administrators from ERC)
  – Perimeter Network
    • Everything outside the firewall(s) and touching external public networks such as the Internet
  – End-to-End
    • From the attack computer to the victim computer and everything between
  – Log correlation
    • Matching elements of various logs for consistency in time, date, source, destination, event and protocol
  – Ambient data
    • Data that has been erased but is still present and must be forensically extracted, and data that exists in swap files and slack space
  – Attack scenario
    • The events that make up an attack organized into their logical sequence


INTRUSION PROCESS:

• What network forensics can do if successful
  – Show a path that the intruder took over the network
  – Reveal intermediate intrusions
  – Provide leads and corroborating evidence
• What network forensics cannot do
  – Solve the case alone
  – Tie the suspect to the attacks (usually)
• Potential pitfalls
  – Normal computer/network activity sometimes looks like attack activity (false positives; difficult to make a case)
  – Gaps in the chain of evidence
  – No, ambiguous, or incomplete logs
  – International involvement
• How intruders intrude – general case
  – Information gathering
    • Does not touch the victim
  – Footprinting
  – Enumerating
  – Probing for weaknesses
  – Penetration
  – Back dooring, trojans, etc.
  – Cleanup


• Collecting the evidence
  – Information gathering
    • Files or ambient data on attack computer
  – Footprinting
    • Files or ambient data on attack computer and log entries in intermediate devices
  – Enumerating
    • Files or ambient data on attack computer and log entries in intermediate devices
  – Probing for weaknesses
    • Files or ambient data on attack computer and log entries in intermediate devices and the victim
  – Penetration
    • Files or ambient data on attack computer and the victim, and log entries in intermediate devices and the victim
  – Back dooring, trojans, etc.
    • Files or ambient data on attack computer and the victim, and log entries in intermediate devices and the victim
    • Run a scanner to determine existence.
  – Cleanup
    • Files or ambient data on attack computer and the victim, and log entries in intermediate devices and the victim


Elements of an End-to-End Forensic Trace:

• The end-to-end concept
  – Applies predominantly to penetration attempts but may be used for other types of attack investigations
  – The attack starts at the attack computer, passes through intermediate devices and ends at the victim if successful
  – Evidence resides on each device in the path from the attack computer to the victim
  – By using appropriate forensic techniques the whole path can be forensically documented as evidence (called a "chain of evidence"), including, in some cases, evidence of premeditation or intent
• Looking for evidence
  – Attack computer, intermediate computers
    • Logs, files, ambient data, tools
  – Firewalls
    • Logs
    • If the firewall was the victim, the same as on any victim
  – Internetworking devices
    • Logs and buffers as available
  – Victim
    • Logs, files, ambient data, altered config and other files, remnants of trojaned files, files that don't match hash sets, tools, trojans and viruses, stored stolen files, web defacement remnants.


• Correlations – preliminaries
  – Objectives
    • Match data on attack and victim computers
    • Find evidence of attack and/or victim on intermediate systems
    • Find evidence on attack computer that it was used to gather information about, footprint and enumerate the victim's network
  – Match logs of all involved devices for a timeline of events
  – Analyze monitors (IDS, firewall, host logs, etc.) for events that indicate probing, penetration attempts, etc.
• Some pitfalls of network evidence collection
  – Logs roll rapidly on large systems – data can be lost in a very short time
  – Legal wranglings are necessary to obtain evidence from certain sources such as ISPs
    • Takes time, may cost evidence
  – There can be gaps in the evidence chain that need to be inferred – open to challenge in court
• Analysis of individual events
  – Host logs, firewall logs, intrusion detection logs
• Event correlation
  – Same events showing in single or multiple data sources with different names (normalizing)
  – Removing redundancies – the same event showing multiple times in single or multiple sources (deconfliction)


– Objective is to identify every unique instance of an event and only the

unique instances

– Normalized events are useful for chain of evidence, deconflicted

events are useful for statistical analysis and timeline analysis

• Timeline analysis and chain of evidence construction

Log Analysis and Correlation:

• Syslogs, messages logs, other Unix host logs

Messages Log

Mar 9 17:54:35 nile ftpd[1556]: lost connection to 231-216.205.122.dellhost.com [216.205.122.231]
Mar 9 17:54:35 nile ftpd[1556]: FTP session closed
Mar 9 17:54:35 nile inetd[502]: pid 1556: exit status 255
Mar 9 22:20:22 nile pumpd[557]: renewed lease for interface eth0
Mar 10 04:02:01 nile anacron[1748]: Updated timestamp for job `cron.daily' to 2002-03-10
Mar 10 04:02:59 nile PAM_pwdb[2399]: (su) session opened for user news by (uid=0)
Mar 10 04:03:00 nile PAM_pwdb[2399]: (su) session closed for user news
Mar 10 04:22:01 nile anacron[2455]: Updated timestamp for job `cron.weekly' to 2002-03-10
Mar 10 08:50:22 nile pumpd[557]: renewed lease for interface eth0
Mar 10 16:12:06 nile ftpd[8929]: ANONYMOUS FTP LOGIN FROM 200.68.32.185 [200.68.32.185], lamer@
Mar 10 11:12:25 nile inetd[502]: pid 8929: exit status 141
Mar 10 11:13:08 nile ftpd[8965]: FTP LOGIN FROM pcp01103425pcs.aubrnh01.mi.comcast.net [68.62.72.193], pstephen


Security/Auth Log

Mar 9 13:07:49 nile in.telnetd[1315]: connect from 68.62.72.193
Mar 9 13:09:24 nile in.rlogind[1321]: connect from 68.62.72.193
Mar 9 13:09:27 nile in.ftpd[1326]: connect from 68.62.72.193
Mar 9 13:09:28 nile in.rshd[1329]: connect from 68.62.72.193
Mar 9 13:09:28 nile in.telnetd[1333]: connect from 68.62.72.193
Mar 9 13:09:31 nile in.fingerd[1334]: connect from 68.62.72.193
Mar 9 13:12:13 nile in.fingerd[1352]: connect from 68.62.72.193
Mar 9 13:12:13 nile in.rlogind[1357]: connect from 68.62.72.193
Mar 9 13:12:14 nile in.rshd[1360]: connect from 68.62.72.193
Mar 9 13:12:16 nile in.telnetd[1365]: connect from 68.62.72.193
Mar 9 13:12:18 nile in.ftpd[1368]: connect from 68.62.72.193
Mar 9 13:15:23 nile in.ftpd[1382]: connect from 68.62.72.193
Mar 9 13:15:24 nile in.telnetd[1384]: connect from 68.62.72.193
Mar 9 13:15:27 nile in.rshd[1396]: connect from 68.62.72.193
Mar 9 13:15:28 nile in.rlogind[1398]: connect from 68.62.72.193
Mar 9 13:15:29 nile in.fingerd[1400]: connect from 68.62.72.193
Mar 9 13:26:43 nile login: ROOT LOGIN ON tty1
Mar 9 13:37:15 nile in.ftpd[1447]: connect from 68.62.72.193
Mar 9 13:37:44 nile in.fingerd[1448]: connect from 68.62.72.193
Mar 9 17:17:19 nile in.telnetd[1521]: connect from 12.87.62.43
Mar 9 17:17:26 nile login: LOGIN ON 0 BY pstephen FROM 43.detroit-16-17rs.mi.dial-access.att.net
Mar 9 17:50:13 nile in.ftpd[1556]: connect from 216.205.122.231
Mar 10 11:12:02 nile in.ftpd[8929]: connect from 200.68.32.185
Mar 10 11:13:07 nile in.ftpd[8965]: connect from 68.62.72.193

Note the three rounds of connections from 68.62.72.193 (13:09, 13:12, 13:15), each touching the same five inetd services within a few seconds: the pattern of a service scan, and the kind of repeated event that deconfliction later collapses into one record. Note also that the messages-log line for pid 8929 (ANONYMOUS FTP LOGIN) is stamped 16:12:06, while the auth log shows that connection arriving at 11:12:02 and inetd reporting its exit at 11:12:25; a timestamp that does not fit the surrounding records from the same host is exactly the kind of discrepancy that cross-source correlation is meant to surface, and it must be explained before the timeline is relied on.


TCPDump logs

11:30:27.181108 eth0 < pcp01103425pcs.aubrnh01.mi.comcast.net.17697 > nile.ftp: . 1:1(0) ack 1 win 4288 (DF)
11:30:27.190617 eth0 > arp who-has ubr01-a-rtr.aubrnh01.mi.comcast.net tell nile (0:0:86:54:50:5b)
11:30:27.198369 eth0 < arp reply ubr01-a-rtr.aubrnh01.mi.comcast.net is-at 0:5:5f:e9:10:54 (0:0:86:54:50:5b)
11:30:27.207662 eth0 < ns02.pntiac01.mi.comcast.net.domain > nile.1025: 20012 1/2/2 PTR pcp01103425pcs.aubrnh01.mi.comcast.net. (174) (DF)
11:30:27.218149 eth0 < ns02.pntiac01.mi.comcast.net.domain > nile.1025: 20013 1/2/2 A pcp01103425pcs.aubrnh01.mi.comcast.net (151) (DF)
11:30:27.230334 eth0 < ns02.pntiac01.mi.comcast.net.domain > nile.1025: 20014 1/2/2 PTR pcp01103425pcs.aubrnh01.mi.comcast.net. (174) (DF)
11:30:27.231013 eth0 > nile.ftp > pcp01103425pcs.aubrnh01.mi.comcast.net.17697: P 1:80(79) ack 1 win 32120 (DF) [tos 0x10]
11:30:27.253084 eth0 < pcp01103425pcs.aubrnh01.mi.comcast.net.17697 > nile.ftp: P 1:16(15) ack 80 win 4209 (DF)
11:30:27.253122 eth0 > nile.ftp > pcp01103425pcs.aubrnh01.mi.comcast.net.17697: . 80:80(0) ack 16 win 32120 (DF) [tos 0x10]


Intrusion Detection Log (RealSecure)

• Correlating data from multiple sources
  – Normalizing
    • The same event may have different names depending upon the source
      – Translating IDS codes, for example:
        » Cisco NetRanger: 4052
        » ISS RealSecure: Chargen_Denial_of_Service
    • Use the normalized events to build a chain of evidence

Event Date       Event Name     Protocol ID  Src Port  Dest Port  Src Port Name  Dest Port Name  Src Address     Dest Address  Engine IP
9/10/2001 11:27  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.230.102  192.168.9.243
9/10/2001 11:27  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.230.102  192.168.9.243
9/10/2001 11:27  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.4.18.245   192.168.9.243
9/10/2001 11:27  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.4.18.245   192.168.9.243
9/10/2001 11:27  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.4.18.245   192.168.9.243
9/10/2001 11:27  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.4.18.245   192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  192.168.6.75  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  192.168.6.75  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  192.168.6.75  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  192.168.6.75  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.151.231  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.151.231  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.151.231  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.151.231  192.168.9.243
9/10/2001 11:44  SNMP_Activity  17           1030      162        1030           SNMPTRAP        192.168.10.199  10.1.151.246  192.168.9.243

Protocol ID 17 is UDP and destination port 162 is the SNMP trap port, so every row is an SNMP trap from the same station (192.168.10.199) to one of a handful of hosts, repeated several times within the same minute: the kind of duplicate that deconfliction collapses into a single event with a count.


– Deconfliction

• Same event shows up multiple times with same names

– Certain types of denial of service attacks

– Some penetration attacks

» Use care not to remove individual steps in an

attack scenario

• Same event repeated so rapidly that the logging device reports a

large number of the same event in a very short (sometimes sub-

second) period of time

• Multiple rapid events that make an attack scenario such as a

port scan

• Deconflicted events are used with normalized data to create an

event timeline

– Creating chain of evidence and event timelines

• Using deconflicted and normalized events on multiple data

sources, chart the chain of events into an event timeline

– Carefully note the timebase of various data sources and

correct to a common timebase

– Note events and attack scenarios – correlate connected

events into scenarios

• Document every assumption with evidence and, if possible,

corroboration using both forensic and traditional investigation
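The normalizing, deconfliction and common-timebase steps described in the "Correlations", "Event correlation" and "Creating chain of evidence and event timelines" bullets above, carried out end to end in code. This is an added example, not code from the original document: the host log lines are constructed in the style of the nile auth log shown earlier (year 2002 taken from the anacron entries), and the firewall log, its hostname fw1, the 120-second clock offset and the 60-second deconfliction window are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on the host logs shown above (host
# "nile", March 2002). Illustrative only, not the page's actual evidence.
# Syslog lines carry no year, so the year is supplied by the caller.
HOST_LOG = """\
Mar  9 13:09:24 nile in.rlogind[1321]: connect from 68.62.72.193
Mar  9 13:09:27 nile in.ftpd[1326]: connect from 68.62.72.193
Mar  9 13:09:28 nile in.rshd[1329]: connect from 68.62.72.193
Mar  9 13:09:28 nile in.telnetd[1333]: connect from 68.62.72.193
Mar  9 13:09:31 nile in.fingerd[1334]: connect from 68.62.72.193
Mar  9 13:09:32 nile in.fingerd[1335]: connect from 68.62.72.193
Mar  9 13:09:33 nile in.fingerd[1336]: connect from 68.62.72.193
Mar  9 17:17:19 nile in.telnetd[1521]: connect from 12.87.62.43
Mar  9 17:50:13 nile in.ftpd[1556]: connect from 216.205.122.231
"""

# Hypothetical firewall log for the same traffic (assumed, not from the page).
# Its clock was found to run 120 s fast, so every timestamp is corrected to
# the host's timebase before correlation.
FIREWALL_LOG = """\
Mar  9 13:11:27 fw1 kernel: ACCEPT src=68.62.72.193 dst=10.0.0.5 proto=tcp dpt=21
Mar  9 13:11:28 fw1 kernel: ACCEPT src=68.62.72.193 dst=10.0.0.5 proto=tcp dpt=514
Mar  9 17:52:13 fw1 kernel: ACCEPT src=216.205.122.231 dst=10.0.0.5 proto=tcp dpt=21
"""
FIREWALL_CLOCK_OFFSET = timedelta(seconds=120)

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"connect from (?P<src>\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(r"src=(?P<src>\S+) dst=\S+ proto=\S+ dpt=(?P<dpt>\d+)")

# Normalization tables: each source names the same service differently
# (inetd program name vs. destination port), so both map to one label.
PROG_TO_SERVICE = {"in.ftpd": "ftp", "in.telnetd": "telnet", "in.rlogind": "rlogin",
                   "in.rshd": "rsh", "in.fingerd": "finger"}
PORT_TO_SERVICE = {"21": "ftp", "23": "telnet", "513": "rlogin", "514": "rsh", "79": "finger"}


def parse_syslog(text, year):
    """Yield (timestamp, host, program, message) for each well-formed syslog line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["prog"], m["msg"]


def normalize(text, year, source, clock_offset=timedelta(0)):
    """Turn raw lines from one source into canonical connect events on a common timebase."""
    events = []
    for ts, _host, prog, msg in parse_syslog(text, year):
        if source == "host":
            m = CONNECT_RE.search(msg)
            service = PROG_TO_SERVICE.get(prog) if m else None
        else:  # firewall
            m = FW_RE.search(msg)
            service = PORT_TO_SERVICE.get(m["dpt"]) if m else None
        if service:
            events.append({"ts": ts - clock_offset, "src": m["src"], "service": service,
                           "event": "connect", "source": source})
    return events


def deconflict(events, window=timedelta(seconds=60)):
    """Collapse repeats of the same (src, service, event) that fall within `window`
    of each other into one record carrying a count, the first and last time seen,
    and the set of sources that reported it (cross-source corroboration)."""
    merged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["service"], e["event"])
        for m in reversed(merged):
            if (m["src"], m["service"], m["event"]) == key and e["ts"] - m["last"] <= window:
                m["count"] += 1
                m["last"] = e["ts"]
                m["sources"].add(e["source"])
                break
        else:
            merged.append({**e, "last": e["ts"], "count": 1, "sources": {e["source"]}})
    return merged


def build_timeline(year=2002):
    """Correlated timeline rows: (first seen, src, service, repeat count, sources)."""
    events = (normalize(HOST_LOG, year, "host")
              + normalize(FIREWALL_LOG, year, "firewall", FIREWALL_CLOCK_OFFSET))
    return [(m["ts"].strftime("%Y-%m-%d %H:%M:%S"), m["src"], m["service"],
             m["count"], sorted(m["sources"])) for m in deconflict(events)]


if __name__ == "__main__":
    for row in build_timeline():
        print(*row)
```

Without the clock correction the firewall's ACCEPT records would land two minutes after the host's connect records and would never merge with them; with it, the ftp and rsh connections are each reported by both sources, which is the corroboration a chain of evidence needs. The three finger connections a second apart collapse into one event with a count of 3, while the page's scan rounds three minutes apart would stay separate at a 60-second window; the window is a judgement the examiner must document.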


• Forensic handling of deleted or modified logs

– Useful only in certain types of systems

• Recovering deleted logs

– System must support recovery of ambient data

• Recovering altered logs

– Logging source must delete old log and create a new one

when the log is altered

– System must support recovery of ambient data

• Establishing that an attack actually occurred – event analysis applied

– Use normalized and deconflicted data from all sources in a

spreadsheet

No.  Event Name                 Total of Signature ID  9/10/2001  9/11/2001  9/12/2001  9/13/2001  9/14/2001  9/15/2001
1    FTP_Get                    2                      0          0          0          0          0          0
2    FTP_Pass                   11                     0          0          0          0          0          0
3    FTP_Put                    6                      0          0          0          0          0          0
4    FTP_Site_Cmd               14                     0          0          0          0          0          0
5    FTP_Syst                   14                     0          0          0          0          0          0
6    FTP_User                   14                     0          0          0          0          0          0
7    IPDuplicate                91                     1          0          0          0          0          0
8    IPUnknownProtocol          2                      0          0          1          0          0          0
9    Netbios_Session_Rejected   28                     0          0          0          0          0          0
10   SNMP_Activity              49084                  840        1028       964        1134       981        60


• Establishing that an attack actually occurred – event analysis applied
  – Examine the event distribution
  – Chart the number of instances of each event type by day during the attack window

[Chart: "IDS Signatures 9/10 - 9/28"; number of instances per day (y-axis 0 to 300) from 9/10/2001 to 9/28/2001 for each signature: FTP_Get, FTP_Pass, FTP_Put, FTP_Site_Cmd, FTP_Syst, FTP_User, IPDuplicate, IPUnknownProtocol, Netbios_Session_Rejected, Nmap_Scan, PingFlood, Port_Scan, SNMP_Community, Stream_DoS, SYNFlood, TelnetTerminaltype, Windows_Access_Error, Windows_Null_Session]


New Techniques:

• Establishing that an attack actually occurred – event analysis applied
  – Correlate event distribution by both event and time
    • The Windows Access Error event occurred a total of 328 times, but 260 of them were on a single day
  – Look for unexplained peaks that lead up to the main event
    • If there are none, an attack probably did not occur
  – Look for corroborating evidence whether or not you believe an attack occurred
    • If you cannot corroborate the attack in other ways, it is unlikely that one occurred
  • Ensure that your explanation makes sense and fits the evidence

• Establishing premeditation
  – Pre-attack events against a victim that are traceable to the same source may be used to establish premeditation
    • Port scans, Nmap scans, other probes and penetration attempts
  – Usually most effective with penetration attacks
  – Least effective with script-kiddie attack "sweeps" that have no pre-attack probes, and with DDoS (unless you can establish pre-attack activity on the "zombies")
  – Most effective with full packet decode logs, e.g. from the Snort IDS
  – Begin with the same data analysis used to prove that an attack actually occurred
    • Assume for our purposes that you decided there was an attack
  – Look for pre-attack activity up to a month prior to the successful attack
  – Observe source and destination data, and beware of source spoofing: a probe whose source address is forged does not tie the pre-attack activity to the attacker


• Establishing premeditation – an easy approach using attack prediction

techniques

– Pick the top ten events over the course of the pre-attack period

examined

– Calculate the three day moving average (3DMA) of events reported

per day – plot on a chart such as the one used previously

– Set control limits by calculating the standard deviation of the average

over the period, multiply by 2 (2-sigma control limits)

– When the 3DMA exceeds the 2-sigma limit or there are three or more

increases in the 3DMA without intervening decreases there is a

positive attack prediction factor as defined by the Honeynet Project’s

research

• A positive attack prediction factor probably indicates premeditation if it can

be traced to the same attacker
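The 3DMA / 2-sigma attack prediction procedure above, carried through in code as an added example (not code from the original document or from the Honeynet Project). The daily counts are constructed; two details the text leaves open are taken as assumptions here: the standard deviation is computed over the 3DMA series itself, and each moving-average value is attributed to the last day of the three it covers.

```python
from statistics import pstdev

# Constructed daily counts of one IDS event type over a 19-day pre-attack
# window (9/10 to 9/28); illustrative only, not the page's data.
DAILY_COUNTS = [4, 5, 3, 4, 6, 5, 4, 5, 7, 9, 12, 18, 30, 52, 6, 4, 5, 3, 4]


def moving_average(counts, n=3):
    """n-day moving average; entry i covers days i .. i+n-1 of `counts`."""
    return [sum(counts[i:i + n]) / n for i in range(len(counts) - n + 1)]


def control_limit(series, k=2.0):
    """Upper control limit: mean of the series plus k standard deviations.
    Assumption: sigma is taken over the moving-average series itself."""
    mean = sum(series) / len(series)
    return mean + k * pstdev(series)


def rising_runs(series, runs=3):
    """Indexes at which the series has increased `runs` consecutive times with
    no intervening decrease (an equal value resets the streak)."""
    hits, streak = [], 0
    for i in range(1, len(series)):
        streak = streak + 1 if series[i] > series[i - 1] else 0
        if streak >= runs:
            hits.append(i)
    return hits


def attack_prediction(counts, n=3, k=2.0, runs=3):
    """Apply both rules and report which days (0-based index into `counts`)
    triggered each one, plus the overall attack prediction factor."""
    ma = moving_average(counts, n)
    limit = control_limit(ma, k)
    shift = n - 1  # ma[i] is attributed to the last day it covers
    over_limit = [i + shift for i, v in enumerate(ma) if v > limit]
    rises = [i + shift for i in rising_runs(ma, runs)]
    return {"moving_average": ma, "limit": limit, "over_limit_days": over_limit,
            "rising_days": rises, "positive": bool(over_limit or rises)}


if __name__ == "__main__":
    r = attack_prediction(DAILY_COUNTS)
    print(f"2-sigma limit on the 3DMA: {r['limit']:.2f}")
    print("days on which the 3DMA exceeds the limit:", r["over_limit_days"])
    print("days ending a run of 3+ increases:", r["rising_days"])
    print("positive attack prediction factor:", r["positive"])
```

On the sample series the rising-run rule fires on days 10 to 13, before the 2-sigma rule fires on days 13 and 14, which is the point of the technique: the ramp of probes is visible before the peak. A flat series triggers neither rule. A positive factor is only evidence of premeditation once the events behind it are traced to the same source, as the text says.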

• Preparing for litigation or transfer to law enforcement

– Treat every case as if it will end up in federal prosecution

• Most won’t

– Maintain chain of custody

– Create a case report in sections

• Simple explanations that non-technical readers will be

comfortable with

• Full details for techies

• Evidence listing with chain of custody

– Reports and evidence from logs and EnCase analysis

• Interview notes


Tools

• Tcpdump

• Argus

• NFR

• Tcpwrapper

• Sniffers

• Nnstat

• A line printer

• Tripwire

• Backups


Backtracking:

• Nowadays hackers are increasingly sophisticated about hiding tracks

– The ones that are good, you won’t catch

– The ones that you can catch aren’t worth catching

• Very few good tools for backtracking are available

Hidden Directories:

• Warez: slang for pirated software
• Warez are often hidden in FTP or web areas using odd directory names that a casual directory listing overlooks:
  – "..." (three dots)
  – " " (a single space)
  – "normal " (an ordinary name with a trailing space)
• Check FTP areas for new directories

Finding Hacker-Prints:

• Search the suspected compromised system for new or recently modified files:
  – find / -mtime -30 -print
    • Caveat: -mtime trusts the file's own timestamps, and an attacker who has run a date changer such as zap (listed under Tools to Look for below) will have reset them, so a backdated trojan will not show up
  – Use Tripwire, which compares cryptographic hashes of files against a baseline taken on the clean system and is not fooled by altered timestamps
  – Restore filesystems to a different disk and compare all the files (slow and painful!)
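The two checks above (odd directory names in the FTP area, and recently modified files versus a hash baseline) written out as an added example; it is not code from the original document. It builds a throwaway directory tree, takes a baseline, then plays the intruder: a warez stash in a "..." directory, and a trojaned ls whose modification time is reset the way a date changer such as zap would. The tree layout, file contents and the 30-day window are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
import time


def is_suspicious_name(name):
    """Names used to hide entries from a casual listing: only dots ("..."),
    only whitespace, leading or trailing whitespace ("normal "), or control characters."""
    if name in (".", ".."):
        return False
    if name != name.strip() or name.strip() == "":
        return True
    if set(name) <= {"."}:
        return True
    return any(ord(c) < 32 for c in name)


def scan_tree(root, days):
    """One walk of `root` returning (suspicious names, files modified in the last
    `days`, sha256 of every file). Paths are relative to `root`, '/'-separated."""
    cutoff = time.time() - days * 86400
    suspicious, recent, hashes = [], [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if is_suspicious_name(name):
                suspicious.append(rel)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.stat(full).st_mtime >= cutoff:   # what `find -mtime -days` would report
                recent.append(rel)
            with open(full, "rb") as f:
                hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return sorted(suspicious), sorted(recent), hashes


def compare_hashes(baseline, current):
    """Tripwire-style comparison of a clean baseline against the current tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed


def run_demo(days=30):
    """Build a hypothetical tree, baseline it, simulate the intruder, investigate."""
    root = tempfile.mkdtemp(prefix="nile-")
    try:
        ls = os.path.join(root, "bin", "ls")
        os.makedirs(os.path.dirname(ls))
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        old = time.time() - 90 * 86400           # installed long before the incident
        os.utime(ls, (old, old))
        _, _, baseline = scan_tree(root, days)   # clean-system hash set

        # Intruder: warez stash in a "..." directory under the FTP area ...
        stash = os.path.join(root, "pub", "...")
        os.makedirs(stash)
        with open(os.path.join(stash, "warez.zip"), "wb") as f:
            f.write(b"PK\x05\x06" + b"\x00" * 18)
        # ... and a trojaned ls whose mtime is reset (zap-style) to hide it from find -mtime.
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ls \"$@\" | grep -v warez\n")
        os.utime(ls, (old, old))

        suspicious, recent, current = scan_tree(root, days)
        added, removed, changed = compare_hashes(baseline, current)
        return {"suspicious": suspicious, "recent": recent,
                "added": added, "removed": removed, "changed": changed}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The result shows why the page lists three methods rather than one: the mtime sweep finds the new warez file but misses the backdated bin/ls entirely, while the hash comparison catches bin/ls and the name check catches the "..." directory. The baseline only means something if it was taken (and stored off the suspect system) before the compromise.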


Tools to Look for :

• nuke - icmp bomb program

• rootkit - trojans and patches

• cloak - log clearer

• zap - file date changer

• icepick - penetration test tool

• toneloc - wargames dialer

Law Enforcement

• FBI:
  – Jurisdiction over electronic crime
• Secret Service (part of the Treasury Department when this was written; part of the Department of Homeland Security since 2003):
  – Credit card fraud
  – Attacks against financial organisations
• Law enforcement interest depends on how attractive the case is
• Law enforcement is still largely Internet-ignorant
  – Expect to have to educate them, which is often not worth the effort
• The situation is improving rapidly
  – Your mileage, however, may vary wildly depending on location


Watching the Bad Guy :

• Get a copy of cloak and watch the attacker semi-invisibly

– If they see they are being watched they will leave and may destroy

the machine

• If they have forgotten to disable shell command history you can get a good

idea what commands they are using

• Building booby-trapped telnet/rlogin clients lets you monitor everything the

attacker does

– Sometimes the attacker will reveal themselves

• Social engineer the attacker

– Sometimes the attacker will brag on IRC

– Sometimes you can learn who it is by piquing their ego

• Leave a modem number someplace for the attacker to find

– Make sure modem is connected to callerID

• If they leave warez or tools in FTP area

– Log who retrieves them

– Replace warez with files of white noise

– Contact site admins at sites downloading the software


Legal Issues:

• You may not be able to use hacker techniques against them
• Laws for gathering evidence are confusing
• Logs may or may not be admissible
• The perpetrator may or may not be prosecutable

When to Quit?

• Eventually it may be easier to unplug the network for a day or two and just clean up
• Use the clean-up time to improve security and logging


FIREWALL FORENSICS


WHAT IS FIREWALL FORENSICS

The firewall is a vital element of the security of a private network. It is placed at the boundary between the private network and the Internet and implements an access control policy for the TCP/IP traffic exchanged between the two networks. All packets exchanged between the private network and the Internet must pass through the firewall so that they can be filtered according to the implemented access control policy. This policy consists of filtering rules which examine each incoming and outgoing TCP/IP packet individually in order to allow or deny its transit through the firewall.

By port numbering, network hosts are able to distinguish one TCP or UDP service from another at a given IP address. This way one server machine can provide many different services without conflicts among the incoming and outgoing data.

Types of Firewalls

Firewalls can be set up to offer security services at several TCP/IP layers. The many types of firewalls are classified by the network layer at which they operate and by the types of services they offer. They include:

Packet Inspection Firewalls - routers that inspect the source and destination addresses and ports of incoming or outgoing TCP, UDP and ICMP packets sent between networks and accept or reject each packet based on the specific packet policies set in the organisation's security policy.

Application Proxy Server: Filtering Based on Known Services - a server that sits between a client application and the server offering the services the client application wants. It behaves as a server to the client and as a client to the server, hence "proxy", and provides a higher level of filtering than a packet filter by examining the individual application data streams.


Modern proxy firewalls provide three basic operations:

Host IP address hiding – when a host inside the trusted network sends an application request to the firewall and the firewall allows the request through to the outside Internet, a sniffer just outside the firewall could otherwise capture the packet and read the source IP address, and the host then becomes a potential target. With IP address hiding the firewall re-originates the request with its own IP address, so that the sniffer sees only the firewall's address. Application firewalls thus hide the source IP addresses of hosts in the trusted network.

Header destruction – an automatic protection that some application firewalls use: the TCP, UDP and IP headers of outgoing packets are discarded and replaced with the firewall's own, so that a sniffer outside the firewall sees only the firewall's IP address. Because no inside host's headers ever reach the outside, this also blocks attacks that depend on crafted TCP, UDP or IP header fields reaching an inside host.

Protocol enforcement – since it is common for packet inspection firewalls to allow packets through based on well-known port numbers, attackers have exploited this by port spoofing: running some other protocol over a commonly used and easily allowed port in order to reach a protected host. With an application proxy firewall this is not easy to do, because each proxy acts as a server to the host for one application only and rejects traffic that does not conform to that application's protocol, so it can stop port spoofing.
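The difference between a port-based packet filter and a protocol-enforcing proxy, shown on constructed traffic as an added example (not code from the original document). The rule table, the hosts and addresses, and the simplified HTTP request-line check are all assumptions for the illustration; a real proxy validates far more than the first line.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> private network) or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Hypothetical packet-inspection policy: evaluated top to bottom, first match
# wins, None matches anything. The last rule is the default deny.
RULES = [
    ("in",  "tcp", 80,   "allow"),   # service control: public web server
    ("in",  "tcp", 25,   "allow"),   # service control: inbound mail
    ("out", None,  None, "allow"),   # direction control: inside may initiate anything
    (None,  None,  None, "deny"),
]


def packet_filter(pkt, rules=RULES):
    """What a packet inspection firewall sees: addresses, protocol, port. Nothing else."""
    for direction, proto, dport, action in rules:
        if (direction in (None, pkt.direction) and proto in (None, pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "deny"


HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def looks_like_http_request(payload):
    """Protocol enforcement as an application proxy does it: the stream must open
    with a well-formed HTTP request line, whatever port it arrived on."""
    line, sep, _rest = payload.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in HTTP_METHODS
            and (target.startswith(b"/") or target.startswith(b"http://"))
            and version in (b"HTTP/1.0", b"HTTP/1.1"))


def proxy_decision(pkt):
    """Packet filter first; inbound traffic that the filter admitted on the HTTP port
    is then handed to the HTTP proxy, which drops anything that is not HTTP."""
    verdict = packet_filter(pkt)
    if verdict == "allow" and pkt.direction == "in" and pkt.dport == 80:
        if not looks_like_http_request(pkt.payload):
            return "deny (not HTTP on port 80)"
    return verdict


# Constructed traffic, not captured data.
SAMPLES = {
    "web":      Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 80,
                       b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    "spoofed":  Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 80,      # SSH over port 80
                       b"SSH-2.0-OpenSSH_3.1p1\r\n"),
    "telnet":   Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 23, b"\xff\xfd\x18"),
    "outbound": Packet("out", "tcp", "10.0.0.7", "198.51.100.2", 6667, b"NICK lamer\r\n"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (packet filter verdict, filter + proxy verdict)} for each sample."""
    return {name: (packet_filter(p), proxy_decision(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (filt, proxy) in evaluate().items():
        print(f"{name:9s} filter={filt:6s} proxy={proxy}")
```

The "spoofed" sample is the case the text describes: the packet filter admits it because the destination port is 80, and only the proxy, which insists on seeing HTTP, refuses it. For an investigator the corollary is that a packet-filter log alone cannot tell you what protocol actually ran over an allowed port; the proxy or a full packet capture can.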

Virtual Private Network (VPN) Firewalls

A VPN is a cryptographic system, built on protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and IPsec, that carries private traffic across the Internet over multiple data links with added security. PPTP and L2TP tunnel Point-to-Point Protocol (PPP) frames; IPsec protects IP packets directly.

The advantages of a VPN over non-VPN connections such as standard Internet connections are:
– VPN technology encrypts its connections
– Connections are limited to machines with specified IP addresses


Small Office or Home (SOHO) Firewalls

A SOHO firewall is a relatively small firewall connecting a

few personal computers via a hub, switch, a bridge, even a

router on one side and connecting to a broadband modem like

DSL or cable on the other.

NAT Firewalls

In a functioning network, every host is assigned an IP address. In a fixed network where these addresses are static and reachable from outside, it is easy for an attacker to target a host and use it to stage attacks on other hosts within and outside the network. To prevent this, a NAT filter can be used. It hides the TCP/IP addressing of all inside hosts. A NAT firewall behaves much like a proxy server in that it conceals the identities of all internal hosts and makes requests on their behalf, rewriting the source address and port of outgoing packets. To an outside host, all the internal hosts therefore appear to share one public IP address, that of the NAT device.

Implementation of a Firewall

There are two approaches to configuring a firewall to suit the needs of an organisation.
– One approach is to start from nothing and gather the information needed to establish the needs and requirements of the organisation. This is time consuming and probably more expensive.
– The other approach, which many organisations take as a short cut, is to install a vendor firewall already loaded with features.

The Demilitarized Zone (DMZ)

A DMZ is a segment of a network, or a separate network, between the protected network and the "bad external network". It is also commonly referred to as a service network.

The purpose of a DMZ on an organisation's network is to provide some insulation and extra security for the servers that offer the organisation's services, for protocols like HTTP/HTTPS, FTP, DNS and SMTP, to the general public.


Security Through the Firewall

- For added security it is often better to use two firewalls.
- Firewalls can also be equipped with intrusion detection systems (IDS); many newer firewalls have IDS software built in.
- Firewalls can be fenced by IDS sensors placed on either side of them.

Firewall Services

As technology improves, firewall services have widened far beyond the old strict filtering to embrace services that were originally performed by internal servers.

Firewall services are based on the following access controls:
– Service control – where the firewall may filter traffic on the basis of IP addresses, TCP and UDP port numbers, and protocols such as DNS and FTP, in addition to providing proxy software that receives and interprets each service request before passing it on.

– Direction control – where permission for traffic flow is determined

from the direction of the requests.

– User control – where access is granted based on which user is

attempting to access the internal protected network; may also be used

on incoming traffic.

– Behavior control – in which access is granted based on how particular

services are used. For example, filtering e-mail to eliminate spam.

Limitations

– Firewalls cannot protect against a threat that bypasses them, such as a dial-in connection or a mobile host that joins the internal network directly,
– Firewalls do not provide data integrity, because it is not possible, especially in large networks, to have the firewall examine the content of each and every incoming and outgoing packet,
– Firewalls cannot by themselves ensure data confidentiality; even though newer firewalls include encryption tools, these only work when the receiving side runs compatible equipment,
– Firewalls do not protect against internal threats, and
– Firewalls cannot reliably prevent the transfer of virus-infected programs or files.


DATABASE FORENSICS


What is Database Forensics?

Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata.

The discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata. Cached information may also exist in a server's RAM, requiring live analysis techniques.

A forensic examination of a database may relate to the timestamps that record the update time of a row in a relational table, which are inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

Software tools such as ACL, IDEA and Arbutus (which provide a read-only environment) can be used to manipulate and analyse data. These tools also provide audit logging capabilities which give documented proof of what tasks or analysis a forensic examiner performed on the database.

Currently many database software tools are in general not reliable and precise enough to be used for forensic work, as demonstrated in the first paper published on database forensics. There is currently a single book published in this field, though more are expected. Additionally there is a subsequent SQL Server forensics book by Kevvie Fowler, named SQL Server Forensics, which is also well regarded.

The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public domain.

It is important to note, for evidential purposes, that because the forensic analysis of a database is not executed in isolation, the technological framework within which a subject database exists is crucial to understanding and resolving questions of data authenticity and integrity, especially as they relate to database users.
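Two of the points above, examining row update timestamps for validity and working in a read-only environment whose actions are provable, shown as an added example; it is not code from the original document and stands in for the commercial tools named (ACL, IDEA, Arbutus) with SQLite from the Python standard library. The transactions table, its rows and the two timestamp rules are assumptions made for the illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

# Constructed sample: a transactions table as an accounting application might
# keep it. Rows 3 and 4 are deliberately inconsistent. Hypothetical data.
SAMPLE_ROWS = [
    (1, "A-100", 100.00, "2021-09-10 09:00:00", "2021-09-10 09:00:00", "app"),
    (2, "B-200", 250.00, "2021-09-10 09:05:00", "2021-09-10 09:05:00", "app"),
    (3, "C-300",  75.00, "2021-09-10 09:10:00", "2021-09-10 08:50:00", "dba"),  # updated before created
    (4, "A-100", 999.00, "2021-09-09 23:59:00", "2021-09-10 09:20:00", "dba"),  # id 4 but dated before id 3
    (5, "D-400",  10.00, "2021-09-10 09:30:00", "2021-09-10 09:30:00", "app"),
]


def build_sample_db(path):
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE transactions (
        id INTEGER PRIMARY KEY, account TEXT, amount REAL,
        created_at TEXT, updated_at TEXT, updated_by TEXT)""")
    conn.executemany("INSERT INTO transactions VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def open_read_only(path):
    """Open the evidence copy so that the examiner's own session cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def table_digest(conn, table):
    """SHA-256 over every row in primary-key order; record it before and after the
    analysis so the report can show the data was not changed by the examination."""
    h = hashlib.sha256()
    for row in conn.execute(f"SELECT * FROM {table} ORDER BY rowid"):
        h.update(repr(row).encode())
    return h.hexdigest()


def timestamp_anomalies(conn):
    """Rows whose timestamps cannot be the product of normal application use."""
    updated_before_created = [r[0] for r in conn.execute(
        "SELECT id FROM transactions WHERE updated_at < created_at ORDER BY id")]
    # Autoincrement ids record insertion order; a row whose created_at precedes
    # that of an earlier id was backdated or inserted outside the application.
    out_of_sequence = [r[0] for r in conn.execute("""
        SELECT t.id FROM transactions t
        WHERE EXISTS (SELECT 1 FROM transactions p
                      WHERE p.id < t.id AND p.created_at > t.created_at)
        ORDER BY t.id""")]
    return updated_before_created, out_of_sequence


def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.db")
        build_sample_db(path)
        conn = open_read_only(path)
        before = table_digest(conn, "transactions")
        ubc, oos = timestamp_anomalies(conn)
        try:                       # prove the session really is read-only
            conn.execute("UPDATE transactions SET amount = 0 WHERE id = 4")
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
        after = table_digest(conn, "transactions")
        conn.close()
        return {"digest": before, "digest_unchanged": before == after,
                "updated_before_created": ubc, "out_of_sequence": oos,
                "write_blocked": write_blocked}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both flagged rows were touched by the "dba" account rather than the application, which is the lead the examiner then pursues in the server's own audit trail and transaction log. The digest taken before and after, together with the read-only open, is the minimal record that the analysis itself did not alter the evidence; the tools the text names keep such an audit log automatically.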


TYPES

Solving a crime takes a lot of time, but thanks to developments in science,

forensics technology has evolved rapidly. In the past, blood typing was probably

one of the most regarded ways to gather evidence aside from fingerprint

matching. Digital technology has enabled the development of forensic databases,

which have proven to be an enormous asset to law enforcement.

DNA Database

This is probably the most popular database in forensics because of shows like

CSI and NCIS. DNA databases may include profiles of suspects awaiting trial,

people arrested, convicted offenders, unknown remains and even members of law

enforcement. This database is especially useful for an easier identification process.

For example, the police can take a suspect's DNA sample through mouth swabs

upon the suspect's capture. Another option can be getting the suspect's clothing

upon arrest.

Whatever the source may be, DNA can then be extracted, characterised and kept

in a database. In the future when a crime occurs, forensics experts may run samples

through the database for comparison. Although this database may seem ideal, it is

not without controversy. Some people oppose the existence of such a database for

privacy reasons. This is especially true for people who gave DNA samples in the

past. These people may no longer be suspects but their DNA sample is still in the

system. Fears may also arise from potential hacking into the records system and

possible DNA information leakage into unsavory companies.


Bullet Database

This database records bullets and casings found in crime scenes. This is useful

in identifying the type of bullet used by a suspect in a particular crime. The

disadvantage is that identified bullets must match the gun used by the suspect. This

is because the database only records the type of the bullet and the casing. It cannot

conclusively prove anything without the suspected gun. It is still useful because it

gives the police leads on what kind of gun the suspect used. In the end, this helps

narrow down the search to a particular gun.

Paint Sample Database

This database contains paint samples from past and present manufacturers as

well as samples from crime scene evidence. The database ranges from common

house paint to automotive paints used in the market. The information in the

database includes the composition of the paint, the chemical compounds present as

well as other possible paint additives. This database is useful, for example, in

identifying vehicles used in a crime. The data could show that chemicals found in a

particular paint are restricted to a certain year only. It could also show the

industries that use this kind of paint for their operation. The database could also

show which manufacturers used this paint, thus narrowing the search for suspects

further.

How it works?

usually consists of four—is examined to determine the spectra and chemical

composition. The chemical components and proportions are coded into the

database. These known samples are compared against a paint sample from a crime

scene or a suspect’s vehicle to search the make, model, and year of manufacture of

a vehicle involved in a hit-and-run or other criminal activity.

Shoeprint Database

This database keeps a record of the soles of shoes produced in the market. It is

particularly useful for identification and elimination of suspects. For example, the

database may eliminate the shoeprints of the victims who were present during the

commission of the crime. It also eliminates the shoeprints of the law enforcers who

investigated the crime. In turn, the data will then be able to identify which

shoeprint belongs to the suspect. It can yield what kind of shoes the suspect wore,

the brand of the shoes, what size the shoes were and the stores that carry this brand

of shoes. The data can then approximate the height and weight of the perpetrator.


Tread Database

A tread database carries information on tread patterns of various vehicles. It can

be useful in identifying the vehicle that the suspect used and the probable model of

this vehicle. This is useful in cases like hit and runs, drive by shootings and

vehicular manslaughter. Once the data is processed, it will enable the police to

arrest the suspect faster. This is especially true if the suspect presently travels with

the vehicle used in the crime.

How it works

Impressions from a crime scene are obtained using the current recovery methods of

photograph, gel lift, dust lift, and adhesive lift. These are input directly into the

analytical system by high-resolution digital imaging. The same procedure is used

with an impression of a suspect’s shoe print: It is photographed using a high-

resolution digital camera, and these impressions (along with the offender’s details)

are input into the analytical system, where the operator can measure, analyze, and

compare crime-scene and suspect images.

Other types

Oracle Databases – including Oracle Financials

MySQL, PostgreSQL. MS SQL Server

IBM Mainframes (IMS, DB2 Etc.)

XML, Access, DBX

Windows, Unix/Linux, OSX

Enterprise Resource Planning or ERP Systems

Sage and Microsoft Financials

Accounting Applications

Midrange Systems (Stratus and HP)

Small Business Management Systems


Database Security

Enforce security at all database levels

Security access point: place where database security must be protected and applied

Data requires highest level of protection; data access point must be small

-Reducing access point size reduces security risks

-Security gaps: points at which security is missing

-Vulnerabilities: kinks in the system that can become threats

-Threat: security risk that can become a system breach

Database Security Levels

• Relational database: collection of related data files
• Data file: collection of related tables
• Table: collection of related rows (records)
• Row: collection of related columns (fields)

MOBILE DEVICE FORENSICS

What is mobile device forensics?

Mobile device forensics is a branch of digital forensics relating to the recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase "mobile device" usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

The use of phones in crime has been widely recognised for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smartphones) on the consumer market caused a demand for forensic examination of the devices which could not be met by existing computer forensics techniques.

Mobile devices can be used to store several types of personal information such as contacts, photos, calendars and notes, and SMS and MMS messages. Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts.

Mobile device forensics can be particularly challenging on a number of levels. Both evidential and technical challenges exist. For example, cell site analysis, which infers a phone's location from the coverage area of the cell it was using, is not an exact science. Consequently, whilst it is possible to determine roughly the cell site zone from which a call was made or received, it is not yet possible to say with any degree of certainty that a mobile phone call emanated from a specific location, e.g. a residential address.

To remain competitive, original equipment manufacturers frequently change mobile phone form factors, oper­ating system file structures, data storage, services, peripherals, and even pin connectors and cables. As a result, forensic examiners must use a different forensic process compared to computer forensics.

Storage capacity continues to grow thanks to demand for more powerful "mini computer" type devices.

As a result of these challenges, a wide variety of tools exist to extract evidence from mobile devices; no one tool or method can acquire all the evidence from all devices. It is therefore recommended that forensic examiners, especially those wishing to qualify as expert witnesses in court, undergo extensive training in order to understand how each tool and method acquires evidence, how it maintains standards for forensic soundness, and how it meets legal requirements such as the Daubert standard or Frye standard.

HISTORY

As a field of study, forensic examination of mobile devices dates from the late 1990s and early 2000s. The role of mobile phones in crime had long been recognised by law enforcement. With the increased availability of such devices on the consumer market and the wider array of communication platforms they support (e.g. email, web browsing), demand for forensic examination grew.

Early efforts to examine mobile devices used similar techniques to the first computer forensics investigations: analysing phone contents directly via the screen and photographing important content. However, this proved to be a time-consuming process, and as the number of mobile devices began to increase, investigators called for more efficient means of extracting data. Enterprising mobile forensic examiners sometimes used cell phone or PDA synchronization software to "back up" device data to a forensic computer for imaging, or sometimes simply performed computer forensics on the hard drive of a suspect computer where data had been synchronized. However, this type of software could write to the phone as well as reading it, and could not retrieve deleted data.

Some forensic examiners found that they could retrieve even deleted data using "flasher" or "twister" boxes, tools developed by OEMs to "flash" a phone's memory for debugging or updating. However, flasher boxes are invasive and can change data; can be complicated to use; and, because they are not developed as forensic tools, perform neither hash verifications nor (in most cases) audit trails. For physical forensic examinations, therefore, better alternatives remained necessary.

To meet these demands, commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyse it separately. Over time these commercial techniques have developed further, and the recovery of deleted data from proprietary mobile devices has become possible with some specialist tools.

Professional applications

Mobile device forensics is best known for its application to law enforcement investigations, but it is also useful for military intelligence, corporate investigations, private investigations, criminal and civil defense, and electronic discovery.

Types of evidence

As mobile device technology advances, the amount and types of data that can be found on a mobile device are constantly increasing. Evidence that can potentially be recovered from a mobile phone may come from several different sources, including handset memory, the SIM card, and attached memory cards such as SD cards.

Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. However, newer generations of smartphones also include wider varieties of information: web browsing data, wireless network settings, geolocation information (including geotags contained within image metadata), e-mail and other forms of rich internet media, including important data such as social networking service posts and contacts now retained in smartphone 'apps'.

Internal memory

Nowadays mobile devices mostly use flash memory of the NAND or NOR type. For a wide overview of NAND flash forensics see Salvatore Fiorillo, 2009.

External memory

External memory devices are SIM cards, SD cards (commonly found within GPS devices as well as mobile phones), MMC cards, CF cards, and the Memory Stick.

Service provider logs

Although not technically part of mobile device forensics, the call detail records (and occasionally, text messages) from wireless carriers often serve as "back up" evidence obtained after the mobile phone has been seized. These are useful when the call history and/or text messages have been deleted from the phone, or when location-based services are not turned on. Call detail records and cell site (tower) dumps can show the phone owner's location, and whether they were stationary or moving (i.e., whether the phone's signal bounced off the same side of a single tower, or different sides of multiple towers along a particular path of travel). Carrier data and device data together can be used to corroborate information from other sources, for instance video surveillance footage or eyewitness accounts, or to determine the general location where a non-geotagged image or video was taken.
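The two uses of carrier records described above, a stationary-versus-moving judgement and placing a handset in a cell's coverage zone at a time of interest so it can be checked against CCTV or witness timings, as an added example that is not part of the original text and not any carrier's real export format. The CSV column layout, tower names, sector numbers and phone numbers are all constructed for the demo; real exports differ in layout and are usually obtained under a preservation letter and warrant, as the next paragraph describes.

```python
"""Call detail record (CDR) walk-through on constructed carrier data.

Added example; not code from the original text or any carrier tooling.
A cell/sector hit gives a coverage zone, never a street address, which is
the caveat the text makes about cell site analysis."""
from datetime import datetime, timedelta

# Constructed CDR export (assumption): timestamp, subscriber, direction
# (MO = mobile originated, MT = mobile terminated), other party, cell tower,
# sector. A tower has several sectors (antenna faces); a handset served by
# one tower/sector throughout looks stationary, one hopping across towers
# looks like it is travelling along a path.
CONSTRUCTED_CDR = """\
2010-02-14T09:02:11,555-0100,MO,555-0199,TOWER-A,1
2010-02-14T09:15:40,555-0100,MT,555-0142,TOWER-A,1
2010-02-14T09:41:05,555-0100,MO,555-0199,TOWER-A,1
2010-02-14T11:03:19,555-0200,MO,555-0177,TOWER-A,2
2010-02-14T11:09:50,555-0200,MT,555-0177,TOWER-B,3
2010-02-14T11:16:02,555-0200,MO,555-0177,TOWER-C,1
"""


def parse_cdr(text):
    """Parse the constructed CSV layout into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subscriber, direction, other, cell, sector = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "subscriber": subscriber,
            "direction": direction,
            "other": other,
            "cell": cell,
            "sector": sector,
        })
    records.sort(key=lambda r: r["time"])
    return records


def movement_profile(records, subscriber):
    """Ordered list of distinct (cell, sector) pairs that served the
    subscriber, plus a coarse label: 'stationary' when a single cell/sector
    served every record, 'moving' when the serving cell changed."""
    path = []
    for r in records:
        if r["subscriber"] != subscriber:
            continue
        serving = (r["cell"], r["sector"])
        if not path or path[-1] != serving:
            path.append(serving)
    if not path:
        return {"path": [], "classification": "no records"}
    return {"path": path,
            "classification": "stationary" if len(path) == 1 else "moving"}


def serving_cell_at(records, subscriber, when, tolerance_minutes=10):
    """(cell, sector) of the subscriber's record closest to `when` (ISO string
    or datetime), or None if nothing fell within the tolerance. A gap means
    'no data for that moment', not 'the phone was elsewhere'."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    tolerance = timedelta(minutes=tolerance_minutes)
    best = None
    for r in records:
        if r["subscriber"] != subscriber:
            continue
        gap = abs(r["time"] - when)
        if gap <= tolerance and (best is None or gap < best[0]):
            best = (gap, (r["cell"], r["sector"]))
    return best[1] if best else None


if __name__ == "__main__":
    recs = parse_cdr(CONSTRUCTED_CDR)
    for sub in ("555-0100", "555-0200"):
        print(sub, movement_profile(recs, sub))
    # e.g. a CCTV frame timestamped 11:12 that needs corroborating
    print(serving_cell_at(recs, "555-0200", "2010-02-14T11:12:00"))
```

The profile only says that the serving cell changed; the route itself is the sequence of coverage zones, which is as far as the text says such analysis can go.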

The European Union requires its member countries to retain certain telecommunications data for use in investigations. This includes data on calls made and retrieved. The location of a mobile phone can be determined and this geographical data must also be retained. In the United States, however, no such requirement exists, and no standards govern how long carriers should retain data or even what they must retain. For example, text messages may be retained only for a week or two, while call logs may be retained anywhere from a few weeks to several months. To reduce the risk of evidence being lost, law enforcement agents must submit a preservation letter to the carrier, which they then must back up with a search warrant.

Process

The forensics process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. Generally, the process can be broken down into three main categories: seizure, acquisition, and examination/analysis. Other aspects of the computer forensic process, such as intake, validation, documentation/reporting, and archiving, still apply.

Seizure

Seizing mobile devices is covered by the same legal considerations as other digital media. Mobiles will often be recovered switched on; as the aim of seizure is to preserve evidence, the device will often be transported in the same state to avoid a shutdown, which would change files. In addition, the investigator or first responder would risk user lock activation.

However, leaving the phone on carries another risk: the device can still make a network/cellular connection. This may bring in new data, overwriting evidence. To prevent a connection, mobile devices will often be transported and examined from within a Faraday cage (or bag). Even so, there are two disadvantages to this method. First, it renders the device unusable, as its touch screen or keypad cannot be used. Second, a device's search for a network connection will drain its battery more quickly. While devices and their batteries can often be recharged, again, the investigator risks that the phone's user lock will have activated. Therefore, network isolation is advisable either through placing the device in Airplane Mode, or cloning its SIM card (a technique which can also be useful when the device is missing its SIM card entirely).

Acquisition

The second step in the forensic process is acquisition, in this case usually referring to retrieval of material from a device (as compared to the bit-copy imaging used in computer forensics).

Due to the proprietary nature of mobiles it is often not possible to acquire data with the device powered down; most mobile device acquisition is performed live. With more advanced smartphones using advanced memory management, connecting the device to a charger and putting it into a Faraday cage may not be good practice: the mobile device would recognize the network disconnection and change its status information, which can trigger the memory manager to write data. Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and software component, often automated.

Examination and analysis

As an increasing number of mobile devices use high-level file systems similar to the file systems of computers, methods and tools can be taken over from hard disk forensics or need only slight changes.

The FAT file system is generally used on NAND memory. A difference is the block size used, which is larger than the 512 bytes used on hard disks and depends on the memory type, e.g. 64, 128 or 256 kilobytes for NOR memory and 16, 128, 256 or 512 kilobytes for NAND memory.

Different software tools can extract the data from the memory image. One could use specialized and automated forensic software products or generic file viewers such as any hex editor to search for characteristics of file headers. The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of handwork and requires file system as well as file header knowledge.

In contrast, specialized forensic software simplifies the search and extracts the data but may not find everything. AccessData, Sleuthkit, and EnCase, to mention only some, are forensic software products to analyze memory images. Since there is no tool that extracts all possible information, it is advisable to use two or more tools for examination. There is currently (February 2010) no software solution to get all evidence from flash memories.
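The header search that the text describes doing by hand in a hex editor, automated over a raw flash image, as an added example that is not code from the original text or from any of the products it names. The image is constructed here rather than dumped from a device, the 16 KiB block size is one of the NAND sizes listed above, and the signature table holds the published magic bytes of a few common formats. The block-alignment flag is the part a hex editor does not give you: a file the file system placed starts on a block boundary, whereas a signature found mid-block is usually data embedded in another file (an EXIF thumbnail inside a photo, for instance).

```python
"""Header-signature search over a raw flash image.

Added example; not code from the original text or any forensic product.
The image is constructed, not a real device dump."""

BLOCK_SIZE = 16 * 1024  # one of the NAND block sizes the text lists

# File-header magic values (the published ones, not assumptions) -> type.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"SQLite format 3\x00": "SQLite database",
    b"PK\x03\x04": "ZIP container (also APK, DOCX)",
}


def build_constructed_image(block_size=BLOCK_SIZE, blocks=8):
    """Constructed demo image: headers at block-aligned offsets, one extra
    JPEG header buried inside the PNG's block (as an EXIF thumbnail would
    be), a ZIP with no directory entry standing in for a deleted file, and
    0xFF fill everywhere else, which is what erased NAND reads as."""
    img = bytearray(b"\xff" * (block_size * blocks))

    def put(offset, data):
        img[offset:offset + len(data)] = data

    put(1 * block_size, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
    put(3 * block_size, b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 64)
    put(3 * block_size + 600, b"\xff\xd8\xff\xe1\x00\x00" + b"\x00" * 16)  # embedded
    put(5 * block_size, b"SQLite format 3\x00\x10\x00" + b"\x00" * 64)
    put(6 * block_size, b"PK\x03\x04\x14\x00" + b"\x00" * 32)  # "deleted": no dir entry
    return bytes(img)


def scan_for_headers(image, block_size=BLOCK_SIZE):
    """Every signature hit, sorted by offset. `aligned` is True when the hit
    sits on a block boundary, where the file system would have written a
    file's first byte; an unaligned hit usually means embedded data."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx < 0:
                break
            hits.append({
                "offset": idx,
                "block": idx // block_size,
                "aligned": idx % block_size == 0,
                "type": kind,
            })
            start = idx + 1
    hits.sort(key=lambda h: h["offset"])
    return hits


def likely_file_starts(hits):
    """Block-aligned hits only: the candidates to carve out as whole files."""
    return [h for h in hits if h["aligned"]]


if __name__ == "__main__":
    for h in scan_for_headers(build_constructed_image()):
        where = "block-aligned" if h["aligned"] else "embedded"
        print(f"0x{h['offset']:06x} block {h['block']:2d} {where:13s} {h['type']}")
```

Note that the ZIP in block 6 is found even though nothing points to it: a header search works on the raw image and does not depend on the file system still listing the file, which is why the text says it reaches data that a logical view misses.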

Acquisition types

Mobile device data extraction can be classified according to a continuum, along which methods become more technical and "forensically sound," tools become more expensive, analysis takes longer, examiners need more training, and some methods can even become more invasive.

Manual acquisition

The examiner utilizes the user interface to investigate the content of the phone's memory. Therefore the device is used as normal, with the examiner taking pictures of each screen's contents. This method has an advantage in that the operating system makes it unnecessary to use specialized tools or equipment to transform raw data into human-interpretable information. In practice this method is applied to cell phones, PDAs and navigation systems. Disadvantages are that only data visible to the operating system can be recovered; that all data are only available in the form of pictures; and that the process itself is time-consuming.

Logical acquisition

Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the original equipment manufacturer's application programming interface for synchronizing the phone's contents with a personal computer. A logical extraction is generally easier to work with as it does not produce a large binary blob. However, a skilled forensic examiner will be able to extract far more information from a physical extraction.

File system acquisition

Logical extraction usually does not produce any deleted information, due to it normally being removed from the phone's file system. However, in some cases, particularly with platforms built on SQLite such as iOS and Android, the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In such cases, if the device allows file system access through its synchronization interface, it is possible to recover deleted information. File system extraction is useful for understanding the file structure, web browsing history, or app usage, as well as providing the examiner with the ability to perform an analysis with traditional computer forensic tools.
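The SQLite behaviour described above, shown end to end, as an added example that is not code from the original text or from any forensic product. The messages table, the phone numbers and the message bodies are constructed in a temporary directory; nothing is read from a real handset. The scenario is run twice: once with SQLite's usual secure_delete=OFF setting, where a deleted row's bytes stay in the page's free space and a raw scan of the file (what a file system extraction hands the examiner) still finds them, and once with secure_delete=ON, where the engine zeroes the freed cell and the raw scan finds nothing, which is why the text says the phone "may" keep the data rather than that it always does.

```python
"""Recovering a deleted SQLite row from a file-system level copy.

Added example; constructed database, not taken from a device."""
import os
import sqlite3
import tempfile

KEPT_BODY = "constructed kept message"
DELETED_BODY = "constructed deleted message ZX7Q-MARKER"


def make_constructed_db(path, secure_delete):
    """Create a small messages table, then delete one row and commit."""
    con = sqlite3.connect(path)
    # OFF is the usual default; it is set explicitly so the demo behaves the
    # same on SQLite builds compiled with SQLITE_SECURE_DELETE.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.execute("INSERT INTO sms VALUES (1, '555-0100', ?)", (KEPT_BODY,))
    con.execute("INSERT INTO sms VALUES (2, '555-0199', ?)", (DELETED_BODY,))
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")  # the 'user deleted a text' step
    con.commit()
    con.close()


def logical_rows(path):
    """What a logical extraction through the database API sees: live rows."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT body FROM sms ORDER BY id")]
    finally:
        con.close()


def raw_offsets(path, needle):
    """Scan the .db file's bytes for `needle`: the hex-editor view of the
    same file, which sees free space inside pages as well as live cells."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits, start = [], 0
    pattern = needle.encode("utf-8")
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def recover_demo():
    """Run the scenario with secure_delete off (default) and on."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, secure in (("default", False), ("secure_delete", True)):
            path = os.path.join(tmp, "sms_%s.db" % label)
            make_constructed_db(path, secure)
            result[label] = {
                "logical": logical_rows(path),
                "raw_hits": len(raw_offsets(path, DELETED_BODY)),
            }
    return result


if __name__ == "__main__":
    for label, r in recover_demo().items():
        print(label, r)
```

A real extraction would also collect the journal or WAL file beside the database, since recently deleted rows can survive there even when the main file has been cleaned.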

Physical acquisition

Physical acquisition implies a bit-for-bit copy of an entire physical store (e.g. flash memory); therefore, it is the method most similar to the examination of a personal computer. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories.

Generally this is harder to achieve because the device's original equipment manufacturer needs to secure against arbitrary reading of memory; therefore, a device may be locked to a certain operator. To get around this security, mobile forensics tool vendors often develop their own boot loaders, enabling the forensic tool to access the memory (and often, also to bypass user passcodes or pattern locks).

Generally the physical extraction is split into two steps, the dumping phase and the decoding phase.

Tools

Early investigations consisted of live manual analysis of mobile devices, with examiners photographing or writing down useful material for use as evidence. Without forensic photography equipment such as Fernico ZRT, eDEC Eclipse, or Project-a-Phone, this had the disadvantage of risking the modification of the device content, as well as leaving many parts of the proprietary operating system inaccessible.

In recent years a number of hardware/software tools have emerged to recover logical and physical evidence from mobile devices. Most tools consist of both hardware and software portions. The hardware includes a number of cables to connect the phone to the acquisition machine; the software exists to extract the evidence and, occasionally, even to analyse it.

Most recently, mobile device forensic tools have been developed for the field. This is in response both to military units' demand for fast and accurate anti-terrorism intelligence, and to law enforcement demand for forensic previewing capabilities at a crime scene, search warrant execution, or exigent circumstances. Such mobile forensic tools are often ruggedized for harsh environments (e.g. the battlefield) and rough treatment (e.g. being dropped or submerged in water).

Generally, because it is impossible for any one tool to capture all evidence from all mobile devices, mobile forensic professionals recommend that examiners establish entire toolkits consisting of a mix of commercial, open source, broad support, and narrow support forensic tools, together with accessories such as battery chargers, Faraday bags or other signal disruption equipment, and so forth.

Open Source Tools

Most open source mobile forensics tools are platform-specific and geared toward smartphone analysis. Examples include iPhone Analyzer, Katana Forensics' Lantern Lite imager, the Mobile Internal Acquisition Tool, TULP2G, and viaForensics' Open Source Android Forensics application. Though not originally designed to be a forensics tool, BitPim has been widely used on CDMA phones as well as LG VX4400/VX6000 and many Sanyo Sprint cell phones.

Physical Tools

Forensic desoldering

Commonly referred to as a "Chip-Off" technique within the industry, the last and most intrusive method to get a memory image is to desolder the non-volatile memory chip and connect it to a memory chip reader. This method contains the potential danger of total data destruction: it is possible to destroy the chip and its content because of the heat required during desoldering. Before the invention of BGA technology it was possible to attach probes to the pins of the memory chip and to recover the memory through these probes. The BGA technique bonds the chips directly onto the PCB through molten solder balls, such that it is no longer possible to attach probes.

Moisture in the circuit board turns to steam when it is subjected to intense heat. This produces the so-called "popcorn effect."

Desoldering the chips is done carefully and slowly, so that the heat does not destroy the chip or data. Before the chip is desoldered the PCB is baked in an oven to eliminate remaining water. This prevents the popcorn effect, in which the remaining water would blow up the chip package during desoldering.

There are mainly three methods to melt the solder: hot air, infrared light, and steam-phasing. The infrared light technology works with a focused infrared light beam on a specific integrated circuit and is used for small chips. The hot air and steam methods cannot focus as much as the infrared technique.

Chip re-balling

After desoldering the chip, a re-balling process cleans the chip and adds new tin balls to the chip. Re-balling can be done in two different ways.

The first is to use a stencil. The stencil is chip-dependent and must fit exactly. Then the tin solder is put on the stencil. After cooling the tin, the stencil is removed and if necessary a second cleaning step is done.

The second method is laser re-balling. Here the stencil is programmed into the re-balling unit. A bondhead (which looks like a tube/needle) is automatically loaded with one tin ball from a solder ball singulation tank. The ball is then heated by a laser, such that the tin-solder ball becomes fluid and flows onto the cleaned chip. Instantly after melting the ball the laser turns off and a new ball falls into the bondhead. While reloading, the bondhead of the re-balling unit changes position to the next pin.

A third method makes the entire re-balling process unnecessary. The chip is connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The Y-shaped springs need to have a ball on the pin to establish an electrical connection, but the pogo pins can be used directly on the pads of the chip without the balls.

The advantage of forensic desoldering is that the device does not need to be functional and that a copy without any changes to the original data can be made. The disadvantage is that the re-balling devices are expensive, so this process is very costly, and there are some risks of total data loss. Hence, forensic desoldering should only be done by experienced laboratories.

JTAG

Existing standardized interfaces for reading data are built into several mobile devices, e.g., to get position data from GPS equipment (NMEA) or to get deceleration information from airbag units.

Not all mobile devices provide such a standardized interface, nor does there exist a standard interface for all mobile devices, but all manufacturers have one problem in common. The miniaturization of device parts raises the question of how to automatically test the functionality and quality of the soldered integrated components. For this problem an industry group, the Joint Test Action Group (JTAG), developed a test technology called boundary scan.

Despite the standardization there are four tasks before the JTAG device interface can be used to recover the memory. To find the correct bits in the boundary scan register one must know which processor and memory circuits are used and how they are connected to the system bus. When not accessible from outside, one must find the test points for the JTAG interface on the printed circuit board and determine which test point is used for which signal. The JTAG port is not always soldered with connectors, such that it is sometimes necessary to open the device and re-solder the access port. The protocol for reading the memory must be known, and finally the correct voltage must be determined to prevent damage to the circuit.

The boundary scan produces a complete forensic image of the volatile and non-volatile memory. The risk of data change is minimized and the memory chip does not need to be desoldered. Generating the image can be slow and not all mobile devices are JTAG enabled. Also, it can be difficult to find the test access port.

Command Line Tools

System commands

Mobile devices do not provide the possibility to run or boot from a CD, or to connect to a network share or another device with clean tools. Therefore system commands could be the only way to save the volatile memory of a mobile device. Given the risk of modified system commands, one must weigh whether the volatile memory is really important. A similar problem arises when no network connection is available and no secondary memory can be connected to the mobile device, because the volatile memory image must then be saved on the internal non-volatile memory, where the user data is stored, and most likely deleted important data will be lost. System commands are the cheapest method, but imply some risk of data loss. Every command usage, with its options and output, must be documented.

AT commands

AT commands are old modem commands, e.g., the Hayes command set and Motorola phone AT commands, and can therefore only be used on a device that has modem support. Using these commands one can only obtain information through the operating system, such that no deleted data can be extracted.

dd

For external memory and USB flash drives, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy. Furthermore, USB flash drives with memory protection do not need special hardware and can be connected to any computer. Many USB drives and memory cards have a write-lock switch that can be used to prevent data changes while making a copy.

Name | Platform | License | Version | Description
Cellebrite Mobile Forensics | Windows | proprietary | | Universal Forensics Extraction Device - Hardware and Software
Elcomsoft iOS Forensic Toolkit (EIFT) | Windows, Mac | proprietary | | Acquires bit-precise images of Apple iOS devices in real time
Elcomsoft Phone Password Breaker (EPPB) | Windows | proprietary | | Enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms
MicroSystemation XRY/XACT | Windows | proprietary | | Hardware/Software package, specialises in deleted data
MOBILedit! Forensic | Windows | proprietary | | Hardware-Connection kit/Software package
Oxygen Forensic Suite (former Oxygen Phone Manager) | Windows | proprietary | | Smart forensics for smartphones
Paraben Device Seizure | Windows | proprietary | | Hardware/Software package
Radio Tactics Aceso | Windows | proprietary | | "All-in-one" unit with a touch screen

Cellular Phone Evidence Extraction Process

Intake - Identification - Preparation - Isolation - Processing - Verification - Archiving.

CHALLENGES ASSOCIATED WITH MOBILE PHONE FORENSICS

A. Mobile phone forensics is a challenging field due to fast changes in technology. Several models of mobile phones exist in the world today. Manufacturers lack standardized methods of storing data. Most mobile phones use closed operating systems and have proprietary interfaces. To meet this challenge there is always a need for the development of new forensics tools and techniques.

B. Signals of the mobile phone need to be blocked while carrying out forensic analysis. Blocking RF signals quickly drains the battery. This can be minimized by carrying out the forensic analysis of mobile phones in properly shielded labs. Shielding methods for a lab include EMI/EMC protection.

C. A large variety of data cables exist for mobile phones. Identification and collection of the cables required for forensic analysis of mobile phones is a challenging task. Small databases defining mobile phone models and their associated cables, with tags, can help a great deal.

D. Most commercially available forensic tools do not provide solutions to deal with physically damaged mobile phones. Forensic examiners must be trained and equipped to handle such situations.

E. Conflicts can occur due to different operating system, vendor and version specific device drivers. It is therefore recommended to have separate machines for each type of forensic software. However, to economize resources, virtual machine environments can be created.

F. Data on an active mobile phone tends to change constantly due to the lack of a conventional write-blocking mechanism. Analysis must be done on a phone that is powered ON, but it is ideal that the phone does not receive any calls, text messages, or other communications. Shielded labs can address this issue.

G. Most of the international trainings available in the field are vendor specific. There is a need for neutral and standard trainings.

H. The status of unopened emails and messages will change after reading them. Care must be taken while recording such evidence.

J. Mobile phones may lose data or ask for security measures on the next restart once shut down. The owner of the mobile phone (if available) may be asked about security codes.

K. Authentication mechanisms can confine access to data. Finding the Personal Identification Number (PIN), Phone Unlock Key (PUK), and handset and memory card passwords can become difficult at times.

L. Nowadays there are various methods available to remotely destroy or change data on a mobile phone. Such events can be avoided in shielded lab environments while carrying out forensic investigations. Care must also be taken to protect mobile phones while carrying them to labs.

M. Data from the mobile phone's internal memory is restricted without the use of the SIM card. Inserting another SIM can cause the loss of mobile phone data.

N. Many commercial mobile phone forensic tools only provide logical acquisition of data. Deleted data can only be recovered using physical acquisition.

O. The introduction of Mobile Number Portability (MNP) can result in improper identification of the subscriber. Mobile phone network operators may be consulted for proper identification.

P. Changing the IMEI of a few mobile handsets is possible with the use of flashing tools like Universal Flasher UFS-3. This can result in improper identification of phones. These illegal activities shall be banned.

Issues in Forensic science

Introduction:

Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data.

The three main steps in any computer forensic investigation are acquiring, authenticating, and analyzing the data. Acquiring the data mainly involves creating a bit-by-bit copy of the hard drive. Authentication is ensuring that the copy used to perform the investigation is an exact replica of the contents of the original hard drive, by comparing the checksums of the copy and the original. Analysis of the data is the most important part of the investigation since this is where incriminating evidence may be found.
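The acquisition and authentication steps just described, worked on a constructed disk, as an added example that is not code from the original text and not a wrapper around dd or any forensic product. The "drive" is a byte array built here with a made-up four-cluster layout, and its file-system directory is a plain dict; both are assumptions for the demo. It shows why the bit-by-bit copy matters (the same point the later bit-stream backup discussion makes about unallocated and slack space, and the dd section makes for removable media): a copy made file by file gets only what the directory lists, while the bit-stream image also carries file slack and a deleted file's data. Authentication is then a digest comparison between original and image, with the size checked as well so a truncated image cannot pass.

```python
"""Bit-stream imaging versus file-level copying, with checksum authentication.

Added example; constructed drive, not a real device."""
import hashlib

SECTOR = 512
CLUSTER = 4 * SECTOR  # 2 KiB allocation unit, an assumption for the demo

LIVE_TEXT = b"Quarterly report: nothing unusual to report."
SLACK_TEXT = b"[slack] remnant of an older file that once filled this cluster"
DELETED_TEXT = b"[deleted] draft whose directory entry was removed"


def build_constructed_drive():
    """Return (drive, directory) for a four-cluster constructed disk.

    The directory maps file name -> (offset, length) and is all that a
    file-by-file copy gets to see.
      cluster 0: directory metadata
      cluster 1: the live file, then slack left by a previous occupant
      cluster 2: a deleted file: no directory entry, data never overwritten
      cluster 3: never used (zeros)
    """
    drive = bytearray(CLUSTER * 4)
    drive[0:32] = b"CONSTRUCTED-FS-DIRECTORY".ljust(32, b"\x00")
    base = 1 * CLUSTER
    drive[base:base + CLUSTER] = b"\x20" * CLUSTER                 # old occupant's bytes
    drive[base + 1024:base + 1024 + len(SLACK_TEXT)] = SLACK_TEXT   # survives as slack
    drive[base:base + len(LIVE_TEXT)] = LIVE_TEXT                  # live file on top
    drive[2 * CLUSTER:2 * CLUSTER + len(DELETED_TEXT)] = DELETED_TEXT
    directory = {"report.txt": (base, len(LIVE_TEXT))}
    return bytes(drive), directory


def bit_stream_image(drive, block_size=SECTOR):
    """dd-style acquisition: copy every block, allocated or not."""
    out = bytearray()
    for off in range(0, len(drive), block_size):
        out += drive[off:off + block_size]
    return bytes(out)


def logical_copy(drive, directory):
    """File-by-file copy: only the bytes the directory says belong to a file."""
    return b"".join(drive[off:off + length] for off, length in directory.values())


def sha256_hex(data, chunk=SECTOR):
    """Hash in fixed-size chunks, as one would over a multi-gigabyte image."""
    h = hashlib.sha256()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()


def authenticate(original, image):
    """Authentication step: the image is an exact replica only if sizes and
    digests both match."""
    return len(original) == len(image) and sha256_hex(original) == sha256_hex(image)


def evidence_visible(copy):
    """Which of the three planted strings a given copy still contains."""
    return {
        "live": LIVE_TEXT in copy,
        "slack": SLACK_TEXT in copy,
        "deleted": DELETED_TEXT in copy,
    }


if __name__ == "__main__":
    drive, directory = build_constructed_drive()
    image = bit_stream_image(drive)
    print("image authenticates:  ", authenticate(drive, image))
    print("bit-stream image sees:", evidence_visible(image))
    print("logical copy sees:    ", evidence_visible(logical_copy(drive, directory)))
    tampered = bytearray(image)
    tampered[3 * CLUSTER] ^= 0x01   # one flipped bit in an "unused" cluster
    print("tampered image authenticates:", authenticate(drive, bytes(tampered)))
```

The tampered case is the reason the digest is recorded at acquisition time and again before analysis: a single flipped bit anywhere, even in an area no file uses, changes the digest and the copy no longer authenticates.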

Part of the analysis process is spent in the recovery of deleted files. The job of the investigator is to know where to find the remnants of these files and interpret the results. Any file data and file attributes found may yield valuable clues. Investigations of Windows and Unix systems are similar in some ways, but the forensic analyst can tailor the investigation to one or the other since each operating system differs in unique ways. If deleted data cannot be recovered through the use of common forensic tools, more sensitive instruments can be used to extract the data, but this is rarely done because of the high cost of the instruments.

Data recovery is only one aspect of the forensics investigation. Tracking the hacking activities within a compromised system is also important. With any system that is connected to the Internet, hacker attacks are as certain as death and taxes. Although it is impossible to completely defend against all attacks, as soon as a hacker successfully breaks into a computer system the hacker begins to leave a trail of clues and evidence that can be used to piece together what has been done and sometimes can even be used to follow a hacker home. Computer forensics can be employed on a compromised system to find out exactly how a hacker got into the system and which parts of the system were damaged or modified. However, system administrators must first be educated in the procedures and methods of forensic investigation if a system is to be recovered and protected. With the help of computer forensics, administrators are able to learn about mistakes made in the past and help prevent incidents from occurring in the future.

Each time any kind of input is fed into the computer, whether it is a key pressed on your keyboard or a click of the mouse, a signal is generated and sent to the appropriate computer application, and these signals can be intercepted in your computer by a software program that is running in the background or physically by some external device. Keystroke loggers are made specifically for this purpose and can be employed by a network administrator to ensure employees are not misusing the company resources; or they can be used by hackers to steal passwords, social security numbers, and any other sensitive information entered by an unsuspecting person.

Because of the wealth of information that can be gained from a computer forensics investigation, ethical considerations should be examined.

Computer forensics is essentially a means for gathering electronic evidence during an investigation. In order to use this information to prosecute a criminal act and to avoid suppression during trial, evidence must be collected carefully and legally. It is particularly important to be aware of the privacy rights of suspects, victims and uninvolved third parties. An investigator needs to have knowledge of several laws and statutes that govern electronic evidence collection, including the Fourth Amendment of the Constitution, 18 U.S.C. §2510-22 (also known as the wiretap statute), the Electronic Communications Privacy Act (ECPA), and the USA PATRIOT Act. Each of these items affects the legality of electronic evidence and the appropriate procedures to acquire that evidence.

General Steps in a Forensic Investigation

The three main steps to a forensic investigation are the acquisition of the evidence, the authentication of the recovered evidence, and the analysis of the evidence. Although each forensic investigator may add their own steps to the forensics process, these three steps (acquisition, authentication, and analysis) are essential to any forensic investigation.

Acquiring evidence in a computer forensics investigation primarily involves obtaining the contents of the suspect's hard drive, but other aspects may be involved in the acquisition of evidence. Photographs of the computer screen and of the entire computer system in its installed configuration may yield useful information to the investigator. In addition, some forensic investigators believe in gathering evidence before shutting down the suspect's computer; this is a source of argument within the forensics community: whether to shut down the computer immediately and preserve the exact state in which it was found, or to gather evidence before shutting down in order to capture any volatile data that would be destroyed on shutdown (such as the running processes on the computer). Ideally, the forensic analysis is not done directly on the suspect's computer but on a copy instead. This prevents tampering with and alteration of the suspect's data on the hard drive. The contents of the hard drive are copied onto one or more hard drives that the investigator will use to conduct the investigation. These copies, or images, are obtained by copying bit by bit from the suspect's hard drive to another hard drive or disk.

The hard drive containing the image of the suspect's hard drive obtained in this manner is called a bit-stream backup. Hard drives must be copied bit by bit because doing so ensures that all the contents of the hard drive will be copied to the other drive. Otherwise, unallocated data (such as deleted files), swap space, "bad" sectors, and slack space will not be copied. A goldmine of evidence may potentially be held in these unusual spaces on


the hard drive. Of course, the investigator must make sure that the hard drive or disk used to hold the copy is completely free of any data so that the evidence will not be tainted. Commonly used forensics tools for imaging hard drives are SafeBack and EnCase, which also perform many other forensics functions. There are also disk-wiping tools to clean the image hard drive.

The authentication of the evidence is the process of ensuring that the evidence has not been altered during the acquisition process. In other words, authentication shows that no changes to the evidence occurred during the course of the investigation. Any change to the evidence will render it inadmissible in court. Investigators authenticate the hard drive evidence by generating a checksum of the contents of the hard drive. This checksum is like an electronic fingerprint in that it is almost impossible for two hard drives with different data to have the same checksum. By showing that the checksums of the seized hard drive and the image are identical, the investigators can show that they analyzed an unaltered copy of the original hard drive. The algorithms most commonly used to generate these checksums are MD5 and SHA. Some checksum tools use a combination of algorithms, such as CRC (cyclic redundancy check) with MD5, in order to provide a higher quality of authentication.
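As an added example (not from the original text), the authentication step in Python: one pass over an image computes MD5, SHA-256 and CRC32 together, and a copy authenticates only if every value matches the seized drive. The "drive" contents, the logical copy and the tampered copy are constructed here for illustration.

```python
import hashlib
import io
import zlib

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so a large image never sits in RAM


def image_digests(stream) -> dict:
    """Read a file-like object once and return MD5, SHA-256 and CRC32 of its contents.

    Several algorithms are computed together, in the spirit of tools that pair
    CRC with MD5, so a single pass over a large image is enough.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    crc = 0
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        md5.update(block)
        sha256.update(block)
        crc = zlib.crc32(block, crc)
    return {
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }


def digest_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (the constructed samples below)."""
    return image_digests(io.BytesIO(data))


def digest_file(path: str) -> dict:
    """Hash a real image file or a block device opened read-only."""
    with open(path, "rb") as fh:
        return image_digests(fh)


def verify_copy(original: dict, copy: dict) -> tuple:
    """Compare digests of the seized drive with digests of the image.

    Returns (authentic, list_of_mismatching_algorithms). Every algorithm must
    agree; a single differing value means the copy is not bit-for-bit.
    """
    mismatches = [alg for alg in original if original[alg] != copy.get(alg)]
    return (not mismatches, mismatches)


# Constructed sample "drive": a boot sector, an allocated file, a deleted file
# left in unallocated space, and an empty sector. Not real drive contents.
SECTOR = 512
SEIZED_DRIVE = (
    b"MBR" + bytes(SECTOR - 3)
    + b"allocated file: quarterly report".ljust(SECTOR, b"\x00")
    + b"deleted file remnant in unallocated space".ljust(SECTOR, b"\x00")
    + bytes(SECTOR)
)

# A bit-stream image copies every byte, including the unallocated sector.
BITSTREAM_IMAGE = bytes(SEIZED_DRIVE)

# A "logical" copy that only took allocated sectors is not bit-for-bit.
LOGICAL_COPY = SEIZED_DRIVE[: 2 * SECTOR] + bytes(2 * SECTOR)

# A copy in which a single bit was flipped (e.g. the image was written to).
_tampered = bytearray(SEIZED_DRIVE)
_tampered[SECTOR + 10] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


def demo() -> dict:
    """Run the three comparisons and report which copies authenticate."""
    original = digest_bytes(SEIZED_DRIVE)
    return {
        "bitstream": verify_copy(original, digest_bytes(BITSTREAM_IMAGE))[0],
        "logical": verify_copy(original, digest_bytes(LOGICAL_COPY))[0],
        "tampered": verify_copy(original, digest_bytes(TAMPERED_IMAGE))[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} {'authentic' if ok else 'MISMATCH'}")
```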

The last and most time-consuming step in a forensics investigation is the analysis of the evidence. It is in the analysis phase that evidence of wrongdoing is uncovered by the investigator. Because of the differences between Windows-based operating systems and UNIX, I will discuss the analysis of data on these two systems in separate sections. In general, forensic investigators rely on special forensics tools to analyze the huge amounts of data on the hard drive (and the size of hard drives continues to grow). These range from a hex editor (an editor that views the data in hexadecimal format) to full-blown forensic toolkits like EnCase. It is important that the chain of custody is maintained throughout the investigation. The chain documents everything that happens to the evidence: who handled it, where and how it was handled, and how it was stored. It preserves the integrity of the evidence. Even if the suspect is guilty, if the chain is not maintained, a lawyer can argue that the chain of custody was not properly established, casting doubt on the damning evidence acquired during the analysis phase.

Forensic Analysis on Windows Systems

Despite its unreliability and propensity to crash, Windows remains the most widely used operating system on people's computers. Investigators must be familiar with how Windows works and with its idiosyncrasies in order to conduct a thorough and fruitful investigation. An intimate knowledge of file allocation and deletion in Windows file systems is needed to recover deleted files. For this paper, I will be focusing on NTFS, the file system used in Windows NT and Windows 2000 and above, but many of the techniques mentioned in this section could be used in earlier versions of Windows with few, if any, modifications. NTFS stores attributes of files and folders in a system file called the Master File Table, or MFT. The attributes in the MFT of most interest to the forensic analyst are the filename, the MAC times (the date and time of a file's last modification, last access, and creation), and the data itself (if the file is small enough) or the location of the data on the disk.

With folders, additional attributes of interest are the index entries in the MFT of the files in that folder or, if the MFT record cannot hold all of the folder's entries, the location of these entries in an index buffer (an allocated space outside the MFT to hold these index


entries). NTFS writes data to the disk in whole chunks called clusters. The cluster size varies depending on the size of the disk partition and the Windows version. NTFS uses another system file, $BITMAP, to keep track of which clusters have been allocated on the disk. In the $BITMAP file, a single bit indicates whether each cluster has been allocated or not. So when a file is allocated, the bit for each cluster assigned to that file must be set in the $BITMAP file, a record must be created in the MFT, an index entry must be created in the folder's MFT record or index buffer, and the addresses of any clusters used to hold the file's data must be added to the MFT record.

When a file is deleted, the bits for that file's clusters are set to zero in the $BITMAP file, the MFT record is marked for deletion, and the index entry is deleted (by moving up the entries below it and thus overwriting it). However, if the index entry is the last one for that folder, the entry remains visible and thus its attributes are recoverable; useful evidence like file access times can be found. NTFS overwrites MFT records marked for deletion when creating a new record in the MFT. If no new records have been created in the MFT, the records marked for deletion are not overwritten, and useful file attributes, and possibly data (if it fit in the record), can be recovered as well.

But it is possible to recover a deleted file even after its record in the MFT and the index entry of its parent folder have been overwritten. If the file's data was large enough, the data would have resided in clusters on the disk instead of in the MFT itself. Clusters holding the data of deleted files form part of the unallocated space on the disk, so a simple listing of the directory contents will not show the deleted files. Because the forensic analyst has all the contents of the suspect's hard drive, the analyst can search for a deleted file's contents on the disk using a hex editor or other forensic tools. Unallocated space is a huge source of information for analysts because deleted file data residing there may not have been overwritten yet. Unallocated space also contains the contents of the index buffers of deleted folder entries.

Moving and renaming a file creates entries in the MFT that have the same MAC times, starting clusters and file sizes. Forensic analysts can compare the record of the allocated, renamed file in the MFT with the deleted file in the unallocated space to establish whether they are indeed the same. If they are, this can prove that a suspect had knowledge of the file's existence, since the suspect moved it (provided only the suspect had access to the computer). MAC times can also help prove the suspect's knowledge of a file and its contents, as they show the time it was created, last modified, and last accessed. For example, if the file was last accessed at a time much later than the creation time, the investigator could show that the suspect knowingly used the file, as in a court case involving child pornography in which the defendant had claimed he simply downloaded files of unknown content and forwarded them to others without viewing them. The forensic investigator had evidence of the MAC times of the files in question and showed that many of the files had access times far later than their creation times. The defendant pled guilty as a result.


Analysts can also inspect the contents of the Recycle Bin, which holds files that are deleted by the user. When a file is deleted it is moved to the Recycle Bin, where a record is created for that particular file in a system file of the Recycle Bin (named INFO). The entry contains useful information for the analyst, such as the file's location before it was deleted, the file's original name and path, and the date of the deletion. These pieces of information can show that the suspect created a file, knew its location, and knowingly deleted it. When the user empties the Recycle Bin, Windows deletes the entries in the INFO file. If it has not been completely overwritten, the deleted INFO file entry can still be examined.

As stated before, deleted file data and attributes may reside in the unallocated space. Another area of the disk that may hold deleted file attributes is the file slack. File slack refers to the space between the end of a file and the end of the last cluster it resides in. It is often the case that a file's size is not an exact multiple of the cluster size, so the remaining space, called file slack, may contain data from previously deleted files.
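As an added illustration (not part of the original text) of the $BITMAP, cluster and file-slack discussion above, a toy model in Python: a constructed 16-cluster volume with one allocation bit per cluster, a file that is deleted, a smaller file allocated into the same clusters, and the old data carved from the new file's slack. The 512-byte cluster size and 16-cluster volume are assumptions chosen to keep the image tiny, not real NTFS parameters.

```python
"""Toy NTFS-style volume: clusters, a $BITMAP-like allocation bitmap, and file slack.

Added example with constructed data; the structures are simplified stand-ins
for NTFS, not the real on-disk formats.
"""

CLUSTER_SIZE = 512      # assumption: small cluster so the image stays tiny
TOTAL_CLUSTERS = 16


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    """One bit per cluster, least-significant bit first, as in $BITMAP."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)


def set_cluster(bitmap: bytearray, cluster: int, allocated: bool) -> None:
    """Set or clear the allocation bit for one cluster."""
    mask = 1 << (cluster % 8)
    if allocated:
        bitmap[cluster // 8] |= mask
    else:
        bitmap[cluster // 8] &= 0xFF ^ mask


def unallocated_clusters(bitmap: bytes, total: int = TOTAL_CLUSTERS) -> list:
    """Clusters a directory listing will never show: where deleted data may survive."""
    return [c for c in range(total) if not cluster_allocated(bitmap, c)]


def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    return -(-file_size // cluster_size)  # ceiling division


def slack_size(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of the file and the end of its last cluster."""
    return (-file_size) % cluster_size if file_size else 0


def carve_slack(image: bytes, clusters: list, file_size: int,
                cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack bytes of a file stored in `clusters` (in logical order)."""
    n = slack_size(file_size, cluster_size)
    if n == 0:
        return b""
    end = (clusters[-1] + 1) * cluster_size
    return bytes(image[end - n:end])


def write_file(image: bytearray, bitmap: bytearray, data: bytes, first_cluster: int) -> list:
    """Allocate contiguous clusters from first_cluster and write only the data.

    Like a real file system, nothing is written past the end of the data, so the
    tail of the last cluster keeps whatever it held before.
    """
    clusters = list(range(first_cluster, first_cluster + clusters_needed(len(data))))
    for c in clusters:
        set_cluster(bitmap, c, True)
    start = first_cluster * CLUSTER_SIZE
    image[start:start + len(data)] = data
    return clusters


def delete_file(bitmap: bytearray, clusters: list) -> None:
    """Deletion only clears allocation bits; the data stays on disk."""
    for c in clusters:
        set_cluster(bitmap, c, False)


# Constructed contents: a 900-byte memo, later "deleted", then a 600-byte file
# allocated into the same clusters.
OLD_DATA = (b"OLD-MEMO-CONTENT-" * 53)[:900]
NEW_DATA = b"n" * 600


def demo() -> dict:
    image = bytearray(CLUSTER_SIZE * TOTAL_CLUSTERS)
    bitmap = bytearray(TOTAL_CLUSTERS // 8)
    set_cluster(bitmap, 0, True)  # pretend cluster 0 holds system metadata
    old_clusters = write_file(image, bitmap, OLD_DATA, first_cluster=4)   # clusters 4,5
    delete_file(bitmap, old_clusters)
    free_after_delete = unallocated_clusters(bitmap)
    new_clusters = write_file(image, bitmap, NEW_DATA, first_cluster=4)   # reuses 4,5
    return {
        "old_clusters": old_clusters,
        "free_after_delete": free_after_delete,
        "new_clusters": new_clusters,
        "new_file_slack": carve_slack(image, new_clusters, len(NEW_DATA)),
    }


if __name__ == "__main__":
    r = demo()
    print("slack bytes recovered:", len(r["new_file_slack"]))
    print(r["new_file_slack"][:40])
```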

For the forensic analyst, a bigger cluster means more file slack to examine, and thus is of more value. In addition, data may be found in the swap space. If the RAM is full, the OS writes some of the data to a special place on the disk called the swap space; this is the concept behind virtual memory. The swap space may contain the remnants of deleted files if they were deleted


very recently.

Shortcut files in Windows provide analysts with another source of information about files. Shortcut files contain the MAC times of the files they refer to and the full paths to those files. Remnants of deleted shortcut files, like other files, can be searched for in the unallocated space, slack space, and swap space of the disk.

Investigators can also examine the Internet files that are cached by Internet Explorer. These files are named Index.DAT and they contain the URL, the date last modified by the server and the date last accessed by the user. These caches may be deleted by the user but, again, like deleted files and shortcuts, these deleted cached files may be recovered in the spaces of the disk mentioned above.

When a file is printed, temporary files containing the data to be printed are created by the system. These temporary files are used to spool print jobs so that the application program can remain interactive with the user. The temporary files include the data itself and the full path, potentially useful to the forensic examiner. When the print job is finished, these temporary files are deleted and may be recovered in unallocated space or the swap file.

The forensic analyst may look at the Windows registry to find information about the hardware and software used. The registry contains the configuration information for the hardware and software and may also contain information about recently used programs and files. Proof that a suspect had installed a program or application may be found in the registry.

Another source for recovering files and finding evidence is the NTFS $LOGFILE. The $LOGFILE records all transactions done on the NTFS volume and is used to restore the volume if (or more appropriately, when) the system crashes; NTFS is then able to undo or redo transactions. The $LOGFILE may contain index entries for folders, a copy of an MFT record (including MAC times), index buffers, and other potentially useful information that the examiner can use. For example, evidence of a filename may exist only in the $LOGFILE and nowhere else (if it had been overwritten elsewhere).

Windows systems give the forensic analyst plenty of sources of useful information. The places mentioned in this paper are just some of the areas that the investigator can search for evidence against the suspect.

Forensic Analysis on Unix Systems

Conducting an investigation on Unix systems is very similar to conducting one on Windows systems. The forensic analyst must understand how Unix allocates and deletes files in order to know where to look for the contents and attributes of files that exist (and are potentially hidden) or have been deleted. But the idiosyncrasies of Unix give the investigator different approaches to analyzing the data on Unix systems versus Windows systems.

Unix and Windows view files very differently. Unix uses the concept of inodes (index nodes) to represent files. Each inode contains the pointers to the actual data on the disk as well as file attributes useful to the investigator; these include the owner ID, access permissions (read, write, execute), the number of links (number of directories referencing the


file), the MAC times, which are the times of last modification, access, and change of status (change of owner, permissions or number of links), and the file size. Note that the filename is not included in the inode. Instead, the file name is stored as an entry in the directory structure along with the location of the actual inode.

Like NTFS on a Windows system, the Unix file system allocates data in fixed-size pieces called blocks, analogous to the clusters used by NTFS. Therefore file slack, the space between the end of a file and the end of its last block, is found on Unix systems as well as on Windows systems, because not all files fit exactly into the blocks on the disk. Forensic analysts can examine the file slack for remnants of deleted files and attributes. File deletion in Unix involves marking the directory entry for that file name as unused, disconnecting the file name from the actual file data and attributes. The inode of the file is marked as unused and some, but not all, of the attribute information is lost. The file's data blocks are marked as unused. According to the creators of the Unix forensics toolkit The Coroner's Toolkit (TCT), deleted file data and attributes remain for long periods of time, such as hundreds of days on heavily used systems, because Unix has good file system locality: files tend to be clustered together instead of randomly spaced apart. Unix file systems avoid fragmentation as much as possible to achieve this locality, allowing deleted files and attributes to remain much longer on the disk, since the chances are slim that new files written to the disk are the same size as these deleted files.

So deleted files may be easier to recover on Unix systems than on Windows. The Coroner's Toolkit is widely used to examine Unix systems and contains many useful utilities for forensic analysts. One such tool is unrm, a tool that undeletes files. Deleted file attributes can be recovered using the tools in the TCT. Remember that file attributes are very important to investigators, especially the MAC times; TCT even includes a tool called mactime that neatly displays the MAC times of files.
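As an added example (not TCT's code and not from the original text), a mactime-style timeline in Python over constructed MAC records, serving both the Windows MAC-times argument earlier (access long after creation) and the TCT mactime tool mentioned here. File names and timestamps are constructed; the third timestamp is treated as the creation time (NTFS) and the access-after-creation check is only meaningful in that case.

```python
"""MAC-time timeline in the style of TCT's mactime, over constructed records.

Added example, not TCT code. The three timestamps are kept generic: on NTFS the
third one is the creation time, on a Unix inode it is the status-change time.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class MacRecord:
    name: str
    mtime: int   # last modification (epoch seconds)
    atime: int   # last access
    ctime: int   # NTFS: creation; Unix inode: last status change


def timeline(records) -> list:
    """One row per (timestamp, file), flagged 'm', 'a', 'c' or '.' per column.

    A file whose three times coincide gives a single 'mac' row; a file touched
    at different moments is spread over several rows, sorted by time, so the
    analyst reads events in the order they happened across all files.
    """
    rows = {}
    for r in records:
        for ts, flag in ((r.mtime, "m"), (r.atime, "a"), (r.ctime, "c")):
            rows.setdefault((ts, r.name), set()).add(flag)
    return [
        (ts, "".join(f if f in flags else "." for f in "mac"), name)
        for (ts, name), flags in sorted(rows.items())
    ]


def accessed_long_after_creation(records, min_gap: int) -> list:
    """Files whose last access is at least min_gap seconds after their creation.

    This is the reasoning from the court case in the text: an access far later
    than creation is hard to square with "downloaded and forwarded unseen".
    Only meaningful where the third timestamp is a creation time (NTFS).
    """
    return sorted(r.name for r in records if r.atime - r.ctime >= min_gap)


def fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample (not real evidence). Times are UTC epoch seconds.
T0 = 1_000_000_000          # 2001-09-09 01:46:40 UTC
DAY = 86_400
SAMPLE = [
    MacRecord("download.zip",  mtime=T0,           atime=T0 + 30 * DAY, ctime=T0),
    MacRecord("readme.txt",    mtime=T0 + 3600,    atime=T0 + 3600,     ctime=T0 + 3600),
    MacRecord("forwarded.eml", mtime=T0 + 2 * DAY, atime=T0 + 2 * DAY,  ctime=T0 + DAY),
]


if __name__ == "__main__":
    for ts, mac, name in timeline(SAMPLE):
        print(f"{fmt(ts)}  {mac}  {name}")
    print("accessed >= 7 days after creation:",
          accessed_long_after_creation(SAMPLE, 7 * DAY))
```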

Everything in Unix is a file, so any transaction done within Unix will leave evidence that the transaction occurred, because the MAC times of the associated files will be altered. Analysts can examine the MAC times of files in Unix, like the MAC times of files in Windows, to show that the suspect had knowledge of the existence and contents of a file. However, skilled hackers can alter the MAC times to hide their tracks within the file system, since inode information is stored in the file system itself, so investigators should not completely trust the MAC times of files. Unix tools can be used to examine the contents of the hard drive. Commonly used commands include find, grep, and strings. Analysts can use these tools to search for keywords identifying a specific piece of data, such as an email or pornography. The TCT includes a tool called lazarus that attempts to classify blocks of data as text or binary. With text blocks, lazarus checks for the keywords that the analyst has requested in the form of regular expressions.

The places on the hard drive where the analyst can look for remnants of files are nearly the same as those on Windows systems. In addition to the file slack mentioned earlier, investigators can search through the Unix swap file (similar to the Windows swap file) and, of course, the unallocated space occupied by unused and deleted files. In addition, for each user in Unix there is a directory named tmp that holds temporary


application files. This is similar to the situation in Windows, where temporary application files are created; the contents of these temporary files may still exist in the /tmp directory at the time of the investigation and may be used as evidence against the suspect.

Unix gives users the ability to repeat commands used in previous sessions. In order to do this, the commands are saved in a shell history file. Thus the shell history file can be examined to trace the steps of a hacker or to show that the suspect knowingly created, modified, accessed, and/or deleted a specific file. However, a user (or hacker) can clean out the shell history file to cover his tracks, so the shell history file is useful only some of the time, especially where no attempt has been made to modify it.

Forensic analysis of a Unix system shares some characteristics with that of a Windows system. The search for deleted data involves looking in the same kinds of spaces: the unallocated space, file slack, and swap space. But investigation of Unix systems can involve the use of Unix tools that help in the search for certain patterns among the contents of the disk. In addition, Unix forensics toolkits such as The Coroner's Toolkit enormously aid in the examination of Unix systems.

Obtaining Magnetic Residue Data

Data overwritten on the hard disk may seem to be unrecoverable, and the forensic techniques outlined above will not enable the investigator to retrieve data from deleted files that have been overwritten. However, the hard disk is a physical device. It consists of a stack of disks covered in magnetic material that stores the pattern of 1s and 0s that make up the data. A read/write head hovers above it to read or write data to a track, one of the concentric rings on the disk. But when a track is overwritten with new data, traces of the old data remain underneath. This is due to the "inability of the writing device to write in exactly the same location each time, and partially due to the variations in [magnetic] media sensitivity and field strength over time and among devices."

Specialized equipment is needed to recover some of the overwritten layers through the use of magnetic force microscopy (MFM). MFM creates images of the patterns of magnetic data on the disk, so any traces of old data will appear in the image of the patterns. The number of layers that can be read depends on the sensitivity of the instrument used to perform the MFM, but it is generally known that these machines can read the first two layers quite easily.

This kind of data recovery at the physical level is rarely done. The machines are very expensive to manufacture and only certain government agencies actually possess them.


Dealing with an Intrusion

Once a system has been compromised, action must be taken immediately to ensure that the state of the system is accurately recorded before it is accidentally modified. The first thing to do is to create an exact copy of the system's entire file contents. Many administrators respond to an intrusion by rebooting the compromised system and restoring from backups. However, this is not the ideal course of action: not only does it neglect the fact that the attack can happen again, but valuable evidence that could be used to trace the attacker is lost. To ensure that the evidence is preserved, a copy of the file system must be made immediately and without rebooting the system (as restarting the computer may change and overwrite files, inadvertently destroying evidence). This is usually done using binary disk imaging software that records not only the existing files on the hard drive but every single bit left on the system, which in effect records deleted files as well.

It is recommended that first one copy be made from the original drive and then the original be sealed away and handled as little as possible. It is important to record exactly to whom the original drive has been entrusted at each step, so that a future prosecution is more likely to succeed. This first copy now becomes the "original" from which other copies can be made and examined. This is done to ensure as little handling of the true original as possible. Once the original is copied and safely secured, the investigation can begin.

Looking into the Logs

The most useful pieces of evidence that can help piece together the events are the system's logs. Both UNIX and Windows are capable of logging important events and their details as they occur, and logging should always be turned on long before an intrusion occurs. The more logs that are available, the clearer the picture of events will be. One very useful kind of log is a login log, or connection log. These logs record precisely every connection attempt that is made, by recording the date, time, network IP address of the computer attempting to log in, and the result of each login. These logs usually show the very first signs of unusual behavior, for example when an unknown address attempts to connect to an unusual port number or when multiple unsuccessful attempts are made to log in to a specific account.
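As an added example (not from the original text), a small triage script in Python for the login-log signals just described: repeated failed attempts against one account, repeated failures from one address, and a success that follows failures from the same address. The log lines are constructed in OpenSSH auth-log style and use documentation-only IP ranges; the threshold is an assumption.

```python
"""Triage of a login/connection log: failed-login bursts per account and per address.

Added example, not from the original text. The log lines below are constructed
in OpenSSH's auth-log style and use documentation-only IP ranges.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse(lines):
    """Yield one dict per recognised login line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(lines, threshold: int = 5) -> dict:
    """Return the signals the text describes: repeated failures and their origins.

    - failed_per_account: accounts with >= threshold failed attempts
    - failed_per_ip: addresses with >= threshold failed attempts
    - success_after_failures: (ip, user, prior_failures) where a success
      followed failures from the same address, the pattern most worth a look
    """
    per_account = Counter()
    per_ip = Counter()
    failures_seen = defaultdict(int)
    suspicious_success = []
    for ev in parse(lines):
        if ev["result"] == "Failed":
            per_account[ev["user"]] += 1
            per_ip[ev["ip"]] += 1
            failures_seen[ev["ip"]] += 1
        elif failures_seen[ev["ip"]]:
            suspicious_success.append((ev["ip"], ev["user"], failures_seen[ev["ip"]]))
    return {
        "failed_per_account": {u: n for u, n in per_account.items() if n >= threshold},
        "failed_per_ip": {ip: n for ip, n in per_ip.items() if n >= threshold},
        "success_after_failures": suspicious_success,
    }


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    "Mar  3 02:14:01 host sshd[4120]: Accepted publickey for alice from 198.51.100.5 port 50122 ssh2",
] + [
    f"Mar  3 02:15:{s:02d} host sshd[41{s:02d}]: Failed password for root "
    f"from 203.0.113.7 port {51000 + s} ssh2"
    for s in range(6)
] + [
    "Mar  3 02:16:10 host sshd[4130]: Failed password for invalid user admin from 203.0.113.7 port 51010 ssh2",
    "Mar  3 02:16:40 host sshd[4131]: Accepted password for root from 203.0.113.7 port 51011 ssh2",
    "Mar  3 02:17:00 host sshd[4132]: Connection closed by 198.51.100.5 port 50122",
]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```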

If an intruder has successfully logged into the system with an account, the system can also keep a shell command history, which can show exactly what each user typed into the shell and at what time. This is very useful in trying to figure out what the hacker was trying to do with the system (e.g. which files he/she accessed or modified), but unfortunately shell command histories cannot record individual commands executed within a script. Process accounting logs are very useful for revealing the activities of the intruder by showing exactly which files were executed, when, by whom and for how long.


These logs are quite detailed and sometimes very useful. However, reading them is difficult because they are sorted in order of when the processes terminated, so processes that ran longer than others may go unnoticed and those still running will not be listed. A hacker may have left a process running, and it can be analyzed by first halting the process without killing it, as terminating the process may discard important information about the plans of the attacker. The process's symbol table and core stack can then be extracted and examined with a debugger.

With these system logs, in addition to any IDS or firewall logs, a system administrator can piece together a fairly good picture of what the hacker did and intends to do with the system in the future. From there, an administrator can start repairing the damage and attempt to plug the holes that allowed the intruder to invade the system.

Repairing the System

In addition to leaving lots of evidence, hackers often leave numerous programs and data on the victim system, usually as a branching-off point to attack other systems. These files are generally called remnant files and can include anything from exploit scripts to key logging programs to Trojan horses meant for further damage after a clean-up. Hackers often replace common executable files on systems, such as ls, telnet, and find, with their own modified versions that have harmful side-effects, so it is important that system administrators back up their systems often and regularly compute cryptographic checksums, such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA-1), over the file systems. In the event of an incident, files can be compared against the checksums to determine whether or not they have been tampered with. Checksums should also be computed for all system configuration files, as modifying those is also part of the hacker's modus operandi.

Hackers also tend to hide files on a victimized system by deleting them, by placing them in obscure locations, or by giving them unusual names that are not easily found. A hacker's deleted files can be found and recovered using appropriate utilities that are available on the Internet. Sometimes hackers prefix hidden filenames with two or more periods so that the ls command does not list them normally. They can hide fragments of data in unused blocks left from internal fragmentation of files scattered throughout the file system. They can also sometimes insert data inside the code or data segments of regular executable files and go undetected because those blocks are never accessed by the executables.
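As an added example (not from the original text), the checksum practice above in Python: a baseline of SHA-256 sums over a directory tree, a later snapshot compared against it to list modified, removed and added files, and a scan for names that use the leading-periods trick. The miniature "system" it builds (bin/ls, bin/find, etc/sshd_config) and the tampering it simulates are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for system binaries and configuration.

Added example, not from the original text. It builds a table of SHA-256 sums
over a directory tree, compares a later snapshot against it, and flags file
names beginning with two or more periods. Keep the saved baseline offline, as
the text recommends, so an intruder cannot adjust it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    root_path = Path(root)
    return {
        str(p.relative_to(root_path)): sha256_of(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(old: dict, new: dict) -> dict:
    """Classify every difference between two baselines."""
    return {
        "modified": sorted(f for f in old if f in new and old[f] != new[f]),
        "removed": sorted(f for f in old if f not in new),
        "added": sorted(f for f in new if f not in old),
    }


def suspicious_names(root: str) -> list:
    """Names beginning with two or more periods, or made only of periods/spaces."""
    root_path = Path(root)
    return sorted(
        str(p.relative_to(root_path))
        for p in root_path.rglob("*")
        if p.name.startswith("..") or p.name.strip(" .") == ""
    )


def save_baseline(table: dict, path: str) -> None:
    Path(path).write_text(json.dumps(table, indent=1, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Construct a tiny 'system' in a temp dir, baseline it, tamper with it, diff.

    The file names are constructed stand-ins for a real /bin and /etc.
    """
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        etc_dir = Path(root, "etc")
        bin_dir.mkdir()
        etc_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"ELF-original-ls")
        (bin_dir / "find").write_bytes(b"ELF-original-find")
        (etc_dir / "sshd_config").write_text("PermitRootLogin no\n")
        good = baseline(root)
        # Simulated intrusion: trojaned ls, config changed, hidden file, find removed.
        (bin_dir / "ls").write_bytes(b"ELF-modified-ls")
        (etc_dir / "sshd_config").write_text("PermitRootLogin yes\n")
        (bin_dir / "...").write_bytes(b"dropped file")
        (bin_dir / "find").unlink()
        return {"diff": compare(good, baseline(root)), "hidden": suspicious_names(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```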

Tracking the Hacker

After examining the logs and reaching a reasonable interpretation of the hacker's activities, a possible next step is to track down the hacker himself. Unfortunately, this is rarely an easy task. The system logs are the only key to finding out who is responsible for the attack. When attackers invade a system, they often modify or delete logs that could be used to trace them, so it is good practice to set up your system so that logs are written to an offline file system to prevent the hacker from accessing them. A similar practice should be adopted for the


cryptographic checksums of system executables and system configurations. This will ensure that the system can be recovered successfully and perhaps even that the person responsible is caught.

Network router logs can also be useful in finding a hacker, as they record information about the packets that pass through. If a general time frame for the attack can be determined, it will be much easier to find relevant information in the network logs. Once an IP address is determined to be the source of the attacks, a simple traceroute can find the system. However, this system is likely to be simply another victimized system that the hacker has used, so this entire process must be repeated for that system and any other systems along the way until the hacker is ultimately found. Unfortunately, this is difficult because there are many barriers to finding the perpetrator. If any compromised system along the way did not keep adequate logs, the trail grows cold very fast. If the hacker's ISP is uncooperative, tracing becomes difficult as well. Most difficult of all, if one of the compromised systems lies across international borders, things get a lot more complicated. These and other complications can bring the hunt to a screeching halt. The best that can be done is to restore the services, learn from past mistakes, consistently apply system security patches and stay vigilant.

Keystroke Loggers

Keystroke loggers run primarily in the background of a computer, and many run in "stealth" mode, meaning they are not listed in process lists and they hide the registry modifications they make to system settings. Once each key is intercepted, the information may be stored somewhere on the computer (or a remote computer) to be accessed later, or streamed in real time over the network to the person who started the logging program. Keystroke loggers have become more advanced and are now capable of features such as notifying the logger's initiator when specific behavior or content is encountered, and can even record screenshots of anything displayed on the monitor at a particular event or at regular time intervals, allowing key loggers to become even more intrusive.

A key logger normally consists of two parts: a Dynamic-Link Library (DLL) file that performs the logging, and an executable (EXE) file that loads the DLL and sets the hook onto the keyboard. A hook is defined as any mechanism that uses a function to intercept events before they can reach an application. The function can then change, manipulate, or discard (keyboard) events in any way before allowing them through to the destination application. Hooks come in two flavors, system-wide and thread-specific; key loggers use system-wide hooks. DLLs are files that contain functions (as well as other information) that can be linked to any application at run time. When this is done, the functions in a DLL are attached to the processes themselves and are mapped into the process address space, allowing them to be called from the process


Finding the Spy

Keystroke logging programs can be installed either in person, by someone who has physical access to the target computer, or remotely, either by a "Trojan horse" application or by a hacker who has gained root access to the system. Once loaded, the keystroke logging software is virtually undetectable by the user. Key loggers normally use little memory and do not affect a computer's performance, making them more difficult to detect. However, there are anti-snooping products available that claim to be able to find such key loggers by probing resident memory and recognizing programs that exhibit devious behavior. Products like one called KeyPatrol use behavior-detecting and pattern-matching algorithms. Once a particular application has "hooked" the keyboard, the application can be easily found by detecting a procedure call to the keystroke logging function.

A Physical Alternative

Another way that keystrokes can be monitored is by a physical device connected directly to the keyboard. The best known of such devices is the KeyGhost [31] key logger, a small device that is placed on the end of the keyboard cable and plugged into the back of the computer. This device has many advantages over its software counterparts: it is easy to install, works with any operating system, and cannot be detected by anti-snooping software. Installing the device requires no computer expertise whatsoever and can be done regardless of whether the computer is on or off. The device is OS independent and cannot be detected by software because it requires no software or drivers; it simply reads each keystroke as it is entered on the keyboard, records it in flash memory embedded in the device, and passes the key through to the computer unchanged. The device can therefore record keystrokes even before the OS is loaded, and captures BIOS passwords as well. It requires no external power and causes no slowdown, since it uses no system resources. The recorded data is stored with 128-bit encryption to prevent unauthorized extraction.

To access its stored information, a specific series of keys must be pressed on the keyboard, chosen so that it is highly unlikely to be pressed accidentally (much like a password). Once the correct combination is detected, the device outputs a menu by sending a series of keystrokes to the computer, which can be viewed in any text editor. From there, the information can be downloaded or erased, and the device options can be changed. The drawback of this device is that it has a finite amount of memory and can only store so many characters; depending on how much a person is willing to spend, a KeyGhost device can store anywhere between 128,000 and 2,000,000+ keystrokes. Once the memory is filled before it is downloaded, the device begins overwriting the oldest recorded data.

The device itself closely resembles an ordinary keyboard cable extension, but anyone who checks the back of the computer will be able to notice it. This vendor also offers keyboards with the KeyGhost device built in; these behave as any keyboard would, except for the logging capability, giving the device added secrecy.

Privacy

Computer forensics investigations typically involve one of two privacy issues. The first arises when evidence is retrieved from a particular computer or electronic device. In this case, the investigating officers need to be careful to avoid charges of illegal search and seizure; in other words, they need to comply with the Fourth Amendment to the Constitution. The second issue involves evidence pertaining to Internet usage. The Internet is usually considered an open forum that allows users the anonymity to express themselves without fear of reproach. It is important to provide the opportunity for such anonymity in order to promote free speech. Furthermore, it allows the minority voice to be heard when fear of backlash from the majority might otherwise keep it silent. However, when that anonymity is used to perpetrate a crime, such as accessing bank records or circulating child pornography, it is no longer a matter of minority opinion but of tracking down and prosecuting a criminal.

The Fourth Amendment

Technology has invaded most aspects of our lives, and computers have become ubiquitous. In 2000, more than fifty-one percent of American households had a computer. Many people have access to computers, including those with criminal intentions. In some cases, computers are simply fancy storage devices for keeping records. When this is the case, examination of the computer (as previously explained) can produce valuable evidence. In legal cases that involve seizure of a computer or other electronic device, it is important that investigators comply with the Fourth Amendment.

The Fourth Amendment states:

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The amendment mandates that, in order to search a suspect's personal property, the investigating officer must first obtain a search warrant. This applies to any electronic devices found in the suspect's home or workplace, or that are otherwise considered personal property. Failure to do so will often result in suppression of the evidence; in other words, illegally obtained evidence cannot be used during prosecution.

A search conducted without a warrant is not illegal if it does not violate a person's reasonable expectation of privacy. With respect to a computer, "the Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation."

Typically, a computer is protected from such search and seizure when it is under the control of its owner. However, when the device is under the control of another person, the owner has a reduced expectation of privacy if that person is allowed to access the system. For example, if the computer is temporarily placed under the control of another person and is not password protected, the owner does not have a reasonable expectation of privacy.

Privacy and the Internet

As educated users, we know that our Internet connection is not as anonymous as we might want. Typically, most users do not hide their IP address, which can usually be traced back to a specific computer or connection, thus revealing the location of the user. Furthermore, Internet Service Providers (ISPs) often keep records that link access accounts and IP addresses to individual users. However, ISPs generally serve the public at large, and it is in their best interest to protect the rights of their customers. An investigator must therefore go through the proper legal process in order to obtain a user's identity.

The problem of determining identity falls under the restrictions of the Electronic Communications Privacy Act (ECPA). The ECPA "governs law enforcement access to the contents of electronic communications stored by third-party service providers" [41]. Furthermore, "whenever agents or prosecutors seek stored e-mail, account records, or subscriber information from a network service provider, they must comply with ECPA" [42]. Essentially, the contents of an e-mail or voicemail communication that has been in storage for 180 days or less can only be accessed with a warrant, whereas a communication stored for more than 180 days can be obtained with a subpoena instead.

When a subpoena is used instead of a warrant, the investigator or service provider must give the user notice of the intent to view the files. It is important to note that the ECPA's stored-communications provisions cover stored communications and account details only. Communications that are monitored in real time are governed by two other statutes. The Pen/Trap statute (18 U.S.C. §§ 3121-3127) authorizes devices that record the addressing information of incoming and outgoing communications; the comparatively simple court order it requires allows for such monitoring as tracing a computer intruder's IP address. Title III, also known as the Wiretap Act (18 U.S.C. §§ 2510-2522), regulates the collection of the actual content of wire and electronic communications.


CONCLUSION

- Definition of Forensics
  Tell the story: what was lost, how it was lost
- Be able to understand the process of building a legally sound case
  Complex issues
- Identify the forensic capabilities you will need in a typical corporate environment
  Only you know your topology

Future Scope

Finally, computer forensics techniques are starting to be used for non-investigative purposes. These uses include data mapping for security and privacy risk assessment, as well as automated search for intellectual property. Thus, computer forensics is transitioning from an "investigation and response mechanism to one of prevention, compliance, and assurance".

Who knows? Maybe 50 years from now computers themselves will be able to testify in court, eliminating the need for computer forensics experts.


REFERENCES

Michael G. Noblett; Mark M. Pollitt; Lawrence A. Presley (October 2000). "Recovering and examining computer forensic evidence". Retrieved 26 July 2010.

Leigland, R. (September 2004). "A Formalization of Digital Forensics".

A. Yasinsac; R. F. Erbacher; D. G. Marks; M. M. Pollitt (2003). "Computer forensics education". IEEE Security & Privacy. CiteSeerX: 10.1.1.1.9510.

Warren G. Kruse; Jay G. Heiser (2002). Computer Forensics: Incident Response Essentials. Addison-Wesley. p. 392. ISBN 0-201-70719-5. Retrieved 6 December 2010.

Gunsch, G. (August 2002). "An Examination of Digital Forensic Models".

Adams, R. (2012). "The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice".

Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.

Various (2009). Eoghan Casey, ed. Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0-12-374267-6. Retrieved 27 August 2010.

Garfinkel, S. (August 2006). "Forensic Feature Extraction and Cross-Drive Analysis".

"EXP-SA: Prediction and Detection of Network Membership through Automated Hard Drive Analysis".

Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0-07-162677-8. Retrieved 27 August 2010.

Dunbar, B. (January 2001). "A detailed look at Steganographic Techniques and their use in an Open-Systems Environment".

J. Alex Halderman; Seth D. Schoen; Nadia Heninger; William Clarkson; William Paul; Joseph A. Calandrino; Ariel J. Feldman; Jacob Appelbaum; Edward W. Felten (21 February 2008). Lest We Remember: Cold Boot Attacks on Encryption Keys. Princeton University. Retrieved 20 November 2009.

Geiger, M. (March 2005). "Evaluating Commercial Counter-Forensic Tools".


BIBLIOGRAPHY

Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.

K. S. Rosenblatt (1995). High-Technology Crime: Investigating Cases Involving Computers. KSK Publications. ISBN 0-9648171-0-1. Retrieved 4 August 2010.

Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 0-07-162677-8. Retrieved 27 August 2010.

Various (2009). Eoghan Casey, ed. Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0-12-374267-6. Retrieved 27 August 2010.

Various (2009). M889 Computer Forensics and Investigations. Open University.

Vrizlynn L. L. Thing; Kian-Yong Ng; Ee-Chien Chang (August 2010). "Live memory forensics of mobile phones". Digital Investigation 7. doi:10.1016/j.diin.2010.05.010. ISSN 1742-2876.