COMPUTER FORENSICS
Mr Kolapo Oyeusi 04044790 [email protected]
Supervisor: Dr. Nick Ioannides [email protected]
A Dissertation submitted in partial fulfilment of the requirements of London Metropolitan University for the degree of Bachelor of Science in Computer Networking with Honours
May 2009
Faculty of Computing
TABLE OF CONTENTS
Definition of Terms
Glossary
Acknowledgements
Dedication
Abstract
Chapter 1: Introduction
Chapter 2: Literature review
Chapter 3: Approach and scope
Chapter 4: Practical/ Simulation/ Research work & Result
Chapter 5: A Critical Appraisal, Recommendations and Suggestions for further Work
Summary
Chapter 6: Conclusions
Appendices
Appendix A: Project Proposal Report
Appendix B: Materials (i.e. Configurations, Program source listings, etc.)
Reference & Bibliography
Definition of terms
Write-Blockers: These are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. Hardware write blockers can be IDE-to-IDE or Firewire/USB-to-IDE.
Good data: These are known file types such as operating system files and common programs (Microsoft Word, etc.).
Chapter 1: Introduction
Computer forensics is the collection, preservation, analysis and presentation of computer-related evidence that can be useful in criminal cases, civil disputes and human resources/employment proceedings (Vacca, 2005).
With the growth of the internet and the ever-changing digital environment, the need for computer forensics experts cannot be overemphasised.
The world is gradually becoming a global village due to the presence of the internet and the personal computer. Businesses and transactions that would have been done in person are now carried out online. The internet has made targets much more accessible, and the risks involved for criminals are much lower than in traditional crimes.
With more people embracing the internet, the number of internet users is expected to rise to 794 million in 2009 from the 657 million currently online (Vacca, 2005).
However, the word forensic was derived from usage in the medical field. Forensic medicine has been a recognised discipline as far back as the 18th century (Dixon, 2005). The computer industry has been taking computer forensics seriously for some years now due to embarrassing computer break-ins by teenage hackers.
Computer forensics is one of the fastest-growing professions of the 21st century (Vacca, 2005). This is partly due to the growth of the internet, which leaves organisations and individuals susceptible to security threats.
It is difficult to pinpoint the first computer forensic examination, but in 1991 the term computer forensics was coined in the first training session held by the International Association of Computer Investigative Specialists (IACIS) (www.forensics-intl.com).
Computer forensics has also been described as the autopsy of a computer hard disk drive because specialised software tools and techniques are required to analyse the various levels at which computer data is stored after the fact. The military and intelligence-gathering agencies have been involved in computer forensics since the mid-1980s, but this field is relatively new to the private sector. Computer forensic tools and procedures are used to identify computer security weaknesses and the leakage of sensitive computer data (www.forensics-intl.com).
The main goals of computer forensics are the preservation, identification, extraction, documentation and interpretation of recovered computer data.
Chapter 2: Literature review
Many criminal activities are committed nowadays, such as cyber terrorism, internet fraud, viruses, illegal downloads, falsification of documents, child pornography, counterfeiting, economic espionage, benefit fraud and human resources/employment proceedings, to mention just a few. As such, there is a need for appropriate legislation to help prosecute the perpetrators of these crimes. This is where the skills of a forensic expert come in, to help build indisputable evidence against them.
If the computer and its contents are examined by anyone other than a trained and experienced computer forensics specialist, the usefulness and credibility of that evidence will be tainted (Vacca, 2005). A highly skilled computer forensic analyst is someone who understands the discipline as well as the use of computer forensic tools.
Network forensic investigators, on the other hand, use log files to determine when users logged on, and they also try to determine which URLs users accessed, how they logged on to the network and from what location. In special cases, forensic experts use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or formatted. This method can be very capital intensive and may sometimes cost more than $20,000 (Nelson et al., 2008).
A recent survey reveals that both public and private agencies face serious threats from external and internal sources (Computer Crime and Security Survey, 2003).
There are three things to take into consideration when carrying out computer forensics. A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. Knowing what role the computer played in the crime can be of tremendous help when searching for evidence. This knowledge can also help reduce the time taken to package your evidence.
Also, the evidence required can be located on a network, an embedded system or a dead system. Most forensic examinations are carried out on dead systems that have been delivered for analysis. It is recommended that computers be powered down when making a seizure to prevent loss of evidence, but doing so before collecting volatile evidence can itself lead to loss of evidence when dealing with systems with large RAM or active network connections (Casey, 2002).
The integrity and security of evidence is a priority when carrying out a forensic investigation, and there are stringent guidelines that must be adhered to even when trying to save time.
A computer forensics specialist should not rely on just one tool to preserve, identify, extract and validate the computer evidence. Cross-validation through the use of multiple tools and techniques is standard in all forensic sciences. When this procedure is not used, it creates advantages for defence lawyers, who may challenge the accuracy of the software tool used and thus the integrity of the results. Using multiple validation software tools and procedures enables computer forensic specialists to eliminate any doubt about the accuracy of the evidence (www.forensics-intl.com).
When searching for graphical images on a computer system, it is important not to look only for files with the GIF or JPEG extensions, since the suspect might have saved them with another extension, such as DOC. It is therefore important to search every sector of the physical disk for certain file types (Casey, 2002).
Encryption and steganography hinder the investigation of a computer forensic specialist. Encryption makes it difficult for the examiner to analyse evidence that has been found, collected, documented and preserved. Steganography, on the other hand, involves the act of hiding information.
An individual using specialist data-hiding tools like Marutukku can protect themselves from all data recovery techniques (Casey, 2002).
Computers have been featuring in litigation for over 31 years. In 1977, there were 20 U.K. cases in which the word computer appeared and which were sufficiently important to be noted in the Lexis database. In the United States, there were 291 federal cases and 246 state cases in which it appeared (Vacca, 2005). Many people think of a computer forensic expert as someone who helps in recovering lost digital data from a computer, but their work goes far beyond that.
Countries all over the world are creating new laws and amending old ones since the surge in computer-related crimes. It is important to have the necessary legal backing to bring the perpetrators of these crimes to justice, or else the work carried out by a computer forensic specialist will be in vain. Likewise, businesses are adjusting their policies to help protect themselves against disgruntled employees willing to reveal sensitive client records and trade secrets.
Employing the services of a computer forensic specialist can sometimes be tricky. Having someone with the expertise and experience is no longer enough nowadays. The individual must also be able to testify and stand up to the scrutiny and pressure of cross-examination in a court of law.
In the early 1980s, computer forensic tools were simple and mainly developed by government agencies such as the U.S. Internal Revenue Service (IRS) and the Royal Canadian Mounted Police (RCMP) in Ottawa. Most of the tools written then were in C and assembly language and were not that popular. Moving into the mid-1980s, software known as XTree Gold was introduced which was able to recognise file types as well as retrieve lost or deleted files. Shortly after the release of XTree, Norton released DiskEdit, and this became the best tool for finding deleted files at that time because DiskEdit was compatible with most PCs then.
Moving into the 1990s, specialist tools for computer forensics became available. This led to training on software for computer forensic investigation by the International Association of Computer Investigative Specialists (IACIS). ASR Data created commercial GUI forensic software called Expert Witness. Expert Witness could recover deleted files and fragments of deleted files. One of the ASR partners left to develop EnCase, which is the most popular forensic tool.
DATA RECOVERY
Data recovery is the process in which highly trained forensic experts evaluate and extract data from damaged media and return it in an intact format (Vacca, 2005). Lost data might be the result of computer systems crashing, accidental deletion, computer viruses corrupting files or a disgruntled employee destroying files, to mention just a few causes. There is a high chance of recovering all the data if recovery is attempted shortly after the files have been removed.
Most Linux systems use the ext2 file system, which has slack space. A tool called bmap can place data in the slack space, retrieve it, and also wipe the slack space clean if needed. Data can be hidden in slack space to store secrets, plant evidence and perhaps hide tools from integrity checkers.
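As an added illustration of the slack-space point above (example code, not part of the dissertation), a toy block-based volume with an assumed 4 KiB block size: a logical read of a file stops at end-of-file, while a raw read of its allocated blocks also returns whatever was placed after it, which is why a sector-level examination rather than a file-level copy is needed to find such data.

```python
"""Added example, not the dissertation's code: a toy block-based volume showing
why data placed in file slack is invisible to a normal (logical) read of the
file but visible to a raw read of the file's allocated blocks."""

BLOCK_SIZE = 4096  # assumed block size; ext2 commonly uses 1, 2 or 4 KiB blocks

def blocks_needed(file_size: int) -> int:
    """Whole blocks the file system must allocate for file_size bytes."""
    return -(-file_size // BLOCK_SIZE)  # ceiling division

def slack_bytes(file_size: int) -> int:
    """Bytes between logical end-of-file and the end of the last allocated block."""
    return blocks_needed(file_size) * BLOCK_SIZE - file_size

class ToyVolume:
    """Constructed volume: raw blocks plus a directory of name -> (first block, size)."""

    def __init__(self, n_blocks: int):
        self.raw = bytearray(n_blocks * BLOCK_SIZE)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        start = self.next_free * BLOCK_SIZE
        self.raw[start:start + len(data)] = data
        self.directory[name] = (self.next_free, len(data))
        self.next_free += blocks_needed(len(data))

    def place_in_slack(self, name: str, payload: bytes) -> None:
        """Model of what the text says bmap does: bytes after EOF in the last block."""
        first, size = self.directory[name]
        if len(payload) > slack_bytes(size):
            raise ValueError("payload larger than the available slack")
        off = first * BLOCK_SIZE + size
        self.raw[off:off + len(payload)] = payload

    def read_logical(self, name: str) -> bytes:
        """What an application or file-level copy sees: bytes up to EOF only."""
        first, size = self.directory[name]
        return bytes(self.raw[first * BLOCK_SIZE:first * BLOCK_SIZE + size])

    def read_allocated(self, name: str) -> bytes:
        """What a sector-level examination sees: every allocated block in full."""
        first, size = self.directory[name]
        end = (first + blocks_needed(size)) * BLOCK_SIZE
        return bytes(self.raw[first * BLOCK_SIZE:end])

def demo() -> dict:
    vol = ToyVolume(n_blocks=8)
    report = b"Quarterly report: nothing unusual." * 50  # 1700 bytes -> one block
    vol.write_file("report.txt", report)
    vol.place_in_slack("report.txt", b"SLACK:constructed hidden note")
    logical, allocated = vol.read_logical("report.txt"), vol.read_allocated("report.txt")
    return {
        "slack": slack_bytes(len(report)),
        "logical_unchanged": logical == report,
        "logical_shows_payload": b"SLACK:" in logical,
        "allocated_shows_payload": b"SLACK:" in allocated,
    }
```

Wiping the slack, the third bmap function the text mentions, corresponds to zeroing the same byte range, after which `read_allocated` and `read_logical` differ only by trailing zero bytes.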
EVIDENCE COLLECTION
There are two main reasons why we need to collect evidence:
1) Future prevention.
2) Responsibility.
The job of a computer forensic specialist goes far beyond just data recovery. Evidence collection must be done in a methodical manner by professionals trained for this purpose.
Real Evidence: This is any evidence that speaks for itself without relying on anything else, for instance a log produced by an audit function which is free from contamination.
Testimonial Evidence: This is any evidence supplied by a witness. This evidence is dependent on the reliability of the witness. As long as the witness is reliable, testimonial evidence can be as powerful as real evidence. It should be noted that hearsay is inadmissible in court.
RULES OF EVIDENCE COLLECTION
The five rules of electronic evidence collection are also related to the five properties that evidence must possess to be useful, and they are:
1) Admissible: Evidence gathered is meant for use in the court/tribunal.
2) Authentic: Evidence collected must be relevant to the incident.
3) Complete: Evidence must be able to prove that the offender is liable for the offence even if other people were present at the time of the attack. Evidence that implicates the offender as well as evidence that vindicates him must be collected.
4) Reliable: The methods used in the collection of evidence and the analysis procedure must not cast any doubt on the authenticity of the evidence.
5) Believable: The evidence presented must be understandable and believable to the jury.
To have believable evidence, there are certain guidelines you must adhere to, such as:
Minimise handling and corruption of original data
Account for any changes and keep detailed logs of your actions
Comply with the five rules of evidence
Don’t exceed your knowledge
Follow your local security policy
Capture as accurate an image of the system as possible
Be prepared to testify
Work fast
Proceed from volatile to persistent evidence
Don’t shut down before collecting evidence
Don’t run any program on the affected system
TYPES OF COMPUTER FORENSIC TOOLS
Computer forensic tools can be classified into two major categories, namely:
Hardware Forensic Tools
Software Forensic Tools
Hardware Forensic Tools
Hardware forensic tools vary and may range from simple, single-purpose components to complete systems and servers. An example of a single-purpose component is the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge. This device helps to write-block an IDE
Computer forensic tools are required to perform certain functions and meet certain criteria, which can be grouped into five major categories, namely:
Acquisition
Validation and Discrimination
Extraction
Reconstruction
Reporting
Acquisition: This involves making copies of the original drive. Acquisition is referred to as the first task in a computer forensics investigation. Tools such as EnCase and AccessData FTK are used to acquire data images. It is also possible to acquire an image of data using hardware devices such as the Talon from Logicube. This hardware device possesses built-in software for data acquisition. There are two types of data copying methods used in software acquisition: physical copying of the entire drive and logical copying of a disk partition. Logical acquisition is preferred because the data acquired can be read and analysed easily.
Validation and Discrimination: Validation is the process of ensuring and maintaining the integrity of the data acquired. The process of validating data is what results in the discrimination of data. The main purpose of data discrimination is to separate good data from suspicious data. All computer forensic tools have a way of ensuring that the integrity of the data is still intact by comparing the original data with the image data. This is possible with the help of processes such as hashing, filtering and analysing file headers. Searching and comparing file headers improves data discrimination.
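An added example (not the author's code) that puts together the validation and discrimination steps above with the earlier literature-review point about searching every sector for image signatures regardless of file extension. The four-sector drive image, the file names and the 512-byte sector size are constructed, and the MD5/SHA-1/SHA-256 hash set is an assumption rather than what any of the named tools does.

```python
"""Added example, not the dissertation's code: validate an acquired image by
hash comparison, then discriminate files by header (magic bytes) rather than
extension, checking every sector of the image as the text recommends."""
import hashlib

SECTOR = 512  # bytes per sector, as on the drive described in the dissertation

# Header signatures for common graphics formats and an OLE2 (Word .doc) file,
# plus the extensions that honestly describe each format.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}
EXTENSIONS = {"gif": (".gif",), "jpeg": (".jpg", ".jpeg"),
              "png": (".png",), "doc": (".doc",)}

def identify(header: bytes):
    """Return the format whose signature starts the header, or None."""
    return next((k for k, m in SIGNATURES.items() if header.startswith(m)), None)

def image_hashes(data: bytes) -> dict:
    """Assumed hash set: MD5/SHA-1 (usual in 2009) plus SHA-256, since the
    older two are now collision-prone."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def validate_acquisition(original: bytes, acquired: bytes) -> bool:
    """Validation: the copy is acceptable only if every hash matches."""
    return image_hashes(original) == image_hashes(acquired)

def scan_sectors(image: bytes) -> list:
    """Discrimination: (sector, format) for each sector opening with a known
    signature, independent of any file name or directory entry."""
    hits = []
    for off in range(0, len(image), SECTOR):
        kind = identify(image[off:off + 16])
        if kind:
            hits.append((off // SECTOR, kind))
    return hits

def extension_mismatches(files: dict) -> list:
    """files maps name -> first bytes; flag names whose extension disagrees
    with the header, e.g. a GIF a suspect saved as .doc."""
    return [(name, identify(hdr)) for name, hdr in files.items()
            if identify(hdr) and not name.lower().endswith(EXTENSIONS[identify(hdr)])]

def build_image() -> bytes:
    """Constructed 4-sector image: Word document at sector 0, GIF at sector 2."""
    img = bytearray(4 * SECTOR)
    img[0:8] = SIGNATURES["doc"][0]
    img[2 * SECTOR:2 * SECTOR + 6] = b"GIF89a"
    return bytes(img)

def demo() -> dict:
    original = build_image()
    tampered = bytearray(original)
    tampered[-1] ^= 0x01  # a single flipped bit must fail validation
    files = {"memo.doc": original[:16],
             "notes.doc": original[2 * SECTOR:2 * SECTOR + 16]}
    return {
        "valid_copy": validate_acquisition(original, bytes(original)),
        "tampered_copy": validate_acquisition(original, bytes(tampered)),
        "sector_hits": scan_sectors(original),
        "mismatches": extension_mismatches(files),
    }
```

On a real image, `scan_sectors` is what finds the GIF stored as `notes.doc`; the directory listing alone would have classified it as good data.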
Extraction: This is the recovery task in a computing investigation (Nelson et al., 2008). Subfunctions of extraction used in an investigation include data viewing, keyword searching, decompressing, carving, decrypting and bookmarking. Extraction of data requires great mastery of the software and hardware deployed.
Reconstruction: Reconstruction features in a forensic tool are necessary to recreate a suspect’s drive and to show what happened during the crime or incident (Nelson et al., 2008). Duplicating a suspect’s hard drive enables other investigators to carry out their own acquisition, testing and analysis of the evidence. The most reliable way of recreating an image of a suspect’s hard drive is to obtain the same make and model of drive as the suspect’s. Subfunctions of reconstruction are: disk-to-disk copy, image-to-disk copy, partition-to-partition copy and image-to-partition copy. Examples of tools that can perform image-to-disk and image-to-partition copies are SafeBack, SnapBack, EnCase, FTK Imager and ProDiscover. All these tools are proprietary, and as such the images created can only be reassembled by the exact application that created them.
Reporting: The report phase is the final phase of the forensic disk analysis and examination.
The log report can be included in the final report detailing the step by step process undergone
during the examination.
SCENARIO
A company evaluates the performance and productivity of its staff and notices that it falls well below the standard. It discovers that valuable time is being lost by its employees downloading and surfing the internet during office hours, and as such it implements a strict policy against the indiscriminate use of the internet.
After a few weeks, its IT manager reviews a report from a detection tool used by the company. This report suggests that an employee of the company is still accessing restricted sites and downloading objectionable (graphic) content during office hours using his official workstation PC.
The IT manager decides to follow procedure by contacting the chief information officer (CIO) of the company, who is the person officially nominated to deal with computer-related violations and crimes within the company. The CIO decides to invoke the incident response team, comprising a computer forensic specialist.
The company aims to determine which employee is responsible by examining data recovered from the employee’s hard disk, and to build evidence against that employee which might eventually lead to their dismissal.
AIM AND OBJECTIVES
The purpose of computer forensics is to preserve, identify, extract, document and interpret computer data located on offending machines.
Academic Objectives
1) To locate and isolate the offending machine(s).
2) To conduct a computer forensics examination of the computer system using the necessary tools and technology.
3) To analyse the data gathered to determine where the materials came from and how often this has been going on.
4) To prevent evidence from being contaminated.
5) To produce a report detailing every activity and action carried out on the offending machine.
Personal objectives
To have a better understanding of computer forensics methodologies
To improve my problem solving and communication skills
To conclude my project within the allocated time required
To develop my project management skills.
RISKS
There are several risks that I foresee might hinder the progress of my project and they include:
Loss of data as a result of damage to or loss of a memory stick
Availability of credible resources
Lack of experience in the subject area.
CONTINGENCIES
Backing up all my data on multiple storage devices.
Working fast so that there is enough time to rectify any mishap.
LIMITATIONS
Time: Being able to divide my time between my project and other modules as well as my paid employment.
Cost of Tools/Software: Computer forensic software can be very expensive, so I have decided to use the trial versions of the software required to achieve my goals.
Availability of credible resources: There are limited materials regarding computer forensics in the school library.
A Brief Description of the Hard Drive Recovered/Given
The hard drive retrieved is the Maxtor D740X-6L 20GB AT hard disk. This hard disk is part of a family of high-performance 1-inch-high hard drives. It uses non-removable 3½-inch disks with an ATA interface. The Maxtor D740X-6L 20GB AT hard disk has embedded hard disk drive controllers and uses ATA commands to optimise system performance.
General characteristics
Manufacturer: Maxtor Corporation
Model: D740X6L (20GB)
Interface: EIDE/UltraATA/133
Capacity: 20GB
Total LBAs: 40,132,503
Height: 1.028" (26.10mm) max
Width: 4.00 ± 0.01" (101.6 ± 0.25mm)
Depth: 5.786" (147mm) max
Weight: <1.4lbs. (635grm)
Performance
Rotational speed: 7200 RPM
Average Rotational Latency: 4.17 ms
Spin-up time to Ready (typical): 12.5 s
Activity Specification
Track-to-Track: 0.8 ms
Average Random Read: 8.5 ms
Average Random Write: 10.5 ms
Full Stroke: 17.8 ms
Cache (Total): 2 MB
Interface transfer rate (Max): 133 MB/s burst
Interleave Factor: 1:1
Internal Characteristics
Number of Heads: 1
Number of Disks: 1
Track Density: 60,000 tracks per inch
Total sector: 40,132,503
Byte per sector: 512
Electrical
Nominal Voltage: +5Vdc/ +12Vdc
Voltage Margin: +5Vdc @ ± 5%, +12vdc @ ± 10%
Environmental
Operating Temperature: 5 to 55 Degrees centigrade
Operating Humidity: 10 to 85% RH (non-condensing)
Non-Operating Temperature: -40 to 65 Degrees Centigrade
Non-Operating Humidity: 5 to 95% RH (non-condensing)
Power Dissipation (Operating Mode: Power in Watts)
Start-up (Peak): 23.9 W
Maximum Seeking: 11.6 W
Read/Write on Tracks: 7.1 W
Idle: 6.5 W
Standby: 1.0 W
Sleep: 1.0 W
Fig1: A diagram of the Maxtor D740X-6L 20GB AT hard drive
Fig2: A diagram showing the drive power and interface connector of the hard drive.
Fig3: Shows the jumper locations on the hard drive
The Maxtor D740X-6L 20GB AT hard disk has three jumper locations, which are used to configure master or slave operation.
Fig4: Picture of the Maxtor D740X-6L 20GB AT hard disk
GANTT CHART
FIG1: Gantt chart showing how I intend to implement my task
WORK BREAKDOWN STRUCTURE
COMPUTER FORENSICS
To investigate the current and future state of computer forensics
To identify and explain various tools and technology employed in computer forensics and ways of recovering and analysing data to produce indisputable evidence
Applying computer forensic skills in the recovering of lost data
Current state of computer forensics
Explaining the tools and technology employed in computer forensics
Ways to recover and analyse data to produce indisputable evidence
Examining a recovered hard disk for lost data.
Using necessary tools and technology to extract lost data.
Analyse recovered data.
Production of report that can be allowed in legal proceedings.
Future of computer forensics
Technology employed in computer forensic
Ways to recover lost data
Ways of analysing data to produce indisputable evidence
Tools available in the market and Specialist tools
INDICATIVE FINAL YEAR PROJECT
Acknowledgement
Abstract
Introduction
Literature review
Current state and future direction of computer Forensics
Software deployed in Computer Forensics
Case study/Scenario
How to capture and analyse data
Production of Report
Conclusion
Recommendation
Bibliography
Appendix
REFERENCE AND BIBLIOGRAPHY
BOOKS
Federal Bureau of Investigation (2003) 2003 Computer Crime and Security Survey. J. Edgar Hoover Building, 935 Pennsylvania Ave. NW, Washington, D.C. 20535-0001.
Vacca, J.R. (2005) Computer Forensics: Computer Crime Scene Investigation. 2nd Ed. Charles River Media, Massachusetts (USA).
Casey, E. (2002) Handbook of Computer Crime Investigation: Forensic Tools and Technology. 1st Ed. Academic Press, Amsterdam (Netherlands).
Casey, E. (2004) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 2nd Ed. Academic Press, California (USA).
Sammes, T., Sammes, A.J and Jenkinson, B (2000) Forensic Computing: A