Page 1: INFORMATION SECURITY [1st International Conference on Management of Technology and Information Security (ICMIS-2010)]

INFORMATION SECURITY

[1st International Conference on Management of Technology and Information Security (ICMIS-2010)]

Page 2

An Examination into Computer Forensic Tools

Lokendra Kumar Tiwari
Department of Electronics & Comm., Alld. Univ.

& Arun Kumar Singh
Department of CSED, MNNIT Allahabad

Page 3

Outline….

• Computer Forensics
• Forensic Expert
• Goals of Computer Forensics
• Forensics Procedure
• Key Principle of Forensics
• Problems
• Forensic Tools
• Demonstration of Tools

Page 4

COMPUTER FORENSICS

Forensics is not by itself a science (‘‘forensic: of, used in, courts of law’’— Concise Oxford Dictionary).

Page 5

Forensics?

Forensic means to apply a discipline, any discipline, to the law. It is the job of forensics to inform the court.

So, you can be a computer scientist, and if you apply computer science to inform the court, you are a forensic computer scientist.

Page 6

Contd…

• A key skill in forensic computer science lies in the challenge of ‘‘informing the court’’.

• This requires specialized expertise and training in a range of computing and non-computing skills—legal knowledge, evidence management, data storage and retrieval, and not least, courtroom presentation.

Page 7

Forensic Expert: The forensic expert is a person who has knowledge of

• Provisions of the Indian Evidence Act,
• Code of Criminal Procedure,
• Indian Penal Code,
• Constitution of India and constitutions of other countries,
• and also other related statutes.

The forensic expert has to assist the court, hence he must also have knowledge of a technology (say, computer science).

Page 8

The primary goals of the computer forensic analysis process are:

• To help participants determine what undesirable events occurred, if any.
• To gather, process, store, and preserve evidence to support the prosecution of the culprit(s), if desired.
• To use that knowledge to prevent future occurrences (detection & prevention).

Page 9

Forensics Procedure

• Identification
• Collection & Preservation (chain of custody)
• Analysis
• Production
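The Collection & Preservation step rests on being able to prove later that both the evidence and its custody record are unchanged. The following Python is an added example (not from the presentation, nor from any of the tools it discusses) of that idea: the image is identified by its SHA-256 at acquisition, every custody event re-hashes it, and the log entries are hash-chained so that editing or dropping an entry is detectable. The image bytes, examiner names and timestamps are constructed sample values.

```python
import hashlib
import json

# Constructed stand-in for an acquired disk image (a real case would use the raw image bytes).
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"Subject: quarterly figures\r\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_event(record: dict, actor: str, action: str, image: bytes, when: str) -> bool:
    """Append one custody entry. The evidence is re-hashed on every event so a silent
    change shows up, and each entry carries the hash of the previous entry so the log
    itself is tamper-evident. Returns True if the evidence still matches acquisition."""
    observed = sha256_hex(image)
    prev = record["custody"][-1]["entry_hash"] if record["custody"] else ""
    entry = {"when": when, "actor": actor, "action": action,
             "observed_sha256": observed, "intact": observed == record["sha256"], "prev": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    record["custody"].append(entry)
    return entry["intact"]


def acquire(image: bytes, examiner: str, when: str) -> dict:
    """Collection time: fix the identity of the evidence (hash and size) and open the
    custody log with the acquisition as its first entry."""
    record = {"sha256": sha256_hex(image), "size": len(image), "custody": []}
    add_custody_event(record, examiner, "acquired", image, when)
    return record


def verify_chain(record: dict) -> bool:
    """Recompute the hash chain over the custody log; False if any entry was edited,
    reordered or dropped."""
    prev = ""
    for entry in record["custody"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    # Constructed timeline: acquisition, hand-over, then analysis on an altered copy.
    rec = acquire(SAMPLE_IMAGE, "examiner-1", "2010-01-11T09:00:00Z")
    add_custody_event(rec, "examiner-2", "handover", SAMPLE_IMAGE, "2010-01-11T10:00:00Z")
    altered = bytearray(SAMPLE_IMAGE)
    altered[0] ^= 0x01  # a single flipped bit is enough to break the match
    print("intact after alteration:", add_custody_event(rec, "examiner-2", "analysis", bytes(altered), "2010-01-11T11:00:00Z"))
    print("custody log chain valid:", verify_chain(rec))
```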

Page 10

Computer forensic analysis within the forensic tradition

Alphonse Bertillon [freezing the scene]: in 1879 he introduced a methodical way of documenting the scene by photographing, for example, bodies, items, footprints and bloodstains in situ with relative measurements of location, position, and size. Bertillon is thus the first known forensic photographer.

Bertillonage: a system of identifying individuals by over 200 separate body measurements, was in use until 1910 and was rendered obsolete only by the discovery that fingerprints were unique.

Page 11

Key Principle of Forensics

• Edmond Locard articulated one of forensic science’s key rules, known as Locard’s Exchange Principle.

• “The principle states that when two items or persons come into contact, there will be an exchange of physical traces. Something is brought, and something is taken away, so that suspects can be tied to a crime scene by detecting these traces”.

Page 12

Stakeholders:

• National security
• Customs & Excise
• Law enforcement agents
• Businesses (embezzlement, industrial espionage, stealing confidential information, and racial or sexual harassment).
• Corporate crime [according to reports, the accountants and auditors for Enron not only used e-mail to communicate but also subsequently deleted these e-mails]

Page 13

Problems in the Indian Context

• No standard for computer forensics has yet been developed.
• No guidelines for companies dealing with electronic data during disputes.
• No recognition of any of the forensic tools.
• Issues related to anti-forensics are not talked about.

Page 14

Overall Scenario

To date, computer forensics has been primarily driven by vendors and applied technologies, with very little consideration being given to establishing a sound theoretical foundation.

The national and international judiciary has already begun to question the ‘‘scientific’’ validity of many of the ad hoc procedures and methodologies and is demanding proof of some sort of theoretical foundation and scientific rigor.

Page 15

CONTD..

Commercial software tools are also a problem because software developers need to protect their code to prevent competitors from stealing their product.

However, since most of the code is not made public, it is very difficult for the developers to verify error rates of the software, and so reliability of performance is still questionable.

Page 16

CONTD..

The specialized tools used by a computer forensic expert are viewed as intolerably expensive by many corporations, and as a result many corporations simply choose not to invest any meaningful money in computer forensics. This trend amplifies cyber crime rates.

Open source software has also not been tested or verified for its effectiveness in serving the above purposes (open for research).

Page 17

Legal Aspects

The growing demand for security and certainty in cyber space leads to more stringent laws.

Violations of these laws (cyber laws) and their enforcement must be distinguished from classical criminal activities and criminal law enforcement.

The dynamics between these different forms of law violation and law enforcement are important and shall be addressed.

Page 18

Government Initiative

• Proposed amendment in the IT Act 2000: “70A. (1) The Indian Computer Emergency Response Team (CERT-In) shall serve as the national nodal agency in respect of Critical Information Infrastructure for coordinating all actions relating to information security practices, procedures, guidelines, incident prevention, response and report. (2) For the purposes of sub-section (1), the Director of the Indian Computer Emergency Response Team may call for information pertaining to cyber security from the service providers, intermediaries or any other person. …”
• National E-Governance Plan 2007.

Page 19

Computer Forensics is the need of the hour….

• Data Protection
• Privacy
• E-governance
• E-commerce

COMPUTER FORENSICS

Page 20

Computer Forensic Tools

Forensic Tool Kit (FTK):

FTK is developed by Access Data Corporation (USA); it enables law enforcement and corporate security professionals to perform complete and in-depth computer forensic analysis.

Main Window of FTK

Page 21

Contd…

ENCASE FORENSIC:

Encase Forensic developed by Guidance Software USA is the industry standard in computer forensic investigation technology. With an intuitive Graphical User Interface (GUI), superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single robust tool, capable of conducting large-scale and very complex investigations from beginning to end.

Main Window of Encase

Page 22

Contd..

Cyber Check Suite:

The IT Act 2000 is India's first attempt to combat cyber crime. To assist in the enforcement of the IT Act, the Department of Information Technology, Ministry of Communications and Information Technology, has set up a Technical Resource Centre for Cyber Forensics at C-DAC, Thiruvananthapuram.

Cyber Check is a forensic analysis tool developed by C-DAC Thiruvananthapuram.

Probe Window of Cyber Check Suite

Page 23

Comparison between Encase Version 6.0, FTK, and Cyber Check Suite.

Page 24

Conclusion

• EnCase Forensic is a very useful forensic solution, but it lacks the following important feature:

• In EnCase Forensic there is no password cracking/recovery facility, so if during the investigation process the examiner detects any password-protected files, he has to rely on third-party tools.

Page 25

Recovery of Deleted E-mail

Demonstration
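The demonstration slide itself carries no detail, so here is an added example (not the presenter's material, and not how FTK, EnCase or Cyber Check implement it) of the basic technique behind recovering a deleted e-mail: the file's directory entry is gone, but its bytes usually remain in unallocated space, so a carver scans the raw image for message headers and reads each message up to the next run of unused space, recording the byte offset for the examiner's report. The raw image, addresses and message contents below are constructed sample data, and the header and terminator patterns are simplifying assumptions.

```python
import re

# Constructed raw image: some allocated data, then a deleted message whose bytes still sit
# in unallocated space, padding, a second deleted message, and unwritten (0xFF) flash cells.
RAW_IMAGE = (
    b"\x00" * 32
    + b"ALLOCATED FILE DATA ........"
    + b"\x00" * 16
    + b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Quarterly figures\r\n"
    + b"Date: Mon, 11 Jan 2010 09:30:00 +0530\r\n\r\nPlease find the numbers attached.\r\n"
    + b"\x00" * 40
    + b"From: carol@example.com\r\nSubject: lunch\r\n\r\nNoon?\r\n"
    + b"\xff" * 8
)

# Assumed message signature: a "From:" header, further header lines, then a blank line.
MESSAGE_HEAD = re.compile(rb"From: [^\r\n]+\r?\n(?:[A-Za-z-]+: [^\r\n]*\r?\n)*\r?\n")
# Assumed end of a carved body: a run of NUL or 0xFF bytes (unused space) or end of image.
TERMINATOR = re.compile(rb"\x00{4,}|\xff{4,}")


def carve_emails(image: bytes) -> list:
    """Return every message-like region found anywhere in the image (allocated or not),
    with its byte offset so the examiner can document where the recovered data came from."""
    found = []
    for m in MESSAGE_HEAD.finditer(image):
        headers = {}
        for line in m.group(0).rstrip(b"\r\n").split(b"\n"):
            name, _, value = line.rstrip(b"\r").partition(b": ")
            headers[name.decode("ascii")] = value.decode("utf-8", "replace")
        term = TERMINATOR.search(image, m.end())
        body_end = term.start() if term else len(image)
        body = image[m.end():body_end].decode("utf-8", "replace").strip()
        found.append({"offset": m.start(), "headers": headers, "body": body})
    return found


if __name__ == "__main__":
    for msg in carve_emails(RAW_IMAGE):
        print(f"offset {msg['offset']}: {msg['headers']}\n  body: {msg['body']!r}")
```

A real carver would add further signatures (mailbox "From " separators, MIME boundaries) and validate recovered headers before reporting them.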


Page 27

THANKS