Computer forensics
|
|
Computer forensics is the process of investigating data processing equipment-- typically a home computer, laptop, server, or office workstation-- to determine if the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose. Computer forensics experts must:
- Identify suspects and sources of evidence
- Preserve the digital evidence
- Analyze the evidence
- Present the findings
They must do so in a fashion that adheres to the standards of evidence that is admissible in a court of law.
| Contents |
Understand the suspects
It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that you appear to the equipment to be as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which provably prohibits the machine modifying the drives, or in exactly the same way they would.
If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action happens. It is straightforward to link this to the Microsoft Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either-- information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in RAM, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.
Electronic Evidence Considerations
Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect’s files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps There are a handful of cardinal rules that are used when to ensure that the evidence is not destroyed or compromised:
- Handle the original evidence as little as possible
- Establish and maintain the chain of custody
- Document everything done
- Never exceed personal knowledge
If such steps are not followed the original data may be ruined or become suspect, and so any results generated will not hold up in a court of law. Other things to take into consideration are
- The time that business operations are inconvenienced
- How sensitive information which is unintentionally discovered will be handled
Secure the machine and the data
Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made.
To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:
Examine the machine's surroundings
XD_Picture_Card_with_penny.jpg
IBM_microdrive.jpg
Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as keydrives, MP3 players or security tokens. In some cases, these can be worn as jewelry. See Category:Solid-state computer storage media
Record open applications
If the machine is still active, any intelligence which can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it will be lost. For most practical purposes, it is not possible to completely scan contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it) and removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.
Modern RAM cannot be analyzed for prior content after erasure and power loss with any real probability of success.
Power down carefully
If the computer is running when seized, it should be powered down in a way that is least damaging to data currently in memory and that which is on the hard disk. The method that should be used is dependent on the operating system that the computer is running. The recommended methods of shutting down is shown in the following table:-
| DOS | Pull the plug |
| Windows 3.1 | Pull the plug |
| Windows 95 | Pull the plug |
| Windows 98 | Pull the plug |
| Windows NT | Pull the plug |
| Windows NT Server | Shut down |
| Windows 2000 | Pull the plug |
| Windows 2000 Server | Shut down |
| Windows XP | Pull the plug |
| Windows 2003 | Shut down |
| Linux | Shut down |
| Unix | Shut down |
| Macintosh | Pull the plug |
If the operating system cannot be determined, pulling the plug will suffice.
When pulling the plug make sure that you pull the lead out from the computer unit itself. This is because if the computer has an uninterruptible power supply connected and the power to this is turned off, the power to the computer will remain powered.
Shutting the computer down by the correct method is critical if certain data is normally stored only in memory, to be committed back to disk when the machine is powered off.
Shutting down computer which do not normally store data in memory (such as Windows XP) by the usual method will result in possible changes to the data on the hard drive. This is to be avoided at all cost, especially if there is no benefit in shutting down the computer in this way. For this reason it is recommended that the plug is pulled on these computer.
Inspect for traps
Inspect the chassis for traps, intrusion detection mechanisms, and self-destruct mechanisms. It takes a lot to destroy a hard drive to the point where no data at all can be recovered off of it-- but it doesn't take much to make recovery very, very difficult. Find a hole in the chassis you can use for inspection (cooling fans are a good bet), or pick a safe spot in the chassis to drill one, and use an illuminated fiberscope to inspect the inside of the machine. Look specifically for large capacitors or batteries, nonstandard wiring around drives, and possible incendiary or explosive devices. PC hardware is fairly standardized these days, and you should treat anything you don't recognize as cause for concern until proven otherwise. Look for wires attached to the chassis-- PCs aren't normally grounded this way, so those are cause for concern.
You should specifically look for a wire running from anything to the CMOS battery or "CMOS clear" jumper. CMOS memory can be used to store data on the motherboard itself, and if power is removed from it, the contents will be lost. You must avoid causing CMOS memory to lose power. Encryption keys, etc., may be stored here.
Once you have determined that the case is safe to open, proceed to remove the cover.
Fully document hardware configuration
Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.
Duplicate the hard drives
Using a standalone hard-drive duplicator or similar device, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the hard drive which can physically store data, rather than duplicating the filesystem. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.
Use some kind of hardware write protection to insure your Forensic PC cannot write to the original drive. Even if operating systems like Linux can be configured to prevent this, a HW write blocker is the best practice. The process is often called Imaging. You can image to a new HD, a tape or a file. Taped is the preferred format, since it is less vulnerable for damage and can be stored for a longer time. There are two goals when making an image:
- Completeness (imaging all of the information)
- Accuracy (copying it all correctly)
The imaging process is verified by using a MD5 message digest algorithm or higher (SHA1, etc.). To make a forensic sound image, you need to make two reads that results in the same MD5. Generally, a drive should be hashed in at least two algorithms to help ensure its authenticity from modification in the event one of the algorithms is cracked. This can be accomplished by first imaging to one tape labeled as the Master and then make an image labeled Working. If onsite and time is critical, the second read can be made to Null. This method applies to images made to HD's and files as well. The software used must support this and also how to manage bad blocks.
E-Mail Review
E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. An e-mail may exist in a variety of places, so all is not lost if the culprit simply deletes the e-mail; examples of such places are:
- On the hard-drives of the sender and recipients
- In a network drive
- In a mailbox
Sorting Through the Masses
While theoretically possible to review all e-mails, the sheer volume that may be subject to review may be a daunting task; large-scale e-mail reviews cannot look at each and every e-mail due to the sheer impracticality and cost. Forensics experts use review tools to make copies of and search though e-mails and their attachments looking for incriminating evidence using keyword searches. Some programs have been advanced to the point that they can recognize general threads in e-mails by looking at word groupings on either side of the search word in question. Thanks to this technology vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand.
See also
- Data Analysis
- cryptanalysis
- data recovery
- data remanence
- encryption
- steganography
- steganalysis
- MAC times
- IT audit resources
- Information technology audit
External links
- Computer Forensics World (http://www.computerforensicsworld.com) Community of computer forensic professionals
- Windows Forensics: Have I been Hacked? (http://www.bleepingcomputer.com/forums/tutorial24.html)
- Computer Forensics Wiki (http://computer-forensics.safemode.org)
- Computer Forensics research, tools and presentations (http://www.forensics.nl/)
- Forensic Invesitagion: Who needs forensics? (http://www.ecodatarecovery.com/forensic.html)
Other Sources of Reading
- An Explanation of Computer Forensics (http://www.computerforensics.net/forensics.htm)
- Digital Data Acquisition Tool Specification (http://www.cftt.nist.gov/Pub-Draft-1-DDA-Require.pdf)
- Forensics: Electronic Trail of Evidence (http://www.nhscpa.org/May2002News/forensics.htm)
- Computer Forensics Emerges... (http://www.isaca.org/Content/ContentGroups/Member_Content/Journal1/20023/Computer_Forensics_Emerges_as_an_Integral_Component_of_an_Enterprise_Information_Assurance_Program.htm)