Chapter Eight
Forensic Terminology and Criminal Investigation
Computer Forensics and Cyber Crime
Britz
PRENTICE HALL
©2004 Pearson Education, Inc.
Who Benefits from Forensic Computer Science
• prosecutors – a variety of crimes where incriminating documents can be found, ranging from homicide to financial fraud to child pornography
• civil litigators – personal and business records which relate to fraud, divorce, discrimination, and harassment
• insurance companies – mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman’s comp cases
• corporations – ascertain evidence relating to sexual harassment, embezzlement, theft, or misappropriation of trade secrets and other internal/confidential information
• law enforcement officials – for pre-search warrant preparations and post-seizure handling of computer equipment
• individuals – support of claims of wrongful termination, sexual harassment, or age discrimination
Why LE investigations require it
• Protects and maintains the integrity of potential evidence by:
– maintaining a chain of custody
– ensuring that viruses are not introduced
– ensuring that evidence or potential evidence remains in an unaltered state (i.e., not destroyed, damaged, or otherwise manipulated during the investigative process)
– enabling the creation of forensically sound images for data analysis
– preventing allegations of corruption or misconduct
– enabling the discovery of all relevant files on suspect systems, including overt, hidden, password-protected, slack, swap, encrypted, and some deleted files
– enhancing the likelihood of timely processing (necessary to protect departments from civil litigation claiming unreasonable interruption of business operations)
– more specifically, establishing procedures for the recovery, preservation, and analysis of digital evidence
Traditional problems in computer investigations
• Inadequate resources
• Lack of communication and cooperation among agencies
• Over-reliance on automated programs and self-proclaimed experts
• Lack of reporting
• Corruption of evidence
• Encryption
Inadequate Resources
• The least equipped agencies are the least able to secure external funding for necessary equipment or training.
• Even those agencies currently favored by funding entities struggle to justify the exponential costs associated with computer forensics.
• Software and training such as that offered by NTI (New Technologies, Inc.) and Litton/TASC may cost as much as $2000/person.
• Individualized licensing requires departments to send multiple attendees.
• Federal programs, like those offered at the FBI and FLETC, are also disproportionately attended by large, better funded agencies.
• The National White Collar Crime Center is a step in the right direction.
Lack of Communication
• Traditionally, communication and cooperation between law enforcement agencies have been strained due to competing interests (funding, etc.).
• Individual practitioners, however, have developed professional organizations such as HTCIA, which have encouraged collaboration.
Over-reliance on automated programs & self-proclaimed experts
• Familiarity with and reliance on automated programs may result in a situation where investigators know just enough to make them potentially hazardous to the very investigation to which they are dedicated.
Lack of Reporting
• Many businesses and individual citizens do not perceive the police as technologically advanced.
• They often wish to contain the problem internally.
• They believe that they may conduct their own investigation, and then turn it over to the police.
• They fear losing consumer confidence.
Corruption of Evidence
• Many “departmental computer experts” have destroyed cases due to their lack of knowledge of disk structure.
• Corporations or private entities which initiate investigations often fail to appreciate the legal complexities of evidence preservation and custodial documentation.
Three Cardinal Rules of Computer Investigations
• Always work from an image – leaving the original intact.
• Document, Document, Document
• Maintain chain of custody
Computer forensic science and disk structure
• Investigators must be aware of both the physical and logical structure, disk management, and memory storage.
Simple Terms
• Computer – a device capable of storing, transmitting or manipulating data through mathematical and logical processes or operations
• Static memory – that area on hard and/or floppy disks in which data and programs are stored
• Volatile memory – that area of a computer which holds information during processing and is erased when power is shut down
• Semi-permanent storage – that area of a disk that is not dependent upon a power source for its continued maintenance, and which may be changed under the appropriate operating conditions (i.e., storage devices, floppy and fixed disks, magnetic tapes, etc.). This is where the majority of the work and storage is conducted, and where the most processed data is stored. Thus, it is extremely important in computer forensics.
• Computer storage – the holding of data in an electromagnetic form for access by a computer processor
• Primary storage – data in RAM and other built-in devices
• Secondary storage – data on hard disk, tapes, and other external devices
• Floppy disks or diskettes – single circular disks with concentric tracks which are turned by spindles under one or more heads
• CD-ROMs – have a single track, spiraling from the disk edge towards the center, which may only be written to once (CDs write data from the center out, and music from the outside in), while CD-RWs act as traditional disk drives which may be written to more than once
• Hard/fixed disks – one or more disks comprised of one or more heads which are often fixed inside a sealed enclosure (may have more than two sides if the disk consists of more than one platter)
Disk Structure
• Physically, a drive is usually composed of a number of rotating platters. Each platter is divided concentrically into tracks. In turn, tracks are divided into sectors, which are further divided into bytes. Finally, read/write heads are contained on either side of the platters.
• Head – Each platter has one head per side. These heads are very close to the surface of the platter, and allow reading of, and writing to, the platter. Heads are numbered sequentially from zero.
• Tracks – the concentric bands dividing each platter. Tracks are numbered sequentially beginning with zero.
• Cylinder – the set of tracks located in the same position on every platter, i.e., under the same head position. Unlike physical disk units, cylinders are intangible units. Simply put, they are a cross-section of a disk. (Imagine using a hole puncher on a perfectly positioned stack of paper. The resulting hole would be a visible representation of a cylinder.) On a double-sided floppy, each cylinder consists of two tracks, one per side. The same track position is found on all stacked platters: a cylinder is the set of corresponding tracks on a magnetic disk that lie the same distance from the disk’s edge. Taken together, these tracks form a cylindrical shape. For a hard drive, a cylinder usually includes several tracks on each side of each disk platter.
Data Storage
• On all DOS machines, certain structural rules exist in which physical drives are loaded first, logical drives second, and drivers third.
• Physical drives – devices and data at the electronic or machine level
• Logical drives – (most important in computer forensics) allocated parts of a physical drive that are designated and managed as independent units
• Binary digits or bits – based on the principle of two states, bits may be likened to on/off switches. Collections of bits are interpreted by the computer and transformed into a format for non-mechanical, human consumption.
• ASCII – American Standard Code for Information Interchange – the most common set of associations between particular binary patterns and characters (ensures compatibility between systems and system components)
• This code defines characters for the first 128 binary values (i.e., 0 to 127).
• The first 32 of these are used as non-printing control characters, which were designed to control data communications equipment and computer printers and displays.
• Extended ASCII code – provides particular character symbols for binary values 128 through 255
Data Interpretation
• Binary system – interpretative rules are associated with a base of 2, with integers represented by 0’s and 1’s. The range of whole numbers that can be represented by a single byte is 0 to 255. Thus, it is often necessary to use 2 bytes to represent whole numbers, and four bytes where greater levels of precision are required.
• Hexadecimal system – interpretative rules are associated with a base of 16, with digits ranging from 0 to 9 and A to F. Very useful for investigators, as some programs reuse memory blocks without modification.
Fixed units of storage
• Sectors – smallest physical storage unit on a disk – an arc-shaped portion of one of the disk tracks (magnetic disks formatted for U.S. versions of Windows contain a standard 512 bytes)
– Sectors start with 1, and are numbered sequentially on a track.
• Clusters (File Allocation Units) – comprised of one or more adjacent sectors, and represent the basic allocation units of magnetic disk storage
– Although size varies with disk size, clusters represent the minimum space allocated to an individual file in DOS.
– Clusters make it easier for operating systems to manage files.
• Files – composed of one or more clusters – the smallest unit that distinguishes one set of data from another
Logical vs. Physical
• Logical file size – the exact size of a file in bytes
• Physical file size – the actual amount of space that the file occupies on a disk
• File slack – information found within that portion of unused space between the logical end of a file and the physical end of a cluster
– may be likened to a table in a restaurant at which a couple is seated at a table for four. Although the extra two chairs are empty, they constructively belong to those individuals until they have finished their meal.
– Extremely important for forensics, as the slack may contain the remnants of old files or other evidence, including passwords, old directory structures, or miscellaneous information stored in memory
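Added example, not from the Britz slides: the arithmetic behind the two slides above (sectors and clusters, then logical versus physical size and file slack), plus a toy cluster-addressed "disk" that shows how slack comes to hold the remnants of an earlier file. `ToyDisk` is a constructed stand-in for a disk image with no real on-disk format and no allocation table; the 512-byte sector size is the one the slides give.

```python
# Added example (not from the Britz slides): cluster rounding, slack size, and slack contents.
import math

SECTOR_SIZE = 512  # sector size the slides give for Windows-formatted magnetic disks


def physical_size(logical_size: int, sectors_per_cluster: int, sector_size: int = SECTOR_SIZE) -> int:
    """Space a file actually occupies: whole clusters, rounded up (an empty file takes none)."""
    cluster_size = sectors_per_cluster * sector_size
    return math.ceil(logical_size / cluster_size) * cluster_size


def file_slack(logical_size: int, sectors_per_cluster: int, sector_size: int = SECTOR_SIZE) -> int:
    """Bytes between the logical end of the file and the physical end of its last cluster."""
    return physical_size(logical_size, sectors_per_cluster, sector_size) - logical_size


class ToyDisk:
    """A cluster-addressed byte array standing in for a disk image (constructed for this
    example; it is not a real on-disk format and has no file allocation table)."""

    def __init__(self, clusters: int, sectors_per_cluster: int, sector_size: int = SECTOR_SIZE):
        self.cluster_size = sectors_per_cluster * sector_size
        self.image = bytearray(clusters * self.cluster_size)

    def write_file(self, first_cluster: int, content: bytes) -> int:
        """Write content into consecutive clusters starting at first_cluster. Only the
        logical bytes are written; whatever was in the rest of the last cluster stays.
        Returns the number of clusters the file now occupies."""
        start = first_cluster * self.cluster_size
        self.image[start:start + len(content)] = content
        return math.ceil(len(content) / self.cluster_size)

    def slack_of(self, first_cluster: int, logical_size: int) -> bytes:
        """Carve the file slack of a file that starts at first_cluster."""
        start = first_cluster * self.cluster_size
        end = start + math.ceil(logical_size / self.cluster_size) * self.cluster_size
        return bytes(self.image[start + logical_size:end])


def slack_demo() -> bytes:
    """An old file fills cluster 2; it is 'deleted' (nothing is overwritten), then a short
    new file reuses the cluster. The new file's slack still carries the old contents."""
    disk = ToyDisk(clusters=8, sectors_per_cluster=4)            # 2048-byte clusters
    old = (b"OLD DRAFT MEMO (constructed) " * 100)[:disk.cluster_size]
    disk.write_file(2, old)                                        # fills cluster 2 exactly
    new = b"new note\n" * 11                                       # 99 logical bytes
    disk.write_file(2, new)                                        # reuses cluster 2
    return disk.slack_of(2, len(new))                              # 1949 bytes of slack


if __name__ == "__main__":
    print("physical size of a 99-byte file in 2048-byte clusters:", physical_size(99, 4))
    print("slack bytes:", file_slack(99, 4))
    print("slack begins with:", slack_demo()[:40])
```

Reading the slack back is the defensive lesson of the slide: a tool that copies files by their logical size never sees those bytes, which is one reason the cardinal rule is to image the whole drive rather than copy files.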
Partitioning
• Partition – portion of a fixed disk that the operating system identifies as a single unit (maximum of four)
• Windows NT and other operating systems may treat multiple partitions on different physical disk drives as a single disk volume.
• Every bootable hard disk includes one disk partition for the OS.
• “Extended partitions” may be subdivided into a maximum of 23 additional logical disks.
• Remember: the partition of the boot drive where the operating system resides must be bootable.
• FDISK, a Microsoft product, enables the user to partition a hard drive. Partitioning creates a master boot record and partition table for the hard disk.
Partitions cont’d
• The FAT – partition table describes every logical volume on a disk.
• It also identifies corresponding locations, indicates which partition is bootable, and contains the Master Boot Record.
• Extremely important in forensic investigations – enables users to hide entire partitions. Investigators unaware of this fact may be confused to see that the logical drive size is contrary to identified characteristics.
• Partition data is stored at physical: cylinder = 0; head = 0; sector = 1.
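Added example, not from the Britz slides: a parser for the partition table that lives in the sector at cylinder 0, head 0, sector 1 (the master boot record). It decodes the four 16-byte entries (boot flag, type, CHS and LBA start, sector count), converts CHS addresses to logical block addresses, and lists sector ranges that no entry covers, which is the check an investigator runs when the logical drive sizes do not add up to the physical disk. The MBR and the 16-head/63-sector geometry are constructed for the example; real geometry comes from the drive.

```python
# Added example (not from the Britz slides): parse an MBR partition table and find
# sector ranges that no partition entry accounts for.
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xAA"        # last two bytes of a valid boot sector

# Assumed geometry for the CHS arithmetic (constructed; a real drive reports its own).
HEADS = 16
SECTORS_PER_TRACK = 63


def chs_to_lba(cylinder, head, sector, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Cylinder/head/sector -> logical block address. Sectors count from 1, heads and cylinders from 0."""
    return (cylinder * heads + head) * spt + (sector - 1)


def lba_to_chs(lba, heads=HEADS, spt=SECTORS_PER_TRACK):
    cylinder, rem = divmod(lba, heads * spt)
    head, sector0 = divmod(rem, spt)
    return cylinder, head, sector0 + 1


def encode_chs(c, h, s):
    """Pack CHS into the 3-byte entry form: head, 6-bit sector + top 2 cylinder bits, low cylinder byte."""
    if c > 1023:  # the field holds 10 bits; real tools store a maximum value instead
        raise ValueError("cylinder does not fit the 10-bit CHS field")
    return bytes([h, (((c >> 8) & 0x03) << 6) | (s & 0x3F), c & 0xFF])


def decode_chs(raw):
    h, sect_byte, cyl_low = raw
    return ((sect_byte & 0xC0) << 2) | cyl_low, h, sect_byte & 0x3F


def build_entry(bootable, ptype, lba_start, count):
    start = encode_chs(*lba_to_chs(lba_start))
    end = encode_chs(*lba_to_chs(lba_start + count - 1))
    return (bytes([0x80 if bootable else 0x00]) + start + bytes([ptype]) + end
            + struct.pack("<II", lba_start, count))


def build_sample_mbr():
    """Constructed boot sector: a bootable NTFS-type (0x07) partition, then a FAT16-type
    (0x06) partition that starts well after the first ends, leaving unallocated sectors."""
    table = (build_entry(True, 0x07, 63, 204800)
             + build_entry(False, 0x06, 409600, 204800)
             + bytes(32))                       # two empty slots
    return bytes(PARTITION_TABLE_OFFSET) + table + SIGNATURE


def parse_mbr(sector):
    if len(sector) != MBR_SIZE:
        raise ValueError("expected one 512-byte sector")
    parts = []
    for i in range(4):
        e = sector[PARTITION_TABLE_OFFSET + 16 * i: PARTITION_TABLE_OFFSET + 16 * (i + 1)]
        if e[4] == 0:
            continue                            # empty slot
        lba_start, count = struct.unpack("<II", e[8:16])
        parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                      "chs_start": decode_chs(e[1:4]), "chs_end": decode_chs(e[5:8]),
                      "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE, "partitions": parts}


def find_gaps(partitions, disk_sectors):
    """(start, length) of sector ranges no entry covers: the usual gap after the MBR,
    anything between partitions, and anything after the last one."""
    gaps, next_free = [], 1                     # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > next_free:
            gaps.append((next_free, p["lba_start"] - next_free))
        next_free = max(next_free, p["lba_start"] + p["sectors"])
    if disk_sectors > next_free:
        gaps.append((next_free, disk_sectors - next_free))
    return gaps


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print(p)
    print("uncovered ranges on a 1,024,000-sector disk:", find_gaps(info["partitions"], 1024000))
```

The gap list is the point: a table entry can be removed or shrunk without touching the data it used to describe, so any uncovered range larger than the customary post-MBR gap is a region to image and examine, not to ignore.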
Data Location
• File Allocation Table (FAT) – system used to identify and locate files on a disk
– The 12-, 16-, and 32-bit designations used by DOS indicate how many bits the FAT uses to identify where on the disk (the appropriate cluster numbers) a file resides.
• Every number contained within the FAT identifies a particular cluster.
• Information contained therein identifies:
– if the cluster is “bad” or available;
– if the end of a file is contained within;
– the next cluster attached to a file.
• FAT32 was created to manage space more efficiently by utilizing smaller cluster sizes.
• NTFS – emerging in popularity – is the most efficient way to manage data
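Added example, not from the Britz slides: walking a FAT16 cluster chain. Each 16-bit entry is classified the way the slide lists (free, bad, end of file, or the number of the next cluster; the reserved ranges are handled too), and the walker stops on the conditions a corrupted table produces: a chain that runs into a bad or free cluster, an out-of-range cluster number, or a loop. The table bytes are constructed for the example.

```python
# Added example (not from the Britz slides): classify FAT16 entries and follow a file's chain.

FREE, RESERVED, USED, BAD, END = "free", "reserved", "next", "bad", "end-of-file"


def classify_entry(value: int) -> str:
    """Meaning of one 16-bit FAT16 entry."""
    if value == 0x0000:
        return FREE
    if value == 0x0001 or 0xFFF0 <= value <= 0xFFF6:
        return RESERVED
    if value == 0xFFF7:
        return BAD
    if value >= 0xFFF8:
        return END
    return USED       # 0x0002..0xFFEF: number of the next cluster in the file


def read_entry(fat: bytes, cluster: int) -> int:
    """Entry for one cluster; FAT16 entries are 2-byte little-endian values."""
    off = cluster * 2
    if off + 2 > len(fat):
        raise IndexError(f"cluster {cluster} is outside the FAT")
    return int.from_bytes(fat[off:off + 2], "little")


def follow_chain(fat: bytes, first_cluster: int) -> tuple:
    """Walk the cluster chain of a file. Returns (clusters, status); status is
    'end-of-file' for a clean chain, otherwise the reason the walk stopped."""
    chain, seen, current = [], set(), first_cluster
    while True:
        if current < 2 or current * 2 + 2 > len(fat):   # entries 0 and 1 are reserved
            return chain, "invalid"
        if current in seen:
            return chain, "loop"
        seen.add(current)
        chain.append(current)
        kind = classify_entry(read_entry(fat, current))
        if kind != USED:
            return chain, kind
        current = read_entry(fat, current)


def free_clusters(fat: bytes) -> int:
    """Count of data clusters (2 onward) marked free."""
    return sum(1 for c in range(2, len(fat) // 2) if classify_entry(read_entry(fat, c)) == FREE)


# Constructed FAT16 region: cluster 2->3->4->EOF (file A), 5 free, 6->7->EOF (file B),
# 8 marked bad, 9<->10 form a loop (corrupt table), 11 free.
SAMPLE_ENTRIES = [0xFFF8, 0xFFFF, 0x0003, 0x0004, 0xFFFF, 0x0000,
                  0x0007, 0xFFFF, 0xFFF7, 0x000A, 0x0009, 0x0000]
SAMPLE_FAT = b"".join(v.to_bytes(2, "little") for v in SAMPLE_ENTRIES)


if __name__ == "__main__":
    for start in (2, 6, 8, 9):
        print(start, "->", follow_chain(SAMPLE_FAT, start))
    print("free clusters:", free_clusters(SAMPLE_FAT))
```

Multiplying the length of a clean chain by the cluster size gives the physical file size from the slide before; the directory entry, not the FAT, carries the logical size.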
Data Management
• Boot sector – located at the very first sector of the physical disk, or absolute sector 0
– Contains code that enables the computer to find the partition table and the operating system
• BIOS (Basic Input Output System) – a number of machine code routines stored in ROM that include a variety of commands, including those necessary for reading physical disks by sector, which are executed upon system booting
• Bootstrap loader – the first command executed upon system booting
Data Integrity
• CRC (Cyclical Redundancy Checksum) – used to identify files by a computer-generated (i.e., calculated) value
• MD5 Hash – a 128-bit verification tool developed by RSA which acts as the equivalent of digital DNA.
– The odds that 2 different files have the same value are 1 in 2^128.
– Brian Deering, NDIC, analogizes the chance of randomly generated matching hash values to hitting the Pennsylvania Lottery Super 6 – 5.582 x 10^41 (or 558,205 billion, billion, billion, billion) times before this will occur. http://theory.lcs.mit.edu/~rivest/RivestMD5.txt
• Hashkeeper – program which maintains the hash values of a variety of known files – reduces the amount of information needing to be processed
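Added example, not from the Britz slides: the integrity checks this slide and the "always work from an image" rule describe, using Python's standard `hashlib` and `zlib`. It fingerprints data with CRC32, MD5 and SHA-256, verifies that an image matches its original, shows that a single flipped bit changes the result, and filters a set of files against a constructed known-file hash set in the spirit of Hashkeeper. SHA-256 is included because MD5 collisions have been practical for years, so an MD5 alone no longer proves two files are identical; the file contents and the known-hash set here are constructed.

```python
# Added example (not from the Britz slides): image verification and known-file filtering.
import hashlib
import zlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def fingerprint(data: bytes) -> dict:
    """All three values; record them together at acquisition time."""
    return {"crc32": crc32_hex(data), "md5": md5_hex(data), "sha256": sha256_hex(data)}


def verify_image(original: bytes, image: bytes) -> bool:
    """An image is forensically sound only if every recorded value matches the original."""
    return fingerprint(original) == fingerprint(image)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Corrupt a copy by one bit, to show how sensitive the hashes are."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed known-file set: hashes of files we already know and need not examine.
KNOWN_GOOD = {
    md5_hex(b"constructed: unmodified OS component #1"),
    md5_hex(b"constructed: unmodified OS component #2"),
}


def triage(files: dict, known_hashes: set) -> list:
    """Names of files whose MD5 is not in the known set, i.e. what still needs review."""
    return sorted(name for name, data in files.items() if md5_hex(data) not in known_hashes)


if __name__ == "__main__":
    original = b"constructed drive contents " * 100
    image = bytes(original)                      # a bit-for-bit copy
    print("image verifies:", verify_image(original, image))
    print("after one flipped bit:", verify_image(original, flip_one_bit(image, 4321)))
    sample_files = {
        "kernel32.bin": b"constructed: unmodified OS component #1",
        "user-notes.txt": b"constructed: something the examiner has not seen before",
    }
    print("needs review:", triage(sample_files, KNOWN_GOOD))
```

Record the fingerprints of the original before imaging, re-run them on the image, and note both in the chain-of-custody log; the comparison is what later lets an examiner show the evidence was not altered.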
Conclusions
• Computer crime is the wave of the future.
• Administrators must establish forensic computer science capabilities, evaluating the feasibility of partnering LE personnel with civilian experts and relying on the cooperation of corporate entities.
• Proper training must begin with a basic understanding of computer structure and data management.