COMPUTER FORENSICS, Chapter 2: Understanding Data Recovery (INFORMATION SECURITY MANAGEMENT). Outline: File Systems and Disk Structure; Computer Forensics tools; Executing an Investigation.

COMPUTER FORENSICS
Chapter 2: Understanding Data Recovery
INFORMATION SECURITY MANAGEMENT
Outline
• File Systems and Disk Structure
• Computer Forensics tools
• Executing an Investigation
File Systems and Disk Structure
• File systems interact with the operating system so that the operating system can find files
requested from the hard disk. The file system keeps a table of contents of the files on the
disk. When a file is requested, the table of contents is searched to locate and access the file.
• The directory structure and method for organizing a partition is called a file system. The
different file systems reflect different operating system requirements.
• The same hard disk can have partitions with file systems belonging to DOS, NT, or LINUX.
When more than one file system type is installed on a hard drive, this is called a multi-boot
or dual-boot configuration.
• Most Hard Disks (HDDs) are designed for installation inside a computer, and for that reason
they were referred to as fixed disks. The most common form factors that have been used over
the past few decades are:
  • 5.25-inch: These were the first hard drives that were used on PCs, and they were commonly
installed in machines during the 1980s.
  • 3.5-inch: This is the common form factor used in modern PCs.
  • 2.5-inch: This is the common form factor used in laptop/notebook computers.
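Added example, not part of the chapter: a parser for the MBR partition table, showing how a disk is divided into partitions of different file system types (here a constructed dual-boot layout with a bootable NTFS partition beside a Linux one) and which sectors no partition claims. The function names, the sample layout and the type-name table are my own; the partition type bytes are the well-known MBR values.

```python
import struct

SECTOR = 512
# Well-known MBR partition type bytes (subset).
PARTITION_TYPES = {
    0x01: "FAT12", 0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x05: "Extended", 0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
    0xEE: "GPT protective",
}

def parse_mbr(sector):
    """Parse the four 16-byte entries of an MBR partition table (bytes 446-509)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + i * 16
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"slot": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
                      "lba_start": lba, "sectors": count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts

def unallocated_ranges(parts, total_sectors):
    """Sector ranges no partition claims (gap after the MBR, slack between and after
    partitions); an examiner images these too, since data can be hidden or left there."""
    ranges, cursor = [], 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            ranges.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - 1))
    return ranges

def build_mbr(entries):
    """Build a test MBR from (bootflag, type, lba_start, sectors) tuples (constructed)."""
    sector = bytearray(SECTOR)
    for i, (boot, ptype, lba, count) in enumerate(entries):
        sector[446 + i * 16:446 + (i + 1) * 16] = struct.pack(
            "<B3sB3sII", boot, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

# Constructed dual-boot layout: bootable NTFS, then a Linux partition (no real disk data).
SAMPLE_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])
```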
• Computer file system types can be classified into disk file systems, network file systems and
special purpose file systems.
• Disk file systems are designed to store information on a hard disk drive. FAT, NTFS and UDF
are all types of disk file systems.
• Network file systems act as a client for file access protocols on a server. FTP, WebDAV and
NFS are types of network file systems.
• Special purpose file systems are the miscellaneous systems that do not fit into the disk or
network file system categories.
• Special purpose systems are generally used in Unix-based systems. Flat file systems are one
of the most general ways to store data. Information is stored on the same level instead of
creating sub-levels of data.
• There are sub-categories of file systems as well. Database file systems, for example, identify
files by their type, author or other metadata.
• Transactional file systems log file operations so that a group of changes is applied all at once
or not at all; banks and financial institutions employ this type of file structure in their
computer systems to ensure the seamless transfer of money between two accounts and other
functions that require atomicity.
Computer Forensics tools
• Forensic tools typically feature the ability to acquire evidence from the hard disk.
• By imaging (duplicating) data, the information from a machine can be acquired and then
analyzed for any information that is applicable to the case.
• Computer forensic tools have been developed for different operating system platforms.
Some tools are open source and others are proprietary.
• Different tools exist for performing evidence acquisition from live systems and analyzing the
evidence. Some commonly used computer forensic tools are listed below:
• These computer forensic tools may be evaluated against different criteria such as the
completeness of the tool's functionality, the time taken by the tool to perform its function,
the ease of use and user friendliness of the tool, the cost of the tool, the acceptability of the
tool in court, and so on.
• The process of imaging a hard drive involves making a bit-by-bit copy of the drive to a raw
image file, also called the analysis drive.
• Imaging a suspect's hard drive is one of the most critical functions of the computer forensic
process. It is most important that no data be written to the suspect's hard drive during this
process. To ensure this, a software-based or hardware-based write-blocker is used.
• Write-blocker tools ensure that any write to the disk being imaged is blocked. It is also
essential that every bit copied to the analysis drive is exactly the same as that found on the
suspect's drive. Plenty of imaging tools have been developed for use in a forensic
examination.
• Forensic analysis procedures differ based on the type of media being analyzed, the file system
used, and so on.
• Some of the commonly used analysis tools are:
• DriveSpy is a DOS-based forensic tool developed by Digital Intelligence, Inc. DriveSpy is an
extended DOS forensic shell. DriveSpy provides an interface that is similar to the MS-DOS
command line, along with new and extended commands. The entire program is only 110KB
and easily fits on a DOS boot floppy disk. DriveSpy provides many of the functions necessary
to copy and examine drive contents. All activities are logged, optionally down to each
keystroke. If desired, logging can be disabled at will.
• The EnCase product line from Guidance Software is one of the most complete forensic
suites available. In addition to providing tools and a framework in which to manage a complete
case, EnCase includes a drive duplicator. The drive imager creates an exact copy of a
drive and validates the image automatically. It either creates complete images or splits drive
images to economize storage. EnCase can copy virtually any type of media, creating an
identical image for analysis. EnCase calls this static data support.
• Forensic toolkits generally provide a set of tools for performing many activities of a computer
forensic investigation. No single toolkit has been developed that encompasses all the forensic
activities that an investigation might require.
• The following two toolkits can be used to perform a variety of forensic activities:
  • TCT (The Coroner's Toolkit) is a collection of programs by Dan Farmer and Wietse Venema
for post-mortem analysis of a UNIX system. The software was first presented in a
Computer Forensics Analysis class in August 1999.
  • Forensic Toolkit, or FTK, is computer forensics software made by AccessData. It scans a
hard drive looking for various information. It can, for example, locate deleted emails and scan
a disk for text strings to use as a password dictionary to crack encryption.
Executing an Investigation
• Inevitably, and frequently without notice or sufficient preparation, police investigators find
themselves confronted with the challenges of high technology.
• When, in the course of a basic criminal investigation, an investigator comes across computer
equipment (hardware and software) that might contain important evidence, the question that
often surfaces is: what should the investigator do?
• High-technology evidence presents unique and challenging situations for the investigator. In
addition to ensuring that the necessary forensic examination and essential preservation of
computer evidence is done, the investigator needs specialized training and tools with which
to work.
• The use of advanced search programs, access to sophisticated computer equipment, a
working knowledge of evidence recovery methods, and a keen understanding of the types
of associated computer evidence are all key factors that help investigators find evidence in
computers.
• When investigators learn that a computer system is involved in some measurable way with
the offense, they need to elaborate on "how" the computer was used.
• For example, if the police have learned from knowledgeable and reliable sources that a
particular person uses a computer database and spreadsheet program to account for illicit
drug sales, then investigators need to include this information in their affidavits.
• In many cases, sophisticated drug dealers, money launderers, organized crime accountants
and others have effectively used coded/encrypted shipment, financial and customer data
files in the furtherance of their criminal activities.
• Forensic investigators are allowed to reasonably search in any place where these items
(data records) could be located. Investigators should justify their search of these devices
based upon specific training, knowledge and/or experience they have obtained, suggesting
that the described records can in fact be stored on computer systems.
• When writing the affidavit, investigators should be aware of the correct computer
terminology when describing the places to be searched and items to be seized.
• Examples of specific computer language can often be found in previous search warrants
and selected training materials. In order to help satisfy the particularity requirement,
investigators need to describe the particular computer system sought.
• When investigators do not know the exact description of the computer, but suspect or know
of its use, then using general descriptions and definitions of a computer system might be
adequate.
• The process of taking down a computer system depends largely upon the scope of the
search, according to the system's configuration (LAN, WAN networks, mainframes, servers,
PCs, etc.).
• If the subject of the warrant is operating on a network, then keep in mind that evidence may
be stored anywhere throughout that network.
• When conducting controlled searches, investigators should also look at network drives, the
network and local backup copies, including mirrored/redundant logical drives, the local disk
drives and various removable storage drives, disks and tapes. Investigators must also know
that many businesses store their backup information off-site, often with contracted third
party vendors.
• Prior to the execution of the search warrant, the investigator should get as much
information as possible on the type of computer system they are searching for and possibly
seizing. Police need to know that computer systems can comprise a number of hardware
components and software.
• When forensic investigators are dealing with smaller networks, desktop PCs and
workstations, an attempt to justify the taking of the whole system should be based on the
following criteria.
• When an entire organization is fully involved in an ongoing criminal scheme, with little
legitimate business (in non-essential services), and evidence of the crime is clearly present
throughout the network, an entire system seizure might be proper.
• In small-scale desktop situations, investigators must seize the whole system, after
requesting to do so in the affidavit. Investigators seizing whole systems should justify
it by wording their affidavits in such a way as to refer to the computer as a
"system", dependent on set configurations to preserve "best evidence" in a state of original
configuration. This may include peripherals, components, manuals, and software.
• Forensic investigators need to seek out critical information from persons present or having
direct knowledge of the computer system. The most important information that
investigators need is information about passwords/security devices on the system.
• Computer crime investigators recognize the vulnerability of electronic data and strongly
suggest that forensically acceptable image duplication software be used in investigations.
After the investigator makes a duplicate image of the seized media (hard drive, floppy,
removable drives, etc.) and restores this backup onto another system, the original evidence
should be secured away.
• The restored backup image (exact copy of the original) now becomes the location to search
for electronic evidence. Remember that a proper forensic image will copy each sector of the
original media, including unused areas and data that is hidden, partially erased or encrypted,
allowing the investigator to attempt restoration of data.
• A huge number of forensic tools exist that enable investigators to streamline and control
their search for evidence in storage devices.
• Investigators need to know that encrypted data and various compressed data formats will
not allow these types of searches until the data is uncompressed or decrypted.
• After the evidence is located, it needs to be understood and related to the case being
investigated. Computer investigators utilize specialized viewer and conversion programs
that can accommodate many file formats for quick viewing and printing of evidence.
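The imaging procedure described under Computer Forensics tools and the point above that a proper image copies every sector, as an added example that is not part of the chapter: a sector-by-sector acquisition that zero-fills an unreadable sector so every later sector keeps its offset, and returns a hash that is then checked against an independent re-hash of the image. FakeDevice, acquire, verify and the 8-sector SUSPECT drive are constructed stand-ins of my own, not a real block device or any named tool.

```python
import hashlib
import io
SECTOR_SIZE = 512

class FakeDevice:
    """Constructed stand-in for a raw block device; read() fails on the listed bad sectors."""
    def __init__(self, data, bad_sectors=()):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0
    def read(self, n):
        if self.pos // SECTOR_SIZE in self.bad:
            raise IOError("I/O error at sector %d" % (self.pos // SECTOR_SIZE))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk
    def seek(self, offset):
        self.pos = offset

def acquire(device, image, sector_size=SECTOR_SIZE):
    """Copy device into image sector by sector. An unreadable sector is zero-filled and
    skipped (the dd conv=noerror,sync behaviour) so every later sector keeps its original
    offset. Returns (sectors_written, bad_sector_list, sha256_hex_of_image)."""
    digest, bad, index = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = device.read(sector_size)
        except IOError:
            bad.append(index)
            chunk = b"\x00" * sector_size
            device.seek((index + 1) * sector_size)
        if not chunk:
            break
        chunk = chunk.ljust(sector_size, b"\x00")  # pad a short final sector
        image.write(chunk)
        digest.update(chunk)
        index += 1
    return index, bad, digest.hexdigest()

def verify(image_bytes):
    """Independent re-hash of the finished image; must equal the acquisition hash."""
    return hashlib.sha256(image_bytes).hexdigest()

# Constructed 8-sector "suspect drive": boot, 3 live-file sectors, 1 deleted-file remnant, 3 unused.
SUSPECT = (b"BOOT".ljust(SECTOR_SIZE, b"\x00") + b"live file".ljust(SECTOR_SIZE, b"A") * 3
           + b"deleted!".ljust(SECTOR_SIZE, b"\x00") + b"\x00" * SECTOR_SIZE * 3)

def acquire_sample(bad_sectors=()):
    """Image the constructed drive; returns (image_bytes, sectors, bad, sha256_hex)."""
    out = io.BytesIO()
    sectors, bad, digest = acquire(FakeDevice(SUSPECT, bad_sectors), out)
    return out.getvalue(), sectors, bad, digest
```

Note that the remnant in sector 4 and the three unused sectors are carried into the image unchanged, which is why the image rather than a file-level copy is what the examiner searches.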
Computer Forensics as a Profession
• Computer forensics is a focused, fast-growing and interesting field. As business enterprises
and organizations become more multifaceted and exchange more information online,
high-technology crimes are also increasing at a rapid rate. Due to this situation, many
companies and professionals are now offering computer forensic services.
• A computer forensics investigator is a combination of a private investigator and a computer
scientist. Although this unique field requires technical, legal and law enforcement
experience, many industries choose professionals with investigative intelligence and
technology expertise.
• A computer forensics professional can fill a diversity of roles, which include a private
examiner, an investigator, a corporate compliance professional, and a law enforcement
official.
• Before becoming a computer forensics professional, one needs to be aware that:
  • The rest of the world is not part of that profession.
  • The majority of the general public are excluded from computer forensics.
  • The majority of computer professionals are not skilled in computer forensics.
  • Many computer forensic practitioners come from other disciplines (of computing and from
other areas, e.g. audit).
• Aspects essential to the computer forensics profession are:
  • Academic
  • Application of computer science
  • Application of forensic science
  • Narrow specialism
  • Aligned to computer security
  • Core discipline
• A good forensics investigator should always follow these rules:
  • Examine the original evidence as little as possible. Instead, examine the duplicate evidence.
  • Follow the rules of evidence and do not tamper with the evidence.
  • Always prepare a chain of custody, and handle evidence carefully.
  • Never go beyond the knowledge base of the forensic investigation.
  • Document any changes in evidence.
• In relation to ethical behavior in computer forensics, there is a very thin line between what
is acceptable and what is deemed malpractice.
• Computer forensics exists in an ethical grey area. The forensics investigator needs to
balance self-motivation, legal constraints and procedural considerations.
• It is also the responsibility of the forensics investigator to help the court on matters within
his knowledge. This duty overrides any obligation to the person from whom the forensics
investigator receives instructions or by whom he is paid.
• While investigating cyber crimes, one has to know the laws that cover such crimes. Legal
authorizations are needed to access targets of evidence. In order to preserve the
admissibility of evidence, proper handling of evidence by a computer forensics expert is
required.
• Different warrant requirements and other legal constraints apply to different categories of
data, such as recent, older, interceptable, not interceptable, etc.
• Investigators should always consult the legal department of their corporation to understand
the limits of their investigation. Privacy rights of suspects should not be ignored.
• Legal issues associated with cyber crime are still being developed by legislators and may
change in the future.