Computer forensics

From Wikipedia, the free encyclopedia

Forensic science
Physiological sciences
Forensic pathology · Forensic dentistry
Forensic anthropology · Forensic entomology
Social sciences
Forensic psychology · Forensic psychiatry
Other specializations
Fingerprint analysis · Forensic accounting
Ballistics · Bloodstain pattern analysis
DNA analysis · Forensic toxicology
Forensic footwear evidence
Questioned document examination
Explosion analysis
Cybertechnology in forensics
Information forensics · Computer forensics
Related disciplines
Forensic engineering
Forensic materials engineering
Fire investigation
Vehicular accident reconstruction
People in Forensics
Auguste Ambroise Tardieu
Edmond Locard
Bill Bass
Related articles
Crime scene · CSI Effect
Trace evidence
This box: view • talk • edit

The simple definition of computer forensics

... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and for solving puzzles, which is where the art comes in. - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006

Thus, it is more than the technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a civil wrong or a criminal act. Computer forensics requires specialized expertise and tools that goes above and beyond the normal data collection and preservation techniques available to end-users or system support personnel. One definition is analogous to "Electronic Evidentiary Recovery, known also as e-discovery, requires the proper tools and knowledge to meet the Court's criteria, whereas Computer Forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence."[1] Another is "a process to answer questions about digital states and events"[2]. This process often involves the investigation and examination computer system(s), including, but not limited to the data acquisition that resides on the media within the computer. The forensic examiner renders an opinion, based upon the examination of the material that has been recovered. After rendering an opinion and report, to determine whether they are or have been used for criminal, civil or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, these include but are not limited to hard drives, portable data devices (USB Drives, External drives, Micro Drives and many more). Computer forensics experts:

1. Identify sources of documentary or other digital evidence.
2. Preserve the evidence.
3. Analyze the evidence.
4. Present the findings.

Computer forensics is done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal. Refer to Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations for the US Department of Justice requirements for Computer Forensices and electronic evidence processing.

Contents 1 Understand the suspects 2 Electronic evidence considerations 3 Secure the machine and the data 3.1 Examine the machine's surroundings 3.2 Examine the Live System and record open applications 3.3 Power down carefully 3.4 Inspect for traps 3.5 Fully document hardware configuration 3.6 Duplicate the electronic media (evidence) 4 E-mail review 4.1 E-mail headers 4.2 Sorting through the masses 4.3 Computer forensic examples 4.3.1 Example 4.3.2 Example two 4.3.3 Example three 5 Comparison to Physical Forensics 6 See also 7 References 8 External links 9 Related Journals

Understand the suspects

It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that the examiner appear to the equipment to be as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which probably prohibits the machine modifying the drives, or in exactly the same way they would.

If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action occurs. It is straightforward to link this to the Microsoft Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either-- information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in Random Access Memory, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.

Electronic evidence considerations

Electronic evidence can be collected from a variety of sources. Within a company’s network, evidence will be found in any form of technology that can be used to transmit or store data. Evidence should be collected through three parts of an offender’s network: at the workstation of the offender, on the server accessed by the offender, and on the network that connects the two. Investigators can therefore use three different sources to confirm the data’s origin.

Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect’s files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps. There are a handful of cardinal rules that are used to ensure that the evidence is not destroyed or compromised:

1. Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.

In order to verify that a tool is forensically sound, the tool should be tested in a mock forensic examination to verify the tool's performance. There are government agencies such as the Defense Cyber Crime Institute that accept requests to test specific digital forensic tools and methods for governmental agencies, law enforcement organizations, or vendors of digital forensic products at no cost to the requestor.

1. Handle the original evidence as little as possible to avoid changing the data.
2. Establish and maintain the chain of custody.
3. Document everything done.
4. Never exceed personal knowledge.

If such steps are not followed the original data may be changed, ruined or become tainted, and so any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:

1. The time that business operations are inconvenienced.
2. How sensitive information which is unintentionally discovered will be handled.

In any investigation in which the owner of the digital evidence has not given consent to have his or her media examined – as in most criminal cases – special care must be taken to ensure that you as the forensic specialist have legal authority to seize, image, and examine each device. Besides having the case thrown out of court, the examiner may find him or herself on the wrong end of a hefty civil lawsuit. As a general rule, if you aren't sure about a specific piece of media, do not examine it. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation.

Some of the most valuable information obtained in the course of a forensic examination will come from the computer user themself. In accordance with applicable laws, statutes, organizational policies, and other applicable regulations, an interview of the computer user can often yield invaluable information regarding the system configuration, applications, and most important, software or hardware encryption methodology and keys utilized with the computer. Forensic analysis can become exponentially easier when analysts have passphrase(s) utilized by the user open encrypted files or containers used on the local computer system, or on systems mapped to the local computer through a local network or the internet.

Secure the machine and the data

Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, is made. Exceptional consideration to this practice are detailed below regarding live system considerations.

To ensure that the machine can be analyzed as completely as possible, the following sequence of steps is followed:

Examine the machine's surroundings

A USB keydrive

XD Picture Card

Secure Digital card

The collection phase starts off with the computer forensic team analyzing its surroundings. Similar to police investigating a crime in any other case, all printouts, disks, notes, and other physical evidence are collected to take back to the laboratory for analysis. Furthermore, an investigating team must take digital photographs of the surrounding environment before any of the hardware is dealt with. This initial collection phase sets the tone for the rest of the investigation and therefore the evidence is locked away securely, with limited access granted to authorized team members only.

The area is examined for notes, concealed or in plain view, that may contain passwords or security instructions. Any recordable media, including music mixes is secured. A search is also made for removable storage devices such as keydrives, MP3 players or security tokens. See Category:Solid-state computer storage media.

Examine the Live System and record open applications

If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down it may be lost, so acquiring the data while the RAM is still powered is a priority. For most practical purposes, it is not possible to completely scan contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it) and removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.

Several Open Source tools are available to conduct an analysis of open ports, mapped drives (including through an active VPN connection), and of significant importance, open or mounted encrypted files (containers) on the live computer system. Additionally, through Microsoft's implementation of the Encrypted File System (EFS), once a system is powered down, it becomes more difficult to examine previously-mounted EFS files and directory structures. Utilizing open source tools and commercially available products, it is possible to obtain an image of these mapped drives and the open encrypted containers in an unencrypted format. For Windows based systems, these Open Source tools include Knoppix and Helix. Commercial imaging tools include Access Data's Forensic Tool Kit and Guidance Software's EnCase application.

The aforementioned Open Source tools can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently access local email applications including MS Outlook.

With MS most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it will probably become more important to develop procedures for examining and imaging live (mounted unencrypted) systems.

It is possible that in utilizing tools to analyze and document a live computer system that changes can be made to the content of the hard drive. During each phase of system analysis, the forensic examiner documents what they did and why they did it. Specifically, the examiner details the potentially-perishable information that can/will be lost during a system power down process. The examiner balances the need to potentially change data on the hard drive versus the evidentiary value of such perishable data.

RAM can be analyzed for prior content after power loss. Although as production methods become cleaner the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time are more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increases. Holding unpowered RAM below − 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

As expeditious destruction of chronic residual stress within the module can really only be achieved by impractical exposure to high energies, applications written with data security in mind will periodically bit-flip critical data, such as encryption keys, to eliminate 'imprinting' of this data on the RAM, thus preventing the need to actively destroy it in the first place.^[1]

It is important to note that when a live analysis is performed, the data that is most likely to be modified or damaged first must be captured first. The order of volatility is as follows:

1. Network connections

Network connections can close quickly and often leave no evidence of where they were connected to or the data being transferred.

2. Running Processes

The programs running on a computer are noted before further analysis is conducted.

3. RAM

The systems Random Accessing Memory contains information on all running programs, as well as recently run programs. The information that can be gained from the system ram includes Passwords, encryption keys, personal information and system and program settings.

4. System settings

The Operating system settings can now be extracted. this includes User lists, currently logged in users, system date and time, currently accessed files and current security policies.

5. Hard Disk

The hard disk can then be imaged. It is important to note that it is not forensically-sound to image a hard drive while it is running live unless there are extenuating circumstances.^[2]

Power down carefully

If the computer is running when seized, it is powered down in a way that is least damaging to data currently in memory and that which is on the hard disk. Which method is used depends on many differing values, such as the operating system in use, and the role of the computer to be seized. Performing a proper shut down may cause malicious scripts to be run, or volatile data to be lost. On the other hand, removing the power plug may cause corruption of the filesystem or loss of crucial data.

Examiners are aware of the fact that computers may feature an internal uninterruptible power supply (UPS). With such devices the computer may stay running long after the power cable has been removed.

Inspect for traps

See also: commons:Category:Computer hardware

Fully document hardware configuration

Photograph and diagram the configuration of the system. Serial numbers and other markings are noted, with special attention being paid to the following:

1. Order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. 2. Cable connections, including modem, LAN and storage subsystems. 3. Wireless networking hardware.

Duplicate the electronic media (evidence)

The process of creating an exact duplicate of the original evidenciary media is often called Imaging. Using a standalone hard-drive duplicator or software imaging tools such as DCFLdd or IXimager, the entire hard drive is completely duplicated. This is usually done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. The original drive is then moved to secure storage to prevent tampering.

Usually some kind of hardware write protection to ensure no writes will be made to the original drive is used. Even if operating systems like Linux can be configured to prevent this, a hardware write blocker is usually the best practice. The Defense Cyber Crime Institute warns that if a hardware write-block is used the examiner should take into consideration the fact that write-blocks can introduce extra benign data when being used to image damaged media (bad sectors).^[3] Special consideration is also given to hard drives with Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs). These small areas of a hard drive, normally reserved for hard drive device and diagnostic utilities and hidden from the operating system, can be altered up to the entire capacity of the hard drive and used to store information (potential evidence) that many imaging applications and devices fail to image. You can image to another hard disk drive, a tape, or other media. Tape is a preferred format for archive images, since it is less vulnerable for damage and can be stored for a longer time. There are two goals when making an image:

1. Completeness (imaging all of the information)
2. Accuracy (copying it all correctly)

The imaging process is verified by using the SHA-1 message digest algorithm (with a program such as sha1sum) or other still viable algorithms. To make a forensically-sound image, two reads that result in the same output by the message digest algorithm are required. Generally, a drive should be hashed in at least two algorithms to help ensure its authenticity from modification, in the event that one of the algorithms is cracked. This can be accomplished by first imaging to one tape labeled as the Master and then make an image labeled Working. If onsite and time is critical, the second read can be made to Null.

Note: Ultimately the methodology used by computer forensic investigators in capturing potential evidence on a system (such as imaging hard drives) will be dictated by the proportionality of the likely importance of that evidence in the matter for which these services are engaged. Additional influences such as claims of privilege and potential damages sought for business interruption create potential headaches for corporate investigations where forensic soundness is often sacrificed for practicality. Law enforcement personnel moving into the corporate environment tend to be overly strict in their application of computer forensic principles in litigations where the burden of proof does not require it. There is an increasing need to capture servers live and capturing less than whole disks worth of data in an effort to work within a time and cost framework. Even an unsolved murder investigation must be wound up at some point where there are diminishing gains to be had in progressing the investigation, so too with computer forensic investigations in both the corporate and criminal arenas where the sheer quantity of digital evidence can become overwhelming and threaten to overburden investigators.

Also, it must be remembered that any computer evidence is potentially admissible regardless of the methodology by which it came to the attention of the court. If an examiner fails to create a SHA or MD5 hash on the original hard drive, the data is not necessarily worthless or non admissible. Traditional discovery has been happening for at least a decade (often without a hashes). Application of proper forensic principles will however improve its overall credibility and diminish admissibility challenges. However, reasonable attempts need to made to ensure that the most complete and accurate image possible is obtained.

E-mail review

E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. Because users may access email in a variety of ways, it's important to look for different kinds of emails. The user may have used a dedicated program, or Mail User Agent (MUA), a web browser, or some other program to read and write email. Additionally, files for each of these programs may be stored on a local hard drive, a network device, or a removable device. A good examiner will search all of these locations for email data. Be aware that many email clients will save a copy of outgoing messages, so both the sender and the recipient may have a copy of each message. Finally, mail may also be stored on a dedicated mail server, either awaiting delivery or as permanent storage.

E-mail headers

Main article: E-mail#Internet e-mail header

All email programs generate headers that attach to the messages. The study of these headers is complex. Some investigators favor reading the headers from the bottom up, others from the top down. Under normal circumstances, headers are supposed to be created by the mail user agent and then prepended by mail servers, the bottom up method should work. But a malicious mail server or forger may make this difficult.

The headers added by an MUA are different from those added by mail servers. For example, here is the format for headers generated by Mozilla Thunderbird 1.0 running on Microsoft Windows.

Message-ID: <41b5f981.5040504@example.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name 
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: recipient@example.com
Subject: Testing
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Extensions such as enigmail may add extra headers.

The Message-ID field has three parts:

1. The time the message was sent in seconds past the epoch in hexadecimal (Unix 32 bit Big Endian Hex Value)
2. A random value called a salt. The salt is of the format #0#0#0# where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509".
3. The fully qualified domain name of the sender.

Message-ID: [time].[salt]@[domain-name]

Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp in function msg_generate_message_id() and therefore applies only to mail sent by this application. Generally the format of the Message-ID is arbitrary, and you should refer to the applicable RFCs.

Sorting through the masses

While theoretically possible to review all e-mails, the sheer volume that may be subject to review may be a daunting task; large-scale e-mail reviews cannot look at each and every e-mail due to the sheer impracticality and cost. Forensics experts use review tools to make copies of and search through e-mails and their attachments looking for incriminating evidence using keyword searches. Some programs have been advanced to the point that they can recognize general threads in e-mails by looking at word groupings on either side of the search word in question. Thanks to this technology vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand.

Also, emails may contain In-Reply-To: headers that allow threads to be reconstructed. Good email clients can do this.

Computer forensic examples

Forensics can be defined as the use of technology and science for investigation and fact recovery when dealing with criminal matters. Computer forensics is the technological aspect of retrieving evidence to use within criminal or civil courts of law. They are able to recover damaged and deleted files. Some cases in particular used the art of computer forensics as their lead of evidence to indict a criminal offender or find the location of a missing person.

Example

Chandra Levy, who went missing on April 30, 2001, was a Washington, D.C. intern whose disappearance was widely publicized. While her location was unknown, she had used the Internet as well as e-mail to make travel arrangements and to communicate with her parents. The use of this technology helped a computer criminalist trace her whereabouts. The information found on her computer led police to her location, even though she had been missing for one year.

Example two

There have been a number of cases at private schools where authority figures have been charged with possession of child pornography. These discoveries were made using computer forensics. By tracking the buying and selling of pornography online, computer forensic investigators have been able to locate people involved in these crimes. They are able to use information found on the computers as circumstantial evidence in court, allowing prosecution to occur.

Example three

A final example of how computer forensics is affecting the current workplace is the aspect of security. Employees' work computers are now being monitored to ensure no illegal actions are taking place in the office. They also have heightened security so outsiders cannot access a company’s confidential files. If this security is broken a company is then able to use computer forensics to trace back to which computer was being tampered with and what information was extracted from it, possibly leading to the guilty parties and other potential parties involved.

Comparison to Physical Forensics

There are many core differences between computer forensics and "physical forensics." [3] At the highest level, the physical forensic sciences focus on identification and individualization. Both of these processes compare an item from a crime scene with other substances to identify the class of the item (i.e. is the red liquid fruit juice or blood?) or the source of the item (i.e. did this blood come from person X?). Computer forensics on the other hand focuses on finding the evidence and analyzing it. Therefore, it is more analogous to a physical crime scene investigation^[4] than the physical forensic processes.