Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
As previously defined, computer forensics involves the preservation, identification, extraction, and documentation of computer evidence stored in the form of magnetically encoded information (data). Many times the computer evidence was created transparently by the computer’s operating system and without the knowledge of the computer operator. Such information may actually be hidden from view and, thus, special forensic software tools and techniques are required to preserve, identify, extract, and document the related computer evidence.
Computer forensics tools and techniques have proven to be a valuable resource for law enforcement in the identification of leads and in the processing of computer-related evidence. Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management.
Forensic software tools and methods can be used to identify passwords, log-ons, and other information that is automatically dumped from the computer memory as a transparent operation of today’s popular personal computer operating systems. Such computer forensic software tools can also be used to identify backdated files and to tie a diskette to the computer that created it.
Law enforcement and military agencies have been processing computer evidence for years. This part of the chapter touches only briefly on Windows NT™ and Windows 2000™ and their use within law enforcement computer forensic technology; that is, it covers the security and computer evidence issues associated with those two operating systems.
Windows 95™ and Windows 98™ are the predominant operating systems used on notebook and desktop computers in corporations and government agencies. Thus, they are currently the operating systems most likely to be encountered in computer investigations and computer security reviews. Be advised that this chapter does not cover the use of Black Box computer forensics software tools. Those tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution. Furthermore, such approaches are all but useless in computer security risk assessments. Such assessments usually require that searches and file listings be conducted overtly or even covertly from a single floppy diskette.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing standards. Computer processing procedures have also been developed for the U.S. Treasury Department.
Training and certification programs have also been developed for the International Association of Computer Investigation Specialists (IACIS). For these reasons, computer forensic trainers or instructors should be well qualified to teach the correct computer-processing methods and procedures.
PRESERVATION OF EVIDENCE
Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences. Computer forensic instructors should expose their trainees to bit-stream back-up theories that ensure the preservation of all storage levels that may contain evidence. For example, SafeBack software overcomes some of the evidence weaknesses inherent in Black Box computer forensics approaches (see sidebar, “Mirror Image Backup Software”). SafeBack technology can be purchased from Sydex, Inc.,[iii] and has been a worldwide standard for making mirror-image back-ups since 1990, when it was developed to requirements then established by the U.S. Treasury Department and the IACIS.
SafeBack is a sophisticated evidence-preservation tool that was developed specifically for use by federal law enforcement agencies in the United States in the processing of computer evidence. It is a unique piece of software that has become an industry standard in the processing of computer evidence around the world. SafeBack is currently the tool of choice for the Federal Bureau of Investigation and the Internal Revenue Service’s Criminal Investigation Division. Both of these agencies lead the field in the federal government.
SafeBack can also be used covertly to duplicate all storage areas on a computer hard disk drive. Drive size imposes essentially no limit on this tool. It has survived the test of time since 1990 and is used to create mirror-image back-ups of partitions on hard disk drives, and to make a mirror-image copy of an entire hard disk, which may contain multiple partitions and/or operating systems.
Back-up image files created by SafeBack can be written to essentially any writeable magnetic storage device, including SCSI tape back-up units. SafeBack preserves all of the data on a backed-up or copied hard disk, including inactive or deleted data. Cyclic redundancy checks (CRCs), distributed throughout the back-up process, enforce the integrity of back-up copies and ensure the accuracy of the process.
Back-up image files can be restored to another system’s hard disk. Remote operation via parallel port connection allows the hard disk on a remote PC to be read or written by the master system. A date- and time-stamped audit trail maintains a record of SafeBack operations during a session, and software dongles are not involved or required for operation. From an evidence standpoint, SafeBack is ideal for the computer forensics specialist, because the restored SafeBack image can be used to process the evidence in the environment in which it was created. This is especially important when system configurations and/or application settings are relevant to the display or printing of the evidence.
This powerful software is designed for use by computer forensics experts and training is required in the use of this software. If you have not been formally trained in computer forensics or you don’t have a strong background in computer hardware configurations, this software is not for you.
Primary Uses
The program is used to archive images of hard disk drives on Intel™-based computer systems. It is also used to restore archived images onto another computer hard disk drive of equal or greater storage capacity.
Program Features and Benefits
- DOS-based for ease of operation and speed
- Provides a detailed audit trail of the back-up process for evidence documentation purposes
- Checks for and duplicates data stored in sectors wherein the sector CRC does not match the stored data
- Copies all areas of the hard disk drive
- Allows the archiving of non-DOS and non-Windows hard disk drives (e.g., Unix on an Intel-based computer system)
- Allows the back-up process to be performed via the printer port
- Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode
- SafeBack image files can be stored as one large file or as separate files of fixed sizes. This feature is helpful in making copies for archive on CDs
- Tried and proven evidence-preservation technology with a 10-year legacy of success in government agencies
- Creates a noncompressed file that is an exact and unaltered duplicate of the original. This feature eliminates legal challenges concerning the potential alteration of the evidence through compression or translation.
- Fast and efficient. Depending on the hardware configurations involved, the data transfer rate exceeds 50 million bytes per minute during the back-up process.
- Makes copies in either physical or logical mode at the option of the user
- Copies and restores multiple partitions containing one or more operating systems
- Can be used to accurately copy and restore Windows NT and Windows 2000 drives in a RAID configuration
- Writes to SCSI tape back-up units or hard disk drives at the option of the user[iv]
Trojan Horse Programs
The need to preserve computer evidence before processing a computer should be clearly demonstrated by the computer forensic instructor through the use of programs designed to destroy data and modify the operating system. Participants should be able to demonstrate their ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence. Such programs can also be used to covertly capture sensitive information, passwords, and network log-ons.
Computer Forensics Documentation
The documentation of forensic processing methodologies and findings is important. This is even true concerning computer security risk assessments and internal audits, because without proper documentation, it is difficult to present findings. In the event the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important. Thus, the computer forensic instructor should also teach the participant the ins and outs of computer evidence processing methodology (which facilitates good evidence-processing documentation and good evidence chain of custody procedures). The benefits will be obvious to investigators, but they will also become clear to internal auditors and computer security specialists.
File Slack
The occurrence of random memory dumps in hidden storage areas should be discussed and covered in detail during workshops. Techniques and automated tools that are used to capture and evaluate file slack should be demonstrated in a training course. Such data is the source of potential security leaks regarding passwords, network log-ons, e-mail, database entries, and word processing documents. These security and evidence issues should also be discussed and demonstrated during the training course. The participants should be able to demonstrate their ability to deal with slack and should demonstrate proficiency in searching file slack, documenting their findings, and eliminating the security risk.
Data-Hiding Techniques
Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. These issues should be discussed in any computer forensics training course from a detection standpoint, as well as from a security risk standpoint. Tools that help in the identification of such anomalies (such as AnaDisk™; see sidebar, “Diskette Analysis Tool”) should be demonstrated and discussed in the training course. Participants should be required to demonstrate their understanding of such issues. This aspect of the training becomes especially important on the last day of the course, when the participants are called on to extract their Certificate of Completion from a special floppy diskette. Data-hiding courses are open only to classified government agencies and businesses that have a demonstrated need to know this kind of information, as outlined in a company’s training policies. This is because the information covered in a data-hiding course can be used to defeat government computer security review processes and techniques.
AnaDisk turns your PC into a sophisticated diskette analysis tool. The software was originally created to meet the needs of the U.S. Treasury Department in 1991. It is primarily used to identify data-storage anomalies on floppy diskettes; generic hardware, in the form of a standard floppy disk controller and BIOS, is needed when using this software. It works at a very low level and makes maximum use of the floppy diskette hardware. The software also has limited search capabilities and can be used to copy abnormal diskettes. It can also be used to write data at the physical sector level and to format diskettes using any number of combinations.
AnaDisk can be used to analyze floppy diskettes when doing computer evidence consulting work that involves abnormal floppy diskettes or data-storage issues tied to floppy diskettes. It can also be used in data-hiding courses to create data-hiding areas by adding extra sectors and/or tracks to floppy diskettes and by writing data to unformatted floppy diskettes. This unique software was also created by Sydex, Inc.[v]
Primary Uses
- Security reviews of floppy diskettes for storage anomalies
- Duplication of diskettes that are nonstandard or that involve storage anomalies
- Editing diskettes at a physical sector level
- Searching for data on floppy diskettes in traditional and nontraditional storage areas
- Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding techniques
Program Features and Benefits
- DOS-based for ease of operation and speed
- Keyword searches can be conducted at a very low level and on diskettes that have been formatted with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated data-hiding techniques.
- All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR™, and many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used to analyze it.
- Allows custom formatting of diskettes with extra tracks and sectors
- Scans for anomalies will identify odd formats, extra tracks, and extra sectors. Data mismatches concerning some file formats are also identified when file extensions have been changed in an attempt to hide data.
- This software can be used to copy almost any diskette, including most copy-protected diskettes.[vi]
E-Commerce Investigations
A new Internet forensic tool has recently been introduced that aims to help educators, police, and other law enforcement officials trace the past World Wide Web activity of computer users. Net Threat Analyzer™, from Gresham, Oregon-based New Technology Inc. (NTI), can be used to identify past Internet browsing and e-mail activity done through specific computers. The software analyzes a computer’s disk drives and other storage areas that are generally unknown to or beyond the reach of most general computer users.
Kids can figure out ways to prevent their parents from finding anything on their machine, but Net Threat Analyzer goes back in after the fact where things are easier to detect. New Technology Inc. has made its Net Threat Analyzer available free of charge to computer crime specialists, school officials, and police.
The program is booted from a floppy disk and uses filtering tools to collect data on users’ basic browsing and e-mail history. It flags possible threats, like anything dealing with drugs, bombs, country codes, or pornography. Web sites are changing so often that it’s difficult to keep up with which ones are porn or drug sites.
For example, http://www.whitehouse.gov is the official White House Web site, whereas www.whitehouse.com is a pornography site. If Junior has been to whitehouse.com 300 to 500 times, that will get through most Net Nanny-type software, but it will raise a red flag with the Net Threat Analyzer product.
The software was designed to help prevent situations like the recent tragedies at Columbine High School in Littleton, Colorado, and the Thurston High School in Springfield, Oregon, where weapons were made by teenagers who had downloaded the instructions from the Internet.
New Technology Inc., which specializes in computer forensics tools and training, has posted order forms for its software on its Web site at http://www.forensics-intl.com. The tool is not available to the public, but a special version can be purchased by Fortune 500 companies, government agencies, military agencies, and consultants, who have a legitimate need for the software.
Dual-Purpose Programs
Programs can be designed to perform multiple processes and tasks at the same time. They can also be designed for delayed tasking. These concepts should be demonstrated to the training participants during the course through the use of specialized software. The participant should also have hands-on experience with these programs.
Text Search Techniques
New Technology Inc. has also developed specialized search techniques and tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files. Each participant will leave the training class with a licensed copy of NTI’s TextSearch Plus™ software and the necessary knowledge to conduct computer security reviews and computer-related investigations (see sidebar, “Text Search Plus”).
Note: This search tool is approved for use in security reviews by some U.S. government classified agencies.
TextSearch Plus was specifically designed and enhanced for speed and accuracy in security reviews. It is widely used by classified government agencies and corporations that support these agencies. The software is also used by hundreds of law enforcement agencies throughout the world in computer crime investigations.
This software is used to quickly search hard disk drives, Zip disks, and floppy diskettes for keywords or specific patterns of text. It operates at either a logical or a physical level, at the option of the user. TextSearch Plus was specifically designed to meet the government’s requirements for computer security exit reviews from classified facilities. The current version is approximately 25% faster than prior versions. It is compatible with FAT12, FAT16, and FAT32 DOS-based systems, so it can be used on DOS, Windows, Windows 95, and Windows 98 systems. Tests indicate that this tool finds more text strings than any other forensic search tool. It is sold separately and is also included in several of the NTI tool suites. As a stand-alone tool, it is ideal for security risk assessments. When security spills are identified, they can easily be eliminated with NTI’s M-Sweep™ program.
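To make the difference between a logical and a physical search concrete, and to show what the file slack discussed in the earlier “File Slack” section actually is, here is an added Python example (written for this edit; it is not TextSearch Plus or any NTI code). It builds a constructed volume with a 2048-byte cluster size, two small contiguous files, a stale memory remnant in the slack of one file, and an erased e-mail fragment in an unallocated cluster; the file table, cluster size, file names and remnants are all assumptions for the demonstration.

```python
import re

CLUSTER = 2048      # constructed cluster size: four 512-byte sectors
N_CLUSTERS = 8
# Constructed remnants: a memory dump left in file slack and an erased message in a free cluster
SLACK_REMNANT = b"logon: jdoe password=hunter2"
ERASED_REMNANT = b"From: alice@example.test\r\nSubject: draft"


def build_volume():
    """Constructed volume: a data area plus a file table; files are contiguous for simplicity."""
    vol = bytearray(CLUSTER * N_CLUSTERS)
    files = {
        "REPORT.TXT": {"first": 0, "clusters": 2, "size": 3000},   # 3000 of 4096 allocated bytes
        "NOTES.TXT": {"first": 3, "clusters": 1, "size": 13},
    }
    vol[0:3000] = (b"Quarterly report. " * 200)[:3000]
    vol[3 * CLUSTER:3 * CLUSTER + 13] = b"meeting notes"
    # File slack: REPORT.TXT ends at byte 3000 but owns bytes up to 4096; stale memory sits there
    vol[3500:3500 + len(SLACK_REMNANT)] = SLACK_REMNANT
    # Unallocated: cluster 5 belongs to no file but still holds an erased message
    vol[5 * CLUSTER:5 * CLUSTER + len(ERASED_REMNANT)] = ERASED_REMNANT
    return vol, files


def allocated_span(entry):
    start = entry["first"] * CLUSTER
    return start, start + entry["clusters"] * CLUSTER


def file_data(vol, entry):
    """The bytes a normal application sees: only up to the recorded file size."""
    start, _ = allocated_span(entry)
    return bytes(vol[start:start + entry["size"]])


def file_slack(vol, entry):
    """Bytes from end-of-file to the end of the file's last cluster."""
    start, end = allocated_span(entry)
    return bytes(vol[start + entry["size"]:end])


def unallocated(vol, files):
    """(offset, bytes) for every cluster not owned by any file."""
    used = set()
    for e in files.values():
        used.update(range(e["first"], e["first"] + e["clusters"]))
    return [(c * CLUSTER, bytes(vol[c * CLUSTER:(c + 1) * CLUSTER]))
            for c in range(N_CLUSTERS) if c not in used]


def find_all(data, keyword, base=0):
    return [base + m.start() for m in re.finditer(re.escape(keyword), data)]


def logical_search(vol, files, keyword):
    """File-by-file search: returns {name: [offsets within file]} and never sees slack."""
    hits = {}
    for name, e in files.items():
        found = find_all(file_data(vol, e), keyword)
        if found:
            hits[name] = found
    return hits


def physical_search(vol, keyword):
    """Search every byte of the volume, returning volume offsets."""
    return find_all(bytes(vol), keyword)


def slack_and_unallocated_search(vol, files, keyword):
    """Search only the ambient areas, labelling each hit with where it came from."""
    hits = []
    for name, e in files.items():
        start, _ = allocated_span(e)
        hits += [(f"slack:{name}", off)
                 for off in find_all(file_slack(vol, e), keyword, start + e["size"])]
    for base, chunk in unallocated(vol, files):
        hits += [("unallocated", off) for off in find_all(chunk, keyword, base)]
    return hits


if __name__ == "__main__":
    vol, files = build_volume()
    for kw in (b"password=", b"alice@", b"Quarterly"):
        print(kw, "logical:", logical_search(vol, files, kw),
              "ambient:", slack_and_unallocated_search(vol, files, kw))
```

The logical search never returns the password remnant, because no file's recorded length covers it; the physical search does, and the labelled ambient search tells the examiner whether a hit came from a named file's slack or from free space, which is what the documentation of a finding needs.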
Primary Uses
- Used to find occurrences of words or strings of text in data stored in files, slack, and unallocated file space
- Used in exit reviews of computer storage media from classified facilities
- Used in internal audits to identify violations of corporate policy
- Used by Fortune 500 corporations, government contractors, and government agencies in security reviews and security risk assessments
- Used in corporate due diligence efforts regarding proposed mergers
- Used to find occurrences of keyword strings of text in data found at a physical sector level
- Used to find evidence in corporate, civil, and criminal investigations that involve computer-related evidence
- Used to find embedded text in formatted word processing documents (WordPerfect™, for example) and fragments of such documents in ambient data storage areas
Program Features and Benefits
- DOS-based for ease of operation and speed
- Small memory footprint (under 60K), which allows the software to run on even the original IBM PC
- Compact program size, which easily fits on one floppy diskette with other forensic software utilities
- Searches files, slack, and erased space in one fast operation
- Has logical and physical search options that maintain compatibility with government security review requirements
- User-defined search configuration feature
- User configuration is automatically saved for future use
- Embedded words and strings of text are found in word processing files
- Alert for graphic files (secrets can be hidden in them)
- Alert for compressed files
- High-speed operation. This is the fastest tool on the market, which makes for quick searches on huge hard disk drives
- Screen and file output
- False hits don’t stop processing
- Government tested: specifically designed for security reviews in classified environments
- Currently used by hundreds of law enforcement computer crime units
- Currently in use by all of the Big 5 accounting firms
- Currently used by several government military and intelligence agencies
- Currently used by numerous Fortune 500 corporations
- The current version allows up to 120 search strings to be searched for at one time.[vii]
Fuzzy Logic Tools Used to Identify Unknown Text
NTI has also developed a methodology and tools that aid in the identification of relevant evidence and unknown strings of text. Traditional computer evidence searches require that the computer specialist know what is being searched for. However, many times not all is known about what may be stored on a given computer system. In such cases, fuzzy logic tools can assist and can provide valuable leads as to how the subject computer was used. The training participant should be able to fully understand these methods and techniques. They should also be able to demonstrate their ability to use them to identify leads in file slack, unallocated file space, and Windows swap files. Each training participant should also be able to leave the class with a licensed copy of NTI’s Filter_I™ software (see sidebar, “Intelligent Forensic Filter”).
This enhanced forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient computer data (Windows swap file data, file slack data, and data associated with erased files). This tool is so unique that process patents have been applied for with the U.S. Patent Office.
Filter_I relies on preprogrammed artificial intelligence to identify fragments of word processing communications, fragments of e-mail communications, fragments of Internet chat room communications, fragments of Internet news group posts, encryption passwords, network passwords, network log-ons, database entries, credit card numbers, social security numbers, and the first and last names of individuals who have been listed in communications involving the subject computer. This software saves days in the processing of computer evidence when compared to traditional methods.
This computer forensic tool can also be used effectively in computer security reviews, as it quickly reveals security leakage and violations of corporate policy that might not otherwise be uncovered. Be aware that the software does not rely on keywords entered by the computer specialist. It is a pattern-recognition tool that recognizes patterns of text, letter combinations, number patterns, potential passwords, potential network log-ons, and the names of individuals. To avoid possible violation of privacy laws, this software should be used only with the approval of corporate legal counsel. For this reason, it is not made available to the general public.
Primary Uses
- Used covertly to determine prior activity on a specific computer
- Used to filter ambient computer data, the existence of which the user is normally unaware of (memory dumps in file slack, Windows swap files, Windows DAT files, and erased file space)
- The ideal tool for use by corporate and government internal auditors
- The ideal tool for use by corporate and government computer security specialists
- The ideal tool for use by corporate, military, and law enforcement investigators
- Perfect for covert intelligence gathering when laws permit and you have physical access to the subject computer
Program Features and Benefits
- DOS-based for speed. The speed of operation is amazing.
- Automatically processes any binary data object
- Provides output in an ASCII text format that is ready for import into any word processing application
- Capable of processing ambient data files that are up to 2 gigabytes in size[viii]
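An added example of the pattern-recognition approach the sidebar describes, written for this edit rather than taken from Filter_I (whose internal logic is not on this page): it carves printable runs out of a constructed block of ambient data, classifies them as e-mail addresses, URLs, SSN-shaped values, Luhn-valid card numbers or credential remnants, and emits plain ASCII lines. The sample bytes, the pattern set and the minimum run length are assumptions; the card number is a well-known test number and the SSN-shaped value is made up. The same carving step is what surfaces URLs from swap and slack data in the Internet-abuse identification covered later in the chapter.

```python
import re

# Constructed ambient-data sample: printable fragments separated by binary padding,
# the way swap-file or file-slack content looks when carved out of a disk image.
SAMPLE = (
    b"\x00\x00\x1f\x8b"
    + b"Subject: Re: Q3 numbers\r\nFrom: alice@example.test\r\n"
    + b"\xff\xfe\x00" * 5
    + b"http://www.example.test/reports/q3.html"
    + b"\x00" * 7
    + b"card 4111 1111 1111 1111 exp 12/29"      # passes the Luhn check (a published test number)
    + b"\x01\x02"
    + b"card 4111111111111112"                    # fails Luhn, so it is dropped as noise
    + b"\x00" * 3
    + b"ssn 123-45-6789"                          # constructed SSN-shaped value
    + b"\x00"
    + b"logon=jdoe password=hunter2"              # constructed credential remnant
    + b"\x00" * 4
)

MIN_RUN = 6   # assumed minimum length of a printable run worth classifying
PRINTABLE = re.compile(rb"[\x20-\x7e\r\n\t]{%d,}" % MIN_RUN)

# Assumed pattern set; a real filter would carry many more (names, chat fragments, ...)
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),      # candidate only; Luhn confirms it
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|logon|login)\s*[=:]\s*\S+"),
}


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def printable_runs(data):
    """Yield (offset, text) for each run of printable ASCII, the strings(1) idea."""
    for m in PRINTABLE.finditer(data):
        yield m.start(), m.group().decode("ascii")


def filter_ambient(data):
    """Scan carved printable runs for the patterns; return sorted (offset, kind, value) hits."""
    hits = []
    for base, text in printable_runs(data):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group()
                if kind == "card":
                    value = re.sub(r"[ -]", "", value)
                    if not luhn_ok(value):
                        continue          # a 13-19 digit run that is not a card number
                hits.append((base + m.start(), kind, value))
    return sorted(hits)


def values(hits, kind):
    return [v for _, k, v in hits if k == kind]


def report(hits):
    """Plain ASCII lines, one per hit, ready for import into any editor."""
    return "\n".join(f"{off:08x} {kind:<10} {value}" for off, kind, value in hits)


if __name__ == "__main__":
    print(report(filter_ambient(SAMPLE)))
```

Each hit keeps its byte offset in the source data, so a finding can be documented and revisited; the Luhn step is what separates a card number from an arbitrary digit string, which is the kind of filtering that keeps the output readable on a large swap file.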
DISK STRUCTURE
Participants should be able to leave a training course with a good understanding of how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk. They should also demonstrate their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk drives.
DATA ENCRYPTION
A computer forensics course should cover, in general, how data is encrypted; it should also be able to illustrate the differences between good encryption and bad encryption. Furthermore, demonstrations of password-recovery software should be given by the trainers to the participants regarding encrypted WordPerfect, Excel, Lotus, Microsoft Word, and PKZIP files. The participant should become familiar with the use of software to crack security associated with these different file structures.
MATCHING A DISKETTE TO A COMPUTER
NTI has also developed specialized techniques and tools that make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on the floppy diskette. Unlike some special government agencies, NTI relies on logical rather than physical data storage areas to demonstrate this technique. Each participant is taught how to use special software tools to complete this process.
DATA COMPRESSION
The participant should be shown how compression works and how compression programs can be used to hide and/or disguise sensitive data. Furthermore, the participant should learn how password-protected compressed files can be broken; this should be covered in hands-on workshops during the training course.
ERASED FILES
The training participant should be shown how previously erased files can be recovered using DOS programs and, manually, using data-recovery techniques. The participant should also demonstrate these techniques and, in doing so, become familiar with cluster chaining.
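Added example (not NTI's or any DOS utility's code) of cluster chaining on a constructed FAT12 layout, which also illustrates the disk-structure points made earlier: a 12-bit FAT packed 1.5 bytes per entry, a fragmented live file, and a file erased the way DOS erases it (first byte of the name set to 0xE5, FAT chain freed, data left in place). Recovery walks forward from the erased entry's first cluster assuming contiguous, still-free clusters, which is exactly the assumption a manual recovery has to check. Cluster size, cluster count, file names and contents are constructed; the boot sector and directory entries are simplified to constants and dicts.

```python
import math

CLUSTER = 512       # constructed: one 512-byte sector per cluster
N_CLUSTERS = 16     # FAT entries 0 and 1 are reserved; data clusters start at 2
EOC = 0xFFF         # end-of-chain marker (FAT12 treats any value >= 0xFF8 as EOC)

LIVE_CONTENT = (b"live file text " * 100)[:1300]               # spans three clusters
GONE_CONTENT = (b"erased file, clusters 3 and 4 " * 40)[:900]  # spans two clusters


def fat12_get(fat, n):
    """Read 12-bit FAT entry n: entries are packed 1.5 bytes apart."""
    o = n + n // 2
    word = fat[o] | (fat[o + 1] << 8)
    return word & 0x0FFF if n % 2 == 0 else (word >> 4) & 0x0FFF


def fat12_set(fat, n, value):
    """Write 12-bit FAT entry n without disturbing the entry it shares a byte with."""
    o = n + n // 2
    if n % 2 == 0:
        fat[o] = value & 0xFF
        fat[o + 1] = (fat[o + 1] & 0xF0) | ((value >> 8) & 0x0F)
    else:
        fat[o] = (fat[o] & 0x0F) | ((value & 0x0F) << 4)
        fat[o + 1] = (value >> 4) & 0xFF


def chain(fat, first):
    """Follow a cluster chain from its first cluster until EOC, a free entry, or a loop."""
    clusters, cur = [], first
    while 2 <= cur < N_CLUSTERS and cur not in clusters:
        clusters.append(cur)
        cur = fat12_get(fat, cur)
    return clusters


def read_clusters(data, clusters, size):
    raw = b"".join(data[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)
    return raw[:size]


def write_file(fat, data, name, content, clusters):
    """Lay content over the given clusters (possibly fragmented) and link them in the FAT."""
    for i, c in enumerate(clusters):
        piece = content[i * CLUSTER:(i + 1) * CLUSTER]
        data[c * CLUSTER:c * CLUSTER + len(piece)] = piece
        fat12_set(fat, c, clusters[i + 1] if i + 1 < len(clusters) else EOC)
    return {"name": name, "first": clusters[0], "size": len(content)}


def dos_delete(fat, entry):
    """What DOS does on delete: free the chain, mark the entry; the data bytes stay put."""
    for c in chain(fat, entry["first"]):
        fat12_set(fat, c, 0)
    entry["name"] = "\xe5" + entry["name"][1:]
    return entry


def recover_deleted(fat, data, entry):
    """Recover an erased file assuming its clusters were contiguous and are still free.
    Returns (bytes, complete); a cluster since reused by a live file ends the recovery."""
    needed = math.ceil(entry["size"] / CLUSTER)
    got, c = [], entry["first"]
    while len(got) < needed and c < N_CLUSTERS and fat12_get(fat, c) == 0:
        got.append(c)
        c += 1
    return read_clusters(data, got, entry["size"]), len(got) == needed


def build_image():
    """Constructed volume: a fragmented live file and an erased, once-contiguous file."""
    fat = bytearray(N_CLUSTERS * 3 // 2 + 2)
    fat12_set(fat, 0, 0xFF8)   # media descriptor slot
    fat12_set(fat, 1, EOC)     # reserved
    data = bytearray(N_CLUSTERS * CLUSTER)
    live = write_file(fat, data, "LIVE.TXT", LIVE_CONTENT, [2, 5, 6])
    gone = write_file(fat, data, "SECRET.TXT", GONE_CONTENT, [3, 4])
    dos_delete(fat, gone)
    return fat, data, live, gone


if __name__ == "__main__":
    fat, data, live, gone = build_image()
    print("live chain:", chain(fat, live["first"]))
    print("erased entry:", repr(gone["name"]), "chain now:", chain(fat, gone["first"]))
    recovered, complete = recover_deleted(fat, data, gone)
    print("recovered", len(recovered), "bytes, complete =", complete)
```

The live file shows why chaining matters: its clusters are 2, 5 and 6, and only the FAT says so. Once the file is erased the FAT no longer links them, so recovery of a fragmented file depends on the examiner chaining clusters by hand, while the contiguous case above recovers cleanly as long as no later write has reused a cluster.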
INTERNET ABUSE IDENTIFICATION AND DETECTION
The participant should be shown how to use specialized software to identify how a targeted computer has been used on the Internet. This process will focus on computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files).
THE BOOT PROCESS AND MEMORY RESIDENT PROGRAMS
The participant should be able to participate in a graphic demonstration of how the operating system can be modified to change data and destroy data at the whim of the person who configured the system. Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the participants understand these potential risks and how to identify them.
[iii] Sydex, Inc., P.O. Box 5700, Eugene, OR 97405, USA, 2001.
[iv] “SafeBack Mirror Image Backup Software,” New Technologies, Inc., 2075 NE Division St, Gresham, Oregon 97030, 2001 (© Copyright 2002, New Technologies, Inc. All rights reserved).
[v] Sydex, Inc., P.O. Box 5700, Eugene, OR 97405, USA, 2002.
[vi] “AnaDisk Diskette Analysis Tool,” New Technologies, Inc., 2075 NE Division St, Gresham, Oregon 97030, 2001 (© Copyright 2002, New Technologies, Inc. All rights reserved).
[vii] “Text Search Plus,” New Technologies, Inc., 2075 NE Division St, Gresham, Oregon 97030, 2001 (© Copyright 2002, New Technologies, Inc. All rights reserved).
[viii] “FILTER_1: Intelligent Forensic Filter,” New Technologies, Inc., 2075 NE Division St, Gresham, Oregon 97030, 2001 (© Copyright 2002, New Technologies, Inc. All rights reserved).