Computer forensics - forensics.pdf

Global Forensic audit & Investigation

Page | 1

Computer forensics

Our reliance on computer and network technologies has led to a number of concerns. For example, the use of computers has inspired new types of misconduct, such as hacking or denial of service attacks against computer systems. Conversely, ordinary, inexpert people find new opportunities for older crimes such as credit card fraud, embezzlement or blackmail.

Need for Computer Forensics

Computer forensics exists mainly because of the wide variety of computer crimes that take place. With present-day technology it is common for organizations to employ the services of computer forensics experts. Computer crimes occur on both a small and a large scale, and the loss caused depends on the sensitivity of the data or information against which the crime has been committed.

Computer forensics has become vital in the corporate world. Data may be stolen from an organization, in which case the organization may sustain heavy losses. Computer forensics is used in such cases because it helps in tracking the criminal.

The need is all the more severe in the present age because of advances in the internet and our dependency on it. People who gain access to computer systems without proper authorization must be dealt with. Network security is an important issue in the computer world, and computer forensics is a threat to wrongdoers and to people with malicious intent.

Computer forensics is also effective where data is stored on a single system for backup. Data theft and intentional damage to the data on a single system can be minimized with computer forensics. Hardware and software that implement security measures track changes and updates to the data or information; the user information recorded in the log files can then be used to produce evidence in a legal manner in case of any crime.

The main purpose of computer forensics is to produce evidence in court that can lead to the punishment of the actual offender. Forensic science is the process of applying scientific knowledge to the collection, analysis and, most importantly, the presentation of evidence in a court of law. The word forensic itself means "to bring to the court".

The need for, or importance of, computer forensics lies in ensuring the integrity of the computer system. With some small measures a system can avoid the cost of operating and maintaining security. The subject provides in-depth knowledge for understanding both the legal and the technical aspects of computer crime, and it is very useful from a technical standpoint.

The importance of computer forensics is evident in the tracking of child pornography and email spamming cases. Computer forensics has been used effectively to track down terrorists in various parts of the world: terrorists who use the internet as their medium of communication can be tracked down and their plans discovered.

Many tools can be used in combination with computer forensics to find out the geographical location and hideouts of criminals. The IP address plays an important role in finding the geographical position of terrorists. Security personnel deploy effective measures using computer forensics; intrusion detection systems are used for that purpose.

The application of computer technology to the investigation of computer based crime has given rise to a new field of specialization—forensic computing—which is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. It encompasses four key elements.

1. The identification of digital evidence is the first step in the forensic process. Knowing what evidence is present, where it is stored and how it is stored is vital to determining which processes are to be employed to facilitate its recovery. Whilst many people think of personal computers as the sole focus of forensic computing, in reality it can extend to any electronic device that is capable of storing information, such as mobile/cellular telephones, electronic organizers (digital diaries) and smart cards. In addition, the computer forensic examiner must be able to identify the type of information stored in a device and the format in which it is stored so that the appropriate technology can be used to extract it.

2. The preservation of digital evidence is a critical element in the forensic process. Given the likelihood of judicial scrutiny in a court of law, it is imperative that any examination of the electronically stored data be carried out in the least intrusive manner. There are circumstances where changes to data are unavoidable, but it is important that the least amount of change occurs. In situations where change is inevitable it is essential that the nature of, and reason for, the change can be explained. Alteration to data that is of evidentiary value must be accounted for and justified. This applies not only to changes made to the data itself, but also includes physical changes that are made to the particular electronic device to facilitate access to the data.

3. The analysis of digital evidence—the extraction, processing and interpretation of digital data—is generally regarded as the main element of forensic computing. Once extracted, digital evidence usually requires processing before it can be read by people. For example, when the contents of a hard disk drive are imaged, the data contained within the image still requires processing so that it is extracted in a humanly meaningful manner. The processing of the extracted product may occur as a separate step, or it may be integrated with extraction.

4. The presentation of digital evidence involves the actual presentation in a court of law. This includes the manner of presentation, the expertise and qualifications of the presenter and the credibility of the processes employed to produce the evidence being tendered.

WHAT IS A COMPUTER SECURITY INCIDENT?

We define a computer security incident as any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Such an action can include any of the following events:

- Theft of trade secrets
- Email spam or harassment
- Unauthorized or unlawful intrusions into computing systems
- Embezzlement
- Possession or dissemination of child pornography
- Denial-of-service (DoS) attacks
- Tortious interference of business relations
- Extortion
- Any unlawful action when the evidence of such action may be stored on computer media, such as fraud, threats, and traditional crimes

Notice that many of these events include violations of public law, and they may be actionable in criminal or civil proceedings. Several of these events have a grave impact on an organization’s reputation and its business operations. Responding to computer security incidents can involve intense pressure, time, and resource constraints. A severe incident affecting critical resources can seem overwhelming. Furthermore, no two incidents are identical, and very few will be handled in exactly the same manner. However, breaking down the procedure into logical steps makes incident response manageable.

WHAT ARE THE GOALS OF INCIDENT RESPONSE?

In our incident response methodology, we emphasize the goals of corporate security professionals with legitimate business concerns, but we also take into consideration the concerns of law enforcement officials. Thus, we developed a methodology that promotes a coordinated, cohesive response and achieves the following:

- Prevents a disjointed, noncohesive response (which could be disastrous)
- Confirms or dispels whether an incident occurred
- Promotes accumulation of accurate information
- Establishes controls for proper retrieval and handling of evidence
- Protects privacy rights established by law and policy
- Minimizes disruption to business and network operations
- Allows for criminal or civil action against perpetrators
- Provides accurate reports and useful recommendations
- Provides rapid detection and containment
- Minimizes exposure and compromise of proprietary data
- Protects your organization’s reputation and assets
- Educates senior management
- Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)

INCIDENT RESPONSE METHODOLOGY

Computer security incidents are often complex, multifaceted problems. Just as with any complex engineering problem, we use a “black box” approach: we divide the larger problem of incident resolution into components and examine the inputs and outputs of each component. In our methodology, there are seven major components of incident response:

1. Pre-incident preparation: take actions to prepare the organization and the CSIRT before an incident occurs.
2. Detection of incidents: identify a potential computer security incident.
3. Initial response: perform an initial investigation, recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident.
4. Formulate response strategy: based on the results of all the known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative, or other actions are appropriate to take, based on the conclusions drawn from the investigation.
5. Investigate the incident: perform a thorough collection of data. Review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future.
6. Reporting: accurately report information about the investigation in a manner useful to decision makers.
7. Resolution: employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified.

These are defined in detail as follows:

1. Pre-Incident Preparation

Preparation leads to successful incident response. During this phase, your organization needs to prepare both the organization itself as a whole and the CSIRT members, prior to responding to a computer security incident. We recognize that computer security incidents are beyond our control; as investigators, we have no idea when the next incident will occur. Furthermore, as investigators, we often have no control over or access to the affected computers before an incident occurs. However, lack of control does not mean we should not attempt to posture an organization to promote a rapid and successful response to any incidents. Incident response is reactive in nature. The pre-incident preparation phase comprises the only proactive measures the CSIRT can initiate to ensure that an organization’s assets and information are protected. Ideally, preparation will involve not just obtaining the tools and developing techniques to respond to incidents, but also taking actions on the systems and networks that will be part of any incident you need to investigate.

Preparing the Organization

Preparing the organization involves developing all of the corporate-wide strategies you need to employ to better posture your organization for incident response. This includes the following:

- Implementing host-based security measures
- Implementing network-based security measures
- Training end users
- Employing an intrusion detection system (IDS)
- Creating strong access control
- Performing timely vulnerability assessments
- Ensuring backups are performed on a regular basis

Preparing the CSIRT

The CSIRT is defined during the pre-incident preparation phase. Your organization will assemble a team of experts to handle any incidents that occur. Preparing the CSIRT includes considering at least the following:

- The hardware needed to investigate computer security incidents
- The software needed to investigate computer security incidents
- The documentation (forms and reports) needed to investigate computer security incidents
- The appropriate policies and operating procedures to implement your response strategies
- The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation

2. Detection of Incidents

If an organization cannot detect incidents effectively, it cannot succeed in responding to incidents. Therefore, the detection of incidents phase is one of the most important aspects of incident response. It is also one of the most decentralized phases, in which those with incident response expertise have the least control. Suspected incidents may be detected in countless ways. Computer security incidents are normally identified when someone suspects that an unauthorized, unacceptable, or unlawful event has occurred involving an organization’s computer networks or data-processing equipment. Initially, the incident may be reported by an end user, detected by a system administrator, identified by IDS alerts, or discovered by many other means.

No matter how you detect an incident, it is paramount to record all of the known details.

3. Initial Response

The initial response phase involves assembling the CSIRT, collecting network-based and other data, determining the type of incident that has occurred, and assessing the impact of the incident. The individuals involved with detecting an incident actually begin the initial response phase. The details surrounding the incident are documented by whoever detected the incident or by an individual who was notified that the incident may have occurred (for example, help desk or security personnel). The control of the response should be forwarded to the CSIRT early in the process to take advantage of the team’s expertise; the more steps in the initial response phase performed by the CSIRT, the better. Typically, the initial response will not involve touching the affected system(s). The data collected during this phase involves reviewing network-based and other evidence. This phase involves the following tasks:

- Interviewing system administrators who might have insight into the technical details of an incident
- Interviewing business unit personnel who might have insight into business events that may provide a context for the incident
- Reviewing intrusion detection reports and network-based logs to identify data that would support that an incident has occurred
- Reviewing the network topology and access control lists to determine if any avenues of attack can be ruled out

At the conclusion of the initial response stage, you will know whether or not an incident has occurred and have a good idea of the systems affected, the type of incident, and the potential business impact. Armed with this information, you are now ready to make a decision on how to handle the incident.

4. Formulate a Response Strategy

The goal of the response strategy formulation phase is to determine the most appropriate response strategy, given the circumstances of the incident. The strategy should take into consideration the political, technical, legal, and business factors that surround the incident. The final solution depends on the objectives of the group or individual with responsibility for selecting the strategy.

Response strategies will vary based on the circumstances of the computer security incident. The following factors need to be considered when deciding how many resources are needed to investigate an incident, whether to create a forensic duplication of relevant systems, whether to make a criminal referral, whether to pursue civil litigation, and other aspects of your response strategy:

- How critical are the affected systems?
- How sensitive is the compromised or stolen information?
- Who are the potential perpetrators?
- Is the incident known to the public?
- What is the level of unauthorized access attained by the attacker?
- What is the apparent skill of the attacker?
- How much system and user downtime is involved?
- What is the overall loss?

Incidents vary widely, from virus outbreaks to theft of customers’ credit card information. A typical virus outbreak generally results in some downtime and lost productivity, while the theft of customers’ credit card information could put a fledgling dot-com operation out of business. Accordingly, the response strategy for each event will differ.

Considering Appropriate Responses

The response strategy must take into consideration your organization’s business objectives. For this reason, and because of the potential impact to your organization, the response strategy should be approved by upper-level management.

5. Investigate the Incident

The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident. No matter how you conduct your investigation, you are responding to an incident caused by people. People cause these incidents by using things to destroy, steal, access, hide, attack, and hurt other things. As with any type of investigation, the key is to determine which things were harmed by which people. However, a computer crime incident adds complexity to this simple equation. Establishing the identity behind the people on a network is increasingly difficult. Users are becoming more adept at using encryption, steganography, anonymous email accounts, fakemail, spoofed source IP addresses, spoofed MAC addresses, masquerading as other individuals, and other means to mask their true identity in “cyberspace.”

A computer security investigation can be divided into two phases: data collection and forensic analysis. During the data collection phase, you gather all the relevant information needed to resolve the incident in a manner that meets your response strategy. In the forensic analysis phase, you examine all the data collected to determine the who, what, when, where, and how information relevant to the incident.

Data Collection

Data collection is the accumulation of facts and clues that should be considered during your forensic analysis. The data you collect forms the basis of your conclusions. If you do not collect all the necessary data, you may not be able to successfully comprehend how an incident occurred or appropriately resolve an incident. You must collect data before you can perform any investigation.

Data collection involves several unique forensic challenges:

- You must collect electronic data in a forensically sound manner.
- You are often collecting more data than you can read in your lifetime (computer storage capacity continues to grow).
- You must handle the data you collect in a manner that protects its integrity (evidence handling).

The information you obtain during the data collection phase can be divided into three fundamental areas: host-based information, network-based information, and other information.

a) Host-based Information

Host-based evidence includes logs, records, documents, and any other information that is found on a system and not obtained from network-based nodes. For example, host-based information might be a system backup that harbors evidence at a specific period in time. Host-based data collection efforts should include gathering information in two different manners: live data collection and forensic duplication.

In some cases, the evidence that is required to understand an incident is ephemeral (temporary or fleeting) or lost when the victim/relevant system is powered down. This volatile data can provide critical information when attempting to understand the nature of an incident. Therefore, the first step of data collection is the collection of any volatile information from a host before this information is lost. The volatile data provides a “snapshot” of a system at the time you respond. You record the following volatile information:

- The system date and time
- The applications currently running on the system
- The currently established network connections
- The currently open sockets (ports)
- The applications listening on the open sockets
- The state of the network interface (promiscuous or not)
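As an added example (not part of the original document), the following Python script decodes the kind of data a live response captures for the last four items of that list. It parses a constructed Linux /proc/net/tcp snapshot and constructed /sys/class/net/<iface>/flags values, and assembles the timestamped volatile "snapshot" the text describes: listening sockets, established connections, and whether each interface is in promiscuous mode. The sample rows, interface names and flag values are constructed for the example; on a real host the same parser would be fed the actual pseudo-file contents.

```python
"""Decode a Linux /proc/net/tcp snapshot and interface flags into a volatile-state record."""
import socket
import struct
from datetime import datetime, timezone

# Kernel TCP state codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}
IFF_PROMISC = 0x100  # promiscuous-mode bit in the interface flags word (linux/if.h)

# Constructed sample of /proc/net/tcp as read on an x86 (little-endian) host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0500000A:01BB 3200000A:D431 01 00000000:00000000 00:00000000 00000000    33        0 20002 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:1F90 0100000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 10004 1 0000000000000000 100 0 0 10 0
"""
# Constructed /sys/class/net/<iface>/flags values (hex) for the same host.
SAMPLE_IFACE_FLAGS = {"eth0": "0x1103", "eth1": "0x1003", "lo": "0x9"}

def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22): hex IPv4 in host byte order plus hex port."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":
            continue
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # links the socket to /proc/<pid>/fd on a live host
        })
    return rows

def listening_sockets(rows):
    """Open, listening sockets: the 'open sockets (ports)' item of the volatile-data list."""
    return [r["local"] for r in rows if r["state"] == "LISTEN"]

def established_connections(rows):
    """Currently established connections as (local, remote) endpoint pairs."""
    return [(r["local"], r["remote"]) for r in rows if r["state"] == "ESTABLISHED"]

def is_promiscuous(flags_hex):
    """True if IFF_PROMISC is set in the interface flags word."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)

def snapshot(tcp_text, iface_flags, collected_at=None):
    """Assemble the volatile snapshot, timestamped in UTC (the 'system date and time' item)."""
    rows = parse_proc_net_tcp(tcp_text)
    return {
        "collected_at": (collected_at or datetime.now(timezone.utc)).isoformat(),
        "listening": listening_sockets(rows),
        "established": established_connections(rows),
        "interfaces": {name: is_promiscuous(flags) for name, flags in iface_flags.items()},
    }

if __name__ == "__main__":
    for key, value in snapshot(SAMPLE_PROC_NET_TCP, SAMPLE_IFACE_FLAGS).items():
        print(key, value)
```

The inode column is what ties a socket back to "the applications listening on the open sockets": on a live host it is matched against the socket links under /proc/<pid>/fd to name the owning process. Reading these pseudo-files does not write to the target's storage, which is the point of an initial live response: capture the snapshot without altering the data that a later forensic duplication will preserve.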

In order to collect this information, a live response must be performed. A live response is conducted when a computer system is still powered on and running. This means that the information contained in these areas must be collected without impacting the data on the compromised device. There are three variations of live response:

- Initial live response: this involves obtaining only the volatile data from a target or victim system. An initial live response is usually performed when you have decided to conduct a forensic duplication of the media.
- In-depth response: this goes beyond obtaining merely the volatile data. The CSIRT obtains enough additional information from the target/victim system to determine a valid response strategy. Nonvolatile information such as log files is collected to help understand the nature of the incident.
- Full live response: this is a full investigation on a live system. All data for the investigation is collected from the live system, usually in lieu of performing a forensic duplication, which requires the system to be powered off.

At some point (usually during your initial response), you need to decide whether or not to perform a forensic duplication of the evidence media. Generally, if the incident is severe or deleted material may need to be recovered, a forensic duplication is warranted. The forensic duplication of the target media provides the “mirror image” of the target system, which shows due diligence when handling critical incidents. It also provides a means to have working copies of the target media for analysis without worrying about altering or destroying potential evidence. If the intent is to take judicial action, law enforcement generally prefers forensic “bit-for-bit, byte-for-byte” duplicates of target systems. If the incident could evolve into a corporate-wide issue with grave consequences, it is prudent to perform a forensic duplication.
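The preservation element of forensic computing described earlier (every alteration to evidence accounted for and justified) and the data-collection challenge of handling evidence so that its integrity is protected both come down to the same practice around a forensic duplicate: hash the media at acquisition, re-verify every working copy before analysis, and record every hand-off and every justified change. The following Python example, added here and not taken from the document, shows one way to implement that: a streaming SHA-256 acquisition of a constructed sample image, verification of the working copy, and a hash-chained chain-of-custody ledger that flags both a retroactive edit to the log and an evidence-hash change recorded without a justification. The evidence identifier, custodian names and sample media are placeholders.

```python
"""Hash evidence media at acquisition, verify working copies, and keep a tamper-evident custody log."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # stream in 1 MiB pieces so multi-GB images never sit in memory

def sha256_of_stream(fileobj):
    """SHA-256 of an open binary stream from its current position to end of file."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()

def acquire_image(source, destination):
    """Byte-for-byte copy of source into destination, hashed in the same pass.
    The returned acquisition hash is the value every later verification is checked against."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        digest.update(chunk)
        destination.write(chunk)
    return digest.hexdigest()

def verify_copy(expected_hash, fileobj):
    """Re-hash a working copy before analysis; False means it no longer matches the acquisition."""
    return sha256_of_stream(fileobj) == expected_hash

class CustodyLog:
    """Append-only chain-of-custody ledger. Each entry commits to the hash of the previous one,
    so a retroactive edit anywhere breaks every link after it."""
    GENESIS = "0" * 64

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, custodian, evidence_hash, justification=""):
        """Add an entry; a justification is mandatory whenever the evidence hash changes."""
        entry = {
            "evidence_id": self.evidence_id,
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "evidence_hash": evidence_hash,
            "justification": justification,
            "previous_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every link is intact and every evidence-hash change carries a justification."""
        previous, last_hash = self.GENESIS, None
        for entry in self.entries:
            if entry["previous_entry_hash"] != previous or self._entry_hash(entry) != entry["entry_hash"]:
                return False
            if last_hash is not None and entry["evidence_hash"] != last_hash and not entry["justification"]:
                return False
            previous, last_hash = entry["entry_hash"], entry["evidence_hash"]
        return True

# Constructed stand-in for the target media (a few KiB instead of a whole disk).
SAMPLE_MEDIA = b"BOOTSECTOR" + b"\x00" * 4086 + b"customer_list.csv\n"
EVIDENCE_ID = "EXHIBIT-PLACEHOLDER-01"  # placeholder identifier, not a real case number

def acquire_and_verify():
    """Acquire the sample, verify the working copy, log both steps. Returns (hash, copy_ok, log_ok)."""
    copy = io.BytesIO()
    acq_hash = acquire_image(io.BytesIO(SAMPLE_MEDIA), copy)
    log = CustodyLog(EVIDENCE_ID)
    log.record("acquired from source media", "examiner A", acq_hash)
    copy.seek(0)
    copy_ok = verify_copy(acq_hash, copy)
    log.record("verified working copy before analysis", "examiner B", acq_hash)
    return acq_hash, copy_ok, log.verify()

def tampered_copy_detected():
    """A single changed byte in a working copy must fail verification."""
    acq_hash = sha256_of_stream(io.BytesIO(SAMPLE_MEDIA))
    altered = io.BytesIO(SAMPLE_MEDIA[:-1] + b"X")
    return not verify_copy(acq_hash, altered)

def tampered_log_detected():
    """A retroactive edit to an earlier ledger entry must break the chain."""
    log = CustodyLog(EVIDENCE_ID)
    h = sha256_of_stream(io.BytesIO(SAMPLE_MEDIA))
    log.record("acquired", "examiner A", h)
    log.record("verified", "examiner B", h)
    log.entries[0]["custodian"] = "someone else"
    return not log.verify()

def unjustified_change_detected():
    """Recording a new evidence hash with no explanation is flagged; with one it is accepted."""
    log = CustodyLog(EVIDENCE_ID)
    log.record("acquired", "examiner A", "a" * 64)
    log.record("re-imaged", "examiner A", "b" * 64)
    flagged = not log.verify()
    log.entries.pop()
    log.record("re-imaged", "examiner A", "b" * 64,
               justification="first image truncated; re-acquired with a new write blocker")
    return flagged and log.verify()
```

Hashing during the copy rather than afterwards means the acquisition hash describes exactly the bytes that were read from the source, and a second independent hash of the source media (taken through a write blocker) should match it before the original is sealed. The ledger's justification rule is the code form of the text's requirement that any change to evidentiary data be explained.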

b) Network-based Evidence

Network-based evidence includes information obtained from the following sources:

- IDS logs
- Consensual monitoring logs
- Nonconsensual wiretaps
- Pen-register/trap and traces
- Router logs
- Firewall logs
- Authentication servers

An organization often performs network surveillance (consensual monitoring) to confirm suspicions, accumulate evidence, and identify co-conspirators involved in an incident. Where host-based auditing may fail, network surveillance may fill in the gaps. Network surveillance is not intended to prevent attacks. Instead, it allows an organization to accomplish a number of tasks:

- Confirm or dispel suspicions surrounding an alleged computer security incident.
- Accumulate additional evidence and information.
- Verify the scope of a compromise.
- Identify additional parties involved.
- Determine a timeline of events occurring on the network.
- Ensure compliance with a desired activity.

c) Other Evidence

The “other evidence” category involves testimony and other information obtained from people. This is the collection of evidence following more traditional investigative techniques.

Forensic Analysis

Forensic analysis includes reviewing all the data collected. This includes reviewing log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications, and graphic files. You perform software analysis, review time/date stamps, perform keyword searches, and take any other necessary investigative steps. Forensic analysis also includes performing more low-level tasks, such as looking through information that has been logically deleted from the system to determine if deleted files, slack space, or free space contain data fragments or entire files that may be useful to the investigation.
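As an added example (not the document's own code), the following Python script performs the low-level task the paragraph above describes: a keyword search over a raw disk image that labels each hit as lying in an allocated file, in that file's slack space (the tail of its last sector, which still holds whatever was written there before), or in unallocated space, plus a printable-string pass over the whole image. The image, its 512-byte sector layout, the file names, the allocation map and the planted text are all constructed for the example; in a real examination the allocation map comes from parsing the file system's metadata.

```python
"""Keyword search over a raw image, attributing hits to allocated data, file slack or unallocated space."""
import math
import re

SECTOR = 512
IMAGE_SECTORS = 8

# Constructed allocation map standing in for a parsed file system: name -> (start sector, size in bytes).
# A real examination derives this from file system metadata (directory entries, inodes, allocation bitmaps).
ALLOCATION = {
    "report.txt": (1, 700),   # sectors 1-2; image bytes 1212-1535 are this file's slack
    "notes.txt": (3, 100),    # sector 3; image bytes 1636-2047 are slack
}

def build_sample_image():
    """Construct an 8-sector image with live files, stale slack residue and a deleted-file remnant."""
    img = bytearray(SECTOR * IMAGE_SECTORS)
    report = (b"Quarterly report line.\n" * 40)[:700]
    img[SECTOR * 1:SECTOR * 1 + len(report)] = report
    residue = b"CONFIDENTIAL draft - do not distribute"        # left behind in report.txt's slack
    img[1300:1300 + len(residue)] = residue
    notes = (b"Meeting notes: nothing unusual.\n" * 4)[:100]
    img[SECTOR * 3:SECTOR * 3 + len(notes)] = notes
    deleted = b"Deleted: wire transfer to account ACCT-PLACEHOLDER on 2024-03-01\n"
    img[SECTOR * 5:SECTOR * 5 + len(deleted)] = deleted      # unallocated: the entry is gone, the data is not
    return bytes(img)

def classify_offset(offset, allocation):
    """Map an image offset to ('allocated', name), ('slack', name) or ('unallocated', None)."""
    for name, (start, size) in allocation.items():
        begin = start * SECTOR
        data_end = begin + size
        alloc_end = begin + math.ceil(size / SECTOR) * SECTOR
        if begin <= offset < data_end:
            return "allocated", name
        if data_end <= offset < alloc_end:
            return "slack", name
    return "unallocated", None

def keyword_search(image, keywords, allocation):
    """Find every occurrence of each keyword in the raw bytes and label where it lives."""
    hits = []
    for kw in keywords:
        pos = image.find(kw)
        while pos != -1:
            region, name = classify_offset(pos, allocation)
            hits.append({"keyword": kw, "offset": pos, "region": region, "file": name})
            pos = image.find(kw, pos + 1)
    return hits

def extract_strings(image, min_len=8):
    """Printable-ASCII runs with their offsets: the usual first pass over unallocated space."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]

if __name__ == "__main__":
    image = build_sample_image()
    for hit in keyword_search(image, [b"transfer", b"CONFIDENTIAL", b"report"], ALLOCATION):
        print(hit)
    for offset, text in extract_strings(image):
        print(hex(offset), text)
```

The search deliberately runs over the raw bytes rather than over the files the file system reports, which is how a hit in slack or unallocated space is found at all; the allocation map is only consulted afterwards to say what each hit means, and a hit attributed to slack or unallocated space is reported with its offset so the fragment can be carved and its provenance explained in the report.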

6. Reporting

Reporting can be the most difficult phase of the incident response process. The challenge is to create reports that accurately describe the details of an incident, that are understandable to decision makers, that can withstand the barrage of legal scrutiny, and that are produced in a timely manner.

7. Resolution

The goal of the resolution phase is to implement host-based, network-based, and procedural countermeasures to prevent an incident from causing further damage and to return your organization to a secure, healthy operational status. In other words, in this phase, you contain the problem, solve the problem, and take steps to prevent the problem from occurring again.

The following steps are often taken to resolve a computer security incident:

1. Identify your organization’s top priorities. Which of the following is the most critical to resolve: returning all systems to operational status, ensuring data integrity, containing the impact of the incident, collecting evidence, or avoiding public disclosure?
2. Determine the nature of the incident in enough detail to understand how the security breach occurred and what host-based and network-based remedies are required to address it.
3. Determine if there are underlying or systemic causes for the incident that need to be addressed (lack of standards, noncompliance with standards, and so on).
4. Restore any affected or compromised systems. You may need to rely on a prior version of the data, server platform software, or application software as needed to ensure that the system performs as you expect it to perform.
5. Apply corrections required to address any host-based vulnerabilities. Note that all fixes should be tested in a lab environment before being applied to production systems.
6. Apply network-based countermeasures such as access control lists, firewalls, or IDS.
7. Assign responsibility for correcting any systemic issues.
8. Track progress on all corrections that are required, especially if they will take significant time to complete.
9. Validate that all remedial steps or countermeasures are effective. In other words, verify that all the host-based, network-based, and systemic remedies have been applied correctly.
10. Update your security policy and procedures as needed to improve your response process.

PRE-INCIDENT PREPARATION

Preparing for incident response involves organizational steps as well as computer security incident response team (CSIRT) preparation steps. We recommend the following preparations, which are described in detail in this chapter:

1. Identify your corporate risk.
2. Prepare your hosts for incident response and recovery.
3. Prepare your network by implementing network security measures.
4. Establish policies and procedures that allow you to meet your incident response objectives.
5. Create a response toolkit for use by the CSIRT.
6. Create a CSIRT that can assemble to handle incidents.

NETWORK-BASED EVIDENCE

Collecting network-based evidence includes setting up a computer system to perform network monitoring, deploying the network monitor, and evaluating the effectiveness of the network monitor. The analysis of network-based evidence includes reconstructing the network activity, performing low-level protocol analysis, and interpreting the network activity.

WHAT ARE THE GOALS OF NETWORK MONITORING?

If a law enforcement officer suspects an individual of a crime such as minor drug dealing, the suspect is usually placed under surveillance to confirm suspicions, accumulate evidence, and identify co-conspirators. The same approach works with suspected crimes against computer networks. Network monitoring is not intended to prevent attacks. Instead, it allows investigators to accomplish a number of tasks:

Confirm or dispel suspicions surrounding an alleged computer security incident.
Accumulate additional evidence and information.
Verify the scope of a compromise.
Identify additional parties involved.
Determine a timeline of events occurring on the network.
Ensure compliance with a desired activity.
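Three of the tasks above (verifying the scope of a compromise, identifying additional parties, and determining a timeline) come down to correlating records from several monitors. The Python script below is an added example, not part of the original document: it parses a few constructed firewall and web-server log lines (the formats, sensor name and addresses are assumptions made up for this illustration), normalizes their timestamps to UTC so that records from hosts configured in different time zones sort correctly, and then walks the timeline from a suspected external address to list the internal hosts it reached and the outbound connections that were blocked.

```python
"""Timeline and compromise-scope reconstruction from monitor logs.

Added example, not from the original document. Log lines, addresses,
sensor names and formats below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Set, Tuple

# Constructed firewall log: UTC timestamps, "src:port -> dst:port" (assumed format).
FIREWALL_LOG = [
    "2024-03-02T22:14:05Z fw01 ALLOW tcp 203.0.113.7:51234 -> 10.0.0.5:22",
    "2024-03-02T22:16:40Z fw01 ALLOW tcp 10.0.0.5:40111 -> 10.0.0.9:445",
    "2024-03-02T22:20:02Z fw01 DENY tcp 10.0.0.9:50000 -> 198.51.100.2:4444",
]
# Constructed web access log in common log format; note the +0530 local offset.
WEB_LOG = [
    '10.0.0.5 - - [03/Mar/2024:03:45:10 +0530] "GET /admin HTTP/1.1" 200 512',
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
WEB_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+)'
)


@dataclass(frozen=True)
class Event:
    ts: datetime      # timezone-aware UTC after parsing
    monitor: str      # which sensor produced the record
    src: str
    dst: str
    allowed: bool     # False for connections the firewall blocked
    detail: str


def parse_firewall(lines: Iterable[str]) -> List[Event]:
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never guessed at
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["src"], m["dst"], m["action"] == "ALLOW",
                            f'{m["proto"]} {m["src"]}:{m["sport"]} -> {m["dst"]}:{m["dport"]} {m["action"]}'))
    return events


def parse_web(lines: Iterable[str], server_ip: str) -> List[Event]:
    events = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        # %z understands "+0530"; converting to UTC makes the record comparable with fw01.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(ts, "web", m["src"], server_ip, True, f'{m["req"]} status {m["status"]}'))
    return events


def build_timeline(fw_lines, web_lines, web_server_ip: str) -> List[Event]:
    """Merge both sources into one chronologically ordered timeline."""
    return sorted(parse_firewall(fw_lines) + parse_web(web_lines, web_server_ip),
                  key=lambda e: e.ts)


def compromise_scope(events: List[Event], seeds: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Walk the timeline: any host that an already-suspect host successfully
    connected to joins the scope; blocked attempts are returned as leads."""
    reached, attempted = set(seeds), set()
    for e in events:          # time order, so earlier hops are known before later ones
        if e.src in reached:
            (reached if e.allowed else attempted).add(e.dst)
    return reached, attempted


if __name__ == "__main__":
    timeline = build_timeline(FIREWALL_LOG, WEB_LOG, "10.0.0.20")
    for e in timeline:
        print(e.ts.isoformat(), e.monitor, e.detail)
    scope, leads = compromise_scope(timeline, {"203.0.113.7"})
    print("hosts in scope:", sorted(scope))
    print("blocked outbound attempts to:", sorted(leads))
```

The web-server record lands between the two firewall records only because its local-time stamp was converted; a timeline built from raw strings would have placed it hours later. The blocked connection to 198.51.100.2 does not extend the scope, but it is kept as a lead because an internal host attempting an outbound connection on an unusual port is exactly the kind of event the monitoring is meant to surface.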

WHAT IS EVIDENCE?

According to the U.S. Federal Rules of Evidence (FRE), relevant evidence is defined as any information “having a tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the information.”

Best Evidence Rule

The Best Evidence Rule, which was established to deter any alteration of evidence, whether intentional or unintentional, states that the court prefers the original evidence at trial rather than a copy, but will accept a duplicate under these conditions:

· Original lost or destroyed by fire, flood, or other acts of God. This has included such things as careless employees or cleaning staff.

RULES OF EVIDENCE

Before delving into the investigative process and computer forensics, it is essential that the investigator have a thorough understanding of the Rules of Evidence. The submission of evidence in any type of legal proceeding generally amounts to a significant challenge, but when computers are involved, the problems are intensified. Special knowledge is needed to locate and collect evidence, and special care is required to preserve and transport the evidence. Evidence in a computer crime case may differ from traditional forms of evidence inasmuch as most computer-related evidence is intangible, in the form of an electronic pulse or magnetic charge.

Before evidence can be presented in a case, it must be competent, relevant, and material to the issue, and it must be presented in compliance with the rules of evidence. Anything that tends to prove directly or indirectly that a person may be responsible for the commission of a criminal offense may be legally presented against him.

Proof may include the oral testimony of witnesses or the introduction of physical or documentary evidence.

By definition, evidence is any species of proof or probative matter, legally presented at the trial of an issue, by the act of the parties and through the medium of witnesses, records, documents, and objects, for the purpose of inducing belief in the minds of the court and jurors as to their contention. In short, evidence is anything offered in court to prove the truth or falsity of a fact in issue. This section describes each of the Rules of Evidence as it relates to computer crime investigations.

Types of Evidence

Many types of evidence exist that can be offered in court to prove the truth or falsity of a given fact. The most common forms of evidence are direct, real, documentary, and demonstrative.

Direct evidence is oral testimony, whereby the knowledge is obtained from any of the witness's five senses and is in itself proof or disproof of a fact in issue. Direct evidence is called to prove a specific act (e.g., an eyewitness statement).

Real evidence, also known as associative or physical evidence, is made up of tangible objects that prove or disprove guilt. Physical evidence includes such things as tools used in the crime, fruits of the crime, or perishable evidence capable of reproduction. The purpose of the physical evidence is to link the suspect to the scene of the crime. It is the evidence that has material existence and can be presented to the view of the court and jury for consideration.

Documentary evidence is evidence presented to the court in the form of business records, manuals, and printouts, for example. Much of the evidence submitted in a computer crime case is documentary evidence.

Finally, demonstrative evidence is evidence used to aid the jury. It may be in the form of a model, experiment, chart, or an illustration offered as proof. When seizing evidence from a computer-related crime, the investigator should collect any and all physical evidence, such as the computer, peripherals, notepads, or documentation, in addition to computer-generated evidence.

Four types of computer-generated evidence are:

a) Visual output on the monitor.
b) Printed evidence on a printer.
c) Printed evidence on a plotter.
d) Film recorder (i.e., a magnetic representation on disk and optical representation on CD).

A legal factor of computer-generated evidence is that it is considered hearsay. The magnetic charge of the disk or the electronic bit value in memory, which represents the data, is the actual, original evidence. The computer-generated evidence is merely a representation of the original evidence, but in Rosenberg v. Collins, the court held that if the computer output is used in the regular course of business, the evidence shall be admitted.

THE CHALLENGES OF EVIDENCE HANDLING

One of the most common mistakes made by computer security professionals is failure to document adequately when responding to a computer security incident. Critical data might never be collected, the data may be lost, or the data’s origins and meaning may become unknown. Added to the technical complexity of evidence collection is the fact that properly retrieved evidence requires a paper trail. Such documentation seemingly goes against the natural instincts of the technically savvy individuals who often investigate computer security incidents. All investigators need to understand the challenges of evidence handling and how to meet these challenges. That is why every organization that performs computer security investigations requires a formal evidence-handling procedure.

The biggest challenges to evidence handling are that the evidence collected must be authenticated at a judicial proceeding and the chain of custody for the evidence must be maintained. You also must be able to validate your evidence.

Authentication of Evidence

Authentication basically means that whoever collected the evidence should testify during direct examination that the information is what the proponent claims. In other words, the most common way to authenticate evidence is to have a witness who has personal knowledge of the origins of that piece of evidence provide testimony.

If evidence cannot be authenticated, it is usually considered inadmissible, and that information cannot be presented to the judging body. It is important to develop some sort of internal document that records the manner in which evidence is collected.

Chain of Custody

Once evidence is seized, the next step is to provide for its accountability and protection. The chain of evidence, which provides a means of accountability, must be adhered to by law enforcement when conducting any type of criminal investigation, including a computer crime investigation. It helps to minimize the instances of tampering.

In other words, maintaining the chain of custody requires that evidence collected is stored in a tamper-proof manner, where it cannot be accessed by unauthorized individuals. A complete chain-of-custody record must be kept for each item obtained. Chain of custody requires that you can trace the location of the evidence from the moment it was collected to the moment it was presented in a judicial proceeding.

The chain of evidence must account for all persons who handled or who had access to the evidence in question. The chain of evidence shows:

Who obtained the evidence.
Who secured the evidence.
Who had control or possession of the evidence.

It may be necessary to have anyone associated with the evidence testify at trial. Private citizens are not required to maintain the same level of control of the evidence as law enforcement, although they are well advised to do so. Should an internal investigation result in the discovery and collection of computer-related evidence, the investigation team should follow the same detailed chain of evidence as required by law enforcement. This will help to dispel any objection by the defense that the evidence is unreliable, should the case go to court.

Admissibility of Evidence

Computer-generated evidence is always suspect because of the ease with which it can be altered, usually without a trace. Precautionary measures must be taken to ensure that computer-generated evidence has not been tampered with, erased, or added to. To ensure that only relevant and reliable evidence is entered into the proceedings, the judicial system has adopted the concept of admissibility:

a) Relevancy of Evidence. Evidence tending to prove or disprove a material fact. All evidence in court must be relevant and material to the case.
b) Reliability of Evidence. The evidence and the process to produce the evidence must be proven to be reliable. This is one of the most critical aspects of computer-generated evidence.

Once computer-generated evidence meets the business record exemption to the hearsay rule, is not excluded for some technicality or violation, and follows the chain of custody, it is held to be admissible. The defense will attack both the relevancy and reliability of the evidence, so great care should be taken to protect both.

Evidence Validation

Another challenge is to ensure that the data you collected is identical to the data that you present in court. It is not uncommon for several years to pass between the collection of evidence and the production of evidence at a judicial proceeding.

OVERVIEW OF EVIDENCE-HANDLING PROCEDURES

When handling evidence during an investigation, you will generally adhere to the following procedures:

1) If examining the contents of a hard drive currently placed within a computer, record information about the computer system under examination.
2) Take digital photographs of the original system and/or media that is being duplicated.
3) Fill out an evidence tag for the original media or for the forensic duplication (whichever hard drive you will keep as best evidence and store in your evidence safe).
4) Label all media appropriately with an evidence label.
5) Store the best evidence copy of the evidence media in your evidence safe.
6) An evidence custodian enters a record of the best evidence into the evidence log. For each piece of best evidence, there will be a corresponding entry in the evidence log.
7) All examinations are performed on a forensic copy of the best evidence, called a working copy.
8) An evidence custodian ensures that backup copies of the best evidence are created. The evidence custodian will create tape backups once the principal investigator for the case states that the data will no longer be needed in an expeditious manner.
9) An evidence custodian ensures that all disposition dates are met. The dates of evidence disposition are assigned by the principal investigator.
10) An evidence custodian performs a monthly audit to ensure all of the best evidence is present, properly stored, and labeled.
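The procedure above relies on an evidence tag, an evidence log kept by a custodian, and a way to show later that what is presented still matches what was collected. The Python module below is an added example, not part of the original document or of any forensic product: it records a SHA-256 digest of the acquired image on the evidence tag, keeps a chain-of-custody record per item, and performs the kind of audit a custodian would run. It also serves the Chain of Custody and Evidence Validation sections above, since the audit checks both that every hand-off was received and that the digest still matches. The image bytes, tag number, names and timestamps are constructed for illustration.

```python
"""Evidence log with chain-of-custody records and hash validation.

Added example, not part of the original document. It models the evidence
tag, evidence log, custody transfers and periodic audit from the procedure
above; the media image, names, tag number and timestamps are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for a forensic duplicate of the seized media.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample sector data " * 16


def sha256_hex(data: bytes) -> str:
    """Digest recorded on the evidence tag at collection time."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 timestamp, UTC
    person: str      # who handled the item
    action: str      # collected | transferred | received | stored | examined
    location: str    # where the item physically was at that moment


@dataclass
class EvidenceItem:
    tag: str                                   # number on the evidence label
    description: str
    acquired_hash: str                         # digest taken when collected
    custody: List[CustodyEntry] = field(default_factory=list)
    disposition_date: Optional[str] = None     # assigned by the principal investigator

    def record(self, person: str, action: str, location: str,
               when: Optional[str] = None) -> None:
        stamp = when or datetime.now(timezone.utc).isoformat()
        self.custody.append(CustodyEntry(stamp, person, action, location))

    def verify(self, current_image: bytes) -> bool:
        """Evidence validation: what is presented must equal what was collected."""
        return sha256_hex(current_image) == self.acquired_hash


def collect(tag: str, description: str, image: bytes,
            collector: str, location: str, when: str) -> EvidenceItem:
    """Fill out the evidence tag and open the chain of custody."""
    item = EvidenceItem(tag, description, sha256_hex(image))
    item.record(collector, "collected", location, when)
    return item


def audit(item: EvidenceItem, current_image: bytes) -> List[str]:
    """Custodian audit: is the best evidence intact and every hand-off accounted for?
    Returns a list of problems; an empty list means the item passes."""
    problems: List[str] = []
    if not item.verify(current_image):
        problems.append(f"{item.tag}: hash mismatch, image differs from what was collected")
    if not item.custody or item.custody[0].action != "collected":
        problems.append(f"{item.tag}: chain of custody does not begin with collection")
    in_transit = False
    for entry in item.custody:
        if entry.action == "transferred":
            if in_transit:
                problems.append(f"{item.tag}: transfer at {entry.when} never received")
            in_transit = True
        elif entry.action == "received":
            if not in_transit:
                problems.append(f"{item.tag}: receipt at {entry.when} without a transfer")
            in_transit = False
    if in_transit:
        problems.append(f"{item.tag}: last transfer never received")
    return problems


def build_sample_case() -> EvidenceItem:
    """Constructed case: collected at the bench, handed to the custodian, stored."""
    item = collect("CASE-0001-E01", "forensic duplicate of workstation disk (constructed)",
                   SAMPLE_IMAGE, "A. Examiner", "lab bench 4", "2024-01-15T09:12:00+00:00")
    item.record("A. Examiner", "transferred", "lab bench 4", "2024-01-15T11:00:00+00:00")
    item.record("B. Custodian", "received", "evidence safe 2", "2024-01-15T11:05:00+00:00")
    item.record("B. Custodian", "stored", "evidence safe 2", "2024-01-15T11:06:00+00:00")
    return item


if __name__ == "__main__":
    case_item = build_sample_case()
    print("audit of intact evidence:", audit(case_item, SAMPLE_IMAGE) or "no problems")
    print("audit of altered image:", audit(case_item, SAMPLE_IMAGE[:-1]))
```

Every "transferred" entry must be matched by a "received" entry from the next handler, which is what lets the log answer the three chain-of-evidence questions (who obtained, who secured, who possessed) for any moment between collection and trial. The digest check is what makes the years between collection and production survivable: a working copy whose digest matches the tag is the same data the examiner collected.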

Computer forensics

It is emerging as an important tool in the fight against crime. Computer forensics may be defined as the investigation of situations where there is computer-based (digital) or electronic evidence of a crime or suspicious behaviour, but the crime or behaviour may be of any type not otherwise involving computers. Therefore, computers facilitate both the commission of and investigation into the act in question.

Specialists in the area follow structured methodologies to ensure the integrity of the evidence that they collect and process. Computer (and intrusion) forensics involves data...

Preservation
Identification
Extraction
Documentation
Interpretation

Computer forensics involves the identification, documentation, and interpretation of computer media for using them as evidence and/or to rebuild the crime scenario. According to one definition, computer forensics is the process of identifying, collecting, preserving, analyzing and presenting computer-related evidence in a manner that is legally acceptable by a court. More recently, computer forensics has branched into several overlapping areas, generating various terms such as:

digital forensics,
data forensics,
system forensics,
network forensics,
email forensics,
cyber forensics,
forensics analysis,
enterprise forensics,
proactive forensics, etc.

1. Digital forensics is the investigation of what happened and how.
2. System forensics is performed on standalone machines.
3. Network forensics involves the collection and analysis of network events in order to discover the sources of security attacks. The same process applied to the Web is also known as Web forensics.
4. Data forensics focuses mainly on the analysis of volatile and non-volatile data.
5. Proactive forensics is ongoing forensics: there is an opportunity to actively and regularly collect potential evidence on an ongoing basis.
6. Email forensics deals with one or more e-mails as evidence in a forensic investigation. Enterprise forensics is named in the context of the enterprise; it is primarily concerned with incident response and recovery, with little concern about evidence.
7. Cyber forensics focuses on real-time, on-line evidence gathering.
8. Forensics analysis deals with identification, extraction and reporting on data obtained from a computer system.

It is not just law enforcement that is developing the computer forensics field. Increasingly, commercial and non-commercial organizations are requiring experts in the field to investigate incidents. Thus, there are many applications of computer forensics tools and techniques other than for criminal prosecution, such as:

Determine root cause of an event to ensure no repeat
Identify responsibility for an action
Internal investigation within the organization
Intelligence operations
Audit
Recovering lost data

'Computer forensics' is the use of specialised techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to:

reconstruction of computer usage;
examination of residual data;
authentication of data by technical analysis;
explanation of technical features of data and computer usage.

In simple words, it is the process of unearthing data of probative value from information systems.

Cyber Crimes

With the increased use of the Internet in homes and offices, there has been a proliferation of cyber-related crimes, and investigating these crimes is a tedious task. Cybercrime is typically described as any criminal act dealing with computers or computer networks. Cybercrimes can be classified into three groups:

Crimes directed against the computer,
Crimes where the computer contains evidence, and
Crimes where the computer is used to commit the crime.

Other names for cybercrime are

e-crime,
computer crime or
Internet crime.

Cybercrimes spread across the world under various names, such as

worms,
logic bombs,
botnets,
data diddling,
mail bombing,
phishing,
root kits,
salami theft,
spoofing,
zombie,
time bomb,
Trojan horse etc.

Using the Internet, a person sitting in a Net cafe in a remote location can attack a computer resource in the USA using a computer situated in Britain as a launch pad for the attack. The challenges behind these situations are both technological and jurisdictional.

Confidentiality, integrity and availability are the cardinal pillars of cyber security and they should not be compromised in any manner.

Attackers have also begun using anti-forensic techniques to hide evidence of a cybercrime. They may hide folders, rename files, delete logs, or change, edit or modify file data.

To combat these kinds of crimes, the Indian Government established a Cyber Forensics Laboratory in November 2003.

Overview of Cyber Forensics

Cyber forensics is becoming a source of investigation because human expert witnesses are important: courts will not recognize software tools such as Encase, Pasco or Ethereal as an expert witness. Cyber forensics is useful for many professionals in the military, the private sector and industry, academia, and law. These areas have many needs, including data protection, data acquisition, imaging, extraction, interrogation, normalization, analysis, and reporting. It is important for all professionals working in the emerging field of cyber forensics to have a working and functioning lexicon of terms like bookmarks, cookies, webhit etc., that are uniformly applied throughout the profession and industry. Cyber forensics international guidelines, related key terms and tools are the focus of the cyber forensics field manual.

The objective of cyber forensics is to identify digital evidence for an investigation, using the scientific method to draw conclusions.

Examples of investigations that use cyber forensics include

unlawful use of computers,
child pornography, and
cyber terrorism.

The area of cyber forensics has become a prominent field of research because:

1. Forensics systems allow the administrator to diagnose errors
2. Intrusion detection systems are necessary in avoiding cyber crimes
3. Change detection is possible with proactive forensics

Cyber forensics can be used for two benefits:

a) To investigate allegations of digital malfeasance
b) To perform cause analysis

PHASES OF CYBER FORENSICS

Cyber forensics has four distinct phases: incident identification, acquisition of evidence, analysis of evidence, and reporting with storage of evidence.

[Figure: the four phases of cyber forensics: Incident Identification, Acquisition of Evidence, Analysis of Evidence, Reporting with Storage of Evidence]

1) Identification Phase

The identification phase is the process of identifying evidence material and its probable location. Unlike a traditional crime scene, this phase processes the incident scene and documents every step of the way. Evidence should be handled properly. The basic requirement in evidence collection is that evidence must be presented without alteration. This requirement applies to all phases of forensics analysis. At the time of evidence collection, there is a need for a thorough check of system logs, time stamps and security monitors. Once evidence is collected, it is necessary to account for its whereabouts. Investigators need detailed forensics to establish a chain of custody, the documentation of the possession of evidence. Chain of custody is a vital part of computer forensics and the legal system, and its goal is to protect the integrity of evidence, so evidence should be physically secured in a safe place along with a detailed log. Handling of specific types of incidents like Denial of Service, Malicious Code, Unauthorized Access etc. is described in the computer security incident handling guide.

2) Acquisition Phase

The acquisition phase saves the state of the evidence so that it can be further analyzed. The goal of this phase is to save all digital values. Here, a copy of the hard disk is created, which is commonly called an image.

According to the law enforcement community, there are three types of commonly accepted forensics acquisition:

a) mirror image,
b) forensics duplication and
c) live acquisition.

Mirror images, bit-for-bit copies, involve backups of the entire hard disk. Creation of a mirror image is simple in theory, but its accuracy must meet evidence standards. The purpose of having a mirror image is to have evidence available in case the original system needs to be restarted for further analysis.

A forensic duplicate, sector by sector, is an advanced method that makes a copy of every bit without leaving out any single bit of evidence. The result may be a single large file and must be an exact representation of the original drive at the bit-stream level. This method is the most common type of acquisition because it creates a forensic image of the e-evidence and it also contains file slack. In case a small file overwrites a larger file, the surplus bytes are still available in the file slack. The forensic duplication process can be done with the help of tools like the Forensic Tool Kit (FTK) Imager, the UNIX dd command, or Encase. AccessData’s FTK is one of the powerful tools available, and one of its promising features is the ability to identify steganography, the practice of camouflaging data in plain sight. It is often desirable to capture volatile information, which is stored in RAM; it cannot be collected after the system has been powered down. This information may not be recorded in a file system or image backup, and it may hold clues related to the attacker. All currently running processes, open sockets, currently logged-in users, recent connections etc. are available in volatile information. Generally, an intruder takes steps to avoid detection. Trojans, key loggers, worms etc. are installed in subtle places. One of the things to be considered in the acquisition process is rootkits, automated packages that create backdoors. Intruders/hackers use rootkits to remove log files and other information to hide the presence of the intruder. Mobile phones have become tools for cybercrimes; the mobile phone evidence acquisition testing process is discussed in
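The difference between copying the file the file system reports and duplicating every sector, and why file slack survives when a small file overwrites a larger one, is easiest to see on a toy volume. The Python script below is an added example, not from the original document and not from FTK, dd or Encase: it constructs a small cluster-allocated volume (the 512-byte sector, 2048-byte cluster and the directory entry are assumptions made for the illustration), compares a logical copy with a sector-by-sector duplicate, and locates the remnant of the earlier file that only the duplicate preserves.

```python
"""Logical copy versus bit-stream duplicate, and what file slack retains.

Added example, not from the original document. The volume, cluster size
and directory entry below are constructed; they model a simple
cluster-allocated file system rather than any real one.
"""
import hashlib
from typing import List

SECTOR = 512
CLUSTER = 4 * SECTOR          # 2048-byte allocation unit (assumed)

# Constructed directory entry for the live file an examiner would see listed.
SAMPLE_ENTRY = {"name": "note.txt", "first_cluster": 0, "size": 700}


def make_sample_volume() -> bytes:
    """Constructed history: a 3000-byte file once occupied clusters 0-1 and was
    deleted; a 700-byte file was then written into cluster 0, so only the
    first 700 bytes of the old content were overwritten."""
    vol = bytearray(8 * CLUSTER)
    old = (b"OLD RECORD: transfer 4200 to account 7781 ... " * 80)[:3000]
    vol[0:3000] = old
    new = (b"new note: quarterly report draft " * 30)[:700]
    vol[0:700] = new
    return bytes(vol)


def logical_copy(volume: bytes, entry: dict) -> bytes:
    """What an ordinary file copy yields: exactly the bytes the file system
    says belong to the file, nothing past its logical size."""
    start = entry["first_cluster"] * CLUSTER
    return volume[start:start + entry["size"]]


def bitstream_duplicate(volume: bytes) -> bytes:
    """Sector-by-sector duplicate, the acquisition method described above:
    every sector is read in order, so slack and unallocated space come along."""
    out = bytearray()
    for off in range(0, len(volume), SECTOR):
        out += volume[off:off + SECTOR]
    return bytes(out)


def file_slack(volume: bytes, entry: dict) -> bytes:
    """Bytes between the file's logical end and the end of its last cluster."""
    start = entry["first_cluster"] * CLUSTER
    clusters_used = -(-entry["size"] // CLUSTER)       # ceiling division
    return volume[start + entry["size"]:start + clusters_used * CLUSTER]


def carve(data: bytes, marker: bytes) -> List[int]:
    """Offsets of every occurrence of a known byte pattern in an image."""
    hits, pos = [], data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits


def sha256_hex(data: bytes) -> str:
    """Digest used to show the duplicate is identical to the source volume."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    vol = make_sample_volume()
    dup = bitstream_duplicate(vol)
    print("duplicate identical to source:", sha256_hex(dup) == sha256_hex(vol))
    print("logical copy bytes:", len(logical_copy(vol, SAMPLE_ENTRY)))
    print("slack bytes:", len(file_slack(vol, SAMPLE_ENTRY)))
    print("old record remnants at offsets:", carve(dup, b"account 7781")[:3])
```

The logical copy is 700 bytes and contains nothing of the earlier file; the slack region (bytes 700 to 2047 of the cluster) still holds the old record, and cluster 1, now unallocated, holds the rest of it. Only the sector-by-sector duplicate, whose digest equals the source volume's, carries both, which is the point of acquiring a forensic duplicate rather than a file-level backup.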

3) Analysis Phase

Forensic analysis is the process of understanding, recreating, and analyzing arbitrary events that have been gathered from digital sources. The analysis phase collects the acquired data and examines it to find the pieces of evidence. This phase also identifies whether or not the system was tampered with to avoid identification. The analysis phase examines all the evidence collected during the collection and acquisition phases. Three types of examination can be applied for the forensics analysis:

limited,
partial or
full examination.

Limited examination covers the data areas that are specified by legal documents or based on interviews. This examination process is the least time consuming and the most common type.

Partial examination deals with prominent areas. Key areas like log files, the registry, cookies, e-mail folders and user directories etc. are examined in a partial examination. This partial examination is based on general search criteria which are developed by forensic experts. The most time-consuming and least frequent examination process is the full examination. This requires the examiner to look at each and every possible bit of data to find the root causes of the incident. File slack inspection is done in this examination. Some of the tools used in the analysis phase are the Coroner's Toolkit, Encase and FTK. The Coroner's Toolkit runs under UNIX and EnCase is a toolkit that runs under Windows. EnCase has the ability to process larger amounts of data and allows the user to use predefined scripts to pull information from the data being processed. FTK contains a variety of separate tools (text indexing, NAT recovery, data extraction, file filtering and email recovery etc.) to assist in the examination.

4) Reporting Phase

The reporting phase comprises documentation and evidence retention. The scientific method used in this phase is to draw conclusions based on the gathered evidence. This phase is mainly based on the cyber laws and presents the conclusions for the corresponding evidence from the investigation. There is a need for a good policy on how long evidence from an incident should be retained. Factors to be considered in this process are prosecution, data retention and cost. To meet the retention requirements there is a need to maintain a log archive. The archived logs must be protected to maintain the confidentiality and integrity of the logs.

CYBER FORENSICS TOOLS

The main objective of cyber forensics tools is to extract digital evidence which can be admissible in a court of law. Electronic evidence (e-evidence, for short) is playing a vital role in cybercrimes. Computer forensics tools are used to find skeletons in digital media. To reduce the effect of anti-forensics tools, the investigator is likely to need the tools and knowledge required to counter the use of anti-forensics techniques. Sometimes the collection of digital evidence is straightforward because intruders post information about themselves on Facebook, Orkut, Twitter or MySpace and chat about their illegal activities. A subpoena, rather than special forensics tools, is required to obtain this information; these e-mails or chats from social networks can be admissible as evidence. A snapshot of the state of the art of forensic software tools for mobiles is given in [18]. The process model for cellular phone tool testing is shown in [14]. Various cyber forensics tools and their descriptions are provided in [7]; some of them are:

1) The Coroner’s Toolkit (TCT) is an open source set of forensic tools designed to conduct investigations on UNIX systems.
2) Encase is the industry standard software used by law enforcement.
3) The Forensic Toolkit (FTK) is a very powerful tool but not simple to use.
4) I2Analyst is a different type of analysis tool; it is visual investigative analysis software.
5) LogLogic’s LX 2000 is a powerful and distributed log analysis tool.
6) NetWitness and security intelligence are network traffic security analyzer tools.
7) ProDiscover Incident Response (IR) is a complete IT forensic tool that can access computers over the network to study the network behavior.
8) The Sleuth Kit is one of the network forensics tools used to find file instances in an NTFS file.

Computer forensics vs. computer security

Computer security and computer forensics are distinct but related disciplines, due to the degree of overlap in the raw material used by both fields. In general, computer security aims to preserve a system as it is meant to be (as per the security policies), whereas computer forensics (and especially network or intrusion forensics) sets out to explain how a policy came to be violated. Therefore, the main difference can be seen as one of system integrity versus culpability for an event or set of events.

Whereas the two fields may use similar data sources, they have different and sometimes opposing aims. For example, security countermeasures such as encryption or data wiping tools may work against the computer forensic investigation. The security measures will complicate the investigation, as the data must be decrypted prior to analysis. In addition, security functions tend to implement only minimal logging by design. Therefore, not all the information required will be available to the forensic analyst.

Computer security is an established field of computer science, whilst computer forensics is an emergent area. Increasingly, computer security will involve forensic investigation techniques, and vice versa. Therefore, both fields have much to learn from each other.

Computer forensics process

Computer forensics investigations take a lot of time to conduct. This is not surprising given the increasing size of the storage media encountered. For example, hard drives of several hundred gigabytes are not uncommon. In addition, the number of devices and the amount of data storage that must be searched and analysed is also increasing. This must be conducted in a robust manner that can be demonstrated in court or to management at a later date.

Below is my Organizational Model of Computer Forensics, which aims to simplify the investigation process irrespective of the computer forensics tools and techniques used.


Prior to an investigation, the analyst must make some preparations. For example, what is the purpose of the investigation? This will ultimately determine the tools and techniques used throughout the resulting investigation.

Next, evidence must be collected. This must be conducted robustly and maintain the integrity of the evidence. Once the evidence is collected, a copy of the material is made and all analysis is performed on the copy. This ensures that the original evidence is not altered in any way.

The analysis of the evidence is conducted with forensics tools. For example, analysing the hard drive of a computer requires the recreation of the logical structure of the underlying operating system. Once this is done, the analyst may have to triage and view both extant and deleted files to build a picture of the suspect's activities.


The analyst will then report any suspicious or malicious files and supply supporting evidence, for example the time and date the file was created, accessed or modified, and which user was responsible.

Finally, the analyst must present the evidence. In law enforcement, this is to a court of law. Increasingly, with the growth of the field in internal corporate investigations, this will be to management.
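The collect, copy, analyse and report steps described above, as an added worked example that is not code from the original document or from any of the tools it names. It treats a directory as the seized evidence rather than a disk image (an assumption made so it runs offline); the SHA-256 baseline taken at collection, the rule that analysis only ever touches the working copy, and the modified/accessed/changed timeline are the same operations a forensic suite performs on an image. The evidence files, their contents and the backdated timestamp are constructed for the demonstration.

```python
"""
Added example (not code from the original document): the collect, copy,
analyse and report steps as a small script. It treats a directory as the
seized evidence instead of a disk image; the hashing and MAC-time logic is
the same that a forensic suite applies to an image.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def iter_files(root: str):
    """Yield (relative path, absolute path) for every file under root, in a stable order."""
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def hash_tree(root: str) -> dict:
    """Map each file under root to its SHA-256 digest; this is the integrity baseline."""
    return {rel: sha256_file(full) for rel, full in iter_files(root)}


def acquire(original: str, working_copy: str) -> dict:
    """Collection step: copy the evidence and prove the copy matches the original.

    Returns the original's digests so they can be re-checked after analysis.
    """
    # copytree defaults to copy2, which preserves modification times on the copy.
    shutil.copytree(original, working_copy)
    baseline, copied = hash_tree(original), hash_tree(working_copy)
    if baseline != copied:
        raise RuntimeError("working copy does not match the original evidence")
    return baseline


def mac_timeline(root: str) -> list:
    """Analysis step: one row per file with modified/accessed/changed times and owner, oldest first."""
    rows = []
    for rel, full in iter_files(root):
        st = os.stat(full)
        rows.append({
            "file": rel,
            "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
            "accessed": datetime.fromtimestamp(st.st_atime, tz=timezone.utc),
            "changed": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
            "owner_uid": st.st_uid,
        })
    return sorted(rows, key=lambda r: r["modified"])


def verify_unaltered(original: str, baseline: dict) -> bool:
    """Reporting step: show the original still hashes exactly as it did at collection."""
    return hash_tree(original) == baseline


def run_demo() -> dict:
    """Build a constructed evidence directory, then run the whole procedure against it."""
    scratch = tempfile.mkdtemp(prefix="evidence_")
    original = os.path.join(scratch, "original")
    os.makedirs(os.path.join(original, "docs"))
    with open(os.path.join(original, "docs", "memo.txt"), "w") as fh:
        fh.write("constructed sample memo\n")
    with open(os.path.join(original, "notes.txt"), "w") as fh:
        fh.write("constructed sample notes\n")
    # Backdate memo.txt (constructed value) so the timeline order is deterministic.
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(original, "docs", "memo.txt"), (old, old))

    working_copy = os.path.join(scratch, "working_copy")
    baseline = acquire(original, working_copy)
    timeline = mac_timeline(working_copy)  # all analysis happens on the copy, never the original
    report = {
        "files_collected": len(baseline),
        "earliest_modified": timeline[0]["file"],
        "original_unaltered": verify_unaltered(original, baseline),
    }
    shutil.rmtree(scratch)
    return report


if __name__ == "__main__":
    print(run_demo())
```

The final `verify_unaltered` call is the part that later has to be shown to a court or to management: the digests recorded at collection must still match the original after every analysis step, which is only possible because nothing in the analysis path opens the original for writing.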

Computer forensics tools

The tools and techniques used in computer forensics are as wide and varied as the crimes that are investigated. Each investigation will ultimately determine the tools that are used. Below is just a brief outline of the tools used in the search for relevant evidentiary data on a computer. For further information on tools and techniques, it is recommended that you consult a book on the subject of computer forensics.

A number of computer forensic tools and approaches are used for the detection of suspicious data on the hard drive. These can generally be divided into file analysis and format specific approaches.

Commonly used computer forensic tools, such as the Forensic Toolkit (screenshot below) and EnCase, provide examples of file analysis approaches. These tools are used for storage media analysis of a variety of files and data types in fully integrated environments. For example, the Forensic Toolkit can perform tasks such as file extraction, making a forensic image of data on storage media, recovering deleted files, determining data types and text extraction. EnCase is widely used within law enforcement and, like FTK, provides a powerful interface to the hard drive or data source under inspection, for example by providing a file manager that shows extant and deleted files.
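Two of the format specific operations named above, determining a file's data type and extracting text, as an added example; this is not code from the original document or from FTK or EnCase. Type determination reads the leading bytes (the publicly documented magic numbers for PNG, JPEG, GIF, PDF, ZIP, ELF and PE files) rather than trusting the filename, and flags files whose extension disagrees with their content; text extraction pulls printable runs out of raw bytes in the manner of the Unix strings tool. The sample files and their bytes are constructed.

```python
"""
Added example (not code from the original document or from FTK/EnCase):
data type determination by file signature and printable text extraction,
run over constructed sample bytes.
"""
import re

# Leading byte sequences for a handful of common formats (well-known public magic numbers).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/pptx/jar, which are ZIP containers
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),            # DOS/Windows executables and DLLs
]

# Which detected type each filename extension is expected to carry.
EXPECTED_BY_EXT = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "exe": "pe", "dll": "pe",
}


def identify(data: bytes) -> str:
    """Return the format whose signature matches the first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_file(name: str, data: bytes) -> dict:
    """Compare the content-derived type with what the extension claims."""
    detected = identify(data)
    expected = EXPECTED_BY_EXT.get(extension_of(name))
    return {
        "file": name,
        "detected": detected,
        "claimed": expected or "unknown",
        # A mismatch deserves an analyst's attention: renaming is a cheap way to hide content.
        "mismatch": expected is not None and expected != detected,
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull runs of printable ASCII of at least min_len bytes out of arbitrary data."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Constructed sample files: realistic headers with filler bodies.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"JFIF",
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Title (Quarterly figures) >>\nendobj\n",
    "invoice.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # PNG content under a .pdf name
    "setup.dat": b"MZ\x90\x00\x03\x00" + b"\x00" * 8,      # executable with a neutral extension
}


def triage(samples: dict = SAMPLES) -> list:
    """Run the type check over every sample; flagged rows are the ones to open first."""
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in triage():
        flag = "  <-- extension mismatch" if row["mismatch"] else ""
        print(f"{row['file']:12} detected={row['detected']:8} claimed={row['claimed']:8}{flag}")
    print(extract_strings(SAMPLES["report.pdf"]))
```

Note that `setup.dat` is not flagged as a mismatch because its extension makes no claim; it is still reported as a PE executable, which is the detail an analyst would act on. Real suites carry thousands of signatures and also check trailers and internal structure, but the decision rule is the same.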

Network forensics


Network forensics involves the recovery and analysis of information from computer networks suspected of having been compromised or accessed in an unauthorised manner, and is closely related to the computer security field of intrusion detection. Its purpose is to allow investigators to reason about the circumstances or causes of the activity under investigation and to (possibly) provide evidence for any resulting legal case.

Network forensics encompasses:

Detecting, responding to and assigning responsibility for attacks against our systems
The use of security devices and their audit information for evidentiary data
Using networks for passive information gathering during the investigation

In general, network forensics investigations will use event log analysis and timelining to determine the following:

Who: is responsible for the activity
What: has the attacker done, e.g. files accessed, backdoor placed on the system, etc.
When: each event occurred
Where: identify the location or host that the attack took place from, e.g. their IP address
Why: why did the person hack you, what were their motives
How: which tools were used or vulnerabilities exploited

With many illegal activities involving network technologies, these types of investigation are growing in number and form an important element of computer forensics.
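The event log analysis and timelining just described, as an added example that is not part of the original document. It parses two common log formats (OpenSSH authentication messages and Apache combined access log lines), merges them into one time-ordered timeline, and collapses that timeline per source address into the who, what, when, where and how view; a small detector then picks out the pattern of several failed logins followed by a success, which is the kind of finding that answers "how". The log lines are constructed for the demonstration, and because syslog lines carry no year the example assumes one.

```python
"""
Added example (not part of the original document): event log analysis and
timelining over constructed log lines, producing the who/what/when/where/how
summary. Formats: OpenSSH auth log and Apache combined access log.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample: a password-guessing run against sshd that ends in a
# successful login, followed by web requests from the same address.
SAMPLE_LOGS = """\
Mar  3 02:14:07 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51012 ssh2
Mar  3 02:14:09 host1 sshd[2101]: Failed password for root from 203.0.113.9 port 51014 ssh2
Mar  3 02:14:12 host1 sshd[2101]: Failed password for root from 203.0.113.9 port 51016 ssh2
Mar  3 02:14:15 host1 sshd[2101]: Accepted password for root from 203.0.113.9 port 51018 ssh2
203.0.113.9 - - [03/Mar/2024:02:16:40 +0000] "GET /admin/ HTTP/1.1" 200 2113 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:02:16:58 +0000] "POST /admin/upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [03/Mar/2024:02:17:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Normalise one log line of either format into a who/what/when/where/how event, or None."""
    m = AUTH_RE.match(line)
    if m:
        when = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"when": when, "where": m["ip"], "who": m["user"],
                "what": f"ssh login {m['result'].lower()}", "how": "sshd password auth"}
    m = ACCESS_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        who = m["user"] if m["user"] != "-" else "unknown"
        return {"when": when, "where": m["ip"], "who": who,
                "what": f"{m['method']} {m['path']} -> {m['status']}", "how": m["agent"]}
    return None


def build_timeline(text: str) -> list:
    """Parse every line and order the events by time, regardless of which log they came from."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["when"])


def summarise(timeline: list) -> dict:
    """Collapse the timeline per source address into the who/what/when/where/how view."""
    per_ip = defaultdict(lambda: {"who": set(), "what": [], "how": set(), "first": None, "last": None})
    for e in timeline:
        s = per_ip[e["where"]]
        s["who"].add(e["who"])
        s["what"].append(e["what"])
        s["how"].add(e["how"])
        s["first"] = s["first"] or e["when"]  # timeline is sorted, so the first hit is earliest
        s["last"] = e["when"]
    return dict(per_ip)


def flag_bruteforce(timeline: list, threshold: int = 3) -> list:
    """Addresses with at least `threshold` failed ssh logins followed by a success."""
    flagged, failures = [], defaultdict(int)
    for e in timeline:
        if e["what"] == "ssh login failed":
            failures[e["where"]] += 1
        elif e["what"] == "ssh login accepted" and failures[e["where"]] >= threshold:
            flagged.append((e["where"], e["who"], e["when"]))
    return flagged


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    for e in tl:
        print(f"{e['when']:%Y-%m-%d %H:%M:%S}  {e['where']:14} {e['who']:8} {e['what']:32} {e['how']}")
    for ip, s in summarise(tl).items():
        print(f"\n{ip}: who={sorted(s['who'])} how={sorted(s['how'])} active {s['first']} .. {s['last']}")
    print("\npassword guessing followed by success:", flag_bruteforce(tl))
```

The value of merging the two sources is that the "what" for 203.0.113.9 reads as one story (guessed password, logged in as root, then uploaded something through the web application two minutes later using a scripted client) rather than two unrelated log files; the "why" is the one column no parser fills in.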

Global Forensic Audit & Investigation

www.globalforensic.in