Global Forensic audit & Investigation
Page | 1
Computer forensics
Our reliance on computer and network technologies has led to a number of concerns. For
example, the use of computers has inspired new types of misconduct, such as hacking or
denial-of-service attacks against computer systems. At the same time, ordinary, inexpert people
find new opportunities for older crimes such as credit card fraud, embezzlement or
blackmail.
Need for Computer Forensics
Computer forensics exists because of the wide variety of computer crimes that take place.
With today's technology it is common for organizations to retain the services of computer
forensics experts. Computer crimes occur on a small scale as well as a large scale, and the
loss they cause depends on the sensitivity of the data or information targeted.
Computer forensics has become vital in the corporate world. Data can be stolen from an
organization, which may then sustain heavy losses; forensic techniques are used because
they help identify and track the perpetrator.
The need is greater than ever because of the advance of the internet and our dependence
on it. People who gain access to computer systems without proper authorization must be
dealt with, and network security is a central concern of the computing world. Computer
forensics is a threat to wrongdoers and to those with malicious intent.
Computer forensics is also effective where data is stored on a single system, for example
as a backup. Theft or deliberate damage of data on such a system can be detected and its
impact reduced. Hardware and software controls track changes and updates to the data,
and the user activity recorded in their log files can be produced as evidence, in a lawful
manner, if a crime occurs.
The main purpose of computer forensics is to produce evidence in court that can lead to
the punishment of the actual offender. Forensic science is the application of scientific
knowledge to the collection, analysis and, most importantly, the presentation of evidence
in a court of law; the word forensic itself means "belonging to the court".
Computer forensics also serves to protect the integrity of computer systems: a few small
measures taken in advance can avoid much of the cost of operating and maintaining
security after the fact. The subject provides in-depth knowledge of both the legal and the
technical aspects of computer crime, and is very useful from a technical standpoint.
The importance of computer forensics is evident in cases of child pornography and email
spam. It has also been used to track down terrorists in various parts of the world:
terrorists who use the internet as a medium of communication can be traced and their
plans uncovered.
Many tools can be used together with computer forensics to establish the geographical
location and hideouts of criminals. The IP address is an important starting point for
locating a suspect, although IP geolocation is only approximate and is defeated by proxies,
VPNs and spoofed addresses, so it should be corroborated with other evidence. Security
personnel deploy such measures using computer forensics; intrusion detection systems
(IDS) are used for this purpose.
The application of computer technology to the investigation of computer based crime has
given rise to a new field of specialization—forensic computing—which is the process of
identifying, preserving, analyzing and presenting digital evidence in a manner that is legally
acceptable. It encompasses four key elements.
1. The identification of digital evidence is the first step in the forensic process.
Knowing what evidence is present, where it is stored and how it is stored is vital to
determining which processes are to be employed to facilitate its recovery. Whilst
many people think of personal computers as the sole focus of forensic computing, in
reality it can extend to any electronic device that is capable of storing information,
such as mobile/cellular telephones, electronic organizers (digital diaries) and smart
cards. In addition, the computer forensic examiner must be able to identify the type
of information stored in a device and the format in which it is stored so that the
appropriate technology can be used to extract it.
2. The preservation of digital evidence is a critical element in the forensic process.
Given the likelihood of judicial scrutiny in a court of law, it is imperative that any
examination of the electronically stored data be carried out in the least intrusive
manner. There are circumstances where changes to data are unavoidable, but it is
important that the least amount of change occurs. In situations where change is
inevitable it is essential that the nature of, and reason for, the change can be
explained. Alteration to data that is of evidentiary value must be accounted for and
justified. This applies not only to changes made to the data itself, but also includes
physical changes that are made to the particular electronic device to facilitate access
to the data.
3. The analysis of digital evidence—the extraction, processing and interpretation of
digital data—is generally regarded as the main element of forensic computing. Once
extracted, digital evidence usually requires processing before it can be read by
people. For example, when the contents of a hard disk drive are imaged, the data
contained within the image still requires processing so that it is extracted in a
humanly meaningful manner. The processing of the extracted product may occur as
a separate step, or it may be integrated with extraction.
4. The presentation of digital evidence involves the actual presentation in a court of
law. This includes the manner of presentation, the expertise and qualifications of the
presenter and the credibility of the processes employed to produce the evidence
being tendered.
WHAT IS A COMPUTER SECURITY INCIDENT?
We define a computer security incident as any unlawful, unauthorized, or unacceptable
action that involves a computer system or a computer network. Such an action can include
any of the following events:
Theft of trade secrets
Email spam or harassment
Unauthorized or unlawful intrusions into computing systems
Embezzlement
Possession or dissemination of child pornography
Denial-of-service (DoS) attacks
Tortious interference of business relations
Extortion
Any unlawful action whose evidence may be stored on computer media, such as fraud,
threats, and other traditional crimes.
Notice that many of these events include violations of public law, and they may be
actionable in criminal or civil proceedings. Several of these events have a grave impact on
an organization’s reputation and its business operations. Responding to computer security
incidents can involve intense pressure, time, and resource constraints. A severe incident
affecting critical resources can seem overwhelming. Furthermore, no two incidents are
identical, and very few will be handled in exactly the same manner. However, breaking
down the procedure into logical steps makes incident response manageable.
WHAT ARE THE GOALS OF INCIDENT RESPONSE?
In our incident response methodology, we emphasize the goals of corporate security
professionals with legitimate business concerns, but we also take into consideration the
concerns of law enforcement officials. Thus, we developed a methodology that promotes a
coordinated, cohesive response and achieves the following:
Prevents a disjointed, noncohesive response (which could be disastrous)
Confirms or dispels whether an incident occurred
Promotes accumulation of accurate information
Establishes controls for proper retrieval and handling of evidence
Protects privacy rights established by law and policy
Minimizes disruption to business and network operations
Allows for criminal or civil action against perpetrators
Provides accurate reports and useful recommendations
Provides rapid detection and containment
Minimizes exposure and compromise of proprietary data
Protects your organization’s reputation and assets
Educates senior management
Promotes rapid detection and/or prevention of such incidents in the future (via
lessons learned, policy changes, and so on)
INCIDENT RESPONSE METHODOLOGY
Computer security incidents are often complex, multifaceted problems. Just as with any
complex engineering problem, we use a “black box” approach. We divide the larger
problem of incident resolution into components and examine the inputs and outputs of
each component. In our methodology, there are seven major components of incident response:
1. Pre-incident preparation Take actions to prepare the organization and the CSIRT
before an incident occurs.
2. Detection of incidents Identify a potential computer security incident.
3. Initial response Perform an initial investigation, recording the basic details
surrounding the incident, assembling the incident response team, and notifying the
individuals who need to know about the incident.
4. Formulate response strategy Based on the results of all the known facts, determine
the best response and obtain management approval. Determine what civil, criminal,
administrative, or other actions are appropriate to take, based on the conclusions
drawn from the investigation.
5. Investigate the incident Perform a thorough collection of data. Review the data
collected to determine what happened, when it happened, who did it, and how it can
be prevented in the future.
6. Reporting Accurately report information about the investigation in a manner useful
to decision makers.
7. Resolution Employ security measures and procedural changes, record lessons
learned, and develop long-term fixes for any problems identified.
These are described in detail as follows:
1. Pre-Incident Preparation
Preparation leads to successful incident response. During this phase, your
organization needs to prepare both the organization itself as a whole and the CSIRT
members, prior to responding to a computer security incident. We recognize that
computer security incidents are beyond our control; as investigators, we have no
idea when the next incident will occur. Furthermore, as investigators, we often have
no control or access to the affected computers before an incident occurs. However,
lack of control does not mean we should not attempt to posture an organization to
promote a rapid and successful response to any incidents. Incident response is
reactive in nature. The pre-incident preparation phase comprises the only proactive
measures the CSIRT can initiate to ensure that an organization’s assets and
information are protected. Ideally, preparation will involve not just obtaining the
tools and developing techniques to respond to incidents, but also taking actions on
the systems and networks that will be part of any incident you need to investigate.
Preparing the Organization Preparing the organization involves developing all of
the corporate-wide strategies you need to employ to better posture your
organization for incident response. This includes the following:
Implementing host-based security measures
Implementing network-based security measures
Training end users
Employing an intrusion detection system (IDS)
Creating strong access control
Performing timely vulnerability assessments
Ensuring backups are performed on a regular basis
Preparing the CSIRT
The CSIRT is defined during the pre-incident preparation phase. Your organization
will assemble a team of experts to handle any incidents that occur. Preparing the
CSIRT includes considering at least the following:
The hardware needed to investigate computer security incidents
The software needed to investigate computer security incidents
The documentation (forms and reports) needed to investigate computer
security incidents
The appropriate policies and operating procedures to implement your
response strategies
The training your staff or employees require to perform incident response in
a manner that promotes successful forensics, investigations, and
remediation.
2. Detection of Incidents
If an organization cannot detect incidents effectively, it cannot succeed in
responding to incidents. Therefore, the detection of incidents phase is one of the
most important aspects of incident response. It is also one of the most decentralized
phases, in which those with incident response expertise have the least control.
Suspected incidents may be detected in countless ways. Computer security incidents
are normally identified when someone suspects that an unauthorized, unacceptable,
or unlawful event has occurred involving an organization’s computer networks or
data-processing equipment. Initially, the incident may be reported by an end user,
detected by a system administrator, identified by IDS alerts, or discovered by many
other means.
No matter how you detect an incident, it is paramount to record all of the known
details.
3. Initial Response
The initial response phase involves assembling the CSIRT, collecting network-based
and other data, determining the type of incident that has occurred, and assessing the
impact of the incident. The individuals involved with detecting an incident actually
begin the initial response phase. The details surrounding the incident are
documented by whoever detected the incident or by an individual who was notified
that the incident may have occurred (for example, help desk or security personnel).
The control of the response should be forwarded to the CSIRT early in the process to
take advantage of the team’s expertise; the more steps in the initial response phase
performed by the CSIRT, the better. Typically, the initial response will not involve
touching the affected system(s). The data collected during this phase involves
reviewing network-based and other evidence. This phase involves the following
tasks:
Interviewing system administrators who might have insight into the
technical details of an incident
Interviewing business unit personnel who might have insight into business
events that may provide a context for the incident
Reviewing intrusion detection reports and network-based logs to identify
data that would support that an incident has occurred
Reviewing the network topology and access control lists to determine if any
avenues of attack can be ruled out
At the conclusion of the initial response stage, you will know whether or not an
incident has occurred and have a good idea of the systems affected, the type of
incident, and the potential business impact. Armed with this information, you are
now ready to make a decision on how to handle the incident.
4. Formulate a Response Strategy
The goal of the response strategy formulation phase is to determine the most
appropriate response strategy, given the circumstances of the incident. The strategy
should take into consideration the political, technical, legal, and business factors
that surround the incident. The final solution depends on the objectives of the group
or individual with responsibility for selecting the strategy.
Response strategies will vary based on the circumstances of the computer security
incident. The following factors need to be considered when deciding how many
resources are needed to investigate an incident, whether to create a forensic
duplication of relevant systems, whether to make a criminal referral, whether to
pursue civil litigation, and other aspects of your response strategy:
How critical are the affected systems?
How sensitive is the compromised or stolen information?
Who are the potential perpetrators?
Is the incident known to the public?
What is the level of unauthorized access attained by the attacker?
What is the apparent skill of the attacker?
How much system and user downtime is involved?
What is the overall loss?
Incidents vary widely, from virus outbreaks to theft of customers’ credit card
information. A typical virus outbreak generally results in some downtime and lost
productivity, while the theft of customers’ credit card information could put a
fledgling dot-com operation out of business. Accordingly, the response strategy for
each event will differ.
Considering Appropriate Responses
The response strategy must take into consideration your organization’s business
objectives. For this reason, and because of the potential impact to your organization,
the response strategy should be approved by upper-level management.
5. Investigate the Incident
The investigation phase involves determining the who, what, when, where, how, and
why surrounding an incident. No matter how you conduct your investigation, you
are responding to an incident caused by people. People cause these incidents by
using things to destroy, steal, access, hide, attack, and hurt other things. As with any
type of investigation, the key is to determine which things were harmed by which
people. However, a computer crime incident adds complexity to this simple
equation. Establishing the identity behind the people on a network is increasingly
difficult. Users are becoming more adept at using encryption, steganography,
anonymous email accounts, fakemail, spoofed source IP addresses, spoofed MAC
addresses, masquerading as other individuals, and other means to mask their true
identity in “cyberspace.”
A computer security investigation can be divided into two phases: data collection
and forensic analysis. During the data collection phase, you gather all the relevant
information needed to resolve the incident in a manner that meets your response
strategy. In the forensic analysis phase, you examine all the data collected to
determine the who, what, when, where, and how information relevant to the
incident.
Data Collection
Data collection is the accumulation of facts and clues that should be considered
during your forensic analysis. The data you collect forms the basis of your
conclusions. If you do not collect all the necessary data, you may not be able to
successfully comprehend how an incident occurred or appropriately resolve an
incident. You must collect data before you can perform any investigation.
Data collection involves several unique forensic challenges:
You must collect electronic data in a forensically sound manner.
You are often collecting more data than you can read in your lifetime
(computer storage capacity continues to grow).
You must handle the data you collect in a manner that protects its integrity
(evidence handling).
The information you obtain during the data collection phase can be divided into
three fundamental areas: host-based information, network-based information, and
other information.
a) Host-based Information Host-based evidence includes logs, records,
documents, and any other information that is found on a system and not
obtained from network-based nodes.
For example, host-based information might be a system backup that harbors
evidence at a specific period in time. Host-based data collection efforts
should include gathering information in two different manners: live data
collection and forensic duplication.
In some cases, the evidence that is required to understand an incident is
ephemeral (temporary or fleeting) or lost when the victim/relevant system is
powered down. This volatile data can provide critical information when
attempting to understand the nature of an incident. Therefore, the first step
of data collection is the collection of any volatile information from a host
before this information is lost. The volatile data provides a “snapshot” of a
system at the time you respond. You record the following volatile
information:
The system date and time
The applications currently running on the system
The currently established network connections
The currently open sockets (ports)
The applications listening on the open sockets
The state of the network interface (promiscuous or not)
In order to collect this information, a live response must be performed. A live
response is conducted when a computer system is still powered on and
running. This means that the information contained in these areas must be
collected without impacting the data on the compromised device. There are
three variations of live response:
Initial live response This involves obtaining only the volatile data from
a target or victim system. An initial live response is usually performed when
you have decided to conduct a forensic duplication of the media.
In-depth response This goes beyond obtaining merely the volatile data. The
CSIRT obtains enough additional information from the target/victim system
to determine a valid response strategy. Nonvolatile information such as log
files are collected to help understand the nature of the incident.
Full live response This is a full investigation on a live system. All data for
the investigation is collected from the live system, usually in lieu of
performing a forensic duplication, which requires the system to be powered
off.
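The volatile items listed above (date and time, running applications, established connections, listening sockets and the promiscuous state of each interface) can be captured on a Linux host from nothing more than the /proc and /sys interfaces, which matters because a responder should not install software on the suspect machine. The following is an added example written for this page, not code from the original document or from any response toolkit. It parses /proc/net/tcp into readable connection records, tests each interface's flags for IFF_PROMISC, lists processes from /proc/<pid>, and seals the snapshot with a SHA-256 hash so it can later be shown unchanged. The SAMPLE_PROC_NET_TCP text is constructed for illustration; collect_volatile() reads the real interfaces when run on a Linux system.

```python
"""Minimal live-response snapshot of volatile state on a Linux host.

Added example, not from the original document. Reads only /proc and /sys
so nothing has to be installed on the suspect machine; in a real response
the interpreter and this script should come from trusted read-only media
and the sealed output should be written to external media, not the host.
"""
import hashlib
import json
import os
import socket
import struct
from datetime import datetime, timezone

# TCP state codes as written in /proc/net/tcp (include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}
IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

# Constructed sample of /proc/net/tcp: an sshd listener on 127.0.0.1:22 and
# an established session from 10.0.0.10:40000 to 192.168.1.10:443 as uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:9C40 0A01A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22); the kernel writes the IPv4 address little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the raw /proc/net/tcp table into a list of connection records."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = _decode_addr(fields[1])
        rip, rport = _decode_addr(fields[2])
        conns.append({
            "local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]), "inode": int(fields[9]),
        })
    return conns


def is_promiscuous(flags_text):
    """True if the value of /sys/class/net/<if>/flags has IFF_PROMISC set (sniffer running)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def collect_volatile(proc="/proc", sysfs="/sys/class/net"):
    """Snapshot date/time, processes, TCP sockets and interface mode of the live host."""
    snap = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "hostname": socket.gethostname(),
        "processes": [], "tcp": [], "interfaces": [],
    }
    if os.path.isdir(proc):
        for pid in sorted((p for p in os.listdir(proc) if p.isdigit()), key=int):
            try:
                with open(f"{proc}/{pid}/comm") as f:
                    name = f.read().strip()
                with open(f"{proc}/{pid}/cmdline", "rb") as f:
                    cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            except OSError:
                continue                          # process exited while we were reading
            snap["processes"].append({"pid": int(pid), "name": name, "cmdline": cmd})
        try:
            with open(f"{proc}/net/tcp") as f:
                snap["tcp"] = parse_proc_net_tcp(f.read())
        except OSError:
            pass
    if os.path.isdir(sysfs):
        for iface in sorted(os.listdir(sysfs)):
            try:
                with open(f"{sysfs}/{iface}/flags") as f:
                    snap["interfaces"].append({"name": iface, "promiscuous": is_promiscuous(f.read())})
            except OSError:
                continue
    return snap


def seal(snapshot):
    """Serialize deterministically and return (text, sha256 hex) for the evidence log."""
    body = json.dumps(snapshot, sort_keys=True, indent=1)
    return body, hashlib.sha256(body.encode()).hexdigest()


if __name__ == "__main__":
    body, digest = seal(collect_volatile())
    print(body)
    print("sha256:", digest)
```

Record the digest in the response notes at the time of collection; it is the part of the paper trail that later shows the snapshot was not edited. Note also that a listening socket whose inode maps to no process in /proc, or an interface in promiscuous mode that nobody can explain, are themselves findings worth writing down during the initial response.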
At some point (usually during your initial response), you need to decide
whether or not to perform a forensic duplication of the evidence media.
Generally, if the incident is severe or deleted material may need to be
recovered, a forensic duplication is warranted. The forensic duplication of
the target media provides the “mirror image” of the target system, which
shows due diligence when handling critical incidents. It also provides a
means to have working copies of the target media for analysis without
worrying about altering or destroying potential evidence. If the intent is to
take judicial action, law enforcement generally prefers forensic “bit-for-bit,
byte-for-byte” duplicates of target systems. If the incident could evolve into a
corporate-wide issue with grave consequences, it is prudent to perform a
forensic duplication.
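What makes a duplicate a "bit-for-bit" forensic image rather than a mere copy is the verification around it: the source is hashed before and after acquisition, the image is hashed independently, and all of it is recorded. The following is an added example written for this page, not the original document's procedure or any imaging product; it stands in for dd behind a write blocker. The evidence file it acquires is constructed in a temporary directory, and the examiner name is a placeholder.

```python
"""Forensic duplication with hash verification and an acquisition manifest.

Added example, not from the original document. Copies the medium block by
block, hashes the source before and after acquisition to show it was not
altered, hashes the image independently, and records everything in a
manifest written next to the image.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on large media


def hash_file(path, block_size=BLOCK_SIZE):
    """SHA-256 of a file or raw device, read in fixed-size blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def duplicate_media(source, image, examiner, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of `source` into `image`; returns the acquisition manifest."""
    started = datetime.now(timezone.utc).isoformat()
    before = hash_file(source, block_size)          # hash the evidence before touching it
    stream_hash = hashlib.sha256()                  # hash of exactly what we wrote
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            stream_hash.update(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())                      # image must be on disk before we hash it
    image_hash = hash_file(image, block_size)       # re-read the image independently
    after = hash_file(source, block_size)           # prove the source is unchanged
    manifest = {
        "examiner": examiner,
        "source": source, "image": image, "bytes": copied,
        "acquired_utc_start": started,
        "acquired_utc_end": datetime.now(timezone.utc).isoformat(),
        "sha256_source_before": before,
        "sha256_stream": stream_hash.hexdigest(),
        "sha256_image": image_hash,
        "sha256_source_after": after,
    }
    manifest["verified"] = before == stream_hash.hexdigest() == image_hash == after
    with open(image + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_image(image, manifest):
    """Re-hash a working copy and compare it with the hash recorded at acquisition."""
    return hash_file(image) == manifest["sha256_image"]


def demo(tmpdir=None):
    """Acquire a constructed 'disk' and show that a later alteration is detected."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(tmpdir, "evidence.bin")
    image = os.path.join(tmpdir, "evidence.dd")
    with open(source, "wb") as f:                   # constructed sample medium (~1 MiB)
        f.write(b"MBR\x00" + bytes(range(256)) * 4000 + b"\x55\xaa")
    manifest = duplicate_media(source, image, examiner="J. Doe (placeholder)")
    ok_before = verify_image(image, manifest)
    with open(image, "r+b") as f:                   # simulate an altered working copy
        f.seek(4096)
        f.write(b"X")
    ok_after = verify_image(image, manifest)
    return manifest["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Against a real device the source would be the block device behind a hardware write blocker, and the matching before/after hashes are the evidence that imaging did not alter the original; the manifest travels with the image in the chain-of-custody record. Unreadable sectors are the one case this simple loop does not handle: dedicated imagers such as dc3dd or ewfacquire zero-fill and log bad blocks so offsets stay aligned, which is why they are preferred on damaged media.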
b) Network-based Evidence Network-based evidence includes information
obtained from the following sources:
IDS logs
Consensual monitoring logs
Nonconsensual wiretaps
Pen-register/trap and traces
Router logs
Firewall logs
Authentication servers
An organization often performs network surveillance (consensual
monitoring) to confirm suspicions, accumulate evidence, and identify co-
conspirators involved in an incident. Where host-based auditing may fail,
network surveillance may fill in the gaps.
Network surveillance is not intended to prevent attacks. Instead, it allows an
organization to accomplish a number of tasks:
Confirm or dispel suspicions surrounding an alleged computer
security incident.
Accumulate additional evidence and information.
Verify the scope of a compromise.
Identify additional parties involved.
Determine a timeline of events occurring on the network.
Ensure compliance with a desired activity.
Other Evidence The “other evidence” category involves testimony and other
information obtained from people. This is the collection of evidence following
more traditional investigative techniques.
Forensic Analysis
Forensic analysis includes reviewing all the data collected. This includes reviewing
log files, system configuration files, trust relationships, web browser history files,
email messages and their attachments, installed applications, and graphic files. You
perform software analysis, review time/date stamps, perform keyword searches,
and take any other necessary investigative steps. Forensic analysis also includes
performing more low-level tasks, such as looking through information that has been
logically deleted from the system to determine if deleted files, slack space, or free
space contain data fragments or entire files that may be useful to the investigation.
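Two of the low-level tasks named above, recovering files whose directory entries are gone and keyword-searching unallocated space, can be shown on a small constructed blob. The following is an added example written for this page, not the original document's tooling; it carves by header and footer signatures, reports incomplete hits (a header with no trailer, as happens when part of a deleted file was reused) instead of dropping them, and searches keywords in both ASCII and UTF-16LE, since Windows stores many strings in the latter and an ASCII-only search misses them. The SAMPLE_UNALLOCATED bytes, the fake JPEG and the keyword are all constructed.

```python
"""Signature carving and keyword search over unallocated space.

Added example, not from the original document. The sample blob below is
constructed: zero fill, a tiny fake JPEG, one keyword stored in ASCII and
again in UTF-16LE, and a PNG header whose trailer has been overwritten.
"""

# (header, footer) magic values for the formats we carve
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0" + b"JFIF fake image body" + b"\xff\xd9"   # offset 64, 26 bytes
    + b"\x00" * 32
    + b"Project FALCON budget"                                       # ASCII text at offset 122
    + b"\x00" * 16
    + "falcon".encode("utf-16-le")                                   # UTF-16LE text at offset 159
    + b"\x00" * 32
    + b"\x89PNG\r\n\x1a\n" + b"truncated png"                         # offset 203, no IEND trailer
)


def carve(blob, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Find files by header/footer magic; incomplete hits are reported, not dropped."""
    hits = []
    for kind, (header, footer) in signatures.items():
        start = blob.find(header)
        while start != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end != -1:
                size, complete = end + len(footer) - start, True
            else:                                   # trailer overwritten or beyond max_size
                size, complete = min(max_size, len(blob) - start), False
            hits.append({"type": kind, "offset": start, "size": size, "complete": complete})
            start = blob.find(header, start + 1)
    return sorted(hits, key=lambda h: h["offset"])


def keyword_search(blob, keywords, context=12):
    """Case-insensitive search in ASCII and UTF-16LE; returns offsets with surrounding bytes."""
    lowered = blob.lower()   # bytes.lower() touches only ASCII letters, so it is safe for both encodings
    hits = []
    for kw in keywords:
        for encoding in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(encoding)
            pos = lowered.find(needle)
            while pos != -1:
                raw = blob[max(0, pos - context): pos + len(needle) + context]
                hits.append({
                    "keyword": kw, "encoding": encoding, "offset": pos,
                    "context": raw.replace(b"\x00", b".").decode("ascii", errors="replace"),
                })
                pos = lowered.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def extract(blob, hit):
    """Pull the carved bytes out so they can be hashed and examined on their own."""
    return blob[hit["offset"]: hit["offset"] + hit["size"]]


if __name__ == "__main__":
    for h in carve(SAMPLE_UNALLOCATED):
        print(h)
    for h in keyword_search(SAMPLE_UNALLOCATED, ["falcon"]):
        print(h)
```

On a real image the blob would be the unallocated extents exported by a filesystem tool, and every carved object should be hashed and logged with its image offset so the finding can be reproduced by another examiner.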
6. Reporting
Reporting can be the most difficult phase of the incident response process. The
challenge is to create reports that accurately describe the details of an incident, that
are understandable to decision makers, that can withstand the barrage of legal
scrutiny, and that are produced in a timely manner.
7. Resolution
The goal of the resolution phase is to implement host-based, network-based, and
procedural countermeasures to prevent an incident from causing further damage
and to return your organization to a secure, healthy operational status. In other
words, in this phase, you contain the problem, solve the problem, and take steps to
prevent the problem from occurring again.
The following steps are often taken to resolve a computer security incident:
1. Identify your organization’s top priorities. Which of the following is the most critical
to resolve: returning all systems to operational status, ensuring data integrity,
containing the impact of the incident, collecting evidence, or avoiding public
disclosure?
2. Determine the nature of the incident in enough detail to understand how the
security breach occurred and what host-based and network-based remedies are required
to address it.
3. Determine if there are underlying or systemic causes for the incident that need to be
addressed (lack of standards, noncompliance with standards, and so on).
4. Restore any affected or compromised systems. You may need to rely on a prior
version of the data, server platform software, or application software as needed to
ensure that the system performs as you expect it to perform.
5. Apply corrections required to address any host-based vulnerabilities. Note that all
fixes should be tested in a lab environment before being applied to production
systems.
6. Apply network-based countermeasures such as access control lists, firewalls, or IDS.
7. Assign responsibility for correcting any systemic issues.
8. Track progress on all corrections that are required, especially if they will take
significant time to complete.
9. Validate that all remedial steps or countermeasures are effective. In other words,
verify that all the host-based, network-based, and systemic remedies have been
applied correctly.
10. Update your security policy and procedures as needed to improve your response
process.
PRE-INCIDENT PREPARATION
Preparing for incident response involves organization steps as well as computer security
incident response team (CSIRT) preparation steps. We recommend the following
preparations, which are described in detail in this chapter:
1. Identify your corporate risk.
2. Prepare your hosts for incident response and recovery.
3. Prepare your network by implementing network security measures.
4. Establish policies and procedures that allow you to meet your incident response
objectives.
5. Create a response toolkit for use by the CSIRT.
6. Create a CSIRT that can assemble to handle incidents.
NETWORK-BASED EVIDENCE
Collecting network-based evidence includes setting up a computer system to perform
network monitoring, deploying the network monitor, and evaluating the effectiveness of
the network monitor.
The analysis of network-based evidence includes reconstructing the network activity,
performing low-level protocol analysis, and interpreting the network activity.
WHAT ARE THE GOALS OF NETWORK MONITORING?
If a law enforcement officer suspects an individual of a crime such as minor drug dealing,
the suspect is usually placed under surveillance to confirm suspicions, accumulate
evidence, and identify co-conspirators. The same approach works with suspected crimes
against computer networks. Network monitoring is not intended to prevent attacks.
Instead, it allows investigators to accomplish a number of tasks:
Confirm or dispel suspicions surrounding an alleged computer security incident.
Accumulate additional evidence and information.
Verify the scope of a compromise.
Identify additional parties involved.
Determine a timeline of events occurring on the network.
Ensure compliance with a desired activity.
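"Determine a timeline of events occurring on the network", listed both here and under network-based evidence in the investigation phase, sounds simple but fails in practice when the IDS, firewall and authentication servers keep different clocks in different time zones. The following is an added example written for this page, not the original document's method or any product's code, that normalizes three constructed log formats (a syslog-style firewall line, a Snort fast-alert line and an ISO-timestamped auth log) to UTC before merging. The hosts, addresses, rule ID, time zones and the 30-second IDS clock skew are all constructed assumptions; a responder would measure the real offsets against a reference clock and record them.

```python
"""Build a network timeline from logs written by hosts with different clocks.

Added example, not from the original document. Log lines, host names,
addresses and the local rule ID are constructed. The firewall and IDS
sensor are assumed to log local time (UTC-5) and the auth server UTC; the
IDS clock is assumed to run 30 s slow against the reference clock.
"""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SNORT_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] (?P<msg>.*)$")
ISO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Per-source clock description: the zone the device writes in, and the
# skew in seconds to ADD to its timestamps to reach the reference clock.
SOURCES = {
    "fw":   {"tz": timezone(timedelta(hours=-5)), "skew": 0,  "parser": "syslog"},
    "ids":  {"tz": timezone(timedelta(hours=-5)), "skew": 30, "parser": "snort"},
    "auth": {"tz": timezone.utc,                   "skew": 0,  "parser": "iso"},
}

# Constructed sample lines; sorted by their raw clock values the firewall
# event (03:20 local) would wrongly land before the login (07:13 UTC).
SAMPLE_LOGS = {
    "ids":  ["03/14-02:12:29.120000 [**] [1:1000001:1] LOCAL SSH scan [**] {TCP} 203.0.113.7:51200 -> 10.0.0.10:22"],
    "auth": ["2024-03-14T07:13:44+00:00 srv1 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51240 ssh2"],
    "fw":   ["Mar 14 03:20:00 fw1 kernel: DROP IN=eth1 SRC=10.0.0.10 DST=198.51.100.9 PROTO=TCP SPT=41022 DPT=4444"],
}


def parse_line(source, line, year=2024):
    """Normalize one raw log line to a UTC event using the source's clock description."""
    cfg = SOURCES[source]
    if cfg["parser"] == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            raise ValueError(f"unparsed {source} line: {line!r}")
        local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")   # syslog omits the year
        host, msg = m["host"], m["msg"]
    elif cfg["parser"] == "snort":
        m = SNORT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed {source} line: {line!r}")
        local = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        host, msg = source, m["msg"]
    else:
        m = ISO_RE.match(line)
        if not m:
            raise ValueError(f"unparsed {source} line: {line!r}")
        local = datetime.fromisoformat(m["ts"])                              # carries its own offset
        host, msg = m["host"], m["msg"]
    if local.tzinfo is None:
        local = local.replace(tzinfo=cfg["tz"])      # zone-less formats get the device's zone
    utc = local.astimezone(timezone.utc) + timedelta(seconds=cfg["skew"])
    return {"utc": utc, "source": source, "host": host, "message": msg}


def build_timeline(logs, year=2024):
    """Parse every line from every source and return the events in true UTC order."""
    events = [parse_line(src, line, year) for src, lines in logs.items() for line in lines]
    return sorted(events, key=lambda e: e["utc"])


def render(events):
    """One line per event for the report: UTC time, source, host, message."""
    return [
        f"{e['utc'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['source']:<5} {e['host']:<5} {e['message']}"
        for e in events
    ]


if __name__ == "__main__":
    for line in render(build_timeline(SAMPLE_LOGS)):
        print(line)
```

After normalization the scan precedes the accepted login, which precedes the blocked outbound connection on port 4444, the order an investigator needs to argue cause and effect; the same three lines sorted on their raw clock strings tell a different and wrong story. The per-source zone and skew table belongs in the report, since it is what lets a reviewer reproduce the ordering.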
WHAT IS EVIDENCE?
According to the U.S. Federal Rules of Evidence (FRE), relevant evidence is defined as any
information “having a tendency to make the existence of any fact that is of consequence to
the determination of the action more probable or less probable than it would be without
the information.”
Best Evidence Rule
The Best Evidence Rule, which was established to deter any alteration of evidence, whether
intentional or unintentional, states that the court prefers the original evidence at trial
rather than a copy, but it will accept a duplicate under conditions such as the following:
the original was lost or destroyed by fire, flood, or other acts of God, which has been held
to include loss caused by careless employees or cleaning staff.
RULES OF EVIDENCE
Before delving into the investigative process and computer forensics, it is essential that the
investigator have a thorough understanding of the Rules of Evidence. The submission of
evidence in any type of legal proceeding generally amounts to a significant challenge, but
when computers are involved, the problems are intensified. Special knowledge is needed to
locate and collect evidence and special care is required to preserve and transport the
evidence. Evidence in a computer crime case may differ from traditional forms of evidence
in that most computer-related evidence is intangible, in the form of an electronic pulse or
magnetic charge.
Before evidence can be presented in a case, it must be competent, relevant, and material to
the issue, and it must be presented in compliance with the rules of evidence. Anything that
tends to prove directly or indirectly that a person may be responsible for the commission
of a criminal offense may be legally presented against him.
Proof may include the oral testimony of witnesses or the introduction of physical or
documentary evidence.
By definition, evidence is any species of proof or probative matter, legally presented at the
trial of an issue, by the act of the parties and through the medium of witnesses, records,
documents, and objects for the purpose of inducing belief in the minds of the court and
jurors as to their contention. In short, evidence is anything offered in court to prove the
truth or falsity of a fact in issue. This section describes each of the Rules of Evidence as it
relates to computer crime investigations.
Types of Evidence
Many types of evidence exist that can be offered in court to prove the truth or falsity of a
given fact. The most common forms of evidence are direct, real, documentary, and
demonstrative.
Direct evidence is oral testimony, whereby the knowledge is obtained from any of the
witness's five senses and is in itself proof or disproof of a fact in issue. Direct evidence is
called to prove a specific act (e.g., an eyewitness statement).
Real Evidence, also known as associative or physical evidence, is made up of tangible
objects that prove or disprove guilt.
Physical evidence includes such things as tools used in the crime, fruits of the crime, or
perishable evidence capable of reproduction. The purpose of the physical evidence is to
link the suspect to the scene of the crime. It is the evidence that has material existence and
can be presented to the view of the court and jury for consideration.
Documentary evidence is evidence presented to the court in the form of business records,
manuals, and printouts, for example. Much of the evidence submitted in a computer crime
case is documentary evidence.
Finally, demonstrative evidence is evidence used to aid the jury. It may be in the form of a
model, experiment, chart, or an illustration offered as proof. When seizing evidence from a
computer-related crime, the investigator should collect any and all physical evidence, such
as the computer, peripherals, notepads, or documentation, in addition to computer-
generated evidence.
Four types of computer-generated evidence are:
a) Visual output on the monitor.
b) Printed evidence on a printer.
c) Printed evidence on a plotter.
d) Film recorder (i.e., a magnetic representation on disk and optical representation on
CD).
A legal factor of computer-generated evidence is that it is considered hearsay. The
magnetic charge of the disk or the electronic bit value in memory, which represents the
data, is the actual, original evidence. The computer-generated evidence is merely a
representation of the original evidence, but in Rosenberg v. Collins, the court held that if
the computer output is used in the regular course of business, the evidence shall be
admitted.
THE CHALLENGES OF EVIDENCE HANDLING
One of the most common mistakes made by computer security professionals is failure to
adequately document when responding to a computer security incident. Critical data might
not ever be collected, the data may be lost, or the data’s origins and meaning may become
unknown. Added to the technical complexity of evidence collection is the fact that the
properly retrieved evidence requires a paper trail. Such documentation is seemingly
against the natural instincts of the technically savvy individuals who often investigate
computer security incidents. All investigators need to understand the challenges of
evidence handling and how to meet these challenges. That is why every organization that
performs computer security investigations requires a formal evidence-handling procedure.
The biggest challenges to evidence handling are that the evidence collected must be
authenticated at a judicial proceeding and the chain-of-custody for the evidence must be
maintained. You also must be able to validate your evidence.
Authentication of Evidence
Authentication basically means that whoever collected the evidence should testify during direct
examination that the information is what the proponent claims. In other words, the most
common way to authenticate evidence is to have a witness who has personal knowledge of
the origins of that piece of evidence provide testimony.
If evidence cannot be authenticated, it is usually considered inadmissible, and that
information cannot be presented to the judging body. It is important to develop some sort
of internal document that records the manner in which evidence is collected.
Chain of Custody
Once evidence is seized, the next step is to provide for its accountability and protection.
The chain of evidence, which provides a means of accountability, must be adhered to by law
enforcement when conducting any type of criminal investigation, including a computer
crime investigation. It helps to minimize the instances of tampering.
In other words, maintaining the chain of custody requires that evidence collected is stored
in a tamper-proof manner, where it cannot be accessed by unauthorized individuals. A
complete chain-of-custody record must be kept for each item obtained. Chain of custody
requires that you can trace the location of the evidence from the moment it was collected to
the moment it was presented in a judicial proceeding.
The chain of evidence must account for all persons who handled or who had access to the
evidence in question. The chain of evidence shows:
Who obtained the evidence.
Who secured the evidence.
Who had control or possession of the evidence.
It may be necessary to have anyone associated with the evidence testify at trial. Private
citizens are not required to maintain the same level of control of the evidence as law
enforcement, although they are well advised to do so. Should an internal investigation
result in the discovery and collection of computer-related evidence, the investigation team
should follow the same, detailed chain of evidence as required by law enforcement. This
will help to dispel any objection by the defense that the evidence is unreliable, should the
case go to court.
Admissibility of Evidence
Computer-generated evidence is always suspect because of the ease with which it can be
altered, usually without a trace. Precautionary measures must be taken to ensure that
computer-generated evidence has not been tampered with, erased, or added to. To ensure
that only relevant and reliable evidence is entered into the proceedings, the judicial system
has adopted the concept of admissibility:
a) Relevancy of Evidence. Evidence tending to prove or disprove a material fact. All
evidence in court must be relevant and material to the case.
b) Reliability of Evidence. The evidence and the process to produce the evidence must
be proven to be reliable. This is one of the most critical aspects of computer-
generated evidence.
Once computer-generated evidence meets the business record exemption to the hearsay
rule, is not excluded for some technicality or violation, and follows the chain of custody, it is
held to be admissible. The defense will attack both the relevancy and reliability of the
evidence, so great care should be taken to protect both.
Evidence Validation
Another challenge is to ensure that the data you collected is identical to the data that you
present in court. It is not uncommon for several years to pass between the collection of
evidence and the production of evidence at a judicial proceeding.
OVERVIEW OF EVIDENCE-HANDLING PROCEDURES
When handling evidence during an investigation, you will generally adhere to the following
procedures:
1) If examining the contents of a hard drive currently placed within a computer, record
information about the computer system under examination.
2) Take digital photographs of the original system and/or media that is being
duplicated.
3) Fill out an evidence tag for the original media or for the forensic duplication
(whichever hard drive you will keep as best evidence and store in your evidence
safe).
4) Label all media appropriately with an evidence label.
5) Store the best evidence copy of the evidence media in your evidence safe.
6) An evidence custodian enters a record of the best evidence into the evidence log. For
each piece of best evidence, there will be a corresponding entry in the evidence log.
7) All examinations are performed on a forensic copy of the best evidence, called a
working copy.
8) An evidence custodian ensures that backup copies of the best evidence are created.
The evidence custodian will create tape backups once the principal investigator for
the case states that the data will no longer be needed in an expeditious manner.
9) An evidence custodian ensures that all disposition dates are met. The dates of
evidence disposition are assigned by the principal investigator.
10) An evidence custodian performs a monthly audit to ensure all of the best
evidence is present, properly stored, and labeled.
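The following Python is an added illustration of steps 3 to 6 above and of evidence validation; it is not part of the original document. It records an evidence tag with the image's SHA-256 digest at seizure, logs each custody transfer, and re-computes the digest later to prove the item is unchanged; the file path, person names, tag id and choice of SHA-256 are this example's own assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Digest a file in chunks so a multi-gigabyte image need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceTag:
    """One evidence-log entry: what was seized, by whom, when, and its digest at seizure."""
    tag_id: str
    description: str
    path: str
    collected_by: str
    collected_at: str
    sha256: str
    custody: list = field(default_factory=list)   # chain-of-custody transfers, in order

    @classmethod
    def create(cls, tag_id: str, description: str, path: str, collected_by: str):
        return cls(tag_id, description, path, collected_by, utc_now(), sha256_file(path))

    def transfer(self, from_person: str, to_person: str, reason: str) -> None:
        """Record a hand-over; everyone who handled the item must appear here."""
        self.custody.append({"at": utc_now(), "from": from_person,
                             "to": to_person, "reason": reason})

    def verify(self) -> bool:
        """Evidence validation: the item must still hash to the value recorded at seizure."""
        return sha256_file(self.path) == self.sha256


def custody_is_continuous(tag: EvidenceTag) -> bool:
    """The chain is unbroken only if each transfer starts with the previous holder."""
    holder = tag.collected_by
    for entry in tag.custody:
        if entry["from"] != holder:
            return False
        holder = entry["to"]
    return True


def demo() -> dict:
    """Tag a constructed image, hand it over, validate it, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "case001_disk.dd")       # constructed stand-in for a dd image
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed evidence payload" + b"\xff" * 4096)
        tag = EvidenceTag.create("CASE001-E01", "suspect laptop HDD image", image, "examiner A")
        tag.transfer("examiner A", "custodian B", "placed in evidence safe")
        tag.transfer("custodian B", "examiner C", "checked out to make working copy")
        verified_before = tag.verify()
        continuous = custody_is_continuous(tag)
        # A single-byte change, the kind of alteration a defense will allege, breaks validation.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        verified_after = tag.verify()
        # A gap in the chain: someone who never received the item hands it on.
        tag.transfer("unknown D", "custodian B", "returned")
        continuous_after_gap = custody_is_continuous(tag)
    return {"sha256": tag.sha256, "verified_before": verified_before,
            "verified_after_tamper": verified_after, "custody_continuous": continuous,
            "custody_continuous_after_gap": continuous_after_gap}


if __name__ == "__main__":
    print(demo())
```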
Computer forensics
It is emerging as an important tool in the fight against crime. Computer forensics may be
defined as the investigation of situations where there is computer-based (digital) or
electronic evidence of a crime or suspicious behaviour, but the crime or behaviour may be
of any type not otherwise involving computers. Therefore, computers facilitate both the
commission of and investigation into the act in question.
Specialists in the area follow structured methodologies to ensure the integrity of the
evidence that they collect and process. Computer (and intrusion) forensics involves data...
Preservation
Identification
Extraction
Documentation
Interpretation
Computer forensics involves the identification, documentation, and interpretation of
computer media for using them as evidence and/or to rebuild the crime scenario.
According to another definition, computer forensics is the process of identifying, collecting,
preserving, analyzing and presenting computer-related evidence in a manner that is
legally acceptable to a court. More recently, computer forensics has branched into several
overlapping areas, generating various terms such as
digital forensics,
data forensics,
system forensics,
network forensics,
email forensics,
cyber forensics,
forensics analysis,
enterprise forensics,
proactive forensics, etc.
1. Digital forensics is the investigation of what happened and how.
2. System forensics is performed on standalone machines.
3. Network forensics involves the collection and analysis of network events in order to
discover the sources of security attacks. The same process applied on Web is also
known as Web forensics.
4. Data forensics focuses mainly on the analysis of volatile and non-volatile data.
5. Proactive forensics is ongoing forensics: there is an opportunity to actively and
regularly collect potential evidence on an ongoing basis.
6. Email forensics deals with one or more e-mails as evidence in a forensic investigation.
Enterprise forensics is named in the context of the enterprise; it is primarily concerned
with incident response and recovery, with little concern about evidence.
7. Cyber forensics focuses on real-time, on-line evidence gathering.
8. Forensics analysis deals with identification, extraction and reporting on data
obtained from a computer system.
It is not just law enforcement that is developing the computer forensics field. Increasingly,
commercial and non-commercial organizations are requiring experts in the field to
investigate incidents. Thus, there are many applications of computer forensics tools and
techniques other than for criminal prosecution, such as:
Determine root cause of an event to ensure no repeat
Identify responsibility for an action
Internal investigation within the organization
Intelligence operations
Audit
Recovering lost data
'Computer forensics' is the use of specialised techniques for recovery, authentication, and
analysis of electronic data when a case involves issues relating to:
reconstruction of computer usage;
examination of residual data;
authentication of data by technical analysis;
explanation of technical features of data and computer usage.
In simple words, it is the process of unearthing data, of probative value, from information
systems.
Cyber Crimes
With the increased use of the Internet in homes and offices, there has been a proliferation of
cyber-related crimes, and investigating these crimes is a tedious task. Cybercrime is typically
described as any criminal act dealing with computers or computer networks. Cybercrimes
can be classified into three groups:
Crimes directed against computer,
Crimes where the computer contains evidence, and
Crimes where the computer is used to commit the crime.
Other names of cybercrime are
e-crime,
computer crime or
Internet crime.
Cybercrimes spread across the world with various names like
worms,
logic bombs,
botnets,
Data diddling,
mail bombing,
phishing,
root kits,
salami theft,
spoofing,
zombie,
time bomb,
Trojan horse etc.
Using the Internet, a person sitting in a Net cafe in a remote location can attack a computer
resource in the USA using a computer situated in Britain as a launch pad for the attack.
The challenges behind these situations are both technological and jurisdictional.
Confidentiality, integrity and availability are the cardinal pillars of cyber security and they
should not be compromised in any manner.
Attackers have also begun using anti-forensic techniques to hide evidence of a cybercrime. They
may hide folders, rename files, delete logs, or change, edit or modify file data.
To combat these kinds of crimes, the Indian Government established a Cyber Forensics
Laboratory in November 2003.
Overview of Cyber Forensics
Cyber forensics is becoming a source of investigation in which human expert witnesses are
important, since courts will not recognize software tools such as EnCase, Pasco or Ethereal as
an expert witness. Cyber forensics is useful to many professions, such as the military, the private
sector and industry, academia, and law. These areas have many needs, including data
protection, data acquisition, imaging, extraction, interrogation, normalization, analysis, and
reporting. It is important for all professionals working in the emerging field of cyber
forensics to have a working and functioning lexicon of terms, like bookmarks, cookies,
webhit, etc., that are uniformly applied throughout the profession and industry. International
guidelines for cyber forensics, related key terms and tools are the focus of the cyber
forensics field manual.
The objective of Cyber forensics is to identify digital evidence for an investigation with the
scientific method to draw conclusions.
Examples of investigations that use cyber forensics include
unlawful use of computers,
child pornography, and
cyber terrorism.
The area of cyber forensics has become a prominent field of research because:
1. Forensics systems allow the administrator to diagnose errors
2. Intrusion detection systems are necessary in avoiding cyber crimes
3. Change detection is possible with proactive forensics
Cyber forensics can be used for two benefits:
a) To investigate allegations of digital malfeasance
b) To perform cause analysis
PHASES OF CYBER FORENSICS
Cyber forensics has four distinct phases: incident identification, acquisition of evidence,
analysis of evidence, and reporting with storage of evidence.
[Figure: the four phases of cyber forensics shown as a flow: Incident identification -> Acquisition of evidence -> Analysis of evidence -> Reporting with storage of evidence]
1) Identification Phase
The identification phase is the process of identifying evidence material and its probable
location. Unlike a traditional crime scene, this phase processes the incident scene
and documents every step along the way. Evidence should be handled properly. The basic
requirement in evidence collection is that evidence must be presented without alteration.
This requirement applies to all phases of forensic analysis. At the time of evidence
collection, a thorough check of system logs, time stamps and security monitors is needed.
Once evidence is collected, it is necessary to account for its whereabouts.
Investigators need detailed forensics to establish a chain of custody, the
documentation of the possession of evidence. Chain of custody is a vital part of
computer forensics and the legal system, and its goal is to protect the integrity of
evidence, so evidence should be physically secured in a safe place along with a detailed
log. The handling of specific types of incidents, like denial of service, malicious code and
unauthorized access, is described in the computer security incident handling guide
2) Acquisition Phase
The acquisition phase saves the state of the evidence so that it can be further analyzed. The goal
of this phase is to save all digital values. Here, a copy of the hard disk is created, which is
commonly called an image.
According to the law enforcement community, there are three commonly accepted types of
forensic acquisition:
a) mirror image,
b) forensic duplication and
c) live acquisition.
A mirror image, a bit-for-bit copy, is a backup of the entire hard disk. Creating a
mirror image is simple in theory, but its accuracy must meet evidence standards. The
purpose of having a mirror image is to keep the evidence available in case the original system
needs to be restarted for further analysis.
A forensic duplicate, made sector by sector, is an advanced method that copies
every bit without leaving out a single bit of evidence. The result may be a single large
file and must be an exact representation of the original drive at the bit-stream level. This
method is the most common type of acquisition because it creates a forensic image of the
e-evidence that also contains file slack: when a small file overwrites a larger one, the
surplus bytes remain in the file slack. The forensic duplication process can be
done with the help of tools like the Forensic Toolkit (FTK) Imager, the UNIX dd command, or
EnCase. AccessData's FTK is one of the most powerful tools available, and one of its
promising features is the ability to identify steganography, the practice of camouflaging
data in plain sight. It is often desirable to capture volatile information, which is stored
in RAM; it cannot be collected after the system has been powered down. This
information may not be recorded in a file system or image backup, and it may hold clues
related to the attacker. All currently running processes, open sockets, currently logged-in
users, recent connections, etc., are available in volatile information. Generally, an intruder
takes steps to avoid detection. Trojans, key loggers, worms, etc., are installed in subtle
places. One such thing to be considered in the acquisition process is rootkits,
automated packages that create backdoors. Intruders use rootkits to
remove log files and other information to hide their presence. Mobile phones
have become tools for cybercrime; the testing process for mobile phone evidence acquisition
is discussed in
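To make the file-slack point concrete, here is an added example (not from the original document) built on a toy cluster-allocated volume: a small file reuses the clusters of a deleted larger file, and only the sector-by-sector duplicate, not a logical file-by-file copy, still holds the remainder of the old content. The cluster size, file names and contents are constructed for the example.

```python
CLUSTER = 512  # constructed cluster size for the toy volume (real volumes use 4 KiB or more)


class ToyVolume:
    """Minimal cluster-allocated volume.

    Files are allocated in whole clusters. Writing touches only a file's logical
    bytes, so the tail of its last cluster (the file slack) keeps whatever was there
    before, and deleting a file only drops its directory entry.
    """

    def __init__(self, clusters: int):
        self.disk = bytearray(clusters * CLUSTER)   # the raw media
        self.files = {}                              # name -> (first_cluster, logical_size)

    def write(self, name: str, data: bytes, first_cluster: int) -> None:
        start = first_cluster * CLUSTER
        self.disk[start:start + len(data)] = data
        self.files[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        del self.files[name]                         # the data itself remains on the media

    def read(self, name: str) -> bytes:
        """What a logical (file-system level) copy sees: only the logical bytes."""
        first, size = self.files[name]
        start = first * CLUSTER
        return bytes(self.disk[start:start + size])

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        first, size = self.files[name]
        logical_end = first * CLUSTER + size
        cluster_end = first * CLUSTER + -(-size // CLUSTER) * CLUSTER   # round up to a cluster
        return bytes(self.disk[logical_end:cluster_end])


def logical_copy(vol: ToyVolume) -> dict:
    """A file-by-file backup: only allocated, logical content."""
    return {name: vol.read(name) for name in vol.files}


def forensic_duplicate(vol: ToyVolume) -> bytes:
    """A sector-by-sector (bit-stream) image: every byte, allocated or not."""
    return bytes(vol.disk)


def carve(image: bytes, marker: bytes) -> list:
    """Offsets at which a marker occurs anywhere in the image, slack included."""
    offsets, pos = [], image.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(marker, pos + 1)
    return offsets


def demo() -> dict:
    """A small file overwrites a larger one; compare what each acquisition preserves."""
    vol = ToyVolume(clusters=8)
    big = b"CONFIDENTIAL ledger entry; " * 40          # 1080 bytes, occupies clusters 0..2
    vol.write("ledger.txt", big, first_cluster=0)
    vol.delete("ledger.txt")                            # entry gone, bytes still on the media
    small = b"shopping list: milk, eggs\n"              # 26 bytes, reuses cluster 0
    vol.write("note.txt", small, first_cluster=0)

    marker = b"CONFIDENTIAL"
    logical = logical_copy(vol)
    image = forensic_duplicate(vol)
    slack = vol.slack("note.txt")
    return {
        "logical_files": sorted(logical),
        "logical_hits": sum(v.count(marker) for v in logical.values()),
        "slack_bytes": len(slack),               # 512 - 26 bytes of old content
        "slack_hits": slack.count(marker),
        "image_hits": len(carve(image, marker)), # old entries in cluster 0 slack and clusters 1..2
    }


if __name__ == "__main__":
    print(demo())
```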
3) Analysis Phase
Forensic analysis is the process of understanding, recreating, and analyzing arbitrary
events that have been gathered from digital sources. The analysis phase collects the acquired
data and examines it to find the pieces of evidence. This phase also identifies whether the
system was tampered with to avoid identification. The analysis phase examines all the
evidence collected during the collection and acquisition phases. Three types of
examination can be applied in forensic analysis:
limited,
partial or
full examination.
A limited examination covers the data areas that are specified by legal documents or
based on interviews. This examination process is the least time-consuming and the most
common type.
A partial examination deals with prominent areas. Key areas like log files, the registry,
cookies, e-mail folders and user directories are examined in a partial
examination. This partial examination is based on general search criteria developed
by forensic experts. The most time-consuming and least frequent examination
process is the full examination. This requires the examiner to look at each and every
possible bit of data to find the root causes of the incident. File slack inspection is done
in this examination. Some of the tools used in the analysis phase are The Coroner's Toolkit, EnCase and FTK.
The Coroner's Toolkit runs under UNIX, and EnCase is a toolkit that runs under Windows.
EnCase has the ability to process larger amounts of data and allows the user to use predefined
scripts to pull information from the data being processed. FTK contains a variety of
separate tools (text indexing, NAT recovery, data extraction, file filtering, email
recovery, etc.) to assist in the examination.
4) Reporting Phase
The reporting phase comprises documentation and evidence retention. The scientific
method used in this phase is to draw conclusions based on the gathered evidence. This
phase is mainly based on cyber laws and presents the conclusions for the
corresponding evidence from the investigation. A good policy is needed for how
long evidence from an incident should be retained. Factors to be considered in this
process are prosecution, data retention and cost. To meet the retention requirements,
logs must be archived. The archived logs must be protected to
maintain their confidentiality and integrity.
CYBER FORENSICS TOOLS
The main objective of cyber forensics tools is to extract digital evidence that can be
admissible in a court of law. Electronic evidence (e-evidence, for short) is playing a vital role
in cybercrime cases. Computer forensics tools are used to find skeletons in digital media. To reduce
the effect of anti-forensics tools, the investigator needs to have the tools and knowledge
required to counter the use of anti-forensics techniques. Sometimes the collection of digital
evidence is straightforward because intruders post information about themselves on
Facebook, Orkut, Twitter and MySpace and chat about their illegal activities. A subpoena,
rather than special forensics tools, is required to obtain this information; these e-mails or chats
from social networks can be admissible as evidence. A snapshot of the state of the art of
forensic software tools for mobiles is given in [18]. The process model for cellular phone tool
testing is shown in [14]. Various cyber forensics tools and their descriptions are provided
in [7]; some of them are:
1) The Coroner's Toolkit (TCT) is an open source set of forensic tools designed to
conduct investigations on UNIX systems.
2) EnCase is the industry standard software used by law enforcement.
3) The Forensic Toolkit (FTK) is a very powerful tool but not simple to use.
4) I2Analyst is a different type of analysis tool; it is visual investigative analysis
software.
5) LogLogic's LX 2000 is a powerful, distributed log analysis tool.
6) NetWitness and Security Intelligence are network traffic security analyzer tools.
7) ProDiscover Incident Response (IR) is a complete IT forensic tool that can access
computers over the network to study network behavior.
8) The Sleuth Kit is one of the network forensics tools used to find file instances in an NTFS
file system.
Computer forensics vs. computer security
Computer security and computer forensics are distinct but related disciplines due to the
degree of overlap of raw material used by both fields. In general, computer security aims to
preserve a system as it is meant to be (as per the security policies) whereas computer
forensics (and especially network or intrusion forensics) sets out to explain how a policy
became violated. Therefore, the main difference can be seen as one of system integrity
versus culpability for an event or set of events.
Whereas the two fields may use similar data sources, they have different and sometimes
opposing aims. For example, security countermeasures such as encryption or data wiping
tools may work against the computer forensic investigation. The security measures will
complicate the investigation as the data must be decrypted prior to analysis. In addition,
security functions tend to only implement minimal logging by design. Therefore, not all the
information required will be available to the forensic analyst.
Computer security is an established field of computer science, whilst computer forensics is
an emergent area. Increasingly, computer security will involve forensic investigation
techniques, and vice versa. Therefore, both fields have much to learn from each other.
Computer forensics process
Computer forensics investigations take a lot of time to conduct. This is not surprising given
the increasing size of storage media that is being encountered. For example, hard drives of
several hundred gigabytes are not uncommon. In addition, the number of devices and data
storage that must be searched and analysed is also increasing. This must be conducted in a
robust manner that can be demonstrated in court or to management at a later date.
Below is my Organizational Model of Computer Forensics which aims to simplify the
investigation process irrespective of the computer forensics tools and techniques used.
Prior to an investigation, the analyst must make some preparations. For example, what is
the purpose of the investigation? This will ultimately determine the tools and techniques
used throughout the resulting investigation.
Next, evidence must be collected. This must be conducted robustly and maintain the
integrity of the evidence. Once the evidence is collected, a copy of the material is made and
all analysis is performed on the copy. This ensures that the original evidence is not altered
in any way.
The analysis of the evidence is conducted with forensics tools. For example, analysing the
hard drive of a computer requires the recreation of the logical structure of underlying
operating system. Once this is done, the analyst may have to triage and view both extant
and deleted files to build a picture of the suspect’s activities.
The analyst will then report any suspicious or malicious files and supply supporting
evidence. For example, the time and date the file was created, accessed or modified and
which user was responsible.
Finally, the analyst must present evidence. In law enforcement, this is to a court of law.
Increasingly, with the growth of the field in internal corporate investigations, this will be to
management.
Computer forensics tools
The tools and techniques used in computer forensics are as wide and varied as the crimes
that are investigated. Each investigation will ultimately determine the tools that are used.
Below is just a brief outline of tools used in the search for relevant evidentiary data on a
computer. For further information on tools and techniques, it is recommended that you
consult a book on the subject of computer forensics.
A number of computer forensic tools and approaches are used for the detection of
suspicious data on the hard drive. These can be generally divided into file
analysis and format specific approaches.
Commonly used computer forensic tools, such as the Forensic Toolkit (screenshot below)
and EnCase, provide examples of file analysis approaches. These tools are used for storage
media analysis of a variety of files and data types in fully integrated environments. For
example, the Forensic Toolkit can perform tasks such as file extraction, make a forensic
image of data on storage media, recover deleted files, determine data types and text
extraction. EnCase is widely used within law enforcement and like FTK provides a powerful
interface to the hard drive or data source under inspection, for example, by providing a file
manager that shows extant and deleted files.
Network forensics
Network forensics involves the recovery and analysis of information from computer
networks suspected of having been compromised or accessed in an unauthorised manner
and is closely related to the computer security field of intrusion detection. Its purpose is to
allow investigators to reason about the circumstances or causes of the activity under
investigation and to (possibly) provide evidence for any resulting legal case.
Network forensics encompasses:
Detecting, responding and assigning responsibility for attacks against our systems
The use of security devices and their audit information for evidentiary data
Using networks for passive information gathering during the investigation
In general, network forensics investigations will use event log analysis and timelining to
determine the following:
Who: is responsible for the activity
What: has the attacker done, e.g. files accessed, backdoor placed on system, etc.
When: each event occurred
Where: identify the location or host that the attack took place from, e.g. their IP
address
Why: why did the person hack you, what were their motives
How: which tools were used or vulnerabilities exploited
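As an added example of the event-log analysis and timelining just described (not part of the original document), the Python below merges a syslog-style auth log and a web access log into one UTC-ordered timeline and then answers who, what, when and where for a single source address. The log lines, host name web01, the year 2024 for the year-less syslog stamps, and the regular expressions are all constructed assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines (not real logs): a syslog-style auth log and a Common
# Log Format web access log, both collected from the assumed host web01.
AUTH_LOG = """\
Mar 12 02:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 12 02:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 12 02:14:12 web01 sshd[2213]: Accepted password for deploy from 203.0.113.45 port 51130 ssh2
Mar 12 02:16:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/tar cf /tmp/export.tar /var/www/customers
"""
ACCESS_LOG = """\
198.51.100.7 - - [12/Mar/2024:02:10:31 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.45 - - [12/Mar/2024:02:12:55 +0000] "GET /admin/login HTTP/1.1" 200 512
203.0.113.45 - - [12/Mar/2024:02:13:02 +0000] "POST /admin/login HTTP/1.1" 302 0
"""

SSHD_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sudo:\s+(\S+) : .*?"
                     r"USER=(\S+) ; COMMAND=(.*)$")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


@dataclass
class Event:
    when: datetime  # When: normalised to UTC so different log formats line up
    who: str        # Who: account involved, or "-" when the log names none
    what: str       # What: the action recorded
    where: str      # Where: source address, or "local" for an action inside a session
    host: str       # system on which the event was observed
    source: str     # which log the event came from


def _syslog_time(mon, day, clock, year):
    # Syslog stamps carry no year; the caller supplies it (an assumption of this example).
    stamp = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def parse_auth_log(text, year):
    events = []
    for line in text.splitlines():
        if m := SSHD_RE.match(line):
            mon, day, clock, host, result, user, ip = m.groups()
            events.append(Event(_syslog_time(mon, day, clock, year), user,
                                f"ssh login {result.lower()}", ip, host, "auth.log"))
        elif m := SUDO_RE.match(line):
            mon, day, clock, host, user, target, cmd = m.groups()
            events.append(Event(_syslog_time(mon, day, clock, year), user,
                                f"sudo as {target}: {cmd}", "local", host, "auth.log"))
    return events


def parse_access_log(text, host):
    events = []
    for line in text.splitlines():
        if m := CLF_RE.match(line):
            ip, stamp, method, path, status = m.groups()
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            events.append(Event(when, "-", f"{method} {path} -> {status}", ip, host, "access.log"))
    return events


def build_timeline(auth_text, access_text, year, host="web01"):
    """Merge both logs into one chronologically ordered timeline."""
    events = parse_auth_log(auth_text, year) + parse_access_log(access_text, host)
    return sorted(events, key=lambda e: e.when)


def attacker_profile(timeline, ip):
    """Answer who/what/when/where for one source address. Session-local actions
    (sudo) carry no address, so they are tied to the address through the account
    whose accepted SSH login came from it."""
    accepted = {e.who for e in timeline if e.where == ip and e.what == "ssh login accepted"}
    related = [e for e in timeline if e.where == ip or (e.where == "local" and e.who in accepted)]
    if not related:
        return {}
    return {
        "first_seen": related[0].when.isoformat(),
        "last_seen": related[-1].when.isoformat(),
        "failed_logins": sum(e.what == "ssh login failed" for e in related),
        "accepted_logins": sum(e.what == "ssh login accepted" for e in related),
        "accounts": sorted({e.who for e in related if e.who != "-"}),
        "web_requests": sum(e.source == "access.log" for e in related),
        "commands": [e.what for e in related if e.what.startswith("sudo")],
    }
```

Calling attacker_profile(build_timeline(AUTH_LOG, ACCESS_LOG, 2024), "203.0.113.45") ties the two web requests, the failed and accepted logins and the later sudo command to one source address and gives its first and last appearance.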
With many illegal activities involving network technologies, these types of investigation are
growing in number and form an important element of computer forensics.
Global Forensic Audit & Investigation
www.globalforensic.in