All-in-1 / CompTIA Security+ All-in-One Exam Guide, 3rd Ed./ White / 177147-6

CHAPTER 20 Computer Forensics

In this chapter, you will

• Learn the rules and types of evidence

• Review the collection of evidence

• Study the preservation of evidence

• Discover the importance of a viable chain of custody

• Explore the steps to investigating a computer crime or policy violation

Computer forensics is certainly a popular buzzword in computer security. This chapter addresses the key aspects of computer forensics in preparation for the Security+ certification exam. It is not intended to be a legal tutorial regarding the presentation of evidence in a court of law. These principles are of value in conducting any investigative processes, including internal or external audit procedures, but many nuances of handling legal cases are far beyond the scope of this text.

The term forensics relates to the application of scientific knowledge to legal problems. Specifically, computer forensics involves the preservation, identification, documentation, and interpretation of computer data. In today’s practice, computer forensics can be performed for three purposes:

• Investigating and analyzing computer systems as related to a violation of laws

• Investigating and analyzing computer systems for compliance with an organization’s policies

• Investigating computer systems that have been remotely attacked

This last point is often referred to as incident response and can be a subset of the first two points. If an unauthorized person is remotely attacking a system, laws may indeed have been violated. However, a company employee performing similar acts may or may not violate laws and corporate policies. Any of these three purposes could ultimately result in legal actions and may require legal disclosure. Therefore, it is important to note that computer forensics actions may, at some point in time, deal with legal violations, and investigations could go to court proceedings. As a potential first responder, you should always seek legal counsel. Also, seek legal counsel ahead of time as you develop and implement corporate policies and procedures. It is extremely important to understand that even minor procedural missteps can have significant legal consequences.


The incident response cycle is a quick way to remember the key steps in computer forensics. Figure 20-1 graphically conveys the incident response cycle. There are five key steps:

1. Discover and report Organizations should administer an incident-reporting process to make sure that potential security breaches as well as routine application problems are reported and resolved as quickly as possible. Employees should be trained on how to report system problems.

2. Confirm Specialists or a response team member should review the incident report to confirm whether or not a security incident has occurred. Detailed notes should be taken and retained as they could be critically valuable for later investigation.

3. Investigate A response team composed of network, system, and application specialists should investigate the incident in detail to determine the extent of the incident and to devise a recovery plan.

4. Recover The investigation is complete and documented at this point in time. Steps are taken to return the systems and applications to operational status.

5. Lessons learned A post-mortem session should collect lessons learned and assign action items to correct weaknesses and to suggest ways to improve.

Figure 20-1 Incident response cycle


Evidence

Evidence consists of the documents, verbal statements, and material objects admissible in a court of law. Evidence is critical to convincing management, juries, judges, or other authorities that some kind of violation has occurred. The submission of evidence is challenging, but it is even more challenging when computers are used because the people involved may not be technically educated and thus may not fully understand what’s happened.

Computer evidence presents yet more challenges because the data itself cannot be sensed with the physical senses—that is, you can see printed characters, but you can’t see the bits where that data is stored. Bits of data are merely magnetic pulses on a disk or some other storage technology. Therefore, data must always be evaluated through some kind of “filter” rather than sensed directly by human senses. This is often of concern to auditors, because good auditing techniques recommend accessing the original data or a version as close as possible to the original data.

Standards for Evidence

To be credible, especially if evidence will be used in court proceedings or in corporate disciplinary actions that could be challenged legally, evidence must meet three standards:

• Sufficient evidence The evidence must be convincing or measure up without question.

• Competent evidence The evidence must be legally qualified and reliable.

• Relevant evidence The evidence must be material to the case or have a bearing on the matter at hand.

Evidence Control Mental Checklist

Keep these points in mind as you collect evidence:

• Who collected the evidence?

• How was it collected?

• Where was it collected?

• Who has had possession of the evidence?

• How was it protected and stored?

• When was it removed from storage? Why? Who took possession?


Types of Evidence

Not all evidence is created equal. Some evidence is stronger and better than other, weaker evidence. Several types of evidence can be germane:

• Direct evidence Oral testimony that proves a specific fact (such as an eyewitness’s statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.

• Real evidence Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.

• Documentary evidence Evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.

• Demonstrative evidence Used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.

Three Rules Regarding Evidence

An item can become evidence when it is admitted by a judge in a case. Three rules guide the use of evidence, especially if it could result in court proceedings:

• Best evidence rule Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. In some instances, an evidence duplicate can be accepted, such as when the original is lost or destroyed by acts of God or in the normal course of business. A duplicate is also acceptable when a third party beyond the court’s subpoena power possesses the original. Copies of digital records, where proof of integrity is provided, can in many cases be used in court.

NOTE Evidence rules exist at the federal and state levels and vary. Digital evidence is not always considered a “writing” and is not always subject to the best evidence rule.

• Exclusionary rule The Fourth Amendment to the U.S. Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related violations of the U.S. Code, it may not be admissible to a court. For example, if no policy exists regarding the company’s intent to monitor network traffic or systems electronically, and the employee has not acknowledged this policy by signing an agreement, sniffing network traffic could be a violation of the ECPA.


• Hearsay rule Hearsay is second-hand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. Typically, computer-generated evidence is considered hearsay evidence, as the maker of the evidence (the computer) cannot be interrogated. Exceptions are being made where items such as logs and headers (computer-generated materials) are being accepted in court.

NOTE The laws mentioned here are U.S. laws. Other countries and jurisdictions may have similar laws that would need to be considered in a similar manner.

Collecting Evidence

When information or objects are presented to management or admitted to court to support a claim, that information or those objects can be considered as evidence or documentation supporting your investigative efforts. Senior management will always ask a lot of questions—second- and third-order questions that you need to be able to answer quickly. Likewise, in a court, credibility is critical. Therefore, evidence must be properly acquired, identified, protected against tampering, transported, and stored.

Acquiring Evidence

When an incident occurs, you will need to collect data and information to facilitate your investigation. If someone is committing a crime or intentionally violating a company policy, he or she will likely try to hide his/her tracks. Therefore, you should collect as much information as soon as you can. In today’s highly networked world, evidence can be found not only on the workstation or laptop computer, but also on company-owned file servers, security appliances, and servers located with the Internet service provider (ISP).

Data Volatility

The following list shows data sources from the most volatile to the most persistent:

1. CPU storage (registers/cache)

2. System storage (RAM)

3. Kernel tables

4. Fixed media

5. Removable media

6. Output/hardcopy


A first responder must do as much as possible to control damage or loss of evidence. Obviously, as time passes, evidence can be tampered with or destroyed. Look around on the desk, on the Rolodex, under the keyboard, in desktop storage areas, and on cubicle bulletin boards for any information that might be relevant. Secure floppy disks, CDs, flash memory cards, USB drives, tapes, and other removable media. Request copies of logs as soon as possible. Most ISPs will protect logs that could be subpoenaed. Take photos (some localities require use of Polaroid photos, as they are more difficult to modify without obvious tampering) or video tapes. Include photos of operating computer screens and hardware components from multiple angles. Be sure to photograph internal components before removing them for analysis.

When an incident occurs and the computer being used is going to be secured, you must consider two questions: should it be turned off, and should it be disconnected from the network? Forensics professionals debate the reasons for turning a computer on or turning it off. Some state that the plug should be pulled in order to freeze the current state of the computer. However, this results in the loss of any data associated with an attack in progress from the machine. Any data in RAM will also be lost. Further, it may corrupt the computer’s file system and could call into question the validity of your findings.

Imaging or dumping the physical memory of a computer system can help identify evidence not available on a hard drive. This is especially appropriate for rootkits, where evidence on the hard drive is hard to find. Once the memory is imaged, you can use a hex editor to analyze the image offline on another system. (Memory-dumping tools and hex editors are available on the Internet.) Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If a case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memory is acceptable; otherwise, the defendant will be able to easily dispute the claim that evidence was not tampered with.

On the other hand, it is possible for the computer criminal to leave behind a software bomb that you don’t know about, and any commands you execute, including shutting down or restarting the system, could destroy or modify files, information, or evidence. The criminal may have anticipated such an investigation and altered some of the system’s binary files. While teaching at the University of Texas, Austin, Dr. Larry Leibrock led a research project to quantify how many files are changed when turning off and on a Windows workstation. The research documents that approximately 0.6 percent of the operating system files are changed each time a Windows XP system is shut down and restarted.

Further, if the computer being analyzed is a server, it is unlikely management will support taking it offline and shutting it down for investigation. So, from an investigative perspective, either course may be correct or incorrect, depending on the circumstances surrounding the incident. What is most important is that you are deliberate in your work, you document your actions, and you can explain why you took the actions you did.

EXAM TIP For Security+ testing purposes, remember this: the memory should be dumped, the system powered down cleanly, and an image should be made and used as you work.


Many investigative methods are used. Figure 20-2 shows the continuum of investigative methods from simple to more rigorous.

Figure 20-3 shows the relationship between the complexity of your investigation and both the reliability of your forensic data and the difficulty of investigation.

CAUTION: You should never examine a system with the utilities provided by that system. You should always use utilities that have been verified as correct and uncorrupted. Even better, use a forensics workstation, a computer system specifically designed to perform computer forensics activities. Do not open any files or start any applications. If possible, document the current memory and swap files, running processes, and open files. Disconnect the system from the network and immediately contact senior management. If your organization has Computer Incident Response Team (CIRT) procedures, follow them. Capture and secure mail, Domain Name Service (DNS), and other network service logs on supporting hosts. Unless you have appropriate forensic training and experience, consider calling in a professional.

Figure 20-2 Investigative method rigor

Figure 20-3 Rigor of the investigative method versus both data reliability and the difficulty of investigation

Identifying Evidence

Evidence must be properly marked as it is collected so that it can be identified as a particular piece of evidence gathered at the scene. Properly label and store evidence, and make sure the labels can’t be easily removed. Keep a log book identifying each piece of evidence (in case the label is removed); the persons who discovered it; the case number; the date, time, and location of the discovery; and the reason for collection. Note any type of damage to the piece of evidence. Keep a log of all staff hours and expenses. This information should be specific enough for recollection later in court. It is important to log other identifying marks, such as device make, model, serial number, cable configuration or type, and so on.

Being methodical is extremely important while identifying evidence. Do not collect evidence by yourself—have a second person who can serve as a witness to your actions. Keep logs of your actions during both seizure and during analysis and storage. A sample log is shown here:

Item Description                                             Investigator   Case   Date          Time       Location        Reason
Dell Latitude laptop computer, D630, Serial number: 6RKC1G0  Smith          C-25   30 Jan 2010   1325 MST   Room 312 safe   Safekeeping

Protecting Evidence

Protect evidence from electromagnetic or mechanical damage. Ensure that evidence is not tampered with, damaged, or compromised by the procedures used during the investigation. Be careful not to damage the evidence to avoid potential liability problems later. Protect evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration. Use static-free evidence protection gloves as opposed to standard latex gloves. Seal the evidence in a proper container with evidence tape, and mark it with your initials, date, and case number. For example, if a mobile phone with advanced capabilities is seized, it should be properly secured in a hard container designed to prevent accidentally pressing the keys during transit and storage. If the phone is to remain turned on for analysis, radio frequency isolation bags that attenuate the device’s radio signal should be used. This will prevent remote locking or disabling of the device.

Transporting Evidence

Properly log all evidence in and out of controlled storage. Use proper packing techniques, such as placing components in static-free bags, using foam packing material, and using cardboard boxes. Be especially cautious during transport of evidence to ensure custody of evidence is maintained and the evidence isn’t damaged or tampered with.

Storing Evidence

Store the evidence in an evidence room that has low traffic, restricted access, camera monitoring, and entry logging capabilities. Store components in static-free bags, foam packing material, and cardboard boxes.


Conducting the Investigation

When analyzing computer storage components, you must use extreme caution. A copy of the system should be analyzed—never the original system, as that will have to serve as evidence. A system specially designed for forensics examination, known as a forensics workstation, should be used. Forensics workstations typically contain hard drive bays, write blockers, analysis software, and other devices to safely image and protect computer forensic data. Conduct analysis in a controlled environment with strong physical security, minimal traffic, controlled access, and so on.

EXAM TIP Never analyze the seized evidence directly. The original evidence must be secured and protected with a chain of custody. It should never be subjected to a forensic examination, because of the fragile nature of digital evidence. A forensic copy, however, can be examined and, if something goes wrong, discarded, and the copy process can be repeated. A good forensic process will prove that the forensic copy is identical to the original at the start and at the end of the examination. From a practical standpoint, investigators usually make multiple forensic copies and perform their analysis in parallel on the multiple copies.

Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked, “Did you lock the file system?” and can’t answer affirmatively. Or, when asked, “When you imaged this disk drive, did you use a new system?” the witness can’t answer that the destination disk was new or had been completely formatted using a low-level format before data was copied to it.

Tools of the Trade

• Disk wipe utilities Tools to completely delete files and overwrite contents

• File viewers Text and image viewers

• Forensic programs Tools to analyze disk space, file content, system configuration, and so on

• Forensic workstations Specialized workstations containing hardware, software, and component interface capabilities to perform computer forensics activities

• Hard drive tools Partition viewing utilities, bootable CDs

• Unerase tools Tools to reverse file deletions


Unless you have tools specifically designed to take forensic images under Windows, your imaging process should use a LiveCD that executes upon booting the system without installing anything to the hard drive. Only the minimal amount of software should be installed to preclude propagation of a virus or the inadvertent execution of a Trojan horse or other malicious program. Windows can then be used when examining copies of the system. The Helix LiveCD, for example, contains many forensic tools, such as a tool to make forensic images of internal devices and physical memory, a file browser that gives myriad details about files, including the MD5 hash, and tools to analyze graphic files and documents.

Although each investigation will be different, the following image backup process is a good example of a comprehensive investigation:

1. Remove and analyze/image only one component at a time to avoid corrupting data or inadvertently contaminating evidence by dealing with too many aspects of the investigation at one time. Imaging in the forensics workstation is the recommended approach.

2. Remove the hard disk and label it. Be sure to use an antistatic or static-dissipative wristband and mat before conducting forensic analysis.

3. Identify the disk type (IDE, SCSI, or other type). Log the disk capacity, cylinders, heads, and sectors.

4. Image the disk by using a bit-level copy, sector by sector. This will retain deleted files, unallocated clusters, and free and slack space.

5. Make either three or four copies of the drive: one replaces the drive removed if the system is to be returned to its owner and you don’t want to divulge that the drive has been exchanged; a second is marked, sealed, logged, and stored with the original, unmodified disk as evidence; a third will be used for file authentication; and the last is for analysis.

6. Check the disk image to make sure no errors occurred during the imaging process by reviewing the imaging results and logs.

7. Before analyzing the suspect disk, generate a message digest for all system directories, files, disk sectors, and partitions. MD5 and SHA are suitable and are superior to the older CRC32 or weaker hashing algorithms. Remember that even creating the message digest can change file access times, so it is important that you lock the files and use the image, not the original evidence. Keep a good log of the hash values.

8. Inventory all files on the system.

9. Document the system date and time so you have a reference point for your investigation.


TIP Although this text describes the image backup process and provides specific steps to be performed, use the steps as guidelines. Any notes or record of results you make can end up being evidence in a court. Therefore, using a checklist and making notes on it could result in those lists and notes becoming evidence. Your credibility could be damaged if you create specific checklists and skip a step or two because they aren’t applicable—remember that you may need to explain why you skipped certain steps. While following the checklist, keep a log of all commands you issued on the system between the time you identified the incident and the time you imaged the disk. That way, if you are questioned in court about whether you changed anything on the disk, you can say, in effect, “Yes, but here is exactly what I did and here is how it would have changed things.”

Chain of Custody

Evidence, once collected, must be properly controlled to prevent tampering. The chain of custody accounts for all persons who handled or had access to the evidence. The chain of custody shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained.

The following shows critical steps in a chain of custody:

1. Record each item collected as evidence.

2. Record who collected the evidence along with the date and time it was collected or recorded.

3. Write a description of the evidence in the documentation.

4. Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.

5. Record all message digest (hash) values in the documentation.

6. Securely transport the evidence to a protected storage facility.

7. Obtain a signature from the person who accepts the evidence at this storage facility.

8. Provide controls to prevent access to and compromise of the evidence while it is being stored.

9. Securely transport the evidence to court for proceedings.


Free Space vs. Slack Space

When a user deletes a file, the file is not actually deleted. Instead, a pointer in a file allocation table is deleted. This pointer was used by the operating system to track down the file when it was referenced, and the act of “deleting” the file merely removes the pointer and marks the cluster(s) holding the file as available for the operating system to use. The actual data originally stored on the disk remains on the disk (until that space is used again); it just isn’t recognized as a coherent file by the operating system.

Free Space

Since a deleted file is not actually completely erased or overwritten, it sits on the hard disk until the operating system needs to use that space for another file or application. Sometimes the second file that is saved in the same area does not occupy as many clusters as the first file, so a fragment of the original file is left over.

The cluster that holds the fragment of the original file is referred to as free space because the operating system has marked it as usable when needed. As soon as the operating system stores something else in this cluster, it is considered allocated. The unallocated clusters still contain the original data until the operating system overwrites them. Looking at the free space might reveal information left over from files the user thought were deleted from the drive.

Slack Space

Another place that should be reviewed is slack space, which is different from free space. When a file is saved to a storage media, such as a hard drive, the operating system allocates space in blocks of a predefined size, called clusters. Even if your file contains only 10 characters, the operating system will allocate a full cluster—with space left over in the cluster. This is slack space.

It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space. You may also find information in slack space from files that previously occupied that same cluster. Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.
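To make the free-space and slack-space behaviour above concrete, here is an added example (written for this edit, not code from the book) that simulates a cluster-allocated disk in Python: a two-cluster file is "deleted", a five-byte file reuses its first cluster, and the script reports what is still recoverable from free space and from the new file's slack. The 512-byte cluster size, file names and contents are constructed for the demonstration.

```python
CLUSTER = 512  # assumed cluster size for the toy disk (real file systems use 4 KiB or more)


class ToyDisk:
    """A disk of fixed-size clusters plus a FAT-like table mapping names to clusters.

    Nothing ever wipes self.data: exactly as on a real drive, only the table
    changes when a file is deleted, so the bytes linger until overwritten.
    """

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)  # raw storage
        self.table = {}                            # name -> (size, [clusters])
        self.free = list(range(clusters))          # clusters marked available

    def write(self, name, payload):
        needed = max(1, (len(payload) + CLUSTER - 1) // CLUSTER)
        if needed > len(self.free):
            raise OSError("toy disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(used):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the tail of the last
            # cluster keeps whatever was there before. That tail is slack space.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (len(payload), used)
        return used

    def delete(self, name):
        """Remove the pointer and mark the clusters reusable; the data stays."""
        _, used = self.table.pop(name)
        self.free = sorted(self.free + used)

    def free_space(self):
        """Everything in unallocated clusters, as a carving tool would see it."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)

    def slack(self, name):
        """Bytes after the end of the file in its last allocated cluster."""
        size, used = self.table[name]
        offset = size % CLUSTER
        if offset == 0:
            return b""
        last = used[-1]
        return bytes(self.data[last * CLUSTER + offset:(last + 1) * CLUSTER])


def demo():
    """Walk through delete -> reuse and report what an examiner could still find."""
    disk = ToyDisk(clusters=8)
    # Constructed sample content: a 13-byte header plus filler spanning two clusters
    secret = b"SECRET PLAN: " + b"x" * 700
    disk.write("plan.txt", secret)
    disk.delete("plan.txt")
    recoverable = b"SECRET PLAN: " in disk.free_space()

    # A short new file reuses the first freed cluster but overwrites only 5 bytes of it
    disk.write("note.txt", b"hello")
    slack = disk.slack("note.txt")
    return {
        "recoverable_after_delete": recoverable,                                   # True
        "header_in_free_space_after_reuse": b"SECRET PLAN: " in disk.free_space(),  # False
        "slack_bytes": len(slack),                                                 # 507
        "remnant_in_slack": b"T PLAN: " in slack,                                  # True
        "filler_left_in_free_space": disk.free_space().count(b"x"),                # 201
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The header survives intact in free space until the cluster is reused; afterwards its tail is still readable in the new file's slack, which is why both areas must be examined.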

Message Digest and Hash

If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn’t modified. In most cases, a tool that implements a hashing algorithm to create message digests is used.

A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclical redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate some number that is unique based on the information contained in the data stream (or file). If a subsequent hash created on the same data stream results in a different hash value, it usually means that the data stream was changed.


NOTE The mathematics behind hashing algorithms has been researched extensively, and although it is possible that two different data streams could produce the same message digest, it is very improbable. This is an area of cryptography that has been rigorously reviewed, and the mathematics behind Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) is very sound. In 2005, weaknesses were discovered in the MD5 and SHA algorithms, leading the National Institute of Standards and Technology (NIST) to announce a competition to find a new cryptographic hashing algorithm named SHA-3. In December 2010, five finalists (BLAKE, Grøstl, JH, Keccak, and Skein) were selected to enter the third and final evaluation round. Proclamation of a winner and publication of the standard are scheduled to take place in 2012. These algorithms are still strong and are the best available—the discovered weaknesses show they aren’t as strong as originally calculated. (For more information about hashing and algorithms, see Chapter 4.)

The hash tool is applied to each file or log and the message digest value is noted in the investigation documentation. It is a good practice to write the logs to a write-once media such as a CD-ROM. When the case actually goes to trial, the investigator may need to run the tool on the files or logs again to show that they have not been altered in any way.

NOTE The number of files stored on today’s hard drives can be very large, with literally hundreds of thousands of files. Obviously this is far too many for the investigator to analyze. However, by matching the message digests for files installed by the most popular software products to the message digests of the files on the drive being analyzed, the investigator can avoid analyzing approximately 90 percent of the files because he can assume they are unmodified. The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles into a Reference Data Set available for download as a service. See www.nsrl.nist.gov.
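The digest workflow described above (hash each captured file, record the value, re-hash later to prove nothing changed, and skip files that match a reference set) as an added Python example that is not from the chapter. It uses SHA-256; the sample files and the "known" digest set are constructed here and are not real NSRL data.

```python
"""Evidence integrity with message digests: record digests of captured files, verify them
later, and skip files whose digest matches a reference set of known, unmodified files.
Added example; the sample files and the reference set are constructed, not real NSRL data."""
import hashlib
import tempfile
from pathlib import Path


def digest_file(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, algorithm="sha256"):
    """Path -> digest for every captured file; this is what the case notes record."""
    return {str(p): digest_file(p, algorithm) for p in paths}

def verify_manifest(manifest, algorithm="sha256"):
    """Recompute every digest; return the paths whose content no longer matches."""
    return sorted(p for p, d in manifest.items() if digest_file(p, algorithm) != d)

def filter_known(manifest, known_digests):
    """Drop entries whose digest is in the reference set (the NSRL's role in practice),
    leaving only the files the investigator still has to look at."""
    return {p: d for p, d in manifest.items() if d not in known_digests}

def demo():
    """Constructed case: one known system file, two user files, one later tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_file = root / "notepad.exe"
        system_file.write_bytes(b"MZ stub binary")
        memo = root / "memo.txt"
        memo.write_text("quarterly figures, confidential")
        log = root / "access.log"
        log.write_text("10:20 login alice\n")
        manifest = build_manifest([system_file, memo, log])
        known = {digest_file(system_file)}  # stands in for a downloaded reference data set
        to_review = sorted(Path(p).name for p in filter_known(manifest, known))
        log.write_text("10:20 login alice\n10:21 login mallory\n")  # altered after hashing
        changed = [Path(p).name for p in verify_manifest(manifest)]
        return to_review, changed
```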

Analysis

After successfully imaging the drives to be analyzed and calculating and storing the message digests, the investigator can begin the analysis. The details of the investigation will depend on the particulars of the incident being investigated. However, in general, the following steps will be involved:

1. Check the Recycle Bin for deleted files.

2. Check the web browser history files and address bar histories.

3. Check the web browser cookie files. Each web browser stores cookies in different places. Browsers not listed here will require individual research.

a. Internet Explorer stores cookies in two places on Windows machines (a handy tool for viewing IE cookies is IECookiesView, which you can find at CNET Download.com):

• In the Temporary Internet Files folder on Windows XP/2000, c:\Documents and Settings\<username>\Local Settings\Temporary Internet Files; on Windows Vista, C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files.

• In the Cookies folder on Windows XP/2000, c:\Documents and Settings\<username>\Cookies; on Windows Vista, C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies and C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\low.

b. In Netscape for Mac, click the hard drive icon and open the System folder. Double-click Preferences | Netscape Users Folder | Your Profile Folder.

c. Netscape for UNIX stores them in $HOME/netscape.

4. Check the Temporary Internet Files folders. Usually these are found in the Windows directory C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files. This location can be changed, so be sure to check where Internet Explorer is storing those files. In Internet Explorer, choose Tools | Internet Options | General | Browsing History | Settings. The current location will be indicated on that screen.

5. Search files for suspect character strings. To conserve valuable time, be wise in the choice of words you search for, choosing “confidential,” “sensitive,” “sex,” or other explicit words and phrases related to your investigation.

6. Search the slack and free space for suspect character strings as described previously.
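Steps 5 and 6, together with the Slack Space section above, as an added Python example that is not from the chapter: a tiny cluster-based disk image is constructed in the code, and suspect strings are searched for separately in live file data, in slack space, and in free (unallocated) clusters. The cluster size, the image contents and the allocation table are all constructed for the example.

```python
"""Search slack and free space of a constructed cluster-based disk image for
suspect strings. Added example; the image and the allocation table are constructed
here and are not read from any real file system."""
import re

CLUSTER_SIZE = 64  # real clusters are 512 bytes to 64 KB; small here for readability

def slack_length(file_len):
    """Unused bytes left in the last cluster allocated to a file of file_len bytes."""
    return (-file_len) % CLUSTER_SIZE

def cluster_bytes(image, idx):
    return image[idx * CLUSTER_SIZE:(idx + 1) * CLUSTER_SIZE]

def find_strings(data, pattern):
    """Offset and decoded text of each match of the suspect-string regex in data."""
    return [(m.start(), m.group().decode("ascii", "replace")) for m in re.finditer(pattern, data)]

def search_regions(image, allocation, pattern):
    """allocation[i] is None for a free cluster, else (file name, bytes the file uses in cluster i).
    Hits are reported by where they sit: live file data, slack, or free space."""
    hits = {"file": [], "slack": [], "free": []}
    for idx, entry in enumerate(allocation):
        data = cluster_bytes(image, idx)
        if entry is None:  # unallocated: whatever a deleted file left behind
            hits["free"] += [(idx, off, s) for off, s in find_strings(data, pattern)]
        else:
            name, used = entry
            hits["file"] += [(name, off, s) for off, s in find_strings(data[:used], pattern)]
            # slack: the tail of the cluster beyond the file's own bytes
            hits["slack"] += [(name, used + off, s) for off, s in find_strings(data[used:], pattern)]
    return hits

def pad(raw):
    """Fill a cluster to its full size with zero bytes."""
    return raw.ljust(CLUSTER_SIZE, b"\x00")

def demo():
    # Cluster 0 once held a memo; a 10-byte file was later written over its start,
    # so the memo's remainder survives in that file's slack.
    old_memo = pad(b"Budget memo: CONFIDENTIAL merger terms, do not distribute")
    new_file = b"ten chars!"
    notes = b"Meeting notes: nothing unusual here"  # ordinary live file
    freed = b"Deleted: SENSITIVE personnel file removed"  # file deleted; cluster now free
    image = new_file + old_memo[len(new_file):] + pad(notes) + pad(freed)
    allocation = [("hello.txt", len(new_file)), ("notes.txt", len(notes)), None]
    return search_regions(image, allocation, rb"CONFIDENTIAL|SENSITIVE")
```

A real tool reads the allocation state from the file system metadata instead of a hand-built table, but the three regions it distinguishes are the same.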

NOTE The Helix Live CD or Knoppix Live Linux CD are just two examples of the many tools you can use to perform computer forensics activities.

Cleanup: Possible Remediation Actions after an Attack

These are things you’ll need to do to restore your system after you’ve responded to an incident and completed your initial investigation:

1. Place the system behind a firewall.

2. Reload the OS.

3. Run scanners.

4. Install security software.

5. Remove unneeded services and applications.

6. Apply patches.

7. Restore the system from backup.


Chapter Review

This chapter provided information essential to understanding the role of forensic analysis. The topics covered help you understand that certain rules must be followed when dealing with evidence and why evidence must be properly collected, protected, and controlled to be of value during court or disciplinary activities. The terms discussed and concepts presented are essential to understand in your preparation for the Security+ certification exam. Understanding the process of conducting an investigation will not only assist the reader during Security+ exam preparations but will also help in the discovery of potential violations of laws or corporate policies.

Questions

1. Which of the following correctly defines evidence as being sufficient?

A. The evidence is material to the case or has a bearing to the matter at hand.

B. The evidence is presented in the form of business records, printouts, and so on.

C. The evidence is convincing or measures up without question.

D. The evidence is legally qualified and reliable.

2. Which of the following correctly defines direct evidence?

A. The knowledge of the facts is obtained through the five senses of the witness.

B. The evidence consists of tangible objects that prove or disprove a fact.

C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.

D. It is physical evidence that links the suspect to the scene of a crime.

3. Which of the following correctly defines demonstrative evidence?

A. The evidence is legally qualified and reliable.

B. The evidence consists of tangible objects that prove or disprove a fact.

C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.

D. The evidence is in the form of business records, printouts, manuals, and so on.

4. Which of the following correctly defines the best evidence rule?

A. The evidence is legally qualified and reliable.

B. Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (intentional or unintentional) has occurred.

C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.

D. Physical evidence that links the suspect to the scene of a crime.

5. Which of the following correctly defines the exclusionary rule?

A. The knowledge of the facts is obtained through the five senses of the witness.

B. The evidence consists of tangible objects that prove or disprove a fact.

C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.

D. Any evidence collected in violation of the Fourth Amendment is not admissible as evidence.

6. Which of the following is the most rigorous investigative method?

A. Build a new system that completely images the suspect system.

B. Verify software on the suspect system and use that software for investigation.

C. Examine the suspect system using its software without verification.

D. Use a dedicated forensic workstation.

7. Which of the following correctly defines slack space?

A. The space on a disk drive that is occupied by the boot sector

B. The space located at the beginning of a partition

C. The remaining clusters of a previously allocated file that are available for the operating system to use

D. The unused space on a disk drive when a file is smaller than the allocated unit of storage (such as a cluster)

8. Which of the following correctly defines the process of acquiring evidence?

A. Dump the memory, power down the system, create an image of the system, and analyze the image.

B. Power down the system, dump the memory, create an image of the system, and analyze the image.

C. Create an image of the system, analyze the image, dump the memory, and power down the system.

D. Dump the memory, analyze the image, power down the system, and create an image of the system.

9. If you are investigating a computer incident, and you need to remove the disk drive from a computer and replace it with a copy so the user doesn’t know it has been exchanged, how many copies of the disk should you make, and how should they be used?

A. Three copies: One to replace the drive removed, one to be used for file authentication, and one for analysis.


B. Four copies: One to replace the drive removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; and one is for analysis.

C. Five copies: One to replace the drive removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; one is for analysis; and one is for holding message digests.

D. Four copies: One to replace the drive removed; one is marked, sealed, logged, and stored with the original, unmodified disk as evidence; one is for file authentication; and one is for holding message digests.

10. Which of the following correctly describes the hashing concept?

A. A method of verifying that data has been completely deleted from a disk

B. A method of overwriting data with a specified pattern of 1s and 0s on a disk

C. An algorithm that applies mathematical operations to a data stream to calculate a unique number based on the information contained in the data stream

D. A method used to keep an index of all files on a disk

Answers

1. C. is the correct definition. Answer A defines relevant evidence. Answer B defines documentary evidence. Answer D defines competent evidence.

2. A. is the correct definition. Answer B defines real evidence. Answer C defines demonstrative evidence. Answer D defines real evidence.

3. C. is the correct definition. Answer A defines competent evidence. Answer B defines real evidence. Answer D defines documentary evidence.

4. B. is the correct definition. Answer A defines competent evidence. Answer C defines demonstrative evidence. Answer D defines real evidence.

5. D. is the correct definition. Answer A defines direct evidence. Answer B defines real evidence. Answer C defines demonstrative evidence.

6. D. Answers A and B are other methods on the rigor spectrum. Answer C is the least rigorous method.

7. D. Answers A and B are contrived definitions. Answer C defines free space.

8. A. The other answers are not in the correct order.

9. B. The other answers are contrived responses.

10. C. is the correct definition. The other answers are contrived responses.
