Computer Forensics


<p>COMPUTER FORENSICS</p>
<p>Mr Kolapo Oyeusi, 04044790</p>
<p>Supervisor: Dr. Nick Ioannides</p>
<p>A Dissertation submitted in partial fulfilment of the requirements of London Metropolitan University for the degree of Bachelor of Science in Computer Networking with Honours</p>
<p>May 2009</p>
<p>Faculty of Computing</p>
<p>TABLE OF CONTENTS</p>
<p>Definition of Terms
Glossary
Acknowledgements
Dedication
Abstract
Chapter 1: Introduction
Chapter 2: Literature review
Chapter 3: Approach and scope
Chapter 4: Practical/Simulation/Research work and Results
Chapter 5: A Critical Appraisal, Recommendations and Suggestions for further Work
Summary
Chapter 6: Conclusions
Appendices
Appendix A: Project Proposal Report
Appendix B: Materials (i.e. configurations, program source listings etc.)
Reference and Bibliography</p>
<p>Definition of terms</p>
<p>Write-blockers: devices that allow the contents of a drive to be acquired without any possibility of accidentally altering or damaging them. Hardware write-blockers may be IDE-to-IDE or FireWire/USB-to-IDE.</p>
<p>Good data: known file types such as operating system files and the files of common programs (Microsoft Word etc.).</p>
<p>Chapter 1: Introduction</p>
<p>Computer forensics is the collection, preservation, analysis and presentation of computer-related evidence that can be useful in criminal cases, civil disputes and human resources/employment proceedings (Vacca, 2005). With the growth of the internet and the ever-changing digital environment, the need for computer forensics experts cannot be over-emphasised. The world is gradually becoming a global village because of the internet and the personal computer: business and transactions that would once have been done in person are now carried out online. The internet has made targets far more accessible, and the risk to the criminal is much lower than for traditional crimes. 
With more people embracing the internet, the number of internet users is expected to rise from the current 657 million to 794 million in 2009 (Vacca, 2005). The word forensic itself comes from the medical field: forensic medicine has been a recognised discipline since the 18th century (Dixon, 2005). The computer industry has taken computer forensics seriously for some years now, following embarrassing break-ins by teenage hackers, and computer forensics is one of the fastest-growing professions of the 21st century (Vacca, 2005). This is partly due to the growth of the internet, which leaves organisations and individuals exposed to security threats. It is difficult to pinpoint the first computer forensic examination, but the term computer forensics was coined in 1991 at the first training session held by the International Association of Computer Investigative Specialists (IACIS).</p>
<p>Computer forensics has also been described as the autopsy of a computer hard disk drive, because specialised software tools and techniques are required to analyse, after the fact, the various levels at which computer data is stored. The military and the intelligence agencies have been involved in computer forensics since the mid-1980s, but the field is relatively new to the private sector. Computer forensic tools and procedures are also used to identify computer security weaknesses and the leakage of sensitive data. The main goals of computer forensics are the preservation, identification, extraction, documentation and interpretation of recovered computer data.</p>
<p>Chapter 2: Literature review</p>
<p>Many criminal activities are now committed with computers: cyber terrorism, internet fraud, viruses, illegal downloads, falsification of documents, child pornography, counterfeiting, economic espionage and benefit fraud, as well as matters that end in human resources/employment proceedings, to mention a few. 
As such, legislation is needed to prosecute the perpetrators of these crimes, and this is where the skills of a forensic expert come in: to build indisputable evidence against them. If the computer and its contents are examined by anyone other than a trained and experienced computer forensics specialist, the usefulness and credibility of that evidence will be tainted (Vacca, 2005). A highly skilled computer forensic analyst understands the discipline as well as the use of computer forensic tools. Network forensic investigators, on the other hand, use log files to determine when users logged on, which URLs they accessed, how they logged on to the network and from what location. In special cases, forensic experts use electron microscopes and other sophisticated equipment to retrieve information from machines that have been damaged or formatted; this is very capital intensive and can cost more than $20,000 (Nelson et al., 2008). A recent survey shows that both public and private agencies face serious threats from external and internal sources (Computer Crime and Security Survey, 2003).</p>
<p>Three roles should be considered when carrying out a computer forensic examination: a computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. Knowing what role the computer played can be of tremendous help when searching for evidence, and it also reduces the time taken to package the evidence.</p>
<p>The evidence required may be located on a network, on an embedded system or on a dead system. Most forensic examinations are carried out on dead systems that have been delivered for analysis. 
It is recommended that computers be powered down at seizure to prevent loss of evidence, but doing so before volatile evidence has been collected can itself lose evidence on systems with large amounts of RAM or active network connections (Casey, 2002). The integrity and security of the evidence is the priority throughout an investigation, and there are stringent guidelines that must be adhered to even when time is short. A computer forensics specialist should not rely on a single tool to preserve, identify, extract and validate computer evidence. Cross-validation using multiple tools and techniques is standard in all forensic sciences; where it is not done, defence lawyers can challenge the accuracy of the software tool used, and thus the integrity of the results. Validating results with more than one tool removes doubt about the accuracy of the evidence.</p>
<p>When searching a computer system for graphical images, it is not enough to look for files with GIF or JPEG extensions, since the suspect may have saved an image under another extension such as DOC. Every sector of the physical disk should therefore be searched for the signatures of the file types of interest (Casey, 2002). Encryption and steganography both hinder the examiner: encryption makes it difficult to analyse evidence that has been found, collected, documented and preserved, while steganography hides the very existence of the information.</p>
<p>An individual using a specialist data-hiding tool such as Marutukku can protect their data from all data recovery techniques (Casey, 2002). Computers have featured in litigation for over 31 years: in 1977 there were 20 UK cases in which the word computer appeared and which were sufficiently important to be noted in the Lexis database. 
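</p>
<p>The search described above, every sector of the disk and no reliance on file extensions, is what a signature carver does. The following is an added example written for this page, not code from the dissertation or from any tool it names: it walks a constructed raw image byte by byte, finds JPEG and GIF files by their header and trailer bytes, and reports each hit with its offset and SHA-256 so that it can be logged. The image contents, the offsets and the file name budget.doc are all made up for the example.</p>

```python
"""Signature-based carving of JPEG and GIF files from a raw disk image.

Added example: scans every byte of the image for file headers, independent
of any file name or extension recorded in the file system, and recovers
each file up to its trailer signature.
"""
import hashlib

# Header and trailer byte signatures. JPEG: SOI marker FF D8 FF ... EOI FF D9.
# GIF: "GIF87a" / "GIF89a" ... trailer byte 0x3B.
SIGNATURES = {
    "jpg": {"headers": [b"\xff\xd8\xff"], "trailer": b"\xff\xd9"},
    "gif": {"headers": [b"GIF87a", b"GIF89a"], "trailer": b"\x3b"},
}
MAX_CARVE = 16 * 1024 * 1024  # give up on a header if no trailer within 16 MiB


def carve(image: bytes, max_size: int = MAX_CARVE):
    """Return a list of (offset, type, data) for every file found, sorted by
    offset. The scan is byte-granular, so files at unaligned offsets and
    files embedded inside other files are found too."""
    found = []
    for ftype, sig in SIGNATURES.items():
        for header in sig["headers"]:
            pos = image.find(header)
            while pos != -1:
                limit = min(len(image), pos + max_size)
                end = image.find(sig["trailer"], pos + len(header), limit)
                if end == -1:
                    # Header without a trailer in range: skip this hit only.
                    pos = image.find(header, pos + len(header))
                    continue
                end += len(sig["trailer"])
                found.append((pos, ftype, image[pos:end]))
                pos = image.find(header, end)
    found.sort(key=lambda hit: hit[0])
    return found


def manifest(hits):
    """Examiner's log entry per carved file: offset, type, size, SHA-256."""
    return [
        {"offset": off, "type": ftype, "size": len(data),
         "sha256": hashlib.sha256(data).hexdigest()}
        for off, ftype, data in hits
    ]


def build_sample_image() -> bytes:
    """Constructed image, not real evidence: filler, a JPEG that the suspect
    had stored under the name budget.doc, more filler, then a GIF. Neither
    file starts on a 512-byte sector boundary."""
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 40 + b"\xff\xd9")                     # 62 bytes
    gif = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"                 # header + screen descriptor
           + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"         # 1x1 image descriptor
           + b"\x02\x02\x44\x01\x00"                             # LZW data block
           + b"\x3b")                                            # trailer, 29 bytes total
    filler = b"\x00" * 700 + b"budget.doc quarterly figures" + b"\x00" * 300
    return filler + jpeg + b"\x00" * 1300 + gif + b"\x00" * 512


if __name__ == "__main__":
    for entry in manifest(carve(build_sample_image())):
        print(entry)
```

<p>Two caveats a practitioner would want: the GIF trailer is a single byte, so a real carver parses the GIF block structure rather than stopping at the first 0x3B, and a JPEG can contain an embedded thumbnail with its own SOI/EOI markers, so carving on the first EOI can truncate the file. The carved data should be hashed at the moment it is recovered, as the manifest does, so that the report can show the file has not changed since.</p>
<p>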
In the United States there were 291 federal cases and 246 state cases in which it appeared (Vacca, 2005). People often think of a computer forensic expert as someone who recovers lost digital data from a computer, but the work goes far beyond that. Countries all over the world are creating new laws and amending old ones in response to the surge in computer-related crime, because without the necessary legal backing to bring perpetrators to justice, the work of a computer forensic specialist is in vain. Likewise, businesses are adjusting their policies to protect themselves against disgruntled employees willing to reveal sensitive client records and trade secrets. Engaging a computer forensic specialist can be tricky: expertise and experience alone are not enough, since the individual must also be able to testify and stand up to the scrutiny and pressure of cross-examination in court.</p>
<p>In the early 1980s, computer forensic tools were simple and were mainly produced by government agencies such as the U.S. Internal Revenue Service (IRS) and the Royal Canadian Mounted Police (RCMP) in Ottawa. Most were written in C and assembly language and were not widely used. In the mid-1980s, software known as XTree Gold was introduced which could recognise file types and retrieve lost or deleted files. Shortly after the release of XTree, Norton released DiskEdit, which became the best tool for finding deleted files at that time because it was compatible with most PCs. In the 1990s, specialist tools for computer forensics became available, and the International Association of Computer Investigative Specialists (IACIS) began training on software for computer forensic investigation. ASR Data created a commercial GUI forensic tool called Expert Witness. 
Expert Witness could recover deleted files and fragments of deleted files. One of ASR Data's partners left to develop EnCase, which went on to become the most popular forensic tool.</p>
<p>DATA RECOVERY</p>
<p>Data recovery is the process in which highly trained forensic experts evaluate and extract data from damaged media and return it in an intact format (Vacca, 2005). Data may be lost through system crashes, accidental deletion, viruses corrupting files or a disgruntled employee destroying files, to mention a few causes. There is a high chance of recovering all of the data if recovery is attempted shortly after the files were removed. Linux systems using the ext2 file system have slack space, the unused bytes between the end of a file's data and the end of its last allocated block, just as other block-based file systems do. A tool called bmap can write data into slack space, read it back out and wipe the slack clean if required. Data can be hidden in slack space to store secrets, to plant evidence, or to hide tools from integrity checkers, which hash only the logical contents of files.</p>
<p>EVIDENCE COLLECTION</p>
<p>There are two main reasons why evidence needs to be collected: 1) future prevention, and 2) responsibility.</p>
<p>The job of a computer forensic specialist goes far beyond data recovery. Evidence collection must be done methodically, by professionals trained for the purpose.</p>
<p>Real evidence is any evidence that speaks for itself without relying on anything else; for instance, a log produced by an audit function that is free from contamination. Testimonial evidence is any evidence supplied by a witness, and it depends on the reliability of that witness: as long as the witness is reliable, testimonial evidence can be as powerful as real evidence. It should be noted that hearsay is generally inadmissible in court. 
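</p>
<p>As an added illustration of the slack space discussed in the data recovery section above (example code written for this page; it is neither the dissertation's own code nor the bmap tool), a toy volume with fixed-size clusters shows where a file's slack lies, how a data-hiding tool can plant a payload there without changing the file's recorded size, and the check an examiner runs to find files whose slack is not empty. The cluster size, the volume layout, the file names and the hidden string are all constructed for the example.</p>

```python
"""Slack space on a toy cluster-based volume.

Added example: shows where a file's slack lies, how a tool such as bmap
can park data there, and how an examiner finds slack that is not empty.
The volume is a simplified model built for this example, not a driver for
any real file system.
"""
CLUSTER_SIZE = 4096  # bytes per allocation unit (assumed for the example)


class Volume:
    """Array of fixed-size clusters plus a directory mapping each file name
    to (first_cluster, logical_size). Files are stored contiguously."""

    def __init__(self, clusters: int):
        self.data = bytearray(CLUSTER_SIZE * clusters)
        self.files = {}

    def write_file(self, name: str, first_cluster: int, content: bytes):
        start = first_cluster * CLUSTER_SIZE
        self.data[start:start + len(content)] = content
        self.files[name] = (first_cluster, len(content))

    def slack_range(self, name: str):
        """(start, end) byte offsets of the file's slack: from the end of its
        logical contents to the end of its last allocated cluster."""
        first, size = self.files[name]
        if size == 0:                              # an empty file owns no cluster
            off = first * CLUSTER_SIZE
            return off, off
        clusters_used = -(-size // CLUSTER_SIZE)   # ceiling division
        start = first * CLUSTER_SIZE + size
        end = (first + clusters_used) * CLUSTER_SIZE
        return start, end

    def slack(self, name: str) -> bytes:
        start, end = self.slack_range(name)
        return bytes(self.data[start:end])

    def hide_in_slack(self, name: str, payload: bytes):
        """What a data-hiding tool does: write past the logical end of the
        file without touching its recorded size, so ordinary file tools and
        content-hashing integrity checkers never see the payload."""
        start, end = self.slack_range(name)
        if len(payload) > end - start:
            raise ValueError("payload larger than the available slack")
        self.data[start:start + len(payload)] = payload

    def wipe_slack(self, name: str):
        start, end = self.slack_range(name)
        self.data[start:end] = bytes(end - start)


def files_with_slack_payload(vol: Volume):
    """Examiner's check: files whose slack contains anything but zeros."""
    return [name for name in vol.files if any(vol.slack(name))]


def build_sample_volume() -> Volume:
    """Constructed volume: a memo with 3246 bytes of slack, a file that fills
    its cluster exactly (no slack), and a secret planted in the memo's slack."""
    vol = Volume(clusters=8)
    vol.write_file("memo.txt", 2, b"Q3 staffing memo\n" * 50)   # 850 bytes
    vol.write_file("full.bin", 4, bytes(range(256)) * 16)       # exactly 4096 bytes
    vol.hide_in_slack("memo.txt", b"offshore acct 4471-0923, pin 5531")
    return vol


if __name__ == "__main__":
    v = build_sample_volume()
    print("slack of memo.txt:", v.slack_range("memo.txt"))
    print("files with non-empty slack:", files_with_slack_payload(v))
```

<p>The caveat for the examiner is that non-zero slack is not by itself proof of deliberate hiding: on a real volume the slack of a file routinely contains remnants of whatever earlier, since-deleted file occupied that cluster. What the check above gives you is a list of places worth looking; the content then has to be interpreted and, as with any recovered data, hashed and logged.</p>
<p>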
RULES OF EVIDENCE COLLECTION</p>
<p>The five rules of electronic evidence collection correspond to the five properties that evidence must have to be useful:
1) Admissible: the evidence gathered must be usable in court or before a tribunal.
2) Authentic: the evidence must be positively tied to the incident.
3) Complete: the evidence must tell the whole story, showing that the offender is liable for the offence even though other people were present at the time of the attack; evidence that implicates and evidence that vindicates must both be collected.
4) Reliable: neither the methods used to collect the evidence nor the analysis procedure may cast any doubt on the evidence's authenticity.
5) Believable: the evidence presented must be understandable and believable to a jury.</p>
<p>To produce believable evidence there are guidelines that must be adhered to:
• Minimise handling and corruption of the original data
• Account for any changes and keep detailed logs of your actions
• Comply with the five rules of evidence
• Don't exceed your knowledge
• Follow your local security policy
• Capture as accurate an image of the system as possible
• Be prepared to testify
• Work fast
• Proceed from volatile to persistent evidence
• Don't shut down before collecting evidence
• Don't run any programs on the affected system</p>
<p>TYPES OF COMPUTER FORENSIC TOOLS</p>
<p>Computer forensic tools fall into two major categories: hardware forensic tools and software forensic tools.</p>
<p>Hardware forensic tools</p>
<p>Hardware forensic tools vary from simple, single-purpose components to complete systems and servers. An example of a single-purpose component is the ACARD AEC-7720WP Ultra Wide SCSI-to-IDE bridge, which write-blocks an IDE drive connected via a SCSI cable.</p>
<p>Fig: ACARD AEC-7720WP Ultra Wide SCSI-to-IDE Bridge</p>
<p>Examples of complete forensic systems include the Digital Intelligence F.R.E.D. 
systems, the DIBS Advanced Forensic Workstation, and Forensic Computers' forensic examination stations and portable units (e.g. Talon), to mention a few.</p>
<p>Fig: Digital Intelligence F.R.E.D. systems</p>
<p>Forensic Recovery of Evidence Device (F.R.E.D.) systems are designed for a stationary laboratory. They can acquire data directly from a whole range of hard drives and storage devices, including DLT-V4 tapes, and save the resulting forensic image to DVD, CD or hard drive.</p>
<p>Fig: DIBS Advanced Forensic Workstation</p>
<p>The DIBS Advanced Forensic Workstation is a versatile and easy-to-use piece of forensic equipment that can copy and analyse hard drives under Windows XP. The unit runs on a 3 GHz Pentium 4 processor with 1 GB of RAM. Evidence produced with DIBS is accepted in courts throughout the world.</p>
<p>Fig: Portable Forensic Lab (PFL)</p>
<p>The hand-held Talon is an advanced forensic capture system designed specifically for law enforcement, the military, corporate security, investigators and auditors. Talon can image and verify data at up to 4 GB/min, which makes it the industry's most powerful and versatile data capture system. It captures IDE/UDMA/SATA drives directly and SCSI drives via a USB cable.</p>
<p>Software forensic tools</p>
<p>Software forensic tools can be divided into command-line applications and GUI applications. Some are designed to perform only one task; a good example is SafeBack, a command-line disk acquisition tool...</p>
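<p>SafeBack and the hardware imagers above all do the same core job: a bit-for-bit copy of the source, hashed so that the image can later be shown to match what was read, with unreadable sectors handled rather than silently dropped. The following added example (written for this page; it is not SafeBack and not the dissertation's code) implements that for a stream in Python. Its source is a constructed stand-in for a drive with one unreadable block: the block is zero-filled so that every later byte keeps its original offset (the behaviour of dd conv=noerror,sync), its index is recorded in the acquisition log, and the copy is hashed with two different algorithms so that the two results cross-validate each other, as the literature review argues for. Verification re-reads the image and compares both hashes with the log. The block size, the sample data and the FaultySource class are assumptions of the example.</p>

```python
"""Verified bit-for-bit acquisition of a block device or stream.

Added example (not SafeBack and not the dissertation's code): copies the
source block by block, zero-fills blocks the source cannot read so that
every later byte keeps its original offset, hashes the copy with two
independent algorithms, and records everything in an acquisition log that
a later re-hash of the image is checked against.
"""
import hashlib
import io
import time

BLOCK_SIZE = 4096  # assumed; a real run would use the device's sector size or larger


def acquire(src, dst, block_size: int = BLOCK_SIZE) -> dict:
    """Copy src.read() to dst.write() until EOF. Returns the acquisition log."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bytes_written, bad_blocks, index = 0, [], 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            # Unreadable block: keep alignment by writing zeros, log its index.
            chunk = bytes(block_size)
            bad_blocks.append(index)
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        bytes_written += len(chunk)
        index += 1
    return {
        "started_utc": started,
        "block_size": block_size,
        "bytes": bytes_written,
        "bad_blocks": bad_blocks,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify(image, log: dict) -> bool:
    """Re-hash a readable image and compare with the log; both hashes must match."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: image.read(log["block_size"]), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest() == log["md5"] and sha256.hexdigest() == log["sha256"]


class FaultySource:
    """Constructed stand-in for a drive with one unreadable block: read()
    raises OSError for that block, and the next read continues after it."""

    def __init__(self, data: bytes, block_size: int, bad_block: int):
        self.data, self.block_size, self.bad_block, self.pos = data, block_size, bad_block, 0

    def read(self, n: int) -> bytes:
        start = self.pos
        self.pos = min(len(self.data), start + n)
        if start < len(self.data) and start // self.block_size == self.bad_block:
            raise OSError("Input/output error")
        return self.data[start:self.pos]


def sample_media() -> bytes:
    """Deterministic 20000-byte stand-in for a small drive (constructed data)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(625))


def acquire_to_bytes(src, block_size: int = BLOCK_SIZE):
    """Convenience wrapper: acquire into memory and return (log, image_bytes)."""
    image = io.BytesIO()
    log = acquire(src, image, block_size)
    return log, image.getvalue()


def verify_bytes(image_bytes: bytes, log: dict) -> bool:
    return verify(io.BytesIO(image_bytes), log)


if __name__ == "__main__":
    log, image = acquire_to_bytes(FaultySource(sample_media(), BLOCK_SIZE, bad_block=2))
    print(log)
    print("image verifies:", verify_bytes(image, log))
```

<p>The hashes in the log are of the data as read, so in practice the source device is hashed again afterwards, through the write-blocker, and that figure is recorded alongside them in the chain-of-custody paperwork; the bad-block list explains any difference between the two. Two algorithms are the cheap form of the cross-validation the review calls for: a matching SHA-256 rules out the possibility that an MD5 match is coincidental.</p>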