COMPUTER Forensics for computer Science

7/30/2019 COMPUTER Forensics for computer Science

COMPUTER FORENSICS

BY

HENRY O. QUARSHIE

INTRODUCTION

Computer forensics is a newer field in the legal and law enforcement field. As the computer industry has taken off and more and more people are investing in a computer, the need to understand, examine and present the facts in a case regarding a computer has become essential.

The persons who identify and analyse evidence found in a computer are called computer forensic experts. These individuals also present the evidence during legal proceedings.

Computer forensics requires a specialized approach and expertise. It goes far beyond what a typical system support analyst or personnel will do for normal data collection.

Instead, the expert in computer forensics must follow legal protocol and still be able to locate the information integral to the case. They will examine the computer to see if it has been an aid in criminal or otherwise illegal activities.

Definition of Computer Forensics

There are a number of slightly varying definitions around. However, generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.

The objective of this is to provide digital evidence of a specific or general activity.

WHO CAN USE COMPUTER FORENSIC EVIDENCE?

A forensic investigation can be initiated for a variety of reasons. The most high-profile ones are usually with respect to criminal investigation or civil litigation, but digital forensic techniques can be of value in a wide variety of situations, including, perhaps, simply re-tracking steps taken when data has been lost.

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:

Criminal Prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.

Civil litigations can readily make use of personal and business records found on computer systems that bear on: fraud, divorce, discrimination, and harassment cases.

Insurance Companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.

Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information.

Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.

Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.

What are the common scenarios?

Wide and varied! Examples include:
- Employee internet abuse (common, but decreasing)
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment (following an incident)
- Criminal fraud and deception cases
- More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
- and countless others!

What will a computer forensics specialist do on the job?

They can take copies of the hard drive; identify and recover lost files; access hidden or protected files; study the residue of previously deleted files; and create a detailed report of all the actions on the computer that can be considered suspect or illegal. Throughout the process, they are not permitted to change the data in any way, as this would be considered literally tampering with the evidence being collected.

The computer forensics expert is specifically trained to prevent altering the data while they search for the remnants and telling signs left on the computer itself.

CYBERCRIME

Cybercrime is defined as crime committed on the internet using the computer as either a tool or a targeted victim. It is very difficult to classify crimes in general into distinct groups, as many crimes evolve on a daily basis.

TYPES OF CYBERCRIME

ELECTRONIC THEFT:

Citibank was subjected to over 40 electronic thefts by a former Russian employee of a St Petersburg software house.

Together with a number of accomplices, he managed to transfer approximately $7.5 million to Finland, California, Israel, Germany, Holland & Switzerland. (source: PCB Lawson House U.S.A)

Police in London foiled a massive bank theft on 17th March 2005; the plan was to steal 220m from the London offices of the Japanese bank, Sumitomo Mitsui. The thieves had managed to infiltrate the system with keylogging software.

CREDIT CARD FRAUD:

An Internet retailer, C. D. Universe, refused to pay $100,000 to a Russian hacker known as "Maxim", who had stolen 300,000 credit card numbers from their web site. As a result, the hacker posted some 25,000 credit card details on the web, for all to see. (source: PCB Lawson House U.S.A)

ONLINE AUCTION FRAUD: It is the number one Internet fraud in the U.S. Goods often don't arrive; in one case a Russian fraudster ordered goods using a stolen credit card, then sold them on an online auction at a low price to United States citizens, who then wired money to an untraceable Latvian bank. (source: PCB Lawson House U.S.A)

Internet auction fraud accounted for 62 percent of the 97,076 Internet fraud complaints that the Internet Crime Complaint Center U.S.A. referred to law-enforcement agencies for investigation in 2005.

PYRAMID FRAUD

It entices the victim with promises of extraordinary returns on investment. Those at the top of the scheme are initially successful, but subsequent investors lose all the money invested. (source: PCB Lawson House U.S.A)

FRAUDULENT INTERNET BANKING SITES

The Internet allows fraudsters to offer bogus but credible-looking banking services. It is difficult for the consumer to discern between genuine and fraudulent Internet banks. The fraudster does not need to go to great expense to dress up his site as genuine, and will entice victims with a promise of high interest rates. (source: PCB Lawson House U.S.A)

PHISHING:

This attack occurs when a hacker tries to get people's banking details electronically and then uses the details to rob bank accounts.

A phishing email claiming that The National Australia Bank (NAB) is bankrupt caught more than 1,000 of the bank's customers in its net. It claimed that the bank's ATMs were not working; this caused panic withdrawals. It invited them to click on a link that would provide them with more information.

The link in fact downloaded a Trojan onto the hapless bank customer's machine. This stole their bank login details and password when they followed the rest of the emailed "advice" to go online to check their balance.

(Source: Channel Register, June 19, 2006)

CYBERTERRORISM:

This is a very real threat in today's information age. Cyberterrorists have at their disposal weapons that can cause severe destruction.

Cyberterrorists, such as Russian cyber gangs, can attack anyone, anywhere, blackmailing organizations into paying them millions to prevent the terrorists from destroying their systems.

A group of British hackers allegedly demanded a 10m ransom from Visa, after they claimed they would crash the Visa system if they were not paid. The hackers stole computer "source codes" that are critical to programming. If the system did crash, even for just a day, the cost to Visa would have run into tens of millions of pounds. (source: PCB Lawson House U.S.A)

LOTTERY SCAM

These are emails that tell the recipient they have won a sum of money in a lottery. The recipient is instructed to keep the notice secret and to contact an agent. After contacting the "agent", the recipient will be asked to pay money as fees, but will never receive any lottery payment.

At the end of 2005, the U.S. Department of Treasury announced that cybercrime had overtaken drug trafficking. Cybercrime cost $180 billion. (source: Sun-Sentinel.com, June 03, 2006)

While criminal activity via the Internet is still a fairly new phenomenon, the FBI ranks it just behind stopping terrorism and counterintelligence on their list of priorities.

The Nigerian 419 scam stole the most money off the Internet. Americans reported losing an all-time high of $183 million to Internet fraud in 2005, up 169 percent from $68 million in 2004. (Source: Internet Crime Complaint Center)

REPORTS (GHANA)

Man of God in 419 for alleged cyber fraud. He claims to have inherited $39m. (source: Daily Graphic, 25th April 2005)

11 Nigerians arrested at a café at Dzowulu with forged documents designed to deceive potential victims. (source: Daily Graphic, 20th Aug 2005)

Online Fraud security council gets tough. Ghana has been blacklisted and could be totally banned from the use of credit cards. (source: Daily Graphic, 19th Sept 2005)

Techniques and Tools used in Computer Crime

Computer Virus, spyware, adware, malware
Cracking
Spamming
Phishing
Cyberterrorism

Computer Virus

A computer virus can be defined by three basic properties:

It is a piece of software (executable code).

It is a parasite. It never remains as a named piece of software. It attaches itself to some other executable code and remains with it. (To attach might mean physically adding to the end of a file, inserting into the middle of a file, or simply placing a pointer to a different location on the disk, somewhere where the virus can find it.)

It reproduces itself. On activation it always tries to spread by attaching itself to other executable code as well.

Since a virus is executable code, for its activation it has to attach itself to code with which it can get executed. Hence a computer virus can live in:

Boot Sector.
Partition Table.
Executable files (EXE, COM, DLL, OVL etc).
Macros in MS Office files (Documents, Spreadsheets etc.)

TYPES OF VIRUSES

Boot / Partition Viruses
File Viruses
Macro Viruses
Backdoor
Worms
Trojans

Boot / Partition Viruses

The Partition Table / Boot Sector virus gets itself housed at the original Boot / Partition areas and shifts the original code to some other location. Most of these viruses remain in memory, thereby taking control of the machine. From there these viruses get themselves attached to the boot sector of the hard drive or to other executables.

Macro Viruses

These are viruses which infect document files like MS-Word. All MS-Office components (Word, Excel, PowerPoint & Access) support writing macros. Unlike the limited macro powers available in the previous generation, these macros provide almost all the functionality of a computer programming language. Viruses too smell the opportunity and target these macros.

Backdoor

A backdoor has two components. It basically creates a client-server environment. The target machine is converted into a server and the attacker poses as a client, taking control of the machine and information.

Worms

A worm is a computer program or a piece of software that has the ability to replicate on its own. It arrives as an e-mail or newsgroup attachment and infects users who run the attachment. The worm alters the host computer's windsock32.dll file, the doorway to the internet. Worms can spread rapidly to other machines on the network. E.g. W32 Nimda, W32 Sircam.

Trojans

A Trojan refers to a program that appears as something you may think is safe, but hidden inside is usually something harmful, probably a worm or a virus. The lure of Trojans is that you may download a game or a picture, thinking it's harmless, but once you execute this file (run it), the worm or virus gets to work.

TECHNIQUES USED BY COMPUTER VIRUS WRITERS

Self-Encryption

This hides the virus's code and its destructive property: the virus remains in the file in encrypted format and decrypts itself at the time of execution. This makes the task of studying the virus a tricky affair.

Thus the virus now consists of 2 parts: one is the decryption routine and the other is the original encrypted code of the virus. If not studied properly, an accidental removal of the virus may result in serious loss of data, so be careful.

Polymorphic nature

The new generation viruses keep on changing and modifying their code. This poly (many) -morphic nature makes virus identification a difficult task. At times the form changes to such an extent that, if not studied properly, some of its variants evade the virus scanner. Almost all new viruses are polymorphic in nature.

Stealth Methodology:

A stealth virus actively conceals itself by temporarily removing itself from an infected file that is about to be examined, and then hiding a copy of itself elsewhere on the drive. It can keep a copy of the boot sector and show it as normal to anti-virus software. Such viruses also report the correct file size even after infecting a file.

SPYWARE

Software that hides itself somewhere on your computer, collecting information about you and what you do on the internet, and passes on your personal details without you ever knowing.

There are currently over 78,000 spyware and adware programs that are infecting innocent Internet users.

HOW SPYWARE WORKS

Steal your passwords
Steal your Identity
SPAM your email account
Crash your computer
Bombard you with advertising
Steal your credit card numbers
Download your private files
Monitor your emails & keystrokes
Watch the sites you visit

Symptoms of SPYWARE

Computer slows down
E-mails bounce back
E-mails being sent without your knowledge
Programs opening and closing
CD drive opening and shutting
Credit card account and password being tampered with (offline symptoms)
Hijacks your homepage

ADWARE

Software that presents advertisements to the user, normally in the form of pop-up adverts. Adware is installed on a user's computer at some Web sites, with "freeware" products, and sometimes with legitimately purchased commercial software.

Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge.

This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates.

SYMPTOMS OF ADWARE

Slow computer performance
New desktop shortcut or switched homepage
Annoying pop-ups on your PC

HOW ADWARE WORKS

Steals your information
Sends deceptive adverts
Breaks websites
Installs new code to your system

CRACKING TECHNIQUES

The following are some of the techniques used by crackers.

1. Remote Penetration: Programs that go out on the Internet (or network) and gain unauthorized control of a computer.
2. Local Penetration: Programs that gain unauthorized access to the computer on which they are run.
3. Remote Denial of Service: Programs that go out on the Internet (or network) and shut down another computer or a service provided by that computer.
4. Local Denial of Service: Programs that shut down the computer on which they are run.
5. Network Scanners: Programs that map out a network to figure out which computers and services are available to be exploited.
6. Vulnerability Scanners: Programs that scour the Internet looking for computers vulnerable to a particular type of attack.
7. Password Crackers: Programs that discover easy-to-guess passwords in encrypted password files. Computers can now guess passwords so quickly that many seemingly complex passwords can be guessed.
8. Sniffers: Programs that listen to network traffic. Often these programs have features to automatically extract usernames, passwords, or credit card information.

Guidelines for Forensic Examination and Analysis

Forensics is a science and an art that requires specialised techniques for the recovery, authentication, and analysis of electronic data for the purposes of investigating a criminal act. Specific processes exist relating to the reconstruction of computer usage, the examination of residual data, the authentication of data by technical analysis or explanation of technical features of data, and computer usage. This is not something the ordinary network administrator should be carrying out.

INTERNATIONAL ORGANISATION ON COMPUTER EVIDENCE

The International Organisation on Computer Evidence (IOCE) was created to develop international principles dealing with how digital evidence is to be collected and handled, so that various courts will recognise and use the evidence in the same manner.

The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:

1: Consistency with all legal systems
2: Allowance for the use of a common language
3: Durability
4: Ability to cross international boundaries
5: Ability to instill confidence in the integrity of evidence
6: Applicability to all forensic evidence
7: Applicability at every level, including that of individual, agency, and country

FORENSICS INVESTIGATION PROCESS

To ensure that forensics activities are carried out in a standardized manner, it is necessary for the team to follow specific laid-out steps so nothing is missed, and thus ensure the evidence is admissible. Each team or company may come up with their own steps, but all are essentially accomplishing the same things.

1: Adhere to your site's Security Policy and engage the appropriate Incident Handling and Law Enforcement personnel. Capture as accurate a picture of the system as possible.

2: When confronted with a choice between collection and analysis, you should do collection first and analysis later.

3: Computer Time and Date Settings

The time and date that files were created can be important in cases involving computer evidence. However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time and date stored in the CMOS chip of the computer.

Consequently, documenting the accuracy of these settings on the computer is important. Without such information, it will be all but impossible to validate the accuracy of the times and dates associated with relevant computer files.

4: Hard Disk Partitions

The potential for hidden or missing data exists when computer hard disk drives are involved. As a result, it is important to document the make, model and size of all hard disk drives contained in the computers. This is accomplished by conducting a physical examination of the hard disk drive.

The factory information recorded on the outside of the hard disk drive should be documented.

5: Operating System and Version

The computer may rely upon one or more operating systems. The operating system involved should be documented.

The results of findings should be noted, and the software and version used should be documented.

6: File Catalog

The files stored on the computer hard disk drive should be listed and cataloged. The dates and times that the files were created and/or updated should also be recorded. Many times relevant leads can be obtained through the sorting of the files by file date and time.

The combination of such information from multiple computers as evidence in the same case can also prove valuable for leads. Such information can be helpful in documenting a conspiracy when sorted file dates and times are evaluated.

7: Backups:

Normally computer evidence is preserved by making an exact copy of the original evidence before any analysis is performed. It is not enough to just make copies of computer files using a conventional backup program. Valuable evidence may exist in the form of erased files, and the data associated with these files can only be preserved through such an exact copy.

8: Never run any programs on the computer in question without taking precautions, e.g. write protection or making a backup. Also, you should not boot or run the computer using the operating system on the computer in question.

It is relatively easy for criminals to rig their computers to destroy hard disk drive content or specific files by planting decoy programs or through the modification of the operating system.

Take Precautions in the Transport of Computer Evidence.

Computer evidence is very fragile. Heat and magnetic fields can destroy or alter it in a very short period of time.
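As an added example (not from the slides), the Python below puts steps 3 and 6 of the process together: it records the offset between the examined machine's clock and a reference clock, then catalogs the files of a working copy with raw and offset-corrected modification times, sorted by corrected time so leads line up across machines. The directory, file names and clock readings are constructed for the demonstration, and the SHA-256 digest per file is an addition the slides do not mention, included so a later reader can show the copy was not altered.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def clock_offset(system_clock: datetime, reference_clock: datetime) -> timedelta:
    """Step 3: how far the examined machine's CMOS clock deviates from a trusted
    reference read at the same moment. Positive means the machine runs fast."""
    return system_clock - reference_clock


def catalog_files(root: str, offset: timedelta) -> list:
    """Step 6: list every file under root with its recorded modification time,
    the same time corrected for the documented offset, its size and a SHA-256
    digest, sorted by corrected time. Run this against the working copy made in
    step 7, never against the original drive (reading still updates access times)."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            raw_mtime = datetime.fromtimestamp(st.st_mtime, tz=UTC)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "raw_mtime": raw_mtime,
                "corrected_mtime": raw_mtime - offset,
                "sha256": digest,
            })
    entries.sort(key=lambda e: (e["corrected_mtime"], e["path"]))
    return entries


def build_sample_evidence() -> str:
    """Constructed sample, not real evidence: three files whose modification
    times are set deliberately, standing in for a working copy of a seized drive."""
    root = tempfile.mkdtemp(prefix="evidence_copy_")
    sample = {
        "docs/ledger.xls": (b"Q1 totals", datetime(2005, 3, 17, 9, 30, tzinfo=UTC)),
        "mail/draft.txt": (b"wire instructions", datetime(2005, 3, 17, 8, 5, tzinfo=UTC)),
        "tmp/setup.exe": (b"MZ", datetime(2005, 3, 16, 23, 59, tzinfo=UTC)),
    }
    for rel, (content, mtime) in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        ts = mtime.timestamp()
        os.utime(path, (ts, ts))
    return root


def run_demo() -> list:
    """Worked case (constructed): the machine's clock read 10:00 when the
    examiner's reference read 09:45 UTC, so every file time is 15 minutes fast."""
    offset = clock_offset(datetime(2005, 3, 17, 10, 0, tzinfo=UTC),
                          datetime(2005, 3, 17, 9, 45, tzinfo=UTC))
    return catalog_files(build_sample_evidence(), offset)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["corrected_mtime"].isoformat(), "(raw %s)" % entry["raw_mtime"].strftime("%H:%M"),
              entry["size"], entry["sha256"][:16], entry["path"])
```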

ANALYSIS OF A SECURITY SOFTWARE

ONLINE PROTECTION

Prevents your system from virus attack by continuously monitoring the system, and prevents virus infection from e-mail attachments, Internet downloads, network, FTP, floppy, data storage devices, CD-DVD ROM file executables and during suspected file copying. All this is done in the background, and you are notified only when a virus-infected file is found or a virus-like activity is detected.

EMAIL PROTECTION

Mail Protection has been redesigned to provide the utmost and best protection to its users. Your e-mail messages are scanned automatically for any malicious code content within.

QUARANTINE

Quarantine helps in safely isolating the infected or suspected files. When a file is added to Quarantine, the files are encrypted and kept inside the Quarantine directory. Being kept in an encrypted form, these files cannot be executed and hence are safe. Quarantine also keeps a copy of the infected file before repairing it.

MESSENGER

It automatically gathers information from the web site and informs you about new viruses, hoaxes, upgrade availability and other information. It can also be used from a local folder or network path.

The messenger starts blinking along with an audio alarm whenever there is a new message. Click on the blinking ball to view the message. A detailed log of messages is also maintained.

Virus List

Provides an exhaustive database of virus names along with their category.

System Information is an essential tool to gather critical information about a Windows-based system for the following cases: this tool gathers information to detect new malware from running processes, the Registry, and system files like Config.sys, Autoexec.bat etc.

REPORTS

This provides detailed information about the functioning of the different modules and about virus scan sessions. Examples are:

Scan reports
Online protection reports
E-mail reports
Scheduler reports

Advanced System Explorer

This tool provides all important information related to your computer such as running processes, installed BHOs, toolbars installed in Internet Explorer, installed ActiveX, Hosts, LSPs, startup programs, Internet Explorer settings and active network connections. This will help diagnose the system for tracing the existence of any new malware or riskware.

Hijack Restore

This restores the important Internet Explorer settings to default settings. Internet Explorer settings modified by malware, spyware, genuine applications and even by you can be easily restored to the default setting using Hijack Restore. This tool also restores certain other critical operating system settings like the registry editor and task manager.

DNAScan

This detects new and unknown threats without the need for an update. Additionally it copies the suspected file into the quarantine directory before taking any action. These quarantined suspicious files are submitted to a research lab for further analysis. After the detailed analysis it can then be added to the known threat database, which will be provided in updates to all the users. This can only be possible if they are detected and eliminated before their wide spread. DNAScan technology successfully traps suspected files with very few false alarms.

WINDOW SPY

This tool can be used to find out more information about an application or process whenever required. At times it happens that we keep on getting dialog boxes or messages that are shown by spyware or some malware and we are not able to locate the malware. In such a situation this tool can be used to find out more information about the application by dragging the target onto the dialog or window that appears on the screen.

This tool will provide the following information about the dialog or window:

Application Name
Original File Name
Company Name
File Description
File Version
Internal Name
Product Name
Product Version
Copyright Information
Comments

ANTI-SPAM

Anti-spam tags unwanted emails like spam, phishing emails and porn emails. It blocks unwanted mails coming to your inbox. Anti-Spam scans the mail; while scanning, it will append the subject of the spam mail with [SPAM] -. A SpamMails folder in the e-mail client gets created automatically and all spam mails will be directly moved to that folder.

Spam is estimated to account for up to 40% of global e-mail traffic and is causing a massive headache for businesses, which are losing billions in productivity.

ANTI-PHISHING

This prevents you from accessing phishing and fraudulent websites. Phishing is a fraudulent attempt, usually made through email, to steal your personal information. This automatically scans all accessed web pages for fraudulent activity, protecting you against any phishing attack as you surf the internet. It prevents identity theft by blocking phishing websites, so you can do online shopping, banking and website surfing safely.

Phishing is generally attempted through emails. They usually ask for your personal information, such as credit card number, social security number, account number or password.

In order for Internet criminals to successfully "phish" your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested.

Privacy Considerations

1: Respect the privacy rules and guidelines of your client and your legal jurisdiction. In particular, make sure no information collected along with the evidence you are searching for is available to anyone who would not normally have access to this information.

2: Do not intrude on people's privacy without strong justification. In particular, do not collect information from areas you do not normally have reason to access (such as personal file stores) unless you have sufficient indication that there is a real incident.

3: Make sure you have the backing of your company's established procedures in taking the steps you do to collect evidence of an incident.

Legal Considerations

Computer evidence needs to be:

1: Admissible: It must conform to certain legal rules before it can be put before a court.
2: Authentic: It must be possible to positively tie evidentiary material to the incident.
3: Complete: It must tell the whole story and not just a particular perspective.
4: Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt about its authenticity and veracity.
5: Believable: It must be readily believable and understandable by a court.

Transparency

The methods used to collect evidence should be transparent and reproducible. You should be prepared to reproduce precisely the methods you used, and to have those methods tested by independent experts.

Collection Steps

1: List what systems were involved in the incident and from which evidence will be collected.
2: Establish what is likely to be relevant and admissible.
3: Don't forget the people involved. Make notes of who was there and what they were doing, what they observed and how they reacted.

Chain of Custody

You should be able to clearly describe how the evidence was found, how it was handled and everything that happened to it. The following need to be documented:

1: Where, when, and by whom was the evidence discovered and collected.
2: Where, when and by whom was the evidence handled or examined.
3: Who had custody of the evidence, during what period.
4: How was it stored.
5: When the evidence changed custody, when and how did the transfer occur.
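Added example, not part of the original deck: a minimal chain-of-custody record in Python holding the five facts listed above, with a check that flags an examiner who handled the evidence without a recorded transfer, and a helper that derives the custody periods of item 3 from the transfers. The officers, places and times are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class CustodyEvent:
    """One line of the record: where, when and by whom (items 1 and 2).
    action is one of: collected, examined, stored, transferred."""
    when: datetime
    who: str
    where: str
    action: str
    how: str = ""                        # storage method (item 4) or transfer method (item 5)
    received_from: Optional[str] = None  # for transfers: the previous custodian (item 5)


def check_chain(events: List[CustodyEvent]) -> List[str]:
    """Return the gaps a court would ask about; an empty list means every
    handling step was performed by whoever held custody at that time."""
    problems = []
    if not events:
        return ["empty record"]
    if events[0].action != "collected":
        problems.append("record does not begin with discovery/collection (item 1)")
    custodian = events[0].who
    for prev, ev in zip(events, events[1:]):
        stamp = f"{ev.when:%Y-%m-%d %H:%M}"
        if ev.when < prev.when:
            problems.append(f"{stamp}: entry out of chronological order")
        if ev.action == "transferred":
            if ev.received_from != custodian:
                problems.append(f"{stamp}: transfer recorded from {ev.received_from!r} "
                                f"but custodian was {custodian!r} (item 5)")
            if not ev.how:
                problems.append(f"{stamp}: transfer without a recorded method (item 5)")
            custodian = ev.who
        elif ev.who != custodian:
            problems.append(f"{stamp}: {ev.who!r} handled evidence held by "
                            f"{custodian!r} with no recorded transfer (items 2, 3)")
        elif ev.action == "stored" and not ev.how:
            problems.append(f"{stamp}: storage without a recorded method (item 4)")
    return problems


def custody_periods(events: List[CustodyEvent]) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Item 3: who had custody and during what period (None = still holds it)."""
    periods = []
    start, holder = events[0].when, events[0].who
    for ev in events[1:]:
        if ev.action == "transferred":
            periods.append((holder, start, ev.when))
            start, holder = ev.when, ev.who
    periods.append((holder, start, None))
    return periods


# Constructed sample record: a hard drive seized by an officer and handed to a lab.
GOOD_RECORD = [
    CustodyEvent(datetime(2005, 3, 17, 9, 0), "PC Mensah", "suspect's office, desk 3", "collected"),
    CustodyEvent(datetime(2005, 3, 17, 9, 40), "PC Mensah", "evidence van", "stored",
                 how="anti-static bag, sealed with tag E-001"),
    CustodyEvent(datetime(2005, 3, 17, 11, 0), "A. Quaye (lab)", "forensic lab intake", "transferred",
                 how="hand-over in person, both signatures on form", received_from="PC Mensah"),
    CustodyEvent(datetime(2005, 3, 18, 8, 30), "A. Quaye (lab)", "forensic lab bench 2", "examined",
                 how="write-blocked imaging"),
]
# Same record with the hand-over line missing: the examiner appears out of nowhere.
BAD_RECORD = GOOD_RECORD[:2] + [GOOD_RECORD[3]]

if __name__ == "__main__":
    print("good record:", check_chain(GOOD_RECORD) or "no gaps")
    print("bad record: ", check_chain(BAD_RECORD))
    for holder, start, end in custody_periods(GOOD_RECORD):
        print(f"{holder}: {start:%Y-%m-%d %H:%M} -> {end or 'present'}")
```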