Computer Forensics and Cyber Crime PDF
2013
Marjie T. Britz
Summary
This document summarizes computer forensics terminology and requirements. It works through the issues in computer investigations, from evidence integrity to the minimum software tools required, and explains the various schemes of data storage in detail.
Computer Forensics and Cyber Crime
CHAPTER 10: Computer Forensics: Terminology and Requirements
Computer Forensics and Cyber Crime, 3rd ed. Copyright © 2013 by Pearson Education, Inc. Marjie T. Britz. All Rights Reserved.

Computer Forensics
Computer forensics is the practice of collecting, analyzing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Computer Forensics – An Emerging Discipline
Three converging developments:
- New technology
- New patterns of criminal behavior
- New police techniques and strategies

Computer Forensics – An Emerging Discipline
Necessary to maintain the integrity of evidence:
- Maintaining a chain of custody
- Ensuring that viruses are not introduced to a suspect machine during analysis
- Ensuring that evidence remains in an unaltered state
Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.

Computer Forensics – An Emerging Discipline
Goal: Protect digital evidence from possible alterations, damage, data corruption, or infection, whether by design or by carelessness.
Traditional Problems in Computer Investigations
- Inadequate resources: for local law enforcement, increased responsibilities and dwindling budgets reduce the chances of taking advantage of the limited educational opportunities available
- Lack of communication and cooperation among agencies: forced alliances may not achieve much success
- Excessive dependence on automated programs and self-proclaimed experts
- Great need equals great expectations for any efforts?

Traditional Problems in Computer Investigations
- Lack of reporting: because victims perceive law enforcement as incompetent, the rate of reporting is low
- Exacerbated by corporate advisors' self-serving, discouraging take on the process
- Belief that law enforcement lacks sufficient resources

Traditional Problems in Computer Investigations
Evidence Corruption – Cardinal Rules of Computer Investigations
- Always work from an image, leaving the original hard drive unaltered.
- Document, document, document.
- Maintain the chain of custody.

Disk Structure and Digital Evidence
Terms to know:
- Computer, hardware, software, firmware, operating systems
- Computer storage: primary storage, secondary storage
- Nonvolatile storage, static memory, volatile memory (cache, RAM)
- Floppy disks or diskettes, CD-ROMs, CD-RWs, hard/fixed disks
Disk Structure and Data Storage
Drives:
- Physical: devices and data at the electronic or machine level
  - Physical file size: the actual space that the file occupies on a disk
- Logical: allocated parts of a physical drive that are designated and managed as independent units; the most important view in computer forensics
  - Logical file size: the exact size of a file in bytes

Disk Structure and Digital Evidence
Terms:
- Spindle, shaft, platters, head, actuator arm, tracks, cylinder, sectors
- Bits, ASCII, binary system, hexadecimal system
- Clusters (aka file allocation units), compressed files

Data Storage Scheme
Sectors: data is stored on disks in fixed units called sectors. A sector is the smallest physical storage unit on a disk, an arc-shaped portion of one of the disk's tracks. The operating system determines the size of each sector; magnetic disks formatted for Windows use a standard 512-byte sector. Sectors are numbered sequentially, beginning at 1, on a track-by-track basis.

Data Storage Scheme
Clusters (file allocation units): comprised of one or more adjacent sectors, clusters are the basic allocation units of magnetic disk storage. Although their size varies with disk size, clusters represent the minimum space allocated to an individual file in DOS.

Data Storage Scheme
Logical file size: the exact size of a file in bytes. Physical file size: the actual amount of space that the file occupies on a disk.
File slack space: the portion of unused space between the logical end of a file and the physical end of its last cluster. The distinction between logical and physical size matters in comprehensive investigations because it allows for the discovery of information left behind in the file slack.

Data Storage Scheme
Partition: disk partitions are portions of fixed disks that the operating system identifies as a single unit (maximum of four). The partition of the "boot" drive where the operating system resides must be bootable. The hard disk may have an "extended partition" that can be subdivided into a maximum of 23 additional logical disks. Partitioning creates a master boot record and partition table for the hard disk.

Data Storage Scheme
Partition table: identifies the corresponding locations of partitions, indicates which partition is bootable (only one partition may be bootable at a time), and contains the master boot record (MBR). Partition data is stored at physical cylinder 0, head 0, sector 1. This knowledge is extremely important in forensic investigations, because the same structures enable users to hide entire partitions. Investigators unaware of this fact may be confused to see that the logical drive size is contrary to the identified physical characteristics.

Data Storage Scheme
File systems: a file system is the disk management platform employed by a particular operating system. More specifically, it is the underlying structure that an individual computer uses to organize data on a hard disk. Prior to the introduction of DOS, concerns of data deployment were nonexistent.
The introduction of disk operating systems reduced the data management burden on applications while allowing application-specific disk hierarchies. By allowing data to be stored in discontinuous sectors, it provided a mechanism that maximized the use of limited space. Three file systems currently available from Microsoft are FAT16, FAT32, and NTFS.

Data Storage Scheme
FAT (File Allocation Table): creates a map or directory of the drive identifying the location of each piece of the file in question. It contains the name and size of the file and the number of the first cluster allocated to that particular file, and so on until the end of the file is reached. It is important to note that when a user deletes a file, the data contained in it is not erased. The deletion simply signals that the clusters allocated to the deleted file are now available for use.

Data Storage Scheme
NTFS (New Technology File System): developed by Microsoft in the early 1990s, NTFS was intended to provide security, improve performance, and provide for larger file sizes. NTFS systems contain a Master File Table (MFT), and every file in NTFS is described by one or more records in the MFT. NTFS is more efficient in its utilization of storage space and provides more security than FAT. For the forensic investigator, this means:
- NTFS systems still create fragmentation, which allows the forensic investigator to evaluate information contained in slack space.
- The Encrypting File System (EFS) may create additional steps in the investigative process.
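The sector, cluster, slack-space and FAT-deletion slides above describe why an examiner recovers data from places the file system no longer advertises. The following Python model is an added example written for this page, not code from the Britz textbook: it fixes a 512-byte sector and an assumed 4-sector cluster, builds a small constructed volume in memory, writes and "deletes" a file FAT-style (allocation map cleared, bytes untouched), then writes a shorter file on top and reads back the slack of its last cluster and the now-unallocated cluster.

```python
"""Cluster arithmetic and slack-space recovery on a constructed in-memory volume.

Added illustration for the Data Storage Scheme slides (not textbook code).
Assumptions: 512-byte sectors (as on the slides) and 4 sectors per cluster,
a value chosen for the example. The volume, its files and their contents are
all constructed here so the script runs offline.
"""

SECTOR_SIZE = 512            # standard Windows sector size per the slides
SECTORS_PER_CLUSTER = 4      # assumed for this example
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 2048 bytes


def physical_size(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Space actually allocated on disk: whole clusters, rounded up."""
    if logical_size <= 0:
        return 0
    return ((logical_size + cluster_size - 1) // cluster_size) * cluster_size


def slack_size(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of the file and the end of its last cluster."""
    return physical_size(logical_size, cluster_size) - logical_size


class ToyVolume:
    """Minimal FAT-like volume: a byte array of clusters plus an allocation map.

    A write touches only the file's own bytes, so whatever previously occupied
    the cluster survives in the slack, as on a real disk. Delete only clears
    the allocation map; the data bytes are left alone.
    """

    def __init__(self, clusters: int):
        self.data = bytearray(clusters * CLUSTER_SIZE)
        self.alloc = {}          # filename -> list of cluster numbers

    def _free_clusters(self) -> list:
        used = {c for chain in self.alloc.values() for c in chain}
        return [c for c in range(len(self.data) // CLUSTER_SIZE) if c not in used]

    def write(self, name: str, content: bytes) -> list:
        need = physical_size(len(content)) // CLUSTER_SIZE
        free = self._free_clusters()[:need]
        if len(free) < need:
            raise OSError("volume full")
        for i, c in enumerate(free):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.data[start:start + len(chunk)] = chunk   # rest of cluster untouched
        self.alloc[name] = free
        return free

    def delete(self, name: str) -> None:
        del self.alloc[name]     # clusters become "available"; bytes remain

    def slack(self, name: str, logical_size: int) -> bytes:
        """Slack bytes of the file's last cluster: what an examiner would carve."""
        chain = self.alloc[name]
        last = chain[-1]
        used_in_last = logical_size - (len(chain) - 1) * CLUSTER_SIZE
        start = last * CLUSTER_SIZE + used_in_last
        return bytes(self.data[start:(last + 1) * CLUSTER_SIZE])

    def raw_cluster(self, cluster: int) -> bytes:
        """Read a cluster regardless of allocation state (unallocated-space view)."""
        return bytes(self.data[cluster * CLUSTER_SIZE:(cluster + 1) * CLUSTER_SIZE])


def demo() -> dict:
    """Write a 2-cluster file, delete it, write a 5-byte file over it, inspect."""
    vol = ToyVolume(clusters=8)
    old = b"CONFIDENTIAL: old ledger entry 4711; " * 60    # constructed, 2220 bytes
    vol.write("ledger.txt", old)                           # occupies clusters 0 and 1
    vol.delete("ledger.txt")                               # FAT-style delete
    new = b"hello"
    used = vol.write("note.txt", new)                      # reuses cluster 0
    residue = vol.slack("note.txt", len(new))
    return {
        "physical": physical_size(len(new)),
        "slack": slack_size(len(new)),
        "first_cluster": used[0],
        "residue_has_old_data": b"CONFIDENTIAL" in residue,
        "unallocated_has_old_data": b"ledger entry" in vol.raw_cluster(1),
    }


if __name__ == "__main__":
    print(demo())
```

The 5-byte file is allocated a full 2048-byte cluster, leaving 2043 bytes of slack that still hold the earlier file's text, and cluster 1, now unallocated, still holds the tail of the deleted file; both are exactly the regions the slides name as file slack and unallocated space.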
Disk Structure and Digital Evidence
Firmware – Operating Instructions
Not only hardware. Terms:
- BIOS (Basic Input/Output System)
- Initial commands for the bootstrap loader (using the boot sector / absolute sector 0)
- POST (Power-on self-test)

Disk Structure and Digital Evidence
Data integrity:
- Cyclical redundancy checksum (CRC), a tool for validation
- MD5 hash, a verification tool
- Hashkeeper, software that lists known files

Developing Computer Forensic Science Capabilities
Standard Operating Procedures (SOPs) are constantly changing due to advances in technology.
- SOPs should be clearly articulated and readily available
- They consist of appropriate software, hardware, and special investigating procedures
- SOPs should be reviewed annually due to the changing nature of technology

Minimum Software Requirements
Five broad categories of software tools:
- Data preservation, duplication, and verification tools
- Data recovery/extraction tools
- Data analysis tools
- Data reporting tools
- Network utilities

1- Data preservation, duplication, and verification tools
The National Institute of Standards and Technology (NIST) defines the requirements for imaging programs as follows:
- The tool must be capable of making a bitstream duplicate or an image of an original disk or partition onto fixed or removable media.
- It must not alter the original disk.
- It must be able to access both IDE and SCSI disks.
- It must be able to verify the integrity of a disk image file.
- It must log I/O errors.
- It must provide substantial documentation.
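The Data integrity slide names CRC and MD5 as validation and verification tools and Hashkeeper as a known-file list, and the NIST criteria require that an imaging tool verify the integrity of an image file. The script below is an added example, not code from the textbook or from any imaging product: it records a CRC32 and MD5 (plus SHA-256, which is not on the slides but is what a current lab would also record) for a constructed image, re-verifies it after a simulated single-bit change, and applies a small constructed known-file hash set in the way Hashkeeper-style lists are used to eliminate known files.

```python
"""Image integrity verification and known-file reduction.

Added illustration for the Data integrity and NIST imaging-tool slides (not
textbook code). The "image", the sample files and the known-file list are all
constructed in memory; fingerprint_file() is the streaming form for real
image files on disk.
"""
import hashlib
import zlib


def image_fingerprint(image: bytes) -> dict:
    """CRC32 (validation) and MD5 (verification) as on the slides; SHA-256 added
    because MD5 alone is no longer considered collision-resistant."""
    return {
        "crc32": f"{zlib.crc32(image) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def fingerprint_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same digests computed in 1 MiB chunks so multi-GB images fit in memory."""
    md5, sha256, crc = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            crc = zlib.crc32(block, crc)
            md5.update(block)
            sha256.update(block)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest()}


def verify_image(image: bytes, recorded: dict) -> bool:
    """True only if every digest recorded at acquisition still matches."""
    current = image_fingerprint(image)
    return all(current[k] == v for k, v in recorded.items())


def known_file_filter(files: dict, known_md5: set) -> dict:
    """Data reduction: drop files whose MD5 appears in the known-file list."""
    return {name: data for name, data in files.items()
            if hashlib.md5(data).hexdigest() not in known_md5}


def demo() -> dict:
    image = bytes(range(256)) * 16                 # constructed 4 KiB "image"
    recorded = image_fingerprint(image)            # written to the evidence log
    ok_before = verify_image(image, recorded)
    altered = bytearray(image)
    altered[100] ^= 0x01                           # simulated accidental write
    ok_after = verify_image(bytes(altered), recorded)
    files = {                                      # constructed logical files
        "kernel32.dll": b"constructed OS file",
        "notes.txt": b"constructed user file",
    }
    known = {hashlib.md5(b"constructed OS file").hexdigest()}   # constructed list
    remaining = known_file_filter(files, known)
    return {"ok_before": ok_before, "ok_after": ok_after,
            "remaining": sorted(remaining)}


if __name__ == "__main__":
    print(demo())
```

Recording the digests at acquisition and re-checking them before and after every analysis step is the practical form of the "must not alter the original disk" and "verify the integrity of a disk image file" requirements.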
2- Data recovery/extraction tools
- Physical extraction phase: identifies and records data across the entire physical drive without regard to file system.
- Logical extraction phase: identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s). It may include data from such areas as active files, deleted files, file slack, and unallocated file space.

2- Data recovery/extraction tools
Physical extraction:
- Keyword searching: useful because it allows the examiner to extract data that may not be accounted for by the operating system and file system.
- File carving: similar to keyword searching, but it searches for files rather than for keywords.
- Extraction of the partition table: evaluation of the partition table and unused space may identify the file systems present and determine whether the entire physical size of the hard disk is accounted for.

2- Data recovery/extraction tools
Logical extraction:
- Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file locations.
- Data reduction to identify and eliminate known files.
- Extraction of files pertinent to the examination.
- Recovery of deleted files.
- Extraction of password-protected, encrypted, and compressed data.
- Extraction of file slack.
- Extraction of the unallocated space.
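The Partition table slide (partition data at cylinder 0, head 0, sector 1, which is LBA sector 0) and the Physical extraction bullets (partition-table extraction, keyword searching, file carving) describe one connected check: read the table, find the sectors no partition accounts for, and search that raw space without relying on any file system. The script below is an added example written for this page, not textbook or tool code. It parses the classic MBR layout (four 16-byte entries at offset 446, 0x55AA signature at offset 510, little-endian LBA fields), computes the unaccounted sector ranges, and runs a signature search over them; the disk image is constructed with one bootable partition and a JPEG header planted outside it.

```python
"""Partition-table extraction and signature search on a constructed image.

Added illustration for the Partition table and Physical extraction slides
(not textbook code). Uses the standard MBR layout; the 64-sector image,
its single partition and the planted JPEG header are all constructed here.
"""
import struct

SECTOR = 512
MBR_ENTRY_OFFSET = 446
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"      # status, CHS start(3), type, CHS end(3), LBA start, sectors


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty primary partition entries as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR boot sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector0, MBR_ENTRY_OFFSET + 16 * i)
        if ptype == 0 and sectors == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start": lba_start, "end": lba_start + sectors})  # end exclusive
    return entries


def unaccounted_ranges(entries: list, total_sectors: int) -> list:
    """Sector ranges [start, end) that no partition entry covers.
    Sector 0 (the MBR itself) normally shows up here; a large gap does not."""
    gaps, cursor = [], 0
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"]))
        cursor = max(cursor, e["end"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


SIGNATURES = {"jpeg": b"\xFF\xD8\xFF", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}


def signature_search(image: bytes, ranges: list, signatures: dict = SIGNATURES) -> list:
    """Scan the raw bytes of the given sector ranges for file signatures,
    ignoring any file system (keyword searching / carving, physical phase)."""
    hits = []
    for start, end in ranges:
        region = image[start * SECTOR:end * SECTOR]
        for name, magic in signatures.items():
            pos = region.find(magic)
            while pos != -1:
                hits.append({"type": name, "sector": start + pos // SECTOR,
                             "offset": start * SECTOR + pos})
                pos = region.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_image(total_sectors: int = 64) -> bytes:
    """Constructed image: bootable type-0x07 partition over sectors [2, 40),
    sectors 40..63 claimed by nothing, JPEG header planted at sector 50."""
    mbr = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, mbr, MBR_ENTRY_OFFSET, 0x80, 0x07, 2, 38)
    mbr[510:512] = MBR_SIGNATURE
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = mbr
    image[50 * SECTOR:50 * SECTOR + 3] = SIGNATURES["jpeg"]
    return bytes(image)


def examine(image: bytes) -> dict:
    """Full physical-extraction pass: table, bootable flags, gaps, signature hits."""
    total = len(image) // SECTOR
    entries = parse_mbr(image[:SECTOR])
    gaps = unaccounted_ranges(entries, total)
    return {
        "entries": entries,
        "bootable": [e["index"] for e in entries if e["bootable"]],
        "gaps": gaps,
        "unaccounted_sectors": sum(e - s for s, e in gaps),
        "hits": signature_search(image, gaps),
    }


if __name__ == "__main__":
    print(examine(build_image()))
```

On the constructed image the table claims 38 of 64 sectors, so 26 sectors are unaccounted for, and the signature search finds the JPEG header at sector 50 inside that gap; on a real image, a logical size that is far below the physical size reported by the drive is the cue the slide describes, and this is the check that quantifies it. More than one entry with the 0x80 flag set would also be flagged here, since only one partition may be bootable at a time.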
2- Data recovery/extraction tools
- Overt files: regular files.
- Hidden files: files which are manipulated (often intentionally) to conceal the contents of the original file.
- Slack space, free or unallocated space, and swap: swap files include those which are temporarily placed on the computer when applications run out of space.
- Password-protected files: files which are protected from unauthorized users with password programs.
- Compressed files: tools for the identification and examination of compressed files.
- Encrypted files: encryption refers to the process of converting a message from its original form ("plaintext") into an indecipherable or scrambled form ("ciphertext").
- Steganography: designed to hide data from view.

3- Data analysis tools
Data analysis tools may be grouped in five general categories: indexing, text searching, viewers, time frame analysis, and application analysis.

3- Data analysis tools
Analysis examples:
- Reviewing the file names for relevance and patterns.
- Identifying the number and type of operating systems.
- Correlating the files to the installed applications.
- Considering relationships between files, such as e-mails and file attachments.
- Identifying unknown file types to determine their value to the investigation.

3- Data analysis tools
- Examining the users' default storage location for applications and the file structure of the drive to determine whether files have been stored in their default or an alternate location.
- Examining user-configuration settings.
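The Hidden files bullet describes files manipulated to conceal their real contents, and the analysis slide lists identifying unknown file types; the usual check for both is to classify a file by its leading bytes rather than its name. The script below is an added example for this page, not textbook code: it carries a small table of real magic numbers, identifies each file's content type, and flags files whose extension disagrees with it. The sample files are constructed.

```python
"""Content-based file type identification and extension mismatch flagging.

Added illustration for the Hidden files and analysis slides (not textbook
code). The signature table holds real, widely documented magic numbers; the
alias sets cover formats that legitimately share a container (e.g. Office
documents are ZIP containers). The sample files are constructed.
"""
import os
from typing import Optional

# (leading bytes, content type)
MAGIC = [
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
]

# extensions that are legitimate for a detected content type
ALIASES = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "sys", "scr"},
}


def identify(data: bytes) -> Optional[str]:
    """Content type from the leading bytes, or None if no known signature."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension with the detected type; mismatch means the name
    does not describe the content (a renamed or disguised file)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = identify(data)
    accepted = ALIASES.get(kind, {kind}) if kind else set()
    return {"name": name, "ext": ext, "detected": kind,
            "mismatch": kind is not None and ext not in accepted}


def scan(files: dict) -> list:
    """Run check_file over a name -> bytes mapping (e.g. files read from an image)."""
    return [check_file(name, data) for name, data in files.items()]


def sample_files() -> dict:
    """Constructed inputs: four honest files and one executable named as text."""
    return {
        "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
        "report.pdf": b"%PDF-1.4\n%constructed",
        "archive.docx": b"PK\x03\x04" + b"\x00" * 8,
        "notes.txt": b"MZ\x90\x00" + b"\x00" * 16,
        "readme.txt": b"just text",
    }


if __name__ == "__main__":
    for row in scan(sample_files()):
        print(row)
```

Only files with a recognizable signature can be checked this way; a plain text file yields no detection and is never flagged, which is why the examiner's tool chain also applies keyword searching and viewers to the rest.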
4- Data reporting tools
- Lab's name, address, and contact information
- Date of report
- Name, signature, and address of the investigator and investigative agency
- Case number
- Case information: suspect(s), victim(s), alleged offense
- Lab case identifier
- Evidence log: date and receipt of evidence, seizure details, etc.
- Physical description of items evaluated

5- Other required software
Miscellaneous software:
- Presentation applications (e.g., PowerPoint)
- Word processing applications
- Spreadsheet applications
- Wiping software
- Antivirus software
- Network tools

Conclusions
- Guarding against poorly run investigations, due in part to administrative apathy, inadequate resources, and a lack of appropriate training
- Need to satisfy forensic computer science capabilities
- Aim for collaboration with civilian experts and corporate entities, when appropriate
- Need to meet certain minimum requirements, including equipment and housing