Forensic tools and process viewers keep a detailed record of what goes in and out of a system or network, which can be used to reconstruct how a computer system was used in the past.
In practice, computer forensic science is the process of extracting information and data from computer storage media while preserving its integrity, so that what is recovered is accurate and can be shown to be reliable. That data can then be reassembled into an accurate picture of how a network or computer system was used over time. The amount of history a competent examination can recover surprises most people.
Chapter 7 discussed computer forensics as a method of managing risk in corporate environments. Now it is time to take a closer look at the technologies and tools available to those who practice computer forensics, and at the general methods forensic computer scientists use.
Many of the tools used in computer forensics focus on examining hard drives from different perspectives. What you see on a hard drive through a standard operating system is very different from what the drive actually contains. Forensic software works below the file system, taking "cross sections" of the drive to compare file structure, check file integrity, and read back previously deleted files. The big challenge, of course, is finding the information to analyze. Computer evidence is fragile and easily modified. Attackers routinely hide, wipe, camouflage or delete evidence from storage media using encryption or freeware/commercial utility programs. For this reason, forensics software uses several methods to find evidence of computer crime:
- Collect all of the free (unallocated) space on the storage media and scan it for file signatures (known header and footer byte sequences) that indicate data is still present; this is known as file carving.
- Examine file slack (the space from the end of a file's data to the end of its last storage cluster) for remnants of older or deleted files.
- For Windows operating systems, analyze the swap or page file, which is constantly rewritten but holds fragments of the most recent activity.
- Locate deleted files by searching the raw media for text strings the perpetrator may have placed in the name or body of a file.
- Correlate timestamps, logs and the findings above to detect patterns of usage over the life of the system.
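The first four methods above can be shown on a constructed disk image. The Python below is an added example written for this page, not code from the book or from any forensic product: it builds a small synthetic image (an allocated text file, the slack at the end of its last cluster still holding a remnant of an older file, and a deleted JPEG sitting in unallocated space), carves the JPEG by header and footer signature without consulting any file system, computes the slack range from the file size and cluster size, and searches the raw bytes for printable strings. The cluster size, the signature table and all of the data are assumptions made for the example.

```python
import re

CLUSTER_SIZE = 512  # assumed cluster size for the constructed image

# Header and footer byte sequences used for carving (well-known magic values).
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def build_sample_image() -> bytes:
    """Constructed image, not real evidence.

    Clusters 0-1: a 700-byte text file, so the last 324 bytes of cluster 1 are
    slack that still holds a remnant of whatever file used the cluster before.
    Clusters 2+: unallocated space containing a 'deleted' JPEG that no
    directory entry points at.
    """
    text_file = b"Quarterly report: nothing to see here.".ljust(700, b".")
    remnant = b"\x00" * 20 + b"wire $250,000 to account 8891" + b"\x00" * 100
    slack = (remnant * 4)[: 2 * CLUSTER_SIZE - len(text_file)]
    deleted_jpeg = b"\xFF\xD8\xFF\xE0JFIF\x00" + b"\x11" * 300 + b"\xFF\xD9"
    free_space = b"\x00" * 100 + deleted_jpeg + b"\x00" * 300
    return (text_file + slack + free_space).ljust(8 * CLUSTER_SIZE, b"\x00")


def carve(image: bytes, kind: str) -> list:
    """File carving: find every object of `kind` by its header and footer,
    ignoring the file system entirely. Returns (offset, bytes) pairs."""
    header, footer = SIGNATURES[kind]
    found, pos = [], 0
    while (start := image.find(header, pos)) >= 0:
        end = image.find(footer, start + len(header))
        if end < 0:
            break  # header with no footer: a truncated or overwritten object
        end += len(footer)
        found.append((start, image[start:end]))
        pos = end
    return found


def slack_range(file_size: int, cluster_size: int = CLUSTER_SIZE) -> tuple:
    """File slack runs from the end of the file's data to the end of the last
    cluster allocated to it; an examiner reads that region directly."""
    clusters = -(-file_size // cluster_size)  # ceiling division
    return file_size, clusters * cluster_size


def search_strings(image: bytes, needle: str, min_len: int = 8) -> list:
    """Pull printable ASCII runs out of the raw media (what a 'binary filtering'
    tool does) and return the offset and text of every run containing `needle`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    target = needle.encode("ascii")
    return [(m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(image) if target in m.group()]


if __name__ == "__main__":
    img = build_sample_image()
    for off, obj in carve(img, "jpeg"):
        print(f"carved JPEG at offset {off}, {len(obj)} bytes")
    lo, hi = slack_range(700)
    print(f"slack of the 700-byte file: offsets {lo}-{hi}")
    for off, text in search_strings(img, "account 8891"):
        where = "slack" if lo <= off < hi else "elsewhere"
        print(f"string at offset {off} ({where}): {text}")
```

On the constructed image the JPEG is recovered from unallocated space even though nothing references it, and the only copies of the "wire" string sit in the slack of an innocuous-looking report, which is exactly where a file-system-level view would never look.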
Commercial products share some factors in common with general forensics procedures; they have become the tool sets forensic computer scientists use to accomplish specific tasks. The problem is that, at the time of writing, relatively few forensic tools are available to the general public. Many are developed in-house by computer forensic consulting firms, and these firms generally don't license their software. Even if most of the software used by forensics professionals were available, it would not be easy to operate without the proper expertise and knowledge of forensic procedure.
Each of these general procedures involves several intricate steps. It is extremely important to understand the concepts involved in a forensics examination, as well as the basic procedures you'll follow regardless of the software used to perform the analysis.
What People Think: Forensics is something the police use in murder investigations.
What We Think: Forensics can help corporations stay prepared in the event of a lawsuit or other worst-case scenario.
How It Works
Computer forensics has a lot in common with physical crime investigation. Both involve gathering an assortment of evidence, interviewing witnesses and identifying suspects. Neither profession has much room for error; sloppiness is anathema to an investigator's reputation. Computer crime investigation combines the many elements of the physical with the technical.
A close look at the methods used by computer forensics experts provides tremendous insight into how important precision and procedure are in this field. The following is a sample procedure that a computer forensic expert might follow before beginning an examination of a computer's data:
Shut down the computer. Most computer operating systems today have "soft" switches that take the machine through an orderly shutdown process. However, a forensic expert won't know ahead of time whether the computer in question has been rigged to run a series of file-altering (or deleting) processes if a soft shutdown is attempted. The safer method is to pull the plug. The cost is the loss of everything held only in RAM: running processes, open network connections and, on a system using disk encryption, the keys needed to read the volume at all. Where that volatile data matters, examiners capture memory from the live system first and only then remove power; either way, a soft shutdown of a machine that may be booby-trapped is the worse option.
Document the hardware configuration of the system. When the police arrive at a physical crime scene after the fact, one of the first things they do is photograph everything. This practice also applies to computer forensics. For each step of the examination, the forensic scientist must be able to prove that the evidence was not damaged, altered or tainted. Photographing the original hardware setup is the first step in this process. Before moving or dismantling the target computer, it should be photographed from all angles to document the system hardware components and how they are connected. Each cable should also be labeled so it can be reconnected correctly when the system configuration is restored to its original condition.
Transport the computer system to a secure location. This may seem like an unnecessary step, but all too often, seized computers are stored in insecure locations. If the case goes to trial, a forensic expert may be required to demonstrate a proper chain of custody. If someone unwittingly operates a seized computer, he or she may inadvertently destroy or alter critical evidence. Furthermore, a seized computer left unattended can be compromised again, perhaps by the original intruder trying to cover his tracks.
Boot the computer from a trusted boot diskette, or remove the hard drive. This is the most risky (and tricky) part of the investigation. The forensic expert probably doesn't know how the computer is configured ahead of time, and booting a machine with an unknown configuration can alter data. Therefore, it's critical that the computer never be started from the suspect hard drive itself. Current practice goes a step further: the drive is removed, connected through a hardware write blocker, and copied bit for bit to an image whose hash is recorded; every subsequent step works on that verified image, never on the original.
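Once the drive is imaged, the examiner has to be able to show at any later point, including in court, that the copy being analyzed is identical to what was acquired and that the evidence was never altered while in anyone's custody. The Python below is an added example written for this page, not a tool from the book: it hashes an image with two algorithms, keeps an append-only custody log in which each entry also hashes the previous one so edits to the log itself are detectable, and checks a working copy against the digests recorded at acquisition. The evidence identifier, the custodian names and the image bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def hash_image(data: bytes) -> dict:
    """Digest the acquired image with two algorithms. Both are recorded so that
    a weakness in one (MD5 collisions) does not undermine the record."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class CustodyLog:
    """Append-only chain-of-custody record for one piece of evidence.

    Every entry carries the hash of the previous entry and a hash of itself, so
    an entry that is edited, removed or inserted later breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, custodian: str, digests: dict, note: str = "") -> dict:
        """Append an entry: who did what to the evidence, when, and what it hashed to."""
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "note": note,
            "digests": digests,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry hashes to its recorded value and links to its predecessor."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_entry_hash"] != prev:
                return False
            if self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def verify_working_copy(data: bytes, log: CustodyLog) -> bool:
    """A working copy may be examined only if the log is intact and the copy
    hashes to what was recorded at acquisition."""
    if not log.entries or not log.verify_chain():
        return False
    return hash_image(data) == log.entries[0]["digests"]


if __name__ == "__main__":
    # Constructed image bytes standing in for a dd-style acquisition.
    image = b"\x00" * 2048 + b"example evidence" + b"\xFF" * 2048
    log = CustodyLog("EXH-001")  # hypothetical evidence identifier
    log.record("acquired", "examiner A", hash_image(image),
               "bit-for-bit copy via hardware write blocker")
    log.record("transferred to evidence locker", "custodian B", hash_image(image))
    print(json.dumps(log.entries, indent=2))
    print("chain intact:", log.verify_chain())
    print("working copy matches:", verify_working_copy(image, log))
```

In practice the acquisition entry is written at the bench the moment the image is taken, and the same hashes are what the examiner reads out when asked whether the copy analyzed is the one seized.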
Once this exhaustive and painstaking process is complete, the forensic scientist can open the toolkit. Typically it contains a wide variety of software packages that enable complex data recovery and analysis. Since few professional cyber forensics firms allow access to their own custom tools, comparable tools will be evaluated here.
There are a wide variety of tools that can be downloaded from the Internet which are representative of, or identical to, tools used by professionals in the field. These tools are available for free and can be found without much difficulty.
For the most part, one company provides the specific tools listed below; however, their descriptions and functions serve as an excellent example of typical computer forensic tools. The titles of the actual software tools have been omitted, but the descriptions are accurate.
File List Utility
This is a forensic tool that is used to quickly catalog the contents of one or more computer hard disk drives. The file list output is compressed so that the program and related output will normally fit on just one floppy diskette.
A file-converting program is then used to convert the list output from its native compressed format into a data base file. The file-converting tool is a simple but specialized program that creates a dBASE III file from the output of the file list program.
Database Analysis Tool
This program has been used by law enforcement agencies for years. The author is unknown, but the program has been made available to give law enforcement agencies on a budget a free tool. The software is easy to use and is compatible with the dBASE III file structure, an industry standard that can be imported into most other database and spreadsheet applications.
Unfortunately, the program is undocumented and some trial and error is required to learn it. However, it can sort and view up to 999,999 records and includes a field occurrence feature (a count of how often each distinct value appears in a field), which makes it ideal for law enforcement review of output files created by other analyzer software.
This software can analyze dBASE III files that contain patterns of e-mail and Internet browsing activity. The output from the file list program can be analyzed with it as well, as can any other dBASE III file. It contains easy-to-use reporting features, indexing and search capabilities.
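The two tools just described amount to a catalog of every file on the drive loaded into a database and then queried, with the field occurrence feature being a count of how often each value of a column appears. The Python below is an added example that reproduces that workflow with the standard library's os.walk and sqlite3 in place of dBASE III; it is not the book's or any vendor's tool. The file rows in the test are constructed; on a real case the catalog is built from a read-only mount of the verified image.

```python
import os
import sqlite3
from datetime import datetime, timezone

QUERYABLE_FIELDS = {"ext", "size", "mtime"}


def catalog_tree(root: str) -> list:
    """Walk a (read-only mounted) image and record one row per file: path,
    extension, size and last-modified time in UTC."""
    rows = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the catalog
            rows.append({
                "path": path,
                "ext": os.path.splitext(name)[1].lower().lstrip("."),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return rows


def load_catalog(rows: list) -> sqlite3.Connection:
    """Load the catalog into an in-memory SQLite table, the stand-in here for
    the dBASE III file the text describes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE files (path TEXT, ext TEXT, size INTEGER, mtime TEXT)")
    con.executemany("INSERT INTO files VALUES (:path, :ext, :size, :mtime)", rows)
    con.commit()
    return con


def field_occurrences(con: sqlite3.Connection, field: str) -> list:
    """The 'field occurrence' feature: (value, count) for each distinct value of
    a column, most frequent first. The column name is checked against an
    allow-list because an identifier cannot be bound as a query parameter."""
    if field not in QUERYABLE_FIELDS:
        raise ValueError(f"not a queryable field: {field!r}")
    return con.execute(
        f"SELECT {field}, COUNT(*) AS n FROM files GROUP BY {field} ORDER BY n DESC, {field}"
    ).fetchall()


def activity_window(con: sqlite3.Connection, start_iso: str, end_iso: str) -> list:
    """Files modified inside a UTC window, oldest first: a first cut at a usage
    timeline. ISO-8601 strings in one fixed format compare correctly as text."""
    return con.execute(
        "SELECT path, mtime FROM files WHERE mtime BETWEEN ? AND ? ORDER BY mtime",
        (start_iso, end_iso),
    ).fetchall()


if __name__ == "__main__":
    import sys
    rows = catalog_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    con = load_catalog(rows)
    print("files per extension:", field_occurrences(con, "ext")[:10])
```

Adding a hash column to the catalog is the usual next step, since it lets known operating-system files be filtered out before a human looks at the rest.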
Binary Data Filtering Tool
This program is used to remove binary (non-printable) characters from computer data, leaving the readable text. The program has been used by military and law enforcement agencies for years and was donated to the law enforcement community in 1991 by Michael R. Anderson. Once a file has been processed with it, the contents can be printed and viewed with traditional computer applications such as word processors.
Internet Usage Analysis Tool
This specialized tool is ideal for use in investigations related to Internet E-mail, Internet Browsing and Internet File Downloading. It can be used to determine E-mail and Internet browsing frequency.
Encryption Pattern Review Aid
This program is very simple. It creates one or more files that contain nothing but spaces; every file it creates holds exactly 10,000 spaces. Files containing repeated patterns of the same data are helpful in evaluating the effectiveness of encryption: a file with no variation in it is a known plaintext, and if the ciphertext still shows repetition, or its bytes are distributed unevenly, the cipher or its mode of operation is leaking the structure of the plaintext. This program aids in evaluating the distribution of encrypted data for that purpose.
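An added example of that evaluation, written for this page rather than taken from the book: it generates the 10,000-space file, encrypts it with two constructed ciphers (a repeating-key XOR standing in for any cipher or mode that turns identical plaintext blocks into identical ciphertext blocks, and a counter-mode stream built from HMAC-SHA256 standing in for a properly keyed mode), then scores each ciphertext by the fraction of 16-byte blocks that are unique and by its byte entropy. Neither cipher is a real product's algorithm, and the key and nonce are fixed test values.

```python
import hashlib
import hmac
import math
from collections import Counter


def make_pattern_file(n_bytes: int = 10_000) -> bytes:
    """The review aid's output: a file of nothing but spaces, i.e. a known
    plaintext with no information content of its own."""
    return b" " * n_bytes


def distinct_block_ratio(data: bytes, block: int = 16) -> float:
    """Fraction of block-sized chunks that are unique. 1.0 means nothing repeats;
    a value near 0 means the plaintext's repetition survived encryption."""
    usable = len(data) - len(data) % block
    chunks = [data[i:i + block] for i in range(0, usable, block)]
    return len(set(chunks)) / len(chunks) if chunks else 0.0


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for output that is
    indistinguishable from random, much lower when few byte values occur."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def weak_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Constructed weak cipher: repeating-key XOR. Every key-length run of
    identical plaintext yields an identical ciphertext run, the same leak an
    ECB-mode block cipher shows on repeated plaintext blocks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


def ctr_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Constructed counter mode: keystream block i = HMAC-SHA256(key, nonce || i).
    The keystream depends on position, not content, so repeated plaintext does
    not produce repeated ciphertext (a nonce must never be reused under a key)."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        counter = (i // 32).to_bytes(8, "big")
        keystream = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(p ^ k for p, k in zip(plaintext[i:i + 32], keystream))
    return bytes(out)


def evaluate(ciphertext: bytes) -> dict:
    """Score a ciphertext the way an examiner reads the review aid's output."""
    return {
        "distinct_block_ratio": distinct_block_ratio(ciphertext),
        "entropy_bits_per_byte": byte_entropy(ciphertext),
    }


if __name__ == "__main__":
    pt = make_pattern_file()
    key, nonce = bytes(range(16)), b"\x00" * 8  # fixed test values, not a real key
    for name, ct in (("repeating-key XOR", weak_encrypt(pt, key)),
                     ("HMAC counter mode", ctr_encrypt(pt, key, nonce))):
        print(name, evaluate(ct))
```

The weak cipher turns 625 identical plaintext blocks into 625 identical ciphertext blocks and uses only 16 distinct byte values, so both scores expose it at a glance; the counter-mode output has no repeated block and an entropy close to 8 bits per byte, which is what a sound cipher should produce on any input, including this one.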
When an organization has something to hide (for whatever reason), familiarity with the retrieval techniques forensics provides can help it defend against them. The truth is that a forensic specialist can dig tremendous amounts of information out of computer systems, so shielding oneself from these techniques may come in handy when extreme privacy is needed.
The flip side of that coin is applying forensic thinking ahead of time to reduce costs. By keeping detailed records of all pertinent information that flows through a network, a company can avoid the need for a full forensic investigation in many circumstances. Take a computer crime: if a system is hacked into, careful record keeping on that system can help investigators identify the intruder without bringing in a forensics team.
Remember, whether they are used for legal reasons or not, forensics tools are available. Used together, they can piece together immense amounts of history and information in detail. But even individual tools in isolated situations can save the day. For example, hard drive data recovery tools can retrieve accidentally deleted information; they are relatively straightforward and, unlike some forensic tools, commercially available.
Computer crime prevention is a big area where computer forensics can be useful. Have you been hacked? Have files been stolen? Do you want to catch the perpetrator? Time to consider bringing in some forensic experts. Even if an organization thinks it knows who stole its data, proving that fact in a court of law is a different matter entirely. Most good hackers erase their tracks. If they are extremely good, they may erase them to the point where forensics is of no value. In many scenarios, however, cyber forensics may be the first line of offense in helping to build a case against such a perpetrator.
Making The Connection
Proactive Security: Forensics is one technology best left to the experts. Identifying and hiring the right forensic firm to match a given set of needs is an important part of the process. There are many people claiming many sets of expertise in the IT consulting field. With computer forensics, a pedigree in investigations should be a fundamental requirement when reviewing the credentials of any outside firm.
Forensics is a very specific and focused area of computer science. A general knowledge of what this emerging field is capable of is critical in today's business world; it lets business leaders, middle managers and technology experts make informed decisions about their need for forensic consulting.
If a company finds itself in a position where it does need computer forensics it’s a good idea to look for outside help. This is one subcategory of computer science where general knowledge is not enough to give “do-it-yourselfers” an excuse to handle it internally. Not only are many of the tools needed to perform computer forensics difficult to use, but also many of the better ones are not available to the general public. Firms that design these tools build them in such a manner that knowledge of their specific investigative methods is a necessary operational prerequisite. That is why it is a good idea to concentrate all efforts on finding the best forensics firm to meet the needs of the situation, and let the pros handle the problem from there.
Forensics tools share a connection with many forms of scanning and monitoring software. Variations of scanning software are used to find data, recover it and then analyze it for information. Monitoring software is used to keep tabs on systems performance and system logs and to watch closely for any system changes that may occur in real time.
Though there are many practical applications for computer forensics methodology and technology, the field remains a niche. It is not uncommon for a forensics investigation to take several months or even years to complete, depending on the size of the project and the amount of data available. For this reason, forensics can be considered a reliable, but expensive and time-consuming solution.
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic.