

Laureate Online Education Computer Forensics © All rights reserved 2005 - 2012. The Computer Forensics module, in all its parts: syllabus, guidelines, lectures, discussion questions, technical notes, images, projects and any additional material is copyrighted by Laureate Online Education B.V.

Computer Forensics Seminar for Week 2: Computer Forensics Investigative Process

In the last seminar, we learned the basics of computer crime and computer-related laws. In this seminar, we will learn the basics of the computer crime investigative process, digital evidence reconstruction, modus operandi, motive, and technology.

Digital Evidence Investigative Process

Computer forensics studies the methodologies and procedures for the preservation, identification, extraction, documentation, and interpretation of digital evidence (e.g., computer data). As in crime scene investigation, the goal of a computer forensic investigation is to uncover the truth using digital evidence, and the process parallels other types of forensic investigation. If we were investigating a physical crime, such as a murder that took place at one particular place, we would photograph the scene and take samples; the collection of evidence proceeds similarly in a computer investigation. The special consideration for computer investigation is that digital data can be highly volatile and easily modified, which makes the preservation of digital evidence a challenging process. The most popular method of digital evidence preservation is to use a cryptographic hash function (e.g., MD5 or SHA-1) to compute a hash output H of the digital evidence at collection time. Later, the hash of the evidence is computed again and compared against H; a match shows that the evidence has not changed since it was collected.

Xiaoyun Wang and her colleagues in China showed in 2004 that one can construct two different digital files A and B whose hash outputs are the same (see MD5 Collision-a). Although this result was far from practical in early 2005 (it is practical now; e.g., MD5 Collision-b), it was used in an Australian court to void a speeding ticket "after the Roads and Traffic Authority (RTA), a government agency, failed to prove in court that the algorithm was cryptographically sound." That is, the defense lawyer argued that the photographs could have been altered along the way: "The integrity of all speed-camera offences has been thrown into serious doubt and it appears that the RTA is unable to prove any contested speed camera matter because of a lack of admissible evidence." More details about this case can be found at CNET (2005). One caveat is worth keeping in mind: a collision attack lets someone who controls both files produce two files with the same hash; it does not by itself let an attacker alter an existing file while keeping its hash unchanged (that would be a second-preimage attack, which has not been demonstrated against MD5 or SHA-1). The practical lesson of the RTA case is that the party offering the evidence must be able to explain, and defend, why its integrity method is sound.

Since digital evidence is presented to establish the truth or falsehood of an allegation, it can affect whether people are deprived of their liberty or their lives. Thus, trusted methodology and technology must be used for digital evidence collection, processing, analysis, and reporting. As computer forensic professionals, we should take a minute to think of the consequences of each case and then handle everything as evidence.

For each case, forensic investigators should first ask themselves a series of questions to determine whether a crime or infraction has actually occurred, and then whether a full investigation should proceed, since many important cases compete for limited investigative resources. For instance, if computer log files indicate that an employee accessed confidential corporate information, but a colleague can attest that they were out at lunch at that time, the digital investigator should consider all other possibilities. Was the employee's password stolen? Was there an outside intrusion into the corporate network? Did the employee change his computer's clock? Did the employee steal the administrator password and modify the log file? Did the employee give his password to another employee to commit the crime?

After determining that a full investigation is necessary, the digital investigator should plan the investigation around what happened, where, and when; how it happened and who was involved; and why it happened. The digital evidence discovery process consists of several steps, each employing strict protocols, proven methods, and trusted tools. Kruse and Heiser (2002, p. 3) describe the basic methodology for the computer forensic process as three A's:

1. Acquire the evidence without altering or damaging the original.
2. Authenticate that the recovered evidence is the same as the originally seized data.
3. Analyze the data without modifying it.

In the remainder of this seminar, we explore each of these topics in detail; together they form the framework of every digital forensic process.

Step 1: Acquire the Evidence

Acquisition of digital evidence begins when information and/or physical items are collected or stored for examination purposes (FBI Examination). As emphasized last week, the collection process must be lawful and must satisfy the rules of evidence of the locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee. In the O. J. Simpson case, for example, the evidence against Simpson was described as "mountainous", yet because it was collected and processed in ways that could be called into doubt, the outcome of that "trial of the century" shocked many people.

Since we always face unfamiliar environments, while the techniques we learn assume ideal conditions, we must be able to extend those techniques to unforeseen environments and still explain to the court every action we took. For example, some important digital evidence may exist only in a computer's RAM (or the RAM of another electronic device). If we turn off the computer or kill the process before acquiring an image of RAM, that evidence is lost for good. In an ideal environment, therefore, we should make an exact image of RAM and an exact image of the hard disk before shutting the computer down (note that the shutdown process itself can overwrite data on the hard disk). This is not always realistic in a live investigation: the suspect may use customized computers that are not compatible with the available forensic tools, or, if the investigator does not turn off the computer immediately, an ongoing attack may continue and the attacker may delete evidence from RAM and disk. It should also be noted that a computer criminal may have anticipated a forensic investigation and modified system files using tools such as rootkits. Compromised systems should therefore never be investigated with tools found on the system itself; forensic work is expected to be done on dedicated forensic workstations in certified forensic labs. Such labs generally also have external hardware to capture system RAM rather than dumping it with software running on the compromised system.

Chain of custody: If the evidence-handling process is inadequate, the entire investigation can be compromised and the court may throw out the evidence.
Special attention should be paid to data handling (e.g., transportation and storage) throughout the investigation in order to build the chain of custody. The Australian RTA case just discussed is an example of failing to establish the integrity of evidence. The goal of carefully maintaining the chain of custody is twofold: to protect the integrity of the evidence, and to make it difficult for an opposing attorney to argue successfully that the evidence was tampered with while in our custody. Kruse and Heiser (2002, pp. 6–8) describe the chain of custody procedure as "a simple process of documenting the complete journey of the evidence during the life of the case, including the answers to the following questions: Who collected it? How and where? Who took possession of it? How was it stored and protected in storage? Who took it out of storage and why?" According to Kruse and Heiser (2002), the following facts must be documented: anyone who had possession of the evidence, the times at which they took and returned possession, and why they were in possession of it. These facts must be documented because defense attorneys do not need to prove that the evidence was in fact modified; they only need to show that it was not adequately safeguarded, as in the Australian RTA case, and hope the jury accepts that argument.

The Scientific Working Group on Digital Evidence (SWGDE) is the U.S.-based component of the standardization effort conducted by the International Organization on Computer Evidence (IOCE). Since its establishment in 1998, SWGDE has developed standards for the recovery, preservation, and examination of digital evidence. In particular, the following seven criteria for Standard Operating Procedures (SOPs) defined by SWGDE can be used to achieve the chain of custody for digital evidence:

1. All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority.

2. Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.

3. Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner. Special attention should be paid to the transportation of digital evidence, which may be damaged in transit. When digital evidence is at rest, it should be kept in sealed containers in a secure area with limited access. The container should be sealed by the person who closes it, so that an intact seal shows it has not been opened by anyone other than an authorized person. When a sealed container is opened, the report should record that the seal was still intact and why the package needed to be unsealed; once the action is finished, the container is resealed with a new label and signatures. The report should also note the person, dates, times, and reason for removing the evidence, and the date and time it was returned to the locker.

4. The agency must maintain written copies of appropriate technical procedures.

5. The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure. In particular, we should only use software that we are legally licensed to have; we will lose credibility if it is shown in a court of law that we were using illegally obtained software.

6. All activity relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony. Most of us can fix a computer easily, but when asked to explain to a judge how we did it, we may not be able to describe the detailed steps. So we should take notes during the investigation (this can be done by a second person). The reports should contain extensive detail, including the collection tools (hardware and software), the methods used to collect and analyze the computer media, and why we did what we did. In addition, all digital evidence should be clearly identified: printouts labeled with permanent markers; operating systems and hardware types identified; serial numbers recorded; and the evidence marked without damaging it, or placed in sealed and marked containers.

7. Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.

To develop international standards for the exchange and recovery of digital evidence, working groups in Canada, Europe, the United Kingdom, and the United States have been formed under the umbrella of the IOCE (established in 1995). The resulting international principles for the standardized recovery of digital evidence are governed by the following attributes: consistency with all legal systems; allowance for the use of a common language; durability; ability to cross international boundaries; ability to instill confidence in the integrity of evidence; applicability to all forensic evidence; and applicability at every level, including that of the individual, agency, and country.

In addition to the SWGDE criteria and IOCE principles, Kruse and Heiser (2002, p. 11) recommend photographing the crime scene: take pictures of the entire scene, gradually moving closer to the suspect computer while it is still connected to most of its cables. You may compare this technique with the photographs taken in the CSI crime drama series (CSI drama).

Step 2: Authenticate the Evidence

It is very challenging to prove that the digital evidence we have collected is the same as what the criminal left behind. Digital evidence can be damaged for many reasons, some of them beyond our control. The best we can do is to show that we followed sound procedure and that any changes are due to the nature of the environment and do not affect the evidentiary value of the evidence. The chain of custody and the other evidence-handling rules discussed above assure the jury that no malicious changes occurred and that it is reasonable to accept that the crime scene described by the digital evidence is the same as the scene at the time of the incident. In the digital world we have a further advantage: we can show that the evidence did not change at all after we collected it. Cryptographic techniques such as hash functions and digital signature schemes can provide integrity and time-stamping for digital evidence. A cryptographic hash function generates a fixed-length binary output (e.g., 160 bits for SHA-1) from data of any size. The technique rests on the assumption that no one can find two digital files whose hash outputs are the same. The commonly used cryptographic hash functions are SHA-1 (a U.S. government standard) and MD5. As mentioned earlier, MD5 was considered secure until August 2004, and SHA-1 until August 2005.
Then Xiaoyun Wang and her colleagues not only published pairs of files with the same MD5 hash in August 2004, but in 2005 also designed relatively efficient algorithms (about 2^63 operations) for finding two files with the same SHA-1 hash. Although the SHA-1 result was still theoretical at the time, as mentioned earlier, an Australian court case (see reference) used these arguments to void traffic tickets. Since both hash functions are broken in theory, forensic professionals face serious challenges in maintaining the integrity of evidence, especially as most existing software uses SHA-1 or MD5 as its underlying hash function. One may use the next-generation hash functions SHA-256, SHA-384, or SHA-512, designed by the National Institute of Standards and Technology (NIST) for U.S. government use. At the 2005 Crypto conference in Santa Barbara, California, NIST organized a hash function workshop, and at that time NIST's confidence even in these functions appeared limited; we will hear more news about hash functions in the near future. In practice the SHA-2 family has held up: no collision has been found for SHA-256, and it is the function a forensic tool should record today, ideally alongside MD5 or SHA-1 where compatibility with older tools is needed, since a collision against one algorithm does not help against a set of them.

Another cryptographic technique for authenticating digital evidence is the public key digital signature scheme (DSS). Digitally signing evidence is more or less equivalent to sealing it in a secure container. I am not aware of any forensic analysis tools that provide this capability yet, but future forensic tools will provide this functionality. Digital signatures produced under approved schemes have recognized legal standing in the United States and are accepted by U.S. courts. (The topic of digital signature schemes is treated in the Security Engineering module.)

Step 3: Analysis

It is always recommended to image the original data/drive and to create a second copy from that image (e.g., on a tape drive); the original is then never touched again.
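The procedure described for Step 2 and the start of Step 3 (hash the evidence at acquisition, authenticate every working copy against those hashes, and document who held the item, when and why), as an added example that is not part of the original seminar. The image bytes are constructed so the code runs offline; several hash algorithms are recorded side by side (MD5 and SHA-1 for compatibility with older tools, SHA-256 for the actual integrity guarantee); and the custody log is my own illustration of Kruse and Heiser's questions, in which each entry carries the hash of the previous entry so that an altered or removed entry is detectable. The item number and custodian names are placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample "disk image": deterministic bytes, not real evidence.
# A real image would be read from the imaging tool's output file in chunks.
ORIGINAL_IMAGE = bytes(range(256)) * 64            # 16 KiB
# MD5/SHA-1 for compatibility with older tools, SHA-256 for integrity.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(data, chunk_size=4096):
    """Return {algorithm: hexdigest}, hashing in chunks as a tool would for a
    multi-gigabyte file. All algorithms see the same pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(reference_hashes, copy_data):
    """Authenticate a working copy against the hashes recorded at acquisition.
    Every recorded algorithm must match; returns (ok, [algorithms that differ])."""
    actual = hash_image(copy_data)
    mismatched = sorted(name for name in reference_hashes
                        if not hmac.compare_digest(reference_hashes[name], actual[name]))
    return len(mismatched) == 0, mismatched


class CustodyLog:
    """Append-only record answering who collected/held the item, when and why.
    Each entry stores the SHA-256 of the previous entry (hash chaining, my own
    illustration), so editing or dropping an earlier entry breaks later links."""

    def __init__(self, item_id, acquisition_hashes):
        self.item_id = item_id
        self.entries = []
        self.append("examiner", "acquired", "imaged suspect drive", acquisition_hashes)

    @staticmethod
    def _entry_hash(entry):
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def append(self, custodian, action, reason, hashes, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "item": self.item_id,
            "time_utc": when.isoformat(),
            "custodian": custodian,
            "action": action,                 # acquired / checked_out / checked_in
            "reason": reason,
            "hashes": dict(hashes),           # what the evidence hashed to at this point
            "prev": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = self._entry_hash(entry)   # computed before the key exists
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link; return (ok, seq of first bad entry or None)."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or self._entry_hash(body) != entry["entry_hash"]:
                return False, entry["seq"]
            prev = entry["entry_hash"]
        return True, None


def demo():
    """Acquire, hand a verified copy to an analyst, and show a damaged copy failing."""
    acquisition = hash_image(ORIGINAL_IMAGE)
    log = CustodyLog("HD-0001", acquisition)
    working_copy = bytes(ORIGINAL_IMAGE)              # byte-identical clone
    ok, bad = verify_copy(acquisition, working_copy)
    log.append("analyst", "checked_out", "keyword search", hash_image(working_copy))
    damaged = bytearray(working_copy)
    damaged[1000] ^= 0x01                              # one flipped bit
    ok_damaged, bad_damaged = verify_copy(acquisition, bytes(damaged))
    return ok, bad, ok_damaged, bad_damaged, log


if __name__ == "__main__":
    ok, bad, ok_damaged, bad_damaged, log = demo()
    print("clone authenticates:", ok, "damaged copy authenticates:", ok_damaged, bad_damaged)
    print("custody log intact:", log.verify())
```

The chained log is only as trustworthy as the store it lives in; in a lab it would be printed or written to write-once media at each hand-over, which is what turns the hash chain into something an opposing attorney cannot dismiss as editable.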
Analysis should be carried out on the duplicated version of the evidence. One advantage of digital evidence is that we can even analyze the evidence actively (e.g., modify a working copy in different ways to understand more about the crime) without damaging the original. Though there are many digital evidence analysis tools on the market, some of which we will discuss in the next few weeks, no case can be analyzed automatically by tools. Each tool has limitations and cannot do everything we want, so we need to be familiar with the full functionality of each tool and apply it to unforeseen circumstances with human intelligence. For example, the EnCase software toolkit supports time zones so that evidence collected from different zones can be synchronized and the investigator can see a chronological view of all events. However, criminals may change the machine clock or alter file timestamps, so the "synchronized" timeline may lead to the wrong conclusion.

Platform-specific digital evidence analysis tools will be discussed in future weeks; here we focus on the framework of digital evidence analysis using generic tools. The standards and principles for the analysis process are the same as for acquisition: do not damage the evidence, and never overstep legal boundaries. In particular, we need to apply the seven SWGDE criteria and follow the IOCE principles, which establish the same level of standards and acceptable practice adhered to by physical investigators. There are quite a few forensic backup tools that are "acceptable" (i.e., recognized by law enforcement organizations) for forensic use. These tools produce a bit-for-bit clone of the original drive.
We should always use accepted forensic imaging tools, since a "normal" backup tool of the kind used by system administrators does not copy deleted files or the other areas of the drive that interest us. When making a digital copy of an evidence drive, we should always compute cryptographic hash outputs (e.g., using SHA-256 at the moment) of both the original and the newly created copy and compare them to confirm that the copy is exactly the same as the original. Then we can use a forensic tool to analyze the master boot record and the boot sector of the duplicated evidence drive for useful information. We can also search the entire evidence drive for terms related to the case. Next, we may consider manually recovering deleted files with a forensic tool (much patience is needed during this process). The last step is to check unallocated and slack space for residual data. Whenever evidence is located during analysis, we should bookmark it for later analysis (several tools have this capability), and several tools can generate forensic reports automatically from these bookmarks.

Digital evidence investigative reconstruction: In most cases, the acquired evidence is not arranged in a way that can be used directly in court. A crime may involve multiple victims at multiple crime scene locations, and the criminal may have committed the crime in a way designed to confuse investigators. Thus, digital evidence reconstruction is an important component of the entire forensic analysis process. According to Casey (2004, p. 115) and Casey (2000), digital evidence "reconstruction refers to the systematic process of piecing together evidence and information gathered during an investigation to gain a better understanding of what transpired between the victim and the offender during a crime." The textbook discusses the following basic elements of an investigative reconstruction: equivocal forensic analysis, victimology, and crime scene characteristics. Although there are many tools for digital evidence acquisition, few tools exist for evidence reconstruction; the reconstruction process demands more human intelligence.

Equivocal forensic analysis: Equivocal forensic analysis is the first step in the process of behavioral evidence analysis (BEA). The term refers to the fact that the acquired digital evidence can be interpreted in more than one way; the purpose of the analysis is to find its most likely meaning. For digital evidence, this involves answering the following questions: where the computer came from, who used it in the past, how it was used, what data it contained, and whether a password was required. The textbook describes three categories of techniques for equivocal forensic analysis: relational, functional, and temporal. If a computer crime case involves a large number of people and computers, it is useful to build a relationship table or diagram describing the associations between them. Functional analysis identifies the necessary conditions for certain aspects of the crime; for instance, functional testing determines whether the suspect's computer was capable of performing the suspected actions. In temporal analysis, investigators create a chronological list of events to identify patterns and anomalies that could lead to other sources of evidence.
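Temporal analysis as described above, as an added example that is not part of the original seminar. The log lines, host names, time-zone offsets and acquisition time are constructed for illustration. The code merges logs recorded in different time zones into one UTC timeline (the time-zone normalization the seminar credits to EnCase) and then flags two kinds of timestamp that cannot be right as recorded, which is where a changed machine clock or an edited log file shows up: a line in an append-only log that is dated earlier than the line before it, and an event dated after the evidence was imaged.

```python
from datetime import datetime, timezone

# Constructed sample logs (not from any real case). Each source keeps its own
# local time and UTC offset, as exported logs typically do. Lines are in file
# order, which for an append-only log is the true order of writing.
SAMPLE_LOGS = {
    "fileserver": [
        "2012-03-01T12:05:00+10:00 login user=alice",
        "2012-03-01T12:20:00+10:00 open file=payroll.xls user=alice",
        "2012-03-01T12:21:00+10:00 logout user=alice",
    ],
    "workstation": [
        "2012-02-29T21:10:00-05:00 login user=alice",
        "2012-02-29T21:19:00-05:00 usb_attached dev=sandisk",
        "2012-02-29T18:30:00-05:00 copy file=payroll.xls dst=E:/",   # earlier than the line above
        "2012-02-29T21:25:00-05:00 logout user=alice",
        "2012-03-01T10:00:00-05:00 login user=alice",                 # after the image was taken
    ],
}
# When the workstation was imaged (UTC). No genuine event can postdate it.
ACQUIRED_AT = datetime.fromisoformat("2012-03-01T03:00:00+00:00")


def parse_line(source, position, line):
    """Split 'ISO-8601-with-offset message' and convert the stamp to UTC.
    'position' is the line's index in its file, kept for order checks."""
    stamp, _, message = line.partition(" ")
    local = datetime.fromisoformat(stamp)
    if local.tzinfo is None:
        raise ValueError(f"{source}:{position}: timestamp has no UTC offset")
    return {"source": source, "position": position,
            "utc": local.astimezone(timezone.utc), "message": message}


def build_timeline(logs):
    """Merge all sources into one list ordered by UTC time. Ties are broken by
    source name and file position so the output is deterministic."""
    events = [parse_line(src, i, line)
              for src, lines in logs.items() for i, line in enumerate(lines)]
    events.sort(key=lambda e: (e["utc"], e["source"], e["position"]))
    return [(e["utc"].isoformat(), e["source"], e["message"]) for e in events]


def find_anomalies(logs, acquired_at):
    """Flag timestamps that cannot be right as recorded. Checks run in file
    order per source, not on the merged timeline, because the ordering
    assumption only holds within one append-only file."""
    findings = []
    for src, lines in logs.items():
        previous = None
        for i, line in enumerate(lines):
            e = parse_line(src, i, line)
            if previous is not None and e["utc"] < previous:
                findings.append(("clock_backwards", src, e["message"]))
            if e["utc"] > acquired_at:
                findings.append(("after_acquisition", src, e["message"]))
            previous = e["utc"]
    return findings


if __name__ == "__main__":
    for when, source, message in build_timeline(SAMPLE_LOGS):
        print(when, source, message)
    for finding in find_anomalies(SAMPLE_LOGS, ACQUIRED_AT):
        print("ANOMALY", *finding)
```

A flagged line is a lead, not a conclusion: a backwards jump can also be a legitimate NTP correction, so the next step is to look for corroborating sources (the file server's own record of the copy, USB device timestamps) before treating the workstation clock as tampered.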
For instance, a system log file with anomalies may change the direction of further investigation.

Victimology: Victimology is the second step in the BEA process. It builds profiles of victims in the same way that profiles are built of the perpetrator. Determining why, how, where, and when a particular victim was chosen helps forensic investigators understand more about the offender and establish potential links between victim and offender. One of the most important aspects of the offender-victim link is the victim's risk and the effort the offender was willing to make to reach that specific victim.

Crime scene characteristics: This step involves determining a number of factors relevant to the location of the crime scene, where it is placed relative to other related crime scenes, and how the offender approached the victims. For instance, if we find that an intruder broke into multiple computers on a network, we can find more evidence on the other compromised computers that helps us understand the offender's true motive. During crime scene investigation, we should always remember that minor details regarding the offender can be important to the whole investigation; no detail at the crime scene should be overlooked.

Offender characteristics: In this last step of BEA, the offender's behavioral and personality characteristics are derived from, and informed by, the three preceding steps. This is not a final report on the offender; it should be constantly updated and reviewed as new material comes to light and old material is refuted or disproved.

Reporting

Forensic investigative reports are an important component of the entire forensic investigation process. Two types are commonly used: Threshold Assessments and Full Investigative Reports. According to the textbook (p. 134), "a Threshold Assessment is an investigative report that reviews the initial physical evidence of crime related behavior, victimology, and crime scene characteristics for a particular unsolved crime, or a series of potentially related unsolved crimes, to provide immediate investigative direction," whereas "a Full Investigative Report follows the same structure as a Threshold Assessment but includes more details and has firmer conclusions based on all available evidence." A forensic investigative report should include: a summary of conclusions, a summary of the examinations performed, detailed case background, victimology, equivocal analysis, crime scene characteristics, investigative suggestions, statements regarding the investigators' qualifications, and a declaration of interests.

Courtroom Presentation

It is important to present the investigative process and conclusions effectively and professionally to the judge and jury. In addition to the technical presentation, we should pay attention to some rules of the court that we, as information technology professionals, may not be aware of.

1. Dress appropriately in court; some courts have their own dress codes.
2. Stand up when beginning to speak. If a question is not understood, ask for it to be repeated.
3. Always be honest in court. Otherwise, the defense may attack our credibility, which casts doubt on our testimony.

Useful Links
1. Morris, T., MD5 and Speed Cameras: http://pubs.tmorris.net/md5-speed-cameras/pdf/
2. MD5 standard: http://www.ietf.org/rfc/rfc1321.txt
3. SHA1 standard: http://www.itl.nist.gov/fipspubs/fip180-1.htm
4. SHA2 standard: http://csrc.nist.gov/CryptoToolkit/tkhash.html
5. http://www.corpus-delicti.com/
6. http://www.crimelibrary.com/

Bibliography
Casey, E. (2011) Digital evidence and computer crime: forensic science, computers and the internet. 3rd ed. New York: Elsevier Academic Press.
Casey, E. (2000) Criminal Profiling, Computers, and the Internet. Journal of Behavioral Profiling, 1(2).
Kruse, W. G. II & Heiser, J. G. (2002) Computer forensics: incident response essentials. Boston: Addison Wesley.
Scene investigation: http://www.crime-scene-investigator.net/
Crime scene: http://www.crime-scene-investigator.net/csi-photo.html
MD5: http://www.ietf.org/rfc/rfc1321.txt
SHA1: http://www.itl.nist.gov/fipspubs/fip180-1.htm
MD5 Collision-a: http://eprint.iacr.org/2004/199.pdf
MD5 Collision-b: http://eprint.iacr.org/2005/067.pdf
FBI Examination: http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
Simpson case: http://www.wagnerandson.com/oj/OJ.htm
SWGDE: http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
CSI drama: http://www.tv.com/csi/show/19/summary.html
DSS: http://csrc.nist.gov/cryptval/dss.htm
DMCA: http://www.copyright.gov/legislation/dmca.pdf

Reading Requirements
Read textbook chapters 6, 7, 8, 9. Skim pages 266-283.



Robert answered on Dec 31 2021
Location
This is the first step towards recovery. Generally it starts with the recovery of data structures from byte streams. There are three different methods for recovering a data structure: fixed offset, calculation and iteration. The first method is used in a FAT file system, in particular for the boot sector. The second method takes the values from other fields to locate the data structure. The last method analyses chunks of data and validates them. These three methods can be used individually or in combination. Sleuthkit's IIS software can be taken as an example of a combination. It depends on the FAT system. This combination first performs the recovery of the boot sector. After the boot sector is recovered, the calculation of data is started, which ends with the validation of the pieces of data.

Extraction
We’ll start with extracting the data once we are done with searching for and finding the data. For example, a byte stream of 0x64 and 0x53 can be used for extraction. This extraction is done in two formats: one as an ASCII string and the second as big endian. Not only this string but any other string present in the information can be used. The difference will only be in the...
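Locating on-disk structures by the three methods the answer names (fixed offset, calculation from other fields, and validation of the result) applied to the seminar's Step 3 advice to start analysis at the master boot record and boot sector, as an added example that is not part of the original page or of The Sleuth Kit. The 64-sector sample disk, its single FAT16 partition and the BPB values are constructed; a real examination would read these sectors from the verified working copy. The partition table and BPB offsets used are those of the MBR and FAT on-disk formats.

```python
import struct

SECTOR = 512
# MBR partition entry (16 bytes): status, CHS start, type, CHS end, LBA start, sector count
MBR_ENTRY = struct.Struct("<B3sB3sII")
# FAT BIOS Parameter Block at fixed offset 0x0B: bytes/sector, sectors/cluster,
# reserved sectors, FAT count, root entries, total sectors (16-bit), media,
# sectors/FAT (16-bit), sectors/track, heads, hidden sectors, total sectors (32-bit)
BPB = struct.Struct("<HBHBHHBHHHII")


def build_sample_disk():
    """Constructed 64-sector disk: an MBR with one FAT16 partition at LBA 63 and
    the partition's boot sector. Only the first 64 sectors are materialised."""
    disk = bytearray(64 * SECTOR)
    disk[0x1BE:0x1BE + 16] = MBR_ENTRY.pack(0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 204800)
    disk[510:512] = b"\x55\xAA"
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSWIN4.1"
    bs[0x0B:0x0B + BPB.size] = BPB.pack(512, 4, 1, 2, 512, 0, 0xF8, 200, 63, 255, 63, 204800)
    bs[510:512] = b"\x55\xAA"
    disk[63 * SECTOR:64 * SECTOR] = bs
    return bytes(disk)


def parse_mbr(disk):
    """Fixed offset: four 16-byte entries at 0x1BE, signature 0x55AA at 0x1FE."""
    if disk[510:512] != b"\x55\xAA":
        raise ValueError("MBR signature missing")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = MBR_ENTRY.unpack_from(disk, 0x1BE + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def check_boot_sector(sector):
    """Validation: return the names of BPB fields whose values are implausible.
    The sector is only trusted for calculation when this list is empty."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return ["signature"]
    bps, spc, reserved, nfats, _root, total16, _media, spf16, _spt, _heads, _hidden, total32 = BPB.unpack_from(sector, 0x0B)
    problems = []
    if bps not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector")
    if spc == 0 or spc & (spc - 1):            # must be a power of two
        problems.append("sectors_per_cluster")
    if reserved == 0:
        problems.append("reserved_sectors")
    if nfats not in (1, 2):
        problems.append("num_fats")
    if spf16 == 0:                             # FAT32 keeps this in a different field
        problems.append("sectors_per_fat")
    if (total16 or total32) == 0:
        problems.append("total_sectors")
    return problems


def parse_fat_boot_sector(sector):
    """Calculation: derive FAT, root-directory and data-area locations from the
    BPB fields (sector numbers relative to the start of the volume)."""
    problems = check_boot_sector(sector)
    if problems:
        raise ValueError("implausible BPB: " + ", ".join(problems))
    bps, spc, reserved, nfats, root_entries, total16, _m, spf16, _s, _h, _hid, total32 = BPB.unpack_from(sector, 0x0B)
    total = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    root_start = reserved + nfats * spf16
    data_start = root_start + root_dir_sectors
    clusters = (total - data_start) // spc
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"oem": sector[3:11].decode("ascii", "replace"), "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "fat_start": reserved, "root_dir_start": root_start,
            "data_start": data_start, "cluster_count": clusters, "fat_type": fat_type}


def cluster_to_sector(layout, cluster):
    """Data area starts at cluster 2; map a cluster number to a volume sector."""
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]


def locate_volume(disk, partition_index=0):
    """Combine the three methods: MBR (fixed offset) -> boot sector read from the
    partition's LBA -> validated BPB -> calculated layout with absolute sectors."""
    part = parse_mbr(disk)[partition_index]
    start = part["lba_start"]
    layout = parse_fat_boot_sector(disk[start * SECTOR:(start + 1) * SECTOR])
    layout["partition_lba"] = start
    layout["abs_data_start"] = start + layout["data_start"]
    return layout


if __name__ == "__main__":
    print(locate_volume(build_sample_disk()))
```

Validation before calculation matters on real evidence: a suspect can write nonsense into the BPB, and a tool that trusts those fields will compute cluster addresses far outside the partition. A boot sector that fails the checks is a cue to recover the layout from a backup boot sector or by iterating over candidate sectors rather than to abort the examination.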