Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz
Copyright © 2013 by Pearson Education, Inc. All Rights Reserved
Chapter 10: Computer Forensics: Terminology and Requirements
Learning Objectives
Learn some of the problems associated with computer investigation.
Gain insight into how computer disks are structured.
Be able to discuss the means by which computers store data.
Explore the types of data recovery methods that agencies use today.
Develop a working knowledge of FAT and its importance to computer investigation.
Learn the five categories of software that can be used in computer investigation.
Computer Forensics – An Emerging Discipline
New Police Techniques and Strategies
New Patterns of Criminal Behavior
New Technology
It is necessary to maintain the integrity of evidence by:
Maintaining a chain of custody
Ensuring that viruses or other malware are not introduced to a suspect machine during analysis
Ensuring that evidence remains in an unaltered state
Goal: Protect digital evidence from alteration, damage, data corruption, or infection, whether deliberate or careless
Traditional Problems in Computer Investigations
Many echo problems with criminal investigations in general.
Inadequate resources
For local law enforcement, increased responsibilities and dwindling budgets reduce the chance of taking advantage of the limited educational opportunities that exist
Lack of communication and cooperation among agencies
Forced alliances may not achieve much success
Overreliance on automated programs and self-proclaimed experts
Does great need translate into unrealistically great expectations for any effort?
Lack of reporting
Low rate of reporting by victims, due to a perception that law enforcement is incompetent
Exacerbated by corporate advisors' self-serving, discouraging take on the process
Belief that law enforcement lacks sufficient resources
Evidence Corruption – Cardinal Rules of Computer Investigations
Always work from an image, leaving the original hard drive unaltered.
Document, document, document.
Maintain the chain of custody.
Disk Structure and Digital Evidence
Terms to know:
Operating systems
Hardware
Software
Firmware
Computer
Static memory
Volatile memory (cache, RAM)
Nonvolatile storage
Computer storage
Primary storage
Secondary storage
Floppy disks or diskettes
CD-ROMs
CD-RWs
Hard/fixed disks
Disk Structure and Data Storage
Drives
Physical drive: the device itself, addressed at the electronic or machine level (sectors)
Physical file size: the space the file actually occupies on the disk, i.e., its logical size rounded up to whole clusters
Logical drive: an allocated part of a physical drive (a partition or volume) that is designated and managed as an independent unit; the most important view in computer forensics
Logical file size: the exact size of a file in bytes; the difference between physical and logical size is the file slack
Terms
Bits
Tracks
Cylinder
Sectors
Shaft
Head
Actuator arm
Platters
Spindle
ASCII
Binary system
Hexadecimal system
Clusters (aka file allocation units)
Compressed files
Partition Table
File Systems
FAT: File Allocation Table (FAT16, FAT32); a table of cluster-chain entries plus directory entries that record each file's name, first cluster and size
NTFS (New Technology File System; may use the Encrypting File System [EFS], in which case file contents cannot be read without the user's key)
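As an added example that is not from the book or from any of the tools it names, the following Python builds a small disk image in memory (an MBR with one FAT16 partition, two FAT copies, a root directory holding one live and one deleted entry, and a data area) and then parses it the way a forensic tool would. It shows what the partition table and the BIOS Parameter Block contain, how a file's clusters are located through the FAT chain, why the physical size is the logical size rounded up to whole clusters with the remainder being file slack (here still holding residue of an earlier file), and how a deleted directory entry (first name byte 0xE5) still yields a recoverable starting cluster and size. Every on-disk value, file name and content is constructed for the example.

```python
# Added example (not the book's code): build a tiny MBR + FAT16 disk image in
# memory, then parse it the way a forensic tool does.  Every value is made up.
import struct

BPS = 512                     # bytes per sector of the constructed image
FAT16_EOC = 0xFFF8            # FAT16 entries >= this end a cluster chain
DIR_FMT = "<8s3sBBBHHHHHHHI"  # 32-byte directory entry; last two fields: first cluster, size

def dir_entry(name, ext, first_cluster, size):       # archive attribute, zeroed timestamps
    return struct.pack(DIR_FMT, name, ext, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, first_cluster, size)

def build_image():
    img, part_lba, part_len = bytearray(BPS * 64), 8, 48
    base = part_lba * BPS
    # MBR: partition entry 0 at offset 446 (type 0x06 = FAT16) and the 0x55AA signature.
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x06, b"\0\0\0", part_lba, part_len)
    img[510:512] = b"\x55\xAA"
    # Boot sector: jump + OEM name, BPB (bytes/sector, sectors/cluster, reserved sectors,
    # FAT copies, root entries, total sectors, media byte, sectors/FAT), type, signature.
    boot = bytearray(BPS)
    boot[0:11] = b"\xEB\x3C\x90MSWIN4.1"
    struct.pack_into("<HBHBHHBH", boot, 11, BPS, 4, 1, 2, 16, part_len, 0xF8, 1)
    boot[54:62], boot[510:512] = b"FAT16   ", b"\x55\xAA"
    img[base:base + BPS] = boot
    # Two FAT copies: 0/1 reserved, chain 2 -> 3 -> EOC, cluster 4 free (its file was deleted).
    fat = bytearray(BPS)
    struct.pack_into("<HHHHH", fat, 0, 0xFFF8, 0xFFFF, 0x0003, 0xFFFF, 0x0000)
    img[base + BPS:base + 3 * BPS] = fat + fat
    # Root directory (sector 3): one live file, one deleted (first name byte 0xE5).
    root = base + 3 * BPS
    img[root:root + 64] = dir_entry(b"REPORT  ", b"TXT", 2, 3000) + dir_entry(b"\xE5ECRET  ", b"DOC", 4, 1500)
    # Data area (sector 4 on): old residue, REPORT.TXT over part of it, then the deleted memo.
    data = base + 4 * BPS
    img[data:data + 4096] = b"DELETED!" * 512
    img[data:data + 3000] = b"A" * 3000
    img[data + 4096:data + 5596] = b"secret memo " * 125
    return img

def parse_mbr(img):                                  # non-empty slots of the partition table
    if img[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    slots = [struct.unpack_from("<B3xB3xII", img, 446 + 16 * i) for i in range(4)]
    return [{"bootable": s == 0x80, "type": t, "lba": lba, "sectors": n} for s, t, lba, n in slots if t]

def parse_bpb(img, part_lba):                        # decode the BPB, derive the region layout
    base = part_lba * BPS
    if img[base + 510:base + 512] != b"\x55\xAA":
        raise ValueError("missing boot sector signature")
    bps, spc, reserved, fats, root_entries, _, _, spf = struct.unpack_from("<HBHBHHBH", img, base + 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {"bps": bps, "spc": spc, "cluster_size": bps * spc, "reserved": reserved,
            "root_entries": root_entries, "root_sector": reserved + fats * spf,
            "first_data_sector": reserved + fats * spf + root_sectors,
            "fs_type": bytes(img[base + 54:base + 62]).decode("ascii").strip()}

def read_root_dir(img, part_lba, bpb):               # 0xE5 = deleted entry, 0x00 = end of list
    off, entries = (part_lba + bpb["root_sector"]) * bpb["bps"], []
    for i in range(bpb["root_entries"]):
        raw = img[off + 32 * i:off + 32 * (i + 1)]
        if raw[0] == 0:
            break
        name, ext, *_, first_cluster, size = struct.unpack(DIR_FMT, raw)
        deleted = raw[0] == 0xE5
        stem = (b"?" + name[1:] if deleted else name).decode("ascii").rstrip()
        entries.append({"name": f"{stem}.{ext.decode('ascii').rstrip()}", "deleted": deleted,
                        "first_cluster": first_cluster, "size": size})
    return entries

def cluster_offset(part_lba, bpb, cluster):          # data clusters are numbered from 2
    return (part_lba + bpb["first_data_sector"] + (cluster - 2) * bpb["spc"]) * bpb["bps"]

def cluster_chain(img, part_lba, bpb, first):        # follow FAT16 entries to end-of-chain
    fat, chain, cur = (part_lba + bpb["reserved"]) * bpb["bps"], [], first
    while cur < FAT16_EOC:
        chain.append(cur)
        cur = struct.unpack_from("<H", img, fat + 2 * cur)[0]
        if cur == 0 or cur == 0xFFF7 or cur in chain:  # free, bad, or looping cluster
            raise ValueError(f"broken chain after cluster {chain[-1]}")
    return chain

def physical_size(logical_size, cluster_size):      # logical size rounded up to whole clusters
    return -(-logical_size // cluster_size) * cluster_size

def extract_file(img, part_lba, bpb, entry):        # (content, slack) of a live file
    chain = cluster_chain(img, part_lba, bpb, entry["first_cluster"])
    raw = b"".join(bytes(img[o:o + bpb["cluster_size"]]) for o in (cluster_offset(part_lba, bpb, c) for c in chain))
    return raw[:entry["size"]], raw[entry["size"]:]

def recover_deleted(img, part_lba, bpb, entry):
    # Deletion frees the chain; only first cluster and size survive in the directory
    # entry, so read forward from that cluster assuming the file was stored contiguously.
    start = cluster_offset(part_lba, bpb, entry["first_cluster"])
    return bytes(img[start:start + physical_size(entry["size"], bpb["cluster_size"])])[:entry["size"]]

def demo():
    img = build_image()
    part = parse_mbr(img)[0]
    bpb = parse_bpb(img, part["lba"])
    live, gone = read_root_dir(img, part["lba"], bpb)
    content, slack = extract_file(img, part["lba"], bpb, live)
    return {"fs_type": bpb["fs_type"], "cluster_size": bpb["cluster_size"], "file": live["name"],
            "chain": cluster_chain(img, part["lba"], bpb, live["first_cluster"]),
            "logical": len(content), "physical": physical_size(live["size"], bpb["cluster_size"]),
            "slack": slack, "deleted": gone["name"], "recovered": recover_deleted(img, part["lba"], bpb, gone)}
```

demo() returns the parsed values: a 2048-byte cluster size, REPORT.TXT occupying clusters 2 and 3 with a logical size of 3000 bytes and a physical size of 4096, 1096 bytes of slack that still read "DELETED!", and the deleted ?ECRET.DOC recovered from cluster 4. The recovery follows the usual FAT undelete caveat: it assumes the freed clusters were contiguous and have not been reused, which a real examination must confirm against unallocated space.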
Firmware – Operating Instructions
Instructions stored on the hardware itself; neither ordinary hardware nor ordinary software
Terms
BIOS (Basic Input/Output System)
Runs the POST, then hands control to the bootstrap loader read from the boot sector (absolute sector 0 of the disk); examiners check the BIOS boot order before starting a suspect machine from forensic boot media, so the evidence disk itself is never booted
POST (Power-on self-test)
Data integrity
Cyclic redundancy check (CRC): a validation tool that detects accidental corruption but is not collision-resistant, so it is no substitute for a cryptographic hash
MD5 hash: a verification tool for disk images; MD5 collisions are now practical, so current practice records SHA-256 (or at least SHA-1) alongside it
HashKeeper: a database of hash values of known files, used to eliminate known-good files and flag known-bad ones
Developing Computer Forensic Science Capabilities
Standard operating procedures (SOPs) change constantly because of advances in technology.
They should be clearly articulated and readily available
They should specify the appropriate software, hardware, and special investigative procedures
Minimum Housing Requirements
Need to have secure, clean facilities suitable for conducting forensic analysis
Minimum Hardware Requirements
Lab systems
Basic: bare-bones equipment
Better: more capable, but handles only one task at a time
Power: capable of handling larger workloads simultaneously
Dream: the best system available
Evidence storage drive
Operating system
Display
Uninterruptible power supply
Write blocker
Scanner
Printer
Evidence backup
Considerations
Type of computer
Processor speed
Memory
Network
I/O interfaces
Optical drive
OS drive
Evidence storage drive
Operating system
Write blocker
Battery
Minimum Software Requirements
Data Preservation, Duplication, and Verification Tools
Imaging programs play a critical role
Pick at least two that the examiner is comfortable with, so that one tool's image and hash can be cross-checked against the other's
To comply with the NIST (Computer Forensic Tool Testing) requirements for disk imaging tools, the tool ought to:
Be capable of making a bitstream duplicate or an image of an original disk or partition onto fixed or removable media
Not alter the original disk
Be able to access both IDE and SCSI disks (and, on today's hardware, SATA, NVMe and USB)
Be able to verify the integrity of a disk image file
Log I/O errors
Provide substantial documentation
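An added example, not from the book and not the code of any imaging tool it names: a minimal Python imager that follows the requirements above against a constructed in-memory "device". It only ever reads the source, addresses every sector explicitly so that one failed read cannot shift the rest of the copy, logs each I/O error and zero-fills the unreadable sector (the behaviour of dd with conv=noerror,sync), and records CRC32, MD5 and SHA-256 of the image so the stored file can be verified later. The FlakyDevice class, the bad-sector number and the drive contents are all constructed for the example; a real acquisition opens the drive read-only (open(path, "rb")) behind a hardware write blocker.

```python
# Added example (not the book's code): a sector-by-sector imager with the behaviour
# NIST's imaging-tool requirements call for.  The "device" is a constructed in-memory
# object with one bad sector; a real acquisition reads the drive behind a write blocker.
import hashlib
import io
import zlib

SECTOR = 512

class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a block device whose sector `bad` returns an I/O error."""
    def __init__(self, data, bad):
        super().__init__(data)
        self.bad = bad

    def read(self, n=-1):
        if self.tell() // SECTOR == self.bad:
            raise OSError(5, "Input/output error")
        return super().read(n)

def digests(data):
    """CRC32 (detects accidental corruption only), MD5 (legacy), SHA-256 (current practice)."""
    return {"crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def acquire(src, total_sectors, log):
    """Bit-stream copy of `total_sectors` sectors.  Each sector is addressed explicitly so
    one failed read cannot shift everything after it; failures are zero-filled and logged."""
    out = io.BytesIO()
    for lba in range(total_sectors):
        src.seek(lba * SECTOR)
        try:
            chunk = src.read(SECTOR)
        except OSError as err:
            log.append(f"lba {lba}: read error ({err.strerror}); sector zero-filled")
            chunk = b""
        out.write(chunk.ljust(SECTOR, b"\0"))    # short read or error: pad to sector size
    image = out.getvalue()
    record = digests(image)
    log.append(f"acquired {total_sectors} sectors; sha256={record['sha256']}")
    return image, record

def verify(image, record):
    """Re-hash a stored image and compare every digest with the acquisition record."""
    return digests(image) == record

def demo():
    original = bytes(range(256)) * 8              # constructed 4-sector "drive" contents
    log = []
    clean_img, clean_rec = acquire(io.BytesIO(original), 4, log)
    flaky_img, flaky_rec = acquire(FlakyDevice(original, bad=2), 4, log)
    return {"clean_is_bitwise_copy": clean_img == original and clean_rec == digests(original),
            "flaky_same_size": len(flaky_img) == len(original),
            "flaky_bad_sector_zeroed": flaky_img[2 * SECTOR:3 * SECTOR] == b"\0" * SECTOR,
            "flaky_verifies": verify(flaky_img, flaky_rec),
            "tamper_detected": not verify(flaky_img[:-1] + b"\x01", flaky_rec),
            "errors": [line for line in log if "read error" in line]}
```

On a readable device the image is byte-for-byte identical to the source and its digests match those of the source; on the flaky device the image keeps the source's size, sector 2 is all zeros, the log names the failed LBA, and the stored image still verifies against its acquisition record while a single flipped byte does not. The log lines are what goes into the examination notes alongside the hashes.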
Data Recovery Extraction Utilities
Physical extraction (working on the raw drive, independent of any file system) involves:
Keyword-searching
File-carving
Extraction of the partition table and unused space on the physical drive
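An added example, not from the book: the two physical-extraction techniques above run in Python over a raw image that is treated as nothing but bytes. File carving is shown in two forms, header/footer carving for JPEG (start marker to the next end marker) and structure-aware carving for PNG (walk the length-prefixed chunks until IEND, which survives even when a footer string would be ambiguous), and keyword search is run for both ASCII and UTF-16LE encodings, since Windows artifacts frequently store strings as UTF-16. The image, the embedded JPEG and PNG, and the keywords are all constructed for the example.

```python
# Added example (not the book's code): physical-level extraction over a raw image,
# ignoring the file system: header/footer carving for JPEG, chunk-walking carving for
# PNG, and keyword search in ASCII and UTF-16LE.  The image is constructed inline.
import re
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xFF\xD8\xFF", b"\xFF\xD9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def carve_jpeg(image, max_size=16 * 1024 * 1024):
    """Classic header/footer carving: each SOI marker up to the next EOI marker."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = image.find(JPEG_EOI, start + 3, start + max_size)
        if end == -1:            # truncated or footer-less: skip this header, keep scanning
            pos = start + 3
            continue
        found.append((start, image[start:end + 2]))
        pos = end + 2

def png_end(image, start):
    """Walk PNG chunks (length, type, data, CRC) from the signature to IEND; None if truncated."""
    off = start + len(PNG_SIG)
    while off + 12 <= len(image):
        length, ctype = struct.unpack_from(">I4s", image, off)
        off += 12 + length
        if ctype == b"IEND":
            return off
    return None

def carve_png(image):
    """Structure-aware carving: the file ends where its IEND chunk ends, not at a footer string."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_SIG, pos)
        if start == -1:
            return found
        end = png_end(image, start)
        if end is None:
            pos = start + len(PNG_SIG)
            continue
        found.append((start, image[start:end]))
        pos = end

def keyword_search(image, keywords):
    """Offsets of each keyword, case-insensitively, as ASCII and as UTF-16LE (Windows strings)."""
    hits = []
    for kw in keywords:
        for label, pattern in (("ascii", kw.encode("ascii")), ("utf16le", kw.encode("utf-16-le"))):
            hits += [(m.start(), label, kw) for m in re.finditer(re.escape(pattern), image, re.IGNORECASE)]
    return sorted(hits)

def png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def build_image():
    """Constructed raw image: zero filler around a minimal JPEG, a 1x1 PNG and two keywords."""
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 40 + JPEG_EOI
    png = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
    gap = b"\x00" * 700
    image = b"".join([gap, b"meeting with Bob at the dock", gap, jpeg, gap,
                      "Password: hunter2".encode("utf-16-le"), gap, png, gap])
    return image, jpeg, png

def demo():
    image, jpeg, png = build_image()
    return {"image": image, "jpeg": jpeg, "png": png,
            "carved_jpeg": carve_jpeg(image), "carved_png": carve_png(image),
            "hits": keyword_search(image, ["dock", "hunter2"])}
```

Both embedded files come back at their true offsets with their exact bytes, "dock" is found as ASCII and "hunter2" only in its UTF-16LE form, and a JPEG whose end marker is missing is skipped rather than carved to the end of the image. Header/footer carving has no notion of file structure, so on real media it also returns fragments and false positives; that is why tools prefer structure-aware carving wherever a format allows it.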
Logical extraction (working through the file system) involves:
Extraction of the file system information to reveal file characteristics (e.g., file names, file size, file location, attributes)
Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values
Extraction of pertinent files
Recovery of deleted files
Extraction of password protected, encrypted, & compressed data
Extraction of file slack
Extraction of unallocated space
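The data-reduction step above, and the HashKeeper-style known-file list mentioned under data integrity, as an added Python example that is not from the book or from any hash-set product: every file under an evidence tree is hashed once (MD5 and SHA-1 in a single pass, since hash sets carry both), the MD5 is looked up in the known-file set and the SHA-1 confirms the hit, known-good files are eliminated, known-bad ones are flagged even when renamed, and an entry that matches on MD5 alone is sent to review instead of being silently discarded. The reference entries, the evidence files and the temporary directory they are written to are all constructed for the example.

```python
# Added example (not the book's code): hash-based data reduction against a known-file
# set.  The reference set and the evidence tree are constructed in a temporary directory.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16

def hash_file(path):
    """One pass over the file computing both digests; works for files larger than memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def make_hash_set(reference):
    """Index reference files by MD5 (the key older sets use), keeping SHA-1 for confirmation."""
    hs = {}
    for content, category, name in reference:
        hs[hashlib.md5(content).hexdigest()] = {
            "sha1": hashlib.sha1(content).hexdigest(), "category": category, "name": name}
    return hs

def reduce_tree(root, hash_set):
    """Classify every file under `root`.  A file is 'known' only when MD5 and SHA-1 both
    match; an MD5-only match goes to review, because MD5 collisions are practical."""
    buckets = {"eliminated": [], "notable": [], "review": []}
    for dirpath, dirs, names in os.walk(root):
        dirs.sort()                                     # deterministic walk order
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            md5, sha1 = hash_file(path)
            hit = hash_set.get(md5)
            if hit is None:
                buckets["review"].append((rel, "unknown"))
            elif hit["sha1"] != sha1:
                buckets["review"].append((rel, "md5 match only; sha1 differs"))
            elif hit["category"] == "known_good":
                buckets["eliminated"].append((rel, hit["name"]))
            else:
                buckets["notable"].append((rel, hit["name"]))   # matched by content, whatever its name
    return buckets

# Constructed reference set: two operating-system files and one contraband tool.
REFERENCE = [
    (b"MZ\x90\x00 notepad.exe (constructed)", "known_good", "notepad.exe"),
    (b"MZ\x90\x00 calc.exe (constructed)", "known_good", "calc.exe"),
    (b"MZ\x90\x00 cracker.exe (constructed)", "known_bad", "cracker.exe"),
]
HASH_SET = make_hash_set(REFERENCE)
# Stand-in for a collision or a corrupt entry: right MD5, wrong SHA-1.
HASH_SET[hashlib.md5(b"odd bytes (constructed)").hexdigest()] = {
    "sha1": "0" * 40, "category": "known_good", "name": "wrong.dll"}

def demo():
    evidence = {                                            # constructed evidence tree
        "Windows/notepad.exe": b"MZ\x90\x00 notepad.exe (constructed)",
        "Windows/calc.exe": b"MZ\x90\x00 calc.exe (constructed)",
        "Users/j/holiday.jpg": b"MZ\x90\x00 cracker.exe (constructed)",   # renamed to hide it
        "Users/j/letter.docx": b"a document nobody has hashed before",
        "Users/j/odd.bin": b"odd bytes (constructed)",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in evidence.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return reduce_tree(root, HASH_SET)
```

Of the five files, the two operating-system binaries are eliminated, the renamed tool in the user's pictures folder is flagged as cracker.exe because matching is by content rather than by name or extension, and two files remain for the examiner: the unknown document and the file whose MD5 hit could not be confirmed. Real sets are far larger and are loaded from disk rather than built inline, but the classification logic is the same.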
General categories of data analysis software:
Indexing
Text-searching
Viewers
Time frame analysis
Application analysis
Will need to use:
File viewers, often in child pornography cases
Text-searching software for words, phrases, and strings appropriate to each case
Reporting software should generate a report containing the following, at a minimum:
Lab’s name, address, and contact information
Date of report
Name, signature, and address of the investigator and investigative agency
Case number
Case information – Suspect(s), victim(s), alleged offense
Lab case identifier
Evidence Log – Date and receipt of evidence, seizure details, etc.
Physical description of items evaluated
Methods, procedures, products, and/or software used in the analysis
Results of the examination
Conditions affecting the results, where applicable
Basis of opinions and interpretations of results, where applicable
Case-specific information requested by investigator
Statement of compliance or noncompliance with certain specifications or other requirements (as applicable to interpretations)
Miscellaneous software
Presentation applications (e.g., PowerPoint)
Word processing applications
Spreadsheet applications
Wiping software
Antivirus software
A Sampling of Popular Forensic Software
Guidance Software's EnCase Forensic, especially the edition bundled with password crackers
Guidance also makes FastBloc, a hardware write blocker used for imaging and verification
Access Data's Ultimate Toolkit, compatible with images produced by EnCase, SnapBack and SafeBack
Other forensic utilities
Imaging & verification: ByteBack, Safeback
Wiping programs: Maresware's DECLASFY and Access Data's WipeDrive – both meet the Department of Defense's rigorous sanitization standard (evidence drives are wiped before reuse so that residue from one case cannot surface in the next)
Unix: dd (the "data dumper"), grep, The Coroner's Toolkit (TCT)
Conclusions
Guard against poorly run investigations, which stem in part from administrative apathy, inadequate resources, and a lack of appropriate training
Need to satisfy forensic computer science capabilities
Aim for collaboration with civilian experts and corporate entities, when appropriate
Need to meet certain minimum requirements, including equipment and housing