Computer Forensics
The world of crime has expanded right along with the explosion of the internet. The modern cyber criminal has veritable global playground in which to steal money and information from unsuspecting victims. Computer forensics is a quickly emerging science against the increasingly difficult battle to bring criminals to justice who perpetrates crimes on others. The computer forensics field is a relatively new investigative tool but enjoys continual advances in procedures, standards, and methodology which is making the identification, preservation, and analyzing of digital evidence a powerful law enforcement apparatus. The job of the cyber forensic professional is to look for clues the attacker left behind on web sites, servers, and even the e-mail message itself that will unravel their sometimes carefully woven veil of secrecy. Attackers come in all forms and from a variety of different circumstances. For instance, an attacker can begin a phishing scam with only a web server they control with very little programming experience and a way to send a lot of e-mail messages. (Jones 4) In order to combat the waves of cyber-attackers, we must utilize Open Source Community applications to combat the continual onslaught of infections, exploitations, and trickery employed everyday against our systems and networks. Today's attacker uses a variety of technologies to employ their methods and understanding those abilities is integral to preparing for an investigation. While dial up modems would seem pretty much a thing of the past, there are still a significant number of people accessing the Internet via these devices. Cable or DSL modems are now the in-vogue conduit to the Internet and offer the vulnerability of always being "on-line." Criminal activity comes in many different forms including, spam, phishing, viruses, and worms to name a few. Spam and viruses are now being merged together to create a platform to install secret e-mail servers on infected desktop systems and then are used as relays for sending out spam but block the original sender's identification information. The use of this innovative platform provides the attacker with a cloak of invisibility against forensic professionals trying to find them. Gathering a system for forensics investigations requires legal searches and seizures. A system can be obtained through subpoena, search warrant, or if the system is given up voluntarily. Of course, the easiest method for all involved is if the system is given up with consent. Consent is given by the system's primary owner usually if they are not the subject of the investigation. The difficulty with voluntary surrender occurs when the system or device being investigated is part of a business' network and it is implausible to remove the entire string of devices or to take the entire system off-line. Even if the computer or system is voluntarily surrendered, it is imperative that all applicable laws and policies are adhered to when retrieving and securing the suspect computer. The subpoena is used to obtain the system if for instance, the owner does not consent to providing it or if there is a concern that the evidence will be destroyed before the actual investigation on the equipment can begin. Another common use of the subpoena allows for obtaining the suspect system from the owner who is unwilling to hand it over even though they are not a suspect. A variety of reasons may compel a system owner in this situation to be reluctant to surrender their machine and could include that the system contains sensitive business information and policies they do not want revealed to outside agencies. The other way for a system to be obtained for investigation is through a search warrant. The search warrant is usually used when there are significant concerns that a subpoena will allow the owner to damage, destroy, or render useless the evidence contained on the system. It is important to understand that the search warrant option is not available to the private computer forensics investigator only to law enforcement officials. Once a system has been obtained for investigative purposes and the investigation begins, it is important that the chain of custody process is strictly adhered to. Chain of custody allows the evidence to be acquired properly and remain pristine but most importantly to be complete and without gaps. The computer forensics professional ensures the integrity of the chain of custody through the use of a log that includes every time the evidence was accessed as well as procedures that describe each step taken during the search for evidence. Each step of the chain of custody must have specific controls instituted whereby the integrity of the evidence is never compromised. The first step is to take photographs of the real evidence to show it in its original state. Controls include following safety procedures and proper handling practices especially sensitive electro-mechanical devices like storage devices, disks, and hard drives. Chain of Custody controls need to be instituted to prevent accidental changes to the evidence including, applying write blockers, generating snapshots of the media using a hash or checksum before any analysis, and verifying and running analysis tools using read-only access. Protecting the evidence through chain of custody controls is critical to establishing the investigator's expertise and credibility. Computer forensics professionals are required to follow clear, well-defined methods and procedures, as well as have the ability to deal with unexpected circumstances and discoveries. Every forensic investigator must treat every case they work on as if it were going to go to trial. It is so easy to fall into the trap of forgetting that the computer is in fact evidence and not taking the necessary steps to properly document all facets of the investigative process. There are four basic steps to completing a forensics investigation on a system. The investigation begins with data collection, followed by examining and analyzing what was found, and then finally reporting to the client what exactly was found. The tools for performing computer forensics investigations are commonly available on the commercial market. At the very beginning of an investigation, the very first step is to get prepared to do the investigation. Preparation is an essential step in the investigative process and cannot be ignored. The better prepared an investigator is, the better the final product will be. Preparation starts with knowing your hardware which entails understanding what types of devices that the information can be retrieved from. Information retrieval is not limited to the system's hard drive but also can be garnered from digital items such as CD-ROMs and thumb drives, all of which store their information relatively intact. Seasoned investigators can also retrieve information from keyboards, monitors, and printers even though these devices do not store information after being turned off. An important aspect of preparation involves knowing what type of operating system is going to be investigated. As a general rule there are only three types of operating systems most commonly used; Microsoft, Unix/Linux, and the Apple Macintosh systems. Other operating systems are out there but are not quite as popular but would still need to be investigated should the need arise. Some of those lesser utilized systems include, IBM's Disk Operating System, Microsoft's MS-DOS, Linspire, and BeOS which has a user-friendly graphical user interface (GUI) that is very fast and stable. Each of them offer networking capabilities with Unix/Linux being considered as some of the most secured systems. (Schweitzer 46) Operating systems are not just confined to work stations; consideration must also be made to the servers on which information is stored and vulnerable to attack. In today's technologically advanced world, there are so many media storage devices that the forensics professional needs to be prepared to investigate a myriad of apparatuses. Computer users are the primary avenue for attackers to circumvent security measures installed to stop them. In a business setting, key logging can also be a viable tool for detecting fraud, finding out if unauthorized users are gaining access to the system, or locating who is wasting valuable company time and resources. Unfortunately, if the company allows key logging apparatuses to remain on their network, it could be used by the attacker to garner information detrimental to the company. Another prime threat to system and network security is the Universal Serial Bus (USB) device. All modern computers, for the most part, have a number of USB connection ports that allows the user to connect and disconnect a variety of devices quickly and simply. The number of USB devices available in today's market include printers, scanners, mice, modems (wireless and DSL), and of course storage devices which are increasing in storage capability at phenomenal rates. The key aspect of USB storage devices are their portability and convenience of being able to connect and disconnect from the machine without having to shut the machine down. The large storage capacities and portability of USB storage devices make them a particularly attractive vehicle for installing malicious applications without the user's knowledge or consent. Key logging and USB technologies are just two of the obstacles that computer forensics professional face when gathering evidence in response to a computer incident. The number one purpose of computer forensics is the proper identification and collection of computer evidence.(Solomon 52) There are basically two categories of computer evidence; real and documentary. Most everybody is familiar with the term real evidence and is essentially evidence that is an object that can be held, touched, or felt. In computer forensics, real evidence could be the actual computer, keyboards, hard drives, or peripheral devices (including removable media). Documentary evidence on the other hand is the type of evidence that will be used to prove a case in court. Documentary evidence is written documentation in the form of log files, database files, incident-specific files and reports all gathered to show what actually occurred but it must be authenticated. The authentication process proves that the evidence was gathered correctly and the data proves a fact.(Solomon 55) The discussion about evidence cannot be complete without talking about what is known as the best evidence rule. The best evidence rule protects the evidence for being tampered with and requires that the documentary evidence submitted must be an original, not a copy. The advantage behind introducing an original piece of documentary evidence is that there is less opportunity for changes to happen when it was being copied. The majority of evidence that is gathered during computer incident investigations will center on the computer itself plus the storage media used during the incident. When conducting an investigation, it is critical that every single step taken is documented. Investigative documentation encompasses cataloging all the programs installed on the system, gathering the audit and activity log files found using default file names, examining the operating system, and searching for any and all files created by using identified programs. The key to documenting evidence is to be thorough, creative, and persistent. Before the evidence can be gathered, the system requiring investigation must be properly obtained. As the investigation begins, the first place the investigator goes to is the log files which are regarded as the primary record of activity that has transpired in the operating system. The log files are a prime source for finding documented evidence of what is or has happened to the system. Logging's main purpose is to capture and store significant events which are placed in system logs, audit application logs, network management logs, network traffic capture, and state of the file system data. Network logs are also a very good source of information that allows you to see what was recorded concerning ongoing computer activity. It is crucial to understand that the log files are sometimes the only evidence of suspicious activity and must be analyzed to determine the extent of the damage, help systems recover quickly, and provide evidence needed for legal proceedings. Another major source of forensic information can be found in the computer's memory. Computer memory is classified in two forms, non-volatile and volatile. Non-volatile memory is used when the data or information that is stored needs to be maintained for long periods of time. Non-volatile memory can be found on motherboard's BIOS chips and is unlikely to contain information germane to a security breach or incident. On the other hand, volatile memory is the Random Access Memory (RAM) chips that every computer uses to load and store operating system generated data. The problem with retrieving data from volatile memory is that once the computer is turned off, the data and therefore the evidence is lost. The forensic investigator should always collect evidence in a particular but simple order from what is concerned the most to the least volatile. Memory is the most volatile and must be collected for because it can be quickly overwritten or deleted. Collecting data from the temporary file is next followed by the disk and then from the least volatile, the physical configuration of the network. Windows registry plays an important role in computer forensics since so much of the world's computers and systems run Microsoft Windows operating systems. Windows registry is the database where all the information about a computer is stored. The registry is used to store everything from installed applications to the colors displayed on the system's screen.(Schweitzer 70) Hackers are able to compromise a system through improper security and permissions settings. Once the attacker compromises the system, they can hide processes, files, and Registry keys as well as launch malicious applications like Trojan horses the next time the computer is started. One useful tool for collecting volatile Registry data is Process Monitor. Process Monitor is a freeware utility that displays, captures, and logs all Registry activity in real-time which makes it a very useful incident-response and forensic tool. The Microsoft Windows' Recycle Bin provides users with the ability to discard and then later retrieve files and information they had placed there. Most users believe that once the Recycle Bin is emptied, the information or files no longer exists. The fact is the data stays in its original place and only the map leading to the information or file is actually deleted. Computer forensics professionals are able to retrieve the data until the system overwrites the original location where the data was stored. Interestingly, when a file is deleted, the first character of the file name is changed to a hex E5 making it easier to recover the information. There are freeware and shareware utilities available for recovering data that has been deleted via the Recycle Bin but it may be more beneficial to purchase specific software extensive enough to do the job right The computer forensics field is becoming increasingly more important in the fight to repel cyber criminals. The computer forensics professional must be aware how the attacker is able to gain access to the system or network and then exploit the system. In order to catch the exploiter, the investigator must understand the different phases of the investigative process including, obtaining the item for investigating, proper chain of custody procedures, and documenting from start to finish. During the investigation, it is critical that the investigator understands where the primary sources for finding incriminating evidence even though there is software available to do the job automatically. Computer forensics professionals will continue to battle the attacker using their skills, techniques, and imagination to seek out and deny the cyber-criminal the ability to make money at the expense of innocent victims. Aquilina, James M., Eoghan Casey, and Cameron H. Malin. Malware Forensics: Investigating and Analyzing Malicious Code. Burlington, MA: Syngress Publishing, 2008.
Bosworth, Seymour, and Michel E. Kabay. Computer Security Handbook. New York: John Wiley & Sons, 2002.
Caloyannides, Michael A., and Michael A. Caloyannides. Privacy Protection and Computer Forensics. Artech House computer security series. Boston: Artech House, 2004.
Jones, Robert. Internet Forensics. Beijing: O'Reilly, 2006.
Kruse, Warren G., and Jay G. Heiser. Computer Forensics: Incident Response Essentials. Boston, MA: Addison-Wesley, 2001.
McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Network Security Secrets & Solutions. Emeryville, Calif: McGraw-Hill/Osborne, 2005.
Mendell, Ronald L., and Ronald L. Mendell. Investigating Computer Crime in the 21st Century. Springfield, Ill: Charles C. Thomas, 2004.
Middleton, Bruce. Cyber Crime Investigator's Field Guide. Boca Raton, FL: CRC Press, 2002.
Schweitzer, Douglas. Incident Response: Computer Forensics Toolkit. Indianapolis, IN: Wiley, 2003.
Solomon, Michael, Diane Barrett, and Neil Broom. Computer Forensics Jumpstart. San Francisco: Sybex, 2005.