Chapter 23: Computer Forensics


Reference Model

The Electronic Discovery Reference Model (EDRM) is a reference model for e-discovery created by a coalition of consumers and providers focused on improving e-discovery and information governance.

Data Volatility

Here are some sources listed from the most volatile to the most persistent:
-CPU storage (registers/cache)
-System storage (RAM, routing tables, ARP cache, process tables, kernel stats)
-Data on fixed media (complete image)
-Removable media
-Output/hardcopy

Host Forensics

Host forensics refers to the analysis of a specific system. Host forensics includes a wide array of elements, including the analysis of file systems and artifacts of the operating system. These elements are often specific to individual systems and operating systems, such as Linux or Windows.

Big Data

It may seem that big data is all the rage in business today, but in reality it is simply a description of the times. We have created large data stores in most enterprises, a byproduct of cheap storage and the ubiquity of the internet. Big data is an issue in e-discovery as well. The cataloging, storage, and maintenance of corporate records often become big data issues.

Storing Evidence

Store the evidence in an evidence room that has low traffic, restricted access, camera monitoring, and entry logging capabilities. Store components in static-free bags, foam packing material, and cardboard boxes, and inside metal tamper-resistant cabinets or safes whenever possible. Many of today's electronics are sensitive to environmental factors. It is important for storage areas to have environmental controls to protect devices from temperature and humidity changes. It is also prudent to have environmental monitoring devices to ensure that temperature and humidity remain within safe ranges for electronic devices.

Strategic Intelligence / Counter Intelligence Gathering

Strategic Intelligence - the use of all resources to make determinations. This can make a large difference in whether a firm is prepared for threats. Strategic intelligence can provide information that limits the scope of an investigation to a manageable level. If you have an idea of specific acts you want demonstrable evidence of either happening or not happening, you can build a strategic intelligence data set on that information. Where is it, what is it, and what is allowed/not allowed? These are all pieces of information that, when arranged and analyzed, can lead to a data logging plan that supports forensic event capture.

Counter Intelligence - the act of gathering information specifically targeting the strategic intelligence effort of another entity. Knowing what people are looking at and what information they are obtaining can provide insight into their motives and potential future actions.

Cloud

The cloud has become a source for enterprise IT systems, and as such it is intimately involved with e-discovery and forensics. Therefore, it is important that these issues are detailed and outlined in a contract (cloud agreement) between the organization and third parties.

Registry Analysis

The first and foremost Windows artifact is the system registry, which acts as a database repository for a whole host of information and provides a one-stop shop for a wide range of Windows forensic artifacts - what applications have been installed, user activity, activity associated with external devices, and more. Although the specific artifacts needed in an investigation differ based on the scope of the investigation, it is safe to assume that metadata recorded by the Windows operating system will serve a useful purpose in the investigation, especially since the registry is stored by user and therefore the activity recorded in the registry is attributed to a user. The list of artifacts stored by the registry is extremely long, but some of the major ones include logs of a wide range of system and security information.

Recovery

In a digital forensic sense, recovery is associated with determining the relevant information for the issue at hand. This can be a daunting and complicated task. There are ways to trim the work, including creating timelines to indicate when the suspected activity happened, using keywords to see what strings of information make a record relevant, and looking for specific activities. When you can specify specific activities and those activities have logs associated with their occurrence, you can begin to build a solid data set. This leads to the idea of active logging. Ideally, you want to minimize logging so that when you have to use logs, the event you are interested in stands out without being hidden in a sea of irrelevant log items. If the firm sets up logging for specific events in the preparation phase, before the problem occurs, such as copying sensitive files, then later if questions arise as to whether the event happened or not, a log file exists to provide the information. Active logging is covered in more detail later in the chapter. Notes: The CAINE computer forensics Linux live distro and the SANS Investigative Forensic Toolkit (SIFT) are just 2 examples of the many tools you can use to perform computer forensic activities.

Legal Hold

In the US legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party "reasonably anticipates" litigation or another type of formal dispute. Although this sounds technical, it is fairly simple; once you realize you need to preserve evidence, you must use a legal hold or litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case. This event is usually triggered by one firm issuing a litigation hold request to another. E-discovery is a branch of digital forensics dealing with identifying, managing, and preserving information that is subject to legal hold.

Computer Forensics can be performed for 3 purposes:

-Investigating and analyzing computer systems as related to a violation of law.
-Investigating and analyzing computer systems for compliance with an organization's policies.
-Responding to a request for digital evidence (e-discovery).

Capture Video

A convenient method of capturing significant information at the time of collection is video capture. Videos allow high bandwidth data collection that can show what was connected to what, how things were laid out, desktops, and so forth. Pictures of serial numbers and network and USB connections can prove invaluable later in the forensics process. Complete documentation is a must in every forensics process, and photographs can assist greatly in capturing details that would otherwise take a long time and be prone to transcription error. Notes: A digital camera is great for recording a scene and information. Screenshots of active monitor images may be obtained as well. Pictures can detail elements such as serial numbers, cable connections, and more. Photographs are truly worth a thousand words.

Analysis:

After successfully imaging the drives to be analyzed and calculating and storing the message digests, the investigator can begin the analysis. The details of the investigation will depend on the particulars of the incident being investigated. However, in general, the following steps will be involved:
1) Check the recycle bin for deleted files.
2) Check the web browser history files and address bar histories.
3) Check the web browser's cookie files. Different web browsers store cookies in different places.
4) Check the temporary internet files.
5) Search files for suspect character strings. To conserve valuable time, be wise in the choice of words you search for, choosing confidential, sensitive, sex, or other explicit words and phrases related to your investigation.
6) Search the slack and free space for suspect character strings as described previously.

Types of Evidence

All evidence is not created equal. Some evidence is stronger and better than other evidence. Several types of evidence can be germane, listed here:
-Direct Evidence. This is oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the fact is obtained through the 5 senses of the witness.
-Real Evidence. Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.
-Documentary Evidence. This is evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.
-Demonstrative Evidence. This type is used to aid the jury and can be in the form of a model, experiment, chart, etc., offered to prove that an event occurred.

Network Traffic and Logs

An important source of information in an investigation can be the network activity associated with a device. There can be a lot of useful information in the network logs associated with network infrastructure. The best data would be from live network forensic collection, but this will usually not be available. There are many other sources of network forensic data, including firewall and IDS logs, network flow data, and event logs on key servers and services.

Three Rules Regarding Evidence

An item can become evidence when it is admitted by a judge in a case. These 3 rules guide the use of evidence with regard to its use in court proceedings:
-Best Evidence Rule. Courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or not) has occurred. In some instances, a duplicate can be accepted, such as when the original is lost or destroyed by acts of God or in the normal course of business. A duplicate is also acceptable when a third party beyond the court's subpoena power possesses the original.
-Exclusionary Rule. The 4th Amendment to the US Constitution precludes illegal search and seizure. Therefore, any evidence collected in violation of the 4th Amendment is not admissible as evidence. If no policy exists regarding the company's intent to monitor network traffic or systems electronically and the employee has not acknowledged this policy by signing an agreement, sniffing the employee's network traffic could be a violation of the ECPA.
-Hearsay Rule. Hearsay is secondhand evidence - evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. Typically, computer-generated evidence is considered hearsay evidence because the maker of the evidence (the computer) cannot be interrogated. Logs and headers are becoming exceptions.

Slack Space

Another space that should be reviewed is Slack Space. When a file is saved to a hard drive or other storage medium, the operating system allocates space in blocks of a predefined size, called clusters. Even if your file contains only 10 characters, the operating system will allocate a full cluster - with space left over in the cluster. This is called Slack Space. It is possible for a user to hide malicious code, tools, or clues in slack space, as well as in the free space. You may also find information in slack space from files that previously occupied that same cluster. Therefore, an investigator should review slack space using utilities that can display the information stored in these areas.

Track Man Hours

Demonstrating the efforts and tasks performed in the forensics process may become an issue in court and other proceedings. Having the ability to demonstrate who did what, when they did it, and how long it took can establish that the steps were taken per the processes employed. Having solid accounting data on man hours and other expenses can provide corroborating evidence as to the actions performed.

Device Forensics

Device Forensics is the application of digital forensic principles to devices - mobile phones, tablets, the endless list of devices that comprise the "internet of things", and more. All of the forensic principles still apply and are just as important. What does change is the tools and processes employed to retrieve and analyze the data.

E-Discovery

Electronic discovery, or e-discovery, is the term used for the document and data production requirements that are part of legal discovery in civil litigation. When a civil suit is filed, under court approval, a firm can be compelled to turn over specific data from systems pursuant to the legal issue at hand. Electronic information is considered to be the same as paper documents in some respects and completely different in others. Electronic records can be changed without leaving a trace.

Acquiring Evidence

Evidence can be found on the workstation, business servers, ISP logs, etc. One must do everything possible to prevent damage or loss of evidence. Photographs can be used to document the scene, but the crucial item is the acquisition of digital information. Note: For the CompTIA Security+ exam, remember this: the memory should be dumped, the system should be powered down cleanly, and an image should be made and used as you work. Document your actions, and be able to explain why you did what you did.

Evidence

Evidence consists of the documents, verbal statements, and material objects that are admissible in a court of law. Evidence is critical to convincing management, juries, judges, or other authorities that some kind of violation has occurred. The digital forensic process is a technically demanding one, with no room for errors. The most common cause of evidence from an investigation being excluded from court proceedings is spoliation, the unauthorized alteration of digital evidence. If the forensic process is less than perfect, spoliation is assumed. The best guidance is 1) always perform forensics as if you are going to court with the evidence, and 2) if you do not have qualified digital forensic investigators in-house, do nothing with the media/device - let a professional handle it.

Standards For Evidence

Evidence in US Federal Court cases is governed by a series of legal precedents, the most notable of which is the Daubert Standard. Three US Supreme Court cases articulate the Daubert standard and shape how materials are entered into evidence. Four specific elements are associated with the admission of scientific expert testimony. This is important with respect to digital forensics because the form of the evidence means that it can rarely speak for itself; rather, it must be interpreted by an expert and presented to the court. The first element is that the judge is the gatekeeper. Materials are not considered evidence until declared so by the judge. The second element consists of reliability and relevance. The third element is that expert knowledge should be based on science, specifically science that is based on the scientific method with a replicable methodology. The final element relates to this scientific methodology, stating that it must be based on proven science: subjected to peer review, with a known error rate or potential error rate, and with consensus among the scientific community that the methodology is generally accepted. To be credible, evidence must meet these 3 standards:
1. Sufficient Evidence. It must be convincing or measure up without question.
2. Competent Evidence. It must be legally qualified and reliable.
3. Relevant Evidence. It must be material to the case or have a bearing on the matter at hand.

Identifying Evidence

Evidence must be properly marked as it is collected so that it can be identified as a particular piece of evidence gathered at the scene. Properly label and store evidence, and make sure the labels can't be removed; keep an evidence control log book identifying each piece of evidence (in case the label is removed), the people who discovered it, the case number, the date, time, and location of the discovery, and the reason for collection. Keep a log of all staff hours and expenses. This information should be specific enough for recollection later in court. It is important to log other identifying marks, such as device, make, model, serial number, cable configuration or type, etc. Note any type of damage to the piece of evidence. Do not collect evidence by yourself - have a second person who can serve as a witness to your actions. Keep logs of your actions both during seizure and during analysis and storage. You should never examine a system with the utilities provided by that system. You should always use utilities that have been verified as correct and uncorrupted. Even better, use a forensic workstation, a computer system specifically designed to perform computer forensic activities. Do not open any files or start any applications. If possible, document the current memory and swap files, running processes, and open files. Disconnect the system from the network and immediately contact senior management. Unless you have appropriate forensic training and experience, consider calling in a professional.

Chain of Custody

Evidence, once collected, must be properly controlled to prevent tampering. The chain of custody accounts for all people who handled or had access to the evidence. The chain of custody shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained. The following are the critical steps in a chain of custody:
1) Record each item collected as evidence.
2) Record who collected the evidence, along with the date and time it was collected or recorded.
3) Write a description of the evidence in the documentation.
4) Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected.
5) Record all message digest (hash) values in the documentation.
6) Securely transport the evidence to a protected storage facility.
7) Obtain a signature from the person who accepts the evidence at the storage facility.
8) Provide controls to prevent access to and compromise of the evidence while it is being stored.
9) Securely transport the evidence to court for proceedings.

Record Time Offset

Files and events logged on a computer will have timestamp markings that are based on the clock time on the machine itself. It is a mistake to assume that this clock is accurate. To allow correlation of timestamp data from records inside the computer with any external event, it is necessary to know any time offset between the machine time and the actual time. A common data element needed later in the forensics process is an accurate system time with respect to an accurate external time source. A record time offset is calculated by measuring the system time against an external clock such as a Network Time Protocol (NTP) server. This information can be lost if the system is powered down, so it is best collected while the system is still running.

Forensic Process:

Forensics is the use of scientific methods in the analysis of matters in connection with crime or other legal matters. Because of the connection to law, it is an exacting process, with no room for error. From a high-level point of view, multiple steps are employed in a digital forensic investigation:
1) Identification. Recognize an incident from indicators and determine its type and scope.
2) Preparation. Prepare tools, techniques, and search warrants, and monitor authorizations and management.
3) Approach/Strategy. Dynamically formulate an approach based on potential impact on bystanders and the specific technology in question.
4) Preservation. Isolate, secure, and preserve the state of physical and digital evidence.
5) Collection. Record the physical scene and duplicate digital evidence using standardized and accepted procedures.
6) Examination. In-depth systematic search of evidence relating to the suspected crime.
7) Analysis. Determine significance, reconstruct fragments of data, and draw conclusions based on the elements of evidence found.
8) Presentation. Summarize and provide an explanation of the conclusions.
9) Returning Evidence. Ensure physical and digital property is returned to its proper owner and determine how and what criminal evidence must be removed.
When information or objects are presented to management or admitted to court to support a claim, that information can be considered evidence.

Take Hashes

If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn't modified. In most cases, a tool that implements a hashing algorithm to create message digests is used. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream or file to calculate some number, the hash, that is unique based on the information contained in the data stream or file. If the hash values differ, it means the stream was altered. It is best practice to use SHA-2 until SHA-3 is integrated into tools. The hash tool is applied to each file or log, and the message digest value is noted in the investigation documentation.

Message Digest and Hash:

If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn't modified. In most cases, a tool that implements a hashing algorithm to create message digests is used. The hash tool is applied to each file or log, and the message digest value is noted in the investigation documentation. It is a good practice to write the logs to write-once media such as a CD-ROM. When the case actually goes to trial, the investigator may need to run the tool on the files or logs again to show that they have not been altered in any way since being obtained.

Capture System Image

Imaging or dumping the physical memory of a computer system can help identify evidence not available on a hard drive. This is especially appropriate for rootkits, where evidence on the hard drive is hard to find. Once the memory is dumped, you can use a hex editor to analyze the image offline on another system (memory dumping tools and hex editors are available on the internet). Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If a case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memory is acceptable; otherwise, the defendant will easily be able to dispute the claim that evidence was not tampered with. The other system image is that of the internal storage devices. Making forensic duplicates of all partitions is a key step in preserving evidence. A forensic copy is a bit-by-bit copy and has supporting integrity checks in the form of hashes. The proper practice is to use a write blocker when making a forensic copy of a drive. This device allows a disk to be read but prevents any write actions to the drive, guaranteeing that the copy operation does not change the original media.

Evidence Control Mental Checklist:

Keep these questions in mind as you collect evidence:
-Who collected the evidence?
-How was it collected?
-Where was it collected?
-Who has had possession of the evidence?
-How was it protected and stored?
-When was it removed from storage? Why? Who took possession?

Linux Metadata

Linux systems have their own sets of artifacts. From a forensics perspective, Linux systems differ from Windows systems in these 3 main ways:
-No Registry. Program data is stored in scattered locations.
-Different File System. A multitude of different file systems are used, each with different attributes.
-Plaintext Abounds. Files and data tend to be in plaintext, which impacts searching.
The lack of a registry to hold system and program information does not mean that the information is not there; it just means it is distributed. The same is true of file system structures: instead of NTFS and FAT, Linux comes with a whole host of different forms. Each of these has quirks, such as the absence of file creation dates in many of them and the zeroing of metadata when files are deleted, which result in forensic challenges. When it comes to performing forensics on a Linux system, the value of a good sysadmin cannot be understated. Much of the activity on a Linux system is scattered to various local locations, and a good sysadmin can assist in locating and recovering the essential elements for analysis. This is not a license for a sysadmin to begin performing forensic activities! The same rules and procedural requirements listed earlier still apply, and in most cases this requires the use of a forensically trained professional.

Windows Metadata

Microsoft Windows based systems have a wide range of artifacts with forensic value. Before examining some of these artifacts, it is important to understand why they exist. The vast majority of artifacts exist for the purpose of improving the user experience. Tracking what users do and have done and making that information available to the operating system to improve future use is one of the primary reasons for the information; its forensic value is secondary.

Network Forensics

Network Forensics consists of capturing, recording, and analyzing network events to discover the source of network problems or security incidents. Examining networks in a forensic fashion introduces several challenges. First is scale. The scale of the network is related to the number of nodes and the speed of traffic. Second is the issue of volume. Packet capture is not technically difficult, but it can necessitate large quantities of storage. And although storage is relatively cheap, large numbers of packets can be difficult to sort through and analyze. Because of these issues, network forensics becomes an issue of specificity; if you know what target and what protocols you are looking for, you can selectively capture and analyze the traffic for those segments and have data that is useful. But therein lies the other challenge. Network data is temporal. It exists while the packet is in transit, and then it is gone, forever. Metadata such as NetFlow data can provide some information, but it does not contain any content of the data being transmitted. The same rules apply to network forensics as apply to all other forensic collection efforts. Preserving the integrity of data is paramount, and maintaining control over the data is always a challenge.

Screenshots

Particular attention should be paid to the state of what is on the screen at the time of evidence collection. Taking screenshots, using a digital camera or video camera, can provide documentation as to what was on the screen at the time of collection. Because you cannot trust the system internals themselves to be free of tampering, do not use internal screenshot capture methods.

Partitions

Physical storage devices can be divided into a series of containers; each of these containers is called a partition. A partition is a logical storage unit that is subsequently used by an operating system. Systems can have multiple partitions for a wide variety of reasons, ranging from hosting multiple operating systems to performance-maximizing efforts to protection efforts.

Transporting the Evidence

Properly log all evidence in and out of the controlled storage. Use proper packing techniques, such as placing components in static-free bags, using foam packing material, and using cardboard boxes. Be especially cautious while transporting evidence to ensure custody of the evidence is maintained and the evidence isn't damaged or tampered with.

Witness Interviews

Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked "did you lock the file system" and can't answer affirmatively.

Free Space

Since a deleted file is not actually completely erased or overwritten, it sits on the hard disk until the operating system needs to use that space for another file or application. Sometimes the second file that is saved in the same area does not occupy as many clusters as the first file, so a fragment of the original file is left over. The cluster that holds the fragment of the original file is referred to as free space because the operating system has marked it as usable when needed. As soon as the operating system places something else in this cluster, it is considered allocated. The unallocated clusters still contain the original data until the operating system overwrites them. Looking at the free space might reveal information left over from files the user thought were deleted from the drive.

Streams

Streams is a short name for alternate data streams, a specific data structure associated with NTFS in Windows. The normal location for data in an NTFS-based system is in the data stream, a location identified by a record in the Master File Table (MFT) called $DATA:, which is technically an unnamed data stream. Alternate data streams have names and are identified by $DATA:streamname, where streamname is the name of the stream being used. Streams can be used to hide information; although the information is still present, most of the normal file utilities do not deal with streams, so it will not be seen.

SSD Forensics

The advent of solid state drives brings substantial improvements in performance. It also brings new issues with respect to forensics.

Order Of Volatility

There are many sources of data in a computer system, and if the machine is running, some of these sources can be volatile. Things such as the state of the CPU and its registers are always changing, as are memory and even storage. The following is the order of volatility of digital information in a system:
1) CPU, cache, and register contents (collect first)
2) Routing tables, ARP cache, process tables, kernel statistics
3) Live network connections and data flows
4) Memory (RAM)
5) Temporary file system/swap space
6) Data on hard disk
7) Remotely logged data
8) Data stored on archival media/backups (collect last)
When collecting digital evidence, it is important to use the proper techniques and tools. Some of the key tasks are using write blockers when making forensic copies, hashing and verifying hash matches, documenting, handling, and storage, and protecting media from environmental change factors. Of particular note is that the data present on a system can be a function of both the file system and the hardware being employed. A physical hard disk drive will persist data longer than a solid state drive. Additionally, the newer file systems with journaling and shadow systems such as File Allocation Table (FAT) systems. Raw disk blocks can be recovered in some file systems long after the data has been rewritten or erased because of the nature of how the file systems manage the data. (This is why it is important to zero wipe/low level wipe/reformat the drive several times - 3 at a minimum.)

Hidden Files

There are numerous ways to hide data on a system. One method is to hide files by setting the hidden attribute, which limits the listing of them by standard file utilities. Devised so that system files that should not be directly manipulated are hidden from easy view, this concept raises a broader question with respect to forensics: how can a user hide information from accessibility? There is a wide range of methods of hiding files, and any attempt to list them would be long and subject to continual change. The major ones typically encountered include changing a file extension, encryption, data streams, and storage on other partitions. Encrypted data, by its very nature, is hidden from view. Without the key, modern encryption methods resist any brute force attempts to determine the contents. It is important to find encrypted data stores and document the locations for later use by legal counsel. Changing a file's extension does not actually alter the contents or usability of a file. It merely breaks the automated runtime association manager that determines what executable is associated with the file type to properly handle it. The term Magic Number describes a series of digits near the beginning of the file that provides information about the file format. It can be seen with a hex editor.

Cleanup: Possible Remediation Actions After an Attack

These are things you'll need to do to restore your system after you've responded to an incident and completed your investigation:
-Place the system behind a firewall
-Reload the OS
-Run scanners
-Install security software
-Remove unneeded services
-Apply patches
-Restore the system from backups

File Systems

When a user deletes a file, the file is not actually deleted. Instead, a pointer in a file allocation table is deleted. This pointer was used by the operating system to track down the file when it was referenced, and the act of "deleting" the file merely removes the pointer and marks the cluster (or clusters) holding the file as available for the operating system to use. The actual data originally stored on the disk remains on the disk (until that space is used again); it just isn't recognized as a coherent file by the operating system.

Forensics based drive imaging

When a forensic investigation on a series of computers is needed to determine facts in a computer investigation, a variety of methods can be used to discover and recover the evidence. For example, if a developer group is being investigated, the investigator could look at each machine and find the specific evidence that is being sought. The problem with this approach is that in the process of this investigation, the other developers in the area become aware and have a chance to destroy critical evidence. For this reason, and to minimize disruption to a team, many times the investigation begins with a large-scale duplication effort. The steps are remarkably simple and well practiced by many investigative firms, as shown here:
1) Document the scope of the machines being investigated, noting the number of drives and their sizes.
2) Send in a team after hours to do the duplication.
3) Open each machine, disconnect the hard drives, and attach external cables.
4) Duplicate each drive using a forensic duplication procedure that makes a complete image of the hard drive on a separate media source.
5) Reassemble the machines, leaving no evidence that the duplication was performed.
The forensic images are then examined one by one at a later time, away from inquisitive and prying eyes.
Notes: The number of files stored on today's hard drives can be large, literally hundreds of thousands of files. Obviously, this is far too many for the investigator to directly analyze. However, by matching the message digests for files installed by the most popular software products to the message digests of the files on the drive being analyzed, the investigator can avoid analyzing approximately 90% of the files because he can assume that they are unmodified. The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles into a reference data set available for download as a service. See www.nsrl.nist.gov

Conducting the Investigation

When analyzing computer storage components, you must use extreme caution. A copy of the system should be analyzed - never the original system, because that will have to serve as evidence. A system specially designed for forensic examination, known as a forensic workstation, can be used. Forensic workstations typically contain hard drive bays, write blockers, analysis software, and other devices to safely image and protect computer forensic data. Analysis should be done in a controlled environment with physical security and controlled access.

Protecting Evidence

When information or objects are presented to management or admitted to support a claim, that information or those objects can be considered as evidence or documentation supporting your investigative efforts. Senior management will ask a lot of questions, including second- and third-order questions, that you need to be able to answer quickly. Likewise, in a court, credibility is critical. Therefore, evidence must be properly acquired, identified, protected against tampering, transported, and stored. Digital evidence has one huge glaring issue: it can change and not leave a record of the change. From the initial step in the forensic process, the most important issue must always be the preservation of the data. There are several key steps that assist the forensic investigator in avoiding data spoilage. First, when data is collected, a solid chain of custody is maintained until the case is completed and the materials are released or destroyed. Second, when a forensic copy of the data is obtained, a hash is collected as well to allow for the verification of integrity. All analysis is done on forensic copies of the original data collection, not the master copy itself. And each copy is verified before and after testing with hash values compared to the original set to demonstrate integrity. Protect evidence from electromagnetic or mechanical damage. Ensure that evidence is not tampered with, damaged, or compromised by the procedures used during the investigation. This helps avoid potential liability problems later. Protect evidence from extremes in heat and cold, humidity, water, magnetic fields, and vibration. Use static-free evidence protection gloves as opposed to standard latex gloves. Seal the evidence in a proper container with evidence tape, and mark it with your initials, date, and case number. For example, if a mobile phone with advanced capabilities is seized, it should be properly secured in a hard container designed to prevent accidentally pressing keys during transit and storage.
If the phone is to remain turned on for analysis, radio frequency isolation bags that attenuate the device's radio signal should be used. This will prevent remote wiping, locking, or disabling of the device. This process adds a lot of work and time to an investigation, but it yields one crucial element: repudiation of any claim that the data was changed/tampered/damaged in any way. Should a hash value vary, the action is simple: discard the copy, make a new copy, and begin again. This process shows the courts 2 key things: process rigor to protect the integrity of the data, and traceability via hash values to demonstrate the integrity of the data and the analysis results derived from the data.

Active Logging

When you have an idea of what information you will want to examine, you can make an active logging plan that ensures the information is logged when it occurs and, if at all possible, is logged in a location that prevents alteration. Active logging is determined during the preparation phase, and when it comes time for recovery, the advance planning pays off in the production of evidence.

Windows USB Analysis:

Windows records a wide array of information on each USB device used in the system, including the following:
-Vendor/make/version and possibly unique serial number
-Volume name and serial number
-Last drive letter assigned
-MountPoints2, a registry entry that stores the last drive mapping per user
-Username that used the USB device
-Time of first USB device connection
-Time of last USB device connection
-Time of last USB device removal

Forensics

Forensics relates to the application of scientific knowledge to legal problems. Specifically, computer forensics involves the preservation, identification, documentation, and interpretation of computer data. Forensics is often associated with incident response, which is the procedure used to respond to an abnormal condition in a system. Incident response is about corrective action - returning the system to a normal state - whereas forensics is about figuring out what happened.

Tools of the Trade:

The following are the tools of the forensic trade:
-Disk wipe utilities. Tools to completely delete files and overwrite contents.
-File viewers. Text and image viewers.
-Forensic workstation. Specialized workstations containing hardware, software, and component interface capabilities to perform computer forensic activities.
-Hard drive tools. Partition viewing utilities, bootable CDs.
-Unerase tools. Tools to reverse file deletions.
One of the key elements to preserving the chain of custody, protecting evidence, and having copies of data for analysis is the concept of digital forensic duplication of data. A digital forensic copy is a carefully controlled copy that has every bit the same as the original. Not just files, but all data structures associated with the device, including unused space, are copied in a digital forensic image copy, every bit, bit by bit. Making this type of copy is not something that is done with normal file utilities; specialty programs are required.
Notes: Never analyze the seized system directly. Always make multiple images of the device and analyze a copy. When conducting a digital forensic investigation, consider local laws. Many states require that independent investigations be conducted by licensed private investigators. If you are working as an analyst on in-house systems, the laws may have different levels of applicability. Before consulting, it is best to investigate the need for a license. It is also important not to interface with the digital media using the host system, because all file systems both read and write to the storage media as part of their normal operation, altering the media. This type of alteration changes information, potentially damaging the trace evidence needed in the investigation. For this reason, a write blocker is commonly used to connect the media to the investigator's computer.
It is common for forensic duplicator devices to have additional features to assist an investigator, such as making multiple copies at once and calculating the hash values for the device and the duplicate. Capturing the hash values for all items is an essential first step in handling any digital evidence.
