04-14-2005, 06:17 AM
<b>COMPUTER FORENSICS.</b>
With acknowledgement to the FCA YAHOO group
This article will examine some of the main issues relating to computer
forensics. It is aimed at the investigator or investigations manager
who has a need to understand the basics quickly and who does not
necessarily have much direct experience of, or exposure to, computer
forensics. We have attempted to write in a non-technical way, but
technical terms have been explained where relevant.
What is Computer Forensics?
The first thing to discuss is what exactly we mean by computer
forensics. It is the science of recovering and analysing data stored
electronically in a way that can be relied upon for the purposes of
litigation or other proceedings. At the heart of computer forensics is
the process of taking a "mirror image" of the storage media (usually
known as disk imaging). The disk in question can be anything from that
of a laptop to a server. The differences are of scale, which adds to
the complexity of the procedure and the time that imaging, processing
and analysis take. Forensic analysis can also take place on whole
systems, but this is the subject for another article.
Uses and benefits
Next we should consider in what circumstances computer forensic
techniques might be employed. In all areas of criminal and civil
litigation, employee disputes and fraud and insolvency investigations
is the answer. Wherever a computer might contain evidence or
information relevant to the enquiry it should examined forensically.
The benefits are that whole of the storage media is copied, there is no
interference with the original, information hidden to the ordinary used
can be retrieved and the whole disk can be effectively and efficiently
analysed. Furthermore, the results can be presented in litigation.
How does it work?
There are three distinct steps
Taking the image
Processing the image
Analysing the processed image
Imaging
In simple terms, a device is attached to one of the communications
ports of the target computer (usually the parallel or scsi port) and
this device records a complete copy of the electronic storage media
inside the computer. In some cases the hard disk is removed from the
computer housing. Every part of the media is copied so that what is
obtained is a complete byte-by-byte copy with nothing added and nothing
taken away. This last point is very important because it is essential
that there is no interference with the disk by the investigator.
The copy can be to digital tape or to another hard disk of equal or
greater capacity than the disk being imaged. The expanding size of hard
disks and the amounts of data stored, even on modest personal computer,
raises continual challenges for the investigator.
The imaging process leaves no trace on the target computer, whereas
just the act of starting up a computer and loading an operating system
(such as WindowsT) changes a whole series of dates and times.
Processing
Once imaging is complete, the image should be processed to recover
deleted and partially overwritten files and to process the current
files and folders so that they appear as they would have done on the
target computer.
Whilst on this subject, it is worth explaining why computers do not (in
general) delete files when the delete command is given. At the
beginning of a hard disk is an index of the locations of all the files
on the disk. This index, known as the file allocation table, tells the
operating system on which parts of the disk a file may be found. When
the user asks to see the file, the identifier of the top of the file is
accessed on the disk by reference to the file allocation table.
When a file is "deleted" from an application or explorer command, all
that happens is the file's entry in the table is removed so that the
computer can no longer access that file. The computer also understands
that the disk space occupied by that file is now available to be
overwritten.
Of course, there are programmes that will delete and recursively
overwrite files but, in our experience, these are not widely or
properly used. From a security standpoint, if you need to destroy
highly sensitive data, physical destruction of the hard disk is the
only guaranteed way.
The recovery of deleted files is a straightforward process and can be
very important. The analysis described below automatically includes
deleted files.
Analysis
After processing comes analysis and this is where the investigators
skill and technique are demonstrated.
Analysis all depends on the care with which the image is investigated.
Some of the steps in examining a typical hard disk image would be
never examine an original
key word searches based on the information already available to the
investigator e.g. example, names of people, companies, bank account
numbers and addresses can all be searched for (the more unique the
better)
examination of the personal folders and "my documents" folders for any
files that may be kept there - it is surprising that fraudsters are not
more creative in their hiding places for incriminating evidence; many
still allow documents to be saved to default folders
a look at the recent documents folder to see if there are any
interesting file names to which the links have been broken, possibly
indicating recent deletion
examination of the Internet history file and temporary Internet files -
these can often be very revealing; they are a kind of audit trail of
the user's journey around the Internet
examination of the user's cookies files for more information about
sites visited
if the case involves allegations of internet pornography, then a search
for graphics files (e.g. .gif, .bmp or .jpg extensions) can be
revealing
analysis of the email file
breaking passwords on protected files
circumnavigating encryption that has not been used properly
analysis of the calendar and contacts file
It is essential that proper contemporaneous written records be made of
the complete process from image to analysis so that any third party can
clearly see what has been done.
What sort of things can be discovered?
Here follow a few examples of evidence and information found during
analysis of disk images
duplicate accounts indicating large scale fraud
deleted pornographic images and cookies proving a senior IT engineer
had been using his employer's computer contrary to the companies
policies; this resulted in his resignation prior to formal disciplinary
proceedings
contact and calendar entries showing previously undisclosed links to
third parties
files demonstrating the unauthorised possession of confidential
information
email correspondence indicating a conspiracy
stolen data/intellectual property
dates and times of key events
deleted words and paragraphs from MS WordT documents
Some dos and don'ts
If you are confronted with an investigation where computers may need to
be forensically examined here are some important points to bear in
mind. Computer evidence or data is fundamentally different from, say,
paper evidence. Just the act of turning on a computer can change a
whole series of dates and times and invalidate its use in a court or
tribunal. Therefore, a few basic principles need to be followed when
dealing with potentially valuable computer evidence.
Do
Fully assess the situation before taking any action
Isolate the computer so that it cannot be tampered with
Consider securing all relevant logs (e.g. Internet logs, Server logs,
Building access logs, etc.) and any CCTV footage, at the earliest
opportunity
Record where the computer is based and all who had access to it
Call in IT Security staff or external consultants as appropriate
Then ask the relevant expert to
Disconnect the relevant computers from your network
Restrict remote access
Take an "image" copy of the computer (or server as appropriate)
Don't
Alert any of the potential suspects
Call in your own IT Support staff (they often change evidence
inadvertently)
Move the computer if it is switched on
Turn off the computer if it is turned on
Turn on the computer if it is switched off
Make file copies of the computer
Examine electronic logs without first ensuring that they are preserved
elsewhere.
With acknowledgement to the FCA YAHOO group
This article will examine some of the main issues relating to computer
forensics. It is aimed at the investigator or investigations manager
who has a need to understand the basics quickly and who does not
necessarily have much direct experience of, or exposure to, computer
forensics. We have attempted to write in a non-technical way, but
technical terms have been explained where relevant.
What is Computer Forensics?
The first thing to discuss is what exactly we mean by computer
forensics. It is the science of recovering and analysing data stored
electronically in a way that can be relied upon for the purposes of
litigation or other proceedings. At the heart of computer forensics is
the process of taking a "mirror image" of the storage media (usually
known as disk imaging). The disk in question can be anything from that
of a laptop to a server. The differences are of scale, which adds to
the complexity of the procedure and the time that imaging, processing
and analysis take. Forensic analysis can also take place on whole
systems, but this is the subject for another article.
Uses and benefits
Next we should consider in what circumstances computer forensic
techniques might be employed. In all areas of criminal and civil
litigation, employee disputes and fraud and insolvency investigations
is the answer. Wherever a computer might contain evidence or
information relevant to the enquiry it should examined forensically.
The benefits are that whole of the storage media is copied, there is no
interference with the original, information hidden to the ordinary used
can be retrieved and the whole disk can be effectively and efficiently
analysed. Furthermore, the results can be presented in litigation.
How does it work?
There are three distinct steps
Taking the image
Processing the image
Analysing the processed image
Imaging
In simple terms, a device is attached to one of the communications
ports of the target computer (usually the parallel or scsi port) and
this device records a complete copy of the electronic storage media
inside the computer. In some cases the hard disk is removed from the
computer housing. Every part of the media is copied so that what is
obtained is a complete byte-by-byte copy with nothing added and nothing
taken away. This last point is very important because it is essential
that there is no interference with the disk by the investigator.
The copy can be to digital tape or to another hard disk of equal or
greater capacity than the disk being imaged. The expanding size of hard
disks and the amounts of data stored, even on modest personal computer,
raises continual challenges for the investigator.
The imaging process leaves no trace on the target computer, whereas
just the act of starting up a computer and loading an operating system
(such as WindowsT) changes a whole series of dates and times.
Processing
Once imaging is complete, the image should be processed to recover
deleted and partially overwritten files and to process the current
files and folders so that they appear as they would have done on the
target computer.
Whilst on this subject, it is worth explaining why computers do not (in
general) delete files when the delete command is given. At the
beginning of a hard disk is an index of the locations of all the files
on the disk. This index, known as the file allocation table, tells the
operating system on which parts of the disk a file may be found. When
the user asks to see the file, the identifier of the top of the file is
accessed on the disk by reference to the file allocation table.
When a file is "deleted" from an application or explorer command, all
that happens is the file's entry in the table is removed so that the
computer can no longer access that file. The computer also understands
that the disk space occupied by that file is now available to be
overwritten.
Of course, there are programmes that will delete and recursively
overwrite files but, in our experience, these are not widely or
properly used. From a security standpoint, if you need to destroy
highly sensitive data, physical destruction of the hard disk is the
only guaranteed way.
The recovery of deleted files is a straightforward process and can be
very important. The analysis described below automatically includes
deleted files.
Analysis
After processing comes analysis and this is where the investigators
skill and technique are demonstrated.
Analysis all depends on the care with which the image is investigated.
Some of the steps in examining a typical hard disk image would be
never examine an original
key word searches based on the information already available to the
investigator e.g. example, names of people, companies, bank account
numbers and addresses can all be searched for (the more unique the
better)
examination of the personal folders and "my documents" folders for any
files that may be kept there - it is surprising that fraudsters are not
more creative in their hiding places for incriminating evidence; many
still allow documents to be saved to default folders
a look at the recent documents folder to see if there are any
interesting file names to which the links have been broken, possibly
indicating recent deletion
examination of the Internet history file and temporary Internet files -
these can often be very revealing; they are a kind of audit trail of
the user's journey around the Internet
examination of the user's cookies files for more information about
sites visited
if the case involves allegations of internet pornography, then a search
for graphics files (e.g. .gif, .bmp or .jpg extensions) can be
revealing
analysis of the email file
breaking passwords on protected files
circumnavigating encryption that has not been used properly
analysis of the calendar and contacts file
It is essential that proper contemporaneous written records be made of
the complete process from image to analysis so that any third party can
clearly see what has been done.
What sort of things can be discovered?
Here follow a few examples of evidence and information found during
analysis of disk images
duplicate accounts indicating large scale fraud
deleted pornographic images and cookies proving a senior IT engineer
had been using his employer's computer contrary to the companies
policies; this resulted in his resignation prior to formal disciplinary
proceedings
contact and calendar entries showing previously undisclosed links to
third parties
files demonstrating the unauthorised possession of confidential
information
email correspondence indicating a conspiracy
stolen data/intellectual property
dates and times of key events
deleted words and paragraphs from MS WordT documents
Some dos and don'ts
If you are confronted with an investigation where computers may need to
be forensically examined here are some important points to bear in
mind. Computer evidence or data is fundamentally different from, say,
paper evidence. Just the act of turning on a computer can change a
whole series of dates and times and invalidate its use in a court or
tribunal. Therefore, a few basic principles need to be followed when
dealing with potentially valuable computer evidence.
Do
Fully assess the situation before taking any action
Isolate the computer so that it cannot be tampered with
Consider securing all relevant logs (e.g. Internet logs, Server logs,
Building access logs, etc.) and any CCTV footage, at the earliest
opportunity
Record where the computer is based and all who had access to it
Call in IT Security staff or external consultants as appropriate
Then ask the relevant expert to
Disconnect the relevant computers from your network
Restrict remote access
Take an "image" copy of the computer (or server as appropriate)
Don't
Alert any of the potential suspects
Call in your own IT Support staff (they often change evidence
inadvertently)
Move the computer if it is switched on
Turn off the computer if it is turned on
Turn on the computer if it is switched off
Make file copies of the computer
Examine electronic logs without first ensuring that they are preserved
elsewhere.
]FORENSIC AUDITING[