Toriality's Blog

COMPUTER FORENSICS - 02

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 02

SOURCES: INFOSECINSTITUTE.COM

AN INTRODUCTION TO COMPUTER FORENSICS:

INTRODUCTION:

One of the biggest threats facing businesses and corporations today is that of Cyber-attacks. If these are large enough in scale and magnitude, they could even be considered an act of Cyber terrorism, in which a significant impact is felt both in cost and in human emotion. Whenever something like this occurs, two of the most common questions that get asked are:

  1. How did it happen?
  2. How can this be prevented from happening again in the future?

    Obviously, there are no easy answers to this, and depending on the severity of the Cyber-attack, it could take weeks and even months to determine the answers to these two questions. The latter can be answered by conducting various in-depth penetration testing exercises.

    As for the former, any remnants of the Cyber-attack and any evidence left behind at the scene need to be collected very carefully and examined. It is from this point onwards that the questions of "who, what, where, when and why" can be answered by the forensics examiners and investigators.

    A DEFINITION OF COMPUTER FORENSICS AND ITS IMPORTANCE:

    "It is the element that combines the elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law"

    LATENT DATA:

    In the Cybersecurity world, this kind of data (also called "ambient data") is not easily seen or accessible upon first glance at the scene of a Cyber-attack. In other words, it takes a much deeper level of investigation by the computer forensics expert to unearth it.

    Obviously, this data has many uses, but it was implemented in such a way that access to it has been extremely limited.

    Examples of Latent Data include:

    1. Information which is in computer storage but is not readily referenced in the file allocation tables;

    2. Information which cannot be viewed readily by the operating system or commonly used software applications;

    3. Data which has been purposely deleted and is now located in:

      • Unallocated space on the hard drive;
      • Swap files;
      • Print spooler files;
      • Memory dumps;
      • The slack space between the existing files and the temporary cache
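The list above is easier to picture with a concrete image. The following is an added example, not code from the original post or from infosecinstitute.com: it constructs a tiny raw "disk image" in memory with a toy file table (the `name,first_cluster,length` format, the 512-byte cluster size and the `-----BEGIN NOTE-----` signature are all assumptions made for the example), leaves one deleted file's bytes in an unallocated cluster and the tail of an overwritten file in the slack space of a live file, then carves every signature back out of the raw bytes and labels where each one lives. Nothing in the file table points at the two recovered notes, which is exactly why this data is "latent".

```python
import re

CLUSTER = 512  # constructed cluster size for the toy image (real filesystems differ)

NOTE_RE = re.compile(rb"-----BEGIN NOTE-----\n(.*?)\n-----END NOTE-----", re.S)


def note(text):
    """Wrap constructed text in a recognisable signature so it can be carved later."""
    return b"-----BEGIN NOTE-----\n" + text + b"\n-----END NOTE-----\n"


def build_image():
    """Construct an 8-cluster raw image. Cluster 0 holds a toy 'file table'
    (one 'name,first_cluster,length' line per file) that lists only live files A and B."""
    img = bytearray(CLUSTER * 8)
    table = b"A,1,1024\nB,4,100\n"
    img[0:len(table)] = table
    # File A: allocated, spans clusters 1-2, begins with a note.
    img[1 * CLUSTER:3 * CLUSTER] = (note(b"allocated memo") + b"A" * 1024)[:1024]
    # A deleted file: its table entry is gone, but its bytes remain in cluster 3.
    deleted = note(b"constructed deleted memo")
    img[3 * CLUSTER:3 * CLUSTER + len(deleted)] = deleted
    # File B: 100 bytes at the start of cluster 4. The rest of that cluster still
    # holds the tail of an earlier file, i.e. file slack.
    img[4 * CLUSTER:4 * CLUSTER + 100] = b"B" * 100
    tail = note(b"slack memo")
    img[4 * CLUSTER + 100:4 * CLUSTER + 100 + len(tail)] = tail
    return bytes(img)


def parse_table(img):
    """Return {name: (first_cluster, length)} from the constructed table in cluster 0."""
    text = img[:CLUSTER].rstrip(b"\x00").decode()
    entries = {}
    for line in text.splitlines():
        name, first, length = line.split(",")
        entries[name] = (int(first), int(length))
    return entries


def classify(img, offset):
    """Label an offset as 'allocated' (inside a live file), 'slack' (in a live
    file's last cluster but past its logical end) or 'unallocated' (no table
    entry covers the cluster at all)."""
    cluster = offset // CLUSTER
    for first, length in parse_table(img).values():
        nclusters = -(-length // CLUSTER)  # ceiling division
        if first <= cluster < first + nclusters:
            logical_end = first * CLUSTER + length
            return "slack" if offset >= logical_end else "allocated"
    return "unallocated"


def carve_notes(img):
    """Signature-carve every note in the raw bytes, ignoring the file table,
    and report (offset, region, text) for each hit."""
    return [(m.start(), classify(img, m.start()), m.group(1).decode())
            for m in NOTE_RE.finditer(img)]


if __name__ == "__main__":
    image = build_image()
    print("file table:", parse_table(image))
    for offset, region, text in carve_notes(image):
        print(f"offset {offset:5d} [{region:11s}] {text}")
```

Only the note at offset 512 belongs to a file the operating system would show; the other two are recovered purely by scanning the medium, which is the kind of work the "deeper level of investigation" above refers to.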

    STEPS INVOLVED IN CONDUCTING A COMPUTER FORENSICS CASE:

    READINESS:

    This first part ensures that the forensics investigator/examiner and his or her respective team is always prepared to take on an investigation at literally a moment's notice. This involves:

    • Making sure that everybody has been trained in the latest computer forensic research techniques;

    • Being aware of any legal ramifications when it comes time to visit the scene of the Cyber-attack;

    • Planning ahead as best as possible for any unexpected technical/non-technical issues at the victim's place of business;

    • Ensuring that all collection and testing equipment are up to speed and ready to go.

    EVALUATION:

    At this stage, the computer forensics team receives their instructions about the Cyber-attack they are going to investigate. This involves the following:

    • The allocation/assignment of roles and resources which will be devoted throughout the course of the entire investigation;

    • Any known facts, details or particulars about the Cyber-attack which has just transpired;

    • The identification of any known risks during the course of the investigation.

    COLLECTION:

    This component is divided into two distinct sub-phases:

    ACQUISITION:

    This involves the actual collection of the evidence and the latent data from the computer systems and any other parts of the business or corporation which may also have been impacted by the Cyber-attack. Obviously there are many tools and techniques which can be used to collect this information, but at a very high level, this sub-phase typically involves the identification and securing of the infected devices, as well as conducting any necessary face-to-face interviews with the IT staff of the targeted entity. Typically, this sub-phase is conducted on site.

    COLLECTION:

    This is the part where the actual physical evidence and any storage devices which are used to capture the latent data are labeled and sealed in tamper resistant bags. These are then transported to the forensics laboratory where they will be examined in much greater detail. As described before, the chain of custody starts to become a critical component at this stage.

    ANALYSIS:

    This part of the computer forensics investigation is just as important as the previous step. It is here where all of the collected evidence and the latent data are researched in excruciating detail to determine how and where the Cyber-attack originated from, who the perpetrators are, and how this type of incident can be prevented from entering the defense perimeters of the business or corporation in the future. Once again, there are many tools and techniques which can be used at this phase, but the analysis must meet the following criteria:

    • It must be accurate;

    • Every step must be documented and recorded;

    • It must be unbiased and impartial;

    • As far as possible, it must be completed within the anticipated time frames and the resources which have been allocated to accomplish the various analysis functions and tasks;

    • The tools and techniques which were used to conduct the actual analyses must be justifiable by the forensics team.

    PRESENTATION:

    Once the analyses have been completed, a summary of the findings is then presented to the IT staff of the entity which was impacted by the Cyber-attack. Probably one of the most important components of this particular document is the recommendations and strategies which should be undertaken to mitigate any future risks from potential Cyber-attacks.

    Also, a separate document is composed which presents these same findings to a court of law in which the forensics evidence is being presented.

CHAIN OF CUSTODY IN COMPUTER FORENSICS:

WHAT IS IT?:

The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer and analysis. It also documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

WHY IS IT IMPORTANT?:

To preserve the integrity of the evidence and prevent contamination, which can alter the state of the evidence. If not preserved, the evidence presented in court might be challenged and ruled inadmissible.

IMPORTANCE TO THE EXAMINER:

Suppose that, as the examiner, you obtain metadata for a piece of evidence. However, you are unable to extract meaningful information from it. The fact that there is no meaningful information within the metadata does not mean that the evidence is insufficient. The chain of custody in this case helps show where the possible evidence might lie, where it came from, who created it, and the type of equipment that was used. That way, if you want to create an exemplar, you can get that equipment, create the exemplar, and compare it to the evidence to confirm the evidence properties.

IMPORTANCE TO THE COURT:

It is possible to have the evidence presented in court dismissed if there is a missing link in the chain of custody. It is therefore important to ensure that a complete and meaningful chain of custody is presented along with the evidence at the court.

THE PROCEDURE TO ESTABLISH THE CHAIN OF CUSTODY:

In order to ensure that the chain of custody is as authentic as possible, a series of steps must be followed. It is important to note that the more information a forensic expert obtains concerning the evidence at hand, the more authentic the resulting chain of custody is. Due to this, it is important to obtain administrative information about the evidence: for instance, the administrative log, date and file info, and who accessed the files.

You should ensure the following procedure is followed according to the chain of custody:
    - SAVE THE ORIGINAL MATERIALS:
    
        You should always work on copies of the digital evidence as opposed to the original. This ensures that you are able to compare your work products to the original that you preserved unmodified.
        
    - TAKE PHOTOS OF PHYSICAL EVIDENCE:
    
        Photos of physical (electronic) evidence establish the chain of custody and make it more authentic.
        
    - TAKE SCREENSHOTS OF DIGITAL EVIDENCE CONTENT:
    
        In cases where the evidence is intangible, taking screenshots is an effective way of establishing the chain of custody.
        
    - DOCUMENT DATE, TIME, AND ANY OTHER INFORMATION OF RECEIPT:
    
        Recording the timestamps of whoever has had the evidence allows investigators to build a reliable timeline of where the evidence was prior to being obtained. In the event that there is a hole in the timeline, further investigation may be necessary.
        
    - INJECT A BIT-FOR-BIT CLONE OF DIGITAL EVIDENCE CONTENT INTO OUR FORENSIC COMPUTERS:
    
        This ensures that we obtain a complete duplicate of the digital evidence in question.
        
    - PERFORM A HASH TEST ANALYSIS TO FURTHER AUTHENTICATE THE WORKING CLONE:
    
        Performing a hash test ensures that the data we obtain from the previous bit-for-bit copy procedure is not corrupt and reflects the true nature of the original evidence. If this is not the case, then the forensic analysis may be flawed and may result in problems, thus rendering the copy non-authentic.
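The last three steps (the bit-for-bit clone, the hash test, and the record of who had the evidence and when) fit together in a small program. The following is an added example written for these notes; it is not code from the original post or from infosecinstitute.com. The evidence bytes, item identifiers, handler names and timestamps are all constructed, and the `CustodyLog` class and its `problems()` check are this example's own design: it treats the SHA-256 of the content at collection time as the baseline and flags any later entry whose hash differs, whose timestamp runs backwards, or whose handler is not the person the previous entry handed the item to.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    """Fingerprint used to compare evidence content before and after imaging."""
    return hashlib.sha256(data).hexdigest()


def bit_for_bit_clone(source):
    """Model of an imaging pass: every byte is copied, including zeros,
    unallocated regions and slack, not just the files a filesystem lists."""
    return bytes(bytearray(source))


class CustodyLog:
    """One record per handling event: when, who, what was done, who the item
    was handed to and why, plus the content hash observed at that point."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, when, handler, action, content_hash, handed_to=None, purpose=""):
        self.entries.append({
            "item": self.item_id, "when": when, "handler": handler,
            "action": action, "hash": content_hash,
            "handed_to": handed_to, "purpose": purpose,
        })

    def problems(self):
        """Return the gaps an examiner would have to explain in court;
        an empty list means the chain is unbroken."""
        if not self.entries:
            return ["no entries"]
        issues = []
        baseline = self.entries[0]["hash"]
        for i, e in enumerate(self.entries):
            if e["hash"] != baseline:
                issues.append(f"entry {i}: content hash differs from the collection hash")
            if i == 0:
                continue
            prev = self.entries[i - 1]
            if e["when"] < prev["when"]:
                issues.append(f"entry {i}: timestamp precedes entry {i - 1}")
            if prev["handed_to"] is not None and prev["handed_to"] != e["handler"]:
                issues.append(f"entry {i}: handled by {e['handler']} but entry {i - 1} "
                              f"handed the item to {prev['handed_to']}")
        return issues


# Constructed evidence: a small byte string standing in for a disk image.
EVIDENCE = b"\x00" * 64 + b"constructed evidence content" + b"\x00" * 64
T0 = datetime(2024, 6, 4, 17, 35, tzinfo=timezone.utc)  # constructed timestamp


def intact_chain():
    """Clone, verify the hash, and log three hand-offs with no gaps.
    Returns (hash_matches, list_of_problems)."""
    original_hash = sha256_hex(EVIDENCE)
    clone = bit_for_bit_clone(EVIDENCE)
    log = CustodyLog("ITEM-001 (constructed)")
    log.record(T0, "collector", "collected on site", original_hash,
               handed_to="lab", purpose="transport to laboratory")
    log.record(T0.replace(hour=19), "lab", "received and imaged", sha256_hex(clone),
               handed_to="examiner", purpose="analysis")
    log.record(T0.replace(hour=20), "examiner", "hash re-verified, analysis begun",
               sha256_hex(clone))
    return sha256_hex(clone) == original_hash, log.problems()


def broken_chain():
    """A flipped bit in the working copy and a skipped hand-off both show up as gaps."""
    tampered = bytearray(EVIDENCE)
    tampered[70] ^= 0x01
    log = CustodyLog("ITEM-002 (constructed)")
    log.record(T0, "collector", "collected on site", sha256_hex(EVIDENCE), handed_to="lab")
    log.record(T0.replace(hour=19), "examiner", "received", sha256_hex(bytes(tampered)))
    return log.problems()


if __name__ == "__main__":
    print("intact:", intact_chain())
    print("broken:", broken_chain())
```

The hash is recomputed at every hand-off rather than once at the end, so a mismatch can be tied to the specific custodian and time window in which the content changed, which is what the "hole in the timeline" wording above is about.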
        

CONSIDERATIONS INVOLVED WITH DIGITAL EVIDENCE:

A couple of considerations are involved when dealing with digital evidence. We shall take a look at the most common ones and discuss globally accepted best practices.

    
  • NEVER WORK WITH THE ORIGINAL EVIDENCE TO DEVELOP PROCEDURES:

    The biggest consideration with digital evidence is that the forensic expert has to make a complete copy of the evidence for forensic analysis. This cannot be overlooked because when errors are made to working copies or comparisons are required, it will be necessary to compare the original and the copies.

  • USE CLEAN COLLECTING MEDIA:

    It is important to ensure that the examiner's storage device is forensically clean when acquiring the evidence. This prevents the original copies from damage. Think of a situation where the examiner's data evidence collecting media is infected by malware. If the malware escapes into the machine being examined, all of the evidence can become compromised.

  • DOCUMENT ANY EXTRA SCOPE:

    During the course of an examination, information of evidentiary value may be found that is beyond the scope of the current legal authority. It is recommended that this information be documented and brought to the attention of the case agent because the information may be needed to obtain additional search authorities. A comprehensive report must contain the following sections:

      - Identity of the reporting agency;
      - Case identifier or submission number;
      - Case investigator;
      - Identity of the submitter;
      - Date of receipt;
      - Date of report;
      - Descriptive list of items submitted for examination, including serial number, make, and model;
      - Identity and signature of the examiner;
      - Brief description of steps taken during examination, such as string searches, graphics image searches and recovering erased files;
      - Results/conclusions.

  • CONSIDER SAFETY OF PERSONNEL AT THE SCENE:

    It is advisable to always ensure the scene is properly secured before and during the search. In some cases, the examiner may only have the opportunity to do the following while onsite:

      - Identify the number and type of computers;
      - Determine if a network is present;
      - Interview the system administrator and users;
      - Identify and document the types and volume of media, including removable media;
      - Document the location from which the media was removed;
      - Identify offsite storage areas and/or remote computing locations;
      - Identify proprietary software.