Toriality's Blog

COMPUTER FORENSICS - 17

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 17 SOURCES: FORENSICCONTROL.COM

WHEN AND HOW IS COMPUTER FORENSICS USED?

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies were among the earliest and heaviest users of computer forensics - as a result they've often been at the forefront of developments in this field.
Computers can be considered a 'scene of a crime' - for example with hacking or denial of service attacks. They may hold evidence of crimes that happened elsewhere, in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud or drug trafficking.
A forensic computer exam can reveal more than expected.
Investigators are not only interested in the content of emails, documents and other files but also in the metadata associated with those files. Records of a user's actions may also be stored in log files and in other applications on a computer, such as internet browsers.
So a computer forensic examination might reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
Commercial organisations have used computer forensics to help with all kinds of cases, including:
    - Intellectual property theft
    - Employment disputes
    - Invoice fraud, often enabled by phishing emails
    - Forgeries
    - Inappropriate email and internet use in the workplace
    - Regulatory compliance
    

LIVE ACQUISITION: GETTING DATA FROM A POWERED COMPUTER

Traditionally, examiners copy data from a device which is turned off. They use a write-blocker to make an exact bit for bit copy of the original storage medium, and create an acquisition hash of the original medium. Then they work from this copy, leaving the original obviously unchanged.
However, sometimes it is not possible or not desirable to switch a computer off. Perhaps doing so would result in a considerable financial or other loss for the owner, or cause valuable evidence to be permanently lost. In these cases, the computer forensic examiner may need to carry out a 'live acquisition'. This involves running a simple application on the suspect computer to copy (acquire) the data to the examiner's data repository.
By running such an application (and attaching a device such as a USB drive to the suspect's computer) the examiner makes changes and/or additions to the computer which were not present before. But if the examiner records these actions, can show why they were necessary, and can explain their consequences to a court of law, the evidence produced is usually still admissible.
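The bit copy and acquisition hash workflow described above, as an added example that is not from the source article: a constructed byte buffer stands in for the storage medium, SHA-256 is assumed as the hash algorithm, and a simulated one-byte change to the working copy shows why the hash is recomputed before the copy is relied on.

```python
import hashlib

# Constructed stand-in for a storage medium: a byte buffer that includes a
# region no ordinary user would see (unallocated space holding a deleted fragment).
SOURCE_MEDIUM = (
    b"BOOT" * 8                                 # boot sector stand-in
    + b"invoice_2024.docx: quarterly figures"   # allocated, visible file
    + b"\x00" * 48                              # unallocated space, still copied
    + b"deleted mail fragment, not in any dir"  # residue invisible to the user
)

def acquire(medium: bytes, chunk_size: int = 16) -> tuple[bytes, str]:
    """Bit-for-bit copy plus the acquisition hash of the ORIGINAL medium.
    The digest is updated as the source is streamed, so it fingerprints the
    original, not the copy; chunking mirrors how an imager reads a disk."""
    digest = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(medium), chunk_size):
        chunk = medium[offset:offset + chunk_size]
        digest.update(chunk)
        image.extend(chunk)
    return bytes(image), digest.hexdigest()

def verify(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the working copy; a match shows it is identical to the source."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash

def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if identical (handles unequal lengths)."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    return -1 if len(a) == len(b) else min(len(a), len(b))

def demo() -> dict:
    """Acquire, verify, then show that a one-byte change to the copy is caught."""
    image, acq_hash = acquire(SOURCE_MEDIUM)
    tampered = bytearray(image)
    tampered[-5] ^= 0x01  # simulate an accidental write that a write-blocker would stop
    return {
        "copy_is_exact": image == SOURCE_MEDIUM,
        "verifies": verify(image, acq_hash),
        "tampered_verifies": verify(bytes(tampered), acq_hash),
        "tamper_offset": first_difference(image, bytes(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```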

THE STAGES OF COMPUTER FORENSICS EXAMINATION

1. READINESS

    
Forensic readiness is an important and occasionally overlooked stage in the process. In commercial computer forensics, it might include educating clients about system preparedness. For example, forensic examinations provide stronger evidence if a device's auditing features are activated before an incident takes place.
    
    For the forensic examiner, readiness includes appropriate training, testing and verification of their own software and equipment. They need to be familiar with legislation, know how to deal with unexpected issues (such as what to do if child abuse images are found during a fraud engagement) and ensure their data acquisition computer and associated items are suitable for the task.
    
2. EVALUATION

    
During the evaluation stage, the examiner receives instructions and seeks clarification if any of these are unclear or ambiguous, carries out risk analysis and allocates roles and resources. For law enforcement, risk analysis might include assessing the likelihood of physical threat on entering a suspect's property and how best to deal with it.
    
    Commercial organizations also need to consider health and safety issues, conflict of interest issues and possible risks - financial and to their reputation - when they accept a particular project.
    
3. COLLECTION

    
If data acquisition (often called "imaging") is carried out on-site rather than at the computer forensic examiner's office, this stage includes identifying and securing devices which may store evidence, and documenting the scene.
    
    The examiner would also hold interviews or meetings with personnel who might have information relevant to the examination - such as the computer's end users, the manager and the person responsible for the computer services, i.e. an IT administrator.
    
    The collection stage can also involve the labelling and bagging of items from the site which may be used in the investigation - these are sealed in numbered tamper-evident bags. The material then needs to be securely and safely transported to the examiner's office or laboratory.
    
4. ANALYSIS

    
Analysis includes the discovery and extraction of information gathered in the collection stage. The type of analysis depends on the needs of each case. It ranges from extracting a single email to piecing together the complexities of a fraud or terrorism case.
    
    During analysis the examiner usually feeds back to their line manager or client. These exchanges may result in the analysis taking a different path or narrowing to specific areas. Forensic analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the available timescales and allocated resources.
    
    There are multiple tools available for computer forensic analysis. The examiner should use any tool they feel comfortable with, as long as they can justify their choice. A computer forensic tool must do what it's meant to do, so examiners need to regularly test and calibrate their tools before carrying out any analysis.
    
    Examiners can also use 'dual-tool verification' to confirm the integrity of their results during analysis. For example, if the examiner finds artefact X at location Y using tool A, they should be able to replicate these results with tool B.
    
5. PRESENTATION

    
In this stage the examiner produces a structured report on their findings, addressing the points in the initial instructions, along with any further instructions they have received. The report should also cover any other information the examiner deems relevant to the investigation.
    
    The report must be written with the end reader in mind. Often the reader will be non-technical, so appropriate terminology should be used. The examiner may need to participate in meetings or conference calls to discuss and elaborate on their report.
    
6. REVIEW

    
Like the Readiness stage, the Review is often overlooked or disregarded, because it is not billable work or because the examiner needs to get on with the next job. But carrying out a review of each examination can make future projects more efficient and time-effective, which saves money and improves quality in the longer term.
    
    The review of an examination can be simple, quick and begin during any of the above stages. It could include a basic analysis of what went wrong and what went well, along with feedback from the person/company who requested the investigation. Any lessons learnt from this stage should be applied to future examinations and feed into the Readiness stage.
    

WHAT ISSUES COMPUTER FORENSICS EXAMINERS FACE?

Computer forensics examiners come up against three main categories of problem: technical, legal and administrative.
TECHNICAL ISSUES
    ENCRYPTION:
    
        Encrypted data can be impossible to view without the correct key or password. If the key is not available or the owner won't reveal it, it may be stored:
        
            - Elsewhere on the computer;
            
            - On another computer which the suspect can access;
            
            - On the computer's volatile memory (RAM). This is usually lost on computer shut-down.
            
        When encryption may be present, the examiner may need to consider using the 'live acquisition' techniques outlined above, since a key held only in RAM is lost at shut-down.
    
    INCREASING STORAGE SPACE:
    
        Storage media hold ever-greater amounts of data, so the examiner's analysis computers need sufficient processing power and available storage capacity to search and analyze large amounts of data efficiently.
        
    NEW TECHNOLOGIES:
    
        Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert on all areas, though they are often expected to analyze something they haven't encountered before.
        
        This means they need to be prepared and able to test and experiment with the behaviour of new technologies. At this point, networking and sharing knowledge with other computer forensic examiners comes in useful, because someone else may already have come across the same issue.
        
    ANTI-FORENSICS
    
        Anti-forensics is the practice of attempting to thwart computer forensic analysis - through encryption, over-writing data to make it unrecoverable, modifying files' metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect can access.
        
        In our experience, it's very rare to see anti-forensic tools used correctly and frequently enough to totally obscure their presence or the presence of the evidence they were used to hide.
        
LEGAL ISSUES

    
LEGISLATIVE DOMAINS:
    
        Data often isn't stored on a person's own computer but on remote computers on which they rent storage space, otherwise known as the 'cloud'. This data may be in a different country, meaning accessing it could involve different legislation. And even if access is possible, it may be complicated and expensive.
        
    LEGAL ARGUMENTS:
    
        Legal issues can confuse or distract from a computer examiner's findings. One example of this is the "Trojan Defence". A trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging, up/downloading files and installing viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user, but instead automated by a Trojan without the user's knowledge. This kind of Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect's computer.
        
        In such cases, a competent opposing lawyer supplied with evidence from a competent computer forensic analyst should be able to dismiss the argument. A good examiner will have identified and addressed possible arguments from the 'opposition' during the analysis and writing stages of their report.
        
ADMINISTRATIVE ISSUES

    
ACCEPTED STANDARDS:
    
        There are all kinds of standards and guidelines in computer forensics, few of which are universally accepted. The reasons for this include:
        
            - Standard-setting bodies can be tied to particular legislation
            
            - Standards are aimed either at law enforcement or commercial forensics but not both
            
            - The authors of such standards are not accepted by their peers
            
            - High joining fees for professional bodies can put practitioners of
    
    FIT TO PRACTICE:
    
        Many jurisdictions have no qualifying body to check the competence and integrity of computer forensics professionals. This means anyone can present themselves as a computer forensic expert, which in turn can lead to poor quality examinations and a negative view of the profession as a whole.
        

COMPUTER FORENSIC TERMS

ACQUISITION HASH:

    
The result of an algorithmic calculation which produces a unique string of characters that acts as a digital "fingerprint" for a particular data set.
    
BIT COPY:

    
A bit is a contraction of the term binary digit, and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium "invisible" to the user.
    
DENIAL OF SERVICE ATTACK:

    
An attempt to prevent legitimate users of a computer system from having access to that system's information or services.
    
HACKING:

    
Modifying a computer in a way which was not originally intended in order to benefit the hacker's goals.
    
KEY-LOGGING:

    
The recording of keyboard input, giving the ability to read a user's typed passwords, emails and other information.
    
METADATA:

    
Data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file's author, format, creation date and so on.
    
PHISHING:

    
Attempts to trick users into doing "the wrong thing", such as clicking a bad link that will download malicious software, or direct them to a website which will trick them into supplying their password.
    
RAM:

    
Random-Access Memory. RAM is a computer's temporary work space and is volatile, which means its contents are lost when the computer is powered off.
    
WRITE-BLOCKER:

    
A hardware device or software application which prevents any data from being modified or added to the storage medium being examined.