NET 803 Review

Computer forensics involves obtaining and analyzing digital evidence for use in legal cases. It involves investigating data that can be retrieved from computer storage media. The process includes recovering deleted or hidden data and using it as evidence. Corporations establish computer use policies and display warning banners to avoid litigation and have the authority to investigate employee computer use. Proper evidence handling procedures like chain of custody must be followed to preserve evidence integrity.

Uploaded by atp2k
Copyright: © Attribution Non-Commercial (BY-NC)

What is computer forensics and how does it work?

Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases. The Federal Rules of Evidence (FRE) have controlled the use of digital evidence since 1970.
- Investigates data that can be retrieved from a computer's hard disk or other storage media
- The task of recovering data that users have hidden or deleted and using it as evidence
- Evidence can be inculpatory (incriminating) or exculpatory
- Data recovery (by contrast): recovering information that was deleted by mistake or lost during a power surge or server crash (you know what you are looking for)

Difference between Public and Corporate Crimes
- Litigation: the legal process of proving guilt or innocence in court
Public investigations
- Involve government agencies responsible for criminal investigations and prosecution
- Organizations must observe legal guidelines
- A judge must approve and sign a search warrant before you can use it to collect evidence
- Computers and networks are only tools that can be used to commit crimes (many states have added specific language to criminal codes to define crimes involving computers)

Private or corporate investigations
- Deal with private companies, non-law-enforcement government agencies, and lawyers
- Aren't governed directly by criminal law or Fourth Amendment issues
- Governed by internal policies that define expected employee behaviour and conduct in the workplace
- Private corporate investigations also involve litigation disputes

Corporate computer crimes can involve:
- E-mail harassment
- Falsification of data
- Gender and age discrimination
- Embezzlement
- Sabotage
- Industrial espionage

Why do companies publish corporate policy?
Displaying warning banners: another way to avoid litigation
- Usually appears when a computer starts or connects to the company intranet, network, or virtual private network
- Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
- Establishes the right to conduct an investigation
- As a corporate computer investigator, make sure the company displays a well-defined warning banner

Establishing company policies: one way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
- Published company policies provide a line of authority for a business to conduct internal investigations
- Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation

How to get a search warrant?
In a criminal or public case, if you have enough information to support a search warrant, the prosecuting attorney might direct you to submit an affidavit. This sworn statement in support of facts about or evidence of a crime is submitted to a judge with the request for a search warrant before seizing evidence. It's your responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant. You must then have the affidavit notarized under sworn oath to verify that the information in the affidavit is true. After a judge approves and signs a search warrant, it's ready to be executed, meaning you can collect evidence as defined by the warrant.

How to prepare a Computer Investigation
- The role of the computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
- Collect evidence that can be offered in court or at a corporate inquiry
  - Investigate the suspect's computer
  - Preserve the evidence on a different computer

- Follow an accepted procedure to prepare a case
- Chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court

Planning your Investigation
A basic investigation plan should include the following activities:
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure the evidence in an approved secure container
An evidence custody form helps you document what has been done with the original evidence and its forensic copies. Two types:
- Single-evidence form: lists each piece of evidence on a separate page
- Multi-evidence form:

Before you initiate the search and seizure of digital evidence at an incident or crime scene, you must review all the available facts, plans, and objectives with the investigation team you have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data. Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene. In some computing investigations, responding slowly might result in the loss of important evidence for the case.

How do you secure the resources and use them? (Things like evidence, etc.)
- Use evidence bags to secure and catalogue the evidence
- Use computer-safe products: antistatic bags, antistatic pads

- Use well-padded containers
- Use evidence tape to seal all openings: floppy disk or CD drives, power supply electrical cord
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges

Guidance at a computer crime scene, the hard drive, and how to record video
Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene.

To secure the scene, use whatever is practical to make sure that only authorized people can access the area. Remove anyone who isn't investigating the scene unless you need his or her help to process the scene. Make sure nothing in this area, including computer evidence, moves until you have had time to record it.

Take video and still recordings of the area around the computer. Start by recording the overall scene, and then record details with close-up shots, including the back of all computers. Before recording the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which plug, in case you need to reassemble components at the lab. Make sure you take close-ups of all cable connections, including keyloggers (devices used to record keystrokes) and dongle devices used with software as part of the licensing agreement. Record the area around the computer, including the floor and ceiling, and all access points to the computer, such as doors and windows. Be sure to look under any tables or desks for anything taped to the underside of a table or desk drawer or on the floor out of view. If the area has ceiling panels (false ceiling tiles), remove them and record that area, too. Slowly pan or zoom the camera to prevent blurring in the video image, and maintain a camera log for all shots you take. Make a sketch of the crime scene, recording rough estimates of the dimensions and distances of things.

Kill power on older systems. Newer systems must be shut down, but get approval from the manager first. Make copies of all open windows, browsers, and files.

Hard Drive Geometry
- Geometry: refers to a disk's structure of platters, tracks, and sectors.
- Head: the device that reads and writes data to a drive. There's one head per platter.
- Tracks: concentric circles on a disk platter where data is located.
- Cylinders: a cylinder is a column of tracks on two or more disk platters. Typically, each platter has two surfaces: top and bottom.
- Sectors: a sector is a section on a track, usually made up of 512 bytes.

First rule of computer forensics: preserve the original evidence. Conduct your analysis only on a copy of the data.

Journal for processing and keeping information
- Keep an evidence log; update it every time an evidence container is opened and closed
Create and enforce a security policy
- Sign-in for visitors
- Anyone not assigned to the lab is a visitor
- Escort all visitors at all times
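The evidence custody form and the evidence log described above, as an added Python example that is not part of these notes: a multi-evidence log in which every acquisition, transfer, and container open or close is a dated event, and every open re-verifies the item's hash against the hash taken at acquisition, so a later mismatch is recorded on the form itself. The class and field names are my own choices, and the evidence bytes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample evidence; in practice this is the acquired drive image.
SAMPLE_EVIDENCE = b"constructed sample image bytes for demonstration"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    timestamp: str          # UTC ISO-8601, when the event was logged
    action: str             # acquired / transferred / container_opened / container_closed
    person: str             # who holds the item after this event
    detail: str = ""
    hash_at_event: str = "" # hash verified at this event, if any


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquired_by: str
    original_hash: str      # hash taken at acquisition; every later check compares to this
    events: list = field(default_factory=list)


class EvidenceLog:
    """A multi-evidence form: one log, one record per item, one event per custody change."""

    def __init__(self):
        self.records = {}

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    def acquire(self, item_id, description, person, data):
        h = sha256_hex(data)
        rec = EvidenceRecord(item_id, description, person, h)
        rec.events.append(CustodyEvent(self._now(), "acquired", person, description, h))
        self.records[item_id] = rec
        return rec

    def transfer(self, item_id, from_person, to_person, reason):
        rec = self.records[item_id]
        rec.events.append(CustodyEvent(self._now(), "transferred", to_person,
                                       f"from {from_person}: {reason}"))

    def open_container(self, item_id, person, data):
        """Every open re-hashes the evidence and records whether it still matches."""
        rec = self.records[item_id]
        h = sha256_hex(data)
        intact = h == rec.original_hash
        rec.events.append(CustodyEvent(self._now(), "container_opened", person,
                                       "integrity ok" if intact else "HASH MISMATCH", h))
        return intact

    def close_container(self, item_id, person, seal_number):
        rec = self.records[item_id]
        rec.events.append(CustodyEvent(self._now(), "container_closed", person,
                                       f"sealed with {seal_number}"))

    def custody_chain(self, item_id):
        """Ordered (action, holder) pairs, as the form would present them."""
        return [(e.action, e.person) for e in self.records[item_id].events]

    def integrity_breaks(self, item_id):
        """Events at which the verified hash differed from the acquisition hash."""
        rec = self.records[item_id]
        return [e for e in rec.events if e.hash_at_event and e.hash_at_event != rec.original_hash]

    def export(self):
        return json.dumps({k: asdict(v) for k, v in self.records.items()}, indent=2)


if __name__ == "__main__":
    log = EvidenceLog()
    log.acquire("E-001", "suspect laptop HDD image (constructed)", "examiner A", SAMPLE_EVIDENCE)
    log.transfer("E-001", "examiner A", "lab custodian", "transport to lab")
    log.open_container("E-001", "examiner B", SAMPLE_EVIDENCE)
    log.close_container("E-001", "examiner B", "SEAL-0001")
    print(log.export())
```

The hash check on every open is what turns the form from a list of names into evidence of integrity: the log shows not only who had the item but that it was unchanged each time the container was opened.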

Subject computer disk for boot disk (image information in read-only mode so data can't be modified in any way)
You must maintain the integrity of digital evidence in the lab as you do when collecting it in the field. Your first task is to preserve the disk data. If you have a suspect computer that hasn't been copied with an imaging tool, you must create a copy. When you do, be sure to make the suspect drive read-only (typically by using a write-blocking device), and document this step.

When you must demonstrate in court how criminal activity was carried out on a suspect's computer, you need a product that shadows the suspect drive. This shadowing technique requires a hardware device such as Voom Technologies Shadow Drive. This device connects the suspect drive to a read-only IDE port and another drive to a read-write port. The read/write port drive is referred to as a shadow drive.

How to boot from a CD-ROM on a specific system? Change the boot sequence from CMOS (?)

Clusters
- Sectors are grouped to form clusters in Microsoft file structures
- Storage allocation units of one or more sectors
- Clusters are typically 512, 1024, 2048, 4096, or more bytes each
- Combining sectors minimizes the overhead of writing or reading files to a disk
- Clusters are numbered sequentially starting at 2
- The first sector of all disks contains a system area, the boot record, and a file structure database
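As an added example (not from the notes or any course material), the sector and cluster arithmetic above in Python: CHS-to-LBA conversion using the geometry terms defined earlier, and the FAT rule that data clusters are numbered from 2, which is why cluster 2 lies at the very start of the data area. It goes slightly beyond the text by also computing file slack, the unused tail of a file's last cluster, which is one place remnants of earlier data survive. Function names and the geometry values used in the checks are assumptions.

```python
SECTOR_SIZE = 512  # bytes per sector, as stated in the notes


def chs_to_lba(cylinder, head, sector, heads_per_cylinder, sectors_per_track):
    """Classic CHS -> LBA conversion. CHS sector numbers start at 1, LBA at 0."""
    if sector < 1 or sector > sectors_per_track or head >= heads_per_cylinder:
        raise ValueError("CHS address out of range for this geometry")
    return (cylinder * heads_per_cylinder + head) * sectors_per_track + (sector - 1)


def lba_to_byte_offset(lba, sector_size=SECTOR_SIZE):
    """Byte offset of a sector within the raw image."""
    return lba * sector_size


def cluster_to_lba(cluster, data_area_start_lba, sectors_per_cluster):
    """FAT data clusters are numbered from 2; clusters 0 and 1 are reserved,
    so cluster 2 begins exactly at the first sector of the data area."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved in FAT")
    return data_area_start_lba + (cluster - 2) * sectors_per_cluster


def cluster_to_byte_offset(cluster, data_area_start_lba, sectors_per_cluster,
                           sector_size=SECTOR_SIZE):
    """Where in the image a cluster's first byte sits: what an examiner seeks to
    when following a starting cluster number from a directory entry."""
    lba = cluster_to_lba(cluster, data_area_start_lba, sectors_per_cluster)
    return lba_to_byte_offset(lba, sector_size)


def cluster_size_bytes(sectors_per_cluster, sector_size=SECTOR_SIZE):
    return sectors_per_cluster * sector_size


def slack_space(file_size, sectors_per_cluster, sector_size=SECTOR_SIZE):
    """Bytes between the end of a file and the end of its last cluster.
    The file system never rewrites this region, so older data may remain there."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size_bytes(sectors_per_cluster, sector_size)


if __name__ == "__main__":
    # Assumed geometry: 16 heads, 63 sectors per track, 8 sectors (4096 bytes) per cluster,
    # data area starting at LBA 100. These are illustrative values, not from the notes.
    print("LBA of C/H/S 1/0/1:", chs_to_lba(1, 0, 1, 16, 63))
    print("byte offset of cluster 3:", cluster_to_byte_offset(3, 100, 8))
    print("slack of a 5000-byte file:", slack_space(5000, 8))
```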

Logical Cluster Numbers (LCN)
Logical cluster numbers (LCNs) are sequentially numbered from the beginning of the disk partition, starting with the value 0. LCNs become the addresses that allow the MFT to link to non-resident files (files outside the MFT) on the disk's partition.

File Allocation Table (FAT)
- File structure database that Microsoft originally designed for floppy disks
- Used before Windows NT and 2000
- The FAT database is typically written to a disk's outermost track and contains: filenames, directory names, date and time stamps, the starting cluster number, and file attributes
Versions of FAT
- FAT12: this version is used specifically for floppy disks, so it has a limited amount of storage space. It was originally designed for MS-DOS 1.0, the first Microsoft OS, used for floppy disk drives and drives up to 16 MB.
- FAT16: to handle large disks, Microsoft developed FAT16, which is still used on older Microsoft OSs, such as MS-DOS 3.0 through 6.22, Windows 95 (first release), and Windows NT 3.5 and 4.0. FAT16 supports disk partitions with a maximum storage capacity of 2 GB.
- FAT32: when disk technology improved and disks larger than 2 GB were created, Microsoft developed FAT32, which is used on Microsoft OSs such as Windows 95 (second release), 98, Me, 2000, XP, and Vista. FAT32 can access up to 2 TB of disk storage. One disk can have multiple partitions in FAT16, FAT32, or NTFS.
- FATX: Xbox media is stored in the FATX format and can be read by any Windows system. The date stamps start at the year 2000, unlike the other FAT formats, which start at 1980.

Encryption Tools
Some available third-party WDE utilities:
- PGP Whole Disk Encryption

- Voltage SecureDisk
- Utimaco SafeGuard Easy
- Jetico BestCrypt Volume Encryption
- SoftWinter Sentry 2020 for Windows XP
BitLocker
- Available only with Vista Enterprise and Ultimate editions
- Hardware and software requirements: a computer capable of running Windows Vista; the TPM microchip, version 1.2 or newer; a computer BIOS compliant with Trusted Computing Group (TCG) specifications; two NTFS partitions; the BIOS configured so that the hard drive boots first before checking other bootable peripherals

Major functions of forensics tools: software functions and hardware functions
Software Functions
AccessData's Forensic Toolkit (FTK)
- An extensive array of computer forensics tools in a single stand-alone software suite
- Investigators can analyze a computer hard drive and search files, folders, e-mails, documents, pictures, and any remaining evidence that might have been deleted or altered
- Once a file has been identified, FTK provides a report feature to document the forensic analysis and the procedures used in the case
- Easy to use, since it organizes all digital evidence into buckets that identify the file types, such as documents, graphics, spreadsheets, etc.
FTK Imager
- Supports file systems: FAT12, FAT16, FAT32, NTFS (DOS and Windows); Ext2, Ext3 (Linux); HFS and HFS+ (Apple Macintosh)
Imaging: the process of duplicating digital evidence by using a bit-stream copy
- Duplicates the original evidence and allows agents to examine the copy without the risk of damaging potential digital evidence
- The bit-stream process makes an exact byte-for-byte copy of the original storage disk, including the physical and logical file locations
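The FAT date stamps mentioned under Versions of FAT above (epoch 1980 for FAT12/16/32, 2000 for FATX) as an added example that is not from the notes: a decoder for the packed 16-bit FAT date and time fields, parameterized by epoch so that the same raw value decodes twenty years apart under the two conventions, plus a reader for the write time and date of a constructed 32-byte FAT directory entry. The field layout (7-bit year offset, 4-bit month, 5-bit day; 5-bit hour, 6-bit minute, 5-bit two-second count; write time at offset 22 and write date at offset 24) is the standard FAT on-disk format; the sample entry and the function names are constructed.

```python
import struct
from datetime import datetime

FAT_EPOCH_YEAR = 1980   # FAT12/FAT16/FAT32, as stated in the notes
FATX_EPOCH_YEAR = 2000  # Xbox FATX, as stated in the notes


def decode_fat_date(raw, epoch_year=FAT_EPOCH_YEAR):
    """16-bit FAT date: bits 15-9 years since epoch, 8-5 month, 4-0 day."""
    year = epoch_year + ((raw >> 9) & 0x7F)
    month = (raw >> 5) & 0x0F
    day = raw & 0x1F
    return year, month, day


def decode_fat_time(raw):
    """16-bit FAT time: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2 (2 s resolution)."""
    hours = (raw >> 11) & 0x1F
    minutes = (raw >> 5) & 0x3F
    seconds = (raw & 0x1F) * 2
    return hours, minutes, seconds


def decode_fat_datetime(date_raw, time_raw, epoch_year=FAT_EPOCH_YEAR):
    """Combine both fields; a zero month or day means the stamp was never set."""
    y, m, d = decode_fat_date(date_raw, epoch_year)
    if m == 0 or d == 0:
        return None
    hh, mm, ss = decode_fat_time(time_raw)
    return datetime(y, m, d, hh, mm, ss)


def encode_fat_datetime(dt, epoch_year=FAT_EPOCH_YEAR):
    """Inverse of the decoder, used here to build the constructed sample entry."""
    date_raw = ((dt.year - epoch_year) << 9) | (dt.month << 5) | dt.day
    time_raw = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_raw, time_raw


def parse_fat_dir_entry_write_time(entry, epoch_year=FAT_EPOCH_YEAR):
    """Write time (offset 22) and write date (offset 24) of a 32-byte directory entry,
    both little-endian 16-bit values."""
    wtime, wdate = struct.unpack_from("<HH", entry, 22)
    return decode_fat_datetime(wdate, wtime, epoch_year)


def write_time_iso(entry, epoch_year=FAT_EPOCH_YEAR):
    """ISO-8601 string of the entry's write stamp, or None if unset."""
    dt = parse_fat_dir_entry_write_time(entry, epoch_year)
    return None if dt is None else dt.isoformat()


# Constructed 32-byte directory entry for a file "README.TXT" last written
# 2009-05-17 14:30:10, encoded with the 1980 epoch.
SAMPLE_ENTRY = bytearray(32)
SAMPLE_ENTRY[0:11] = b"README  TXT"   # 8.3 short name, space padded
SAMPLE_ENTRY[11] = 0x20               # attribute byte: archive
_d, _t = encode_fat_datetime(datetime(2009, 5, 17, 14, 30, 10))
struct.pack_into("<HH", SAMPLE_ENTRY, 22, _t, _d)

if __name__ == "__main__":
    print("as FAT16/32:", write_time_iso(SAMPLE_ENTRY))
    print("same bytes read as FATX:", write_time_iso(SAMPLE_ENTRY, FATX_EPOCH_YEAR))
```

Reading the same raw stamp with the wrong epoch shifts every date by exactly twenty years, which is why the file system type has to be established before timestamps from a directory entry go into a timeline.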

- Remnants of deleted files still exist on a storage device until they are overwritten during computer operation; they can be searched for and repaired to recover deleted files and make them readable
- The imaging process also generates file signatures or hashes that can be used to identify potential evidence and validate its integrity throughout the investigative process
- Determine the form of a file (document, graphic, deleted file, or encrypted file)
ProDiscover Basic
- Supports FAT12, FAT16, FAT32, NTFS, Basic and Dynamic Disks, and RAID disk drives
- Generates reports on intruders attempting to take control of network resources
- Searches for deleted files, graphics images, Internet history, and Windows registry keys
- Extracts EXIF digital image information that details camera model, date, time, shutter speed, and lens information
- Can also process VMware running a guest OS with a host OS (to view an image as a running computer within a computer)
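An added Python example, not code from the notes or from any tool named in them, for the imaging points above: a sector-by-sector (bit-stream) copy of a constructed suspect disk that computes MD5 and SHA-256 while reading, verification of the copy against those hashes, and header/footer carving that recovers the remnants of two deleted images from the unallocated area and identifies each by its signature. The disk contents, the signature table, and the function names are constructed and assumed.

```python
import hashlib
import io

# Constructed "suspect disk": two 512-byte sectors of allocated data, followed by
# unallocated space holding the remnants of a deleted JPEG and a deleted PNG.
# The signatures are the real file headers/trailers; everything else is made up.
JPEG_REMNANT = b"\xff\xd8\xff\xe0" + b"JFIF-remnant-data" + b"\xff\xd9"
PNG_REMNANT = b"\x89PNG\r\n\x1a\n" + b"png-remnant-data" + b"IEND\xaeB`\x82"
SUSPECT_DISK = (
    b"allocated-file-A".ljust(512, b"\x00")
    + b"allocated-file-B".ljust(512, b"\x00")
    + b"\x00" * 100 + JPEG_REMNANT + b"\x00" * 50 + PNG_REMNANT + b"\x00" * 100
)

# file type -> (header, footer) used for both identification and carving
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def bit_stream_image(source, sector_size=512):
    """Read a read-only source sector by sector into an exact copy, hashing the
    source as it is read so the acquisition hash comes from the same pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    out = io.BytesIO()
    source.seek(0)
    while True:
        chunk = source.read(sector_size)
        if not chunk:
            break
        md5.update(chunk)
        sha.update(chunk)
        out.write(chunk)
    return out.getvalue(), {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(image_bytes, expected):
    """Re-hash the copy and compare with the acquisition hashes."""
    return (hashlib.md5(image_bytes).hexdigest() == expected["md5"]
            and hashlib.sha256(image_bytes).hexdigest() == expected["sha256"])


def identify(data):
    """Determine the form of a file from its leading bytes, not its name."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return "unknown"


def carve(image_bytes):
    """Header/footer carving over the whole image, so remnants in unallocated
    space are found even though no file system entry points at them."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image_bytes.find(header, pos)
            if start == -1:
                break
            end = image_bytes.find(footer, start + len(header))
            if end == -1:
                break  # header without trailer: partially overwritten, skipped here
            end += len(footer)
            found.append({"type": name, "offset": start, "length": end - start,
                          "data": image_bytes[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def image_suspect_disk():
    """Image the constructed disk through a read-only in-memory source."""
    return bit_stream_image(io.BytesIO(SUSPECT_DISK))


if __name__ == "__main__":
    image, hashes = image_suspect_disk()
    print("copy verified:", verify_image(image, hashes), hashes["sha256"])
    for item in carve(image):
        print(item["type"], "at offset", item["offset"], "length", item["length"])
```

Carving with a footer search is deliberately simple; a header whose footer was already overwritten is skipped rather than guessed, which keeps what is reported traceable to bytes actually present in the image.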

AccessData Registry Viewer
- Information on hardware, software, users, and passwords
- The registry is responsible for booting into the Windows environment based on user preferences, and it contains valuable forensic information
- Used to view the content of the Windows registry and search data such as recently opened files, removable storage devices, user account names, deleted files within the Recycle Bin, the registry software owner's name, and other potential evidence

Hardware Functions
Any lab should have in stock:
- IDE cables
- Ribbon cables for floppy disks
- SCSI cards, preferably ultra-wide
- Graphics cards, both PCI and AGP types
- Power cords

- Hard disk drives
- At least two 2.5-inch notebook IDE hard drive to standard IDE/ATA or SATA adapters
- Computer hand tools
Maintain licensed copies of software like:
- Microsoft Office 2007, XP, 2003, 2000, 97, and 95
- Quicken
- Programming languages
- Specialized viewers
- Corel Office Suite
- StarOffice/OpenOffice
- Peachtree accounting applications

Booting sequence
Understanding the boot sequence
- Bootstrap process: contained in ROM; tells the computer how to proceed and displays the key or keys you press to open the CMOS setup screen
- CMOS (Complementary Metal Oxide Semiconductor): where the computer stores system configuration and date and time information while the system is turned off (also modified to boot from a forensic floppy disk or CD, i.e. to access the optical drive first)
- BIOS (Basic Input/Output System): contains programs that perform input and output at the hardware level

Boot Orders
Understanding Microsoft start-up tasks
- Learn what files are accessed when Windows starts
- This information helps you determine when a suspect's computer was last accessed (important with computers that might have been used after an incident was reported)
Startup in Windows NT and later
All NTFS computers perform the following steps when the computer is turned on:
- POST (power-on self test)
- Initial startup
- Boot loader
- Hardware detection and configuration
- Kernel loading
- User logon
Startup files for Windows XP
- NT loader (NTLDR)
- Boot.ini
- BootSect.dos
- NTDetect.com
- NTBootdd.sys
- Ntoskrnl.exe
- Hal.dll
- Pagefile.sys
- Device drivers

GUI vs command line
Command-line utilities
- The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems
- Norton DiskEdit: one of the first MS-DOS tools used for computer investigations
- Advantage: command-line tools require few system resources and are designed to run in minimal configurations
GUI utilities
- Simplify computer forensics investigations
- Help train beginning investigators
- Most of them come in suites of tools
- Advantages: ease of use; multitasking; no need to learn older OSs
- Disadvantages: excessive resource requirements; produce inconsistent results; create tool dependencies

How to extract info from .dat files, and what tool do you use?
ProDiscover Basic will allow you to extract .dat files from the Windows registry
