Network Forensic Lecture

Computer forensics is the process of preserving, identifying, extracting, documenting, and interpreting computer media for legal evidence and analysis of computer crimes. It involves various methods for recovering data, monitoring activity, and detecting policy violations, with applications in criminal prosecution, civil litigation, and corporate investigations. The document also covers evidence handling, admissibility, and the use of forensic tools in both computer and network forensics.

Uploaded by vinay.aseri
Computer and Network Forensics

Mr. Vinay Aseri
Teaching Research Assistant
NSIT-NFSU, Ahmedabad
Definition
What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root-cause analysis.
Evidence might be required for a wide range of computer crimes and misuses.
Multiple methods exist for:
• Discovering data on a computer system
• Recovering deleted, encrypted, or damaged file information
• Monitoring live activity
• Detecting violations of corporate policy
The information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity.
Definition (Cont)
What Constitutes Digital Evidence?
Any information that can be extracted from a computer, whether or not it has been subject to human intervention.
It must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
Computer Forensics Examples
Recovering thousands of deleted emails
Performing an investigation after employment termination
Recovering evidence after a hard drive has been formatted
Performing an investigation after multiple users had taken over the system
Reasons For Evidence
Wide range of computer crimes and misuses
Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
• Theft of trade secrets
• Fraud
• Extortion
• Industrial espionage
• Possession of pornography
• SPAM investigations
• Virus/Trojan distribution
• Homicide investigations
• Intellectual property breaches
• Unauthorized use of personal information
• Forgery: unauthorized copying
• Perjury: making a misrepresentation under oath
Reasons for Evidence (Cont)
Computer-related crime and violations include a range of activities, including:
Business Environment:
• Theft or destruction of intellectual property
• Unauthorized activity
• Tracking internet browsing habits
• Selling company bandwidth
• Wrongful dismissal claims
• Sexual harassment
• Software piracy
Who Uses Computer Forensics?
Criminal Prosecutors
Rely on evidence obtained from a computer to prosecute suspects and use as evidence.
Civil Litigations
Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases.
Insurance Companies
Evidence discovered on a computer can be used to reduce costs (fraud, worker's compensation, arson, etc.).
Private Corporations
Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases.
Who Uses Computer Forensics? (cont)
Law Enforcement Officials
Rely on computer forensics to back up search warrants and post-seizure handling.
Individual/Private Citizens
Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment.
FBI Computer Forensics Services
Comparison against known data
Transaction sequencing
Extraction of data
Recovering deleted data files
Format conversion
Keyword searching
Decrypting passwords
Analyzing and comparing limited source code
FBI Computer Forensics Services
During the past year, FBICFL:
Processed 1,756 terabytes of data;
Conducted 4,524 forensic examinations;
Assisted 591 onsite law enforcement operations;
Trained 4,991 law enforcement officers in digital forensics techniques;
Appeared in court 74 times to testify at trial;
Examined 58,609 pieces of digital media of all kinds. The most popular types included:
• CDs and hard drives (about 17,500 each);
• floppy disks (10,982);
• DVDs (4,310);
• flash media (2,548); and
• cell phones (2,226).
Other items included digital cameras, GPS devices, and video and audio tapes.
Steps of Computer Forensics
Computer Forensics is a four-step process:
Acquisition
• Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
Identification
• This step involves identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites
Evaluation
• Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
Presentation
• This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws
Admissibility of Evidence
Legal rules determine whether potential evidence can be considered by a court. Evidence must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place.
The five rules are that evidence must be:
Admissible: Must be able to be used in court or elsewhere.
Authentic: Evidence relates to the incident in a relevant way.
Complete: No tunnel vision; exculpatory evidence for alternative suspects is included.
Reliable: No question about authenticity and veracity.
Believable: Clear, easy to understand, and believable by a jury.
Admissibility of the Techniques
Whether the theory or technique has been reliably tested
Whether the theory or technique has been subject to peer review and publication
What is the known or potential rate of error of the method used?
Whether the theory or method has been generally accepted by the scientific community
Handling Evidence
No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer
Preventing viruses from being introduced to a computer during the analysis process
Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
Handling Information
Information and data being sought after and collected in the investigation must be properly handled.
There are two types of information:
Volatile Information
Network Information
• Communication between the system and the network
Active Processes
• Programs and daemons currently active on the system
Logged-on Users
• Users/employees currently using the system
Open Files
• Libraries in use; hidden files; Trojans (rootkits) loaded in the system
Handling Information
Non-Volatile Information
This includes information, configuration settings, system files and registry settings that are available after reboot
Accessed through drive mappings from the system
This information should be investigated and reviewed from a backup copy
Evidence Processing Guidelines
The following 16 steps are recommended in processing evidence.
Some security firms offer training on properly handling each step.
Step 1: Shut down the computer
• Consideration must be given to volatile information
• Prevents remote access to the machine and destruction of evidence (manual or anti-forensic software)
Step 2: Document the Hardware Configuration of the System
• Note everything about the computer configuration prior to relocating
Evidence Processing Guidelines (cont)
Step 3: Transport the Computer System to a Secure Location
• Do not leave the computer unattended unless it is locked in a secure location
Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
Step 5: Mathematically Authenticate Data on All Storage Devices
• Must be able to prove that you did not alter any of the evidence after the computer came into your possession
Step 6: Document the System Date and Time
Step 7: Make a List of Key Search Words
Step 8: Evaluate the Windows Swap File
Evidence Processing Guidelines
Step 9: Evaluate File Slack
• File slack is a data storage area that most computer users are unaware of; it is a source of significant security leakage.
Step 10: Evaluate Unallocated Space (Erased Files)
Step 11: Search Files, File Slack and Unallocated Space for Key Words
Step 12: Document File Names, Dates and Times
Step 13: Identify File, Program and Storage Anomalies
Step 14: Evaluate Program Functionality
Step 15: Document Your Findings
Step 16: Retain Copies of Software Used
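Steps 4 to 6 above come down to hashing the bit-stream copy at acquisition time and re-hashing every working copy before it is examined. The Python block below is an added example, not from the lecture: it hashes an image in chunks, builds an acquisition record with the documented time, and shows a one-byte change in a working copy failing verification (the image data, examiner name and source description are constructed placeholders).

```python
import hashlib
import os
import tempfile
import time

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never sits in memory

def hash_image(path, algorithms=("md5", "sha256")):
    """Hash a bit-stream image in chunks; returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def make_record(image_path, examiner, source):
    """Acquisition record: hashes plus the documented acquisition time (Steps 5 and 6)."""
    return {
        "source": source,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "hashes": hash_image(image_path),
    }

def verify_image(image_path, record):
    """Re-hash a copy and compare with the record; returns (ok, mismatching algorithms)."""
    current = hash_image(image_path, tuple(record["hashes"]))
    bad = sorted(a for a, digest in record["hashes"].items() if current[a] != digest)
    return (not bad, bad)

def demo():
    """Constructed 1 MiB 'disk image': an intact working copy verifies, a one-byte change does not."""
    data = bytes(range(256)) * 4096
    with tempfile.TemporaryDirectory() as tmp:
        master = os.path.join(tmp, "evidence.dd")
        with open(master, "wb") as fh:
            fh.write(data)
        record = make_record(master, "EXAMINER-PLACEHOLDER", "constructed sample, not a real drive")
        copy = os.path.join(tmp, "working.dd")
        with open(copy, "wb") as fh:
            fh.write(data)
        ok_copy, _ = verify_image(copy, record)
        with open(copy, "r+b") as fh:
            fh.seek(513)
            fh.write(b"\x00")  # byte 513 was 0x01; a single changed byte must be detected
        ok_tampered, bad = verify_image(copy, record)
    return ok_copy, ok_tampered, bad
```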
Anti-Forensics
Software that limits and/or corrupts evidence that could be collected by an investigator
Performs data hiding and distortion
Exploits limitations of known and used forensic tools
Works on both Windows and Linux based systems
Might be used prior to or after system acquisition
Anti-Forensics (cont)
To human eyes, data usually contains known forms, like images, e-mail, sounds, and text. Most Internet data naturally includes gratuitous headers, too. These are media exploited using new, controversial logical encodings: steganography and marking.
Steganography: The art of storing information in such a way that the existence of the information is hidden.
Steganography

The duck flies at midnight. Tame uncle Sam
Simple but effective when done well
Watermarking
Watermarking: Hiding data within data
Information can be hidden in almost any file format.
File formats with more room for compression are best:
• Image files (JPEG, GIF)
• Sound files (MP3, WAV)
• Video files (MPG, AVI)
The hidden information may be encrypted, but not necessarily.
Numerous software applications will do this for you; many are freely available online.
Methods of Hiding Data on Disk
• Hard Drive/File System manipulation
– Slack space is the space between the logical end and the physical end of a file and is called the file slack. The logical end of a file comes before the physical end of the cluster in which it is stored. The remaining bytes in the cluster are remnants of previous files or directories stored in that cluster.
• Slack space can be accessed and written to directly using a hex editor.
• This does not add any "used space" information to the drive.
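To make the slack-space description concrete, and with it Steps 9 to 11 of the processing guidelines above, here is an added Python example, not from the lecture, over a constructed 8-cluster volume (512-byte clusters, contiguous allocation assumed): it extracts the file slack of a live file, lists the clusters that no directory entry references, and runs a keyword search over both.

```python
CLUSTER = 512  # constructed volume uses 512-byte clusters; real volumes are usually 4 KiB or larger

def clusters_needed(size, cluster=CLUSTER):
    """Number of whole clusters a file of this logical size occupies (at least one)."""
    return max(1, -(-size // cluster))

def write_file(vol, start, data, cluster=CLUSTER):
    """Write file data from a cluster boundary. Bytes after the logical end are left untouched,
    which is why remnants of earlier files survive in the slack. Assumes contiguous allocation."""
    offset = start * cluster
    vol[offset:offset + len(data)] = data
    return {"start": start, "size": len(data)}

def slack_of(vol, entry, cluster=CLUSTER):
    """File slack: bytes between the logical end of the file and the physical end of its last cluster."""
    logical_end = entry["start"] * cluster + entry["size"]
    physical_end = (entry["start"] + clusters_needed(entry["size"], cluster)) * cluster
    return bytes(vol[logical_end:physical_end])

def unallocated(vol, entries, cluster=CLUSTER):
    """Clusters referenced by no directory entry (Step 10: where erased files still live)."""
    used = set()
    for e in entries.values():
        used.update(range(e["start"], e["start"] + clusters_needed(e["size"], cluster)))
    return [(c, bytes(vol[c * cluster:(c + 1) * cluster]))
            for c in range(len(vol) // cluster) if c not in used]

def keyword_hits(regions, keywords):
    """Case-insensitive search (Step 11) over (label, bytes) regions; returns (label, offset, keyword)."""
    hits = []
    for label, blob in regions:
        low = blob.lower()
        for kw in keywords:
            pos = low.find(kw.lower())
            while pos != -1:
                hits.append((label, pos, kw))
                pos = low.find(kw.lower(), pos + 1)
    return hits

def demo():
    """Constructed 8-cluster volume: an old memo is 'deleted' (its entry dropped) and partly overwritten."""
    vol = bytearray(8 * CLUSTER)
    write_file(vol, 2, b"Draft memo: CONFIDENTIAL merger price 42M USD" + b"x" * 600)  # clusters 2-3
    write_file(vol, 5, b"erased: merger memo v2")                                     # cluster 5
    notes = write_file(vol, 2, b"hello world")   # new file reuses cluster 2, logical end at byte 11
    entries = {"notes.txt": notes}               # the directory now lists only the new file
    regions = [("notes.txt slack", slack_of(vol, notes))]
    regions += [(f"unallocated cluster {c}", blob) for c, blob in unallocated(vol, entries)]
    return keyword_hits(regions, [b"confidential", b"merger"])
```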
Methods of Hiding Data on Disk (cont)
• Hard Drive/File System manipulation (cont.)
– Hidden drive space is non-partitioned space in between partitions
• The File Allocation Table (FAT) is modified to remove any reference to the non-partitioned space
• The address of the sectors must be known in order to read/write information to them
– Bad sectors occur when the OS attempts to read info from a sector unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from/written to again
• Users can control the flagging of bad sectors
• Flagged sectors can be read from / written to with direct reads and writes using a hex editor
Methods of Hiding Data on Disk (cont)
• Hard Drive/File System manipulation (cont.)
– Extra tracks: most hard disks have more than the rated number of tracks to make up for flaws in manufacturing (to keep them from being thrown away for failing to meet the minimum number).
• Usually not required or used, but with direct (hex editor) reads and writes they can be used to hide/read data
Forensics Tools
Hardware Devices:
Write Blocker
Software Tools:
Imaging Software
• Creates an exact copy of the hard drive (a hash is used for checking)
• Also called a bitstream copy
Disk Deep Searching Software
The forensics tool that is chosen must have been successfully used in court cases:
Encase
Forensic Toolkit (FTK)
Encase
Encase is a computer forensics tool widely used by law enforcement agencies.
It allows:
Imaging
Write Blocking
Hash calculation
Locating hidden drives and partitions
Locating hidden files
Multiple location searching
Forensic Toolkit (FTK)
Forensic Toolkit (FTK) allows you to:
Create images of hard drives
Analyze the registry
Scan slack space for file fragments
Inspect emails
Identify steganography
Crack passwords
What is Network Forensics
Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.
Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
A network forensics appliance is a device that automates this process.
Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.
What is Network Forensics?
Network forensics systems can be one of two kinds:
"Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage.
"Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.
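As an added example (not from the lecture) of the "stop, look and listen" design, the Python block below keeps only per-flow counters in memory for constructed IPv4/TCP packets and discards the packets themselves, then reports sources whose flows carried SYNs but no payload, one of the leads an investigator follows when trying to discover the source of an attack. The addresses, ports and traffic are constructed for the demo; the packets are built in memory and never sent.

```python
import socket
import struct

SYN = 0x02  # TCP SYN flag bit

def make_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4+TCP packet for the demo only (checksums left at zero, never sent)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload

def parse_packet(pkt):
    """Read only the fields a flow record needs; returns None for non-TCP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_offset = (pkt[ihl + 12] >> 4) * 4
    return src, dst, sport, dport, pkt[ihl + 13], struct.unpack("!H", pkt[2:4])[0] - ihl - data_offset

class StopLookListen:
    """Keeps per-flow counters in memory and drops the packets, unlike a catch-it-as-you-can capture."""
    def __init__(self):
        self.flows = {}
    def observe(self, pkt):
        parsed = parse_packet(pkt)
        if parsed is not None:
            src, dst, sport, dport, flags, payload_len = parsed
            flow = self.flows.setdefault((src, dst, sport, dport), {"packets": 0, "bytes": 0, "syn": 0})
            flow["packets"] += 1
            flow["bytes"] += payload_len
            flow["syn"] += 1 if flags & SYN else 0
    def syn_only_sources(self):
        """Sources with flows that sent SYNs but never any payload: a lead to review, not a verdict."""
        counts = {}
        for (src, _, _, _), flow in self.flows.items():
            if flow["syn"] and flow["bytes"] == 0:
                counts[src] = counts.get(src, 0) + 1
        return counts

def demo():
    """Constructed traffic: one host touching four ports with bare SYNs, another carrying a normal session."""
    monitor = StopLookListen()
    for port in (22, 80, 443, 8080):
        monitor.observe(make_packet("10.0.0.5", "10.0.0.9", 40000 + port, port, SYN))
    for _ in range(3):
        monitor.observe(make_packet("10.0.0.7", "10.0.0.9", 51000, 443, 0x18, b"x" * 100))
    return len(monitor.flows), monitor.syn_only_sources(), monitor.flows[("10.0.0.7", "10.0.0.9", 51000, 443)]["bytes"]
```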
Network Forensics Challenges
Two attacks make network forensics more challenging:
IP Spoofing: Changing the source IP address in the header to that of a different machine and thus avoiding traceback. Countermeasures:
• Traceback by storing some data in the routers
• Traceback by adding some info in the packets
Stepping-Stone: The attack flow may travel through a chain of stepping stones (intermediate hosts) before it reaches the victim. Countermeasure:
• Time-based sampling and matching
The end
