Cyber Forensics

Computers are one of the largest advances in human technology and have become an integral part of life.  Sadly, like many other advances in technology, people use them for immoral purposes, so digital forensics is needed to determine what people have and have not done on a computer.

Introduction

Since it is a recent field and the technology is constantly evolving, not many people understand how to handle digital evidence.  Some colleges offer courses in security, but it is not a standard part of computer science.  In addition to the few colleges that do offer security courses, several vocational-technical schools offer training in cybersecurity and digital forensics.  One of the difficulties with education in digital forensics is that there are not many people who have training or experience.  This poses a problem because lawyers will call the evidence invalid if the methods used in handling and collection do not ensure data integrity.

The first thing that matters is how the evidence is collected.  The methods used depend on whether the computer is on or off.  In the past, the first thing to do after finding a computer was to de-power it, to protect the data from time bombs or active deletion: if the suspect had set up his computer to delete incriminating data at a certain time or when predefined conditions were not met, or if he knew that his computer was about to be seized and was running software to clean it, de-powering would prevent the data from being lost.  With the changes in technology and hard drive encryption techniques, it is now recommended that the computer be left on.  With the way modern hard drive encryption is set up, if the computer is shut down it is possible that the only key to the encryption existed only on the live system, and then the data will be nearly impossible to recover.  If the computer is off, it should not be powered up; that way any programs that might damage the data cannot run, and no one can claim that the evidence was planted on the defendant's computer.

Another important requirement for ensuring the integrity of the evidence is to make sure there is a backup of the evidence and that the original is unmodified.  Most of the software packages used in digital forensics guarantee that the original data will be unmodified.  Some of the software will make a copy of a live computer[1].  Most digital forensics toolkits can easily make a backup of a hard drive if the hard drive is not in use by the computer.  Also, there are hardware tools (write blockers) that force the hard drive to be read-only so that it is impossible to modify the data.

When creating backups and analyzing the data on a hard drive there can be issues depending on what steps the suspect has taken to hide or secure the data.  The first thing that should be done in any event is to either use an exact copy or attach the drive so that it is read-only; that way the original data is preserved.  The simplest and easiest hard drive to retrieve data from is one with no security at all.  The next easiest is where the person only has a password to log in to the operating system and none of the data is encrypted[2].  To get that data the forensic scientist would only have to boot from a CD and copy the data to another hard drive, and then he could put that hard drive in another computer and analyze the data.
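The integrity check behind the two paragraphs above (image the drive, prove the original was not modified, and re-verify the working copy before analysis) as an added Python example; this is not code from the original essay, and the "seized drive" is a constructed byte string rather than a real block device.

```python
import hashlib
import io

BLOCK_SIZE = 512  # read in sector-sized blocks, as a dd-style imager would

# Constructed stand-in for the seized drive (a byte string, not a real device);
# in a live acquisition a device path such as the hypothetical /dev/sdb goes here.
SEIZED_DRIVE = bytes(range(256)) * 16 + b"notes.txt: meeting moved to 9\x00" * 8


def sha256_stream(data, block_size=BLOCK_SIZE):
    """Hash data block by block, as a large device is hashed without loading it whole."""
    digest = hashlib.sha256()
    reader = io.BytesIO(data)
    while chunk := reader.read(block_size):
        digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, block_size=BLOCK_SIZE):
    """Hash the original, copy it bit-for-bit, hash the original again, hash the copy.

    Returns the image bytes and an acquisition record.  'verified' is only true
    when all three digests agree: the copy is exact and the original was untouched.
    """
    before = sha256_stream(source, block_size)
    reader, image = io.BytesIO(source), io.BytesIO()  # source is only ever read
    while chunk := reader.read(block_size):
        image.write(chunk)
    image_bytes = image.getvalue()
    record = {
        "bytes_read": len(image_bytes),
        "original_sha256_before": before,
        "original_sha256_after": sha256_stream(source, block_size),
        "image_sha256": sha256_stream(image_bytes, block_size),
    }
    record["verified"] = before == record["original_sha256_after"] == record["image_sha256"]
    return image_bytes, record


def verify_image(image, expected_sha256):
    """Re-check a working copy against the acquisition record before analysing it."""
    return sha256_stream(image) == expected_sha256


if __name__ == "__main__":
    img, rec = acquire_image(SEIZED_DRIVE)
    print(rec)
    tampered = bytearray(img)
    tampered[100] ^= 0x01  # a single flipped bit in the working copy
    print("tampered copy verifies:", verify_image(bytes(tampered), rec["image_sha256"]))
```

The record is what goes into the chain-of-custody notes; any later copy that does not reproduce `image_sha256` is not evidence.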

The next easiest is if the user has encrypted the data under his username, so that when he is logged in he has access to his data and the key for the encryption is his login password.  Depending on the operating system, different tools extract the password file and crack it.  Most of the password cracking software is written for Linux systems.  The theory behind password cracking is that a password hash is compared to a table of hashes until a match is found.  A hash is a one-way encoded version of a password: it cannot be decoded back into the password, so candidate passwords are hashed and the results compared with the stored hash.

On a Windows system, the password hashes are stored in one file and the key needed to decode them in another: the SAM and SYSTEM files respectively.  Both files can be extracted and run through a cracking program to find the password.  Once the password is found, the computer can be logged into as the suspect and the encrypted data is accessible.

A tool that is used to extract the SAM file is samdump.  The output of samdump is then run through a tool called bkhive.  After bkhive has been run, the output can be used in a password-cracking program like John the Ripper to find the password.  John the Ripper is a hybrid password cracker; it mainly uses a brute-force guessing method.  Ophcrack uses rainbow tables to crack passwords more quickly.  Rainbow tables are precomputed tables used to look up passwords; the trade-off is the amount of storage needed for the table: there are small rainbow tables of a few hundred megabytes, but there are tables as large as ten gigabytes.  The most secure passwords are the longest passwords; with the power of modern computers, even with upper case and lower case letters, numbers, and symbols, a short password will be quick to crack no matter the method used.

The whole hard drive can be encrypted so that none of the data can be read without decrypting it.  There are two ways to read the data from an encrypted hard drive.  The first way is to have the key, which is unlikely since the person will probably not want his data to be read.  The other way is to break the encryption, but depending on the strength of the encryption that can take hours, days, or even months.  This is one of the safest ways to protect data but can still be defeated with enough time[3].

The other way that the whole hard drive can be encrypted is in hardware, using either a key within the firmware of the hard drive or a key within the motherboard.  These methods still have many of the same shortcomings as the other methods; one of the difficulties is how to manage authentication[4].  If all that is required is the presence of the hardware on the motherboard, then that does not protect the data at all.  Although there are issues with how to handle authentication, hardware encryption is still a very good method for protecting data: none of the data on the hard drive can be accessed until the key is found.

Once the actual data has been found and decrypted, the real analysis can be conducted.  The first and easiest thing to do is to look at the visible files, to see what data is stored on the hard drive and whether any of it is valid or useful.  If the visible data is not helpful, and there was certainly data that would be useful but it has been deleted, then the whitespace should be analyzed.

Whitespace is the area on a hard drive that the operating system reports as empty or available, but it can contain the data of deleted files.  The reason this happens is that when a file is deleted the operating system only marks a flag on the memory cells as blank; the cells still hold the data, and the only difference is the flag bit[5].  There are secure deletion utilities that will overwrite the memory cells, and eventually, as new data is added, the memory locations where the old data was stored will be written over.  Even if a memory cell has been written over, the data may still be recoverable; to be safe the data should be written over at least three times, and that is still not a one hundred percent guarantee.  Checking the whitespace for deleted files is another common function in forensics toolkits.  Once the program finishes the analysis of the whitespace it will normally show what files it found and whether whole files or only file fragments were recovered.  The recovered files can then be used to see what was deleted and what the user might have been trying to hide.

Another way to hide data without deleting it is called steganography.  Steganography is the science of hiding data so that only those who know about it can find it.  One of the common places to hide a file is within a picture.  A picture is a good file to hide data in because pictures can be large, so the extra size will go unnoticed, and depending on the file format there can be many unneeded bits in the file, which makes it even harder to tell whether another file is hidden inside.  Besides checking the whitespace, the visible files need to be checked for files hidden within them.  Checking for hidden files can take a very long time even with modern computers[6].
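Both checks above (carving deleted files out of whitespace, and looking inside a visible picture for a file hidden after its end marker) rest on the same idea: scan raw bytes for known file signatures regardless of what the file system says. The following Python is an added example, not code from the essay or from any toolkit it names; the signature table is a small subset of what real carvers use, and the disk data is constructed inline.

```python
# (header, footer) magic bytes for a few common formats; real carvers know hundreds.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
}


def carve(data):
    """Scan raw bytes (e.g. unallocated space) for header/footer pairs.

    Returns (kind, offset, length, complete) tuples sorted by offset.  A header
    with no footer is an incomplete fragment, as a partly overwritten file appears.
    """
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            end = data.find(foot, pos + len(head))
            if end == -1:
                hits.append((kind, pos, len(data) - pos, False))
                break
            hits.append((kind, pos, end + len(foot) - pos, True))
            pos = data.find(head, end + len(foot))
    return sorted(hits, key=lambda hit: hit[1])


def trailing_payload(file_bytes):
    """Report anything carved from a visible file after that file's own end marker.

    A second file appended past the footer is the simplest way of hiding one file
    inside another: the picture still displays, only its size gives it away.
    """
    hits = carve(file_bytes)
    if not hits:
        return []
    outer_end = hits[0][1] + hits[0][2]
    return [hit for hit in hits[1:] if hit[1] >= outer_end]


# Constructed sample data, not a real disk image: filler bytes that never form a
# signature, a deleted JPEG in free space followed by a truncated one, and a PNG
# with a ZIP archive appended after its IEND chunk.
def filler(n):
    return bytes(i % 251 for i in range(n))

FAKE_JPEG = SIGNATURES["jpeg"][0] + b"\xe0" + b"J" * 40 + SIGNATURES["jpeg"][1]
FAKE_PNG = SIGNATURES["png"][0] + b"P" * 30 + SIGNATURES["png"][1]
FAKE_ZIP = SIGNATURES["zip"][0] + b"Z" * 20 + SIGNATURES["zip"][1]
UNALLOCATED = filler(64) + FAKE_JPEG + filler(32) + FAKE_JPEG[:20]
PICTURE_WITH_PAYLOAD = FAKE_PNG + FAKE_ZIP
```

`carve(UNALLOCATED)` reports one complete JPEG and one fragment; `trailing_payload(PICTURE_WITH_PAYLOAD)` reports the ZIP sitting behind the PNG's IEND chunk.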

If the drive has been physically damaged and cannot be read by connecting it normally, and the data is extremely important, there is one thing that can be tried.  The process is extremely difficult and requires a second identical hard drive.  The damaged hard drive is opened and the 'platter' is removed and exchanged with the platter in the good hard drive.  The platter is the magnetic disk inside the hard drive where the data is stored.  The process is extremely delicate and it is possible that all the data could be lost.

The tools available for digital forensics are numerous and powerful.  There is almost no data that cannot be recovered using one of the available tools.  With enough time, the software can recover, crack, or break into any computer for the information needed.  Although the government uses forensics to track down cyber criminals, there are many other uses.  Large corporations sometimes need digital forensics: if they lose a valuable file, either by accident or by sabotage, they need to recover it.

Conclusion

No matter where digital forensics is employed, there is always the issue of legality.  Digital forensics can be a dangerous weapon for either side: it can be used to fight immorality, but it can also be used to further it.  Teaching someone how to track someone on a computer also teaches what to do to avoid being tracked, so without morality digital forensic techniques can be used to escape justice.

FAQs:

  • What is Cyber Forensics?
  • Why is Cyber Forensics important for us in today's world?
  • What is the SAM file?
  • What is the meaning of data mining and data carving?

References

  • Caloyannides, Michael A.  Privacy Protection and Computer Forensics.  Boston: Artech House, c2004.
  • Carrier, Brian.  Open Source Digital Forensics.  2007.  Accessed 10 November 2008.  <http://www.opensourceforensics.org/>
  • Mohay, George M.  Computer and Intrusion Forensics.  Boston: Artech House, c2003.
  • National Institute of Justice.  Electronic Crime Scene Investigation.  2001.  Accessed October 20, 2008.  <http://www.ncjrs.gov/pdffiles1/nij/187736.pdf>
  • Pan, Jeng-Shyang.  Intelligent Watermarking Techniques.  River Edge, N.J.: World Scientific, c2004.
  • remote-exploit.org.  Accessed 31 Oct. 2008.

[1] James Holley. Computer Forensics Market Survey. SC Magazine September 2000. Available at: http://www.scmagazine.com/scmagazine/2000_09/survey/survey.html

[2] Ibid.

[3] Brian Carrier. Defining Digital Forensics Examination and Analysis Tools. In Digital Research Workshop II, 2002. Available at: http://www.dfrws.org/dfrws2002/papers/Papers/Brian_carrier.pdf

[4] NIST. Computer Forensics Tool Testing. Available at http://www.cftt.nist.gov/

[5] Supra at 3.

[6] Supra at 4.
