TYPES OF COMPUTER FORENSICS TECHNIQUES

Cross-drive analysis
A forensic technique that correlates information found on
multiple hard drives.
Live analysis
• The examination of computers from within the operating
system using custom forensics or existing sysadmin tools to extract
evidence.
• The practice is useful when dealing with Encrypting File Systems,
before the computer is shut down.
Deleted files
• Modern forensic software have their own tools for recovering or
carving out deleted data
• Most operating systems and file systems do not always erase
physical file data, allowing investigators to reconstruct it from the
physical disk sectors.
• File carving involves searching for known file headers within the
disk image and reconstructing deleted materials.
• Stochastic forensics
A method which uses random properties of the computer system
to investigate activities lacking digital artifacts. Its chief use is to
investigate data theft.
• Steganography
One of the techniques used to hide data is via steganography,
the process of hiding data inside of a picture or digital image
• Volatile data
When seizing evidence, if the machine is still active, any
information stored solely in RAM that is not recovered before
powering down may be lost
INCIDENT AND INCIDENT RESPONSE
METHODOLOGY
 WHAT IS A COMPUTER SECURITY INCIDENT?
We define a computer security incident as any unlawful, unauthorized, or
unacceptable action that involves a computer system or a computer network.
Such an action can include any of the following events:
• Theft of trade secrets
• Email spam or harassment
• Unauthorized or unlawful intrusions into computing systems
• Embezzlement
• Possession or dissemination of child pornography
• Denial-of-service (DoS) attacks
• Tortious interference of business relations
• Extortion
 WHAT ARE THE GOALS OF INCIDENT RESPONSE?
• Prevents a disjointed, non cohesive response (which could be disastrous)
• Confirms or dispels whether an incident occurred
• Promotes accumulation of accurate information
• Establishes controls for proper retrieval and handling of evidence
• Protects privacy rights established by law and policy
• Minimizes disruption to business and network operations
• Allows for criminal or civil action against perpetrators
• Provides accurate reports and useful recommendations
• Provides rapid detection and containment
• Minimizes exposure and compromise of proprietary data
• Protects your organization’s reputation and assets
• Educates senior management
• Promotes rapid detection and/or prevention of such incidents in the future (via
lessons learned, policy changes, and so on)
 WHO IS INVOLVED IN THE INCIDENT
RESPONSE PROCESS?

• Human resources personnel, legal counsel, technical experts, security

professionals, corporate
• security officers, business managers, end users, helpdesk workers, and other
• employees may find themselves involved in responding to a computer security
incident
CSIRT- Computer Security Incident Response Team
1. CSIRT is to respond to any computer security incident.
2. The CSIRT is a multi disciplined team with the appropriate legal, technical, and
other expertise necessary to resolve an incident.
3. The CSIRT is normally a dynamic team assembled when an organization requires
its capabilities.
 INCIDENT RESPONSE METHODOLOGY

We use a “black box” approach. We divide the larger problem of incident

resolution into components and examine the inputs and outputs of each component.
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution
• Pre-incident preparation Take actions to prepare the organization and the CSIRT before an
incident occurs.
• Detection of incidents Identify a potential computer security incident.
• Initial response Perform an initial investigation, recording the basic details surrounding the
incident, assembling the incident response team, and notifying the individuals who need to
know about the incident.
• Formulate response strategy Based on the results of all the known facts, determine the best
response and obtain management approval. Determine what civil, criminal, administrative, or
other actions are appropriate to take, based on the conclusions drawn from the investigation.
• Investigate the incident Perform a thorough collection of data. Review the data collected to
determine what happened, when it happened, who did it, and how it can be prevented in the
future.
• Reporting Accurately report information about the investigation in a manner useful to
decision makers.
• Resolution Employ security measures and procedural changes, record lessons learned, and
develop long-term fixes for any problems identified.
 PREPARING FOR INCIDENT RESPONSE
The philosophy behind incident preparation is to create an infrastructure that
provides rapid answers to the questions you will have after an incident
occurs:

• What exactly happened?

• What system(s) was affected by the incident?

• What information was compromised?

• What files were created, modified, copied, or deleted?

• Who may have caused the incident?

• Who should you notify?

• What steps can you take to rapidly recover to normal businessprocedures?

 OVERVIEW OF PRE-INCIDENT PREPARATION

Preparing for incident response involves organization steps as well as

(CSIRT) preparation steps.

• Identify your corporate risk.

• Prepare your hosts for incident response and recovery.

• Prepare your network by implementing network security measures.

• Establish policies and procedures that allow you to meet your

incident response objectives.

• Create a response toolkit for use by the CSIRT.

• Create a CSIRT that can assemble to handle incidents.

 IDENTIFYING RISK
• What are your critical assets?

• What is their exposure?

• What is the threat?

Critical assets are the areas within your organization that are critical to the
continued success of the organization.
• Corporate reputation Do consumers choose your products and services in
part due to their confidence in your organization’s ability to keep their
data safe?
• Confidential business information Do you have critical marketing plans or
a secret product formula?
• Nonpublic personally identifiable information Do your information assets
house private individual data?
 PREPARING INDIVIDUAL HOSTS

So what can you do on each machine to implement a security measure?

Here are some steps that you can take to help any investigator respond
effectively:

• Record cryptographic checksums of critical files.

• Increase or enable secure audit logging.

• Build up your host’s defenses.

• Back up critical data and store media securely.

• Educate users about host-based security.

 PREPARING A NETWORK.
• There are many network-based security measures that you can take
to augment your incident response capability.
• In fact, network-based logging is absolutely essential, because there
are many cases in which network monitors are your only hope to
accumulate evidence. Therefore, network administrators play a
critical role during incident response.
• Network administrators are responsible for the network
architecture and topology, which you will need to understand in
order to answer questions such as, “What other systems are
affected?”
• Network administrators also manage devices such as firewalls,
routers, and intrusion detection systems, which you must access in
order to review critical log files.
• Network administrators may be asked to reconfigure these devices
to block certain traffic during incident response.
Network security actions include the following:
• Install firewalls and intrusion detection systems
• Use access control lists on routers
• Create a network topology conducive to monitoring
• Encrypt network traffic
• Require authentication
 CREATING A RESPONSE TOOLKIT

Regardless of the status of network, host, and policy preparation,

the CSIRT will need to be prepared to respond to incidents the

response toolkit is a critical

Component includes

1. the hardware,

2. software, and

3. documentation used during response

 The Response Hardware
• The forensic hardware platform uses full-size components, has
attachments for various external devices, and includes a network interface
card (NIC) as well as a CD-RW drive.
• This platform has proven durable and flexible during incident response,
and is able to handle a variety of applications and networks with ease.
Here are the hardware specifications we suggest:
• High-end processor
• A minimum of 256MB of RAM
• Large-capacity IDE drives( integrated development environment (IDE) )
• Large-capacity SCSI drives(Small Computer System Interface)
• SCSI card and controller
• A fast CD-RW drive
• 8mm exabyte tape drive
 Some other items that you may want to purchase ahead of
time include the following:

• Extra power extenders for • A permanent marker for labeling

peripherals such as drives and CDs
any gear that goes in your
• Jaz or Zip media
forensic tower
• Folders and folder labels for
• Extra power-extension cords
evidence
• Numerous SCSI cables and active
• Operating manuals for all your
terminators
hardware
• Parallel-to-SCSI adapters
• A digital camera
• Plenty of Category 5 cabling and
• Toolkit or Victorinox Cybertool
hubs
(which is all we need)
• Ribbon cables with more than
• Lockable storage containers for
three plugs
evidence (if you are on the road)
• Power strips
• Printer and printer paper
• An uninterruptible power supply
• Burn bags
(UPS)
• CD-Rs, 100 or more
• Labels for the CDs
 The Response Software
Many specific software tools are used during incident response to
investigate various operating systems and applications
The following is a list of the more generic software that forms the basis of any
software toolkit:
• Two to three native operating systems on the machine, such as Windows
98, Windows NT, Windows 2000, and Linux, all bootable via GRUB (a GNU
bootloader) or on a CD-ROM “ghost” image
• Safeback, EnCase, DiskPro, or another forensics software package, used to
re-create exact images of computer media for forensic-processing
purposes
• All the drivers for all of the hardware on your forensic machine (absolutely
necessary!)
• Selection of boot disks (DOS, EnCase, Maxtor, and so on)
• Quick View Plus or some other software that allows you to view nearly all
types of files
• Disk-write blocking utilities
• An image of the complete setup on backup media such as DVD
• The Networking Monitoring Platform
• Documentation
 ESTABLISHING AN INCIDENT RESPONSE TEAM
Deciding on the Team’s Mission
The mission of your CIRT may be to achieve all or most of the following:
• Respond to all security or suspected incidents using formal
investigative process.
• Conduct a complete investigation free from bias
• Quickly confirm whether an intrusion or security incident actually
occurred.
• Assess the damage and scope of an incident
• Establish a 24-hour, 7-day-a-week hotline for clients during the
duration of the investigation.
• Control and contain the incident /Collect and document all evidence
related to an incident.
• Maintain a chain of custody (protect the evidence after
collection).
• Select additional support when needed.
• Protect privacy rights established by law and/or corporate
policy.
• Provide liaison to proper law enforcement and legal
authorities.
• Maintain appropriate confidentiality of the incident to protect
the organization from unnecessary exposure.
• Provide expert testimony.
• Provide management with incident-handling
recommendations that are fully supported by facts
FORENSIC DUPLICATION
 FORENSIC DUPLICATES AS ADMISSIBLE EVIDENCE

What requirements need to be met by a tool investigation?

• The tool or process must ultimately provide you with evidence that may
be presented at a trial.

• There is a set of legal standards that define the minimum criteria to be

met for an item or writing to be admitted into evidence.

• Furthermore, due to the manner in which we obtain the data, the process
of collection also falls under scrutiny.

• In regard to forensic duplicates, the best evidence rule comes into play.

• This applies to any information on which the facts of the case or issues are
based
The rule, U.S. Federal
• Rules of Evidence (FRE) §1002, states that the item or information presented
in court must be the original. Fortunately for us, as with most rules governing
legal issues, there are always exceptions. Quite often, the originals themselves
cannot be obtained due to business needs. The exceptions relevant for our
purposes are defined in two rules:
• FRE §1001-3, Definitions and Duplicates: “If data are stored by computer or
similar device, any printout or other output readable by sight, shown to reflect
the data accurately, is an original.
• ”FRE §1003, Admissibility of Duplicates: “A duplicate is admissible to the
same extent as an original unless
(1) a genuine question is raised as to the authenticity of the original or
(2) in the circumstances it would be unfair to admit the duplicate in lieu of the
original.”
• This concept of representational accuracy allows investigators to gather
forensic duplicates, qualified forensic duplicates, mirror images, and to an
extent, logical copies of the computer and data storage systems involved.
• In this definition, we use “logical copy” to refer to the act of copying discrete
files from the logical file system onto media during the collection process.
 What Is a Forensic Duplicate?
What Is a Forensic Duplicate?
• A forensic duplicate is a file that contains every bit of
information from the source, in a raw bit stream
format.
Eg:A 5GB hard drive would result in a 5GB forensic
duplicate.
Two tools that create a forensic duplicate are
• the Unix dd command and
• dfcldd
Computer Forensics Lab version of the dd command
called dfcldd.
Another tool is the new, open-source Open Data
Duplicator(ODD)
What Is a Qualified Forensic Duplicate?
• A qualified forensic duplicate is a file that contains every bit of
information from the source, but may be stored in an altered
form. Two examples of altered forms are
• in-band hashes and
• empty sector compression.
in-band hashes
• Some tools will read in a number of sectors from the source, generate a
hash from that group of sectors, and write the sector group, followed by
the hash value to the output file.
• This method works very well if something goes wrong during the
duplication or restoration of the duplicate. If a sector group fails to match
the hash value generated for it, the restoration can continue, and the
analyst is aware that information from that sector group may be invalid. If
a similar situation occurred with a forensic duplicate file, the location of
the error may be unknown, possibly invalidating the entire duplicate.
Empty sector compression is a common method for minimizing the size of
the output file. If the tool comes across 500 sectors, all filled with zeros, it
will make a special entry in the output file that the restoration program
will recognize.
• Two tools that create qualified forensic duplicate output files are SafeBack
and EnCase.
 What Is a Restored Image?
• A restored image is what you get when you restore a
forensic duplicate or a qualified forensic duplicate to
another storage medium.
• The restoration process is more complicated than it
sounds.
• For example, one method involves a blind sector-to-
sector copy of the duplicate file to the destination hard
drive.
• If the destination hard drive is the same as the original
hard drive, everything will work fine. The information in
the partition table will match the geometry of the hard
drive. Partition tables will be accurate,
• If the geometries do not match The software would look
in the wrong location and give inaccurate results.
• Instead of forcing everyone to buy new motherboards with
updated BIOS code, they released software that emulated a
modern BIOS. a valid restored image. SafeBack, EnCase, and dd will
create a restored image from the qualified forensic duplicate.
• Depending on your method of analysis, EnCase and dd images may
not need to be restored.
• EnCase, the Forensic Toolkit, treats the images as virtual disks,
eliminating the need for restoration. Processing under Linux works
the same way, associating duplicate images to virtual devices.
What Is a Mirror Image?
• A mirror image is created from hardware that does a bit-for-bit
copy from one hard drive to another. Hardware solutions are very
fast, pushing the theoretical maximum data rate of the IDE or SCSI
interfaces
 FORENSIC DUPLICATION TOOL REQUIREMENTS
The tool must have the ability to image every bit of data on the storage medium.

The tool must create a forensic duplicate or mirror image of the original storage medium.

The tool must handle read errors in a robust and graceful manner.

If a process fails after repeated attempts, the error is noted and the imaging process continues.

A placeholder may be put in the output file with the same dimensions as the portion of the input
with errors.

The contents of this placeholder must be documented in the tool’s documentation.

The tool must not make any changes to the source medium.

The tool must have the ability to be held up to scientific and peer review.

Results must be repeatable and verifiable by a third party, if necessary.

Action and error logs are vitally important as well. The more information logged by the tool
during operation, the easier your job will be when you document the process.
 CREATING A FORENSIC DUPLICATE OF A HARD DRIVE

• The most common tools used for obtaining a true forensic duplicate are built to
run in a Unix operating environment.

• One tool, dd, is part of the GNU software suite. This was improved upon by
programmers at the DoD Computer Forensics Lab and re-released as dcfldd.

• The command-line parameters for dd and dcfldd are nearly identical, and the core
data transfer code has not been altered.

• If your team has validated the operation of dd, very little work will be required to
validate the new features.

• Another tool that we will look at here is the Open Data Duplicator

• One of the strong points of this new Unix tool is that it allows an investigator to
perform multiple functions as the image is being created
 Duplicating with dd and dcfldd
Duplicating with dd and dcfldd
• The dd utility is the most reliable tool for creating a true forensic
duplicate image. As long as the operating system kernel (Linux,
Solaris, OSx, or FreeBSD) recognizes the storage medium, dd will
perform a complete, bit-for-bit copy of the original. The power
comes at a price, however. Other forensic duplication solutions
have safety measures built in that make it more difficult (but not
impossible) to confuse the source and destination of duplication
process. With dd, simply transposing a single character may destroy
evidence.
• Dd is a tool that you should be intimately familiar with before you
need to use it on a real investigation.
• Furthermore, you need to know how the Unix environment
addresses storage devices. dd’s close relative is dcfldd. This tool
adds a significant amount of functionality that satisfies the “old-
school” examiners’ preference for block-based hashes and a
progress indicator.
Creating Linux Boot Media
• Of all the methods that we are discussing in this
section, the preparation for duplication using Linux is
likely the most difficult. The effort is well worth it,
because it can be the most flexible boot environment
in your toolbox. The easy route is to start with a
precompiled version of Linux such as Tomsrtbt, Trinux,
or FIRE (Forensic and Incident Response Environment).
Once you have the basic package up and running, you
can disassemble the packages and add your own
binaries, such as dcfldd.
 Performing a Duplication with dd
In certain situations, duplications will be stored in a series of files that are sized to fit on a particular media
type(such as CDs or DVDs) or file system type (such as files under 2.1GB).
This is that we call a segmented image. The following is a bash shell script that will create a true forensic
duplicate of a hard drive and store the image on a local storage hard drive (for example, when you need to
duplicate a suspect drive on your forensic workstation).
#!/bin/bash
# Bash script for duplicating hard drives with dd
# Set source device name here
source=/dev/hdc
# Set output file name here
output_name=/mnt/RAID_1/dd_Image
# Set output file size here
output_size=2048k;
####
count=1
while (dd if=$source of=$output_name.$count bs=$output_size \
count=1 skip=$(($count-1)) conv=noerror,notrunc);
do printf "#"; count=$((count+1)); done
####
echo "Done. Verify the image with md5sum."
• Most commercial forensic packages will have the
ability to process a segmented image. If you are
processing in Linux, you can concatenate the
segments, or you can set up a software RAID
device to treat the segments as if they were one
large device. If you have no reason to split the
output file, it is much easier to perform multiple
functions in one pass. The following script will
create a true forensic duplicate and calculate an
MD5 sum of the entire drive in one pass over the
source hard drive.
 Duplicating with the Open Data Duplicator (ODD)

The Open Data Duplicator (ODD) is a new open-source tool.

This tool follows a client/ server model that allows the
investigator to perform forensic duplications on a number
of computer systems simultaneously over a local LAN. Of
course, both halves can be run on the same computer
system, so you can use the software on a single forensic
workstation.
Another ODD feature is its ability to perform additional
functions on the data as it is being processed.ODD includes
modules (plug-ins) that will calculate checksums and
hashes, perform string searches, and extract files based on
the file headers.
• There are three portions of the ODD package:
Bootable CD-ROMs These are similar to the
Trinux Linux distribution.
Server-side application The server will perform
most of the processing of the duplicate image,
including the calculation of hashes, string
searches, and the storage of the true forensic
duplication.
Client-side application This portion may be run
locally if you are duplicating drives on a forensic
workstation
• In the following example, we have installed
ODD on Red Hat Linux 7.3 and started the
ODD server application. The first screen asks
for the location of the ODD server. In
this example, we are running everything on the
same forensic workstation, so we can
choose Detect Server, as shown in Figure 7-1.
The second screen, shown in Figure 7-
2, shows the devices that were
detected by ODD.
• The next screen lists the processing options available on the server. The most important
items are the Image Store Plugin and Compressed Image Store Plugin options, which
will produce the true forensic duplicate image. We suggest using the Compressed Image
Store plug-in only if you are low on storage space. Compressing the duplicate image will
add extra steps to your analysis later, because most tools will not work on a compressed
image. In Figure 7-3, we have selected all of the plug-ins except for Compressed Image
Store. The included plug-ins are powerful tools that will save the analyst valuable time
during analysis. While the process is storing your forensic image, it can perform simple
string searches and extract certain types of files based on their file headers
Figure 7-4 shows the requested information for the Notes plug-in. Here, you supply
information such as the case number, the computer’s date and time, the actual date
and time, and the system description.
The Carv plug-in will extract a certain number of bytes from the incoming data
stream, based on file headers. For example, we have selected gif and jpg for extraction
in Figure 7-5. Once the duplication has completed, the carved files may be found in a
directory on the ODD server
• After you’ve set up your selected plug-ins, you
can begin the duplication process.
• You will see the progress bar slowly inch its
way across your screen.
• Another great feature of ODD is the inclusion
of profiles. These allow you to recall
• past configurations. This is useful if you have a
number of drives to duplicate from the
• same area or machine.
 CREATING A QUALIFIED FORENSIC
DUPLICATE OF A HARD DRIVE
• One of the first things that a beginning examiner must learn is to
never boot from the evidence drive. Many items on the evidence
media can be altered, starting from the moment the BIOS executes
the boot block on the hard drive. During the initial boot process, file
access timestamps, partition information, the Registry,
configuration files, and essential log files may be changed in a
matter of seconds.
• Imaging a system requires a clean operating environment. When
imaging drives using
• a DOS application, such as SafeBack or EnCase, this means that you
must create an MS
• DOS boot disk. Using MS DOS 6.22 or Windows 95/98, the following
command will format
• and copy the system files to a floppy
• C:\format a:\ /s
• There should be four files in the root directory of
the floppy. These files contain the
• code to get the computer running a minimal
operating system.
• Directory of A:\
• 05/11/2003 20:01 222,390 IO.SYS
• 05/11/2003 20:01 68,871 DRVSPACE.BIN
• 05/11/2003 20:01 93,880 COMMAND.COM
• 03/20/2003 17:49 9 MSDOS.SYS
• The first file processed by the computer is IO.SYS. The code in
IO.SYS loads the contents
• of MSDOS.SYS and begins to initialize device drivers, tests and
resets the hardware,
• and loads the command interpreter, COMMAND.COM. During the
process of loading
• device drivers, if a disk or partition connected to the machine uses
compression software, such as DriveSpace or DoubleSpace, IO.SYS
loads the DRVSPACE.BIN driver file. You do not want this to happen
when performing a forensic duplication. As the driver loads, it will
mount the compressed volume and present the operating system
with an uncompressed view of the file system. When it mounts the
compressed volume, it changes the time/date stamps on the
compressed file, which means that the evidence will be altered
 Creating a Qualified Forensic
Duplicate with SafeBack
• SafeBack, offered by New Technologies Inc. (NTI),
can make a qualified forensic duplicate
• of any hard drive that is accessible through a
system’s drive controllers, including ATA and SCSI
drives. Even devices accessed through a driver,
such as a PCMCIA hard drive, can be imaged
when the Direct Access option is not selected.
SafeBack is a small application that is designed to
run from a DOS boot floppy, so you will need to
have a clean DOS environment ready on a boot
floppy, as described in the previous section.
• Creating a duplicate of a computer system with
SafeBack is fairly straightforward.
• Figure 7-8 shows the initial startupscreen for SafeBack.
It offers four modes of operation:
• The Backup function produces a forensically sound
image file of the source media.
• The Restore function restores forensically sound image
files.
• The Verify function verifies the checksum values within
an image file.
• The Copy function performs the Backup and Restore
operations in one action.
• Figure 7-9 shows the SafeBack screen for selecting the
drive you wish to duplicate. The drive selection screen
shows the physical and logical drives that were
detected by SafeBack. Since the goal of the forensic
duplication is to obtain an exact bit-for-bit duplicate of
the original media, ignore the logical drive letters
completely. Ensure that the drive specifications match
the information that you recovered from the system’s
BIOS as well as the information from the physical drive
itself. Record any discrepancies that occur. Before
continuing past this point, make sure that SafeBack is
able to address the entire hard drive
Forensics Technology
Cyber forensics focuses on real-time, online evidence gathering rather than the
traditional offline computer disk forensic technology
Two distinct components exist in the emerging field of cyber forensics technology
The first, computer forensics, deals with gathering evidence from computer media
seized at the crime scene
Principal concerns with computer forensics involve imaging storage media, recovering
deleted files, searching slack and free space, and preserving the collected
information for litigation purposes. Several computer forensic tools are available to
investigators
• The second component, network forensics, is a more technically challenging
aspect of cyber forensics. It involves gathering digital evidence that is distributed
across large-scale, complex networks
• Often this evidence is transient in nature and is not preserved within permanent
storage media. Network forensics deals primarily with in-depth analysis of
computer network intrusion evidence, because current commercial intrusion
analysis tools are inadequate to deal with today’s networked, distributed
environments
 TYPES OF MILITARY COMPUTER
FORENSIC TECHNOLOGY
• Key objectives
• Discovery of evidence
• Estimation of potential impact of the
malicious activity on the victim
• Assessment of the intent and identity of the
perpetrator
• Real-time tracking of potentially malicious activity is especially difficult when the pertinent
information has been intentionally hidden, destroyed, or modified in order to elude discovery
• The information directorate’s cyber forensic concepts are new and untested. The directorate
entered into a partnership with the National Institute of Justice via the auspices of the National Law
Enforcement and Corrections Technology Center (NLECTC) located in Rome, New York, to test these
new ideas and prototype tools.
• The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership. This firstof-
• a-kind event represents a new paradigm for transitioning cyber forensic technology from military
research and development (R&D) laboratories into the hands of law enforcement.
• The experiment used a realistic cyber crime scenario specifically designed to exercise and show the
value added of the directorate-developed cyber forensic technology.
• The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent,
targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an
integrated forensic analysis framework.
• The execution of CFX-2000 required
• The development and simulation of a realistic,
• complex cyber crime scenario exercising conventional,
• R&d prototype,
• Cyber forensic tools
• The NLECTC assembled a diverse group of computer crime investigators from DoD and federal,
state, and local law enforcement to participate in the CFX-2000 exercise hosted by the New York
State Police’s Forensic Investigative Center in Albany, New York. Officials divided the participants
into three teams. Each team received an identical set of software tools and was presented with
identical initial evidence of suspicious activity.
• The objective of each team was to uncover several linked criminal activities from a maze of about
30 milestones that culminated in an information warfare crime (Figure 2.1) [1].
• The cyber forensic tools involved in CFX-2000 consisted of commercial off the- shelf software and
directorate-sponsored R&D prototypes.
• The Synthesizing Information from Forensic Investigations (SI-FI) integration environment,
developed under contract by Wet Stone Technologies, Inc,was the cornerstone of the technology
demonstrated. SI-FI supports the collection, examination, and analysis processes employed during a
cyber forensic investigation.
• The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamper proof
containers
• used to store digital evidence.
• Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on
complex investigations.
• Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions
ensures the continued integrity of their contents.
• The teams used other forensic tools and prototypes to
• Collect and analyze specific features of the digital evidence,
• Perform case management and timelining of digital events,
• automate event link analysis,
• Perform steganography detection.
• The results of CFX- 2000 verified that the hypothesis was
largely correct and that it is possible to ascertain the intent
and identity of cyber criminals. As electronic technology
continues its explosive growth, researchers need to
continue vigorous R&D of cyber forensic technology in
preparation for the onslaught of cyber reconnaissance
probes and attacks.
 TYPES OF LAW ENFORCEMENT
COMPUTER FORENSIC TECHNOLOGY
Computer forensics tools and techniques have
proven to be a valuable resource for law
enforcement in the identification of leads and
in the processing of computer related
evidence. Computer forensics tools and
techniques have become important resources
for use in internal investigations, civil lawsuits,
and computer security risk management
 TYPES OF BUSINESS COMPUTER
FORENSIC TECHNOLOGY
Types of business computer forensics
technology:
• Remote monitoring of target computers
• Creating trackable electronic documents
• Theft recovery software for laptops and PCs
• Basic forensic tools and techniques
• Forensic services available
Remote Monitoring of Target Computers
• Data Interception by Remote Transmission (DIRT)
from Codex Data Systems (CDS), Inc. [7] is a
powerful remote control monitoring tool that
allows stealth monitoring of all activity on one or
more target computers simultaneously from a
remote command center. No physical access is
necessary. Application also allows agents to
remotely seize and secure digital evidence prior
to physically entering suspect premises.
Creating Trackable Electronic Documents
• There are so many powerful intrusion detection
tools are available, In general, most of these tools
identify (including their location) unauthorized
intruders who access, download, and view these
tagged documents. The tools also allow security
personnel to trace the chain of custody and chain
of command of allwho possess the stolen
electronic documents.
Theft Recovery Software for Laptops and PCs
• If your PC or laptop is stolen, is it smart enough to tell you where it
is?
• What Is the Real Cost of a Stolen Laptop or PC?
• PC PhoneHomeTM is a software application that will track and
locate a lost or stolen PC or laptop anywhere in the world. It is easy
to install. It is also completely transparent to the user. If your PC
PhoneHome-protected computer is lost or stolen, all you need to
do is make a report to the local police. In other words, PC
PhoneHome is a transparent theft protection and recovery software
system that you install on your laptop or PC. Once installed, it sends
an stealth email message to your address every time the computer
connects to the Internet.
Basic Forensic Tools and Techniques
• Today, many computer forensics workshops have been created to
familiarize investigators
• and security personnel with the basic techniques and tools
necessary for a successful investigation of Internet and computer-
related crimes. So many workshops have been created that it is
beyond the scope of this chapter to mention them all. However,
throughout the book, a number of them will be mentioned in
detail.
• Workshop topics normally include: types of computer crime, cyber
law basics, tracing email to its source, digital evidence acquisition,
cracking passwords, monitoring computers remotely, tracking
online activity, finding and recovering hidden and deleted data,
locating stolen computers, creating trackable files, identifying
• software pirates, and so on.
Forensic Services Available
• Services include but are not limited to
• Lost password and file recovery
• Location and retrieval of deleted and hidden files
• File and email decryption
• Email supervision and authentication
• Threatening email traced to source
• Identification of Internet activity
• Computer usage policy and supervision
• Remote PC and network monitoring
• Tracking and location of stolen electronic files
• Honeypot sting operations
• Location and identity of unauthorized software users
• Theft recovery software for laptops and PCs
• Investigative and security software creation
• Protection from hackers and viruses (see sidebar, “Virus/Trojan/Worm Protection”)
This next section is intended to familiarize the computer
forensic investigator
with various methodologies and tools available to
perform a forensic examination of
a Research In Motion (RIM) wireless (BlackBerry) device.
The procedures and tools
presented here are by no means all encompassing but are
intended to elicit design of
custom tools by those more programmatically inclined.
The methods have been tested
using an Exchange Edition RIM pager and an Exchange
Edition RIM handheld.
 SECURITY AND WIRELESS
TECHNOLOGIES
There are two types of RIM devices within each
model class. The Exchange Edition is meant for
use in a corporate environment, while the
Internet Edition works with standard POP
email accounts. The Exchange Edition employs
Triple-DES encryption to send and receive, but
the Internet Edition communicates in clear
text. Neither employs an encrypted files
system.
• Relevance of RIM Computer Forensics
• A RIM device shares the same evidentiary value as any
other personal digital assistant (PDA). As the computer
forensics investigator may suspect of most file systems a
delete is by no means a total removal of data on the device.
However, the RIM’s always-on, wireless push technology
adds a unique dimension to forensic examination.
• Changing and updating data no longer requires a desktop
synchronization. In fact, a RIM device does not need a
cradle or desktop connection to be useful. The more time a
PDA spends with its owner, the greater the chance is that it
will more accurately reflect and tell a story about that
person. Thus, the RIM’s currently unsurpassed portability is
the examiner’s greatest ally.
Evidence Collection:
The first procedure of evidence collection violates
the computer forensic method by requiring the
investigator to record logs kept on the unit that
will be wiped after an image is taken. The logs
must be accessed on the original unit before the
programmer software development kit (SDK) tool
is applied. The logs are not accessed via the
standard user interface. Rather, they are
reviewed using the following hidden control
functions
• Gathering Logs
• The first procedure of evidence collection violates the computer forensic
method by requiring the investigator to record logs kept on the unit that
will be wiped after an image is taken. The logs must be accessed on the
original unit before the programmer software development kit (SDK) tool
is applied. The logs are not accessed via the standard user interface.
Rather, they are reviewed using the following hidden control functions.
• Imaging and Profiling
• An image should be taken of the file system as the very first step as long as
the logs are not required or a method of extracting the logs from the
image is developed. An image or bit-by-bit backup is acquired using an
SDK utility that dumps the contents of the Flash RAM into a file easily
examined with a hex editor. The Program Loader, which is used to perform
most of the inspection in addition to taking the image, will cause a reset
each time it is run. A reset can mean a file system cleanup. This means
that to get a partition table, you risk changing the file system and spoiling
the data.
• Evidence Review
• Two options are available for information review using the hex dump: manual review of the Hex file
using a hex editor and loading of the hex file into the BlackBerry SDK simulator for review. The hex
editor will provide access to the entire file system including deleted or dirty records indicated by
byte 3 of the file header. Using the SDK will assist in decoding dates on extant records
• The File System
• The RIM file system is abstracted to appear as a database to most available Application
Programming Interfaces (APIs) in order to simplify programming. This abstraction qualifies as a file
translation layer (FTL), hiding what is really a quite complicated system of file management. Under
the hood of your RIM device is a standard Flash RAM used to store all nonvolatile data.
• Flash is organized similarly to dynamic random access memory (DRAM) and has the 65 ns read
performance to match. However, write performance is slower by a factor of nearly 1000 times.
Writing flash is a binary AND or NAND, meaning each 1 in memory can be toggled to 0 but not back
again without an erasure. However, an erasure can only occur in blocks of 64 KB, while writing can
occur in any interval. An erasure costs more in terms of time than a write because of conditioning.
Conditioning means forcing every 1 to a 0 before resetting (erasing) all bits to 1 again in order to
prolong the life of the Flash RAM
• Data Hiding
• Data hiding is accomplished in several ways on a RIM device.
Hidden databases, partition gaps, and obfuscated data are but a
few. Presented here are a few ideas to get the computer forensics
investigator thinking in the right direction. Custom databases with
no icon in the Ribbon graphical user interface (GUI) are capable of
providing hidden data transport. A hacker may write a program that
utilizes a database accessible only through device synchronization.
The average user or uninformed investigator will never have
knowledge of the hidden database. For example, a database reader
can thwart such an attempt, as it will provide access to all
databases on a unit. Unfortunately, it will need to be installed on
the unit investigated for it to function.
 TYPES OF COMPUTER FORENSICS
SYSTEMS

Any product that can remotely be tied to network or computer security is quickly labeled as a
“forensics” system
The types of Computer forensics systems are:
• Internet security systems
• Intrusion detection systems
• Firewall security systems
• Storage area network security systems
• Network disaster recovery systems
• Public key infrastructure security systems
• Wireless network security systems
• Satellite encryption security systems
• Instant messaging (IM) security systems
• Net privacy systems
• Identity management security systems
• Identity theft prevention systems
• Biometric security systems
• Homeland security systems
 INTERNET SECURITY SYSTEMS

Internet security can provide a more secure solution, as

well as one that is faster and less expensive than
traditional solutions to security problems of employees
photocopying proprietary information, faxing or
mailing purchase orders, or placing orders by phone.
• General Internet Security Principles and Architecture
• The first step in defining a corporate Internet security
policy is to draft a high-level management policy
statement establishing a framework and context for
security within an organization
• This policy needs to define the adequate and
appropriate Internet security measures necessary
to safeguard a company’s systems, networks,
• transactions, and data.
• The next step is to start a systematic analysis of
the assets of an organization, determining the
value of information, or the possible damage to
reputation should it be disclosed, along with
possible risks
1. Information such as trade secrets, vault and
authorization codes, and lock and key
information are clearly of a mission critical
nature
2. Departmental information is typically data that is
private to a particular department, such as
payroll information in finance and medical
records in personnel. There may be legal
requirements for securing this information .
3. Company private information varies from
company to company but typically consists of
information that should only be disclosed to
employees and partners of a company, such as
policy and procedure manuals
4. Public information is information such as
product literature, brochures, and catalogs that
needs to be freely available to anyone, but
whose integrity needs to be assured to prevent
unauthorized alteration.
• establishing a corporate Internet security
policy
• involves the following:
• High-level management policy statement
• Systematic analysis of organizations assets
• Examination of risks
• Develop implementation strategy
• Public and Private Key Encryption
• For many business and electronic commerce applications, it is
necessary to transmit information over communications lines and
networks where there is the potential for data to be altered, forged,
or illicitly introduced. A powerful technique for securely sending
information is public key encryption or public
• key infrastructure (which will be covered in detail later in the
chapter).
• Two keys exist, one public, the other private.
• The public key is freely distributed and is used to encrypt the
information to be sent.
• The private key is retained by the recipient and is used to decrypt
the received information
Secure Payment Solutions
Authorization:
Controlling Access
Authenticated Access

Security Futures: Smart Cards

Stored value card

Health care
Access control in offices and hotels
Contactless tickets for ski resorts and airlines
 INTRUSION DETECTION SYSTEMS

• Intrusion Detection Defined

• Intrusion detection systems help computer systems prepare for and deal with
attacks. They accomplish this goal by collecting information from a variety of
system and network sources and then analyzing the information for symptoms of
security problems.
• Intrusion detection systems perform a variety of functions:
• Monitoring and analysis of user and system activity
• Auditing of system configurations and vulnerabilities
• Assessing the integrity of critical system and data files
• Recognition of activity patterns reflecting known attacks
• Statistical analysis of abnormal activity patterns
• Operating system audit trail management, with recognition of user activity
reflecting
• policy violations
• Some systems provide additional features, including
• Automatic installation of vendor-provided software patches
• Installation and operation of decoy servers to record information about intruders
• What Intrusion Detection Systems and Related Technologies Can and Cannot Do
• Every new market suffers from exaggeration and misconception. Some of the claims made in marketing materials
are reasonable and others are misleading. Here is a primer on how to read intrusion detection marketing literature
• Realistic Benefits
• Unrealistic Expectations
• Realistic Benefits
• First of all, intrusion detection systems (IDSs) can lend a greater degree of integrity to the rest of your security
infrastructure
• Second, intrusion detection systems can also make sense of often obtuse system information sources, telling you
what’s really happening on your systems
• Third, intrusion detection systems can also trace user activity from the point of entry to the point of exit or impact
• Fourth, intrusion detection systems can recognize and report alterations to data files
• Fifth, intrusion detection systems can also spot errors of your system configuration that have security implications,
sometimes correcting them if the user wishes.
• Sixth, intrusion detection systems can recognize when your system appears to be subject to a particular attack
• Seventh, intrusion detection systems can relieve your system management staff of the task of monitoring the
Internet, searching for the late hacker attacks
• Eighth, intrusion detection systems can make the security management of your systems by nonexpert staff
possible
• Finally, intrusion detection systems can provide guidelines that assist you in the vital step of establishing a security
policy for your computing assets
• Unrealistic Expectations
• First, intrusion detection systems are not silver bullets
• Second, intrusion detection systems cannot compensate for weak identification and authentication
mechanisms
• Third, intrusion detection systems cannot conduct investigations of attacks without human
intervention
• Fourth, intrusion detection systems cannot intuit the contents of your organizational security
policy.
• Fifth, intrusion detection systems cannot compensate for weaknesses in transmission control
protocol (TCP)/IP, and many other network protocols do not perform strong authentication of host
source and destination addresses
• Sixth, intrusion detection systems cannot compensate for problems in the quality or integrity of
information the system provides
• Seventh, intrusion detection systems cannot analyze all of the traffic on a busy network.
• Eighth, intrusion detection systems cannot always deal with problems involving packet-level attacks
• Finally, intrusion detection systems cannot deal with modern network hardware and features.
 FIREWALL SECURITY SYSTEMS

• Firewall Defined
• A firewall is a system or group of systems that enforces an access control
policy between two networks. The actual means by which this is
accomplished varies widely, but in principle, the firewall can be thought of
as a pair of mechanisms: one that blocks traffic and one that permits
traffic. it implements an access control policy.
• A firewall system can be a router, a personal computer, a host, or a
collection of hosts, set up specifically to shield a site or subnet from
protocols and services that can be abused from hosts outside the subnet
• The Reason for Firewalls
• The general reasoning behind firewall usage is that without a firewall, a
subnet’ systems are exposed to inherently insecure services such as
Network File Syste (NFS) or Network Information Service (NIS) and to
probes and attacks from host elsewhere on the network.
• The Need For Firewalls
• Data Integrity: Absolute verification that data has not been modified
• Confidentiality: Privacy with encryption, scrambled text
• Authentication: Verification of originator on contract
• Non-Repudiation: Undeniable proof-of-participation
• Availability: Assurance of service demand
• Benefits of Firewalls
• The following are the primary benefits of using a firewall:
• Protection from vulnerable services
• Controlled access to site systems
• Concentrated security
• Enhanced privacy
• Logging and statistics on network use and misuse
• Policy enforcement
• Limitations of Firewalls
• Firewalls can’t protect against attacks that don’t go through the firewall
• Another thing a firewall can’t protect you against is traitors or idiots inside your network.
• A firewall opens communications channels between two networks and has no control over what
users choose to transmit using these channels
 STORAGE AREA NETWORK SECURITY
SYSTEMS
• disaster recovery services used storage area
networks (SANs) to restore thousands of
terabytes of business data and get hundreds of
companies running
• As distasteful as the idea might be, with disaster
comes opportunity, and the disasters
• of September 11, 2001, provided a good
opportunity for storage networks to show their
value by providing critically important business
continuity. Rarely has technology demonstrated
its value in a more demanding environment.
• Storage Area Network Overview
• SANs are a relatively new methodology for attaching storage, whereby a separate
network (separate from the traditional LAN) connects all storage and servers. This
network would be a high-performance implementation, such as a fiber channel,
that encapsulates protocols such as a small computer system interface (SCSI).
These are more efficient at transferring data blocks from storage and have
hardware implementations offering buffering and delivery guarantees. This is not
available using TCP/IP
• SAN Benefits
• A SAN provides a perfect environment for clustering that can extend to dozens of
servers and storage devices—all the while having redundant links in a fibre
channel fabric. Servers will continue to function because their data is still available
through the SAN, even if storage devices fail during an NDR.
• Centralized Management
• Scalability
• A storage area
• Reliability
• Performance
• SANs promise the ability to make any-to-any connections among
multiple Servers and storage devices. They can create a shared
“pool” of storage that can be accessed by multiple servers through
multiple paths, resulting in higher availability— especially during a
network disaster recovery (NDR). SANs also promise to simplify
backup procedures. Tape subsystems could still be shared among
numerous servers during backups—all transparent to the user. In
other words, SANs allow distributed servers to access a large
centralized storage
• subsystem for data-sharing applications during an NDR. Devices
could also be distributed throughout a campus yet managed from a
central point though a single management tool. Since devices can
be added or reconfigured transparently with location flexibility,
scaling the SAN will be easy.
 NETWORK DISASTER RECOVERY
SYSTEMS
• How would your company respond in the
event of a network disaster or emergency?
Network disaster recovery (NDR) is the ability
to respond to an interruption in network
services by implementing a disaster recovery
plan to restore an organization’s critical
business functions
• Many companies see their disaster recovery efforts as
being focused primarily on their IT departments. IT
• people are in the lead in sponsoring and managing
their disaster recovery plans, and relatively few
companies involve line-of-business staff and partners
in designing and testing such plans at all
• Larger companies (those with $20 million or more in
annual revenues) are more likely than smaller
companies
• to prepare for events such as hardware component
failure versus natural disasters and accidental
employee-initiated outages.
• A majority of companies indicate they review their NDR
plans every quarter
• A few businesses are showing increased interest in testing
their NDR plans more often than they have in the
• past.
• Most companies believe they don’t have to worry about
being offline for long. Most companies have their mission-
critical systems back up within 24 hours
• Large companies, certainly, have more incentive to plan
and test more completely; as well as the resources to do
• so, but even smaller companies have given at least some
thought to the problem
 PUBLIC KEY INFRASTRUCTURE
SYSTEMS
• PKI Defined
• A PKI enables users of an insecure public network such as the Internet to
securely and privately exchange data through the use of a public and a
private cryptographic key pair that is obtained and shared through a
trusted authority
• PKI is the underlying technology that provides security for the secure
sockets layer (SSL) and hyper text
• transfer protocol secure sockets (HTTPS) protocols, which are used
extensively to conduct secure e-business over the Internet.
• A PKI consists of
• A certificate authority that issues and verifies digital certificates
• A registration authority that acts as the verifier for the certificate
authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their public keys) are
held
• A certificate management system
 WIRELESS NETWORK SECURITY
SYSTEMS
• Overview of Wireless Network Security
• To date, most wireless attacks have happened outside the U.S., in
markets where wireless devices are more widely used.
Nevertheless, one virus that did hit U.S. handhelds was known as
the liberty virus. Some PDA users received what they thought was a
program that would allow them to play a certain game for free, but
when they double-clicked on the link, it launched a virus that
erased all the data on the devices
• Nevertheless, more serious problems have occurred overseas in the
form of viruses and malicious code that forced phones to dial
particular numbers, intercepted transmissions, and stole data. One
virus was distributed in Scandinavia as a short message. The virus
rendered the buttons useless when a user received the message. In
order to get their phones fixed, users had to take them in to their
service providers
• New types of malicious code have been written that force wireless
devices to make phone calls, because many of them also have
telephony capabilities.The threat of data theft, perhaps, is more
alarming to businesses. In order to prevent the interception of
information as it’s being transmitted, all wireless transmission
standards have security built in, but they’re known to be fallible.
The developers of standards such as the wireless application
protocol (WAP) and the wireless LAN 802.11b standard have
included encryption technology designed to head off the threat of
“sniffing.
• sniffing is an inherent problem in wireless. Sniffers must have
access to physical parts of the network in order to break into the
wired world. The problem is that with wireless, they don’t even
have to be in the network. They can be in a van outside with a
transmitter.
• As devices develop more capabilities, these threats are expected to grow more serious and
frequent. Typically, you should look to the past to predict the future
• The Computer Emergency Response Team (CERT) Coordination Center is currently undertaking the
initiative to devise a comprehensive classification of computer incidents as part of the design of
common incident data format and exchange procedures. Unfortunately, their results are not yet
available. Thus, as of this writing, there have been no attempts to formally classify DDoS defense
systems, although similar works exist in the field of intrusion detection systems

• One benefit of the development of DDoS classifications has been to foster easier cooperation
among researchers on DDoS defense mechanisms. Attackers cooperate to exchange attack code
and information about vulnerable machines and to organize their agents into coordinated wireless
networks to achieve immense power and survivability. The Internet community must be equally
cooperative to counter this threat. Good classifications for DDoS attack and defense mechanisms
will facilitate communications and offer the community a common language to discuss their
solutions. They will also clarify how different mechanisms are likely to work in concert and identify
areas of remaining weakness that require additional mechanisms. Similarly, the research
community needs to develop common metrics and benchmarks to evaluate the efficacy of DDoS
defense mechanisms, and good classifications can be helpful in shaping these tasks, as well.
 SATELLITE ENCRYPTION SECURITY
SYSTEMS
• The boom in satellite communications is changing the way we work and live, but it is becoming a
security nightmare for those organizations and governments whose survival depends on the
protection of intellectual property distribution, electronic commerce, electronic battlefields and
national security. The ability to securely exchange information between billions of users around the
globe involving perhaps trillions of transactions is vital to the continued growth and usefulness of
satellite communications as well as the Internet and intranets
• This section shows how governments and organizations around the world can use satellite
encryption to help preserve vital national secrets, limit attacks on a nation’s information
infrastructure, and eliminate security and authentication obstacles to electronic commerce.
Specifically, this part of the chapter provides a brief
• overview of current satellite encryption technology, the threat from the Internet, encrypted
satellite data transmitting (downlink) and receiving (uplink), and encryption cracking
• Current and Future Satellite Technology
• High-Tech Mayhem
• High-Tech Highwaymen
• Prevention versus Detection
• Odd Person Out Attacks
 INSTANT MESSAGING (IM) SECURITY
SYSTEMS
• The security threats from IM are straightforward. Since deployment isn’t
controlled, the enterprise can’t keep a rein on how the systems are used. With the
public IM networks, the individual employee registers for service. If the employee
leaves a company, the firm has no (technology-based) way to prevent him from
continuing to use the account, or from continuing to represent himself as still
working for the company
• without additional tools, the company has no way of archiving IM messages for
legal or regulatory purposes, or of monitoring and controlling the content of
messages to filter for inappropriate communications.
• There are the obvious holes that IM opens up on the corporate network. Each of
the IM networks uses a well-known port that must either be left open on the
corporate firewall to allow traffic in or closed, which, at least in theory, bans that
service to end users
• Securing IM
• Certainly the latter option has some appeal: 34% of all companies simply block all
IM traffic according to industry analysts. One downside to this strategy is that
because workers find IM useful, blocking it isn’t popular or necessarily even a good
business move.
• NET PRIVACY SYSTEMS
• IDENTITY MANAGEMENT SECURITY SYSTEMS
• BIOMETRIC SECURITY SYSTEMS
• While a biometric is the actual characteristic or trait, a biometric system is the computer hardware
and software used to recognize or verify an individual. Although there are many variations in how
specific products and systems work, there are a number of common processing elements.
• Collection
• Extraction
• Comparison and Matching
• HOMELAND SECURITY SYSTEMS
• Homeland Security Defined
• The terms homeland security and homeland defense have received increased attention since the
tragic events of September 11, 2001. While these terms are relatively new, the concepts behind
them are not. Homeland security is defined as the deterrence, prevention, and preemption of and
defense against aggression targeted at
• U.S. territory, sovereignty, population, and infrastructure as well as the management of the
consequences of such aggression and other domestic emergencies.