COMPUTER FORENSIC
Unit Structure
1.0 Objective
1.1 Introduction to Computer Forensic:
1.2 Standard Procedure
1.2.1 Preparing a Computer Investigation
1.2.2 Taking a Systematic Approach
1.2.2.1 Assessing the Case
1.2.2.2 Planning Your Investigation
1.2.2.3 Securing Your Evidence
1.2.3 Procedures for Corporate High-Tech Investigations
1.2.3.1 Employee Termination Cases
1.2.3.2 Internet Abuse Investigations
1.2.3.3 E-mail Abuse Investigations
1.2.3.4 Attorney-Client Privilege Investigations
1.2.3.5 Media Leak Investigations
1.2.3.6 Industrial Espionage Investigations
1.2.4 Conducting an Investigation
1.2.5 Completing the Case
1.3 Incident Verification and System Identification
1.4 Recovery of Erased and damaged data (Data Acquisition)
1.4.1 Data Encryption and Compression
1.4.2 Storage Formats for Digital Evidence
1.4.3 Determining the Best Acquisition Method
1.4.4 Contingency Planning for Image Acquisitions
1.4.5 Using Acquisition Tools
1.4.6 Validating Data Acquisitions
1.4.7 Using Remote Network Acquisition Tools munotes.in
Cyber forensics
1.5 Disk Imaging and Preservation
1.6 Automated Search Technique
1.7 Forensic Software (Computer Forensic Tools)
1.7.1 Types of Computer Forensic Tools
1.7.2 Tasks performed by Computer Forensic tools.
1.8 Summary
1.9 Questions
1.10 References
1.0 OBJECTIVE
This chapter will help you understand the following concepts:
Standard Procedure for computer forensic
Bit Stream copy or forensic copy
Procedures for Corporate High-Tech Investigations
Data Acquisition
Computer forensic Tools
1.1 INTRODUCTION TO COMPUTER FORENSIC:
Computer forensics involves obtaining and analyzing digital
information for use as evidence in civil, criminal, or administrative
cases.
The Fourth Amendment to the U.S. Constitution (and each state’s
constitution) protects everyone’s right to be secure in their person,
residence, and property from search and seizure.
Note also that computer forensics differs from data recovery, which
involves recovering data from a computer that was deleted by mistake
or lost during a power surge.
There are two kinds of evidence: inculpatory (in criminal cases, the
expression is "incriminating") and exculpatory (in which the suspect
might be cleared).
Investigators often examine a computer disk not knowing whether it
contains evidence.
1.2 STANDARD PROCEDURE
The standard procedure for conducting computer forensics involves the
following five major tasks:
1. Preparing a computer investigation
2. Taking a systematic approach
3. Procedures for corporate high-tech investigations
4. Conducting an investigation
5. Completing the case
1.2.1 Preparing a Computer Investigation
A computer forensics professional's role is to gather evidence from a
suspect's computer.
Upon discovering evidence that a crime or policy violation has been
committed, you begin preparing an investigation.
In this process, the suspect's computer is investigated and the evidence
is preserved.
The first step in conducting an investigation is to follow a standard
procedure.
By approaching each case systematically, you can evaluate the
evidence carefully and document the chain of evidence, or chain of
custody, which is the route the evidence takes from the time you find it
until the case is closed or goes to court.
There can be two types of cases that you might be investigating: one
involving a computer crime and another involving a company policy
violation.
Computers and computer components are often found by law
enforcement officers as they investigate crimes.
The lead detective on the case wants you to examine the computer to
find and organize data that could be evidence of a crime.
Companies regularly establish policies for employee use of computers.
Company time can be wasted when employees surf the Internet, send
personal e-mail, or use company computers during work hours.
Computer forensics specialists are often hired to investigate policy
violations because lost time can cost companies millions of dollars.
1.2.2 Taking a Systematic Approach
When preparing a case, you can apply standard systems analysis steps,
explained in the following list, to problem-solving.
Make an initial assessment about the type of case you are
investigating—Assess the type of case you are handling by talking to
those involved and asking questions. Have law enforcement (police) or
company security officers already seized the computer, disks, and
other components? Do you need to visit an office or another location?
Was the computer used to commit a crime, or does it contain evidence
about another crime?
Determine a preliminary design or approach to the case—Outline
the general steps you need to follow to investigate the case. If the
suspect is an employee and you need to acquire his or her system,
determine whether you can seize the computer during work hours or
have to wait until evening or weekend hours. If you’re preparing a
criminal case, determine what information law enforcement officers
have already gathered.
Create a detailed checklist—Refine the general outline by creating a
detailed checklist of steps and an estimated amount of time for each
step. This outline helps you stay on track during the investigation.
Determine the resources you need—Based on the OS of the
computer you’re investigating, list the software you plan to use for the
investigation, noting any other software or tools you might need.
Obtain and copy an evidence drive—In some cases, you might be
seizing multiple computers along with Zip disks, Jaz drives, CDs, USB
drives, PDAs, and other removable media. Make a forensic copy of the
disk.
Identify the risks—List the problems you normally expect in the type
of case you’re handling. This list is known as a standard risk
assessment. For example, if the suspect seems knowledgeable about
computers, he or she might have set up a logon scheme that shuts
down the computer or overwrites data on the hard disk when someone
tries to change the logon password.
Mitigate or minimize the risks—Identify how you can minimize the
risks. For example, if you are working with a computer on which the
suspect has likely password protected the hard drive, you can make
multiple copies of the original media before starting. Then if you
destroy a copy during the process of retrieving information from the
disk, you have additional copies.
Test the design—Review the decisions you’ve made and the steps
you’ve completed. If you have already copied the original media, a
standard part of testing the design involves comparing hash values to
ensure that you copied the original media correctly.
Analyze and recover the digital evidence—Using the software tools
and other resources you’ve gathered, and making sure you’ve
addressed any risks and obstacles, examine the disk to find digital
evidence.
Investigate the data you recover—View the information recovered
from the disk, including existing files, deleted files, and e -mail, and
organize the files to help prove the suspect’s guilt or innocence.
Complete the case report—Write a complete report detailing what
you did and what you found.
Critique the case—Self-evaluation is an essential part of professional
growth. After you complete a case, review it to identify successful
decisions and actions and determine how you could have improved
your performance.
1.2.2.1 Assessing the Case
In the company-policy violation case, you have been asked to investigate
Raju. Daya from the IT Department seized all of Raju’s storage media that
might contain information about his whereabouts. After talking to Raju’s
co-workers, Daya learned that Raju has been conducting a personal
business on the side using company computers. Therefore, the focus of the
case has changed from a missing person to a possible employee abuse of
corporate resources.
You can begin assessing the company policy violation case as follows:
Situation—For example, an employee abuse case.
Nature of the case—Side business conducted on the employer’s
computer.
Specifics of the case —The employee is reportedly conducting a side
business on his employer’s computer that involves registering domain
names for clients and setting up their Web sites at local ISPs.
Co-workers have complained that he has been spending too much time on
his own business and not performing his assigned work duties.
Company policy states that all company-owned computing assets are
subject to inspection by company management at any time. Employees
have no expectation of privacy when operating company computer
systems.
Type of evidence—Small-capacity USB drive.
Operating system—Microsoft Windows XP.
Known disk format—FAT16.
Location of evidence—One USB drive recovered from the
employee’s assigned computer.
1.2.2.2 Planning Your Investigation
As soon as you have identified the requirements of the Domain Name
case, you can plan your approach. You have already determined the kind
of evidence you need; now you can identify the specific steps to gather the
evidence, establish a chain of custody, and perform the forensic analysis.
Most of these steps are listed below:
1. Acquire the USB drive from Raju’s manager.
2. Complete an evidence form and establish a chain of custody.
3. Transport the evidence to your computer forensics lab.
4. Place the evidence in an approved secure container.
5. Prepare your forensic workstation.
6. Retrieve the evidence from the secure container.
7. Make a forensic copy of the evidence drive (in this case, the USB
drive).
8. Return the evidence drive to the secure container.
9. Process the copied evidence drive with your computer forensics tools.
To document the evidence, you record details about the media, including
who recovered the evidence and when and who possessed it and when.
Use an evidence custody form, also called a chain-of-evidence form,
which helps you document what has and has not been done with the
original evidence and forensic copies of the evidence.
An evidence custody form usually contains the following information:
Case number: Number the organization assigns when an investigation
is initiated.
Figure 1.1: A sample multi-evidence form used in a corporate
environment.
Investigating organization: The name of the organization. In large
corporations with global facilities, several organi zations might be
conducting investigations in different geographic areas.
Investigator: The name of the investigator assigned to the case. If
many investigators are assigned, specify the lead investigator’s name.
Nature of case: A short description of the case. For example, in the
corporate environment, it might be “Data recovery for corporate
litigation” or “Employee policy violation case.”
Location evidence was obtained: The exact location where the
evidence was collected. If we’re using multi-evidence forms, a new
form should be created for each location.
Description of evidence: A list of the evidence items, such as “hard
drive, 20 GB” or “one USB drive, 128 MB.” On a multi-evidence
form, write a description for each item of evidence we acquire.
Vendor name: The name of the manufacturer of the computer
evidence.
Model number or serial number: List the model number or serial
number (if available) of the computer component. Many computer
components, including hard drives, memory chips, and expansion slot
cards, have model numbers but not serial numbers.
Evidence recovered by: The name of the investigator who recovered
the evidence. The chain of custody for evidence starts with this
information. The person placing his or her name on this line is
responsible for preserving, transporting, and securing the evidence.
Date and time: The date and time the evidence was taken into
custody. This information establishes exactly when the chain of
custody starts.
Evidence placed in locker: Specifies which approved secure
container is used to store evidence and when the evidence was placed
in the container.
Item #/Evidence processed by/Disposition of evidence/Date/Time:
When we or another authorized investigator retrieves evidence from
the evidence locker for processing and analysis, list the item number
and the name, and then describe what was done to the evidence.
Page: The forms used to catalog all evidence for each location should
have page numbers. List the page number, and indicate the total
number of pages for this group of evidence.
A single-evidence form lists only one piece of evidence per page.
This form gives more flexibility in tracking separate pieces of evidence for
the chain-of-custody log. It also has more space for descriptions, which is
helpful when finalizing the investigation and creating a case report. With
this form, we can accurately account for what was done to the evidence
and what was found. Use evidence forms as a reference for all actions
taken during the investigative analysis.
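The custody form above is a paper record; the same fields can be kept as a structured record whose processing log is append-only and can be checked for gaps. The following is an added example, not part of the original text and not the form used by any organization; the case number, names, dates and locker name are constructed, and the "retrieved"/"returned" actions are an assumption about how the Disposition column is filled in.

```python
"""Evidence custody form as a structured record, with a chain-of-custody
continuity check.  Added example, not from the original text; the sample
values (case number, names, dates) are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

ACTIONS = ("retrieved", "returned")   # assumed vocabulary for the log


@dataclass
class EvidenceItem:
    item_no: int
    description: str              # e.g. "one USB drive, 128 MB"
    vendor: str
    model_or_serial: Optional[str]


@dataclass
class ProcessingEntry:
    item_no: int
    processed_by: str
    action: str                   # "retrieved" from or "returned" to the locker
    disposition: str              # what was done to the evidence
    timestamp: datetime


@dataclass
class EvidenceCustodyForm:
    case_number: str
    investigating_org: str
    investigator: str
    nature_of_case: str
    location_obtained: str
    recovered_by: str             # the chain of custody starts with this person
    recovered_at: datetime
    locker: str
    items: List[EvidenceItem] = field(default_factory=list)
    log: List[ProcessingEntry] = field(default_factory=list)

    def add_item(self, item: EvidenceItem) -> None:
        if any(i.item_no == item.item_no for i in self.items):
            raise ValueError(f"duplicate item number {item.item_no}")
        self.items.append(item)

    def record(self, item_no: int, processed_by: str, action: str,
               disposition: str, timestamp: str) -> None:
        """Append-only: entries are added, never edited or removed.
        `timestamp` is an ISO-8601 string such as 2021-03-01T10:00."""
        if not any(i.item_no == item_no for i in self.items):
            raise ValueError(f"unknown item number {item_no}")
        if action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        self.log.append(ProcessingEntry(item_no, processed_by, action, disposition,
                                        datetime.fromisoformat(timestamp)))


def custody_gaps(form: EvidenceCustodyForm) -> List[str]:
    """Return continuity problems; an empty list means the chain is unbroken:
    every retrieval is matched by a return, nothing is retrieved twice without
    a return in between, and timestamps never run backwards."""
    problems: List[str] = []
    last_ts = form.recovered_at
    checked_out: Dict[int, str] = {}
    for e in form.log:
        if e.timestamp < last_ts:
            problems.append(f"item {e.item_no}: entry at {e.timestamp:%Y-%m-%d %H:%M} "
                            "is earlier than the previous entry")
        last_ts = max(last_ts, e.timestamp)
        if e.action == "retrieved":
            if e.item_no in checked_out:
                problems.append(f"item {e.item_no} retrieved by {e.processed_by} "
                                f"while still checked out to {checked_out[e.item_no]}")
            checked_out[e.item_no] = e.processed_by
        else:
            if e.item_no not in checked_out:
                problems.append(f"item {e.item_no} returned by {e.processed_by} "
                                "but no retrieval was recorded")
            checked_out.pop(e.item_no, None)
    for item_no, who in checked_out.items():
        problems.append(f"item {item_no} still checked out to {who}")
    return problems


def build_sample_form() -> EvidenceCustodyForm:
    """Constructed sample mirroring the Domain Name case above."""
    form = EvidenceCustodyForm(
        case_number="CORP-2021-0007",          # hypothetical value
        investigating_org="Example Corp. Security",
        investigator="Daya",
        nature_of_case="Employee policy violation case",
        location_obtained="Raju's assigned workstation",
        recovered_by="Daya",
        recovered_at=datetime(2021, 3, 1, 9, 0),
        locker="Locker 3",
    )
    form.add_item(EvidenceItem(1, "one USB drive, 128 MB", "Generic", None))
    form.record(1, "Daya", "retrieved", "forensic copy made", "2021-03-01T10:00")
    form.record(1, "Daya", "returned", "original back in Locker 3", "2021-03-01T11:30")
    return form
```

Run `custody_gaps(build_sample_form())` before finalizing a case report: an item that is still checked out, returned without a recorded retrieval, or logged out of time order is exactly the kind of gap opposing counsel looks for.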
1.2.2.3 Securing Your Evidence
1. Large evidence bags, tape, tags, and labels can be used to secure and
catalog evidence in large computer components.
2. When gathering products to secure your computer evidence, make sure
they are safe and effective to use on computer components. Be
cautious when handling any computer component to avoid damaging
the component or coming into contact with static electricity, which can
destroy digital data.
3. For this reason, make sure you use anti-static bags when collecting
computer evidence.
4. Consider using an antistatic pad with an attached wrist strap, too. Both
help prevent damage to computer evidence.
5. Be sure to place computer evidence in a well -padded container.
Padding prevents damage to the evidence as you transport it to your
secure evidence locker, evidence room, or computer lab.
6. Securing evidence often requires building secure containers. If the
computer component is large and contained in its own casing, such as
a CPU cabinet, you can use evidence tape to seal all openings on the
cabinet.
7. As a standard practice, you should write your initials on the tape
before applying it to the evidence.
8. When collecting computer evidence, make sure you have a safe
environment for transporting and storing it until a secure evidence
container is available.
1.2.3 Procedures for Corporate High-Tech Investigations
A high -tech investigation requires formal procedures and informal
checklists to cover all important issues.
These procedures are necessary to ensure that correct techniques are
used in an investigation.
Use informal checklists to be certain that all evidence is collected and
processed properly.
1.2.3.1 Employee Termination Cases
Investigations for termination cases usually involve employee abuse of
corporate assets.
Incidents that create an unfriendly work environment, such as viewing
pornography in the workplace and sending inappropriate e-mail
messages, are the main types of cases investigated.
Consult the organization's general counsel and Human Resources
Department for specific directions on how to handle these
investigations.
The following sections provide a summary of key points to consider
when investigating cases that could result in the termination of an employee.
1.2.3.2 Internet Abuse Investigations
In order to investigate Internet abuse, you will need the following
information:
The organization’s Internet proxy server logs.
Suspect computer’s IP address obtained from your organization’s
network administrator.
Suspect computer’s disk drive.
Your preferred computer forensics analysis tool.
Following are the steps to follow when investigating Internet abuse:
1. Use the standard forensic analysis techniques and procedures.
2. Using tools such as Data Lifter or Forensic Toolkit’s Internet keyword
search option, extract all Web page URL information.
3. Contact the network firewall administrator and request a proxy server
log, if it’s available, of the suspect computer’s network device name or
IP address for the dates of interest. Confirm with your organization's
network administrator that these logs are maintained and that the time
to live (TTL) is set for IP addresses assigned through Dynamic Host
Configuration Protocol (DHCP).
4. Compare the data recovered from forensic analysis to the proxy server
log data to confirm that they match.
5. If the URL data matches the proxy server log and the forensic disk
examination, continue analyzing the suspect computer’s drive data,
and collect any relevant downloaded inappropriate pictures or Web
pages that support the allegation. If there are no matches between the
proxy server logs, and the forensic examination shows no contributing
evidence, report that the allegation is unsubstantiated.
Before investigating an Internet abuse case, it is important to know your
state or country’s privacy laws.
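Steps 3 to 5 above come down to a set comparison: URLs recovered from the drive against the proxy entries for the suspect computer's address within the dates of interest. The following is an added example, not code from the original text or from any of the tools it names. The proxy log format it parses (timestamp, client IP, method, URL, status) is a constructed, simplified one rather than the format of any particular proxy product, and the log lines, recovered URLs and addresses are all constructed.

```python
"""Correlate URLs recovered from a suspect's drive with the proxy server log
for that computer's IP address and date range.  Added example, not from the
original text.  The log format is a constructed, simplified one."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit, urlunsplit


class ProxyEntry(NamedTuple):
    when: datetime
    client_ip: str
    method: str
    url: str
    status: int


def parse_proxy_log(lines: List[str]) -> List[ProxyEntry]:
    """Parse lines of the constructed format; malformed lines are skipped."""
    entries: List[ProxyEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            entries.append(ProxyEntry(datetime.fromisoformat(parts[0]), parts[1],
                                      parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return entries


def normalize_url(url: str) -> str:
    """Lower-case scheme and host and drop the fragment, so the same resource
    recorded slightly differently on disk and in the log still matches."""
    s = urlsplit(url.strip())
    return urlunsplit((s.scheme.lower(), s.netloc.lower(), s.path or "/", s.query, ""))


def correlate(recovered_urls: List[str], log: List[ProxyEntry], client_ip: str,
              start: datetime, end: datetime) -> Dict[str, Set[str]]:
    """Compare URLs recovered by forensic analysis against the proxy entries
    for the suspect computer within [start, end]."""
    proxy_urls = {normalize_url(e.url) for e in log
                  if e.client_ip == client_ip and start <= e.when <= end}
    disk_urls = {normalize_url(u) for u in recovered_urls}
    return {
        "matched": disk_urls & proxy_urls,
        "disk_only": disk_urls - proxy_urls,    # on the drive, never seen by the proxy
        "proxy_only": proxy_urls - disk_urls,   # seen by the proxy, not recovered
    }


def assessment(result: Dict[str, Set[str]]) -> str:
    """Step 5: matches mean keep analysing; no matches mean unsubstantiated."""
    if result["matched"]:
        return "corroborated: continue analysing the drive for supporting content"
    return "unsubstantiated: no recovered URL appears in the proxy log"


# Constructed sample data (addresses and hosts are hypothetical)
SAMPLE_LOG = [
    "2021-03-01T10:15:02 10.0.5.23 GET http://forum.example.net/thread/42 200",
    "2021-03-01T10:16:40 10.0.5.23 GET http://Forum.Example.net/thread/42#reply 200",
    "2021-03-01T10:20:11 10.0.5.23 GET http://intranet.example.com/ 200",
    "2021-03-01T10:21:00 10.0.5.99 GET http://video.example.org/clip/7 200",  # other host
    "2021-02-20T08:00:00 10.0.5.23 GET http://video.example.org/clip/7 200",  # outside range
    "not a log line",
]
SAMPLE_RECOVERED = [   # e.g. from the Internet keyword search of the image
    "http://forum.example.net/thread/42",
    "http://video.example.org/clip/7",
    "http://shop.example.com/cart?id=9",
]


def run_sample() -> Dict[str, Set[str]]:
    log = parse_proxy_log(SAMPLE_LOG)
    return correlate(SAMPLE_RECOVERED, log, "10.0.5.23",
                     datetime(2021, 3, 1), datetime(2021, 3, 2))
```

The `disk_only` set deserves a second look rather than being discarded: a URL on the drive with no proxy record for the same address may simply date from before the log retention window, or from a DHCP lease that had moved the address to another machine, which is why step 3 asks you to confirm the log retention and DHCP lease times first.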
1.2.3.3 E-mail Abuse Investigations
E-mail investigations typically include spam, inappropriate and offensive
message content, and harassment or threats.
Organizations must define a policy for e-mail records, just as they do for
other computer evidence data.
The following items are needed for investigating an e-mail abuse
case:
An electronic copy of the offending e-mail that contains message
header data; consult with your e-mail server administrator
If available, e-mail server log records; consult with your e-mail server
administrator to see whether they are available
For e-mail systems that store users’ messages on a central server,
access to the server; consult with your e-mail server administrator
For e-mail systems that store users’ messages on a computer as an
Outlook .pst or .ost file, for example, access to the computer so that
you can perform a forensic analysis on it
Your preferred computer forensics analysis tool, such as Forensic
Toolkit or ProDiscover
The recommended procedure for e-mail investigations is as follows:
1. For computer-based e-mail data files, such as Outlook .pst or .ost
files, use the standard forensic analysis techniques and procedures for
the drive examination.
2. For server-based e-mail data files, contact the e-mail server
administrator and obtain an electronic copy of the suspect and victim’s
e-mail folder or data.
3. For Web-based e-mail investigations, such as Hotmail or Gmail, use
tools such as Forensic Toolkit’s Internet keyword search option to
extract all related e-mail address information.
4. Examine header data of all messages of interest to the investigation.
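Step 4, examining header data, is mostly about reading the Received chain in the order the message actually travelled and comparing the addresses the message claims against the ones the mail servers recorded. The following is an added example, not from the original text; the raw message is constructed, the host names and addresses in it are hypothetical, and it uses Python's standard `email` package rather than any forensic tool named above.

```python
"""Examine the header data of an e-mail message: list the Received hops in
transit order and flag simple inconsistencies.  Added example, not from the
original text; the message, hosts and addresses are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed raw message: header block, blank line, body.
SAMPLE_MESSAGE = """\
Return-Path: <bulk@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by mailstore.corp.example with ESMTP id 7F3A1; Mon, 1 Mar 2021 10:15:05 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
 by mx.corp.example with ESMTP id 4B22C; Mon, 1 Mar 2021 10:15:02 +0000
From: "HR Department" <hr@corp.example>
To: raju@corp.example
Subject: Urgent: update your details
Date: Mon, 1 Mar 2021 10:14:58 +0000
Message-ID: <20210301101458.1234@mailer.example.net>

Please open the attached form.
"""

_RECEIVED = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.DOTALL)


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Split one Received header into from-host, by-host and timestamp."""
    clause, _, date_part = value.rpartition(";")
    m = _RECEIVED.search(clause)
    hop: Dict[str, Optional[str]] = {"from": m.group("from") if m else None,
                                     "by": m.group("by") if m else None, "at": None}
    try:
        hop["at"] = parsedate_to_datetime(date_part.strip()).isoformat()
    except (TypeError, ValueError):
        pass
    return hop


def examine_headers(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the top one is the last
    # hop; reverse the list to read the path from origin to recipient.
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])][::-1]
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    msgid = str(msg.get("Message-ID", ""))
    msgid_domain = msgid.rstrip(">").rpartition("@")[2].lower()
    notes: List[str] = []
    if return_path and from_domain != rp_domain:
        notes.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    if msgid_domain and msgid_domain != from_domain:
        notes.append(f"Message-ID domain {msgid_domain} differs from From domain {from_domain}")
    return {"from": from_addr, "to": str(msg.get("To", "")),
            "subject": str(msg.get("Subject", "")), "date": str(msg.get("Date", "")),
            "message_id": msgid, "return_path": return_path,
            "hops": hops, "notes": notes}


def run_sample() -> Dict[str, object]:
    return examine_headers(SAMPLE_MESSAGE)
```

The notes are observations, not conclusions: a mismatch between From and Return-Path is normal for mailing lists and bulk senders, so it is recorded for the investigator to weigh against the message content and the server logs obtained in step 2.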
1.2.3.4 Attorney-Client Privilege Investigations
When conducting a computer forensics analysis under attorney-client
privilege (ACP) rules for an attorney, you must keep all findings
confidential.
The attorney you’re working for is the final authority over the
investigation.
For investigations of this nature, attorneys typically request that you
extract all data from drives.
It is your responsibility to comply with the attorney’s directions.
Drives can contain large amounts of data, so the attorney will want to
know everything of interest on them.
Many attorneys like to have printouts of the data you have recovered,
but printouts can present problems when you have log files with
several thousand pages of data or CAD drawing programs that can be
read only by proprietary programs.
The following are the basic steps for conducting an ACP case:
1. Request a memorandum from the attorney directing you to start the
investigation. The memorandum must state that the investigation is
privileged communication and list the name and any other associates’
names assigned to the case.
2. Request a list of keywords of interest to the investigation.
3. After we have received the memorandum, initiate the investigation and
analysis. Any findings we made before receiving the memorandum are
subject to discovery by the opposing attorney.
4. For drive examinations, make two bit-stream images of the drive
using a different tool for each image, such as Encase for the first and
ProDiscover or SafeBack for the second. If we have large enough
storage drives, make each bit-stream image uncompressed so that if it
becomes corrupt, we can still examine uncorrupted areas with the
preferred forensic analysis tool.
5. If possible, compare hash values on all files on the original and
re-created disks. Typically, attorneys want to view all data, even if it’s
not relevant to the case. Many GUI forensics tools perform this task
during bitstream imaging of the drive.
6. Methodically examine every portion of the drive (both allocated and
unallocated data areas) and extract all data.
7. Run keyword searches on allocated and unallocated disk space.
Follow up the search results to determine whether the search results
contain information that supports the case.
8. For Windows OSs, use special tools to analyze and extract data from
the Registry, such as AccessData Registry Viewer or a Registry viewer
program. Use the Edit, Find menu option in Registry Editor, for
example, to search for keywords of interest to the investigation.
9. For binary files such as CAD drawings, locate the correct program
and, if possible, make printouts of the binary file content. If the files
are too large, load the specialty program on a separate workstation
with the recovered binary files so that the attorney can view them.
10. For unallocated data (file slack space or free space) recovery, use a
tool that removes or replaces nonprintable data, such as X-Ways
Forensics Specialist Gather Text function.
11. Consolidate all recovered data from the evidence bit-stream image into
well-organized folders and subfolders. Store the recovered data output,
using a logical and easy-to-follow storage method for the attorney or
paralegal.
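Steps 7 and 10 above (keyword searches over allocated and unallocated space, and recovery of printable text from unallocated space) can be shown on a small constructed image. The following is an added example, not from the original text and not the code of X-Ways Forensics or any other tool named in the steps. The image, its 512-byte sector size and its allocation map are constructed; a real examination would take the allocation map from the file system metadata rather than from a hand-written dictionary.

```python
"""Keyword search over allocated and unallocated areas of a drive image, and
printable-text recovery from unallocated space.  Added example, not from the
original text; the image and its allocation map are constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SECTOR = 512


class Hit(NamedTuple):
    keyword: str
    offset: int               # byte offset in the image
    encoding: str             # "ascii" or "utf-16le"
    region: str               # "allocated" or "unallocated"
    filename: Optional[str]   # owning file for allocated hits


def build_sample_image() -> Tuple[bytes, Dict[str, List[int]]]:
    """An 8-sector image: sectors 0-1 hold notes.txt, sector 2 a binary file,
    sectors 3-7 are unallocated and hold a deleted file's remains, a UTF-16
    fragment and filler bytes.  Everything here is constructed."""
    notes = b"Meeting notes: register domainreg.example for client A\n"
    binary = bytes(range(256)) * 2
    deleted = b"INVOICE 0042 - web site setup for client B, paid via domainreg.example\n"
    utf16 = "DomainReg order confirmation".encode("utf-16le")
    sectors = [
        notes.ljust(SECTOR, b"\0"), b"\0" * SECTOR,   # notes.txt (2 sectors)
        binary,                                       # tool.bin
        deleted.ljust(SECTOR, b"\x7f"),               # deleted-file remnant
        b"\x01\x02" * (SECTOR // 2),                  # non-printable filler
        utf16.ljust(SECTOR, b"\0"),                   # UTF-16LE artefact
        b"\0" * SECTOR, b"\0" * SECTOR,
    ]
    assert all(len(s) == SECTOR for s in sectors)
    allocation = {"notes.txt": [0, 1], "tool.bin": [2]}
    return b"".join(sectors), allocation


def region_of(offset: int, allocation: Dict[str, List[int]]) -> Tuple[str, Optional[str]]:
    sector = offset // SECTOR
    for name, sectors in allocation.items():
        if sector in sectors:
            return "allocated", name
    return "unallocated", None


def keyword_hits(image: bytes, keywords: List[str],
                 allocation: Dict[str, List[int]]) -> List[Hit]:
    """Case-insensitive search for each keyword as ASCII and as UTF-16LE (the
    encoding Windows uses for much of its own metadata) across the whole
    image, labelling each hit with the region it falls in."""
    hits: List[Hit] = []
    for kw in keywords:
        for enc in ("ascii", "utf-16le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                region, fname = region_of(m.start(), allocation)
                hits.append(Hit(kw, m.start(), enc, region, fname))
    return sorted(hits, key=lambda h: h.offset)


def unallocated_bytes(image: bytes, allocation: Dict[str, List[int]]) -> bytes:
    """Concatenate every sector not owned by a file."""
    used = {s for secs in allocation.values() for s in secs}
    return b"".join(image[i * SECTOR:(i + 1) * SECTOR]
                    for i in range(len(image) // SECTOR) if i not in used)


def gather_text(data: bytes, min_len: int = 4) -> List[str]:
    """Recover runs of printable ASCII, dropping the non-printable bytes in
    between: the 'remove nonprintable data' operation step 10 describes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]
```

A hit in unallocated space cannot be attributed to a file, only to an offset, which is why the `Hit` record carries the offset and region separately: the case report should state where the text was found, not imply a file that no longer exists.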
1.2.3.5 Media Leak Investigations
The following are the guidelines for media leak investigations:
Examine e-mail, both the organization’s e-mail servers and private
e-mail accounts (Hotmail, Yahoo!, Gmail, and so on), on company-owned
computers.
Examine Internet message boards, and search the Internet for any
information about the company or product. Use Internet search engines
to run keyword searches related to the company, product, or leaked
information.
Examine proxy server logs to check for log activities that might show
use of free e-mail services, such as Gmail. Trace back to the specific
workstations where these messages originated and perform a forensic
analysis on the drives to help determine what was communicated.
Examine known suspects’ workstations, perform computer forensics
examinations on persons of interest, and develop other leads on
possible associates.
Examine all company phone records for any calls to known media
organizations.
The following list outlines steps to take for media leaks:
1. Interview management privately to get a list of employees who have
direct knowledge of the sensitive data.
2. Identify the media source that published the information.
3. Review company phone records to see who might have had contact
with the news service.
4. Obtain a list of keywords related to the media leak.
5. Perform keyword searches on proxy and e -mail servers.
6. Discreetly conduct forensic disk acquisitions and analysis of
employees of interest.
7. From the forensic disk examinations, analyze all e-mail
correspondence and trace any sensitive messages to other people who
haven’t been listed as having direct knowledge of the sensitive data.
8. Expand the discreet forensic disk acquisition and analysis for any new
persons of interest.
9. Consolidate and review the findings periodically to see whether new
clues can be discovered.
10. Report findings to management routinely, and discuss how much
further to continue the investigation.
1.2.3.6 Industrial Espionage Investigations
The following list shows staff that we may need when planning an
industrial espionage investigation:
The computing investigator who is responsible for disk forensic
examinations
The technology specialist who is knowledgeable about the suspected
compromised technical data
The network specialist who can perform log analysis and set up
network monitors to trap network communication of possible suspects
The threat assessment specialist (typically an attorney) who is familiar
with federal and state laws and regulations related to ITAR or EAR
and industrial espionage
The following are the guidelines when initiating an industrial
espionage investigation:
Determine whether this investigation involves a possible industrial
espionage incident, and then determine whether it falls under ITAR or
EAR.
Consult with corporate attorneys and upper management if the
investigations must be conducted discreetly.
Determine what information is needed to substantiate the allegation of
industrial espionage.
Generate a list of keywords for disk forensics and network monitoring.
List and collect resources needed for the investigation.
Determine the goal and scope of the investigation; consult with
management and the company’s attorneys on how much work we
should do.
Initiate the investigation after approval from management, and make
regular reports of activities and findings.
The following are planning considerations for industrial espionage
investigations:
Examine all e-mail of suspected employees, both company-provided
e-mail and free Web-based services.
Search Internet newsgroups or message boards for any postings related
to the incident.
Initiate physical surveillance with cameras on people or things of
interest to the investigation.
If available, examine all facility physical access logs for sensitive
areas, which might include secure areas where smart badges or video
surveillance recordings are used.
If there’s a suspect, determine his or her location in relation to the
vulnerable asset that was compromised.
Study the suspect’s work habits.
Collect all incoming and outgoing phone logs to see whether any
unique or unusual places were called.
1.2.4 Conducting an Investigation
Start by gathering the resources you identified in your investigation plan.
You need the following items:
Original storage media
Evidence custody form
Evidence container for the storage media, such as an evidence bag
Bit-stream imaging tool; in this case, the ProDiscover Basic
acquisition utility
Forensic workstation to copy and examine the evidence
Secure evidence locker, cabinet, or safe
1.2.5 Completing the Case
After analyzing the disk, you can retrieve deleted files, e-mail, and
items that have been purposefully hidden.
Now that you have retrieved and analyzed the evidence, you need to
write the final report.
When you write your report, state what you did and what you found.
The report you generated in ProDiscover gives you an account of the
steps you took. As part of your final report, include the ProDiscover
report file to document your work.
A computing investigation should produce the same results if you
repeat the steps taken. This capability is referred to as repeatable
findings, and without it, your work product has no value as evidence.
Keep a written journal of everything you do. Your notes can be used in
court.
Basic report writing involves answering the six Ws: who, what, when,
where, why, and how.
Your organization might have templates to use when writing reports.
You must describe your analysis' findings in your report based on the
needs and requirements of your organization.
1.3 INCIDENT VERIFICATION AND SYSTEM
IDENTIFICATION (SECURING A COMPUTER
INCIDENT OR CRIME SCENE)
Investigators secure an incident or crime scene to preserve the
evidence and to keep information about the incident or crime
confidential. Information made public could risk the investigation.
If you’re in charge of securing a computer incident or crime scene, use
yellow barrier tape to prevent bystanders from accidentally entering
the scene.
Use police officers or security guards to prevent others from entering
the scene. Legal authority for a corporate incident scene includes
trespassing violations; for a crime scene, it includes obstructing justice
or failing to comply with a police officer.
Access to the scene should be restricted to only those people who have
a specific reason to be there.
Typically, incidents or crime scenes are secured in order to extend
control beyond the immediate area of the incident.
Using this technique, you avoid omitting parts of the scene that may be
important.
For major crime scenes, computer investigators are not usually
responsible for defining a scene’s security perimeter.
As part of these cases, other specialists and detectives collect physical
evidence and record the scene.
For incidents primarily involving computers, the computers can be a
crime scene within a crime scene, containing evidence to be processed.
Evidence is commonly lost or corrupted because of professional
curiosity, which involves police officers and other professionals who
aren’t part of the crime scene processing team.
Their presence could contaminate the scene directly or indirectly.
Always remember that professional curiosity can destroy or corrupt
evidence, including digital evidence.
When working at an incident or crime scene, be aware of what you’re
doing and what you have touched, physically or virtually.
For example, during one homicide investigation, the lead detective
collected a good latent fingerprint from the crime scene. He compared it
with the victim’s fingerprints and those of others who knew the victim. He
couldn’t find a fingerprint matching the latent fingerprint from the scene.
The detective suspected he had the murderer’s fingerprint and kept it on
file for several years until his police department purchased an Automated
Fingerprint Identification Systems (AFIS) computer. During acceptance
testing, the software vendor processed sample fingerprints to see how
quickly and accurately the system could match fingerprints in the
database. The detective asked the acceptance testing team to run the
fingerprint he found at the homicide scene. He believed the suspect’s
fingerprints were in the AFIS database. The acceptance testing team
complied and within minutes, AFIS found a near -perfect match of the
latent fingerprint: It belonged to the detective.
1.4 RECOVERY OF ERASED AND DAMAGED DATA
(DATA ACQUISITION)
Data acquisition means recovering or acquiring data from electronic
media.
The data on the electronic media might have been erased or damaged.
Data acquisition is the process of copying data.
For computer forensics, Data Acquisition is the task of collecting
digital evidence from electronic media.
There are two types of data acquisition: static acquisitions and live
acquisitions.
Typically, a static acquisition is done on a computer seized during a
police raid.
If the computer has an encrypted drive, a live acquisition is done if the
password or pass-phrase is available—meaning the computer is
powered on and has been logged on to by the suspect.
1.4.1 Data Encryption and Compression
The future of data acquisitions is shifting toward live acquisitions
because of the use of disk encryption with newer operating systems
(OSs).
Digital investigations are increasingly concerned with collecting any
data that is active in a suspect's computer RAM, in addition to
encryption concerns.
The processes and data integrity requirements for static and live
acquisitions are the same.
Live acquisitions are not capable of repeatable processes, which are
essential for collecting digital evidence.
With static acquisitions, if we have preserved the original media,
making a second static acquisition should produce the same results.
The data on the original disk is not altered, no matter how many times
an acquisition is done.
Making a second live acquisition while a computer is running collects
different data, because the running OS changes memory and disk
contents dynamically.
The goal when acquiring data for a static acquisition is to preserve the
digital evidence.
Many times, we have only one chance to create a reliable copy of disk
evidence with a data acquisition tool. Furthermore, failures do occur, so
we need to learn several acquisition methods and tools.
We should always search for newer and better tools to ensure the
integrity of the forensic acquisitions.
1.4.2 Storage Formats for Digital Evidence
The data acquired by a computer forensics acquisition tool is stored as
an image file in one of three formats.
Two formats are open source and the third is proprietary.
Many computer forensics acquisition tools create a disk-to-image file
in an older open-source format, known as raw, as well as their own
proprietary format.
The newer open-source format, Advanced Forensic Format (AFF), is
starting to gain recognition from computer forensics examiners.
1. Raw Format:
In the past, examiners performed a bit-by-bit copy from one disk to
another disk of the same size or larger.
As a practical way to preserve digital evidence, vendors (and some OS
utilities, such as the Linux/UNIX dd command) made it possible to
write bit-stream data to files.
This copy technique creates simple sequential flat files of a suspect
drive or data set. The output of these flat files is referred to as the raw
format.
This format has unique advantages and disadvantages to consider
when selecting an acquisition format.
Advantages: -
1. Fast data transfers
2. Capability to ignore minor data read errors on the source drive.
Disadvantages: -
1. It requires as much storage space as the original disk or data set.
2. Some raw format tools, typically freeware versions, might not collect
marginal (bad) sectors on the source drive, meaning they have a low
threshold of retry reads on weak media spots on a drive.
Several commercial acquisition tools can produce raw format acquisitions
and typically provide a validation check by using Cyclic Redundancy
Check (CRC-32), Message Digest 5 (MD5), and Secure Hash Algorithm
(SHA-1 or newer) hashing functions. Note that CRC-32 only detects
accidental corruption; it is not a cryptographic hash and cannot show
that an image has not been deliberately altered.
2. Proprietary Formats:
Proprietary formats typically offer several features that complement
the vendor's analysis tool, such as the following: -
1. The option to compress or not compress image files of a suspect drive,
thus saving space on the target drive.
2. The capability to split an image into smaller segmented files for
archiving purposes, such as to CDs or DVDs, with data integrity
checks integrated into each segment.
3. The capability to integrate metadata into the image file, such as date
and time of the acquisition, hash value (for self-authentication) of the
original disk or medium, investigator or examiner name, and
comments or case details.
The disadvantages of proprietary format acquisitions are: -
1. The inability to share an image between different vendors' computer
forensics analysis tools.
2. A file size limitation for each segmented volume.
3. Advanced Forensic Format:
Dr. Simson L. Garfinkel, with Basis Technology Corporation, developed
a new open source acquisition format called Advanced Forensic
Format (AFF).
This format has the following design goals: -
1. Creating compressed or uncompressed image files
2. No size restriction for disk-to-image files
3. Providing space in the image file or segmented files for metadata
4. Simple design with extensibility
5. Open source for multiple computing platforms and OSs
6. Offering internal consistency checks for self-authentication
File extensions include .afd for segmented image files and .afm for
AFF metadata.
Because AFF is open source, computer forensics vendors have no
implementation restrictions on this format.
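The raw, proprietary and AFF descriptions above amount to one procedure. The following is an added example (mine, not code from the page, from the dd utility's authors or from any forensic vendor) that builds a raw image with dd and then adds by hand the things a raw image leaves out: a capacity check on the target before imaging, numbered segments with a hash recorded per segment, and a separate metadata file carrying the acquisition time, examiner name and source hashes. It assumes GNU coreutils on Linux; the 1 MiB "suspect drive" file, the examiner name and the working directory are constructed for the example and stand in for a real device and a real case.

```shell
#!/bin/sh
# Added example, not from the page: raw-format disk-to-image acquisition
# with coreutils, plus the segmenting and metadata that proprietary formats
# and AFF bundle into the image itself.
# Assumptions: GNU coreutils (dd, split, sha1sum, md5sum, stat, df, awk) on
# Linux; the "suspect drive" is a constructed 1 MiB file, not /dev/sdX.

set -u

WORK="${WORK:-$(mktemp -d)}"
SOURCE="$WORK/suspect.dd"        # stands in for /dev/sdX on a real acquisition
IMAGE="$WORK/evidence.raw"
SEG_SIZE="${SEG_SIZE:-262144}"   # 256 KiB segments (GiB-sized on real media)

# Build the constructed sample drive: random bytes with a recognisable marker.
make_sample_drive() {
    dd if=/dev/urandom of="$SOURCE" bs=1024 count=1024 2>/dev/null
    printf 'CASE-SAMPLE-MARKER' | dd of="$SOURCE" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# A raw image needs as much free space as the source; check before starting.
target_has_room() {
    src_bytes=$(stat -c %s "$SOURCE")
    avail_kib=$(df -Pk "$WORK" | awk 'NR==2 {print $4}')
    [ "$((avail_kib * 1024))" -ge "$src_bytes" ]
}

# Raw disk-to-image copy. conv=noerror,sync keeps going past unreadable
# sectors and zero-pads them so offsets in the image still match the source
# (the "ignore minor read errors" property of raw acquisition tools).
acquire_raw() {
    dd if="$SOURCE" of="$IMAGE" bs=4096 conv=noerror,sync 2>"$WORK/dd.log"
}

# Metadata that a bare raw image cannot carry: who, when, which source, hashes.
write_metadata() {
    {
        echo "examiner=J. Doe (assumed name for the example)"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$SOURCE"
        echo "md5=$(md5sum < "$SOURCE" | cut -d' ' -f1)"
        echo "sha1=$(sha1sum < "$SOURCE" | cut -d' ' -f1)"
    } > "$IMAGE.meta"
}

# Split the image into numbered segments and record a hash per segment,
# the per-segment integrity check that proprietary formats build in.
segment_image() {
    split -b "$SEG_SIZE" -d -a 3 "$IMAGE" "$IMAGE.seg."
    ( cd "$WORK" && sha1sum evidence.raw.seg.* > segments.sha1 )
}

# Returns 0 only if every segment matches its recorded hash and the
# reassembled segments hash to the source SHA-1 stored in the metadata.
verify_segments() {
    ( cd "$WORK" && sha1sum -c --quiet segments.sha1 ) || return 1
    want=$(sed -n 's/^sha1=//p' "$IMAGE.meta")
    [ "$(cat "$IMAGE".seg.??? | sha1sum | cut -d' ' -f1)" = "$want" ]
}

# The whole procedure in order; returns non-zero on any failed step.
run_acquisition() {
    make_sample_drive
    target_has_room || { echo "target disk too small for a full image" >&2; return 1; }
    acquire_raw
    write_metadata
    segment_image
    verify_segments
}
```

On a real acquisition SOURCE would be a write-blocked block device, and dd.log should be kept with the case file because it records how many blocks were read and whether any read errors occurred.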
1.4.3 Determining the Best Acquisition Method
There are two types of acquisitions: static acquisitions and live
acquisitions.
Typically, a static acquisition is done on a computer seized during a
police raid, for example.
If the computer has an encrypted drive, a live acquisition is done if the
password or passphrase is available, meaning the computer is
powered on and has been logged on to by the suspect.
Static acquisitions are always the preferred way to collect digital
evidence.
In some situations, static acquisitions are limited, such as an encrypted
drive readable only while the computer is powered on, or a networked
computer.
For both types of acquisitions, data can be collected with four
methods:
1. creating a disk-to-image file,
2. creating a disk-to-disk copy,
3. creating a logical disk-to-disk or disk-to-data file,
4. creating a sparse copy of a folder or file.
Creating a disk-to-image file is the most common method and offers
the most flexibility for the investigation. With this method, we can
make one or many copies of a suspect drive.
These copies are bit-for-bit replications of the original drive.
Sometimes we cannot make a disk-to-image file because of hardware
or software errors or incompatibilities. This problem is more common
when we have to acquire older drives.
For these drives, we may have to create a disk-to-disk copy of the
suspect drive.
Several imaging tools can copy data exactly from an older disk to a
newer disk. By using these programs, the target disk's geometry (its
cylinder, head, and track configuration) can be adjusted to match the
original suspect disk.
Collecting evidence from a large drive can take several hours. If time
is limited, consider using a logical acquisition or sparse acquisition
data copy method.
A logical acquisition captures only specific files of interest to the case
or specific types of files.
A sparse acquisition is similar but also collects remains of
unallocated (deleted) data. This method is used only when we don't
need to examine the entire drive.
In electronic discovery, a logical acquisition is becoming the preferred
method, especially with large data storage systems.
To determine which acquisition method to use for an investigation,
consider the size of the source (suspect) disk.
If the source disk is very large, such as 500 GB or more, make sure we
have a target disk that can store a disk-to-image file of the large disk.
If we do not have a target disk of comparable size, review alternatives
for reducing the size of data to create a verifiable copy of the suspect
drive.
When working with large drives, an alternative is using tape backup
systems. Snap-Back and SafeBack have special software drivers
designed to write data from a suspect drive to a tape backup system
through standard PCI SCSI cards.
The advantage of this type of acquisition is that there is no limit to the
size of data that can be acquired.
The one big disadvantage, especially with microprocessor systems, is
that it can be slow and time consuming.
1.4.4 Contingency Planning for Image Acquisitions
As we are working with electronic data, we need to take precautions to
ensure its security.
We should also make contingency plans for situations in which software
or hardware doesn't work, or we encounter a failure during an acquisition.
The most common and time-consuming technique for preserving
evidence is creating a duplicate of your disk-to-image file. Many
computer investigators do not make duplicates of their evidence
because they don't have enough time or resources to make a second
image. However, if the first copy does not work correctly, having a
duplicate is worth the effort and resources. Be sure you take steps to
lessen the risk of failure in your investigation.
As a standard practice, make at least two images of the digital
evidence you collect.
If you have more than one imaging tool, make the first copy with one
tool and the second copy with the other tool, and confirm that both
images produce the same hash value.
Many acquisition tools do not copy data in the host protected area
(HPA) of a disk drive. For these situations, consider using a hardware
acquisition tool that can access the drive at the BIOS level.
As part of your contingency planning, you must be prepared to deal
with encrypted drives.
1.4.5 Using Acquisition Tools
Many computer forensics software vendors have developed acquisition
tools that run in Windows.
These tools make acquiring evidence from a suspect drive more
convenient, especially when we use them with hot-swappable devices,
such as USB 2.0, FireWire (IEEE 1394a and 1394b), or SATA, to connect
disks to the workstation.
Some of them are listed below:
1. Windows XP Write-Protection with USB Devices:
When Microsoft updated Windows XP with Service Pack 2 (SP2), a
new feature was added to the Registry: the USB write-protection
feature blocks any writing to USB devices. (The setting lives in the
StorageDevicePolicies key under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, with the
DWORD value WriteProtect set to 1.)
On your acquisition workstation, simply connect the suspect drive to
the USB external drive or connector after we've modified the
Windows Registry to enable write-protection.
To update the Registry, we need to perform three tasks.
1. First, back up the Registry in case something fails while we're
modifying it.
2. Second, modify the Registry with the write protection feature.
3. Third, create two desktop icons to automate switching between
enabling and disabling writes to the USB device.
Because this is a software control, confirm it is active before each
acquisition (for example by attempting to create a file on a scratch USB
drive); a hardware write-blocker is the more reliable choice when one
is available.
2. Acquiring Data with a Linux Boot CD:
The Linux OS has many features that are applicable to computer
forensics, especially data acquisitions.
Physical access for the purpose of reading data can be done on a
connected media device, such as a disk drive, a USB drive, or other
storage devices.
In Windows OSs and newer Linux kernels, when we connect a drive
via USB, FireWire, external SATA, or even internal PATA or SATA
controllers, both OSs automatically mount and access the drive.
In static acquisitions, this automatic access corrupts the integrity of
evidence. When acquiring data with Windows, we must use a write-
blocking device or Registry utility.
With a correctly configured Linux OS, such as a forensic Linux Live
CD, media are not accessed automatically, which eliminates the need
for a write-blocker.
Even so, confirm before reading that nothing has mounted the device
(the mount and lsblk commands show this), because an ordinary
desktop Linux distribution will automount it; setting the block device
read-only with blockdev --setro is a cheap extra safeguard.
If we need to acquire a USB drive that does not have a write-lock
switch, use one of the forensic Linux Live CDs to access the device.
3. Capturing an Image with ProDiscover Basic:
ProDiscover automates many acquisition functions, unlike current
Linux tools.
Because USB drives are typically small, a single image file can be
acquired with no need to segment it.
Before acquiring data directly from a suspect drive with ProDiscover
Basic, always use a hardware write-blocker device or the write
protection method for USB-connected drives.
4. Capturing an Image with AccessData FTK Imager:
FTK Imager is a Windows data acquisition program that's included
with a licensed copy of AccessData Forensic Toolkit.
FTK Imager is designed for viewing evidence disks and disk-to-image
files created in other proprietary formats.
FTK Imager can read AccessData .ad1, Expert Witness (EnCase) .e01,
SafeBack, SMART .s01, and raw format files.
FTK Imager can make disk-to-image copies of evidence drives and
enables us to acquire an evidence drive at the logical partition level
or the physical drive level.
We can also define the size of each disk-to-image file volume,
allowing us to segment the image into one or many split volumes.
5. SnapBack DatArrest:
SnapBack DatArrest from Columbia Data Products is an older
forensics acquisition program that runs from a true MS-DOS boot
floppy disk.
It can make an image of an evidence drive in three ways: disk to SCSI
drive (magnetic tape or Jaz disk), disk to network drive, and disk to
disk.
SnapBack DatArrest provides network drivers so that we can boot from
a forensic boot floppy disk and access a remote network server's drive.
6. NTI SafeBack:
SafeBack, another reliable MS-DOS acquisition tool, is small enough
to fit on a forensic boot floppy disk. It performs an SHA-256
calculation for each sector copied to ensure data integrity.
During the acquisition, SafeBack creates a log file of all transactions it
performs. The log file includes a comment field where we can identify
the investigation and the data we collect.
SafeBack does the following:
a) Creates image files
b) Copies from a suspect drive to an image on a tape drive
c) Copies from a suspect drive to a target drive by using a parallel port
laplink cable
d) Copies a partition to an image file
e) Compresses image files to reduce the number of volume segments
7. DIBS USA RAID:
DIBS USA has developed the Rapid Action Imaging Device (RAID) to
make forensically sound disk copies.
DIBS USA RAID is a portable computer system designed to make
disk-to-disk images.
The copied disk can then be attached to a write-blocker device
connected to a forensic workstation for analysis.
8. ILook Investigator IXimager:
IXimager runs from a bootable floppy disk or CD. It's a standalone
proprietary format acquisition tool designed to work only with ILook
Investigator.
It can acquire single drives and RAID drives. It supports IDE (PATA),
SCSI, USB, and FireWire devices.
The IXimager proprietary format can be converted to a raw format if
other analysis tools are used.
IXimager has three format options:
a) IDIF: a compressed format
b) IRBF: a raw format
c) IEIF: an encrypted format for added security
9. ASRData SMART:
ASRData SMART is a Linux forensics analysis tool that can make
image files of a suspect drive.
SMART can produce proprietary or raw format images and includes
the following capabilities:
a) Robust data reading of bad sectors on drives
b) Mounting suspect drives in write-protected mode
c) Mounting target drives, including NTFS drives, in read/write mode
d) Optional compression schemes to speed up acquisition or reduce the
amount of storage needed for acquired digital evidence
10. Australian Department of Defence PyFlag:
The Australian Department of Defence created the PyFlag tool.
Intended as a network forensics analysis tool, PyFlag can create
proprietary format Expert Witness image files and uses sgzip and gzip
in Linux.
1.4.6 Validating Data Acquisitions
Validating digital evidence requires using a hashing algorithm utility,
which is designed to create a binary or hexadecimal number that
represents the uniqueness of a data set, such as a file or disk drive.
This unique number is referred to as a "digital fingerprint." Because
hash values are treated as unique, if two files have the same hash value,
they are taken to be identical, even if they have different filenames.
Strictly, no hash value is unique, and MD5 and SHA-1 both have
practical collision attacks, so this reasoning is only sound for an
algorithm without known collisions. Record a SHA-256 value alongside
whatever MD5 or SHA-1 value a tool produces; matching SHA-256
values are, for practical purposes, proof that two data sets are the same.
The following sections discuss how to perform validation with some
currently available acquisition programs:
1. Linux Validation Methods:
Linux and UNIX are rich in commands and functions. The two Linux
shell commands, dd and dcfldd, have several options that can be
combined with other commands to validate data.
The dcfldd command has additional options that validate data
collected from an acquisition, including hashing the data as it is copied.
Validating acquired data with the dd command requires using other
shell commands.
Current distributions of Linux include two hashing algorithm utilities:
md5sum and sha1sum (most also ship sha256sum). These utilities can
compute hashes of a single file, multiple files, individual or multiple
disk partitions, or an entire disk drive.
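An added example (mine, not code from the page or from the dcfldd project) of the "dd plus other shell commands" validation the Linux section describes, written as a POSIX shell script. It reproduces what dcfldd's hash options do in a single pass: tee sends the bytes dd reads both to the image file and to md5sum and sha1sum, so failing media is read only once, and a later re-hash of the stored image is compared with those values. The constructed 512 KiB "partition" file stands in for a real device, and the corruption step alters one byte in a copy of the image to show the comparison failing, which is how a corrupt acquisition should present itself. It assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example, not from the page: validate a dd acquisition with hashes
# taken from the same read pass that produced the image.
# Assumptions: GNU coreutils on Linux (dd, tee, mkfifo, md5sum, sha1sum,
# od); the "suspect partition" is a constructed 512 KiB file.

set -u

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/part.dd"      # stands in for /dev/sdX1 on a real acquisition
IMG="$WORK/part.raw"

# Constructed sample partition: 1024 random 512-byte sectors.
make_sample_partition() {
    dd if=/dev/urandom of="$SRC" bs=512 count=1024 2>/dev/null
}

# One read of the source: dd feeds tee, which writes the image, forwards the
# stream to sha1sum, and copies it into a FIFO drained by md5sum. The source
# hashes therefore describe exactly the bytes that went into the image.
acquire_and_hash() {
    fifo="$WORK/md5.fifo"
    rm -f "$fifo"
    mkfifo "$fifo"
    md5sum < "$fifo" | cut -d' ' -f1 > "$SRC.md5" &
    dd if="$SRC" bs=4096 conv=noerror,sync 2>"$WORK/dd.log" \
        | tee "$IMG" "$fifo" \
        | sha1sum | cut -d' ' -f1 > "$SRC.sha1"
    wait
}

# Re-hash the stored image and compare with the source-stream hashes.
# Returns 0 only if both algorithms agree, as a tool's auto-verify would.
validate_image() {
    [ "$(sha1sum < "$IMG" | cut -d' ' -f1)" = "$(cat "$SRC.sha1")" ] &&
    [ "$(md5sum < "$IMG" | cut -d' ' -f1)" = "$(cat "$SRC.md5")" ]
}

# Generic form of the same check: does file $1 hash (SHA-1) to $2?
validate_file_against() {
    [ "$(sha1sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

# Simulate a corrupted or altered image by changing one byte in the middle
# of a copy (the byte is incremented modulo 256 so it always differs).
corrupt_image_copy() {
    cp "$IMG" "$IMG.bad"
    old=$(dd if="$IMG.bad" bs=1 skip=262144 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    new=$(( (old + 1) % 256 ))
    printf "$(printf '\\%03o' "$new")" \
        | dd of="$IMG.bad" bs=1 seek=262144 conv=notrunc 2>/dev/null
}
```

Keep the hash files and dd.log with the image: the log records block counts and any read errors, and the hashes are what a later examiner (or an opposing expert) recomputes to show the image still matches what was acquired.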
2. Windows Validation Methods:
Windows has no built-in hashing algorithm tools for computer
forensics. (Newer Windows versions do ship the certutil -hashfile
command and the PowerShell Get-FileHash cmdlet, which can hash a
file but not a raw physical drive.)
However, many Windows third-party programs do provide a variety of
built-in tools.
These third-party programs range from hexadecimal editors, such as
X-Ways WinHex or Breakpoint Software Hex Workshop, to computer
forensics programs, such as ProDiscover, EnCase, and FTK.
Each program has its own validation technique used with acquisition
data in its proprietary format.
For example, ProDiscover's .eve files contain metadata in the
acquisition file or segmented files, including the hash value for the
suspect drive or partition.
Image data loaded into ProDiscover is hashed and then compared to
the hash value in the stored metadata.
If the hashes do not match, ProDiscover notifies us that the acquisition
is corrupt and can't be considered reliable evidence. This function is
called Auto Verify Image Checksum.
1.4.7 Using Remote Network Acquisition Tools
Recent improvements in computer forensics tools include the
capability to acquire disk data or data fragments (sparse or logical)
remotely.
With this feature, we can connect to a suspect computer remotely via a
network connection and copy data from it.
Remote acquisition tools vary in configurations and capabilities. Some
require manual intervention on remote suspect computers to initiate
the data copy.
Others can acquire data secretly through an encrypted link by pushing
a remote access program to the suspect's computer.
From an investigation perspective, being able to connect to a suspect's
computer remotely to perform an acquisition has tremendous appeal.
It minimizes the chances of a suspect discovering that an investigation
is taking place.
Most remote acquisitions have to be done as live acquisitions, not
static acquisitions, so the results are not repeatable; record the time of
the acquisition and hash the data as it is received.
The following are some of the remote acquisition tools:
1. Remote Acquisition with ProDiscover:
Two versions of ProDiscover can perform remote acquisitions:
ProDiscover Investigator and ProDiscover Incident Response.
When connected to a remote computer, both tools use the ProDiscover
acquisition method.
After the connection is established, the remote computer is displayed
in the Capture Image dialog box.
ProDiscover Investigator is designed to capture data from a suspect's
computer while the user is operating it, which is a live acquisition.
ProDiscover Incident Response is designed to be integrated as a
network intrusion analysis tool.
2. Remote Acquisition with EnCase Enterprise:
EnCase Enterprise is set up with an Examiner workstation and a
Secure Authentication for EnCase (SAFE) workstation. Acquisition
and analysis are conducted on the Examiner workstation.
The SAFE workstation provides secure encrypted authentication
between the Examiner workstation and the suspect's system.
The remote access program in EnCase Enterprise is Servlet, a passive
utility installed on the suspect computer. Servlet connects the suspect
computer to the Examiner and SAFE workstations.
A unique feature is that Servlet can run in stealth mode on the suspect
computer.
3. Remote Acquisition with R-Tools R-Studio:
The R-Tools suite of software is designed for data recovery.
As part of this recovery capability, the R-Studio network edition can
remotely access networked computer systems. Its remote connection
uses Triple Data Encryption Standard (3DES) encryption, an algorithm
NIST has since deprecated for new use.
Data acquired with R-Studio network edition creates raw format
acquisitions, and it's capable of recovering the following file systems: