Chapter 14: Computer and Network Forensics Guide to Computer

1
Chapter 14 Computer and Network Forensics

• Guide to Computer Network Security

2
Computer Forensics

• Computer forensics involves the preservation,
  identification, extraction, documentation, and
  interpretation of computer media for evidentiary
  and/or root cause analysis.
• Arose as a result of the growing problem of
  computer crimes.
• Computer crimes fall into two categories
• Computer is a tool used in a crime because of
  the role of computers and networks in modern
  communications, it is inevitable that computers
  are used in crimes.
• Investigation into these crimes often involves
  searching computers suspected to be involved.
• Computer itself is a victim of a crime this
  commonly referred to as incident response.
• It refers to the examination of systems that have
  been remotely attacked.
• Forensics experts follow clear, well-defined
  mythologies and procedures

3

• History Of Computer Forensics
• Computer forensics started a few years ago- when
  it was simple to collect evidence from a
  computer.
• While basic forensic methodologies remain the
  same, technology itself is rapidly changing a
  challenge to forensic specialists.

4

• Basic forensic methodology consists of
• Acquire the evidence without altering or damaging
  the original
• Look for evidence
• Recover evidence
• Handle evidence with care
• Preserve evidence
• Authenticate that your recovered evidence is the
  same as the originally seized data
• Analyze the data without modifying it.

5
Acquire the Evidence

• Keep in mind that every case is different
• Do not disconnect the computers evidence may be
  only in RAM So collect information from a live
  system.
• Consider the following issues
• Handling the evidence- if you do not take care of
  the evidence, the rest of the investigation will
  be compromised.
• Chain of custody the goal of maintaining a good
  chain of custody to ensure evidence integrity,
  prevent tempering with evidence. The chain should
  be answers to
• Who collected it
• How and where
• Who took possession of it
• how was it stored and protected in storage
• Who took it out of storage and why?

6
Storage Media

• Hard Drives
• Make an image copy and then restore the image to
  a freshly wiped hard drive for analysis
• Remount the copy and start to analyze it.
• Before opening it get information on its
  configuration
• Use tools to generate a report of lists of the
  disks contents ( PartitionMagic)
• View operating system logs.

7
Handle Evidence With Care

• Collection
• You want the evidence to be so pure that it
  supports your case.
• Identification
• Methodically identify every single item that
  comes out of the suspects/victims location and
  labeled.
• Transportation
• Evidence is not supposed to be moved so when you
  move it be extremely careful.
• Storage
• Keep the evidence in a cool, dry, and appropriate
  place for electronic evidence.
• Documenting the investigation
• Most difficult for computer professionals because
  technical people are not good at writing down
  details of the procedures.

8
Authenticating evidence

• Authenticating evidence is difficult because
• Crime scenes change
• Evidence is routinely damaged by environmental
  conditions
• Computer devices slowly deteriorate
• Keep proof of integrity and timestamp the
  evidence through encryption of files of data
• Two algorithms (MD5 and SHA-1) are in common use
  today

9
Analysis

• Use any well known analysis tools.
• Make two backups

10
Data Hiding

• There are several techniques that intruders may
  hide data.
• Obfuscating data through encryption and
  compression.
• Hiding through codes, steganoraphy, deleted
  files, slack space, and bad sectors.
• Blinding investigators through changing behavior
  of system commands and modifying operating
  systems.
• Use commonly known tools to overcome

11
Network Forensics

• Unlike computer forensics that retrieves
  information from the computers disks, network
  forensics, in addition retrieves information on
  which network ports were used to access the
  network.
• There are several differences that separate the
  two including the following
• Unlike computer forensics where the investigator
  and the person being investigated, in many
  cases the criminal, are on two different levels
  with the investigator supposedly on a higher
  level of knowledge of the system, the network
  investigator and the adversary are at the same
  skills level.
• In many cases, the investigator and the adversary
  use the same tools one to cause the incident,
  the other to investigate the incident. In fact
  many of the network security tools on the market
  today, including NetScanTools Pro, Tracroute,
  and Port Probe used to gain information on the
  network configurations, can be used by both the
  investigator and the criminal.
• While computer forensics, deals with the
  extraction, preservation, identification,
  documentation, and analysis, and it still follows
  well-defined procedures springing from law
  enforcement for acquiring, providing
  chain-of-custody, authenticating, and
  interpretation, network forensics on the other
  hand has nothing to investigate unless steps
  were in place ( like packet filters, firewalls,
  and intrusion detection systems) prior to the
  incident.

12
Network Forensics Intrusion Analysis

• Network intrusions can be difficult to detect
  let alone analyze. A port scan can take place
  without a quick detection, and more seriously a
  stealthy attack to a crucial system resource may
  be hidden by a simple innocent port scan.
• So the purpose of intrusion analysis is to seek
  answers to the following questions
• Who gained entry?
• Where did they go?
• How did they do it?

13
Damage Analysis

• It is difficult to effectively assess damage
  caused by system attacks.
• It provides a trove of badly needed information
  showing how widespread the damage was, who was
  affected and to what extent.

14

• To achieve a detailed report of an intrusion
  detection, the investigator must carry out a
  post mortem of the system by analyzing and
  examining the following
• System registry, memory, and caches. To achieve
  this, the investogator can use dd for Linux and
  Unx sytems.
• Network state to access computer networks
  accesses and connections. Here Netstat can be
  used.
• Current running processes to access the number of
  active processes. Use ps for both Unix and Linux.
• Data acquisition of all unencrypted data. This
  can be done using MD5 and SHA-1 on all files and
  directories. Then store this data in a secure
  place.

15
Forensic Electronic Toolkit

• Computer and network forensics involves and
  requires
• Identification
• Extraction
• Preservation
• Documentation
• A lot of tools are needed for a thorough work
• The forensically sound method is never to
  conduct any examination on the original media.
• Before you use any forensic software, make sure
  you know how to use it, and also that it works.
• Tools
• Hard Drive - use partitioning and viewing (
  Partinfo and PartitionMagic)
• File Viewers to thumb through stacks of data
  and images looking for incriminating or relevant
  evidence (Qiuckview Plus, Conversion Plus,
  DataViz, ThumnsPlus)

16
More tools (cont.)

• Unerase if the files are no longer in the
  recycle bin or you are dealing with old systems
  without recycle bins.
• CD-R/W examine them as carefully as possible.
  Use CD-R Diagnostics
• Text because text data can be huge, use fast
  scans tools like dtSearch.
• Other kits
• Forensic toolkit command-line utilities used
  to reconstruct access activities in NT File
  systems
• Coroner toolkit - to investigate a hacked Unix
  host.
• ForensiX an all-purpose set of data collection
  and analysis tools that run primarily on Linux.
• New Technologies Incorporated (NTI)
• EnCase
• Hardware- Forensic-computers.com