Electronic data discovery tools are not limited to simply finding the data and metadata. Some of the functions of data acquisition tools are listed above.
Internet history tools are useful in tracking how users have used the internet and sites on the internet that were accessed. This is limited, however, in that there is no way to be sure a site was not accessed by simple searches unless there are multiple sites that are similar in content.
Image and E-mail viewers allow the forensic investigator to view images and E-mails and capture as evidence. Most image and E-mail viewers have the capability to view and access multiple image and E-mail formats.
Dictionary Attack - A dictionary file (a text file full of dictionary words) is loaded into a cracking application, which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to to the job. Hybrid Attack - A hybrid attack will add numbers or symbols to the filename to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is &quot;cat&quot;; second month password is &quot;cat1&quot;; third month password is &quot;cat2&quot;; and so on. Brute Force Attack - A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password.
Open Source tools are often classified as freeware and shareware. They are easily and readily available on the internet. The reason open source tools may more clearly and comprehensively meet the Daubert guidelines is because of their extensive use and the fact that the code can be viewed and assessed by experts in the field to verify its value.
Digital forensic investigation of mobile devices is beginning to come into its own. Because these devices have some differences with computers, different tools are needed and the scope of the tools has not yet matured. Therefore, there are fewer tools available for this type of investigation.
Forensic tool suites are typically an enterprise type of application. While some suites are a collection of separately used tools, called upon as needed, other suites are a collection of integrated software that require the investigator to follow a process and use the different applications sequentially. Many commercially available tool suites can be quite costly and intricate. The Coroner’s Toolkit and The Sleuth Kit are the only open source suites listed above.
INTRODUCTION TO COMPUTER FORENSIC
What is Computer Forensics?• Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.” ).• Forensics deals primarily with the recovery and analysis of latent evidence.• Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.
What is Computer Forensics? (cont)• Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry.• “We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law”.
Why is Computer Forensics Important?• From a technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.
TECHNOLOGY• Understanding of – storage technology – operating system features • Windows • Linux • Unix • Mac OS – file systems
TECHNOLOGY• Knowledge of – Slack space – Host Protected Area (HPA) – Device Configuration Overlay (DCO)• Disk imaging• Data recovery• Total data deletion• Handling encryption
COLLABORATION• Computer Forensics investigation requires collaboration of – Law enforcement – Attorneys – Computer specialists• In academia, collaborating units could be: – Computer Science – Criminal Justice – Law – Accounting & Finance
APPLICATIONS• Email – Lasts longer than people believe – Businesses monitor employee emails – Admissible in legal proceedings – Protect using PGP• E-commerce – Exchange of confidential data – Impersonation
APPLICATIONS• Data backup – Encrypt – Secure transfer of backup media – Periodic recovery
Security Issues• Data hiding• Image hiding• Improper destruction of sensitive data• Weak authentication tools – Created, Accessed, Modified date – Boot password – Password cracking
What are some typical aspects of a computer forensics investigation?• First, those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search.• Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property.• Second, the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.
NATURE OF FORENSIC EVIDENCE• Two basic types of data are collected in computer forensics. – Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off. – Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off.• Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential an investigator knows reliable ways to capture it.
NATURE OF FORENSIC EVIDENCE (Cont’)• Data must be relevant & reliable• Reliability of evidence gathered by tools assessed by judge in pre-trial hearing aka Daubert Hearing• Assesses Methodology to gather evidence – Sound scientific practices? – Reliable evidence?
PRE-TRIAL HEARINGS• Frye Test – past method – Responsibility on scientific community – Defined acceptable evidence gathering procedures – Used Peer Reviewed Journals• Daubert Hearing – current method – Offers additional methods to test quality of evidence
DAUBERT HEARING PROCESS• Testing – Is this procedure tested?• Error Rate – What is the error rate of this procedure?• Publication – Has procedure been published and reviewed by peers?• Acceptance – Is the procedure generally accepted within the relevant scientific community?
TYPES OF FORENSIC SOFTWARE• Acquisition Tools• Data Discovery Tools• Internet History Tools• Image Viewers• E-mail Viewers• Password Cracking Tools• Open Source Tools• Mobile Device tools (PDA/Cell Phone)• Large Storage Analysis Tools
MORE ABOUT ELECTRONIC DATA DISCOVERY TOOLS• Analyze data• Retrieve data from different media• Convert between different media and file formats• Extract text & data from documents• Create images of the documents• Print documents• Archive documents
INTERNET HISTORY TOOLS• Reads Information in Complete History Database• Displays List of Visited Sites• Opens URLs in Internet Explorer• Adds URLs to Favorites• Copies URLs• Prints URLS• Saves Listing/Ranges as Text File
IMAGE & E-MAIL VIEWERS• Views Files• Converts Files• Catalogs Files• Side by Side File Comparisons
PASSWORD CRACKING TOOLS • Password Recovery • Allows access to computers • 3 Methods to Crack Passwords – Dictionary Attack – Hybrid Attack – Brute Force AttackSource: http://www-128.ibm.com/developerworks/library/s-crack/
OPEN SOURCE TOOLS• Free tools available to Computer Forensic Specialists• Cover entire scope of forensic tools in use• May more clearly and comprehensively meet the Daubert guidelines than closed source tools• Among the most widely usedSource:http://software.newsforge.com/software/05/04/05/2052235.shtml?tid=129&tid=136&t
MOBILE DEVICE TOOLS• Number and variety of toolkits considerably more limited than for computers• Require examiner to have full access to device• Most tools focus on a single function• Deleted data remains on PDA until successful HotSync with computerSources: http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdfhttp://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt#5
FORENSIC TOOL SUITES – Parben• Provide a lower cost way to – The Coroner’s maximize the tools Toolkit (TCT)• Typically include the most – The Sleuth Kit often used tools (TSK) – EnCase – Forensic Toolkit (FTK) – Maresware
OVERVIEW OF SYSTEMS SECURITY• Ten guidelines: – Remove personally identifiable data from storage media – Store an identical copy of any evidentiary media given to law enforcement – Limit search to goal of investigation – Handle time stamped events in strictest confidence – On networks, packet acknowledgement be via the use of tokens than IP addresses
OVERVIEW OF SYSTEMS SECURITY (Cont’)• Safe storage of all internal logs• Preservation of event logs in external nodes• Put policies in place for actionable items related to attacks• Put policies in place for safeguarding backed up data related to an investigation• Handle disposal of sensitive data in a secure manner
COMPUTER FORENSICS AS A PROFESSION?• Attitudes to computer forensics – Academic – Application of computer science – Application of forensic science – Narrow specialism – Aligned to computer security – Core discipline
ETHICAL BEHAVIOUR IN COMPUTER FORENSICS• There is a very fine line between what is acceptable and what is deemed to be malpractice• Computer Forensics exists in an ethical grey area• Often need to balance self motivation versus legal constraints and procedural considerations
Ethical Behaviour in Computer Forensics• Need to understand the ethical responsibility in Computer Forensics work is to: – Self – Profession – Clients – Subjects – Courts – Society
COMPUTER FORENSICS ETHICAL STANDARDS• What is worse? – Failing to convict the guilty – Convicting the innocent• The role of the investigator is to expose the evidence from a neutral point of view• The Auld Report states that – “It is the duty of an expert to help the court on the matters within his expertise. The duty overrides any obligation to the person from whom he has received instruction or by whom he is paid”
PSYCHOLOGY OF INVESTIGATION• Evaluate the allegation – Who made it ? – Is there a hidden agenda ?• Avoid presumption of guilt• Avoid desire to win• Show all the evidence both contrary and supporting the accusation
PSYCHOLOGY OF INVESTIGATION• Ask yourself the questions – Could the person be innocent ? – Could someone else have done it ?• Keep an open mind• Be impartial• Be rigorous and professional
COMPUTER FORENSICS PRACTITIONERS REQUIRE AWARENESS• To help in making decisions about “doing the right thing”.• To provide material in defending or justifying a particular position.• To protect you as a practitioner.• To consider in terms of practitioner and system liability.• To maintain evidential integrity.
QUESTIONING THE LAW• Is the law always ethical ?• Is the law good and just ?• Was apartheid legislation ethical ?• Just because an act or set of circumstances is permitted in computing does not mean that it is ethical.
AREAS OF KNOWLEDGE• What laws to consider ?• What impact the laws might have on a particular activity• Critical analysis – Are the laws appropriate ? – Are there contradictions in legal provision? – Can the laws be applied to computer forensics ? – Should the laws be challenged ?
EXAMPLE OF REGULATIONS TO CONSIDER• Data Protection Act 1998 – Right of access, Right to prevent processing, Right to compensation• Computer Misuse Act 1990 and Computer Misuse (Amendment) Act 2002• Regulation of Investigatory Powers Act 2000
Example of Regulations to Consider• Human Rights Act 1998• Disability Discrimination Act (1995) and Special Educational Needs and Disability Act 2001
Example of Regulations to Consider• Anti-terrorism, Crime and Security Act 2001 – ISPs (Internet Service Providers) keep track of their customers’ activities over a period of 12 months• Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002
Example of Regulations to Consider• Theft Act 1968, 1978• Protection from Harassment Act 1997• Obscene Publications Act 1959• Protection of Children Act 1978• Criminal Justice Act 1988
EXAMPLE OF REGULATIONS TO CONSIDER• Sexual Offences Act 2003• Anti-terrorism, Crime and Security Act 2001• Patents Act 1977 and the Copyright, Designs and Patents Act 1988 – Intellectual Property, Copyright Law, Patent Law, Trademarks and Passing-off• Design Right (Semiconductor Regulations) 1989
PROFESSIONAL BEHAVIOUR IN COMPUTER FORENSICS• Enhance the resolution of crime involving computers and reduce cyber crime• Ensure robust, reliable, valid and safe processes and procedures• Comply with ethical and legal expectations
PROFESSIONAL BEHAVIOUR IN COMPUTER FORENSICS• Enhance public confidence in computer forensics• Enhance computer security• Promote awareness and understanding• Requires the ability and competence to make appropriate decisions
AREAS OF PROFESSIONAL RESPONSIBILITY• Litigation and Liability• Certification and Licence to practice• Compliance – For example web sites with Disability Discrimination Act• Audit• Dealing with contradictions• Professional and ethical responsibility• Organisational regulation and policy – computing action may be legal but against company policy, e.g. Internet transactions on work computers, e-mail language