This document discusses various topics related to computer forensics, including data acquisition, digital evidence storage formats, acquisition methods, using acquisition tools, validating data acquisition, RAID acquisition methods, remote network acquisition tools, processing crime scenes, and analyzing evidence. It provides details on different types of data acquisition, such as static and live acquisition. It also describes best practices for securing evidence, gathering evidence, and analyzing evidence as part of a computer forensics investigation.
2. Data Acquisition
● Types of acquisition
● Digital evidence storage formats
● Acquisition methods
● Contingency planning
● Using acquisition tools
● Validating data acquisition
● RAID acquisition methods
● Remote network acquisition tools
● Some forensics tools
3. Types of Acquisition
● Static acquisition
  – Acquire data from the original media after the system has been powered down
  – The data on the original media does not change, so the acquisition is repeatable and a second image will hash identically
● Live acquisition
  – Acquire data while the system is running
  – A second live acquisition will not be identical to the first, because memory and disk state keep changing while the system runs
● These slides focus on static acquisition
4. Digital Evidence Storage Formats
● Raw formats
  – Bit-by-bit copy of the data from the disk
  – Many tools can produce and read it
● Proprietary formats
  – Vendors have their own special formats
● Standards
  – XML-based formats for digital evidence
  – Digital Evidence Markup Language (funded by the National Institute of Justice)
  – Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM).
  – http://ncfs.ucf.edu/digital_evd.html
5. Acquisition Methods
● Disk to image file
● Disk to disk
● Logical acquisition
  – Acquire only certain files (e.g. when the disk is too large to image in full)
● Sparse acquisition
  – Similar to logical acquisition, but also collects fragments of unallocated (i.e. deleted) data
6. Compression Methods
● Compression methods are used for very large evidence stores
  – e.g. terabytes/petabytes of storage
● Lossy vs. lossless compression
  – Lossless data compression is a class of data compression algorithms that allows the exact original data to be reconstructed from the compressed data. The term lossless is in contrast to lossy data compression, which only allows an approximation of the original data to be reconstructed, in exchange for better compression rates.
  – Only lossless compression is acceptable for a forensic image: the decompressed image must hash identically to the original media, otherwise the image cannot be validated.
7. Contingency Planning
● A failure may occur during acquisition
  – Plan the recovery methods in advance
● Make multiple copies
  – At least two copies, preferably made with different tools or to different media
● Plan for encryption and decryption (an encrypted evidence drive may need its key before a static image is useful; stored images should be protected so the evidence is not corrupted)
8. Storage Area Network Security Systems
● High-performance networks that connect all the storage systems
  – After a disaster such as a terrorist attack or a natural disaster (9/11 or Katrina), the data has to remain available
  – Database systems are a special kind of storage system
● Benefits include centralized management, scalability, reliability and performance
● Security attacks may target multiple storage devices at once
  – Secure storage is being investigated
9. Network Disaster Recovery Systems
● Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery plan
● Policies and procedures have to be defined and subsequently enforced
● The plan states which machines to shut down, which backup servers to use, and when law enforcement should be notified
10. Using Acquisition Tools
● Acquisition tools have been developed for different operating systems, including Windows, Linux and Mac
● It is important that the evidence drive is write protected; verify the write blocker on a scratch drive before connecting evidence to it
● Example acquisition method:
  – Document the chain of custody for the drive to be acquired
  – Remove the drive from the suspect's computer
  – Connect the suspect drive to a USB or FireWire write-blocker device (if USB, also write protect it via the Registry write-protect feature)
  – Create a storage folder on the target drive
11. Using Acquisition Tools - 2
● Example tools include ProDiscover and AccessData FTK Imager
● Click All Programs and select the specific tool (e.g. ProDiscover)
● Perform the commands
  – e.g. Capture Image
● For additional security, protect the image with a password
13. Validating Data Acquisition
● Create hash values of the source drive and of the image, and compare them
  – CRC-32 (older method, not collision resistant), MD5, SHA series (SHA-1, SHA-256)
● Linux validation
  – Hash utilities are included and can be run from the command line (md5sum, sha256sum)
● Windows validation
  – Older Windows versions have no built-in hash utility, but third-party programs work; current versions include certutil -hashfile and the PowerShell Get-FileHash cmdlet
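The disk-to-image method (slide 5) and the validation step above, as an added example that is not part of the original deck: a bit-stream copy of a simulated evidence device, hashed while it is read, then re-hashed independently to validate the image and a second contingency copy. The device contents, sector size and file names are constructed for the example.

```python
"""Added example (not from the slides): disk-to-image acquisition of a
constructed 'evidence device' with hash validation and a second copy.

Assumptions (not in the original deck): the source device is simulated by
a bytes object written to a temporary file; SECTOR and CHUNK are
hypothetical sizes chosen for readability.
"""
import hashlib
import os
import shutil
import tempfile

SECTOR = 512          # hypothetical sector size of the simulated device
CHUNK = 4 * SECTOR    # read granularity; real tools read much larger blocks


def hash_stream(path, algorithms=("md5", "sha256")):
    """Hash a file in one pass for every requested algorithm (streaming,
    so a multi-terabyte image never has to fit in memory)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_disk_to_image(source_path, image_path):
    """Bit-stream (disk-to-image) copy: every byte of the source, in order,
    written to the image. The source is opened read-only and never written.
    The hashes are computed from the same bytes that are written, so the
    acquisition record reflects exactly what was read from the device."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
            for h in hashers.values():
                h.update(block)
    return {"bytes": copied, **{n: h.hexdigest() for n, h in hashers.items()}}


def validate_image(acquisition_record, image_path):
    """Re-hash the written image independently and compare with the hashes
    recorded at acquisition time. A mismatch in any algorithm means the
    image must not be relied on as evidence."""
    actual = hash_stream(image_path)
    return all(actual[n] == acquisition_record[n] for n in ("md5", "sha256"))


def run_demo():
    """Constructed device: a boot-sector-like header, one 'file' and
    zero-filled unallocated space (8 sectors in total)."""
    device = (b"EB3C90 MSDOS5.0 " + b"\x00" * (SECTOR - 16)
              + b"invoice.docx: order 4711 for 500 widgets\n".ljust(SECTOR, b"\x00")
              + b"\x00" * (SECTOR * 6))
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sdb")               # simulated evidence drive
    img = os.path.join(work, "sdb.dd")            # raw (bit-stream) image
    img2 = os.path.join(work, "sdb_copy2.dd")     # contingency: second copy
    with open(src, "wb") as f:
        f.write(device)
    record = acquire_disk_to_image(src, img)
    shutil.copyfile(img, img2)
    result = {
        "bytes": record["bytes"],
        "image_valid": validate_image(record, img),
        "copy_valid": validate_image(record, img2),
        "source_matches": hash_stream(src)["sha256"] == record["sha256"],
    }
    # Simulate a corrupted copy: one byte of unallocated space flipped.
    with open(img2, "r+b") as f:
        f.seek(SECTOR * 5)
        f.write(b"\x01")
    result["tampered_copy_valid"] = validate_image(record, img2)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Both digests are recorded because examiners still meet tools and reports that use MD5; recording SHA-256 alongside it means the image can be re-verified later without trusting a collision-prone algorithm alone. Note that a single flipped byte in unallocated space, which no file listing would ever show, is enough to fail validation.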
14. RAID Acquisition Methods
● RAID: Redundant Array of Independent Disks
● RAID storage is used for large volumes and to support redundancy through replication
● Data is distributed across the member disks using multiple methods
  – e.g. striping (RAID 0), mirroring (RAID 1), striping with parity (RAID 5)
● When a RAID is acquired, special tools are needed depending on the way the data is laid out: either image the logical volume through the controller, or image each member disk and reassemble the array offline, which requires the stripe size, disk order and parity layout
15. Remote Network Acquisition Tools
● Preview a suspect's files remotely while the computer is in use or powered on
● Perform a live acquisition while the suspect's computer is powered on
● Encrypt the connection between the suspect's computer and the examiner's computer
● Copy the RAM while the computer is powered on
● Use stealth mode to hide the remote connection from the suspect's computer
● Details vary between the individual tools (ProDiscover, EnCase)
16. Some Forensics Tools
● ProDiscover
  – http://www.techpathways.com/prodiscoverdft.htm
  – http://www.techpathways.com/DesktopDefault.aspx
● EnCase
  – http://www.guidancesoftware.com/
  – http://www.guidancesoftware.com/products/ef_index.asp
● NTI SafeBack
  – http://www.forensics-intl.com/safeback.html
18. Processing Crime and Incident Scenes
● Topics
  – Understanding the rules of evidence
  – Collecting evidence in private-sector incident scenes
  – Processing law enforcement crime scenes
  – Steps to processing crime and incident scenes
  – Case study
● Other topics
  – Forensics technologies
19. Securing Evidence
● To secure and catalog evidence, large evidence bags, tape, tags, labels, etc. may be used
● Tamper-resistant evidence security bags
  – Example: EVIDENT
  – "These heavy-duty polyethylene evidence bags require no prepackaging of evidence prior to use. The instantaneous adhesive closure strip is permanent and impossible to open without destroying the seal. A border pattern around the edge of the bag reveals any attempt at cutting or tampering with evidence."
● See also the work of SWGDE (Scientific Working Group on Digital Evidence) and IOCE (International Organization on Computer Evidence)
20. Gathering Evidence
● Bit-stream copy
  – Bit-by-bit copy of the original drive or storage medium
  – A bit-stream image is the file containing the bit-stream copy of all data on a disk
● Using ProDiscover to acquire a thumb drive
  – On the thumb drive, locate the write-protect switch and put the drive in write-protect mode
  – Start ProDiscover
  – Click Action, then Capture Image, from the menu
  – Click Save
  – Enter the name of the technician
  – Select a hash algorithm so the image can be validated later
  – Click OK
22. Understanding the Rules of Evidence
● Federal Rules of Evidence; each state may also have its own rules of evidence
  – www.usdoj.gov
● Computer records are in general hearsay evidence unless they qualify as business records
  – Hearsay evidence is second-hand or indirect evidence
  – Business records are records of regularly conducted business activity, such as memos, reports, etc.
● Computer records consist of computer-generated records and computer-stored records
● Computer-generated records (e.g. log files) are produced by a program without human input; computer-stored records are electronic data a person created and saved (e.g. documents, e-mail)
23. Private-Sector Incident Scenes
● Corporate investigations
  – Employee termination cases, attorney-client privilege investigations, media leak investigations, industrial espionage investigations
● Private-sector incident scenes
  – The private sector includes private corporations and government agencies not involved with law enforcement
  – Such government agencies must comply with state public disclosure laws and the federal Freedom of Information Act, and make certain documents available as public records
  – Law enforcement is called in if needed (if the investigation becomes a criminal investigation)
24. Law Enforcement Crime Scenes
● A law enforcement officer may seize criminal evidence only with probable cause, which requires that
  – A specific crime was committed
  – Evidence of the crime exists
  – The place to be searched contains the evidence
● The forensics team should know the terminology used in warrants
● To prepare for a search and carry out an investigation, the following steps have to be carried out
  – Identify the nature of the case, the type of computing system involved, whether the computer can be seized, the location, who is in charge, and the tools needed
25. Steps to Processing Crime and Incident Scenes
● Seizing a computer incident or crime scene
● Seizing the digital evidence at the crime scene
● Storing the digital evidence
● Obtaining a digital hash
● Conducting analysis and reporting
● Reference: Chapter 5
26. Case Study (Chapter 5)
● Company A (Mr. Jones) gets an order for widgets from Company B. When the order is ready, B says it did not place the order. A then retrieves the e-mail sent by B. B states it did not send the e-mail. What should A do?
● Steps to carry out
  – Close Mr. Jones's Outlook
  – Use Windows Explorer to locate the Outlook PST file that holds Mr. Jones's business e-mail
  – Determine the size of the PST and connect an appropriately sized media device (e.g. USB)
  – Copy the PST to the external USB drive and hash both the original and the copy
  – Fill out the evidence form (date/time, etc.)
  – Leave Company A, return to the investigation desk and carry out the investigation
27. Digital Forensics Analysis
● Digital forensics analysis techniques
● Reconstructing past events
● Conclusion and links
● References
  – http://www.gladyshev.info/publications/thesis/
    Formalizing Event Reconstruction in Digital Investigations, Pavel Gladyshev, Ph.D. dissertation, 2004, University College Dublin, Ireland (main reference)
  – http://www.porcupine.org/forensics/forensic-discovery/chapter3.html (background on file systems)
29. Search Techniques
● Search techniques
  – This group of techniques searches the collected information to answer the question of whether objects of a given type, such as hacking tools or pictures of a certain kind, are present in the collected information.
  – According to the level of search automation, techniques can be grouped into manual browsing and automated searches. Automated searches include keyword search, regular expression search, approximate matching search, custom searches, and search of modifications.
● Manual browsing
  – Manual browsing means that the forensic analyst browses the collected information and singles out objects of the desired type. The only tool used in manual browsing is a viewer of some sort. It takes a data object, such as a file or network packet, decodes the object and presents the result in a human-comprehensible form. Manual browsing is slow. Most investigations collect large quantities of digital information, which makes manual browsing of the entire collection unacceptably time consuming.
30. Search Techniques
● Keyword search
  – This is an automatic search of digital information for data objects containing specified keywords. It is the earliest and most widespread technique for speeding up manual browsing. The output of a keyword search is the list of data objects found.
  – Keywords are rarely sufficient to specify the desired type of data object precisely. As a result, the output of a keyword search can contain false positives: objects that do not belong to the desired type even though they contain the specified keywords. To remove false positives, the forensic scientist has to manually browse the data objects found by the keyword search.
  – Another problem of keyword search is false negatives: objects of the desired type that are missed by the search. False negatives occur if the search utility cannot properly interpret the data objects being searched. This may be caused by encryption, compression, or the inability of the search utility to interpret novel data formats, including alternative character encodings (for example, UTF-16 strings on Windows systems are missed by a plain byte search for ASCII keywords).
  – Standard practice prescribes (1) choosing words and phrases highly specific to the objects of the desired type, such as specific names, addresses, bank account numbers, etc.; and (2) specifying all possible variations of these words.
31. Search Techniques
● Regular expression search
  – Regular expression search is an extension of keyword search. Regular expressions provide a more expressive language for describing objects of interest than keywords. Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses and for files of a specific type. The forensic utility EnCase performs regular expression searches.
  – Regular expression searches suffer from false positives and false negatives just like keyword searches, because not all types of data can be adequately defined using regular expressions.
32. Search Techniques
● Approximate matching search
  – Approximate matching search is a development of regular expression search. It uses a matching algorithm that permits character mismatches when searching for a keyword or pattern. The user must specify the degree of mismatch allowed.
  – Approximate matching can detect misspelled words, but permitting mismatches also increases the number of false positives. One of the utilities used for approximate search is agrep.
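The three automated techniques from slides 30 to 32 run over one small constructed corpus, as an added example that is not part of the original deck. The corpus, the e-mail pattern and the Levenshtein-based approximate matcher are this example's own assumptions (agrep uses a different, faster algorithm). The corpus is built so that each technique's false positive and false negative from the text actually shows up: a binary cache hit on the keyword, a UTF-16 object the byte search misses, and a misspelled keyword that only the approximate search finds.

```python
"""Added example (not from the slides): keyword, regular expression and
approximate matching searches over a constructed set of data objects."""
import re

# Constructed corpus: (object name, raw content). Not real evidence.
CORPUS = [
    ("notes.txt", b"Transfer to account 4711-22 confirmed by J. Smith"),
    ("mail.eml", b"From: j.smith@example.com\nSubject: acount 4711-22 invoice"),
    ("chat.log", b"bob: send it to jsmith@example.org later"),
    ("cache.bin", b"\x00\x01 account \x00 number \x00"),       # keyword hit, irrelevant object
    ("unicode.txt", "account 4711-22".encode("utf-16-le")),  # missed by a byte search
]


def keyword_search(corpus, keywords):
    """Keyword search: names of objects containing any keyword (byte compare)."""
    return [name for name, data in corpus if any(k in data for k in keywords)]


def keyword_search_all_encodings(corpus, keywords):
    """Mitigation for one class of false negatives: search each keyword in
    its UTF-16-LE form as well, which catches the object a plain byte
    search misses."""
    variants = list(keywords) + [k.decode().encode("utf-16-le") for k in keywords]
    return keyword_search(corpus, variants)


# Assumed pattern for Internet e-mail addresses (good enough for triage,
# not a full RFC 5322 grammar).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def regex_search(corpus, pattern=EMAIL_RE):
    """Regular expression search: object name -> list of matched strings."""
    hits = {}
    for name, data in corpus:
        found = pattern.findall(data)
        if found:
            hits[name] = [m.decode() for m in found]
    return hits


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def approximate_search(corpus, keyword, max_mismatch):
    """Approximate matching: windows of length len(keyword) +/- max_mismatch
    slide over each object; a hit is any window within max_mismatch edits
    of the keyword. Case-insensitive, like agrep -i."""
    key = keyword.lower()
    k = len(key)
    hits = []
    for name, data in corpus:
        text = data.lower()
        if any(edit_distance(text[i:i + w], key) <= max_mismatch
               for i in range(len(text))
               for w in range(max(1, k - max_mismatch), k + max_mismatch + 1)):
            hits.append(name)
    return hits
```

The keyword search returns cache.bin (a false positive the analyst has to browse and discard) and misses unicode.txt (a false negative caused by encoding); the approximate search with one permitted mismatch recovers the misspelled "acount" in mail.eml, which neither the keyword nor the regex search finds.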
33. Search Techniques
● Custom searches
  – The expressiveness of regular expressions is limited. Searches for objects satisfying more complex criteria are programmed using a general-purpose programming language. For example, the FILTER_1 tool from New Technologies Inc. uses a heuristic procedure to find full names of persons in the collected information. Most custom searches, including the FILTER_1 tool, suffer from false positives and false negatives.
34. Search Techniques
● Search of modifications
  – Search of modifications is an automated search for data objects that have been modified since a specified moment in the past. Modification of data objects that are not usually modified, such as operating system utilities, can be detected by comparing their current hash with their expected hash. A library of expected hashes must be built prior to the search. Several tools for building libraries of expected hashes are described under "file hashes".
  – Modification of a file can also be inferred from modification of its timestamp. Although plausible in many cases, this inference is circumstantial. The investigator assumes that a file is always modified simultaneously with its timestamp, and since the timestamp is modified, infers that the file was modified too. This is a form of event reconstruction. Timestamps can be set to any value by anyone with write access to the file, so a hash comparison is the stronger evidence of the two.
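Search of modifications carried through in code, as an added example that is not part of the original deck: a library of expected hashes is built from a known-good tree, then the same tree is checked after a constructed intrusion. The tree, its contents and the library format (relative path to SHA-256) are assumptions of this example. It shows why the hash comparison beats the timestamp inference: a replaced utility with a back-dated mtime is still caught, while a file whose timestamp changed without any content change is reported separately as circumstantial.

```python
"""Added example (not from the slides): search of modifications with a
library of expected hashes, contrasted with timestamp inference."""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def _relpaths(root):
    """Yield (relative path with '/' separators, absolute path) for every file."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            yield os.path.relpath(p, root).replace(os.sep, "/"), p


def build_hash_library(root):
    """Walk a known-good tree and record the expected hash of every file."""
    return {rel: sha256_file(p) for rel, p in _relpaths(root)}


def search_modifications(root, library, since):
    """Return (modified, new, timestamp_only):
    modified       - hash differs from the library (content changed)
    new            - not in the library at all
    timestamp_only - hash matches but mtime is after `since`; circumstantial,
                     e.g. a copy or touch that changed no content."""
    modified, new, timestamp_only = [], [], []
    for rel, p in _relpaths(root):
        digest = sha256_file(p)
        if rel not in library:
            new.append(rel)
        elif digest != library[rel]:
            modified.append(rel)
        elif os.stat(p).st_mtime > since:
            timestamp_only.append(rel)
    return sorted(modified), sorted(new), sorted(timestamp_only)


def run_demo():
    """Constructed scenario on a temporary 'system' tree."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    originals = {"ls": b"ELF ls v1", "ps": b"ELF ps v1", "netstat": b"ELF netstat v1"}
    for name, body in originals.items():
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(body)
    library = build_hash_library(root)        # baseline taken while clean
    baseline = time.time()
    yesterday = baseline - 86400
    for name in originals:                    # pretend the install is a day old
        os.utime(os.path.join(bin_dir, name), (yesterday, yesterday))
    # Intruder replaces ps and back-dates its timestamps to hide the change
    with open(os.path.join(bin_dir, "ps"), "wb") as f:
        f.write(b"ELF ps trojan")
    os.utime(os.path.join(bin_dir, "ps"), (yesterday, yesterday))
    # Intruder drops a new tool
    with open(os.path.join(bin_dir, "sniff"), "wb") as f:
        f.write(b"ELF sniff")
    # Administrator re-copies ls: content unchanged, mtime is now
    os.utime(os.path.join(bin_dir, "ls"), None)
    result = search_modifications(root, library, since=baseline - 1)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(run_demo())
```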
35. 35
Event Reconstruction
●
Search techniques are commonly used for finding incriminating information,
because “currently, mere possession of a digital computer links a suspect to all the
data it contains”.
●
However, the mere presence of objects does not prove that the owner of the
computer is responsible for putting the objects in it.
●
Apart from the owner, the objects can be generated automatically by the system. Or
they can be planted by an intruder or virus program. Or they can be left by the
previous owner of the computer.
●
To determine who is responsible, the investigator must reconstruct the events in the
past that caused the presence of the objects.
●
Reconstruction of events inside a computer requires understanding of computer
functionality.
●
Many techniques emerged for reconstructing events in specific operating systems.
They can be classified according to the primary object of analysis.
●
Two major classes are identified:
– log file analysis and file system analysis.
●
Log file analysis
– A log file is a purposefully generated record of past events in a computer system;
organized as a sequence of entries. An entry usually consists of a timestamp, an
identifier of the process that generated the entry, and some description of the reason for
generating an entry.
– It is common to have multiple log files on a single computer system. Different log files
are usually created by the operating system for different types of events. In addition,
many applications maintain their own log files.
– Log file entries are generated by the system processes when something important (from
the process's point of view) happens. For example, a TCP wrapper process may
generate one log file entry when a TCP connection is established and another log file
entry when the TCP connection is released.
– Knowledge of the circumstances in which processes generate log file entries permits
the forensic scientist to infer from the presence or absence of log file entries that certain events
happened. For example, from the presence of two log file entries generated by the TCP wrapper
for some TCP connection X, the forensic scientist can conclude that
●
TCP connection X happened
●
X was established at the time of the first entry
●
X was released at the time of the second entry
– This reasoning rests on implicit assumptions. It is assumed that the log file entries
were generated by the TCP wrapper, which functioned according to the expectations of
the forensic scientist; that the entries have not been tampered with; and that the
timestamps on the entries reflect the real time of the moments when the entries were
generated. It is not always possible to verify these assumptions, which results in
several possible explanations for the appearance of the log file entries.
– For example, if the possibility of tampering cannot be excluded, then forgery of the log file entries is a
possible explanation for their existence. To combat the uncertainty caused by multiple explanations, the forensic
analyst seeks corroborating evidence, which can reduce the number of possible explanations or give stronger
support to one explanation.
– Determining temporal order with timestamps.
●
Timestamps on log file entries are commonly used to determine the temporal order of entries from
different log files. The process is complicated by two time-related problems, even if the possibility of
tampering is excluded.
●
First problem: the log file entries may be recorded on different computers with different system clocks.
Apart from individual clock imprecision, there may be an unknown skew between the clocks used to
produce each of the timestamps. If the skew is unknown, it is possible that the entry with the smaller
timestamp was generated after the entry with the bigger timestamp.
●
Second problem: the resolution of the clocks may be too coarse. As a result, the entries may have identical
timestamps, in which case it is also not possible to determine whether one entry was generated before
the other.
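The following is an added example, not from the slides, serving both the TCP wrapper reasoning above (establish and release entries for a connection X) and the two timestamp problems: it parses tcpd-style syslog entries, pairs the establish and release entry of each connection, and decides whether two entries can be ordered once an unknown clock skew and a coarse clock resolution are taken into account. The log lines, host names and addresses are constructed; the "disconnect from" message text and the year (syslog timestamps carry none) are assumptions of this example.

```python
# Added example, not from the slides: parse tcpd-style syslog entries,
# pair the 'connect' and 'disconnect' entries of each TCP connection the
# way the text describes, and decide whether two entries can be ordered
# in time once clock skew and clock resolution are accounted for. The
# log lines, host names and addresses are constructed; the 'disconnect
# from' message and the year are assumptions of this demo.
import re
from dataclasses import dataclass
from datetime import datetime

LOG_LINES = """\
Mar 12 10:15:02 hostA sshd[4412]: connect from 192.0.2.10
Mar 12 10:15:30 hostB httpd[811]: connect from 203.0.113.5
Mar 12 10:15:31 hostB httpd[811]: disconnect from 203.0.113.5
Mar 12 10:15:40 hostA sshd[4412]: disconnect from 192.0.2.10
Mar 12 10:15:40 hostA sshd[4413]: connect from 192.0.2.11
Mar 12 10:16:05 hostA ftpd[4420]: connect from 198.51.100.7
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\S+)\[(?P<pid>\d+)\]: (?P<action>connect|disconnect) from (?P<peer>\S+)$")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    host: str
    prog: str
    pid: int
    action: str
    peer: str


@dataclass(frozen=True)
class Connection:
    host: str
    prog: str
    pid: int
    peer: str
    established: datetime
    released: datetime

    @property
    def duration(self) -> float:
        return (self.released - self.established).total_seconds()


def parse(lines, year=2024):
    """syslog timestamps carry no year; the caller supplies it (assumed)."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append(Entry(ts, m["host"], m["prog"], int(m["pid"]),
                             m["action"], m["peer"]))
    return entries


def pair_connections(entries):
    """Match each connect with the later disconnect of the same process and
    peer. Entries that cannot be paired are returned separately: a missing
    release entry means the connection's end is not evidenced by the log."""
    open_conns, connections, unmatched = {}, [], []
    for e in entries:
        key = (e.host, e.prog, e.pid, e.peer)
        if e.action == "connect":
            if key in open_conns:
                unmatched.append(open_conns[key])
            open_conns[key] = e
        elif key in open_conns:
            start = open_conns.pop(key)
            connections.append(Connection(*key, start.ts, e.ts))
        else:
            unmatched.append(e)  # release without an establish entry
    unmatched.extend(open_conns.values())
    return connections, unmatched


def order(a: Entry, b: Entry, max_skew_seconds: float) -> str:
    """'before' if a certainly preceded b, 'after' if it certainly
    followed, 'undetermined' otherwise. Same host: identical timestamps
    (coarse clock) cannot be ordered. Different hosts: an unknown skew of
    up to max_skew_seconds can flip any smaller difference."""
    delta = (b.ts - a.ts).total_seconds()
    if a.host == b.host:
        if delta == 0:
            return "undetermined"
    elif abs(delta) <= max_skew_seconds:
        return "undetermined"
    return "before" if delta > 0 else "after"


if __name__ == "__main__":
    entries = parse(LOG_LINES)
    conns, unmatched = pair_connections(entries)
    for c in conns:
        print(f"{c.host} {c.prog}[{c.pid}] {c.peer}: {c.duration:.0f}s")
    print("unpaired entries:", len(unmatched))
    print(order(entries[0], entries[1], max_skew_seconds=60))
```

With a skew bound of 60 seconds the hostA and hostB connect entries (28 seconds apart) cannot be ordered; with a bound of 10 seconds they can. The two hostA entries that share the timestamp 10:15:40 remain unordered regardless of skew.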
●
File system analysis
– In most operating systems, a data storage device is represented at the lowest
logical level by a sequence of equally sized storage blocks that can be read and
written independently.
– Most file systems divide all blocks into two groups. One group is used for
storing user data, and the other group is used for storing structural information.
– Structural information includes the structure of the directory tree, file names, locations
of data blocks allocated to individual files, locations of unallocated blocks, etc. The
operating system manipulates structural information in a certain well-defined
way that can be exploited for event reconstruction.
– Detection of deleted files.
●
Information about individual files is stored in standardized file entries whose organization
differs from file system to file system.
●
In Unix file systems, the information about a file is stored in a combination of an i-node and
the directory entries pointing to that i-node.
●
In the Windows NT file system (NTFS), information about a file is stored in an entry of the
Master File Table.
●
When a disk or a disk partition is first formatted, all such file entries are set to an initial “unallocated”
value.
●
When a file entry is allocated for a file, it becomes active. Its fields are filled with proper
information about the file.
●
In most file systems, however, the file entry is not restored to the “unallocated” value when
the file is deleted. As a result, the presence of a file entry whose value differs from the initial
“unallocated” value indicates that the file entry once represented a file, which was
subsequently deleted.
– File attribute analysis.
●
Every file in a file system, whether active or deleted, has a set of attributes such as
name, access permissions, timestamps and the location of disk blocks allocated to the file.
●
File attributes change when applications manipulate files via operating system calls.
●
File attributes can be analyzed in the same way as log file entries.
– Timestamps are a particularly important source of information for event reconstruction.
●
In most file systems a file has at least one timestamp. In NTFS, for example, every
active (i.e. non-deleted) file has three timestamps, which are collectively known as
MAC-times.
– Time of last Modification (M)
– Time of last Access (A)
– Time of Creation (C)
●
Imagine that there is a log file that records every file operation in the
computer.
●
In this imaginary log file, each of the MAC-times would correspond to the last
entry for the corresponding operation (modification, access, or creation) on
the file entry in which the timestamp is located.
●
To visualize this similarity between MAC-times and the log file, the mactimes
tool from The Coroner's Toolkit sorts the individual MAC-times of files, both active
and deleted, and presents them in a list which resembles a log file.
●
Signatures of different activities can be identified in MAC-times like in
ordinary log files.
●
Following are several such signatures, which have been published.
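The following is an added example, not from the slides and not the mactimes tool itself: a miniature of what the text says mactimes does. The MAC-times of every file are collected, each time value becomes one timeline row, and where a file's m, a and c times coincide they are merged into one row with a flag column ("mac", "m.c", "..c"), so the output reads like a log file. The sample records are constructed; the on-disk demo uses a temporary directory.

```python
# Added example, not from the slides: a miniature of what the text says
# the mactimes tool does. MAC-times of every file are collected, each
# time value becomes a timeline row, and a file whose m, a and c times
# coincide is shown on one row with a flag column ('mac', 'm.c', '..c'),
# so the result reads like a log file. Sample records are constructed.
import os
import shutil
import tempfile
from datetime import datetime, timezone


def collect_mac_times(root: str):
    """(path, mtime, atime, ctime) for every file under root, as epoch
    seconds. Note: on Unix, st_ctime is the inode-change time, not the
    creation time the slide calls 'C'; on Windows it is the creation time."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            records.append((p, st.st_mtime, st.st_atime, st.st_ctime))
    return records


def build_timeline(records):
    """Merge the three timestamps of each file into (time, flags, path)
    rows sorted by time, the way mactime does."""
    flags = {}
    for path, m, a, c in records:
        flags.setdefault((m, path), set()).add("m")
        flags.setdefault((a, path), set()).add("a")
        flags.setdefault((c, path), set()).add("c")
    rows = []
    for (t, path), kinds in sorted(flags.items()):
        col = "".join(k if k in kinds else "." for k in "mac")
        rows.append((t, col, path))
    return rows


def format_timeline(rows):
    return [f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S} {col} {path}"
            for t, col, path in rows]


# Constructed records resembling the 'exploit compiled, run' pattern:
# a source file written, a binary built and later executed (accessed).
SAMPLE_RECORDS = [
    ("/case/home/x/sploit.c", 1000.0, 1000.0, 1000.0),
    ("/case/home/x/a.out",    1050.0, 1200.0, 1050.0),
]


def demo_on_disk():
    """Create one file with known m/a times and build its timeline."""
    root = tempfile.mkdtemp(prefix="mactimes-demo-")
    try:
        p = os.path.join(root, "note.txt")
        with open(p, "w") as f:
            f.write("constructed\n")
        os.utime(p, (1_600_000_000, 1_600_000_000))  # sets a and m; c stays 'now'
        return build_timeline(collect_mac_times(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(SAMPLE_RECORDS))))
    print("\n".join(format_timeline(demo_on_disk())))
```

Deleted files are not visible through os.walk, so on real media the records would come from a file-system parser that also reads unallocated entries; the merging and sorting logic is unchanged.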
●
Restoration of a directory from a backup: The fact that a directory was restored from a backup can be
detected by inequality of the timestamps on the directory itself and on its sub-directories '.' or '..'. When the
directory is first created, both the directory timestamp and the timestamps on its sub-directories '.' and
'..' are equal. When the directory is restored from a backup, the directory itself is assigned the old
timestamp, but its sub-directories '.' and '..' are timestamped with the time of the backup restoration.
●
Exploit compilation, running, and deletion: The signature of compiling, running, and deleting an
exploit program has been explored. It is concluded that when someone compiles, runs, and deletes an
exploit program, we expect to find traces of the deleted program source file, of the deleted executable
file, as well as traces of compiler temporary files.
●
Moving a file: When a file is moved in Microsoft FAT file systems, the old file entry is deleted,
and a new file entry is used in the new location. The new file entry carries the same block allocation
information as the old entry. Thus, the discovery of a deleted file entry whose allocation information is
identical to that of some active file supports the possibility that the file was moved.
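The following is an added example, not from the slides, serving both the "detection of deleted files" discussion (never-used, active and deleted file entries) and the "moving a file" signature just above: a small model of FAT-style directory entries. FAT really marks a never-used entry with a first name byte of 0x00 and a deleted one with 0xE5; the remaining fields and the entry table are constructed and simplified for the demonstration.

```python
# Added example, not from the slides: a small model of FAT-style directory
# entries showing (1) how never-used, active and deleted entries are told
# apart and (2) the 'moved file' signature, where a deleted entry carries
# the same allocation information as an active one. The entry table is
# constructed for the demonstration. FAT really marks a never-used entry
# with a first name byte of 0x00 and a deleted one with 0xE5; the rest of
# the layout here is simplified.
from dataclasses import dataclass

NEVER_USED = 0x00   # initial 'unallocated' value written by format
DELETED = 0xE5      # first name byte overwritten on deletion


@dataclass(frozen=True)
class DirEntry:
    directory: str      # path of the directory holding this entry
    name: bytes         # 11-byte 8.3 name as stored on disk
    first_cluster: int  # allocation information: first data cluster
    size: int           # file size in bytes


def classify(entry: DirEntry) -> str:
    """unused: still holds the format-time value; deleted: the name's
    first byte was replaced but the other fields still describe a file."""
    first = entry.name[0]
    if first == NEVER_USED:
        return "unused"
    if first == DELETED:
        return "deleted"
    return "active"


def display_name(entry: DirEntry) -> str:
    """Render the 8.3 name; a deleted entry's first character is lost, so
    it is shown as '?'."""
    if classify(entry) == "unused":
        return f"{entry.directory}\\<unused slot>"
    raw = entry.name
    if raw[0] == DELETED:
        raw = b"?" + raw[1:]
    base = raw[:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    return f"{entry.directory}\\{base}" + (f".{ext}" if ext else "")


def deleted_entries(entries):
    """Entries that once represented files and were subsequently deleted."""
    return [e for e in entries if classify(e) == "deleted"]


def find_moved_files(entries):
    """Pair each deleted entry with active entries whose allocation
    information (first cluster and size) is identical: evidence that the
    file was moved rather than removed."""
    active = [e for e in entries if classify(e) == "active"]
    moves = []
    for d in deleted_entries(entries):
        for a in active:
            if (a.first_cluster, a.size) == (d.first_cluster, d.size):
                moves.append((display_name(d), display_name(a)))
    return moves


ENTRIES = [  # constructed sample, as if read from two directories
    DirEntry("\\DOCS", b"README  TXT", first_cluster=5, size=1200),
    DirEntry("\\DOCS", b"\xe5OTES   TXT", first_cluster=9, size=4096),
    DirEntry("\\ARCHIVE", b"NOTES   TXT", first_cluster=9, size=4096),
    DirEntry("\\DOCS", b"\xe5LD     LOG", first_cluster=20, size=300),
    DirEntry("\\DOCS", b"\x00" * 11, first_cluster=0, size=0),
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{classify(e):8s} {display_name(e)}")
    print("moved:", find_moved_files(ENTRIES))
```

The deleted NOTES entry shares its first cluster and size with an active entry in another directory, which is the move signature; the deleted LOG entry has no active twin and is a candidate for recovery instead.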
– Reconstruction of deleted files.
●
In most file systems file deletion does not erase the information stored in the file.
Instead, the file entry and the data blocks used by the file are marked as unallocated,
so that they can be reused later for another file. Thus, unless the data blocks and the
deleted file entry have been re-allocated to another file, the deleted file can usually be
recovered by restoring its file entry and data blocks to active status.
●
Even if the file entry and some of the data blocks have been re-allocated, it may still be
possible to reconstruct parts of the file. The lazarus tool, for example, uses several
heuristics to find and piece together blocks that could have once belonged to a file.
Lazarus uses heuristics about file systems and common file formats:
●
in most file systems, a file begins at the beginning of a disk block; most file systems
write a file into contiguous blocks, if possible; most file formats have a distinguishing
pattern of bytes near the beginning of the file; and for most file formats, the same type of data
is stored in all blocks of a file.
●
Lazarus analyses disk blocks sequentially. For each block, lazarus tries to determine (1) the type of
data stored in the block, by calculating heuristic characteristics of the data in the block; and (2)
whether the block is the first block in a file, using well-known file signatures. Once a block is
determined to be a “first block”, all subsequent blocks with the same type of information are
appended to it until a new “first block” is found.
●
This process can be viewed as a very crude and approximate reconstruction based on some
knowledge of the file system and application programs. Each reconstructed file can be seen as a
statement that that file was once created by an application program, which was able to write such a
file.
●
Since lazarus makes very bold assumptions about the file system, its reconstruction is highly
unreliable. Despite that fact, lazarus works well for small files that fit entirely in one disk block.
●
The effectiveness of tools such as lazarus can probably be improved by using more sophisticated
techniques for determining the type of information contained in a disk block. One such technique
that employs support vector machines
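The following is an added example, not from the slides and not lazarus's own code: a toy of the two-step procedure described above. Each block is typed by a byte heuristic (text, binary or all zeros) and checked against a few well-known file signatures to see whether it starts a file; blocks of the same type are appended to the current file until a new first block appears. The "disk image" is constructed, and the 16-byte block size is chosen so the image fits on screen.

```python
# Added example, not from the slides and not lazarus's own code: a toy of
# the two-step procedure described above. Each block is (1) typed by a
# byte heuristic and (2) checked against well-known file signatures to
# see whether it starts a file; blocks of the same type are appended to
# the current file until a new first block appears. The 'disk image' is
# constructed, and the 16-byte block size is chosen so it fits on screen.
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # real media use 512 or 4096; tiny here for the demo
SIGNATURES = {   # well-known leading bytes -> format name
    b"#!/": "script",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"GIF8": "gif",
}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def block_kind(block: bytes) -> str:
    """Crude content heuristic: 'zero' (unused), 'text' or 'binary'."""
    if not block.strip(b"\x00"):
        return "zero"
    printable = sum(b in PRINTABLE for b in block)
    return "text" if printable / len(block) >= 0.9 else "binary"


def first_block_format(block: bytes):
    """Format name if the block starts with a known signature, else None."""
    for magic, fmt in SIGNATURES.items():
        if block.startswith(magic):
            return fmt
    return None


@dataclass
class CarvedFile:
    fmt: str          # signature name, or the content kind if none
    kind: str
    start: int        # index of the first block
    data: bytes = field(default=b"")


def carve(image: bytes):
    """Walk the image block by block and stitch files together."""
    files, current = [], None
    for idx in range(0, len(image), BLOCK_SIZE):
        block = image[idx:idx + BLOCK_SIZE]
        kind = block_kind(block)
        if kind == "zero":
            current = None  # treat as unallocated space; close the file
            continue
        fmt = first_block_format(block)
        if fmt is not None or current is None or current.kind != kind:
            current = CarvedFile(fmt or kind, kind, idx // BLOCK_SIZE)
            files.append(current)
        current.data += block
    return files


# Constructed image: a shell script, a PNG, a PDF and an orphan text block.
IMAGE = b"".join([
    b"#!/bin/sh\necho h",
    b"ello world\n# end",
    b"\x00" * 16,
    b"\x89PNG\r\n\x1a\n" + bytes(range(0x80, 0x88)),
    bytes(range(0x90, 0xA0)),
    b"%PDF-1.4\n1 0 obj",
    b"<< /Type /Catalo",
    b"\x00" * 16,
    b"orphan text line",
])

if __name__ == "__main__":
    for f in carve(IMAGE):
        print(f"{f.fmt:7s} block {f.start:2d} {len(f.data):3d} bytes {f.data[:12]!r}")
```

The assumptions the slide calls bold are visible in the code: a change of content type ends a file even when the real file simply mixes text and binary data, and a file written to non-contiguous blocks is split or merged with its neighbours.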
What is Lazarus?
●
Lazarus is a program that attempts to resurrect deleted files
or data from raw data - most often the unallocated portions of
a Unix file system, but it can be used on any data, such as
system memory, swap, etc.
●
It has two basic logical pieces - one that grabs input from a
source and another that dissects, analyzes, and reports on its
findings.
●
It can be used for recovering lost data and files (accidentally
removed by yourself or maliciously), as a tool for better
understanding how a Unix system works, investigate/spy on
system and user activity, etc.
Time Analysis
●
Timestamps are a readily available source of time, but they are easy to forge.
●
Several attempts have been made to determine the time of an event using sources other
than timestamps.
●
Currently, two such methods have been published: time bounding and
dynamic time analysis.
●
Time bounding
– Timestamps can be used for determining the temporal order of events. The inverse
of this process is also possible: if the temporal order of events is known a priori,
it can be used to estimate the time of the events.
– Suppose that three events A, B, and C happened. Suppose also that it is known
that event A happened before event B, and that event B happened before event
C. The time of event B must, therefore, be bounded by the times of events A
and C.
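The following is an added example, not from the slides: the bounding argument for A, B and C carried out for any number of events. Lower bounds flow forward along the known order and upper bounds flow backward until nothing changes, and an event whose earliest time exceeds its latest exposes contradictory evidence. Times are epoch seconds; the events and values are constructed.

```python
# Added example, not from the slides: the bounding argument above, carried
# out for any number of events. Known times are epoch seconds; 'before'
# pairs state the order known a priori. Unknown bounds stay at +/-inf.
# The events and values are constructed.
from math import inf


def bound_event_times(known: dict, before: list) -> dict:
    """Return {event: (earliest, latest)} consistent with the known times
    and the ordering constraints (a, b) meaning 'a happened no later than
    b'. Lower bounds flow forward along the constraints, upper bounds
    flow backward, until nothing changes. A contradiction (an event
    whose earliest time exceeds its latest) raises ValueError."""
    events = set(known) | {e for pair in before for e in pair}
    lo = {e: known.get(e, -inf) for e in events}
    hi = {e: known.get(e, inf) for e in events}
    changed = True
    while changed:
        changed = False
        for a, b in before:
            if lo[a] > lo[b]:
                lo[b] = lo[a]
                changed = True
            if hi[b] < hi[a]:
                hi[a] = hi[b]
                changed = True
    for e in events:
        if lo[e] > hi[e]:
            raise ValueError(f"inconsistent evidence: {e} in ({lo[e]}, {hi[e]})")
    return {e: (lo[e], hi[e]) for e in sorted(events)}


def is_consistent(known: dict, before: list) -> bool:
    """True if some assignment of times satisfies the evidence."""
    try:
        bound_event_times(known, before)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A and C are timestamped (assumed tamper-free); B, D and E are not,
    # but their order relative to A and C is known.
    bounds = bound_event_times(
        known={"A": 100.0, "C": 200.0},
        before=[("D", "A"), ("A", "B"), ("B", "C"), ("C", "E")])
    for event, (earliest, latest) in bounds.items():
        print(f"{event}: {earliest} .. {latest}")
```

The loop terminates because each bound only moves once per known value and stops at infinity; a cycle among events with no known time simply leaves them unbounded.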
●
Dynamic time analysis
– External sources of time may be used; one could exploit the ability of web servers to insert
timestamps into the web pages which they transmit to client computers.
– As a result of this insertion, a web page stored in a web browser's disk cache has two timestamps.
– The first timestamp is the creation time of the file which contains the web page. The second
timestamp is the timestamp inserted by the web server.
– The offset between the two timestamps of the web page reflects the deviation of the local clock from
real time. It is proposed to use that offset to calculate the real time of other timestamps on the local
machine.
– To improve precision, it is proposed to use the average offset calculated for a number of web pages
downloaded from different web servers.
– This analysis assumes that (1) the timestamps have not been tampered with, and that (2) the offset between
the system clock and real time is constant at all times (or at least does not deviate dramatically).
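The following is an added example, not from the slides: it estimates the local clock's deviation from real time from the server-inserted Date headers of cached pages, averages it over several pages as the text proposes, and uses the result to correct another local timestamp. The spread between per-page offsets is reported as a check on assumption (2). The cache entries and times are constructed; the header format is the standard HTTP Date format.

```python
# Added example, not from the slides: estimate the local clock's offset
# from real time using the server-inserted Date headers of cached web
# pages, then correct other local timestamps with it. Cache entries and
# times are constructed; the header format is the standard HTTP Date format.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# (local creation time of the cache file, Date header the server sent)
CACHE_ENTRIES = [
    (datetime(2024, 3, 12, 10, 20, 30, tzinfo=timezone.utc), "Tue, 12 Mar 2024 10:15:30 GMT"),
    (datetime(2024, 3, 12, 11, 2, 2, tzinfo=timezone.utc),   "Tue, 12 Mar 2024 10:57:00 GMT"),
    (datetime(2024, 3, 12, 12, 30, 0, tzinfo=timezone.utc),  "Tue, 12 Mar 2024 12:25:02 GMT"),
]


def page_offsets(entries):
    """local - server for each cached page. Download latency makes every
    local time slightly late; that bias is small next to a clock error."""
    return [local - parsedate_to_datetime(header) for local, header in entries]


def estimate_clock_offset(entries):
    """Average offset over several pages from different servers, as the
    text proposes. Also returns the spread (max - min) as a check on the
    assumption that the offset was constant: a large spread means the
    clock drifted, was reset, or a header was not trustworthy."""
    offsets = page_offsets(entries)
    mean = sum(offsets, timedelta()) / len(offsets)
    spread = max(offsets) - min(offsets)
    return mean, spread


def to_real_time(local_ts: datetime, offset: timedelta) -> datetime:
    """Convert a timestamp taken from the local machine to real time."""
    return local_ts - offset


def correct_iso(local_iso: str, offset: timedelta) -> str:
    """Same correction for a timestamp given as an ISO 8601 string."""
    return to_real_time(datetime.fromisoformat(local_iso), offset).isoformat()


if __name__ == "__main__":
    offset, spread = estimate_clock_offset(CACHE_ENTRIES)
    print(f"clock runs {offset.total_seconds():+.0f}s from real time "
          f"(spread {spread.total_seconds():.0f}s)")
    # a constructed suspect file timestamp from the same machine
    print("real time:", correct_iso("2024-03-12T13:00:00+00:00", offset))
```

In the constructed data the three pages give offsets of 300, 302 and 298 seconds, so the local clock is estimated to run five minutes fast and a file timestamp of 13:00:00 local corresponds to 12:55:00 real time.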
Conclusion
●
The need for effective and efficient digital forensic
analysis has been a major driving force in the
development of digital forensics.
●
Manual browsing was initially the only way to do
digital forensics.
●
It was later augmented with various search utilities
and, more recently, with tools such as mactimes
and lazarus that support more in-depth analysis of
digital evidence.
●
Due to the limited time and manpower available
to a forensic investigation, there is a constant
demand for tools and techniques that increase the