Types of Computer Forensics Technology

1. TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY

Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator. Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery. National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs. NLECTC centers demonstrate new technologies, test commercially available technologies and publish results linking research and practice. National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs. The information directorate entered into a partnership with the NIJ via the auspices of the NLECTC, to test the new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.

COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000) ****

CFX-2000 is an integrated forensic analysis framework. The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework. The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes SI-FI integration environment. The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation. The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence. Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations.

COMPUTER FORENSICS

UNIT I PART II

 Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents. The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection. The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals. As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks.

CFX-2000 Schematic

2. TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY

Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.

Computer Evidence Processing Procedures

Processing procedures and methodologies should conform to federal computer evidence processing standards. COMPUTER FORENSICS UNIT I PART II

1. Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences. Computer evidence can be useful in criminal cases, civil disputes, and human resources/ employment proceedings. Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution. SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches. SafeBack technology has become a worldwide standard in making mirror image backups since 1990.

MIRROR IMAGE BACKUP SOFTWARE - SAFEBACK *****

SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirrorimage copy of an entire hard disk drive or partition. SafeBack image files cannot be altered or modified to alter the reproduction. This is because SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives.

PRIMARY USES
Used to create evidence-grade backups of hard disk drives on Intel-based computer systems. Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity. Used as an evidence preservation tool in law enforcement and civil litigation matters. Used as an intelligence gathering tool by military agencies.

PROGRAM FEATURES AND BENEFITS

DOS based for ease of operation and speed. Provides a detailed audit trail of the backup process for evidence documentation purposes. Checks for possible data hiding when sector cyclic redundancy checks (CRCs) do not match on the target hard disk drive. These findings are automatically recorded in the SafeBack audit log file. Allows the archive of non-DOS and non-Windows hard disk drives (Unix on an Intel-based computer system). Allows for the backup process to be made via the printer port.

COMPUTER FORENSICS

UNIT I PART II

 Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode. SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is helpful in making copies for archive on CDs. Tried and proven evidence-preservation technology with a 10 years legacy of success in government agencies. Does not compress relevant data to avoid legal arguments that the original computer evidence was altered through data compression or software translation. It is fast and efficient. In spite of the extensive mathematical validation, the latest version of SafeBack runs faster than prior versions. Processing speeds are much faster when state-of-the-art computer systems are used to make the backup. Makes copies in either physical or logical mode at the option of the user. Copies and restores multiple partitions containing one or more operating systems. Can be used to accurately copy and restore most hard disk drives including Windows NT, Windows 2000, and Windows XP in a raid configuration. Accuracy is guaranteed in the backup process through the combination of mathematical CRCs that provides a level of accuracy that far exceeds the accuracy provided by 128-bit CRCs (RSA MD5). Writes to SCSI tape backup units or hard disk drives at the option of the user.

TROJAN HORSE PROGRAMS

The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence. Such programs can also be used to covertly capture sensitive information, passwords, and network logons.

COMPUTER FORENSICS DOCUMENTATION

Without proper documentation, it is difficult to present findings. If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important.

FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously created and relevant evidence. Techniques and automated tools that are used by the experts to capture and evaluate file slack. COMPUTER FORENSICS UNIT I PART II

DATA-HIDING TECHNIQUES
Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and tools that help in the identification of such anomalies.

ANADISK - DISKETTE ANALYSIS TOOL *****

It is primarily used to identify data storage anomalies on floppy diskettes and generic hardware in the form of floppy disk controllers; bios are needed when using this software

PRIMARY USES
Security reviews of floppy diskettes for storage anomalies Duplication of diskettes that are nonstandard or that involve storage anomalies Editing diskettes at a physical sector level Searching for data on floppy diskettes in traditional and nontraditional storage areas Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding techniques

PROGRAM FEATURES AND BENEFITS

DOS-based for ease of operation and speed. No software dongle. Again, software dongles get in the way and they are restrictive. Keyword searches can be conducted at a very low level and on diskettes that have been formatted with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated data-hiding techniques. All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR, and many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used to analyze it. Allows custom formatting of diskettes with extra tracks and sectors. Scans for anomalies will identify odd formats, extra tracks, and extra sectors. Data mismatches, concerning some file formats, are also identified when file extensions have been changed in an attempt to hide data. This software can be used to copy almost any diskette, including most copy-protected diskettes.

COMPUTER FORENSICS

UNIT I PART II

E-COMMERCE INVESTIGATIONS
Net Threat Analyzer can be used to identify past Internet browsing and email activity done through specific computers. The software analyzes a computers disk drives and other storage areas that are generally unknown to or beyond the reach of most general computer users. Net Threat Analyzer avail-able free of charge to computer crime specialists, school officials, and police.

DUAL-PURPOSE PROGRAMS
Programs can be designed to perform multiple processes and tasks at the same time. Computer forensics experts must have hands-on experience with these programs.

TEXT SEARCH TECHNIQUES

Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files.

TEXT SEARCH PLUS *****

This software is used to quickly search hard disk drives, zip disks, and floppy diskettes for key words or specific patterns of text.

PRIMARY USES
Used to find occurrences of words or strings of text in data stored in files, slack, and unallocated file space Used in exit reviews of computer storage media from classified facilities Used to identify data leakage of classified information on non-classified computer systems Used in internal audits to identify violations of corporate policy Used by Fortune 500 corporations, government contractors, and government agencies in security reviews and security risk assessments Used in corporate due diligence efforts regarding proposed mergers Used to find occurrences of keywords strings of text in data found at a physical sector level Used to find evidence in corporate, civil, and criminal investigations that involve computer-related evidence Used to find embedded text in formatted word processing documents (Word-Perfect and fragments of such documents in ambient data storage areas)

COMPUTER FORENSICS

UNIT I PART II

PROGRAM FEATURES AND BENEFITS

DOS-based for ease of operation and speed. No software dongle. Software dongles get in the way and they restrict your ability to process several computers at the same time. Small memory foot print (under 60 KB), which allows the software to run on even the original IBM PC. Compact program size, which easily fits on one floppy diskette with other forensic software utilities. Searches files, slack, and erased space in one fast operation. Has logical and physical search options that maintain compatibility with government security review requirements. User-defined search configuration feature. User configuration is automatically saved for future use. Embedded words and strings of text are found in word processing files. Alert for graphic files (secrets can be hidden in them). Alert for compressed files. High speed operation. This is the fastest tool on the market, which makes for quick searches on huge hard disk drives. Screen and file output. False hits dont stop processing. Government testedspecifically designed for security reviews in classified environments. Currently used by hundreds of law enforcement computer crime units. Currently in use by all of the Big 5 accounting firms. The current version allows for up to 120 search strings to be searched for at one time.

FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT

Computer evidence searches require that the computer specialist know what is being searched for. Many times not all is known about what may be stored on a given computer system. In such cases, fuzzy logic tools can provide valuable leads as to how the subject computer was used.

COMPUTER FORENSICS

UNIT I PART II

INTELLIGENT FORENSIC FILTER - FILTER_G/FILTER_I *****

This forensic filter utility is used to quickly make sense of nonsense in the analysis of ambient data sources (Windows swap/page files, file slack, and data associated with erased files). It is used to quickly identify patterns of English language grammar in ambient data files.

PRIMARY USES
Used as an intelligence gathering tool for quick assessments of a Windows swap/page file to identify past communications on a targeted computer Used as a data sampling tool in law enforcement, military, and corporate investigations Used to quickly identify patterns of English language grammar in ambient data sources Used to identify English language communications in erased file space

PROGRAM FEATURES AND BENEFITS

DOS-based for speed. Automatically processes any data object (a swap file, a file constructed from combined file slack, a file constructed from combined unallocated space, or a Windows swap/page file. Provides output in an ASCII text format that is ready for import into any word processing application.
Capable of quickly processing ambient data files that are up to 2 gigabytes in size.

2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk. They should also demonstrate their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk drives.

3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack security associated with the different file structures.

4. Matching a Diskette to a Computer

Specialized techniques and tools that make it possible to conclusively tie a diskette to a computer that was used to create or edit files stored on it. Computer forensic experts should become familiar how to use special software tools to complete this process. COMPUTER FORENSICS UNIT I PART II

5. Data Compression
Computer forensic experts should become familiar with how compression works and how compression programs can be used to hide and disguise sensitive data and also learn how passwordprotected compressed files can be broken.

6. Erased Files
Computer forensic experts should become familiar with how previously erased files can be recovered by using DOS programs and by manually using data-recovery technique & familiar with cluster chaining.

7. Internet Abuse Identification and Detection

Computer forensic experts should become familiar with how to use specialized software to identify how a targeted computer has been used on the Internet. This process will focus on computer forensics issues tied to data that the computer user probably doesnt realize exists (file slack, unallocated file space, and Windows swap files).

8. The Boot Process and Memory Resident Programs

Computer forensic experts should become familiar with how the operating system can be modified to change data and destroy data at the whim of the person who configured the system. Such a technique could be used to covertly capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts understand these potential risks and how to identify them.

3. TYPES OF BUSINESS COMPUTER FORENSIC TECHNOLOGY ***

The following are different types of business computer forensics technology:

REMOTE MONITORING OF TARGET COMPUTERS

Data Interception by Remote Transmission (DIRT) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center. No physical access is necessary. Application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.

COMPUTER FORENSICS

UNIT I PART II

CREATING TRACKABLE ELECTRONIC DOCUMENTS

Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection tool that allows users to create trackable electronic documents. BAIT identifies (including their location) unauthorized intruders who access, download, and view these tagged documents. BAIT also allows security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents.

THEFT RECOVERY SOFTWARE FOR LAPTOPS AND PCS

What it really costs to replace a stolen computer: The price of the replacement hardware & software. The cost of recreating data, lost production time or instruction time, reporting and investigating the theft, filing police reports and insurance claims, increased insurance, processing and ordering replacements, cutting a check, and the like. The loss of customer goodwill. If a thief is ever caught, the cost of time involved in prosecution.

PC PHONEHOME
PC PhoneHome is a software application that will track and locate a lost or stolen PC or laptop any-where in the world. It is easy to install. It is also completely transparent to the user. If your PC PhoneHome-protected computer is lost or stolen, all you need to do is make a report to the local police and call CDs 24-hour command center. CDs recovery specialists will assist local law enforcement in the recovery of your property.

BASIC FORENSIC TOOLS AND TECHNIQUES

Many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for a successful investigation of Internet and computer-related crimes. Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking

COMPUTER FORENSICS

UNIT I PART II

10

online activity, finding and recovering hidden and deleted data, locating stolen computers, creating trackable files, identifying software pirates, and so on.

FORENSIC SERVICES AVAILABLE

Services include but are not limited to: Lost password and file recovery Location and retrieval of deleted and hidden files File and email decryption Email supervision and authentication Threatening email traced to source Identification of Internet activity Computer usage policy and supervision Remote PC and network monitoring Tracking and location of stolen electronic files Honeypot sting operations Location and identity of unauthorized software users Theft recovery software for laptops and PCs Investigative and security software creation Protection from hackers and viruses

Source:

COMPUTER FORENSICS: COMPUTER CRIME SCENE INVESTIGATION, JOHN VACCA

Send your feedback to [email protected]

COMPUTER FORENSICS

UNIT I PART II

11