Module 3 Word file Part 3

The document provides an overview of RAID technology, detailing levels 0, 1, and 5, including their advantages, disadvantages, and ideal use cases. It also discusses data recovery techniques such as file carving and memory forensics, emphasizing the importance of volatile data and memory dumps in investigations. Additionally, it covers evidence collection methods in the Windows Registry and system logs, highlighting their significance in forensic analysis.
Module 3

Computer Forensics
Part 3
31. RAID (Redundant Array of Inexpensive Disk): -
RAID (Redundant Array of Inexpensive disks) is a technology that is used to increase the
performance and/or reliability of data storage. A RAID system consists of two or more
drives working in parallel. It is designed to take multiple physical disks and address
them as a single logical unit.

The most commonly used basic RAID levels are as follows:

1. RAID level 0 – Striping

2. RAID level 1 – Mirroring

3. RAID level 5

1. RAID level 0 - Striping:


In a RAID 0 system data are split up into blocks that get written across all the
drives in the array. By using multiple disks (at least 2) at the same time, this offers
superior I/O performance. This performance can be enhanced further by using multiple
controllers, ideally one controller per disk.

Advantages:

• RAID 0 offers great performance, both in read and write operations. There is no
overhead caused by parity controls.

• All storage capacity is used; there is no overhead.

• The technology is easy to implement.

Disadvantages:

RAID 0 is not fault tolerant. If one drive fails, all data in the RAID 0 array are lost. It
should not be used for mission critical systems.

Ideal Use:

RAID 0 is ideal for non-critical storage of data that have to be read/written at a high
speed, such as on an image retouching or video editing station.

2. RAID level 1 - Mirroring:


In a RAID 1 system data are stored twice by writing them to both the data drive
(or set of data drives) and a mirror drive (or set of drives). If a drive fails, the controller
uses either the data drive or the mirror drive for data recovery and continues
operation. At least 2 drives are needed for a RAID 1 array.

Advantages:

• RAID 1 offers excellent read speed and a write speed that is comparable to that
of a single drive.

• In case a drive fails, data do not have to be rebuilt; they just have to be copied to
the replacement drive.

• RAID 1 is a very simple technology.

Disadvantages:

• The main disadvantage is that the effective storage capacity is only half of the
total drive capacity because all data get written twice.

• Software RAID 1 solutions do not always allow a hot swap of a failed drive. That
means the failed drive can only be replaced after powering down the computer it
is attached to. For servers that are used simultaneously by many people, this
may not be acceptable. Such systems typically use hardware controllers that do
support hot swapping.

Ideal Use:

• RAID 1 is ideal for mission-critical storage, for instance for accounting systems.

• It is also suitable for small servers in which only two data drives will be used.

3. RAID level 5:
RAID 5 is the most common secure RAID level. It requires at least three disks but
can work with up to 16. Data blocks are striped across the drives and on one drive a
parity checksum of all the block data is written. The parity data are not written to a
fixed drive, they are spread across all drives.

Advantages:

• Read transactions are very fast, whereas write transactions are somewhat
slower (due to the parity that has to be calculated).

• If a drive fails, one still has access to all data, even while the failed drive is being
replaced and the storage controller rebuilds the data on the new drive.

Disadvantages:

• Drive failures have an effect on throughput, although this is still acceptable.

• This is complex technology. If one of the disks in an array using 4TB disks fails and
is replaced, restoring the data (the rebuild time) may take a day or longer,
depending on the load on the array and the speed of the controller. If another
disk goes bad during that time, data are lost forever.

Ideal Use:

• RAID 5 is a good all-round system that combines efficient storage with excellent
security and decent performance. It is ideal for file and application servers.
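The striping and parity behaviour described for RAID 0 and RAID 5 above, as a small Python simulator. This is an added example, not code from the course notes; the block size, drive counts and sample data are chosen here only to keep the layout readable.

```python
# Added example for these notes (not from the original course material): a
# toy RAID 0 / RAID 5 block layout in pure Python. Block size and drive count
# are chosen here purely to keep the layout readable.
from typing import List, Optional

BLOCK = 4  # bytes per block; tiny so a whole array fits in a few lines


def split_blocks(data: bytes, multiple_of: int) -> List[bytes]:
    """Cut data into BLOCK-sized pieces and pad with zero blocks so the
    number of blocks is a multiple of 'multiple_of' (one full last stripe)."""
    data += b"\x00" * (-len(data) % BLOCK)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    blocks += [b"\x00" * BLOCK] * (-len(blocks) % multiple_of)
    return blocks


def xor_blocks(blocks: List[bytes]) -> bytes:
    """RAID 5 parity: the bytewise XOR of every data block in the stripe."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid0_write(data: bytes, n_drives: int) -> List[List[bytes]]:
    """RAID 0 (striping): blocks go round-robin to the drives, nothing else."""
    blocks = split_blocks(data, n_drives)
    return [blocks[d::n_drives] for d in range(n_drives)]


def raid0_read(drives: List[List[bytes]], failed: Optional[int] = None) -> Optional[bytes]:
    """With no parity, losing any one drive loses the whole array."""
    if failed is not None:
        return None
    n = len(drives)
    return b"".join(drives[i % n][i // n] for i in range(n * len(drives[0])))


def raid5_write(data: bytes, n_drives: int) -> List[List[bytes]]:
    """RAID 5: each stripe holds n-1 data blocks plus one parity block, and
    the parity block's position rotates from stripe to stripe."""
    assert n_drives >= 3, "RAID 5 needs at least three disks"
    per_stripe = n_drives - 1
    blocks = split_blocks(data, per_stripe)
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(0, len(blocks), per_stripe):
        stripe = blocks[s:s + per_stripe]
        parity_drive = (s // per_stripe) % n_drives     # rotating parity
        parity = xor_blocks(stripe)
        data_iter = iter(stripe)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(data_iter))
    return drives


def raid5_read(drives: List[List[bytes]], failed: Optional[int] = None) -> bytes:
    """Reassemble the data. If drive 'failed' is missing, every one of its
    blocks is rebuilt as the XOR of the surviving blocks in the same stripe,
    which is what a controller does during a degraded read or a rebuild."""
    n = len(drives)
    out = []
    for st in range(len(drives[0])):
        parity_drive = st % n
        row = [drives[d][st] if d != failed else b"" for d in range(n)]
        if failed is not None:
            row[failed] = xor_blocks([row[d] for d in range(n) if d != failed])
        out.extend(row[d] for d in range(n) if d != parity_drive)
    return b"".join(out)


def usable_capacity(n_drives: int, level: int) -> float:
    """Fraction of raw capacity available to the user for the levels above."""
    return {0: 1.0, 1: 0.5, 5: (n_drives - 1) / n_drives}[level]
```

Reading the RAID 5 array with any single drive marked as failed returns the original data, while the RAID 0 array returns nothing as soon as one drive is missing.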

32. Foremost and Carving: -
• Foremost is a console program to recover files based on their headers, footers
and internal data structures. This process is commonly referred to as data
carving. Although written for law enforcement use, it is freely available and can
be used as a general data recovery tool. Foremost can work on image files, such
as those generated by dd, SafeBack, EnCase etc., or directly on a drive.

• File carving is the process of trying to recover files without file system metadata.
This is done by analysing the raw data and identifying what it is (text, executable,
png, mp3 etc.). This can be done in different ways, but the simplest is to look for
the signature or “magic numbers” that mark the beginning and/or end of a
particular file type. For instance, every Java class file has as its first four bytes the
hexadecimal value CA FE BA BE. Some files contain footers as well, making it just
as simple to identify the end of the file.

• File carving is a highly complex task, with a potentially huge number of
permutations to try. To make this task tractable, carving software typically makes
extensive use of models and heuristics. This is necessary not only from a
standpoint of execution time, but also for the accuracy of the results. State-of-the-
art file carving algorithms use statistical techniques like sequential hypothesis
testing for determining fragmentation points.
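The header/footer carving described above, as an added Python example (not Foremost's code and not part of the course notes). The signature table, the length bound for footer-less types such as Java class files, and the raw image it scans are all constructed here.

```python
# Added example (not part of the course notes): a minimal header/footer
# carver run over a constructed raw image. The signatures, the constructed
# image and the length limit for footer-less types are all assumptions here.
import re
from typing import Dict, List, Optional, Tuple

# type -> (header, footer or None, max length used when there is no footer)
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes], int]] = {
    "class": (b"\xca\xfe\xba\xbe", None, 64),                # Java class magic
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4096),  # PNG header / IEND
}


def carve(image: bytes) -> List[Tuple[str, int, bytes]]:
    """Scan raw bytes for known signatures and cut out candidate files.
    No file-system metadata is consulted, which is what makes carving work
    on unallocated space and on images whose file table is gone."""
    hits = []
    for name, (header, footer, max_len) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            if footer is None:
                # No footer: take a bounded chunk and let a later parser decide.
                end = min(start + max_len, len(image))
            else:
                end = image.find(footer, start + len(header))
                if end == -1:
                    continue  # header without footer: truncated or fragmented
                end += len(footer)
                if end - start > max_len:
                    continue  # footer too far away to belong to this header
            hits.append((name, start, image[start:end]))
    return sorted(hits, key=lambda h: h[1])


# Constructed disk image: filler, a tiny PNG-like object, filler, a class-like
# header, filler. The PNG body is fake; only header and footer matter here.
FILLER = b"\x00" * 16
PNG_OBJ = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 13
           + b"IEND\xaeB`\x82")
CLASS_OBJ = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x07" * 20
IMAGE = FILLER + PNG_OBJ + FILLER + CLASS_OBJ + FILLER


def carve_image() -> List[Tuple[str, int, int]]:
    """Return (type, offset, length) for each carved object in IMAGE."""
    return [(name, off, len(blob)) for name, off, blob in carve(IMAGE)]
```

A header with no matching footer is skipped rather than carved, which is the simplest way to avoid gluing a truncated object onto the next one; real carvers apply the fragmentation heuristics the notes mention instead.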

33. Evidence Collection in Memory: -


• The data stored in the temporary memory of a computer while it is running is
known as volatile data. Volatile data is lost almost instantly when a computer is
turned off. Data such as browsing history, chat messages and clipboard contents
are examples of volatile data stored in a computer’s short-term memory storage.

• A memory dump (also called a core dump or system dump) is a snapshot of
computer memory data taken at a specific point in time. A memory dump can
contain important forensic information about the state of the system prior to an
incident like a crash or a security breach.

• Memory dumps contain RAM data that can be used to determine the cause of an
incident as well as other important details.

• Memory forensics is an important aspect of computer security investigation
because it allows investigators to spot unauthorised and unusual activity on a
target computer or server. This is usually accomplished by running special
software that creates a snapshot file, also known as a memory dump, of the
current state of the system’s memory. The investigator can then take this file
offsite and search it.

• This is useful because of the way processes, files and programmes run in memory;
once a snapshot has been taken, the investigator can determine many
important facts, such as:

  • Processes that are currently running

  • Executable files that are currently running

  • Open ports, IP addresses and other networking data

  • Users who have logged into the system and from where they are accessing
  the system.

  • Files that are open and who is accessing them.

• It has already been seen how useful this information can be to investigators looking
for system anomalies; by capturing the volatile information stored in the system
memory, they can create a permanent record of the system’s previous state.

• Memory forensics is a current snapshot of a system that provides investigators
with a near real-time image of the system while it is in use. Data recovery and
decryption are usually the focus of hard drive forensics, which is usually done
using an image of the drive in question.

• Memory forensics can be thought of as a real-time response to a current threat,
whereas hard drive forensics is more of a post-mortem of what has already
happened.

• Memory forensics is time sensitive because the required information is stored in
volatile system memory, which is flushed when the system
is restarted or powered off. Hard drives, on the other hand, are a type of
computer storage that is not volatile. Hard drives do contain some volatile
components, such as cache and buffer stores, which must be considered by the
forensic investigator.

34. Evidence Acquisition methods in Memory: -


The most common methods and formats used for acquisition in memory are as follows:

• RAW format: Extracted from a live environment.

• Crash Dump: Data gathered by the operating system after a crash.

• Hibernation File: A saved snapshot of the operating system’s memory, so that the
OS can resume after hibernating.

• Page File: A page file is a file that stores information that is similar to that which
is stored in the system RAM.

• VMware Snapshot: A snapshot of a virtual machine that saves its state as it
was at the time the snapshot was taken.

35. Tools for Memory data collection: -
Many professionals in the market use a combination of free and paid tools to collect
data. Some examples are as follows:

• Volatility Suite: An open-source suite of programmes for analysing RAM that
works on Windows, Linux and Mac computers. It can easily analyse RAW, Crash,
VMware and VirtualBox dumps.

• Rekall: This is an end-to-end solution that includes both acquisition and analysis
tools for incident responders and investigators. It’s better to think of it as a
forensic framework suite rather than a single application.

• Helix ISO: This is a bootable live CD and a standalone application that makes
capturing a memory dump or memory image of a system very simple.

• Belkasoft RAM Capturer: A forensic tool that allows you to capture the
volatile section of your system memory to a file. The functionality and wide
range of tools available in this software package will allow first responders to get
started on their investigations as soon as possible.

• Process Hacker: An open-source process monitoring application that can
be run on the target machine while it is in use. It will give the investigator a
better idea of what is currently affecting the system before the memory
snapshot is taken, and it will go a long way toward identifying any malicious
processes or processes that have been terminated within a certain time frame.

36. Evidence collection in Windows Registry: -

• The Windows Registry consists of information, settings, options and other values
for programs and hardware installed on all versions of MS Windows operating
systems. For instance, when a program is installed, a new subkey containing
settings like the program’s location, its version and how to start the program is
put into the Windows Registry.

• When Windows was first launched, it relied heavily on .ini files to store
Windows programs’ configurations and settings. Despite the fact that .ini files are
still routinely used, most Windows programs rely on settings made to the
Windows Registry after being installed.

• The Windows Registry contains valuable evidence for investigative purposes.

• One can view the registry by using the Regedit (Registry Editor) program for
Windows 9x or by using Regedt32 for Windows 2000, XP and Vista.

Advantages of the Windows Registry are:

• In the registry editor, one can use the Edit, Find menu commands to locate the
entries which might hold trace evidence, like information identifying the last
person who logged on to the computer, which is usually stored in user account
information.

• Windows 9x systems don’t record a user’s logon information reliably, but one can
find related user information, such as network logon data, by searching for all
occurrences of “username” or application licences.

• One can also use the registry to determine the most recently accessed files and
peripheral devices. In addition, all installed programs store information in the
registry, such as websites accessed, recent files and even chat rooms accessed.

• Windows Registry organization (terminology and description):

Registry: A collection of files containing system and user information.

Registry Editor: A Windows utility for viewing and modifying data in the
registry. There are two registry editors: Regedit and Regedt32.

HKEY: Windows splits the registry into categories with the prefix
HKEY_. Windows 9x systems have six HKEY categories and
Windows 2000 and later have five. Windows programmers
refer to the “H” as the handle for the key.

Key: Each HKEY contains folders referred to as keys. Keys can
contain other key folders or values.

Subkey: A key displayed under another key is a subkey, similar to a
subfolder in Windows Explorer.

Branch: A key and its contents, including subkeys, make up a branch in
the registry.

Value: A name and value in a key; it’s similar to a file and its data
content.

Default value: All keys have a default value that may or may not contain data.

Hives: Hives are specific branches in HKEY_USER and
HKEY_LOCAL_MACHINE. Hive branches in
HKEY_LOCAL_MACHINE\Software are SAM, Security,
Components and System. For HKEY_USER, each account has its
own hive link to Ntuser.dat.

• It is important to understand where the data files that the registry reads are
located.

• The number of files the registry uses depends on the Windows version.
In Windows 9x/Me, it uses just two files; in Windows NT, 2000, XP and Vista it
uses six files. While examining registry information from a suspect drive, one
has to know where these files are found so that one can extract
them and investigate their content. One can locate these files with
tools such as AccessData Registry Viewer.

• The following table shows how registry data files are organized and explains
these files’ purposes in different versions of Windows.

Windows 9x/Me (filename and location: purpose of file)

Windows\System.dat: User-protected storage area; consists of installed program
settings, usernames and passwords associated with installed
programs and system settings.

Windows\User.dat (in Windows\profile\UserAccount): Consists of the most recently
used files list and desktop configuration settings; every user account created on
the system has its own user data file.

Windows NT, 2000, XP and Vista (filename and location: purpose of file)

Documents and Settings\user-account\Ntuser.dat (in Vista,
Users\UserAccount\Ntuser.dat): User-protected storage area; contains the MRU
files list and desktop configuration settings.

Winnt\System32\config\Default: Consists of the computer’s system settings.

Winnt\System32\config\SAM: Consists of user account management and security
settings.

Winnt\System32\config\Security: Consists of the computer’s security settings.

Winnt\System32\config\Software: Consists of installed programs’ settings and
associated usernames and passwords.

Winnt\System32\config\System: Consists of additional computer system settings.

Viewing the Windows Registry:

To view and make changes to the Windows Registry, type Regedit or regedt32 at the
command line and you will get the Windows Registry Editor shown in the figure. This
editor allows you to view all keys and values that are in the registry as well as change
Windows, program or driver values you feel are necessary.

When the Windows Registry Editor is opened for the first time, it displays the root keys
that contain all registry values. The description of the root keys is given in the table:

37. Evidence collection in Logs: -
Windows systems maintain three log files: the system log, the application log and the
security log. By reviewing these logs, the following information may be obtained:

1. Determine who has been accessing specific files.

2. Determine who has been successfully logging on to a system.

3. Determine who has been trying unsuccessfully to log on to a system.

4. Track usage of specific applications.

5. Track alterations to the audit policy.

6. Track changes to user permissions.

• The system log contains the recorded system processes and device driver
activities. System events audited by Windows include device drivers that fail
to start properly; hardware failures; duplicate IP addresses; and the starting,
pausing and stopping of services.

• The application log includes activities related to user programs and commercial
off-the-shelf applications. Application events that are audited by Windows
include any errors or information that an application wants to report. The
application log can include the number of failed logons, amount of disk usage
and other important metrics.

• The security log includes system auditing and the security processes used by
Windows. Security events that are audited by Windows include changes in
user privileges, changes in the audit policy, file and directory access, printer
activity and system logons and logoffs.

• Any user can view the application and system logs, but only administrators
can read the security log. The security log is usually the most useful log during
incident response. An investigator must be comfortable with viewing and
filtering the output of these logs to recognize the evidence that they contain.

• Additionally, many third-party applications and Windows system utilities
create log files specific to their corresponding applications.

38. Unallocated space, free space and slack space: -

Unallocated Space:

• Unallocated space refers to portions of the disk that are not currently allocated
to any file system or file. This space has not been assigned to store data by the
file system and may contain remnants (a part or quantity that is left after the
greater part has been used, removed, or destroyed) of deleted files or previously
allocated data.

• When a file is deleted or a disk is formatted, the data is typically not immediately
overwritten. Instead, the file system marks the space occupied by the deleted file
as unallocated, making it available for future use.

• Forensic examiners often analyze unallocated space to recover deleted files, as
fragments of deleted data may still reside in these areas.

Free Space:

• Free space refers to portions of the disk that are currently not occupied by any
files or data. In contrast to unallocated space, free space is part of the file system
and is available for immediate use by the operating system to store new files.

• When files are deleted or moved, the space they occupied becomes free space
within the file system. This space can be reused by the file system to store new
data.

• Free space does not contain remnants of deleted files like unallocated space
does, as the file system has reclaimed it for potential future use.

Slack Space:

• Slack space refers to the unused portion of a disk sector that occurs when the
actual data within the sector does not fill it entirely. It is the difference between
the sector size and the size of the data stored within it.

• Slack space typically occurs when a file's size is not an exact multiple of the disk's
sector size. The remaining space within the sector is considered slack space.

• Slack space can contain valuable forensic artifacts, such as remnants of
overwritten files, fragments of deleted data, or metadata associated with files.
Forensic examiners may analyze slack space to search for such hidden data.
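How slack comes to hold remnants of an older file, shown with a constructed in-memory "disk" (an added example, not part of the course notes). The 512-byte sector size, the old and new file contents and the disk size are all assumptions of this example.

```python
# Added example (not from the course notes): emulating how a smaller file
# written over a previously used sector leaves the old data in slack. Sector
# size, the "old" and "new" file contents and the disk size are constructed.
from typing import Dict, List

SECTOR = 512


def slack_bytes(file_size: int, sector: int = SECTOR) -> int:
    """Unused bytes in the last sector allocated to a file of this size."""
    return (-file_size) % sector


def sectors_needed(file_size: int, sector: int = SECTOR) -> int:
    return -(-file_size // sector)   # ceiling division


def write_file(disk: bytearray, start_sector: int, data: bytes,
               sector: int = SECTOR) -> None:
    """Write a file the way a file system does: only len(data) bytes change.
    The tail of the last sector is left untouched, so whatever was there
    before (an older file) survives as slack."""
    off = start_sector * sector
    disk[off:off + len(data)] = data


def read_slack(disk: bytearray, start_sector: int, file_size: int,
               sector: int = SECTOR) -> bytes:
    """Bytes between the end of the file's data and the end of its allocation."""
    data_end = start_sector * sector + file_size
    alloc_end = (start_sector + sectors_needed(file_size, sector)) * sector
    return bytes(disk[data_end:alloc_end])


def strings_in(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, the usual first look at slack or unallocated space."""
    runs, cur = [], bytearray()
    for b in blob + b"\x00":
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def demo() -> Dict[str, object]:
    """Constructed scenario: a 900-byte 'old' file is deleted, then a 600-byte
    file is written over the same starting sector. Sector 1's tail still holds
    the old contents, which read_slack() recovers."""
    disk = bytearray(8 * SECTOR)
    old = (b"OLD CONTRACT DRAFT - CONFIDENTIAL " * 30)[:900]
    write_file(disk, 0, old)          # old file occupies sectors 0-1
    new = b"N" * 600                  # new file: sectors 0-1, 424 bytes of slack
    write_file(disk, 0, new)
    slack = read_slack(disk, 0, len(new))
    return {"slack_len": len(slack), "remnant": strings_in(slack)}
```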

39. Recovering Deleted Files on Windows Systems: -

Sometimes malicious users erase evidence to cover up their misdeeds or identity,
and that data should be recovered.

The following tools are used to recover files:

1. Using Windows-based tools to recover files on File Allocation Table (FAT) file
systems:
To recover files on FAT file systems, the tools EnCase and FTK are
recommended. Both these tools have built-in capabilities to automatically
recover any files.

2. Using Linux tools to recover files on FAT file systems:

The following capabilities should be provided by an operating system to be of value
to a computer forensic examiner.

(a) Supports a wide variety of file systems, including FAT12, FAT16, FAT32, NTFS,
HPFS, Macintosh, OS/2, EXT2, EXT3 and UFS.

(b) Recovers file slack and unallocated space. The improved loopback kernel makes
it easy to recognize slack and unallocated drive space.

(c) Provides an efficient, effective and accurate undelete utility.

(d) Delivers keyword search capabilities and performs all functions in a read-only
state on the file system being processed. The NASA kernel also provides a read-
only option at setup.

(e) Handles compressed drives (DriveSpace, DblSpace and DriveSpace3).

(f) Delivers widespread checking and cataloguing of all forensic activities.

(g) Provides for data authentication and reliability.

40. Analysis and Examination (Windows, Linux, Email, Web, Malware): -

a) Investigating a Live Windows System: -
The steps for conducting the investigation in Windows are as follows:

1. Review all relevant/pertinent logs

2. Perform keyword searches

3. Review relevant files

4. Identify unauthorized user accounts or groups

5. Identify rogue processes and services

6. Look for unusual or hidden files/directories

7. Check for unauthorized access points

8. Examine jobs run by the scheduler service

9. Analyse trust relationships

10. Review security identifiers.

1. Review all relevant/pertinent logs:

Windows systems maintain three log files: the system log, the application log and the
security log. By reviewing these logs, the following information may be obtained:

a) Determine who has been accessing specific files.

b) Determine who has been successfully logging on to a system.

c) Determine who has been trying unsuccessfully to log on to a system.

d) Track usage of specific applications.

e) Track alterations to the audit policy.

f) Track changes to user permissions.

The system log contains the recorded system processes and device driver activities.
System events audited by Windows include device drivers that fail to start properly;
hardware failures; duplicate IP addresses; and the starting, pausing and stopping of
services.

The application log includes activities related to user programs and commercial off-the-
shelf applications. Application events that are audited by Windows include any
errors or information that an application wants to report. The application log can
include the number of failed logons, amount of disk usage and other important
metrics.

The security log includes system auditing and the security processes used by Windows.
Security events that are audited by Windows include changes in user privileges,
changes in the audit policy, file and directory access, printer activity and system
logons and logoffs.

2. Performing keyword searches:

It is important to perform string searches of the subject’s hard drive during
investigations into possession of intellectual property or proprietary information,
sex offenses and practically any case involving text-based communication. Many
different keywords can be critical to an investigation, including user IDs, passwords,
sensitive data, known filenames and subject-specific words. String searches can be
conducted on the logical file structure or at the physical level, examining the
contents of an entire drive.

3. Reviewing relevant files:

Windows writes input and output to so many files that almost all actions taken on
the system leave some trace of their occurrence. Windows has
temporary files, cache files and a registry which keeps track of recently used files, a
Recycle Bin that keeps deleted files and countless other locations where runtime
data is stored. It is important to recognize files by their extensions and true file
headers.

4. Identifying unauthorized user accounts or groups:

User accounts and user groups on a live system can be audited in several ways:

a) For unauthorized user accounts, look in the User Manager.

b) To view all domain accounts on a domain controller and look for suspicious entries,
use usrstat from the NTRK.

c) Examine the security log using Event Viewer, filtering for event IDs 624, 626, 636
and 642.
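The event-ID filtering described here and in section 37, as an added Python example that is not part of the course notes. It applies the four IDs the notes name (624, 626, 636, 642, which in the legacy Windows 2000/XP security log mean account created, account enabled, member added to a local group, and account changed) to a constructed CSV export; the export format and every record in it are assumptions of this example.

```python
# Added example (not part of the course notes): filtering an exported Security
# log for the account-management event IDs the notes list (624, 626, 636, 642,
# the legacy Windows 2000/XP IDs) and grouping them by the acting account.
# The CSV layout and every record in it are constructed for this example.
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

ACCOUNT_EVENTS = {
    624: "user account created",
    626: "user account enabled",
    636: "member added to security-enabled local group",
    642: "user account changed",
}

# Constructed export: time, log name, event ID, acting account, target object.
SAMPLE_EXPORT = """time,log,event_id,subject,target
2024-01-10 09:01:12,Security,528,alice,WS01
2024-01-10 09:02:40,Security,624,alice,svc_backup
2024-01-10 09:02:41,Security,626,alice,svc_backup
2024-01-10 09:03:05,Security,636,alice,Administrators
2024-01-10 09:05:00,Application,1000,svc_backup,app.exe
2024-01-10 09:07:19,Security,642,bob,jdoe
2024-01-10 09:08:00,System,7036,SYSTEM,Spooler
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def account_changes(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only Security-log records whose event ID is one of interest,
    annotating each with its meaning. Application/System records and other
    Security events are dropped, which is what the Event Viewer filter does."""
    kept = []
    for r in records:
        eid = int(r["event_id"])
        if r["log"] == "Security" and eid in ACCOUNT_EVENTS:
            kept.append({**r, "meaning": ACCOUNT_EVENTS[eid]})
    return kept


def by_subject(changes: List[Dict[str, str]]) -> Dict[str, List[Tuple[int, str]]]:
    """Group filtered events by the account that performed them. One subject
    creating, enabling and then elevating an account within seconds is the
    pattern an examiner looks for when hunting for an unauthorized account."""
    grouped: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for c in changes:
        grouped[c["subject"]].append((int(c["event_id"]), c["target"]))
    return dict(grouped)


def created_and_elevated(changes: List[Dict[str, str]]) -> List[str]:
    """Subjects that both created an account (624) and added a member to a
    group (636) in the filtered window: the accounts to examine first."""
    flagged = []
    for subject, events in by_subject(changes).items():
        created = any(e == 624 for e, _ in events)
        grouped_into = any(e == 636 for e, _ in events)
        if created and grouped_into:
            flagged.append(subject)
    return flagged
```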

5. Identifying rogue processes:

Rogue processes may listen on network connections for clear-text client IDs and
secret keys. Finding these processes is easy while they are executing.

A few tools that get data about running processes:

• PsList lists the names of the running processes.

• ListDLLs gives the full command-line arguments for every running process.

• Fport shows which processes are listening on which ports.

6. Looking for unusual or hidden files:

Once an attacker gains unlawful access to a Windows system, he/she needs to
hide files for later use. An insider may choose to make a few files invisible. To
hide data behind legitimate files, the attacker takes advantage of NTFS file
streams.

7. Checking for unauthorized access points:

An entry point for unwanted intruders could be provided by any service that
allows some degree of remote access. Such services could be provided by Trojans, in
addition to built-in and third-party applications.

These services include:

a) Terminal Server

b) SQL/Oracle

c) Third-party telnet daemons on Windows NT

d) Windows 2000 Telnet Server

e) Third-party FTP daemons

f) Web servers (such as Apache and IIS)

g) Virtual Network Computing and pcAnywhere

8. Examining jobs run by the scheduler service:

A common trick by attackers is to have a scheduled event start backdoor
programs for them and also change the audit policy, or perhaps even something
more threatening such as a scheduled wiping of files. The at and soon utilities are
used to schedule the malicious jobs. The at command, with no command-line
arguments, shows any jobs that have been scheduled.

9. Analysing trust relationships:

Trust relationships among domains can certainly increase the scope of a
compromise, should a valid user ID and password be stolen by an attacker. Access to
one machine may mean logical access to many others. Trust relationships raise the
severity of the incident and the scope of a compromise.

10. Reviewing Security Identifiers:

To identify a user or a group uniquely, a SID (Security Identifier) is used. Each
system has its own identifier and each user has its own identifier on that system.
A SID is made by combining the computer identifier and the user identifier. Thus,
SIDs can uniquely identify user accounts. SIDs do not apply to share security.
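The "computer identifier combined with user identifier" structure, as an added Python example (not part of the course notes) that splits an account SID into the portion identifying the issuing system or domain and the per-account part (the RID). The SID strings used are constructed, not taken from any real system.

```python
# Added example (not part of the course notes): splitting a Windows SID into
# the identifier of the issuing system/domain and the per-account part, which
# is what "computer identifier combined with user identifier" means in
# practice. The SID strings in the test are constructed, not from any system.
from typing import Dict, List, Tuple


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """'S-<revision>-<authority>-<sub1>-...-<subN>' -> (revision, authority, subs)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def split_identifier(sid: str) -> Tuple[str, int]:
    """For an account SID (authority 5, first sub-authority 21) return
    (system-or-domain identifier, RID). The last sub-authority is the RID that
    names the account; everything before it identifies the issuing system."""
    rev, auth, subs = parse_sid(sid)
    if auth != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError(f"not an account SID: {sid}")
    prefix = ["S", str(rev), str(auth)] + [str(s) for s in subs[:-1]]
    return "-".join(prefix), subs[-1]


def same_system(sid_a: str, sid_b: str) -> bool:
    """Two account SIDs were issued by the same machine/domain iff their
    identifier portions match; only the RID differs between its accounts."""
    return split_identifier(sid_a)[0] == split_identifier(sid_b)[0]


def group_by_system(sids: List[str]) -> Dict[str, List[int]]:
    """Bucket SIDs (e.g. from a profile list or an ACL dump) by issuing
    system, so accounts from an unexpected machine or domain stand out."""
    out: Dict[str, List[int]] = {}
    for s in sids:
        ident, rid = split_identifier(s)
        out.setdefault(ident, []).append(rid)
    return out
```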

b) Investigating a Live LINUX/UNIX System: -
UNIX is a powerful, flexible and extremely functional operating system. It has
become essential for both UNIX users and forensic investigators to be able to investigate
a compromised UNIX system and to respond to a computer security incident.

The steps for conducting the investigation in UNIX are as follows:

1. Review all relevant/pertinent logs:

During incident response, UNIX operating systems have a variety of log files that
can yield important clues. Not only are system activities such as logons, startups and
shutdowns logged, but also events associated with UNIX network services. Most log
files are located in a common directory, usually /var/log.

2. Performing keyword searches:

Ranging from email harassment to remote network compromise cases,
keyword searching is a critical part of almost every incident response investigation.
The keywords can be a wide range of ASCII strings, including an attacker’s backdoor
password, a username, a MAC address or an IP address. Keyword searching can
be performed on the logical file structure or at the physical level, examining the
contents of an entire drive. In UNIX, string searches are performed using the grep
command and file searches are performed using the find command.

3. Reviewing relevant files:

There are methods to recognize the files relevant to any given incident. These
methods include recognizing relevant files by their time/date stamps and by the
information obtained during the initial response on Linux. Configuration and system
files that are commonly abused by attackers are also searched.

4. Identifying unauthorized user accounts or groups:
It is very important to recognize unauthorized user accounts and groups
because attackers will frequently modify account and group information on victim
systems. This modification can come in the form of additional accounts or an increase
in the privileges of current accounts. So an audit of user and group accounts on
suspected victim systems is necessary.

a) To ensure that user accounts have not been manipulated, examine the accounts
that should be disabled for remote logon. Each user ID and group ID
should be noted. A user ID of 0 or 1 on a user account is suspicious as it
represents root-level and bin-level access respectively. If a normally privileged
user account has a higher privilege level, then it seems to be a backdoor for an
attacker to gain privileged access.

b) Group accounts have the group ID for the groups. While reviewing group
accounts of the system, search for users who are in highly
privileged groups.
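The UID/GID audit described in (a) and (b), as an added Python example that is not part of the course notes. It runs over constructed /etc/passwd and /etc/group contents; which groups count as highly privileged (root and wheel here) is an assumption of the example.

```python
# Added example (not part of the course notes): the UID/GID audit described
# above, run over constructed /etc/passwd and /etc/group contents. Which
# groups count as "highly privileged" is an assumption made here (root, wheel).
from typing import Dict, List

PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svcupd:x:0:0:updater:/tmp:/bin/sh
backup:x:1:1:backup:/var/backup:/bin/bash
"""

GROUP = """root:x:0:svcupd
wheel:x:10:alice,backup
users:x:100:alice
"""

PRIVILEGED_GROUPS = {"root", "wheel"}   # assumption for this example


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """name:passwd:uid:gid:gecos:home:shell -> one dict per account."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, _, home, shell = line.split(":", 6)
        out.append({"name": name, "uid": int(uid), "gid": int(gid),
                    "home": home, "shell": shell})
    return out


def suspicious_uids(accounts: List[Dict[str, object]]) -> List[str]:
    """Accounts whose UID is 0 (root-level) or 1 (bin-level) but that are not
    the expected owners of those IDs. A second UID-0 account is the classic
    sign of a backdoor described in the notes."""
    expected = {0: "root", 1: "bin"}
    return [a["name"] for a in accounts
            if a["uid"] in expected and a["name"] != expected[a["uid"]]]


def parse_group(text: str) -> Dict[str, Dict[str, object]]:
    """name:passwd:gid:member,member -> {group: {"gid": int, "members": [...]}}."""
    groups = {}
    for line in text.splitlines():
        if not line:
            continue
        name, _, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def privileged_members(accounts, groups) -> Dict[str, List[str]]:
    """Who sits in a privileged group, either as a supplementary member in
    /etc/group or because their primary GID in /etc/passwd is that group's
    GID (the latter is easy to miss when only /etc/group is read)."""
    result = {}
    for gname in sorted(PRIVILEGED_GROUPS):
        if gname not in groups:
            continue
        members = set(groups[gname]["members"])
        members |= {a["name"] for a in accounts
                    if a["gid"] == groups[gname]["gid"]}
        result[gname] = sorted(members)
    return result
```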

5. Identifying rogue processes:

Identifying rogue processes is easy while examining a live system. It is
necessary to record all listening ports and running processes during the initial
investigation. The running processes should be examined carefully to verify their
validity. Also, all binaries associated with listening services and running processes
need to be reviewed to ensure that they have not been modified.

6. Checking for unauthorized access points:

Linux systems offer an array of network services, for example telnet, rlogin,
NFS etc. Any one of the networked services on a Linux system can potentially
allow some degree of remote access to unwanted intruders, as can a phone line
connected to a modem.

X servers, FTP, telnet, TFTP, DNS, sendmail, finger, SNMP, IMAP, POP, HTTP and
HTTPS are some common access points that intruders can take advantage of.

7. Analysing trust relationships:

Trust relationships with Linux systems were once a primary mechanism of
attack. Trust can be established between Linux systems with a variety of services,
the most popular of which include rlogin, rsh, the Network Information Service
(NIS and NIS+), NFS and ssh. Trust relationships can be convenient time-savers
for system administrators and users.

8. Detecting trojan loadable kernel modules (LKMs):

LKMs, or kernel extensions, are found on the various flavours of Linux, BSD (Berkeley
Software Distribution) and Solaris. They extend the capabilities of the
base operating system kernel, typically to provide additional support within the
OS for device and file system drivers. When dynamically loaded by a user with root-
level access, LKMs run at the kernel level instead of at the normal user-process level.
