Role of Cyber Forensics

Computer forensics is a discipline that combines law and computer science to collect and analyze digital evidence in a manner admissible in court. It has evolved since the 1980s to address a wide range of cyber crimes, employing techniques such as cross-drive analysis, live analysis, and deleted file recovery. The field is still developing, with varying standards across jurisdictions, but it plays a crucial role in ensuring the integrity of digital evidence in legal proceedings.

Chapter 13: Cyber Forensics

Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner, analyzing and presenting facts about the digital information. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices, and its findings are used as evidence in U.S. and European court systems.

Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means "to bring to the court".) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive. Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry. As a result, it is not yet recognized as a formal "scientific" discipline. We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence, to find out exactly what happened on a computing device and who was responsible for it.

Although still in its infancy, cyber forensics is gaining traction as a viable way of interpreting evidence. Cyber forensics is also known as computer forensics.
Cyber crimes cover a broad spectrum, from email scams to downloading copyrighted works for distribution, and are fueled by a desire to profit from another person's intellectual property or private information. Cyber forensics can readily display a digital audit trail for analysis by experts or law enforcement. Developers often build program applications to combat and capture on-line criminals; these applications are the crux of cyber forensics. Cyber forensic techniques include:

* Cross-drive analysis, which correlates data from multiple drives
* Live analysis, which obtains data acquisitions before a PC is shut down
* Deleted file recovery

Each of the above techniques is applied to cyber forensic investigations.

Overview

In the early 1980s personal computers became more accessible to consumers, leading to their increased use in criminal activity (for example, to help commit fraud). At the same time, several new "computer crimes" were recognized (such as cracking). The discipline of computer forensics emerged during this time as a method to recover and investigate digital evidence for use in court. Since then computer crime and computer-related crime has grown, and jumped 67% between 2002 and 2003. Today it is used to investigate a wide variety of crime, including child pornography, fraud, espionage, cyberstalking, murder and rape. The discipline also features in civil proceedings as a form of information gathering (for example, electronic discovery). Forensic techniques and expert knowledge are used to explain the current state of a digital artifact, such as a computer system, storage medium (e.g., hard disk or CD-ROM) or an electronic document (e.g., an email message or JPEG image). The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.
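The cross-drive correlation named in the list above, as an added illustration that is not part of this chapter: per-drive feature sets (here, e-mail addresses) are inverted into a feature-to-drives index, features found on every drive are discarded as uninformative noise, and the remaining shared features link drives into a network while drives with no links are flagged as outliers. The drive names and addresses are constructed sample data, and the feature extraction step is assumed to have already happened.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: e-mail addresses extracted from three seized drive
# images (hypothetical names; extraction from the images is assumed done).
DRIVE_FEATURES = {
    "drive_A": {"alice@example.com", "bob@example.com", "list@example.org"},
    "drive_B": {"bob@example.com", "carol@example.com", "list@example.org"},
    "drive_C": {"dave@example.com", "list@example.org"},
}

def feature_index(drive_features):
    """Invert the per-drive sets: feature -> set of drives it was found on."""
    index = defaultdict(set)
    for drive, feats in drive_features.items():
        for feat in feats:
            index[feat].add(drive)
    return index

def cross_drive_links(drive_features, max_drives=None):
    """Link pairs of drives by the features they share. A feature present on
    max_drives or more drives (mailing lists, vendor addresses) is treated as
    ubiquitous noise and ignored; by default that is every drive in the set."""
    if max_drives is None:
        max_drives = len(drive_features)
    links = defaultdict(set)
    for feat, drives in feature_index(drive_features).items():
        if len(drives) >= max_drives:
            continue
        for a, b in combinations(sorted(drives), 2):
            links[(a, b)].add(feat)
    return dict(links)

def unlinked_drives(drive_features, max_drives=None):
    """Drives sharing no discriminating feature with any other drive: the
    anomaly-detection side of the technique, returned in sorted order."""
    linked = {d for pair in cross_drive_links(drive_features, max_drives) for d in pair}
    return sorted(set(drive_features) - linked)
```

With the sample data, only drive_A and drive_B are linked (through bob@example.com), list@example.org is dropped as ubiquitous, and drive_C is reported as unlinked.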
In a 2002 book, Computer Forensics, authors Kruse and Heiser define computer forensics as involving "the preservation, identification, extraction, documentation and interpretation of computer data". They go on to describe the discipline as "more of an art than a science", indicating that forensic methodology is backed by flexibility and extensive domain knowledge. However, while several methods can be used to extract evidence from a given computer, the strategies used by law enforcement are fairly rigid and lack the flexibility found in the civilian world.

Why is Computer Forensics Important?

Adding the ability to practice sound computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a "defense-in-depth" approach to network and computer security.[1] For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught. If you ignore computer forensics or practice it badly, you risk destroying vital evidence or having forensic evidence ruled inadmissible in a court of law. Also, you or your organization may run afoul of new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected. Recent legislation makes it possible to hold organizations liable in civil or criminal court if they fail to protect such data.

Computer forensics is also important because it can save your organization money.

1. "Defense in depth is designed on the principle that multiple layers of different types of protection from different vendors provide substantially better protection."
Many managers are allocating a greater portion of their information technology budgets to computer and network security. International Data Corporation (IDC) reported that the market for intrusion detection and vulnerability assessment software will reach 1.45 billion dollars in 2006. In increasing numbers, organizations are deploying network security devices such as intrusion detection systems (IDS), firewalls, proxies, and the like, which all report on the security status of networks.

Two types of data are collected in computer forensics. Persistent data is data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off. Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential that an investigator knows reliable ways to capture it. System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence at court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.

Forensic process

Investigations are performed on static data rather than "live" systems. This is a change from early forensic practices, where a lack of specialist tools led to investigators commonly working on live data.

Techniques

A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular. See, e.g., "Defending Child Pornography Cases".

Cross-drive analysis

A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Live analysis

The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence.
The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files

A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.

Stochastic forensics

A method which uses stochastic properties of the computer system to investigate activities lacking digital artifacts. Its chief use is to investigate data

Steganography

One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. An example would be to hide pornographic images of children or other information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.

Volatile data

When seizing evidence, if the machine is still active, any information stored solely in RAM that is not recovered before powering down may be lost. One application of "live analysis" is to recover RAM data (for example, using Microsoft's COFEE tool, windd, or WindowsSCOPE) prior to removing an exhibit. CaptureGUARD Gateway bypasses Windows login for locked computers, allowing for the analysis and acquisition of physical memory on a locked computer.
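The two checks described under "Deleted files" and "Steganography" above, as an added example that is not part of this chapter: a signature-based carver scans a raw image for JPEG start-of-image and end-of-image markers without consulting file system metadata, and each carved object is then hashed and compared with the hash of a known original, so that a byte-identical-looking but altered copy is flagged. The disk image, the two JPEG-like objects and the reference hash are all constructed inline; they are not real photographs.

```python
import hashlib

# Signatures the carver knows: JPEG start-of-image and end-of-image markers.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed sample data (not a real photo): two JPEG-like objects that differ
# only in a few payload bytes, so they have the same size and would render
# alike, plus a trailing header with no footer to exercise the skip path.
_HEADER = JPEG_SOI + b"\xe0\x00\x10JFIF\x00"
ORIGINAL_PHOTO = _HEADER + b"\x11" * 40 + JPEG_EOI
ALTERED_PHOTO = _HEADER + b"\x11" * 20 + b"hidden" + b"\x11" * 14 + JPEG_EOI
DISK_IMAGE = (b"\x00" * 64 + ORIGINAL_PHOTO + b"\xaa" * 37 + ALTERED_PHOTO
              + b"\xaa" * 5 + JPEG_SOI + b"\xe1" + b"\x22" * 16)
# Hash of the known-good original, as recorded when the reference was acquired.
REFERENCE_SHA256 = hashlib.sha256(ORIGINAL_PHOTO).hexdigest()

def carve_jpegs(image, max_size=10_000_000):
    """Scan a raw image for JPEG header/footer pairs without consulting any
    file system metadata; return (offset, data, sha256) for each object."""
    carved = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1  # header without a plausible footer: skip it
            continue
        data = image[start:end + len(JPEG_EOI)]
        carved.append((start, data, hashlib.sha256(data).hexdigest()))
        pos = end + len(JPEG_EOI)
    return carved

def matches_reference(data, reference_sha256):
    """The hash check from the steganography passage: the picture may look
    identical to the original, but any hidden payload changes its hash."""
    return hashlib.sha256(data).hexdigest() == reference_sha256

def run_demo():
    """Carve the constructed image and compare each object with the reference.
    Returns a list of (offset, size, matches_reference) tuples."""
    return [(off, len(data), matches_reference(data, REFERENCE_SHA256))
            for off, data, _ in carve_jpegs(DISK_IMAGE)]

if __name__ == "__main__":
    print(run_demo())
```

Both carved objects are 53 bytes long, yet only the one at offset 64 matches the reference hash; the copy at offset 154 is reported as differing, and the footerless header at the end of the image is skipped rather than carved.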
RAM can be analyzed for prior content after power loss, because the electrical charge stored in the memory cells takes time to dissipate, an effect that is exploited by the cold boot attack. The length of time that data remains recoverable is increased by low temperatures and higher cell voltages. Holding unpowered RAM below -60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination.

Some of the tools needed to extract volatile data, however, require that the computer be in a forensic lab, both to maintain a legitimate chain of evidence and to facilitate work on the machine. If necessary, techniques exist to move a live, running computer while preventing it from going to sleep accidentally; usually, an uninterruptible power supply (UPS) provides power during transit. However, one of the easiest ways to capture data is by saving the RAM data to disk. Various file systems such as NTFS and ReiserFS keep a large portion of the RAM data on the main storage media during operation, and these page files can be reassembled to reconstruct what was in RAM at that time.

Analysis tools

Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and pictures for review.

Certifications

There are several computer forensics certifications available, such as the ISFCE Certified Computer Examiner, Digital Forensics Investigation Professional (DFIP) and IACRB Certified Computer Forensics Examiner. The top vendor-independent certification (especially within the EU) is considered to be the CCFP - Certified Cyber Forensics Professional.
Others worth mentioning for the USA or other regions include the International Association of Computer Investigative Specialists' Certified Computer Forensic Examiner and the Asian School of Cyber Laws' certifications in Digital Evidence. Many commercial forensic software companies also offer proprietary certifications on their tools.

Use as evidence

In court, computer forensic evidence is subject to the usual requirements for digital evidence. This requires that information be authentic, reliably obtained, and admissible. Different countries have specific guidelines and practices for evidence recovery. In the United Kingdom, examiners often follow Association of Chief Police Officers guidelines that help ensure the authenticity and integrity of evidence. While voluntary, the guidelines are widely accepted in British courts. Computer forensics has been used as evidence in criminal law since the mid-1980s; some notable examples include:

* BTK Killer: Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.
