Methods and technology used in Computer Forensics


OVERVIEW & INTRODUCTION

1.0 Document Overview

2.0 What is Computer Forensics?

        2.1 Uses of Computer Forensics

SECTION A: RESEARCH, THEORY & METHODOLOGIES

3.0 Computer Forensics Tools & Applications

        3.1 Hardware

                3.1.1 Standalone Devices

                3.1.2 Integrated Configurations

                3.1.3 Forensic Networks

        3.2 Software

                3.2.1 NIST CFTT, FS-TST & NSRL

4.0 Locating Sensitive Data

5.0 Computer Forensic Techniques

        5.1 Recovering Deleted Data

        5.2 String Searching

        5.3 Registry Reconstruction

6.0 Overcoming Forensic Techniques

SECTION B: PRACTICAL APPLICATION

7.0 Recovering Deleted Data

8.0 Web Browser Activity Reconstruction

9.0 Analysing Files of Unknown Origin


OVERVIEW & INTRODUCTION

1.0        Document Overview

This document will examine computer forensics from both a theoretical and a practical perspective. Section A will look at the former, researching and discussing the various aspects of computer forensics, including important methodologies and technical and practical considerations. Section B will document a series of live tests that I conducted in a virtualised environment, analysing the use of a variety of forensic tools and applications. While this document is primarily concerned with the technical side of computer forensics, the legalities of the subject will be discussed briefly in Section C, as the legal considerations of the science are too significant an aspect to be ignored. Where relevant, examples of situations in which the various aspects of computer forensics have been applied are cited.

2.0        What is Computer Forensics?

In order to properly examine any aspect of the digital world, it is important to fully understand what it is that you are examining. Essentially, computer forensics is the set of means by which data on a computer can be located, recovered and interpreted in a way that preserves its value as evidence. By "means", I am referring to a range of techniques, tools and applications, many of which will be discussed throughout the course of this document. The purpose of computer forensics usually comes down to a question of evidence: finding data that can prove some particular fact, usually pertaining to what a user has been doing on their computer. In this sense, this branch of forensic science is no different from its counterparts; it is simply digital.

2.1        Uses of Computer Forensics

As was just noted, computer forensics is used to uncover proof of particular usage in digital environments. This is not always a question of criminal investigation; there are also civil, academic and professional reasons for using computer forensics. Dennis Lynn Rader, a notorious American serial killer, was convicted in 2005 after a lengthy investigation came to a head when a floppy disk he had sent to a Wichita television station was analysed. Contained on the disk was a Microsoft Word document taunting the authorities. By analysing the metadata embedded in the document, investigators found that it had last been modified by a user named Dennis, together with a link to the church at which Rader was president of the congregation council. After a search that lasted three decades, it was the ability to analyse data that provided the critical piece of evidence. The use of computer forensics in criminal investigations such as the Rader case is commonplace. Cases involving the distribution and downloading of child pornography are another example: through digital analysis of the hardware, authorities can identify whether an alleged offender has been viewing such material, even if the original data has been deleted from the disk.

The ability to recover data is relevant across all fields. Civil disputes have often turned on the results of hardware analysis. One of the most famous civil actions in history was the consolidated antitrust action against Microsoft Corporation, United States v. Microsoft. Amongst the allegations against the software giant were numerous breaches of antitrust law, including the claim that then Microsoft executive Paul Maritz, later CEO of VMware, had described the bundling of Internet Explorer with Windows as an attempt to "cut off Netscape's air supply". While Maritz denied making the remark, subsequent analysis of deleted data uncovered an email suggesting that the former vice president had in fact made such a statement.

Computer forensics, and the ability to recover data, also plays a part in academic and professional scenarios where legitimate data needs to be recovered, for example from a corrupted hard disk. In summation, there are a vast number of reasons why we need computer forensics and its various applications; the cases above are just a sample of them.

SECTION A: RESEARCH, THEORY & METHODOLOGIES

The primary focus of this document will be an examination of technical aspects involved in the application of computer forensic techniques, as well as a practical demonstration of a selection of these. This section addresses the former of these two objectives; an examination of the technical aspects.

3.0        Computer Forensics Tools & Applications

The evolution of technology progresses at an immensely rapid pace; because of this, computer forensics tools and applications must be constantly updated. The techniques involved in computer forensics are, in response to advancing methods of data destruction and concealment, becoming increasingly complex, and the tools involved must keep up. There are a number of considerations to take into account when choosing which tools to opt for. Firstly, as forensic tasks are usually highly specific, it is important to know exactly what it is that you are trying to achieve. Is the aim to uncover hidden or deleted data, or are you trying to reconstruct corrupted information? There are countless scenarios to be considered, such as the platform to be analysed and whether the file system is FAT, NTFS, ext4 or any other of the various file systems in use today; all of these considerations, and more, must be taken into account when choosing computer forensics tools.

The functions of computer forensics tools can be defined in five categories: acquisition, validation and discrimination, extraction, reconstruction, and reporting.

One of the primary functions of many computer forensics tools is data acquisition. Essentially, data acquisition is the process of copying digital evidence from disks, bit for bit and without altering the source, and while it sounds trivial, it holds considerable importance in computer forensics and carries a correspondingly higher degree of complexity. With this in mind, data acquisition techniques will be examined in more detail later in this document.

Validation and discrimination are two major concerns of analysts when it comes to computer forensics. Firstly, they must ensure validation: the integrity of the data being copied. Secondly, there is the issue of discrimination: the process of filtering data. Without tools that offer validation, analysts may face issues of data loss and corruption, and, as is often the case, there may not be a second chance to acquire the necessary data. Many modern computer forensics tools ensure data integrity through various methods of validation, such as obtaining SHA-512 and MD5 hash values of the source and of the copy and comparing them. Because collisions can be constructed for MD5, a hash from the SHA-2 family should be recorded alongside it rather than relying on MD5 alone. Discrimination features within computer forensics tools provide a major convenience for analysts. When examining data, there are large volumes that are irrelevant to the analysis or investigation. By utilising discrimination features in tools, analysts can avail of processes such as verification of file header information, effectively allowing them to filter the data so that they are only presented with what they are interested in.
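The following is an added example, not the essay's own code or any vendor's, of acquisition with validation as described above: the source is copied chunk by chunk while two digests are computed, and the stored image is later re-hashed and compared against the recorded values. The device is a constructed byte string standing in for a seized disk; a real acquisition would read the block device through a write blocker.

```python
"""Added example (not from the essay): acquisition of a raw image with
on-the-fly hashing, followed by independent re-verification of the stored
image. A small constructed byte string stands in for the seized device."""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB reads keep memory flat on multi-terabyte sources

# Constructed stand-in for a device: a FAT-style boot sector (jump, OEM name,
# padding, 0x55AA signature) followed by filler. Real acquisition would read
# /dev/sdX through a write blocker instead of a BytesIO.
SAMPLE_DEVICE = (b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA"
                 + bytes(range(256)) * 8)


def digest_bytes(data, algorithm="md5"):
    """Reference digest of an in-memory buffer (used to cross-check acquire())."""
    return hashlib.new(algorithm, data).hexdigest()


def acquire(source, dest_path, algorithms=("md5", "sha256")):
    """Copy `source` (a binary file object) byte-for-byte to dest_path, feeding
    every chunk to each hash as it passes. Returns the acquisition record
    {"bytes": n, "md5": "...", "sha256": "..."}, which goes in the case notes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    with open(dest_path, "wb") as out:
        for chunk in iter(lambda: source.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            out.write(chunk)
            total += len(chunk)
    record = {name: h.hexdigest() for name, h in hashers.items()}
    record["bytes"] = total
    return record


def verify(image_path, record):
    """Re-hash the stored image and compare with the acquisition record.
    Returns (ok, per_check) so a report can say exactly which check failed."""
    hashers = {name: hashlib.new(name) for name in record if name != "bytes"}
    size = 0
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            size += len(chunk)
    per_check = {name: h.hexdigest() == record[name] for name, h in hashers.items()}
    per_check["bytes"] = size == record["bytes"]
    return all(per_check.values()), per_check


def demo():
    """Acquire the sample, verify it, corrupt one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        record = acquire(io.BytesIO(SAMPLE_DEVICE), image)
        ok_before, _ = verify(image, record)
        with open(image, "r+b") as f:      # simulate silent media corruption
            f.seek(100)
            f.write(b"\xFF")               # offset 100 is 0x00 in the sample
        ok_after, per_check = verify(image, record)
        return record, ok_before, ok_after, per_check


if __name__ == "__main__":
    rec, before, after, checks = demo()
    print(rec)
    print("verified before corruption:", before)
    print("verified after corruption:", after, checks)
```

A single flipped byte leaves the size check passing while both digests fail, which is why the size alone is never treated as validation. Hashing during the copy rather than afterwards also means the source is read exactly once.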

Extraction of data is more difficult than the aforementioned functions, and so tools incorporating such features are usually more expensive. In computer forensics, extraction refers to the ability to recover data from some inaccessible or corrupted location; think of the analogy of airlifting a crew from a stranded vessel. Most tools aid extraction by providing a number of features, particularly data viewing and what is known as salvaging or, more commonly, carving. Tools facilitate data viewing in a variety of ways, but one popular method is to present the drive's logical layout alongside a hexadecimal view of its clusters and sectors. Carving is the analysis of unallocated disk space for file-specific fragments, typically header and footer signatures, which in turn allow whole structures and data streams to be extracted without any help from the file system; it works because deleting a file normally removes only its directory entry, leaving the content in place until it is overwritten. Extraction tools also incorporate techniques more usually associated with attackers: they offer functions such as brute-force password attacks for the event that an investigator must overcome some form of encryption in order to reach the data required for analysis.
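As an added example (not the essay's own code, nor that of any forensic product), the block below implements the two signature-based functions discussed in this section and the previous one: header verification for discrimination, where a file's first bytes are checked against what its extension claims, and carving of unallocated space, where known headers are located and the content up to the matching footer is extracted. The signatures are the published magic numbers for JPEG, PNG and PDF; the "unallocated space" and the files in it are constructed inline.

```python
"""Added example (not from the essay): header-based discrimination and
signature carving of unallocated space. Signatures are the published magic
numbers for JPEG, PNG and PDF; the "unallocated space" is a constructed blob."""
import os

# (header, footer) per type. Footers let the carver stop at the real end of
# the file rather than at a fixed size.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EXT_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf"}


def identify(data):
    """What the first bytes say the file is, regardless of its name."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def extension_mismatch(filename, data):
    """Discrimination: True when a known header sits behind the wrong (or no)
    extension, e.g. an image renamed to 'notes.txt' to hide it."""
    claimed = EXT_TYPE.get(os.path.splitext(filename.lower())[1])
    actual = identify(data)
    return actual is not None and actual != claimed


def carve(blob, max_size=10_000_000):
    """Scan unallocated space for every known header; for each hit take up to
    the next footer (inclusive) within max_size, otherwise max_size or the end
    of the blob. Returns [(type, offset, bytes)] sorted by offset. Fragmented
    files and signature-like noise give partial or false hits: a carver
    produces candidates, it does not prove them."""
    hits = []
    for name, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            i = blob.find(header, start)
            if i < 0:
                break
            j = blob.find(footer, i + len(header), i + max_size)
            end = j + len(footer) if j >= 0 else min(i + max_size, len(blob))
            hits.append((name, i, blob[i:end]))
            start = i + len(header)
    return sorted(hits, key=lambda hit: hit[1])


# Constructed fragments standing in for files whose directory entries are gone.
FAKE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"A" * 40 + b"\xFF\xD9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0DIHDR" + b"B" * 30
            + b"IEND\xAE\x42\x60\x82")
TRUNC_PDF = b"%PDF-1.4\n" + b"C" * 20          # tail overwritten, no %%EOF
UNALLOCATED = (b"\x00" * 64 + FAKE_JPEG + b"\x00" * 33 + TRUNC_PDF
               + b"\x00" * 17 + FAKE_PNG + b"\x00" * 8)

if __name__ == "__main__":
    print("notes.txt is really a", identify(FAKE_JPEG),
          "- mismatch:", extension_mismatch("notes.txt", FAKE_JPEG))
    for kind, offset, data in carve(UNALLOCATED):
        print(f"{kind:5} at offset {offset:4} size {len(data)}")
```

The truncated PDF shows the failure mode the section alludes to: with no footer in range the carver returns everything up to the size limit or the end of the region, so the candidate contains the following PNG and must be trimmed by hand or by a format-aware parser.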

Tools which facilitate reconstruction have become more common with the emergence of more sophisticated methods of data corruption and deletion. Reconstruction tools do two things: copy and rebuild data. At its simplest, a reconstruct function creates an exact clone of a disk partition. This is very helpful in computer forensics, particularly in criminal investigations, or where several investigators or analysts each need their own copy of the original disk for examination, so that nobody works on the original. While comparable to acquisition, reconstruction is slightly different and the two should not be confused: acquisition copies data bytes and streams into an image, while reconstruction reproduces an entire configuration, data included, onto working hardware; it is essentially cloning. More advanced tools offer a secondary reconstruction feature, combining, which allows several acquisitions and clones to be rebuilt into a near-exact replica of a corrupted system. This is often beneficial where hardware has been damaged to the extent that the data can still be extracted but the configuration itself is beyond repair.

Then, of course, there is always reporting. Because of the nature of the situations in which computer forensics is used, strict reporting is often required. To facilitate this, many tools offer integrated reporting features, which create logs of what was found through the analysis and of the steps the investigator took during it, and which translate non-readable data into representations that can be displayed and viewed for reporting purposes.

3.1        Hardware

The hardware used in computer forensics varies greatly depending on the type and complexity of the analysis in question. Several vendors offer a variety of standalone devices, while others provide integrated configurations, essentially complete computer forensics hardware suites for investigators and analysts.

        3.1.1        Standalone Devices

Password Decryption Device

Data needed for analysis, particularly when it is incriminating, will more than likely be encrypted if the user of that data is at all computer-literate. Developed by Digital Intelligence, the Rack-A-TACC is a typical example of a hardware device used in computer forensics for password recovery, often a necessary step before data can be retrieved. The device comprises four TACC1441 accelerators. Designed by Tableau, the TACC1441 is a hardware accelerator which the vendor states increases password-recovery speed by a factor of around 60 over a host processor. A few simple figures illustrate how this aids a forensic investigation, and where its limits lie. Forcefully decrypting information can be extremely difficult, and without sufficient hardware effectively impossible. Certain kinds of encryption can only be attacked with extremely powerful machines, which are themselves often beyond the budget of national agencies and law enforcement. The US National Security Agency (NSA), the cryptologic intelligence agency of the US Government, is reported to control one of the world's most powerful supercomputers, said to require 8,000 tonnes of water just to keep it cooled; this computer, referred to as "the Thinking Machine", is claimed to test 70 quadrillion keys in a few seconds. "Roadrunner", stationed at the US Department of Energy's Los Alamos National Laboratory, can perform 1,000 trillion calculations per second. Resources on the scale of the Thinking Machine and Roadrunner are not available to law enforcement agencies, even in larger countries, but that is not to say that they are stranded. With the likes of the Rack-A-TACC and TACC accelerators, data won't be decrypted in seconds, but much of it will be decrypted.

It is important to be precise about what such devices attack. Take 128-bit encryption: a 128-bit key space is 2^128, approximately 3.4 × 10^38 possible keys. No computer, accelerated or not, can exhaust that; even at a trillion keys per second the expected search would take on the order of 10^18 years. What the accelerators attack is the password from which the key is derived, and password spaces are vastly smaller: an eight-character lowercase password has only 26^8, about 2 × 10^11, possibilities. Throughput also scales linearly with hardware, not exponentially. A system with ten Rack-A-TACCs contains 40 TACC1441 accelerators, so at 60× each it is roughly 40 × 60 = 2,400 times faster than a single unaccelerated host, not 60^40. Vendor specifications claim that the device can test 105,000 Microsoft Office passwords per second and 2,500,000 WinZip passwords per second, which the vendor describes as roughly 180 times the rate of an average quad-core processor per single TACC. Of course, decryption requirements vary from situation to situation, but this illustrates both the power afforded to computer forensic investigators by the password-recovery devices currently on the market and the reason that the strength of the password, not merely of the cipher, determines whether data can be recovered.
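The arithmetic behind the figures above, as an added worked example that is not part of the original essay: key space versus password space, and how throughput grows with accelerators. The per-accelerator rate of 2,500,000 passwords per second is the vendor's WinZip figure taken as an assumption; the 40-accelerator system and the 60× factor are the scenario described in the text.

```python
"""Added example (not from the essay): search-space arithmetic for brute-force
password recovery versus key search. Rates and accelerator counts are the
assumptions stated in the lead-in, not measurements."""
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_space(bits):
    """Number of possible keys for a symmetric cipher of the given key length."""
    return 2 ** bits


def password_space(charset_size, max_length):
    """Passwords of length 1..max_length over a charset: what a cracker walks
    when the password, not the key, is the target."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def aggregate_rate(host_rate, accelerators, speedup_per_accelerator):
    """Throughput adds across accelerators: 40 units at 60x give 2400x the
    host rate, not 60 ** 40."""
    return host_rate * accelerators * speedup_per_accelerator


def expected_years(space, rate_per_second):
    """Average time to hit the right candidate: half the space at the rate."""
    return space / 2 / rate_per_second / SECONDS_PER_YEAR


def comparison():
    """Years to recover, at the same assumed system rate, a 128-bit key and
    passwords of up to eight characters from two character sets."""
    per_accelerator = 2_500_000            # assumed: vendor WinZip figure
    rate = per_accelerator * 40            # assumed: ten Rack-A-TACCs
    return {
        "rate_per_second": rate,
        "aes128_key_years": expected_years(key_space(128), rate),
        "lowercase8_years": expected_years(password_space(26, 8), rate),
        "printable8_years": expected_years(password_space(95, 8), rate),
    }


if __name__ == "__main__":
    print("2^128 =", key_space(128))
    print("speedup from 40 accelerators at 60x:", aggregate_rate(1, 40, 60))
    for name, value in comparison().items():
        print(f"{name:18} {value:.3g}")
```

At 10^8 guesses per second the eight-character lowercase space falls in minutes and the full printable-ASCII space in about a year, while the 128-bit key space would take more than 10^22 years; the accelerator changes the first two outcomes and has no practical effect on the third.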


Forensic Duplicator

There is a range of forensic duplicators on the market at the moment, offered by various vendors. Examples are the ImageMASSter Solo 3 Forensic Duplicator and the TD1 Forensic Duplicator. Forensic duplicators are designed to aid in data acquisition. They are essentially portable imaging tools that can both acquire and replicate data at very high rates. The TD1, for example, can sustain rates of up to 6GB/min, meaning that it could replicate 600GB of data in approximately 100 minutes. Most forensic duplicators, particularly the newer models, would support data acquisition from a ...
