Computer Forensics - Uppsala University [PDF]
Computer Forensics Liu Qian, Fredrik Höglin, Patricia Alonso Diaz Uppsala University 2007-10-08

Outline

This report gives a brief overview of the field of computer forensics: its background, definitions, objectives and the way it is performed. Problems within the process are highlighted and examples of computer forensics are included. Rather than limiting itself to one small, detailed part of the field, the report looks at the whole picture. After reading it, the reader will understand what computer forensics is used for, why it is used, how it relates to computer security and what a few of its many problems are.

Background

Since 1946, the year in which the first general-purpose electronic computer, ENIAC, was built, computers have developed at a dramatic pace. The appearance and growth of networks has extended the influence computers have on human society. Today computers are used all over the world and act as people's right hand in almost every field; it is hard to imagine what life would be like without them. At the same time, the thing people rely on most is also one that can do them serious harm. While appreciating the benefits computers create, people should also be aware of the damage they can cause and guard against it. One example is that computers and other digital devices are increasingly used in illegal activities, which is also the origin of, and motivation for, computer forensics.

Definition

There are many definitions. A classic one is: "Computer forensics is the scientific examination and analysis of

To: MindSpring Technical Support Desk
From: [email protected]
Subject: Reading Mail Headers
Cc: [email protected]

This example shows four pieces of useful information:

• The host that added the Received line: mailgrunt1.mindspring.com
• The IP address of the incoming SMTP connection: 204.180.128.191
• The reverse-DNS lookup of that IP address: mailmule0.mindspring.com
• The name the sender used in the SMTP HELO command (the command that opens the SMTP conversation) when it connected: mailmule0.mindspring.com

Only the second and third items are observed by the receiving server itself; the HELO name is whatever the sender chose to claim.
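The following parser shows how the four fields are pulled out of a Received header and how a chain of such headers is turned into a relay path. It is an added example written for this page, not code from the report or from MindSpring. The message it parses is constructed: the two MindSpring hostnames and the IP address are the ones named in the bullets above, while the second hop, the addresses, queue ids and dates are invented. It also generalises the single Received line of the report to a whole chain, and flags hops whose HELO name disagrees with the reverse DNS the receiver resolved itself.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample message. The hostnames and IP address are the ones named
# in the four bullets above; everything else (the second hop, ids, dates,
# addresses) is invented for the example.
SAMPLE_MESSAGE = """\
Received: from mailmule0.mindspring.com (mailmule0.mindspring.com [204.180.128.191])
\tby mailgrunt1.mindspring.com (8.9.3/8.8.5) with ESMTP id QAA12345
\tfor <support@mindspring.com>; Mon, 08 Oct 2007 14:02:11 -0400 (EDT)
Received: from customer-pc (dialup-1.example.net [198.51.100.23])
\tby mailmule0.mindspring.com (8.9.3/8.8.5) with SMTP id QAA54321;
\tMon, 08 Oct 2007 14:02:05 -0400 (EDT)
From: user@example.net
To: support@mindspring.com
Subject: Reading Mail Headers

Example body.
"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving host>": the part in
# parentheses is what the receiving MTA observed itself, the HELO name is
# whatever the sender claimed. The parenthesised part is optional because some
# MTAs omit the reverse DNS ("(unknown [ip])" or "([ip])").
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Unfold one Received header and pull out the four fields plus the date."""
    flat = " ".join(value.split())          # folded continuation lines -> one line
    m = RECEIVED_RE.search(flat)
    if not m:
        return None                         # unusual MTA format: leave for manual review
    hop: Dict[str, Optional[str]] = m.groupdict()
    hop["date"] = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return hop


def relay_path(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Return the hops oldest-first. Each MTA prepends its own Received line,
    so the top header is the last hop and the bottom one is closest to the sender."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    hops.reverse()
    return hops


def helo_mismatches(hops: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Hops where the claimed HELO name differs from the reverse DNS resolved by the
    receiving MTA. A sender controls its HELO name, and can even forge whole
    Received lines below the first hop that is under the investigator's control,
    so only the receiver's own observations should be trusted."""
    return [h for h in hops if h["rdns"] and h["helo"].lower() != h["rdns"].lower()]


if __name__ == "__main__":
    for hop in relay_path(SAMPLE_MESSAGE):
        print(f"{hop['helo']} ({hop['rdns']} [{hop['ip']}]) -> {hop['by']} at {hop['date']}")
    print("HELO mismatches:", [h["helo"] for h in helo_mismatches(relay_path(SAMPLE_MESSAGE))])
```

In the constructed message the dial-up client announces itself as `customer-pc` while the receiving server resolved its address to `dialup-1.example.net`, which is the kind of discrepancy a mail-header examination starts from.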

Deleted e-mail

Some people believe that an e-mail deleted from the client cannot be recovered. They are mistaken: e-mail can often be recovered after deletion with forensic techniques, both from the user's client and from the mail servers. Messages may reside on intermediate servers or on backup tapes created during the normal operation of the mail service, and they can be extracted from the hard disk of the client or of the server, where deleted data usually remains until it is overwritten. It is also possible to recover messages written or read through web-based services such as Hotmail, Gmail and Yahoo Mail. These services are used through a browser, and the browser caches the pages it renders, including the HTML of the message, on the local disk. With forensic techniques the HTML-based message can be carved out of the disk drive.
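A minimal carver for the two artifact types described above, written as an added example for this page (it is not code from the report). It scans a byte buffer that stands in for unallocated disk space or a browser cache file; the buffer, the message and the cached webmail page inside it are all constructed. A deleted message survives as a block of "Name: value" header lines followed by an empty line, and a cached webmail page survives as an HTML document, so the carver looks for exactly those two shapes and reports the offset and subject of each hit.

```python
import re
from typing import Dict, List, Optional

# A header block is at least three consecutive "Name: value" lines followed by
# an empty line, which is how every RFC 822 message starts.
HEADER_BLOCK = re.compile(rb"((?:[A-Za-z][A-Za-z0-9-]*:[ \t][^\r\n]*\r?\n){3,})\r?\n")
# Webmail leaves rendered pages in the browser cache; grab whole HTML documents.
HTML_DOCUMENT = re.compile(rb"<html\b.*?</html>", re.IGNORECASE | re.DOTALL)
SUBJECT = re.compile(rb"^Subject:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)
TITLE = re.compile(rb"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)

# Constructed "unallocated space": filler bytes around a deleted .eml fragment
# and a cached webmail page. A real carver would read this from a disk image.
FILLER = b"\x00" * 64 + b"\xde\xad\xbe\xef" * 16
IMAGE = (
    FILLER
    + b"From: alice@example.net\r\n"
    + b"To: bob@example.net\r\n"
    + b"Subject: Q3 invoices\r\n"
    + b"Message-ID: <a1@example.net>\r\n"
    + b"\r\n"
    + b"Please find the invoices attached.\r\n"
    + FILLER
    + b"<html><head><title>Re: Q3 invoices - Webmail</title></head>"
    + b"<body>Got them, thanks.</body></html>"
    + FILLER
)


def _text(raw: Optional[bytes]) -> Optional[str]:
    return raw.decode("utf-8", errors="replace").strip() if raw is not None else None


def carve_mail_artifacts(image: bytes) -> List[Dict[str, object]]:
    """Scan raw bytes (unallocated clusters, a pagefile, a browser cache file)
    for mail header blocks and HTML documents; return them ordered by offset."""
    hits: List[Dict[str, object]] = []
    for m in HEADER_BLOCK.finditer(image):
        subject = SUBJECT.search(m.group(1))
        hits.append({"kind": "rfc822", "offset": m.start(1),
                     "subject": _text(subject.group(1) if subject else None),
                     "data": m.group(0)})
    for m in HTML_DOCUMENT.finditer(image):
        title = TITLE.search(m.group(0))
        hits.append({"kind": "html", "offset": m.start(),
                     "subject": _text(title.group(1) if title else None),
                     "data": m.group(0)})
    hits.sort(key=lambda h: int(h["offset"]))  # type: ignore[arg-type]
    return hits


if __name__ == "__main__":
    for hit in carve_mail_artifacts(IMAGE):
        print(f"{hit['kind']:7} @ {hit['offset']:6}  {hit['subject']}")
```

The header-block carver only recovers the headers; the body that follows runs up to whatever overwrote the next cluster, so a real tool carries on from the match and stops at the next unreadable run, and it checks the Message-ID against the live mailbox to tell a deleted message from one that still exists.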

How to handle a large quantity of e-mail

It is possible to review every message, but with the huge volumes of e-mail that usually exist this can be a very hard task. Forensic examiners use review tools that copy and index the messages and their attachments and search them for incriminating evidence using keyword searches. Some programs have been developed so far that they can recognise general threads in e-mail by looking at words or word groups. Messages may also contain In-Reply-To: headers that allow conversation threads to be reconstructed; this is something most good e-mail clients can do. Thanks to these techniques large amounts of time can be saved by eliminating irrelevant information.
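The two techniques just described, keyword search and thread reconstruction from In-Reply-To/References headers, combined into one triage step; this is an added example for this page, not code from the report or from any review product. The five-message mailbox is constructed. The point of combining them is that a keyword hit on one message pulls in the whole conversation it belongs to, so the reviewer reads the hit in context and can drop every thread without a hit.

```python
from email import message_from_string
from email.message import Message
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Optional, Set

# Constructed mailbox: two conversations, five messages. The third message
# carries only a References header, as some clients send.
MAILBOX = [
    """Message-ID: <m1@example.net>
From: alice@example.net
To: bob@example.net
Date: Mon, 08 Oct 2007 09:00:00 +0200
Subject: Q3 invoices

Bob, the Q3 invoices are attached for approval.
""",
    """Message-ID: <m2@example.net>
In-Reply-To: <m1@example.net>
From: bob@example.net
To: alice@example.net
Date: Mon, 08 Oct 2007 09:30:00 +0200
Subject: Re: Q3 invoices

Approved. Send the totals to my private address instead.
""",
    """Message-ID: <m3@example.net>
References: <m1@example.net> <m2@example.net>
From: alice@example.net
To: bob@example.net
Date: Mon, 08 Oct 2007 10:15:00 +0200
Subject: Re: Q3 invoices

Done. The wire transfer to the new account went out this morning.
""",
    """Message-ID: <m4@example.net>
From: alice@example.net
To: carol@example.net
Date: Mon, 08 Oct 2007 11:00:00 +0200
Subject: Lunch?

Lunch at the usual place?
""",
    """Message-ID: <m5@example.net>
In-Reply-To: <m4@example.net>
From: carol@example.net
To: alice@example.net
Date: Mon, 08 Oct 2007 11:05:00 +0200
Subject: Re: Lunch?

Sure, 12:30.
""",
]


def index_messages(raw_messages: Iterable[str]) -> Dict[str, Message]:
    """Parse every message and key it by Message-ID (messages without one are skipped)."""
    parsed = [message_from_string(raw) for raw in raw_messages]
    return {m["Message-ID"].strip(): m for m in parsed if m["Message-ID"]}


def parent_id(msg: Message) -> Optional[str]:
    """In-Reply-To is the direct parent; fall back to the last entry of References."""
    in_reply_to = msg.get("In-Reply-To")
    if in_reply_to:
        return in_reply_to.split()[0]
    references = msg.get("References")
    if references:
        return references.split()[-1]
    return None


def thread_root(msgs: Dict[str, Message], mid: str) -> str:
    """Walk parents until a message with no known parent; loops and missing parents stop the walk."""
    seen: Set[str] = set()
    while True:
        seen.add(mid)
        parent = parent_id(msgs[mid])
        if parent is None or parent not in msgs or parent in seen:
            return mid
        mid = parent


def build_threads(msgs: Dict[str, Message]) -> Dict[str, List[str]]:
    """Group Message-IDs by thread root, each thread in Date order."""
    threads: Dict[str, List[str]] = {}
    for mid in msgs:
        threads.setdefault(thread_root(msgs, mid), []).append(mid)
    for members in threads.values():
        members.sort(key=lambda m: parsedate_to_datetime(msgs[m]["Date"]))
    return threads


def keyword_hits(msgs: Dict[str, Message], keywords: Iterable[str]) -> Set[str]:
    """Case-insensitive keyword search over subject and body."""
    needles = [k.lower() for k in keywords]
    hits: Set[str] = set()
    for mid, msg in msgs.items():
        haystack = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
        if any(n in haystack for n in needles):
            hits.add(mid)
    return hits


def triage(raw_messages: Iterable[str], keywords: Iterable[str]) -> Dict[str, List[str]]:
    """Return only the threads that contain at least one keyword hit, whole."""
    msgs = index_messages(list(raw_messages))
    hits = keyword_hits(msgs, keywords)
    return {root: members for root, members in build_threads(msgs).items()
            if hits.intersection(members)}


if __name__ == "__main__":
    for root, members in triage(MAILBOX, ["wire transfer"]).items():
        print(root, "->", members)
```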



Examples of common uses

Nowadays there are some basic areas in which computer forensics is used:

Crimes
Computer forensics is used by government and law-enforcement personnel to investigate crimes. Its use is increasing, since more and more criminals use computing technology. In cases such as financial forgery, computer forensics can provide the legal evidence that proves what happened. Criminals also use computer technology to commit crimes that would not be possible without computing devices, such as breaking into a networked system, stealing or altering secret data, cracking passwords, and so on. Computer forensics makes it possible to detect such crimes and to recover lost or destroyed documents.

Private companies
In this case computer forensics is concerned with locating, collecting, analysing and authenticating potential evidence on computers and digital storage media. Computer forensic techniques are used to investigate electronic theft and fraud, improper use of computing resources by employees, and so on. Some common uses within a company are:

• Employee theft or misuse of computers
• Litigation support
• Review of e-mail and Internet history
• Recovery of deleted or password-protected information
• Wiping of hard drives or other storage devices

Problems regarding computer forensics

• Preparation (identify/collect)
Since computer forensics is about gathering data from just about every possible hardware setup in the world, the examiners must have a deep understanding of whichever platform they will be working on for a particular job. Jobs vary greatly, from extracting information from an ordinary user's home hard drive to extracting encrypted information from a whole network of computers. To overcome the problem of widely varying hardware, investigators have to be well prepared and have a good view of the hardware beforehand, so that people with the right skills and the right equipment can be called in.

Caution has to be observed regarding the nature of the system(s) as well. Seizing a single computer for analysis is often not that problematic, but when investigating a whole company it might not be in anyone's best interest to seize every machine and router in the building. Legitimate businesses can be hurt; for example, when Swedish police seized equipment belonging to the hosting company PRQ, several legitimate businesses were interrupted in the process.

• Investigation (examine/preserve)
Just as at a physical crime scene, the same rules apply to computers and the evidence is handled in much the same way, which presents a whole new set of problems. For instance, information that is available while a system is running may disappear when the power is cut. Since the normal procedure is to collect the evidence and bring it back to the lab for analysis, you cannot simply unplug a computer and take it with you, because volatile data such as the contents of memory and the open network connections would be lost.

Once at the "crime scene", problems may include so-called counter-forensics. An example is MAFIA (Metasploit Anti-Forensic Investigation Arsenal). Users involved in criminal activity usually take precautions, for instance scripts that run on shutdown to erase evidence, or other methods of covering their tracks if the computer's chassis is opened. With MAFIA users can alter file timestamps, and there are tools that work only in RAM and never write anything to disk, which leaves far less evidence for investigators. Investigators should treat users as experts unless they have explicit information that they are not; this is to avoid losing evidence. The investigator is in effect taking on the role of an attacker while performing the investigation, so a good knowledge of computer security is necessary in order to know how to bypass the protections on the investigated system.

Another huge problem is time. Today's computers can generate enormous amounts of data, and the time required to analyse all of it quickly adds up. If you also take into account the restoration of deleted information and the breaking of encryption and passwords, it becomes a big issue. Returning to the police raid on the hosting company PRQ: some of the hardware seized on 31 May 2006 is only now being released, after about a year and a half.

Since the goal is to obtain information that can be used as evidence in a courtroom, it is very important that the information is handled in a way that keeps it admissible. That means it must be shown to be authentic. Issues arise because the records are created by a computer, and the question of whether they have been altered or damaged after creation can come up. It is often much easier to alter computer documents than "real" documents, so such objections may be valid: you cannot identify a person's handwriting in a text file. Here computer security comes up again, but this time, instead of acting as an attacker breaking into a system, the forensic specialist must make sure that nobody else can break into their systems and change the data they are working on. Traditionally, when working with evidence, you had to produce the original; how do you produce an original computer file? As soon as you print a document you have a copy. However, just as a photograph printed from a negative is regarded as an original, a printout of a computer file is also regarded as one.
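The standard answer to the authenticity question raised above is to hash every acquired item at collection time, record the hashes in a manifest, and re-verify the hashes before analysis and before presenting results. The following is an added example for this page (not code from the report): it builds a SHA-256 manifest of an evidence directory, derives a single fingerprint of the manifest that can be written on the chain-of-custody form, and re-verifies the directory, reporting modified, missing and added files. The evidence files in `demo()` are constructed stand-ins for a disk image and a memory capture.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root, in a stable order."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_fingerprint(manifest: Dict[str, str]) -> str:
    """One hash over the canonical JSON form of the manifest; this is the value
    that goes on the chain-of-custody form and is compared at every hand-over."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash root and report every deviation from the recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k, v in manifest.items() if k in current and current[k] != v),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> Tuple[str, Dict[str, List[str]]]:
    """Acquire, fingerprint, tamper, re-verify. Evidence files are constructed stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "disk0.dd").write_bytes(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)
        (root / "memory.raw").write_bytes(b"constructed memory capture")
        manifest = build_manifest(root)
        fingerprint = manifest_fingerprint(manifest)
        if verify_manifest(root, manifest) != {"modified": [], "missing": [], "added": []}:
            raise RuntimeError("a freshly built manifest must verify clean")
        # Simulate what the text warns about: someone flips one byte in the image
        # and an analyst drops a scratch file into the evidence directory.
        tampered = bytearray((root / "disk0.dd").read_bytes())
        tampered[4096] ^= 0x01
        (root / "disk0.dd").write_bytes(bytes(tampered))
        (root / "notes.txt").write_text("analyst scratch file\n")
        return fingerprint, verify_manifest(root, manifest)


if __name__ == "__main__":
    fp, report = demo()
    print("manifest fingerprint:", fp)
    print("verification after tampering:", report)
```

Work is never done on the hashed original: a verified copy is analysed, and the manifest is re-checked against the original when the analysis is complete, so that a single flipped byte, as in `demo()`, is caught rather than argued about in court.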

Summary

As Chris L.T. Brown wrote in his 2006 book, computer forensics "is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in." It needs not only advanced technology and tools but also sensitive intuition and adept skill, and it is concerned not only with collection and analysis but also with acceptability under the law and the criteria of the courts.

References

http://www.dn.se/DNet/jsp/polopoly.jsp?d=147&a=700057
http://www.daemon.be/maarten/forensics.html#csm
http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm
http://computerforensics.net/forensics.htm
http://computer-forensics.safemode.org/index.php?page=Computer_Forensics_FAQ
http://en.wikipedia.org/wiki/Computer_forensics#Example
http://www.computerforensicsworld.com/index.php
http://www.cs.purdue.edu/homes/clifton/cs526/Forensics.pdf
http://www.computerforensicsworld.com
http://en.wikipedia.org/wiki/Computer_forensics
http://www.forensicfocus.com
http://www.computerforensics.net/forensics.htm
http://www.dns.co.uk/NR/rdonlyres/5ED1542B-6AB5-4CCE-838DD5F3A4494F46/0/ComputerForensics.pdf
