CHAPTER 4
How to Approach a Computer Forensics Investigation
We’ll Cover

• How to follow an investigative process
• How to test your hypothesis
• How to assess the forensic data landscape
• How to determine what you have the authority to access
Chapter 3 covered how to create a forensic lab. In this chapter, you will learn how to prepare for a computer forensics investigation. A computer forensic examination differs from most computer security work that you may have been asked to do. In a typical computer security project, you must try to implement some mechanism—whether policy, software, or hardware—to prevent an action from occurring. In a computer forensic examination, some type of action or activity has already occurred; it’s your job to determine the what, when, where, how, and who.
The Investigative Process
If you’ve watched detective shows on television or at the movies, you might have heard a lot of talk about following the investigative process. The idea behind the process is that when you approach an investigation, you are doing so without prejudging the outcome; you’re open to whatever conclusion the evidence will reveal. It’s equally important to stay focused on the questions being asked: If, for example, you are asked to determine whether someone e-mailed company secrets but you instead returned with embarrassing facts about that person’s personal life, you might be the one facing an HR exit interview, instead of the suspect.
LINGO
Most computer forensic publications refer to the person whose activities we are examining as the suspect. This does not mean we believe the person is guilty, but merely that he or she is the focus of our examination. Your suspect may change, or other suspects may be revealed, over the course of your investigation.
What Are You Being Asked to Find Out?
This is the most important question to address when you are asked to perform a computer forensic examination. If, for example, you are asked, “We’ve been told that our suspect has been looking at offensive images during work hours; can you verify this?” then your investigation will likely be focused on the suspect’s Internet activities during work hours. If the suspect is taking his corporate laptop home at night and viewing offensive images from home, that may not be a violation of company policy.
Typically, you require internal authorization to perform an investigation. You will not have authorized yourself to analyze media to determine what has occurred, unless you are testing your own tools or using a honey pot.
LINGO
Honey pots are used in research and intrusion prevention systems. They are usually virtual machines that are configured insecurely to lure an attacker in. The attacker’s actions are recorded outside of the honey pot, and their methods are analyzed.
Where Would the Data Exist?
The next question is one to ask of yourself: Where would I find data that would contain the evidence I need to answer the client’s question? In the case of an employee viewing indecent images, you typically might look in the following locations for evidence:

• Any outbound proxy or web-filtering software log
• The computer from which the inappropriate access originated
• Firewalls configured to log outgoing web access
Other books cover how to read, query, and analyze firewall and proxy logs. Although other sources of evidence exist, and you should look at those sources, in a computer forensics investigation we will focus on the computer from which the access originated. We’ll ask the following questions in each of our case examples:

• What applications might have been used in creating the data?
• Should you request to go beyond the scope of the investigation?
What Applications Might Have Been Used in Creating the Data?
Computer forensic evidence is generated either by the operating system or via an application that the suspect is using in his activity. The operating system can be easily identified, but knowing what application to focus your analysis on requires some thought. In this example, you are interested in the suspect’s web site access, so you need to consider applications that the suspect could have used to access a web site—of which there are many, such as the following:

• Internet Explorer
• Firefox
• Opera
• Chrome
• Safari

Not only must you identify the types of application that might have been used, but you must inspect each application to determine which one the suspect has been using. Once you’ve identified the application, you must determine whether the forensic suite you’ve chosen supports it, either automatically or as a data type you can define for it to extract; this process is called carving. If your suite does not support this application, you’ll need to extract the suspect’s activity using other methods (as discussed in Chapter 11).
LINGO
Carving, or data carving, is a term often used by examiners and computer forensic tools. Carving is the process of searching for blocks of data that match a pattern, either in the free space or in the unused allocated spaces of the disk, such as the slack space (explained later in this chapter). These patterns are normally called file signatures. A good example of this is an HTML document, which begins with an <html> tag and ends with an </html> tag. If we find a block of data in the free space or the slack space that contains this pattern, then all the data that falls between the two tags may be a deleted HTML document we can recover. That’s data carving in its most simple form; it can quickly get more complicated as the file signatures do.
Should You Request to Go Beyond the Scope of the Investigation?
This question comes up a lot, mainly from internal corporate investigators, who in the scope of their investigations run across activity other than the one they were requested to find. The following considerations should provide you guidance here.
Child Pornography: Stop the Investigation
You can’t read a computer forensic book or attend a computer forensic conference without the issue of child pornography coming up. (This will be the only time this issue is discussed.)
If you find what you believe to be child pornography on a forensic image, stop your investigation immediately!
Do not do anything further with the case. This is now a criminal case, and you are not allowed to investigate, possess, copy, or distribute the evidence, or you could face criminal charges yourself. You have a federally mandated obligation to report any discovered child pornography to the National Center for Missing and Exploited Children (NCMEC) at www.missingkids.com, and you should inform those who asked you to perform your examination of its existence.
Note
The law changed in 2008 with the introduction of the McCain SAFE Act (primarily aimed at ISP providers) from mandatory disclosure for all under federal law to the following:
Duty To Report. (1) In general. Whoever, while engaged in providing an electronic communication service or a remote computing service to the public through a facility or means of interstate or foreign commerce, obtains actual knowledge of any facts or circumstances described in paragraph (2) shall, as soon as reasonably possible, make a report of such facts or circumstances to the CyberTipline of the National Center for Missing and Exploited Children, or any successor to the CyberTipline operated by such center.
It will be up to the legal department to decide whether you are covered by this provision. Nevertheless, you should establish and follow written procedures incorporating reporting requirements under SAFE.
Ask the Person Requesting the Examination
Many examiners feel empowered to make decisions about what is and what is not relevant to an examination. Many times, however, they can be wrong. I recommend returning to the individuals who asked you to do this work in the first place, and ask them the following: If I find an indication of something other than the original action as requested, would you like me to go forward in examining that issue? Depending on your corporate environment, launching a new line of inquiry into your investigation without prior approval could get you in as much trouble as your suspect is in.
Testing Your Hypothesis
After you’ve identified the application your suspect used and you’ve found what you believe to be evidence, you need to prove that the suspect was looking at something horrible at work. You must ensure that what you believe to be true is, in fact, true!
If this is the first time you’ve found a particular piece of evidence—if, for instance, you’ve never recovered deleted Internet history records from Internet Explorer before—you should make sure that what you are seeing is correct. You do this by defining and testing your hypothesis—very scientific, don’t you think?
Your Plan
In this section, I’m basically re-creating the scientific method for your forensic investigations. A more direct example plan would be the following:

1. Characterization: Observations of the subject of your inquiry—in this case, the digital artifacts of the investigation: “I examined entries in the suspect’s index.dat file and have determined that entries there indicate that the suspect accessed inappropriate and/or offensive images using Internet Explorer.”
2. Hypotheses: Theoretical and hypothetical explanations of what has been observed: “I believe these images were not random pop-ups, because they were found in the Typed URLs section of the index.dat file.”
3. Predictions: Reasoning and deductions from the hypothesis or theory: “If I take a test machine and type a URL into the address bar, the history entries from the test machine’s index.dat file for that location should be marked as being in the Typed URLs section. I will also open an HTML file that contains a link to a URL located at a different web site with Internet Explorer and click on that link to make sure that entry does not appear in the Typed URLs section of the index.dat file.”
4. Experiments: Tests of the characterizations, hypotheses, and predictions to validate them: “The URL typed into the address bar of Internet Explorer did indeed show up in the test machine’s index.dat file, while the URL accessed while clicking the link in the HTML file did show up in the log file, but not in the Typed URLs section.”
Step 1. Define Your Hypothesis
In this example case, the hypotheses could be as simple as this:
I believe that the entry in index.dat for the offensive images I’ve located is not the result of a pop-up ad or other passive browsing, but of purposeful accesses to the site that hosted it.
 
Note that you don’t actually have to write down your hypothesis, but it’s important to frame it in your mind, because this will help you in determining how to test it.
Step 2. Determine a Repeatable Test
In this example case, you would create a clean virtual machine on which to perform your testing and then visit two kinds of web sites. The first would be testing direct access to a web site that allowed you to click and view multiple images. The second would be testing sites that have pop-under or pop-up ads to find out how their entries are recorded in the Internet history files. Once you’ve found web sites that satisfy both criteria, another investigator can run the same test to solidify your conclusions. If you are not required to use corporate funds to purchase access to a pornographic web site, you might be able to test this against the site the suspect actually visited himself.
Step 3. Create Your Test Environment
It’s important not only to have a new virtual machine to test with, but to make sure the versions of the operating system and the application are the same as the versions used on the suspect’s machine. You don’t want a difference between Firefox 2.0 and Firefox 3.6.8 to throw off your testing. This may seem like overkill for a case involving viewing inappropriate images at work, but if this is your first real case, it’s not too much to ask. This is a generic framework you can apply as you move into more advanced cases, where you may be breaking new ground in a computer forensic research area that has never before been publicly documented.
Step 4. Document Your Testing
It’s important that you document your testing environment, what you tested against, and your results. If you went through all the trouble of proving your findings, you should take the extra step to document these details in case someone else wants to re-create your work. The last thing you want is someone to challenge your results because of a simple miscommunication regarding what steps you took.
Budget Note
Rely on tests others have run. For most forensic imaging tools, and many other tools now in progress, NIST (National Institute of Standards and Technology) has produced a series of reports stating the results of their tests. You can find these reliable tests and their results at the Computer Forensics Tool Testing (CFTT) Project web site: www.cftt.nist.gov.
Note
It’s important that you compare the version of the tool that NIST has tested against the version you are running. Changes do occur between versions, and they can affect your results. When in doubt, test.
The Forensic Data Landscape
When thinking about what will be examined in a computer forensic investigation, many people think about hard drives and stop there—but anything that stores electronic data may come under examination. For your first investigations, you will most likely see five sources of data:

• Active data
• Unallocated space
• Slack space
• Mobile devices
• External storage
Active Data
Active data refers to data that the user can see when he or she accesses a system. Any nondeleted files or data that are currently active on the disk count here. Every operating system/file system includes active data, and all the parts that make it up (logs, registries, files, e-mail archives, file system objects such as $MFT, and so on) are files within it. Almost any search tool can help you find data in the active part of the disk, but forensic tools are purpose-built to break down the data into its subset chunks, allowing you to treat your search terms uniformly across all data. This process filters the different data types and compound files into plain text, so that when you are looking for data, you don’t have to think of 100 ways to type in your search term.
Tip
Not all forensic tools support the ability to filter and normalize data for searching. Make sure that you understand your tool’s capabilities before relying on its results.
Unallocated Space
Unallocated space is just that—the part of the disk that is currently not allocated to any active data. Many people think the unallocated space is a continuous section of the disk, as if data is written linearly to the disk. Instead, however, the unallocated space is a conglomeration of unused space located in various sections of the disk, which most forensic suites will show you either as one large blob of data or segmented into fixed-size, numbered chunks. This means that depending on how the file system driver decided to write out and reduce fragmentation on the disk, and how much space had been used prior to that, you can potentially recover documents that date back to the first use of the drive.
To find, extract, and analyze data from the unallocated space, you first have to locate it within the unstructured blob of data. There are two common ways to do this: by finding file signatures or by using keywords. Neither of these methods is limited to finding data in the unallocated space. Either may also find data within other large blobs of data, such as the pagefile, swap space, or slack space.
File Signatures by Data Carving Tools
All the forensic tools covered in this book include a utility you can use to examine the unallocated space to extract data that matches a known file signature. A simple example of this is an XML document. An XML document begins with an <?xml declaration and ends with the closing tag of its root element (</tag>). A carving program can search through the unallocated space for any piece of data that begins and ends with known patterns, such as these tags, and then extract the data for your review. This simplistic example can be expanded for documents, pictures, e-mail archives, system artifacts, logs, and anything else for which analysts find a reliable file signature.
Keywords
There may be times when data you are looking for is partially overwritten by other data. In such cases, a data carve will fail, because it requires that the end of the known file signature exist within so many KB or MB of the beginning. In those situations, you can take some known piece of information, such as an e-mail address, and review search hits within the unallocated space to manually carve out these partial files to the disk. This is a manual and time-intensive process, however.
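As an added example (not from the book), here is a small Python carver for the HTML header/footer signature described above. Like real carving tools it only accepts a footer within a bounded window after the header, so a fragment whose tail was overwritten comes back flagged as partial, and a keyword search over the same blob is the manual fallback for that case. The unallocated-space sample and every address in it are constructed.

```python
import re

# Header/footer signature for an HTML document, as in the chapter's example.
HTML_HEADER = re.compile(rb"<html\b", re.IGNORECASE)
HTML_FOOTER = re.compile(rb"</html\s*>", re.IGNORECASE)


def carve_html(blob: bytes, max_len: int = 64 * 1024):
    """Carve HTML documents out of an unstructured blob (e.g. unallocated space).

    Returns a list of (offset, data, complete) tuples:
      offset   -- byte offset of the header inside the blob
      data     -- header through footer, or header through the window limit
                  when no footer was found
      complete -- True only if a footer was found within max_len bytes;
                  False marks a fragment whose tail was probably overwritten
    """
    hits = []
    pos = 0
    while True:
        head = HTML_HEADER.search(blob, pos)
        if head is None:
            break
        start = head.start()
        window_end = min(len(blob), start + max_len)
        foot = HTML_FOOTER.search(blob, head.end(), window_end)
        if foot is not None:
            hits.append((start, blob[start:foot.end()], True))
            pos = foot.end()          # resume scanning after this document
        else:
            # Footer missing or overwritten: keep the fragment but flag it,
            # and resume right after the header so a later header is not lost.
            hits.append((start, blob[start:window_end], False))
            pos = head.end()
    return hits


def keyword_hits(blob: bytes, keyword: bytes, context: int = 16):
    """Manual fallback: every offset of a keyword plus a little surrounding data."""
    return [(m.start(), blob[max(0, m.start() - context):m.end() + context])
            for m in re.finditer(re.escape(keyword), blob)]


# Constructed sample standing in for a slice of unallocated space: zeroed
# bytes, one intact deleted page, and a second page whose footer has been
# overwritten by a later write.
SAMPLE_UNALLOCATED = (
    b"\x00" * 40
    + b"<html><body><a href='http://example.test/gallery'>pics</a></body></html>"
    + b"\xff" * 30
    + b"<html><head><title>report</title></head><body>mailto:alice@example.test"
    + b"\x00" * 20
    + b"JFIF leftover bytes"
)

if __name__ == "__main__":
    for offset, data, complete in carve_html(SAMPLE_UNALLOCATED):
        state = "complete" if complete else "PARTIAL (footer not found)"
        print(f"offset {offset}: {len(data)} bytes, {state}")
    for offset, ctx in keyword_hits(SAMPLE_UNALLOCATED, b"alice@example.test"):
        print(f"keyword at offset {offset}: {ctx!r}")
```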
Slack Space
The slack space is a byproduct of how data is organized on a disk. No matter what the size of a file, the disk is structured into fixed-size blocks that store the data. Any unused space within the block will still contain whatever existed there before. This is true for very small files as well as large files whose total size leaves the last block unfilled.
By definition, data that you recover from the slack space is almost always partially overwritten. There are times when parts of the data within the slack space may still match a file signature, such as a JSON (JavaScript Object Notation) object left over from web browsing, but keywords are usually the best way to find relevant data within it.
There are several types of slack space: volume slack, partition slack, and basically anything that does not fill up the entirety of the space allocated to it may contain slack. “Slack” is a term of art that refers to the loose, unfilled part of some preallocated space. To have slack, the storage must not be able to control the block sizes it is requesting. As long as the block size is fixed, there is potential for slack.
LINGO
JSON, or JavaScript Object Notation, is a mix of XML and JavaScript and is used to transfer data between a web browser and a web server without having to reload a web page. These are the objects that Ajax uses in the websites we’ve come to know as Web 2.0. We talk more about this in later chapters.
Figure 4-1 shows a single sector that has been allocated for a new file. Why a whole 512 bytes? Because that is the smallest sector that a file can be assigned. Whatever remains from the previous file write in the same sector will exist as long as the new file does not fill up the entire sector. Most files are larger than 512 bytes, but unless they are divisible by 512, their last sector will contain data from the previous file that occupied the space—that is, the slack space. The same concept applies to volume slack or partition slack. A file system or partition might contain data from a past file system in unused parts of the allocated structure. Files recovered from the slack space are almost, by definition, partial data fragments, because they occupy the end of a sector.
Figure 4-1   Understanding slack space
Tip
If you are still having trouble visualizing a slack space, Figure 4-1 shows a nontechnical example. Let’s say you have an old cassette tape—good for this example because it’s one long continuous piece of recording medium, so you can think of it as a sector. You previously recorded Elvis on the cassette tape, but now realize that the Beatles are more your thing. However, the Beatles recording was not equal in length to the Elvis recording, so there is still some Elvis left at the end of the tape. That remaining Elvis recording is the data we can recover from the slack space.
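An added example (not from the book) that models in Python what Figure 4-1 and the cassette analogy describe: a byte array stands in for a disk, writes land on 512-byte sector boundaries without clearing the tail of the last sector, and the functions compute each file’s slack range, what it still holds, and keyword hits confined to slack. The file names and contents are constructed.

```python
import math

SECTOR_SIZE = 512  # the smallest unit a file can be assigned, as in Figure 4-1


class SectorDisk:
    """A tiny sector-addressed disk: writes start on sector boundaries and the
    unused tail of a file's last sector is never cleared."""

    def __init__(self, sector_count: int):
        self.buf = bytearray(sector_count * SECTOR_SIZE)
        self.files = {}  # name -> (first_sector, length_in_bytes)

    def write(self, name: str, first_sector: int, data: bytes) -> None:
        """Write exactly len(data) bytes; whatever follows the data inside the
        last sector is left as it was, which is what creates slack."""
        start = first_sector * SECTOR_SIZE
        self.buf[start:start + len(data)] = data
        self.files[name] = (first_sector, len(data))

    def delete(self, name: str) -> None:
        """Drop the directory entry only; the sectors keep their contents."""
        del self.files[name]

    def slack_range(self, name: str):
        """[start, end) byte range of the file's slack: from the end of its
        data to the end of its last sector (empty when the size is an exact
        multiple of the sector size)."""
        first, length = self.files[name]
        sectors_used = max(1, math.ceil(length / SECTOR_SIZE))
        data_end = first * SECTOR_SIZE + length
        sector_end = (first + sectors_used) * SECTOR_SIZE
        return data_end, sector_end

    def slack(self, name: str) -> bytes:
        a, b = self.slack_range(name)
        return bytes(self.buf[a:b])

    def search_slack(self, keyword: bytes):
        """Keyword hits restricted to slack regions, as (file name, offset).
        Keyword search, not signature carving, is the usual way into slack."""
        found = []
        for name in self.files:
            a, b = self.slack_range(name)
            idx = self.buf.find(keyword, a, b)
            while idx != -1:
                found.append((name, idx))
                idx = self.buf.find(keyword, idx + 1, b)
        return found


def cassette_demo():
    """The chapter's tape analogy on sectors: a 900-byte Elvis recording is
    written first, deleted, and replaced by a shorter 600-byte Beatles file.
    Returns the disk and the bytes left over in the Beatles file's slack."""
    disk = SectorDisk(4)
    elvis = b"E" * 700 + b"Heartbreak Hotel" + b"E" * 184   # constructed, 900 bytes
    disk.write("elvis.wav", 0, elvis)
    disk.delete("elvis.wav")
    beatles = b"B" * 600                                   # constructed, 600 bytes
    disk.write("beatles.wav", 0, beatles)
    return disk, disk.slack("beatles.wav")


if __name__ == "__main__":
    disk, leftover = cassette_demo()
    print("slack range of beatles.wav:", disk.slack_range("beatles.wav"))
    print("old recording bytes still in slack:", leftover.count(b"E"))
    print("keyword hits in slack:", disk.search_slack(b"Heartbreak"))
```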
Mobile Devices
Cell phones, PDAs, tablets, i-Anything—all of these mobile devices that your suspect has written data to may become part of your investigation. EnCase and FTK both include modules that are able to acquire the contents of mobile devices, but more specialized suites are usually able to acquire a wider range of data.
Let’s talk about what you can recover from mobile devices.
Standard Cell Phones
Even standard cell phones have internal storage for text messages and picture storage that can be recovered from the phone directly or the SIM card. What is recoverable from the cell phone will depend on the model, but the SIM card can be forensically imaged with any SIM card reader.
PDAs and Media Players
iPods, MP3 players, old PDAs—all of these devices have flash storage that has recoverable deleted data. What is recoverable will depend on the device and the operating system.
Smart Phones
iPhones, Androids, Symbian devices, Windows Phones, Windows Mobiles—all of these smart phones have flash storage and recoverable deleted data. All of them can be forensically imaged, depending on the OS version and your tool. You can recover not just text messages and images, but e-mails, documents, and Internet activity. The ability to recover not just what’s on the device now but also what has been deleted from it depends on the software that you are using to acquire it. Check the vendor’s product specification to know whether or not the tool you are using supports the type of data you are trying to get.
IMHO
I use Paraben’s Device Seizure for its large support of phones, but I also use Oxygen Forensic Suite and Elcomsoft’s iOS Toolkit along with other such specialized tools to get specialized data, such as a full forensic image of the flash RAM in an Android phone, that Paraben doesn’t support. Know what your tools support before you promise anything.
In Actual Practice
Keep in mind that there may be issues with getting into a password-protected phone. Blackberries, for example, will wipe themselves if the wrong password is entered too many times. If you are trying to work with a phone that is password-protected, contact the requesting party for direction. In some cases, if the subject of the investigation is asked for the password, he or she will provide it. In other cases, if it is a corporate-issued device that syncs to a corporate server, the administrator may be able to reset the password for you.
Tablets
A number of tablets, such as the iPad, are on the market today, and even more are coming in the future. Running either a mobile or desktop operating system, they contain much the same information as a smart phone. They are also able to be forensically imaged with the same kinds of data you can recover from smart phones, with the exception of text messages or call records, as typically tablets do not have this functionality.
External Storage
External hard drives, DVDs, CDs, and thumb drives are examples of external storage. External storage can come in many forms, but all represent themselves to the operating system as a disk drive—meaning you can forensically image them with your existing tools.
What Do You Have the Authority to Access?
Now that you understand the universe of data you can expect to run into during your first investigations, the question becomes, which of those sources do you have the legal right and authority to access? This book is not written for law enforcement, so you will not have a search warrant granting you the right to seize anything the suspect might have. We assume that you are either an employee of a company or are being retained by a company to investigate an employee. To determine whether you have the authority to access data, you should answer the following questions.
Who Hosts the Data?
If you are dealing with data stored on a server or an e-mail account, have you determined who hosts it? If the company you are working for does not directly host the data you are looking to access, does the company pay for and have the right to access the data of its employees on it? If the answer to both of these questions is no, you generally do not have the authority to access the data. If you answered yes to one or both of the questions, you are generally in the clear to access it.
In Actual Practice
Authority gets even more complicated with the new cloud hosting systems that are becoming more profitable. In a cloud-hosted environment, you typically do not have full administrative access to the underlying operating system that contains the logs and deleted files you might need in your investigation. In these cases, you have to work with the cloud-hosting provider to get the information they are willing to provide to you, possibly for a charge, and most definitely with some kind of restrictions on its use.
Who Owns the Device?
Is this a company-owned device or is it owned by the suspect? In general, if the company owns the device, you, as its agent, have the right to access its contents when instructed to do so. If the device is owned by the suspect, you may not have the legal right to access it, depending on your country’s laws and your legal and/or HR department’s policies.
Tip
When in doubt, ask for authorization to access a device in writing, which in these modern days includes e-mail.
In Actual Practice
This will become a more common problem as the bring-your-own-device (BYOD) policies are implemented in corporate-land. BYOD might seem like a great cost-savings measure, but it becomes a nightmare when it comes to investigations, e-discovery, and data breach issues. Remember, though, that corporations can try to get the subject’s consent in writing. It is amazing how often people will allow access when asked for it.
Expectation of Privacy
Before you begin looking into the private life of your suspect on a company-owned, -hosted, or -provided device or service, you need to check with your HR and/or legal department to make sure their policies and your country’s laws state that there is no expectation of privacy. If they have not formally stated this to the company’s employees, then evidence recovered in your investigation may be ruled inadmissible.
Privileged Communications
Part of the expectation of privacy is privileged communications, which include e-mails sent between an attorney and a client. There is case law holding that e-mails between an employee and his or her counsel remain privileged, and therefore inadmissible, even when they were exchanged on a company-owned resource.
Personal Communications
Personal communications in the United States are generally not protected unless there is a reasonable expectation of privacy. This differs in the European Union, where data privacy laws require that a suspect provide written consent to having a forensic image made of any system on which he or she may have stored private data.
We’ve Covered
In this chapter, we’ve prepared you for your first investigation. Much more is going on in your forensic investigation than just the technical aspects of analysis. You’ll be expected to be the expert in your work, and all of the tangential legal and policy issues will become part of your vernacular as you move forward. When in doubt, ask for written approval or authorization until you feel comfortable. In the next chapter, we’ll talk about how to choose the forensic procedures and techniques you will employ in your investigations.
How to follow an investigative process

• What are you being asked to find out?
• Where would that data exist?
• What applications might have been used in creating the data?
• Should you go beyond the scope of the investigation?

How to test your hypothesis

• Define your hypothesis.
• Determine a repeatable test.
• Create your test environment.
• Document your testing.

How to assess the forensic data landscape

• Work with active data.
• Evaluate unallocated space.
• Search slack space.
• Assess mobile devices.
• Work with external storage.

How to determine what you have the authority to access

• Who hosts the data?
• Who owns the device?
• What types of privacy are expected?