CHAPTER 1
What Is Computer Forensics?
We’ll Cover
 
•   What you can do with computer forensics
•   How to get involved with computer forensics
•   The difference between incident response and traditional computer forensics
•   How computer forensic tools work
•   Professional licensing requirements
 
When I meet people in social situations, the usual first question after names are exchanged is, “What do you do?” When I answer, “computer forensics,” I typically get a very puzzled look. Most folks assume I do something involving fingerprints or blood, which I guess is an easier concept to grasp than computer security, which can also lead some people to think that I physically guard computers. So to help you in similar awkward situations, this is my reliable answer: I tell people that I find the bad things that people did using their computers.
When I’m asked the question in a more official capacity, such as while testifying in court, my answer is this:
Computer forensics is the practice of determining the past actions that have taken place on a computer system using computer forensic techniques and understanding artifacts.
LINGO
An artifact is a reproducible file, setting, or system change that occurs every time an application or the operating system performs a specific action. For instance, you can detect the first time a user logs into a Windows system by inspecting the creation time of the user’s home directory. The creation time does not change no matter how many times the user logs into the system, and the action can be repeated on multiple systems to verify its reliability.
What You Can Do with Computer Forensics
Any professional looking to specialize in a new field such as computer forensics may be wondering, Why is this something I would want to learn? Computer forensic techniques can tell us many things about what has occurred on electronic storage media.
Following are some examples of how forensics can help:
 
•   Recover deleted files.
•   Find out what external devices have been attached.
•   Determine what programs have been run.
•   Recover what web pages users have viewed.
•   Recover the webmail that users have read.
•   Determine what file servers users have used.
•   Discover the hidden history of documents.
•   Recover deleted private chat conversations between users.
•   Determine what users have been accessing from external devices.
•   Recover call records and Short Message Service (SMS) messages from mobile devices.
•   Recover what a user did within a virtual host.
•   Find out who is reading another user’s e-mail.
•   Find out if malware is installed and determine what has been captured.
•   Find out who is not working and instead embezzling millions!
 
Computer forensics is a science, and the techniques that you learn and, in the future, possibly discover must be documented, tested, and verified if you expect them to hold up to scrutiny. This book will illustrate how to learn, test, and execute these techniques and will point you to resources where you’ll find more information and advanced techniques as your confidence and capabilities grow as a forensic examiner.
How People Get Involved in Computer Forensics
Most people enter the computer forensics industry via four tracks: law enforcement, military, university programs, and IT and/or computer security. Each of these professionals imparts certain strengths as forensic examiners, and one track is no better than another. If you are looking to see where you can get started as a forensic examiner or to understand where other examiners came from, I’ve compiled my experiences in the following sections.
The following illustration may help you more clearly understand the overlap of the various disciplines with regard to computer forensics. All four areas touch computer forensics, but that does not mean forensics makes up the individual’s entire job. This book will help you make the transition into that middle circle.
[Figure: the overlap of law enforcement, military, university programs, and IT/computer security with computer forensics at the center]
Law Enforcement
This track includes former and current local, state, and federal law enforcement officers/agents who received forensics training as part of their duties. The large majority of law enforcement’s current computer forensics case load deals with child pornography, an unfortunate statistic. That is not to say that law enforcement has no other exposure to computer forensic cases. Computers are a daily part of almost everyone’s life, from desktops and laptops to cell phones, and criminals commit some crimes, or at least research them, on these devices. This means that law enforcement officials have to review everything they seize for computer forensic evidence, in cases from fraud to murder. Because of this, law enforcement officials have good exposure to standard computer forensic techniques for examining systems. They also have good exposure to testimony and solid, documented chain-of-custody practices due to the nature of their work.
Military
Former military who were trained for either analysis or first responder duties in gathering evidence from hostile sources in the battlefield make excellent forensic examiners. Military forensic examiners are divided into two camps. The first camp includes those who are testing, identifying, and gathering evidence in the field. These professionals receive good training on how to image and identify multiple sources of electronic evidence. The other camp analyzes this evidence for rapid intelligence gathering and responding to incidents of security breaches, which exposes them to forensic techniques in server and desktop systems. Most military forensic examiners do not gain testifying experience, however.
In Actual Practice
The exception to the military track is the military investigation units, such as the Army Criminal Investigation Command (CID), which investigate crimes that occur within the military community. These investigators get as much exposure to standard forensic techniques as law enforcement personnel do and are frequently asked to testify in military trials.
University Programs
This is a relatively new track for entrance into the computer forensics industry. Universities around the world are now offering bachelor’s and master’s degrees in computer forensics. University programs often focus on incident response techniques, because this is a well-funded research area and there are multiple free sources of test images to practice on. Some universities also have traditional forensic classes that focus on law enforcement forensic techniques in finding illicit images. University programs do not, however, provide exposure to testimony experience, but they are a great way to get the qualifications you need to enter the field in an entry-level position without any prior work experience. Community colleges are also getting into the mix, partnering with four-year universities to offer complete associate’s to bachelor’s degree programs in computer forensics. This is great news, because it opens the door for a lot of working professionals who find community college schedules more flexible and tuition more affordable.
IT or Computer Security Professionals
This is how I got started doing forensics. During the normal course of your work as an IT or computer security professional, people come to you asking for help determining how someone broke into a system. Many people in this track start by doing strictly incident response and move into more mainstream computer forensics as they learn more about it. As an IT professional, you are already exposed to system setup, configuration, and maintenance, and this forms a solid base from which your forensic knowledge can grow. You can learn about computer forensic techniques from taking training courses and self study. It may take many years before your work either as an in-house examiner or an external consultant is trusted enough that a lawyer will feel comfortable using you to testify.
IMHO
I got into computer forensics while working in information security in 1999. I had a client who needed someone to determine what a rogue executive was doing with keyloggers on the company’s network. After writing a report the size of a small book on his nefarious activities, I was hooked, and I spent four more years working in the field before a lawyer felt comfortable enough with me to testify.
In Actual Practice
However you arrive at computer forensics does not determine whether or not you will be a good examiner. That distinction is up to you. The most important trait of a good examiner is never relying on facts that can’t be tested or verified. If you can’t explain how something came to exist and can’t illustrate any examples of why the lack of something existing is proof of something in itself (as often used in cases of wiping), then there is a good likelihood that you shouldn’t be relying on it. When you get involved with nontechnical parties in your examination process, they may press you to agree to certain facts or conclusions that are not supported by the evidence. In those circumstances, you must remember that it is your reputation and credibility that are on the line and not theirs; stick to the evidence and you won’t have to worry.
To prepare yourself for testifying, you can take classes, read books, study prior testimony, and watch other experts give testimony (if their testimony is not covered under some kind of protective order). However, none of the preparation you do will get you on the stand. Becoming a testifying witness is a choice made by the attorney representing your client, company, customer, agency, or other entity. Until an attorney feels confident that your testimony will not fall apart on the stand, he or she will not allow you to testify.
When talking to friends, I refer to this as the “catch-22 of the testifying witness”: attorneys want you to testify, but they want you to have already testified for someone else first.
Incident Response vs. Computer Forensics
Many people from outside the industry have trouble distinguishing incident response (IR) from computer forensics. They are, in fact, two very different fields of work. The most common computer forensic techniques focus on post-mortem analysis; this means that we are examining a forensic image of a computer system after something bad has occurred. Incident response is usually focused on the examination of a live, running system.
Incident response is a different topic altogether from computer forensics and is covered at length in other books. However, there is nothing wrong with bringing standard computer forensic procedures and preservation methods into an IR scenario if you have time to do the work involved. It will always be up to the responder to decide what time and necessity will allow for, since most IR cases will never reach litigation.
The line between forensics and IR can often be crossed by either side, with IR people utilizing standard forensic techniques during a live analysis, or forensic examiners utilizing incident response techniques to capture the contents of RAM of a live system or to make a forensic image of a running system. More often than not, though, that line separates the two disciplines and the focus of their analysis techniques and tools.
LINGO
When laypeople refer to “images,” they’re talking about pictures of things, such as vacation scenes or friends. When IT people refer to “images,” they are talking about system images captured from programs such as Norton Ghost, VMware, or Windows Virtual PC. When a forensic examiner refers to an “image,” he or she is talking about a forensic image—a complete bit-for-bit copy of a piece of electronic media. The major difference between the IT and forensic definitions is that a bit-for-bit copy includes all of the unallocated or free space of the electronic media, while a standard Norton Ghost image captures only the allocated space by default. Many tools can capture a forensic image—Norton Ghost can, for example, do so—but tools made particularly for image capture also produce digital fingerprints in varying hash standards (MD5, SHA-1, etc.) that allow an examiner to show that the contents of a forensic image have not been changed.
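An added example, not from the book, of what the digital-fingerprint step looks like in practice: a small Python script hashes a constructed sample image with MD5 and SHA-1 in a single chunked pass, verifies it against the recorded hashes, and then shows that altering one byte in the unallocated region is enough to break verification, which is why the fingerprint must cover the whole bit-for-bit image and not just allocated files. The sample image layout and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample "disk image": the first 64 bytes stand in for allocated
# space (a live file), the next 64 for unallocated space still holding the
# remnant of a deleted file. Not a real file system; for illustration only.
ALLOCATED = b"LIVE FILE: quarterly report v3".ljust(64, b"\x00")
UNALLOCATED = b"DELETED REMNANT: quarterly report v2 (do not send)".ljust(64, b"\x00")


def make_temp_image(data=None):
    """Write data (default: the constructed sample) to a temp file; return its path."""
    if data is None:
        data = ALLOCATED + UNALLOCATED
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def hash_image(path, chunk_size=1024 * 1024):
    """Compute MD5 and SHA-1 over the whole image in one chunked pass.

    Chunking keeps memory flat for images of hundreds of gigabytes; computing
    both digests at once avoids reading the media twice.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, recorded):
    """True only if every digest recorded at acquisition matches the image now."""
    current = hash_image(path)
    return all(current.get(name) == value for name, value in recorded.items())


def flip_unallocated_byte(path, offset_in_unallocated=0):
    """Flip one bit of a byte inside the sample's unallocated region."""
    with open(path, "r+b") as f:
        f.seek(len(ALLOCATED) + offset_in_unallocated)
        original = f.read(1)
        f.seek(-1, os.SEEK_CUR)
        f.write(bytes([original[0] ^ 0x01]))


if __name__ == "__main__":
    path = make_temp_image()
    recorded = hash_image(path)          # what the acquisition tool would record
    print("acquisition:", recorded)
    print("verifies before any change:", verify_image(path, recorded))
    flip_unallocated_byte(path)          # touch only "free" space
    print("verifies after one unallocated byte changed:", verify_image(path, recorded))
```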
IMHO
Another major difference between incident response and computer forensics, in my experience, is how the project ends. In an IR case, if you are dealing with an outside attacker breaching the security of your system, the attacker is quite often a) outside of your country’s legal jurisdiction, b) lacking in assets that could be used to pay back the cost of the breach, or c) not worth the time for law enforcement to pursue. These factors lead to most IR projects ending with the identification of the breach, the impact to any data stored within the system, and either the system being secured or reinstalled, with the possibility that those individuals affected will be notified if their information was breached.
This is in contrast to a civil computer forensic investigation, which is usually started in the pursuit of termination of an employee and/or litigation against an employee or third parties. One examiner can and will often perform both the roles of a forensic examiner and an incident responder, but while working in the current role, it’s important that the examiner understand the results he or she is being asked to provide.
I am generalizing this example with regard to IT professionals and civil litigation, but you could make similar comparisons to IR versus criminal or military intelligence–focused computer forensics as well. Under my definition of computer forensics, it’s the end goal of the project or case that you are undertaking that defines its place.
How Computer Forensic Tools Work
The standard computer forensic tool suites work by parsing the entire forensic image that you created. This means that the tool has its own file system parser that rebuilds both active and deleted files. Using forensic tools, you can recover deleted files, identify artifacts, view all files even if they are being hidden by some kind of rootkit, and perform analysis to determine what occurred on a system.
Types of Computer Forensic Tools
Computer forensic tools come in two major categories: forensic suites that attempt to provide an overall forensic workbench for an examiner to begin an investigation and specialized tools that are designed to pull out artifacts related to a single application. Each type of tool is available from commercial sources (fee-based) or open source (free software available to the general public with full source code included).
Suites
Multiple tool suites are available with varying capabilities, costs, and difficulty. You’ll find commercial tools as well as open source tools that are available for free. You’ll learn how to select the best one for your lab in Chapter 3.
Commercial Tools   The majority of commercial tools are written for Windows, because the majority of examiners and examinations deal with Windows systems. The one exception is SMART Forensics, which is a Linux-based tool suite.
IMHO
I find commercial tools to be friendlier than open source, because they come with manuals that explain their usage and the meaning of artifacts, and they offer support forums where you can ask questions. Open source tools tend to be more terse in their documentation for usage but are accompanied by large amounts of research with regard to the type of data they recover or parse. This is typically because the tool is released in conjunction with some type of research and was written as a proof of concept. The Linux kernel is an example of an extremely popular open source project.
Open Source Tools   Tools such as The Sleuth Kit, SANS SIFT, and Volatility are all open source tools. Most were written for Linux but now run on other platforms as well. They initially had an incident response focus, although many, such as SIFT, are expanding into full computer forensic suites comparable to commercial packages.
LINGO
Steganography is the science of hiding data in plain sight, the most popular method being hiding data within pictures. It’s not limited to pictures though; researchers have found ways to hide data in everything from music to the deleted space on a disk.
Specialized Tools
Specialized tools generally start off as one-offs in your collection and grow into a library of tools that you learn to use to deal with artifacts and programs not directly supported by your forensic suite. These include specialized file carvers, web history parsers for newer or nonstandard browsers, and decryption or steganography tools.
LINGO
File carving commonly refers to techniques involving recovering full or partial remnants of files from the unallocated space of the disk or within large files. It’s called carving because you remove pieces of data from a large set and put the data aside, much like you would carve a turkey, taking the meat but leaving the bones.
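An added Python example, not from the book or from any carving tool, of the header/footer carving idea described above: it scans a constructed block of unallocated space for PNG and JPEG signatures, bounds each search by a maximum length so a missing footer cannot swallow the rest of the disk, hashes each carved blob so it can later be shown unchanged, and flags remnants whose footer was overwritten as partial. The signature table and sample bytes are constructed for illustration.

```python
import hashlib

# Header/footer signature table in the spirit of a Scalpel configuration
# (constructed here, not Scalpel's own file format). max_len bounds how far
# past a header the footer is sought, so a missing footer cannot swallow the
# rest of the disk.
SIGNATURES = {
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max_len": 4096},
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_len": 4096},
}


def carve(data, signatures=SIGNATURES):
    """Scan raw bytes for each signature; return carved files sorted by offset.

    Each result records type, offset, size, a SHA-1 of the carved bytes (so the
    examiner can later show the carved output is unchanged) and whether a footer
    was found (complete) or the remnant was cut at max_len (partial).
    """
    found = []
    for ftype, sig in signatures.items():
        start = data.find(sig["header"])
        while start != -1:
            window_end = min(len(data), start + sig["max_len"])
            foot = data.find(sig["footer"], start + len(sig["header"]), window_end)
            if foot == -1:
                end, complete = window_end, False   # footer overwritten or beyond window
            else:
                end, complete = foot + len(sig["footer"]), True
            blob = data[start:end]
            found.append({"type": ftype, "offset": start, "size": len(blob),
                          "complete": complete, "sha1": hashlib.sha1(blob).hexdigest()})
            start = data.find(sig["header"], end)
    return sorted(found, key=lambda f: f["offset"])


# Constructed "unallocated space": zero filler, a PNG-shaped blob, filler, a
# JPEG-shaped blob, filler, then a PNG whose footer was overwritten.
FILLER = b"\x00" * 32
FAKE_PNG = SIGNATURES["png"]["header"] + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 17 + SIGNATURES["png"]["footer"]
FAKE_JPG = SIGNATURES["jpg"]["header"] + b"\xe0JFIF\x00" + b"\x02" * 40 + SIGNATURES["jpg"]["footer"]
TRUNCATED_PNG = SIGNATURES["png"]["header"] + b"\x03" * 20
SAMPLE = FILLER + FAKE_PNG + FILLER + FAKE_JPG + FILLER + TRUNCATED_PNG + FILLER

if __name__ == "__main__":
    for f in carve(SAMPLE):
        print(f["type"], "at offset", f["offset"], "size", f["size"],
              "complete" if f["complete"] else "partial", f["sha1"])
```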
Commercial Tools   Popular tools such as NetAnalysis are almost specialized suites, because they support so many different types of web browser history parsing formats. They still fit in this category, however, because they focus on only one type of application.
Open Source Tools   Open source tools such as Scalpel allow specialized and advanced carving beyond what most forensics suites are capable of.
Professional Licensing Requirements
Today, many states in the United States require a private investigator’s license for an external consultant who wants to perform computer forensics work for a client. Law enforcement, military, and internal corporate examiners are normally exempt from these laws. People who are performing only electronic discovery are also sometimes exempted from the licensing requirement. These folks gather evidence to provide to a legal team that reviews it; they do not analyze the information or provide an opinion about it as an expert witness.
It’s important that you research your state’s, province’s, or country’s laws with regard to computer forensic examinations to make sure that you are in compliance. In the United States, you can check the following site to determine whether your state requires some kind of professional license: www.investigation.com/surveymap/surveymap.html. If you do not comply with these laws, penalties can range from disqualification and your client losing their ability to present the evidence you gathered, to fines and your business being shut down until you come into compliance with licensing.
IMHO
I am currently a licensed private investigator in the state of Texas. I am licensed because the state required that I do so in order to operate a business that performs computer investigations for clients. Many people in our profession view the licensing requirements as a barrier to entry into the market; they think that existing private investigators wanted to find a way to keep competition from taking their work and commoditizing the practice. The real pain comes when you work in more than one state, in which case you have to determine whether the state you plan to work in also requires licensing and what you have to do to meet those needs.
I am not opposed to licensing, but I do agree with those who say that we are not private investigators and that the tests and regulations that document the work of private investigators do not include our work—other than that we create evidence and present it in court. If at some point the state of Texas creates a computer forensic licensing board, I would be happy to accept it.
We’ve Covered
You’ve made it through the first chapter—congratulations! We won’t get into how to analyze a forensic image until much later in the book, and there is a reason for that. You need to know a lot before you can even begin to analyze a system, and the majority of this book is here to help you understand those things so you will find success at the end of your first investigation instead of embarrassment. In the next chapter, we’ll cover where and how to get training and continue on from there.
LINGO
Electronic discovery, or e-discovery, is a legal term that distinguishes the collection, processing, and review of electronic documents from that of paper documents. Electronic discovery professionals collect data in the form of forensic images, backup tapes, document collections, archives, and other sources of data that can be reviewed by a legal team if they think it might contain information pertinent to a legal matter. Electronic discovery is a separate field from computer forensics; though at times the two borrow tools from one another, the end result is different. Electronic discovery begins with the collection of evidence and ends with the review of that collection and the production of specific documents from it in a legal matter.
What you can do with computer forensics
 
•   Retrieve hidden data and deleted information.
•   Recover access information.
•   Determine what tools have been used by an attacker.
•   Compile evidence to help build a case.
How to get involved with computer forensics
 
•   Paths include law enforcement, military, university programs, or IT and/or computer security.
•   What makes a good examiner?
•   Prepare for testifying.
The difference between incident response and computer forensics
 
•   Computer forensics focuses on post-mortem analysis.
•   Incident response focuses on a live running system.
How computer forensic tools work
 
•   Computer forensic tools can be divided into two types:
    •   Suites
    •   Specialized tools
Professional licensing requirements
 
•   Some states require licenses.
•   Know and follow requirements and laws or suffer the consequences.