101Incident Response and Digital Forensics
to write zeros over every bit of a drive. This is not an exhaustive list of items,
but it gives you an idea of what types of things need to be considered when
preparing for a digital forensic investigation.
5.4.2 Collection
Part of the evidence collection is to document the scene. This includes
documenting things like the model and make of the devices under investigation
as well as photographing the surroundings. For example, the investigator
may take a photo of the screen to show what was happening when the scene
was entered. In addition, the investigator may check out the task bar and
take a photo of the maximized applications running. If the investigator is
subpoenaed to come to court, one of the things the lawyer may do is attempt
to put some doubt surrounding his or her credibility. The lawyer may ask the
color of the door to the office where the computer resided. If the investigator
says brown and it was dark blue, that will be strike one.
Once the scene is documented, the electronic data need to be dealt with. In
responding to an incident thirty years ago, a forensic investigator would not
have thought twice about the “pull the plug” method, which means shutting
it down, bringing it back to a lab, and duplicating the hard drive. Due to the
increase in complexity in today’s computing, the investigator’s response is not
the same for every incident, so powering it down right away may not be in
the best interest of this investigation. (Note: taking it off the network is a good
idea to avoid further damage.) The reason that the computer should not be
turned off is that the volatile data (e.g., running processes or network
connections) are lost. In addition, there is a risk that a rogue application may
start a malicious attack when a shutdown is detected. Even the duplication step
has changed. Not only have hard drive sizes increased considerably, but also the
server that needs to be analyzed may be on the other side of the world!
I am not saying that the plug is never pulled; rather, the decision is not black
and white anymore. Accordingly, there are a few ways to respond to live data
collection: focusing on the collection of the volatile data, collecting volatile data
AND log files (e.g., IDPS, router, firewall), or conducting a full investigation by
collecting everything (a forensic duplication where every bit of data is copied).
A duplication (or disk image) is necessary if court proceedings are imminent.
The image is stored on an external drive, or you may send it over the network
using a network utility such as netcat or cryptcat. Netcat is a networking
utility that reads and writes data across a network connection. Cryptcat is
Netcat with encryption. Never use the suspect system to do any analysis.
Doing so will overwrite evidence.
For example, if the incident merits collecting the volatile data, the
investigator may run a script from a USB drive on the suspect machine. The script
will run different commands to determine the following: open ports, who
is logged on to the system, dates/times, running processes, applications
running on certain ports, unauthorized user accounts and privileges, etc.
102 What Every Engineer Should Know About Cyber Security
Then, the script output is directed to a file stored on your USB drive. For
example, a script called volatile_collection would be run like this:
E:> volatile_collection > volatile_data_case101.txt
where the output from the volatile_collection script would be stored in the file
volatile_data_case101.txt.
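As an added example (not the book's script and not the output of any named tool), here is one way to write the volatile_collection script described above in Python for a Linux host. The command list, the section labels and the output file name are assumptions chosen for illustration; commands are ordered so that the most volatile data (clock, users, network state) are captured first, and the script returns the SHA-256 of the report so the value can be entered in the evidence log immediately.

```python
"""Collect volatile data from a live host into a labelled report file.

Added example, not from the book. Every command below is an assumption
about what the collector wants; anything missing on the host is noted in
the report rather than aborting the collection.
"""
import datetime
import hashlib
import subprocess
from pathlib import Path

# (section label, argv). Commands are run directly by the collector, not
# through an interactive shell on the suspect machine.
VOLATILE_COMMANDS = [
    ("System date/time", ["date"]),
    ("System identification", ["uname", "-a"]),
    ("Logged-on users", ["who"]),
    ("Listening/open network ports", ["ss", "-tulpn"]),
    ("Running processes", ["ps", "-eo", "pid,ppid,user,lstart,comm"]),
    ("Local user accounts", ["cat", "/etc/passwd"]),
]


def run_command(argv, timeout=30):
    """Run one command and return its text output, or a note explaining why not."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return f"(command not available: {argv[0]})\n"
    except subprocess.TimeoutExpired:
        return f"(command timed out: {' '.join(argv)})\n"
    out = proc.stdout
    if proc.returncode != 0:
        out += f"(exit status {proc.returncode}; stderr: {proc.stderr.strip()})\n"
    return out


def collect_volatile(output_path, commands=VOLATILE_COMMANDS):
    """Write each command's output under a header to output_path.

    Returns (section labels written, SHA-256 hex digest of the report) so the
    digest can be recorded in the evidence log at collection time.
    """
    lines = [f"# Volatile data collection started {datetime.datetime.now().isoformat()}"]
    labels = []
    for label, argv in commands:
        lines.append(f"\n===== {label} ($ {' '.join(argv)}) =====")
        lines.append(run_command(argv).rstrip("\n"))
        labels.append(label)
    lines.append(f"\n# Collection finished {datetime.datetime.now().isoformat()}")
    report = "\n".join(lines) + "\n"
    Path(output_path).write_text(report)
    return labels, hashlib.sha256(report.encode()).hexdigest()


if __name__ == "__main__":
    # Assumed destination: a file on the collector's own (USB) drive, never on the suspect disk.
    written, sha = collect_volatile("volatile_data_case101.txt")
    print(f"{len(written)} sections written; sha256={sha}")
```

Recording the digest at the moment of collection is what lets the report stand as the same file later: a report with no hash on record cannot be shown to be unaltered.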
Network data, routers, firewalls, IDPS logs, and servers may also need to be
analyzed (via network logs) for anything suspicious to determine the scope
of the incident, who was involved, and a timeline of events. And, finally, the
investigator must identify other sources of data that could go beyond a hard
drive, such as a USB drive or mobile phone.
All of this digital evidence collected must be preserved to be suitable
in court. Digital evidence is very fragile, like footprints in snow or on the
sand, because it is easily destroyed or changed. The FBI suggests having a
secure location for storage (locked up), having sufficient backup copies (two
suggested), having proof that the data have not been altered (hash algorithm),
and establishing a chain of custody, which is a written log (a.k.a. evidence
log) to document when media go in or out of storage (Cameron 2011). In
order for the data to be admissible, it has to be proven that they have not
been tampered with; therefore, you should be able to trace the location of
the evidence from the moment it was collected to the moment it appears in
court. If there is a time period that is unaccounted for, there is a chance that
changes could have been made to the data. One way to preserve evidence
is to transfer digital information onto a read-only, nonrewritable CD-ROM
and/or to upload the data onto a secure server and hash (discussed
earlier) the file to ensure the data's integrity.
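The preservation practice just described, as an added example that is not the book's code: an evidence log that hashes the item at acquisition, re-hashes it at every custody transfer, and reports which log entries no longer match the acquisition hash. The case number, custodian names and the stand-in image file are constructed for illustration.

```python
"""Chain-of-custody log with integrity hashes (added example, not from the book)."""
import datetime
import hashlib
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLog:
    """Append-only custody log for one evidence item (here, an image file)."""

    def __init__(self, case_id, item_path):
        self.case_id = case_id
        self.item_path = Path(item_path)
        self.entries = []
        self.acquisition_hash = None

    def _record(self, action, custodian, note=""):
        # Every entry carries a fresh hash, so each handover doubles as an integrity check.
        entry = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "case": self.case_id,
            "item": self.item_path.name,
            "action": action,
            "custodian": custodian,
            "sha256": sha256_file(self.item_path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def acquire(self, custodian, note=""):
        """First entry: its hash is the reference value for every later check."""
        entry = self._record("acquired", custodian, note)
        self.acquisition_hash = entry["sha256"]
        return entry

    def transfer(self, from_custodian, to_custodian, note=""):
        """Handover: both parties are named so no period is left unaccounted for."""
        return self._record("transferred", f"{from_custodian} -> {to_custodian}", note)

    def verify(self):
        """True if the item still hashes to its acquisition value."""
        return sha256_file(self.item_path) == self.acquisition_hash

    def mismatched_entries(self):
        """Indices of log entries whose hash differs from the acquisition hash."""
        return [i for i, e in enumerate(self.entries) if e["sha256"] != self.acquisition_hash]

    def as_text(self):
        """Plain-text log lines of the kind kept with the evidence."""
        return "\n".join(
            f"{e['time']} case={e['case']} item={e['item']} {e['action']} "
            f"by {e['custodian']} sha256={e['sha256']} {e['note']}".rstrip()
            for e in self.entries)


def demo(image_path):
    """Constructed walk-through: acquire, hand over, then alter the file and re-check."""
    Path(image_path).write_bytes(b"constructed stand-in for a disk image\n" * 1000)
    log = EvidenceLog("case101", image_path)
    log.acquire("examiner A", "imaged from suspect drive through a write-blocker")
    log.transfer("examiner A", "evidence locker", "sealed bag #1")
    intact_before = log.verify()
    # Simulate an alteration while the item was supposedly in storage.
    with open(image_path, "ab") as f:
        f.write(b"X")
    log.transfer("evidence locker", "examiner B", "checked out for analysis")
    return intact_before, log.verify(), log.mismatched_entries()


if __name__ == "__main__":
    before, after, bad = demo("case101_drive.img")
    print(f"intact before storage: {before}; intact after: {after}; mismatched entries: {bad}")
```

The third entry is the one that fails, which tells the examiner that the alteration happened between the locker check-in and the check-out, exactly the kind of unaccounted-for period the text warns about.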
5.4.3 Analysis
Following data collection is data analysis. The image of the suspect machine(s)
needs to be restored so that the analysis of the evidence can begin. The image
should be restored on a clean (wiped) drive that is slightly larger or restored to
a clean destination drive that was made by the same manufacturer to ensure
that the image will fit. Next, the review process begins by using one of the
forensic tools such as EnCase, FTK (Forensic Toolkit), P2 by Paraben, Helix 3,
etc. To recover deleted files, the unallocated space of the image needs to be
reviewed. The investigator may find whole files or file fragments since files are
never removed from the hard drive when the delete feature is utilized. What
is deleted is the pointer the operating system used to build the directory tree
structure. Once that pointer is gone, the operating system will not be able to
find the file, but the investigator can! Keep in mind, however, that when new
files are created, a memory spot is chosen, so there is a chance that the file,
or at least part of it, is written over. Here is why: All data are arranged on
a hard drive into allocation units called clusters. If the data being stored require
less storage than a cluster size, the entire cluster is still reserved for that file. The
unused space in that cluster is called slack space. There is an example in Figure 5.5.
But, deleting that 20K file frees up the space for a new file. If that cluster is
chosen, the new file is going to be written on top of the old file. If the new file
is smaller than 20K, then part of that 20K file will be retrievable (Figure 5.6).
Evaluating every file on the restored image can be an arduous task; thus,
one trick a forensic examiner will use is identifying files with known hashed
values. Known file hashes can be files that are received from a manufacturer
for popular software applications. Other known hashes can be from movies,
cracking tools, music files, and images. The National Software Reference
Library (http://www.nsrl.nist.gov) provides values for common software
applications. An investigator may be able to reduce the number of files
needed to be analyzed by 90 percent by using the “hashkeeper paradigm,”
which assumes that identical files produce the same hash value (Mares 2002):
1. Obtain a list of hash values of “known” files.
2. Obtain the hashes of the suspect files.
3. Compare the two hash lists to match the known files or identify the
unknown files.
4. Eliminate the “known” files from the search.
5. Identify and review the unknown files.
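The five steps above carried out in code, as an added example that is not the book's or NIST's tooling. It assumes a known-hash list in a simple "sha256,filename" text form constructed here; the NSRL distributes its reference data in its own formats, which would need their own loader. The sample "image" is a small directory tree built in a temporary location, with three stand-in vendor files and two user files.

```python
"""Known-file elimination, the "hashkeeper paradigm" (added example, not from the book)."""
import hashlib
import tempfile
from pathlib import Path


def load_known_hashes(text):
    """Step 1: parse 'sha256,name' lines (assumed format) into a set of lowercase digests."""
    known = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split(",", 1)[0].strip().lower()
        if len(digest) == 64:          # ignore malformed rows instead of matching on them
            known.add(digest)
    return known


def hash_tree(root):
    """Step 2: hash every regular file under root -> {relative POSIX path: digest}.

    Files are read whole here because the sample is tiny; a real image is
    hashed in chunks.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def triage(suspect_hashes, known_hashes):
    """Steps 3-5: split files into 'known' (eliminated) and 'unknown' (to review)."""
    known = sorted(p for p, d in suspect_hashes.items() if d in known_hashes)
    unknown = sorted(p for p, d in suspect_hashes.items() if d not in known_hashes)
    return known, unknown


def build_sample_case():
    """Constructed sample image: three vendor files (in the known list) and two user files."""
    root = Path(tempfile.mkdtemp(prefix="image_"))
    files = {
        "Windows/notepad.exe": b"stand-in for a vendor binary\n",
        "Program Files/app/app.dll": b"stand-in for a library\n",
        "Program Files/app/readme.txt": b"stand-in for a vendor readme\n",
        "Users/suspect/notes.txt": b"meet at the usual place\n",
        "Users/suspect/photo.jpg": b"\xff\xd8\xff\xe0 not a real jpeg\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    # The known-hash list covers only the first three (vendor) files.
    known_text = "# sha256,filename\n" + "\n".join(
        f"{hashlib.sha256(files[r]).hexdigest()},{Path(r).name}" for r in list(files)[:3])
    return root, known_text


def run_sample():
    """Hash the sample image, compare against the known list, return (known, unknown)."""
    root, known_text = build_sample_case()
    return triage(hash_tree(root), load_known_hashes(known_text))


if __name__ == "__main__":
    eliminated, to_review = run_sample()
    print(f"eliminated {len(eliminated)} known files; {len(to_review)} left to review: {to_review}")
```

Matching is on the digest alone, not the file name: a vendor file renamed by a user is still eliminated, and a file that keeps a vendor name but has different content is not.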
[Figure 5.5: a 32K cluster holding a 20K file, leaving 12K of slack space.]
FIGURE 5.5
Slack space.
[Figure 5.6: the same 32K cluster holding a new 10K file, leaving 22K of slack space, 10K of which is the old file.]
FIGURE 5.6
Slack space with a partial file.
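The two figures simulated in code, as an added example that is not from the book: one 32K cluster is modelled as a byte array, a 20K file is written, "deleted" (only the directory pointer is dropped; the bytes stay), and a 10K file then reuses the cluster. The sizes match the figures; the file contents are constructed so the old file's bytes are recognisable in the slack.

```python
"""Slack space and partial-file recovery in one cluster (added example, not from the book)."""
K = 1024
CLUSTER_SIZE = 32 * K


class Cluster:
    def __init__(self, size=CLUSTER_SIZE):
        self.size = size
        self.data = bytearray(size)   # zero-filled, like a freshly wiped drive
        self.pointer = None           # (name, length): the directory entry, or None

    def write_file(self, name, content):
        """Store a file: only the first len(content) bytes of the cluster are overwritten."""
        if len(content) > self.size:
            raise ValueError("file larger than one cluster")
        self.data[:len(content)] = content
        self.pointer = (name, len(content))

    def delete(self):
        """'Delete' drops the directory pointer only; every byte stays where it was."""
        self.pointer = None

    def slack_space(self):
        """Bytes reserved for the cluster but unused by the current file."""
        return self.size - (self.pointer[1] if self.pointer else 0)

    def carve_slack(self):
        """What an examiner reads past the end of the current file: raw slack bytes."""
        start = self.pointer[1] if self.pointer else 0
        return bytes(self.data[start:])


def run_figures():
    """Reproduce Figures 5.5 and 5.6 and count the old file's bytes left in the slack."""
    cluster = Cluster()
    old_marker, new_marker = b"A", b"B"          # constructed, distinguishable contents
    cluster.write_file("old.doc", old_marker * (20 * K))
    slack_fig55 = cluster.slack_space()           # Figure 5.5: 12K unused

    cluster.delete()                              # pointer gone, 20K of 'A' still on disk
    cluster.write_file("new.doc", new_marker * (10 * K))
    slack_fig56 = cluster.slack_space()           # Figure 5.6: 22K past the new file
    old_in_slack = cluster.carve_slack().count(old_marker)   # 10K of the old file survives
    return {"slack_fig55": slack_fig55, "slack_fig56": slack_fig56,
            "old_bytes_in_slack": old_in_slack}


if __name__ == "__main__":
    for name, value in run_figures().items():
        print(f"{name}: {value // K}K")
```

The first 10K of the old file is gone for good once the new file lands on the cluster; what the examiner carves out of the slack is the tail, which is why fragments rather than whole files are the common find.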
For string searches within the data, the drive needs to have all compressed
files decompressed and all encrypted files decrypted. Then, just as you do
with web searches, you should use effective key words to pare down results.
The exact search methodology used depends on the forensic software tool
you are using, what you are looking for (e.g., files, web browser history,
or e-mails), the format of the data, your time constraints, and whether the
suspect is aware of the investigation. If so, he or she may have deleted some
files.
A common investigation is an Internet usage analysis that monitors
inappropriate usage at work where, for example, an employee is gambling
or viewing pornography. Divorce lawyers may use this type of analysis to
prove infidelity by showing evidence on a social networking site or proving
a spouse was on a blog website looking for advice on how to get an
easy divorce. An anonymous blog posting can be attributed to a spouse
by showing that he or she made purchases with a credit card before
and/or after the post on the blog. Web browsers store multiple pieces of
information, such as history of pages visited, recently typed URLs, cached
versions of previously viewed pages, and favorites. The challenge is also
in showing that the accused was actually the one using that computer
at the time of the incident. For example, if pornography was viewed on
a particular employee's computer, the investigator has to make sure that
employee was not on vacation or in meetings all day when the abuse
occurred.
When doing this type of analysis (aka a temporal analysis), the investigator
may want to reconstruct the web page. The web page can be reconstructed
by searching the index.dat file for files that are associated with a given URL.
Then, the investigator can look for those files in the cache and copy them to a
temporary directory. The reconstructed page should be viewed in a browser
that is off-line so that the browser does not access the Internet. If the
reconstructed page accesses the Internet, it may follow the URL and download
the latest version of the page from the server, which will not be the version of
the web page that the suspect viewed at the time of the incident. Note that the
presence of a single image file does not indicate that the individual visited
a website. Because there are times when images are a result of a pop-up or
redirect, it is important that the investigator also determine which sites were
visited prior to the site in question. Recall the case of Julie Amero discussed
at the beginning of Chapter 2. These are just a few of the many techniques
an investigator could utilize for an effective and forensically sound Internet
usage analysis.
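The two checks the text asks for in a temporal analysis, as an added example that is not from the book: each browser-history entry is correlated with the employee's logon sessions and calendar (was the person even at the machine?) and with the visit immediately before it (a page loaded within a few seconds of another is a candidate pop-up or redirect, not evidence of intent on its own). The history, session and calendar records are constructed; the three-second redirect window is an assumed threshold, and how history and logon records are obtained depends on the browser and operating system.

```python
"""Temporal cross-check of browser history against user presence (added example, not from the book)."""
from datetime import datetime, timedelta

# Constructed records. Times are the workstation's local clock, as recovered.
HISTORY = [
    ("2011-03-14 09:02:10", "http://intranet.example/home"),
    ("2011-03-14 09:02:11", "http://ads.example/popup"),
    ("2011-03-14 12:30:05", "http://gambling.example/bet"),
    ("2011-03-15 10:15:00", "http://news.example/"),
]
LOGON_SESSIONS = [("2011-03-14 08:55:00", "2011-03-14 17:05:00")]
CALENDAR_BLOCKS = [("2011-03-14 12:00:00", "2011-03-14 13:00:00", "lunch meeting, off-site")]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def classify_visits(history, sessions, calendar, redirect_window=timedelta(seconds=3)):
    """Annotate each visit with presence evidence and the visit that preceded it closely."""
    visits = sorted((parse(t), url) for t, url in history)
    results, prev = [], None
    for when, url in visits:
        logged_on = any(parse(s) <= when <= parse(e) for s, e in sessions)
        conflict = next((label for s, e, label in calendar if parse(s) <= when <= parse(e)), None)
        preceded_by = prev[1] if prev and when - prev[0] <= redirect_window else None
        results.append({"time": when.isoformat(sep=" "), "url": url,
                        "logged_on": logged_on,      # False: user had no session then
                        "conflict": conflict,        # calendar says the user was elsewhere
                        "preceded_by": preceded_by}) # possible pop-up/redirect source
        prev = (when, url)
    return results


def needs_explanation(results):
    """URLs the examiner must explain before attributing them to the user as deliberate."""
    return [r["url"] for r in results
            if not r["logged_on"] or r["conflict"] or r["preceded_by"]]


if __name__ == "__main__":
    for r in classify_visits(HISTORY, LOGON_SESSIONS, CALENDAR_BLOCKS):
        print(r)
    print("explain before attributing:", needs_explanation(classify_visits(HISTORY, LOGON_SESSIONS, CALENDAR_BLOCKS)))
```

In the constructed data only the intranet visit survives all three checks; the pop-up follows another page by one second, the gambling visit falls inside an off-site meeting, and the news visit has no logon session at all. None of these is proof either way, but each is an alternative explanation the report must address.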
E-mail analysis is also very common. The investigator may be tasked to
prove a certain policy violation, harassment, or impersonation. It may be as
simple as finding the e-mail and determining who sent it and who received
it, or as complicated as reconstructing the entire e-mail chain. This is also an
analysis that should be done off-line so that no e-mails are sent or received
inadvertently during the analysis.
5.4.4 Reporting
The nal stage in the digital forensics life cycle is reporting the results of the
analysis in the previous stage as well as describing reasoning behind actions,
tool choices, and procedures. NIST (2006) describes three main factors that
affect reporting: alternative explanations, audience consideration, and actionable
information.
Alternative explanations back up the conclusions of the incident by including
all plausible explanations for what happened. In the Julie Amero case, she was
convicted (later overturned) of viewing pornography on a school computer in
front of minors. Had the investigators looked for alternative explanations, they
would have figured out that the pornography websites viewed were caused
by spyware. Instead, the clearly ignorant original investigators misled the jury
by only presenting evidence in the temporary Internet files directory and the
school firewall logs showing that pornography websites were accessed. They
missed the alternative explanation and caused her to be unfairly convicted
because their findings (temporary Internet files and firewall logs) do not
demonstrate a user’s intent. Upon reanalysis by expert forensic investigators
(Eckelberry et al. 2007), it was discovered that the antivirus software was an
out-of-date trial version, that there was no antispyware* software installed on
the system, and that the spyware was definitely installed prior to the incident.
The original investigators also misled the jury by informing them that
spyware is not capable of spawning pop-ups (not true), that pop-ups cannot
be in an endless loop (not true), and that the red link color used for some of
the text on the porn website (that they showed the jury) indicated Amero
clicked on the links (the link visits, whether intentional or not, are shown in
the visited color, which they indicated was red). In this particular case, the
link was red; however, if the original investigators had opened the browser
preferences, they would have noted a few things: (1) the links were selected
to be green if a site was visited, and (2) the HTML source code changed the
font color to red. The investigators also misled the jury by telling them
that the only way spyware is installed on a computer is by actually visiting
a pornographic site (not true). Eckelberry et al. (2007) determined that
this particular spyware was installed right after a Halloween screen saver
was downloaded. There were multiple inconsistencies with the original
investigation. I encourage you to read this case as it illustrates very clearly
what NOT to do in a forensic investigation.
Reports on the results of a forensics analysis will vary in content and
detail based on the incident. Just as in any writing, audience consideration
is important. Thus, the level of detail of a forensic analysis report is
determined by the audience who needs the report. If the analysis resulted in a
noncriminal case, the executives or management may want a simple overview
* Antispyware is software designed to detect and remove a malicious application from a computer.