Chapter 5. System Forensics Technologies

AS EXPLAINED IN CHAPTER 1, "System Forensics Fundamentals," system forensics is the art and science of locating, extracting, analyzing, and protecting data from devices and networks. Specialists interpret this data and use it as legal evidence. The field of system forensics has been a mainstay for law enforcement and military agencies since the mid-1980s. It is relatively new to the private sector but is rapidly growing.

This chapter looks at specific types of system forensics technology that specialists in the military, law enforcement, and business use. The analytical techniques are the same for each category. However, the focus of investigations differs, depending on the specifics of the case. Perpetrators have different motives, and their actions have different impacts. Attacks range from trouble-making attempts to theft to attacks that cripple corporations or even governments. Some perpetrators go to great lengths to frustrate a forensic investigation. A forensic investigator must know how to choose and use the most suitable technology for a given case.

How the Military Uses System Forensics

The U.S. Department of Defense (DoD) coordinates and supervises agencies and functions of the government related to national security and the U.S. armed forces. The DoD uses system forensics to evaluate and examine data related to cyberattacks. The DoD estimates the potential impact of malicious activity. It also assesses the intent and identity of perpetrators.

Note

Real-time tracking of potentially malicious activity is especially difficult when a perpetrator has intentionally or maliciously hidden, destroyed, or modified the pertinent information to elude discovery.

The DoD Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics. It is involved in any DoD investigation that requires computer forensics support to detect, enhance, or recover digital media. DC3 is also involved in criminal law enforcement forensics and counterintelligence. It assists in criminal, counterintelligence, counterterrorism, and fraud investigations. In addition, it supports safety investigations and Inspector General and commander-directed inquiries.

DC3 provides computer investigation training. It trains forensic examiners, investigators, system administrators, and others. It also ensures that defense information systems are secure from unauthorized use, criminal and fraudulent activities, and foreign intelligence service exploitation. DC3 partners with government, academic, and private industry computer security officials.

For more information on DC3, see http://www.dc3.mil.

Which Technologies Law Enforcement Agencies Use

Law enforcement agencies use system forensics tools to identify leads and process computer-related evidence. System forensics tools and techniques are important resources in criminal and internal investigations, civil lawsuits, and computer security risk management.

Law enforcement forensic specialists use a variety of system forensics technologies. They apply software tools and methods to identify and retrieve passwords, logon information, e-mail messages, accounting information, and other data stored on digital devices or media. They also employ forensic software tools to identify backdated files, tie disks to the computers on which they were created, recover deleted files, and locate data that someone attempted to hide. Like the military, law enforcement agencies have been involved in processing computer evidence for many years.

This section touches on issues related to Windows operating systems and their use in law enforcement system forensics. Many laptop and desktop personal computers (PCs) in corporations and government agencies run the Windows XP, Vista, and 7 operating systems. Those involved in computer investigations and computer security reviews are most likely to encounter these operating systems. The forensic concepts presented here do, however, also apply to non-Windows systems, such as UNIX, Linux, and Mac, although the software and techniques for each differ.

The following sections describe some technologies that are especially important in law enforcement system forensics. Many of these technologies also apply to military and business settings.

Evidence Preservation

Computer evidence is fragile. A person can easily alter or destroy it. System forensics specialists must know how to use bit stream backup to ensure the preservation of all storage levels that may contain evidence.

Trojan Horse Programs

A Trojan horse program is an independent program that, when called by an authorized user, performs a useful function. At the same time, it also performs unauthorized functions, often usurping the privileges of the user. Perpetrators may plant these programs and traps with the intention of capturing sensitive data, such as Social Security numbers, passwords, and network logons. Or they may plant them to destroy data and evidence or modify an operating system. A system forensics specialist must know how to identify, use, avoid, and defeat Trojan horse programs.

Documentation of Methodologies and Findings

Documentation of forensic processing methodologies and findings is critical. Without proper documentation, a forensic specialist has difficulty presenting findings. When security or audit findings become the object of a lawsuit or a criminal investigation, the legal system requires proper documentation. Without documentation, courts are unlikely to accept investigative results. Thus, a system forensics specialist must know the ins and outs of computer evidence processing methodology. This methodology includes strong evidence-processing documentation and good chain of custody procedures.

Disk Structure

A system forensics specialist should have a good understanding of how computer hard disks and CDs are structured. A specialist should also know how to find data hidden in obscure places on CDs and hard disk drives.

File Slack Searching

A system forensics specialist should understand techniques and automated tools used to capture and evaluate file slack. A hard disk or CD is segmented into clusters of a particular size. Each cluster can hold only one file. If you write a 1 KB file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster is wasted. This unused space between the logical end-of-file and the physical end-of-file is known as file slack (see Figure 5-1). Most computer users have no idea that they're creating slack space as they use a computer. In addition, data from a file may remain even after you delete it. This residual data in file slack is not necessarily overwritten when you create a new file. File slack is therefore a source of potential security leaks involving passwords, network logons, e-mail, database entries, and word processing documents. A forensic specialist should know how to search file slack, identify what is and is not useful data, document any findings, and eliminate security risks.
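The following is an added example, not part of the original chapter, that simulates the cluster behavior just described. The toy ClusterDisk class is constructed for this illustration and is not a real file system; it writes only a file's logical bytes into its clusters and leaves the rest of each cluster untouched, so a deleted 4 KB file's residue survives in the slack of a 1 KB file written over it. The 4 KB cluster size is the assumed value from the text.

```python
CLUSTER_SIZE = 4096  # bytes per cluster (assumed, matching the text's example)


class ClusterDisk:
    """Toy cluster-based storage: every file occupies whole clusters.
    Constructed for this example; it is not a real file system."""

    def __init__(self, clusters: int, cluster_size: int = CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.media = bytearray(clusters * cluster_size)  # the raw media bytes
        self.directory = {}  # name -> (first_cluster, logical_size)

    def write(self, name: str, data: bytes, first_cluster: int) -> None:
        """Write only the logical bytes; whatever already sits in the rest
        of the cluster is left alone, as a file system that does not zero
        slack would do."""
        start = first_cluster * self.cluster_size
        self.media[start:start + len(data)] = data
        self.directory[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        """Deletion removes only the directory entry; the bytes remain."""
        del self.directory[name]

    def logical(self, name: str) -> bytes:
        """The file as an application sees it: logical start to logical EOF."""
        first, size = self.directory[name]
        start = first * self.cluster_size
        return bytes(self.media[start:start + size])

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end-of-file and the end of the last
        cluster the file occupies: the file slack."""
        first, size = self.directory[name]
        clusters_used = -(-size // self.cluster_size)  # ceiling division
        start = first * self.cluster_size + size
        end = (first + clusters_used) * self.cluster_size
        return bytes(self.media[start:end])


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Wasted bytes in the last cluster of a file of the given size."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size


def demo() -> dict:
    """Write a 4 KB file, delete it, then store a 1 KB file in the same
    cluster and inspect the slack of the new file. Sample data constructed."""
    disk = ClusterDisk(clusters=4)
    old = (b"password=hunter2; " * 300)[:4096]  # constructed "sensitive" file
    disk.write("report.txt", old, first_cluster=0)
    disk.delete("report.txt")
    disk.write("note.txt", b"A" * 1024, first_cluster=0)
    return {
        "note_logical_len": len(disk.logical("note.txt")),
        "note_slack_len": len(disk.slack("note.txt")),
        "residual_found": b"password=hunter2" in disk.slack("note.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

An examiner's slack-searching tool does exactly what slack() does, but against the real cluster map of the file system; the residue it finds belongs to files the directory no longer lists.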

Data-Hiding Techniques

Trade secret information and other sensitive data can easily be hidden using a number of techniques. Data can also be unintentionally left behind. It is possible to hide disks within disks and even to hide entire computer hard disk drive partitions.

Figure 5-1. File slack.

A forensic specialist should understand these issues from a detection standpoint, as well as from a security risk standpoint. A forensic specialist should know how to use the software tools discussed later in this chapter to find hidden data. Figure 5-2 shows eight places on hard drives where data can be hidden:

  1. Host protected area (HPA)—The host protected area (HPA) was designed as an area where computer vendors could store data that is protected from user activities and operating system utilities, such as delete and format. To hide data in the HPA, a person would need to write a program to access the HPA and write the data.

  2. Master boot record (MBR)—The master boot record (MBR) requires only a single sector, leaving 62 empty sectors of MBR space for hiding data.

  3. Volume slack—The volume slack is the space that remains on a hard drive if the partitions do not use all the available space. Say that two partitions are filled with data. When you delete one of them, the data is not actually erased. Instead, it remains in the now-unpartitioned space, hidden from the operating system.

  4. Partition slack—File systems store data in blocks, which are made of sectors. If the total number of sectors in a partition is not a multiple of the block size, leftover sectors can't be accessed through typical means. They make a good place to hide data.

    Figure 5-2. Data hiding.

  5. Boot sector in a non-bootable partition—Every partition contains a boot sector. In some cases, that partition isn't bootable. The boot sectors in non-bootable partitions are available to hide data.

  6. Unallocated space—An operating system can't access any unallocated space in a partition. That space can contain hidden data.

  7. Good blocks marked as bad—Say that someone manipulates the file system metadata to mark usable blocks as bad. The operating system will no longer access these blocks. These blocks can then be used to hide data.

  8. File slack—As mentioned earlier, file slack is the unused space that is created between the end-of-file marker and the end of the hard drive cluster in which the file is stored.
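As an added example (not from the chapter), the following Python code parses a constructed master boot record and reports three of the locations listed above: the sectors between the MBR and the first partition (item 2), the volume slack after the last partition (item 3), and the partition slack left when a partition's sector count is not a multiple of the block size (item 4). The sample partition table, disk size, and 8-sector block size are constructed values; the 16-byte partition-entry layout at offset 446 and the 0x55AA signature are the standard MBR format.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, size


def build_sample_mbr(partitions):
    """Construct a 512-byte MBR from (type, start_lba, size_sectors) tuples.
    Constructed sample for this example; not read from any real disk."""
    mbr = bytearray(SECTOR)
    mbr[:4] = b"\xEB\x3C\x90\x00"  # placeholder boot code bytes, not run
    for i, (ptype, start, size) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr: bytes):
    """Return the used entries of the four-slot partition table."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        _status, _, ptype, _, start, size = struct.unpack_from(
            ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0 and size != 0:
            parts.append({"type": ptype, "start": start, "size": size})
    return parts


def hidden_areas(mbr: bytes, disk_sectors: int, block_sectors: int = 8):
    """Report sector ranges an operating system does not normally expose:
    the gap after the MBR, the volume slack after the last partition, and
    the partition slack of partitions not made of whole blocks."""
    parts = sorted(parse_mbr(mbr), key=lambda p: p["start"])
    report = {"mbr_gap": 0, "volume_slack": 0, "partition_slack": {}}
    if parts:
        report["mbr_gap"] = parts[0]["start"] - 1  # sector 0 is the MBR
        last_end = max(p["start"] + p["size"] for p in parts)
        report["volume_slack"] = max(0, disk_sectors - last_end)
    for p in parts:
        leftover = p["size"] % block_sectors
        if leftover:
            report["partition_slack"][p["start"]] = leftover
    return report


def demo():
    """Two constructed partitions on a 40,000-sector disk."""
    mbr = build_sample_mbr([(0x07, 63, 20477), (0x83, 20540, 16384)])
    return hidden_areas(mbr, disk_sectors=40000)


if __name__ == "__main__":
    print(demo())
```

In the sample, the first partition starts at sector 63, so the 62 sectors behind the MBR are reported; the disk has 3,076 sectors past the last partition; and the first partition's 20,477 sectors leave 5 sectors that no 8-sector block can address. An examiner would image those ranges and search them like any other unallocated space.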

Fuzzy Logic Tools for Identifying Unknown Text

With traditional computer evidence searches, a user should know what he or she is searching for. However, a forensic specialist may not know what is stored on a given computer system. In such cases, the investigator can apply fuzzy logic tools to provide valuable leads about how the subject computer was used. A fuzzy logic tool is a tool used to identify unknown strings of text by searching for values between "completely true" and "completely false." A system forensics specialist should be able to use such tools to identify evidence in file slack, unallocated file space, and Windows swap files. Filter_G, discussed later in this chapter, is an example of a fuzzy logic tool.
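The following added example (not from the chapter, and not the Filter_G tool) shows the idea behind such a tool in about fifty lines: it pulls printable strings out of a constructed block of raw slack data, then scores each one against a list of keywords with a similarity ratio between 0.0 ("completely false") and 1.0 ("completely true"). A threshold on that ratio lets the tool surface "passw0rd" and a misspelled "confidentail" that an exact search would miss. The sample bytes, keyword list, and 0.8 threshold are constructed for this illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of raw slack/unallocated data: printable runs mixed
# with binary filler. Not taken from any real system.
SAMPLE_SLACK = (b"\x00\x00\x00" + b"Logon: jsmith passw0rd" + b"\xff\x01\x02"
                + b"confidentail memo Q3" + b"\x00" * 4 + b"kernel32.dll" + b"\x00")


def extract_strings(blob: bytes, min_len: int = 6):
    """Pull runs of printable ASCII out of raw bytes, like the classic
    'strings' utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def fuzzy_score(candidate: str, keyword: str) -> float:
    """Best similarity ratio between the keyword and any window of the
    candidate string of the keyword's length (1.0 = exact match)."""
    candidate, keyword = candidate.lower(), keyword.lower()
    width = len(keyword)
    best = 0.0
    for i in range(max(1, len(candidate) - width + 1)):
        window = candidate[i:i + width]
        best = max(best, SequenceMatcher(None, window, keyword).ratio())
    return best


def fuzzy_search(blob: bytes, keywords, threshold: float = 0.8):
    """Return (string, keyword, score) for every extracted string that is
    'close enough' to a keyword, so an examiner can review the leads."""
    hits = []
    for s in extract_strings(blob):
        for kw in keywords:
            score = fuzzy_score(s, kw)
            if score >= threshold:
                hits.append((s, kw, round(score, 2)))
    return hits


if __name__ == "__main__":
    for hit in fuzzy_search(SAMPLE_SLACK, ["password", "confidential"]):
        print(hit)
```

Lowering the threshold widens the net at the cost of more false leads, which is exactly the trade-off an examiner tunes when the contents of a system are unknown.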

Data Encryption

A system forensics specialist should understand the basics of how data is encrypted. A specialist should also be able to illustrate the differences between good encryption and bad encryption. Some software, including Word, Excel, Lotus, PKZIP, and WordPerfect, uses security to provide limited encryption. A specialist should know how to use software to crack this security. Encryption is covered later in this chapter.

Disk-to-Computer Matching

Computers leave traces of their activity when writing to a hard drive or removable media. A forensic specialist should know how to use specialized techniques and tools to tie a CD to a computer that was used to create or edit files stored on the CD.

Data Compression

Compression is the process of encoding information with fewer bits than the unencoded information would use (see Figure 5-3). Compression programs can be used to hide or disguise sensitive data. A system forensics specialist should understand how compression works.

Figure 5-3. Data compression.
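Because compression re-encodes the bytes, a keyword search over raw media will not find a term that sits inside a compressed stream. The following added example (not from the chapter) builds a constructed blob containing a zlib-compressed message, scans it for zlib stream headers, inflates each candidate, and searches both the raw bytes and the inflated contents. The sample message and its position in the blob are constructed; the header test (first byte 0x78, two-byte header divisible by 31) is the zlib format's own check.

```python
import zlib

# Constructed sample message; hidden inside a compressed stream below.
SECRET = b"Project Falcon merger terms: offer $42 per share"


def build_sample_blob() -> bytes:
    """Filler bytes, then a zlib stream, then more filler (constructed)."""
    return b"\x00" * 16 + b"random data " + zlib.compress(SECRET) + b"\xff" * 8


def find_zlib_streams(blob: bytes):
    """Locate candidate zlib streams by header and try to inflate each.
    Returns (offset, inflated_bytes) for streams that end cleanly."""
    found = []
    for i in range(len(blob) - 1):
        header = (blob[i] << 8) | blob[i + 1]
        if blob[i] != 0x78 or header % 31 != 0:
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[i:])
        except zlib.error:
            continue  # false positive: not really a stream
        if d.eof:
            found.append((i, data))
    return found


def keyword_search(blob: bytes, keyword: bytes) -> dict:
    """Search the raw bytes and the inflated contents of embedded streams."""
    result = {"raw_hit": keyword in blob, "inflated_hits": []}
    for offset, data in find_zlib_streams(blob):
        if keyword in data:
            result["inflated_hits"].append(offset)
    return result


if __name__ == "__main__":
    print(keyword_search(build_sample_blob(), b"Project Falcon"))
```

The raw search misses the keyword entirely; only the inflated stream at offset 28 reveals it. Real forensic suites carve many more container formats the same way, but the principle is the one shown here: decode before you search.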

Recovery of Erased Files

A system forensics specialist should know how to recover previously erased files. A specialist can recover these files by using file recovery software and manual data-recovery techniques.

Internet Abuse Identification and Detection

A system forensics specialist should understand how to use specialized software to identify how a targeted computer has been used on the Internet. The specialist should know how to examine file slack, unallocated file space, and Windows swap files to find data pertinent to the investigation.

The Boot Process and Memory-Resident Programs

A user can modify an operating system to change and destroy data. For example, a hacker might use this technique to covertly capture keyboard activity from corporate executives. A system forensics specialist should understand how to examine the boot process and memory-resident programs.

Flash Memory Media Processing

Flash memory media are computer memory chips or cards that retain data without being connected to a power source. They are popular storage devices in digital cameras and other portable electronic gadgets. In recent years, their storage capacities have grown significantly. Because of their ubiquity, these storage devices are commonly part of system forensics examinations. (See the sidebar, "Processing Data Stored in Flash Memory.")

How Businesses Use System Forensics Technologies

Companies keep their proprietary information and business processes on computers and networks. Therefore, threats to the strategic value of a business almost always involve a computer or network. A simple and virtually undetectable fraud that posts a few cents to a phony account can reap a perpetrator thousands of dollars. A malicious change to an individual's personnel records could cost the innocent person a job and a career. Divulging a company's financial records could damage it on Wall Street, in the marketplace, and with shareholders. Hackers involved in corporate espionage steal trade secrets. Posting libelous information on the Internet about a company or an individual can damage a reputation beyond recovery. Employees of a company might steal from it or use company resources for their own benefit.

Companies turn to system forensics in many situations. For example, they might need system forensics to deal with litigation, such as a wrongful termination suit. They also need system forensics when there is an actual or suspected incident with a serious risk of information being compromised. In addition, they use system forensics when they face a potential loss of competitive capability or potential damage to reputation and brand. Some companies regularly use forensic investigations to check employee computers. In theory, employees are less tempted to stray when they know their company is watching them. In addition, companies check for Trojans and other malware.

Disgruntled insiders may launch attacks from within a protected network. In recent years, malicious-minded individuals have assaulted numerous e-commerce Web sites with denial of service (DoS) attacks. Attackers have committed other malevolent acts against corporations and governments, including spreading viruses, wiretapping, and committing financial fraud. Cybercrime costs the United States billions of dollars in unrealized profits and exposes organizations to significant risk.

System forensics specialists must be familiar with a number of basic techniques and tools for investigating computer-related crimes. They should be able to trace the source of an e-mail message, acquire digital evidence, and crack passwords. In addition, they may need to monitor computers remotely, track online activity, find and recover hidden and deleted data, and locate stolen computers.

The following sections discuss a number of system forensics technologies used to investigate business systems.

Remote Monitoring of Target Computers

Forensic tools can remotely monitor activities of target computers. System forensics specialists can use tools to remotely seize and secure digital evidence before physically entering suspect premises. These tools include F-Response (http://www.f-response.com) and various key- and screen-logging tools.

Tip

The legal restrictions regarding collection of data apply whether an investigator physically takes control of a computer or gains remote access. Thus, an investigator must have a search warrant, subpoena, or authorization by the system owner before collecting data remotely.

Trackable Electronic Documents

Intrusion detection tools allow the user to create trackable electronic documents. These tools identify unauthorized intruders who access, download, and view tagged documents. The tools also allow security personnel to trace the chain of custody of all who possess stolen electronic documents.

Theft Recovery Software for Laptops and PCs

Most stolen computers are never recovered. Laptop theft costs U.S. businesses billions of dollars each year. Consider the real costs to replace a stolen computer:

  • The price of replacing the hardware

  • The price of replacing the software

  • The cost of re-creating data—if re-creating the data is even possible

  • The cost of lost production time or instruction time

  • The loss of customer goodwill due to lost faxes, delayed correspondence or billing, and problems answering questions and accessing data

  • The cost of reporting and investigating the theft, including the time required to file police reports and insurance claims

  • The cost of increased insurance

    Note

    In some cases, a company can't re-create data. The theft of a laptop containing sensitive data could be devastating for a small business. The data a device holds can be worth many times the cost of replacing the hardware and software.

  • If personally identifying information or financial data is lost, huge fines and mandatory audits for up to 20 years, as well as litigation costs

  • The cost of processing and ordering replacements, cutting checks, and so on

  • If law enforcement catches the thief, then the cost of time involved in prosecution

To prevent such losses, a business can install software to track and locate a lost or stolen PC or laptop anywhere in the world. One option is PC PhoneHome (http://www.pcphonehome.com). PC PhoneHome sends a stealth e-mail to a designated e-mail address once a day or every time the user connects to the Internet and is assigned an IP address different from the previous IP address. If the computer is lost or stolen, the user reports the loss to the police and uses the PC PhoneHome Recovery Center to monitor the designated e-mail address. When the stolen computer accesses the Internet by any method, the lost or stolen computer sends a stealth e-mail message that gives its location.

Handling Evidence

Preserving computer evidence requires planning and training in incident discovery procedures. The following sections describe tasks related to handling evidence and measures to take when gathering evidence.

Evidence-Handling Tasks

A system forensics specialist has three basic tasks related to handling evidence:

  • Find evidence—Gathering computer evidence goes beyond normal data recovery. Finding and isolating evidence to prove or disprove allegations can be difficult. Investigators may need to investigate thousands of active files and fragments of deleted files to find just one that makes a case. System forensics has therefore been described as looking for one needle in a mountain of needles. Examiners often work in secure laboratories, where they check for viruses in suspect machines and isolate data to avoid contamination. (For more information on system forensics labs, see Chapter 4, "Forensics Methods and Labs.")

  • Preserve evidence—Preserving computer evidence is important because data can be destroyed easily. The 1s and 0s that make up data can be hidden and vanish instantly with the push of a button. As a result, forensic examiners should assume that every computer has been rigged to destroy evidence. They must proceed with care in handling computers and storage media.

  • Prepare evidence—Evidence must be able to withstand judicial scrutiny. Therefore, preparing evidence requires patience and thorough documentation. Failing to document where evidence comes from and ensure that it has not been changed can ruin a case. Judges have dismissed cases because of such failures.

Evidence-Gathering Measures

Forensic specialists should take the following measures when gathering evidence:

  • Avoid changing the evidence—Forensic specialists should photograph equipment in place before removing it. They should label wires and sockets so computers and peripherals can be reassembled exactly in a laboratory. They should transport computers, peripherals, and media carefully to avoid heat damage or jostling. They should avoid touching original computer hard disks and CDs. They should make exact bit-by-bit copies and store the copies on a medium that cannot be altered, such as a CD-ROM.

  • Determine when evidence was created—Timelines of computer usage and file accesses can be valuable sources of computer evidence. The times and dates when files were created, last accessed, or modified can make or break a case. Forensic specialists should not trust a computer's internal clock or activity logs. The internal clock might be wrong, a suspect might have tampered with logs, or the mere act of turning on the computer might change a log irrevocably. Before logs disappear, an investigator should capture the time a document was created, the last time it was opened, and the last time it was changed. The investigator can then calibrate or recalibrate evidence, based on a time standard, and work around log tampering.

  • Trust only physical evidence—The physical level of magnetic materials is where the 1s and 0s of data are recorded. In system forensics, only this physical level is real. A forensic specialist should consider everything else untrustworthy. For example, a suspect might have corrupted all the software operating systems, applications, and communications on a computer. Or software itself might erase evidence while it operates.

  • Search throughout a device—Forensic specialists must search at the bit level. That is, they should search at the level of 1s and 0s across a wide range of areas inside a computer. This includes e-mail and temporary files in the operating system and in databases. Specialists should also search swap files that hold data temporarily, logical file structures, and slack and free space on the hard drive. They must also search software settings and script files that perform preset activities. In addition, they must investigate Web browser data caches, bookmarks and history, and session logs that record patterns of usage. Forensic specialists can then correlate evidence to activities and sources.

  • Determine the contents of encrypted files—Investigators often should not attempt to decode encrypted files. Rather, they should look for evidence in a computer that tells them what is in the encrypted file. Frequently, this evidence has been erased, but unencrypted traces remain to make a case. For data concealed within other files or buried inside the 1s and 0s of a picture, an investigator can tell if the data is there even though it is inaccessible. The investigator can compare nearly identical files to identify minute differences.

  • Present the evidence well—Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. A jury must be able to understand the evidence. In addition, the evidence should be solid enough that a defense counsel cannot rebut it. Therefore, a forensic specialist must create a step-by-step reconstruction of actions, with documented dates and times. In addition, the specialist must prepare charts, graphs, and other exhibits that explain what was done and how. All these charts, graphs, and other exhibits must be able to withstand scrutiny. The specialist's testimony must explain simply and clearly what a suspect did or did not do.
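The timeline measure above is worth seeing in code. The following added example (not from the chapter) takes constructed created/modified/accessed records for two files, flattens them into one sorted timeline after correcting for a measured offset between the suspect machine's clock and a trusted time standard, and flags the file whose modified time precedes its created time. The file paths, timestamps, and seven-minute clock offset are all constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed MAC-time records, as an examiner might export them from an image.
SAMPLE_RECORDS = [
    {"path": "C:/Users/js/memo.docx", "created": "2010-03-01T09:00:00",
     "modified": "2010-03-02T14:30:00", "accessed": "2010-03-03T08:15:00"},
    {"path": "C:/Users/js/plan.xlsx", "created": "2010-03-05T10:00:00",
     "modified": "2010-03-04T17:45:00", "accessed": "2010-03-05T10:00:00"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_timeline(records, clock_offset: timedelta = timedelta(0)):
    """Flatten per-file MAC times into one sorted list of (time, kind, path),
    shifting every timestamp by the difference between the suspect
    machine's clock and a trusted reference (negative = clock ran fast)."""
    events = []
    for r in records:
        for kind in ("created", "modified", "accessed"):
            events.append((parse_ts(r[kind]) + clock_offset, kind, r["path"]))
    return sorted(events)


def find_anomalies(records):
    """Files whose modified time precedes their created time. Copying a
    file can produce this legitimately, so it is a lead to explain in the
    report, not proof of tampering."""
    return [r["path"] for r in records
            if parse_ts(r["modified"]) < parse_ts(r["created"])]


if __name__ == "__main__":
    # Assumed: the suspect clock was found to run 7 minutes fast.
    for when, kind, path in build_timeline(SAMPLE_RECORDS, timedelta(minutes=-7)):
        print(when.isoformat(), kind, path)
    print("anomalies:", find_anomalies(SAMPLE_RECORDS))
```

Recording the offset and applying it uniformly, rather than editing individual timestamps, keeps the correction itself documentable for court.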

Encryption Methods and Vulnerabilities

Encryption is the process of making data unreadable to anyone except those who have the correct key. The use of encryption provides a unique challenge for a forensic specialist. Decryption is the process of making encrypted material readable again. Decryption provides a potentially greater obstacle than data recovery. Encryption, whether built into an application or provided by a separate software package, comes in different types and strengths.

Figure 5-4. Key-based asymmetric algorithm.

How Encryption Works

The objective of encryption is to protect information by scrambling the data into an unrecognizable form. An encryption process consists of two basic components:

  • An algorithm that provides specific computer instructions about how information is to be scrambled

  • A key that provides direction to the algorithm about the specific order in which the algorithm is to execute

The same algorithm and key used to encrypt information must be used to decrypt the information. As shown in Figure 5-4, some encryption processes provide for two keys. One of the keys performs the customary encryption and decryption functions. The other is a public key that can decrypt the information but cannot encrypt information.
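To make the one-key and two-key cases concrete, here is an added example that is not from the chapter and not the algorithm behind any product named in it. It pairs a toy symmetric cipher (XOR with a repeating key, which is trivially breakable and used only to show that the same key decrypts) with textbook RSA on deliberately tiny primes (61 and 53), small enough to follow by hand and useless for real protection. With RSA, whichever of the two keys transforms the data, only the other one reverses it.

```python
def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: the same key both scrambles and unscrambles.
    Insecure; included only to contrast with the two-key case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_keys(p: int, q: int, e: int = 17):
    """Textbook RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """Raise the value to the key's exponent modulo n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt_bytes(public, data: bytes):
    """Encrypt each byte separately (toy; real systems never do this)."""
    return [apply_key(public, b) for b in data]


def decrypt_bytes(private, blocks) -> bytes:
    return bytes(apply_key(private, c) for c in blocks)


if __name__ == "__main__":
    key = b"k3y"
    print(xor_cipher(key, xor_cipher(key, b"same key both ways")))
    public, private = make_keys(61, 53)
    c = apply_key(public, 65)
    print(c, apply_key(private, c), apply_key(public, c))  # 2790 65 (not 65)
```

The last print shows the asymmetry: applying the public key a second time does not recover the plaintext, which is why an investigator who finds one key on a suspect's machine still needs to determine which role it played.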

According to Jamie Morris in "Forensics on the Windows Platform, Part Two," even when facing tough encryption, a forensic specialist may still be able to decrypt data by widening the scope of the investigation to include intelligence sources beyond the suspect computer. For example, public-key cryptography can be used to create highly secure, encrypted data. Decrypting data encrypted in this fashion requires a public key and a private key. The investigator might find the private key on the suspect's machine or backed up to removable media. Similarly, the investigator might find the public key recorded somewhere on the computer in case it is forgotten or written down and kept in a nearby location.

A number of different encryption algorithms are used in information technology systems. Algorithms differ in their strength. Some are more able than others to resist attempts to bypass or breach the encryption. The U.S. National Institute of Standards and Technology (NIST) is a measurement standards laboratory in the U.S. Department of Commerce. According to its Web site, NIST's mission is "to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life." NIST certifies the integrity and robustness of encryption algorithms. All federal systems must use NIST-certified encryption algorithms. Many other organizations also choose to use these algorithms.

For more information on NIST, see http://www.nist.gov.

It is very unlikely that information that has been encrypted using a NIST-certified algorithm can be decrypted without the decryption key. Thus, when hackers and forensic specialists encounter an encrypted file, they first try to determine what encryption algorithm has most likely been used. If a NIST-certified algorithm was used, the hacker or forensic specialist focuses on determining the encryption key.

Some of the most commonly used applications provide encryption protected by passwords. These products—such as word processing and spreadsheet software—use algorithms that are not NIST certified. Investigators who have the right tools and the time to use them can defeat the passwords used in these products. It is possible to compromise these products by using widely available software.

Phil Zimmermann invented Pretty Good Privacy (PGP), a widely used encryption program, more than a decade ago. Of the 1.8 billion people using the Internet today, about 113 million use PGP to encrypt e-mail. Another 400 million use other forms of encryption. PGP is also used for whole-disk or file-level encryption. PGP uses two keys and a NIST-certified algorithm. It makes encrypted data practically impossible to decipher without the appropriate key.

Encryption is now one of the most common controls for protecting information both when stored and in transit. For example, the Internet uses encrypted protocols—HTTPS and TLS—to secure financial transactions over the Web.

Problems with Encryption

Encryption has two basic problems:

  • Key management—Encryption users must retain the encryption key. Without the key, the scrambled information usually can't be decrypted. To avoid losing the key, encryption users often "hide" the encryption key on a note in their wallet or desk. Anyone who has physical access to the user's wallet or desk can copy the key and use it to decrypt the information. Just as users often create weak passwords that they can easily remember, they often create weak encryption keys that are easy to remember. Unfortunately, others who know something about these users can often guess the keys. Further, hackers have developed sniffers—software that captures keystrokes as they are entered and transmits those keystrokes to a hacker. A hacker who has physical access to a computer can generally install a sniffer to collect encryption keys and passwords. Once the sniffer collects and transmits this information to the hacker, the hacker has access to the user's encrypted information. The hacker could even change the encryption key and deny the user access to his or her own information.

  • Key distribution—Encryption is often used to protect information that is shared among multiple users. Everyone who is to share the information must have the decryption key. However, distributing the key to these individuals means multiple machines can decrypt messages. This creates a vulnerability.

These two problems with encryption don't help just hackers. Forensic specialists can also take advantage of them. For example, a forensic specialist who has the appropriate legal authorization could plant a sniffer and covertly collect any needed passwords. In addition, the forensic specialist could retrieve a key from any of the individuals sharing encrypted information.

Security and Wireless Technologies

Your PDA contains a lot of personal information. The more you use your PDA, the greater the chance that a thief could extract data that accurately reflects and tells a story about you. Recognizing the potential vulnerabilities of PDAs, government and major commercial organizations generally require that all PDAs use encrypted storage and transmissions. Protecting PDA data from thieves and attackers, however, also poses obstacles for forensic specialists.

Most forensic acquisitions focus on performing a bit-by-bit copy of the original media. The examiner then compares the unique cryptographic signatures of the original and the copy to ensure that they match. This process is well established in traditional hard drive-based computer forensics. Hard drives can be removed, and many computers can start in special read-only forensic environments. However, the process for mobile devices is quite challenging. With mobile devices such as smartphones, the primary memory is typically not removable. In addition, mobile devices have limited operating systems and cannot boot into a forensic environment. To perform forensics on mobile devices, forensic specialists make both logical and bit-by-bit copies. They read data from removed memory cards as well as subscriber identity module (SIM) cards.
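The bit-stream copy and signature comparison described here, in the Evidence Preservation section earlier, and in the documentation requirement, can be shown together in one added example that is not from the chapter. It copies a constructed block of "media" bytes, hashes the original and the copy with SHA-256, records the result in a chain-of-custody entry, and verifies the image again later; a single flipped byte in the image makes the later verification fail. The examiner name, item identifier, and media contents are constructed values.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, examiner: str, item_id: str) -> dict:
    """Make a bit-for-bit copy of the source media, hash both, and build
    the acquisition record that goes into the chain-of-custody log."""
    image = bytes(source)  # the bit-stream copy
    record = {
        "item_id": item_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(source),
        "sha256_source": sha256_hex(source),
        "sha256_image": sha256_hex(image),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return {"image": image, "record": record}


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash an image later (before analysis, or for court) and confirm
    it still matches the signature recorded at acquisition."""
    return (len(image) == record["size_bytes"]
            and sha256_hex(image) == record["sha256_image"])


def custody_entry(record: dict, action: str, handled_by: str) -> str:
    """One JSON line for the chain-of-custody log: who did what, when,
    and the hash the item carried at that moment."""
    entry = dict(record, action=action, handled_by=handled_by,
                 logged_utc=datetime.now(timezone.utc).isoformat())
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    media = b"\x00" * 64 + b"constructed evidence bytes" + b"\xff" * 64
    acq = acquire_image(media, examiner="J. Examiner", item_id="ITEM-0001")
    print(custody_entry(acq["record"], "acquired", "J. Examiner"))
    tampered = bytearray(acq["image"])
    tampered[0] ^= 0x01  # a single changed bit
    print("intact:", verify_image(acq["image"], acq["record"]),
          "tampered:", verify_image(bytes(tampered), acq["record"]))
```

For a physical drive the source would be read through a write blocker and the image written to a separate file; the hashing and logging steps are the same, and the recorded hash is what lets a court accept that the analyzed copy equals the seized original.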

Note

The top three tools for forensics on wireless devices are Cellebrite's UFED, Paraben's Device Seizure, and the Zdziarski technique. These tools are discussed later in this chapter.

The following sections look, in particular, at forensics for Apple iPhones and BlackBerry smartphones.

Forensics on iPhones

Apple introduced the iPhone in 2007. Since then, the iPhone has become the most commonly used smartphone. Therefore, the iPhone can be expected to play a role in many system forensics cases. The active iPhone hacking community has yielded research and tools that support forensic investigations.

Tip

Anyone performing forensic analysis on an iPhone should download the iPhone software development kit (SDK). The SDK is free to download after registration.

According to Andrew Hoog and Kyle Gaffaney in their iPhone Forensics white paper, an investigator can use several approaches to acquire and analyze information from iPhones. As with any other forensic investigation, with iPhone forensics, it's important not to modify the source information in any manner. If it is impossible to eliminate all modifications, an investigator must detail the changes and the reasons they were necessary.

Investigators use the following techniques in iPhone forensics:

  • Acquire data directly from the iPhone—An iPhone synchronizes with a particular computer so that the information on the phone and on that computer stay the same. When possible, an investigator should recover files from the suspect iPhone itself rather than from the computer with which it was synchronized, because the phone holds the current state and may contain data that was never synchronized. The analyst must document how the iPhone was obtained and whether it has been modified in any way. For example, iPhones are often "unlocked" to permit their use on carriers other than the one they were sold for, and unlocking changes the device's software.

  • Acquire a backup or logical copy of the iPhone file system, using Apple's protocol—The investigator reads files from the suspect iPhone using the same synchronization protocol that iTunes uses. Rather than relying only on what the backup presents, the investigator can query the copied databases (the SQLite files that hold messages, mail, and call history) directly and generally recover more information, such as deleted text messages and e-mail messages that are no longer visible in the live application.

  • Make a physical bit-by-bit copy—An investigator creates a physical, bit-by-bit copy of the file system. This process is the closest to the approach taken in PC forensic investigations and recovers the most data, including deleted files and unallocated space. However, on an iPhone it is complicated and requires the investigator to modify the system partition of the device, a change that must be recorded in the case notes.
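The second technique's point, that querying the copied databases recovers records the application no longer shows, comes down to how SQLite deletes rows: unless secure deletion is enabled, a deleted row's bytes stay in the page's free space until the space is reused. The following is an added example, not code from the white paper or from Apple: it builds a small constructed message table (the column layout is an assumption for the demonstration, not Apple's real sms.db schema), deletes one message, and then contrasts what a logical query returns with what a physical read of the file still contains. The messages are constructed sample data.

```python
import os
import re
import sqlite3
import tempfile

# Constructed table standing in for a phone's message store. The column
# layout is an assumption for this example, not Apple's real sms.db schema.
SCHEMA = "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, text TEXT, date INTEGER)"

# Constructed sample messages (not real data).
MESSAGES = [
    ("+15550100", "running late, start without me", 1268000000),
    ("+15550123", "meet at the north pier at midnight, bring the drive", 1268003600),
    ("+15550100", "ok see you there", 1268004000),
]
DELETED_TEXT = MESSAGES[1][1]
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def build_sample_db(path):
    """Create the store, insert the messages, then delete the second one."""
    con = sqlite3.connect(path)
    # OFF is the usual default; it is set explicitly so the example is reproducible.
    # With secure_delete ON, SQLite zeroes freed cells and there is nothing to carve.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO message (address, text, date) VALUES (?, ?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    con.commit()
    con.close()


def logical_texts(path):
    """What the application (and a logical backup) shows: live rows only."""
    con = sqlite3.connect(path)
    rows = [row[0] for row in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return rows


def carve_strings(path):
    """Printable runs anywhere in the raw file, freed cells included."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(raw)]


def deleted_candidates(path):
    """Carved runs that belong to neither a live row nor the database's own metadata."""
    known = list(logical_texts(path)) + ["SQLite format 3"]
    con = sqlite3.connect(path)
    for typ, name, tbl_name, sql in con.execute("SELECT type, name, tbl_name, sql FROM sqlite_master"):
        known += [typ + name + tbl_name, sql or ""]
    con.close()
    return [run for run in carve_strings(path)
            if not any(k and (k in run or run in k) for k in known)]


def search_raw(path, keyword):
    """Keyword search at the physical level: byte offsets of every occurrence."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.start() for m in re.finditer(re.escape(keyword.encode("ascii")), raw)]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "message.db")
        build_sample_db(path)
        return {"live": logical_texts(path),
                "carved": deleted_candidates(path),
                "offsets": search_raw(path, "north pier")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The carved run carries the adjacent address field in front of the message text, because SQLite stores a row's columns back to back with no separator; that is normal and is one reason an examiner checks recovered fragments against the table's column order before reporting them. A database that has been vacuumed, or that was created with secure deletion on, will not yield anything this way.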

Note

One key consideration for an iPhone forensic tool is how it handles an iPhone that has a pass code set. Different products have different strategies for this situation, each with benefits and drawbacks.

Forensics on BlackBerry Smartphones

As with other devices, on a BlackBerry, deletion doesn't totally remove data from the device. However, the BlackBerry's always-on, wireless push technology adds a unique dimension to forensic examination. Changing and updating data does not require desktop synchronization, so the contents of a powered-on device in radio range can change while it is in the examiner's hands. The device should be isolated from the network before examination begins.

Michael W. Burnette, in Forensic Examination of a RIM (BlackBerry) Wireless Device, detailed several data-collection techniques. To collect evidence from a BlackBerry, a forensic specialist's examination includes the following processes:

  • Gathering logs—Unlike with a PC, the examination of a smartphone begins by reviewing logs on the original unit. The logs are not reached through the standard user interface; the investigator reviews them using hidden control functions on the device. Only after examining the logs does the specialist apply the programmer's SDK.

  • Imaging and profiling—A system forensics specialist often must create a bit-by-bit backup image. The investigator does this with an SDK utility that dumps the contents of the flash memory into a file, which can then be examined with a hex editor. The program loader is used to take the image and to perform most of the inspection. Each run of the program loader resets the device, and a reset can trigger a file system cleanup that purges deleted records. Therefore, the imaging step itself risks changing the file system and spoiling the data; the logs should be gathered first and the number of program loader runs kept to a minimum.

  • Evidence review—Two options are available for reviewing the information in the hex dump. The investigator can manually review the file with a hex editor, or load it into the BlackBerry SDK simulator. The hex editor provides access to the entire file system, including deleted or dirty records. The SDK, in turn, lets the specialist decode the dates on records, which are stored in a format the hex editor does not interpret.

To simplify programming, the BlackBerry file system is abstracted to appear as a database to most of the available application programming interfaces (APIs). This abstraction hides a complicated system of file management. Under the hood of the BlackBerry is standard flash memory used to store all nonvolatile data.

Data can be hidden on a BlackBerry in several different ways, including using hidden databases and partition gaps. Custom-written databases with no icon in the graphical user interface (GUI) are capable of providing hidden data transport. A hacker could write a program that utilizes a database accessible only through device synchronization. The average user or uninformed investigator doesn't know about this hidden database. However, it is possible to install a database reader to see all databases on the unit. An investigator can thus thwart a hacker in such a case.

Firewall Forensics

Many companies and individuals use firewalls to protect system resources from attack. A firewall is a set of hardware and software components that intercept and check network traffic for potential threats. Figure 5-5 shows an example of a firewall. Networks almost always use firewalls to protect against attacks that originate outside the network. With increasing frequency, organizations are using firewalls to protect against attacks that originate within the network.

Most of the traffic passing through a firewall belongs to a connection. A connection is identified by two Internet Protocol (IP) addresses and two port numbers, together with the transport protocol (TCP or UDP); the destination port of the first packet usually indicates the service being requested. When a firewall blocks a connection attempt, it records the source and destination addresses and ports in its log file. This section describes the meaning of the port-number ranges and explains how to avoid some of the pitfalls in reading them.

Port numbers are divided into three ranges:

  • Well-known ports—The well-known ports are those from 0 through 1023. Usually, traffic on one of these ports clearly indicates the protocol for that service. For example, port 80 almost always indicates Hypertext Transfer Protocol (HTTP) traffic.

  • Registered ports—The registered ports are those from 1024 through 49151. They are loosely bound to services, which means that although numerous services are "bound" to these ports, these ports are also used for many other purposes that have nothing to do with the official servers.

  • Dynamic ports—The dynamic, or private, ports are those from 49152 through 65535. In theory, no service should be assigned to these ports. In reality, operating systems differ: many systems begin assigning ephemeral (client-side) ports at 1024, and Sun's Solaris starts its Remote Procedure Call ports at 32768, so the source-port range actually seen in a log depends on the operating system of the source.

Connection attempts against the same set of ports from widely varying sources all over the Internet are usually a "decoy" scan: one of the sources is the attacker, and the others are spoofed addresses the scanner inserts to hide it. A system forensics specialist can use protocol analysis to single out the real source. For example, the specialist can ping each of the apparent sources and compare the time to live (TTL) field in each reply with the TTL recorded for that source's connection attempts. The TTL of the genuine source should match, because its packets traveled the same path, while the spoofed sources, whose real hosts sit at different distances, will not. Newer scanners randomize the TTL of each probe, which makes this check less reliable.

A system forensics specialist can also look further back in the logs for activity from the decoy addresses or their subnets. The specialist is likely to find that the real attacker has connected recently, while the decoyed addresses have not.
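The two checks described above (grouping blocked attempts by the set of ports they hit, then comparing logged TTLs against ping replies and looking for earlier legitimate traffic) are routine enough to script. The following is an added example, not code from the book or from any firewall product: it parses constructed iptables-style log lines, classifies each destination port into the three IANA ranges, groups sources that probed exactly the same ports, and ranks the members of each group by whether their ping TTL matches the logged one and whether they have an accepted connection elsewhere in the log. The log lines and the ping results are constructed sample data; in practice the `PING_TTLS` table would be filled from real ping output.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log (sample data, not a real capture).
# Four sources probe the same three ports with identical TTLs, the decoy-scan
# pattern; one earlier ACCEPT line and one unrelated DROP are included so the
# filters have something to ignore.
FIREWALL_LOG = """\
Mar 10 09:12:01 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=51202 DPT=443
Mar 10 09:40:11 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40001 DPT=22
Mar 10 09:40:11 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40002 DPT=22
Mar 10 09:40:11 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40003 DPT=22
Mar 10 09:40:11 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40004 DPT=22
Mar 10 09:40:12 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40001 DPT=23
Mar 10 09:40:12 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40002 DPT=23
Mar 10 09:40:12 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40003 DPT=23
Mar 10 09:40:12 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40004 DPT=23
Mar 10 09:40:13 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40001 DPT=3389
Mar 10 09:40:13 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40002 DPT=3389
Mar 10 09:40:13 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40003 DPT=3389
Mar 10 09:40:13 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 TTL=54 PROTO=TCP SPT=40004 DPT=3389
Mar 10 10:02:45 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 TTL=110 PROTO=TCP SPT=1057 DPT=445
"""

# TTL seen in the ICMP echo reply when each apparent source was pinged from the
# firewall. Constructed values standing in for real `ping` output.
PING_TTLS = {"203.0.113.5": 54, "198.51.100.77": 47, "192.0.2.33": 118, "203.0.113.200": 241}

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"TTL=(?P<ttl>\d+) PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))? DPT=(?P<dpt>\d+)")


def port_range(port):
    """IANA range of a port number, as used when reading firewall logs."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"not a valid port: {port}")


def parse_log(text):
    """Turn log lines into dicts; lines the pattern does not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ttl"], ev["dpt"] = int(ev["ttl"]), int(ev["dpt"])
        ev["range"] = port_range(ev["dpt"])
        events.append(ev)
    return events


def find_decoy_groups(events, min_sources=2):
    """Group blocked sources by the exact set of destination ports they hit."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["action"] == "DROP":
            ports_by_src[ev["src"]].add(ev["dpt"])
    by_portset = defaultdict(list)
    for src, ports in ports_by_src.items():
        by_portset[frozenset(ports)].append(src)
    return [(sorted(ports), sorted(srcs))
            for ports, srcs in by_portset.items() if len(srcs) >= min_sources]


def rank_sources(srcs, events, ping_ttls):
    """Score each apparent source: does its ping TTL match the logged TTL, and has it
    connected legitimately elsewhere in the log? Best candidate for the attacker first."""
    rows = []
    for src in srcs:
        logged = {ev["ttl"] for ev in events if ev["src"] == src and ev["action"] == "DROP"}
        prior = sum(1 for ev in events if ev["src"] == src and ev["action"] == "ACCEPT")
        ping = ping_ttls.get(src)
        rows.append({"src": src, "logged_ttls": sorted(logged), "ping_ttl": ping,
                     "ttl_match": ping is not None and ping in logged,
                     "prior_accepts": prior})
    rows.sort(key=lambda r: (r["ttl_match"], r["prior_accepts"]), reverse=True)
    return rows


if __name__ == "__main__":
    evs = parse_log(FIREWALL_LOG)
    for ports, srcs in find_decoy_groups(evs):
        print("ports probed:", [(p, port_range(p)) for p in ports])
        for row in rank_sources(srcs, evs, PING_TTLS):
            print(row)
```

The TTL comparison is only as good as the paths involved: a reply that comes back over an asymmetric route, or from a host whose operating system uses a different initial TTL than the scanner did, can be a few hops off, so a near miss is a reason to look at the prior-activity evidence rather than a verdict on its own.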


Figure 5-5. A firewall.

Commonly Used System Forensics Tools

The following sections look at a few system forensics tools used especially in military and law enforcement but also in business. For a more complete list of forensic software and hardware products, see Chapter 15, "System Forensics Resources."

EnCase

EnCase from Guidance Software is a well-known forensic tool. This commercial software package has the ability to make bit-level images and then mount them for analysis. EnCase preview mode allows a forensic investigator to use a null modem cable or Ethernet connection to view data on the subject machine without changing anything. Guidance Software states that it is impossible to make any alterations to the evidence during this process. Many law enforcement groups around the world use EnCase.

For information on EnCase, see http://www.guidancesoftware.com.

Forensic Toolkit (FTK)

FTK from AccessData takes a snapshot of an entire disk drive and then makes a bit-level copy for analysis. FTK has many features and is easy to use. FTK is a good all-in-one forensic tool. It includes features such as registry viewing, in-depth easy-to-read logging, easy-to-use standalone disk imaging, and direct e-mail and zip file analysis. FTK is a great forensic analysis tool for those who are just starting to learn about forensics or do not have the time to invest in many different expensive tools.

For information on FTK, see http://www.accessdata.com/forensictoolkit.html.

Helix

Helix is a customized Linux live CD used for computer forensics and computer security response. The collection of tools included with Helix is a virtual toolbox to analyze a computer system. The software is free.

For information on Helix, see http://www.e-fense.com/products.php

AnaDisk Disk Analysis Tool

AnaDisk from NTI turns a PC into a sophisticated floppy disk analysis tool. The software was originally created to meet the needs of the U.S. Treasury Department in 1991. AnaDisk scans for anomalies that identify odd formats, extra tracks, and extra sectors. It can be used to uncover sophisticated data-hiding techniques that rely on areas of the diskette the operating system never reads.

AnaDisk supports all DOS formats and many non-DOS formats, such as Apple Macintosh and UNIX TAR. If a diskette will fit in a PC floppy drive, it is likely that AnaDisk can be used to analyze it.

For information on AnaDisk, see http://www.forensics-intl.com/anadisk.html.

CopyQM Plus Disk Duplication Software

CopyQM Plus from NTI essentially turns a PC into a floppy disk duplicator. In a single pass, it formats, copies, and verifies a disk. This capability is useful for system forensics specialists who need to preconfigure diskettes for specific uses and duplicate them.

In addition, CopyQM Plus can create self-extracting executable programs that can be used to duplicate specific disks. CopyQM is an ideal tool for use in security reviews because once a CopyQM disk-creation program has been created, anyone can use it to make preconfigured security risk assessment disks. When the resulting program is run, the disk image of the original disk is restored on multiple disks automatically. The disk images can also be password-protected when the disk images are converted to self-extracting programs. This is helpful when security is a concern, such as when disks are shared over the Internet. CopyQM Plus is particularly helpful in creating computer incident response toolkit disks.

CopyQM Plus supports all DOS formats and many non-DOS formats, such as Apple Macintosh and UNIX TAR. It copies files, file slack, and unallocated storage space. However, it does not copy all areas of copy-protected disks, such as extra sectors added to one or more tracks on a diskette; AnaDisk should be used for that purpose.

For information on CopyQM Plus, see http://www.forensics-intl.com/copyqm.html.

TextSearch Plus

TextSearch Plus from NTI was designed for speed and accuracy in security reviews and is government tested for use in classified environments. NTI reports that it is used by hundreds of law enforcement computer crime units, several government military and intelligence agencies, and numerous Fortune 500 corporations.

TextSearch Plus is used to quickly search hard disk drives and other media for keywords or specific patterns of text. It operates at either a logical or physical level. It can quickly search huge hard disk drives. TextSearch Plus is primarily used to find occurrences of words or strings of text in data stored in files, file slack, and unallocated file space. It can identify data leakage of classified information on nonclassified computer systems. It can also be used in internal audits to identify violations of corporate policy.

TextSearch Plus can be used on Windows XP, Vista, and 7. NTI's tests indicate that the tool finds more text strings than other forensic search tools, in part because it searches file slack and unallocated space as well as allocated files. It is sold as a standalone tool and is also included in several of the NTI tool suites. As a standalone tool, it is well suited to security risk assessments.

For information on TextSearch Plus, see http://www.forensics-intl.com/txtsrchp.html.

Filter_G Intelligent Forensic Filter

The Filter_G forensic filter utility from NTI is used to quickly make sense of nonsense. Forensic specialists can use it to analyze ambient data sources, such as Windows swap files, file slack, and data associated with erased files. Filter_G is a unique fuzzy logic filter. It can quickly identify patterns of English language grammar in ambient data sources and identify English language communications in erased file space. It is used as a data sampling tool in law enforcement, military, and corporate investigations.

Filter_G is DOS based for speed. It can be operated in batch mode with other forensic tools and processes.

For information on Filter_G, see http://www.forensics-intl.com/filter_g.html.

UFED

Cellebrite's UFED is a standalone device capable of acquiring data from mobile devices. It can store the information it acquires on a USB drive, flash memory card, or PC. The UFED package ships with about 70 cables for connecting to most mobile devices available today. It uses a number of connection protocols, including serial, USB, infrared, and Bluetooth. A forensic investigator can use UFED in a lab or in the field.

UFED has a built-in SIM card reader and cloner. An investigator can create a clone of the original SIM card's identifiers and insert the clone into the handset in place of the original. The handset then boots and behaves normally, but because the clone cannot authenticate to the carrier's network, the device stays offline during the examination and cannot receive new messages or a remote wipe command that would alter the evidence.

The UFED Report Manager has an intuitive interface. It allows an investigator to print a report or to export data into Excel, Outlook, Outlook Express, or comma-separated values (CSV) files. The UFED device can process phones with any language enabled.

Cellebrite UFED is simple to use and easy to update. It performs data acquisitions quickly and is portable. The firmware is updated often to support new phones and functionality.

For information on Cellebrite's UFED, see http://www.cellebrite.com/=UFED-Standard-Kit.html.

Device Seizure

Paraben's Device Seizure (DS) is a forensic software tool for use with mobile devices. It can acquire data from more than 2,200 devices, including phones, PDAs, and global positioning system (GPS) devices. DS runs on Microsoft Windows. It is designed to support the full acquisition and investigation process. DS provides the ability to recover deleted files and other important information.

Note

Paraben's SIM Card Seizure allows an analyst to read or clone a SIM card. This product does not ship with DS but can be purchased separately.

A forensic specialist can use DS to acquire data, view data in several formats, and bookmark important data. The tool also allows an investigator to export data and run various reports. The acquisition and reporting processes are fast and thorough. The user interface for subsequent analysis is also quite mature and provides more features than most other tools.

Paraben offers certification for handheld forensics. Paraben Certified Mobile Examiners (PCMEs) attend three levels of training covering multiple tools, theory, and practical application. To learn more, see http://www.paraben-training.com/pcme.html.

For information on Paraben's DS, see http://www.paraben.com/catalog/product_info.php?cPath=25&products_id=405.

The Zdziarski Technique

Jonathan Zdziarski is a research scientist for McAfee, Inc. In addition, he is well known in the iPhone community as a significant contributor to research on the iPhone and iPod Touch. Zdziarski has authored many utilities and devised many methods to open the iPhone's platform to the open source community.

Zdziarski has created a forensic technique for iPhones. His method provides a way to make a bit-by-bit copy of the original media. By analyzing the image this method provides, an examiner can discover a wealth of information that other tools can't provide. In addition, an investigator can use the Zdziarski technique along with standard hard drive-based forensic analysis tools and approaches.

Zdziarski's method requires modifying a read-only system partition to make the bit-by-bit copy. This partition remains isolated from the partition containing user data. The technique therefore modifies the system partition only and preserves the user partition. Zdziarski's process is more reliable and complete than other approaches. It provides access to the raw disk images and allows the examiner to bypass any security added on the iPhone, such as a user pass code.

Jailbreaking is a hacking process in which the iPhone firmware is modified to allow third-party applications to be installed or the device to be unlocked. The jailbreaking process writes to the user data partition and is therefore forensically unsound. Zdziarski's procedure, on the other hand, operates only on the read-only system partition. Unlike jailbreaking, it does not install additional software or modify the user data partition.

CHAPTER SUMMARY

Law enforcement and military agencies have used system forensics since the mid-1980s. System forensics is relatively new to the private sector, but it's a quickly growing field. Investigators use system forensics tools and methodologies to identify and document computer evidence associated with a variety of computer abuses and activities.

This chapter discusses specific system forensics technologies that are used by computer specialists in the military, law enforcement, and business. It also describes some of the forensic tools that are most commonly used in these three sectors.

KEY CONCEPTS AND TERMS

  • Ambient computer data

  • Black-box system forensics software tools

  • Compression

  • Connection

  • Department of Defense (DoD)

  • DoD Cyber Crime Center (DC3)

  • File slack

  • Firewall

  • Flash memory media

  • Fuzzy logic tool

  • Graphical user interface (GUI)

  • Honeypot

  • Host protected area (HPA)

  • Jailbreaking

  • Master boot record (MBR)

  • Pretty Good Privacy (PGP)

  • Public-key cryptography

  • Unallocated space

  • Unused space

CHAPTER 5 ASSESSMENT

  1. The _________ is the department of the U.S. federal government that coordinates and supervises agencies and functions of the government related to national security and the U.S. armed forces.

  2. What is the name of the organization that is involved with DoD investigations that require computer forensics support to detect, enhance, or recover digital media?

    1. U.S. Army

    2. U.S. law enforcement

    3. DoD Digital Media Center (DDMC)

    4. DoD Cyber Crime Center (DC3)

  3. Law enforcement agencies do not have to be as careful as corporations about preserving evidence.

    1. True

    2. False

  4. It is almost impossible to use forensic technologies to find evidence on flash memory media.

    1. True

    2. False

  5. Which of the following is the process of encoding information using fewer bits than the unencoded information would use?

    1. Compression

    2. Encryption

    3. Decryption

    4. Jailbreaking

  6. A _________ is a tool used to identify unknown strings of text by searching for values between "completely true" and "completely false."

  7. Which of the following is the name for the process of making data unreadable to anyone except those who have the correct key?

    1. Compression

    2. Encryption

    3. Decryption

    4. Jailbreaking

  8. Port numbers are divided into three ranges. Which of the following is not one of the ranges?

    1. Well-known ports

    2. Open ports

    3. Registered ports

    4. Dynamic ports

  9. Which of the following is a good forensic analysis tool for those who are just starting to learn about forensics or do not have the time to invest in many different expensive tools?

    1. EnCase

    2. FTK

    3. AnaDisk

    4. TextSearch Plus

    5. Filter_G

  10. _________ is a commercial software package that has the ability to make bit-level images and then mount them for analysis.

  11. Which of the following commonly used system forensics tools is utilized primarily to scan for anomalies that identify odd formats, extra tracks, and extra sectors?

    1. EnCase

    2. FTK

    3. AnaDisk

    4. CopyQM Plus

    5. Filter_G

  12. Which of the following commonly used system forensics tools can quickly search hard disk drives, zip disks, and CDs for keywords or specific patterns of text?

    1. AnaDisk

    2. CopyQM Plus

    3. TextSearch Plus

    4. Filter_G

  13. Which of the following commonly used system forensics tools is a fuzzy logic tool employed for data sampling?

    1. AnaDisk

    2. CopyQM Plus

    3. TextSearch Plus

    4. Filter_G

  14. Which of the following forensic tools is a standalone device capable of acquiring data from mobile devices?

    1. UFED

    2. Device Seizure

    3. The Zdziarski technique

    4. EnCase

  15. Unlike jailbreaking, which of the following does not install any additional software or modify the user data partition in any way?

    1. UFED

    2. Device Seizure

    3. The Zdziarski technique

    4. EnCase
