Chapter 1. System Forensics Fundamentals

NUMEROUS ELECTRONIC DEVICES are commonly used today. These devices include computers, global positioning system (GPS) receivers, personal digital assistants (PDAs), and mobile phones. Electronic devices record aspects of our lives and activities. An increasing number of conflicts and crimes exploit the data on these devices. Electronic evidence and information gathering have therefore become important issues. Collecting, preserving, analyzing, documenting, and presenting digital evidence are all facets of the field of system forensics.

System forensics can be studied several ways. For example, it can be studied by operating system, such as Windows, Macintosh, or UNIX. It can also be studied by the source and type of evidence collected. This book looks at system forensics in a step-by-step manner. Later chapters address topics such as collecting and protecting evidence, investigating information-hiding techniques, and recovering data. This book also covers special cases, such as investigating e-mail, performing network forensics, and working with memory in real time.

This chapter discusses the fundamentals of system forensics. It begins by providing an overview of forensics. Then it discusses how computers are used in crimes, the role of forensic specialists, evidence, and application of forensic analysis skills.

Understanding System Forensics

Technological advances have resulted in a modern form of crime. Computer crime, or cybercrime, is criminal activity that pertains to any of the following:

  • Wrongfully taking information

  • Causing damage to information

  • Causing an information system or resources to be unavailable to authorized users when needed

To combat cybercrime, computer and law enforcement professionals have developed new areas of expertise. They have also invented new avenues for collecting and analyzing evidence. This has developed into the science of system forensics. The process of acquiring, examining, and applying digital evidence is crucial in prosecuting a cybercriminal.

System forensics was originally called computer forensics because it focused on hard drives and storage devices. Today, system forensics is also referred to as digital forensics, computer forensics analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination. System forensics is the process of methodically examining computer media as well as network components, software, and memory for evidence. A forensic investigator is likely to look for evidence on hard disks, tapes, compact disks (CDs) and other optical disks, flash drives, and other media. A skilled system forensics specialist may be able to conduct a thorough analysis to reconstruct a user's activities on a single device or across a network or the Internet. As discussed later in this chapter, system forensics now includes a number of specialties.

Note

The term computer forensics was coined in 1991, in the first training session held by the International Association of Computer Investigative Specialists (IACIS) in Portland, Oregon. Since then, computer forensics has become a popular topic in computer security circles and in the legal community.


Figure 1-1. System forensics applies to all seven domains of a typical IT infrastructure.

A system forensics specialist uses evidence to reconstruct past events or activities. Forensic specialists also use evidence to gain a better understanding of a crime. They may use it to show possession and handling of digital data. They may use it as well to show use or abuse of information technology (IT) infrastructure and services and to prove policy violations or illegal activity.

System forensics applies to all the domains of a typical IT infrastructure, from the User Domain and Remote Access Domain to the Wide Area Network (WAN) Domain and Internet Domain. (See Figure 1-1.)

Who Uses Forensics?

Forensics is important to many professions and organizations. The following are some examples:

  • Law enforcement—Law enforcement uses forensics to gather digital evidence for a variety of crimes. These crimes include child pornography, fraud, terrorism, extortion, cyberstalking, money laundering, forgery, and identity theft. Forensic specialists can help law enforcement personnel prepare search warrants and handle computer equipment that has been seized.

  • The military—The military uses forensics to gather intelligence information from computers captured during military actions.

  • Government agencies—Government agencies use forensics to investigate crimes involving computers. These agencies include the Federal Bureau of Investigation (FBI), the U.S. Postal Inspection Service, the Federal Trade Commission, and the U.S. Secret Service. They also include the U.S. Department of Justice's National Institute of Justice (NIJ), the National Institute of Standards and Technology (NIST) Office of Law Enforcement Standards (OLES), and the Department of Homeland Security.

  • Law firms—Law firms need experienced system forensics professionals to conduct investigations and testify as expert witnesses. For example, civil cases can use records found on computer systems that bear on cases involving fraud, divorce, discrimination, and harassment.

  • Criminal prosecutors—Criminal prosecutors use digital evidence when working with incriminating documents. They try to link these documents to crimes such as drug trafficking, embezzlement, financial fraud, homicide, and child pornography.

  • Academia—Academia is involved with forensic research and education. For example, many universities offer degrees in digital forensics and online criminal justice.

  • Data recovery firms—Data recovery firms use digital forensics techniques to recover data after hardware or software failures and when data has been lost.

  • Corporations—Corporations use digital forensics to assist in employee termination and prosecution. For example, corporations sometimes need to gather information concerning theft of intellectual property or trade secrets, fraud, embezzlement, sexual harassment, and network and computer intrusions. They also need to find evidence of unauthorized use of equipment, such as computers, fax machines, answering machines, PDAs, and mobile phones.

  • Insurance companies—Insurance companies can sometimes reduce costs by using digital evidence of possible fraud in accident, arson, and workers' compensation cases.

  • Individuals—Individuals sometimes hire forensic specialists in support of possible claims. These cases may include, for example, wrongful termination, sexual harassment, or age discrimination.

The objective in system forensics is to recover, analyze, and present computer-based material in such a way that it can be used as evidence in a court of law. In system forensics, as in any other branch of forensic science, the emphasis must be on the integrity and security of evidence. A forensic specialist must adhere to stringent guidelines and avoid taking shortcuts.

Computers can be involved in both white-collar and violent crimes. The FBI recently conducted a survey to determine where it was focusing its system forensics efforts. The survey found that 79 percent of the FBI's workload is focused on white-collar crime. This type of crime includes health care fraud, government fraud such as erroneous Internal Revenue Service and Social Security benefit payments, and financial institution fraud. Technology makes these high-dollar crimes easy. The other 21 percent of the FBI's forensic workload is focused on violent crime. This type of crime includes child pornography, interstate theft, organized crime such as drug dealing, counterterrorism, and national security.

Computer crime is widespread and has infiltrated areas unimaginable just a few years ago. In 1985, the FBI investigated zero cases of computer crime. In 2008, it investigated nearly 52,000 cases. The FBI's caseload is no doubt even higher today. The number of FBI system forensics personnel has gone from a few part-time scientists to thousands of personnel. These personnel work in and with Regional Computer Forensics Laboratories (RCFLs) throughout the country. Technology has made system forensics an important field.

How Computers Are Used in Crimes

According to http://www.internetworldstats.com/stats.htm, more than 1.8 billion Internet users worldwide were online in mid-2010. This means a lot of data interchange. Unfortunately, many small businesses and even large organizations do not properly protect their sensitive data. In this way, they leave the door open to cybercriminals.

Many crimes today involve the use of computers and networks. According to Judd Robbins, a computer forensics expert, a computer or another device can play one of three roles in a computer crime:

  • It can be the target of the crime.

  • It can be the instrument of the crime.

  • It can be an evidence repository that stores valuable information about the crime.

In some cases, a computer can have multiple roles. It can be the instrument of a crime and also serve as a file cabinet that stores critical evidence. For example, an attacker may use a computer as a tool to break into another computer and steal files. The attacker may then store the stolen files on the computer used to perpetrate the theft. When investigating a case, it is important to know what roles a computer played in the crime and then tailor the investigative process to those roles.

Applying information about how a computer was used in a crime also helps when searching a system for evidence. If a computer was used to hack into a network password file, the investigator should look for password-cracking software and password files. If a computer was the target of a crime, such as an intrusion, the investigator should check audit logs and look for unfamiliar programs.
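
Checking audit logs on a host that was the target of an intrusion, as an added example rather than anything from this book: the script below parses a constructed sample of an sshd authentication log (the lines are made up for illustration and use documentation address ranges) and flags any source address that fails repeatedly and then succeeds, which is the trace that password guessing leaves behind. The function names and the failure threshold are choices made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of an sshd authentication log (made-up lines; documentation IP ranges).
AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 02:14:03 web01 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 02:14:05 web01 sshd[4130]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 02:14:09 web01 sshd[4137]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 02:14:12 web01 sshd[4140]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar  3 02:14:15 web01 sshd[4140]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 09:02:44 web01 sshd[5210]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Mar  3 09:30:10 web01 sshd[5301]: Failed password for deploy from 198.51.100.20 port 40180 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_events(text):
    """Return one dict per login attempt; lines that are not attempts are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_guessing_then_login(events, threshold=3):
    """Flag each source address that fails `threshold` or more times and then
    succeeds. Counting is per address and in log order; the counter resets
    after a success so a later, separate burst is judged on its own."""
    failures = defaultdict(int)
    findings = {}
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= threshold and ip not in findings:
            findings[ip] = {
                "failed_attempts": failures[ip],
                "user": ev["user"],
                "method": ev["method"],
                "logged_in_at": ev["ts"],
            }
        failures[ip] = 0
    return findings


if __name__ == "__main__":
    for ip, f in find_guessing_then_login(parse_auth_events(AUTH_LOG)).items():
        print(f"{ip}: {f['failed_attempts']} failures, then {f['method']} login as "
              f"{f['user']} at {f['logged_in_at']}")
```

Run this against a copy of the log rather than the live file, and remember that syslog timestamps carry neither a year nor a time zone, so correlate them with the host's clock settings before building a timeline.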

Note

Like any other forensic science, system forensics is the application of a science to questions of law. In this case, the science is computer science, sometimes referred to as forensic computer science. System forensics involves using specialized software tools and techniques to analyze the various levels at which computer data is stored.

Knowing how a computer was used in a crime helps narrow down the evidence collection process. Hard drives today are generally very large. Therefore, checking and analyzing every piece of data a computer and associated media contain can take a long time. Often, law enforcement officials need information quickly. Having a general idea of what to look for on a suspect computer speeds the evidence collection process.

Computers can be involved in a variety of types of crimes, including white-collar crimes, violent crimes such as murder and terrorism, counterintelligence, economic espionage, counterfeiting, child pornography, and drug dealing. A 2008 FBI survey reported that the average bank robbery netted $11,400. In contrast, the average computer crime netted $3.4 million. The Internet has made targets much more accessible, and the risks involved for criminals are much lower than with traditional crimes. From the comfort of home or some other remote site, a cybercriminal can hack into a bank and transfer millions of dollars to a fictitious account. In essence, the criminal can rob the bank without the threat of being physically harmed while escaping.

Cybercrime can involve modification of a traditional crime by using the Internet in some way. It can be as simple as the online illegal sale of prescription drugs or as sophisticated as cyberstalking. Pedophiles use the Internet to exchange child pornography and pose as children to lure victims into real-life kidnappings. Laws governing fraud apply with equal force, regardless of whether the activity is online or offline.

Cybercriminals are more aware of digital forensics today than they were in the past. Many are adept at destroying digital evidence to cover their crimes. Some use "anti-forensic" tools to foil investigations into their activities. Chapter 3, "Challenges of System Forensics," briefly discusses anti-forensic tools.

System Forensics Specialists and What They Do

A system forensics specialist finds evidence, determines the significance of the evidence, and relates the evidence to a crime. The goal of a forensic specialist is to provide a better understanding of what happened, when it happened, and how it happened. Forensics involves research, experimentation, and analysis.

The growth in the number of court cases that involve digital evidence has created a high demand for people with forensic skills. The field of digital forensics is challenging. Investigations may involve a single computer or a network with hundreds or thousands of nodes. As digital forensics technologies and methods have advanced, forensics has become a science as well as an art. A forensic specialist needs a sound knowledge of proven and accepted scientific methods, as well as a deep understanding of various technologies, hardware, and software. (Chapter 15, "System Forensics Resources," discusses some of the training and certification options in the field of system forensics.)

Note

The American Academy of Forensic Sciences (AAFS) recognizes forensic computer crime investigation as a discipline. See http://www.aafs.org for more details.

Tasks of a Forensic Specialist

These are the two most important aspects of a forensic investigator's job:

  • Ensuring that the evidence is what the investigator says it is

  • Showing that the evidence hasn't been altered or substituted since it was collected

A system forensics specialist needs to know how to find and interpret clues. In some situations, files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy evidence. Criminals may attempt to steal anything from customer databases to blueprints. No matter how careful they are, when people attempt to steal electronic information, they leave traces of their activities. Likewise, people may try to destroy incriminating computer evidence, such as harassing memos or stolen technology. When they do, they leave behind vital clues. Such traces can help win a court case. Thus, digital evidence is a reliable and essential form of evidence that should not be overlooked.

A system forensics professional does more than turn on a computer, make a directory listing, and search through files. Such a person needs to be able to successfully perform complex evidence recovery procedures. According to Judd Robbins, a forensic specialist may need to take the following measures to identify and attempt to retrieve evidence from a subject computer system:

  • During the forensic examination, protect the subject computer system from any possible alteration, damage, data corruption, or virus introduction. (See Chapter 6, "Controlling a Forensic Investigation.")

  • Discover all pertinent files on the subject system. This may include existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files. (See Chapter 7, "Collecting, Seizing, and Protecting Evidence," and Chapter 8, "Understanding Information-Hiding Techniques.")

  • Understand how to use search and analysis tools to recover as many of the discovered deleted files as possible. (See Chapter 9, "Recovering Data.")

  • Create an overall analysis of the subject computer system and a list of all possibly relevant files and discovered file data. A system forensics specialist should also provide an opinion of the system layout, the file structures discovered, and any discovered data and authorship information. The specialist should examine attempts to hide, delete, protect, or encrypt information. In addition, a specialist should try to find explanations for anything else that appears to be relevant to the overall computer system examination. (See Chapter 9, "Recovering Data.")

  • Draw conclusions and provide expert consultation and testimony, as required. (See Chapter 9, "Recovering Data.")

Note

Although involving some of the same skills and software as data recovery, system forensics is a much more complex undertaking. In data recovery, the goal is to retrieve lost data. In system forensics, the goal is to retrieve the data and interpret as much information about it as possible.

A system forensics expert who helps during evidence discovery needs to have experience with a wide range of computer hardware and software. When files have been damaged, a system forensics expert can use advanced tools to recover even very small remaining fragments. Many methods can reveal data that resides in a computer system. An experienced investigator can recover deleted, encrypted, or damaged file information. This information may prove highly valuable during legal proceedings.

How a Forensic Specialist Begins an Investigation

It's not sufficient to have the technical skills to locate evidence on computer media. In recovering evidence, system forensics experts must follow certain procedures to ensure that the evidence is preserved in its original form. The general principles are as follows:

  • The scene of a crime has to be frozen. That is, the evidence must be collected as early as possible and without contamination.

  • It must be possible to account for all that has happened to the evidence between its original collection and its appearance in court. This is called the chain of custody. In addition, the evidence should be unaltered, if possible.

  • All procedures used in examination should be auditable. That is, a qualified independent expert should be able to track all the investigations carried out by the prosecution's experts.

These topics are covered in more detail in Chapter 6, "Controlling a Forensic Investigation," and Chapter 7, "Collecting, Seizing, and Protecting Evidence."
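
The two tasks listed under "Tasks of a Forensic Specialist" (showing that evidence is what the examiner says it is and that it has not been altered since collection) and the chain-of-custody and auditability principles above are what hashing at acquisition time delivers in practice. The following is an added example, not code from this book: it hashes a constructed stand-in for a disk image with both MD5 and SHA-256, re-verifies the image later, and keeps a custody log in which every entry includes the hash of the previous entry, so that removing or rewriting an earlier entry is detectable. The image bytes, custodian names and class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (made-up bytes, not a real image).
ACQUIRED_IMAGE = b"\x55\xaa" * 16 + b"NTFS    " + bytes(range(256)) * 4


def image_hashes(data: bytes) -> dict:
    """Hashes recorded at acquisition time. Two algorithms are kept so a later
    dispute about one of them does not leave the image unverifiable."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_image(data: bytes, recorded: dict) -> bool:
    """Re-hash the image and compare with the acquisition record.
    A change to a single byte anywhere in the image fails this check."""
    current = image_hashes(data)
    return all(hmac.compare_digest(current[k], recorded[k]) for k in recorded)


class CustodyLog:
    """Append-only chain-of-custody log. Every entry carries the hash of the
    entry before it, so deleting or rewriting an earlier entry is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, action, custodian, evidence_hashes, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "custodian": custodian,
            "evidence_sha256": evidence_hashes["sha256"],
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        # Hash every field except the entry's own hash, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def is_intact(self):
        expected_prev = "0" * 64
        for entry in self.entries:
            if entry["prev_entry_hash"] != expected_prev:
                return False
            if entry["entry_hash"] != self._digest(entry):
                return False
            expected_prev = entry["entry_hash"]
        return True


def demo():
    """Acquire, hand over, then check both an untouched and an altered copy."""
    acquired = image_hashes(ACQUIRED_IMAGE)
    log = CustodyLog()
    log.record("acquired from suspect workstation", "examiner A", acquired)
    log.record("transferred to laboratory", "examiner B", acquired)
    untouched_ok = verify_image(ACQUIRED_IMAGE, acquired)
    # One flipped byte stands in for an accidental write, e.g. the image mounted read-write.
    altered = bytearray(ACQUIRED_IMAGE)
    altered[100] ^= 0x01
    altered_ok = verify_image(bytes(altered), acquired)
    return untouched_ok, altered_ok, log.is_intact()


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The hash comparison is the reproducible part: any independent expert with the image and the recorded digests can repeat it. The custody log is the auditable part; it records who had the evidence and when, and its linked hashes make the record itself tamper-evident.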

Tip

Forensic investigation is most effective when conducted by an impartial third party who has the necessary technical and law enforcement background.

In many cases, it is possible to produce reliable computer-derived evidence without specialized forensic tools. An investigator can get good results with standard disk repair, network testing, and other system utilities, provided they are run against a verified working copy rather than the original media and full records are kept of every step. In some cases, however, these methods are not enough.

More-specialized tools are needed, for example, to recover previously deleted material or if a logic bomb or virus is suspected. The specialized tools themselves don't address all the problems of producing evidence that will stand up in court. Special training is also required. Thus, a forensic specialist must have the following key characteristics:

  • Careful methodology of approach, including record keeping

  • A sound knowledge of computing, particularly in any specialist areas claimed

  • A sound knowledge of the law of evidence

  • A sound knowledge of legal procedures

  • Access to and skill in the use of appropriate utilities

Chapter 15, "System Forensics Resources," discusses training and certification programs for forensic specialists.

System Forensics Evidence: Its Use and Handling

In the past, documentary evidence was primarily limited to paper documents. Copies were made with carbon paper or using a photocopy machine. Most documents today are stored on computer hard disk drives, CDs, flash drives, and other types of computer storage media. This is where system forensics evidence may reside. An investigator must find this evidence by using system forensics tools and methodologies. Paper documents are no longer always considered the best evidence.

Evidence gathered from computers is subject to the same standards as evidence gathered from any other type of crime scene. Like any other evidence, system forensics evidence must be authentic, accurate, complete, and convincing to juries. In addition, it must conform to all applicable laws to be admissible in court.

Almost any type of investigation and litigation today—criminal or civil—may rely on evidence obtained from computer systems. System forensics evidence, also known as computer evidence or digital evidence, can often make or break a case. Digital evidence can be used to establish that a crime has been committed. It can also be used to assert other points of fact in a court of law. For example, digital evidence can be used to identify suspects, defend the innocent, prosecute the guilty, and understand the motives and intents of individuals.

Note

Criminal and civil litigation actions are relying more and more on digital evidence. Computer evidence helped identify the now-infamous blue dress in the Clinton impeachment hearings. Oliver North got into some of his trouble with the U.S. Congress when erased computer files were recovered as digital evidence. Digital evidence is also used to identify Internet account abuses.

A computer's operating system can create digital evidence without the knowledge of the computer operator. Such information may actually be hidden from view. Special forensic software tools and techniques are required to preserve, identify, extract, and document hidden digital evidence. This evidence may include deleted e-mail messages or files, computer logs, spreadsheets, and accounting information.

Digital Evidence Challenges

There are some special problems related to digital evidence. A significant one is evidence dynamics: anything that changes or destroys digital evidence between the time the evidence is created and the time the case goes to court. It doesn't matter whether the action that changed the evidence was accidental or deliberate. One common cause of evidence dynamics is a criminal attempting to cover his or her tracks. A victim may also delete files or e-mails to avoid embarrassment. In addition, when someone uses a subject computer after a crime has been committed, evidence may be altered or destroyed. Other problems related to evidence include:

  • Digital data changes moment by moment.

  • Computer data is invisible to the human eye. It can be viewed only indirectly and only after appropriate procedures are followed.

  • The process of collecting computer data may change it in significant ways. The processes of opening a file and printing it are not always neutral: merely opening a file can update its last-accessed timestamp, and printing it can leave spool files behind.

  • Computer and telecommunications technologies are always changing. Forensic processes must keep up with these changes.

  • The laws haven't kept up with technology.

Protecting Evidence

Protecting evidence is critical. Knowledgeable system forensics professionals should ensure that a subject computer system is carefully handled. According to Judd Robbins, the basic criteria are as follows:

  • No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer

  • No computer virus is introduced to a subject computer during the analysis process

  • Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage

  • A continuing chain of custody is established and maintained

  • Business operations are not affected or are affected for only a limited amount of time

  • Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged

Chapter 6, "Controlling a Forensic Investigation," and Chapter 7, "Collecting, Seizing, and Protecting Evidence," discuss these issues in greater detail.

Testing Forensic Evidence

The rules vary from jurisdiction to jurisdiction, but in general the law distinguishes between real evidence, testimonial evidence, and hearsay. Real evidence comes from an inanimate object that the court can examine. Testimonial evidence is evidence that a live witness has seen and on which he or she can be cross-examined. The hearsay rule excludes any assertions other than those made by the witness who is testifying. In its pure form the hearsay rule is extremely restrictive, and it has been extensively modified by statutory exceptions. (See Chapter 7, "Collecting, Seizing, and Protecting Evidence," for more information on these types of forensic evidence.)

Note

In the United States, the seizure of computers containing evidence presents many problems. Law enforcement officers must comply with the Fourth Amendment to the U.S. Constitution. Chapter 6, "Controlling a Forensic Investigation," provides more information.

There are rules about the proving of documents and business books. Some of these rules apply explicitly to computers, but many do not. However, these rules may be interpreted to cover many situations in which computers are involved.

System forensics goes beyond procedures and methods of handling computer hardware and files. The ultimate aim of forensic investigation is use in legal proceedings. However, an obsession with law and judicial rules may inhibit an investigation. It might be a mistake not to commence inquiries simply because of fear of possible inadmissibility. Furthermore, a number of computer-investigatory methods may not be directly admissible but may nevertheless be useful in locating noncomputer evidence that is admissible.

Forensic evidence must undergo the following broad tests:

  • Authenticity—Does the material come from where it purports to come from?

  • Reliability—Is the story that the material purports to tell believable? Is it consistent? In the case of computer-derived material, are there reasons to doubt the correct working of the computer?

  • Completeness—Is the story that the material purports to tell complete? Are there other stories that the material also tells that might have a bearing on the case?

  • Freedom from interference and contamination—After forensic investigation and other post-event handling, are the levels of interference and evidence contamination acceptable?

Applying Forensic Analysis Skills

An important component of the electronic discovery process is applying forensic analysis skills to recovered data. Forensic analysis is an art and a science. Each case presents unique challenges. The objective of system forensics analysis is to determine the facts of a case in an efficient and nonbiased manner. It involves following the chain of evidence as it unfolds. System forensics analysis goes beyond the initial investigation to include the following:

  • Ensuring that electronic evidence is admissible in a court of law

  • Searching for relevant information and determining the history, authentication, and origin of electronic documents

  • Using electronic data to reconstruct events or substantiate allegations and claims

  • Minimizing the impact of spoliation—that is, the withholding, hiding, alteration, or destruction of evidence relevant to a legal proceeding

  • Linking evidence to prove the case

  • Preparing evidence for litigation support, including deposition and expert witness testimony

Following Proper Forensic Procedures

One of the fundamental principles of system forensics investigation is the need to follow established and tested procedures meticulously and methodically. At no point in an investigation is this more critical than during initial evidence capture. Reproducibility of evidence is the key. Without a firm base of solid procedures that have been strictly applied, a case as a whole will likely be weakened.

In several high-profile instances, apparently solid cases have been weakened or thrown out because inappropriate consideration was given to the integrity and reproducibility of the digital evidence. This may happen for several reasons. Lack of training is a prime culprit. If the individuals involved have not been trained to the required standards, tainted or damaged digital evidence is the sad but inevitable result. Another frequent cause is lack of experience. Finally, sloppiness, pressure applied onsite, tiredness, and carelessness have been contributory factors in transforming solid digital evidence into a dubious collection of files. It is in everyone's best interest to ensure that the highest forensic standards are maintained.

Note

One of the most difficult onsite skills is knowing when to ask for help. It is essential to create a sympathetic working environment. Otherwise, an investigator may not call for help because of peer pressure or fear he or she will lose status and respect.

Types of System Forensics Analysis

Today, system forensics includes a number of specialties. The following are some examples:

  • Disk forensics—The process of acquiring and analyzing data stored on physical storage media, such as computer hard drives, smartphones, and removable media. Disk forensics includes both the recovery of hidden and deleted data and also the process of identifying who created a file or message. (See Chapter 8, "Understanding Information-Hiding Techniques," and Chapter 9, "Recovering Data.")

  • E-mail forensics—The study of the source and content of e-mail as evidence. E-mail forensics includes the process of identifying the sender, recipient, date, time, and origination location of an e-mail message. You can use e-mail forensics to identify harassment, discrimination, or unauthorized activities. (See Chapter 10, "Investigating and Scrutinizing E-mail.")

  • Network forensics—The process of examining network traffic, including transaction logs and real-time monitoring, using sniffers and tracing. (See Chapter 11, "Performing Network Analysis.")

  • Internet forensics—The process of piecing together where and when a user has been on the Internet. For example, you can use Internet forensics to determine whether inappropriate Internet content access and downloading were accidental. (See Chapter 11, "Performing Network Analysis.")

  • Software forensics or malware forensics—The process of examining malicious code. (This topic is beyond the scope of this book but is briefly touched on in Chapter 8, "Understanding Information-Hiding Techniques.")

  • Live system forensics—The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse. (See Chapter 12, "Searching Memory in Real Time with Live System Forensics.")

Each of these types of forensic analysis requires specialized skills and training, as discussed throughout this book.
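
E-mail forensics in the sense described above, as an added example that is not from this book: the script reconstructs the delivery path of a constructed message (the headers, host names and addresses are invented, and the IP addresses come from documentation ranges) by reading its Received: headers from the bottom up, extracts the originating address and first relay, and checks that the hop timestamps run in order, which is one of the reliability questions a court will ask. The regular expressions and function names are choices made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (example data, not a real e-mail). Each relay
# prepends its own Received: header, so the top header is the last hop.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.5])
    by mail.example.com (Postfix) with ESMTPS id 7A1F2C0;
    Tue, 02 Mar 2010 14:22:10 -0500
Received: from relay.example.net (relay.example.net [203.0.113.10])
    by mx.example.org with ESMTP id x9s2k;
    Tue, 02 Mar 2010 14:21:58 -0500
Received: from [192.0.2.44] (dsl-44.example-isp.test [192.0.2.44])
    by relay.example.net with ESMTPA id u7h3;
    Tue, 02 Mar 2010 14:21:40 -0500
From: "A. Sender" <sender@example.net>
To: victim@example.com
Date: Tue, 02 Mar 2010 14:21:35 -0500
Subject: Re: that thing
Message-ID: <1234.5678@example.net>

Meet me at the usual place.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\([^)]*\))?"      # sending host, optional "(helo [ip])"
    r"\s+by\s+(?P<by>\S+)(?:\s+\([^)]*\))?"       # receiving host, optional "(software)"
    r"(?:\s+with\s+(?P<with>\S+))?",              # transport, e.g. ESMTPA = authenticated
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_path(raw):
    """Return the relay hops in delivery order (origin first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())               # unfold continuation lines
        m = RECEIVED_RE.search(hdr)
        ips = IP_RE.findall(hdr)
        stamp = hdr.rpartition(";")[2].strip()    # the timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError, IndexError):
            when = None
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "with": m.group("with") if m else None,
            "ip": ips[0] if ips else None,
            "time": when,
        })
    return hops


def summarize(raw):
    """Pull out what an examiner records first: claimed sender, recipient,
    originating address, first relay, and whether the hop times are in order."""
    msg = message_from_string(raw)
    hops = trace_path(raw)
    times = [h["time"] for h in hops if h["time"] is not None]
    origin = hops[0] if hops else {}
    return {
        "claimed_sender": parseaddr(msg.get("From", ""))[1],
        "recipient": parseaddr(msg.get("To", ""))[1],
        "date_header": msg.get("Date"),
        "origin_ip": origin.get("ip"),
        "first_relay": origin.get("by"),
        "submitted_with": origin.get("with"),
        "hop_count": len(hops),
        "timeline_consistent": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    for hop in trace_path(RAW_MESSAGE):
        print(f"{hop['time']}  {hop['from']} ({hop['ip']}) -> {hop['by']} via {hop['with']}")
    print(summarize(RAW_MESSAGE))
```

Only the Received: headers added by servers you control or trust can be relied on; a sender can prepend forged ones, so the originating address is the earliest hop you can vouch for, not necessarily the bottom header. A transport of ESMTPA at the first hop means the relay authenticated the submitting user, which is worth a request to that relay's operator for its own logs.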

Examples of Forensic Investigations

Consider two real-life examples of the type of material a system forensics specialist might have to work with:

  • The case of the flying laptop—Police rushed to the ninth floor of a building. Almost immediately thereafter, a laptop flew out the window of the premises and toward the ground. The resultant bag of smashed laptop components arrived at a laboratory for forensic analysis.

  • The case of the burned tapes—Sets of digital audio tapes (DATs) were caught in a fire that had engulfed a company's head office and wiped out the primary trading infrastructure. The company's IT systems had been at the center of the blaze and were destroyed. The DATs had, inadvisably, not been stored offsite. They were, however, not stored near the center of the blaze. The DATs arrived at a forensics lab in a rather sorry condition. The plastic casing had melted to, around, and onto the tapes, and the whole mechanism was fused into a homogeneous glob.

As you can see, a system forensics specialist faces a variety of situations. Gathering data and investigating cases provide exciting opportunities to learn new forensic skills.

CHAPTER SUMMARY

When computer systems are involved in a crime, much work needs to be done to analyze the contents of those systems. System forensics is the collection, analysis, and presentation of computer-based evidence. A system forensics specialist must take careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system. A system forensics specialist should be competent in data seizure, data duplication and preservation, data recovery, document searches, media conversion, and providing expert witness services.

This chapter describes the fundamentals of system forensics, how computers are used in crimes, the role of system forensics specialists, system forensics evidence, and application of forensic analysis skills. The following chapters expand on these ideas.

KEY CONCEPTS AND TERMS

  • Cybercrime

  • Disk forensics

  • E-mail forensics

  • Evidence dynamics

  • Internet forensics

  • Live system forensics

  • Network forensics

  • Software forensics

  • Spoliation

  • System forensics

  • System forensics evidence

  • System forensics specialist

CHAPTER 1 ASSESSMENT

  1. To which domains of a typical IT infrastructure does system forensics apply?

    1. User Domain

    2. Workstation Domain

    3. LAN Domain

    4. WAN Domain

    5. Remote Access Domain

    6. All of the above

  2. A computer can play one of three roles in a computer crime: It can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository that stores valuable information about the crime.

    1. True

    2. False

  3. When people try to destroy incriminating evidence contained on a computer, they leave behind vital _________.

  4. System forensics is the same as data recovery.

    1. True

    2. False

  5. A system forensics professional should be able to successfully perform complex evidence recovery procedures. Which of the following tasks should such a specialist be able to perform? (Select three.)

    1. Expert witness services

    2. Data recovery

    3. Data dump

    4. Document searches

  6. Which of the following is not an important characteristic of a forensic specialist?

    1. A sound knowledge of computing

    2. Careful methodology of approach

    3. Law degree

    4. Access to and skill in the use of appropriate utilities

  7. Which of the following refers to anything that changes or destroys digital evidence between the time the evidence is created and when the case goes to court?

    1. Disk forensics

    2. Evidence dynamics

    3. Spoliation

    4. Live system forensics

  8. Which of the following is not a broad test that should be applied to forensic evidence?

    1. Fairness

    2. Authenticity

    3. Reliability

    4. Completeness

    5. Freedom from interference and contamination

  9. The system forensics specialty that involves acquiring and analyzing data stored on physical storage media, such as computer hard drives and removable media, is called _________.

  10. _________ is an area of system forensics that is used to search memory in real time, typically for working with compromised hosts or to identify system abuse.

  11. _________ is an area of system forensics that is most often used to examine malicious code.
