Questions about this topic? Sign up to ask in the talk tab.

Computer Forensics

From NetSec
Jump to: navigation, search

Cybercrime

Cybercrime is a crime which involves the use of the computers, mobile phones, or any form of electronic device over the internet. Many modern devices can be and are targeted for malicious purposes. Many of them are also used to perpetrate a variety of cyber mischiefs or crime.

The critical infrastructure (water, communications, and electricity) of most modern countries is computer controlled. This can lead to more severe cybercrimes against nations or states.

Cybercrime is becoming more widespread due to the developed countries having such a reliance on computers. Some sample occurrences are seen here. Spam email and denial of service attacks are carried out mostly by computers infected with viruses, worms, or other malware.

There are also less obvious occurrences of cybercrime, such as embezzlement (stealing of money or data one has been entrusted with) and extortion. Some breeds of malware are even called ransomware because they encrypt the victim's data and then demand a retrieval fee for the encryption key. In such crimes, evidence is likely to be stored in a digital format.


Investigation

There are procedures in place for response by law enforcement when a cybercrime incident occurs just as there are for other types of crime. This page will focus on the investigation of an incident which includes data collection and data analysis.

Digital forensics is the investigation of these crimes through data collection and data analysis techniques. These techniques include hash matching (md5sum), qualified forensic duplicates, recovering deleted data and hardware analysis.

Data collection is the retrieval of information and hardware necessary for investigation and is the first step for data analysis. Important factors in data collection are chain of custody and evidence validation.


Preserving the evidence

Md5sum (and other hash computing software) is a program used to ensure evidence integrity. It issues a number (named a hash) to the data collected and if the data is modified in any way, that number changes. This acts as a virtual evidence seal, making it an extremely useful program for the investigative and legal processes. This program is usually executed in the presence of witnesses to ensure the integrity of the evidence.

In order to properly collect forensic evidence, you need to know where to find it. For this reason, there is a set of data for collection that is almost always extracted and catalogued. This data includes system date and time, list of users logged on, timestamps for all the files, running applications at the time of custody and a list of systems connected to the system either at the time of the collection or previously.

To ensure the evidence is protected from manipulation after the time of collection, qualified forensic duplicates are used. A qualified forensic duplicate is an exact copy of the data found at the scene of a crime. Some methods of analysis can be destructive such as restoring deleted files. For this reason, duplicates are always used. This ensures that the original evidence is not altered in any way, preserving it for court as well as offering extensive testing on a direct copy of the original evidence.



Where to find evidence

Much like there are usual sites for data collection, there are common locations for forensic evidence. The first place that is looked at is usually hardware. Hardware is easy to isolate as it has a physical location. Here are the two main locations of forensic evidence, RAM (random access memory) and hard disk drives.

Hardwarewise


Hard disk drives, as previously mentioned, are a secondary source of evidence. HDD layout is made up of free space and used space. The used space contains active or currently stored data. Free space is the remainder of the hard drive left over from the used space. This "free space" is not blanked in the case of magnetic hard disks. In the case of SSD, this is not true, as these disks blank unused sectors.

This free space was previously used space but it is available to be written over. As mentioned before, this free space can be repaired or restored, bringing back the files (or rather the data) that were originally there.

Random Access Memory or RAM is the primary location of data on a computer. It is used as very short term storage and is used in all programs. RAM is also volatile storage, meaning if power is lost, the data is eventually removed. In recent cybercrime arrests, officers have brought liquid nitrogen to freeze RAM and thereby preserve all the data on it. However, in most cases this will not occur.

Softwarewise


From the hardware point of view, data can be found in either volatile or durable memory. Contrasting this is actual data. This data relevant to the investigation can be found almost anywhere in the computer but there are several common locations where to find this data. This includes the registry, event logs, temporary files, recycling bin and email storage.

Deleted files are a good location to find evidence because contrary to popular belief, deleted files can be restored completely or partially, depending on how many times the file location on disk has been overwritten. These deleted files can be restored in different ways depending on how they have been deleted such as recycling bin restore or programs made to restore deleted files.

The windows registry is a data location found in the virtual space of the computer. It collects data files that store configuration data of the system. For this reason, it contains information about the hardware and software installed, including log files of all installs.

Forensic Imaging

While there are different types of imaging, and imaging formats. this section will cover Hard Disk Imaging. (Taking a snapshot of a drive)

HardDisk Imaging

There are a variety of forensic imaging tools, a few are:

  • FTK Imager
  • EnCase
  • EnLinen -- Part of the HELIX liveCD, a lightweight version of FTK Imager


There are two types of images, Logical Images, and Physical Images.

Physical Images are images of the entire hard-drive; the file-system, allocated, and unallocated space.

Logical Images contain single files, and each file on that logical image has a checksum. These checksums are normally used later on in court proceedings.


Computer Forensics is a lot of red tape, and protocol, usually to hold up admissibility of the data that is found. So, assuming you've acquired a drive, and followed proper practice, the next step would be to hook the drive up to a hardware write-blocker.

Protip: The reason write-blockers are important is because certain Operating Systems try to auto-mount the drive. If the mount-date on the drive is past that of the date that the evidence (the drive) was acquired, your findings could be inadmissible in court due to mishandling of evidence

Now, with the drive connected, boot into any linux distro of your choice. (Assuming you do not have a hardware imager)

We'll call this drive /dev/sdb


Now, you'll want to connect a new drive, of the same size as /dev/sdb. (This time without a write-blocker.)

We'll call this drive /dev/sdd


To make a physical image, we'll first have to overwrite /dev/sdd with zeros. this can be done with the following command.

RPU0j.png Depending on the size of the drives, this may take a while.
 dd if=/dev/zero of=/dev/sdd

When that finishes, we'll want a checksum of /dev/sdb . This can be acquired by executing the following command:

 md5sum /dev/sdb

Write down the output of this when it finishes, you'll need it later.


Continuing on, the next step is to copy everything from /dev/sdb over to /dev/sdd .

This can be done with the dd command, as follows:

 dd if=/dev/sdb of=/dev/sdd
c3el4.png If you want to monitor progress, you can send kill -s USR1 to the dd pid, and it will display status.

When all the data from /dev/sdb is copied over to /dev/sdd you will want to get an checksum of /dev/sdd .

 md5sum /dev/sdd

And when it finishes, compare this checksum with the one from /dev/sdb . They should match.

The reason we copied the data from the original drive to another, is so that in case something goes wrong, you can just re-image the drive, and nothing is lost.

Now that you've copied the data over to a drive, one can use /dev/sdd as a drive to acquire from in FTK, or EnCase. You have a choice to use either Physical, or Logical. The former of these two will be explained here, as physical images can restore deleted, or partially overwritten files; Opposed to logical images only contain existing files and their checksums.