Difference between revisions of "Computer Forensics"
Revision as of 01:45, 27 November 2011
Cybercrime
Cybercrime is a crime which involves the use of computers, mobile phones, or any other form of electronic device. Most of the devices around us today can be, and are, targeted for malicious purposes. Many of them are also used to perpetrate different forms of cyber mischief or crime.
Many of our basic needs, such as water, health care and electricity, are now fulfilled with the help of computers.
Cybercrime is widespread due to the developed countries having such reliance on computers. Some sample occurrences are seen here. Email spam and denial of service attacks are carried out mostly by computers infected with viruses: your computer could be responsible for these and you wouldn’t even know.
There are also less obvious occurrences such as embezzlement (stealing of money or data one has been entrusted with) and extortion. In such crimes, evidence could be stored on computers.
Investigation
When a cybercrime incident occurs, there are a series of steps usually taken to respond. This page will focus on the investigation of the incident which includes data collection and data analysis.
Computer forensics is the investigation of these crimes through data collection and data analysis techniques. These techniques include hash matching (md5sum), qualified forensic duplicates, recovering deleted data and hardware analysis.
Data collection is the retrieval of information and hardware necessary for investigation and is the first step for data analysis. Important factors in data collection are chain of custody and evidence validation.
Preserving the evidence
Md5sum (and other hash computing software) is a program used to ensure evidence integrity. It issues a number (named a hash) to the data collected and if the data is modified in any way, that number changes. This acts as a virtual evidence seal, making it an extremely useful program for the investigative and legal processes. This program is usually executed in the presence of witnesses to ensure the integrity of the evidence.
In order to properly collect forensic evidence, you need to know where to find it. For this reason, there is a set of data for collection that is almost always extracted and catalogued. This data includes system date and time, list of users logged on, timestamps for all the files, running applications at the time of custody and a list of systems connected to the system either at the time of the collection or previously.
To ensure the evidence is protected from manipulation after the time of collection, qualified forensic duplicates are used. A qualified forensic duplicate is an exact copy of the data found at the scene of a crime. Some methods of analysis can be destructive such as restoring deleted files. For this reason, duplicates are always used. This ensures that the original evidence is not altered in any way, preserving it for court as well as offering extensive testing on a direct copy of the original evidence.
Where to find evidence
Much like there are usual sites for data collection, there are common locations for forensic evidence. The first place that is looked at is usually hardware. Hardware is easy to isolate as it has a physical location. Here are the two main locations of forensic evidence, RAM (random access memory) and hard disk drives.
Hardwarewise
Hard disk drives, as previously mentioned, are a secondary source of evidence. HDD layout is made up of free space and used space. The used space contains active or currently stored data. Free space is the remainder of the hard drive left over from the used space. This "free space" is not blanked in the case of magnetic hard disks. In the case of SSD, this is not true, as these disks blank unused sectors.
This free space was previously used space, but it is available to be written over. As mentioned before, the contents of this free space can be recovered, bringing back the files (or rather the data) that were originally there.
Random Access Memory or RAM is the primary location of data on a computer. It is used as very short term storage and is used in all programs. RAM is also volatile storage, meaning if power is lost, the data is eventually removed. In recent cybercrime arrests, officers have brought liquid nitrogen to freeze RAM and thereby preserve all the data on it. However, in most cases this will not occur.
Softwarewise
From the hardware point of view, data is found in either volatile or durable memory. The software point of view is about the data itself. Data relevant to the investigation can be found almost anywhere on the computer, but there are several common locations in which to look. These include the registry, event logs, temporary files, the recycle bin and email storage.
Deleted files are a good location to find evidence because contrary to popular belief, deleted files can be restored completely or partially, depending on how many times the file location on disk has been overwritten. These deleted files can be restored in different ways depending on how they have been deleted such as recycling bin restore or programs made to restore deleted files.
The Windows registry is a data location in the software rather than the hardware of the computer. It is a collection of data files that store the configuration data of the system. For this reason, it contains information about the hardware and software installed, including log files of all installs.
Forensic Imaging
While there are different types of imaging and different imaging formats, this article will cover hard disk imaging.
Hard Disk Imaging
There are a variety of forensic imaging tools, a few are:
- FTK Imager
- EnCase
- EnLinen -- Part of the HELIX liveCD, a lightweight version of FTK Imager
There are two types of images, Logical Images, and Physical Images. Logical Images contain single files, and each file on that logical image has a checksum. These checksums are normally used later on in court proceedings.
Physical Images are images of the entire hard-drive; the file-system, allocated, and unallocated space.
Computer Forensics involves a lot of red tape and protocol, usually to hold up the admissibility of the data that is found. So, assuming you've acquired a drive and followed proper practice, the next step would be to hook the drive up to a hardware write-blocker. Now, with the drive connected, boot into any Linux distro of your choice (assuming you do not have a hardware imager).
We'll call this drive /dev/sdb
Now, you'll want to connect a new drive, of the same size as /dev/sdb. (This time without a write-blocker.)
We'll call this drive /dev/sdd
To make a physical image, we'll first have to overwrite /dev/sdd with zeros. This can be done with the following command.
Depending on the size of the drives, this may take a while.
dd if=/dev/zero of=/dev/sdd
When that finishes, we'll want a checksum of /dev/sdb. This can be acquired by executing the following command:
md5sum /dev/sdb
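The acquisition steps above, together with the hash comparison that closes the evidence seal described under Preserving the evidence, as an added shell example that is not part of the original article. The device paths are parameters (the article's /dev/sdb and /dev/sdd would be passed in), the function names size_bytes, digest, wipe_target, image_drive and acquire are chosen here, and the example goes one step beyond the text by copying the source to the target with dd and re-hashing the copy.

```shell
#!/bin/sh
# Added example (not from the original article). SRC is the write-blocked
# evidence drive, DST the sterile target drive; run as root on real devices.

# Size of a path in bytes: a block device via blockdev(8) on Linux, else wc -c.
size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Print only the hex digest of a path (md5sum also prints the file name).
digest() {
    md5sum "$1" | cut -d' ' -f1
}

# Zero the target so no stale data on it can be mistaken for evidence.
# An explicit sector count avoids the "No space left on device" exit that
# dd gives when it is allowed to run off the end of a device.
wipe_target() {
    dst="$1"
    dd if=/dev/zero of="$dst" bs=512 count="$(( $(size_bytes "$dst") / 512 ))" 2>/dev/null
}

# Physical image: copy every sector. conv=noerror,sync keeps going past bad
# sectors and pads them with zeros so offsets in the image stay correct.
# bs=512 matches the sector size; use a larger bs on real disks for speed.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Full acquisition with the evidence seal: hash the source before imaging,
# hash the copy afterwards, append both to LOG, and fail if they differ.
acquire() {
    src="$1"; dst="$2"; log="$3"
    wipe_target "$dst" || return 1
    before=$(digest "$src")
    image_drive "$src" "$dst" || return 1
    after=$(digest "$dst")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source %s md5 %s\n' "$stamp" "$src" "$before" >> "$log"
    printf '%s image  %s md5 %s\n' "$stamp" "$dst" "$after"  >> "$log"
    [ "$before" = "$after" ]
}
```

The log file is the record to keep with the chain-of-custody paperwork; a later md5sum of the image that differs from the logged value means the copy is no longer a qualified forensic duplicate.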