Chapter 14: Computer and Network Forensics

Description: Chapter 14: Computer and Network Forensics. Guide to Computer Network Security. PowerPoint PPT presentation.

Page 1: Chapter 14: Computer and Network Forensics

Chapter 14: Computer and Network Forensics

Guide to Computer Network Security

Page 2: Chapter 14: Computer and Network Forensics

Kizza - Guide to Computer Network Security

Computer Forensics

Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.

Arose as a result of the growing problem of computer crimes.

Computer crimes fall into two categories:
– Computer is a tool used in a crime – because of the role of computers and networks in modern communications, it is inevitable that computers are used in crimes. Investigation into these crimes often involves searching computers suspected to be involved.
– Computer itself is a victim of a crime – this is commonly referred to as incident response. It refers to the examination of systems that have been remotely attacked.

Forensics experts follow clear, well-defined methodologies and procedures.

Page 3: Chapter 14: Computer and Network Forensics


History of Computer Forensics
– Computer forensics started a few years ago, when it was simple to collect evidence from a computer.
– While basic forensic methodologies remain the same, technology itself is rapidly changing – a challenge to forensic specialists.

Page 4: Chapter 14: Computer and Network Forensics


Basic forensic methodology consists of:
– Acquire the evidence without altering or damaging the original:
  Look for evidence
  Recover evidence
  Handle evidence with care
  Preserve evidence
– Authenticate that your recovered evidence is the same as the originally seized data.
– Analyze the data without modifying it.

Page 5: Chapter 14: Computer and Network Forensics


Acquire the Evidence

Keep in mind that every case is different.

Do not disconnect the computers – evidence may be only in RAM – so collect information from a live system.

Consider the following issues:
– Handling the evidence – if you do not take care of the evidence, the rest of the investigation will be compromised.
– Chain of custody – the goal of maintaining a good chain of custody is to ensure evidence integrity and prevent tampering with evidence. The chain should be answers to:
  Who collected it?
  How and where?
  Who took possession of it?
  How was it stored and protected in storage?
  Who took it out of storage and why?

Page 6: Chapter 14: Computer and Network Forensics


Storage Media

Hard Drives
– Make an image copy and then restore the image to a freshly wiped hard drive for analysis.
– Remount the copy and start to analyze it.
– Before opening it, get information on its configuration.
– Use tools to generate a report of lists of the disk’s contents (PartitionMagic).
– View operating system logs.

Page 7: Chapter 14: Computer and Network Forensics


Handle Evidence With Care
– Collection: you want the evidence to be so pure that it supports your case.
– Identification: methodically identify and label every single item that comes out of the suspect’s/victim’s location.
– Transportation: evidence is not supposed to be moved, so when you move it be extremely careful.
– Storage: keep the evidence in a cool, dry, and appropriate place for electronic evidence.
– Documenting the investigation: most difficult for computer professionals, because technical people are not good at writing down details of the procedures.

Page 8: Chapter 14: Computer and Network Forensics


Authenticating Evidence

Authenticating evidence is difficult because:
– Crime scenes change
– Evidence is routinely damaged by environmental conditions
– Computer devices slowly deteriorate

Keep proof of integrity and timestamp the evidence through encryption of files of data.
– Two algorithms (MD5 and SHA-1) are in common use today.

Page 9: Chapter 14: Computer and Network Forensics


Analysis

Use any well-known analysis tools.

Make two backups.

Page 10: Chapter 14: Computer and Network Forensics


Data Hiding

There are several techniques by which intruders may hide data:
– Obfuscating data through encryption and compression.
– Hiding through codes, steganography, deleted files, slack space, and bad sectors.
– Blinding investigators through changing the behavior of system commands and modifying operating systems.

Use commonly known tools to overcome these.

Page 11: Chapter 14: Computer and Network Forensics


Network Forensics

Unlike computer forensics, which retrieves information from the computer’s disks, network forensics in addition retrieves information on which network ports were used to access the network.

There are several differences that separate the two, including the following:
– Unlike computer forensics, where the investigator and the person being investigated (in many cases the criminal) are on two different levels, with the investigator supposedly on a higher level of knowledge of the system, the network investigator and the adversary are at the same skill level.
– In many cases, the investigator and the adversary use the same tools: one to cause the incident, the other to investigate the incident. In fact many of the network security tools on the market today, including NetScanTools Pro, Traceroute, and Port Probe, used to gain information on network configurations, can be used by both the investigator and the criminal.
– While computer forensics deals with extraction, preservation, identification, documentation, and analysis, and still follows well-defined procedures springing from law enforcement for acquiring, providing chain of custody, authenticating, and interpretation, network forensics on the other hand has nothing to investigate unless steps were in place (like packet filters, firewalls, and intrusion detection systems) prior to the incident.

Page 12: Chapter 14: Computer and Network Forensics


Network Forensics Intrusion Analysis

Network intrusions can be difficult to detect, let alone analyze. A port scan can take place without quick detection, and more seriously a stealthy attack on a crucial system resource may be hidden by a simple, innocent-looking port scan.

So the purpose of intrusion analysis is to seek answers to the following questions:
– Who gained entry?
– Where did they go?
– How did they do it?
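An added example (not part of the slides) of the triage the slide describes: it reads constructed firewall log lines, flags a source that touched many distinct ports within a short window (a scan), and separately lists that source's accepted connections to services assumed crucial, which is the kind of event a noisy scan can mask. The log format, thresholds, addresses and the set of crucial ports are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format): time, source, destination port, action.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=203.0.113.7 dport=21 action=DROP
2024-03-01T10:00:01 src=203.0.113.7 dport=23 action=DROP
2024-03-01T10:00:02 src=203.0.113.7 dport=80 action=DROP
2024-03-01T10:00:02 src=203.0.113.7 dport=443 action=DROP
2024-03-01T10:00:03 src=203.0.113.7 dport=3306 action=DROP
2024-03-01T10:00:03 src=203.0.113.7 dport=22 action=ACCEPT
2024-03-01T10:00:04 src=203.0.113.7 dport=8080 action=DROP
2024-03-01T10:05:00 src=198.51.100.4 dport=443 action=ACCEPT
"""

SCAN_THRESHOLD = 5          # assumed: distinct ports from one source within the window
WINDOW_SECONDS = 60         # assumed window length
CRUCIAL_PORTS = {22, 3306}  # assumed crucial services for this example

def parse_line(line):
    """Split one log line into a dict with a datetime, source, port and action."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "src": fields["src"],
            "dport": int(fields["dport"]), "action": fields["action"]}

def analyze(log_text):
    """Return {src: {"scan": bool, "entries": [(iso_time, dport), ...]}}.

    "scan" answers "how did they do it" (many ports probed quickly);
    "entries" answers "who gained entry" and "where did they go" (accepted
    connections to crucial ports, even when buried inside the scan noise).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        scan = False
        for i, first in enumerate(evs):          # sliding window over time-ordered events
            ports = {e["dport"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= WINDOW_SECONDS}
            if len(ports) >= SCAN_THRESHOLD:
                scan = True
                break
        entries = [(e["ts"].isoformat(), e["dport"]) for e in evs
                   if e["action"] == "ACCEPT" and e["dport"] in CRUCIAL_PORTS]
        report[src] = {"scan": scan, "entries": entries}
    return report
```

Running `analyze(SAMPLE_LOG)` marks 203.0.113.7 as a scanning source and surfaces its single accepted connection to port 22 inside the scan window; the second source triggers nothing.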

Page 13: Chapter 14: Computer and Network Forensics


Damage Analysis

It is difficult to effectively assess damage caused by system attacks.

It provides a trove of badly needed information showing how widespread the damage was, who was affected and to what extent.

Page 14: Chapter 14: Computer and Network Forensics


To achieve a detailed report of an intrusion detection, the investigator must carry out a post mortem of the system by analyzing and examining the following:
– System registry, memory, and caches. To achieve this, the investigator can use dd for Linux and Unix systems.
– Network state, to assess computer network accesses and connections. Here netstat can be used.
– Currently running processes, to assess the number of active processes. Use ps for both Unix and Linux.
– Data acquisition of all unencrypted data. This can be done using MD5 and SHA-1 on all files and directories. Then store this data in a secure place.
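An added example (not code from the slides) tying together the MD5/SHA-1 step above, the proof-of-integrity point on the Authenticating Evidence slide, and the chain-of-custody questions on the Acquire the Evidence slide: it hashes every file under an acquired tree into a manifest, appends custody records (who, what, why, when), and verifies a working copy against the manifest so any altered or missing file is reported. The evidence files, examiner names and manifest layout are constructed for this example.

```python
# Added example: MD5/SHA-1 integrity manifest plus a chain-of-custody log for
# an acquired evidence tree, and verification of a working copy against it.
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def file_hashes(path):
    """Return (md5, sha1) hex digests, hashing in chunks so large images fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk); sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def custody_entry(who, action, why):
    """One chain-of-custody record: who, what they did, why, and when (UTC)."""
    return {"who": who, "action": action, "why": why,
            "when": datetime.now(timezone.utc).isoformat()}

def build_manifest(root, collector, how_where):
    """Hash every file under root; the manifest is the proof of integrity to store securely."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            full = os.path.join(dirpath, n)
            md5, sha1 = file_hashes(full)
            files[os.path.relpath(full, root)] = {"md5": md5, "sha1": sha1}
    return {"files": files, "custody": [custody_entry(collector, "collected", how_where)]}

def verify(root, manifest):
    """Return relative paths whose hashes no longer match the manifest or that are missing."""
    bad = []
    for rel, h in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or file_hashes(full) != (h["md5"], h["sha1"]):
            bad.append(rel)
    return bad

def demo():
    """Constructed run: seize a tree, copy it, alter one copied file, verify before and after."""
    work = tempfile.mkdtemp()
    orig = os.path.join(work, "seized")
    os.makedirs(os.path.join(orig, "logs"))
    with open(os.path.join(orig, "logs", "auth.log"), "w") as f:
        f.write("constructed log line\n")
    with open(os.path.join(orig, "notes.txt"), "w") as f:
        f.write("constructed evidence\n")
    manifest = build_manifest(orig, "examiner A", "bagged at site, imaged in lab")
    copy = os.path.join(work, "working_copy")
    shutil.copytree(orig, copy)                      # analysis happens on the copy, never the original
    manifest["custody"].append(custody_entry("examiner B", "checked out", "analysis"))
    clean = verify(copy, manifest)                   # [] : the copy matches the seized data
    with open(os.path.join(copy, "notes.txt"), "a") as f:
        f.write("altered\n")
    tampered = verify(copy, manifest)                # ["notes.txt"]
    shutil.rmtree(work)
    return clean, tampered, manifest
```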

Page 15: Chapter 14: Computer and Network Forensics


Forensic Electronic Toolkit

Computer and network forensics involves and requires:
– Identification
– Extraction
– Preservation
– Documentation

A lot of tools are needed for thorough work.

The “forensically sound” method is never to conduct any examination on the original media.

Before you use any forensic software, make sure you know how to use it, and also that it works.

Tools:
– Hard Drive – use partitioning and viewing tools (PartInfo and PartitionMagic)
– File Viewers – to thumb through stacks of data and images looking for incriminating or relevant evidence (Quickview Plus, Conversion Plus, DataViz, ThumbsPlus)

Page 16: Chapter 14: Computer and Network Forensics


More tools (cont.)

Unerase – if the files are no longer in the recycle bin or you are dealing with old systems without recycle bins.

CD-R/W – examine them as carefully as possible. Use CD-R Diagnostics.

Text – because text data can be huge, use fast scan tools like dtSearch.

Other kits:
– Forensic Toolkit – command-line utilities used to reconstruct access activities in NT file systems
– The Coroner’s Toolkit – to investigate a hacked Unix host.
– ForensiX – an all-purpose set of data collection and analysis tools that run primarily on Linux.
– New Technologies Incorporated (NTI)
– EnCase
– Hardware – Forensic-computers.com