
___________________________________________

* Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copywithout fee all or part of this material is granted provided that the copies are not made ordistributed for direct commercial advantage, the CCSC copyright notice and the title of thepublication and its date appear, and notice is given that copying is by permission of theConsortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires afee and/or specific permission.


COMPUTER FORENSICS LABORATORY AND TOOLS*

Guillermo A Francia III and Keion Clinton
Mathematics, Computing, and Information Sciences Department
Jacksonville State University
Jacksonville, Alabama

Emails: [email protected], [email protected]

ABSTRACT

The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies. This paper presents the design and implementation of an experimental Computer Security and Forensic Analysis (CSFA) laboratory and the tools associated with it. The laboratory is envisioned to be a training facility for future computer security professionals.


JCSC 20, 6 (June 2005)


INTRODUCTION

Computers and the Internet have become a major part of our lives. The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. Each day, many of us carry out banking transactions, purchases, and message exchanges through email. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies.

Computer forensics is the identification, preservation, and analysis of information stored, transmitted, or produced by a computer system or computer network. Its main purpose is to establish the validity of the hypotheses used in an attempt to explain the circumstances or the cause of an activity under investigation [1]. The practice was initiated by the U.S. military and intelligence agencies in the early 1970s. Although little is known about these activities because of their classified environments, it is reasonable to presume that they had a counter-intelligence focus centered on mainframe computers. In the 1980s, the Internal Revenue Service Criminal Investigations Division (IRS-CID) and Revenue Canada were two of the first government agencies with an obvious and openly acknowledged obligation to carry out forensics on external systems linked to criminal offences. Also in 1984, the FBI established the Computer Analysis and Response Team (CART) to provide computer forensic support [2].

A number of computer forensic training courses are offered today. However, most of them focus on a specific set of tools. A computer forensic examiner's training course should be broad enough to familiarize the student with all methodologies of the field. The National Cybercrime Training Partnership (NCTP) was set up by the U.S. government to provide guidance and assistance to local, state, and federal law enforcement agencies. Other U.S. organizations involved in training include NCJIS (the National Consortium for Justice Information and Statistics) and the High-Tech Crime Investigation Association (HTCIA). In Europe, NATO's Lathe Gambit Information Security program and Interpol both offer similar training courses for allied countries. In the Asia-Pacific region, the Australasian Center for Policing Research (ACPR) conducts a number of training courses for Australia and New Zealand [3].

A number of proprietary software packages for computer security and forensic analysis are available on the market today. Evaluation methods and criteria for such software are detailed in [7] and [13]. Generally, the functionality of such tools can be divided into three main categories, as described in [1]:

1. Imaging:


CCSC:Mid-South Conference


   a. Imaging volatile memory;
   b. Disk and file imaging;
   c. Write blockers;
   d. Integrity code generators and checkers.

2. Analysis:
   a. Ambient data recovery and searching of raw disk data for text strings, by sector;
   b. Data and file recovery;
   c. Disk and file system integrity checking tools;
   d. File conversion;
   e. Data filtering by date last modified and other file properties;
   f. Search tools;
   g. Data mining tools.

3. Visualization:
   a. Time-lining;
   b. Link analysis tools.

This paper presents a computer security and forensic analysis project which includes the design and implementation of 1) an experimental Computer Security and Forensic Analysis (CSFA) laboratory, 2) a computer security and forensic toolkit for the laboratory, and 3) hands-on activities in computer forensic analysis.

OBJECTIVES

The objectives of the proposed project are as follows:

1) To design and implement an experimental computer security and forensic analysis laboratory with features that will suit both research and pedagogical activities. Although the size of the CSFA laboratory will be limited to a proof-of-concept variety, its design will be guided by the need for future scalability in size and adaptability to new technologies.

2) To expose students to the spectrum of computer forensic tools and to the development of forensic toolkits that they can use for computer crime scene investigations.

3) To establish core forensic procedures necessary in performing thorough inspection of all computer systems and file types, in tracking offenders on the Internet, in proper evidence handling, and in working with law enforcement agencies.

4) To explore the possibility of designing a cross-disciplinary course in the area of computer network security, forensic data collection and analysis, and security audit and assessment that will involve two or more academic disciplines other than computer science.

5) To disseminate the research results and the lessons and experiences gained in designing and implementing the CSFA laboratory and the hands-on activities that evolved within it.


THE CSFA LABORATORY

The CSFA laboratory consists of five (5) desktop and two (2) notebook computers taken from previously completed grant projects. All of these computers are configured with the utmost flexibility so that they can run multiple operating systems, sit on different network interconnections, and support persistent forensic data collection and retrieval activities. The computers fall into three categories: analysis server, scratch and test workstation, and evidence collection workstation. The analysis server provides the platform for forensic analysis and investigation. The scratch and test workstation is used to simulate hacking activities and vulnerability assessment processes. The evidence collection workstation is used as a central station for forensic data collection and replication. The network infrastructure, both wired and wireless, is built from legacy devices gathered from academic computing system upgrades and from previously completed grant projects.

In addition to the computing resources described above, various versions of operating systems, tape drives, floppy drives, and portable disk drives were obtained through our reclamation effort to put old computers, systems, and peripherals to good use.

THE FORENSIC SOFTWARE TOOLS

Data Analysis Tools

Forensic data analysis is the process of revealing and discovering evidentiary information that may not be apparent or may be completely concealed. With the availability of data mining techniques, this process may also include intelligent prediction of events and attack-pattern recognition. Several data analysis tools, both open source and commercial, are available on the market. A few of these are described in the following discussion.

The Sleuth Kit and the Autopsy Forensic Browser form a collection of open source forensic tools developed by Brian Carrier. They can be used to access file systems at a low level, to search image files for data, and to view file activity. The kit, described extensively in [14], may be downloaded from the website repository at [15].

Disk Investigator is a forensic freeware utility that can gather a variety of information from a user's hard disk [4]. Disk Investigator helps discover all that is "hidden" on a computer hard disk, aids in locating sensitive data with its search and viewing functions, and displays the drive's true contents. By bypassing the operating system and directly reading raw drive sectors, Disk Investigator lets the user search file clusters for specific keywords or content. The freeware utility is available for download from [5]. A snapshot of Disk Investigator's graphical user interface (GUI) is depicted in Figure 1.

SectorSpyXP is a computer forensic tool that can be used by law enforcement or anyone wishing to search for and retrieve evidence left on computer hard drives and diskettes [4]. SectorSpyXP examines all data on a hard drive or diskette at the sector level and ships with detailed documentation on how to use it to perform a keyword search to find and retrieve incriminating evidence. It can be used to retrieve lost information, text that has been deleted and removed from the Recycle Bin, and even information not found by other file-retrieval programs. The program runs on the Windows 2000 and XP operating systems. The freeware may be downloaded from the company website at [6]. A snapshot of SectorSpyXP's graphical user interface (GUI) is depicted in Figure 2.

Figure 1. The Disk Investigator GUI
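The operation both Disk Investigator and SectorSpyXP expose through a GUI, a keyword search across raw sectors with a hex view of the hit, as an added shell example that is not part of the paper or of either tool. The disk image and the planted strings are constructed here, and `make_sample_image`, `find_keyword` and `dump_sector` are names chosen for this example; it needs GNU grep and coreutils (dd, od):

```shell
#!/bin/sh
# Added example, not from the paper: sector-level keyword search over a raw
# disk image, the operation Disk Investigator and SectorSpyXP perform through
# a GUI. Requires GNU grep (-a/-o/-b) and coreutils (dd, od).
set -eu

SECTOR=512

make_sample_image() {
  # Constructed input: 128 sectors of zeros with two text fragments planted in
  # sectors 7 and 42, standing in for residue of a deleted file.
  dd if=/dev/zero of="$1" bs=$SECTOR count=128 2>/dev/null
  printf 'meeting at the docks, bring the ledger' |
    dd of="$1" bs=$SECTOR seek=7 conv=notrunc 2>/dev/null
  printf 'ledger total 4,500' |
    dd of="$1" bs=$SECTOR seek=42 conv=notrunc 2>/dev/null
}

find_keyword() {
  # Print "sector offset-in-sector" for every match of keyword $2 in image $1.
  # -a reads the binary as text, -o restricts output to the match itself, and
  # -b then reports the byte offset of the match, which is converted to sectors.
  grep -aob -- "$2" "$1" | while IFS=: read -r off _; do
    echo "$((off / SECTOR)) $((off % SECTOR))"
  done
}

dump_sector() {
  # Hex and ASCII view of the first bytes of one sector, the raw view both
  # GUI tools offer for a hit.
  dd if="$1" bs=$SECTOR skip="$2" count=1 2>/dev/null | od -A d -c | head -n 4
}

demo() {
  img=$(mktemp)
  make_sample_image "$img"
  find_keyword "$img" ledger | while read -r sec off; do
    echo "keyword at sector $sec, byte $off:"
    dump_sector "$img" "$sec"
  done
  rm -f "$img"
}

demo
```

Run against a real image, `find_keyword evidence.dd ledger` reports every sector holding the string, allocated or not, which is exactly why these tools bypass the file system: a deleted file's clusters are still readable until they are reused.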

Disk Imaging Tools

In computer forensic analysis, it is always prudent to avoid working directly on the evidence, because physical evidence should always be held pristine. The need for an excellent disk imaging process and tools is therefore paramount. The National Institute of Standards and Technology (NIST) [7] has developed several tools for evaluating disk drive imaging tools. The Institute's requirements for disk imaging tools are:

• The tool should be able to make a bit-stream duplicate or an image of an original disk or partition.
• The tool should never alter the original disk.
• The tool should be able to log I/O errors.
• The tool's documentation should be correct.

Figure 2. SectorSpyXP GUI

The following discussions present several disk imaging tools, both open-sourceand commercial types, that can be used for evidence-on-disk preservation.

The “dd” command is one of the original UNIX utilities and is used for disk cloning or duplication (its name comes from the “DD” data definition statement of IBM's JCL rather than from “data dump”). It can extract parts of binary files, write into specified sectors of a disk, make boot images, and perform file format conversions. A summary of all “dd” options can be found in [8].
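A dd acquisition checked against the NIST requirements listed above (bit-stream copy, source left unaltered, I/O errors logged), plus the sector-range working copy and integrity check asked for in the laboratory projects later in the paper, as an added shell example that is not part of the paper. The “evidence” file is constructed, and `acquire`, `image_disk` and `image_sectors` are names chosen here; in a real acquisition the source device sits behind a hardware write blocker, which the before/after hash comparison can only check, not replace:

```shell
#!/bin/sh
# Added example, not from the paper: bit-stream acquisition with dd, checked
# against the NIST imaging requirements (bit-stream copy, source unaltered,
# I/O errors logged). Requires GNU dd and sha256sum.
set -eu

SECTOR=512

make_evidence() {
  # Constructed input: 128 sectors of zeros with a note planted in sector 10.
  dd if=/dev/zero of="$1" bs=$SECTOR count=128 2>/dev/null
  printf 'suspect note: transfer done' |
    dd of="$1" bs=$SECTOR seek=10 conv=notrunc 2>/dev/null
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

image_disk() {
  # Whole-device bit-stream copy of $1 into $2. conv=noerror keeps reading past
  # unreadable blocks and sync pads each one with zeros so every later sector
  # keeps its offset; dd's own record of the run (records in/out, any read
  # errors) is kept beside the image as its log.
  dd if="$1" of="$2" bs=$SECTOR conv=noerror,sync 2>"$2.log"
}

image_sectors() {
  # Working copy of $3 sectors starting at sector $2 of $1, written to $4.
  # skip= counts input blocks of size bs, so it is a sector number here.
  dd if="$1" of="$4" bs=$SECTOR skip="$2" count="$3" 2>/dev/null
}

acquire() {
  # Image $1 to $2; fail unless the source hash is unchanged by the run and the
  # image hashes identically. Hashing detects alteration of the source but does
  # not prevent it: a real acquisition still goes through a write blocker.
  before=$(sha256_of "$1")
  image_disk "$1" "$2"
  after=$(sha256_of "$1")
  img=$(sha256_of "$2")
  [ "$before" = "$after" ] || { echo "source changed during imaging" >&2; return 1; }
  [ "$img" = "$before" ]   || { echo "image does not match source" >&2; return 1; }
  # The recorded hash is what later working copies and reports are checked against.
  echo "$img  $(basename "$2")" > "$2.sha256"
  echo "$img"
}

demo() {
  d=$(mktemp -d)
  make_evidence "$d/evidence.bin"
  echo "image hash: $(acquire "$d/evidence.bin" "$d/evidence.dd")"
  image_sectors "$d/evidence.dd" 10 1 "$d/sector10.bin"
  echo "sector 10 holds: $(tr -d '\000' < "$d/sector10.bin")"
  rm -rf "$d"
}

demo
```

Later verification is `sha256sum -c evidence.dd.sha256` in the image directory; any working copy made from the image with `image_sectors` is analysed instead of the device itself, so the original is read exactly once.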

Acronis True Image 6.0 [12] takes an exact image of a hard disk drive or of separate partitions and performs a complete backup image or a clone of it. Acronis' technology allows creating and restoring complete disk images online from Windows, for FAT16/32 and NTFS as well as the Linux Ext2, Ext3, and ReiserFS file systems.

SafeBack [9] is used to create mirror-image (bit-stream) files of disks or disk partitions. It is a self-authenticating forensics tool that is used to create evidence-grade images of disk drives. The self-authentication (integrity preservation) of SafeBack files is achieved through the use of two separate hashing processes which rely upon the NIST-tested SHA-256 algorithm.

EnCase [10] can be used to mount images of hard drives or CDs as read-only local drives. Together with VMware [11], a virtual machine infrastructure product, EnCase enables booting and examining a computer under investigation in the state it was in when the evidence was first captured.


FORENSIC LABORATORY PROJECTS

The following laboratory projects are designed to provide hands-on training exercises in computer forensic analysis.

• Given a specific disk imaging tool, design and implement a test methodology that will provide a measure of assurance of its effectiveness. Refer to the NIST testing methodologies found in [7] for guidance.

• Given a floppy disk that contains hidden evidence material, perform a thorough data analysis and extract the hidden evidence from it.

• Given an image file that has been severely corrupted, recover parts of it through header reconstruction and, possibly, value interpolation.

• Perform an analysis of a given Ethereal log file and report all findings. (Note: the logging was done during a simulated attack on a test workstation.)

• Given a hard disk representing captured evidence material, create working copies of a) the entire disk, b) specific sectors on the disk, and c) specified files and folders on the disk. Check the integrity of the working copies.

• Perform a data analysis of a given file representing dumped system and security log files and report all findings. (Note: the log files will contain information on simulated penetration attempts and system file alterations.) Do this task separately for the Windows 2000 and Linux operating systems.

• Given a floppy disk as evidence material, recover all forensic information from this disk. This information includes, but is not limited to, deleted files, file activity timelines, file types, corrupted files, and basic file information such as size, date created, ownership, and access modifiers.

CONCLUSIONS AND FUTURE PLANS

This paper outlined the resources found in an experimental computer security and forensics laboratory and the hands-on exercises it supports. The activities and projects are designed and structured to provide practical experience while illustrating theory and possible research areas. As indicated above, the computer security and forensic laboratory can be implemented using legacy equipment that may be acquired at minimal cost.

The challenge for the authors will be the continual development of these activities and the introduction of novel practices that will leverage the availability of state-of-the-art equipment and system tools. Future work will include:

• Forensic analysis of application code
• Web services security
• Radio Frequency Identification (RFID) security
• Forensic analysis of electronic mail
• Development of advanced vulnerability assessment tools.

ACKNOWLEDGEMENTS

This paper is based upon a project partly supported by the National Science Foundation under grants DUE-9950946 and DUE-0125635. Opinions expressed are those of the authors and not necessarily of the Foundation.


REFERENCES

[1] Anderson, A., Collie, B., De Vel, O., McKemmish, R., Mohay, G., Computer and Intrusion Forensics, Artech House, 2003.

[2] Culley, A., "Computer Forensics: Past, Present, and Future," Information Security Technical Report, vol. 8, pp. 32-36, 2003.

[3] Rogers, M., Seigfried, K., "The Future of Computer Forensics: A Needs Analysis Survey," Computers & Security, vol. 23, pp. 12-16, January 2004.

[4] Schweitzer, D., Incident Response: Computer Forensic Toolkit, Wiley Publishing, Inc., 2003.

[5] website: http://ww.theabsolute.net/sware

[6] website: http://www.majorgeeks.com/download.php?det=2562

[7] website: http://www.cftt.nist.gov

[8] Siever, E., Figgins, S., and Weber, F., Linux in a Nutshell, 4th Ed., O'Reilly, 2003.

[9] website: http://www.forensics-intl.com/safeback.html

[10] website: http://www.guidancesoftware.com/products/EnCaseForensic

[11] website: http://www.vmware.com

[12] website: http://www.acronis.com

[13] Nelson, B., Phillips, A., Enfinger, F., and Steuart, C., Guide to Computer Forensics and Investigations, Course Technology, 2004.