Chapter 9: Identification of Data

The Internet—friend or enemy? The popularity of the Internet has grown at incredible rates and today it reaches into the hearts of many corporations and households worldwide. The Internet gives computer users access to a wealth of information. It is also a wonderful mechanism for the exchange of e-mail communications and file attachments globally. International boundaries no longer exist when it comes to the exchange of information over the Internet. This new technology has proven to be ideal for international commerce and has the potential to be a valuable communications tool for exchange of law enforcement and government information. However, the Internet also provides the crooks with communication capabilities that did not exist previously. Through the use of a modem and with just a few clicks of a mouse, criminals can share information worldwide. It is sad but very true. Cyber crime has become a reality in our modern world.

More and more, law enforcement agencies are encountering computers at crime scenes. These computers are used to store the secrets of criminals and are also used in the commission of crimes. Internet-related crimes are clearly on the rise and abuses of corporate and government Internet accounts by employees are becoming commonplace. For example, one recent case involved an employee of a large corporation. He was using his corporate Internet account, on company time, to run his side business. What a deal—thanks to the Internet, he had two day jobs. To make matters worse, he was also using the corporate computers on company time to view and download pornographic images from the Internet. In another case, a law enforcement management official destroyed his 15-year law enforcement career when he was caught using a law enforcement computer to download pornography from the Internet. Just recently, law enforcement officials in Herndon, Virginia were requesting help in the investigation of the rape of a young girl. The girl had been lured from an Internet chat room to meet the rapist at a shopping mall. When the rapist was finally caught, his computer contained crucial evidence in the case.

The law enforcement community is starting to effectively deal with computer-related criminal investigations. Funding is finally being focused on the creation of local and state computer crime units. Law enforcement training organizations such as the National White Collar Crime Center, Search Group, International Association of Computer Investigation Specialists, and the Federal Law Enforcement Training Center are training hundreds of law enforcement computer specialists each year. Some of these training efforts are being directed at Internet-related crimes and more training emphasis will be placed on this important technology issue in the future.

Now, let’s look at how keeping an accurate and consistent sense of time is critical for many computer-forensic-related activities such as data identification. In other words, being able to investigate incidents that involve multiple computers is much easier when the timestamps on files (identified data) and in logs are in sync.

It seems that, although every computer has a clock, none of them appear to be synchronized—unless the computer in question is running the Network Time Protocol (NTP). With NTP, you can synchronize against truly accurate time sources such as the atomic clocks run by NIST, the U.S. Naval Observatory, or counterparts in other countries around the world.


NTP is a protocol of the TCP/IP suite (it runs over UDP) that ensures accurate local timekeeping with reference to radio, atomic, or other clocks located on the Internet. This protocol is capable of synchronizing distributed clocks to within milliseconds over long periods of time. It is defined in STD 12, RFC 1119, which describes NTP version 2; version 3, the one the xntp package implements, is RFC 1305. The package that implements the latest version of NTP is called xntp, and was developed at the University of Delaware. You can obtain the latest version of xntp via anonymous ftp to in the file /unix/xntp/xntp-src.tar.Z. You may also find binary distributions there. Filenames for binary distributions are of the form xntp-VERSION-OSNAME.tar.Z (the binary distribution for SunOS, for example, is named xntp-3.4h-sunos4.tar.Z).


File names and URLs can change without notice!

So, what does accurate timekeeping have to do with computer forensics? Keeping a consistent sense of time is critical for many computer-forensic-related activities.

Financial organizations rely on accurate timekeeping to order and audit their transactions. Many authentication systems, Kerberos being the most prominent example, use time-limited tickets to control access to systems and resources; Kerberos rejects requests whose timestamps differ from the server's clock by more than a configured skew, five minutes by default. Investigating incidents that involve multiple computers is much easier when the timestamps on files and in logs are in sync.

NTP began as a tool that permitted researchers to synchronize workstation clocks to within milliseconds or better. With the growth of the Internet, the mechanisms that enabled NTP clients and servers to securely exchange time data have gone from sufficiently secure to not nearly secure enough. A new version, NTP 4, seeks to fix that, while providing a model for automatic configuration and key exchange. Let’s take a look at time-synchronization systems, and how you can securely use them to set all your clocks accurately.

Time Matters

Why bother having accurate clocks? Isn't the one that comes in your desktop PC or your Sun Enterprise server adequate? The answer is that accurate timekeeping is a specialized science, practiced by hundreds of scientists around the world, and the paltry clock chip in your PC or expensive server winds up being a bit less accurate than your Swatch watch, for several reasons.

Computer clocks, like most electronic clocks, count the oscillations of a quartz crystal and calculate the passing time from that count. Not all quartz crystals are the same to begin with, but put one inside a computer that runs hot and then cools down whenever it is turned off, and the crystal's frequency tends to wander with the temperature. Also, Unix systems base their notion of time on interrupts generated by the hardware clock. Delays in processing these interrupts cause Unix system clocks to lose time: slowly, but erratically. Time scientists distinguish the two effects: short-term, sample-to-sample variation is jitter, and slow drift of the frequency itself is wander. NTP has to cope with both.

Over time, scientists and programmers have developed different techniques for synchronizing clocks over TCP/IP or other network protocols. The Time protocol (RFC 868, port 37) provides a server's notion of time as a single 32-bit count of seconds, and there is also an Internet Control Message Protocol (ICMP) timestamp message. Though these remain available Internet standards, neither resolves time finely enough, or accounts for network delay well enough, for accurate timekeeping, and both are considered out of date. The Unix rdate command, which uses the Time protocol, permits setting a local clock from a remote server. There are also modem-based programs that dial NIST time servers and fetch a time message (along with an estimate of round-trip time to account for latency), which you can still use today.

The NTP software includes drivers for a large number of devices—radios that listen to time signals such as WWV, Global Positioning System (GPS) receivers, and even atomic clocks—that serve as references for stratum-one servers. The University of Delaware site includes lists of stratum-one servers in the United States; you can also find stratum-one servers through Web search engines.


WWV is a radio station operated by NIST that maintains an atomic clock used by the scientific community.

Below stratum-one servers are many stratum-two servers, stratum-three servers below those, and so on. NTP stratum numbers run from 1 to 15 (a stratum of 16 means a server is not synchronized at all), and being closer to the top implies being closer to the most accurate source of time. To improve each server's notion of time, servers in the same stratum may peer (that is, act as equals) and perform the same timestamp exchanges done by NTP clients. NTP servers and clients do not blindly accept another system's notion of time, even from a source claiming a lower (better) stratum number. For a long while, this was NTP's only security provision.

Clock Filters

Automatically accepting another system’s statement about the current time can be harmful: Suppose the timekeeping system has been taken over by an attacker who needs to turn back the clock so that a replay attack can function. NTP guards against this in several ways.

First, NTP assumes that time moves forward, not backward, and prefers to slew the local clock (run it slightly fast or slow until the error is gone) rather than step it; only small backward corrections are tolerated. Also, once a system has been running NTP, the software expects further corrections to be small, generally well under a second: ntpd slews offsets below 128 milliseconds, steps the clock for larger ones, and by default refuses to act at all on an offset above 1000 seconds. This makes taking control of a local clock, or making a large change to it, literally a time-consuming process; even a one-second correction is a big deal.

NTP goes beyond this by collecting timestamps from many different servers (and peers, if appropriate). For each source NTP maintains a queue, generally of eight samples, and applies carefully designed algorithms to compute the best approximation of the true time. The sample taken over the shortest round trip is preferred, because queuing in the network can only add delay, and the outliers (the timestamps with the largest divergence) are discarded. The remaining set of samples is then used to calculate what the local clock should read. On Unix systems, a special system call, adjtime(), makes small adjustments to system time. With multiple sources, the influence of a single compromised timeserver (a falseticker, in NTP jargon) is rejected, as long as the honest sources (truechimers) form a majority. You can also modify the configuration of ntpd to mark a timeserver as untrusted, and list the timeservers and peers you do trust.
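The following is an added example, not code from the book or from the xntp/ntpd distribution. It shows, in plain Python with timestamps as floating-point seconds rather than NTP's 64-bit fixed-point format, how a client turns the four timestamps of one exchange into an offset and round-trip delay, keeps a queue of eight samples per source and prefers the sample with the shortest delay, and then applies a simplified version of the intersection algorithm to reject a falseticker. The servers, their offsets and the delay spike are constructed for the demonstration; the falseticker reports a time one hour in the past, as a compromised server supporting a replay attack might.

```python
"""Added example: NTP offset/delay computation, clock filter, and a simplified
intersection (truechimer/falseticker) selection.  Not the ntpd source."""
from collections import deque

FILTER_SIZE = 8  # ntpd keeps the last eight samples from each source


def offset_and_delay(t1, t2, t3, t4):
    """One client/server exchange.  t1: client sent the request, t2: server
    received it, t3: server sent the reply, t4: client received the reply.
    Returns (offset of the server's clock relative to ours, round-trip delay)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def exchange(t1, true_offset, out_delay, back_delay, processing=0.001):
    """Constructed exchange: synthesise the four timestamps for a server whose
    clock is true_offset seconds ahead of ours, given the one-way delays."""
    t2 = t1 + out_delay + true_offset
    t3 = t2 + processing
    t4 = t1 + out_delay + processing + back_delay
    return t1, t2, t3, t4


class ClockFilter:
    """Per-source sample queue.  The sample with the smallest delay wins:
    queuing in the network only ever adds delay, so it is the least disturbed."""

    def __init__(self):
        self.samples = deque(maxlen=FILTER_SIZE)

    def add(self, t1, t2, t3, t4):
        self.samples.append(offset_and_delay(t1, t2, t3, t4))

    def best(self):
        return min(self.samples, key=lambda sample: sample[1])


def select_truechimers(estimates):
    """Simplified intersection algorithm.  estimates: {name: (offset, delay)}.
    Each source asserts that the true offset lies within delay/2 of its estimate.
    Find the point covered by the most intervals; if that is a majority, the
    sources covering it are truechimers and the rest are falsetickers."""
    intervals = {name: (off - dly / 2.0, off + dly / 2.0)
                 for name, (off, dly) in estimates.items()}
    best_point, best_cover = None, 0
    for point in sorted(p for lo, hi in intervals.values() for p in (lo, hi)):
        cover = sum(1 for lo, hi in intervals.values() if lo <= point <= hi)
        if cover > best_cover:
            best_point, best_cover = point, cover
    if best_cover * 2 <= len(intervals):
        return [], []  # no majority agrees: refuse to touch the clock
    truechimers = sorted(name for name, (lo, hi) in intervals.items()
                         if lo <= best_point <= hi)
    falsetickers = sorted(set(intervals) - set(truechimers))
    return truechimers, falsetickers


def combine_offset(estimates, truechimers):
    """Final correction: offsets of the survivors, weighted by 1/delay."""
    if not truechimers:
        return None
    weights = {name: 1.0 / max(estimates[name][1], 1e-6) for name in truechimers}
    total = sum(weights.values())
    return sum(estimates[name][0] * weights[name] for name in truechimers) / total


def demo():
    """Constructed scenario: our clock is 10 ms slow against three honest
    servers, and a fourth server has been taken over and reports a time one
    hour in the past."""
    servers = {"a": 0.010, "b": 0.010, "c": 0.010, "evil": -3600.0}
    filters = {name: ClockFilter() for name in servers}
    for i in range(FILTER_SIZE):
        t1 = 100.0 + i * 64.0                    # one exchange per 64-second poll
        out_delay = 0.065 if i == 3 else 0.015   # one asymmetric delay spike
        for name, true_offset in servers.items():
            filters[name].add(*exchange(t1, true_offset, out_delay, 0.015))
    estimates = {name: f.best() for name, f in filters.items()}
    truechimers, falsetickers = select_truechimers(estimates)
    return truechimers, falsetickers, combine_offset(estimates, truechimers)


if __name__ == "__main__":
    print(demo())  # (['a', 'b', 'c'], ['evil'], 0.01)
```

The asymmetric spike in sample 3 biases that sample's offset by half the extra delay, which is why the filter keeps the shortest-delay sample rather than averaging. Note the refusal path: with two sources that disagree there is no majority, and a real client should keep its clock rather than pick one at random.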

By the late 1980s, version 2 had been released. NTP 2 added message authentication based on a shared secret key: a keyed hash (a message authentication code, not a public-key digital signature) appended to each packet, so that servers and peers could authenticate NTP data and an attacker could not spoof packets without knowing the key. This matters because NTP uses UDP packets (on port 123), which are easy to spoof because of their stateless nature (no connection setup, as in TCP). Note that the shared key authenticates a packet but does not encrypt it, and anyone who learns the key can forge packets at will.
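As an added example (not from the book or from ntpd), the block below builds a minimal 48-byte NTP version 3 client request, appends the symmetric-key authenticator ntpd uses with MD5 (a 4-byte key ID followed by the MD5 digest computed over the secret key and then the packet), and verifies it on the receiving side, rejecting a packet whose transmit timestamp was altered in flight, one signed with the wrong secret, and one with no authenticator at all. The key ID 42 and the secret are made-up key material for the demonstration; the digest construction is ntpd's, which is a key-prefixed hash rather than HMAC, so the keys must be kept secret and rotated.

```python
"""Added example: NTP v3 request with symmetric-key (MD5) authenticator and
its verification.  Key ID and secret are constructed for the demo."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
HEADER_LEN = 48
MAC_LEN = 4 + 16                # key ID + MD5 digest


def to_ntp_timestamp(unix_seconds):
    """Float Unix time to NTP's 64-bit fixed point: 32-bit seconds, 32-bit fraction."""
    whole = int(unix_seconds)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def build_request(transmit_time, version=3):
    """48-byte NTP header for a client (mode 3) request.  Only the transmit
    timestamp carries information; the other fields are zero or nominal."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 4, -20)  # stratum 0, poll 2^4, precision 2^-20
    header += struct.pack("!II", 0, 0)                     # root delay, root dispersion
    header += b"\x00" * 4                                  # reference ID
    header += b"\x00" * 24                                 # reference, origin, receive timestamps
    header += to_ntp_timestamp(transmit_time)              # bytes 40..47
    assert len(header) == HEADER_LEN
    return header


def authenticate(packet, key_id, key):
    """Append ntpd's MD5 authenticator: key ID, then MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(packet_with_mac, keys):
    """keys: {key_id: secret}.  Returns (authentic, key_id_seen)."""
    if len(packet_with_mac) < HEADER_LEN + MAC_LEN:
        return False, None                     # unauthenticated or truncated
    body = packet_with_mac[:-MAC_LEN]
    key_id = struct.unpack("!I", packet_with_mac[-MAC_LEN:-16])[0]
    mac = packet_with_mac[-16:]
    key = keys.get(key_id)
    if key is None:
        return False, key_id                   # unknown key ID: not trusted
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac), key_id  # constant-time compare


def demo():
    """Genuine packet, altered packet, wrong-key packet, no-MAC packet."""
    keys = {42: b"example-shared-secret"}      # constructed key material
    when = 1_700_000_000.25
    genuine = authenticate(build_request(when), 42, keys[42])
    ok_genuine, _ = verify(genuine, keys)
    forged = bytearray(genuine)
    forged[40] ^= 0x01                         # flip a bit in the transmit timestamp
    ok_forged, _ = verify(bytes(forged), keys)
    wrong_key = authenticate(build_request(when), 42, b"attacker-guess")
    ok_wrong_key, _ = verify(wrong_key, keys)
    ok_unauth, _ = verify(build_request(when), keys)
    return ok_genuine, ok_forged, ok_wrong_key, ok_unauth


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

In ntpd terms the receiver's `keys` dictionary corresponds to the keys file plus the `trustedkey` list; a packet whose key ID is not trusted is treated the same as one with a bad digest.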


Version 4 of NTP is (most likely) still an Internet draft. Working versions of NTP 4 are being tested, and version 4 may have entered the IETF standards track by the time you read this book. (It was eventually published as RFC 5905, with the autokey protocol described in RFC 5906.)

The most interesting aspects of version 4 are the security improvements. A scheme called autokey uses public key algorithms combined with a list of one-way hashes. When a client contacts an NTP server, the client can collect a certificate that contains the server's public key and independently verify it. Then, using the enclosed public key, the client can check the server's signature over a list of key IDs. Each key ID selects a session key, and the session keys are used for a quick MD5 message-digest check on ordinary packets, the same kind of keyed-hash check as the shared-key authentication of earlier versions.

Signing every timestamp with public key cryptography is simply too slow. Public key algorithms aren't only slow (compared to symmetric algorithms such as RC4 or a keyed MD5), their running time is also inconsistent, varying by as much as a factor of two from one operation to the next, something very unpleasant for those obsessed with keeping accurate time. Using the list of key IDs reduces the need for a public key operation to about once an hour on average.
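The two paragraphs above describe why autokey signs a list of key IDs rather than every packet. The block below is an added example of that idea, not the RFC 5906 wire format and not ntpd code: the server derives a list of 32-bit key IDs by repeated one-way hashing, signs only the last one, and then reveals the list in reverse order; the client checks each new key ID by hashing it and comparing with the ID it already trusts, so one public-key verification covers the whole list. Because the point is how often the signature is needed, the `sign`/`verify_signature` pair is a stand-in (a keyed hash under a constructed secret) for the server's real public-key signature, and the seed value is fixed so the run is reproducible.

```python
"""Added example: autokey-style reverse hash list.  Simplified model, not the
RFC 5906 format; sign()/verify_signature() stand in for a public-key signature."""
import hashlib
import hmac
import os


def next_key_id(key_id):
    """One-way step: the first 32 bits of MD5 over the current 32-bit key ID."""
    digest = hashlib.md5(key_id.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def make_key_list(length, seed=None):
    """Server side: a list of key IDs, each the hash of the one before it."""
    key_id = seed if seed is not None else int.from_bytes(os.urandom(4), "big")
    ids = [key_id]
    for _ in range(length - 1):
        key_id = next_key_id(key_id)
        ids.append(key_id)
    return ids


# Stand-in for the server's public-key signature (assumption for this example;
# real autokey uses a signature the client checks against the server's certificate).
SIGNING_SECRET = b"stand-in-for-server-private-key"


def sign(key_id):
    return hmac.new(SIGNING_SECRET, key_id.to_bytes(4, "big"), hashlib.sha256).digest()


def verify_signature(key_id, signature):
    return hmac.compare_digest(sign(key_id), signature)


class Client:
    """Tracks the key ID currently trusted and how each acceptance was checked."""

    def __init__(self):
        self.trusted = None
        self.signature_checks = 0
        self.hash_checks = 0

    def accept(self, key_id, signature=None):
        """Accept a key ID because it is signed (the list anchor) or because
        hashing it reproduces the key ID already trusted (the cheap path)."""
        if self.trusted is None or signature is not None:
            self.signature_checks += 1
            if signature is None or not verify_signature(key_id, signature):
                return False
        else:
            self.hash_checks += 1
            if next_key_id(key_id) != self.trusted:
                return False
        self.trusted = key_id
        return True


def demo(length=16):
    """Server reveals the list from the end; only the first revealed ID is signed."""
    ids = make_key_list(length, seed=0x12345678)   # fixed seed: constructed demo
    client = Client()
    results = [client.accept(ids[-1], sign(ids[-1]))]
    for key_id in reversed(ids[:-1]):
        results.append(client.accept(key_id))
    bogus = client.accept(0xDEADBEEF)              # attacker's ID does not chain
    return all(results), bogus, client.signature_checks, client.hash_checks


if __name__ == "__main__":
    print(demo())  # (True, False, 1, 16)
```

Revealing the list backwards is what makes it safe: an eavesdropper who sees key ID k cannot compute the next one the server will use, because that would require inverting the hash, while any client can confirm k by hashing it forward to the ID it already holds.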

Version 4 also supports the Diffie-Hellman key exchange for peers, so that peers can agree on shared session keys without ever sending them over the network. Multicast updates of clients are also supported and use the client/server autokey mechanism for setting up security.

Next, let's look at how trade secret information and other sensitive data can be identified, and how easily it can be hidden using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions.
