15.6 Evidence Recovery

15.6 Evidence Recovery

Recovering digital evidence such as deleted system or network log files from a server involves the techniques provided in Part 2 of this text. Deleted system log fragments can be found in unallocated space by searching for characteristics such as the date or message fields (e.g. "Mar 3," "LOGIN"). Also, it may be possible to repair corrupt UNIX "wtmp" log files or NT Event log files or at least extract some useful information from uncorrupted portions. Notably, it is possible for the "wtmp" file to become corrupted in a way that is not obvious and, when processed uncritically, can associate the wrong user account with the wrong connection. This emphasizes the importance of verifying important log entries before using them to form conclusions.

It is also be possible to recover digital evidence from network traffic. Network traffic relating to a single machine may contain e-mail communications, downloaded files, Web pages viewed, and much more. Interesting items can be recovered from network traffic by extracting individual packets and combining them. For instance, Figure 15.4 shows a network sniffer called Ethereal being used to reconstruct a TCP stream and display the contents of the communication. In this instance, the connection was a request to a Web server for a JPEG image. In this process of reconstruction, Ethereal takes data collected on the physical layer, extracts only the relevant packets from the transport and network layers, and displays the application layer protocol; a HTTP GET request for one image on a Web page.

Figure 15.4: Ethereal (www.ethereal.com) used to reconstruct a TCP Stream relating to one component of a Web page being downloaded.

Ethereal was not designed with evidence collection in mind but it is still useful for examining network traffic. The "Save As" option at the bottom right of the screen can be used to save the data to a file that can be opened with a Web browser, image viewer, or some other suitable software. However, the resulting exported file often contains data that prevent other programs from displaying the file correctly (such as the HTTP request data in Figure 15.4). Although this gives a sense of what communication was occurring, it does not show data as the user saw them.

Other tools for examining network traffic can reconstruct and display files from packets in network traffic more effectively. For instance, NetIntercept provides an images view that arranges all graphics files extracted from network traffic in a gallery or thumbnail arrangement, allowing digital evidence examiners to view them more efficiently. NetIntercept and similar tools can also reconstruct Web pages, enabling digital evidence examiners to view pages as the user saw them, as discussed in Chapter 16. Different network traffic analysis tools can reconstruct and display different types of data including e-mail, FTP, and Instant Messenger with varying degrees of success. So, when an individual downloads a compressed file from an FTP server or IRC, it may be desirable to recover this file from a network capture and examine its contents. Certain data formats are harder to reconstruct from network traffic, requiring special purpose tools. For instance, Review has a module for interpreting and displaying X sessions as detailed in Chapter 4 of the Handbook of Computer Crime Investigation (Romig 2001).

Some commercial tools (e.g. NetIntercept, NetDetector^[8]) have many more analysis features and some are even marketed as digital evidence processing tools. The visualization capabilities of these tools help make examinations of digital evidence from networks more efficient. Regardless of the tool used, when collecting and analyzing network traffic using these systems, digital investigators must take some additional steps to document important details that are not recorded by these tools - such as the MD5 value of tcpdump files containing network traffic, the number of packets dropped, and actions taken by the examiner during analysis of data (i.e. no logs of examiners' actions are created by these tools).

^[8]http://www.niksun.com