Information can be retrieved from many hardware devices, even those not normally associated with a storage function. Devices built for storage (such as hard drives, CD-ROMs, and floppy disks) hold information that remains intact. By comparison, devices such as keyboards, monitors, and printers do not permanently store data. These devices are used to send data to and receive data from the computer. After the computer is turned off, these devices do not store information. However, a trained computer forensic investigator using specialized techniques can find data or evidence on these devices even after they have been turned off.
Because technology is constantly changing, keeping up-to-date on new types of devices and methods of communication is important. You also need to determine which of these technologies and devices are permitted in the organization being investigated, because employees frequently add their own devices as a matter of convenience and intruders will use them as a method of gathering information.
Many of the terms used for computers actually describe the capability, use, or size of the computer. Even though the word 'computer' can apply to just about any device that has a microprocessor in it, most of us think of a computer as a device that processes what we input using a keyboard or a mouse and then displays the result on our screen.
One of the first items on your planning agenda should be to list all of the types of input/output (I/O) devices used in the organization. This list will provide information on what tools will be needed to analyze information. It will also give you a good idea of what areas may be susceptible to intrusion and need more monitoring.
input/output (I/O)
Data transfer that occurs between the thinking part of the computer, or CPU, and an external device or peripheral. For example, when you type on your keyboard, the keyboard sends input to the computer, which in turn outputs what you type on the screen.
In the early days of computing, mainframes were the main method of storing and processing data. They were huge computers that could fill an entire room. Although the power of computers has increased, the size of computers has decreased. Many mainframes have been replaced by enterprise servers, although you'll still find mainframes in use, particularly in large companies.
server
A computer that has the capacity to provide services to other computers over a network. Servers can have multiple processors, a large amount of memory, and many hard drives.
Servers can play various roles. By identifying the role that each server plays, you can more easily determine which tools you'll need.
Common server roles include application, file, web hosting, print, e-mail, and FTP. You should also determine where the server is situated. Is it accessed from the internal network only, from the external world, or both? This helps identify its vulnerabilities, as well as protective measures that should be in place on the server. This is important because, due to the anonymity of networks and the Internet, attacks on all types of servers are increasing. The reasons for such attacks can be attributed to anything from simple curiosity to malicious intent.
The term workstation used to refer to extremely powerful desktop computers most often used by research and development teams. Because technology has advanced so rapidly and a lot of processing power can be packed into a small machine, workstation is often used interchangeably with personal computer (PC) or desktop.
workstation
A desktop computer that has enhanced processing power, memory, and capabilities for performing a special function, such as software or game development.
desktop
A PC designed to be set up in a permanent location because the components are too large to easily transport.
Although they can also be used as stand-alone systems, such as in a home environment, workstations or PCs are typically linked together to form a local area network (LAN). The following illustration shows the relationship between a server and the workstations on a LAN.
You should have an inventory of the workstations in the building, and you should also know who is using workstations from home to connect to the network.
In today's mobile society, telecommuting has become a way of life. Telecommuting saves overhead and energy costs. Many organizations hire contractors without providing workspaces for them in their offices. This is an important factor to keep in mind. Everyone has heard horror stories about people hacking into corporate networks through home computers.
personal computer (PC)
A personal computer intended for generic use by an individual. PCs were originally known as microcomputers because they were built on a smaller scale than the large systems most businesses used.
A very notable case is that of ex-CIA director John Deutch. He had over 17,000 pages of classified documents on unsecured Macintosh computers in two of his homes. National security secrets were stored where almost anyone could access them. The computers, designated for unclassified use only, were connected to modems and regularly used to access the Internet and the Department of Defense (DoD). Family members were also allowed to use the computers. Additionally, unsecured classified magnetic media were found in Deutch's residences. A team of data recovery experts retrieved the data from Deutch's unclassified computers and magnetic media. The results of the inquiry were submitted to CIA senior management.
Deutch pled guilty to keeping government secrets on unsecured home computers in exchange for receiving no prison time. Deutch was pardoned by President Bill Clinton hours before his presidency ended.
Workstation security is often overlooked. Yet this is one of the areas that can easily attract intruders because it is often the path of least resistance to deploying an attack.
Personal digital assistants (PDAs) can also be referred to as palmtops, pocket computers, or handhelds. The two major categories they fall into are handheld and palm-sized. The differences between the two are size, display, and method of data entry. Handheld computers tend to be larger, with larger liquid crystal displays (LCDs), and might use a miniature keyboard in combination with touch-screen technology for data entry. Palm-sized computers are smaller and lighter with smaller LCDs and stylus/touch-screen technology or handwriting recognition programs for data entry. They can also have voice recognition technologies. A typical PDA can function as a cellular phone, fax, web browser, and personal organizer. The following illustration shows two typical PDAs.
personal digital assistant (PDA)
A tightly integrated handheld device that combines computing, Internet, and networking components. A PDA can use flash memory instead of a hard drive for storage.
PDAs are designed to work in conjunction with your desktop or laptop. The communication between the PDA and PC is typically done through a serial or USB port on the PDA. Some PDAs can rest in a stand while they are hooked up to the PC. Besides being able to communicate through a cable, PDAs can use an infrared (IR) port, wireless methods, or telephone modem accessories to transfer data.
PDAs, Palm Pilots, and pocket PCs are all mobile devices. They are very susceptible to theft because they are small, valuable, and frequently contain important information about a company. Many of them use wireless or infrared technology so that any data they transfer can be intercepted if it is not protected.
PDAs are one of the fastest-selling consumer devices in history. You should know if they are used on the network because malicious individuals can use them to transfer sensitive information for later use.
floppy drive
A drive accessible from the outside of the computer into which you can insert and/or remove a floppy disk. One floppy disk holds up to 1.4MB of data.
Many other devices can be used to transport or transmit data. They mainly consist of removable media. When you think of removable media, you probably think of floppy disks or CDs and DVDs, which are used in floppy drives and CD/DVD-ROM/RW drives, respectively. However, you should be aware of other devices and determine if any of them are being used.
CD/DVD drive
A drive accessible from outside the computer that is used to read and/or write CDs and DVDs. A compact disc (CD) can store huge amounts of digital information (783MB) on a very small surface. CDs are incredibly inexpensive to manufacture.
Zip disks are slightly larger than conventional floppy disks, and they are about twice as thick. Jaz or Zip disks can be carried in your shirt or blouse pocket and can hold much more data than floppies.
Zip drives and disks come in three sizes: 100MB (which holds the equivalent of 70 floppy disks), 250MB, and 750MB. Zip drives can be used for exchanging large files with someone, putting a system on another computer (such as a laptop computer), and keeping certain files separate from files on a hard disk (for example, hacking utilities). The following illustration shows a Zip drive.
Zip drive
A small, portable, high-capacity floppy disk drive developed by Iomega Corporation and used primarily for backing up or archiving PC files.
A Jaz drive cartridge holds the equivalent of more than 700 floppies. In addition, the Iomega Zip drive comes with a software utility that allows you to copy the entire contents of a hard disk to one or more Zip disks.
Iomega's Jaz drives back up more data and are more sophisticated than Zip drives, but they can be used for the same purposes. The Jaz 2GB drive uses 2GB cartridges, but it also accepts the 1GB cartridge used by the original Jaz. The backup program has a security feature that limits access to the cartridge by using a password. The password is stored on the Jaz media, and the method used to encrypt the password is very weak. To obtain the encryption password, you simply need to issue od -c at a command prompt on the backup file. The password is the first nonzero block past the description (and a 001) and usually resides around offset 0470 (octal). You will learn about passwords, encryption, and decryption in Chapter 7, 'Passwords and Encryption.'
Jaz drive
A true, replaceable hard disk. Each Jaz cartridge is basically a hard disk, with several platters, contained in a hard, plastic case.
The computer forensics expert must always follow the Scout motto, 'Be prepared!'
While working with a group of computer forensics specialists who were preparing for a trip to a 'far off land' to recover information of 'interest to the nation,' we organized a list of every item that might possibly be needed during their extended stay. The team was assembled based on each member's unique talents and skills. We brainstormed for days, running through every possible scenario we could imagine to determine how best to prepare for the upcoming mission.
The team developed a list incorporating all the normal items you would expect such a trip to require, including strong, secure shipping containers, appropriate commercial forensics recovery tools, a collection of various-sized hard drives, commercial hard drive duplication hardware, and adapters to read an assortment of different forms of media. We collected a copy of each operating system that we anticipated seeing in the field as well as an assortment of application CDs and a variety of other software.
We conducted an intensive 'ramp up' training program to bring all team members 'up to speed' and 'on the same page' with the policies and procedures required for this mission. Each team member was instructed on the legal limits and requirements for conducting searches and seizing evidence in this foreign location. Everyone was reminded that any evidence located might be used in court proceedings at a later date. Everyone was ready to go. We had planned for every possible contingency.
With all the preparation completed and the equipment safely packed away, the team departed for their new assignment, confident they had the training, equipment, and resources necessary to accomplish their mission. The team arrived on site and began to set up their lab equipment in a safe and secure location to protect their equipment and to preserve the integrity of any evidence they processed . Members of the team were assigned to test the equipment and ensure everything was working properly. Other team members were dispatched to locate potential evidence to bring back to the lab for analysis.
Within a few days the team had begun to locate items of interest and began conducting forensics analysis of computers and hard drives. Each case was fully documented and each investigation appeared to be running smoothly. All the prior planning appeared to be paying off and every part of the operation was running successfully. And then, right on time, Mr. Murphy made his much anticipated appearance!
With every well-conceived plan, something always seems to go wrong. Usually it is something very small, something that typically would cost only a minor amount of time and money to fix, had we considered it before the team left home. It is usually something so superficial no one has anticipated it could occur. And, as usual, it was something so important that the team was stopped dead in their tracks until the problem was solved.
After all the planning, all of the training, and all of the preparation, we had forgotten one very important piece of equipment required to complete the mission. We forgot something so old and so outdated that most team members had never even seen one, let alone used one. We had forgotten that in this part of the world not every piece of computer equipment gets updated every 18 months. We had made the cardinal mistake of not fully understanding the environment in which the investigation would be taking place. We had not shipped all the equipment that the team would need. We had forgotten a very simple item.
In this part of the world, the old 5 1/4-inch floppy disks can still be found in use; and the team had located a large collection of these disks that very possibly contained evidence linked to the investigation. The team had no blank 5 1/4-inch media on which to copy the evidence and, of course, no 5 1/4-inch disk drives were in any of the computers in the lab. Even the training had not covered this issue and the younger members of the team had to be instructed in the proper technique for write-protecting these disks to safeguard evidence. New 5 1/4-inch media had to be flown in from another country along with properly working new 5 1/4-inch disk drives. While this issue did not stop the team from ultimately accomplishing their mission, it did cause a minor delay in processing very time-critical information.
What can be learned from this? No matter how much planning and preparation you do for a case, something usually pops up for which you are not equipped. It certainly is nice when you can run down to your local computer superstore and buy whatever you need; but sometimes you will just have to make do until proper supplies arrive. Planning is important, but so is another skill that the Scouts might just want to add to their list: the ability to improvise.
As a rule, these drives are external in that they sit next to your computer and are attached to it by a cable. However, some computers come equipped with an internal Zip or Jaz drive.
Networked printers, webcams, networked fax machines, and networked copiers also have vulnerabilities that can lead to data exposure or denial of service. They can be used as gateways for attacks on other systems. These types of I/O devices are often taken for granted, and their security is rarely questioned. Sometimes organizations use the same printers to print sensitive documents that they use to print public documents, such as announcements for company parties. Don't forget about these types of devices when you inventory the environment.
Frequently, employees just assume that it's okay to install a device on the network or their PC. Such unauthorized installations present security issues to an organization. Once you have inventoried the approved devices in use in the organization you're investigating, it's time to look for installed hardware that has not been approved. You might be surprised at what you will find.
Modems are used via the phone line to dial into a server or computer. Wireless modems convert digital data into radio signals and convert radio signals back into digital signals. Modems are gradually being replaced by high-speed cable and digital subscriber line (DSL) solutions, which are faster than dial-up access.
modem
A shortened version of the words modulator-demodulator. A modem is used to send digital data over a phone line. The sending modem converts data into a signal that is compatible with the phone line, and the receiving modem then converts the signal back into digital data.
However, plenty of modems and modem pools or banks can still be found in corporations and small office/home office environments. Most companies use modems for employees to dial into the network and work from home. These modems are usually configured to be available for incoming calls. War dialing attacks take advantage of these situations and target connected modems that are set to receive calls without any authentication.
War dialing was extremely popular years ago. However, because newer technologies have replaced connected modems that are set to receive calls without any authentication, this may be an unlikely threat for a LAN. It just depends on how advanced an organization's technology is.
Cable and DSL modems are more popular these days. These devices are not prone to dial attacks, but they present a danger because they maintain an always-on connection to the Internet. Cable modems enable Internet access through shared cable medium, which means everything that travels to and from a connected machine can be intercepted by other cable users in the area.
Key loggers record and retrieve everything typed, including e-mail messages, instant messages, and website addresses. To install the hardware key logger, you unplug the keyboard cable from the back of the PC, plug it into one end of the key logger, and then plug the other end back into the PC. See the following graphic for a visual of Allen Concepts' KEYKatcher-mini product.
key logger
Device that intercepts, records, and stores everything that the user types on the keyboard into a file. This includes all keystrokes, even passwords.
On June 16, 2004, Peter Borghard, a former network administrator at Netline Services, Inc., a Manhattan-based Internet service provider, was sentenced in Manhattan federal court to five months in prison and five months of home confinement. He was ordered to pay $118,030 in restitution, stemming from his electronic attack on Netline's computer system in January 2003.
Borghard was Netline's computer systems administrator between June and the end of October 2002. He left the company abruptly and without explanation at the end of October 2002. Shortly after quitting, he demanded back salary he claimed that Netline owed him. Netline refused to pay and, in December 2002, Borghard sued Netline to collect approximately $2,000. On two separate dates in January 2003, Netline experienced computer intrusion attacks on its network. The first attack took place on January 15, 2003, and it temporarily crippled the system. Netline's system was down, and its customers were denied e-mail service for approximately 15 hours. On January 25, 2003, Netline was hit with another electronic intrusion and attack.
In the course of the investigation, computer forensics analyses conducted by the FBI revealed that, although Netline's attacker had attempted to erase all electronic traces of his identity, the attacks on Netline's system could be linked by certain computer records to other computers outside Netline that were in use or otherwise controlled by Borghard. Among those outside computers was a computer that was unnoticed but nevertheless being operated by Borghard. It was in Borghard's former cubicle at a company where Borghard had worked prior to joining Netline.
On February 10, 2004, Borghard pled guilty to a felony charge of computer intrusion, admitting that he had committed the attacks on Netline.
As you can see from this case, knowing who has access to what machines is important. The fact that Borghard still had control of a computer at a former place of employment is astounding, yet it happened. Cases have been documented where former employees have accessed networks well after a year past their termination.
(Photograph Courtesy of Allen Concepts, Inc. 2004, www.keykatcher.com)
Key loggers are used by organizations for the following reasons:
As a tool for computer fraud investigations
As a monitoring device for detecting unauthorized access
To prevent unacceptable use of company resources
As a backup tool
So why are they on the list of unauthorized hardware? Simply put, anything can be used for bad intent, and unauthorized individuals can use them to capture logins and passwords. Unless an organization has a policy for using them, they should not be on a network.
Key logging is not restricted to hardware alone. A variety of key logging software programs are readily available on the Internet.
Software key loggers are easier to detect as time goes on because the log files grow. You'll eventually be able to tell when one is being used because available hard-drive space will decrease.
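One concrete way to act on the symptom just described, written here as an added example rather than text or code from the book: take a snapshot of file sizes on the suspect workstation at each visit and flag any file that has grown at every snapshot. The scratch directory, the file names and the .cache/sysdata.log path are constructed for the demonstration and are not real indicators; on a live system you would point snapshot_sizes at the user's profile or the whole volume and keep the snapshots between visits.

```python
import os
import tempfile
from typing import Dict, List


def snapshot_sizes(root: str) -> Dict[str, int]:
    """Map every regular file below root to its current size in bytes."""
    sizes: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.path.getsize(path)
            except OSError:
                continue  # file removed between listing and stat; skip it
    return sizes


def steadily_growing(snapshots: List[Dict[str, int]], min_growth: int = 1) -> List[str]:
    """Return the files whose size rose by at least min_growth bytes between
    every consecutive pair of snapshots. A file missing from any later
    snapshot drops out, so only persistent, continuously growing files remain."""
    if len(snapshots) < 2:
        return []
    candidates = set(snapshots[0])
    for prev, cur in zip(snapshots, snapshots[1:]):
        candidates = {
            path for path in candidates
            if path in cur and cur[path] - prev[path] >= min_growth
        }
    return sorted(candidates)


def demo() -> List[str]:
    """Constructed scenario: one document that never changes and one hidden
    log that is appended to before every snapshot. Returns the flagged
    paths relative to the scratch directory, using forward slashes."""
    with tempfile.TemporaryDirectory() as root:
        hidden = os.path.join(root, ".cache", "sysdata.log")  # constructed name
        os.makedirs(os.path.dirname(hidden))
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("quarterly figures\n")
        snapshots: List[Dict[str, int]] = []
        for visit in range(3):
            with open(hidden, "a") as fh:
                fh.write("batch %d of captured keystrokes\n" % visit)
            snapshots.append(snapshot_sizes(root))
        flagged = steadily_growing(snapshots)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in flagged]


if __name__ == "__main__":
    print(demo())
```

Legitimate files (system logs, browser history, mail stores) grow steadily too, so the output is a list of leads for the investigator to open and read, not proof of a key logger; raising min_growth or adding more snapshots narrows the list.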
On March 7, 2003, Ko Hakata, 35, a former computer software developer, and Goro Nakahashi, 27, a businessman, were accused of theft and illegally accessing information on the Internet. The Metropolitan Police Department arrested the two men on suspicion of stealing 16 million yen through an online banking scheme that might involve hundreds of victims.
The scheme started when the two secretly installed key catcher software onto computers at Internet cafes. They visited the cafes every couple of weeks to acquire the PINs and passwords of Internet users who had visited the cafes and typed their information into the computers. On September 18, Hakata allegedly used a computer and Internet connection at a cafe in Tokyo's Shibuya Ward to access the accounts at a foreign bank of five self-employed people. Using stolen passwords, Hakata allegedly withdrew about 16.5 million yen from the five accounts and deposited the money in an account created under a fictitious name. Nakahashi then withdrew the money from the account. Police indicated that this case could be the tip of an iceberg.
Police refused to say when the two men, who haven't been charged, were detained. They also would not comment on what happened to the money that was not withdrawn by Nakahashi. If charged with theft, they could face up to 10 years in prison.
Police said Hakata has admitted to paying Nakahashi 1 million yen for his help and spent the remainder on such things as betting on horse races. He also reportedly told police that he recorded so much personal information that it became difficult to keep count of it all. The suspects had installed the software in about 100 computers at 13 Internet cafes since 2001. Police seized 719 ID numbers and passwords from the homes of the two suspects. According to police, Hakata had 720 debit and credit card numbers and the profiles of 195 female users, who had accessed a dating site, in a file he had stored on the Internet, when the police arrested him. They suspect Hakata of being involved in additional crimes.
Besides key loggers and modems, you could find a myriad of unapproved and potentially dangerous devices on an organization's network. The technologies behind many of them will be discussed in the next section. Here is a list of some of the devices:
A Syquest SyJet drive has similar capabilities as the Jaz drive; however, it has a 3.5-inch removable cartridge that holds 1.5GB of data.
A Lexar Media JumpDrive allows you to plug into a USB port and save up to 512MB of data. Sizes vary, but the drives are typically affordable and no software is required. They are easily portable.
A Pockey drive holds 20GB of data and fits in the palm of your hand.
A microdrive is a tiny hard drive built into small cards that can hold anywhere from 340MB to 30GB of data. It is about the size of a matchbox.
A portable laptop drive can be only 1 inch thick and weigh less than 12 ounces, yet it can store 60GB.
The common factor in all of these devices is that they are small, hold a lot of data, and are easy to transport. Knowing if they are being used on a network can be almost impossible because they are easy to conceal, and their data transfer rates are quite fast. Corporate policy should address the use of these devices.
As new technologies emerge, so do ways for intruders to infiltrate networks. Because technology is always changing, you have to evaluate new technologies before the devices appear on networks. You should spend some time reading about these new technologies as they are developed.
In the early days of computing, each computer came with a limited number of ports to which you could attach devices. Printers connected to parallel printer ports, and most computers had only one port. Modems used the serial port, but so did Palm Pilots and digital cameras. Most computers had two serial ports. New technology was needed to allow for all of the I/O devices people wanted to attach to their computers. All computers now come with one or more Universal Serial Bus (USB) connectors on the back. USB connectors let you attach devices to your computer quickly and easily. Compared to other ways of connecting devices to your computer, USB devices are quite simple. Some of the USB devices that can be attached to your computer are printers, scanners, mice, modems, and storage devices.
Universal Serial Bus (USB)
A connectivity standard that allows for the connection of multiple devices without the need for software or hardware.
You might need to attach more devices to a computer than you have USB ports to attach them. Purchasing an inexpensive USB hub will allow you to connect your additional USB devices to your computer. The following illustration depicts a USB hub.
The USB standard supports up to 127 devices, and USB hubs are a part of the standard. A hub typically has four ports, but it can have many more. Just plug the hub into your computer's USB port, and then plug your devices into the hub.
You can add dozens of available USB ports on a single computer by chaining hubs together using USB cables.
USB standard version 2, which was released in April 2000, can support data rates up to 480Mbps.
USB devices are also hot pluggable. This means they can be attached to and ejected from the computer without turning off the system. No special settings are necessary. Many of the USB devices that hold data are quite small. For example, JMTek offers a USBDrive that is small enough to fit on a key ring. You just plug it into your USB port. The operating system recognizes it immediately, allowing you to transfer files at your convenience. When you're done, simply eject the drive, plug it into another system, and transfer the files from the USB drive to the system. The following is a photo of the drive.
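The chapter's method is to inventory the approved devices first and then look for hardware that was never approved. The following is an added example (not code from the book, JMTek, or any USB tool) that applies that method to the device list a Linux host enumerates: it parses lsusb-style lines and reports every device whose vendor:product ID is absent from the approved inventory. The sample lines, every ID and device name in them, and the approved list are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the line format that lsusb prints on Linux
# ("Bus BBB Device DDD: ID vvvv:pppp description"). Every vendor:product
# ID and device name below is made up for this example.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 0000:0001 Example Root Hub
Bus 001 Device 002: ID 1111:2222 Example Keyboard
Bus 001 Device 003: ID 3333:4444 Example Four-Port Hub
Bus 001 Device 004: ID 5555:6666 Example Flash Drive 512MB
Bus 002 Device 001: ID 0000:0001 Example Root Hub
"""

# Approved inventory from the planning step, keyed by vendor:product ID.
# Constructed; a real list comes from the organization's hardware inventory.
APPROVED: Dict[str, str] = {
    "0000:0001": "root hub",
    "1111:2222": "standard-issue keyboard",
}

Device = Tuple[str, str, str, str]  # (bus, device, id, description)
LINE_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4}) ?(.*)$")


def parse_lsusb(text: str) -> List[Device]:
    """Turn lsusb-style output into (bus, device, id, description) tuples,
    ignoring any line that does not match the expected format."""
    devices: List[Device] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            devices.append(match.groups())
    return devices


def unapproved_devices(text: str, approved: Dict[str, str]) -> List[Device]:
    """Devices whose vendor:product ID is absent from the approved inventory."""
    return [dev for dev in parse_lsusb(text) if dev[2] not in approved]


def report(text: str = SAMPLE_LSUSB, approved: Dict[str, str] = APPROVED) -> List[str]:
    """Human-readable lines for the investigator's notes."""
    return ["Bus %s Device %s: %s (%s)" % dev for dev in unapproved_devices(text, approved)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

On a live host you would pass the real output of the lsusb command to report instead of the constructed sample. Two points from the surrounding text matter for interpreting the result: a hub is enumerated as a device of its own, so hubs belong in the approved inventory too, and because devices can be attached and ejected without a reboot, a single listing shows only what is plugged in at that moment; the kernel's hotplug log is what gives the timeline between visits.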
(Photograph Courtesy of JMTek Corporation 2004)
FireWire was originally developed by Apple and now has become the official IEEE 1394 industry standard with more than 60 vendors belonging to the 1394 Trade Association. FireWire has a bandwidth nearly 30 times greater than USB 1, making it the ideal interface for transferring extremely large data files. It supports up to 63 devices on a single bus with speeds of up to 400Mbps for IEEE 1394a and 800Mbps for IEEE 1394b. Connecting to a device is similar to using USB.
FireWire
An IEEE 1394 technology that is a high-performance, external bus standard that supports data transfer and multimedia.
Just like USB, FireWire is plug-and-play compliant and hot swappable, meaning you can connect and disconnect devices without shutting down your computer.
Because this technology is ideal for high-quality digital, video, and audio, using it is an ideal way to store pornography or proprietary company designs. It can also be used as an additional computer storage peripheral, allowing large amounts of data to be copied and then removed. The EZQuest Cobra+ Slim FireWire/USB is a good example of a FireWire hot-pluggable drive. It is only 1/2 inch thick and weighs 0.7 pounds, yet it offers up to 100GB of storage space. It can copy a 170MB multilevel file directory in 25 seconds.
In order to use the drive, you simply connect one of its two IEEE 1394 interfaces to the port on your notebook. Just as with many of the USB devices, FireWire hard disk drives hold large amounts of data in a small amount of space.
Standard cables and connectors replace the variety of I/O connectors used by consumer electronics equipment and PCs. FireWire cable is similar to 10BaseT Ethernet cable, which is used to connect computers; however, it is much more flexible. It can accommodate different data types and topologies in alternative networking systems.
Bluetooth was named after Harald Bluetooth, the king of Denmark in the late 900s. It doesn't require any special equipment to work. The devices simply find one another and begin communicating.
Bluetooth
A standard developed to allow various types of electronic equipment to make their own connections by using a short-range (10 meter) frequency-hopping radio link between devices.
Bluetooth operates on a frequency of 2.45GHz, which is the same radio frequency band as baby monitors, garage door openers, and newer cordless phones.
The design process makes sure that Bluetooth and other devices don't interfere with one another. Bluetooth uses a technique called 'spread-spectrum frequency hopping.' This means a device will use randomly chosen frequencies within a designated range and hop or change from one range to another on a regular basis. Bluetooth transmitters change frequencies 1,600 times every second.
In addition to the new technologies we have already discussed, a few others are worth mentioning, especially wireless. The world of wireless is rapidly expanding, and you may find yourself investigating issues that involve capturing data through wireless devices. Here are brief descriptions of some of those technologies:
802.1x is a standard developed for wireless local area networks (WLANs). It utilizes port-based network access control. Current standards range from 802.11a to 802.11j.
Infrared (IR) transmissions use an invisible light spectrum range for device communication so the devices have to be in direct line of sight with each other.
I-Mode is NTT DoCoMo's mobile Internet access system that originated in Japan.
BlackBerry is an end-to-end wireless solution developed by Research In
These technologies make our lives easier, yet they can pose a great threat to a network environment. A wireless device advertises that it is out there, making it easy for an intruder to pick up and monitor.