For a long time he remained there, turning over the leaves and dried sticks, gathering what seemed to me to be dust into an envelope and examining with his lens not only the ground, but even the bark of the tree as far as he could reach.
Dr. Watson on Sherlock Holmes
Finding what you are looking for in a computer forensics investigation can be likened to the preceding quote. There are so many places to look because operating systems vary, application programs vary, and storage methods differ. Computer evidence is almost never isolated: it is the product of the stored data, the application that created the data, and the computer system on which the activity took place. Systems can be huge and complex, and they can change rapidly. Data can be hidden in several locations, and after you find it, you may have to process it to make it humanly readable.
Begin the discovery process by installing the disk in your analysis system on an open IDE port and booting the system from a floppy boot disk. Be careful not to damage the hard disk when you connect it to the IDE cable. IDE interfaces have ports for two devices on each cable; ideally, connect this drive, and only this drive, to the cable on the second IDE interface. Safer still, connect the evidence drive through a hardware write blocker, so that nothing the analysis system does can alter the original, and do the actual examination on an image rather than on the original disk. Next, identify the partitions on the drive using fdisk. Exercise caution when you use fdisk: you don't want to risk modifying the partition table or disk label. In fdisk, select the Display Partition Information option to view the name/number, volume label, size, and filesystem of every partition on the hard disk. When you are ready to start examining the imaged data, you'll have many places to explore.
The Integrated Drive Electronics (IDE) port is a system-level interface that allows the operating system to recognize a hard drive as part of the system.
To determine what it is you are looking for, you must first determine the type of intrusion or potential crime and the appropriate response. Let's start with a case that would involve the Internet and pictures. For example, an employee is suspected of illegally accessing and downloading pictures of proprietary designs from a competitor's internal website and using these designs in his own work. Due to the nature of the business, this is a serious offense and you have been called to investigate. After your imaged drive is ready to be examined, open your forensic software and start a case, as shown in the following graphic.
A utility that can be run from a bootable floppy disk that displays current disk partition information and allows you to repartition a hard disk.
When a user logs on to a Windows NT, 2000, or XP system for the first time, a directory structure is created to hold that individual user's files and settings. This structure is called the profile, and its top-level directory is given the same name as the user. The profile contains several folders and files. Because this case involves searching for images that were downloaded from the Internet, you can begin by adding evidence from the folders where such files may be stored, as illustrated in the next graphic.
Before a browser downloads a web page, it checks the Temporary Internet Files folder to see whether the content is already there, which speeds up loading. Web browsers cache the pages the user recently visited; this cached data is referred to as temporary Internet files and is stored in a folder on the user's hard drive. The HTML pages and images are kept for a set period of time, or until the cache reaches its size limit and older items are discarded.
An application that allows you to access the World Wide Web. The most common ones are Microsoft Internet Explorer and Netscape.
Sometimes, while a user is viewing web pages, other pages pop up at random. These pop-ups can result in files being written to the user's hard disk without their knowledge. For example, malicious sites can push objectionable material (that is, files) onto an unsuspecting user's computer, for instance by way of a Trojan horse, without the user ever being aware of it. The following illustration shows how the information in the Temporary Internet Files folder can be viewed through forensic software.
Space on a hard disk used to store recently accessed data in an effort to improve performance speed.
Information found in the Temporary Internet Files folder could have been unintentionally downloaded by the suspect.
For Netscape files, look in the folder C:\Program Files\Netscape\Users\username\cache. For Internet Explorer files on Windows 9x, look in C:\Windows\Temporary Internet Files; on Windows 2000 and XP the cache lives inside each user's profile, in C:\Documents and Settings\username\Local Settings\Temporary Internet Files.
temporary Internet files
Copies of all the HTML, GIF, JPG, and other files associated with the sites a user has visited on the Internet.
Besides the temporary Internet files, you may also find evidence in the History folder. The History folder contains a list of links to web pages that were visited. The following graphic shows an example of the data contained in this folder (left side of graphic). It also shows why this file may have little or no data. The History feature in Internet Explorer (right side of graphic) has an option for how long the list of visited websites should be kept. The default setting is 20 days. Computer-savvy people often change this default setting to a shorter period, or they click the Clear History button to erase where they have been before they log off the computer.
The Cookies folder is similar to the History folder. It holds cookies or information stored by Internet sites that were visited by the user. A number of utilities that work with forensic software display the contents of a cookie in an easily readable format. One such utility is CookieView, which you can download from http://www.digital-detective.co.uk/freetools/cookieview.asp .
HyperText Markup Language (HTML)
A markup language used to create web documents that are portable from one platform to another.
Many applications create temporary files when the application is installed and when a file is created. These files are supposed to be deleted after the application is installed or when you close the document, but sometimes this doesn't happen. For example, each time you create a document in Microsoft Word, the software creates a temporary file (with a .tmp extension) such as those shown in the following example. The Properties dialog box, shown on the right side of the image, indicates that the WRL3206.tmp file was created quite a while ago. Temporary files can provide useful evidence.
Small text files that are placed on your computer's hard drive when you browse a website. The file contains a simple unique number that identifies you to the website's computers when you return.
If, during your investigation of the computer, you find no history files, temporary Internet files, or temporary files in the expected folders, you can assume the data has been stored somewhere else or deliberately removed, so you'll need to dig deeper. Here are some file types you may want to look for:
Files with strange locations
Files with strange names
Filenames with too many dots, or that start with a period ( . ) and contain spaces
Files that have changed recently
mactime, included in The Sleuth Kit, is a common forensic tool used to see what someone did on a system. It creates an ASCII timeline of file activity from the modification, access, and change times of every file. Other tools are available as well. You can use X-Ways Trace to analyze a drive to locate information about Internet-related files. Such tools can be very useful in gathering evidence (such as the site visited, the date last visited, and the cache filename).
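Here is an added example, not from the book and not the code of any of the tools named above, that puts the preceding checklist into working form. It builds a constructed directory tree (every name and age in it is invented), flags files with odd names or odd locations, lists files changed recently, and prints a mactime-style timeline from each file's modification, access, and metadata-change times. The heuristics (more than two dots, a leading dot padded with spaces, a name starting with two dots, an executable extension hidden behind a harmless one, images under a system directory) are one reading of the list above, not rules taken from any particular product.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timezone

IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
SYSTEM_DIRS = {"system32", "drivers", "fonts", "spool"}
# ".exe.jpg" and friends: an executable extension tucked behind a harmless-looking one
HIDDEN_EXEC_RE = re.compile(r"\.(exe|scr|com|bat|pif|vbs|dll)\.[a-z0-9]{1,4}$", re.IGNORECASE)

# Constructed sample tree: relative path -> age of the file in seconds
SAMPLE_FILES = {
    "report.doc": 30 * 86400,
    "photo.jpg": 2 * 86400,
    ". config": 1800,                      # leading dot plus a space
    "..stash": 3600,                       # looks like the parent-directory entry
    "design.v2.final.exe.jpg": 600,        # too many dots, executable behind .jpg
    "Temp/WRL3206.tmp": 90 * 86400,        # old word-processor temp file
    "System32/drivers/vacation.jpg": 900,  # an image where images do not belong
}

def make_sample_tree():
    """Create the constructed tree in a temp directory and back-date each file."""
    root = tempfile.mkdtemp(prefix="evidence_")
    now = time.time()
    for rel, age in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(path, (now - age, now - age))     # sets atime and mtime
    return root

def name_findings(name):
    """Reasons a bare filename looks deliberately odd (empty when it looks normal)."""
    reasons = []
    if name.count(".") > 2:
        reasons.append("many dots")
    if name.startswith(".") and " " in name:
        reasons.append("hidden name padded with spaces")
    if name.startswith(".."):
        reasons.append("mimics the parent-directory entry")
    if name != name.strip():
        reasons.append("leading or trailing whitespace")
    if HIDDEN_EXEC_RE.search(name):
        reasons.append("executable extension hidden behind a benign one")
    return reasons

def location_findings(rel):
    """Flag media files sitting under directories where only system files belong."""
    parts = rel.lower().split("/")
    if os.path.splitext(parts[-1])[1] in IMAGE_EXT and SYSTEM_DIRS & set(parts[:-1]):
        return ["image stored under a system directory"]
    return []

def _walk(root):
    """Yield (relative path with '/' separators, stat result) for every file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), os.lstat(full)

def scan(root):
    """Map each suspicious file to the reasons it was flagged."""
    findings = {}
    for rel, _st in _walk(root):
        reasons = name_findings(rel.rsplit("/", 1)[-1]) + location_findings(rel)
        if reasons:
            findings[rel] = reasons
    return findings

def recent_files(root, within_seconds):
    """Files whose content changed within the last `within_seconds`."""
    cutoff = time.time() - within_seconds
    return {rel for rel, st in _walk(root) if st.st_mtime >= cutoff}

def build_timeline(root):
    """mactime-style rows (UTC time, 'mac' flags, path), oldest first:
    m = content modified, a = last accessed, c = metadata changed."""
    rows = {}
    for rel, st in _walk(root):
        for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
            rows.setdefault((int(ts), rel), set()).add(flag)
    timeline = []
    for (ts, rel), flags in sorted(rows.items()):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append((when, "".join(f if f in flags else "." for f in "mac"), rel))
    return timeline

if __name__ == "__main__":
    root = make_sample_tree()
    for rel, reasons in sorted(scan(root).items()):
        print(f"{rel}: {', '.join(reasons)}")
    print("changed in the last 24 h:", sorted(recent_files(root, 86400)))
    for row in build_timeline(root):
        print(*row)
```

To use it on real evidence, mount the image read-only and pass the mount point to scan(), recent_files(), and build_timeline() instead of the constructed tree. Read the c column with care: on Unix it is the inode change time, on Windows it is the creation time.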
Let's consider another example. Several employees in a company report that they've received e-mail messages from the support team requesting information to update the database. The e-mail instructs the user to send his logon and password back to the sender. Because IT staff would never request such information from users, you suspect that this is an attempt by an intruder to gain sensitive information. In this instance, one of the first items you may want to look at is the e-mail header. The following graphic shows an example of an e-mail header.
Data contained at the beginning of an electronic message that contains information about the message.
The e-mail header shows the path the message took from its first communication point until it reached the recipient. The first point is normally the IP address the sender's machine was using, as assigned by his or her Internet service provider (ISP). Keep in mind that a sender can insert fake Received: lines of his own before handing the message to the first real mail server, so only the lines added by servers you control or trust can be taken at face value; work downward from those. We will go through and analyze the lines in the e-mail header, so you will know how to read and interpret them.
An identifier for a computer or device on a TCP/IP network.
Before communication can begin, a software or device driver must be installed on the computer and a common method of communication or protocol determined. A protocol is a set of rules and conventions that governs how computers exchange information over the network medium. In simple terms, a protocol is the language that computers use to talk to each other. For example, if I only speak and understand English and you only speak and understand French, we will not be able to effectively communicate because we don't know what each other is saying or how to talk to each other. The same holds true for computers.
A set of rules and conventions that governs how computers exchange information over the network medium.
Computers need addresses and protocols to communicate. An IP address is an identifier for a computer or device on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. Networks using TCP/IP route messages based on the IP address of the destination. An IPv4 address is 32 bits, or 4 bytes, long and is written as four octets in dotted decimal notation, each octet a decimal number between 0 and 255. For example, 192.0.132.25 is a valid IP address. Avoid leading zeros when you write one down: some software reads an octet such as 010 as octal, so 192.010.132.25 and 192.10.132.25 may not refer to the same host.
Transmission Control Protocol/Internet Protocol (TCP/IP) network
A network that uses the TCP/IP protocol.
IPv4 address space was originally divided into five classes: A, B, C, D, and E, with the first byte of the address determining the class. Classless routing (CIDR) has since replaced classful allocation on the Internet, but you will still see the class terminology, so here is how the classes break down:
Network addresses with the first byte between 1 and 126 are Class A. Each can have about 16.7 million hosts (127 is reserved for loopback).
Network addresses with the first byte between 128 and 191 are Class B. Each can have about 65,000 hosts.
Network addresses with the first byte between 192 and 223 are Class C. Each has 256 addresses, 254 of which are usable by hosts; the first and last are the network and broadcast addresses.
Network addresses with the first byte between 224 and 239 are Class D. They are used for multicasting.
Network addresses with the first byte between 240 and 255 are Class E. They are used as experimental addresses.
Certain ranges are reserved for use on internal networks (RFC 1918). These addresses are not routed on the Internet, so finding one in a header tells you the hop was inside somebody's private network. Here are the private address ranges:
Class A: the 10.0.0.0 network (10.0.0.0/8). Valid host IDs are 10.0.0.1 through 10.255.255.254.
Class B: the 172.16.0.0 through 172.31.0.0 networks (172.16.0.0/12). Valid host IDs are 172.16.0.1 through 172.31.255.254.
Class C: the 192.168.0.0 through 192.168.255.0 networks (192.168.0.0/16). Valid host IDs are 192.168.0.1 through 192.168.255.254.
Guide to TCP/IP, Second Edition by Laura Chappell and Ed Tittel (2004) and IP Addressing and Subnetting, Including IPv6 by J. D. Wegner et al. (1999) are two useful IP addressing references.
Because of its routing ability, TCP/IP has become the protocol of choice for many internal networks as well as external networks, making it a standard. TCP/IP calls for data to be broken into packets. The packets are passed across the networks by devices called routers, which read the headers to determine whether each packet belongs to their network or should be passed on to another network. This is analogous to sending a letter, where the zip code indicates the ultimate destination. For example, when a person sends a letter from California to New York, the letter may be transported to various post offices before it actually arrives in New York. If the zip code on the letter does not match the zip code for the area in which it arrives, the letter is forwarded on until it reaches its final destination.
Internet service provider (ISP)
Provides a gateway to the Internet and other online services, primarily as a paid service.
You should also become familiar with the e-mail and web application protocols that run on top of TCP/IP. Here is a list of the most common ones you will see:
Domain Name System (DNS) resolves the names that users type into a web browser to the proper network addresses. It is most commonly used by applications to translate host and domain names to IP addresses.
File Transfer Protocol (FTP) performs basic interactive file transfers between hosts, allowing files to be uploaded and downloaded.
Simple Mail Transfer Protocol (SMTP) supports basic message delivery services between mail servers.
Post Office Protocol (POP) is used to retrieve e-mail from a mail server. It downloads the messages to the client, where they are then stored.
Internet Message Access Protocol (IMAP) allows e-mail to be accessed from a computer at home, at the office, and while traveling, without the need to transfer messages or files back and forth between computers.
HyperText Transfer Protocol (HTTP) is the low-overhead request/response protocol that web browsers use to fetch pages, images, and other files from web servers.
Unit of information routed between an origin and a destination. A file is divided into efficient-size units for routing.
That's a lot to absorb. But now we can finally make sense of the e-mail header. Let's look at it again.
Devices used to forward packets.
When a user sends an e-mail message, it is transmitted to a forwarding server or the ISP's mail server, which adds a Received: field to the top of the message header. The message then passes through additional mail servers before reaching its final destination, and each one adds its own Received: field above the one from the previous server. In the preceding example, the message has six Received: fields, meaning that it passed through six e-mail servers before reaching the recipient. Read the header from the bottom up. The bottom line starts with an X-; this entry was added by the sender's mail server and records the time (in coordinated universal time, or UTC) at which that server accepted the message from the sender. Moving up, the next X- entry shows Internet Mail Service and an ID (5.5.2657.72), indicating that the sender's mail server runs Internet Mail Service and assigned a unique ID to the message. The Received: entry several lines above shows when the next server in the relay accepted the message. Following the information up through the header, you can trace the path the message travelled through the mail servers (in this case, at wellsfargo.com). The entry at the top was inserted by the last server in the relay, just before the message was delivered to its destination. Treat the lower entries with some suspicion: anything beneath the first server you trust could have been written by the sender, and the recorded times are only as accurate as each server's clock, so a hop whose timestamp precedes the one below it points either to clock skew or to a forged line.
This header was obtained from Microsoft Outlook Express. To view header information, click the Properties of the e-mail, click the Details tab, and then click the Message Source button, as shown in the following figure.
E-mail addresses and messages are stored in a file within the mail program's folder. This file usually has a .pst (messages) or .pab (address book) extension. Depending on your e-mail software, the steps for exposing the e-mail header vary. The following link offers instructions for some of the more popular programs: http://www.spamcop.net/fom-serve/cache/19.html .
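As an added example (not from the book and not from any mail product), the following script reads Received: lines the way the analysis above does, from the bottom up, and pulls out of each hop the HELO name, reverse-DNS name, IP address, receiving server, and timestamp. It then checks each address against the RFC 1918 private ranges listed earlier, reports the address class from the first octet, and flags any hop whose timestamp precedes the hop below it. The message it parses is constructed: every host name, address, and ID in it is invented, and the example.com and example.net domains are placeholders.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: every host name, address, and ID below is invented for this example.
RAW_MESSAGE = """\
Received: from mx2.example.com (mx2.example.com [203.0.113.10])
\tby mail.example.com with ESMTP id abc123;
\tTue, 05 Apr 2005 14:03:12 +0000
Received: from relay.example.net (relay.example.net [198.51.100.25])
\tby mx2.example.com with ESMTP id def456;
\tTue, 05 Apr 2005 14:03:05 +0000
Received: from workstation17 (unknown [192.168.1.50])
\tby relay.example.net with SMTP id ghi789;
\tTue, 05 Apr 2005 14:02:40 +0000
X-Mailer: Internet Mail Service (5.5.2657.72)
From: "Support Team" <support@example.net>
To: user@example.com
Subject: Please confirm your logon
Date: Tue, 05 Apr 2005 14:02:38 +0000

Please reply with your user name and password so we can update the database.
"""

# The RFC 1918 ranges from the text; a hop stamped with one of these sits inside
# a private network (typically the sender's LAN or the ISP's internal relay).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from <helo> (<reverse-dns> [<ip>]) by <server>" as most mail servers write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def is_rfc1918(ip_text):
    """True when the dotted-decimal address falls in a private range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in PRIVATE_NETWORKS)

def address_class(ip_text):
    """Classful letter A-E from the first octet, as the text describes."""
    first = int(ip_text.split(".")[0])
    for limit, letter in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return letter
    return "E"

def parse_received(value):
    """Pull the fields we care about out of one Received: header value."""
    flat = " ".join(value.split())            # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None,
           "time": None, "private": None, "raw": flat}
    m = RECEIVED_RE.search(flat)
    if m:
        hop.update(m.groupdict())
    if ";" in flat:                           # the timestamp follows the last ';'
        hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    if hop["ip"]:
        hop["private"] = is_rfc1918(hop["ip"])
    return hop

def trace_hops(raw_message):
    """Received: hops in transit order: index 0 is the hop nearest the sender
    (bottom of the header); the last entry is the server that delivered it."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received") or [])]
    for i, hop in enumerate(hops):
        prev = hops[i - 1]["time"] if i else None
        # A hop stamped earlier than the one below it means clock skew or a forged line.
        hop["time_ok"] = prev is None or hop["time"] is None or hop["time"] >= prev
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(RAW_MESSAGE), 1):
        note = "  <-- RFC 1918 address, inside a private network" if hop["private"] else ""
        print(f"hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['time']}"
              f" class {address_class(hop['ip'])}{note}")
```

Paste a real header into RAW_MESSAGE (or read it from a file) and look first at the hop nearest the sender. A private address there means the originating machine sat behind the relay's own network, so that relay operator's logs are the next stop; a hop stamped out of order means either a badly set clock or a line the sender wrote himself.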
The Recycle Bin, present on Windows operating systems, is another place where you might find useful data. It acts as a halfway point for deleted files, so that the user can restore them if required. The Recycle Bin folder keeps an index file (INFO2 on Windows 2000 and XP) that records each file's original location and the date and time it was deleted. When the Recycle Bin is emptied, this index is deleted along with the files. You may still be able to recover a deleted file's contents if they have not been overwritten.
Most people believe that when they delete something from their computers, they actually erase the document. This is not necessarily true. On a FAT filesystem, deleting a file simply changes the first character of its directory entry to hex E5 (other filesystems, such as NTFS, mark the entry unused in their own way, with the same effect). Chapter 2, 'Preparation-What to Do Before You Start,' discussed filesystems and explained that a filesystem keeps a table of contents of the files on the disk. When a file is requested, the table of contents is searched to locate and access the file. When a file is deleted, the data is still there, but the table of contents ignores it and its space is marked as free for reuse. We used the Davory Data Recovery utility to recover deleted files from a JumpDrive. The following graphic shows the results.
As you can see, the utility recovered 186 files that we thought were deleted. It also shows the names of files that it could not recover; these were mostly unrecoverable because we had moved them rather than deleting them. When files are moved, they are simply placed elsewhere, so they still exist. This example illustrates that, even when a file has been deleted or moved, you can still find information about that file.
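An added example, not the Davory tool's own code, showing in a few dozen lines what a recovery utility does with the hex E5 marker on a FAT volume. It constructs (from scratch, with invented contents) a tiny directory table, a FAT, and a data area; parses the 32-byte directory entries without skipping the deleted ones; and then tries to carve each deleted file back out of the data area, assuming the file was stored in consecutive clusters. The carve refuses when any of those clusters has since been reallocated, which is the "not overwritten" condition the text mentions.

```python
import struct
from datetime import datetime

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # one 32-byte FAT directory entry
DELETED_MARK = 0xE5                         # first name byte of a deleted entry
ATTR_LFN = 0x0F                             # long-file-name fragments, not real entries
CLUSTER_SIZE = 32                           # tiny clusters keep the constructed image small
FIRST_DATA_CLUSTER = 2                      # FAT numbers data clusters from 2

def fat_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def fat_time(d):
    return (d.hour << 11) | (d.minute << 5) | (d.second // 2)

def from_fat(date, time):
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def make_entry(base, ext, size, cluster, when, deleted=False):
    """Build an 8.3 entry; a deleted one gets its first name byte replaced by 0xE5."""
    raw = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    t, d = fat_time(when), fat_date(when)
    return ENTRY.pack(raw, 0x20, 0, 0, t, d, d, cluster >> 16, t, d, cluster & 0xFFFF, size)

def build_sample_volume():
    """Constructed pieces of a FAT volume: directory table, FAT, and data area.
    DESIGN.JPG was deleted and its clusters are still free; OLD.TMP was deleted
    and its cluster has since been reused by NOTES.TXT."""
    when = datetime(2005, 4, 5, 14, 2, 40)
    jpg = b"FFD8-constructed-jpeg-bytes-" * 3          # 84 bytes -> clusters 2, 3, 4
    notes = b"meeting notes, still live"               # 25 bytes -> cluster 5
    directory = (make_entry("NOTES", "TXT", len(notes), 5, when)
                 + make_entry("DESIGN", "JPG", len(jpg), 2, when, deleted=True)
                 + make_entry("OLD", "TMP", 10, 5, when, deleted=True)
                 + bytes(32))                          # 0x00 first byte ends the directory
    fat = [0xFF8, 0xFFF, 0, 0, 0, 0xFFF, 0]            # index = cluster number; 0 = free
    data = (jpg.ljust(3 * CLUSTER_SIZE, b"\0")
            + notes.ljust(CLUSTER_SIZE, b"\0")
            + bytes(CLUSTER_SIZE))
    return directory, fat, data

def parse_directory(blob):
    """Walk 32-byte entries; report deleted ones instead of skipping them."""
    entries = []
    for off in range(0, len(blob), ENTRY.size):
        chunk = blob[off:off + ENTRY.size]
        if chunk[0] == 0x00:            # no entries follow
            break
        raw, attr, _r, _t, _ct, _cd, _ad, hi, wt, wd, lo, size = ENTRY.unpack(chunk)
        if attr == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        base = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                        "size": size, "first_cluster": (hi << 16) | lo,
                        "modified": from_fat(wd, wt)})
    return entries

def carve(entry, fat, data):
    """Recover a deleted file's bytes, assuming it was stored contiguously from
    its first cluster. Returns None when any of those clusters has been reused."""
    n_clusters = -(-entry["size"] // CLUSTER_SIZE)       # ceiling division
    first = entry["first_cluster"]
    needed = range(first, first + n_clusters)
    if any(c >= len(fat) or fat[c] != 0 for c in needed):
        return None
    start = (first - FIRST_DATA_CLUSTER) * CLUSTER_SIZE
    return data[start:start + entry["size"]]

if __name__ == "__main__":
    directory, fat, data = build_sample_volume()
    for e in parse_directory(directory):
        status = "deleted" if e["deleted"] else "live"
        result = carve(e, fat, data) if e["deleted"] else b"(not needed)"
        print(f"{e['name']:<12} {status:<8} {e['size']:>4} bytes cluster {e['first_cluster']}"
              f" modified {e['modified']} -> {'overwritten' if result is None else result[:24]}")
```

The directory-entry layout, the 0xE5 marker, and the date/time bit packing are the standard FAT ones; the 32-byte cluster size and seven-entry FAT exist only to keep the constructed image small. The "?" in the recovered names stands for the first character, which the deletion destroyed; a real tool either guesses it or leaves it for you to fill in.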
Let's examine one last scenario that involves password cracking to access systems. As an investigator , you should know what to look for when a system has been hacked.
Passwords are used for many purposes. Users are often untrained in methods for creating complex passwords, or they have trouble remembering more than one. Therefore, they create one easy-to-remember password and use it for everything.
Often, the password file is captured first and cracked later, offline. On a computer running Windows 98 or an earlier version, passwords are stored in a file with a .pwl extension, one per user. On Windows NT, 2000, XP, and Server 2003, local account password hashes are kept in the Security Accounts Manager (SAM) database (on a domain controller, domain accounts live in Active Directory instead). One of the most popular ways of recovering passwords from such files is a brute-force attack, usually combined with a dictionary of likely passwords. Several programs use these methods; L0phtCrack, Crack, and John the Ripper are some of the more popular ones. If you search the Internet for password-cracking tools, you might be amazed at the amount of information you can find. So, where do you look on a computer after it's been broken into? Let's start with the log files.
Systematically trying every conceivable combination until a password is found, or until all possible combinations have been exhausted.
All operating systems come with the ability to audit and log events. In the following example, the Windows computer was set up to log successful and failed logon attempts.
By examining the log, you can see that several failed attempts to log on as Administrator were made within one minute. This many failures in so short a time should alert you that someone could be trying to crack the password. Administrators frequently set the lockout threshold at three to five failed attempts; once the threshold is reached, the account is locked and further guesses are thwarted. Note that on Windows NT-based systems the built-in Administrator account is exempt from lockout by default, so watch that account especially.
Password-cracking programs have legitimate uses. For example, when a network administrator suddenly quits, is fired , or dies, a password-cracking program can allow an authorized person access to the Administrator account.
Various other logs can be reviewed to find evidence of computer entry. On Windows NT, 2000, and XP the Security event log shown above lives in %SystemRoot%\system32\config\SecEvent.Evt and is read with Event Viewer. On Linux, security logs live under /var/log (for example /var/log/messages, /var/log/secure, or /var/log/auth.log, depending on the distribution); these record root logins and the access attempts that were refused. Some other Unix systems keep their logs under /var/adm instead, for example /var/adm/messages. Remember that these paths are case-sensitive. Log files can also be found on routers, intrusion prevention systems, and intrusion detection systems. Telltale signs can appear in logs, offering strong indications that something is amiss. When you are examining security logs to trace an attempt to crack the Administrator password, look for long entries of random characters, password changes, and repeated occurrences of three dots (...). These are all suspicious. Read through the log files until you are sure you understand what has happened to a system.
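As an added example (not from the book), here is the detection logic behind the "several failed attempts within one minute" observation, run over a constructed excerpt of a Linux /var/log/auth.log; the host, addresses, and times in it are invented, and the year 2005 is assumed because syslog lines carry none. It counts failures per (user, source address) in a sliding window, raises an alert when the count reaches a lockout-style threshold, and marks whether a successful logon from the same pair followed the burst, which is the pattern that says the guessing worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog lines carry no year; assume the year of the investigation (2005 here, to match the text)
LOG_YEAR = 2005

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed /var/log/auth.log excerpt: host, addresses, and times are invented.
SAMPLE_AUTH_LOG = """\
Apr  5 14:02:39 fileserver CRON[999]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr  5 14:02:40 fileserver sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr  5 14:02:43 fileserver sshd[1201]: Failed password for root from 203.0.113.5 port 40123 ssh2
Apr  5 14:02:44 fileserver sshd[1203]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr  5 14:02:47 fileserver sshd[1201]: Failed password for root from 203.0.113.5 port 40124 ssh2
Apr  5 14:02:50 fileserver sshd[1201]: Failed password for root from 203.0.113.5 port 40125 ssh2
Apr  5 14:02:52 fileserver sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40126 ssh2
Apr  5 14:02:55 fileserver sshd[1201]: Failed password for root from 203.0.113.5 port 40127 ssh2
Apr  5 14:02:58 fileserver sshd[1203]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Apr  5 14:03:02 fileserver sshd[1201]: Failed password for root from 203.0.113.5 port 40128 ssh2
Apr  5 14:03:30 fileserver sshd[1210]: Accepted password for root from 203.0.113.5 port 40130 ssh2
""".splitlines()

def parse_auth_line(line):
    """Return a dict for sshd password events, None for everything else."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())       # collapse the day padding
    return {"time": datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
            "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert when one (user, source) pair fails `threshold` times inside a sliding
    window, and note whether a successful logon from the same pair followed."""
    events = sorted(filter(None, map(parse_auth_line, lines)), key=lambda e: e["time"])
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()                        # drop failures outside the window
            if key in alerts:
                alerts[key]["failures"] += 1
                alerts[key]["last"] = ev["time"]
            elif len(q) >= threshold:
                alerts[key] = {"user": ev["user"], "ip": ev["ip"], "failures": len(q),
                               "first": q[0], "last": ev["time"], "followed_by_success": False}
        elif key in alerts:                        # "Accepted" after a burst of failures
            alerts[key]["followed_by_success"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        outcome = "and then LOGGED IN" if a["followed_by_success"] else "no success seen"
        print(f"{a['user']} from {a['ip']}: {a['failures']} failures "
              f"between {a['first'].time()} and {a['last'].time()}, {outcome}")
```

The same approach applies to a Windows Security log: export it from Event Viewer, replace parse_auth_line() with a parser for that export format, and keep the sliding-window logic as it is. Set the window and threshold to match the lockout policy you expect the attacker to have been probing.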
Often, perpetrators use tools such as port scanners to find open ports on a system and then upload a remote access program to take control of it. The longer they go undetected, the longer they can use the system as a conduit for further attacks. When this happens, the log files may hold the evidence.
A program that attempts to connect to a list of computer ports or a range of IP addresses.
Your chances of turning up one specific piece of evidence are rarely good, so look at everything and you will usually find something. Stay well informed about recent exploit scripts and newly discovered vulnerabilities; knowing the popular means of attack helps you recognize their traces. Become familiar with how systems work, what services are running, when log entries are created, and what the log entries represent. Those are the places where evidence turns up.