Chapter 8. Forensics I


Computer forensics, sometimes referred to as cyber-forensics, is the detailed examination of computer systems in an investigation. It normally deals with storage media (such as hard and floppy disks), but it is sometimes used to refer to the examination and analysis of network logs as well. The word comes from the adjective used to describe certain legal evidence:

forensic adj. Pertaining to, connected with, or used in courts of law; suitable or analogous to pleadings in court.

forensic medicine n. Medicine in its relations to law; medical jurisprudence. [1]

[1] The Oxford English Dictionary, 2nd Edition, Oxford, Clarendon Press, 1989.

Forensics is generally now used to refer to any systematic or scientific examination of evidence in the investigation of a crime. Network analysis is discussed elsewhere in this book; this chapter and the next will generally deal with examinations on single computers only (although those examinations might include the analysis of logs contained on the computer).

Forensics is arguably the most repeatable and scientific of the incident response disciplines. There is a certain set of rules that, if followed exactly, will make the investigation straightforward and will preserve the integrity of the evidence. The methodology of a forensics examination will not change dramatically from one investigation to the next, even when the scope of the investigation or the technology changes.

Important Note

This chapter (and the next) is not designed to make anyone a forensics expert. Incident response personnel who anticipate a requirement for computer forensics are strongly urged to get proper training before undertaking any forensics task. Improperly trained personnel can, as a minimum, destroy vital data or compromise the chain of evidence such that the information is inadmissible. They can also be held liable in civil or criminal actions if the search and seizure were improperly conducted.

Incident response personnel should be trained in the immediate steps required to secure the evidence scene until properly trained and equipped personnel arrive to conduct the investigation.

Forensics is an extremely valuable tool in the investigation of computer security incidents. It can provide the investigator with direct evidence of the incident. The evidence is difficult (but not impossible) to counterfeit, allowing for a greater confidence in its authenticity. There are, of course, certain kinds of incidents that lend themselves more readily to forensic examinations.

At the risk of stating the obvious, an incident response team can only conduct forensics on those computer systems to which it has legal access. In most corporate settings, these are limited to company-owned systems. If an insider is suspected of violating acceptable-use policies, his or her corporate workstation can be examined for evidence of those violations. If the company does not own the system, law enforcement assistance (and probable cause) is required to search the home computer. In these cases, the law enforcement agency will probably do the seizure and the forensics examination.

Acceptable-use violations are especially well suited to forensics investigations. The investigator only needs to find evidence that the policy was violated. This can be as simple as an Internet cache file or the remains of an email message. Finding evidence that a computer was used to access other systems, for example, is much more difficult.

Forensics also has certain limitations. Most importantly, a forensics examination can, at best, identify the computer involved in an incident. Without additional evidence (such as eyewitnesses or physical security logs), placing a specific person at that computer is an entirely different question. This issue cannot be overstated. A forensics examination that does not also involve other corroborating evidence sources cannot be conclusive.

Although it is possible to recover some deleted files from computers, tools exist to securely delete files. A skilled attacker can clean the computer of evidence. The absence of incriminating evidence on a computer does not necessarily mean it was not involved in the incident. In some cases, the complete lack of any evidence, however, might indicate that these tools were used and might justify further examinations.

Even without the use of these tools, the evidence might be overwritten through normal usage. Internet browsers retain a history of sites they have visited for a finite period of time (typically two to three weeks). After that time, the history files are overwritten and might not be recoverable. Cache files are overwritten as needed. Windows swap files are overwritten during normal usage, and items written to memory in the swap file might not be available for examination, especially if the computer has been rebooted.

Disk and Data Structures

Disk drives are made up of platters covered in a magnetic media. A hard drive has one or more platters, arranged in a stack. The platters spin at a high rate, on the order of 7,200 to 10,000rpm. There are small sensors that read and write the data to the drive. These "heads" float on a tiny cushion of air above the platters. Hard drives are extremely sensitive to dust or shock. If the heads touch the spinning platters, it causes a "head crash" that can destroy the data on the disk. For this reason, a forensics investigator should never attempt to open or examine a hard disk without the proper tools and environment.

When the disk is formatted, the operating system divides the disk into logical, pie-shaped units known as sectors. Sectors contain a number of units called clusters. The size of a cluster is defined by the overall size of the disk and the operating system. Data is stored in these clusters. When a file is created, the operating system writes the data to the disk. It also writes the location or address of the data clusters to a special table. This table is generically called a file allocation table (FAT). When data is written, the operating system allocates clusters to the data. A cluster could, for example, be 512 bytes in size. If a 1024-byte file is created, it will use two complete clusters. If, however, a 1032-byte file is created, it will use three complete clusters, even though that will leave unused data space in the third cluster. This unused space is known as file slack.

When files are deleted, the data is not overwritten. Instead, the file system simply marks the clusters as available. The next time the system needs to create a file, it can use these clusters (or any other available clusters). Therefore, when files are deleted, the data might still be present on the disk and be recoverable by forensics tools unless it has been overwritten. Even if it has been partially overwritten, the new file might not fully use the file slack from the old file, so some fragments of data might still be present. So-called secure delete programs work by overwriting the files multiple times with random data.
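The allocation, slack and deletion behaviour described above, as an added example that is not from the book: a toy cluster-based volume with a 512-byte cluster (the chapter's figure), an allocation table, and a raw-media scan of the kind a carving tool performs. The file names, the marker string and the volume size are constructed for the illustration.

```python
CLUSTER = 512  # cluster size in bytes, matching the chapter's example

def clusters_needed(size):
    """Whole clusters a file of `size` bytes occupies (1032 bytes -> 3)."""
    return -(-size // CLUSTER)  # ceiling division

def file_slack(size):
    """Unused bytes left in the last allocated cluster."""
    return clusters_needed(size) * CLUSTER - size

class ToyVolume:
    """Raw media plus an allocation table ('FAT') and a free-cluster list."""

    def __init__(self, n_clusters):
        self.media = bytearray(n_clusters * CLUSTER)  # what the platters hold
        self.fat = {}                                 # name -> cluster chain
        self.free = list(range(n_clusters))           # clusters marked available

    def write(self, name, data):
        chain = self.free[:clusters_needed(len(data))]
        del self.free[:len(chain)]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes change; the rest of the cluster (the file
            # slack) keeps whatever bytes were already on the media.
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.fat[name] = chain

    def delete(self, name):
        # Deleting only marks the clusters available; nothing is overwritten.
        self.free = self.fat.pop(name) + self.free

    def carve(self, marker):
        """Forensic-style raw scan: every media offset where `marker` survives."""
        hits, pos = [], self.media.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.media.find(marker, pos + 1)
        return hits

def demo():
    """Delete a 1040-byte memo, then reuse its first cluster for a 5-byte note."""
    vol = ToyVolume(8)
    vol.write("memo.txt", b"CONFIDENTIAL-" * 80)  # 3 clusters, 496 bytes of slack
    vol.delete("memo.txt")
    vol.write("note.txt", b"hello")               # reuses cluster 0, 5 bytes used
    # Only the copy at offset 0 is destroyed; 79 remain in note.txt's slack and
    # in the two clusters that are still merely marked "available".
    return len(vol.carve(b"CONFIDENTIAL"))
```

A secure-delete tool, by contrast, would overwrite every cluster in the chain before releasing it, so the same scan would find nothing.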

The longer a disk is in use, however, the more likely it is that deleted files will be overwritten. Even the act of booting the machine might create temporary files that can destroy critical evidence. Preservation of the evidence requires that it be seized and protected from modification or damage as quickly as possible following the incident.

Finally, without a clear understanding of the incident and the desired outcome, it is extremely difficult to conduct a forensics examination. The investigators need to clearly understand the scope of the investigation and plan the examination clearly. For example, a user might be accused of posting insider information to a public stock forum (such as RagingBull or Yahoo!). As part of the investigation, the computer might be examined for items in the browser history that show that the user visited the site at the date and time of the posting. This could help corroborate other evidence, but the user could simply claim that he was looking at a publicly available stock forum. Unless the URLs in the history clearly delineate between the forum itself and the pages used to post or reply to messages, the evidence is inconclusive. Furthermore, the dates and times on the history files are based on the local system, while those on the posting are based on the web server. If the computer clock has been reset, no correlation is possible. The forensics examiner must plan the investigation carefully in coordination with the rest of the incident response team to narrow the search to an acceptable scope and to define what constitutes a successful (or unsuccessful) conclusion.

All this assumes, of course, that the investigator is dealing with a relatively unsophisticated user. A suspect is certainly capable of modifying or deleting log, cache, and history files. He or she can also modify the MAC (Modify, Access, Create) dates on any files. Although it might be possible to use data-recovery tools to retrieve some of these deleted files, they can be overwritten or deleted beyond recovery by a skillful user.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
