SUMMARY

As previously explained, computer forensics involves the preservation, identification, extraction, and documentation of computer evidence stored in the form of magnetically encoded information (data).^[iv] Many times the computer evidence was created transparently by the computers operating system and without the knowledge of the computer operator. Such information may actually be hidden from view and, thus, special forensic software tools and techniques are required to preserve, identify, extract, and document the related computer evidence. It is this information that benefits law enforcement and military agencies in intelligence gathering and in the conduct of investigations.

Computer forensic software tools and methods can be used to identify passwords, computer network log-ons, and other information that is transparently and automatically transferred from the computers memory to floppy diskettes, Iomega Zip Disks, and computer hard disk drives. Such computer forensic software tools and methods can also be used to identify backdated files and to tie a floppy diskette to a specific computer.

Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions.

The final part of this chapter discussed a deterrence-based approach as an element of an overall cyber defense strategy. The need for timely and unequivocal identification of attackers is essential for such an approach to be effective. Unfortunately, the technical basis for such identification has not received much attention to date from the research and development community. In addition, there may be some complicating factors for the implementation of the type of identification and forensics capability discussed in this chapter, such as the widespread move to encryption. However, until research and development resources are committed to investigation of the relevant issues, the extent of the challenge cannot be fully understood.

Conclusions Drawn from Identification of Data

• The hiding of data in computer graphic files (steganography)

• Detection of steganography and watermarks

• Steganography jamming techniques and theory

• Data written to ‘extra’ tracks

• Data written to ‘extra’ sectors

• Data written to hidden partitions

• Data stored as unallocated space

• Massive amounts of data written to file slack areas

• Data hidden by diffusion into binary objects, Windows swap, and Windows page files

• Hidden disks within disks

• Floppy diskette data storage anomaly detection

• Data scrubbing of ambient data storage areas. These security processes are especially helpful when computers are transferred from one user to another.

• Data scrubbing of entire storage devices using methods that meet current DoD security requirements

• Shadow Data issues are a potential risk.

• The appending of data to program files, graphics files, and compressed data files. This method is simple and very effective.

• Electronic eavesdropping techniques, threats, risks, and remedies

• Covert capture of keystrokes via hardware and radio interception

• Tempest issues regarding the capture of computer screen images remotely

• Electronic eavesdropping techniques concerning cellular telephones

• Electronic eavesdropping techniques concerning personal pagers

• Search methodologies for use in the identification of foreign language phrases in binary form stored on computer media

An Agenda for Action in Identification of Data

The following is a provisional list of actions for identification of data. The order is not significant; however, these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these identification of data topics have been mentioned in passing already:

1. Should you use NTP for security reasons? Really, the better question is why aren’t you using NTP now? SNTP clients are easy to set up and install. You can even set up your own stratum-one servers, slaving them to accurate time sources.

2. WWV broadcasts time signals over short wave, so this information is available worldwide. You can buy special radios that interpret these signals and send them out on serial (and even parallel) cables^[v] to the computers that will serve as your top stratum. The Canadian Bureau of Standards uses a Pentium system with a 90MHz processor as one of its servers, as running NTP and providing timestamps really don’t require a fast processor or loads of memory, just a tiny hard drive to hold the software and the operating system.

3. Use GPS devices. GPS relies on accurate timekeeping for calculating position and movement. GPS devices are fairly inexpensive, although you’ll want to buy ones that already have drivers written for them.

4. Remember to have multiple sources. Note that most Cisco Systems^[vi] routers and switches come with NTP software and are ready for use as NTP servers. (You should disable this service if you’re not using it.)

5. Keeping all your systems synced to accurate time is not a luxury. Good timekeeping is important to many security functions, such as electronic transactions, certain authentication systems, and, in particular, any forensics activity that might ever be required of you. If you find yourself comparing logs from disparate systems, you’ll be exceedingly grateful that you decided to implement NTP.

^[iv]John R. Vacca, The Essential Guide To Storage Area Networks, Prentice Hall, 2002.

^[v]John R. Vacca, The Cabling Handbook, 2nd Edition, Prentice Hall, 2001.

^[vi]John R. Vacca, Planning, Designing, and Implementing High-Speed LAN/WAN with Cisco Technology, CRC Press, 2002.