Computer Forensics

Computer forensics is the process of investigating a computer system to determine the cause of an incident. Part of this process may include formal evidence-gathering procedures. Forensics also involves collecting and interpreting computer media for evidence and for root cause analysis. Root cause analysis is the process of determining the most basic condition or situation that caused the incident. A root cause analysis may uncover, for example, that a security breach was actually caused by a security update that was improperly applied.

Evidence in an investigation may come from physical media such as a hard disk, from system logs, or from the output of forensics software. The investigative process requires a special understanding of the evidentiary process used in legal proceedings. The process of performing a computer forensics analysis will be briefly covered in this section. This section is not intended to make you an expert in the process, and it won't give you the tools necessary to conduct a forensics evaluation. It does, however, explain the process, and it will help you understand what is occurring.

Warning 

Forensic investigations require special training and skills. Do not attempt to conduct a forensic investigation if law enforcement is involved or legal action is contemplated. Use an outside expert in the area to perform the investigation. A single mistake in this process can cause evidence to become inadmissible and worthless.

In the following sections, the general structure of a forensic investigation is presented. This structure is what law enforcement agencies will use in conducting an investigation, and it is relevant to the task of a computer forensics investigation.

Methodology of a Forensic Investigation

The methodology of most forensic investigations can be thought of as the three A's:

  • Acquire the evidence.

  • Authenticate the evidence.

  • Analyze the evidence.

In each of these steps, the important thing is that the evidence not be altered or damaged in any way. If that occurs, using this information in a legal proceeding may not be possible. Rules of evidence require strict adherence to these principles. This section describes these steps in more detail.

Acquiring the Evidence

Acquiring the evidence refers to the process of gathering data from disk media, RAM, and system logs. Forensics experts assemble a suite of software programs, called a toolkit, to assist in an investigation. The toolkit contains a variety of tools, including disk unerase programs, memory dump programs, text and image viewers, and document search tools. Toolkits are generally OS-specific: a toolkit built for one operating system, such as Windows 2000, will not work on another, such as Linux.

Many incidents that occur on a computer system, especially Internet attacks, leave traces only in system RAM (running processes, open network connections) while the system is running. If the power is turned off, that evidence is lost because memory is reinitialized. In the case of hard drives, preserving evidence is somewhat easier, although write caches, buffers, and other in-memory state that has not yet been committed to the disk are lost when a system is powered down.

Forensics experts disagree on the best way to begin an investigation conducted on a live system. Some investigators will immediately pull the plug in order to freeze the state of the drives. Some investigators will logically shut the system down, and others will leave the system powered up.

Pulling the plug freezes the disks in the state they were in when the power was removed. This can leave disks corrupted and valuable data lost, because not all data has necessarily been written to disk: systems normally cache disk writes and commit them to the media over time, and cutting power before that data has been "flushed" leaves files incomplete or corrupted. Shutting the system down logically ensures that the disks will not be corrupted, but it too can cause data to be lost: malicious code resident only in memory disappears, and a logic bomb planted in the shutdown sequence might destroy evidence. Leaving the system powered on allows the volatile data to be collected, but with a caveat: on a compromised system the utilities and tools used to examine it may not accurately report the true state of the machine, and every command run on the live system alters that state. In any case, the acquisition of evidence must be thoroughly documented as part of the investigation. Storage of and access to the collected information is governed by the chain of custody, which is described in the Chain of Custody section below.

Authenticating the Evidence

Authenticating the evidence is the process of proving that evidence presented is the evidence collected in an investigation. For evidence to be usable, a process must be established to verify that the evidence presented to a court is the same evidence that was collected at the crime scene. This is especially true in the case of electronic media. It is much more difficult to alter a paper document than it is to alter an electronic file. In the evidentiary process, a forensics investigator must be able to prove that the data being presented as evidence is the same data that was collected on the scene.

Most forensic investigators use cryptographic hashing and time stamping to preserve and authenticate data. MD5 and SHA are hash functions, not encryption algorithms: the investigator computes a hash of each file and of the complete drive image at the time of collection, records the values together with a timestamp, and recomputes them later to show that not a single bit has changed. A matching hash helps prove to a court that the evidence was not tampered with. MD5 is now known to be vulnerable to collisions, so a SHA-2 hash such as SHA-256 should be recorded as well wherever tools still expect MD5. A digital signature or a trusted timestamp over the recorded hash strengthens the proof further.
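As an added example (not code from the study guide), the following Python script ties the acquisition and authentication steps of the two preceding sections together: it copies the source media to an image file in one pass while computing MD5 and SHA-256, records the hashes with a UTC timestamp in a manifest, re-verifies the written image against the source hashes, and shows that flipping a single bit in the image is caught on later re-verification. The "device" is a constructed temporary file standing in for real media, and the manifest layout, function names and chunk size are assumptions.

```python
"""
Disk-image acquisition with hash-based authentication (added example).

Models the steps the text describes: copy the source media bit-for-bit to an
image file while hashing, record the hashes with a UTC timestamp in a
manifest, and re-verify the image later. The "device" is a constructed
temporary file standing in for e.g. /dev/sdb; the manifest format is an
assumption.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads (assumed; large enough to keep a disk busy)


def hash_file(path):
    """Hash a file with MD5 and SHA-256 in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source_path, image_path, manifest_path):
    """Copy source to image while hashing the source as it is read.

    Opening the source read-only is not a substitute for a hardware write
    blocker, but it guarantees this tool itself never writes to the media.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # flush the image before we hash it independently
    manifest = {
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "md5": md5.hexdigest(),        # kept for tools that still expect MD5
        "sha256": sha256.hexdigest(),  # the value to rely on; MD5 is collision-weak
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    # Re-read the written image: its hash must equal the hash of what was read.
    if hash_file(image_path)["sha256"] != manifest["sha256"]:
        raise RuntimeError("image hash does not match source; acquisition failed")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """True only if the image still matches the hashes recorded at acquisition."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    current = hash_file(image_path)
    return (current["sha256"] == manifest["sha256"]
            and current["md5"] == manifest["md5"]
            and os.path.getsize(image_path) == manifest["bytes"])


def demo():
    """Acquire a constructed 'device', verify, flip one bit, verify again."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "fake_sdb")  # constructed stand-in for real media
    image = os.path.join(workdir, "evidence.dd")
    manifest = os.path.join(workdir, "evidence.json")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # odd size: last chunk is partial
    acquire_image(device, image, manifest)
    intact = verify_image(image, manifest)
    with open(image, "r+b") as f:               # flip a single bit in the image
        f.seek(777)
        b = f.read(1)
        f.seek(777)
        f.write(bytes([b[0] ^ 0x01]))
    tampered = verify_image(image, manifest)
    return intact, tampered  # (True, False)


if __name__ == "__main__":
    print(demo())
```

The manifest is the artefact that goes into the case notes; in practice the hashes in it should also be signed or recorded in a separate custodian log, since a manifest that lives beside the image can be rewritten together with it.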

Analyzing the Evidence

Analyzing the evidence is the most challenging and interesting part of the forensics process. To accomplish an analysis, you must understand the operating system and applications that you are investigating. In some cases, you will be looking for hidden files, partition files, and other system files. Never do this on the drive or device that you will be using as evidence: work on a verified bit-for-bit duplicate, and attach the original only through a write blocker. You also want to make sure that you do not write data to the disk, as this may destroy evidence by overwriting previously deleted files. You can frequently recover deleted data with the proper utilities. Utility programs, such as Norton Unerase, are very valuable in the data recovery process on Windows-based systems.

Note 

Most operating systems do not erase a file's data when the file is deleted. The operating system usually removes, or marks as free, the entry in the file allocation table (FAT) or equivalent directory structure that points to the location where the file starts on the disk; the file's contents remain on the disk until that space is reused.
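As an added example (not code from the study guide), the following Python script illustrates the note above and the way unerase tools exploit it: a constructed toy filesystem (a directory table of fixed-size entries followed by 512-byte data blocks; an assumption chosen for illustration, not a real FAT layout) has a file "deleted" by zeroing its directory entry, and the data is then recovered by signature carving, that is, searching the raw image for a known file header and its matching trailer. Names, signatures and layout constants are assumptions.

```python
"""
Recovering a "deleted" file by signature carving (added example).

The toy on-disk format is constructed for illustration: one directory block
of 32-byte entries (name, start block, length), then 512-byte data blocks.
Deleting a file zeroes its directory entry only; the data blocks stay put,
so a carving pass over the whole image still finds the file.
"""
BLOCK = 512
ENTRY = 32        # name(24) + start_block(4) + length(4), big-endian
DIR_BLOCKS = 1    # the directory table occupies the first block


def build_image(files):
    """Return an image for a list of (name, data) tuples."""
    directory = bytearray()
    data = bytearray()
    next_block = DIR_BLOCKS
    for name, content in files:
        directory += name.encode().ljust(24, b"\0")
        directory += next_block.to_bytes(4, "big") + len(content).to_bytes(4, "big")
        padded = content + b"\0" * (-len(content) % BLOCK)
        data += padded
        next_block += len(padded) // BLOCK
    directory = directory.ljust(DIR_BLOCKS * BLOCK, b"\0")
    return bytes(directory + data)


def delete_file(image, name):
    """Simulate deletion: zero the directory entry, leave the data blocks alone."""
    img = bytearray(image)
    for off in range(0, DIR_BLOCKS * BLOCK, ENTRY):
        if img[off:off + 24].rstrip(b"\0") == name.encode():
            img[off:off + ENTRY] = b"\0" * ENTRY
            return bytes(img)
    raise FileNotFoundError(name)


def list_files(image):
    """What a normal directory listing would show."""
    names = []
    for off in range(0, DIR_BLOCKS * BLOCK, ENTRY):
        name = image[off:off + 24].rstrip(b"\0")
        if name:
            names.append(name.decode())
    return names


# Header/trailer signatures an unerase or carving tool looks for (real magic bytes).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, kind, max_len=1 << 20):
    """Find each header, then the nearest trailer after it, ignoring the directory."""
    header, trailer = SIGNATURES[kind]
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(trailer, pos + len(header), pos + max_len)
        if end != -1:
            found.append(image[pos:end + len(trailer)])
            pos = image.find(header, end + len(trailer))
        else:
            pos = image.find(header, pos + 1)
    return found


def demo():
    # Constructed sample files: a PNG-shaped blob and a PDF-shaped blob.
    png = SIGNATURES["png"][0] + b"\0" * 600 + SIGNATURES["png"][1]
    pdf = SIGNATURES["pdf"][0] + b"1.4 constructed pdf body " * 30 + SIGNATURES["pdf"][1]
    image = build_image([("photo.png", png), ("memo.pdf", pdf)])
    after_delete = delete_file(image, "photo.png")
    # The directory no longer lists photo.png, yet carving recovers it byte for byte.
    return {
        "listed": list_files(after_delete),
        "recovered_png": carve(after_delete, "png"),
        "recovered_pdf": carve(after_delete, "pdf"),
        "png_intact": carve(after_delete, "png") == [png],
    }


if __name__ == "__main__":
    r = demo()
    print(r["listed"], r["png_intact"], len(r["recovered_pdf"]))
```

Header-to-trailer carving assumes the file was stored contiguously; a file whose blocks were fragmented, or whose tail was partly overwritten by a later file, needs the filesystem's own allocation metadata (or format-aware parsing) to reassemble, which is why real unerase tools read the FAT directly rather than only scanning for signatures.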

Throughout this process, you should keep a diary of the things you try to do and the things you discover on the disk. The diary will help you remember, in sequential order, the steps you took to gather information in the analysis process.

Chain of Custody

The chain of custody is the log of the history of evidence that has been collected. This log should catalog every event from the time the evidence is collected. A proper chain of custody ensures and demonstrates that the evidence is trustworthy. This log should minimally contain information to answer the following questions:

  • Who collected the evidence?

  • How and where was the evidence taken?

  • Who took possession of it?

  • How was the evidence stored and protected?

  • Who took it out of storage, and for what purpose?

Law enforcement professionals have been specially trained to prevent evidence from being compromised. When evidence is compromised, it is referred to as tainted evidence. Tainted evidence may not be admissible in court, and its admission into evidence can be denied.
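As an added example (not code from the study guide), the following Python script keeps a chain-of-custody log whose entries answer the five questions listed above and are linked by the SHA-256 of the previous entry, so that editing, removing or reordering an entry after the fact is detectable. The custodian records the hash of the latest entry ("head") separately, which is what catches alteration of the last entry. The field names, the JSON-lines layout and the sample events are assumptions constructed for illustration.

```python
"""
Append-only, hash-linked chain-of-custody log (added example).

Each entry records who, how/where, who took possession, how it was stored,
and who withdrew it and why, plus the SHA-256 of the previous entry. The
head hash is kept outside the log by the custodian (assumption: in the
investigator's notes or a signed record).
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def _canonical(entry):
    """Stable serialisation so identical content always hashes identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry):
    return hashlib.sha256(_canonical(entry)).hexdigest()


def append_entry(log, *, evidence_id, action, person, location, method, purpose,
                 timestamp=None):
    """Append a custody event to `log` (a list of dicts, oldest first)."""
    prev = entry_hash(log[-1]) if log else GENESIS
    entry = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "evidence_id": evidence_id,   # e.g. the SHA-256 of the disk image
        "action": action,             # collected / stored / checked_out / returned
        "person": person,             # who
        "location": location,         # where
        "method": method,             # how (imaging method, seal number, signature)
        "purpose": purpose,           # why it was handled
        "prev_hash": prev,
    }
    log.append(entry)
    return entry


def seal(log):
    """Head hash the custodian records outside the log."""
    return entry_hash(log[-1]) if log else GENESIS


def verify_chain(log, head):
    """'ok' if every entry links to its predecessor and the head matches."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return f"broken link at entry {i}"
        expected_prev = entry_hash(entry)
    if expected_prev != head:
        return "head mismatch: last entry altered or entries appended"
    return "ok"


def to_jsonl(log):
    return "\n".join(json.dumps(e, sort_keys=True) for e in log) + "\n"


def from_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo():
    log = []
    img = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"  # constructed
    append_entry(log, evidence_id=img, action="collected", person="J. Doe",
                 location="Server room, rack 4", method="dd image via write blocker",
                 purpose="initial acquisition", timestamp="2006-03-01T09:15:00+00:00")
    append_entry(log, evidence_id=img, action="stored", person="J. Doe",
                 location="Evidence locker 12", method="sealed bag #0042",
                 purpose="secure storage", timestamp="2006-03-01T10:02:00+00:00")
    append_entry(log, evidence_id=img, action="checked_out", person="A. Smith",
                 location="Evidence locker 12", method="custodian signature",
                 purpose="analysis on forensic workstation",
                 timestamp="2006-03-03T13:40:00+00:00")
    head = seal(log)
    edited_middle = from_jsonl(to_jsonl(log))   # round-trip gives independent copies
    edited_middle[1]["person"] = "B. Jones"     # rewrite who stored it
    edited_last = from_jsonl(to_jsonl(log))
    edited_last[2]["purpose"] = "routine check"  # rewrite the latest entry
    removed = log[:1] + log[2:]                  # drop the storage event entirely
    return {
        "clean": verify_chain(log, head),
        "edited_middle": verify_chain(edited_middle, head),
        "edited_last": verify_chain(edited_last, head),
        "removed_entry": verify_chain(removed, head),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The chain makes tampering detectable, not impossible: whoever can rewrite the whole log and the head at once can still forge it, which is why the head (or the entire log) should be signed or countersigned by a second custodian rather than kept only on the investigator's workstation.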

Preservation of Evidence

Preservation of evidence requires limited access. In a police or law enforcement situation, the evidence room is a controlled access area, with a single custodian responsible for all access to evidence. This security ensures that physical control of the evidence occurs at all times. Electronic media should be stored in a facility that does not expose it to unusual temperature or humidity variations. You want the evidence usable if it is needed for a trial. It is a good idea to seal evidence into a bag and identify the date, time, and person who collected it. This bag-and-tag process makes tampering with the evidence more difficult. Each time the evidence is handled, it should be bagged again.

Collection of Evidence

Collection of evidence uses the methods identified in the previous section. You want to make sure that records are kept of activities when the investigation starts. All individuals involved in the process should make and retain notes on the investigation and their involvement. It is usually several months from the time an investigation begins to the time a trial starts. It is very likely that your memory of events will become confused or hazy. This time-induced memory lag can give a defendant's attorney the opportunity to discredit you if you do not have your notes to remind you of the steps you took. Should you become involved as a witness, you should anticipate that these notes may not be available to you and you will need to have memorized them for the trial.

Real World Scenario: When to Involve Law Enforcement

A few years ago a small school in Washington State inadvertently became the primary communications portal for hackers nationwide. Hackers broke into a communications system and established a bulletin board and chat room for hacking. The FBI became involved in the investigation. The investigation went on for almost six months. The FBI actively gathered information from this system and arrested 30 hackers nationwide. Most of these hackers were found guilty and sentenced. The investigation revealed that the activities had been occurring for almost six months before the school discovered them.

The decision to involve law enforcement has many consequences to an organization. Most countries have become very concerned about computer abuses, and they have passed laws to direct how law enforcement is to proceed in these matters. Once law enforcement has been called onto the scene of a crime, there is no such thing as dropping charges. Law enforcement is primarily involved with the investigation and prosecution of criminals. When law enforcement becomes involved, they are in essence acting on behalf of the state and will enforce the laws of the land.

The procedures, methods, and activities they perform take precedence over those of an individual company or organization. They can seize evidence, conduct investigations, and question witnesses within the constructs of the law. Before you formally involve law enforcement, it is a good idea to obtain legal advice on how best to proceed.

Law enforcement resources to investigate these types of crimes are limited, and the skills to conduct investigations are in short supply. Many governments have established groups to assist organizations in this process and to answer questions about the process.




CompTIA Security+ Study Guide. Exam SY0-101
ISBN: 078214098X
Year: 2006