32 Forensic Detection

Hiteishi Diwanji

epgp books

Computer Forensics

  • A hacker has broken into a company's computer systems and evidence has to be collected. A computer investigation analyzes evidence in electronic form so that it can be used in court.

Common forensic equipment includes:


  • Computers
  • Printers
  • Scanners
  • Spare hard drives
  • RAID arrays
  • Digital camera
  • Write blockers

Acquisition

  • Acquisition means taking possession of certain items in physical form, or contracting for their possession.
  • From the site, forensic analysts seize hard drives, computers, storage media and other relevant objects.
  • The analyst must maintain a record of all physical evidence gathered from the site.
  • Physical evidence and digital forensics together help in recreating the scene of the incident and in establishing the victims' relationship with the suspects.

Steps in the acquisition phase:

  • Collect the evidence and prepare a document with the details of each item.
  • Objects in custody must be kept carefully and protected from harm.
  • Recognize, transfer and store the evidence.
  • Create copies of the suspected evidence.


The following items are required for an investigation:

  • Antistatic bags
  • Faraday bags
  • Cable ties
  • Evidence bags
  • Antistatic bubble wrap
  • Evidence tape
  • Antistatic packing material
  • Packing tape
  • Robust boxes of different sizes

To collect and handle evidence:

  • Record the process with a digital camera.
  • Document the condition of the computer systems, the components attached to them, device cables and other electronic media.
  • Take photographs of desks, tables or name plates that mark where a person sits.
  • Photograph the location of the mouse; this helps in deciding whether the person is left-handed or right-handed.
  • Photograph the screen settings of a running system.
  • Document the configuration of internal storage devices and other hardware: make and model of the hard drives, their size, jumper settings, physical location and drive interface. Also note internal components such as the sound card, graphics card and network interface card.
  • Record identifying numbers such as MAC addresses.
  • Start building a proper chain of custody.
  • Evidence integrity must be maintained.
  • Evidence must be tagged before it is put into storage.
  • Make tags for evidence and documents. Tags can be prepared in-house or purchased from a variety of companies.

Copy hard drives or fixed disks. The analyst must be given a copy for investigation, prepared in the following three steps:

  1. The hard drive must be removed from the suspect's computer.
  2. The suspect's drive must be write-blocked and fingerprinted (hashed).
  3. The copy must be made onto a clean, wiped drive.

For the court to consider the evidence, the following is required:

Drive Removal Hashing

  • A hardware write blocker permits reading only.
  • The copy is performed on the suspect's hard drive. The suspect's drive may use a popular interface such as USB, FireWire or SCSI.
  • Integrity is maintained by running a cryptographic hash routine over both the original and the copied data.

Examples of the types of information that are recorded:

  Tag   Description
  138   Seagate 307AB hard drive, S/N: 2GHT0TY1, Size: 500GB
  139   IBM Lenovo ThinkCenter M91p i7/3.4GHz, S/N: Ile12
  140   Nikon digital camera 8 MEG, S/N: N01205
  141   Transcend 2GB USB, S/N: TR23156


Remove the drive from a laptop

  • Laptop drives are connected to a standard IDE or SATA interface using the available adapters.

Removal of the suspect's hard drive

  • To duplicate over the network, network cards must be present both in the original system and in the hardware on which the copy is to be made. Both must use the same protocol, for example TCP/IP.
  • Connectivity can be provided by a crossover cable or a small switch.
  • The investigator must take care that the files residing on the suspect's computer are not modified.
  • The investigator must forensically sterilize the target drive, and must be clear about which type of image (physical copy or logical copy) is required.

Drive Wiping

The target drive must be carefully cleaned ("wiped") before it can be used to store evidence. Drive-wiping programs overwrite every accessible location on the disk.

  • Some programs iterate the overwriting process a number of times, which reduces the possibility of recovering the old data.
  • Drive-wiping programs produce the clean media the forensic analyst needs.

Logical and Physical Copies

  • A Unix system defines the block as the smallest unit of storage on the disk, while the Windows operating system defines the cluster. Cluster size depends on the total capacity of the drive: as drive capacity increases, the cluster size increases. Drives formatted as NTFS have a default cluster size of 4 kilobytes.
  • The computer stores files on the drive in clusters. If the file size is not an exact multiple of the cluster size, part of one more cluster is used to store the end of the file. Only a portion of that last cluster is used; the remaining space in it is called slack space.

Slack space

  • Cluster = 64 KB
  • Clusters on the drive: 64 KB | 64 KB | 64 KB | 64 KB | 64 KB
  • For a file size of 139 KB, two full 64 KB clusters are used; 11 KB of the next cluster is used and the remaining 53 KB is slack space.
  • Information beyond the EOF (end of file) is not accessible through the operating system.
  • Use a forensic software package to examine and recover this data.
  • While creating an image of the drive, check whether the slack space is copied or not.
  • The hard drive is a physical device. A partition on the hard drive is created before formatting. The operating system can access only the areas of the drive that are partitioned. Partitioning and formatting create one logical drive (C:) or several logical drives (C: and D:).
  • In DOS and Windows, the command for partitioning is "Format".
  • Disk Management helps in examining partition information in Windows 2000, XP, 2003 or Vista.

Logical copies

  • In a logical copy, files and folders are duplicated.
  • Checksums must be matched.
  • The duplication process determines what is copied and what is not.
  • For a complete, exact duplicate, a physical copy must be performed.

Physical copy

  • A physical copy is an exact duplicate of the original storage medium.
  • NTI's SafeBack (www.forensics-intl.com/safeback.html) is a physical copy program.
  • Physical copy programs perform a bit-for-bit copy. All data from every track, sector and cluster is copied.

Two categories of data are defined when creating the copy:

  1. Free space
     • The drive has free space that is not assigned to any file.
     • Free space is either never-used space or the space of deleted files.
     • This space may still contain files or stored information. Special programs are needed to retrieve it.
  2. File slack space
     • The smallest unit of storage on a drive is the cluster or block. With a cluster size of 512 bytes, the cluster has unused space whenever the file stores less than 512 bytes in it. This portion of the cluster contains data from previous disk writes.
     • Special tools are needed to examine these areas of the disk.
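The slack-space and free-space points above, worked through on a constructed in-memory disk (an added example, not code from the module): a 139 KB file written into 64 KB clusters leaves 53 KB of slack that still holds the previous file's bytes, and only a read past EOF exposes them.

```python
"""Added example (not from the module): how slack space retains old data.

Everything here is constructed: a 512 KB in-memory 'disk' with 64 KB
clusters, an earlier file, and a new 139 KB file written over it."""

CLUSTER = 64 * 1024  # 64 KB clusters, as in the worked numbers above


def clusters_for(file_size, cluster_size=CLUSTER):
    """Return (clusters allocated, slack bytes) for a file of file_size bytes."""
    clusters = -(-file_size // cluster_size)  # ceiling division
    return clusters, clusters * cluster_size - file_size


def os_write(disk, start_cluster, data, cluster_size=CLUSTER):
    """Model an ordinary file write: exactly len(data) bytes are touched, so the
    rest of the last cluster keeps whatever was stored there before."""
    start = start_cluster * cluster_size
    disk[start:start + len(data)] = data


def read_slack(disk, start_cluster, file_size, cluster_size=CLUSTER):
    """Return the bytes between EOF and the end of the last allocated cluster.
    A normal file read stops at EOF, so only a low-level tool sees these."""
    _, slack = clusters_for(file_size, cluster_size)
    eof = start_cluster * cluster_size + file_size
    return bytes(disk[eof:eof + slack])


def demo():
    """Walk through the 139 KB example and carve the 53 KB of slack."""
    disk = bytearray(8 * CLUSTER)  # constructed blank 512 KB disk

    # 1. an earlier file fills three clusters with recognisable text
    note = b"memo: wire 4455 to offshore account; "
    old = (note * (3 * CLUSTER // len(note) + 1))[:3 * CLUSTER]
    os_write(disk, 0, old)

    # 2. that file is deleted: clusters are marked free, bytes are untouched
    # 3. a new 139 KB file is allocated the same clusters
    new_size = 139 * 1024
    os_write(disk, 0, b"Q" * new_size)

    clusters, slack = clusters_for(new_size)  # (3, 53 KB)
    leftover = read_slack(disk, 0, new_size)  # old text past EOF
    return clusters, slack, leftover


if __name__ == "__main__":
    clusters, slack, leftover = demo()
    print(f"{clusters} clusters allocated, {slack // 1024} KB slack")
    print("slack begins with:", leftover[:40])
```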

Imaging the Drive

  • Given a hard drive or any disk, the imaging process prepares a physical copy.
  • Imaging clones the operating system, custom configurations, data files, settings and slack space.
  • The user must be comfortable with the imaging software; practise with it to learn its features.
  • Decide which duplication method is strong. A method must meet the following:
  1. The evidence is not tampered with.
  2. The process is documented and can be repeated.
  3. All evidence found on site is recorded.

Authentication

  • Only an authorized person may handle the data at any instant of time. The evidence life cycle includes:
  1. Discovery and recognition
  2. Protection
  3. Recording
  4. Collection
  5. Identification (tagging and marking)
  6. Preservation: magnetic media must be prevented from being erased, and the storage environment must be appropriate.
  7. Transportation
  8. Presenting the evidence in a court of law
  9. Returning the evidence to its owner

How to ensure the data is not changed?

  • Use hashing algorithms to ensure integrity by producing a fingerprint of the original drive and of the copy made for forensic purposes.
  • Methods used for data protection are parity, checksums or redundancy.
  • Integrity is part of the CIA triad; CIA expands to confidentiality, integrity and availability.
  • Compute the MD5 hash of a file and store it:

    C:\>md5sum c:\passfile.txt > checkhashfile.txt

Output:

    4345bc316b0bf78c2194b4d635f3bd27 *c:\passfile.txt

  • Now change the original file (passfile.txt) by one character. Calculate the MD5 hash again, append it (>>) to the file holding the previous MD5 value (checkhashfile.txt) and compare the results:

    C:\>md5sum c:\passfile.txt >> checkhashfile.txt
    C:\>type checkhashfile.txt
    4345bc316b0bf78c2194b4d635f3bd27 *c:\passfile.txt
    cfbc4c6be5c2de532922001e78694d6a *c:\passfile.txt

  • Good practice is to document and label the hash information and store it in a protected location offline.
  • Tripwire is an example of a file integrity program.
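The imaging step and the md5sum check above, combined in one added example (not the module's code, and not any product's): a bit-for-bit chunked copy of a constructed "device" file, the fingerprint recorded in md5sum's line format, and a re-check that fails after a single bit of the image is altered. SHA-256 is used by default; pass algo="md5" to mirror the command above.

```python
"""Added example (not the module's code): image a 'device' bit for bit,
fingerprint source and copy, record the hash as md5sum does, and verify.

The device is a constructed file of random bytes; paths are temporary."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read/write 1 MB at a time


def hash_file(path, algo="sha256"):
    """Digest of a file, read in chunks so large images do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, dst_path, algo="sha256"):
    """Bit-for-bit copy of src to dst; the source is hashed as it is read so the
    fingerprint is taken from exactly the bytes that were copied."""
    h = hashlib.new(algo)
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    src_digest = h.hexdigest()
    if hash_file(dst_path, algo) != src_digest:
        raise RuntimeError("image does not match source")
    return src_digest


def record_hash(logfile, digest, path):
    """Append a line in md5sum's format, like the '>>' step above."""
    with open(logfile, "a") as log:
        log.write(f"{digest} *{path}\n")


def verify(path, logfile, algo="sha256"):
    """True if the file still matches the FIRST fingerprint recorded for it."""
    with open(logfile) as log:
        recorded = log.readline().split()[0]
    return hash_file(path, algo) == recorded


def demo():
    """Acquire, record, then alter one bit of the image and re-verify."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "suspect_disk.bin")  # constructed 'device'
    img = os.path.join(d, "suspect_disk.img")
    log = os.path.join(d, "checkhashfile.txt")
    with open(src, "wb") as f:
        f.write(os.urandom(2 * CHUNK + 123))
    record_hash(log, image_device(src, img), img)
    ok_before = verify(img, log)
    with open(img, "r+b") as f:  # flip one bit after acquisition
        f.seek(5000)
        b = f.read(1)[0]
        f.seek(5000)
        f.write(bytes([b ^ 0x01]))
    record_hash(log, hash_file(img), img)  # second line, as in the example
    ok_after = verify(img, log)
    return ok_before, ok_after


if __name__ == "__main__":
    print("unchanged: %s, after one-bit change: %s" % demo())
```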

Trace-Evidence Analysis

  • This process examines the evidence in detail.
  • If an incident has occurred, trace-evidence analysis returns a true positive.
  • The forensic analyst follows Locard's exchange principle: when two objects come into contact, material is exchanged between them.
  • Even though the attacker tries to remove evidence, some traces are left behind.
  • The investigator examines the slack space, caches, registry, browser history and page file to discover potential evidence.

Examine the slack space

  • To examine slack space, a hex editor or another specialized tool is used.
  • Toolkits such as AccessData's Forensic Toolkit, Guidance's EnCase and Norton's Disk Editor are available; editors such as NTI's GetSlack and X-Ways Software's WinHex can also be used.
  • Hard drives today are large, so a manual search of the drive for specific evidence is a big task; use an automated tool to locate the evidence under suspicion.
  • Programs such as WinHex allow searching for entered words or phrases. Search for terms specific to the investigation, for example terms related to drugs, hacking and other suspicious activities.
  • From the available information, apply deductive reasoning and then look for precise words or file-extension types.
  • To identify passwords, search for the person's name, family names, friends' names, words in the mother tongue, and so forth. Observe the suspect's job area and obtain clues, for example hobbies. People use school names, vehicle numbers or other easily identifiable items as passwords.

Cache files

A cache is temporary storage and must be investigated.

  • Various caching mechanisms are used to store information.
  • The cache is the first place checked when any information is required.
  • If the information is not found in the cache, the program or application looks for it on the drive or in other storage.
  • To view the ARP cache, type arp /a at the command prompt. The output is the mapping of IP addresses to MAC addresses used for further communication on the network.
  • In Windows, an ARP entry is initially cached for 2 minutes. If communication occurs between the systems within that time, the entry is cached for an additional 10 minutes.

Browser Cache

  • Browser cache files are temporary files holding images and text retrieved from recently browsed web pages.
  • The browser settings have parameters that decide how long the files are kept and the default size of the cache.
  • The web browser history maintains a log listing the web sites visited, with date and time.
  • Internet Explorer stores this information in the Index.dat file. Index.dat can never be resized or deleted by the user. Clicking the "Clear History" button in the General tab of the "Internet Options" dialog box clears the Internet Explorer history, but the size of Index.dat does not change. In the General tab, "days to keep pages in history" can be set to 0 (zero), but this also does not change the size of Index.dat. Checking Index.dat tells the forensic analyst which web sites the suspect has visited.

  • Forensic Toolkit parses and examines the browser cache.
  • Microsoft Office applications provide an AutoSave feature: the hard drive stores temporary versions of documents and spreadsheets in a temporary folder.
  • When the computer boots up, temporary variables are set, including the temporary file location.
  • In Windows, the default location for temporary files is a path specific to the logged-on user.
  • Open a command prompt and type the set command.
  • Sample output of the set command:

    ALLUSERSPROFILE=C:\ProgramData
    APPDATA=C:\Users\laptop\AppData\Roaming
    CLASSPATH=C:\Program Files\MySQL\Connector J 5.1.31\mysql-connector-java-5.1.31-bin.jar;C:\Program Files\Java\jdk1.6.0_23\bin;
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=LAPTOP-PC
    ComSpec=C:\Windows\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Users\laptop
    JAVA_HOME=C:\Program Files\Java\jdk1.6.0_23\bin
    LOCALAPPDATA=C:\Users\laptop\AppData\Local
    LOGONSERVER=\\LAPTOP-PC
    NUMBER_OF_PROCESSORS=4
    OS=Windows_NT
    Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\ WindowsPowerShell\v1.0\;C:\Program Files\WIDCOMM\Bluetooth Software\;C:\ProgramFiles\MySQL\MySQL Utilities 1.4.3\;C:\Program Files\MySQL\MySQL Utilities 1.4.3\Doctrine extensions for PHP\;C:\Program Files\Java\jdk1.6.0_23\bin;C:\Program Files\MiKTeX 2.9\miktex\bin\;C:\Program Files\Skype\Phone\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 5, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=2505
    ProgramData=C:\ProgramData
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SystemDrive=C:
    SystemRoot=C:\Windows
    TEMP=C:\Users\laptop\AppData\Local\Temp
    TMP=C:\Users\laptop\AppData\Local\Temp
    USERDOMAIN=laptop-PC
    USERNAME=laptop
    USERPROFILE=C:\Users\laptop
    windir=C:\Windows

  • In Windows, look in the Recent Documents folder to obtain a list of all recently opened documents and files. The list contains file names and last-modification dates and times.

Email Evidence

  • Suspects use web email services such as Hotmail or Yahoo!. The investigator must perform a low-level search for streams of email data residing in slack or free space.
  • If the suspect is a member of a corporate network, the mail server has a backup of the emails, or an off-site store contains a backup.
  • Email formats vary. In Unix, email is saved as a text file and can be read with grep or a paging utility.
  • Windows Outlook is a proprietary product that saves mail in PST files. Copy the suspect's PST file and load it on a different computer from which the default PST file has been erased; when Outlook restarts, it prompts for the location of the missing PST file, and the location of the suspect's PST file is entered so that it gets loaded.
  • A forensic tool can be used to view the suspect's email. AccessData's Forensic Toolkit supports Outlook, Outlook Express, AOL, Netscape and others.
  • Search for and inspect VCF files; these contain names, addresses, phone numbers and other information. Search the hard drive for *.vcf and view the files with any text viewing application.

E-mail headers

  • Email headers, when examined, tell the true origin of the email.
  • Hackers run social-engineering scams through email.
  • Spammers, identity thieves and others use email to attract potential victims.
  • Terrorists communicate through email.
  • An email header identifies the sender of the message. The header has fields that include the IP address, Sender, Reply-To, and so on.
  • The source name in an email header can be spoofed or forged.
  • It is difficult to hide the true IP address from which the message originated and the IP addresses of the systems through which the message was relayed to reach its destination.
  • The email header records the traversed path in reverse order: the last IP address listed is the first hop, that is, the IP address of the originating server.
  • To identify the owner to whom a particular IP address is assigned, use WHOIS or an online tool such as SamSpade (www.samspade.org).
  • For expertise in email, refer to RFC 822 at www.ietf.org/rfc.html. The document has complete information about SMTP and email headers.
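The reverse-order Received: chain described above, parsed in an added example (not code from the module): the last Received: header is the first hop, so walking the headers from the bottom up yields the originating IP to look up with WHOIS, and comparing From with Reply-To flags the kind of forged sender mentioned above. The message and every host and address in it are constructed.

```python
"""Added example (not from the module): walk the Received: chain of an email
to find the originating IP, and flag a Reply-To that differs from From.

The message below is constructed; all hosts and addresses are documentation
examples (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, *.test)."""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Received: from mx2.example-dest.test (mx2.example-dest.test [203.0.113.9])
    by inbox.example-dest.test with ESMTP id 7Xq1; Mon, 3 Jun 2024 09:12:03 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.25])
    by mx2.example-dest.test with ESMTPS id k9; Mon, 3 Jun 2024 09:12:01 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example-isp.test with ESMTPA id 31; Mon, 3 Jun 2024 09:11:58 +0000
From: "Accounts Dept" <ceo@example-dest.test>
Reply-To: mailbox917@example-free.test
To: finance@example-dest.test
Subject: Urgent wire transfer
Message-ID: <20240603091158.31@relay.example-isp.test>

Please process the attached invoice today.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Hops in transmission order (origin first). Each MTA prepends its own
    Received: line, so the LAST header in the message is the FIRST hop."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        ip = IP_RE.search(hdr)
        hops.append({
            "from": m.group(1) if m else "?",
            "by": m.group(2) if m else "?",
            "ip": ip.group(1) if ip else None,
        })
    return hops


def originating_ip(raw):
    """IP of the first hop, the one to look up with WHOIS."""
    return received_chain(raw)[0]["ip"]


def reply_to_mismatch(raw):
    """True when Reply-To points at a different domain than From: replies would
    go somewhere other than the displayed sender, a common scam tell."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if not reply:
        return False
    return sender.rsplit("@", 1)[-1].lower() != reply.rsplit("@", 1)[-1].lower()


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(f"{hop['from']:28} -> {hop['by']:26} {hop['ip']}")
    print("origin:", originating_ip(SAMPLE), "reply-to mismatch:", reply_to_mismatch(SAMPLE))
```

Only the hop written by your own trusted server can be relied upon; headers below it could have been forged by the sender, which is why the chain is read from the receiving end downwards.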

Deleted/Overwritten Files and Evidence

  • A deleted file goes to the Recycle Bin. Its clusters or blocks are marked as unallocated.
  • When clusters are reallocated, old data still resides in the slack space.
  • Unless the drive is wiped with low-level formatting, the data can still be retrieved: the bit pattern only indicates that the clusters have been marked as available for overwriting, while no overwriting has actually taken place.

Other Trace Evidence

  • Investigate login times and connection times.
  • Ask the network administrator to provide all information about any user under investigation.
  • Get a warrant issued to obtain data from backups.

Legal constraints while collecting data

  • Law enforcement has more rights when performing a search.
  • Companies must develop acceptable use policies (AUPs). This document precisely describes which activities employees are allowed to perform and which are prohibited on the company's systems. It also specifies the actions to be taken if employees do not obey the rules. The AUP should also specify what privacy rights employees have and that the company reserves the right to monitor, review and analyze its computer systems.
  • The organization's legal department must be consulted to find out what can and cannot be done if a search is to be carried out and devices need to be seized.
  • In a networked environment, information is stored on remote servers or other connected network devices. Backups, audit trails and other information obtained from the computer the suspect was using can reveal the location of hidden remote data.
  • The user's area must be searched for disks, zip drives, external hard drives, cards and any other external media.
  • Documents must be set read-only before a detailed examination of them is carried out.
  • Determine who accessed the documents last, using audit records and file time and date stamps along with logon/logoff times.
  • For home users or others with Internet access, the Internet service provider (ISP) must be contacted to gather logon times, IP addresses and other applicable information.
  • Individuals' email accounts contain information the suspect is attempting to hide.
  • Logs are kept for only a prespecified period. The analyst has to act quickly when third parties are involved or when working with law enforcement.

Hidden Techniques

  • This involves looking for hidden files and folders on a computer used by the suspect.

Common File-Hiding Techniques

  • Place the information in an obscure location such as C:\Winnt\System32\OS2\Drivers.
  • Set the hidden attribute to stop the ordinary user from seeing the file.
  • Search for specific file types such as BMP, DOC and XLS. The Windows search facility quickly retrieves files by type.
  • On a Linux computer, the grep command helps in searching the drive.

Hiding Technique

  • File attributes can be used to hide files or folders.
  • In Windows, the attrib command configures file attributes to hide files.
  • To hide a file, issue the command attrib +h password.txt.
  • Open Windows Explorer and choose Tools ➪ Folder Options ➪ View ➪ Show Hidden Files. This shows files and folders that carry the +h attribute.
  • The command attrib /s > attributes.txt, run from the root, gives a complete listing of file attributes including all hidden files. The attrib command lists file attributes; with /s all subdirectories are traversed, and > redirects the output to a text file, which can then be inspected for analysis.
  • Check with Quick View Plus. A file can be disguised by renaming it with an incorrect extension: C:\digitalforensics>rename hidefile.txt hidefile.bmp

If Windows attempts to open this renamed file, it fails. Quick View Plus opens the same file correctly; Quick View recognizes more than 250 common file types.

Advanced File Hiding Techniques

  • A drive formatted with NTFS in Windows can hide data without a trace. NTFS provides security at the file and directory level and supports Alternate Data Streams (ADS), which can be used to hide data.
  • The file size shown for the host file remains the same.
  • Without knowing the name of the stream, the streamed file is invisible. Special software tools are needed to find it.

Steganography

  • Steganography is writing in a concealed way.
  • In steganography, image or sound files provide an envelope in which a message is hidden before sending.
  • In cryptography, the attacker knows a secret message exists and attempts to decrypt it.
  • In steganography, the attacker is not aware that a secret message exists.
  • Steganography spreads the data across various bits within the carrier file to hide the information.
  • Computer-based pictures or bitmaps are formed by pixels.
  • Each pixel has a color value. The range goes from no color (binary 0) to full color (binary 255).
  • Sound files are stored as binary values. Suppose a sound file contains these 4 bytes:

    225      38       74       130
    11100001 00100110 01001010 10000010

  • To hide the decimal value 7 (binary 0111), change the least significant bit of each byte:

    224      39       75       131
    11100000 00100111 01001011 10000011
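The least-significant-bit change shown above, as an added example (not code from the module): embedding the bits 0111 into the four sample bytes reproduces 224 39 75 131, the same routine is then generalized to a length-prefixed message, and two examiner-side checks are included, the capacity bound (one bit per carrier byte, so at most one eighth of the carrier) and a byte-difference count against a known original carrier. The carrier bytes and message are constructed.

```python
"""Added example (not from the module): least-significant-bit (LSB) hiding,
first on the 4 sample bytes above, then for a short message, plus the
two checks an examiner can make: capacity and how many bytes changed.

Carrier bytes and the message are constructed."""


def int_to_bits(value, width):
    """Big-endian bit list, e.g. 7 -> [0, 1, 1, 1] for width 4."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def embed_bits(carrier, bits):
    """Replace the LSB of successive carrier bytes with the given bits.
    Each byte moves by at most 1, which is inaudible/invisible in samples."""
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_bits(stego, count):
    """Read back the LSBs of the first `count` bytes."""
    return [b & 1 for b in stego[:count]]


def embed_message(carrier, message):
    """Hide message as 8-bit bytes, with a 16-bit length prefix so the
    extractor knows where the payload ends."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [bit for byte in payload for bit in int_to_bits(byte, 8)]
    return embed_bits(carrier, bits)


def extract_message(stego):
    length = bits_to_int(extract_bits(stego, 16))
    bits = extract_bits(stego[16:], length * 8)
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))


def capacity_bytes(carrier):
    """One hidden bit per carrier byte, so payload <= carrier size / 8."""
    return len(carrier) // 8


def changed_bytes(original, stego):
    """Examiner's view: with the original carrier, count the bytes that differ."""
    return sum(1 for a, b in zip(original, stego) if a != b)


if __name__ == "__main__":
    sample = bytes([225, 38, 74, 130])
    stego = embed_bits(sample, int_to_bits(7, 4))
    print(list(stego))  # [224, 39, 75, 131], matching the module's example
```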

 

Why is steganography not widely used?

  • It is a time-consuming process, and one carrier file can store only a finite amount of data.
  • The amount of data hidden is always less than the total size of the carrier.
  • Holding or transmitting hundreds of carrier files is a suspicious activity.

Antiforensics

  • Antiforensics is the process of running tools and routines that attempt to spoil the forensic process.

Suggested Reading:

  1. Cryptography and Network Security: Principles and Practice by William Stallings, sixth edition, Pearson.
  2. Security in Computing by Charles Pfleeger and Shari Lawrence Pfleeger, fourth edition, Pearson.
  3. Network Security by Charlie Kaufman, Radia Perlman and Mike Speciner, second edition, PHI.
  4. The Complete Reference: Network Security by Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Tata McGraw Hill.
  5. Network Security Bible by Eric Cole, Ronald Krutz and James Conley, Wiley.
  6. Hacking Exposed 6 by Stuart McClure, Joel Scambray and George Kurtz, Tata McGraw Hill.
  7. www.snort.org
  8. https://nmap.org