Information and Communications University s1

INFORMATION AND COMMUNICATIONS UNIVERSITY

UNDERGRADUATE PROGRAMMES

NAME : EMMANUEL K. KALENGE

COMPUTER NUMBER : 1303282745

MODE OF STUDY : DISTANCE

PROGRAMME : BSC IN INFORMATION SECURITY AND COMPUTER FORENSICS

COURSE : COMPUTER HACKING FORENSICS INVESTIGATION 2

ASSIGNMENT NUMBER : TWO (02)

DUE DATE :

PHONE NUMBER : 0978864054 / 0955363127

EMAIL ADDRESS : [email protected]

POSTAL ADDRESS : ZAMBIA DAILY MAIL LIMITED P.O BOX 31421

LUSAKA, ZAMBIA

ANSWERS TO ASSIGNMENT

1. Write a detailed essay about the following topics below. The essay should include the process, tools used and operation. Essay should be 2 – 3 pages:

(a) Intrusions and the honeypots

(b) Application Password Crackers

(c) Windows Admin Login bypass

(d) Audio File Forensics

(e) Data Acquisition and Duplication

(f) Recovering Deleted Files and Partition

(g) Image Files Forensics

(h) Windows Registry Evidence Analysis

(i) Steganography Detection

(j) Forensics Investigations Using Encase

(A) INTRUSIONS AND THE HONEYPOTS

What is an Intrusion?

A network intrusion is any unauthorized activity on a computer network. Detecting an intrusion depends on the defenders having a clear understanding of how attacks work. In most cases, such unwanted activity absorbs network resources intended for other uses, and nearly always threatens the security of the network and/or its data. Properly designing and deploying a network intrusion detection system will help block the intruders.

The attack can be any use of a network that compromises its stability or the security of information that is stored on computers connected to it. A very wide range of activity falls under this definition, including attempts to destabilize the network as a whole, gain unauthorized access to files or privileges, or simply mishandling and misuse of software. Added security measures cannot stop all such attacks. The goal of intrusion detection is to build a system which would automatically scan network activity and detect such intrusion attacks. Once an attack is detected, the system administrator is informed and can take corrective action.

As a first step of defense, here's a brief rundown of popular attack vectors:

Asymmetric Routing

In this method, the attacker attempts to utilize more than one route to the targeted network device. The idea is to have the overall attack evade detection by having a significant portion of the offending packets bypass certain network segments and their network intrusion sensors. Networks that are not set up for asymmetric routing are impervious to this attack methodology.

Buffer Overflow Attacks

This approach attempts to overwrite specific sections of computer memory within a network, replacing normal data in those memory locations with a set of commands that will later be executed as part of the attack. In most cases, the goal is to initiate a denial of service (DoS) situation, or to set up a channel through which the attacker can gain remote access to the network. Accomplishing such attacks is more difficult when network designers keep buffer sizes relatively small, and/or install boundary-checking logic that identifies executable code or lengthy URL strings before it can be written to the buffer.

Common Gateway Interface Scripts

The Common Gateway Interface (CGI) is routinely used in networks to support interaction between servers and clients on the Web. But it also provides easy openings—such as "backtracking"—through which attackers can access supposedly secure network system files. When systems fail to include input verification or check for backtrack characters, a covert CGI script can easily add the directory label ".." or the pipe "|" character to any file path name and thereby access files that should not be available via the Web.

Protocol-Specific Attacks

When performing network activities, devices obey specific rules and procedures. These protocols—such as ARP, IP, TCP, UDP, ICMP, and various application protocols—may inadvertently leave openings for network intrusions via protocol impersonation ("spoofing") or malformed protocol messages. For example, Address Resolution Protocol (ARP) does not perform authentication on messages, allowing attackers to execute "man-in-the-middle" attacks. Protocol-specific attacks can easily compromise or even crash targeted devices on a network.

Traffic Flooding

An ingenious method of network intrusion simply targets network intrusion detection systems by creating traffic loads too heavy for the system to adequately screen. In the resulting congested and chaotic network environment, attackers can sometimes execute an undetected attack and even trigger an undetected "fail-open" condition.

Trojans

These programs present themselves as benign and do not replicate like a virus or a worm. Instead, they instigate DoS attacks, erase stored data, or open channels to permit system control by outside attackers. Trojans can be introduced into a network from unsuspected online archives and file repositories, most particularly including peer-to-peer file exchanges.

Worms

A common form of standalone computer virus, worms are any computer code intended to replicate itself without altering authorized program files. Worms often spread through email attachments or the Internet Relay Chat (IRC) protocol. Undetected worms eventually consume so many network resources, such as processor cycles or bandwidth, that authorized activity is simply squeezed out. Some worms actively seek out confidential information—such as files containing the word "finance" or "SSN"—and communicate such data to attackers lying in wait outside the network.

What is a Honeypot?

Honey Pot Systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system.

Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside of a firewall for control purposes. In a sense, they are variants of standard Intruder Detection Systems (IDS) but with more of a focus on information gathering and deception.

A Honey Pot system is set up to be easier prey for intruders than true production systems, but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered and additional attempts at file, security and system access on the Honey Pot can be monitored and saved.

An example of Honey Pot systems installed in a traditional Internet security design: (Image courtesy of https://www.sans.org)

Generally, there are two popular reasons or goals behind setting up a Honey Pot:

- Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder's activities is kept, you can gain insight into attack methodologies to better protect your real production systems.

- Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.

The common line of thought in setting up Honey Pot systems is that it is acceptable to use lies or deception when dealing with intruders. What this means to you when setting up a Honey Pot is that certain goals have to be considered.

Those goals are:

- The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT based system, it should appear to the potential intruder that the system has not been modified or they may disconnect before much information is collected.

- You need to be careful in what traffic you allow the intruder to send back out to the Internet, for you don't want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a Honey Pot inside of the firewall!)

- You will want to make your Honey Pot an interesting site by placing "Dummy" information or make it appear as though the intruder has found an "Intranet" server, etc.

- Expect to spend some time making your Honey Pot appear legitimate so that intruders will spend enough time investigating and perusing the system so that you are able to gather as much forensic information as possible.

Some caveats exist that should be considered when implementing a Honey Pot system. Some of the more important are:

The first caveat is the consideration that if the information gathered from a Honey Pot system is used for prosecution purposes, it may or may not be deemed admissible in court. While information regarding this issue is difficult to come by, having been hired as an expert witness for forensic data recovery purposes, I have serious reservations regarding whether or not all courts will accept this as evidence or if non-technical juries are able to understand the legitimacy of it as evidence.

The second main caveat for consideration is whether hacking organizations will rally against an organization that has set "traps" and make them a public target for other hackers. Examples of this sort of activity can be found easily on any of the popular hacker's sites or their publications.

Levels or Layers of Tracking

The information provided on an intruder depends on the levels of tracking that you've enabled on your Honey Pot. Common tracking levels include the firewall, system logs on the Honey Pot and sniffer-based tools.

Firewall Logs

Firewalls are useful as part of the overall Honey Pot design for many reasons. Most firewalls provide activity-logging capabilities which can be used to identify how an intruder is attempting to get into a Honey Pot. I liken firewall logs to router logs; they can both be set to trap and save packets of a pre-determined type. Remember that when setting up the firewall, you would normally want to log ALL packets going to the Honey Pot system, as there should be no legitimate reason for traffic going to or from the Honey Pot.

Reviewing the order, sequence, time stamps and types of packets used by an intruder to gain access to your Honey Pot will help you identify the tools and methodology being used by the intruder, and their intentions (vandalism, data theft, searching for a remote launch point, etc.). Depending on how detailed the logging on your firewall is, you may or may not be able to gain considerable information from these logs.

Another useful function of many firewalls is their notification capabilities. Most firewalls can be configured to send alerts by email or pager to notify you of traffic going to or from your Honey Pot. This can be extremely useful in letting you review intruder activity WHILE it's happening.
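A way to put the firewall-log review just described into practice, as an added example that is not part of the original assignment: it parses constructed netfilter-style log lines (the addresses 192.0.2.50 for the Honey Pot and 203.0.113.7 for the probing host are assumed), builds the time-ordered timeline of packets to and from the Honey Pot, summarises each source's ports and protocols, and raises an alert when the Honey Pot itself starts sending traffic out, the launch-point case the text warns about.

```python
import re
from datetime import datetime

# Constructed sample of netfilter-style firewall log lines; not from any real system.
# 192.0.2.50 plays the Honey Pot, 192.0.2.10 a production host, 203.0.113.7 a probing host.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 12 03:14:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 SYN
Jan 12 03:14:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=TCP SPT=51236 DPT=80 SYN
Jan 12 03:14:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.50 PROTO=UDP SPT=51237 DPT=161
Jan 12 03:15:01 fw kernel: IN=eth1 OUT= SRC=192.0.2.50 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=6667 SYN
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict of KEY=value fields, TCP flags and a parsed timestamp."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    ev = dict(re.findall(r"(\w+)=(\S*)", rest))
    ev["flags"] = [tok for tok in rest.split() if "=" not in tok]
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for ordering
    ev["ts"] = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ev


def honeypot_timeline(log_text, honeypot_ip):
    """Every packet to or from the Honey Pot, in time order (there is no legitimate traffic to it)."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("DST") == honeypot_ip:
            ev["direction"] = "inbound"
        elif ev.get("SRC") == honeypot_ip:
            ev["direction"] = "outbound"
        else:
            continue
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """Per-source overview of ports and protocols, plus alerts for the Honey Pot dialling out."""
    per_src, alerts = {}, []
    for ev in events:
        rec = per_src.setdefault(ev["SRC"], {"packets": 0, "ports": set(), "protos": set(),
                                             "first": ev["ts"], "last": ev["ts"]})
        rec["packets"] += 1
        rec["ports"].add(int(ev.get("DPT", 0)))
        rec["protos"].add(ev.get("PROTO", "?"))
        rec["last"] = ev["ts"]  # events are already in time order
        if ev["direction"] == "outbound":
            alerts.append({"severity": "high",
                           "reason": "Honey Pot initiated outbound traffic (possible launch point)",
                           "src": ev["SRC"], "dst": ev.get("DST"), "dport": ev.get("DPT"),
                           "ts": ev["ts"]})
    for rec in per_src.values():
        rec["ports"] = sorted(rec["ports"])
        rec["protos"] = sorted(rec["protos"])
    return per_src, alerts


if __name__ == "__main__":
    timeline = honeypot_timeline(SAMPLE_LOG, "192.0.2.50")
    for ev in timeline:
        print(ev["ts"].time(), ev["direction"], ev["SRC"], "->", ev["DST"], ev["PROTO"], ev.get("DPT", ""))
    summary, alerts = summarize(timeline)
    for src, rec in summary.items():
        print(src, rec["packets"], "packets, ports", rec["ports"], "protocols", rec["protos"])
    for a in alerts:
        print("ALERT:", a["reason"], a["src"], "->", a["dst"], "port", a["dport"])
```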

System Logs

Unix and Microsoft NT seem to have the lion's share of the Internet server market. Luckily, both operating systems have logging capabilities built in, which help identify what changes or attempts have been made. It should be noted that out of the box, Unix offers superior logging capabilities compared to Microsoft NT.

Some of their out-of-the-box logging capabilities include:

Microsoft NT

- Security: available from Event Viewer

- User Management: needs to be enabled through User Manager

- Running Services: Netsvc.exe needs to be manually run and compared to a baseline

Unix

- User activity logs: utmp, wtmp, btmp, lastlog, messages

- Syslogd: an important option is that it can log to a remote server! The range of facilities and priorities available through syslogd is very good.

There are also several tools available that greatly increase the information that can be gathered. Many of the Unix tools are public domain, while many of the Microsoft NT tools are not.

Sniffer Tools

Sniffer tools provide the capability of seeing all of the information or packets going between the firewall and the Honey Pot system. Most of the sniffers available are capable of decoding common TCP-based protocols such as Telnet, HTTP and SMTP. Using a sniffer tool allows you to interrogate packets in much more detail than firewall or system logging alone, to determine which methods the intruder is trying to use.

An additional benefit to sniffer tools is that they can also create and store log files. The log files can then be stored and used for forensic purposes.

Honey Pot Solutions

Implementation of a Honey Pot solution as part of a security system first involves deciding whether to purchase a commercial solution or to develop your own.

Building a Honey Pot

There are a variety of public domain tools and software available that can be useful to help you set up a Honey Pot, as well as many sites dedicated to helping guide you through the process. Most tools seem to have originated on the Unix platform, while many have been ported to Microsoft NT.

What you will need to create or develop your own Honey Pot system are a minimum of the following components and considerable configuration time:

- A Workstation or PC. It appears as though an Intel-based workstation is fine.

- An operating system. I prefer BSD Unix or RedHat as there are more tools available for the Unix platform than NT.

Commercial Honey Pot Systems

There are a variety of commercial Honey Pot systems available. The operating systems most widely supported are Microsoft NT and Unix. As many of the commercial products have been released in the past 12 to 18 months, some of them are still in relatively early versions.

Some of the commercial Honey Pot systems available are:

- Network Associates: Cybercop Sting

- Tripwire

- Fred Cohen and Associates: Deception Toolkit

- Recourse Technologies: ManTrap

(B) APPLICATION PASSWORD CRACKERS

The concept of cracking passwords is taking a password and decrypting it, or disabling the password protection of a system and/or network. Since the first passwords were used, there have been methods to try and crack the actual text-based version of the password. The reason we can crack passwords is two-fold: users can select a weak password if the administrator has not enforced a strict password policy, or the vendor has done a poor job of scrambling the password.

There are several methods of attacking passwords that we will discuss. The methods are:

- Guessing

- Dictionary

- Brute force

- Syllable attack

- Rule-based

- Hybrid

Guessing

In the guessing attack, perpetrators are successful when they are able to guess a person’s password. This can be the result of selection by the user of a blank password. It can also be a result of choosing a simple password such as “password.” Some users think they are smart, and will try a word in reverse like “drowssap.” Another problem is when users select a password based on their kids, spouse, relative, or other personal information that is easy to identify.

Dictionary

With this attack you load a file of dictionary words into the password cracking tool, and if the password is one of the words within the dictionary file it is cracked. It is important to note that there are dictionary files available for many languages; therefore, it is a simple process of loading your dictionary for the country you are conducting the testing in.

Brute Force

In the brute force method of password attacking, the concept is to try every possible combination of characters until a password is found. It is the slowest method of attack, but given enough time and resources it will discover any password.

Syllable Attack

This attack is a combination of brute force attack and dictionary attack. The technique is usually used when the password is known not to be an existing word.

Rule-Based

This technique is used when the perpetrator is able to get some information about the password, usually following some form of enumeration that has identified the password policy in place for an organization. For example, if the policy indicates that the length of the password is not less than eight characters, and that it must contain numbers and at least one special character, then the perpetrator will adjust and customize the cracking tool accordingly.

Hybrid

A hybrid attack is used to find passwords that are a dictionary word with combinations of characters prepended or appended to it. This attack is surprisingly successful, because in most cases users will select a password that is a dictionary word surrounded by additional characters.

Rainbow

The rainbow attack technique works by calculating all the possible hashes for a character set and storing them in a table. The password hash is presented to the tool that uses the rainbow algorithm, and a table search is made until the password is found. This is a much quicker method than the other types of attack; however, the limitation of the rainbow technique is the size requirement for the table, so you need to think in terms of terabytes for complex passwords.
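The attack classes above can be turned around into a defensive audit of a candidate password, which is what this added example does (it is not part of the original assignment): it reports whether a password would fall to guessing (blank or reversed word), a dictionary match, a hybrid word-plus-affix pattern, or the rule-based policy of the text, and sizes the brute-force search space from the character classes used. The word list and policy thresholds are constructed stand-ins for a real dictionary file and an organisation's policy.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary file (hypothetical values).
WORDLIST = {"password", "secret", "welcome", "dragon", "monkey", "letmein", "football", "admin"}

# Policy from the rule-based example in the text: at least eight characters, numbers and a special character.
MIN_LENGTH = 8
AFFIX_CHARS = string.digits + string.punctuation


def brute_force_bits(pw):
    """Size of the search space a brute-force attack must cover, in bits, from the character classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return round(len(pw) * math.log2(size), 1) if size else 0.0


def audit_password(pw, wordlist=WORDLIST):
    """Report which of the attack classes described in the text would succeed against this password."""
    findings = []
    low = pw.lower()
    if pw == "":
        findings.append("guessing: blank password")
    if low in wordlist:
        findings.append("dictionary: exact word-list match")
    if low[::-1] in wordlist:
        findings.append("guessing: reversed word-list word")
    # hybrid: strip digits/punctuation from both ends and see whether a word-list word remains
    core = low.strip(AFFIX_CHARS)
    if core and core != low and core in wordlist:
        findings.append("hybrid: word-list word with characters prepended or appended")
    policy = {
        "length": len(pw) >= MIN_LENGTH,
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    failed = [name for name, ok in policy.items() if not ok]
    if failed:
        findings.append("policy: fails " + ", ".join(failed))
    return {"password": pw, "findings": findings,
            "brute_force_bits": brute_force_bits(pw), "policy": policy}


if __name__ == "__main__":
    for candidate in ["", "password", "drowssap", "Password123!", "Tq7#vLp9zR2w"]:
        report = audit_password(candidate)
        print(repr(candidate), report["brute_force_bits"], "bits", report["findings"] or "no findings")
```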

PASSWORD CRACKING TOOLS

When it comes to cracking passwords, there is an extraordinary number of tools available:

(i) Cain and Abel This is a Windows-based password recovery tool. It uses multiple methods to capture the password hashes. It can get the hash from the network, or dump it from the local machine. Cain and Abel uses dictionary attacks, brute force, and other cryptanalysis techniques to crack the password.

(ii) LCP The LCP tool was developed as a free alternative to the very popular L0phtcrack tool, which was the pioneer in cracking passwords on a Windows platform. L0phtcrack is no longer offered, and LCP is an excellent way to get the features that used to be available with L0phtcrack. The tool offers the ability to import from a variety of formats, and uses dictionary, hybrid, and brute force attack methodologies to discover the password.

(iii) Ophcrack Ophcrack is a Windows-based password cracker that uses the rainbow cracking methodology, conducting the crack from existing rainbow tables. The algorithm deployed is based on the time-memory trade-off technique of precomputing all possible hashes and then looking the captured hash up in the table.

(iv) John the Ripper John the Ripper (JTR) is a fast password cracking tool that will not only crack Windows-based passwords, but also passwords on Unix and Linux systems. The tool runs both within a Unix and a Linux environment.

(v) Brutus Brutus is a very fast and flexible password cracking tool that can perform the cracks remotely. It is commonly used to crack Web site passwords. It is a Windows-based tool that can support up to 60 simultaneous target connections.

(C) WINDOWS ADMINISTRATOR LOGIN BYPASS

Passwords can be reset or bypassed on every operating system. On Windows, Linux, and Mac OS X, you can gain access to a computer’s unencrypted files after resetting the password — the password doesn’t actually prevent access to your files. On other devices where you can’t gain access to the files, you can still reset the device and gain access to it without knowing a password. These tricks all require physical access to the device.

There are many ways to reset a Windows password. Windows allows you to create a password reset disk that can reset your password in an approved way — create a disk first and you can use it if you ever need it.

Resetting a password without an official tool is fairly simple. For example, the Offline NT Password & Registry Editor works well for this. First, you’ll need to boot from a special disc or USB drive — either a live Linux system or a specialized Offline NT Password & Registry Editor boot disc. The tool can edit the Windows registry, allowing you to clear the password associated with the user account. You can then boot into Windows and log into the account without a password.

Even if you’re using Windows 8 with a Microsoft account, you can always reset the password of the built-in Administrator account to gain access.

To protect against this, you could password-protect your BIOS and restrict booting from external devices. Someone with physical access to the PC could reset the BIOS password to bypass this. Encrypting your Windows system drive with something like BitLocker would prevent the registry from being accessed and modified with this tool — encryption is the only good protection.

Method 1: Bypass Windows 7 Logon Password in Safe Mode

You can change Windows 7 password from safe mode in following steps:

Step1: Press F8 before the Windows 7 loading screen.

Step2: Choose a Windows 7 safe mode option, "Safe Mode with Command Prompt", and press Enter.

Step3: Type net user and press Enter; all accounts on the Windows 7 PC will be displayed.

Step4: Type net user followed by your locked user account name and a new password in the command prompt; for example, "net user John 123456" sets the password for the account "John" to "123456".

Step5: After restarting your computer, you can now log on to your PC with the new password.

(Note: When you recover Windows 7 password from safe mode, an administrator account with known password is necessary. If not, move to Method 2)

Method 2: Bypass Windows 7 Password with a Created Windows 7 Password Reset Disk

If you created a Windows 7 password reset disk in the past, below are the steps for getting around a forgotten password on Windows 7:

1. If you enter the wrong password when you attempt to log on, Windows displays a message that the password is incorrect. Click "OK" to close the message.

2. Click "Reset password", and then insert your password reset disk.

3. Follow the steps in the Password Reset Wizard to create a new password.

4. Log on with the new password. If you forget your password again, you can use the same password reset disk. You don't need to make a new one.

(Note: The disk only works for the specific account it was created for; if you changed the password for that account since, it still works. But if you don't have a password reset disk, then the only way to bypass your Windows 7 password is to use a third-party application.)

(D) AUDIO FILE FORENSICS

Audio forensics is the field of forensic science relating to the acquisition, analysis, and evaluation of sound recordings that may ultimately be presented as admissible evidence in a court of law or some other official venue. Audio forensic evidence may come from a criminal investigation by law enforcement or as part of an official inquiry into an accident, fraud, accusation of slander, or some other civil incident. The primary aspects of audio forensics are establishing the authenticity of audio evidence, performing enhancement of audio recordings to improve speech intelligibility and the audibility of low-level sounds, and interpreting and documenting sonic evidence, such as identifying talkers, transcribing dialog, and reconstructing crime or accident scenes and timelines. Modern audio forensics makes extensive use of digital signal processing, with the former use of analog filters now being obsolete. Techniques such as adaptive filtering and discrete Fourier transforms are used extensively. Recent advances in audio forensics techniques include voice biometrics and electrical network frequency analysis. The remit of a forensic audio laboratory is to provide audio evidence in criminal or civil investigations. On a day-to-day basis, a forensic audio laboratory will deal with sensitive law-enforcement recordings, 999 emergency calls, audio from mobile phones, DVD, video, CCTV, computers, solid-state devices, memory cards — in fact, just about every type of recorded audio media there is and has ever been. Many of the tasks will at some point involve forensic audio enhancement for use as evidence at trial. However, general advice and guidance concerning the correct capture and subsequent review of audio material is also essential. This provides what is commonly referred to as 'best evidence'. The principal concerns of audio forensics are:

i) Establishing the authenticity of audio evidence

ii) Performing enhancement of audio recordings to improve speech intelligibility and the audibility of low-level sounds

iii) Interpreting and documenting sonic evidence, such as identifying talkers, transcribing dialog, and reconstructing crime or accident scenes and timelines

Forensic Enhancement

Enhancement is a process that involves the expertise of 'cleaning' or 'removing' of unwanted noise from an otherwise unintelligible recording. This can be described as 'audio archaeology': its principal task is to uncover evidence cautiously and without unnecessary damage to the original recording. This provides the listener with the opportunity to hear 'what is said', which is often sufficient to prove or disprove an individual's involvement in crime. Often, the 'enhanced' recording will sound cosmetically worse than the original, but 'what is said' is revealed. This is in complete opposition to the music industry, where cosmetics are everything! On a daily basis, investigations are turning to forensic audio enhancement as a final 'roll of the dice' when all other forensic practices and techniques have failed or are unavailable. Forensic audio alone continues to routinely solve high-profile criminal investigations and convict serious criminals.

If the examiner determines that enhancement is necessary, a variety of audio DSP tools are brought to use.

COMMON DSP METHODS

The principal audio forensic enhancement procedures include time-domain level detectors and frequency-domain filters.

(a) TIME-DOMAIN LEVEL DETECTION

Time-domain enhancement treats the amplitude envelope of the recorded audio signal. One example is gain compression, whereby the overall level (loudness) of the signal is adjusted to be relatively constant: quiet passages are amplified and loud passages are attenuated or left alone.

(b) FREQUENCY DOMAIN FILTRATION

Frequency-domain methods for forensic audio enhancement often use some form of spectral subtraction. As its name implies, spectral subtraction involves forming an estimate of the noise spectrum (noise power as a function of frequency) and then subtracting this estimate from the noisy input signal spectrum.

The noise-reduced output is created by reconstructing the signal from the subtracted spectrum. Ideally, all the spectral energy below the noise estimate threshold is removed, so if the desired signal components exceed the noise level over much of the frequency range and if the noise estimate is sufficiently accurate, the technique can be useful and effective.
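Spectral subtraction as described, worked through on a constructed signal (an added example, not from the assignment or any forensic product): a pure tone stands in for speech, two hum components plus low-level white noise stand in for the interference, the noise spectrum is estimated from noise-only frames, each bin's magnitude has the estimate subtracted and is floored at zero, and the signal-to-noise ratio is measured before and after. The O(N^2) DFT is written out in plain Python so nothing beyond the standard library is needed.

```python
import cmath
import math
import random

N = 64  # frame length in samples (constructed; small so the O(N^2) DFT stays quick)


def dft(x):
    """Discrete Fourier transform of a real frame, returned as N complex bins."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)) for k in range(n)]


def idft(X):
    """Inverse DFT; the input is conjugate-symmetric so only the real part is kept."""
    n = len(X)
    return [sum(X[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n for t in range(n)]


def tone(bin_index, amp, phase=0.0):
    """A sinusoid that completes bin_index cycles per frame, so it lands exactly on one DFT bin."""
    return [amp * math.sin(2 * math.pi * bin_index * t / N + phase) for t in range(N)]


def make_noise(rng):
    """Constructed stationary interference: two hum components plus low-level white noise."""
    hum = [a + b for a, b in zip(tone(3, 0.5), tone(5, 0.3, 1.0))]
    return [h + rng.gauss(0.0, 0.1) for h in hum]


def estimate_noise_spectrum(noise_frames):
    """Average magnitude spectrum over noise-only frames: the 'noise estimate' of the text."""
    mags = [[abs(c) for c in dft(f)] for f in noise_frames]
    return [sum(m[k] for m in mags) / len(mags) for k in range(N)]


def spectral_subtract(frame, noise_mag):
    """Subtract the noise magnitude per bin, floor at zero, keep the noisy phase, resynthesise."""
    Y = dft(frame)
    Xhat = []
    for k in range(N):
        mag = max(abs(Y[k]) - noise_mag[k], 0.0)  # energy below the estimate is removed
        Xhat.append(cmath.rect(mag, cmath.phase(Y[k])))
    return idft(Xhat)


def snr_db(clean, observed):
    """Signal-to-noise ratio of 'observed' relative to the known clean signal, in dB."""
    sig = sum(s * s for s in clean)
    err = sum((o - s) ** 2 for o, s in zip(observed, clean))
    return 10 * math.log10(sig / err)


def demo(seed=1, noise_only_frames=16):
    """Enhance one noisy frame and report SNR before and after spectral subtraction."""
    rng = random.Random(seed)
    speech = tone(8, 1.0)  # stand-in for the wanted signal
    noise_est = estimate_noise_spectrum([make_noise(rng) for _ in range(noise_only_frames)])
    noisy = [s + n for s, n in zip(speech, make_noise(rng))]
    enhanced = spectral_subtract(noisy, noise_est)
    return {"snr_before_db": snr_db(speech, noisy), "snr_after_db": snr_db(speech, enhanced)}


if __name__ == "__main__":
    result = demo()
    print("SNR before: %.1f dB" % result["snr_before_db"])
    print("SNR after:  %.1f dB" % result["snr_after_db"])
```

With a good noise estimate the hum bins are removed almost entirely while the white-noise floor is only partly reduced, which is why the gain is large here and smaller on real recordings where the noise is less stationary.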

AUDIO FORENSIC TOOLS

There are hundreds, if not thousands, of audio forensic software packages. However, the notable and most commonly used tools are listed below:

- Audio Forensics Software by Tracer Technologies

- Forensics Audio Workstation by SpeechPro

- Forensic Audio Analysis Laboratory Full Solution by Acustek-Technical

(E) DATA ACQUISITION AND DUPLICATION

Data acquisition is the process of gathering evidence or information by using established methods to acquire data from a suspect storage medium, to gain access to information about the crime or other incident and potentially use that data as evidence to convict a suspect.

In computer forensics, this means using established methods to acquire data from a suspect computer or storage media to gain insight into a crime or other incident and potentially use it as evidence to convict a suspect. The goal of data acquisition is to preserve evidence, so any tools that are used should not alter the data in any way and should provide an exact duplicate. To prevent contamination, any data that is duplicated should be stored on forensically sterile media, meaning that the disk has no other data on it and has no viruses or defects.

Duplication of data is a critical part of any computer forensic investigation. To effectively examine data on a suspect machine, a person performing a forensic examination of the machine needs to create an image of the disk.

When you create a disk image (a bitstream copy), each physical sector of the disk is copied so that the data is distributed in the same way, and then the image is compressed into a file called an image file. This image is exactly like the original, both physically and logically. As an exact duplicate of the data on a suspect machine or storage media, the mirror image includes hidden files, temp files, corrupted files, file fragments, and erased files that have not yet been overwritten. In other words, every binary digit is duplicated exactly.
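A minimal bit-stream acquisition that follows the rules above (read-only source, sterile destination, every sector copied, copy verified), as an added example that is not part of the original assignment. The suspect drive is a constructed in-memory byte string, and the SHA-256 verification hash is the usual practice and an assumption here, since the text does not name a hash algorithm.

```python
import hashlib
import io

SECTOR = 512


def build_sample_device(sectors=8):
    """Constructed stand-in for a suspect drive: boot sector, a live file, and an unlinked remnant."""
    buf = bytearray(SECTOR * sectors)
    buf[0:SECTOR] = b"BOOT".ljust(SECTOR, b"\x00")
    buf[SECTOR:2 * SECTOR] = b"notes.txt: meeting at 9".ljust(SECTOR, b" ")
    buf[5 * SECTOR:6 * SECTOR] = b"unlinked but not yet overwritten: transfer 4500 to acct 77".ljust(SECTOR, b"\x00")
    return bytes(buf)


def image_device(src, dst, sector_size=SECTOR):
    """Bit-stream copy: read the source sector by sector, hash it as read, write every byte to dst."""
    src_hash = hashlib.sha256()
    sectors = 0
    while True:
        chunk = src.read(sector_size)
        if not chunk:
            break
        if len(chunk) != sector_size:
            # a drive is a whole number of sectors, so a short read means the copy is not exact
            raise IOError(f"short read at sector {sectors}: {len(chunk)} bytes")
        src_hash.update(chunk)
        dst.write(chunk)
        sectors += 1
    dst.flush()
    return {"sector_size": sector_size, "sectors": sectors, "source_sha256": src_hash.hexdigest()}


def verify_image(dst, record):
    """Independently re-read the image and compare its hash and length with the source record."""
    dst.seek(0)
    h = hashlib.sha256()
    length = 0
    while True:
        chunk = dst.read(record["sector_size"])
        if not chunk:
            break
        h.update(chunk)
        length += len(chunk)
    verified = (h.hexdigest() == record["source_sha256"]
                and length == record["sectors"] * record["sector_size"])
    return {**record, "image_sha256": h.hexdigest(), "verified": verified}


def acquire(device_bytes):
    """Acquire an in-memory 'device' onto an empty (sterile) buffer and return the verified record."""
    src = io.BytesIO(device_bytes)  # opened for reading only, as a write blocker would enforce
    dst = io.BytesIO()              # sterile destination: nothing on it before the copy
    record = verify_image(dst, image_device(src, dst))
    return record, dst.getvalue()


def verify_bytes(image_bytes, record):
    """Re-verify a stored image (for example before analysis) against the acquisition record."""
    return verify_image(io.BytesIO(image_bytes), record)


if __name__ == "__main__":
    rec, img = acquire(build_sample_device())
    print(rec["sectors"], "sectors of", rec["sector_size"], "bytes copied")
    print("source sha256:", rec["source_sha256"])
    print("image  sha256:", rec["image_sha256"], "verified:", rec["verified"])
    # the unlinked remnant survives in the image because every sector was copied, not just live files
    print(img[5 * SECTOR:6 * SECTOR].rstrip(b"\x00"))
```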

DATA ACQUISITION TOOLS

Data Acquisition tools may consist of software used to duplicate data, create image files that may be mounted and analysed afterward, or hardware-based solutions that can acquire data from a suspect machine. The following are the common tools utilised in this process:

- The Forensic Toolkit (FTK) Imager by AccessData

- SafeBack by NTI

- DriveSpy by Digital Intelligence Forensic Solutions

- Mount Image PRO by GetData Software Development

- DriveLook by Runtime Software Labs

- SnapBack DatArrest by SnapBack

- SCSIPAK by Vogon

(F) RECOVERING DELETED FILES AND PARTITION

A deleted file is any file that has been logically erased from the file system but may still remain physically on storage media. How a file is deleted can vary. Although for many people, deleting a file means selecting a file and pressing the DEL or Delete button on their keyboard, there are other ways in which a file may be deleted:

- Command Line Delete

- Moving Files

- Disk Cleanup

Disk erasing software wipes the disk clean by erasing all the files and overwriting the disk space with a series of ones and zeros. In doing so, every sector of the disk is overwritten, making the data unrecoverable. If anyone attempted to recover data on the disk, they would not be able to retrieve anything because the data is completely destroyed.

When a file is deleted, it doesn’t necessarily mean that the data cannot be completely or partially recovered. Data written on a hard disk generally stays there unless or until it is either overwritten by more data or physically erased by a magnet. Simply deleting the data using operating system file management utilities does not get rid of the data. It only removes the pointer used by the file system to locate that data physically on the disk. The data itself (in the form of the physical changes to the disk’s magnetic surface) is still there and can be recovered using special recovery software.

Data recovery is a process of salvaging data that was lost or deleted.

Deleted File Recovery Tools

Data recovery tools are designed to restore data that has been deleted or corrupted from any number of sources, including hard disks, CDs, DVDs, Blu-ray, HD-DVD, floppy disks, memory cards used in digital cameras, and other storage media. Depending on the capabilities of the software, it will scan the media and search for any damaged, corrupted, or deleted files and display which ones are available for recovery, allowing you to choose which ones will be restored. Some of the most commonly used software packages are:

- Undelete

- Active@ Data Recovery Software

- R-Undelete

- Easy-Undelete

- WinUndelete

- FileScavenger

- VirtualLab

- Stellar Phoenix

Recovering Deleted Partitions

Partitioning a hard disk involves dividing the disk into volumes, which generally appear to the operating system as logical drives, identified by different drive letters. The disk is divided into logical drives for the purposes of performance and organization of the data. Each logical drive can be formatted separately so that each one uses a different file system.

When a partition is deleted, its entry in the partition table is removed. Although it can appear quite alarming that an entire partition of information is no longer visible, the data has not been destroyed on the disk.

Partition recovery tools automate a number of tasks that attempt to restore a damaged or deleted partition and/or the data it held. The main ones are:

■ reading the partition table (MBR or GPT), reporting entries that are missing, overlap, or point outside the disk, and letting the user select a partition and mark it active;

■ scanning the disk sector by sector for a partition boot sector (recognisable by its 0x55AA signature and the file-system OEM ID) and rebuilding the partition table entry from the fields in it. The boot sector records bytes per sector, sectors per cluster, and the total number of sectors, which is everything needed to write the start LBA and length back into the table. Because both NTFS and FAT32 keep a backup boot sector (NTFS in the last sector of the volume, FAT32 usually in sector 6 of the volume), a volume whose primary boot sector is damaged can be recovered by restoring the backup;

■ when no boot sector survives, scanning the unallocated space for file-system structures (MFT records, FAT directory entries) or file signatures and recovering files from the former partition even without reconstructing the table.
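The second task above, as an added example rather than code from any of the tools this essay lists: a Python scan of a constructed disk image for NTFS and FAT32 boot sectors, skipping the backup copies each file system keeps, followed by rebuilding the MBR partition table from the fields in the boot sectors. The partition positions, sizes and the image itself are constructed; the byte offsets used (OEM ID at 3, NTFS total sectors at 40, FAT32 total sectors at 32, FAT32 backup boot sector at 50, FAT32 type string at 82, signature at 510) are the standard on-disk layouts.

```python
import struct

SECTOR = 512


def ntfs_boot_sector(total_sectors):
    """Constructed NTFS boot sector: jump, 'NTFS    ' OEM ID at offset 3,
    bytes per sector, sectors per cluster, total sectors at offset 40
    (the field excludes the backup boot sector), 0x55AA signature."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 11, SECTOR)
    bs[13] = 8
    struct.pack_into("<Q", bs, 40, total_sectors)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def fat32_boot_sector(total_sectors, backup_sector=6):
    """Constructed FAT32 boot sector: total sectors at offset 32, backup boot
    sector location at offset 50, 'FAT32   ' type string at offset 82."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", bs, 11, SECTOR)
    bs[13] = 8
    struct.pack_into("<I", bs, 32, total_sectors)
    struct.pack_into("<H", bs, 50, backup_sector)
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def build_demo_image():
    """Constructed sample disk: an MBR whose partition table was zeroed, an
    NTFS volume at LBA 63 (1024 sectors) and a FAT32 volume at LBA 1100
    (900 sectors). Both volumes carry their backup boot sectors, as real ones do."""
    img = bytearray(2100 * SECTOR)
    img[510:512] = b"\x55\xaa"                          # MBR signature, entries all zero
    ntfs = ntfs_boot_sector(1023)                       # field excludes the backup sector
    img[63 * SECTOR:64 * SECTOR] = ntfs
    img[(63 + 1023) * SECTOR:(63 + 1024) * SECTOR] = ntfs   # NTFS backup: last sector of volume
    fat = fat32_boot_sector(900)
    img[1100 * SECTOR:1101 * SECTOR] = fat
    img[1106 * SECTOR:1107 * SECTOR] = fat              # FAT32 backup: BPB_BkBootSec = 6
    return bytes(img)


def scan_for_boot_sectors(image):
    """Walk every sector looking for a boot-sector signature and a known
    file-system identifier; derive start and length from the boot sector and
    remember where its backup copy will be so it is not reported twice."""
    found, backups = [], set()
    for lba in range(len(image) // SECTOR):
        if lba in backups:
            continue
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xaa":
            continue
        if s[3:11] == b"NTFS    ":
            total = struct.unpack_from("<Q", s, 40)[0]
            found.append({"fs": "NTFS", "start_lba": lba, "sectors": total + 1})
            backups.add(lba + total)
        elif s[82:90] == b"FAT32   ":
            total = struct.unpack_from("<I", s, 32)[0]
            backup = struct.unpack_from("<H", s, 50)[0]
            found.append({"fs": "FAT32", "start_lba": lba, "sectors": total})
            if backup:
                backups.add(lba + backup)
    return found


def partition_table(parts):
    """Rebuild the 64-byte MBR partition table (four 16-byte entries) from the
    volumes the scan located. CHS fields get the 'use LBA' marker FE FF FF."""
    type_codes = {"NTFS": 0x07, "FAT32": 0x0C}
    table = b""
    for i in range(4):
        if i < len(parts):
            p = parts[i]
            table += struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", type_codes[p["fs"]],
                                 b"\xfe\xff\xff", p["start_lba"], p["sectors"])
        else:
            table += bytes(16)
    return table


def repair_mbr(image, parts):
    """Return a copy of the image with the partition table written back at offset 446."""
    fixed = bytearray(image)
    fixed[446:510] = partition_table(parts)
    fixed[510:512] = b"\x55\xaa"
    return bytes(fixed)


if __name__ == "__main__":
    disk = build_demo_image()
    parts = scan_for_boot_sectors(disk)
    print(parts)
    repaired = repair_mbr(disk, parts)
    print(repaired[446:510].hex())
```

A real tool would also validate each candidate (bytes per sector of 512 or 4096, sectors per cluster a power of two, the volume fitting inside the disk) before trusting it, since 0x55AA alone matches plenty of stray data.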

A number of tools are available for partition recovery, each of which has various features that can make it easier to restore data that may have been lost from accidental deletion or damage to the partition.

Below are some of the most prominent Partition Recovery Tools:

- Active@ Partition Recovery

- Active@ Disk Image

- DiskInternals Partition Recovery

- GetDataBack

- NTFS Deleted Partition Recovery

- Handy Recovery

- Acronis Recovery Expert

- TestDisk

- Partition Table Doctor

(G) IMAGE FILES FORENSICS

One of the most common types of media acquired in a computer forensic examination is image files. An image file is any picture or graphical depiction that has been stored in digital format. Generally, this refers to photographs, drawings, or other graphics that don’t include any motion or animation.

A primary component of an image’s characteristics is how the image was created. Different types of images can be created, which determine how the graphic is displayed, its resolution when it is expanded or reduced in size, the colors displayed, and other elements that make up the overall presentation of the graphic.

The three (3) types of graphics:

(a) Raster Images

(b) Vector Images

(c) Metafile images

(a) Raster Images

Raster images are graphics that are created or captured as a set of pixels that are mapped to a grid.

(b) Vector Images

Vector graphics are generated from mathematical information stored in the graphic, which instructs the program opening the image how to display the position, width, length, direction, and other aspects of objects used to create the picture.

(c) Metafile Images

Metafile graphics are images that can contain a combination of raster, vector, and type data. The vector and type portions can be enlarged or reduced without any loss of resolution, while any embedded raster data pixelates when enlarged, just as a standalone bitmap would. Some types of metafile graphics include:

■ Encapsulated PostScript, which have the file extension .eps

■ Computer Graphics Metafile, which have the file extension .cgm

■ Windows Metafile, which have the file extension .wmf

■ Enhanced Metafile, which have the file extension .emf

Common Image File Formats:

■ BMP (Bitmap) files

■ GIF (Graphics Interchange Format)

■ PNG (Portable Network Graphics)

■ JPEG (Joint Photographic Experts Group)

■ JPEG 2000

■ TIFF (Tagged Image File Format)

Locating and Recovering Image Files

Image File Headers

An image file header is the portion of a file that holds data about the image's size, resolution, number of colours, and other facts that a program needs to display it properly. Headers also carry a fixed signature ("magic number") that identifies the file type from its first few bytes regardless of the file's extension: every BMP file starts with the characters BM (0x42 0x4D); a JPEG starts with 0xFF 0xD8 0xFF and ends with the marker 0xFF 0xD9; a PNG starts with 0x89 followed by "PNG", 0x0D 0x0A 0x1A 0x0A; a GIF starts with "GIF87a" or "GIF89a". When an application opens a file it reads the header to check that the image is not damaged and is a format it can display. An examiner can view these bytes with a hexadecimal editor such as WinHex or a binary file viewer, and a mismatch between a file's extension and its header (a .txt file whose bytes begin 0xFF 0xD8 0xFF) is a standard indicator that someone has tried to disguise the file.

File Fragments

Even when a file has been deleted, part of its data may still be found in unallocated space or in slack space on the hard disk. Even if part of the data is missing, the remaining bytes can still be viewed with a hex editor or other tools, and, because image formats carry recognisable headers and trailers, the file can often be reconstructed (carved) from those fragments and restored.
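How header and trailer knowledge turns a run of unallocated bytes back into files, as an added example (not from the original essay or from any of the tools it names): a small Python carver run over a constructed blob containing a BMP, a PNG and a JPEG stand-in separated by filler. It uses each format's own structure to find the end of the file, and checks the PNG's chunk CRCs to tell an intact carve from a damaged one. The JPEG stand-in carries only a real SOI/APP0 header and EOI trailer and is not a decodable picture; the BMP and PNG are small but valid files.

```python
import struct
import zlib


def png_chunk(ctype, data):
    """One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height, rgb=(255, 0, 0)):
    """Constructed 8-bit RGB PNG: signature, IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines)) + png_chunk(b"IEND", b""))


def make_bmp(width, height, rgb=(0, 0, 255)):
    """Constructed 24-bit BMP: 'BM' magic, total size at offset 2, 40-byte DIB header, padded rows."""
    row = (bytes(rgb[::-1]) * width).ljust((3 * width + 3) // 4 * 4, b"\x00")
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + pixels


# Constructed JPEG stand-in: real SOI + APP0 (JFIF) header and EOI trailer, no image data.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"

SIGNATURES = {"bmp": b"BM", "png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff"}


def build_demo_blob():
    """Constructed 'unallocated space': three images separated by filler bytes."""
    return (bytes(37) + make_bmp(2, 2) + b"unallocated " * 3
            + make_png(3, 2) + bytes(10) + FAKE_JPEG + bytes(5))


def carve(blob):
    """Signature-based carving: find a known header, then use the format's own
    structure to locate the end of the file (BMP: size field at offset 2;
    PNG: walk the chunks to IEND; JPEG: FFD9 end-of-image marker)."""
    found, pos = [], 0
    while pos < len(blob):
        fmt = next((f for f, sig in SIGNATURES.items() if blob.startswith(sig, pos)), None)
        if fmt is None:
            pos += 1
            continue
        end = None
        if fmt == "bmp":
            if pos + 6 <= len(blob):
                size = struct.unpack_from("<I", blob, pos + 2)[0]
                if 54 <= size <= len(blob) - pos:      # anything under 14+40 bytes is not a BMP
                    end = pos + size
        elif fmt == "png":
            p = pos + 8
            while p + 8 <= len(blob):
                length, ctype = struct.unpack_from(">I4s", blob, p)
                p += 12 + length                       # length, type, data, CRC
                if ctype == b"IEND":
                    end = p
                    break
        elif fmt == "jpeg":
            eoi = blob.find(b"\xff\xd9", pos + 3)
            if eoi != -1:
                end = eoi + 2
        if end is None or end > len(blob):
            pos += 1            # looked like a header but the structure did not check out
            continue
        found.append({"format": fmt, "offset": pos, "data": blob[pos:end]})
        pos = end
    return found


def png_chunks_ok(data):
    """Verify every chunk CRC up to IEND: a carved PNG that fails this is
    damaged (overwritten or truncated) and will not display correctly."""
    p = 8
    while p + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, p)
        body = data[p + 8:p + 8 + length]
        stored = struct.unpack_from(">I", data, p + 8 + length)[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored:
            return False
        if ctype == b"IEND":
            return True
        p += 12 + length
    return False


if __name__ == "__main__":
    for hit in carve(build_demo_blob()):
        print(hit["format"], hit["offset"], len(hit["data"]))
```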

Image File Forensic Tools

Image file forensic tools extract pictures from a forensic image (the bit-for-bit duplicate of the evidence media) so that you can view them without touching the original. Some of these tools also have built-in image viewers, allowing you to view the pictures without modifying them. Some of the more popular image file forensic tools include the following:

- GFE Stealth

- P2 eXplorer

- ILook

(H) WINDOWS REGISTRY EVIDENCE ANALYSIS

Windows Registry forensics is an important branch of computer and network forensics. The Windows Registry is often considered the heart of the Windows operating system because it contains the configuration settings of specific users, groups, hardware, software, and networks. The Registry can therefore be viewed as a gold mine of forensic evidence that could be used in court. This section introduces the basics of the Windows Registry, describes its structure and the keys and subkeys that have forensic value, and discusses how these keys can be applied in intrusion detection.

The Registry is a central hierarchical database, used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 and later, that stores the information necessary to configure the system for one or more users, applications, and hardware devices.

The Registry first appeared in Windows 3.1 (for OLE and file associations) and Windows NT 3.1, and became the central configuration store with Windows 95; it has been incorporated into every Microsoft operating system since. Although versions differ slightly, they share essentially the same structure and serve the same main purpose as a configuration database. The Registry replaced the configuration files used in MS-DOS, such as config.sys and autoexec.bat: the primary purpose of config.sys was to load device drivers and that of autoexec.bat was to run startup programs and set environment variables, and the Registry now handles these functions. In addition to replacing the DOS configuration files, the Registry also replaced the text-based initialization (.ini) files introduced in Windows 3.0; those files, specifically win.ini and system.ini, stored user settings and operating system parameters.

Structure of the Windows Registry

By opening the Registry Editor (typing 'regedit' in the Run box), the Registry can be browsed as one unified tree. The left-hand pane, also known as the key pane, contains an organised listing of what look like folders. The five top-level entries are the root keys and all begin with 'HKEY' (Handle to a Key); they are often loosely called 'hives', although strictly a hive is one of the on-disk files (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT and others) that the kernel loads under HKEY_LOCAL_MACHINE and HKEY_USERS. Of the five root keys only two are 'real', HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM); the other three are shortcuts or aliases to branches within one of those two. Each root key is composed of keys, which in turn contain subkeys and values. A value has a name, a type (REG_SZ, REG_DWORD, REG_BINARY and so on) and data, and it is the values that hold the actual settings the operating system and applications read.

A common analogy that is often used to help understand the structure of the Windows Registry is a comparison between it and the Windows Explorer file system, both are very similar in their structures. The key pane of the Registry is much like the hierarchical structure of the left-hand pane in the Windows Explorer file system. The keys and subkeys located within the five main hives are similar to folders and subfolders of Windows Explorer, and a key's value is similar to a file within a folder. In the right-hand pane of the Windows Registry - a value's name is similar to a file's name, its type is similar to a file's extension, and its data is similar to the actual contents of a file.

Root Key Functions:

Below are the five root keys seen in Figure 1, each with a very basic description. The abbreviation in parentheses beside each root key is the one used throughout the rest of this section.

1. HKEY_CLASSES_ROOT (HKCR)

Information stored here ensures that the correct program opens when a file is double-clicked in Windows Explorer. It also holds drag-and-drop rules, shortcut handling, and user-interface information. It is a merged view of HKLM\Software\Classes (machine-wide associations) and HKCU\Software\Classes (the current user's overrides).

2. HKEY_CURRENT_USER (HKCU) Contains configuration information for the user who is currently logged into the system, including the user's folders, screen colours, and Control Panel settings. Alias for that user's SID branch under HKEY_USERS. HKU\.DEFAULT is not a template that applies to all users; it is the profile used when no interactive user is logged on (for example at the logon screen), so settings made there do not propagate to user accounts.

3. HKEY_LOCAL_MACHINE (HKLM)

Contains hardware-specific information about the machine the operating system runs on, including the list of drives mounted on the system and the machine-wide configuration of installed hardware and applications.

4. HKEY_USERS (HKU)

Contains configuration information of all user profiles on the system, which concerns application configurations, and visual settings.

5. HKEY_CURRENT_CONFIG (HKCC)

Stores information about the hardware profile the system is currently using. Alias for HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current on NT-based Windows (the HKLM\Config path applied only to Windows 9x).

Examination Tools

Currently, many tools are available to forensic examiners for extracting evidentiary information from the Registry. The tool used in this paper to analyse and navigate the registry is Registry Editor (regedit.exe), which is free and included in every installation of Microsoft Windows XP; administrator privileges are needed to see every key. Note that regedit shows only the live registry of the machine it runs on, and merely running it changes keys (for example its own LastKey value under HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit), so for casework the hive files are extracted from the forensic image and parsed offline, which leaves the evidence untouched.

The Registry as a Log

Every Registry key carries a value called the 'LastWrite' time, which is very similar to the last modification time of a file. It is stored as a FILETIME structure, which the Microsoft Knowledge Base defines as the number of 100-nanosecond intervals since January 1, 1601 (UTC), and it indicates when the key was last modified. The LastWrite time is updated when the key is created and whenever one of its values or immediate subkeys is added, changed, or deleted; it is not updated by simply reading the key. Only keys have a LastWrite time; individual values do not, so the time tells you that something in the key changed but not which value.

Harlan Carvey, author of Windows Forensics and Incident Recovery, refers to a tool called Keytime.exe, which allows an examiner to retrieve the LastWrite time of any specific key. Keytime.exe can be downloaded from http://www.windowsir.com/tools.html. Knowing the LastWrite time of a key allows a forensic analyst to infer the approximate date or time at which an event occurred. Although one may know the last time a Registry key was modified, it remains difficult to determine which value was actually changed. Using the Registry as a log is most helpful when the LastWrite time of a Registry key is correlated with other sources of information, such as the MAC (modified, accessed, or created) times found within the file system.

MRU Lists

MRU, or 'most recently used', lists contain entries made as a result of specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists in case the user returns to the items in the future, much as a web browser keeps history and cookies. One example of an MRU list in the Windows Registry is the RunMRU key. When a user types a command into the 'Run' box via the Start menu, the entry is added to this key, located at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; its contents can be seen in Figure 2. The chronological order of applications executed via 'Run' is given by the data of the 'MRUList' value: each letter names one of the lettered values in the key, newest first. Here the first letter is 'g', which tells us that the last command typed into the 'Run' box was the one stored in value 'g', notepad. The LastWrite time of the RunMRU key will therefore correspond to the time that last command, 'g', was run.

Forensic Evidence from Security Identifiers Each user, group, and computer is assigned a Security Identifier (SID), and access control lists also use SIDs rather than names to distinguish users and groups. On an evidence image the usernames and group names may be unknown, renamed, or deleted, but the SIDs persist, so they are the reliable identifiers for users and groups. They are also easy to find: the ProfileList key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) lists every profile's SID together with its profile path, and the last component of a SID (the relative identifier, RID) is itself informative: 500 is the built-in Administrator, 501 the Guest account, and RIDs of 1000 and above belong to accounts created after installation.

Forensics Evidence about System Access through User Activities

User activities include all of the actions that users have performed on a computer. Here we only focus on those actions that may provide useful information for an investigation. In the Windows Registry, most user activities are recorded in the user's own hive, "ntuser.dat".

Fig 4.1 - Structure of the Windows Registry
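The LastWrite and MRU discussion and the SID discussion above, served by one added example that is not part of the original essay: a Python helper that converts a FILETIME value to a date, orders RunMRU entries from the MRUList letters, and maps ProfileList SIDs to usernames and RID classes. The RunMRU values, ProfileList entries, usernames and LastWrite value are constructed samples standing in for what regedit would show; the code does not read a live or offline registry.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME is the count of 100-nanosecond intervals since 1601-01-01 UTC.
    Accepts the raw 8-byte little-endian value as well as the integer."""
    if isinstance(filetime, (bytes, bytearray)):
        filetime = struct.unpack("<Q", filetime)[0]
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, for turning a known event time into the value to search for."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def runmru_history(values):
    """'values' maps RunMRU value names to their data as the examiner read them.
    MRUList orders the lettered values newest first; each command carries the
    trailing '\\1' that the Run dialog appends."""
    history = []
    for letter in values["MRUList"]:
        command = values[letter]
        if command.endswith("\\1"):
            command = command[:-2]
        history.append((letter, command))
    return history


def sid_rid(sid):
    """Relative identifier: the last sub-authority of the SID string."""
    return int(sid.rsplit("-", 1)[1])


def classify_sid(sid):
    """Well-known RIDs: 500 built-in Administrator, 501 Guest; 1000 and up are
    accounts created after installation."""
    rid = sid_rid(sid)
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "Guest"
    return "user-created account" if rid >= 1000 else "other well-known RID"


def profiles_from_profilelist(profile_list):
    """Map SIDs to usernames from ProfileImagePath values under
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList;
    the last path component is normally the logon name."""
    return {sid: {"user": path.rstrip("\\").rsplit("\\", 1)[-1], "kind": classify_sid(sid)}
            for sid, path in profile_list.items()}


# Constructed sample data standing in for what regedit would display.
RUNMRU_SAMPLE = {
    "MRUList": "gdcba",
    "a": "cmd\\1", "b": "regedit\\1", "c": "calc\\1", "d": "mstsc\\1", "g": "notepad\\1",
}
PROFILELIST_SAMPLE = {
    "S-1-5-21-1004336348-1177238915-682003330-500": "C:\\Users\\Administrator",
    "S-1-5-21-1004336348-1177238915-682003330-1001": "C:\\Users\\jsmith",
}
RUNMRU_LASTWRITE = 131182344000000000   # constructed LastWrite for the RunMRU key (2016-09-13 10:00 UTC)


if __name__ == "__main__":
    print("RunMRU LastWrite:", filetime_to_datetime(RUNMRU_LASTWRITE).isoformat())
    for letter, command in runmru_history(RUNMRU_SAMPLE):
        print(letter, command)
    for sid, info in profiles_from_profilelist(PROFILELIST_SAMPLE).items():
        print(sid, info)
```

Because only the key has a LastWrite time, the date above belongs to the newest entry ('g', notepad); the older commands in the list have no timestamp of their own and must be dated from other artefacts.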

(I) STEGANOGRAPHY DETECTION

Steganography literally means "covered writing" and involves transmitting secret messages through seemingly innocuous files. The goal is not only that the message remains hidden but that the very fact a hidden message was sent goes undetected (Johnson and Jajodia, 1998). There are many tools available (Steganography Software Web Page) that can hide messages in images, audio files and video, and steganography is now in common use (Johnson, et al., 2001). Whereas cryptography has been the preferred tool for sending secret messages, relying on strong ciphers to protect the content rather than to hide its existence, the huge bandwidth of the Internet now offers an alternative or complementary approach.

With the wide use and abundance of steganography tools on the Internet, law enforcement authorities have concerns in the trafficking of illicit material through web page images, audio, and other files. Methods of detecting hidden information and understanding the overall structure of this technology is crucial in uncovering these activities.

Digital image steganography is growing in use and application. In areas where cryptography and strong encryption are being outlawed [1], people are using steganography to avoid these policies and to send these messages secretly.

What is Steganography?

The word steganography comes from the Greek name “steganos” (hidden or secret) and “graphy” (writing or drawing) and literally means hidden writing. Steganography uses techniques to communicate information in a way that is hidden. Steganography hides the existence of a message by transmitting information through various carriers. Its goal is to prevent the detection of a secret message. The most common use of steganography is hiding information from one file within the information of another file. For example, cover carriers, such as images, audio, video, text, or code represented digitally, hold the hidden information. The hidden information may be plaintext, ciphertext, images, or information hidden into a bit stream. The cover carrier and the hidden information create a stegocarrier.

A stegokey, such as a password, is additional information that further protects the message: without it, someone who identifies the stego file still cannot extract the hidden data, and without knowing which file is the carrier an investigator may not even suspect that a message exists. Detecting that something was embedded (steganalysis) is a different problem from extracting the message, and it does not require the key.

Visual Detection

By looking at repetitive patterns, you can detect hidden information in stego images. These repetitive patterns might reveal the identification or signature of a steganography tool or hidden information. Even small distortions can reveal the existence of hidden information.

You can analyze these patterns by comparing the original cover images with the stego images and try to see differences. This is called a known-cover attack. By comparing numerous images, patterns become possible signatures to a steganography tool. A few of these signatures might identify the existence of hidden information and the tools used to embed the messages. With this information, if the cover images are not available for comparison, the derived known signatures are enough to imply the existence of a message and identify the tool used to embed the message.

Tools used to hide information

Steganographic tools fall into two broad groups: image-domain and transform-domain. Image-domain tools use bit-wise methods such as least significant bit (LSB) insertion and noise manipulation. Tools in this group include StegoDos, S-Tools, Mandelsteg, EzStego, Hide and Seek (versions 4.1 through 1.0 for Windows 95), Hide4PGP, White Noise Storm, and Steganos. The image formats these methods use are lossless (BMP, GIF, PNG), so the sample values can be manipulated directly and the embedded bits recovered exactly; saving the stego image in a lossy format such as JPEG destroys an LSB payload.

Transform-domain tools hide data in the coefficients of an image transform such as the Discrete Cosine Transform (DCT); Jpeg-Jsteg, for example, embeds in the DCT coefficients of a JPEG. The DCT is the technique used to compress JPEG, MJPEG and MPEG, in which pixel values are converted to frequency values for further processing. Hiding in that domain makes visual-analysis attacks against JPEG images much harder. These methods can hide information in more areas of the cover, may manipulate image properties such as luminance or the colour palette, and allow more hidden information (roughly 30 percent of the carrier size) per carrier file. JPEG images are widely used on the Internet because their compression produces small files with little visible loss of quality; that compression is lossy, which is exactly why image-domain LSB payloads do not survive it.
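Image-domain LSB insertion and the two detection approaches described above (the known-cover comparison and a blind check of the LSB plane), as an added example that is not from the essay or from any of the tools it lists. The "image" is a constructed array of 8-bit samples rather than a real picture file, the message is constructed, and the embedding is the simplest sequential form; real tools spread or encrypt the bits, which defeats the blind heuristic but not the known-cover comparison.

```python
import random


def embed_lsb(cover, message):
    """Image-domain LSB insertion: the bits of the message, MSB first, replace
    the least significant bit of successive 8-bit samples starting at the
    first sample, the way simple sequential tools do."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in the cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(samples, nbytes):
    """Read the LSB plane back as bytes (what a detector does without the key)."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def known_cover_attack(cover, stego):
    """Known-cover attack: the sample positions that differ between the
    original and the suspect file. With a sequential LSB tool they cluster at
    the start of the file and differ only in the low bit, which is the tool's
    signature."""
    return [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]


def ascii_text_ratio(samples, nbytes):
    """Blind heuristic when no cover is available: a run of printable ASCII in
    the LSB plane (top bit clear, values 32-126) is very unlikely in natural
    image noise but is exactly what sequential text embedding leaves behind."""
    extracted = extract_lsb(samples, nbytes)
    printable = sum(1 for v in extracted if 32 <= v <= 126)
    return printable / nbytes


def build_demo():
    """Constructed cover: 4096 8-bit samples of seeded pseudo-random 'image noise'."""
    rng = random.Random(1)
    cover = bytes(rng.randrange(256) for _ in range(4096))
    message = b"meet at the docks at midnight"
    return cover, message, embed_lsb(cover, message)


if __name__ == "__main__":
    cover, message, stego = build_demo()
    changed = known_cover_attack(cover, stego)
    print("samples changed:", len(changed), "all within first", 8 * len(message))
    print("ascii ratio cover/stego:", ascii_text_ratio(cover, len(message)),
          ascii_text_ratio(stego, len(message)))
    print(extract_lsb(stego, len(message)))
```

Roughly half of the samples in the embedded region change (a message bit matches the existing LSB half the time), so the changed count alone underestimates the payload length; the position of the last changed sample is the better bound.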

(J) FORENSICS INVESTIGATION USING ENCASE

EnCase, by Guidance Software, is considered by many to be the industry standard software tool for computer forensics examinations of media. Law enforcement, government agencies, and many colleges and universities have adopted EnCase Forensic Edition as their de facto software forensic tool.

Guidance Software first released EnCase Forensic edition version 1 on February 20, 1998. That first version ran only on Microsoft Windows operating systems and was limited to reading the FAT12, FAT16, FAT32, and NTFS file systems. On January 10, 2007, Guidance Software released EnCase version 6. The examiner application itself still runs on Windows, with acquisition and agent components available for Linux and UNIX, and it can read over 20 file systems, including TiVo file systems.

Some of the enhanced features of this version include the ability to analyze Microsoft Virtual PC and VMware images as well as some PDA (Personal Digital Assistant) platforms. An EnCase evidence file contains a duplicate of the suspect's media along with additional information about the case. It holds a bit-by-bit copy of the original media; a bit-by-bit copy is essential because it preserves items such as deleted files, folders, and slack space that a logical file copy would miss, and those items can be decisive in a computer forensics investigation. In addition to the bit-by-bit copy, the evidence file records the name of the investigator, the case number, the date and time of acquisition, and other pertinent information about the case, so that a chain-of-custody timeline can be established. That embedded case information is one way the evidence file differs from the suspect's media it copies.

Evidence File Format

When a computer forensic technician images with the EnCase software, the output is saved as files with the extension .E##, numbered sequentially from E01 upward (one file per segment when the image is split). The evidence file contains both the data from the suspect's original media, including deleted files, folders, and slack space, and the information added by the investigator during acquisition, such as case number, examiner name, evidence number, description, and notes, fields that help establish the chain of custody for that piece of evidence. Because an EnCase evidence file holds both the suspect's media and the case-related information, it differs from a raw image made with dd or dcfldd: Linux dd can create the same bit-by-bit image, but the raw image carries no case information and its hashes must be recorded separately in the examiner's log. Acquiring with EnCase keeps the suspect's data and the pertinent case information together in one verifiable file.

Ensuring File Integrity

Ensuring file integrity is a critical part of every acquisition a computer forensic investigator performs. For data to have integrity, it must not have been altered or corrupted since it was acquired. To verify that the forensic copy of the suspect's data has integrity, EnCase computes a cyclic redundancy check (CRC) for every block of 64 sectors of the original media (mandatory on all versions of EnCase prior to version 5) and stores it with the block in the evidence file, so that later corruption can be localised to a specific block.

The other mechanism EnCase uses to ensure data integrity is a Message Digest 5 (MD5) hash. MD5 is a cryptographic hash function applied to the whole data stream; the 128-bit value it produces is recorded at acquisition and recomputed at verification, and a change to even one bit of the image produces a different value. MD5 is no longer collision-resistant (two different inputs with the same MD5 can be constructed deliberately), so current practice is to record a second hash such as SHA-1 or SHA-256 alongside it. A hash documents that the image is unchanged since acquisition; it does not by itself prove that the acquisition was correct.
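The two integrity mechanisms just described, modelled as an added example (not Guidance Software's code, and not the EWF/.E01 on-disk layout): a CRC32 per 64-sector block plus whole-stream hashes taken at acquisition, then re-checked against a tampered copy so the damaged block can be named. The evidence stream is constructed.

```python
import hashlib
import zlib

SECTOR = 512
BLOCK_SECTORS = 64
BLOCK = SECTOR * BLOCK_SECTORS


def acquire(media):
    """Integrity record taken at acquisition time: a CRC32 for every 64-sector
    block plus whole-stream hashes. This follows the scheme the text describes,
    not the actual EWF (.E01) file format."""
    crcs = [zlib.crc32(media[i:i + BLOCK]) & 0xFFFFFFFF for i in range(0, len(media), BLOCK)]
    return {
        "length": len(media),
        "crcs": crcs,
        "md5": hashlib.md5(media).hexdigest(),
        "sha256": hashlib.sha256(media).hexdigest(),   # second hash recorded alongside MD5
    }


def verify(media, record):
    """Return (intact, bad_blocks). The whole-stream hashes say whether the
    image still matches; the per-block CRCs say where it does not."""
    if len(media) != record["length"]:
        return False, list(range(len(record["crcs"])))
    bad = [n for n, i in enumerate(range(0, len(media), BLOCK))
           if zlib.crc32(media[i:i + BLOCK]) & 0xFFFFFFFF != record["crcs"][n]]
    hashes_ok = (hashlib.md5(media).hexdigest() == record["md5"]
                 and hashlib.sha256(media).hexdigest() == record["sha256"])
    return hashes_ok and not bad, bad


def build_demo_media():
    """Constructed evidence stream: three and a half 64-sector blocks of
    repeating byte values."""
    return bytes(range(256)) * (BLOCK * 7 // 2 // 256)


if __name__ == "__main__":
    media = build_demo_media()
    record = acquire(media)
    print("intact:", verify(media, record))
    tampered = bytearray(media)
    tampered[70000] ^= 0xFF            # one flipped byte inside block 2
    print("after tampering:", verify(bytes(tampered), record))
```

The per-block CRC is what lets an examiner say "block 2 of segment E03 is corrupt" rather than only "the hash no longer matches"; the hashes are what go in the report, and they should be computed on the original media as well as on the image so the two can be compared.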

How You Acquire a File Image

FastBloc, a hardware write-blocker, can be used to acquire file images. You can also use a forensically sound DOS boot disk to acquire file images. Another method for acquiring file images is using LinEn on a live CD that does not auto mount. You can also acquire file images over a network or through a crossover cable.

The EnCase interface: (figure not reproduced)

REFERENCES

(a) SANS - Information Security Resources. 2016. SANS - Information Security Resources. [ONLINE] Available at: https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9. [Accessed 09 September 2016].

(b) Network Intrusion: Methods of Attack | RSA Conference. 2016. Network Intrusion: Methods of Attack | RSA Conference. [ONLINE] Available at: https://www.rsaconference.com/blogs/network-intrusion-methods-of-attack. [Accessed 09 September 2016].

(c) Wikipedia. 2016. Audio forensics - Wikipedia, the free encyclopedia. [ONLINE] Available at: https://en.wikipedia.org/wiki/Audio_forensics. [Accessed 10 September 2016].

(d) An Introduction To Forensic Audio | Sound On Sound. 2016. An Introduction To Forensic Audio | Sound On Sound. [ONLINE] Available at: http://www.soundonsound.com/techniques/introduction-forensic-audio. [Accessed 10 September 2016].

(e) Forensic Focus. 2016. A Forensic Analysis Of The Windows Registry | ForensicFocus.com. [ONLINE] Available at: http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry. [Accessed 13 September 2016].

(f) George Berg. 2000. Automatic Detection of Steganography. [ONLINE] Available at: http://web.cs.ucdavis.edu/~davidson/Publications/IAAI103.pdf. [Accessed 13 September 2016].
