Research in Computer Forensics
Total Page:16
File Type:pdf, Size:1020Kb
CORE Metadata, citation and similar papers at core.ac.uk Provided by Calhoun, Institutional Archive of the Naval Postgraduate School Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2002-06 Research in computer forensics Wai, Hor Cheong Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/5910 NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS RESEARCH IN COMPUTER FORENSICS by Hor Cheong Wai June 2002 Thesis Co-Advisors: Daniel F. Warren Dan C. Boger Approved for public release; distribution is unlimited. THIS PAGE INTENTIONALLY LEFT BLANK REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188) Washington DC 20503. 1. AGENCY USE ONLY (Leave blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED June 2002 Master’s Thesis 4. TITLE AND SUBTITLE: Research in Computer Forensics 5. FUNDING NUMBERS 6. AUTHOR(S) Hor Cheong Wai 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING Naval Postgraduate School ORGANIZATION REPORT Monterey, CA 93943-5000 NUMBER 9. SPONSORING /MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING N/A AGENCY REPORT NUMBER 11. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. 12a. DISTRIBUTION / AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE Approved for public release; distribution is unlimited. 13. ABSTRACT Computer Forensics involves the preservation, identification, extraction and documentation of computer evidence stored in the form of magnetically encoded information. With the proliferation of E-commerce initiatives and the increasing criminal activities on the web, this area of study is catching on in the IT industry and among the law enforcement agencies. The objective of the study is to explore the techniques of computer forensics from the computer security perspective. Specifically, the thesis looks into the application of forensic principles and techniques, security designs of computer hardware and software, and network protocols, in an effort to discover the trails of the computer hackers. The thesis subsequently packages this knowledge into a curriculum for a twelve weeks resident course at the Naval Postgraduate School. Complementing the research and course materials are surveys conducted on agencies and vendors currently providing computer forensic courses and training, reading materials, and software tools applicable to computer forensic investigation. The purpose of these surveys is to provide a depository of useful information related to this specialized discipline of computer security. It is the hope of the study that students in the future will benefit from the knowledge gathered in this thesis and the exposure gained from the course and laboratory exercises will allow them to correctly respond to computer intrusions and unauthorized activities they may encounter on their C4I systems. 14. SUBJECT TERMS Computer Forensics, Cyber Crime Investigation, Computer Security 15. NUMBER OF PAGES 205 16. PRICE CODE 17. SECURITY 18. SECURITY 19. SECURITY 20. LIMITATION CLASSIFICATION OF CLASSIFICATION OF THIS CLASSIFICATION OF OF ABSTRACT REPORT PAGE ABSTRACT Unclassified Unclassified Unclassified UL NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. 239-18 i THIS PAGE INTENTIONALLY LEFT BLANK ii Approved for public release; distribution is unlimited RESEARCH IN COMPUTER FORENSICS Hor Cheong Wai Major, Republic of Singapore Navy B.S., National University of Singapore, 1993 Submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN INFORMATION TECHNOLOGY MANAGEMENT from the NAVAL POSTGRADUATE SCHOOL June 2002 Author: Hor Cheong Wai Approved by: Daniel F. Warren, Thesis Co-Advisor Dan C. Boger, Thesis Co-Advisor Dan C. Boger, Chairman Information Systems Academic Group iii THIS PAGE INTENTIONALLY LEFT BLANK iv ABSTRACT Computer Forensics involves the preservation, identification, extraction and documentation of computer evidence stored in the form of magnetically encoded information. With the proliferation of E-commerce initiatives and the increasing criminal activities on the web, this area of study is catching on in the IT industry and among the law enforcement agencies. The objective of the study is to explore the techniques of computer forensics from the computer security perspective. Specifically, the thesis looks into the application of forensic principles and techniques, security designs of computer hardware and software, and network protocols, in an effort to discover the trails of the computer hackers. The thesis subsequently packages this knowledge into a curriculum for a twelve weeks resident course at the Naval Postgraduate School. Complementing the course materials are surveys conducted on agencies and vendors currently providing computer forensic courses and training, reading materials, and software tools applicable to computer forensic investigation. The purpose of these surveys is to provide a depository of useful information related to this specialized discipline of computer security. It is the hope of the study that students in the future will benefit from the knowledge gathered in this thesis and the exposure gained from the course and laboratory exercises will allow them to correctly respond to computer intrusions and unauthorized activities they may encounter on their C4I systems. v THIS PAGE INTENTIONALLY LEFT BLANK vi TABLE OF CONTENTS DESCRIPTION OF THE THESIS ........................................................................................1 A. INTRODUCTION............................................................................................1 B. COMPUTER SECURITY EDUCATION IN NPS .......................................2 C. WHY A COMPUTER FORENSIC COURSE IN NPS ................................3 D. WHAT IS COMPUTER FORENSICS ..........................................................6 E. SURVEY OF AGENCIES AND VENDORS PROVIDING COMPUTER FORENSIC COURSES AND TRAINING............................6 F. SURVEY OF READINGS ON COMPUTER FORENSIC .........................7 G. SURVEY OF TOOLS FOR COMPUTER FORENSIC INVESTIGATION ...........................................................................................7 H. DESCRIPTION OF THE COMPUTER FORENSIC COURSE................8 I. MATERIALS FOR COURSE LECTURES..................................................9 J. CONTENTS OF THE COURSE..................................................................10 1. Cyber Crime & Incident Response ..................................................10 2. Introduction to Computer Forensics................................................10 3. Application of Forensic Science to Computers ...............................11 4. Structure for Forensic Investigations...............................................11 5. Computer Forensic Procedures........................................................11 6. Forensics using MAC Times.............................................................11 7. Forensics on Windows .......................................................................12 8. Forensics on Unix...............................................................................12 9. Forensics on the Networks ................................................................12 10. Forensics on an Unknown Program.................................................13 11. Forensics on Intrusion Activities......................................................13 12. Forensics on Wireless Network.........................................................13 K. LABORATORY EXERCISES .....................................................................14 L. SUMMARY OF THE LABORATORY EXERCISES ...............................14 1. Foundstone Forensic Toolkit ............................................................14 3. AccessData Forensic Toolkit.............................................................15 4. Windows Event Log Analysis ...........................................................15 5. DumpEvt (SomarSoft) .......................................................................16 6. Unix Log Analysis ..............................................................................16 7. Network Analysis ...............................................................................17 M. CONCLUSION ..............................................................................................18 vii APPENDIX A: LIST OF AGENCIES AND VENDORS PROVIDING COMPUTER FORENSIC COURSES AND TRAINING...............................................19 APPENDIX B: LIST OF READINGS ON COMPUTER FORENSICS ..........................33 APPENDIX C: LIST OF TOOLS FOR COMPUTER FORENSIC INVESTIGATION ......................................................................................45