Digital Forensics

Tim Sheppard, CHEM 2111, Dr. Vogel, 12/1/08

Computers are one of the largest advances in human technology and have become an integral part of life. Sadly, as with many other advances in technology, people use them for immoral purposes, so digital forensics is needed to determine what people have and have not done on a computer.

Since it is a recent field and the technology is constantly evolving, not many people understand how to handle digital evidence. Some colleges offer courses in security, but it is not a standard part of computer science. In addition to the few colleges that do offer security courses, there are a number of vocational technology schools that offer training in cyber security and digital forensics. One of the difficulties with education in digital forensics is that there are not many people who have training or experience. This poses a problem because lawyers will call the evidence invalid if the methods used in handling and collection do not ensure data integrity.

The first thing that matters is how the evidence is collected. The methods used depend on whether the computer is on or off. In the past, the first thing done after finding a computer was to power it down, to protect the data from time bombs or active deletion. If the suspect had set up his computer to delete incriminating data at a certain time if predefined conditions were not met, or if he knew that his computer was about to be seized and was running software to clean it, powering down would prevent the data from being lost.

With the changes in technology and hard drive encryption techniques, it is now recommended that the computer be left on. The way modern hard drive encryption is set up, if the computer is shut down it is possible that the only key to the encryption is on the live hard drive, and then the data will be nearly impossible to recover. If the computer is off, it should not be powered up; that way any programs that might damage the data cannot run, and no one can claim that the evidence was planted on the defendant's computer.

Another important requirement for ensuring the integrity of the evidence is to make sure there is a backup of the evidence and that the original is unmodified. Most of the software packages used in digital forensics guarantee that the original data will be unmodified. Some of the software will make a copy of a live computer. Most digital forensics toolkits can easily make a backup of a hard drive if the hard drive is not in use by the computer. In addition, there are hardware tools (write blockers) that force the hard drive to be read-only so that it is impossible to modify the data.

When creating backups and analyzing the data on a hard drive, there can be issues depending on what steps the suspect has taken to hide or secure the data. The first thing that should be done in any event is either to use an exact copy or to attach the drive read-only, so that the original data is preserved. The simplest and easiest hard drive to retrieve data from is one with no security at all. The next easiest is where the person only has a password to log in to the operating system and none of the data is encrypted. To get that data, the forensic scientist would only have to boot from a CD and copy the data to another hard drive; then he could put that hard drive in another computer and analyze the data.

The next easiest is if the user has encrypted the data under his username, so that when he is logged in he has access to his data, and the key for the encryption is his login password.

Depending on the operating system, there are different tools to extract the password file and crack it. Most of the password cracking software is written for Linux systems. The theory behind password cracking is that a password hash is compared against a table of hashes until a match is found. A hash is a one-way encoding of a password.

On a Windows system, the password is stored in one file and the key needed to decrypt it in another (the SAM and SYSTEM files). Both files can be extracted and run through a cracking program to find the password. Once the password is found, the computer can be logged into as the suspect and the encrypted data is accessible.

A tool used to extract the SAM file is samdump. The output of samdump is then run through a tool called bkhive. After bkhive has been run, the output can be used in a password-cracking program like John the Ripper or ophcrack to find the password. John the Ripper is a hybrid password cracker; it mainly uses a brute force guessing method. Ophcrack uses rainbow tables to crack passwords more quickly. Rainbow tables are precomputed tables used to look up passwords; the trade-off is the amount of storage needed for the table. There are small rainbow tables of a few hundred megabytes, but there are tables as large as ten gigabytes. The most secure passwords are the longest passwords; with the power of modern computers, a short password will be quick to crack no matter the method used, even if it mixes upper case and lower case letters, numbers and symbols.

The whole hard drive can be encrypted so that none of the data can be read without decrypting it. There are two ways to read the data from an encrypted hard drive. The first is to have the key, which is unlikely, since the person will probably not want his data read. The other is to break the encryption, but depending on the strength of the encryption that can take hours, days or even months. This is one of the safest ways to protect data, but it can still be defeated with enough time.

The other way that the whole hard drive can be encrypted is in hardware, using either a key within the firmware of the hard drive or a key within the motherboard. These methods still have many of the same shortcomings as the other methods; one of the difficulties is how to manage authentication. If all that has to be present is the hardware on the motherboard, then that does not protect the data at all. Although there are issues with how to handle authentication, hardware encryption is still a very good method for protecting data. None of the data on the hard drive can be accessed until the key is found.

Once the actual data has been found and decrypted, the real analysis can be conducted.

The first and easiest thing to do is to look at the files that are visible, to see what data is stored on the hard drive and whether any of it is valid or useful. If the visible data is not helpful, and it is certain that there was data that would be useful but it has been deleted, then the whitespace should be analyzed.

Whitespace (more commonly called unallocated or free space) is the area on a hard drive that the operating system reports as empty or available, but it can contain the data of deleted files. The reason this happens is that when a file is deleted, the operating system marks a flag on the memory cells as blank, but the cells still hold the data; the only difference is the flag bit. There are secure deletion utilities that will overwrite the memory cells, and eventually, when new data is added, the memory locations where the old data was stored will be written over. Even if the memory cell has been written over, the data may still be recoverable; to be safe, the data should be written over at least three times, and that is still not a one hundred percent guarantee. Checking the whitespace for deleted files is another common function of forensics toolkits. Once the program finishes the analysis of the whitespace, it will normally show what files it found and whether whole files or file fragments were found. The recovered files can then be used to see what was deleted and what the user might have been trying to hide.

Another way to hide data without deleting it is called steganography. Steganography is the science of hiding data so that only those who know about it can find it. One of the common places to hide a file is within a picture. A picture is a good file to hide data in because pictures can be large, so the extra size will go unnoticed, and depending on the file format a picture can have many unneeded bits, so that it is even harder to tell whether a file is hidden inside it. Besides checking the whitespace, the visible files need to be checked for files hidden within them. Checking for hidden files can take a very long time, even with modern computers.

If the drive has been physically damaged and cannot be read by connecting it normally, and the data is extremely important, there is one thing that can be tried. The process is extremely difficult and requires a second identical hard drive. The damaged hard drive is opened and the platter is removed and exchanged with the platter in the good hard drive. The platter is the magnetic disk inside the hard drive where the data is stored. The process is extremely delicate, and it is possible that all the data could be lost.

The tools available for digital forensics are numerous and powerful. There is almost no data that cannot be recovered using one of the available tools. With enough time, software can recover, crack or break any computer for the information needed. Although the government uses forensics to track down cyber criminals, there are many other uses. Large corporations sometimes need digital forensics: if they lose a valuable file, either by accident or by sabotage, they need to recover it.

No matter where digital forensics is employed, there is always the issue of legality.

Digital forensics can be a dangerous weapon for either side: it can be used to fight immorality, but it can also be used to further immorality. Teaching someone how to track someone on a computer also teaches what to do to not be tracked, so without morality digital forensic techniques can be used to escape justice.

Sources:

Caloyannides, Michael A. Privacy Protection and Computer Forensics. Boston: Artech House, c2004.
Carrier, Brian. Open Source Digital Forensics. 2007. 10 November 2008 <http://www.opensourceforensics.org/>.
Mohay, George M. Computer and Intrusion Forensics. Boston: Artech House, c2003.
National Institute of Justice. Electronic Crime Scene Investigation. 2001. 20 October 2008 <http://www.ncjrs.gov/pdffiles1/nij/187736.pdf>.
Pan, Jeng-Shyang. Intelligent Watermarking Techniques. River Edge, N.J.: World Scientific, c2004.
remote-exploit.org. Remote-Exploit.org - Supplying offensive security products to the world. 31 Oct. 2008. 30 Nov. 2008 <http://www.remote-exploit.org>.
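As an added worked example for the whitespace-recovery and steganography passages above (editor's code, not the essay's and not any forensic toolkit's), the block below carves JPEG pictures out of a constructed block of unallocated space by their header and footer markers, reports partly overwritten fragments, and checks a complete picture file for bytes appended after its end marker, one crude way a file can be hidden "inside" an image. The sample disk image and file contents are constructed for the demo.

```python
# Added example, not code from the essay: a minimal JPEG carver for
# unallocated ("white") space, plus a check for data appended after a
# picture's end marker. The sample image below is constructed for the demo.

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker followed by a segment marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(space: bytes, max_len: int = 8 * 1024 * 1024) -> list:
    """Scan unallocated space for JPEG header/footer pairs.
    Returns (offset, data) tuples; data is None when a header has no footer
    within max_len, i.e. only a fragment of the file survived.
    Caveat: an embedded EXIF thumbnail has its own SOI/EOI, so a carver this
    naive can stop at the thumbnail's footer; real tools parse segment lengths.
    """
    carved = []
    pos = 0
    while (start := space.find(SOI, pos)) != -1:
        end = space.find(EOI, start + len(SOI), start + max_len)
        if end == -1:
            carved.append((start, None))          # header only: a fragment
            pos = start + len(SOI)
        else:
            end += len(EOI)
            carved.append((start, space[start:end]))
            pos = end                             # anything after EOI is skipped
    return carved


def appended_payload(jpeg: bytes) -> bytes:
    """Return whatever follows the last EOI marker of a complete picture file.
    Viewers stop rendering at EOI, so appended bytes are invisible to a casual
    look but inflate the file size. An empty result only rules out this one
    hiding method, not other forms of steganography.
    """
    last = jpeg.rfind(EOI)
    return b"" if last == -1 else jpeg[last + len(EOI):]


# Constructed sample "disk image": slack zeros, a complete tiny JPEG, a JPEG
# with a note appended after its footer, and a JPEG whose footer was
# overwritten (a fragment).
_JPEG_OK = SOI + b"\xe0" + b"JFIF-ish body" + EOI
_JPEG_STEGO = _JPEG_OK + b"secret.txt contents"
_JPEG_FRAG = SOI + b"\xe0" + b"body lost its end"
SAMPLE_SPACE = (b"\x00" * 16 + _JPEG_OK + b"\x00" * 8 + _JPEG_STEGO
                + b"\x00" * 8 + _JPEG_FRAG)
```

Note that carving the stego picture out of free space recovers only the bytes up to its footer; the appended note is found only when the whole visible file is checked with appended_payload.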