Digital Data Computer Forensics

Digital forensics is the scientific acquisition, analysis, and preservation of data contained in electronic media whose information can be used as evidence in a court of law. Traditional digital forensics most probably began with the seizure of a computer or some other storage media.

Guidelines for Digital Forensics:
- Do not alter the original media in any way.
- Always work on a duplicate copy, not the original.
- The examination media must be sterile, to ensure that no residual data will interfere with the investigation data.
- The investigator must remain impartial and report the facts.
These best practices were not viewed as guidelines, but as absolutes.
Generally, best practices and methodology have remained unchanged since the beginning: the system is documented; the hard drives are removed and connected to a write-blocking device. The imaging utility of choice is used to create a forensic image, and the forensic application of choice is used for examination.

Phases of Digital Forensics
Digital forensics can be divided into four phases. Some of the work performed may overlap between phases, but the phases themselves are quite different:
- Collection
- Examination
- Analysis
- Reporting

Collection
Collection is the preservation of evidence for analysis. The digital evidence needs to be an exact copy (a bit-by-bit duplication of the original media), including unused portions, deleted files, and anything else that may have been on the device.
Often this is done by physically removing the hard drive from the device, connecting it to a write-blocking unit, and using forensic software that makes forensic duplicates. The bit-stream copy is then run through a cryptographic hashing algorithm to assure it is an unaltered copy.
(Hashes: hashes use cryptographic algorithms to create a message digest of the data. When the hash of the copy matches the hash of the original, the data is considered an exact copy.)
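As an added illustration of the hashing step described above (example code, not part of the original article), the following Python script images a constructed sample "device" file block by block, hashes the bytes as they are copied, then re-reads the image independently and compares the digests; finally it flips one byte of the image to show that any alteration fails verification. The file names and sample media content are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # 64 KiB blocks, so large media never sit in memory at once


def hash_stream(fileobj, algorithm="sha256", sink=None):
    """Hash fileobj block by block; if sink is given, also write each block to it.

    Hashing the blocks as they are copied means the digest describes exactly
    the bytes that went into the image.
    """
    h = hashlib.new(algorithm)
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(block)
        if sink is not None:
            sink.write(block)
    return h.hexdigest()


def acquire(source_path, image_path, algorithm="sha256"):
    """Bit-for-bit copy of source_path to image_path, returning the acquisition hash."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        return hash_stream(src, algorithm, sink=dst)


def verify(image_path, acquisition_hash, algorithm="sha256"):
    """Re-read the image independently and compare against the recorded hash."""
    with open(image_path, "rb") as img:
        return hash_stream(img, algorithm) == acquisition_hash


def demo():
    """Constructed sample: a tiny 'device', imaged, verified, then tampered with."""
    tmp = tempfile.mkdtemp()
    device, image = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
    # Constructed media: live data followed by 'unallocated' zero bytes, which
    # a bit-stream copy must carry across as well.
    with open(device, "wb") as f:
        f.write(b"live file data\x00" * 1000 + b"\x00" * 4096)
    acq_hash = acquire(device, image)
    intact = verify(image, acq_hash)          # True: image matches acquisition
    with open(image, "r+b") as f:             # flip one byte in the image
        f.seek(10)
        f.write(b"X")
    return intact, verify(image, acq_hash)    # (True, False)
```

In practice the acquisition hash is recorded in the case notes at imaging time, and the same verification is repeated before every examination of the image.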

Examination
Examination consists of the methodical sifting and combing of the data. It may consist of examining dates, metadata, images, document content, or anything else. Many forensic practitioners use the same step-by-step process for their examination: keyword search, obtaining web histories, searching unallocated space, and searching file slack.

Forensic Tools
There are many tools that can assist with the forensic examination (both hardware and software); however, it is best to use multiple tools. The primary reason is to avoid missing a piece of evidence because of an issue inherent to one tool: when multiple tools agree on a finding, it helps remove doubts about the reliability of any one of them. Be sure to have enough drives or storage to hold all the forensic images that will be collected. Preparation should include wiping those drives so that no leftover data can contaminate the data collected.

Basic Forensic Tools

Hardware
Target hard drives, a write blocker, and cables (network, IDE, and SCSI).
Software
Boot disks and drivers for both your forensic system and any system you may encounter, especially for network cards.
Other content
Labels, anti-static bags, pens and markers, blank media (CDs, DVDs), and a camera.
A final consideration is that data may need to be preserved in order of volatility.

Analysis
The analysis phase of the digital forensic process is where we look deeper into the data. The analysis is the sum of all the data applied toward the resolution of the incident. During the analysis phase the data from multiple systems or sources is pulled together to create as complete a picture and event reconstruction as possible. It can take huge amounts of time to import logs into various applications, and hours to move and copy data between storage systems. The whole job may take weeks or months to complete.

Tools for Data Analysis
There are as many ways to analyze the data as there are log files. There are tradeoffs to any of them, whether it is cost, performance, or complexity. Often tools that are used on a daily basis by system administrators to perform proactive troubleshooting and tuning can be the same tools used for reactive analysis.
Normally, as the tools increase in performance, they also increase in cost and/or complexity. Some of the tools are grep, Perl scripts, Excel, SQL, and commercial network forensics tools.

Reporting
The report is a compilation of all the documentation, evidence from the examinations, and the analysis. The report needs to contain the documentation of all the systems analyzed, the tools used, and the discoveries made. The report needs to have the dates and times of the analysis, and detailed results. It should be complete and clear so the results and content are understood perhaps years down the road.

Anti-forensics
Anti-forensics is the movement to exploit weaknesses in the forensic process or tools. It can also be the act of hiding data from the forensic exam. Techniques can be as simple as running a script that runs the touch command on every file to alter the date and time stamps, or deleting log and temporary files.

Metasploit:
The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide.
Timestomp:
First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.
Slacker:
A tool that allows you to hide files within the slack space of the NTFS file system.
Transmogrify:
An upcoming tool to defeat forensic tools’ file signature capabilities by masking and unmasking your files as any file type.
Sam Juicer:
A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting the disk.
The Defiler’s Toolkit:
Tools that allow more secure deletion of files on UNIX systems; they overwrite, or basically wipe, the inodes that no longer have a file name associated with them.
Commercial tools:
With the availability of commercial tools to perform secure deletion, even novice computer users can work to hide their electronic footprints.
Evidence Eliminator:
All-in-all, Evidence Eliminator™ is simply the first and only top-quality professional PC cleaning program that is capable of defeating all known investigative Forensic Software!
Window Washer:

These tools are not foolproof, but they can make the forensic task extremely difficult.