
TECHNIQUES OF COMPUTER FORENSICS

From the document DOCUMENT SECURITY (pages 108-112)

SECURING PAPER AND PHYSICAL DOCUMENTS


Any forensic examination of a computer or digital device starts with the physical “crime scene analysis.” A savvy computer forensics examiner treats the targeted computer as a crime scene with all relevant evidence being preserved as a part of the examination process. Observing the locus is essential to develop clues to solve problems such as:

1. Finding passwords.

2. Locating filenames.

3. Determining URLs for Web sites visited.

4. Identifying e-mail addresses.

5. Identifying associated media such as USB drives, floppies, etc.

6. Locating peripheral devices used with the computer.

Surveying the locus includes looking for notes, written logs, computer media, peripherals, computer connections, content on the computer screen, and items on the computer’s desktop. (Users often focus only on the content of electronic documents with regard to protecting confidentiality. Yet, all of the auxiliary information on notes, on paper documents, and on computer media yields secrets too, or the information points to where sensitive information resides.) The forensic examiner exploits this auxiliary information to aid in searching the contents of the computer.

Beyond eyeballing what is around the computer, the computer forensics expert photographs the computer and its immediate environment.

Digital photographs, for example, document all the items listed above in the initial observation of the locus. Additionally, recording through photography all of the computer connections and even the internal configuration of components within the computer case may be essential to the investigation. If digital photographs capture critical information, the examiner may take a digital hash of the photograph to establish later that it has not been tampered with by the examiner or by the examination process.

Diagramming the scene may also establish the location of the computer and its connections relative to other components or peripherals.

Cataloguing written materials, software, instruction manuals, books and booklets, and associated computer media at the scene will further aid the examiner in understanding the processing done on the computer and will help derive clues as to what to look for in content on the computer. Again, users must understand that many information pieces illustrate what the user has done with files and documents. Mere deletion or even elaborate expunging of data as outlined in Chapter 5 may not completely erase the digital trail left by the user’s actions or his or her involvement with sensitive information. Document security must be comprehensive and must address all elements of the information creation and storage process in order to be effective.

Low-level forensic examination of the computer would look for “low-lying fruit.” The examiner would check the Recycle Bin, the document list (“My Recent Documents”), common directories such as “Documents and Settings” and “Program Files,” Internet temporary files and cookies, Internet browser “Favorites,” and any stored e-mails for evidence of the suspected activity by the user or the owner of the computer. Any forensic examination of a computer should be based upon a theory of the case. In other words, the examiner should know what his or her client or agency is looking for on the machine. The suspected activity may be drug dealing, child pornography, organized crime activity or hidden financial records. If the purpose of the examination is to gather business intelligence, the intelligence analyst would have specific information targeted in the search such as proprietary research data, marketing plans, customer lists, and so on. If the evidence discovered is intended for use in the legal system, the examiner needs to be careful not to alter the content of files and directories or to cause “writes” to the computer’s data.

Beyond a basic, quick look for “low-lying fruit,” the examiner needs to search for text relevant to the theory of the case. Before examining data on the hard drive, however, the forensics expert needs to make a bit stream copy of the targeted disk. He or she copies the drive bit for bit, capturing not only files, but also the slack space and swap file area.

For example, “dd” is one bit-by-bit copying utility used by the computer forensics profession. During the copying procedure, the examiner employs a “no write” (a write blocker), usually a hardware device, to prevent any accidental writing to the disk being copied. After the copying is complete, the examiner takes a “hash” of the hard drive and the copy. A hash is a digital fingerprint of the data expressed as a number. The hash acts as a means of demonstrating that the copy’s content matches that of the original. It also serves as evidence that the copy’s contents have not been altered. (See Figure 7.2.)

The search for text relevant to the investigation occurs on the copy of the hard drive, not on the original. By following this standard procedure, the original will not be corrupted by the forensic examination. Text searching includes looking for keywords or word patterns, or employing regular expressions (regex) to pick up common patterns such as Social Security numbers, dates of birth, and drivers’ license numbers.

Again, the word patterns the examiner looks for are based upon the theory of the case. Word frequency analysis can provide an overview of what is on a disk in terms of subject areas and topics.
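Worked example, added here and not taken from the book: a Python script that plays the steps above against a constructed byte string standing in for a bit-stream image (hash verification of the copy, keyword and regex searches for Social Security numbers, dates and e-mail addresses across the whole image including slack, and a word-frequency overview). The sample data, pattern names and function names are all assumptions made for the example; a real image would come from dd and its hash from a tool such as sha256sum.

```python
import hashlib
import re
from collections import Counter

# Constructed stand-in for a bit-stream image: a few file fragments, NUL
# padding, and an "old deleted memo" sitting in slack space. Not a real image.
ORIGINAL_DISK = (
    b"Quarterly marketing plan draft. Customer list attached.\x00\x00"
    b"Contact: jane.doe@example.test  DOB 03/14/1971  SSN 123-45-6789\n"
    + b"\x00" * 16
    + b"old deleted memo: marketing plan v1 customer pricing\x00"
)


def image_digest(data: bytes) -> str:
    """Digital fingerprint of a byte stream (SHA-256 here); the same role as
    the hash the examiner records for the original drive and for the copy."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """A copy is only usable as evidence if its hash equals the original's."""
    return image_digest(original) == image_digest(copy)


# Regular expressions for the identifier patterns the text mentions.
PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(rb"\b\d{2}/\d{2}/\d{4}\b"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def regex_search(image: bytes):
    """(label, byte offset, text) for every pattern hit anywhere in the
    image, NUL-padded slack included, sorted by offset."""
    hits = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(image):
            hits.append((label, m.start(), m.group().decode("ascii", "replace")))
    return sorted(hits, key=lambda hit: hit[1])


def keyword_search(image: bytes, keywords):
    """Case-insensitive keyword hits, mapped to their byte offsets."""
    lowered = image.lower()
    return {
        kw: [m.start() for m in re.finditer(re.escape(kw.lower().encode()), lowered)]
        for kw in keywords
    }


def word_frequency(image: bytes, top: int = 5):
    """Most common alphabetic words of three or more letters: a rough map of
    the subject areas present on the disk."""
    words = re.findall(rb"[a-z]{3,}", image.lower())
    return Counter(w.decode() for w in words).most_common(top)


if __name__ == "__main__":
    copy = bytes(ORIGINAL_DISK)
    print("copy verified:", verify_copy(ORIGINAL_DISK, copy))
    for hit in regex_search(copy):
        print(hit)
    print(keyword_search(copy, ["marketing plan", "customer"]))
    print(word_frequency(copy, 3))
```

Every search runs on the copy, never on the original; the hash comparison is what lets the examiner show afterwards that the copy searched is the same data that was imaged.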

Figure 7.2: Copying

Password guarded files need not be an obstacle to the forensics examiner. The cracking of passwords is definitely part of the stock-in-trade of the computer forensics expert. With tools like L0phtCrack and John the Ripper, the examiner may attack passwords in one of three ways.

(Other password cracking tools include Legion, NTInfoScan, and KerbCrack. These password cracking tools are available on the Internet through a Web search using Google or a similar search engine.) First, a brute force attack simply tries combinations of letters and characters until it hits upon the correct password. Brute force attacks work due to the weakness of most passwords. Passwords are usually too short, less than eight characters. Many are regular words containing only letters. More robust passwords, however, are eight characters or longer and have a mix of letters (upper and lowercase), numbers, and other characters.

The question arises then, what do we make of a password like “DallasCowboys2007!”? At first look, it appears robust, for it is reasonably long, it has a mix of upper and lowercase letters, and it has numbers and a nonalphanumeric character in the password. Yet, the password is too recognizable and not random. The second method of attack, known as a dictionary attack, could exploit this password’s design and crack it fairly quickly. A dictionary attack comes in many flavors. On the Internet many different types of dictionaries are available for downloading. These dictionaries can be for a given natural language like English, French, Spanish, and so on, or they can be specialized covering areas of knowledge such as American football, Classical mythology, popular music, Star Trek®, and many other areas of lore. Combined with the ability to create combinations and variations from the base or specialized dictionary, the hybrid attack, which is the third method, is quite effective in producing password matches for the likes of “DallasCowboys2007!” Hybrid attacks reveal the principle that the more an investigator knows about the user, the more effective the attack on that user’s passwords can be. Knowing one’s hobbies, interests, relatives, associations, and basic identifiers such as date of birth will help discover passwords by knowing which dictionaries to use in the attack. People have an “infosphere” about them of information relations that they are comfortable with. This infosphere, when properly exploited, provides the key to sensitive documents.
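An added illustration, not from the book, of why “DallasCowboys2007!” falls to a hybrid attack while looking strong on paper: a small Python password checker that strips a trailing appendix, undoes common leet substitutions and tries to segment what remains into words from constructed mini-dictionaries (a general one and a “specialized” American football one), contrasted with the keyspace a pure brute-force attack would face. The wordlists, the rule set and all function names are assumptions for the example; a password-policy check of this kind rejects guessable choices before they are ever set.

```python
import re
import string
from functools import lru_cache

# Constructed mini wordlists standing in for downloadable dictionaries.
WORDLISTS = {
    "english": frozenset({"dallas", "cowboys", "password", "summer", "welcome", "star"}),
    "american_football": frozenset({"cowboys", "packers", "touchdown", "quarterback"}),
}

# Common "leet" substitutions a hybrid rule undoes before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Trailing appendix a hybrid rule tries: years, digits, punctuation (up to 6 chars).
APPENDIX = re.compile(r"[0-9" + re.escape(string.punctuation) + r"]{0,6}$")


@lru_cache(maxsize=None)
def segment(text: str, vocab: frozenset):
    """Split text into a sequence of dictionary words, or return None."""
    if text == "":
        return ()
    for i in range(1, len(text) + 1):
        head = text[:i]
        if head in vocab:
            rest = segment(text[i:], vocab)
            if rest is not None:
                return (head,) + rest
    return None


def hybrid_derivable(password: str, wordlists=WORDLISTS):
    """Explain the password as dictionary words plus an appendix, with leet
    undone. Returns [(word, [wordlists containing it]), ...] or None when the
    password is not reachable by these (deliberately few) rules."""
    base = APPENDIX.sub("", password).translate(LEET).lower()
    vocab = frozenset().union(*wordlists.values())
    words = segment(base, vocab)
    if not words:
        return None
    return [(w, [name for name, wl in wordlists.items() if w in wl]) for w in words]


def brute_force_keyspace(password: str) -> int:
    """Search space a pure brute-force attack faces when it knows only the
    length and the character classes in use."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(c in string.punctuation for c in password):
        classes += len(string.punctuation)
    return classes ** len(password)


if __name__ == "__main__":
    for pw in ("DallasCowboys2007!", "D4ll4sC0wb0ys2007!", "xq7Lm!pz9Wt"):
        print(pw, "keyspace ~", brute_force_keyspace(pw), "hybrid:", hybrid_derivable(pw))
```

The keyspace for “DallasCowboys2007!” is 94^18, far beyond brute force, yet two dictionary words plus a year-and-symbol appendix make it a handful of guesses for a hybrid rule; the checker returns the decomposition so a policy can tell the user why the choice was rejected.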

Searching for images is another stock-in-trade activity for the computer forensics examiner. The tools include a thumbnail viewer to visualize images quickly in a picture sorter format, a forensic suite like EnCase to view images, and an extension searching tool to discover images renamed to other formats like text to hide their true content. Current technology permits the location of images fairly quickly on a hard drive; however, eyeballing them all still falls to the examiner. In addition to images, the examiner will look for steganography tools on the computer, as this information will aid in detecting host files. Recent developments in technology also permit examining the frequency distribution of colors in suspected images as a detection tool for steganography.

The examiner will also look for deleted files and will restore them with an undelete program. The examination will proceed with locating hidden information on the computer with the previously discussed file extension searching program, a tree searching program to examine directories, a slack space detection program, and by setting the computer’s control panel so that files with a hidden attribute become visible.

If the computer has stored e-mails, the examiner will search the headers for those e-mails to gather IP addresses and e-mail addresses. That information is useful for cross-referencing against data found in Internet temporary files, cookies, browser favorites, and other URLs found on the machine, and of course, the content of the e-mails themselves may offer key information to the investigation.
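Added example (not from the book) of the header harvesting described above: Python code that walks the Received chain of a constructed message to collect hop IP addresses, gathers e-mail addresses from the address headers, and cross-references their domains against a constructed list of browser URLs. The message, the URL list, the header set and the two-label apex() simplification are assumptions for the example; the hosts use reserved documentation names and ranges.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from ipaddress import ip_address

# Constructed message; headers folded the way a real MTA writes them.
SAMPLE_EMAIL = (
    "Received: from mail.example.test (mail.example.test [198.51.100.7])\n"
    "    by mx.example.org with ESMTP id abc123\n"
    "    for <jane@example.org>; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from [192.0.2.45] (unknown [192.0.2.45])\n"
    "    by mail.example.test with ESMTPA\n"
    'From: "John Doe" <john.doe@example.test>\n'
    "Reply-To: other.person@mail.example.net\n"
    "To: jane@example.org\n"
    "Subject: marketing plan\n"
    "Message-ID: <12345@example.test>\n"
    "\n"
    "Here is the plan.\n"
)

# Constructed artefacts recovered elsewhere on the machine (history, cookies).
BROWSER_ARTIFACTS = [
    "http://www.example.test/login",
    "https://shop.example.net/cart?id=9",
    "http://news.example.com/",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ADDRESS_HEADERS = ("From", "Reply-To", "Return-Path", "Sender", "To", "Cc")


def received_ips(msg):
    """IPv4 addresses from the Received chain, ordered origin first (the
    topmost Received header is the hop closest to the recipient)."""
    hops = []
    for header in msg.get_all("Received", []):
        seen = []
        for cand in IPV4.findall(header):
            try:
                ip = str(ip_address(cand))
            except ValueError:      # e.g. 999.1.1.1 matches the regex shape
                continue
            if ip not in seen:
                seen.append(ip)
        hops.append(seen)
    return [ip for hop in reversed(hops) for ip in hop]


def email_addresses(msg):
    """All addresses in the usual address headers, lower-cased."""
    found = set()
    for header in ADDRESS_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.add(addr.lower())
    return found


def apex(host):
    """Simplification for the example: keep the last two labels only
    (a real tool would consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def cross_reference(msg, urls):
    """Domains that appear both in e-mail addresses and in browser URLs."""
    mail_domains = {apex(addr.split("@")[1]) for addr in email_addresses(msg)}
    url_hosts = set()
    for url in urls:
        m = re.match(r"https?://([\w.-]+)", url)
        if m:
            url_hosts.add(apex(m.group(1)))
    return mail_domains & url_hosts


def analyze(raw, urls=BROWSER_ARTIFACTS):
    """Everything the examiner pulls from one message, as one record."""
    msg = message_from_string(raw)
    return {
        "ips": received_ips(msg),
        "addresses": email_addresses(msg),
        "shared_domains": cross_reference(msg, urls),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Only the Received header added by the examiner's own mail server is trustworthy; earlier hops are written by other servers and can be forged, so the origin address recovered here is a lead to corroborate against the other artefacts, not a fact on its own.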
