UNIT IV

Contents
• Cyber stalking
• Computer Basics for Digital Investigators
• Applying Forensic Science to Computers

1. Cyber stalking
• Stalking behavior is a fixation on victims.
• This makes this type of investigation challenging and potentially dangerous.
• When stalkers have been identified, attempts to discourage them can have the opposite effect.
• The relevant law in the United Kingdom is the Protection from Harassment Act 1997.
• A single upsetting e-mail message is not considered harassment, because anti-stalking laws were enacted to protect individuals against persistent terrorism.
• It is important to gather as much evidence as possible to demonstrate that persistent harassment took place and that the victim reacted to the credible threat in a reasonable manner.

1.1 How Cyber stalkers Operate
• Cyberstalking works in much the same way as stalking in the physical world.
• Offenders combine their online activities with more traditional forms of stalking, such as telephoning the victim and going to the victim's home.
• A stalker's ability to frighten and control a victim increases with the amount of information that he/she can gather about the victim.
• Databases containing Social Security numbers, credit card numbers, medical history, criminal records, and much more can also be accessed using the Internet.

1.1.1 Acquiring Victims
• Case studies indicate that many stalkers had prior acquaintance with their victims before the stalking behavior began.
• Investigators should therefore pay particular attention to acquaintances of the victim.
• However, these studies are limited because many stalking cases are unsolved or unreported.
• As a rule, investigators should rely more on the available evidence than on general studies.

1.1.2 Anonymity and Surreptitious (hidden) Monitoring
• The Internet has the added advantage, for the stalker, of protecting a stalker's identity and allowing a stalker to monitor a victim's activities.
• For example, stalkers acquainted with their victims use the Internet to hide their identity, sending forged e-mail and using Instant Messenger to harass their victims.

1.1.3 Escalation (increasing) and Violence
• Investigators should examine the available evidence closely, protect the victim against further harm, and be cautious when dealing with this type of case.

1.2 Investigating Cyber Stalking
• At every stage of a cyberstalking investigation, assume that the identity of the cyberstalker is unknown.
• Therefore, consider the possibility that the victim knows the stalker in the physical world, but do not assume that this holds on the Internet.
• There are several stages to investigating a cyberstalking case.

The stages of investigating cyber stalking are:
• Interview victim
• Interview others
• Victimology and risk assessment
• Search for additional digital evidence
• Crime scene characteristics
• Motivation
• Repeat

2. Computer Basics for Digital Investigators
• A brief history of computers
• Basic operation of computers
• Representation of data
• Storage media and data hiding
• File systems and location of data
• Dealing with password protection and encryption

2.1 A Brief history of Computers
• Babbage conceived of a steam-powered "difference engine" that could perform arithmetic operations.
• Later in the 1800s, Augusta Ada suggested a binary system rather than decimal, and George Boole developed Boolean logic.
• A German engineer named Konrad Zuse apparently created an electronic binary computer called the Z3 that used old movie film to store his programs and data.

2.2 Basic Operation Of Computers
• The boot process has three basic stages:
1. the central processing unit (CPU) reset,
2. the power-on self-test (POST),
3. the disk boot.

Central Processing Unit
• The CPU processes the instructions that it receives.
• Once the CPU is reset, it starts the computer's basic input and output system (BIOS).

Basic Input and Output System
• The BIOS deals with the basic movement of data around the computer. Every program run on a computer uses the BIOS to communicate with the CPU.

POST and CMOS (complementary metal oxide silicon) Configuration Tool
• POST verifies that all of the computer's components are functioning properly, including the disk drives, monitor, RAM, and keyboard.
• Computers use CMOS RAM chips to retain the date, time, hard drive parameters, and other configuration details while the computer's main power is off.

Disk Boot
• Allows a computer's primary operating system to be preempted by providing an alternate operating system on another disk.

2.3 Representation of Data
• All digital data are basically combinations of ones and zeros, commonly called bits.
• Big-endian architectures place the most significant bytes on the left (putting the big end first), whereas little-endian architectures place the most significant bytes on the right.
• It is often necessary for digital investigators to deal with data at the bit level, which requires an understanding of how different systems represent data.

File Formats and Carving
• The common headers in a JPEG image, Word document, and other file types are often referred to as file signatures and can be used to locate and salvage portions of deleted files.
• The process of searching for a certain file signature and attempting to extract the associated data is called "carving" because it conceptually involves cutting a specific piece of data out of a larger dataset.

2.4 Storage media and Data hiding
• Storage media include hard drives, USB drives, and magnetic tapes (organized in clusters, sectors, heads, and tracks).
• There are several common hard drive technologies.
• Advanced Technology Attachment (ATA) drives are simpler, less expensive, and therefore more common than higher performance SCSI drives.
• This holds true for newer versions of these technologies: SATA drives are more common than higher performance Serial Attached SCSI drives.

Data hiding
• An individual could store data in a hidden area of the hard drive without other users of the system being aware that such a hidden partition exists.
• Forensic examination tools expose such hidden partitions, demonstrating the importance of using tools that are specifically designed to conduct forensic examinations; relying on other methods to view storage media can result in digital investigators missing important information.

2.5 File systems and location of Data
• File systems such as FAT16, FAT32, NTFS, HFS (Macintosh Hierarchical File System), HFS+, Ext2 (Linux), and UFS (Solaris) keep track of where data are located on a disk, providing the familiar file and folder structure.
• Before a file system can be created, a partition must be created to specify how much of the hard drive it will occupy.
• The first sector of a hard disk contains the Master Boot Record (MBR), which contains a partition table that tells the operating system how the disk is divided.

[Fig. 4.1 General structure of a disk with two partitions]

• When a file is deleted, its entry in the file system is updated to indicate its deleted status, and the clusters that were previously allocated to storing it are unallocated and can be reused to store a new file.
• However, the data are left on the disk, and it is often possible to retrieve a file immediately after it has been deleted. The data will remain on the disk until a new file overwrites them.
• If the new file does not take up the entire cluster, a portion of the old file might remain in the slack space. In this case, a portion of a file can be retrieved long after it has been deleted and partially overwritten.
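The two ideas from 2.3 and 2.5 above, byte order and signature-based carving, and the MBR partition table, worked through on a constructed disk image. This is an added example, not code from the lecture notes; the image layout, partition values and JPEG contents are all constructed for illustration.

```python
import struct

SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG file signature: start-of-image marker
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker


def read_u32(raw, big_endian=False):
    """The same four bytes mean different numbers depending on byte order;
    on-disk partition tables are little-endian (least significant byte first)."""
    return int.from_bytes(raw[:4], "big" if big_endian else "little")


def parse_mbr(sector0):
    """Return the used entries of the partition table in the first sector.
    Each 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
    LBA start (u32), sector count (u32); '<' selects little-endian."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:   # partition type 0 marks an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def carve_jpegs(image, max_size=1 << 20):
    """Signature-based carving: at every JPEG header, cut out the bytes up to
    the next end-of-image marker. Returns (offset, data) pairs. A header with
    no footer within max_size is skipped rather than carving the whole disk."""
    found, pos = [], 0
    while (start := image.find(JPEG_HEADER, pos)) >= 0:
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0 or end - start > max_size:
            pos = start + 1
            continue
        found.append((start, image[start:end + len(JPEG_FOOTER)]))
        pos = end + len(JPEG_FOOTER)
    return found


def build_sample_image():
    """Constructed disk image: an MBR describing two partitions, one JPEG
    inside the second partition and one in sectors no partition covers."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 4096)   # bootable, NTFS
    table += struct.pack("<B3xB3xII", 0x00, 0x83, 6144, 2048)  # Linux
    table += bytes(32)                                         # two unused slots
    jpeg1 = JPEG_HEADER + b"\xe0" + b"A" * 40 + JPEG_FOOTER
    jpeg2 = JPEG_HEADER + b"\xe1" + b"B" * 60 + JPEG_FOOTER
    image = bytearray(SECTOR * 8200)
    image[0:SECTOR] = bytes(446) + table + b"\x55\xaa"
    off1, off2 = 6144 * SECTOR + 100, 8192 * SECTOR + 7
    image[off1:off1 + len(jpeg1)] = jpeg1
    image[off2:off2 + len(jpeg2)] = jpeg2
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img[:SECTOR]):
        print("partition", p)
    for off, data in carve_jpegs(img):
        print(f"carved JPEG of {len(data)} bytes at offset {off}")
```

The second JPEG sits beyond the last partition, which is why carving runs over the raw image rather than only over mounted file systems.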
2.6 Dealing with password protection and Encryption

Basics of Encryption:
• Conceptually, encryption locks data with a key, and only people with the appropriate key can unlock the data.
• Encryption can sometimes be bypassed or broken using specialized knowledge and equipment, but in many cases it is not feasible to expend the required resources to break encryption.
• Encryption is a process by which a readable digital object (plaintext) is converted into an unreadable digital object (ciphertext) using a mathematical function.
• Strong encryption schemes use the equivalent of a password, called a key.

Private Key Encryption, Public Key Encryption, Pretty Good Privacy, E-mail Encryption
• Private key encryption (i.e. symmetric key encryption) means that the same key that is used to encrypt a message is also used to decrypt it. Commonly used symmetric key encryption algorithms are DES, IDEA, and Blowfish.
• A public key is one that anyone can use to encrypt a message, while only the intended recipient who possesses the corresponding private key can decrypt the message. Two commonly used public key algorithms are RSA and DSA.
• A program that uses both private and public key cryptography is Pretty Good Privacy (PGP).
• PGP sends both the encrypted text and the encrypted, randomly generated private (symmetric) key to the recipient. Thus, when the recipient receives the encrypted message, he/she uses his/her personal private key to decrypt the randomly generated private key, and then uses the randomly generated private key to decrypt the message.
• Encryption programs like PGP enable individuals to encrypt and sign messages, protecting the contents in transit and providing some assurance that the message is from a specific individual and has not been altered since it was created by the sender.

3. Applying Forensic Science to Computers
• Forensic science is useful, offering carefully tested methods for processing and analyzing evidence and reaching conclusions that are reproducible and free from distortion or bias.
• Concepts from forensic science can also help digital investigators take advantage of digital evidence in ways that would otherwise not be possible.
• The sections or stages are:
1. Preparation
2. Survey
3. Documentation
4. Preservation
5. Examination and analysis
6. Reconstruction
7. Reporting results

3.1 Planning
• Planning is especially important in cases that involve computers. Whenever possible, while generating a search warrant, seek the assistance of system administrators, who might be able to point out oversights or potential pitfalls if they are familiar with the system. This is especially valuable when dealing with large volumes of data in various locations.
• A final preparatory consideration is proper equipment. Most plans and procedures will fail if adequate acquisition systems and storage capacity are not provided.
• Some of the fundamental items that can be useful when dealing with computers as a source of evidence include the following:
1. Evidence bags, tags, and other items to label and package evidence
2. Digital camera to document the scene and evidential items
3. Forensically sanitized hard drives to store acquired data
4. Forensically prepared computer(s) to connect with and copy data from evidential hard drives onto forensically sanitized hard drives
5. Hardware write blockers for commonly encountered hard drives (e.g., IDE and SATA)
6. Toolkit, including a flashlight, needle-nose pliers, and screwdrivers for various types and sizes of screws

3.2 Survey
• Surveying the crime scene is the process of finding all potential sources of digital evidence and making decisions about what digital evidence to preserve.
• Surveying a crime scene for potential sources of digital evidence is a twofold process.
First, digital investigators have to recognize the hardware. Second, digital investigators must be able to distinguish between irrelevant information and the digital data.
• Applying the scientific method during the survey process involves developing and testing theories about which items contain relevant digital evidence, why expected items are missing, and where missing items might be found.

3.2.1 Survey of Hardware

3.2.2 Survey of Digital Evidence
• Different crimes result in different types of digital evidence.
• For example, cyberstalkers often use e-mail to harass their victims, and computer crackers leave evidence in log files.
• Therefore, the ability to identify evidence depends on a digital investigator's familiarity with the type of crime that was committed.

3.3 Documentation
• Documentation is essential at all stages of handling and processing digital evidence, and includes the following:
1. Chain of custody: who handled the evidence, when, where, and for what purpose;
2. Evidence intake: characteristics of each evidential item such as make, model, and serial number;
3. Photos, videos, and diagrams: capturing the context of the original evidence;
4. Evidence inventory: a list or database of all evidential items.
• The primary goal of documentation is to establish the authenticity of the evidence.
• So, careful note should be made of when the evidence was collected, from where, and by whom.
• For example, if digital evidence is copied onto removable storage media, the label should include the current date and time, the initials of the person who made the copy, how the copy was made, and the information believed to be contained on the storage media.
3.3.1 Case Management
• Case management also involves maintaining the physical security of evidential items and storing multiple copies of digital evidence.

3.4 Preservation
• Once identified, digital evidence must be preserved in such a way that it can later be authenticated.
• A major aspect of preserving digital evidence is preserving it in a way that minimizes the changes made.

3.4.1 Preserving Hardware
• When dealing with hardware as contraband, instrumentality, or evidence, it is usually necessary to collect the computer equipment.
• Additionally, sometimes it simply is not feasible to collect hardware because of its size or quantity.

3.4.2 Preserving Digital Evidence
• There are several approaches to preserving digital evidence on a computer:
1. Place the evidential computers and storage media in secure storage for future reference;
2. Extract just the information needed from evidential computers and storage media;
3. Acquire everything from evidential computers and storage media.
• Whether acquiring all data or just a subset, there are two empirical laws of digital evidence collection that should always be remembered:
Empirical Law of Digital Evidence Collection and Preservation #1: If you only make one copy of digital evidence, that evidence will be damaged or completely lost.
Empirical Law of Digital Evidence Collection and Preservation #2: A forensic acquisition should contain at least the data that is accessible to a regular user of the computer.
• In addition, it is important to verify that the tools used to copy digital evidence capture all of the desired information, including metadata such as date-time stamps that are associated with acquired files.
• To document the integrity of acquired data, some logical evidence container formats maintain the MD5 hash of each acquired item, while others simply calculate the MD5 value of the overall container.
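The per-item and whole-container hashing just described, together with the two empirical laws, as an added example that is not part of the lecture notes and is not any real container format: a manifest records each item's MD5 (with SHA-256 alongside, since MD5 collisions are practical today) and its date-time metadata, and a second copy is checked against it. File names, contents and timestamps are constructed.

```python
import hashlib
import json


def item_record(name, data, mtime):
    """One acquired item: content hashes plus the date-time metadata that a
    copy tool must not lose (the point of the metadata check above)."""
    return {"name": name, "size": len(data), "mtime": mtime,
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_manifest(items):
    """items: iterable of (name, bytes, mtime) read from the original source.
    The container value is a hash over the canonical JSON of all item records,
    so changing any item's content or timestamp changes it as well."""
    records = [item_record(n, d, t) for n, d, t in items]
    canon = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return {"items": records,
            "container_md5": hashlib.md5(canon.encode()).hexdigest()}


def verify_copy(manifest, copy_items):
    """Re-hash a second copy against the manifest. Returns a sorted list of
    (name, problem); an empty list means the copy matches in content,
    metadata and completeness."""
    expected = {r["name"]: r for r in manifest["items"]}
    problems, seen = [], set()
    for name, data, mtime in copy_items:
        seen.add(name)
        rec = expected.get(name)
        if rec is None:
            problems.append((name, "not in manifest"))
            continue
        if hashlib.md5(data).hexdigest() != rec["md5"]:
            problems.append((name, "content hash mismatch"))
        if mtime != rec["mtime"]:
            problems.append((name, "mtime not preserved"))
    problems += [(name, "missing from copy") for name in expected.keys() - seen]
    return sorted(problems)


# Constructed sample acquisition: (path, content, last-modified time).
SOURCE = [
    ("Documents/budget.xlsx", b"quarterly figures\n", "2024-03-01T09:15:00Z"),
    ("Mail/inbox.mbox", b"From sender@example.com ...\n", "2024-03-02T18:40:00Z"),
]


def demo():
    """Acquire twice (Law #1): a faithful copy passes; a copy made with a tool
    that reset one timestamp and altered one file does not."""
    manifest = build_manifest(SOURCE)
    good = verify_copy(manifest, SOURCE)
    bad_copy = [("Documents/budget.xlsx", b"quarterly figures\n", "2024-03-05T00:00:00Z"),
                ("Mail/inbox.mbox", b"From sender@example.com ... (edited)\n",
                 "2024-03-02T18:40:00Z")]
    return manifest, good, verify_copy(manifest, bad_copy)


if __name__ == "__main__":
    m, ok, bad = demo()
    print("container MD5:", m["container_md5"])
    print("first copy problems:", ok)
    print("second copy problems:", bad)
```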
5) Examination and Analysis
• Forensic examination involves preparing digital evidence to facilitate the analysis stage.
• There are three levels of forensic examination:
(1) Survey/triage forensic inspections
(2) Preliminary forensic examination
(3) In-depth forensic examination
• The nature and extent of a digital evidence examination depend on the known circumstances of the crime and the constraints placed on the digital investigator.
• In any case, the forensic examination and subsequent analysis should preserve the integrity of the digital evidence and should be repeatable and free from distortion or bias.

5.1 Filtering/Reduction
• The process of filtering out irrelevant, confidential, or privileged data includes the following:
1. Eliminating valid system files and other known entities that have no relevance to the investigation.
2. Focusing on the most probable user-created data.
3. Focusing on files within a restricted time frame.
4. Managing duplicate files, which is particularly useful when dealing with backup tapes.
5. Identifying discrepancies between digital evidence examination tools, such as missed files and MD5 calculation errors.
6. Less methodical data reduction techniques, such as searching for specific keywords or extracting only certain file types, can be effective in certain cases.
7. Any method of filtering data has limitations, with the associated risk of missing important clues, but careful data reduction generally enables a more efficient and thorough digital evidence examination.

5.2 Class/Individual Characteristics and Evaluation of Source
• Three fundamental questions that need to be addressed when examining a piece of digital evidence are (ICE):
I. What is it? (Identification)
II. What characteristics distinguish it? (Classification or Individualization)
III. Where did it come from? (Evaluation of source)
• The process of identification generally involves ascertaining what a particular digital object is and classifying it based on similar characteristics, called class characteristics.
• The concept of a significant difference is important because it can be just such a difference that distinguishes an object from all other similar objects; that is, it may be an individual characteristic.
• Although such characteristics are rarer than class characteristics, it is important to keep in mind that digital evidence may contain a unique characteristic that individualizes it, that is, links it to a particular source with a high degree of probability.

5.3 Data Recovery/Salvage
• In general, when a file is deleted, the data it contained actually remain on the disk for a time and can be recovered.
• The details of recovering and reconstructing digital evidence depend on the kind of data, its condition, the operating system being run, the type of hardware and software, and their configurations.
• When a deleted file is partially overwritten, part of it may be found in slack space and/or in unallocated space. It may be possible to extract and reconstitute such fragments to view them in their near-original state.
• Stored data must be retrieved in such a way as to ensure that their source can be proved in court, and handled in such a way as to maintain the "chain of evidence."

6) Reconstruction
The three fundamental types of reconstruction:
• Functional Analysis
• Relational Analysis
• Temporal Analysis

6.1) Functional Analysis
Understanding how a computer system functioned serves several purposes:
1. To determine if the individual or computer was capable of performing the actions necessary to commit the crime.
2. To gain a better understanding of a piece of digital evidence or the crime as a whole.
3. To prove that digital evidence was tampered with.
4. To gain insight into an offender's intent and motives. For instance, was a purposeful action required to cause damage to the system, or could it have been accidental?
5. To determine the proper working of the system during the relevant time period. This relates to authenticating digital evidence and determining how much weight to give it.

6.2) Relational Analysis
• In an effort to identify relationships between suspects, victim, and crime scene, it can be useful to create nodes that represent places they have been, e-mail and IP addresses used, financial transactions, telephone numbers called, etc., and to determine if there are noteworthy connections between these nodes.
• For instance, in a large-scale fraud investigation, representing fund transfers by drawing lines between individuals and organizations can reveal the most active entities in the fraud.
• Similarly, depicting e-mail messages sent and received by a suspect can help investigators spot likely associates by the large numbers of messages exchanged.

6.3) Temporal Analysis
• When investigating a crime, it is usually desirable to know the time and sequence of events.
• Fortunately, in addition to storing, retrieving, manipulating, and transmitting data, computers keep ample account of time.
• The simple act of creating a timeline of when files were created, accessed, and modified can result in a surprising amount of information.
• Creating a timeline of events can help an investigator identify patterns and gaps, shedding light on a crime and leading to other sources of evidence.
• Digital investigators should seek new ways to represent temporal information visually to help them recognize patterns. Plotting times on concentric circles or a spiral may cause certain patterns to stand out.
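The reduction steps of 5.1 (known-file elimination, a restricted time frame, duplicate handling) feeding the created/accessed/modified timeline of 6.3, as an added example that is not from the lecture notes. The file listing, the hash values and the "known good" hash set are constructed stand-ins for what an examination tool and a reference hash set would supply.

```python
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed listing as an examination tool might report it:
# (path, MD5 as reported, created, modified, accessed), all times UTC.
FILES = [
    ("C:/Windows/System32/kernel32.dll", "k32", "2023-11-01 10:00:00", "2023-11-01 10:00:00", "2024-03-01 08:00:00"),
    ("C:/Users/alex/Documents/report.docx", "h1", "2024-03-01 09:00:00", "2024-03-01 09:30:00", "2024-03-01 09:31:00"),
    ("E:/backup/report_copy.docx", "h1", "2024-03-01 09:45:00", "2024-03-01 09:45:00", "2024-03-01 09:45:00"),
    ("C:/Users/alex/Pictures/holiday.jpg", "h2", "2022-07-10 12:00:00", "2022-07-10 12:00:00", "2022-07-11 08:00:00"),
    ("C:/Users/alex/Desktop/notes.txt", "h3", "2024-03-01 14:00:00", "2024-03-01 14:05:00", "2024-03-01 14:06:00"),
]
# Hashes of valid system files with no relevance (constructed stand-in for a
# reference hash set). Note kernel32.dll was accessed inside the time frame;
# only the known-hash filter removes it.
KNOWN_GOOD = {"k32"}


def reduce_files(files, known_hashes, start, end):
    """Filtering/reduction: drop known files, keep only files with at least
    one timestamp inside [start, end], and collapse duplicates by hash.
    Returns (kept records, {hash: [duplicate paths]})."""
    kept, dups, first = [], {}, {}
    for rec in files:
        path, h, c, m, a = rec
        if h in known_hashes:
            continue
        if not any(start <= parse_ts(t) <= end for t in (c, m, a)):
            continue
        if h in first:
            dups.setdefault(h, []).append(path)
            continue
        first[h] = path
        kept.append(rec)
    return kept, dups


def build_timeline(records):
    """Temporal analysis: one event per created/modified/accessed stamp,
    sorted into sequence."""
    events = []
    for path, _, c, m, a in records:
        for kind, ts in (("created", c), ("modified", m), ("accessed", a)):
            events.append((parse_ts(ts), kind, path))
    return sorted(events)


def find_gaps(events, threshold):
    """Stretches with no recorded activity of at least `threshold`: the gaps
    the notes mention, where further sources of evidence may be needed."""
    return [(t0, t1) for (t0, _, _), (t1, _, _) in zip(events, events[1:])
            if t1 - t0 >= threshold]


def analyse(files=FILES, known=KNOWN_GOOD,
            start=parse_ts("2024-03-01 00:00:00"), end=parse_ts("2024-03-02 00:00:00")):
    kept, dups = reduce_files(files, known, start, end)
    events = build_timeline(kept)
    return kept, dups, events, find_gaps(events, timedelta(hours=2))


if __name__ == "__main__":
    kept, dups, events, gaps = analyse()
    print("duplicates:", dups)
    for t, kind, path in events:
        print(t, kind, path)
    print("gaps:", gaps)
```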
6.4 Digital Stratigraphy
• When time markers are destroyed, more imaginative approaches are required to get a sense of when data were created.
• Concepts from other fields can be translated into the digital realm to develop new analysis techniques such as digital stratigraphy.
• Stratigraphy is the scientific study of layers (a.k.a. strata) in geology and archaeology, with the aim of determining the origin, composition, distribution, and time frame of each stratum.
• Applying this concept to data stored on a disk can be fruitful in some investigations.

7) Reporting
• The last stage of a digital evidence examination is to integrate all findings and conclusions into a final report that conveys the findings to others and that the examiner may have to present in court.
• Writing a report is one of the most important stages of the process because it is the only view that others have of the entire process.
• Unless findings are communicated clearly in writing, others are unlikely to appreciate their significance.
• A well-rendered report that clearly outlines the examiner's findings can convince the opposition to settle out of court, while a weakly rendered report can fuel the opposition to proceed to trial.
• Assumptions and lack of foundation in evidence result in a weak report.
• Therefore, it is important to build solid arguments by providing all supporting evidence and demonstrating that the explanation provided is the most reasonable one.

Thank You