UNIT IV
Contents
• Cyber stalking,
• Computer Basics for Digital Investigators,
• Applying Forensic Science to Computers
1. Cyber stalking
• Stalking behavior is a fixation on victims.
• This makes this type of investigation challenging and potentially dangerous.
• When stalkers have been identified, attempts to discourage them can have the opposite effect.
• The relevant law in the United Kingdom is the Protection from Harassment Act 1997.
• A single upsetting e-mail message is not considered harassment, because anti-stalking laws were enacted to protect individuals against persistent terrorism.
• It is therefore important to gather as much evidence as possible to demonstrate that persistent harassment took place and that the victim reacted to the credible threat in a reasonable manner.
1.1 How Cyber Stalkers Operate
• Cyberstalking works in much the same way as stalking in the physical world.
• Offenders combine their online activities with more traditional forms of stalking, such as telephoning the victim and going to the victim’s home.
• A stalker’s ability to frighten and control a victim increases with the amount of information that he/she can gather about the victim.
• Databases containing Social Security numbers, credit card numbers, medical history, criminal records, and much more can also be accessed using the Internet.
1.1.1 Acquiring Victims
• Case studies indicate that many stalkers had prior acquaintance with their victims before the stalking behavior began.
• Investigators should therefore pay particular attention to acquaintances of the victim. However, these studies are limited because many stalking cases are unsolved or unreported.
• As a rule, investigators should rely more on the available evidence than on general studies.
1.1.2 Anonymity and Surreptitious (Hidden) Monitoring
• The Internet has the added advantage, from the stalker’s point of view, of protecting the stalker’s identity and allowing the stalker to monitor a victim’s activities.
• For example, stalkers acquainted with their victims use the Internet to hide their identity, sending forged e-mail and using Instant Messenger to harass their victims.
1.1.3 Escalation (Increasing) and Violence
• Investigators should examine the available evidence closely and protect the victim against further harm.
• Investigators should be cautious when dealing with such cases, and investigators should
1.2 Investigating Cyber Stalking
• At every stage of a cyberstalking investigation, assume that the identity of the cyberstalker is unknown.
• Consider the possibility that the victim knows the stalker in the physical world, but do not assume that this is also the case on the Internet.
• There are several stages to investigating a cyberstalking case.
The stages of investigating cyber stalking are:
• Interview victim
• Interview others
• Victimology and risk assessment
• Search for additional digital evidence
• Crime scene characteristics
• Motivation
• Repeat
2. Computer Basics for Digital Investigators
• A Brief history of Computers
• Basic operation of Computers
• Representation of Data
• Storage media and Data hiding
• File systems and location of Data
• Dealing with password protection and Encryption
2.1 A Brief history of Computers
• Babbage conceived of a steam-powered “difference engine” that could perform arithmetic operations.
• Later in the 1800s, Augusta Ada suggested a binary system rather than decimal, and George Boole developed Boolean logic.
• A German engineer named Konrad Zuse apparently created an electronic binary computer called the Z3 that used old movie film to store his programs and data.
2.2 Basic Operation Of Computers
• The boot process has three basic stages:
1. the central processing unit (CPU) reset,
2. the power-on self-test (POST),
3. the disk boot.
Central Processing Unit
• The CPU reset checks the CPU’s ability to process the instructions that it receives. Once the CPU is reset, it starts the computer’s basic input and output system (BIOS).
Basic Input and Output System
• The BIOS deals with the basic movement of data around the computer. Every program run on a computer uses the BIOS to communicate with the CPU.
POST and CMOS (Complementary Metal Oxide Silicon) Configuration Tool
• POST verifies that all of the computer’s components are functioning properly, including the disk drives, monitor, RAM, and keyboard.
• Computers use CMOS RAM chips to retain the date, time, hard drive parameters, and other configuration details while the computer’s main power is off.
Disk Boot
• The disk boot allows one to preempt a computer’s primary operating system by providing an alternate operating system on another disk.
2.3 Representation of Data
• All digital data are basically combinations of ones and zeros, commonly called bits.
• Byte order differs between architectures: big-endian architectures place the most significant bytes on the left (putting the big end first), whereas little-endian architectures place the most significant bytes on the right.
• It is often necessary for digital investigators to deal with data at the bit level, requiring an understanding of how different systems represent data.
File Formats and Carving
• The common headers in a JPEG image, Word document, and other
file types are often referred to as file signatures and can be used to
locate and salvage portions of deleted files.
• The process of searching for a certain file signature and attempting
to extract the associated data is called “carving” because it
conceptually involves cutting a specific piece of data out of a larger
dataset.
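As an added example (not from the original slides), the following Python carves JPEG and PDF files out of a constructed byte buffer that stands in for a disk image, scanning for each format’s header signature and footer. A header with no footer is still carved but flagged as truncated, which is what a partially overwritten deleted file looks like; the signature bytes are the standard ones, while the sample image and its payloads are constructed.

```python
import hashlib

# Header (and, where the format defines one, footer) signatures used for carving.
SIGNATURES = {
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "pdf":  {"header": b"%PDF-",        "footer": b"%%EOF"},
}


def carve(image: bytes, kind: str, max_size: int = 10 * 1024 * 1024):
    """Scan `image` for every occurrence of the `kind` signature.

    Returns one dict per hit with the offset, carved size, an MD5 of the carved
    bytes (so each recovered object can be documented) and a `truncated` flag.
    A header with no footer within `max_size` bytes is carved up to `max_size`
    (or the end of the image) and flagged, since its tail may be overwritten.
    """
    header, footer = SIGNATURES[kind]["header"], SIGNATURES[kind]["footer"]
    hits = []
    pos = 0
    while (start := image.find(header, pos)) != -1:
        limit = min(len(image), start + max_size)
        end = image.find(footer, start + len(header), limit)
        if end == -1:
            data, truncated = image[start:limit], True
            pos = start + len(header)          # keep scanning past this header
        else:
            data, truncated = image[start:end + len(footer)], False
            pos = end + len(footer)            # skip any thumbnail embedded inside
        hits.append({
            "offset": start,
            "size": len(data),
            "truncated": truncated,
            "md5": hashlib.md5(data).hexdigest(),
            "data": data,
        })
    return hits


def build_sample_image() -> bytes:
    """Constructed 'disk image': filler, a complete JPEG, unrelated text,
    then a JPEG whose end-of-image marker has been overwritten."""
    filler = b"\x00" * 64
    jpeg_complete = b"\xff\xd8\xff\xe0" + b"JFIF-payload-one" + b"\xff\xd9"
    jpeg_partial = b"\xff\xd8\xff\xe1" + b"Exif-payload-two-cut"   # no 0xFFD9
    return filler + jpeg_complete + b"unrelated text" + jpeg_partial + filler


if __name__ == "__main__":
    for hit in carve(build_sample_image(), "jpeg"):
        status = "TRUNCATED" if hit["truncated"] else "complete"
        print(f"offset={hit['offset']:>6} size={hit['size']:>4} {status} md5={hit['md5']}")
```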
2.4 Storage media and Data hiding
• Storage media include hard drives, USB drives, and magnetic tapes (key terms: cluster, sector, head, track).
• There are several common hard drive technologies.
• Advanced Technology Attachment (ATA) drives are simpler, less expensive, and therefore more common than higher-performance SCSI drives.
• This holds true for newer versions of these technologies: SATA drives are more common than higher-performance Serial Attached SCSI drives.
Data hiding
• An individual could store data in a hidden area of the hard drive without other users of the system being aware that such a hidden partition exists.
• Forensic examination tools expose such hidden partitions, demonstrating the importance of using tools that are specifically designed to conduct forensic examinations: relying on other methods to view storage media can result in digital investigators missing important information.
2.5 File systems and location of Data
• File systems such as FAT16, FAT32, NTFS, HFS (Macintosh
Hierarchical File system), HFS+, Ext2 (Linux), and UFS (Solaris)
keep track of where data are located on a disk, providing the
familiar file and folder structure.
• Before a file system can be created, a partition must be
created to specify how much of the hard drive it will occupy.
• The first sector of a hard disk contains the Master Boot Record
(MBR) containing a partition table to tell the operating system
how the disk is divided.
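As an added example that is not part of the original slides, this Python parses the partition table of a constructed MBR sector (the 64-byte table at offset 446 and the 0x55AA signature are the standard layout), lists the partitions, and reports the sectors that no partition covers, which is where a hidden partition would sit. It also reads one field both ways to show how a little-endian value is misread if the wrong byte order is assumed, tying back to the representation-of-data discussion; the disk layout itself is constructed.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                 # four 16-byte entries, then 0x55AA at 510
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0x05: "Extended"}


def parse_mbr(sector: bytes):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sector-count(4, LE)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                                  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count,             # exclusive
            # The same four bytes read big-endian: the start sector a wrong
            # byte-order assumption would report.
            "lba_start_if_big_endian": struct.unpack_from(">I", sector, off + 8)[0],
        })
    return partitions


def unallocated_ranges(partitions, total_sectors):
    """(start, length) of sector runs no partition covers, skipping the MBR sector itself.
    These gaps are where a hidden partition or stray data may sit."""
    gaps, cursor = [], 1
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_end"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR for a two-partition disk (no real device was read)."""
    def entry(bootable, ptype, lba_start, count):
        return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, count)
    table = (entry(True, 0x07, 2048, 204800)        # NTFS, 100 MiB, starting 1 MiB in
             + entry(False, 0x83, 206848, 409600)   # Linux, 200 MiB, directly after
             + b"\x00" * 32)                        # two unused slots
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("unallocated:", unallocated_ranges(parts, total_sectors=1_000_000))
```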
Fig. 4.1 General structure of a disk with two partitions
• When a file is deleted, its entry in the file system is updated to indicate its deleted status, and the clusters that were previously allocated to storing it are marked unallocated and can be reused to store a new file.
• However, the data are left on the disk, and it is often possible to retrieve a file immediately after it has been deleted. The data will remain on the disk until a new file overwrites them.
• Even then, if the new file does not take up the entire cluster, a portion of the old file might remain in the slack space. In this case, a portion of a file can be retrieved long after it has been deleted and partially overwritten.
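The deletion and slack-space behaviour described above, as an added example rather than code from the original slides: a constructed cluster-addressed toy volume (512-byte clusters, a free list and a directory) shows that a deleted file stays fully readable until its clusters are reused, and that a smaller file written over them leaves the old file’s tail in the last cluster’s slack. Real file systems differ in detail; the point is the allocation behaviour, not any particular format.

```python
CLUSTER = 512   # bytes per cluster in this constructed volume


class ToyVolume:
    """Constructed cluster-addressed volume for illustrating deletion and slack.

    Deleting a file only marks its directory entry deleted and returns its
    clusters to the free list; the bytes themselves stay on the media.
    """

    def __init__(self, clusters: int):
        self.data = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))
        self.dir = {}   # name -> {"clusters": [...], "size": n, "deleted": bool}

    def write(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // CLUSTER)              # ceiling division
        allocated = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(allocated):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes the file needs are written; the rest of the last
            # cluster keeps whatever was there before (file slack).
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.dir[name] = {"clusters": allocated, "size": len(content), "deleted": False}

    def delete(self, name: str) -> None:
        entry = self.dir[name]
        entry["deleted"] = True
        self.free = sorted(self.free + entry["clusters"])

    def read(self, name: str) -> bytes:
        """Reassemble a file's logical content from its (possibly deleted) entry,
        as a recovery tool would."""
        entry = self.dir[name]
        raw = b"".join(self.data[c * CLUSTER:(c + 1) * CLUSTER] for c in entry["clusters"])
        return bytes(raw[:entry["size"]])

    def slack(self, name: str) -> bytes:
        """Bytes between a live file's logical end and the end of its last cluster."""
        entry = self.dir[name]
        last = entry["clusters"][-1]
        used_in_last = entry["size"] - CLUSTER * (len(entry["clusters"]) - 1)
        return bytes(self.data[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])


def demo():
    """Write a 1000-byte file, delete it, then write a 600-byte file over its clusters."""
    vol = ToyVolume(clusters=8)
    vol.write("old.txt", b"A" * 1000)             # occupies clusters 0 and 1
    vol.delete("old.txt")
    after_delete = vol.read("old.txt")            # fully recoverable at this point
    vol.write("new.txt", b"B" * 600)              # reuses clusters 0 and 1
    return {
        "old_after_delete": after_delete,
        "old_after_overwrite": vol.read("old.txt"),   # first 600 bytes now new.txt's
        "new_slack": vol.slack("new.txt"),            # remnant of old.txt
    }


if __name__ == "__main__":
    r = demo()
    print("recoverable right after delete:", r["old_after_delete"] == b"A" * 1000)
    print("old bytes surviving in new.txt slack:", r["new_slack"].count(b"A"))
```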
2.6 Dealing with password protection and
Encryption
Basics of Encryption:
• Conceptually, encryption locks data with a key and only
people with the appropriate key can unlock the data.
• Encryption can sometimes be bypassed or broken using specialized knowledge and equipment but, in many cases, it is not feasible to expend the required resources to break encryption.
• Encryption is a process by which a readable digital object
(plaintext) is converted into an unreadable digital object
(ciphertext) using a mathematical function.
• Strong encryption schemes use the equivalent of a password,
called a key.
Private Key Encryption
• Private key encryption (i.e., symmetric key encryption) uses the same key to encrypt a message and to decrypt it. Commonly used symmetric key encryption algorithms are DES, IDEA, and Blowfish.
Public Key Encryption
• A public key is one that anyone can use to encrypt a message, while only the intended recipient, who possesses the corresponding private key, can decrypt the message. Two commonly used public key algorithms are RSA and DSA.
Pretty Good Privacy
• A program that uses both private and public key cryptography is Pretty Good Privacy (PGP).
• PGP sends both the encrypted text and the encrypted private (session) key to the recipient. Thus, when the recipient receives the encrypted message, he/she uses his/her personal private key to decrypt the randomly generated private key and then uses the randomly generated private key to decrypt the message.
E-mail Encryption
• Encryption programs like PGP enable individuals to encrypt and sign messages, protecting the contents in transit and providing some assurance that the message is from a specific individual and has not been altered since it was created by the sender.
3. Applying Forensic Science to Computers
• Forensic science is useful, offering carefully tested methods for
processing and analyzing evidence and reaching conclusions that are
reproducible and free from distortion or bias.
• Concepts from forensic science can also help digital investigators
take advantage of digital evidence in ways that would otherwise not
be possible.
• The stages are:
1. Preparation
2. Survey
3. Documentation
4. Preservation
5. Examination and analysis
6. Reconstruction
7. Reporting results
3.1 Planning
• Planning is especially important in cases that involve computers.
• Whenever possible, while generating a search warrant, seek the assistance of system administrators, who might be able to point out oversights or potential pitfalls if they are familiar with the system. This is especially valuable when dealing with large volumes of data in various locations.
• A final preparatory consideration is regarding proper
equipment. Most plans and procedures will fail if adequate
acquisition systems and storage capacity are not provided.
• Some of the fundamental items that can be useful when dealing with computers as a source of evidence include the following:
1. Evidence bags, tags, and other items to label and package evidence
2. Digital camera to document the scene and evidential items
3. Forensically sanitized hard drives to store acquired data
4. Forensically prepared computer(s) to connect with and copy data from evidential hard drives onto forensically sanitized hard drives
5. Hardware write blockers for commonly encountered hard drives (e.g., IDE and SATA)
6. Toolkit, including a flashlight, needle-nose pliers, and screwdrivers for various types and sizes of screws
3.2 Survey
• Surveying a crime scene is the process of finding all potential sources of digital evidence and making decisions about what digital evidence to preserve.
• Surveying a crime scene for potential sources of digital evidence is a twofold process:
First, digital investigators have to recognize the hardware;
Second, digital investigators must be able to distinguish between irrelevant information and the digital data that are relevant to the investigation.
• Applying the scientific method during the survey process involves
developing and testing theories about which items contain
relevant digital evidence, why expected items are missing, and
where missing items might be found.
3.2.1 Survey of Hardware
3.2.2 Survey of Digital Evidence
• Different crimes result in different types of digital evidence.
• For example, cyberstalkers often use e-mail to harass their victims, and computer crackers leave evidence in log files.
• Therefore, the ability to identify evidence depends on a digital investigator’s familiarity with the type of crime that was committed.
3.3 Documentation
• Documentation is essential at all stages of handling and
processing digital evidence, and includes the following:
1. Chain of custody: who handled the evidence, when, where, and
for what purpose;
2. Evidence intake: characteristics of each evidential item such as
make, model, and serial number;
3. Photos, videos, and diagrams: capturing the context of the
original evidence;
4. Evidence inventory: a list or database of all evidential items.
• The primary goal of documentation is to establish the
authenticity of the evidence.
• So, careful note should be made of when the evidence was
collected, from where, and by whom.
• For example, if digital evidence is copied onto a removable
storage media, the label should include the current date and
time, the initials of the person who made the copy, how the
copy was made, and the information believed to be contained
on the storage media.
3.3.1 Case Management
• Case management also involves maintaining the physical security of evidential items and storing multiple copies of digital evidence.
3.4 Preservation
• Once identified, digital evidence must be preserved in such a way that it can later be authenticated.
• A major aspect of preserving digital evidence is preserving it in a way that minimizes the changes made.
3.4.1 Preserving Hardware
• When dealing with hardware as contraband, instrumentality, or evidence, it is usually necessary to collect computer equipment.
• However, sometimes it simply is not feasible to collect hardware because of its size or quantity.
3.4.2 Preserving Digital Evidence
• There are several approaches to preserving digital evidence on a computer:
1. Place the evidential computers and storage media in secure storage for future reference;
2. Extract just the information needed from evidential computers and storage media;
3. Acquire everything from evidential computers and storage media.
• Whether acquiring all data or just a subset, there are two
empirical laws of digital evidence collection that should always be
remembered:
Empirical Law of Digital Evidence Collection and Preservation #1: If
you only make one copy of digital evidence, that evidence will be
damaged or completely lost.
Empirical Law of Digital Evidence Collection and Preservation #2: A
forensic acquisition should contain at least the data that is
accessible to a regular user of the computer.
• In addition, it is important to verify that tools used to copy digital
evidence capture all of the desired information, including
metadata such as date-time stamps that are associated with
acquired files.
• To document the integrity of acquired data, some logical evidence container formats maintain the MD5 hash of each acquired item, while others simply calculate the MD5 value of the overall container.
5) Examination and Analysis
Forensic examination involves preparing digital evidence to
facilitate the analysis stage.
There are three levels of forensic examination:
(1) Survey/triage forensic inspections
(2) Preliminary forensic examination
(3) In-depth forensic examination
• Nature and extent of a digital evidence examination
depend on the known circumstances of the crime and the
constraints placed on the digital investigator.
• In any case, the forensic examination and subsequent
analysis should preserve the integrity of the digital
evidence and should be repeatable and free from
distortion or bias.
5.1 Filtering/Reduction
• The process of filtering out irrelevant, confidential, or privileged data includes the following:
1. Eliminating valid system files and other known entities that have no relevance to the investigation.
2. Focusing on the most probable user-created data.
3. Focusing on files within a restricted time frame.
4. Managing duplicate files, which is particularly useful when dealing with backup tapes.
5. Identifying discrepancies between digital evidence examination tools, such as missed files and MD5 calculation errors.
6. Less methodical data reduction techniques, such as searching for specific keywords or extracting only certain file types, can be effective in certain cases.
7. Any method of filtering data has limitations, with the associated risk of missing important clues, but careful data reduction generally enables a more efficient and thorough digital evidence examination.
5.2 Class/Individual Characteristics and Evaluation of
Source
• Three fundamental questions that need to be addressed when examining a piece of digital evidence are (ICE):
I. What is it? (Identification)
II. What characteristics distinguish it? (Classification or Individualization)
III. Where did it come from? (Evaluation of source)
• The process of identification generally involves ascertaining
what a particular digital object is and classifying it based on
similar characteristics, called class characteristics.
• The concept of a significant difference is important because it
can be just such a difference that distinguishes an object from
all other similar objects, that is, it may be an individual
characteristic.
• Although such characteristics are rarer than class
characteristics, it is important to keep in mind that digital
evidence may contain a unique characteristic that
individualizes it, that is, links it to a particular source with a
high degree of probability.
5.3 Data Recovery/Salvage
• In general, when a file is deleted, the data it contained actually
remain on a disk for a time and can be recovered.
• The details of recovering and reconstructing digital evidence
depend on the kind of data, its condition, the operating system
being run, the type of the hardware and software, and their
configurations.
• When a deleted file is partially overwritten, part of it may be
found in slack space and/or in unallocated space. It may be
possible to extract and reconstitute such fragments to view
them in their near original state.
• Stored data must be retrieved in such a way as to ensure that
its source can be proved in court, and handled in such a way as
to maintain the “chain of evidence.”
6) Reconstruction
The three fundamental types of reconstruction:
• Functional Analysis
• Relational Analysis
• Temporal Analysis
6.1) Functional Analysis: How a computer system functioned:
1. To determine if the individual or computer was capable of
performing actions necessary to commit the crime.
2. To gain a better understanding of a piece of digital evidence or the
crime as a whole.
3. To prove that digital evidence was tampered with.
4. To gain insight into an offender’s intent and motives. For instance,
was a purposeful action required to cause damage to the system or
could it have been accidental?
5. To determine the proper working of the system during the relevant
time period. This relates to authenticating and determining how
much weight to give digital evidence.
6.2) Relational Analysis
• In an effort to identify relationships between suspects, victim,
and crime scene, it can be useful to create nodes that represent
places they have been, e-mail and IP addresses used, financial
transactions, telephone numbers called, etc. and determine if
there are noteworthy connections between these nodes.
• For instance, in large-scale fraud investigation, representing
fund transfers by drawing lines between individuals and
organizations can reveal the most active entities in the fraud.
• Similarly, depicting e-mail messages sent and received by a
suspect can help investigators spot likely associates by the
large numbers of messages exchanged.
6.3) Temporal Analysis
• When investigating a crime, it is usually desirable to know the
time and sequence of events.
• Fortunately, in addition to storing, retrieving, manipulating,
and transmitting data, computers keep ample account of time.
• The simple act of creating a timeline of when files were
created, accessed, and modified can result in a surprising
amount of information.
• Creating a timeline of events can help an investigator identify
patterns and gaps, shedding light on a crime and leading to
other sources of evidence.
Digital investigators should seek new ways to represent visually
temporal information to help them recognize patterns. Plotting
times on concentric circles or a spiral may cause certain patterns
to stand out.
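The timeline idea above, as an added example that is not part of the original slides: Python that flattens constructed created/modified/accessed records into one sorted event list, flags files whose content is older than their local entry (the signature of a file copied in from elsewhere, so its origin is worth asking about), finds stretches with no activity, and counts events per hour of the day as a textual stand-in for plotting times around a clock face. All paths and timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed file-system metadata: (path, created, modified, accessed).
RECORDS = [
    ("C:/Users/alice/report.docx", "2023-03-01 09:15:00", "2023-03-03 17:40:00", "2023-03-04 08:02:00"),
    ("C:/Users/alice/utility.exe", "2023-03-06 02:10:00", "2022-11-20 12:00:00", "2023-03-06 02:11:00"),
    ("C:/Users/alice/notes.txt",   "2023-03-06 02:30:00", "2023-03-06 02:45:00", "2023-03-06 02:45:00"),
    ("C:/Users/alice/archive.zip", "2023-03-06 03:05:00", "2023-03-06 03:05:00", "2023-03-06 03:06:00"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def build_timeline(records):
    """Flatten MAC times into one chronologically sorted list of (time, action, path)."""
    events = []
    for path, created, modified, accessed in records:
        events.append((parse_ts(created), "created", path))
        events.append((parse_ts(modified), "modified", path))
        events.append((parse_ts(accessed), "accessed", path))
    return sorted(events)


def modified_before_created(records):
    """Files whose content is older than their local directory entry: what a file
    copied in from another system looks like, so its source is worth establishing."""
    return [path for path, c, m, _ in records if parse_ts(m) < parse_ts(c)]


def gaps(events, min_gap=timedelta(days=1)):
    """Consecutive events separated by at least `min_gap` with nothing in between."""
    return [(a[0], b[0]) for a, b in zip(events, events[1:]) if b[0] - a[0] >= min_gap]


def hour_of_day_histogram(events) -> Counter:
    """Events per hour of the day, so a burst of activity at an unusual hour stands out."""
    return Counter(t.hour for t, _, _ in events)


if __name__ == "__main__":
    timeline = build_timeline(RECORDS)
    for t, action, path in timeline:
        print(t, f"{action:<8}", path)
    print("modified before created:", modified_before_created(RECORDS))
    print("gaps >= 1 day:", gaps(timeline))
    print("busiest hour:", hour_of_day_histogram(timeline).most_common(1))
```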
6.4 Digital Stratigraphy
• When time markers are destroyed, more imaginative
approaches are required to get a sense of when data were
created.
• Concepts from other fields can be translated into the digital
land to develop new analysis techniques such as digital
stratigraphy.
• Stratigraphy is the scientific study of layers (a.k.a. strata) in
geology and archaeology with the aim of determining the
origin, composition, distribution, and time frame of each
stratum.
• Applying this concept to data stored on a disk can be fruitful in
some investigations.
7) Reporting
• The last stage of a digital evidence examination is to integrate all
findings and conclusions into a final report that conveys the findings to
others and that the examiner may have to present in court.
• Writing a report is one of the most important stages of the process
because it is the only view that others have of the entire process.
• Unless findings are communicated clearly in writing, others are
unlikely to appreciate their significance.
• A well-rendered report that clearly outlines the examiner’s findings can
convince the opposition to settle out of court, while a weakly rendered
report can fuel the opposition to proceed to trial.
• Assumptions and lack of foundation in evidence result in a weak report.
• Therefore, it is important to build solid arguments by providing all
supporting evidence and demonstrating that the explanation provided is
the most reasonable one.