1 of 29

CYBER SECURITY AND DIGITAL FORENSICS

by

Dr. Vikrant Chole

Amity School of Engineering & Technology


MODULE - IV: Types of Computer Forensics Technology


Types of Computer Forensics Technology

  • Cyber forensics focuses on real-time, online evidence gathering rather than the traditional offline computer disk forensic technology.
  • Two distinct components exist in the emerging field of cyber forensics technology.
  • The first, computer forensics, deals with gathering evidence from computer media seized at the crime scene. Principal concerns with computer forensics involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation purposes.
  • Several computer forensic tools are available to investigators.
  • The second component, network forensics, is a more technically challenging aspect of cyber forensics. It involves gathering digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved within permanent storage media.
  • Network forensics deals primarily with in-depth analysis of computer network intrusion evidence, because current commercial intrusion analysis tools are inadequate to deal with today’s networked, distributed environments.


  • Similar to traditional medical forensics, such as pathology, today’s computer forensics is generally performed postmortem (after the crime or event occurred).
  • In a networked, distributed environment, it is imperative to perform forensic-like examinations of victim information systems on an almost continuous basis, in addition to traditional postmortem forensic analysis. This is essential to the continued functioning of critical information systems and infrastructures. In the battle against malicious hackers, investigators must perform cyber forensic functions in support of various objectives.
  • These objectives include timely cyberattack containment, perpetrator location and identification, damage mitigation, and recovery initiation in the case of a crippled, yet still functioning, network. Cyber forensics adds inspection of transient and other frequently overlooked elements such as the contents or state of memory, registers, basic input/output system, input/output buffers, serial receive buffers, L2 cache, front side and back side system caches, and various system buffers (drive and video buffers).
  • Now let’s briefly look at specific types of computer forensics technology that are being used by military, law enforcement, and business computer specialists.


Types of Military Computer Forensic Technology

  • The U.S. Department of Defense (DoD) cyber forensics includes evaluation and in-depth examination of data related to both the trans- and post-cyberattack periods.
  • Key objectives of cyber forensics include rapid discovery of evidence, estimation of potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator.
  • Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.
  • The information directorate’s cyber forensic concepts are new and untested. The directorate entered into a partnership with the National Institute of Justice via the auspices of the National Law Enforcement and Corrections Technology Center (NLECTC) located in Rome, New York, to test these new ideas and prototype tools.
  • The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.
  • This first-of-a-kind event represents a new paradigm for transitioning cyber forensic technology from military research and development (R&D) laboratories into the hands of law enforcement. The experiment used a realistic cyber crime scenario specifically designed to exercise and show the value added by the directorate-developed cyber forensic technology.


  • The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.
  • The execution of CFX-2000 required the development and simulation of a realistic, complex cyber crime scenario exercising conventional, as well as R&D prototype, cyber forensic tools.
  • The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes.
  • The Synthesizing Information from Forensic Investigations (SI-FI) integration environment, developed under contract by WetStone Technologies, Inc., was the cornerstone of the technology demonstrated. SI-FI supports the collection, examination, and analysis processes employed during a cyber forensic investigation. The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence. Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations.
  • Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents. The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection.
  • The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals.
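The two DEB properties named above (a sealed payload that authorized users may reopen, and an automatic audit of every action that protects integrity) can be illustrated with a small hash-chained evidence bag. This is an added example, not SI-FI’s or WetStone’s code; the class name, the custodian key, and the record layout are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Hypothetical custodian key, constructed for this example; a real DEB
# implementation would keep this in an HSM or a key vault.
CUSTODIAN_KEY = b"constructed-custodian-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceBag:
    """A minimal digital evidence bag: the payload is sealed under a SHA-256
    hash and every action is appended to an HMAC-chained audit log."""

    def __init__(self, case_id: str, evidence: bytes, sealed_by: str):
        self.case_id = case_id
        self.evidence = evidence
        self.evidence_hash = sha256_hex(evidence)
        self.audit = []  # chained audit records, oldest first
        self._append("seal", sealed_by)

    @staticmethod
    def _mac(body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(CUSTODIAN_KEY, payload, hashlib.sha256).hexdigest()

    def _append(self, action: str, actor: str) -> None:
        # Each record commits to the previous record's MAC, so deleting or
        # editing an earlier entry breaks every later link in the chain.
        prev = self.audit[-1]["record_mac"] if self.audit else "0" * 64
        record = {"seq": len(self.audit), "case_id": self.case_id,
                  "action": action, "actor": actor,
                  "evidence_hash": self.evidence_hash, "prev": prev}
        record["record_mac"] = self._mac(record)
        self.audit.append(record)

    def head(self) -> str:
        """MAC of the latest record; store it off-bag to detect truncation."""
        return self.audit[-1]["record_mac"]

    def open_for_exam(self, actor: str) -> bytes:
        # Reopening is permitted for authorized users but is always logged.
        self._append("open", actor)
        return self.evidence

    def verify(self, expected_head: str = None) -> bool:
        """True only if the payload still matches its seal hash and the audit
        chain is intact (and, when given, ends at the expected head MAC)."""
        if sha256_hex(self.evidence) != self.evidence_hash:
            return False
        prev = "0" * 64
        for i, rec in enumerate(self.audit):
            body = {k: v for k, v in rec.items() if k != "record_mac"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(body), rec["record_mac"]):
                return False
            prev = rec["record_mac"]
        if expected_head is not None and prev != expected_head:
            return False
        return True
```

Dropping the newest record leaves a chain that still verifies on its own, which is why the latest head MAC must be stored outside the bag and passed to `verify`.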


Types of Law Enforcement: Computer Forensic Technology

  • As previously defined, computer forensics involves the preservation, identification, extraction, and documentation of computer evidence stored in the form of magnetically encoded information (data).
  • Often the computer evidence was created transparently by the computer’s operating system and without the knowledge of the computer operator. Such information may actually be hidden from view and, thus, special forensic software tools and techniques are required to preserve, identify, extract, and document the related computer evidence.
  • Computer forensics tools and techniques have proven to be a valuable resource for law enforcement in the identification of leads and in the processing of computer-related evidence.

  • Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management.


  • Forensic software tools and methods can be used to identify passwords, logons, and other information that is automatically dumped from the computer memory as a transparent operation of today’s popular personal computer operating systems.
  • Such computer forensic software tools can also be used to identify backdated files and to tie a diskette to the computer that created it.
  • Law enforcement and military agencies have been involved in processing computer evidence for years. This section touches very briefly on issues dealing with Windows NT, Windows 2000, XP and 2003 and their use within law enforcement computer forensic technology.
  • Windows XP and Windows 2003 are operating systems that are often used on notebook and desktop computers in corporations and government agencies. Thus, they are currently the operating systems most likely to be encountered in computer investigations and computer security reviews.


Types of Business Computer Forensic Technology

Following are the types of business computer forensics technology:

  • Remote monitoring of target computers
  • Creating trackable electronic documents
  • Theft recovery software for laptops and PCs
  • Basic forensic tools and techniques
  • Forensic services available


Remote Monitoring of Target Computers

  • Data Interception by Remote Transmission (DIRT) from Codex Data Systems (CDS) is a powerful remote control monitoring tool that allows stealth monitoring of all activity on one or more target computers simultaneously from a remote command center.
  • No physical access is necessary.
  • The application also allows agents to remotely seize and secure digital evidence prior to physically entering suspect premises.


Creating Trackable Electronic Documents

  • There are many powerful intrusion detection tools that allow the user to create trackable electronic documents.
  • In general, most of these tools identify (including their location) unauthorized intruders who access, download, and view these tagged documents.
  • The tools also allow security personnel to trace the chain of custody and chain of command of all who possess the stolen electronic documents.


Theft Recovery Software for Laptops and PCs

  • If your PC or laptop is stolen, is it smart enough to tell you where it is?
  • According to a recent FBI report, 98% of stolen computers are never recovered.
  • According to Safeware Insurance, 1,201,000 PCs and laptops were stolen in 2002 and 2003, costing owners $7.8 billion dollars.
  • According to a recent joint Computer Security Institute/FBI survey, 72% of the Fortune 1000 companies experienced laptop theft.
  • Nationwide losses to computer component theft cost corporate America over $11 billion a year.
  • So if your company experiences computer-related thefts and you do nothing to correct the problem, there is a 92% chance you will be hit again.
  • PC PhoneHome is a transparent theft protection and recovery software system that you install on your laptop or PC. Once installed, it sends a stealth email message to your address every time the computer connects to the Internet.


Basic Forensic Tools and Techniques

  • Today, many computer forensics workshops have been created to familiarize investigators and security personnel with the basic techniques and tools necessary for a successful investigation of Internet and computer-related crimes.

  • Workshop topics normally include: types of computer crime, cyber law basics, tracing email to its source, digital evidence acquisition, cracking passwords, monitoring computers remotely, tracking online activity, finding and recovering hidden and deleted data, locating stolen computers, creating trackable files, identifying software pirates, and so on.


Forensic Services Available

  • Through computer forensic evidence acquisition services, forensic experts for companies like Capitol Digital Document Solutions can provide management with a potent arsenal of digital tools at its disposal.
  • They have the necessary software and hardware to travel to designated sites throughout the world to acquire an exact image of hard drives, tapes, etc.
  • This image is an exact duplication of the source media and allows evaluation within their laboratories with minimal disruption to others.
  • Services include but are not limited to:
      - Lost password and file recovery
      - Location and retrieval of deleted and hidden files
      - File and email decryption
      - Email supervision and authentication
      - Threatening email traced to source
      - Identification of Internet activity
      - Computer usage policy and supervision
      - Remote PC and network monitoring
      - Tracking and location of stolen electronic files
      - Honeypot sting operations
      - Location and identity of unauthorized software users
      - Theft recovery software for laptops and PCs
      - Investigative and security software creation
      - Protection from hackers and viruses


Specialized Forensics Techniques

  • Threats to the strategic value of your business almost always involve a computer or network because that is where your company’s proprietary information and business processes are located.
  • A simple and virtually undetectable fraud that posts a few cents to a phony account can reap a perpetrator thousands of dollars flowing through accounts payable.
  • A malicious change to an individual’s personnel records could cost the person a job and a career.
  • Divulging a company’s financial records could damage it on Wall Street, in the marketplace, and before shareholders.
  • Corporate espionage can steal trade secrets. Posting libelous information on the Internet about a company or individual can damage a reputation beyond recovery.
  • Employees of a company might be stealing from it or using company resources to work for themselves, or they can be using excessive work time to surf pornographic sites and play games.


  • Companies employ computer forensics when there is serious risk of information being compromised, a potential loss of competitive capability, a threat of lawsuits, or potential damage to reputation and brand.
  • Some companies regularly use forensic investigations to check employee computers.
  • Computer forensics investigators examine computer hardware and software using legal procedures to obtain evidence that proves or disproves allegations. Gathering legal evidence is difficult and requires trained specialists who know computers, the rules of evidence gathering, and how to work with law enforcement authorities.


Hidden Data and How to Find It

  • Today’s technology presents your business with as many problems as it does solutions. Computers that work miracles in your day-to-day operations often malfunction—and you lose valuable data.
  • The email that makes communicating so simple carries deadly viruses that infect your machines and spread, causing massive data losses throughout your network.
  • Hackers, both inside and outside your company, can access your information, manipulate it, hide it, steal it, and cause huge losses of data.
  • In many cases, documents and files deleted from a computer can be found and recovered using the methods of computer forensics. When files or documents are deleted from a computer, the majority of the actual information is typically left behind.
  • Documents and files deleted or hidden even years ago may be recovered through a computer investigation. Deleted or hidden files are one of the prime targets of the computer forensic technician searching for evidence.
  • Forensics technicians specialize in professional data recovery and will restore your data quickly—right when you need it. These teams of data recovery experts know how to retrieve your lost data from damaged and corrupt storage media including hard drives, back-up systems, temporary storage units, and more. They can also restore individual corrupt files back to their original condition.


Spyware and Adware

  • Spyware is Internet jargon for advertising supported software (adware). It is a way for shareware authors to make money from a product, other than by selling it to the users.
  • There are several large media companies that approach shareware authors to place banner ads in their products in exchange for a portion of the revenue from banner sales.
  • This way, you don’t have to pay for the software, and the developers are still getting paid.

  • If you find the banners annoying, there is usually an option to remove them by paying the regular licensing fee.


Why Is It Called Spyware?

  • While this may be a great concept, the downside is that the advertising companies also install additional tracking software on your system, which is continuously calling home, using your Internet connection to report statistical data to the “mothership.”
  • Although the companies’ privacy policies state that no sensitive or identifying data will be collected from your system and that you shall remain anonymous, the fact still remains that you have a live server sitting on your PC that is sending information about you and your surfing habits to a remote location.

Are All Adware Products Spyware?

  • No, but the majority are. There are also products that display advertising but do not install any tracking mechanism on your system.


Is Spyware Illegal?

  • Even though the name may indicate so, spyware is not an illegal type of software in any way. However, there are certain issues that a privacy-oriented user may object to and therefore prefer not to use the product. This usually involves the tracking and sending of data and statistics via a server installed on the user’s PC and the use of your Internet connection in the background.
  • Millions of people use advertising-supported spyware products and could not care less about the privacy hype.

Real Spyware

  • There are also many PC surveillance tools that allow a user to monitor all kinds of activity on a computer, ranging from keystroke capture, snapshots, email logging, and chat logging to just about everything else.
  • These tools are often designed for parents, businesses, and similar environments but can be easily abused if they are installed on your computer without your knowledge. Furthermore, these tools are perfectly legal in most places, but, just like an ordinary tape recorder, if they are abused, they can seriously violate your privacy.


Protecting Data from Being Compromised

  • In the past 25 years, since the introduction of the personal computer, a great change has taken place in the way people use computers. No longer are they an obscure rarity, but are ubiquitous, and the business without a computer is now an exception.

  • They are used to assist with most tasks in the workplace. You communicate via email and chat, and even voice and video communication uses computers. You maintain financial records, schedule appointments, and store significant amounts of business records, all electronically.

  • It should come as no surprise that with this newfound productivity comes a class of individuals who exploit these benefits to commit crimes and civil wrongs.


  • Almost any type of investigation and litigation today may rely on protecting evidence obtained from computer systems. Digital evidence can often make or break a case.
  • This evidence may be used to establish that a crime has been committed or to assert other points of fact in a court of law, such as identifying suspects, defending the innocent, prosecuting the guilty, and understanding individuals’ motives and intents.
  • As previously explained, computer forensics is the science whereby experts extract data from computer media in such a way that it may be used in a court of law. In other words, computer forensics is used by experts to protect data from being compromised. This evidence may include such things as deleted emails or files and computer logs, spreadsheets, and accounting information.
  • It is not sufficient to merely have the technical skills to locate evidence on computer media. Computer forensics experts recover the evidence and maintain a strict chain of custody to ensure that the evidence is preserved in its original form. These experts’ knowledge of what to look for and where to look is also important.


Avoiding Pitfalls with Firewalls

  • All the traffic going through a firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well as a pair of port numbers that identify the protocol or service.
  • The destination port number of the first packet often indicates the type of service being connected to. When a firewall blocks a connection, it saves the destination port number to its logfile. This section describes some of the meanings of these port numbers as well as how to avoid some of the pitfalls.

Port numbers are divided into three ranges:

  • The well-known ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on one of these ports clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.
  • The registered ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services “bound” to these ports, these ports are likewise used for many other purposes that have nothing to do with the official server.
  • The dynamic and private ports are those from 49152 through 65535. In theory, no service should be assigned to these ports.


  • In reality, machines start assigning dynamic ports starting at 1024. However, there are exceptions: for example, Sun starts their RPC ports at 32768.

  • Suppose you are seeing attempts on the same set of ports from widely varying sources all over the Internet. Usually, this is due to a “decoy” scan, such as in “nmap.” One of them is the attacker; the others are not.

  • Computer forensics and protocol analysis can be used to track down who this is. For example, if you ping each of the systems, you can match up the time to live (TTL) fields in those responses with the connection attempts. This will at least point a finger at a decoy scan. The TTLs should match; if not, then they are being spoofed. Newer versions of scanners now randomize the attacker’s own TTL, making it harder to weed them out.

  • You can also attempt to go back further in your logs, looking for all the decoy addresses or people from the same subnets. You will often see that the attacker has actually connected to you recently, while the decoyed addresses haven’t.
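The port-range rule from the previous slide and the two decoy-scan checks above (TTL consistency with a ping reply, and prior history in older logs) as one small triage script. This is an added example, not code from the slides; the log line format, the addresses and TTLs, and the ping-reply values are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from any real system): each records a
# blocked inbound attempt with source, destination port and arriving TTL.
SCAN_LOG = """\
2024-05-01T10:00:01 DROP src=203.0.113.5 dport=22 ttl=55
2024-05-01T10:00:01 DROP src=198.51.100.7 dport=22 ttl=52
2024-05-01T10:00:01 DROP src=192.0.2.9 dport=22 ttl=64
2024-05-01T10:00:01 DROP src=198.51.100.200 dport=22 ttl=58
2024-05-01T10:00:02 DROP src=203.0.113.5 dport=445 ttl=55
2024-05-01T10:00:02 DROP src=198.51.100.7 dport=445 ttl=52
2024-05-01T10:00:02 DROP src=192.0.2.9 dport=445 ttl=64
2024-05-01T10:00:02 DROP src=198.51.100.200 dport=445 ttl=58
"""

# Older entries, also constructed: the real scanner touched the site earlier.
HISTORY_LOG = """\
2024-04-28T08:12:44 ACCEPT src=203.0.113.5 dport=443 ttl=55
2024-04-28T09:30:10 ACCEPT src=192.0.2.77 dport=80 ttl=60
"""

# TTLs seen in ping replies from each source (constructed; in practice these
# are measured by pinging each address as the slide describes).
PING_TTL = {"203.0.113.5": 55, "198.51.100.7": 110,
            "192.0.2.9": 240, "198.51.100.200": 58}

LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dport=(\d+) ttl=(\d+)$")


def port_range(port: int) -> str:
    """Classify a port into the three ranges named on the slide."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, action, src, dport, ttl = m.groups()
        events.append({"ts": ts, "action": action, "src": src,
                       "dport": int(dport), "ttl": int(ttl)})
    return events


def decoy_triage(scan_text: str, history_text: str, ping_ttl: dict) -> dict:
    """Separate the real scanner from its decoys: sources hitting the same
    port set are checked for TTL consistency and for prior history."""
    ports_by_src, ttls_by_src = defaultdict(set), defaultdict(set)
    for ev in parse_log(scan_text):
        ports_by_src[ev["src"]].add(ev["dport"])
        ttls_by_src[ev["src"]].add(ev["ttl"])
    seen_before = {ev["src"] for ev in parse_log(history_text)}
    groups = defaultdict(list)
    for src, ports in ports_by_src.items():
        groups[frozenset(ports)].append(src)
    verdicts = {}
    for srcs in groups.values():
        if len(srcs) < 2:
            continue  # a lone source is not the decoy pattern on the slide
        for src in srcs:
            if src not in ping_ttl:
                verdicts[src] = "unknown (no ping reply)"
            elif ping_ttl[src] not in ttls_by_src[src]:
                verdicts[src] = "decoy (TTL does not match ping reply)"
            elif src in seen_before:
                verdicts[src] = "likely attacker (TTL matches, prior connections)"
            else:
                verdicts[src] = "undetermined (TTL matches, no prior history)"
    return verdicts
```

As the slide warns, a scanner that randomizes its own TTL will land in the "decoy" bucket too, so the history check is the more durable of the two signals.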


End of Module 4
