
Chapter Eight


Presentation Transcript


  1. Chapter Eight Forensic Terminology and Criminal Investigation

  2. Who Benefits from Forensic Computer Science • prosecutors - a variety of crimes in which incriminating documents can be found, ranging from homicide to financial fraud to child pornography • civil litigators – personal and business records which relate to fraud, divorce, discrimination, and harassment • insurance companies – mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workers' compensation cases • corporations – gather evidence relating to sexual harassment, embezzlement, theft, or misappropriation of trade secrets and other internal/confidential information • law enforcement officials – for pre-search-warrant preparations and post-seizure handling of computer equipment • individuals – support of claims of wrongful termination, sexual harassment, or age discrimination

  3. Why LE investigations require it • Protects and maintains the integrity of potential evidence by: • maintaining a chain of custody • ensuring that viruses are not introduced • ensuring that evidence or potential evidence remains in an unaltered state (i.e., not destroyed, damaged, or otherwise manipulated during the investigative process.) • enables the creation of forensically sound images for data analysis • prevents allegations of corruption or misconduct • enables the discovery of all relevant files on suspect systems, including overt, hidden, password-protected, slack, swap, encrypted, and some deleted files • enhances the likelihood of timely processing (necessary to protect departments from civil litigation claiming unreasonable interruption of business operations.) • More specifically – establishes procedures for the recovery, preservation, and analysis of digital evidence

  4. Traditional problems in computer investigations • Inadequate resources • Lack of communication and cooperation among agencies • Over-reliance on automated programs and self-proclaimed experts • Lack of reporting • Corruption of evidence • Encryption

  5. Inadequate Resources • The least equipped agencies are the least able to secure external funding for necessary equipment or training. • Even those agencies currently favored by funding entities struggle to justify the steep and rising costs of computer forensics. • Software and training such as that offered by NTI (New Technologies, Inc.) and Litton/TASC may cost as much as $2000 per person. • Because licences are issued per individual, departments must send (and pay for) multiple attendees. • Federal programs, like those offered at the FBI and FLETC, are also disproportionately attended by large, better funded agencies. • The National White Collar Crime Center is a step in the right direction.

  6. Lack of Communication • Traditionally, communication and cooperation between law enforcement agencies has been strained due to competing interests (funding, etc.). • Individual practitioners, however, have developed professional organizations like HTCIA which has encouraged collaboration.

  7. Over-reliance on automated programs & self-proclaimed experts • Familiarity with push-button tools can leave investigators knowing just enough to be hazardous to the very investigation they are dedicated to: they can run the tool, but cannot explain or validate what it reports, and cannot tell when it has missed or altered something.

  8. Lack of Reporting • Many businesses and individual citizens do not perceive the police as technologically advanced. • Victims often wish to contain the problem within the organization. • Many believe that they may conduct their own investigation first and then turn the results over to the police. • Fear of losing consumer confidence.

  9. Corruption of Evidence • Many “departmental computer experts” have destroyed cases due to their lack of knowledge of disk structure. • Corporations or private entities which initiate investigations often fail to appreciate the legal complexities of evidence preservation and custodial documentation.

  10. Three Cardinal Rules of Computer Investigations • Always work from an image – leaving the original intact (verify by hash that the image matches the original before analysis begins, and re-verify when it ends) • Document, Document, Document • Maintain chain of custody

  11. Computer forensic science and disk structure • Investigators must be aware of both the physical and logical structure, disk management, and memory storage.

  12. Simple Terms • Computer - a device capable of storing, transmitting or manipulating data through mathematical and logical processes or operations • Static memory - that area on hard and/or floppy disks in which data and programs are stored • Volatile memory - that area of a computer which holds information during processing and is erased when power is shut down • Semi-permanent storage - that area of a disk that is not dependent upon a power source for its continued maintenance, and which may be changed under the appropriate operating conditions (i.e., storage devices, floppy and fixed disks, magnetic tapes, etc.). This is where the majority of the work and storage is conducted, and where the most processed data is stored. Thus, it is extremely important in computer forensics.

  13. Computer storage - the holding of data in magnetic (or, for optical media, optical) form for access by a computer processor • Primary storage - data in RAM and other built-in devices • Secondary storage - data on hard disk, tapes, and other external devices • Floppy disks or diskettes - single circular disks with concentric tracks, turned by a spindle under one or more heads • CD-ROMs - a single track that spirals from the center of the disc outward (the same layout is used for audio and for data); a pressed CD-ROM or a CD-R can be written only once, while CD-RW media can be erased and rewritten, so a CD-RW behaves more like a conventional rewritable drive • Hard/fixed disks - one or more platters sealed inside an enclosure, with one read/write head per platter surface; a drive with several platters therefore has more than two recording surfaces

  14. Disk Structure • Physically, a drive is composed of one or more rotating platters. Each platter surface is divided concentrically into tracks; tracks are divided into sectors, and each sector holds a fixed number of bytes. A read/write head flies over each side of each platter.

  15. Head – each platter has one head per side. The heads ride very close to the platter surface and perform all reading and writing. Heads are numbered sequentially from zero. • Tracks – the concentric bands dividing each platter surface. Tracks are numbered sequentially beginning with zero. • Cylinder – the set of tracks that lie at the same distance from the disk's edge on every surface, i.e., every track that sits under the heads when the head assembly is in one position. Unlike heads and platters, a cylinder is not a physical part; it is a cross-section of the disk. (Imagine using a hole punch on a perfectly positioned stack of paper: the hole, passing through every sheet at the same spot, is a visible representation of a cylinder.) A double-sided floppy has two tracks per cylinder, one per side; a hard drive with n platters has 2n tracks per cylinder, one on each surface. Taken together these tracks form a cylindrical shape, hence the name. • Remember: cylinder/head/sector (CHS) addressing describes old drives literally. Modern drives use zoned recording (more sectors on the outer tracks) and are addressed by logical block address (LBA); the CHS geometry they report to the BIOS is kept only for compatibility.

  16. Data Storage • On DOS machines the order in which storage is recognised is fixed: the BIOS detects the physical drives first; DOS then assigns drive letters to the logical drives they contain (primary partitions on each disk first, then the logical drives inside extended partitions); drives provided by device drivers loaded from CONFIG.SYS (RAM disks, CD-ROM drives, and the like) are lettered last.

  17. Physical drives - devices and data at the electronic or machine level • Logical drives - (most important in computer forensics) are allocated parts of a physical drive that are designated and managed as independent units • Binary digits or bits – the two-state units on which all computer storage is based; a bit may be likened to an on/off switch. Collections of bits are interpreted by the computer and transformed into a format for human consumption. • ASCII – American Standard Code for Information Interchange – the most common set of associations between particular binary patterns and characters (ensures compatibility between systems and system components) • This code defines characters for the first 128 binary values (i.e., 0 to 127), using seven bits • The first 32 of these (0 to 31) are non-printing control characters that were designed to control data communications equipment, printers, and displays • Extended ASCII codes assign character symbols to the binary values 128 through 255; which symbols depends on the code page in use, so the same byte can display differently on different systems

  18. Data Interpretation • Binary system – base 2, with integers written using the digits 0 and 1. The range of whole numbers that a single byte (eight bits) can represent is 0 to 255. Larger values therefore need two bytes (0 to 65,535) or four bytes (0 to 4,294,967,295); on Intel-based machines multi-byte values are stored least-significant byte first (little-endian), which an investigator must account for when reading them from a hex dump. • Hexadecimal system – base 16, with digits 0 to 9 and A to F. Two hex digits represent exactly one byte, so hex is the natural notation for examining raw disk and memory contents. It is very useful for investigators because a hex editor shows every byte as it actually is, including data left behind in sectors or memory blocks that a program reused without clearing them.

  19. Fixed units of storage • Sectors – the smallest physical storage unit on a disk – an arc-shaped portion of one track. Magnetic disks used with Windows have traditionally had 512-byte sectors (this is not specific to U.S. versions); newer "Advanced Format" drives use 4,096-byte sectors, so the sector size should be confirmed rather than assumed. • In CHS addressing sectors are numbered from 1 on each track; in LBA addressing they are numbered from 0 across the whole disk. • Clusters (file allocation units) – one or more adjacent sectors, representing the basic allocation unit of disk storage • Although the size varies with the size of the volume, a cluster is the minimum space allocated to any non-empty file under DOS/Windows. • Clusters make it easier for operating systems to manage files (fewer units to keep track of) at the cost of wasted space at the end of each file. • Files – composed of one or more clusters – the smallest unit that distinguishes one set of data from another

  20. Logical vs. Physical • Logical file size – the exact size of a file in bytes, as recorded in its directory entry • Physical file size – the actual amount of space that the file occupies on a disk, i.e., the number of clusters allocated to it multiplied by the cluster size • File slack – the unused space between the logical end of a file and the physical end of its last cluster • may be likened to a table in a restaurant at which a couple is seated at a table for four. Although the extra two chairs are empty, they belong to that couple until they have finished their meal. • Slack has two parts: RAM slack, the unused tail of the last sector the file was written to (old DOS systems padded it with whatever happened to be in memory, which is why it can hold passwords and other data that were never written to any file; Windows NT and later zero-fill it), and drive slack, the remaining whole sectors of the last cluster, which are not written at all and so still hold whatever the previous occupant of the cluster left there. • Extremely important for forensics, as the slack may contain the remnants of old files or other evidence, including passwords, old directory structures, or miscellaneous information that was in memory
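
A worked example of the logical size / physical size / slack arithmetic on this slide, added here as illustration and not code from the presentation. It assumes a hypothetical FAT volume with 512-byte sectors and four sectors per cluster, and constructs a cluster that once held a deleted memo and now holds a 700-byte file; the memo's text survives in the drive slack, while the RAM slack is zero-filled as a modern OS would leave it.

```python
import math
from dataclasses import dataclass

SECTOR_SIZE = 512            # bytes per sector on legacy disks
SECTORS_PER_CLUSTER = 4      # assumed geometry: 2 KiB clusters (hypothetical small FAT volume)


@dataclass
class SlackReport:
    logical_size: int   # exact file length in bytes (directory entry)
    physical_size: int  # clusters allocated * cluster size
    ram_slack: int      # unused tail of the last sector actually written
    drive_slack: int    # whole sectors in the last cluster never written by this file


def slack_layout(logical_size, sector_size=SECTOR_SIZE,
                 sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Compute physical size and the two kinds of slack from a logical size."""
    cluster_size = sector_size * sectors_per_cluster
    if logical_size == 0:                       # zero-length files get no cluster at all
        return SlackReport(0, 0, 0, 0)
    clusters = math.ceil(logical_size / cluster_size)
    sectors_written = math.ceil(logical_size / sector_size)
    physical = clusters * cluster_size
    ram_slack = sectors_written * sector_size - logical_size
    drive_slack = physical - sectors_written * sector_size
    return SlackReport(logical_size, physical, ram_slack, drive_slack)


def overwrite_cluster(old_cluster, new_data, sector_size=SECTOR_SIZE):
    """Model a modern OS writing a short file into a cluster that previously held other data:
    the file's bytes are written, the rest of that last sector is zero-filled, and the
    remaining sectors of the cluster are left untouched."""
    cluster = bytearray(old_cluster)
    cluster[:len(new_data)] = new_data
    end_of_last_sector = math.ceil(len(new_data) / sector_size) * sector_size
    cluster[len(new_data):end_of_last_sector] = bytes(end_of_last_sector - len(new_data))
    return bytes(cluster)


def carve_slack(cluster, logical_size, sector_size=SECTOR_SIZE):
    """Split a file's last cluster into (file data, RAM slack, drive slack)."""
    end_of_last_sector = math.ceil(logical_size / sector_size) * sector_size
    return (cluster[:logical_size],
            cluster[logical_size:end_of_last_sector],
            cluster[end_of_last_sector:])


def find_in_slack(cluster, logical_size, needle):
    """Report which slack region (if any) still holds the needle."""
    _, ram, drive = carve_slack(cluster, logical_size)
    hits = []
    if needle in ram:
        hits.append("ram_slack")
    if needle in drive:
        hits.append("drive_slack")
    return hits


# Constructed scenario: a deleted memo filled the whole cluster; a 700-byte file now reuses it.
OLD_MEMO = (b"old memo: db_password=hunter2; " * 100)[:SECTOR_SIZE * SECTORS_PER_CLUSTER]
NEW_FILE = b"A" * 700
CLUSTER_NOW = overwrite_cluster(OLD_MEMO, NEW_FILE)


if __name__ == "__main__":
    print(slack_layout(len(NEW_FILE)))
    print(find_in_slack(CLUSTER_NOW, len(NEW_FILE), b"hunter2"))
```

The 700-byte file is written to sectors 1 and 2 of the cluster, so bytes 700 to 1023 are RAM slack and sectors 3 and 4 (bytes 1024 to 2047) are drive slack; only the latter still contains the old password string.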

  21. Partitioning • Partition – a portion of a fixed disk that the operating system identifies as a single unit; an MBR partition table holds at most four entries (primary partitions) • Windows NT and other operating systems may treat multiple partitions on different physical disk drives as a single disk volume (a volume set). • Every bootable hard disk includes one disk partition for the OS. • One of the four entries may be an "extended partition", which can be subdivided into further logical drives; under DOS the practical ceiling is 23, because only the drive letters D: through Z: are available. • Remember: the partition of the boot drive where the operating system resides must be marked bootable (active). • FDISK, a Microsoft tool, enables the user to partition a hard drive. Partitioning writes a master boot record, containing the partition table, to the first sector of the disk.

  22. Partitions cont'd • The partition table – not to be confused with the FAT, which lives inside a volume – describes every primary partition on a disk: its starting location, its size, its type, and whether it is bootable. It is stored inside the Master Boot Record at physical address cylinder 0, head 0, sector 1 (LBA 0): 446 bytes of boot code, then four 16-byte partition entries starting at byte offset 0x1BE, then the signature bytes 0x55 0xAA at offset 0x1FE. Each entry records the partition's start and end in CHS form and as an LBA start plus a sector count, with multi-byte values stored little-endian. • Extremely important in forensic investigations – a user can hide an entire partition by editing the table (for example by deleting its entry, or by changing its type byte to a "hidden" type that the OS ignores). Investigators unaware of this may be confused to find that the logical drive sizes add up to less than the physical disk, or that the visible drives do not match the identified characteristics; the space not covered by any entry must be imaged and examined directly.
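
An added example (not code from the presentation) that ties together slides 15, 18, 21 and 22: it parses a master boot record, decodes the packed CHS bytes and checks them against the little-endian LBA fields, flags entries whose type byte marks them as hidden, and lists the sector ranges no entry claims. The sector it parses is constructed in the block itself and stands in for a 4 GiB disk; the legacy 255-head, 63-sector geometry used for the CHS arithmetic is an assumption, as are the partition layout and sizes.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE                 # four 16-byte entries follow 446 bytes of boot code
SIGNATURE_OFFSET = 0x1FE             # 0x55 0xAA
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
HEADS, SPT = 255, 63                 # assumed legacy BIOS geometry for CHS <-> LBA arithmetic

TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "extended (LBA)", 0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32"}
HIDDEN_TYPES = {0x17, 0x1B}          # "hidden" variants that DOS/Windows will not mount


def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    return (c * heads + h) * spt + (s - 1)      # CHS sectors count from 1, LBA from 0


def lba_to_chs(lba, heads=HEADS, spt=SPT):
    c, rem = divmod(lba, heads * spt)
    h, s0 = divmod(rem, spt)
    return c, h, s0 + 1


def pack_chs(c, h, s):
    """On-disk 3-byte form: head; sector in the low 6 bits with cylinder bits 8-9 on top; cylinder low byte."""
    return bytes([h, (s & 0x3F) | ((c >> 8) << 6), c & 0xFF])


def unpack_chs(b):
    return ((b[1] >> 6) << 8) | b[2], b[0], b[1] & 0x3F


def parse_mbr(sector0):
    """Decode the four partition entries; raise if the boot signature is missing."""
    if len(sector0) < SECTOR or sector0[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature: not an MBR")
    entries = []
    for i in range(4):
        status, chs_start, ptype, chs_end, lba, count = ENTRY.unpack_from(sector0, TABLE_OFFSET + 16 * i)
        if ptype == 0:                          # empty slot
            continue
        entries.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "label": TYPE_NAMES.get(ptype, f"unknown 0x{ptype:02x}"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba, "lba_end": lba + count - 1, "sectors": count,
            "chs_start_as_lba": chs_to_lba(*unpack_chs(chs_start)),   # equals lba_start on old disks
        })
    return entries


def unallocated_gaps(entries, disk_sectors):
    """Sector ranges no entry claims; an examiner must image and inspect these, since a
    partition deleted from the table (or never listed) lives there."""
    gaps, cursor = [], 1                        # sector 0 is the MBR itself
    for start, end in sorted((e["lba_start"], e["lba_end"]) for e in entries):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_entry(bootable, ptype, lba, count):
    """Encode one entry (used only to construct the sample sector below)."""
    return ENTRY.pack(0x80 if bootable else 0x00, pack_chs(*lba_to_chs(lba)), ptype,
                      pack_chs(*lba_to_chs(lba + count - 1)), lba, count)


# Constructed sample: a 4 GiB disk with a bootable NTFS partition, a FAT32 partition,
# about 1 GiB of unallocated space, then a partition whose type byte was changed to "hidden NTFS".
DISK_SECTORS = 8_388_608
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + build_entry(True, 0x07, 63, 2_097_152)
              + build_entry(False, 0x0B, 2_097_215, 2_097_152)
              + build_entry(False, 0x17, 6_291_456, 1_048_576)
              + bytes(16)
              + b"\x55\xAA")


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("unallocated:", unallocated_gaps(parts, DISK_SECTORS))
```

The gap report is the practical check against the "hidden partition" trick on this slide: the first gap (sectors 1 to 62) is the normal track-0 reserve, but the 1 GiB hole between the second and third entries and the 512 MiB tail after the last one would not show up in any drive letter and must be carved from the image.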

  23. Data Location • File Allocation Table (FAT) – the structure used to identify and locate files on a FAT-formatted volume; there are normally two copies, and the OS consults the FAT to find the rest of a file's clusters after reading the starting cluster from the directory entry. • The 12-, 16-, and 32-bit designations used by DOS/Windows indicate how many bits each FAT entry uses to hold a cluster number (FAT32 actually uses 28 of its 32 bits). • Every entry in the FAT corresponds to one cluster. • The value stored there identifies: • whether the cluster is free (0) or marked "bad"; • whether the cluster is the end of a file (an end-of-chain marker); • otherwise, the number of the next cluster in the file's chain. • Because the FAT is a chain, a file's clusters are recovered by following entries from the start cluster to the end-of-chain marker; a corrupt or tampered FAT shows up as chains that loop, run into free or bad clusters, or point outside the volume. • FAT32 was created to support larger volumes (over 2 GB) and to manage space more efficiently by using smaller clusters on large disks. • NTFS – the default file system on Windows NT-family systems – replaces the FAT with a Master File Table and keeps richer metadata (timestamps, permissions, alternate data streams, a journal) that is itself a source of evidence.
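
The chain-following described above, as an added example (not code from the presentation). It reads FAT12, FAT16 and FAT32 entries from raw table bytes, walks a file's cluster chain, and refuses to follow chains that loop, hit a free or bad cluster, or leave the data area. The FAT16 and FAT12 tables it walks are constructed in the block; the cluster numbers, the first-data-sector value and the cluster size are assumptions for the sake of the example.

```python
# FAT chain walking for FAT12/16/32, with corruption checks.

EOC_MIN = {12: 0xFF8, 16: 0xFFF8, 32: 0x0FFFFFF8}   # values at or above this mark end-of-chain
BAD = {12: 0xFF7, 16: 0xFFF7, 32: 0x0FFFFFF7}       # "bad cluster" marker


def fat_entry(fat, n, bits):
    """Read FAT entry n (the value stored for cluster n) from raw FAT bytes."""
    if bits == 12:                                  # 1.5 bytes per entry, packed
        off = n + n // 2
        word = int.from_bytes(fat[off:off + 2], "little")
        return word >> 4 if n & 1 else word & 0x0FFF
    if bits == 16:
        return int.from_bytes(fat[n * 2:n * 2 + 2], "little")
    if bits == 32:                                  # only the low 28 bits hold the cluster number
        return int.from_bytes(fat[n * 4:n * 4 + 4], "little") & 0x0FFFFFFF
    raise ValueError(f"unsupported FAT width: {bits}")


def classify(value, bits):
    if value == 0:
        return "free"
    if value == 1:
        return "reserved"
    if value == BAD[bits]:
        return "bad"
    if value >= EOC_MIN[bits]:
        return "eof"
    return "next"


def walk_chain(fat, start, bits, max_cluster):
    """Follow a file's cluster chain from its start cluster; raise on loops or broken links."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur > max_cluster:
            raise ValueError(f"cluster {cur} is outside the data area (2..{max_cluster})")
        if cur in seen:
            raise ValueError(f"chain loops back to cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        value = fat_entry(fat, cur, bits)
        kind = classify(value, bits)
        if kind == "eof":
            return chain
        if kind != "next":
            raise ValueError(f"chain broken at cluster {cur}: next entry is {kind}")
        cur = value


def cluster_to_sector(cluster, first_data_sector, sectors_per_cluster):
    """Data clusters are numbered from 2, so cluster 2 starts at the first data sector."""
    return first_data_sector + (cluster - 2) * sectors_per_cluster


def free_clusters(fat, bits, max_cluster):
    return [n for n in range(2, max_cluster + 1)
            if classify(fat_entry(fat, n, bits), bits) == "free"]


def build_fat16(links, max_cluster):
    """Construct a FAT16 table from a {cluster: value} map (test data, not read from a disk)."""
    fat = bytearray((max_cluster + 1) * 2)
    fat[0:2] = (0xFFF8).to_bytes(2, "little")       # media descriptor entry
    fat[2:4] = (0xFFFF).to_bytes(2, "little")       # reserved
    for cluster, value in links.items():
        fat[cluster * 2:cluster * 2 + 2] = value.to_bytes(2, "little")
    return bytes(fat)


MAX_CLUSTER = 12
SAMPLE_FAT16 = build_fat16({
    2: 3, 3: 7, 7: 0xFFFF,       # file A: clusters 2 -> 3 -> 7, then end of chain
    4: 0xFFF7,                   # bad cluster
    6: 0xFFFF,                   # file B: a single cluster
    8: 9, 9: 8,                  # corrupt: a loop
    10: 11,                      # corrupt: points at a free cluster
}, MAX_CLUSTER)

# The same idea for FAT12: entries 0..3 = 0xFF8, 0xFFF, 0x003, 0xFFF packed into six bytes.
SAMPLE_FAT12 = bytes.fromhex("f8ffff03f0ff")


if __name__ == "__main__":
    print("file A occupies clusters", walk_chain(SAMPLE_FAT16, 2, 16, MAX_CLUSTER))
    print("free clusters:", free_clusters(SAMPLE_FAT16, 16, MAX_CLUSTER))
    for start in (8, 10):
        try:
            walk_chain(SAMPLE_FAT16, start, 16, MAX_CLUSTER)
        except ValueError as e:
            print("corruption:", e)
```

The "minus 2" in cluster_to_sector is the classic trap when mapping a chain onto sector offsets in a hex editor: entries 0 and 1 of the FAT are the media descriptor and a reserved value, so the first real data cluster is number 2.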

  24. Data Management • Master boot record – occupies the very first sector of the physical disk, absolute sector 0 (CHS 0/0/1). Its boot code locates the active entry in the partition table and hands off to that partition's boot sector. • Boot sector (volume boot record) – the first sector of each partition; it holds the volume's parameters (sector size, sectors per cluster, number of FATs, and so on) and the code that loads the operating system from that volume. • BIOS (Basic Input Output System) – machine-code routines stored in ROM, including the services for reading physical disks by sector, that run when the system is powered on; after its self-test the BIOS reads the MBR into memory and jumps to it. • Bootstrap loader – the code in the MBR and boot sector; it is the first code executed from the disk when the system boots (the BIOS itself runs first).

  25. Data Integrity • CRC (Cyclic Redundancy Check) – a short, computer-generated (i.e., calculated) check value, typically 16 or 32 bits, designed to detect accidental transmission or storage errors. Because it is short and linear, two different files can easily share a CRC, so it is not a suitable identifier for evidence. • MD5 hash – a 128-bit value designed by Ron Rivest of RSA Laboratories; a one-way function whose output acts as the equivalent of digital DNA for a file. • For two files chosen at random, the chance that they share an MD5 value is 1 in 2^128. • Brian Deering, NDIC, analogizes the chance of randomly generated matching hash values to hitting the Pennsylvania Lottery Super 6 5.582 x 10^41 (or 558,205 billion, billion, billion, billion) times before this will occur (http://theory.lcs.mit.edu/~rivest/Rivest-MD5.txt). • Remember: those odds apply to accidental matches. Since 2004 researchers have shown how to deliberately construct two different files with the same MD5 value, so current practice records a second, stronger hash (SHA-256) alongside MD5 when imaging evidence; MD5 remains useful for matching against existing known-file hash sets. • Hashkeeper – a program (from NDIC) that maintains the hash values of a variety of known files – matching against it lets the examiner set known, unmodified files aside and reduces the amount of information needing to be processed.

  26. Conclusions • Computer crime is the wave of the future. • Administrators must establish forensic computer science capabilities, evaluating the feasibility of partnering LE personnel with civilian experts and relying on cooperation of corporate entities. • Proper training must begin with a basic understanding of computer structure and data management.
