Term Report. Forensics for IT

Transcription

1 Term Report Forensics for IT Trisia Yung ACC 626 Professor Malik Datardina June 28, 2012

2 Introduction Technology has enhanced the operational aspects of today s businesses by improving productivity and efficiency. Many businesses have created a competitive advantage and improved their strategy with the use of technology. However, technology has also become an instrument for fraudulent activities such as hacking and access to private information. With the increased need of technology usage in businesses and the society and the conflicting problem of illegal activities conducted using technology, forensic tools have become useful in detecting, solving and proving electronic fraud and crimes (Volonino). Forensics is the use of science to solve matters related to the legal system. Technology has allowed this process to involve advanced techniques and to solve crimes that were committed using electronics. Forensics for information technology can be diverted into two categories: computer forensics and digital forensics. Computer forensics is the collection, preservation, analysis and presentation of electronic evidence for litigation purposes (Bassett). The technological processes used in this area are tools and practices that are forensically capable and accepted. Digital forensics is a product that evolved from computer forensics. It is the application of computer technology to a matter of law, where evidence includes items that are created by technology through human interaction (Daniel). There is a greater focus on the actual applications and processes in digital forensics. The evolution of forensics for information technology shows the growing emphasis and increased usage of technological processes to discover or solve illegal activity (Moscaritolo). The following report will present the tools and techniques used in forensics for information technology. Many issues are encountered through the usage, such as legal barriers, emerging advanced technology and anti-forensic tools and techniques. Important issues and aspects that forensic professionals and C-suite executives should be aware of will also be discussed. The Digital Forensics Process Digital evidence is widely created and stored electronically due to the vast usage of technology. Digital footprints can be created through interaction of humans when using computer applications, whether intentionally or by others on your behalf. In order to discover and analyze such digital evidence and data, structured processes have been established by digital forensic 1

3 professionals. The basic digital forensic process includes acquisition, preservation, analysis and presentation (DFRWS). The initial step of the process is acquisition. This process entails the action of collecting electronic data (Daniel). It could include physically acquiring a hard drive from a crime scene or obtaining an electronic forensic soft copy of certain data files. Other items can include an entire computer system, smartphone device or an USB drive. During this process, the integrity of the digital evidence is important and crucial for the entire digital forensics investigation. The first contact with the digital evidence is initiated through this process so the integrity of the data could be easily altered, damaged or destroyed (Carrier). For example, turning on a computer and opening a few applications could lead to changes to many files. Careful procedures must be allowed as data could easily be unintentionally modified or deleted. The next step of the process is preservation. It is the process of creating a chain of custody that begins once the data is collected and ends once it is released to the user or destroyed (Daniel). This process is important because after the digital evidence is acquired, it must be preserved such that no alterations will prevent it from being defendable in court. There cannot be any break in the chain of custody as it will raise questions on the validity and integrity of the data. The digital evidence must also be stored in a secure location or environment where no intentional destruction can be made by malicious persons or modified accidentally by untrained personnel. An example of good preservation is the use of a chain of custody log, which includes details on each piece of evidence and records each time the data is checked out for use. The third step of the digital forensic process is analysis. It is the process of locating and collecting evidentiary items from digital evidence collected (Daniel). In this step, the nature of the analysis will dictate the approach and techniques used, and this differs under each type of investigation. The forensic professional s training and individual skill will have a large impact for this process. Electronic evidence and data comes in many different forms so the use of tools and techniques to analyze them will differ. Popular tools used for digital forensics will be discussed later in this report. This stage is important because it identifies the evidence and creates the outcome for the entire investigation (Carrier). The final step of the digital forensic process is the presentation of findings. This includes the written forensics report, court testimony and deposition of experts (Daniel). There is no standard 2

4 guideline on what the written forensics report should encompass. The report should have a clear explanation of what was examined, tools used in the analysis process and results of the examination. The process of collecting data and safeguards to preserve the evidence should also be clearly outlined. The background and experience of the examiner is important so the reader should also be informed of examiner s information. Finally, the report should include the actual data recovered to support the findings and conclusions. Digital Forensics Tools and Techniques Many tools are available for digital forensic examiners to apply to their investigation. These tools consist of software and programs that help the examiner to identify, obtain and analyze digital evidence. There is rigorous amount of investigation for each forensic analysis task so forensics software can make the process more efficient and less demanding for examiners. Since crime committed using technology and evidence in digital form is difficult to discover and analyze, software must be used to discover evidence that cannot be discovered by simple tools used in classic forensic investigation. The tools that will be discussed are EnCase, Forensic Toolkit and Paraben. Professionals should acquire and learn the forensic examination software to ease their investigative work. EnCase EnCase is a popular software used in digital forensic analysis. The main functions of EnCase are to provide disk imaging, data verification and data analysis (Arthur). This software is advantageous because it responses to incidents immediately to provide the required analysis on volatile or static data on compromised hardware, servers and computer stations. The software can perform its incident response system anywhere on the network. A common problem or risk with digitial forensics analysis is the possibility of data being altered or erased through the analysis process due to the inconsistency of hardware performance and actions of untrained personnel. EnCase identifies this problem and counteracts it by performing analysis while ensuring data will not be modified, as well as obtaining data and conducting analysis while not disrupting operations of processes (Digital Intelligence). The general EnCase process begins with the storage device seized to be investigated. The integrity of the file is verified by the software using the MD5 hash function. The file is then mounted to eliminate the need to restore the seized hardware device (Arthur). A screen shot of EnCase s user interface is shown in 3

5 Appendix 1. As seen in the screen shot, EnCase is user friendly as it provides an integrated view of all files detected with important details such as access logs and time stamping. EnCase consists of three components: the Examiner software, SAFE (Secure Authentication of EnCase) and Servlet (Bassett). The Examiner is installed on the systems where the digital evidence resides and where there is need for analysis and investigation. SAFE is a tool that authenticates users, provides access rights for administrators, maintains a log for EnCase transactions and acts a platform for secure data transmission. This component of EnCase is an important control tool that provides assurance to users that the software is secure. The third component, Servlet, is installed with the purpose to provide connectivity between Examiner, SAFE and the servers, networks or devices being investigated. It is installed on the actual server, network or device to establish connectivity. EnCase has gained its popularity and is acknowledged by forensic examiners because the three components have been designed to effectively provide a seamless process for the acquisition and analysis of volatile data. These processes work effectively on different networks, servers and hardware that are compromised. The speed at which EnCase can isolate, identify, assess and rectify security breaches and conduct forensic analysis is also a reason for its praise in functionality. The key merits of EnCase are that it is through and accurate. Also, it uncovers information efficiently and can uncover data that was intentionally hidden or deleted. Forensic Toolkit (FTK) Forensic Toolkit is digital forensics software that performs powerful and complete examinations (Bassett). It allows all files of the storage device to be viewed at the same time (Arthur). It contains file filtering and searching functions that is widely used and favoured by forensic examiners. FTK is known for its ability to sort through databases, specifically for recovering deleted and partially deleted s. Since s are one of the most used channels for communication, it is important to be able to identify where fraud or malpractice has been discussed between individuals. Users can search and sort through many files quickly and efficiently by using customized filters. In addition to instant text search, which is available in other forensic software, FTK provides searching and filtering for JPEG image files and internet text. It has the ability to recover deleted files and partitions. Users have praised FTK for its ability to target searches by creating custom file filters. FTK provides sound documentation for the forensic process as it generates audit logs and case reports. One of the key features of FTK is its ability to generate hash values. Hashing functions are used for internal verification and 4

6 guarantees the integrity of files. The drawback of FTK is it does not support data recovery (Arthur). Paraben Paraben is digital forensic examination software. It consists of nine different software applications, which take a different role in the examination process. The nine software applications are: Forensic Replicator, Forensic Sorter, Examiner, Network Examiner, Text Searcher, Case Agent Companion, Decryption Collection Enterprise, Chat Examiner and PDA Seizure (Bassett). Each of these applications has a unique and useful role in the digital forensic examining process. The Forensic Applicator takes the data that is required for investigation and replicates it. The data is exactly the same as it was in the hard drive and media, which ensures data integrity and completeness. The Forensic Sorter sorts the data and classifies it into different categories. The objective of this process is to make the examination process more manageable, easier to find information and faster. The Examiner can recover active and deleted s from multiple platforms such as Outlook Express, MSN mail and others. Network Examiner examines archives on networks. Text searcher allows the examiner to search for specific terms and words in the text and is a powerful searching tool for forensic examination. This application has a user-friendly interface, is compatible with a variety of languages and has searching capabilities for different types of files. It factors out unallocated space and slack so users don t have to worry that their search does not get generated as a result of spacing. Case Agent Companion allows the examiner to view files by case and organize the results. The analysis is logged in a detailed file log for convenient organization. The Decryption Collection Enterprise decrypts encrypted data and recovers passwords. Chat logs can be analyzed using Chat Examiner, but it does not support all chat applications. The PDA seizure function acquires, views and reports data from a PDA device. Overall, Paraben is an integrated and thorough function for digital forensic examination (Bassett). Current Issues of Forensics for IT The key issues surrounding computer and digital forensics are legal system barriers, antiforensics and emerging advanced technology. 5

7 Legal System Barriers Technology constantly changes and improves as a result of advanced research and development. Current legislation is relatively stable and permanent. Digital forensics combines the two concepts by using technology to discover and analyze digital evidence to be presented in court. However, a problem arises as laws are not written with the use of advanced digital investigation techniques and evidence in mind. The uniqueness of using digital forensic tools for data recovery, analysis and preservation propose a challenge for the court system as they often question the validity of the evidence. The key issue with using digital evidence in the legal system is whether the evidence should be admissible. In a court case regarding George Mason University, digital evidence collected and presented in court was deemed to be useless and was not allowed to be presented in court as evidence (Ryan). The evidence was collected and treated with lack of due care and attention. If the information obtained was in fact evidence that could prove an innocent individual to be not guilty, the court system displays serious lack of procedures and guidelines for collecting and using digital evidence. Digital evidence collected for use in the court system are often criticised for multiple issues (a list of the factors considered by court are available in Appendix 2). The digital evidence is challenged on whether the theories or techniques of analysis have been tested or reviewed, whether there are standards governing the process and other factors that relate to lack of regulation and guidelines (Ryan). There are also stringent guidelines for evidence to be admissible in court, such as it needs to be relevant, derived from a scientific method and supported by validation (a list of the guidelines are available in Appendix 2). Digital evidence must be frozen prior to opening the files for investigation because files could be modified or deleted if it is not. Restrictions for using digital evidence include requiring the providing party to warrant trust worthy and accurate information. Although the use of digital forensic software discussed in the previous section can alleviate the data safeguarding and process specification problems, the written legislation does not provide detailed guidance on what is considered trust worthy or accurate. This leads to a lot of evidence being rejected in courts. In order for forensic evidence to be used to its full purpose and functionality, the legal system should provide special guidance on the required acquisition, preservation and analysis process. s and instant messaging records a source of evidence for illegal activity. There have been new regulations for the investigation requirements of electronic evidence, such as Sarbanes- Oxley Act and the Federal Rules of Civil Procedure (Volonino). There are several problems 6

8 when a court issues an evidence preservation order, as disruptions can erupt on the information system and halt operations. Controls may be tampered when the court orders a company to freeze back-up tapes. It is a time consuming and costly process when acquiring records to present in court. In addition, companies do not anticipate for s to be used as e- evidence so they are often poorly managed, leading to sanctions by the courts and disruption to investigations. For digital forensics to become a useful function, courts need to provide companies with better data retention procedures and guidelines. Anti-Forensics The digital forensics tools and software have proven to be effective in discovering evidence of those who committed fraudulent activities using technology. As a result, those who engage in malpractice and fraud over computer hardware, mobile devices and servers or networks will attempt to overcome the forensic tools. There will be ever increasing tools and techniques to counteract digital forensic investigations. These tools and techniques are called anti-forensics, and can be defined as tools, methods and processes that hinder scientific analysis of evidence for the court (Kessler). Data Hiding Dating hiding is accomplished by using hidden written and digital steganography (Peron). This is language or formats that only the selected crime committing individuals will understand. It is relatively easy to use low technology methods to hide data without being detected by automated tools. Certain networks and channels allow data communication over public or private networks that are hidden to investigators, such as the communication protocol TCP/IP (Kessler). Slack and unallocated spaces in the hard drive can also be used to hide data. Data Wiping Data files are destroyed using overwrites during data wiping, also known as artefact wiping (Kessler). This process makes data recovery impossible. Programs that offer data wiping include BC Wipe, Eraser and PGP Wipe. Such programs are offered in the market because some users want to recover storage space and protect privacy. However, traces could be left during data wiping. Trail Obfuscation Trail obfuscation is accomplished by hiding the intended meaning of data communication and making the trail appear confusing to investigators (Peron). Some techniques include spoofing the IP and Medium Access Control. False headers are used for s to confuse investigations, and Simple Mail Transfer Protocol (SMTP) proxies and 7

9 anonymous Secure Shell tunnel servers are used. Server log files and event files can be wiped or altered. Time stamp modification can be done as dates and timestamps on these files are modified to confused investigations (Pajek). Attacks Against Computer Forensic Tools The process of digital forensics is prone to attacks at every stage, whether in acquisition, preservation and analysis (Kessler). Anti-forensics will identify the presence of forensic tools and target their weaknesses so that their functionality cannot be used at its full potential. Forensic tools often use hash totals to check for data integrity. Anti-forensics will modify results of hash totals. This technique is known as hash collision. At the preservation stage, access to the data could be blocked or the tool responsible for the source data is disabled (Pajek). Encryption is also used to protect the information from unauthorized access. Emerging Technology The constant emergence and growth of technology and computer functions prompts a change in the nature of digital evidence. It could impact digital evidence by changing the size, format, function and speed, which complicates the process of gathering information (Ryan). With the increase usage of linked networks, integration of mainframes and computers becoming smaller and faster, digital evidence could arise in unexpected areas and could be difficult to discover. Impact on the Profession Tools and techniques used in computer forensics have become useful for assurance-related professions. Auditors can use the same three steps in the digital forensics process (acquisition, analysis and reporting/conclusion) (Purita) for incident detection. Professionals in the assurance field must be adequately trained to use software such as EnCase and Forensic Toolkit. Although this is not part of the regular competencies of an audit or accounting professional, they must acquire additional training if such individuals decide to take on a forensic analysis role. As previously introduced, there are constantly emerging anti-forensic techniques to counteract digital forensic software. Professionals in the forensics field must have a strong understanding of anti-forensic techniques so they are aware during the investigation process. For example, awareness of the issue of data-hiding prompts investigators to look at slack space for hidden data. 8

10 Forensic examiners will need to work closely with other professionals in IT and law. By working closely with IT professionals, they will have a better understanding of new technology and techniques to use within existing software to provide the most accurate and useful results. Working with legal professionals is required as forensic examiners do the work to provide law enforcement with digital evidence. Overall, professionals need to obtain solid knowledge on computer systems, forensic tools and technology. Impact on C-Suite Executives Digital forensics has become useful for businesses due to the increased usage of technology during everyday operations. Many internal and external parties will try to commit fraudulent activities or attack a company s information system. Digital forensics is the solution for many senior executives when dealing with problems associated with information technology weaknesses and fraud. Due to their lack of background in technology, forensic examiners take over the investigation process and add-value to the business by discovering individuals or events that could be costing the company losses and disadvantage. The senior level executive that should be responsible for the implementation of digital forensics is the Chief Technology Officer, or the highest level C-suite executive related to information technology. The CTO should have an understanding of the forensic software available and the types of tasks that can be carried out in the event that their systems have been compromised or attacked, or their confidential information is altered or stolen. Depending on the size of the company, the CTO could equip the IT team with qualified forensic investigation individuals or hire external forensic examiners. With increased usage and awareness of computer forensics, CTOs should be aware that the reason for this investigative tool is due to increased hackers and attackers. As a result, CTOs should create a solid and robust IT security plan, which includes controls and recovery procedures. This will reduce the risk of the company s IT systems being attacked in the first place. The CTO should be responsible for allocating IT spending that result in a high level of security. The CTO could consult with their auditors for IT control frameworks and advice. The CTO should advise staff to support the forensic investigation by abiding to requirements and using logs to record any retrieval of data. 9

11 Conclusion Digital forensics provides businesses with a tool to investigate and analyze internal and external attacks, fraud and illegal activities. There are wide arrays of tools and techniques that can be used for forensic investigation. EnCase, Paraben and Forensic Toolkit are examples of popular software used in computer forensic analysis that cover the process of acquisition, preservation and analysis. Unfortunately, anti-forensic tools also improve over time and attempt to overcome the forensic tools. Data hiding, data wiping, trail obfuscation and attacks against computer forensic processes and tools are often used as a technique to overcome forensic investigations. The sophistication of anti-forensics will be a challenge for users of forensic investigation findings and examiners involved in the forensic process. Digital forensics also faces the challenges of legal barriers, due to the questionable admissibility of e-evidence in the court room and the lack of legislative guidelines for obtaining e-evidence. New technology is constantly being created so digital forensic professionals will need to capitalize on new technology and software. The importance and usage of digital forensics will increase as business processes become automated. Companies and executives should prepare and take advantage of this capability such that their IT controls and disaster recovery plans encompass the use of digital forensics. 10

12 Appendix 1 Encase User Interface Data Discovery Results Arthur, K.K., and H.S. Venter. "An Investigation Into Computer Forensic Tools." Information and Computer Security Architectures (ICSA) Research Group: Print. 11

13 Appendix 2 The courts suggested several factors to be considered to determine whether digital evidence possesses the requisite scientific validity: whether the theories and techniques employed by the scientific expert have been tested; whether they have been subjected to peer review and publication; whether the techniques employed by the expert have a known error rate; whether they are subject to standards governing their application; and whether the theories and techniques employed by the expert enjoy widespread acceptance. The International HighTech Crime Conference in 1999 adopted the following guidelines to preserve admissibility of digital evidence: Upon seizing digital evidence, action should not change that evidence. When it is necessary for a person to access original digital evidence, that person must be forensically competent. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. [sic] Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles. Ryan, Daniel J., and Gal Shpantzer. "Legal Aspects of Digital Forensics." The George Washington University. Web. < 12

14 References "A Road Map for Digital Forensic Research." A Road Map for Digital Forensic Research (2001): Digital Forensic Research Workshop (DFRWS). AFRL/IFGB, 7-8 Aug Web. < Arthur, K.K., and H.S. Venter. "An Investigation Into Computer Forensic Tools." Information and Computer Security Architectures (ICSA) Research Group: Print. Bassett, Richard, Linda Bass, and Paul O'Brien. "Computer Forensics: An Essential Ingredient for Cyber Security." Journal of Information Science and Technology 3.1 (2006): Print. Carrier, Brian. "Open Source Digital Forensics Tools." (2002): Web. 26 May Daniel, Larry, and Lars Daniel. "Overview of Digital Forensics." Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom. Waltham, MA: Syngress/Elsevier, Print. "Guidance Software Encase Forensic." Digital Intelligence. Web. 26 May < Kessler, Gary. "Anti-Forensics and the Digital Investigator." (2007): 1-7. Web < Moscaritolo, A. (2011, August). Forensic Intel. SC Magazine, 22(8), 28-29,31. < Pajek, Przemyslaw, and Elias Pimenidis. "Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation." (2009): School of Computing IT and Engineering,. University of East London, United Kingdom. Web. < % pdf>. 13

15 Peron, Christian S.J., and Michael Legary. "Digital Anti-Forensics: Emerging Trends in Data Transformation Techniques." Seccuris Labs (2010): Web. 27 May < Purita, Ryan. "Computer Forensics: A Valuable Audit Tool." Computer Forensics: A Valuable Audit Tool. Internal Auditor, Sept Web. < Ryan, Daniel J., and Gal Shpantzer. "Legal Aspects of Digital Forensics." The George Washington University. Web. < Szeżyńska, Magdalena, Ewa Huebner, Derek Bem, and Chun Ruan. "Methodology and Tools of IS Audit and Computer Forensics The Common Denominator." Advances in Information Security and Assurance 5576 (2009): Print. Volonino, Linda. "Electronic Evidence and Computer Forensics." Communications of the Association for Information Systems (2003): Print. 14