
Computer Forensics Tools

Programmers have created many computer forensics applications. For many police departments, the choice of tools depends on department budgets and available expertise.
Here are a few computer forensics programs and devices that make computer investigations possible:
- Disk imaging software records the structure and contents of a hard drive. With such software, it's possible not only to copy the information on a drive, but also to preserve the way files are organized and their relationship to one another.
- Software or hardware write tools copy and reconstruct hard drives bit by bit. Both the software and hardware tools avoid changing any information. Some tools require investigators to remove hard drives from the suspect's computer before making a copy.
- Hashing tools compare original hard disks to copies. The tools analyze data and assign it a number (the hash) that is, for practical purposes, unique to that exact data. If the hash numbers on an original and a copy match, the copy is a perfect replica of the original.
- Investigators use file recovery programs to search for and restore deleted data. These programs locate data that the computer has marked for deletion but has not yet overwritten. Sometimes this results in an incomplete file, which can be more difficult to analyze.
- Several programs are designed to preserve the information in a computer's random access memory (RAM). Unlike information on a hard drive, the data in RAM ceases to exist once someone shuts off the computer. Without the right software, this information could easily be lost.
- Analysis software sifts through all the information on a hard drive, looking for specific content. Because modern computers can hold gigabytes of information, searching computer files manually is very difficult and time consuming. For example, some analysis programs search and evaluate Internet cookies, which can help tell investigators about the suspect's Internet activities. Other programs let investigators search for specific content that may be on the suspect's computer system.
- Encryption decoding software and password cracking software are useful for accessing protected data.
These tools are only useful as long as investigators follow the right procedures. Otherwise, a good defense lawyer could suggest that any evidence gathered in the computer investigation isn't reliable. Of course, a few anti-forensics experts argue that no computer evidence is completely reliable.
Whether courts continue to accept computer evidence as reliable remains to be seen. Anti-forensics experts argue that it's only a matter of time before someone proves in a court of law that manipulating computer data without being detected is both possible and plausible. If that's the case, courts may have a hard time justifying the inclusion of computer evidence in a trial or investigation.
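As an added example that is not part of the article, here is the imaging-plus-hashing workflow behind the first three tools above, in Python: the script copies a constructed, random sample "drive" file block by block, hashes the source bytes as they are read, and then checks the copy against the hash recorded at acquisition. The file names, the block size and the sample data are arbitrary choices; a real acquisition reads from a write-blocked device and records the acquisition hash in the case notes.

```python
"""Bit-for-bit imaging with hash verification.
Added example, not from the article; paths, block size and sample data are arbitrary."""
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # read in 1 MiB blocks so an image need not fit in memory


def sha256_of(path):
    """Stream a file (or raw device node) through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_disk(source, dest):
    """Copy every byte of `source` to `dest`. The source hash is computed from the
    same bytes as they are read, so the original is read exactly once."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(acquisition_hash, image_path):
    """The copy is a perfect replica when its hash equals the hash recorded at acquisition."""
    return sha256_of(image_path) == acquisition_hash


def demo():
    """Constructed sample: a fake 'drive' file, one clean image and one image in which
    a single byte was altered after acquisition."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))  # deliberately not a multiple of BLOCK

    good = os.path.join(workdir, "image.dd")
    acquisition_hash = image_disk(drive, good)

    tampered = os.path.join(workdir, "image_tampered.dd")
    image_disk(drive, tampered)
    with open(tampered, "r+b") as f:          # flip one byte in the middle of the copy
        f.seek(BLOCK + 7)
        original = f.read(1)
        f.seek(BLOCK + 7)
        f.write(bytes([original[0] ^ 0xFF]))

    return {
        "good_verified": verify_image(acquisition_hash, good),
        "tampered_verified": verify_image(acquisition_hash, tampered),
        "source_still_matches": sha256_of(drive) == acquisition_hash,
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the source while it is being copied, rather than reading it a second time, is the point of `image_disk`: every extra pass over the original is another chance to disturb it. The clean image verifies, the copy with one flipped byte does not, and a re-hash of the source shows it was left as found.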

Anti-Forensics
Anti-forensics can be a computer investigator's worst nightmare. Programmers design anti-forensic tools to make it hard or impossible to retrieve information during an investigation. Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation.
There are dozens of ways people can hide information. Some programs can fool computers by changing the information in files' headers. A file header is normally invisible to humans, but it's extremely important -- it tells the computer what kind of file the header is attached to. If you were to rename an mp3 file so that it had a .gif extension, the computer would still know the file was really an mp3 because of the information in the header. Some programs let you change the information in the header so that the computer thinks it's a different kind of file. Detectives looking for a specific file format could skip over important evidence because it looked like it wasn't relevant.
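An added example, not from the article, of the check an examiner's tooling should make instead of trusting extensions: identify each file's type from its header bytes and report every file whose extension disagrees with what the header says. The signatures are published format constants; the sample files are constructed inside the script and only their first bytes matter.

```python
"""Identify file types from header bytes and flag extension/header mismatches.
Added example, not from the article. Signatures are public format constants."""
import os

# (magic bytes, type) -- all of these signatures sit at offset 0
SIGNATURES = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),        # Windows PE / DOS executable
    (b"\x7fELF", "elf"),   # Linux executable
    (b"ID3", "mp3"),       # MP3 carrying an ID3v2 tag
]

EXTENSION_TYPES = {".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
                   ".pdf": "pdf", ".zip": "zip", ".exe": "exe", ".mp3": "mp3"}


def identify(data):
    """Return the type implied by the header, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # An MP3 without an ID3 tag begins directly with a frame sync (11 set bits).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def extension_mismatch(filename, data):
    """Return (type claimed by the name, type found in the header) when they disagree,
    None when they agree or when the header is not one we recognise."""
    claimed = EXTENSION_TYPES.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = identify(data)
    if actual == "unknown" or actual == claimed:
        return None
    return (claimed, actual)


# Constructed sample files: only the leading bytes matter for this check.
SAMPLES = {
    "holiday.gif": b"GIF89a" + b"\x00" * 16,                       # honest GIF
    "song.gif": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 8,  # MP3 renamed to .gif
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",                # honest PDF
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",                    # executable posing as text
    "track.mp3": b"\xff\xfb\x90\x64" + b"\x00" * 12,                # MP3 without ID3 tag
}


def scan(samples=SAMPLES):
    """Map each file name to its mismatch, keeping only the suspicious ones."""
    report = {}
    for name, data in samples.items():
        mismatch = extension_mismatch(name, data)
        if mismatch:
            report[name] = mismatch
    return report


if __name__ == "__main__":
    for name, (claimed, actual) in scan().items():
        print(f"{name}: extension says {claimed}, header says {actual}")
```

The renamed mp3 and the executable stored as `.txt` are the two files reported. Note the converse case the article describes, a header that has itself been rewritten, defeats this check by design; the mismatch report is a cheap first pass, not a substitute for examining content.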
Other programs can divide files up into small sections and hide each section at the end of other files. Files often have unused space called slack space. With the right program, you can hide files by taking advantage of this slack space. It's very challenging to retrieve and reassemble the hidden information.
It's also possible to hide one file inside another. Executable files -- files that computers recognize as programs -- are particularly problematic. Programs called packers can insert executable files into other kinds of files, while tools called binders can bind multiple executable files together.
Encryption is another way to hide data. When you encrypt data, you use a complex set of rules called an algorithm to make the data unreadable. For example, the algorithm might change a text file into a seemingly meaningless collection of numbers and symbols. A person wanting to read the data would need the encryption key, which reverses the encryption process so that the numbers and symbols become text again. Without the key, detectives have to use computer programs designed to crack the encryption algorithm. The more sophisticated the algorithm, the longer it will take to decrypt the data without a key.
Other anti-forensic tools can change the metadata attached to files. Metadata includes information like when a file was created or last altered. Normally you can't change this information, but there are programs that let a person alter the metadata attached to files. Imagine examining a file's metadata and discovering that it says the file won't exist for another three years and was last accessed a century ago. If the metadata is compromised, it becomes more difficult to present the evidence as reliable.
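Added example, not from the article: a small metadata sanity check in Python that flags exactly the kind of absurd timestamps the paragraph describes (a creation date in the future, an access time from before the file could possibly have existed), plus the ordering checks between the three times. The timestamps, the reference clock, the install date and the five-minute skew tolerance are constructed values, and `from_stat()` is a hypothetical helper for reading a real file's times.

```python
"""Sanity checks on file timestamps (metadata).
Added example, not from the article; all times below are constructed."""
import os
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SKEW = timedelta(minutes=5)   # tolerance for ordinary clock drift between machines


def timestamp_anomalies(created, modified, accessed, now, earliest_plausible=None):
    """Return the reasons a (created, modified, accessed) triple looks tampered with.
    All arguments are timezone-aware datetimes; `now` is the examiner's reference
    clock and `earliest_plausible` is, for example, the date the OS was installed."""
    reasons = []
    for label, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts > now + SKEW:
            reasons.append(f"{label} time lies in the future")
        if earliest_plausible is not None and ts < earliest_plausible - SKEW:
            reasons.append(f"{label} time predates the earliest plausible date")
    if modified < created - SKEW:
        reasons.append("modified before created")
    if accessed < created - SKEW:
        reasons.append("accessed before created")
    return reasons


def from_stat(path):
    """Hypothetical helper: read a real file's times. Caveat: st_ctime is the creation
    time on Windows but the last metadata change on Unix-like systems, so interpret
    it according to the platform the evidence came from."""
    st = os.stat(path)

    def to_dt(t):
        return datetime.fromtimestamp(t, UTC)

    return to_dt(st.st_ctime), to_dt(st.st_mtime), to_dt(st.st_atime)


# Constructed case: the examiner's clock reads 2024-01-01, the OS was installed mid-2019.
NOW = datetime(2024, 1, 1, tzinfo=UTC)
INSTALLED = datetime(2019, 6, 1, tzinfo=UTC)

HONEST = (datetime(2023, 3, 4, 10, 0, tzinfo=UTC),     # created
          datetime(2023, 3, 4, 10, 30, tzinfo=UTC),    # modified
          datetime(2023, 12, 20, 9, 0, tzinfo=UTC))    # accessed

# The article's example: created three years from now, last accessed a century ago.
ABSURD = (NOW + timedelta(days=3 * 365),
          NOW + timedelta(days=3 * 365),
          NOW - timedelta(days=100 * 365))


def check(triple):
    return timestamp_anomalies(*triple, now=NOW, earliest_plausible=INSTALLED)


if __name__ == "__main__":
    print("honest:", check(HONEST))
    print("absurd:", check(ABSURD))
```

The honest triple produces no findings; the absurd one produces four. The checks are deliberately conservative (a five-minute allowance, and an install date rather than an arbitrary cutoff), because the goal is to surface timestamps that cannot be right, not to accuse every file whose clock was slightly off.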
Some computer applications will erase data if an unauthorized user tries to access the system. Some programmers have examined how computer forensics programs work and have tried to create applications that either block or attack those programs themselves. If computer forensics specialists come up against such a criminal, they have to use caution and ingenuity to retrieve data.
A few people use anti-forensics to demonstrate how vulnerable and unreliable computer data can be. If you can't be sure when a file was created, when it was last accessed or even if it ever existed, how can you justify using computer evidence in a court of law? While that may be a valid question, many countries do accept computer evidence in court, though the standards of evidence vary from one country to another.

How Computer Forensics Works

When the company Enron declared bankruptcy in December 2001, hundreds of employees were left jobless while some executives seemed to benefit from the company's collapse. The United States Congress decided to investigate after hearing allegations of corporate misconduct. Much of Congress' investigation relied on computer files as evidence. A specialized detective force began to search through hundreds of Enron employee computers using computer forensics.
The purpose of computer forensics techniques is to search, preserve and analyze information on computer systems to find potential evidence for a trial. Many of the techniques detectives use in crime scene investigations have digital counterparts, but there are also some unique aspects to computer investigations.
For example, just opening a computer file changes the file -- the computer records the time and date it was accessed on the file itself. If detectives seize a computer and then start opening files, there's no way to tell for sure that they didn't change anything. Lawyers can contest the validity of the evidence when the case goes to court.
Some people say that using digital information as evidence is a bad idea. If it's easy to change computer data, how can it be used as reliable evidence? Many countries allow computer evidence in trials, but that could change if digital evidence proves untrustworthy in future cases.
Computers are getting more powerful, so the field of computer forensics must constantly evolve. In the early days of computers, it was possible for a single detective to sort through files because storage capacity was so low. Today, with hard drives capable of holding gigabytes and even terabytes of data, that's a daunting task. Detectives must discover new ways to search for evidence without dedicating too many resources to the process.

Five Essential Computer Forensics Tools

By the Numbers
I recently had a look at the most recent CSI security survey. While a lot of things have changed over
the past year, one thing is definitely consistent: attacks happen. At one point, attacks on companies
were as high as 70 percent (in 2000) but today we see that the reported amount is down to as low as
43 percent.
What is interesting is the fact that the number that checked off the unknown box (that is, those that
aren't sure if they were compromised or not) increased to 13 percent. This is still an overall lower
figure if we were to assume that they were compromised, but really, IT security professionals ought to
be aware if their organization is compromised or not.
Of those that were compromised, 47 percent said that they only had 1 to 5 events. What isn't made obvious is whether the events were small or massive breaches. Granted, a single massive event can be devastating for an organization while 10 small ones can present less of a problem.
And even here, we see that 26 percent are unaware as to how many times they were compromised.
These unknowns present, in my opinion, a reason to be concerned since that opens up the possibility
of continued compromise and the habitual existence of vulnerabilities within a system.
What seems rather disturbing, however, is the belief that the majority of attacks come from external
sources. Of those polled, 51 percent believe that none come from inside and 25 percent said it only
accounted for 1 percent to 20 percent of their breaches. This is something to watch in the next survey
as the economic factors of this year have an impact on employee behavior as well as increased
possibilities for compromise by those desperate for funds.
So the challenge then is how to find those attacks and determine how they got into a system. Since
most of us use a Windows system of some type, it made sense to look through some simple tools to
do forensics against a system to see if it was compromised.
Tools and Techniques
One of the first things that you'd need to do is take the compromised system out of the picture. Live View, an open source utility, creates a virtual machine out of the existing system. And if it doesn't detect VMware Workstation 5.5 or VMware Server 1.x, it will download it for you. Live View creates a virtual disk out of the system that allows you to then safely investigate a copy of the system without interfering with anything installed. Alternatively, you could use VMware Converter to create a vmdk (virtual machine disk) to use in more recent versions of Server or Workstation.
Once you've rebooted the system you can then go to Merijn and download StartupList. This is a great way to start the investigation of a system and determine what things might have been put on the system to restart each time the system does. Of course, you can use HijackThis as an additional tool to rule out obvious malware or other items that tie themselves into the registry.
The next trick is to determine what additional files, other than the usual, are open. In Linux we use lsof, which lists open files, but for Windows, by default, there is no similar command. Instead, there is OpenFilesView, a Windows executable that lists all the files and processes - both local and network based - on the system.
While that's running, Wireshark can let you review all network traffic to see if anything unexpected is being sent out to another location. If there is, it's worthwhile to enable a firewall to block the traffic or, better yet, just yank out the network cable to avoid the possibility of intellectual property being stolen from the system.
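An added example, not part of the column, of the triage the open-files and Wireshark steps are doing, applied to a constructed listing in the layout of Windows `netstat -ano`: parse the lines and flag established connections whose remote side is outside the networks you trust. The sample lines (including the 203.0.113.9 documentation address), the PIDs and the trusted network list are assumptions made for the example.

```python
"""Triage of a netstat -ano style listing: which established connections go somewhere
we do not expect? Added example, not from the column; the listing and the trusted
networks are constructed."""
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    10.0.0.5:49712         10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.5:49801         203.0.113.9:443        ESTABLISHED     1337
  TCP    127.0.0.1:5432         127.0.0.1:50210        ESTABLISHED     2208
  UDP    0.0.0.0:123            *:*                                    1012
"""

TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]   # assumption: the corporate LAN


def parse_netstat(text):
    """Turn the listing into dicts; header, blank and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""                       # UDP rows carry no state column
        else:
            continue
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def remote_ip(endpoint):
    """'203.0.113.9:443' -> IPv4Address, '[::1]:443' -> IPv6Address, '*:*' -> None."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def unexpected_connections(conns, trusted=TRUSTED_NETWORKS):
    """Established connections whose remote side lies outside every trusted network.
    Loopback and unspecified addresses are ignored; what remains is for a human to judge."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    flagged = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] != "ESTABLISHED":
            continue
        ip = remote_ip(c["remote"])
        if ip is None or ip.is_loopback or ip.is_unspecified:
            continue
        if not any(ip in n for n in nets):
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    for c in unexpected_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {c['pid']}: {c['local']} -> {c['remote']} ({c['proto']} {c['state']})")
```

Only the connection from PID 1337 to 203.0.113.9:443 is reported. The PID is the pivot: it is what you look up next in the process and open-files listings to see which program holds that connection, which is the question the column's tools are assembled to answer.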
This allows us to determine if anything suspicious exists in the system while it's running live. Once this has been completed, you can look into determining what has been changed.
Helix 3, a newly updated version of the live Linux forensics tool, can be used to examine the disk safely to see what has actually been changed. Forensic analysis of a system is critical for knowing what has been compromised. It is one thing to know that we've been attacked, but it's another to find out what those attackers have done to the system.
If we don't look into what happened, we may miss critical data being compromised or fail to learn how the system was first broken into. Once this investigation is done, we can then rebuild the system with appropriate additional security in place to prevent the attack from happening again.
And we can do this all at minimal cost, an important factor to consider in this day and age of economic belt-tightening.
