Which of the following is not part of the computer forensics investigation methodology?

Seizing, imaging, and analyzing digital evidence

David Day, in Cyber Crime and Cyber Terrorism Investigator's Handbook, 2014

Forensic Analysis

A forensic investigator is usually given some remit into the purpose of the investigation, for example, what crime the suspect may be responsible for. Often though, the information shared may not be so specific. The reason for an investigator being given a narrow remit is to prevent the potential for prior knowledge bias. For example, an investigator may simply be asked to supply evidence that the profile of a machine is one which is set up for malicious hacking, or they may be asked to find evidence to support the supposition that a particular online persona and the suspect are one and the same. In such circumstances it is often desirable to ensure that the evidence found is without bias, and that it is found independently of case specifics (see Chapter 8).

While the focus of the forensic investigation will be governed by the remit presented, in most cases the digital evidence collected will be composed of one or more of the artifacts listed in Table 7.1.

Table 7.1. Digital Evidence Categories

Address books and contact lists | Configuration files | Databases
Audio files and voice recordings | Processes | Documents
Backups of various programs | Log files | Email and attachment files
Bookmarks and favorites | Organizer items | Registry keys
Browser history | Page files | Events
Chat logs | Network configuration | Hidden and system files
Calendars | Digital images | Videos
Compressed archives | Cookies | Virtual machines
Kernel statistics and modules | System files | Temporary files
Videos | Printer spooler files | Types of applications used

The methods for how these artifacts are discovered will be discussed in the following sections.

URL: https://www.sciencedirect.com/science/article/pii/B9780128007433000074

Forensic Investigations with Python

TJ O'Connor, in Violent Python, 2013

Introduction: How Forensics Solved the BTK Murders

In February 2005, Wichita police forensic investigator Mr. Randy Stone unraveled the final clues of a 30-year-old mystery. A couple of days earlier, KSAS Television station had handed the police a 3.5” floppy disk they had received from the infamous BTK (Bind, Torture, Kill) Killer. Responsible for at least 10 murders from 1974 to 1991, the BTK Killer eluded capture while repeatedly taunting the police and his victims. On February 16th, 2005, the BTK Killer sent the television station a 3.5” disk with communication instructions. Among these instructions, the disk contained a file named Test.A.rtf (Regan, 2006). While the file contained instructions from the BTK Killer, it also contained something else: metadata. Embedded in the Microsoft proprietary Rich Text Format (RTF), the file contained the first name of the BTK Killer and the physical location at which the user had last saved the file.

This narrowed the investigation to a man named Dennis at the local Wichita Christ Lutheran Church. Mr. Stone verified that a man named Dennis Rader served as a church officer at the Lutheran Church (Regan, 2006). With this information, police requested a warrant for a DNA sample from the medical records of Dennis Rader’s daughter (Shapiro, 2007). The DNA sample confirmed what Mr. Stone already knew—Dennis Rader was the BTK Killer. A 31-year investigation that had exhausted 100,000 man hours ended with Mr. Stone’s examination of metadata (Regan, 2006).

Computer forensic investigations are only as good as the investigator and the tools in his or her arsenal. All too often an investigator has a nagging question but lacks the tool to answer it. Enter Python. As we have seen in previous chapters, solving complex problems with minimal code is a strength of the Python programming language. As we will see in the following sections, we can answer some pretty complex questions with minimal lines of Python code. Let’s begin by using some unique Windows Registry keys to physically track a user.

URL: https://www.sciencedirect.com/science/article/pii/B978159749957600003X

Microsoft Office and Metadata Forensics

Rich Hoffman, in Computer and Information Security Handbook (Third Edition), 2017

Abstract

Metadata is often incredibly useful to a forensic investigator, helping to establish the “who, what, where and how” of computer-based activity. But metadata is also easy to misinterpret—or just miss altogether. This chapter explores some of the risks associated with analyzing metadata and the challenges of drawing reliable conclusions from such analysis. It focuses on defining some of the specific issues encountered when analyzing Microsoft Office metadata, since Office documents are the most common file types forensic investigators encounter. Not only can metadata be altered intentionally to throw off an investigator, but the Microsoft rules that govern how and when metadata is created and updated over time can generate some puzzling and even inexplicable results. After reviewing the types of information that may be obtained from Office metadata, the chapter will use some specific examples and factual scenarios to demonstrate the intricacies, twists and turns encountered in the process of extracting and interpreting metadata. By gaining insight from an experienced forensic examiner, the reader will learn how to avoid some of the pitfalls of metadata analysis that can lead to misinterpretation of seemingly reliable metadata.
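A combined example for this abstract and for the RTF metadata discussed in the Violent Python excerpt above; it is written for this page and is not code from either book. It pulls the author/operator and creation/revision fields out of an RTF \info group and the equivalent core properties out of a .docx package, then flags the kind of internal inconsistency (modified before created, creator differing from last modifier) that the abstract warns must be explained rather than taken at face value. Both input documents are constructed here; jdoe, template.owner and Example Corp are invented values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed RTF document with an \info group (not the file from the case above).
SAMPLE_RTF = rb"""{\rtf1\ansi
{\info{\title Quarterly notes}{\author jdoe}{\operator jdoe}{\company Example Corp}
{\creatim\yr2005\mo2\dy10\hr9\min30}{\revtim\yr2005\mo2\dy14\hr16\min5}}
{\pard Body text.\par}}"""

# Constructed docProps/core.xml for a .docx: standard OOXML/Dublin Core namespaces, made-up values.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>template.owner</dc:creator>
 <cp:lastModifiedBy>jdoe</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2017-03-02T10:15:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2017-03-01T09:00:00Z</dcterms:modified>
</cp:coreProperties>"""

# RTF \info control words mapped onto the OOXML core-property names, so one check fits both.
_RTF_NAMES = {b"author": "creator", b"operator": "lastModifiedBy",
              b"creatim": "created", b"revtim": "modified"}


def _group(data: bytes, start: int) -> bytes:
    """Return the balanced {...} group that begins at data[start]."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # control word/symbol or escaped brace: skip next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def _rtf_time(field: bytes) -> datetime:
    p = {k: int(v) for k, v in re.findall(rb"\\(yr|mo|dy|hr|min|sec)(\d+)", field)}
    return datetime(p.get(b"yr", 1900), p.get(b"mo", 1), p.get(b"dy", 1),
                    p.get(b"hr", 0), p.get(b"min", 0), p.get(b"sec", 0))


def rtf_metadata(data: bytes) -> dict:
    """Extract the RTF document-information group; *tim groups (creatim, revtim, ...) become datetimes."""
    pos = data.find(b"{\\info")
    if pos < 0:
        return {}
    meta = {}
    for m in re.finditer(rb"\{\\([a-z]+)\s?([^{}]*)\}", _group(data, pos)):
        word, value = m.group(1), m.group(2)
        name = _RTF_NAMES.get(word, word.decode("ascii"))
        meta[name] = _rtf_time(value) if word.endswith(b"tim") else value.decode("latin-1").strip()
    return meta


def docx_core_properties(blob: bytes) -> dict:
    """Read docProps/core.xml from an OOXML package held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    meta = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root}
    for key in ("created", "modified"):          # W3CDTF values end in Z
        if meta.get(key):
            meta[key] = datetime.fromisoformat(meta[key].replace("Z", "+00:00"))
    return meta


def timeline_flags(meta: dict) -> list:
    """Internal inconsistencies an examiner must explain before relying on the values."""
    flags = []
    created, modified = meta.get("created"), meta.get("modified")
    if created and modified and modified < created:
        flags.append("modified precedes created")
    creator, last = meta.get("creator"), meta.get("lastModifiedBy")
    if creator and last and creator != last:
        flags.append("creator differs from lastModifiedBy")
    return flags


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()
```

Run against a real file by passing its bytes to rtf_metadata or docx_core_properties; a non-empty flag list is a prompt to look at the file system timestamps and application history before drawing conclusions, not a conclusion in itself.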

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000442

Data Hiding Forensics

Nihad Ahmad Hassan, Rami Hijazi, in Data Hiding Techniques in Windows OS, 2017

Host Protected Area and Device Configuration Relay Forensic

In Chapter 4, we talked about HPA and DCO. As computer forensic investigators, what we care about regarding these two areas is our ability to image them and later analyze them using a reliable forensic tool.

Not all computer forensic software vendors offer programs that can access these areas. The most reliable way, which is still preferred by law enforcement professionals, is to use hardware tools to capture these areas.

In this section, we will show you a commercial application that claims the ability to capture and analyze HPA and DCO. This program is called OSForensics: http://www.osforensics.com (see Fig. 6.79).

Figure 6.79. OSForensics can capture and remove both HPA and DCO.

URL: https://www.sciencedirect.com/science/article/pii/B9780128044490000063

Jason Andress, Steve Winterfeld, in Cyber Warfare, 2011

Digital Forensics

Forensics is the discipline of science dedicated to the systematic gathering and analysis of evidence to establish facts that can be presented in court. The key to forensics is understanding exactly what happened (not why) and determining who did it. Digital forensics is applying this discipline to computer devices and networks. The most difficult goal in this field is determining attribution (ascribing the actions of an incident to a specific person or organization). This discipline is key to national security for Computer Network Defense. Although the evidence may not end up in a court of law it may be what is needed to authorize a counterattack (virtual or physical).

Let's start with an analogy. In America many places have a beat cop. This is the policeman who patrols a specific set of blocks; they may spend the morning working a traffic accident and an armed robbery investigation, then in the afternoon take care of a domestic disturbance call and write up a vandalism incident. Their job is to enforce the laws within their neighborhood. If one day while walking along they see a man in the alleyway lying on the ground bleeding from a knife stuck in his chest, they would immediately call for an ambulance and start basic life-saving procedures. If these failed and the man died, they would change their priority to preserving evidence to support a criminal investigation. They would call for homicide detectives, who would bring along the Crime Scene Investigation (CSI) team. These folks are trained in collecting and analyzing evidence to support the investigation and to present it in a court of law. The beat cop could help the detectives with simple tasks like canvassing the area for witnesses, but generally they go back to their normal duties. In the virtual world the system administrator is the beat cop for the local network. They ensure the normal operation of the systems and monitor for abnormalities. If they detect a problem they will work to fix it until they determine it is an intrusion. In most organizations the sys admin will then work with management to determine whether they want to rebuild the system or investigate to facilitate a prosecution.

The problem with just rebuilding is that the threat will simply use the same method to regain entry, so some analysis is normally warranted, but it may not be in accordance with evidentiary rules. If the decision is to investigate, then a determination needs to be made whether they just want to know what happened or whether it could end up in court. With the possibility of going to court comes the need for specialized skills and qualifications (often in the form of certifications). The systems involved must be treated as evidence. The investigation must be documented and the conclusion must stand up to legal standards. The tools and methodologies used must be able to stand up to review by the opposition. The investigator must be able to present the findings in an understandable way and justify their conclusions. Much like the cop trying to save a life, the sys admin can damage evidence if they go too far before calling for help. Also like the beat cop, they are not well equipped to testify in a court of law.

Warning

One note for those who watch the CSI TV show: the last thing a digital forensic investigator would do is log into the computer. That actually destroys evidence.

Digital forensics is similar to physical forensics but there are some key differences: first, it is a much newer discipline and in many cases both the judge and jury have difficulty understanding it (compared to something like DNA evidence, which is in the common public understanding today); second, it is very transitory (it is important to baseline the evidence, as computer systems are in a constant state of change); and finally, it is not a skill set that many LEA officers have (compared to the amount of training they get in handling and analyzing physical evidence). This brings up the challenge of live vs. static analysis. There will be times when the system cannot be pulled offline to analyze, so it must be done live, which requires unique tools and procedures.

There are four basic steps to computer forensics:

1. Preparation
2. Acquisition
3. Analysis
4. Reporting

We will examine each briefly. Preparation – this is where Tactics, Techniques, and Procedures (TTPs), tools and documentation methodology are developed; Acquisition – this is where the collection, preservation and review of the evidence is done; Analysis – this is where the investigator constructs the events into facts about what was done and, if possible, who did it; and Reporting – where all the documentation is presented in a format that facilitates the decision needed (this is different in court vs. intelligence activities). This very simple explanation does not reflect the complexity of most investigations. A simple investigation of a laptop could involve network devices it communicated with and mobile devices (e.g., an external hard drive, memory sticks, or a Blackberry) that were attached to it. Each of these requires different forensic knowledge and tools.

For the physical acquisition here are some tips. First create a cryptographic hash digest of the original media (MD5/SHA-1). A hash is a one-way mathematical algorithm that, when run against a file or hard drive, creates a bit-string signature or message digest. If anything in the file or on the hard drive changes, the message digest changes. This allows copies of files to be used in court as authentic original evidence. The investigator can keep one copy and work on others and never change the original. Next comes the collection of the relevant specimens, which must be validated with the hash digest.

Then, using forensics tools like EnCase, Forensic Toolkit, or Helix, analyze the evidence, documenting everything done and found. These tools will do much of the discovery, but in every investigation there may be specific issues that call for unique tools, such as developing scripts. Cell phones are a good example of when a new tool may need to be added to the investigator's tool kit. There are open source tools, but be careful, as they may not stand up in court as well.

Finally, develop a report of the findings based on a standard template that facilitates the ability to accurately testify months or years later on the findings. It is important to keep all notes and logs of the investigation, as cases can go from an analytical matter to a court case years later and you will need to be able to recall specifics based on your records.

Warning

There is no dummy-mode or wizard program that lets an untrained individual conduct a digital forensic investigation, both because every investigation is unique and because only a trained and certified investigator should be in charge. An investigation done by unqualified personnel will result in compromised results and be unusable.

Certification

There are a number of computer forensics certifications. Generally they are broken out as vendor sponsored or Law Enforcement Agency (LEA) supported. Under vendor certifications, the major certifications are by the vendor who sells the tool, like the EnCase Certified Examiner Program for those who have mastered that software, the AccessData Certified Examiner (ACE) by AccessData for their software, the Forensic Toolkit, and the GIAC Certified Forensic Analyst (GCFA) by SANS (not tool based). For the LEA sponsored certifications the major certifications are: the International Association of Computer Investigative Specialists (IACIS), which has the Certified Forensic Computer Examiner (CFCE) and the Certified Electronic Evidence Collection Specialist (CEECS) certifications; the International Society of Forensic Computer Examiners, which has the Certified Computer Examiner (CCE); and the DoD Cyber Crime Center, which has the Certified Digital Media Collector (CDMC), Certified Digital Forensic Examiner (CDFE) and Certified Computer Crime Investigator (CCCI) certifications. There are a number of other vendors, training programs, certifications, and organizations; this was just meant to be a sampling of what is being done.

One interesting trend in this area is the development of laws governing the field. Some states are requiring certifications while others are moving to require a Private Investigator's license. At issue here is the standard for Expert Witness Qualification, where a witness (such as a medical specialist) who by virtue of special knowledge, skill, training, or experience is qualified to provide testimony in a court of law. For many areas it is easy to determine what an expert is, but in the digital investigation world there are very few people with both the law enforcement training to understand due process and the digital forensic skills to understand how to extract and analyze data, and there is no common standard to determine what the qualifications for an expert are.

URL: https://www.sciencedirect.com/science/article/pii/B9781597496377000125

Intrusion Investigation

Eoghan Casey, ... Andy Johnston, in Handbook of Digital Forensics and Investigation, 2010

Host Preparation

Computer systems are not necessarily set up in such a way that their configuration will be friendly to forensic analysis. Take for example the NTFS Standard Information Attribute Last Accessed date-time stamp on modern Windows systems. Vista is configured by default not to update this date-time stamp, whereas previous versions of Windows would. This configuration is not advantageous for forensic investigators, since date-time stamps are used heavily in generating event timelines and correlating events on a system.

It will benefit an organization to ensure that its systems are configured to facilitate the job of the forensic investigator. Setting up systems to leave a more thorough audit trail will enable the investigator to determine the nature and scope of an intrusion more quickly, thereby bringing the event to closure more rapidly. Some suggestions for preparing systems for forensic analysis include:

Activate OS system and security logging. This should include auditing of:

Account logon events and account management events

Process events

File/directory access for sensitive areas (both key OS directories/files as well as directories containing data important to the organization)

Registry key access for sensitive areas, most especially those that involve drivers and any keys that can be used to automatically start an executable at boot (note that this is available only in newer versions of Windows, not in Windows XP)

Practitioner's Tip: Windows Autorun Locations

Not sure which locations to audit? Use the tool autoruns from Microsoft (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) on a baseline system. It will give you a list of locations on the subject system that can be used to automatically run a program. Any location fed to you by autoruns should be set up for object access auditing. Logs of access to these locations can be extremely valuable, and setting them up would be a great start. This same program is useful when performing a forensic examination of a potentially compromised host. For instance, instructing this utility to list all unsigned executables configured to run automatically can narrow the focus on potential malware on the system.

Turn on file system journals, and increase their default size. The larger they are, the longer they can retain data. For example, you can instruct the Windows operating system to record the NTFS journal to a file of a specific size. This journal will contain date-time stamps that can be used by a forensic analyst to investigate file system events even when the primary date-time stamps for file records have been manipulated.

Activate all file system date-time stamps, such as the Last Accessed time previously mentioned in Vista systems. This can be done by setting the following Registry DWORD value to 0: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate

Ensure that authorized applications are configured to keep a history file or log. This includes web browsers and authorized chat clients.

Ensure that the operating system is not clearing the swap/page file when the system is shut down, so that it will still be available to the investigator who images after a graceful shutdown. In Windows this is done by disabling the Clear Virtual Memory Pagefile security policy setting.

Ensure that the operating system has not been configured to encrypt the swap/page file. In newer versions of Windows, this setting can be found in the Registry at HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsEncryptPagingFile.

Ensure that the log file for the system's host-based firewall is turned on, and that the log file size has been increased from the default.

Practitioner's Tip: Host-Based Traces

Right about now, you might be saying something along the lines of “But attackers can delete the log files” or “The bad guys can modify file system date-time stamps.” Of course there are many ways to hide one's actions from a forensic analyst. However, being completely stealthy across an enterprise is not an easy task. Even if they tried to hide their traces, they may be successful in one area, but not in another. That is why maximizing the auditing increases your chances to catch an attacker. To gain more information at the host level, some organizations deploy host-based malware detection systems. For instance, one organization used McAfee ePolicy Orchestrator to gather logs about suspicious activities on their hosts, enabling investigators to quickly identify all systems that were targeted by a particular attacker based on the malware. Let us continue the list for some helpful hints in this area.

Configure antivirus software to quarantine samples, not to delete them. That way if antivirus identifies any malicious code, digital investigators will have a sample to analyze rather than just a log entry to wonder about.

Keep log entries for as long as possible given the hardware constraints of the system, or offload them to a remote log server.

If possible, configure user rights assignments to prevent users from changing the settings identified earlier.

If possible, employ user rights assignments to prevent users from activating native operating system encryption functions—unless they are purposefully utilized by the organization. If a user can encrypt data, they can hide it from you, and this includes user accounts used by an attacker.

Pagefile Pros and Cons

Note that this will leave the pagefile on disk when the system is shut down, which some consider a security risk; some settings represent a tradeoff between assisting the investigator and securing the system. For example, leaving the swap/page file on disk when the system is shut down is not recommended if the device is at risk of an attack involving physical access to the disk. The decision in this tradeoff will depend upon the sensitivity of the data on the device and the risk of such an attack occurring. Such decisions will be easier if the organization in question has conducted a formal risk assessment of its enterprise.
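An added example for the host-preparation checklist above, not code from the handbook: it parses a `reg export` of the registry keys the checklist names and reports the settings that work against the investigator, so the review can be done offline from an exported hive rather than on the live host. The two FileSystem values are the ones the text gives; ClearPageFileAtShutdown under Session Manager\Memory Management is the registry value behind the Clear Virtual Memory Pagefile policy mentioned above. The export text itself is constructed.

```python
import re

# Constructed text in the format written by `reg export` (real exports are UTF-16 with a
# BOM; decoded here). Covers the two FileSystem values named in the checklist and the
# Memory Management value that the "Clear virtual memory pagefile" policy maps to.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
"NtfsEncryptPagingFile"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"PagingFiles"=hex(7):3f,00,3a,00,5c,00,70,00,61,00,67,00,65,00,66,00,69,00,6c,00,\
  65,00,2e,00,73,00,79,00,73,00,00,00,00,00
"""

FS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
MM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# (key, value name, setting the checklist wants, what the examiner loses otherwise)
READINESS_CHECKS = [
    (FS, "NtfsDisableLastAccessUpdate", 0, "Last Accessed stamps are needed for timelines"),
    (FS, "NtfsEncryptPagingFile", 0, "an encrypted pagefile cannot be examined from the image"),
    (MM, "ClearPageFileAtShutdown", 0, "a pagefile wiped at shutdown is gone before imaging"),
]


def _decode_value(raw: str):
    """Decode the right-hand side of a .reg value line into a Python object."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:                                     # hex: is REG_BINARY, hex(N): other types
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if m.group(1) == "7":                 # REG_MULTI_SZ: UTF-16LE, NUL-separated
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ with reg.exe escaping
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key path: {value name: value}}."""
    text = text.lstrip("\ufeff")
    # reg.exe wraps long hex values: a trailing backslash continues on the next line
    text = re.sub(r"\\\r?\n\s*", "", text)
    hive, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and key is not None:
            hive[key][m.group(1)] = _decode_value(m.group(2))
    return hive


def assess_readiness(hive: dict) -> list:
    """Return (value name, actual, wanted, why) for each setting that is not forensics-friendly."""
    findings = []
    for key, name, wanted, why in READINESS_CHECKS:
        actual = hive.get(key, {}).get(name)
        if actual is None:
            findings.append((name, "absent (OS default applies)", wanted, why))
        elif actual != wanted:
            findings.append((name, actual, wanted, why))
    return findings


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    print("pagefile(s):", hive[MM].get("PagingFiles"))
    for name, actual, wanted, why in assess_readiness(hive):
        print(f"{name}: is {actual!r}, checklist wants {wanted}: {why}")
```

The same tradeoff noted above applies to the output: a ClearPageFileAtShutdown finding is only a deviation from the checklist, and whether to change it depends on the organization's risk assessment for physical-access attacks.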

URL: https://www.sciencedirect.com/science/article/pii/B9780123742674000045

Preparing Your Report

Dale Liu, in Cisco Router and Switch Forensics, 2009

Report Components

Even if the incident will be handled internally and will not be prosecuted in civil or criminal court, your procedures for creating and documenting your report should be the same (you never know during a forensic investigation whether the incident will become a legal matter). The more detail you can include in your report, the better. You may create summary reports for different individuals, but there should be one all-encompassing report that contains all the details that you included in any of your summary reports and that would be available in the event of a civil or criminal trial.

Agent Names

In the Agent Name section of your report, you should include the names of the first responders and forensic investigator, along with a list of their qualifications and certifications.

Case Number

Each incident in your organization should be assigned a case number. If this is the first incident that has occurred in the organization, its case number would be 1. The next incident would be case number 2, and so on.

Individuals Present

Who was on the scene when the incident was discovered, and who was on the scene when the first responders arrived? You must include the names of these people in your report. Also, you should note the names of the people who were still on the scene when the forensic investigator arrived. The more details you include, the better. Always include people's titles, and if possible, when they came in contact with the evidence.

Time

In this section of the report, indicate what time the incident occurred, and what time the first responder and the forensic investigator arrived. Also record any additional times which are important in regard to the incident.

Time Zone

The time zone in which you are located (and if you use one, information pertaining to the Network Time Protocol [NTP] server in use) should be documented in this section of the report. If no NTP server is used, log just the time zone.

Timeline of Recorded Events

In Chapter 1, we illustrated a timeline graph that displayed the progression of what type of analysis was conducted when and on what system. A timeline graph is vital to include in your report, as it will detail the progression of events as they unfolded. In addition, the graphical nature of a timeline graph is beneficial in terms of explaining results to non-technical management or if the events lead to litigation. After the timeline you will take each event and document everything about that event, and its associated evidence.

Serial Number and Evidence Number

As noted earlier in this chapter, you must list all the evidence that has been collected, along with any serial numbers and evidence numbers. You must fully describe and detail each item of evidence.

You should also list, in sequential order by evidence number, all the details from the chain-of-custody section, how many people came in contact with the evidence, what they did with the evidence, and when they returned the evidence to the control person, usually the forensic responder.

Documented Policies, Procedures, and Guidelines

Your report should also include all documented policies, procedures, guidelines, acceptable forms, and definitions of use. Any information you can provide to show how evidence was collected and why certain steps or procedures were followed will go a long way toward ensuring that your report is complete.

Also include the checklists used to gather volatile and non-volatile information on routers and switches. You can never include too much information.

Mistakes

If any mistakes were made in handling the data or if any procedures were violated during data collection, make sure they are noted. It is better to document these mistakes up front than to have them be revealed while you're being cross-examined in court. Even if you don't think the case will go to court, you should still treat each piece of evidence as though it will be presented in court.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494182000120

The Mindset of a Network Administrator

Dale Liu, in Cisco Router and Switch Forensics, 2009

Publisher Summary

This chapter discusses the role of network administrators and what makes them tick. An understanding of the role of a network administrator and their behavior would help a digital forensic investigator in his or her investigation by facilitating effective communication. Network administrators possess the skills and know-how to keep the computer systems communicating and functioning. Many times people in IT are driven toward results and can take charge and run projects, but may not be personable, be able to relate their feelings, or even be talkative. Alternatively, one may run into people who are on the other end of the spectrum: they don't like to make waves, they are sensitive about people's perceptions of them, and they can be easygoing, but sometimes they can be indecisive. The way one communicates with people in these groups must be different or the conversation may disintegrate. This is known as the dominant, influential, steady, conscientious (DiSC) behavior model. Often network administrators think that their role on the IT staff is above that of their peers. Even in bad economic times, organizations make efforts to maintain network administration staffing, as it is believed that it is easier to suffer the rude and hostile IT staffer than it is to replace him. Moreover, network admins and forensic specialists command heightened salaries. The chapter discusses social engineering tactics to help one better understand how adversaries can get access to an enterprise's sensitive data. Methods of social engineering vary; some may use only impersonation or persuasion techniques, whereas others will stick to technology and do most of their work through electronic means.

URL: https://www.sciencedirect.com/science/article/pii/B978159749418200003X

What are the computer forensic methodologies?

Types of Computer Forensics: Email forensics. Malware forensics. Memory forensics. Mobile Phone forensics.

Which is not a computer forensic activity?

Computer forensics involves all of the following stated activities except: preservation of computer data.

What are the four stages of computer forensic process?

The four phases of digital forensics: Data are identified, labeled, recorded, and acquired from all of the possible sources of relevant data, using procedures that preserve the integrity of the data.

Which of the following is not a role of digital forensic?

Digital forensics is all of them except: Preservation of computer data.