DRAFT

Computer Forensics Procedures and Methods

J. Philip Craiger, Ph.D., CISSP
Assistant Director for Digital Evidence
National Center for Forensic Science &
Department of Engineering Technology
University of Central Florida
Email: philip@craiger.net

To appear in H. Bidgoli (Ed.), Handbook of Information Security. John Wiley & Sons.
Keywords

Digital forensics, computer forensics, network forensics, cyberforensics, digital evidence, computer evidence, computer crime, incident response, Linux forensics, Windows forensics, computer forensic tools, computer forensics procedures, disk forensics, media forensics, intrusion forensics, intrusion detection systems, Knoppix.
Abstract

Computer forensics involves the preservation, identification, extraction and documentation of digital evidence in the form of magnetically, optically, or electronically stored media. It is a relatively new science that is becoming increasingly important as criminals aggressively expand the use of technology in their enterprise of illegal activities. This chapter is a technical introduction and overview to some of the fundamental methods and procedures of computer forensics. The topics covered parallel the order in which computer forensic procedures are typically conducted, beginning with the process of creating a bit-stream image of the evidence and the subsequent verification of the evidence using one-way hash functions. Two forms of forensic analysis are covered: logical and physical analysis procedures. Analytic procedures we demonstrate include hash and signature analysis; keyword and email searches; recovery and analysis of cookies, print spool and application residual files; slack and unallocated space analysis; manual recovery of deleted files; behavioral timeline creation; and collecting evidence from running systems. We close the chapter by describing several commercial tools.
1. Introduction
   a. Computer Forensic Tools
   b. The Forensic Server
2. Sound Computer Forensic Practice
3. Arriving at the Scene: Initial Response
   a. Creating a Forensic Image
   b. Verifying Image Integrity
   c. Imaging Over a Network
   d. Sterilizing Forensic Media
4. Analysis of a Forensic Image
   a. Drive Geometry
   b. Mounting the Image
   c. Reducing our Search Space
      i. Hash Analysis
      ii. Signature Analysis
   d. Searching a Forensic Image
      i. Keyword Searches
      ii. Finding Files by Type
      iii. Email Searches
      iv. Swap File
      v. Web-based Email
      vi. The Windows Swap File
   e. I know what you did with your computer last summer…
      i. Cookies
      ii. Deleted Files and the INFO2 File
      iii. Application Residual Files
      iv. UNICODE
      v. Print Spool Files
   f. Physical Analysis
      i. What Happens when a File is Deleted
      ii. Unallocated Space Revisited
      iii. Slack Space
      iv. Recovering Deleted Files
      v. Dealing with Formatted Drives
   g. Behavioral Timelines: What Happened and When?
5. Collecting Evidence from Live Systems
   a. Volatile Evidence
   b. Log Files as Digital Evidence
   c. Reducing the Potential for Evidence Contamination
6. Commercial Tools
7. Conclusion
8. Glossary
9. References
10. Further Reading
Introduction

Computer forensics involves the preservation, identification, extraction and documentation of computer evidence stored in the form of magnetically, optically, or electronically stored media. It is a relatively new science that is becoming increasingly important as criminals aggressively expand the use of technology in their enterprise of illegal activities. Computer forensic techniques are not as advanced as those of the more mature and mainstream forensic techniques used by law enforcement, such as blood typing, ballistics, fingerprinting, and DNA testing. Its immaturity is partly attributable to fast-paced changes in computer technology, and to the fact that it is a multidisciplinary subject, involving complicated associations between the legal system, law enforcement, business management, and information technology.
This chapter is a technical introduction and overview to fundamental methods and procedures of computer forensics. To get the most out of this chapter we have assumed readers will have technical skills with computers running a variety of operating systems. The Handbook of Information Security, in particular volume II, has several chapters related to numerous aspects of computer forensics, including the legal, law enforcement, and managerial aspects. These chapters include Computer Forensics in Law Enforcement, Forensic Science and Computers, Computer Security Reviews Using Computer Forensics Tools, Digital Evidence, Digital Courts, Law, and Evidence, Cybercrime and Cyberfraud, and Hack, Cracker, and Computer Criminals. To fully understand the practice and implications of computer forensics we urge readers to carefully examine each of these chapters. And as you read this chapter be aware that computer forensics is a set of technical activities that occurs within a complex setting of interacting stakeholders who often have conflicting goals. Before conducting a computer forensics investigation we advise the reader to seek advice from legal counsel to ensure that no local, state, or federal laws are broken. Nothing in this chapter is intended to be legal advice, and it should not be construed as such.
In this chapter we illustrate both offline and online analyses. An offline analysis occurs when an investigator powers down the computer and removes it from the network. This allows the investigator to create an exact copy of the computer's hard drive to ensure that the files remain unchanged, and to ensure that all evidence, both condemning and exculpatory, is collected. In contrast, there are occasions when it is impossible to power down a computer, requiring an online analysis. For instance, management may not permit the shutdown of a company's only e-commerce server. In this circumstance the investigator must gather as much evidence as possible while the system remains running and connected to a network. From a purely forensic standpoint, the preferred situation is to 'freeze' the computer's state by powering down the system. However, in reality this is not always possible, and investigators should be proficient in methods for gathering evidence from a running computer system.
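The offline workflow described above, an exact bit-stream copy followed by verification with a one-way hash, is illustrated by the following added Python example. It is not code from the chapter or its author. It assumes a constructed in-memory byte string standing in for the evidence drive, reads it in 512-byte chunks as a stand-in for sectors, records the SHA-256 digest of the source at acquisition time, and shows that a single altered byte in the image is detected when the image is re-hashed.

```python
"""Added example (not from the chapter): bit-stream imaging of a constructed
evidence source and verification of the image with a one-way hash function."""
import hashlib
import io

SECTOR = 512  # chunk size used when reading the source (a sector-sized read)


def bitstream_image(source, sink, chunk_size=SECTOR):
    """Copy every byte of `source` into `sink`, including zero-filled and
    unallocated regions, and return the SHA-256 digest of what was read.

    Hashing while copying records the source digest at acquisition time, so a
    later digest of the image file can be compared against it.
    """
    digest = hashlib.sha256()
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        sink.write(chunk)
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of `data`; the algorithm name is any one hashlib supports."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_image(image_bytes, acquisition_digest):
    """True only if the image still hashes to the digest recorded at acquisition."""
    return hash_bytes(image_bytes) == acquisition_digest


# Constructed stand-in for an evidence drive: a boot sector, one live file,
# remnants of a deleted file in unallocated space, and two zero-filled sectors.
CONSTRUCTED_DEVICE = (
    b"BOOT" + b"\x00" * (SECTOR - 4)
    + b"report.doc: quarterly figures ...".ljust(SECTOR, b"\x00")
    + b"[deleted] draft of memo to ...".ljust(SECTOR, b"\x00")
    + b"\x00" * SECTOR * 2
)


def acquire(device_bytes=CONSTRUCTED_DEVICE):
    """Image the (constructed) device; return (image bytes, acquisition digest)."""
    sink = io.BytesIO()
    digest = bitstream_image(io.BytesIO(device_bytes), sink)
    return sink.getvalue(), digest


if __name__ == "__main__":
    image, digest = acquire()
    print("acquired", len(image), "bytes, sha256", digest)
    print("image verifies:", verify_image(image, digest))
    # Simulate one byte of the image being altered after acquisition
    # (for example by an accidental read-write mount of the image).
    tampered = bytearray(image)
    tampered[SECTOR + 10] ^= 0x01
    print("tampered image verifies:", verify_image(bytes(tampered), digest))
```

On a real acquisition the source would be a block device opened read-only (normally behind a hardware write blocker), and the digest recorded at acquisition is the value that every later hash of the image, and of any working copies, is compared against.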
We begin this chapter by describing an offline analysis involving desktop computers running versions of Microsoft Windows™. Windows plays a prominent role because of its large worldwide market share, and the fact that law enforcement agencies (Dartmouth, 2002), as well as the FBI's Computer Analysis and Response Team (Pollitt, 2002, personal communication), have indicated that the majority of investigations involve computers running some version of Windows. We conclude this chapter by discussing an online