Computer Forensics Investigation Procedures And Response Pdf To Word
Disclaimer: We have not performed any live investigation. This was a part of our university assignment, wherein we assumed the roles of forensics investigator, determining what methods were applicable. You are welcome to come up with your own findings and resolve the case. We attempted to follow the global methodology, illustrating what a basic forensics investigation report should look like.
Credits Edmand Dester Thipursian – Edmand.dester@gmail.com Sai Thogarcheti – Harikamurthy9@gmail.com Abdullah Al Fahad – candyman961@hotmail.com Chintan Gurjar – chintangurjar@outlook.com Adam Mentsiev – adam.mentsiev@study.beds.ac.uk Alams Titus Mammuan – alamsx11@gmail.com 1. Introduction Computer technology is the major integral part of everyday human life, and it is growing rapidly, as are computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual theft. To counteract those computer-related crimes, Computer Forensics plays a very important role.
Felix C Freiling
“Computer Forensics involves obtaining and analysing digital information for use as evidence in civil, criminal or administrative cases (Nelson, B., et al., 2008)”. Computer Forensics Boot Camps A Computer Forensic Investigation generally investigates the data which could be taken from computer hard disks or any other storage devices with adherence to standard policies and procedures to determine if those devices have been compromised by unauthorised access or not. Computer Forensics Investigators work as a team to investigate the incident and conduct the forensic analysis by using various methodologies (e.g. Static and Dynamic) and tools (e.g. ProDiscover or Encase) to ensure the computer network system is secure in an organization.
A successful Computer Forensic Investigator must be familiar with various laws and regulations related to computer crimes in their country (e.g. Computer Misuse Act 1990, the UK) and various computer operating systems (e.g. Windows, Linux) and network operating systems (e.g. According to Nelson, B., et al., (2008), Public Investigations and Private or Corporate Investigations are the two distinctive categories that fall under Computer Forensics Investigations. Public investigations will be conducted by government agencies, and private investigations will be conducted by private computer forensic team. This report will be focused on private investigations, since an incident occurred at a new start-up SME based in Luton. This report also includes a computer investigation model, data collections and its types, evidence acquisitions, forensics tools, malicious investigation, legal aspects of computer forensics, and finally this report also provides necessary recommendations, countermeasures and policies to ensure this SME will be placed in a secure network environment.
Ifyou tell the truth you don't have to remember anything. Mark Twain — Although it should go without saying, always tell the truth. Present the facts and. You are a computer forensic examiner. If you are called as an expert witness, you will be asked to explain your process for. Lyrically computer forensics investigation procedures and response pdf viewer thyrsuses were the declines. Compact prelusions must nonlinearly foul withe dreary fishing — rod. Wordsmith is straightbacking. Maisonettes are the succulent conciliations. Salicylic halva can foam towards the asha. Mistrusts are the birthrates.
Case Study A new start-up SME (small-medium enterprise) based in Luton with an E-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are a number of suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. They have also recently received a number of customer complaints saying that there is often a strange message displayed during order processing, and they are often re-directed to a payment page that does not look legitimate. The company makes use of a general purpose eBusiness package (OSCommerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full scale malware/forensic investigation.
As there is increased competition in the hi-tech domain, the company is anxious to ensure that their systems are not being compromised, and they have employed a digital forensic investigator to determine whether any malicious activity has taken place, and to ensure that there is no malware within their systems. Your task is to investigate the team’s suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware, and to ensure that no other machines in their premises or across the network have been infected. The team also wants you to carry out a digital forensics investigation to see whether you can trace the cause of the problems, and if necessary, to prepare a case against the perpetrators. The company uses Windows Server NT for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched. Deliverables Your deliverable in this assignment is a 5,000 word report discussing how you would approach the following:. Malware investigation.
Digital Forensic Investigation You should discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant. You should also discuss the process that you will use to collect evidence and discuss the relevant guidelines that need to be followed when collecting digital evidence.
Imaging the target devices’ hard drive and hashing them with MD5 for data integrity. Collection “The collection phase is the first phase of this process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data” (CJCSM 6510.01B, 2012). There are two different types of data that can be collected in a computer forensics investigation. They are volatile data and non-volatile data (persistent data).
Volatile data is data that exists when the system is on and erased when powered off, e.g. Random Access Memory (RAM), registry and caches. Non-volatile data is data that exists on a system when the power is on or off, e.g. Documents in HD. Since volatile data is short-lived, a computer forensic investigator must know the best way to capture it.
Evidence can be collected locally or remotely. 8.1 Volatile Data: The following figure shows how to capture the volatile data. The forensic workstation must be located in same LAN where the target machine, in this case the Windows NT Server, is located. ‘Cryptcat’ tools can be used in the forensic workstation to listen to the port of the Windows NT server. Create the trusted toolset optical drive in the Windows NT server and open the trusted console cmd.exe and use the following command: cryptcat 6543 -k key To capture the data at the forensic workstation, we use the following command: cryptcat -l -p 6543 -k key Figure 2: Volatile data collection setup Source: Reino, A., (2012) The following table shows the Graphic User Interface tools, and their usage and outcome can be used in the computer forensic investigation. Table 1: Volatile Data Forensic Tools and their usage and outcome Source: Reino, A., (2012) We also use various Windows-based tools to capture the volatile data as follows: HBGray’s FastDump – Local Physical memory acquisition.
HBGray’s F-Response – Remote physical memory acquisition ipconfig – Collecting subject system details. Netusers and qusers – Identifying logged-in users doskey/history – Collecting command history netfile – Identifying the services and drivers Finally, collecting the clipboard content is also very important in a computer forensic investigation. More evidence can be found from a machine which is still running, so if the anomalies are still there in the SME, then we can retrieve a lot of important evidence from the running processes, network connection and the data that is stored in the memory. There is a lot of evidence when the machine is in the volatile state, and so it must be ensured that the affected computers are not shut down in order to collect such evidences. 8.2 Non-Volatile Data Once the volatile data have been captured, then we will look into the non-volatile data.
The first step in non-volatile data collection is to copy the content of entire target system. This is also called “forensic imaging”. Imaging helps to preserve the original data as evidence without any malfunction or changes in data which occurs during the forensic investigation. Forensic imaging will be created by forensic tools such as EnCase, ProDiscover and FTK. A forensic investigator uses a write blocker to connect to the target system and copy the entire contents of the target drive to another storage device by using any of those forensic tools. Hard drive cloning is nothing but to make a duplicate of the entire system. The difference between forensic imaging and hard drive cloning is that forensic imaging can’t be accessed without forensic tools, but hard drive cloning can easily be accessed with a mount drive.
Hard drive cloning contains only a raw image, and every bit will be copied, and no other extra content will be added. Forensic imaging contains metadata ie., hashes and timestamps and it compresses all the empty blocks. Forensic imaging will hash with MD5 or SHA-2 to ensure the integrity of digital evidence (Nelson, B., et al., 2008).
Data collection can be done in offline investigation and online investigation. Forensic imaging can be done with offline investigation. Live network traffic can be done with online investigation by using ethereal or Wireshark tools.
Firewall logs, antivirus logs, and domain controller logs will be collected for the investigation under the non-volatile data collection. We will also collect the Web server logs, Windows event logs, database logs, IDS logs and application logs. Once we collect all the digital evidences, they must be documented in the chain of the custody log documentation.
Chain of the custody log documentation is to maintain the integrity of the evidence from start to end of the investigation until this investigation report will be presented (Nelson, B., et al., 2008). Before carrying out any further processes, we need to image the disk bit by bit, which will access the entire volume and copy the original media, including the deleted files. After the disk is imaged, we should hash everything which will make sure that the data is authentic and the integrity of the data will be maintained throughout the investigation. The hash values must be recorded in multiple locations and we must ensure that we do not make any changes to the data from the time of collection of the data till the end of the investigation. Most tools help in achieving this by accessing the media in a read-only state (SANS, 2010). Target System Hard drives, External Storage devices, and the Windows NT Server Hard drive must be acquired for the digital forensic investigation in this case.
Examination Once we have gathered all the available evidences, we need to conduct the examination by the help of various computer forensic investigation tools. We also examine the file system, Windows registry, Network and Database forensic examination, as follows: 9.1 Files System Examination NTFS is the New Technology File System and NTFS Disk is a file. MFT is the Master File Table which contains information about all files and disks, and it is also the first file in NTFS. The records in the MFT are also called metadata. Metadata is data about data (Nelson, B., et. Files can be stored in MFT in two ways: resident and non-resident.
A file which is less than 512 bytes can be accommodated in MFT as resident files and a file which is more than 512 bytes can be stored outside the MFT as non-resident files. When a file is deleted in Windows NT, the file will be renamed by OS and moved it to Recycle bin with a unique identity. OS stores information about the original path and original file name in info2 file. But if a file is deleted from the Recycle bin, then associated clusters are marked as available for new data. NTFS is more efficient than FAT, as it is faster in reclaiming its deleted space.
NTFS disks are a data stream, which means they can be appended into another existing file. A data stream file can be stored as follows: C: echo textmess file1.txt:file2.txt This file can be retrieved by the following command: C: more. HKEYCURRENTCONFIG: stores information about the present configuration of the system. The Windows registry consists of volatile and non-volatile information. This means an investigator must at least be familiar with each meaning and functionality of the hives, keys, data and values of a Window registry before undergoing any forensic investigation of a computer to obtain a successful forensic investigation report. Autostart Location: is a location in the registry where the applications are set to be launched without a user initiation. With this functionality a malware that affects Luton SME can persistently run when the machine is turned on without a direct user interaction because it was already programed to autostart itself or when a user runs some specific commands or processes.
HKEYLOCALMACHINE SOFTWARE Microsoft WindowsNT CurrentVersion Image File Execution Option is a Windows registry in which an attacker can use the key for redirection of an application original copy to its trojaned copy (Carvey, H., 2005). Luton SME might be under this attack: a redirect of the customer payment page to an illegitimate one. A forensics investigator can examine the autostart location to determine if the Luton SME problem results from an action performed by a user, a malware or by an attacker on the organization. According to (Carvey, H., 2005) the reliable way to access the autolocation is using AutoRuns tools from SysInternals.com which can provide listing of autostart locations. User Activity:action and activities of a user can be investigated in the HKEYCUREENTUSER hive which is created from HKEYUSER SID hive. User information is mapped to the HKEYCURRENTUSER. The NTUSER.DAT holds information about registry specification settings of a user.
Examination of this hive will give a forensic investigator a good clue of activities and actions taken by a user. Most Recent Used (MRU) List: MRU holds recent specific action taken by a user and keeps track of activities for future reference. For example, HKEYCURRENTUSER Software Microsoft Windows CurrentVersion Explorer RunMRU maintains an executed list of commands run by a user.
Each executed command in the run box will add a key value entry to the hive, as shown below: Figure3: Contents of the Explorer RunMRU key. Source: Carvey, H., (2005) A forensic investigator can study this hive to source the lastwrite time of each command from the MRU list as shown above. With this, the SME Luton investigator will be able to analyze from the registry if it was user activity, a malware action or an attack that is affecting the organization. UserAssist: according to (Carvey, H., 2005) UserAssist which is found under the hives HKEYCURRENTUSER Software Mcirosoft Windows CurrentVersion Explorer UserAssist consists of two keys that commonly look like globally unique identifiers that keep encrypted records of each object, application, etc.
A user has accessed on the system. If an investigator has accessed the encrypted record, which is no longer definitive, it might indicate some action the user did to trigger the Malware through an application or any activity he might have done. USB removable Storage: according to Farmer, College and Vermont (2008) all devices connected to the system are being maintained in a computer registry under the following key HKEYLOCALMACHINE System ControlSet00x Enum USBSTOR.
The figure below shows an example of drive IDs of a USB thumb drive: Figure4: Example contents of USBSTOR key, showing device instance IDs. Source: Carvey, H., (2005) Using the hives of the mounted drive, an investigator will have a clue when he/she analyzes the device ID content maintained in the registry to know which device was being mounted on the Luton SME organization. With persistent examination of each value key, an investigator can identify removable USB storage devices and map them to the parentidprefix. Wireless SSIDs: According to (Carvey, H., 2005) SSIDs of wireless networks used on a computer can be found under HKEYLOCALMACHINE Software microsoft WZCSVC Parameters Interface.
When navigating to key values, they contain subkeys which look like globally unique identifiers, which when opened, an investigator can navigate to the ActiveSettings which reveals each wireless SSID in the form of a binary data type. When right-clicked to modify, it reveals the SSIDs in plain written format.
Though IP address and other network information can be found under HKEYLOCALMACHINE System Current ControlSet Services TCPIP Interfaces GUID, an investigator can use this information to tie a user in the Luton SME organization to a particular timeframe if the person’s IP address appears to be discovered under the above Window registry. Windows registry can also be a vital source of proof in a forensic investigation if the investigator knows where to get available data that can be well presentable to the Luton SME organization. Fantastic has tried to analyze some of the basic Windows registry that might have caused the redirection of its Web page, tracked user activity and all necessary programs a user had executed, devices used on the server or any of the organization’s computers, and also revealed the IP address of users. 9.3 Network Forensics Examination The acquiring, collecting and analyzing of the events that take place in the network is referred to as network forensics. Sometimes it’s also known as packet forensics or packet mining. The basic objective of network forensics is the same, which is to collect information about the packets in the network traffic such as the mails, the queries, the browsing of the web content, etc., and keep this information at one source and carry out further inspection (WildPackets, 2010). Network forensics can be applied in two main ways.
University Of Erlangen Nuremberg
The first one is security-related, where a network is monitored for suspicious traffic and any kind of intrusions. It is possible for the attacker to delete all the log files from an infected host, so in this situation the network-based evidence comes to play in the forensics analysis. The second application of network forensics is related to the law enforcement, where the network traffic that has been captured could be worked on to collecting the files that have been transferred through the network, keyword search and analysis of human communication which was done through e-mails or other similar sessions. (Hunt, 2012) 9.3.1 Tools and Techniques of Network Forensics We can perform any operation with a forensically sound bootable DVD/CD-ROM, USB Flash drive or even a floppy disk. First, we need to dump the memory, and this is preferred to be done with a USB Flash drive with enough size.
We must also undertake a risk assessment when we are about to collect volatile data to evaluate if it’s safe and relevant to collect such live data, which can be very useful in an investigation. We should use forensics toolkits throughout the process, as this will help meet the requirements of a forensics investigation.
Computer Forensics
These tools should be trusted, and it can be acquired from among the freely distributed ones to the commercial ones. (7safe, 2013) Some very important and discreet information should be collected from a running machine, with the help of trusted tools such as:. Keyword Searching Before starting the malware analysis, we need to create the malware analysis environment such as VMware and Norton Ghost. VMware is virtual based malware analysis environment and Norton Ghost is dedicated malware analysis environment.
11.1 Static Analysis Static analysis is the type of malware analysis which is used to conduct the analysis without running the malware programming. Static analysis is better than Dynamic analysis in terms of safe analysis. Since the malware program is not running, there is no fear of deleting or changing the files.
It is always best to do the static malware analysis in a different operating system, where the malware is not designed to run or impact. Because an investigator can accidently double click the malware program to run, and it will affect the system.
There are so many ways to do the static analysis such as File Fingerprinting, Virus Scanning, Packer Detection, Strings, Inside the FE File Format and Disassembly (Kendall, K., 2007). 11.2 Dynamic Analysis Dynamic Analysis is the type of malware analysis where malware code runs and observes its behaviour. It is also called Behaviour Malware Analysis.
Dynamic Analysis is not safe to conduct unless we are ready to sacrifice the malware analysis environment. We can analyze the malware by simply monitoring the behaviour of the malware functions. There are many tools to conduct the dynamic malware analysis, but Process Monitor from SysInternals and Wireshark are the most used and freeware tools (Kendall, K., 2007). According to Kendall, K., (2007), in almost all malware cases, a simple static and dynamic malware analysis will find all the answers which will be required by the malware investigators for the particular malware code. Findings After our investigation, we summarize our findings as follows:. Logging and Audit Firewall checks all Web pages entering to the user’s computer.
Each Web page is intercepted and analyzed by the firewall for malicious code. If a Web page accessed by the user contains malicious code, access to it is blocked. At the same time, it displays a notification that the requested page is infected. If the Web page does not contain malicious code, it immediately becomes available to the user.
By logging, we meant collecting and storing information about events that occur in the information system. For example, who and when tried to log on to the system and how this attempt ended, who and what information resources were used, what and who modified information resources, and many others. Audit is an analysis of the accumulated data, conducted promptly, almost in real time (Shiner, D.L.D., and Cross, M., 2002). Implementation of logging and audit has the following main objectives:. Providing information to identify and analyze problems. 13.1 Security Policies The fullest criteria for evaluating organizational level security mechanisms are presented in the international standard ISO 17799: Code of Practice for Information Security Management, adopted in 2000. ISO 17799 is the international version of the British Standard BS 7799.
ISO 17799 contains practical rules for information security management and can be used as criteria for assessing the organizational level security mechanisms, including administrative, procedural and physical security measures (ISO/IEC ). Practical rules are divided into the following sections:. These sections describe the organizational level security mechanisms currently implemented in government and commercial organizations worldwide (ISO1799, 2005).
Several questions arise after considering the above need for some combination of business requirements for the Internet. What software and hardware and organizational measures must be implemented to meet the needs of the organization? What is the risk?
What should be the ethical standards for the organization to carry out their tasks with the help of the Internet? Who should be responsible for that? The basis of the answers to these questions is a conceptual security policy for the organization (Swanson, M., 2001). The next section contains fragments of hypothetical security policies of safe work in the Internet. These fragments were designed based on the analysis of the major types of safety equipment. Security policies can be divided into two categories: technical policy implemented using hardware and software, and administrative policy, performed by the people using the system and the people running it (Swanson, M., 2001).
Common Security Policy for an Organisation:. The cost and impact of countermeasures on the organization’s performance(ISO/IEC ) 14. Reporting A forensic report highlights the evidences in the court and it also helps for gathering more evidences and can be used in court hearings. The report must contain the investigation’s scope. A computer forensic investigator must be aware of the type of computer forensic reporting such as formal report, written report, verbal report and examination plan. A formal report contains the facts from the investigation findings.
A written report is like a declaration or an affidavit which can be sworn to under oath so that it must be clear, precise and detailed. A verbal report is less structured and is a preliminary report that addresses the areas of investigation not covered yet. An examination plan is a structured document that helps the investigator to understand the questions to be expected when he/she is justifying the evidences. An examination plan also helps the attorney to understand the terms and functions which were used in computer forensic investigation (Nelson, B., et al., 2008).
Generally a computer forensic report contains the following functions:. Supporting Documents There are many forensic tools to generate the forensic investigation report such as ProDiscover, FTK and EnCase (Nelson, B., et al., 2008). Conclusions This report contains how to conduct the Computer Forensic Investigation and Malware Investigation in various methods and using various tools. This report also contains the ACPO’s four principal and IS017799 security policy procedures which must be implemented in every organization to improve the security network architecture. It also analysed the First Four Step Forensic Investigation model and why we chose this model to conduct the forensic investigation for this case. It also has important preparation steps before starting the investigation.
Then this report has an analysis part where we analysed the data which we gathered by various methods to yield the findings. This report also has the recommendations to avoid the security breach in future.
Digital forensic investigation is a challenging process, because every incident differs from other incidents. A computer forensic investigator must be competent enough in Technical and Legal to conduct the investigation. Since the evidence which is provided by a computer forensic investigator can be an important part the case, the investigation report must be precise and in detail. References. Chintan Gurjar is a System Security Analyst and researcher from London working in Lucideus Tech Pvt Ltd. He has written articles for Europe based magazine namely “Hakin9”, 'PentestMag' and India based magazine “Hacker5”.
He has done a valuable research in cryptography overhead mechanism. Chintan Gurjar has completed B.Tech in computer science from India and currently pursuing his post graduate degree in computer security & forensics from London (UK). During his academics, he has submitted a small scale research paper on Cryptography Overhead Mechanism in IPsec Protocol.
He has also submitted Network Security Auditing and Network services administration and management report. He is very keen to spread cyber awareness world wide. In future he would like to work for his Country’s government in a forensics investigation field. Free Practice Exams. Free Training Tools. Editors Choice.
Related Boot Camps. Related Job Titles. More Posts by Author.
I found a bit of info on the M8 that appears to require opening the radio and removing a jumper to get into 'dealer programming mode'. Specifically, looking into how to reprogram the presets in this thing for a buddy of mine. Info on this model is extremely sparse, though. Didn't get a single hit searching the forum for the.
One response to “Computer Forensics Investigation – A Case Study”.
Books.google.com.tr - Revised and updated to address current issues and technology, System Forensics, Investigation, and Response, Third Edition provides a solid, broad grounding in digital forensics. The text begins by examining the fundamentals of system forensics: what forensics is, the role of computer forensics specialists.
System Forensics, Investigation, and Response.