By Samuel Amoah & Casper Kan
Computer Forensics, or Digital Forensics as it is popularly called, is a science that helps apply the criminal laws of a state or country to crimes committed with a computer and its accessories, or to crimes in whose commission a computer was used to produce the criminal evidence. The technique involves seizing the computer and its accessories in order to collect digital evidence from the storage media containing the data of interest.
This sounds simple, right? Not so fast, I would say. The methodology for acquiring data from the computer requires due care and documentation, so that the evidence remains unchanged throughout processing, up to the final evidence production stage. These measures keep the evidence in its pristine state and make the whole process reproducible, so that anyone following the same process arrives at the same conclusion. This is what makes it a science.
Technology is changing very fast, and the way computer users store data is changing with it. Storage media sizes and types keep changing, and network bandwidth and speed have increased to allow easy transfer of data from a local computer to different locations; this poses a challenge to computer forensic examiners. Storage media encryption technologies have also made it difficult for examiners to access data on a local machine that has been powered down when the suspected user refuses to divulge his decryption key. In such a situation, only the intervention of a court of law directing the suspect to release the decryption key, or network acquisition of the partitions on the suspect's computer while he is working on it, will do. Again, this has its own challenges if the system password of the computer is unknown, or the examiner does not have administrator privileges on the target computer. The challenge is minimal when a corporate client machine is the target, as administrators have local administrator rights on all client machines on a domain.
Network data acquisition has its drawbacks, as some of the tools used install agents on the target machines to enable the network connection. The installed agent therefore changes the overall MD5 checksum of the drive, and the examiner could face a challenge in court if the actions taken are not clearly recorded and the changes made to the overall data are not enumerated. An agent on the target machine might be deemed a malware installation, which borders on a crime committed by the examiner, and could cause the whole case to be thrown out of court.
There are instances where data on a drive is corrupted and evidence cannot be obtained. In such circumstances, an examiner might be compelled to format the drive and use data recovery tools to recover the files on it. This is where reliance on the registry for events and their time stamps becomes crucial in trying to pinpoint when an event occurred, e.g., which USB storage device was attached to the system and when. I call this technique destroy and search, as opposed to the popular search and destroy concept used by the military in combat operations. When this technique is used, the "goldmine" to harvest is the unallocated space. The Simple File Carver tool, by Filesig, does a good job of data carving, and every forensic examiner must have one in his arsenal of tools.
In conclusion, one can safely infer that as computer technology evolves, so must digital forensic practices. For instance, the 512-byte default sector size for hard drives is changing to 4096 bytes, which is going to change some of the ways we examine evidence on drives with respect to the definition of slack space and unallocated space. At this point we are faced with the question: what happens to the 1024-byte size of MFT entries on NTFS partitions? Are operating systems going to change to adapt to this situation? Are forensic tool vendors going to retool? All I can say for now is: time will tell. My next article will be on cloud computing and network forensics. I will be back.
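The post says the examiner must enumerate exactly what an agent changed on the drive. The following added example (written for this editorial pass, not code from the authors or from any acquisition tool) shows one way to do that: hash the image sector by sector before and after the agent write, then diff the two hash lists so the notes can name the affected sectors rather than just two differing whole-drive checksums. The image and the "agent" payload are constructed sample data, and the sector size is a parameter so the same report can be produced for the 4096-byte sectors the post mentions later.

```python
import hashlib

SECTOR_SIZE = 512  # the traditional default sector size discussed in the post


def sector_hashes(image: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """MD5 of every sector of the image (the last sector may be short)."""
    return [hashlib.md5(image[i:i + sector_size]).hexdigest()
            for i in range(0, len(image), sector_size)]


def whole_image_md5(image: bytes) -> str:
    """The single checksum an examiner records for the entire drive."""
    return hashlib.md5(image).hexdigest()


def changed_sectors(before: list, after: list) -> list:
    """Sector numbers whose hash differs between the two hash lists."""
    if len(before) != len(after):
        raise ValueError("sector counts differ; the images are not comparable")
    return [n for n, (a, b) in enumerate(zip(before, after)) if a != b]


def simulate_agent_install(image: bytes, offset: int, payload: bytes) -> bytes:
    """Constructed stand-in for an acquisition agent writing its files into
    the volume; the image length is preserved so sectors stay aligned."""
    if offset + len(payload) > len(image):
        raise ValueError("payload does not fit in the image")
    return image[:offset] + payload + image[offset + len(payload):]


def change_report(original: bytes, modified: bytes,
                  sector_size: int = SECTOR_SIZE) -> dict:
    """What the examiner's notes need: the checksum before and after the
    agent was installed, and exactly which sectors account for the difference."""
    before = sector_hashes(original, sector_size)
    after = sector_hashes(modified, sector_size)
    changed = changed_sectors(before, after)
    return {
        "md5_before": whole_image_md5(original),
        "md5_after": whole_image_md5(modified),
        "sector_size": sector_size,
        "sectors_total": len(before),
        "sectors_changed": changed,
        "sectors_unchanged": len(before) - len(changed),
    }


# Constructed 64-sector sample image (32 KiB) with a recognisable byte pattern.
SAMPLE_IMAGE = bytes(range(256)) * (64 * SECTOR_SIZE // 256)
# Constructed agent payload: 900 bytes written 100 bytes into sector 10,
# so it spills over into sector 11.
AGENT_PAYLOAD = b"AGENT.EXE" * 100
MODIFIED_IMAGE = simulate_agent_install(SAMPLE_IMAGE, 10 * SECTOR_SIZE + 100,
                                        AGENT_PAYLOAD)

if __name__ == "__main__":
    report = change_report(SAMPLE_IMAGE, MODIFIED_IMAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run with `sector_size=4096` and the same 900-byte write is reported as a single changed sector, which is the kind of shift in granularity the post's closing paragraph is worried about.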
Wednesday, March 3, 2010
Cloud Computing and Network Forensics in the Eyes of Computer Forensic Examiner
By Samuel Amoah & Casper Kan
Technology keeps amazing me. It changes so rapidly that sometimes, before one catches up with it, it has evolved to a newer phase with a whole new set of changes from the previous one. This means users have to keep spending money to keep up, the end result being nagging, complaining, and a lot of money spent. This is a vicious cycle that keeps turning. It is this array of unending expenditure that has brought forth what is now called "cloud computing".
Cloud computing allows users to use, on a server located somewhere deemed the cloud, all the resources they would otherwise have invested in installing on their local machines. This includes storage space, application usage, social networking, etc., for a fee. The computer user does not have to worry about the hard drive crashing, data being stolen from the computer, and so on. Just pay a fee and you are good to go. Files and applications are accessed through the web. This implies that all one needs is internet access and an access medium, which could be a portable handheld device, a smartphone, or a basic computer.
Many organizations and individuals are already using this technology and have realized its great benefit of being hassle free. However, we may pause to ask ourselves a few questions: do we know where our data is physically located? Do we know how secure our records are? How do we investigate an event should a breach occur? Are we in compliance with legislation and regulations such as SOX, HIPAA, etc.? As a network administrator in an organization, how much grasp do you have on controls, security and function? These are some of the questions we have to keep asking ourselves. As computer forensic examiners, what do we do to access breached data for analysis? Is a search warrant issued in your jurisdiction going to be honored in the location where the servers are located? What limitations are you going to face? Do countries have treaties that will allow cross-border search warrants to be executed?
Before we go through all the impediments that might stand in the way of investigations, network forensics might be a prime solution to buttress your case for further searches. Network forensics, in the conventional sense, is the analysis of network traffic logs to trace events that have occurred. The logs may reveal the source and destination IP addresses of the systems in question, as well as time stamps, the event that occurred and the type of transaction that took place. This will sometimes lead to a dead end, rendering the investigation useless: the evidence in question never gets discovered, and the culprits walk away free while the victim loses out. A case of corporate espionage is one example.
The best way to deal with the impediments to cloud computing investigations is lawful interception of data crossing the corporate boundary to the cloud. This is the collection of raw data packets at the data link layer by intelligent tools, namely Decision Group's E-Detective capturing tool and the E-Detective Data Decoding Center tool, which decodes raw data, both in real time and offline, into the formats of the various web applications. There are other cost-effective and easy-to-use tools by Decision Group that provide total compliance solutions to companies and law enforcement agencies facing the impediments I have mentioned.
We cannot revert to the old way of doing things on our networks. Cloud computing is the technology of now, and its use is going to increase with time. We have to be able to adjust to investigating data that has crossed the network through the internet to the cloud.
Do we have what it takes to do the job? I believe we all will have to adjust to meet the present test of time. In my next presentation, I will talk about network packet forensics and evidence handling, and how to make it acceptable in a court of law. I will be back.
Deep Packet Inspection and Reconstruction for Network Forensics and Lawful Interception
By Samuel Amoah & Casper Kan
I am back, as promised, to talk about deep packet inspection and reconstruction for the purpose of network forensics and security.
Deep packet inspection technology is based on sniffing network traffic with a network adapter card set in promiscuous mode on the network being monitored. The packets sniffed and captured during this process are not interpreted from the header information alone: the data payload is analyzed at the same time to gather information about session establishment, as well as presentation layer and application layer information.
Promiscuous mode allows the network interface card to accept and send broadcast messages traversing the network, just as happens across the ports of a hub serving as the central connection point of all nodes interconnected on the network. These days hubs have been replaced with switches, which defeats the purpose of sniffing traffic on the entire network, since only traffic emanating from a port on the switch, which has its own broadcast domain, can be seen. MAC flooding is a way to make the switch act in the same manner as a hub, hence enabling sniffing of packets across all its ports.
The deep packet inspection process begins with packet capturing at the outgoing connection to the internet. Depending on which sections of the network are to be monitored, a switch can be carefully configured into mirror mode, where packets leaving the network are mirrored to the packet capturing appliance. The alternative is inline capturing, where the cable from the internal network is connected to one port of the capturing appliance, and another cable connects a second port of the capturing appliance to the internet interface.
The captured packets are then organized into their various data formats based on the inspection and capturing carried out. This data is then decoded by the appliance to allow playback. The playback presents the data in the same format in which it entered the network, which is good, as it presents the data to the viewer exactly as it was. There are three appliances engineered by Decision Group Inc. that carry out the capturing, decoding and playback. The E-Detective or Wireless-Detective product does real-time decoding and plays back data. There is also the E-Detective Decoding Center appliance, which does both real-time decoding and playback of data and offline decoding of data, either captured by the device itself or captured offsite using a network packet sniffing device.
All decoded data is stored in a database on the appliance. This allows investigators to sift through it with less difficulty to find evidence, should the need ever arise.
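The post contrasts reading a packet's headers with also decoding its payload. The added example below (written for this editorial pass; it is not Decision Group's code and makes no claim about how their appliances work) builds a constructed Ethernet/IPv4/TCP frame of the kind a mirror port would deliver, extracts the header-only view that conventional log analysis stops at (addresses and ports), and then decodes the payload as an HTTP request to show what the application-layer view adds. The addresses, ports and request are constructed sample values; only a minimal HTTP decode is implemented.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame such as a mirror port would
    deliver (checksums are left at zero; this is sample data, not a capture)."""
    eth = bytes.fromhex("aa" * 6) + bytes.fromhex("bb" * 6) + \
        struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                     0x4000, 64, IPPROTO_TCP, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def parse_headers(frame: bytes) -> dict:
    """Header-only view: what conventional log analysis sees (the 5-tuple)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != IPPROTO_TCP:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:14 + total_len]  # drop any Ethernet padding
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": payload}


def inspect_payload(payload: bytes) -> dict:
    """Payload view: the application-layer content that DPI adds on top of
    the headers. Only a minimal HTTP request decode is implemented here."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {"application": "unknown"}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"application": "http", "method": parts[0].decode(),
            "path": parts[1].decode(errors="replace"), "host": headers.get("host")}


def inspect(frame: bytes) -> dict:
    """Both views side by side, as an appliance would store them."""
    hdr = parse_headers(frame)
    return {"headers": {k: v for k, v in hdr.items() if k != "payload"},
            "application": inspect_payload(hdr["payload"])}


# Constructed sample: a client on the LAN fetching a page from a documentation-range address.
SAMPLE_FRAME = build_frame("10.0.0.5", "192.0.2.10", 51000, 80,
                           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    print(inspect(SAMPLE_FRAME))
```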
Note of caution: first and foremost, every reader must know that packet sniffing is illegal. Corporations, in protecting their intellectual property and the integrity of their network traffic, and in fighting off malware and viruses, can use sniffing technology with caution. Employees must be made aware that such a process is going on and must be duly informed of it. Secondly, employees must also be given a central location with internet-ready computers where they can transact their personal business and check their mail. This network must not be included in the segment being sniffed.
For the purposes of computer forensics, now that cloud computing has changed the way data can be stored, the surest way to be able to trace back emails and the other means of computer communication that are mostly used in committing corporate crimes is to have such a system in place. This eliminates the need to figure out how to execute search warrants on cloud computing storage sites, which might be thousands of kilometers away, because a replica of the communication is stored onsite.
As national security is on the minds of every government in the world and is deemed very important, I believe the art of lawful packet interception will be very instrumental in tracking down criminals and terrorists, as most of their communication is via the internet. Deep packet inspection technology should be instrumental in dealing with such acts. Law enforcement agencies in Taiwan have used this technology from Decision Group with success.
This is the moment to think seriously about adopting this technology for lawful usage. Privacy must be considered during this brainstorming session. Just as we now go through virtual strip searches at airports, privacy must be carefully defined when dealing with national security. There are ways to prevent abuse of this technology:
1: Only sworn law enforcement officials or corporate security personnel may have access to the management interface of the appliance to search for information. For government investigations, search warrants must be obtained before access to data is granted.
2: Captured data must also be preserved in a manner that follows proper chain of custody procedures.
3: Officers running the appliances must be well trained to carry out their work.
Security, as I always say, is 85% application of common sense and 15% technology. And of that 15%, 90% depends on people and 10% on the equipment.
I will be back.