Computer forensics: Donning your detective hat

Computer forensics experts keep busy as more wrongdoing occurs online

"Quincy, M.E.," the 1970s TV series, showed the dramatic potential of medical examiners. We're waiting now for the premiere of "Quincy, C.F." Computer forensics is playing an increasingly important role in thwarting wrongdoers at the federal, state and local levels. For example, recovered e-mails helped expose the involvement of National Security Adviser John Poindexter and Lt. Col. Oliver North in the Iran-Contra scandal during the Reagan administration.

The ubiquity of computers as a communications tool means that the role of computer forensics -- the practice of examining historical activity on electronic devices when someone suspects inappropriate or illegal activity -- will continue to grow in importance.

And the tools available to forensics analysts are keeping pace with increasingly sophisticated computers and other electronic devices. Forensic tools and the professionals with the qualifications to use them have also become more expensive. Accordingly, it can be a challenge for agency security teams to know when to put them to work.

"If you have reason to believe that a serious crime has been committed and that prosecution is desired, then you should bring in an experienced [forensics] investigator," said Jay Heiser, a research vice president at Gartner Group. But what if you're not sure yet that someone has committed a crime?

"Legislation, such as Sarbanes-Oxley, is making organizations more responsible and making data security and integrity a best practice," said Bill Margeson, chief executive officer at CBL Data Recovery Technologies.

All of the experts we interviewed said agencies could address legislative requirements and the growing number of incidents by establishing an internal forensic policy and creating a toolkit to execute the initial phases of a forensic investigation.

The four phases of forensics

At a high level, forensic activity has four phases: evidence collection, evidence preservation, analysis and reporting.

Of those, the collection phase is the most crucial, especially if agencies suspect illegal activity. Depending on the type of incident, forensic tools can collect activity data from a variety of sources, including servers, users' hard drives, log files, application data, portable devices and security tools, such as intrusion-detection systems.

When forensics experts collect information for an investigation, they typically remove the suspect hard drives and make a write-protected image of their contents using a forensic workstation. However, newer portable devices allow security employees to boot a separate machine from a CD and safely extract an image of its hard drive via a USB or Ethernet port.

For user devices such as desktop and laptop PCs and personal digital assistants, you typically want to capture an image of their entire content, whereas on large, multiuser systems, you might only need to see specific folders, such as a user's home directory, or data from specific tables. Both forms of collection are admissible in court as long as the collection process is well-documented and security employees use proper seizure methods.

During the preservation phase, you should make exact copies of all the collected data and record a cryptographic checksum of each copy. A cryptographic checksum is a value computed from a file's contents that changes if any part of the data changes, so recomputing it later verifies that the data has not been altered. If legal action is a likely outcome of your investigation, keeping the checksums alongside the images lets you demonstrate the integrity of the collected data.
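One way to carry out that preservation step, as an added example that is not from the article or from any of the products it reviews: hash the image in chunks, seal the digests in a manifest, and re-verify the working copy against it. The image bytes, file names and examiner label are constructed; MD5 is included because it is what the tools reviewed here emit, and SHA-256 is added as the digest a current examiner would rely on.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-gigabyte image never sits in RAM


def hash_image(path):
    """Return size, MD5 (what the reviewed tools emit) and SHA-256 of a file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": os.path.getsize(path),
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def write_manifest(image_path, manifest_path, examiner, note):
    """Seal the digests plus who/what into a chain-of-custody record."""
    record = hash_image(image_path)
    record.update({"image": os.path.basename(image_path),
                   "examiner": examiner, "note": note})
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(copy_path, manifest_path):
    """Re-hash a copy against the sealed manifest; report which fields differ."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    actual = hash_image(copy_path)
    mismatches = [k for k in ("size", "md5", "sha256") if actual[k] != expected[k]]
    return not mismatches, mismatches


def demo():
    """Constructed image: a few KiB of bytes standing in for a seized drive."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "suspect_drive.dd")
    manifest = os.path.join(workdir, "suspect_drive.manifest.json")
    copy = os.path.join(workdir, "working_copy.dd")
    with open(original, "wb") as fh:
        fh.write(b"FAKEBOOTSECTOR" + bytes(range(256)) * 16)
    write_manifest(original, manifest, "examiner-A (placeholder)", "constructed sample")
    with open(original, "rb") as src, open(copy, "wb") as dst:
        dst.write(src.read())
    clean = verify_image(copy, manifest)      # bit-identical copy verifies
    with open(copy, "r+b") as fh:             # flip one byte: same size, new digests
        fh.seek(100)
        fh.write(b"\x00")
    tampered = verify_image(copy, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The size check is kept deliberately: a truncated or padded copy is caught by it before the digests are compared, which is a useful first sanity check on very large images.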

With data images in hand, you can now enter the analysis phase. Sometimes during this phase, you will need to retrieve deleted or encrypted data. A variety of commercial and open-source forensic software can retrieve items, including incriminating evidence, that you might otherwise overlook.

During the next part of the analysis phase, you should search through the collected information for inappropriate or illegal activity. Although you can use Unix- or Windows-based search tools, forensics-based search tools are available to help ensure that you are analyzing the correct data. For example, if a user renamed a file and its extension to try to hide something, the forensic search software could uncover the foul play.
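As an added illustration of that renamed-file check (example code, not from the article or the products it reviews): compare each file's leading bytes against known format signatures instead of trusting its extension. The signature table and sample files are constructed; the ZIP entry accepts Office and Java extensions because those formats are ZIP containers and would otherwise be flagged as false positives.

```python
# Format signatures and the extensions that legitimately carry them.
# (Constructed table; extend it from a signature database for real casework.)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    # ZIP is also the container for Office 2007+ documents and Java archives,
    # so those extensions are legitimate, not a mismatch.
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "pe", {"exe", "dll", "sys", "scr"}),
]


def identify(header):
    """Return (kind, allowed_extensions) for the first matching signature."""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None, set()


def check_file(name, data):
    """Classify one file as ok, mismatch (content contradicts name) or unknown."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, allowed = identify(data[:16])
    if kind is None:
        status = "unknown"        # no signature: plain text, empty, or unlisted type
    elif ext in allowed:
        status = "ok"
    else:
        status = "mismatch"
    return {"name": name, "ext": ext, "signature": kind, "status": status}


def find_mismatches(files):
    """Return the names of files whose content type contradicts their extension."""
    return [r["name"] for r in (check_file(n, d) for n, d in files)
            if r["status"] == "mismatch"]


# Constructed sample files: (name, first bytes of content).
SAMPLE_FILES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("budget_2004.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),  # JPEG renamed .txt
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),            # legitimate Office file
    ("notes.txt", b"Meeting moved to 10am"),                   # plain text, no signature
    ("readme.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),             # Windows executable named .pdf
]

if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(check_file(name, data))
```

Files with no recognised signature are reported as unknown rather than suspicious, so a plain text file is not mistaken for foul play; only a positive contradiction between content and name is flagged.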

After uncovering the data, the next step is to correlate the information from the investigation's various data sources. For example, you might need to construct a timeline of events. To do so, you may have to merge network log timestamps and data with database access and usage logs. Forensic software will often include resources to help you correlate the information.
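A worked version of that correlation step, added here and not taken from the article or any reviewed product: three constructed log sources in three timestamp formats are normalised to UTC, corrected for a known clock error, and merged into one ordered timeline. Host names, addresses, user names and the 95-second database clock error are all assumed values.

```python
from datetime import datetime, timedelta, timezone

EASTERN = timezone(timedelta(hours=-5))   # assumed local zone of the firewall
LOG_YEAR = 2005                           # syslog lines carry no year

# Constructed log lines, each in its source's native format and clock.
FIREWALL_LOG = [  # syslog, local time, no year
    "Mar  3 14:02:11 fw1 kernel: ACCEPT SRC=10.8.0.23 DST=10.1.5.40 DPT=1433",
    "Mar  3 14:07:45 fw1 kernel: ACCEPT SRC=10.8.0.23 DST=10.1.5.40 DPT=1433",
]
DB_LOG = [        # ISO 8601 UTC; this server's clock is assumed to run 95 s slow
    "2005-03-03T19:02:00Z user=jdoe action=SELECT table=payroll rows=4120",
    "2005-03-03T19:06:25Z user=jdoe action=EXPORT table=payroll file=p.csv",
]
WEB_LOG = [       # Apache common log format with an explicit UTC offset
    '10.8.0.23 - - [03/Mar/2005:14:07:50 -0500] "GET /hr/export.php HTTP/1.1" 200 512',
]


def parse_syslog(line):
    when = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return when.replace(tzinfo=EASTERN).astimezone(timezone.utc), line[16:]


def parse_iso(line):
    stamp, rest = line.split(" ", 1)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, rest


def parse_apache(line):
    start, end = line.index("[") + 1, line.index("]")
    when = datetime.strptime(line[start:end], "%d/%b/%Y:%H:%M:%S %z")
    return when.astimezone(timezone.utc), line[end + 2:]


def build_timeline(sources):
    """sources: (name, lines, parser, clock_offset_seconds).
    clock_offset is how far that source's clock runs AHEAD of true time
    (negative = behind); it is subtracted before the sources are merged."""
    events = []
    for name, lines, parser, offset in sources:
        for line in lines:
            when, what = parser(line)
            events.append((when - timedelta(seconds=offset), name, what))
    events.sort(key=lambda e: e[0])
    return events


def demo(correct_clocks=True):
    """Return [(UTC hh:mm:ss, source)] with or without the DB clock correction."""
    db_offset = -95 if correct_clocks else 0
    sources = [("firewall", FIREWALL_LOG, parse_syslog, 0),
               ("database", DB_LOG, parse_iso, db_offset),
               ("web", WEB_LOG, parse_apache, 0)]
    return [(e[0].strftime("%H:%M:%S"), e[1]) for e in build_timeline(sources)]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Run without the correction, the first database query appears to precede the firewall's ACCEPT for that connection, which is impossible; the corrected timeline puts the query after the connection and the export just after the web request that triggered it, which is the kind of inconsistency a documented clock-offset check exists to catch.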

The final phase of forensic investigations is usually the production of at least one report that describes the investigation's outcome. Reports may include summary information about the event and additional details.

Walking through the phases

With an eye toward the four phases of forensic investigation, we wanted to gauge how effective some of the products mentioned here would be when added to an agency's forensic toolkit. We spent some time assessing AccessData's Forensic Toolkit, Paraben's P2 Power Pack and ASR Data's Smart Linux.

We recommend that you put more than one solution in your toolkit. Only one of the three units we tested, the Paraben P2 Power Pack, attempts to cover all four phases of forensic analysis. And each product had special capabilities.

During the collection phase, we found that all three did an excellent job of creating images. We were able to successfully copy information from several types of file systems, including file allocation table, NT File System, ReiserFS, journaled file system and Ext2/3.

We especially liked Smart Linux's concurrent task capability, which let us simultaneously scan multiple images. We were limited only by the resources of our available hardware. In addition to image collection, we found some other useful seizure capabilities in Paraben's modules. For example, they can collect data from cell phones and PDAs.

Moving to the preservation phase, we used Paraben's P2 Explorer and ASR Data's Smart Linux to generate Message Digest 5 checksums and to apply the algorithms used for creating digital signatures. We used Smart Linux's tools to validate the images, and with P2 Explorer we could write-protect the information we had uncovered.

All three tools provide in-depth analysis capabilities. For example, we were able to use Paraben's Decryption Collection tool to recover passwords. The three tools also provide useful searching functions. AccessData's Forensic Toolkit allowed us to rapidly search text and images. In addition, we used the product's Live Search function to find binary patterns in the collected data.

Access Data and Paraben provide additional analysis tools, including facilities for examining e-mail messages, compressed files, chat sessions and so on. We were able to successfully analyze e-mail messages from Netscape and Yahoo. Paraben's e-mail analysis tools also include support for products such as Lotus Notes. We used this support to inspect an e-mail file based on Lotus Notes Version 6.0. Paraben and Access Data also did a nice job of recovering deleted e-mail messages.

We then used Access Data's support for a number of different archive formats, such as WinZip and tape, to extract the contents of several large archives. Moreover, Paraben's Chat Examiner enabled us to analyze several Yahoo chat sessions with ease.

When it comes to correlating the collected data, Access Data and Paraben include some powerful filtering capabilities that simplify the compilation of potential evidence files. For example, you could use a filter to identify standard operating system files and program files so you can eliminate them from your results.

Of the three products we examined, Paraben's had the best options for addressing the reporting phase of forensics. Using Paraben's Case Agent Companion, for example, we could add notes, bookmark various sections of the data and produce detailed reporting data.

One of the most attractive qualities of these tools -- and many other similar commercial and open-source solutions -- is that you can either download them directly or try out a demo version.

If you're investing in the construction of a forensic toolkit for daily use, you'll likely want to include several products. Given agency budget constraints, you probably want to include commercial and open-source options. However, no matter how well-stocked your toolkit is, you will encounter situations in which you should just call in the cavalry -- an experienced forensics expert.

Turning to outside experts

After agency security employees finish an initial forensic investigation, they may find enough evidence to warrant contacting a forensics expert to conduct a more in-depth investigation. The experts we spoke to said that if agencies were considering legal action, they should contact experts to ensure that all the evidence would be admissible in court.

What should you look for when trying to select a forensics expert? Heiser said he recommends looking for "someone who has had a lot of courtroom experience, especially successful prosecutions."

Jon Berryhill, chief operating officer at Berryhill Computer Forensics, expressed similar sentiments. He advises agency officials to take a close look at experts' experience and references. "That person must be able to communicate clearly on the phone, in person and in writing to be able to explain to the judge, lawyers and jury exactly what happened during the event," he said.

Although you would want to summon an expert when handling serious legal issues, you can take advantage of your internal forensic policy and toolkit to address inappropriate activity. Constructing and maintaining the policy and toolkit can help contain costs while improving compliance with legislation to ensure data security and integrity.

Forensic education and training

We asked our experts how agency security and risk-assessment teams should go about gaining knowledge about forensics and the best ways to expand that knowledge over time. Heiser said a primer, such as the one he co-authored with Warren Kruse, is a good place to start. He added, however, that "the trend lately is toward subject-specific books" on the various aspects of forensics.

Berryhill takes a slightly different approach to gaining forensic knowledge. "Read as much as you can and get as much training as you can. Go to conferences," he said. "After that, the most important thing is to stay connected with the experts who are out there doing forensic work every day." Berryhill suggests that after initial education, agency security employees should seek out a forensics expert to act as a mentor so they can stay informed on the issues and technology advances.

"The best sources of educational materials can be gained by getting in touch with law enforcement organizations," Margeson said. He particularly recommends the High Technology Crime Investigation Association (www.htcia.org).

Indeed, there are many security and law enforcement organizations that regularly offer forensic training. For example, the SANS Institute (www.sans.org) offers monthly courses at various locations throughout the United States and abroad. Moreover, several universities -- including the University of Central Florida, Champlain College and the University of Washington -- offer courses of various lengths to help get you up-to-speed on forensic tools and techniques. Several universities offer forensics-related courses online, too.

Biggs, a senior engineer and freelance technical writer based in Northern California, is a regular Federal Computer Week analyst. She can be reached at maggiebiggs@acm.org.

Online forensic resources

Trinux
URL: trinux.sourceforge.net
Platforms: Linux, Unix

Overview: RAM disk-based Linux distribution that boots from a single floppy or CD. Includes forensic and other security-related tools, such as vulnerability scanners. Addresses the collection, preservation and analysis phases of forensics. Supports OpenSSH (a free implementation of the Secure Shell protocol) and scripting via Perl, PHP and Python. The product, including source code, can be downloaded from the Internet. Documentation is brief, but support is available via a mailing list and online forums.

The Coroner's Toolkit
URL: www.porcupine.org/forensics/tct.html

Platforms: Unix, Berkeley Software Design's BSD

Overview: Useful for live analysis of compromised machines. Includes tools that address the collection and preservation phases of forensics. Capable of collecting volatile data about a system's current state. Includes command-line tools and a graphical user interface (GUI) front end. Supports Unix file system (UFS) and Ext2/3 file system types. Documentation is minimal, but support is available via a mailing list.

The Sleuth Kit
URL: www.sleuthkit.org
Platforms: Unix, Linux, BSD, Apple Macintosh

Overview: A set of command-line tools based on the Coroner's Toolkit. Includes a GUI called Autopsy. Supports the collection, preservation and analysis phases of forensic investigations. Enables recovery of data stored in the host protected area. Supports file allocation table, NT File System, Ext2/3 and UFS. Documentation available, including material on how to use the kit on Microsoft Windows machines. Support is available via forums, mailing lists and a monthly newsletter.

Open-source forensic solutions

One of the interesting trends in the forensics arena is the strong growth of the number of tools emerging in the open-source community.

Although traditional forensics experts might find this somewhat of a departure from the norm of using commercial products, one of the benefits of using open-source tools is that the source code is also included.

With the source code in hand, it is possible to generate a completely documented procedure while also enabling the forensics expert or security team member to verify that the tool does exactly what it claims.

Another benefit of using open-source tools, of course, is the cost. There is usually no cost associated with such tools unless some form of support is included. This is good for budget-minded agencies that want to put together a basic forensic toolkit.

On the downside, if you choose to use a user-supported open-source tool and you have trouble, help might be limited to e-mail, online forums or mailing lists.

However, security personnel and forensics experts who have a good background in the essentials of Linux, Unix and Windows should not find the going tough.

The other challenging aspect of open-source tools is that availability can change rapidly. For example, one group of developers of a particular tool might choose to cease further development, while a new group might get together to create a tool that addresses a specific need.

Keeping up with the fast pace of the open-source community is a challenge you should take only if you are fully committed to doing so for some time.

Open-source solutions that support Linux, Unix and Windows-based forensics exist. Moreover, many of the Linux- and Unix-based tools can be used to inspect Apple Computer's Macintosh machines, too.

Some open-source tools are full-featured and capable of addressing all phases of a forensic investigation, while others are tightly focused on just addressing one or two phases (e.g., collection support).

To learn more about open-source tools, go to www.opensourceforensics.org/tools/unix.html for Unix or www.opensourceforensics.org/tools/windows.html for Windows-based solutions.

-- Maggie Biggs

Paraben P2 Power Pack

Paraben
www.paraben-forensics.com
(801) 796-0944

Ease of use: *****

Collection: ****

Preservation: ****

Analysis: *****

Reporting: ***

Pricing: The software costs $1,495.

Comments: The P2 Power Pack has modular, pluggable components that can be bought individually. It offers strong Internet application support, can be used with multiple types of images, and has good analysis and reporting tools. Its hardware adapters enable data retrieval from personal digital assistants and wireless phones.

Platforms: The software runs on Microsoft Windows.

Access Data Forensics Toolkit

AccessData
(801) 377-5410
www.accessdata.com

Ease of use: *****

Collection: ****

Preservation: ****

Analysis: *****

Reporting: **

Pricing: The toolkit costs $1,095.

Comments: The product has strong collection, recovery and analysis tools, and supports multiple types of images. It has good file system support and a registry viewer that can retrieve user names and passwords. It also generates audit logs and forensic case reports.

Platforms: The software runs on Microsoft Windows NT, 2000 and XP.

Smart Linux

ASR Data
(512) 918-9227
www.asrdata.com

Ease of use: *****

Collection: ****

Preservation: ****

Analysis: *****

Reporting: **

Pricing: The software costs $2,000, with discounts for law enforcement.

Comments: Smart Linux includes tools for collection, preservation, analysis and reporting and has strong support for various file systems, including Unix file system, hierarchical file system, journaled file system, ReiserFS, file allocation table and NT File System. It offers powerful searching capabilities, utilities that enable investigators to wipe data from devices or partitions if needed, and utilities to verify checksums of the original and retrieved data. It performs concurrent forensic tasks, with scalability limited only by the hardware's capabilities.

Platform: The software runs on Linux.

Forensic resources for the cybersleuth

Books

  • "Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet," second edition, by Eoghan Casey (Academic Press, 2004).
  • "File System Forensic Analysis" by Brian Carrier (Addison-Wesley Professional, 2005).
  • "Forensic Discovery" by Dan Farmer and Wietse Venema (Addison-Wesley Professional, 2004).
  • "Incident Response and Computer Forensics," second edition, by Kevin Mandia, Chris Prosise and Matt Pepe (McGraw-Hill Osborne, 2003).
  • "Know Your Enemy: Revealing the Security Tools, Tactics and Motives of the Blackhat Community," second edition, by the Honeynet Project (Addison-Wesley Professional, 2004).
  • "The Law Enforcement and Forensic Examiner Introduction to Linux: A Beginner's Guide" by Barry J. Grundy (NASA, 2004).
  • "Malware: Fighting Malicious Code" by Ed Skoudis with Lenny Zeltser (Prentice Hall, 2003).
  • "Real Digital Forensics: Computer Security and Incident Response" by Keith J. Jones, Richard Bejtlich and Curtis W. Rose (Addison Wesley Professional, 2005).
  • "Security Warrior" by Cyrus Peikari and Anton Chuvakin (O'Reilly Media, 2004).

Journals

  • Communications of the Association for Computing Machinery, www.acm.org/pubs/cacm
  • Digital Investigation, www.elsevier.com
  • IEEE Transactions on Dependable and Secure Computing, www.ieee.org
  • International Journal of Digital Evidence, www.ijde.org