topic 7A : infocomm security Flashcards
What is digital FORENSICS?
- involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis
- evidence might be required for a wide range of computer crimes and misuses
involves multiple methods of :
1) discovering data on a computer system
2) recovering deleted, encrypted, or damaged files
3) monitoring live activity
4) detecting violations of corporate policy
What is digital EVIDENCE?
- any information that can be extracted from a computer
- in human-readable format
eg :
- recover deleted emails
- investigate after an employee's termination
- recover evidence from a formatted hard drive
- extract data created by different users
Why is evidence needed?
- wide range of computer crimes and misuses
evidence is needed by local authorities, organizations and individuals for investigations relating to :
1) fraud
2) extortion
3) virus/trojan distribution
4) unauthorized use of personal information
5) forgery
6) theft of/destruction of intellectual property
7) tracking internet browsing habits
8) software piracy
Who uses digital evidence?
1) criminal prosecutors
- to prosecute suspects by using extracted data as evidence
2) civil litigations
- data discovered on a computer can be used in fraud, divorce, harassment or discrimination cases
3) insurance companies
- evidence discovered can be used to mollify (reduce) costs
4) private corporations
- can be used as evidence in harassment, fraud and embezzlement cases
5) law enforcement officials
- data kept in storage devices often are found to be important evidence in courts and would help in post-seizure handling
6) individual/private citizens
- obtain help from forensic specialists to support claims of harassment, abuse or wrongful termination from employment
Digital forensics for incident response
- malicious code
- unauthorized access
- inappropriate usage
- denial of services
will trigger :
> containment, eradication and recovery
4 phases of digital forensics process
1) collection
- to identify, label, record and acquire data from possible sources
KEY ISSUES : preserve data integrity, collect data in a timely manner to avoid losing dynamic data or data from battery-powered devices
2) examination
- to search and process large amounts of collected data to assess and extract data of interest
KEY ISSUES : preserve data integrity, need to use suitable automated tools and manual methods
3) analysis
- to analyze results of examination and derive useful information
KEY ISSUES : only use legally justifiable means; may be required to handle many events and timelines
4) reporting
- to report results of analysis, including how tools and procedures were selected
- recommend improvements (eg forensic examination of additional data sources, securing identified vulnerabilities)
KEY ISSUE : formality of reporting steps depends on the situation
Information handling during COLLECTION phase (non-volatile information)
for non-volatile information :
- includes information, configuration settings, system files and registry settings that are available AFTER reboot
- can be investigated from a backup copy
Information handling during COLLECTION phase (volatile information)
for volatile information :
1) network information
- communication between system and network
2) active processes
- programs and daemons currently active on the system
3) logged-on users
- users/employees currently using system
4) open files
- libraries in use
- hidden files
- trojans (rootkit) loaded in system
5) can be captured from a system core (memory) dump while the system is powered on
Challenges for handling information in collection phase
anti-forensics software that :
1) limits and/or corrupts evidence that could be collected by an investigator
2) performs data hiding and distortion
3) exploits limitations of known and used forensic tools
Handling of data sources for analysis
details of investigation depend on the incident but generally, these are the steps :
- check the recycle bin for deleted files
- check the web browser history files and address bar histories
- check the cookie files
- check the temporary internet files folder
- search files for suspicious character strings
- search the slack and free space for suspicious character strings
- conduct event or timeline analysis
Key factors to determine handling of each phase of forensics by internal/external parties
1) cost
- software, hardware, and equipment used to collect and examine data may carry significant costs
- staff training, labor costs, which are particularly significant for dedicated forensic specialists
2) response time
- personnel located on-site might be able to initiate computer forensic activity more quickly than off-site personnel
- off-site outsourcers located near distant facilities might be able to respond more quickly than personnel located at the organization's headquarters (for organizations that are geographically dispersed)
3) data sensitivity
- some organizations might be reluctant to allow external parties to image hard drives and perform other actions that provide access to data
Methods of hiding data
1) steganography
- the art of storing information in such a way that the existence of the information is hidden
2) watermarking : hiding data within data
- information can be hidden in almost any file format
- file formats with more room for compression are the best (JPEG, GIF, MP3, MPG)
- the hidden information may be encrypted, but not necessarily
- numerous software applications will do this for you (many are available online)
Methods of detecting/recovering data
steg-analysis : the art of detecting and decoding hidden data
- hiding information within electronic media requires alterations of the media properties that may introduce some form of degradation or unusual characteristics
- the pattern of degradation or the unusual characteristic is often specific to a particular type of steganography method (its signature)
- steganalysis software can be trained to look for such a signature
Steg-analysis methods : detection
1) human observation
- opening a text document in a common word processor may show appended spaces and “invisible” characters
- images and sound/video clips can be viewed or listened to and distortions may be found
> generally, this only occurs if the amount of data hidden inside the media is too large to be successfully hidden within the media
2) software analysis
- even small amounts of processing can filter out echoes and shadow noise within an audio file to search for hidden information
- if the original media file is available, hash values can easily detect modifications
File deletion
- when a user deletes a file on a storage device, the file is not physically deleted; instead, only the pointer to it in the file allocation table is deleted
- a second file that is saved in the same area may not occupy as many sectors as the first file, so a fragment of the previous file, still containing data, may remain