COMPUTER FORENSICS. Introduction. Jason Solomon Erik Lattimore

Transcription

1 Jason Solomon Erik Lattimore COMPUTER FORENSICS Introduction Law enforcement is in a perpetual race with criminals in the application of digital technologies, and requires the development of tools to systematically search digital devices for pertinent evidence. Another part of this race, and perhaps more crucial, is the development of a methodology in digital forensics that encompasses the forensic analysis of all genres of digital crime scene investigations [Reith02]. Digital Forensics has been defined as: The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations [Digi01]. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. Mostly, computer forensics experts investigate data storage devices, these include but are not limited to hard drives, portable data devices (USB Drives, External drives, Micro Drives and many more). Forensics experts are responsible for the following activities: (1) identify sources of evidence, whether it be documentary or digital, (2) preserve the evidence that they acquire, (3) analyze the evidence, and (4) present the findings to the appropriate people. All of this must me done in a fashion that adheres to the standards of evidence that are admissible in a court of law. Thus, computer forensics must be techno-legal in nature rather than purely technical or purely legal ( Computer Forensics are not used solely for criminal investigation, there are many other uses as well. Some examples include employee Internet abuse, unauthorized disclosure of corporate information and data, or even industrial espionage. Technology has changed rapidly and drastically over the past twenty or so years. Many of the things that we take for granted today did not exist a mere twenty years ago; take the Internet for example. Today the Internet acts as a worldwide bridge, connecting people from around the world, allowing people to accomplish things that they never thought possible. Thanks to the Internet we no longer have to go to the mailbox to pay our bills, we don't have to wait for

2 the 6 o'clock news to see what the weather is going to be like tomorrow, we don't even have to leave our house to go grocery shopping anymore. The Internet also has its downside. It is an electronic playground for criminals and other mischievous people in this world. These people hang around and pray off those not knowing any better, whether it be senior citizens new to current technology, or children that have more computer access than they should have cause their parents do not monitor them. In particular, the surge of technical adeptness by the general population, coupled with anonymity, seems to encourage crimes using computer systems since there is a small chance of being prosecuted, let alone being caught [Maher00]. According to the Internet Crime Complaint Center (IC3), Internet related crime has been steadily increasing over the past couple of years. In 2005, IC3 processed more than 228,400 complaints that could lead to Internet crime investigations by law enforcement and regulatory agencies nationwide. These complaints were composed of many different fraud types such as auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited , and child pornography. Of these 228,400 complaints, IC3 referred 97,076 of these to federal, state, and local law enforcement agencies for further investigation. The vast majority of cases were fraudulent in nature and involved a financial loss on the part of the complainant. The total dollar loss from these reported cases of fraud was roughly 184 million dollars, with a median dollar loss of $ per complaint. This was up from the 68 million dollar mark that was reported in the year That s a jump of nearly three times what it was the year before numbers are just in, and there are no signs of Internet crime slowing down. The numbers may not have tripled like they did the year before, but the total dollar loss from Internet related crime is up to just under 200 million dollars this year.

3 The development and instantiation of the Internet Crime Complaint Center (IC3) was a major stepping-stone in the right direction. Even though IC3 is not technically a computer forensics task force itself, it serves as a go between, a way of reporting crime and inappropriate online activity to the proper authorities. IC3, which began operation on May 8, 2000, as the Internet Fraud Complaint Center was established as a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI) to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. IC3 was intended and continues to emphasize serving the broader law enforcement community, including federal, state and local agencies, which employ key participants in the growing number of Cyber Crime Task Forces. Since its inception, IC3 has received complaints across a wide variety of cyber crime matters, including online fraud (in its many forms), intellectual property rights (IPR) matters, computer intrusions (hacking), economic espionage (theft of trade secrets), child pornography, international money laundering, identity theft, and a growing list of additional criminal matters. (IC Internet Fraud Crime Report) The FBI has slowly started to make steps in the right direction, including $495 million in program increases to enhance counter terrorism, counterintelligence, cyber crime, information technology, security, forensics, training, and criminal programs. Some of this funding has gone towards opening computer forensics teams and facilities such as the Connecticut Computer Crime Task Force (CCCTF). Since opening its doors in March 2003, the CCCTF's work has led to more than 60 indictments. Some recent successes: (1) Tracking down a man distributing pornographic photos of his own grandchildren over the Internet (and thanks to CCCTF's fast work, he was taken into custody just hours before the children were to arrive for a weekend visit); (2) Breaking up a massive online software, movie, music, and videogame pirating ring by spearheading a multinational investigation involving 30 FBI field offices and over 120 search warrants in 11 countries; (3) Busting a thief who stole hundreds of thousands of dollars worth of computer equipment from a defense contractor, then tried to sell it in an online auction; and (4) Capturing two scam artists who stole the credit card numbers of unsuspecting consumers with "phishing" s. ( Computer Forensics is a fairly new field of research, people are just starting to recognize and respect it. Because it is so new, there are very few people that truly understand what is going on; therefore, there is also a lack of books and documentation on the subject. This hopefully will all change over time. I think that the government is taking a fairly decent approach at dealing with computer forensics and cyber crime these days, allocating resources to fund projects and organizations such as the IC3 and the CCCTF as mentioned above. Before IC3, victims of cyber crime had nowhere to turn, but now that is no longer the case. IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, and local level, IC3 provides a central referral mechanism for complaints involving Internet related crimes. Significant and supplemental to partnering with law enforcement and regulatory agencies, it will remain a priority objective of IC3 to establish effective alliances with industry. Such alliances will enable IC3 to leverage both intelligence and subject matter expert resources, pivotal in identifying and crafting an aggressive, proactive approach to combating cyber crime.

4 (IC Internet Fraud Crime Report) In order to triumph in the field of computer forensics, the government is going to have to continue to be aggressive and play an active part in the war on cyber crime. Related Work As mentioned before, a major problem with Digital Forensics is the fact that in many digital crimes, the procedures for accomplishing forensics are neither consistent nor standardized. Many people over the years have tried to create rudimentary guidelines, however; there focus has been primarily on a particular computer system, instead of the general problem at hand. Computer security researchers Dan Farmer and Wietse Venema outlined some basic steps in their Computer Forensics Analysis Class notes [Farmer99]. Their guidelines include steps such as secure and isolate, record the scene, conduct a systematic search for evidence, collect and package evidence, and maintain chain of custody [Farmer99]. These guidelines were a step in the right direction, however the rest of their notes focused primarily on specific UNIX forensics procedures. Their definition of the forensics process and its steps, as well as the specific methods applied to each of these steps could have been abstracted to fit a wide variety of systems, however; the lack of software tools precluded the exploration of non-unix systems. In fact, the lack of software tools on the UNIX platform prompted Farmer and Venema to build their own forensics toolkit, which later became known as The Coroner s Toolkit. One of the tools included in The Coroner s Toolkit is grave-robber. Grave-robber captures ephemeral information (process network state), figures out what it can about the system hardware configuration (especially disks and partitions), and searches the file systems for critical files (configuration files, log files, and other critical files). A major downside of grave-robber is that it is usually run on the original copy of the data, and this goes against the basic rule of computer forensics analysis: do as little processing as possible with the original data, always work from a backup. While a step in the right direction, this toolkit was too focused on one platform. Another set of computer security researchers, Mandia and Prosise, made a viable attempt at outlining a digital forensics process, otherwise known as an incident response methodology. This methodology is comprised of such steps as pre-incident preparation, detection of incidents, initial response, response strategy formulation, duplication, investigation, security measure implementation, network monitoring, recovery, reporting and follow-up [Mandia01]. This methodology serves its intended purpose, that is it provides the depth and breadth of investigating computer crimes, and it remains abstract enough to apply to many different computing systems. This methodology is applicative only when dealing with computer crime. What about a situation where an investigator needs to pull information off of a digital camera or other form of digital medium? Mandia and Prosise do not address the forensics process in terms of other digital devices such as PDA s, cell phones, or even future digital technologies. They re methodology does hone in on the fact that the pre-incident preparation is a very important step when it comes to professionally organizing the forensic process, and this has laid the ground work for many new researchers in this field.

5 The US Department of Justice (DOJ) also attempts to describe the process of computer forensics. The DOJ supports the idea of abstracting the process so that it can be applied to number of different digital medium. Currently, their abstract process includes the phases of collection, examination, analysis, and reporting [Tech01], simple and to the point, which allows for traditional physical forensic knowledge to be applied to electronic evidence. The DOJ took their process a step further and does not make a distinction between forensics applied to computers and forensics applied to other digital media. Instead, the DOJ attempts to build a more generalized process that will eventually encompass digital media as a whole. One thing that I found particularly interesting with the DOJ is that they attempt to list the types of evidence that may be found on electronic devices, the potential locations that this evidence may be found, and the types of crimes that may be associated with that type of evidence. For example, it lists the commonly cited hidden evidence locations such as deleted files, hidden partitions and slack space, but also lists what type of information may be stored there such as social security numbers, source code or images [Reith02]. This information can then be crosschecked against a list of suspected crimes such as identification theft, child pornography, or even bank/credit card fraud. The identification of the types of potential evidence and the possible hiding locations on different electronic devices is a positive step for forensic practitioners to develop a generalized process that can be instantiated with a particular technology to produce meaningful results to a court of law [Reith02]. Another significant contributor to the growing field of digital forensics is the Digital Forensics Research Workshop (DFRW). The DFRW is the first large-scale organization that is lead by academia rather than law enforcement, and in my opinion, this is the direction that we should move. The fact that this organization is lead by academia is important because it will help define and focus the direction of the scientific community towards the challenges of digital forensics [Carr02]. The biggest challenge is that analytical procedures and protocols are not standardized nor do practitioners and researchers use standard terminology [Digi01]. The Digital Forensics Research Workshop has worked towards developing a forensics framework that includes such steps as identification, preservation, collection, examination, analysis, presentation, and decision. This is a good place just to iterate what we said before about standardizing the process being such a large problem with digital forensics. We have talked about the work of three different groups now, all seem to be moving in the right direction and even on the same path to some extent; however, each one has a different protocol, and this prevents them from "being on the same page. Following is a protocol that was devised by three Graduate Students (Mark Reith, Clint Carr, and Gregg Gunsch) at the Air Force Institute of Technology. It can be thought of as having common steps that have been abstractly defined to produce a model that is not dependent on a particular technology or crime. This model can be thought of as an enhancement of the DFRW model. The key components include: Identification recognizing an incident from indicators and determining its type. This is not explicitly within the field of forensics, but significant because it impacts other steps. Preparation preparing tools, techniques, search warrants, and monitoring authorizations and management support.

6 Approach Strategy dynamically formulating an approach based on potential impact on the bystanders and the specific technology in question. The goal of the strategy should be to maximize the collection of untainted evidence while minimizing impact to the victim. Preservation isolate, secure and preserve the state of physical and digital evidence. This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within an affected radius. Collection record the physical scene and duplicate digital evidence using standardized and accepted procedures. Examination in-depth, systematic search of evidence relating to the suspected crime. This focuses on identifying and locating potential evidence, possibly within unconventional locations. Construct detailed documentation for analysis. Analysis determine significance, reconstruct fragments of data and draw conclusions based on evidence found. It may take several iterations of examinations and analysis to support a crime theory. The distinction of analysis is that it may not require high technical skills to perform and thus more people can work on this case. Presentation summarize and provide explanation of conclusions. This should be written in a layperson s terms using abstracted terminology. All abstracted terminology should reference the specific details. Returning Evidence ensuring physical and digital property is returned to proper owner as well as determining how and what criminal evidence must be removed. Again not an explicit forensics step, however any model that seizes evidence rarely addresses this aspect. As you can see, the main goal is of this model is to keep the process very generalized, this way you can apply the process to a wide array of digital media. This is closely modeled after the process of physical forensics that is being used today. Problem Exposition As I ll illustrate, there are many problems attributed to the digital forensics field, and we feel that most can be grouped into two categories. First, there are the more fundamental problems faced by the practice which we believe are a result of the lack of maturity of the field. The notion of digital forensics is a relatively new concept and the treatment of it as a true science is still in its infancy. The days of sysadmins performing ad hoc analysis of their systems is coming to an end, and rightfully so. Unfortunately, as with any change there is some resistance, and re-education involved. The second category is the specific, technical, problems involved with digital forensics today. While some of these problems are just rebirths of issues seen of yesteryear, others are completely new. As technology changes, new issues are raised. It s a

7 perpetual cat and mouse game between the forensics officers and the perpetrators they are studying. As specialists create ways of blocking hackers from thwarting forensics tools and practices, the hackers turn around and invent new exploits. Because of this, the problems of this category will never be completely solved. In general though, it is our feeling that fundamental practices of digital forensics must be standardized and regulated before the true scientific nature of the field can be realized Since we hold the fundamental problems to such utmost importance, it seems only fitting to discuss them first. With that being said, the single, largest problem associated with digital forensics today, is the lack of a standard or consistent methodology. This fact surprises most because they mistake the procedures and tools that are already in place for a true standard methodology. Instead, these tools and procedures were built from the experience of law enforcement, system administrators and hackers simply in an ad hoc fashion instead of originating from the scientific community, where many of the other traditional forensic sciences received their methodologies. This is problematic because evidence must be obtained using methods that are proven to reliably extract and analyze evidence without bias or modification. (An Examination of Digital Forensic Models) A closely related problem is the issue of specialization. In many digital crimes, the procedures for accomplishing forensics are neither consistent nor standardized. Instead, you ll find some rudimentary guidelines for specific situations. For example, two individuals (Farmer and Venema) published a paper a not too long ago on digital forensics procedures but as they applied on the UNIX operating system. As they two gentlemen were writing their paper, they also realized that UNIX lacked the proper software to perform forensics so they also developed a toolkit. Thus was great news for UNIX, but where does that leave forensics specialists when they find themselves working on a Windows machine or what about a Cisco router. The problem gets even worse as you start to consider the need for forensic procedures that apply to cell phones, PDAs, peripherals, and any other digital device that may be invented in the future. How can we cope with such a vast space by using a practice known to any computer scientist: abstraction. The DOJ realized this and has developed its own standards, which generalize across any digital device. In fact, the processes they describe are not much dissimilar from traditional methods to collect physical evidence, but abstracted to apply to digital evidence. For the remainder of this section, we re going to describe and discuss some of the technical problems associated with digital forensics as seen today. As we mentioned before, many of these issues will probably come and go because of their specific nature, but they re still worth noting since many of the general themes reoccur. One such problem is the exponential growth of data. Storage space has exploded in recent years, and data has behaved in an almost gas-like nature where if given room to grow, it will always expand to consume it. The problem created by this trend is that our ability to analyze and filter data hasn t grown at nearly the same right. Processors can t keep up and humans can t keep up with the explosion of data we are seeing. Currently, a typical case is on the order of 200GB to 2TB of data. (Next-Generation Digital Forensics) Computing resources and human resources are incapable of accurately analyzing that volume of data in any sort of timely manner with the tools of today, especially if the criminals were sophisticated in their methods. Fortunately, there are solutions being work on to combat this problem. Computing resources are constantly improving, but the greatest promise

8 to fill the gap comes from the distributed computing field. By coding tools that can harness the resources of a network of computers, things such as searches can happen much quick; however, these tools still rely heavily on human interaction. That has to change in the future as we need to move toward more automated analysis to solve the problem of information overload. And finally: anti-forensics. As the name implies, it s the evil cousin of digital forensics and one of the hottest issues faced by the forensics field. While this cat and mouse game has existed for centuries, we re beginning to see a level of sophistication employed by the bad guys never before seen in the digital forensics realm. To illustrate this growth in sophistication, lets go back to a time of innocence, the 1970s, and examine a practice of data hiding involved in piracy. Back then, it was common for software to be shipped on 5.25 floppies, which were easy to duplicate. To combat this, vendors placed product codes in the upper portions of the disk (beyond track 80) because DOS couldn t address above that so when users tried to copy the software, the codes would be left out. Well, it didn t take long for hackers to discover this and write their own software that would bypass DOS and speak directly with the floppy controller. That way, they could copy the data above track 80. Today, techniques are much more advanced and involve intimate knowledge of file systems and how they re laid out. For example, a file system is broken up into blocks, and if a file doesn t fill a whole block then that space gets unused. Well, there are tools that allow you to code messages inside that slack space, which could go undetectable to the untrained. Additionally, anti-forensics isn t just limited to data storage; there are also modern techniques that apply to current networking protocols. For example, there is software available that allows hidden messages to be transmitted using ICMP echo packets. It works by taking advantage of the options field, which is specified in the TCP standard. In this way, people can place messages inside these packets and entire conversations can take place with the only thing an unsuspecting sysadmin sees is legitimate looking ping requests and replies. Couple some of these techniques with encryption, stenography and new methods yet to be seen, and the future of digital forensics looks bleak. However, fortunately most of these methods are not widely used as it seems human nature is to practice only the bare minimum to get by, so we have time to develop solutions to these problems. As we re doing this though, we should be mindful to not only look for solutions to what we know is possible, but to also consider what can be possible. Our Contribution This last section we talked about some current work that is being done in the field of digital forensics; although these advancements are major steps forward, there is still much work to be done. After reading all the papers and books that we have, we have some ideas that we believe can be used to improve some of the methods and tools that are in use today. Going back to the model that we presented above, we feel that a standardized model will play a large role in future digital forensics investigations and procedures. For example, this methodology can be applied to a range of digital devices, anything from alarm clocks to computers, and even unrealized digital devices of the future. This is important, because if we lay down the groundwork today, the field will naturally change along with the times. Future technologies and the technical details required to forensically analyze them can be instantiated to

9 provide a consistent and standardized methodology for providing new electronic evidence. Having a standardized model like the one discusses above also provides a common framework for law enforcement and the judicial system, helping keep them both on the same page while in a court of law. The smoother the system runs, the easier it is for people to learn how that system works. If you have a system that is full of flaws and bugs, it is going to be nearly impossible to get anything accomplished, nonetheless teach someone how to use it. Another important topic that we want to address is meshing today s computer science nerd with today s law enforcement personnel. We believe that it is much easier for a computer scientist to learn basic law enforcement than it is for a law enforcement agent to learn computer science, but many people in the field nowadays are advocates of exactly the opposite. They believe that it is easier to teach a law enforcement agent how to use computers, but this is the problem. A law enforcement agent doesn t just need to know how to use computers; they need to understand how computers work. They need to have more than the basic understanding of them. In order to perform a thorough and legally acceptable investigation, one that is going to stick in court, the investigator must have the best of both worlds. This being said, it would be a good idea for a school such as Northeastern, that s big on real world experience, to integrate computer science and criminal justice and create a dual major program. I think with technology changing as rapidly as it is, a good number of students would be interested in taking up such a discipline. The program would be a couple of core computer science classes, such as basic programming and networking, and a few core criminal justice classes, to give you introduction on how our legal system works. The students could then go on in their middler year to get a coop experience with a police force in the area, or even if there was some cooperation with the government agencies such as the FBI, CIA, and NSA. I know that the school works with these agencies now to get help students get coops. Once the core curriculum was out of the way and the student has some real world experience, then the last year or so would be spent taking classes that bring the two fields together. I think that the Network Security class here at Northeastern would be a good class that would help tie the two subjects together. After finishing our presentation on Digital Forensics, we actually had a student in the class approach us and tell us that he was a criminal justice major with a computer science minor and his reason for taking the class was because he was interested in exactly this, digital forensics. This would be a good stepping-stone for the future. Conclusion Each year, there has been a steady increase in the number of computer crimes and computer related crimes that are committed each year. As technology evolves and criminals become more sophisticated and tech savvy, our law enforcement agents struggle to keep up. One of the main reasons for falling behind in this race is that we ve been trying to develop new tools to catch these criminals and we forget about implementing standardized forensics procedures. These procedures must be applicable to all current digital crimes, as well as any unrealized crimes of the future. As we discussed in the sections above, many of the procedures that are in place today are simply too technology specific. Without these standard procedures in place, there are countless investigations that are botched every year and unless something is done, these numbers will only continue to rise.

10

11 REFERENCES Davis, Chris, Aaron Philipp, and David Cowen. Hacking Exposed Secrets & Solutions: Computer Forensics. New York: McGraw-Hill/Osborne, Britz, Marjie T. Computer Forensics and Cyber Crime. Upper Saddle River: Pearson Prentice Hall, Slade, Robert M. Software Forensics: Collecting Evidence From the Scene of a Digital Crime. New York: McGraw-Hill, "Federal Bureau of Investigation - Cyber Investigations - Cybercrime." Federal Bureau of Investigation. 01 Mar < IC3 Annual Report. Internet Crime Complaint Center Mar < IC3 Annual Report. Internet Crime Complaint Center Mar < Carr, Clint. Gunsch, Gregg. Reith, Mark. An Examination of Digital Forensic Models. International Journal of Digital Evidence. 1 (3). Fall The Common Digital Evidence Storage Format Working Group. Standardizing Digital Evidence Storage. Communications of the ACM. (49) 2: February Carrier, Brian D. Risks of Live Digital Forensic Analysis. Communications of the ACM. (49) 2: February Casey, Eoghan. Investigating Sophisticated Security Breaches. Communications of the ACM. (49) 2: February Richard III, Golden C and Roussev, Vassil. Next-Generation Digital Forensics. Communications of the ACM. (49) 2: February Berghel, Hal. Hiding Data, Forensics, and Anti-Forensics. Communications of the ACM. (50) 4: April Mandia, K., Prosise, C. Incident Response. Osborne/McGraw-Hill Digital Forensics Research Workshop. A Road Map for Digital Forensics Research Farmer, D., Venema, W. Computer Forensics Analysis Class Handouts

12 Technical Working Group for Electric Crime Scene Investigation. Electronic Crime Scene Investigation: A Guide for First Responders