
CS556: Computer Security Computer Forensics

Computer Forensics: A look into the processes, sources, techniques and
importance of this field in today’s electronic age.

Aaron M. Alexander
alexande@cs.colostate.edu
(970) 222-3231

Colorado State University
School of Natural Sciences: Computer Science Department
Fort Collins, CO 80523

December 2003

Keywords: evidence, protection, forensics, prevention, virus, recovery

Abstract

Computers have become an important part of everyday life. With so many people using
this technology, new issues are arising within the computing environment. New forms
of data protection, data recovery, and evidence gathering must be devised and
implemented in order to keep pace with this growth of electronic information
technology. This paper gives some technical insight into issues concerning computer
information and forensics. It covers forms of data protection and recovery, as well
as forms of data intrusion and corruption. It also covers the different sources of
electronic evidence that can be found on a variety of storage devices during an
investigation.

Introduction

As the risk of malicious attacks against computer systems grows, the need for stronger
security measures becomes more pressing. This growth is also expanding the research
areas and creating a new arena of study for the computer security sector. There is a
flood of improvements and prevention tactics being used in an effort to hinder
attacks, but no matter how many approaches to security are developed, some computer
and network attacks will always succeed. It is the responsibility of computer
forensics technicians to catch the criminals responsible for these attacks and see
them punished, and to make sure that the recovery of an attacked system is as
complete as possible.

Forensic evidence gathering has long been a standard part of the investigative
process. The term computer forensics has many meanings; it originated in the late
1980s with early law enforcement practitioners, who used it to refer to the
examination of stand-alone computers for digital evidence of crime. One definition
of computer forensics is: the scientific examination and analysis of data that is
kept on, or retrieved from, computer storage media in such a way that the information
can be used as evidence in a court of law.

“Computer forensics” as a term has become less widely used by professionals. Most of
today’s attacks involve computer systems that are on a network. This has revealed a
need to change the old “Computer Forensics” label into a more meaningful one:
“Computer and Network Forensics”. The addition of the word “Network” has become
necessary because of the mainstream attacks being dealt with today, such as
distributed denial of service attacks, viruses, domain name hijacking, and website
shutdowns. These crimes are normally committed via an electronic network.

The techniques of Computer and Network Forensics (CNF) are used to discover evidence
in a wide range of crimes, from theft of trade secrets, to protection of intellectual
property, to general misuse of computers. The main goal of CNF is to gather
sufficient evidence after a crime has been committed in order to prosecute those who
are responsible. This leaves Computer and Network Forensics mainly suited to law
enforcement agencies.

An Approach to Protection

As with any information management system, it is important to maintain the
confidentiality and integrity of the system information. The most effective way of
achieving this security has been found to be the use of three mutually supportive
technologies: authentication, access control, and audit. Authentication is the act of
establishing the identity of a user to some part of the system, usually through a
password. Access control is the act of allowing certain tasks to be completed between
parties, with authentication as a prerequisite. Auditing is the process of gathering
information about the activity taking place on the system and then analyzing that
data to discover any security violations.

Authentication can be considered the most basic security mechanism, the one on which
other security mechanisms depend. It is the building block upon which access control
and audit are built. The process is described as establishing identity between a user
and a computer, or more generally, between a pair of computers. Authentication is
useful in preventing replay attacks on network traffic and spoofing attacks between
computers. It can be achieved using passwords, where a special “code” is required
before a user may access a computer. Token-based authentication is the practice of
carrying a credit-card-sized device that contains a unique private cryptographic key.
Biometric authentication is used for more high-end applications, where voice checks
of different phrases or active input such as dynamic handwriting of signatures are
used. These biometric checks must be dynamic in some way every time they are used in
order to prevent replay attacks.
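The paragraph contrasts a static password, which an eavesdropper can capture and resend, with token or biometric checks that must be dynamic on every use. The following example, added here and not part of the paper, shows the difference in code: a challenge-response login in which the verifier issues a fresh random nonce per attempt and accepts each challenge only once, beside a plain password check that accepts the same captured credential again. The shared secret, the password and the hash construction are constructed for the demonstration; the HMAC over the nonce stands in for whatever computation a real token performs with its private key.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret shared between the token and the verifier
# (a hypothetical value; a real token holds a provisioned private key).
TOKEN_SECRET = b"constructed-demo-secret"


class Verifier:
    """Server side of a challenge-response login."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        # A fresh random nonce per login attempt is what makes each
        # exchange dynamic, so a captured answer is useless later.
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: bytes) -> bool:
        # Each challenge may be answered once; a replayed (nonce, response)
        # pair is rejected here even though its MAC is still valid.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(secret: bytes, nonce: bytes) -> bytes:
    """Token side: prove possession of the secret without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


# Static password for contrast: the same credential is sent every time.
PASSWORD_HASH = hashlib.sha256(b"constructed-password").hexdigest()


def password_login(submitted: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(submitted).hexdigest(), PASSWORD_HASH)


def demo_replay() -> dict:
    """Run one legitimate login, then replay the captured traffic."""
    verifier = Verifier(TOKEN_SECRET)
    nonce = verifier.issue_challenge()
    response = token_respond(TOKEN_SECRET, nonce)
    captured = (nonce, response)             # what an eavesdropper would see

    first = verifier.check(nonce, response)  # genuine login succeeds
    replay = verifier.check(*captured)       # same pair resent: rejected
    # Old answer presented against a new challenge: rejected as well.
    stale = verifier.check(verifier.issue_challenge(), response)

    # A captured static password, by contrast, works as often as it is resent.
    captured_pw = b"constructed-password"
    password_replay = password_login(captured_pw) and password_login(captured_pw)

    return {"first": first, "replay": replay, "stale": stale,
            "password_replay": password_replay}


if __name__ == "__main__":
    print(demo_replay())
```

The same structure is why the paper insists that biometric checks vary from use to use: a recorded voice sample or signature image is a static credential unless the system binds each check to a fresh phrase or prompt.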

Access control is based on the idea of implementing an access control matrix. This
matrix contains subjects, objects, and privileges; the subjects are given privileges
to certain objects. There are a few approaches to implementing this means of
protection: access control lists, capabilities, and authorization relations. With
access control lists, each object is associated with an ACL listing, for each subject
in the system, the accesses the subject is authorized to execute on the object; the
matrix is stored by columns. Capabilities are the dual approach to ACLs: each subject
is associated with a list, called the capability list, indicating for each object the
accesses the subject is authorized to execute on it; the matrix is stored by rows. In
authorization relations, a table is set up where each row, or tuple, specifies one
access right of a subject to an object.
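The three layouts above are the same matrix stored three ways. The example below, added here and not from the paper, builds a small constructed matrix, derives the ACL (column) view, the capability (row) view and the authorization relation (tuple) view from it, checks that all three answer every access query identically, and shows the practical difference the storage choice makes: revoking all access to one object is a single column deletion under ACLs but a scan over every subject's row under capabilities. Subjects, objects and rights are constructed sample values.

```python
from collections import defaultdict

# Constructed access control matrix: subject -> object -> privileges.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.doc": {"read"}},
    "bob":   {"report.doc": {"read", "write"}},
    "carol": {"payroll.db": {"read"}, "report.doc": {"read"},
              "backup.tar": {"read", "execute"}},
}
RIGHTS = {"read", "write", "execute"}


def to_acls(matrix):
    """Column view: each object carries the subjects and their rights on it."""
    acls = defaultdict(dict)
    for subj, row in matrix.items():
        for obj, privs in row.items():
            acls[obj][subj] = set(privs)
    return dict(acls)


def to_capabilities(matrix):
    """Row view: each subject carries its capability list over objects."""
    return {subj: {obj: set(p) for obj, p in row.items()}
            for subj, row in matrix.items()}


def to_relation(matrix):
    """Authorization relation: one (subject, object, right) tuple per right."""
    return {(subj, obj, right)
            for subj, row in matrix.items()
            for obj, privs in row.items()
            for right in privs}


def check_acl(acls, subj, obj, right):
    return right in acls.get(obj, {}).get(subj, set())


def check_cap(caps, subj, obj, right):
    return right in caps.get(subj, {}).get(obj, set())


def check_rel(rel, subj, obj, right):
    return (subj, obj, right) in rel


def representations_agree(matrix):
    """Every (subject, object, right) query gets the same answer from all three."""
    acls, caps, rel = to_acls(matrix), to_capabilities(matrix), to_relation(matrix)
    objects = {o for row in matrix.values() for o in row}
    for subj in matrix:
        for obj in objects:
            for right in RIGHTS:
                answers = {check_acl(acls, subj, obj, right),
                           check_cap(caps, subj, obj, right),
                           check_rel(rel, subj, obj, right)}
                if len(answers) != 1:
                    return False
    return True


# Revocation cost follows the layout: one column in the ACL view,
# a pass over every subject's row in the capability view.
def revoke_object_acl(acls, obj):
    acls.pop(obj, None)
    return acls


def revoke_object_cap(caps, obj):
    for row in caps.values():
        row.pop(obj, None)
    return caps


if __name__ == "__main__":
    print(representations_agree(MATRIX))
    print(sorted(to_relation(MATRIX)))
```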

Access control policies are required to determine how accesses are controlled and how
access decisions are made. There are three common ways of achieving this: classic
discretionary policies, classic mandatory policies, and role-based policies.
Discretionary policies govern the access of users to information on the basis of the
user’s identity and of authorizations that specify, for each user and each object on
the system, the access modes the user is allowed on the object. Mandatory policies
govern access on the basis of the classification of subjects and objects in the
system, where each user and each object is assigned a security level. Role-based
policies regulate the access of users to information on the basis of the activities
the users execute in the system. Roles are assigned to users, where each role is a set
of actions and responsibilities associated with a particular working activity.
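To make the three policy families concrete, here is an added example (mine, not the paper's) with one decision function per policy over constructed users, objects and levels. For the mandatory policy the paper names security levels but not the comparison rule, so the code assumes the usual pair of rules: a subject may read only objects at or below its clearance and may write only at or above it. The discretionary part lets only an object's owner extend its ACL; the role-based part attaches permissions to roles and roles to users, so a change of duties is a role change rather than an edit of per-object rights.

```python
# Security levels for the mandatory policy (constructed, totally ordered).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_read_allowed(subject_level, object_level):
    """Mandatory: read only if the subject's clearance dominates the object's
    classification ('no read up'; the rule is assumed, the paper names only levels)."""
    return LEVELS[subject_level] >= LEVELS[object_level]


def mac_write_allowed(subject_level, object_level):
    """'No write down': information may not flow to a lower level."""
    return LEVELS[subject_level] <= LEVELS[object_level]


# Discretionary: the object's owner decides who gets which access modes.
OWNERS = {"report.doc": "alice", "payroll.db": "carol"}
DAC_ACL = {"report.doc": {"alice": {"read", "write"}},
           "payroll.db": {"carol": {"read", "write"}}}


def dac_grant(grantor, obj, grantee, mode):
    """Only the owner may extend the ACL; returns whether the grant took effect."""
    if OWNERS.get(obj) != grantor:
        return False
    DAC_ACL.setdefault(obj, {}).setdefault(grantee, set()).add(mode)
    return True


def dac_allowed(user, obj, mode):
    return mode in DAC_ACL.get(obj, {}).get(user, set())


# Role-based: permissions attach to roles, users are assigned roles.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll.db", "read"), ("payroll.db", "write")},
    "auditor":       {("audit.log", "read"), ("payroll.db", "read")},
    "admin":         {("users.db", "write"), ("audit.log", "read")},
}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"auditor"}, "eve": set()}


def rbac_allowed(user, obj, op):
    return any((obj, op) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def assign_role(user, role):
    """Changing duties means changing roles, not editing per-object rights."""
    USER_ROLES.setdefault(user, set()).add(role)
    return USER_ROLES[user]


if __name__ == "__main__":
    print(mac_read_allowed("secret", "confidential"),
          mac_read_allowed("confidential", "secret"))
    print(rbac_allowed("alice", "payroll.db", "write"),
          rbac_allowed("bob", "payroll.db", "write"))
```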

Auditing and intrusion detection is the act of examining the history of events in a
system in order to determine whether and how security violations have occurred or
been attempted. This data is recorded in an audit log, or audit trail. The
information usually recorded for each event includes the subject requesting the
access, the object being accessed, the operation requested, the time of the request,
the location from which the request originated, the response of the access control
system, the amount of resources used, and whether the operation succeeded. The
actions requested by privileged users, such as administrators, should always be
logged. This helps prevent misuse of powerful privileges and allows the control of
penetrations in which the attacker gains privileged status.
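The paragraph lists the fields an audit record should carry and says privileged actions must always be logged. The example below, added here and not part of the paper, parses a constructed audit trail laid out with exactly those fields and runs the kind of analysis the paragraph describes: it retains every action by a privileged account, flags subjects with repeated denials, reports records where the access control decision was deny yet the operation succeeded (a sign the control was bypassed), notes any operation on the audit log itself, and counts lines that failed to parse. The record format, account names, threshold and sample lines are all constructed for the demonstration.

```python
import re
from collections import Counter

# Record layout follows the fields the text lists: subject, object, operation,
# time, origin, access-control response, resources used, and outcome.
RECORD = re.compile(
    r"(?P<ts>\S+) subj=(?P<subj>\S+) obj=(?P<obj>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+) decision=(?P<decision>permit|deny) "
    r"cpu_ms=(?P<cpu_ms>\d+) ok=(?P<ok>[01])"
)

PRIVILEGED = {"root", "admin"}      # accounts whose every action is kept
DENY_THRESHOLD = 3                  # denials per subject before flagging
AUDIT_OBJECTS = {"audit.log"}       # the trail itself; touching it is notable

# Constructed sample trail (not from any real system).
SAMPLE_LOG = """\
2003-12-01T08:02:11 subj=alice obj=payroll.db op=read src=10.0.0.5 decision=permit cpu_ms=12 ok=1
2003-12-01T08:03:40 subj=bob obj=payroll.db op=write src=10.0.0.9 decision=deny cpu_ms=1 ok=0
2003-12-01T08:03:42 subj=bob obj=payroll.db op=write src=10.0.0.9 decision=deny cpu_ms=1 ok=0
2003-12-01T08:03:45 subj=bob obj=users.db op=read src=10.0.0.9 decision=deny cpu_ms=1 ok=0
2003-12-01T08:10:02 subj=root obj=/etc/passwd op=write src=console decision=permit cpu_ms=3 ok=1
2003-12-01T08:11:17 subj=carol obj=report.doc op=read src=10.0.0.7 decision=deny cpu_ms=2 ok=1
2003-12-01T08:12:00 subj=admin obj=audit.log op=delete src=10.0.0.9 decision=permit cpu_ms=5 ok=1
garbage line that does not parse
"""


def parse(text):
    """Return parsed records and the count of lines that did not match."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD.match(line)
        if m is None:
            bad += 1            # an unparseable trail entry is itself worth noting
            continue
        rec = m.groupdict()
        rec["cpu_ms"] = int(rec["cpu_ms"])
        rec["ok"] = rec["ok"] == "1"
        records.append(rec)
    return records, bad


def analyze(records):
    findings = {
        "privileged_actions": [],   # every operation by a privileged account
        "deny_bursts": {},          # subjects with repeated denials
        "inconsistent": [],         # denied by access control yet succeeded
        "audit_trail_touched": [],  # operations on the audit log itself
    }
    denials = Counter()
    for r in records:
        if r["subj"] in PRIVILEGED:
            findings["privileged_actions"].append(r)
        if r["decision"] == "deny":
            denials[r["subj"]] += 1
            if r["ok"]:
                findings["inconsistent"].append(r)
        if r["obj"] in AUDIT_OBJECTS:
            findings["audit_trail_touched"].append(r)
    findings["deny_bursts"] = {s: n for s, n in denials.items() if n >= DENY_THRESHOLD}
    return findings


def run(text=SAMPLE_LOG):
    records, bad = parse(text)
    result = analyze(records)
    result["unparsed_lines"] = bad
    return result


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The deny-but-succeeded check is the one most worth keeping in a real trail: the paragraph's requirement to record both the access control response and the outcome is what makes such a contradiction visible at all.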

Authentication, access control, and audit and intrusion detection, when put together,
are the foundations for building systems that can store information with integrity
and confidentiality. Together they cover both precautionary and post-attack
approaches to system security. Every system must have a plan to deter attackers from
gaining access, and a plan in place to handle attacks if the preventive measures
fail.

Computer Attack Chronology

Attacks carried out by hackers can range from benign to devastating, depending on the
skill and knowledge of the hacker. Hackers range anywhere from novice users to
experienced computer experts. An interesting observation made over the years is that,
no matter what the skill level of the hacker, a pattern seems to have developed among
the hacker community. The stages of this pattern are: probe, invade, create mischief,
and cover tracks.

• Probing

This first step is where a hacker observes his potential targets. The hacker
might try to create a profile of a certain organization’s structure, network
capabilities and content, and security mechanisms. It is during this stage that
a hacker will determine which target will be the best for his attack and then
devise plans to carry it out.

• Penetration

After a hacker has probed a potential target, enough information should have
been gained to penetrate the system. In many cases, the target may have
configuration errors, such as open access to the system via FTP or trivial file
transfer protocol (TFTP) vulnerabilities, giving full system access to the hacker.

• Expanding Capabilities

After a hacker has penetrated the system, the next possible step is to increase his
ability to traverse the system. By exploiting the system’s vulnerabilities
discovered during probing, he may be able to obtain higher privileges in the
system, such as the ability to access root accounts.

• Creating Mischief

Once a hacker has obtained special privileges on the targeted system, he can
attempt to accomplish his original task: attacking the system. Here the hacker
can exploit his secret access by installing Trojan horses, recording system
passwords, deleting or manipulating files, or engaging in many other forms of
malicious behavior.

• Covering Tracks

Probably the most important step for the hacker is covering his tracks after
completing his objectives in the targeted system. The common way of covering
tracks is to disable event logging and restore the system to the state it was in
before the hacker broke in. The hacker will attempt to clear any event logs and
hide all files that would provide evidence of his presence in the system.

This pattern has proved to be a fairly reliable way for a hacker to break into an
unprotected system. The positive side, however, is that we are able to examine the
pattern in order to find valuable information for preventing such attacks. Such
examinations help prosecutors identify attackers and help strengthen a system’s
security mechanisms.

Computer and Network Forensics

Criminals leave different forms of evidence on computer systems, in both criminal and
civil cases. Evidence can be found in event logs kept by system auditors. It can be
found in criminal cases where incriminating material turns up in documents relating
to homicide, child pornography, drug or embezzlement record keeping, or financial
fraud. It can be found in civil cases where material could contain personal or
business records dealing with fraud, divorce cases, harassment, or discrimination.

Computer and Network Forensics experts are hired by a multitude of clients, ranging
from lawyers, to insurance companies looking to discover evidence that decreases the
amount paid on an insurance claim, to individuals looking to support claims of
wrongful termination, sexual harassment, or discrimination.

The ability to gather evidence is the backbone of CNF. In crimes dealing with
computer-related issues, the evidence collected comes from many different components
of a system. This information cannot officially become evidence until the data is
used to prove a crime has been committed. Therefore, data collected cannot
technically be called anything other than potential evidence.

One source of potential evidence is the files found on a system. Information found in
word-processing documents, spreadsheets, databases, and so on is usually among the
best places to find valuable potential evidence. Hidden application files that
contain history information, caches, backups, or activity logs are also very useful
forms of potential evidence. On some occasions, intelligent criminals may try to
encrypt files that could incriminate them, or hide them in a way that makes them
inconspicuous to the naked eye.

Since the process of gathering this potential evidence often proves more difficult
than simply finding application files on a computer, it requires someone with special
skills. Experts in CNF must train specially to gain the skills necessary to carry out
a forensic investigation. The skills required include the investigative skills of a
detective, the legal skills of a lawyer, and the computer skills of the criminals who
carry out these crimes. One person being an expert in all of these areas is something
of a rarity today, because the field is somewhat new. One way to combat this problem
is to break the role of CNF specialist into different jobs, with each position being
an expert in his or her specific field of study.

The United States National Security Agency’s information assurance workforce
development programs have come up with an approach to this issue. They have classed
four forensic positions to represent a reasonable approach to developing a reliable
CNF system. Here is an example of spreading out the responsibilities of a CNF
specialist:

• CNF Technician

A CNF technician position is the more “hands-on” field of study. These people
are responsible for exercising the technical aspects of gathering the evidence.
They are required to have the necessary technical skills to gather information
from computers and the network. Technicians must understand the software and
the hardware on host computers, as well as the network that connects them.

It is sufficient for a CNF technician to have only an associate’s degree from a
two-year college or technical school, but obviously a technician with a four-year
degree that deals with technology is the ideal choice. This may be a requirement
for anyone who aspires to become a CNF professional.

• CNF Policy Maker

The CNF policy maker is a completely different position altogether. This person
will be a manager or administrator who establishes CNF policies that reflect the
enterprise’s broad considerations. The policy maker must see the impact of
forensics in the broader context of business goals and make the hard decisions
that trade off forensics capabilities against issues of privacy and morale.

Even though these administrators need to focus on the “big picture”, they also
need to be familiar with computing and forensic sciences. While computer
familiarity is growing in the executive ranks, few senior administrators realize
the need for CNF.

• CNF Professional

The CNF professional plays a critical role as a link between policy and
execution. The professional must have extensive technical skills as well as a
broad and thorough understanding of the legal procedures and requirements
gained through either a broader education or extensive experience. Also, the
CNF professional has to understand the fundamental enterprise business to
ensure that CNF policies are executed properly within the business context.

• CNF Researcher

Although the field of CNF has not yet been fully recognized as an independent
discipline, it is far past the development status it held during the early years
of the Internet, and there is a demand for educators who specialize in it.
Although CNF professionals might be able to double as trainers for elementary
computer and evidence discovery classes, graduate degrees are required to
introduce these courses into higher education.

Along with its neighboring discipline (computer and network security), CNF
researcher education will begin with master’s programs. It is hard to tell whether
CNF research will reach a sufficient basic research categorization to meet the
rigid “contribution of knowledge” requirements of doctoral degrees. Academia will
employ most CNF researchers, although a few will be needed in large federal and
state government agencies. Career progression into the CNF policy maker role is a
possibility in certain circumstances.

Due to the multidisciplinary nature of Computer and Network Forensics, we have to
break down its structure into four main categories: evidence collection, evidence
preservation, evidence presentation, and forensic preparation.

• Evidence Collection

The core of any forensic science is information; evidence is nothing more than
information presented in court. Before anyone can present this information,
however, information relating to the malicious act must be discovered and
recovered.

In the area of CNF, simply knowing where to look will frequently uncover
information. Forensic investigators can find information hidden in logs, caches,
swap files, deleted files, and unwritten segments. In networks, information finds
its way into intermediate devices such as router caches, switches, proxy servers,
firewalls, and other types of network devices. It is the responsibility of the
forensic expert to know where to look and understand how to interpret important
tips and clues that can be hidden in the information.

The act of data recovery, though, is the result of applying special measures to
extract information from locations where it is known to reside. Probably the best
known example of data recovery is recovering information from electromagnetically
wiped or damaged disk drives. Another well-known data recovery method is
extracting deleted files from magnetic devices or volatile memory. A fact that is
not well known throughout the data recovery community is that network information
is rarely available solely through discovery. Information on a network is
partitioned into packets and must be reconstructed into sessions in order to
recover relevant information. The act of discovering and recovering information
is the heart of computer forensics.
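The paragraph's point that network information must be reconstructed into sessions before it is usable is illustrated by the following example, which is added here and is not part of the paper. It takes a constructed list of captured transport segments (the fields a sniffer would record: endpoints, sequence number, payload), groups them into sessions so that both directions of one conversation are kept together, orders each direction by sequence number, discards bytes already seen from a retransmission, and marks ranges that were never captured with placeholder bytes so the analyst can see where the reconstruction is incomplete. The addresses, ports, sequence numbers and FTP-style payloads are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Segment:
    """One captured transport segment (constructed; fields a sniffer would give)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def session_key(seg):
    """Both directions of a conversation share one key (endpoints sorted)."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def reassemble(segments):
    """Group segments into sessions, order each direction by sequence number,
    drop retransmitted overlap, and mark missing ranges with '?' bytes."""
    flows = defaultdict(list)
    for seg in segments:
        flows[(session_key(seg), (seg.src, seg.sport))].append(seg)

    sessions = defaultdict(dict)
    for (key, direction), segs in flows.items():
        segs.sort(key=lambda s: s.seq)
        data, gaps = bytearray(), 0
        expected = segs[0].seq
        for seg in segs:
            if seg.seq > expected:                 # hole: packets never captured
                gaps += 1
                data.extend(b"?" * (seg.seq - expected))
                expected = seg.seq
            start = max(seg.seq, expected)         # skip bytes already seen
            data.extend(seg.payload[start - seg.seq:])
            expected = max(expected, seg.seq + len(seg.payload))
        sessions[key][direction] = {"data": bytes(data), "gaps": gaps}
    return dict(sessions)


# Constructed capture: an FTP-style login arriving out of order with one
# retransmission and one lost server segment, plus an unrelated HTTP request.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", 40000, "10.0.0.1", 21, 1011, b"PASS guest\r\n"),       # arrives early
    Segment("10.0.0.1", 21, "10.0.0.5", 40000, 5000, b"220 ready\r\n"),
    Segment("10.0.0.5", 40000, "10.0.0.1", 21, 1000, b"USER anon\r\n"),
    Segment("10.0.0.5", 40000, "10.0.0.1", 21, 1000, b"USER anon\r\n"),        # retransmit
    Segment("10.0.0.1", 21, "10.0.0.5", 40000, 5011, b"331 need password\r\n"),
    Segment("10.0.0.1", 21, "10.0.0.5", 40000, 5035, b"230 ok\r\n"),           # 5030-5034 lost
    Segment("10.0.0.7", 40010, "10.0.0.1", 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
]

FTP_SESSION = (("10.0.0.1", 21), ("10.0.0.5", 40000))
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.1", 21)


if __name__ == "__main__":
    for key, directions in reassemble(SAMPLE_SEGMENTS).items():
        print(key)
        for direction, info in directions.items():
            print("  ", direction, info)
```

Real captures add complications this sketch leaves out (sequence-number wraparound, connection teardown, fragmentation below the transport layer), but the shape is the same: the recovered evidence is the ordered byte stream per direction, not the individual packets.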

• Evidence Preservation

As soon as you have recovered the information, you must follow rigid
requirements to preserve it for later use in court. This preservation helps
CNF experts answer two important questions: Was the evidence gathered
properly, so that it reflects all the pertinent information on the subject
device when it was collected? Has the evidence been changed since it was
collected?

Technologies such as secure copying and storage mirroring provide mechanisms for
showing the acquired evidence’s accuracy. Mirroring simply means making an exact
copy of an entire storage device; the CNF expert can extract relevant information
from the copy without disturbing the original device. Secure copying techniques
allow investigators to bind the target information to some other information that
verifies the copy’s accuracy.

Cryptographic digital signatures, in conjunction with strong physical security,
provide the potential to protect digital evidence’s integrity even further. With
proper preparation and tools, these signatures can be made tamper-resistant
against even the most sophisticated intruders and can be reconstructed from the
presented evidence to ensure authenticity.
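The two preceding paragraphs describe mirroring, secure copying that binds the evidence to verifying information, and signatures over the result. The example below, added here and not from the paper, carries that out on a constructed 8 KiB "device": it takes an exact copy, hashes the original in chunks as one would stream a real drive, records the digest together with who acquired the image and when, and authenticates that custody record so a later edit to either the image or the record is detectable. The examiner key is a constructed placeholder, and the HMAC over the record stands in for the digital signature the paper describes; a real deployment would sign with a public-key scheme so that a court can verify without holding the examiner's secret.

```python
import hashlib
import hmac
import json

# Constructed examiner key (hypothetical). It stands in for the examiner's
# signing key; a real deployment would use a public-key signature.
EXAMINER_KEY = b"constructed-examiner-key"


def image_digest(image: bytes, chunk: int = 4096) -> str:
    """Hash the bit-for-bit image in chunks, as one would stream a real device."""
    h = hashlib.sha256()
    for i in range(0, len(image), chunk):
        h.update(image[i:i + chunk])
    return h.hexdigest()


def mirror(device: bytes):
    """Take an exact copy of the device and record the original's digest,
    so analysis can proceed on the copy without touching the original."""
    return bytes(device), image_digest(device)


def copy_is_faithful(copy: bytes, original_digest: str) -> bool:
    return image_digest(copy) == original_digest


def seal_record(record: dict, key: bytes) -> dict:
    """Secure copying: bind the image digest to who acquired it and when,
    and authenticate the whole record so later edits are detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def record_is_authentic(sealed: dict, key: bytes) -> bool:
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> dict:
    # Constructed 8 KiB "device" with a small file body inside it.
    device = (b"BOOT" + b"\x00" * 508
              + b"memo.doc: meeting notes, 2003-12-01").ljust(8192, b"\x00")
    copy, digest = mirror(device)

    sealed = seal_record({"examiner": "constructed-examiner",
                          "acquired": "2003-12-01T09:00:00Z",
                          "device": "constructed-disk-0",
                          "sha256": digest}, EXAMINER_KEY)

    # Later checks: the copy intact, the copy after a one-bit change,
    # the record intact, and the record with the examiner name altered.
    tampered = bytearray(copy)
    tampered[600] ^= 0x01
    altered = {"record": dict(sealed["record"], examiner="someone-else"),
               "tag": sealed["tag"]}

    return {
        "copy_ok": copy_is_faithful(copy, digest),
        "tampered_copy_ok": copy_is_faithful(bytes(tampered), digest),
        "record_ok": record_is_authentic(sealed, EXAMINER_KEY),
        "altered_record_ok": record_is_authentic(altered, EXAMINER_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

This is what lets the digest be "reconstructed from the presented evidence": anyone holding the image can recompute the hash and compare it with the sealed record, which answers the paper's second preservation question (has the evidence changed since collection?) without trusting the person who presents it.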

• Evidence Presentation

A problem with digital evidence is that it is usually very hard to present in court,
with the biggest challenge being trying to present evidence that does not really
have any physical character; digital evidence is abstract. This makes it hard to
present to a jury, who, in most cases, may be vaguely familiar with computers,
but does not possess the technical knowledge to understand the evidence being
presented to them.

When presenting digital information, the presenter must make the evidence
understandable to the ordinary person by studying case histories and using simple
and sophisticated graphics to represent the digital data. In many cases, however,
there are few computer technicians or data experts who are familiar enough with
the problems of presenting evidence in court or with the mechanisms that can
facilitate the process. It is this situation that makes it necessary for a CNF
specialist to have extensive instruction in the theory and methods of effectively
presenting digital evidence in court.

• Forensic Preparation

In most cases forensic efforts start after a malicious act or attack occurs. It
has been realized, however, that much can be done to facilitate a forensic
investigation before malicious acts or attacks actually happen. The idea is that,
much as surveillance cameras help make the case against shoplifters, electronic
mirroring, logging, and marking help investigators reconstruct malicious acts and
trace attackers. Watermarking, for example (inserting marks that identify stolen
information after it is discovered), is continually evolving.

These steps show the process of computer and network forensics from start to finish.
This trade requires many skills due to the multiple fields of study involved. Computer
experts, law enforcement officials, and lawyers must all work together in order to
maintain a thorough computer and network forensics investigation.

Conclusion

Computer and Network Forensics is a growing field. With more and more hackers
springing up each year, the need for people who can prevent them from attacking
systems, and prove their guilt in a court of law when they do break into a system,
increases as well. Because the field has so many aspects, it covers a wide range of
professional expertise. If you were a computer expert, lawyer, and law enforcement
official all wrapped into one package, you would be the ideal person to take on
computer and network forensics. The wide range of skills required makes it necessary
to spread the field out across multiple areas of professionals.

Computers have always been vulnerable to unwanted intrusions. As the sophistication of
computer technology increases, so does the need to anticipate, and safeguard against,
a corresponding rise in computer-related criminal activity.