Computer Forensics Notes

The document provides guidelines for standard network forensics procedures: 1. Use a standard installation image containing standard applications and hash values for comparison. 2. Fix vulnerabilities to prevent further attacks after an incident. 3. Perform a live acquisition before powering down to retrieve volatile data like RAM and processes. 4. Acquire and image the compromised drive to compare files and hashes to the standard image and identify changes.

Uploaded by nayaniteja668

evidence.

3.1.1 Using AccessData Forensic Toolkit to Analyze Data

So far, you have used several different features of FTK; this section goes into more detail on its search and report functions. FTK can perform forensics analysis on the following file systems:

Microsoft FAT12, FAT16, and FAT32

Microsoft NTFS (for Windows NT, 2000, XP, and Vista)

Linux Ext2fs and Ext3fs

COMPUTER FORENSICS Page 50
MRCET DEPARTMENT OF IT

FTK can analyze data from several sources, including image files from other vendors. It can also read entire evidence drives or subsets of data, allowing you to consolidate large volumes of data from many sources when conducting a computer forensics analysis. With FTK, you can store everything from image files to recovered server folders on one investigation drive.

FTK also produces a case log file, where you can maintain a detailed record of all activities during your examination, such as keyword searches and data extractions. This log is also handy for reporting errors to AccessData. At times, however, you might not want the log feature turned on. If you're following a hunch, for example, but aren't sure the evidence you recover is applicable to the investigation, you might not want opposing counsel to see a record of this information because he or she could use it to question your methods and perhaps discredit your testimony. (Chapter 15 covers testimony issues in more detail.) Look through the evidence first before enabling the log feature to record searches. This approach isn't meant to conceal evidence; it's a precaution to ensure that your testimony can be used in court. Whatever you decide, follow your lab's written procedure consistently: an unexplained gap in the examination record can be challenged just as easily as a recorded dead end.

FTK has two options for searching for keywords. One option is an indexed search, which catalogs all words on the evidence drive so that FTK can find them quickly. This option returns search results quickly, although it does have some shortcomings. For example, you can't search for hexadecimal string values, and depending on how data is stored on the evidence drive, indexing might not catalog every word. If you do use this feature, keep in mind that indexing an image file can take several hours, so it's best to run this process overnight.

The other option is a live search, which can locate items such as text hidden in unallocated space that might not turn up in an indexed search. You can also search for alphanumeric and hexadecimal values on the evidence drive and search for specific items, such as phone numbers, credit card numbers, and Social Security numbers. Figure 9-1 shows the hits found during a live search of an image of a suspected arsonist's laptop. You can right-click a search hit to add it to your bookmarks, which includes the result in your final report.
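The live-search idea above, as an added example that is neither FTK's code nor part of the original notes: a small scanner that reads a raw image in chunks and looks for regex patterns (phone and Social Security numbers, card numbers filtered with a Luhn check), a hexadecimal byte pattern, and a UTF-16LE string, which is how Windows stores much of its text and which an ASCII keyword search misses. The sample image bytes, the chunk size, the pattern names and the helper names are constructed for illustration.

```python
"""Toy 'live search' over a raw image: scan the bytes themselves (allocated or
not) for regex patterns and hex strings, which an indexed search cannot do.
Added example, not FTK code; the image bytes below are constructed."""
import re


def luhn_ok(number: str) -> bool:
    """Luhn check so that random 13-16 digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hex_pattern(hex_string: str):
    """'FF D8 FF E0' -> a literal byte pattern (here a JPEG SOI+APP0 header)."""
    return re.compile(re.escape(bytes.fromhex(hex_string)))


def utf16_pattern(text: str):
    """Windows stores much text as UTF-16LE; an ASCII-only keyword misses it."""
    return re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)


PATTERNS = {
    "ssn":   re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(rb"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "card":  re.compile(rb"\b(?:\d[ -]?){12,15}\d\b"),   # 13-16 digits, Luhn-checked
    "jpeg":  hex_pattern("FF D8 FF E0"),
    "arson": utf16_pattern("arson"),
}


def live_search(image: bytes, patterns=PATTERNS, chunk: int = 1 << 20, overlap: int = 64):
    """Return sorted (offset, pattern name, matched bytes) hits.

    The image is scanned in chunks. Each window carries `overlap` extra bytes so a
    hit that straddles a chunk boundary is completed, plus one leading byte so the
    word-boundary anchor sees the byte before the chunk. Only hits that start inside
    the chunk proper are reported, so nothing is counted twice. `overlap` must be at
    least the longest possible hit (31 bytes for a separated card number here)."""
    hits = []
    for pos in range(0, len(image), chunk):
        lead = 1 if pos else 0
        base = pos - lead
        window = image[base:pos + chunk + overlap]
        for name, pat in patterns.items():
            for m in pat.finditer(window):
                if m.start() < lead:
                    continue          # began in the previous chunk: already reported
                if m.start() >= lead + chunk:
                    break             # begins in the overlap: the next chunk reports it
                value = m.group()
                if name == "card":
                    digits = value.replace(b" ", b"").replace(b"-", b"").decode()
                    if not luhn_ok(digits):
                        continue      # digit run that is not a plausible card number
                hits.append((base + m.start(), name, value))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed image: filler, text in 'unallocated space', a JPEG header,
    a UTF-16LE string, one valid and one Luhn-invalid card-like number."""
    return (b"\x00" * 40
            + b"call 555-123-4567 SSN 123-45-6789 "
            + b"\x00" * 7
            + bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46")
            + "evidence of ARSON".encode("utf-16-le")
            + b" card 4111 1111 1111 1111 bogus 1234 5678 9012 3456 ")


if __name__ == "__main__":
    # A deliberately small chunk so the SSN at offset 62 straddles the 64-byte boundary.
    for offset, name, value in live_search(build_sample_image(), chunk=64):
        print(f"{offset:#08x} {name:5s} {value!r}")
```

The chunked loop is the part that matters on a real image: a 500 GB drive cannot be searched as one Python bytes object, and a naive chunk split silently loses every hit that crosses a boundary. Replace build_sample_image() with reads from the raw image file in practice.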



Figure: How Authenticode works with VeriSign Digital IDs. The original code is run through a one-way hash algorithm and the hash is signed with the publisher's private key to produce the signed code; the receiving side then 1. inspects the certificate, 2. generates its own hash of the original code, 3. applies the publisher's public key to the signed hash, and 4. compares the two hashes.


Authenticode: VeriSign Digital ID process

1. Publisher obtains a Software Developer Digital ID from VeriSign

2. Publisher creates code

3. Using the SIGNCODE.EXE utility, the publisher

Creates a hash of the code, using an algorithm such as MD5 or SHA (MD5 is collision-broken and Microsoft has deprecated SHA-1 for Authenticode; current signatures use SHA-256)

Encrypts the hash using his/her private key (this is the textbook description of an RSA signature: the private-key operation is applied to the hash, not to the code itself)

Creates a package containing the code, the encrypted hash, and the publisher's certificate

4. The end user encounters the package

5. The end user's browser examines the publisher's Digital ID. Using the VeriSign root public key, which is already embedded in Authenticode-enabled applications, the end user's browser verifies the authenticity of the Software Developer Digital ID (which is itself signed by the VeriSign root private key)

6. Using the publisher's public key contained within the publisher's Digital ID, the end user's browser decrypts the signed hash.

7. The end user's browser runs the code through the same hashing algorithm as the publisher, creating a new hash.

8. The end user's browser compares the two hashes. If they are identical, the browser reports that the content has been verified by VeriSign, and the end user has confidence that the code was signed by the publisher identified in the Digital ID and that the code hasn't been altered since it was signed.
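The eight steps above, modelled end to end as an added example (not code from the original notes, from Microsoft or from VeriSign). It uses textbook RSA over fixed, publicly known Mersenne primes so that it runs offline without key generation (toy keys: never use them in practice) and SHA-256 in place of MD5. The names ROOT_PRIV and PUB_PRIV, the JSON layout of the "Digital ID", and the sample binary are assumptions made for the example; real Authenticode wraps the signature in PKCS#7 with X.509 certificates, not JSON.

```python
"""Toy model of the Authenticode / VeriSign Digital ID flow: CA-signed publisher
certificate, signed hash of the code, and the browser-side checks.
Added example, not from the original notes, Microsoft or VeriSign.
Textbook RSA over fixed Mersenne primes (toy keys, never use in practice)."""
import hashlib
import json

E = 65537


def make_key(p: int, q: int):
    """Textbook RSA key from two primes: returns (public, private) as (n, exp)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Toy keys from known Mersenne primes so the example runs offline. Assumption:
# these stand in for the VeriSign root key and the publisher's key.
ROOT_PUB, ROOT_PRIV = make_key(2**521 - 1, 2**127 - 1)   # "VeriSign root"
PUB_PUB, PUB_PRIV = make_key(2**607 - 1, 2**107 - 1)     # software publisher


def digest_int(data: bytes) -> int:
    """Steps 3a and 7: one-way hash of the content, as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, priv) -> int:
    """Step 3b: 'encrypt' the hash with the private key (RSA signing)."""
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    """Steps 6-8: recover the hash with the public key and compare."""
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


def cert_bytes(subject: str, pub) -> bytes:
    """Canonical encoding of the to-be-signed part of a Digital ID (assumed layout)."""
    return json.dumps({"subject": subject, "n": pub[0], "e": pub[1]},
                      sort_keys=True).encode()


def issue_digital_id(subject: str, pub, ca_priv) -> dict:
    """Step 1: the CA signs (subject, public key) with its root private key."""
    return {"subject": subject, "n": pub[0], "e": pub[1],
            "ca_sig": sign(cert_bytes(subject, pub), ca_priv)}


def signcode(code: bytes, priv, digital_id: dict) -> dict:
    """Step 3c: package = code + signed hash + publisher certificate."""
    return {"code": code, "sig": sign(code, priv), "cert": digital_id}


def verify_package(pkg: dict, root_pub):
    """Steps 5-8 as the browser performs them. Returns (ok, reason)."""
    cert = pkg["cert"]
    tbs = cert_bytes(cert["subject"], (cert["n"], cert["e"]))
    if not verify(tbs, cert["ca_sig"], root_pub):                 # step 5
        return False, "publisher Digital ID is not signed by the trusted root"
    if not verify(pkg["code"], pkg["sig"], (cert["n"], cert["e"])):  # steps 6-8
        return False, "code hash does not match the signed hash (altered or wrong key)"
    return True, "verified: signed by " + cert["subject"] + ", unaltered"


def demo():
    """Valid package, one altered byte, and a self-issued (untrusted) Digital ID."""
    code = b"MZ... constructed sample binary ..."           # constructed input
    digital_id = issue_digital_id("Example Publisher Ltd", PUB_PUB, ROOT_PRIV)
    pkg = signcode(code, PUB_PRIV, digital_id)
    good = verify_package(pkg, ROOT_PUB)

    tampered = dict(pkg, code=code + b"\x90")               # one byte appended
    bad_code = verify_package(tampered, ROOT_PUB)

    # A publisher (or attacker) cannot mint a trusted Digital ID with their own key.
    self_issued = issue_digital_id("Example Publisher Ltd", PUB_PUB, PUB_PRIV)
    bad_cert = verify_package(signcode(code, PUB_PRIV, self_issued), ROOT_PUB)
    return good[0], bad_code[0], bad_cert[0]


if __name__ == "__main__":
    for label, result in zip(("valid", "tampered code", "untrusted cert"), demo()):
        print(f"{label}: {result}")
```

Step 5 is the chain check (is the Digital ID signed by the root key embedded in the application?) and steps 6 to 8 are the content check; verify_package() reports which of the two rejected a package, which is the distinction an analyst needs when a signed binary fails to validate.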

Time Stamping: Because key pairs are based on mathematical relationships that can theoretically be "cracked" with a great deal of time and effort, it is a well-established security principle that digital certificates should expire.
3.7 Developing Standard Procedures for Network Forensics

Network forensics is a long, tedious process, and unfortunately, the trail can go cold quickly. A standard procedure often used in network forensics is as follows:

Always use a standard installation image for systems on a network. This image isn't a bit-stream image but an image containing all the standard applications used. You should also have the MD5 and SHA-1 hash values of all application and OS files. (Record SHA-256 values as well; collision attacks against MD5 and SHA-1 are practical, so neither should be the only hash you rely on.)

When an intrusion incident happens, make sure the vulnerability has been fixed to prevent other attacks from taking advantage of the opening. (Isolate the host from the network rather than patching or rebooting it before the next step; patching and rebooting destroy the volatile data you still need to collect.)

Attempt to retrieve all volatile data, such as RAM and running processes, by doing a live acquisition before turning the system off.

Acquire the compromised drive and make a forensic image of it.

COMPUTER FORENSICS Page 63

Compare files on the forensic image to the original installation image. Compare hash values of common files, such as Win.exe and standard DLLs, and ascertain whether they have changed.
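The comparison in the last step, as an added example that is not part of the original notes: build a manifest of hashes for the known-good standard image, hash the tree extracted from the forensic image, and report modified, added and missing files. The directory names, file contents and the "trojaned netstat" are constructed for illustration; in practice point build_manifest() at the standard image and at the forensic image mounted read-only.

```python
"""Baseline-vs-image file comparison for the network forensics procedure.
Added example, not from the original notes. Paths and file contents in
demo() are constructed; nothing here is a real system file."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large binaries need not fit in RAM


def hash_file(path: str) -> dict:
    """MD5 and SHA-1 (as the notes use) plus SHA-256, which is the one to rely on:
    MD5 and SHA-1 are collision-broken, so keep them only to match old manifests."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def build_manifest(root: str) -> dict:
    """Map relative path -> hashes for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hashing a symlink would hash its target, not the link
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare(baseline: dict, image: dict) -> dict:
    """Classify files on the forensic image against the standard-image manifest."""
    modified = sorted(p for p in baseline if p in image
                      and baseline[p]["sha256"] != image[p]["sha256"])
    added = sorted(set(image) - set(baseline))     # e.g. a dropped Trojan or rootkit
    missing = sorted(set(baseline) - set(image))   # e.g. a deleted log or tool
    return {"modified": modified, "added": added, "missing": missing}


def write_tree(root: str, files: dict) -> None:
    """Helper for the demo: materialise {relative path: bytes} under root."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo() -> dict:
    """Constructed standard image and compromised image (not real system files)."""
    standard = {
        "Windows/System32/kernel32.dll": b"standard kernel32 contents",
        "Windows/System32/netstat.exe":  b"standard netstat contents",
        "Windows/win.ini":               b"[fonts]\n",
    }
    compromised = dict(standard)
    compromised["Windows/System32/netstat.exe"] = b"trojaned netstat hiding a port"
    compromised["Windows/System32/drivers/rk.sys"] = b"rootkit driver"
    del compromised["Windows/win.ini"]
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as img:
        write_tree(base, standard)
        write_tree(img, compromised)
        return compare(build_manifest(base), build_manifest(img))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Save the baseline manifest when the standard image is built, not after an incident, and store it somewhere the compromised host could not have reached; a rootkit that replaces netstat can just as easily replace a hash list kept on the same drive.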
In computer forensics, you can work from the image to find most of the deleted or hidden files and partitions. Sometimes you restore the image to a physical drive so that you can run programs on the drive. In network forensics, you have to restore the drive to see how malware attackers have installed on the system works. For example, intruders might have transmitted a Trojan program that gives them access to the system and then installed a rootkit, which is a collection of tools that can perform network reconnaissance tasks (using the ls or netstat command to collect information, for instance), key logging, and other actions. Run the restored drive only on an isolated machine or virtual machine with no route to production networks, and work from a copy so that the forensic image itself is never written to.

3.4 Performing Remote Acquisitions

Remote acquisitions are handy when you need to image the drive of a computer far away from your location or when you don't want a suspect to be aware of an ongoing investigation. This method can save time and money, too. Many tools are available for remote acquisitions; in the following sections, you use Runtime Software to learn how remote acquisitions are made.

Fig: FTK displaying encrypted files

Fig: Exporting encrypted files (FTK Export Files dialog: export all checked files, all currently listed files, or all highlighted files; include e-mail attachments with e-mail messages; a file list showing file name and origin path with a destination path below it; options to prepend and append identifiers to the file name to guarantee uniqueness, append an appropriate extension to the file name if it is bad or absent, export HTML view if available, and export filtered text view)



3.4.1 Remote Acquisitions with Runtime Software

Runtime Software (www.runtime.org) offers the following shareware programs for remote acquisitions:

DiskExplorer for FAT

DiskExplorer for NTFS

HDHOST

Chapter 4 introduced these tools; remember that they're designed to be file system specific, so there are DiskExplorer versions for both FAT and NTFS that you can use to create raw format image files or segmented image files for archiving purposes.

HDHOST is a remote access program for communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer's file system. The following sections show how to make a live remote acquisition of another computer over a network. To use these tools, it's best to have computers connected on the same local hub or router with minimal network traffic. Whatever tool you use, hash the image as it is written and, where possible, hash the source drive on the suspect side as well, so that a transfer corrupted in transit can be told apart from a genuine difference on the drive.
UNIT-1
INTRODUCTION

1.1 WHAT IS COMPUTER FORENSICS?

Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence.

Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.

Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

1.2 USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

Computer forensics assists in law enforcement. This can include:

Recovering deleted files such as documents, graphics, and photos.

Searching unallocated space on the hard drive, places where an abundance of data often resides.

Tracing artifacts, those tidbits of data left behind by the operating system. Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value of the information they find.

Processing hidden files (files that are not visible or accessible to the user) that contain past usage information. Often, this process requires reconstructing and analyzing the date codes for each file and determining when each file was created, last modified, last accessed and when deleted.

Running a string-search for e-mail, when no e-mail client is obvious.

1.11 Data Back-up and Recovery

Back-up Obstacles

Back-up window: The back-up window is the period of time when back-ups can be run. The back-up window is generally timed to occur during nonproduction periods when network bandwidth and CPU utilization are low.

Network bandwidth: If a network cannot handle the impact of transporting hundreds of gigabytes of data over a short period of time, the organization's centralized backup strategy is not viable.

System throughput: Three I/O bottlenecks are commonly found in traditional backup schemes. These are

1. The ability of the system being backed up to push data to the backup server

2. The ability of the backup server to accept data from multiple systems simultaneously

3. The available throughput of the tape device(s) onto which the data is moved

Lack of resources: Many companies fail to make appropriate investments in data protection until it is too late.

1.12 The Role of Back-up in Data Recovery

There are many factors that affect back-up. For example:

Storage costs are decreasing: The cost per megabyte of primary (online) storage has fallen dramatically over the past several years and continues to do so as disk drive technologies advance.

Systems have to be on-line continuously: Because systems must be continuously online, the dilemma becomes that you can no longer take files offline long enough to perform backup.

The role of back-up has changed: The role of backup now includes the responsibility for recovering user errors and ensuring that good data has been saved and can quickly be restored. Backups are also the recovery path after a destructive intrusion, so at least one copy should be kept offline or otherwise immutable, and restores should be tested rather than assumed to work.
