COMPUTER FORENSICS Chapter 2: Understanding Data Recovery


  • Outline

    File Systems and Disk Structure

    Computer Forensics tools

    Executing an Investigation

  • File Systems and Disk Structure

    File systems interact with the operating system so that the operating system can locate files requested from the hard disk. The file system keeps a table of contents of the files on the disk; when a file is requested, that table is searched to locate and access the file.

    The directory structure and method used to organize a partition is called a file system. Different file systems reflect the requirements of different operating systems.

    The same hard disk can hold partitions with file systems belonging to DOS, Windows NT, or Linux. When more than one operating system (each with its own file system) is installed on a hard drive, this is called a multi-boot or dual-boot configuration.

    Most hard disk drives (HDDs) are designed for installation inside a computer, and for that reason they were referred to as fixed disks. The most common form factors used over the past few decades are:

    5.25-inch: the first hard drives used in PCs, commonly installed in machines during the 1980s.

    3.5-inch: the common form factor in modern desktop PCs.

    2.5-inch: the common form factor in laptop/notebook computers.

  • Computer file system types can be classified into disk file systems, network file systems and special-purpose file systems.

    Disk file systems are designed to store information on a hard disk drive. FAT, NTFS and UDF are all disk file systems.

    Network file systems act as a client for a file access protocol served by a remote machine; file systems built on FTP, WebDAV and NFS are examples.

    Special-purpose file systems are the miscellaneous systems that do not fit into the disk or network categories.

    Special-purpose file systems are most often found on Unix-based systems. Flat file systems are one of the simplest ways to store data: every file sits at the same level, with no sub-directories.

    There are sub-categories of file systems as well. Database file systems, for example, identify files by attributes such as type, author or other metadata rather than by a path.

    Transactional file systems group a set of file operations into a transaction so that either all of the changes are applied or none of them are; banks and financial institutions use this kind of structure to ensure that a transfer between two accounts, and any other operation that requires atomicity, is never left half-complete.

  • Computer Forensics tools

    Forensic tools commonly feature the ability to acquire evidence from a hard disk.

    By imaging (duplicating) the data, the information on a machine can be acquired and then analyzed for anything applicable to the case.

    Computer forensic tools have been developed for different operating system platforms. Some are open source and others are proprietary.

    Different tools exist for acquiring evidence from live systems and for analyzing the evidence. Some commonly used computer forensic tools are listed below.

  • These computer forensic tools may be evaluated against criteria such as completeness of functionality, the time the tool takes to perform its function, ease of use, cost, acceptability of the tool in court, and so on.

    Imaging a hard drive means making a bit-by-bit copy of the drive to a raw image file; the drive or file holding the copy is also called the analysis drive.

    Imaging a suspect's hard drive is one of the most critical functions of the computer forensic process. It is essential that no data be written to the suspect's hard drive during this process. To ensure this, a software-based or hardware-based write blocker is used.

    Write-blocker tools ensure that any write to the disk being imaged is blocked. It is equally essential that every bit copied to the analysis drive is exactly the same as that on the suspect's drive, which is why the image is verified by comparing a cryptographic hash of the source with a hash of the copy. Many imaging tools have been developed for use in forensic examinations.
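    As an added illustration (not code from this page, nor from any imaging tool it names), the following Python script performs the acquisition and verification steps just described on an ordinary file that stands in for the suspect drive: it opens the source read-only, copies it block by block into a raw image, and compares a SHA-256 of everything it read with a fresh SHA-256 of the written image. The device path, the sample contents and the one-byte tampering in run_demo() are all constructed for the demonstration; on a real case the source would be a block device such as /dev/sdb behind a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB; acquisition tools read the source in large blocks


def hash_file(path: str, chunk: int = CHUNK) -> str:
    """SHA-256 of a file (or block device) read sequentially, end to end."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Bit-for-bit copy of source_path into a raw image file.

    The source is opened read-only, which is the software side of "never write
    to the suspect drive"; a hardware write blocker is still the real guarantee.
    The hash of everything read is compared with a fresh hash of the written
    image, so verification does not depend on the copy loop being correct.
    """
    read_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            read_hash.update(block)
            dst.write(block)
            total += len(block)
    return {
        "bytes": total,
        "source_sha256": read_hash.hexdigest(),
        "image_sha256": hash_file(image_path, chunk),
    }


def verify_image(result: dict) -> bool:
    """True only if the image hashes to exactly what was read from the source."""
    return result["source_sha256"] == result["image_sha256"]


def run_demo() -> dict:
    """Acquire a constructed 1 MiB stand-in for a suspect drive, verify the
    image, then show that a single changed byte in the copy is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_drive.bin")  # stands in for /dev/sdb
        image = os.path.join(workdir, "suspect_drive.dd")
        sample = bytes(range(256)) * 4096  # constructed, deterministic contents
        with open(source, "wb") as f:
            f.write(sample)

        result = acquire_image(source, image, chunk=64 * 1024)
        verified = verify_image(result)

        with open(image, "r+b") as f:  # simulate an accidental write to the copy
            f.seek(100)
            f.write(b"\xff")
        verified_after_change = hash_file(image) == result["source_sha256"]

        return {
            "bytes": result["bytes"],
            "expected_sha256": hashlib.sha256(sample).hexdigest(),
            "image_sha256": result["image_sha256"],
            "verified": verified,
            "verified_after_change": verified_after_change,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    Opening the source read-only is only the software half of write blocking: the operating system can still write to the device on its own (for example by automounting it) before the tool runs, which is why a hardware write blocker sits between the suspect drive and the acquisition host, and why the hash of the source is recorded alongside the hash of the image.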

    Forensic analysis procedures differ based on the type of media being analyzed, the file system used, and so on.

    Some commonly used analysis tools are:

    DriveSpy is a DOS-based forensic tool developed by Digital Intelligence, Inc. DriveSpy is an extended DOS forensic shell: it provides an interface similar to the MS-DOS command line, along with new and extended commands. The entire program is only 110KB and easily fits on a DOS boot floppy disk. DriveSpy provides many of the functions necessary to copy and examine drive contents. All activities are logged, optionally down to each keystroke; if desired, logging can be disabled at will.

  • The EnCase product line from Guidance Software is one of the most complete forensic suites available. In addition to providing tools and a framework in which to manage a complete case, EnCase includes a drive duplicator. The drive imager creates an exact copy of a drive and validates the image automatically. It either creates complete images or splits a drive image into segments to economize storage. EnCase can copy virtually any type of media, creating an identical image for analysis; EnCase calls this static data support.

    Forensic toolkits generally provide a set of tools for performing many of the activities of a computer forensic investigation. No single toolkit has been developed that encompasses all the forensic activities an investigation might require.

    The following two toolkits can be used to perform a variety of forensic activities:

    TCT (The Coroner's Toolkit) is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system. The software was first presented in a Computer Forensics Analysis class in August 1999.

    Forensic Toolkit (FTK) is computer forensics software made by AccessData. It scans a hard drive for various kinds of information; for example, it can locate deleted emails, and it can scan a disk for text strings and use them as a password dictionary to crack encryption.

  • Executing an Investigation

    Inevitably, and frequently without notice or sufficient preparation, police investigators find themselves confronted with the challenges of high technology.

    When, in the course of a basic criminal investigation, an investigator comes across computer equipment (hardware and software) that might contain important evidence, the question that often surfaces is: what should the investigator do?

    High-technology evidence presents unique and challenging situations for the investigator. In addition to ensuring that the necessary forensic examination and preservation of computer evidence is done, the investigator needs specialized training and tools to work with.

    Access to advanced search programs and sophisticated computer equipment, a working knowledge of evidence recovery methods, and a keen understanding of the types of computer evidence involved are all key factors that help investigators find evidence in computers.

    When investigators learn that a computer system is involved in some measurable way with the offense, they need to establish how the computer was used.

    For example, if the police have learned from knowledgeable and reliable sources that a particular person uses a database and spreadsheet program to account for illicit drug sales, then investigators need to include this information in their affidavits.

  • In many cases, sophisticated drug dealers, money launderers, organized crime accountants and others have effectively used coded or encrypted shipment, financial and customer data files in furtherance of their criminal activities.

    Forensic investigators are allowed to reasonably search any place where these items (data records) could be located. Investigators should justify their search of these devices based upon specific training, knowledge and/or experience suggesting that the described records can in fact be stored on computer systems.

    In writing the affidavit, investigators should be aware of the correct computer terminology when describing the places to be searched and the items to be seized.

    Examples of specific computer language can often be found in previous search warrants and selected training materials. To help satisfy the particularity requirement, investigators need to describe the particular computer system sought.

    When investigators do not know the exact description of the computer but suspect or know of its use, general descriptions and definitions of a computer system might be adequate.

    The process of taking down a computer system depends largely on the scope of the search and on the system's configuration (LAN or WAN networks, mainframes, servers, PCs, etc.).

    If the subject of the warrant operates on a network, keep in mind that evidence may be stored anywhere on that network.

  • When conducting controlled searches, investigators should also look at network drives, network and local backup copies (including mirrored/redundant logical drives), local disk drives, and the various removable storage drives, disks and tapes. Investigators must also know that many businesses store their backups off-site, often with contracted third-party vendors.

    Prior to executing the search warrant, the investigator should get as much information as possible on the type of computer system they are searching for and possibly seizing. Police need to know that computer systems can comprise a number of hardware components and software.

    When forensic investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify taking the whole system should be based on the following criteria.

    When an entire organization is fully involved in an ongoing criminal scheme, with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, seizure of the entire system might be proper.

    In small desktop situations, investigators should seize the whole system, after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits so as to refer to the computer as a "system" that depends on a particular configuration, in order to preserve "best evidence" in its original configuration. This may include peripherals, components, manuals, and software.

  • Forensic investigators need to seek out critical information from persons present or having direct knowledge of the computer system. The most important information investigators need concerns passwords and security devices on the system.

    Computer crime investigators recognize the fragility of electronic data and strongly recommend that forensically acceptable imaging software be used in investigations. After the investigator makes a duplicate image of the seized media (hard drive, floppy, removable drives, etc.) and restores this image onto another system, the original evidence should be secured away.

    The restored image (an exact copy of the original) now becomes the place to search for electronic evidence. Remember that a proper forensic image copies every sector of the original media, including unused areas and data that is hidden, partially erased or encrypted, allowing the investigator to attempt restoration of that data.

    A large number of forensic tools exist that enable investigators to streamline and control their search for evidence on storage devices.

    Investigators need to know that encrypted data and the various compressed data formats will not yield to these searches until the data is decrypted or decompressed.
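    The two points above (a sector-level image still holds content from deleted files and unused areas, and compressed data is invisible to a raw keyword search until it is decompressed), together with the earlier note that FTK can harvest text strings from a disk as a password dictionary, can be shown with the following added Python example. It is not code from this page, nor from FTK or any other tool named here; the five-sector "image", its file contents and the gzip member are all constructed inline, and there is no real file system in it.

```python
import gzip
import re
import zlib

SECTOR = 512
GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID bytes plus the deflate method byte


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw (dd-style) image made of five sectors.

    Sector 0: a live text file.  Sector 2: a file that was "deleted" (no
    directory entry points at it any more) but whose sector was never
    overwritten.  Sector 3: a gzip-compressed file.  Sectors 1 and 4: unused,
    zero-filled.  What matters is what a sector-level copy still contains.
    """
    live = b"customer ledger 2023: 40 units shipped\n".ljust(SECTOR, b"\x00")
    deleted = b"old ledger copy: 12 units shipped\n".ljust(SECTOR, b"\x00")
    archived = gzip.compress(b"archived ledger: 7 units shipped\n" * 4, mtime=0)
    compressed = archived.ljust(SECTOR, b"\x00")
    unused = b"\x00" * SECTOR
    return live + unused + deleted + compressed + unused


def keyword_hits(image: bytes, keyword: bytes) -> list:
    """Byte offsets of every raw occurrence of keyword, allocated or not."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def carve_gzip(image: bytes) -> list:
    """Find gzip headers at any offset and inflate each complete member.

    Returns (offset, plaintext) pairs.  A header found by chance in random
    data, or a member whose tail was overwritten, fails to inflate cleanly
    and is skipped rather than reported as a recovered file.
    """
    found = []
    for m in re.finditer(re.escape(GZIP_MAGIC), image):
        offset = m.start()
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            data = inflater.decompress(image[offset:])
        except zlib.error:
            continue
        if inflater.eof:  # stream ended cleanly; the bytes after it are slack
            found.append((offset, data))
    return found


def search_image(image: bytes, keyword: bytes) -> dict:
    """Keyword search over the raw bytes and, separately, over the inflated
    content of any gzip members carved out of the image."""
    return {
        "raw": keyword_hits(image, keyword),
        "in_compressed": [off for off, data in carve_gzip(image) if keyword in data],
    }


def candidate_passwords(image: bytes, min_len: int = 6) -> set:
    """Alphanumeric tokens harvested from printable runs in the image and in
    its carved gzip members, for use as a password dictionary against any
    encrypted file found on the same media."""
    sources = [image] + [data for _, data in carve_gzip(image)]
    words = set()
    for blob in sources:
        for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob):
            words.update(w for w in re.split(rb"[^A-Za-z0-9]+", run) if len(w) >= min_len)
    return words


if __name__ == "__main__":
    img = build_sample_image()
    print("hits for 'ledger':", search_image(img, b"ledger"))
    for off, data in carve_gzip(img):
        print(f"gzip member at offset {off}: {data[:40]!r}")
    print("dictionary:", sorted(candidate_passwords(img)))
```

    The raw search finds "ledger" in the live file and in the deleted file (sector 2 is not referenced by anything, but the bytes are still there), and finds nothing in sector 3 even though the archived file contains the same word; only after the gzip member is carved and inflated does that hit appear. The same carve-then-inflate step feeds the string harvester, so tokens inside compressed files end up in the candidate password list as well.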

    After the evidence is located, it needs to be understood and related to the case under investigation. Computer investigators use specialized viewer and conversion programs that accommodate many file formats for quick viewing and printing of evidence.

  • Computer Forensics as a Profession

    Computer forensics is a focused, fast-growing and interesting field. As business enterprises and organizations become more complex and exchange more information online, modern crimes are also increasing at a rapid rate. As a result, many companies and professionals now offer computer forensic services.

    A computer forensics investigator is a combination of a private investigator and a computer scientist. Although this unique field requires technical, legal and law enforcement experience, many industries choose professionals with investigative intelligence and technology expertise.

    A computer forensics professional can fill a variety of roles, including private examiner, investigator, corporate compliance professional, and law enforcement official.

    Before becoming a computer forensics professional, be aware that:

    The rest of the world is not part of that profession.

    The majority of the general public are excluded from computer forensics.

    The majority of computer professionals are not skilled in computer forensics.

    Many computer forensic practitioners come from other disciplines (other areas of computing, and other fields such as audit).

  • Aspects essential to the computer forensics profession are:

    Academic

    Application of computer science

    Application of forensic science

    Narrow specialism

    Aligned to computer security

    Core discipline

    A good forensics investigator should always follow these rules:

    Examine the original evidence as little as possible; instead, examine the duplicate.

    Follow the rules of evidence and do not tamper with the evidence.

    Always prepare a chain of custody, and handle evidence carefully.

    Never go beyond the knowledge base of the forensic investigation.

    Document any changes in evidence.

    In relation to ethical behavior in computer forensics, there is a very thin line between what is acceptable and what is deemed malpractice.

    Computer forensics exists in an ethical grey area. The forensics investigator needs to balance self-motivation, legal constraints and procedural considerations.

  • It is also the responsibility of the forensics investigator to help the court on matters within his knowledge. This duty overrides any obligation to the person from whom the investigator receives instructions or by whom he is paid.

    When investigating cyber crimes, one has to know the laws that cover such crimes. Legal authorization is needed to access targets of evidence. To preserve the admissibility of evidence, proper handling by a computer forensics expert is required.

    Different warrant requirements and other legal constraints apply to different categories of data, such as recent versus older data and interceptable versus non-interceptable data.

    Investigators should always consult the legal department of their corporation to understand the limits of their investigation. The privacy rights of suspects should not be ignored.

    Legal issue...

