Wednesday, 17 July 2013

LIFORACE - LIVE FORENSIC ACQUISITION IN CORPORATE ENVIRONMENT

ABSTRACT
Since, traditional digital forensic investigation is conducted after pulling the power plug off the target
machine regardless to the state of machine whether it is “On/Live” or “Off/Dead”. A lot of “volatile” information is stored in the RAM or simply memory of the computer and pulling the power plug from the running computer alters or deletes hundreds of files on the system which could contain crucial information like passwords, network information, running indecent images and other data that could facilitate in examining the case successfully. Hence, the investigator loses a lot of crucial evidence/ information which could be very helpful by pulling the plug. It therefore becomes very vital to perform a “Live” acquisition of the RAM/ Memory of the running machine. The contents of the memory can be acquired and saved on an external forensically wiped drive by using hardware or software based acquisition techniques and tools such as Firewire, Helix Live Response USB, MandiantMDD, Win32dd. The contents of the RAM could later be analyzed using powerful tools such as Volatility, EnCase, FTK.

In order to perform the acquisition of a live/running computer, a tested methodology is very critical and
is considered to be the foundation for “Live” and “Traditional Forensic Investigation”.
The paper will critically analyse the contents of “volatile” memory, techniques and tools to acquire the
RAM and volatile data residing in RAM, and a methodology for conducting a sound Live Forensic Acquisition in Corporate Environment.

Keywords: Live Forensics, Incident Response, Acquisition, Memory, Digital Forensics, RAM, Volatile Data


Wednesday, 7 October 2009

CYBERCRIME AND ITS IMPACT ON BUSINESSES

“CYBERCRIME AND ITS IMPACT ON BUSINESSES”
         
             
               
               MODULE LEADER – DR STILIANOS VIDALIS                               
AUTHOR - INDRA K. DHAON
  BSc. (Hons.) FORENSIC COMPUTING
YEAR - II
  2009 – 2010


TABLE OF CONTENTS
1. INTRODUCTION 4
2. RESEARCH METHODOLOGY 5
3. CYBERCRIME 5-6
4. THREAT AGENTS 6
5. BUSINESS PROCESSES 7
6. CLASSIFICATION OF CYBERCRIME 8-9
7. TYPES OF E CRIME AND THEIR IMPACT ON BUSINESSES 10-17
  7.1 MALWARE 12-13
  7.2 DOS, DDOS AND SPAMMING 14
  7.3 PHISHING/ PHARMING 15-16
  7.4 E- CRIME STATISTICS 17
8. CONCLUSION 18
9. REFERENCES 19
10. BIBLIOGRAPHY 20
11. APPENDIX (i) 21-23

Table of Figures
Figure 1: Threat Agent Categories 6
Figure 2: Business Processes 7
Figure 3: Modern E- Crimes 10
Figure 4: E- Crime Statistics 10
Figure 5: Virus and Worm Statistics 13
Figure 6: Target Specific Attacks 16
Figure 7: Increasing complexity of viruses, worms, malware with time 17
Figure 8: Various E- Crimes 18








1. INTRODUCTION
The contemporary world is using internet based technology in order to meet the ever
increasing consumer (or user) demands, and to enhance their businesses. The increase in use of computers or internet based technologies in businesses and organizations led to the shocking increase in cybercrime . The internet (or businesses using computers) undoubtedly became a primary target for cybercrime. The motives of the cybercriminals was primarily for financial gain, but now their motives have expanded to political, religious, revenge, power, and terrorism. The understanding of the motives behind the attack shall be beneficial in the approach of combating ‘cybercrime’.
This report has been compiled in order to thoroughly analyze cybercrime and its effect
on Small and medium- sized enterprises (SMEs). The reports comprises of the following:
• Cyber Crime
• Goals or Motives behind E- crimes
• Various Threat Agent Categories and their Attributes
• Business Processes
• Cybercrime Classification: Types of E Crime
• Techniques used in order to commit cyber crime and the impact on Business Processes
• Safety Measures in order to combat cybercrime



2. RESEARCH METHODOLOGY
The research method used for this report includes secondary research methods:
• Secondary Research comprises of websites, books, online magazines, and journals.
All references have been appropriately referenced.

3. CYBERCRIME
Cybercrime or E- Crime is any crime which involves the use of a computer. It includes criminal acts such as pharming, phishing, and denial of service attacks etc. which are used by cybercriminals in order to attack an organization or e- commerce companies.
In order to combat cybercrime, it is very important to understand the goals or motives of the cybercriminals who launch attacks such as denial of service or phishing attacks. A threat assessment of an organization should also be carried out, which will analyze the potential vulnerabilities and then will aid in securing the organization’s assets and also combating E-crime.
- Goals or Motives behind E- crimes
According to Jones, A. 2002, there are some commonly accepted motivational drivers, which are: political, social, secular, personal gain, religious, revenge, power, terrorism, and curiosity. Some important definitions that will be useful for this paper in assessing cybercrime include the following:
- Threat is the risk of an attack on a computer system
- Vulnerability is the assessment of exploiting a flaw or weakness
- Motivation is the extent to which an attacker is prepared to exploit a threat.
- Capability is the extent to which an attacker or threat agent is able to utilize a threat.
- Hackers are persons involved in the development of the computing world. Hackers can be called “good people” since they will never intentionally cause disruption or damage to anyone.
- Crackers are persons who are unethical, with malevolent intent. Crackers generally contribute to cybercrimes such as piracy and gain personal satisfaction as well as monetary gain.
4. THREAT AGENTS
The term threat agent is used to denote an individual or group of individuals that can exploit a threat. The various threat agent categories have been illustrated in the figure 1 below and their attributes will be discussed later in the report.
Figure 1: Threat Agent Categories
- (Vidalis, S. 2005)
-
5. BUSINESS PROCESSES
The following types of business processes have been identified:
a) Management, Human Resources (HR) & Finance - Training and monitoring the employees, and building and maintain relationships with customers.
b) Accounting & Technical (IT) Staff - Records of companies profit/ loss, annual turnover is also recorded by the staff, and any technical assistance is provided.
c) Product Development - It is the process where products are developed or produced.
d) Quality & Product/Service Delivery – Quality of the products is maintained or enhanced and delivered to the customers.
e) Sales & Marketing – After production, marketing is necessary in order to promote the products to seek potential customers.
o Advertise and popularize their products amongst people
o Advertising jobs for future employees inside and outside of business
o Allow people to view financial reports or company mission statements
o Allows customers to purchase the finished products. Nowadays, most of the companies offer to sell their products online as well. The payment methods can be using credit/ debit cards or PayPal, which is used by companies using e- commerce.
- (HALL, D. AND OTHERS. 2004)







Figure 2: Business Processes
6. CLASSIFICATION OF CYBERCRIME
It can be classified in to the following four major categories:
A. Cyber crime Against an Individual
B. Cyber crime Against Property
C. Cyber crime Against Organization
D. Cyber crime Against Society
- (ReportCybercrime, 2009)
(A) Against Individuals
i) Email spoofing – Please refer to Appendix (i) Computer Terms for all definitions of
the different types of e- crime attacks
ii) Spamming
iii) Cyber Defamation: This occurs when defamation takes place with the help of
computers or the Internet. E.g. someone publishes offensive matter about someone on a website or sends e-mails containing offensive information.
iv) Harassment & Cyber stalking: Cyber Stalking is following the traces of an individual's
movement over the internet. It can be done with the help of many procedures available such as e- mail, chat rooms.
(B) Against Property
(i) Credit Card Fraud,
(ii) Intellectual Property crimes: These include the following:
• Software piracy: illegal copying of programs, distribution of copies of software.
• Copyright infringement
• Trademarks violations
• Theft of computer source code
(iii) Internet time theft: the usage of the Internet hours by an unauthorized person
(C) Against Organization
i) Unauthorized Accessing of Computer: Accessing the computer/network without
permission of the owner. It can of two types:
  a) Changing/deleting data: Unauthorized changing of data.
  b) Computer voyeur: The criminal reads or copies confidential or proprietary
  information, but the data is neither deleted nor changed.
ii) Denial of Service Attack
iii) Virus attack
iv) Email Bombing
v) Salami Attack: When negligible amounts are removed & accumulated in to
  something larger. These attacks are used for the commission of financial crimes.
vi) Data diddling: This kind of an attack involves changing of raw data just before it is
processed by a computer and then changing it back after the processing is completed.

(D) Against Society
(i) Forgery: currency notes, revenue stamps, mark sheets etc can be forged using computers and high quality scanners and printers.
(ii) Cyber Terrorism: Use of computer resources to intimidate or coerce others.
(iii) Web Jacking: Hackers gain access and control over the website of another, even they change the content of website for fulfilling political objective or for money.
- (ReportCybercrime, 2009)




7. TYPES OF E CRIME AND THEIR IMPACT ON BUSINESSES
The E-crime is increasing every year, with introduction of more advanced and specific techniques being used by the cyber criminals; the crimes are more devastating for businesses or organizations.
MODERN E- CRIMES
Virus
Malware
Denial of Service
Phishing/ Pharming
Credit card fraud
Spyware/Adware
Identify Theft
Spam
Threats from Disgruntled employees
Interception of Wireless LAN communications
Figure 3: Modern E- Crimes







Figure 4: Modern E- Crimes
Figure 4: E- Crime Statistics
7.1 MALWARE AND SPYWARE/ADWARE
i) What is Malware and how does it spread?
Malware is a shortened term for ‘malicious software’ which is programmed with the intention of damaging or controlling a computer without the user consent.
Malware includes virus, trojan horse, worm, spyware, adware, bacteria or rabbits, backdoors, root kits, and logic bombs. Please refer to Appendix (i) by BCRC, 2008 for the definitions of the terms mentioned above.
It is often spread through normal methods of communication such as: 
• Email and instant messages
• Infected website
• Hidden in a program downloaded or installed
• Downloaded from peer-to-peer connections
• Toolbars – eg. Free smileys popup is said to be containing a Trojan
  The programmes track all user online activity to a third party. Key loggers are able to record everything the user (victim) types by keyboard which may include credit card details, important customer details, online banking passwords and other sensitive information.

ii) Effect of Malware on Business
• Spyware: Theft of the user’s and customer’s data. The main aim of spyware software is to steal information and then defraud businesses. Spyware can also be used to embed Trojan horses, viruses and worms to damage a computer and files or consume all the resources of the system. One computer on its own may not produce very devastating results but when linked with other computers on the network, referred to as a Botnet; the results can be extremely destructive.

• Common symptoms of infection of malware on a system include: 
- The system running slowly or becoming less stable by restarting or shutting down on its own.
- Trojan horses and other types of malware consume all resources such as processing power, memory and internet bandwidth which ultimately hangs the system.
• In Russia, malicious hackers used a Trojan horse to gain control over a gas pipeline run by Gazprom.
• In January 2003, the “Slammer” worm caused major problems for IT systems around the world, penetrated the safety monitoring system at a US nuclear plant for nearly five hours.

A. VIRUS
i) What is a Virus and how does it spread?
A computer virus is software or coding written by a programmer used for infecting a computer. The most common method of spreading viruses is via email attachments. Viruses used to be spread through the sharing of floppy disks. Other methods such as disks and USB data sticks present a similar threat. However, infection most commonly occurs through email.
ii) Effect of Virus on Business
The effects a virus can have range from annoying but harmless, such as humorous text or pictures being displayed on the monitor to the more malevolent sort that will delete all of the files on the hard disk. It is these types of virus that can have the most detrimental effect on a business and that is why it is always necessary to have secure backups of all your data. Hence, a virus can affect all the processes of business especially the management process since all the files are crucial for the company.


iii) Prevention from Virus and other Malware:
• Use good Antivirus, anti spyware Software, which is regularly updated with signatures of
latest viruses, trojans, worms, spywares, adwares etc.
• Always ensure a back up of the files to an external hard disk/ USB Disks or to a server
• Do not download unsecure attachments in emails
• Using secure firewall settings
• Train staff to be aware of the methods used to infect a computer. Employers should ensure that their staff / employees are aware of malware and pop-ups. When a pop up window appears, they should just click on the small 'x' in the top right corner.
• If a business has a network of computer users linked to the internet, then it will be safer to physically restrict downloads to individual computers. It can be done using the system administration tools and backed up by an Internet usage policy.
Figure 5: Virus and Worm Statistics
- (Skoudis, Zeltser, 2003)

7.2 DENIAL OF SERVICE ATTACKS (DoS and DDoS) and SPAMMING
Cyber criminals infiltrated computer systems via the use of viruses, Trojan horses and backdoors. This infiltrated system is called a Zombie; and the attacker gains full access to this computer and can control its resources like memory etc. Criminals often build up a network of these ‘Zombie’ computers which can then be used for a Denial of Service (Dos) attack thus disabling a business's online access or website.
Spamming is also done in a similar way by using botnets to continuously bombard emails to the victim’s address, thereby, making it crash or unavailable for any use. There are many software available which allow an attacker to send thousands of emails to the victim’s email address.
In this way a cyber criminal can take out a company’s website for monetary gain or to extort and blackmail a company by persistently blocking their website until payment is made. The computer can be used to carry out specific crimes like spreading virus as the remote user is untraceable. A collection of Zombie computers is called a ‘Botnet’ which is then controlled individually or collectively known as Bot-herders. Bot-herders rent out Botnets to relay Spam and launch phishing scams to steal sensitive data. When several zombie computers or botnets are used to attack a vulnerable system, it is known as Distributed Denial of Service Attack (DDos).
DoS and DDoS attacks are not limited to large companies, cyber criminals and Bot Herders can be hired to attack the websites of any SME irrespective of size. A coordinated attack via thousands of compromised 'Bots' against high-profile sites, saturate the target's bandwidth and capability to respond to legitimate connections. The high volume of traffic going through the website forces it to crash or shut down. For a company that relies solely on its website to trade; it becomes critical to keep it up and running and hence, the Bot herders extort money from the compromised company. Attacks using the concept of DoS and DDos also include Man in the Middle Attack where the information between the router and victim (user) during a transaction process like (details of Banking or Buying an item) is directly sent to the attacker’s address.
7.3 PHISHING/ PHARMING
Phishing is a form of Identity Theft that involves sending out emails randomly to people. Attackers use spoofed emails and fraudulent websites to trick people into giving out their personal financial data. Phishers hijack names of banks, web retailers and credit card companies and send out wave after wave of emails that ask the recipient to click on a link to update their details on what turns out to be a fake website. The message appears to be credible because the email and related website often incorporate the company logo making them look identical to the email or website communications of the legitimate company.
Pharming is similar to Phishing technique as it directs users to fake sites, via forged emails or by a piece of spyware, when they are trying to access legitimate websites. A customer logs on to the website, often using the web address they have stored in their internet browser favourites folder, to what looks like a familiar internet banking site and is unknowingly redirected to a fraudulent site. It is possible for a virus or an attacker to change all the websites in a user’s Favourites folder to scam websites. When the victim visits the fake website and enters the details like credit card or bank details it gets transferred to the attacker’s address.
- (BERR, 2008)
Impact of Phishing/Pharming on Business
• If any business has a website requiring personal information (like banking details or even email addresses and passwords) that is hacked or spoofed then their customers and employees could be victims to the scam as well. If one of their customers attempt to access the company’s site and disclose their personal information; it will result in an identity theft, then clients’ confidence in the company will be shattered.
• If a company’s website is out of operation then it could be losing lot of potential sales. Clients wanting to purchase goods or services may not be able to so, hence, causing lot of loss to the company’s income.

Measures to prevent Phishing/ Pharming
• Install anti-virus and anti-spyware software keep them updated regularly.
• Do not access important websites or your banks website via a link in your favourites list due to the reason mentioned in section 6.4 of the report.
• Always look for small padlock when visiting a bank’s website (indicates that the website is securely certified) and in the address bar, the http: should have changed to https: the extra s indicating the site is secure.
• Scammers are able to spoof websites and are able to put a padlock image on the screen and therefore users should always be very careful when visiting a bank’s website. By clicking on the padlock, the certificate details will be displayed. If nothing happens then it means it is a spoofed website of the bank.








Figure 6: Target Specific Attacks
- (KPMG, 2009)




7.4 E-Crime Statistics

Figure 7: Increasing complexity of viruses, worms, malware with time
- (VIDALIS, S. 2009)
• Around 830,000 businesses in the UK suffered an online/computer related security incident in 2007/08.
• It is estimated that there were 132,800 cases of computer misuse (excluding viruses) in 2007.
• Virus infection dropped now is the fourth most common type of security incident, accounting for 21% of all incidents. In 2006, it accounted for 50% of the worst security breaches for UK business.
- (BERR, 2008)




8. CONCLUSION
In this report the following topics have been thoroughly discussed and examined:
• Cyber Crime
• Goals or Motives behind E- crimes
• Threat Agent Categories
• Business Processes
• Cybercrime Classification: Types of E Crime and techniques
• Techniques used in order to commit cyber crime and the impact on Business Processes
• Safety Measures in order to combat cybercrime









Figure 8: Various E- Crimes
- (BERR, 2008)
The various types of cybercrimes, the various techniques used by cyber criminals and their affects on business processes, were critically analysed and a list in order to prevent those crimes was also provided.


9. REFERENCES
• BCRC, 2008. Cybercrime: Threats and Solutions. [WWW] http://www.bcrc-uk.org/filelib/BCRC%20Final%20Evaluation%20May%2009_1.pdf (28th July 2009)
• BERR, 2008. Information Security Breaches Survey 2008. [WWW] http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf (24TH July 2009)
• HALL D., JONES R., RAFFO C. 2004. Business studies 3rd edition. CAUSEWAY PRESS LTD. LANCS
• JONES, A. 2002. "Protecting the Critical National Infrastructure - Developing a Method for the Measurement of Threat Agents in an Information Environment." Information Security Technical Report February 2002 7(2): 22-36.
• KPMG, 2009. e-Crime Survey 2009. [WWW] http://www.e-crimecongress.org/ecrime2009/documents/e-CrimeSurvey2009_AKJ_KPMG(1).pdf (26th July 2009)
• ReportCybercrime. 2009. [WWW] http://www.reportcybercrime.com/classification.php (20th July, 2009)
• SKOUDIS E., ZELTSER L. 2003. Malware: Fighting Malicious Code. Prentice Hall PTR, ISBN 0131014056
• VIDALIS, S. 2009. Lecture 7: Malware. (24th March 2009)
• VIDALIS, S. and JONES, A. 2005 Analyzing Threat Agents & Their Attributes. UK: University of Glamorgan.


10. BIBLIOGRAPHY
• BLYTH, A. J. C. AND KOVACICH L. (2001). Information Assurance: Computer Communications & Networks. UK, Springer-Verley.
• CONWAY, M. (2003). "Hackers as Terrorists? Why it doesn't compute." Computer Fraud & Security. December 2003 (12): 10-13.
• REYES, A., O’SHEA, K., STEELE, J., HANSEN, J., JEAN, B., RALPH, T. 2007. Cyber Crime Investigations. USA: Syngress Publishing, Inc.
• FORCHT, K. A. (1994). Computer Security Management, Boyd & Fraser.
• GHOSH, S. (2004). "The nature of Cyber-attacks in the Future: a position paper." Information Systems
• SUMMERS, R. C. (1977). Secure Computing: Threats & safeguards, McGraw-Hill.














11. Appendix (i) – Computer Terms
Back Door
A loophole in a computers security system that allows a hacker/malware to access it.

Bots / Botnets
A collection of computers that have been infected with maliciously programmed code. The Bot is the singular; the Botnet refers to a collection of Bots. Botnets are then used to launch a co-ordinated attack against a victim's computer or website, most often resulting in a denial of service. A Botnet is also referred to as a Zombie network

Bot Herder
A Bot herder is the person who is in control of the Botnet. The herder often hires out their net for a length of time to be used for malicious activities such as spamming or DoS.

Bug
A failure, error or flaw in a computer program.

Denial of Service (DoS)
A type of net attack, where a maliciously generated traffic aims at consuming the resources of a server, thus preventing valid traffic from reaching the machine, which regular users experience as "denying" the service that the server should provide, e.g. showing a website.

Distributed Denial of Service (DDoS)
This is a DoS attack, but performed using multiple computers, which then focus the malicious traffic on a victim server, consuming its bandwidth. In most cases, these computers are controlled remotely by hackers and are connected in so called "Botnets". Such computers are also called Zombies.

Hacking
Act of exploiting or investigating software vulnerabilities. Hacking can be thought of as someone physically breaking into your business, looking around, changing a few things and also maybe stealing some items.

Identity Theft
The crime of impersonating someone, using their private information, for financial gain.

Key Logger
A piece of software, generally malware, that logs a users keystrokes, and captures private information, passwords or credit card details.

Mail Bomb
An excessively large amount of email data sent to make the recipients email program crash.

Malware
These are malicious bits of code often embedded into website or emails that once triggered, run harmful programmes on your computer.

Pharming
Similar to Phishing. Fraudsters use fake emails, websites or viruses to direct users into entering personal details into a website, usually login information which is then used to steal money or identities.
Phishing
Activity of defrauding an online account holder of financial information by posing as a legitimate company.

Spam
Irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

Spyware
Unwanted software that secretly monitors a user's activity, scans for private information or gives outsiders control of a computer.

Trojan horse
Program designed to breach the security of a computer system while ostensibly performing some innocuous function.


Virus
Piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.

Worm
A self-replicating programme able to recreate itself to spread from computer to computer over a network. The worm is similar to a virus in that it will likely have malicious intent but unlike a virus it can spread by its own accord.

Zombie
A Zombie is the term usually used to refer to a computer that has been infected and is being used as part of a net.

Thursday, 24 September 2009

FORENSIC TOOL: ENCASE OR FTK

Table of Contents
1.1 Introduction
1.2 Methodology
1.3 Phases of Computer Forensic Investigation
1.4 EnCase 6.11.2- Forensic Edition
1.4.1 EnCase Overview
1.4.2 Features of EnCase
1.4.3 Using EnCase
a) Collection
b) Preservation
- Creating/Opening a Case
- Adding Device or a Raw Image to Case
c) Filtering and Searching (Analysing Evidence); Hashing, Searching and using Filters
d) Reporting
1.4.4 Summary: EnCase
1.5 Forensic Toolkit 1.81.0 - FTK
1.5.1 FTK Overview
1.5.2 Features of FTK
1.5.3 Using FTK
a) Collection
b) Preservation
= Creating/Opening a Case
= Adding Device or a Raw Image to Case
c) Filtering and Searching (Analysing Evidence)
- File Handling
- Searching for Files and Folders
- Carving
d) Reporting
1.5.4 Summary: FTK
1.6 EnCase and FTK Updates
1.7 Comparison of EnCase and FTK
1.8 Conclusion
1.9 References
1.10 Bibliography



1.1 Introduction
This report has been compiled in order to accomplish the objective that is to critically compare and evaluate the two popular computer forensic tools, EnCase and Forensic Toolkit (FTK) based on the four distinct phases of a computer forensic investigation.

A detailed background about EnCase, FTK and their features will be specified. The two forensic tools will be discussed and compared thoroughly according to their features which are utilised during a computer forensic investigation.

The report will be valuable in learning how to use the two forensic tools, their features, and analyse the techniques used to gather, search, raid, and inspect digital evidence.

1.2 Methodology
The research methods used for this report include both primary and secondary research methods:
• Primary Research includes screenshots of the tools.
• Secondary Research comprises of websites, online magazines, journals and polls on forums.
The assignment will be approached logically; detailing the phases of computer
forensic investigation, brief of EnCase and FTK, how to use the two tools (including features) and then finally the comparison and evaluation of the two forensic tools.


1.3 Phases of Computer Forensic Investigation
Forensic Computing is the “process of collecting, identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable”
(McKemmish, 1999)

The different and distinct phases of a computer forensic investigation comprise of:
1. Collection – Collection of evidence from the crime scene. The evidence includes hard disks, laptops, books, flash drives and other accessories.

2. Preservation – Preservation of evidence related to the crime scene. This phase includes imaging of hard disks (or other media), labeling the gathered evidence, then to securely store the evidence in a well protected (safe and secure) environment.

3. Filtering – It can also be called “Analysing”. It is the process where the evidence (data) is filtered and only the evidence (data) related to the crime is analysed and rest of the data is not considered for further investigation.

4. Presenting – It is the process which starts from beginning of the crime scene and is most crucial as every step undertaken by the investigator has to be recorded for verification purposes. This phase is most crucial in order to avoid questioning of the integrity of the investigation and investigation in the court of law.

1.4 EnCase 6.11.2 - Forensic Edition

1.4.1 EnCase Overview
EnCase Forensics is a very popular software and is widely accepted in the court of law in forensic investigation. EnCase is bundled with numerous features which aid in all the four phases of forensic investigation.

1.4.2 Features of EnCase
In the following table, EnCase features and supported operating systems are illustrated:
EnCase 6.11.2 – Forensic Edition (Law Enforcement)

• Operating Systems Supported Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX

• File Systems Supported FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS, jfs), LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2.
Now supports Novell file system.

• File Types Support - Supports over 400 different file formats with Stellent's Outside In Viewer Technology
- Now supports Microsoft Office 2007 documents and the mbox format which is quite common among mail user agents

• Image Formats VMware, dd, and Safeback v2 image formats, also supports CD/DVD.
Now supports LinEn utility for Linux systems.
• RAID Supports imaging and analysis of RAID sets
• Dynamic Disk Configurations Support Spanned, Mirrored, Striped, RAID 5, and Basic.
• Search and Analysis Text extraction, Global keyword searches, hash analysis, file signature analysis, file-specific filters and multiple filters to quickly analyze target media.
• Hashing Message Digest 5 (MD5)
• Internet and Email Support Hotmail, Outlook, Lotus Notes, Yahoo, AOL, Netscape, mbox and Outlook Express) and supports Internet Explorer, Mozilla, Opera and Safari.
• Gallery View Displays images of BMPs, JPGs, GIFs, & TIFFs.
• Timeline View Displays a calendar-style graphic of all file activity, and file attributes such files created,
last written or accessed. It scales from days to years, serving as a valuable tool for looking at patterns of file activity.
• Report View Reports can be generated on any file, folder, volume, physical disk or the entire case. Supports reports in RTF or HTML format.
 (Guidance Software, 2008)

According to Guidance Software, 2008 EnCase also supports features such as:
• EnCase Encrypting File System (EFS) Module (for file encryption and decryption)
• EnCase Virtual File System (VFS) Module – to mount computer evidence as a read-only off-line network drive, which allows further examination of the evidence using Windows Explorer and 3rd party tools.
• Network Authentication Server (NAS) Module - provides complete flexibility in EnCase software licensing. NAS enables EnCase software licenses to be utilized in three ways; local on the Examiner computer, remotely with Terminal Services, and across the network using the License Manager.

1.4.3 Using EnCase
a) Collection - With EnCase, investigators can acquire (collect) data from various sources including- hard Disks, floppy disks, CD ROMs, flash drives, digital cameras and other media.
b) Preservation - Guidance Software, 2008 states that the image produced by EnCase is an exact binary duplicate of data on the original media. EnCase verifies the image by generating Message Digest 5 (MD5) hash values of both the original media and the resulting image file (now, an "evidence file"). The 64 sectors of the evidence file are assigned a Cyclical Redundancy Checksum (CRC) value. These CRC values are checked each time the image (“an evidence file”) is accessed.
- Creating/ Opening a Case – To create a case in EnCase, the user has to click on New at the top left of screen, then fill in Name of Case, Examiner Name and click Finish.
- Adding Device or Raw Image to a Case – To add device to case, user should click File>Add Device>Select Device. To add a raw image, user should click File>Add Raw Image/Drag and drop from Image Location (Step 1) or Right click and click Insert (Step 2) and select location of Image.
After this step, in order to acquire the image, the user needs to right click on the media added and click Acquire, then follow the instructions and specified fields to be filled (see circles and arrows in the figure below) and the image is acquired which is an exact binary duplicate of data on the original media.

c) Filtering and Searching
It includes locating, hashing, analyzing and recovering files and folders. The search engine of Encase v6.7 is faster and more efficient than older versions.
EnCase supports EnScript analysis, signature analysis, hashing (MD5), keyword searches, indexing, searching for all email types, application descriptors, bookmarking items, verify evidence files, wipe drive. A diagram has been provided to illustrate different ways of viewing files in EnCase.

-Hashing, Searching and using filters
• EnCase uses MD5 hashing verify the evidence file with the original.
• EnCase v5 features two dialogues for search- one for keyword searching and signature/hash analysis, and one for e-mail and Internet history/cache data. EnCase v6 features a single dialogue box for searching.
• EnCase uses filters which allow examiner to quickly sort relevant evidence files.


d) Reporting
• EnCase supports report in HTML and RTF format.
• The reports are generated automatically as well as manually.



1.4.4 Summary: EnCase
EnCase supports:
• Almost all operating systems (including Microsoft Vista), and File Systems (including Ext2/3 and Novell).
• Most popular image formats for Imaging purpose.
• Imaging and analysis of RAID sets.
• Over 400 different file formats with Stellent's Outside In Viewer Technology.
• Integrated Timeline View - Displays a calendar-style graphic of all file activity, and file attributes last written or accessed.
• Reports in RTF and HTML format

1.5 Forensic Toolkit 1.81.0 – FTK

1.5.1 FTK Overview
The Forensic Toolkit is another very powerful tool used by a good number of forensic investigators. It comes with essential features including powerful file filtering, full text indexing, advanced searching, deleted file recovery, data-carving, email and graphics analysis, hashing, advanced search functionality and many more. A package of FTK includes FTK Imager; Hash Library- Known File Filter (KFF); and Registry Viewer; it may also include Password Recovery Toolkit (PRTK).

1.5.2 Features of FTK
In the following table, FTK features and supported operating systems are illustrated: (AccessData, 2008)

FTK v1.81.0

• Operating Systems Supported Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX
• File Systems Supported FAT 12/16/32, NTFS and EXT2/3
• File Types Support Supports over 270 different file formats with Stellent's Outside In Viewer Technology
• Hard Disk Image Formats Support Encase, SnapBack, Safeback 2.0 and under Expert Witness, Linux DD, ICS, Ghost (forensic images only) and SMART
• CD and DVD Image Formats Alcohol (*.mds), CloneCD (*.ccd), ISO IsoBuster, CUE, Nero (*.nrg), Pinnacle (*.pdi), PlexTools (*.pxi), Roxio (*.cif), Virtual CD (*.vc4)
• Searching Live and Indexed Search supported
Uses dtSearch as index search engine which uses two types of search - natural language and Boolean.
• Hashing Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1)
• Email Support


• Zip File support - Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN.

- PKZIP, WinZip, WinRAR, GZIP, and TAR
• Graphics Tab Displays most images formats
• Reporting Only HTML format.

1.5.3 Using FTK
a) Collection - With FTK, investigators can acquire (collect) data from various sources including- hard disks, floppy disks, flash drives, digital cameras and other media, and almost all CD/DVD image formats.
b) Preservation – FTK creates a replica of the original media and uses MD5 and SHA-1 hashing to verify the image to original media.
- Creating/ Opening a Case – Start FTK, a screen will appear with dialogue box, asking to create or open a Case. Click “Create a Case”, and follow the figure given below.

- Adding Device or Raw Image to a Case –
To add device or image to a case, user should follow the figure 2.0 below. To add another evidence (in place of raw image) choose any option from Step 7 and follow the instructions.

c) Filtering and Searching (Analysing Evidence)
- File Handling: FTK displays files in a professional and user friendly manner. An investigator can navigate through files by switching different tabs provided – Overview (which gives details- Evidence Items, File Status, and Category), Explore, Graphics, E-Mail, Search, Bookmark. With FTK, files can be viewed in a number of ways including – hex, decimal, picture view as shown in the figure below.
- Searching for Files and Folders
• FTK uses dtSearch engine for powerful search results.
• It also features indexed search as well as Live search as shown below.

- Carving
Recovering files in FTK is also very simple, the user has to click Tools>Data Carving and follow the figure below to recover the different types of files supported by FTK.




d) Reporting
FTK offers a reporting wizard to generate a report in HTML format. The report includes Case Information, File Overview, Evidence List and Case Log.

A diagram has been provided below to demonstrate the reporting feature of FTK. (See Appendix (i) for a sample report of FTK)

1.5.4 Summary of FTK
• Data Duplication, 2008 states that FTK is the most user friendly forensic tool in the market.
• Supports numerous number of image formats.
• Uses dtSearch engine for searching and has excellent features as Live and Indexed Search.
• Supports SHA-1 as well as MD5 hashing
• Reports are in HTML format
• The old version (FTK 1.7) is half the price of EnCase 6.
• Overall, FTK is a very good tool for its features and price.

1.6 EnCase and FTK updates
EnCase (updates from v5 to v6.11) FTK (updates from v1.7 to 1.8 and 2.0)
• EnCase 6.6 now supports Microsoft 2007 documents and mbox formats • Registry viewer for Microsoft Vista updated
• $EFS stream has been added internally to resolve the issue of LEF EFS Encryption Enhancement
• FTK 2.0 is based on integrated Oracle database
• EnCase now supports 64-bit versions of Windows XP, 2003, and Vista operating systems.

• True multi- core processor support
• Support for IPv6 and CIDR notation
• Now provides hard drive serial number
 (Schuster, A. 2007)


1.7 Comparison of EnCase and FTK
The two forensic tools – EnCase and FTK, have been compared (See Appendix (ii) for full comparison details) based on the following criteria:
  • GUI - FTK has been rated the most user friendly forensic tool.
  • VIEW PANES (TABLE PANE) - EnCase supports Timeline view of files which is not supported by FTK.
  • IMAGING OF DEVICES - FTK supports more image formats than encase. But, EnCase has its own image format while FTK does not have its own image format. FTK cannot handle compressed drives like – DoubleSpace
  • FILE SYSTEMS SUPPORTED – EnCase supports more file systems than FTK.
  • SEARCHING - FTK search takes longer, has good features as Live and Indexed Search. EnCase uses its own search engine.
  • RAID - EnCase supports several Dynamic Disk Configuration as compared to FTK.
  • HASHING - FTK supports SHA-1 hashing which is not supported by EnCase.
  • DELETED FILES, BAD SIGNATURE – FTK has a very good feature which highlights if a file contains Bad Signature, it also shows a symbol (x) next to a file which is deleted. EnCase does not highlight a file with Bad signature, it just displays it.
  • CARVING - FTK cannot recover deleted files and filenames on Ext 2/3 File Systems, which are supported by EnCase.
  • SCRIPTING - EnCase uses its own script – EnScript, whereas FTK does not support Scripting
  • REPORTING - FTK includes Report Wizard to create a report. EnCase reports are automatic and supports RTF format which is not supported by FTK.
  • HELP OR USER MANUAL - FTK has a very good help feature and includes user manual. EnCase has very descriptive User Manual.
  • PRICE - Both have almost the same price (the updated versions). Older versions of these tools- FTK 1.7 is less than half price of EnCase 4. (SC Magazine, 2007)

1.8 CONCLUSION
Taking into account the features provided by the two tools, both the tools are essential for a thorough and complete forensic investigation. As both the tools, have some common and some unique special features which aid in the investigation, it is suggested to use both the tools for investigation. In conclusion, if finances are of not primary concern, both EnCase and FTK are recommended.

  • If budget is a concern, Forensic toolkit (v1.7) is economically sound as compared to EnCase v6 which is almost double the price of FTK v1.7. FTK v1.7 provides almost all the features that facilitate in the smooth running and completion of a forensic investigation.
  • If only one tool is to be chosen, EnCase leads FTK due to its advanced features (discussed in the main report) which give EnCase competitive advantage over FTK or any other forensic tool in the market.


1.9 REFERENCES
• AccessData. 2008. FTK v1.81.0. Lindon: AccessData Corp.
• Data Duplication. 2008. [WWW] http://www.dataduplication.co.uk/pdfs/FTK2.0_DataDup.pdf (24th October 2008)
• Guidance Software. 2008. EnCase Forensic. California: Guidance Software Inc.
• Forensic Focus. 2006. [WWW] http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=722 (22nd October 2008)
• Forensic Focus. 2008. [WWW] http://www.forensicfocus.com/index.php?name=Surveys (24th October 2008)
• McKemmish, R. (1999). What is Forensic Computing? Trends and Issues in Crime and Criminal Justice (118).
• Schuster, A. (2007). [WWW] http://computer.forensikblog.de/en/2007/07/updates_to_encase_and_utk.html (27th October 2008)
• SC Magazine, 2007. [WWW]. http://www.scmagazineus.com/Guidance-Software-EnCase-Forensic-v-6/Review/159/ (27th October 2008)

1.10 BIBLIOGRAPHY
• Digital Forensics, 2008. [WWW]. http://www.h11-digital-forensics.com/forensic-toolkit-computer-evidence.php (25th October 2008)
• BROWN, C.L.T. 20005. Computer Evidence: Collection and Preservation. Charles River Media.
• CASEY, E. 2004. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press Inc (London) Ltd.
• SLADE, R.M. 2004. Software Forensics: Collecting Evidence from the Scene of a Digital Crime. McGraw-Hill Education.





1.11 APPENDICES

a) Appendix (i) – Sample Report of FTK

b) Appendix (ii) - Comparison of EnCase and FTK
FEATURES SUPPORTED ENCASE V6.11.2 FTK V1.81.0 CONCLUSION
 GRAPHICAL USER INTERFACE (GUI) Very intuitive, but confusing for new user Very user friendly GUI. Includes tabs – Overview, Explore, Graphics, Search, Email and Bookmarks. FTK has been rated the most user friendly forensic tool.
 VIEW PANES
TABLE PANE • Text
• Hex
• Doc
• Transcript
• Picture
• It also supports Timeline View (to view files in calendar view) • Native View
• Filtered Text
• Text
• Hex
• Internet Explorer EnCase supports Timeline view of files which is not supported by FTK.
 IMAGING OF DEVICES VMware, dd, and Safeback v2 image formats, also supports CD/DVD, EnCase. Encase, SnapBack, Safeback 2.0 and under Expert Witness, Linux DD, ICS, Ghost (forensic images only) and SMART.
Alcohol (*.mds), CloneCD (*.ccd), ISO IsoBuster, CUE, Nero (*.nrg), Pinnacle (*.pdi), PlexTools (*.pxi), Roxio (*.cif), Virtual CD (*.vc4) FTK supports more image formats than encase.

But,
EnCase has its own image format while FTK does not have its own image format.

FTK cannot handle compressed drives like - DoubleSpace

FILE SYSTEMS SUPPORTED FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS, jfs), LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2.
Now supports Novell.

 FAT 12/16/32, NTFS and EXT2/3 EnCase supports more file systems than FTK.


SEARCHING
• Text extraction
• Global keyword
• Hash analysis
• File signature analysis
• File-specific filters
• Multiple filters to quickly analyze target media.
• Uses EnCase search engine
• Live and Indexed Search supported
• Uses dtSearch as index search engine which uses two types of search - natural language and Boolean. FTK search takes longer, has good features as Live and Indexed Search. EnCase uses its own search engine.
RAID • Supports imaging and analysis of RAID sets
• Does not support RAID EnCase supports several Dynamic Disk Configuration as compared to FTK.
 HASHING Message Digest 5 (MD5) Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) FTK supports SHA-1 hashing which is not supported by EnCase.

CARVING • Recovers deleted files from file slack, unallocated space and other areas.
• Can also recover deleted files on Ext 2 and Ext 3 File Systems
• FTK does not recover the filenames for files deleted on ext2 systems.
• FTK does not support recovering deleted files from ext3 volumes because ext3 zeroes out a file's indirect block pointers when it is deleted.
FTK cannot recover deleted files and filenames on Ext 2/3 File Systems, which EnCase supports.
SCRIPTING EnCase uses its own script – EnScript. Does not support Scripting EnCase has an advantage at Scripting



Wednesday, 26 August 2009

Live Forensics: Incident Response

Greetings,

I will be using this Blog as a medium to publish my research and findings of my Final Year Project - Live Forensics: A Methodology.

I will be discussing the various stages in the Forensic Investigation and will be critically analysing the area of Live Forensic Acquisition.
The various hurdles faced by Forensic Investigators during Live Analysis will be critically analysed and the weaknesses in the various proposed Live Forensic Methodologies will be identified in order to propose a Live Forensic Methodology.

The successful completion of my project will enable Forensic Investigators in performing Live Investigations in a forensically sound manner and will comply with all the standards to be met during the investigation.

Your suggestions, discussion and any queries regarding Computer Forensic are most welcome.