Computer forensics: Donning your detective hat

7/19/12
Computer forensics: Donning your detective hat -- Federal Computer Week
Computer forensics: Donning your detective hat
By Maggie Biggs
Nov 14, 2005
"Quincy, M.E.," the 1970s TV series, showed the dramatic potential of medical examiners. We're waiting now for the premiere of "Quincy, C.F."
Computer forensics is playing an increasingly important role in
thwarting wrongdoers at the federal, state and local level. For
example, recovered e-mails helped expose the involvement of
National Security Adviser John Poindexter and Lt. Col. Oliver North in
the Iran-Contra scandal during the Reagan administration.
The ubiquity of computers as a communications tool means that the
role of computer forensics -- the practice of examining historical
activity on electronic devices when someone suspects inappropriate
or illegal activity -- will continue to grow in importance.
And the tools available to forensics analysts are keeping pace with increasingly sophisticated computers and other electronic
devices. Forensic tools and the professionals with the qualifications to use them have also become more expensive. Accordingly,
it can be a challenge for agency security teams to know when to put them to work.
"If you have reason to believe that a serious crime has been committed and that prosecution is desired, then you should bring in
an experienced [forensics] investigator," said Jay Heiser, a research vice president at Gartner Group. But what if you're not sure yet
that someone has committed a crime?
"Legislation, such as Sarbanes-Oxley, is making organizations more responsible and making data security and integrity a best
practice," said Bill Margeson, chief executive officer at CBL Data Recovery Technologies.
All of the experts we interviewed said agencies could address legislative requirements and the growing number of incidents by
establishing an internal forensic policy and creating a toolkit to execute the initial phases of a forensic investigation.
The four phases of forensics
At a high level, forensic activity has four phases: evidence collection, evidence preservation, analysis and reporting.
Of those, the collection phase is the most crucial, especially if agencies suspect illegal activity. Depending on the type of incident,
forensic tools can collect activity data from a variety of sources, including servers, users' hard drives, log files, application data,
portable devices and security tools, such as intrusion-detection systems.
When forensics experts collect information for an investigation, they typically remove suspected hard drives and make a write-protected image of the contents using a forensic workstation. However, new portable devices allow security employees to boot from a CD on a separate machine and safely extract an image of a hard drive via a USB or Ethernet port.
For user devices such as desktop and laptop PCs and personal digital assistants, you typically want to capture an image of their
entire content, whereas on large, multiuser systems, you might only need to see specific folders, such as a user's home directory,
or data from specific tables. Both forms of collection are admissible in court as long as the collection process is well-documented
and security employees use proper seizure methods.
During the preservation phase, you should use cryptographic checksums to verify that your copies of all the collected data are exact. A cryptographic checksum is a mathematical value computed from a file's contents and used to verify that the data has not been changed. If legal action is a likely outcome of your investigation, you can ensure the integrity of the collected images by maintaining checksum copies of the data.
fcw.com/Articles/2005/11/14/Computer-forensics-Donning-your-detective-hat.aspx?sc_lang=en&p=1
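The preservation step above, as an added example that is not part of the original article: it records an MD5 and a SHA-256 digest for each acquired image at acquisition time and later checks a working copy against that record. The image names and contents are constructed stand-ins; SHA-256 is an addition to the MD5 the reviewed tools produce, because MD5 alone no longer resists deliberate collisions.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for acquired images. Real images are multi-gigabyte
# files on the forensic workstation; small byte strings let this run offline.
ORIGINAL_IMAGES: Dict[str, bytes] = {
    "laptop-sda.dd": b"\x00" * 512 + b"<partition table>" + b"\xff" * 512,
    "home-jdoe.tar": b"ustar\x00jdoe/.bash_history\n" + b"ls -la /var/log\n" * 16,
}

Digests = Tuple[str, str]  # (MD5 hex, SHA-256 hex)


def digest(data: bytes) -> Digests:
    """Hash once with MD5 (what the tools reviewed here emit) and once with
    SHA-256. MD5 collisions are practical today, so a stronger second hash
    is recorded alongside it rather than relying on MD5 alone."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def build_manifest(images: Dict[str, bytes]) -> Dict[str, Digests]:
    """Record both digests for every image at acquisition time. This manifest
    is the preservation record that later copies are checked against."""
    return {name: digest(data) for name, data in images.items()}


def verify_copy(manifest: Dict[str, Digests], name: str, copy: bytes) -> Tuple[bool, str]:
    """Check a working copy against the acquisition-time manifest.
    Returns (ok, reason) so the reason can go straight into the case notes."""
    if name not in manifest:
        return False, "no acquisition record for this image"
    md5_ok = hashlib.md5(copy).hexdigest() == manifest[name][0]
    sha_ok = hashlib.sha256(copy).hexdigest() == manifest[name][1]
    if md5_ok and sha_ok:
        return True, "both digests match"
    if md5_ok:
        return False, "MD5 matches but SHA-256 does not: treat as tampered"
    return False, "digest mismatch: copy differs from acquired image"


def manifest_lines(manifest: Dict[str, Digests]) -> List[str]:
    """Render in the 'hash  filename' layout md5sum/sha256sum use, so the
    record can be printed, signed and kept with the chain-of-custody form."""
    md5_rows = [f"{md5}  {name}" for name, (md5, _) in manifest.items()]
    sha_rows = [f"{sha}  {name}" for name, (_, sha) in manifest.items()]
    return md5_rows + sha_rows


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_IMAGES)
    print("\n".join(manifest_lines(manifest)))
    # An exact copy verifies; a copy with its last byte changed does not.
    good = ORIGINAL_IMAGES["home-jdoe.tar"]
    bad = good[:-1] + b"?"
    print(verify_copy(manifest, "home-jdoe.tar", good))
    print(verify_copy(manifest, "home-jdoe.tar", bad))
```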
With data images in hand, you can now enter the analysis phase. Sometimes during this phase, you will need to retrieve deleted
or encrypted data. A variety of commercial and open-source forensic software can retrieve items, including incriminating evidence,
that you might otherwise overlook.
During the next part of the analysis phase, you should search through the collected information for inappropriate or illegal activity.
Although you can use Unix- or Windows-based search tools, forensics-based search tools are available to help ensure that you
are analyzing the correct data. For example, if a user renamed a file and its extension to try to hide something, the forensic search
software could uncover the foul play.
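An added example (not from the original article) of the renamed-extension check described above: it compares a file's leading bytes against well-known signatures and flags files whose extension does not fit what the bytes say. The signature table is a small sample of real magic values and the file list is constructed.

```python
import os
from typing import Dict, List, Optional, Set, Tuple

# Well-known file signatures (magic bytes at offset 0). A small sample of
# real signatures, enough to show the technique; not an exhaustive table.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/jar
    (b"MZ", "exe"),            # Windows executables and DLLs
    (b"\x7fELF", "elf"),       # Unix executables and shared objects
]

# Extensions under which each signature legitimately appears.
ALIASES: Dict[str, Set[str]] = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "odt"},
    "exe": {"exe", "dll", "sys", "scr", "cpl"},
    "elf": {"elf", "so", "o", ""},   # Unix binaries usually have no extension
}


def identify(header: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, header: bytes) -> Optional[str]:
    """Describe the discrepancy when the content type does not fit the file's
    extension; None means either consistent or no signature to compare with."""
    kind = identify(header)
    if kind is None:
        return None
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    if ext in ALIASES.get(kind, {kind}):
        return None
    return f"{name}: extension '.{ext}' but content is {kind.upper()}"


def scan(files: List[Tuple[str, bytes]]) -> List[str]:
    """Run the check over (filename, first bytes) pairs and keep only the hits."""
    return [hit for hit in (extension_mismatch(n, h) for n, h in files) if hit]


# Constructed sample as a search tool would read it from an image: the first
# bytes of each file next to the name the user gave it.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # image renamed to look like text
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("budget.xls", b"MZ\x90\x00\x03\x00\x00\x00"),     # executable renamed to look like a spreadsheet
    ("readme", b"plain text has no signature"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(hit)
```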
After uncovering the data, the next step is to correlate the information from the investigation's various data sources. For example,
you might need to construct a timeline of events. To do so, you might have to merge network log timestamps and data with
database access and usage logs. Forensic software will often include resources to help you correlate the information.
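The timeline construction described above, as an added example that is not part of the original article: it parses a constructed firewall log stamped in local time and a constructed database audit log stamped in UTC, converts both to one clock and merges them in order. The log formats, hostnames, addresses and the firewall's UTC-5 clock are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample logs. The firewall stamps local time (assumed US Eastern,
# UTC-5 in November); the database audit log is already in UTC. Merging them
# without converting to one clock would put the events in the wrong order.
NETWORK_LOG = """\
Nov 14 2005 09:02:17 fw01 CONNECT src=10.1.4.22 dst=10.1.9.5 dport=1433 user=jdoe
Nov 14 2005 09:03:41 fw01 CONNECT src=10.1.4.22 dst=10.1.9.5 dport=1433 user=jdoe
Nov 14 2005 09:11:05 fw01 CONNECT src=10.1.4.22 dst=203.0.113.7 dport=21 user=jdoe
"""
DB_AUDIT_LOG = """\
2005-11-14T14:02:19Z db01 LOGIN user=jdoe db=payroll
2005-11-14T14:03:55Z db01 SELECT user=jdoe table=employees rows=4821
2005-11-14T14:04:10Z db01 EXPORT user=jdoe table=employees file=emp.csv
"""
FIREWALL_TZ = timezone(timedelta(hours=-5))  # assumption about the device clock

NET_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
DB_RE = re.compile(r"^(\S+Z) (\S+) (.*)$")

Event = Tuple[datetime, str, str]  # (UTC time, source host, what happened)


def parse_network(text: str) -> List[Event]:
    """Parse firewall lines and convert their local timestamps to UTC."""
    events = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        local = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S").replace(tzinfo=FIREWALL_TZ)
        events.append((local.astimezone(timezone.utc), m.group(2), m.group(3)))
    return events


def parse_db(text: str) -> List[Event]:
    """Parse database audit lines, which already carry UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        utc = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((utc, m.group(2), m.group(3)))
    return events


def build_timeline(*sources: List[Event]) -> List[Event]:
    """Merge events from every source into one chronologically ordered list."""
    return sorted(event for source in sources for event in source)


def timeline_lines(events: List[Event]) -> List[str]:
    """One line per event, all on the UTC clock, ready for the report."""
    return [f"{t:%Y-%m-%d %H:%M:%S}Z {host:<5} {what}" for t, host, what in events]


if __name__ == "__main__":
    timeline = build_timeline(parse_network(NETWORK_LOG), parse_db(DB_AUDIT_LOG))
    print("\n".join(timeline_lines(timeline)))
```

Once both sources share the UTC clock, the firewall connection to the database server lines up two seconds before the database login, and the outbound transfer follows the export, which the raw logs did not make visible.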
The final phase of forensic investigations is usually the production of at least one report that describes the investigation's
outcome. Reports may include summary information about the event and additional details.
Walking through the phases
With an eye toward the four phases of forensic investigation, we wanted to gauge how effective some of the products mentioned
here would be when added to an agency's forensic toolkit. We spent some time assessing AccessData's Forensic Toolkit,
Paraben's P2 Power Pack and ASR Data's Smart Linux.
We recommend that you put more than one solution in your toolkit. Only one of the three units we tested, the Paraben P2 Power
Pack, attempts to cover all four phases of forensic analysis. And each product had special capabilities.
During the collection phase, we found that all three did an excellent job of creating images. We were able to successfully copy
information from several types of file systems, including file allocation table, NT File System, ReiserFS, journaled file system and
Ext2/3.
We especially liked Smart Linux's concurrent task capability, which let us simultaneously scan multiple images. We were limited
only by the resources of our available hardware. In addition to image collection, we found some other useful seizure capabilities in
Paraben's modules. For example, they can collect data from cell phones and PDAs.
Moving to the preservation phase, we used Paraben's P2 Explorer and ASR Data's Smart Linux to generate Message Digest 5
(MD5) checksums and digital signatures for the images. We used Smart Linux's tools to validate the images, and by using P2
Explorer, we could protect the information we had uncovered by write-protecting it.
All three tools provide in-depth analysis capabilities. For example, we were able to use Paraben's Decryption Collection tool to
recover passwords. The three tools also provide useful searching functions. Access Data's Forensics Toolkit allowed us to rapidly
search text and images. In addition, we used the product's Live Search function to find binary patterns in the collected data.
Access Data and Paraben provide additional analysis tools, including facilities for examining e-mail messages, compressed files,
chat sessions and so on. We were able to successfully analyze e-mail messages from Netscape and Yahoo. Paraben's e-mail
analysis tools also include support for products such as Lotus Notes. We used this support to inspect an e-mail file based on
Lotus Notes Version 6.0. Paraben and Access Data also did a nice job of recovering deleted e-mail messages.
We then used Access Data's support for a number of different archive formats, such as WinZip and tape, to extract the contents of
several large archives. Moreover, Paraben's Chat Examiner enabled us to analyze several Yahoo chat sessions with ease.
When it comes to correlating the collected data, Access Data and Paraben include some powerful filtering capabilities that simplify
the compilation of potential evidence files. For example, you could use a filter to identify standard operating system files and
program files so you can eliminate them from your results.
Of the three products we examined, Paraben's had the best options for addressing the reporting phase of forensics. Using
Paraben's Case Agent Companion, for example, we could add notes, bookmark various sections of the data and produce detailed
reporting data.
One of the most attractive qualities of these tools -- and many other similar commercial and open-source solutions -- is that you
can either download them directly or try out a demo version.
If you're investing in the construction of a forensic toolkit for daily use, you'll likely want to include several products. Given agency
budget constraints, you probably want to include commercial and open-source options. However, no matter how well-stocked your
toolkit is, you will encounter situations in which you should just call in the cavalry -- an experienced forensics expert.
Turning to outside experts
After agency security employees finish an initial forensic investigation, they may find enough evidence to warrant contacting a
forensics expert to conduct a more in-depth investigation. The experts we spoke to said that if agencies were considering legal
action, they should contact experts to ensure that all the evidence would be admissible in court.
What should you look for when trying to select a forensics expert? Heiser said he recommends looking for "someone who has had
a lot of courtroom experience, especially successful prosecutions."
Jon Berryhill, chief operating officer at Berryhill Computer Forensics, expressed similar sentiments. He advises agency officials to
take a close look at experts' experience and references. "That person must be able to communicate clearly on the phone, in
person and in writing to be able to explain to the judge, lawyers and jury exactly what happened during the event," he said.
Although you would want to summon an expert when handling serious legal issues, you can take advantage of your internal
forensic policy and toolkit to address inappropriate activity. Constructing and maintaining the policy and toolkit can help contain
costs while improving compliance with legislation to ensure data security and integrity.
Forensic education and training
We asked our experts how agency security and risk-assessment teams should go about gaining knowledge about forensics and
the best ways to expand that knowledge over time. Heiser said a primer, such as the one he co-authored with Warren Kruse, is a
good place to start. He added, however, that "the trend lately is toward subject-specific books" on the various aspects of forensics.
Berryhill takes a slightly different approach to gaining forensic knowledge. "Read as much as you can and get as much training as
you can. Go to conferences," he said. "After that, the most important thing is to stay connected with the experts who are out there
doing forensic work every day." Berryhill suggests that after initial education, agency security employees should seek out a
forensics expert to act as a mentor so they can stay informed on the issues and technology advances.
"The best sources of educational materials can be gained by getting in touch with law enforcement organizations," Margeson said.
He particularly recommends the High Technology Crime Investigation Association (www.htcia.org).
Indeed, there are many security and law enforcement organizations that regularly offer forensic training. For example, the SANS
Institute (www.sans.org) offers monthly courses at various locations throughout the United States and abroad. Moreover, several
universities -- including the University of Central Florida, Champlain College and the University of Washington -- offer courses of
various lengths to help get you up-to-speed on forensic tools and techniques. Several universities offer forensics-related courses
online, too.
Biggs, a senior engineer and freelance technical writer based in Northern California, is a regular Federal Computer Week analyst.
She can be reached at maggieb [email protected].
Online forensic resources
Trinux
URL: trinux.sourceforge.net
Platforms: Linux, Unix
Overview: RAM disk-based Linux distribution that boots from a single floppy or CD. Includes forensic and other security-related tools such as vulnerability scanning. Addresses the collection, preservation and analysis phases of forensics.
Supports OpenSSH (the free version of the Secure Shell protocol) and scripting via Perl, PHP and Python. Product,
including source code, can be downloaded from the Internet. Documentation is brief, but support is available via a mailing
list and online forums.
The Coroner's Toolkit
URL: www.porcupine.org/forensics/tct.html
Platforms: Unix, Berkeley Software Design's BSD
Overview: Useful for live analysis of compromised machines. Includes tools that address the collection and preservation
phases of forensics. Capable of collecting volatile data about a system's current state. Includes command-line tools and a
graphical user interface (GUI) front end. Supports Unix file system (UFS) and Ext2/3 file system types. Documentation is
minimal, but support is available via a mailing list.
The Sleuth Kit
URL: www.sleuthkit.org
Platforms: Unix, Linux, BSD, Apple Macintosh
Overview: A set of command-line tools based on the Coroner's Toolkit. Includes a GUI called Autopsy. Supports the
collection, preservation and analysis phases of forensic investigations. Enables recovery of data stored in the host
protected area. Supports file allocation table, NT File System, Ext2/3 and UFS. Documentation available, including material
on how to use the kit on Microsoft Windows machines. Support is available via forums, mailing lists and a monthly
newsletter.
Open-source forensic solutions
One of the interesting trends in the forensics arena is the strong growth of the number of tools emerging in the open-source community.
Although traditional forensics experts might find this somewhat of a departure from the norm of using commercial
products, one of the benefits of using open-source tools is that the source code is also included.
With the source code in hand, it is possible to generate a completely documented procedure while also enabling the
forensics expert or security team member to verify that the tool does exactly what it claims.
Another benefit of using open-source tools, of course, is the cost. There is usually no cost associated with such tools
unless some form of support is included. This is good for budget-minded agencies that want to put together a basic
forensic toolkit.
On the downside, if you choose to use a user-supported open-source tool and you have trouble, help might be limited to e-mail, online forums or mailing lists.
However, security personnel and forensics experts who have a good background in the essentials of Linux, Unix and
Windows should not find the going tough.
The other challenging aspect of open-source tools is that availability can change rapidly. For example, one group of
developers of a particular tool might choose to cease further development, while a new group might get together to create a
tool that addresses a specific need.
Keeping up with the fast pace of the open-source community is a challenge you should take only if you are fully committed
to doing so for some time.
Open-source solutions that support Linux, Unix and Windows-based forensics exist. Moreover, many of the Linux- and
Unix-based tools can be used to inspect Apple Computer's Macintosh machines, too.
Some open-source tools are full-featured and capable of addressing all phases of a forensic investigation, while others
are tightly focused on just addressing one or two phases (e.g., collection support).
To learn more about open-source tools, go to www.opensourceforensics.org/tools/unix.html for Unix or
www.opensourceforensics.org/tools/windows.html for Windows-based solutions.
-- Maggie Biggs
Paraben P2 Power Pack
Paraben
www.paraben-forensics.com
(801) 796-0944
Ease of use: *****
Collection: ****
Preservation: ****
Analysis: *****
Reporting: ***
Pricing: The software costs $1,495.
Comments: The P2 Power Pack has modular, pluggable components that can be bought individually. It offers strong
Internet application support, can be used with multiple types of images, and has good analysis and reporting tools. Its
hardware adapters enable data retrieval from personal digital assistants and wireless phones.
Platforms: The software runs on Microsoft Windows.
Access Data Forensics Toolkit
AccessData
(801) 377-5410
www.accessdata.com
Ease of use: *****
Collection: ****
Preservation: ****
Analysis: *****
Reporting: **
Pricing: The toolkit costs $1,095.
Comments: The product has strong collection, recovery and analysis tools, and supports multiple types of images. It has
good file system support and a registry viewer that can retrieve user names and passwords. It also generates audit logs
and forensic case reports.
Platforms: The software runs on Microsoft Windows NT, 2000 and XP.
Smart Linux
ASR Data
(512) 918-9227
www.asrdata.com
Ease of use: *****
Collection: ****
Preservation: ****
Analysis: *****
Reporting: **
Pricing: The software costs $2,000, with discounts for law enforcement.
Comments: Smart Linux includes tools for collection, preservation, analysis and reporting and has strong support for
various file system protocols, including Unix file system, hierarchical file system, journaled file system, ReiserFS, file
allocation table and NT File System. It offers powerful searching capabilities, utilities that enable investigators to wipe data
from devices or partitions if needed and utilities to authenticate checksums of the original and retrieved data. It performs
concurrent forensic tasks with a scalability limited only by the hardware's capabilities.
Platform: The software runs on Linux.
Forensic resources for the cybersleuth
Books
"Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet," second edition, by Eoghan Casey
(Academic Press, 2004).
"File System Forensic Analysis" by Brian Carrier (Addison-Wesley Professional, 2005).
"Forensic Discovery" by Dan Farmer and Wietse Venema (Addison-Wesley Professional, 2004).
"Incident Response and Computer Forensics," second edition, by Kevin Mandia, Chris Prosise and Matt Pepe (McGraw-Hill
Osborne, 2003).
"Know Your Enemy: Revealing the Security Tools, Tactics and Motives of the Blackhat Community," second edition, by the
Honeynet Project (Addison-Wesley Professional, 2004).
"The Law Enforcement and Forensic Examiner Introduction to Linux: A Beginner's Guide" by Barry J. Grundy (NASA, 2004).
"Malware: Fighting Malicious Code" by Ed Skoudis with Lenny Zeltser (Prentice Hall, 2003).
"Real Digital Forensics: Computer Security and Incident Response" by Keith J. Jones, Richard Bejtlich and Curtis W. Rose
(Addison Wesley Professional, 2005).
"Security Warrior" by Cyrus Peikari and Anton Chuvakin (O'Reilly Media, 2004).
Journals
Communications of the Association for Computing Machinery, www.acm.org/pubs/cacm
Digital Investigation, www.elsevier.com
IEEE Transactions on Dependable and Secure Computing, www.ieee.org
International Journal of Digital Evidence, www.ijde.org
© 1996-2011 1105 Media, Inc. All Rights Reserved.