Module 5

Analysis and verification of volatile and nonvolatile data. When we talk about examining and analyzing a target computer, what we do depends on the nature of the investigation. If it is a fraud case, we're certainly going to be looking for e-mails, spreadsheets, and documents. If it is a child exploitation case, we're certainly going to be looking for mounds of pictures and video. Either way, we're going to prepare the target drive where we will store the acquisitions, and we're going to prepare it in a forensic manner: wipe it and clean it forensically. We're going to document all the hardware components that are attached to the suspect's computer, and here we should take note of what is connected to it. When you serve a search warrant, you want to look at the wireless router to determine how many devices are connected to it and see which ones might be communicating with the target computer. We're also going to look at the date and time in the CMOS of the target computer to determine in which time zone it is recording data. Regarding metadata, we're going to look at documents, folders, and files and decide which ones are important to our investigation. We're going to try to open password-protected files as well. Most software suites will prompt you for the password and, if you don't know it, you're going to have to find out what it is. This can be very difficult in some situations. What I typically do in a non-custodial situation (of course, again, there is no compulsion involved here, and I'm not forcing anyone to divulge something) is this: in the noncustodial situation, I might ask the suspect, "Hey, could I have the phone number of one of your loved ones?" They'll pull out their phone, and they won't know the number and will try to bring it up.
They'll type in a password to bring up the home screen, and when they do that, if I have probable cause to seize the phone, I'll just take it from them. That's a good way to get the information without having to go through retrieving passwords. These are some advanced items you might want to consider. Indexing. Advanced digital forensic tools have features such as indexing. Because of the voluminous nature of all the words and keywords on a computer (again, we're talking about 1 or 2 or maybe even 3 terabytes of data), searching for those words puts a strain on the computing power of the computer you're using as your workstation. So what we do is index all of it to begin with, and the computer stores that information so it can be retrieved easily. What I would do is set the entire acquisition to be indexed, turn that on, let it run for 4 or 5 hours or maybe overnight, and come back the next day. Every word on that acquisition will be indexed, and I can search it: when I type in a search term, the word comes up within 2 to 3 seconds. A critical aspect of digital forensics is validating the digital acquisition. As I say every time: validate all of your data; validate all of your acquisitions. There are commonly three ways to recover passwords, and if we have to do that, it takes a great deal of time. We can do it through dictionary attacks; in other words, favorite words stored in a dictionary file that we use to attack the device, trying various favorite passwords. There is the brute-force attack, where we try different combinations of letters and numbers until the password is guessed correctly. Or we can use rainbow tables, which are collections of hash files of passwords or favorite passwords that users have used throughout history.
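As an added example (not code from the lecture), here are the two routines behind the points above: validating an acquisition by hashing it in chunks and comparing against the hash recorded at acquisition time, and indexing every word in the image once so later keyword searches never rescan it. The file name, the sample bytes and the single flipped byte are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

def hash_image(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash an image file in fixed-size chunks so memory use stays flat however large it is."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, recorded_hash, algorithm="sha256"):
    """True only if the image on disk still matches the hash recorded at acquisition time."""
    return hash_image(path, algorithm) == recorded_hash.lower()

def build_index(path, min_len=4):
    """One pass over the image: map every printable 'word' (lower-cased) to its byte offsets."""
    pattern = re.compile(rb"[A-Za-z0-9_@.\-]{%d,}" % min_len)
    index = defaultdict(list)
    with open(path, "rb") as f:
        data = f.read()  # a real multi-terabyte image would be read and indexed chunk by chunk
    for m in pattern.finditer(data):
        index[m.group().lower()].append(m.start())
    return dict(index)

def search(index, term):
    """Keyword lookup against the prebuilt index; the image itself is never rescanned."""
    return index.get(term.lower().encode(), [])

def demo():
    # Constructed stand-in for an acquired image (hypothetical content, not real evidence).
    raw = b"\x00\x00budget_2023.xlsx\x00To: alice@example.com\x00wiretransfer\x00" * 3
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.write(fd, raw)
    os.close(fd)
    recorded = hash_image(path)                 # value that goes into the acquisition log
    ok_before = verify_image(path, recorded)    # True: image unchanged
    hits = search(build_index(path), "ALICE@EXAMPLE.COM")  # 3 offsets, case-insensitive
    with open(path, "r+b") as f:                # flip one byte: validation must now fail
        f.seek(5)
        f.write(b"X")
    ok_after = verify_image(path, recorded)     # False
    os.remove(path)
    return ok_before, ok_after, len(hits)
```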
Virtual analysis is somewhat complicated, and it's very intimidating to people who don't understand much about it. Police executives sometimes don't even want to know about it and trust their forensic examiner to deal with it. For knowledge's sake, virtual machines are simply operating systems that can be booted up virtually from a host operating system that resides on a hard drive. That is basically what they are, and they are used extensively in organizations now, especially in the private sector. Most companies will have all of their proprietary data on a server, and virtual machines at employees' desktops will accept that data. The forensic procedure for retrieving these virtual machines starts by creating a regular image and acquisition of the target computer; then you export the virtual machine files from the target machine while you're doing your exam. Memory and network analysis. Most forensic examiners or police departments don't do this, but if you are called upon to do it, you might want to understand a little bit about it. Live acquisitions are necessary to retrieve volatile items such as RAM and running processes. If you walk into a house during a search warrant and the computer is powered up, there is an opportunity for you to not only image the hard drive of the computer but also image the RAM. In other words, that volatile memory floating around in there contains passwords, chats, and encryption keys. This is very important information, because once that machine is turned off or shut down, all of that information goes away and the RAM is wiped clean. Network forensics is the process of collecting and analyzing network data over a network and systematically tracking that network traffic to determine how an attack took place. If there was an attack and you do this through open source software such as Wireshark, you can spot variations in network traffic, and it will help you track these intrusions.
For example, we can record our network traffic, capture it as packets, and save it as a file. Then we can look at that file in Wireshark and take the time to analyze it. We can go through it line by line, see what network traffic is there, and identify any irregularities that exist. For example, I once attended a class where we were able to carve out a picture that was sent over a network: we caught it going over the network and carved it out as an image file. If you want to learn more about this, check out The Honeynet Project website. It may help you learn the latest intrusion techniques that attackers are using. We have a difficult job, and many times people look to us as the people who can solve eternal problems in 10 minutes, and that's not rightly so. But people trust us to do a good job. They trust us to be honorable and well meaning. At the end of our careers, many of us look back, and at one point when we said we just wanted to help people... we simply look back now with a greater perspective and say that we just didn't trust anyone else to do it. And that's why the Lord put His hand on us to do that. Nehemiah says: "I told them of the hand of my God which was good upon me, as also the king's words that he had spoken unto me. And they said, Let us rise up and build. So they strengthened their hands for this good work" (Nehemiah 2:18). May the Lord bless you as you seek to do His will.
