FORENSIC COMPUTING PRACTICE (ITS 61503)
ASSIGNMENT 2
COVER SHEET
HAND OUT DATE: 27TH SEP 2017
HAND IN DATE: 27TH OCT 2017
WEIGHTAGE: 10%
INTAKE: AUGUST 2017
Instructions to students:
• The assignment should be attempted individually.
• Complete this cover sheet and attach it to your assignment – this should be your first page.
Student declaration:
I declare that:
I understand what is meant by plagiarism
The implication of plagiarism has been explained to us by our lecturer
This project is all my work and I have acknowledged any use of the published or unpublished works of other people.
Name of Candidate
Name: LOW KAI XUAN    Student ID: 0320128
Table of Contents
Question 1
1.1 Five characteristics for evaluating computer forensics tools
1.2 Factors in setting up a forensic lab
Question 2
2.1 Factors in determining the budget allocation of a forensic lab
2.2 Define forensic readiness and explain how it differs from forensic service provision
2.3 Reason(s) why it is good for organizations to be forensic ready
Question 3
3.1 Methods used in data acquisition. If you need to boot a suspect computer to make an image copy, how should you do it? Name two tools used to make an image copy.
3.2 How can you prove that you made no changes to an original image during analysis? Name the tools used.
3.3 Reasons why data duplication is needed.
3.4 SWGDE best practices for computer forensics cover many areas of digital forensics. List the areas covered.
Question 4
4.1 Principles that should be followed in recovering digital evidence for the chain of custody according to the International Organization on Computer Evidence.
4.2 It is predicted that an impending crisis in digital forensics is imminent given a continuation of current trends that have been identified by many observers. Give techniques that are available at our disposal for surviving the coming crisis in digital forensics.
Question 5
5.1 Mobile device forensics is an ever-evolving field filled with challenges and opportunities when analysing a mobile device for forensic evidence in support of a criminal investigation. The process can be more difficult than traditional computer forensics. Give FIVE (5) reasons for this difficulty.
5.2 Define cyberterrorism and list targets of attack
5.3 How do cyberterrorists differ from normal hackers? Give examples.
5.4 Challenges to deterrence of cyber terrorism.
References
Question 1
1.1 Five characteristics for evaluating computer forensics tools
Computer forensics is a rapidly growing field and, like any field undergoing change, it faces a number of challenges. To support investigation and research, developers have produced many kinds of computer forensics tools, and evaluating them is demanding. A computer forensic tool can help the law enforcement community, but a certified tool is required to undergo a defined testing methodology.
In the Computer Forensic Tool Testing (CFTT) project, NIST has established a methodology for validating a range of computer forensics tools. Testing starts with acquiring the tool and reviewing its documentation. If no documentation is available, the tool is analysed to generate documentation and a list of features, the requirements for those features, and from these a test strategy. [1]
To ensure a computer forensic tool functions properly, examiners need to authenticate the data analysed and validate their findings with reference to versatility, flexibility and robustness. [2] When evaluating a computer forensic tool, several characteristics should be considered:
a) Operating system – Which OS does the forensic tool run on? Is it supported on multiple operating systems?
b) File system – Is the forensic tool flexible? Does the tool work on both Linux and Windows?
c) Scripting capabilities – Can the forensic tool automate repetitive functions and tasks through a scripting language?
d) Automated features – Does the forensic tool have automated features that help the examiner reduce the time needed to analyse data?
e) Vendor’s reputation – Does the vendor of the forensic tool provide product support? [3]
1.2 Factors in setting up a forensic lab
Establishing a computer forensic lab is not a trivial matter; it depends on a number of factors and is governed by a number of rules and regulations. Building a forensic lab requires several components.
a) Physical requirements
Physical floor space will be determined by the size of the group that will occupy it. The space should be in a secure area or have suitable measures that prevent unauthorised access to the premises. It should have a secure walk-in vault that keeps intruders from accessing its contents and also shields those contents from fire or heat, smoke, water and electromagnetic emissions. Seized hardware, and officially verified evidentiary copies of seized data, will be stored in this vault and, with properly enforced sign-in and sign-out procedures, it will help maintain the chain of custody of evidence. Accordingly, access to the vault and its contents should be logged and checked regularly.
There should also be adequate lockable storage space for the various specialised hardware that will, over the course of investigations, be acquired and used. This space should also accommodate consumables such as CDs, DVDs, removable hard drives of various capacities, paper, toner cartridges, and so on. [4]
b) Hardware requirements
Several computers are required, including a network server with a large storage capacity that is ideally configured for the standard removable hard drives. This server is used to maintain, document and administer cases, to store the various software tools, and to manage one-off specialist hardware. The equipment to be maintained will include, for instance, devices such as Rimage CD production units, CopyPro floppy disk readers, printers, and so on. The evidentiary copy of seized data is normally written to CD or DVD and, given the large capacity of current hard drives, this can be a tedious process. The Rimage, and other units like it, make it possible to create, number and label the media unattended, producing upwards of 50 CDs/DVDs without intervention. Capturing the contents of floppy disks is considerably more tedious, and devices such as the CopyPro can capture upwards of 50 floppy disks without intervention. The capabilities of these devices may vary from model to model.
In addition, a separate Internet connection should be implemented, isolated from the computer forensic lab server. Internet access is important for examiners to search for and share forensics information and to communicate with other forensic specialists. There should be a number of workstations connected to the internal network; the number will depend on how many forensic specialists are employed. The workstations allow them to work on individual cases at the same time and to access the shared devices and resources.
Portable acquisition computer kits are required, each configured identically with the standard forensic suite of tools and removable hard drives of various capacities. Each kit should have a robust carrying case that can accommodate additional hard drives, a variety of connection adapters and converters, and a hard drive write blocker such as FastBloc. The forensic kit is used for on-site acquisition as well as seizure. It is normally best for acquisition to be undertaken in the controlled conditions of the digital forensic lab, but there are circumstances where that is not practical and an evidentiary acquisition must be undertaken on site, for example when dealing with an Internet service provider. These kits should also contain a variety of forms, labels, tags, pens, tape, evidence bags, a digital camera, a GPS, and so on. [4]
c) Software requirements
EnCase, Forensic Toolkit (FTK), Password Recovery Toolkit and so on are the standard forensics software packages. However, the software tools actually used comprise a far wider range than those cited above. No single tool can perform every forensic investigation task such as acquisition, analysis and reporting, so forensic specialists tend to select the right tool for each task. Having the right tool can make the difference between capturing relevant evidence and not being able to do so. In addition, standard operational software is needed, including LAN software, operating systems, administrative software, graphics software and so on. All the tools will be upgraded frequently, and funds must be allocated for this ongoing process. [4]
d) Procedural requirements
Methods and procedures are an important part of operating a successful computer forensic lab. The main challenges usually raised when evidence is presented in a court of law concern credentials and methodology. Accordingly, close attention must be paid to strictly following and documenting the methodology formally adopted by the lab for the acquisition, analysis and reporting process. It is equally important to have a formal procedure that records the handling and control of evidence, in order to be able to document the 'chain of evidence'. These are the two fundamental issues unique to a computer forensic lab. Other procedures and policies should be set up and enforced, but these are the usual ones such as Internet usage, email rules, back-up regimes and so on. [4]
e) Budget
In terms of outlay, hardware and physical premises constitute the largest share of the funds. However, funds are also allocated on an ongoing basis to purchasing new hardware and rolling it out, and this process continues throughout the life of the lab. A significant portion of the forensic laboratory budget is consumed by the continuous purchase of new hardware; software acquisition and upgrades do not cost a significant portion, but the cost of operating the laboratory also consumes a non-trivial part of the funding. Hence it is best not to overlook this matter.
Question 2
2.1 Factors in determining the budget allocation of a forensic lab
Budget is one of the important elements in setting up a computer forensic lab, and most organizations call it the capital cost. This expenditure includes the cost of purchasing the equipment and software, and of obtaining and fitting out the accommodation. It is known as a “one-off” cost required to obtain the infrastructure and equipment and bring the lab into an operational state.
The second factor in determining the budget allocation of a computer forensic lab is ongoing expenditure: rental and maintenance of the premises, staff salaries and training, and other recurring expenses including maintenance and upgrades of all the lab’s equipment and software licences.
The budget actually obtained normally depends on the strength of the business case put forward, on the priority the organization gives the lab and on what the organization can afford. If the amount provided is lower than the business case requires, it is necessary to analyse the scope of the lab’s tasking and modify the capability and services it can deliver, or to search for an alternative source of revenue to support the lab. When the organization has explored all of these issues and has some answers, it can start preparing to set up the lab.
2.2 Define forensic readiness and explain how it differs from forensic service provision
Forensic readiness is the achievement by an organization of an appropriate level of capability to collect, preserve, protect and analyse digital evidence, so that the evidence can be used effectively in legal matters, in disciplinary matters, in an employment tribunal or in a court of law. [5] Put another way, forensic readiness is the capability of an organization to maximize its potential use of digital evidence while minimizing the cost of an investigation. [6] An organization with a good risk assessment and information security framework can adopt a forensic readiness plan easily. [7] Forensic readiness helps an organization centralize its activities so that retrieving digital evidence becomes easier and less problematic.
Forensic service provision differs from forensic readiness: it supports a high-quality scientific evidence service for the people of a region. Forensic service provision includes the collection, processing and analysis of forensic and biometric evidence, video and image processing, and retrieval of digital data from electronic gadgets and devices. Its purpose is to use forensic science to help identify those who have committed crimes in the community. [8]
2.3 Reason(s) why it is good for organizations to be forensic ready
a) Blocking opportunity for malicious insiders to cover their tracks.
The benefit of a forensic-ready organization is that employees become aware that evidence is routinely gathered by the organization, and they are deterred from malicious activity by fear of being caught. The organization can monitor and gather information that assists in detecting malicious insider activity, for example an employee trying to infect the organization’s network with malware. Being forensic ready makes it easy for the organization to discover and trace malicious activity.
b) Minimizing the cost of investigations
A forensic-ready organization can minimize its costs because evidence is gathered immediately when an incident occurs. Costs and disruption to operations are therefore minimized, and investigations are completed rapidly and efficiently: because evidence is gathered as the incident occurs, all the investigator needs to do is analyse and review the network logs.
c) Reducing cost of regulatory or legal requirements for disclosure of data
Besides that, forensic readiness improves other information security and assurance strategies such as data retention, disaster recovery and business continuity. Strategies and policies of this kind are a basic regulatory requirement, and their absence is a lack of compliance.
d) Showing due diligence, good corporate governance and regulatory compliance
Other than that, an organization with good information management policies shows that it is on top of incident prevention and response. This reassures its customers, because all their transactions are secured and protected, and investors have more confidence in a forensic-ready organization. It may also help to foster good relations with regulatory authorities and law enforcement because it ensures compliance with regulation.
Question 3
3.1 Methods used in data acquisition. If you need to boot a suspect computer to make an image copy, how should you do it? Name two tools used to make an image copy.
There are various methods of data acquisition, such as live acquisition, static acquisition and logical acquisition. A live acquisition is usually used when a suspect computer cannot be properly shut down to perform a static acquisition; data is collected from the local PC or over a remote network connection. Data acquired from a live acquisition is not repeatable, because it is continually being altered by the suspect computer’s operating system. Static acquisition copies a hard drive from a powered-off system; if the disk evidence is preserved properly, static acquisition does not alter data and it is repeatable. A logical acquisition captures only specific files of interest to the case or specific types of files, such as Outlook PST files.
To boot a suspect computer to make an image copy, the collected evidence should be sent back to the digital forensic lab for data acquisition, where the investigator can use the lab’s tools to duplicate or copy the image. Tools that support making an image copy include:
Product                        | Image file / internal verification | Imaged to appropriate media        | Copying (sector-by-sector or file-by-file)
SnapBack Version 2.0           | CRC checksum                       | Hard drive, tape, removable media  | Sector-by-sector
SnapBack DatArrest Version 1.2 | MD5 checksum                       | Hard drive, tape, removable media  | Sector-by-sector
3.2 How can you prove that you made no changes to an original image during analysis? Name the tools used.
To show that the original image was not tampered with during analysis, we can use a photo forensic tool to compute and check the image’s hash. We compare the hashes of the image before and after analysis: if the hashes before and after are the same, the photo has not been tampered with, altered or edited.
Photo forensic tools that can be used to check the original photo include Ghiro Forensic Analysis, a tool built for image forensics. Besides that, MetaInventions provides several features for image investigation, such as Photo Detective with an Investigation Guide to detect photographic manipulation, supporting 15 or more algorithms and scientifically validated techniques.
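As an added example (not the assignment’s own work, nor SnapBack’s or Ghiro’s code), the following script carries out the sector-by-sector copy with internal verification from the table in 3.1 and the before/after hash comparison from 3.2 on a constructed sample file; the 512-byte sector size and the file names are assumptions, and CRC32 and MD5 are computed to match the table’s verification column, with SHA-256 alongside.

```python
"""Sector-by-sector imaging with internal hash verification.

Added example (not from the assignment or any vendor tool): a source is read
in fixed-size sectors, hashed as it is copied, the finished image is
re-hashed, and the same hashes are re-checked after analysis.
"""
import hashlib
import os
import tempfile
import zlib

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def _new_digests():
    """Fresh CRC32 seed plus MD5 and SHA-256 objects (CRC32 and MD5 match the
    'internal verification' column of the SnapBack table)."""
    return {"crc32": 0, "md5": hashlib.md5(), "sha256": hashlib.sha256()}


def _update(digests, chunk):
    digests["crc32"] = zlib.crc32(chunk, digests["crc32"])
    digests["md5"].update(chunk)
    digests["sha256"].update(chunk)


def _finish(digests):
    return {
        "crc32": f"{digests['crc32'] & 0xFFFFFFFF:08x}",
        "md5": digests["md5"].hexdigest(),
        "sha256": digests["sha256"].hexdigest(),
    }


def hash_file(path, sector_size=SECTOR_SIZE):
    """Hash a file sector by sector without loading it all into memory."""
    digests = _new_digests()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector_size), b""):
            _update(digests, chunk)
    return _finish(digests)


def image_sector_by_sector(source, image, sector_size=SECTOR_SIZE):
    """Copy source to image one sector at a time, hashing bytes as they are read.

    Returns an acquisition record: hashes of the source computed during the
    copy, hashes of the finished image computed by re-reading it, and whether
    the two agree. The image is only accepted as a verified copy if they do."""
    digests = _new_digests()
    sectors = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size), b""):
            _update(digests, chunk)
            dst.write(chunk)
            sectors += 1
    acquired = _finish(digests)
    verified = hash_file(image, sector_size)
    return {"sectors": sectors, "source": acquired, "image": verified,
            "verified": acquired == verified}


def verify_unchanged(image, record):
    """Re-hash the image (for example after analysis) and compare with the
    hashes recorded at acquisition. Returns (unchanged, current_hashes)."""
    current = hash_file(image)
    return current == record["source"], current


def demo():
    """Whole workflow on constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_disk.bin")   # constructed sample
        image = os.path.join(tmp, "evidence_copy.raw")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 5 + b"CONSTRUCTED SAMPLE")  # 1298 bytes
        record = image_sector_by_sector(source, image)
        # Read-only analysis leaves the hashes unchanged.
        unchanged_after_readonly, _ = verify_unchanged(image, record)
        # An accidental write during analysis (one byte flipped) is detected.
        with open(image, "r+b") as f:
            f.seek(700)
            original = f.read(1)
            f.seek(700)
            f.write(bytes([original[0] ^ 0x01]))
        unchanged_after_write, _ = verify_unchanged(image, record)
        return {
            "sectors": record["sectors"],
            "image_verified": record["verified"],
            "unchanged_after_readonly": unchanged_after_readonly,
            "change_detected": not unchanged_after_write,
        }


if __name__ == "__main__":
    print(demo())
```

The acquisition record (sector count plus the three hashes) is what would be written into the case file so that anyone can repeat the check later.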
3.3 Reasons why data duplication is needed.
Data duplication is needed because an accurate digital reproduction maintains all contents and attributes, and all slack space is transferred. The duplication process must ensure that the examiner’s storage device is forensically sterile, which protects the original evidence. [13] For system preservation during the investigation, the crime scene is preserved to prevent any changes by the investigation process or by the attacker. This is done by performing a full disk duplication of every suspect computer, copying the entire contents of the disk. [16]
3.4 SWGDE best practices for computer forensics cover many areas of digital forensics. List the areas covered.
a) Evidence Collection [10]
– Evidence that belongs to the crime scene should not be removed; it should be preserved and copied.
– Not all individuals should be involved in the collection process.
b) Evidence Handling [10]
– The condition of the evidence should be documented.
– External component connections should be documented in detail.
c) Evidence Triage / Preview [10]
– A complete examination shall not take place as part of an evidence triage or preview.
– An evidence triage may not be applicable in all situations.
– An evidence preview may overlook some items of evidentiary value.
d) Evidence Packaging / Transport [10]
– Every piece of evidence should be secured and protected from tampering, alteration and damage to maintain the chain of custody.
e) Equipment Preparation [10]
– Equipment used for digital forensic investigation should be validated prior to use, in accordance with the SWGDE Recommended Guidelines for Validation Testing.
– All hardware and software must be configured to prevent cross-contamination.
f) Acquisition [10]
– Investigators taking part in the acquisition process should be trained.
– Any errors encountered during acquisition should be documented for later reference.
– Methods of acquiring data should be forensically sound and verifiable.
Question 4
4.1 Principles that should be followed in recovering digital evidence for the chain of custody according to the International Organization on Computer Evidence.
The principles that should be followed during digital evidence recovery for the chain of custody, according to the International Organization on Computer Evidence (IOCE), are:
– All general scientific and procedural principles must be complied with when dealing with digital evidence.
– Upon seizing digital evidence, any actions taken should not change that evidence.
– When it is necessary for a person to access original digital evidence, that person should be properly trained for the purpose.
– All activity relating to the seizure, access, storage or transfer of digital evidence must be fully and properly documented, preserved and available for review.
– An individual is responsible for all actions taken with respect to digital evidence while that evidence is in the individual’s possession.
– Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with all six principles. [11]
4.2 It is predicted that an impending crisis in digital forensics is imminent given a continuation of current trends that have been identified by many observers. Give techniques that are available at our disposal for surviving the coming crisis in digital forensics.
There are four techniques available at our disposal for surviving the coming crisis in digital forensics: [12]
a) Forensic data abstraction
The lack of standardized abstractions and standardized data formats slows research, because researchers must implement more parts of a system before they can produce initial results. In addition, the lack of an interchange format limits the ability to create tools that can interoperate.
b) Modularization and composability
Current forensic software faces a diversity of development choices, yet no framework exists for processing DF information. In addition, plug-ins for a forensic computation framework should follow a call-back model that allows them to be used in single-threaded, multithreaded or multi-server implementations.
c) Alternative analysis models
– Stream-based disk forensics
Process the entire disk image as a byte stream, eliminating the time the drive head spends seeking and ensuring no data is left unexamined.
– Stochastic analysis
Process sampled, randomly chosen sections of the drive; this is fast, but small pieces of data might be missed.
– Prioritized analysis
A triage-oriented approach that presents critical information in a short time.
d) Data visualization and advanced user interface
The standard WIMP model is poorly suited to presenting large amounts of forensic data, so new approaches need to be developed.
Question 5
5.1 Mobile device forensics is an ever-evolving field filled with challenges and opportunities when analysing a mobile device for forensic evidence in support of a criminal investigation. The process can be more difficult than traditional computer forensics. Give FIVE (5) reasons for this difficulty.
a) Operating systems and manufacturers [15]
In the marketplace, all mobile device operating systems offer approximately the same functions and features, but the way they store and access data and their security features are totally different.
b) Connection issues [15]
A phone is usually connected via USB, and it is worth noting that most popular mobile forensics tools only support Windows. These tools slow progress because the appropriate USB driver must be installed before the mobile device can be connected.
c) Data Protection [14]
Passcodes differ between mobile devices and are difficult to decrypt, so it is not possible to extract all encrypted data from a passcode-locked device.
d) Software assessment [15]
Software developers do not provide a clear and complete understanding of the software functionality and features of mobile devices; therefore, the work may not be as effective.
e) Different techniques [15]
Different mobile devices use different techniques to “lock” the device’s interface and encrypt the data stored on the phone. In addition, each smartphone platform requires different techniques to carry out the investigation.
5.2 Define cyberterrorism and list targets of attack
Cyber terrorism describes a new approach adopted by terrorists: attacking through cyberspace. There are two ways to define cyber terrorism, effects-based and intent-based. Effects-based cyber terrorism is when a computer attack results in effects disruptive enough to generate fear comparable to a traditional act of terrorism. Intent-based cyber terrorism is when politically motivated attacks are carried out to intimidate a government. [17]
Targets of attack include the following: [18]
– International terrorists could try to access and disable the signal which flies drones or otherwise controls military technology.
– Global terror networks may disrupt a major website in order to create a public nuisance or inconvenience, or even more seriously, try to stop traffic to a website publishing content with which they disagree.
– Foreign governments may use hackers to spy on U.S. intelligence communications in order to learn about where our troops are located or otherwise gain a tactical advantage at war.
5.3 How do cyberterrorists differ from normal hackers? Give examples.
A normal hacker is politically motivated; they usually target institutions whose political views oppose their own. Their most common attack is a DoS attack, sending large numbers of packets to overload a server until it crashes. A cyberterrorist, however, is a different type of attacker: their main target is an organization, from which they make money through extortion or disclosure of compromised data. Usually they use ransomware or malware to hold the data hostage until the owner of the data pays the demanded sum.
Examples of attacks:
a) Healthcare
In healthcare, a normal hacker will usually be looking for specific patient data or intellectual property, or seeking to embarrass the institution, whereas a cyberterrorist will attack the healthcare sector in a way designed to frame a lesser hacking group and cause panic.
b) Public
The aim of a normal hacker is to make the public aware of their existence by taking down websites or leaving messages for the public, as well as posting political comments. A cyberterrorist, however, aims to induce fear in the public by spreading viruses to their devices.
c) National Security
If a normal hacker successfully breaks into a government website or server, they will leave political messages, but a cyberterrorist will release all the confidential information to frighten the citizens.
5.4 Challenges to deterrence of cyber terrorism.
The challenges to deterrence of cyber terrorism are as follows [17]:
a) Track and identify cyber terrorist
It is difficult to track cyber terrorists because they use three methods to hide their tracks: spoofing their MAC and IP addresses, using public Internet access, or using a proxy server.
b) High-speed Internet
Cyber terrorists can attack from wherever they are located, and high-speed Internet slows down the process of tracking their location.
c) Expense of equipment
These attacks have become easier to deploy and use because the technology involved has become budget-friendly and easily accessible.
d) Computerized procedure
Manual attacks are no longer widely used by cyber terrorists; with the technology available today, a cyber terrorist can attack any target with just a script, which automatically spreads the attack globally.
e) Location
With the help of the Internet, cyberterrorists can attack from anywhere they are located. It is difficult to track their location and to inform the community of their path.
References
[1] Flandrin, F., Macfarlane, R., & Ramsay, B. (2012). Evaluating Digital Forensic Tools (DFTs). Edinburgh Napier University. Retrieved 19 October 2017, from http://www.napier.ac.uk/~/media/worktribe/output-178532/flandrinpdf.pdf
[2] Seth, D. Computer Forensic Software. Academia.edu. Retrieved 19 October 2017, from http://www.academia.edu/14177085/Computer_Forensic_Softwares
[3] Nelson, B., Steuart, C., & Phillips, A. (2015). Guide to Computer Forensics and Investigations: Processing Digital Evidence (5th ed., p. 252). Boston: Cengage Learning.
[4] Wolfe, H. (2003). Setting up an electronic evidence forensics laboratory. Computers & Security, 22(8), 670-672. http://dx.doi.org/10.1016/s0167-4048(03)00004-x
[5] Digital Continuity and Forensic Readiness. (2011). The National Archives. Retrieved 22 October 2017, from http://www.nationalarchives.gov.uk/documents/information-management/forensic-readiness.pdf
[6] Rowlingson, R. (2004). A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, 2(3).
[7] Sommer, P. (2012). A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers. Digital Evidence, Digital Investigation, And E-Disclosure, 3rd Edition.
[8] Leicestershire Police. Forensic Services | Leicestershire Police. Leics.police.uk. Retrieved 23 October 2017, from https://leics.police.uk/about-us/our-departments/forensic-services
[9] Mohd. Saudi, M. An Overview of Disk Imaging Tool in Computer Forensics. SANS Institute InfoSec Reading Room. Retrieved 26 October 2017, from https://www.sans.org/reading-room/whitepapers/incident/overview-disk-imaging-tool-computer-forensics-643
[10] SWGDE Best Practices for Computer Forensics. (2014). Scientific Working Group on Digital Evidence. Retrieved 26 October 2017, from https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Computer%20Forensics
[11] Bennett, D. (2012). The Challenges Facing Computer Forensics Investigators in Obtaining Information from Mobile Devices for Use in Criminal Investigations. Information Security Journal: A Global Perspective, 21(3), 159-168. DOI: 10.1080/19393555.2011.654317
[12] Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7. DOI: 10.1016/j.diin.2010.05.009
[13] A., & C. I. (n.d.). Digital Forensic Acquisition and Analysis Tools and its Importance. Retrieved October 27, 2017, from http://worldcomp-proceedings.com/proc/p2012/EEE7656.pdf
[14] 6 Persistent Challenges with Smartphone Forensics. (2016, June 14). Retrieved October 26, 2017, from https://www.forensicmag.com/article/2013/02/6-persistent-challenges-smartphone-forensics
[15] Duc, H. N. (2017, September 21). Mobile Phone Forensics Challenges. Retrieved October 26, 2017, from https://eforensicsmag.com/mobile-phone-forensic-challenges/
[16] Larson, U. (n.d.). Computer Forensics and Digital Investigation. Retrieved October 27, 2017, from http://www.cse.chalmers.se/edu/course/EDA263/oh07/oh714_forensics.pdf
[17] Hua, J., & Bapna, S. (2012). How Can We Deter Cyber Terrorism? Information Security Journal: A Global Perspective, 21(2), 102-114. DOI: 10.1080/19393555.2011.647250
[18] What is Cyber Terrorism? – Definition, Cases & Examples. (n.d.). Retrieved October 26, 2017, from http://study.com/academy/lesson/what-is-cyber-terrorism-definition-cases-examples.html