- Number of slides: 26
Chapter Eight: Forensic Terminology and Criminal Investigation
Computer Forensics and Cyber Crime, Britz. PRENTICE HALL © 2004 Pearson Education, Inc.
Who Benefits from Forensic Computer Science
• prosecutors – a variety of crimes where incriminating documents can be found, ranging from homicide to financial fraud to child pornography
• civil litigators – personal and business records which relate to fraud, divorce, discrimination, and harassment
• insurance companies – mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's comp cases
• corporations – ascertain evidence relating to sexual harassment, embezzlement, theft, or misappropriation of trade secrets and other internal/confidential information
• law enforcement officials – for pre-search warrant preparations and post-seizure handling of computer equipment
• individuals – support of claims of wrongful termination, sexual harassment, or age discrimination
Why LE investigations require it
• Protects and maintains the integrity of potential evidence by:
  – maintaining a chain of custody
  – ensuring that viruses are not introduced
  – ensuring that evidence or potential evidence remains in an unaltered state (i.e., not destroyed, damaged, or otherwise manipulated during the investigative process)
  – enabling the creation of forensically sound images for data analysis
• Prevents allegations of corruption or misconduct
• Enables the discovery of all relevant files on suspect systems, including overt, hidden, password-protected, slack, swap, encrypted, and some deleted files
• Enhances the likelihood of timely processing (necessary to protect departments from civil litigation claiming unreasonable interruption of business operations)
• More specifically – establishes procedures for the recovery, preservation, and analysis of digital evidence
Traditional problems in computer investigations
• Inadequate resources
• Lack of communication and cooperation among agencies
• Over-reliance on automated programs and self-proclaimed experts
• Lack of reporting
• Corruption of evidence
• Encryption
Inadequate Resources
• The least equipped agencies are the least able to secure external funding for necessary equipment or training.
• Even those agencies currently favored by funding entities struggle to justify the exponential costs associated with computer forensics.
• Software and training such as that offered by NTI (New Technologies, Inc.) and Litton/TASC may cost as much as $2000/person.
• Individualized licensing requires departments to send multiple attendees.
• Federal programs, like those offered at the FBI and FLETC, are also disproportionately attended by large, better funded agencies.
• The National White Collar Crime Center is a step in the right direction.
Lack of Communication
• Traditionally, communication and cooperation between law enforcement agencies has been strained due to competing interests (funding, etc.).
• Individual practitioners, however, have developed professional organizations like HTCIA, which has encouraged collaboration.
Over-reliance on automated programs & self-proclaimed experts
• Familiarity with and use of automated programs may result in a situation where investigators know just enough to make them potentially hazardous to the very investigation to which they are dedicated.
Lack of Reporting
• Many businesses and individual citizens do not perceive the police as technologically advanced.
• Often wish to contain the problem within
• Believe that they may conduct their own investigation, and then turn it over to the police
• Fear of losing consumer confidence
Corruption of Evidence
• Many "departmental computer experts" have destroyed cases due to their lack of knowledge of disk structure.
• Corporations or private entities which initiate investigations often fail to appreciate the legal complexities of evidence preservation and custodial documentation.
Three Cardinal Rules of Computer Investigations
• Always work from an image – leaving the original intact.
• Document, Document
• Maintain chain of custody
Computer forensic science and disk structure
• Investigators must be aware of both the physical and logical structure, disk management, and memory storage.
Simple Terms
• Computer – a device capable of storing, transmitting or manipulating data through mathematical and logical processes or operations
• Static memory – that area on hard and/or floppy disks in which data and programs are stored
• Volatile memory – that area of a computer which holds information during processing and is erased when power is shut down
• Semi-permanent storage – that area of a disk that is not dependent upon a power source for its continued maintenance, and which may be changed under the appropriate operating conditions (i.e., storage devices, floppy and fixed disks, magnetic tapes, etc.). This is where the majority of the work and storage is conducted, and where the most processed data is stored. Thus, it is extremely important in computer forensics.
• Computer storage – the holding of data in an electromagnetic form for access by a computer processor
• Primary storage – data in RAM and other built-in devices
• Secondary storage – data on hard disk, tapes, and other external devices
• Floppy disks or diskettes – single circular disks with concentric tracks which are turned by spindles under one or more heads
• CD-ROMs – a single track spiraling from the disk edge towards the center, which may only be written to once (CDs write data from the center out, and music from the outside in), while CD-RWs act as traditional disk drives which may be written to more than once
• Hard/fixed disks – one or more disks comprised of one or more heads which are often fixed inside a sealed enclosure (may have more than two sides if the disk consists of more than one platter)
Disk Structure
• Physically, a drive is usually composed of a number of rotating platters. Each platter is divided concentrically into tracks. In turn, tracks are divided into sectors, which are further divided into bytes. Finally, read/write heads are contained on either side of the platters.
• Head – Each platter has one head per side. These heads are very close to the surface of the platter, and allow reading of, and writing to, the platter. Heads are numbered sequentially from zero.
• Tracks – the concentric bands dividing each platter. Tracks are numbered sequentially beginning with zero.
• Cylinder – the set of tracks located in the same position on every platter, i.e. in the same head position. Unlike physical disk units, cylinders are intangible units. Simply put, they are a cross-section of a disk. (Imagine using a hole puncher on a perfectly positioned stack of paper. The resulting hole would be a visible representation of an empty sector.) Each double-sided floppy has two tracks per cylinder. The same track is on all stacked platters. The set of corresponding tracks on a magnetic disk that lie the same distance from the disk's edge, taken together, form a cylindrical shape. For a hard drive, a cylinder usually includes several tracks on each side of each disk platter.
Data Storage
• On all DOS machines, certain structural rules exist in which physical drives are loaded first, logical drives second, and drivers third.
• Physical drives – devices and data at the electronic or machine level
• Logical drives – (most important in computer forensics) allocated parts of a physical drive that are designated and managed as independent units
• Binary digits or bits – based on principles of two; bits may be likened to on/off switches. Collections of bits are interpreted by the computer and transformed into a format for non-mechanical, human consumption.
• ASCII – American Standard Code for Information Interchange – the most common set of associations between particular binary patterns and characters (ensures compatibility between systems and system components)
  – This code defines characters for the first 128 binary values (i.e. 0 to 127)
  – The first 32 of these are used as non-printing control characters which were designed to control data communications equipment and computer printers and displays
• Extended ASCII code – provides particular character symbols to binary values 128 through 255
Data Interpretation
• Binary system – interpretative rules are associated with a base of 2, with integers represented by 0s and 1s. The range of whole numbers that can be represented by a single byte is 0 to 255. Thus, it is often necessary to use 2 bytes to represent whole numbers, and four bytes where greater levels of precision are required.
• Hexadecimal system – interpretative rules are associated with a base of 16, with integers ranging from 0 to 9 and A to F. Very useful for investigators, as some programs reuse memory blocks without modification.
Fixed units of storage
• Sectors – the smallest physical storage unit on a disk
  – an arch-shaped portion of one of the disk tracks (magnetic disks formatted for U.S. versions of Windows contain a standard 512 bytes)
  – Sectors start with 1, and are numbered sequentially on a track.
• Clusters (File Allocation Units) – comprised of one or more adjacent sectors, and represent the basic allocation units of magnetic disk storage
  – Although size varies with disk size, clusters represent the minimum space allocated to an individual file in DOS.
  – Clusters make it easier for operating systems to manage files.
• Files – composed of one or more clusters
  – the smallest unit that distinguishes one set of data from another
Logical vs. Physical
• Logical file size – the exact size of a file in bytes
• Physical file size – the actual amount of space that the file occupies on a disk
• File slack – information found within that portion of unused space between the logical end of a file and the physical end of a cluster
  – may be likened to a restaurant in which a couple is seated at a table for four. Although the extra two chairs are empty, they constructively belong to those individuals until they have finished their meal.
  – Extremely important in forensics, as the slack may contain the remnants of old files or other evidence, including passwords, old directory structures, or miscellaneous information stored in memory
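The relationship between logical size, physical size and slack, and how slack ends up holding remnants of an earlier file, can be reproduced in code. The following is an added example, not from the Britz slides; the 4096-byte cluster size and every byte of the sample data are constructed:

```python
# Added example (not from the Britz slides): how file slack arises and what it can
# retain.  CLUSTER_SIZE and every byte of sample data below are constructed values.
CLUSTER_SIZE = 4096   # assumed: 8 sectors of 512 bytes per cluster

def physical_size(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Space the file really occupies: its logical size rounded up to whole clusters."""
    if logical_size == 0:
        return 0
    return -(-logical_size // cluster_size) * cluster_size   # ceiling division

def slack_size(logical_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of the file and the physical end of its last cluster."""
    return physical_size(logical_size, cluster_size) - logical_size

def write_file_over(old_clusters: bytes, new_data: bytes, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Simulate the OS handing freed clusters to a new file: the new bytes are written
    from the start of the allocation, but the rest of the last cluster is not wiped."""
    needed = physical_size(len(new_data), cluster_size)
    region = bytearray(old_clusters[:needed].ljust(needed, b"\x00"))
    region[:len(new_data)] = new_data
    return bytes(region)

def carve_slack(allocation: bytes, logical_size: int) -> bytes:
    """The slack area: whatever lies past the logical end of the file."""
    return allocation[logical_size:]

def demo() -> dict:
    """Constructed scenario: a deleted two-cluster file once held credential lines;
    a new 520-byte file is then written into the same clusters."""
    old = (b"user=alice password=redacted-sample\n" * 40).ljust(2 * CLUSTER_SIZE, b"\x00")
    new = b"Quarterly report - draft.\n" * 20
    allocation = write_file_over(old, new)
    slack = carve_slack(allocation, len(new))
    return {
        "logical": len(new),                       # 520
        "physical": physical_size(len(new)),       # 4096
        "slack": slack_size(len(new)),             # 3576
        "remnant_found": b"password=redacted-sample" in slack,
    }

if __name__ == "__main__":
    print(demo())
```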
Partitioning
• Partition – portion of a fixed disk that the operating system identifies as a single unit (maximum of four)
• Windows NT and other operating systems may treat multiple partitions on different physical disk drives as a single disk volume.
• Every bootable hard disk includes one disk partition for the OS.
• "Extended partitions" may be subdivided into a maximum of 23 additional logical disks.
• Remember: the partition of the boot drive where the operating system resides must be bootable.
• FDISK, an MS product, enables the user to partition a hard drive. Partitioning creates a master boot record and partition table for the hard disk.
Partitions cont'd
• The FAT (partition table) describes every logical volume on a disk.
• It also identifies corresponding locations, indicates which partition is bootable, and contains the Master Boot Record.
• Extremely important in forensic investigations – enables users to hide entire partitions. Investigators unaware of this fact may be confused to see that the logical drive size is contrary to identified characteristics.
• Partition data is stored at physical: cylinder = 0; head = 0; sector = 1.
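Reading the partition table directly from that first sector, and comparing what it claims against the size of the disk, is how an investigator spots the "logical size contrary to identified characteristics" symptom. This is an added example, not from the Britz slides; the 512-byte sector, the disk size and the partition values are constructed:

```python
# Added example (not from the Britz slides): parse the MBR partition table found at
# cylinder 0, head 0, sector 1: 446 bytes of boot code, four 16-byte entries, 0x55AA.
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def decode_chs(raw: bytes) -> tuple:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]   # high 2 bits of byte 1, then byte 2
    return cylinder, raw[0], raw[1] & 0x3F

def parse_mbr(sector: bytes) -> list:
    """Return the used partition entries; reject sectors without a valid signature."""
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:   # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "chs_start": decode_chs(chs_s), "lba_start": lba, "sectors": count})
    return parts

def unallocated_gaps(parts: list, disk_sectors: int) -> list:
    """Sector ranges no entry claims.  A large gap is the 'logical size contrary to
    the disk's characteristics' symptom and may hide a deleted or concealed partition."""
    gaps, cursor = [], 1   # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_entry(status: int, chs_start: bytes, ptype: int, lba: int, count: int) -> bytes:
    """Construct one table entry (CHS end left zero; sample data only)."""
    return struct.pack(ENTRY_FMT, status, chs_start, ptype, b"\0\0\0", lba, count)

# Constructed 1 GiB disk: one bootable FAT32 (type 0x0C) partition starting at LBA 63,
# which is CHS (0, 1, 1) with 63 sectors per track, and roughly 400 MiB nobody claims.
DISK_SECTORS = 2 * 1024 * 1024
SAMPLE_MBR = (b"\x00" * 446 + build_entry(0x80, b"\x01\x01\x00", 0x0C, 63, 1_228_800)
              + b"\x00" * 48 + b"\x55\xAA")

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    print(found)
    print("unallocated:", unallocated_gaps(found, DISK_SECTORS))
```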
Data Location
• File Allocation Table (FAT) – system used to identify and locate files on a disk
  – 12, 16, 32 bit designations used by DOS indicate how many bits the FAT used to identify where on the disk (appropriate cluster numbers) a file resides.
• Every number contained within the FAT identifies a particular cluster.
• Information contained therein identifies:
  – if the cluster is "bad" or available;
  – if the end of a file is contained within;
  – the next cluster attached to a file.
• FAT32 was created to manage space more efficiently by utilizing smaller cluster sizes.
• NTFS – emerging in popularity – is the most efficient way to manage data
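The three kinds of information a FAT entry carries (bad or available, end of file, next cluster) are what a tool reads when it follows a file's cluster chain. The following is an added example, not from the Britz slides, using the FAT16 marker values; the ten-entry table is constructed:

```python
# Added example (not from the Britz slides): walk a FAT16 cluster chain.  Each FAT
# entry is indexed by cluster number and holds the next cluster of the file, or a
# marker: 0x0000 free, 0xFFF7 bad, 0xFFF8-0xFFFF end of file.  The table is constructed.
import struct

FREE, BAD, EOF_MIN = 0x0000, 0xFFF7, 0xFFF8

def load_fat16(raw: bytes) -> list:
    """Decode a raw FAT16 table (little-endian 16-bit entries) into a list."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))

def classify(entry: int) -> str:
    """Describe what a FAT entry says about its cluster."""
    if entry == FREE:
        return "free"
    if entry == BAD:
        return "bad"
    if entry >= EOF_MIN:
        return "end-of-file"
    return "in-use -> %d" % entry

def follow_chain(fat: list, start: int) -> tuple:
    """Return (clusters, status) for the file whose first cluster is `start`.
    status is 'ok' at a proper EOF marker; otherwise it names the defect (a chain
    that loops, points outside the table, or runs into a free or bad cluster),
    all of which a corrupted or tampered FAT can produce."""
    chain, seen, cluster = [], set(), start
    while True:
        if cluster < 2 or cluster >= len(fat):   # clusters 0 and 1 are reserved
            return chain, "bad-pointer"
        if cluster in seen:
            return chain, "loop"
        chain.append(cluster)
        seen.add(cluster)
        entry = fat[cluster]
        if entry == FREE or entry == BAD:
            return chain, classify(entry)
        if entry >= EOF_MIN:
            return chain, "ok"
        cluster = entry

# Constructed table: entries 0 and 1 are the reserved media/dirty markers; a file
# occupies 2 -> 3 -> 7 (fragmented), 4 is bad, 5 and 6 are free, 8 -> 9 -> 8 loops.
SAMPLE_FAT = load_fat16(struct.pack("<10H", 0xFFF8, 0xFFFF, 3, 7, BAD, FREE, FREE, 0xFFFF, 9, 8))

if __name__ == "__main__":
    print(follow_chain(SAMPLE_FAT, 2))   # ([2, 3, 7], 'ok')
    for c, e in enumerate(SAMPLE_FAT):
        print(c, classify(e))
```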
Data Management
• Boot sector – located at the very first sector of the physical disk, or absolute sector 0
  – Contains code that enables the computer to find the partition table and the operating system
• BIOS (Basic Input Output System) – a number of machine code routines stored in ROM that include a variety of commands, including those necessary for reading physical disks by sector, which are executed upon system booting
• Bootstrap loader – the first command executed upon system booting
Data Integrity
• CRC (Cyclical Redundancy Checksum) – used to identify files by a computer-generated (i.e., calculated) value
• MD5 hash – a 128-bit verification tool developed by RSA which acts as the equivalent of digital DNA.
  – Odds that 2 different files have the same value are 1 in 2^128.
  – Brian Deering, NDIC, analogizes the chance of randomly generated matching hash values to hitting the Pennsylvania Lottery Super 6 – 5.582 x 10^41 (or 558,205 billion, billion) times before this will occur: http://theory.lcs.mit.edu/~rivest/Rivest.MD5.txt
• Hashkeeper – program which maintains the hash values of a variety of known files
  – reduces the amount of information needing to be processed
Conclusions
• Computer crime is the wave of the future.
• Administrators must establish forensic computer science capabilities, evaluating the feasibility of partnering LE personnel with civilian experts and relying on the cooperation of corporate entities.
• Proper training must begin with a basic understanding of computer structure and data management.


