Topics Covered:
Current forensic tools: evaluating computer forensic tool needs, computer forensics software tools, computer forensics hardware tools, validating and testing forensics software.
E-mail investigations: exploring the role of e-mail in investigation, exploring the roles of the client and server in e-mail, investigating e-mail crimes and violations, understanding e-mail servers, using specialized e-mail forensic tools.
Cell phone and mobile device forensics: understanding mobile device forensics, understanding acquisition procedures for cell phones and mobile devices.
Typology: Study notes
In these notes, we explore many of the software and hardware tools used during digital forensics investigations. No specific tools are recommended; instead, the goal is to explain how to select tools for digital investigations based on specific criteria. Forensics tools are constantly being developed, updated, patched, revised, and discontinued, so routinely checking vendors’ Web sites for new features and improvements is important. These improvements might address a difficult problem you’re having in an investigation.
As we know, we need to develop a business plan to justify the acquisition of digital forensics hardware and software. When researching options, consider open-source tools, which sometimes include technical support. The goal is to find the best value for as many features as possible. Some questions to ask when evaluating tools include the following:
- On which OS does the forensics tool run? Does the tool run on multiple OSs?
- Is the tool versatile? For example, does it work in both Windows and Linux?
- Can the tool analyze more than one file system, such as FAT, NTFS, and Ext4?
- Can a scripting language be used with the tool to automate repetitive functions and tasks?
- Does the tool have any automated features that can help reduce the time needed to analyze data?
- What is the vendor’s reputation for providing product support? For open-source tools, how good are the support forums?
As you learn more about digital investigations, you’ll have more questions about tools for conducting these investigations. When you search for tools, keep in mind what OSs and file types you’ll be analyzing. For example, if you need to analyze Microsoft Access or SQL Server databases, look for a product designed to read these files. If you’re analyzing e-mail messages, look for a forensics tool that specializes in reading e-mail content. When you’re selecting tools for your lab, keep an open mind, and compare platforms and applications for different tasks. Although many investigators are most comfortable using Windows tools, check into other options, such as Linux and Macintosh platforms.
Types of Digital Forensics Tools
Digital forensics tools are divided into two major categories: hardware and software.

Hardware Forensics Tools
Hardware forensics tools range from simple, single-purpose components to complete computer systems and servers. For example, the Tableau T35es-R2 SATA/IDE eSATA bridge is a single-purpose component that makes it possible to access a SATA or an IDE drive with one device. Some examples of complete systems are Digital Intelligence F.R.E.D. systems (www.digitalintelligence.com/forensichardware.php), DIBS Advanced Forensic Workstations (www.dibsforensics.com/index.html), Forensic Computers’ Forensic Examination Stations and portable units (www.forensic-computers.com), and Ace Laboratory systems (www.acelaboratory.com/catalog/), designed for data recovery of failed drives, a feature that comes in handy in many situations.

Software Forensics Tools
Software forensics tools are grouped into command-line applications and GUI applications. Some tools are specialized to perform one task. For example, SafeBack, from New Technologies, Inc. (NTI), was designed as a command-line disk acquisition tool. It’s no longer supported, but you can still find it distributed online. However, it’s used more as a reliable fallback when all else fails than as a primary tool. Other tools are designed to perform many different tasks. For example, PassMark Software OSForensics, X-Ways Forensics, Guidance Software EnCase, Magnet Forensics AXIOM, and AccessData FTK are GUI tools designed to perform most forensics acquisition and analysis functions. Software forensics tools are commonly used to copy data from a suspect’s drive to an image file. Many GUI acquisition tools can read all structures in an image file as though the image were the original drive and have the capability to analyze image files.

Tasks Performed by Digital Forensics Tools
All digital forensics tools, both hardware and software, perform specific functions.
When you’re testing new tools, you might find it helpful to follow guidelines set up by NIST’s Computer Forensics Tool Testing (CFTT) program, ASTM International’s (formerly the American Society of Testing and Materials) E2678 standard, and the International Organization on Computer Evidence (IOCE). In addition, ISO standard 27037 states that Digital Evidence First Responders (DEFRs) should use validated tools.
Whether you use a suite of tools or a task-specific tool, you have the option of selecting one that enables you to analyze digital evidence through the command line or in a GUI. The following are some options for command-line and GUI tools in both Windows and Linux.

Computers used several OSs before Windows and MS-DOS dominated the market. During this time, digital forensics wasn’t a major concern. After people started using PCs, however, they figured out how to use them for illegal and destructive purposes and to commit crimes and civil infractions with them. Software developers began releasing forensics tools to help private- and public-sector investigators examine PCs. The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems. One of the first MS-DOS tools used for digital investigations was Norton DiskEdit. This tool used manual processes that required investigators to spend considerable time on a typical 500 MB drive. Eventually, programs designed for digital forensics were developed for DOS, Windows, Apple, NetWare, and UNIX systems.

Some command-line forensics tools are created specifically for Windows command-line interface (CLI) platforms; others are created for Macintosh and UNIX/Linux. Because there are many different versions of UNIX and Linux, these OSs are often referred to as “Linux platforms.” The following are several Linux tools for forensics analysis: SMART, Helix, Kali Linux, and Autopsy with Sleuth Kit.

SMART: SMART is designed to be installed on numerous Linux versions, including Gentoo, Fedora, SUSE, Debian, Knoppix, Ubuntu, Slackware, and more. You can analyze a variety of file systems with SMART; for a list of file systems or to download an evaluation ISO image for SMART and SMART Linux, go to www.asrdata.com/forensic-software/software-download/. SMART includes several plug-in utilities.
This modular approach makes it possible to upgrade SMART components easily and quickly. SMART can also take advantage of multithreading capabilities in OSs and hardware, a feature lacking in other forensics utilities. This tool is one of the few that can mount different file systems, such as journaling file systems, in a read-only format.
Helix 3: One of the easiest suites to use is Helix because of its user interface. Although Helix is no longer a free package, you can go to www.e-fense.com/products.php to learn more about it. What’s unique about Helix is that you can load it on a live Windows system, and it loads as a bootable Linux OS from a cold boot. Its Windows component is used for live acquisitions. Be aware, however, that some international courts haven’t accepted live acquisitions as a valid forensics practice.

Kali Linux: Kali Linux, formerly known as BackTrack, is another Linux Live CD used by many security professionals and forensics investigators. It includes a variety of tools and has an easy-to-use KDE interface. You can download the ISO image from www.kali.org. Kali includes several tools, such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep.

Autopsy and Sleuth Kit: Sleuth Kit is a Linux forensics tool, and Autopsy is the GUI browser interface for accessing Sleuth Kit’s tools. For example, shut down your Windows computer with the Kali disc in the CD/DVD drive, making sure your system is set to boot from the CD/DVD drive before the hard drive. Then do a hard boot of the computer. In the options that are displayed, select Expert Mode. (Note that this mode is forensically sound.) If you’re booting from a laptop, you might have display issues. You can click “scan” to have Kali find the correct settings. (If Kali fails to find these settings, experiment until you find a setting that works.) After the correct display setting is applied, a GUI is displayed. If prompted, specify whether to load SCSI modules or additional modules from a floppy disk.
Technology changes rapidly, and hardware manufacturers have designed most computer components to last about 18 months between failures. Hardware is hardware; whether it’s a rack-mounted server or a forensic workstation, eventually it fails. For this reason, you should schedule equipment replacements periodically, ideally every 18 months if you use the hardware full time. Most digital forensics operations use a workstation 24 hours a day for a week or longer between complete shutdowns. You should plan your hardware needs carefully, especially if you have budget limitations. Include the amount of time you expect the forensic workstation to be running, how often you expect hardware failures, consultant and vendor fees to support the hardware, and how often to anticipate replacing forensic workstations. The longer you expect the forensic workstation to be running, the more you need to anticipate physical equipment failure and the expense of replacement equipment.
Now that you have selected some tools to use, you need to make sure the evidence you recover and analyze can be admitted in court. To do this, you must test and validate your software. The following sections discuss validation tools available at the time of this writing and how to develop your own validation protocols.

Using National Institute of Standards and Technology Tools
The National Institute of Standards and Technology (NIST) publishes articles, provides tools, and creates procedures for testing and validating computer forensics software. Software should be verified to improve evidence admissibility in judicial proceedings. NIST sponsors the CFTT project to manage research on forensics tools. For additional information on this testing project, visit www.cftt.nist.gov. The Computer Forensic Reference Data Sets (CFReDS; www.cfreds.nist.gov) have been created recently to provide data sets for tools, training, and hardware testing.
E-mail evidence is an important part of any computing investigation, so digital forensics investigators must know how e-mail is processed to collect this essential evidence. In addition, with the increase in e-mail scams and fraud attempts with phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages.

As a computing investigator, you might be called on to examine a phishing e-mail to see whether it’s authentic. Later, in “Tracing an E-mail Message,” you learn about resources for looking up e-mail and Web addresses to verify whether they are associated with a spoofed message. The Internet links in a phishing e-mail often appear to be correct, such as the U.S. Internal Revenue Service’s Web page, www.irs.gov. Typically, phishing e-mails contain links to text on a Web page. By using this technique, a phishing message attempts to get personal information by luring readers with false promises. When pharming is used, readers might go to the correct Web site address, but DNS poisoning takes them to a fake site. To determine whether redirection has been used, you need to view the message’s HTML source code and check whether an Internet link is a label with a redirect to a different Web address.

One of the most noteworthy e-mail scams was 419, or the Nigerian Scam, which originated as chain letters from Nigeria, Africa. Fraudsters need only access to Internet e-mail to solicit victims, thus saving the costs of international mail and phone calls. Unlike newer, more sophisticated phishing e-mail frauds, 419 messages have certain characteristic ploys and a typical writing style. For example, the sender often promises to reward you financially if you make a minor payment or allow access to your bank account. The messages are usually in uppercase letters and use poor grammar. Another common scam is a sender stating you have won a lottery and asking you to send money to claim the prize.
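Checking whether a link’s visible label names a different host than its href, as described above, can be scripted once the message’s HTML source has been saved. The following Python example is added here and is not part of the original notes; the HTML body is constructed for the example, and www.irs.gov appears only because the notes cite it as a commonly imitated site. A label is compared only when it looks like a URL or host name, so plain words such as “contact us” are not flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing body (not a real message). The first link shows an IRS
# address but points at an unrelated host; the second and third are consistent.
SAMPLE_HTML = """<p>Dear taxpayer,</p>
<p>Please confirm your refund at <a href="http://198.51.100.23/irs/login">www.irs.gov</a>.</p>
<p>Questions? Visit <a href="https://www.irs.gov/help">www.irs.gov/help</a>
or <a href="https://www.irs.gov/contact">contact us</a>.</p>"""

# Link text that reads like a URL or bare host name, e.g. "www.irs.gov" or "www.irs.gov/help".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercased host of a URL, adding a scheme when the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def find_mismatched_links(html):
    """Return anchors whose displayed address names a different host than the href target."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # labels such as "contact us" carry no host to compare
        shown_host, target_host = host_of(text), host_of(href)
        if shown_host and target_host and shown_host != target_host:
            findings.append({"text": text, "href": href,
                             "shown_host": shown_host, "target_host": target_host})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"label {f['text']!r} ({f['shown_host']}) actually links to {f['target_host']}")
```

Run against the sample, only the first link is reported. Pharming via DNS poisoning leaves no such trace in the message, which is why the notes treat it separately.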
Example: One noteworthy example of a lawsuit involving spoofed e-mail occurred in February 2001 in the Superior Court of Massachusetts: Suni Munshani v. Signal Lake Venture Fund II, LP et al. Suni Munshani claimed he received an e-mail from the CEO of Signal Lake Venture Fund instructing him to purchase options (financial warrants) for a total of $25 million. Signal Lake Venture Fund investigated its e-mail servers and didn’t find the e-mail Munshani claimed he received.
mail. To retrieve messages from the e-mail server, users identify themselves to the server, as when logging on to the network. Then e-mails are delivered to their computers. E-mail services on both the Internet and an intranet use a client/server architecture, but they differ in how client accounts are assigned, used, and managed and in how users access their e-mail. Overall, an intranet e-mail system is for the private use of network users, and Internet e-mail systems are for public use. On an intranet, the e-mail server is generally part of the local network, and an administrator manages the server and its services. In most cases, an intranet e-mail system is specific to a company, used only by its employees. For example, for John Smith at Some Company, jsmith is the username, and it is followed by the company’s domain name, somecompany.com, to create the e-mail address jsmith@somecompany.com. In contrast, a company that provides public e-mail services, such as Google, Hotmail, or Yahoo!, owns the e-mail server and accepts everyone who signs up for the service by providing a username and password. E-mail companies also provide their own servers and administrators. After users sign up, they can access their e-mail from any computer connected to the Internet. In most cases, Internet e-mail users aren’t required to follow a standardized naming convention for usernames. They can choose their own usernames (but not the domain name), as long as they aren’t already in use. For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes. For example, jane.smith@mycompany.com is easily recognized as the e-mail address for an employee named Jane Smith. Tracking Internet e-mail users is more difficult because these accounts don’t always use standard naming schemes, and e-mail administrators aren’t familiar with all the user accounts on their servers.
Identifying the owner of an e-mail account with an address such as itty_bitty@gmail.com, for example, is not easy. With the expansion of cloud service providers, many companies are migrating their e-mail services to the cloud. This setup is convenient because employees can easily access their e-mail from anywhere in the world, but it adds a layer of complexity for investigations, depending on the service level agreement with the cloud provider.
Investigating crimes or policy violations involving e-mail is like investigating other types of computer abuse and crimes. Your goal is to find out who is behind the crime or policy violation, collect the evidence, and present your findings in a court of law.
E-mail crimes and violations depend on the city, state, and country in which the e-mail originated. For example, in Washington State, sending unsolicited e-mail is illegal. However, in other states, it isn’t considered a crime. Consult with an attorney for your organization to determine what constitutes an e-mail crime. Committing crimes with e-mail is common, and more investigators are finding communications that link suspects to a crime or policy violation through e-mail. For example, some people use e-mail when committing crimes such as narcotics trafficking, extortion, sexual harassment, stalking, fraud, child abductions, terrorism, child pornography, and so on. Because e-mail has become a major communication medium, any crime or policy violation can involve e-mail.

Examining E-mail Messages
After you have determined that a crime has been committed involving e-mail, access the victim’s computer or mobile device to recover the evidence on it. Using the victim’s e-mail client, find and copy any potential evidence. It might be necessary to log on to the e-mail service and access any protected or encrypted files or folders. With a corporate investigation, be sure policies are in place for this action. For a criminal investigation, you need warrants to access or get copies of files on a server. When dealing with a stalker, if you can’t actually sit down at the victim’s computer, you might have to guide the victim on the phone to open and print a copy of an offending message, including the header. The header contains unique identifying numbers, such as the IP address of the server that sent the message. This information helps you trace the e-mail to the suspect.

Copying an E-mail Message
Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation. You might also want to forward the message as an attachment to another e-mail address, depending on your organization’s guidelines.
The following activity shows you how to use Outlook, included with Microsoft Office, to copy an e-mail message to a USB drive. (Note: Depending on the Outlook version you use, the steps might vary slightly.) You use a similar procedure to copy messages in other e-mail programs. If Outlook or Outlook Express is installed on your computer, follow these steps:
Figure: An Outlook e-mail header
Figure: Viewing headers in Yahoo!

Examining E-mail Headers
The next step is examining the e-mail header you saved to gather information about the e-mail and track the suspect to the e-mail’s originating location. The main piece of information you’re looking for is the originating e-mail’s domain address or an IP address. Other helpful information includes the date and time the message was sent, filenames of any attachments, and a unique message number, if it’s supplied. To open and examine an e-mail header, follow these steps:
- www.arin.net — Use the American Registry for Internet Numbers (ARIN) to map an IP address to a domain name and find the domain’s point of contact.
- www.internic.com — Like www.arin.net, you use this site to find a domain’s IP address and point of contact.
- www.google.com — Use this search engine and others to look for more information and additional postings on discussion boards.
Using one of these Web sites, you can find the suspect’s full e-mail address, such as jim.shu@superiorbicycles.biz, and contact information.
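The header fields the notes tell you to record (originating IP address, date and time sent, attachment filenames, and the unique message number) can be pulled from a saved message with Python’s standard email module. This example is added here and is not from the notes; the raw message is constructed for the example, and the jim.shu@superiorbicycles.biz address is borrowed from the notes’ own illustration. Each relay prepends its own Received line, so the list is read bottom-up to find the hop closest to the sender.

```python
import re
from datetime import timezone
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture) with two Received hops and one attachment.
# Continuation lines of a folded header start with whitespace, as in a saved .eml file.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
    by mail.example.com with ESMTP id ABC123; Tue, 4 Jun 2019 10:15:32 -0400
Received: from sender-pc (unknown [198.51.100.7])
    by mx1.example.net with SMTP id XYZ789; Tue, 4 Jun 2019 10:15:30 -0400
From: Jim Shu <jim.shu@superiorbicycles.biz>
To: investigator@example.com
Subject: Invoice attached
Date: Tue, 4 Jun 2019 10:15:29 -0400
Message-ID: <20190604101529.12345@superiorbicycles.biz>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached invoice.
--sep
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep--
"""

# An IPv4 address in square brackets, the form MTAs use for the connecting host.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def summarize_headers(raw):
    """Extract the fields an examiner records first from a saved message."""
    msg = message_from_string(raw, policy=default)
    # Received headers are prepended by each relay: the first listed is the last hop,
    # the last listed is the hop closest to the sender.
    hops = []
    for hdr in msg.get_all("Received") or []:
        m = BRACKETED_IP.search(hdr)
        hops.append(m.group(1) if m else None)
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    return {
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "from": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        "date_utc": sent.astimezone(timezone.utc).isoformat() if sent else None,
        "hops_top_down": hops,
        "originating_ip": hops[-1] if hops else None,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    for key, value in summarize_headers(RAW_MESSAGE).items():
        print(f"{key:16} {value}")
```

Only the Received lines added by servers you control (the top of the list) are trustworthy; the lower lines arrived with the message and can be fabricated by the sender, which is why the address still has to be confirmed through ARIN or a similar registry as the notes describe.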
An e-mail server is loaded with software that uses e-mail protocols for its services and maintains logs you can examine and use in your investigation. As a digital forensics investigator, you cannot know everything about e-mail servers. Your focus is not to learn how a particular e-mail server works but how to retrieve information about e-mails for an investigation. Usually, you must work closely with the network administrator or e-mail administrator, who is often willing to help you find the data or files you need and might even suggest new ways to find this information.

To investigate e-mail abuse, you should know how an e-mail server records and handles the e-mail it receives. Some e-mail servers use databases that store users’ e-mails, and others use a flat file system. All e-mail servers can maintain a log of e-mails that are processed. Most e-mail administrators log system operations and message traffic for the following reasons:
- Recover e-mails in case of a disaster.
- Make sure the firewall and e-mail filters are working correctly.
- Enforce company policy.
E-mail logs generally identify the e-mail messages an account received, the IP address from which they were sent, the time and date the e-mail server received them, the time and date the client computer accessed the e-mail, the e-mail contents, system-specific information, and any other information the e-mail administrator wants to track. These e-mail logs are usually formatted in plain text and can be read with a basic text editor, such as Notepad or vim.

Examining UNIX E-mail Server Logs
More than a dozen UNIX e-mail server programs are available. Most produce log files similar to the ones. Postfix and Sendmail are two common UNIX e-mail servers. Sendmail is the default for FreeBSD systems, such as CentOS.
Log files and configuration files can provide helpful information. The configuration file for Sendmail is /etc/mail/sendmail.cf, which can help you determine where log files are stored. Sendmail refers to the sendmail.cf file to find out what to do with an e-mail after it’s received. For example, if the server receives an e-mail from an unsolicited site, a line in the sendmail.cf file can tell the Sendmail server to discard it. Postfix is another common UNIX e-mail server. Similar to Sendmail, it has configuration files, master.cf and main.cf, in the /etc/postfix directory, and e-mails are stored in /var/spool/postfix. Because a UNIX system has a variety of e-mail servers available, the syslog.conf file simply specifies where to save different types of e-mail log files. The first log file it configures is /var/log/maillog, which usually contains a record of Simple Mail Transfer Protocol (SMTP) communication between servers.

Examining Microsoft E-mail Server Logs
Exchange Server, generally called Exchange, is the Microsoft e-mail server software. Exchange uses an Exchange database and is based on the Microsoft Extensible Storage Engine (ESE), which uses several files in different combinations to provide e-mail service. The files most useful to an investigation are .edb database files, checkpoint files, and temporary files. Exchange servers can also maintain a log called Tracking.log that tracks messages. If the Message Tracking feature has been enabled and the e-mail administrator selects verbose (detailed) logging, you can see the timestamp, IP address of the sending computer, and the e-mail’s contents or body. Except for special forensics tools, the message-tracking log in verbose mode provides the most information about messages sent and received in Exchange. Another log used for troubleshooting and investigating the Exchange environment is the troubleshooting log.
You can read this log, also known as a “diagnostic log,” by using Windows Event Viewer, shown in the following figure, which is available in Administrative Tools. Each event logged has an ID number and a severity level. To examine the details of an e-mail event, double-click the event to open its Event Properties dialog box. This dialog box shows date and time information that might be useful if, for example, you suspect the e-mail server has been tampered with to alter its contents.
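The SMTP record in /var/log/maillog described above is spread over several lines per message, which Postfix ties together with a queue ID. The following Python example is added here and is not part of the notes; the log excerpt is constructed, and its layout follows the smtpd/cleanup/qmgr/smtp lines Postfix writes. It rebuilds one record per message so that a Message-ID copied from a header can be matched to the connecting client IP and the delivery status.

```python
import re
from collections import OrderedDict

# Constructed Postfix maillog excerpt (not a real log): one message accepted from
# 198.51.100.7 and delivered, one deferred because the next hop refused the connection.
SAMPLE_MAILLOG = """\
Jun  4 10:15:30 mx1 postfix/smtpd[2210]: 4B2C1A0F3: client=unknown[198.51.100.7]
Jun  4 10:15:30 mx1 postfix/cleanup[2214]: 4B2C1A0F3: message-id=<20190604101529.12345@superiorbicycles.biz>
Jun  4 10:15:30 mx1 postfix/qmgr[1820]: 4B2C1A0F3: from=<jim.shu@superiorbicycles.biz>, size=2048, nrcpt=1 (queue active)
Jun  4 10:15:31 mx1 postfix/smtp[2220]: 4B2C1A0F3: to=<investigator@example.com>, relay=mail.example.com[203.0.113.9]:25, delay=1.2, delays=0.5/0.1/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Jun  4 10:15:31 mx1 postfix/qmgr[1820]: 4B2C1A0F3: removed
Jun  4 10:20:02 mx1 postfix/smtpd[2230]: 7F00D1B21: client=mail.example.org[192.0.2.44]
Jun  4 10:20:02 mx1 postfix/cleanup[2214]: 7F00D1B21: message-id=<abc@example.org>
Jun  4 10:20:02 mx1 postfix/qmgr[1820]: 7F00D1B21: from=<alice@example.org>, size=512, nrcpt=1 (queue active)
Jun  4 10:20:03 mx1 postfix/smtp[2220]: 7F00D1B21: to=<bob@example.com>, relay=none, delay=0.8, delays=0.5/0/0/0.3, dsn=4.4.1, status=deferred (connect to mail.example.com[203.0.113.9]:25: Connection refused)
"""

# syslog prefix, Postfix daemon name, queue ID, and the remainder of the line
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
MSGID = re.compile(r"message-id=(?P<mid>\S+)")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
TO = re.compile(r"to=<(?P<addr>[^>]*)>.*\bstatus=(?P<status>\w+)")


def correlate(log_text):
    """Group maillog lines by queue ID into one record per message."""
    records = OrderedDict()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a queue ID (daemon startup, NOQUEUE rejects) are not handled here
        rec = records.setdefault(m["qid"], {
            "queue_id": m["qid"], "first_seen": m["ts"], "client_ip": None,
            "message_id": None, "from": None, "recipients": [], "removed": False,
        })
        rest = m["rest"]
        c = CLIENT.search(rest)
        mid = MSGID.search(rest)
        f = FROM.search(rest)
        t = TO.search(rest)
        if c:
            rec["client_ip"] = c["ip"]          # smtpd: the host that connected to us
        elif mid:
            rec["message_id"] = mid["mid"]      # cleanup: ties the log to the header
        elif f:
            rec["from"] = f["addr"]             # qmgr: envelope sender
        elif t:
            rec["recipients"].append((t["addr"], t["status"]))  # smtp: per-recipient outcome
        elif rest == "removed":
            rec["removed"] = True               # qmgr: message left the queue
    return records


def find_by_message_id(records, message_id):
    """Locate the record for a Message-ID taken from a saved header."""
    for rec in records.values():
        if rec["message_id"] == message_id:
            return rec
    return None


if __name__ == "__main__":
    for rec in correlate(SAMPLE_MAILLOG).values():
        print(rec["queue_id"], rec["client_ip"], rec["from"], rec["recipients"])
```

The Message-ID recorded by the cleanup daemon is the link between the copy printed from the victim’s mailbox and the server’s own record of which IP address handed the message in, so the two sources corroborate each other.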
- Ontrack EasyRecovery EmailRepair for Outlook and Outlook Express (www.ontrackdatarecovery.ie/data-recovery/email-recovery/)
- R-Tools R-Mail for Outlook and Outlook Express (www.r-tt.com/outlook_mail_recovery/)
- MXToolBox for decoding e-mail headers (https://mxtoolbox.com/EmailHeaders.aspx)
- FreeViewer with free tools for Outlook, Windows Live Mail, Thunderbird, and other servers (www.freeviewer.org/email-forensics/free-tools.html)

Using OSForensics to Recover E-mail
OSForensics isn’t task or file specific, as other tools are. However, it indexes data on a disk image or an entire drive for faster data retrieval. It can also filter or find files specific to e-mail clients and servers. You can configure these filters when you enter search parameters. In this activity, you learn how to use OSForensics to recover e-mails: