
COMPUTER FORENSICS

BY HENRY O. QUARSHIE

INTRODUCTION
Computer forensics is a relatively new field within law and law enforcement. As the computer industry has grown and more and more people own a computer, the need to understand, examine and present the facts of a case involving a computer has become essential. The people who identify and analyse evidence found on a computer are called computer forensic experts; they also present that evidence during legal proceedings.

Computer forensics requires a specialized approach and expertise. It goes far beyond what a typical system support analyst or personnel will do for normal data collection. Instead, the expert in computer forensics must follow legal protocol and still be able to locate the information integral to the case. They will examine the computer to see if it has been an aid in criminal or otherwise illegal activities.

Definition of Computer Forensics

There are a number of slightly varying definitions around. Generally, however, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence or information that is magnetically stored or encoded.

The objective is to provide digital evidence of a specific or general activity.

WHO CAN USE COMPUTER FORENSIC EVIDENCE?


A forensic investigation can be initiated for a variety of reasons. The most high-profile are usually criminal investigations or civil litigation, but digital forensic techniques can be of value in a wide variety of situations, including simply retracing the steps taken when data has been lost.

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists. Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography. Civil litigation can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination and harassment cases. Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson and workman's compensation cases.

Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, theft or misappropriation of trade secrets and other internal/confidential information. Law Enforcement Officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment. Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.

What are the common scenarios?

Wide and varied! Examples include:
- Employee internet abuse (common, but decreasing)
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment (following an incident)
- Criminal fraud and deception cases
- More general criminal cases (many criminals simply store information on computers, intentionally or unwittingly)
- and countless others!

What will a computer forensics specialist do on the job?


They can take copies of the hard drive, identify and recover lost files, access hidden or protected files, study the residue of previously deleted files, and create a detailed report of all the actions on the computer that can be considered suspect or illegal. Throughout the process they are not permitted to change the data in any way, as this would literally be tampering with the evidence being collected. The computer forensics expert is specifically trained to avoid altering the data while searching for the remnants and telling signs left on the computer itself.

CYBERCRIME
Cybercrime is defined as crime committed on the Internet using the computer as either a tool or a targeted victim. It is very difficult to classify such crimes into distinct groups, as new crimes evolve on a daily basis.

TYPES OF CYBERCRIME
ELECTRONIC THEFT: Citibank was subjected to over 40 electronic thefts by a former Russian employee of a St Petersburg software house. Together with a number of accomplices, he managed to transfer approximately $7.5 million to Finland, California, Israel, Germany, Holland and Switzerland. (source: PCB Lawson House U.S.A.)

On 17th March 2005 police in London foiled a massive bank theft; the plan was to steal 220m from the London offices of the Japanese bank Sumitomo Mitsui. The thieves had managed to infiltrate the system with keylogging software.

CREDIT CARD FRAUD: A Russian hacker known as "Maxim" stole 300,000 credit card numbers from the web site of an Internet retailer, C. D. Universe, which refused to pay him $100,000. As a result, the hacker posted some 25,000 credit card details on the web for all to see. (source: PCB Lawson House U.S.A.)

ONLINE AUCTION FRAUD: This is the number one Internet fraud in the U.S. Goods often don't arrive. In one case a Russian fraudster ordered goods using a stolen credit card, then sold them on an online auction at a low price to United States citizens, who then wired money to an untraceable Latvian bank. (source: PCB Lawson House U.S.A.)

Internet auction fraud accounted for 62 percent of the 97,076 Internet fraud complaints that the Internet Crime Complaint Center (U.S.A.) referred to law enforcement agencies for investigation in 2005.

PYRAMID FRAUD: This entices the victim with promises of extraordinary returns on investment. Those at the top of the scheme are initially successful, but subsequent investors lose all the money invested. (source: PCB Lawson House U.S.A.)

FRAUDULENT INTERNET BANKING SITES: The Internet allows fraudsters to offer bogus but credible-looking banking services. It is difficult for the consumer to discern between genuine and fraudulent Internet banks. The fraudster does not need to go to great expense to dress up his site as genuine, and will entice victims with a promise of high interest rates. (source: PCB Lawson House U.S.A.)

PHISHING: This attack occurs when a hacker tries to obtain people's banking details electronically and then uses those details to rob their bank accounts.

A phishing email claiming that the National Australia Bank (NAB) was bankrupt caught more than 1,000 of the bank's customers in its net.

It claimed that the bank's ATMs were not working, which caused panic withdrawals, and invited customers to click on a link that would provide them with more information.

The link in fact downloaded a Trojan onto the hapless customer's machine. This stole their bank login details and password when they followed the rest of the emailed "advice" to go online and check their balance. (Source: Channel Register, June 19, 2006)

CYBERTERRORISM: This is a very real threat in today's information age. Cyberterrorists have at their disposal weapons that can cause severe destruction. Cyberterrorists, such as Russian cyber gangs, can attack anyone, anywhere, blackmailing organizations into paying them millions to prevent the terrorists from destroying their systems.

A group of British hackers allegedly demanded a 10m ransom from Visa, claiming they would crash the Visa system if they were not paid. The hackers had stolen computer "source codes" critical to its programming. If the system did crash, even for just a day, the cost to Visa would have run into tens of millions of pounds. (source: PCB Lawson House U.S.A.)

LOTTERY SCAM: These are emails that tell the recipient they have won a sum of money in a lottery. The recipient is instructed to keep the notice secret and to contact an agent. After contacting the "agent", the recipient will be asked to pay money as fees, but will never receive any lottery payment.

At the end of 2005, the U.S. Department of the Treasury announced that cybercrime had overtaken drug trafficking; cybercrime cost $180 billion. (source: Sun-Sentinel.com, June 03, 2006)

While criminal activity via the Internet is still a fairly new phenomenon, the FBI ranks it just behind stopping terrorism and counterintelligence on their list of priorities.


The Nigerian 419 scam stole the most money on the Internet. Americans reported losing an all-time high of $183 million to Internet fraud in 2005, up 169 percent from $68 million in 2004. (Source: Internet Crime Complaint Center)

REPORTS (GHANA)
- Man of God in 419 for alleged cyber fraud. He claims to have inherited $39m. (source: Daily Graphic, 25th April 2005)
- 11 Nigerians arrested at a café at Dzowulu with forged documents designed to deceive potential victims. (source: Daily Graphic, 20th Aug 2005)
- Online fraud: security council gets tough. Ghana has been blacklisted and could be totally banned from the use of credit cards. (source: Daily Graphic, 19th Sept 2005)

Techniques and Tools used in Computer Crime

- Computer viruses, spyware, adware and other malware
- Cracking
- Spamming
- Phishing
- Cyberterrorism

Computer Virus
A computer virus can be defined by three basic properties:
1. It is a piece of software (executable code).
2. It is a parasite. It never remains a named piece of software on its own; it attaches itself to some other executable code and remains with it. To attach might mean physically adding to the end of a file, inserting into the middle of a file, or simply placing a pointer to a different location on the disk somewhere the virus can find it.
3. It reproduces itself. On activation it always tries to spread by attaching itself to other executable code as well.

Since a virus is executable code, it has to attach itself to code that will itself be executed in order to be activated. Hence a computer virus can live in:
- the boot sector
- the partition table
- executable files (EXE, COM, DLL, OVL etc.)
- macros in MS Office files (documents, spreadsheets etc.)

TYPES OF VIRUSES
- Boot / Partition Viruses
- File Viruses
- Macro Viruses
- Backdoors
- Worms
- Trojans

Boot / Partition Viruses

Partition table / boot sector viruses house themselves in the original boot or partition areas and shift the original code to some other location. Most of these viruses remain resident in memory and thereby take control of the machine. From there they attach themselves to the boot sector of the hard drive or to other executables.

Macro Viruses
These are viruses which infect document files such as MS Word documents. All MS Office components (Word, Excel, PowerPoint and Access) support writing macros. Unlike the limited macro powers available in the previous generation, these macros provide almost all the functionality of a computer programming language. Viruses too smell the opportunity and target these macros.

Backdoor
A backdoor has two components and basically creates a client-server environment. The target machine is converted into a server, and the attacker poses as a client, taking control of the machine and its information.

Worms
A worm is a computer program or piece of software that has the ability to replicate on its own. It arrives as an e-mail or newsgroup attachment and infects users who run the attachment. The worm alters the host computer's windsock32.dll file, the doorway to the Internet. Worms can spread rapidly to other machines on the network, e.g. W32 Nimda, W32 Sircam.

Trojans
A Trojan refers to a program that appears to be something safe but usually has something harmful hidden inside it, probably a worm or a virus. The lure of a Trojan is that you may download a game or a picture thinking it's harmless, but once you execute (run) the file, the worm or virus gets to work.

TECHNIQUES USED BY COMPUTER VIRUS WRITERS

Self-Encryption: To hide its code and its destructive property, a virus remains in the file in encrypted form and decrypts itself at the time of execution. This makes studying the virus a tricky affair. The virus now consists of two parts: the decryption routine and the original, encrypted code of the virus. If it is not studied properly, an accidental removal of the virus may result in serious loss of data, so be careful.

Polymorphic nature: The new generation of viruses keeps changing and modifying its code. This polymorphic ("many forms") nature makes identifying the virus a difficult task. At times the form changes to such an extent that, if not studied properly, some variants evade the virus scanner. Almost all new viruses are polymorphic in nature.

Stealth methodology: A stealth virus actively conceals itself by temporarily removing itself from an infected file that is about to be examined and hiding a copy of itself elsewhere on the drive. It can keep a copy of the original boot sector and present it as normal to anti-virus software. Such viruses also report the original file size even after infecting a file.

SPYWARE
Software that hides itself somewhere on your computer, collects information about you and what you do on the Internet, and passes on your personal details without you ever knowing. There are currently over 78,000 spyware and adware programs infecting innocent Internet users.

HOW SPYWARE WORKS

- Steals your passwords
- Steals your identity
- Spams your email account
- Crashes your computer
- Bombards you with advertising
- Steals your credit card numbers
- Downloads your private files
- Monitors your emails and keystrokes
- Watches the sites you visit

Symptoms of SPYWARE
- Computer slows down
- E-mails bounce back
- E-mails being sent without your knowledge
- Programs opening and closing
- CD drive opening and shutting
- Credit card account and password being tampered with (offline symptoms)
- Hijacked homepage

ADWARE
Software that presents advertisements to the user, normally in the form of pop-up adverts. Adware is installed on a user's computer by some Web sites, by "freeware" products and sometimes along with legitimately purchased commercial software.

Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties without the user's authorization or knowledge. This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates.

SYMPTOMS OF ADWARE
- Slow computer performance
- New desktop shortcut or switched homepage
- Annoying pop-ups on your PC

HOW ADWARE WORKS

- Steals your information
- Sends deceptive adverts
- Breaks websites
- Installs new code on your system

CRACKING TECHNIQUES
The following are some of the techniques used by crackers.
1. Remote Penetration: Programs that go out on the Internet (or network) and gain unauthorized control of a computer.
2. Local Penetration: Programs that gain unauthorized access to the computer on which they are run.
3. Remote Denial of Service: Programs that go out on the Internet (or network) and shut down another computer or a service provided by that computer.
4. Local Denial of Service: Programs that shut down the computer on which they are run.
5. Network Scanners: Programs that map out a network to figure out which computers and services are available to be exploited.
6. Vulnerability Scanners: Programs that scour the Internet looking for computers vulnerable to a particular type of attack.
7. Password Crackers: Programs that discover easy-to-guess passwords in encrypted password files. Computers can now guess passwords so quickly that many seemingly complex passwords can be guessed.
8. Sniffers: Programs that listen to network traffic. Often these programs have features to automatically extract usernames, passwords or credit card information.

Guidelines for Forensic Examination and Analysis

Forensics is a science and an art that requires specialised techniques for the recovery, authentication and analysis of electronic data relating to a criminal act. Specific processes exist for the reconstruction of computer usage, the examination of residual data, and the authentication of data by technical analysis or explanation of technical features of data and computer usage. This is not something the ordinary network administrator should be carrying out.

INTERNATIONAL ORGANISATION ON COMPUTER EVIDENCE

The International Organisation on Computer Evidence (IOCE) was created to develop international principles dealing with how digital evidence is to be collected and handled, so that various courts will recognise and use the evidence in the same manner.

The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:
1: Consistency with all legal systems
2: Allowance for the use of a common language
3: Durability
4: Ability to cross international boundaries
5: Ability to instill confidence in the integrity of evidence
6: Applicability to all forensic evidence
7: Applicability at every level, including that of individual, agency and country

FORENSICS INVESTIGATION PROCESS

To ensure that forensic activities are carried out in a standardized manner, the team must follow specific laid-out steps so that nothing is missed and the evidence remains admissible. Each team or company may come up with its own steps, but all are essentially accomplishing the same things.

1: Adhere to your site's security policy and engage the appropriate incident handling and law enforcement personnel. Capture as accurate a picture of the system as possible.

2: When confronted with a choice between collection and analysis, do collection first and analysis later.

3: Computer Time and Date Settings. The time and date that files were created can be important in cases involving computer evidence. However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time and date stored in the CMOS chip of the computer. Consequently, documenting the accuracy of these settings on the computer is important. Without such information it will be all but impossible to validate the accuracy of the times and dates associated with relevant computer files.

4: Hard Disk Partitions. The potential for hidden or missing data exists whenever computer hard disk drives are involved. As a result, it is important to document the make, model and size of all hard disk drives contained in the computers. This is accomplished by conducting a physical examination of the hard disk drive; the factory information recorded on the outside of the drive should be documented.

5: Operating System and Version. The computer may rely upon one or more operating systems. The operating system involved should be documented, the findings noted, and the software and version used should be documented.

6: File Catalog. The files stored on the computer hard disk drive should be listed and cataloged. The dates and times that the files were created and/or updated should also be recorded. Many times relevant leads can be obtained by sorting the files by date and time. Combining such information from multiple computers in evidence in the same case can also prove valuable for leads, for instance in documenting a conspiracy when the sorted file dates and times are evaluated.

7: Backups. Normally computer evidence is preserved by making an exact copy of the original evidence before any analysis is performed. It is not enough just to make copies of computer files using a conventional backup program: valuable evidence may exist in the form of erased files, and the data associated with these files can only be preserved through an exact copy.

8: Never run any programs on the computer in question without taking precautions, e.g. write protection or making a backup first. Also, do not boot or run the computer using the operating system on the computer in question. It is relatively easy for criminals to rig their computers to destroy hard disk drive content or specific files by planting decoy programs or by modifying the operating system.

Take Precautions in the Transport of Computer Evidence. Computer evidence is very fragile. Heat and magnetic fields can destroy or alter it in a very short period of time.
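The following is an added example, not part of the original slides, showing how steps 3, 6 and 7 above can be documented in practice: recording the offset between the examined machine's clock and a trusted reference, producing a file catalog with sizes, timestamps and SHA-256 hashes sorted by time, and proving that a copy is exact by comparing hashes rather than trusting a conventional backup. All files, clock readings and names are constructed for the demonstration and are written to a temporary directory.

```python
"""Added example (not from the slides): documents an acquisition the way
steps 3, 6 and 7 above require. All inputs are constructed sample files
written to a temporary directory, so nothing real is touched."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def clock_offset(suspect_clock: datetime, reference_clock: datetime) -> timedelta:
    """Step 3: note how far the examined machine's clock is from a trusted
    reference. Both values are read at the same instant and written down."""
    return suspect_clock - reference_clock


def to_reference_time(file_time: datetime, offset: timedelta) -> datetime:
    """Translate a timestamp recorded by the suspect machine into reference time."""
    return file_time - offset


def sha256_file(path: str) -> str:
    """Hash a file in chunks; the file is opened read-only (step 8: never modify)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def catalog(root: str) -> list:
    """Step 6: every file with size, modification time and SHA-256,
    sorted by time so that bursts of activity line up across machines."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                "sha256": sha256_file(path),
            })
    entries.sort(key=lambda e: (e["mtime"], e["path"]))
    return entries


def verify_copy(original: str, copy: str) -> bool:
    """Step 7: a working copy is only trustworthy if every file hashes
    identically to the original (a conventional backup gives no such proof)."""
    wanted = {e["path"]: e["sha256"] for e in catalog(original)}
    actual = {e["path"]: e["sha256"] for e in catalog(copy)}
    return wanted == actual


def clock_demo() -> str:
    """Constructed reading: suspect clock 10:00:00, trusted reference 10:07:30."""
    suspect = datetime(2005, 3, 17, 10, 0, 0)
    reference = datetime(2005, 3, 17, 10, 7, 30)
    offset = clock_offset(suspect, reference)           # -7m30s: the suspect runs slow
    # a file the suspect machine stamped 09:00:00 was really written at 09:07:30
    return to_reference_time(datetime(2005, 3, 17, 9, 0, 0), offset).isoformat()


def acquisition_demo() -> dict:
    """Create constructed evidence, make a faithful and a corrupted copy,
    and return what the catalog and the verification report."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "evidence")
    os.makedirs(evidence)
    # constructed sample files; the epoch values give them distinct mtimes
    for name, data, epoch in (("notes.txt", b"meeting at 9", 1_111_100_000),
                              ("ledger.csv", b"acct,amount\n", 1_111_000_000)):
        path = os.path.join(evidence, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (epoch, epoch))
    good_copy = os.path.join(work, "copy_good")
    shutil.copytree(evidence, good_copy)
    bad_copy = os.path.join(work, "copy_bad")
    shutil.copytree(evidence, bad_copy)
    with open(os.path.join(bad_copy, "notes.txt"), "ab") as fh:
        fh.write(b"!")                                   # one altered byte in the copy
    result = {
        "order": [e["path"] for e in catalog(evidence)],
        "good_copy_verified": verify_copy(evidence, good_copy),
        "bad_copy_verified": verify_copy(evidence, bad_copy),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(clock_demo())
    print(acquisition_demo())
```

The catalog is sorted by modification time, so the older ledger.csv lists before notes.txt; the single appended byte in the second copy is enough for verify_copy to reject it, which is the property a conventional file backup cannot offer.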

ANALYSIS OF A SECURITY SOFTWARE

ONLINE PROTECTION: Prevents your system from virus attack by continuously monitoring the system, and prevents virus infection from e-mail attachments, Internet downloads, the network, FTP, floppies, data storage devices, CD/DVD-ROM, file executables and during suspected file copying. All this is done in the background and you are notified only when a virus-infected file is found or virus-like activity is detected.

EMAIL PROTECTION: Mail protection has been redesigned to provide the best possible protection to its users. Your e-mail messages are scanned automatically for any malicious code content.

QUARANTINE: Quarantine helps in safely isolating infected or suspected files. When a file is added to Quarantine, it is encrypted and kept inside the Quarantine directory. Being kept in encrypted form, these files cannot be executed and hence are safe. Quarantine also keeps a copy of an infected file before repairing it.

MESSENGER: It automatically gathers information from the web site and informs you about new viruses, hoaxes, upgrade availability and other information. It can also be used from a local folder or network path. The messenger starts blinking, along with an audio alarm, whenever there is a new message. Click on the blinking ball to view the message. A detailed log of messages is also maintained.

Virus List: Provides an exhaustive database of virus names along with their category.

System Information: An essential tool for gathering critical information about a Windows-based system. It gathers information to detect new malware from running processes, the Registry, and system files such as Config.Sys and Autoexec.bat.

REPORTS: These provide detailed information about the functioning of the different modules and about virus scan sessions. Examples are:
- Scan reports
- Online protection reports
- E-mail reports
- Scheduler reports

Advanced System Explorer: This tool provides all the important information about your computer, such as running processes, installed BHOs, toolbars installed in Internet Explorer, installed ActiveX controls, Hosts, LSPs, startup programs, Internet Explorer settings and active network connections. This helps diagnose the system and trace the existence of any new malware or riskware.

Hijack Restore: This restores the important Internet Explorer settings to their defaults. Internet Explorer settings modified by malware, spyware, genuine applications and even by you can easily be restored to the default setting using Hijack Restore. This tool also restores certain other critical operating system settings, such as the registry editor and task manager.

DNAScan: This detects new and unknown threats without the need for an update. Additionally, it copies the suspected file into the quarantine directory before taking any action. These quarantined suspicious files are submitted to a research lab for further analysis; after detailed analysis a threat can be added to the known threat database, which is provided in updates to all users. This is only possible if threats are detected and eliminated before they spread widely. DNAScan technology successfully traps suspected files with very few false alarms.

WINDOW SPY: This tool can be used to find out more information about an application or process whenever required. At times we keep getting dialog boxes or messages shown by spyware or some other malware and are not able to locate the malware. In such a situation this tool can be used to find out more about the application by dragging the target onto the dialog or window that appears on the screen. The tool provides the following information about the dialog or window:
- Application Name
- Original File Name
- Company Name
- File Description
- File Version
- Internal Name
- Product Name
- Product Version
- Copyright Information
- Comments

ANTI-SPAM: Anti-spam tags unwanted emails such as spam, phishing emails and porn emails, and blocks unwanted mail coming into your inbox. Anti-Spam scans the mail and, while scanning, appends [SPAM] - to the subject of a spam mail. A SpamMails folder is created automatically in the e-mail client, and all spam mail is moved directly to that folder.

Spam is estimated to account for up to 40% of global e-mail traffic and is causing a massive headache for businesses, which are losing billions in productivity.

ANTI-PHISHING: This prevents you from accessing phishing and fraudulent websites. Phishing is a fraudulent attempt, usually made through email, to steal your personal information. Anti-phishing automatically scans all accessed web pages for fraudulent activity, protecting you against phishing attacks as you surf the Internet. It prevents identity theft by blocking phishing websites, so you can shop, bank and surf online safely.

Phishing is generally attempted through emails. They usually ask for your personal information, such as a credit card number, social security number, account number or password. In order for Internet criminals to successfully "phish" your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested.
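As an added example (not code from the slides or from the product they describe), the two checks described under ANTI-SPAM and ANTI-PHISHING can be shown on a constructed message: a phishing lure must move the reader from the email to a website, so the most telling sign is a link whose visible text names one domain while its real destination is another; the subject of anything flagged is then tagged with [SPAM] - and routed to a SpamMails folder. The urgency word list, the domains (.test and .invalid are reserved names) and both sample e-mails are assumptions for illustration, and the tag is assumed to be a prefix.

```python
"""Added example (not from the slides): the two checks the anti-spam and
anti-phishing slides describe, run over a constructed message. The rules,
the domains and both sample e-mails are assumptions for illustration."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing lure: the visible link text names the bank, the real
# href points somewhere else. (.test and .invalid are reserved names.)
PHISHING_MAIL = """\
From: "Security Team" <alerts@example-bank.test>
To: customer@example.test
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Click below to verify now.</p>
<a href="http://example-bank.test.evil.invalid/verify">https://www.example-bank.test/login</a>
<a href="https://www.example-bank.test/help">Help centre</a>
</body></html>
"""

# Constructed legitimate message for comparison.
CLEAN_MAIL = """\
From: "Statements" <statements@example-bank.test>
To: customer@example.test
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>Your monthly statement is available at
<a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a>.</p>
</body></html>
"""

URGENCY = re.compile(r"\b(urgent|suspended|verify now|immediately)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels as a crude 'registered domain'. Good enough for the demo;
    production code would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def deceptive_links(html: str) -> list:
    """Links whose visible text is a URL on one domain while the href goes to
    another: the classic way a phishing mail moves you from email to website."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and registrable(shown) != registrable(real):
            flagged.append((text, href))
    return flagged


def classify(raw_mail: str) -> dict:
    """Tag the subject with "[SPAM] -" (the convention the slide describes,
    assumed here to be a prefix) when the message trips either check."""
    msg = message_from_string(raw_mail)
    subject = msg["Subject"] or ""
    body = msg.get_payload()                      # single-part text/html in these samples
    links = deceptive_links(body)
    plain = re.sub(r"<[^>]+>", " ", body)         # strip tags before word matching
    urgency_hits = len(URGENCY.findall(subject + " " + plain))
    is_spam = bool(links) or urgency_hits >= 2
    return {
        "deceptive_links": links,
        "urgency_hits": urgency_hits,
        "subject": ("[SPAM] - " + subject) if is_spam else subject,
        "folder": "SpamMails" if is_spam else "Inbox",
    }


if __name__ == "__main__":
    print(classify(PHISHING_MAIL))
    print(classify(CLEAN_MAIL))
```

The second link in the lure ("Help centre") is not flagged because its text is not itself a URL; the first is, because the text shows example-bank.test while the href resolves to evil.invalid. The clean message has matching text and href and no urgency words, so its subject is left alone.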

Privacy Considerations
1: Respect the privacy rules and guidelines of your client and your legal jurisdiction. In particular, make sure that no information collected along with the evidence you are searching for is available to anyone who would not normally have access to it.

2: Do not intrude on people's privacy without strong justification. In particular, do not collect information from areas you do not normally have reason to access (such as personal file stores) unless you have sufficient indication that there is a real incident.

3: Make sure you have the backing of your company's established procedures in taking the steps you do to collect evidence of an incident.

Legal Considerations
Computer evidence needs to be:
1: Admissible: It must conform to certain legal rules before it can be put before a court.
2: Authentic: It must be possible to positively tie the evidentiary material to the incident.
3: Complete: It must tell the whole story and not just a particular perspective.
4: Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt on its authenticity and veracity.
5: Believable: It must be readily believable and understandable by a court.

Transparency
The methods used to collect evidence should be transparent and reproducible. You should be prepared to reproduce precisely the methods you used, and have those methods tested by independent experts.


Collection Steps
1: List the systems that were involved in the incident and from which evidence will be collected.
2: Establish what is likely to be relevant and admissible.
3: Don't forget the people involved. Make notes of who was there, what they were doing, what they observed and how they reacted.

Chain of Custody
You should be able to clearly describe how the evidence was found, how it was handled and everything that happened to it. The following need to be documented:
1: Where, when and by whom the evidence was discovered and collected.
2: Where, when and by whom the evidence was handled or examined.
3: Who had custody of the evidence, and during what period.
4: How it was stored.
5: When the evidence changed custody, when and how the transfer occurred.
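An added example, not part of the original slides, of a chain-of-custody record that captures the five items above. Each entry names who, where, when and what happened, and is hashed together with the previous entry's hash, so an after-the-fact edit to any entry is detectable when the record is produced in court (the transparency and reliability requirements above). The evidence item, names, places and times are constructed for the demonstration; the hash-chaining is one common way to make such a log tamper-evident, not a method the slides prescribe.

```python
"""Added example (not from the slides): a chain-of-custody record covering
the five items above, with each entry hashed together with the previous
entry's hash so that later alteration of the record is detectable. The
item, names, places and times are constructed for the demonstration."""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64          # prev_hash of the first entry


class CustodyLog:
    """Append-only record for one evidence item, identified by its hash."""

    def __init__(self, item_id: str, item_sha256: str):
        self.item_id = item_id
        self.item_sha256 = item_sha256
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, who: str, where: str, when: datetime, notes: str = "") -> str:
        """action is one of: discovered, collected, examined, stored, transferred."""
        entry = {
            "item_id": self.item_id,
            "action": action,
            "who": who,
            "where": where,
            "when": when.isoformat(),
            "notes": notes,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every hash and check the links; False if any entry was
        edited, removed or reordered after the fact."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def handovers(self) -> list:
        """Items 3 and 5: who recorded the collection and each transfer, and when."""
        return [(e["who"], e["when"]) for e in self.entries
                if e["action"] in ("collected", "transferred")]


def custody_demo() -> dict:
    """Walk one constructed item through discovery, collection, storage,
    examination and transfer, then tamper with the record and re-verify."""
    log = CustodyLog("HDD-001", "ab" * 32)   # constructed item id and placeholder hash
    log.record("discovered", "J. Mensah", "Office 2B, workstation 4",
               datetime(2005, 9, 19, 9, 15), "seized powered off, photographed")
    log.record("collected", "J. Mensah", "Office 2B",
               datetime(2005, 9, 19, 9, 40), "placed in anti-static bag, sealed")
    log.record("stored", "J. Mensah", "Evidence locker 7",
               datetime(2005, 9, 19, 11, 0))
    log.record("examined", "A. Owusu", "Forensic lab",
               datetime(2005, 9, 20, 8, 30), "imaged with write blocker")
    log.record("transferred", "A. Owusu", "Forensic lab",
               datetime(2005, 9, 20, 16, 0), "handed to K. Boateng for court")
    intact = log.verify()
    holders = [who for who, _ in log.handovers()]
    # An after-the-fact edit to an earlier entry breaks every later link.
    log.entries[1]["who"] = "Unknown"
    return {"intact": intact, "handovers": holders, "after_tamper": log.verify()}


if __name__ == "__main__":
    print(custody_demo())
```

Because every entry's hash covers the previous entry's hash, changing the collector's name in entry 2 invalidates entry 2 and, through prev_hash, every entry after it; verify therefore fails even though the remaining entries are untouched.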
