ABSTRACT
The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are being attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies. This paper presents the design and implementation of an experimental Computer Security and Forensic Analysis (CSFA) laboratory and the tools associated with it. The laboratory is envisioned to be a training facility for future computer security professionals.
Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy
without fee all or part of this material is granted provided that the copies are not made or
distributed for direct commercial advantage, the CCSC copyright notice and the title of the
publication and its date appear, and notice is given that copying is by permission of the
Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a
fee and/or specific permission.
JCSC 20, 6 (June 2005)
INTRODUCTION
Computers and the Internet have become a major part of our lives. The pervasiveness and the convenience of information technology tend to make most of society deeply dependent on the availability of computers and network systems. Each day, many of us carry out banking transactions, purchases, and message exchanges through email. As our reliance on such systems grows, so does our exposure to their vulnerabilities. Day after day, computers are being attacked and compromised. These attacks are made to steal personal identities, to bring down an entire network segment, to disable the online presence of businesses, or to completely obliterate sensitive information that is critical for personal or business purposes. It is the responsibility of every organization to establish a reasonably secure system to protect its own interests as well as those of its customers. And as computer crime steadily grows, so does the need for computer security professionals trained in understanding computer crimes, in gathering digital forensic evidence, in applying the necessary security tools, and in collaborating with law enforcement agencies.
Computer forensics is the identification, preservation, and analysis of information stored, transmitted, or produced by a computer system or computer network. Its main purpose is to establish the validity of the hypotheses used in an attempt to explain the circumstances or the cause of an activity under investigation [1]. The practice was initiated by the U.S. military and intelligence agencies in the early 1970s. Although little is known about these activities because of their classified environments, it is reasonable to presume that they had a counter-intelligence focus on computer mainframes. In the 1980s, the Internal Revenue Service Criminal Investigations Division (IRS-CID) and Revenue Canada were two of the first government agencies with an obvious and openly acknowledged obligation to carry out forensics on external systems linked to criminal offences. Also, in 1984 the FBI established the Computer Analysis and Response Team (CART) to provide computer forensic support [2].
There are a number of computer forensic training courses offered today. However, most of them are focused on a specific set of tools. A computer forensic examiner's training course should be broad enough to familiarize the student with all methodologies of the field. The National Cybercrime Training Partnership (NCTP) was set up by the U.S. government to provide guidance and assistance to local, state, and federal law enforcement agencies. Other U.S. organizations involved in training include NCJIS (the National Consortium for Justice Information and Statistics) and the High-Tech Crime Investigation Association (HTCIA). In Europe, NATO's Lathe Gambit Information Security program and Interpol both offer similar training courses for allied countries. In the Asia-Pacific region, the Australasian Center for Policing Research (ACPR) conducts a number of training courses for Australia and New Zealand [3].
A number of proprietary software packages for computer security and forensic analysis are available on the market today. The evaluation methods and criteria for such software are detailed in [7] and [13]. Generally, the functionality of such tools can be divided into three main categories, as described in [1]:
1. Imaging:
CCSC:Mid-South Conference
OBJECTIVES
The objectives of the proposed project are as follows:
1) To design and implement an experimental computer security and forensic
analysis laboratory with features that will suit both research and pedagogical
activities. Although the size of the CSFA laboratory will be limited to a
proof-of-concept variety, its design will be guided by the need for future
scalability in size and adaptability to new technologies.
2) To provide students exposure to the spectrum of computer forensic tools
and to the development of forensic toolkits that they can use for computer
crime scene investigations.
3) To establish core forensic procedures necessary in performing thorough
inspection of all computer systems and file types, in tracking offenders on the
Internet, in proper evidence handling, and in working with law enforcement
agencies.
4) To explore the possibility of designing a cross-disciplinary course in the area
of computer networks security, forensic data collection and analysis, and
security audit and assessment that will involve two or more academic
disciplines other than computer science.
5) To disseminate the research results and the lessons/experiences gained in
designing and implementing the CSFA laboratory and the hands-on activities
that evolved within.
lost information, text that has been deleted and removed from the Recycle Bin, and even information not found by other file-retrieval programs. This program works on the Windows 2000 and XP operating systems. The freeware may be downloaded from the company website at [6]. A snapshot of SectorSpyXP's graphical user interface (GUI) is depicted in Figure 2.
The following discussion presents several disk imaging tools, both open-source and commercial, that can be used for evidence-on-disk preservation.
The "dd" (data dump) command is one of the original UNIX utilities and is used for disk cloning or duplication. It can extract parts of binary files, write into specified sectors of a disk, make boot images, and perform file format conversions. A summary of all "dd" options can be found in [8].
Acronis True Image 6.0 [12] takes an exact image of a hard disk drive or of separate partitions and produces either a complete backup image or a clone. Acronis' proprietary technology allows creating and restoring complete disk images online under Windows, supporting the FAT16/32 and NTFS file systems as well as the Linux Ext2, Ext3, and ReiserFS file systems.
SafeBack [9] is used to create mirror-image (bit-stream) files of disks or disk partitions. It is a self-authenticating forensics tool used to create evidence-grade images of disk drives. The self-authentication (integrity preservation) of SafeBack files is achieved through two separate mathematical hashing processes, both of which rely on the NIST-tested SHA-256 algorithm.
EnCase [10] can be used to mount images of hard drives or CDs as read-only local drives. Together with VMware [11], a virtual machine infrastructure product, EnCase enables booting and examining the computer under investigation in the state it was in when the evidence was first captured.
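As an added example (not code from the paper or from any of the tools it cites), the following POSIX shell script combines the two ideas of this section: bit-stream cloning with dd, using the forensic options conv=noerror,sync, and integrity preservation with a SHA-256 digest taken before and after imaging, in the manner of SafeBack's self-authentication. The sample "disk" is a constructed 4096-byte file; the function names sha256_of, make_sample_disk and image_and_verify are chosen here, and GNU coreutils (dd, sha256sum) are assumed, with shasum as a fallback.

```shell
#!/bin/sh
# Added example, not code from the paper or from any tool it cites.
# Assumes GNU coreutils dd and sha256sum (shasum -a 256 as a fallback).
set -eu

# Print only the hex SHA-256 digest of a file or block device.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_sample_disk PATH: constructed stand-in for a device, exactly 8 sectors
# of 512 bytes (512 lines of 8 bytes) so the example runs without real media.
make_sample_disk() {
    awk 'BEGIN { for (i = 0; i < 512; i++) printf "%07d\n", i }' >"$1"
}

# image_and_verify SOURCE IMAGE LOG [SECTOR_SIZE]
#  1. hash the source before anything is written anywhere;
#  2. clone it with dd: conv=noerror continues past unreadable sectors and
#     conv=sync pads each such sector with zeros so image offsets stay aligned;
#  3. hash the image, append both digests to LOG, print MATCH or MISMATCH.
# bs must equal the device's sector size: a larger bs makes conv=sync pad the
# final partial block, and the two digests will then legitimately differ.
image_and_verify() {
    src=$1; img=$2; log=$3; bs=${4:-512}
    before=$(sha256_of "$src")
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null
    after=$(sha256_of "$img")
    {
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src sha256=$before"
        echo "image=$img sha256=$after"
    } >>"$log"
    if [ "$before" = "$after" ]; then
        echo MATCH
    else
        echo MISMATCH   # not a faithful copy: do not treat the image as evidence
        return 1
    fi
}
```

The appended log carries the acquisition time and both digests, which is the minimum a chain-of-custody record needs to show later that the image examined is the one originally taken.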
REFERENCES
[1] Anderson, A., Collie, B., De Vel, O., McKemmish, R., Mohay, G., Computer and Intrusion Forensics, Artech House, 2003.
[2] Culley, A., "Computer Forensics: Past, Present, and Future," Information Security Technical Report, vol. 8, pp. 32-36, 2003.
[3] Rogers, M., Seigfried, K., "The Future of Computer Forensics: A Needs Analysis Survey," Computers & Security, vol. 23, pp. 12-16, January 2004.
[4] Schweitzer, D., Incident Response: Computer Forensic Toolkit, Wiley Publishing, Inc., 2003.
[5] website: http://ww.theabsolute.net/sware
[6] website: http://www.majorgeeks.com/download.php?det=2562
[7] website: http://www.cftt.nist.gov
[8] Siever, E., Figgins, S., and Weber, F., Linux in a Nutshell, 4th ed., O'Reilly, 2003.
[9] website: http://www.forensics-intl.com/safeback.html
[10] website: http://www.guidancesoftware.com/products/EnCaseForensic
[11] website: http://www.vmware.com
[12] website: http://www.acronis.com
[13] Nelson, B., Phillips, A., Enfinger, F., and Steuart, C., Guide to Computer Forensics and Investigations, Course Technology, 2004.