
COMPUTER FORENSICS LABORATORY AND TOOLS*

Guillermo A Francia III and Keion Clinton


Mathematics, Computing, and Information Sciences Department
Jacksonville State University
Jacksonville, Alabama
Emails: gfrancia@jsu.edu, kmclinton@hotmail.com

ABSTRACT
The pervasiveness and the convenience of information technology tend to
make most of society deeply dependent on the availability of computers and
network systems. As our reliance on such systems grows, so does our
exposure to their vulnerabilities. Day after day, computers are being attacked
and compromised. These attacks are made to steal personal identities, to bring
down an entire network segment, to disable the online presence of businesses,
or to completely obliterate sensitive information that is critical for personal or
business purposes. It is the responsibility of every organization to establish a
reasonably secure system to protect its own interests as well as those of its
customers. And as computer crime steadily grows, so does the need for
computer security professionals trained in understanding computer crimes, in
gathering digital forensic evidence, in applying the necessary security tools,
and in collaborating with law enforcement agencies. This paper presents the
design and implementation of an experimental Computer Security and
Forensic Analysis (CSFA) laboratory and the tools associated with it. The
laboratory is envisioned to be a training facility for future computer security
professionals.

___________________________________________
*
Copyright © 2005 by the Consortium for Computing Sciences in Colleges. Permission to copy
without fee all or part of this material is granted provided that the copies are not made or
distributed for direct commercial advantage, the CCSC copyright notice and the title of the
publication and its date appear, and notice is given that copying is by permission of the
Consortium for Computing Sciences in Colleges. To copy otherwise, or to republish, requires a
fee and/or specific permission.

143
JCSC 20, 6 (June 2005)

INTRODUCTION
Computers and the Internet have become a major part of our lives. The
pervasiveness and the convenience of information technology tend to make most of
society deeply dependent on the availability of computers and network systems. Each day,
many of us carry out banking transactions, purchases, and message exchanges through
email. As our reliance on such systems grows, so does our exposure to their
vulnerabilities. Day after day, computers are being attacked and compromised. These
attacks are made to steal personal identities, to bring down an entire network segment, to
disable the online presence of businesses, or to completely obliterate sensitive
information that is critical for personal or business purposes. It is the responsibility of
every organization to establish a reasonably secure system to protect its own interests as
well as those of its customers. And as computer crime steadily grows, so does the need
for computer security professionals trained in understanding computer crimes, in
gathering digital forensic evidence, in applying the necessary security tools, and in
collaborating with law enforcement agencies.
Computer forensics is the identification, preservation, and analysis of
information stored, transmitted, or produced by a computer system or computer
network. Its main purpose is to establish the validity of the hypotheses used in an
attempt to explain the circumstances or the cause of an activity under investigation [1].
The practice was initiated by the U.S. military and intelligence agencies in the early
1970’s. Although little is known about these activities due to their classified
environments, it is reasonable to presume that they had a counter-intelligence focus via
computer mainframes. In the 1980’s, the Internal Revenue Service Criminal
Investigations Division (IRS-CID) and Revenue Canada were two of the first
government agencies with an obvious and openly noticeable obligation to carry out
forensics on external systems linking to criminal offences. Also in 1984, the FBI
established the Computer Analysis and Response Team (CART), to provide computer
forensic support [2].
There are a number of computer forensic training courses offered today. However,
most of them are specifically focused on a certain set of tools. A computer forensic
examiner’s training course should be broad enough to familiarize the student with all
methodologies of the field. The National Cybercrime Training Partnership (NCTP) was
set up by the U.S. government, to provide guidance and assistance to local, state, and
federal law enforcement agencies. Other U.S. organizations involved in training include
NCJIS (The National Consortium for Justice Information and Statistics), and the High-
Tech Crime Investigation Association (HTCIA). In Europe, NATO’s Lathe
Gambit Information Security program and Interpol both offer similar training courses for
allied countries. In the Asia-Pacific region, the Australasian Center for Policing
Research (ACPR) conducts a number of training courses for Australia and New Zealand
[3].
A number of proprietary software packages for computer security and forensic analysis are
available on the market today. The evaluation methods and criteria for such software are
detailed in [7] and [13]. Generally we can divide the functionality of such tools into
three main categories as described in [1]:
1. Imaging:
a. Imaging volatile memory;
b. Disk and file imaging;
c. Write blockers;
d. Integrity code generators and checkers.
2. Analysis:
a. Ambient data recovery and searching of raw disk data for text strings,
by sectors;
b. Data and file recovery;
c. Disk and file system integrity checking tools;
d. File conversion;
e. Data filtering by date last modified and other file properties;
f. Search tools;
g. Data mining tools.
3. Visualization:
a. Time-lining;
b. Link analysis tools.

144
CCSC:Mid-South Conference

This paper presents a computer security and forensic analysis project which
includes the design and implementation of 1) an experimental Computer Security and
Forensic Analysis (CSFA) laboratory, 2) a computer security and forensic toolkit for the
laboratory, and 3) hands-on activities on computer forensic analysis.

OBJECTIVES
The objectives of the proposed project are as follows:
1) To design and implement an experimental computer security and forensic
analysis laboratory with features that will suit both research and pedagogical
activities. Although the size of the CSFA laboratory will be limited to a
proof-of-concept variety, its design will be guided by the need for future
scalability in size and adaptability to new technologies.
2) To provide students the exposure to the spectrum of computer forensic tools
and to the development of forensic toolkits that they can use for computer
crime scene investigations.
3) To establish core forensic procedures necessary in performing thorough
inspection of all computer systems and file types, in tracking offenders on the
Internet, in proper evidence handling, and in working with law enforcement
agencies.
4) To explore the possibility of designing a cross-disciplinary course in the area
of computer networks security, forensic data collection and analysis, and
security audit and assessment that will involve two or more academic
disciplines other than computer science.
5) To disseminate the research results and the lessons/experiences gained in
designing and implementing the CSFA laboratory and the hands-on activities
that evolved within.


THE CSFA LABORATORY


The CSFA laboratory consists of five (5) desktop and two (2) notebook computers
taken from previously completed grant projects. All of these computers are configured
to run multiple operating systems, to operate on different network interconnections,
and to support persistent forensic data collection and retrieval activities. These
computers fall into three categories: analysis server, scratch and test workstation,
and evidence collection workstation. The analysis server provides the
platform for forensic analysis and investigation. The scratch and test workstation is used
to simulate hacking activities and vulnerability assessment processes. The evidence
collection workstation is used as a central station for forensic data collection and
replication. The network infrastructure, both wired and wireless, is established using
legacy devices that were gathered from academic computing system upgrades and also
from previously completed grant projects.
In addition to the computing resources described above, various operating system
versions, tape drives, floppy drives, and portable disk drives were obtained
through our reclamation effort to put old computers, systems, and peripherals to
good use.

THE FORENSIC SOFTWARE TOOLS


Data Analysis Tools
Forensic data analysis is the process of revealing and discovering evidentiary
information that may not be apparent or may be completely concealed. With the
availability of data mining techniques, this process may also include intelligent
prediction of events and attack-pattern recognition. Several data analysis tools, both
open source and commercial, are available in the market. A few of these are described in
the following discussions.
The Sleuth Kit/Autopsy Forensic Browser is a collection of open source forensic tools
developed by Brian Carrier. It can be used in accessing low-level file systems, in
searching image files for data, and in viewing file activities. The kit, described
extensively in [14], may be downloaded from a website repository at [15].
Disk Investigator is a forensic freeware utility that can gather a variety of
information from a user’s hard disk [4]. Disk Investigator helps discover all that is
“hidden” on a computer hard disk, aids in locating sensitive data with search-viewing
functions, and displays the drive’s true contents. By bypassing the operating system and
directly reading raw drive sectors, Disk Investigator helps the user search file clusters
for specific keywords or content. The freeware utility is available for download from
[5]. A snapshot of the Disk Investigator’s graphical user interface (GUI) is depicted in
Figure 1.
SectorSpyXP is a powerful computer forensic tool that can be used by law
enforcement or anyone wishing to search for and retrieve evidence left on computer hard
drives and diskettes [4]. SectorSpyXP examines all data on a hard drive or diskette at the
sector level and even contains detailed documentation on how to use it to perform a
keyword search to find and retrieve incriminating evidence. It can be used to retrieve


lost information, text that has been deleted and removed from the Recycle Bin, and even
information not found by other file-retrieval programs. This program works on the
Windows 2000 and XP operating systems. The freeware may be downloaded from the
company website at [6]. A snapshot of the SectorSpyXP graphical user interface (GUI)
is depicted in Figure 2.

Figure 1. The Disk Investigator GUI
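The sector-level keyword search that Disk Investigator and SectorSpyXP perform can be reproduced in a few lines. The following Python example is added here and is not code from the paper or from either product. It builds a small constructed raw image (a live text file, the remnant of a deleted file left in an unallocated sector, and a UTF-16LE string of the kind Windows applications write), then searches the whole image for keywords in both encodings and maps each hit back to its sector number and byte offset, the two values a sector viewer reports.

```python
import re

SECTOR_SIZE = 512


def build_sample_image():
    """Constructed 16-sector raw image (not a real disk). Sector 2 holds a live
    text file, sector 9 the remnant of a deleted file left in unallocated
    space, and sector 12 UTF-16LE text as Windows applications commonly write
    it. All other sectors are zero filler."""
    sectors = [b"\x00" * SECTOR_SIZE for _ in range(16)]

    def place(n, payload):
        sectors[n] = payload[:SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00")

    place(2, b"memo.txt: quarterly figures attached, see invoice 4471\n")
    place(9, b"[deleted] wire transfer to account 99-1234 confirmed\n")
    place(12, "Invoice 4471 paid".encode("utf-16-le"))
    return b"".join(sectors)


def search_sectors(image, keywords, sector_size=SECTOR_SIZE):
    """Search the raw image for each keyword, case-insensitively, encoded as
    ASCII and as UTF-16LE. The match runs over the whole image rather than one
    sector at a time, so a keyword that straddles a sector boundary is still
    found; each hit is then mapped back to (sector number, offset in sector).
    Returns a list of (keyword, encoding, sector, offset) sorted by position."""
    hits = []
    for keyword in keywords:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
            for match in pattern.finditer(image):
                pos = match.start()
                hits.append((keyword, encoding, pos // sector_size, pos % sector_size))
    return sorted(hits, key=lambda hit: (hit[2], hit[3]))


def sector_text(image, sector, sector_size=SECTOR_SIZE):
    """Printable rendering of one sector, the way a sector viewer shows it:
    non-printable bytes become '.', trailing zero padding is dropped."""
    chunk = image[sector * sector_size:(sector + 1) * sector_size].rstrip(b"\x00")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


if __name__ == "__main__":
    img = build_sample_image()
    for keyword, encoding, sector, offset in search_sectors(img, ["invoice", "account"]):
        print(f"{keyword!r} ({encoding}) at sector {sector} offset {offset}: "
              f"{sector_text(img, sector)}")
```

Searching the UTF-16LE encoding as well as ASCII is what makes the "Invoice" string in sector 12 visible; an ASCII-only search, which is what a naive grep over the image amounts to, misses it entirely because of the interleaved null bytes.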

Disk Imaging Tools


In computer forensic analysis, it is always prudent to avoid working directly on the
evidence. This stems from the fact that physical evidence should always be held pristine.
Thus, the need for an excellent disk imaging process and tools is paramount. The National
Institute of Standards and Technology (NIST) [7] has developed several tools used for
disk drive imaging tool evaluation. The Institute’s requirements for disk imaging tools
are:
• The tool should be able to make a bit-stream duplicate or an image of an original
disk or partition.
• The tool should never alter the original disk.
• The tool should be able to log I/O errors.
• The tool’s documentation should all be correct.

Figure 2. SectorSpyXP GUI

The following discussions present several disk imaging tools, both open-source
and commercial types, that can be used for evidence-on-disk preservation.
The “dd” (data dump) command is one of the original UNIX utilities that is used
for disk cloning or duplication. It can extract parts of binary files, write into specified
sectors of a disk, make boot images, and perform file format conversions. A summary of
all “dd” options can be found in [8].
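The NIST requirements listed above (bit-stream duplicate, source never altered, I/O errors logged) and the dd-style copy can be demonstrated together. The Python below is an added example, not code from the paper or from any tool it cites; SectorDevice is a constructed stand-in for a raw disk, and the zero-fill-on-error policy mirrors dd’s conv=noerror,sync. The acquisition hash is computed over the bytes as they are written and then independently recomputed over the finished image, so a later alteration or truncation of the image is caught.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


class SectorDevice:
    """Constructed stand-in for a raw disk (not a real device driver): a byte
    buffer read one sector at a time. Sector numbers listed in `bad_sectors`
    raise OSError to simulate unreadable media."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR_SIZE == 0, "sample data must be sector aligned"
        self.data = data
        self.bad_sectors = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self.data) // SECTOR_SIZE

    def read_sector(self, n):
        if n in self.bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        start = n * SECTOR_SIZE
        return self.data[start:start + SECTOR_SIZE]


def image_device(device, image_path):
    """Bit-stream copy of `device` into `image_path`.

    The source is only ever read. An unreadable sector is logged and replaced
    by a zero-filled sector so that every later sector keeps its original
    position in the image (the same policy as `dd conv=noerror,sync`).
    Returns (acquisition SHA-256 over the bytes as written, list of errors).
    """
    acquisition = hashlib.sha256()
    errors = []
    with open(image_path, "wb") as out:
        for n in range(device.sector_count):
            try:
                chunk = device.read_sector(n)
            except OSError as exc:
                errors.append((n, str(exc)))
                chunk = b"\x00" * SECTOR_SIZE
            out.write(chunk)
            acquisition.update(chunk)
    return acquisition.hexdigest(), errors


def verify_image(image_path, expected_hex):
    """Second, independent hash pass over the finished image file. A mismatch
    means the file was altered or truncated after acquisition."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(64 * 1024), b""):
            h.update(block)
    return h.hexdigest() == expected_hex


def demo(bad_sectors=()):
    """Image a constructed 8-sector device into a temporary file and verify it.
    Each sector of the sample is filled with its own sector number."""
    data = b"".join(bytes([n]) * SECTOR_SIZE for n in range(8))
    device = SectorDevice(data, bad_sectors)
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        digest, errors = image_device(device, path)
        verified = verify_image(path, digest)
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.remove(path)
    return {
        "sha256": digest,
        "verified": verified,
        "errors": errors,
        "identical_to_source": image == data,
        "image_size": len(image),
    }


if __name__ == "__main__":
    print(demo())
    print(demo(bad_sectors=[3]))
```

The second run shows the point of the error log: with sector 3 unreadable the image still verifies against its own acquisition hash and keeps its full size, but it is no longer identical to the source, and only the log tells the examiner which sector was substituted.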
Acronis True Image 6.0 [12] takes an exact image of a hard disk drive or of separate
partitions and produces a complete backup image or a clone of it. Acronis’ technology
allows creating and restoring complete disk images from within Windows on FAT16/32 and
NTFS, as well as on the Linux Ext2, Ext3, and ReiserFS file systems.
SafeBack [9] is used to create mirror-image (bit-stream) files of disks or disk
partitions. It is a self-authenticating forensics tool that is used to create evidence-grade
images of disk drives. The self-authentication (integrity preservation) of SafeBack files
is achieved through the use of two separate mathematical hashing processes which rely
upon the NIST-tested SHA256 algorithm.
EnCase [10] can be used to mount images of hard drives or CDs as read-only local
drives. Together with VMWare [11], a virtual machine infrastructure software, EnCase
enables booting and examining a computer under investigation in the state it was in when
the evidence was first captured.


FORENSIC LABORATORY PROJECTS


The following laboratory projects are designed to provide hands-on training
exercises in computer forensics analysis.
• Given a specific disk imaging tool, design and implement a test methodology that
will provide a measure of assurance of its effectiveness. Refer to the NIST testing
methodologies found in [7] for guidance.
• Given a floppy disk that contains hidden evidence material, perform a thorough
data analysis and extract the hidden evidence from it.
• Given an image file that has been severely corrupted, recover parts of it through
header reconstruction and, possibly, value interpolation.
• Perform an analysis of a given Ethereal log file and report all findings. (Note: the
logging was done during a simulated attack on a test workstation).
• Given a hard disk representing captured evidence material, create working
copies of a) the entire disk, b) specific sectors on the disk, and c) specified
files and folders on the disk. Check the integrity of the working copies.
• Perform a data analysis of a given file representing the dumped system/security log
files and report all findings. (Note: the log files will contain information on
simulated penetration attempts and system file alterations). Do this task separately
for Windows 2000 and Linux operating systems.
• Given a floppy disk as evidence material, recover all forensic information from
this disk. This information will include, but is not limited to, deleted files, file activity
timelines, file types, corrupted files, and basic file information such as size, date
created, ownership, and access modifiers.
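The file activity timeline asked for in the last exercise is, in practice, a MAC-time timeline: the modified, accessed and changed timestamps of every file, including deleted entries, merged into one chronological list. The Python below is an added example and not part of the paper or of any tool it cites. SAMPLE_RECORDS is a constructed set of file metadata, and mac_timeline flattens the three timestamps per file into one event list using the m/a/c flag convention of The Sleuth Kit’s mactime output (the visualization category listed in the introduction).

```python
from datetime import datetime

# Constructed file records (not from a real disk image): path, size, the
# modified / accessed / changed timestamps an examiner reads from the file
# system, and whether the entry was found deleted.
SAMPLE_RECORDS = [
    {"path": "/etc/passwd", "size": 1821,
     "mtime": datetime(2005, 3, 1, 10, 0), "atime": datetime(2005, 3, 1, 10, 5),
     "ctime": datetime(2005, 3, 1, 10, 0), "deleted": False},
    {"path": "/var/log/auth.log", "size": 40960,
     "mtime": datetime(2005, 3, 1, 10, 3), "atime": datetime(2005, 3, 1, 10, 6),
     "ctime": datetime(2005, 3, 1, 10, 3), "deleted": False},
    {"path": "/tmp/.hidden/tool", "size": 5120,
     "mtime": datetime(2005, 3, 1, 9, 58), "atime": datetime(2005, 3, 1, 9, 58),
     "ctime": datetime(2005, 3, 1, 9, 58), "deleted": True},
]


def mac_timeline(records):
    """Flatten per-file m/a/c timestamps into one chronological event list.
    Each event is (timestamp, flags, path). `flags` is a three-character
    field over 'mac' where a dot marks a timestamp that does not fall at that
    instant, the convention used by The Sleuth Kit's mactime output."""
    events = {}
    for rec in records:
        label = rec["path"] + (" (deleted)" if rec["deleted"] else "")
        for kind in ("m", "a", "c"):
            events.setdefault((rec[kind + "time"], label), set()).add(kind)
    return [
        (stamp, "".join(k if k in kinds else "." for k in "mac"), label)
        for (stamp, label), kinds in sorted(events.items())
    ]


def events_in_window(timeline, start, end):
    """Events whose timestamp lies in [start, end]: the usual way to narrow a
    timeline to the period around a suspected incident."""
    return [event for event in timeline if start <= event[0] <= end]


def format_timeline(timeline):
    """One line per event, oldest first, as an examiner would read it."""
    return "\n".join(f"{stamp:%Y-%m-%d %H:%M} {flags} {path}"
                     for stamp, flags, path in timeline)


if __name__ == "__main__":
    print(format_timeline(mac_timeline(SAMPLE_RECORDS)))
```

Reading the output in order is the whole technique: the deleted entry appears first because all three of its times precede the change to /etc/passwd, and the later access-only events (.a.) show which files were read after the change without being modified.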

CONCLUSIONS AND FUTURE PLANS


This paper outlined the resources found in an experimental computer security and
forensics laboratory and the supported hands-on exercises. The activities and projects
are designed and structured to provide practical experiences while illustrating theory and
possible research areas. As indicated above, the computer security and forensic
laboratory can be implemented using legacy equipment that may be acquired at a
minimal cost.
The challenge for the authors will be in the continual development of these
activities and the introduction of novel practices that will leverage the availability of
state-of-the-art equipment and system tools. Future work will include:
• Forensic analysis of application code
• Web services security
• Radio Frequency Identifier (RFID) security
• Forensic analysis of electronic mail
• Development of advanced vulnerability assessment tools.

ACKNOWLEDGEMENTS
This paper is based upon a project partly supported by the National Science
Foundation under grants DUE-9950946 and DUE-0125635. Opinions expressed are
those of the authors and not necessarily of the Foundation.


REFERENCES
[1] Anderson, A., Collie, B., De Vel, O., McKemmish, R., Mohay, G., Computer and
Intrusion Forensics, Artech House, 2003.
[2] Culley, A., “Computer Forensics: Past, Present, and Future,” Information Security
Technical Report, vol. 8, pp. 32-36, 2003.
[3] Rogers, M., Seigfried, K., “The Future of Computer Forensics: A Needs Analysis
Survey,” Computers & Security, vol. 23, pp. 12-16, January 2004.
[4] Schweitzer, D., Incident Response: Computer Forensic Toolkit, Wiley Publishing,
Inc., 2003.
[5] website: http://ww.theabsolute.net/sware
[6] website: http://www.majorgeeks.com/download.php?det=2562
[7] website: http://www.cftt.nist.gov
[8] Siever, E., Figgins, S., and Weber, F., Linux in a Nutshell, 4th Ed., O’Reilly
Publishing, 2003.
[9] website: http://www.forensics-intl.com/safeback.html
[10] website: http://www.guidancesoftware.com/products/EnCaseForensic
[11] website: http://www.vmware.com
[12] website: http://www.acronis.com
[13] Nelson, B., Phillips, A., Enfinger, F., and Steuart, C., Guide to Computer Forensics
and Investigations, Course Technology, 2004.
