Guide to a Secured and Hassle-Free Internet Life

Articles on Computer Forensics and Network Forensics

June 2010

A Report Prepared By

http://www.agdatacom.com/

with support from

eDecision Group http://www.edecision4u.com/

Copyright 2010. AG Datacom Philippines Inc. All Rights Reserved.

OVERVIEW

I am sitting at my desk thinking about what my next topic to discuss should be. Do I really have an opening discussion at all? I have been in the IT industry for a long time and do not really have enough time to write about the things I really want to tackle. Mostly, what gets written is either purely theoretical, rephrasing a statement and adding a new standpoint, or plain technical documentation that covers one product after another. I am starting to think more about that. As Pre-Sales Manager of AG Datacom Philippines Incorporated, managing all the IT products and solutions that help everyone with their technology needs, from desktop management to the most complicated and sophisticated IT requirements, I want to see the real position of our country, the Philippines, in the IT environment. It is something missed by IT people and neglected because it is not really a priority, not a high priority right now. But what really concerns us now is this: how are we doing in the IT environment individually? Are we really secure in our Internet life? Do you experience any changes during your online transactions, or any unknown errors while surfing? The growing danger from cyber crimes against computers and the Internet is starting to claim important attention in our region nowadays. The Philippines, I would say, is not yet aware enough of Internet-related problems such as Internet bugs, viruses, errors, unavailable websites, intrusion and the most common attack, hacking, which is able to steal millions of pieces of information on the web with just a little code, a few keystrokes and one click of the mouse. Isn't that amazing? No need for personal contact or interaction; it is just a little research, a tool to retrieve someone else's account, a few tweaks and boom! Hacking complete. Is everyone in our country aware of it?

Even though every time we enter into any online transaction we see some reminders, we often ignore those crucial notes and just go ahead with our online business to save time and for convenience. I do not argue with that when it comes to the convenience of online processing. No queue. No business operating hours. No personal interaction with annoying staff. Just input your account details, such as your username and password, one click on logon or submit, and you get everything you need. I have been researching Philippine law regarding cyber crime and related Internet crime laws and punishments; they really do exist. But those existing laws happen to be unenforceable against such crimes. This lack of legal protection means that businesses, public and most likely private, depend on their in-house technical measures to prevent data theft, denial of access or, worst of all, destruction of their information in full blast. Individual self-protection, which is very essential, is not ample to make your cyber world peaceful and secure. It is still not able to make business transactions on the World Wide Web safe. Those laws should be enforced. Inadequate legal protection in countries that are not really implementing the rule of law makes them increasingly less competitive in the global market and economy. In addition, the law itself is only part of the answer. As we all know, extending the rule of law is a very critical step in securing business all over the globe and creating a trustworthy environment for people. To provide self-protection, especially in private institutions and business groups, organizations should focus on cyber security rules and measures within their premises. As technology drags us along in its fast-paced process, organizations need to commit the resources to educate employees on security practices, develop thorough plans for the handling of sensitive data, records and transactions, and incorporate robust security technology (such as firewalls, anti-virus software, intrusion detection tools and authentication services) throughout the organization's computer systems.

These tools, whether software or hardware, are mainly for system protection; they defend information systems, and they are complex and expensive to operate. To avoid hassle and expense, system manufacturers and system operators routinely leave security features turned off, needlessly increasing the vulnerability of the information on the systems. Bugs and security holes with known fixes are routinely left uncorrected. Further, no agreed-upon standards exist to benchmark the quality of the tools, and no accepted methodology exists for organizations to determine how much investment in security is enough. The inability to quantify the costs and benefits of information security investments leaves security managers at a disadvantage when competing for organizational resources. Much work remains to improve management and technical solutions for information protection. [1]

Computer networks, whether wired or wireless, should both be implemented with strong security in order to breathe in and out peacefully. A wired network can be controlled by the computer policy implemented within the premises; it is easy to secure by using appropriate devices that integrate with one another. Now I am thinking ahead: working in the cloud, wirelessly, is it that safe? So I am considering the fact that we have a solution for this kind of issue, having thoroughly browsed our variety of IT solutions. I am digging through all my material on this product, and I am happy to see related articles that I can share here and whose importance I can tackle throughout this documentation. Please take note that the articles and related documentation that follow are not my own creation. They come from our business partners, and we want to share them in order to fully understand how this issue can affect us individually as well as globally. We cannot thank them enough for giving us the opportunity to tackle these issues, and for their respective contributions, which can turn out to be a great solution nowadays.

1. For more information, please visit: http://www.witsa.org/papers/McConnell-cybercrime.pdf

Challenges of Computer Forensics and Network Forensics


Computer Forensics, or Digital Forensics as it is popularly called, is a science that helps apply the criminal laws of a state or country to crimes committed with a computer and its accessories, or to crimes in whose commission a computer was used and might hold the evidence. The technique involves seizing the computer and its accessories in order to collect digital evidence from the storage media containing the data of interest. This sounds simple, right? Not so fast, I would say. The methodology for acquiring data from the computer requires due care and documentation, so that the evidence remains unchanged throughout processing, up to the final evidence production stage. These actions keep the evidence in its pristine state and make the whole process reproducible, so that anyone following the same process arrives at the same conclusion. This is what makes it a science. Technology is changing very fast, and the way computer users store data is changing with it. Storage media sizes and types keep changing, and network bandwidth and speed have increased enough to allow easy transfer of data from the local computer to other locations, which poses a challenge to computer forensic examiners. Storage media encryption has also made it difficult for examiners to access data on a local machine that has been powered down when the suspect refuses to divulge the decryption key. In such a situation it takes either a court order directing the suspect to release the key, or network acquisition of the partitions on the suspect's computer while it is running and the volumes are unlocked. That, again, has its own challenges if the system password of the computer is unknown or the examiner does not have administrator privileges on the target computer.

The challenge is smaller when the target is a corporate client machine, as administrators have local administrator rights on all client machines in a domain. Network data acquisition has its drawbacks, however: some of the tools used install an agent on the target machine to enable the network connection. The installed agent changes the data on the drive, and therefore the MD5 checksum of the drive as a whole, and the examiner can face a challenge in court if the actions taken are not clearly recorded and the changes made to the data are not enumerated. An agent on the target machine might even be deemed a malware installation, which borders on a crime committed by the examiner and could cause the whole case to be thrown out of court. There are also instances where data on a drive is corrupted and evidence cannot be obtained directly. In such circumstances an examiner might be compelled to format the drive and use data recovery tools to recover the files on it; this should only ever be done on a verified forensic image, never on the original media, so that the original stays intact and hash-verifiable for re-examination. This is where reliance on the registry for events and their time stamps becomes crucial in pinpointing when something occurred, e.g. which USB storage device was attached to the system, and when. I call this technique "destroy and search", as opposed to the popular "search and destroy" concept used by the military in combat operations. When this technique is used, the "goldmine" to harvest is the unallocated space.
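The verification step the paragraph above rests on, as an added Python example that is not part of the article or of any acquisition tool: the image is hashed in fixed chunks at acquisition time, both digests are recorded together with examiner and timestamp for the chain-of-custody form, and the same routine is rerun later to prove the image is unchanged. The sample "disk", the examiner name and the simulated agent footprint are constructed for the example; SHA-256 is recorded alongside MD5 because MD5 collisions are practical and a defence expert can raise that point.

```python
import datetime
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images need not fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Compute several digests over a file-like object in one pass; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(source, image, examiner, note):
    """Hash the source media and the image copied from it, and return the entry that goes on
    the chain-of-custody form. 'verified' is True only when source and image hash identically."""
    source_hashes = hash_stream(source)
    image_hashes = hash_stream(image)
    return {
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "note": note,
        "source": source_hashes,
        "image": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify_image(image, record):
    """Re-hash the image later (before analysis, before court) and compare with the record."""
    return hash_stream(image) == record["image"]


# Constructed sample "disk": three 512-byte sectors, one holding a document (not a real capture).
SECTOR = 512
SAMPLE_DISK = (bytes(SECTOR)
               + b"Q3 price list - CONFIDENTIAL".ljust(SECTOR, b"\x00")
               + b"\xff" * SECTOR)
# Hypothetical footprint a remote-acquisition agent leaves on the live drive (one overwritten sector).
AGENT_FOOTPRINT = b"agent.exe".ljust(SECTOR, b"\x00")


def demo():
    """Dead acquisition (bit-for-bit copy) versus live acquisition after an agent touched the drive."""
    source = io.BytesIO(SAMPLE_DISK)
    clean_image = io.BytesIO(SAMPLE_DISK)
    live_image = io.BytesIO(SAMPLE_DISK[:2 * SECTOR] + AGENT_FOOTPRINT)
    clean = acquisition_record(source, clean_image, "examiner (constructed)", "dead acquisition, write blocker")
    live = acquisition_record(source, live_image, "examiner (constructed)", "network acquisition, agent installed")
    return clean, live, clean_image


if __name__ == "__main__":
    clean, live, image = demo()
    print("dead acquisition verified:", clean["verified"])
    print("live acquisition verified:", live["verified"], "(agent footprint must be enumerated in the report)")
    print("image still matches record:", verify_image(image, clean))
```

The live acquisition fails verification even though only one sector differs; that is why the report must enumerate exactly what the agent wrote, rather than rely on the drive hash alone.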

The "Simple file Carver tool", by Filesig, does a good job with data carving, and every forensic examiner should have one in their arsenal of tools. In conclusion, one can safely infer that as computer technology evolves, so must digital forensic practice. For instance, the default sector size for hard drives is changing from 512 bytes to 4096 bytes, which is going to change some of the ways we examine evidence on drives with respect to the definition of slack space and unallocated space. At this point we are faced with the question: what happens to the 1024-byte MFT record size on NTFS partitions? Are operating systems going to change to adapt to this situation? Are forensic tool vendors going to retool? All I can say for now is: time will tell. My next article will be on cloud computing and Network Forensics.
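The carving the article recommends, as an added Python example that is not part of the article or of the Filesig tool it names: a header/footer carver run over a constructed buffer standing in for unallocated space. The signature table and the two embedded fake JPEGs are constructed for the example. The carver accepts a header as a file start only when it sits on a sector boundary, a common speed-up in carving tools, and that is exactly where the paragraph's point bites: run with an assumed 4096-byte sector size against a 512-byte-sector drive, it silently misses the file starting at offset 512.

```python
import hashlib

# Header/footer signature table, constructed for this example (real tools ship far larger ones).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve(unallocated, sector_size=512, max_size=10 * 1024 * 1024):
    """Header/footer carving over a buffer of unallocated space.

    A header is only accepted as a file start when it sits on a sector boundary, because a
    file system never begins a file mid-sector; this is the usual speed-up in carving tools,
    and it is exactly the assumption that breaks if sector_size does not match the drive.
    Footers are searched within max_size so a missing footer cannot swallow the whole buffer.
    Each hit is hashed so the report can reference it without re-extracting it."""
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while (start := unallocated.find(header, pos)) != -1:
            pos = start + 1
            if start % sector_size:
                continue                                   # mid-sector hit: fragment, not a file start
            end = unallocated.find(footer, start + len(header), start + max_size)
            if end == -1:
                continue                                   # truncated or footer-less: skip, do not guess
            data = unallocated[start:end + len(footer)]
            found.append({"type": name, "offset": start, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end + len(footer)
    return sorted(found, key=lambda f: f["offset"])


def _fake_jpeg(body):
    """SOI marker, APP0 marker byte, filler body, EOI marker: enough to carve, not a real image."""
    return b"\xff\xd8\xff\xe0" + body + b"\xff\xd9"


def build_sample_unallocated():
    """Constructed 8 KiB of 'unallocated space' holding two deleted JPEGs and a stray header."""
    buf = bytearray(8192)
    first, second = _fake_jpeg(b"first image " * 4), _fake_jpeg(b"second image " * 6)
    buf[512:512 + len(first)] = first        # on a 512-byte boundary, but not a 4096-byte one
    buf[4096:4096 + len(second)] = second    # on both
    buf[1000:1003] = b"\xff\xd8\xff"         # header bytes mid-sector: leftover fragment
    return bytes(buf)


if __name__ == "__main__":
    space = build_sample_unallocated()
    for sector in (512, 4096):
        hits = carve(space, sector_size=sector)
        print(f"sector_size={sector}: {[(h['type'], h['offset'], h['size']) for h in hits]}")
```

Run it and the 512-byte pass returns both images while the 4096-byte pass returns only the second; the carver must be told the real sector (and ideally cluster) geometry of the evidence drive, not the examiner's workstation.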

Cloud Computing and Network Forensics in the Eyes of Computer Forensic Examiner
Technology keeps amazing me. It changes so rapidly that sometimes, before one catches up to it, it has evolved to a newer phase with a whole new set of changes from the previous one. This means users have to keep spending money to keep up, the end result being nagging, complaining, and a lot of money spent: a vicious cycle that keeps turning. It is this array of unending expenditure that has brought forth what is now called "cloud computing". Cloud computing allows users to use, on a server located somewhere deemed "the cloud", all the resources they would otherwise have invested in installing on their local machines: storage space, applications, social networking and so on, for a fee. The computer user does not have to worry about the hard drive crashing, data being stolen from the computer, etc. Just pay a fee and you are good to go. Files and applications are accessed through the web, which means all one needs is Internet access and an access device, which could be a portable handheld device, a smart phone or a basic computer. Many organizations and individuals are already using this technology and have realized its great benefit of being hassle free. However, we may pause to ask ourselves a few questions: do we know where our data is physically located? Do we know how secure our records are? How do we investigate an event should a breach occur? Are we in compliance with legislation and regulations such as SOX, HIPAA, etc.? As a network administrator in an organization, how much grasp do you have on controls, security and function? These are some of the questions we have to keep asking ourselves. As Computer Forensic Examiners, what do we do to access breached data for analysis? Is a search warrant issued in your jurisdiction going to be honoured in the location where the servers sit? What limitations are you going to face? Do countries have treaties that will allow cross-border search warrants to be executed?

Before we go through all the impediments that might stand in the way of an investigation, Network Forensics might be a prime solution to buttress your case for further searches. Network Forensics, in the conventional sense, is the analysis of network traffic logs to trace events that have occurred. The logs may reveal the source and destination IP addresses of the systems in question, as well as time stamps, the event that occurred and the type of transaction that took place. Logs alone sometimes lead to a dead end, rendering the investigation useless: the evidence in question is never discovered and the culprits walk away free while the victim loses out, as in a case of corporate espionage. The best way to deal with the impediments of a cloud computing investigation is lawful interception of the data crossing the corporate boundary to the cloud. This is the collection of raw packets at the data link layer by tools such as Decision Group's E-Detective capturing appliance and the E-Detective Data Decoding Center, which decode the raw data, in real time as well as offline, into the various web application formats. There are other cost-effective and easy-to-use tools from Decision Group that provide total compliance solutions to companies and law enforcement agencies facing the same impediments I have mentioned. We cannot revert to the old way of doing things on our networks. Cloud computing is a technology of now, and its use is going to increase with time. We have to be able to investigate data that has crossed the network through the Internet to the cloud. Do we have what it takes to do the job? I believe we all have to adjust to meet the present test of time. In my next presentation I will talk about Network Packet Forensics and evidence handling, and how to make it acceptable in a court of law.

Deep Packet Inspection and Reconstruction for Network Forensics and Lawful Interception
I am back as promised, to talk about Deep Packet Inspection and Reconstruction for the purpose of Network Forensics and Security. Deep packet inspection technology is based on sniffing network traffic with a network adapter set in promiscuous mode on the network being monitored. The packets sniffed and captured in this process are not interpreted from the header information alone; the data payload is analysed at the same time to gather information about session establishment and about the presentation layer and application layer content. Promiscuous mode makes the network interface card pass every frame it sees up to the capture software, rather than only the frames addressed to its own MAC address or to the broadcast address, which is all it normally accepts. On a hub serving as the central connection point of all nodes, every frame is repeated out of every port, so a promiscuous interface on any port sees the whole network. These days hubs have been replaced with switches, which defeats the purpose of sniffing traffic on the entire network: a switch forwards unicast frames only to the port where the destination MAC address was learned, so a port normally sees only its own traffic plus broadcasts (each switch port is its own collision domain, while the broadcast domain is the VLAN). MAC flooding is a way to overflow the switch's address table and make it fall back to behaving like a hub, hence enabling sniffing of packets across all its ports; it is an attack technique, however, noisy and detectable, and not a lawful or reliable basis for a monitoring deployment. The process of deep packet inspection begins with packet capture, which occurs at the outgoing connection to the Internet. Depending on which sections of the network are to be monitored, a switch can be configured with a mirror (SPAN) port, where copies of the packets leaving the network are mirrored to the port the capturing appliance is connected to. The alternative is inline capture, where the cable from the internal network is connected to one port of the capturing appliance and another port of the appliance is connected to the Internet-facing interface, so all traffic physically passes through it. The captured packets are then organised into their various data formats on the basis of the inspection carried out during capture, and the data is decoded by the appliance to allow playback. Playback presents the data in the same format in which it entered the network, which is good, as the viewer sees exactly what the user saw. One limit a practitioner should keep in mind: traffic that is encrypted end to end (TLS/SSL, VPN tunnels) cannot be decoded or played back this way without the keys or an interception proxy; only the endpoints, timing and volume remain visible. There are three appliances engineered by Decision Group Inc. that carry out the capturing, decoding and playback. The E-Detective and Wireless-Detective products do real-time decoding and play back data. There is also the E-Detective Decoding Center appliance, which does both real-time decoding and playback of data, and offline decoding of data either captured by the device or captured off site using a network packet sniffing device. All decoded data is stored in a database on the appliance, which allows investigators to sift through it to find evidence, should the need ever arise, with less difficulty.

Note of caution: first and foremost, every reader must know that intercepting network traffic without authorization is illegal in most jurisdictions; lawful interception is the exception, not the rule, and its conditions are set by law. Corporations, in protecting their intellectual property and the integrity of their network traffic and in fighting off malware and viruses, can use sniffing technology with caution. Employees must be made aware that such monitoring is going on, and must be duly informed of it. Secondly, employees must also be given a central location with Internet-ready computers where they can transact their personal business and check their mail; this network must not be included in the segment being sniffed. For the purpose of computer forensics, as cloud computing has changed the way data can be stored, the surest way to be able to track back e-mails and other computer-based communications, which are the means most used in committing corporate crimes, is to have such a system in place. This eliminates the need to figure out how to execute search warrants on cloud storage sites, which might be thousands of kilometres away, because a replica of the communication is stored on site. As national security is on the mind of every government in the world and deemed very important, I believe the art of lawful packet interception will be very instrumental in tracking down criminals and terrorists, as most of their communication is via the Internet. Deep packet inspection technology should be instrumental in dealing with such acts. Law enforcement agencies in Taiwan have used this technology from Decision Group with success. This is the moment to think seriously about adopting this technology for lawful use. Privacy must be considered in that brainstorming session. Just as we now go through virtual strip searches at airports, privacy must be carefully defined when dealing with national security. There are ways to prevent abuse of this technology. 1: Only sworn law enforcement officials, or corporate security in a corporate deployment, may have access to the management interface of the appliance to search for information; in government investigations, search warrants must be obtained before access to data is granted. 2: Captured data must be preserved in a manner that follows proper chain-of-custody procedures. 3: Officers running the appliances must be well trained to carry out their work. Security, as I always say, is 85% common sense application and 15% technology. And of that 15%, 90% depends on people and 10% on the equipment.
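What "deep" means in deep packet inspection, as an added Python example that is not from the article or from any Decision Group product: synthetic Ethernet/IPv4/TCP frames are parsed past the headers, the TCP segments of one flow are stitched back together in sequence order (handling an out-of-order segment and a retransmission), and the request line and Host header are recovered from the reassembled HTTP payload. The frames, MAC and IP addresses and the request are all constructed. The frames_delivered function models the promiscuous-mode point made above: none of the frames are addressed to the monitoring NIC, so without promiscuous mode it would receive only the broadcast ARP frame and reconstruct nothing.

```python
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header without options
BROADCAST_MAC = b"\xff" * 6


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Assemble a synthetic Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    tcp = TCP_HDR.pack(sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload  # PSH|ACK
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip) + tcp
    return ETH_HDR.pack(dst_mac, src_mac, 0x0800) + ip


def frames_delivered(frames, nic_mac, promiscuous):
    """What the NIC hands to the sniffer: normally only frames for its own MAC or broadcast,
    in promiscuous mode every frame on the wire."""
    if promiscuous:
        return list(frames)
    return [f for f in frames if ETH_HDR.unpack_from(f, 0)[0] in (nic_mac, BROADCAST_MAC)]


def parse_tcp_segment(frame):
    """Walk Ethernet -> IPv4 -> TCP; return (flow_key, seq, payload), or None for anything else."""
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    ip_off = ETH_HDR.size
    ver_ihl, _, total_len, _, _, _, proto, _, src_ip, dst_ip = IPV4_HDR.unpack_from(frame, ip_off)
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    tcp_off = ip_off + (ver_ihl & 0x0F) * 4
    sport, dport, seq, _, doff, _, _, _, _ = TCP_HDR.unpack_from(frame, tcp_off)
    payload = frame[tcp_off + (doff >> 4) * 4 : ip_off + total_len]
    return (src_ip, sport, dst_ip, dport), seq, payload


def reassemble_streams(frames):
    """Group segments per one-directional flow and stitch payloads in sequence order,
    dropping retransmitted bytes and stopping at the first gap rather than guessing."""
    segments = defaultdict(list)
    for frame in frames:
        parsed = parse_tcp_segment(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].append((seq, payload))
    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda s: s[0])
        data, next_seq = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq < next_seq:                  # overlap or retransmission: keep only new bytes
                payload, seq = payload[next_seq - seq:], next_seq
            if seq > next_seq:                  # missing segment: do not fabricate content
                break
            data += payload
            next_seq += len(payload)
        streams[key] = bytes(data)
    return streams


def extract_http_requests(streams):
    """Application-layer step: pull request line and Host header from reassembled payloads."""
    requests = []
    for (src_ip, sport, dst_ip, dport), data in streams.items():
        head, sep, _ = data.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        if not sep or not lines[0].startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
            continue
        host = next((l.split(b":", 1)[1].strip().decode() for l in lines[1:]
                     if l.lower().startswith(b"host:")), None)
        requests.append({"src": f"{socket.inet_ntoa(src_ip)}:{sport}",
                         "dst": f"{socket.inet_ntoa(dst_ip)}:{dport}",
                         "request": lines[0].decode("ascii", "replace"), "host": host})
    return requests


# Constructed traffic: a client GET split across two segments, delivered out of order and
# once retransmitted, plus an ARP broadcast. Nothing is addressed to the monitoring NIC.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
MONITOR_MAC = bytes.fromhex("ccddeeff0011")
CLIENT_IP, SERVER_IP = socket.inet_aton("192.168.1.10"), socket.inet_aton("203.0.113.5")
REQUEST = b"GET /login HTTP/1.1\r\nHost: mail.example.test\r\nUser-Agent: demo\r\n\r\n"
SPLIT = 24
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 80, 1000 + SPLIT, REQUEST[SPLIT:]),
    ETH_HDR.pack(BROADCAST_MAC, CLIENT_MAC, 0x0806) + bytes(28),   # ARP request, not TCP
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 80, 1000, REQUEST[:SPLIT]),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 80, 1000, REQUEST[:SPLIT]),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = frames_delivered(SAMPLE_FRAMES, MONITOR_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} frames ->",
              extract_http_requests(reassemble_streams(seen)))
```

A real appliance feeds the same pipeline from a mirror port or inline tap instead of a constructed list, and adds per-protocol decoders beyond HTTP; the reassembly rule of refusing to fill gaps is what keeps the playback defensible as evidence.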

Deep packet inspection needed for combating cybercrime


I know there is privacy law governing the Internet, which is a great idea. At the same time, the same Internet service is mostly used as a vehicle for attacking networks, be they government, corporate or individual networks. Just as we have all agreed to be searched thoroughly at airports before flights, we should allow the security agencies to use deep packet inspection to help protect networks. Sounds interesting, right? Yes. So how do we do it right? 1: Capturing packets and keeping them for a period of time, so that security agents can reach into the packets to find the source of an attack should the need arise, would be the best solution. To the best of my knowledge, such technology exists, and it is easy to use. To learn more, visit http://www.edecision4u.com

The articles collected here were written by Samuel Amoah, a Certified Computer Examiner, Network Packet Forensics Examiner and Private Investigator, and President of CFG Computer Forensics Inc., located in Brampton, Ontario, Canada, a partner of Decision Group.

What is AG Datacom?

AG Datacom Philippines Incorporated is a pioneer in the development of computerized call billing systems and is also the distributor and system integrator for many computer-telecommunication related solutions, which have helped many organizations use their computer-telecommunication assets more efficiently and effectively. Since its inception, AG Datacom has also been expanding from strictly technical product development into active marketing and after-sales service, with the objective of becoming a leading computer-telecommunication solution provider. Why Datacom? Customer satisfaction is our business. Our relationship with your company doesn't end after a sale has been closed; rather, it is only just beginning. Our prime after-sales support team has succeeded in satisfying the security needs of the numerous companies, in various industries, that have invested in our systems. Quality product is our commitment. We have taken every effort to assure you of a failsafe system by subjecting each product to every conceivable real-world disaster it may encounter. Investment protection is yours. We have been successful in making obsolescence a concern of the past. Using our system means your investment is preserved as your company grows, because we offer a complete range, so there is no need to buy a new system; upgrading the existing one is enough.

AG DATACOM PHILIPPINES INCORPORATED Suite 1705, 17th Floor Atlanta Center, # 31 Annapolis Street, Greenhills, San Juan, Metro Manila, Philippines 1502

+ (632) 7443243 / 5840988 info@agdatacom.com
