Archive for August 2011
Introduction
Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.
About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product, and it is not written in bias of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics. This guide uses the term “computer”, but the concepts apply to any device capable of storing digital information. Where methodologies are mentioned they are provided as examples only and do not constitute recommendations or advice. Copying and publishing the whole or part of this article is licensed solely under the terms of the Creative Commons – Attribution Non-Commercial 3.0 license.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a ‘scene of a crime’, for example with hacking [1] or denial of service attacks [2], or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking. It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘meta-data’ [3] associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.
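The document meta-data described above can be read straight out of the file. As an added example, not part of the original guide, the script below extracts the creator, the last editor, and the creation, modification and last-printed times from an Office Open XML package (.docx, .xlsx, .pptx), whose docProps/core.xml part carries exactly those fields. The sample package, and every name and date inside it, is constructed in memory so the script runs offline; no real document is needed.

```python
"""Read authoring metadata from an Office Open XML document.

Added example (not part of the original guide). A .docx/.xlsx/.pptx file is
a ZIP package; its docProps/core.xml part records who created the file,
who last saved it, and when it was created, modified and last printed.
The package parsed here is constructed in memory, and every name and time
in it is made up, so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces that docProps/core.xml uses in every OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Core-property elements to report, keyed by a friendly name.
FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
}
TIME_FIELDS = ("created", "modified", "last_printed")


def parse_w3cdtf(text):
    """core.xml stores times as W3CDTF in UTC, e.g. 2011-08-14T17:45:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def core_properties(package_bytes):
    """Return the core properties of an OOXML package as a dict.

    Absent elements are reported as None, so "never printed" is
    distinguishable from "field not parsed".
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for name, path in FIELDS.items():
        element = root.find(path, NS)
        props[name] = element.text if element is not None else None
    for name in TIME_FIELDS:
        if props[name] is not None:
            props[name] = parse_w3cdtf(props[name])
    return props


def timeline(props):
    """Order the recorded events chronologically, as an examiner would lay
    them out before asking whether the sequence is plausible."""
    events = [(props[n], n) for n in TIME_FIELDS if props[n] is not None]
    return [(when.isoformat(), what) for when, what in sorted(events)]


def build_sample_package(include_printed=True):
    """Constructed sample: only the two parts this script needs."""
    printed = "<cp:lastPrinted>2011-08-12T10:05:00Z</cp:lastPrinted>" if include_printed else ""
    core_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>alice</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:revision>3</cp:revision>
  {printed}
  <dcterms:created xsi:type="dcterms:W3CDTF">2011-08-10T09:30:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2011-08-14T17:45:00Z</dcterms:modified>
</cp:coreProperties>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    props = core_properties(build_sample_package())
    for name, value in props.items():
        print(f"{name:17} {value}")
    for when, what in timeline(props):
        print(when, what)
```

One caveat a practitioner would add: these fields are written by the application that saved the file and can be edited by anyone who holds it, so they corroborate a timeline rather than prove it, and should be checked against file-system timestamps and other sources.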
More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as:
* Intellectual Property theft
* Industrial espionage
* Employment disputes
* Fraud investigations
* Forgeries
* Matrimonial issues
* Bankruptcy investigations
* Inappropriate email and internet use in the work place
* Regulatory compliance
Guidelines
For evidence to be admissible it must be reliable and not prejudicial, meaning that at every stage of this process admissibility should be at the forefront of a computer forensic examiner’s mind. One set of guidelines which has been widely accepted to help in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement, its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below (with references to law enforcement removed):
1. No action should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original; however, if access or changes are necessary the examiner must know what they are doing and must record their actions.
Live acquisition
Principle 2 above may raise the question: in what situation would changes to a suspect’s computer by a computer forensic examiner be necessary? Traditionally, the computer forensic examiner would make a copy of (or acquire) the data from a device which is switched off. A write-blocker [4] would be used to make an exact bit for bit copy [5] of the original storage medium. The examiner would then work from this copy, leaving the original demonstrably unchanged.
However, sometimes it is not possible or desirable to switch a computer off. It may not be possible to switch a computer off if doing so would result in considerable financial or other loss for the owner. It may not be desirable to switch a computer off if doing so would mean that potentially valuable evidence is lost. In both of these circumstances the computer forensic examiner would need to carry out a ‘live acquisition’, which would involve running a small program on the suspect computer in order to copy (or acquire) the data to the examiner’s hard drive.
By running such a program and attaching a destination drive to the suspect computer, the examiner will make changes and/or additions to the state of the computer which were not present before his actions. Such actions would remain admissible as long as the examiner recorded their actions, was aware of their impact and was able to explain their actions.
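As an added example, not part of the original guide, the script below shows the copy-and-verify logic behind the ‘bit for bit copy’ of a switched-off device together with the audit record that principle 3 calls for: the source is opened read-only, every block is copied and hashed as it is read, the finished image is hashed again, and both digests go into an append-only log that an independent third party can check later. It assumes a file-backed ‘device’ created in a temporary directory (constructed data, so it runs without a real disk or administrator privileges). Opening a file read-only does not replace a hardware write-blocker, since the operating system can still write to a mounted volume on its own; only the copy, hash and record-keeping steps are shown here.

```python
"""Acquire a bit-for-bit image of a storage device and keep an audit trail.

Added example, not part of the original guide. It implements principles 1
and 3 above in software: the source is only ever opened for reading, the
whole medium is copied block by block (including any regions the file
system does not expose), and SHA-256 digests of the source and of the
finished image are logged so an independent party can repeat the check.
Read-only access is NOT a substitute for a hardware write-blocker.
The "device" is a temporary file filled with constructed data so the
script runs offline and without special privileges.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # copy granularity; a multiple of the sector size is typical


def sha256_of_file(path):
    """Hash a file in blocks so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source, image, audit_log, examiner):
    """Copy every byte of `source` to `image`, hashing the source as it is read.

    Appends a JSON record to `audit_log` and returns it. Raises if the
    image read back from disk does not hash to the same value as the source.
    """
    source_digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            source_digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # the image must really be on disk before it is rehashed
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "block_size": BLOCK_SIZE,
        "bytes_copied": copied,
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": sha256_of_file(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(audit_log, "a") as log:  # append-only: earlier entries are never rewritten
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image digest does not match source; acquisition failed")
    return record


def verify_image(image, expected_sha256):
    """What an independent third party does later: rehash and compare."""
    return sha256_of_file(image) == expected_sha256


def demo():
    """Acquire a constructed 1 MiB 'device', then show an altered image failing verification."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "suspect_disk.raw")
        with open(device, "wb") as f:
            f.write(b"FAKE-BOOT-SECTOR".ljust(512, b"\x00"))  # constructed content
            f.write(os.urandom(1024 * 1024 - 512))
        image = os.path.join(workdir, "suspect_disk.dd")
        audit_log = os.path.join(workdir, "audit.jsonl")

        record = acquire(device, image, audit_log, examiner="examiner-1")
        rechecked = verify_image(image, record["source_sha256"])

        # Flip one byte of the image: the logged digest must now reject it.
        with open(image, "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_still_verifies = verify_image(image, record["source_sha256"])

        with open(audit_log) as f:
            entries = [json.loads(line) for line in f]
    return {"record": record, "rechecked": rechecked,
            "tampered_still_verifies": tampered_still_verifies, "audit_entries": entries}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["record"], indent=2))
    print("independent re-verification:", result["rechecked"])
    print("altered image still verifies:", result["tampered_still_verifies"])
```

The audit record is what makes the copy defensible: anyone given the image and the logged digest can repeat the hash and reach the same result, which is exactly what principle 3 asks for. In practice the examiner would also record the write-blocker used, its firmware or version, and the make, model and serial number of the source medium.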
Stages of the examination
For the purposes of this article the computer forensic examination process has been divided into six stages. Although they are presented in their usual chronological order, it is necessary during an examination to be flexible. For example, during the analysis stage the examiner may find a new lead which would warrant further computers being examined and would mean a return to the evaluation stage.
Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a server or computer’s built-in auditing and logging systems are all switched on. For examiners there are many areas where prior organisation can help, including training, regular testing and verification of software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if child pornography is present during a commercial job) and ensuring that your on-site acquisition kit is complete and in working order.
Evaluation
The evaluation stage includes the receiving of clear instructions, risk analysis and allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to deal with it. Commercial organisations also need to be aware of health and safety issues, while their evaluation would also cover reputational and financial risks on accepting a particular project.
Collection
The main part of the collection stage, acquisition, has been introduced above. If acquisition is to be carried out on-site rather than in a computer forensic laboratory then this stage would include identifying, securing and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services) would usually be carried out at this stage. The ‘bagging and tagging’ audit trail would start here by sealing any materials in unique tamper-evident bags. Consideration also needs to be given to securely and safely transporting the material to the examiner’s laboratory.
Analysis
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis, and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and the resources allocated. There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they use before analysis takes place. Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).
Presentation
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation. The report must be written with the end reader in mind; in many cases the reader of the report will be non-technical, so the terminology should acknowledge this. The examiner should also expect to participate in meetings or telephone conferences to discuss and elaborate on the report.
Review
Along with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’. However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective. A review of an examination can be simple, quick and can begin during any of the above stages. It may include a basic ‘what went wrong and how can this be improved’ and a ‘what went well and how can it be incorporated into future examinations’. Feedback from the instructing party should also be sought. Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.
Issues facing computer forensics
The issues facing computer forensics examiners can be broken down into three broad categories: technical, legal and administrative.
Technical issues
Encryption – Encrypted files or hard drives can be impossible for investigators to view without the correct key or password. Examiners should consider that the key or password may be stored elsewhere on the computer or on another computer which the suspect has had access to. It could also reside in the volatile memory of a computer (known as RAM [6]), which is usually lost on computer shut-down; another reason to consider using the live acquisition techniques outlined above.
Increasing storage space – Storage media holds ever greater amounts of data, which for the examiner means that their analysis computers need sufficient processing power and available storage to efficiently deal with searching and analysing enormous amounts of data.
New technologies – Computing is an ever-changing area, with new hardware, software and operating systems being constantly produced. No single computer forensic examiner can be an expert on all areas, though they may frequently be expected to analyse something which they have not dealt with before. In order to deal with this situation, the examiner should be prepared and able to test and experiment with the behaviour of new technologies. Networking and sharing knowledge with other computer forensic examiners is also very useful in this respect, as it is likely someone else has already encountered the same issue.
Anti-forensics – Anti-forensics is the practice of attempting to thwart computer forensic analysis. This may include encryption, the over-writing of data to make it unrecoverable, the modification of files’ meta-data and file obfuscation (disguising files). As with encryption above, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect has had access to. In our experience, it is very rare to see anti-forensics tools used correctly and frequently enough to totally obscure either their presence or the presence of the evidence that they were used to hide.
Legal issues
Legal arguments may confuse or distract from a computer examiner’s findings. An example here would be the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign but which has a hidden and malicious purpose. Trojans have many uses, including key-logging [7], uploading and downloading of files and installation of viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user but were automated by a Trojan without the user’s knowledge; such a Trojan Defence has been used successfully even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer, supplied with evidence from a competent computer forensic analyst, should be able to dismiss such an argument.
Administrative issues
Accepted standards – There are a plethora of standards and guidelines in computer forensics, few of which appear to be universally accepted. This is due to a number of reasons, including standard-setting bodies being tied to particular legislations, standards being aimed either at law enforcement or at commercial forensics but not at both, the authors of such standards not being accepted by their peers, or high joining fees dissuading practitioners from participating.
Fitness to practice – In many jurisdictions there is no qualifying body to check the competence and integrity of computer forensics professionals. In such cases anyone may present themselves as a computer forensic expert, which may result in computer forensic examinations of questionable quality and a negative view of the profession as a whole.
Resources and further reading
There does not appear to be a great amount of material covering computer forensics which is aimed at a non-technical readership. However, the links at the bottom of this page may prove to be of interest:
Glossary
1. Hacking: modifying a computer in a way which was not originally intended in order to benefit the hacker’s goals.
2. Denial of Service attack: an attempt to prevent legitimate users of a computer system from having access to that system’s information or services.
3. Meta-data: at a basic level meta-data is data about data. It can be embedded within files or stored externally in a separate file and may contain information about the file’s author, format, creation date and so on.
4. Write blocker: a hardware device or software application which prevents any data from being modified or added to the storage medium being examined.
5. Bit copy: bit is a contraction of the term ‘binary digit’ and is the fundamental unit of computing. A bit copy refers to a sequential copy of every bit on a storage medium, which includes areas of the medium ‘invisible’ to the user.
6. RAM: Random Access Memory. RAM is a computer’s temporary workspace and is volatile, which means its contents are lost when the computer is powered off.
7. Key-logging: the recording of keyboard input, giving the ability to read a user’s typed passwords, emails and other confidential information.
If you live in Nepal and want to get high speed internet, what are your choices and the speeds you can get? Luckily, this year (2011) there are a lot of options. The main ones currently available are NTC ADSL, Subisu cable, Wlink, Mercantile and now also Ncell.
I signed up for NTC, Ncell and Wlink, ran some tests and was happy with NTC and Ncell. Even during load shedding NTC’s internet was working, while Wlink would go down during load shedding.
With Wlink, my speed was also close to the advertised speed but the connection was not consistent. For example, I was downloading a 100MB file and the connection broke several times, forcing me to restart the download.
Also, with NTC ADSL at a 256 Kbps speed I was consistently able to get actual speeds of close to 256 kbps, which was very surprising. I downloaded a 100MB file and it was slow but it completed.
I also tested Ncell’s internet and got a download rate of 1MB, which was really good for Kathmandu.
Overall Score
1st – NCELL
2nd – NTC
3rd – Wlink
I will be updating my posts after testing Subisu and Mercantile. If you want me to run any more tests on other ISPs, or have suggestions or comments, let me know.
In the meantime there has been a VOIP controversy. This whole VOIP issue has recently been in the press following the Paras Shah and Rubel Chawdhary incident. Rubel is alleged to have been involved in VOIP in Nepal.
According to the Himalayan Times, the Nepali government has been putting bandwidth users under the scanner to curb illegal Voice over IP (VOIP).
Following the rampant use of illegal VOIP, the authority has decided to monitor Internet Protocol (IP) addresses. “We have asked the Internet Service Providers (ISPs) to send the details of bandwidth users and their utility,” said chairman of NTA Bhesh Raj Kanel.
I think this is a completely idiotic move. Just because NTC (Nepal Telecommunications) is losing money doesn’t mean the best way to make more money is by forcing people to use its expensive traditional call services. Instead, NTC should understand that it is no longer a monopoly and that this is a globalized world. It should allow VOIP by private citizens while at the same time controlling illegal commercialization of VOIP. Simply banning all VOIP isn’t the answer. Technology gets cheaper and faster, but NTC and the government don’t recognize that.