Gary C. Kessler & Michael Schirling
Published: 01 Apr 2002
Killers. Spies. Fraudsters. Child pornographers. The crimes are age-old, but computers have changed the landscape for both perpetrators and police.
Serial killer John Robinson lured victims through the Internet. FBI agent-turned-spy Robert Hanssen passed encrypted data to the Russians on floppy disks. Hackers breach e-commerce Web sites to steal customers' financial information. Child pornographers, driven from using the mail, thrive on the 'Net.
Computer-based crime has given rise to a new type of evidence gathering -- or forensics -- and a new breed of investigator. But computer forensics is still a young discipline, and almost no one today has been trained purely as a computer forensic analyst. Some police officers are drawn by an interest in computers, while most independent computer investigators are either former police officers or IT professionals. Forensic scientists and technicians play a critical role in law enforcement and corporate investigations.
What all of these professionals have in common, however, is a need to know about computer and network technology, analysis tools and the law. The art and science of computer forensics calls for solid detective skills combined with sufficient knowledge to find, preserve and document computer-based evidence.
Four computer forensics books, all published within the last year, can help guide not only professional investigators, but also infosec professionals charged with protecting IT resources and tracking intruders.
The four books can be divided into two broad camps: Three are aimed at tracking down the bad guys and obtaining the evidence to nab them. Computer Forensics and Privacy by Michael Caloyannides, on the other hand, is about protecting the good guys from everything from theft to invasion of privacy. For example, if Warren G. Kruse II & Jay G. Heiser, in Computer Forensics: Incident Response Essentials, would write, "when you delete a file, it isn't really removed from the disk; here's how to recover the data," Caloyannides would write, "when you delete a file, it isn't really removed from the disk, here's how the data might be recovered; and here's how to really delete it." The key to the Caloyannides book is the word "privacy" in the title.
The books vary widely in focus, detail and point of view in their treatment of three key forensics issues: procedures, technology and the law. Individually, the texts won't satisfy every interest or environment. Collectively, however, they make for a good working computer forensics library.
Forensics Procedures and Analysis Tools
Computer forensics procedures are both technical and nontechnical. The technical part is made easier -- and in some cases made possible -- by the wide selection of tools the investigator can employ on his forensics workstation.
At the macro level, forensics procedures ensure that evidence is kept intact and validated so that it will stand up to potential court challenges:
- Every step must be meticulously documented, including data recovery logs and chain of custody. If it's a potential crime scene, every component must be photographed.
- Media must be stored in a protective environment to prevent physical damage and/or data corruption.
- The analysis should be performed on an exact copy of the media.
At the micro level, the procedures get down to the nitty-gritty of what the investigator is looking for -- e.g., evidence of insider corporate espionage or how a system has been compromised by an outside attack. This takes the investigator into the heart of the forensics process -- how to pick up the trail and track down the evidence. To get what he needs, he'll need the knowledge and tools to:
- Resurrect "deleted" files.
- Recover passwords.
- Analyze file access, modification and creation times.
- View and analyze system and application logs.
- Determine the activity of users and/or applications on a system.
- Discover IP addresses, host names, network routes and Web site information.
- Analyze e-mails for source information and content.
Kruse & Heiser's treatment of the forensics process is among their book's strengths: The authors have a clear plan and stick to it. They assume relatively little knowledge on the reader's part, and work from a good overview of procedures into specifics.
For example, the introductory chapter is a high-level discussion of acquiring, authenticating and analyzing evidence -- what the authors call "the three A's." Building on that foundation, the next chapter, "Tracking the Offender," is a basic discussion of Internet fundamentals and how to use standard system tools to hunt down bad guys and evidence through DNS, e-mail, newsgroups, etc. Knowledgeable readers will find this information elementary, but both the computer pro and the beginner should find the application of the information to forensics valuable.
Editors Albert J. Marcella Jr. and Robert S. Greenfield take a different approach in Cyberforensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crimes. The book identifies a number of possible offenses -- inappropriate use of e-mail, theft of intellectual property, violation of security procedures, etc. -- and provides checklists for investigators. For example, for theft of information, the questions include:
- What type of information was stolen?
- Who had access?
- Are access logs available?
It sounds like common sense, and to an extent it is, but the points can be helpful in planning an investigation.
Editor Eoghan Casey offers little in overall guidance on forensic procedures in Handbook of Computer Crime Investigation, though the book has a unique chapter on how to prepare electronic data for criminal or civil discovery. Many of the techniques, such as recovering hidden files and imaging hard drives, are identical to those used in forensics investigations. The chapter is valuable as a guide for organizations that must produce evidence in court, as well as for its technical information.
Caloyannides, because of his unique point of view, ignores forensics investigation procedures in favor of a brief discussion of how forensics is relevant to different classes of individuals -- trial lawyer, private citizen, law enforcement official, employer, employee -- and why they should be concerned about protecting their privacy.
Numerous tools are available to the analyst, but the first thing is to determine what evidence needs to be gathered. In a child pornography case, for example, the investigator will naturally be looking for .jpg, .gif and other image files. Since users can easily change file extensions, however, simply searching for .jpg and .gif extensions is not sufficient; the contents of all files also need to be examined. All nontext files contain a header within the file that identifies the type of contents. Forensics viewers -- such as Conversions Plus by Dataviz (www.dataviz.com) -- can find files where the file type extension doesn't match the file header.
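As an added example (not code from any of the reviewed books or their vendors), the header-versus-extension check described above in Python: a small constructed signature table, a scan that flags files whose leading bytes identify one format while the extension claims another, and constructed sample files to run it on. Formats without a fixed leading signature fall through as "unknown" rather than being flagged, so a table like this only ever narrows the search.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Constructed signature table (an assumption of this example): leading bytes of a
# few common formats.  Files matching none of them are reported as "unknown".
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}  # other spellings of the same format

def identify_by_header(head: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None

def extension_of(path: str) -> str:
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext)

def classify(path: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, header_type); verdict is "match", "mismatch" or "unknown"."""
    with open(path, "rb") as f:
        head = f.read(16)  # longer than any signature in the table
    header_type = identify_by_header(head)
    if header_type is None:
        return "unknown", None
    return ("match" if header_type == extension_of(path) else "mismatch"), header_type

def scan_tree(root: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every file under root, keyed by POSIX-style relative path."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root).replace(os.sep, "/")] = classify(full)
    return results

def build_sample_tree(root: str) -> None:
    """Write constructed samples: a real JPEG, a JPEG and a GIF renamed to hide
    them, and a plain text file that carries no signature."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "docs/notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 12,
        "docs/report.doc": b"GIF89a" + b"\x00" * 10,
        "readme.txt": b"just plain text\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

def demo_scan() -> Dict[str, Tuple[str, Optional[str]]]:
    """Build the samples in a scratch directory, scan them and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Pointing scan_tree at a mounted read-only image of the copy (never the original media) lists every file under it with its verdict; the "mismatch" entries are the renamed files worth a closer look.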
The range of forensics tools also includes:
- Drive-imaging programs such as SafeBack by New Technologies Inc. (NTI) and dd, a standard Unix tool for ensuring that investigators have an exact duplicate of the original.
- Text-search tools, such as the dtSearch suite of products by dtSearch, which work with all popular file types and may include fuzzy logic and synonym searches.
- Forensic suites, such as the Forensic Toolkit by Foundstone, a set of command-line utilities for reconstructing access to Windows NT file systems; and The Coroner's Toolkit, designed by Dan Farmer and Wietse Venema, used for investigating Unix hosts.
One of the most well-known computer forensics tools is EnCase, Guidance Software's (www.guidancesoftware.com) Windows-based analysis software package that's used to perform a thorough analysis of the contents of a system's hard drive. EnCase can perform a wide range of analysis tasks, from examining file contents and verifying file signatures to recovering deleted files and examining file access dates.
In addition to SafeBack, NTI offers more than a dozen command-line utilities for text searches, disk cataloging, locking and securing computers for evidence, etc.
Kruse & Heiser provides the best high-level discussion of this broad spectrum of tools. In a dedicated chapter, they discuss the type and purpose of tools and how they work, with representative examples. The chapter also includes more extensive descriptions of EnCase and the NTI line of utilities. The book also has excellent discussions of forensics tools in context. For example, in their chapter on hostile code, they discuss vulnerability scanners, such as free utilities Nmap and Nessus (www.nessus.org); and password-cracking tools, such as L0phtCrack by @stake, in a chapter on hiding data.
Caloyannides gives only cursory treatment to tools used for forensics investigations. His focus, instead, is on tools that protect data privacy. While the other books may mention disk-wiping utilities to assure that images are made on "clean" disks, Caloyannides evaluates tools that wipe out all traces of files to keep them from falling into the wrong hands.
The credibility of Casey's coverage of tools is undermined by the vested interest of the writers. Detailed chapters about four specific Windows and Unix/Linux forensics tools are authored by people directly affiliated with the vendor or developer of the software that they write about. For example, an extensive chapter, "The EnCase Process," is a thorough, well-illustrated discussion of the product. However, the chapter is written by Guidance's general counsel, which automatically raises conflict of interest issues. Making matters worse, there's a dearth of detailed coverage about other forensics tools.
Finally, Marcella & Greenfield's coverage of tools is sparse. They only have one chapter that delivers a cursory examination of a handful of tools.
Computer and Network Technology
"Because every network is different, combining different technologies in unique ways, no single individual is equipped to deal with every situation," Casey and Keith Seglem observe in the introduction to Casey's book. But that's not all. "The proliferation of handheld devices connected to wireless networks has ushered in an era of pervasive computing." It's become a challenge just tracking down all the systems that may hold clues or evidence -- it's not just the desktop or laptop computer system anymore. In addition, encryption software for everything from e-mail to PDAs is becoming routine, even for the casual user.
The four books vary significantly in the direction, scope and breadth of systems technology, but both Casey and Kruse & Heiser prove far more valuable to the investigator than the other two texts. Kruse & Heiser excels with an approach that's well integrated yet detailed; in tandem, the books cover a lot of ground, each focusing on areas the other might neglect.
"The operating system sees all, but it may not tell you about it," writes Kruse & Heiser. Investigators can't really use forensics tools intelligently without a solid understanding of both Windows and Unix/Linux, including command-line interfaces. Important information and potential evidence can be missed or compromised unless investigators understand how each operating system moves, manipulates and deletes files.
Casey and Kruse & Heiser cover both Windows and Unix forensics analysis. Kruse & Heiser's treatment of operating systems -- particularly Unix -- runs deeper than that of Casey, reflecting the overall greater depth of their technology coverage. The Windows coverage in the two books tends not to overlap, so there's value in reading both.
Kruse & Heiser's Unix treatment is far more thorough and, ultimately, more useful than the book's Windows discussion. Building from the basics, they present, in succession, chapters on an "Introduction to Unix for Forensic Examiners," "Compromising a Unix Host" and "Investigating a Unix Host."
In the Windows chapter, there's an implicit assumption that the reader is familiar with the OS. The discussions of Registry settings and e-mail are particularly valuable, the latter building on an earlier section in the Internet chapter. The chapter promises to cover Windows flavors from 9x on (and actually includes a brief section on Windows 3.1). However, the treatment of NT/2000 feels rushed and abbreviated.
Casey clearly assumes the reader has a working knowledge of Unix, jumping straight into the "how-to's." This single chapter deals with reconstructing evidence from tapes and hard drives, and analysis of Unix systems. The discussion, if not extensive, is specific and on point.
Casey's chapter on Windows also assumes a basic knowledge of the OS. Unlike Kruse & Heiser, the focus is clearly on NT/2000. There's a good discussion of how NTFS works and how to track down files and folders -- deleted and otherwise. The author also explains in some detail how to recover information from the Recycle Bin.
On the downside, the Windows chapter in Casey is another plug for EnCase. The author is a Guidance VP, and while the tool is only mentioned in the text, the chapter is filled with EnCase screen shots.
Caloyannides deals only with Windows. His treatment is a long list of tips on how to make Windows more secure and private -- such as disabling the built-in microphone and not using virtual memory. However, he doesn't fully explain the underlying rationale for his recommendations. Nevertheless, the information is very specific and worth reading by end users protecting their systems and investigators who want to know what they might be up against.
Marcella & Greenfield focuses solely on Windows investigations, a serious shortcoming. Although the coverage is generally broader than either Casey or Kruse & Heiser -- covering file storage, temporary files, hidden files, Event Viewer, the Registry, etc. -- it's far shallower.
Investigations often involve more than a single computer, whether the target is software piracy, terrorism or theft of corporate financial information. The networked environment not only involves communications protocols, but the network OS environment. An examination of a network or networked computer must cover the entire operating environment, including the file and print servers, e-mail servers, remote access devices and communications servers.
Armed with an understanding of network protocols, particularly TCP/IP, the investigator can study various system, application, packet sniffer and device logs to get a full picture of network activity, since a large number of attacks and compromises occur via the Internet or LAN.
Casey provides a strong chapter on network analysis, covering items such as an overview of TCP/IP protocols; an introduction to tcpdump; and samples of logs from Unix and Windows, IIS, Web and e-mail servers, routers and modems. Casey also devotes a chapter to wireless network technologies, an area largely ignored in the other books. The chapter details the components of wireless systems, and where -- a mobile device, the network itself or the billing center -- an investigator can harvest information.
By contrast, Kruse & Heiser's networking discussion is much lighter than its coverage of operating systems and technology in general, with relatively little detail on the essentials of logging, sniffing and detecting.
Marcella & Greenfield has a chapter on "Network Intrusion Management and Profiling," which provides good guidelines for formulating an intrusion detection and response plan. However, the chapter is almost devoid of technical information.
Caloyannides's network discussion is mostly limited to brief treatments of securing network data transmission with protocols such as SSL and SSH.
More on Technology
Kruse & Heiser's coverage of general computing security technologies is consistent with the rest of the book, presenting a logical progression of detailed information for the uninitiated. The chapter on encryption, for example, is followed by a chapter called "Data Hiding," which discusses the methods of how "they hide" and "you seek," including breaking encryption, password protection, altered file extensions and steganography. The book also gives the best treatment -- really the only detailed treatment of the four books -- of storage media.
Casey includes an interesting technology chapter on embedded systems -- computers that are appliance-based and can't be programmed by users. These can include everything from telephones, printers and faxes to microwave ovens and air-conditioning systems.
Caloyannides's strongest contribution in this area is the presentation of privacy-related technologies, such as steganography detection, password cracking and even Van Eck Radiation.
Marcella & Greenfield provide the weakest coverage of general security technology. They have a single chapter on the basics of Internet abuse and one on encryption, but little else.
Laws Related to Computer Forensics
Analysts "should always conduct the investigation as if you are going to trial, just in case you have to," says Carol Stucki in Marcella & Greenfield. Knowledge of the law can mean the difference between a successful prosecution and a judge tossing critical evidence. On the one hand, it can result in the clean firing of an employee who has cracked into confidential files; or, on the other hand, his successful wrongful termination action.
What constitutes a legal search of a stand-alone computer as opposed to one on a network? What can be seized, and under what circumstances? What are the laws governing the securing of evidence and maintaining the chain of evidence? What is legitimate investigation and what is a violation of privacy?
These questions, among others, are determined by federal, state and local laws. In some cases, investigators may also need to be aware of applicable international laws and treaties. Systems and network admins within private organizations also need to be aware of certain legal issues, including when to call for law enforcement assistance and their responsibilities once they report a computer crime.
In addition to Fourth Amendment issues, legislation such as the Electronic Communications Privacy Act (ECPA) and the Privacy Protection Act (PPA) are critical to an investigator's understanding of the legal environment in which he must operate. Individual states may offer additional privacy protections.
Expectations of privacy and consent to search often go hand-in-hand. For example, information on someone's personal home computer is private, and can't be searched unless the individual consents or law enforcement authorities have a search warrant. On the other hand, most companies' policies explicitly state that their computers are for work purposes only, giving the company or an investigator free rein to inspect an employee's computer files and e-mails.
Though none of the books really stands out in this area, Marcella & Greenfield lead the pack, as they devote more than half their book to a collection of relevant laws and guidelines covering the search and seizure of computers, computer crime policies, U.S. national critical infrastructure protection, privacy issues, legal aspects of e-commerce and international computer crime laws. Much of this material has been drafted by federal law enforcement workgroups, which is important because these are the documents that will guide everyday forensics analysis of computers that might have been used for criminal purposes. However, many of these documents are available free on the Internet.
Although all of this constitutes a handy reference, Marcella & Greenfield suffers from the absence of an author's voice giving expert analysis and guidance about the applicability of the legal material.
Caloyannides, with his strong emphasis on protecting information, provides detailed discussion about such topics as civil legal discovery, e-mail, criminal evidence collection and handling, federal guidelines for searching and seizing computers, and how businesses (and individuals) can protect themselves. Where relevant, specific laws are cited in the discussion, with particular attention to the Digital Millennium Copyright Act (DMCA) and Uniform Computer Information Transactions Act (UCITA). The book also covers some of the emerging privacy legislation, particularly the differences in views of data privacy in the United States versus the European Union.
Casey takes a different approach by using case studies to present some of the legal aspects of forensic computing. A case study by Lt. John J. McLean, a Massachusetts police officer who specializes in computer crime investigations, for example, illustrates the decisions police must make about the limits of search warrants when they're confronted with the unexpected. This would be rather dry stuff to read statute by statute, but the case studies breathe life into the subjects. That notwithstanding, the case studies in Casey are limited in scope; the reader would be better served if they were used to illustrate coverage of the law, rather than as substitutes for it.
Kruse & Heiser's treatment of the law is superficial and generally pitched for the non-law enforcement professional. While the rest of the book offers solid information, assuming most of it's new to the reader, the legal section barely gives a civics class-level tutorial on such things as subpoenas, probable cause and recidivism. The only specific laws cited are the U.S. wiretap statute and the statute covering credit cards and access codes, which, among other things, makes possession of computer passwords potentially illegal.
About the authors:
Gary C. Kessler is an associate professor and program director of the Computer Networking major at Champlain College in Burlington, Vt., and an independent consultant and writer.
Michael Schirling is a lieutenant in the Burlington (Vt.) Police Department, directs the Vermont Internet Crimes and Internet Crimes Against Children Task Forces, and is an adjunct instructor at Champlain College.