
Computer forensics

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 64.160.121.62 (talk) at 13:55, 24 April 2004 (initial creation). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

(This article is a stub-- please help improve it.)

Computer forensics is the examination of data processing equipment, typically a home computer or office workstation, to determine whether it has been used for illegal, unauthorized, or otherwise unusual activity. It can also include monitoring a network for the same purpose.

Understand the Suspects

It is vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If there is not enough information to form that opinion, the suspects must be assumed to be experts who have installed countermeasures against forensic techniques. For this reason, until the machine is completely shut down, everything you do to it should be indistinguishable, from the machine's point of view, from what its normal users do. Shut it down either in a way that provably prevents the machine from modifying its drives, or in exactly the way its users would.

If only a small amount of critical data lives on the hard drive, for example, software exists to wipe it quickly and permanently when a particular trigger occurs, and it is straightforward to tie such a trigger to the Windows "Shutdown" command. Simply "pulling the plug" is not always a good idea either: information held only in RAM, or on special peripherals, may be lost for good. Losing an encryption key stored only in RAM, possibly unknown even to the suspects themselves because it was generated automatically, can render a great deal of data on the hard drive(s) unusable, or at best extremely expensive and time-consuming to recover.

Secure the Machine and the Data

Unless completely unavoidable, data should never be analyzed on the same machine it is collected from. Instead, make provably complete copies of every data storage device, primarily the hard drives, and work from those.

To ensure that the machine can be analyzed as completely as possible, follow this sequence of steps:

1. If the machine is still running, record any intelligence that can be gained by examining the applications currently open.

If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of the relevant information may be stored on the hard drive. Information held only in RAM will be lost if it is not recovered before the machine is powered down. For most practical purposes, it is not possible to completely capture the contents of the RAM modules of a running computer. Specialized hardware could do so, but the computer may have been modified to detect chassis intrusion (some Dell machines can do this stock, and software need only watch for the signal), so removing the cover could cause the system to discard the contents. Ideally, prior intelligence or surveillance will indicate what action to take to avoid losing this information.

Once modern RAM has been erased and has lost power, its prior contents cannot be recovered with any real probability of success. (DRAM retains its contents only briefly after power is removed, so this is not a practical recovery path.)

2. Power the machine down exactly the way the suspects power it down.

This is critical if information is normally held only in memory, wiped from the drive after booting, and committed back to disk only when the machine is shut down. The data may be encrypted on the way out, but encrypted data is better than nothing.

Keep in mind that many modern machines (those with ATX motherboards in particular) are not truly "off" after they have been shut down: standby power is still supplied to the board. Once the machine has shut down, physically remove power from the supply and wait 30 seconds.

3. Inspect the chassis for traps, intrusion detection mechanisms, and self-destruct mechanisms.

It takes a great deal to destroy a hard drive to the point where no data at all can be recovered from it, but it takes very little to make recovery very, very difficult. Find a hole in the chassis you can use for inspection (cooling-fan openings are a good bet), or pick a safe spot in the chassis and drill one, and use an illuminated fiberscope to inspect the inside of the machine. Look specifically for large capacitors or batteries, nonstandard wiring around the drives, and possible incendiary or explosive devices. PC hardware is fairly standardized these days, so treat anything you do not recognize as cause for concern until proven otherwise. Look for wires attached to the chassis itself; PCs are not normally grounded this way, so such wires are cause for concern.

Look SPECIFICALLY for a wire running from anything to the CMOS battery or the "CMOS clear" jumper. CMOS memory can be used to store data on the motherboard itself, and its contents are lost if power is removed from it. Encryption keys and similar small secrets may be kept there, so you must avoid letting the CMOS memory lose power.

Once you have determined that the case is safe to open, proceed to remove the cover.

4. Fully document the configuration of the system.

Photograph the entire configuration of the system. Pay special attention to how the hard drives are cabled and jumpered, since this determines how the drives are enumerated (and therefore, together with the BIOS settings, which one boots first), and it is necessary for reconstructing a RAID array. A little time spent being thorough here will save you more later.

5. Duplicate the hard drives.

Using a standalone hard-drive duplicator or similar device, COMPLETELY duplicate the ENTIRE hard drive. Work at the sector level, making a byte-for-byte copy of every part of the drive that can physically store data, rather than copying the filesystem. Whatever does the copying must be unable to write to the original (a hardware write blocker, or a duplicator that only ever reads from its source port). Compute a cryptographic hash of the data as it is read from the original and record it with the image; any later copy can then be checked against that hash rather than against the original. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.
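The duplication step above, written out as a shell script so the whole procedure can be seen end to end. This is an added example, not part of the original article and not the output of any particular duplicator product. It uses only dd, tee and sha256sum (shasum on BSD and macOS). The function name acquire_drive, the log format, and the device and file names in the usage note are this example's own choices; it assumes the source drive sits behind a hardware write blocker, since the script can only refuse to write to the source, not prevent the operating system from touching it.

```shell
#!/bin/sh
# Added example (not from the original article): sector-level imaging of a
# drive with hash verification and an acquisition log. Uses only dd, tee and
# sha256sum (shasum on BSD/macOS). Assumes the source sits behind a hardware
# write blocker; the script itself never opens the source for writing.

# sha256_of [FILE]: hex SHA-256 of FILE, or of stdin when no FILE is given.
sha256_of() {
    { if command -v sha256sum >/dev/null 2>&1; then
          sha256sum "$@"
      else
          shasum -a 256 "$@"
      fi; } | cut -d' ' -f1
}

# acquire_drive LABEL SOURCE IMAGE LOG
#   LABEL  - which physical drive this is (bay/cable position, make, serial)
#   SOURCE - block device (or a file standing in for one) to image
#   IMAGE  - output file receiving the byte-for-byte copy
#   LOG    - acquisition log; appended to, never truncated
# Reads SOURCE exactly once. The stream is hashed while it is copied, so the
# recorded hash is of what was actually read off the original; the image file
# is then hashed separately to prove the copy landed on disk intact.
# Returns 0 only when both hashes match.
acquire_drive() {
    label=$1; src=$2; img=$3; log=$4

    # bs=512 matches the sector size, so conv=noerror,sync can carry on past an
    # unreadable sector and pad exactly that sector with zeros, keeping every
    # other byte of the image at its original offset. A larger bs would pad
    # whole multi-sector blocks and, for a source whose size is not a multiple
    # of bs, change the image size. dd's stderr (records in/out, any read
    # errors) is kept in the log, because it is part of the acquisition record.
    stream_hash=$(dd if="$src" bs=512 conv=noerror,sync 2>>"$log" \
                  | tee "$img" | sha256_of)
    img_hash=$(sha256_of "$img")

    printf 'label=%s\nsource=%s\nimage=%s\nbytes=%s\nstream_sha256=%s\nimage_sha256=%s\n\n' \
        "$label" "$src" "$img" "$(wc -c < "$img" | tr -d ' ')" \
        "$stream_hash" "$img_hash" >>"$log"

    [ -n "$stream_hash" ] && [ "$stream_hash" = "$img_hash" ]
}
```

Invoked as, for instance, `acquire_drive "primary master, bay 0" /dev/sdb case-drive0.img case.log` (illustrative names), the script leaves an image, and a log entry whose stream_sha256 is the value to compare every later working copy against. The original is read only once and then goes to secure storage; it is never reread to re-verify, which is why the hash is taken from the copy stream rather than from a second pass over the drive.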

(additional information pending)

See also: encryption, steganalysis