University of Colorado at Colorado Springs


                       Technology for Computer Forensics

                                Thesis Proposal


                                 Alicia Castro

                  As part of the requirements for the degree of

                 Master of Engineering in Software Engineering

                   University of Colorado, Colorado Springs

Approved by:                                     Date:

_________________________________                _____________________
Dr. Edward Chow:

Dr. Xiaobo Zhou
__________________________________               _______________________
Committee Member:

Dr. Jugal Kalita
__________________________________               _______________________
Committee Member:

1. Introduction

Background Research

The objective of computer forensics is to find legal evidence in computers and digital
storage media. The goal of computer forensics is to explain the current state of a
digital artifact. There are many reasons to employ the techniques of computer
forensics, such as legal cases, data recovery, gathering evidence against an employee,
debugging, performance optimization or reverse engineering [1].

Special expertise and tools are required to gather computer forensics data; there are
no easily available products for the average user. There are many forensic toolkits
used by law enforcement agencies; the most common in use is EnCase, because its
results are more easily admitted in court. There are also many open source tools, such
as Helix and Autopsy.
Helix can be used to acquire a live image of a Windows system, repair damaged files,
perform data acquisition, recover a virus-damaged system, change Windows passwords,
securely delete files and much more [2]. Helix itself is not a tool; it is a live
distribution that contains a series of forensic tools. Helix has been modified very
carefully so as not to touch the host computer in any way, and it is forensically
sound. Helix will not auto-mount swap space or any attached devices. Helix also has a
special Windows autorun side for Incident Response and Forensics. Helix focuses on
Incident Report & Forensic tools [3].

Autopsy is also an open source tool. It provides an HTML-based graphical interface
for The Sleuth Kit that is similar to a file manager, showing details about deleted
data and file system structures, with results that can be accessed using an HTML
browser. Autopsy does not require any tool to be executed previously; it can work
directly over mounted partitions or over image files generated by the dd command [4].
Autopsy is the graphical interface to the data collected with The Sleuth Kit.

EnCase is recognized as a court-validated standard in computer forensic software.
With an intuitive GUI, superior analytics, enhanced email/Internet support and a
powerful scripting engine, EnCase provides investigators with a single tool capable
of conducting large-scale and complex investigations from beginning to end [5].
EnCase creates images of suspect media. Images are stored in proprietary formats and
contain an MD5 or SHA-1 checksum to validate their authenticity. EnCase makes images
that are exact byte-for-byte copies of the original, in order to be able to fully
examine unused parts of the media for deleted files and so forth. After imaging,
EnCase can be used to examine the files stored in the image using common tools such
as a document viewer and a hex editor. It can also examine parts of the file system
not normally exposed to the user, such as deleted file entries, on-disk checksums and
log/journaling data. It can also search for and attempt to recover deleted files [6].
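The checksum-and-copy workflow described above, as an added example (this is not EnCase code and not the EnCase Evidence file format): a Python script that hashes a byte-for-byte image in sector-sized chunks with MD5 and SHA-1, records the result in a manifest, re-verifies it, shows that a single changed bit fails the check, and scans the unused sectors of a constructed image for the remnant of a deleted file. The image contents, the manifest layout and the 512-byte sector size are assumptions made for this illustration.

```python
"""Integrity check for a byte-for-byte media image, in the spirit of the
MD5/SHA-1 checksum EnCase stores with an evidence file.  Added illustration,
not EnCase code: the image is a constructed 2 KiB buffer and the manifest
layout is an assumption made for this example."""
import hashlib
from dataclasses import dataclass
from typing import List

SECTOR = 512  # bytes per sector in the constructed image (assumed)


@dataclass(frozen=True)
class ImageManifest:
    """What the examiner records at acquisition time and re-checks later."""
    size: int
    md5: str
    sha1: str


def hash_image(image: bytes, chunk_size: int = SECTOR) -> ImageManifest:
    """Hash the entire image, allocated and unused sectors alike, reading it
    in chunks the way a tool must when the image is larger than memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(image), chunk_size):
        block = image[offset:offset + chunk_size]
        md5.update(block)
        sha1.update(block)
    return ImageManifest(size=len(image), md5=md5.hexdigest(), sha1=sha1.hexdigest())


def verify_image(image: bytes, manifest: ImageManifest) -> bool:
    """True only if the size and both digests still match the acquisition record."""
    return hash_image(image) == manifest


def find_remnant(image: bytes, marker: bytes) -> List[int]:
    """Offsets of `marker` anywhere in the image, including sectors the file
    system no longer lists; this is what a byte-for-byte copy preserves."""
    hits: List[int] = []
    pos = image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed four-sector image: sector 0 holds a live file, sector 2
    still holds the body of a file whose directory entry was removed."""
    live = b"CASE NOTES: live document".ljust(SECTOR, b"\x00")
    unused = bytes(SECTOR)
    deleted = b"DELETED MEMO: transfer approved".ljust(SECTOR, b"\x00")
    return live + unused + deleted + unused


def tampered_copy(image: bytes, offset: int) -> bytes:
    """Copy of the image with one bit flipped at `offset`."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


SAMPLE_IMAGE = build_sample_image()
MANIFEST = hash_image(SAMPLE_IMAGE)  # recorded at acquisition time


if __name__ == "__main__":
    print("verifies:", verify_image(SAMPLE_IMAGE, MANIFEST))
    altered = tampered_copy(SAMPLE_IMAGE, 3 * SECTOR - 1)  # one byte of unused space
    print("after one-bit change:", verify_image(altered, MANIFEST))
    print("deleted remnant at offsets:", find_remnant(SAMPLE_IMAGE, b"DELETED MEMO"))
```

The manifest is checked as a whole (size plus both digests), so a verifier cannot pass on a truncated image whose hash happened to be recomputed, and the tampered byte sits in a sector no file system entry points to, which is exactly the part of the media that a logical copy would not have preserved.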

Forensic tools are used to analyze digital data and often find evidence that someone
did or did not commit a crime. As the tool output may be evidence in a court trial, it
must meet certain legal requirements [7].

Computer-based evidence has only recently become common in court proceedings,
but its impact on the legal system has been significant. Cases are frequently decided
on evidence obtained from computer systems, evidence that many experts claim is
unreliable. Consider the recent case State of Connecticut v. Julie Amero in Norwich,
Connecticut. An elementary school substitute teacher, Ms. Amero was accused, tried
and convicted of contributing to the delinquency of minors because a spyware-
infected school computer in her class displayed pornographic sites/pop-ups during
her lecture. The legal system's lack of technical awareness resulted in a conviction
that was eventually overturned but permanently impacted Ms. Amero's life and
diminished the credibility of our legal system. Judges and juries make inappropriate
assumptions because they expect computer forensic evidence in real life to be as
reliable and conclusive as it is on television. The impact of these assumptions cannot
be undone merely by reversing a court decision. In many cases such as these, the
forensic tools being used are accurate, but the assumptions made about them are
wrong [7].

There are no standards or specifications for tools, and there are many versions of each
tool. Requirements must be created for each tool type, and corresponding tests must be
designed that enforce the requirements. Using specific test conditions for all tools
can only go so far at catching bugs because of the large number of possible tests [8].

Computer forensics involves obtaining and analyzing digital information for use as
evidence in civil, criminal or administrative cases. The Federal Rules of Evidence
(FRED) have controlled the use of digital evidence since 1970; from 1970 to 1985, state
rules of evidence, as they were adopted by each state, controlled usage of this type of
evidence. Documents maintained on a computer are covered by different rules,
depending on the nature of the document. Many court cases in state and federal
courts have further developed and clarified how the rules apply to digital evidence.
The Fourth Amendment to the US Constitution protects everyone's right to be secure
in their person, residence, and property from search and seizure. Continuing
development of the jurisprudence of this amendment has played a role in determining
whether the search for digital evidence has established a different precedent, so that
separate search warrants might not be necessary. However, when preparing to search
for evidence in a criminal case, many investigators still include the suspect's
computer and its components in the search warrant to avoid problems [9].

There are two other areas of law related to computer security that are important to
know about. Anyone concerned with computer forensics must know how these laws
affect them:
     Wiretap Act (18 U.S.C. 2510-22)
     Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27)
     Stored Wired and Electronic Communications Act (18 U.S.C. 2701-120)

Violations of any of these statutes during the practice of computer forensics could
constitute a federal felony punishable by a fine and/or imprisonment. Third, the U.S.
Federal Rules of Evidence about hearsay, authentication, reliability and best evidence
must be understood. In the U.S. there are two primary areas of legal governance
affecting cyber security actions related to the collection of network data: (1) the
authority to monitor and collect the data and (2) the admissibility of the collection
methods. Of the three areas above, the U.S. Constitution and U.S. statutory laws
primarily govern the collection process, while the Federal Rules of Evidence deal
mostly with admissibility [10].

Digital evidence can be any information stored or transmitted in digital form. Because
you cannot see or touch digital data directly, it is difficult to explain and describe. Is
digital evidence real or virtual? Does data on a disk or other storage medium
physically exist, or does it merely represent real information? U.S. courts accept
digital evidence as physical evidence, which means that digital data is a tangible
object, such as a weapon, paper document or visible injury, that is related to a criminal
or civil incident. Groups such as the Scientific Working Group on Digital Evidence
(SWGDE) and the International Organization on Computer Evidence (IOCE) set
standards for recovering, preserving and examining digital evidence [11].

2. Project Scope

This thesis addresses software that is used for digital forensics analysis. The goal of
the thesis is to combine various existing technologies and make the necessary
enhancements for law enforcement agencies.

The first part of this thesis provides a brief overview of the necessary precautions and
requirements for data to be used as evidence in an investigation.
    Unique computer issues: special problems with computers
    Initial considerations: ascertain when a business is involved
    Value of a technical expert: involve a technical person early
    Drafting the warrant: technical and practical considerations; information
        belonging to third parties and privileged information may be found
    Execution of the warrant: on-scene personnel needed; time limit for
        execution and return
    Follow-up warrants: no warrant needed to break passwords or encryption;
        discovery of evidence of other crimes
    Consent: consent to search

The second part of this thesis provides an overview of prosecuting cases that involve:
    Devices subject to forensic examination
    Digital storage
    Forensic examination of erased or deleted files, slack spaces and
    Types of evidence

The third part focuses on the enhancement and testing of the existing software:
    EnCase

Existing Forensics Toolkits

      EnCase is one of the most popular forensic tools used by law enforcement in
       Colorado. EnCase Forensic facilitates the search, identification, collection,
       preservation, analysis and reporting of digital evidence. EnCase Enterprise
       provides network-enabled search, identification, preservation, analysis and
       reporting of digital evidence on employee computers and file servers, primarily
       for internal investigations such as fraud, HR matters and computer incident
       analysis. Both EnCase Forensic and EnCase Enterprise use the EnCase Evidence
       file format, which is the only digital evidence container that has withstood
       numerous challenges and been validated in courts worldwide [3]. Why is it so
       difficult for computer forensic tools to be accepted by the court?

      EnCase will view data in many formats (including ZIP file contents), does not
       have to be preloaded onto a system to function, and will find evidence that can
       be used in a court of law. The only way to keep EnCase from seeing what you have
       done on a system is to DoD-wipe a file upon deletion and continually wipe slack
       and free space on disks [12].

      EnCase has some new features added in 2008. Those features will be tested during
       the testing phase.

Proposed Design and Improvements

      Test and analyze some of the new enhancements (2008) made to EnCase.
      Design new queries for the EnCase tools. Users want a series of queries for their
       most popular investigation routines. Queries allow you to combine filters or
       conditions into a filter using Boolean logic. Filters are special EnScripts that
       allow you to include only the files that meet your filter conditions. Conditions
       are new starting with EnCase 5. They differ slightly from filters in that conditions
       allow the user to specify parameters with a wizard-type interface (with filters, the
       user has to work with code to achieve the same effect) [13].
      Develop a Software Project Management Plan (SPMP)
      Develop the Software Requirements Specification (SRS)
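A way to see what combining conditions into a filter using Boolean logic means in practice, as an added illustration written in Python rather than EnScript (it is not EnCase's filter or condition API and not part of this proposal's deliverables): each elementary condition is a small predicate over one file record, and all_of, any_of and not_ compose them into a single filter that is run over a table of records, the way a saved investigation routine would be. The FileRecord fields, the sample file table and the incident date are constructed for this example.

```python
"""Composing investigation conditions into one filter with Boolean logic.
Added illustration in Python, not EnScript or any EnCase API; the record
fields and the sample file table are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int           # logical size in bytes
    modified: datetime  # last-modified timestamp from the file system
    deleted: bool       # True if the entry was recovered from unallocated space


# A condition answers one yes/no question about a single record.
Condition = Callable[[FileRecord], bool]


def has_extension(*exts: str) -> Condition:
    wanted = tuple(e.lower() for e in exts)
    return lambda r: r.path.lower().endswith(wanted)


def larger_than(limit: int) -> Condition:
    return lambda r: r.size > limit


def modified_after(when: datetime) -> Condition:
    return lambda r: r.modified > when


def is_deleted() -> Condition:
    return lambda r: r.deleted


# Boolean combinators turn several conditions into one filter.
def all_of(*conds: Condition) -> Condition:
    return lambda r: all(c(r) for c in conds)


def any_of(*conds: Condition) -> Condition:
    return lambda r: any(c(r) for c in conds)


def not_(cond: Condition) -> Condition:
    return lambda r: not cond(r)


def run_filter(records: Iterable[FileRecord], cond: Condition) -> List[str]:
    """Apply the filter and return the paths of the records it keeps."""
    return [r.path for r in records if cond(r)]


# Constructed file table standing in for what a tool lists from an image.
SAMPLE_RECORDS = [
    FileRecord("C:/Users/a/report.doc", 20_000, datetime(2008, 7, 2), False),
    FileRecord("C:/Users/a/old_budget.xls", 5_000, datetime(2008, 1, 15), False),
    FileRecord("C:/Windows/System32/kernel32.dll", 900_000, datetime(2008, 8, 1), False),
    FileRecord("C:/Users/a/memo.txt", 300, datetime(2008, 6, 20), True),
    FileRecord("C:/Users/a/photo.jpg", 2_000_000, datetime(2008, 7, 10), False),
    FileRecord("C:/Temp/driver.dll", 4_000, datetime(2008, 7, 11), True),
]


def recent_documents_query() -> List[str]:
    """One saved routine: office documents or deleted files changed after the
    incident date, excluding the system's own DLLs.  The date is constructed."""
    incident = datetime(2008, 6, 1)
    query = all_of(
        any_of(has_extension(".doc", ".xls"), is_deleted()),
        modified_after(incident),
        not_(has_extension(".dll")),
    )
    return run_filter(SAMPLE_RECORDS, query)


if __name__ == "__main__":
    for path in recent_documents_query():
        print(path)
```

Because every condition and every combinator has the same signature, a routine built this way can be saved, re-run against another image, and read back as a plain statement of what was included and excluded, which is the property that matters when the filter's output has to be explained in court.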

3. Thesis Plan & Schedule
1. - Requirement analysis (August 26, 2008 - Feb 23, 2009)
      Identify and understand the problem domain
      Identify the problem
      Evaluate possible prototypes
      Define requirements
      Present proposal and obtain official approval

2. - Planning (January 3, 2009 - March 3, 2009)
      Identify and obtain resources needed
      Define thesis plan and schedule

3. - Design (January 5, 2009 - March 15, 2009)
      Design initial test prototype and evaluate design
      Refine and finalize design

4. - Implementation & Testing (February 5, 2009 - April 15, 2009)
      Create prototypes
      Test prototypes
      Refine prototypes

5. - Project Closure (April 15, 2009 - April 28, 2009)
      Present final data and obtain approval

References

  [1] Computer Forensics

  [2] Steiner, Tim. Computer Forensic Product Analysis: HELIX.

  [3] Computer Forensic Software

  [4] Martins, Ricardo. Computer Forensics with The Sleuth Kit and The Autopsy
  Forensic Browser.

  [5] Forensic Categories

  [6] EnCase

  [7] Peisert, Sean and Bishop, Matt. Computer Forensics in Forensis. ACM,
  April 2008.

  [8] NIST. Computer Forensic Tool Testing.

  [9] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search &
  Seizure Basics, Part 7, 2000c.

  [10] Nelson, Bill et al. Computer Forensics and Investigations. Canada, 2006.

  [11] Nelson, Bill et al. Computer Forensics and Investigations. Canada, 2008.

  [12] Computer Forensics. US-CERT.

  [13] Guidance Software. EnCase Legal Journal, second edition, March 2002.

  [14] Bunting, Steve. EnCase Computer Forensics: The Official EnCE, 2007.
