A journalist from South Africa recently wrote to me with a series of interesting questions about forensics and I had such fun answering that I got his permission to post his questions and my answers in this column and the next.
First, some general resources about computer forensics.
Investigating Computer-Related Crime: A Handbook for Corporate Investigators, by Peter Stephenson.
You may find some good resources in my CJ341 CyberLaw and Cybercrime course lectures at:
In particular, I recommend looking at these:
The journalist asked, “What do the people who work with computer forensics do and how do they do it?”
They collect and secure digital evidence for use in analyzing the occurrence, nature, mechanisms and perpetrators of computer security violations, some of which may be crimes. They understand how information is created and stored in different kinds of digital media, and they use specialized procedures and programs to safeguard data against damage and to find relevant data. They also understand the legal requirements for a proper chain of custody of evidence, as well as the restrictions on investigative techniques that must be observed if the evidence is to be usable in any legal proceedings.
“What sort of tricks do cyber criminals use to cover their tracks?”
Depending on whether criminals have physical access to computer systems they are manipulating, they can:
* Use false or temporary identifiers to launch attacks.
* Route their attack through several compromised systems to obscure their trail of IP addresses in the packets they generate.
* Create IP packets with falsified headers.
* Use someone else's compromised ID on the target computer or network.
* Falsify or delete log files (if they can gain root access).
* Store information in difficult-to-get-to parts of disks such as slack space.
“How do the experts sidestep logic bombs and get to the truth?”
Most forensic examiners find out if there is an uninterruptible power supply (UPS) on the computer side of the power cord; if there is not, they pull the plug to stop the computer dead without allowing any shutdown procedures that might result in damage programmed by the criminal. If there is a UPS feeding the computer directly, it may be necessary to do some work with wire cutters inside the computer casing - assuming there are no booby traps.
Once the computer has been halted, the forensic examiner typically removes the disk drive(s) and makes bit-for-bit images (copies) onto non-erasable media. These copies are preserved as primary evidence along with the original disk drive if possible. It's also possible to make a bit-for-bit copy onto a similar hard disk for experimental work. Using forensic utilities, the investigators then search the entire contents of the disk duplicate(s) looking for interesting information. The hard disk may contain a swap file; that can show part or all of the contents of live memory (RAM) at the time of the last copy to disk before the system was halted. The swap file can therefore hold evanescent information that would not normally be seen on disk, such as display or print buffers, passwords in transit through data communications channels, and so on.
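As an added illustration of the imaging-and-search step (example code written for this column, not a tool the column mentions): it copies a constructed stand-in for a seized drive bit for bit, hashes the bytes as they are read so the image can be shown to match the original and re-verified later, and then sweeps the raw image for a token, including one planted across a read boundary, which is a crude version of what forensic utilities do when they search an entire duplicate. The MARKER token and the planted offsets are my own assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 4096                    # read size; a real imager copies every sector the same way
MARKER = b"user=alice;pw="      # constructed token standing in for a credential fragment

def make_sample_disk(path):
    """Constructed stand-in for a seized drive: MARKER planted at three offsets in a
    zero-filled file, one straddling a CHUNK boundary. Returns the offsets."""
    offsets = [100, CHUNK - 3, 2 * CHUNK + 10]
    data = bytearray(3 * CHUNK)
    for off in offsets:
        data[off:off + len(MARKER)] = MARKER
    with open(path, "wb") as f:
        f.write(data)
    return offsets

def image_device(src_path, dst_path=os.devnull):
    """Bit-for-bit copy of src into dst, hashing the bytes as they are read so the image
    can be verified against the original; with the default dst it only hashes a file."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def find_all(path, needle):
    """Absolute offsets of every occurrence of needle in the image; the last len(needle)-1
    bytes of each read are carried over so hits straddling two reads are not missed."""
    hits, keep, tail, pos = [], len(needle) - 1, b"", 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            buf, buf_start = tail + block, pos - len(tail)
            i = buf.find(needle)
            while i >= 0:
                hits.append(buf_start + i)
                i = buf.find(needle, i + 1)
            tail, pos = (buf[-keep:] if keep else b""), pos + len(block)
    return hits

def run_demo():  # build the sample, image it, verify the hash, search the verified image
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.raw"), os.path.join(d, "evidence.dd")
        planted = make_sample_disk(src)
        verified = image_device(src, img) == image_device(src) == image_device(img)
        return verified, planted, find_all(img, MARKER)
if __name__ == "__main__":
    print(run_demo())   # (True, [100, 4093, 8202], [100, 4093, 8202])
```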
More in the next article.
Network World, 09/13/04