Friday, 25 March 2011

CYBER FORENSIC



CYBER FORENSIC


Assessment of Cyber Crime Technologies

Available to Law Enforcement
Introduction

The purpose of this task is to identify technology-related tools, methods, and information that are presently being used by, or may otherwise be available for use, by law enforcement agencies in investigating cyber crimes. The use of a computer to create and store information leaves behind “electronic footprints” that can actually make or break a criminal case. Sensitive data such as e-mail, documents, temporary files, passwords, time and date stamps, and other potentially valuable information are written to remote locations on computer hard disk drives and
floppy disks as part of the normal operating process. Most perpetrators are unaware that such information exists, and, therefore, are extremely careless in covering their tracks.
The tools, technology, and software that are currently available for use in uncovering “electronic footprints” are described here. The techniques employed and, where, appropriate, the limitations of these investigative aids are identified. It is important for investigators to know how these tools work and what they can and cannot expect them to do. Computer forensic specialists provide the legal profession with services that allow them to use the seized computer or computer data in court or in their discovery process. These specialists follow strict guidelines in order to provide acceptable data to the court. Descriptions of those guidelines are outside the scope of this paper. However, all
reputable computer forensic investigators follow some basic practices for the preservationof crime scene evidence.

Tool Selection and Assessment Criteria

The types of tools that are discussed were chosen based on our research of currently available technologies that purport to have features and capabilities that may be beneficial to cyber crime investigators. To complete our research, we have interviewed law enforcement personnel, monitored newsgroups and list servers, reviewed developer and vendor information, searched the Internet, and utilized selected tools. While there are many tools currently available, the majority of tools are not widely used by law enforcement.

      We have attempted to identify the majority of forensic tools that are currently available and used by cyber crime investigators. But, the field is evolving, changing, and
advancing at a brisk pace, and we anticipate that the number of tools that are available atthe time of this writing will not reflect the tools that will become available in the near
future.

Cyber Forensic Investigation Methodology
Goals of an Investigation
The current methodology in the investigation of a computer suspected to have been involved in a crime includes:
Identify sources of evidence;
0 Preserve evidence;
0 Extract evidence;
0 Examine/analyze evidence;
0 Organize/report results.
This applies to the investigation of traditional, as well as non-traditional crimes. In the event of a system attack or compromise (a non-traditional crime), it is desirable to gather
additional evidence that will allow the investigator?

To understand how the intruder is entering the system, and possibly where the attack may have originated;
To gather as much evidence of the intrusion as possible;
To ensure that all applicable logs and evidence are preserved;
To discover why the intruder chose the computer;
To obtain information that may narrow the list of suspects;
To obtain the information to justify a trap and trace of the phone line the intruder is using or to procure a subpoena to obtain information from an ISP.
To this end, law enforcement currently uses tools that fall into the following categories.
0 Computer Forensic Tools & Techniques:
o Evidence Collection & Preservation Tools
o Evidence Extraction Tools
o Evidence Examination Tools
o Evidence Organization Tools
0 Incident Forensic Tools & Techniques:
o Statically Linked Binaries

document the accuracy of the system clock as soon as the investigation begins. The correctness, or incorrectness, of the current system time could be a valuable piece of
information when attempting to establish a timeline of events based on file times.
A suspect may have purposely reset the system time in an attempt to throw the
investigator off of the track. Time zone differences or day light savings time changes could also be sources of system clock inaccuracies. When reviewing the dates and times that files were created, modified or last accessed, the current system time information is vital.

Evidence Collection and Preservation Assessment

Although there are many cyber forensics tools available for collecting and preserving evidence from an evidentiary computer, there are limitations to their effectiveness.
0 Today’s off-the-shelf software backs up evidence slowly, and is prone to errors that often require that the duplication process be repeated.
0 Significant technical savvy is required, and in some cases, expensive specialized
training by the software vendor is necessitated.
0 The backup is not always reliable, and often requires the investigator to use separate software programs to ensure authenticity with cryptographic certainty.
0 Backing up large hard drives or multiple computers may be impossible or infeasible, as the data cannot be contained on a single backup device.

Evidence Extraction

Evidence extraction represents one of the most mature technological areas within the forensics arena, though the current tools and methodologies for the extraction process are
not necessarily systematic, and approaches to the investigative process are greatly dependent upon the case under investigation.
Evidence Extraction Tools
Hidden Data Recovery Tools

The second step in the cyber forensics process is evidence extraction. The initial task conducted within the area of extraction involves the location and retrieval of certain types
of ‘hidden”” data. These types of utilities selectively seek out and identify areas within the storage media containing one or more of the types of data from the following list:
‘lo Hidden data is found in areas of the electronic storage media that are not normally accessible by the operating system; the operating system does not retain an active reference to this data.

Deleted files
Slack space
Unallocated memory
Swap space
Temporary files
Temporary Internet cache files
Hidden files

Deleted Files

When a user deletes a file, two things happen; the reference to that file is eliminated (erased) from the file allocation table; the first letter of the file name contained in the directory listing is changed to a ‘special character’ (usually E5 hex). However, the data in that specific storage area remains unchanged until it is overwritten with new data.

Slack Space

Disk storage space is divided into ‘sectors’; these sectors are usually 512 bytes in size. When a file is stored, it may not take up the entire 512 bytes of that particular sector. That
remaining area sits unused by that file. This unused area is referred to as slack space. Slack resides between the end of the file stored in that sector, and the end of the physical
sector.

Unallocated Memory

Allocated memory contains data that is currently ‘in use’, having a corresponding file entry in the file allocation table. Conversely, unallocated clusters may contain data, but
this data is not stored in disk space that the system’s file allocation table currently recognizes as being in use. Therefore, although unallocated memory frequently contains residual data, until it is eventually overwritten to store new data.

Swap Files

Windows-based systems utilize a swap file, temporarily allocated space on the hard drive, which is written to when active memory”’ resources are low, to extend the capacity of
RAM. This is a file that can hold complete documents, emails or other data that can be of significant interest in an investigation.

Temporary Internet Cache Files

Web browser applications (Le. Internet Explorer) retain various temporary files, Internet cache, favorites (bookmarks) and history files. These files provide a ‘record’ of visits to
Internet sites. They also keep copies of other files that were viewed on that site, including all graphic files from that site.

Hidden Files

By changing the attributes of a file, it is possible to hide files that common DOS or WINDOWS commands (such as dir - directory listing) will not reveal to the user. The hidden file will not be displayed, and the casual user may not find its contents.
Hidden files are those that are traditionally sought during the initial stage of a cyber crime investigation, and the capability to locate and extract this type of information is a core requirement for any forensic tool.

Other Extraction Tools

What follows are those additional capabilities that further the processing of the collected data. Historically, the following tasks were done manually, and were very labor intensive. But, as the capabilities of forensic tools have evolved, many tools now automate one or more of the following functions.

File Identification and Processing

A common technique for hiding a file is to ‘change’ the file from one type to another by renaming the file, and appending a different file extension. Forensic practitioners need the ability to identify these changes to the file’s extension. The utility will compare the file’s current extension (e.g. .me) with the file’s actual ‘signature’ in the file header”* to determine if an attempt has been made to ‘hide’ the file. For example, if a file was created as an Adobe Acrobat (.pd! document, and the
extension was later changed to .jpg, the utility will identify that file as being s~spicious.”S~e veral forensic tool suites will examine and compare file signatures with
file extensions.

Known File Filtering

Examining computer files is one of the most time-consuming and labor-intensive activities performed during a forensic analysis. The challenge is to sift through and eliminate the extraneous data as quickly as possible, leaving only that data that bears


further investigation. This should be completed through the use of a technique referred to as known file fi~tering.”~
Known file filtering eliminates from consideration those files that are commonly found on systems, including commonly used utilities, tools and applications (as an example, the
Microsoft Office Suite). The filtering tool creates a hash value for every file encountered on the evidentiary media, and compares that value previously created hashes of common
files known not to have any evidentiary value. File filtering tools, using a Reference Data Set (RDS) of known file profiles and
signatures, can eliminate a high percentage of files from criminal investigations, allowing
investigators to concentrate on those files that are not eliminated through the file filtering
process.

The National Software Reference Library (NSRL)”’ project has created a database of known file profiles and signatures that can be used as a reference data set in legal proceedings concerning criminal evidence investigation, software piracy, copyright
infringement, child pornography, etc. The library provides four different hash values for each application in its library. The algorithms used to produce these hash values are
CRC32, MD4, MD5 and SHA-1. A list of products in their RDS is available for download. I Another function closely related to known file filtering involves the comparison of the
newly created file hash values to a database of hash values for files that have been predetermined to be illegal (such as child pornography images). “The German Federal Criminal Police (Bundeskriminalamt - BKA) have supported the creation and maintenance of German software called PERKEO. PERKEO was developed in order to reduce the time-consuming
work of analyzing computers that are suspected to contain child
pornography. It produces checksums (comparable to electronic
fingerprints) of files that were classified definite child pornography according to German law. The checksums are integrated into a regularly updated database, and used as a basis of comparison when analyzing media seized during an investigation of child pornography. At present, this
database comprises about 14,000 checksums of child pornography, and about 4,000 check sums of bestiality files, as the distribution of bestiality is punishable according to German law.””*

File filtering programs can also be used to identify the use of specified applications. A search for the presence of these programs could lead to evidence of criminal activity. As
an example, the use of a sophisticated graphics program like Photoshop or Illustrator could be an indication that forgery or counterfeiting is taking place.”’

Descriptions of the tools include explanations of how the tools extract benign files, how files are flagged for the investigator, and integrity assurance capabilities of the tools.

Special File Formats

When analyzing the data, investigators may encounter files and images that they cannot view. During the initial forensic search, the investigator may not recognize encrypted data, various compressed data formats, password-protected files and teganographic files. The data requires additional processing, as these types of files are not written to the disk
in plain text, and search utilities cannot identify text data stored in these file formats. Additionally, various other formats12’ require special translators or viewers in order to be examined. Manual evaluation of these files is required, and in the case of encrypted files and steganographic carriers, much work may be involved. Investigators need to be technically prepared to deal with evidence found in these conditions.

Encryption Identification Tools

Recently, encryption technology has developed rapidly and has become very popular. Encryption plays a role in protecting confidential or personal information. However,
criminals may also use encryption to protect their computer records and e-mail communications, which make an investigators job even harder. Before any attempt can be
made to open an encrypted file, it must first be identified within the storage media.
Without the proper tool to locate an encrypted file, it may appear as random, meaningless
characters.

Decryption Tools

There are many commercially available decryption programs that purport to break a variety of encryption schemes. The ability to break a particular scheme is directly related
to the length of the encryption key; the longer the key, the more difficult it will be to
break.

A discussion of decryption technology is beyond the scope of this paper. But, it should be noted that the Digital Millennium Copyright Act may hinder the use of existing tools, as
well as further research into developing better tools for law enforcement purposes.
From a legal standpoint, there is serious concern related to the production of admissible evidence from encrypted data. It must be prove beyond reasonable doubt that the decryption method or technique used was the right one, and that it has produced the correct information from the encrypted data.”’ At this time, there are no decryption programs that can accomplish this with any legal certainty. Given the large number of encryption programs, and the even greater number of encryption possibilities, it will continue to become increasingly more difficult to break encrypted code, and extract admissible evidence for prosecution.

CompressionDecompression Utilities

There are many different applications that will of compress files. Data compression is used quite frequently in backup utilities, spreadsheet applications, and database management systems, to name a few. But, data compression can also be used to hide
and/or disguise ‘sensitive’ data. An investigator must be aware that data may be compressed using any one of the many formats, be able to recognize it, and be equipped with the proper tools in order to decompress and obtain the information contained therein. Assuming the file extension has not been changed, the investigator should be able to identify compressed files based upon the extension of that file.Iz2

Password Recovery Utilities

Some password-protected files can be manipulated in a manner to remove or expose the password. There are many products and services on the market that claim to ‘crack’ the passwords for a variety of applications. Vendors of multiple file-type password
applications include Access Data,Iz3 Lost Password,’z4 Office Recovery,’2s and Elcomsoft.’26 Their products claim to recovery the passwords for a large number of
Applications.

No computer forensic products available today currently incorporate password recovery applications within their toolkits. However, this is not to say that the functionality is not
available through the vendor as a plug-in to their product.’”
These utilities vary in price, with the high-end recovery kits approaching one thousand dollars, so they may be prohibitively expensive from a law enforcement perspective.

Steganography’28D etection Tools

When examining a computer seized as evidence, a law enforcement investigation could be seriously hindered by the possible use of steganography. A suspect, using
steganography, could embed evidence in innocuous files, thus avoiding dete~ti0n.I~T’h is could a particularly difficult problem when investigating a child pornography suspect, as
the only tangible evidence that may be used against him is the possession of the actual images. If these images are ‘hidden’ within other files, no observable evidence may be
located. In order to prevent this threat, investigators must have access to steganography detection and extraction tools. At this time, very few applications exist in the area of steganalysis.
In order to attempt to defeat steganography, investigators must have access to these
utilities. tool that is currently available and two steganography detection tools that are, at the time
of the writing of this report, in developmental stages.

Virus Detection Capabilities

Seized computer hard disk drives and floppy disks should be scanned for the presence of malicious code, such as viruses or worms, that could potentially contaminate both the
evidentiary media and the analyst’s work station. Any viruses found should be documented (the name of the virus, and it’s location on the media), and then removed to
avoid future threat of contamination.
Current forensic tool suites do not include virus-detecting capabilities. Instead, they require the use of third party virus scanning software.

 Evidence Extraction Assessment

While this may be the most developed area for forensic processing capabilities, it is evident that there are many areas in need of work within evidence extraction. The initial extraction capabilities of the forensic tools are quite adequate. That is, locating, identifying and collecting the contents from those portions of storage media that are not accessible by common computing techniques (deleted files, slack and unallocated
space). When identified, these areas can be searched for keywords that are relevant to the case at hand.
Once this task has been accomplished, it is at this point where the tools show their weaknesses. Most forensic tools are incapable of identifying those special file formats that may contain additional information related to the cyber crime.
The reason forensic tools cannot yet find many types of data is that they do not have the ability to identify or open files in their logical format in order to view the contents of the
file, as with compressed files, or those in the Adobe Acrobat format. Even those tools that can identify special formats are limited in the types and number that they recognize. Many times, it is up to the investigator to supply additional file signatures to the utility in order to enable the product to seek out these formats. Once identified, the investigator is then again limited in the viewing capabilities of the individual products. Most will only view a handful of file formats. This leaves the
investigator the added burden of seeking out and obtaining file viewers that support the given format. There is an urgent need for expanded universal file type identification. A broad array of technologies exists in the extraction area, and significant investments, from both public and private sources, have been made in creating these technologies. But, there is limited multi-platform support (i.e. Windows, Solaris, Linux, mobile, and
network extraction) within a common class of tool. Furthermore, there are a limited number of qualified personnel who are skilled in using these tools. Clearly, more tools need to be developed to meet these requirements, and more individuals need to be trained in using both the tools that currently exist and those that are being or will be developed.
Investigators need be aware that encrypted data and various compressed data formats will not allow searches until the data is uncompressed or decrypted. There is a need for forensic tools that can assist in decrypting data, breaking passwords, or accessing protected information contained in electronic organizers, which are becoming more popular. If the data owner refuses to turn over the encryption keys, the investigator is
forced to try and “break” the encryption. This type of brute force attack is time consuming, costly, and often doesn’t work. Successful brute force attacks depend on the strength of the encryption algorithm and the strength of the password. There are very limited rudimentary tools available to aid in breaking passwords and encryption algorithm.If there is any back door access to these devices, the investigators must procure it from
the manufacturers and software vendors.

Evidence Examination

Once the digital evidence has been imaged and filtered during the extraction phase, the cyber forensic investigator must refine and further examine what has been collected. During the examination phase, the investigator uses the available tools to target specific digital evidence. A number of forensic tools exist that allow investigators to further control their search for evidence in the storage media. The examination of a computer should be a methodical process. By doing some initial
groundwork, an investigator can save time and make the examination more successful. “Knowing what information to search for in a forensics examination involves a mixture
of background investigation, deductive reasoning, and common sense.”130 “Depending on the particular crime being investigated, and its relationship with various computer applications, there can be a number of specific files
types to look for. As an example, when investigating child pornography, a search should be conducted not only for the graphic images, but any associated communication and transfer programs that might have been used to capture, download, modify, view and produce the image. Programs and files such as e-mail attachments, original compressed files, news & file retrieval agents, browser programs, dial-up information, file
captures, session logs and many others can have a wealth of valuable information. Associated computer evidence found in various computer files can and often will reveal the time, date, manner, location, email address, history logs, web site, file transfer location, IP Internet address and other useful inf~rmation.”’~’ Due to the shear size of modem hard-disk drives, it is all but impossible for a computer investigator to manually view and evaluate every file on a computer hard drive.
Therefore, investigators need to use specialized forensic tools to locate relevant evidence, and to shorten the time it takes to complete the in~estigati0n.l~~

Evidence Examination Tools

Evidence examination tools aid the investigator in sifting through all of the collected evidence in order to locate those files that have relevance to the case being investigated. Many of the same search type tools that are used during the extraction phase are used during this phase. The difference is that the investigator has now refined his search, so that it focuses on specific pieces of relevant data or information.
The investigators use their experience and training to search the computer for documents, deleted files, images, e-mail, slack space and unallocated disk space that will provide them with evidence. Additional ‘metadata’’33 related to these files must also be collected, such as creation, access, modification and deletion dates, to aid in the creation of a timeline of activity. There are very few tools specifically designed to aid in this process.

File Listing Utilities

A simple listing of all active and deleted fiies stored on the suspect computer can be of great use to the investigator, as the mere name given to a file can help direct the investigator to an area worth further examination. In general, these programs can be used to determine the makeup of a computer hard disk drive. The applications typically create a file list upon the completion of the scanning function. All files and directories are included (as well as deleted ones). They can capture drive, path, file names, times, and dates. The investigator can then browse or search for specific file names, extensions, or creation dates.
Certain utilities have options for viewing directory folders and files, including a Windows Explorer-like tree structure view, and a table containing every file in a given case. The information for each file, such as name, attributes, type, size and creation date is displayed.

Keyword Search

“When analyzing retrieved information, computer forensic specialists look for keywords and phrases within the stream of data obtained during a search. They are trying to determine if the computer was being used to store important information such as dates, phone numbers, names of contacts, etc., in order to piece together materials and provide evidence to support strategies. The keywords, in many cases, are the words of the
street, for example, drug “street talk,” arsonist vocabulary, child pornography descriptors, slang phrases, or other criminal language.

In addition to using keywords to find evidence, investigators must also search for words that would affect their ability to examine a document or file, because that file contains information that may be privileged. For example, in the search of a person’s house for paper documents that may be incriminating, detectives use care to ensure they do not examine
documents that are communications between the suspect and his spouse, attorney or priest. The same care must be taken when examining electronic
document^."'^^ Certain keyword search programs provide the ability to search ‘in context’, that is, the ability to see terms identified by the search, and several words on either side of the term. In this way, the investigator is able to discern the context within which a word or phrase is used, to determine if the usage of the term is relevant to the investigation. contains information on six types of keyword search tools available and the extent of
their search capabilities. The description of the keyword search tools also explains the level of versatility of the respective tools (e.g., options to search slack space, abilities to
make the searches case sensitive, etc.).

Dictionary/KeyWord List

While all of the previously mentioned tools allow the user to create or import their own custom word lists for the application, very few come with pre-compiled lists of words and
phrases that would be associated with a specific crime. The investigator must take the time to generate the set of search terms. This step can be very time consuming. The investigator’s time would better be spent on other tasks. Few forensic tools ship with dictionaries of words and phrases categorized by predefined cyixr crime types135.

File Extension Searches

A file extension is the string of characters that follows the ‘dot’ in a file name. These are used to identify the file format to the computer. The computer recognizes the extension, and uses the associated application to open that file. The ability to sort data by specific file formats (identified by the extension) is a time saving feature, and allows the investigator to quickly locate relevant information.

Often, the analysis focuses on looking for specific types of files. As an example, if an investigator were looking for a letter that the accused criminal may have written, he would do a search on file extensions such as .txt for a plain text document, .doc for a
Microsoft Word document, or .wpd for a Microsoft Wordperfect document. Many tools that do keyword searches also allow the investigator to do searches based on
file extensions.

Other Searches

The standard Find command permits a search for occurrences of a specific word, such as ‘child’. But sometimes, instead of searching for a specific word or phrase, it is more
beneficial to search for a certain ‘pattern’ of characters used in a word or phrase. This pattern could be any word that starts with ‘c’ and has just four letters; or, any word ending with ‘d’ and having five letters, and the second and third letters are within the a certain range of letters (such as the first half of the alphabet). In like manner, the investigator can search for patterns or ‘general formats’ within files, such as telephone numbers, IP addresses, or credit card numbers. Additional delimiters, such as a country, or a word that starts with a specific letter, can narrow the search. If a pattern can be conceived and described, it can be searched. These types of searches are known as wildcard searches, regular expression searches or grep-type searches.


FileAmage Identification and Viewing Utilities

Once suspect files have been extracted, they are now in need of further examination. File viewers that will recognize and allow the viewing of many different file formats are used.
Viewing tool options may include file type selection, file header examination, and file size range. The ability to identify image files quickly is crucial, as images are a very important piece of evidence in child pornography cases, as well as many other types of cyber crimes. In general, tools in this category have the following capabilities:
Powerful file-viewing capabilities, supporting over 250 different file formats.
Displays images of .bmp, .jpg, .gif, and Aflformats.
Allows a rapid review of graphic files by the user; the user need only set a minimum file size as criteria of the search.

Most computer forensic tools or suites do not include an accompanying or integrated image viewer, and those that do are limited in the number of supported images. Most investigators must resort to third party image viewers during the course of their investigation. Several good third-party viewers are on the market, including Quickview Plus, ThumbsPlus, ACDsee, and IFRANv~~w.’~~ In some cases, a recovered file may have a valid header, but corrupted or incomplete data (a ‘partial image’; as an example, lOKb of an original 80Kb imageI3’) can confuse the
viewing program. Many viewers will not display partial files. But, for .gif and .jpg, ThumbsPlus, IRFANview, or Quickview Plus will usually displays partial images.

Evidence Examination Tools Assessment

Evidence viewing requires the investigator to have numerous software programs to view a large variety of file types in their natural format. There are no tools currently available
which act as a universal file format viewer. This makes it difficult for the investigator, especially if the suspect has been using obscure or outdated software to create files and
documents. A universal information viewer is needed, as well as utilities that will associate uncommon file extensions with the specific program used to create that file
type. This feature would be useful, as it is not possible for an investigator to have every native application used to create every file type. At this time, there are no standard taxonomies of words, phrases, data formats, or data
organization that can be applied to specific crimes under investigation and used to search the data. Without them, data searching is rudimentary and very time consuming.
There is also no tool available that allows investigators to identify possible authors based upon their known writings, i.e. vocabulary, grammar, or style. While investigators are under an obligation not to examine privileged information, there
is currently no way for them to know that what they are about to read is privileged, without actually reading it.
As the use of digital evidence becomes more prevalent in court cases, it will be increasingly necessary to develop cyber forensics tools to meet these needs.

 Evidence 0rganization

The organization of digital evidence is critical to any investigation. An investigator must be able to take a piece of evidence and determine how it fits in the larger framework of
the case. This is true whether the evidence is digital or non-digital. The correlation of digital and non-digital evidence is critical to many cases. It is rare that one single source
will provide enough evidence to solve a case. In most cases involving digital evidence, it is easy for the investigator to become swamped by so much data that it is hard to decipher the key pieces of information. It becomes the proverbial ‘search for the needle in a haystack’. With proper case management and information chaining, the investigator can narrow his search to the most likely sources of key evidence. Unfortunately, today, because of the lack of integrated tools, and limited availability investigative software in general, the investigator must
spend a disproportionate amount of time performing manual case management and reporting tasks.

Evidence Organization Tools

Evidence organization tools allow investigators to correlate evidence in several different ways:
0 Among separate investigators/investigations
0 Among digital and non-digital evidence
0 Among separate locations
0 Among separate incidents and or suspects
One of the main reasons that evidence organization is a crucial step in the computer
forensic process is the need for case management. Case management involves the day-today organization of digital and non-digital evidence. When a new piece of evidence is located there are many tasks that need to be completed.
The evidence must be checked for accuracy.
The evidence must be compared to other evidence.
The evidence must be properly documented and stored.
The evidence must be analyzed to determine if it provides leads to other pieces of
potential evidence. The admissibility of evidence must be examined. A strict chain of custody must be established.
A way of proving the evidence’s authenticity must be utilized, i.e. digital signatures.
Many of these tasks must currently be performed manually and are time consuming. By using forensic evidence organization tools, an investigator can practice better case management. These tools can assist an investigator with organizing the forensic evidence

that they find, and help them follow the necessary steps that need to be taken to get the evidence ready for trial.

Link Analysis Tool

The key operation in an investigation is not just the collection of evidence, but understanding how each piece of evidence relates to another. Linking analysis is a very important tool in the investigative process. The ability to create linked charts provides a powerful case visualization tool. These
computer-based link charts enable an investigator to create sub-links, allowing the expansion or collapse of the main chart. Multiple views permit analysts to alternately focus on the main issues, or to examine the background information in detail.
Some of the capabilities of these tools include link analysis or association charts, commodity flow charts, activity charts, network or high volume link analysis charts, timeline/sequence of events charts, case flow/transaction charts, and combined charts showing events and flows. The charts that are produced make it easier for the investigator to document the evidence as they progress with the investigation. This allows them to get
a better understanding of the case, and could result in the investigator being able to solve the case much faster. By using this software, an investigator can draw associations between seemingly disparate pieces of evidence, and make it presentable in a court of
law.

 Time Lining

“In the investigation of a criminal case involving a computer or
computers, the time-line of “computer events” may provide critical information relating to the prosecution of involved persons. Timelines of computer usage can provide valuable information about the computer user and the sequence of events tied to the computer or multiple computers.
This information can help to pinpoint the location of certain individuals, can assist with the determination of alibis, can undercover conversations and correspondences, and ultimately may help to determine the guilt or innocence of those facing criminal charges. The following computer events or evidence may provide direct clues to not only the means, but also the motive, of a criminal act.
0 Content or update time of electronic documents & files
Time and content of e-mail communications and messages
Information about system logon and logoff events Indication of access to specific Internet documents or sites Content of communication with known individuals in chat rooms or through
other collaborative means
Evidence of document destruction or hiding
Knowledge of the forwarding of messages to external devices such as pagers,
voice mail accounts or fax

Time Lining Utilities

While many of the utilities that provide file listing and searching provide the ability to sort files based on specific time-related criteria (date created, modified, last accessed),
they do not provide additional functionality for further analysis of this list. These utilities view and sort a file list. They provide a timeline analysis of file dates and
times regarding files from one or multiple computer hard disk drives and floppy disks. With it, the investigator can:’39
0
Create a timeline of activity based on file access dates;
Create a timeline of activity based on file creation dates;
Create a timeline of activity based on file modification dates;
Create a timeline of activity associated with deleted files.
There are very few tools in this specific area of cyber forensics. Encase has some
features, including a time lining feature released in version 3.0, which help the
investigator organize evidence, but most stand alone tools do not offer any help in this area.

Evidence Organization Tools Assessment

While there are several methodologies currently being used to organize and manage digital evidence, the available tools have limitations that can curtail the effectiveness and
efficiency of an investigation. As of yet, there are no tools available that automatically correlate non-digital evidence
with digital evidence (including phone records, credit card receipts, eye witness testimony, Internet Service Provider (ISP) records, or other forensic evidence).
There is no tool that can effectively correlate computer information from the same computer or case, or make associations among cases or evidence files. Tools need to be developed to help deal with the sheer volume of digital evidence created by even small networks of computers.


No comments:

Post a Comment