International Journal of Digital Evidence

Fall 2007, Volume 6, Issue 2

Computer Forensic Analysis in a Virtual Environment
Derek Bem, Ewa Huebner
University of Western Sydney, Australia

Abstract

In this paper we discuss the potential role of virtual environments in the analysis phase of computer forensics investigations. General concepts of virtual environments and software tools are presented and discussed. Further, we identify the limitations of virtual environments, leading to the conclusion that this method cannot be considered a replacement for conventional techniques of computer evidence collection and analysis. We propose a new approach where two environments, conventional and virtual, are used independently. Further, we demonstrate that this approach can considerably shorten the time of the computer forensics investigation analysis phase, and it also allows for better utilisation of less qualified personnel.

Keywords: Computer Forensics, Virtual Machine, computer evidence.

Introduction

In this paper we examine the application of the VMWare (VMWare, 2007) virtual environment in the analysis phase of a computer forensics investigation. We show that the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court admissible evidence. We propose a new approach in which two environments, conventional and virtual, are used concurrently and independently. After the images are collected in a forensically sound way, two copies are produced. One copy is protected using the strict chain of custody rules, and the other is given to a technician who works with it in a virtual machine environment not constrained by formal forensics procedures. Any findings are documented and passed to a more qualified person who confirms them in accordance with forensics rules. An additional advantage is that the virtual machine environment makes it easy to demonstrate the findings to a non-technical audience. An example scenario is described to illustrate our approach. We took a small Windows XP system, created a forensic image of its hard disk, and demonstrated the advantages of using two environments. The example shows that the correct application of a virtual environment approach results in less time spent on analysing the evidence, a greater chance of discovering important data, and less qualified personnel being involved in a more productive way. We decided to use only free and readily available utilities to allow everyone to repeat our experiment, and to encourage the reader to try experimenting with their own cases.

www.ijde.org

What is a Virtual Machine

A virtual machine (also known as a ‘VM’) is a software product which allows the user to create one or more separate environments, each simulating its own set of hardware (CPU, hard disk, memory, network controllers, and other components) and running its own software. Ideally each virtual machine should behave like a fully independent computer with its own operating system and its own hardware. The user can control each environment independently and, if required, network virtual computers together or connect them to an external physical network. While this approach is powerful and flexible, it requires a lot of additional resources, because each virtual computer draws on the real hardware components of the computer it runs on. It should also be noted that virtual machine software is complex, and many compromises and restrictions are to be expected. Anyone attempting to use it should have a good understanding of what can and cannot be achieved. Virtualisation is an old concept, first introduced in the 1960s with the appearance of mainframe computers. It was re-introduced to personal computers in the 1990s, and currently the major products available are: Microsoft Virtual PC (Microsoft Virtual PC 2007), the VMWare range of software tools (VMWare, 2007), the open source (free) software QEMU (Bellard, 2007), and a few others.

Computer Forensics And Virtual Machine Environments

The conventional computer forensics process comprises a number of steps, and it can be broadly encapsulated in four key phases (Kruse II & Heiser, 2002):

• Access
• Acquire
• Analyse (the focus of this paper)
• Report

During the acquire phase an investigator captures as much live system volatile data as possible, powers down the system, and later creates a forensic (bit by bit) image of all storage devices (Brown, 2005). An image of a storage device is typically acquired using one of many dd based tools (Nelson, Phillips, Enfinger, & Steuart, 2006). This image is stored in the dd format (Rude, 2000), or a proprietary format typically based on dd (Bunting & Wei, 2006). The image is an identical copy of the original disk. It should be noted, however, that the old rule where the image of a hard disk was assumed to be identical with the original hard disk does not necessarily apply today. There are many proprietary formats commonly used today which are arguably not identical with the original hard disk; they may include additional metadata like the investigator’s name, notes, or hash values. An example of a proprietary format is the recently developed and increasingly popular Advanced Forensic Format (AFF) (Garfinkel, 2005). The AFF goes even further by segmenting the original image, where each segment has a header, a name, a 32-bit argument, an optional data payload, and finally a tail. The relevance of this short image format overview is the realisation that a computer specialist's findings may also be based on examining an image which is in some ways changed, and is not identical with the original.

Because the dd image is the same as the original, it could be copied to the same or a larger hard disk, and booted on another computer system. Such an approach is impractical for recreating the original environment because of the many possible hardware combinations. If the image is booted on a machine with a different hardware configuration, the operating system would discover these differences, and attempt (in some cases unsuccessfully) to install the missing drivers. Furthermore, some installed services and software products may refuse to start, or the system could fail to boot at all. Similar issues exist in a VM environment. A VM simulates only some basic hardware components; it is not created to provide full support for a wide range of hardware devices. The acquired dd image cannot be immediately booted in a VM environment, as the VM requires additional files containing information about the environment being booted. Various software tools can solve this problem by creating the additional files with the parameters required by the VM. Some of these utilities are:

• EnCase Physical Disk Emulator (PDE), a commercial product (EnCase Forensic Modules, 2007)
• ProDiscover, a family of commercial and free computer security tools from Technology Pathways, LLC (ProDiscover, 2007)
• Live View, a free utility offered under the GNU Public License (GPL) (Live View, 2007)

There have been some attempts to use the VM environment for computer forensics data analysis (ebaca, 2006), but it appears that the suitability of the findings obtained this way as evidence in a court of law is questionable. Some investigators concluded, rather prematurely, that “VMWare has no real value as a forensic tool” (Fogie, 2004). Many changes to the original environment are required to enable the image to boot in the VM environment, and once the system is booted new data will be written to the original image, thus modifying it. An image which is known to be considerably changed would be immediately challenged in a court of law as flawed. A computer expert could argue that the changes were not relevant to the evidence being presented; however, it is unlikely that such a line of argument would be accepted by the court. The golden rule, “Create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected. Subsequent data analysis should be performed on this copy and not on the original evidence”, is undeniably broken in the virtual environment.

The Proposed Parallel Approach

Each of the four phases of the computer forensics process mentioned in the previous section is further divided into specific steps, and each has to follow strict procedures. The Australian Institute of Criminology guide (McKemmish, 1999) recommends that the process of analyzing computer evidence should comply with the following basic rules:

• Minimal handling of the original.
• Account for any change.
• Comply with the rules of evidence.
• Do not exceed your knowledge.

There is no commonly accepted computer forensic certification, but it is expected that a person conducting an analysis and presenting the report in the court is an “expert” (Meyers & Rogers, 2004) who possesses relevant specialised knowledge. We propose that the accuracy of the process can be considerably improved, and the total time required to analyse the data can be shortened, if the process is expanded to include two parallel investigative streams, as shown in figure 1. In our model we used two levels of computer forensics personnel: less experienced and more experienced, respectively referred to as ‘Computer Technician’ and ‘Professional Investigator.’ This is similar to the roles CNF Technician (Computer and Network Forensic Technician) and CNF Professional (Computer and Network Forensic Professional) in the classification proposed by Yasinsac et al. (Yasinsac, Erbacher, Marks, Pollitt, & Sommer, 2003). The modus operandi of such a team is as follows:

• The fully trained and more experienced Professional Investigator adheres strictly to computer forensics investigation methods.
• The less qualified Computer Technician does not have to strictly follow forensic rules, and never has any direct input to the formal reporting process. The role of the Computer Technician is to check the copy of the materials for anything of potential interest and then report the findings to the Professional Investigator.

Figure 1: Dual Data Analysis Process (the figure lays the four phases, Access, Acquire, Analyse and Report, over two streams: the Professional Investigator, who holds the master image, and the Computer Technician, who works in a VM environment on a copy of the master image, similar to the original)

In the analysis phase of the computer forensics investigation a copy of the acquired image is given to the Computer Technician. Their task is to boot the image in a virtual machine environment, treat it as a normal, ‘live’ system, and search for all details relevant to the investigation. The methodology used by the Computer Technician invalidates the integrity of the acquired image, but this is of no consequence to the investigation. All findings are passed to the Professional Investigator, who then uses proper computer forensics techniques to confirm the findings, and to make further data searches, if necessary. The findings of the Computer Technician are never included directly in the reporting process. The final report is created by the Professional Investigator, and it only includes the findings confirmed by proper forensic analysis. As we will demonstrate in the following simple example scenario, using the virtual machine environment in tandem with the cooperation between the Computer Technician and the Professional Investigator can deliver better results faster.

The Example Scenario

A powered off personal computer was found when the premises of a person suspected of illegal drug trafficking were searched. A computer forensics investigator was requested to assist in the case. The search warrant provided legal authority, and the investigator was asked to check the computer and find all information pertaining to drug trafficking, including details of financial transactions and any relevant letters or documents. The investigator documented the personal computer’s hardware configuration, and acquired the hard disk image using the dd utility from the HELIX bootable forensic CD (E-fense, 2007). SHA-1 and MD5 hash values and relevant case details were recorded, and the chain of custody was created according to local forensic procedures (Hart, April 2004). Two copies of the image named hda1-img3.dd were given to two people in the forensic lab:

• the Professional Investigator, who updated the chain of custody document and locked the image in a safe place,
• the Computer Technician, who updated the chain of custody corresponding to the second image, and also locked the image in a safe place.

The Computer Technician was asked to boot the image in a VM environment, and to use any suitable tools to search the booted system. To facilitate this, VMWare Server (VMWare Server, 2007), a free virtualisation product from VMWare, was installed on a separate computer. As expected, the image hda1-img3.dd could not be directly booted in the VM environment. The Computer Technician used the Live View software, see figure 2, to create the additional files needed to boot the image in the VM. Live View proved to be simple to use and reliable, but any other software with the same functionality could also be used. The Live View messages window creates a comprehensive activity log, which was copied by the Computer Technician and included in the notes. After Live View finished creating the files, it automatically offered to boot the image in VMWare.
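As an added illustration of the "additional files" the previous section and this one say a VM needs before a dd image will boot (example code written for this page, not Live View's or VMware's own), the following Python writes a flat-extent .vmdk descriptor that maps the untouched dd file, and a .vmx with only memory, the IDE disk, a CD-ROM and USB, and no network adapter. It assumes a whole-disk dd image, an IDE Windows XP guest and VMware Server-era virtual hardware version 4; the file names and geometry constants are the example's own.

```python
import os

SECTOR_BYTES = 512
IDE_HEADS, IDE_SECTORS_PER_TRACK = 16, 63   # geometry VMware reports for an IDE disk
MAX_CYLINDERS = 16383                       # ATA CHS limit; larger disks are capped here


def ide_geometry(size_bytes):
    """Translate an image size into (total sectors, cylinders) for the descriptor.
    Refuses sizes that are not whole sectors: such a file is not a whole-disk dd image."""
    if size_bytes <= 0 or size_bytes % SECTOR_BYTES:
        raise ValueError("image size %d is not a multiple of %d" % (size_bytes, SECTOR_BYTES))
    total_sectors = size_bytes // SECTOR_BYTES
    cylinders = min(total_sectors // (IDE_HEADS * IDE_SECTORS_PER_TRACK), MAX_CYLINDERS)
    return total_sectors, cylinders


def vmdk_descriptor(image_name, size_bytes):
    """Text of a monolithicFlat .vmdk whose single extent is the dd file itself."""
    total_sectors, cylinders = ide_geometry(size_bytes)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        'encoding="UTF-8"',
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description: one read-write flat extent covering the whole image.",
        "# RW means the guest writes straight into the dd file, which is why the",
        "# master copy must be kept elsewhere and never attached to a VM.",
        'RW %d FLAT "%s" 0' % (total_sectors, image_name),
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.adapterType = "ide"',
        'ddb.geometry.cylinders = "%d"' % cylinders,
        'ddb.geometry.heads = "%d"' % IDE_HEADS,
        'ddb.geometry.sectors = "%d"' % IDE_SECTORS_PER_TRACK,
        'ddb.virtualHWVersion = "4"',
        "",
    ])


def vmx_config(display_name, vmdk_name, memory_mb=256):
    """Minimal .vmx: memory, the IDE disk, a CD-ROM and USB, and no network adapter."""
    return "\n".join([
        'config.version = "8"',
        'virtualHW.version = "4"',
        'displayName = "%s"' % display_name,
        'guestOS = "winxppro"',
        'memsize = "%d"' % memory_mb,
        'ide0:0.present = "TRUE"',
        'ide0:0.fileName = "%s"' % vmdk_name,
        'ide1:0.present = "TRUE"',
        'ide1:0.deviceType = "cdrom-raw"',
        'ide1:0.autodetect = "TRUE"',
        'usb.present = "TRUE"',
        'ethernet0.present = "FALSE"',   # keep the booted image off every network
        "",
    ])


def write_vm_files(image_path):
    """Write <image>.vmdk and <image>.vmx next to the dd file; return their paths."""
    size = os.path.getsize(image_path)
    stem = os.path.splitext(image_path)[0]
    vmdk_path, vmx_path = stem + ".vmdk", stem + ".vmx"
    with open(vmdk_path, "w") as fh:
        fh.write(vmdk_descriptor(os.path.basename(image_path), size))
    with open(vmx_path, "w") as fh:
        fh.write(vmx_config(os.path.basename(stem), os.path.basename(vmdk_path)))
    return vmdk_path, vmx_path


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("wrote", *write_vm_files(sys.argv[1]))
    else:   # no image at hand: show the descriptor for a constructed 1 GiB size
        print(vmdk_descriptor("hda1-img3.dd", 1 << 30))
```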


Figure 2: Live View Window

The first boot of the hda1-img3.dd image in VMWare Server produced a series of ‘found new hardware’ messages. This was expected, as VMWare simulates different hardware than the hardware of the original Windows XP installation. New devices were identified and installed; all required drivers were common, as they were part of the standard Windows distribution, and were quickly installed without the need to provide proprietary software.


Figure 3: VMWare Server Window

After the first successful boot of the system the Computer Technician powered the virtual machine off, and installed VMWare Tools, which improve mouse operation and provide a higher VM screen resolution (see the message “You do not have VMWare Tools installed” in the bottom left-hand corner of figure 3). Before booting the system again the Computer Technician checked the virtual machine settings shown in figure 4, and noted that only four devices were installed: memory, hard disk, CD-ROM and the USB controller. Other devices available to the virtual machine were seen in the Add Hardware Wizard, but they were of no immediate interest. The Ethernet controller was not installed, thus the virtual machine was isolated from any networks and the Internet.


Figure 4: Virtual Machine Settings

Each time the system was booted the Computer Technician observed the panel which started automatically and indicated an attempt to log on to DriveHQ, as shown in figure 5. These attempts failed, as there was no Internet connection from this virtual machine.

Figure 5: DriveHQ Log On Window

The Computer Technician checked the Internet from another computer, and found that DriveHQ ("Drive Headquarters", 2007) is an Internet virtual storage service which allows a user to store a large volume of any data. To access the DriveHQ account a user name and password were required. The user name ‘kugel’ was visible in the log on panel, but the password was hidden behind a row of dots. In order to find out what the password was, the Computer Technician decided to install additional software, a ‘password revealer’, in the virtual machine. There are many password revealing tools, and they have different capabilities; in this case some of them failed to reveal the password. Finally a tool named Aqua Deskperience succeeded (Aqua Deskperience, 2007): the password was “just555me” (see figure 6).


Figure 6: Aqua Deskperience Reveals DriveHQ Account Password

The Computer Technician continued the examination of the booted system using standard Windows tools. Windows Explorer did not show any folders or files of relevance to the case being investigated. Web browser bookmarks also did not point to any Web sites which could be relevant. The Computer Technician then checked what additional software was installed on the investigated system, and discovered on the desktop an icon for the Simple File Shredder (Simple File Shredder, 2006) (see figure 7). A quick Internet check showed that Simple File Shredder is a utility that securely deletes files, making their recovery impossible.

Figure 7: Desktop icons

Two important points are worth noting here:

1. The image of the disk used to run the system is no longer identical with the image hda1-img3.dd acquired using forensically sound methods. We installed various new device drivers and new software packages (Aqua Deskperience, and possibly a few others as well). Various files and folders were ‘touched’ by checking them in Windows Explorer, and by opening them in their native applications. It would be unrealistic to argue that the image is still valid as evidence; it is now contaminated.
2. The original acquired image hda1-img3.dd is still kept in custody by the Professional Investigator; it is unchanged and forensically valid.
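Both points above, and the hash values recorded at acquisition in the scenario, come down to being able to show which copy changed. As an added example (not from the paper), the following Python records MD5 and SHA-1 once at acquisition, hands out two copies, simulates the writes a VM boot makes to the technician's copy, and re-verifies both against the record; the file names, the sample image bytes and the simulated write are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so multi-GB images never sit in memory


def image_hashes(path):
    """Return (md5, sha1) hex digests of the file at path, computed in one streaming pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def acquisition_record(path, acquired_by):
    """Chain-of-custody entry written once, when the image is acquired."""
    md5, sha1 = image_hashes(path)
    return {
        "image": os.path.basename(path),
        "size": os.path.getsize(path),
        "md5": md5,
        "sha1": sha1,
        "acquired_by": acquired_by,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_copy(path, record):
    """Re-hash a copy and compare it with the acquisition record (size and both digests)."""
    md5, sha1 = image_hashes(path)
    intact = (os.path.getsize(path) == record["size"]
              and md5 == record["md5"] and sha1 == record["sha1"])
    return {"path": path, "intact": intact, "md5": md5, "sha1": sha1}


def simulate_vm_boot_writes(path, offset=4096, data=b"NEWDRIVER"):
    """Constructed stand-in for a VM boot: the guest's writes land inside the flat image.
    A real boot writes driver, registry and log data; here a short marker is enough."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        fh.write(data)


def dual_stream_demo(workdir):
    """Acquire once, hand out two copies, boot the technician's copy, re-verify both."""
    acquired = os.path.join(workdir, "hda1-img3.dd")
    with open(acquired, "wb") as fh:            # constructed 64 KiB sample image
        fh.write(bytes(range(256)) * 256)
    record = acquisition_record(acquired, "Professional Investigator")

    master = os.path.join(workdir, "safe", "hda1-img3.dd")   # locked away, never booted
    working = os.path.join(workdir, "vm", "hda1-img3.dd")    # given to the technician
    for copy in (master, working):
        os.makedirs(os.path.dirname(copy), exist_ok=True)
        shutil.copyfile(acquired, copy)

    simulate_vm_boot_writes(working)   # technician boots it in VMware; copy is now contaminated

    return {
        "record": record,
        "master": verify_copy(master, record),
        "working": verify_copy(working, record),
    }


def run_demo():
    """Run the demo in a throw-away directory and return the verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        return dual_stream_demo(tmp)


if __name__ == "__main__":
    result = run_demo()
    for name in ("master", "working"):
        status = "intact" if result[name]["intact"] else "CHANGED"
        print("%-8s %s  sha1=%s" % (name, status, result[name]["sha1"]))
```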


The Computer Technician reported to the Professional Investigator the following basic findings:

• It is likely that there are not many traces of any files of interest to the investigation, as the person using the computer installed a secure deletion tool. It is possible that all such files have been irrecoverably erased.
• It is likely that materials of evidentiary value were not kept on the computer, as the owner had a virtual Internet storage account which allowed them to keep all data on a remote server.
• It was possible to recover the user name and password to the remote storage system account.

Using this information the Professional Investigator can now confirm all the findings using forensically sound methodology and proper forensics software tools. The remote account on DriveHQ can be accessed from another computer, and all files stored there copied and examined. The hda1-img3.dd disk image can still be analysed with computer forensics software for any traces of unshredded files, with the knowledge that the likelihood of finding anything of value is small and large amounts of time should not be dedicated to this task.

Conclusion

The simple scenario presented above demonstrates that the cooperation between two teams equipped with different sets of tools, and using personnel with different levels of expertise, can produce much faster results, and will lessen the workload of highly qualified Professional Investigators. The Professional Investigator using proper computer forensics tools and techniques would most likely achieve the same results working in a conventional setup, without using a virtual environment and without the help of a Computer Technician. However, the described method of using two environments, conventional and virtual, could save time and increase the chances of finding important evidence. If only conventional image analysing techniques were used in the presented example scenario, considerable skills and significantly more time would be required to find the DriveHQ account, the user name and password. The same information was in plain view when the Computer Technician booted the investigated image in VMWare, and the technician used commonly available tools (e.g. the password revealer) to search the investigated system. It was then considerably easier for the Professional Investigator to benefit from the initial findings, and to conduct a forensically sound and properly documented search on the image. An additional advantage for an organization is that technical personnel can be exposed to computer forensics techniques in stages, without compromising real evidence, yet at the same time providing genuinely valuable input to the process. This approach can also be seen as part of an internal training process, where a person with little computer forensics experience, but good technical knowledge, is not immediately given the responsibilities of a Professional Investigator, but is first introduced to the forensic process by conducting investigations in a virtual environment.


In this paper we described the process of using conventional and virtual environments in the analysis phase of computer forensics investigations. We also proposed the ground rules for cooperation between the Computer Technician and the Professional Investigator. We believe that future research is needed to better formalise the whole process, with emphasis on what is expected from the Computer Technician. Future research in the area is also required to more thoroughly test other available virtualisation software tools, and to find their strengths and weaknesses.

© Copyright 2007 International Journal of Digital Evidence

About the Authors

Derek Bem, MElecEng Warsaw, MIEAust, CPEng (d.bem@scm.uws.edu.au) is a Lecturer in the School of Computing and Mathematics at University of Western Sydney, Australia. Derek has extensive experience in the computer industry, where he worked in IBM and other companies as a hardware and software engineer. Derek is currently coordinating UWS teaching in the Computer Forensics area.

Ewa Huebner, MElecEng Warsaw, PhD Sydney, MACS (e.huebner@scm.uws.edu.au) is a Senior Lecturer in the School of Computing and Mathematics at University of Western Sydney, Australia. Ewa has extensive experience teaching computer science subjects, and she is currently leading the UWS Computer Forensics research group. The UWS computer forensics web site can be found at http://www.scm.uws.edu.au/compsci/computerforensics/.

References

Deskperience. (2007). Aqua Deskperience. Retrieved 20 January 2007, from http://www.deskperience.com/aqua/index.html
Bellard, F. (2007). QEMU. Retrieved 17 January 2007, from http://fabrice.bellard.free.fr/qemu/index.html
Brown, C. L. T. (2005). Computer Evidence: Collection & Preservation. Hingham, MA: Charles River Media.
Bunting, S., & Wei, W. (2006). EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (1st ed.). Indianapolis, IN: Wiley Publishing.
CERT, Software Engineering Institute. (2007). Live View. Retrieved 12 February 2007, from http://liveview.sourceforge.net/
Drive Headquarters. (2007). Retrieved 2 November 2006, from http://www.drivehq.com/
ebaca. (2006). Penguin Sleuth Kit Virtual Computer Forensics and Security Platform. Retrieved 28 November 2006, from http://www.vmware.com/vmtn/appliances/directory/249
E-fense. (2007). The HELIX Live CD Page. Retrieved 9 February 2007, from http://www.e-fense.com/helix/
Fogie, S. (2004). VOOM vs The Virus (CIH). Retrieved 12 March 2005, from http://www.voomtech.com/VOOM_vs_The_Virus.html
Garfinkel, S. (2005). The Advanced Forensic Format 1.0. Retrieved 13 November 2006, from http://www.afflib.org/affdoc.pdf
Guidance Software. (2007). EnCase Forensic Modules. Retrieved 25 January 2007, from http://www.guidancesoftware.com/products/ef_modules.asp
Hart, S. V. (April 2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved from http://www.ojp.usdoj.gov/nij/pubs-sum/199408.htm
Kruse II, W. G., & Heiser, J. G. (2002). Computer Forensics: Incident Response Essentials (1st ed.). Addison Wesley Professional.
McKemmish, R. (1999). What is Forensic Computing? Australian Institute of Criminology.
Meyers, M., & Rogers, M. (2004). Computer Forensics: The Need for Standardization and Certification. International Journal of Digital Evidence, 3(2).


Microsoft. Microsoft Virtual PC 2007. Retrieved 22 February 2007, from http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
Nelson, B., Phillips, A., Enfinger, F., & Steuart, C. (2006). Guide to Computer Forensics and Investigations (2nd ed.). Boston, MA: Thomson Course Technology.
Rude, T. (2000). DD and Computer Forensics. Retrieved 23 October 2003, from http://www.crazytrain.com/dd.html
scar5 Software. (2006). Simple File Shredder. Retrieved 15 December 2006, from http://www.scar5.com/
Technology Pathways, LLC. (2007). ProDiscover. Retrieved 2 January 2006, from http://www.techpathways.com/
VMWare. (2007). VMWare. Retrieved 14 February 2006, from http://www.vmware.com/
VMWare. (2007). VMWare Server. Retrieved 15 February 2006, from http://www.vmware.com/products/server/
Yasinsac, A., Erbacher, R. F., Marks, D. G., Pollitt, M. M., & Sommer, P. M. (2003). Computer Forensics Education. IEEE Security and Privacy, 1(4), 15-23.

www.ijde.org

13

Similar Documents

Free Essay

Computer Forensics

...Computer Forensics Through the Years Prof. Pepin Galarga Computer Forensics Sep 11, 2010 Table of Content Introduction …………………………………………………………………………………Page 2 The Early Years……………………………………………………………….......................Page 3 Early Training Programs …………………………………………………………………....Page 4 Typical Aspects of Computer Forensic Investigations ……………………………………..Page 5 Legal Aspects of Computer Forensics …………………………………………..……...…..Page 6 Conclusion ………………………………………………………………………………….Page 7 References………………………………………………………………………………..…Page 8 Introduction If you manage or administer information systems and networks, you should understand computer forensics. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive. Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry. As a result, it is not yet recognized as a formal “scientific” discipline. Image by Flickr.com, courtesy of Steve Jurvetson Computer forensics is the study of extracting, analyzing and documenting evidence from a computer system or network. It is often used by law enforcement officials to seek...

Words: 1382 - Pages: 6

Free Essay

Computer Forensics

...computer forensics Background of Computer forensics: What is most worth to remember is that computer forensic is only one more from many forensic subdivisions. It’s not new, it’s not revolution.. Computer forensics use the same scientific methods like others forensics subdivisions. So computer forensics is not revolution in forensic science! It’s simple evolution of crime techniques and ideas. Forensic origins: Forensic roots from a Latin word, “forensic” which generally means forum or discussion. In the reign of the Romans, any criminal who has been charged with a crime is presented before an assembly of public folks. Both of the complainant and the defendant are to present their sides through their own speeches. The one who was able to explain his side with fervent delivery and argumentation typically won the case. It is important to realize that computer forensics is only one subdivision of forensic science. It is digital, it includes most advanced computer science but still it is only branch of forensic science, an its main goal is  submission of the proven claims of scientific methods and strategies to recover any significant digital traces. Computer Forensic Timeline: 1970s • First crimes cases involving computers, mainly financial fraud 1980’s • Financial investigators and courts realize that in some cases all the records and evidences were only on computers. • Norton Utilities, “Un-erase” tool created • Association of Certified Fraud...

Words: 4790 - Pages: 20

Free Essay

Computer Forensics

...Computer Forensics The world of crime has expanded right along with the explosion of the internet. The modern cyber criminal has veritable global playground in which to steal money and information from unsuspecting victims. Computer forensics is a quickly emerging science against the increasingly difficult battle to bring criminals to justice who perpetrates crimes on others. The computer forensics field is a relatively new investigative tool but enjoys continual advances in procedures, standards, and methodology which is making the identification, preservation, and analyzing of digital evidence a powerful law enforcement apparatus. The job of the cyber forensic professional is to look for clues the attacker left behind on web sites, servers, and even the e-mail message itself that will unravel their sometimes carefully woven veil of secrecy. Attackers come in all forms and from a variety of different circumstances. For instance, an attacker can begin a phishing scam with only a web server they control with very little programming experience and a way to send a lot of e-mail messages. (Jones 4) In order to combat the waves of cyber-attackers, we must utilize Open Source Community applications to combat the continual onslaught of infections, exploitations, and trickery employed everyday against our systems and networks. Today's attacker uses a variety of technologies to employ their methods and understanding those abilities is integral to preparing for an investigation...

Words: 2742 - Pages: 11

Premium Essay

Computer Forensic Analysis and Repor

...Computer Forensic Analysis and Report Nathaniel B. Rollins Jr Kaplan University Computer Forensics I/CF101 Prof: Tatyana Zidarov November 19, 2012 Computer Forensic Analysis and Report A. INTODUCTION I Nathaniel B. Rollins a Computer Forensic Specialist (CFS) with the Metro Police Department (MPD) received a file image from Officer X to conduct a search for electronic evidence. Which he stated was copied from the SNEEKIE BADINUF (COMPLAINANT) computer, with consent. This was verified through COMPLAINANT statement, repot, consent to search form, and chain of custody, provided by Officer X, along with the request for analyzing the evidence. Upon reviewing of her statement filed on May 14 2006, the COMPLAINANT stated she had received an email from a correspondent named NFarious that demanded $5000 in ransom, or the animals would be harmed. The COMPLAINANT also stated her pets had been gone for an entire week, and she was worried that the abductor may already have injured the animals. During a subsequent interview the COMPLAINANT stated that she took out a $20,000 insurance policy on her pets in September 2005 that would not be active for 6 month. The purpose of this investigation is to confer or negate the COMPLAINTANTS involvement with the kidnaping of the animals. B. MATERIALS AVAILABLE FOR REVIEW a. 1 Chain of Custody b. Evidence Log c. Complainants Statement d. Officers Report e. Forensic Disk Image of Computer f. Photos (location...

Words: 1176 - Pages: 5

Premium Essay

Assignment 4 Computer Forensics Tools

...Assignment 4 Computer Forensic Tools Derek Jackson Computer Crime Investigation Professor: Dr. Jessica Chisholm 03/06/2016 When purchasing computer forensics tools and resources for a company, you always want to make sure you are doing the necessary research and determining which of these programs are the best options for the company. This is very important job in any company as you are in charge of not only protecting the company’s data with these tools, but also recovering any information that may have been lost or deleted. There are many programs that are available that can be used to recover deleted files. Two of the programs that you could use are the MiniTool Partition Recovery and PC Inspector File Recovery. The MiniTool Partition Recovery is a free program that has a wizard-based interface which makes it very easy and straightforward to use and understand. You can point the MiniTool Partition Recovery at the problem drive, specify the area to be searched, and it will scan for the missing partition. Then a report will generate that will let you know what the program has found, and you can then recover that partition in a few seconds typically. The only downfall is that you won’t get a bootable recovery disk, so if the partition is damaged then the MiniTool Recovery program won’t be able to recover the deleted partition. The PC Inspector File Recovery allows you to be able to recover a full set of missing files on both FAT and NTFS drives. They are clearly...

Words: 1005 - Pages: 5

Free Essay

Computer Intrusion Forensics

...Computer Intrusion Forensics Research Paper Nathan Balon Ronald Stovall Thomas Scaria CIS 544 Abstract The need for computer intrusion forensics arises from the alarming increase in the number of computer crimes that are committed annually. After a computer system has been breached and an intrusion has been detected, there is a need for a computer forensics investigation to follow. Computer forensics is used to bring to justice those responsible for conducting attacks on computer systems throughout the world. Because of this, the law must be followed precisely when conducting a forensics investigation. It is not enough to simply know an attacker is responsible for the crime; the forensics investigation must be carried out in a precise manner that will produce evidence that is amicable in a court room. For computer intrusion forensics many methodologies have been designed to be used when conducting an investigation. A computer forensics investigator also needs certain skills to conduct the investigation. Along with this, the computer forensics investigator must be equipped with an array of software tools. With the birth of the Internet and networks, computer intrusion has never been as significant as it is now. There are different preventive measures available, such as access control and authentication, to attempt to prevent intruders. Intrusion detection systems (IDS) are developed to detect an intrusion as it occurs, and to execute countermeasures when detected...

Words: 9608 - Pages: 39

Free Essay

Computer Forensics Analysis Project

...Computer Forensics I (FOR 240-81A) Project #3 Case Background The Suni Munshani v. Signal Lake Venture Fund II, LP, et al suit is about email tampering, perjury, and fraud. On December 18, 2000, Suni Munshani (Plaintiff) filed a suit against Signal Lake Venture Fund. Mr. Munshani claimed that he was entitled to warrants in excess of $25 million dollars from Signal Lake. In February 2001, Signal Lake Venture Fund II, LP, et al. (Defendant) became privy to the court filings in this case. Within the filings there was an email provided by Mr. Munshani from Hemant Trivedi, CEO of one of the portfolio companies, stating he was indeed entitled to the warrants. Mr. Trivedi denied any knowledge of the email, or any such communication with Mr. Munshani. In an effort to prove their innocence, Signal Lake hired a computer forensic group to conduct a private investigation. The investigation did not show any evidence of the supposed email provided to the court by Mr. Munshani. Mr. Trivedi filed an affidavit stating that the email was forged, while Mr. Munshani filed an affidavit stating the email was real. In March 2001, a computer forensics expert, Kenneth R. Shear, was appointed by the court to perform a forensic examination on the questioned message (the message provided by Mr. Munshani) and the comparative message (a second message from Mr. Trivedi found on Mr. Munshani’s computer). Mr. Shear worked for a company called Electronic Evidence Discovery, Inc. (EED). Mr. Shear’s forensic...

Words: 799 - Pages: 4

Premium Essay

Essay On Computer Forensics

...Abstract: The rising era of computers and other technologies such as the internet and gadgets has explosively increased the number of cybercrimes and other crimes committed using technology. The growth of computer forensics has been a huge success in controlling those crimes which are committed using computers. The main task of computer forensics is to examine and collect electronic data as evidence from a crime scene. The work of computer forensics is to recover the data which has been hacked or lost by criminals using different systems. The growing dependency on computer forensics has decreased cybercrime, and professionals have to understand the computer technology that is used in computer forensics. Introduction Forensics has its roots in a Latin word, "forensic", which...

Words: 870 - Pages: 4

Premium Essay

Computer Forensics Operational Manual

...COMPUTER FORENSICS OPERATIONAL MANUAL 1. Policy Name: Imaging Removable Hard Drives 2. Policy Number/Version: 1.0 3. Subject: Imaging and analysis of removable evidence hard drives. 4. Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers. 5. Document Control: Approved By/Date: Revised Date/Revision Number: 6. Responsible Authority: The Quality Manager (or designee). 7. Related Standards/Statutes/References: A) ASCLD/LAB Legacy standards 1.4.2.5, 1.4.2.6, 1.4.2.7, 1.4.2.8, 1.4.2.11, and 1.4.2.12. B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 4.13.2.4, 5.4.1.1, 5.4.1.2, 5.4.2.1. C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 5.4.5.2, 5.4.7.2 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a). 8. Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops. 9. Policy Statement: A) No analysis will be performed without legal authority (search warrant or consent form). If not submitted, the examiner must contact the investigator to obtain the necessary legal authority. B) Forensic computers are not connected to the Internet. C) All forensic archives created and data recovered during examinations are considered evidence. D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes...

Words: 731 - Pages: 3

Free Essay

Computer Forensics Case Analysis

...Project 1 Case Analysis CCJS321 The two cases I have chosen to analyze for Project One are the Max Ray Butler aka "Iceman" cybercrime case and the Albert Gonzalez cybercrime case. I have chosen these two cases because they both had significant impact on the computer forensics field. Both of these cybercrimes are similar in nature because both deal in credit card and identity theft on the grandest scale. Max Ray Butler and Albert Gonzalez were brought to justice after many years of a cyber-forensic investigation that went through a network of multiple U.S. agencies, including the FBI, US Secret Service and US-CERT (United States Computer Emergency Readiness Team) of the Department of Homeland Security, who were all networked together at the National Computer Forensic Training Academy in Pittsburgh, Pennsylvania. Both of these men were given the longest prison sentences ever handed out by a judge for computer crimes of their notoriety and magnitude. Finally, they both set a blueprint for digital forensic investigators of the proper procedures to follow in order to capture future want-to-be crime lords. Max Butler aka "Iceman" was a white-hat hacker that went rogue. His story is that "he was a good hacker hired by the government to test the security of one of their websites; while doing that job he installed a backdoor to their system that would allow him to come in later so he could make some fixes to the system on his own time. Well of course this second part of the...

Words: 1323 - Pages: 6

Free Essay

Assignment 1: Computer Forensics Overview

...Assignment 1: Computer Forensics Overview CIS 417 Computer Forensics Computer forensics is the process of investigating and analyzing techniques to gather and preserve information and evidence from a particular computing device in a way that it can be presented in a court of law. The main role of a computer analyst is to recover data including photos, files/documents, and e-mails from computer storage devices that were deleted, damaged or otherwise manipulated. Forensics experts work on cases involving crimes associated with internet-based concerns and the investigations of other potential possibilities on other computer systems that may have been related or involved in the crime, to find enough evidence of illegal activities. Computer experts can also use their professional knowledge to protect corporate computers/servers from infiltration, determine how the computer was broken into, and recover lost files in the company. Processes are used to obtain this information, and some of the processes are as follows: * Investigation process: Computer forensics investigations will typically be done as part of a crime that allegedly occurred. The first step of the investigation should be to verify that a crime took place. Understand what occurred in the incident, assess the case, and see if the crime leads back to the individual. * System Description: Next step, once you have verified the crime did occur, you then begin gathering as much information and data about the specific...

Words: 1397 - Pages: 6

Premium Essay

Computer Forensics and Cyber Crime

...Computer Forensics and Cyber Crime Author Institution Computer Forensics and Cyber Crime A security survey or audit can also be referred to as a vulnerability analysis. A security survey is an exhaustive physical examination whereby all operational systems and procedures are inspected thoroughly (Fischer & Green, 2004). A security survey involves a critical on-site examination and analysis of a facility, plant, institution, business or home to determine its current security status and its current practices' deficiencies or excesses, to determine the level of protection needed, and to recommend ways of improving overall security levels. A security survey can either be done by in-house personnel or by external security consultants. However, outside security experts are preferred, as their approach to the job would be more objective and would not take some parts of the job for granted, therefore resulting in a more complete appraisal of current conditions. A security survey/audit should be carried out regularly so as to keep improving and stay up to date, especially with the growing rate of technology. The overall objectives of a security survey are: determination of the current state of security, locating various weaknesses in the security defenses, determination of the level of protection required, and finally giving recommendations for the establishment of a total security program (Fischer & Green, 2004). Some weaknesses identified in the process of a security survey may be: vulnerability...

Words: 686 - Pages: 3

Free Essay

Computer Forensics

...Effortless English What is the most important English skill? What skill must you have to communicate well? Obviously, number 1 is Fluency. What is fluency? Fluency is the ability to speak (and understand) English quickly and easily... WITHOUT translation. Fluency means you can talk easily with native speakers-- they easily understand you, and you easily understand them. In fact, you speak and understand instantly. Fluency is your most important English goal. The research is clear-- there is only ONE way to get fluency. You do not get fluency by reading textbooks. You do not get fluency by going to English schools. You do not get fluency by studying grammar rules. The Key To Excellent Speaking Listening Is The Key To get English fluency, you must have a lot of understandable repetitive listening. That is the ONLY way. To be a FANTASTIC English speaker, you must learn English with your ears, not with your eyes. In other words, you must listen. Your ears are the key to excellent speaking. What kind of listening is best? Well, it must be understandable and must be repetitive. Both of those words are important-- Understandable and Repetitive. If you don't understand, you learn nothing. You will not improve. That's why listening to English TV does not help you. You don't understand most of it. It is too difficult. It is too fast. It's obvious, right? If you do not understand, you will not improve. So, the best listening material is EASY. That's right, you should listen mostly...

Words: 1404 - Pages: 6

Premium Essay

Computer Forensics Tools

...Computer Forensics Tools Strayer University E-Support Undelete Plus is powerful software that can quickly scan a computer or storage medium for deleted files and restore them on command. It works with computers, flash drives, cameras, and other forms of data storage. Deleting a file from your computer, flash disk, camera, or the like does not mean it is lost forever. Software doesn't destroy files when it deletes; it simply marks the space the file was using as being available for re-use. If nothing has needed that space since the deletion, the data is still there and the file can be recovered. Simply scan the device, select the files you want to recover, and click a button to restore the information (Softpedia, 2013). The interface Undelete PLUS is geared up with is very nice and easy to handle. In the right panel, there is the Drives tree. The user can change the view to file types (MP3, PDF, RTF, RAR, ZIP, XML, PNG, etc.) or to folders. In the left, all the files Undelete PLUS was able to detect will be displayed. The software will inform you of the state of the files it has detected. This way, you will know that if the status reads "very good" then there still is a chance of recovering that file. "Overwritten" status means that the respective file is either corrupted or cannot be recovered. Additional information tells you about the size of the file, format, path, and date of its creation and modification. The software is capable of recovering entire...

Words: 1755 - Pages: 8

Free Essay

A History of Modern

...Guide to Computer Forensics and Investigations Fourth Edition Chapter 7 Current Computer Forensics Tools Objectives • Explain how to evaluate needs for computer forensics tools • Describe available computer forensics software tools • List some considerations for computer forensics hardware tools • Describe methods for validating and testing computer forensics tools Evaluating Computer Forensics Tool Needs • Look for versatility, flexibility, and robustness – OS – File system – Script capabilities – Automated features – Vendor's reputation • Keep in mind what application files you will be analyzing Types of Computer Forensics Tools • Hardware forensic tools – Range from single-purpose components to complete computer systems and servers • Software forensic tools – Types • Command-line applications • GUI applications – Commonly used to copy data from a suspect's disk drive to an image file Tasks Performed by Computer Forensics Tools • Five major categories: – Acquisition – Validation and discrimination – Extraction – Reconstruction – Reporting Tasks Performed by Computer Forensics Tools (continued) • Acquisition – Making a copy of the original drive • Acquisition subfunctions: – Physical data copy – Logical data copy...

Words: 2076 - Pages: 9