Computer Forensic is very similar to a post-Mortem examination for finding reasons of death. Difference is:
1. Here you have a Computer/Router/Switch/Firewalls/IDS/Hard/Disk/CD/USB/Floppy/Windows Event logs/Proxy server logs/DHCP server logs/Mobile phone/Camera Flash Memory in place of human body.
2. In place of finding reasons of “Death”, we try to:
- Track down the author of a threatening email. (by a psychopath or a terrorist)
- Recover files intentionally deleted by a disgruntled employee.
- Determine the root cause of a computer compromise. (hacker)
In-house Computer Forensics/Digital Forensics
In-house Computer Forensics/Digital Forensics capabilities are must for companies and enterprises. It helps in investigating data leak incidents, intellectual copy right thefts and other critical incidences. Companies dealing with sensitive customer information like credit card numbers, and other financial information would not like to involve an outsider for Computer Forensics.
Different Tools required for the Forensic?
At a minimum, you will need:
- An acquisition tool to perform forensic duplications (back-up) (Example: FTK Imager (new name AccesData), Encase (Windows based GUI or LinEn or DOS Boot), Hardware: Logicube
- Deleted data recovery tool
- Basic text search and manipulations/analysis tools
- A data integrity verification tool
- Complete packages such as EnCase, the NTI suite, and The Coroners Toolkit (TCT) offer support and court-proven solutions for the computer forensic analyst.
- Certification programs from organizations like SANS
Locations where digital evidence may be found include the following:
- The suspect’s machine
- In the case of a hacking incident, the target machine
- Switches, routers, firewalls, and other network devices
- Log servers (proxy logs, DHCP logs, and Windows event logs)
- Media (floppy disks, CD-Rs, CompactFlash cards)
- Other electronic devices (PDAs, cell phones, digital cameras)
Encase is a Computer Forensics/Digital Forensics tool from Guidance Software ( http://www.guidancesoftware.com). It includes tools for data acquisition, deleted data recovery, search & analysis and integrity verification.
Here are some basic steps for carrying out Computer Forensics using Encase:
1. Assume we need to do Forensic Analysis of a compromised/crime-suspected Computer
2. For a computer there are several components for which Computer Forensics can be carried out, such as Disk Drive (DD), RAM, USB storage device, etc. Here, we will focus on Disk Drive only
3. Data Acquisition: The first step a Computer Forensics investigation is to acquisition of the evidence. That is: to obtain a bit-wise replica of the disk drive without compromising its integrity. To ensure integrity of the disk drive, all write-operation must be blocked while imaging. For this, combination of acquisition/imaging software such as EnCase or FTK Imager along with a hardware based Write-Blocker bridge such as Tableau Bridge (http://www.tableau.com/) can be used.
Common Forensics Acquired File Formats are:
a) DD /RAW (“Disk Dump”)
b) AFF (Advanced Forensic Format)
c) E01 (EnCase )
To acquire image with EnCase and Tableau Bridge:
1. Shutdown the crime-suspected computer. Disconnect the target disk drive from and connect to EnCase host system through Tableau Bridge in Read-Only mode.
2. Open EnCase and create a new Case. Click Add Device and navigate to the target disk drive through ‘Local Drives’ icon. Acquire image of the disk drive by right clicking and choosing ‘Acquire’
3. The image is stored in EnCase format chunks: E01, E02, E03,…etc.
Note: EnCase for DOS Utility (DOS based) and EnCase LinEn Utility (Linux based) are available in form of bootable disks. Crime-suspected computer can be shutdown and rebooted from these bootable disks. These bootable disks allow acquisition of data with software based write-blocker.
4. Data Verification: At the completion of the acquisition process, EnCase calculates an MD5 hash. The hash value is written into the evidence file. When we add evidence file to a case, the CRC value is automatically verified and the hash value for the evidence data is recomputed. It helps to ensure that evidence file has not changed since it was acquired.
If you have been provided with a Raw Image (example: DD format Disk Image created through FTK Imager) and its hash value or without hash value, then you can compute hash value through md5deep.exe utility from www.md5deep.sourceforge.net for future references:
md5deep -e filename-dd.001
5. Now, Open EnCase and create your Case
6. If you have got Raw Image, then go to File menu and select “Add Raw Image” ; or if you have got EnCase evidence images, then select to add EnCase evidence files
7. Select the type of image as shown in above image: for Example: Disk
8. Deleted files recovery: EnCase allows for the analysis of data located at various locations on the disk image, such as unallocated space and slack space. With the use of multiple file viewers, files can be quickly searched and identified. , EnCase can also recover remnants of deleted or partially overwritten files.
9. Adding Keywords: Encase provides a search engine to locate information anywhere on the disk image. It is recommended to create a keyword list prior to beginning the case. Starting the Search. EnCase allows GREP (regular expression) search expressions also. We can set keywords by choosing View > Keywords from the main menu.
Search Hits can be found by selecting Cases > Search Hits.
10. By right-clicking and selecting Bookmark, importantfindings can be bookmarked. The bookmarked data can be accessed directly at Cases >Bookmarks
Here are some tips for using EnCase:
- Installation: if after installtion of Encase, you find no “Add raw Image” option in File menu: then probably your HASP Dongle drivers could not install properly. Check it and install it from CD.
- Avoid running Encase on image located at a USB HDD. You may get performance related issues & frequent Encase-hangs. Better first copy the image to your Local SATA/IDE HDD.
- filename-dd.001 : it is a raw image by FTK imager. To do Encase Forensic on this raw image: Go to File menu and select “Add Raw Image”. Then, select Image Type as Disk as shown in image below. Do not select the default that is ‘None’, it will not show Directory/folders graphically. Note: It may take several minutes to load the directory structure, so have patience.
- You can switch from Table view to Disk view. It gives good idea of files chunks.
- You can save your Case at every step of Forensics.
- IP Address Analysis:robtex.com is a very good online DNS Tools collection.Its Blacklist Tab shows whether the IP/site is blacklist or not.