I am the student of International Advanced Diploma in Computer Studies (IADCS). In this course, I have to do Compute Forensic assignment. The assignment title is “Didsbury Mobile Entertainments LTD”. This assignment helps me understanding computer forensics investigation and techniques
Before this assignment, although I am interested in computer forensic, I am hardly used computer forensics toolkit or done any investigation. Because of this assignment, I have learnt many techniques how to investigate computer and done it practically. So, by doing this assignment, I have gained in practical and much valuable knowledge in Computer Forensics.nd a heartfelt thanks to all the people in Myanma Computer Company Ltd. for their warmly welcome during the period of the IADCS course and this assignment developed.
DIDSBURY MOBILE ENTERTAINMENTS LTD
No(5), Duku place, Singapore Jan 10, 2010
Computer forensics involves obtaining and analyzing digital information for figuring out what happened, when it happened, how it happened and who was involved. What is more, it is use as evidence in civil, criminal, or administrative cases.
Reasons for a need for computer forensic investigation
Computer forensics investigation can recover thousands of deleted mails, can know when the user log into the system and what he does, can determine the motivation and intent of the user, can search keywords in a hard drive in different languages and can gain evidence against an employee that an organization wished to terminate. For these reasons, in order to know whether Jalitha has been spending her time on her friend business or not, we need a computer forensic investigation.
Steps to pursue the investigation
In order to pursue the investigation, I would take the following steps:
1) Secure the computer system to ensure that the equipment and data are safe
2) Find every file on the computer system, including files that are encrypted, protected by passwords, hidden or deleted, but not yet overwritten.
3) Copy all files and work on this copy files as accessing a file can alter its original value
4) Start a detailed journal with the date and time and date/information discovered
5) Collect email, DNS, and other network service logs
6) Analyze with various computer forensics tools and software
7) Print out an overall analysis
8) Evaluating the information/data recovered to determine the case
After we know the reasons and steps for investigation, then we should move on to conduct the investigation. However, we should note that the first step of investigation is critical as if the system is not secure, then the evidence or data we found may not be admissible.
ii - a) Report for “The procedures to make sure the evidence holds up in court”
DIDSBURY MOBILE ENTERTAINMENTS LTD
No(5), Duku place, Singapore
Jan 12, 2010
Evidence is any physical or electronic information (such as computer log files, data, reports, hardware, disk image, etc) that is collected during a computer forensic investigation. The purpose of gathering evidence is to help determine the source of the attack, and to introduce the evidence as testimony in a court of law.
Procedures to make sure the evidence holds up in court
In order to make the evidence admissible in court, we need to follow the following steps:
1) Before any evidence can be gathered, a warrant must be issued so that forensic specialist has the legal authority to seize, copy and examine the data
2) Have the responsibility to ensure that the law and the principles we used are met
3) Evidence must be obtained in a manner which ensures the authenticity and validity and that no tampering had taken place
4) Tracking the chain of custody is essential for preparing evidence as it shows the evidence was collected from the system in question, and was stored and managed without alteration.
5) Extracted/ relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
6) Preventing viruses from being introduced to a computer during the analysis process
7) To ensure that original evidence must be described in complete details to present reliable evidence on the court
8) Must arrange to answer reliability questions relating to the software we have used
In gathering evidence, authenticity, reliability and chain of custody are important aspects to be considered. By following the above steps, we are proper in handling the evidence holds up in court.
ii - b) Evidence form
Didsbury Mobile Entertainments Ltd
Win Pa Pa Aye
Nature of Case:
Company's policy violation case
Location where evidence was obtained:
On suspect's office desk
Description of evidence:
Model No./ Serial No.
A 4GB flash memory device
Evidence Recovered by:
Win Pa Pa Aye
Date & Time:
Evidence Placed in Locker:
Date & Time:
Evidence Processed by
Description of Evidence
Win Pa Pa Aye
Fully recovered deleted email on the drive which is sent to Radasa's company, including data exchange between the businesses.
Win Pa Pa Aye
Encrypted document hidden inside a bitmap file. Decrypted and saved on another media.
Win Pa Pa Aye
Password-protected document covering the exchange of information with her friend. Password cracked and file saved on another media.
Report for “the way the data is stored, boot tasks and start up tasks for Windows and Linux systems”
To effectively investigate computer evidence, we must understand how the most popular operating systems work in general and how they store files in particular. The type of file system an operating system uses determines how data is stored on the disk. The file system is the general name given to the logical structures and software routines used to control access to the storage on a hard disk system and it is usually related to an operating system. To know the way the data is stored in Windows XP and Linux, we need to get into file systems of Windows and Linux.
The way the data is stored in Windows XP
In Windows XP, although it supports several different file systems, NTFS is the primary file system for Windows XP. So, we will have a look in NTFS as the NTFS system offers better performance and features than a FAT16 and FAT 32 system.
NTFS divides all useful places into clusters and supports almost all sizes of clusters - from 512 bytes up to 64 Kbytes. And NTFS disk is symbolically divided into two parts - MFT (Master File Table) area and files storage area. The MFT consumes about 12% of the disk and contains information about all files located on the disk. This includes the system file used by the operating system. MFT is divided into records of the fixed size (usually 1 Kbytes), and each record corresponds to some file. Records within the MFT are referred to as meta-data and the first 16 records are reserved for system files. For reliability, the first three records of MFT file is copied and stored exactly in the middle of the disk and the remaining can be stored anyplace of the disk. The remaining 88% of disk space is for file storage. Below is the partition structure of NTFS system.
After we know the file system of Windows XP, then we will move on to the file system of Linux.
The way the data is stored in Linux
When it comes to Linux file system, ext2 has been the default file system as it main advantages is its speed and extremely robust. However, there is a risk of data loss when sudden crashes occur and take long time to recover. Sometimes the recovery may also end up with corrupt files. By using the advantage of ext2 and add some data loss protection and recovery speed led to the development of journaling file system - ext3 and ReiserFs. Though ext2, ext3 and ReiserFs are the most popular file system, there are also some other file system used in the Linux world such as JSF and XFS.
As Linux views all file systems from the perspective of a common set of objects, there are four objects - superblock, inode, dentry and file. The superblock is a structure that represents a file system which includes vital information about the system. Moreover, it includes the file system name (such as ext2), the size of the file system and its state, a reference to the block device, and meta-data information. It also keeps track of all the nodes. Linux keeps multiple copies of the superblock in various locations on the disk to prevent losing such vital information.
Every object that is managed within a file system (file or directory) is represented in Linux as an inode. The inode contains all the meta-data to manage objects in the file system. Another set of structures, called dentries, is used to translate between names and inodes, for which a directory cache exists to keep the most-recently used around. The dentry also maintains relationships between directories and files for traversing file systems. Finally, a VFS (Virtual file system) file represents an open file (keeps state for the open file such as the write offset, and so on).
While the majority of the file system code exists in the kernel (except for user-space file systems), (2.3) shows the Linux file system from the point of view of high-level architecture and the relationships between the major file system-related components in both user space and the kernel.
The boot task and start up task of Windows XP
A good understanding of what happens to disk data at startup is also an important aspect as accessing to a computer system after it was used for illicit reasons can alter the disk evidence. First, we will discuss about the Windows XP startup and boot process, and then shift into the startup and boot process of Linux.
Like any other PC system, Windows XP startup by running the POST test, performing an initialization of its intelligent system devices, and performing a system boot process. The boot process begins when the BIOS starts looking through the system for a master boot record (MBR). This record can reside on drive C: or at any other location in the system. When the BIOS execute the master boot record on the hard drive, the MBR examines the disk's partition table to locate the active partition. The boot process then moves to the boot sector of that partition located in the first sector of the active partition. There, it finds the code to begin loading the Secondary Bootstrap Loader from the root directory of the boot drive.
In NTFS partition, the bootstrap loader is named NTLDR and is responsible for loading XP operation system into memory. When the system is powered on, NTLDR reads the Boot.ini file. If boot.ini contains more than one operating system entry, a boot menu is displayed to the user, allowing the user to choose which operating system is to be loaded. Fig (2.4) shows Boot.ini contains two operating systems and allows user to choose.
After the user has selected the desired mode to boot to, NTLDR runs Ntoskrnl.exe and reads Bootvid.dll, Hal.dll and the startup device drivers. After the file system driver has loaded, control is then passed from NTLDR to the kernel. At this time, Windows XP display Windows logo.
Virtually, all applications we installed using the default installation decide that they should start up when windows starts. Under “Startup” tab in the system configuration utility, a list of programs that run when our system boots is listed. Fig (2.6) shows the listed program when our system boots.
The boot task and start up task of Linux
After we have get into the start up process of Windows XP, we will then shift into the startup process of Linux. In Linux, the flow of control during a boot is also from BIOS, to boot loader, to kernel. When you turn on the power, the BIOS perform hardware-platform specific startup tasks. Once the hardware is recognized and started correctly, the BIOS loads and executes the partition boot code from the designated boot device, which contains Linux boot loader.
Linux Loader (LILO) is the Linux utility that initiates the boot process, which usually runs from the disk's MBR. LILO is a boot manager that allows you to start Linux or other operating systems, including Windows. If a system has two or more operating systems, LILO gives a prompt asking which operating system the user wishes to initialize.
When the user chooses the boot option, it then loads the choosing operating system into memory. The boot program, in turn, reads the kernel into memory. When the kernel is loaded, the boot program transfers control of the boot process to the kernel. The kernel then performs the majority of system setup (memory management, device initialization) before spawning separately, the idle process and scheduler and the init process which is executed in user space. The scheduler takes control of the system management. The init process executes scripts as needed that set up all non-operating system services and structures in order to allow a user environment to be created, and then presents the user with a login screen.
We have described about the way the data stored, the boot task and startup task of Windows XP and Linux. After a thorough study of these areas, we can acquire or handle the evidence properly.
a) Features comparison of “EnCase, Access Data's Forensic and ProDiscover”
Features of Guidance EnCase Forensic
* In courts worldwide, forensically acquire data in a sound manner using software with an unparallel record
* Using a single tool and investigate and analyze multiple platforms
* With prebuilt EnScript® modules such as initialized Case and Event Log analysis, it can automate complex and routine tasks, so it save time in analyzing
* Find information despite efforts to hide, cloak or delete
* Can easily handle large volumes of computer evidence, view all relevant files that includes deleted files, file slack and unallocated space
* Directly transfer evidence files to law enforcement or legal representatives as necessary
* Include review options that allow non-investigators to review evidence easily
* Include report options that enable quick report preparation
Features of Access Data's Forensic Toolkit
* Provides integrated solution that is no need to purchase multiple tools to complete a case.
* Provides integrated database that avoid application crashes, lost work and product instability.
* Identify encrypted files automatically from more than 80 applications and crack those files.
* Supports international language that allows us easily search and view foreign-language data in our native format
* Include email analysis that can recover and analyze a wide range of email and web mail formats
* Can generate different industry-standard report formats quickly and concisely
* Collect key information from the registry that include user information, date of application installed, hardware, time zone and recently used information
* While processing takes place, we can view and analyze data
Features of ProDiscover
* To keep original evidence safe, it create bit-stream copy of disk for analyzing that includes hidden HPA section
* For complete disk forensic analysis, it search files or entire disk including slack space, HPA section and Windows NT/2000/XP alternate data streams
* Without alter data on the disk, it can preview all files including metadata and hidden or deleted files
* Support for VMware to run a captured image.
* In order to ensure nothing is hidden, it examine data at the file or cluster level
* To prove data integrity, it can generate and record MD5, SHA1 and SHA256 hashes automatically.
* Examine FAT12, FAT16, FAT 32 and all NTFS file systems including Dynamic Disk and Software RAID for maximum flexibility.
* Examine Sun Solaris UFS file system and Linux ext2 / ext3 file systems.
* Integrated thumbnail graphics, internet history, event log file, and registry viewers to facilitate investigation process.
* Integrated viewer to examine .pst /.ost and .dbx e-mail files.
* Utilize Perl scripts to automate investigation tasks.
* Extracts EXIF information from JPEG files to identify file creators.
* Automated report generation in XML format saves time, improves accuracy and compatibility.
* GUI interface and integrated help function assure quick start and ease of use.
* Designed to NIST Disk Imaging Tool Specification 3.1.6 to insure high quality.
AccessData FTK v2.0
Guidance EnCase Forensic 6.0
Report for Choosing Access Data's Forensic Toolkit
I think Access Data's Forensic Toolkit is the most beneficial for our lab as it provides more forensic examination features than Encase and ProDiscover. In the evidence aspects, Access Data can acquire files and folders than others. So, it can be a powerful tool when we analyze files for evidence. Moreover, it uses database to support large volume of data that can avoid application crashes, lost work and product instability for our lab.
As Access Data is a GUI-based utility that can run in Windows XP, 2000, Me, or 9x operating system and it demo version has most of the same features as full-licensed version, use multi-threading to optimize CPU usage, has task scheduler to optimize time and can view and analyze data while processing takes place, it meets the requirements of our lab. What is more, it supports international language so we can retrieve data no matter which languages they are using.
On top of that, it is powerful in searching, recovery, email and graphic analysis. Because of these reasons and by viewing the above forensic tools comparison chart, I can conclude that Access Data's Forensic Toolkit is the most beneficial for our lab.
b) Forensic Analysis
Report for “Analyzing FAT32, NTFS and CDFS file system Using Access Data's FTK”
a) MD5 hash values of bmp, doc, xls files
All hash values generated by the MD5 before modification is not the same with the hash value generated after modification.
b) Why hash values are same or different
A hash value is a numeric value of a fixed length that uniquely identifies data. Data can be compared to a hash value to determine its integrity. Data is hashed and the hash value is stored. At a later time or after the data has been received from mail, the data is hashed again and compared to the stored hash or the hash value it was sent to determine whether the data was altered.
In order to compare the hash values, the original hashed data must be encrypted or kept secret from all untrusted parties. When it compared, if the compared hashed values are the same, then the data has not been altered. If the file has been modified or corrupted, the MD5 produces different hash values.
In task 4 (a), first we created a doc file with data in this file, then we generated hash values of doc file with MD5. The hash value of info.doc file is da5fd802f47c9b5bbdced35b9a1202e6. After that, we made a modification to that info.doc file and regenerate the hash values. The hash value after modifying is 01f8badd9846f32a79a5055bfe98adeb. The hash value is completely different after modifying.
Then we created a cv.xls file and generated the hash value. Before modifying, the hash value is ef9bbfeec4d8e455b749447377a5e84f. After that we add one record to cv.xls file and regenerated hash values. After modifying, ccfee18e1e713cdd2fcf565298928673 hash value is produced. The hash value changed in cv.xls file after data altered.
Furthermore, we created fruit.bmp file to compare the hash value before and after modification. The hash value before modifying is 8d06bdfe03df83bb3942ce71daca3888 and after modifying is 667d82f0545f0d187dfa0227ea2c7ff6. So, the hash values comparison of bmp files is completely different after data has been modified.
When we encrypted the text file into each image file, the text file is not visible in the image viewing utility and each image file is like its original image file. However, the comparison of the hash values of each image file before and after inserting short messages is completely different. As each image file has been altered by inserting short message, the regenerated hash value is totally different from the original hash values.
On top of that, the original image file size has been changed after inserting short messages. The raster image file has slightly increased its file size after it has been modified. The raster image file size is increased from 50.5 KB to 50.7 KB. However, of the remaining three, two image files vector and metafile have decreased its file size a little sharply. The original file size of vector is 266 KB and has been decreased to 200 KB after modified. The metafile also decreased from 313 KB to 156 KB. Only the bitmap is remains stable as its file size does not increase or decrease.
In a nut shell, we can conclude that the hash value would change if the file has been modified. However, depending on the file format, the file size can increase, decrease or remain stable.
d) Report for “differences of bitmap, raster, vector and metafile”
A bitmap image is a computer file and it is collected with dots or pixels that form an image. The pixel of bitmap is stored like a grid, tiny square. When we use the paint program, we can see the bitmap pixel is like a block and it is draw or clear block by block. A raster image is also a collection of pixels but the image stored pixels in rows to make it easy to print. And raster image is resolution dependent. It cannot scale up to an arbitrary resolution without loss of apparent quality. This is overcome by the vector image.
Vector image is made up of many individual, scalable objects. These objects are defined by mathematical equations rather than pixels, so it always render at the highest quality. There are many attributes in vector like color, fill and outline. The attributes can be changed without destroying the basic object.
Metafile is a combination of raster and vector graphics, and can have the characteristics of both image types. However, if you create a metafile with raster and vector and enlarge it, the area of raster format will lose some resolution while the vector formatted area remains sharp and clear.
If we have lost an image file, before doing anything, we should be familiar with the data patterns of known image file types. Then the recovery process starts. The first step in recovery is to recover fragments file from slack space and free space. The fragment file can locate the header data that is partially overwritten. So, we use Drivespy to identify possible unallocated data sets that contain the full or partial image header values.
To locate and recover the image header, we need to know the absolute starting cluster and ending cluster. If not, we could collect the wrong data. Using Drivespy, we can know started cluster number and file size of image that we want to recover. To know the exact ending cluster, add the total number of clusters assigned to the starting cluster position. As we have known the size of image file, we can calculate the total number of clusters. Then, we can locate the image file and retrieve image header.
After we get the header value, open the file with Microsoft Photo Viewer. If the file has been opened successfully, then recovery of image file has been completed. If not, we need to use the Hex Workshop to examine the header of the file.
Report for “Investigation that prove Naomi's innocence”
Before we begin tracing an email, we should know which email is illegal and what constitutes an email crime. Illegal email includes selling narcotics, extortion, sexual harassment, stalking, fraud, child abductions, and child pornography.
As Jazebel has received an offensive email, so we need to access the victim computer and copy and print the offensive email to recover the evidence contained in the email. Microsoft Outlook, Outlook Express or any other GUI email programs supports for copying the email from inbox to the place that we want to by dragging the message to the storage place. When copying email, the header of the email must be included as it contains unique identifying numbers, such as IP address of the server that sent the message. This helps us when tracing the email.
After copy and printing the message, we should retrieve the email header to get the sender IP address. Right click on the message and choose message options to retrieve the email header. The following shows the header information that retrieved from the mail of the victim computer.
At line 1(10.140.200.11) shows the IP address of the server sending the e-mail, and provides a date and time that the offending e-mails was sent. Although when we see at line 5, the victim is seemed to be Jezebel, however, line 1 identifies that the e-mail that is sent from the IP address (10.140.200.11) is the same as the victim's computer IP address. So, we can conclude that Naomi does not include in sending offensive e-mail. She is innocence and the victim, Jezebel himself, is the one who send the offensive e-mails.
Computer Forensics Textbook