Technology for Computer Forensics Thesis Proposal




Technology for Computer Forensics


Thesis Proposal

By

Alicia Castro


As part of the requirements for the degree of


Master of Engineering in Software Engineering
University of Colorado, Colorado Springs

Approved by:                                Date:

_________________________________   _____________________
Dr. Edward Chow (Advisor)

_________________________________   _____________________
Dr. Xiaobo Zhou (Committee Member)

_________________________________   _____________________
Dr. Jugal Kalita (Committee Member)


  1. Introduction

Background Research
The objective of computer forensics is to find legal evidence in computers and digital storage media. The goal of computer forensics is to explain the current state of a digital artifact. There are many reasons to employ the techniques of computer forensics: legal cases, data recovery, gathering evidence against an employee, debugging, performance optimization or reverse engineering [1].
Special expertise and tools are required to gather computer forensics data; there are no easily available products for the average user. Many forensic toolkits are used by law enforcement agencies; the most common is EnCase, because its results are more easily admitted in court. There are also many open source tools, such as Helix and Autopsy.

Helix can be used to acquire a live image of a Windows system, repair damaged files, perform data acquisition, recover a virus-damaged system, change Windows passwords, securely delete files and much more [2]. Helix itself is not a tool; it is a live distribution that contains a series of forensic tools. Helix has been modified very carefully not to touch the host computer in any way, and it is forensically sound. Helix will not auto-mount swap space or any attached devices. Helix also has a special Windows autorun side for incident response and forensics. Helix focuses on incident response and forensic tools [3]. Autopsy is also an open source tool. It provides an HTML-based graphical interface for The Sleuth Kit that is similar to a file manager, showing details about deleted data and file system structures, with results that can be accessed using an HTML browser. Autopsy does not require any tool to be executed previously; it can work directly over mounted partitions or over image files generated by the dd command [4]. Autopsy is the graphical interface to the data collected with The Sleuth Kit. EnCase is recognized as a court-validated standard in computer forensic software. With an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine, EnCase provides investigators with a single tool capable of conducting large-scale and complex investigations from beginning to end [5]. EnCase creates images of suspect media. Images are stored in proprietary formats and contain an MD5 or SHA-1 checksum to validate their authenticity. EnCase makes images that are exact byte-for-byte copies of the original, so that unused parts of the media can be fully examined for deleted files and so forth. After imaging, EnCase can be used to examine the files stored in the image using common tools such as a document viewer and a hex editor. It can also examine parts of the file system not normally exposed to the user, such as deleted file entries, on-disk checksums and log/journaling data. It can also search for and attempt to recover deleted files [6].
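As an added illustration (example code written for this page, not EnCase's or the proposal's own), the following Python shows the integrity check the paragraph describes: a byte-for-byte copy of constructed sample media, MD5 and SHA-1 digests recorded at acquisition, and a re-verification that detects a single-byte change to the image. The file names and the raw image layout are assumptions; EnCase's own evidence format is not reproduced.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # hash per chunk so media larger than memory can be processed


def _stream_hashes(src_path, dst_path=None):
    """Read src in chunks through MD5 and SHA-1 (the digests the proposal names);
    if dst_path is given, also write every chunk there, a byte-for-byte copy."""
    h = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    dst = open(dst_path, "wb") if dst_path else None
    try:
        with open(src_path, "rb") as src:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                if dst:
                    dst.write(chunk)
                for d in h.values():
                    d.update(chunk)
    finally:
        if dst:
            dst.close()
    return {alg: d.hexdigest() for alg, d in h.items()}


def acquire_image(src_path, dst_path):
    """Image src into dst (like dd) and return the digests to record with the evidence."""
    return _stream_hashes(src_path, dst_path)


def verify_image(image_path, recorded):
    """Re-hash the image; a False for any algorithm means it no longer matches acquisition."""
    current = _stream_hashes(image_path)
    return {alg: current[alg] == recorded[alg] for alg in recorded}


def demo():
    """Image constructed sample media, verify, alter one byte in free space, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")  # constructed stand-in for suspect media
        image = os.path.join(tmp, "device.raw")   # raw image, not EnCase's proprietary format
        with open(device, "wb") as f:
            f.write(b"live file contents".ljust(4096, b"\0"))             # allocated data
            f.write(b"remnant of a deleted document".ljust(4096, b"\0"))  # free-space remnant
        recorded = acquire_image(device, image)
        before = verify_image(image, recorded)
        with open(image, "r+b") as f:  # simulate a single post-acquisition byte change
            f.seek(4100)
            f.write(b"X")
        return before, verify_image(image, recorded)
```

Recording both digests at acquisition and re-running verify_image before analysis is what lets an examiner show the image presented in court is the one taken from the media.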


Forensic tools are used to analyze digital data and often find evidence that someone did or did not commit a crime. As the tool output may be evidence in a court trial, it must meet certain legal requirements [7].

Computer-based evidence has only recently become common in court proceedings, but its impact on the legal system has been significant. Cases are frequently decided on evidence obtained from computer systems – evidence that many experts claim is unreliable. Consider the recent case State of Connecticut v. Julie Amero in Norwich, Connecticut. An elementary school substitute teacher, Ms. Amero was accused, tried and convicted of contributing to the delinquency of minors because a spyware-infected school computer in her class displayed pornographic sites and pop-ups during her lecture. The legal system’s lack of technical awareness resulted in a conviction that was eventually overturned but permanently impacted Ms. Amero’s life and diminished the credibility of our legal system. Judges and juries make inappropriate assumptions because they expect computer forensic evidence in real life to be as reliable and conclusive as it is on television. The impact of these assumptions cannot be undone merely by reversing a court decision. In many cases such as these, the forensic tools being used are accurate, but the assumptions made about them are wrong [7].


There are no standards or specifications for tools, and there are many versions of each tool. Requirements must be created for each tool type, and corresponding tests must be designed that enforce the requirements. Using specific test conditions for all tools can only go so far in catching bugs because of the large number of possible tests [8].
Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases. The Federal Rules of Evidence (FRE) have controlled the use of digital evidence since 1970; from 1970 to 1985 state rules of evidence, as they were adopted by each state, controlled usage of this type of evidence. Documents maintained on a computer are covered by different rules, depending on the nature of the document. Many court cases in state and federal courts have further developed and clarified how the rules apply to digital evidence. The Fourth Amendment to the US Constitution protects everyone’s right to be secure in their person, residence, and property from search and seizure. Continuing development of the jurisprudence of this amendment has played a role in determining whether the search for digital evidence has established a different precedent, so separate search warrants might not be necessary. However, when preparing to search for evidence in a criminal case, many investigators still include the suspect’s computer and its components in the search warrant to avoid problems [9].
There are two other areas of law related to computer security that are important to know about. Anyone concerned with computer forensics must know how these laws affect them:

  • Wiretap Act (18 U.S.C. 2510-22)

  • Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27)

  • Stored Wired and Electronic Communications Act (18 U.S.C. 2701-120)

Violations of any of these statutes during the practice of computer forensics could constitute a federal felony punishable by a fine and/or imprisonment. Third, the U.S. Federal Rules of Evidence concerning hearsay, authentication, reliability and best evidence must be understood. In the U.S. there are two primary areas of legal governance affecting cyber security actions related to the collection of network data: (1) the authority to monitor and collect the data and (2) the admissibility of the collection methods. Of the three areas above, the U.S. Constitution and U.S. statutory laws primarily govern the collection process, while the Federal Rules of Evidence deal mostly with admissibility [10].

Digital evidence can be any information stored or transmitted in digital form. Because you cannot see or touch digital data directly, it is difficult to explain and describe. Is digital evidence real or virtual? Does data on a disk or other storage medium physically exist, or does it merely represent real information? U.S. courts accept digital evidence as physical evidence, which means that digital data is treated as a tangible object, such as a weapon, paper document or visible injury, that is related to a criminal or civil incident. Groups such as the Scientific Working Group on Digital Evidence (SWGDE) and the International Organization on Computer Evidence (IOCE) set standards for recovering, preserving and examining digital evidence [11].


  2. Project Scope

This thesis addresses software that is used for digital forensics analysis. The goal of the thesis is to combine various existing technologies and make the enhancements necessary for law enforcement agencies.


The first part of this thesis provides a brief overview of the necessary precautions and requirements for data to be used as evidence for an investigation.

  • Unique computer issues: special problems with computers

  • Initial considerations: ascertain when a business is involved

  • Value of a technical expert: involve a technical person early

  • Drafting the warrant: technical and practical considerations; information belonging to third parties or privileged information may be found

  • Execution of the warrant: on-scene personnel needed; time limit for execution and return

  • Follow-up warrants: no warrant needed to break passwords or encryption; discovery of evidence of other crimes

  • Consent: consent to search

The second part of this thesis provides an overview of prosecuting cases that involve computers.



  • Devices subject to Forensic examination

  • Digital storage

  • Forensic examination of erased or deleted files, slack space and steganography

  • Types of evidence

The third part focuses on the enhancement and testing of existing forensic software.



  • EnCase


Existing Forensics Toolkits



  • EnCase is one of the most popular forensic tools used by law enforcement in Colorado. EnCase Forensic facilitates the search, identification, collection, preservation, analysis and reporting of digital evidence. EnCase Enterprise provides network-enabled search, identification, preservation, analysis and reporting of digital evidence on employee computers and file servers, primarily for internal investigations such as fraud, HR matters and computer incident analysis. Both EnCase Forensic and EnCase Enterprise use the EnCase Evidence file format, which is the only digital evidence container that has withstood numerous challenges and been validated in courts worldwide [3]. Why is it so difficult for computer forensic tools to be accepted by the court?




  • EnCase will view data in many formats (including ZIP file contents), does not have to be preloaded onto a system to function, and will find evidence that can be used in a court of law. The only way to keep EnCase from seeing what you have done on a system is to DoD-wipe a file upon deletion and continually wipe slack and free space on disks [12].



  • EnCase had some new features added in 2008. Those features will be tested during the testing phase.


Proposed Design and Improvements


  • Testing and analyzing some of the new enhancements (2008) made to EnCase.

  • Design new queries for the EnCase tools. Users want a series of queries for their most common investigation routines. Queries allow you to combine filters or conditions into a single filter using Boolean logic. Filters are special EnScripts that allow you to include only the files that meet your filter conditions. Conditions are new starting with EnCase 5. They differ slightly from filters in that conditions allow the user to specify parameters with a wizard-type interface (with filters, the user has to work with code to achieve the same effect) [13].

  • Develop a Software Project Management Plan (SPMP)

  • Develop the Software Requirement Specification (SRS)



3. Thesis Plan & Schedule
1. - Requirement analysis (August 26, 2008-Feb 23, 2009)

  • Identify and understand the problem domain

  • Identify the problem

  • Evaluate possible prototypes

  • Define requirements

  • Present Proposal and obtain official approval

2. - Planning (January 3, 2009-March 3, 2009)



  • Identify and obtain resources needed

  • Define thesis plan and schedule

3. - Design (January 5, 2009-March 15, 2009)



  • Design initial test prototype and evaluate design

  • Refine and finalize design

4. - Implementation & Testing (February 5, 2009-April 15, 2009)



  • Create prototypes

  • Test prototypes

  • Refine prototypes

5. - Project Closure (April 15, 2009-April 28, 2009)



  • Present final data and obtain approval


References
[1] Computer Forensics. http://en.wikipedia.org/wiki/Computer_forensics
[2] Steiner, Tim. Computer Forensic Product Analysis: HELIX. http://timsteiner.wordpress.com/2008/02/15/67/
[3] Computer Forensic Software. http://www.scm.uws.edu.au/computerforensics/Software/
[4] Martins, Ricardo. Computer Forensics with The Sleuth Kit and The Autopsy Forensic Browser. http://www.ijofcs.org/webjournal/index.php/ijofcs/article/viewFile/6/5
[5] Forensic Categories. http://securitytnt.com/category/tools/forensics/
[6] EnCase. http://en.wikipedia.org/wiki/EnCase
[7] Peisert, Sean and Bishop, Matt. Computer Forensics in Forensis. ACM, April 2008.
[8] NIST. Computer Forensic Tool Testing. http://www.cftt.nist.gov/
[9] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics, Part 7, 2000. http://www.securityfocus.com/print/infocus/1250
[10] Nelson, Bill et al. Computer Forensics and Investigations. Canada, 2006.
[11] Nelson, Bill et al. Computer Forensics and Investigations. Canada, 2008.
[12] US-CERT. Computer Forensics. http://www.us-cert.gov/reading_room/forensics.pdf
[13] Guidance Software. EnCase Legal Journal, Second Edition, March 2002. http://www.encase.com/
[14] Bunting, Steve. EnCase Computer Forensics: The Official EnCE, 2007.