Computer forensic or digital forensic means applying computer science for the analysis of crimes involving computers to obtain incriminating or exonerative evidence to be used at a court of law. Legal validity of such evidence can be achieved if a specific methodology is applied and a number of principles are obeyed. Transparency and a detailed protocol of all steps taken are critical for any successful undertaking in computer forensics.
Here is another definition of computer forensics by DIBS USA Inc: "Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law."
In addition to technical expertise and credibility of the forensics experts it is important to pay attention to choosing the right tools for the job and using them correctly. These have to work verifiably and must not leave any doubts regarding their results. In many cases Open Source tools provide this reliability because of the openness of their code basis.
Furthermore it is necessary to use a legally accurate language for these highly technical reports while at the same time finding a language well understood by somebody without a degree in computer science.
Sketch of a Forensic Analysis
After an attack the first priority is to secure all devices and storage media. Analyzing all actions by administrators and users after the attack may also help to trace an attacker´s impact on the system.
If the system is still online it is important to secure all transient memory including main memory (storage and processor dump) as well as various log files and temporary directories and files.
In a subsequent step all storage media can be analyzed in detail. If any of these are defective access to them may be gained in a specially equipped lab. In either case, initially all data has to be copied onto a second device without manipulating it in any form. These backup copies can then be analyzed in a read-only manner.
Typically a forensics expert is interested in locating and securing specific log files to reconstruct an attack. If data has been deleted Magic Bytes may provide hints regarding file types. In this arena a number of multi-purpose tools are available (so-called Forensic Toolkits) assisting with resurrecting deleted data.
After a careful analysis of all available data a report is created detailing the steps taken and the tools involved. All results and conclusions are prepared to be used in court.
If an attack is still underway you need to perform a cost-benefit calculation: In the vast majority of cases the affected system(s) should be disconnected from the network immediately to prevent any further damage in particular the deletion of important data or log information. However, if an attacker does not seem to perform any destructive operations it might be advantageous to first analyze the network connection details to obtain even more evidence against him or her.
Forensic ToolkitsForensic Toolkits provide utilities for many important tasks:
- Automated analysis
- Reconstruction of data
- Safe duplication of storage media (non-destructive)
- Analysis of data formats
- Securing of transient data
- Analysis of access and other meta data
The Toolkits must support a large variety of encodings and data formats present in the many popular operating systems. Also, the analysis needs to take place on many different storage levels as each abstraction level has the potential to reveal (different) relevant information.
In particular Open Source solutions are getting more and more popular because it is possible to analyze their functionality and quality on a code basis. Extensions can be implemented relatively easy and third party approval or certification becomes much easier. Limitations or bugs can be identified and resolved in a timely manner.
Preparation and Monitoring of a System
Digital Forensic also calls for preparing a system to be analyzed later so that in case of an incident the subsequent search for evidence is greatly simplified. For example, Intrusion Detection Systems recognize changes in typical usage patterns at run time and alarm a designated person. Special training can help administrator to react better to an attack. Consider this: Shutting down a system or rebooting it can destroy a lot of important information.