Wednesday, August 8, 2007

Every Hard Drive Tells a Story

Fraud, extortion and pornography: all in a day’s work. One of the most interesting jobs in IT has to be that of the computer forensic investigator.

Unlike mainstream forensics such as fingerprint analysis, not a great deal is known of this specialist field by the general public. One of the reasons that computer forensics has evolved so rapidly over the last few years is that the ubiquitous PC can be found in almost every home and workplace in the land, and every day people visit web sites, send emails and create documents, all of which leave a trail of evidence.

When users delete documents and watch them disappear from the ‘Recycle Bin’, they assume the documents have been permanently deleted. Although the documents can no longer be accessed through Windows, what really happens is that the deleted data remains on the disk, in an area that can be recovered using specialist software and hardware tools.

Forensic investigators need to ensure that the actions that they follow adhere to legally acceptable standards, because if the correct process is not followed they can be certain that a lawyer will be waiting to question the admissibility of evidence. In the UK, the Association of Chief Police Officers’ (ACPO) guidelines are used as the best practice reference.

These procedures can be summarised into four main phases: Collection, Examination, Analysis and Reporting. It is vital that evidence contained on computers and computer-related storage media is preserved and recovered in such a way that it can be demonstrated to the courts that the actions of the investigator have not changed the evidence.

[Image: write-blocking device, captioned “No Write”]

To demonstrate the sensitivity of this point, the mere act of turning on a computer will change some of the data held within it. The data from a computer hard drive is commonly recovered by connecting the hard drive to a write-protected device (pictured) and then using specialist forensic software to make a forensic image of the hard drive.

The write protected device prevents any changes being made to the evidential hard drive, therefore maintaining the integrity of the original evidence.

The forensic image is an exact copy of the hard drive (or other media), from the very start of the media to the end. Unlike a backup, which includes only the accessible files, a forensic copy includes all areas of the media, including unallocated space. It is within this unallocated space that the data that appeared to be deleted from the recycle bin resides. Once the analysis of an investigation is complete, the information found must be reported strictly factually.

So, what are some applications of computer forensics? At the basic level, data files that have been accidentally deleted may be recovered (if no backups are available), but it gets more interesting than that. In one case performed in tandem with a UK police force, our investigators were able to refute the defendant’s claim that malicious software on his computer was responsible for the illegal images found on it. This was done by interrogating the machine, locating all malicious software present and active, and then investigating each instance of that malicious software.

During the investigation, the output text file of a keystroke logger was recovered from unallocated disk space, even though both the keystroke logger software and its log file had been deleted. This important artefact had recorded the defendant’s keystrokes, including him typing incriminating web site addresses and his conversations using instant messaging software.
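The two points above, that a forensic image is a hashed, bit-for-bit copy that includes unallocated space, and that a deleted keystroke log can be carved back out of that space, can be shown with a small self-contained model. The following is an added example written for this page, not code from the original article or from 7Safe: the eight-sector “disk”, its directory-table layout, the file names and the log text are all constructed for the demonstration, and real file systems and carving tools are far more involved.

```python
"""Added example, not code from the original article or from 7Safe: a toy,
self-contained model of a disk image, showing (1) why a forensic image is hashed
at acquisition and re-hashed after analysis, and (2) why a 'deleted' keystroke
log is still recoverable from unallocated space when the image is bit-for-bit.
The disk layout, file names and log text are all constructed for the demo."""
import hashlib

SECTOR = 512          # bytes per sector in the toy disk
NUM_SECTORS = 8       # total size of the constructed image

# Constructed keystroke-log content (the 'artefact' the investigator recovers).
SAMPLE_KEYLOG = (
    b"KEYLOG v1\n"
    b"2007-08-08 09:14 typed: login.example.invalid\n"
    b"2007-08-08 09:20 IM: did you get the files?\n"
)
SAMPLE_REPORT = b"Quarterly report.\n" * 40   # 720 bytes -> needs 2 sectors


def _pad(data: bytes, sectors: int) -> bytes:
    """Zero-fill data to an exact number of sectors."""
    return data.ljust(sectors * SECTOR, b"\x00")


def build_disk_image(delete_log: bool = True) -> bytes:
    """Constructed 8-sector 'disk'. Sector 0 is a toy directory table of
    'name:start_sector:length' lines. report.txt lives in sectors 1-2 and the
    keystroke log in sector 3 (sectors 4-7 are free). Deleting the log only
    removes its directory entry, as emptying the Recycle Bin does: the sector
    keeps its content until something overwrites it."""
    entries = [b"report.txt:1:%d" % len(SAMPLE_REPORT)]
    if not delete_log:
        entries.append(b"kl.log:3:%d" % len(SAMPLE_KEYLOG))
    directory = _pad(b"\n".join(entries), 1)
    data_area = (_pad(SAMPLE_REPORT, 2) + _pad(SAMPLE_KEYLOG, 2)
                 + _pad(b"", NUM_SECTORS - 5))
    return directory + data_area


def acquisition_hash(image: bytes) -> str:
    """Hash of the whole image, taken at acquisition; re-hashing later lets the
    examiner show the court that analysis did not alter the evidence."""
    return hashlib.sha256(image).hexdigest()


def verify_unchanged(image: bytes, expected_hash: str) -> bool:
    """True if the image still matches its acquisition hash."""
    return acquisition_hash(image) == expected_hash


def read_directory(image: bytes) -> dict:
    """Parse sector 0 into {name: (start_sector, length)}."""
    files = {}
    for line in image[:SECTOR].rstrip(b"\x00").split(b"\n"):
        if line:
            name, start, length = line.split(b":")
            files[name.decode()] = (int(start), int(length))
    return files


def backup_view(image: bytes) -> dict:
    """What an ordinary file backup copies: only files still in the directory."""
    view = {}
    for name, (start, length) in read_directory(image).items():
        offset = start * SECTOR
        view[name] = image[offset:offset + length]
    return view


def unallocated_sectors(image: bytes) -> list:
    """Sector numbers no directory entry references: the 'free' space that a
    backup skips but a bit-for-bit forensic image captures."""
    used = {0}
    for start, length in read_directory(image).values():
        used.update(range(start, start + -(-length // SECTOR)))   # ceil division
    return [s for s in range(len(image) // SECTOR) if s not in used]


def carve_keylog(image: bytes) -> list:
    """Minimal file carving: scan each unallocated sector for the log's known
    header and read the text run that follows it, up to the zero padding."""
    recovered = []
    for s in unallocated_sectors(image):
        if image[s * SECTOR:(s + 1) * SECTOR].startswith(b"KEYLOG v1"):
            recovered.append(image[s * SECTOR:].split(b"\x00", 1)[0].decode())
    return recovered


if __name__ == "__main__":
    disk = build_disk_image()                # log already 'deleted'
    h0 = acquisition_hash(disk)
    print("acquisition hash:", h0)
    print("a backup would see:", list(backup_view(disk)))
    print("unallocated sectors:", unallocated_sectors(disk))
    for text in carve_keylog(disk):
        print("carved from unallocated space:\n" + text)
    print("evidence unchanged after analysis:", verify_unchanged(disk, h0))
```

Running the script shows the contrast the article describes: `backup_view` lists only report.txt, because that is all the directory still knows about, while `carve_keylog` finds the full log in sector 3 simply because the image was taken from the first byte to the last. The hash taken before analysis still matches afterwards, which is the property a write blocker and an acquisition hash are there to preserve on a real drive.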

Heard about Voice Phishing?

Not to be confused with a Babel fish, an emerging con that utilises technology has been dubbed ‘voice phishing’, and it’s a new spin on an old crime. In a nutshell, here is how it works:

  • Victim receives an email asking them to verify their identity by phoning a telephone number
  • Victim calls number (set up by the criminals) and is greeted by a recorded voice message asking for an account number etc.

This bid to trick users into handing over confidential information is a variation on phishing, which utilises an email and bogus web site combination. Sadly, it seems that there is no end in sight to the ways in which the criminals are attempting to dupe people out of their hard-earned money.

Alan Phillips MBCS
Alan Phillips is a registered BCS security practitioner and contributing author of IT Security training courses at 7Safe, an independent Information Security services consultancy delivering an innovative portfolio of services including Penetration Testing, ISO 27001 Consulting, Forensic Investigation and Information Security training courses.
