The Official CHFI Study Guide (Exam 312-49)
By Dave Kleiman
Elsevier Science
Copyright © 2007 Elsevier Inc.
All rights reserved.
Computer Forensics in Today's World
Exam objectives in this chapter:
* The History of Forensics
* The Objectives of Computer Forensics
* Computer-Facilitated Crimes
* Reasons for Cyber Attacks
* Computer Forensic Flaws and Risks
* Computer Forensics: Rules, Procedures, and Legal Issues
* The Computer Forensic Lab
* Laboratory Strategic Planning for Business
* Elements of Facilities Build-out
* Electrical and Power Plant Considerations
* Essential Laboratory Tools
As is often the case with security compromises, it's not a matter of if your company will be compromised, but when.
If I had known the employee I hired was going to resign, break into my office, and damage my computers in the span of three days, hindsight being 20/20, I would have sent notification to the security guards at the front door placing them on high alert and made sure he was not granted access to the building after he resigned. Of course, in hindsight, I should have done a better job of hiring critical personnel. He was hired as a computer security analyst and security hacker instructor, and was (or should have been) the best example of ethical conduct.
Clearly, we see only what we want to see when hiring staff and you won't know whether an employee is ethical until a compromise occurs. Even if my blinders had been off, I would have never seen this compromise coming. It boggles the mind to think that anyone would ruin or jeopardize his career in computer security for so little. But he did break into the building, and he did damage our computers; therefore, he will be held accountable for his actions, as detailed in the following forensic information. Pay attention when the legal issues are reviewed. You will learn bits and pieces regarding how to make your life easier by knowing what you really need to know "when" your computer security compromise occurs.
Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence. In Chapter 9 of Cyber Crime Investigations, digital forensics is referred to as "the scientific acquisition, analysis, and preservation of data contained in electronic media whose information can be used as evidence in a court of law."
In the case involving the Hewlett-Packard board of directors, seasoned investigators within HP and the primary subcontracting company sought clarity on an investigative method they were implementing for an investigation. The investigators asked legal counsel to determine whether the technique being used was legal or illegal. Legal counsel determined that the technique fell within a gray area, and did not constitute an illegal act. As a result, the investigators used it and were later arrested. This situation could befall any cyber crimes investigator.
In the Hewlett-Packard case, legal counsel did not fully understand the laws relating to such methodologies and technological issues. The lesson for investigators here is not to assume that an action you've taken is legal just because corporate counsel told you it was. This is especially true within the corporate arena. In the HP case, several investigators were arrested, including legal counsel, for their actions.
In this CHFI study guide, you will learn the concepts of computer forensics and how to prepare for the EC-Council's Computer Hacker Forensic Investigator exam. This chapter will review the objectives of computer forensics. It will also discuss computer-facilitated crimes, the reasons for cyber crime, the computer forensics flaws and risks, modes of attack, digital forensics, and the stages of forensic investigation in tracking cyber criminals. The chapter also covers various stages of building a computer forensics laboratory.
The History of Forensics
Forensics has been around since the dawn of justice; even the earliest communities had rules set to protect home and hearth. Francis Galton (1822–1911) made the first recorded study of fingerprints; Leone Lattes (1887–1954) discovered blood groupings (A, B, AB, and O); Calvin Goddard (1891–1955) developed methods of firearm and bullet comparison that resolved many pending court cases; Albert Osborn (1858–1946) developed the essential features of document examination; and Hans Gross (1847–1915) applied scientific study to the direction of criminal investigations. In 1932, the FBI set up a laboratory to provide forensic services to all of its field agents and to other law enforcement authorities across the country. Looking back at these historic forensic events, you see a pattern of growing confidence in the forensic information recovered and analyzed. As you will see in this study guide, today's computer forensics is following the same pattern of confidence, acceptance, and analysis.
The Objectives of Computer Forensics
Cyber activity has become an important part of the everyday lives of the general public. According to the EC-Council, eighty-five percent of businesses and government agencies have detected a security breach. Digital evidence (the media on which it resides) gives forensic investigators something concrete to examine after an incident has occurred. The ultimate goal of a computer forensic investigator is to determine the nature and sequence of events concerning a crime and to locate the perpetrator by following a structured investigative procedure.
For evidence, whether digital or physical, to survive in a court of law, investigators must apply two tests:
* Authenticity Where does the evidence come from?
* Reliability Is the evidence reliable and free of flaws?
Computer-Facilitated Crimes
Computer-facilitated crimes include the following:
* Theft of intellectual property This pertains to any act that allows unauthorized access to patents, trade secrets, customer data, sales trends, or any other confidential information.
* Damage of company service networks This can occur if someone plants a Trojan horse, conducts a denial of service attack, installs an unauthorized modem, or installs a back door to allow others to gain access to the network or system.
* Financial fraud This pertains to anything that uses fraudulent solicitation to prospective victims to conduct fraudulent transactions.
* Hacker system penetrations These occur via the use of sniffers, rootkits, and other tools that take advantage of vulnerabilities of systems or software.
* Distribution and execution of viruses and worms These are some of the most common forms of cyber crime.
Cyber crime comprises three things: tools to commit the crime, targets of the crime (victim), and material that is tangential to the crime.
Cyber crime is motivated by many different things. Often it's the thrill of the chase, and a desire for script kiddies to learn. Sometimes cyber crime is committed by psychologically motivated criminals who need to leave a mark. Other times such crimes are committed by a person or group that is out for revenge; perhaps it's a disgruntled employee or friend who wants to embarrass the target. Most likely, a cyber criminal is being paid to gain information; hackers involved in corporate espionage are the hardest to uncover and often are never seen.
Our dependency on the computer has given way to new criminal opportunities. Computers are increasingly being used as a tool for committing crimes, and they are posing new challenges for investigators, for the following reasons:
* The proliferation of PCs and Internet access has made the exchange of information quick and inexpensive.
* The use of easily available hacking tools and the proliferation of underground hacking groups have made it easier to commit cyber crimes.
* The Internet allows anyone to hide his or her identity while committing crimes.
* E-mail spoofing, creating fake profiles, and identity theft are common occurrences, and little stands in their way, which makes investigation difficult.
* Cyber crimes typically leave no collateral or physical forensic evidence, such as eyewitnesses, fingerprints, or DNA, making them much harder to prosecute.
Reasons for Cyber Attacks
Today, cyber attacks are committed by individuals who are more organized than ever. Cyber crime has different connotations depending on the situation. Most of us equate cyber crime with what we see on TV and in the news: porn, hackers gaining access to sensitive government information, identity theft, stolen passwords, and so on. In reality, computer crimes more often than not consist of theft of intellectual property, damage to company service networks, embezzlement, copyright piracy (software, movies, sound recordings), child pornography, the planting of viruses and worms, password trafficking, e-mail bombing, and spam.
Cyber criminals are often more technically advanced than the agencies that aim to thwart them, and today's criminals are more persistent than ever. According to the EC-Council, a computer crime is any illegal act involving a computer, its system, or its applications. A computer crime is intentional, not accidental (we discuss this in more detail in the "Legal Issues" section, later in this chapter).
Computer Forensic Flaws and Risks
Computer forensics is still in its developmental stage. It differs from the other forensic sciences in that the evidence examined is digital. There is little theoretical knowledge on which to base assumptions for analysis; empirical hypothesis testing, when it is carried out, suffers from a lack of proper training and from unstandardized tools; and, lastly, the discipline is still more "art" than "science."
Modes of Attack
There are two categories of cyber crime, differentiated in terms of how the attack takes place:
* Insider attacks These involve a breach of trust from employees within an organization.
* External attacks These originate outside the organization; for example, hackers hired by an insider or by an external entity whose aim is to destroy a competitor's reputation.
Stages of Forensic Investigation in Tracking Computer Crime
A computer forensic investigator follows certain stages and procedures when working on a case. First, the investigator identifies the crime, along with the computer and other tools used to commit it. Next, the investigator gathers the evidence and establishes a chain of custody. These procedures must be followed as thoroughly as possible. The seized media are then imaged (duplicated bit for bit), the duplicates are verified against the originals, and the analysis is performed on the duplicated evidence rather than on the originals. After the evidence has been analyzed, the investigator may be called as an expert witness to present it in court. The investigator thus becomes the tool that law enforcement uses to track and prosecute cyber criminals.
For a better understanding of the steps a forensic investigator typically follows, consider the following, which would occur after an incident in which a server is compromised:
1. Company personnel call the corporate lawyer for legal advice.
2. The forensic investigator prepares the first-response procedures (FRP).
3. The forensic investigator seizes the evidence at the crime scene and transports it to the forensic lab.
4. The forensic investigator prepares bit-stream images of the seized media and computes an MD5 hash of the files, so that each copy can be verified against the original.
5. The forensic investigator examines the evidence for proof of a crime, and prepares an investigative report before concluding the investigation.
6. The forensic investigator hands the sensitive report information to the client, who reviews it to see whether they want to press charges.
7. The forensic investigator destroys any sensitive client data.
It is very important that a forensic investigator follows all of these steps and that the process contains no misinformation that could ruin his reputation or the reputation of an organization.
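Step 4 of the procedure above (bit-stream imaging plus a hash that lets the copy be verified against the original) in working code. This is an added example, not code from the study guide or from any EC-Council tool. It assumes the "device" is an ordinary file (in practice you would read a block device such as /dev/sdb through a write blocker), it records SHA-256 alongside the MD5 the text mentions because MD5 collisions are practical today and a second hash costs nothing, and the sample "evidence" is constructed in a temporary directory so the example runs offline. The chain-of-custody log format and the case identifier are illustrative assumptions.

```python
"""Bit-stream imaging with acquisition hashes and a chain-of-custody log.

Assumptions (illustrative, not from the study guide): the evidence source is a
regular file standing in for a block device; the custody log line format and the
case identifier are made up for the example.
"""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not load into memory
ALGORITHMS = ("md5", "sha256")  # MD5 as in the text, SHA-256 as a collision-resistant companion


def _feed(stream, hashers):
    """Push every byte of a readable binary stream into each hasher; returns bytes read."""
    total = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            return total
        total += len(block)
        for h in hashers.values():
            h.update(block)


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory byte string; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    _feed(io.BytesIO(data), hashers)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    """Hash a file on disk in a single pass for every algorithm listed."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        _feed(fh, hashers)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source, image_path):
    """Copy every byte of `source` to `image_path` (a bit-stream image).

    The acquisition hashes are computed from the bytes as they are read from the
    source, so they describe exactly what was copied; the image file is then made
    read-only so later work is done on a further copy, not on this image."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            dst.write(block)
            for h in hashers.values():
                h.update(block)
    os.chmod(image_path, 0o444)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, acquisition_hashes):
    """Re-hash the image and compare every recorded digest; True only if all match."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    return all(current[name] == acquisition_hashes[name] for name in acquisition_hashes)


def custody_entry(case_id, item, action, hashes, examiner):
    """One chain-of-custody line: when, which case/item, what was done, by whom, digests."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    digests = " ".join(f"{name}={value}" for name, value in sorted(hashes.items()))
    return f"{stamp} case={case_id} item={item} action={action} by={examiner} {digests}"


def demo():
    """Constructed run: fake device contents, acquire, verify, alter one byte, verify again.

    Returns (verified_before_change, verified_after_change, custody_log)."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "evidence_disk.bin")
        image = os.path.join(work, "evidence_disk.dd")
        with open(device, "wb") as fh:  # constructed sample data, not real evidence
            fh.write(b"MBR" + bytes(range(256)) * (3 * CHUNK // 256 + 1))
        acquired = image_device(device, image)
        log = [custody_entry("2007-001", "disk1", "acquire", acquired, "examiner1")]
        ok_before = verify_image(image, acquired)
        # Simulate an undocumented change to the image: flip one byte at offset 100.
        os.chmod(image, 0o644)
        with open(image, "r+b") as fh:
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(image, acquired)
        log.append(custody_entry("2007-001", "disk1", "verify", hash_file(image), "examiner1"))
        return ok_before, ok_after, log
```

The point of hashing the stream during acquisition rather than re-reading the source afterwards is that the source is touched once and only once; every later verification is against the image. Any mismatch on re-verification, as in the second half of `demo()`, is a change that must be documented in the custody record rather than explained away.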
Computer Forensics: Rules, Procedures, and Legal Issues
A good forensic investigator should always follow these rules:
* Examine original evidence as little as possible. Instead, examine the duplicate evidence.
* Follow the rules of evidence and do not tamper with the evidence.
* Always prepare a chain of custody, and handle evidence with care.
* Never exceed your own knowledge base as a forensic investigator.
* Make sure to document any changes in evidence.
If you stay within these parameters, your case should be valuable and defensible.
Digital forensics includes preserving, collecting, confirming, identifying, analyzing, recording, and presenting crime scene information.
Excerpted from The Official CHFI Study Guide (Exam 312-49) by Dave Kleiman. Copyright © 2007 by Elsevier Inc. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.