
Computer Forensics: The Complete Documentation

  • This category contains 43 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Adventures in Computer Forensics

Published on 2001, by Diana J. Michaud, ©SANS Institute.

What exactly do forensic analysts do? How can this type of work help law enforcement or corporate security managers? If you want to solve a puzzle isn’t it often best to have all the pieces? Computer forensics is one piece to the investigative puzzle. There must be some need to conduct this type of investigation. Security managers and law enforcement alike must have proper authorization before conducting this type of analysis on a computer. Security managers should get this in writing as part of their security policy. Check with your lawyers and be aware of privacy laws and how they apply even in the corporate setting. The privacy laws may go beyond a consent to search and consent to monitoring. We can often help piece together past events by looking at recovered files, internet cache, and slack space. Sometimes, just looking at what someone wanted to get rid of is a good place to start, other times you will need to dig a little deeper and look at areas of the hard disk that the normal user does not usually have access to. When these cases are tried in court, the defense will spend time trying to discredit the analyst. It is their job to create doubt in the procedures you have used to conduct your analysis, and possibly that it wasn’t his client that put the information there. As the analyst it is your job to report what you found not to speculate, or follow down the path of doubt the defense tries to create. You must be able to stand up against some professional and personal scrutiny. Lawyers don’t like to take cases that have "issues". Don’t let your procedures be one of those issues. It is important for the analyst to be able to find the evidence on a computer and be able to articulate how you found the evidence. It is great to be able to retrieve evidence from a computer, but having an idea of how it works, how data is saved in various operating systems, and being able to describe this to someone else is crucial. 
Cases are often won on perception of the facts not just the facts. Others will need to understand what you are talking about, be it a criminal or civil case. I like to use the acronym PPAD. This stands for Preserve the data to ensure the data is not changed, Protect the evidence to ensure no one else has access to the evidence, Analyze the data using forensically sound techniques, and Document everything.

Autopsy of a successful intrusion (well, two actually)

Published on 2002-05-09, by Floydman, ©Infosecwriters.com.

This paper consists of the recollection and analysis of two network intrusions that I have performed as part of my duties as a computer security consultant. The name of the company I worked for, as well as their customers that I hacked into, will remain anonymous for obvious reasons. The goal of this paper is to show real life cases of what computer security looks like in the wild, in corporate environments. I will try to outline the principal reasons why these intrusions were successful, and why this kind of performance could be achieved by almost anybody, putting whole networks at risks that their owners don't even begin to realize yet.

Basic Steps in Forensic Analysis of Unix Systems

Publication date unknown, by David Dittrich, www.washington.edu.

The preface to "Techniques of Crime Scene Investigation" begins: One especially important element to crime solving is the effective use of science and technology. Science and technology applied to the solution of criminal acts, or forensic science, solves crimes by assisting police investigators to identify suspects and victims, clearing innocent persons of suspicion and ultimately bringing the wrongdoer to justice.

Building a Low Cost Forensics Workstation

Published on 2003, by GIAC Security Essentials, ©SANS Institute.

This paper will outline the fundamentals of computer forensic investigation and then, based on these essentials, create requirements for a low cost forensics workstation for use in electronic investigations.

Case for Forensics Tools in Cross-Domain Data Transfers (A)

Published on 2002-08-29, by Dwane Knott, ©SANS Institute.

Corporate and government organizations' dependence on computers and networks for storage and movement of data raises significant security issues. Two of these are movement of data across security domains (cross-domain) and computer reuse. The cross-domain transfer problem must address the contents of the file space as well as the contents of slack and free space. Three options are presented and discussed. One is selected as most practical and more fully discussed. Since this option involves the use of forensics software, a software tool is selected and its application discussed. The final discussion is protecting against inadvertent data compromise when reusing computers or salvaging them. Forensics software has a role here also.

Cisco Router Forensics

Published on August 01, 2002, by Thomas Akin, www.blackhat.com.

Routers have long been used as resources for footprinting a network before an attack. Now they are increasingly becoming the target of attack themselves. A compromised router allows an attacker to not only easily map out the network, but provides means of rerouting traffic and bypassing firewalls and IDS systems.

Computer Forensics

Published on 2005, by US-CERT, ©US-CERT.

This paper will discuss the need for computer forensics to be practiced in an effective and legal way, outline basic technical issues, and point to references for further reading. It promotes the idea that the competent practice of computer forensics and awareness of applicable laws is essential for today’s networked organizations.

This subject is important for managers who need to understand how computer forensics fits as a strategic element in overall organizational computer security. Network administrators and other computer security staff need to understand issues associated with computer forensics. Those who work in corporate governance, legal departments, or IT should find an overview of computer forensics in an organizational context useful.

Computer Forensics — We've had an incident, who do we get to investigate?

Published on 2002, by Karen Ryder, ©SANS Institute.

Computer forensics is used to conduct investigations into computer related incidents, whether the incident is an external intrusion into your system, internal fraud, or staff breaching your security policy. The computer forensic method to be used is determined by the company’s management. In deciding which method to use, whether it is in-house, law enforcement or private sector computer forensic specialists, management needs to understand what computer forensics is, the rules of computer forensics, and the implications of mishandling evidence. In Australia, there are eight different ‘Evidence Acts’, which govern the rules of evidence that investigators need to be aware of in order to present evidence that will be legally acceptable in any Australian court. This is particularly important for National companies where

Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000

Published on 2001-12-04, by Norman Haase, ©SANS Institute.

The purpose of this paper is to be an introduction to computer forensics. Computer forensics is a newly emerged and developing field which can be described as the study of digital evidence resulting from an incident. It involves collection and analysis of digital data within an investigative process. Other important steps include incident preparation, detection and recovery. All these procedures should be documented and conducted according to a standard methodology (Mandia & Prosise, 2001; McMillan, 2000). After introducing some important incident response considerations I will focus on strategies for dealing with compromised Windows NT/2000. My hope is that this paper might be of some assistance in handling your own incidents and investigations. This paper is about investigating Windows hosts and conducting an analysis in order to promote growth and learning as opposed to a "how-to" guide to gather legal evidence in view of criminal prosecution.

Detailed Forensic Procedure for Laptop computers

Published on 2003-06-11, by Matt Pierce, ©SANS Institute.

Forensic analysis is the process of accurately documenting and interpreting information for presentation to an authoritative group. In most situations that group would be a court of law, but management will often request forensic preservation of information as well. Due to the easily changeable nature of digital information, great care must be put into the handling of any forensic analysis. Evidence grade information must be unbiased, and complete before it can be relied upon. Not only must the data be collected, but also the original media must be preserved. Furthermore it is necessary to record the state of the computer that produced the data. Laptop computers present additional technical issues. The hardware in a laptop computer has typically been modified for energy preservation and size. These modifications can frustrate a forensic examiner’s normal use of tools and procedures. This document will discuss what forensic analysis is and why it is important. Also discussed will be how laptop computers affect forensic analysis. Finally, this document will describe three procedures for developing forensic information from a laptop computer running a Microsoft operating system.

Developing a Computer Forensics Team

Published on 2001, by Christine Vecchio-Flaim, ©SANS Institute.

Efforts to establish sound information assurance programs are rapidly evolving due to increased connectivity, enhanced technology, and the continuous introduction of operating and application systems software. The information assurance practitioner is repeatedly faced with new challenges to keep up with these changes. In parallel, these changes in technology have greatly affected the role of investigators. Law enforcement investigations, civil litigation, private investigation, and corporate investigations are all affected. Regardless of whether the situation is a criminal matter, civil matter, or a corporate internal personnel issue, investigators must be cognizant of the fact that computers touch every facet of our lives.

Digital Evidence: Standards and Principles

Published on April 2000, by Federal Bureau of Investigation, www.fbi.gov.

The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies.

Digital Media Forensics

Published on 2000-05-08, by Michael Allgeier, ©SecurityFocus.

The area of digital media forensics is not just the art of finding deleted or hidden data; it is also the understanding of the underlying technologies behind the various tools used and the ability to present scientifically valid information. Digital media forensics is a growing science that governmental agencies have long practiced, with the commercial sector not far behind. Many governmental agencies are far ahead of most companies when it comes to searching, seizing, and analyzing information systems and the proper accountability of digital evidence. With secrets and lives to lose if sensitive information were released to the wrong people, the reasons behind their expertise are understood. The ability to identify the person(s) responsible for the compromise or theft and means of transmittal is paramount for further protection and control of sensitive information. Many companies are now focusing on the problem of industrial espionage and the control of proprietary information. Current economic espionage estimations indicate US companies lose over 50 billion dollars each year with the possibility of 150 billion dollars per year lost by the year 2003. Putting an exact dollar amount on the value of lost proprietary information is impossible, but needed to prompt decision makers. Even with encryption, access control and auditing tools, digital media forensics is a key aspect for information security officers.

Electronic Crime Scene Investigation: A Guide for First Responders

Published on 2001, by U.S. Department of Justice, ©U.S. Department of Justice.

The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, trafficking, or fraud, electronic evidence increasingly is involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence.

Field Guide for Investigating Computer Crime: Overview of a Methodology for the Application of Computer Forensics - Part Two (The)

Published on 2000-06-25, by Timothy E. Wright, ©SecurityFocus.

Previously, in An Introduction to the Field Guide for Investigating Computer Crime, we considered the basics of computer crime and computer forensics. We began with a definition for computer fraud and abuse, then discussed evidence and the importance of chain of custody, and finished up with an outline of the skills and tools needed to investigate computer crime. With all of that behind us, we can turn our sights toward the heart of the matter: a methodology for investigating computer crime.

Field Guide for Investigating Computer Crime: Search and Seizure Basics - Part Three (The)

Published on 2000-07-28, by Timothy Wright, ©SecurityFocus.

Previously, in Overview of a Methodology for the Application of Computer Forensics we took a high level tour of a formal, methodical process for investigating computer crime. Our tour consisted of an overview of the two endeavors which comprise this process: search and seizure, and information discovery. Along the way, we considered why a formal method for investigating computer crime is truly necessary, and we related our method back to the well-known scientific method. Now, we're ready to take the plunge into the gritty details of the search and seizure forensic activity. However, a word of warning is in order: things become reasonably involved from this point on; try not to get overwhelmed. Keep in mind that the degree of complexity in the search and seizure process can always be scaled back in accordance with an organization's investigation policies (e.g., high profile cases are given the full treatment, low profile cases are given a less involved treatment).

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures

Published on 2001, by Zenomorph, ©cgisecurity.com.

Port 80 is the standard port for websites, and it can have a lot of different security issues. These holes can allow an attacker to gain either administrative access to the web site, or even the web server itself. This paper looks at some of the signatures that are used in these attacks, and what to look for in your logs.

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two

Published on March 2002, by Zenomorph, ©cgisecurity.com.

Port 80 is the standard port for websites, and it can have a lot of different security issues. These holes can allow an attacker to gain either administrative access to the website, or even the web server itself. This second paper was written to help the average administrator and developer to have a better understanding of the types of threats that exist, along with how to detect them.

Fist! Fist! Fist! Its all in the wrist: Remote Exec

Published on 2004-07-13, by grugq, ©Phrack Magazine.

The infrastructure of anti-forensics is built on the three strategies of data destruction, data hiding and data contraception. The principles of data contraception, and a technique for executing a data contraception attack, are presented. This technique provides the ability to execute a binary on a remote system without creating a file on the disk.

Forensic Analysis of a Live Linux System, Part One

Published on 2004-03-22, by Mariusz Burdach, ©SecurityFocus.

During the incident response process we often come across a situation where a compromised system wasn't powered off by a user or administrator. This is a great opportunity to acquire much valuable information, which is irretrievably lost after powering off. I'm referring to things such as: running processes, open TCP/UDP ports, program images which are deleted but still running in main memory, the contents of buffers, queues of connection requests, established connections and modules loaded into part of the virtual memory that is reserved for the Linux kernel. All of this data can help the investigator in offline examination to find forensic evidence. Moreover, when an incident is still relatively new we can recover almost all data used by and activities performed by an intruder.

Forensic Chain-of-Evidence Model: Improving the Process of Evidence Collection in Incident Handling Procedures (The)

Published on September 2002, by Atif Ahmad, ©University of Melbourne.

This paper suggests that administrators form a new way of conceptualizing evidence collection across an intranet based on a model consisting of linked audit logs. This methodology enables the establishment of a chain of evidence that is especially useful across a corporate intranet environment. Administrators are encouraged to plan event configuration such that audit logs provide complementary information across the intranet. Critical factors that determine the quality of evidence are also discussed and some limitations of the model are highlighted.

Forensics and the GSM mobile telephone system

Published on 2003, by Svein Yngvar Willassen, ©International Journal of Digita.

The GSM system has become the most popular system for mobile communication in the world. Criminals commonly use GSM phones, and there is therefore a need for forensic investigators to understand which evidence can be obtained from the GSM system. This paper briefly explains the basics of the GSM system. Evidence items that can be obtained from the Mobile Equipment, the SIM and the core network are explored. Tools to extract such evidence from the components of the system exist, but there is a need to develop more sound forensic procedures and tools for extracting such evidence. The paper concludes with a short presentation on the future UM

Future of computer forensics: A needs analysis survey (The)

Published on 2004, by Marcus K. Rogers and Kathryn Seigfried, ©Marcus K. Rogers and Kathryn Seigfried.

The current study was a pilot study and attempted to add to the growing body of knowledge regarding inherent issues in computer forensics. The study consisted of an Internet based survey that asked respondents to identify the top five issues in computer forensics. 60 respondents answered the survey using a free form text field. The results indicated that education/training and certification were the most reported issue (18%) and lack of funding was the least reported (4%). These findings are consistent with a similar law enforcement community study (Stambaugh et al., 2001). The findings emphasize the fragmented nature of the computer forensics discipline. Currently there is a lack of a national framework for curricula and training development, and no gold standard for professional certification. The findings further support the criticism that there is a disproportional focus on the applied aspects of computer forensics, at the expense of the development of fundamental theories. Further implications of the findings are discussed as well as suggestions for future research in the area.

Guidelines on PDA Forensics

Published on 2004, by Wayne Jansen and Rick Ayers, ©National Institute of Standards and Technology.

Personal Digital Assistants (PDAs) are a relatively recent phenomenon, not usually covered in classical computer forensics. This guide attempts to bridge that gap by providing an in-depth look into PDAs and explaining the technologies involved and their relationship to forensic procedures. It covers three families of devices — Pocket PC, Palm OS, and Linux-based PDAs — and the characteristics of their associated operating system. This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present on PDAs, as well as available forensic tools.

IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot

Published on March 18, 2003, by Alan Neville, ©SecurityFocus.

An attacker has compromised a Sun Solaris server on a production network using an exploit for the dtspcd service in CDE, a Motif-based graphical user environment for Unix systems. You are the senior security engineer of the Security Operations Center (SOC) for your company and are required to find out how the box was compromised and by whom. Using only a Snort binary capture file from the remote log server, you are to conduct a complete analysis of all IDS captures, log files, and an inspection of the file system.

Introduction to the Field Guide for Investigating Computer Crime - Part One (An)

Published on 2000-04-17, by Timothy E. Wright, ©SecurityFocus.

As computers and the Internet continue to pervade and invade our lives, the potential for harm caused by computer crime increases manifold. Unfortunately, there is a deficit of information about what computer crime is, and how it should be investigated. As a result, such criminal acts become more widespread and costly to our society each year. The relatively new field of Computer Forensics attempts to manage this problem by providing a thorough, efficient, and secure means of investigating computer crime. This article and those which follow, will endeavor to provide a field guide for the computer fraud and abuse investigator. In a plain and approachable manner, this guide will cover a generic method for the application of computer forensics. Beginning here with a discussion of the basics, the field guide will address questions and issues fundamental to investigating computer crime, and detail a method for doing search and seizures of physical computer evidence, and information discovery of logical computer evidence. For those readers who are not computer fraud and abuse investigators, it is hoped that common sense will be imparted about what and what not to do as the victim of a computer crime.

Issues Discovering Compromised Machines

Published on 2004-10-25, by Anton Chuvakin, ©SecurityFocus.

One of the latest security books I read had a fascinating example in the preface. The authors, well-known and trustworthy experts in the field of security, made an outrageous claim that most of the Fortune 2000 companies have already been penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it. Without being able to verify the validity of this, I decided to look at the problem of reliably discovering the compromised machines on corporate networks. Reliability is of key importance here as there are lots of ways to obtain a suspicion that the machine is "owned" or infected, but sadly there are few truly reliable ways to discover that short of full forensic analysis, likely requiring physical access to a machine as well as shutting it down for a potentially long time.

Know Your Enemy: A Forensic Analysis

Published on 2002-05-09, by Lance Spitzner, ©Infosecwriters.com.

This paper is a continuation of the Know Your Enemy series. The first three papers covered the tools and tactics of the black-hat community. This paper, the fourth of the series, studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we will focus on how we learned what happened and pieced the information together. The purpose is to give you the forensic skills necessary to analyze and learn on your own the threats your organization faces. There is also an online, interactive version of this paper published by MSNBC.

Law Enforcement and Forensic Examiner Introduction to Linux (The)

Published on 2004, by Barry J. Grundy, ©Barry J. Grundy.

The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic tool for computer crime investigators. There are better books written on the subject of Linux (by better qualified professionals), but my hope here is to provide a single document that allows a user to sit at the shell prompt (command prompt) for the first time and not be overwhelmed by a 700-page book.

Lessons Learned Repository for Computer Forensics (A)

Published on 2002, by Warren Harrison, George Heuston, Mark Morrissey, David Aucsmith, ©International Journal of Digita.

The Law Enforcement community possesses a large, but informal, community memory with respect to digital forensics. Large, because the experiences of every forensics technician and investigator contribute to the whole. Informal because there is seldom an explicit mechanism for disseminating this wisdom except “over the water cooler”. As a consequence, the same problems and mistakes continue to resurface and the same solutions are re-invented. In order to better exploit this informal collection of wisdom, the key points of each experience can be placed into a Repository for later dissemination. We describe a web-based Lessons Learned Repository (LLR) that facilitates contribution of Lessons, and their subsequent retrieval.

Macintosh forensic analysis using OS X

Published on 2002, by Peter Hawkins, ©SANS Institute.

Computer forensic analysis is a method of studying and acquiring digital evidence in a manner that ensures the data's integrity. The duty to perform such an analysis often falls upon a police officer in his quest to gather valuable evidence of a crime. Sometimes, however, system administrators and security professionals are required to partake in such functions when they suspect that someone has tampered with their system. The ability to do a proper analysis using sound forensic practices that are accepted in a court of law, opens the door to the possibility of pursuing criminal or civil action against the perpetrator. The purpose of this paper is to describe sound forensic techniques as they pertain to the Macintosh. In order to accomplish this task, I must first describe basic forensic techniques that apply to all computer systems. Then I will provide a brief history of the various Macintosh models and operating systems, as each one can provide some intriguing problems. Finally, I will follow this up with a specific outline of how to perform the proper analysis of a Macintosh computer system using an OS X based system as the analysis machine. The result of this paper will be a useful reference to those people who may be required to perform a computer forensic analysis on a Macintosh.

Maintaining System Integrity During Forensics

Published on August 01, 2003, by Jamie Morris, ©SecurityFocus.

Deciding how to maintain the integrity of a system for use in a forensic examination can be a little like deciding which club to use to get out of the rough on the last hole of a golf tournament, i.e. the stakes are high and you never know if you've made the right choice until it's too late to change your mind (note: this analogy only works if you play golf as badly as I do. If you're a good golfer, or if you don't play golf at all, you'll have to come up with one of your own). While the use of good judgement may be more art than science, if we keep in mind certain basic principles and remember to think before we act we should give ourselves the best possible chance of a successful forensic outcome. These basic principles are the bedrock upon which any notions of a "best practice" must be constructed and will be the basis of this article.

MFP: The Mobile Forensic Platform

Published on 2003, by Frank Adelstein, ©International Journal of Digita.

Digital forensics experts perform investigations of machines for “triage” to see if there is a problem, as well as to gather evidence and run analyses. When the machines to be examined are geographically distributed, an investigator could benefit greatly if he could conduct the investigation, or even its initial stages, remotely.

Overview of disk imaging tools in computer forensics

Published on 2001, by Madihah Mohd. Saudi, ©SANS Institute.

The objective of this paper is to educate users on disk imaging tools: the issues that arise in using disk imaging, recommended solutions to these issues, and examples of disk imaging tools. Eventually the goal is to guide users to choose the right disk imaging tool in computer forensics.

Overview of Steganography for the Computer Forensics Examiner (An)

Published on July 2004, by Gary C. Kessler, ©Gary C. Kessler.

Steganography is the art of covered or hidden writing. The purpose of steganography is covert communication: to hide the existence of a message from a third party. This paper is intended as a high-level technical introduction to steganography for those unfamiliar with the field. It is directed at forensic computer examiners who need a practical understanding of steganography without delving into the mathematics, although references are provided to some of the ongoing research for the person who needs or wants additional detail. Although this paper provides a historical context for steganography, the emphasis is on digital applications, focusing on hiding information in online image or audio files. Examples of software tools that employ steganography to hide data inside of other files as well as software to detect such hidden files will also be presented.

Practical Approaches to Recovering Encrypted Digital Evidence

Published on 2002, by Eoghan Casey, ©International Journal of Digita.

As more criminals use encryption to conceal incriminating evidence, forensic examiners require practical methods for recovering some or all of the encrypted data. This paper presents lessons learned from investigations involving encryption in various contexts. By presenting successful and unsuccessful case examples, this paper gives forensic examiners a clearer understanding of the feasibility and limitations of various approaches to dealing with encryption. Additionally, by demonstrating how encryption has been successfully dealt with in past investigations, this paper provides examiners with techniques that we can apply in our work and encourages us to aggressively confront encryption.

Pros and Cons of using Linux and Windows Live CDs in Incident Handling and Forensics

Published on 2007-01-14, by Ricky D. Smith, ©SANS Institute.

This paper describes the examination of the use of five different live CDs in the six-step incident handling process and the subsequent forensic examination of the machines. A brief synopsis of the six-step incident handling process is provided as background for the testing conducted. The first part of the examination will be an evaluation of the ability of the live CD to be used for incident response by a first responder. After the first response capability is evaluated, an examination of the capability of the live CDs to carry out the initial forensic imaging will be conducted. The test procedures used on Windows XP and Linux machines are described, including the sets of commands that simulate the first responder actions on each operating system. The advantages and disadvantages of using each live CD for incident response and their effect on the forensic process are examined on the basis of the testing.

Recovering and Examining Computer Forensic Evidence

Published on October 2000, by Federal Bureau of Investigation, www.fbi.gov.

The world is becoming a smaller place in which to live and work. A technological revolution in communications and information exchange has taken place within business, industry, and our homes. America is substantially more invested in information processing and management than manufacturing goods, and this has affected our professional and personal lives. We bank and transfer money electronically, and we are much more likely to receive an E-mail than a letter. It is estimated that the worldwide Internet population is 349 million (CommerceNet Research Council 2000).

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations

Published on July 2002, by United States Department of Justice, www.cybercrime.gov.

In the last decade, computers and the Internet have entered the mainstream of American life. Millions of Americans spend several hours every day in front of computers, where they send and receive

Smart Anti-Forensics

Published on 2005, by Steven McLeod, ©Forensic Focus.

This paper highlights an oversight in the current industry best practice procedure for forensically duplicating a hard disk. A discussion is provided which demonstrates that although the forensic duplication process may not directly modify data on the evidence hard disk, a hard disk will usually modify itself during the forensic duplication process.

The paper highlights some consequences, for example that an attacker who has compromised the computer containing the hard disk can programmatically detect that the hard disk has been forensically duplicated, or otherwise powered on and accessed via a mechanism other than via the operating system installed on the hard disk.

Suggestions are provided to help minimise the changes made to the hard disk during the forensic duplication process. These suggestions minimise the likelihood that an attacker will notice the system administrator or forensic analyst performing an investigation of the suspected compromised computer.

Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer

Published on 2004, by Ernest Baca, ©Infosecwriters.com.

Since beginning my endeavors with computer forensics, I have always wanted the ability to boot up a suspect's computer just to see what the user saw when he was using the computer. So many times I have done computer forensic exams in which proprietary software is used. Simply looking at directory structures sometimes just doesn't cut it. Also, how many times did I make case agents go out and buy accounting software in order to run the target's data, not to mention figuring out which files to extract.

Web Browser Forensics, Part 1

Published on 2005-03-30, by Keith J. Jones and Rohyt Belani, ©SecurityFocus.

Electronic evidence has often shaped the outcome of high-profile civil lawsuits and criminal investigations, ranging from theft of intellectual property and insider trading that violates SEC regulations to proving employee misconduct resulting in termination of employment under unfavorable circumstances. Critical electronic evidence is often found in the suspect's web browsing history in the form of received emails, sites visited and attempted Internet searches. This two-part article presents the techniques and tools commonly used by computer forensics experts to uncover such evidence, through a fictitious investigation that closely mimics real-world scenarios.

While you read this article, you may follow along with the investigation and actually analyze case data. To actively participate in the investigation, you need to download the associated Internet activity data from the SecurityFocus archives.

Web Browser Forensics, Part 2

Published on 2005-05-11, by Keith J. Jones and Rohyt Belani, ©SecurityFocus.

Welcome to part two of the Web Browser Forensics series. In part one, we began investigating the intrusion of the Docustodian document management server hosting a law firm's data. The server appeared to have been compromised by a group of hackers who were using it as a repository for their MP3s, MPEGs, and pirated software.

In part one, we also performed a review of the Internet Explorer history and cached files on the system used by Joe Schmo, the primary suspect of the intrusion. Analysis of the web browsing history revealed Internet searches for license cracks and hacking books; however, all this malicious activity appeared to have been performed while Joe was on vacation with his family in Florida.

In part two we now set out to determine who used Joe's machine while he was on vacation. We will proceed by examining further investigative leads that involve performing an in-depth review of the web activity of all other browsers installed on Joe's hard drive.

Created: 2004-12-08 07:02 | Modified: 2007-03-26 00:16 | Size: 125906 octets
