Lecture - 2

The document outlines various types of computer forensics technology used by military and law enforcement, emphasizing the importance of rapid evidence discovery and the preservation of digital evidence. It discusses the Computer Forensics Experiment 2000 (CFX-2000), which aims to determine the motives and identities of cyber criminals through an integrated forensic analysis framework. Additionally, it highlights tools like SafeBack for creating evidence-grade backups and AnaDisk for analyzing data storage anomalies on floppy diskettes.

Uploaded by khrashprash321
Types of Computer Forensics Technology

1. TYPES OF MILITARY COMPUTER FORENSIC TECHNOLOGY


Key objectives of cyber forensics include rapid discovery of evidence, estimation of the potential impact of the malicious activity on the victim, and assessment of the intent and identity of the perpetrator. Real-time tracking of potentially malicious activity is especially difficult when the pertinent information has been intentionally hidden, destroyed, or modified in order to elude discovery.
✔ The National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal justice professionals to identify urgent and emerging technology needs.
✔ NLECTC centers demonstrate new technologies, test commercially available technologies, and publish results, linking research and practice.
✔ The National Institute of Justice (NIJ) sponsors research and development or identifies best practices to address those needs.
✔ The Information Directorate entered into a partnership with the NIJ, via the auspices of the NLECTC, to test new ideas and prototype tools. The Computer Forensics Experiment 2000 (CFX-2000) resulted from this partnership.
COMPUTER FORENSIC EXPERIMENT-2000 (CFX-2000) ****
CFX-2000 is an integrated forensic analysis framework.
✔ The central hypothesis of CFX-2000 is that it is possible to accurately determine the motives, intent, targets, sophistication, identity, and location of cyber criminals and cyber terrorists by deploying an integrated forensic analysis framework.
✔ The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. CFX includes the SI-FI integration environment.
✔ The Synthesizing Information from Forensic Investigations (SI-FI) integration environment supports the collection, examination, and analysis processes employed during a cyber-forensic investigation.
✔ The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof containers used to store digital evidence.
✔ Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations.

✔ Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of their contents.
✔ The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection.
✔ The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals.
As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks.

COMPUTER FORENSICS UNIT I - PART II
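The digital evidence bag idea above (seal, controlled reopen, audit of every action) can be modelled in a few lines. This is an added illustration, not SI-FI's actual format: the bag here is a constructed Python object whose seal is a SHA-256 of the content and whose audit log is a hash chain, so any edit to the content or to an earlier audit entry is detected on verification.

```python
import hashlib
import json
from dataclasses import dataclass, field


def _digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable object (helper for this example)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class EvidenceBag:
    """Simplified digital evidence bag: sealed content plus a hash-chained audit log."""
    label: str
    content: bytes
    seal: str = ""                              # SHA-256 of content, fixed when sealed
    audit: list = field(default_factory=list)   # each entry links to the previous one

    def _append_audit(self, user: str, action: str) -> None:
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"user": user, "action": action, "seal": self.seal, "prev": prev}
        entry["entry_hash"] = _digest(entry)    # hash covers user, action, seal, prev
        self.audit.append(entry)

    def seal_bag(self, user: str) -> None:
        self.seal = hashlib.sha256(self.content).hexdigest()
        self._append_audit(user, "seal")

    def reopen(self, user: str, authorized: bool) -> bytes:
        """Only authorized examiners get the content; refusals are logged as well."""
        if not authorized:
            self._append_audit(user, "reopen-denied")
            raise PermissionError("not an authorized examiner")
        self._append_audit(user, "reopen")
        return self.content

    def verify(self) -> bool:
        """True only if the content still matches the seal and the audit chain is intact."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return hashlib.sha256(self.content).hexdigest() == self.seal


if __name__ == "__main__":
    bag = EvidenceBag("constructed-sample", b"log line 1\nlog line 2\n")
    bag.seal_bag("examiner-a")
    bag.reopen("examiner-b", authorized=True)
    print(bag.verify(), len(bag.audit))
```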

2. TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY


Computer forensics tools and techniques have become important resources for use in internal investigations, civil lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in processing computer evidence for years.
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer evidence processing standards.

1. Preservation of Evidence
✔ Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences.
✔ Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
✔ Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a full computer forensics solution.
✔ SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics approaches.
✔ SafeBack technology has become a worldwide standard in making mirror image backups since 1990.
MIRROR IMAGE BACKUP SOFTWARE - SAFEBACK *****
SafeBack is used to create mirror-image (bit-stream) backup files of hard disks or to make a mirror-image copy of an entire hard disk drive or partition.
✔ SafeBack image files cannot be altered or modified to alter the reproduction. This is because SafeBack is an industry standard self-authenticating computer forensics tool that is used to create evidence-grade backups of hard drives.
PRIMARY USES
✔ Used to create evidence-grade backups of hard disk drives on Intel-based computer systems.
✔ Used to exactly restore archived SafeBack images to another computer hard disk drive of equal or larger storage capacity.
✔ Used as an evidence preservation tool in law enforcement and civil litigation matters.
✔ Used as an intelligence gathering tool by military agencies.
PROGRAM FEATURES AND BENEFITS
✔ DOS based for ease of operation and speed.
✔ Provides a detailed audit trail of the backup process for evidence documentation purposes.
✔ Checks for possible data hiding when sector cyclic redundancy checks (CRCs) do not match on the target hard disk drive. These findings are automatically recorded in the SafeBack audit log file.
✔ Allows the archive of non-DOS and non-Windows hard disk drives (Unix on an Intel-based computer system).
✔ Allows for the backup process to be made via the printer port.
✔ Duplicate copies of hard disk drives can be made from hard disk to hard disk in direct mode.
✔ SafeBack image files can be stored as one large file or separate files of fixed sizes. This feature is helpful in making copies for archive on CDs.
✔ Tried and proven evidence-preservation technology with a 10-year legacy of success in government agencies.
✔ Does not compress relevant data, to avoid legal arguments that the original computer evidence was altered through data compression or software translation.
✔ It is fast and efficient. In spite of the extensive mathematical validation, the latest version of SafeBack runs faster than prior versions. Processing speeds are much faster when state-of-the-art computer systems are used to make the backup.
✔ Makes copies in either physical or logical mode at the option of the user.
✔ Copies and restores multiple partitions containing one or more operating systems.
✔ Can be used to accurately copy and restore most hard disk drives, including Windows NT, Windows 2000, and Windows XP in a RAID configuration.
✔ Accuracy is guaranteed in the backup process through the combination of mathematical CRCs that provides a level of accuracy that far exceeds the accuracy provided by 128-bit CRCs (RSA MD5).
✔ Writes to SCSI tape backup units or hard disk drives at the option of the user.
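The three SafeBack properties that matter for evidence grade (an uncompressed bit-stream copy, fixed-size image segments, and per-sector CRCs plus a whole-image digest recorded in an audit log that later flags any sector that no longer matches) can be shown on a constructed device. This is an added example written for this page, not SafeBack's own code or file format; the 512-byte sector size, CRC-32 and MD5 choices are assumptions for the illustration.

```python
import hashlib
import zlib

SECTOR = 512  # assumed sector size for the constructed device


def make_constructed_device() -> bytes:
    """Eight sectors, each filled with its own sector number (constructed sample, 4096 bytes)."""
    return b"".join(bytes([n]) * SECTOR for n in range(8))


def image_device(device: bytes, segment_size: int):
    """Bit-stream copy of `device` into fixed-size segments, plus an audit record.

    No compression or translation is applied: the segments concatenate back to the
    exact original bytes. The audit record holds one CRC-32 per sector and an MD5 of
    the whole device so a restore can be checked sector by sector later.
    """
    if len(device) % SECTOR:
        raise ValueError("device size is not a whole number of sectors")
    audit = {
        "sectors": len(device) // SECTOR,
        "sector_crc32": [zlib.crc32(device[i:i + SECTOR]) for i in range(0, len(device), SECTOR)],
        "md5": hashlib.md5(device).hexdigest(),
    }
    segments = [device[i:i + segment_size] for i in range(0, len(device), segment_size)]
    return segments, audit


def restore_and_verify(segments, audit):
    """Reassemble the segments and list the sectors whose CRC no longer matches the audit."""
    data = b"".join(segments)
    if len(data) != audit["sectors"] * SECTOR:
        raise ValueError("restored size differs from the imaged device")
    bad_sectors = [n for n in range(audit["sectors"])
                   if zlib.crc32(data[n * SECTOR:(n + 1) * SECTOR]) != audit["sector_crc32"][n]]
    md5_ok = hashlib.md5(data).hexdigest() == audit["md5"]
    return data, bad_sectors, md5_ok


if __name__ == "__main__":
    dev = make_constructed_device()
    segs, log = image_device(dev, segment_size=1024)   # four 1 KiB image files
    restored, bad, ok = restore_and_verify(segs, log)
    print(len(segs), bad, ok, restored == dev)
```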
TROJAN HORSE PROGRAMS
✔ The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence.
✔ Such programs can also be used to covertly capture sensitive information, passwords, and network logons.
COMPUTER FORENSICS DOCUMENTATION
✔ Without proper documentation, it is difficult to present findings.
✔ If the security or audit findings become the object of a lawsuit or a criminal investigation, then documentation becomes even more important.
FILE SLACK
✔ Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster that is unused by current file data, but which may once again be a site for previously created and relevant evidence.
✔ Techniques and automated tools are used by the experts to capture and evaluate file slack.
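The arithmetic behind file slack, and why it can hold evidence, in an added example (not from the lecture): on a constructed volume with an assumed 4 KiB cluster size, a deleted file's bytes are still present in the clusters a new 5,000-byte file is written into, and the 3,192 bytes between the new file's end and the cluster boundary are carved out.

```python
CLUSTER = 4096  # bytes per cluster, assumed for the constructed volume


def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Unused bytes in the last cluster assigned to a file of file_size bytes."""
    if file_size == 0:
        return 0            # an empty file has no cluster assigned, so no slack
    return (-file_size) % cluster


def carve_file_slack(volume: bytes, first_cluster: int, file_size: int,
                     cluster: int = CLUSTER) -> bytes:
    """Return the slack region of a file stored contiguously from first_cluster.

    Real filesystems may zero the tail of the file's last *sector* on write, so only
    the whole unwritten sectors of the last cluster reliably keep old content; this
    constructed volume does no zeroing, so the full slack region is returned.
    """
    start = first_cluster * cluster + file_size
    return volume[start:start + slack_bytes(file_size, cluster)]


def build_constructed_volume() -> bytes:
    """Four-cluster volume: clusters 1-2 held a deleted memo, then a 5,000-byte file was written there."""
    volume = bytearray(4 * CLUSTER)
    old_memo = (b"old-memo-" * (2 * CLUSTER // 9 + 1))[:2 * CLUSTER]
    volume[1 * CLUSTER:3 * CLUSTER] = old_memo          # deleted file's residue
    volume[1 * CLUSTER:1 * CLUSTER + 5000] = b"N" * 5000  # new file overwrites the start
    return bytes(volume)


if __name__ == "__main__":
    vol = build_constructed_volume()
    slack = carve_file_slack(vol, first_cluster=1, file_size=5000)
    print(len(slack), slack[:18])
```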

DATA-HIDING TECHNIQUES
✔ Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer forensic experts should understand such issues and the tools that help in the identification of such anomalies.
ANADISK - DISKETTE ANALYSIS TOOL *****
AnaDisk is primarily used to identify data storage anomalies on floppy diskettes; generic hardware in the form of floppy disk controllers and BIOS is needed when using this software.
PRIMARY USES
✔ Security reviews of floppy diskettes for storage anomalies.
✔ Duplication of diskettes that are nonstandard or that involve storage anomalies.
✔ Editing diskettes at a physical sector level.
✔ Searching for data on floppy diskettes in traditional and nontraditional storage areas.
✔ Formatting diskettes in nontraditional ways for training purposes and to illustrate data-hiding techniques.
PROGRAM FEATURES AND BENEFITS
✔ DOS-based for ease of operation and speed.
✔ No software dongle. Again, software dongles get in the way and they are restrictive.
✔ Keyword searches can be conducted at a very low level and on diskettes that have been formatted with extra tracks. This feature is helpful in the evaluation of diskettes that may involve sophisticated data-hiding techniques.
✔ All DOS formats are supported, as well as many non-DOS formats (Apple Macintosh, Unix TAR, and many others). If the diskette will fit in a PC floppy diskette drive, it is likely that AnaDisk can be used to analyze it.
✔ Allows custom formatting of diskettes with extra tracks and sectors.
✔ Scans for anomalies will identify odd formats, extra tracks, and extra sectors.
✔ Data mismatches concerning some file formats are also identified when file extensions have been changed in an attempt to hide data.
✔ This software can be used to copy almost any diskette, including most copy-protected diskettes.
