According to Mohay (2003, p.113), computer forensics was first used in the 1970s by the US military and intelligence agencies. Daniel (2011, p.14) notes that computer forensics began in 1984. During this year, the FBI created a program called the Magnetic Media Program. In its initial year, this program dealt with three cases. The program later evolved to become the FBI Computer Analysis and Response Team (CART) program (Daniel, 2011, p.14). As of 2009, the number of Computer Forensic labs run by the FBI had increased to fourteen.
The use of computer forensics has been employed by government agencies in an attempt to decrease criminal offences relating taxation and revenue collection (Mohay, 2003, p.114). Most of these were government agencies such as the Internal Revenue Service Criminal Investigation division. Mohay (2003, p.114) suggests that the introduction of the IBM personal computer created problems in dealing with computer investigations. This was due to the ability of using these computers to alter data without a trace and the ability to delete or hide data. Consequently, the availability of the personal computer provided criminals with easier ways of carrying out their activities. The rise of crime related to computing resulted to the need of developing new approaches of addressing problems caused by the new technology, and thus the need for Computer Forensics. There has been the introduction of law enforcement programs that use computer forensics (Daniel, 2011, p.15). Examples include Operation Fairplay that deals with child pornography and Internet Crimes Against Children (ICAC) that train law enforcers on how to deal with Internet predators (Daniel, 2011, p.15).
Benefits of Computer Forensics
According to the Ec-Council (2009), computer forensic provides a number of benefits especially since there is an increase in electronic crimes. In addition, financial losses resulting from computer crimes have increased the need of using computer forensic technology in an effort to reduce such losses. In various organizations, computer forensic can be used to ensure that integrity of computer systems is maintained. In addition, computer forensics helps the organization to record vital information in cases where the computer network may be compromised. Consequently, computer forensics will assist the organization in extracting, processing, and interpreting information that can be used to prosecute criminals that have interfered with the integrity of the network (Ec-Council, 2009, p.2-2). Furthermore, the use of computer forensics is essential in tracking down terrorists and cyber criminals from various parts of the world by tracking of IP addresses that the criminals and terrorists use for communication. Further, computer forensics proves to be useful in cases of email spamming and child pornography. In the process of using computer forensics technology, organizations save time and money.
Tools used in Computer Forensic Analysis
Tools used in computer forensic analysis may be categorized in various groups such as traffic analysis and evidence gathering tools. Some of these tools may be available through free download while others need to be purchased. Traffic analysis tools include Wireshark and Cain & Abel. Evidence gathering tools include ProDiscover, Password Recovery Toolkit, Hex Workshop, and the FKT Imager (Daniel, 2011, p.37).
Using Wireshark to Capture, Filter and Inspect Packets
Wireshark is used to capture packets in real time and display them in an arrangement that can be read by humans (Kurose, 2007, p.1). In computer forensics, wireshark is used to inspect the network traffic of a suspicious program and analyze the traffic flow on the network.
Once wireshark has been installed, the interface to use is selected. For instance, in this case analysis is being done for a wireless network so the wireless interface (NVIDIA nForcce MCP Networking Adapter Driver) is selected.
After selecting the interface’s name, packets start to appear. Wireshark captures every packet sent from the system and received by the system. If using a promiscuous mode, selected in the capture options, other packets on the network will be displayed.
The color-coding of the traffic assists in identification of the type of traffic on a quick look (Hoffman, 2012). The dark blue color indicates DNS traffic, the green indicates the TCP traffic, and black indicates TCP packets with problems whereas the light blue signifies UDP traffic. This makes it easier to identify the packets with problems.
When inspecting a particular traffic, for instance, DNS traffic, the filter tool is used to narrow the search, which makes the inspection simpler. Only the DNS packets will be shown.
Using Cain and Abel for Traffic Analysis
Cain and Abel software is used to create a mechanism similar to phone tapping where traffic from another computer can be intercepted. This process is referred as ARP cache poisoning (Sanders, 2011, p.27). Once the Cain and Abel program is launched, the sniffer tab is the one used for traffic analysis. Prior to this, the IP addresses of the analyzer system, remote system (where traffic will be captured) and the router from which the remote system is downstream should be noted down. Clicking on the sniffer tab displays an empty table.
For scanning, activate the sniffer as follows. Click on the second icon on the left that resembles a NIC. Select the interface that is going to be sniffed. The interface should be connected to the network where the scanning will be done. A list of available hosts can be created by selecting the (+) symbol. Selecting this symbol opens up a MAC Address Scanner dialog box. In this dialog box, the All Hosts in my subnet button is selected to scan the whole network.
After clicking OK, the empty table will be filled with a list of all available hosts attached to the network. To perform the ARP poisoning, the APR tab is selected, which brings an APR window. Using the (+) icon on the program standard bar, a new window with two selection panels appears. One pane has the list of the available hosts on the network. Selecting one IP address will on this pane that will be sniffed results to all the hosts in the network being displayed in the right pane apart from the target’s machine IP address (Sanders, 2011, p.29). Selecting the IP address of the router directly above that of the target machine and clicking OK, results to the IP address being displayed in the main application window. To finish the process of setting up the ARP cache poisoning, the yellow and black symbol is selected, which allows the analysis of the system to begin. All communications between the target and the router will be intercepted.
Tools used for File Recovery
Using ProDiscover to recover evidence from a USB drive
The first step is to ensure that the write-protect switch is on the write-protect mode if the USB has one. Then connect the USB drive to the computer. Start the ProDiscover software from the program list as an administrator. The main window of the ProDiscover is indicated below (Nelson, Phillips, and Steuart, 2010, p.49).
Select the capture image from the menu. This opens up a Capture Image Dialog box.
In the source drop down list, select the source drive as the USB drive. Then select the destination of where to save the image. Preferably, the image should be saved on the desktop. Save the image on a separate drive. As a technician, I will type my name in the Technician Name text box. Capture the image and the ProDiscover will begin the process of acquiring the image from the USB drive.
Once the image is acquired, data located in the image needs to be located. Firstly, the image is loading the image using ProDiscover. A new project is created from the file menu. The new project dialog box is shown below.
In the results area select a result to view its contents. If it is a word document, import it and save it in a different location for further analysis.
Using FTK to Recover evidence from a USB Drive
The first step to do is to launch the FTK program. After the program launches, use the Start a new case button to start a new case. In the new case dialog box that opens enter the relevant details for the investigator name, case number and a case name (Nelson, Phillips, and Steuart, 2010, p.183). Clicking the next button directs one to Forensic Examiner Information dialog box, where information that will appear in the final report is recorded. Once this is filled, the next dialogue box is the Evidence Processing Options. The Data Carve check box is unchecked to ensure that processing is fast. After this, the next dialog box is the Refine Case-Default dialog box. In this box, the Include All Items button is selected.
In the Refine Index Dialog box accept the default settings and proceed. In the Add Evidence to Case Dialog box that appears, the Add Evidence button is selected. A second Add to Evidence to Case box appears and the Acquired Image of Drive option button is selected. A dialog box opens, which is used to locate the image saved on the computer. In the Evidence Information dialog box, additional information is added such as the local evidence time zone.
The default settings in the Add Evidence to Case dialog box are used.
Click finish in the Case Summary box to initiate analysis.
Once the analysis is complete, the extracted files can be viewed to look for the required evidence (Nelson, Phillips, and Steuart, 2010, p.185).
Using Hex Workshop
Hex workshop is used to identify the file system and file types that may exist in a USB drive (Nelson, Phillips, and Steuart, 2010, p.203). Run the Hex program as an administrator. Once the Hex workshop opens, open the drive by clicking the Disk button. Select the USB drive and Hex Workshop indicates the file system in the drive.
Using Password Recovery Toolkit to gain Evidence
This tool is used in cases where access to evidence is limited by presence of passwords (Lewis, 2007, p.128). In a scenario, where the files have been protected by password the approach used is as follows. Once the Password Toolkit is started, clicking on the Password recovery toolkit brings up a Licensed Recovery Module dialog box.
The file to be recovered is selected and imported. The type of cracking application is then selected. This could be brute force or dictionary attack (Lewis, 2007, p.128). The password cracking operation starts as indicated below.
The password recovery operation may take a short time or even days to recover depending on the complexity of the password that was used. Once cracked, the password will be displayed in the password window as shown below.
Daniel, L. (2011). Digital Forensics for Legal Professionals: Understanding Digital Evidence Ec-Council. (2009). Investigation Procedures and Response, Book 1. New York: Cengage Learning.
Forensic Analysis Using FTL Imager. Retrieved from http://cse.spsu.edu/raustin2/coursefiles/forensics/Lab3.pdf
Hoffman, C. (2012). Using Wireshark to Capture, Filter and Inspect Packets. Retrieved from http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
Kurose, J.F. & Ross, R.W. (2007). Wireshark Lab: Getting Started. Retrieved from http://www.eng.tau.ac.il/~netlab/resources/booklet/Wireshark_INTRO.pdf
Lewis, J. A. (2007). Corporate computer forensics training system text manual. Volume I. Leslie, Mich: Cyber Defense and Research Initiative.
Mohay, G. (2003). Computer and Intrusion Forensics. Norwood: Artech House.
Nelson, B., Phillips, A. & Steuart, C. (2010). Guide to Computer Forensics and Investigations. Boston: Cengage Learning.
Sanders, C. (2011). Practical packet analysis using Wireshark to solve real-world network problems (2nd ed.). San Francisco, CA: No Starch Press.
Wiles, J., Cardwell, K. & Reyes, A. (2007). The Best Damn Cybercrime and Digital Forensics Book Period. Burlington: Syngress.