Computer Forensics

Dr. Tony K.Y. Chan, Siddhartha Sanyal
Abstract (translated from German)

Law enforcement, too, must adapt in the age of information technology. Crimes are increasingly committed with the help of the new media, which means that evidence exists in electronic form. Computer forensics comprises the securing and recovery of data, the identification of electronic evidence and the presentation of the results. The focus of this work is on securing data. To this end, the data must be copied to a suitable medium, which then forms the basis of further forensic examinations. During copying, data integrity must be guaranteed in order to avoid destroying the stored evidence. This applies both to data that reside in directories and files and are easily accessible, and to data that have been stored in hidden areas of the medium.
With the advent of the information technology age, the needs of law enforcement have changed. Records of traditional crimes, both criminal and corporate, are now being maintained electronically. Leads that used to be on paper have now become electronic. Chances are that the diary describing the details of a crime or the methods used by a criminal would be recorded on a floppy disk or hard disk drive rather than on paper in a file. Records that might indict a company of fraud and malpractice are more likely to be found on a hard disk than on a piece of paper. Criminal activity has also changed from a physical dimension, in which evidence and investigations are described in tangible terms, to a cyber dimension. Computer forensic science addresses the specific needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
Acquisition of data involves the successful transfer of data from the suspect storage media onto storage media that would then be subject to forensic examination. Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm. Hence we need to clone the suspect storage media: an exact replica of the evidence should be made. This is achieved by using information security protocols such as a hash algorithm. An examiner responsible for duplicating the evidence must first decide on an appropriate level of verification, weighing time constraints against very large files.
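The clone-and-verify step described above, as an added example that is not part of the original article: it copies a constructed sample image byte for byte, hashes original and clone in streaming chunks (so a very large image need not fit in memory) with MD5 and SHA-1, and shows that a single changed byte in the clone is detected. The file names, the sample contents and the chunk size are assumptions.

```python
import hashlib
import os
import tempfile

# Added example, not code from the original article: verifying that a forensic clone is a
# bit-exact copy of the suspect medium using MD5 and SHA-1 digests, as the text describes.
# The "suspect disk" here is a constructed file of sample bytes, not a real device.

CHUNK = 1024 * 1024  # read 1 MiB at a time so a very large image never sits in memory at once


def digest_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for the file, hashing it in one streaming pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def clone_image(src, dst):
    """Byte-for-byte copy of src to dst; the source is opened read-only and never written."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)


def verify_clone(src, dst):
    """True only if every digest of the clone equals the digest of the original."""
    return digest_file(src) == digest_file(dst)


def demo():
    """Clone a constructed image, verify it, then corrupt one byte and verify again."""
    with tempfile.TemporaryDirectory() as d:
        suspect = os.path.join(d, "suspect.img")  # assumed name for the constructed image
        clone = os.path.join(d, "clone.img")
        with open(suspect, "wb") as f:
            f.write(b"boot sector\x00" * 4096 + b"diary of the crime" + b"\xff" * 5000)
        clone_image(suspect, clone)
        intact = verify_clone(suspect, clone)
        # Flip a single byte inside "diary": both digests change, so the mismatch is caught.
        with open(clone, "r+b") as f:
            f.seek(4096 * 12 + 3)
            f.write(b"X")
        tampered = verify_clone(suspect, clone)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

On a real acquisition the source would be a block device opened read-only, and the digests would be recorded alongside the clone so the comparison can be repeated later.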
Hash functions compress a string of arbitrary length to a string of fixed length. They provide a unique relationship between the input and the hash value and hence replace the authenticity of a large amount of information (the message) by the authenticity of a much smaller hash value (the authenticator). The calculated hash, which is much smaller than the original string, is then appended to the end of a message before it is transferred. At the receiving end, the hash is recalculated and compared with the appended hash. If both match, the message was transmitted without errors; otherwise the message is retransmitted.

In the computer forensic context, hash algorithms make sure that the cloned data is exactly the same as that on the suspect hard disk or floppy disk. Another algorithm that can be used is the SHA. It computes a condensed representation of a message or a data file. When a message of any length < 2^64 bits is input, SHA-1 produces a 160-bit output called a message digest. The message digest can then be input to the Digital Signature Algorithm (DSA), which generates or verifies the signature for the message.

Figure 1: Architecture of the embedded hard disk cloning system

Figure 2: Generation of message digest using the MD5 hash algorithm

Once the data has been cloned and its integrity ensured, the next step is the actual examination. Computer evidence represented by physical items such as chips, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence. The logging, description, storage, and disposition of physical evidence are well understood. Forensic laboratories should have detailed plans describing acceptable methods for handling physical evidence. To the extent that computer evidence has a physical component, it does not represent any particular challenge. However, the evidence, while stored in these physical items, is dormant and exists only in a speculative electronic form. The result that is reported from the examination is the recovery of this dormant information. To complicate the matter further, computer evidence almost never exists all by itself. It is a product of the data stored, the application used to create and store it, and the computer system that directed these activities.

Computer forensics, unlike traditional forensics, cannot expect similar results from every submission. Each investigation searches for a clue related to that particular case. The wide array of operating systems and application programs makes investigation tough. Even the methods of storage differ.

It is important to conduct the examination and come to conclusions that are acceptable in a court of law. This is particularly true for investigations undertaken by law enforcement agencies.

Point of contact
Siddhartha Sanyal
Center for Advanced Media Technology, Singapore
Email: [email protected]

CG topics 5/2002