Computer Forensics
Dr. Tony K.Y. Chan, Siddhartha Sanyal

German Abstract (translated)

Law enforcement, too, must adapt to the age of information technology. Crimes are increasingly committed with the help of the new media, with the result that evidence exists in electronic form. Computer forensics comprises the preservation and recovery of data, the identification of electronic evidence, and the presentation of findings. The focus of this work is the preservation of data. For this, the data must be copied onto a suitable medium, which then forms the basis of further forensic examination. During copying, data integrity must be guaranteed so that the stored evidence is not destroyed. This applies both to data that is readily accessible in directories and files and to data stored in hidden areas of the medium.

With the advent of the information technology age, the needs of law enforcement have changed. Records of traditional crimes, both criminal and corporate, are now kept electronically. Leads that used to be on paper have become electronic. Chances are that the diary describing the details of a crime or the methods used by a criminal is recorded on a floppy disk or hard disk drive rather than on paper in a file. Records that might indict a company for fraud and malpractice are more likely to be found on a hard disk than on a piece of paper. Criminal activity has also moved from a physical dimension, in which evidence and investigations are described in tangible terms, to a cyber dimension. Computer forensic science addresses the specific needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
Acquisition of data involves the successful transfer of data from the suspect storage media onto storage media that is then subject to forensic examination. Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm. Hence the suspect storage media must be cloned: an exact replica of the evidence is made, and its fidelity is established with information security primitives such as a hash algorithm. An examiner responsible for duplicating the evidence must first decide on an appropriate level of verification, weighing time constraints against very large files.

Figure 1: Architecture of the embedded hard disk cloning system

Figure 2: Generation of message digest using the MD5 hash algorithm

CG topics 5/2002

It is important to conduct the examination and reach conclusions that are acceptable in a court of law. This is particularly true for investigations undertaken by law enforcement agencies.

Point of contact: Siddhartha Sanyal, Center for Advanced Media Technology, Singapore. Email: [email protected]

Hash functions compress a string of arbitrary length to a string of fixed length. They provide an effectively unique relationship between the input and the hash value (distinct inputs with the same hash exist in principle, but a sound algorithm makes them infeasible to find), and hence replace the authenticity of a large amount of information (the message) by the authenticity of a much smaller hash value (the authenticator). The calculated hash, which is much smaller than the original string, is appended to the end of the message before it is transferred. At the receiving end, the hash is recalculated and compared with the appended hash.
If both match, the message was transmitted without errors; otherwise the message is retransmitted. In the computer forensic context, hash algorithms make sure that the cloned data is exactly the same as that on the suspect hard disk or floppy disk. Another algorithm that can be used is the SHA (Secure Hash Algorithm). It computes a condensed representation of a message or a data file: for an input message of any length < 2^64 bits, SHA-1 produces a 160-bit output called a message digest. The message digest can then be input to the Digital Signature Algorithm (DSA), which generates or verifies the signature for the message.

Once the data has been cloned and its integrity ensured, the next step is the actual examination. Computer evidence represented by physical items such as chips, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence. The logging, description, storage, and disposition of physical evidence are well understood, and forensic laboratories should have detailed plans describing acceptable methods for handling it. To the extent that computer evidence has a physical component, it presents no particular challenge. However, the evidence, while stored in these physical items, is dormant and exists only in electronic form; what an examination reports is the recovery of this dormant information. To complicate matters further, computer evidence almost never exists by itself: it is a product of the data stored, the application used to create and store it, and the computer system that directed these activities. Unlike traditional forensics, computer forensics cannot expect similar results from every submission; each investigation searches for clues specific to that particular case. The wide array of operating systems and application programs makes investigation difficult. Even the methods of storage differ.
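The verification the paper describes above (hash the suspect medium, hash the clone, compare the digests; and the message-with-appended-digest transmission form), as an added Python example that is not part of the original paper or its cloning system. The "medium" is a constructed in-memory byte string standing in for a disk, and all function and variable names are illustrative. It computes MD5 and SHA-1 because those are the algorithms the paper names, and adds SHA-256 because collisions for both MD5 (2004) and SHA-1 (2017) have since been constructed deliberately, so current practice records a SHA-2 digest alongside. A matching digest only shows that the clone equals the source at the moment the digest was recorded; the digest itself must therefore be kept under chain of custody, separate from the image, or an adversary who can alter the clone can simply recompute it.

```python
"""Verify a forensic clone with hash digests (added example, not from the paper).

The suspect medium is modelled as an in-memory byte string, the clone as a
bit-for-bit copy, and verification as a comparison of digests computed over
fixed-size blocks, as a disk imaging tool reads sectors.  All names are
illustrative.
"""
import hashlib

CHUNK = 4096  # block size for reading the medium; any fixed size works

# Paper names MD5 and SHA-1; SHA-256 added as the current-practice digest.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def digest_medium(data: bytes, algorithms=DEFAULT_ALGORITHMS) -> dict:
    """Return {algorithm: hex digest} over the whole medium, fed block by block."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def clone_medium(source: bytes) -> bytes:
    """Bit-for-bit copy of the source (stands in for dd-style imaging)."""
    return bytes(source)


def verify_clone(source: bytes, clone: bytes) -> bool:
    """True only if every digest of the clone equals the source's digest."""
    src, dst = digest_medium(source), digest_medium(clone)
    return all(src[name] == dst[name] for name in src)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Copy of data with one bit flipped; used to show that a bad clone is caught."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def append_digest(message: bytes) -> bytes:
    """Transmission form from the paper: message followed by its 16-byte MD5."""
    return message + hashlib.md5(message).digest()


def check_appended(blob: bytes) -> bool:
    """Receiver side: split off the trailer, recompute the digest, compare."""
    message, trailer = blob[:-16], blob[-16:]
    return hashlib.md5(message).digest() == trailer


# Constructed sample medium: a readable file, a run of unused sectors, and a
# "deleted" line that still sits in the unallocated area.  Not real data.
SUSPECT_MEDIUM = (
    b"diary.txt: met X at the warehouse 02:00\n"
    + b"\x00" * 10000
    + b"deleted but still on disk: wire 40000 to acct 1234\n"
)

if __name__ == "__main__":
    good = clone_medium(SUSPECT_MEDIUM)
    for name, value in digest_medium(good).items():
        print(f"{name:7s} {value}")
    print("good clone verified:    ", verify_clone(SUSPECT_MEDIUM, good))
    bad = flip_bit(good, 10050, 0)  # one bit inside the unallocated line
    print("tampered clone verified:", verify_clone(SUSPECT_MEDIUM, bad))
    framed = append_digest(b"case 17: image complete")
    print("appended digest checks: ", check_appended(framed))
```

Run stand-alone it prints the three digests, True for the faithful clone, False once a single bit differs, and True for the framed message. The chunked loop matters for real media: an image of tens of gigabytes cannot be read into memory at once, and feeding `update()` block by block yields the same digest as hashing the whole medium in one call.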