
Computer Forensics, Research Paper Example

Pages: 7

Words: 1898

Research Paper

Abstract

The current analysis takes a look at the field of computer forensics. It is an extremely deep discipline, with plenty of variety in its methods, applications, and tools, and each of these themes will be touched upon here. Most notable will be a look at a few examples of applications used in the field. With only a brief space to examine the field, this analysis cannot reach the incredible depth and variety present in computer forensics. The overall direction of the analysis is to observe the depth of the techniques, as well as the powerful features of applications in the field, and in doing so to shed some light on its importance.

The field of computer forensics has grown significantly, and today it is widely accepted within the legal system. Utilizing a variety of techniques and methods, computer forensics can be an effective and versatile way to examine evidence for a variety of cases. The current analysis will take a look at the techniques that drive this field, including a few examples of the programs that implement them.

Types of Techniques

Computer forensics makes use of a wide variety of techniques. As the field is, according to Battula, Rani, Prasad, and Sudha (n.d.), “currently employed in fraud, theft, drug enforcement and almost every other enforcement activity,” it is no surprise that computer forensics utilizes a full set of tools. The breadth of these tools matches the breadth of their application, which is certainly quite widespread.

Generally speaking, forensic investigators use tools to look for hidden, encrypted, or damaged files. This is done by isolating the computer in question and making a digital copy of its hard drive, so that the original is not altered. Evidence taken from the computer can then be prepared not only for depositions and discovery, but for actual litigation.

One of the most common areas of computer forensics is the retrieval and analysis of deleted files. As Battula et al. (n.d.) describe, there are a number of ways to damage a hard drive and destroy files: physical destruction of the drive, overwriting it, and degaussing it; and, for individual files, erasing and overwriting them. To retrieve such files, investigators make use of tools and programs that counteract these methods.

Overall, several techniques take place during such investigations; live analysis, cross-drive analysis, the detection of steganography, and others are also involved. Certainly, a wide variety of techniques is seen in just one area of computer forensics, the aforementioned category of retrieving deleted files. This brief look will be supplemented with some real-life examples of tools used in investigations.

Forensic Program Examples

The overview above surveyed a wide variety of techniques and how they are utilized in an investigation. A more direct link can be made in this short analysis by looking at some examples of tools in the field. The following programs are used in forensic analyses and implement some of these methods.

The Sleuth Kit (TSK)

Digital investigator Brian Carrier created a collection of tools and utilities that can be used to extract data from disk images and perform investigations. It is a free, open-source suite that includes more command-line utilities than this analysis can cover. According to Carrier (2011), The Sleuth Kit (TSK) is available on Linux, Mac OS X, Windows, Cygwin, OpenBSD and FreeBSD, and Solaris.

The tools within TSK were, however, originally compiled on Linux. This means that familiarity with the Linux command line is generally needed to navigate this basic yet powerful program. Additionally, the user will need to know the basic file systems associated with computer forensics, including NTFS, FAT, and EXT3, according to Marcos (2005).

The set of tools within TSK works within multiple layers to approach the data needed. The initial “File System Layer” covers the partitions present, which can be analyzed with TSK tools such as the “fsstat” program, which displays details of the volume in ASCII format. It is followed by the “Content Layer,” the “Metadata Layer,” and finally the “Human Interface Layer.”

Overall, TSK works within these layers to extract data using the many tools at the user’s disposal. For instance, there is a command-line tool that can check for a Host Protected Area (HPA), which “is an area of disk that is often not seen by disk imaging applications” (Marcos 2005). One of TSK’s advantages is its ability to view deleted and hidden content, which, according to Carrier (2011), is because the tools do not rely on the OS to process the file systems.
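The layered approach described above, and the deleted-file retrieval discussed earlier, can be seen end to end on a tiny FAT12 volume. The following is an added example written for this page, not code from the paper or from The Sleuth Kit: it constructs an image in memory (all names and contents invented), then walks the file system, metadata and content layers the way fsstat, fls and icat would, including the caveat that a deleted FAT entry keeps its start cluster and size but loses its cluster chain.

```python
import struct

BPS = 512  # bytes per sector in the constructed volume

def build_image():
    """Constructed FAT12 volume: sector 0 BPB, 1 FAT, 2 root dir, 3+ data."""
    img = bytearray(BPS * 6)
    # BPB fields (bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors, media, sectors/FAT, ...): what fsstat reports for a volume
    struct.pack_into("<3s8sHBHBHHBHHHII", img, 0, b"\xeb\x3c\x90", b"MSWIN4.1",
                     BPS, 1, 1, 1, 16, 6, 0xF8, 1, 1, 1, 0, 0)
    root, data = BPS * 2, BPS * 3
    # live file NOTE.TXT (attr 0x20 = archive), first cluster 2, 5 bytes
    struct.pack_into("<11sB14xHI", img, root, b"NOTE    TXT", 0x20, 2, 5)
    img[data:data + 5] = b"hello"
    # deleted file: name byte 0 set to 0xE5 and FAT chain cleared, yet the
    # entry still records cluster 3 and size 11, and the data is untouched
    struct.pack_into("<11sB14xHI", img, root + 32, b"\xe5ECRET  TXT", 0x20, 3, 11)
    img[data + BPS:data + BPS + 11] = b"plan: 12345"
    return bytes(img)

def parse_bpb(img):
    """File System Layer: derive cluster size, root dir and data offsets."""
    bps, spc, reserved, nfats, root_n, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_off = (reserved + nfats * spf) * bps
    return bps * spc, root_off, root_off + root_n * 32, root_n

def list_entries(img):
    """Metadata Layer: walk root directory entries, flagging deleted ones."""
    _, root_off, _, root_n = parse_bpb(img)
    entries = []
    for i in range(root_n):
        ent = img[root_off + 32 * i:root_off + 32 * (i + 1)]
        if ent[0] == 0x00:
            break  # end-of-directory marker
        deleted = ent[0] == 0xE5  # first name byte lost; shown as '?'
        base = (b"?" + ent[1:8] if deleted else ent[:8]).decode("ascii").rstrip()
        ext = ent[8:11].decode("ascii").rstrip()
        cluster, size = struct.unpack_from("<HI", ent, 26)
        entries.append({"name": f"{base}.{ext}", "deleted": deleted,
                        "cluster": cluster, "size": size})
    return entries

def recover(img, entry):
    """Content Layer: read the bytes from the starting cluster. A deleted entry
    has no FAT chain left, so this assumes the clusters were contiguous."""
    cluster_size, _, data_off, _ = parse_bpb(img)
    start = data_off + (entry["cluster"] - 2) * cluster_size
    return bytes(img[start:start + entry["size"]])
```

On a real image a fragmented deleted file would come back partly wrong under the contiguity assumption, which is why investigators verify recovered content rather than trusting the directory entry alone.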

As TSK provides a number of powerful tools, it may be a bit over the head of some individuals. Users who are not comfortable with the unpolished set of tools that TSK offers are advised to use a front-end application that provides a friendlier interface. This leads directly into the Autopsy Browser, though there are other choices; the newer PTK Forensics is a commercial alternative, for instance.

Autopsy Browser

Autopsy Browser, or more formally the Autopsy Forensic Browser (Carrier 2011), is a graphical interface specifically designed for use with TSK. Although it makes the tools easier and more pleasant to use, it is not just for elementary users. The Autopsy Browser is a common way to approach the forensics tools and UNIX utilities in TSK.

The Autopsy Browser integrates the impressive number of tools and features of TSK seamlessly. One interesting feature is the choice of analysis modes: a live analysis (as opposed to a “dead analysis” performed from a dedicated analysis system) can be run in an untrusted environment. The live analysis mode avoids saving data to the local disk.

The interface supports a number of useful functions that work hand in hand with TSK. The program supports plenty of evidence search techniques: file listing, file content, hash databases, file type sorting, timeline of file activity, keyword search, metadata analysis, data unit analysis, and image details. There are also several case management features: case management, event sequencer, notes, image integrity, reports, logging, open design, and a client-server model (Carrier 2011).

Not all of these features are directly related to TSK itself. In other words, although it is a graphical interface, it lets the user take advantage of that interface for more efficient work; logs, MD5 values, and other elements are created, for instance. As Autopsy is HTML-based, other investigators can concurrently work on a server at any given time from their own systems. These and other features specific to the Autopsy Browser are thus significant.

Microsoft Log Parser

Microsoft Log Parser is another powerful, open-source application. Interestingly, it is not exclusively forensic software. The command-line utility was originally included with the IIS 6.0 Resource Kit Tools.

The program provides “universal query access” to data, including log files, CSV files, XML files, and others (Microsoft 2011). It can even access key data sources such as the Registry, the Event Log, and the file system. Versatility is a strong point of the application, as queries and outputs, as will be demonstrated, can be customized to specialty targets such as SYSLOG, SQL, or a chart.

To briefly approach the main part of the program, the input/output formats, there are impressive options in both regards. As of the current version of Log Parser (2.2), the program can extract information from the TSV, NCSA, W3C, and XML standards. There are also input formats for the Windows Event Log, logs generated by IIS, Active Directory objects, registry keys, files and directories, and NetMon capture files. The user can also write custom input format plug-ins if none of the available input formats are suitable.

Log Parser unsurprisingly has plenty of output formats. The user can save to text files in the CSV, TSV, W3C, and XML formats. Custom templates that save to text files, records written to a SQL database, Syslog output, and Excel-style charts are among the many possibilities as well.

In addition to the input/output formats, the other main portion of the program is the core engine. It uses a dialect of the SQL language, which ties together the input and output sides of the program’s queries. The language supports plenty of query operations that serve the user well, such as sorting, aggregating data, and sending results to an output format to display distilled information. The program can be used from the command line, as a standalone executable, and from other applications.
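The W3C input format and the SQL-style aggregation described above, as an added example written for this page rather than code from the paper or from Microsoft: a constructed IIS log (invented addresses and requests) is parsed the way Log Parser's W3C input reads the #Fields directive, and then summarized as a GROUP BY query would, here to count failed logins per client and URL.

```python
from collections import Counter

# Constructed IIS W3C extended log, the format Log Parser's -i:IISW3C input reads
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-03-01 00:00:01 10.0.0.5 GET /login.aspx 200
2011-03-01 00:00:02 10.0.0.5 POST /login.aspx 401
2011-03-01 00:00:03 10.0.0.5 POST /login.aspx 401
2011-03-01 00:00:04 10.0.0.9 GET /index.htm 200
2011-03-01 00:00:05 10.0.0.5 POST /login.aspx 401
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive
    exactly as Log Parser does; other '#' lines are directives, not data."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may emit a new #Fields mid-file
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data record seen before any #Fields directive")
        else:
            yield dict(zip(fields, line.split()))

def hits_by_client_and_uri(text, status="401"):
    """Equivalent of the Log Parser query
       SELECT c-ip, cs-uri-stem, COUNT(*) AS Hits FROM ex*.log
       WHERE sc-status = 401 GROUP BY c-ip, cs-uri-stem ORDER BY Hits DESC
    run here in Python so the result can be checked offline."""
    counts = Counter((r["c-ip"], r["cs-uri-stem"])
                     for r in parse_w3c(text) if r["sc-status"] == status)
    return counts.most_common()
```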

Overview of Tools

The three open-source tools briefly covered all have a place in the world of digital forensic tools. While no single tool can take care of the many functions an investigator needs, these tools are rather powerful. They certainly have an impressive array of abilities, and offer more potential going forward (as many open-source applications continue to evolve, of course).

The tandem of TSK and the Autopsy Browser offers a great deal of potential. The sheer variety of functions available is indeed impressive. The other program, Microsoft Log Parser, also has a great deal of functionality, especially when its custom queries come into play (in addition to the wealth of data types supported).

These programs represent powerful applications that can extract, order, and find data for investigators, in addition to other functions. Microsoft Log Parser in particular offers even further functions. As open-source programs, these applications represent important developments in the field, with a vast array of functions and abilities that were only briefly covered.

Conclusion

By taking a look at common computer forensic methods, a glimpse into this wide and varied field can be gained. Not only are there plenty of methods for investigators to undertake in an investigation, but there is significant variety in terms of application. The breadth is extensive, across the board.

Today computer forensics is used to battle on many fronts. As computer crime has increased, along with computer-related crime, such methods are used. It is also utilized in basic information gathering. These techniques and methods can be used in murder, fraud, child pornography, and other investigations.

Looking at sample programs in this field gives a glimpse into the dynamic field of computer forensics. Using common investigational methods, these programs can become powerful tools for investigators. Available on a variety of operating systems, and able to analyze a variety of files with flexible output functions, these programs are incredibly versatile. Other programs certainly follow suit, and perhaps improve upon the features and functions of the examples observed here.

Overall, what results is a field that is incredibly deep and varied. With only a brief look at certain items in the field, most notably the overarching techniques used and a few programs, a short glimpse into the field can be gained. Computer forensics is, appropriately, a discipline that extends to many areas of law.

References

Battula, B. P., Rani, B. K., Prasad, R. S., & Sudha, T. (n.d.). Techniques in computer forensics: A recovery perspective. International Journal of Security, 3(2), 27-35.

Carrier, B. (2011). Autopsy overview. The Sleuth Kit. Retrieved from http://www.sleuthkit.org/autopsy/index.php

Carrier, B. (2011). Sleuth Kit overview. The Sleuth Kit. Retrieved from http://www.sleuthkit.org/sleuthkit/

Marco, C. (2005). Introduction to The Sleuth Kit (TSK). Retrieved from http://www.markosworld.com/forensics/cmarko-tskintro.pdf

Microsoft. (2011). Log Parser 2.2. Microsoft Download Center. Retrieved from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
