Computer Crime Investigator's Toolkit

by Ronald L. Mendell [Published on 16 Oct. 2002 / Last Updated on 23 Jan. 2013]

A practical explanation covering Unix, DOS, Windows, browsers, e-mail and networks.

What I've tried to do is devise a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. I hope to get you into the spirit of the hunt. Learning to think how a criminal looks at twisting, altering, hiding, and diverting information will definitely make the game more interesting. This is a pathfinder, a starting point to discovering other resources.

Part One will cover:

  1. DOS Tricks
  2. Unix Tricks

Part Two continues with:

  1. Windows Tricks
  2. Browsers
  3. Passwords

Part Three will discuss:

  1. Perl Scripting
  2. Networking Fundamentals
  3. Tracing Email

Part Four concludes with:

  1. Understanding Slack Files
  2. Understanding Cryptography Basics


Not So Dead DOS

For those who grew up in the IT field with MS-DOS, they found Unix and scripting not all that cryptic. Knowing command line instructions gives one a backstage pass to what's happening behind the GUI. Understanding how to examine a computer using MS-DOS with Windows 95 and 98 gives an investigator a firm foundation for other tricks of the trade. When users get cute with trying to hide information, MS-DOS can uncover the hidden structure. So, forget any notion that MS-DOS is dead; it will be a valuable forensic tool for some time to come.

Before we go into the specifics of DOS tricks, keep in mind that any time you examine a computer you run the risk of changing the evidence. These articles will not give you enough knowledge to make you a certified computer forensics expert. Accordingly, in a sensitive, crucial case a bitstream backup copy of the hard drive, and possibly a dump of RAM, needs to be made by a qualified specialist prior to examination. Copies of floppies need to be made with DOS Diskcopy (version 6.22) with the /v (verify) switch turned on. The rule needs to be "preserve and then examine." Chain of custody also becomes a problem if the copy is not properly hashed and then digitally signed, because you cannot later prove the copy matches the original.

Users may try to hide files by using extended ASCII characters in the file name. A "Find" search for "Joes_2000_files" may not pull up "Joe?_2000_files," where "?" stands for an extended character chosen to look like an ordinary letter. Holding the Alt key while entering the character number on the numeric keypad generates these characters. For example, Alt + 241 is "±" and Alt + 156 is "£." Having an ASCII chart is vital to figuring out which key sequence will produce nonstandard characters not found on the keyboard. Most MS-DOS manuals and Dan Gookin's DOS Secrets will have the chart. On the Web you can find a chart at http://www.jimprice.com/ascii-128-255.gif for the extended set. For a general discussion of ASCII try http://www.jimprice.com/jim-asc.htm. To locate these files, make sure your "Find" utility has good parsing capability (finding "Joe" no matter the adjacent characters), or search with a "regular expression" engine, described in http://www.sans.org/infosecFAQ/cracking.htm (see "Passwords").
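As an added example of the look-alike problem (mine, not the article's), the script below flags file names containing characters outside printable ASCII and builds a "loose" regular expression in which each character of the query may also be any non-ASCII character, so "Joes_2000_files" still finds the name with a substituted letter. The directory listing is constructed in the script rather than read from a disk.

```python
import re
import unicodedata

# Constructed sample directory listing, not from the article. Two names hide
# a non-ASCII character where an ordinary "s" or "_" should be; the last name
# carries the "±" that Alt+241 produces on a DOS code page.
SAMPLE_NAMES = [
    "Joes_2000_files.doc",
    "Joe\u00a7_2000_files.doc",   # U+00A7 SECTION SIGN standing in for "s"
    "Joes\u00a02000_files.doc",   # U+00A0 NO-BREAK SPACE instead of "_"
    "budget.xls",
    "notes\u00b1.txt",
]

def suspicious_chars(name):
    """Characters in a file name outside printable 7-bit ASCII (0x20-0x7E)."""
    return [c for c in name if not 0x20 <= ord(c) <= 0x7E]

def flag_odd_names(names):
    """Map each name containing non-ASCII characters to a description of them,
    so the examiner can see exactly which code points were used."""
    report = {}
    for name in names:
        odd = suspicious_chars(name)
        if odd:
            report[name] = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}" for c in odd]
    return report

def loose_pattern(query):
    """Compile a regex that matches the query even if any single character was
    replaced by a non-ASCII look-alike: each query character matches either
    itself or one arbitrary non-ASCII character."""
    parts = [rf"(?:{re.escape(c)}|[^\x20-\x7e])" for c in query]
    return re.compile("".join(parts), re.IGNORECASE)

def find_loose(query, names):
    """Names that match the query exactly or with look-alike substitutions."""
    pattern = loose_pattern(query)
    return [n for n in names if pattern.search(n)]

if __name__ == "__main__":
    for name, chars in flag_odd_names(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(chars)}")
    print(find_loose("Joes_2000_files", SAMPLE_NAMES))
```

Run against a real tree by replacing SAMPLE_NAMES with the result of os.walk; the code-point report is what you want in the examination notes, since "the file name looked normal" is not a finding.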

Another way to hide files is by using the DOS command "Attrib." Attrib +h hides a file from directory listings produced by the "Dir" command. However, the command dir /a:h will list all the hidden files in a directory. Remember, the Dir command can be an effective tool to view what's in a hard drive's file structure even if running Windows. Just go to the DOS prompt.

DEBUG has a lot of dust on it, something almost forgotten. Yet it is a tool still found in MS-DOS in Windows 95 and 98. It lets you view in hexadecimal and ASCII format what's in a file, on a floppy, or on a hard drive. A poor man's hex editor, it can fill in when a more sophisticated viewer is not at hand. It is useful for dumps of data and for writing assembly language programs. (Hex editors are nifty tools to have too. For more information on keeping one in your toolkit, see the Resources section below.)

Also, don't forget the Undelete and Unformat tools available in MS-DOS. They can move the picture of a hard drive one step back, if needed, in examining a computer, but they do require caution in execution. Their use may result in unforeseen data loss. They cannot be used with Windows 98, or NT. Windows 95 can do Undelete with a bit of sleight of hand, as we shall see later in the Windows section. But if you're checking an old machine, a dinosaur, running Windows 3.1 or MS-DOS 5.0-6.22, the commands may come in handy. For syntax specifics see http://www.computerhope.com/undelete.htm and http://www.computerhope.com/unformat.htm. And, don't forget there are a lot of dinosaurs out there, so keep those old MS-DOS reference books.


Wild, Wild Unix

Unix serves as a wonderful training ground for computer security specialists. It teaches about access permissions for objects; learning about those rwx's in directory listings gives one an appreciation for granular security. It builds on MS-DOS knowledge: hidden files are "dot files" in Unix (names beginning with a period), which ls omits by default. They become visible with the "ls -al" command (very similar to dir /a:h). Unix expands on MS-DOS' piping and redirection capabilities. Using find and sort, an investigator can, for example, search a directory for inactive files (by date) and redirect the results into a report file.

Using Unix's scripting capabilities (similar to DOS batch files), an investigator may combine commands into specialized programs to conduct security audits and to do file checking as part of an inquiry. The grep command prints the lines of a file that contain a particular character string (or match a regular expression). This capability provides for granular searching.

For example, /usr/bin/grep 'ron' trade > ronlist searches for all lines containing "ron" in the file "trade" and writes them to "ronlist."

Unix can also list the processes running on the machine with the command ps -ef. Processes may be terminated with the kill command. The top, head, and tail commands allow examination of portions of logs or process lists. Here are some examples of each:

ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Sep 07 ? 0:04 sched
root 1 0 0 Sep 07 ? 242:49 /etc/init -
root 2 0 0 Sep 07 ? 0:39 pageout

ps -ef | head
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Sep 07 ? 0:04 sched
root 1 0 0 Sep 07 ? 242:49 /etc/init -
root 2 0 0 Sep 07 ? 0:39 pageout

ps -ef | tail
johnjones 29805 29696 0 Nov 23 pts/26 0:00 -bash
happy 10732 10731 0 0:01 <defunct>
root 3450 12314 0 Nov 22 ? 0:04 /usr/local/sbin/sshd

top

last pid: 11027; load averages: 4.31, 4.70, 4.99 01:20:40
272 processes: 198 sleeping, 65 zombie, 6 stopped, 3 on cpu
CPU states: 0.5% idle, 15.9% user, 15.3% kernel, 68.3% iowait, 0.0% swap
Memory: 8192M real, 914M free, 876M swap in use, 1172M swap free

PID USERNAME THR PRI NICE SIZE RES STATE TIME CPU COMMAND
7596 peter 132 0 0 60M 60M cpu4 378:00 5.45% smd
22049 john 139 10 0 48M 48M cpu8 214:29 3.91% smd
3130 carl 136 58 0 45M 44M sleep 169:59 2.69% smd

Unix also serves to introduce regular expressions, a powerful means to search for strings. And, later we'll see that regular expressions can serve as the basis for cracking passwords. Used in conjunction with Unix commands and scripts, AWK is a programming language especially suited to pattern matching: it reads input a line at a time, splits each line into fields ($1, $2, and so on; $0 is the whole line), and runs an action on the lines that match a pattern.

In the statement awk '$1 < $2 {print $0, $1/$2}' file1 > file2, awk reads "file1," a file with two columns of numbers, and for every line where the first column is less than the second (that is the pattern "$1 < $2"; the "<" here is a comparison, not input redirection) prints the original line followed by a third column, the ratio of column 1 to column 2. Lines that fail the test are dropped. The ">" redirects that output into a new file called "file2." AWK has the ability to search for specific transactions in logs and generate reports for the investigator.
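The same pattern-and-action idea applied to a security log, as an added example (mine, not the article's, and in Python rather than awk so the report logic fits in named functions): it pulls the result, user and source address out of sshd lines and reports addresses that failed repeatedly and addresses that failed and then succeeded. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in syslog format (not real traffic).
AUTH_LOG = """\
Nov 23 01:12:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4401 ssh2
Nov 23 01:12:05 host sshd[1002]: Failed password for root from 203.0.113.5 port 4402 ssh2
Nov 23 01:12:09 host sshd[1003]: Accepted password for johnjones from 198.51.100.20 port 5110 ssh2
Nov 23 01:12:12 host sshd[1004]: Failed password for root from 203.0.113.5 port 4403 ssh2
Nov 23 01:13:44 host sshd[1005]: Failed password for carl from 192.0.2.77 port 6001 ssh2
Nov 23 01:13:50 host sshd[1006]: Accepted publickey for carl from 192.0.2.77 port 6002 ssh2
"""

# Like an awk pattern: the fields of interest are pulled out of each matching line.
EVENT_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_auth(lines):
    """Return (ip, user, success) tuples in log order; other lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def failures_by_ip(events):
    """Count failed logins per source address."""
    return Counter(ip for ip, _user, ok in events if not ok)

def brute_force_report(events, threshold=3):
    """Two findings an investigator wants from an auth log: addresses that
    failed at least `threshold` times, and addresses that failed and then
    succeeded, which is what a successful guessing attack looks like."""
    fails = failures_by_ip(events)
    noisy = sorted(ip for ip, n in fails.items() if n >= threshold)
    failed_before = set()
    fail_then_success = set()
    for ip, _user, ok in events:
        if ok and ip in failed_before:
            fail_then_success.add(ip)
        if not ok:
            failed_before.add(ip)
    return {"noisy": noisy, "fail_then_success": sorted(fail_then_success)}

if __name__ == "__main__":
    ev = parse_auth(AUTH_LOG.splitlines())
    print(failures_by_ip(ev))
    print(brute_force_report(ev))
```

The "failed, then accepted" case is the one to chase first: a single failure followed by a key-based login (carl above) may be an honest typo, but it is also exactly what a compromised account looks like, and only the surrounding context will tell you which.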


Resources


Print Sources

Dougherty, Dale and Arnold Robbins, Sed & Awk, O'Reilly, 1997.

Gookin, Dan, DOS Secrets, Computer Publishing Enterprises, 1990.

Lasser, Jon, Think Unix, Que, 2000.

Microsoft, MS-DOS Version 5.0, Microsoft, 1991.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Zaenglein, Norbert, Disk Detective, Paladin Press, 1998.


URLs


ASCII

http://www.jimprice.com/jim-asc.htm

http://www.jimprice.com/ascii-128-255.gif


Hex Editors

"Free 'Hex' Editors"
http://www.geocities.com/Athens/6939/HexEds.htm

"Winhex"
http://www.winhex.com/winhex/

"Hextool"
http://www.durward.com/hextool/

Ronald L. Mendell's article on Hex Editors
http://securityportal.com/articles/hexeditors20001208.html

"About DEBUG"
http://www.computerhope.com/rdebug.htm


MS-DOS

"A Listing and an Explanation of Commands"
http://www.computerhope.com/msdos.htm


Unix

"The Unix Reference Desk"
http://www.geek-girl.com/unix.html

"Solaris Man Pages"
http://docs.sun.com/

"About AWK"
http://sparky.rice.edu/~hartigan/awk.html

"An AWK Reference"
http://www.gnu.org/manual/gawk/html_mono/gawk.html

© Copyright 1999, 2000 SecurityPortal, Inc. All rights reserved.


Computer Crime Investigator's Toolkit: Part II
Tuesday, January 16, 2001
Ronald L. Mendell (ronmen9938@britannica.com) for SecurityPortal
Windows Tricks

In examining a computer using Windows, important information may be under your very nose. Don't forget to check the Recycle Bin for deleted files long forgotten by the user. If you have a specific file name that you are looking for, don't overlook using the Windows Find utility to search the hard drive. Also, checking for temp files created by the word processing program may uncover evidence the user thought was safe from prying eyes just because he never intentionally saved it from RAM to disk. Users forget that many programs like MS Word automatically save work-in-progress (WIP) as temp files.

In Windows 3.1, remember that you can use Undelete and Unformat to recover information. And yes, as indicated before, these dinosaurs are out there. Expect old versions of word processors too, so maintaining a library of "obsolete" manuals and software has great investigative value.

Using Undelete in Windows 95 requires copying Undelete.exe from an MS-DOS installation into the Windows Command subfolder. Then you have to restart the computer in MS-DOS mode, lock the drive (Windows 95 requires the LOCK command before a program may write directly to the disk), run Undelete on the folder that contained the deleted file, and unlock the drive again. Doing this sort of manipulation is not child's play, and every step writes to the disk you are examining, so in critical cases make sure full bitstream backups take place first and use the services of a computer forensics specialist.

Unerase and Unformat are available through Norton Utilities. You can use them from the Norton Utilities Emergency/Data Recovery Disk. Both options are available from the disk's command menu. Unformat, however, will not work with DOS 5.0 or earlier. When unformatting, pay attention to the list of files and directories Norton identifies that may be lost when executing the process.

Browser Fun

Finding cache and "cookie" files tells where a user has been on the Internet. Whether anyone likes it or not, these small files create a "paper trail." They become a silent electronic witness.

In Win 3.1 you use the File Manager to find the Netscape folder and then the subfolder marked Cache. The Cache folder holds copies of what the user has fetched from the Web, including graphics, URLs, and even email information. Netscape Navigator stores cookies in "cookies.txt," which Notepad reads easily.

In Win 95 Disk Detective recommends running the old File Manager (winfile) and locating the respective folder for each browser used on the computer. (Just enter "winfile" in the Run box on the Start menu.)

In Win 98 use Windows Explorer to get to \windows\cookies and \windows\temporary Internet files.

Internet Explorer's History function is incredibly easy to use and most users aren't even aware that it is tracking their every move in cyberspace. You can access it in the IE browser whether it is in the online or offline mode. Just go to the Toolbar in the browser and click on History, and you get to see the computer's recent URL activity.

NSClean and IEClean are commercial utilities for Netscape and Internet Explorer that enable one to see and to wipe clean virtually all historical record in the respective browsers. These are powerful tools to peek at every thing the browser has done. The URLs for these tools are:

http://www.nsclean.com/

http://www.nsclean.com/ieclean.html

Passwords

The screensaver password is often the easiest to defeat. Usually to bypass it in Windows 95 and 98, one simply has to reset the computer and then immediately right-click on the Desktop. Then go to Properties and then Screensaver, and change the password before the screensaver has a chance to cut in again.

The Network Password may be bypassed by clicking Cancel in the password box. Windows will let you into the local machine. However, the personal settings of the user may not be visible on the Desktop because Windows doesn't know who is coming in.

Industrial-strength passwords prevent a lot of security problems for users. Fortunately for computer investigators, most users do not use them. The striking quality of a strong password is that it is random, the product of a random password generator rather than a person's memory, and that makes it very difficult to crack. (If you are interested in obtaining a generator, simply enter "Random Password Generator" as a search on Google, and you'll get pages full of download sites. Protect Your Privacy on the Internet has a whole chapter on the subject. You will come to realize that passwords the user considers strong are illusions: people do not choose random passwords.)

Password cracking is usually child's play for investigators armed with cracking tools available off the Internet. But before you start using a cracker, learn some theory first. An excellent place to do this is to read "Password Cracking Using Focused Dictionaries" found at http://www.sans.org/infosecFAQ/cracking.htm. In this article you will learn how most users make mistakes in selecting passwords, how the use of regular expressions and a search matrix makes cracking apparently "strong" passwords simple, and how dictionary attacks work.
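To show what a focused dictionary actually is, here is an added example (mine, not the article's, and not the SANS article's code): it expands a handful of words the investigator already associates with the user into the predictable variations people use (capitalization, leet-speak, appended digits, years and punctuation) and hashes each candidate. SHA-256 stands in for whatever hash the real target uses, an assumption for the example; the target hash in the usage is constructed from a known password.

```python
import hashlib

# Simple leet-speak substitutions users believe make a word "strong".
LEET = str.maketrans("aeios", "43105")

def mangle(word):
    """Yield the predictable variations people apply to a base word."""
    seen = set()
    for form in (word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)):
        if form not in seen:
            seen.add(form)
            yield form

def candidates(words, years=range(1950, 2002)):
    """Focused dictionary: each word, its manglings, and common suffixes
    (a digit or two, a year, an exclamation mark)."""
    for word in words:
        for base in mangle(word):
            yield base
            yield base + "!"
            for n in range(100):
                yield f"{base}{n}"
            for year in years:
                yield f"{base}{year}"

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def crack(target_hex, words):
    """Return the first candidate whose SHA-256 equals target_hex, else None."""
    for cand in candidates(words):
        if sha256_hex(cand) == target_hex:
            return cand
    return None

if __name__ == "__main__":
    # The investigator knows the user is an X-Files fan: a two-word dictionary.
    target = sha256_hex("Scully1999")   # constructed target, not a real hash
    print(crack(target, ["mulder", "scully"]))
```

Two words produce roughly 1,500 candidates here, which is why the word list matters far more than raw speed: "Scully1999" looks strong to its owner and falls instantly to anyone who knows what is on the user's desk. Real password hashes are salted and deliberately slow, which raises the cost per guess but does not change the arithmetic for a list this small.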

Password Recovery is often a matter of some simple research. Cryptologia, a journal dedicated to cryptography (indexed at http://www.math.utah.edu:8080/ftp/pub/tex/bib/toc/cryptologia.html#) has articles from time to time on the weaknesses of certain password protections on various software packages. Assume always that the password protection for off-the-shelf software will be weak, so crackers learn of the flaws quite readily. These flaws become public knowledge on the Internet. As a part of the research for this article, I ran "Password Recovery," "MS Word Passwords, " "WordPerfect Passwords," and "Windows Passwords" on Google. Each search produced pages of resources about recovery utilities or advice on how to do the recoveries.




Resources

Print Sources

Pfaffenberger, Bryan, Protect Your Privacy on the Internet, John Wiley, 1997.

Rathbone, Andy, Windows 95 for Dummies 2nd Edition, IDG Books, 1997.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Zaenglein, Norbert, Disk Detective, Paladin Press, 1998.

URLs

Windows

"Microsoft Windows Page"
http://www.microsoft.com/windows/default.asp

Browsers

"CNET Topic: Browsers" (A good overview of browsers including those that are not IE or Netscape.)
http://www.cnet.com/internet/0-3773.html

http://www.nsclean.com/ieclean.html

http://www.nsclean.com/

Passwords

"Password Cracking Using Focused Dictionaries" (An interesting article on the philosophy of cracking passwords.)
http://www.sans.org/infosecFAQ/cracking.htm

"Password Crackers: Downloads"
http://www.hackersclub.com/km/files/password_cracker

"index to Cryptologia"
http://www.math.utah.edu:8080/ftp/pub/tex/bib/toc/cryptologia.html


Computer Crime Investigator's Toolkit: Part III
Tuesday, January 16, 2001
Ronald L. Mendell (ronmen9938@britannica.com) for SecurityPortal
Perl Scripting

Perl is a programming language adept at processing lists and strings. If you want to search log files and output the information, Perl is a very useful tool. Some computer writers have characterized the language as the duct tape of computing. The New Hacker's Dictionary describes it as the "Swiss-Army Chainsaw." Its compactness, flexibility, and relative ease of use make it attractive to hackers of all persuasions.

While one doesn't have to be a master programmer to be a computer crime sleuth, being able to read code helps generate insight. If you find a Perl script useful for checking the aging of passwords, for example, understanding how the program works goes a long way toward implementing the tool properly. And, you learn during the process how to develop your own tools. Some investigators may prefer C or C++ as a starting point. That preference has some merit since quite a few computer security tools are available written in those languages. But the most important skill is to learn a code and then build on that knowledge. More common ground exists between languages than you might realize.

The commonalities include:

  1. Comments. These lines of code document what is happening in the program. The interpreter does not act on them, but they may be the most important lines of code: they serve as a record of why and how the program works. Perl marks a comment by beginning it with the pound sign, "#." (# This is an example of a comment line in Perl.) Learning to read comments tells a computer sleuth what's going on in a program.

  2. Conditionals. Acting as decision points in the program, they usually take the form of the IF, THEN, ELSE statement. In Perl the statement takes the form of:

if ($a == 21) { print "Happy Birthday Scully!\n" }
else { print "Mulder's been abducted!\n" }

Notice the THEN is implied by the braces (known as the "block"). The "==" means "numerically equal to." The "\n" tells Perl to start a new line after the string.

  3. Variables. "$a" is a variable, a place to store a value in memory. Perl identifies scalar variables by beginning them with "$"; $Rons_Paycheck_Amount is a variable in Perl. Perl assigns a value with a simple statement, $Rons_Paycheck_Amount = 1000.00;. Note the difference between the single "=" used for assignment and the double "==" used to test equality. Writing "=" where "==" was intended is a classic bug: the assignment succeeds, and the condition silently becomes whatever value was assigned.

  4. Loops. When the need arises for the computer to do something repetitive, loops do the trick. A loop consists of a counter, which tells the loop where to start counting from; a condition, which tells the loop when to terminate; and an increment (or decrement), which tells the loop at what rate to count up or down. A possible Perl loop would be:

$Counter = 19;
# This statement assigns the counter a starting value of 19. Note that most
# Perl statements end with the semicolon ";" unless terminated by a block.

while ($Counter > 0) {
    print "Still processing";
    $Counter -= 1;
}
# The "while" statement gives the terminating condition: the loop stops when
# $Counter reaches zero. The phrase "-= 1" is the decrement, reducing the
# $Counter variable by one each cycle of the loop.

print "\nCounter reduced to zero.\n";
# When the loop terminates, the last "print" statement executes.

Other commonalities include functions, which are subroutines, arrays and other data structures, and variations on conditionals and loops. But this very basic introduction gives you some starting points to commence reading Perl code. If you want to see some Perl security scripts for Unix/Linux, go to http://www.softpanorama.org/Security/perl_sec_scripts.shtml.
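The section mentions reading a script that checks password aging. As an added example (mine, not the article's, written in Python rather than Perl so the same four constructs, comments, conditionals, variables and loops, appear in a language most readers already have), the following classifies /etc/shadow-style entries by password age. The entries and the "today" value are constructed for the example.

```python
# Constructed /etc/shadow-style entries (not real accounts). The fields are
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, where lastchg is
# the day of the last password change counted in days since 1970-01-01.
SHADOW = """\
root:$6$salt$hash1:10900:0:90:7:::
johnjones:$6$salt$hash2:10990:0:90:7:::
happy::10500:0:90:7:::
carl:!:10000:0:90:7:::
guest:$6$salt$hash3:0:0:99999:7:::
"""

def parse_shadow(lines):
    """Turn shadow lines into dicts; blank and comment lines are skipped."""
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) < 5:
            continue                        # malformed line, ignore it
        entries.append({
            "user": fields[0],
            "hash": fields[1],
            "lastchg": int(fields[2]) if fields[2] else None,
            "max": int(fields[4]) if fields[4] else None,
        })
    return entries

def aging_report(entries, today):
    """Classify each account. `today` is days since the epoch, the same unit
    the shadow file uses (time.time() // 86400 on a live system)."""
    findings = {}
    for e in entries:
        age = today - e["lastchg"] if e["lastchg"] is not None else None
        if e["hash"] == "":
            findings[e["user"]] = "no password set"        # anyone can log in
        elif e["hash"].startswith(("!", "*")):
            findings[e["user"]] = "locked"
        elif e["lastchg"] == 0:
            findings[e["user"]] = "change forced at next login"
        elif e["max"] is not None and age is not None and age > e["max"]:
            findings[e["user"]] = f"expired ({age} days old, max {e['max']})"
        else:
            findings[e["user"]] = "ok"
    return findings

if __name__ == "__main__":
    for user, status in aging_report(parse_shadow(SHADOW.splitlines()), today=11000).items():
        print(f"{user:<10} {status}")
```

The empty-hash case is the one worth a second look on a seized machine: an account with no password at all is both a way in for an intruder and a way for a suspect to claim "anyone could have used it."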


Networking Basics

Perhaps, with the exception of cryptography, no other area of computer security is as arcane as networking. Myriad acronyms dominate networking discussions. Problems often emerge at several levels of abstraction. Security holes are often subtle, missing the attention of even experienced analysts. Yet, every computer crime professional must have some grasp of networking, even though networking may not be the main focus of their work. Any computer crime may spill over into a network.

A good test of one's network security knowledge is to read Stephen Northcutt's article, "Intelligence Gathering Techniques" at http://www.microsoft.com/technet/security/intel.asp. He covers topics such as host mapping, ICMP echo requests, UDP echo requests, Broadcast ICMP, detection of scans, netmask-based broadcasts, port scans, scanning for a particular port, complex scripts, random port scans, FTP bounce, NetBios traces, stealth attacks, SYN/ACK, and inverse mapping.

If the article is a real head spin for you, it is time to do some networking study, which is nothing to be ashamed of. Many a network engineer and architect has reams of books to refer to on their desks; they are in them all the time just to do their daily jobs. Realizing what you don't know is a healthy approach in this business. (If you want to see some Network security tools such as TAMU, COPS, and SATAN, ftp to wuarchive.wustl.edu and look at /packages/security.)

Possible attacks include:

  • Web Spoofing. An attacker's server interposes itself between the user's browser and the real site, acting as the browser's de facto proxy. A user thinks he or she is reaching, say, http://www.microsoft.com/, when actually the user is receiving content relayed, and possibly altered, by the hacker. An insidious attack when you consider the user may be supplying confidential data to the spoofed site.

  • Denial of Service. A common attack facing most public or commercial Websites. The trick lies in the attacker overloading the site's routers or servers with bogus packets, usually SYNs.

  • Sniffers. An attacker builds intelligence against your site by monitoring your traffic and picking off passwords and user data.

  • DNS Spoofing. The hacker compromises the DNS server and changes the IP address database, redirecting user URL calls to sites of the hacker's choice.

  • Mobile Code Attacks. Using Java applets or ActiveX controls, the attacker plants Trojan horses into your local machine. This malicious code can be embedded into HTML pages, making it especially vicious. And, external Web pages aren't the only concern. Any computer crime investigator looking at HTML pages on a local machine should examine any links using the source code viewer first. Links can contain booby traps that can plant viruses or Trojan horses on the investigator's disks or that can delete files on the machine's hard drive. Always assume any local machine contains booby traps.

  • IP Spoofing. An attacker fakes the IP address of a machine the server recognizes or trusts in order to gain entry. An interesting book describing IP attacks and the general process of investigating network and Internet attacks is Takedown by Tsutomu Shimomura with John Markoff, Hyperion, 1996.


Tracing Email

When you want to know from which machine an email originated, WHOIS lookup services on the Web tell you who is responsible for an IP address. The registry for the Americas is ARIN, at http://www.arin.net/whois/. Most people who send and receive email never see the detailed header information for a piece of electronic mail. Yet, many email clients like MS Outlook let you see the full header under the view options. The key phrase to pay attention to is "Received: from."

A sample email header (with alterations for security reasons) is below:

Received: from hotmail.com (f54.pav1.hotmail.com [64.4.31.54]) by exchange.anyplace.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)

id XBMVVB8A; Fri, 1 Dec 2000 05:04:58 -0600

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;

Fri, 1 Dec 2000 03:06:19 -0800

Received: from x.x.x.x by pv1fd.pav1.hotmail.msn.com with HTTP; Fri, 01 Dec 2000 11:06:19 GMT

X-Originating-IP: [x.x.x.x]

From: "Anyone" <XXXXXX@hotmail.com>

To: ronmen9938@britannica.com

Subject: Test

Date: Fri, 01 Dec 2000 05:06:19 -0600

Mime-Version: 1.0

Content-Type: text/plain; format=flowed

Message-ID: <F546hm8Ua8d9Ee4zadT0000a828@hotmail.com>

X-OriginalArrivalTime: 01 Dec 2000 11:06:19.0949 (UTC) FILETIME=[BBB795D0:01C05B86]

Each mail server prepends its own "Received" line, so the header reads in reverse order: the top line is the last hop and the bottom "Received" line is the first. The first "Received: from" line, then, shows that the fictionalized MS Exchange server at "anyplace.com" (the recipient's side) accepted the message over Simple Mail Transfer Protocol (SMTP) from the last server to transmit it, f54.pav1.hotmail.com, with IP address 64.4.31.54.

What a search on ARIN produced for IP address 64.4.31.54:

MS Hotmail (NETBLK-HOTMAIL)
1290 Oakmead Pkwy Ste 218
Sunnyvale, CA 94086
US
 
Netname: HOTMAIL
Netblock: 64.4.0.0 - 64.4.63.255
 
Coordinator:
Myers, Michael (MM520-ARIN) icon@HOTMAIL.COM
408-222-7330
 
Domain System inverse mapping provided by:
 
NS1.HOTMAIL.COM 207.82.250.83 NS3.HOTMAIL.COM
209.185.130.68
 
Record last updated on 11-Feb-2000.
Database last updated on 30-Nov-2000 19:05:05 EDT.
 

The next "Received" line records a hop inside Hotmail: the message was handed to hotmail.com by Hotmail's mail pickup service. The third "Received" line and the X-Originating-IP line give the IP address of the machine that composed the message through Hotmail's web interface (HTTP) before it was transmitted to ronmen9938@britannica.com. In this case that address has been fictionalized to x.x.x.x, but a real address could be run through ARIN for identification, and the same goes for a domain name. The "From" line gives the sender's email address at Hotmail.com. Bear in mind that only the "Received" lines added by servers you control or trust are reliable: a sender can forge any lines beneath them, and the "From" line is whatever the sender typed.
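To make the hop order concrete, here is an added example (mine, not the article's) that parses "Received" headers with Python's standard email module, returns the hops oldest-first, and walks back from the receiving server to the last address recorded by a server in the examiner's own domain. The headers are constructed with documentation addresses, and the trusted domain (victim.example) is an assumption of the example.

```python
import re
import email
import email.policy

# Constructed message headers (documentation addresses, not the article's
# sample). Each relay prepends its own Received line, so the oldest hop is
# at the bottom.
RAW_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.victim.example (Postfix) with ESMTP id 4F3A1; Fri, 1 Dec 2000 05:04:58 -0600
Received: from webmail.example.net by mail.example.net with SMTP;
 Fri, 1 Dec 2000 03:06:19 -0800
Received: from 198.51.100.7 by webmail.example.net with HTTP;
 Fri, 01 Dec 2000 11:06:19 GMT
X-Originating-IP: [198.51.100.7]
From: "Anyone" <anyone@example.net>
To: investigator@example.org
Subject: Test

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Parse every Received header and return the hops in chronological order
    (oldest first), each as {'from': ..., 'by': ..., 'ip': ...}."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        frm = m["frm"]
        # Prefer the address the receiving server saw ([a.b.c.d]) over the
        # name the sender announced; fall back to a bare address if present.
        bracketed = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", frm)
        if bracketed:
            ip = bracketed.group(1)
        else:
            bare = IPV4_RE.search(frm)
            ip = bare.group(1) if bare else None
        hops.append({"from": frm, "by": m["by"], "ip": ip})
    hops.reverse()                               # header order is newest first
    return hops

def originating_ip(raw):
    """The address a webmail service records for the composing client."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    value = msg.get("X-Originating-IP")
    m = IPV4_RE.search(str(value)) if value else None
    return m.group(1) if m else None

def last_trusted_ip(hops, own_domain):
    """Walk from the newest hop downward. Received lines written by your own
    servers are reliable; anything beneath could have been forged by the
    sender. Returns the peer IP recorded by the last of your own servers."""
    trusted = None
    for hop in reversed(hops):
        if hop["by"].endswith(own_domain):
            trusted = hop["ip"]
        else:
            break
    return trusted

if __name__ == "__main__":
    hops = received_hops(RAW_HEADERS)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} (ip {hop['ip']})")
    print("X-Originating-IP:", originating_ip(RAW_HEADERS))
    print("last address we can vouch for:", last_trusted_ip(hops, "victim.example"))
```

In the sample the address you can actually vouch for is 192.0.2.10, the peer your own server talked to; the 198.51.100.7 further down is worth running through WHOIS, but it was written by someone else's server and should be treated as a lead, not a fact.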

Tracing emails will continue to play an ever-increasing role in computer crime investigation. To see how it played a role in a recent Texas homicide case, read "Murder via the Internet" at http://securityportal.com/topnews/murdervia20000721.html.


Resources

Print Sources:

Casey, Eoghan, Digital Evidence and Computer Crime, Academic Press, 2000.

Hayden, Matt, Networking in 24 Hours, Sams, 1998.

Hoffman, Paul E., Perl 5 for Dummies, IDG Books, 1997.

Mendell, Ronald L., Security Management, June 1999, "Is the Internet Just a Web of Misinformation?"

Raymond, Eric S., The New Hacker's Dictionary 3rd Edition, MIT Press, 1996.

Sharrar, Kristopher A. and Granado, Jose, Security Management, March 1997, "Confessions of a Hard Drive."

Shimomura, Tsutomu with John Markoff, Takedown, Hyperion, 1996.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Tiwana, Amrit, Web Security, Digital Press, 1999.

URLs:


Perl

http://www.perl.org/
http://www.perl.com/perl/


Security scripts

http://www.softpanorama.org/Security/perl_sec_scripts.shtml


Intrusion Detection

Intrusion Detection Pages
http://www.cerias.purdue.edu/coast/intrusion-detection/welcome.html


Attacks

Attacks on IP Networks
http://www.docs.uu.se/~carle/datakomm/Notes/Networkin/51_AttacksOnIP.html

Network Intelligence
http://www.microsoft.com/technet/security/intel.asp

Whois Service
Internic and IP Address Searches:
http://rs.internic.net/cgi-bin/whois

Links to several registries
http://networksolutions.com/cgi-bin/whois/whois

American Registry for Internet Numbers (ARIN)
http://www.arin.net/whois


Email

Tracing Email
http://www.usus.org/elements/tracing.htm


Computer Crime Investigator's Toolkit: Part IV
Tuesday, January 23, 2001
Ronald Mendell (ronmen9938@britannica.com) for SecurityPortal


Slack Files

Slack space is the unused area between the end of a file (EOF) and the end of the last cluster allocated to it. Because a disk hands out storage in whole clusters, almost every file leaves part of its last cluster unfilled, and the operating system does not clear that remainder. So whatever previously occupied the cluster, typically the tail of a deleted file that the new file only partially overwrote, survives there. On a given disk, then, large amounts of "hidden data" exist. These fragments may offer considerable evidence about what was deleted from the disk.

Bitstream copying will preserve slack space. Simple copying will not. Once safely backed up, the contents of slack space will be visible by using software such as Hex editors and the Norton Utilities. Such examination needs to be done by a qualified computer forensics specialist. If you need a list of questions to ask an examiner to evaluate his or her qualifications, try this Web page: http://www.keycomputer.net/equest.htm. A good article giving an overview of examining a computer is in the March 1997 issue of Security Management, "Confessions of a Hard Drive" by Kristopher A. Sharrar and Jose Granado.
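An added example (mine, not the article's) that makes the difference between a logical copy and a bitstream copy visible: a toy cluster-addressed volume held in memory, on which a "deleted" memo is partly overwritten by a smaller file. The 512-byte cluster size and the file contents are constructed for the example.

```python
CLUSTER = 512  # bytes per cluster, small for the demo (real FAT clusters are often 4-32 KiB)

def slack_bytes(file_size, cluster_size=CLUSTER):
    """Unused bytes between a file's end and the end of its last cluster."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size

class ToyVolume:
    """A cluster-addressed disk image held in a bytearray. As on a real FAT
    volume, a write copies only the file's own bytes and a delete only drops
    the directory entry; nothing in the clusters is ever wiped."""

    def __init__(self, clusters, cluster_size=CLUSTER):
        self.cluster_size = cluster_size
        self.image = bytearray(clusters * cluster_size)
        self.dir = {}  # name -> (first cluster, size)

    def write(self, name, first_cluster, data):
        start = first_cluster * self.cluster_size
        self.image[start:start + len(data)] = data
        self.dir[name] = (first_cluster, len(data))

    def delete(self, name):
        del self.dir[name]

    def logical_copy(self, name):
        """What a plain file copy carries: the file's own bytes, nothing else."""
        first, size = self.dir[name]
        start = first * self.cluster_size
        return bytes(self.image[start:start + size])

    def file_slack(self, name):
        """The residue between EOF and the end of the last allocated cluster."""
        first, size = self.dir[name]
        end = first * self.cluster_size + size
        return bytes(self.image[end:end + slack_bytes(size, self.cluster_size)])

    def bitstream(self):
        """What a sector-by-sector image carries: every byte, allocated or not."""
        return bytes(self.image)

def demo():
    vol = ToyVolume(clusters=4)
    memo = b"CONFIDENTIAL: wire 40000 to acct 991-22 on Friday, then delete this memo."
    memo = memo.ljust(560, b"x") + b"[end of memo, cluster 1]"   # 584 bytes
    vol.write("memo.txt", 0, memo)                 # occupies clusters 0 and 1
    vol.delete("memo.txt")                         # the user "deletes" it
    vol.write("list.txt", 0, b"grocery list: milk, eggs")   # 24 bytes reuse cluster 0
    return vol, memo

if __name__ == "__main__":
    vol, memo = demo()
    print("logical copy :", vol.logical_copy("list.txt"))
    print("file slack   :", vol.file_slack("list.txt")[:60], "...")
    print("unallocated  :", b"[end of memo, cluster 1]" in vol.bitstream())
```

After the run, the 24-byte grocery list is all a logical copy contains; the 488 bytes of file slack behind it still hold most of the memo's first cluster, and the memo's second cluster sits untouched in unallocated space, where only the bitstream image will find it.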

Slack space may reveal

  1. Evidence of pornography.
  2. Records of criminal activity or transactions.
  3. Deleted email used for illegal purposes.
  4. Files used in scams and to commit frauds.
  5. Stolen proprietary files and databases.
  6. Downloads from the Internet and the Web.
  7. Stolen or pirated software.

Digital Evidence and Computer Crime by Eoghan Casey also has a good overview of slack space on hard disks and how bitstreaming preserves the evidence.


Cryptography

Cryptography is a vast subject, and it can be as abstract as quantum physics. The average computer sleuth, though, does not have to know the inner workings of designing cryptographic algorithms. But, he or she does need to know the difference between simple and complex cryptography.

Simple cryptography is much like the decoder rings found in cereal boxes when you were a kid. The classic cipher along this vein is Caesar's Cipher, which rotated the alphabet three letters to the right. In other words, in the ciphertext the letter H substitutes for the letter E in the plaintext. A modern version of this substitution cipher is ROT13, where the shift is thirteen (13) letters.

Another simple technique is to XOR (exclusive OR) each byte of the plaintext with a key byte; with a single key byte or a short repeating key this is just another substitution cipher. For a more sophisticated method, using a Vigenere Square (an alphabet matrix: http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html) produces a more difficult substitution cipher. Unfortunately, these methods are far too easy for computers to break and result in very weak ciphers and encrypted passwords.

The fact that certain letters in English have a higher frequency than others ("e" being the most common) makes these ciphers vulnerable. Yet, some software packages continue to use them for cryptographic protection. Such software may claim to have a secret, proprietary algorithm for encryption. A computer sleuth can check the strength of a package's cryptography by having it encrypt some known text. If repetitions in letter patterns and frequencies are apparent (you can guess where the letters A or E are), then the encryption is weak. Breaking it using the resources found in the URLs below should be straightforward.
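An added example (mine, not the article's) of the check described above: it measures how English-like a text looks and recovers the key of a Caesar/ROT13 or single-byte XOR cipher by trying every key and scoring the output against English letter frequencies. The frequency table is a standard one and the plaintext in the usage is constructed; the index of coincidence shows why a substitution cipher fails the "encrypt known text" test even before the key is found.

```python
from collections import Counter

# Letter frequencies in English text, in percent (a standard table, assumed here).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

def caesar(text, shift):
    """Rotate letters by `shift` places; shift 3 is Caesar, 13 is ROT13."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def xor_bytes(data, key):
    """XOR every byte with a single key byte (the same call decrypts)."""
    return bytes(b ^ key for b in data)

def chi_squared(text):
    """How far the letter counts of `text` are from English; lower is closer."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    n = len(letters)
    return sum((counts[l] - n * p / 100) ** 2 / (n * p / 100)
               for l, p in ENGLISH_FREQ.items())

def index_of_coincidence(text):
    """About 0.066 for English and for any monoalphabetic substitution of it,
    about 0.038 for random letters. A cipher that leaves it unchanged is weak."""
    letters = [c for c in text.lower() if c.isalpha()]
    n = len(letters)
    if n < 2:
        return 0.0
    counts = Counter(letters)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

def crack_caesar(ciphertext):
    """Try all 26 shifts and keep the one whose output looks most like English."""
    shift = min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))
    return shift, caesar(ciphertext, -shift)

def crack_single_byte_xor(ciphertext):
    """Try all 256 key bytes; reject keys that produce non-text bytes."""
    def score(key):
        plain = xor_bytes(ciphertext, key)
        if any(b > 126 or (b < 32 and b not in b"\t\n\r") for b in plain):
            return float("inf")
        return chi_squared(plain.decode("ascii"))
    key = min(range(256), key=score)
    return key, xor_bytes(ciphertext, key)

if __name__ == "__main__":
    plain = ("Attack at dawn. The investigator copies the disk, hashes the image, "
             "and only then examines the evidence the suspect hid in slack space.")
    ct = caesar(plain, 3)
    print("IoC plain %.3f, IoC cipher %.3f" % (index_of_coincidence(plain), index_of_coincidence(ct)))
    print(crack_caesar(ct))
    print(crack_single_byte_xor(xor_bytes(plain.encode(), 0x5A)))
```

The index of coincidence is the quick test the paragraph describes: a substitution cipher only relabels letters, so the statistic comes out identical for plaintext and ciphertext, and a "proprietary" scheme that behaves this way can be dismissed without further analysis. Vigenere breaks the same way once the key length is known, by treating every k-th letter as its own Caesar cipher, which is what the vigsolve.c program in the Resources does.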

Strong, complex cryptography, suitable for the computer age, takes the form of Triple DES, Blowfish, Twofish, RSA, and other publicly documented strong algorithms, and of programs such as PGP that are built on them. Tested in the public arena by experts, they will stand up to cryptanalysis for reasonable periods of time, provided they are implemented properly. And, they are only as good as the security precautions used to protect them. If a user is careless about safeguarding the keys used in the cipher, no matter how good the algorithm, the message will be compromised. So checking a computer and the floppies nearby for unencrypted files containing keys or passphrases is a standard investigative step. If the user has employed complex cryptography to protect a file or password and you can't find the keys, bring in a qualified computer forensics expert to develop a strategy for accessing the data.



Resources


Print Sources

Casey, Eoghan, Digital Evidence and Computer Crime, Academic Press, 2000.

Sharrar, Kristopher A. and Granado, Jose, Security Management, March 1997, "Confessions of a Hard Drive."

Singh, Simon, The Code Book, Doubleday, 1999.

Smith, Richard E., Internet Cryptography, Addison-Wesley, 1997.

Syngress Editors, Hack Proofing Your Network: Internet Tradecraft, Syngress, 2000.

Tiwana, Amrit, Web Security, Digital Press, 1999.


URLs


Slack Files

"Tutorial"
http://www.spnc.demon.co.uk/ilook/help/tutor_extract.htm

"The Third Step- Preserve the Electronic Crime Scene" by Michael R. Anderson.
http://www.forensics-intl.com/art7.html

"Forensic Procedures for Computers"
http://www.cops.org/forensic_examination_procedures.htm

"An Examiner's qualifications"
http://www.keycomputer.net/equest.htm


Vigenere Square and Cryptography

"The Vigenere Cipher"
http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html

"Index of /pub/security/cryptography/cryptanalysis" (Has C program, vigsolve.c, for cracking Vigenere ciphers.)
http://sunsite.bilkent.edu.tr/pub/security/cryptography/cryptanalysis/?S=A

"A course on classic cryptography," Lesson One covers letter frequencies and distributions in English.
http://www.fortunecity.com/skyscraper/coding/379/lesson1.htm

"A brief introduction to cryptology"
http://www.ridex.co.uk/cryptology/#_Toc439908877

© Copyright 1999-2001 SecurityPortal, Inc. All rights reserved.


 
