Digital Forensics and Cyber Crime Datamining



ABSTRACT
Digital forensics is the science of identifying, extracting, analyzing and presenting digital evidence stored on digital devices. Various digital tools and techniques are used to achieve this. This paper explains the steps of forensic analysis of storage media, hidden-data analysis in the file system, network forensic methods and cyber crime data mining. It proposes a new tool that combines digital forensic investigation with crime data mining. The proposed system is designed to find the motive and pattern of cyber attacks and the number of attacks of each type that occurred during a period, so that system administrators can reduce the system's exposure to them.



Introduction
Computer forensics is the process that applies computer science and technology to collect and analyze evidence that is crucial and admissible in cyber investigations. Network forensics is used to discover attackers' behaviour and trace them by collecting and analyzing logs and status information.
A digital forensic investigation is an inquiry into unfamiliar or questionable activity in cyberspace or the digital world. The investigation process, as defined by the National Institute of Standards and Technology [1], is as follows. Figure 1 shows the complete phases of the digital forensic investigation process.
Collection phase: The first step in the forensic process is to identify potential sources of data and acquire forensic data from them. Major sources of data are desktops, storage media, routers, cell phones, digital cameras, etc. A plan is developed to acquire data according to its importance, its volatility and the amount of effort needed to collect it [2].
Examination: Once data has been collected, the next phase is to examine it, which involves assessing the collected data and extracting the relevant pieces of information from it [2].
Analysis: The extracted, relevant data is analysed to draw conclusions. If the analysis shows that additional data is needed for a detailed investigation, it calls for further, more in-depth collection.
Reporting: This is the process of preparing and presenting the outcome of the analysis phase.
Digital forensic science covers computer forensics, disk forensics, network forensics, firewall forensics, device forensics, database forensics, mobile device forensics, software forensics, live system forensics, etc.
2. File System Forensics
File system investigation is the identification, collection and analysis of evidence from storage media. A file system (or file management system) is the part of the operating system that organizes and locates the sectors used for file storage [3,4].
2.1. Basic Steps in Storage Media Investigation
1) Replication of the forensic image: non-intrusive acquisition of a replicated image of the data on the questioned device.
2) Hash value calculation of the original and of the image, so that integrity can be verified later.
3) A file-fragment recovery procedure that recovers files and folders to a new location.
4) Examination of all files, especially deleted files.
5) Review of typical evidentiary objects such as:
a) Free space, slack space and bad sectors.
b) Application software files.
c) Digital camera, printer and ancillary device data.
d) E-mails, games and graphics images.
e) Internet chat logs and network activity logs.
f) Recycle folders.
g) System and file date/time objects.
h) User-created directories, folders and files.
i) Latent data extracted from the page file, temporary directories and the registry.
6) Copying the content of each evidentiary object into text files.
7) Searching for key-term strings.
8) Reviewing file notations.
9) Scrutinizing applications, or indications of their use, such as file eradication (wiping), file encryption, file compression or file hiding utilities.
10) Preparing evidence summaries, exhibits, reports and expert findings based on the evidentiary extracts and the investigative analysis.
2.2. Hidden Evidence Analysis in the File System
Suspects can hide sensitive data in various areas of the file system, such as volume slack, file slack, bad clusters and the space of deleted files [5].
1) Hard Disk: The maintenance track and the protected areas of ATA disks (the Host Protected Area, HPA, and the Device Configuration Overlay, DCO) can be used to hide information. These areas are invisible to the operating system, so an image taken through the OS misses them; evidence collection tools that query the drive directly can detect and copy them.
2) File System Tables: The file allocation table in FAT and the Master File Table (MFT) in NTFS keep track of files. Figure 2 shows the MFT structure. MFT entries can be manipulated to hide vital and sensitive information [5].
3) File Deletion: When a file is deleted, its record is removed from the table, so the file appears to no longer exist. The clusters used by the deleted file are marked free and can be reused to store other data. Although the record is gone, the data may still reside in the clusters on the hard disk. Such data can be recovered by locating the start and end of the file in a hex editor, copying the bytes between them into a new file and saving it with the corresponding extension.
Recover a JPEG file
a) Open the disk image or the unallocated space in a hex editor.
b) Check the file signature.
c) Copy from the starting signature up to and including the ending signature.
d) For example, a JPEG/JPG/JPE file with Exif metadata starts with FF D8 FF E1 XX XX 45 78 69 66 00 00 (the bytes after the two-byte length field spell "Exif" in ASCII, Exchangeable image file format), and a JFIF file starts with FF D8 FF E0 XX XX 4A 46 49 46 00 ("JFIF"); every JPEG starts with FF D8 FF and ends with the trailer FF D9. An Exif header may itself contain an embedded thumbnail with its own FF D9, so the first trailer after the header is not always the end of the file.
e) Open the recovered file with the corresponding application.
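Carving a JPEG out of a raw image by signature, as described above, is simple enough to script. The following Python is an added example, not code from the paper: it walks the JPEG marker segments by their length fields so that an Exif thumbnail's own FF D9 does not cut the carved file short, shows the naive first-trailer approach beside it for comparison, and hashes each carved file for the evidence log. The disk image it scans, and the JPEG inside it, are constructed inline (not a real photograph).

```python
"""JPEG carving from a raw image by header/trailer signature (added example).

Walks the JPEG marker segments so an embedded Exif thumbnail (which carries its
own FF D9) does not end the carve early, then hashes each carved file."""
import hashlib
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def carve_jpeg_at(data, start):
    """Carve one JPEG starting at data[start] (which must be FF D8 FF).

    Length-prefixed segments (APP1/Exif, DQT, DHT, SOF, ...) are skipped by their
    declared length until SOS (FF DA). In the entropy-coded data after SOS every
    0xFF byte is either stuffed as FF 00 or a restart marker FF D0..D7, so the
    first FF D9 after the SOS header is the real end of image. Returns the bytes,
    or None when the header is not a consistent JPEG."""
    pos = start + 2                                  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            return None                              # standalone markers do not belong here
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2:
            return None
        if marker == 0xDA:                           # SOS: scan data follows its header
            end = data.find(EOI, pos + 2 + seglen)
            return None if end == -1 else data[start:end + 2]
        pos += 2 + seglen
    return None


def naive_carve_at(data, start):
    """The 'copy from FF D8 to the first FF D9' approach, for comparison."""
    end = data.find(EOI, start)
    return None if end == -1 else data[start:end + 2]


def carve_jpegs(data):
    """Scan a raw image for JPEGs; returns a list of dicts with offset, size, hash, bytes."""
    found, pos = [], 0
    while (idx := data.find(SOI + b"\xff", pos)) != -1:
        img = carve_jpeg_at(data, idx)
        if img is None:
            pos = idx + 1                            # false positive or truncated header
            continue
        found.append({"offset": idx, "size": len(img), "sha256": sha256_hex(img), "data": img})
        pos = idx + len(img)                         # do not re-carve the embedded thumbnail
    return found


# --- constructed sample data (not a real photograph) -------------------------
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

_SOS_HDR = b"\x01\x01\x00\x00\x3f\x00"               # one component, spectral 0..63
_THUMB = SOI + _segment(0xDB, b"\x00" * 8) + _segment(0xDA, _SOS_HDR) + b"\x12\xff\x00\x34" + EOI
SAMPLE_JPEG = (SOI
               + _segment(0xE1, b"Exif\x00\x00II*\x00" + _THUMB)   # APP1 with embedded thumbnail
               + _segment(0xDB, b"\x00" + bytes(range(64)))        # DQT
               + _segment(0xDA, _SOS_HDR)
               + b"\xaa\xff\x00\xbb\xff\xd0\xcc"                   # stuffed FF and a restart marker
               + EOI)
SAMPLE_IMAGE = (b"\x00" * 512 + b"junk" + SAMPLE_JPEG + b"\x00" * 100
                + SOI + b"\xff" + b"\x00" * 20)                    # a truncated header at the end

if __name__ == "__main__":
    for hit in carve_jpegs(SAMPLE_IMAGE):
        print(hit["offset"], hit["size"], hit["sha256"])
        with open(f"carved_{hit['offset']:08x}.jpg", "wb") as f:
            f.write(hit["data"])
```

Signature carving only recovers files whose clusters are contiguous; a file fragmented across non-adjacent clusters needs the file system metadata (FAT chain or MFT data runs) rather than this approach.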
4) Partition Tables: Information about how the partitions of a disk are laid out is stored in the partition table, which is part of the Master Boot Record (MBR). When the computer boots, the partition table tells it how the hard disk is organized, and this information is passed on to the operating system. When a partition is deleted, its entry in the partition table is removed, making the data inaccessible. However, even though the partition entry has been removed, the data still resides on the hard disk.
5) Slack Space: A file system may not use an entire partition. The space after the end of the volume is called volume slack and can be used to hide data. The space between partitions can also be used to hide data, and file slack is another hiding place. Figure 3 shows the slack spaces on a disk.
When a file does not end on a sector boundary, operating systems prior to Windows 95 filled the rest of the sector with data from RAM, hence the name RAM slack. When a file is deleted, its entry in the file system is updated to indicate its deleted status, and the clusters previously allocated to it are marked unallocated and can be reused to store a new file. The data, however, is left on the disk, and it is often possible to retrieve a file immediately after it has been deleted. The data remains on the disk until a new file overwrites it; if the new file does not take up the entire cluster, a portion of the old file remains in the slack space. In this case a portion of the file can be retrieved long after it has been deleted and partially overwritten.
6) Free Space: When a file is moved from one hard disk or partition to another, the move is actually a multistep process of copying and deleting the file. First, a new copy of the file is created on the target partition. After the file has been copied, the original is deleted. This also requires some housekeeping in the FAT or MFT: a new entry is created in the table of the partition the file was copied to, and the record of the deleted file is removed from the table of its original partition. Once a file is deleted, its space is considered free space, and there too a criminal can hide sensitive information [6].
7) Faked Bad Clusters: Clusters marked as bad may be used to hide data. In NTFS, bad clusters are recorded in the metadata file $BadClus, which is MFT entry 8. $BadClus is a sparse file whose size is set to the size of the entire file system; when bad clusters are detected, they are allocated to this file. The amount of data that can be hidden with this technique is limited only by the volume size, since a suspect can simply allocate more clusters to $BadClus [6]. Clusters allocated to $BadClus therefore deserve examination: modern drives remap failing sectors internally, so a volume with many "bad" clusters is suspicious.
3. Network Forensic Analysis
Network forensics is the capturing, recording and analysis of network events in order to discover the source of cyber attacks. In network forensics there are two major types of investigation [7,8]: network traffic analysis and log file analysis.
3.1. Network Traffic Analysis
Network traffic analysis can be used to reconstruct and analyse network-based attacks and inappropriate network usage. The content of communications carried over the network, such as e-mail and chat, can also support an investigation. A packet sniffer is used to capture network traffic, and the header information of the captured packets can be analysed by the forensic analyst [8,9].
Live acquisition is especially important when the investigation concerns active network intrusions or attacks: in some cases the evidence is available only in running processes or in RAM.
Procedure for Network Live Acquisition
1) Create a bootable forensic CD.
2) Access the suspect machine remotely, or insert the bootable CD into the suspect machine directly. Note that rebooting the machine from the CD discards the contents of RAM, so the volatile data of step 5 must be captured from the running system before any reboot.
3) Record or keep a log of all the actions of the forensic investigator.
4) If the evidence has to be taken away, use USB media.
5) Next, take a copy of the physical memory using a forensic tool, for example memfetch.
6) Create an image of the drive.
7) For an intrusion, first check whether a rootkit is installed; rootkit revealers are available for this.
8) Compute the hash value of the created image for integrity checking.
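The imaging and hashing steps (steps 5, 6 and 8 here, and steps 1 and 2 of Section 2.1) can be illustrated in code. The following Python is an added example, not the paper's tool: it copies a source block by block, zero-fills unreadable blocks the way dd conv=noerror,sync does while recording their offsets, writes an investigator log of what was done, and hashes the image as it is written so it can be verified later. The source "disk", its contents and the failing block are constructed for the demonstration.

```python
"""Block-wise acquisition with integrity hashing and an investigator log (added example)."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire_image(src, dst_path, log_path, block_size=BLOCK):
    """Copy the readable blocks of `src` (any object with read/seek) to dst_path.

    An unreadable block is replaced by zeros and its offset recorded, which is what
    `dd conv=noerror,sync` does; the image is hashed while it is written, so the hash
    in the log is the hash of exactly what was stored. Returns a summary dict."""
    digest = hashlib.sha256()
    bad_blocks, offset = [], 0
    with open(dst_path, "wb") as out, open(log_path, "a") as log:
        log.write(f"{_now()} START dst={dst_path} block={block_size} by={os.getenv('USER', 'unknown')}\n")
        while True:
            try:
                chunk = src.read(block_size)
            except OSError as exc:
                log.write(f"{_now()} READ-ERROR offset={offset} {exc}; zero-filled\n")
                bad_blocks.append(offset)
                chunk = b"\x00" * block_size
                src.seek(offset + block_size)        # skip the bad block, keep going
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            offset += len(chunk)
        summary = {"image_sha256": digest.hexdigest(), "bytes_written": offset, "bad_blocks": bad_blocks}
        log.write(f"{_now()} END bytes={offset} bad_blocks={bad_blocks} sha256={summary['image_sha256']}\n")
    return summary


def verify_image(path, expected_sha256, block_size=BLOCK):
    """Re-hash a stored image and compare it with the hash recorded at acquisition."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


class FlakySource:
    """Constructed stand-in for a disk with one unreadable block (demo only)."""
    def __init__(self, data, bad_block, block_size=BLOCK):
        self.data, self.bad, self.bs, self.pos = data, bad_block, block_size, 0

    def read(self, n):
        if self.pos // self.bs == self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos


def demo():
    """Acquire a clean and a flaky constructed source; return what an examiner would compare."""
    data = bytes((i * 7) % 256 for i in range(4 * BLOCK))    # constructed 16 KiB "disk"
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "custody.log")
        clean_path = os.path.join(d, "clean.dd")
        clean = acquire_image(io.BytesIO(data), clean_path, log)
        flaky = acquire_image(FlakySource(data, bad_block=2), os.path.join(d, "flaky.dd"), log)
        return {
            "source_sha256": hashlib.sha256(data).hexdigest(),
            "clean": clean,
            "flaky": flaky,
            "clean_verified": verify_image(clean_path, clean["image_sha256"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The image is hashed as it is written rather than by re-reading the source because a failing disk cannot be read completely: the hash of what was actually stored is the only reproducible value, and the recorded bad-block offsets explain any difference from a later acquisition of the same drive.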
3.2. Network Investigation Tools
Powerful Windows tools are available from Sysinternals:
- Filemon shows file system activity.
- RegMon shows all Registry activity in real time. (Filemon and RegMon have since been merged into Process Monitor.)
- Process Explorer shows what files, registry keys and dynamic link libraries (DLLs) a process has loaded at a specific time.
- PsTools is a suite created by Sysinternals that includes the following tools:
  - PsExec: runs processes remotely.
  - PsGetSid: displays the security identifier (SID) of a computer or user.
  - PsKill: kills processes by name or process ID.
  - PsList: lists detailed information about processes.
  - PsLoggedOn: displays who is logged on locally.
  - PsPasswd: allows changing account passwords.
  - PsService: views and controls services.
  - PsShutdown: shuts down and optionally restarts a computer.
  - PsSuspend: suspends processes.
- Tcpdump and Ethereal (now Wireshark): packet sniffers.
Running any of these on a live suspect system changes its state (new processes, registry and file activity), so each use should be recorded in the investigator's log.
3.3. Log Files Analysis
During an investigation, malicious activity can be recognized by mining user log files. Access logs contain a vast amount of data about each user's activity [10].
Analysis steps:
1) Input a server log file;
2) Identify each session;
3) A log file parser converts the raw dump into a structured form;
4) Use a search function to find the required data, or apply data mining algorithms to obtain relations or sequential patterns.

4. Data Mining for Digital Forensics
Cyber crime data mining is the extraction of computer-crime-related data to determine crime patterns. With the growing size of databases, law enforcement and intelligence agencies face the challenge of analysing the large volumes of data involved in criminal and terrorist activities. Data mining is thus a suitable scientific method for digital forensics. Crime data mining is classified as follows [11,12].
1) Entity extraction has been used to automatically identify persons, login IDs, passwords, ID numbers, system IP addresses and personal property in reports or logs.
2) Clustering techniques such as "concept space" have been used to automatically associate different objects (such as persons, organizations and hardware systems) in crime records [12].
3) Deviation detection has been applied in fraud detection, network intrusion detection and other crime analyses that involve tracing abnormal activities [12].
4) Association rule mining, based on the Apriori algorithm, has been applied to find associations and sequential patterns between web transactions.
The mining results show the motive and pattern of attacks and the number of attacks of each type that occurred during a period.
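The log analysis steps of Section 3.3 and the mining techniques listed above can be run over a handful of access-log lines. The following Python is an added example, not the tool the paper proposes: it parses Apache-style lines, splits them into sessions by idle gap, extracts IPs and login IDs (entity extraction), counts attack types per hour using crude illustrative signatures, and finds frequent itemsets across sessions with a level-wise Apriori (the first step of association rule mining). The log lines, the session timeout and the signatures are constructed for the example.

```python
"""Access-log mining: sessions, entities, attack counts per period and Apriori
frequent itemsets (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from itertools import combinations
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:03:00:01 +0000] "GET /login?user=admin%27%20or%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:03:00:09 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 403 221
10.0.0.5 - - [12/Mar/2024:03:01:30 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88
10.0.0.5 - - [12/Mar/2024:05:10:00 +0000] "GET /login?user=root%27%20or%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:05:10:20 +0000] "GET /files?name=../../etc/shadow HTTP/1.1" 403 221
192.168.1.20 - - [12/Mar/2024:03:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.1.20 - - [12/Mar/2024:03:02:05 +0000] "GET /login?user=alice HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:04:30:00 +0000] "GET /login?user=bob%27%20or%201=1 HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:04:30:07 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 403 221
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Crude attack-type signatures applied to the URL-decoded request (illustrative only).
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*or\s+1=1|union\s+select"),
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"(?i)<script"),
}


def parse_log(lines):
    """Steps 1 and 3: read the log and turn each line into a structured event."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])
        user = re.search(r"[?&]user=(\w+)", path)
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": path,
            "status": int(m["status"]),
            "tags": {name for name, rx in SIGNATURES.items() if rx.search(path)},
            "user": user.group(1) if user else None,
        })
    return sorted(events, key=lambda e: (e["ip"], e["ts"]))


def sessionize(events, gap=timedelta(minutes=30)):
    """Step 2: group one client's requests into sessions split by idle gaps."""
    sessions = []
    for e in events:                                 # events are sorted by (ip, ts)
        last = sessions[-1] if sessions else None
        if last and last["ip"] == e["ip"] and e["ts"] - last["end"] <= gap:
            last["events"].append(e)
            last["end"] = e["ts"]
        else:
            sessions.append({"ip": e["ip"], "start": e["ts"], "end": e["ts"], "events": [e]})
    return sessions


def extract_entities(events):
    """Entity extraction: IPs and login IDs seen in the log."""
    return {"ips": sorted({e["ip"] for e in events}),
            "login_ids": sorted({e["user"] for e in events if e["user"]})}


def attacks_per_period(events, fmt="%Y-%m-%d %H:00"):
    """Counts of each attack type per period (hour buckets by default)."""
    counts = Counter()
    for e in events:
        for tag in e["tags"]:
            counts[(e["ts"].strftime(fmt), tag)] += 1
    return counts


def session_items(session):
    """A session as a transaction: top-level resources requested plus attack tags."""
    items = set()
    for e in session["events"]:
        items.add("/" + e["path"].split("?")[0].strip("/").split("/")[0])
        items |= e["tags"]
    return items


def apriori(transactions, min_count):
    """Apriori: level-wise frequent itemsets with the join and prune steps."""
    def count(c):
        return sum(1 for t in transactions if c <= t)
    level = {c for c in {frozenset([i]) for t in transactions for i in t} if count(c) >= min_count}
    frequent, k = {}, 1
    while level:
        frequent.update({c: count(c) for c in level})
        candidates = {a | b for a in level for b in level if len(a | b) == k + 1}      # join
        candidates = {c for c in candidates if all(frozenset(s) in level for s in combinations(c, k))}  # prune
        level = {c for c in candidates if count(c) >= min_count}
        k += 1
    return frequent


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sess = sessionize(evs)
    print(extract_entities(evs))
    for (period, kind), n in sorted(attacks_per_period(evs).items()):
        print(period, kind, n)
    for items, n in sorted(apriori([session_items(s) for s in sess], 3).items(), key=lambda kv: -len(kv[0])):
        print(n, sorted(items))
```

With these constructed lines the largest frequent itemset is {/login, /files, sqli, traversal} in three of the four sessions: the pattern the paper's tool is meant to surface (a login probe followed by a traversal attempt) appears as a co-occurring itemset rather than as isolated alerts. Real signatures should come from a maintained rule set, not the three regexes above.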