Forensics Journal - Stevenson University 2011 | Page 48
The crucial requirements for a successful steganographic system are “perceptual and algorithmic undetectability” (Wang 78). Furthermore, such a system must be able to meet three primary goals, “security of the hidden communication; size of the payload; and robustness against malicious and unintentional attacks” (Wang 79). These attacks refer to the techniques used by digital forensic examiners to detect the presence of obfuscated or hidden data streams in any file, directory, or system volume. Steganalysis is the methodology used by forensic investigators to make these discoveries on a given system. According to Wang, steganalysis involves two primary steps, “visual analysis” (Wang 80) and “statistical analysis” (Wang 81). Visual analysis uses the human eye or a computer-based inspection to discover the hidden data, while statistical analysis is used to reveal the alterations in a given file’s characteristics, such as file size, that result from embedding additional data into the host file.
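As an added illustration of the statistical analysis step (example code written for this page, not code from the article or from Wang), the following Python runs the pairs-of-values chi-square test on a constructed byte stream standing in for image samples. The cover is generated with a deliberate even/odd bias inside each (2k, 2k+1) pair, then the same data is re-analysed after full-rate LSB replacement of random message bits. The function names, the 70/30 bias and the Wilson-Hilferty approximation of the chi-square distribution are choices of this example.

```python
import math
import random


def make_cover(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for cover samples (e.g. one colour channel of an
    image). Natural cover data has unequal counts inside each pair of values
    (2k, 2k+1); that is simulated here with a 70/30 even/odd bias."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        pair = rng.randrange(128)                 # which pair (2k, 2k+1)
        lsb = 0 if rng.random() < 0.7 else 1      # biased least-significant bit
        out.append(2 * pair + lsb)
    return bytes(out)


def lsb_embed(cover: bytes, message_bits) -> bytes:
    """Classic sequential LSB replacement: overwrite the least-significant
    bit of each sample with one message bit."""
    out = bytearray(cover)
    for i, bit in enumerate(message_bits):
        if i >= len(out):
            break
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return bytes(out)


def pov_chi_square(samples: bytes):
    """Westfeld-Pfitzmann pairs-of-values statistic.

    LSB replacement only moves samples between 2k and 2k+1, never across
    pairs, so at a high embedding rate the two counts in each pair converge
    to their common mean and the chi-square distance to that mean collapses.
    Returns (statistic, degrees of freedom)."""
    counts = [0] * 256
    for b in samples:
        counts[b] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue                              # unused pair, no information
        stat += (even - expected) ** 2 / expected
        pairs += 1
    return stat, max(pairs - 1, 0)


def embedding_probability(stat: float, dof: int) -> float:
    """p = 1 - CDF_chi2(stat; dof): how likely counts this even are by chance,
    read as the probability of embedding. Uses the Wilson-Hilferty normal
    approximation (adequate for dof above ~30) so the example needs no scipy."""
    if dof <= 0:
        return 0.0
    mean = 1.0 - 2.0 / (9.0 * dof)
    sd = math.sqrt(2.0 / (9.0 * dof))
    z = ((stat / dof) ** (1.0 / 3.0) - mean) / sd
    cdf = 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))
    return 1.0 - cdf


def analyse(samples: bytes) -> dict:
    stat, dof = pov_chi_square(samples)
    return {"chi_square": stat, "dof": dof,
            "p_embedded": embedding_probability(stat, dof)}


def demo(n: int = 40000) -> dict:
    """Analyse a constructed cover, then the same cover after a full-rate
    embedding of random message bits."""
    cover = make_cover(n)
    rng = random.Random(2)
    stego = lsb_embed(cover, (rng.getrandbits(1) for _ in range(n)))
    return {"cover": analyse(cover), "stego": analyse(stego)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:5s} chi2={result['chi_square']:9.1f} "
              f"dof={result['dof']} p_embedded={result['p_embedded']:.3f}")
```

The cover produces a chi-square value far above its degrees of freedom (p_embedded near 0), while the stego version lands near the degrees of freedom (p_embedded well above 0). This detector assumes sequential, high-rate LSB replacement; a sparse or scattered embedding, or LSB matching (±1 instead of overwrite), leaves the pair counts unequal, which is why an examiner combines several statistical tests rather than relying on one.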
and removable media evidence collection, data integrity verification,
and data control, i.e. data catalogued, stored, and transported, commensurate with chain of custody protocols.
DATA ANALYSIS
During the data analysis phase, the examiner conducts an initial survey to identify obvious artifacts of digital tampering and to determine the skill level of the attacker or suspect. Various techniques are employed, such as keyword searches, extraction of unallocated slack space, file mapping, and hidden data discovery, in order to obtain pertinent evidence for follow-on examination, analysis, and event reconstruction. The data analysis phase is the critical component of the examination process. It is further subdivided as “survey, extract, and examine” (Beebe 156). In the survey sub-phase, mapping activities are performed to describe and provide detailed information regarding various digital components. Survey actions include file system mapping, enumerating logical partitioning structures, determining disk layout, and discovering locations and irregularities associated with found artifacts. This sub-phase familiarizes the examiner with the analyzed object, the suspect or criminal’s skill level, and the location of obvious and potential digital evidence.
Digital forensic examiners must use an objectives-based approach to discover hidden data due to the characteristics of obfuscation techniques. The following sections will discuss the approach offered and how each phase of that methodology can serve the examiner in a more constructive manner.
PHASES OF APPROACH
In the extraction sub-phase, the examiner performs keyword searches, deconstructs proprietary formats (such as the metadata in a .doc file), conducts hidden data mining, filters, matches patterns, and analyzes file signatures or headers. Data extraction enables forensic investigators to avoid corrupting source files and volumes while simultaneously archiving the extracted items for use in the final phase. The examination sub-phase allows examiners to reconstruct events based upon the extracted data, i.e., confirm the presence or absence of proposed evidence. Additionally, it addresses the questions “who, what, when, where, why, and how (event reconstruction)” (Beebe 156). Examination is performed through log reviews, image and text viewing, chronology of file modification, correlation to actual user activity, and reviewing decrypted files if available. For example, in a scenario regarding the presence of child pornography on a computer system, the data analysis phase provides the mechanisms to recover images, correlate possession of images to the suspect, demonstrate suspect knowledge of possession and/or distribution of images, reconstruct the events surrounding image procurement (time and method), apply anti-obfuscation techniques, and confirm and/or refute possible defenses by the suspect. The data analysis phase leverages the examination procedures and framework for a more thorough investigation process.
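To make the extraction sub-phase’s analysis of “file signatures or headers” concrete, together with the file-size anomaly mentioned in the steganalysis discussion, here is an added Python example (written for this page, not code from the article or from Beebe). It compares each file’s claimed extension with its magic bytes and, for JPEG and PNG, counts the bytes that sit after the format’s end-of-data marker. The sample files are constructed byte strings rather than real images, and the function names are this example’s own.

```python
# Well-known file signatures (magic numbers) as documented for each format.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF",),
    "jpeg": (b"\xFF\xD8\xFF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),   # OLE2 compound document
}

# Constructed sample "files" (byte strings only, not decodable pictures).
SAMPLE_FILES = {
    # JPEG-shaped header plus 30 bytes appended after the FF D9 end-of-image marker
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16 + b"\xFF\xD9"
                 + b"hidden text appended after EOI",
    # PNG signature plus a bare IEND chunk (length, type, CRC), nothing appended
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82",
    # ZIP local-file header renamed to look like a picture
    "holiday.jpg": b"PK\x03\x04\x14\x00" + b"\x00" * 24,
    # no registered signature: reported as unknown, not flagged
    "notes.txt": b"plain text has no magic number\n",
}


def identify(data: bytes) -> list:
    """Extensions whose magic bytes match the start of the data."""
    return sorted(ext for ext, magics in SIGNATURES.items()
                  if any(data.startswith(m) for m in magics))


def trailing_bytes(data: bytes, kind):
    """Number of bytes after the format's end-of-data marker, or None when the
    format is not handled. Container formats (ZIP, PDF, OLE2) need a real
    structure parser and are deliberately left out."""
    if kind in ("jpg", "jpeg"):
        # rfind takes the last FF D9 so embedded thumbnails do not end the scan;
        # appended data that itself contains FF D9 would still mislead this check.
        eoi = data.rfind(b"\xFF\xD9")
        end = eoi + 2 if eoi >= 0 else len(data)
    elif kind == "png":
        iend = data.find(b"IEND")
        end = iend + 8 if iend >= 0 else len(data)   # type (4) + CRC (4)
    else:
        return None
    return len(data) - end


def survey(files: dict) -> list:
    """One finding per file: claimed type, header-identified type(s),
    whether they disagree, and any data beyond the end marker."""
    findings = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = identify(data)
        kind = actual[0] if actual else None
        findings.append({
            "name": name,
            "claimed": ext,
            "actual": actual,
            "mismatch": bool(actual) and ext not in actual,
            "trailing_bytes": trailing_bytes(data, kind),
        })
    return findings


if __name__ == "__main__":
    for f in survey(SAMPLE_FILES):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"{f['name']:12s} claimed={f['claimed']:4s} actual={f['actual']} "
              f"{flag:8s} trailing={f['trailing_bytes']}")
```

Either finding is a lead for the examination sub-phase, not a conclusion: a renamed archive may be an innocent mistake, and trailing bytes after a JPEG may be a legitimate application segment, so the flagged file is carved out and examined rather than judged by the header alone.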
According to Beebe and Clark, the five basic phases of any digital investigation are preparation, incident response, data collection, data analysis, and incident closure (150). Preparations for initial incident response are performed by victim organizations and are not within the scope of this paper. Data collection and analysis are performed by forensic examiners. Incident closure represents a combined effort by the victim organization and the forensic examiner.
INCIDENT RESPONSE
The incident response phase includes seven components that foster the “initial pre-investigation response to a suspected computer crime related incident” (Beebe 150). These activities are initial detection of unauthorized activity, activity reporting, incident validation, damage assessment, incident containment, coordination with stakeholders, and investigation plan formulation.