Forensics Journal - Stevenson University 2011 | Page 49

onto an input of data resulting in an arbitrary representation of the data’s digital fingerprint. A hash has three distinct strengths that make it crucial to any examination. First, it is a one-way algorithm, such that “it is impossible to regenerate input data from the hash value” (Forte 14). Second, it is unique in that the same hash value will never be generated from two different inputs when applied to the same algorithm. Finally, hash functions offer repeatability because any given piece of data will always generate the same hash value when applied to the same hash algorithm.

INCIDENT CLOSURE

Incident closure is focused on investigation termination, identification, and presentation of lessons learned during the examination process. Critical reviews are conducted to identify vulnerabilities and the countermeasures applied during the examination process. Best practices are identified during the presentation of findings so they might be incorporated into future processes and procedures, e.g., developing an acceptable use policy or security policy. During this phase, evidence disposal might also be recommended if it is required to justify prosecution of a suspected criminal. All collected evidence pertaining to the incident is then catalogued, documented, and preserved.

TOOL KIT VULNERABILITIES

Many forensic tool kits remain susceptible to vulnerabilities that can be leveraged by cyber criminals to thwart and hamper the discovery process. Anti-forensics attacks the forensic effort by “negatively affecting the integrity of the digital evidence comprising the crime scene” and “disrupting the digital evidence available to forensic examiners in a given investigation” (Sartin 4). In the scope of anti-forensics, two overarching concepts comprise the primary methods of defeating the forensic effort.

The first, data obfuscation, covers the tracks of cyber criminals or hackers through the destruction of digital evidence that might lead to the discovery of various artifacts. This is achieved by file system modifications intended to mislead the examiner, or by backdoor program removal. However, the potential digital fingerprint left behind remains a problem for the cyber criminal. The second concept is data hiding, which “masks evidence rather than destroying it” (Sartin 5). Three methods of hiding data are data encryption, file packing, and exploiting hidden disk areas. Data encryption applied to data at rest hides the nature and the extent of the system intrusion but only applies to persistent data types such as files, directories, registry keys, etc. Encryption may also be applied to data in transit, as with SSH, SFTP, and SSL, rather than to the stored data itself. File packing “combines two files to form a single file” (Sartin 6). This method is especially useful to hackers and cyber criminals because signature-based detection engines only look for the malicious file as a whole, and not for two separate components working in tandem. For example, a hacker could pack a backdoor program with a legitimate operating system service to mask malicious evidence and to hide any indication of unwanted execution. Hiding data in hidden disk areas, such as directories not shown by default, delays initial discovery; however, it is easily detectable.

The proposed framework is incomplete without knowledge of the methods and tasks available for examiners to leverage. Steganalysis is one of the primary methods used to accomplish investigation goals. Since steganalysis is a complex discipline, only a brief overview of the more prevalent and common methodologies employed will be addressed.

STEGANALYSIS

Steganalysis is the searching for and discovery of artifacts related to the installation and/or removal of steganography tools on a system. Steganography tools are used to perform data hiding or obfuscation. These tools tend to leave a digital footprint on a computer system, regardless of whether or not the tool has been removed by the user. Forensic examiners perform detection activities within the system to determine which tools might have been, or remain, resident. The two primary detection types are signature-based detection, which “searches files for known byte patterns left by steganography programs” (Zax 28), and blind detection, where examination is performed on “statistical properties of files exposed to steganographic algorithms” (Zax 28) as an indicator that something is hidden on the system. Often, steganography tools leave artifacts that can be detected and forensically discovered in multiple ways. The most notable artifacts found are residual hash values or file/directory names, name and value combinations of registry keys, evidence in most recently used (MRU) lists, or evidence in temporary caches on the system. Beyond the artifacts that lead to the discovery of installed and/or uninstalled steganography tools, the detection systems themselves aid the examiner. Most forensic tools, such as EnCase®, automate the search for indicators by analyzing multiple system locations and components such as hard drive data, allocated and unallocated files in a cluster, deleted files, file or volume slack, open files with associated temporary directories, and hidden processes (Frith 6). Fur