May 5, 2003

What if, despite all your security, a system is compromised and you suspect that critical information has been stolen? Surely you don't want the hacker to walk away scot-free. This is where computer forensics comes in: the discipline of examining and analysing computers for evidence that will stand up in court against the hacker. It calls for an investigative bent of mind together with the skill to use the right tools to find that evidence. You also need to know where to look, and how to avoid tampering with a compromised system in ways that destroy the evidence it holds. The first step is to isolate the system so that potential evidence is not overwritten: take it off the network, and do the analysis on a bit-for-bit copy of its disks rather than on the original.

Where to look?
Log files are the best place to start. Every network OS has a logger that records activity on the machine: applications, services and system events are all logged, and many applications keep their own logs as well. Even if the attacker tries to remove his traces, keep in mind that destroying traces leaves traces of its own. A simple example is a break in the regular pattern of a log file: a scheduled job that has run every fifteen minutes for months and then skips two hours, or entries whose timestamps run backwards, point to lines that were deleted or edited.

Swap files, unallocated space and file slack are other important sources of evidence. Unallocated space is disk space not currently assigned to any file; when a file is deleted the file system merely marks its clusters as free, and the data stays there until something else is written over it. File slack arises from how files are stored. Windows file systems, for instance, allocate space in clusters of several sectors, and a file's size rarely works out to an exact number of clusters. The space from where the file's data ends to the end of the last cluster assigned to it is file slack. On DOS and Windows 9x systems the tail of the last sector used to be padded with whatever happened to be in RAM (RAM slack), and the remaining sectors of the cluster keep whatever was on the disk before (drive slack), so slack can hold fragments of passwords, commands and documents that nobody ever meant to save. This is potential legal evidence for a forensic specialist.
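The log-pattern check described above, as an added example that is not part of the original article. The syslog lines are constructed for illustration; the year is an assumption, because the traditional syslog timestamp carries none.

```python
"""Added example, not part of the original article: flag a disruption in a
log's regular pattern, the kind of thing an attacker's clean-up leaves behind.

The log lines are constructed for illustration. They use the traditional
syslog timestamp, which carries no year, so YEAR is an assumption."""
from __future__ import annotations

from datetime import datetime, timedelta

YEAR = 2003   # assumed: traditional syslog timestamps omit the year

# Constructed sample: cron fires every 15 minutes, then goes quiet for
# almost two hours, then resumes; one cron line also carries a timestamp
# earlier than the line written before it.
SAMPLE_LOG = """\
May  4 22:00:01 host CRON[411]: (root) CMD (run-parts /etc/cron.quarter)
May  4 22:15:01 host CRON[425]: (root) CMD (run-parts /etc/cron.quarter)
May  4 22:30:01 host CRON[440]: (root) CMD (run-parts /etc/cron.quarter)
May  5 00:20:17 host sshd[612]: Accepted password for root from 10.0.0.9
May  5 00:15:01 host CRON[598]: (root) CMD (run-parts /etc/cron.quarter)
May  5 00:30:01 host CRON[630]: (root) CMD (run-parts /etc/cron.quarter)
"""


def parse_ts(line: str) -> datetime:
    """The syslog timestamp is the first 15 characters, e.g. 'May  4 22:00:01'."""
    return datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_gaps(log: str, expected_minutes: int, marker: str,
              tolerance_minutes: int = 1) -> list[tuple[datetime, datetime]]:
    """Consecutive entries of a periodic source (lines containing marker) that
    are further apart than the period plus a tolerance: a silence where there
    should have been a heartbeat."""
    limit = timedelta(minutes=expected_minutes + tolerance_minutes)
    stamps = [parse_ts(l) for l in log.splitlines() if marker in l]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > limit]


def find_out_of_order(log: str) -> list[str]:
    """Lines stamped earlier than the line before them. syslog appends in
    arrival order, so this points at lines being edited in or spliced."""
    lines = [l for l in log.splitlines() if l.strip()]
    return [b for a, b in zip(lines, lines[1:]) if parse_ts(b) < parse_ts(a)]


if __name__ == "__main__":
    for a, b in find_gaps(SAMPLE_LOG, 15, "CRON"):
        print(f"no cron entry between {a} and {b} ({b - a})")
    for line in find_out_of_order(SAMPLE_LOG):
        print("timestamp goes backwards:", line)
```

Treat hits as leads, not proof: a clock adjustment, a reboot or log rotation produces the same symptoms, so each gap has to be checked against other sources (the other machine's logs, the router, the backups) before it is called evidence of tampering.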

Instant messengers have become a fairly common tool for business communication. The problem is that the free ones, like Yahoo Messenger, MSN Messenger and ICQ, send their messages as plain text. So anyone on the network path with even a very basic sniffer can read all the text going back and forth, without any extra effort.

Corporate IMs like IBM Lotus Sametime and Interactive Networks' Instant can encrypt the chat text, so a sniffer sees only ciphertext.
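What that basic sniffer sees, as an added example that is not part of the original article. The Ethernet, IPv4 and TCP frames are constructed here with `struct` (checksums left at zero, since a sniffer does not need them to read a payload); the port numbers are the ones the Yahoo (5050), MSN (1863) and ICQ/AIM (5190) clients of the time used by default, and the message text is made up.

```python
"""Added example, not from the original article: what a basic sniffer sees
when an instant messenger sends its text in the clear.

The frames are constructed with struct; the IM ports are the defaults those
clients used (YMSG 5050, MSNP 1863, OSCAR 5190); the message text is made up."""
from __future__ import annotations

import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left zero."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + tcp_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 7]))
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes) -> tuple[int, int, bytes] | None:
    """Walk the headers the way tcpdump would and return
    (src_port, dst_port, payload), or None if the frame is not IPv4/TCP."""
    if len(frame) < ETH_HDR_LEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP header + TCP segment
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    src, dst = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return src, dst, tcp[data_off:]


def sniff_chat(frames, ports=(5050, 1863, 5190)) -> list[str]:
    """Readable text of every TCP segment to or from an IM port. Plain-text
    protocols come out as the message; an encrypted one would come out as
    undecodable bytes."""
    seen = []
    for frame in frames:
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, data = parsed
        if (src in ports or dst in ports) and data:
            seen.append(data.decode("latin-1"))
    return seen


if __name__ == "__main__":
    capture = [build_frame(5050, 33001, b"hello, the password is hunter2"),
               build_frame(33002, 80, b"GET / HTTP/1.0\r\n\r\n")]
    for text in sniff_chat(capture):
        print(repr(text))
```

A real sniffer also reassembles the TCP stream and strips the messenger's own framing, but neither step involves any secret: the text is there for anyone on the wire, which is the whole of the point.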

Forensic tools
Once the various sources of information are known, different tools can be used to extract data from each. For example, there are filters that identify and extract all readable English text from a swap file, which can reveal what commands were run. There are also tools to lock down evidence computers, and to create duplicates of floppies and

Lastly, there is a technique to recover data from magnetic media even after it has been erased or overwritten, by examining the magnetic patterns on the platter at a microscopic level with specialised equipment: traces of the earlier writes can remain alongside the new ones. Such recovery is extremely expensive and within reach only of governments and a few specialist labs, and it applies to older, low-density media; on high-density drives a single complete overwrite leaves nothing that has been publicly shown to be recoverable, so an attacker who has wiped a modern disk has most likely succeeded.

Anil Chopra
