Transcript Chapter 18

Chapter 18
FORENSIC SCIENCE
ON THE INTERNET
CRIMINALISTICS
An Introduction to Forensic Science, 9/E
By Richard Saferstein
PRENTICE HALL
©2007 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18- 1
Introduction
• The Internet, often referred to as the
“information superhighway,” has opened a
medium for people to communicate and to
access millions of pieces of information from
computers located anywhere on the globe.
• No subject or profession remains untouched by
the Internet, and this is also true for forensic
science.
• A major impact of the Internet will be to bring
together forensic scientists from all parts of the
world, linking them into one common
electronic community.
A Network of Networks
• The Internet can be defined as a “network of
networks.”
– A single network consists of two or more computers
that are connected to share information.
– The Internet connects thousands of these networks
so that information can be exchanged worldwide.
• Connections can be made through a modem, a
device that encodes computer data as signals that
can be carried over ordinary telephone lines.
• Higher-speed broadband connections are
available through cable television lines or through
DSL service over telephone lines.
A Network of Networks
• Computers can be linked, or networked,
through wired or wireless (Wi-Fi)
connections.
• Computers that participate in the
Internet have a unique numerical
Internet Protocol (IP) address and
usually a name (a host name that the
Domain Name System resolves to the address).
The World Wide Web
• The most popular area of the Internet is the
World Wide Web.
• It is considered a collection of pages stored in
the computers connected to the Internet
throughout the world.
• Web browsers allow the user to explore
information stored on the Web and to retrieve
Web pages the viewer wishes to read.
The World Wide Web
• Several directories and indexes on the Internet,
known as search engines, are available to assist
the user in locating a particular topic from the
hundreds of thousands of web sites located on
the Internet.
– A keyword or phrase entered into a search
engine will locate sites on the Internet that
are relevant to that subject.
• Commercial Internet service providers connect
computers to the Internet while offering the
user an array of options.
Electronic Mail (e-Mail)
• The service that is most commonly used in
conjunction with the Internet is electronic mail
(e-mail).
• This communication system can transport
messages across the world in a matter of
seconds.
• Extensive information relating to forensic
science is available on the Internet.
• The types of Web pages range from simple
explanations of the different fields of forensics
to intricate details of forensic science
specialties.
Forensic Analysis of the Internet
• It is important from the investigative
standpoint to be familiar with the evidence left
behind from a user’s Internet activity.
• A forensic examination of a computer system
will reveal quite a bit of data about a user’s
Internet activity.
• The data described on the next few slides would
be accessed and examined utilizing the forensic
techniques outlined in Chapter 17.
Internet Cache
• Evidence of Internet web browsing typically
exists in abundance on the user’s computer.
• Most web browsers (Internet Explorer, Netscape,
and Firefox) utilize a system of caching to
expedite web browsing and make it more
efficient.
• This web browsing Internet cache is a potential
source of evidence for the computer investigator.
• Portions of, and in some cases, entire visited web
pages can be reconstructed.
• Even if deleted, these cached files can often be
recovered.
Internet Cookies
• To appreciate the value of the “cookie” you
must first understand how cookies get onto the
computer and what their intended purpose is.
• A cookie is a small text record that a web site
asks the browser to store: the site's server sends
it in the Set-Cookie header of its HTTP response,
and the browser writes it to the local hard disk
drive and returns it on later visits to that site.
• This happens, of course, only if the particular web
browser being used is set to allow it.
• A cookie is used by the web site to track certain
information about its visitors.
• This information can be anything from a history
of visits or purchasing habits to session tokens
and personal information used to recognize the
user on later visits. Most often the cookie holds
an identifier that the site matches against its own
records, although poorly designed sites have stored
passwords and other personal data directly in the
cookie.
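Cookies that a Netscape-derived browser stored on disk can be read directly from its cookie file. The following parser is an added example, not code from the textbook; it reads the tab-separated cookies.txt layout (domain, include-subdomains flag, path, secure flag, expiry as Unix seconds with 0 meaning a session cookie, name, value) and reports whether each cookie was still valid at a reference time. The cookie lines and the reference date are constructed for the example.

```python
"""Parse a browser cookie store in the Netscape cookies.txt format.

Added example, not from the textbook. The cookie lines below are constructed
sample data; the reference time stands in for the date of the examination.
"""
from datetime import datetime, timezone

SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
# constructed sample data
.shop.example\tTRUE\t/\tFALSE\t1167609600\tlast_visit\t2006-12-20
.shop.example\tTRUE\t/\tTRUE\t1893456000\tsession_id\tc0ffee1234
forum.example\tFALSE\t/forum\tFALSE\t0\tprefs\tlang=en
"""

# Constructed examination date; an examiner would use the acquisition time.
REFERENCE_TIME = datetime(2007, 6, 1, tzinfo=timezone.utc)


def parse_cookies_txt(text: str) -> list:
    """Return one dict per cookie line, skipping comments and malformed lines."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line; a real tool should log it, not drop it silently
        domain, subdomains, path, secure, expiry, name, value = fields
        expiry_ts = int(expiry)
        cookies.append({
            "domain": domain,
            "subdomains": subdomains == "TRUE",
            "path": path,
            "secure": secure == "TRUE",  # sent only over HTTPS
            # 0 marks a session cookie with no on-disk expiry
            "expires": None if expiry_ts == 0
            else datetime.fromtimestamp(expiry_ts, timezone.utc),
            "name": name,
            "value": value,
        })
    return cookies


def cookie_status(cookie: dict, now: datetime) -> str:
    """Classify a cookie relative to the examination time.

    An expired cookie is still evidence of a visit; it just would no longer
    be sent back to the site.
    """
    if cookie["expires"] is None:
        return "session"
    return "expired" if cookie["expires"] <= now else "valid"


if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE_COOKIES_TXT):
        print(c["domain"], c["name"], cookie_status(c, REFERENCE_TIME))
```

The expiry field is Unix time in UTC, so converting it with an explicit UTC zone avoids the off-by-hours errors that come from letting the examiner's local time zone leak into the timeline.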
Internet History
• Most web browsers track the history of web page
visits for the computer user.
• This is done mainly for the user's convenience.
• Like the “recent calls” list on a cell phone, the
Internet history provides an accounting of sites
most recently visited, with some browsers storing
weeks' worth of visits.
• Users can go back to sites they recently visited
simply by selecting them from the browser's
history.
• The history file can be located and read with
most popular computer forensic software
packages.
Bookmarks and Favorite Places
• Another way users can access websites quickly is
to store them in their “bookmarks” or “favorite
places.”
• Like a pre-set radio station, Internet browsers
allow a user to bookmark websites for future
visits.
• A lot can be learned from the bookmarked sites of
a person. Perhaps you might learn what online
news a person is interested in or what type of
hobbies he/she has.
• You may also see that person’s favorite child
pornography or computer hacking sites
bookmarked.
Internet Communications
• Computer investigations often begin or are
centered around Internet communication.
• It may be:
– A chat conversation amongst many people
– An instant message conversation between just two
individuals
– Or the back and forth of an e-mail exchange
• Human communication has long been a
source of evidentiary material.
• Regardless of the type, investigators are
typically interested in communication.
Value of the IP address
• In our earlier discussion, it was stated that in
order to communicate on the Internet a
device needs to be assigned an Internet
Protocol (IP) address.
• The IP address is assigned by the Internet
Service Provider through which the device
accesses the Internet; for most home and
business accounts it is assigned dynamically
and can change over time.
• Thus it is the IP address that might lead to
the identity of a real person: the ISP's records
can tie the address, at a given date and time, to
a subscriber account.
• Because the address identifies a connection
rather than a person, a request to the ISP must
include the exact date, time, and time zone of
the activity, and several computers behind one
home or office router may share the same
public address.
• If an IP address is the link to the identity of a
real person, then it would quite obviously be
very valuable for identifying someone on the
Internet.
IP Address Locations
• IP addresses are located in different places
for different mediums of communication.
• E-mail carries the IP address in the header
portion of the message: each mail server that
handles the message adds a Received: line
recording the address it accepted the message
from, so the sender's address is normally in the
earliest (bottom-most) Received: line.
– Full headers are hidden by default in most
clients and may require a bit of configuration
to reveal.
– Each e-mail client is different and needs to be
evaluated on a case-by-case basis.
– Received: lines that were added before the
message reached a server the investigator trusts
can be forged by the sender, so the chain is read
from the top down and believed only as far as the
last trusted server.
• In the case of an Instant Message or Chat
session, the particular provider (the one
providing the mechanism of chat: AOL,
Yahoo, etc.) would be contacted to provide
the user's IP address.
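The Received: chain described above can be walked programmatically. The following is an added example, not code from the textbook: it parses a constructed message with two relay hops (the host names and addresses are made up, drawn from documentation ranges), lists each hop's recording server and the peer address it saw, and then stops trusting the chain at the first hop recorded by a server that is not in the investigator's trusted set.

```python
"""Extract the originating IP address from a message's Received: headers.

Added example, not from the textbook. The message below is constructed
for illustration; host names and addresses are made up.
"""
import re
from email import message_from_string
from typing import Optional

# Constructed sample: two relays handled the message. Each server prepends
# its own Received: line, so the top line is the last hop and the bottom
# line is the hop closest to the sender.
SAMPLE_MESSAGE = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.7])
\tby mail.victim.example (Postfix) with ESMTP id 4F2A1
\tfor <analyst@victim.example>; Tue, 13 Mar 2007 09:14:22 -0500
Received: from user-pc (dsl-198-51-100-23.example-isp.net [198.51.100.23])
\tby mx2.example-isp.net with SMTP; Tue, 13 Mar 2007 09:14:20 -0500
From: someone@example-isp.net
To: analyst@victim.example
Subject: test

body text
"""

# The bracketed literal is what the receiving server saw on the wire; the
# host name before it is only what the connecting peer claimed to be.
_PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+(\S+)")


def received_chain(raw_message: str) -> list:
    """Return each Received: hop as {'by': host, 'from_ip': ip}, top to bottom."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        ip = _PEER_IP.search(flat)
        by = _BY_HOST.search(flat)
        hops.append({
            "by": by.group(1) if by else None,
            "from_ip": ip.group(1) if ip else None,
        })
    return hops


def originating_ip(raw_message: str, trusted_hosts: set) -> Optional[str]:
    """Walk the chain from the most recent hop downward.

    A hop is believed only if it was recorded by a server we trust, because
    anything below the first untrusted server may have been written by the
    sender. The deepest trusted hop yields the earliest reliable address.
    """
    best = None
    for hop in received_chain(raw_message):
        if hop["by"] not in trusted_hosts:
            break
        best = hop["from_ip"]
    return best


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop)
    print("origin:", originating_ip(
        SAMPLE_MESSAGE, {"mail.victim.example", "mx2.example-isp.net"}))
```

With only the victim's own server trusted, the best the chain supports is the ISP relay's address; trusting the ISP relay as well (for instance after confirming the hop with the ISP) pushes the answer one step closer to the sender. Either way, the timestamp on the trusted hop is what the ISP needs alongside the address.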
Difficulty with IP Addresses
• Finding IP addresses may be difficult.
– E-mail can be read through a number of clients or
software programs.
– Most accounts offer the ability to access e-mail
through a web-based interface as well.
– Often the majority of chat and instant message
conversations are not saved by the parties
involved.
• Each application needs to be researched and
the computer forensic examination guided by
an understanding of how it functions.
Hacking
• Unauthorized computer intrusion, more commonly
referred to as hacking, is the concern of every
computer administrator.
• Hackers penetrate computer systems for a number of
reasons.
– Sometimes the motive is corporate espionage and other
times it is merely for bragging rights within the hacker
community.
– Most commonly though, it is a rogue or disgruntled
employee, with some knowledge of the computer network,
who is looking to cause damage.
• Despite the motivation, corporate America is frequently
turning to law enforcement to investigate and prosecute
these cases.
Locations of Concentration
• Generally speaking, when investigating
an unauthorized computer intrusion,
investigators will concentrate their
efforts in three locations:
– Log files
– Volatile memory
– Network traffic
Logs
• Logs will typically document the IP address of
the computer that made the connection, along
with the time of the connection.
• Logs can be located in several places on a
computer network.
• Most servers that exist on the Internet track
connections made to them through the use of
logs.
• Additionally, the router (the device responsible
for directing data between networks) might
contain log files detailing connections.
• Similarly, devices known as firewalls might
contain log files which list computers that were
allowed, or denied, access to the network or an
individual system.
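Server logs are most useful when the connecting addresses are pulled out and summarized rather than read line by line. The following is an added example, not code from the textbook: it parses a handful of constructed web server access-log lines in the widely used Apache "combined" layout (addresses from documentation ranges), counts connections per source address, and flags addresses that either logged in after repeated failures or pulled down an unusually large volume of data. The thresholds are illustrative assumptions.

```python
"""Pull connecting IP addresses out of web server logs and summarize them.

Added example, not from the textbook. The log lines are constructed in the
Apache "combined" format; the thresholds in suspicious_ips are assumptions.
"""
import re
from collections import Counter

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [13/Mar/2007:09:14:22 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [13/Mar/2007:09:15:01 -0500] "GET /admin/login.php HTTP/1.1" 401 312 "-" "curl/7.15"
198.51.100.23 - - [13/Mar/2007:09:15:02 -0500] "GET /admin/login.php HTTP/1.1" 401 312 "-" "curl/7.15"
198.51.100.23 - - [13/Mar/2007:09:15:03 -0500] "POST /admin/login.php HTTP/1.1" 200 1844 "-" "curl/7.15"
198.51.100.23 - - [13/Mar/2007:09:15:09 -0500] "GET /admin/export.php?all=1 HTTP/1.1" 200 983211 "-" "curl/7.15"
203.0.113.7 - - [13/Mar/2007:09:16:40 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
"""

# client ip, identd, user, [timestamp], "method path protocol", status, bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_log(text: str) -> list:
    """Return one dict per well-formed line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records


def connections_by_ip(records: list) -> Counter:
    """How many requests each source address made."""
    return Counter(r["ip"] for r in records)


def suspicious_ips(records: list, max_failures: int = 2, max_bytes: int = 500_000) -> list:
    """Flag addresses that succeeded after repeated auth failures or moved a lot of data.

    The thresholds are assumptions for the example; tune them to the site.
    """
    failures = Counter()
    success_after_failures = set()
    bytes_out = Counter()
    for r in records:  # records are in log order, so failures precede the success
        if r["status"] in (401, 403):
            failures[r["ip"]] += 1
        elif r["status"] == 200 and failures[r["ip"]] >= max_failures:
            success_after_failures.add(r["ip"])
        bytes_out[r["ip"]] += r["size"]
    heavy = {ip for ip, total in bytes_out.items() if total > max_bytes}
    return sorted(heavy | success_after_failures)


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print(connections_by_ip(recs))
    print("suspicious:", suspicious_ips(recs))
```

The timestamp field includes the server's UTC offset; keep it with the address when the request goes to the ISP, since the same address may have belonged to a different subscriber an hour later.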
Use of Volatile Data
• Many times, in cases of unlawful access to a computer
network, some technique is used by the perpetrator to
cover the tracks of his IP address, such as routing the
connection through proxies or through other compromised
systems.
• Advanced investigative techniques might be necessary to
discover the true identity.
• Where an intrusion is in progress the investigator might
have to capture volatile data (data in RAM).
• The data existing in RAM at the time of an intrusion may
provide valuable clues into the identity of the intruder, or
at the very least the method of attack.
• Like the case of the instant message or chat conversation,
the data that exists in RAM needs to be acquired while the
system is still running; it is lost once the machine is
powered off.
An Additional Standard Tactic
• Another standard tactic for investigating
intrusion cases is documenting all programs
installed and running on a system.
• By doing this the investigator might discover
malicious software installed by the
perpetrator to facilitate entry.
• This is accomplished utilizing specialized
software designed to document running
processes, registry entries, and any installed
files.
Live Network Traffic
• The investigator may want to capture live
network traffic as part of the evidence
collection and investigation process.
• Traffic that travels the network does so in the
form of data packets.
• In addition to containing data these packets
also contain source and destination IP
addresses.
• If the attack requires two-way
communication, as in the case of a hacker
stealing data, then it needs to be transmitted
back to the hacker’s computer.
The Destination IP Address
• To reach the hacker's computer, the packets must
carry its IP address as their destination.
• Once this address is learned, the investigation can
focus on that system.
• Moreover, the type of data that is being
transmitted on the network may be a clue as
to what type of attack is being launched,
whether any important data is being stolen, and
what malicious software, if any, is involved
in the attack.
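The two slides above (Live Network Traffic and The Destination IP Address) describe reading source and destination addresses out of captured packets and using them to spot data leaving the network. The following added example, not code from the textbook, does exactly that on constructed IPv4/TCP packets built in memory with struct (so it runs offline; a real examination would feed bytes from a capture file into the same decoder). It decodes the IP header and ports, then totals the payload bytes sent from an assumed internal network to each outside destination. Addresses are from documentation ranges and the internal network is an assumption.

```python
"""Decode source and destination addresses from captured IPv4 packets.

Added example, not from the textbook. Packets are constructed inline; the
internal network 192.0.2.0/24 and all addresses are assumptions.
"""
import ipaddress
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 + TCP packet (checksums left zero; enough for a parser test)."""
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack(
        IP_HDR, 0x45, 0, total_len, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_header + tcp_header + payload


def decode_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header and, for TCP/UDP, the port numbers and payload size."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length includes any options
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "payload_len": total_len - ihl,
    }
    if proto in (6, 17) and len(packet) >= ihl + 4:  # TCP or UDP: ports come first
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
        # TCP header length is in the data-offset nibble; UDP header is fixed at 8
        hdr = (packet[ihl + 12] >> 4) * 4 if proto == 6 else 8
        info["payload_len"] = total_len - ihl - hdr
    return info


def outbound_data_flows(packets: list, internal_net: str) -> dict:
    """Sum payload bytes sent from inside internal_net to each outside (src, dst, port)."""
    net = ipaddress.ip_network(internal_net)
    totals = defaultdict(int)
    for p in packets:
        info = decode_ipv4(p)
        inside = ipaddress.IPv4Address(info["src"]) in net
        outside = ipaddress.IPv4Address(info["dst"]) not in net
        if inside and outside:
            totals[(info["src"], info["dst"], info.get("dport"))] += info["payload_len"]
    return dict(totals)


# Constructed capture: one ordinary web request/response, then two full
# segments from the same internal host to an outside machine on port 4444.
CAPTURE = [
    build_ipv4_tcp("192.0.2.10", "203.0.113.7", 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_ipv4_tcp("203.0.113.7", "192.0.2.10", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_ipv4_tcp("192.0.2.10", "198.51.100.23", 40002, 4444, b"A" * 1400),
    build_ipv4_tcp("192.0.2.10", "198.51.100.23", 40002, 4444, b"B" * 1400),
]

if __name__ == "__main__":
    for pkt in CAPTURE:
        print(decode_ipv4(pkt))
    print(outbound_data_flows(CAPTURE, "192.0.2.0/24"))
```

Totalling bytes per destination is what makes the transfer to 198.51.100.23 stand out against ordinary browsing: the destination address is the lead to follow, and the destination port and payload contents hint at the tool behind it.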