Transcript THE INTERNET

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-1



The Internet, often referred to as the
“information superhighway,” has opened a
medium for people to communicate and to
access millions of pieces of information from
computers located anywhere on the globe.
No subject or profession remains untouched by
the Internet, and this is so for forensic science.
A major impact of the Internet will be to bring
together forensic scientists from all parts of the
world, linking them into one common
electronic community.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-2




The Internet is often described as a “network of
networks”
The Internet connects thousands of networks
through a modem.
A modem is a device that allows computers to
exchange information through telephone lines.
Cable lines help with higher speed connections
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-3
Computers can be linked or networked
through wire or wireless (WI-Fi)
connections.
 Computers that participate in the
Internet have a unique numerical
Internet Provider (IP) address and usually
a name.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-4




The World Wide Web is a collection of pages
stored in the computers.
Each page has a specific web browser that
makes his accessible to the public. (They also
have a specific URL)
Many web pages can be found by using search
engines.
You can search thousands of topics by typing in
keywords.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-5
The service that is most commonly used in
conjunction with the Internet is electronic
mail (e-mail).
 This communication system can transport
messages across the world in a matter of
seconds.
 In order to send and receive e-mails, you
must have an e-mail address.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-6
Ižt is important from the investigative
standpoint to be familiar with the evidence
left behind from a user’s Internet activity.
 ž
A forensic examination of a computer
system will reveal quite a bit of data about
a user’s Internet activity.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-7
Evidence of Internet web browsing exists in
abundance on the user’s computer.
 ž
This web browsing Internet cache is a
potential source of evidence for the
computer investigator.
 Even if the files have been deleted, they
can still be recovered.
 Allows investigators to recreate some or all
of a visited webpage.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-8



ž ookies are placed on the local hard disk drive by
C
the web site the user has visited. (only if the website
is set up to allow them to be placed.)
žA cookie is used by the web site to track certain
information about its visitors.
žThey can store history of visits or purchasing habits,
to passwords and personal information used for
later visits.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-9
Most web browsers track the history of web
page visits for the computer user.
 ž
The internet history creates a list of websites
most recently visited, some storing weeks
worth of visits.
 ž
The history file can be located and read
with most popular computer forensic
software packages.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-10
ž nother way users can access websites
A
quickly is to store them in their “bookmarks”
or “favorite places.”
 A bookmark can reveal a person’s interests
or hobbies.
 It can also reveal any criminal activity that
they have saved.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-11
Computer investigations often begin or
are centered around Internet
communication.
 It may be:

› a chat conversation amongst many
people,
› an instant message conversation between
just two individuals,
› or the back and forth of an e-mail
exchange.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-12



in order to communicate on the Internet a
device needs to be assigned an Internet
Protocol (IP) address.
žThe IP address is provided by the Internet
Service provider from which the device
accesses the Internet.
žThis means that the IP address might lead
to the identity one specific person, making
them valuable to computer investigators
everywhere.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-13
žIP addresses are not always found in the
same place.
 They may not be seen right away, and it
may take some searching to reveal it.
 ž
In the case of an Instant Message or Chat
session, the particular provider would be
contacted to provide the users IP address.
(an IP address comes in a sequence of
numbers. The numbers can be any
number from 0 to 255. ex: 66.94.244.13)

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-14
 F
žinding IP addresses may be difficult.



›E-mail can be read through a number of
clients or software programs.
›Often the majority of chat and instant
message conversations are not saved by
the parties involved.
žEach application needs to be researched
and the computer forensic examination
guided by an expert with an
understanding of how it functions.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-15


Hacking is penetrating another person’s
computer without authorization.
A hacker may have many motives:
 In some cases the hacker wants
information, and other times it’s merely
to show off skills.
 An employee may also hack a network
to do some form of damage to a
company
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-16

Generally speaking, when
investigating an unauthorized
computer intrusion, investigators will
concentrate their efforts in three
locations:
› log files
› volatile memory
› network traffic
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-17




žLogs will typically document the IP
address of the computer that made the
connection.
žMost servers that exist on the Internet track
connections made to them through the
use of logs.
Firewalls might contain logs of who was
allowed access to that specific network.
The router might hold log files of
connections
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-18
The technique that the computer is
hacked with might lead to an identity.
 When intruding, the intruder might have to
capture volatile data(located in RAM),
providing clues to their identity
 Data only stores in RAM if connected to
power, so pulling the plug could erase all
data in RAM.
 Data from instant messages may possibly
remain.

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-19
An investigator can also document all
installed and running programs.
 This may lead to discovery of malicious
software used to hack the system.
 This process involves using special
software designed to document these
items

FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-20



Live network traffic travels in “data
packets” and also contain the source
and destination IP address.
This is useful if the attack required two
way communication.
(ex: A hacker steals data that needs
to be transmitted back to his/her
computer.)
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-21



To get there, the destination IP address is
needed.
Once this is learned, the investigation can
focus on that system.
Moreover, the type of data that is being
transmitted on the network may be a clue
as to what type of attack is being
launched, if any important data is being
stolen, or types of malicious software, if
any, that are involved in the attack.
FORENSIC SCIENCE
An Introduction
By Richard Saferstein
PRENTICE HALL
©2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-22