This post was republished to Triathlon John at 17:51:12 17/12/2014
Introduction to computer forensics and investigations
These are my notes from the course provided by OpenLearn, they are not intended to provide guidance in a work environment and I accept no responsibility for how these are used – they are simply my notes made from studying.

Introduction

Area glamorised by television shows and movies.
Other terms also used to describe area include:

• Computer forensics
• Forensic computing
• Network forensics
• Incident response
• Incident management
• Forensic investigations

Learning outcomes

• Gain an understanding of computer forensics both in business & private world
• Identify some of the current techniques & tools for forensic examinations
• Describe & identify basic principles of good professional practise for a forensic computing practitioner
• Become familiar with some forensic tools & know how to apply them in different situations

Setting the scene

Tools

• USBDeview
  • Shows list of and history of USB devices plugged into computer
  • http://download.cnet.com/USBDeview/3000-2094_4-10614190.html?tag=mncol;1
• Helix 3
  • Incident response & computer forensics
  • Live CD built on Ubuntu
  • http://www.e-fense.com/products.php

Exercise 1

• Blain’s laptop/netbook was left unlocked in kitchen area.
• Blain gained unauthorised access to Crispin’s PC.
• Blain deceived person who challenged him over use of PC.

• Should have reported evidence to senior management
• Investigations must:
  • Be properly commissioned
  • Clearly define purpose
  • Clearly define scope – single instance or determine any of cases
• Continuity of evidence
• Contamination of evidence – once plugged in to laptop, data is written to USB
• Breach of
  • Right to privacy
  • Institutional rules
  • Code of conduct
• Proportionality test
• Circumstantial evidence
  • Cache page of eBay ad
• Affected evidence reliability
  • Blain’s use of Crispin’s computer contaminates files
• Work on forensic copy
• Keep contemporaneous notes

Summary:

• Ensure investigation is properly commissioned and scoped by management
• Ensure you have received signed authorisation from senior management and ensure that they determined necessity and proportionality
• Make sure evidence is gathered in a forensically sound manner, so that others can reproduce your actions
• Take care not to contaminate the evidence through your actions
• Make sure evidence is stored and handled securely. Preferably use tamper-proof bags which are signed and dated
• Ensure you make contemporaneous notes, either in a bound notebook or specialised note-taking software, such as CaseNotes

A bit of practical fun

Download USBDeview and Helix using the links above.
USBDeview is an exe which can be run from its folder.
Helix is an ISO which needs to be burnt to disc.
Finding passwords

• Certain protocols keep passwords secret or do not store them but many do such as web browsers
• Helix has several ‘password viewer’ tools on page 3 of Incident Response section
  • Password protected MS Outlook PST files
  • MS Messenger
• System Information for Windows (SIW)
  • Provides comprehensive list of hardware and software resources
  • Can find number of passwords including those for
    • ISP
    • Amazon
    • eBay
    • other e-commerce retailers
  • http://www.gtopala.com/
• Windows Secret Explorer
  • Finds and displays even more passwords
  • http://lastbit.com/wse/default.asp

Windows File Analyzer (WFA)

• Designed for XP
• Only .dat functionality works on Vista and Win 7
• C:\$Recycle.Bin win Vista and Win 7
• Functions:
  • Analysing thumbnails
    • db
    • Can display thumbnails of images no longer in folder
    • Not always reliable – program wrong or db corrupt?
    • Use http://www.thumbnailexpert.com/ for Vista and Win 7
  • Analysing shortcuts
    • Most desktop and Start menu items, including Recent Items, are lnk files
    • Provides:
      • Path to substantive document
      • Created date/time
      • Last accessed date/time
      • MAC address
      • Computer name from NetBIOS
    • Last accessed times may appear the same – issue with program?
  • Analysing index.dat
    • dat contains list of web pages cached on local computer
    • Interrogates index.dat and cookies to list all URLs it can find
    • IECacheView is free tool for analysing cache
    • NetAnalysis is commercial tool used by forensic practitioners
  • Analysing the Recycle Bin (Win XP)
    • Windows uses INFO2 hidden file (one for each partition)
    • This option allows for viewing of that file
  • http://www.mitec.cz/wfa.html

Additional activity

The activities reviewed previously would allow for someone to investigate the web sites visited by the user of a computer. They could prove the likelihood of a user visiting a specific website and performing certain actions – the images viewed as one example. It is likely necessary for more advanced software to be used to provide solid evidence and also correct procedures to be followed.

Summary

Demonstrated what kind of artefacts are left behind on a user’s computer.
Provided a look at different tools that can be used to carry out an investigation although the quality of the results between the two were varied.
Outlined how an investigation should be conducted correctly in order to produce evidence which would be submissible.