This article addresses a fast-growing area of security known as forensic security (linked to incident response and the management of digital evidence). It consists of collecting clues and digital evidence from computers and networks (open, unknown, potentially unknown and hidden data) and using that digital information both in legal and administrative proceedings and to improve the security of an organization.
The dark side of computer forensics is the set of antiforensic techniques that pursue exactly the opposite: the destruction, the concealment (for example with steganography) and the contraception of data, that is, preventing data from being created at all, as in the remote execution of a binary that never creates a file on disk. Digital forensic security (computer forensics or forensic computing) attracts growing interest worldwide. The US market for forensic security is expected to reach 630 million dollars by 2009. eDiscovery consists of responding quickly and defensibly to legal requests and investigations for electronic evidence, significantly reducing the risk and costs associated with reactive methods; digital forensic security, for its part, involves the preservation, identification, extraction, documentation and interpretation of computer media for root-cause and/or evidentiary analysis. eDiscovery and digital forensic security currently constitute two fundamental pillars of security programs. They are generally required as part of incident response under compliance regimes such as PCI (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), SOX (Sarbanes-Oxley Act), FFIEC (Federal Financial Institutions Examination Council), DPA (Data Protection Act, UK), Basel II, LOPD-RMS (Organic Law on Data Protection, Regulation on Security Measures), LSSI-CE (Law on Information Society Services and Electronic Commerce), PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), FISMA (Federal Information Security Management Act), etc. Digital evidence is any data stored or transmitted using computers that supports or refutes a theory of how a crime happened, or that bears on critical elements of the crime such as alibi or intent.
Digital evidence can also be defined as any information, whether or not subject to human intervention, that can be extracted from a computer. It must be in a format readable by people or interpretable by a person experienced in the subject. Some examples: recovering thousands of deleted e-mails, investigating after the dismissal of an employee, recovering digital evidence after the hard disk has been formatted, investigating after several users have taken control of the system. Operating systems are ever more complex in lines of code and in the number of files they use. For example, a superficial examination of files fails to notice file names that may have been planted maliciously. The Windows file CMS32.dll (Console Messaging Subsystem Library) is legitimate, whereas wow32.dll (32-bit WOW subsystem library) is malicious; the file kernel32.dll is correct, whereas kerne132.dll is malicious.
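The look-alike file names above (kerne132.dll standing in for kernel32.dll) can be caught mechanically. The following is an added example, not code from the article: it folds confusable glyphs and checks for single-character edits against a small constructed whitelist of system DLL names (the whitelist is an assumption, not a complete inventory of Windows files).

```python
# Added example, not from the article: flag file names that are visually
# confusable with well-known Windows system DLLs, as "kerne132.dll" is with
# "kernel32.dll". KNOWN_SYSTEM_FILES is a small constructed sample.
from pathlib import PureWindowsPath

KNOWN_SYSTEM_FILES = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

# Glyphs that look alike in common fonts, folded onto one canonical letter.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def canonical(name: str) -> str:
    """Lower-case the name and fold confusable glyphs so look-alikes collide."""
    return name.lower().translate(CONFUSABLES)


CANONICAL_KNOWN = {canonical(n): n for n in KNOWN_SYSTEM_FILES}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                  # extra character in a
        elif len(a) < len(b):
            j += 1                  # extra character in b
        else:
            i, j = i + 1, j + 1     # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify(path: str) -> str:
    """Return 'known', 'lookalike of <system file>' or 'unknown' for a path."""
    name = PureWindowsPath(path).name.lower()
    if name in KNOWN_SYSTEM_FILES:
        return "known"
    match = CANONICAL_KNOWN.get(canonical(name))
    if match is None:
        match = next((k for k in sorted(KNOWN_SYSTEM_FILES)
                      if within_one_edit(name, k)), None)
    return f"lookalike of {match}" if match else "unknown"
```

A name that normalizes to a whitelisted one but is not identical to it, or sits one edit away, is worth a second look at its path, signature and load origin.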
Characterization of computer forensics. Incident response
Different definitions of computer forensics exist: (1) the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any judicial or administrative proceeding; that is, recovering data according to the rules of evidence. (2) Obtaining and analyzing digital data to secure evidence in administrative, civil or criminal cases. (3) Scientifically examining and analyzing data from computer storage media so that the data can be used as digital evidence in court. (4) The application of the scientific method to digital storage media to establish fact-based information for judicial review. (5) Preserving, identifying, extracting, documenting and interpreting computer storage media in search of evidence and/or root-cause analysis. Various methods are used, such as: (i) discovering data on a computer system; (ii) recovering information from deleted, encrypted or damaged files; (iii) monitoring the activity that took place; (iv) detecting violations of corporate policy. What is collected makes possible the arrest, the prosecution, the dismissal of the employee and the prevention of future illegal activity. Digital evidence is any information, whether or not subject to human intervention, that can be extracted from a computer; it must be in a format readable by people and interpretable by a person experienced in the subject. Examples of applying computer forensics: recovering thousands of deleted e-mails, investigating after dismissing an employee, recovering evidence after a hard disk has been formatted, investigating after many users have taken control of the computer.
(6) The use of specialized techniques to recover, authenticate and analyze electronic data when a case raises questions about reconstructing computer use, examining residual data, authenticating data by technical analysis, or explaining the technical characteristics of data and computer use. Computer forensics requires specialized experts who go beyond the normal data collection and preservation techniques available to end users or system support staff. Incident response pursues the following objectives: identify, designate or safeguard evidence; review any existing logs on the system and/or how the intrusion was detected; start a new log or keep the existing one; install monitoring tools (sniffers, port detectors) without restarting the system or disturbing running processes; make a copy of the physical disk; capture network information; capture processes and files in use (DLL, exe, etc.); capture configuration information; collect and sign data.
Figure 2. Attacks and defenses in the data-acquisition phase of forensic security.
Reasons for antiforensics. Foundations
Computer antiforensics is the application of scientific methods to digital storage media to invalidate fact-based information so that it cannot be used in legal proceedings. Antiforensics is software that limits and/or modifies the evidence a forensic investigator could gather after an incident. It makes it possible to hide or distort the data of digital evidence, and it exploits the limitations of the well-known, widely used forensic tools. It works on different operating systems (Windows, Linux, Unix, etc.) and is placed on the computer before or after its acquisition. The motives for computer antiforensics are diverse; it can be used to: (1) validate forensic tools and techniques, which can improve processes such as JDFP; (2) exonerate a guilty party who deletes or modifies data to avoid being fired or losing a court case; (3) incriminate an innocent party by planting false data. The foundations of computer antiforensics (AF) are: (a) Assumptions. The data are evidence, we trust our tools, and our analysts will find everything. (b) Process. Understand the process better than the good technicians do; theorize about weaknesses; test the theory. (c) Attacks. Three areas can be distinguished: (i) attacking the data, using techniques of contraception, concealment, very low-level destruction, manipulation and fabrication; (ii) attacking the tools, finding gaps in their coverage and tricks that falsify their analysis; (iii) attacking the analysts. Information is power, and attackers withhold knowledge. Attackers need only one place to hide; analysts must check every place.
Figure 3. Guide to evidence processing in forensic security.
Computer forensics. What it can reveal. Where to look for evidence
A forensic investigation of computer hacking is the process of detecting hacking attacks, properly extracting evidence to report the possible crime, and auditing to prevent future attacks. Computer forensics is the application of computer analysis and investigation techniques to determine potential legal digital evidence. Computer forensics can reveal: (1) how the intruder entered the corporate network; (2) the path followed; (3) the intrusion techniques; (4) the clues and digital evidence that can be collected. A forensic investigator can neither solve the case alone nor predict who the suspects are; the investigator is limited to providing hypotheses. Evidence can be sought in: (i) computers in the surroundings, in the form of logs, files, environment data and tools; (ii) the firewall, in the form of logs, whether it is the victim of the attack or an intermediary in front of the victim; (iii) network interconnection devices (switches, bridges, routers, etc.), in the form of logs and buffers; (iv) the victim's computer, in the form of logs, files, environment data, altered configuration files, leftover trojan files, stolen files whose hash does not match, trojans, viruses, worms, stored files, altered web remnants, etc. Ways of hiding files: (a) using the operating system itself, for example Windows, to hide files; (b) giving text the same color as the screen background; (c) changing the file extension, for example from .doc to .xls; (d) erasing disks and using a recovery utility; (e) using steganography; (f) emptying the recycle bin. Some resources for forensic security: (1) The Coroner's Toolkit (free) http://www.porcupine.org/forensics/tct.htm; (2) the TASK tool (free) http://atstake.com/research/tools/task; (3) the EnCase tool (commercial) http://www.guidancesoftware.com; (4) the DriveSpy tool (commercial) http://www.digitalintel.com.
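Technique (c), renaming a file's extension, is detected by comparing the extension with the content signature at the start of the file. The following is an added example, not code from the article; the signature table and the sample headers are constructed for illustration.

```python
# Added example, not from the article: compare a file's extension with the
# content signature ("magic bytes") at the start of the file, the check that
# catches an extension swap when the renamed file is of a different format.
from pathlib import PurePath
from typing import Dict, Optional

# (leading bytes, content kind, extensions that legitimately carry that kind)
SIGNATURES = [
    (b"MZ", "pe-executable", {"exe", "dll", "sys", "scr"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip-container", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-container", {"doc", "xls", "ppt", "msg"}),
]


def identify(header: bytes) -> Optional[str]:
    """Name the content kind from the first bytes of a file, or None if unknown."""
    for magic, kind, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_extension(path: str, header: bytes) -> str:
    """'consistent', 'unknown', or 'mismatch: <kind> content with .<ext> extension'."""
    ext = PurePath(path).suffix.lstrip(".").lower()
    kind = identify(header)
    if kind is None:
        return "unknown"
    allowed = next(exts for _, k, exts in SIGNATURES if k == kind)
    if ext in allowed:
        return "consistent"
    return f"mismatch: {kind} content with .{ext} extension"


def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Run the check over a {path: leading bytes} map and report per file."""
    return {path: check_extension(path, header) for path, header in samples.items()}


# Constructed sample headers (not real files from any case).
SAMPLES = {
    "quarterly.xls": b"MZ\x90\x00\x03\x00" + b"\x00" * 10,  # executable renamed as a spreadsheet
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "notes.txt": b"meeting notes\n",
}
```

Legacy .doc and .xls files share the same OLE2 container signature, so the exact swap named in (c) passes this header check; telling them apart requires opening the container and looking at its stream names (WordDocument versus Workbook).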
Figure 4. Phases of network forensics.
Forensic security in business. Who uses forensic security. Phases of forensic security
There is a growing field of applications and great interest in the area of information security known as computer forensics; for example, in business it is used to identify and trace: theft/destruction of intellectual property, unauthorized activity, Internet browsing habits, reconstruction of events, inference of intentions, selling a company's bandwidth, software piracy, sexual harassment, and claims of unfair dismissal. Forensic security is used by a growing group of people, among others: (1) those who prosecute offenders and criminals, relying on the evidence obtained from the suspect's computer and networks, which the investigator uses as proof; (2) civil and administrative litigation, where business and personal data found on a computer can be used in cases of harassment, discrimination, divorce, fraud, etc., or to improve security; (3) insurance agencies, where digital evidence found on computers can be used to offset costs (fraud, workers' compensation, arson, etc.); (4) private corporations, where evidence obtained from employees' computers can be used as proof in cases of harassment, fraud and embezzlement; (5) law enforcement, to support search warrants and post-seizure handling; (6) private individuals, who hire specialist forensic professionals to support complaints of harassment, abuse, wrongful dismissal, etc., or to improve security. The phases of computer forensics are: (1) Acquisition or collection of evidence data. This consists of obtaining physical or remote possession of the computer, all of the system's network mappings, and external physical storage devices. It includes authentication of the evidence, the chain of custody, documentation and preservation of the evidence.
(2) Identification and analysis of data. Identify what data can be recovered and recover it electronically by running various computer forensic tools and software suites. Automated analysis is done with tools; manual analysis relies on experience and training. (3) Evaluation. Evaluate the recovered information/data to determine whether and how it can be used for or against the suspect, with a view to dismissing the employee or taking the case to trial. (4) Presentation of findings. Present the evidence found so that lawyers and non-technical staff understand it; the presentation may be oral or written. Some weaknesses of the forensic process are: (1) in the data-collection phase, if a broken chain of custody or incomplete data collection is identified; (2) in the data-analysis phase, if an inadequate methodology, training or tools are used; (3) in the presentation phase, if it is easy to sow doubt about the findings presented. Attackers then try to act on and exploit vulnerabilities in these three areas.
Figure 5. Positive and negative aspects of digital evidence. Potential sources of electronic digital evidence.
Challenges of forensic security. Evidence management
The information and data sought after the incident and collected during the investigation must be handled appropriately. They may be: (1) Volatile information, including: (i) network information: communication between the system and the network; (ii) active processes: programs currently running on the system; (iii) logged-in users: users and employees currently using the system; (iv) open files: hidden libraries in use, files, trojans/rootkits loaded in the system. (2) Non-volatile information. This includes information, configuration data, system files and registry data that remain available after a restart. This information is examined and reviewed from a backup copy. Fixed hard disks may have a SATA connection at 5400 rpm and 320 GB capacity; removable disks may be Seagate units of 140 GB at 15K rpm with a SCSI connection.
Figure 6. Techniques for uncovering hidden information in forensic security.
Evidence management has the same objectives as forensic security, namely: (a) Admissibility of evidence. Legal rules determine whether potential evidence may or may not be considered by a court. Evidence must be obtained so that its authenticity and validity are assured, and it must not have undergone any alteration. (b) Computer search procedures must not damage, destroy or compromise the evidence. (c) Viruses must be prevented from being introduced into the computer during the analysis process. (d) The extracted/revealed evidence must be protected from possible mechanical or electromagnetic damage. (e) A continuous chain of custody must be established and maintained. (f) The time during which business operations are affected must be limited. (g) Any client information that may inadvertently have been acquired during a forensic examination must not be disclosed and must be respected (from an ethical and legal point of view).
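The authentication of evidence and chain of custody required by the acquisition phase above, and the admissibility condition (a) that the evidence has undergone no alteration, are enforced in practice by hashing the acquired data and keeping a signed custody record. The following is an added example, not code from the article; the case id, handler names, timestamps, signing key and "image" bytes are constructed placeholders.

```python
# Added example, not from the article: authenticate an acquired evidence image
# with a SHA-256 digest, keep a signed chain-of-custody record, and check later
# that neither the image nor the record has been altered.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List


def digest(data: bytes) -> str:
    """SHA-256 of the acquired data, the value written on the evidence label."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled the evidence, when, and its digest."""

    def __init__(self, case_id: str, signing_key: bytes):
        self.case_id = case_id
        self._key = signing_key            # examiner's key, a placeholder here
        self.entries: List[Dict[str, str]] = []

    def _sign(self, entry: Dict[str, str]) -> str:
        body = {k: v for k, v in entry.items() if k != "signature"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, "sha256").hexdigest()

    def record(self, data: bytes, handler: str, action: str, when: datetime) -> Dict[str, str]:
        entry = {"case": self.case_id, "handler": handler, "action": action,
                 "time": when.isoformat(), "sha256": digest(data)}
        entry["signature"] = self._sign(entry)
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> List[str]:
        """Report forged entries and digests that no longer match the data held."""
        problems = []
        current = digest(data)
        for e in self.entries:
            if not hmac.compare_digest(self._sign(e), e["signature"]):
                problems.append(f"signature invalid: '{e['action']}' by {e['handler']}")
            if e["sha256"] != current:
                problems.append(f"digest mismatch: '{e['action']}' by {e['handler']}")
        return problems


# Constructed evidence image and key, stand-ins for a real acquisition.
IMAGE = b"constructed disk image bytes " * 64
KEY = b"examiner-signing-key-placeholder"


def build_log() -> CustodyLog:
    """Record the acquisition of IMAGE and one hand-over between examiners."""
    log = CustodyLog("CASE-0001", KEY)
    t0 = datetime(2009, 1, 5, 9, 0, tzinfo=timezone.utc)
    log.record(IMAGE, "examiner A", "acquired image", t0)
    log.record(IMAGE, "examiner B", "received for analysis", t0.replace(hour=11))
    return log
```

Calling verify() with the data presented for analysis gives an empty list when every custody entry is intact and the digest still matches; a single changed byte in the image, or an edited custody entry, is reported by entry.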
Questions around forensic security. Final remarks
Our research group has been working for more than fifteen years in the field of forensic security and its related areas, such as antiforensics, evidence management and incident response. Hardware and software deployments on networks have been evaluated. The connection between forensic security and penetration testing to improve the security of an organization is evident.
This article is part of the activities carried out within the LEFIS-APTICE project (funded by Socrates 2005-2007, European Commission).
Author: Prof. Dr. Javier Areitio Bertolín - E-mail: jareitio@eside.deusto.es