Archive for the ‘digital forensics’ Category

The book I read to research this post was Digital Child Pornography: An Investigative Guide by Chad Steel, which is an excellent book that I read on Kindle Unlimited. This book appears to be the only one on Kindle Unlimited on this topic, and it does a really good job of explaining how it is investigated. I’m quite interested in digital forensics, but in this day and age of paedophiles using sites like XboxLive.com to groom children and setting up groups on Facebook, if you are, for example, a parent you perhaps should read this book. Traditionally these people used invitation-only back rooms in adult bookshops. For a long time it was on the decline; perhaps the worst thing about the internet has been the proliferation of this. Some misguided people think they are just browsing when they view this kind of thing, but there is a very real problem in that on these sites they often request all sorts of sick perversions that the owners then provide. In Britain there is talk of passing a law making requesting child porn a crime. Often they use P2P sites, some of the older ones being BitTorrent and LimeWire. These sites often don’t check what is being uploaded, apart from being illegal in themselves. There are all sorts of weird so-called genres within this, and even something like manga is illegal to possess if it is based around this kind of thing. Bear in mind that even if you format your hard drive after having this kind of material on it, it can still be recovered. They can use special wiping software, though. At one time, to prosecute someone for having indecent images they had to prove a financial transaction of some kind had taken place. This often led to law enforcement dropping many cases because of the difficulties in investigating it. When law enforcement interview a suspect they will usually start small and try to get him to admit to a lesser offence, say downloading child porn, and build on that gradually by trying to get him to admit to more serious things.
They will also often use technical terms, and if the suspect doesn’t ask what they mean and appears to understand them, that is also a sign he is guilty. They have to be careful about pressuring a suspect and must give him regular breaks and so on; we have all heard of cases where someone is pressured so much they say something like “look, what do I have to say to get out of here”. Obviously that kind of thing can result in an unsafe conviction. I did quite enjoy this book and do recommend it.

The book I read to research this post was Real Digital Forensics by Keith J. Jones et al., which is a very good book that I bought from Amazon. This book is around 640 pages, so it is quite a substantial size. It is quite a technical book that takes you by the hand, in a kind of tutorial, through what to do if your computer network gets a virus or other malware, in both Linux and Windows. Some of the steps seem quite easy and might seem a bit obvious, like using a digital camera to photograph evidence that is on the screen, or pulling the cable out of whatever you access the internet with if you fear confidential information is being accessed. A lot of viruses are killed if you restart the computer or network, and while restarting the network might be a problem, you might also not want to do so prior to collecting evidence. It is because the hacker is trying to remain obvious that they often allow the malware to be killed easily. Other times, of course, it will be necessary to run anti-virus, which you should run regularly anyway, and also make sure it has effectively disinfected the computer, because some malware requires unusual steps to be taken. I had one that required the computer to have System Restore turned off while the process was running, for example. Anti-virus also applies to devices like mobile phones and tablets, and this book recommends a program called HotSync, which is a free program you can download for PDAs. This book doesn’t cover things like Android, as I think it is a few years old. You also should check what ports are being used and what files are being accessed, as well as where suspect files have come from. If a computer or network is breached there is bound to be evidence like this. A virus will typically keep trying different ports to try to access other computers and the internet, which is another tell-tale sign. You can often use a program called Snort, in one of its versions, for this. Another program, ideal for wireless networks, is Wireshark.
I did quite enjoy this book and do recommend it. I think ideally you want to have this book open while you repeat the steps, rather than just reading it.


The book I read to research this post was Building A Computer Forensics Business by Ron McFarland Ph.D., which is a very good book that I read on Kindle Unlimited. This book is about the nitty-gritty of running a digital forensics business, and it does a good job in that respect. It doesn’t go into much detail about digital forensics itself, but then there are plenty of books on that subject, and you should be quite knowledgeable about it if you are considering going into business. Your main emphasis should be on specializing within the subject and doing a few things really well. You can subcontract out work you are less competent at. The author even has a Commodore 64, because you never know what possibly antiquated hardware you may be called upon to analyze. Certainly you should have lots of different types of cables, especially things like FireWire and the USB variants. A lot of their work involves checking the work of employees for possible violations in companies. They are often required to interview employees in cases like corporate networks being hacked or espionage. They are sometimes asked to come up with company policies for new employees to abide by. If you are required to be an expert witness in court there will normally be quite a lot of waiting time, and time spent reviewing case notes, in addition to the forensic work, all of which has to be billed for. You frequently have to attend training courses in different aspects of your work, so you must charge a high hourly rate to make up for this. The place you work in must be very secure, with surveillance cameras around it, and you must make people sign in and out as they come and go, as often someone like a defence attorney will want to know whether there is any way the evidence could have been tampered with. Anybody who handles evidence must sign to say they have done so; this is called the chain of custody. Employees must also be safe there from potential criminals who may try to get revenge on the company.
I did quite enjoy reading this book, which I think is around 90 pages, so it is quite short. I do recommend it.

The book I read to research this post was Introduction To Computer Evidence For Lawyers by Barrister Karl Obayi, which is a very good book that I read on Kindle Unlimited. This book is written by a computer forensic expert and a lawyer who works for a law firm based in London and Lagos. Most lawyers are a bit unknowledgeable about computer forensics, and this book addresses that. It doesn’t go into the legal procedures for presenting evidence, because they should be well versed in that. It’s funny that a lot of lawyers can use, say, PowerPoint for a presentation or Word for a letter, yet are a bit in the dark on this subject. Some lawyers know next to nothing about computers, leaving any kind of computer work to the secretary. There is a huge amount of potential evidence in many trials, probably too much for the existing digital forensic infrastructure to handle, and much of it is overlooked. It isn’t just computers but things like game consoles, smartphones and digital cameras, to name but a few. It has to be made clear that if, say, the prosecution call an expert witness, he is under no pressure to come up with corroborating evidence; he is working independently. They will often have meetings at least two weeks before the trial date to debrief. A lot of supposed experts aren’t really experts. It is surprising how often people assume that someone like a computer engineer, who may have excellent qualifications in their own field, is a computer forensic expert when they aren’t. Also, if they need to assess what is on an Android smartphone, say, they need a specialist to do that. A lot of computer forensic specialists have to turn down work because they aren’t specialists in that type of work. It only takes one transgression of justice and that expert or laboratory becomes useless in future cases. This is a book I really enjoyed reading, even though I’m not a lawyer or computer forensic expert. I have an interest in it though, and I definitely recommend the book.


This is the last in my series of blog posts on computer forensics based on what I have learnt from the Infinite Skills course. A big thing in computing is virtualization, where you can run something like a potential virus or suspect driver in a sandbox, where it can run but the damage it can do is limited. There are two types of virtualization: one where it runs on top of the operating system, and one where the operating system runs on the virtualization software. This also lets you run multiple operating systems on the same computer. Examples of virtualization software are VMware and Hyper-V. There is a website at http://totalvirus.com where you can have a suspect file or URL analyzed for viruses, and the service is free. Often if your computer becomes infected you will want to remove the virus, but also to know what damage the virus has done, in order to mitigate any problems.

There are a lot of utilities that will let you copy the contents of a smartphone to a computer, and many are free. One issue is that you must prove the contents came from the phone, which is sometimes contested. On most smartphones the system memory is on a separate partition from the storage. You will also have to analyze the SIM card separately. On an Android phone most files are named descriptively, but there is more room for misnaming files on an iPhone. If you are interrogating a Symbian phone you will usually have to use the tools that came with the phone, which can cause problems. Most software that interrogates an iPhone only works on an Apple Mac. This kind of software will often reconstruct images on the computer, which you may have to check. Often on smartphones the contacts list is on the SIM card. Some software will also bypass the PIN or password if it’s not available, but you might not be able to access everything without it. To get this kind of software it’s best to either do a search in a search engine like Google or look on bulletin boards on the internet.

This is another blog post in my series on Computer Forensics based on the course I am doing with Infinite Skills. In this post I am going to look at network security and hacking. There are many types of hacking, and within types like denial of service attacks there are many different variants. There are a lot of websites devoted to downloads of denial of service attack tools. Many of these are out of date and haven’t been updated, so they won’t work on a newish network. There is a type of denial of service attack called ARP poisoning which doesn’t necessarily knock the computer out of action but adds data to the computer’s workload; it is when you listen in, via a program, to the traffic going to and from that computer. Wireshark is probably the industry-standard program for tracking traffic on a wireless network, but there is a program called NetworkMiner which is a bit simpler to use. There is another type of attack called a brute force attack, which is when a computer is bombarded with random passwords, often done sequentially, until it accepts the right one. There are programs where you just set the program up and it will do this automatically. There is a thing called white hat cracking, or penetration testing, which is when a company hires someone to test the soundness of their network. No network will stand up forever to an attack, but you have to give the hacker such a difficult time that he will think it isn’t worth the bother. If a network is under attack you shouldn’t reboot it or interrogate the server. Rebooting will make you lose any trace of the virus in a lot of cases. Running diagnostic software on the server is liable to tip off the hacker, who can then take appropriate action. You should run the diagnostic software on one of the workstations and access the network from there.
In a very serious attack sometimes the network administrator will literally pull out the broadband or network cable, and it doesn’t cause as much damage as you might think, although they have probably, as a result, lost the ability to trace where the virus came from.


This is the latest in my series of posts on Computer Forensics based on the course I am doing with Infinite Skills. I will first look at the computer forensics software EnCase, which is probably the market leader; its primary purpose is to find and analyze files. It can analyze a sector on a hard drive and tell the type of file, and even partially recover a deleted file. If you select a file within the EnCase program, various information about its properties will be shown when you press Report. Another very similar program is FTK, although that works in Linux. EnCase works with Windows. There are also various built-in programs like Windows Process Manager that can be used in connection with computer forensics. Many computer forensics programs use AFF, or advanced forensic files, as the file structure within the software. EnCase has its own proprietary file system. In general computers should have NTFS as their file system, as you can attach conditions as to who can do what within a program. FAT32, good as it is, doesn’t have this permissions feature. CDs tend to use either ISO 9660 or Joliet as their file structure.

I have started a video training tutorial in Computer Forensics by Infinite Skills and will be writing up some of what I learn in a series of daily blog posts. Computer forensics conjures up ideas of someone analyzing what is on a computer and then giving testimony in court, but these skills are also useful to other professionals, like a malware analyst working for an anti-virus software developer or a security or network administrator. To become a computer forensic expert you need to understand a lot of different disciplines, like the various operating systems and how to use the specialist software and file types, to name a few. You particularly need to understand the Unix and Windows operating systems. You will copy what is on a computer and normally work on the copy, and will use write-blocking hardware or software to copy the hard drive. You can’t change anything on the suspect computer, otherwise the evidence becomes inadmissible. You also must be ethical, and many certifications like CISSP and Ethical Hacker have detailed codes of ethics for their members. You must never take a case which involves a subject you aren’t knowledgeable about, as the case is likely to be thrown out, and you must also never swap sides or be paid according to the outcome, whether guilty or not guilty. One job you must do is check the properties of programs and files on a suspect computer, and to do this you right-click and choose Properties. In particular you are looking for any changes or modifications to the program and when it was installed. File types and saved work are also important. If you are working in Windows there is a program called Compare It which compares two files and tells you, in the form of a hash value, whether or not they are identical. On Linux there is md5sum, which does a similar job. I will be continuing this tomorrow.

The book I read to research this post was Android Forensics by Andrew Hoog, which is a very good book that I read at http://safaribooksonline.com.

This book is a how-to guide to doing digital forensics on an Android smartphone. Most of the software used in the tutorials is open source, although in some cases it’s free to people who are employed in digital forensics labs but the rest of us have to pay for it. Much of the process of interrogating a smartphone is very complicated. There is a very interesting section on the history of Android, which was developed by Android Inc. before Google bought them out. It’s based on the Linux 2.6 kernel. There is also an operating system called Minix, which is a sort of Linux or Unix software that runs on Apple Macs.

When interrogating a phone, ideally the SIM card should be removed and the wireless carrier contract should be suspended, to make sure the data doesn’t change in any way. Also put it in a Faraday bag to prevent unwanted transmissions. Sometimes the SD card has to be removed, but the smartphone has to be turned off to do this, and there is a chance, if you have something like a virus, that some of them disappear once you do this, making it impossible to trace. There are a couple of file systems mentioned, but I think the book is showing its age and they may be obsolete on the latest phones. One is FAT32, which of course had widespread use on Windows PCs. The other is YAFFS2, or Yet Another Flash File System, and you might find one of these on older machines. I enjoyed reading this book, although I would advise a complete beginner to read something else.

The book I read to research this post was Malware Forensics Field Guide For Windows Systems by Eoghan Casey et al., which is an excellent book that I bought from Kindle. This book looks at the legal aspects, mostly according to American law, and also looks at the technical aspects of dealing with a virus infestation on either a network or a desktop PC. It lists loads of software that can do the various jobs, far too many to list here, and looks at doing the basics with some of this software. Eoghan is a bit of a legend in digital forensics and I have read quite a lot of books by him. There are also quite a lot of posts on different aspects of digital forensics at my computing blog at http://scratbag.me and my technology blog at http://scratbagroberts.com.

If your computer is attacked by malware it’s best to analyze it in a live state, which means without rebooting it, as rebooting will often destroy any evidence. Many professionals use MD5, or Memory Digest 5, to copy the hard drive. One problem facing you in this job is that there are various types of memory that all need to be copied. Another problem is what you copy it to; in most cases it will be an external hard drive, due to the enormous amount of data. Copying it to writable media like DVD-Rs also takes longer. A good program that will copy a network to another network hard drive is EnCase Enterprise. A lot of malware nowadays contains keyloggers to find things like passwords, something to locate credit card numbers, and an email address for this information to be sent to. One way you can spot malware is to use a port sniffer like Wireshark, because the malware will constantly try to access the internet to send its newfound information. This book is nearly 1,000 pages and covers every aspect of malware, and I really enjoyed reading it.
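The hash-based integrity check that this post and the Infinite Skills post above both lean on (md5sum or Compare It telling you whether two files are identical, and MD5 hashes taken when a drive is copied), written out as an added example rather than code from any of the books or tools reviewed here. A stand-in "drive" is a constructed byte string, hashed while it is copied and re-verified afterwards so that a single changed bit is caught; SHA-256 is computed alongside MD5 as a second check, and all function and record names are my own.

```python
"""Acquire a copy of a drive and prove later that it is unchanged.

Added example, not code from the books or forensic tools in the post. The
source and the image are hashed as they stream past (the way an imaging tool
behind a write blocker does it); the digests go into an acquisition record
that a later re-hash must match exactly.
"""
import hashlib

CHUNK = 4096  # hash in chunks so a real multi-GB image never sits in RAM at once

def hash_stream(chunks, algorithms=("md5", "sha256")):
    """Hash an iterable of byte chunks with several algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def chunked(data, size=CHUNK):
    """Yield successive fixed-size slices of a bytes-like object."""
    for i in range(0, len(data), size):
        yield data[i:i + size]

def acquire(source):
    """Copy `source` and record source and image hashes. Returns (image, record);
    record["verified"] is True only when both hash sets agree."""
    source_hashes = hash_stream(chunked(source))
    image = bytes(source)  # the working copy the examiner analyzes instead of the original
    image_hashes = hash_stream(chunked(image))
    return image, {"source": source_hashes, "image": image_hashes,
                   "verified": source_hashes == image_hashes}

def verify(image, record):
    """Re-hash a working copy (for example before testimony) and confirm it still
    matches the digests captured at acquisition time."""
    return hash_stream(chunked(image)) == record["image"]

# Constructed stand-in for a small drive: a boot-sector-like header, filler, a filename.
SUSPECT_DRIVE = b"\xeb\x58\x90MSDOS5.0" + b"\x00" * 4000 + b"secret.txt" + b"\x00" * 1000

if __name__ == "__main__":
    image, record = acquire(SUSPECT_DRIVE)
    print("acquisition verified:", record["verified"])
    print("image md5:", record["image"]["md5"])
    tampered = bytearray(image)
    tampered[4100] ^= 0x01  # flip one bit deep inside the copy
    print("still matches after a 1-bit change:", verify(bytes(tampered), record))
```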