Technology for Computer Forensics

Thesis Proposal

By

Alicia Castro

As part of the requirements for the degree of

Master of Engineering in Software Engineering

University of Colorado, Colorado Springs

Approved by: Date:

_________________________________ _____________________

Dr. Edward Chow:

(Advisor)

__________________________________ _______________________

Committee Member:

__________________________________ _______________________

Committee Member:

1. Introduction

Background Research

The objective of computer forensics is to find legal evidence in computers and digital storage media. The goal of computer forensics is to explain the current state of a digital artifact. There are many reasons to employ the techniques of computer forensics, such as legal cases, data recovery, gathering evidence against an employee, debugging, performance optimization or reverse engineering [2, 4].

Special expertise and tools are required to gather computer forensic data; these are not easily available products for the average user. There are many forensic toolkits used by law enforcement agencies; the most common in use is EnCase, because its results are more easily admitted in court. There are also many open source tools, such as Helix and Autopsy.

The forensic tools are used to analyze digital data and often find evidence that someone did or did not commit a crime. As the tool output may be evidence in a court trial, it must meet certain legal requirements [1].

The proper way to test forensic tools is by using an open method. Requirements must be created for each tool type, and corresponding tests must be designed that enforce the requirements. Using specific test conditions for all tools can only go so far at catching bugs because of the large number of possible tests [14].
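As an added illustration of turning a requirement into a test that enforces it (example code written for this page, not part of the proposal or of any tool it names), the following Python script builds a constructed miniature disk image, "deletes" a file by clearing its directory record, and checks that a simple signature carver still recovers the file byte-for-byte against a known hash. The sector layout, the JPEG-like file format, the carver and the requirement names are all assumptions.

```python
import hashlib
import struct

# Constructed miniature "disk": 8 sectors of 512 bytes. Sector 0 holds one
# directory record (start sector, length); file data lives in later sectors.
# Layout, file format and requirement names are assumptions for this example.
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff\xe0"   # JPEG/JFIF start-of-image signature
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker


def build_image(payload: bytes) -> bytearray:
    """Write one JPEG-like file at sector 3 and record it in the directory."""
    img = bytearray(SECTOR * 8)
    data = JPEG_SOI + payload + JPEG_EOI
    start = 3 * SECTOR
    img[start:start + len(data)] = data
    img[0:8] = struct.pack("<II", 3, len(data))
    return img


def delete_file(img: bytearray) -> None:
    """Ordinary deletion: the directory record is cleared, the data remains."""
    img[0:8] = bytes(8)


def directory_listing(img: bytearray) -> list:
    """What a logical (directory-based) view of the image shows."""
    start, length = struct.unpack("<II", img[0:8])
    if length == 0:
        return []
    return [bytes(img[start * SECTOR:start * SECTOR + length])]


def carve_jpegs(img: bytearray) -> list:
    """Signature-based carving: every SOI..EOI span, ignoring the directory."""
    found, pos = [], img.find(JPEG_SOI)
    while pos != -1:
        end = img.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(img[pos:end + len(JPEG_EOI)]))
        pos = img.find(JPEG_SOI, end + len(JPEG_EOI))
    return found


def run_requirement_tests() -> dict:
    """Each requirement becomes a pass/fail check against a known-answer image."""
    payload = b"constructed sample image body " * 20      # constructed content
    expected = hashlib.sha256(JPEG_SOI + payload + JPEG_EOI).hexdigest()
    img = build_image(payload)
    delete_file(img)
    recovered = carve_jpegs(img)
    return {
        "R1 deleted file not visible logically": directory_listing(img) == [],
        "R2 carver recovers exactly one file": len(recovered) == 1,
        "R3 recovered content matches known hash":
            bool(recovered) and hashlib.sha256(recovered[0]).hexdigest() == expected,
        "R4 no false positives on blank media": carve_jpegs(bytearray(SECTOR * 8)) == [],
    }
```

Each entry of the returned dictionary is one requirement with its pass/fail result, so a failing tool version is pinpointed to the requirement it violates rather than to a vague "recovery did not work".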

2. Project Scope

This thesis addresses software that is used for digital forensics analysis. The goal of this thesis is to combine various existing technologies and make the enhancements necessary for law enforcement agencies.

The first part of this thesis provides a brief overview of the necessary precautions and requirements for data to be used as evidence for an investigation.

· Unique computer issues: special problems with computers

· Initial considerations: what to ascertain when a business is involved

· Value of a technical expert: involve a technical person early

· Drafting the warrant: technical and practical considerations; information belonging to third parties and privileged information may be found

· Execution of the warrant: on-scene personnel needed; time limit for execution and return

· Follow-up warrants: no warrant needed to break passwords or encryption; discovery of evidence of other crimes

· Consent: consent to search

The second part of this thesis provides an overview of prosecuting cases that involve computers.

· Devices subject to forensic examination

· Digital storage

· Forensic examination of erased or deleted files, slack space and steganography

· Types of evidence

The third part focuses on the enhancement and testing of existing forensic software.

· EnCase

· Recover my files

· MountImagePro

Existing Forensic Toolkits

· EnCase is one of the most popular forensic tools used by law enforcement in Colorado. EnCase Forensic facilitates the search, identification, collection, preservation, analysis and reporting of digital evidence. EnCase Enterprise provides network-enabled search, identification, preservation, analysis and reporting of digital evidence on employee computers and file servers, primarily for internal investigations such as fraud, HR matters and computer incident analysis. Both EnCase Forensic and EnCase Enterprise use the EnCase Evidence file format, which is the only digital evidence container that has withstood numerous challenges and been validated in courts worldwide [3]. Why is it so difficult for computer forensic tools to be accepted by the court?

· EnCase will view data in many formats (including ZIP file contents), does not have to be preloaded onto a system to function, and will find evidence that can be used in a court of law. The only way to keep EnCase from seeing what you have done on a system is to DoD-wipe a file upon deletion and continually wipe slack and free space on disks [5].

· EnCase had several new features added in 2008. Those features will be tested during the testing phase.

Proposed Design and Improvements

· Testing all the new enhancements (2008) made to EnCase.

· Design new queries for the EnCase tools. Users want a series of queries covering their most popular investigation routines.

· Find an open source forensic tool and adapt it to the user’s needs

3. Thesis Plan & Schedule

1. - Requirement analysis (August 26, 2008 - December 12, 2008)

· Identify and understand the problem domain

· Identify the problem

· Evaluate possible prototypes

· Define requirements

· Present Proposal and obtain official approval

2. - Planning (January 3, 2009-January 10, 2008)

· Identify and obtain resources needed

· Define thesis plan and schedule

3. - Design (January 5, 2009-January 15, 2009)

· Design initial test prototype and evaluate design

· Refine and finalize design

4. - Implementation & Testing (January 5, 2009-March 5, 2009)

· Create prototypes

· Testing prototypes

· Refine prototypes

5. - Project Closure (March 5, 2009-April 20, 2009)

· Present final data and obtain approval

4. Deliverables

1. - Source code to be adapted to EnCase and/or an open source toolkit.

2. - Thesis report documenting the design, implementation and testing of the product

3. - An analysis report on the usability and maintainability of the product

References

[1] Brian Carrier. Defining Digital Forensic Examination and Analysis Tools. http://www.utica.edu/academic/institutes/ecii/ijde/

[2] Detailed Look at Steganographic Techniques and Their Use in an Open-System Environment. http://www.sans.org/reading_room/whitepapers/covert/677.php

[3] Forensic Steganalysis. http://www.ws.binghamton.edu/fridrich/Research/EI5681-63_KS.pdfsis

[4] Guidance Software. EnCase Legal Journal, Second Edition, March 2002. Available at http://www.encase.com/

[5] Mount Forensic Images. http://www.mountimage.com/

[6] NIST. Computer Forensic Tool Testing. http://www.cftt.nist.gov/

[7] Recover My Files. http://www.recovermyfiles.com/

[8] Review of Data Hiding in Digital Images. ftp://skynet.ecn.purdue.edu/pub/dist/delp/pics99-stego/paper.pdf

[9] Simson L. Garfinkel. A Challenge for Forensic Research. http://www.simson.net/ref/2007/Forensic_Corpora.pdf

[10] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics Part 3, 2000c. http://www.securityfocus.com/print/infocus/1246

[11] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics Part 4, 2000c. http://www.securityfocus.com/print/infocus/1247

[12] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics Part 5, 2000c. http://www.securityfocus.com/print/infocus/1248

[13] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics Part 6, 2000c. http://www.securityfocus.com/print/infocus/1249

[14] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics Part 7, 2000c. http://www.securityfocus.com/print/infocus/1250

[15] Wright, Timothy E. The Field Guide for Investigating Computer Crime: Search & Seizure Basics Part 8, 2000c. http://www.securityfocus.com/print/infocus/1251