 Expert Witness Computer Counter-forensics


Subject: Expert Witness Computer Counter-forensics. Posted Tue Sep 13, 2011 1:34 pm

Digital Evidence Triad:

The fragile nature of electronic evidence, coupled with the complexity and skill necessary to conduct an assessment that will bear the scrutiny of a court of law, makes it important to independently confirm and verify the findings of the forensic assessor.

Case preparations involving digital evidence must consider three core areas in greater detail, exploring each facet of the evidence to assess whether best practice and prevailing regulations have been fully adhered to. This also ensures a full appreciation of the available digital evidence, which can then be placed into the context of the allegations and the accompanying physical evidence. These three spheres are:

1: Search & Seizure: The means by which the target media (e.g. hard disks and CDs belonging to the suspect or held at a specific location) were acquired by law enforcement agents and their subsequent preservation through the 'chain of custody'.

2: Preservation of Evidence: Containment and protection of evidence exhibits so as to ensure that fragile and volatile digital evidence is neither corrupted nor tainted.

3: Forensic Assessment & Analysis: Evaluation of media and data to furnish law enforcement agencies with forensically sound evidence that can be presented in a court of law.

Efforts geared towards thwarting or impacting the forensic computing process are levelled at one or more of these spheres.

Physical Safeguards:

In the context of countering digital forensic practitioners, physical security relies on the principle that if a computer system cannot be found, then it cannot be seized by the authorities for examination.

Locked cabinets and steel laptop cables will frustrate efforts to remove devices from the suspect's premises; however, they will be defeated given adequate effort and resources. More advanced approaches to protecting computing devices involve concealing key computer drives or media beneath the floorboards, in the loft space or in out-buildings such as a garage. This can afford a degree of security and ensure that devices remain hidden from investigators. Communication with the device is possible without telltale cabling, relying instead upon encrypted wireless signals.

Anti-tamper devices, such as specialist alarm units which reside within the computer case, can be used to upset and hinder the search and seizure operation. More complex approaches to asset protection include integrated 'anti-seizure' devices which are attached to the computer drive. These are designed to corrupt the hard drive data should any attempt be made to remove the disk or access the system without the use of a special hardware token and password.

File & Application Security:

Investigators will naturally gravitate towards files and folders whose titles appear relevant to the case in hand. Possibly the simplest approach to hiding files or folders is to rename them to something innocuous and unlikely to arouse suspicion.

A more considered approach to hiding information involves moving user data, such as textual reports or financial spreadsheets, into folders which usually contain only files required by the computer for operation (e.g. the system32 or config folders).

Although these approaches help conceal information from the curious or casual observer, the material will undoubtedly be uncovered over the course of a comprehensive forensic examination of the computer drive.

A different approach involves changing how the computer operating system interprets files. Microsoft Windows™, by far the most prevalent desktop computing environment, identifies files, and the program that should be used when they are opened, by the extension of the filename. Extensions take the form of a full stop and three letters appended to a filename, for instance the popular .doc extension that indicates a Microsoft Word™ document.

A somewhat crude but nevertheless effective approach to obscuring information is to change the associated file extensions. This could make a Word document (.doc extension) appear as a bitmap graphic (.bmp extension). When a user attempts to open the file, the default program for the file type, Microsoft Paint™ in this case, will be invoked. Because the file data is actually in Microsoft Word format, Microsoft Paint will not be able to render the information and will return an error.

Such efforts may well help sensitive material pass under the nose of casual observers and individuals intent on identifying files of a particular type, such as graphical images which have extensions including .bmp or .jpeg.
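The extension-renaming trick above is caught by comparing a file's leading bytes (its format signature) with the extension it claims. The following check is an added example, not code from the original post; the sample files are constructed in memory so it runs offline.

```python
"""Flag files whose extension does not match their content signature."""
import os

# Magic-byte signatures (first bytes of the file) for the formats the post
# mentions: OLE2 compound documents (.doc), Windows bitmaps (.bmp), JPEG.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",
    b"BM": "bmp",
    b"\xff\xd8\xff": "jpeg",
}
# Extensions that legitimately carry each content type.
EXPECTED = {
    "doc": {".doc", ".dot", ".xls", ".ppt"},
    "bmp": {".bmp", ".dib"},
    "jpeg": {".jpg", ".jpeg"},
}


def identify(data: bytes):
    """Return the content type implied by the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected content type."""
    ext = os.path.splitext(name)[1].lower()
    kind = identify(data)
    mismatch = kind is not None and ext not in EXPECTED[kind]
    return {"name": name, "ext": ext, "content": kind, "mismatch": mismatch}


def scan(files: dict) -> list:
    """Return the names of files whose extension hides a different format."""
    return [n for n, d in files.items() if check_file(n, d)["mismatch"]]


# Constructed samples: a Word document renamed to .bmp, a genuine bitmap,
# a JPEG renamed to .txt, and a plain text file (no known signature).
SAMPLES = {
    "holiday.bmp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "logo.bmp": b"BM" + b"\x00" * 30,
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
    "readme.txt": b"just text\n",
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("extension/content mismatch:", name)
```

A real examination would use a fuller signature table, but the principle is the same: the content decides the type, not the name.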

A more conventional approach to protecting information is to employ passwords. Starting with Microsoft Office 95, it became possible to password protect office productivity files to counter unauthorised access. Well equipped forensic laboratories have specialist equipment permitting dictionary and brute-force attacks (trying all possible character combinations) against password protected files and programs, so unless a particularly complex pass-phrase is used the security can be broken fairly quickly.

Most users employ passwords based on words found in the English dictionary or words that have meaning to them, such as the name of their spouse or pet. These passwords will not be complex enough to forestall concerted efforts to break the security. Passwords based on non-English words, greater than eight characters in length and using both alphanumeric and non-alphanumeric characters (e.g. exclamation or punctuation marks) offer a level of complexity that is extremely difficult to break.

However, password protection can have serious shortcomings which can be exploited by forensic investigators. Protection of this design usually places a barrier at the beginning of the file, which means that if this safeguard is by-passed, the data contained within can be extracted. A classic example is a forensic examiner using a plain text editor, such as Notepad, to open the password protected document. Many controls, safeguards and features that are in place through Microsoft Word are thus circumvented.

Taking file and application level protection to the next level is the practice of cryptography, the science of securing information using reversible transformations. The word 'cryptography' has its roots in the Greek terms 'cryptos', meaning secret, and 'graphy', meaning writing. Simple ciphers, often known as mono-alphabetic or Caesar ciphers, involve the substitution of letters. The development of digital computing revolutionised cryptography and made today's highly complex and secure cryptographic techniques possible.

With the introduction of Microsoft Windows XP™ an enhanced security feature known as the Encrypting File System (EFS) became readily available to desktop computer users. EFS is a cryptographic support system that permits files, folders and even sections of the hard disk file system to be encrypted using a variant of the Data Encryption Standard (DES) algorithm.

Attacking cryptographic material is referred to as cryptanalysis and requires highly experienced consultants for any reasonable chance of success. Attacks can be levelled at the protocol (i.e. the mechanics of the encryption system employed), the protected file/data, or the interface and environment (i.e. the manner in which the user has interacted with the cryptosystem and/or computer system to produce the secured material).

An increasingly complex approach to concealing information involves placing the material within or around another overt and public carrier, a practice known as steganography. Classic examples of 'stego' include invisible inks or the use of grilles to cover a written message and reveal only selected words or phrases. In a digital context, steganography involves embedding the code that constitutes one file, for instance a graphical image, into the code structure of a secondary file.

The use of steganography can be difficult to detect even with specialist forensic tools, and, employed correctly, it can allow suspect material to evade even the most astute investigator. When combined with cryptography, steganography can be an especially powerful means of safeguarding both the presence and the content of information.

Another approach to concealing information is to embed data in special sections of the file system structure. Alternate Data Streams (ADS) were a design feature introduced into the Microsoft Windows™ operating system with the NTFS™ file system as a means to provide compatibility with the Macintosh Hierarchical File System™ (HFS).

The Macintosh's file system works by using both data and resource forks to store its contents. The data fork holds the contents of the document while the resource fork identifies the file type and additional pertinent details. There has been a marked increase in the use of these streams by malicious hackers wanting to store their files after they have compromised a computer. Not only that, it has also been seen that viruses and other types of malware are being placed there as well. The crux of the matter is that these streams are not revealed using normal viewing methods, whether via a command prompt or with Windows Explorer.

Whilst data embedded within an ADS will remain invisible during all common operations, forensic examiners can identify such material using complex data analysis applications. When information is encrypted, embedded within other file code (steganography), and finally hidden within an ADS, it is likely that the material will be safe from even the most astute investigators.

Internet Privacy:

The Internet is an important tool for business and leisure but is also a compelling resource for those commissioning or researching criminal activities.

Reading email or browsing online (WWW) leaves traces on the host computer which can be recovered by forensic investigators to give an indication as to websites visited, terms used in search engines and conversations held in online chat-rooms.

Whilst popular browser applications such as Internet Explorer and Mozilla feature routines to remove personally identifiable information, a more considered method of eliminating any local remnants of online activity would involve the use of a specialist application such as 'Evidence Eliminator'.

To put a layer of security between the computer and the Internet, and therefore protect against any potential eavesdropping on the telephone/broadband network, an approach known as Onion Routing may be employed. Developed by American researchers, Onion Routing employs a complex chain of relays, routers and encryption protocols to guarantee the anonymity and confidentiality of traffic.

Whilst investigators without the capacity or capability to undertake complex cryptographic evaluations may be unable to identify the content of such protected web traffic, it may be possible to glean useful information using 'traffic analysis'. Here the intention is to identify patterns and norms. In particular, it may not be possible to determine what website an individual is accessing, but by cataloguing the traffic it might be possible to say, with certainty, when a user was online. Should this be corroborated by physical surveillance that can attest the individual was alone in the premises under observation at a particular moment in time, then should further evidence emerge at a later point (perhaps as a result of performing a forensic analysis of the suspect's computer, following a search/seizure order), it can neatly tie the suspect to the computer keyboard.

Exploiting Forensic Procedure:

Whilst the approaches previously discussed have aimed at obscuring or concealing either the physical computer units or the digital information contained therein, the following techniques are centred on thwarting the forensic procedure for examination of digital media.

Operations upon files and folders are recorded through timestamps, which provide details of when the file/folder was created, when it was last accessed, and when the file/folder was last modified. Timestamp data is recorded automatically by the operating system and provides crucial evidence as to actions and the times/dates at which they occurred. However, appreciating how valuable timestamp data is to investigators, tools have been developed by various hacking groups to permit manual or automatic modification of timestamps. This technique is referred to as 'fuzzing' and can make attribution of a file, or of who was at the keyboard at a specific point in time, near impossible. On top of that, fuzzing taints the evidence so that the integrity of the timestamps is damaged to a degree that would make them inadmissible in a court of law.
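Manipulated timestamps are rarely perfect, and an examiner can triage them with simple consistency checks. The heuristics below are an added example, not code from the original post; the file records, the OS installation date and the acquisition date are constructed values, and the check flags records that need explaining rather than proving tampering.

```python
"""Heuristic checks for manipulated file timestamps (created/modified/accessed)."""
from datetime import datetime, timezone

UTC = timezone.utc
# Reference points an examiner would take from the seized system (constructed).
OS_INSTALLED = datetime(2010, 6, 1, 9, 0, 0, tzinfo=UTC)
ACQUIRED_AT = datetime(2011, 9, 13, 13, 34, 0, tzinfo=UTC)


def check_record(rec: dict) -> list:
    """Return the reasons a record's timestamps look suspicious (empty if none)."""
    reasons = []
    stamps = {k: rec[k] for k in ("created", "modified", "accessed")}
    # 1. NTFS keeps 100 ns resolution; tools that set times from a typed
    #    value tend to leave every fractional second at exactly zero.
    if all(t.microsecond == 0 for t in stamps.values()):
        reasons.append("all sub-second fields are zero")
    # 2. Times later than the acquisition or earlier than the OS install
    #    cannot have been produced by normal use of this system.
    for k, t in stamps.items():
        if t > ACQUIRED_AT:
            reasons.append(f"{k} is after acquisition")
        if t < OS_INSTALLED:
            reasons.append(f"{k} predates OS installation")
    # 3. Last-modified earlier than creation is normal for a copied file but
    #    otherwise needs explaining, so it is reported for review.
    if stamps["modified"] < stamps["created"]:
        reasons.append("modified earlier than created (copy or tampering?)")
    return reasons


def triage(records: list) -> dict:
    """Map each suspicious file name to its list of reasons."""
    return {r["name"]: check_record(r) for r in records if check_record(r)}


# Constructed sample records (times in UTC).
RECORDS = [
    {"name": "report.doc",
     "created": datetime(2011, 3, 4, 10, 15, 22, 431000, tzinfo=UTC),
     "modified": datetime(2011, 3, 5, 16, 2, 9, 17000, tzinfo=UTC),
     "accessed": datetime(2011, 9, 1, 8, 0, 3, 250000, tzinfo=UTC)},
    {"name": "ledger.xls",  # every field set to a whole second, before install
     "created": datetime(2005, 1, 1, 0, 0, 0, tzinfo=UTC),
     "modified": datetime(2005, 1, 1, 0, 0, 0, tzinfo=UTC),
     "accessed": datetime(2005, 1, 1, 0, 0, 0, tzinfo=UTC)},
    {"name": "notes.txt",  # created after the acquisition date
     "created": datetime(2012, 1, 1, 12, 0, 0, 500000, tzinfo=UTC),
     "modified": datetime(2011, 6, 1, 12, 0, 0, 500000, tzinfo=UTC),
     "accessed": datetime(2011, 6, 1, 12, 0, 0, 500000, tzinfo=UTC)},
]

if __name__ == "__main__":
    for name, why in triage(RECORDS).items():
        print(name, "->", "; ".join(why))
```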

ACPO Guidelines for the seizure of computer equipment suggest immediate disconnection of the power unit, so as to preserve information on the system's hard drive(s). This is undoubtedly Standard Operating Procedure (SOP) for investigators throughout the world, but it does have one very serious disadvantage. By disconnecting the power, any information stored in volatile memory (e.g. RAM) will automatically be lost and cannot be retrieved. Hacking tools have evolved to exploit this investigative procedure, with scripts and software programs that run exclusively in memory so that no traces will survive on the disk should the computer be seized by the authorities. It is accepted as only a matter of time before this counter-forensics technique becomes much more widely adopted by those intent on using computers for the commission or support of criminal enterprise.

Legal Context:

Whilst not a security technique or forensic safeguard, some criminals have exhibited remarkable forward planning to provide a precaution should they one day have to stand trial for an offence.

In legal circles there have been a number of high profile cases involving computer abuse/misuse, where the line of defence has been that the computing device was under the control of an unknown third party. Many times the assertion is that the computer was broken into by a hacker, who used it as a platform for perpetrating their crime. This has become known as the 'Trojan defence' and was applied successfully in the case of R v Aaron Caffrey, who was charged with breaking into computers owned by the port authority in Houston. It is known for criminals to purposefully infect their computers with viruses and harmful code, laying the foundations for such a defence should the need ever arise.

The technical arguments as to whether computer code, which is what essentially all electronic media is, can constitute obscene media have long been settled in the rulings of R v Fellows and R v Arnold. In matters involving obscene images and media, the more recent ruling in R v Porter has put flesh on the bones of the argument as to what constitutes 'possession' in the technical sense. In this case the presiding Judge gave directions as to whether the jury could consider that deleted pictures, recoverable only using sophisticated forensic means, could still be considered in the possession of the owner.

Recently the Home Office announced plans to start enforcing provisions outlined in Part 3 of the Regulation of Investigatory Powers Act (RIPA). The wording of this act makes it an offence for an individual or entity to refuse or be unable to disclose passwords or encryption keys specifically requested by the authorities in an investigation. One argument against these provisions is that they reverse the burden of proof and make a party guilty of an offence should they be in a legitimate position of being unable to comply with a disclosure order.

One of the main criticisms of the act, however, is whether or not it will have the desired effect of enabling criminals abusing or leveraging technology to be suitably punished. The oft-quoted example is that of an individual arrested on suspicion of possessing obscene images and media. Should the computer drive be strongly encrypted, the authorities may seek to coerce the decryption keys via RIPA. However, it would clearly not be in the individual's best interests to comply, as this would reveal the extent of their cache and almost certainly attract a punishment that would far outweigh that which would be handed down for non-compliance with the RIPA provisions.

Security vs. Accessibility:

When considering security controls and countermeasures a careful balance must be achieved as to how to maintain reasonable accessibility to the data whilst ensuring confidentiality.

A collection of obscene imagery could, for instance, be grouped into one archive that is strongly encrypted, with the resulting code embedded into the file structure of an innocuous file that is in turn buried deep within the computer's file system. The computer drive may then be concealed within the loft crawl space and communication with the device achieved using encrypted wireless protocols. Clearly this would afford a very good degree of secrecy to the material, but it makes the material increasingly difficult to access or retrieve for any practical purpose.

The accessibility angle is used to the advantage of investigators, who will routinely scan suspect premises for wireless communication signals or follow computer data or power cables to identify any hidden devices.


Criminals and those carrying out offences involving the use or support of information technology continue to use various methods to thwart the efforts of investigators to secure digital evidence. Whilst countermeasures range from the crude yet novel (e.g. burying devices under the floorboards) to the highly sophisticated (e.g. encrypting information and hiding the code within redundant elements of the computer file system), it is clear that defensive practices of this nature are becoming progressively prevalent. Equally, these efforts are becoming worryingly effective in hampering the efforts of law enforcement and have contributed significantly to the police either training their own specialist investigators or seeking an expert witness with the requisite skills.

History has taught us that attacks against systems, whether physical or digital in nature, only increase in efficiency and effectiveness over time.

This article is not a 'how-to' guide and certain details from both the defensive and offensive perspectives have been intentionally omitted. The techniques described in this article are documented in several public resources and in many instances are employed quite regularly by criminals abusing or misusing systems.

It is considered more harmful to the forensic industry to operate under a veil of security and with a false sense that the practices employed are above reproach.

It is hoped that by highlighting this disturbing trend some of the challenges and limitations in current forensic computing practice can be appreciated. Furthermore, this may stimulate informed discussions that will lay the foundations for research into new procedures for countering counter-forensic practices.