
SIMSON SAYS: Gumshoes must tread carefully, but wealth of clues can be found

--- begin forwarded text

To: <[email protected]>
Date: Thu, 12 Aug 1999 18:49:58 -0400
Subject: SIMSON SAYS: Gumshoes must tread carefully, but wealth of 
clues can be found
From: [email protected]
Reply-to: [email protected]

The tricks, tools of a computer sleuth

Gumshoes must tread carefully, but wealth of clues can be found

By Simson L. Garfinkel, 08/12/99

Computer forensics is a relatively new and little-known branch of computer
security. Like other kinds of forensics, computer forensics is a set of
techniques for collecting and explaining evidence - especially evidence that
might be gathered during a criminal investigation. What makes it different
is that instead of examining fingerprints or DNA, a computer forensics
specialist focuses on data left inside a computer system.

The inside of a computer, it turns out, is a surprisingly difficult place
from which to collect evidence. One reason is that computers have a lot of
places where evidence can hide. My desktop machine has 128 megabytes of RAM
and more than 20 gigabytes of hard disk space, roughly the equivalent of 3.5
million pages of typewritten text. It can take a trained investigator days
or even weeks to search that much space effectively.

A second issue complicating the task: It is easy to damage or destroy
evidence in the process of looking for it.

Finally, there is the problem of willful destruction: to keep themselves
from getting caught, many computer criminals will delete files, modify
programs, and otherwise alter a computer system after they have broken into
it. To be successful, a computer forensics specialist needs to be able to
step around this damage and still find what he or she is looking for.

Last week, a pair of flamboyant computer security experts, Dan Farmer and
Wietse Venema, taught a one-day course on computer forensics at IBM's
Yorktown Heights research laboratory. Called ''Murder on the Internet
Express,'' the course discussed techniques for analyzing a computer system
to find telltale signs left behind by someone using a computer. They
discussed common tactics computer criminals use to destroy evidence, and why
these approaches frequently fail. And finally, the pair previewed some new
forensics tools they plan to release tomorrow.

There are three primary ways in which computer users leave tracks in a
computer system. The first kind of track is in the log files - records
most computers keep that detail the machine's activities. Log files are most
common when you use services on the Internet. When you call up the Internet
from a home PC, a record of your phone call is kept in a log file. Likewise,
whenever you send electronic mail or view a Web page, that information is
also recorded. If an investigator can get access to the log files, they can
be used to paint a comprehensive picture of what the person has been doing
on line.

A second way is to look at files on the computer itself. Both the UNIX and
Windows operating systems keep detailed records of when each file was
created, last modified, and last read. By collecting these times for every
file on the computer and sorting them into a single timeline, an
investigator can build a very detailed picture of what a person did.
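The timeline technique the paragraph describes is the idea behind the "mactime" style of tool. The following is an added example written for this page, not code from Farmer and Venema's toolkit: it walks a directory tree with lstat(), merges each file's modification (m), access (a) and inode-change (c) times into one chronological list, and flags which of the three fired at each second. The sample tree it builds is constructed here for the demonstration; its file names and timestamps are assumptions, not data from the article.

```python
import os
import tempfile
import time
from collections import defaultdict


def collect_mac_times(root):
    """Walk `root` and return {path: (mtime, atime, ctime)}.

    lstat() is used so that symlinks are recorded, not followed, and so the
    walk itself does not update any access times. On Windows st_ctime is the
    creation time rather than the inode change time.
    """
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort
            records[path] = (st.st_mtime, st.st_atime, st.st_ctime)
    return records


def build_timeline(records):
    """Merge the three timestamps into a sorted list of (epoch, flags, path).

    `flags` is a three-character string in the order m, a, c; a dot means that
    timestamp did not fire at this second. 'ma.' therefore reads "modified and
    accessed at the same time", which is what a fresh write looks like.
    """
    events = defaultdict(lambda: defaultdict(set))  # epoch -> path -> flags
    for path, (mtime, atime, ctime) in records.items():
        events[int(mtime)][path].add("m")
        events[int(atime)][path].add("a")
        events[int(ctime)][path].add("c")
    timeline = []
    for epoch in sorted(events):
        for path in sorted(events[epoch]):
            hit = events[epoch][path]
            flags = "".join(f if f in hit else "." for f in "mac")
            timeline.append((epoch, flags, path))
    return timeline


def format_timeline(timeline):
    """Render the timeline as human-readable UTC lines."""
    return [
        f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(epoch))} {flags} {path}"
        for epoch, flags, path in timeline
    ]


def make_sample_tree():
    """Constructed sample (assumption, not real evidence): two files with
    hand-set m/a times. ctime cannot be set from user space, so it records
    when os.utime() itself ran, which is exactly the kind of artifact that
    betrays an intruder who back-dates a file with touch."""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    old = os.path.join(root, "old.log")
    new = os.path.join(root, "new.log")
    for path in (old, new):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.utime(old, (1_000_000_000, 900_000_000))    # (atime, mtime)
    os.utime(new, (1_100_000_000, 1_100_000_000))
    return root, old, new


if __name__ == "__main__":
    root, _, _ = make_sample_tree()
    for line in format_timeline(build_timeline(collect_mac_times(root))):
        print(line)
```

Run against a real mounted image, the interesting lines are the ones where m and a are years in the past but c is recent: the attacker reset the visible timestamps with touch, and the kernel recorded that act in ctime.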

A third way is to bypass the computer's files entirely, and instead just
examine the hard drive. That's because information written to the hard disk
stays there until it is overwritten. Because computer users almost never
fill their hard drives all the way, it's common to find information on the
disk that was deleted long ago.
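To make the third approach concrete, here is an added example (written for this page, not part of the article or of The Coroner's Toolkit) of why deleted data survives. It builds a constructed toy "disk image" whose first block is a directory table and whose later blocks hold file data; deleting a file clears only its directory entry, as most filesystems do. A carver that ignores the directory and scans the raw bytes for well-known header/footer signatures still recovers the file. The image layout, the file names and the signature list are assumptions chosen for the demonstration.

```python
import struct

BLOCK = 512
ENTRY = struct.Struct("<16sII")  # name[16], data offset, data length (24 bytes)

# Header/footer byte signatures used by file carvers; these two are real
# magic values, but the list is a deliberately small assumption for the demo.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "gif": (b"GIF89a", b"\x00;"),
}


def make_sample_image():
    """Constructed toy image: block 0 is the directory, blocks 1.. hold data."""
    img = bytearray(BLOCK * 16)
    files = [
        ("photo.jpg", b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 40 + b"pixels" * 10 + b"\xff\xd9"),
        ("anim.gif", b"GIF89a\x01\x00\x01\x00" + b"frame" * 8 + b"\x00;"),
    ]
    entry_off, data_off = 0, BLOCK
    for name, data in files:
        img[data_off:data_off + len(data)] = data
        img[entry_off:entry_off + ENTRY.size] = ENTRY.pack(name.encode(), data_off, len(data))
        entry_off += ENTRY.size
        data_off += ((len(data) + BLOCK - 1) // BLOCK) * BLOCK  # next free block
    return img


def list_directory(img):
    """What the operating system would show: names with a live directory entry."""
    names = []
    for off in range(0, BLOCK - ENTRY.size + 1, ENTRY.size):
        name, _, length = ENTRY.unpack(img[off:off + ENTRY.size])
        if length:
            names.append(name.rstrip(b"\x00").decode())
    return names


def delete_file(img, name):
    """Simulate deletion the way most filesystems do it: zero the directory
    entry and leave every data block exactly as it was."""
    for off in range(0, BLOCK - ENTRY.size + 1, ENTRY.size):
        entry_name, _, _ = ENTRY.unpack(img[off:off + ENTRY.size])
        if entry_name.rstrip(b"\x00") == name.encode():
            img[off:off + ENTRY.size] = b"\x00" * ENTRY.size
            return True
    return False


def carve(img, signatures=SIGNATURES, max_len=1 << 20):
    """Ignore the directory entirely and scan the raw bytes for header/footer
    pairs. Returns [(kind, offset, data)] sorted by offset. `max_len` bounds
    how far past a header the footer is sought, so a header with no footer
    (a partially overwritten file) is skipped rather than swallowing the disk."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = img.find(head, pos)
            if start < 0:
                break
            end = img.find(tail, start + len(head), start + max_len)
            if end < 0:
                pos = start + 1  # no footer in range: not a complete file
                continue
            end += len(tail)
            found.append((kind, start, bytes(img[start:end])))
            pos = end
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    image = make_sample_image()
    print("before delete:", list_directory(image))
    delete_file(image, "photo.jpg")
    print("after delete: ", list_directory(image))
    for kind, offset, data in carve(image):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

The same scan works on a real device image read with dd, which is why the column's point holds: until the blocks are reused for new data, "deleted" only means "no longer listed".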

One of the main uses of computer forensics today is figuring out what has
happened after someone has broken into a computer system. With good tools,
an analyst can determine when the break-in happened, how the intruder
obtained access, and which files were examined or modified. Forensics tools
can also be used to inspect the system to see whether any traps were left
behind. For example, the attacker might have left a ''tripwire'' or
''timebomb'' that would automatically wipe out the system. Alternatively,
the attacker might have created a ''back door'' so he or she could gain
covert access at a later time.

Forensics also can be used by police to analyze computers seized during a
criminal investigation. Earlier this summer I learned that the FBI has been
using disk recovery tools such as Power Quest's Lost and Found to assist in
child pornography investigations.

In one case they were able to see how a suspect had installed a copy of
America Online, downloaded some questionable images, and then apparently
deleted both the images and the AOL program. A few months later, he
allegedly did the same thing again - installing AOL, downloading images, and
deleting it all again. Lost and Found let the investigators almost literally
look into the past, because parts of the AOL program and the downloaded
images were still on the suspect's hard disk, even though they had been
technically ''deleted.''

Programs like Lost and Found and Norton Utilities, which combine forensics
with data recovery, have been available for the Windows platform for years.
The big news at IBM last week was that Farmer and Venema are releasing a
series of forensics programs for the UNIX and Linux operating systems.
Called ''The Coroner's Toolkit,'' the tools make it much easier to conduct a
detailed examination of a UNIX system. That's important, since UNIX is the
dominant operating system among Internet servers and, thanks to Linux, is
becoming more common on desktop machines as well.

Of course, computer forensics tools can also be used to spy on employees and
other legitimate computer users. Indeed, says Farmer, ''Spying and abuse are
now easier than ever. It is pretty trivial to find out what people using
computers are up to.''

Those are strong words, especially considering their source. Three years ago
Farmer and Venema released a security auditing program called ''SATAN'' on
the Internet, to the dismay of many computer specialists. SATAN generated
hostile responses because it could be used by system administrators to
secure computers and by attackers to break into systems. It remains to be
seen whether or not The Coroner's Toolkit will generate a similar response.

The Coroner's Toolkit is scheduled to be released tomorrow. Look for it on
line at www.fish.com/security/forensics.html

Technology writer Simson L. Garfinkel can be reached at
[email protected]

This story ran on page C4 of the Boston Globe on 08/12/99.
© Copyright 1999 Globe Newspaper Company.

SIMSON-SAYS is Simson's column on computer issues that appears weekly
in The Boston Globe and other newspapers.

Please feel free to pass this column on to a friend.
If you wish to subscribe to SIMSON-SAYS, just send an e-mail message
with the word "subscribe" as its first line to [email protected].

This message (C) Simson L. Garfinkel.

This message sent to the email address [email protected]
as part of the simson-says mailing list
To remove yourself from this mailing list, follow this link:

--- end forwarded text

Robert A. Hettinga <mailto: [email protected]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'