Why forensic analysis needs to give up Nintendo
Harlan Carvey
The predominance of our current forensic analysis methodologies
leaves examiners woefully behind in a seemingly never-ending game of
catch-up with those committing computer crimes. As intrusions and
other computer crimes continue to increase in sophistication, forensic
examiners need to grow beyond their current toolkits and innovate
in their methods of forensic data collection and analysis. The age
of “Nintendo forensics” has drawn to a close.
In the 1990s, many computer intrusion incidents were committed
by pranksters, joy-riders on the Information Superhighway, bent
on causing mayhem because they could. Loading the Trojan horse application
‘du jour’ on a system and opening and closing the CD-ROM
drive tray became more than a nuisance for many system administrators
and helpdesk technicians. However, the increase in online banking,
online shopping and, in short, more and more people taking their
lives online has led to an economic drive and a financial goal behind
these intrusions.
Many of the hosting organisations, such as banks, other financial
institutions and healthcare organisations, are taking more strenuous
measures to protect themselves (in part due to regulatory requirements
rather than their own initiative), yet they are still being successfully
penetrated. As the defences around these castles are being built,
the attackers are increasingly turning their sights on the target-rich
environment of the relatively under-protected home users.
The traditional forensic analysis methodology has been to unplug
the system, remove and acquire a forensic image (a bit-by-bit, exact
copy) of the hard drive, and then analyse the acquired image using
a file-based approach, covering both the active file system and
the unallocated sectors. As the systems themselves have become more sophisticated,
the examiners’ tools have struggled to keep up, offering little beyond automated
keyword searches and the running of anti-virus scanning applications.
Further data reduction is automated through the use of libraries
of cryptographic hash tables for both ‘known good’ and
‘known bad’ files, the key word here being ‘known’.
Increasingly, malware authors are creating custom and even new versions
of their tools, and some have even created point-and-click interfaces
that allow for the automated creation of the custom malware. On
a regular basis, forensic examiners see examples of Trojans, backdoors,
and worms that are not recognized by name, or even as malicious
in nature, when examined by over 30 separate anti-virus scanning
applications.
Another issue that forensic examiners need to be able to deal with
is anti-forensics, or steps actively taken to subvert forensic analysis.
Anti-forensic techniques go beyond simple deletion of files, to
the point of obfuscating file contents through encryption, as well
as modification of file metadata, such as access and creation times.
Not only are these techniques being addressed in public forums,
but tools to automate their implementation are being released to
the public as well. Further, many examiners do not seem to be aware
that some operating systems, such as Microsoft’s Windows XP
and Vista, implement their own version of anti-forensic techniques
simply in how they operate.
In the face of these innovations and issues, forensic examiners
can no longer rely solely on traditional analysis techniques and
must themselves innovate in their collection and analysis techniques.
Examples of this type of innovation are discussed (with a primary
focus on systems running the Microsoft Windows family of operating
systems) in my book Windows Forensic Analysis. Registry analysis
can give the examiner a picture of the user’s activity, such
as viewing graphic image files, even after the files themselves
have been deleted, or if the files were kept on a removable storage
device.
Collecting and analysing data from a live system will provide additional
insight for the examiner as well. For example, collecting volatile
data from the system, such as running processes, network connections,
logged-on users, and so on, will provide information that the examiner
can use to obviate the ‘Trojan defence’
before that card is played.
Taking this a step further, collecting and parsing the contents
of physical memory (such as RAM) will allow the examiner to view
a snapshot not only of active processes and other data from the
system, but also see processes that have recently exited, as well
as extract full versions of executable image files that may have
been obfuscated by encryption and/or compression while at rest on
the hard drive.
One hurdle to such innovations in analysis techniques is that the
market for such things is relatively limited. Forensic analysis
applications such as ProDiscover from Technology Pathways and EnCase
from Guidance Software provide ample means to collect data, but
provide only a basic framework for the analysis of collected data.
Both applications, however, do provide a modicum of extensibility
through the use of a scripting interface, allowing examiners to
extend the capabilities of the applications to meet their needs
without waiting (or paying) for those additional capabilities.
ProDiscover makes use of the ubiquitous Perl scripting language.
The use of scripting languages allows the examiner to perform data
reduction, translation (parsing binary data, or data obfuscated with
ROT-13 encoding, into readable form) and correlation in
order to create a more comprehensible and understandable view of
the available data.
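As an added example of the ‘translation’ step described above (this is not code from the article, nor ProDiscover’s own scripting interface), the following Python routine does what an examiner would otherwise script in Perl: it turns Windows UserAssist Registry values, whose value names are ROT-13 encoded, into readable records. The 16-byte value layout (session ID, run count stored offset by 5, FILETIME of last run) is the XP-era format and is stated as an assumption in the code; the sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Translate a 64-bit FILETIME into an aware UTC datetime (None if zero)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_value(name, data):
    """Translate one XP-style UserAssist value into readable form.

    Assumed layout (little-endian): session ID (DWORD), run count (DWORD,
    stored offset by 5 on XP) and a FILETIME of the last run; name is ROT-13.
    """
    if len(data) != 16:
        raise ValueError("expected a 16-byte UserAssist value, got %d" % len(data))
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "name": codecs.decode(name, "rot13"),   # ROT-13 is its own inverse
        "session": session,
        "run_count": max(raw_count - 5, 0),
        "last_run": filetime_to_datetime(ft),
    }


# Constructed sample of what a UserAssist\Count key might hold (not real data).
SAMPLE_LAST_RUN = datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr":
        struct.pack("<IIQ", 2, 12, datetime_to_filetime(SAMPLE_LAST_RUN)),
    r"HRZR_EHACNGU:R:\frghc.rkr": struct.pack("<IIQ", 2, 6, 0),
}


def parse_sample():
    """Decode every constructed value; records are sorted by decoded name."""
    records = [parse_userassist_value(n, d) for n, d in SAMPLE_VALUES.items()]
    return sorted(records, key=lambda r: r["name"])
```

Run against a real hive, the same routine would be fed the raw value names and data read from the UserAssist\Count subkeys rather than the constructed dictionary.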
Most professions and professionals recognise the need to grow a
base of knowledge, as well as provide for innovation in the development
and use of various techniques and methodologies. Forensic examiners
and investigators have the additional external stimulus of having
to keep up with developments in technology, as well as computer
or cyber crimes. We have the tools available to do this, and it
is simply a matter of realising that this needs to be done.
Harlan Carvey is author of Windows Forensics and Incident Recovery,
published by Syngress and available from Amazon and other retailers:
see a sample chapter and the table of contents (both PDFs). He is a
computer forensics and incident response professional who provides
emergency incident response and computer forensic analysis services
to clients throughout the US.