PREFACE

Computer forensics has become an essential tool in the identification of misuse and abuse of systems. Whilst widely utilised within law enforcement, the rate of adoption by organisations has been somewhat slower, with many organisations focusing upon the traditional security countermeasures to prevent an attack from occurring in the first place. Such an approach is certainly essential, but it is also well understood that no system or network is completely secure. Therefore, organisations will inevitably experience a cyberattack. Moreover, traditional countermeasures do little to combat the significant threat that exists from within the organisation. Computer forensics is an invaluable tool for an organisation in understanding the nature of an incident and being able to recreate the crime.
The purpose of this pocket book is to provide an introduction to the tools, techniques and procedures utilised within computer forensics, and in particular to focus upon aspects that relate to organisations. Specifically, the book will look to:

- develop the general knowledge and skills required to understand the nature of computer forensics;
- provide an appreciation of the technical complexities that exist; and
- allow the reader to understand the changing nature of the field and the subsequent effects that it will have upon an organisation.
This will allow managers to better appreciate the purpose, importance and challenges of the domain, and allow technical staff to understand the key processes and procedures that are required. The final section of the text has been dedicated to resources that will provide the reader with further directions for reading and information on the tools and applications used within the computer forensic domain.
ABOUT THE AUTHOR

Dr Nathan Clarke is a senior lecturer at the Centre for Security, Communications and Network Research at the University of Plymouth and an adjunct lecturer with Edith Cowan University in Western Australia. He has been active in research since 2000, with interests in biometrics, mobile security, intrusion detection, digital forensics and information security awareness. Dr Clarke is also the undergraduate and postgraduate Programme Manager for information security courses at the University of Plymouth.

During his academic career, Dr Clarke has authored over 50 publications in refereed international journals and conferences. He is the current co-chair of the Workshop on Digital Forensics & Incident Analysis (WDFIA) and of the Human Aspects of Information Security & Assurance (HAISA) symposium. Dr Clarke has also served on over 40 international conference events and regularly acts as a reviewer for numerous journals, including Computers & Security, IEEE Transactions on Information Forensics and Security, The Computer Journal and Security and Communication Networks. Dr Clarke is a Chartered Engineer, a member of the Institution of Engineering and Technology (IET) and the British Computer Society, and is active as a UK representative in International Federation for Information Processing (IFIP) working groups relating to Information Security Management, Information Security Education and Identity Management.
Further information can be found at www.plymouth.ac.uk/cscan.

ACKNOWLEDGEMENTS

Thanks are due to Prof Steven Furnell for his insightful feedback on the draft version of the manuscript. Thanks are also due to my partner, Amy, whose invaluable support has helped immensely.
CONTENTS

Chapter 1: The Role of Forensics within Organisations ..... 10
Chapter 2: Be Prepared - Proactive Forensics ..... 17
Chapter 3: Forensic Acquisition of Data ..... 26
Chapter 4: Forensic Analysis of Data ..... 34
Chapter 5: Anti-Forensics and Encryption ..... 46
Chapter 6: Embedded and Network Forensics ..... 52
Conclusion ..... 58
Resources ..... 60
    Specialist books in Computer Forensics ..... 60
    Software and tools ..... 64
    Web resources ..... 69
ITG Resources ..... 73
CHAPTER 1: THE ROLE OF FORENSICS WITHIN ORGANISATIONS

The importance of information security within an organisation is becoming better understood. Regulation, legislation and good governance are all motivators for organisations to consider the role information security plays in protecting data. Whilst better understood, the adoption of good information security practices is far from uniform across all organisations, with enterprise companies faring better than many smaller organisations, who are trailing in their knowledge and deployment of secure practices. With the significant and growing threat arising from cybercrime and related activities, it is increasingly important that all organisations address the issue of ensuring good information security.

In order to appreciate the need for computer forensics within an organisation, it is important to look at the nature and scale of the threat that exists. Unfortunately, truly understanding the scale of the threat is difficult, as the reporting of cybercrime is relatively patchy. Many organisations see such reporting as something that will affect their brand image and reputation. Whilst discussions are being held in some countries about implementing laws to force organisations into reporting incidents, at this stage the industry relies upon survey statistics to appreciate the threat. Many such surveys exist, but four in particular, used together, provide a good overview of the cybercrime landscape:
- Computer Crime and Security Survey [1] by the Computer Security Institute (CSI): an annual survey that typically has over 500 respondents, with a focus upon the United States and a skew towards enterprise organisations. This survey is a regularly cited source for understanding the nature of the threat.
- Global Information Security Survey [2] by Ernst & Young: another annual survey, but with a wider perspective. In 2009, the survey had almost 1,900 organisations from over 50 countries across all major industries.
- Information Security Breaches Survey [3] by the UK Department for Business, Enterprise and Regulatory Reform (BERR): a UK-focused survey with over 1,000 respondents (in 2008). In comparison to the previous two surveys, the respondent group in this survey is far more focused upon SMEs rather than enterprise organisations. It is possible, therefore, to appreciate a different perspective on the problem.
- Global Internet Security Threat Report [4] by Symantec: once a twice-yearly publication, the report is now published annually. This report differs from the previous three in that it does not rely upon people to report the findings. Instead, Symantec acquire the information from a variety of sensors and systems deployed throughout the world. The report therefore provides a far more statistically reliable picture of the nature and scale of the threat; however, it fails to illustrate what the consequences of those threats are and what efforts are being made to better secure systems.

[1] Richardson R, CSI Computer Crime and Security Survey, Computer Security Institute (2008). www.gocsi.com
[2] Outpacing Change: Ernst & Young's 12th Global Information Security Survey, Ernst & Young (2009). www.ey.com/publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf
[3] Information Security Breaches Survey, BERR (2008), Crown Copyright. www.berr.gov.uk/files/file45714.pdf
[4] Symantec Global Internet Security Threat Report: Trends for 2008, Symantec (2009). http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf

Taking a snapshot of the most current surveys at the time of writing, it is clear that the nature and seriousness of the threat is considerable. Looking at the mainstay of cybercrime, malicious software (malware), it can be seen that it still presents a significant threat to systems. The CSI survey in 2008 reported that 50% of respondents experienced a virus incident (which includes other forms of malware). The BERR survey reports this as lower, at 35% overall in 2008; however, when analysing enterprise organisations only, this number shoots back up to 68%. This demonstrates that, at present, enterprise organisations are a far larger target for attackers. Indeed, Symantec's report has identified that threats are increasingly being targeted at specific organisations or individuals, and the CSI survey also reported that 27% of respondents had experienced targeted attacks within their organisation.

An underlying theme in this changing threat landscape is the move towards financial reward. Symantec reports that the underground economy is generating millions of dollars in revenue from cybercrime-related activity. Previously, financial reward was infrequently a key driver of cybercrime. Hackers would break into systems in order to demonstrate their technical ability over those administering the systems, and malware writers created viruses and worms that would maximise their infection and spread throughout the Internet. However, since the beginning of the millennium the surveys have shown an increasing focus upon threats that provide a financial reward to the attacker. Advance-fee fraud (419 scams) and phishing are two examples of widespread threats aimed at providing financial reward. As awareness of these widespread threats increases, so the threat evolves towards more targeted attacks, such as spear phishing.

Whilst the previous two trends are focused upon threats that enter the system from outside the organisation, the surveys point to a considerable threat coming from inside. The CSI survey put this second to virus incidents, at 44% of respondents, with the BERR survey at 21%. Moreover, the BERR survey in particular noticed a significant swing from external to internal threat, with over two-thirds of the worst incidents coming from insider misuse. Organisations, therefore, may face a considerable threat from their own employees.
This becomes more concerning when you appreciate that much of the traditional information security mechanisms are focused upon ensuring that attackers from outside the system cannot get in. Little consideration is frequently given to attackers from within the system.

Whilst the nature of the threat has changed significantly, it is essential to realise that it is still evolving. Although it is difficult to predict what form the threat will take in the future (largely because doing so will itself ensure the threat evolves in a different direction), it is important to ensure information security is not simply a reactive system that deploys new countermeasures upon identification of new threats, but proactively seeks to develop controls, practices and policies to assist in their identification and prevention.

The discussion up to this point has focused upon cybercrime. However, it is also important to appreciate that information systems are not simply the target of crime but are frequently used as a tool for crime. Many forms of traditional crime, such as money laundering, fraud, blackmail, distribution of child pornography and illegal drug distribution, can all be facilitated by the use of computers. Indeed, given the ubiquitous nature of information systems and the efficiency gains achieved in using them for financial record keeping and communication, it is difficult to envisage many crimes of this nature not using computers. From an organisational perspective, it is important to ensure you do not simply protect your systems from cybercrime threats, but also ensure they are not being used to facilitate traditional crime.
Digital forensics is a growing specialism that assists organisations in the identification of misuse. In comparison to many areas of traditional information security, such as authentication and access control, it is relatively new, born out of the need to be able to identify exploitation of electronic systems in a manner that would be deemed acceptable by the judicial system. Within digital forensics, a number of more specific sub-categories exist, such as computer, network and embedded forensics. Each in turn seeks to understand its specific technology platform in order to capitalise upon the evidence being captured. For instance, within computer forensics, tools, techniques and procedures have been developed to extract evidence from hard drives and volatile media. Significant time has been focused upon understanding the nature of file systems in order to ensure all artefacts are identified, and to appreciate the nature of the data. Within embedded forensics, such as for mobile devices or game consoles, the nature of the underlying architecture means that different tools and procedures are required in order to extract relevant artefacts in a forensically sound manner.

A key driver to date for the use of computer forensics has been law enforcement and the identification of traditional crime. This quickly moved on to cybercrime, but is still largely within the sphere of law enforcement and their need to analyse systems in a legally acceptable manner in order to bring the guilty to justice. However, although this driver has not changed, organisations are increasingly identifying the importance of establishing a computer forensics expertise. Whilst organisations might not always seek criminal or civil compensation for the attacks against their systems, it has become accepted that the tools, techniques and procedures developed for digital forensics provide an effective and sound methodology for analysing systems. The primary motivation for using forensics is incident management and the ability to identify which files have been affected and how the malware has infected the system, with a view to closing the vulnerability. Forensics within the organisation can also be used to identify possible insider misuse of systems or information. An organisation equipped with a well-trained computer forensic capability is able to both reactively and proactively defend against attacks from both inside and outside the organisation.

The primary focus within the digital forensic industry has been on computer forensics, and as such the focus of this pocket book will largely be on computer forensics. However, many of the processes and procedures documented within the forthcoming chapters are also appropriate for use within the other areas. In addition, a chapter has been included to discuss specific aspects of network and embedded forensics, as both of these are becoming increasingly important within a world where mobile devices are ubiquitous and anti-forensic techniques are more commonplace. The next three chapters focus upon the core procedural aspects of computer forensics: the proactive stance, acquisition and analysis.
CHAPTER 2: BE PREPARED - PROACTIVE FORENSICS

Within an organisation, undertaking forensics is not a simple task and involves a series of procedural and technical aspects that, if not carried out correctly, will affect the forensic value of the investigation and the resulting evidence. It is therefore essential that these are developed, implemented and tested prior to tackling an incident. Being proactive about the design of a forensic expertise within your organisation will ensure that your incident response team is able to respond effectively and efficiently. This chapter introduces the steps necessary to be proactive, and discusses the key procedural aspects that need to be followed during an investigation.

Being proactive is not simply about ensuring the correct procedures are in place for dealing with an incident, or about ensuring staff have the necessary training to forensically acquire and analyse machines running Windows, Linux, Unix and Mac (plus many others). It is possible to go further in forensic readiness and consider the organisational IT infrastructure. Optimising the IT infrastructure for use within incident analysis will enable more efficient analysis of systems whilst minimising the operational impact on systems. For instance, if an organisation has a file server that is critical to operations and is under a 24/7 service level agreement, then it would be difficult to take a system down for forensic acquisition of data, particularly as this can take some time when dealing with large storage volumes. Establishing
redundancy within the IT architecture would assist in ensuring critical systems remain operational and provide a facility for incident analysis.

The most effective deployment of a forensics team is as an aspect of the organisation's Computer Security Incident Response Team (CSIRT), more commonly referred to as a Computer Emergency Response Team (CERT). Whilst no definitive standard exists to date, Carnegie Mellon University's CERT has compiled a handbook for the development, implementation and management of a CSIRT.[5] The handbook provides a robust framework for the handling and assessment of incidents, and clearly defines the role for forensics as one belonging to incident analysis. Whilst it is out of the scope of this text to describe the framework in detail, it is worth highlighting the specific aspects relating to setting up a forensics team.

Computer forensics is a highly human-centric process, requiring trained specialists with specific knowledge of operating systems and forensic software. This therefore places a large burden upon recruitment and training of staff. Furthermore, once trained, given that new operating systems function

differently and frequently come equipped with new file systems, resources are required for continued training. The scope of training will depend upon the variety of systems an organisation is using; fewer file systems result in less training. The nature of undertaking forensics means you do not only need an individual with an excellent technical knowledge of systems, but you are also looking for someone who has an inquisitive mind, and is able to identify leads and follow them through the data. Given the complex nature of file systems and the large storage capacities of hard drive media, it simply is not cost effective to examine every aspect of the drive. It is therefore necessary to understand and appreciate the nature of the crime, the resulting evidence that might exist and where such evidence might reside on the media. The results and findings of the forensic investigation are very much down to the examiner and their ability to professionally analyse the data.

[5] Handbook for Computer Security Incident Response Teams (CSIRTs), West-Brown, M et al, CERT Carnegie Mellon (2003). www.cert.org/csirts

The actual process of computer forensics is inherently a reactive approach to the identification of misuse of systems, whether that is cyber or computer-assisted crime. But how do you know when to undertake a forensic investigation of a system? Because of the nature of forensics, specifically the time and resources required to investigate a system, routine investigation of systems is simply infeasible. An organisation will investigate a system based upon one or more factors causing concern to an administrator. For cyber-related activities, traditional security controls frequently provide the trigger: Intrusion Detection System (IDS) alarms, a system operating outside of normal parameters, unusual processes running on a system, log files containing spurious entries, network logs showing large volumes of traffic entering or leaving the network, or end-users reporting discrepancies.
Having established that something is amiss, forensics can now be utilised to identify what has happened. Whilst literature differs a little on the number of stages that a forensics procedure requires, all agree on the general principle of the process. Amongst the most robust and popular models proposed is the Digital Forensics Workshop model.[6] It establishes seven key stages to the process:

[6] DFRWS Technical Report: A Road Map for Digital Forensic Research, Palmer, G, DFRWS (2001). www.dfrws.org/2001/dfrws-rm-final.pdf

- Identification: the initial identification that something is wrong and requires forensic investigation.
- Preservation: to ensure data is acquired in a forensically sound manner with an appropriate chain of custody being maintained.
- Collection: the use of approved software and hardware and appropriate legal authority where necessary in collecting the evidence.
- Examination: through the use of filtering and data extraction techniques, identify artefacts of interest.
- Analysis: understand the chronology of events and link together artefacts in order to understand the complete picture.
- Presentation: document and present the findings in an appropriate manner.
- Decision: in a legal situation this would be whether sufficient evidence exists to proceed with a criminal case. Within an organisational environment, it could be the point at which a
decision is made to proceed with civil proceedings or an action is taken against an employee.

The core underlying principle within computer forensics is preservation of data. Therefore, during all stages of examination and analysis a forensic examiner will work on duplicates of the original evidence rather than the original. Should changes occur to the data, an additional duplicate of the original can be made. In order to facilitate the preservation of evidence, it is important to ensure an appropriate chain of custody throughout the forensic investigation, from the initial capture of the hardware through to collection, examination, analysis and presentation. At all stages, it should be clear who has been handling the data and when. At no time should the evidence remain unsupervised or freely accessible. In the UK, examiners adhere to the Association of Chief Police Officers (ACPO) guidelines.[7] These comprise four principles:

1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may be subsequently relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

[7] Good Practice Guide for Computer-Based Electronic Evidence, 7Safe, ACPO (2007). www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf

Whilst the intention of the organisation in performing an investigation might not be one of involving the police or seeking compensation through civil actions, care should always be taken in following these principles in case such a decision is required at a later stage. For instance, in many investigations the true consequences of insider misuse might not be understood until after the investigation has taken place.
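The preservation principle and ACPO principles 1 and 3 above (work on verified duplicates of the original, and keep a record of who handled the data, when, and what was done to it) can be turned into a small routine. The following Python is an added example written for this edit, not code from the pocket guide; the image bytes and case identifier are constructed, and the hash-chained log layout is an assumption for illustration rather than a named standard.

```python
"""Preservation of evidence: hash the original image at acquisition, examine
only duplicates that verify against that hash, and keep a chain-of-custody log.
Added example; SAMPLE_IMAGE and the case id are constructed, not real evidence."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired image: a 512-byte "boot sector" followed
# by some user data. Offsets are only meaningful within this sample.
SAMPLE_IMAGE = (b"MBR\x00" + b"\x00" * 508
                + b"user: alice\nnote: quarterly report\n" + b"\xff" * 64)


def sha256_hex(data: bytes) -> str:
    """Integrity hash of a complete image; recomputed whenever the data is handled."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only record of who handled an evidence item, when, what action they
    took and what the data hashed to at that moment. Each entry also carries the
    hash of the previous entry, so an edited, removed or reordered entry breaks
    the chain and is detected by log_intact()."""

    def __init__(self, case_id: str, original: bytes, handler: str):
        self.case_id = case_id
        self.reference_hash = sha256_hex(original)   # hash taken at acquisition
        self.entries = []
        self.record("acquisition: original imaged and hashed", handler, original)

    def record(self, action: str, handler: str, data: bytes, when: str = None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        data_hash = sha256_hex(data)
        entry = {
            "case": self.case_id,
            "seq": len(self.entries),
            "time": when,
            "handler": handler,
            "action": action,
            "data_hash": data_hash,
            "matches_original": data_hash == self.reference_hash,
            "prev": self.entries[-1]["entry_hash"] if self.entries else "",
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def log_intact(self) -> bool:
        """Re-derive every entry hash and check the back-links are unbroken."""
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def working_copy(original: bytes, custody: ChainOfCustody, handler: str) -> bytes:
    """Duplicate the original for examination and log the hand-over; the original
    itself is not touched again."""
    copy = bytes(original)
    custody.record("duplicate made for examination", handler, copy)
    return copy


def verify_copy(copy: bytes, custody: ChainOfCustody) -> bool:
    """True if the copy still hashes to the acquisition hash."""
    return sha256_hex(copy) == custody.reference_hash


def demo():
    """Walk through the procedure on the constructed image and return the results."""
    custody = ChainOfCustody("CASE-EXAMPLE-0001", SAMPLE_IMAGE, "imaging technician")
    copy = working_copy(SAMPLE_IMAGE, custody, "examiner A")
    ok_before = verify_copy(copy, custody)
    # Simulate a tool that wrote to the working copy (changed 'user:' to 'USER:').
    damaged = bytearray(copy)
    damaged[512:517] = b"USER:"
    damaged = bytes(damaged)
    ok_after = verify_copy(damaged, custody)
    custody.record("working copy failed verification; discarded, new duplicate to be made",
                   "examiner A", damaged)
    return ok_before, ok_after, custody
```

In practice the acquisition hash is also written into the case file independently of the log, so that a log which has been regenerated from scratch can still be checked against a value held elsewhere.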
If the investigation did not follow the guidelines and good forensic practice, the value of the evidence found would be in question.

In addition to the personnel requirements for establishing a forensics expertise, thought must also be given to the equipment required to perform such activities. The subsequent chapters provide an insight into the techniques and tools required to perform a forensic investigation, with the Resources section providing a reference. However, for the moment the dialogue will concentrate on the initial set-up requirements. In order to perform forensic analysis of systems, it is imperative that
the machine performing the analysis is a trusted one that has not been compromised. Typically this would involve having a stand-alone computer or, within a larger environment, a closed network with minimal network connections to essential services. A large part of the investigation will be to undertake string searches of the drive for specific keywords or file formats. With large storage devices this takes time, so having sufficient processing capacity and high-speed drives would assist in speeding up the process. A myriad of hardware and software components are then required to perform the actual investigation. Given the nature of the task, it is also important that the investigation takes place in a restricted room with strict physical access control. Maintaining the integrity of the investigation is paramount if the organisation decides it wishes to utilise the evidence for any formal civil or criminal proceedings.

It is worth highlighting that as computer forensics is a relatively new discipline, the speed of change regarding what is considered standard operating procedure is rapid. New developments within the area are pushing the envelope of what computer forensics is able to achieve. A decade ago, computer forensics involved the use of some elementary tools and hexadecimal editors that allowed you to view the actual data. Tools have since been developed that permit the extraction of files and whole file systems in a forensically sound manner. This has reduced the technical level of expertise required in many cases and has certainly speeded up the process of examination dramatically. The flip side to this is, unfortunately, that examiners now have to deal with far larger storage capacities than they did a decade ago.
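The keyword and file-format string search described above, as an added Python example (not from the pocket guide): it scans a constructed raw image for keywords in both ASCII and UTF-16LE and for a few well-known file signatures, reporting the byte offsets an examiner would then go and inspect in a hex editor. The sample image and the small signature table are assumptions made for the example; real signature tables are far larger.

```python
"""Keyword and file-signature search over a raw image, as a forensic workstation
would do before deeper examination. Added example; the image is constructed."""
import re

# File-format "magic" prefixes. A small table as an assumption for the example.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/ooxml": b"PK\x03\x04",
}


def build_sample_image() -> bytes:
    """Constructed image: mostly zero fill with a PDF header, a JPEG header, a ZIP
    header and a UTF-16LE string scattered through it."""
    parts = [
        b"\x00" * 300,
        b"%PDF-1.4 ... project falcon budget",      # ASCII keyword inside a PDF
        b"\x00" * 100,
        b"\xff\xd8\xff\xe0\x00\x10JFIF",            # JPEG/JFIF header
        b"\x00" * 50,
        b"PK\x03\x04",                               # ZIP local file header
        b"\x00" * 40,
        "confidential".encode("utf-16-le"),          # how Windows often stores text
        b"\x00" * 20,
    ]
    return b"".join(parts)


def find_keywords(image: bytes, keywords, encodings=("ascii", "utf-16-le")) -> list:
    """Case-insensitive search for every keyword in every listed encoding.
    Returns sorted (offset, keyword, encoding) tuples. UTF-16LE matters because
    a plain ASCII search silently misses much Windows registry and document text."""
    hits = []
    for keyword in keywords:
        for enc in encodings:
            pattern = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
            for match in pattern.finditer(image):
                hits.append((match.start(), keyword, enc))
    return sorted(hits)


def find_signatures(image: bytes, signatures=SIGNATURES) -> list:
    """Locate every occurrence of each magic prefix; returns sorted (offset, type)."""
    hits = []
    for name, magic in signatures.items():
        start = 0
        while True:
            pos = image.find(magic, start)
            if pos == -1:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def search_report(image: bytes, keywords) -> dict:
    """Combine both searches into one result an examiner can review."""
    return {"keywords": find_keywords(image, keywords),
            "signatures": find_signatures(image)}
```

A signature hit is only a candidate: the bytes may be a stale fragment in unallocated space rather than a live file, which is exactly why the offset is recorded for the examiner to follow up rather than treated as a result in itself.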

These advancements are continually being made. For instance, the meaning of the term proactive in forensics is beginning to change, from the proactive development of a forensic capability and design of organisational infrastructure to support forensic and incident analysis, to the detection of attacks. This is an extremely useful attribute for an organisation to have, as it means forensics is no longer merely a reactive tool to identify what has gone wrong, but can also be used as a mechanism for alerting that something has gone wrong. It is imperative for forensic investigators and organisations to stay on top of these developments as they frequently improve the efficiency and effectiveness of investigations.

Finally, when looking to establish a forensics expertise within your organisation there are a variety of factors that must be considered:

- People: cost of setting up the team in terms of recruitment, initial and ongoing training.
- Forensic laboratory: development of a forensic laboratory with sufficient equipment to carry out forensic investigations.
- Developing appropriate incident response procedures and understanding their effect and impact upon the organisation.
- Organisational policy: modifications to the security policy and employee contracts may be required to permit forensic investigation of employee systems.
- Organisational IT infrastructure (optional): development of the IT infrastructure to facilitate forensic investigations.
In order to understand the basics of undertaking a forensic investigation, two key elements need to be discussed. Chapter 3 deals with the first, that of forensic acquisition of hard drive data, and Chapter 4 introduces the techniques used to examine and analyse media.

CHAPTER 3: FORENSIC ACQUISITION OF DATA

A key theme in the digital forensics procedure is one of preservation of data. This is no more important than at the acquisition stage, where the investigator has to deal with the original suspect system. Securing data at this stage is imperative for the integrity of the investigation. This chapter focuses upon the procedures and tools available for the acquisition of data on a computer system. It will also give consideration to the decisions an examiner will have to make during the process and the effects they have upon the data integrity.

A computer system fundamentally has two sources of data that are of interest to a forensic examiner: volatile and non-volatile memory. Volatile memory primarily relates to the main RAM of a computer, but also includes cache memory and even register memory. Forensic investigations typically focus upon the main memory, as this has a significantly larger capacity than the other two, with systems commonly having 2-4 gigabytes (GB) of data. Non-volatile memory relates to all other media types that do not lose their data when the power source is removed. Hard drives are amongst the most common forms of memory, with capacities now in terabytes. However, a variety of removable media are now also commonly found (eg USB keys/thumb drives, iPods and SD cards) with varying storage capacities in the gigabyte range.
The first decision a forensic examiner is faced with is what to do with the suspect machine once an incident has been identified. If the system is switched off, the decision is somewhat simpler as all volatile memory will likely have been lost. If the system remains powered on, the forensic investigator needs to decide whether to power it off immediately, or to perform a live acquisition of the RAM and analysis of the system. Unless the examiner has a suspicion that damage could be done to this or other systems by keeping the machine running, they will typically perform a live acquisition and analysis. Examples of damage in this situation could include a process running on the machine that is forensically wiping the hard drive, a virus or worm that is corrupting data, or a machine being used to attack another system. When undertaking a live acquisition and analysis it is imperative that no changes (or in reality as few as possible) are made to the memory. In order to preserve the RAM, the first task of the examiner is to forensically copy this data. Once copied, a number of other tools can then be used to extract useful operating information about the system.
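The chapter stresses that the tools used during live analysis must be the examiner's own trusted copies rather than whatever happens to be on the suspect host. The following Python is an added example, not the pocket guide's or any vendor's code, showing one way to enforce that: the toolkit directory carries a hash manifest built on the forensic workstation, each tool is re-verified immediately before it runs, it is invoked by absolute path with an empty PATH, and every run is recorded together with the tool's hash and a hash of its output. The directory layout, the manifest format and the demo tool (a POSIX shell script standing in for a utility such as hostname.exe) are assumptions made for the example.

```python
"""Trusted live-response toolkit: verify every tool against a manifest built on
the forensic workstation, run it only by absolute path with an empty PATH, and
record each run. Added example, not the pocket guide's or any vendor's code; the
directory layout, manifest format and demo tool are assumptions."""
import hashlib
import os
import subprocess
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(toolkit_dir: str) -> dict:
    """Tool name -> SHA-256. Built once, on the trusted workstation, and carried
    with the toolkit (and ideally also kept separately, e.g. in the case file)."""
    return {name: sha256_file(os.path.join(toolkit_dir, name))
            for name in sorted(os.listdir(toolkit_dir))
            if os.path.isfile(os.path.join(toolkit_dir, name))}


def verify_toolkit(toolkit_dir: str, manifest: dict) -> list:
    """Names of tools that are missing or whose hash no longer matches."""
    problems = []
    for name, expected in manifest.items():
        path = os.path.join(toolkit_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != expected:
            problems.append(name)
    return problems


def run_trusted_tool(toolkit_dir: str, manifest: dict, tool: str, args=(), log=None):
    """Refuse to run anything unverified. The absolute path and empty PATH mean the
    suspect system's own copy of a same-named binary can never be picked up."""
    if tool not in manifest or verify_toolkit(toolkit_dir, {tool: manifest[tool]}):
        raise RuntimeError(f"{tool}: not in manifest or failed verification; not run")
    path = os.path.abspath(os.path.join(toolkit_dir, tool))
    result = subprocess.run([path, *args], capture_output=True, text=True,
                            env={"PATH": ""}, check=False)
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "tool": path,
        "tool_sha256": manifest[tool],
        "args": list(args),
        "exit": result.returncode,
        "stdout_sha256": hashlib.sha256(result.stdout.encode()).hexdigest(),
    }
    if log is not None:
        log.append(record)
    return result.stdout, record


def demo_toolkit():
    """Create a throw-away toolkit with one POSIX shell script standing in for a
    utility such as hostname.exe, and return (dir, tool_path, manifest)."""
    toolkit_dir = tempfile.mkdtemp(prefix="toolkit-")
    tool_path = os.path.join(toolkit_dir, "hostname.sh")
    with open(tool_path, "w") as fh:
        fh.write("#!/bin/sh\nprintf forensic-ws\n")
    os.chmod(tool_path, 0o755)
    return toolkit_dir, tool_path, build_manifest(toolkit_dir)


if __name__ == "__main__":
    d, p, m = demo_toolkit()
    out, rec = run_trusted_tool(d, m, "hostname.sh")
    print(out, rec["exit"])
```

The run record is what lets a third party later see exactly which binary (by hash) produced a given piece of volatile data, which is the live-analysis counterpart of the audit trail required by ACPO principle 3.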
A wide variety of freely available tools exist that can be used during the live analysis to capture pertinent data. These include:

- arp.exe
- attrib.exe
- cmd.exe
- dd.exe
- drivers.exe
- dumpel.exe
- Fport.exe
- hostname.exe
- ipconfig.exe
- net.exe
- netstat.exe
- netusers.exe
- openports.exe
- ps.exe
- psfile.exe
- psloggedon.exe
- pstat.exe
- rootkitrevealer.exe
- route.exe
- sniffer.exe

In order to ensure the integrity of the information received during the live analysis, it is important to use versions of the tools belonging to you (ie trusted) and not those that might be on the system being analysed: a compromised system may have had its own copies of cmd.exe or netstat.exe replaced or hooked. As such, it is common for forensic examiners to develop their own suite of tools for use in live acquisition and analysis. The range of tools will depend upon the systems being analysed and the information you wish to capture. Increasingly commonplace are commercial offerings that provide all the utilities on a single CD or USB drive. For example, e-fense,[8] a provider of forensic applications and tools, is one company that provides a self-contained USB key with all the tools and applications required to perform live acquisition and analysis. The Windows Forensic Toolchest[9] is an alternative open source tool specifically designed for automated incident response and audit. Even a trusted toolset still calls into the suspect system's kernel and libraries, so its output can be subverted by a kernel-level rootkit, which is why a rootkit detector such as RootkitRevealer features in the list above.

Once the live analysis is complete, the system can be powered down and taken to the forensic laboratory for acquisition of non-volatile storage. The acquisition of hard drive media (and that of removable media) can be achieved in a number of ways:

- Physically remove the drive from the suspect machine and connect it to the trusted forensic machine. The method of connection to the forensic system will depend upon the type of drive (ie IDE, SCSI, SATA) and what the forensic system is able to accept. A wide variety of cables, connectors and converters exist to facilitate this, and having a good mixture of this equipment when setting up the forensic laboratory saves time. When connecting the drive it is standard procedure to place a write blocker in line between the suspect drive and the forensic machine. The hardware write blocker will not pass any write commands to the suspect drive and so protects the integrity of the data. Again, write blockers can be purchased that function with a variety of hard drive types.[10]

- Use a network to establish a connection with the suspect machine. The standard approach here, if the suspect machine is within your physical control, is to boot the machine from a trusted CD or USB memory stick that contains an application to enable network communications and drive acquisition to take place. Your forensic machine then runs the client side of the connection and retrieves the drive image in a forensically sound manner. EnCase's LinEn is a popular example of this.[11]

[8] Live Response, e-fense (2009). www.e-fense.com
[9] Windows Forensic Toolchest, McDougal, M (2009). www.foolmoon.net/security
[10] Forensic Bridges, Tableau (2010). www.tableau.com
[11] EnCase eDiscovery, Guidance Software (2010). www.guidancesoftware.com

From an organisational perspective, it is not always possible to follow the previous steps when acquiring hard drive media. Many organisations have mission-critical systems that simply must remain on. Therefore, the ideal is not always available. Farmer and Venema[12] suggest four levels of data acquisition, in order of increasing accuracy:

- individual files
- back-up repositories
- individual disk partition, bit-for-bit acquisition
- entire disk, bit-for-bit acquisition.

If the evidence is stored or still remains within existing files, then both of the first two approaches would be successful in identifying the artefacts. The advantage of the latter two approaches is the wealth of information that can be obtained from unallocated clusters and from the operating system itself. The latter two are also distinguished from the former by the bit-for-bit acquisition process. To forensically acquire a drive, the ideal is to acquire every bit of information from the drive, so that a complete picture can be formed of the data that is stored. Realistically this is logical, as people will always tend to hide their criminal activities, and often by the time the forensic investigation has begun much of the evidence may no longer reside on the active file system.

A variety of bit-for-bit tools exist to facilitate the duplication process. The main decision to consider is whether you want a raw duplicate copy or a compressed image. The original method of forensically copying drives was to create a raw duplicate image of the drive. The Unix command 'dd' was widely adopted for this, as it performs a bit-for-bit copy. This means that, in order to copy a 250GB drive, the examiner also needs a 250GB or larger drive to store the duplicate image. It is also important when reusing drives in the forensic laboratory that drives are either new or forensically wiped, to ensure data from a previous investigation does not leak into the new investigation. The newer method of imaging is to compress the image. Applications designed to do this tend to be proprietary, but have the advantage of being able to add metadata to the image and compress its overall size, making storage of image data far more efficient. Guidance Software, AccessData and New Technologies, Inc. (NTI) all provide data acquisition tools that create compressed images (see Resources section for more information).

[12] Forensic Discovery, Farmer, D, and Venema, W, Addison Wesley (2005), ISBN: 0321525507.

The chapter began by referring to the fact that preservation of data is imperative at this stage. The process of ensuring preservation of data comes from traditional information security and the need to ensure integrity of data. The universal tool used for this is the hash function. A hash function takes a variable-length input and produces a fixed-length output that, for all practical purposes, identifies the input; the output is often referred to as a fingerprint of the data. Two algorithms have traditionally been utilised:

- Message Digest 5 (MD5): a 128-bit output, created by Ronald Rivest[13]
- Secure Hash Algorithm (SHA-1): a 160-bit output, published by NIST[14]

By hashing the suspect drive before acquisition to obtain its fingerprint, and then comparing that output with the hash of the duplicate, an examiner is able to verify that an exact bit-for-bit copy of the drive has been produced. Hashing can also be applied to files, folders or partitions to demonstrate that, upon acquisition and subsequent analysis, the examiner has not modified the data in any way. Note that practical collision attacks have since been published against MD5 (and, later, against SHA-1): an adversary can construct two different inputs with the same hash. That does not undermine verification of a copy the examiner made, which relies on nobody being able to alter a given image without changing its hash, but current practice is to record a SHA-256 hash alongside MD5 or SHA-1 so that the record does not depend on a single weakened algorithm.

Once the drive or partition has been acquired and the integrity verified, the examiner need no longer work with the original suspect drive or system. Indeed, it is standard procedure to carefully store the original evidence under lock and key in order to maintain the chain of custody, giving careful consideration to environmental factors that might affect the quality of the evidence (eg keeping hard drives away from magnetic sources). Creating a second duplicate of the drive is also common practice, to help ensure the original drive is never required again: if changes are made to the working duplicate, the second copy can be used to re-image it.

[13] The MD5 Message-Digest Algorithm, Rivest, R, Network Working Group RFC 1321 (1992). www.ietf.org/rfc/rfc1321.txt
[14] FIPS PUB 180-1: Secure Hash Standard, NIST (1995). www.itl.nist.gov/fipspubs/fip180-1.htm
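To make the verification step concrete, here is an added example (not code from the book) that images an in-memory 'drive' dd-style, hashes source and image in a single pass, and shows that a single flipped bit in the copy fails verification. The sample drive contents, the one-pass multi-algorithm hashing and the SHA-256 recorded alongside MD5 and SHA-1 are this editor's choices, not the book's; in practice the source stream would be the suspect device opened read-only behind a write blocker, and the image stream the output file.

```python
"""Verify a bit-for-bit acquisition by hashing source and image.

Added example, not from the book. Both "drive" and "image" are in-memory
byte buffers constructed here so it runs offline; against real media the
same functions would be pointed at the block device (read-only, behind a
write blocker) and at the image file.
"""
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads: a disk never fits in memory at once


def hash_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Single pass over the stream, feeding every byte to each digest.

    Returns {algorithm: hexdigest}. One pass matters on real media: reading
    a 2 TB drive once per algorithm would triple the time spent.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire_raw(source, sink):
    """dd-style bit-for-bit copy: no parsing, no skipping, every byte."""
    total = 0
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        sink.write(block)
        total += len(block)
    return total


def verify_acquisition(source_bytes, image_bytes):
    """Return (match, source_hashes, image_hashes).

    match is True only if every recorded algorithm agrees. Hashing the
    source before imaging and the image afterwards is what lets the examiner
    show both that the copy is exact and that the original was not altered.
    """
    src = hash_stream(io.BytesIO(source_bytes))
    img = hash_stream(io.BytesIO(image_bytes))
    return src == img, src, img


# Constructed sample "drive": 3 MiB of filler with one recognisable fragment,
# so the copy is non-trivial in size and content.
SAMPLE_DRIVE = (b"\x00" * (2 * CHUNK)
                + b"CONFIDENTIAL: quarterly figures"
                + b"\xff" * (CHUNK - 31))


def demo():
    """Image the sample drive, verify it, then show one flipped bit failing."""
    sink = io.BytesIO()
    copied = acquire_raw(io.BytesIO(SAMPLE_DRIVE), sink)
    ok, src, _ = verify_acquisition(SAMPLE_DRIVE, sink.getvalue())

    tampered = bytearray(sink.getvalue())
    tampered[CHUNK + 7] ^= 0x01  # one bit, deep inside the zero-filled region
    bad, _, _ = verify_acquisition(SAMPLE_DRIVE, bytes(tampered))
    return copied, ok, bad, src


if __name__ == "__main__":
    n, ok, bad, hashes = demo()
    print(f"copied {n} bytes; intact copy verifies: {ok}; flipped-bit copy verifies: {bad}")
    for alg, hx in hashes.items():
        print(f"  {alg}: {hx}")
```

The hashes returned by demo() are what would be written into the acquisition notes together with the device serial number and the time, so that anyone can later re-hash the image and confirm it is the one that was taken.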
Acquisition and storage of hard drive media is an essential step in the computer forensics procedure. Whilst tools are freely available to undertake this process, careful consideration is required over the hardware, software and procedures an organisation is to adopt; incompatibilities between hard drive interfaces, access to the BIOS for modifying the boot sequence, driver versions, organisational policies and logistics can all hinder the acquisition. However, once successfully acquired, the drive can then be analysed.
CHAPTER 4: FORENSIC ANALYSIS OF DATA

The purpose of this chapter is to provide an insight into how to undertake an analysis of a forensic image. General topics will be discussed, such as dead analysis and file carving. However, the nature of an analysis is very much dependent upon the underlying file system being used by the operating system. Owing to its popularity, this chapter will specifically focus upon the Windows file system and operating system. How to identify forensic evidence from various aspects of the system, such as file slack, e-mail, Internet history and virtual memory, will all be discussed.

The process of forensically analysing images very much depends upon the suspected nature of the incident. For instance, malware incidents leave very different artefacts from cases where employees have been misusing computer systems (eg downloading and/or distributing pornography). For those incidents involving people, it is also important to consider the technical capability of the individual involved. Those with more technical knowledge potentially have the ability to hide data within the system more effectively, therefore requiring a different approach and level of analysis.

The analysis of the drive can be achieved in two ways: live and dead analysis. Traditionally, the forensic procedure has focused upon dead analysis, analysing the forensic image from your trusted forensic system. The data on the image never changes and the integrity of the data is therefore simpler to maintain. For most investigations, this form of analysis is sufficient. A live analysis is where you utilise the operating system (OS) on the suspect image to collect evidence, booting from the suspect image (or, more safely, from a working copy of it).

Within dead analysis, forensic file system analysers are able to interpret a specific file system and subsequently recreate the file system for you. In order to achieve this, the analysers must understand the exact nature of the file system, from the location and operation of its structures to the interpretation of the file record metadata. Before these tools were available, the forensic examiner would have had difficulty in establishing file paths and understanding the structure of the file system without performing a live analysis in which the host OS interpreted the file system for the examiner. File system analysers also allow the examiner to acquire all the metadata about the files and folders, such as modified, accessed and created timestamps, which is essential in understanding an investigation. Numerous such analysers now exist: EnCase, FTK and Autopsy are three popular tools (see Resources section for more information). Figure 1 below provides an illustration of the output that can be seen from such a tool. The tool has a number of key areas: the file system tree view (upper left in Figure 1); a folder list (upper right in Figure 1); and a detailed file view (lower right in Figure 1).
Figure 1: Screenshot of the file system from EnCase

In addition to recreating the file system, these tools will also identify and list deleted folders and files that are still present within the file system. The extent to which the file is actually still present depends upon the state of the system at that particular point in time. Various situations arise with regard to deleted files:

- The file system still contains the record with all metadata and file data.
- The file system contains the record with metadata, but the file contents themselves have been overwritten.
- The file system no longer contains the record with metadata, but the file contents still exist on the image.

In addition to these situations, the file contents can also be partially overwritten. The ability of a forensic examiner to retrieve the information in a partially overwritten case depends upon which bytes of the file are overwritten and which tools are being used. In the first two cases, the analyser will list what information is available within the file system view and, where possible, link to the file itself. In the final situation, the file system is unable to list the file, but performing file carving and string searches on the complete drive can reveal it.

Before proceeding to explain forensic analysis further, it is necessary to briefly introduce file systems. Each file system operates differently and is technically complicated, but their operation can be highly valuable to a forensic examiner; they frequently perform tasks that a user is unaware of and that could leave artefacts of interest. For instance, when deleting a file in Windows, a user may consider the file to be removed from the drive, whereas the file system simply marks the entry as available. In order to be able to undertake a forensic analysis of a system it is therefore imperative that the examiner has the knowledge and understanding of the system to know where to look for evidence. A number of specific texts have been written on the different file systems to assist the forensic examiner; information on these is located in the Resources section. The discussion from this point will cover the New Technology File System (NTFS) and the Windows OS. However, many of the techniques and procedures are also valid for other systems. The discussion will focus upon the primary methods used to analyse a system:
- common techniques for investigation
- exploring user activity and communication
- file carving
- virtual memory
- registry.

If you are performing an investigation where the source of evidence is not a bit-for-bit copy (ie a back-up dataset), the only approaches available to the examiner are the first and second methods. The remaining approaches assume a bit-for-bit copy of the hard drive, with the final two methods only available if the drive image has an OS installed on it.

Common investigative techniques include simple searches through the file system for files and data of interest to the investigation. The 'My Documents' folder for an individual could be a valuable source of evidence if the person concerned has been saving information pertaining to the incident. Looking through the Recycle Bin and within the deleted folders and files would also be a useful place to start. A primary tool for the investigator is being able to search through the drive for keywords or file types. If you are looking for images, you can perform a search to find all JPEG or bitmap images, etc. A very simple hiding technique used by novice computer users is to modify the file extension to something else in order to avoid such searches. However, most commercially available tools, such as EnCase and FTK, are able to verify the signature of each file to ensure the file extension matches the file header (the 'magic number' in the file's first bytes). These keyword searches are able to scan through the entire disk, including unallocated clusters.
In order to reduce the number of files requiring analysis, it is useful to remove all files that pertain to the OS and standard applications. Hash values of every file can be compared to a reference source. Those with matching hash values are known files and can therefore be removed from the analysis. NIST has developed the National Software Reference Library (NSRL),[15] which is freely available and integrates into many forensic analysers. This significantly reduces the burden upon the investigator. It is also extremely useful in malware and hacking investigations, as it quickly becomes evident which OS files have been infected or modified: a file carrying a system file's name but not its reference hash is a file to examine. Note that 'known' is not the same as 'benign'; the NSRL also catalogues hacking tools and other software, so a match identifies a file rather than clearing it.

[15] National Software Reference Library, NIST (2010). www.nsrl.nist.gov

Once the basic level of analysis has been completed and all the obvious places of interest have been investigated, the examiner can turn to analysing application-specific data. As applications tend to create temporary information during their operation, this can be used to identify what has been happening. Which applications the examiner will investigate will depend upon the nature of the investigation; if the incident is concerned with illegal access to a database system, the focus for the investigator will be upon the database application logs. Common applications that are investigated, however, include web browsers, e-mail and instant messenger clients, and office documents. In each of these cases, the files (temporary or not) created by the application tend to be proprietary and are therefore stored in a proprietary format. The choices for the examiner in this situation are:
- Obtain information from the software vendor on the structure and format of the file.
- View the file in hexadecimal and translate the contents.
- Install the application on a forensics machine, extract the file of interest and use the application to view the file contents.
- Use an inbuilt viewer within the forensics tool to view the file.

For common applications such as web browsers, e-mail clients and image viewers, commercial forensic tools contain an inbuilt viewer for the proprietary files. For example, Figure 2 below illustrates the view from EnCase when analysing e-mail. For other applications, the examiner will need to extract the file and use the application to view it. It is extremely time-intensive to go to the effort of understanding and translating a file structure. However, with many organisations having bespoke applications, this is sometimes necessary.

Figure 2: An illustration of EnCase's e-mail history view
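As an added illustration of the known-file filtering described earlier in this chapter (not code from the book), the following Python sorts files from an image into known, modified and unknown buckets using a small constructed hash set that stands in for an NSRL extract. The file contents, paths and hashes are all constructed for the example; a real NSRL RDS row also carries MD5, CRC32, file size and product information, and a real analyser reads the file bytes from the image rather than from a dictionary.

```python
"""Known-file filtering with a reference hash set (NSRL-style).

Added example, not the book's code. KNOWN_GOOD is a constructed stand-in
for an NSRL RDS extract (a real row also carries MD5, CRC32, file size and
product code); SAMPLE_IMAGE is a constructed path -> content mapping
standing in for files read from the forensic image.
"""
import hashlib
import ntpath


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Reference set: SHA-1 -> file name. Constructed contents, not real binaries.
KNOWN_GOOD = {
    sha1_hex(b"MZ...genuine notepad binary..."): "notepad.exe",
    sha1_hex(b"MZ...genuine svchost binary..."): "svchost.exe",
    sha1_hex(b"MZ...genuine calc binary..."): "calc.exe",
}
KNOWN_NAMES = set(KNOWN_GOOD.values())


def triage(files, reference=KNOWN_GOOD, names=KNOWN_NAMES):
    """Sort files into three buckets by comparing hashes with the reference.

    known    - hash matches a reference entry: an identified OS/application
               file, dropped from further analysis. 'Known' is not 'benign':
               the NSRL also catalogues hacking tools, so a hit identifies a
               file rather than clearing it.
    modified - the name is that of a known file but the hash is not: a
               patched/infected system file, or a trojan borrowing a system
               name. This is the bucket malware and intrusion cases care about.
    unknown  - neither: user data, bespoke software, anything unidentified
               that still needs a look.
    """
    buckets = {"known": [], "modified": [], "unknown": []}
    for path, content in files.items():
        digest = sha1_hex(content)
        name = ntpath.basename(path).lower()   # ntpath: Windows paths on any host
        if digest in reference:
            buckets["known"].append(path)
        elif name in names:
            buckets["modified"].append(path)
        else:
            buckets["unknown"].append(path)
    return buckets


SAMPLE_IMAGE = {
    r"C:\Windows\notepad.exe": b"MZ...genuine notepad binary...",
    r"C:\Windows\System32\svchost.exe": b"MZ...genuine svchost binary...",
    r"C:\Windows\System32\calc.exe": b"MZ...backdoored calc binary...",      # right name, wrong bytes
    r"C:\Users\jdoe\Documents\figures.xls": b"\xd0\xcf\x11\xe0 spreadsheet data",
    r"C:\Temp\svchost.exe": b"MZ...dropper using a system file name...",
}

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_IMAGE).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

The 'modified' bucket is the one to read first in a malware case: it contains both the genuine system file that no longer hashes to its reference value and the copy of svchost.exe in C:\Temp, which is using a system name in a location where the real file never lives.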



Before discussing file carving, it is worthwhile to introduce the concept of file slack. File slack is one reason why bit-for-bit duplication of drives is useful to the examiner. File slack is an area of the drive that can contain valuable information from deleted files. In order to understand file slack, some hard drive and operating system details are required. The smallest addressable unit of storage on a hard drive is referred to as a sector. In Windows, a sector is typically 512 bytes. Sectors are grouped into clusters, with a cluster having 1-128 sectors (4KB, ie eight sectors, is the usual NTFS default). From a file system perspective, the smallest data area that is allocated is the cluster. As illustrated in Figure 3, when the OS is writing to a disk, should the file it is writing not be an exact multiple of the cluster size, then an area of the cluster is left over. This is referred to as file slack. Every complete unused sector within the cluster is simply not written, and therefore any contents previously stored in those sectors remain. In addition, the hard drive itself must write in whole sectors. Should the file contents stop midway through a sector, the OS has to fill the remainder of that sector with something. In older versions of Windows (such as Windows 98) the contents for this came from RAM, which is potentially an extremely useful source of evidence; newer versions of the OS simply zero out that space. This type of slack is commonly referred to as RAM slack.

Figure 3: RAM and file slack
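The sector and cluster arithmetic above, worked through in code as an added example (not the book's): slack_layout computes RAM slack and file slack for a given file size, write_into_cluster simulates a small file being written over a reused cluster the way a modern Windows does (touched sectors rewritten, the tail of the last one zero-filled, untouched sectors left alone), and recover_file_slack reads the old contents back from the file slack. The 4KB cluster, the deleted 'memo' contents and the new file are constructed for the example.

```python
"""Sector/cluster arithmetic for RAM slack and file slack.

Added example, not from the book. Sizes are the Windows defaults the text
gives: 512-byte sectors and, here, 8 sectors per cluster (4 KiB), the
usual NTFS default.
"""
SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (clusters_used, ram_slack_bytes, file_slack_bytes).

    ram_slack  - bytes from the end of the data to the end of its last
                 sector; the drive writes whole sectors, and modern Windows
                 fills this with zeros.
    file_slack - whole sectors in the last cluster that the file does not
                 reach; the OS never writes them, so old contents survive.
    """
    if file_size == 0:
        return 0, 0, 0
    clusters = -(-file_size // cluster)              # ceiling division
    last_sector_fill = file_size % sector
    ram_slack = 0 if last_sector_fill == 0 else sector - last_sector_fill
    sectors_touched = -(-file_size // sector)
    file_slack = clusters * cluster - sectors_touched * sector
    return clusters, ram_slack, file_slack


def write_into_cluster(old_cluster, new_data, sector=SECTOR):
    """Simulate the OS writing new_data (at most one cluster) into a reused cluster.

    Sectors the data reaches are rewritten in full, the tail of the last one
    zero-filled (RAM slack); sectors beyond that are left exactly as they were.
    """
    assert len(old_cluster) == CLUSTER and 0 < len(new_data) <= CLUSTER
    sectors_touched = -(-len(new_data) // sector)
    written = new_data + b"\x00" * (sectors_touched * sector - len(new_data))
    return written + old_cluster[len(written):]


def recover_file_slack(cluster, logical_size, sector=SECTOR):
    """What an examiner can read from a cluster given the file's logical size (from the MFT)."""
    sectors_touched = -(-logical_size // sector)
    return cluster[sectors_touched * sector:]


# Constructed scenario: a cluster once held a now-deleted memo; a short new
# file has since been written there.
OLD_MEMO = (b"MEMO: transfer the funds via the offshore account on Friday. " * 80)[:CLUSTER]
NEW_FILE = b"hello world, this is a small text file.\r\n"


def demo():
    cluster = write_into_cluster(OLD_MEMO, NEW_FILE)
    slack = recover_file_slack(cluster, len(NEW_FILE))
    return slack_layout(len(NEW_FILE)), slack


if __name__ == "__main__":
    (clusters, ram_slack, file_slack), slack = demo()
    print(f"{len(NEW_FILE)}-byte file: {clusters} cluster, {ram_slack} bytes RAM slack, "
          f"{file_slack} bytes file slack")
    print("first 60 bytes recovered from file slack:", slack[:60])
```

A 41-byte file in a 4KB cluster leaves 471 bytes of (zeroed) RAM slack and seven whole sectors, 3584 bytes, of file slack, and every byte of the old memo in those seven sectors is still readable from a bit-for-bit image even though no file record points at it.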

The problem with file slack is that it simply contains file data. In many cases, all of the metadata associated with the file and stored in the file system (the Master File Table (MFT) in NTFS) is lost. Therefore, the examiner would not know the file existed. This is where a process called file carving becomes very useful. File carvers do not need any metadata about the file but simply trawl through the disk looking for file headers and footers. Once the start and end of a file have been identified, the file can be extracted, or carved, from the disk. In addition to file slack, file carving is also extremely useful when searching through unallocated areas of the disk.[16] Given the dynamic nature of the file system, many files in slack space and unallocated space no longer have their complete contents intact. Frequently, only partial file fragments exist, with bits of the header, footer or file contents missing.

[16] Unallocated areas are clusters that the file system is not currently using. However, this is not to say these clusters were not previously used, and they may therefore still contain the contents of what was previously stored there.
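As an added example serving both the extension-versus-signature check mentioned under common investigative techniques and the header/footer carving described here (not code from the book), the Python below drives both from one magic-number table: check_signature flags a file whose extension disagrees with its header, and carve scans a raw image for every known header and its matching footer, returning a truncated result where the footer is missing, which is the partially overwritten or fragmented situation the text warns about. The three signatures, the stub files and the raw image are constructed; a real carver such as foremost or Scalpel ships a far larger table.

```python
"""File signature checking and header/footer file carving.

Added example, not from the book. The signature table covers three common
types (real tools ship hundreds); the raw image is constructed in memory.
"""
import re

# Magic numbers: (header bytes, footer bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
}
ALIASES = {"jpeg": "jpg"}


def check_signature(name, head):
    """Compare the file extension with the magic number in the first bytes.

    Returns (claimed_type, detected_type, mismatch). A mismatch is the
    'rename secret.jpg to notes.txt' trick, or the reverse.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    detected = next((t for t, (hdr, _) in SIGNATURES.items() if head.startswith(hdr)), None)
    return claimed, detected, detected is not None and claimed != detected


def carve(image, max_size=10 * 1024 * 1024):
    """Find every known header in the image, then look for its footer.

    Returns a list of (offset, type, data, complete) sorted by offset. Where
    no footer is found within max_size the data is cut at max_size and
    complete is False: this is the overwritten/fragmented case, which simple
    header-to-footer carving cannot reassemble.
    """
    found = []
    for ftype, (hdr, ftr) in SIGNATURES.items():
        for m in re.finditer(re.escape(hdr), image):
            start = m.start()
            end = image.find(ftr, start + len(hdr), start + max_size)
            if end == -1:
                found.append((start, ftype, image[start:start + max_size], False))
            else:
                end += len(ftr)
                found.append((start, ftype, image[start:end], True))
    return sorted(found)


# Constructed raw image: filler, one complete JPEG stub, a PNG stub whose
# IEND footer has been overwritten, and a small PDF stub.
FULL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
TRUNC_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 30   # IEND gone
SMALL_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
RAW_IMAGE = (b"\x00" * 100 + FULL_JPEG + b"\xaa" * 64 + TRUNC_PNG
             + b"\x00" * 200 + SMALL_PDF + b"\x00" * 50)


def demo(max_size=64):
    return carve(RAW_IMAGE, max_size=max_size)


if __name__ == "__main__":
    for off, ftype, data, complete in demo():
        state = "complete" if complete else "TRUNCATED (no footer)"
        print(f"offset {off:5d}  {ftype}  {len(data):3d} bytes  {state}")
    print(check_signature("holiday.txt", FULL_JPEG[:16]))
```

Because max_size bounds the search for a footer, a header whose footer was overwritten yields a fixed-size fragment rather than running to the end of the disk; on a real image max_size is set per type (a few MB for JPEGs, more for video) and the truncated results are the ones handed to the smarter carving methods the next paragraph describes.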
Moreover, many files are stored on disk in non-sequential order (ie fragmented), making it difficult for a file carver simply to extract all data from the beginning of the header to the end of the footer. Therefore, a variety of file carving mechanisms have been developed to assist in extracting such files, including semantic carving, fragment recovery carving and SmartCarving (see Resources section for further information).

Within a Windows OS, there are two further aspects of particular interest to a forensic examiner: the virtual memory and the Registry. When a system does not have sufficient RAM to operate, the OS creates a space on the hard drive and uses this to extend the RAM capacity. Referred to as virtual memory, this file can be considerable in size and contain RAM-based memory from the previous session. During each new session the memory is overwritten with the new session data, although slack data from previous sessions can still remain. This is one reason why care should be taken when booting from the suspect drive, as previous session information will be overwritten and lost. The size of this file can be in the order of gigabytes. Whilst the discussion has focused upon hard drive analysis, RAM-based data can also be extremely useful in understanding what the user and/or system was doing during the last session. This area of memory can also contain a variety of artefacts such as encryption keys and passwords. The virtual memory, therefore, is a useful source to examine further. On Windows XP systems, this file is named 'pagefile.sys' and is located in the root directory of the system drive. Analysing this type of file, however, is more difficult than others because of the lack of file structure. With other files, a header, footer and file structure exist for understanding the file. With the virtual memory, this understanding resides with the active OS, and so the file itself carries no structure. As a result, the examiner needs to perform a series of string searches on the file in order to try and identify relevant artefacts.

The remaining area of discussion for this chapter is the Registry. The Registry is a hierarchical database that contains the configuration settings for the OS and applications. It is the Registry that also holds the users' authentication credentials (as password hashes in the SAM hive). As a vast source of information about the system (what has been installed, when the system was last running, who the users are, what network cards are present, etc), the Registry is an extremely useful source of evidence. The Registry is not stored on the file system as a single file, but principally in five files: Sam, Security, Software, System and Default,[17] with each user's own settings in that user's NTUSER.DAT. The OS is responsible for assembling the Registry when loading. Obviously, when forensically analysing the system, unless you are performing a live analysis, the Registry will not exist as a whole but as separate files. In this situation, as with the procedure for proprietary files, you can extract the files and then use a Registry viewer to understand the contents, or use commercial software such as EnCase or FTK and its built-in Registry viewer to extract the information for you.

[17] 'Windows Registry Information for Advanced Users', Microsoft (2008). http://support.microsoft.com/kb/256986
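Returning to the virtual memory discussion above: because pagefile.sys has no structure, the examiner falls back on string searches. The following added example (not the book's code) extracts both ASCII and UTF-16LE printable runs together with their offsets, since Windows holds most in-memory text as UTF-16LE and a plain ASCII 'strings' pass misses it, and then runs a keyword search over the results. The page-file fragment, the URL and the credential in it are constructed; the same functions apply unchanged to a RAM dump.

```python
"""Pull ASCII and UTF-16LE strings out of unstructured memory (pagefile.sys
or a RAM dump) and search them for keywords.

Added example, not from the book. Windows stores most in-memory text as
UTF-16LE, so an ASCII-only pass misses a large share of the evidence; this
scans for both. SAMPLE_PAGEFILE is a constructed fragment.
"""
import re


def extract_strings(blob, min_len=6):
    """Return [(offset, encoding, text)] for every printable run of at least min_len.

    Offsets are into the blob, which is what an examiner records so a hit
    can be revisited in a hex viewer and its surroundings examined.
    """
    out = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable ASCII character is followed by a zero byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(out)


def search(strings, keywords):
    """Case-insensitive keyword search over extracted strings."""
    kws = [k.lower() for k in keywords]
    return [s for s in strings if any(k in s[2].lower() for k in kws)]


# Constructed page-file fragment: binary noise, an ASCII URL, a UTF-16LE
# credential left behind by an application, a run too short to report, and
# a fragment of an HTTP request.
SAMPLE_PAGEFILE = (
    b"\x00\x13\x37\xde\xad" * 20
    + b"http://intranet.example.test/payroll/export.cgi?user=jdoe"
    + b"\x00\x00\xff\xfe" * 7
    + "Password=Summer2010!".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
    + "key".encode("utf-16-le")          # 3 characters: below min_len, not reported
    + b"\x80\x81"
    + b"GET /login HTTP/1.1"
)


def demo():
    strings = extract_strings(SAMPLE_PAGEFILE)
    hits = search(strings, ["password", "payroll"])
    return strings, hits


if __name__ == "__main__":
    strings, hits = demo()
    print(f"{len(strings)} strings extracted, {len(hits)} keyword hits")
    for off, enc, text in hits:
        print(f"  0x{off:08x} {enc:9s} {text}")
```

On a multi-gigabyte pagefile the same two regular expressions are run over the file in windows rather than on one bytes object, and the keyword list comes from the case (user names, host names, document titles, the suspected application) rather than from a fixed set.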
The chapter has provided a preliminary insight into the forensic analysis of media, demonstrating that evidence can be located in a variety of areas. Even data thought to have been lost for some time might still reside on the drive in unallocated clusters or file slack. Unfortunately, owing to the dynamic nature of the file system, it is difficult to predict exactly what will or will not be present at any point in time. It is therefore imperative that systems are acquired speedily upon identification of an incident. For links to further information on forensic analysis of computers please refer to the Resources section.
CHAPTER 5: ANTI-FORENSICS AND ENCRYPTION

As computer forensics becomes better understood, a variety of tools and techniques have been developed to hide evidence, remove artefacts or restrict forensic analysis. Tools, for instance, include the ability to forensically delete Internet histories so that organisations are not able to establish misuse, and the ability to modify timestamps so that establishing a chronology of an incident becomes impossible. This chapter will introduce the topic of anti-forensics and encryption, and explain to what extent they can hinder a forensic investigation.

The use of cryptography to secure data is increasing and introduces a significant barrier for the forensic examiner. The nature of the encryption can vary from complete hard drive encryption, through either hardware or software means, to encryption of particular folders and files. Indeed, it is not uncommon to use both approaches, as the key used to encrypt the drive is universal to all contents on the drive, and there might be files that a user wishes to protect further. The forensic examiner must consider each and decide upon an appropriate procedure. In some cases it is possible to retrieve the key material through legal means, with legislation such as the UK Regulation of Investigatory Powers Act (RIPA),[18] but this is only open to law enforcement agencies to enforce.[19] Therefore, from an organisational perspective, the examiner will need to look to other approaches. Cracking the cryptography itself is certainly not a viable approach: the key space of a modern cipher is far too large for brute force. Establishing whether known weaknesses or vulnerabilities exist in the specific technology or application, and being able to break the protocol, is a possibility, but again examiners would only ever use known weaknesses rather than look for new ones. The most effective method is to locate the key material and, if required, crack the password that protects it; a user-chosen password has far less entropy than the key it unlocks. A variety of password crackers exist with varying functionality, from recovering Windows log-in passwords and revealing cached passwords to recovering passwords from sniffing the network. Table 1 below illustrates a few of the more notable examples.

Tool name     Description
Cain & Abel   Recovers a variety of passwords from Windows systems
L0phtCrack    Windows password recovery
Ophcrack      Cracks Windows passwords using rainbow tables. Interestingly, this tool is also able to crack the more secure NTLM hashes as well as the LM hashes.

Table 1: Password cracking software

[18] Regulation of Investigatory Powers Act, Crown Copyright (2000). www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_1
[19] It is an interesting aside from an organisational perspective, however, to highlight the need for an organisation to manage and store its key material. Failure to provide the key material when requested will result in a breach of the act.

From a forensics perspective, one of the most valuable opportunities for capturing this data is during a live analysis. After all, if the system is up and running, the encrypted drive is mounted in decrypted form, and if applications that require passwords are in operation, the key material required to achieve this could well be contained within the RAM. However, this is not necessarily a simple task, as the examiner has to trawl through gigabytes of unstructured data in search of the key.

In addition to being a legitimate tool advocated by information security practitioners, encryption is also a tool that assists an attacker in obfuscating data, thereby making it a valuable asset for any hacker. Indeed, a number of tools reside in the grey space between legitimate and illegitimate. Packers, virtualisation and steganography all have legitimate purposes, but are also frequently used by hackers to evade detection. It is outside the scope of this text to discuss every aspect; however, steganography in particular is a topic being given an increasing focus.
Steganography is the science of hiding data where nobody, apart from the sender and the intended recipient, suspects the existence of the message. With cryptography, whilst the information is unreadable without the key material to decrypt it, the examiner is still aware of the existence of the message, which in itself raises sufficient suspicion to want to decode it. With steganography, the data to be kept secure is hidden within another, typically benign, file. Whilst the examiner is aware of the benign file, they have no awareness of the hidden data, which effectively acts as a covert channel. The data or file to be hidden is placed within a carrier file. Whilst carrier files could be anything, image, music and video files are frequently used. There are also a variety of mechanisms used to achieve steganography; the earliest types simply replaced the least significant bits of each sample, the bits that contribute least to the perceived content of the original file. With images, this results in an image that is indistinguishable from the original to the naked eye. Whilst tools such as StegAlyzerSS [20] and StegSecret [21] attempt to detect the presence of steganography, given the variety of mechanisms by which it can be achieved, the reliability of such tools is questionable. They can only test and detect for steganography using mechanisms and approaches that are known about. If you subsequently apply cryptography to the hidden message prior to applying steganography, the challenge of identifying whether the image has hidden data becomes one of probabilities, as any extracted data will simply appear to be random. With the presence of user-friendly steganography tools such as S-Tools [22], it is very simple for the technically naive to use steganography, yet it is increasingly challenging for examiners to identify sources of it.

In addition, there are a variety of tools whose purpose is completely illicit. The Metasploit Anti-Forensics Project [23], for instance, has developed a number of tools that directly affect the value of information obtained during an investigation:
- Timestomp can modify all four NTFS timestamp values (created, modified, accessed and MFT-entry changed) held in a file's $STANDARD_INFORMATION attribute. The copies of those timestamps held in the $FILE_NAME attribute are not rewritten through the ordinary file API, so a mismatch between the two sets is one of the checks an examiner can make.
- Slacker allows you to hide files within NTFS file slack, the unused space between the end of a file's data and the end of its last allocated cluster, which normal file listings never show.
- SAM Juicer dumps the password hashes from the SAM and does so in memory, without leaving any trace on the hard drive.

The existence of such tools is beginning to raise questions over the reliability of evidence gleaned from forensic investigations, with some suggesting that such evidence has little legal grounding. [24] It is certainly evident with such tools that caution should be placed on evidence obtained from the forensic investigation of a single system alone. Rather, a wider variety of sources are required, both forensic and traditional, to ensure that a more appropriate perspective of the incident is obtained.

[20] StegAlyzerSS Steganography Analyser Signature Scanner, SARC (2010). www.forensicpeople.com/products.asp?tProductGroupId=5&tProductId=50
[21] 'StegSecret: A Simple Steganalysis Tool ;)', Munoz, A (2007). http://stegsecret.sourceforge.net
[22] S-Tools (2010). Available from www.jjtc.com/Security/stegtools.htm
[23] 'Metasploit Anti-Forensics Project', Liu, V (2010). www.metasploit.com/research/projects/antiforensics
[24] 'The Rise of Anti-Forensics', Berinato, S, CXO Media (2007). www.csoonline.com/article/221208/The_Rise_of_Anti_Forensics
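The least-significant-bit mechanism described above, and the point that an encrypted payload leaves a signature scanner nothing to recognise, as an added example that is not part of this guide. The carrier is a constructed 8-bit raster, the message and the seeded XOR keystream are stand-ins chosen for the demonstration (the keystream is not a real cipher and must not be used as one), and `looks_like_text` is an assumed stand-in for the kind of signature check a tool such as StegAlyzerSS applies to embedding layouts it knows about.

```python
import random
import struct

HEADER = 4   # bytes of big-endian length prefix written before the payload


def embed_lsb(carrier, payload):
    """Hide payload in the least significant bit of successive carrier bytes (one bit per byte).

    A 32-bit length prefix lets the extractor know where the payload ends. Every carrier byte
    changes by at most 1, which is why the result is visually indistinguishable from the original.
    """
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(carrier):
        raise ValueError(f"carrier holds at most {len(carrier) // 8 - HEADER} payload bytes")
    out = bytearray(carrier)
    for i in range(len(data) * 8):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(stego, first_byte, count):
    """Reassemble 'count' bytes from the LSBs of stego, starting at carrier byte 'first_byte'."""
    buf = bytearray()
    for n in range(count):
        v = 0
        for b in range(8):
            v = (v << 1) | (stego[first_byte + n * 8 + b] & 1)
        buf.append(v)
    return bytes(buf)


def extract_lsb(stego):
    """Recover a payload written by embed_lsb; raises ValueError if the header cannot be valid."""
    if len(stego) < HEADER * 8:
        raise ValueError("carrier too small to hold a length header")
    (length,) = struct.unpack(">I", _read_lsb_bytes(stego, 0, HEADER))
    if HEADER * 8 + length * 8 > len(stego):
        raise ValueError("length header does not fit the carrier: probably no embedded data")
    return _read_lsb_bytes(stego, HEADER * 8, length)


def looks_like_text(data):
    """The kind of signature test a naive steganalysis tool applies: is the hidden data printable?"""
    return len(data) > 0 and all(32 <= c < 127 or c in (9, 10, 13) for c in data)


def xor_keystream(data, seed):
    """Toy stream 'cipher' (XOR with a seeded PRNG): a stand-in for a real cipher in this example
    only. It is not secure and is not to be used for anything but the demonstration."""
    rng = random.Random(seed)
    return bytes(c ^ rng.getrandbits(8) for c in data)


def make_carrier(size=64 * 64, seed=7):
    """Constructed 8-bit greyscale raster (flat mid-grey with sensor-like noise), not a real image."""
    rng = random.Random(seed)
    return bytes(min(255, max(0, int(128 + rng.gauss(0, 20)))) for _ in range(size))


if __name__ == "__main__":
    carrier = make_carrier()
    message = b"meet at 09:00, bring the drive"
    print("plain payload looks like text:", looks_like_text(extract_lsb(embed_lsb(carrier, message))))
    hidden = xor_keystream(message, seed=42)
    recovered = extract_lsb(embed_lsb(carrier, hidden))
    print("encrypted payload looks like text:", looks_like_text(recovered))
    print("decrypted:", xor_keystream(recovered, seed=42))
```

Note what the example does and does not show: the extractor only works because it assumes this exact layout (length prefix, one bit per byte, sequential order). A tool that embeds in a keyed pseudo-random pixel order, or in a different bit plane, produces a stego file this extractor reads as noise, which is the practical reason the chapter calls the reliability of signature-based detectors questionable.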
CHAPTER 6: EMBEDDED AND NETWORK FORENSICS

The aim of this chapter is to provide an insight into the emerging discipline of embedded and network forensics. With embedded devices now encompassing a variety of everyday systems such as mobile phones, personal video recorders (PVRs) and game consoles, the ability to analyse those systems for forensic evidence can be key to establishing what happened in an incident. Furthermore, whilst computer and embedded forensics are able to establish evidence and events within systems, the increasing connectivity of devices means large volumes of evidence may reside on a variety of network appliances. Network forensics is useful for evidence gathering because it often provides a valuable overview of communications, and because the network devices are frequently not within the control of the perpetrator, the record they hold is less exposed to tampering.

Whilst computer forensics has formed the mainstay of digital forensics, the ubiquitous nature of mobile devices [25] has made them increasingly interesting targets for investigation. Indeed, with over 3 billion mobile subscribers worldwide, penetration of mobile devices is higher than that of PCs. Moreover, the last decade has seen the mobile device transition from a simple telephony device, with minimal forensic evidence other than calling behaviour, to a fully functioning mobile computer able to access a variety of data-orientated services. As such, the potential value of evidence on mobile devices has also increased substantially.

[25] Whilst the term mobile device refers to mobile phones, Smartphones, Personal Digital Assistants (PDAs), netbooks, notebooks and laptops, the primary focus of the discussion is mobile phone/Smartphone devices.

Analysing the anatomy of a mobile device, forensic evidence typically resides in one of three areas: the Subscriber Identity Module (SIM), on-board memory and an external storage card. The primary purpose of the SIM is to authenticate the subscriber, and hence the device, to the mobile network. However, it also has a limited amount of memory to store contact details, calls made and received, and text messages. The SIM also stores a variety of network- and device-based information (the subscriber and card identifiers and the last location area, for instance), but this tends to be of more interest to law enforcement investigations where they also have the ability to analyse the mobile operator's network. From an organisational perspective, an examiner would be more interested in establishing whether the device is being misused; call and text records could certainly provide some evidence. The newer USIM (for use on 3G networks) has the capacity to store more information than the standard SIM.

The other areas of memory, the on-board memory and the external storage card, have the opportunity to deliver more, as their storage capacities are far larger. The simpler of the two to analyse is the external storage card (eg SD memory). These can be analysed using the same software and techniques discussed for hard drives: whilst the card does not contain an operating system, it does carry a standard file system (typically a FAT variant), so file system analysers are compatible. On-board memory is a little more challenging for the examiner, largely because of the myriad device technologies in the market place. These devices typically connect to computers with a variety of non-standardised connections, if they connect at all, and the phones themselves run a number of different operating systems. The forensic examiner therefore needs to come equipped with the necessary hardware and software to forensically image and analyse the data. Until recently, the tools and techniques available were few and far between, frequently requiring bespoke implementations to extract the image from specific models of device. The situation has now improved, with a number of commercial vendors providing solutions to forensically analyse a wide variety of the common models: the Oxygen Forensic Suite [26] and Paraben's Device Seizure [27] are two such products. Some of the state held on a handset is volatile, and a powered handset that can still reach the network can also receive a remote wipe, so procedures are necessary to keep the device sufficiently powered to retain its contents while isolating it from the network.

[26] Oxygen Forensic Suite, Oxygen Software (2010). www.oxygen-forensic.com/en
[27] Paraben Device Seizure v3.3, Paraben (2010). www.paraben-forensics.com/catalog/product_info.php?products_id=405

Mobile devices represent one form of embedded device. However, as technology penetrates every aspect of life, a large variety of other embedded devices have come along. The degree to which they will have a use within an investigation will largely depend upon the nature of the investigation, with some devices storing very little data and others storing much more. The general rule of thumb is that if the device is able to store information, it potentially has some value to an investigation. Game consoles such as the Sony PlayStation and Microsoft's Xbox can both contain 250GB hard drives, are network connected and have Internet browsers capable of accessing email, instant messaging and the web. Users effectively have the ability to use the console as a normal computer, so it potentially has the same evidentiary value as a normal PC. Other embedded devices include PVRs, satellite navigation units and MP3 players, to name a few of the more common ones. Forensically acquiring and analysing these devices is currently still confined to specialist companies and research laboratories. Whilst it will not be long before such tools and procedures exist, the problem is keeping up with the speed of change in technology: new mobile and embedded devices are being developed regularly, which poses a significant challenge to forensic examiners.

The final area of discussion focuses upon network forensics. This area of analysis has become useful for a variety of reasons:
- To provide a means for establishing that an incident has taken place and requires investigation.
- To analyse network traffic and understand the nature of a cybercrime attack.
- To analyse network traffic from a suspect computer when the computer is not available for computer forensics.
- To analyse network traffic records when the data retrieved from computer forensics cannot be trusted.
- To provide a fuller picture for the forensic investigation.

The first of these reasons is by far the most significant for network forensics. Indeed, the terms network forensics and incident analysis are frequently used interchangeably to describe the same process, that of reconstructive traffic analysis. From an incident readiness perspective, your organisation needs to establish appropriate network monitors within the IT infrastructure to capture all network-based traffic. The purpose of these monitors is simply to capture all data within the network for subsequent analysis should it be deemed necessary; for instance, should an IDS alarm, examiners then have the network traffic data to search through to identify the problem. This requires some thought in terms of the volumes of data being captured, the ability of the capture point to keep up without dropping packets (a full snapshot length, a sensor sized for the link rate, and rotation of capture files rather than a single ever-growing file), and the storage, retention and integrity management of the data (hash each capture file when it is closed, so it can later be shown to be unaltered). In terms of practical tools, network forensics to date utilises fundamental tools for the capture and analysis of data, many of them open source. A network sniffer such as tcpdump [28] can be used for the traffic capture, and tools such as Wireshark [29] can be used to analyse traffic and provide protocol analysis. NetworkMiner [30] is an open source NFAT (network forensic analysis tool) for Windows that, interestingly, provides a host-centric perspective of the network traffic.

Embedded devices and network forensics are also useful as additional sources to verify or corroborate evidence found on a system. With network forensics, the capturing system is typically not under the control of the suspect, so a greater degree of trust can be attributed to the findings. With embedded devices, the number of such devices and their differing technical constructions make removal of all evidence difficult. With the increasing growth of anti-forensic techniques, verifying and corroborating evidence will become increasingly important as single sources of evidence become less reliable.

[28] tcpdump (2009). www.tcpdump.org
[29] Wireshark Foundation (2010). www.wireshark.org
[30] NetworkMiner (2010). http://networkminer.sourceforge.net
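As an added example, not from this guide: the host-centric summary that NetworkMiner produces, built by hand from a classic libpcap file such as tcpdump writes. The parser handles both byte orders of the pcap header, Ethernet/IPv4 framing and TCP/UDP, and tallies per host who it spoke to, which well-known ports it answered on and how much payload flowed each way. The capture it runs on is constructed inline (addresses, MACs, the HTTP request and the DNS query are made up for the demonstration, and the IPv4 checksum is left at zero because nothing here verifies it); the 'destination port below 1024 means a service' rule is a heuristic assumed for the example.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic; pcapng files use a different format


def iter_packets(data):
    """Yield (timestamp, frame) from a classic libpcap file; Ethernet link type only."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    *_, linktype = struct.unpack_from(end + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport, payload) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, 16)
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]          # TCP data offset is the high nibble of byte 12
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[8:]
    else:
        return None
    return src, dst, proto, sport, dport, payload


def host_summary(data):
    """Host-centric view of a capture: per IP, its peers, the ports it served and payload volumes."""
    hosts = defaultdict(lambda: {"peers": set(), "served_ports": set(),
                                 "bytes_out": 0, "bytes_in": 0, "packets": 0})
    for _, frame in iter_packets(data):
        dec = decode_frame(frame)
        if dec is None:
            continue
        src, dst, _, _, dport, payload = dec
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        hosts[src]["packets"] += 1
        hosts[dst]["packets"] += 1
        hosts[src]["bytes_out"] += len(payload)
        hosts[dst]["bytes_in"] += len(payload)
        if dport < 1024:                          # heuristic: a well-known destination port is a service
            hosts[dst]["served_ports"].add(dport)
    return {ip: {"peers": sorted(h["peers"]), "served_ports": sorted(h["served_ports"]),
                 "bytes_out": h["bytes_out"], "bytes_in": h["bytes_in"], "packets": h["packets"]}
            for ip, h in hosts.items()}


def _ipv4(src, dst, proto, l4):
    # constructed sample only: IHL = 5, no options, header checksum left at 0 (never verified above)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_sample_pcap():
    """Constructed capture (not from any real network): a DNS query, then a TCP handshake and an
    HTTP request, all from the made-up host 10.0.0.5."""
    mac_a, mac_b = b"\x02\x00\x00\x00\x00\x05", b"\x02\x00\x00\x00\x00\x01"
    http = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    frames = [
        (mac_a, mac_b, _ipv4("10.0.0.5", "10.0.0.1", 17, _udp(53000, 53, b"\x12\x34\x01\x00" + bytes(8)))),
        (mac_a, mac_b, _ipv4("10.0.0.5", "203.0.113.9", 6, _tcp(51234, 80, 0x02))),        # SYN
        (mac_b, mac_a, _ipv4("203.0.113.9", "10.0.0.5", 6, _tcp(80, 51234, 0x12))),        # SYN/ACK
        (mac_a, mac_b, _ipv4("10.0.0.5", "203.0.113.9", 6, _tcp(51234, 80, 0x18, http))),  # PSH/ACK + data
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, (src_mac, dst_mac, ip) in enumerate(frames):
        frame = dst_mac + src_mac + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for ip, info in sorted(host_summary(build_sample_pcap()).items()):
        print(ip, info)
```

To run it against a real tcpdump output file, read the file in binary mode and pass the bytes to `host_summary`. Two limits matter in practice: the parser rejects pcapng (the default output of newer Wireshark/dumpcap builds, which editcap can convert to classic pcap), and it does not reassemble TCP streams, so payload counts are per segment rather than per conversation.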
CONCLUSION

The forensic examination of electronic systems has undoubtedly been a huge success in the identification of cyber and computer-assisted crime. Organisations are placing an increasing importance on the need to be equipped with appropriate incident management capabilities to handle misuse of systems. Computer forensics is an invaluable tool in that process.

The domain of computer forensics has grown considerably in the last decade. Driven by industry, focus was initially placed upon developing tools and techniques to assist in the practical application of the technology. In more recent years, an increasing volume of academic research is being produced exploring new approaches to obtaining forensic evidence. Each year, these advances provide significant practical enhancements for forensic examiners. Whilst these advances are being made, so too are advances in technology: larger hard drive media, Storage Area Networks (SANs), an increasing variety of mobile and embedded devices, ubiquitous networking across different stakeholder networks (corporate, fixed-line ISP, mobile ISP, cellular mobile network) and the interaction of all these technologies within a single incident. As the majority of incidents benefit from forensic analysis, the burden placed upon the forensic examiner to ensure an appropriate level of analysis and examination has taken place is increasing significantly.

Appreciating the change in technology, and understanding the nature of the threat, the evolving discipline of anti-forensics and the increasing application of cryptography, the domain of forensics has an extremely challenging and exciting future ahead of it. However, the need for organisations to equip themselves with a forensic capability is becoming essential in order to combat and manage incidents effectively.

RESOURCES

The computer forensics industry is well supported with software and reading material, much of which is freely available online. The purpose of this section is to provide a reference guide for computer forensic materials. The reference is split into the following sections:
- specialist computer forensic books
- software and tools for undertaking all stages of the forensic process
- useful online resources.

Specialist books in Computer Forensics

General books

Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility
Jones, A, Valli, C
Publisher: Butterworth-Heinemann
ISBN: 978-18561-710-4

Computer Forensics
Newman, C
Publisher: Taylor and Francis Ltd
ISBN: 978-08493-561-0

Computer Forensics: Incident Response Essentials
Kruse, W, Heiser, J
Publisher: Addison Wesley
ISBN: 978-020170-719-9

Digital Evidence and Computer Crime
Casey, E
Publisher: Academic Press
ISBN: 978-012163-104-8

Digital Forensics for Network, Internet and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data
Garrison, C
Publisher: Syngress
ISBN: 978-159749-537-0

EnCase Computer Forensics: The Official EnCE EnCase Certified Examiner Study Guide
Bunting, S
Publisher: John Wiley and Sons
ISBN: 978-047018-145-1

Forensic Computing: A Practitioner's Guide
Sammes, J, Jenkinson, B
Publisher: Springer
ISBN: 978-18462-837-0

Handbook of Digital Forensics and Investigation
Casey, E
Publisher: Academic Press
ISBN: 978-012374-267-4

Incident Response and Computer Forensics
Mandia, K, Prosise, C
Publisher: McGraw-Hill Osborne
ISBN: 978-007222-692-2

Incident Response: Computer Forensics Toolkit
Schweitzer, D
Publisher: John Wiley and Sons
ISBN: 978-076452-636-7

Malware Forensics: Investigating and Analyzing Malicious Code
Malin, C, Casey, E, Aquilina, J
Publisher: Syngress
ISBN: 978-159749-268-3

Real Digital Forensics: Computer Security and Incident Response
Jones, K, Bejtlich, R, Rose, C
Publisher: Addison Wesley
ISBN: 978-032124-069-9

File and operating system specific books

File System Forensic Analysis
Carrier, B
Publisher: Addison Wesley
ISBN: 978-032126-817-4

Macintosh OS X, iPod and iPhone Forensic Analysis DVD Toolkit
Varsalone, J
Publisher: Syngress
ISBN: 978-159749-297-3

UNIX Forensic Analysis DVD Toolkit
Pogue, C, Altheide, C, Haverkos, T
Publisher: Syngress
ISBN: 978-159749-269-0

Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environments
Barrett, D, Kipper, G
Publisher: Syngress
ISBN: 978-159749-557-8

Windows Forensic Analysis with DVD Toolkit
Carvey, H
Publisher: Syngress
ISBN: 978-159749-422-9

Windows Forensics: The Field Guide for Corporate Computer Investigations
Steel, C
Publisher: John Wiley and Sons
ISBN: 978-047003-862-8

Network forensic books

Mastering Windows Network Forensics and Investigation
Anson, S, Bunting, S
Publisher: John Wiley and Sons
ISBN: 978-047009-762-5

Computer Forensics: Investigating Network Intrusions and Cyber Crime
EC-Council
Publisher: Course Technology
ISBN: 978-143548-352-9

CISCO Router and Switch Forensics: Investigating and Analyzing Malicious Activity
Liu, D (Editor)
Publisher: Syngress
ISBN: 978-159749-418-2

Network Forensics: Tapping the Internet
Garfinkel, S
Publisher: O'Reilly Media

Mobile device forensics

iPhone Forensics: Recovering Evidence, Personal Data and Corporate Assets
Zdziarski, J
Publisher: O'Reilly Media
ISBN: 978-059615-358-8

Software and tools

The tools listed in the following pages are primarily related to the acquisition and analysis of a Windows-based system from a Windows-based forensic station. However, a number of the tools also provide wider OS compatibility, with all of the case management tools, for instance, supporting the majority of common file systems. There are of course also a wide variety of other forensic tools that operate on Unix and Mac OS X platforms; links to general websites for more information can be found in the Web resources section.

Case management tools

Case management tools are software applications or distributions capable of handling the complete forensic investigation from acquisition through to examination, analysis and presentation.

Guidance Software

Guidance Software produces several forensic-related products. Their primary product, EnCase, is amongst the market leaders in providing forensic investigation of media.
Other products available from Guidance Software include:
- EnCase Enterprise
- EnCase eDiscovery
- EnCase Portable
Web: www.guidancesoftware.com

AccessData

AccessData produces several products within the digital forensic domain. A market leader, its primary product, the Forensic Toolkit (FTK), provides full case management of investigations. Other products available from AccessData include:
- FTK Mobile Phone Examiner
- AccessData Enterprise
- AccessData eDiscovery
- AccessData Classified Spillage Solution
- password cracking tools
Web: www.accessdata.com

e-fense

e-fense produces a series of products. The principal product, HELIX, has its foundations in the open source domain, with a self-bootable CD that contains a suite of tools for undertaking a variety of forensic investigation activities. The majority of the tools available on the CD were produced by other developers and are made freely available. HELIX 3 PRO is now available to purchase from e-fense. Other products by e-fense include:
- HELIX 3 Enterprise
- Live Response
Web: www.e-fense.com

Technology Pathways

Technology Pathways also provide case management software in the form of their ProDiscover Forensics software. Their other product, ProDiscover Incident Response, provides over-the-network preview and acquisition of data.
Web: www.techpathways.com

The Sleuth Kit

An open source suite of tools for forensic investigation. The kit is not a single application like many of the commercial tools above, but does provide a comprehensive toolkit for the analysis of hard drive media. To support usability, the kit also includes Autopsy, an HTML front-end tool.
Web: www.sleuthkit.org

Data acquisition tools

The tools listed below are in addition to the case management tools listed above, which are all able to acquire images from hard drives.

AccessData FTK Imager
Web: www.accessdata.com

EnCase LinEn
Web: www.encase.com

New Technologies SafeBack
Web: www.forensics-intl.com

Paraben Data Arrest
Web: www.paraben-forensics.com

File carving tools

Adroit Photo Forensics
Web: http://digital-assembly.com

DataLifter File Extractor
Web: www.datalifter.com/products.htm

Foremost
Web: http://foremost.sourceforge.net

PhotoRec
Web: www.cgsecurity.org/wiki/PhotoRec

PhotoRescue
Web: www.datarescue.com/photorescue

Scalpel
Web: www.digitalforensicssolutions.com/Scalpel

Simple Carver Suite
Web: www.simplecarver.com

Live analysis tools

The following is not a complete list of tools available for live analysis, as new tools are frequently being developed. It does, however, encompass the core tools that would be of use. The majority are freely available online, and more information about a specific tool can be found online. Bring trusted copies of these binaries on read-only media and run them from there rather than relying on the copies on the suspect system, which a rootkit may have replaced; several of them (handle.exe, the ps* tools, rootkitrevealer.exe) are Sysinternals utilities.

arp.exe, cmd.exe, dd.exe, dir.exe, fport.exe, handle.exe, hostname.exe, ipconfig.exe, md5sum.exe, Mem.exe, nbtstat.exe, net.exe, netstat.exe, nslookup.exe, ntfs
info.exe, promiscdetect.exe, ps.exe, psfile.exe, pslist.exe, psloggedon.exe, psservice.exe, rootkitrevealer.exe, route.exe, sha1sum.exe, tracert.exe, whoami.exe

Password cracking tools

AccessData Password Recovery Toolkit
Web: www.accessdata.com

Cain & Abel
Web: www.oxid.it/cain.html

John the Ripper
Web: www.openwall.com/john

L0phtCrack
Web: http://l0phtcrack.com

Ophcrack
Web: http://sourceforge.net/projects/ophcrack

RainbowCrack
Web: http://project-rainbowcrack.com


Web resources

Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence
A UK guide developed to provide guidelines for law enforcement officers when seizing and undertaking computer-based forensic investigations.
Web: www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf

CERT, Software Engineering Institute, Carnegie Mellon University
A website providing information and guidance on incident response and forensics. Publications include:
- First Responder's Guide to Computer Forensics
- Handbook for Computer Security Incident Response Teams
Web: www.cert.org

CSO Online, 'The Rise of Anti-Forensics' by Scott Berinato (June 2007)
An interesting article discussing the growing focus upon anti-forensic tools and techniques.
Web: http://csoonline.com/article/print/221208

Digital Forensic Research Workshop (DFRWS)
A volunteer organisation focused upon sharing knowledge on digital forensics. They hold an annual conference from which some of the most notable advances in forensic research are published. The website contains an archive of the conferences and the papers published.
Web: www.dfrws.org

ForensicsWiki
A useful resource for defining and describing digital forensics terms. The site is updated regularly and includes links to the latest research findings within the domain.
Web: www.forensicswiki.org

Metasploit Anti-Forensics Project
A website providing news and tools on the topic of anti-forensics.
Web: http://metasploit.com/research/projects/antiforensics

NIST Computer Forensics Reference Data Sets (CFReDS) Project
The project has created a number of forensic test cases that can be used to test forensic software and for the training of forensic investigators.
Web: www.cfreds.nist.gov

NIST Computer Forensics Tool Testing Project
A project to establish a methodology for testing the reliability of forensic tools. The project has created specifications for what forensic tools should achieve and test scenarios with which to evaluate tools.
Web: www.cftt.nist.gov

NIST Computer Security Resource Centre
A website providing links to NIST projects and publications relating to information security. The Incident Response family of publications includes:
- SP800-101 Guidelines on Cell Phone Forensics
- SP800-83 Guide to Malware Incident Prevention and Handling
- SP800-61 Rev.1 Computer Security Incident Handling Guide
- SP800-86 Guide to Integrating Forensic Techniques into Incident Response
- SP800-72 Guidelines on PDA Forensics
Web: http://csrc.nist.gov

NIST National Software Reference Library (NSRL)
A freely available database of hash values of trusted OS and application files, used to eliminate known files from forensic investigations.
Web: www.nsrl.nist.gov

SANS Institute, Mobile Device Forensics by Andrew Martin
A detailed technical guide to mobile device forensics.
Web: www.sans.org/reading_room/whitepapers/forensics/mobile_device_forensics_32888?show=32888.php&cat=forensics

US Government Accountability Office (GAO), Public and Private Entities Face Challenges in Addressing Cyber Threats
A 2007 study looking at the challenges in addressing cyber threats. The report includes aspects for forensic investigators.
Web: www.gao.gov/new.items/d07705.pdf
ITG RESOURCES

IT Governance Ltd. sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today's organisations, directors, managers and practitioners. The ITG website (www.itgovernance.co.uk) is the international one-stop shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy. www.itgovernance.co.uk/computer_forensics.aspx is the information page from our website for computer forensics resources.

Other Websites

Books and tools published by IT Governance Publishing (ITGP) are available from all business booksellers and are also immediately available from the following websites:

www.itgovernance.co.uk/catalog/355 provides information and online purchasing facilities for every currently available book published by ITGP.

www.itgovernanceusa.com is a US$-based website that delivers the full range of IT Governance products to North America, and ships from within the continental US.

www.itgovernanceasia.com provides a selected range of ITGP products specifically for customers in South Asia.

www.27001.com is the IT Governance Ltd. website that deals specifically with information security management, and ships from within the continental US.

Pocket Guides

For full details of the entire range of pocket guides, simply follow the links at www.itgovernance.co.uk/publishing.aspx.

Toolkits

ITG's unique range of toolkits includes the IT Governance Framework Toolkit, which contains all the tools and guidance that you will need in order to develop and implement an appropriate IT governance framework for your organisation. Full details can be found at www.itgovernance.co.uk/products/519.

For a free paper on how to use the proprietary Calder-Moir IT Governance Framework, and for a free trial version of the toolkit, see www.itgovernance.co.uk/calder_moir.aspx.

There is also a wide range of toolkits to simplify implementation of management systems, such as an ISO/IEC 27001 ISMS or a BS25999 BCMS, and these can all be viewed and purchased online at http://www.itgovernance.co.uk/catalog/1.

Best Practice Reports

ITG's range of Best Practice Reports is now at www.itgovernance.co.uk/best-practice-reports.aspx. These offer you essential, pertinent, expertly researched information on an increasing number of key issues, including Web 2.0 and Green IT.

Training and Consultancy

IT Governance also offers training and consultancy services across the entire spectrum of disciplines in the information governance arena. Details of training courses can be accessed at www.itgovernance.co.uk/training.aspx and descriptions of our consultancy services can be found at http://www.itgovernance.co.uk/consulting.aspx. Why not contact us to see how we could help you and your organisation?