Network Computer Forensics

Date/Time:
Monday 9 October 2006

Speaker:
Russell May, Manager of Special and Partner Projects, Guidance Software Inc.

Description:

In a follow-up to the hugely popular ‘Computer Forensics’ talk earlier this year, Russell May introduced himself and gave a brief summary of his background, which included twenty-eight years’ experience in the West Midlands police force, culminating in a spell as head of the High-Tech Crime Unit. Russell now works for Guidance Software, which specialises in developing software to assist in retrieving digital information for forensic purposes.

The presentation

Russell began by re-stating the basic rules that must be followed when examining computers and other digital devices. Failure to follow these rules makes it very likely that any forensic evidence gathered will not be accepted in court.

A key difference between network computer forensics and stand-alone computer forensics is that in network computer forensics the machine under examination is not powered down - the analysis is conducted on a live machine from a central location.

This allows a machine to be examined without interfering with the work that its user(s) need to carry out. The analysis can be performed without the user being aware, although it is usually only done covertly in connection with investigations by the intelligence services.

The EnCase tool

As a case study, Russell then gave an overview of the EnCase tool, which can be used for forensic analysis of networked computers. It consists of the following components:

  • EnCase SAFE - a server used to authenticate users, administer access permissions and conduct secure data transmission;
  • EnCase Examiner - an application used by the forensic analyst, similar to the stand-alone tool demonstrated at the previous talk;
  • EnCase Servlet - a small (c. 380k) application that is installed and run on the machine(s) to be inspected and which operates at a much lower level than the operating system (for example, it can directly access the hard disc controller);
  • Concurrent Connection - a VPN-like connection between the machine running Examiner and the target machines running the servlets.

Deploying the servlets on remote machines requires Administrator rights on those machines. Also, any firewalls between the various nodes need to allow the communication.

The tool provides additional facilities that are required for performing network forensic analysis. A snapshot of RAM can be taken from a target machine for examination.

As the tool works at a lower level than the operating system, it can create a list of running processes by examining heap and memory usage, thus revealing processes that are ‘hidden’ to the operating system (or at least the end-user).

Similarly, a view of the file system is built from sector information so that files and partitions can be seen that are not recognised by the operating system.
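The following Python is an added illustration of that idea and is not code from the talk or from Guidance Software: it reads a partition table directly from a constructed (hypothetical) MBR sector, listing every partition entry regardless of whether the host operating system would mount it, and also reports the sector ranges covered by no partition at all, which is where the OS-level view shows nothing.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    ptype: int
    start_lba: int
    sectors: int

    def end_lba(self) -> int:  # exclusive
        return self.start_lba + self.sectors

    def byte_offset(self) -> int:
        return self.start_lba * SECTOR


def make_entry(boot: int, ptype: int, start_lba: int, sectors: int) -> bytes:
    # CHS fields are zeroed; forensic tools rely on the LBA fields
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


# Constructed sample: a bootable NTFS partition (0x07), an unallocated gap, then a
# Linux partition (0x83) that a Windows host would list only as unknown space.
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x80, 0x07, 2048, 204800)
              + make_entry(0x00, 0x83, 409600, 102400)
              + b"\x00" * 32          # two empty slots
              + b"\x55\xAA")          # boot signature


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries, sorted by starting sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype and size:
            parts.append(Partition(i, boot == 0x80, ptype, start, size))
    return sorted(parts, key=lambda p: p.start_lba)


def unallocated_gaps(parts: list, disk_sectors: int) -> list:
    """Sector ranges covered by no partition entry: invisible to the OS file view."""
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for p in parts:
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba))
        cursor = max(cursor, p.end_lba())
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors))
    return gaps
```

Run against a real image, the same two functions would be fed the first 512 bytes of the disk and its total sector count; the gaps they report are the first places an examiner checks for data the operating system never shows.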

Conclusion

Russell then demonstrated the analysis tools using three laptops connected to form a small network, and a lively question and answer session rounded off another fascinating evening.