Channels ▼

Trends in Digital Forensics

Marty Musters graduated with a Bachelor of Mathematics and Computer Science from the University of Waterloo. He is a CISSP and a CFE (Certified Fraud Examiner) and a member of the High Tech Crime Investigation Association (HTCIA). Marty is the director of Forensics at NCI (Net Cyclops) and can be reached at

Digital forensics has been forced to change. In the past, when someone was suspected of a crime or behavior that was in violation of corporate policy, the typical process would be to seize the hard drive after hours, take a bit stream image, analyze the drive and compile a report.

Of course this is becoming an increasingly difficult task. More and more companies now have a global presence with offices spread around the world. What's more, these distributed networks have thousands, if not tens of thousands of PCs attached to them.

Thus the new trend in digital forensics is to to use the corporate network to immediately respond to incidents. It allows us to capture and analyze volatile data, including active network sessions and running processes. It even allows us to see what ports and IP addresses these processes are communicating with.

It is far better to see what is actually happening as opposed to trying to piece it together after the fact from fragments found across the drive. Much information is lost when a computer is turned off, specifically the Random Access Memory (RAM). More and more we are seeing sophisticated users hide their tracks by using something like a third party e-mail program that is not part of the corporate network and then using a cleansing program to erase any Internet history on the hard drive. Although the proxy server will still show entries to this third party e-mail program it does not capture nearly enough information to be useful. By using a product for "live" investigations one can track exactly what is being said and to whom.

Let me illustrate the scenario with an example. Sally is allegedly selling narcotics using the corporate network and doing it on company time. She does this routinely during the day. Since Sally works at the corporate headquarters, you wait till Sally goes home and take a forensic image of her hard drive. Once done, you analyze the image and find nothing that will link her to the allegations. You do notice that her Internet history is always cleaned at the end of the day.

When you use your forensic software to try and recover that Internet history, you find that it is gone. What you do find is that Sally has loaded a popular Internet history erasing program on her computer and faithfully runs it several times per day. Clearly you are suspicious about why she would be doing this, but you have no evidence to support the allegations.

Next you check the Internet proxies to see what Internet sites she is visiting. You find that she spends a lot of time on Hotmail. At this point all you can confront her with is her spending too much time on personal sites (Hotmail), but you have nothing to prove the allegation of selling drugs.

So, what are your options? You could put a keylogging program on her machine. However, she may notice, and besides your current desktop security software detects keyloggers, so this option doesn't work. You could use an external key catcher (A hardware device that effectively catches all of the key strokes from the keyboard, by sitting between the keyboard and the processor). This is problematic in that it could be noticed by the user. These two options also assume that you have access to the computer which may not be the case as the computer could be located on the other side of the world.

Which brings us to the latest trend in digital forensics for security minded corporations. Online digital forensics over the network. Since we suspect strongly that Sally is using Hotmail to broker her drug deals we watch the proxy servers for traffic to Hotmail. Once we see this traffic begin we have a look at her machine in real time. In this way we can dump and analyze the memory and find out lots of key information, such as the content of the e-mails, what is in the Internet cache files at the time and the IP addresses of other machines that she may be communicating with.

The good news is that we can do all of this even if the machine is located in another country. Other features include the ability to traverse the registry of the target machines in a live state. Files can also be acquired over the network.

The only downside is if you are running on a slow network, it can be cumbersome and time-consuming to acquire the entire drive. The theory of course is that you are able to narrow your search considerably by doing an online analysis, and through this analysis you know what you are looking for. You then acquire the evidence related to the crime.

There are two market-leading products with two different implementation strategies -- Encase Enterprise, from Guidance Software, and LiveWire, from WetStone Technologies. Both accomplish the same result in that they both have the ability to dump, search and analyze memory and the files on the remote computer, however LiveWire does it without needing to have a program (service) running on the machine being analyzed. With Encase Enterprise a service must previously be installed and running on the machine in order to allow for the machine to be accessed. This makes the deployment in the corporation not only complex, since any service must co-exist with other services, it also makes it very costly.

With LiveWire no such service needs to be running, making it extremely useful for a forensic consultant to go to a site, bring their laptop with them, attach to the network and forensically acquire both the memory and the hard drive information of any computer on the network, including servers. All that is required is an administrator user ID and password of the machine being targeted. This makes LiveWire extremely useful, easier and far more cost effective than its competitor.

There is also a growing trend to encrypt the data stored on hard drives, particularly portable computers like laptops and notebooks. Although we as forensic examiners have some tools to get past these encryption schemes, they are not always successful. A live investigation allows us to use calls to the operating system of the target machine to extract and decipher the data.

With increasingly complex network infrastructures geographically dispersed across the globe, "live" investigations are the trend we are heading towards.

Courtesy Computer Security Institute.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.