Sunday 12 September 2010

Computer Forensics - How Volatile Data is Analyzed

Computer forensics plays an important role in fighting terrorism and criminal activity. The fact is that bad guys use computers, the internet and other modern communication tools to communicate and to store their plans. We would be naive to think that they can barely open Word or Excel. They are aware of the risks and they protect themselves with modern encryption algorithms and general protective measures. Fighting criminal activities is very different from discovering occasional violations on company computers.


Many traces can be hidden if the software used for criminal or otherwise unwanted activity is not present on the computer disk and runs only in the memory of the computer. It is very easy to start some process and then successfully cover all traces that were left behind. In such a case analyzing disk data makes no sense because nothing suspicious could be discovered. The only solution to this problem is tools that can capture and preserve volatile data such as live memory.

The static analysis of computer data (i.e. the analysis of a hard disk removed from the computer) is usually not enough because many advanced techniques can be used to erase all traces from file systems, so the only relevant data remains in memory. Theoretically, it would be possible to freeze computer memory with liquid nitrogen, and this would significantly increase the chances of recovering the data, but this approach is not practical. Analysis of live volatile data in a computer is essential for any serious forensic analysis.


There are many open source and professional commercial forensic tools that can make a snapshot of crucial volatile data for later analysis. Such tools can discover open ports, virtual disk drives, VPN connections and other resources not visible to the normal user. In some cases the whole disk drive or an individual partition is encrypted, so it is important to make an image of it before the system is shut down. Once all the data is safely stored it can be analyzed regardless of the state of the computer.

A logical question would be, for example: what can be done to successfully hide some processes running in the computer memory? Theoretically, it would be possible to eliminate traces from the memory when the process is not active or when it waits for some input. But even for such approaches there are solutions. It is possible to create memory snapshots at periodic intervals, and sooner or later the secret process will show itself.
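The periodic-snapshot idea above, and the volatile-data inventory (processes, open ports) described two paragraphs earlier, can be combined into a simple diff over a series of snapshots. This is an added example, not code from the original post or from any particular forensic tool; the snapshot layout (a process table of `(pid, name, image_path)` tuples plus a list of `(port, pid)` listeners, with an empty `image_path` meaning no backing file on disk) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample snapshots taken at three intervals (not real captures).
# A process entry is (pid, name, image_path); an empty image_path marks a
# process with no executable backing it on disk.
SNAPSHOTS = [
    {"procs": [(1, "init", "/sbin/init"), (400, "sshd", "/usr/sbin/sshd")],
     "ports": [(22, 400)]},
    {"procs": [(1, "init", "/sbin/init"), (400, "sshd", "/usr/sbin/sshd"),
               (4123, "updater", "")],
     "ports": [(22, 400), (5555, 4123)]},
    {"procs": [(1, "init", "/sbin/init"), (400, "sshd", "/usr/sbin/sshd")],
     "ports": [(22, 400)]},
]

def transient_processes(snapshots):
    """Processes missing from at least one snapshot, mapped to the intervals they were seen in."""
    seen_in = defaultdict(list)
    for idx, snap in enumerate(snapshots):
        for proc in snap["procs"]:
            seen_in[proc].append(idx)
    return {proc: idxs for proc, idxs in seen_in.items() if len(idxs) < len(snapshots)}

def memory_only_processes(snapshots):
    """Processes whose image path is empty, i.e. not backed by a file on disk."""
    return sorted({proc for snap in snapshots for proc in snap["procs"] if not proc[2]})

def ports_held_by(snapshots, pid):
    """Listening ports ever attributed to pid across the whole snapshot series."""
    return sorted({port for snap in snapshots for port, owner in snap["ports"] if owner == pid})

def findings(snapshots):
    """Combine the checks into one list of human-readable findings, one per suspicious process."""
    out = []
    transient = transient_processes(snapshots)
    memory_only = set(memory_only_processes(snapshots))
    for proc in sorted(set(transient) | memory_only):
        pid, name, path = proc
        flags = []
        if proc in transient:
            flags.append("seen only in snapshots %s" % transient[proc])
        if proc in memory_only:
            flags.append("no on-disk image")
        ports = ports_held_by(snapshots, pid)
        if ports:
            flags.append("listened on %s" % ports)
        out.append("pid %d (%s): %s" % (pid, name or "?", "; ".join(flags)))
    return out

if __name__ == "__main__":
    for line in findings(SNAPSHOTS):
        print(line)
```

A process that never appears in any snapshot is still invisible to this check; shortening the interval between snapshots is what narrows that window.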

For many computer users the most requested computer forensic service is recovering lost files. Check the http://digitaldatarecovery.org/ website for some practical tips on digital data recovery and practical advice on recovering important files from broken hard disks or flash memories.


Computer forensics is becoming an increasingly important part of the efforts to detect and prevent terrorist activities. But the game will never end. More advanced hiding techniques will lead to more advanced discovery techniques, which will lead to even more advanced hiding techniques, and so on.
