CST 610 Project 5 Digital Forensics Research Assignment

Project5Resources.docx

Project 5 Resources

The deliverables for this project are as follows:

1. Digital Forensics Research Paper: This should be a five-page double-spaced Word document with citations in APA format. The page count does not include diagrams or tables.

This project will provide an introduction to digital forensic analysis.

Digital forensic analysis is used to review and investigate data collected through digital communications and computer networks. The National Institute for Standards and Technology (NIST) has defined four fundamental phases for forensic analysis: collection, examination, analysis, and reporting. You will learn more about these concepts as you navigate throughout the steps of this project and read the literature and links found in each step.

There are four steps that will lead you through this project. Begin with Step 1: "Methodology."

Step 1: Methodology

The methodology for digital forensics follows a systematic process: identify the requirements, purpose, and objectives of the investigation before any evidence is handled. Review the resources below for information that will aid in conducting and documenting an investigation:

Secure Programming Fundamentals

It is important that programmers follow secure coding methods and adopt safe practices in the development stage, rather than trying to implement them at a later stage.

One of the fundamental secure programming practices is input validation, which is performed to prevent attacks from external sources. The National Institute of Standards and Technology (NIST) also emphasizes its importance for safe programming in its "Guide to Secure Web Services":

Write all web service code in languages that automatically perform input validation, such as Java and C#, or if writing in C or C++, ensure that all expected input lengths and formats are explicitly specified, and that all inputs received are validated to ensure that they do not exceed those lengths or violate those formats. Error and exception handling should be expressly programmed to reject or truncate any inputs that violate the allowable input lengths/formats (Singhal et al., 2007).

Another fundamental practice to ensure security is access control, which is implemented to prevent unauthorized access, resulting in intentional or unintentional changes to the code. In addition it is important to include security tools and architectures that can detect code errors and prevent attacks. Finally, it is useful to develop mitigation strategies by modeling possible threats and testing the code.
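The SP 800-95 guidance quoted above, explicitly specified lengths and formats with rejection or truncation of anything that violates them, is illustrated here as an added Python example; it is not code from the course materials or from NIST, and the field names and limits in `FIELD_SPEC` are constructed for the example.

```python
import re

# Every field the service expects, with an explicit maximum length and an
# explicit format (constructed for this example; real limits come from the
# application's specification).
FIELD_SPEC = {
    "username": {"max_len": 32,  "pattern": re.compile(r"[A-Za-z0-9_.-]+")},
    "email":    {"max_len": 254, "pattern": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")},
    # free text: any printable content, but no control characters
    "comment":  {"max_len": 200, "pattern": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]*")},
}
# Fields where over-length input is truncated instead of rejected (SP 800-95
# allows either; truncation only makes sense for free text).
TRUNCATE = {"comment"}


class ValidationError(ValueError):
    """Raised for any input that is not in the explicitly allowed set."""


def validate(field, value):
    """Return the accepted value for one field, or raise ValidationError."""
    spec = FIELD_SPEC.get(field)
    if spec is None:                       # unexpected fields are never passed through
        raise ValidationError(f"unexpected field {field!r}")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    if len(value) > spec["max_len"]:       # length check before the format check
        if field in TRUNCATE:
            value = value[: spec["max_len"]]
        else:
            raise ValidationError(f"{field}: exceeds {spec['max_len']} characters")
    if not spec["pattern"].fullmatch(value):   # fullmatch: the whole value must conform
        raise ValidationError(f"{field}: violates the expected format")
    return value


def validate_request(params):
    """Validate every field of a request; one bad field rejects the whole request."""
    return {name: validate(name, value) for name, value in params.items()}
```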

References

Singhal, A., Winograd, T., & Scarfone, K. (2007). Computer security: Guide to secure web services: Recommendations of the National Institute of Standards and Technology (Special Publication 800-95). http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Forensics Fundamentals

Digital forensic analysis is performed to review and investigate data collected through digital communications and computer networks. In Guide to Integrating Forensic Techniques into Incident Response, the National Institute of Standards and Technology (NIST) has defined four fundamental phases for forensic analysis: collection, examination, analysis, and reporting.

During collection, data related to a specific event is identified, labeled, recorded, and collected, and its integrity is preserved. In the second phase, examination, forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity.

Examination may use a combination of automated tools and manual processes.

The next phase, analysis, involves analyzing the results of the examination to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process (Kent et al., 2006).

Forensic analysis is used by organizations and businesses for several purposes, such as applying internal actions, managing legal matters, maintaining network security, and detecting and preventing cyberthreats.

References

Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Computer security: Guide to integrating forensic techniques into incident response: Recommendations of the National Institute of Standards and Technology (Special Publication 800-86). http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

Learn about the investigation methodology and consider the secure programming fundamentals above. Then define the digital forensics analysis methodology and describe its phases, including the following:

1. preparation

2. extraction

3. identification

4. analysis

This information will help you understand the process you will use during an investigation.

Step 2: Tools and Techniques

Forensics Analysis Tools

Forensic analysis is performed with tool kits designed for various platforms, including Windows, Linux, and Mac. The tool kits have several functions created to perform specific tasks, such as disk imaging, file recovery, e-mail parsing, hash and image analysis, memory capture, password recovery, P2P analysis, and string search, each with its own technical parameters.

An extensive catalog of forensic tools, compiled by the National Institute of Standards and Technology (NIST), is being updated by "adding new functions based on the work of the Computer Forensics Tool Testing (CFTT) project" (NIST, 2014).

References

National Institute of Standards and Technology. (2014). Computer forensics tool catalog. http://toolcatalog.nist.gov/index.php

Web Log and Session Analysis

Log and session analysis is used to collect information about accessibility of web servers and use of websites. According to Quirk (2010):

Log-file analysis software reads the records, called log files, on the webserver, which record all clicks that take place on the server. Web servers have always stored all the clicks that take place in a log file, so the software interprets data that have always been available. A new line is written in a log file with each new request. For example, clicking on a link, making an Ajax call, or submitting a form will each result in a new line being written.

While logs record clicks on the server, sessions emphasize user time spent on the websites. Quirk (2010) defines session as "interaction by an individual with a website consisting of one or more page views within a specified period of time." Both logs and sessions are useful for deriving analytics about user behaviors and patterns.
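The two ideas above, one log line per request and a session as the page views of one visitor within a time window, are put together in this added Python example (not code from the course materials or from Quirk). The log lines are constructed, the 30-minute inactivity threshold that closes a session is an assumption, and the client IP is used as the visitor identifier.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in Common Log Format (not from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2023:13:57:01 +0000] "GET /products HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:58:12 +0000] "POST /login HTTP/1.1" 302 0
this line is garbage and must be skipped
192.0.2.10 - - [10/Oct/2023:14:40:09 +0000] "GET /products/42 HTTP/1.1" 200 880
192.0.2.10 - - [10/Oct/2023:14:41:30 +0000] "GET /cart HTTP/1.1" 200 1200
"""

# One request per line: host, identd, user, [timestamp], "request", status, size
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield {"host": m.group("host"), "ts": ts,
                   "path": m.group("path"), "status": int(m.group("status"))}


def sessionize(records, timeout=timedelta(minutes=30)):
    """Group records per client; a new session starts when the gap since the
    client's previous request exceeds the timeout (assumed 30 minutes)."""
    sessions = {}   # host -> list of sessions, each a list of records
    last_seen = {}  # host -> timestamp of that host's previous request
    for rec in sorted(records, key=lambda r: r["ts"]):
        host = rec["host"]
        if host not in last_seen or rec["ts"] - last_seen[host] > timeout:
            sessions.setdefault(host, []).append([])
        sessions[host][-1].append(rec)
        last_seen[host] = rec["ts"]
    return sessions


def session_summary(text, timeout=timedelta(minutes=30)):
    """Return {host: [page views per session, ...]} for a raw log."""
    return {host: [len(s) for s in sess]
            for host, sess in sessionize(parse_log(text), timeout).items()}
```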

References

Quirk eMarketing. (2010). Online marketing essentials. http://2012books.lardbucket.org/books/online-marketing-essentials/s18-web-analytics-and-conversion-o.html

Hash Analysis

Hashing is a method used to change data characters into keys so that they are indexed and can be accessed quickly. The method is also used for data encryption and decryption by authenticating digital signatures.

The Forensic Tool Taxonomy from the National Institute of Standards and Technology (NIST) provides details of hash analysis and algorithms for different systems including Windows, Mac, and Linux (NIST, 2014). The algorithms are used for several applications, including computing, creating and managing hash sets, searching and filtering files, and eliminating duplicate files. 
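The hash-set applications listed above (computing digests, building a hash set, filtering known files, eliminating duplicates) are shown in this added Python example; it is not code from the course materials or from any NIST-catalogued tool. The directory contents and the "known" digest are constructed inside the example.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hash(path, algorithm="sha256", chunk_size=1 << 20):
    """Digest a file in chunks so large evidence files never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(directory, algorithm="sha256"):
    """Create a hash set: digest -> list of paths, for every regular file under directory."""
    hash_set = {}
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file():
            hash_set.setdefault(file_hash(p, algorithm), []).append(str(p))
    return hash_set


def filter_known(hash_set, known_digests):
    """Drop files whose digest appears in a known-file hash set (for example an
    operating-system reference set); return the remaining paths sorted."""
    return sorted(path for digest, paths in hash_set.items()
                  if digest not in known_digests for path in paths)


def duplicates(hash_set):
    """Return groups of paths that share a digest, i.e. identical content."""
    return [paths for paths in hash_set.values() if len(paths) > 1]


def demo():
    """Constructed directory: two identical files, one unique file, one 'known' file."""
    root = Path(tempfile.mkdtemp())
    (root / "a.txt").write_bytes(b"evidence content")
    (root / "b.txt").write_bytes(b"evidence content")          # duplicate of a.txt
    (root / "c.txt").write_bytes(b"unique content")
    (root / "notepad.exe").write_bytes(b"pretend known binary")  # stands in for a known file
    hs = build_hash_set(root)
    known = {hashlib.sha256(b"pretend known binary").hexdigest()}  # constructed reference set
    return {"unknown": [Path(p).name for p in filter_known(hs, known)],
            "dupes": [[Path(p).name for p in group] for group in duplicates(hs)]}
```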

References

National Institute of Standards and Technology. (2014). Forensic tool taxonomy. In Computer forensics tool catalog. http://toolcatalog.nist.gov/taxonomy/index.php?ff_id=16

Step 3: Explore Forensic Tools

I will provide the lab document.

This hands-on lab will introduce you to FTK Imager, a forensics tool. You will use your lab findings in the last step when you compile your research paper.

Step 4: Digital Forensics Research Paper

Now that you have learned the basics of digital forensics analysis and methodology, and have experienced one of the common forensic tools, use the material presented in this project as well as research you have conducted outside of the course materials to write a research paper that addresses the following:

1. digital forensics methodology

2. the importance of using forensic tools to collect and analyze evidence (e.g., FTK Imager and EnCase)

3. hashing in the context of digital forensics

4. How do you ensure that the evidence collected has not been tampered with (i.e., after collection)? Why and how is this important to prove in court?
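Question 4 above asks how to show that evidence has not been altered after collection; the usual answer is a digest recorded at acquisition and re-computed at every later verification. This added Python example (not code from the course materials, FTK Imager, or EnCase) records two digests per evidence file in a manifest and re-verifies the file after a single bit has been flipped; the manifest format, the choice of MD5 plus SHA-256, and the examiner name are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALGORITHMS = ("md5", "sha256")   # assumption: two independent digests per item


def digests(path, chunk_size=1 << 20):
    """Compute every configured digest in one pass over the file."""
    hashes = {a: hashlib.new(a) for a in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashes.items()}


def record_acquisition(image_path, manifest_path, examiner):
    """Hash the image at collection time and write the digests, the examiner and
    a UTC timestamp to a manifest: the reference every later check compares against."""
    entry = {"file": Path(image_path).name, "examiner": examiner,
             "acquired_utc": datetime.now(timezone.utc).isoformat(),
             "digests": digests(image_path)}
    Path(manifest_path).write_text(json.dumps(entry, indent=2))
    return entry


def verify(image_path, manifest_path):
    """Re-hash the image and compare each recorded digest; a False for any
    algorithm means the copy no longer matches what was collected."""
    recorded = json.loads(Path(manifest_path).read_text())["digests"]
    current = digests(image_path)
    return {a: recorded[a] == current[a] for a in ALGORITHMS}


def demo():
    """Constructed evidence file: verify before and after one bit is altered."""
    d = Path(tempfile.mkdtemp())
    img, manifest = d / "disk.dd", d / "disk.dd.manifest.json"
    img.write_bytes(b"\x00" * 4096 + b"constructed image content" + b"\xff" * 4096)
    record_acquisition(img, manifest, examiner="examiner-placeholder")
    before = verify(img, manifest)
    data = bytearray(img.read_bytes())
    data[4100] ^= 0x01                      # flip a single bit in the middle of the image
    img.write_bytes(bytes(data))
    after = verify(img, manifest)
    return before, after
```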

The deliverables for this project are as follows:

1. Digital Forensics Research Paper: This should be a five-page double-spaced Word document with citations in APA format. The page count does not include diagrams or tables.