
The science of computer forensics

This week, I am introducing some tools used in computer forensics and investigations. This will probably be so much "ho-hum" to those of you already in the trade, but I thought this would be of interest to other TechRepublic members.

As usual, I have linked to specific products that I'm familiar with. Some readers have previously expressed concern that it represents unfair advertising. All I can say is that I don't get paid for linking to anyone, but have personally found that I learn faster when pointed to actual products with specifications and prices to refer to.

Feel free to suggest other such products in the comments section.

HotPlug

The HotPlug device basically allows a running computer to be seized and brought back to a computer forensic lab for further study -- without having to first shut it off.

Assuming a suspect could be caught by surprise when using his terminal, it is a means to effectively circumvent any disk encryption as well as login passwords or biometric schemes that might be in place.

Used together with a fully charged UPS, the connectors are slipped into place while the system is still running. When mains power is switched off, the power load is transparently switched over to the UPS. The entire system, UPS included, can then be loaded onto a trolley to be carted off.

Extrication from a power strip is literally a plug-and-switch event. For systems plugged directly into a wall socket, some dismantling of the face plate is required. Check out the demonstration video at the top for the power strip method, or click here for the advanced method -- it's quite fascinating, really.

Write protection devices

As their name suggests, write protection devices actively prevent the writing of data onto the attached hard disk. They work at the hardware level by directly blocking write commands -- whether while duplicating the data or while performing a forensic analysis.

You can also use it as a way to protect your portable hard disk when transferring files to an unknown or hostile environment.

The DriveLock line supports data protection and enables blocking hard drives of various kinds such as IDE, laptop drives, Serial ATA and flash cards connected through a computer's P-ATA interface, PCI Card, USB, and FireWire ports.

ICS sells a whole bunch of write-protect devices for various hard disk interfaces. This ranges from SATA to IDE and even compact flash readers. You can check it out here.
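Added here as an example of the software-side checks that accompany a hardware write blocker (not from the article or any vendor it mentions): it refuses to image a source that the host reports as writable, then records and compares hashes of source and image. It assumes a Linux host with util-linux's `blockdev`; regular files are accepted so it can be tried without a disk.

```shell
#!/bin/sh
# Added example, not from the article: a software-side check that the
# evidence source is read-only before imaging, plus hash verification that
# the image matches the source. A hardware write blocker stays the primary
# control; this only records that nothing was written from the host side.
# Assumes util-linux `blockdev` for block devices; regular files are accepted
# so the functions can be exercised without a disk.

# Print the SHA-256 of a file, using whichever tool the host provides.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the source cannot be written from this host: the kernel
# read-only flag for block devices, the mode bits for regular files.
source_is_readonly() {
    src="$1"
    if [ -b "$src" ]; then
        [ "$(blockdev --getro "$src")" = "1" ]
    else
        case "$(ls -ld "$src" | cut -c1-10)" in
            *w*) return 1 ;;
            *)   return 0 ;;
        esac
    fi
}

# Refuse to image a writable source, copy it with dd, then record and compare
# the hashes of source and image in "$img.sha256". Returns 0 only on a match.
image_and_verify() {
    src="$1"; img="$2"
    if ! source_is_readonly "$src"; then
        echo "refusing: $src is writable from this host" >&2
        return 2
    fi
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 3
    src_hash=$(hash_of "$src"); img_hash=$(hash_of "$img")
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}
```

The `.sha256` file written beside the image is what goes into the case notes; re-hashing the source after analysis and comparing against it is how an examiner shows no write reached the evidence drive.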

Mouse Jiggler

This nifty little device represents yet another reason why screen saver passwords are a flimsy deterrence at best. When plugged into a USB port, it emulates a mouse, albeit one that moves autonomously.

The movement effectively prevents a system from automatically switching to a screen saver, or from going into suspend mode.

Wiebetech sells two versions, including a "Slow Jiggler" in which the mouse movement is barely perceptible. With it, an investigator is able to continue working simultaneously from a real mouse. There is also a "Fast Jiggler," whose only use is as part of a practical joke.

The Mouse Jiggler was originally designed to be used in tandem with the HotPlug to seize computers.

Network Taps

As the name suggests, a network tap allows an investigator to sample all traffic on a network while remaining undetected. These phantom devices are not addressable and are designed with the sole role of replicating transmission streams out via a monitoring port. Physical access to the actual cables is required, though. Network taps are generally available for both copper and fiber solutions and for networks of varying speeds.

Do note that some higher-end network switches come with a "monitoring port" that can be used to the same effect.

Net Optics makes a variety of network taps over here.

Feel free to tell us about other tools used for computer forensics and investigations in the comments section.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

13 comments

pinballfrank

Polarity? This is all well and good providing that all extension leads, power strips and wall outlets are wired correctly, i.e. the 'active-neutral' conductors. Does this device alert one to incorrect polarity?

tony

There is a nifty little tool that can be found here: www.frontlineforensics.com

paulmah

Feel free to tell us about other tools used for computer forensics and investigations in the comments section.

tony

What did people think of that website and the tool? I am the author of it and would be interested if anyone in this community would give constructive feedback or possible leads I could follow up on. I and my team are dedicated to helping capture pedophiles.

oyuuni

An important innovation in computer forensics for corporate investigations is live acquisition. In a corporate scenario where taking a computer away may constitute loss of revenue new software makes it possible to acquire evidence while the suspect is still going about their work. WetStone Technology have got a good product that does this.

paulmah

Well, not really. Network taps generally come with specialized features catering specifically to monitoring network traffic. Depending on the specific manufacturer/model, they might sport features like PoE support, 100% monitoring of traffic (including Layer 1 and Layer 2 errors), and automatic/transparent pass-through on loss of power. Models up to 10Gbps or taps sporting fiber connections are also available. Obviously, if all you need is to troubleshoot misbehaving network software, then a network tap is probably overkill. For clandestine, or 24/7, monitoring of a mission-critical enterprise network, however, this might be the only way to go. Regards, Paul Mah. Edit: Clarity

catseverywhere

You really should stress (and maybe expound upon) the fact that preventing writes TOTALLY is absolutely essential in some circumstances. My friend who does some forensics for the local police (drugs, child porn, etc.) uses a number of tools; I'll have to ask him about it and maybe report back with his recommendations. But he has had cases where the defense has hired him to prove "law enforcement" screwed up when they seized a computer. It seems, in typical lawyerly BS, someone can get off on a totally non-related technicality, even though there's 20GB of hideous porn or crack sales records on the machine. (Yes, some drug dealers use QuickBooks.) But if there has been so much as a cache sync written to the drive, all bets are off. Any write to disk while in his (or the police's) possession is an absolute no-no. Sounds like too stressful a vocation for my taste. BTW, he said he won't do kiddie porn cases anymore. Don't blame him. [EDIT] I just looked at the taps you linked. The above fellow has a nifty little handheld device that apparently does more than a tricorder. It can be toggled between addressable or not. He uses it for network troubleshooting, but he says he has also used it to tap into someone's broadband cable where it enters the house, in order to suck contents off hard drives in machines connected through a LAN to the cable. Of course he's assuming people aren't using a hardware firewall, and they usually aren't. It has some amount of internal storage, or he can pump the data over the wire to a server somewhere. (He wouldn't tell me the protocol.) He says this thing cost over $8,000, but good luck trying to buy one. Designed by "Q," no doubt.

Michael Kassner

Other than PoE, Ethernet hubs will do exactly what the other device advertised and a lot cheaper. As for ATM and fiber they also have non-intelligent devices that do exactly the same. Managed switches can be thrown into promiscuous mode and have PoE. So I do not see any advantage to purchasing something special just for monitoring.

robo_dev

Outside the house, you've either got DSL, FIOS, or CATV cable. You cannot just tap into a cable modem data stream, nor can you go upstream on the connection if you did. For cable modem at the layer-1 level you're talking about QAM modulated radio signals that use 56-bit DES or 128-bit AES encryption. That device is a modem, not a router. Can you tap into a voice modem call at layer-1 and control the modem through its interface? Of course not. The user's cable modem does not have the capability to be multi-homed to another device. (Read the DOCSIS specs.) Could you passively monitor the encrypted data stream? Yes. Could he decrypt DES or AES data in real time on a handheld computer while establishing an upstream connection? NO. With DSL or FIOS it's the same story. DSL or FIOS is ATM over the phone line. While you could grab all the ATM packets you want, you cannot just insert an ATM client on the DSL line and be part of the conversation, nor could you 'jump' the modem part of the DSL or FIOS modem. If you wanted to do that, why not do it at the DSLAM? It's probably a nice warm wiring closet and you get the same results. While you might be able to do some passive monitoring and capture of the ATM data stream, you can't take control of anything upstream that way. If the person had Ethernet on the side of their house, then his device could work. However, a $20 D-Link firewall would block his efforts. If somebody is not using a hardware firewall, he could hack their computers from his office, not the side of the house. Plus he would need at least four or five different boxes (DSL, FIOS, CMTS, analog dial-up, WLAN, cellular).

paulmah

You probably won't want to swap a normal hub into a mission-critical junction (like a Web farm) to monitor for problems. Besides, I don't think there are many hubs that scale beyond 100 Mbps. But as you pointed out, a network tap is a rather niche device. If you don't see a need for it, then you really don't need it. For certain situations, they represent a clean and quick snap-in solution to tap into a network that is not dependent upon the support of the existing infrastructure/equipment. Regards, Paul Mah.