Malware Forensic Computing - Assignment Example

?Malware Forensic Computing This report is a discussion about malware used by cyber criminals to do cyber attacks, and respective computer forensics investigation. An introduction has been given which gives a better understanding of the topic. Common cyber crimes and types of malware are discussed. The forensic investigative procedure is explained with the help of a case study. Then, social, ethical and moral issues regarding identity theft have been discussed both from the user’s and the investigator’s side. 2. Introduction Forensic computing and malware forensics have become exceptionally significant areas in technological studies demanding special consideration so as to protect the security rights of e-consumers. Before going into the niceties of the subject matter, let’s first get introduced to what forensic computing actually is and what is malware forensics. 2.1. Computer Forensics Computer forensics or cyber forensics is a very imperative topic in information systems and networks management. Forensics is the structured procedure of gathering, examining and showing facts and evidences to the court of law, and thus, forensic computing is defined as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” (US-CERT 2008). This involves the seeking, locating and securing the electronic data so as to provide evidence. This electronic or magnetically encoded data may include text messages, databases, pictures, e-mail, websites, spyware, malware, and so on. The evidence collected is strong and indisputable as compared to any other branch of forensic science because a copy that is made of the collected data is identical to the actual data and there is no room left for dispute. The whole concept revolves around the idea that a structured investigation is carried out to find out what exactly happened to the computer, when it happened, how it happened, and who did it. This is just like solving a murder case and performing postmortem. The operator does not know that the evidence information is transparently being created and stored by the computer’s operating system which can only be extracted through computer forensics software tools and techniques. The crimes include misuse of computer systems, attack on computer systems, using a computer system to work against another system, failure of a computer system, and the list continues. Computer forensics security solutions focus not only on recovery but also on prevention of security threats in order to provide securer solutions that are quicker and cheaper than the conventional techniques. These solutions include intrusion detection system (IDS), internet security system, biometric security system, net privacy system, firewall set-ups, network disaster security system, identity theft prevention system, identity management security system, and so on (Vacca 2005: 146). 2.2. Malware Forensics Malware is the malicious code that computer intruders use to do a cyber attack, and malware forensics is the forensic computing techniques used by the investigators to detect and analyze this malicious code or malware (Ligh et al. 2010). Since cyber attackers are becoming increasingly aware if computer forensics techniques, they are designing much more sophisticated malicious codes that are at times hard to detect and analyze. Casey, Malin and Aquilina (2008) state that “By employing techniques that thwart reverse engineering, encode and conceal network traffic, and minimize the traces left on file system, malicious code developers are making both discovery and forensic analysis both difficult.” 2.2.1. Types of Malware The most common instances of malware are the viruses, worms, Trojan horses, scareware, and exploits. Viruses get installed in the computer files through email scams, websites, downloads, etc. Worms work the same way as viruses. Scareware is a malware that resembles anti-virus applications and tells the user to install it to remove detected viruses when it itself contains malicious code that gets embedded in the system’s memory and files. Trojan horses also tend to befool the user by pretending to be real applications. Exploits get embedded in security holes in the operating system or other valid applications. These types of malware intrude the computer system through email attachments, links to malicious websites, storage devices like USBs or CDs, files that are downloaded from the internet, pop-ups and content injection. 3. Backdoor Malware and Identity Theft This section highlights a specific kind of malware called backdoor malware that is used by computer intruders to get full access to the victim’s files and data through bypassing all anti-virus softwares, firewalls and other intrusion detection systems. Identity theft is the crime that involves stealing of a person’s private information “in order to impersonate that person in a legal sense”, according to Vacca (2005: 137). When a person’s identity is stolen, he is at great risk of facing a terrifying number of monetary and individual dealings done in his name by the thief. Identity theft brings great damage to the victim’s name and reputation as the victim is solely left responsible for whatever financial or personal loss he faces. The thief, after stealing the victim’s personal information through backdoor malware, can misuse it by, for instance, applying for loans in the victim’s name, changing his billing address, obtaining driving license, applying for jobs, applying for insurance or new banking accounts, getting authorization for electronic transfers by using the victim’s electronic signature, or any other fraud. If the criminal steals a person’s social security number (SSN), has all chances to get to his detailed personal information, according to Social Security Administration (2009: 2). The thief can then have access to all identification information from the databases and other data repositories that use SSNs as primary keys through the use of malware. He can then use his credit card information to apply for loans, do shopping and the leave the victim to pay the bills. The situation may lead to bankruptcy which can blow the victim out of his senses. However, malware forensics has played its part in helping law enforcement agencies in gathering digital evidence, analyzing the malicious code, and identifying stolen identities as well as the criminals involved (Newman 2009). 4. Identity Theft and Forensic Investigation Procedure 4.1. Digital Data Before getting into the details of investigative procedure, let’s get to know types of digital data that is to be gathered. There are two types of this data. Persistent data is data which is stored in the computer’s memory or ROM (Read Only Memory) permanently and remains there even if the computer is powered off. Volatile data is data which is stored in RAM (Random Access Memory) and gets deleted when the system is powered off. This volatile data can be of more importance and thus it should be made sure that the computers should be kept on if they were on at the scene of crime. 4.2. Investigative Procedure It is important for computer forensic investigators to follow a structured approach to solve identity theft cases done through backdoor malware (see Figure 1). Computer crime involving ID theft can be grouped as physical security breaches, personnel security breaches, communications and data security breaches, and operations security breaches (Icove et al., cited in Angelopoulou 2007). A detailed investigation of the case requires that the malicious code is analyzed independently to get a more systematic approach towards case solving. The digital examination of the malicious code requires great expertise at the investigator’s end. The evidence or the malicious code that is collected is the valuable asset and has to be dealt with sensitivity as it will help in deciding the specifications of the crime. The detected malicious code is so delicate that it can be altered with one mistaken tap on the keyboard or one inadvertent press of a key. The investigator will have to look for any counterfeit documents, fake checks and bogus bank statement in black and white, in addition to looking for digital evidence residing inside the fraudster’s computer system. According to Angelopoulou (2007), what makes the process lengthy is that the investigator has to go through two investigative categories, that is, going through the victim’s system and through the criminal’s system. The digital data found in the victim’s computer will help in obtaining evidence and that found in the fraudster’s computer will prove it. The main theme of the investigation is that what information might have been stolen (for example, in a financial fraud ID theft, basic things to be investigated are stolen identity, credit record, transactions, billing, and claims for new bank accounts or loans) and what procedure might have been used to steal this information. It is important for the investigator to have a warrant issued first. Pladna states that “just like the need for a warrant to search someone and their property, everyone involved in the computer forensics process needs authorization from the proper authorities to monitor and collect information related to a computer intrusion” (2008: 4). Moreover, clauses of respective laws and legislations must be followed in order to legalize the whole process. Pladna has listed three laws that forensic investigation should follow, namely, “Wiretap Act (18 U.S.C. 2510-22); Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27); and the Stored Wired and Electronic Communication Act (18 U.S.C 2701-120)”. Both the victim’s and the fraudster’s computers must be kept in the same state in which they were before investigation (Wilson 2008: 20). 5. The Case Study Mr. Smith sent his computer’s hard disk to the computer forensic lab to be scrutinized. He was suspecting one of his employees, Mr. Robert, to be involved in identity theft through the use of backdoor malware which he might have installed in his computer system. How would he expect the forensic investigation to proceed? In such a case, the digital investigation starts on certain basic phases, which include: 5.1. Analysis In this phase, the investigator will have to clearly observe the activities taken place and taking place. He will collect the digital media as input and copy the source which is the hard disk in this case. The source will help in the analysis of ID theft data that will serve as evidence. This analysis will tell whether that data belongs to Mr. Smith or Mr. Robert, and who of the two the victim is. The data has to be analyzed from both the claimant and the suspect’s end because the inputs from the two sides guide the investigation to two different standpoints. 5.2. Hypothesis In this phase, the investigator will have to decide how to proceed and which strategies to follow based on the findings of observation and the evidential data. 5.3. Prediction This phase is to support the hypothesis, like asking questions like who took the data, how was it stored and why was it brought out of the storage. The investigator will make the Mr. Robert’s profile from two inputs- victim and criminal- which will help him in clarifying who is the victim. 5.4. Testing This phase is important so as to evaluate the whole investigative process. During this phase, the digital data will be retrieved to have it examined. After collecting all necessary files to be inspected, the unallocated or free disk space on the hard drive is scrutinized because it may contain traces of deleted files and folders. To restore deleted files which exist as strings, bit-stream-copy method is used (Pladna, 2008: 7). These retrieved files or gathered evidential data have to be protected so as to eliminate chances of inadvertent alterations. 5.5. Presentation When the evidence has been collected and analyzed, the investigator will take it to a separate place where the computer forensic report is prepared for presentation to the court. 6. Required Softwares The ID theft through backdoor malware investigative procedure requires a number of special softwares and hardware tools. The investigator must be well equipped with softwares that help to make backups of the digital data, encrypt and decrypt the data and track Internet Protcol addresses. He should have complete knowledge of software for data recovery and system restore. Moreover, there is a very helpful hardware imaging tool that makes bit-by-bit copies of digital data. The forensic investigator must have good knowledge of how to use these tools so as to successfully accomplish the task. 7. Ethical, Moral and Social Issues There are some socio-ethical issues regarding malware forensic computing and identity theft that should be considered both at the system’s user’s end and at the forensic investigator’s end. 7.1. For System’s User It is important to educate the users of computer systems and the internet about “intellectual property rights issues, privacy/ surveillance issues, access to data issues and issues of human-computer interaction” (Stahl, Carroll-Mayer & Norris 2006: 298). They should know that the other person’s identity is something that is his own property and not theirs; that they have no right upon others’ personal information, and they cannot use or disclose it without the owner’s permission. 7.2. For Forensic Investigator Since computer forensics is a newly emerging field, not much has been written and said about ethical norms for the admissibility of evidence to the court. However, the security professionals should be familiar with laws and legislation that have been passed in order to make sure that malware attacks like identity theft do not take place. They should be aware of privacy rights and ethical and moral clauses found in these laws so that they may be able to better solve the case. They must know what legal issues are involved in handling a standalone computer system. Only then, the evidence will be admissible in the court. Before starting the investigative procedure, an investigator must have a search warrant issued before handling the suspect’s computer system. The magistrate is liable to issue the search warrant after the investigator submits and affidavit that should state the cause of investigation and the limits of the suspect’s privacy that is going to be violated. The time that the computer is to be analyzed is also pre-decided by the magistrate or the warrant. 8. Summary Since, the number of computer users is increasing day by day, cyber crime is also increasing at the same rate, and identity theft done through the use of malware is one such crime. It intimidates our computers and personal safety. The identification security breach is always there thanks to highly technical tools and malware helping the criminals to carry out the crime easily. Computer forensics has, however, helped a great deal in analyzing the malicious code and recovering from ID theft cases. The procedure might be lengthy but time can be saved by following a well-structured approach as described in this report. There are laws regarding e-consumers’ data protection that need to be followed. The malware forensic investigators have to be very specific in following rules and regulations in order to make their evidence admissible to the court. They have to follow the socio-ethical norms and respect the citizens’ liberty. The users must be aware of the risk they face while storing their personal information in their computer systems so that they play their role in combating the malwares leading to identity theft. Figure 1. Structured Approach to Investigative Procedure References Angelopoulou, O 2007, ‘The “solitary” of ID theft towards computer crime incidents’, ID Theft: A Computer Forensics’ Investigation Framework, viewed 9 August 2011, Casey, E, Malin, CH, & Aquilina, JM 2008, ‘From malware analysis to malware forensics’, Malware Forensics: Investigating and Analyzing Malicious Code, illustrated edn., Syngress, USA. Ligh, M, Ligh, MH, Adair, S, Richard, M, & Harstein, B 2010, Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, illustrated edn., John Wiley and Sons, USA. Newman, RC 2009, Computer Security: Protecting Digital Resources, Jones & Bartlett Publishers, USA. Pladna, B 2008, ‘Procedures for gathering evidence’, Computer Forensics Procedures, Tools, and Digital Evidence Bags: What They Are and Who Should Use Them’ viewed 9 August, 2011, Social Security Administration 2009, ‘Identity theft and your social security number’, Social Security (Publication No. 05-10064), viewed 9 August, 2011, Stahl, B, Carroll-Mayer, M, & Norris, P 2006, ‘Legal, professional, and ethical consent’, Forensic Computing: The Problem of Developing a Multidisciplinary University Course, viewed 9 August 2011, US-CERT 2008, ‘What is computer forensics?’ Computer Forensics, viewed 9 August 2011 Vacca, JR 2005, ‘Identity theft’, Computer Forensics: Computer Crime Scene Investigation, 2nd edn., Cengage Learning, USA. Wilson, D 2008, ‘Scene of the crime vs. the crime scene’, Forensic Procedures for Boundary and Title Investigation, illustrated edn., John Wiley and Sons, USA. Read More