
Data Triage Blog

Computer Forensic Focus On Keystroke Logging

Computer forensics, or digital forensics, has rapidly grown into a standard part of computer investigations and is often followed by expert witness testimony in court. It is something you need to do regularly as part of the investigation process: it helps and protects the business and provides evidence throughout the legal process.

To protect your company and your business on the Internet against hacking, you have to know the tactics hackers employ; that knowledge helps you prevent fraud by staying one step ahead of them. Data is generally stolen by means of phishing, spyware, malware programs, insider attacks, keystroke logging and so on. In this article I would like to discuss keystroke logging.

Not sure what exactly keystroke logging is?

Keystroke logging, or keylogging, is a method of capturing information by recording a user's keystrokes with a hardware device or a software program.

Keystroke logging is done remotely to steal credit card and bank account numbers, usernames and passwords, and sometimes to monitor personal files, email and FTP sessions in order to spy on the user. Keyloggers can be installed through downloaded programs and also through physical access to the computer.

How exactly it works: the keylogger relies on a web server and tampers with the browser so that it is redirected to other web pages. When the client downloads the web page and its JavaScript, it is unknowingly redirected to the hacker's site, the keyboard logger is installed, and the user's usernames, passwords and bank PIN and card numbers are sent to the hacker's website.

Hardware keyloggers are external attachments (a small cable-like device) placed between the keyboard and its port. The attachment can look like a USB memory stick or an external hard drive connector plugged into the back of the computer, where it is hard to spot. These devices are invisible to the computer's user, because they sit inside the keyboard or next to the keyboard port.

A software keylogger is a program installed on a machine with administrative privileges. It may be a device driver that replaces the existing input/output driver with one that has keylogging functionality embedded. Such a logger typically offers options such as encrypting and decrypting the log files and sending them to a destination across the Internet. The log files are hard to find among the operating system files, even when you list hidden files in a directory, because they are hidden.

You can protect against keystroke loggers accessing data from the web server by means of a comprehensive intrusion prevention system that defends your network through signature deployment, anomaly detection and protocol recognition, and you can also use anti-keylogger software programs to detect keyloggers.

These computer forensic tools give individuals a way to detect keyloggers. For further assistance and help you can go to www.Datatriage.com, the best Computer Forensic Expert, which provides an effective approach to supporting your online investigation.

Since keyloggers are simple and easy to install, the best manual defence is to prevent keylogging by adopting good security practices: give users restricted privileges by making them members of the user group, keep the administrator group under a strong password policy, and physically check for hardware loggers.

Email Discovery as Electronic Evidence

In today's legal discovery world, electronically stored information requires special attention in litigation. The recent emphasis on producing electronically stored information requires an e-discovery team to apply legal principles to information technology. In some cases electronically stored information can drive companies out of business, because they do not know how to find it, especially email and its attachments. Most email discovery efforts concern the collection and review of email, which remains one of the highest-risk areas.

Email is the most popular means of communication for personal and business matters. Currently more than 1000 million email accounts are in use worldwide, an average of more than 4 email accounts per person. With these accounts, all of your incoming, saved and sent mail is stored on a mail server within IMAP folders. Since we all rely on email to run our businesses and our personal lives, it is important to take preventive measures to avoid the ultimate disaster of unrecoverable email.

The mail store's message index lists the messages and is stored as entries in a database associated with the file structure. When you delete a mail message, its attachments are deleted along with it. However, you can restore them, because they are only moved to a special deleted-message folder called the Trash folder, like files in the Recycle Bin. These deleted emails still remain on the computer's hard drive, on servers, or on backup tapes.

Deleting the email from the folder reduces the size of the database file by eliminating the vacated space. Once deleted, messages are kept in the Trash folder, from which they can easily be retrieved. The files are not removed from the file index; they are just moved to the Trash directory, and their space is considered available for writing new data.

But if an email in the Trash folder is deleted again, it is no longer indexed and no longer readily accessible. Even then the files are not truly deleted; they still exist on your hard drive. They have not been erased, and in most cases they can be retrieved, but a forensic examination is required to locate and recover them. In some circumstances such mail may be impossible to retrieve from the server, hard drive or PC, because it has been overwritten by other files.

Even if your email is completely lost, mail recovery tools can scan the entire hard disk, locate and recover the deleted email, and also repair the database if it is corrupted.

Imagine your email database deleted or the file system corrupted. If that happens, you need an undelete tool to get the files back. Even when the database is corrupted, the data content may still exist, but the structure of the file may be wrong so that the mail program cannot list the messages. Then you need email discovery tools that scan the hard disk and list a whole bunch of files with damaged or crippled file names.

Different mail programs store data in different formats (Word, Excel, CSV, PDF and so on), so you must use a data recovery tool that supports the mail software you are using. For Outlook Express or Windows Mail, Mail Recovery is effective and easy to use; for Microsoft Outlook files you need Outlook Recovery; and Mozilla Thunderbird mail folders can be recovered with a text editor, as they are plain text files.
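Thunderbird-style mbox folders are plain text, and a message the user deletes is only flagged in place, not removed, until the folder is compacted, which is why it is still recoverable from the file. The following added example (not part of the original post) scans a constructed mbox folder and lists the messages the mail client hides; it assumes Thunderbird's X-Mozilla-Status header convention, where flag bit 0x0008 marks an expunged (deleted) message.

```python
import mailbox
import os
import tempfile

# Constructed sample in the on-disk style of a Thunderbird mbox folder (not a real capture).
# Assumption: Thunderbird's X-Mozilla-Status header keeps per-message flags as hex, and
# bit 0x0008 marks a message the user deleted that still sits in the file until compaction.
SAMPLE_MBOX = """From - Mon Jan 02 09:00:00 2023
X-Mozilla-Status: 0001
Subject: Quarterly numbers
Message-ID: <1@example.com>

Attached are the numbers.

From - Mon Jan 02 09:05:00 2023
X-Mozilla-Status: 0009
Subject: Please delete this
Message-ID: <2@example.com>

Shred the old contract.

From - Mon Jan 02 09:10:00 2023
X-Mozilla-Status: 0000
Subject: Lunch
Message-ID: <3@example.com>

Noon?
"""

EXPUNGED_FLAG = 0x0008

def scan_mbox(path):
    """Walk every message physically present in the file, including ones the
    client no longer shows. Returns (message_id, subject, is_expunged) tuples."""
    box = mailbox.mbox(path, create=False)
    try:
        found = []
        for msg in box:
            status = int(msg.get("X-Mozilla-Status", "0000"), 16)
            found.append((msg["Message-ID"], msg["Subject"], bool(status & EXPUNGED_FLAG)))
        return found
    finally:
        box.close()

def recover_deleted(path):
    """Only the messages flagged deleted: what a review of the live mailbox would miss."""
    return [(mid, subj) for mid, subj, gone in scan_mbox(path) if gone]

def write_sample(directory):
    path = os.path.join(directory, "Inbox")  # Thunderbird folder files carry no extension
    with open(path, "w", newline="\n") as f:
        f.write(SAMPLE_MBOX)
    return path

def demo():
    """Write the sample folder to a temp dir and report total vs. hidden messages."""
    with tempfile.TemporaryDirectory() as d:
        path = write_sample(d)
        return len(scan_mbox(path)), recover_deleted(path)
```

Running `demo()` finds three messages on disk while reporting one of them as deleted but still recoverable; against a real folder, compaction is what finally removes it.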

To avoid severe legal sanctions, you need an easy way to search for relevant email so that you can quickly meet legal discovery requests. An effective email discovery solution can help mitigate these legal risks. www.Datatriage.com is one of the leading experts in the field of email discovery and restores electronically stored information in email and its attachments.

Hard Drive Recovery for Your Valuable Data

The most valuable assets of a company or organization reside in files on computer hard drives, the main storage element of the system. In many cases, identifying and retrieving the electronic evidence on a hard drive requires special skill and experience in data recovery. A crisis with the system can be attributed to a number of factors, in particular the inability to access a hard drive when backups are not available.

Hard drive crashes, virus attacks, or the loss of valuable files through accidental deletion can be quite disruptive to your work. Unfortunately, the data loss caused by such a failure leads to financial losses for an organization as well as for personal life. If the data disaster caused by a hard drive failure is not managed properly and immediately, the data loss can become permanent.

Hard drives are mechanical magnetic storage devices that are extremely susceptible to failures such as head crashes, circuit board shorts, electrostatic shocks, power surges and overheating. Power failure in particular can damage a hard drive: power surges and sags cause hard drives to crash and corrupt Windows systems, databases and other programs and services that need a safe shutdown. Unless you have good surge protectors, a UPS and backup generators, you cannot always count on your data being safe.

Hard drive crashes and disk failures in general can be broadly classified into five categories:

  • Firmware corruption
  • Electronic failure
  • Mechanical failure
  • Physical corruption
  • Logical corruption

Like other software, firmware can have bugs. If the hard disk spins up when powered on but is not recognized by the computer, this can be attributed to a firmware failure. Sometimes the computer recognizes the spun-up hard drive properly but then hangs during the boot process before it starts up. The hard disk firmware is software, and corruption in it prevents the computer from interacting with the hard disk. The data on the disk can be recovered once the drive's firmware is repaired and reprogrammed. Recovery requires a small amount of programming and manipulation of the hard drive.

An electronic failure is a failure of the hard disk's controller board; the computer's power supply can also be a source of fluctuations that damage the hard disk.

Mechanical hard disk failures are due to components internal to the hard disk itself. The data on the hard disk becomes inaccessible as soon as an internal component fails. This can be diagnosed by a ticking sound when the system is powered on. Do not attempt to open a hard disk if you suspect a mechanical fault, because there is a real chance you will destroy any chance of successfully recovering the data. The most common symptom seen in recovery work is an unusual noise, which only a hard disk recovery specialist should handle.

A ticking or scratching noise from your hard drive, caused by bad parts, a head crash, water damage or fire damage, indicates a physical failure. The actuator arm in the hard drive can fail, motors can fail, or the platters can become damaged and lose the data they hold.

In the case of a logical crash, the damage is caused by the user, for example an invalid entry in the file allocation table, accidentally formatting the drive, or loss of the file system on a fragmented drive.

For all of these crashes you need either a hard drive recovery specialist or hard drive recovery software that can work on all kinds of damage. www.datatriage.com are specialists in data recovery who retrieve lost data from crashed or damaged hard disk drives using state-of-the-art data recovery tools.

Technical Considerations in Review Process of E-Discovery

Decision-making, backing up your data and managing a review database to acquire digital data in your company no longer solves your e-discovery problems by itself, even if you engage a legal attorney for the review process. Data collection plays a key role in the review process. There are some technical issues that need to be considered; they will help the legal team identify potential problems and conduct a successful e-discovery review.

The following is a checklist of technical issues that can aid the e-discovery review process:

ISP (Internet service provider): this looks simple but in most cases is overlooked. The reliability, network speed and throughput supplied by the ISP can have a tremendous impact. Consult your network engineer to find out who your ISP is and how reliable they are, so that IP addresses at the main location can be rerouted if necessary. For example, when you access your personal email through your own ISP, chances are your email reaches you from your ISP's email servers in one of the following ways: POP (Post Office Protocol), IMAP (Internet Message Access Protocol), MAPI (Messaging Application Programming Interface) or HTTP (Hypertext Transfer Protocol), and knowing which one helps in locating the email.

Bandwidth: routers, hubs, firewalls, cables and modems all affect the actual bandwidth, which fluctuates from time to time. An average sample of the bandwidth should be taken every day. This is very important because the reviewers will access the data online, so you must check whether they actually get the expected bandwidth. Use online support tools that measure upload and download speed.

Map out the number of hops associated with each computer and review location. Tracert is a network command-line tool that shows the route packets take across an IP network, i.e. from your computer to a destination you specify. The tracert command lists all the routers the packets pass through until they reach their destination and also tells you how long each 'hop' from router to router takes. This provides a lot of relevant information to the network engineer.

Use web analytics software to view the reviewers and their locations. Performance will suffer if 100 reviewers try to access the same information, resources or website from the same physical location at the same time, versus only 10 reviewers doing the same. By listing the total number of reviewers and their physical access locations, we can estimate how long a review will take and from which place.

Software configuration: to ensure that web usage is consistent, the software must be configured consistently. Ensure that the web server is configured so that the appropriate information is recorded and that changes to relevant server options or data processing are documented.

Web usage data does not always give a true indication of actual usage, because of factors such as caches, cookies, browser types, auditing tools and so on. Despite these reservations, collecting and analyzing usage data can provide valuable information.

Firewall operation: with the help of a firewall, and in conjunction with addressing the other security issues, the loss of files, emails and financial records can be avoided. A firewall is necessary for almost every review process, because it plays a vital role in the overall performance of the network. Check whether your firewall is blocking your ports or whether it is accessing the Internet only through identified, specific ports. Most firewalls include features such as NAT (Network Address Translation), which protects you by hiding internal IP addresses so that outsiders cannot reach your internal network, and inspection of incoming visitors; many also terminate VPNs (Virtual Private Networks), which allow users to communicate securely using encrypted traffic.

Data collection always plays a key role in the e-discovery review process. After gathering the information based on this checklist of technical issues, share it with your technical support team and decide whether everything is within normal parameters. This will enable the legal team to develop solutions to potential issues and set up a successful e-discovery review. www.datatriage.com is the best practice partner for corporate firms, possessing both the technical and legal knowledge to set up a successful claim.


E-Forensics Supports Your Ongoing Investigation by Capturing The Legal Defensible Data

E-forensics is the application of electronic investigation techniques with the capability of recovering data that is not visible to the user and using it in legal proceedings. Deleted files often contain electronic records that do not show up but are important to your case, so identifying deleted files plays the key role in e-forensics.

The latest e-forensics technology makes sure that the information is legally defensible by maintaining a properly documented chain of custody, identifying the electronic data capture methods used, and applying knowledge of the latest technologies used in e-forensics.

Electronic discovery is the process of extracting data from electronic documents containing electronic data such as email, word processing files, accounting files, spreadsheets, presentation files, databases, CAD files and other forms of stored computer records, held on media such as cache memory, magnetic disks and optical disks such as DVDs and CDs. Any such information recorded on any type of electronic media may be subject to discovery in a claim and can be presented as evidence.

E-forensics applies special scientific methods to determine the scope and presence of information contained on digital media. It differs from electronic discovery in that it is used only where a potential crime is involved. Data not accessible to the user, including deleted files, hidden files, web-based files and password-protected files, as well as data on special devices such as iPods, MP3 players, storage area networks and cellphones, can also be discovered with e-forensics.

Capturing electronic media forensically:

The original media is copied using specific capture applications whose features ensure that no changes are made to the original. Secure hash algorithms are used to take an initial measurement of each file. This form of digital fingerprint is applied before and after processing activities to prove whether or not the file changed during processing. The most common hash algorithms are MD5 (a 128-bit algorithm) and SHA1 (a 160-bit algorithm), which are the ones primarily used in computer forensics.

There are two methods of copying: a bit-by-bit copy and a forensic image.

* Bit-by-Bit Copy: to make an exact copy of the device, every byte on the device is copied to the new device, and a write blocker (software or hardware) is used to prevent any changes to the data. This creates an exact copy that requires no manipulation of the data to recreate the original media.

* Forensic Image: all the files on the original media are contained inside the forensic image file, which wraps and protects them. Special software is required to create this image file, and it cannot be altered without changing its hash value. In addition, a cross-validation test is performed to validate the process.
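The hashing-before-and-after step and the bit-by-bit copy described above, as an added example that is not part of the original post: the code below acquires a constructed sample "media" file with a byte-for-byte copy, records MD5 and SHA1 of the source before the copy and of the image after it, and re-verifies the image later to show that a single changed byte is detected. The write blocker is a hardware or operating-system control and is not represented here.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash and copy in 1 MiB pieces so a large image never sits in memory at once

def hash_media(path):
    """One pass over the media, computing both digests the post names (MD5 and SHA1)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def acquire(source, image):
    """Byte-for-byte copy of `source` into `image`. The manifest records the source
    hashes taken before the copy and the image hashes taken after it, so a mismatch
    means the image is not a faithful duplicate of the original media."""
    before = hash_media(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = hash_media(image)
    return {"source": before, "image": after, "verified": before == after}

def verify(image, manifest):
    """Re-hash the image after any processing step and compare with the manifest."""
    return hash_media(image) == manifest["image"]

def demo():
    """Acquire a sample, verify it, then corrupt one byte and verify again."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        img = os.path.join(d, "evidence.dd")
        # Constructed sample "media": a few MiB of random bytes, not real evidence.
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))
        manifest = acquire(src, img)
        untouched = verify(img, manifest)
        # Simulate an unintended write to the image: flip one byte at offset 4096.
        with open(img, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        return manifest["verified"], untouched, verify(img, manifest)
```

`demo()` returns (True, True, False): the copy matched, the untouched image verified, and the one-byte change was caught by both digests.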

Through this data capture process, e-forensic tools provide a solution to individuals, government agencies and private industry for tracking what happened, with scientific equipment and tools that provide the analysis and interpretation a court requires. www.DataTriage.com is the best e-forensic service expert, providing a cost-effective approach to supporting an ongoing investigation.