The State of the Art in Digital Forensics
DARIO FORTE
CISM, CFE
University of Milano at Crema
Italy
Abstract
We are at a historical moment in which computing is part of social life. This means that computers are also part of crimes, both physical and virtual. This chapter provides an overview of the state of the art in digital forensics, with special emphasis on UNIX operating systems and log file management. It also includes an overview of current scientific research on the topic and illustrations of a number of potential issues that are often the subject of discussion in courtrooms the world over.
1. Introduction .......... 254
1.1. Some Basics of Digital Forensics .......... 254
2. Tools and Techniques for Forensic Investigations .......... 256
2.1. The Preservation Phase: Imaging Disks .......... 256
2.2. Survey and Search Phase: Seeking Evidence under UNIX .......... 261
3. Logs: Characteristics and Requirements .......... 264
3.1. The Need for Log Integrity: Needs and Possible Solutions .......... 264
3.2. An Example of Log File Integrity Problem: Syslog .......... 265
3.3. More Integrity Problems: When the Logs Arrive on the Log Machine .......... 268
3.4. Log Time Stamping Management: Problems and Possible Solutions .......... 269
3.5. Normalization and Data Reduction: Problems and Possible Solutions .......... 271
3.6. Correlation and Filtering: Needs and Possible Solutions .......... 272
3.7. Requisites of Log File Acquisition Tools .......... 274
4. Experimentation: Using GPL Tools for Investigation and Correlation .......... 275
4.1. The IRItaly Project .......... 275
4.2. Further Developments: IRItaly Version 2 .......... 278
5. SecSyslog and Covert Channels in Detail: Introduction and Definition .......... 279
5.1. Categories .......... 280
5.2. Network Covert Channels: Current Use .......... 280
5.3. Covert Channels Using ICMP Tunnels .......... 285
5.4. DNS .......... 286