KR20080096031A - How to get volatile evidence of computer - Google Patents

Abstract

The present invention relates to a method of safely obtaining volatile data or important data when a computer system is compromised and the network is unavailable. The first investigator goes directly to the incident and volatile by a script made in the form of CD or USB. Collecting data and generating and storing the hash value, and storing the stored data and the hash value in a server which is a safe system, and in the authentication of the volatile data, the hash value stored together with the data and the hash value stored in the server It is a method of comparing and analyzing the stored volatile data to prove that it is integrity data unchanged.

Description

A collection method of volatile evidence data with computer}

1 is a flow chart of a forensic procedure.

2 is a flowchart of a volatile data acquisition and verification procedure according to the present invention.

3 is the contents of a CD stored in accordance with the present invention.

The present invention relates to a method of safely obtaining volatile data or important data when a computer system is compromised and the network is unavailable. The first investigator goes directly to the incident and volatile by a script made in the form of CD or USB. Collecting data and generating and storing the hash value, and storing the stored data and the hash value in a server which is a safe system, and in the authentication of the volatile data, the hash value stored together with the data and the hash value stored in the server It is a method of comparing and analyzing the stored volatile data to prove that it is integrity data unchanged.

Digital evidence can be classified into original digital evidence and copy digital evidence. Another way to classify 'documented' evidence is to classify it as descriptive and documentary evidence.

Basically, submitted documents must be original unless the original document has been destroyed and there are no special exceptions. That is, the presenter must show that the content of the evidence is intact and that no changes have been made to the evidence since it was seized. Otherwise it cannot be admitted as evidence in a court of law and must not be admitted.

There are several requirements for evidence that can be adopted in court. Evidence must be credible, relevant (substantiate the facts about the event), and material (substantiate the subject matter associated with the event).

Unlike general crimes, many difficulties arise in dealing with computer-based crimes.

In particular, data temporarily stored in the system memory of a computer is called volatile data. The memory stores data using power, and the data stored in the memory disappears when the system is powered off.

The IEEE Internet draft, "Guidelines for Evidence Collection and Archiving," suggests collecting first-hand evidence of a computer's volatility.

This is because the most volatile evidence in a computer is most likely to be lost. The 'volatile data order' is the register and cache, routing table, ARP cache, process table, kernel statistics, system memory contents, temporary file system, and disk data.

The process of collecting the volatile data raises one problem.

In other words, the state of the system is changed while collecting volatile data. Some computer experts recommend investigators or crime scene technicians documenting a running process, network status and connection information, a 'dump' of RAM data, and storing and executing the above to perform a task or command.

Computer digital materials are not only easy to copy, but also difficult to distinguish between originals and copies, and are very easy to manipulate, create, transmit and delete. Therefore, in order for digital data to have legal evidence, it must be carried out in a special procedure and method throughout the entire process of collecting, storing, analyzing and reporting the data. These processes and methods for making digital data legally documented are collectively called 'computer forensics'.

Computer forensics is primarily a method of identifying and proving the facts of an action that takes place on the basis of digital data embedded in a computer.

The method can be used to detect corruption or obtain evidence of employees during corporate activities as well as civil and criminal criminal investigations. In particular, it is important to secure important evidence in the settlement of disputes with customers.

In today's increasingly high-tech crime through digital media, the process of proving and dealing with the integrity of obtaining hard disk data or digital evidence from computer systems is urgently needed. Therefore, there is a need for a procedure for proving that the data stored in the computer forensics is an unchanged integrity data.

According to the present invention, a hash value generated as a file in a removable storage medium (CD, USB memory, etc.) that is a script for extracting variable volatile data and used as an integrity means of original data in a disk forensic type in the removable storage medium. Proof of the change of data through the installation, and by installing the authentication server on the Internet to transfer the hash value at the time of the volatile data is made in the form of a file to the authentication server, the hash value of the authentication server and the removable when submitting evidence Its purpose is to provide a way to verify that evidence has not changed by comparing and verifying the hash values stored on disk.

Hereinafter, preferred examples of the present invention will be described with reference to the accompanying drawings.

Figure 1 shows a simplified forensic procedure.

Procedures for processing evidence in forensics are obtained after the evidence has been obtained and analyzed. Evidence reports should be presented along with the evidence, and each piece of evidence must be tagged to demonstrate that there is no problem with the process. The following sections describe each step in detail.

Obtaining evidence;

Acquisition of evidence involves various activities such as seizing the target computer used in crime to generate copy data from original data, storing the contents of volatile memory, and finding backup data. In the process of obtaining evidence, the evidence should not be inadvertently damaged. As a simple example, if a file's last access time changes because of a click, it becomes difficult to prove that the document at the time of the event was created. Therefore, in order to maintain the integrity of the original data, the process of obtaining evidence requires processes such as data imaging, checking the time of the computer used in crime, photographs of the monitor screen, and checking the running process.

Evidence analysis step;

As an analysis step for the acquired evidence, various techniques are used in the analysis. In general, programs used in forensics provide evidence acquisition and analysis. For analysis, the file is first identified using the imaging copied during the acquisition process. If evidence of crime is found during the verification process, documenting the verification process of the file and documenting the original data was not directly touched, thus providing integrity of the original data. That is, the file of the copy data has changed the execution time, but the file of the original has not changed the execution time, and it can show that the file exists on the criminal's computer. These analyzes include criminals recovering deleted files, concealing and finding encrypted data.

Evidence storage step;

If selected as evidence, the integrity of the evidence should be provided and maintained. Even when a crime occurs in the general society, that is, the evidence does not become effective due to contamination in the process of storing and managing the evidence. Suspicion may occur. Therefore, for the storage of evidence, transport must have a case or storage place that is safe from shock and physical attack.

Report writing step;

Evidences that go through a series of steps from the acquisition, analysis, and storage of the evidence should be tagged and documented. Such documentation should provide an indication of the acquisition process and provide justification as evidence when taken as evidence. In particular, it should be possible to prove that the evidence has not been manipulated in such a way that the expert can verify the process of obtaining and analyzing the evidence. Because digital evidence is easy to create, mistakes can be suspected even if it is legitimate. Therefore, a series of processes must be clearly understood, and documentation is necessary to prevent problems even when verified by a third party expert.

Based on the forensic procedure described above, the volatile data acquisition and verification procedures according to the present invention will be described.

2 illustrates a volatile data acquisition and verification process according to the present invention.

The order of acquiring flawless volatile data according to the present invention

Arriving at the crime scene and checking the current state of the evidence (S_10);

Storing the volatile data in the form of a script that automatically executes a command when the CD is executed in the computer at the event site, and simultaneously generates and stores a hash value (S_20);

Preparing a collection time of the data stored in the CD, a name of an on-site evidence obtainer, and related evidence (S_30);

Moving the data stored in the removable storage device to a safe place where a network can be used (S_40);

Transmitting the stored data, the acquired person's name, and a hash value to an authentication server (S_50);

Comparing the hash value with the authentication of the person who acquired the data and confirming whether the data is identical (S_60);

Checking whether the hash value stored in the authentication server and the hash value stored in the portable storage device match to verify that the stored data is integrity (S_70);

If the hash value is matched in the above step to submit to the relevant institutions (S_80);

Is made of.

In the step of checking whether the hash value is matched with the authentication of the person who obtained the data, it is preferable that the consent of the concerned person is proved to be the same person by a certificate issued by the certification authority and is not accessible to other people.

The important thing in the above process is that the command automation CD is used. The command automation CD automatically executes the commands simply by executing the CD to prevent errors due to the uniformity of the evidence and the immaturity of the original evidence. It is preferable to be produced in the form of script.

If the storage space of the CD is insufficient, it is advisable to respond to the situation by recreating the CD or making it into USB memory with the help of a professional. This is because, as the storage space of a computer is rapidly increased, all data cannot be stored on a single CD.

The space for saving files created by the commands created on the CD can be saved back to floppy disk or USB memory. In recent years, USB memory has been activated, but if a new type of portable storage device is developed in the future, it will be obvious that the new portable storage device is also included in the scope of the present invention.

The floppy drive is a device that should be avoided because of lack of storage space and common use of computers.

The hash function used above will be described.

Hashing algorithms are called hash functions. In addition to fast data retrieval, hashing is used to encrypt and decrypt digital signatures. The digital signature is converted using a hash function, and then the hash value (called the summary message) and the digital signature are sent separately. The receiver extracts a summary message from the signature using the same hash function used by the sender and compares the extracted summary message with the summary message already received. The digital signature is valid only when the comparison result is the same.

The hash function is used to index the original value or key and is used again whenever the data associated with that value is retrieved. However, hashing always works in one direction. Thus, there is no need for backward engineering to extract the hash function by analyzing the hashed values. In fact, the ideal hash function should not be deduced by such an analysis. Also, good hash functions should not produce the same hash value for two different inputs. If so, a collision occurs. A hash function with very low collision risk is considered a good hash function.

Encryption and decryption algorithms vary. However, in the present invention, a method of verifying data using a hash algorithm, which is a representative encryption / decryption algorithm, is described as an embodiment, but a method of performing the procedure of the present invention using another algorithm is naturally included in the scope of the present invention. something to do.

Fig. 3 shows the contents of a CD made by the above procedure.

Looking at the contents of the CD, there are automatically generated hash values and data.

If you have a lot of files, you can also have a compressed file compressed with a compression program. Unpack the archive and create a document with the date and time at the time of creation of the volatile data with the hash value in it.

The observer's signature is important data that later proves that the volatile data has been obtained securely by the CD at that location and time. In the content of the document, there is a separate part including the time at which the file was acquired and the generated hash value. It can also be signed to verify the identity of the data physically and logically, and at the same time double verify the integrity at the time of creation.

The RFC 3227 document defines the main uses of volatile data, but there are a number of scripts that can be written to extract volatile data on a case-by-case basis.

The above script cannot be produced and applied as a single script file in all cases, that is, the CPU, memory, hard disk, VGA card, network adapter, operating system (OS), software version of the computer, etc. You can't apply the script every time you do it.

Therefore, it is advisable to create and use some standard scripts, and to create a script that is suitable for the situation whenever it is out of standard.

The script to be produced as a standard is divided into Windows and Linux. First, the script contents of Windows are written as follows.

Standard script content for Windows

1) abnormal network

   ① Check for abnormal network connection

   ② Check the process mapped with the abnormal network

   ③ Check for abnormal NetBIOS connection

2) Check for abnormal processes

3) Check for abnormal service

4) Check the autorun program registered in the registry

Standard script content for Linux

1) Collect important configuration file information

2) Collect file vulnerability information

3) Collect system log information

4) Collect System Memory Information

It is preferable to make the above standard and to use scripts for other operating systems or unusual issues or in other cases. The reason for using the command script in the form of CD is to reduce the omission and errors caused by the investigator's mistake.

Unlike the script used as an example in the present invention, it is also a good way to produce a script that can respond to infringement incidents for each institution. Volatile data can be changed once it has been acquired, so care must be taken. Acknowledgments of related parties cannot be obtained at that time, so accurate data must be obtained at once.

When data is collected by the above method, the collected contents are compressed in the form of a compressed file, and at the same time, the generated time and hash values are generated.

Finally, a single printout is generated, and the printout is a document that obtains the generated time, hash value, and the consent of the person concerned. The document is read and signed by the owner or the related person.

The person acquiring the data must be signed by the relevant official. The document can be an important resource later when the court asks for proof of impeccable data.

As described above, the present invention has been described through an embodiment, but the implementation of the present invention may be variously changed within the scope of the claims.

As described above, in the present invention, the volatile data is generated in a file format on a removable storage medium (CD, USB memory, etc.) by a script for extracting variable volatile data, and the original data in a disk forensic type on the removable storage medium. The hash value used as a means of integrity of the data proves the change of the data, the authentication server on the Internet is collected and the hash value is transmitted to the authentication server at the same time. Providing a hash of can provide a way to prove that the evidence has not changed.

Claims (3)

The method of acquiring and verifying volatile data in computer crime is Arriving at the crime scene and checking the current state of the evidence (S_10); Storing the volatile data in the form of a script that automatically executes a command when the CD is executed in the computer at the event site, and simultaneously generates and stores a hash value (S_20); Preparing a collection time of the data stored in the CD, a name of an on-site evidence obtainer, and related evidence (S_30); Moving the data stored in the removable storage device to a safe place where a network can be used (S_40); Transmitting the stored data, the acquired person's name, and a hash value to an authentication server (S_50); Comparing the hash value with the authentication of the person who acquired the data and confirming whether the data is identical (S_60); Checking whether the hash value stored in the authentication server and the hash value stored in the portable storage device match to verify that the stored data is integrity (S_70); If the hash value is matched in the above step to submit to the relevant institutions (S_80); Method of securing computer volatile evidence, characterized in that consisting of. The method according to claim 1, If the computer is Windows, the script format for automatically executing the command, A method of acquiring computer volatile evidence, characterized by an abnormal network connection check, a process mapped to an abnormal network, an abnormal NetBIOS connection check, an abnormal process check, an abnormal service check, or an auto-launch program registered in the registry. The method according to claim 1, If the computer is Linux, the script format for automatically executing the command is How to obtain computer volatile evidence characterized by collecting important configuration file information, file vulnerability information collection, system log information collection, and system memory information collection.

Images