
Obfuscating Live Computer Forensic Investigative Process on a Windows 7 Operating System: A Criminal's Perspective

International Journal of Computer Applications
© 2015 by IJCA Journal
Volume 122 - Number 6
Year of Publication: 2015
Authors:
Dinesh Mothi
10.5120/21701-4814

Dinesh Mothi. Article: Obfuscating Live Computer Forensic Investigative Process on a Windows 7 Operating System: A Criminal's Perspective. International Journal of Computer Applications 122(6):1-7, July 2015. Full text available. BibTeX

@article{key:article,
	author = {Dinesh Mothi},
	title = {Article: Obfuscating Live Computer Forensic Investigative Process on a Windows 7 Operating System: A Criminal's Perspective},
	journal = {International Journal of Computer Applications},
	year = {2015},
	volume = {122},
	number = {6},
	pages = {1-7},
	month = {July},
	note = {Full text available}
}

Abstract

Live forensic investigation is conducted while the computer system is turned on, with data gathered from physical memory in a forensically sound manner in the form of evidence. As time has progressed, criminals have developed methodologies by which live analysis can be defeated. One such method employed by criminals is installing a rootkit on the victim's machine. A rootkit is dangerous and very risky to deal with from an investigator's point of view, because it has the power to subvert the kernel of an operating system. This paper presents how easy it is for a criminal to thwart the process of live forensic investigation by downloading and installing free software tools, needing no prior knowledge of the Windows 7 operating system's kernel, and how frustrating it would be for the investigator to examine the computer system and produce a valid forensic report, making live analysis a daunting task for the forensic investigator in the field. Finally, a mathematical formula is derived for detecting the presence of hidden processes in memory.
