
Algorithms to enable forensic analysis of computer and network intrusions

Posted on: 2007-03-19
Degree: Ph.D
Type: Dissertation
University: The University of Texas at Dallas
Candidate: Sitaraman, Sriranjani
Full Text: PDF
GTID: 1448390005974733
Subject: Computer Science
Abstract/Summary:
The widespread use of personal computers by home users and corporations in the past few years has resulted in an enormous amount of information being stored electronically. Computers are used in electronic crime in different ways. In some cases, computers provide the means of committing a crime. In other cases, computers merely serve as convenient storage devices for evidence of a crime. Such persistent electronic material may, in certain cases, constitute critical evidence of criminal activity. Digital evidence is increasingly used in the legal system. Proper collection and automated analysis procedures are essential to preserve computer data and present it as evidence in a court of law. Digital forensics is a methodology for preserving, collecting and analyzing evidence in digital form. Computer forensics deals with identifying and analyzing evidence obtained from a single machine, while network forensics deals with the same operations in a connected digital world.

In this dissertation, techniques to gather and analyze digital evidence for the purposes of proving guilt or innocence, or for intrusion analysis, are discussed. The following problems are addressed.

(1) An important problem in digital forensics is to record a checkpoint of a disk drive that has been mounted as a file system on a host machine, in a minimally intrusive manner. An algorithm that records a consistent checkpoint of a disk holding a Unix-like file system, without disrupting the disk's normal operations, is presented.

(2) Magnetic media such as hard drives have become central to our means of storing and processing data. Data on a hard disk may be modified or deleted. A log-based technique is proposed to recover information from a hard drive even if the data has been overwritten. Using the proposed algorithm, multiple snapshots of a file, as they existed at different instants in the past, can be retrieved.

(3) Analysis of system events, and of the way in which they are related, can help detect the entry points of computer intrusions. Intrusion detection systems alert system administrators about an intrusion but, in most cases, do not provide details about which system events are relevant to the intrusion and how those events are related. After an intrusion, system administrators have to examine huge log files for connections from unusual network locations or unusual activity in the system. An improved backtracking tool is discussed that helps the system administrator by providing a substantially reduced dependency graph of the events related to an intrusion. The dependency graph benefits intrusion analysis by reducing the search space and search time.

(4) Security holes or vulnerabilities in system utilities allow an attacker to gain unauthorized privileges, gain unauthorized access to protected data, or interfere with the work of others. A malicious program can act by exploiting a window of opportunity between the points of execution of a system utility, thereby gaining unauthorized access to resources of a system. An algorithm that analyzes system events and detects synchronization flaws in system programs is proposed. The algorithm uses an interleaving of a system utility and a malicious program to predict binding-based race-condition attacks.
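As an added illustration of the backtracking idea in problem (3), and not code from the dissertation itself, the following example builds a dependency graph from a constructed system-event log and walks backwards from a detection point (a modified file) to the events that could have influenced it. The event model (process/file objects, "source affected sink at time t") and the time-threshold pruning rule are assumptions chosen for the illustration; every event that could not have contributed is dropped, which is what yields the reduced graph.

```python
from collections import defaultdict

# Constructed sample event log: (time, source, sink, kind) means that
# `source` affected `sink` at `time`.  Objects are processes ("p:name")
# or files ("f:path").  Events 2, 3 and 8 are unrelated noise.
EVENTS = [
    (1, "p:sshd", "p:sh", "fork"),
    (2, "p:cron", "p:updatedb", "fork"),              # background job
    (3, "p:updatedb", "f:/var/lib/mlocate.db", "write"),
    (4, "p:sh", "p:wget", "fork"),
    (5, "p:wget", "f:/tmp/dl", "write"),
    (6, "f:/tmp/dl", "p:sh", "read"),                 # sh consumes download
    (7, "p:sh", "f:/etc/passwd", "write"),            # detection point
    (8, "f:/var/log/syslog", "p:sh", "read"),         # after detection
]


def backtrack(events, obj, t_max):
    """Return the events that could have influenced `obj` at or before t_max.

    Rule: an event into an object matters only if it happened no later than
    the time that object went on to influence something already relevant.
    The per-object threshold also guarantees termination on cyclic graphs
    (here sh -> wget -> /tmp/dl -> sh).
    """
    into = defaultdict(list)
    for ev in events:
        into[ev[2]].append(ev)
    threshold = {obj: t_max}   # latest time at which each object is relevant
    work = [obj]
    relevant = set()
    while work:
        cur = work.pop()
        for ev in into[cur]:
            t, src, _, _ = ev
            if t > threshold[cur]:
                continue                      # happened too late to matter
            relevant.add(ev)
            if threshold.get(src, -1) < t:    # widen src's window, revisit
                threshold[src] = t
                work.append(src)
    return sorted(relevant)


def entry_points(relevant):
    """Objects in the reduced graph that nothing else influenced."""
    sinks = {ev[2] for ev in relevant}
    return sorted({ev[1] for ev in relevant} - sinks)


if __name__ == "__main__":
    reduced = backtrack(EVENTS, "f:/etc/passwd", 7)
    print(f"{len(reduced)} of {len(EVENTS)} events kept; entry: {entry_points(reduced)}")
```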
Keywords/Search Tags: System, Computer, Algorithm, Intrusion, Network