Investigating Cyber-Crime (2013)
by
Eric E. Abrego
Operating Systems, Filenames and Extensions
OPERATING SYSTEMS, FILE-NAMES AND EXTENSIONS 2
This report examines some of the critical components of computer operating systems
and how those components may serve as evidence in a cyber-crime investigation.
Today it is common to see people across our global community using recent advances
in communications, software, hardware and cyber security. Social networking, personal
and business banking, work and entertainment have all become routine through this
technology.
Cell phones, laptops, the internet and other electronic devices are now the staple of
electronic transactions and of business and personal communications, including the
sharing of electronic documents, images, music and videos.
The internet and its related technology have brought clear benefits to our global
community; however, as technology advances, so do its negative aspects, as those with
criminal intent convert these beneficial attributes into something more insidious, such
as identity theft, hacking and child pornography.
As such, law enforcement and related technicians around the world work to prevent,
track and apprehend cyber-based criminals, meaning people who use computer
electronics to commit crimes. Those crimes can involve computer peripherals, such as a
printer used to produce counterfeit money. Not all computer crimes take place on the
internet; some take place on the computer itself.
For the cyber-based criminal there are cyber-based investigators, or law enforcement
personnel better known as computer forensic investigators. The “general tasks of these
investigators involve identifying digital information or artifacts that can be used as
evidence when working with electronic or digital evidence” (Nelson, Phillips, & Steuart,
2010). Those tasks include the “collection, preservation, and documentation of such
evidence”. Additionally, the “analyzation, identification, and organization of this form
of evidence” is critical to an investigation.
Here, this paper explores various elements of computer-based evidence: the difference
between a file header and a file-name extension, common file-name extensions used for
images and videos, file paths and why they are important to high-tech crime
investigators, and how operating systems keep track of several different file properties
for each data file, including the importance of the Date Modified versus Date Accessed
information.
What is the difference between a file header and a file name extension? Which is more
useful to an investigator (more reliable)?
According to White (2012), “file headers, or file names, and file-name extensions, or file
extensions, are two key components that make up the identity of a computer file”. The
file name lets “both the user of the file and the computer running it” identify it,
particularly when a user or the computer is searching for a given document, image,
video or music file. For investigators, “there are many possibilities for what the
information contained in a file header or file name extension can represent”.
White (2012) uses “file header” loosely, as another term for the file name: “a file header
or file name is the string of text before the dot in a file that describes the contents of
the file and can be made up of numbers, letters and other characters”. For instance,
because this paper is an electronic document, its file name is followed by .doc, as in
“Eric_Abrego-Unit 2–Assignment.doc”. The portion “Eric_Abrego-Unit 2–Assignment” is
the file name, while “.doc” identifies the type of file, an MS Word formatted document;
in other words, “.doc” is the file-name extension. Further, “if a file header or file name is
not locked, it can be renamed, since the purpose of a file header is to help identify a file
for the user”.
A computer forensics expert understands that the “file-name extension is the text
including and following the dot that indicates the file type”; in this instance it identifies
the file as a document file. “File-name extensions are most commonly three characters
long”, e.g. .avi, .jpg, .pdf. The operating system uses the extension to decide which
program opens the file and which icon represents it, which is why it is “generally not
advisable to change file-name extensions, since the computer relies on knowing or
recognizing which program to use to open the file and which icon to use to display the
file” (White, 2012). “Changing this part of the file can result in files that can no longer
be opened”; however, and to the benefit of the investigator, “altered file-name
extensions can also be changed back to their original format”.
In computer forensics, however, the term file header has a narrower and more useful
meaning: it is the first few bytes of the file’s content, a signature written by the program
that created the file. A JPEG image begins with the bytes FF D8 FF, a GIF with the text
GIF87a or GIF89a, a PDF with %PDF-, and a legacy MS Word .doc (an OLE2 compound
file) with D0 CF 11 E0 A1 B1 1A E1. This distinction answers the question of reliability.
The extension is only part of the name: a suspect can rename contraband.jpg to
notes.txt in seconds, and the operating system will then treat it as a text file. The header
travels with the content and is unchanged by renaming, so an investigator who
compares the two can detect files whose extension contradicts their true type. The
header is therefore the more reliable indicator, and the extension is at best a hint that
should be verified against it.
List five common file-name extensions used for images and videos.
Of the many file-name extensions, the following are common for images and videos.
Among the image formats, “JPEG” or .jpg (also written .jpeg) is the most “common
digital photo or graphics file format, and because JPEGs are compressed files, thus
making file sizes smaller; it makes this file type popular on the Internet”.
There is also the “Bitmap” format, with the file-name extension .bmp, representing
“Bitmap graphics”; though “common to paint programs”, photo images can be converted
to .bmp and are available in this format. Another is the GIF format, with the file-name
extension .gif. This “Graphics Interchange Format” “holds low-resolution graphics or an
animation”, commonly seen on web pages as spinning or glowing text or advertisements
with moving objects, such as a spinning planet, a barking dog or a person walking.
Among the video formats, “AVI” (.avi) stands for “Audio Video Interleaved (movie
files)”; it is a container format commonly associated with video shot with a cell phone’s
video capability or lower-quality digital cameras. The “Movie” format, file-name
extension .mov, is typical of the “QuickTime or Apple movie file formats”, while “MPEG”
is the “common movie file format that features file compression” (Knetzger and
Muraski, 2008), with the file-name extension .mpg; it is also more commonly used on
PCs than on Macs and on most websites that contain video. Each of these files, whatever
its extension, is stored somewhere on the disk, and that location is recorded as the file
path, discussed next.
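To make the header-versus-extension distinction concrete, and to cover the image and video formats just listed, here is an added example written for this edit (not code from the paper or from its sources). It compares what a file name claims with what the first bytes of the content say. The sample files are constructed byte strings, not real evidence; the signatures are the published magic numbers for each format, and the extension sets are an assumption about which names are acceptable for each header.

```python
"""Extension-versus-signature check on constructed sample files.

A file-name extension is only the text after the last dot and can be
renamed at will; the file header (the first bytes of the content) is
what the file actually is.  This script compares the two.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    kind: str                               # what the header says the file is
    extensions: Set[str]                    # extensions consistent with that header (assumed set)
    parts: Tuple[Tuple[int, bytes], ...]    # (offset, expected bytes) pairs, all must match


# Well-known file headers ("magic numbers").  Offsets are from the start of
# the content.  Two-part entries cover container formats such as RIFF, where
# the real type sits after a 4-byte length field.
SIGNATURES: List[Signature] = [
    Signature("JPEG image", {".jpg", ".jpeg"}, ((0, b"\xff\xd8\xff"),)),
    Signature("GIF image", {".gif"}, ((0, b"GIF87a"),)),
    Signature("GIF image", {".gif"}, ((0, b"GIF89a"),)),
    Signature("PNG image", {".png"}, ((0, b"\x89PNG\r\n\x1a\n"),)),
    Signature("PDF document", {".pdf"}, ((0, b"%PDF-"),)),
    Signature("OLE2 compound file (legacy .doc/.xls/.ppt)", {".doc", ".xls", ".ppt"},
              ((0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),)),
    Signature("ZIP container (.docx/.xlsx/.zip)", {".docx", ".xlsx", ".pptx", ".zip"},
              ((0, b"PK\x03\x04"),)),
    Signature("AVI video (RIFF)", {".avi"}, ((0, b"RIFF"), (8, b"AVI "))),
    Signature("QuickTime/ISO media (.mov/.mp4)", {".mov", ".mp4"}, ((4, b"ftyp"),)),
    Signature("QuickTime movie", {".mov"}, ((4, b"moov"),)),
    Signature("MPEG program stream", {".mpg", ".mpeg"}, ((0, b"\x00\x00\x01\xba"),)),
    Signature("MPEG video stream", {".mpg", ".mpeg"}, ((0, b"\x00\x00\x01\xb3"),)),
    # "BM" is only two bytes, so it is checked last to limit false matches.
    Signature("BMP image", {".bmp"}, ((0, b"BM"),)),
]


def identify_by_header(data: bytes) -> Optional[Signature]:
    """Return the first signature whose bytes all appear at their offsets, else None."""
    for sig in SIGNATURES:
        if all(data[off:off + len(expected)] == expected for off, expected in sig.parts):
            return sig
    return None


def check_file(name: str, data: bytes) -> Dict[str, str]:
    """Compare the extension (what the name claims) with the header (what the content is)."""
    ext = os.path.splitext(name)[1].lower()
    sig = identify_by_header(data)
    if sig is None:
        verdict = "unknown header"
    elif ext in sig.extensions:
        verdict = "match"
    else:
        verdict = "MISMATCH"
    return {"name": name, "extension": ext or "(none)",
            "header": sig.kind if sig else "(unrecognised)", "verdict": verdict}


# Constructed sample "files": a real header followed by filler bytes.
SAMPLES: Dict[str, bytes] = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "readme.txt":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,   # a JPEG renamed to hide it
    "homework.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
    "clip.avi":     b"RIFF\x00\x10\x00\x00AVI LIST" + b"\x00" * 32,
    "trailer.mov":  b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 32,
    "noise.bin":    b"\x01\x02\x03\x04" + b"\x00" * 32,
}


def scan(samples: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Run the check over every sample; in practice, over every file on the image."""
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in scan(SAMPLES):
        print(f"{row['name']:13} ext={row['extension']:6} header={row['header']:44} {row['verdict']}")
```

Run against a real disk image the same loop would read the first 16 bytes of every file; a "MISMATCH" row is not proof of wrongdoing, but it is exactly the file an investigator opens next, and the header (not the name) tells them which viewer to use.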
What is a file path and why is it important to high-tech crime investigators?
A file path can be described as a guide that identifies a starting point and the route to
an end point, a particular file, such as a saved homework document (“homework.doc”)
or a saved image for that homework (“homework.jpg”). Both of these files, with their
file-name extensions, are contained in a file path. More technically, “a file path is the
exact description of where on the disk drive a file exists” (Knetzger and Muraski, 2008).
As an example, assume there is a file called “Investigating Cyber Crimes.doc” on the C
drive, inside a folder called “Homework”. An investigator or user will understand that
“the Homework folder is on the first level, or root, of the C drive”, and as such “the
complete file path for this file would be as follows: C:\Homework\Investigating Cyber
Crimes.doc”.
The “backslash character (\) represents folder levels”; if “Investigating Cyber
Crimes.doc” were instead located in a subfolder named “Unit 2 Assignment”, and that
subfolder were located in the main folder named “Homework”, the complete file path
would be C:\Homework\Unit 2 Assignment\Investigating Cyber Crimes.doc. Note that a
path is written without spaces around the backslashes, and that on Windows the colon is
reserved for the drive letter and cannot appear in a folder or file name.
For the high-tech crime investigator, “documenting the exact file path of an evidence
file or contraband file is very important”, no different from documenting evidence at a
physical crime scene. Consider a gun found in the front room of a suspect’s house,
hidden under the right side of the couch cushion. As the reading material puts it, “it is
not enough to say the gun was in the front room”; a much better description is that the
gun was located under the right-side cushion of the couch in the northeast corner of the
front room on the first floor, and “that degree of specificity is every bit as important
with digital evidence files” (Knetzger and Muraski, 2008).
Knetzger and Muraski (2008) emphasize that understanding (computer) directory
structures is “vital to any first responder, especially when he or she must describe where
a piece of evidence is found on a computer”, further noting that in a cyber-crime
investigation “the first responder must be able to describe the exact file path where the
evidence resides on the suspect computer”. In practice that record should also include
the file’s size, its timestamps and a cryptographic hash of its contents, so that the file
produced later can be shown to be the one found at that path.
Operating systems keep track of several different file properties for each data file. List
the different file properties and discuss the importance of the Date Modified versus Date
Accessed information.
In the process of investigating cyber crime, or computer forensics, we understand that
because “the operating system saves file properties, such as the date and time files are
modified, created, or accessed”, this data contributes greatly to a cyber-crime
investigation. Beyond the name and extension, the properties an operating system
records for a file typically include its type, its location (the file path), its size and size on
disk, its owner, its attributes (such as read-only or hidden) and three timestamps:
created, modified and last accessed. For the investigator, the “operating system (OS)
file properties offers a means of tracking when files were created, modified or
deleted…and generally have a file last accessed date” (Knetzger and Muraski, 2008).
It is also important to note that the owning user name can often be identified, as well as
the “key distinctions between accessed and modified”: the term “accessed -merely
means the file was opened or examined, but no changes were made to it”, meaning that
it was not modified (Knetzger and Muraski, 2008). More importantly, “a forensic
investigator should take every precaution to never make changes to (modify) the crime
scene”; although “accessing the file is necessary to see what it is; technology crime
investigators must never modify a file”. Even accessing a file is not free of side effects:
opening it can update its last-accessed timestamp, which is why examination is done on
a write-blocked drive or a verified forensic image rather than on the original. The
last-accessed date is also the least dependable of the three timestamps, since many
systems update it rarely or not at all (Linux mounts with relatime by default, and NTFS
last-access updates can be disabled), so a Date Accessed value older than Date Modified
must not be read as proof that nobody opened the file after it was last changed.
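As an added example illustrating both the file-path discussion and the Date Modified versus Date Accessed distinction (editorial code, not the paper’s or its sources’), the following builds a throw-away folder tree mirroring the Homework\Unit 2 Assignment example, records what an investigator would document about the file (full path, size, SHA-256 and timestamps), then shows which of those values survive merely reading the file and which change when it is written to. The folder and file names and the sample content are constructed; the path_levels helper assumes Windows-style path notation.

```python
"""Document a digital-evidence file: exact path, hash and timestamps.

Builds a throw-away folder tree that mirrors the paper's example,
records what should be written down about the file before anything
else is done, and then shows which of those values change when the
file is merely read versus when it is modified.  Sample data only.
"""
import hashlib
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path, PureWindowsPath
from typing import Dict, Tuple


def path_levels(win_path: str) -> Dict[str, object]:
    """Split a Windows-style path into drive, folder levels (root first) and file name.

    Assumes Windows notation (drive letter, backslash separators), as in the paper.
    """
    p = PureWindowsPath(win_path)
    return {"drive": p.drive, "folders": list(p.parts[1:-1]), "file": p.name}


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large evidence files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evidence_record(path: Path) -> Dict[str, object]:
    """The properties an investigator documents for a file found at a given path."""
    st = path.stat()

    def iso(ts: float) -> str:
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "path": str(path.resolve()),       # exact location, root first
        "size": st.st_size,
        "sha256": sha256_of(path),         # proves the content is unchanged later
        "modified": iso(st.st_mtime),      # Date Modified: content last written
        "accessed": iso(st.st_atime),      # Date Accessed: last read; see note in text
        "changed": iso(st.st_ctime),       # POSIX: metadata change; Windows: creation
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object], Dict[str, object]]:
    """Record a constructed file, then read it, then modify it, recording each time."""
    with tempfile.TemporaryDirectory() as root:
        # Mirrors C:\Homework\Unit 2 Assignment\Investigating Cyber Crimes.doc
        evidence = Path(root, "Homework", "Unit 2 Assignment", "Investigating Cyber Crimes.doc")
        evidence.parent.mkdir(parents=True)
        # Constructed content: the OLE2 header a real .doc starts with, plus filler.
        evidence.write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed sample")

        before = evidence_record(evidence)

        time.sleep(0.05)
        evidence.read_bytes()              # "accessing": open and examine only
        after_read = evidence_record(evidence)

        time.sleep(0.05)
        with evidence.open("ab") as f:     # "modifying": what an investigator must never do
            f.write(b"!")
        after_write = evidence_record(evidence)

        return before, after_read, after_write


if __name__ == "__main__":
    print(path_levels(r"C:\Homework\Unit 2 Assignment\Investigating Cyber Crimes.doc"))
    for label, rec in zip(("before", "after read", "after write"), demo()):
        print(f"--- {label}")
        for key, value in rec.items():
            print(f"  {key:9} {value}")
```

Reading the file leaves the hash and Date Modified untouched; Date Accessed may or may not move, depending on the volume’s settings (relatime on Linux, the NTFS last-access update setting on Windows), which is exactly why it is the least trustworthy of the three. Appending a single byte changes the size, the hash and Date Modified, and that is what a documented hash taken beforehand would reveal.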
Among other avenues regarding file properties and data, cyber-crime investigators
understand that “ISPs [as well] may log the date, time, account user information, and
ANI (Automatic Number Identification), or [even the] caller’s line identification at the
time of connection” (NIJ, 2007). “If [ISP] logs are kept, they may be kept for a limited
time depending on the established policy of the ISP”; as such, “in the event that no
general legal requirement exists for log preservation or an ISP does not store logs that
are necessary for the investigation, preparing and submitting a preservation letter” is
recommended (NIJ, 2007).
CONCLUSION
In the battle to prevent cyber crime, investigators must understand the critical
components of computer operating systems and how those components may serve as
evidence in a cyber-crime investigation. The ability to successfully “rebuild
evidence or repeat a situation to verify that the results can be reproduced reliably is just
as important as collecting computers and processing a criminal or incident scene”
(Nelson, B., Phillips, A., & Steuart, C., 2010). The key here is that, these sorts of
“investigations must be done systematically and for the purposes of minimizing
confusion, reducing the risk of losing evidence, and avoiding damaging the evidence”.
REFERENCES
Knetzger, M., & Muraski, J. (2008). Investigating high-tech crime. Prentice Hall. ISBN 0131886835
Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to computer forensics and investigations (4th ed.). Belmont, CA: Cengage Learning. ISBN 9781435498839
NIJ (2007). Investigations involving the Internet and computer networks. National Institute of Justice. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/210798.pdf
White, M. (2012). Difference between a file header & a file name extension. eHow. Retrieved from http://www.ehow.com/info_8481151_difference-header-file-name-extension.html
Matrix Blue Free HD Wallpaper (2013). Retrieved from http://www.wallsave.com/wallpaper/1600x1200/matrix-blue-free-hd-204485.html
Eric Abrego © (2013) Abrego Group Legal Research