Signature Analysis in computer forensics and potential issues
The type of content in an investigation determines which tool or analysis method is chosen. For example, forensic investigations of text require different methods or tools than investigations of graphic images. Computer forensics can be a very time-consuming and daunting task. Automated methods can help reduce the time a search takes once its parameters have been narrowed and set. Signature analysis is one such automated method used in forensics. File signatures can reveal whether graphical files are what they purport to be. Different file types have different signatures, or file headers, that define the type of file; this is how computer programs recognize them. The International Standards Organization (ISO) has standardized thousands of file types. Users can attempt to hide data by altering files so that programs will not recognize the file type and will not be able to open the file. This can make the file appear broken to other users when that isn't the case. A signature analysis can determine whether this is occurring. A signature analysis classifies each file as one of the following:

Bad Signature – the extension exists in the file signature table but the header is incorrect and is not in the table.
Alias – the header is in the file signature table but the extension is incorrect, indicating the file extension has been changed.
Match – the extension and header match.
Unknown – neither the file extension nor the header is listed in the file signature table.
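The following is an added example, not code from the original article or from any tool it describes. It implements the four-way classification above with a small constructed signature table (the magic bytes used are the well-known public ones for each format), and runs it over a set of constructed sample files, one of which has had its extension changed and one of which carries a header that is not in the table.

```python
# Added example, not code from the original article: a minimal signature
# analysis that sorts files into the four categories described above by
# comparing each file's extension with the bytes at the start of its content.
# The signature table is a small constructed subset; production tools ship
# far larger tables.
from pathlib import Path, PurePath

# Constructed signature table: extension -> accepted leading byte sequences.
# The magic values are the well-known public ones for each format.
SIGNATURE_TABLE = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}


def extensions_for_header(data: bytes) -> list:
    """Return every table extension whose signature matches the leading bytes."""
    return sorted(ext for ext, sigs in SIGNATURE_TABLE.items()
                  if any(data.startswith(sig) for sig in sigs))


def classify(filename: str, data: bytes) -> str:
    """Classify one file as Match, Alias, Bad Signature or Unknown."""
    ext = PurePath(filename).suffix.lstrip(".").lower()
    ext_in_table = ext in SIGNATURE_TABLE
    header_exts = extensions_for_header(data)
    if ext_in_table and ext in header_exts:
        return "Match"            # extension and header agree
    if header_exts:
        return "Alias"            # header is known, extension was changed
    if ext_in_table:
        return "Bad Signature"    # extension is known, header is not in the table
    return "Unknown"              # neither extension nor header is in the table


def analyse(files: dict) -> dict:
    """Classify an in-memory {filename: leading bytes} mapping."""
    return {name: classify(name, data) for name, data in files.items()}


def analyse_directory(root: str, head: int = 16) -> dict:
    """Read only the first `head` bytes of every file under root and classify it."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                results[str(path)] = classify(path.name, fh.read(head))
    return results


# Constructed sample evidence: filename -> first bytes of the file.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",        # genuine PDF
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,     # PNG renamed to look like text
    "photo.jpg": b"This is plain text, not an image",    # claims JPEG, header is wrong
    "data.bin": b"\x00\x01\x02\x03\x04\x05\x06\x07",     # neither extension nor header known
}

if __name__ == "__main__":
    for name, verdict in analyse(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```

Only the leading bytes of each file are read, which is what makes signature analysis cheap enough to run across an entire image; the "Alias" verdict on notes.txt is the case the article describes, a file whose extension was changed so that programs no longer open it, while "Bad Signature" on photo.jpg catches the reverse situation of a known extension on content the table does not recognize.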
Signature Analysis and ERAD
One tool that can be used is software referred to as ERAD, which stands for Enterprise Response, Audit and Discovery. The tool's architecture is made up of three components: a SAFE server, an Examiner and a SERVLET. ERAD has been used in forensics nationwide and has also been used to present and analyze evidence in court trials. The software allows investigators to analyze digital media over Local Area Networks (LAN) or Wide Area Networks (WAN). This provides organizations with cost savings and speeds up the forensics process.
Network Intruders & Spoofing
One method an intruder might use to remain hidden on a corporate network is Internet Protocol (IP) spoofing, which allows them to impersonate another system with an IP address authorized for the network. If the intruder's true IP address can be identified when the intruder is detected on the network, the attack can be attributed to that address. Finding the true IP address can provide information on where an attack originated, and IP traceback technology can provide information on an attack packet's network path. Networks can be protected with firewalls, which control access based on IP addresses. Another method is implementing intrusion detection systems (IDS) to detect attacks on computer systems. An IDS can provide information that helps identify an attack packet's source through IP addresses.
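As an added example of the IP-address-based control the paragraph describes (not code from the original article), the check below runs over constructed firewall log lines and flags packets whose source address is impossible for the interface and direction they were seen on. The interface names, internal address ranges and log format are all assumptions made for the example.

```python
# Added example, not code from the original article: a defender-side
# anti-spoofing check in the spirit of the IP-address-based firewall control
# described above. Traffic entering on the external interface should never
# carry one of the organisation's own internal source addresses, and traffic
# leaving on it should never carry a foreign source address. The interface
# names, address ranges and log format are constructed assumptions.
import ipaddress

# Constructed assumptions about the network being protected.
EXTERNAL_IFACE = "eth0"
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse the constructed log format: '<timestamp> key=value key=value ...'."""
    timestamp, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    fields["ts"] = timestamp
    return fields


def find_spoofed(lines) -> list:
    """Return (timestamp, reason, source) for each packet that fails the check."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f["iface"] != EXTERNAL_IFACE:
            continue   # only the border interface is subject to the check
        if f["dir"] == "in" and is_internal(f["src"]):
            # an outside packet claiming an inside address
            hits.append((f["ts"], "ingress-spoof", f["src"]))
        elif f["dir"] == "out" and not is_internal(f["src"]):
            # an inside host sending with a foreign source address
            hits.append((f["ts"], "egress-spoof", f["src"]))
    return hits


# Constructed sample log; the public addresses are from the documentation ranges.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 iface=eth0 dir=in src=203.0.113.5 dst=10.0.0.25 proto=tcp",
    "2024-05-01T10:00:01 iface=eth0 dir=in src=10.0.0.7 dst=10.0.0.25 proto=tcp",
    "2024-05-01T10:00:02 iface=eth1 dir=in src=10.0.0.7 dst=10.0.0.25 proto=tcp",
    "2024-05-01T10:00:03 iface=eth0 dir=out src=198.51.100.9 dst=203.0.113.5 proto=udp",
    "2024-05-01T10:00:04 iface=eth0 dir=out src=10.0.0.25 dst=203.0.113.5 proto=tcp",
]

if __name__ == "__main__":
    for ts, reason, src in find_spoofed(SAMPLE_LOG):
        print(ts, reason, src)
```

The source address in an "ingress-spoof" hit is by definition not the sender's true address, which is why the article points to IP traceback and the packet's network path, rather than the source field alone, for attribution; the check is still useful because it stops the spoofed packet at the border and leaves a timestamped record for the IDS and the investigator.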