
Fast, Free, and Traceless Computer Forensics

Date: January 1, 2004
Read Time: 9 mins

(Accounting professor Conan C. Albrecht, Ph.D., teaches an ACFE course, "Advanced Computer-Aided Fraud Prevention & Detection," with W. Michael Kramer, J.D., CFE. Albrecht says one of the participants' favorite sections of the course is the discussion on the free computer forensic program, Knoppix. - ed.)

Sophisticated computer forensics programs could be a bit pricey for your examinations. Knoppix, a free offspring of the open-source Linux operating system, may be just what you need.  

Sam the fraud examiner receives a tip during a routine audit that John, a purchasing manager, has been taking bribes from a preferred customer. Sam needs to look on John's office computer but John has installed software that logs all system activities, and he regularly changes his password to prevent others from accessing his computer.

But Sam has a secret weapon. With permission from the company's legal counsel, he enters John's office one night after work, slips a CD into John's computer, and pushes the "on" button. Soon Sam is able to view and extract spreadsheets, database information, and email correspondence, and John will never know because Windows never boots. What's on that CD Sam put into John's computer? It's "Knoppix," a free forensic analysis tool that you can download from a Web site.

Recent large corporate frauds and ensuing legislation have pushed fraud examiners, accountants, and law enforcement to acquire computer forensic skills. The high price of sophisticated computer forensics programs can leave many professionals without sufficient tools to complete their work. Fortunately, the "open-source" community has provided many tools such as Knoppix that make complex forensic analysis possible at almost no cost.

The Knoppix software, when loaded into a CD drive, allows investigators to access suspect computers without leaving digital footprints. All files are accessed in read-only mode, bypassing most Windows passwords, and allowing unhindered access to suspects' systems. Also, Knoppix requires no installation and includes scores of forensic tools and applications that can be used to analyze a computer.

In the opening case, fraudster John's thoughtfully selected passwords are useless when Sam uses Knoppix because Windows never has a chance to prompt Sam for them. Even though Sam can read John's files, John's disk timestamps are not updated because the disk is accessed in read-only mode. Sam transfers the relevant files to his 512 MB USB keychain drive, shuts down John's computer and leaves. The entire process takes about two hours. Except for Sam's possible fingerprints, John's computer is exactly as it was when Sam entered the office.

Knoppix: Child of Linux  

As you may know, Linux (usually pronounced lih-nucks in English) is the Unix-like operating system created in 1991 by Linus Torvalds, a second-year student at the University of Helsinki. Torvalds created the open-source system so that, unlike the ubiquitous Windows, users can read the software code and contribute improvements. The system contains software developed during the last 30 years of computer programming. While Linux is quite different from Windows, it sports a modern, graphical user interface, a wide variety of programs, and many helpful "newbie" sites on the Web. The best part? Not only is Linux rock solid and rich with software, it is entirely free both in cost and in source. The Linux operating system (including most of its programs) is released under an open-source license, which allows you to use, copy, and distribute it freely.

Knoppix (pronounced with a hard "K") is a relatively new, self-booting distribution of Linux. While a Windows installation CD comes with just a few basic programs (Notepad, Paint, etc.), a Linux installation CD bundles thousands of programs, including several office suites and networking software such as Web browsers and email clients, and forensic utilities to search disks, clone drives, and view files.

Knoppix requires no installation; it automatically discovers devices and disks at boot time and runs entirely from the CD. To use it, you simply place the disc in a CD drive and press the "on" switch on your computer. When the computer senses the self-booting CD, it runs Knoppix directly without touching the hard drive, never leaves any digital tracks, and circumvents most password protection measures because Windows is essentially bypassed.

Knoppix was originally developed as a Linux advocacy tool and rescue disk but has matured to support a wide variety of uses. As of publication time, the Knoppix Web site lists 57 descendent projects, focusing on multimedia use, localization, and, most importantly, forensics. The "Knoppix STD" (security tools distribution) and the "Penguin Sleuth Kit" are self-booting CDs that focus on forensics, examination, and evidence collection.

To obtain Knoppix simply download the CD image onto any computer with a CD burner, make the CD, and reboot. The graphical Knoppix operating system will be up and running within five minutes. To return to Windows, shut down Knoppix, remove the CD, and reboot; Windows will never know Knoppix has run.

Tools of the Trade  

Knoppix programs can be grouped into two categories: traditional tools and full applications. The traditional Unix[1] tools, which are small and used for a single purpose, are accessed in Knoppix via the command line.

A full application such as "The Sleuth Kit" (formerly proprietary and known as "TASK"), combined with the "Autopsy" graphical front end, is an easy-to-use application that provides case management, image integrity, keyword searching, and other automated operations. The Sleuth Kit views regular and deleted files, performs bit-for-bit copies of disks, accesses low-level disk structures, provides a timeline of file activities, categorizes and sorts files, searches with regular expressions,[2] creates thumbnails of files, keeps notes, and generates reports. The Sleuth Kit is included in the Knoppix STD and Penguin Sleuth Kit CDs.

Knoppix also includes several office suites for word processing, spreadsheets, and presentations. The OpenOffice suite, accessible from the main Knoppix toolbar, opens the Word, PowerPoint, and Excel files on a suspect's computer. And again, because Knoppix mounts the hard drive in read-only mode, time stamps on files are not updated, and your activity in documents is not recorded.

Knoppix can directly run Windows programs such as QuickBooks. The distribution includes the "WINdows Emulator" ("Wine") and "Bochs." Many programs can run directly from the user's hard drive (again, in read-only mode) to provide native viewers for different files.

The Specifics  

Now that you are familiar with Knoppix and some of its investigative tools, let's see how these Knoppix programs can help you accomplish common forensic activities.

Preparing a Hard Drive  

Hard-drive preparation includes at least two activities: 1) creating a bit-for-bit clone and 2) calculating a checksum value. Bit-for-bit copying is a more rigorous copy process than regular copying: it clones regular files, deleted files, empty space, swap space, and all other information on a hard drive. Both The Sleuth Kit and the traditional "dd" command provide this functionality. A more advanced version of dd (included on the CD) clones a hard drive across the Internet to another computer, removing the need to connect a firewire or other local hard drive.

If only specific files are desired (rather than an entire drive), the "ftp" and "scp" programs allow copying to any computer on the Internet. Knoppix recognizes USB pen drives, CD burners, and disk drives. Examiners could even open the Mozilla Web browser, navigate to a Web-based email site such as Hotmail, and send the desired files to their mailboxes. For example, suppose you had evidence that leads you to believe someone has committed fraud in your entity. If your company policy allows, you could boot the person's computer after hours into Knoppix and clone their entire drive to a secure, offsite location. Using the "Evolution" email client, you could open their local email folders and review and/or copy all their emails, which allows you to look for co-conspirators or accomplices.

Two programs, "md5sum" and "sha1sum," calculate checksum hashes on individual files or entire hard drives. These algorithms, hardened and proven through years of use, use cryptographic techniques to provide assurance that data has not been modified during investigation. If the same number (called a hash) is achieved before and after analysis, then you are assured with mathematically robust algorithms that analysis didn't affect the data. You could use these tools in court to prove you didn't alter data during investigation.
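The two preparation steps above, the bit-for-bit clone with dd and the before-and-after checksums with md5sum and sha1sum, as an added example that is not from the article or the Knoppix project. To run without root or a real suspect disk, it builds a small constructed image file that stands in for /dev/hda; the file names, the "invoice" and "deleted" strings, and the 1 MiB size are all assumptions of this example. The image carries text outside any file, which a plain file copy would miss but a dd clone preserves.

```shell
#!/bin/sh
# Added example (not from the article): bit-for-bit clone plus hash verification.
# Everything below works on a constructed image file, never on a real device.

set -eu

WORK="${TMPDIR:-/tmp}/knoppix_demo.$$"

# Build a constructed 1 MiB "disk": random noise, one string where a live
# file might sit, and one string in unallocated space (a "deleted" fragment).
make_sample_image() {
    mkdir -p "$WORK"
    dd if=/dev/urandom of="$WORK/source.img" bs=1024 count=1024 2>/dev/null
    printf 'Invoice 4471 approved\n' \
        | dd of="$WORK/source.img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf 'DELETED: wire 25000 to ACME Ltd\n' \
        | dd of="$WORK/source.img" bs=1 seek=524288 conv=notrunc 2>/dev/null
    echo "$WORK/source.img"
}

# Step 1: clone with dd. On Knoppix $1 would be a block device (e.g. /dev/hda,
# left unmounted or mounted with "mount -o ro") and $2 an image on an external
# drive. conv=noerror,sync keeps reading past bad sectors and pads them so
# every offset in the clone still lines up with the source.
clone_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Step 2: checksum. Print the MD5 and SHA-1 digests, one per line.
hash_image() {
    md5sum "$1" | cut -d' ' -f1
    sha1sum "$1" | cut -d' ' -f1
}

# Whole workflow: hash the source, clone it, hash the clone, compare.
# Returns 0 only if both digests match, i.e. the clone is a faithful copy.
verify_clone() {
    src="$(make_sample_image)"
    dst="$WORK/clone.img"
    hash_image "$src" > "$WORK/before.txt"
    clone_image "$src" "$dst"
    hash_image "$dst" > "$WORK/after.txt"
    cmp -s "$WORK/before.txt" "$WORK/after.txt"
}

# Show that the clone carries data living outside any file: extract printable
# runs the way strings(1) does and count lines holding the "deleted" marker.
deleted_text_in_clone() {
    tr -c '[:print:]' '\n' < "$WORK/clone.img" | grep -c 'DELETED:'
}

cleanup() {
    rm -rf "$WORK"
}
```

Keep the two hash lines from before the clone with the case notes; rerunning hash_image on the image after analysis and comparing again is the check the article describes for showing that the examination changed nothing.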

Searching 'My Documents'  

Since the "My Documents" folder contains most of the data files on a Windows computer, many fraud examiners analyze this folder manually. Knoppix provides "Konqueror," a Windows-like file manager that contains type mappings to allow simple "double-click" opening of appropriate programs for many file types. "OpenOffice" is a Microsoft-Office clone that opens Word documents, Excel spreadsheets, and PowerPoint presentations. The "Gimp" is a powerful graphics editor that opens most graphics files, such as those downloaded from the Internet. "Mplayer" and several audio players open movies and music files. The distribution contains several Web browsers that read Internet Explorer's cache directory, which shows recent sites a user has visited. If all else fails, the "strings" command extracts readable text from any source, be it a binary file, partition, or disk.

Pattern Searching  

If your search in the My Documents folder didn't yield the data you were searching for, the next step would be a keyword search across the entire disk using a powerful pattern-recognition language referred to earlier as "regular expressions." Regular expressions are not hard to learn, and they provide significantly more searching power than typical keyword searches. The Sleuth Kit provides several functions to allow searching in different ways. At a more basic level, the "grep" command can be chained with "find," "strings," or other commands to powerfully search networks, hard drives, files, email caches, and swap partitions.
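Three of the command-line searches this section and the previous one describe, as an added example that is not from the article: a keyword search chained through find and grep, a regular-expression match over "unreadable" data after a strings-style extraction, and the "two names in the same paragraph" search that footnote 2 gives as its example. The evidence directory, the memo text, the account-number pattern, and the names are constructed for this example and are not taken from any real case.

```shell
#!/bin/sh
# Added example (not from the article): keyword and regular-expression
# searches of the kind run from the Knoppix command line. The "evidence"
# tree is constructed here so the script runs without a suspect disk.

set -eu

EVIDENCE="${TMPDIR:-/tmp}/knoppix_search.$$"

make_sample_tree() {
    mkdir -p "$EVIDENCE/My Documents" "$EVIDENCE/cache"
    cat > "$EVIDENCE/My Documents/memo.txt" <<'EOF'
Quarterly review notes.

Dan Smith confirmed the ACME contract. Betty Hansen asked that the
approval memo not be copied to audit.

Unrelated paragraph mentioning Betty Hansen alone.
EOF
    # A "binary" file: printable text wedged between non-text bytes, the way
    # a deleted document fragment in swap or slack space tends to look.
    { printf '\001\002\003'
      printf 'transfer 25000 to acct 77-431-9'
      printf '\000\377'; } > "$EVIDENCE/cache/blob.bin"
    printf 'nothing of interest here\n' > "$EVIDENCE/cache/note.txt"
}

# 1. Keyword search chained with find: list every file containing the
#    literal text in $1. grep -l prints only the file names.
files_mentioning() {
    find "$EVIDENCE" -type f -exec grep -l "$1" {} \; | sort
}

# 2. Regular expression over unreadable data: turn every non-printable byte
#    into a line break (a portable stand-in for strings(1)), then pull out
#    anything shaped like an account number: 2 digits, dash, 3 digits, dash, 1 digit.
account_numbers_in_binary() {
    tr -c '[:print:]' '\n' < "$1" | grep -Eo '[0-9]{2}-[0-9]{3}-[0-9]{1}'
}

# 3. Footnote 2's search: both names in the SAME paragraph. With RS="" awk
#    treats each blank-line-separated paragraph as one record, so both
#    patterns must match inside a single paragraph, not merely somewhere
#    in the file. Prints the number of qualifying paragraphs.
paragraphs_with_both() {
    awk 'BEGIN { RS = "" } /Dan Smith/ && /Betty Hansen/ { n++ } END { print n + 0 }' "$1"
}

cleanup() {
    rm -rf "$EVIDENCE"
}
```

Note the difference between searches 1 and 3: grep finds the memo because both names appear somewhere in it, while the awk paragraph search reports only the one paragraph in which the two names actually occur together, which is the kind of precision the article has in mind when it calls regular expressions more powerful than keyword searches.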

Password Cracking  

While grep and strings can find readable text in any file, native access to password-protected files (using QuickBooks or Word, for example) requires more advanced password cracking. Among other included tools, "John the Ripper" is an advanced password program that uses dictionary attacks in 20 languages, password hashes, and other methods to recover passwords from files.

What's the Catch?  

Because forensics computer tools can cost from $2,000 to $10,000, Knoppix might sound too good to be true. Knoppix does have some limitations and caveats.

You'll be on a steep learning curve when using the traditional tools such as dd, strings, and grep. While the distribution boots to a graphical, icon-oriented desktop, many of the tools have only a text-based interface. If you are serious about Knoppix, I suggest you purchase one of the many Linux books and learn more about its core operating system.

Knoppix cannot circumvent two specific types of passwords: BIOS passwords and encrypted files. BIOS passwords are kept in the motherboard of a computer and are required before the CD, hard drive, or any other device runs. The common circumvention of BIOS passwords is removing the motherboard battery or moving the hard drive to another machine. However, both of these techniques require modification of the machine and thus aren't traceless. Encrypted files are usually not a serious limitation because most applications, such as office suites, accounting programs, and graphics packages, use weak password systems and can be cracked using any number of methods. (Simply search the Internet for the type of file you need to open.) On the other hand, advanced encryption algorithms, such as "triple-DES" and "AES," have stood the test of time and are very difficult to crack. John the Ripper can crack poorly chosen passwords (such as birthdates, spouse names, etc.) in these algorithms, but a wisely chosen password is likely beyond the reach of most investigators. Fortunately, very few users encrypt files or disks; I've yet to investigate a system that used robust encryption methods with wisely chosen passwords.

Be Responsible and Ethical  

Obviously, you'll want to be responsible and ethical when using Knoppix. The assumption underlying Knoppix and other open-source software is that the majority of users worldwide are honest, upstanding members of the digital community, and providing free tools for them increases robustness, security, and cooperation.

The Knoppix CD, and its descendent forensics projects, are traceless, self-booting products that allow fraud examiners to investigate and analyze target computers without modifying the underlying systems in any way. Give Knoppix a try; it could be a good alternative.

Conan C. Albrecht, Ph.D., is assistant professor of information systems and Rollins Fellow at the Marriott School of Management at Brigham Young University in Provo, Utah, and is an ACFE faculty member.

  1. "Unix" is often used as an umbrella term to describe a group of similar operating systems, such as Solaris, Linux, AIX, and others. Unix has been in development and use since 1969, and thousands of programs and tools have been developed for it during the past three decades.
  2. The term "regular expressions" describes a pattern-matching language that supports text searching. Regular expressions are used throughout Unix programs, and savvy investigators can use them to search entire hard drives in powerful and expressive ways. (For example: find any file with the names "Dan Smith" and "Betty Hansen" in the same paragraph.)  

Here's How to Find Knoppix Info on the Web

Primary Knoppix Distribution (self-booting CD)
http://www.knoppix.net
Penguin Sleuth Kit (self-booting CD)
http://www.linux-forensics.com/
Knoppix STD (self-booting CD)
http://www.knoppix-std.org/
The Sleuth Kit
http://www.sleuthkit.org/
Information on Linux
http://www.linux.org/
Linux Newbies
http://www.linuxnewbie.org/
Mastering Regular Expressions (book)
http://www.oreilly.com/catalog/regex/ 
