Introduction to Computer Forensics
Known by many names: forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, computer examination
Intro to Computer Forensics
Computer Forensics is the process of methodically examining computer media for evidence
The collection, preservation, analysis, and presentation of computer-related evidence
Much more than the recovery of data
▪ The goal of recovering data is to retrieve lost data
▪ The goal of forensics is to retrieve AND interpret as much information about it as possible
Intro to Computer Forensics
Computer Crime
Computers can be involved in a wide variety of crimes
▪ murder, terrorism, counterintelligence, economic espionage, counterfeiting, drug trafficking, and sexual exploitation
▪ Other?
Intro to Computer Forensics
Computer Crime (cont.)
A computer can play one of three roles in a computer crime (sometimes combined)
▪ Target of the crime
▪ Instrument of the crime
▪ Evidence repository, storing information about the crime
Knowing what role a computer played in a computer crime will help tailor the analysis to that particular role
Intro to Computer Forensics
Computer Forensic Objective
To recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law.
Computer Forensic Priority
Primarily concerned with forensic procedures, rules of evidence, and legal processes
Secondarily concerned with computers
ACCURACY is the absolute priority
Intro to Computer Forensics
Computer Forensics Specialist
Must take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system
▪ Protect the subject computer during the forensic examination from any possible alteration, damage, or data corruption
▪ Discover all files on the subject system
▪ Recover all (or as much as possible) discovered deleted files
Intro to Computer Forensics
Computer Forensics Specialist
▪ Reveal the contents of hidden files as well as temporary or swap files
▪ Access (if possible and legally appropriate) the contents of protected or encrypted files
▪ Analyze all possibly relevant data found in special areas of a disk (unallocated space, slack space, HPA, etc.)
▪ Print out an overall analysis of the subject system
▪ Provide an opinion of the system layout, file structures, discovered data, attempts to hide or delete data, attempts to protect or encrypt data, and anything else relevant
Intro to Computer Forensics
Computer Forensics Specialist
▪ Provide expert consultation and/or testimony
Evidence Collection and Data Seizure
Why Collect Evidence
Electronic evidence can be very expensive to collect
Processes are strict and exhaustive
Systems affected may be unavailable for regular use for long periods of time
Analysis of data collected must be performed, which can take a very long time
Why Collect Evidence
Two reasons to collect evidence
Future Prevention
▪ If you don’t know what happened, you won’t be able to stop someone from doing it again
▪ Cost of collection may be high, but repeated compromise will almost certainly be higher
Why Collect Evidence
Two reasons to collect evidence (cont.)
Responsibility
▪ Two parties after an attack: attacker and victim
▪ Attacker is responsible for the damage done
  Only adequate evidence will prove the attacker’s actions and bring them to justice
▪ Victim is responsible to the community
  Information gathered after a compromise can be examined and used by others to prevent further attacks
  May also have a legal requirement to perform analysis, e.g. if the attack was part of a larger attack
Evidence Collection Options
Two options
Pull system from network and begin collecting evidence
▪ May leave you with insufficient evidence
▪ Dead man switch may destroy evidence once removed from the network
Leave system online and begin monitoring for the intruder
▪ May alert intruder, causing them to destroy evidence
▪ Potential liability if attacker launches further attacks from your network
Your decision must be based on the situation
Types of Evidence
Real evidence
Any evidence that speaks for itself without relying on anything else
Testimonial Evidence
Evidence supplied by a witness
▪ Subject to perceived reliability of the witness
Can be almost as powerful as real evidence
Hearsay
Evidence presented by a person who was not a direct witness
Generally inadmissible in court
Should be avoided
Rules of Evidence
Five rules of collecting electronic evidence
▪ Admissible
▪ Authentic
▪ Complete
▪ Reliable
▪ Believable
Rules of Evidence
Admissible
Most basic rule
Must be able to be used in court
Failure to comply with this rule is equivalent to not collecting the evidence at all
Rules of Evidence
Authentic
Must be able to show that evidence relates to the incident in a relevant way
If it can’t be positively related to the incident, it can’t be used
The integrity and chain of custody of the evidence must be intact
Rules of Evidence
Complete
Don’t just collect evidence that shows one perspective of the incident
▪ Collect evidence that can prove the attacker’s actions
▪ Collect evidence that could prove their innocence
▪ If attacker was logged in during incident, you must also show who else was logged in and why you think they didn’t do it
▪ This is called exculpatory evidence and is very important in proving a case
Rules of Evidence
Reliable
Evidence collection, examination, analysis, preservation and reporting procedures and tools must be able to replicate the same results over time
Evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity
Rules of Evidence
Believable
Evidence should be clearly understandable and believable to a jury
▪ No point presenting a binary dump of process memory if the jury has no idea what it means
▪ If evidence is presented in a formatted, human-understandable version, you must be able to show the relationship to the original binary evidence; otherwise the jury can be led to think the evidence was fabricated
Rules of Evidence
G8 Principles – Procedures Relating to Digital Evidence
When dealing with digital evidence, all general forensic and procedural principles must be applied.
Upon seizing digital evidence, actions taken should not change that evidence.
When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
Rules of Evidence
G8 Principles – Procedures Relating to Digital Evidence
All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved, and available for review.
An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Rules of Evidence
Do’s and Don’ts
Minimize handling
▪ Once a copy is made of the original data, DON’T TOUCH IT – only handle secondary copies
▪ Remove any avenues for change
Account for any changes & keep detailed logs
▪ Sometimes evidence alteration is unavoidable
▪ Document the nature, extent, and reasons for any changes
Rules of Evidence
Do’s and Don’ts (cont.)
Comply with the Five Rules of Evidence
▪ If you don’t follow them, you’re wasting your time
Do not exceed your knowledge
▪ If you don’t understand what you are doing, you can’t account for any changes you make and you can’t describe what exactly you did
▪ Acquire knowledge before you proceed!
Rules of Evidence
Do’s and Don’ts (cont.)
Follow your local security policy
▪ If you fail to comply with your local security policy, the evidence may be inadmissible
▪ You could also end up in trouble yourself
Capture as accurate an image of the system as possible
▪ Relates to minimizing the handling (corruption?) of the original data
▪ Differences between the original system and the master copy count as changes and must be accounted for
Rules of Evidence
Do’s and Don’ts (cont.)
Be prepared to testify
▪ Without the collector of the evidence being present to validate the documents created during the evidence collection process, the evidence becomes hearsay (i.e. inadmissible)
▪ If you aren’t willing to testify, stop before you start collecting evidence
▪ You will need to testify at multiple points in time – you must be able to replicate your actions to prove the same result
Rules of Evidence
Do’s and Don’ts (cont.)
Work fast
▪ The faster you work, the less likely the data is going to change
▪ Volatile evidence may vanish completely if not collected in time
▪ If multiple systems are involved, work on them in parallel
▪ Be methodical
Rules of Evidence
Do’s and Don’ts (cont.)
Proceed from volatile to persistent evidence
▪ Some electronic evidence is more volatile than other evidence
▪ Collect the most volatile evidence first
Don’t run any programs on the affected system
▪ Attacker may have left trojaned programs and libraries on the system
▪ What you think could be an innocent command, like “ipconfig”, may cause a system to destroy evidence
▪ If you MUST run a program on the affected system, use a known “good” copy of the program (e.g. from a cd-rom)
Rules of Evidence
Do’s and Don’ts (cont.)
Don’t shutdown before collecting evidence
▪ NEVER NEVER NEVER shutdown a system before you collect the evidence
▪ All volatile evidence will be lost
▪ Attacker may use startup/shutdown scripts to destroy evidence
▪ Temporary files may be wiped out
▪ REBOOTING IS EVEN WORSE! Never boot from the system drive again – only use copies!
Volatile Evidence
Not all evidence on a system will last very long
Some evidence resides in storage that requires constant power
Other evidence may be stored in information that is constantly changing
When collecting evidence, proceed from the most volatile to the least volatile
Volatile Evidence
To determine what evidence to collect first, prepare an order of volatility, e.g.
▪ Registers and cache
▪ Routing tables
▪ Arp cache
▪ Kernel statistics and modules
▪ Main memory
▪ Temporary system files
▪ Secondary memory
▪ Router configuration
▪ Network topology
4 Steps for Collecting and Analyzing Evidence
Identification of Evidence
Distinguish between evidence and junk data
Know what the data is, where it is located, and how it is stored
Preservation of Evidence
Preserve evidence as close as possible to its original state
Any changes made MUST be documented
4 Steps for Collecting and Analyzing Evidence
Analysis of Evidence
Extract the relevant information and recreate the chain of events
Requires in-depth knowledge of what you are looking for and how to find it
Ensure those analyzing the evidence are fully qualified
4 Steps for Collecting and Analyzing Evidence
Presentation of Evidence
Communicate the meaning of the evidence
Manner of presentation is very important
Must be understandable by a layman
▪ If a jury can’t understand the evidence, it is worthless
Must remain technically correct and credible
Collecting and Archiving
Once a plan of attack is developed and the desired evidence is identified, the collection process can begin
Storage of the collected evidence is also important – it can affect how the data is perceived
Collecting and Archiving
Logs and Logging
Run some type of system logging
▪ Keep logs secure
▪ Back up logs (a simple file copy should suffice)
▪ Create a HASH of the log files (MD5, SHA-1) to ensure integrity
▪ Encrypt the logs to ensure confidentiality
▪ Use a syslog server if possible
▪ Logs stored on a compromised system are at risk of being altered or destroyed by the attacker
Collecting and Archiving
Monitoring
Monitoring network traffic can be useful for many reasons
▪ Gather statistics
▪ Watch for irregular activity
▪ Trace where an attack came from and what the attacker is doing
Methods of Collection
Two basic forms of collection
Freezing the scene
▪ Take a snapshot of the system in its compromised state
▪ Ensure appropriate authorities are notified
Honeypotting
▪ Create a replica system to lure the attackers for further monitoring
▪ Sandboxing can be performed to limit what the attacker can do while still on the compromised system
Artifacts
Whenever a system is compromised, there is almost always something left behind by the attacker
▪ Code fragments
▪ Trojaned programs
▪ Running processes
▪ Log files
▪ Etc.
Collection Steps
Basic evidence collection steps
▪ Find the evidence
▪ Find the relevant data
▪ Create an order of volatility
▪ Remove external avenues of change
▪ Collect the evidence
▪ Document EVERYTHING
Controlling Contamination: The chain of custody
Once data is collected, it must be protected from contamination
Verified duplicates should be used for analysis
Never use original evidence for analysis
Keep a chain of custody
A detailed list of what was done with the original evidence, once it was collected
▪ Who found the data
▪ When and where it was transported and by whom
▪ Who had access to the data and what did they do with it
This will be questioned in legal proceedings
Duplication and Preservation of Digital Evidence
Computer Evidence
Computer evidence is odd, to say the least
Any information related to an incident in physical or binary (digital) form that may be used to support or prove the facts of an incident.
Exists on computer HDs and FDs at three different locations, two of which are not visible to the computer user
Such evidence is fragile and can be destroyed by something as simple as normal operation of the computer
Computer evidence is frequently challenged in court
Computer Evidence
Computer evidence (cont.)
Confusion exists over the legal classification
▪ Is it documentary evidence?
  Would require reams of printout under the best evidence rule
▪ Is it demonstrative evidence?
  Would require a true-to-life sample of the reconstructed evidence
The problem of establishing the expertise of computer forensics experts also exists
Computer Evidence
Three basic evidence rules to gain admissibility
Authentication
▪ Showing a true copy of the original
The best evidence rule
▪ Evidence that most closely matches the original or real evidence. This can be original media or it may be the most forensically sound copy of the data (a bit-stream copy) available
Exceptions to the hearsay rule
▪ When a confession or business or official records are involved
Computer Evidence Processing Steps
Computer evidence is fragile
Compounded by destructive programs and hidden data
Normal operations of a computer can destroy evidence
▪ unallocated space
▪ file slack
▪ swap files
▪ etc…
Computer Evidence Processing Steps
Every case is different and the investigator must apply flexibility to the approach taken
Some general guidelines can be used as a template for the investigator to follow
Computer Evidence Processing Steps
General guidelines
Collect volatile evidence first
▪ evidence that resides in volatile memory
Halt the computer
▪ Do NOT use the shutdown option in the OS
▪ Pull the plug from the wall
▪ This will prevent the OS from performing any cleanup tasks and shutdown scripts
▪ Be careful of whole disk encryption!
Computer Evidence Processing Steps
General guidelines (cont.)
Document the hardware configuration
▪ Before dismantling the computer, take pictures of the system from all angles to document how the computer is connected
▪ Label each wire
▪ Once the case is opened take more pictures from all angles (once the system is in a secure location)
▪ Document all components
▪ Include model numbers, serial numbers, burned-in addresses (MAC), etc.
Computer Evidence Processing Steps
General guidelines (cont.)
Transport the computer to a secure location
▪ Ensure that a chain of custody is established
▪ It is imperative that the subject computer is treated as evidence and stored out of reach of curious users
▪ Operating a seized computer will destroy evidence and violate the chain of custody
Computer Evidence Processing Steps
General guidelines (cont.)
Make a bit stream copy of the hard disk(s)
▪ Do not operate the computer to perform this step
▪ Do not perform any analysis on the original data
▪ Only perform analysis on the bit stream copy of the original data
Computer Evidence Processing Steps
General guidelines (cont.)
Mathematically authenticate data on all storage devices
▪ You must prove that the original evidence was not altered
▪ Generate one-way hashes of all storage devices
▪ MD5 – 128-bit digest
▪ SHA-1 – 160-bit digest
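An added example (not part of the lecture) showing the hashing step above, and equally the earlier advice to hash log files: digests are computed in chunks so a large image never has to fit in memory, written to a manifest, and then used to check that a bit-stream copy is identical to the original. The "image", its copies and the single flipped bit are constructed in a temporary directory; SHA-256 is added alongside the lecture's MD5 and SHA-1 because both older digests are collision-broken.

```python
"""Added example, not from the lecture: chunked MD5/SHA-1/SHA-256 digests of an
evidence file, a hash manifest, and verification of a bit-stream copy against it."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-GB image never has to fit in RAM
# The lecture lists MD5 and SHA-1; SHA-256 is added since both are collision-broken.
ALGOS = ("md5", "sha1", "sha256")


def digests(path, algos=ALGOS):
    """Return {algorithm: hex digest}, reading the file once for all algorithms."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(path, manifest_path):
    """Store one 'algo  hexdigest  filename' line per algorithm beside the evidence."""
    d = digests(path)
    with open(manifest_path, "w") as m:
        for name, hexd in d.items():
            m.write(f"{name}  {hexd}  {os.path.basename(path)}\n")
    return d


def verify_copy(manifest_path, copy_path):
    """Re-hash the copy with every algorithm in the manifest.
    Returns (all_match, {algo: (expected, actual)})."""
    expected = {}
    with open(manifest_path) as m:
        for line in m:
            name, hexd, _fname = line.split()
            expected[name] = hexd
    actual = digests(copy_path, algos=tuple(expected))
    report = {n: (expected[n], actual[n]) for n in expected}
    return all(e == a for e, a in report.values()), report


def demo():
    """Constructed scenario: an image, a faithful copy, and a copy with one flipped bit."""
    work = tempfile.mkdtemp()
    data = bytearray(os.urandom(3 * CHUNK + 123))  # not a chunk multiple on purpose
    paths = {n: os.path.join(work, n) for n in ("evidence.img", "good.img", "bad.img")}
    for n in ("evidence.img", "good.img"):
        with open(paths[n], "wb") as f:
            f.write(data)
    data[CHUNK + 7] ^= 0x01  # a single bit differs: every digest must change
    with open(paths["bad.img"], "wb") as f:
        f.write(data)
    manifest = paths["evidence.img"] + ".hashes"
    write_manifest(paths["evidence.img"], manifest)
    return verify_copy(manifest, paths["good.img"])[0], verify_copy(manifest, paths["bad.img"])[0]
```

`demo()` returns `(True, False)`: the faithful copy verifies, the copy with one changed bit fails on every algorithm.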
Computer Evidence Processing Steps
General guidelines (cont.)
Document the system date and time
▪ Dates and times associated with computer files are extremely important
▪ If the time is incorrect, then all file timestamps will be incorrect as well
▪ In order to account for time differences, it is essential to document system date and time at the time the computer is taken into evidence
Computer Evidence Processing Steps
General guidelines (cont.)
Make a list of key search words
▪ Due to the size of hard drives, it can be virtually impossible to manually view and evaluate all files
▪ Searching for specific keywords can be used to help find relevant evidence
▪ Usually some information is known about the allegations
▪ Avoid using common words
Computer Evidence Processing Steps
General guidelines (cont.)
Evaluate file slack
▪ File slack is a data storage area that most computer users are unaware of
▪ File slack is a significant source of security leakage
▪ File slack can be used by the computer to store the contents of memory dumps that occur as files are closed
▪ Specialized forensic tools are required to view and evaluate file slack
▪ Search file slack for keywords
Computer Evidence Processing Steps
General guidelines (cont.)
Evaluate unallocated space (erased files)
▪ Unallocated space may contain data associated with deleted files
▪ Search unallocated space for keywords
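An added example (not from the lecture) for the two keyword-search guidelines above: a raw image is searched byte by byte and each hit is labelled as allocated file data, file slack (allocated clusters beyond the file's logical size) or unallocated space. The 512-byte cluster size, the 8-cluster image and the single-entry allocation table are constructed for the demo; a real tool would read them from the file system metadata.

```python
"""Added example, not from the lecture: keyword search over a raw disk image that
reports whether each hit lies in allocated data, file slack or unallocated space.
Image contents, cluster size and the allocation table are constructed."""
import re

CLUSTER = 512
N_CLUSTERS = 8


def classify(offset, files, cluster=CLUSTER):
    """Map an absolute image offset to ('allocated'|'slack', name) or ('unallocated', None).
    files: list of (name, first_cluster, cluster_count, logical_size)."""
    for name, first, count, size in files:
        start = first * cluster
        end = start + count * cluster
        if start <= offset < end:
            return ("allocated", name) if offset - start < size else ("slack", name)
    return ("unallocated", None)


def keyword_search(image, keywords, files, cluster=CLUSTER):
    """Return [(keyword, offset, region, filename)] for every case-insensitive hit."""
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.IGNORECASE)
    hits = []
    for m in pattern.finditer(image):
        region, name = classify(m.start(), files, cluster)
        hits.append((m.group().decode(errors="replace").lower(), m.start(), region, name))
    return hits


def build_demo_image():
    """Constructed 8-cluster image: one 700-byte file in clusters 0-1, stale data
    left in its slack, and a deleted file's remains in unallocated cluster 5."""
    img = bytearray(b"\x00" * CLUSTER * N_CLUSTERS)
    body = b"Meeting notes: send the INVOICE to accounting by Friday."
    img[0:len(body)] = body                                  # allocated data of notes.txt
    stale = b"old cluster contents: password=hunter2"
    img[800:800 + len(stale)] = stale                        # past the 700-byte logical size: slack
    deleted = b"DELETED memo: move the wire transfer on Monday"
    img[5 * CLUSTER:5 * CLUSTER + len(deleted)] = deleted    # unallocated cluster
    files = [("notes.txt", 0, 2, 700)]
    return bytes(img), files


def demo():
    image, files = build_demo_image()
    return keyword_search(image, ["invoice", "password", "wire transfer"], files)


if __name__ == "__main__":
    for kw, off, region, name in demo():
        print(f"{kw!r:18} offset {off:5d}  {region:12} {name or '-'}")
```

As the lecture notes for compressed, encrypted and graphic files, a byte search like this only finds plain text; Windows artifacts also need UTF-16LE variants of each keyword, which this demo does not add.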
Computer Evidence Processing Steps
General guidelines (cont.)
Document filenames, dates, and times
▪ From an evidence standpoint, filenames, creation timestamps, and last modified timestamps are critical
▪ Catalog all allocated and erased files
▪ Files can be sorted by timestamp to establish a timeline of usage
  Can retrace an attacker’s actions based on what files were accessed and when
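An added example (not from the lecture) tying together the guideline above and the earlier one on documenting the system date and time: files are catalogued with their timestamps, the offset between the subject's clock and a trusted clock at seizure is applied, and the result is sorted into a usage timeline. The directory tree, the file times and the 90-minute clock skew are constructed; `catalog` would be run against a working copy, never the original media.

```python
"""Added example, not from the lecture: catalog files, correct their timestamps by the
clock offset documented at seizure, and sort them into a usage timeline."""
import os
import tempfile
from datetime import datetime, timedelta, timezone


def catalog(root):
    """Return [(relative_path, size, mtime, atime, ctime)] for every file under root.
    os.stat only reads metadata, but still run this against a working copy."""
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.stat(p, follow_symlinks=False)
            entries.append((os.path.relpath(p, root), st.st_size,
                            st.st_mtime, st.st_atime, st.st_ctime))
    return entries


def clock_offset(system_time_seen, reference_time):
    """Offset to ADD to subject timestamps: trusted clock minus the subject's clock,
    both recorded at the moment the machine was taken into evidence."""
    return reference_time - system_time_seen


def timeline(entries, offset, which="mtime"):
    """Sort entries by the chosen timestamp after applying the documented offset.
    Returns [(corrected_iso_utc, field, path)] oldest first."""
    idx = {"mtime": 2, "atime": 3, "ctime": 4}[which]
    rows = []
    for e in entries:
        raw = datetime.fromtimestamp(e[idx], tz=timezone.utc)
        rows.append(((raw + offset).isoformat(), which, e[0]))
    rows.sort()
    return rows


def demo():
    """Constructed case: three files with known mtimes; subject clock runs 90 min slow."""
    root = tempfile.mkdtemp()
    base = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    for name, minutes in [("notes.txt", 0), ("tool.exe", 45), ("log.txt", 10)]:
        p = os.path.join(root, name)
        with open(p, "wb"):
            pass
        t = (base + timedelta(minutes=minutes)).timestamp()
        os.utime(p, (t, t))  # set atime and mtime to the constructed values
    seen = datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc)  # subject clock at seizure
    ref = datetime(2024, 3, 1, 15, 30, tzinfo=timezone.utc)  # trusted clock at seizure
    return timeline(catalog(root), clock_offset(seen, ref))


if __name__ == "__main__":
    for row in demo():
        print(*row)
```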
Computer Evidence Processing Steps
General guidelines (cont.)
Identify file, program, and storage anomalies
▪ Encrypted, compressed, and graphic files (etc.) store data in binary format
▪ Text data stored in these formats cannot be identified by a text search program
▪ Manual evaluation is required
▪ Depending on the type of file involved, the contents should be viewed and evaluated as potential evidence
▪ Based on what files have been deleted on a system, you can potentially make inferences as to what the attacker is/was attempting to do
Computer Evidence Processing Steps
General guidelines (cont.)
Document your findings
▪ Document all actions you take
▪ Document all findings and evidence that are found
▪ Include proof of licensing for whatever forensic tool is used
▪ Use of pirated software will compromise an entire case
▪ Document the software and methods used to collect evidence
▪ A digital camera and digital recorder can be useful when documenting
▪ Document EVERYTHING!
Computer Evidence Processing Steps
General guidelines (cont.)
Retain copies of software used
▪ Keep a copy of the exact version of any software used to collect evidence
▪ Create a hash of any software used to collect evidence
▪ Different versions of software may produce different results
▪ You may be required to prove your results through duplication. Using the same version of the software used will aid in this