Post on 02-Jan-2016
Computer Forensics
Peter Caggiano
Outline
  My Background
  What is it?
  What can it do and not do?
  Goals
  Evidence
  Types of forensics
  Future problems
  How to enter the field
  Questions?
Background
  Stockton College: BS Computer Science, Minor in Mathematics
  The George Washington University: MS Computer Science
    Concentrations: Information Assurance, Computer Forensics
Work Experience
  PG Lewis & Associates: Corporate Forensics and Data Recovery
  Department of State: Computer Investigations and Forensics
  Nuclear Regulatory Commission: Office of the Inspector General
Computer Forensics
  Computer forensics is the discipline of acquiring, preserving, identifying and examining digital media.
  The application of computer science and mathematics to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence.
What Is Computer Forensics?
  Is often more of an art than a science.
  Follows clear, well-defined methodologies.
  Uses the same basic techniques as other forensics areas.
What Forensics Can Do
  High tech investigations
  Incident response
  Email recovery and analysis
  Document and file discovery
  Data collecting
    While still preserving MAC times
    Other volatile data
What Forensics Can Do
  Uncover and document evidence and leads
  Corroborate other evidence
  Assist in showing patterns of events
  Connect computers and people
  Reveal an end-to-end path of events leading to a compromise attempt, successful or not
  Extract data that may be hidden, deleted or otherwise not directly available
What Forensics Can’t Do
  Create evidence
  Tie the suspect to the incident (it can only tie the system or profile)
  Prove innocence or guilt
  Be instantaneous
Goals
  Details of the investigation will depend on the circumstances and goals, but the steps are always the same.
  Goals:
    Support law enforcement
    Determine the root cause of an event to prevent re-occurrence
    Reconstruct the series of events surrounding the incident
    Assist in more types of investigations than just digital
Evidence
  All forms of digital media: hard drives, CDs, floppy disks, USB drives, flash memory, tape drives, cameras, etc.
Evidence Categories Beyond Hard Drives
  Logs
    Managing devices
    Hosts/systems
    Servers
  Interviews
    Involved personnel
    Business and technical managers
  Device configuration files
  Network maps
  Event observation timelines
  Notes
    Meetings
    Passwords
  Response team notes and observations
Types of Forensics
  Traditional vs. Incident Response
Basic Methodology
  Identification
  Preparation
  Approach strategy
  Preservation
  Collection
  Examination
  Analysis
  Presentation
  Returning evidence
Traditional Forensics
  Referred to as ‘Dead’ Forensics
  Analysis done in a ‘Post Mortem’ state, after the system has lost power
  Two basic rules: Harm Nothing, Preserve Everything
Harm Nothing
  Writeblocker (hardware, firmware, software) preserves the integrity of the original evidence
  Work off a ‘Forensic Image’ of the original evidence, never the original evidence
  Don’t handle original evidence longer than it needs to be
Forensic Image
  An exact, bit-by-bit copy of a piece of media without altering the original data.
  Includes slack space, unallocated space, and hidden partitions.
  Preserves MAC times.
  An exact “snapshot” of the hard drive at that given time.
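An added example (not from the deck or any forensic product) of the acquisition discipline described above: the media is opened read-only, every byte is copied in fixed blocks, the media is hashed as it is read, and the finished image is re-hashed independently so the two digests can be recorded together. The sample media is a constructed temp file of random bytes; `acquire_image` and `verify_image` are names chosen here.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the media in 1 MiB blocks


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so multi-GB images never land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy every byte of `source` into `image`, hashing the media as it is read.

    The source is opened read-only; on a real drive a write blocker sits in
    front of it so even a buggy tool cannot alter the original."""
    h_src = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
            size += len(block)
    # Re-read the finished image independently: this proves the bytes on
    # disk equal the bytes read, not merely what was buffered in memory.
    img_hash = sha256_of_file(image)
    return {"source": source, "image": image, "size": size,
            "sha256_source": h_src.hexdigest(), "sha256_image": img_hash,
            "verified": h_src.hexdigest() == img_hash}


def verify_image(image: str, expected_sha256: str) -> bool:
    """Run before each analysis session: the working copy must still match
    the hash recorded at acquisition time."""
    return sha256_of_file(image) == expected_sha256


def demo() -> dict:
    """Constructed sample media (a temp file of random bytes), not a real drive."""
    d = tempfile.mkdtemp()
    media = os.path.join(d, "media.bin")
    with open(media, "wb") as f:
        f.write(os.urandom(2 * CHUNK + 12345))  # odd size: final block is short
    before = os.stat(media).st_mtime_ns
    rec = acquire_image(media, os.path.join(d, "media.dd"))
    rec["source_mtime_unchanged"] = os.stat(media).st_mtime_ns == before
    return rec
```

The two digests in the returned record are what goes into the acquisition notes; a mismatch means the image is not usable as evidence and the media must be re-acquired.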
Writeblockers
  Hardware
    Only true hardware writeblocker is the floppy tab
  Firmware
    Intermediate device between the evidence and the system
    Intercepts the write signal from the system and prevents any alteration of data
  Software
    Secure Linux environment
    Connecting file systems as ‘Read Only’ to the system
    HFS partition connected to a Windows system
Preserve Everything
  Contact system administrators; data can be on remote servers
  Image entire disks, not just volumes (physical vs. logical layer)
  Image all peripheral media
Common tools
  MacForensicsLab, FTK, EnCase, iLook, Pro Discover, many specialized tools
Incident Response
  Also known as Live Forensics
  Growing field because of the expanding role of networks
  Vital to preserve volatile data
  Unlike Traditional Forensics, original evidence must be altered: to retrieve the needed data, you must use the system in question
What Incident Response Can Do
  Show a path that the intruder took over the network
  Reveal intermediate intrusions
  Preserve data that would be lost during a Traditional Forensic investigation
  Create leads to expand the investigation
What Incident Response Can’t Do
  Solve the case alone; Traditional Forensics is still needed
  Tie the suspect to the attack (it can only tie the system)
  Create data that is not present
Collecting the evidence
  Information gathering: volatile memory and configurations
  Enumerating files or ambient data
    Compromised system
    Attack system
  Log entries in intermediate devices
What to look for
  Footprinting: files or ambient data on the attack computer, and log entries in intermediate devices
  Probing for weaknesses: files or ambient data on the attack computer; log entries in intermediate devices and on the compromised system
Tools
  Mostly open source tools
  Helix: live Linux environment and response suite
  Backtrack: network mapping and penetration (if needed)
  Custom batch and script files
Big Picture
Use all the data collected to tie all the events together in support of the overall investigation.
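An added example, not from the deck, of what "tie all the events together" looks like in practice for the sources named earlier (log entries on intermediate devices, host logs, and MAC times from the image): each source is parsed, its timestamps are normalised to UTC (the firewall here logs local time), and everything is merged into one ordered timeline that shows the path of events. All log lines, hosts and addresses are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from a real case. Each source keeps its own
# clock convention: the firewall logs local time (UTC-5), the host logs UTC.
FIREWALL_LOG = """\
2016-01-02 09:58:41 deny  src=10.9.9.9 dst=192.0.2.10 dport=22
2016-01-02 10:01:05 allow src=10.9.9.9 dst=192.0.2.10 dport=22
"""
FIREWALL_TZ = timezone(timedelta(hours=-5))

HOST_AUTH_LOG = """\
2016-01-02T15:01:07Z sshd: Accepted password for admin from 10.9.9.9
2016-01-02T15:03:22Z sudo: admin : COMMAND=/bin/cp /tmp/x /usr/local/bin/x
"""

# MAC times recovered from the forensic image (already UTC): (path, kind, time).
IMAGE_MAC_TIMES = [
    ("/usr/local/bin/x", "M", "2016-01-02T15:03:22Z"),
    ("/tmp/x", "C", "2016-01-02T15:02:58Z"),
]


def _utc(ts: str, fmt: str, tz: timezone) -> datetime:
    """Parse a timestamp in the source's own zone and convert it to UTC."""
    return datetime.strptime(ts, fmt).replace(tzinfo=tz).astimezone(timezone.utc)


def parse_firewall(text: str):
    for line in text.splitlines():
        m = re.match(r"(\S+ \S+) (\w+)\s+(.*)", line)
        yield _utc(m.group(1), "%Y-%m-%d %H:%M:%S", FIREWALL_TZ), "firewall", f"{m.group(2)} {m.group(3)}"


def parse_host(text: str):
    for line in text.splitlines():
        ts, _, msg = line.partition(" ")
        yield _utc(ts, "%Y-%m-%dT%H:%M:%SZ", timezone.utc), "host", msg


def parse_image(records):
    for path, kind, ts in records:
        yield _utc(ts, "%Y-%m-%dT%H:%M:%SZ", timezone.utc), "image", f"{kind}-time {path}"


def build_timeline() -> list:
    """Merge every source into one list of (utc_time, source, event), oldest first."""
    events = [*parse_firewall(FIREWALL_LOG), *parse_host(HOST_AUTH_LOG), *parse_image(IMAGE_MAC_TIMES)]
    return sorted(events)  # tuples sort on the UTC timestamp first
```

In the merged output the denied probe, the allowed connection, the login, the staging of /tmp/x and the copy into /usr/local/bin/x fall in order, which is the end-to-end path the deck refers to; without the zone conversion the firewall entries would sort five hours early.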
Future Problems
  Large data sets, steganography, cell phones, PDAs, encryption
How to enter the field
  Law Enforcement
    Mostly point and click
    Don’t always understand the technical side
  Technical
    Don’t understand the entire scope of the investigation
    Understand the ‘behind the scenes’ actions of the tools
Forensic Analyst Requires Knowledge of
  Computer hardware and software
  Operating systems
  File systems
  Special “Forensics” hardware and software
  Networks
  General technical support
Preparation from Stockton
  Technical support, programming, computer security basics, analytical approach, networks, sound fundamentals
Preparation from GW
  SFS Scholarship
  Hands-on forensic practical
  In-depth computer security
  Network security practices
  Hacking
SFS Scholarship
  www.sfs.opm.gov
  Roughly 15 schools nationwide
  Pays for up to 2 years of school
  Pays you to go to school
  NSA Center of Excellence: concentrate in all areas of computer security; not all centers are scholarship schools
  In return: 1 to 1, years of education to years of government employment
Questions?
Contact Information
Peter Caggiano 908.581.3630
caggiano.pa@gmail.com