ce 795 - digital forensics
TRANSCRIPT
CE 795 - Digital Forensics
Lecture 1 - 23 Shahrivar
Mehdi KharraziDepartment of Computer Engineering Sharif University of Technology
Acknowledgments: Lecture slides are from Advanced Digital Forensics and Data Reverse Engineering course thought by Zhiqiang Lin at University of Texas at Dallas. When slides are obtained from other sources, a a reference will be noted on the bottom of that slide. A full list of references is provided on the last slide.
Fall 1392 CE 795 -Lecture 1
Outline
• Overview • Course Goals • Course Style
• Course Content• Foundations• Techniques • Tools • Applications
• Course Policy
[Lin 11]
Fall 1392 CE 795 -Lecture 1
What is Digital Forensics
• Digital Forensics is a branch of forensic science (in relation to computer crime) focusing on the recovery and investigation of material (essentially data) found in digital devices
[Lin 11]
Fall 1392 CE 795 -Lecture 1
More broadly, what is Data Reverse Engineering
• Data reverse engineering deals with the problem of• What information is stored in a computer system • How this information can be extracted and used
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Course Goals
• The general goal is to introduce the current techniques of data reverse engineering used in both research and practice.
• Students will• Learn about latest research from the literature• Learn to use different tools• ....
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Course Style
• This course was originally taught in seminar-style. Each student will be expected to• Read the most recent papers• Present and lead the discussion on one topic • Write the summary on the topic of choosing
• What should we do here?
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Outline
• Overview • Course Goals • Course Style
• Course Content• Foundations• Techniques • Tools • Applications
• Course Policy
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Operating System
• Operating System• Manages the electronic device (e.g., computer, smart-phone)• Organizes data (especially memory)• Provides common services (API) for execution of various application
software
[Lin 11]
Fall 1392 CE 795 -Lecture 1
File System
• File system• Organizes data expected to be retained after a program terminates• Provides procedures (API) to store, retrieve and update data• Manages the available space on the device(s) which contain the file
system
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Compiler
• Transforms source code written in a programming language into object code.
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Outline
• Overview • Course Goals • Course Style
• Course Content• Foundations• Techniques • Tools • Applications
• Course Policy
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Data Structure Reverse Engineering
• Data Structure• Data in computer is usually structured• Program is used to process data• Data structure can be reverse engineered
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Data Structure Reverse Engineering
• Uncovering the syntax and semantics of the data structure.• Syntax
• Layout• Size• Offset
• Semantics• Meaning• Context
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Data Structure Reverse Engineering
• State of the art techniques:• REWARDS [NDSS’10]: Dynamic analysis • TIE [NDSS’11]: Static + Dynamic • HOWARD [NDSS’11]: Dynamic analysis
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Two types of data analysis
• Data exists in a computer system in two medias: Memory and Disk
• Memory Analysis• Analyzing data which is in volatile memory
• File Analysis• Analyzing data which is in persistent disk
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Outline
• Overview • Course Goals • Course Style
• Course Content• Foundations• Techniques • Tools • Applications
• Course Policy
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Memory Tools
• Graph based approach• Using road map to navigate data • Crash/gdb utility (Linux) [USENIX 2005] • LiveKD/WinDBG (Windows)• Volatility• KOP [CCS’09]
• Value-invariant based approach• Using constant value (or range) to look for data • Value-invariant [CCS’09]• ColdBoot [USENIX Security’07]• ...
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Disk Tools
• Sleuthkit http://www.sleuthkit.org/• foremost http://foremost.sf.net/, Linux based file carving program• FTimes http://ftimes.sourceforge.net/FTimes/index.shtml, a system baselining
and evidence collection tool• The Open Computer Forensics Architecture http://ocfa.sourceforge.net/• Scalpel http://www.digitalforensicssolutions.com/Scalpel/ Linux and Windows
file carving program originally based on foremost.
[Lin 11]
Fall 1392 CE 795 -Lecture 1
How to extract the analyzing data
• Memory• Crash Dumps• LiveKd Dumps• Hibernation Files• Virtual Machine Imaging• dd (/dev/mem or /dev/kmem), Win32dd • fmem, a kernel module (/dev/fmem)• ...
• Disk• Data is persistent. Directly fed to the analysis system
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Outline
• Overview • Course Goals • Course Style
• Course Content• Foundations• Techniques • Tools • Applications
• Course Policy
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Digital Forensics
• Recovering evidence from digital data to support or refute a hypothesis before a criminal court:• Computer forensics • Network forensics • Database forensics • Mobile device forensics
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Kernel Rootkit Defense
• Kernel level malware which hides kernel object and enables a continued privileged access
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Malware Analysis
• Malicious software• Consists of programming (code, scripts, active content, and other
software) designed to disrupt or deny operation• Gathers information that leads to loss of privacy or exploitation• Gains unauthorized access to system resources and other abusive
behavior
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Game Hacking/Cheating
• Modification of a platform’s system memory during game play, or modification of files that comprise a game, to achieve a desired effect during game play.• Building a bot• Manipulating memory • Operating a proxy• Map hacking [IEEE S&P 2011]
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Information Leakage in Cloud Computing
• Virtual machine shares the hardware, and data could be leaked from one VM to another.
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Program Analysis
• Data flow integrity [OSDI’06]• Value-invariant discovery (e.g., DAIKON)• Value-based profiler• Software-piracy detection using values [ICSE’11]
[Lin 11]
Details on the Course
27
Fall 1392 CE 795 -Lecture 1
Administrivia
• Website:• sharif.edu/~kharrazi/courses/40795-921/• You are expected to check the website regularly
• Mailing List• Register for it• Registration link will on the website
Fall 1392 CE 795 -Lecture 1
Administrivia
• Prerequisites• Computer networks• Data and network security
• Grading (tentatively)• 20% Class Participation• 15% Paper Presentation• 35% Homework• 30% Final
Fall 1392 CE 795 -Lecture 1
References
• Lot’s of research papers
30
Fall 1392 CE 795 -Lecture 1
Policies
• Late Homework• One day late will cost you 25%, two days 50%, and three days 75%.• No homework will be accepted after the third day.
• Cellphones• Please turn them off before entering class.
• Cheating and Copying• First time you are caught you will get a zero for the task at hand.• Second time you are caught you will fail the course.• Providing your assignment to someone else is considered cheating on
your behalf.
31
Fall 1392 CE 795 -Lecture 1
Summary
• Data is a critical aspect of computer system. Reverse Engineering of data is possible
• Reverse Engineered data has a wide impact on many applications
• Next Lecture• Overview of how a simple forensic investigation goes ...
[Lin 11]
Fall 1392 CE 795 -Lecture 1
Acknowledgments
• [Lin 11] CS 6V81-05, Advanced Digital Forensics and Data Reverse Engineering – Course Overview, Zhiqiang Lin, Department of Computer Science The University of Texas at Dallas, 2011