digital forensics i lecture overview -...

Digital Forensics I

CSCI 415: Computer and Network Security Dr. Nazli Hardy Adapted from Computer Forensics and Investigations, Nelson, Phillips, Enfinger, Stewart

Lecture Overview

Introduction

– Overview of the industry and resources

Assessing the Case

– Employee Termination Investigations

– Media Leak Investigations

– Industrial Espionage Investigations

Taking a Systematic Approach

Securing the Evidence

Network & Email Forensics

Digital Image Forensics

http://www.millersville.edu/

Digital Forensics I


Introduction

Real Life Case Studies

– Framed by a virus?

– The Nigerian connection

– Saved by Facebook

– A “hopeful” artist?

– Cracking Stuxnet, a 21st-century cyber weapon (TED video)


http://www.cbc.ca/technology/story/2009/11/09/tech-internet-virus-child-porn.html

http://www.truthdig.com/report/item/20091110_digital_dumping_the_global_e-cycling_scam/?ln

http://www.cnn.com/2009/CRIME/11/12/facebook.alibi/index.html?eref=rss_us

http://news-briefs.ew.com/2011/01/12/lawsuit-obama-hope-poster/

http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html





Digital Forensics I


Introduction: Digital Forensics

Computer Forensics: investigates data that can be retrieved from a

computer's hard disk or other storage media

Computer forensics investigators:

– focus on retrieving information from the computer and/ or its component

parts

• active, archival, latent

Network Forensics: yields information about how a perpetrator or an

attacker gained access to a network

Network forensics investigators:

– use log files to determine when users logged on, frequency, URLs

visited and for how long, how they logged on, from what location etc.


Digital Forensics I


Computer/ Network forensics specialists may be (and often are) the same

person - they may have a specialized function in investigative group

Hot career – why?

Types of cases in which digital forensics is employed …?

– Child Pornography:

– Civil Litigation http://www.computerworlduk.com/news/it-

business/18996/judge-orders-schools-to-stop-laptop-spying/

– And?



http://www.computerworlduk.com/news/it-business/18996/judge-orders-schools-to-stop-laptop-spying/
















Digital Forensics I


How is computer forensics different from normal data recovery?

– Inculpatory or

– Exculpatory



Digital Forensics I


Brief History

Relatively new field

Paradox of Computer/ Network/ Digital Forensics:

1970’s:

– electronic crimes – mainframe

– computer users were experts and only certain industries used

computers

– white-collared fraud – banking industry

• one half-cent crime


Digital Forensics I


Brief History

1970’s:

– The Federal Rules of Evidence controlled the use of digital evidence

• code of evidence law

1980s/ 1990s:

– Due to increasing number of cases involving digital evidence, the

Computer Analysis and Response Team (CART) was formed

• provides assistance to FBI field offices

Current Examples:

– CART teamed up with DoD’s Computer Forensics Laboratory (DCFI)

• the Philly Division

– SANS

– CERT @ CMU

– ISFCE


http://federalevidence.com/rules-of-evidence

http://www.fbi.gov/news/stories/2013/january/piecing-together-digital-evidence

http://www.fbi.gov/philadelphia/about-us/our-people-and-capabilities/people

http://digital-forensics.sans.org/

http://www.cert.org/digital-intelligence/

http://www.cert.org/digital-intelligence/

https://www.isfce.com/cert_body.htm

Digital Forensics I


Examples of Crimes Solved Using Forensics

Criminal Type of Crime Type of E-Evidence

Dennis Rader Serial killer Deleted files on a floppy disk used by

the criminal at his church’s computer

Lee Boyd Malvo, John Allen

Muhammad

Snipers Laptop computer found in the car,

that contained maps with icons

pinpointing shooting scenes

Lisa Montgomery Murder and fetus-

kidnapping

E-mail communication between the

victim and criminal—tracing an IP

address to a computer at criminal’s

home

Let’s not forget one of the most famous corporate cases that has involved a substantial amount of

computer forensics …..


http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=1065&issue_id=122006

http://investors.guidancesoftware.com/releasedetail.cfm?releaseid=218506

Digital Forensics I


Crimes Solved Using Forensics (Cont.)

Criminal Type of Crime Type of E-Evidence

Peter Chapman (Ashleigh Hall) FB/ Murder Used FB to arrange meeting

Scott Peterson Murder GPS data from his car and cell

phone; Internet history, currents, map

Robert Durall (“computer

expert”)

Murder Web browser history “Kill + Spouse,”

“Accident + Deaths.” “smothering”

Neil Entwistle Murder of wife and baby Web browser history “how to kill

people,” before the murders and

various escort services after the

murders

Alejandro Avila Rape and murder E-evidence of child pornography on

his computer

Zacarias Moussaoui Terrorism E-mail, files from his computers


http://www.seattleweekly.com/1998-09-23/news/arresting-the-web/



http://articles.cnn.com/2006-02-14/justice/entwistle.documents_1_joseph-matterazzo-escort-services-neil-entwistle?_s=PM:LAW

http://articles.cnn.com/2006-02-14/justice/entwistle.documents_1_joseph-matterazzo-escort-services-neil-entwistle?_s=PM:LAW

Digital Forensics I

Digital Forensic Software

Below are examples of some widely used digital forensic software

companies

EnCase from Guidance Software (~ $2,500 per user)

FTK from AccessData (~ $600 per user)

Digital Intelligence

Paraben

Passware

Further list of tools

List of free forensic tools


http://www.guidancesoftware.com/encase-forensic.htm



http://accessdata.com/products/digital-forensics/ftk

http://accessdata.com/products/digital-forensics/ftk

http://www.digitalintelligence.com/

http://www.paraben-forensics.com/

http://www.lostpassword.com/kit-forensic.htm

http://www.digitalintelligence.com/forensicsoftware.php

http://forensiccontrol.com/resources/free-software/

Digital Forensics I

Who Works on Digital Forensics Cases?

Governmental (NSA, CIA, FBI)

State/ Local

International (Interpol, MI5)

Examples of private security companies

– www.arcsight.com

– www.clearswift.com

– www.datasec.co.uk

– www.integralis.com

– www.forensics-intl.com

– www.pentasafe.com

– www.savvydata.com

– www.vestigeltd.com

– www.vogon-international.com

– www.vordel.com

– Money contingent on experience and success rate


http://www.arcsight.com/

http://www.clearswift.com/

http://www.datasec.co.uk/

http://www.integralis.com/

http://www.forensics-intl.com/



http://www.pentasafe.com/

http://www.savvydata.com/

http://www.vestigeltd.com/

http://www.vogon-international.com/



http://www.vordel.com/

Digital Forensics I

Some Certifications for Computer/ Digital Forensic Experts

Global Information Assurance Certification (GIAC )

Certified Forensics Analyst (CFA)

Certified Computer Forensics Examiner (CCFE) certification. The test

candidate must pass a multiple choice exam with a score of 70% or higher.

Encase Certified Examiner (EnCE) certification

Certified Information Systems Auditor (CISA)

The International Society of Forensic Computer Examiners’ Certified

Computer Examiner (CCE)


http://en.wikipedia.org/wiki/GIAC

http://en.wikipedia.org/w/index.php?title=GCFA&action=edit&redlink=1

http://www.iacertification.org/ccfe_certified_computer_forensics_examiner.html

http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm

http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx?utm_source=multiple&utm_medium=multiple&utm_content=friendly&utm_campaign=cisa

http://www.isfce.com/ccelist.htm

Digital Forensics I

Some Journals and References of Interest

Digital Forensics Magazine

Cyrptologia

International Journal of Digital Evidence

International Journal of Forensic Computer Science

International Journal of Digital Crime and Forensics

Journal of Digital Forensics, Security and Law

Journal of Digital Investigation

Journal of Digital Forensic Practice

Small Scale Digital Device Forensic Journal

The Journal of Applied Digital Forensics and eDiscovery


http://www.jdfsl.org/

Digital Forensics I

Conferences Related to Digital Forensics

American Academy of Forensic Science

Conference on Digital Forensics, Security and Law

Department of Defense CyberCrime Conference

Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)

EuSecWest

EuroForensics-Forensics Sciences Conference and Exhibition

Computer Security Foundations Symposium

International Conference on Security and Privacy in Communication Networks

USENIX Security Symposium

International Workshop on Security in Cloud Computing

DEF CON Hacking Conference


http://www.aafs.org/

http://www.digitalforensics-conference.org/

http://www.dodcybercrime.com/




http://www.dimva.org/

http://eusecwest.com/

http://eusecwest.com/

http://www.euroforensics.com/



http://csf2012.seas.harvard.edu/

http://securecomm.org/2012/show/home

http://static.usenix.org/event/sec12/

http://www.ece.iit.edu/~ubisec/workshop.htm

http://www.defcon.org/

Digital Forensics I


Forensics Investigation Methods

– Protect the suspect system

– Discover all files (text/ video/ audio/ pictures/ emails etc.)

– Recover deleted files

– Reveal contents of hidden files

– Access protected or encrypted files

– Use steganalysis to identify hidden data

– Analyze data in unallocated and slack space

– Print an analysis of the system

– Provide an opinion of the system layout

– Provide expert testimony or consultation

Methods used by investigators must achieve many of these objectives:


Digital Forensics I


Assessing the Case

Imagine that you are the Computer Forensics Specialist… before you start,

there are some things to consider

Situation: corporate employee abuse case, pornography, murder/ homicide/

suicide … take copious notes on…

– types of evidence

– operating systems

– locations of evidence

– descriptions of evidence

– antistatic bags, tapes, tags, labels

and ________________


Digital Forensics I



Digital Forensics I

Digital Crime Scene Investigation



Digital Forensics I


Typical Nature of Corporate Cases

Forensics experts are called in for several types of cases. Some common

examples are:

– Employee Termination Cases

– Media Leak Investigations

– Industrial Espionage Investigations

some other examples


http://www.vestigeltd.com/solutions/case-types

Digital Forensics I


Employee Termination Cases

majority of these involve the abuse of corporate assets

predominant in contributing to hostile work environment

– distributing emails/ pictures that are offensive

– examples at Brooklyn and MU

2 main types of Investigations:

– Internet abuse

– email/ IM/ text abuse


Digital Forensics I

Employee Termination Cases (see Lab 6)

Headers and IP addresses, are common sources of forensic investigations

What is a header?

To find email headers go to this link:

http://mail.google.com/support/bin/answer.py?hl=en&answer=22454

What is an IP address?

xxxx.xxxx.xxxx.xxxx

e.g. IP address for Millersville University is: 166.66.64.xxxx

To find your IP address or any IP address go to this link:

http://ip-lookup.net/

http://www.hostip.info/

http://whatismyipaddress.com/

cmd


http://mail.google.com/support/bin/answer.py?hl=en&answer=22454




http://www.hostip.info/

http://whatismyipaddress.com/

Digital Forensics I



Internet Abuse Investigations

Firstly – what constitutes ‘abuse’- you must be versed with the laws of your state and the corporate policies

As the forensics expert, you need the following, for starters:

– your analysis toolkit (ProDiscover, X-Ways Forensics, EnCase, FTK etc.)

– the organization’s Internet server logs (from the administrator)

– the suspect computer’s IP address (from the administrator)

– all the disk drives

– AND??


Digital Forensics I



Email/ IM/ Text Abuse Investigations

– most often include emails that are inappropriate, threats, harassments

– Detroit mayor: http://www.washingtonpost.com/wp-

dyn/content/article/2008/01/25/AR2008012503043.html

– Mike Matson: http://qctimes.com/news/local/mike-matson-under-

investigation-over-casino-related-email/article_28bcfbb0-22d1-11e2-

816f-0019bb2963f4.html?comment_form=true

As the forensics expert, you need the following:

– electronic copies of emails (header data)

– phone records for texts – what are you looking for here?

– email server logs – or the server that houses back ups

– .pst files (Outlook)

– company policies

– What else?


http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503043.html




http://qctimes.com/news/local/mike-matson-under-investigation-over-casino-related-email/article_28bcfbb0-22d1-11e2-816f-0019bb2963f4.html?comment_form=true























Digital Forensics I


Media Leak Cases

Why is the leaking of information a critical problem for many organizations?

examples:

– Holder article

– Citi analyst and FB leak

As the forensics expert, you need to do the following:


http://www.journalgazette.net/article/20121018/NEWS03/121019479/1066/NEWS03

http://www.heraldnet.com/article/20121027/BIZ/710279913



Digital Forensics I


Industrial Espionage

Involves either previously “trusted” employees or disgruntled employees or

seemingly ignorant employees.

– 60% of employees who leave or are fired from their jobs, steal (?) data

– Survey

– Coca-Cola example

These are most often treated as criminal investigations

As the forensics expert, you need to do the following:

– examine all email/ download records of suspects

– server logs

– print jobs

– related Internet newsgroups/ message boards for postings/ inquiries

– surveillance cameras

– phone records


http://usatoday30.usatoday.com/money/industries/food/2006-07-05-coke-info_x.htm




Digital Forensics I


Motives for Cybercrimes: the 5 W’s

Finding the motive - answering the 5 Ws helps in criminal investigations:

– Who?

– What?

– Where?

– When?

– Why?

Possible motives:

– Financial gain, including extortion and blackmail

– Cover up a crime

– Remove incriminating information or correspondence

– Steal goods or services without having to pay for them

– Industrial espionage

– Framing

– Pranksters?

– What else?


Digital Forensics I


The 3 C’s of E-Evidence – some guidelines

Care

Control

Chain of Custody

– These guidelines are more burdensome for easily altered digital data – e.g. e-

mail evidence; the investigator would have to establish the origin of the

message, the integrity of the system in which the message was transmitted, and

the chain of custody of the message

– E-evidence may be affected by magnetic forces, so they should not be placed in

a vehicle of truck that also contains electromagnetic equipment (similar to blood

needing to be kept at the proper temperature)

– The operations used to actually collect, copy, analyze, control, and present e-

evidence cannot modify the original item being studied in any manner

– Everyone who touches evidence can contaminate it – therefore a strict chain of

custody is essential in computer forensic investigations – each piece of original

evidence that is seized should have a chain of custody log associated with it


Digital Forensics I


Sample of Chain of Custody Form


Digital Forensics I


Establishing Chain of Custody

During an investigation, the following procedures should be followed to ensure the chain of custody:

1. A record or evidence log should be kept to show when all items of evidence, such as server logs, computers, hard drives, and disk, are received or seized and where they are located

2. If the items are released to auditors, authorities, or the court, those release dates should be recorded

3. Access to evidence should be restricted throughout the investigations and any subsequent proceedings

4. To preserve the chain of custody, the original hard disk should be placed in an evidence locker and appropriate notations should be made in the evidence log

5. All computer forensics should be performed in the mirror image copy (which should be write-protected) – never on the original


digital forensics i lecture overview -...

Documents