Digital Forensics: Worry about data loss

OWASP AppSec Washington DC 2009

Motashim Al Razi, OWASP member, [email protected]

The OWASP Foundation, http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.


Page 2

What is Digital Forensics?

• Branch of forensic science – uses the scientific method
• The preservation, recovery, analysis and reporting of digital artifacts, including information stored on:
  - Computer/laptop systems (hard drives)
  - Storage media (USBs, CDs, DVDs, cameras, etc.)
  - Mobile phones
  - Electronic documents
• Typically used reactively, moving toward proactive use
  - Reactive: court cases, incident response
  - Proactive: mobile app security audits, continuous forensic monitoring

Page 3

Storage Devices

There are 3 main types of storage devices used today:
1. Hard-disk drive (HDD) – contains spinning magnetic platters used to store non-volatile data.
2. Solid-state drive (SSD) – contains internal microchips for the purpose of storing non-volatile data.
3. NAND Flash memory – typically found in smart phones, USB thumb drives and other portable devices.
   - Not removable like a typical HDD or SSD
   - Very different characteristics from a standard HDD (limited write/erase cycles)
   - In a constant state of change (FTL, the flash translation layer, moves data between blocks on its own)

Page 4

Acquisition strategies

Forensic analysts can acquire or receive data in 3 different ways:
• Backup files
  - Backup files are provided by the "custodian". This could include backups made by corporate backup software, a PST file, an iTunes backup, etc.
• Logical acquisition
  - A copy of the file system is created (e.g. a tar.gz of /, or a recursive copy that preserves date/time stamps)
• Physical acquisition
  - Creates an exact digital replica of the storage medium
  - Can recover deleted data
  - This process requires specialized analysis tools and techniques
  - Drive management firmware may still affect acquisition (FTL, bad blocks, etc.)

Page 5

Image Verification

• Hash value – a calculated hex signature based on a set of data.
  - A hash value can be used to verify forensic image integrity. One slight change in the source causes an "avalanche" effect in the hash value.
  - In order to prove that two data sets are identical, their hash values must match.
  - In some instances hash values are not stable (NAND Flash), so a hash of the data as it is extracted is taken, but it won't necessarily match if the source is imaged again.
• Common hash techniques
  - md5 (128-bit value)
  - SHA-256 (256-bit value)
• md5 of "Andrew Hoog" = 9bdbad9aecd74fce6e6bb48ee18100b8


Page 8

How to acquire a forensic image

• If possible, connect the drive to a physical write blocker
  - This prevents any writes to the drive
  - There are software techniques, but they are not as effective
  - Generally impossible with NAND Flash devices
• Forensically acquire the device with software
  - Open source: dd, dcfldd and dc3dd
  - Free: FTK Imager and many others
  - Commercial: FTK, EnCase, etc.
• Perform verification of source and image with a hash signature and record it in the Chain of Custody.
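The hash-verification slide (Page 5) and the acquisition procedure on this slide, carried out end to end in an added Python example. This is not code from the slides or from any of the tools they name (dd, dcfldd, dc3dd, FTK, EnCase); it only imitates what those imagers do: read the source block by block, hash it as it is read, write a bit-for-bit image, re-hash the image and compare, then append a chain-of-custody record. The sample "drive" is a constructed file, and the function names, examiner label and paths are hypothetical. A known-answer check on a file holding "abc" stands in for the tool validation an examiner would do before relying on the hashes, and a single flipped bit in a copy of the image shows the avalanche effect the slides describe.

```python
"""Forensic image acquisition and verification (added example, not from the slides).

Imitates what dd/dcfldd/dc3dd do: read the source block by block, hash it as
it is read, write a bit-for-bit image, re-hash the image and compare, then
record the result for the chain of custody. Runs offline on a constructed
sample file; all names and paths are hypothetical.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # block size per read/write, like dd's bs=


def hash_stream(path):
    """Return (md5, sha256) hex digests of a file, read in CHUNK-sized blocks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source, image):
    """Copy every byte of source to image, hashing the source as it is read.

    Opening the source read-only only stops this process from writing to it;
    a hardware write blocker is the real safeguard the slides call for.
    """
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
    return {"bytes": size, "source_md5": md5.hexdigest(),
            "source_sha256": sha.hexdigest()}


def verify_image(image, acquisition):
    """Re-hash the written image and compare with the hashes taken from the source."""
    md5, sha = hash_stream(image)
    return (md5 == acquisition["source_md5"]
            and sha == acquisition["source_sha256"])


def differing_bits(hex_a, hex_b):
    """Number of bit positions where two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def custody_entry(acquisition, image, verified, examiner, log_path):
    """Append one chain-of-custody record (JSON lines) and return it."""
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "image": os.path.basename(image),
             "verified": verified, **acquisition}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def known_answer_check():
    """Tool validation: hash a file holding b"abc" and return the digests."""
    path = os.path.join(tempfile.mkdtemp(prefix="kat_"), "abc.bin")
    with open(path, "wb") as f:
        f.write(b"abc")
    return hash_stream(path)


def demo():
    """Acquire, verify and log a constructed 'drive', then show the avalanche effect."""
    workdir = tempfile.mkdtemp(prefix="forensic_demo_")
    source = os.path.join(workdir, "suspect_drive.raw")   # constructed sample media
    image = os.path.join(workdir, "suspect_drive.dd")
    # Fake partition header, a note sitting in "unallocated" space (which a
    # physical image still captures), then zero padding.
    with open(source, "wb") as f:
        f.write(b"FAKEFS\x00" * 512
                + b"draft memo from loan origination (unallocated)"
                + b"\x00" * 200_000)
    acq = acquire_image(source, image)
    ok = verify_image(image, acq)
    entry = custody_entry(acq, image, ok, "examiner-01 (placeholder)",
                          os.path.join(workdir, "custody.jsonl"))
    # Avalanche effect: flip a single bit in a copy of the image and re-hash.
    tampered = os.path.join(workdir, "tampered.dd")
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[100] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(data)
    t_md5, t_sha = hash_stream(tampered)
    return {"verified": ok, "bytes": acq["bytes"],
            "tamper_detected": not verify_image(tampered, acq),
            "md5_bits_changed": differing_bits(acq["source_md5"], t_md5),
            "sha256_bits_changed": differing_bits(acq["source_sha256"], t_sha),
            "custody": entry}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the verification result, the byte count, and how many digest bits changed after the one-bit flip (roughly half of them for both md5 and SHA-256, which is what makes a hash mismatch so clear-cut). Both digests are kept because the slides list both; in a real case the custody record would also carry the device serial, the write blocker used and the tool version, none of which a constructed file can supply.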

Page 9

Digital evidence

• What constitutes digital evidence?
  – Any information, whether subject to human intervention or not, that can be extracted from a computer.
  – Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
• Computer forensics examples
  – Recovering thousands of deleted emails
  – Performing an investigation post employment termination
  – Recovering evidence after formatting a hard drive
  – Performing an investigation after multiple users had taken over the system

Page 10

Reasons For Evidence

• Wide range of computer crimes and misuses
  – Non-business environment: evidence collected by federal, state and local authorities for crimes relating to:
    • Theft of trade secrets
    • Fraud
    • Extortion
    • Industrial espionage
    • Possession of pornography
    • SPAM investigations
    • Virus/Trojan distribution
    • Homicide investigations
    • Intellectual property breaches
    • Unauthorized use of personal information
    • Forgery
    • Perjury

Page 11

Reasons For Evidence (cont)

• Computer-related crime and violations include a range of activities, including:
  – Business environment:
    • Theft or destruction of intellectual property
    • Unauthorized activity
    • Tracking internet browsing habits
    • Reconstructing events
    • Inferring intentions
    • Selling company bandwidth
    • Wrongful dismissal claims
    • Sexual harassment
    • Software piracy

Page 12

Who Uses Computer Forensics?

• Criminal prosecutors
  – Rely on evidence obtained from a computer to prosecute suspects and use as evidence
• Civil litigation
  – Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
• Insurance companies and the banking sector
  – Evidence discovered on a computer can be used to mitigate costs (fraud, worker's compensation, arson, etc.)
  – When an entity is compromised and cardholder data (CHD) has been stolen, the entity must be investigated by an authorized forensic company (commonly referred to as a QIRA or QFI)
• Private corporations
  – Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
• Law enforcement officials
  – Rely on computer forensics to back up search warrants and post-seizure handling
• Individuals/private citizens
  – Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

Page 13

How do computer forensics relate to law enforcement?

Parties shown in the slide's diagram, in the order they appear:

• Controller
• Detection centre
• Cyber police
• Computer forensics lab
• Magistrate court for a civil offence, and high court for a criminal offence

Page 14

Case Study

Banking Industry Executive-Level Financial Fraud – Case Study – Digital Forensics

Case type – Internal corporate fraud

Environment – Complex multi-location network and desktop computer forensics

Industry – Banking

Page 15

Scenario:

A large accounting firm was hired to audit certain activities related to loans to individuals on the Board of Directors of a medium-size, publicly traded bank (the "Bank"). During the audit, the auditors needed to examine several computer systems used by certain Bank employees as well as by certain Board members. Digital forensic examiners were immediately dispatched to arrange for the forensic analysis of the computer systems and to search for corroborating evidence in support of the audit team's suspicions and findings. The systems the analysts forensically analyzed included laptop computers issued to managers in the loan origination department and desktop systems used by managers and Board members. Email (Exchange) servers as well as voicemail systems were also examined.

Page 16

Existing law for digital forensics in Bangladesh

There are specific provisions in the ICT Act 2006:
• Chapter 8, Part 2, Section 68: Cyber tribunal – implementation, criminal investigation, trial, appeal, etc.
• Part 3, Section 82: Cyber Appeal tribunal.

Page 17

International Guidelines

• National Institute of Standards and Technology – NIST (US)
• Association of Chief Police Officers – ACPO (UK)
• Digital forensics is a major part of IS auditing.

Page 18

Summary & Conclusion