TRANSCRIPT
Computer Forensics (Digital Forensics)
SUMMER BRIDGE PROGRAM
DR. HWAJUNG LEE, DR. ASHLEY PODHRADSKY
Image Source: thecomputerforensics.info
DAY ONE
Who am I?
Dr. Hwajung Lee
› Associate Professor in the Department of Information Technology at Radford University
› Email: [email protected]
Image Source: computerforensicsinfo.org
Sa-rang and Coco
Who is your TA?
Ms. Eileen Hindmon
› in the Department of Information Technology at Radford University
Image Source: racktopsystems.com
Our Plan for This Week
DAY ONE (Monday)
› Lecture and TWO activities
  Activity One: Who are you?
  Activity Two: Digital Forensic Cases
DAY TWO (Tuesday)
› Lecture and ONE activity
  Activity Three: Acquiring an Image of Evidence Media and Recovering a Deleted File
DAY THREE (Wednesday)
› Lecture and TWO activities
  Activity Four: Cookies and Grabbing Passwords with Wireshark
  Activity Five: Encryptor and Decryptor
DAY FOUR (Thursday)
  Activity Six: Writing a wrap-up report
  Activity Seven: Preparing the Friday Presentation
DAY FIVE (Friday)
  Presentation in the closing session
Summer Bridge Program at Radford University
Activity ONE: Who are you?
Image Source: newenglandcomputerforensics.com
Activity ONE: Who are you?
› What is your name?
› What is your school?
› What is your favorite indoor/outdoor activity?
› What is your favorite time of day/day of the week/month of the year? Why?
› When you have 2 hours of free time, how do you pass the time?
› What do you expect from this class and the Summer Bridge Program?
› Anything else?
Image Source: newenglandcomputerforensics.com
This week, we will talk about…
› What is computer forensics?
› Computer forensics in the news
› When is computer forensics used?
› History of computer forensics
› Describe how to prepare for computer investigations
› Computer forensics examples: AccessData FTK Imager, Wireshark, Encryptor & Decryptor
Image Source: e-crimebureau.com
Forensic
Adj. - “of, relating to, or used in courts of law or public debate or argument”
› From the Latin term forensis (forum)
Computer Forensics - Exceedingly poor English expression which uses the noun computer as an adjective to modify the adjective forensic as a noun
Digital Forensics – still a poor English expression
I think “Forensic IT” is a better expression
Source: class note by Rob Guess
Understanding Computer Forensics (1)
Computer forensics
› Involves obtaining and analyzing digital information
› Investigates data that can be retrieved from a computer’s hard disk or other storage media, including the tasks of recovering data that users have hidden or deleted and using it as evidence. Evidence can be inculpatory (“incriminating”) or exculpatory
Image Source: en.wikipedia.org
Understanding Computer Forensics (2)
Types of Evidence
› Exculpatory - proves innocence
› Inculpatory - proves guilt
› Tampering - proves malfeasance or mishandling
Source: class note by Rob Guess
Understanding Computer Forensics (3)
Related Fields
› Network forensics
  Yields information about how a perpetrator or an attacker gained access to a network
› Data recovery
  Recovers information that was deleted by mistake or intentionally
  Typically you know what you’re looking for
› Disaster recovery
  Uses computer forensics techniques to retrieve information that clients have lost due to natural or man-made disaster
Computer Crime
Computer as an Instrument of Crime
› Remote system penetration
› Instrument of fraud
› Used to deliver threats / harassment
› DoS attacks
Computer as a Victim of a Crime
› System compromise
Repository of Evidence Incidental to Crime
› Contraband items
› Electronic discovery in civil litigation
Source: class note by Rob Guess
The Importance of Being Digital
› People live and work in increasingly digital modes
› Nearly every crime now involves some form of digital evidence
› 3~4% of people will commit a crime given the opportunity
› Internet-based crime presents a lower overall risk to the offender when compared to “real world” crime
› This naturally encourages criminals to adopt digital modes
Source: class note by Rob Guess
Digital Evidence
Name some examples of digital evidence
› ________________________
› ________________________
› ________________________
› ________________________
Source: class note by Rob Guess
Image Source: nacvaquickread.wordpress.com
Sources of Digital Evidence
Open Computer Systems
› PCs, servers, etc.
Communication Systems
› Telecommunications systems
› Transient network (content) data
› Non-transient (log) data
Embedded Computer Systems
› PDAs, cell phones, iPods, iPhone, etc.
Source: class note by Rob Guess
Crimes Involving Digital Evidence
› Traditional crimes
› Theft of trade secrets
› Harassment
› Intrusion events
› Malicious code
› Child pornography
› Inappropriate use
› Others?
Source: class note by Rob Guess
Activity TWO: Digital Forensic Cases (1)
BTK Killer
› http://precisioncomputerinvestigations.wordpress.com/2010/04/14/how-computer-forensics-solved-the-btk-killer-case/
Michael Jackson
› http://www.dfinews.com/news/michael-jackson-death-trial-showcases-iphone-forensics
Caylee Anthony
› http://www.christianpost.com/news/casey-anthony-trial-computer-expert-unearths-chloroform-internet-searches-50980/
Activity TWO: Digital Forensic Cases (2)
The Dangers of the Internet
› http://precisioncomputerinvestigations.wordpress.com/2010/04/13/the-dangers-of-the-internet/
Facebook and Skype Forensics
› Findings of a Facebook Forensic Analysis
  http://precisioncomputerinvestigations.wordpress.com/2010/03/09/findings-of-a-facebook-analysis/
› Chat History
  http://precisioncomputerinvestigations.wordpress.com/tag/skype-forensics/
Activity TWO: Digital Forensic Cases (3)
What Computer Forensics Can Do For You
› http://precisioncomputerinvestigations.wordpress.com/2010/04/08/what-computer-forensics-can-do-for-you/
Corporate Fraud – A Case Study
› http://precisioncomputerinvestigations.wordpress.com/2010/03/29/corporate-fraud-a-case-study/
Corporate Investigation – A Case Study
› http://precisioncomputerinvestigations.wordpress.com/2010/03/24/corporate-investigation-a-case-study/
DAY TWO
Origins of Forensic Science
› 700 AD Chinese use fingerprints for ID
› 1248 AD First recorded application of medical knowledge to the solution of crime - the Chinese text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation
Source: class note by Rob Guess
Image Source: thecomputerforensics.info
Eugène François Vidocq
› Outlaw son of a baker
› In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)
› Introduced record keeping, ballistics, plaster casts for footprint analysis, etc.
› Founded the first modern detective agency and credit bureau
Source: class note by Rob Guess
Alphonse Bertillon (1853~1914)
› French law officer
› Anthropometry/Bertillonage - early system of biometrics using measurements of body parts to ID perpetrators / victims
› Introduced use of crime scene photography and mug shots
Source: class note by Rob Guess
Image Source: http://www.britannica.com/EBchecked/topic/62827/Alphonse-Bertillon
Edmond Locard
› Student of Bertillon
› Professor of forensic medicine at the University of Lyons
› Established the first crime laboratory
› Developed edgeoscopy and poreoscopy
  Standard 12 points to ID a fingerprint
› Developed forensic microscopy
Source: class note by Rob Guess
Edgeoscopy and Poreoscopy
› The figure below shows a high-resolution fingerprint image and images highlighting the pores, ridge contours, and edgeoscopic points.
[Figure panels: Input, Pores, Ridge contours, Edgeoscopic points]
Source: http://sourceforge.net/apps/mediawiki/level3tk/index.php?title=Main_Page
Microscopy
› the technical field of using microscopes to view samples and objects that cannot be seen with the unaided eye (objects that are not within the resolution range of the normal eye).
Source: http://en.wikipedia.org/wiki/Microscopy
A Brief History of Computer Forensics (1)
› 1970s, electronic crimes were increasing, especially in the financial sector
› Most law enforcement officers didn’t know enough about computers to ask the right questions
  Or to preserve evidence for trial
› Fraction-of-a-penny crime
A Brief History of Computer Forensics (2)
1980s
› Norton DiskEdit soon followed
  And became the best tool for finding deleted files
› Apple produced the Mac SE
  A Macintosh with an external EasyDrive hard disk with 60 MB of storage
A Brief History of Computer Forensics (3)
Since 1990s
› Tools for computer forensics were available
› International Association of Computer Investigative Specialists (IACIS) www.iacis.com
  Training on software for forensics investigations
› ExpertWitness for the Macintosh
  First commercial GUI software for computer forensics
  Created by ASR Data (www.asrdata.com)
Portable Forensic Tools
Image Source: atp-p51.com
Understanding Case Law
› Technology is evolving at an exponential pace
› Existing laws and statutes can’t keep up with change
› Case law is used when statutes or regulations don’t exist
› Case law allows legal counsel to use previous cases similar to the current one
  Because the laws don’t yet exist
› Each case is evaluated on its own merit and issues
Preparing for Computer Investigations
Computer investigations and forensics fall into two distinct categories
› Public investigations
› Private or corporate investigations
Public investigations
› Involve government agencies responsible for criminal investigations and prosecution
› Organizations must observe legal guidelines
› Law of search and seizure
  Protects rights of all people, including suspects
Preparing for Computer Investigations
Private or corporate investigations
› Deal with private companies, non-law-enforcement government agencies, and lawyers
› Aren’t governed directly by criminal law or Fourth Amendment issues
› Governed by internal policies that define expected employee behavior and conduct in the workplace
› Private corporate investigations also involve litigation disputes
› Investigations are usually conducted in civil cases
Understanding Corporate Investigations
Private or corporate investigations
› Involve private companies and lawyers who address company policy violations and litigation disputes
Corporate computer crimes can involve:
› E-mail harassment
› Falsification of data
› Gender and age discrimination
› Embezzlement
› Sabotage
› Industrial espionage
Understanding Corporate Investigations
Establishing company policies
› One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
› Published company policies provide a line of authority for a business to conduct internal investigations
› Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation
Displaying warning banners
› Another way to avoid litigation
Maintaining Professional Conduct
› Professional conduct determines your credibility
  Includes ethics, morals, and standards of behavior
› Maintaining objectivity means you must form and sustain unbiased opinions of your cases
› Maintain an investigation’s credibility by keeping the case confidential
  In the corporate environment, confidentiality is critical
  In rare instances, your corporate case might become a criminal case as serious as murder
Maintaining Professional Conduct
› The role of the computer forensics professional is to gather evidence
  Forensic investigators are not police officers; it is our duty to show what happened, not to prove guilt or innocence.
› Collect evidence that can be offered in court or at a corporate inquiry
  Investigate the suspect’s computer
  Preserve the evidence on a different computer
› Chain of custody
  The route the evidence takes from the time you find it until the case is closed or goes to court
Taking a Systematic Approach
Steps for problem solving
› Make an initial assessment about the type of case you are investigating
› Determine the resources you need
› Obtain and copy an evidence disk drive
› Identify the risks
› Mitigate or minimize the risks
› Analyze and recover the digital evidence
› Investigate the data you recover
› Complete the case report
› Critique the case
Securing Your Evidence
› Use evidence bags to secure and catalog the evidence
› Use computer-safe products
  Antistatic bags
  Antistatic pads
› Use well-padded containers
› Use evidence tape to seal all openings
  Power supply electrical cord
› Write your initials on the tape to prove that evidence has not been tampered with
› Consider computer-specific temperature and humidity ranges
Understanding Data Recovery Workstations and Software
› Investigations are conducted in a computer forensics lab (or data-recovery lab)
› Computer forensics and data recovery are related but different
› Computer forensics workstation
  Specially configured personal computer
  Loaded with additional bays and forensics software
› To avoid altering the evidence use:
  Forensics boot disk, write-blocker devices, network interface card (NIC), extra USB ports, FireWire 400/800 ports, SCSI card, disk editor tool, text editor tool, graphics viewer program, other specialized viewing tools
Sources of File System Evidence
› File slack
› Free space - “unallocated” clusters
› Deleted files
› Page file / swap partition
› Unpartitioned “free” space
› Host protected areas
Source: class note by Rob Guess
Understanding Bit-Stream Copies (1)
Bit-stream copy
› Bit-by-bit copy of the original storage medium
› Exact copy of the original disk
› Different from a simple backup copy
  Backup software only copies known files
  Backup software cannot copy deleted files or e-mail messages, or recover file fragments
Understanding Bit-Stream Copies (2)
Bit-stream image
› File containing the bit-stream copy of all data on a disk or partition
› Also known as a forensic copy
Class Activity THREE: Acquiring an Image of Evidence Media and Recovering a Deleted File
First rule of computer forensics
› Preserve the original evidence
› Conduct your analysis only on a copy of the data
Use FTK Imager to create a forensic image
› http://accessdata.com/support/adownloads
Your job is to recover data from deleted files
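The difference between a backup and a bit-stream copy, and why Activity Three can recover a deleted file at all, is easiest to see on a toy medium. The Python below is an added example written for this page; it is not from the course, from FTK Imager or from any forensic tool. The 16-sector "disk", its allocation table, the file names and their contents are all constructed for the demonstration, and the allocation table is a stand-in for a real directory structure, not a real on-disk format.

```python
import hashlib
import re

SECTOR = 64       # constructed: tiny sector size so the whole "disk" fits in memory
NSECTORS = 16     # constructed: 1 KiB medium; sector 0 is reserved for the allocation table


def make_evidence_disk():
    """Build the constructed evidence medium and its toy allocation table.

    The table is a list of [name, first_sector, length, allocated] rows; it
    stands in for a real directory/FAT and is not any real on-disk format.
    """
    disk = bytearray(SECTOR * NSECTORS)
    table = []

    def write(name, sector, data):
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        table.append([name, sector, len(data), True])

    # Constructed story: a long draft was written and deleted, a shorter file
    # reused its first sector, and a second file was created (deleted later in demo()).
    write("draft.txt", 2, b"DRAFT salary list: Ann 91000, Bob 87000, Cy 102000 - do not share. Keep offline.")
    table.clear()                   # the draft's directory entry is gone; its bytes are not
    write("notes.txt", 2, b"Meeting moved to 4 pm. Bring the ledger.")
    write("secret.txt", 5, b"Transfer 40000 to account 7731 before audit.")
    return disk, table


def delete_file(table, name):
    """Simulate deletion: the directory entry is released, the sectors are not wiped."""
    for row in table:
        if row[0] == name:
            row[3] = False
            return True
    return False


def backup_copy(medium, table):
    """What ordinary backup software does: copy only the files it knows about."""
    return {name: bytes(medium[s * SECTOR:s * SECTOR + n])
            for name, s, n, allocated in table if allocated}


def bitstream_copy(medium):
    """Bit-by-bit copy of the whole medium: every sector, allocated or not."""
    return bytes(medium)


def sha256(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def verify_image(original, image):
    """A matching digest is what lets the image stand in for the original evidence."""
    return sha256(original) == sha256(image)


def file_slack(medium, table, name):
    """Bytes between the end of a file and the end of its last sector."""
    for n, s, length, allocated in table:
        if n == name and allocated:
            end = s * SECTOR + length
            last_sector_end = ((end + SECTOR - 1) // SECTOR) * SECTOR
            return bytes(medium[end:last_sector_end])
    return b""


def unallocated_sectors(table):
    """Sector numbers no allocated file currently claims ("free" space)."""
    used = set()
    for _, s, length, allocated in table:
        if allocated:
            used.update(range(s, s + (length + SECTOR - 1) // SECTOR))
    return [i for i in range(1, NSECTORS) if i not in used]


def carve_strings(image, table, min_len=8):
    """Pull printable ASCII runs out of the unallocated sectors of a bit-stream image."""
    found = []
    for s in unallocated_sectors(table):
        chunk = image[s * SECTOR:(s + 1) * SECTOR]
        found += [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, chunk)]
    return found


def demo():
    disk, table = make_evidence_disk()
    delete_file(table, "secret.txt")        # the file is "deleted" before acquisition
    image = bitstream_copy(disk)            # acquire; from here on work only on the image
    return {
        "hash_match": verify_image(disk, image),
        "backup_names": sorted(backup_copy(image, table)),
        "slack": file_slack(image, table, "notes.txt"),
        "carved": carve_strings(image, table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running demo() shows the backup seeing only notes.txt, while the bit-stream image hashes identically to the original and still yields the deleted secret.txt from an unallocated sector and the tail of the overwritten draft from the slack of notes.txt. Real imaging tools do the same thing at sector level on the actual medium behind a write-blocker, and the hash comparison is what goes into the case notes.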
DAY THREE
Web Browsing Application
World Wide Web allows users to access resources (i.e. documents) located in computers connected to the Internet
Documents are prepared using HyperText Markup Language (HTML)
A browser application program is used to access the web
The browser displays HTML documents that include links to other documents
Each link references a Uniform Resource Locator (URL) that gives the name of the machine and the location of the given document
Let’s see what happens when a user clicks on a link
Source: Communication Networks, Leon-Garcia and Widjaja
1. DNS
› User clicks on http://www.nytimes.com/
› The URL contains the Internet name of the machine (www.nytimes.com), but not its Internet address
› The Internet needs the Internet address to send information to a machine
› Browser software uses the Domain Name System (DNS) protocol to send a query for the Internet address
› The DNS system responds with the Internet address
Q. www.nytimes.com?
A. 64.15.247.200
Source: Communication Networks, Leon-Garcia and Widjaja
2. TCP
› Browser software uses HyperText Transfer Protocol (HTTP) to send a request for the document
› The HTTP server waits for requests by listening on a well-known port number (80 for HTTP)
› The HTTP client sends request messages through an “ephemeral port number,” e.g. 1127
› HTTP needs a Transmission Control Protocol (TCP) connection between the HTTP client and the HTTP server to transfer messages reliably
TCP Connection Request: From 128.100.11.13 Port 1127, To 64.15.247.200 Port 80
ACK, TCP Connection Request: From 64.15.247.200 Port 80, To 128.100.11.13 Port 1127
ACK
Source: Communication Networks, Leon-Garcia and Widjaja
3. HTTP
› HTTP client sends its request message: “GET …”
› HTTP server sends a status response: “200 OK”
› HTTP server sends the requested file
› Browser displays the document
› Clicking a link sets off a chain of events across the Internet! Let’s see how protocols & layers come into play…
GET / HTTP/1.1
200 OK
Content
Source: Communication Networks, Leon-Garcia and Widjaja
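Added example, not from the slides or from the Leon-Garcia and Widjaja text: the three steps above (name lookup, TCP connection from an ephemeral port, HTTP request and 200 OK) carried out in Python against a throw-away server on the loopback interface so that it runs offline. The host name "localhost" stands in for www.nytimes.com, the port the OS hands out stands in for port 80, and the cookie value is constructed. The server records what it saw on the wire so that both sides of the exchange can be compared.

```python
import socket
import threading


def start_server(body=b"<html>hello</html>"):
    """Start a one-shot HTTP server on a loopback port.

    Returns (port, seen, thread); 'seen' is filled with what the server observed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port (stands in for 80)
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def handle():
        conn, peer = srv.accept()       # returns once the TCP three-way handshake completes
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:     # read until the end of the request headers
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
            lines = head.split("\r\n")
            seen["request_line"] = lines[0]
            seen["headers"] = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
            seen["peer_port"] = peer[1]       # the client's ephemeral port, as seen by the server
            resp = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                    b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
            conn.sendall(resp)
        srv.close()

    t = threading.Thread(target=handle, daemon=True)
    t.start()
    return port, seen, t


def fetch(hostname, port, path="/", cookie=None):
    """Client side: 1. DNS-style name lookup, 2. TCP connect, 3. HTTP GET and response."""
    ip = socket.gethostbyname(hostname)   # for "localhost" the hosts file answers instead of DNS
    with socket.create_connection((ip, port), timeout=5) as s:
        ephemeral_port = s.getsockname()[1]
        req = f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n"
        if cookie:
            req += f"Cookie: {cookie}\r\n"   # sent as plain text on a plain-HTTP connection
        req += "\r\n"
        s.sendall(req.encode())
        raw = b""
        while True:                          # read until the server closes the connection
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0].decode()
    return {"ip": ip, "ephemeral_port": ephemeral_port, "status": status_line, "body": body}


def demo():
    """Run one exchange and return (client's view, server's view)."""
    port, seen, t = start_server()
    client_view = fetch("localhost", port, "/", cookie="session=abc123")  # constructed cookie
    t.join(5)
    return client_view, seen


if __name__ == "__main__":
    client, server = demo()
    print("client:", client)
    print("server:", server)
```

demo() returns the client's view (resolved address, ephemeral port, status line, body) and the server's view (request line, headers, peer port). The two port numbers agree, and the Cookie header arrives as readable text; that is exactly what a capture tool such as Wireshark shows for plain HTTP in Activity Four, and why session cookies and login forms should only travel over HTTPS, where the whole HTTP exchange is encrypted.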
ACTIVITY FOUR: Cookies and Grabbing Passwords with Wireshark
Wireshark
› http://www.wireshark.org/download.html
Grabbing cookies
› http://www.httprecipes.com/1/2/cookies.php
  Source: The website is provided by Heaton Research, Inc.
Grabbing passwords
› http://www.httprecipes.com/1/2/forms.php
  Source: The website is provided by Heaton Research, Inc.
Attacking Analysis
Evasion of Detection
› Avoid writing to disk
› Make data look innocent
Evidence Hiding
› Presence of encrypted data*
› Evidence of steganography*
› ADS*, files within files, slack space, bad blocks
Insertion
› Insert erroneous or misleading data
› Randomize / modify file system MAC times
* Red flags
Source: class note by Rob Guess
Encryption Terms
› Plaintext – original message
› Algorithm – transformation procedure
› Key – variable used to scramble the message
› Ciphertext – resulting garbled output
Source: class note by Rob Guess
ACTIVITY FIVE: Encryptor and Decryptor
PKI Demo Applet
› http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/
Steganography (1)
The science of hiding information
› History – tablets, shaved heads
› Now – images, sounds, other files
Data is frequently encrypted
› Frequency analysis can detect this
Source: class note by Rob Guess
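To connect the four encryption terms above with the point that frequency analysis can reveal encrypted data, here is an added Python example (it is not part of the class notes): a one-time-pad XOR cipher built from plaintext, algorithm, key and ciphertext, followed by two statistics an examiner uses to flag data that looks encrypted or otherwise random, Shannon entropy per byte and a chi-square distance from the uniform byte distribution. The plaintext and key are constructed, and the key comes from a seeded generator so the run is repeatable.

```python
import math
import random
from collections import Counter

# Constructed plaintext with a recognisable English letter profile.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 40


def make_key(length, seed=2024):
    """Key: the variable that scrambles the message.

    Seeded here so the example is repeatable; a real one-time-pad key must come
    from a true random source, be as long as the message, and never be reused.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_cipher(message, key):
    """Algorithm: XOR each message byte with the key byte at the same offset.

    XOR is its own inverse, so the same call turns ciphertext back into plaintext.
    """
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


def shannon_entropy(data):
    """Bits of entropy per byte: roughly 4 to 5 for English text, close to 8 for ciphertext."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data):
    """Chi-square distance from a flat byte histogram.

    A value near 255 (the degrees of freedom) means the bytes look uniformly
    random; text scores far higher because most of the 256 bins are empty.
    """
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data, entropy_threshold=7.0):
    """Red-flag test: high entropy suggests encrypted data.

    Compressed files and media score high too, so an examiner follows this up
    with a file-type (signature) check rather than treating it as proof.
    """
    return shannon_entropy(data) > entropy_threshold


def demo():
    key = make_key(len(PLAINTEXT))
    ciphertext = xor_cipher(PLAINTEXT, key)
    return {
        "round_trip_ok": xor_cipher(ciphertext, key) == PLAINTEXT,
        "plain_entropy": shannon_entropy(PLAINTEXT),
        "cipher_entropy": shannon_entropy(ciphertext),
        "plain_chi2": chi_square_uniform(PLAINTEXT),
        "cipher_chi2": chi_square_uniform(ciphertext),
        "plain_flagged": looks_encrypted(PLAINTEXT),
        "cipher_flagged": looks_encrypted(ciphertext),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

demo() decrypts the ciphertext back to the plaintext, then shows the plaintext with low entropy and a large chi-square value while the ciphertext sits near 8 bits per byte and near 255, which is the pattern that makes an examiner flag a file, or a region of slack or unallocated space, as possibly encrypted.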
Steganography (2)
Source: http://petitcolas.net/fabien/steganography/image_downgrading/index.html
The image in which we want to hide another image: ‘Arctic hare’ – Copyright photos courtesy of Robert E. Barber, Barber Nature Photography ([email protected])
Steganography (3)
Source: http://petitcolas.net/fabien/steganography/image_downgrading/index.html
The image we wish to hide: ‘F15’ – Copyright photo courtesy of Toni Lankerd, 18347 Woodland Ridge Dr. Apt #7, Spring Lake, MI 49456, U.S.A. ([email protected])
DAY FOUR
Activity SIX: Write a wrap-up report: 1 hour
Please include the following in your report and email it to me at [email protected]
› What is your name?
› What did you learn from this class?
› What do you like most in this class?
› Do you have any suggestions to improve this class?
› Any memo to me (instructor) and the TA?
› Anything else?
Activity SEVEN: Prepare the Friday presentation
Today’s plan
› Brainstorming: about 30 minutes
› Prepare the presentation: about 2 hours
Presentation length: 10 minutes
Any Questions?