Introduction to Computer Forensics - Sonntag

Page 1

July 2016

Michael Sonntag

Introduction to Computer Forensics

Page 2

What is "Computer Forensics"?

▪ Computer Forensics (CF) is obtaining digital evidence

» Analogue evidence is usually not considered here: Use "ordinary" forensics to gather/evaluate it

› Analogue computers are almost non-existent today!

» This may originate in running systems or parts of them

› Hard disks, flash drives, PDAs, mobile phones, telephones, copiers, "pads", game devices, TVs, smart watches, smart home systems etc.

» Can be evidence for computer crimes (computer fraud, hacking, …), for any other crime (documents with plans for x), or for various other uses (data recovery)

▪ One indispensable issue is "data integrity" and "origin"

» Data is easily changeable: Evidence is usable in proceedings if, and only if, it is ensured that it has not been changed!

Slide: Jörg R. Mühlbacher, Introduction to Computer Forensics 2

Page 3

What is "Computer Forensics"?

▪Other definitions:

» "Analytical techniques to identify, collect, preserve and examine evidence/information which is magnetically stored or encoded"

› Problem: "magnetically": what about flash disks, running systems?

› Better: "in computerized systems and their parts"

» "We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law."

› Focus on legal proceedings; there are many other uses as well!

Note that this is almost the "highest" form: If evidence is sufficient for criminal proceedings, it can be used for everything else as well!

• Civil proceedings

• Arguments for insurance companies

• Admonishment/dismissal of employees

• Information for business decisions

• …

Page 4

What is "Computer Forensics"?

▪Other definitions:

» "A technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a crime or other computer use that is being inspected."

› Systematic: We don't just start the suspect's laptop, open the mail program and read a few of his e-mails.

» "Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis."

› "Identification": All hard disks of one model look the same; which one is it?

› Root cause analysis: Server crashed → OS file missing → Who deleted it? → How did this person get in? → Why is this bug (still) present?

» "Forensics" = "To bring to the court" ("forum")

Page 5

Important elements of a definition

▪Elements of computer forensics:

» "Digital data": No analogue data, only data for/from automatic processing (printouts too!)

» "History": Only small parts (→ further effects) affect the future

› Most of it is "digital archaeology"!

» "Systematic": We don't collect just "something"; we follow procedures to acquire and investigate the data we need later

» "Preserve": Evidence might be needed later on

› Someone else should be able to repeat it

› Might be needed as evidence in legal proceedings

» "Find": Most elements of CF are not documented and must first be identified (e.g. what registry key will change when)

» "Evaluate": Why did this change happen?

› Finding some reason is simple, but have we identified all of them?

Timestamp is set on copying → timestamp was set → file was copied! But what other actions exist that change timestamps identically?


Preserve first, then find!
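The timestamp point under "Evaluate" (a timestamp that is consistent with a copy is also produced by other actions) can be shown on a live file system. The following is an added example written for this page, not part of the original slides: it creates three files in a temporary directory and returns their modification times. The plain copy gets a fresh mtime; a metadata-preserving copy keeps the old one; and a file that was never copied is given exactly the plain copy's mtime with os.utime. The "30 days old" original, the 60-second window in mtime_implies_recent_copy and the file names are constructed values.

```python
import os
import shutil
import tempfile
import time


def make_timestamp_cases(tmpdir: str) -> dict:
    """Create files whose mtimes tell different stories; return the mtimes.

    Constructed sample data: everything is created inside tmpdir.
    """
    now = time.time()
    old_ns = time.time_ns() - 30 * 86400 * 10**9      # "30 days ago", constructed

    # The original, backdated so it looks like a month-old document.
    original = os.path.join(tmpdir, "original.txt")
    with open(original, "w") as fh:
        fh.write("constructed sample document\n")
    os.utime(original, ns=(old_ns, old_ns))

    # Case 1: plain copy (cp without -p). A new file is written, so mtime = now.
    plain_copy = os.path.join(tmpdir, "copy_plain.txt")
    shutil.copy(original, plain_copy)

    # Case 2: metadata-preserving copy (cp -p, robocopy /COPY:DAT, ...).
    # The copy keeps the OLD mtime: copying does not necessarily leave a fresh timestamp.
    preserving_copy = os.path.join(tmpdir, "copy_preserving.txt")
    shutil.copy2(original, preserving_copy)

    # Case 3: no copy at all. A freshly written file is given exactly the plain
    # copy's mtime with utime: by timestamp alone it is indistinguishable from case 1.
    forged = os.path.join(tmpdir, "not_a_copy.txt")
    with open(forged, "w") as fh:
        fh.write("different content entirely\n")
    target_ns = os.stat(plain_copy).st_mtime_ns
    os.utime(forged, ns=(target_ns, target_ns))

    return {
        "now": now,
        "original": os.stat(original).st_mtime,
        "plain_copy": os.stat(plain_copy).st_mtime,
        "preserving_copy": os.stat(preserving_copy).st_mtime,
        "forged": os.stat(forged).st_mtime,
    }


def mtime_implies_recent_copy(mtime: float, reference: float, window_s: float = 60.0) -> bool:
    """The naive inference "recent mtime => the file was copied just now".

    True for the plain copy, false for the preserving copy, and true for the
    forged file, which is exactly why this inference alone is not proof.
    """
    return abs(reference - mtime) <= window_s


def run_demo() -> dict:
    tmpdir = tempfile.mkdtemp(prefix="cf_timestamps_")
    try:
        times = make_timestamp_cases(tmpdir)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    times["verdicts"] = {
        name: mtime_implies_recent_copy(times[name], times["now"])
        for name in ("original", "plain_copy", "preserving_copy", "forged")
    }
    return times


if __name__ == "__main__":
    for name, verdict in run_demo()["verdicts"].items():
        print(f"{name:16s} looks like a recent copy: {verdict}")
```

The verdict for the forged file is identical to that for the plain copy; only other traces (file content, other timestamps such as ctime or the NTFS $FILE_NAME times, shell history, link files) can separate the explanations, which is what "have we identified all of them?" asks for.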

Page 6

Investigative aims: Technical

▪CF should answer some/all of these questions:

» Has something happened at all?

› Random effect (e.g. memory error), bugs, …

» When did it happen?

› How long did the attacker have access to our files?

» What has happened and what are the effects?

› What are the results of the intrusion?

» Who (= which computer system) was responsible for it?

› Can we identify an IP address?

» How was it done?

› So we can block this in the future

» Why did it happen?

› Accident vs. deliberate; indiscriminate vs. targeted; damage vs. gain; …

▪Uncovering what really occurred on a technical level

Page 7

Investigative aims: Other

▪CF should answer some/all of these questions:

» What damage was caused?

› Directly, cost of recovery, additional costs (loss of reputation, lost sales etc.) – not necessarily the task of the computer forensics expert!

» Who (= which person) was responsible for it?

› Ascribing IP addresses, domain names etc. to natural or legal persons (including their names or other unique identification elements)

» Providing evidence and a report for court proceedings

› We don't just need to know it, we must be able to prove it too! Includes the method(s) of investigation, keeping evidence intact, …

› What are we unable to prove? To minimize the impact on legal proceedings/avoid them

› How "good" is the evidence?

▪Commercial/legal aspects are also part of computer forensics!

Page 8

Process of forensic investigations

The process diagram on this slide (reproduced here as a list, from the first phase to the last; documentation accompanies every phase):

▪ Assignment: What is to be investigated? Location, content & time restrictions

▪ Identification

▪ Preservation

▪ Collection

▪ Data acquisition: "Chain of Custody": Identity & Integrity

▪ Investigation: Desired analysis + estimate on correctness/probabilities; Validation: Unchanged? Intentionally manipulated?

▪ Presentation of results: Presentation, report, expertise, explanation in court, …

▪ Documentation (throughout)
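The "Chain of Custody: Identity & Integrity" and "Validation: Unchanged?" steps of the process, as an added example written for this page (not code from the original slides). The hash is taken on the source before imaging, on the image after imaging, and again at every hand-over and before analysis; every action goes into an append-only custody log. The disk content, actor names and item names are constructed; CustodyLog, acquire, verify and transfer are hypothetical helper names.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every action taken on an evidence item."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, action: str, actor: str, item: str, digest: str, note: str = "") -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "actor": actor,
            "item": item,
            "sha256": digest,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def to_jsonl(self) -> str:
        """One JSON object per line: easy to print, sign, and diff later."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def acquire(source: bytes, item: str, actor: str, log: CustodyLog) -> tuple[bytes, str]:
    """Bit-for-bit image of `source`; hashed before and after imaging."""
    digest_before = sha256_hex(source)
    image = bytes(source)              # stands in for the dd / ewfacquire output
    digest_after = sha256_hex(image)
    if digest_before != digest_after:
        raise RuntimeError("image does not match source; acquisition must be repeated")
    log.record("acquire", actor, item, digest_after,
               "source hashed before imaging; image hash identical")
    return image, digest_after


def verify(image: bytes, expected: str, item: str, actor: str, log: CustodyLog) -> bool:
    """Re-hash the image (at hand-over, before analysis) against the acquisition hash."""
    digest = sha256_hex(image)
    ok = digest == expected
    log.record("verify", actor, item, digest,
               "integrity OK" if ok else f"MISMATCH, expected {expected}")
    return ok


def transfer(item: str, sender: str, receiver: str, digest: str, log: CustodyLog) -> dict:
    return log.record("transfer", f"{sender} -> {receiver}", item, digest,
                      "sealed evidence bag, signed hand-over form")


def demo() -> dict:
    # Constructed "disk" content; in practice `source` is the raw block device.
    disk = b"MBR\x00" * 32 + b"invoice_2016.xlsx ..." + b"\x00" * 1024
    log = CustodyLog()
    image, digest = acquire(disk, "disk0 (seized laptop HDD)", "examiner A", log)
    transfer("disk0.img", "examiner A", "lab B", digest, log)
    ok_untouched = verify(image, digest, "disk0.img", "lab B", log)

    # A single flipped byte (accidental write, mounted read-write, or deliberate
    # tampering) is enough for the acquisition hash to reject the image.
    tampered = bytearray(image)
    tampered[200] ^= 0x01
    ok_tampered = verify(bytes(tampered), digest, "disk0.img", "lab B", log)

    return {"digest": digest, "ok_untouched": ok_untouched,
            "ok_tampered": ok_tampered, "log": log}


if __name__ == "__main__":
    result = demo()
    print(result["log"].to_jsonl())
```

The log records the failed verification as well as the successful ones: a gap in the sequence numbers, or a missing mismatch entry, is itself a chain-of-custody problem that the other side will ask about.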

Page 9

The basic principles of CF

▪ No action to secure/collect evidence should affect its integrity

» It becomes much less worth/completely worthless!

▪ Examiners should be trained

» Only investigate as far as your knowledge goes

▪ All activities should be logged

» Seizure, examination, storage, and transfer

› Complete chain of custody (including its security measures)

» Documented, preserved, and available for review

› Proof for the chain of custody

▪ Investigations must be accurate and impartial

» The computer forensics examiner is not prosecutor, attorney, or judge

› Describe what was actually found, and what should have been found but was missing!

› Describe how reliable these facts are

› What conclusions can possibly/reasonably/definitively be drawn from it?

Page 10

The basic principles of CF

▪ Similar (identical) principles, but seen from the viewpoint of the police

» No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court. [Integrity]

» In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. [Training / Integrity]

» An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. [Chain of Custody / Logging / Preservation]

» The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to. [Legality]

Association of Chief Police Officers: Good Practice Guide for Computer-Based Electronic Evidence, http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf

Page 11

Requirements for forensics procedures

▪ How do we ensure these principles?

▪ Follow standard/accepted procedures, which must fulfil:

1. Acceptance: Method and procedure must be described in publications and be generally accepted

› New methods/procedures are possible, but may need proof of working and correctness

2. Believability: Robustness and functionality of methods must have been proven

3. Repeatability: If another person does the same things to the same base material, the results must be identical

4. Integrity: No undetected changes (side effects) may be introduced through investigation; integrity must be provable

5. Reasons & consequences: Logical connections between events and traces in the evidence must be possible

6. Documentation: Every step in the investigation must be adequately documented

Page 12

When to use CF?

▪ To provide digital evidence of specific activity

» In general, proving non-activity might also be the goal, but this is more difficult and only sometimes possible!

▪ For legal proceedings

» Criminal cases: Child pornography, (computer) fraud, ...

» Civil cases: Hacking, information theft, industry espionage, …

▪ Recovering data

» (Inadvertently) deleted information

▪ Identifying weaknesses

» After a break-in, identify the method employed, to prevent it in the future

▪ Identifying the attack/attacker

» Verify whether an incident actually happened and who was responsible for it

Page 13

When to use CF? Concrete examples

▪ Misuse of ICT by employees

» Unauthorized disclosure of data

» Internet (WWW, E-Mail, …) abuse

» Using illegal data (stolen)/programs (copyright)

» Private use of company resources

▪ Exploiting ICT

» Industrial espionage

» Hacking of systems

» Infiltration (zombie, trojans, viruses, …)

» Business crimes: Fraud (offline), bribery, falsifying balances, cartels…

▪ Damaging ICT

» Web page defacements

» Denial of Service attacks

» Crashing computers

» Deleting programs/data

Page 14

When to use CF?

▪ Some more prosaic examples:

» Any normal crime

› Plans on computer

› Tracing communication or money

» Computer crimes

› Phishing

› "Money mules"

› Stealing e-money (e.g. bitcoins, online poker "chips")

» Disputes between companies

› We did deliver the product

› The delivery was too late, defective, …

› The SW installation/service/repair was not performed correctly

› Information theft, intentionality of trade mark misuse, …

» Companies vs. consumers

› Details: See above!

› Addition: Often "computer company" vs. "laymen"

Page 15

When to use CF?

▪ Problematic example: "Prove, that we did not receive this E-Mail"

» Can we really do that?

› We can "easily" prove the receipt of the e-mail: we just have to find it on the mail server (or traces of it)!

» But proving the negative?

› If we don't find any trace on the mail server, this could mean

• we did not search thoroughly enough,

• it was there, but was later accidentally deleted and overwritten,

• it was there and was then intentionally and cleverly deleted, or

• it was never on the server at all (deleted in transit, …)!

› But there is normally no way to prove which of these options describes what actually occurred

» Potential options: Third parties (logs, replies, …), traces of destroying evidence (no proof, but bad in court!)

» Is it hopeless? No!

› No trace at all despite a thorough search → receipt unlikely
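The "prove we did not receive this e-mail" problem in practice: the positive case is a search of the mail server logs that ties the Message-ID to a queue ID and from there to a delivery status, while the negative case can only be reported as "no trace in the logs examined". The following Python is an added example written for this page, not part of the original slides; MAIL_LOG is a constructed Postfix-style excerpt (hosts, addresses and queue IDs are invented), and trace_message and receipt_statement are hypothetical helper names.

```python
import re
from typing import Optional

# Constructed Postfix-style log excerpt; hosts, addresses and queue IDs are invented.
MAIL_LOG = """\
Jul  1 10:02:11 mx1 postfix/smtpd[1234]: A1B2C3D4E5: client=mail.example.net[192.0.2.10]
Jul  1 10:02:11 mx1 postfix/cleanup[1235]: A1B2C3D4E5: message-id=<order-4711@example.net>
Jul  1 10:02:12 mx1 postfix/qmgr[1100]: A1B2C3D4E5: from=<sales@example.net>, size=2048, nrcpt=1 (queue active)
Jul  1 10:02:12 mx1 postfix/local[1240]: A1B2C3D4E5: to=<alice@example.org>, relay=local, delay=1.1, status=sent (delivered to mailbox)
Jul  1 10:02:12 mx1 postfix/qmgr[1100]: A1B2C3D4E5: removed
Jul  1 11:40:05 mx1 postfix/smtpd[1234]: F6E5D4C3B2: client=unknown[198.51.100.7]
Jul  1 11:40:05 mx1 postfix/cleanup[1235]: F6E5D4C3B2: message-id=<promo-99@example.com>
Jul  1 11:40:06 mx1 postfix/qmgr[1100]: F6E5D4C3B2: from=<news@example.com>, size=9001, nrcpt=1 (queue active)
Jul  1 11:40:06 mx1 postfix/local[1240]: F6E5D4C3B2: to=<alice@example.org>, relay=local, delay=0.9, status=bounced (mailbox full)
Jul  1 11:40:06 mx1 postfix/qmgr[1100]: F6E5D4C3B2: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def parse(lines):
    """Yield one dict per Postfix line that carries a queue ID."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def trace_message(log_text: str, message_id: str) -> Optional[dict]:
    """Tie a Message-ID to its queue ID, then collect every line for that queue ID.

    Postfix logs the Message-ID only once (cleanup); sender, recipient and
    delivery status are on other lines that share the queue ID.
    """
    records = list(parse(log_text.splitlines()))
    qids = [r["qid"] for r in records if r["rest"] == f"message-id=<{message_id}>"]
    if not qids:
        return None
    qid = qids[0]
    trace = {"queue_id": qid, "message_id": message_id, "lines": []}
    for r in records:
        if r["qid"] != qid:
            continue
        trace["lines"].append(r)
        rest = r["rest"]
        if rest.startswith("client="):
            trace["client"], trace["first_seen"] = rest[len("client="):], r["ts"]
        m = re.match(r"from=<([^>]*)>", rest)
        if m:
            trace["sender"] = m.group(1)
        m = re.match(r"to=<([^>]*)>.*\bstatus=(\w+)", rest)
        if m:
            trace["recipient"], trace["status"] = m.group(1), m.group(2)
    return trace


def receipt_statement(log_text: str, message_id: str, coverage: str) -> str:
    """What the examiner can actually state, in the positive and in the negative case."""
    t = trace_message(log_text, message_id)
    if t is None:
        return (f"No trace of <{message_id}> in {coverage}. This does not prove non-receipt: "
                f"the logs may be incomplete or rotated, the entry may have been deleted, "
                f"or the message may never have reached this server.")
    return (f"<{message_id}> from {t['sender']} to {t['recipient']}: status={t['status']} "
            f"at {t['first_seen']} (queue {t['queue_id']}, {len(t['lines'])} log lines)")


if __name__ == "__main__":
    print(receipt_statement(MAIL_LOG, "order-4711@example.net", "mx1 maillog, 2016-07-01"))
    print(receipt_statement(MAIL_LOG, "missing-1@example.net", "mx1 maillog, 2016-07-01"))
```

The coverage argument (which hosts, which log files, which time range) belongs in the report in both cases; "not found" is only meaningful relative to what was actually searched, and a hit for the same recipient on the same day (the bounced message above) shows the logs were complete for that period.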

Page 16

When NOT to use CF!

▪ Immediately acting when having any suspicion

» Plan first: Evidence is destroyed very easily!

» Locate an expert for doing this type of computer forensics

▪ At the last minute: Do it as soon as possible

▪ Because I'm interested: Girl-/boyfriend, spouses etc.

» Potentially a typical area for CF, but it should not be used "lightly"!

▪ "Special" groups are involved

» Parliamentary representatives, medical doctors, attorneys, clergy

› These are often privileged regarding evidence

▪ Because the activity is against company policy/immoral/…

» If the (suspected) behaviour is not illegal, it is much more difficult to investigate it legally!

▪ Using your own staff for important investigations

» Use external independent experts (= third party!)

Page 17

Who should/may use CF?

▪ Authorization required for accessing data

» See privacy laws!

▪ Live monitoring, hacking, password cracking etc. tools are legally "dangerous"!

» Possession alone might be criminal

› A good explanation and evidence for its necessity/legal use might be required!

▪ Personnel to "do" CF:

» System administrators in their own area

› With restrictions, additional permissions/consent/…!

» Experts for courts or private investigations

› "Expert" is not a legal/protected title → anyone can use it!

» Everyone on their own system

› Note: If a second person (e.g. husband/wife) uses the system → consent by this person is necessary!

Page 18

Who needs CF?

▪ State prosecutors/police: Criminal proceedings

» Whether there is a crime to investigate

» Who/why/how was it committed?

» Initial cause for search warrants

▪ Private persons: Civil proceedings

» Personal data misuse, mobbing, persistent harassment, fraud, divorce proceedings, wrongful termination of employment

▪ Private companies: Civil proceedings

» Data theft, fraud, mobbing, employee misconduct

▪ Insurance companies: Damage proceedings

» Intentional damage or accidental, actual value of damage, repair costs

Page 19

Ethical considerations

▪ What is worse?

» Failing to convict a person that actually is guilty?

» Convicting a person that actually is innocent?

▪ Computer forensics must always assume a neutral point of view (or should strive to, as far as possible)

» Including: Admit if wrong or if you don’t know

» Show evidence both for and against the accused

» Avoid desire to win as well as presumption of guilt

» Keep an open mind

▪ UK Civil procedure rules 35.3:

» It is the duty of an expert to help the court on the matters within his expertise.

» This duty overrides any obligation to the person from whom he has received instructions or by whom he is paid.

Source: http://www.criminal-courts-review.org.uk/chpt11.pdf

Page 20

Evidence

Page 21

“Evidence”

▪Circumstantial evidence (German: “Indiz”):

» A hint, which (alone or together with others) allows to conclude that a certain fact exists

▪Evidence (German: “Beweis”):

» A hypothetical situation is accepted as a fact by the judge (rarely: jurors) because he is convinced of it

› The circumstantial evidence is presumed to be true

» Types of evidence are often strictly regulated

› Note: This is a legal distinction and typically has no influence on what can be used as evidence. They are just treated differently. Example: A witness is treated differently than objects

» Used to fulfil the burden of proof

▪ In English the difference is more vague!

▪ Computer forensics: We deal with circumstantial evidence, but normally it is just called "evidence"!

Page 22

Types of evidence

▪ Who was it: Identifying information

» Typical data: IP addresses, login names, passwords

› The language of the words used may also be interesting!

▪ What was done: Traces of actions

» Typical data: Log files, shell history files, event log

» Especially important: Various application-internal logs and non-standard configurations

› The "standard" files are more likely to be cleaned by attackers!

▪ What was added: Data itself

» Typical data: Additional program code, user accounts, program configurations

› Code: New/changed programs, modified source code

▪ What was removed: Remains of data

» Typical data: Deleted files (destroyed data as well as the attacker's own "intermediate" files), encrypted files

Page 23

Types of evidence

▪ When was it: When was it created/deleted/changed?

» Typical data: timestamps

▪ "Best evidence": Only the original piece of evidence is admissible (USA; stems from the UK, where it is mostly defunct)

» Copies can only be used if the original no longer exists or cannot be obtained

» In CF this is problematic, as the "original", e.g. the hard disk, is not very useful. Printouts of the content might be only copies.

› But see Federal Rules of Evidence 1001(d): "[…] For electronically stored information, 'original' means any printout — or other output readable by sight — if it accurately reflects the information. […]"

» Continental law/UK: Try to use the original, but copies are always possible. Being a copy might affect the believability or weight of the evidence, depending on the specific circumstances.

Page 24

Inadmissible evidence

▪ Sometimes evidence is not admissible or protected

» E.g. communication with attorney

▪ But this might not be apparent from the start, or may be intermingled with admissible content!

▪ Precautions for this:

» Never explicitly search for such information

» Ensure there is a way of "excluding"/"masking" … part of the data that was collected

» Inform the relevant personnel that something was discovered

› And inform them of the very coarse category, but never the content!

» Wait for instructions on how to handle this

» Do not ever give out this information unless permitted or required to do so by the correct authority!

Page 25

Digital evidence

▪ Digital evidence is

» Stored in computers: Disks, memory, …

› Not: Printouts, fingerprints on DVDs etc.

» Being transmitted between computers: (W)LAN, e-mails, …

› Not: Voice telephone communication (but …!) etc.

▪ Analogue evidence:

» Fingerprints, fibres, body fluids, physically damaged disk, …

▪ Evidence requires interpretation.

» What does it mean that this Bit is “0”?

» An E-Mail header exists: Who added it? What does it mean?

» Requires a lot of tools: Are they working correctly?

» How many steps of interpretation are necessary?

» How reliable is the interpretation?

▪ We will talk only about digital evidence in this course!

Page 26

Basic problems of digital evidence

▪ Everything can be manipulated – without any trace

» But how difficult is it in the concrete case? Any traces of this?

» What would have to be done/how long would it take?

» Digital data is typically not intended to be manipulation-proof

› Exception: Digital signatures

› Hash values: Nice, but of little use in this regard (whoever changes the data can recompute the hash)!

▪ Main aspects in court:

» Time: Timestamps, logs etc.

» Authenticity: Is it "original" or manipulated?

› Note: "Truthful" is something different altogether …

» Location: Where was the computer/PDA/phone at a given time?

» Originator: Who was logged in/the author?

» Delivery: Did the "message" (e-mail, phone, …) reach the recipient (and when; see above!)

› Note: Differentiation often necessary: Computer and human!
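Why the slide ranks hash values well below digital signatures for authenticity: whoever alters the data can also recompute a hash stored beside it, but cannot recompute a keyed digest or signature without the key. The following Python is an added example written for this page, not part of the original slides; it uses an HMAC-SHA256 tag as a stand-in for a digital signature (the examiner's key plays the role of the private key), and the log lines, the key and the "shift a date" manipulation are constructed values.

```python
import hashlib
import hmac


def plain_hash(data: bytes) -> str:
    """Unkeyed digest: anyone can compute it, including whoever edits the data."""
    return hashlib.sha256(data).hexdigest()


def seal(data: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256), standing in for a digital signature."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_plain(data: bytes, stored_hash: str) -> bool:
    return hmac.compare_digest(plain_hash(data), stored_hash)


def check_seal(data: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(seal(data, key), tag)


def manipulate(evidence: bytes) -> bytes:
    """The manipulation: shift a date in a log line by one month."""
    return evidence.replace(b"2016-07-01", b"2016-06-01")


def demo() -> dict:
    examiner_key = b"constructed-key-held-only-by-the-examiner"
    # Constructed log excerpt standing in for acquired evidence.
    evidence = (b"2016-07-01 09:12:03 login user=alice src=192.0.2.10\n"
                b"2016-07-01 09:12:41 download invoice_2016.xlsx\n")

    stored_hash = plain_hash(evidence)          # kept beside the data, e.g. evidence.sha256
    tag = seal(evidence, examiner_key)          # kept by the examiner; key never on the box

    forged = manipulate(evidence)
    stored_hash_after_forgery = plain_hash(forged)   # attacker just recomputes and overwrites
    attacker_tag = seal(forged, b"attacker-guess")   # attacker cannot reproduce the keyed tag

    return {
        "original_plain_ok": check_plain(evidence, stored_hash),
        "original_seal_ok": check_seal(evidence, tag, examiner_key),
        "forged_plain_ok": check_plain(forged, stored_hash_after_forgery),  # hash: no protection
        "forged_seal_ok": check_seal(forged, tag, examiner_key),            # old tag rejects it
        "forged_reseal_ok": check_seal(forged, attacker_tag, examiner_key), # wrong key rejects it
        "forged_vs_recorded_hash": check_plain(forged, stored_hash),        # hash recorded elsewhere does detect it
    }
```

A plain hash is still useful when it is recorded at acquisition time in a place the other side cannot reach (the custody log, the signed report): the last entry shows the forgery fails against the originally recorded hash. What a hash cannot do is establish authenticity on its own when it travels with the data. An HMAC additionally requires the verifier to hold the same key, so where third parties must verify (court, opposing expert) a real signature over the hash list is the practical choice.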

Page 27

Where to find evidence

▪ Disks: Hard disks, SSDs, memory cards/sticks, tapes, …

» The typical "storage medium"

» Note: These can be very small and very easily hidden

› They might also pose as "normal" objects. Example: USB memory stick in a pocket knife!

▪ Devices: Mobile phones, PDAs, music players, game consoles, toys (comp.-controlled), smart watches …

» Directly or on disks contained therein

» Also a storage medium; usually may contain arbitrary data› In addition to the "normal" data like music, contacts etc!

▪ “Recorders”: Cameras/dash cams, audio recorders, GPS trackers, wearables/health monitors, TVs,…

» Similar to devices: Own data + any other stored data

Page 28

Where to find evidence

▪ Digital copiers/printers

» Might add a serial number to each copied/printed sheet

» May contain old scanned pages

▪ Media equipment: Media-PC, Internet-TV, satellite receivers, Internet-radio, hard disk recorders for TV etc.

» Often contain some storage element inside

» May contain history traces

» May contain unique identifiers for data stored online under a pseudonym (the identifier)

▪ Generally: If there's a CPU in it, it can store any data!

» Similar: If it has a USB socket, a network socket, or a WLAN antenna (visibility!) → must be investigated

› Bluetooth etc. might contain data, so check for its abilities

» Only very rarely is this NOT the case!

Page 29

A few examples of hidden storage…

Page 30

Analysis of evidence

▪ Various aims of analysis for evidence exist

» What is necessary depends on

› Legal requirements, e.g. "possession" required for the specific paragraph considered

› The questions to be answered

» Be careful not to be "steered" towards a certain result through very restrictively defined aims!

▪ All evidence should be

» Crosschecked

» Tied to the suspect

» Explicit about ambiguities or uncertainties

Page 31

Analysis: Ownership of evidence

▪ Was the suspect using the computer when the object was accessed, created, or modified?

▪ Was the object located in an area created by the suspect?

▪ Is the suspect the owner of the object?

» See file system permissions!

▪ Is the suspect solely responsible for the equipment containing the object?

▪ Is the access to the equipment controlled by the suspect?

» Physically or through electronic means (access control, encryption etc)

SANS Institute: Forensic Plan Guide. http://computer-forensics.sans.org/community/papers/gcfa/forensic-investigation-plan-cookbook_283

Page 32

Analysis: Use of evidence

▪ Has the suspect accessed, created or modified the object?

» Timestamps

» Sometimes: Which part of it?

▪ Has the suspect been in direct contact with the object?

» Opening a document → "Did"

▪ Has the suspect had indirect contact with the object?

» Access to the directory containing the file & did view the directory → "Could have done"

Page 33

Analysis: Access of evidence

▪ Does the suspect have the knowledge to be able to access, create, or modify the object?

» Books, Internet history, education, …

▪ Does the suspect have the capabilities (tools) to be able to access, create, or modify the object?

» Slack space, steganography etc. need software to access

▪ Has the suspect actually accessed the object and how?

» Timestamps, sending in mail, …

Page 34

Analysis: Knowledge of evidence

▪ Does the object possess any internal attributes that directly involve the suspect?

▪ Is the object protected, obscured, or hidden by any means?

▪ Is the object name similar to other object names the suspect has used?

▪ Does the object contain words, terms, or phrases used by the suspect?

▪ Does the object contain parts of images or things similar to the suspect?

▪ Was the file password protected by a password known by the suspect?

Page 35

Legal considerations

▪ Computer forensic evidence should be

» Admissible: Don't collect anything which would not be allowed in court later

› It is useless; and probably illegal too!

» Authentic: The evidence should be tied to the incident

› Don't go on "fishing expeditions"

» Complete: Not only the "damaging" parts, but all of it

› Don't suppress or ignore anything else. If in doubt, collect too much and ignore it later in evaluation!

» Reliable: Collection, handling, and evaluation should ensure veracity and authenticity

› See "Chain of Custody"!

» Believable: Should be believable and understandable in court

› And for laymen too (accused, jury, …)

Page 36

Legal considerations

▪ “The truth, the whole truth, and nothing but the truth”

▪ This old and common oath formula contains three important elements, also applying to CF

» The truth: Do not alter anything (=Change)

» The whole truth: Do not suppress anything (=Delete)

» Nothing but the truth: Do not invent anything (=Add)

Page 37

"Burden of proof"

▪ Note: Not an “obligation to prove"!

» You are not (legally) required to prove anything … unless you want to "win" the proceedings, of course!

» If something cannot be proven, this is disadvantageous for the party which bears the burden of proof

› False → Obvious

› Practically important: Unknown, no evidence/witnesses, expert could not find anything conclusive…!

» The other side can just say “no” – and this is enough (for now)

Who loses if we can’t find out?


"Burden of proof"

▪ Typical basic rules:

» You state that something is true
› You bear the burden of proof

» Civil procedures: Everybody proves what would be advantageous for them
› And must claim it (legal problem!)

» Criminal procedures → State must prove everything!

» If the court is convinced (different levels in law!), the burden of proof switches to the other party to prove the opposite

▪ Explicit deviations/special rules exist in many laws

» E.g. legal presumptions: The law assumes that someone is at fault → this party must then prove that they did everything they could/other explanations exist which are more likely/…


Admissibility of evidence: General

▪ Digital information alone is not evidence as such

» Illegal image on disk? How did it come to be there? Unknown!
› Was it the accused, someone else through his account, the police, a hacker who broke in over the network, … ?

› Additional information can help if present

Physical access to computer, logon-history, encryption etc.

▪ A very important aspect (value, not admissibility as such!) is the person collecting and interpreting the evidence

» If this person is trusted → No modifications took place later

» When a conclusion is stated as a fact, the person will not be very useful, as judges will not believe them
› Fact = Observable

Example: Free space on disk is 100 MB

› Conclusion = Fact + interpretation/general rules

Example: Windows will be slow (no swap file) and programs might crash if more space is required for log files/backups/…


Admissibility of evidence

▪ Continental law:

» Generally all evidence is admissible, regardless how obtained
› Exclusions exist, but are few/very rarely apply!

› But what evidence is worth depends on

How it was collected and stored

By whom it was collected

Who analyzed it

How it was analyzed

Whether the conclusions are supported by facts

Whether the conclusions are "state of the art"

» Typically the judge (or rarely a jury) decides

▪ Common law:

» Facts might also be fixed by parties!
› If agreed upon, judge/jury cannot discuss it any more

» Esp. USA: "fruit of the poisonous tree" doctrine
› Evidence obtained unlawfully may not be used


Admissibility of evidence

▪ Note: There is no "court-approved forensic SW"!

» Neither in the USA nor in the EU/Austria is there a certification/approval for what "things"/"devices"/"SW" might/must be used for investigation

▪ But: Investigation must be done according to the current “state of the art”!

» Employing the "usual" SW is typically state of the art

» Other software might also be used, but could require additional explanation in court
› Typically the case in the USA!

» Europe: Person of investigator is often more important
› Officially certified court expert, reputation, experience etc.

› Method is only important if another expert criticizes it

Or the court knows/suspects from other cases that it might be suspect/wrong/incorrectly applied, …


USA: The “Daubert” test

▪ Evidence is admissible, if

» the reasoning or methodology underlying a test is scientifically valid, and

» that reasoning/methodology can properly be applied to the facts

▪ It consists of:

» It can be or has been tested:
› “Does it work at all?” The first user must do extensive tests!

» It has been subjected to peer review and publication
› “Do at least some others think it is correct or not obviously incorrect?”

» The (potential) rate of error is known
› “When/how often does it not work, what prerequisites exist?”

» It has gained general acceptance in the relevant scientific discipline
› “Most others think/verified it is correct.”


The forensic process


The sequence of actions in CF

▪ Secure and isolate

» Remove all other personnel

» Keep reliable independent witness (police, other third party)
› To protect against "The investigator added this data!"

› Practice mostly: Both parties to case + their attorneys

▪ Record the scene

» Photograph, write down
› Example: Mouse on left or right side? Left-/Right-handed

› How are the systems connected (plugs, WLAN!)?

› What is the current state (running; screen content; …)

» Often quite a mess + lots of computers/devices/cables/…
› You won't remember exactly where the disk was and whether it was powered (especially after some months/years)

Example: Disk behind desk? Fell down or deliberately hidden?

Example: Computer running → Might act as a server

› Cabling might also be reconstructed, at least partially


The sequence of actions in CF

▪ Conduct a systematic search for data evidence

» All kinds of computers and storage media
› E.g. steganography impossible without programs → Disks, …

» Everything which has, even if only transient, data on it

▪ Conduct a systematic search for non-data evidence
› “Conventional” search, but important for data investigation

» Especially: Notes with passwords, hints for online services used, tokens, PIN/TAN/PUK

» Printouts in waste paper basket, …

» Stacks of empty storage media ("commercial distribution")

» Invoices for services (domain names, hosting, VPNs, …)

» One-time passwords/codes/payment (e.g. vouchers)

▪ Start chain of custody

» “Bag & Tag”, here potentially before: Data duplication


The sequence of actions in CF

▪ Collect and package evidence

» Keep it safe (no loss/destruction) and secure (no changes)
› Secure wrapping; external influences

› Magnetic media: Shielding against magnetic fields

Modern hard disks are quite resilient, but not all such media are as safe (e.g. magnetic stripe cards)!

› Flash cards, SSDs, memory sticks etc.: Static electricity

› CD-ROM, DVD…: Direct sunlight, high temperature

» Ideally: Make copies there and package & take both!

▪ Interview persons with potentially important knowledge

» Encryption keys, passwords, location of further devices etc.

▪ Maintain chain of custody

» Keep log on who has access and restrict this access


The sequence of actions in CF

▪ Inspect and evaluate data

» Perhaps triage: Immediate brief investigation
› What to impound; already some illegal material found → arrest

› “Triage”: Typically sorting into three groups: Legal / Unknown / Illegal

» Detailed investigation in lab (from copy of media!)

» Create final report
› What was done, what was found, what was not found, what should have been found, how searched, confidence in results, …

▪ Present the results

» In a report

» Potentially also before the court or some other group
› Oral (cross-)examination probable

▪ Potentially answer questions/respond to counter-expertises


Securing evidence: General aspects

▪ Evidence must be secured in a "trustworthy" way

» Nobody should later be able to question the authenticity

▪ Evidence should be collected as fast as possible, but without destroying anything

» This might mean keeping some devices powered, but others without power
› Supply with power: Mobile phones, PDAs, tablets, fax…

› Store without power: Flash disks, hard drives, computers

» Disconnect any communication to/from the device → Attention: Not necessarily immediately!

› E.g. mobile phones: Shielding (no powering off!)

› Computers: Network cables, phone lines, serial lines etc.

» Check with other forensic experts: Fingerprints
› Obtaining traces may damage electronic media!


Securing evidence

▪ Secure the scene

» Preserve potential fingerprints, ensure personnel safety

» Immediately restrict access to computers
› Physically; electronically comes next!

» Document current state (hardware & software)

▪ Secure the computer as evidence

» If the computer is "OFF", do not turn it "ON"
› Disconnect all power sources; unplug from wall AND computer

› Place evidence tape over each drive slot

› Photograph/diagram and label back of components with existing connections

› Label all connectors/cable ends to allow reassembly as needed

› Package components and transport/store components as "fragile"

› Keep away from magnets, radio transmitters, heated seats, etc.

▪ Interview all persons/witnesses

Source: US Secret Service


Securing evidence

» If the computer is "ON"
› Stand-alone computer (non-networked)

Consult computer specialist

If specialist is not available

• Photograph screen

• Disconnect all power sources; unplug from wall AND computer

• Continue as with offline computer!

› Networked or business computers / Routers

Consult a computer specialist for further assistance, because pulling the plug could:

• Severely damage the system

• Disrupt legitimate business

• Create officer and department liability

» If the computer is "OFF": Do not turn it on

▪ Please note: Typical procedure for non-experts

» Experts will (try to) acquire the runtime-state first!


Scientific Working Group on Digital Evidence: Best Practices for Computer Forensics. http://www.oas.org/juridico/spanish/cyb_best_pract.pdf


Securing evidence: Live computers

▪ Better: Obtain as much information from the running system as possible; only then "shutdown" the system

» General rule: Do not alter the state (On → On, Off → Off)!

Obtain a complete copy of the state

» Copy of the whole memory
› With as few changes as possible!

Some additional software MUST be started for transfer!

» Output of various "state" commands, e.g. running processes, open network connections, open files/shares, …

▪ Remove power cable from computer
› Generally some files might be destroyed, so the computer might not boot anymore. But much less data is lost/changed in this way than when shutting it down!

"Delete paging file on shutdown", "Clear privacy data when I close Firefox", …

» Not from wall socket: There might be a UPS somewhere!

» Laptops: Remove battery (both if present) as well


Pulling the plug – Or not?

▪ Other recommendations are a bit more sophisticated

▪ Servers: Shutdown

» Much data can be destroyed when a file/database/E-Mail server is "killed", which can be a problem for companies
› Data is lost, computer must be reinstalled/backups restored, …

› Could be problematic for investigation too: Garbled files, ToC, …

Especially all kinds of databases lose caches, need to be reconstructed etc.

» Little danger of deletion/modification scripts
› These might be shut down at any point in time by someone else (e.g. by a UPS in case of power failure!)

» Hibernation is typically not available here

▪ Appliances: Pull the plug

» Typically built to survive this without any problem/damage

» The runtime data must be copied before, of course!
› Which might be very difficult or practically impossible anyway


Pulling the plug – Or not?

▪ Workstations: Pull plug / Hibernate

» Little damage to be done by killing it

» Usually full control by a single person → “Traps” much likelier

» Restore much quicker and easier

» Affects only a single person, not a whole huge company!

» Problem: Modern OS use e.g. DBs for storing their internal data
› Pulling the plug might result in loss of much data

› Reduce the problem by letting the computer “rest”: Wait for some time (hard-drive activity dies) to make sure any open transactions have been persisted

Not foolproof – some DBs will empty caches only if new data arrives

» If hard disk encryption is used, capturing the memory is the only chance of accessing the necessary key
› Encryption based on hardware (self-encrypting disk): Acquisition while still running is the only chance of obtaining any data at all!


Pulling the plug – Or not?

▪ Workstations: Pull plug / Hibernate

» Alternative (if available!): Hibernation
› Little chance for destruction/traps, PLUS a full memory image!

Drawback: Previous hibernation file is overwritten (but which cannot be used to reconstruct a running system anyway!)

› But make sure this is not actually a shutdown/has been disabled

› In my opinion better than pulling the plug!

» Summary:

1) Copy memory

2) Copy all data from media

3a) Hibernate

3b) Pull plug


Removing the battery

▪ Mobile phones/PDAs: Pulling the plug = remove battery

» Should we really do this?

» Currently it may be unlocked, but after boot it’s definitely not

» Shutdown will wipe decryption keys from memory

» Leaving it on requires power (potentially for a long time)

» When on it might connect to anywhere and send/retrieve data

» When on it might be contacted: Remote wipe

» Typical solution: Faraday bag + power bank

▪ SIM cards:

» Starting a phone with it → Will immediately connect → Bad!

» Starting without → Some will immediately wipe → Bad!

» Solution: Cloning a SIM card: Special devices which produce exact copies, just without network access possibility
› Note: Might be difficult, as not the whole SIM can be copied (protected areas!). Public identification data like IMSI is no problem, however!


The order of volatility

▪ Registers, memory caches

▪ Routing table, arp cache, kernel statistics

▪ Established network connections, running processes

▪ Memory

▪ Opened file systems with encryption

▪ Temporary file systems (RAM disks)

▪ Storage media in use

▪ Remote data (on other systems)

▪ Backup media: Disks not in use, tapes

▪ WOM: CD-ROMs, DVDs

Evidence should be secured/collected in this order!

▪ Separately: Analogue material
» Physical configuration (cabling of devices; network topology), paper, fingerprints, DNA, …


Practical sequence for a computer

▪ Document system and actual time, ascertain privileges

▪ Show active processes

» Plus environment, libraries, loaded modules, …

▪ List current network configuration

» Established connections, listening sockets
› Plus all data, e.g. which application they belong to

▪ Copy of memory

» Complete or processes only, depending on possibility
› Complete copy typically requires administrator login!

▪ Duplicate swap space

» Could be deleted/modified during shutdown

▪ Duplicate encrypted storage media

▪ Stop/Hibernate system

▪ Duplicate rest of storage media


Chain of Custody

▪ Guaranteeing identity and integrity of the evidence

▪ Requirements:

» Ensure the piece of evidence on hand is the same as was taken from the suspect/scene of crime/…
› Serial numbers → All hard disks/USB devices/… look exactly the same!

› “This is THE hard disk in front of the court!”

» Ensure there was no tampering with it
› Witnesses of actions, trust in the person

› “The data on the hard disk has not been changed (while I had it)!”

» Document the transition to the next custodian
› Who got it next, i.e. when was a chance for tampering

Lying around somewhere? Handed to an untrusted person? …

› “I am trustworthy, and the next handler is too!”

» Repetition of the last two requirements until the presentation in court


Chain of Custody

▪ Normally not that important:

» Falsifying a fingerprint stored on a clear plastic tape is difficult (replacement is easier, but also simpler to detect!), but modifying digital data is (technically) trivial and leaves no traces!

▪ But: Digital evidence has a very nice property here: Hash values can reliably prove "no tampering"!

» Acquire as early and as trustworthily as possible: "Since then"!
› I.e., we get an almost ABSOLUTE guarantee for no-tampering!

Not “He is trustworthy, so he didn’t change it”, but “It has objectively not been changed with extremely high probability”

» Store it "securely", e.g. on paper with signature of third person

» The “original” of data (not: medium!) is typically unimportant

Only the content is relevant, so:

› “Normal” chain of custody for the physical medium

› “Hash” for the data on it

And “normal” chain of custody for the hash printout!


Chain of Custody

▪ You have to document

1. Where, when, by whom was evidence discovered & collected
› Plus: “Identity” of the evidence

Example: The hard disk with serial number S was found on desk X by person A at time T

2. Where, when, by whom was evidence handled or examined
› Plus: How it was examined

Example: Person A investigated it at time T with program P in lab L

3. Who had custody of the evidence during what period
› Plus: How was it stored then

Example: Person A stored it in the safe in the lab L at T1

4. Changes of custody: When and how did the transfer occur

Example: Person A gave it personally to person B at time T2

Example: It was sent by registered mail from A to B at time T2 with package number Y

▪ Not everything needs to be on a single tag (especially 2)!
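As an added example (not from the slides), the split described above, "normal" chain of custody for the medium and a hash for the data, as a small bash helper: the hash is recorded at acquisition, taken again at every hand-over, and checked against the acquisition record before the data is used. It assumes GNU coreutils (sha256sum, date, awk, cut); the persons, places and serial number in the demonstration are constructed.

```bash
#!/bin/bash
# Added example, not from the slides: hash-based integrity proof for digital evidence
# plus a plain-text custody log. Assumes GNU coreutils (sha256sum, date, awk/cut).
# Persons, places and the serial number in the demonstration are constructed.
set -o pipefail

# Hash the evidence data at acquisition. Everything the hash later proves is
# "unchanged since this moment", so this has to happen as early as possible,
# ideally in front of a witness.
# Usage: acquire_hash <evidence-file> <custody-log> <person> <where>   (prints the hash)
acquire_hash() {
  local file="$1" log="$2" person="$3" where="$4" hash
  hash=$(sha256sum "$file" | cut -d ' ' -f 1) || return 1
  printf '%s\tACQUIRED\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$person" "$where" "$file" "$hash" >> "$log"
  echo "$hash"
}

# Document a change of custody. The hash is taken again at hand-over so that both
# custodians confirm the same data, not just the same medium, before they sign.
# Usage: transfer_custody <evidence-file> <custody-log> <from> <to> <how>
transfer_custody() {
  local file="$1" log="$2" from="$3" to="$4" how="$5" hash
  hash=$(sha256sum "$file" | cut -d ' ' -f 1) || return 1
  printf '%s\tTRANSFER\t%s\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$from" "$to" "$how" "$file" "$hash" >> "$log"
}

# Compare the evidence with the hash recorded at acquisition.
# Returns 0 = unchanged, 1 = data differs (or cannot be read), 2 = no acquisition record.
# Usage: verify_evidence <evidence-file> <custody-log>
verify_evidence() {
  local file="$1" log="$2" recorded current
  recorded=$(awk -F '\t' -v f="$file" '$2 == "ACQUIRED" && $5 == f { print $6; exit }' "$log")
  [ -n "$recorded" ] || return 2
  current=$(sha256sum "$file" | cut -d ' ' -f 1) || return 1
  [ "$recorded" = "$current" ]
}

# Constructed demonstration: a small file stands in for the image of disk S/N ABC123.
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  printf 'constructed disk image content\n' > "$dir/disk_ABC123.img"
  acquire_hash "$dir/disk_ABC123.img" "$dir/custody.log" "Person A" "desk X" > /dev/null
  transfer_custody "$dir/disk_ABC123.img" "$dir/custody.log" "Person A" "Person B" "in person"
  verify_evidence "$dir/disk_ABC123.img" "$dir/custody.log" && echo "unchanged"
  printf 'x' >> "$dir/disk_ABC123.img"        # simulate a (careless) modification
  verify_evidence "$dir/disk_ABC123.img" "$dir/custody.log" || echo "TAMPERED (rc=$?)"
  cat "$dir/custody.log"                      # this text is what gets printed and signed
  rm -rf "$dir"
}
demo
```

The custody log is deliberately plain text: printed and signed by a third person it becomes the "hash printout" with its own normal chain of custody.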


Interviewing personnel/witnesses

▪ Information to obtain:

» Owner

» User names, passwords
› PW: Account, BIOS, E-Mail, configuration, network, ISP, applications, token codes, …

» Procedures for access (log in method)

» E-Mail addresses, online services/applications used, ISP

» Purpose of the system, person(s) using it

» Security schemes (self-destruct systems; e.g. delete scripts)

» Offsite data: Backups, online replications, cloud services…

» Documentation of the system: Version numbers

» Existence & use: Encryption, Steganography!

▪ Note also when information is not provided!
› Or what turns out to be incorrect

» Won't help the investigation, but may be important in court


Gathering further useful information

▪ Wastepaper baskets:

» Printouts of information

» Invoices, E-Mails: Hints to online services used

▪ Backside of keyboards, drawers, post-its: Passwords/hints

▪ Cables (esp. plugged in), chargers, packaging, manuals: Associated equipment

▪ Packaging: Serial numbers, IMSI/IMEI, PIN, PUK

▪ Other devices: Synchronization targets

▪ Media: Stacks of empty media (type; commercial!)

▪ Dust/no dust on connector sockets (USB, firewire, …)

▪ Installed software (esp. “crapware”): Synchronization, backup, company-specific

▪ Wireless networks: Some devices must create them


Guiding the search for information

▪ The aim of the search is most important

» Is it a search for "something illegal", a specific crime, or whether the image "xyz.jpg" is present on the computer?

» Uncovering all information that is recoverable is possible, but also a lot of work (and therefore extremely expensive!)!

▪ Assessing the proficiency of the suspect

» What kind of "hiding" can reasonably be expected?
› If unknown, always assume the worst, i.e. expert techniques!

▪ When to stop:

» If something matching has been found; or must all, respectively most of, such data be recovered?

» Financial considerations (expenses)


The Heisenberg principle - Analogy

▪ It is impossible to completely capture an entire running computer system at a single point in time from within

» Every kind of "copying the state" will change the state itself!

▪ The goal to reach:

» With as few changes as possible

» Without distortion (like installing additional software)

» Without bias (like adding hardware/software)
› With additional hardware, the data state alone can be captured completely and without modifications (→ Theoretically!)

▪ Decisions are necessary: what to do (+ with what tools!)

» Generally: Try to obtain as much information as possible without changing too much

» Trivial example: Display running processes and photograph the output on screen
› Even better: Use your own (statically linked) program from a CD


Documenting the investigation

▪ The following elements should be documented for each step of an investigation

» Start time

» Person investigating

» Description of the investigative step

» Reason for this step
› What do we expect to gain from it?

» Tools and their version which are employed

» Parameters used for the tools

» Result of the analysis

» End time

» Ensure integrity of the results and the documentation
› Hash values for all digital results

» Ensure authenticity and confidentiality: Sign & encrypt
› Paper: Sign & lock away

» Archive the tools used


Documenting actions

▪ All actions during an investigation must be documented

» This starts with acquiring the evidence!
› Writing down and photographing when/how the computer was found, which state it was in, etc.

▪ Running systems: Every single command entered must be documented with the time and the complete results

» Ideally the log and the result should be stored as a file with a checksum to verify its integrity

▪ Offline systems:

» The state must be exactly documented, e.g. checksums over the whole disk

» Every step of the examination should be documented like in a running system

▪ Generally: Also document the tools (make, version…) used!
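One way to document every command on a running system with time, tool, parameters, complete result and checksum, as asked for above, is a wrapper like the following. It is an added example, not part of the slides; the sequence of commands follows the "Practical sequence for a computer" slide (memory and swap acquisition are tool-specific and left out). It assumes bash and GNU coreutils; the investigator name and output directory are constructed.

```bash
#!/bin/bash
# Added example, not from the slides: document each command run on a live system with
# start/end time, investigator, reason, tool + parameters, complete output, exit status
# and a SHA-256 hash of the stored output. Assumes bash and GNU coreutils.
set -o pipefail

# Usage: run_step <investigator> <output-dir> <reason> <command> [args...]
# Stores the complete output in <output-dir>/NNN-<tool>.out and appends one tab-separated
# record to <output-dir>/steps.log. Returns the exit status of the documented command.
run_step() {
  local who="$1" dir="$2" reason="$3"
  shift 3
  local tool="$1" n=0 seq out start end rc hash
  mkdir -p "$dir" || return 1
  # Step number = number of records already in the log + 1, zero-padded
  [ -f "$dir/steps.log" ] && n=$(wc -l < "$dir/steps.log")
  seq=$(printf '%03d' "$((n + 1))")
  out="$dir/$seq-${tool##*/}.out"
  start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  # stderr is kept: an error message is part of the result ("what was not found")
  "$@" > "$out" 2>&1 && rc=0 || rc=$?
  end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  hash=$(sha256sum "$out" | cut -d ' ' -f 1)
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\trc=%s\t%s\n' \
    "$seq" "$start" "$end" "$who" "$reason" "$*" "$out" "$rc" "$hash" >> "$dir/steps.log"
  return "$rc"
}

# Volatile state first, in the order of the "Practical sequence for a computer" slide.
# The commands are Linux examples; on a real system they should come from the
# investigator's own (statically linked) toolset, not from the suspect machine.
# Returns the number of steps whose command failed (missing tool, no privileges, ...).
collect_volatile() {
  local who="$1" dir="$2" failed=0
  run_step "$who" "$dir" "document system and time"    uname -a   || failed=$((failed + 1))
  run_step "$who" "$dir" "document system and time"    date -u    || failed=$((failed + 1))
  run_step "$who" "$dir" "ascertain privileges"        id         || failed=$((failed + 1))
  run_step "$who" "$dir" "active processes"            ps -ef     || failed=$((failed + 1))
  run_step "$who" "$dir" "network configuration"       ip addr    || failed=$((failed + 1))
  run_step "$who" "$dir" "connections and listeners"   ss -tunap  || failed=$((failed + 1))
  run_step "$who" "$dir" "routing table and ARP cache" ip route   || failed=$((failed + 1))
  run_step "$who" "$dir" "routing table and ARP cache" ip neigh   || failed=$((failed + 1))
  # Memory and swap acquisition would follow here with a dedicated tool (omitted).
  return "$failed"
}

# Demonstration on the local machine (constructed investigator name, temporary directory)
demo_dir=$(mktemp -d)
collect_volatile "Investigator A" "$demo_dir" || echo "some steps failed, see steps.log"
cat "$demo_dir/steps.log"
```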


Documenting actions

▪ Methods of documentation

» Pen & paper: For non-electronic actions
› Disk is duplicated, computer is unplugged, …

» Other “analogue” documentation: Photos, audio commentary
› Might be digital today, but are not the action itself

» Electronic log: If possible, e.g. protocol of all commands (and their output) issued during investigation
› Depends on the system/software used

▪ Chain of custody: Important for the documentation too!

» Pen & Paper: Number pages, don’t leave partly empty, sign every page, separate signature for “end of document"

» Digital documentation: Photos, audio logs, … should contain metadata (e.g. time and serial number of camera) if possible


Documenting actions: “script”

▪ The “script” command copies the in- and output to a file

» Note: The commands should be only “normal” text commands
› E.g. “vi” (“graphical” editor) will not be represented correctly!

» End with Ctrl+D (or “exit”)

▪ Example: “script -f log.txt”

Script started on Tue 05 Jul 2011 01:24:13 PM CEST

[root@mail backup]# date

Tue Jul 5 13:24:18 CEST 2011

[root@mail backup]# ls -al

total 36

drwxr-xr-x 3 root root 4096 Jul 5 13:24 .

drwxr-xr-x 25 root root 12288 May 17 21:49 ..

drwxr-xr-x 5 root root 4096 Jul 5 04:06 db

-rw-r--r-- 1 root root 0 Jul 5 13:24 log.txt

[root@mail backup]# exit

exit

Script done on Tue 05 Jul 2011 01:24:32 PM CEST

▪ Don’t forget: Hash value, read-only, store on other disk…!


Documenting time/time difference

▪ Very important for the evaluation later

» Note: We can’t know the difference between the computer time and the real time at some point in the past: Only now!

▪ Time on investigation system should be very precise

» Use NTP or similar for synchronisation (and take care of timezone and DST!)

▪ Time on investigated system should NOT be changed!

» Only the difference should be documented

▪ Practical problem: How to do this!

» Solution 1: Document time on investigated system and manually add (paper, not file!) the “real” time at that moment

» Solution 2: Connect both systems, redirect output to second system, call “date” on first system, note timestamp of created logfile (not the timestamp within it!) on second system

» Solution 3: Photograph system clock + radio clock
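Solution 2 above as an added example (not from the slides): the investigated system's "date" output lands in a file on the investigation system, whose modification time, set by the investigation system's own synchronised clock, is the reference. It assumes GNU coreutils (date -d, stat -c, touch -d) and that the date was captured with an explicit numeric timezone offset; all values in the demonstration are constructed.

```bash
#!/bin/bash
# Added example, not from the slides: measure the clock offset of the investigated system
# ("Solution 2") and apply it to timestamps from the evidence. Assumes GNU coreutils
# (date -d, stat -c, touch -d). All values in the demonstration are constructed.

# The first line of <logfile> is the investigated system's own "date" output, captured
# in an unambiguous form, e.g.:   date '+%Y-%m-%dT%H:%M:%S%z'
# (the numeric %z keeps timezone and DST out of the guesswork). The file's mtime was set
# by the investigation system's (NTP-synchronised) clock when the output arrived.
# Prints offset = claimed - real, in seconds: positive means the suspect clock runs ahead.
# Usage: clock_offset <logfile>
clock_offset() {
  local logfile="$1" claimed received
  claimed=$(date -d "$(head -n 1 "$logfile")" +%s) || return 1
  received=$(stat -c %Y "$logfile") || return 1
  echo $(( claimed - received ))
}

# Convert a timestamp recorded by the investigated system (e.g. a file mtime in the
# evidence copy) to real time, using the offset measured at acquisition. Caveat from
# the slide: the offset is only known for "now"; the clock may have drifted or been
# changed earlier.
# Usage: to_real_time <offset-seconds> <timestamp>     (prints UTC, ISO 8601)
to_real_time() {
  local offset="$1" ts="$2" epoch
  epoch=$(date -d "$ts" +%s) || return 1
  date -u -d "@$(( epoch - offset ))" '+%Y-%m-%dT%H:%M:%SZ'
}

# Constructed demonstration: the output arrived at 12:00:00 UTC (file mtime), but the
# investigated system claimed 12:05:00 UTC, i.e. its clock is 300 s ahead.
demo() {
  local f
  f=$(mktemp) || return 1
  echo '2011-07-05T12:05:00+0000' > "$f"
  touch -d '2011-07-05T12:00:00Z' "$f"
  clock_offset "$f"                                # prints 300
  to_real_time 300 '2011-07-05T13:24:18+0200'      # prints 2011-07-05T11:19:18Z
  rm -f "$f"
}
demo
```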


Crime Information needs


Information according to crimes

▪ Electronic intrusion

» Configuration files

» Executable programs and source code/scripts

» Open ports, running processes (esp. servers)

» Logs: Activity, connection, programs, communication, …

▪ Fraud

» Address books, calendars: Physical, E-Mail etc.

» Images: Cheques, currency, Western Union, signatures, products, …

» Credit card data, esp. CVC

» Office documents: Letters, spreadsheets, databases

» Banking/accounting software: Dedicated and online

» Internet activity: Logs, caches, cookies, …

» Account information: eBay, banks, …

» Communication history: E-Mails, chat logs


Information according to crimes

▪ Undesirable communication (threats, spam, mobbing)

» Address information: E-Mail, telephone, …

» Documents: Background information, diaries, legal etc.

» Communication: Letters, E-Mails, SMS, chat logs, …

» Internet activity: Cache, logs, cookies

» Accounts: Online communication facilities

» Images: Person, products, fakes

» Software: Mass mailers, text/image/PDF generators

» Financial information: Accounts, banking


Information according to crimes

▪ Violence: Child abuse/pornography, domest. violence, death

» Images, especially hidden ones, and videos

» Date and time stamps

» Internet activity: Cache, logs, cookies, access time, searches

» Software: Communication, photo, P2P

» Address information and communication: E-Mails, chats, tel.

» Documents: Legal, medical


Information according to crimes

▪ Identity theft

» Personal information: Name, address, credit card, …

» Communication: Especially copies of other person's, obtaining/buying information online

» Software: Generators (names, credit card numbers), imaging (scanner, photo modification)

» Images: Certificates, forms, signatures

» Documents: Forms, letters, orders, …

» Electronic signatures

» Internet activity: Cache, logs, searches


Information according to crimes

▪ Copyright

» Software: P2P, CD/DVD-burning, encryption, recoding, key generators, cracks

» Documents: Serial numbers, authorization information

» Internet activity: Cache, logs, searches, cookies

» Images: Covers, license forms

» Communication information: E-Mail, chat

» Accounts: Web-Sites, FTP, shops

» Date and time stamps


Employee issues

▪ Pornography surfing, time-wasting, …

» Internet activity: Cache, logs, searches, cookies

› Special problem: Streaming media. Only the URL is left; the content might have changed since; security measures prevent downloading, …

» Images: Undesirable content

» Communication information: Chat

» Date and time stamps

» Logs: Firewall, Web-proxy

▪ Administrator IT abuse

» Logs: Servers, firewalls, proxies, routers

» Data: Additional data stored somewhere

» Programs: New services (FTP, webserver, …)

» Databases: DBs


Signs for an attack


Common signs to look for

▪ Additional users?

» All new accounts are suspicious: Why are they there? Who created them? Automatically through software installation?

» Administrative/high rights or any other special permissions?

» When were they created? Was the Administrator active/logged in at that point in time?

» Passwords modified (not: the user changed it and it doesn’t work)?

› Or empty passwords?

» Additional permissions of existing users (promoted to admin)?

▪ Additional processes?

» Might be hard to detect, as especially Windows runs many processes in the background for the OS itself.

» What are they doing: Network connections/listening?

» What executables are they based on?


Common signs to look for

▪ Suspicious webserver data?

» Because a webserver is almost everywhere and typically accessible anonymously!

» Especially the error logs: Signs of attacks

» Especially the access logs: Scripts previously not executed/URLs not retrieved or not existing

» Signs for SQL injection, shellcode etc?

» Additional files/directories in the webserver location?

▪ Security software alerts?

» IDS/IPS/firewall/… alerts (Attention: False positives!)?

» rkhunter, chkrootkit, …?

» Full antivirus scan shows something?

▪ Strange permissions?

» Multiple root users, permissions differently from above/below
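The questions under "Additional users?" and "Strange permissions?" above can be answered mechanically from a copy of /etc/passwd and /etc/shadow taken from the disk image. The following Python script is an added example (not part of the original slides) that flags a second UID 0 account, empty password fields, accounts whose password was set shortly before the examination, odd home directories and system accounts with an interactive shell. The two files embedded in it are constructed samples; the list of home-directory prefixes and shells is an assumption to adapt per system, and the "recent" threshold is measured in the same unit as the third shadow field (days since the epoch):

```python
# Constructed sample files (not from a real system): copies of /etc/passwd and
# /etc/shadow read from a disk image, never through the suspect's own binaries.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/sh
backup2:x:1001:1001::/home/backup2:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$hashhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
alice:$6$salt2$hash2:15100:0:99999:7:::
sysadm:$6$salt3$hash3:15160:0:99999:7:::
backup2::15161:0:99999:7:::
"""

# Assumptions: what counts as a normal home location and as an interactive shell.
KNOWN_HOME_PREFIXES = ("/home/", "/root", "/var/", "/usr/", "/srv/", "/nonexistent")
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash"}
LOCKED_HASHES = {"*", "!", "!!"}


def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text, today_days, recent_days=30):
    """Return sorted (user, reason) pairs that need an explanation.

    today_days: examination date as days since the epoch, the unit of the
    third /etc/shadow field (date of last password change).
    """
    findings = set()
    shadow = {fields[0]: fields for fields in parse_colon_file(shadow_text)}
    for user, _pw, uid, _gid, _gecos, home, shell in parse_colon_file(passwd_text):
        if uid == "0" and user != "root":
            findings.add((user, "uid0"))                     # a second root account
        if not home.startswith(KNOWN_HOME_PREFIXES):
            findings.add((user, "odd-home"))                 # e.g. /tmp
        if 0 < int(uid) < 1000 and shell in INTERACTIVE_SHELLS:
            findings.add((user, "system-account-with-shell"))
        entry = shadow.get(user)
        if entry is None:
            findings.add((user, "no-shadow-entry"))
            continue
        pw_hash, last_change = entry[1], entry[2]
        if pw_hash == "":
            findings.add((user, "empty-password"))           # login without any password
        if (pw_hash not in LOCKED_HASHES and last_change.isdigit()
                and today_days - int(last_change) <= recent_days):
            findings.add((user, "recent"))                   # created/changed just before the incident?
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in audit_accounts(PASSWD, SHADOW, today_days=15161):
        print(f"{user:10} {reason}")
```

The "recent" flag only tells you when the password was last set, not who set it; the next step is to correlate that day with the administrator's logins (wtmp, auth log) as the slide suggests. Run this against the image, never on the live system: `cat`, `ls` and `id` on a compromised host may have been replaced.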


Common signs to look for

▪ Log modifications?

» Logging deactivated (partially)?

» Missing log files/log archives?

» Temporal “holes” in log files (no entries for some time)

» Additional software installed/login events/…?

▪ Temporary files?

» Anything new in /tmp, C:\Temp, C:\Windows\Temp, …which does not look like the normal files there?

» Linux: Any kind of source code?

» Windows: Executables/DLLs?

» Delete everything and reboot → still empty / only the expected files?

▪ Databases: injected data?

» Fulltext search for injected JavaScript, SQL code, HTML …?
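The checks on the previous slides for "Suspicious webserver data?" (SQL injection, shellcode, URLs never retrieved before) and for "Log modifications?" (temporal holes) are easy to automate over copies of the logs. The following Python script is an added example (not part of the original slides): it triages Apache access-log lines against a baseline of known paths and a few attack patterns, and reports gaps in a syslog file longer than a chosen threshold. All log lines are constructed samples; the pattern list and the 30-minute gap threshold are assumptions that depend on the system's normal activity.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines (Apache "combined" format and syslog); not real traffic.
ACCESS_LOG = """\
203.0.113.5 - - [05/Jul/2011:13:01:02 +0200] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2011:13:01:09 +0200] "GET /products.php?id=7 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2011:13:02:41 +0200] "GET /products.php?id=7%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 200 1880 "-" "sqlmap/1.0"
198.51.100.9 - - [05/Jul/2011:13:02:55 +0200] "GET /cgi-bin/test.cgi?x=%90%90%90%90%90%90%90%90%90%90%90%90 HTTP/1.1" 500 312 "-" "-"
198.51.100.9 - - [05/Jul/2011:13:03:10 +0200] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 88 "-" "-"
"""

SYSLOG = """\
Jul  5 12:58:01 mail CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Jul  5 13:00:12 mail sshd[1300]: Accepted password for alice from 203.0.113.5 port 51022 ssh2
Jul  5 13:58:01 mail CRON[1402]: (root) CMD (run-parts /etc/cron.hourly)
Jul  5 13:59:30 mail sshd[1500]: Accepted password for root from 198.51.100.9 port 40110 ssh2
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: a small pattern list; a real triage uses a maintained signature set.
SQLI_RE = re.compile(r"union\s+select|'\s*(?:or|and)\s|--\s*$|/\*|\bsleep\s*\(|\bbenchmark\s*\(", re.I)
NOP_SLED_RE = re.compile(r"(?:%90){8,}|\x90{8,}", re.I)     # run of x86 NOPs, raw or decoded
COMMAND_PARAM_RE = re.compile(r"(?:^|[?&])(?:cmd|exec|command)=", re.I)


def scan_access_log(text, known_paths):
    """Return {line_no: sorted reasons} for requests an examiner should look at."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            hits[number] = ["unparseable"]
            continue
        raw = match.group("target")
        path, _, query = raw.partition("?")
        decoded = unquote(raw)
        reasons = []
        if path not in known_paths:                   # script never executed before?
            reasons.append("path-not-in-baseline")
        if SQLI_RE.search(decoded):
            reasons.append("sql-injection-pattern")
        if NOP_SLED_RE.search(raw) or NOP_SLED_RE.search(decoded):
            reasons.append("nop-sled")
        if COMMAND_PARAM_RE.search(unquote(query)):
            reasons.append("command-parameter")
        if match.group("status").startswith("5"):     # error log will have more
            reasons.append("server-error")
        if reasons:
            hits[number] = sorted(reasons)
    return hits


def parse_syslog_time(line, year):
    """Syslog lines carry no year; it has to be supplied from the file's metadata."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def find_gaps(text, year, max_gap_minutes=30):
    """Return (start, end) pairs between which nothing was logged for longer than the threshold."""
    stamps = [parse_syslog_time(line, year) for line in text.splitlines() if line.strip()]
    limit = timedelta(minutes=max_gap_minutes)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > limit]


if __name__ == "__main__":
    for number, reasons in scan_access_log(ACCESS_LOG, {"/index.php", "/products.php"}).items():
        print(f"access log line {number}: {', '.join(reasons)}")
    for start, end in find_gaps(SYSLOG, 2011):
        print(f"syslog: nothing between {start} and {end}")
```

In the sample the syslog hole covers exactly the minutes in which the web attack happened, which is the pattern the slide describes: an attacker who deletes selected lines leaves a silence that the hourly cron entries bracket. The threshold has to come from the system's own rhythm (a box that logs every second makes a five-minute hole suspicious; a quiet box does not), and log lines themselves are attacker-controlled input, so treat the findings as leads rather than proof.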


Common signs to look for

▪ Suspicious activities of users?

› Depends heavily on what users are expected to do: Mail store only, or developing software?

» Linux (shell history!): sudo, nc, ssh, scp, ftp, telnet, ?sh, chmod, chown, useradd, ln, mkdir, …

» Windows: Downloaded executables, frequent logins/logouts, started programs, …

» Any other logins: SSH, sftp, WebDAV, …?

» Web applications: Who logged in when (esp. admin!)?

▪ Indirectly: Software release state → updates available?

» Any known unpatched security problems?


Problems of CF


Technical problems of CF

▪ Anything done to a system changes it

» Especially problematic for running systems

» Usually less of a problem for hard disks

› Reading data might change the content microscopically…; and merely powering the disk on updates its SMART attributes (!)

▪ You can never trust the system under investigation

» It may be hacked, modified by the owner etc.

▪ Proving you did not change anything is difficult

» You must be "above suspicion" and take precautions → a documented process!

▪ The past can never be known

» We can only find hints what might have possibly been

› The content could have been manufactured by someone!

› This can be pretty good evidence, but no absolute proof

▪ Not everyone knows everything

» Every forensic examination is limited by the examiner!


Systematic problems of CF

▪ Identifying the attacker: IP addresses are often the only traces of “hacking”; commonly they cannot be identified

» No information available anymore

» Used a proxy (=other hacked computer; commercial proxy service) without any logs on that one

▪ Finding traces: If the attacker is good, once he has compromised the system he can hide his tracks very well

» Note: It is very easy to forget something, but you can hide almost every trace!

› Exceptions: Already backed up, external systems (network sniffers/IDS on another system not yet hacked, …)

▪ Note: Many investigations are successful

» E.g. child pornography is difficult to hide and still "use"

» The attacker must not forget to perform all security precautions even once

› And when he does, he won't immediately notice that he forgot!


Bias of the investigator

▪ Very dangerous; must be held back as far as possible

» To avoid it completely is probably impossible for a human …

▪ Dangers:

» Limitation of investigation

› “This can’t be found here”, “I’m sure this didn’t happen”, …

» Limitation of interpretation

› You find a picture of a naked child: Is it child pornography in the legal sense? Or just a picture of your newborn child?

» Limitation of certainty

› “Obviously this was the reason”

▪ Common: Confirming a theory instead of disproving it

» Therefore: Explicitly look for things which would invalidate your current assumption

› E.g. "File was copied; if so, then the MAC times should …" Are they?


Distributed data

▪ Today much data is not stored on "the" PC anymore

» Cloud Computing (e.g. Amazon Simple Storage Service; S3)

» Webmail accounts: Send mail to yourself, or create a draft

» “Online hard disks"

› Example: Sharehosters, Dropbox/OneDrive and similar services

» VPN networks to other systems

› One more computer somewhere…

▪ Getting a copy of one system is often not enough today!

» Find traces of the existence of remote information

» Find traces of the remote information itself

› Caches, paging file, file slack, local copies, …

» Try to access this remote information

› By seizure, copying, access over the network, getting the service to send the data back…

» Try to find authentication data for remote services

› Passwords, access tokens, cookies etc.


(De-)Duplication

▪ Data often exists in numerous copies

» Installation package and installed version

» Temporary files, old versions

» Quoted content (E-Mail sequences!)

» Full copies in different locations

› E-Mail with CC/BCC, local file vs. stored on server (“Windows offline files”)

» Backups, shadow copies, restore points

▪ De-duplication can significantly reduce work/duration

▪ Potential problems:

» When is something a duplicate?

› Is a quoted mail one? Or is it something different?

» Which is the “original” (if we care about this)?

» How to exclude the duplicates?

» How to still keep (cross-)references to the duplicates?


Computer forensics vs. encryption

▪ Encryption is becoming an increasing problem

» Many services are now moved to the cloud (=no physical access, so no brute force attack possible)

» Many services now use secure encryption

▪ Generally: More encryption, better encryption algorithms (not mathematically, but what is actually used!), better passwords used by users

▪ Problematic example: Apple MacBook

» Single USB-C port → no memory dump

» Memory chips are soldered on

» FileVault turned on by default (>= OS X 10.10 “Yosemite”)

» But: Automatic backup to iCloud

› Can be disabled

› Does not contain full disk, only selected data


Computer forensics vs. encryption

▪ CF does work, but doesn't bring usable results if the data dis-/recovered is encrypted

» Depends strongly on the kind of encryption!

▪ For some SW decryption programs are readily available

» Especially the (old) integrated encryption of MS Office and Zip!

» Sometimes based on weaknesses, short keys, or key copies

› But otherwise just brute force attacks: High computing power, special software, and a long time may be necessary!

» Sometimes passwords are not meant to be secure, but rather to prevent accidents (e.g. backup passwords)

▪ Especially problematic: Hardware

» Tokens, self-encrypting hard disks, smartcards etc.

› Extracting the key is typically impossible or requires an enormous amount of effort; note that the key/password might (temporarily) exist also somewhere else, e.g. in main memory


Computer forensics vs. encryption

▪ When really good encryption is used, there is almost no chance of decryption without the key (or brute forcing it)

» One of the reasons for hidden searches: Get at the data before/after it has been en-/decrypted!

» But: Very often passwords are known words (→ word lists!), are written down somewhere, stored in a safe, …

› Important to search the environment for any clues!

» See also the importance of copying the memory

› Either the password is still present (very bad implementation) or at least the cryptographic key (necessary to work)

» “Cryptographic containers” that are not in use → Try to find traces of the password/key or hashed passwords for cracking!

› Breaking password hashes is therefore an important part of CF

› Brute forcing the password has fair chances of being successful (depends on the security of the password)


Computer forensics vs. encryption

▪ Austrian Cybercrime Competence Center

» Hardware-supported password cracking available: Hash values and symmetric encryption; no asymmetric encryption

› Additionally: Heuristics to detect the algorithm used for encryption

› Slow: CPU, Fast: GPU, Fastest: FPGA

› They do have a few cards with multiple FPGAs for cracking

» Requirements for password cracking requests:

› Kind of data: Container, file, pcap, hash value

› Algorithm used

› Optional: Length of password; does it have a salt?

› Optional: Other passwords of this user or parts of them

› Optional: Probable passwords as well as additional information on the user (date of birth, name, personal information like soccer club etc)

› Optional: Other data to create word lists, especially memory dumps

Hibernation file(s), swap file


Kinds of encrypted data

▪ BIOS: Boot password verified in BIOS before even touching any disk → extremely secure

» But only when combined with a TPM (otherwise the disk can simply be removed and read elsewhere)!

▪ Disks: Full disk encryption. Typically requires brute-force attack (unlikely) or a RAM dump (difficult)

▪ Registry: Passwords etc. Requires additional data or brute force attacks

» Some elements can also be simply replaced (=overwrite)

▪ Hashed passwords: Brute force attacks

» Unless you are lucky and a very bad implementation is used

▪ Cloud: Requires password or token

» Brute force typically not possible! “Commonly” supported: iCloud, Dropbox, MS OneDrive

▪ Mobile devices: Logical/physical extraction, JTAG, chip-off

Data hiding methods: Storage

▪ Numerous approaches to hide data exist:

» Through the operating system

› Mark as "hidden", "system", ...; use ADS; “dot-files”

» Renaming/changing the file extension: "order.txt" → "cmd.com"

» RAM slack: End of file → end of sector

» File slack: End of file → end of cluster

» Partition slack: End of partition → end of track

» Disk slack: End of last partition → end of disk

» Unallocated/bad/reserved sectors

» Delete file/partition; format disk

» Steganography

» Encryption: Not really hidden, but “unusable”

› But see: Hidden containers

» Put in the middle of enormous amount of data
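Two of the methods listed above, renaming a file to a misleading extension and parking data in slack space, are the ones an examiner meets most often, and both are easy to check for. The following Python script is an added example (not part of the original slides): it compares what a file's extension claims with what its first bytes say, and computes how many bytes of RAM slack and file slack a file of a given size leaves (here RAM slack is the part up to the sector boundary and file slack the rest up to the cluster boundary, so both together are the slide's "end of file → end of cluster"). The signature and extension tables are short illustrative assumptions, not a complete signature database, and the sector/cluster sizes are parameters:

```python
import os

# Content signatures ("magic bytes") for a few common types. Illustrative only;
# a real examination uses a full signature database.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
]

# What an extension claims the content to be (assumption: a small table).
EXTENSION_CLAIMS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".exe": "pe", ".dll": "pe", ".txt": "text",
}


def identify(header):
    """Classify a file by its leading bytes; printable ASCII counts as text."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    if header and all(32 <= b < 127 or b in (9, 10, 13) for b in header):
        return "text"
    return "unknown"


def check_name(filename, header):
    """Return (claimed, actual, suspicious).

    Suspicious means the content has a recognised header that the extension
    does not announce: a JPEG named .bin, an ELF named .txt. Content we cannot
    identify is left alone; a .com file, for instance, has no magic at all.
    """
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = identify(header)
    return claimed, actual, actual != "unknown" and claimed != actual


def slack_regions(file_size, sector_size=512, cluster_size=4096):
    """Bytes of RAM slack and file slack for a file of file_size bytes.

    RAM slack: end of file to end of its last sector (historically filled with
    whatever was in memory, zero-filled by modern systems). File slack: end of
    that sector to end of the last cluster, left untouched from whatever was
    there before. Both lie outside the file and are where hidden data can sit.
    """
    if file_size == 0:                 # no cluster allocated
        return 0, 0
    end_of_sector = -(-file_size // sector_size) * sector_size      # ceiling division
    end_of_cluster = -(-file_size // cluster_size) * cluster_size
    return end_of_sector - file_size, end_of_cluster - end_of_sector


if __name__ == "__main__":
    # constructed sample headers
    for name, header in [("holiday.bin", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
                         ("notes.txt", b"\x7fELF\x02\x01\x01\x00")]:
        print(name, check_name(name, header))
    print("slack of a 5000-byte file:", slack_regions(5000))
```

Mismatch checks are cheap enough to run over every file in an image, which is why they belong in the "techniques used to hide data" part of the final report. The slack figures tell you how much data a given file could carry: on 4 KiB clusters a file of 5000 bytes leaves 3192 bytes that normal tools never show.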


Data hiding: Common problems

▪ Several methods are "unstable“

» Later actions might (or will) destroy the data

▪ Many approaches require special programs

» These must be stored somewhere

» “Manually” doing it is only very rarely possible

▪ Hiding data still results in changes

» Two images: One before, one after

» “Explain the difference!” This is not part of a file, so why has some unused area on the disk changed?

▪ If the method is known, its use might be easily proven

» Which then will need some explanation

› “Knowledge of illegality”

▪ Raw searches uncover it trivially → Encryption necessary


Data hiding: Communication

▪ Numerous approaches to hide data exist:

» Employ unused flags in headers

» Use extensions/additional headers

› Typically integrated for compatibility with future versions!

» Use a different channel, e.g. DNS for surfing the web

› Queries contain the requests, answers the responses; additional splitting into “packets” may be necessary

» Reordering, e.g. HTTP headers

› Very nice, as there is no “standard” sequence – but e.g. browser software A will always use a certain sequence

» Delays, jitter, errors: Artificially introduced can also convey data

» LSB of voice/video communication

» Book cipher: Replace information according to a predetermined schedule (e.g. personal ad „Selling oranges cheap“ could mean „Buy Apple shares“ or „Attack tomorrow“)


What is “Steganography”?

▪ Steganography: Hiding messages within normal data

» Intention: There is no sign that data exists at all

▪ Typical "recipients": graphics, HTML, text, executables

» Common problem: Only a small part of the content data can be used for hiding information → large "cover" for little “secrets"!

▪ Areas of use:

» Where encryption is illegal

» When the fact of communication itself should be hidden

▪ First encrypt, then employ steganography

» Makes detection through statistics much harder!

▪ Relation to computer forensics:

» Hiding data in "inaccessible" places is steganography too

» Examples: Various slack spaces, alternate data streams

› Rather easy to uncover, if the presence is known!


Problems of Steganography

▪ Not very resilient:

» Data hidden in images is easily destroyed through recoding

» Text can be reformatted

▪ Not all base data is suitable:

» Many files are exactly "known": E.g. OS files cannot be used to hide data within them

› See also the problems caused by signed code!

▪ Complicated to use: Additional tools necessary

» These can be found on the computer, disks, USB sticks, …

› But need not necessarily be installed!

▪ Large pieces of seemingly “useful” base material needed

» This is not always available or is a hint to hidden data

▪ Requires a high level of knowledge to be "good"

» Free tools are available, but these are often easily detected!


CF vs. Steganography

▪ In practice, Steganography seems to be rather rare

» There are much easier methods for hidden communication!

› E.g. the personal ad columns with certain pre-defined texts

› If the text to hide is very long (or multiple pictures, videos), steganography is problematic even today

» Use obscure service/username & hope not to attract attention

▪ Still, looking for hints that it has been applied should be part of every major investigation

» Are there any traces of Steganography programs?

» Is there suspicious data?

▪ Brute force attacks, e.g. using steganalysis programs on all images on a computer, are probably less useful

» Requires a long time and it is very improbable to find anything

› Mostly the programs only "support" specific tools for hiding!

▪ If the original is known, a simple comparison suffices


Common errors of a CF process

Common errors of a CF process

▪ No incident response plan

» At some time an incident will happen. If there are no plans what to do in which sequence, most probably the wrong things will be done!

» Requirements:

› Who should be alarmed when

› Rules for escalation

› Guidelines for quickly assessing the problem (without changing anything!)

› Should be clearly documented and available without the system, i.e. ideally on paper!

▪ Underestimation of the incident

» Third parties or other systems might also be affected

› Example: Laptop was stolen → Data on the laptop is “gone”. But: Is remote access to company servers possible with it?


Common errors of a CF process

▪ Delayed detection of an incident or response to it

» E.g. the earlier the disks are copied, the more information will still be present

» Reduction of the time the attacker has for performing changes or hiding his tracks

› As soon as it is definite that an incident occurred → “full alarm”!

› Keep any “preliminary” investigations for later & for experts

▪ Management is informed late or incompletely

» External investigations might be costly: The management needs full information (as far as available)

» Responsible for business continuity/contingency measures outside of the IT area

» Decision on whether to involve the police or through whom

» Special measures might be necessary → Must be authorized


Common errors of a CF process

▪ Incomplete documentation of activities

» Chain of Custody (see before)

» But also for other (non-IT) measures

› Might be extremely important in the legal area: Did you do everything (or: enough) to reduce the damage? (Insurance!)

› Did you do enough to prevent damage to third parties? (Liability!)

» If no documentation exists, going to court might still be an option later (although with less valuable evidence)

▪ Digital evidence is protected inadequately

» If the option for a court proceeding should remain open, very strict standards for access to relevant data are necessary

› Checksums for everything!

» Evidence should be stored on read-only devices (today’s hard disk sizes typ. prevent this!), offline, and physically secured
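"Checksums for everything" (and the earlier reminder "hash value, read-only, store on other disk") means computing the hash at acquisition time, keeping the list of hashes apart from the evidence, and re-checking before every use. The following Python script is an added example (not part of the original slides) of such a manifest in the `sha256sum` layout, with a verification step that reports every file whose content no longer matches; the evidence files it creates in a temporary directory are constructed samples:

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """{path: sha256} for every evidence file, computed once, at acquisition."""
    return {path: sha256_file(path) for path in sorted(paths)}


def write_manifest(manifest, manifest_path):
    with open(manifest_path, "w") as fh:
        for path, digest in manifest.items():
            fh.write(f"{digest}  {path}\n")        # same layout as `sha256sum`, so `sha256sum -c` works too


def verify_manifest(manifest_path):
    """Re-hash everything listed; return the paths that are missing or changed."""
    mismatches = []
    with open(manifest_path) as fh:
        for line in fh:
            digest, _, path = line.rstrip("\n").partition("  ")
            if not os.path.exists(path) or sha256_file(path) != digest:
                mismatches.append(path)
    return mismatches


def demo():
    """Constructed evidence set: hash it, verify, then alter one file and verify again."""
    with tempfile.TemporaryDirectory() as directory:
        image = os.path.join(directory, "disk0.dd")
        log = os.path.join(directory, "log.txt")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 64)
        with open(log, "wb") as fh:
            fh.write(b"Script started on Tue 05 Jul 2011 01:24:32 PM CEST\n")
        manifest_path = os.path.join(directory, "MANIFEST.sha256")
        write_manifest(build_manifest([image, log]), manifest_path)
        before = verify_manifest(manifest_path)
        with open(log, "ab") as fh:                    # "someone" edits the evidence
            fh.write(b"extra line\n")
        after = verify_manifest(manifest_path)
        return before, [os.path.basename(path) for path in after]


if __name__ == "__main__":
    print(demo())
```

The manifest proves nothing if it lives next to the evidence on a writable disk: whoever can alter a file can recompute its hash. Print it into the paper protocol, sign it, or keep it on the offline medium the slide asks for, and record who verified it when.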


Common practical mistakes

▪ Quickly entering some commands to find the problem

» This will change timestamps, add data, destroy data etc.

» These executables might have been modified by an attacker!

▪ Using graphical tools

» This is no problem as such, but graphical tools require lots of libraries and typically do many things in addition (e.g. active desktop showing webpages, logging activities/MRU lists)

▪ Killing suspicious processes

» As long as it is running, we might observe it and copy its RAM

▪ Entering commands without a protocol

» We will later not be able to identify which results occurred as side-effects of the command we entered!

▪ Installing additional software (for recovery, investigation, …)

» Destroys a lot of data, is potentially useless


Common practical mistakes

▪ Writing protocols on the disk under investigation

» Will again destroy data; potentially modified by malware

▪ Waiting for the problem to solve itself

» Attackers are unlikely to go away on their own….

▪ Immediately pulling the plug of everything in reach

» Documenting the current state and acquiring live data is typically preferable; the losses in the meantime are probably small

▪ Repairing the system/blocking connections on firewall/…

» It works again, but is the door for the intrusion closed?

» Tips off the intruder; some observation can be useful


Common practical mistakes

▪ Damaged devices/data is not documented as such

» If something is physically damaged → Document it (photo, log)

» If data turns out to be damaged: Document that (and when/how) this was identified

» Very important for potential liability: “The investigator destroyed/damaged it”

▪ Some things are not that easy to decide → Support of management for decisions (judged as incorrect only afterwards!) is necessary!


Report on investigations


Final report: General information

▪ Identity of the examiner

▪ Identification of the case, e.g. case numbers

» Who commissioned the report?

▪ Subject of examination

» List of and serial numbers of disks/components/…

» Source of the equipment

› Personally taken from the suspect, received from police/court etc.

▪ Procedural history

» When was what piece of evidence received, examined, passed on, reported upon, …

› Chain of custody!

» Description of the examination: Who did what, when, and in which way

› Which techniques were used; state of the art?


Final report: General information

▪ Results and conclusions

» Facts (see next slide): What was found

» Conclusions: What can be derived from that?

› These must follow to a very high degree and must state their assumptions!

Example: Time of computer matches "real" time, file access date is 10.11.12 (facts) → File was accessed at that time

• Note: Changing the clock, who used the computer, network connections, …?

• The date format itself is ambiguous: 10.11.12 → 2010 or 2012? October or November? State the convention used!

› Includes a reliability assessment:

Not necessarily with a percentage, but it should have one if possible!

"Might perhaps be", e.g. 10%

"Almost assuredly", e.g. 99.999%

» What was not investigated?

› But might be interesting

› Reason for this "omission"

› What therefore cannot be deduced from the things investigated

› What could be in there and what could never (?) be in there

Final report: Content

▪ Summary of findings (non-technical language!)

▪ Detailed findings:

» Specific files matching the search

› And other files supporting the findings

» String searches, keywords searches, and text string searches

» Internet-evidence: Web traffic analysis, chat logs, cache files, E-Mail, newsgroup activity, ICQ/Skype/… activity

» Graphic image analysis

» Ownership status of all files found

› Who of the users owned them/when were they created/accessed

» Techniques used to hide data or limit access to it

› Steganography, encryption, hidden attributes/partitions/streams

› Incorrect file names (e.g. JPEG files with ".bin" extension)

▪ Annex: Printouts, digital copies, documentation


Confidence levels

▪ Any conclusions should contain a reliability assessment

» There is always some uncertainty…

» But: Didn’t we want to find out the truth, the whole truth and nothing but the truth?

› Yes, but the world is imperfect (and money often limited ☺!)

▪ Informal categories:

» Possibly (Eventuell)

» Perhaps/Very possibly (Vielleicht)

» Probably (Wahrscheinlich)

» Most probably (Sehr wahrscheinlich)

» Almost definitely (Mit an Sicherheit grenzender Wahrscheinlichkeit)

» Definitely (Mit Sicherheit): This category is absent!


Confidence levels: Casey’s C-Scale


Certainty level (Qualification): Description/Indicators

» C0 (Erroneous/Incorrect): Evidence contradicts “known” facts.

» C1 (Highly uncertain): Evidence is highly questionable.

» C2 (Somewhat uncertain): Only one source of evidence that is not protected against tampering.

» C3 (Possible): The source(s) of evidence are more difficult to tamper with, but there is not enough evidence to support a firm conclusion or there are unexplained inconsistencies in the available evidence.

» C4 (Probable): Evidence is protected against tampering, or multiple independent sources of evidence agree (which are not protected against tampering).

» C5 (Almost certain): Agreement of evidence from multiple independent sources that are protected against tampering. However, small uncertainties exist (e.g. temporal error, data loss).

» C6 (Certain): The evidence is tamper-proof and unquestionable. No other explanation is possible at all.

Source: Casey, Eoghan: Digital Evidence and Computer Crime, 2nd ed., London 2004, p. 175


Examples: CF investig. guidelines

▪ OLAF: European Anti-Fraud Office

▪ OLAF carries out external investigations. Part of the investigation procedure includes collecting data, which can be in paper-based, digital or electronic format. The aim of this leaflet is to give basic information about OLAF's computer forensic procedure, which relates to the collection of digital or electronic data.

▪ At the onset, OLAF will inform you of the purpose and the legal basis of the investigation and provide you with a copy of the Investigation Authority.

▪ An experienced computer forensic examiner (CFE) using specialised tools will:

1. explain to you the steps involved and may request the assistance of your IT staff;

2. identify the data carriers/devices and take photographs to provide documentary evidence of their physical surroundings and layout;

3. produce an inventory of the hardware components which could hold the data, such as laptop or computer hard disks or external disks, hard disks of servers, back-up data carriers (tapes, DVDs, CDs etc), USB memory devices, external drives, pocket PCs, smart phone, analyses of network activity;

4. create a forensic disk image of the entire contents of the data carrier which becomes a "forensic evidence file", available if required for court or other proceedings. Each image has a unique "hash" value, which makes it possible to check if a copy is identical. The collected data will remain on the "forensic evidence file" and cannot physically be erased, or removed from the forensic log files. This ensures the integrity of the data and part imaging is not possible.

Source: http://ec.europa.eu/anti_fraud/documents/forensics-leaflet/external_en.pdf


Examples: CF investig. guidelines

5. The CFE will ask you to sign the Computer Forensic Operation Report, which records each step of the OLAF computer forensic procedure. This report forms part of OLAF's investigation file.

6. You will receive a copy of the report, which includes your rights as a data subject.

▪ The forensic disk image is then registered and secured in OLAF's premises. The CFE works on a forensic working copy.

▪ As part of the investigation process, OLAF examines the data in the forensic working copy in its secure forensic laboratory using specialised computer forensic software and hardware to make the searched data readable.

▪ Automated processes and searches, for example by keywords, are used to identify case relevant data, which will be extracted and placed in the OLAF investigation file.

▪ Your data will be stored for a maximum of 20 years after the end of the investigation and follow-up and then destroyed.
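The hash check from step 4 of the leaflet and the chain-of-custody record from the "Procedural history" slide, as an added example that is neither the slides' nor OLAF's own code: it hashes a forensic image in chunks, appends a custody entry, and verifies a working copy against the recorded hash before examination, flagging even a single altered byte. The file names, case number and examiner name are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so multi-GB images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log_path, image_path, examiner, action, case_id):
    """Append one custody entry (who, what, which image, when, hash) as a JSON line."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id, "examiner": examiner, "action": action,
        "image": str(image_path), "sha256": hash_file(image_path),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_working_copy(log_path, copy_path):
    """Compare a working copy with the hash recorded at acquisition.
    Returns (matches, recorded, actual); on mismatch the copy must not be examined."""
    with open(log_path) as log:
        entries = [json.loads(line) for line in log]
    acquired = next(e for e in entries if e["action"] == "acquired")
    actual = hash_file(copy_path)
    return actual == acquired["sha256"], acquired["sha256"], actual

def run_demo():
    """Constructed scenario: image, copy, verify, then flip one byte in the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        names = ("disk01.dd", "disk01_working.dd", "custody.jsonl")
        image, copy, log = (Path(tmp) / n for n in names)
        image.write_bytes(b"\x00" * 4096 + b"constructed sector data " * 100)
        record_custody(log, image, "examiner A (hypothetical)", "acquired", "CASE-0001")
        copy.write_bytes(image.read_bytes())  # the forensic working copy
        ok_before, _, _ = verify_working_copy(log, copy)
        data = bytearray(copy.read_bytes())
        data[4096] ^= 0x01  # simulate a single altered byte in the copy
        copy.write_bytes(data)
        ok_after, _, _ = verify_working_copy(log, copy)
        return ok_before, ok_after
```

`run_demo()` returns `(True, False)`: the untouched copy verifies, the altered one does not, and the custody log keeps the hash that proves which state was original.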

Source: http://ec.europa.eu/anti_fraud/documents/forensics-leaflet/external_en.pdf


Examples: CF investig. guidelines

▪ European Investment Bank Group (EIB)….

3. Computer forensic procedures in case OLAF does not intervene

3.1 Setting of achievable objectives:

▪ Conducting computer forensic operations and examinations is also an extremely labour-intensive and resourceful job. Considering that complexity and the scarcity of forensic computing resources, choices needed to make such operations more efficient and more operationally effective, involve the following planning:

1. Be specific about the added value of a forensic operation. Where, how and when can forensic examiners assist this investigation? Is it necessary?

2. Set achievable objectives beforehand. Investigators should accurately outline the scope of the envisaged operation at the preparatory stage. During the operation, further selective data capturing may be necessary. Live data examination where possible may help target the scope of the operation.

3. Realise objectives set i.e. the operation must be feasible with the resources that are available.

4. Timely achievement of objectives set. Ensure that deadlines are met in time, to avoid jeopardising the whole operation e.g. expiry of the legal time limit.

5. Measure the outcome of a data acquisition or seizure e.g. that relevant material for and against the person was found and reference included in the final case report.

Source: http://www.eib.org/attachments/strategies/anti_fraud_procedures_20130703_en.pdf


Conclusions

▪ Obtaining some information from hard disks is easy

» Ensuring it is complete and usable in courts is difficult!

» There is only a single chance …

▪ A wide variety of hard- and software exists, which must be treated differently and contains various information

» Specialization is needed for in-depth investigation

▪ Huge amount of data on modern devices is a problem

» Try to reduce the scope of investigation

› Lists of "known good" files

» Automate examination

› Keyword searches, deleted file recreation etc.

▪ Expensive software needed

» Some investigation also possible with cheaper tools

» Open source software available partly


Thank you! Questions?


https://www.ins.jku.at


Michael Sonntag

[email protected]

+43 (732) 2468 – 4137

S3 235 (Science park 3, 2nd floor)


Literature

▪ Casey, Eoghan: Digital Evidence and Computer Crime, 2nd ed., London 2004

▪ NIJ Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement. http://www.ojp.usdoj/nij

▪ NIJ Report: Electronic Crime Scene Investigation: A Guide for First Responders. http://www.ojp.usdoj/nij

▪ dns: An introduction to: Computer Forensics. http://www.dns.co.uk/NR/rdonlyres/5ED1542B-6AB5-4CCE-838D-D5F3A4494F46/0/ComputerForensics.pdf

▪ RFC 3227: Guidelines for Evidence Collection and Archiving

▪ Kuhlee/Völzow: Computer Forensik Hacks
