Lecture 2

CSCE 590

Summer 2003

Forensics

• Forensic science is the science exercised on behalf of the law in the just resolution of conflict

• Crime reconstruction is the process of gaining a more complete understanding of a crime using available evidence

• Forensics are only a subset of the Incident Response Process

Incident Response

1. Prepare for incidents

2. Detect incidents

3. Investigate

4. Formulate response strategy

5. Respond

6. Follow up

Prepare for Incidents• Compile incident response/forensic toolkits• Write, publish, and practice incident response

procedures• Increase logging on machines and network• Backups• Cryptographic checksums• Patching, hardening, NTP• Banners• Network measures – IDS, access control/firewalls,

document topologies, encryption, authentication• User education

Preparation:Policies and procedures

• Risk analysis• Determine response stance

– Ignore incident – reinstall and go– Surveillance and counterintelligence data collection– Full investigation and prosecution

• Issues for response stance– Business issues (publicity? Expensive investigation?)– Legal issues (employee privacy?)– Political issues (CEO surfin’ porn)– Technical capabilities

Preparation:Policies and procedures

• Policies that allow you to fully investigate instead of relying on default law– Trap and trace on your network– Full content monitoring of traffic– Search and review employee machine– Coordinating with upstream sites

• Consent of user – AUPs– Employee vs. intruder consent

• Stored communications vs. intercepted communications• The textbook was published in 2001! Beware!

Detect Incidents

• Intrusion detection systems• Unusual activity• User notice suspicious activity• Someone reports it (defacements or

complaints)• Other logs – system logs, firewall logs, anti-

virus• Periodic audits

Investigate

• Who, what, where, when, how, maybe why

• Initial incident response:– Focuses on verification of an incident – Gathers evidence for later analysis – Issues: recovery and downtime – Triage to prevent further incidents– Mostly non-law enforcement involved at this

point

Response

• Formulate response strategy – many factors may be taken into consideration, combined with response stance, and management approval

• Respond – investigate, recover, report findings

• Follow up – analyze process, implement new security measures or processes, lessons learned

Investigation Analogy• Knife and bleeding, moaning, body in room found

by staff member • Who do you call first, EMT or police? • How do they work together to preserve evidence

and yet save the life? • If the EMT disturbs the evidence is it still

admissible? • Are EMTs trained in how to preserve evidence? • Real EMTs can see a dead body, computer EMTs

can’t necessarily see it• Sysadmins are trained to keep their systems

running, not to preserve a crime scene

Types of Clues

• Relational: an object is in relation to other objects and how they interact with/to each other. Relational reconstruction can include geographic locations of computers and people and any communication between them.

Types of Clues

• Functional: the way something works or how it was used. How a particular system or application works and how it was configured at the time of the crime. Examining an exact replica to figure out how a rootkit works or an exploit.

Types of Clues

• Temporal: the times related to evidence and events. Timeline of events can identify patterns and gaps or lead to other sources of evidence. Various system clocks and time zones must be taken into account.

Relationships of Source to Evidence

• Production: the source produced the evidence– Email headers

– MAC addresses

• Segment: the source is split into parts and the parts of the whole are scattered. Key is linking fragments to the source– File fragment on a floppy

– A few network packets

Relationships of Source to Evidence

• Alteration: the source is an agent or process that alters or modifies the evidence– Crowbar on a door leaves a characteristic impression

– An exploit leaves impressions on the altered system. But an exploit can be copied and distributed to many offenders and they all leave the same impression

• Location: the source is a point in space. Not so easy to find geographically in the digital realm

Compare and Contrast

• Comparison and significant difference: try to determine pieces of evidence came from the same source by similarities or significant differences

• Decide if differences are significant• Total agreement between evidence and exemplar

can't be practically expected• Want truly significant differences• Differences due to natural variation should be

explained, otherwise the value of the match is diminished

Four Computer Forensic Principles

• Minimize data loss

• Record everything, change nothing

• analyze on copies

• report findings

Evidence Dynamics

• Any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time the evidence is transferred and the time the case is adjudicated

• Forensic examiners rarely get to examine digital evidence in its ‘original state’ and should expect anomalies

Computer Related Evidence Dynamics: Examples

• Offender covering behavior: perpetrator deletes logs and exploit files

• Victim actions: victim deleting emails in distress or embarrassment

• Secondary transfer: someone uses computer after crime and innocently alters or destroys evidence

• Witnesses: a sysadmin could delete suspicious accounts to keep the intruder from using them

• Nature/Weather: magnetic field, static electricity

Computer Related Evidence Dynamics: Examples

• Decomposition: tape decaying over time• Forensic examiners: may by accident or necessity,

relocate, obscure, or obliterate evidence. (Scraping blood sample from a floppy resulting in damage and data loss)

• Emergency response technicians: goal to prevent further damage. Can add artifact-evidence, obliterate patterns, relocate evidence, or cause transfers– Fire damage and resulting water damage– Secure from further misuse or attacks

Difficulties Obtaining Evidence

• Distributed nature of networks and jurisdiction, complex procedures for digital evidence exchange - only practical for serious crimes

• Anonymity and deniability are easy with computers and networks

• Easily deleted or changed- time is of the essence to preserve it - big log files, network traffic, volatile memory

• Requires a wide range of technical expertise

Difficulties Obtaining Evidence

• Huge volumes of data – terabytes?• Decryption without keys • Steganography • Example: Rubberhose project (Marutukku)

– combines encryption and data hiding in a filesystem that makes data recovery and reconstruction very difficult.

– http://www.rubberhose.org/ - The Idiot Savants' Guide to Rubberhose

Preserve the Crime Scene

• Do not write to original media• Do not kill any processes• Do not accidentally touch time stamps• Do not use untrusted tools• Do not change the system before evidence seizure

(power off, patch, update)– Could unplug network cable if necessary

• Interview the people at the crime scene– Especially sys admin or person who found it

Volatile Data Collection• Minimize data loss, record everything, change

nothing. Uh-oh! That’s impossible!• Doing nothing also changes the system!• Do not pull power cord, you risk corrupting non-

volatile data and lose volatile evidence:– Registers and cache contents– Contents of memory – Information about running processes – Network connections – Mounted file systems – Current users– Swap, page, and temporary files

• A computer had explosives rigged to power switch

Collect the Most Volatile Evidence First

• Memory • Swap space or page file • Network status and connections • Processes running • Storage media • Removable media

– Make sure all files are synched on media, processes aren’t using it, etc

• Port scan? – Some backdoors and covert channeling tools log

attempts and the IP address – system change

Record Keeping

• May have to duplicate setup in lab– Cameras

• Explain how you took down the computer• May be called upon to testify – 2 years later

– Notes can be used as a refresher

– Can be admitted as evidence if you can’t remember what you did

– Shows your methods were scientific and unbiased

– Video or audio could show your mistakes in methodology or collection methods or a bias

Chain of Custody

• Establishes continuity of possession and proof of the integrity of handling of the collected evidence

• Helps maintain strict access to it• Each piece of evidence should have a chain of

custody log associated with it:– Tag hard drives separate from the system

– use md5 hashes with electronic files, especially if they are being transferred across electronic medium

Chain of Custody

• Evidence tag: – Date and time it was seized– Case number and item (tag) number of evidence and

any hash numbers– Consent required? If yes – signature of owner– Location and who it was obtained from (owner)– Make, model, and serial number– Name of person who collected the evidence– Description of evidence– Full name and signature of person receiving evidence

The Chain

– Log of people who handle the evidence during investigation

– Record a transaction• Each time it changes possession

• Each time it moves from one media type to another

– What to record• Who it was received from and location it was in

• Date of receipt

• Reason evidence transferred custody

• Who received it and where it was received or located

• Reading for Lectures 2-5: – Mandia/Prosise: Chapters 2-5, 9– Casey: Chapter 2 (in Reading Room)

• Homework 1: Due Monday, June 9, 2003