Subrahmani Babu - walidumar.my.id

Introduction to Computer Forensics. Subrahmani Babu, Scientist-'C', Computer Forensic Laboratory, Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, Govt of India. [email protected]

Posted on 26-Mar-2022 (50 pages)

TRANSCRIPT

Page 1: Subrahmani Babu - walidumar.my.id

Introduction to Computer Forensics

Subrahmani Babu, Scientist-'C', Computer Forensic Laboratory
Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, Govt of India.

[email protected]

Page 2: Subrahmani Babu - walidumar.my.id

Topics to be Covered
• What is Computer Forensics
• Why it is important to the Organization
• Role of First Responder
• Difference b/w Copying and Imaging
• Types of Evidences
• List free Forensic Tools
• Importance of Write blockers
• Demo (if time available)

Page 3: Subrahmani Babu - walidumar.my.id

Definition

Forensics is derived from the Latin word 'Forensis', which means "of or before the forum", as in olden days. It entered the English vocabulary in the 17th century as the term "forensics". (The word forensics means "to bring to the court.")

Source : http://www.computerforensis.com/

Page 4: Subrahmani Babu - walidumar.my.id

Computer Forensics Process

Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts.

Page 5: Subrahmani Babu - walidumar.my.id

Stakeholders in CF

• Victim or Criminal
• First Responder (From Law Enforcement)
• Computer Forensics Expert and
• Judiciary

Page 6: Subrahmani Babu - walidumar.my.id

Why it is important

• Legal action against the criminal based on severity of the incident

• To file a case, we have to preserve the evidence

• It should be admissible in the court of law

Page 7: Subrahmani Babu - walidumar.my.id

Role of First Responders

• Identifying the crime scene
• Protecting the crime scene
• Preserve the Digital Evidence (Volatile & Non Volatile evidence)
• Maintain chain of custody form
• Proper packing & Transport to Lab
• Document Everything (Crime scene details, Hard disk details, etc.)

Page 8: Subrahmani Babu - walidumar.my.id

Role of Forensic Analyst

• Create required Forensic Images of the original suspected media.

• Preserve the Original suspected media
• Maintain chain of custody form
• Examination with Forensic Images
• Use Standards & Procedures
• Use Standard Forensic Tools
• Report Findings
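Slides 7 and 8 both require the chain of custody form to be maintained. The following Python class is an added illustration, not CERT-In's procedure and not a tool from this deck, of what a tamper-evident custody record can look like: every hand-over entry records the media hash the custodian verified at that moment, and each entry's digest covers the previous entry's digest, so an altered or removed entry breaks every digest after it. The exhibit id, custodians, actions and timestamps in the demonstration are constructed; the media hash is the MD5 value shown on slides 20 and 21.

```python
import hashlib
import json


def entry_digest(entry, prev_digest):
    """SHA-256 over the canonical JSON of one entry plus the previous digest."""
    payload = json.dumps(entry, sort_keys=True) + prev_digest
    return hashlib.sha256(payload.encode()).hexdigest()


class CustodyLog:
    """Append-only chain of custody record for one item of media (assumed design)."""

    GENESIS = "0" * 64   # "previous digest" used for the first entry

    def __init__(self, evidence_id):
        self.evidence_id = evidence_id
        self.entries = []  # list of (entry_dict, digest)

    def append(self, when, custodian, action, media_hash, note=""):
        """Record one hand-over. media_hash is the hash the custodian computed
        on receipt, so a change of the media between custodians is visible."""
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "when": when,
            "custodian": custodian,
            "action": action,
            "media_hash": media_hash,
            "note": note,
        }
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        self.entries.append((entry, entry_digest(entry, prev)))
        return entry["seq"]

    def head(self):
        """Digest of the latest entry; this is the value to write on the paper
        form and have countersigned at each hand-over."""
        return self.entries[-1][1] if self.entries else self.GENESIS

    def verify(self):
        """Recompute the whole chain. Returns (ok, seq of first bad entry or None)."""
        prev = self.GENESIS
        for entry, digest in self.entries:
            if entry_digest(entry, prev) != digest:
                return False, entry["seq"]
            prev = digest
        return True, None

    def media_unchanged(self):
        """True when every custodian recorded the same media hash."""
        return len({e["media_hash"] for e, _ in self.entries}) <= 1


def demo():
    """Constructed custody history for the demonstration."""
    log = CustodyLog("EXHIBIT-01")
    md5 = "f55573e2a21c4161d1eb45c014646956"   # value from slides 20/21
    log.append("2011-01-10T09:00Z", "First responder", "seized at scene", md5)
    log.append("2011-01-10T15:30Z", "Lab reception", "received at lab", md5)
    log.append("2011-01-11T10:00Z", "Forensic analyst", "imaged with write blocker", md5)
    return log


if __name__ == "__main__":
    log = demo()
    print("chain ok:", log.verify(), "media unchanged:", log.media_unchanged())
    print("head digest for the paper form:", log.head())
```

The chain only proves something against a party who does not control the file: whoever holds the log can recompute every digest after an edit. The defence is the `head()` value written on the paper form and signed by both custodians at each hand-over; a recomputed chain then no longer matches the signed heads. `media_unchanged()` is the separate check that the media itself, not just the paperwork, was not altered between hand-overs.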

Page 9: Subrahmani Babu - walidumar.my.id

What you can expect from the CF Experts?

• Evidences from
– Deleted Files
– Unallocated Clusters and slack space
– Formatted Hard Drives
– Data Carving and
– Password recovery

Page 10: Subrahmani Babu - walidumar.my.id

Differences

• Biological Forensics
– Examinations with Original evidences (Samples)

• Computer Forensics
– Examinations with Images (Duplications) of Original evidences

Page 11: Subrahmani Babu - walidumar.my.id

Stages in Computer Forensics

• Identification
• Preservation
• Analysis and
• Report Preparations

Page 12: Subrahmani Babu - walidumar.my.id

Classifications

• Disk Forensics
• Network Forensics
• Handheld Devices Forensics
• Email Forensics
• Registry Forensics
• OS (Windows, Linux) Forensics
• Source Code Forensics
• Browser Forensics

Page 13: Subrahmani Babu - walidumar.my.id

Basic rules
• Never work on original evidence.
• Never mishandle evidence.
• Use proper software utilities to retrieve evidence from the media.
• Document everything while handling the suspected media.

Page 14: Subrahmani Babu - walidumar.my.id

Types of Evidence

• Volatile Evidence
– Running Processes
– Active N/W Connections
– Passwords, Disk Encryption Keys are available
– Email accounts login passwords
– Memory resident malware

• Non Volatile Evidence
– Word Documents
– Email messages
– Databases
– Internet History
– Registry information
– Deleted files, Unallocated Clusters, Slack space evidences could be recovered

Page 15: Subrahmani Babu - walidumar.my.id

Free Forensic Tools
• Volatile evidence collection tools
– Nigilant32, Helix
– DD (Forensic Acquisition Utilities),
– FTK Imager,
– WFT (Windows Forensics Toolchest)
– Memoryze, MDD
• Volatile evidence Analysis tools
– MemParser
– WMFT
– Volatility Framework,
– PyFlag

Page 16: Subrahmani Babu - walidumar.my.id

Free Forensic Tools – contd…
• Forensic Imaging Tools
– True Back from CDAC, TVM
– DD (Forensic Acquisition Utilities),
– FTK Imager,
– Helix, DEFT… (more than 15 Forensic Live CDs)
• Analysis tools
– SIFT from SANS containing 32 tools
– TSK, Autopsy browser, PTK
– PyFlag
» Best site: www.e-evidence.info

Page 17: Subrahmani Babu - walidumar.my.id

DD – Disk Dump

• Available in Linux OS
• Rewritten for Windows (FAU)
• Download from this link: http://gmgsystemsinc.com/fau/

Syntax:

dd.exe -v if=\\.\F: of=h:\filename.img conv=noerror --chunk 2GiB --localwrt

Page 18: Subrahmani Babu - walidumar.my.id

Hardware or Software Acquisition

• Hardware:
– ImageMaster Solo
– Logicube Forensic MD5
– Talon
– Hardcopy3 from Voom Tech
• Software:
– Cyber Check Suite
– EnCase
– Forensic Toolkit (FTK)
– SafeBack
– DriveSpy
– Paraben
– DD command : Unix/Linux

Page 19: Subrahmani Babu - walidumar.my.id

Imaging –vs- Copying: Which one is Best?

Page 20: Subrahmani Babu - walidumar.my.id

Copying of Disk

[Figure: file-level copy from the Suspected disk (Source) to a Sterile disk (Target). Files shown: Test.doc, Newfile.doc, Cert-in_trainee.ppt, Search &seizure .pdf. Labels: Active files, Deleted files. MD5: f55573e2a21c4161d1eb45c014646956]

CERT-In, New Delhi

Page 21: Subrahmani Babu - walidumar.my.id

Imaging of the Disk

[Figure: bit-stream imaging from the Suspected disk (Source) to the Sterile disk (Target); both disks are drawn as bit streams (1010...). Files shown: Test.doc, Newfile.doc, Cert-in_trainee.ppt, Search &seizure .pdf. Labels: Active files, Deleted files. MD5: f55573e2a21c4161d1eb45c014646956]
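The copying-versus-imaging figures on slides 20 and 21, together with the deleted-file, slack-space and unallocated-cluster recovery promised on slides 9 and 14, worked through as an added Python example that is not part of the original deck. The toy disk layout (a fixed directory of 20-byte entries followed by 64-byte clusters) is constructed for the demonstration and is not any real file system; the file names are taken from the figures, while the residue and deleted-memo strings are made up.

```python
import hashlib
import struct

# Toy disk layout, constructed for this example only (not a real file system):
#   bytes 0..127    directory: 6 entries of 20 bytes
#                   <flag:1><namelen:1><name:12><offset:2><length:2><pad:2>
#                   flag 1 = active file, 0 = deleted entry (data left in place)
#   bytes 128..1023 data area, allocated in whole 64-byte clusters
DISK_SIZE = 1024
DIR_SIZE = 128
ENTRY = struct.Struct("<BB12sHH2x")
CLUSTER = 64
SECTOR = 512   # a bit-stream imager reads whole blocks, not files


def make_disk(files, old_residue=b""):
    """Build a toy disk. `files` is a list of (name, content, active).
    `old_residue` is written into the data area first, so leftovers of it
    survive in the slack space behind shorter files."""
    disk = bytearray(DISK_SIZE)
    disk[DIR_SIZE:DIR_SIZE + len(old_residue)] = old_residue
    offset = DIR_SIZE
    for i, (name, content, active) in enumerate(files):
        disk[offset:offset + len(content)] = content
        ENTRY.pack_into(disk, i * ENTRY.size, 1 if active else 0, len(name),
                        name.encode(), offset, len(content))
        offset += -(-len(content) // CLUSTER) * CLUSTER  # round up to clusters
    return bytes(disk)


def directory(disk):
    """Parse the directory; yields (name, content, active) for each entry."""
    for i in range(DIR_SIZE // ENTRY.size):
        flag, nlen, name, off, length = ENTRY.unpack_from(disk, i * ENTRY.size)
        if nlen:
            yield name[:nlen].decode(), disk[off:off + length], bool(flag)


def copy_disk(source):
    """File-level copy, what a file manager does: only active entries are
    carried over; deleted entries, unallocated clusters and slack are lost."""
    active = [(n, c, True) for n, c, a in directory(source) if a]
    return make_disk(active)


def image_disk(source):
    """Bit-stream image, what dd does: every sector is read regardless of
    what the directory says, giving an exact duplicate."""
    image = bytearray()
    for pos in range(0, len(source), SECTOR):
        image += source[pos:pos + SECTOR]
    return bytes(image)


def md5(data):
    return hashlib.md5(data).hexdigest()


def carve(disk, pattern):
    """Directory-independent search for a byte pattern, as a carving tool
    does. Returns the offset or -1."""
    return disk.find(pattern)


def compare():
    """Build a source disk, copy it and image it, and report what each keeps."""
    source = make_disk(
        [("Test.doc", b"Quarterly report draft", True),
         ("Newfile.doc", b"meeting notes", True),
         ("seizure.pdf", b"memo: move the server", False)],   # deleted file
        old_residue=b"payroll export 2011 - do not distribute")  # slack residue
    copy, image = copy_disk(source), image_disk(source)
    return {
        "image_hash_matches": md5(image) == md5(source),
        "copy_hash_matches": md5(copy) == md5(source),
        "active_files_equal": [n for n, _, a in directory(copy) if a]
                              == [n for n, _, a in directory(source) if a],
        "deleted_entries_in_image": [n for n, _, a in directory(image) if not a],
        "deleted_entries_in_copy": [n for n, _, a in directory(copy) if not a],
        "deleted_data_in_image": carve(image, b"memo: move") >= 0,
        "deleted_data_in_copy": carve(copy, b"memo: move") >= 0,
        "slack_in_image": carve(image, b"do not distribute") >= 0,
        "slack_in_copy": carve(copy, b"do not distribute") >= 0,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-26s %s" % (key, value))
```

The copy reproduces the active files exactly, which is why it looks adequate to a user, but its hash cannot match the source and neither the deleted entry nor the residue in the slack behind Test.doc exists on it. The image hashes identically to the source, so the MD5 recorded at acquisition verifies it, and the same carving and directory walk that recover the deleted material from the original work on the image, which is what lets the analyst keep the original untouched.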

Page 22: Subrahmani Babu - walidumar.my.id

Is Imaging Always Possible?

• NO – It may sometimes be necessary to access the original machine to recover evidence

• Computer Forensic examiner must be able to explain and demonstrate the methodologies and processes used to acquire evidence

• Findings must be repeatable by an independent 3rd party

Page 23: Subrahmani Babu - walidumar.my.id

Dead versus Live Acquisition

• Dead Acquisition – occurs when the data from the suspect's computer is being copied without the assistance of the suspect's OS.

• Live Acquisition – occurs when the suspect's OS is still running and being used to copy data.

Page 24: Subrahmani Babu - walidumar.my.id

Forensic Image File Formats

• RAW – only contains the data from the source device. Very easy to compare data with the source (e.g. dd-images).

• Embedded Image – contains data from the source plus additional descriptive data about the acquisition (e.g. hash values, dates, times). EnCase & FTK are examples.

• Some RAW imaging tools will create descriptive data but this is saved to a separate file.

• Many acquisition tools that create embedded images are proprietary (e.g. Encase, FTK).

• Most analysis tools will import a RAW image, making thisthe most flexible format.

Page 25: Subrahmani Babu - walidumar.my.id

Types of Data Acquisition

• Physical copy (entire physical disk) is the preferred method.
• Logical copy (disk partition or volume)
• Data acquisition format (RAW/Compressed)
• Command-line acquisition (low overheads – uses fewer system resources. May run from floppy disk or thumb drive)
• GUI acquisition
• Remote acquisition (over a network)
• Verification
– Checksum : CRC32
– Hashing : MD5, SHA1
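An added example, not taken from the deck or from the FAU dd tool, of what the dd command line on slide 17 and the format and verification points on slides 24 and 25 amount to in code: a chunked raw acquisition (the role of `--chunk`), zero-filling of unreadable blocks so the rest of the image keeps its offsets (the effect of `conv=noerror` combined with `sync`), CRC32 and hash digests computed while reading, a sidecar with the descriptive data a RAW tool stores in a separate file, and a re-hash of the reassembled image against that sidecar. The 1 KiB device, its unreadable block at offset 320 and the small block and chunk sizes are constructed for the demonstration; `read_device` stands in for a raw device handle such as `\\.\F:`.

```python
import hashlib
import json
import time
import zlib

HASHES = ("md5", "sha1")   # the digests slide 25 lists; "sha256" can be added
BLOCK = 64                 # read granularity; a failed read is zero-filled
CHUNK = 256                # output split size, standing in for --chunk 2GiB

# Constructed device: 1 KiB of known bytes with one unreadable 64-byte block.
DEVICE = bytes(range(256)) * 4
BAD_OFFSETS = {320}


def read_device(offset, length):
    """Stand-in for reading a raw device handle; raises like a bad sector."""
    if offset in BAD_OFFSETS:
        raise OSError("read error at offset %d" % offset)
    return DEVICE[offset:offset + length]


def acquire(read_block, device_size, block_size=BLOCK, chunk_size=CHUNK):
    """Chunked raw acquisition with on-the-fly hashing.
    Returns (chunks, sidecar): the image split into chunk_size pieces and the
    descriptive data (hashes, time, read errors) kept beside a RAW image."""
    hashers = {name: hashlib.new(name) for name in HASHES}
    crc, chunks, bad_blocks, buf = 0, [], [], bytearray()
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    for off in range(0, device_size, block_size):
        want = min(block_size, device_size - off)
        try:
            data = read_block(off, want)
        except OSError:
            data = b"\0" * want          # keep later data at the right offset
            bad_blocks.append(off)       # and record the gap for the report
        for h in hashers.values():
            h.update(data)
        crc = zlib.crc32(data, crc)
        buf += data
        while len(buf) >= chunk_size:
            chunks.append(bytes(buf[:chunk_size]))
            del buf[:chunk_size]
    if buf:
        chunks.append(bytes(buf))
    sidecar = {
        "acquired_at": started,
        "device_size": device_size,
        "block_size": block_size,
        "chunk_size": chunk_size,
        "chunk_md5": [hashlib.md5(c).hexdigest() for c in chunks],
        "crc32": "%08x" % (crc & 0xFFFFFFFF),
        "bad_blocks": bad_blocks,
    }
    sidecar.update({name: h.hexdigest() for name, h in hashers.items()})
    return chunks, sidecar


def verify(chunks, sidecar):
    """Reassemble the chunks, re-hash, and compare with the sidecar.
    Returns one boolean per check plus 'all_ok'."""
    image = b"".join(chunks)
    result = {
        "size_ok": len(image) == sidecar["device_size"],
        "chunks_ok": [hashlib.md5(c).hexdigest() for c in chunks] == sidecar["chunk_md5"],
        "crc32_ok": "%08x" % (zlib.crc32(image) & 0xFFFFFFFF) == sidecar["crc32"],
    }
    for name in HASHES:
        result[name + "_ok"] = hashlib.new(name, image).hexdigest() == sidecar[name]
    result["all_ok"] = all(result.values())
    return result


def sidecar_text(sidecar):
    """The sidecar as it would be written next to filename.img (JSON here)."""
    return json.dumps(sidecar, indent=2, sort_keys=True)


if __name__ == "__main__":
    chunks, meta = acquire(read_device, len(DEVICE))
    print(sidecar_text(meta))
    print(verify(chunks, meta))
```

Two points the slide's bullet list leaves implicit: the source is only ever read, never opened for writing, so the hardware write blocker of slide 26 remains the only thing standing between the examiner and the original; and CRC32 detects accidental corruption only, while the MD5 and SHA1 values are what an independent party recomputes to confirm the image is the one that was acquired. The per-chunk digests let a damaged chunk be identified without rehashing the whole image, and `bad_blocks` belongs in the acquisition report so the examiner can explain the zeroed region, as slide 22 requires.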

Page 26: Subrahmani Babu - walidumar.my.id

Very Important

• Connect your Suspected Storage Media (Hard Disk, USB Drive, etc.) through a HARDWARE WRITE-BLOCKER
• It avoids unnecessary modification of your media and helps to maintain the integrity of the evidence.
• Make sure that Source and Destination media are readily connected to the forensic workstation
• Now you may launch True Back (Forensic Imaging Software)

Page 27: Subrahmani Babu - walidumar.my.id

Write Blockers

S/W Write Blocker
• Software should be enabled prior to connecting the suspected Media.
– Ex: UsbWriteProtect

H/W Write Blocker
• Hardware device
• The Suspect media should be connected through this device.

Page 28: Subrahmani Babu - walidumar.my.id

Drive Imaging Hardware

• Forensic mobile field system (MFS)
– Laptop with NIC
– Portable workstation

Page 29: Subrahmani Babu - walidumar.my.id

Hard Disk Information

Page 30: Subrahmani Babu - walidumar.my.id

BIOS - Date

Page 31: Subrahmani Babu - walidumar.my.id

IP Address

Pages 32 to 42: Subrahmani Babu - walidumar.my.id (no transcribed text)

TOOL BOX

Page 44: Subrahmani Babu - walidumar.my.id

Entire System

Page 45: Subrahmani Babu - walidumar.my.id

CPU -Inside

Page 46: Subrahmani Babu - walidumar.my.id

Rearview - CPU

Page 47: Subrahmani Babu - walidumar.my.id

Primary Memory

Page 48: Subrahmani Babu - walidumar.my.id

Secondary Memory

3.5" HDD, 2.5" HDD, 1.8" HDD, 1" HDD, 0.85" HDD

Page 49: Subrahmani Babu - walidumar.my.id

References
• File System Forensic Analysis by Brian Carrier
• http://www.e-evidence.info
• http://www.Blackhat.com
• http://www.sans.org/reading_room/index.php
• http://www.crime-research.org/articles/
• http://geschonneck.com/security/forensics/
• http://www.cerias.purdue.edu/research/forensics/resources.php
• http://www.forensicfocus.com
• http://csrc.nist.gov/publications/nistir/
• http://www.utica.edu/academic/institutes/ecii/publications/articles/B4A8B3F3-94D2-F7E5-D32D97CF1539EBB4.pdf
• http://www.cdactvm.in
• http://www.guidancesoftware.com

Page 50: Subrahmani Babu - walidumar.my.id

Thanks & Demonstration