Introduction to Computer Forensics

Upload: eustacia-hodge

Post on 25-Dec-2015


Page 1: Known by many names  forensic analysis  electronic discovery  electronic evidence discovery  digital discovery  data recovery  data discovery

Introduction to Computer Forensics

Page 2: Introduction to Computer Forensics

Known by many names:
▪ forensic analysis
▪ electronic discovery
▪ electronic evidence discovery
▪ digital discovery
▪ data recovery
▪ data discovery
▪ computer analysis
▪ computer examination

Page 3: Intro to Computer Forensics

Computer Forensics is the process of methodically examining computer media for evidence: the collection, preservation, analysis, and presentation of computer-related evidence.

Much more than the recovery of data
▪ The goal of data recovery is to retrieve lost data
▪ The goal of forensics is to retrieve AND interpret as much information about it as possible

Page 4: Intro to Computer Forensics

Computer Crime
Computers can be involved in a wide variety of crimes
▪ murder, terrorism, counterintelligence, economic espionage, counterfeiting, drug trafficking, and sexual exploitation
▪ Other?

Page 5: Intro to Computer Forensics

Computer Crime (cont.)
A computer can play one of three roles in a computer crime (sometimes combined)
▪ Target of the crime
▪ Instrument of the crime
▪ Evidence repository, storing information about the crime
Knowing what role a computer played in a computer crime will help tailor the analysis to that particular role

Page 6: Intro to Computer Forensics

Computer Forensic Objective
To recover, analyze, and present computer-based material in such a way that it is usable as evidence in a court of law.

Computer Forensic Priority
Primarily concerned with forensic procedures, rules of evidence, and legal processes
Secondarily concerned with computers
ACCURACY is the absolute priority

Page 7: Intro to Computer Forensics

Computer Forensics Specialist
Must take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system
▪ Protect the subject computer during the forensic examination from any possible alteration, damage, or data corruption
▪ Discover all files on the subject system
▪ Recover all (or as many as possible) of the discovered deleted files

Page 8: Intro to Computer Forensics

Computer Forensics Specialist (cont.)
▪ Reveal the contents of hidden files as well as temporary or swap files
▪ Access (if possible and legally appropriate) the contents of protected or encrypted files
▪ Analyze all possibly relevant data found in special areas of a disk (unallocated space, slack space, the HPA (Host Protected Area), etc.)
▪ Print out an overall analysis of the subject system
▪ Provide an opinion of the system layout, file structures, discovered data, attempts to hide or delete data, attempts to protect or encrypt data, and anything else relevant

Page 9: Intro to Computer Forensics

Computer Forensics Specialist (cont.)
▪ Provide expert consultation and/or testimony

Page 11: Evidence Collection and Data Seizure

Page 12: Why Collect Evidence

Electronic evidence can be very expensive to collect
▪ Processes are strict and exhaustive
▪ Systems affected may be unavailable for regular use for long periods of time
▪ Analysis of the data collected must be performed, which can take a very long time

Page 13: Why Collect Evidence

Two reasons to collect evidence
Future Prevention
▪ If you don’t know what happened, you won’t be able to stop someone from doing it again
▪ Cost of collection may be high, but repeated compromise will almost certainly be higher

Page 14: Why Collect Evidence

Two reasons to collect evidence (cont.)
Responsibility
▪ Two parties are involved after an attack: attacker and victim
▪ Attacker is responsible for the damage done
  Only adequate evidence will prove the attacker’s actions and bring them to justice
▪ Victim is responsible to the community
  Information gathered after a compromise can be examined and used by others to prevent further attacks
  There may also be a legal requirement to perform analysis, e.g. if the attack was part of a larger attack

Page 15: Evidence Collection Options

Two options
Pull the system from the network and begin collecting evidence
▪ May leave you with insufficient evidence
▪ A dead man’s switch may destroy evidence once the system is removed from the network
Leave the system online and begin monitoring for the intruder
▪ May alert the intruder, causing them to destroy evidence
▪ Potential liability if the attacker launches further attacks from your network
Your decision must be based on the situation

Page 16: Types of Evidence

Real evidence
▪ Any evidence that speaks for itself without relying on anything else
Testimonial Evidence
▪ Evidence supplied by a witness
▪ Subject to the perceived reliability of the witness
▪ Can be almost as powerful as real evidence
Hearsay
▪ Evidence presented by a person who was not a direct witness
▪ Generally inadmissible in court
▪ Should be avoided

Page 17: Rules of Evidence

Five rules of collecting electronic evidence
▪ Admissible
▪ Authentic
▪ Complete
▪ Reliable
▪ Believable

Page 18: Rules of Evidence

Admissible
▪ Most basic rule
▪ Must be able to be used in court
▪ Failure to comply with this rule is equivalent to not collecting the evidence at all

Page 19: Rules of Evidence

Authentic
▪ Must be able to show that the evidence relates to the incident in a relevant way
▪ If it can’t be positively related to the incident, it can’t be used
▪ The integrity and chain of custody of the evidence must be intact

Page 20: Rules of Evidence

Complete
▪ Don’t just collect evidence that shows one perspective of the incident
▪ Collect evidence that can prove the attacker’s actions
▪ Collect evidence that could prove their innocence
▪ If the attacker was logged in during the incident, you must also show who else was logged in and why you think they didn’t do it
▪ This is called exculpatory evidence and is very important in proving a case

Page 21: Rules of Evidence

Reliable
▪ Evidence collection, examination, analysis, preservation and reporting procedures and tools must be able to replicate the same results over time
▪ Evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity

Page 22: Rules of Evidence

Believable
▪ Evidence should be clearly understandable and believable to a jury
▪ No point presenting a binary dump of process memory if the jury has no idea what it means
▪ If evidence is presented in a formatted, human-understandable version, you must be able to show the relationship to the original binary evidence; otherwise the jury can be led to think the evidence was fabricated

Page 23: Rules of Evidence

G8 Principles – Procedures Relating to Digital Evidence
▪ When dealing with digital evidence, all general forensic and procedural principles must be applied.
▪ Upon seizing digital evidence, actions taken should not change that evidence.
▪ When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.

Page 24: Rules of Evidence

G8 Principles – Procedures Relating to Digital Evidence (cont.)
▪ All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved, and available for review.
▪ An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
▪ Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Page 25: Rules of Evidence

Do’s and Don’ts
Minimize handling
▪ Once a copy is made of the original data, DON’T TOUCH IT – only handle secondary copies
▪ Remove any avenues for change
Account for any changes & keep detailed logs
▪ Sometimes evidence alteration is unavoidable
▪ Document the nature, extent, and reasons for any changes

Page 26: Rules of Evidence

Do’s and Don’ts (cont.)
Comply with the Five Rules of Evidence
▪ If you don’t follow them, you’re wasting your time
Do not exceed your knowledge
▪ If you don’t understand what you are doing, you can’t account for any changes you make and you can’t describe what exactly you did
▪ Acquire knowledge before you proceed!

Page 27: Rules of Evidence

Do’s and Don’ts (cont.)
Follow your local security policy
▪ If you fail to comply with your local security policy, the evidence may be inadmissible
▪ You could also end up in trouble yourself
Capture as accurate an image of the system as possible
▪ Relates to minimizing the handling (and possible corruption) of the original data
▪ Differences between the original system and the master copy count as changes and must be accounted for

Page 28: Rules of Evidence

Do’s and Don’ts (cont.)
Be prepared to testify
▪ Without the collector of the evidence being present to validate the documents created during the evidence collection process, the evidence becomes hearsay (i.e. inadmissible)
▪ If you aren’t willing to testify, stop before you start collecting evidence
▪ You will need to testify at multiple points in time – you must be able to replicate your actions to prove the same result

Page 29: Rules of Evidence

Do’s and Don’ts (cont.)
Work fast
▪ The faster you work, the less likely the data is going to change
▪ Volatile evidence may vanish completely if not collected in time
▪ If multiple systems are involved, work on them in parallel
▪ Be methodical

Page 30: Rules of Evidence

Do’s and Don’ts (cont.)
Proceed from volatile to persistent evidence
▪ Some electronic evidence is more volatile than other evidence
▪ Collect the most volatile evidence first
Don’t run any programs on the affected system
▪ Attacker may have left trojaned programs and libraries on the system
▪ What you think could be an innocent command, like “ipconfig”, may cause a system to destroy evidence
▪ If you MUST run a program on the affected system, use a known “good” copy of the program (e.g. from a CD-ROM), statically linked so it does not load the system’s possibly trojaned shared libraries; be aware that a compromised kernel can still lie to it

Page 31: Rules of Evidence

Do’s and Don’ts (cont.)
Don’t shut down before collecting evidence
▪ NEVER NEVER NEVER shut down a system before you collect the evidence
▪ All volatile evidence will be lost
▪ Attacker may use startup/shutdown scripts to destroy evidence
▪ Temporary files may be wiped out
▪ REBOOTING IS EVEN WORSE! Never boot from the system drive again – only use copies!

Page 32: Volatile Evidence

Not all evidence on a system will last very long
▪ Some evidence resides in storage that requires constant power
▪ Other evidence may be stored in information that is constantly changing
When collecting evidence, proceed from the most volatile to the least volatile

Page 33: Volatile Evidence

To determine what evidence to collect first, prepare an order of volatility, e.g.
▪ Registers and cache
▪ Routing tables
▪ ARP cache
▪ Kernel statistics and modules
▪ Main memory
▪ Temporary system files
▪ Secondary memory
▪ Router configuration
▪ Network topology

Page 34: 4 Steps for Collecting and Analyzing Evidence

Identification of Evidence
▪ Distinguish between evidence and junk data
▪ Know what the data is, where it is located, and how it is stored
Preservation of Evidence
▪ Preserve evidence as close as possible to its original state
▪ Any changes made MUST be documented

Page 35: 4 Steps for Collecting and Analyzing Evidence

Analysis of Evidence
▪ Extract the relevant information and recreate the chain of events
▪ Requires in-depth knowledge of what you are looking for and how to find it
▪ Ensure those analyzing the evidence are fully qualified

Page 36: 4 Steps for Collecting and Analyzing Evidence

Presentation of Evidence
▪ Communicate the meaning of the evidence
▪ Manner of presentation is very important
▪ Must be understandable by a layman: if a jury can’t understand the evidence, it is worthless
▪ Must remain technically correct and credible

Page 37: Collecting and Archiving

Once a plan of attack is developed and the desired evidence is identified, the collection process can begin
Storage of the collected evidence is also important – it can affect how the data is perceived

Page 38: Collecting and Archiving

Logs and Logging
Run some type of system logging
▪ Keep logs secure
▪ Back up logs (a simple file copy should suffice)
▪ Create a hash of the log files (MD5, SHA-1) to ensure integrity; both algorithms now have practical collision attacks, so record a SHA-256 digest as well
▪ Encrypt the logs to ensure confidentiality
▪ Use a syslog server if possible
▪ Logs stored on a compromised system are at risk of being altered or destroyed by the attacker

Page 39: Collecting and Archiving

Monitoring
Monitoring network traffic can be useful for many reasons
▪ Gather statistics
▪ Watch for irregular activity
▪ Trace where an attack came from and what the attacker is doing

Page 40: Methods of Collection

Two basic forms of collection
Freezing the scene
▪ Take a snapshot of the system in its compromised state
▪ Ensure appropriate authorities are notified
Honeypotting
▪ Create a replica system to lure the attackers for further monitoring
▪ Sandboxing can be performed to limit what the attacker can do while still on the compromised system

Page 41: Artifacts

Whenever a system is compromised, there is almost always something left behind by the attacker
▪ Code fragments
▪ Trojaned programs
▪ Running processes
▪ Log files
▪ Etc.

Page 42: Collection Steps

Basic evidence collection steps
▪ Find the evidence
▪ Find the relevant data
▪ Create an order of volatility
▪ Remove external avenues of change
▪ Collect the evidence
▪ Document EVERYTHING

Page 43: Controlling Contamination: The Chain of Custody

Once data is collected, it must be protected from contamination
▪ Verified duplicates should be used for analysis
▪ Never use original evidence for analysis
Keep a chain of custody
▪ A detailed list of what was done with the original evidence, once it was collected
▪ Who found the data
▪ When and where it was transported and by whom
▪ Who had access to the data and what they did with it
▪ This will be questioned in legal proceedings
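An added example (not part of the original slides) of a chain-of-custody record kept as data rather than on paper alone: every entry captures who, when, where and what, together with the hash of the evidence item at that moment and the hash of the previous entry, so a later edit to an entry, or a change to the evidence between hand-offs, shows up when the record is verified. The people, times, evidence identifier and the evidence bytes are constructed for illustration.

```python
"""Hash-chained chain-of-custody log (added example, not from the slides).

Names, times, the evidence id and the evidence bytes below are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: str          # when (UTC, read from a trusted clock)
    actor: str              # who
    action: str             # what was done
    location: str           # where
    evidence_sha256: str    # hash of the evidence item at the moment of the action
    prev_entry_hash: str    # hash of the previous entry; links the record into a chain


GENESIS = "0" * 64  # prev_entry_hash of the very first entry


def entry_hash(entry: CustodyEntry) -> str:
    """Canonical hash of one entry: sorted-key JSON so the digest is reproducible."""
    canonical = json.dumps(asdict(entry), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ChainOfCustody:
    def __init__(self, evidence_id: str) -> None:
        self.evidence_id = evidence_id
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, actor: str, action: str,
               location: str, evidence: bytes) -> CustodyEntry:
        """Append an entry; the evidence is re-hashed at every hand-off."""
        prev = entry_hash(self.entries[-1]) if self.entries else GENESIS
        entry = CustodyEntry(timestamp, actor, action, location,
                             hashlib.sha256(evidence).hexdigest(), prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means record and evidence are consistent."""
        problems = []
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != expected_prev:
                problems.append(f"entry {i}: does not chain to the previous entry")
            if i and e.evidence_sha256 != self.entries[0].evidence_sha256:
                problems.append(f"entry {i}: evidence hash differs from the hash at collection")
            expected_prev = entry_hash(e)
        return problems


def build_sample_log() -> ChainOfCustody:
    """Constructed scenario: one drive image passing through three people."""
    image = b"\x00" * 1024 + b"constructed disk image" + b"\xff" * 1024
    log = ChainOfCustody("EV-001 (constructed id)")
    log.record("2015-12-25T14:03:10Z", "A. Collector", "imaged drive, sealed in bag 17",
               "server room, site A", image)
    log.record("2015-12-25T16:40:00Z", "B. Courier", "transported to evidence locker",
               "evidence locker 3, HQ", image)
    log.record("2015-12-28T09:12:45Z", "C. Analyst", "checked out; working copy made",
               "forensics lab, bench 2", image)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("problems:", log.verify())
    # Rewriting history: swap the courier's name. Entry 2 no longer chains to entry 1.
    e = log.entries[1]
    log.entries[1] = CustodyEntry(e.timestamp, "D. Nobody", e.action, e.location,
                                  e.evidence_sha256, e.prev_entry_hash)
    print("problems after edit:", log.verify())
```

The chain only proves that the record was not edited after the last entry hash was fixed; someone with write access to the whole log could rewrite every link. In practice the latest entry hash is copied onto the signed paper form or sent to a second party at each hand-off, which is exactly the independent corroboration a court will ask for.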

Page 45: Duplication and Preservation of Digital Evidence

Page 46: Computer Evidence

Computer evidence is odd, to say the least
▪ Any information related to an incident in physical or binary (digital) form that may be used to support or prove the facts of an incident
▪ Exists on computer hard disks and floppy disks at three different locations (allocated files, file slack and unallocated space), two of which are not visible to the computer user
▪ Such evidence is fragile and can be destroyed by something as simple as normal operation of the computer
▪ Computer evidence is frequently challenged in court

Page 47: Computer Evidence

Computer evidence (cont.)
Confusion exists over the legal classification
▪ Is it documentary evidence? That would require reams of printout under the best evidence rule
▪ Is it demonstrative evidence? That would require a true-to-life sample of the reconstructed evidence
The problem of establishing the expertise of computer forensics experts also exists

Page 48: Computer Evidence

Three basic evidence rules to gain admissibility
Authentication
▪ Showing a true copy of the original
The best evidence rule
▪ Evidence that most closely matches the original or real evidence. This can be the original media or it may be the most forensically sound copy of the data (a bit-stream copy) available
Exceptions to the hearsay rule
▪ When a confession or business or official records are involved

Page 49: Computer Evidence Processing Steps

Computer evidence is fragile
▪ Compounded by destructive programs and hidden data
▪ Normal operations of a computer can destroy evidence in
  ▪ unallocated space
  ▪ file slack
  ▪ swap files
  ▪ etc.

Page 50: Computer Evidence Processing Steps

Every case is different and the investigator must apply flexibility to the approach taken
Some general guidelines can be used as a template for the investigator to follow

Page 51: Computer Evidence Processing Steps

General guidelines
Collect volatile evidence first
▪ Evidence that resides in volatile memory
Halt the computer
▪ Do NOT use the shutdown option in the OS
▪ Pull the plug from the wall
▪ This will prevent the OS from performing any cleanup tasks and shutdown scripts
▪ Be careful of whole disk encryption! Once power is cut, an encrypted volume is unreadable without its key, so capture memory (where the key resides while the volume is mounted) and the unlocked logical volume before pulling the plug

Page 52: Computer Evidence Processing Steps

General guidelines (cont.)
Document the hardware configuration
▪ Before dismantling the computer, take pictures of the system from all angles to document how the computer is connected
▪ Label each wire
▪ Once the case is opened (in a secure location), take more pictures from all angles
▪ Document all components, including model numbers, serial numbers, burned-in addresses (MAC), etc.

Page 53: Computer Evidence Processing Steps

General guidelines (cont.)
Transport the computer to a secure location
▪ Ensure that a chain of custody is established
▪ It is imperative that the subject computer is treated as evidence and stored out of reach of curious users
▪ Operating a seized computer will destroy evidence and violate the chain of custody

Page 54: Computer Evidence Processing Steps

General guidelines (cont.)
Make a bit-stream copy of the hard disk(s)
▪ Do not operate the computer to perform this step; image the drive from a trusted system, through a hardware write blocker
▪ Do not perform any analysis on the original data
▪ Only perform analysis on the bit-stream copy of the original data

Page 55: Computer Evidence Processing Steps

General guidelines (cont.)
Mathematically authenticate data on all storage devices
▪ You must prove that the original evidence was not altered
▪ Generate one-way hashes of all storage devices: hash the original, hash the bit-stream copy, compare, and record the digests in the chain of custody
▪ MD5 – 128-bit digest
▪ SHA-1 – 160-bit digest
▪ Both now have practical collision attacks, so record a SHA-256 digest alongside them; the comparison is only as strong as the hash
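The imaging and authentication steps of pages 54 and 55, scripted the way a practitioner would: hash the source, make a byte-for-byte copy, hash the copy with the same algorithms, and refuse to proceed on any mismatch. This is an added example, not code from the slides; `ORIGINAL_DRIVE` is a constructed stand-in for the raw block device behind a write blocker, and SHA-256 is added to the MD5 and SHA-1 the slide names. The same `hash_stream` check is what you would run over the log files of page 38 and the tool binaries of page 63.

```python
"""Bit-stream copy and hash authentication (added example, not from the slides).

ORIGINAL_DRIVE is a constructed stand-in for a raw block device; on a real
seizure the source is the device node read through a hardware write blocker.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed 16 KiB + 512 B "drive": a repeating byte pattern plus a zeroed
# tail, so empty-looking regions are part of what gets copied and hashed.
ORIGINAL_DRIVE = bytes(range(256)) * 64 + b"\x00" * 512

# MD5 and SHA-1 are what the slide lists; both have practical collision
# attacks, so a SHA-256 digest is recorded alongside them.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(data: bytes, algorithms: Iterable[str] = DEFAULT_ALGORITHMS,
                chunk_size: int = 4096) -> Dict[str, str]:
    """Hash the data with every requested algorithm in one sequential pass.

    One pass matters on a multi-terabyte device: reading it once per
    algorithm multiplies acquisition time and wear on the evidence.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bit_stream_copy(source: bytes) -> bytes:
    """Byte-for-byte duplicate: every sector, allocated or not, slack included.

    A logical (file-by-file) copy would silently drop the slack and
    unallocated space that pages 58 and 59 say to examine.
    """
    return bytes(source)


def verify_copy(source_digests: Dict[str, str], copy_data: bytes) -> Tuple[bool, List[str]]:
    """Re-hash the copy with the same algorithms and report any mismatch."""
    copy_digests = hash_stream(copy_data, tuple(source_digests))
    mismatches = [name for name, digest in source_digests.items()
                  if copy_digests[name] != digest]
    return not mismatches, mismatches


def acquire(source: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Hash the source, image it, verify the image; raise if verification fails.

    Returns the verified image and the digests to record in the custody log.
    """
    source_digests = hash_stream(source)
    image = bit_stream_copy(source)
    ok, bad = verify_copy(source_digests, image)
    if not ok:
        raise RuntimeError(f"image does not match source for: {', '.join(bad)}")
    return image, source_digests


if __name__ == "__main__":
    image, digests = acquire(ORIGINAL_DRIVE)
    for name, digest in digests.items():
        print(f"{name:7s} {digest}")
    # Flip one bit in a working copy: every digest changes and the tamper is caught.
    tampered = bytearray(image)
    tampered[1000] ^= 0x01
    print("tampered copy verifies:", verify_copy(digests, bytes(tampered))[0])
```

Hashing is done in fixed-size chunks so the same code works on a device far larger than memory, and the chunk size does not affect the digest. Whatever tool you use in the field (dd plus a hashing utility, or a dedicated imager), the check is the same: source digest before, image digest after, both written down.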

Page 56: Computer Evidence Processing Steps

General guidelines (cont.)
Document the system date and time
▪ Dates and times associated with computer files are extremely important
▪ If the system clock is incorrect, then all file timestamps will be incorrect as well
▪ To account for time differences, it is essential to document the system date and time, against a trusted reference clock, at the time the computer is taken into evidence

Page 57: Computer Evidence Processing Steps

General guidelines (cont.)
Make a list of key search words
▪ Due to the size of hard drives, it can be virtually impossible to manually view and evaluate all files
▪ Searching for specific keywords can help find relevant evidence
▪ Usually some information is known about the allegations
▪ Avoid using common words

Page 58: Computer Evidence Processing Steps

General guidelines (cont.)
Evaluate file slack
▪ File slack is the space between the end of a file’s data and the end of the last cluster allocated to it; most computer users are unaware of it
▪ File slack is a significant source of security leakage
▪ On older operating systems (DOS, Windows 9x) the tail of the last sector was padded with whatever happened to be in memory when the file was closed (“RAM slack”); the remaining sectors of the cluster keep whatever was on disk before
▪ Specialized forensic tools are required to view and evaluate file slack
▪ Search file slack for keywords

Page 59: Computer Evidence Processing Steps

General guidelines (cont.)
Evaluate unallocated space (erased files)
▪ Unallocated space may contain data associated with deleted files
▪ Search unallocated space for keywords
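The keyword search of pages 57 to 59 carried out against a constructed disk image, as an added example that is not part of the slides. The toy file system (fixed 512-byte clusters, a directory that records which clusters each file owns and its logical size) is invented for the illustration, as is the history it encodes: a file mentioning an offshore account was written, deleted without wiping, and partly overwritten by a 700-byte report. The logical view shows only the report; the slack of its last cluster and the free clusters still hold the deleted text.

```python
"""Keyword search in file slack and unallocated space (added example, not from the slides).

The "disk image" below is constructed: a toy file system with fixed-size
clusters and a directory that records which clusters each file owns.
"""
from typing import Dict, List, Tuple

CLUSTER_SIZE = 512
N_CLUSTERS = 8

# Constructed history: a 1620-byte file was written, then deleted (clusters 0-3
# marked free but not wiped), then a 700-byte report was written over
# clusters 0-1. Nothing else on the volume was ever touched.
DELETED_CONTENT = b"Transfer funds to offshore account 4471 before audit. " * 30
REPORT_CONTENT = (b"Quarterly status report: all systems nominal.\n" * 20)[:700]

IMAGE = bytearray(CLUSTER_SIZE * N_CLUSTERS)
IMAGE[:len(DELETED_CONTENT)] = DELETED_CONTENT
IMAGE[:len(REPORT_CONTENT)] = REPORT_CONTENT

# Directory: name -> (clusters, logical size). Only the report is allocated now.
DIRECTORY: Dict[str, Tuple[List[int], int]] = {"report.txt": ([0, 1], len(REPORT_CONTENT))}

Region = Tuple[int, bytes]  # (absolute offset in the image, raw bytes)


def logical_files(image: bytes, directory, cluster_size: int = CLUSTER_SIZE) -> Dict[str, bytes]:
    """What a normal file view shows: each file's bytes up to its logical size."""
    files = {}
    for name, (clusters, size) in directory.items():
        raw = b"".join(bytes(image[c * cluster_size:(c + 1) * cluster_size]) for c in clusters)
        files[name] = raw[:size]
    return files


def hidden_regions(image: bytes, directory, cluster_size: int = CLUSTER_SIZE,
                   n_clusters: int = N_CLUSTERS) -> Dict[str, List[Region]]:
    """Carve out file slack and unallocated space, keeping image offsets for the report."""
    slack: List[Region] = []
    allocated = set()
    for clusters, size in directory.values():
        allocated.update(clusters)
        # Slack runs from end-of-data to the end of the file's last cluster.
        used_in_last = size - cluster_size * (len(clusters) - 1)
        start = clusters[-1] * cluster_size + used_in_last
        end = (clusters[-1] + 1) * cluster_size
        if start < end:
            slack.append((start, bytes(image[start:end])))
    # Adjacent free clusters are merged into one run so a keyword that straddles
    # a cluster boundary is still found.
    unallocated: List[Region] = []
    run_start = None
    for c in range(n_clusters + 1):
        free = c < n_clusters and c not in allocated
        if free and run_start is None:
            run_start = c
        elif not free and run_start is not None:
            start, end = run_start * cluster_size, c * cluster_size
            unallocated.append((start, bytes(image[start:end])))
            run_start = None
    return {"slack": slack, "unallocated": unallocated}


def keyword_search(regions: Dict[str, List[Region]],
                   keywords: List[str]) -> List[Tuple[str, int, str]]:
    """Case-insensitive search; each hit is (region kind, absolute image offset, keyword)."""
    hits = []
    for kind, chunks in regions.items():
        for base, data in chunks:
            haystack = data.lower()
            for kw in keywords:
                needle = kw.lower().encode("ascii")
                pos = haystack.find(needle)
                while pos != -1:
                    hits.append((kind, base + pos, kw))
                    pos = haystack.find(needle, pos + 1)
    return hits


def search_hidden(keywords: List[str]) -> List[Tuple[str, int, str]]:
    """Search the slack and unallocated space of the constructed image."""
    return keyword_search(hidden_regions(IMAGE, DIRECTORY), keywords)


if __name__ == "__main__":
    visible = logical_files(IMAGE, DIRECTORY)
    print("visible files:", {n: len(d) for n, d in visible.items()})
    for hit in search_hidden(["offshore", "4471"]):  # specific terms, not common words
        print(hit)
```

Reporting absolute image offsets is what lets you show a jury the relationship between the readable hit and the raw bytes (the "believable" rule of page 22); a real tool does the same against the image you authenticated on page 55, never against the original media.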

Page 60: Computer Evidence Processing Steps

General guidelines (cont.)
Document filenames, dates, and times
▪ From an evidence standpoint, filenames, creation timestamps, and last-modified timestamps are critical
▪ Catalog all allocated and erased files
▪ Files can be sorted by timestamp to establish a timeline of usage
▪ Can retrace an attacker’s actions based on what files were accessed and when
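Pages 56 and 60 together, as an added example that is not part of the slides: the subject's clock is compared with a trusted reference at seizure, the resulting offset is applied to every recorded timestamp, and the corrected events for allocated and erased files are merged into one sorted timeline. The clock readings, file paths and timestamps are constructed for the illustration.

```python
"""File timeline with clock-offset correction (added example, not from the slides).

The clock readings and the file catalog below are constructed; the paths are stand-ins.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


def ts(*args: int) -> datetime:
    """Shorthand for a UTC timestamp."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileRecord:
    name: str
    status: str          # "allocated" or "deleted": page 60 says catalog both
    created: datetime    # timestamps exactly as recorded on the media, i.e. in the
    modified: datetime   # subject system's clock, which may be wrong
    accessed: datetime


@dataclass(frozen=True)
class TimelineEvent:
    time: datetime       # corrected to the reference clock
    name: str
    status: str
    actions: Tuple[str, ...]


# Documented at seizure (page 56): what the subject's clock showed, and what a
# trusted reference clock showed at the same moment. Constructed values.
SEIZURE_SYSTEM_CLOCK = ts(2015, 12, 25, 14, 3, 10)
SEIZURE_REFERENCE_CLOCK = ts(2015, 12, 25, 13, 58, 10)

# Constructed catalog of allocated and erased files with their raw timestamps.
FILE_CATALOG: List[FileRecord] = [
    FileRecord("C:/Users/jdoe/Documents/budget.xlsx", "allocated",
               ts(2015, 12, 20, 9, 15, 0), ts(2015, 12, 25, 13, 45, 12), ts(2015, 12, 25, 13, 45, 12)),
    FileRecord("C:/Windows/Temp/tk.exe", "allocated",
               ts(2015, 12, 25, 13, 41, 2), ts(2015, 12, 25, 13, 41, 2), ts(2015, 12, 25, 13, 50, 30)),
    FileRecord("C:/Windows/Temp/dump.bin", "deleted",
               ts(2015, 12, 25, 13, 47, 0), ts(2015, 12, 25, 13, 48, 55), ts(2015, 12, 25, 13, 48, 55)),
]


def clock_offset(system_clock: datetime, reference_clock: datetime) -> timedelta:
    """How far the subject's clock ran ahead of real time (negative if it ran behind)."""
    return system_clock - reference_clock


def build_timeline(records: List[FileRecord], offset: timedelta) -> List[TimelineEvent]:
    """Correct every timestamp by the documented offset, then sort into one timeline.

    Identical timestamps on one file (e.g. created == modified) collapse into a
    single event so the timeline reads as actions rather than duplicate rows.
    """
    grouped = {}
    for r in records:
        for action, raw in (("created", r.created), ("modified", r.modified), ("accessed", r.accessed)):
            key = (raw - offset, r.name)
            grouped.setdefault(key, (r.status, []))[1].append(action)
    return [TimelineEvent(time, name, status, tuple(actions))
            for (time, name), (status, actions) in sorted(grouped.items())]


def render(events: List[TimelineEvent]) -> List[str]:
    """Human-readable lines that still carry the corrected time for cross-checking."""
    return [f"{e.time.isoformat()}  {'/'.join(e.actions):17s} {e.status:9s} {e.name}" for e in events]


if __name__ == "__main__":
    offset = clock_offset(SEIZURE_SYSTEM_CLOCK, SEIZURE_REFERENCE_CLOCK)
    print(f"subject clock ran {offset} ahead of reference; subtracting from every timestamp")
    for line in render(build_timeline(FILE_CATALOG, offset)):
        print(line)
```

The offset is a single sample taken at seizure; drift, daylight-saving changes and manual clock edits in the days before mean the correction is an approximation that must itself be written into the report. Timestamps can also be deliberately altered by an attacker, so a timeline corroborates other evidence rather than standing alone.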

Page 61: Computer Evidence Processing Steps

General guidelines (cont.)
Identify file, program, and storage anomalies
▪ Encrypted, compressed, and graphic files (etc.) store data in binary format
▪ Text data stored in these formats cannot be identified by a text search program
▪ Manual evaluation is required
▪ Depending on the type of file involved, the contents should be viewed and evaluated as potential evidence
▪ Based on what files have been deleted on a system, you can potentially make inferences as to what the attacker is/was attempting to do

Page 62: Computer Evidence Processing Steps

General guidelines (cont.)
Document your findings
▪ Document all actions you take
▪ Document all findings and evidence that are found
▪ Include proof of licensing for whatever forensic tool is used
▪ Use of pirated software will compromise an entire case
▪ Document the software and methods used to collect evidence
▪ A digital camera and digital recorder can be useful when documenting
▪ Document EVERYTHING!

Page 63: Computer Evidence Processing Steps

General guidelines (cont.)
Retain copies of software used
▪ Keep a copy of the exact version of any software used to collect evidence
▪ Create a hash of any software used to collect evidence
▪ Different versions of software may produce different results
▪ You may be required to prove your results through duplication; using the same version of the software will aid in this