computer forensics in thecomputer forensics in the campus ... · require information forensics...
TRANSCRIPT
Computer Forensics in theComputer Forensics in the Campus Environment
Scott L KsanderScott L. [email protected]
8/23/06 | Slide 1Scott L. Ksander
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 2Scott L. Ksander
• References
Some Background
• The Dean of Students at Purdue University estimates that 25% of all disciplinary cases p yinvolve some sort of computer evidence
• The Director of the FBI now expects 50% of all cases handled by the FBI to involve at least one computer forensic examination
• Local law enforcement agencies and prosecutors expect 20-40% of all cases will require information forensics
8/23/06 | Slide 3Scott L. Ksander
require information forensics
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 4Scott L. Ksander
• References
Incident Response Methodology (PDCAERF)
Digital Forensics/Evidence ManagementDigital Forensics/Evidence Management
Preparation Detection Containment Analysis Eradication Recovery Follow-up
Feed Back
8/23/06 | Slide 5Scott L. Ksander
Feed Back
8/23/06 | Slide 6Scott L. Ksander
Context of Computer Forensics
•Homeland Security
•Information Security
•Corporate Espionage
•White Collar Crime
•Child Pornography Digital ForensicsComputer Forensics•Traditional Crime
•Incident Response
•Employee Monitoring
i
Computer Forensics
•Privacy Issues
•????
8/23/06 | Slide 7Scott L. Ksander
History & DevelopmentFrancis Galton (1822-1911)
– First definitive study of fingerprintsSir Arthur Conan Doyle (1887)
– Sherlock Holmes mysteriesLeone Lattes (1887-1954)
– Discovered blood groupings (A,B,AB, & 0)g p g ( )Calvin Goddard (1891-1955)
– Firearms and bullet comparisonAlbert Osborn (1858-1946)( )
– Developed principles of document examinationHans Gross (1847-1915)
– First treatise on using scientific disciplines in criminal
8/23/06 | Slide 8Scott L. Ksander
g pinvestigations.
Communities
There at least 3 distinct communities within Digital Forensics– Law Enforcement– Military– Business & Industry
• Possibly a 4th – Academia
8/23/06 | Slide 9Scott L. Ksander
The ProcessThe primary activities of DFS are investigative in nature.The investigative process encompasses
– Identification– Preservation
Collection– Collection– Examination– Analysis – Presentation– Decision
8/23/06 | Slide 10Scott L. Ksander
Computer Forensic Activities
Computer forensics activities commonly include:
the secure collection of computer data– the secure collection of computer data – the identification of suspect data– the examination of suspect data to determine p
details such as origin and content – the presentation of computer-based information
the application of a country's laws to computer– the application of a country s laws to computer practice.
8/23/06 | Slide 11Scott L. Ksander
The 3 As
The basic methodology consists of the 3 As:
– Acquire the evidence without altering or damaging the original
– Authenticate the image– Analyze the data without modifying ity y g
8/23/06 | Slide 12Scott L. Ksander
“The Computer”Computer as Target of the incident
– Get to instructor’s test preparation– Access someone else’s homework– Access/Change a grade– Access financial information– “Denial of Service”
Computer as Tool of the incidentComputer as Tool of the incident– Word processing used to create plagiarized work– E-mail sent as threat or harassment– Printing used to create counterfeit material– Printing used to create counterfeit material
Computer as Incidental to the incident– E-mail/file access used to establish date/timelines– Stored names and addresses of contacts or others
8/23/06 | Slide 13Scott L. Ksander
potentially involved in the incident
General Types of Digital Forensics“N k” A l i“Network” Analysis
– Communication analysis– Log analysis– Path tracingPath tracing
Media Analysis– Disk imaging– MAC time analysis (Modify, Access, Create)
C t t l i– Content analysis– Slack space analysis– Steganography
Code Analysisy– Reverse engineering– Malicious code review– Exploit Review
8/23/06 | Slide 14Scott L. Ksander
The “puzzle” is a combination of all the above pieces
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 15Scott L. Ksander
• References
Principle of Exchange
“..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived ”person arrived.
(Edmund Locard 1910)(Edmund Locard, 1910)
8/23/06 | Slide 16Scott L. Ksander
Forensic Principles
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that idevidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4 All activity relating to the seizure access storage or transfer of4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An Individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possessiondigital evidence while the digital evidence is in their possession.
6. Any agency, which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
8/23/06 | Slide 17Scott L. Ksander
General Evidence Dos & Don’ts
1. Minimize Handling/Corruption of Original Data 2. Account for Any Changes and Keep Detailed Logs of Your Actions 3 Comply with the Five Rules of Evidence3. Comply with the Five Rules of Evidence 4. Do Not Exceed Your Knowledge 5. Follow Your Local Security Policy and Obtain Written Permission 6. Capture as Accurate an Image of the System as Possible 7 B P d t T tif7. Be Prepared to Testify 8. Ensure Your Actions are Repeatable 9. Work Fast 10. Proceed From Volatile to Persistent Evidence 11. Don't Run Any Programs on the Affected System 12. Document Document Document!!!!
Source: AusCERT 2003 (www auscert org)
8/23/06 | Slide 18Scott L. Ksander
Source: AusCERT 2003 (www.auscert.org)
5 Rules of EvidenceAdmissible
Must be able to be used in court or elsewhere
AuthenticEvidence relates to incident in relevant way
Complete (no tunnel vision)Complete (no tunnel vision)Exculpatory evidence for alternative suspects
ReliableReliableNo question about authenticity & veracity
Believable
8/23/06 | Slide 19Scott L. Ksander
Clear, easy to understand, and believable by a jury
Evidence Life Cycle
Collection & identification
Storage, preservation, and transportation
Presentation
Return to production, owner, or court
8/23/06 | Slide 20Scott L. Ksander
Chain of Custody
Protects integrity of the evidenceEffective process of documenting the complete
journey of the evidence during the life of the casejourney of the evidence during the life of the caseAllows you to answer the following questions:
– Who collected it?– How & where?– Who took possession of it?
H it t d & t t d i– How was it stored & protected in storage?
– Who took it out of storage & why?
8/23/06 | Slide 21Scott L. Ksander
Who took it out of storage & why?
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 22Scott L. Ksander
• References
Forensic Mindset
Digital Forensic Mindset – Condensed Definition:
– Using your skills to determine what has occurred or,
– What most likely occurred as opposed to what is possible
– You do NOT work for anyone but the TRUTH!
8/23/06 | Slide 23Scott L. Ksander
Forensic Mindset
The tools used are not nearly as important as the person using them!the person using them!
The examination should not occur in aThe examination should not occur in a vacuum.
Find out all you can about what is already known.
8/23/06 | Slide 24Scott L. Ksander
Organizing the Investigation
Use your knowledge to examine the system to answer; could it have happened that way or
t?not?Don’t make it more complicated than it has to
be start with the obvious!be – start with the obvious!Examples:
Ch k f th t ill– Check for programs that will cause you aggravation – encryption (PGP, Magic Folders, File Vault, EFS, etc.)
8/23/06 | Slide 25Scott L. Ksander
)
Organizing the Investigation
MAC information – what was happening on the system during the time frame you arethe system during the time frame you are interested in?
What was being “written” “changed” orWhat was being written , changed or “accessed”?
8/23/06 | Slide 26Scott L. Ksander
Why use imagesIn keeping with the second IOCE principle, care must be taken not to
change the evidence.Most media are “magnetic based” and the data is volatile:
– Registers & CacheRegisters & Cache– Process tables, ARP Cache, Kernel stats– Contents of system memory– Temporary File systems
D t th di k– Data on the diskExamining a live file system changes the state of the evidence (MAC
times)The computer/media is the “crime scene”Protecting the crime scene is paramount as once evidence is
contaminated it cannot be decontaminated.Really only one chance to do it right!
8/23/06 | Slide 27Scott L. Ksander
Why Create a Duplicate Image?
A file copy does not recover all data areas of the device for examinationthe device for examinationWorking from a duplicate image
– Preserves the original evidencePreserves the original evidence– Prevents inadvertent alteration of original
evidence during examinationevidence during examination– Allows recreation of the duplicate image if
necessary
8/23/06 | Slide 28Scott L. Ksander
y
Why Create a Duplicate Image?
Digital evidence can be duplicated with no degradation from copy to copy
Thi i t th ith t th f f– This is not the case with most other forms of evidence
8/23/06 | Slide 29Scott L. Ksander
Bitstream vs. Backups
Are backups sufficient?– Ideally NO!
Practically it may be the only method available– Practically it may be the only method available
Most O/Ses only pay attention to the live filesystem y p y ystructure– Slack, residue, deleted, etc. are not indexed
Backups generally do not capture this data and they also modify the timestamps of data, contaminating h i li
8/23/06 | Slide 30Scott L. Ksander
the timeline.
Bitstream vs. Backups
Forensic Copies (Bitstream)– Bit for Bit copying captures all the data on the
copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)
Often the “smoking gun” is found in the residual data.
Logical vs. physical image
8/23/06 | Slide 31Scott L. Ksander
Disk Imaging Tools Requirements
The tool shall make a bit-stream duplicate or an image of an original disk or partition.g g p
The tool shall not alter the original disk.The tool shall be able to verify the integrity of a disk
image file.The tool shall log I/O errors.The tool’s documentation shall be correctThe tool s documentation shall be correct.
8/23/06 | Slide 32Scott L. Ksander
MAC Times
• Time attributes (Modified, Accessed, Changed).• Allow an investigator to develop a time line or g p
Chronology of the incident• The time line is vital when examining logs, & event files• Improperly accessing or searching a system can alterImproperly accessing or searching a system can alter
the time lines destroying evidence or erasing trails.
8/23/06 | Slide 33Scott L. Ksander
Drive Imaging Tools
SafeBack (www.forensics-intl.com)Ghost (www.symantec.com)
– Newest version of Ghost has a forensic “switch” now
DD (standard unix/linux utility)DD (standard unix/linux utility)– #dd if=device of=device bs=blocksize
Encase (www.encase.com)( )MarewareFTK (www.accessdata.com)
8/23/06 | Slide 34Scott L. Ksander
Drive Imaging Hardware
Forensic mobile field system (MFS)
L t ith NIC– Laptop with NIC– Portable workstation
8/23/06 | Slide 35Scott L. Ksander
Rules of ThumbMake 2 copies of the original media
– 1 copy becomes the working copy– 1 copy is a library/control copypy y py– Verify the integrity of the copies to the original
The working copy is used for the analysisThe library copy is stored for disclosure purposes or in the y py p p
event that the working copy becomes corruptedIf performing a drive to drive imaging (not an image file) use
clean media to copy to!Shrink wrapped new drives– Shrink wrapped new drives
– Next best, zero another driveVerify the integrity of all images!
8/23/06 | Slide 36Scott L. Ksander
Disk Write Blockers
Prevent data been written to the suspect drive
Ensure the integrity of the suspect drive
Software Write Blockers v. Hardware
8/23/06 | Slide 37Scott L. Ksander
Hardware Write Block
A hardware write blocker (HWB) is a hardware device that attaches to a computer system with the primary purpose of intercepting and preventing (orpurpose of intercepting and preventing (or ‘blocking’) any modifying commands from ever reaching the storage device.
Physically, the device is connected between thePhysically, the device is connected between the computer and a storage device.
Some of its functions include monitoring and filtering any activity that is transmitted or received betweenany activity that is transmitted or received between its interface connections to the computer and the storage device.
8/23/06 | Slide 38Scott L. Ksander
Forensic Boot Disk
General principles:– Used to boot suspect systems safely– Contains a filesystem and statically linked
utilities (e.g., ls, fdisk, ps, nc, dd, ifconfig, etc )etc.)
– Recognizes large partitions (+2 or + 8 Gb)– Places the suspect media in a locked or– Places the suspect media in a locked or
read-only state– Does not swap any data to the suspect
8/23/06 | Slide 39Scott L. Ksander
p y pmedia
Forensic Boot Disk
Open source bootable images:
– Helix (http://www.e-fense.com/helix/)
– Trinux(http://trinux.sourceforge.net/)
– BartPE
8/23/06 | Slide 40Scott L. Ksander
(http://www.nu2.nu/pebuilder/)
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 41Scott L. Ksander
• References
Computer People are from Mars
Law Enforcement is from VenusLaw Enforcement is from Venus
8/23/06 | Slide 42Scott L. Ksander
Advantage of Computer People
Natural curiosity“Obsessed” with detailProblem/puzzle solving in their
profession/passionIntuitive thinkersLook for “creative” solutions
8/23/06 | Slide 43Scott L. Ksander
Advantage of Law Enforcement
Trained investigators Interviewing skills and creativityInterviewing skills and creativityFact-finding is their life Understanding the criminal psycheUnderstanding the criminal psyche Access to additional resourcesC ti thi t th i id tCan tie things to other incidentsBroad data collection reach
8/23/06 | Slide 44Scott L. Ksander
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 45Scott L. Ksander
• References
8/23/06 | Slide 46Scott L. Ksander
8/23/06 | Slide 47Scott L. Ksander
8/23/06 | Slide 48Scott L. Ksander
8/23/06 | Slide 49Scott L. Ksander
8/23/06 | Slide 50Scott L. Ksander
8/23/06 | Slide 51Scott L. Ksander
Forensic Field kitsDocumentation Tools
– Cable tags.– Indelible felt tip markers.– Stick-on labels.
Disassembly and Removal Tools– A variety of nonmagnetic sizes and types of:– Flat-blade and Philips-type screwdrivers.p yp– Anti-static Straps– Hex-nut drivers.– Needle-nose pliers.– Secure-bit drivers.– Small tweezers.– Specialized screwdrivers (manufacturer-specific, e.g., Compaq,– Macintosh).– Standard pliers.
8/23/06 | Slide 52Scott L. Ksander
– Star-type nut drivers.– Wire cutters.
Forensic Field kitsPackage and Transport Supplies
– Antistatic bags.Antistatic bubble wrap– Antistatic bubble wrap.
– Cable ties.– Evidence bags.g– Evidence tape.– Packing materials (avoid materials that can
produce static such as Styrofoam orproduce static such as Styrofoam or Styrofoam peanuts).
– Packing tape.
8/23/06 | Slide 53Scott L. Ksander
– Sturdy boxes of various sizes.
Forensic Field kits
Items that also should be included within a kit are:– Rubber Gloves****– Hand truck– Hand truck.– Large rubber bands.– List of contact telephone numbers for assistance.
M if i l– Magnifying glass.– Printer paper.– Seizure disk.– Small flashlight.– Unused removable media (CD, DVD, etc)– Blank & Zeroed Hard Drives
8/23/06 | Slide 54Scott L. Ksander
– Blank & Zeroed Hard Drives
8/23/06 | Slide 55Scott L. Ksander
8/23/06 | Slide 56Scott L. Ksander
8/23/06 | Slide 57Scott L. Ksander
8/23/06 | Slide 58Scott L. Ksander
8/23/06 | Slide 59Scott L. Ksander
8/23/06 | Slide 60Scott L. Ksander
8/23/06 | Slide 61Scott L. Ksander
8/23/06 | Slide 62Scott L. Ksander
8/23/06 | Slide 63Scott L. Ksander
8/23/06 | Slide 64Scott L. Ksander
8/23/06 | Slide 65Scott L. Ksander
8/23/06 | Slide 66Scott L. Ksander
8/23/06 | Slide 67Scott L. Ksander
8/23/06 | Slide 68Scott L. Ksander
8/23/06 | Slide 69Scott L. Ksander
8/23/06 | Slide 70Scott L. Ksander
Software Toolkit
Directory Snoop (http://www.briggsoft.com)ThumbsPlus (http://www.cerious.com)( p )WinHex (http://www.winhex.com)Mount Image (http://www.mountimage.com)g ( p g )
Autopsy Forensic BrowserAutopsy Forensic BrowserFTK
8/23/06 | Slide 71Scott L. Ksander
Things That Will Be Covered On The Final
Computer evidence is not just about computer crime or incident response
K d t bli h d f i i i lKnow and use established forensics principlesMindset and technique are more important than toolsEstablishing relationships is the key to successEstablishing relationships is the key to successHow to start building your forensic toolkitThings to expect in the campus environmentg p pChallenges and expected defensesReferences
8/23/06 | Slide 72Scott L. Ksander
Just saying “Hi”“Thought you
might be ginterested”
Notify potentialNotify potential victims
8/23/06 | Slide 73Scott L. Ksander
18 USC 2703(f)“Preservation
letter”Preserve for 90
daysdaysONLY
t ti lretrospectively
8/23/06 | Slide 74Scott L. Ksander
18 USC 2703(f)“… without
notice … nor … any disruption indisruption in service”
8/23/06 | Slide 75Scott L. Ksander
Subpoena often follows
“… requested qnot to disclose the existencethe existence of this subpoena”subpoena
8/23/06 | Slide 76Scott L. Ksander
Subpoena“Provide all
records, ,documents, logs, andlogs, and subscriber information”information
8/23/06 | Slide 77Scott L. Ksander
Search WarrantSometimes
“Sealed”
8/23/06 | Slide 78Scott L. Ksander
Operational plan for Search Warrants
“No warning shots.”shots.
8/23/06 | Slide 79Scott L. Ksander
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 80Scott L. Ksander
• References
Challenges
NIJ 2001 Study• There is near-term window of opportunity for law
enforcement to gain a foothold in containingenforcement to gain a foothold in containingelectronic crimes.
• Most State and local law enforcement agencies report that they lack adequate training, equipmentreport that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime.
• Greater awareness of electronic crime should beGreater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.
8/23/06 | Slide 81Scott L. Ksander
General ChallengesComputer forensics is in its infancyDifferent from other forensic sciences as the media that is
examined and the tools/techniques for the examiner are products of a market-driven private sector
No real basic theoretical background upon which to conduct empirical hypothesis testing
N t f i l d i tiNo true professional designationsProper trainingAt least 3 different “communities” with different demandsS f “f ”Still more of a “folk art” than a true science
8/23/06 | Slide 82Scott L. Ksander
Specific ChallengesNo International Definitions of Computer CrimeNo International agreements on extraditionsMultitude of OS platforms and filesystemsIncredibly large storage capacityIncredibly large storage capacity
– 100 Gig Plus– Terabytes– SANs
Small footprint storage devices– Compact flash– Memory sticks
Thumb drives– Thumb drives– Secure digital
Networked environmentsRAID systems
8/23/06 | Slide 83Scott L. Ksander
Grid computingEmbedded processors
Specific Challenges
Where is the “crime scene?”Cyberspace
Perpetrator’s Victim’s System System
Electronic CrimeElectronic Crime
Scene
8/23/06 | Slide 84Scott L. Ksander
General Defense Strategies
Not Me Defense (aka SODDI, TODDI)Mind Numbing Detail DefenseMind-Numbing Detail DefenseIndict the Examiner Defense
(aka Dennis Fung Defense)(aka Dennis Fung Defense)
8/23/06 | Slide 85Scott L. Ksander
Things That Will Be Covered On The Final
• Computer evidence is not just about computer crime or incident responseK d t bli h d f i i i l• Know and use established forensics principles
• Mindset and technique are more important than toolstools
• Establishing relationships is the key to success• How to start building your forensic toolkit• Things to expect in the campus environment• Challenges and expected defenses
8/23/06 | Slide 86Scott L. Ksander
• References
NHTCU
National Hi-Tech Crime Unit (UK)The ACPO Good Practice Guide for Computer based Electronic Evidence (2003)
http://www.nhtcu.orghttp://www.nhtcu.org
8/23/06 | Slide 87Scott L. Ksander
DOJ - CCIPS
Searching and Seizing Computers and g g pObtaining Electronic Evidence in Criminal Investigations
http://www.cybercrime.gov/s&smanual2002.htm
8/23/06 | Slide 88Scott L. Ksander
NIJ Guide
Electronic Crime Scene Investigation:Electronic Crime Scene Investigation: A Guide for First Responders
http://www.ncjrs.org/pdffiles1/nij/187736.pdf
8/23/06 | Slide 89Scott L. Ksander
Questions Before Elvis Leaves The Building?
8/23/06 | Slide 90Scott L. Ksander