Computer Forensics, The Investigator's Perspective
TRANSCRIPT
-
8/14/2019 Computer Forensics, The Investigator's Perspective
1/53
Computer Forensics,
The Investigator's Perspective
Paul T. Mobley Sr. ([email protected])
Computer Forensics Consultant
Jawz Inc.
-
What is Computer Forensics?
Computer Forensics can be defined simply as
the process of applying scientific and
analytical techniques to computer operating
systems and file structures to determine
the potential for legal evidence.
-
Overview of Presentation
Why is evidence identification and preservation required?
Who benefits from Computer Forensics?
General types of forensic examinations requested.
Process of forensics.
Tools of the trade.
What is the examiner looking for?
-
Why is Evidence important?
In the legal world, Evidence is
EVERYTHING.
Evidence is used to establish facts.
The Forensic Examiner is not biased.
-
Who needs Computer Forensics?
The Victim!
Law Enforcement
Insurance Carriers
Ultimately the Legal System
-
Who are the Victims?
Private Business
Government
Private Individuals
-
Reasons for a Forensic Analysis
ID the perpetrator.
ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.
Conduct a damage assessment of the victimized network.
Preserve the evidence for judicial action.
-
Types of Forensic Requests
Intrusion Analysis
Damage Assessment
Suspect Examination
Tool Analysis
Log File Analysis
Evidence Search
-
Intrusion Analysis
Who gained entry?
What did they do?
When did this happen?
Where did they go?
Why the chosen network?
How did they do this?
-
Damage Assessment
What was available for the intruder to see?
What did he take?
What did he leave behind?
Where did he go?
-
File Recovery
Deleted Files
Hidden Files
Slack Space
Bad Blocks
Steganography
X-Drives
NTFS Streams
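Deleted files, slack space and "bad" blocks have one thing in common: the file system no longer (or never did) point at the data, so recovery has to work on the raw bytes of the image. The block below is an added example, not part of the presentation, of signature-based carving over a raw image. The two signatures, the sample PNG/JPEG bytes and the "unallocated space" they are embedded in are all constructed here for the demonstration.

```python
import struct
import zlib

# header, footer, and the bytes that trail the footer, for each type carved here
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND", 4),      # IEND chunk is followed by a 4-byte CRC
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9", 0),  # SOI ... EOI
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw bytes for known headers and return (offset, type, data) tuples.

    The file system is never consulted, so this recovers deleted files whose
    clusters are unallocated but not yet overwritten, as well as data parked in
    slack space or in blocks marked bad. Caveat: a JPEG with an embedded EXIF
    thumbnail contains an inner EOI, so a real carver also checks structure.
    """
    found = []
    for kind, (header, footer, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1        # header without footer: truncated or overwritten
                continue
            end += len(footer) + trailer
            found.append((start, kind, image[start:end]))
            pos = end
    found.sort()                       # report hits in disk order
    return found


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 grey PNG, constructed here as sample evidence."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")                     # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_jpeg_stub() -> bytes:
    """SOI + APP0 (JFIF) + EOI: JPEG framing only, not a decodable picture."""
    app0 = b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8\xff\xe0" + app0 + b"\xff\xd9"


SAMPLE_PNG = make_png_1x1()
SAMPLE_JPEG = make_jpeg_stub()


def make_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a deleted PNG, slack, a deleted JPEG, filler."""
    filler = bytes(range(256)) * 2     # 512 bytes containing none of the signatures
    slack = b"\x00" * 64
    return filler + SAMPLE_PNG + slack + SAMPLE_JPEG + filler


if __name__ == "__main__":
    for offset, kind, data in carve(make_sample_image()):
        print("%s at offset %d, %d bytes" % (kind, offset, len(data)))
```

On a real case the input is the verified image file (read in chunks with an overlap of the longest header so hits on chunk boundaries are not missed) and every carved object is hashed and logged with its byte offset, which is what ties it back to the media in the report.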
-
NTFS Streams
The Forensic ToolKit 1.4 from NT OBJECTives, Inc.
Copyright(c)1998 NT OBJECTives, Inc. All Rights Reserved
AFind - File access time finder
SFind - Hidden data streams finder
HFind - Hidden file finder
-
Tool Analysis
What tools were used?
How were they executed?
What language were they written in?
File comparison with the suspect's files.
-
Log File Analysis
Events.
What Events are monitored?
What do the event records reveal?
Firewall/Router/Server log files?
TripWire Database?
Modem/FTP/Telnet/RAS
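The intrusion-analysis questions (who, what, when, where) are usually answered by correlating log records per source rather than by reading them top to bottom. The block below is an added example, not part of the presentation: it parses a constructed Telnet/FTP-style access log and flags any source that fails to log in repeatedly and then succeeds inside a time window, collecting what that source did afterwards. The record format, the host names, the addresses and the events are all invented for the sample; a real server's log needs its own LINE_RE.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "date time source event detail". Not from any real server.
SAMPLE_LOG = r"""2000-03-04 02:11:03 203.0.113.7 LOGIN_FAILED administrator
2000-03-04 02:11:09 203.0.113.7 LOGIN_FAILED administrator
2000-03-04 02:11:15 203.0.113.7 LOGIN_FAILED administrator
2000-03-04 02:11:21 203.0.113.7 LOGIN_OK administrator
2000-03-04 02:15:40 203.0.113.7 FILE_GET C:\WINNT\repair\sam
2000-03-04 02:16:02 203.0.113.7 FILE_PUT C:\WINNT\system32\nc.exe
2000-03-04 02:17:30 203.0.113.7 LOGOUT administrator
2000-03-04 08:00:02 198.51.100.5 LOGIN_OK jsmith
2000-03-04 08:01:10 198.51.100.5 FILE_GET C:\Reports\q1.doc
2000-03-04 08:03:44 192.0.2.77 LOGIN_FAILED jsmith
2000-03-04 08:03:58 192.0.2.77 LOGIN_OK jsmith
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+)(?: (.*))?$")


def parse(log_text):
    """Return (timestamp, source, event, detail) tuples; unparsable lines are skipped
    (in a real examination they are counted and reported, never silently dropped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4) or ""))
    return events


def find_intrusions(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logins followed by a success within
    `window`, and attach every later event from that source.

    who   -> the source address        when  -> first attempt / time of success
    what  -> the actions list          where -> the paths/targets in those actions
    """
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[1]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort()                                # evidence must be read in time order
        failures = []
        for i, (ts, _, kind, detail) in enumerate(evs):
            if kind == "LOGIN_FAILED":
                failures.append(ts)
            elif kind == "LOGIN_OK":
                recent = [f for f in failures if ts - f <= window]
                if len(recent) >= threshold:
                    findings.append({
                        "who": src,
                        "account": detail,
                        "first_attempt": recent[0],
                        "compromised_at": ts,
                        "actions": [(t, k, d) for t, _, k, d in evs[i + 1:]],
                    })
                failures = []                     # a success closes the attempt series
    return findings


if __name__ == "__main__":
    for f in find_intrusions(SAMPLE_LOG):
        print("%s as %s: %d failures from %s, success at %s" % (
            f["who"], f["account"], 0, f["first_attempt"], f["compromised_at"]))
        for t, k, d in f["actions"]:
            print("   ", t, k, d)
```

The threshold and window are the tunable part: too low and every mistyped password is an "intrusion", too high and a slow, patient attacker never crosses it. Run it once with the defaults for the report and once with threshold=1 to see what else the same logic surfaces.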
-
Evidence Search
Image Files
Software applications
Deleted Files
Hidden Files
Encrypted Files
Hidden partitions
Keyword Search
Known Remote Access Tools
-
Forensics Process
Preparation
Protection
Imaging
Examination
Documentation
-
Preparation
Confirm the authority to conduct the analysis/search of the media.
Verify the purpose of the analysis and the clearly defined desired results.
Ensure that sterile media is available and used for imaging (i.e., free of viruses and non-essential files, and verified before use).
Ensure that all software tools used for the analysis are tested and widely accepted for use in the forensics community.
-
Legal Overview
Employer Searches in Private-Sector Workplaces
Warrantless workplace searches by private
employers rarely violate the Fourth Amendment. So long
as the employer is not acting as an instrument or agent of
the Government at the time of the search, the search is a
private search and the Fourth Amendment does not
apply. See Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602, 614 (1989).
Consult with your Legal Counsel
-
Protection
Protect the integrity of the evidence.
Maintain control until final disposition.
Prior to booting the target computer, DISCONNECT the HDD and verify the CMOS settings (boot order and system clock).
When booting a machine for analysis, utilize HD lock (write-blocking) software.
-
Typical CBD Files
-
Imaging
Utilize disk imaging software to make an exact
image of the target media. Verify the image.
When conducting an analysis of target media, utilize
the restored image of the target media; never utilize
the actual target media.
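"Verify the image" means more than a successful copy: the examiner needs a hash of the source taken before imaging, the same hash after imaging (proof the original was not altered), and a matching hash of the image itself, all written into the notes. The block below is an added example, not part of the presentation or of any imaging product. It hashes and copies chunk by chunk so it works on a raw device path (for example /dev/sdb under a write blocker, run as root) as well as on a file; the demo uses a constructed pseudo-disk in a temporary directory and then corrupts one byte of the image to show the check failing.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Hash a file or raw device in fixed-size chunks (never loads it into memory)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_media(src, dst, algo="sha256", chunk=1 << 20):
    """Bit-for-bit copy of src to dst with before/after verification.

    Returns a record suitable for the examination notes; 'verified' is True only
    if the source hash before, the source hash after, the hash of the bytes
    streamed through the copy, and the hash of the finished image all agree.
    """
    before = hash_file(src, algo, chunk)
    h = hashlib.new(algo)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            h.update(block)
            fout.write(block)
    streamed = h.hexdigest()
    after = hash_file(src, algo, chunk)          # the source must be unchanged
    image = hash_file(dst, algo, chunk)          # the image must equal the source
    return {
        "algo": algo,
        "source_before": before,
        "source_after": after,
        "image": image,
        "bytes": os.path.getsize(dst),
        "verified": before == after == streamed == image,
    }


def demo():
    """Constructed sample: image a 3 MiB + 17 byte pseudo-disk, verify it, then
    flip one byte of the image to show that re-hashing catches the change."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "suspect_disk.raw")
    img = os.path.join(tmp, "suspect_disk.img")
    size = 3 * 1024 * 1024 + 17                  # deliberately not a whole number of chunks
    with open(src, "wb") as f:
        f.write((bytes(range(256)) * (size // 256 + 1))[:size])
    record = image_media(src, img, chunk=1 << 16)

    with open(img, "r+b") as f:                  # simulate a write to the working copy
        f.seek(4096)
        b = f.read(1)
        f.seek(4096)
        f.write(bytes([b[0] ^ 0xFF]))
    still_matches = hash_file(img) == record["image"]

    shutil.rmtree(tmp)
    return record, still_matches


if __name__ == "__main__":
    rec, ok_after_tamper = demo()
    print("verified:", rec["verified"], "bytes:", rec["bytes"], rec["algo"], rec["image"])
    print("image still matches after a one-byte write:", ok_after_tamper)
```

Keep the record (algorithm, digests, byte count, date/time, examiner) with the chain-of-custody paperwork; any restored working copy is re-hashed against `image` before analysis starts, and again whenever the copy leaves the examiner's control.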
-
Imaging Software
-
Examination
The Operating System
Services
Applications/processes
Hardware
LOGFILES!
System, Security, and Application
File System
-
Examination Continued
Deleted/Hidden Files/NTFS Streams
Software
Encryption Software
Published Shares/Permissions
Password Files
SIDs
Network Architecture/Trusted Relationships
-
Off-Site Storage
X-Drives
FTP Links
FTP Logs
Shares on internal networks
-
Security Identifiers
SIDs can be used to ID the perpetrator.
Within Win2K it is the SID, not the user name, that identifies a user.
Security (permissions, ownership, auditing) is applied to the SID, so renaming an account does not change it.
-
Where to find the SID
-
SID Structure
Domain Identifier: all values in the series except the last identify the domain.
Relative Identifier (RID): the last value; it identifies the account or group.
S-1-5-21-838281932-1837309565-1144153901-1000
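The string form above is what the examiner reads, but on disk (file ACLs, the registry, event log records) a SID is stored in a binary layout: one byte of revision, one byte giving the number of sub-authorities, a 6-byte big-endian identifier authority, then the sub-authorities as little-endian 32-bit values. The block below is an added example, not part of the presentation: it splits a SID the way the slide describes (everything before the last value is the domain/machine identifier, the last value is the RID), converts between the text and binary forms, names a few well-known SIDs and RIDs (the RID 500 Administrator keeps that RID whatever the account is renamed to), and tests whether two SIDs recovered from different places belong to the same domain or machine. The example SID is the one from the slide; the well-known values are standard Windows constants.

```python
import struct

# Built-in RIDs that keep their meaning even if the account or group is renamed.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users",
    518: "Schema Admins", 519: "Enterprise Admins",
}
# A few SIDs that are identical on every Windows system.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "LocalSystem",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}


def parse_sid(text):
    """Split 'S-rev-authority-sub1-...-subN' into its parts.

    The domain/RID split only applies to the S-1-5-21-a-b-c-RID form, which is
    the one that identifies accounts in a domain or on a specific machine; a
    well-known SID such as S-1-5-18 has no RID in that sense.
    """
    text = text.strip()
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    info = {
        "sid": text, "revision": revision, "authority": authority,
        "subauthorities": subs, "domain": None, "rid": None,
        "name": WELL_KNOWN_SIDS.get(text),
    }
    if revision == 1 and authority == 5 and subs[:1] == [21] and len(subs) == 5:
        info["domain"] = "-".join(parts[:-1])     # all values except the last
        info["rid"] = subs[-1]                    # the last value
        info["name"] = info["name"] or WELL_KNOWN_RIDS.get(info["rid"])
        if info["name"] is None and info["rid"] >= 1000:
            info["name"] = "user-created account or group"
    return info


def sid_to_bytes(text):
    """Text SID -> binary layout as stored in ACLs and registry values."""
    s = parse_sid(text)
    subs = s["subauthorities"]
    return (bytes([s["revision"], len(subs)])
            + s["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", x) for x in subs))


def sid_from_bytes(data):
    """Binary SID -> text; raises if the buffer is too short for its own count."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(x) for x in subs))


def same_domain(sid_a, sid_b):
    """True if two account SIDs were issued by the same domain or machine, e.g. a
    file owner SID from the victim and a profile SID found on a suspect's system."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["domain"] is not None and a["domain"] == b["domain"]


if __name__ == "__main__":
    example = "S-1-5-21-838281932-1837309565-1144153901-1000"
    print(parse_sid(example))
    print(sid_to_bytes(example).hex())
```

The examination slide's "Published Shares/Permissions" and "Password Files" items both lead back here: a SID in a file's ACL, in the registry profile list or in a security event record is compared with `same_domain` and `parse_sid` to say which account, on which machine, the evidence points at.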
-
Documentation
Document EVERYTHING
Reason for Examination
The Scene
Utilize Screen Capture/Copy Suspected files
All applications used for the analysis, and all applications on the examined system.
-
Users
-
Closing
Forensic techniques are based on the file
system of the media to be examined.
Utilizing an NTFS partition enhances security.
It further increases the forensic examiner's
chances of recovering useful evidence.
The investigator is looking for evidence to
establish a fact (or facts).