Computer Forensics, The Investigator's Perspective


Posted on 30-May-2018


  • 8/14/2019 Computer Forensics, The Investigator's Perspective

    1/53

    Computer Forensics, The Investigator's Perspective

    Paul T. Mobley Sr. ([email protected])
    Computer Forensics Consultant
    Jawz Inc.

  • What is Computer Forensics?

    Computer Forensics can be defined simply as a process of applying scientific and analytical techniques to computer Operating Systems and File Structures in determining the potential for Legal Evidence.

  • Overview of Presentation

    Why is Evidence identification and Preservation required?
    Who benefits from Computer Forensics?
    General Types of Forensic Examinations requested.
    Process of Forensics. Tools of the trade.
    What is the Examiner looking for?

  • Why is Evidence important?

    In the legal world, Evidence is EVERYTHING.
    Evidence is used to establish facts.
    The Forensic Examiner is not biased.

  • Who needs Computer Forensics?

    The Victim!
    Law Enforcement
    Insurance Carriers
    Ultimately the Legal System

  • Who are the Victims?

    Private Business
    Government
    Private Individuals


  • Reasons for a Forensic Analysis

    ID the perpetrator.
    ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.
    Conduct a damage assessment of the victimized network.
    Preserve the Evidence for Judicial action.

  • Types of Forensic Requests

    Intrusion Analysis
    Damage Assessment
    Suspect Examination
    Tool Analysis
    Log File Analysis
    Evidence Search

  • Intrusion Analysis

    Who gained entry?
    What did they do?
    When did this happen?
    Where did they go?
    Why the chosen network?
    How did they do this?

  • Damage Assessment

    What was available for the intruder to see?
    What did he take?
    What did he leave behind?
    Where did he go?

  • File Recovery

    Deleted Files
    Hidden Files
    Slack Space
    Bad Blocks
    Steganography
    X-Drives
    NTFS Streams
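Slack space, as an added example that is not part of the slide deck: the bytes between a file's logical end and the end of its last allocated cluster still hold whatever the previous occupant of that cluster left behind, which is why the examiner carves them. The volume, the cluster size and the file's cluster list below are constructed; on a real volume they come from the boot sector and the file's allocation records.

```python
import re

CLUSTER_SIZE = 4096  # assumed; the real value is read from the volume's boot sector


def build_sample_volume():
    """Constructed sample volume of six clusters. Clusters 2-3 once held a
    note that was later deleted; a new 5000-byte file was then written into
    the same clusters, overwriting only the first 5000 bytes."""
    vol = bytearray(6 * CLUSTER_SIZE)
    old_note = b"DELETED NOTE: transfer approved by jdoe " * 200  # 8000 bytes
    vol[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(old_note)] = old_note
    new_file = b"A" * 5000
    vol[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + len(new_file)] = new_file
    return bytes(vol)


def extract_slack(volume, clusters, logical_size, cluster_size=CLUSTER_SIZE):
    """Return the file slack: bytes from the logical end of file to the end of
    the last allocated cluster. `clusters` lists the file's clusters in order."""
    if not clusters:
        raise ValueError("file has no allocated clusters")
    used_in_last = logical_size - (len(clusters) - 1) * cluster_size
    if not 0 <= used_in_last <= cluster_size:
        raise ValueError("logical size does not match the allocated clusters")
    if used_in_last == cluster_size:
        return b""  # file ends exactly on a cluster boundary: no slack
    last = clusters[-1]
    start = last * cluster_size + used_in_last
    return volume[start:(last + 1) * cluster_size]


def carve_strings(data, min_len=8):
    """Printable ASCII runs inside a slack region: the usual first pass
    before keyword-searching the recovered bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def demo():
    vol = build_sample_volume()
    slack = extract_slack(vol, clusters=[2, 3], logical_size=5000)
    return slack, carve_strings(slack)
```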


  • NTFS Streams

    The Forensic ToolKit 1.4 from NT OBJECTives, Inc.
    Copyright (c) 1998 NT OBJECTives, Inc. All Rights Reserved

    AFind - File access time finder
    SFind - Hidden data streams finder
    HFind - Hidden file finder

  • Tool Analysis

    What tools were used?
    How were they executed?
    What language were they written in?
    File Comparison with Suspect's Files.

  • Log File Analysis

    Events.
    What Events are monitored?
    What do the event records reveal?
    Firewall/Router/Server log files?
    TripWire Database?
    Modem/FTP/Telnet/RAS

  • Evidence Search

    Image Files
    Software applications
    Deleted Files
    Hidden Files
    Encrypted Files
    Hidden partitions
    Keyword Search
    Known Remote Access Tools

  • Forensics Process

    Preparation
    Protection
    Imaging
    Examination
    Documentation

  • Preparation

    Confirm the authority to conduct analysis/search of media.
    Verify the purpose of the analysis and the clearly defined desired results.
    Ensure that sterile media is available and utilized for imaging (i.e. free of viruses and non-essential files, and verified before use).
    Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.

  • Legal Overview

    Employer Searches in Private-Sector Workplaces

    Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives' Assn, 489 U.S. 602, 614 (1989).

    Consult with your Legal Counsel

  • Protection

    Protect the integrity of the evidence.
    Maintain control until final disposition.
    Prior to booting the target computer, DISCONNECT the HDD and verify CMOS.
    When booting a machine for analysis, utilize HD lock software.

  • Typical CBD Files

  • Imaging

    Utilize disk imaging software to make an exact image of the target media. Verify the image.
    When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.
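An added example, in Python, of the imaging step above (not code from the deck or from any imaging product): the source is copied in chunks while every byte is hashed, and the image is re-hashed before use so that any change to it since acquisition is caught. The 3 MiB sample media is constructed in a temporary directory, and the bad-block handling is simplified to zero-filling a whole unreadable chunk.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads; on a real device use a multiple of the sector size

def acquire_image(source_path, image_path, chunk=CHUNK):
    """Copy the source media to an image, hashing every byte as written. An
    unreadable chunk (bad block) is zero-filled and its offset recorded for the
    notes (simplified; real tools retry per sector). Returns (sha256, bad offsets)."""
    digest, bad_offsets, offset = hashlib.sha256(), [], 0
    with open(source_path, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        while True:
            try:
                block = src.read(chunk)
            except OSError:
                block = b"\x00" * chunk
                bad_offsets.append(offset)
                src.seek(offset + chunk)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            offset += len(block)
    return digest.hexdigest(), bad_offsets

def sha256_of(path, chunk=CHUNK):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_image(image_path, acquisition_hash):
    """Re-hash the image and compare with the hash recorded at acquisition;
    run this before every examination session, not just once."""
    return sha256_of(image_path) == acquisition_hash

def demo():
    """Constructed sample: a 3 MiB random file stands in for the target media."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "media.bin"), os.path.join(workdir, "media.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))
    acq_hash, bad = acquire_image(src, img)
    verified = verify_image(img, acq_hash)
    with open(img, "r+b") as f:  # an accidental write to the image must be caught
        f.seek(4096)
        f.write(b"EXAMINER")
    return acq_hash == sha256_of(src), bad, verified, verify_image(img, acq_hash)
```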

  • Imaging Software


  • Examination

    The Operating System
    Services
    Applications/processes
    Hardware
    LOGFILES! System, Security, and Application
    File System

  • Examination Continued

    Deleted/Hidden Files/NTFS Streams
    Software
    Encryption Software
    Published Shares/Permissions
    Password Files
    SIDs
    Network Architecture/Trusted Relationships

  • Off-Site Storage

    X-Drives
    FTP Links
    FTP Logs
    Shares on internal networks

  • Security Identifiers

    SIDs can be used to ID the perpetrator.
    SIDs are used within Win2K to ID a user.
    Security is applied to the SID.

  • Where to find the SID


  • SID Structure

    Domain Identifier: all values in the series, excluding the last value, ID the Domain.
    Relative Identifier (RID) is the last value. This IDs the Account or Group.

    S-1-5-21-838281932-1837309565-1144153901-1000
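An added example (not from the deck) that applies the slide's rule in Python: split a SID into its domain identifier and RID, then use that split to relate SIDs recovered from artefacts to the accounts listed on the examined system. The domain identifier is the one on the slide; the account names and the recovered SIDs are constructed sample values.

```python
import re
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known RIDs and SIDs built into Windows (not page-specific values).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
                   "S-1-5-20": "NetworkService"}

# Constructed sample: the slide's domain identifier, two accounts from the
# examined system's account listing, and SIDs recovered from its artefacts.
DOMAIN = "S-1-5-21-838281932-1837309565-1144153901"
KNOWN_ACCOUNTS = {DOMAIN + "-1000": "jdoe", DOMAIN + "-1001": "svc_backup"}
RECOVERED = [DOMAIN + "-1000", DOMAIN + "-500", DOMAIN + "-1337", "S-1-5-18",
             "S-1-5-21-111111111-222222222-333333333-1000"]

def parse_sid(sid):
    """Every value but the last identifies the domain (or local machine);
    the last value, the RID, identifies the account or group within it."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    domain = None
    if len(subs) > 1:  # S-1-5-18 and friends carry no domain component
        domain = "S-%d-%d-%s" % (revision, authority,
                                 "-".join(str(s) for s in subs[:-1]))
    return {"revision": revision, "authority": authority,
            "domain": domain, "rid": subs[-1]}

def describe_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account or group" if rid >= 1000 else "other built-in"

def attribute(found, known_accounts, domain):
    """Name recovered SIDs the examined system lists; otherwise report what the
    structure alone reveals (RID meaning, same or foreign domain)."""
    result = {}
    for sid in found:
        if sid in known_accounts:
            result[sid] = known_accounts[sid]
        elif sid in WELL_KNOWN_SIDS:
            result[sid] = WELL_KNOWN_SIDS[sid]
        else:
            p = parse_sid(sid)
            where = "same domain" if p["domain"] == domain else "foreign domain %s" % p["domain"]
            result[sid] = "%s, %s" % (describe_rid(p["rid"]), where)
    return result
```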

  • Documentation

    Document EVERYTHING
    Reason for Examination
    The Scene
    Utilize Screen Capture/Copy Suspected files
    All apps for Analysis/apps on Examined system.

  • Users


  • Closing

    Forensic Techniques are based on the File System of the media to be examined.
    Utilizing an NTFS partition enhances security. It further increases the Forensic examiner's chances of recovering useful evidence.
    The Investigator is looking for evidence to establish a FACT(s).