intro to comp forensics

Upload: ebudhy

Post on 01-Jun-2018


TRANSCRIPT

  • 8/9/2019 Intro to Comp Forensics (80 slides)

    Slide 1: Introduction to Computer Forensics

    Slide 2: Roadmap

    Incidents & crimes and responding to them: vulnerabilities, threats, incidents/crimes; types of incidents/crime

    How computers & networks work (a forensic perspective): boot sequence; how data is stored and how it can be viewed

    Slide 3: Roadmap (continued)

    Forensic investigations: objectives of investigations; the process; how to handle evidence

    Slide 4: How computers work (a forensic perspective)

    Boot sequence

    How data is stored and how it can be viewed

    Slide 5: How computers work: computer components

    What happens when you turn the computer on?

    What is a file system?

    How is data stored on disks?

    How is data represented in computers and how can it be looked at?

    How is data in Windows 2000 encrypted?

    Slide 6: Components of computers

    Central Processing Unit (CPU)

    Basic Input and Output System (BIOS)

    Memory

    Peripherals (disks, printers, scanners, etc.)

    Slide 7: Boot sequence: what happens when you turn the computer on?

    CPU reset: when the machine is powered on, the CPU is reset and the BIOS is activated.

    Power-On Self Test (POST), performed by the BIOS:
    verify the integrity of the CPU and of the POST code itself;
    verify that all components are functioning properly;
    report any problem (beep codes);
    instruct the CPU to start the boot sequence.

    (System configuration and date/time information is kept in battery-backed CMOS memory while the computer is off; the POST results are compared with the CMOS settings to report problems.)

    Slide 8: Boot sequence: disk boot

    Disk boot: loading of the operating system from disk into memory. The bootstrap code that starts this is in Read-Only Memory.

    IMPORTANT POINTS

    The CMOS chip contains important evidence on the configuration, including the system clock against which file timestamps have to be interpreted. If the battery powering the CMOS is down, that evidence may be lost (Moussaoui case).

    If the computer is rebooted, the data on the hard disk may be altered (for example, …

    Slide 9: Boot sequence: important points

    It is a good idea to obtain the BIOS password from the user. Resetting the CMOS password (by clearing CMOS) can change system settings and hence alter evidence. For example, …

    Slide 10: The file system

    A file system is like a database that tells the operating system where what data is on the disks or other storage devices.

    FAT in MS-DOS is a flat table, one entry per cluster, that links each file's directory entry to the chain of clusters holding it on disk. Microsoft's NTFS is closer in design to unix file systems.

    In unix systems the file system consists of an inode table, providing pointers from file identifiers (inode numbers) to the blocks where the data is stored, and directories, which map names to inode numbers.

    Slide 11: The file system (continued)

    Mounting a file system is the process of making the operating system aware of its existence …

    Slide 12: The file system: important points

    Formatting a hard drive does not erase data, and therefore the data can be recovered: a (quick) format rewrites only the file-system metadata, and the data blocks stay on disk until they are overwritten.

    Low-level formatting does erase data. However, special vendor software is needed to low-level format hard disks.

    Slide 13: Disk storage

    Data is stored on the disk on concentric circles called tracks, one per read/write head on each platter surface. When the platters are stacked, the set of tracks with identical radius is collectively called a cylinder. Each track is also divided into wedge-shaped areas called sectors.

    Disk capacity is given by the product of the number of cylinders, heads (tracks per cylinder), sectors per track and bytes per sector. Each sector usually stores 512 bytes (newer "Advanced Format" drives use 4096-byte physical sectors but still present 512-byte logical sectors to software).

    Slide 14: Disk storage (continued)

    Zoned Bit Recording (ZBR) is used by disk manufacturers to place more sectors on the longer outer tracks than on the inner ones. With a fixed number of sectors per track, the outer tracks would hold no more data than the inner tracks and capacity would be wasted. A consequence is that the cylinder/head/sector geometry a drive reports is a logical translation, not the physical layout.

    Slide 15: Disk storage (continued)

    The tracks on disks may hold one of:

    Boot track (containing partition and boot information)

    Tracks containing files

    Slack space (unused parts of blocks/clusters)

    Unused partition (if the disk is partitioned)

    Unallocated blocks (usually containing data that has been "deleted")

    (When the program e…

    Slide 16: Disk storage: important points

    Hard drives are difficult to erase completely. Traces of magnetism can remain. This is often an advantage, since evidence may not have been erased completely by the perpetrator. Such evidence can be recovered using one of the data recovery services (such as www.ontrack.com, www.datarecovery.net, www.actionfront.com, www.ibas.net).

    Files "deleted" may be partially recovered, since their fragments may still be in unallocated blocks.
    Slide 17: Disk storage: important points (continued)

    Traces of information can remain on storage media such as disks even after deletion. This is called remanence. With sophisticated laboratory equipment it is often possible to reconstruct the information. Therefore, it is important to preserve evidence after an incident.

    A perpetrator can hide data in the inter-partition gaps (space between partitions that is left over when the disk is partitioned) and then use disk editing utilities to edit the disk partition table so that the gaps do not show up.
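As an added worked example (not part of the original slides), this is how an examiner reads the partition table out of sector 0 and lists every sector that no partition claims, then checks those sectors for content. The disk image, its two partitions, the marker planted between them and the rewrite_entry helper that mimics a disk editor are all constructed here for illustration.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # flag, CHS start, type, CHS end, LBA start, sector count


def build_test_image(total_sectors, partitions, hidden_sector, hidden_payload):
    """Constructed disk image (not a real drive): an MBR in sector 0, the given
    partitions as (type, lba_start, sector_count), and a payload planted in a
    sector that belongs to no partition."""
    image = bytearray(total_sectors * SECTOR)
    image[0:2] = b"\xeb\xfe"                     # stand-in for boot code ('jmp $')
    for i, (ptype, start, count) in enumerate(partitions):
        off = 446 + 16 * i
        flag = 0x80 if i == 0 else 0x00
        # CHS fields are left zero on purpose: tools use the LBA fields
        image[off:off + 16] = struct.pack(ENTRY_FMT, flag, b"\0\0\0", ptype, b"\0\0\0", start, count)
    image[510:512] = b"\x55\xaa"
    hoff = hidden_sector * SECTOR
    image[hoff:hoff + len(hidden_payload)] = hidden_payload
    return bytes(image)


def parse_mbr(image):
    """Return the non-empty partition entries of sector 0, sorted by start sector."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not an MBR, or sector 0 was overwritten")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({"slot": i, "type": ptype, "bootable": flag == 0x80,
                      "start": start, "end": start + count - 1})
    return sorted(parts, key=lambda p: p["start"])


def find_gaps(parts, total_sectors):
    """Inclusive sector ranges covered by no partition entry; sector 0 is the MBR itself."""
    gaps, cursor = [], 1
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def nonzero_sectors(image, gap):
    """Sectors inside a gap holding anything but zeros: candidates for hidden data."""
    first, last = gap
    return [s for s in range(first, last + 1) if any(image[s * SECTOR:(s + 1) * SECTOR])]


def rewrite_entry(image, slot, ptype, start, count):
    """Edit one MBR slot in place: what a disk editor lets an adversary do to shrink
    a partition and push data outside the space the file system knows about."""
    img = bytearray(image)
    off = 446 + 16 * slot
    img[off:off + 16] = struct.pack(ENTRY_FMT, img[off], b"\0\0\0", ptype, b"\0\0\0", start, count)
    return bytes(img)


# Constructed example: a 2 MiB 'disk' with an NTFS-type and a Linux-type partition
# and a marker planted at sector 1500, which lies between the two partitions.
TOTAL = 4096
PARTS = [(0x07, 64, 1024), (0x83, 2048, 1024)]
IMAGE = build_test_image(TOTAL, PARTS, 1500, b"hidden in the inter-partition gap")

if __name__ == "__main__":
    parts = parse_mbr(IMAGE)
    for p in parts:
        print(f"slot {p['slot']}: type 0x{p['type']:02x} sectors {p['start']}-{p['end']}")
    for gap in find_gaps(parts, TOTAL):
        print(f"gap {gap[0]}-{gap[1]}: non-zero sectors {nonzero_sectors(IMAGE, gap)}")
```

The same walk over a real image (a raw dd copy of the drive, opened read-only) is the practical form of the slide's advice: trust the sector arithmetic, not the partition table the suspect may have edited.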


    Slide 18: Disk storage: important points (continued)

    The perpetrator can hide data in NTFS (NT) alternate data streams, and such streams can contain executables …

    Slide 19: Disk storage: important points (continued)

    For linux systems, LDE (Linux Disk Editor, at lde.sourceforge.net) is a similar utility available under the GNU license.

    Main lesson: Do not depend on directories or Windows Explorer. Get to the physical data stored on the disk drives. Do not look only at the partitioned disk. Incriminating data may be lurking elsewhere on the disk.

    Slide 20: Data representation

    While all data is ultimately represented in binary form (ones and zeroes), use of editors that provide hex …

    Slide 21: Data representation: important point

    One should be careful in using such editors, since data can be destroyed inadvertently. Work on a verified copy (image) of the media, never on the original, and open it read-only.
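The following added example (not code from the slides) ties together slide 12 (formatting does not erase data), slide 19 (get to the physical data, not the directory) and slides 20-21 (look at the raw bytes in hex, without modifying them). It builds a small constructed image, zeroes its directory block the way a quick format would, and shows that a byte-wise signature carve still finds the files while the directory listing is empty. The toy "name:block" directory format, the block size and the planted headers are assumptions of the example; the hexdump function only reads.

```python
BLOCK = 512
SIGNATURES = {                      # well-known file headers ("magic bytes")
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "pdf":  b"%PDF-",
}


def build_test_image(n_blocks=64):
    """Constructed image (not a real disk): block 0 is a toy directory of
    'name:block' lines, files live in the blocks it points to, and one PDF
    header starts mid-block, like a fragment left in slack or unallocated space."""
    img = bytearray(n_blocks * BLOCK)
    directory = b"photo.jpg:5\nlogo.png:20\n"
    img[0:len(directory)] = directory
    img[5 * BLOCK:5 * BLOCK + 11] = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    img[20 * BLOCK:20 * BLOCK + 16] = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    pdf_off = 33 * BLOCK + 7
    img[pdf_off:pdf_off + 8] = b"%PDF-1.4"
    return bytes(img)


def quick_format(img):
    """A quick format rewrites the metadata only: here block 0 is zeroed and
    every data block is left exactly as it was."""
    out = bytearray(img)
    out[0:BLOCK] = bytes(BLOCK)
    return bytes(out)


def list_directory(img):
    """What a file browser shows: only names still present in the directory block."""
    entries = []
    for line in img[:BLOCK].rstrip(b"\0").split(b"\n"):
        if b":" in line:
            name, block = line.split(b":", 1)
            entries.append((name.decode(), int(block)))
    return entries


def carve(img):
    """Byte-wise scan of the raw image for known headers, ignoring the directory.
    Returns (offset, kind) pairs; a header marks a start, not a file boundary."""
    hits = []
    for kind, sig in SIGNATURES.items():
        pos = img.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = img.find(sig, pos + 1)
    return sorted(hits)


def hexdump(data, start=0, length=32, width=16):
    """Read-only hex view of a region, laid out like a hex editor: offset, bytes, ASCII."""
    lines = []
    chunk = data[start:start + length]
    for i in range(0, len(chunk), width):
        row = chunk[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in row).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{start + i:08x}  {hexpart}  |{ascii_part}|")
    return lines


IMAGE = build_test_image()
FORMATTED = quick_format(IMAGE)

if __name__ == "__main__":
    print("directory before format:", list_directory(IMAGE))
    print("directory after format: ", list_directory(FORMATTED))
    for off, kind in carve(FORMATTED):
        print(f"{kind} header at offset {off} (block {off // BLOCK}, +{off % BLOCK})")
        print("\n".join(hexdump(FORMATTED, off, 16)))
```

Carving by header finds where something began; recovering the rest depends on whether later blocks were contiguous and not yet reused, which is why the slides say "partially recovered". Scanning byte-wise rather than at block boundaries is what catches the PDF fragment that starts seven bytes into a block.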

    Slide 22: Computer networks

    How are internet communications organised?

    How do the internet protocols work?

    What are some of the vulnerabilities caused by the internet protocols?

    Slide 23: Networking: the Internet model

    Application layer (http, telnet, email client, …)

    Transport layer: responsible for end-to-end data delivery (port-to-port; protocols: TCP and UDP; envelope name: segment). Only TCP guarantees delivery; UDP does not.

    Network layer: responsible for communicating between the host and the network, and for delivery of data between two nodes on the network (machine-to-machine; protocol: IP; envelope name: datagram; equipment: router)

    Data link layer: responsible for transporting packets across each single hop of the network (node-to-node; protocol: Ethernet; envelope name: frame; equipment: the slide says hub, but a hub only repeats bits, so the link-layer device is properly a bridge or switch)

    Physical layer: physical media (repeater-to-repeater; equipment: repeater, hub)
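An added example, not code from the slides or from the cited deck: one Ethernet frame is built from the inside out (message, TCP segment, IP datagram, frame) and then decoded the way a receiving host peels it, returning each envelope under the name the slide uses. The IP header checksum is verified on the way in, so a tampered header is reported rather than trusted. The MAC addresses, IP addresses, ports and payload are constructed values.

```python
import socket
import struct

ETH_IPV4 = 0x0800
IP_TCP = 6
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header; returns 0 when a header verifies."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload):
    """Constructed frame: message -> TCP segment (port-to-port) -> IP datagram
    (machine-to-machine) -> Ethernet frame (node-to-node)."""
    segment = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IP_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_IPV4))
    return eth + hdr + segment


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Peel the envelopes in receive order, validating each header before trusting it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"frame": {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
                        "ethertype": ethertype}}
    if ethertype != ETH_IPV4:
        return layers
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0f) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    layers["datagram"] = {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
                          "ttl": ttl, "protocol": proto,
                          "checksum_ok": ip_checksum(ip[:ihl]) == 0}
    if proto != IP_TCP:
        return layers
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, *_ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off >> 4) * 4
    layers["segment"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                         "flags": [name for bit, name in TCP_FLAGS if flags & bit]}
    layers["message"] = tcp[data_off:]        # what the application layer receives
    return layers


if __name__ == "__main__":
    syn = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 40000, 80, 0x02, b"")
    for layer, fields in decode_frame(syn).items():
        print(layer, fields)
```

The decoder deliberately stops at the first layer it cannot trust (wrong version, inconsistent lengths) instead of reading past the end of the buffer, which is the failure mode of many naive packet parsers. The TCP checksum, which covers a pseudo-header, is left unverified here to keep the example short.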

    Slide 24: Routing

    (Source: http://www.albany.edu/~goel/classes/spring00/MSIJ/internet.ppt)

    [Figure: encapsulation across Host A, a router and Host B. Host A and Host B implement all layers (application, transport, network, link, physical network); the router implements only the network, link and physical layers. Envelope names shown: message (application), packet (transport), datagram (network), frame (link).]

    Slide 25: Protocols

    A protocol defines the format and the order of messages exchanged …

    Slide 26: Some protocol vulnerabilities

    TCP: connection-oriented service (establishes a connection prior to data exchange …

    Slide 27: Some protocol vulnerabilities (continued)

    UDP: connectionless service (no handshake prior to data exchange …

    Slide 28: Digital evidence

    Sources of evidence on the internet?

    Evidence can reside on the computers, network equipment (routers, for example …

    Slide 29: Evidence on workstations & servers

    Locations (disks)

    Disk partitions, inter-partition gaps (not all partitions may have file systems; for example, …

    Slide 30: Evidence on workstations & servers (continued)

    Locations (continued): unallocated space (space not yet allocated to files; also includes recently deleted files, some of which might have been partially overwritten).

    Locations (memory or RAM): registers & cache (usually not possible to capture; cache contents may be captured as part of a system memory image); RAM; swap space (on disk, so it survives a power-off while RAM does not).

    Slide 31: Evidence on servers & network equipment

    Router system logs

    Firewall logs of successful and unsuccessful attempts

    Syslogs in /var/log on unix …
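As an added example (not from the slides), here is a small triage of the kind of lines an investigator pulls out of /var/log on a unix server: sshd authentication results and firewall drops, tallied per source address so that a source that fails repeatedly and then succeeds, or that is also being dropped on other ports, stands out. The log lines are constructed for the example (RFC 5737 documentation addresses, an assumed "IPT-DROP" log prefix on the iptables rule), and the failure threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats sshd and an iptables LOG rule write to
# /var/log (auth.log, syslog or messages); not taken from any real system.
SAMPLE_LOGS = """\
Jun  1 10:02:11 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  1 10:02:14 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun  1 10:02:17 web01 sshd[4125]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun  1 10:02:19 web01 sshd[4125]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jun  1 10:02:25 web01 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51250 DPT=3389
Jun  1 10:02:26 web01 kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51251 DPT=445
Jun  1 10:03:02 web01 sshd[4130]: Accepted password for alice from 203.0.113.7 port 51260 ssh2
Jun  1 10:15:40 web01 sshd[4202]: Failed password for bob from 198.51.100.4 port 40012 ssh2
Jun  1 10:15:52 web01 sshd[4202]: Accepted publickey for bob from 198.51.100.4 port 40012 ssh2
Jun  1 10:16:00 web01 cron[4300]: (root) CMD (run-parts /etc/cron.hourly)
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
DROP_RE = re.compile(r"IPT-DROP .*SRC=(\S+) DST=(\S+) PROTO=(\w+) SPT=\d+ DPT=(\d+)")


def parse_line(line):
    """Classify one syslog line; returns (source_ip, event, detail) or None if irrelevant."""
    m = SSHD_RE.search(line)
    if m:
        outcome, method, user, ip = m.groups()
        return ip, "failed" if outcome == "Failed" else "accepted", f"{user}/{method}"
    m = DROP_RE.search(line)
    if m:
        src, dst, proto, dport = m.groups()
        return src, "dropped", f"{proto}/{dport}"
    return None


def summarize(text):
    """Per-source counts of failed logins, accepted logins and firewall drops,
    plus the set of account names each source tried."""
    counts = defaultdict(lambda: {"failed": 0, "accepted": 0, "dropped": 0, "users": set()})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, event, detail = parsed
        counts[ip][event] += 1
        if event != "dropped":
            counts[ip]["users"].add(detail.split("/")[0])
    return dict(counts)


def suspicious_sources(summary, max_failures=3):
    """Sources that exceeded the failure budget and then got in, or that were
    failing logins while also being dropped on other ports (probing)."""
    flagged = []
    for ip, c in sorted(summary.items()):
        brute_force_success = c["failed"] >= max_failures and c["accepted"] > 0
        probing = c["dropped"] > 0 and c["failed"] > 0
        if brute_force_success or probing:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for ip, c in sorted(summary.items()):
        print(ip, {k: (sorted(v) if isinstance(v, set) else v) for k, v in c.items()})
    print("suspicious:", suspicious_sources(summary))
```

Correlating the login log with the firewall log is the point: the failures alone look like ordinary noise, the drops alone look like ordinary scanning, and only together do they show one source probing, guessing and finally logging in as alice. Before relying on any of these timestamps, check the server clock against a trusted source, as the earlier slides note for CMOS time.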