Lies, Damn Lies and CSI
Lies, Damn Lies and CSI



403 Labs Consultant Dave Russell discusses the portrayal of computer forensics in pop culture versus the reality of the forensic investigation process.

Usage Rights: © All Rights Reserved

Presentation Transcript

  • Lies, Damn Lies and NCIS CSI
    What Really Happens in a Computer Forensics Practice
    Dave Russell
    Consultant, 403 Labs, LLC
  • Introductions
    Dave Russell – Consultant, 403 Labs
    Alphabet soup: QSA, PA-QSA, CISSP, CSSLP, GCFA, a few others
    Involved in security 10+ years, previous background in writing programs
    Big fan of “crime shows,” though I prefer those based on facts – which is what led to this presentation!
  • Introductions
    403 Labs works primarily in the Payment Card Industry (PCI) space
    Help clients protect cardholders and their data
    Provide various types of assessment services
    Work a large number of forensic cases of all types, criminal and civil
    Interact with all levels of law enforcement – local, state, and federal
    Assist in prosecutions
    More alphabet soup: ASV, QSA, PA-QSA, recently approved PFI (still awaiting listing)
  • About This Presentation
    There is a lot of misinformation about computer forensics
    TV shows and movies do not help
    Important for the general public to be aware of what computer forensics is (and is not)
    More important to make sure those who utilize such services are aware of what the discipline can and can’t provide
  • Before We Begin
    I know, I know – many of these “lies” are added to spice up the story
    The problem is… people BELIEVE them!
    A prosecutor lamented that, as a result of shows like this, juries expect an evidence “bombshell” clearly linking the suspect to the crime
    Misinformation is bad!
  • The Example That Started This
    CSI: “I’ll create a GUI interface in Visual Basic, see if I can track an IP…”
  • Why This Is Awful
    GUI: Graphical User Interface
    What does a graphical interface have to do with anything?
    Visual Basic: a programming language
    “I’m going to talk to the suspect in English, see if I can get a confession.” The language is irrelevant!
    IP: the address where “the killer” is chatting
    You can’t just “track” an IP – you need access to logs or traffic on a network path the connection actually crosses
    I bet this is how LEOs feel about Law and Order…
  • Truth-O-Meter: CSI Lie
    You cannot simply “track an IP”
    These people are watching a “real-time” display of a site – they have no connection to monitor (other than their own)
    An IP, quite possibly, means nothing to an investigator, at least not at first
    Probably going to point to their ISP, who has to tell you who it belongs to
    Anyone there heard of a subpoena?
  • The Forensics Lab Version
    IPs can point to an individual, but it’s tricky
    Start by working with the web site (or their host) to tap the network, or get logs of the originating IP
    Real-time data can be collected using tools like tcpdump or Wireshark
    Find the ISP for that block, and see who owns that IP (time-specific)
    LEOs knock on their door, and we hope it’s not some open wireless access point in use
    While the police kick in the door, the suspect, seeing this across the street, takes off with his laptop
  • The Forensics Lab Version
    Examine the access point’s client records (its ARP table or DHCP lease table, which map IP addresses to hardware addresses) to find out what physical device was connected – leads to a MAC address
    MAC addresses identify a network interface (if not spoofed); IPs are reassigned and identify nothing by themselves
    Hope the suspect wasn’t forging that information (which they can – a MAC is trivial to change in software)
    Eventually possible to figure out what device has that MAC address, find the laptop and the guy in front of it
  • Not So Easy!
    In this case, the computer forensic team is primarily providing network forensics
    Connections are very fickle things, and details move around
    Timing, and experience in quickly gathering data, is everything
    IP != person
    As a U.S. attorney put it, “I need to show that it’s their rear end in that chair”
    Many layers need to be decoded before even getting close – a network background is critical
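The “time-specific” step above is where most IP-to-person attempts go wrong: the same address is handed to a different device an hour later. The following is an added example (not part of the presentation, and not 403 Labs code) that correlates a web server’s access log with a hypothetical ISP DHCP lease log to find the MAC address that held the source IP at the moment of each request. All log lines are constructed; the lease-log line format, the 203.0.113.0/24 address and the MAC values are assumptions for illustration, and a real ISP may hold this in RADIUS or CMTS records instead.

```python
"""Added example: resolve (source IP, timestamp) from a web log to the MAC
address holding that IP's DHCP lease at that instant. Everything below is
constructed sample data; formats are assumptions for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format excerpt from the chat site's server.
WEB_LOG = """\
203.0.113.7 - - [12/Mar/2011:22:14:05 +0000] "GET /chat HTTP/1.1" 200 512
198.51.100.20 - - [12/Mar/2011:22:14:09 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [12/Mar/2011:22:45:00 +0000] "GET /chat HTTP/1.1" 200 498
203.0.113.7 - - [12/Mar/2011:23:50:00 +0000] "GET /chat HTTP/1.1" 200 503
"""

# Constructed (hypothetical format) ISP DHCP log for the pool containing
# 203.0.113.7. Note the address changes hands at 22:41:30.
DHCP_LOG = """\
2011-03-12 21:50:12 DHCPACK 203.0.113.7 aa:bb:cc:dd:ee:01 lease 3600
2011-03-12 22:40:00 DHCPRELEASE 203.0.113.7 aa:bb:cc:dd:ee:01
2011-03-12 22:41:30 DHCPACK 203.0.113.7 aa:bb:cc:dd:ee:02 lease 3600
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


def parse_web_log(text):
    """Yield (ip, utc datetime, request line) for each parseable log line."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts.astimezone(timezone.utc), m.group(3)


def parse_dhcp_log(text):
    """Turn ACK/RELEASE lines into Lease intervals (UTC assumed for the log)."""
    open_leases, leases = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        kind, ip, mac = parts[2], parts[3], parts[4]
        if kind == "DHCPACK":
            expiry = ts + timedelta(seconds=int(parts[6]))
            if (ip, mac) in open_leases:          # renewal extends the interval
                open_leases[(ip, mac)].end = expiry
            else:
                lease = Lease(ip, mac, ts, expiry)
                open_leases[(ip, mac)] = lease
                leases.append(lease)
        elif kind == "DHCPRELEASE":
            lease = open_leases.pop((ip, mac), None)
            if lease:
                lease.end = ts                      # released early
    return leases


def mac_for(leases, ip, when):
    """MAC holding `ip` at `when`, or None if no lease covers that instant."""
    hits = [l.mac for l in leases if l.ip == ip and l.start <= when < l.end]
    if len(hits) > 1:
        raise ValueError(f"overlapping leases for {ip} at {when}: {hits}")
    return hits[0] if hits else None


def attribute_hits(web_log, dhcp_log, target_path):
    """For each request touching target_path, report (ip, time, mac-at-that-time)."""
    leases = parse_dhcp_log(dhcp_log)
    return [(ip, ts.isoformat(), mac_for(leases, ip, ts))
            for ip, ts, req in parse_web_log(web_log) if target_path in req]


if __name__ == "__main__":
    for row in attribute_hits(WEB_LOG, DHCP_LOG, "/chat"):
        print(row)
```

The three /chat requests come from one IP but resolve to two different MACs and then to nothing at all, which is exactly why the subpoena to the ISP has to name the timestamp (and its timezone) and not just the address.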
  • Another CSI Example
    At a crime scene, an investigator walks up to a computer, turns it on and starts accessing the suspect’s email
  • Why This is Awful
    Well, I’m sure THAT evidence will be admissible!
    A good lab takes PAINSTAKING effort to maintain evidence integrity - Saying you looked at it at a suspect’s house is probably not going to fly
    Really? No password on the system?
    My *aunt* uses a password
    You’ve already destroyed valuable evidence
    Rule #1: Alter evidence as little as possible
    Logging into a system changes a great deal of state (timestamps, logs, caches, memory) that may itself have been evidence
  • Truth-O-Meter: Sadly True
    Non-experts destroy evidence all the time
    Particularly true in corporate environments – they have the RIGHT to examine a system, but it should be done properly
    Maintain integrity
    Don’t destroy valuable evidence
    People who “know computers” think they can do forensics
  • The Forensics Lab Version
    Investigator takes notes on the environment in which the system was found, as well as photos
    The entire system is seized
    If the system was already on, additional measures are carried out to get things like live memory (passwords, etc. can live there)
    The hard drive is extracted and bit-for-bit copied (usually twice)
    Only one copy is used for analysis
  • The Forensics Lab Version
    The original drive is connected through a “write blocker” so nothing can be written to it while it is imaged or examined
    Software designed to index and search content (such as EnCase or FTK) is run against the working copy
    Analysis of the email, pictures, documents and other data can be carried out
    Using gathered data, other systems, etc. can possibly be accessed
    Also possible to figure out motive and such – “rear end in chair” kinds of things
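The acquisition steps above (image the drive twice, analyze only one copy, keep the original untouched) rest on one control that the slides leave implicit: every copy is hash-verified against the source, and the working copy is re-hashed before analysis so any accidental change is caught. The following added example (not the presentation’s or 403 Labs’ code) shows that verification loop over a constructed stand-in for a raw device. The write blocker is hardware; opening the source read-only here is a stand-in for it, not a substitute. The custody record format, file names and examiner label are assumptions.

```python
"""Added example: bit-for-bit imaging with hash verification and a simple
chain-of-custody record. The 'device' is a constructed random file."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads


def sha256_file(path, chunk=CHUNK):
    """Hash a file in chunks so multi-gigabyte images do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst byte-for-byte, hashing the source stream as it is read.
    The source is opened read-only; a hardware write blocker is what really
    keeps the OS from touching the original (this code cannot enforce that)."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            h.update(buf)
            dst.write(buf)
    return h.hexdigest()


def acquire(src_path, out_dir, examiner):
    """Make two images (working + archive), verify each three ways
    (source hash, stream hash, file hash) and write a custody record."""
    src_hash = sha256_file(src_path)
    record = {
        "source": src_path,
        "source_sha256": src_hash,
        "examiner": examiner,                       # assumption: a label, not a real person
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "images": [],
    }
    for name in ("working.dd", "archive.dd"):       # hypothetical file names
        dst = os.path.join(out_dir, name)
        stream_hash = image_device(src_path, dst)
        file_hash = sha256_file(dst)
        record["images"].append({
            "path": dst,
            "sha256": file_hash,
            "verified": stream_hash == src_hash == file_hash,
        })
    with open(os.path.join(out_dir, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(path, expected_sha256):
    """Re-hash before (and after) analysis; any write to the copy shows up here."""
    return sha256_file(path) == expected_sha256


def demo():
    """Acquire a constructed device, then show that a single-byte write
    to the working copy is detected. Returns (record, ok_before, ok_after)."""
    tmp = tempfile.mkdtemp()
    fake_dev = os.path.join(tmp, "evidence.bin")
    with open(fake_dev, "wb") as f:                 # constructed stand-in for /dev/sdX
        f.write(os.urandom(3 * CHUNK + 12345))
    rec = acquire(fake_dev, tmp, "examiner-1")
    working = rec["images"][0]
    ok_before = verify_image(working["path"], working["sha256"])
    with open(working["path"], "r+b") as f:         # simulate an accidental write
        f.seek(100)
        f.write(b"X")
    ok_after = verify_image(working["path"], working["sha256"])
    return rec, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("working copy intact before analysis:", before, "| after stray write:", after)
```

Hashing the source separately from the stream hash taken during the copy is deliberate: if the two disagree, the drive changed between reads, which is precisely the failure a write blocker exists to prevent and the first thing opposing counsel will ask about.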
  • Law And Order
    A kidnapper has abducted a girl and refuses to give up her location
    Police, aware of his obsession with virtual reality environments, eventually realize that his virtual reality “home” may be where the girl is located
    With the help of the game creator, they are able to track down the real-life location and save the girl
  • Truth-O-Meter: Plausible
    Virtual reality (“VR”) evidence has been used to aid in prosecution
    A case in Central Wisconsin involved a wireless service provider offering broadband Internet to the area
    Disgruntled former employee wanted to disrupt the service provider, and other customers, and use the Internet himself
  • The Real Case
    Suspect allegedly bragged about his activities in the VR game “Everquest”
    Local FBI engaged yours truly (who happened to play the game) to sort through game evidence and work with the game provider to help prove the case
    Subpoenas of game records, as well as forensic evidence recovered off of the suspect’s computer contained dates, times and incriminating statements after analysis
  • Live Free Or Die Hard
    Former NSA employee trying to raise alarm bells about the risks to infrastructure
    Decides to carry out a demonstration “fire sale” (and steal some money, of course)
    Takes out traffic infrastructure, energy, communication, etc.
  • Live Free Or Die Hard
    Let’s focus on SCADA system attacks
    SCADA : Supervisory Control and Data Acquisition
    The bad guy reroutes natural gas traffic to a single station, causing it to explode
    Lots of interest in detecting and analyzing these systems and attacks
    See: Stuxnet
  • Truth-O-Meter: Over The Top, But…
    Definitely some truth to it
    Famous video of a generator being destroyed by a staged attack
    Stuxnet attacked primarily Iranian (and other) industrial systems
    Scary when discussing nuclear controls
    What can a lab do?
  • Preliminary Forensics
    Testing of systems is essential – engage penetration testing teams well-versed in SCADA
    Simulate real attacks (harder in certain environments!)
    Have a forensic team perform “clean-up” – black box analysis may be particularly revealing
  • What Could Be Found?
    Pathways in – the more realistic (and comprehensive), the better
    Evidence left behind after an attack may lead to more comprehensive signatures and detection methods
    Real-life attacks like Stuxnet should be studied in-depth
    Other attacks are being found…
  • A More Generic Example
    The grainy video footage that magically gets cleaned up by hitting the “Enhance” button (or, better yet, simply telling your computer, “enhance”)
    Look, I can see the reflection of some critical piece of evidence in the suspect’s eye!
  • Truth-O-Meter: Partial Lie
    There is no magic “enhance” button
    It is possible (sometimes) to substantially improve the quality of a photo
    Videos often need to be deconstructed into a series of images
    Depending on how the image was captured, data from more than one frame may be present in an image
  • Fixing Images In A Lab
    Deinterlacing video
    Many video images are not what they seem! Interlaced (typically lower quality) video combines two fields captured 1/60th of a second apart – 60 fields per second, 30 full frames per second
    When describing anything in motion, 1/60th of a second can be an eternity
    Deinterlacing attempts to correct this
    Results are very inconsistent
    Worse results with more motion
  • Fixing Images In A Lab
    Now that we have images from the video, enhance their details
    Requires complex filters and a trained eye to know how to apply them
    Images are pixels – they have a value, and there are only so many of them
    Creating more detail from something grainy (where the pixels don’t exist) is impossible
    All we can do is estimate the content we want
  • Fixing Images In A Lab
    Basics of image enhancement
    Contrast/brightness adjustment
    Limiting the focus of the enhancement
    Requires “making up” data
    A lot of different algorithms for doing this
    Lossy compression (JPEG stills, most video codecs) has already discarded detail and makes it harder still; palette formats like GIF lose color instead
    Results are highly variable
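The deinterlacing and enhancement points above are easy to see in code. The following added example (not from the presentation, and not from any forensic imaging product) builds a tiny constructed interlaced frame in which a bright block moved two pixels between the two fields, splits the frame into its fields, rebuilds each field to full height by interpolation, and adds a linear contrast stretch. The “comb score” (average difference between adjacent rows) shows the motion artifact disappear once the fields are separated. Every interpolated row is an average of its neighbours, which makes the slide’s point concrete: the estimate looks smoother, but no new information about the scene has been created. Pixel values are plain Python lists to keep the example dependency-free.

```python
"""Added example: deinterlacing and contrast stretch on a constructed frame.
Rows are lists of 8-bit grey values; no image library needed."""

W, H = 8, 8


def _row(start):
    """A row with a 4-pixel-wide bright block beginning at column `start`."""
    return [255 if start <= c < start + 4 else 0 for c in range(W)]


# Constructed interlaced frame: the even (top) field saw the block at
# columns 1-4, the odd (bottom) field, 1/60 s later, saw it at columns 3-6.
FRAME = [_row(1) if r % 2 == 0 else _row(3) for r in range(H)]


def split_fields(frame):
    """Even rows form the top field, odd rows the bottom field."""
    return frame[0::2], frame[1::2]


def interpolate_field(field, height, parity):
    """Rebuild a full-height image from one field. Rows the field did not
    capture are the average of the captured rows above and below: an
    estimate, not recovered detail."""
    out = []
    for r in range(height):
        if r % 2 == parity:
            out.append(list(field[(r - parity) // 2]))
            continue
        neighbours = []
        if r - 1 >= 0:
            neighbours.append(field[(r - 1 - parity) // 2])
        if r + 1 < height:
            neighbours.append(field[(r + 1 - parity) // 2])
        out.append([sum(px) / len(px) for px in zip(*neighbours)])
    return out


def deinterlace(frame):
    """Return (top_image, bottom_image), each at full frame height."""
    top, bottom = split_fields(frame)
    return interpolate_field(top, len(frame), 0), interpolate_field(bottom, len(frame), 1)


def comb_score(img):
    """Mean absolute difference between vertically adjacent pixels.
    Motion between fields shows up as a high score on the combined frame."""
    total, n = 0, 0
    for a, b in zip(img, img[1:]):
        for x, y in zip(a, b):
            total += abs(x - y)
            n += 1
    return total / n


def stretch_contrast(img):
    """Linear contrast stretch: map the darkest value to 0 and the brightest
    to 255. It rearranges the values that exist; it invents nothing."""
    flat = [v for row in img for v in row]
    lo, hi = min(flat), max(flat)
    if hi == lo:
        return [[0.0] * len(row) for row in img]
    return [[(v - lo) * 255 / (hi - lo) for v in row] for row in img]


if __name__ == "__main__":
    top_img, bottom_img = deinterlace(FRAME)
    print("comb score, interlaced frame:", comb_score(FRAME))
    print("comb score, top field image:", comb_score(top_img))
    print("comb score, bottom field image:", comb_score(bottom_img))
    print("contrast stretch of a flat 100-120 patch:",
          stretch_contrast([[100, 110], [120, 100]]))
```

On real footage the two fields rarely line up as cleanly as this, which is why the slides call the results inconsistent; the rebuilt rows are still guesses, and a trained examiner has to say so when the image is presented.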
  • Example Software
    Photo from:
  • Let’s Wrap Up With Real Life
    An animal rights group obtains information on university staff members, ostensibly for the purpose of inciting violence
    Utilize computers at a local copy shop to obtain information and create pamphlets to “out” staff and include an ominous warning
    A wise system administrator, in conjunction with a victim, helped LEOs track them down
    Four charged – trial is still ongoing (initially dismissed, charges may be re-filed)
  • The Forensics Behind It All
    LEOs got subpoenas and worked with forensic analysts to connect the suspects, video footage, the pamphlets and access to various pieces of information
    Involved a LOT of log analysis, packet tracing and some custom scripting
  • How Does A Lab Track This?
    Examination of patterns
    In this case, an administrator noticed suspicious access to the records of the 11 staff members who were targeted
    After working with campus security and law enforcement, log analysis located the source IP
    Some footwork was needed to track back the address to a nearby Kinko’s
  • How Does A Lab Track This?
    “Certain information” within the Kinko’s logs definitively linked the computer to the access
    Video footage showed the suspects using the computer at the time of the access
    Video footage at the café where pamphlets appeared linked one of the suspects to the act
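The “examination of patterns” step above is what gave the administrator something to hand to law enforcement: one source fetching many different staff profiles in a short span, plus the exact time window to ask the copy shop about. The following added example (not from the presentation, and not the university’s or 403 Labs’ tooling) runs that detection over a constructed web access log. The site paths, address ranges, threshold and time window are assumptions; the sample has six targeted profiles rather than the eleven in the real case.

```python
"""Added example: flag a source IP that enumerates many distinct staff
profile pages within a short window, and report the window for follow-up.
Log lines and paths are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format excerpt. Hypothetical site layout:
# /directory/staff/<name> is one staff member's profile page.
ACCESS_LOG = """\
192.0.2.44 - - [03/Oct/2011:14:02:11 -0500] "GET /directory/staff/adams HTTP/1.1" 200 2210
192.0.2.44 - - [03/Oct/2011:14:02:40 -0500] "GET /directory/staff/baker HTTP/1.1" 200 2190
198.51.100.9 - - [03/Oct/2011:14:03:05 -0500] "GET /directory/staff/adams HTTP/1.1" 200 2210
192.0.2.44 - - [03/Oct/2011:14:03:12 -0500] "GET /directory/staff/chen HTTP/1.1" 200 2301
192.0.2.44 - - [03/Oct/2011:14:03:55 -0500] "GET /news/ HTTP/1.1" 200 8800
192.0.2.44 - - [03/Oct/2011:14:04:20 -0500] "GET /directory/staff/diaz HTTP/1.1" 200 2188
192.0.2.44 - - [03/Oct/2011:14:05:01 -0500] "GET /directory/staff/evans HTTP/1.1" 200 2250
192.0.2.44 - - [03/Oct/2011:14:05:30 -0500] "GET /directory/staff/evans HTTP/1.1" 200 2250
192.0.2.44 - - [03/Oct/2011:14:06:02 -0500] "GET /directory/staff/foster HTTP/1.1" 404 310
192.0.2.44 - - [03/Oct/2011:14:06:44 -0500] "GET /directory/staff/garcia HTTP/1.1" 200 2275
198.51.100.9 - - [03/Oct/2011:15:10:00 -0500] "GET /directory/staff/baker HTTP/1.1" 200 2190
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
STAFF_RE = re.compile(r"^/directory/staff/([a-z]+)")


def parse_access_log(text):
    """Yield (ip, datetime with offset, path, status) per parseable line.
    The timezone offset is kept: the next log owner needs the exact time."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts, m.group(3), int(m.group(4))


def find_enumerators(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"profiles": [...], "first": iso, "last": iso}} for every
    source that successfully fetched >= threshold distinct profiles inside
    any `window`-long span. Sliding window over each IP's sorted events."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in parse_access_log(log_text):
        m = STAFF_RE.match(path)
        if m and status == 200:                  # 404s never exposed a record
            by_ip[ip].append((ts, m.group(1)))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for t0, _ in events:
            in_window = [(t, n) for t, n in events if t0 <= t <= t0 + window]
            names = {n for _, n in in_window}
            if len(names) >= threshold:
                findings[ip] = {
                    "profiles": sorted(names),
                    "first": t0.isoformat(),
                    "last": max(t for t, _ in in_window).isoformat(),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, hit in find_enumerators(ACCESS_LOG).items():
        print(ip, hit["first"], "to", hit["last"], hit["profiles"])
```

The output is the handoff artifact: a source address and a bounded time window, which is what a subpoena to the copy shop (or the ISP) has to cite. The second address fetched two profiles an hour apart and is not flagged; a threshold this low would be noisy on a busy campus site and is only a starting point for the footwork the slides describe.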
  • Why Engage A Specialist?
    Evidence integrity and admissibility is crucial
    Computer forensic investigators specialize in maintaining integrity, which can be VERY difficult!
    Computer data changes frequently
    Simply looking at certain data can change it
    Need to be able to explain every single thing that has, or could have been, altered
  • Why Engage A Specialist?
    Everyone seems busier these days
    Plenty of forensics investigators are backed up
    Unusual systems or programs
    Certain systems, applications, etc. require some pretty particular knowledge
    Our game discussion
    More information may be extractable if you can find someone who knows the specifics
  • Why Engage A Specialist?
    Pulling resources aside to work on an internal investigation may be more costly than realized
    Training of individuals is VERY expensive
    In the case of working with law enforcement, it might be possible to work at a lesser rate or even possibly pro-bono
    Talk with me more about this if interested
  • Why Engage A Specialist?
    Custom viruses and other malware require even more detailed skillsets!
    Firms specializing in this are often backed up
  • When To Engage A Specialist?
    As soon as digital evidence comes into scope!
    Do not take chances – powering on a system or accessing a device must be done carefully to avoid data loss or integrity problems
    Second set of eyes may be helpful – a good defense attorney may use their own experts
  • Questions?
    Dave Russell
    403 Labs
  • Thank You!
    Dave Russell
    403 Labs