Lies, Damn Lies and CSI

403 Labs Consultant Dave Russell discusses the portrayal of computer forensics in pop culture versus the reality of the forensic investigation process.

Published in: Technology

  1. Lies, Damn Lies and NCIS CSI
     What Really Happens in a Computer Forensics Practice
     Dave Russell
     Consultant, 403 Labs, LLC
  2. Introductions
     • Dave Russell – Consultant, 403 Labs
     • Alphabet soup: QSA, PA-QSA, CISSP, CSSLP, GCFA, a few others
     • Involved in security 10+ years, previous background in writing programs
     • Big fan of “crime shows,” though I prefer those based on facts – which is what led to this presentation!
  3. Introductions
     • 403 Labs works primarily in the Payment Card Industry (PCI) space
     • Help clients protect cardholders and their data
     • Provide various types of assessment services
     • Work a large number of forensic cases of all types, criminal and civil
     • Interact with all levels of law enforcement – local, state, and federal
     • Assist in prosecutions
     • More alphabet soup: ASV, QSA, PA-QSA, recently approved PFI (still awaiting listing)
  4. About This Presentation
     • There is a lot of misinformation about computer forensics
     • TV shows and movies do not help
     • Important for the general public to be aware of what computer forensics is (and is not)
     • More important to make sure those who utilize such services are aware of what the discipline can and can’t provide
  5. Before We Begin
     • I know, I know – many of these “lies” are added to spice up the story
     • The problem is… people BELIEVE them!
     • A prosecutor lamented that, as a result of shows like this, juries expect an evidence “bombshell” clearly linking the suspect to the crime
     • Misinformation is bad!
  6. The Example That Started This
     CSI: “I’ll create a GUI interface in Visual Basic, see if I can track an IP…”
  7. Why This Is Awful
     • Terms
       ◦ GUI: Graphical User Interface – what does a graphical interface have to do with anything?
       ◦ Visual Basic: a programming language – “I’m going to talk to the suspect in English, see if I can get a confession.” The language is irrelevant!
       ◦ IP: the address where “the killer” is chatting – you can’t just “track” an IP, you have to be on the network
     • I bet this is how LEOs feel about Law and Order…
  8. Truth-O-Meter: CSI Lie
     • You cannot simply “track an IP”
     • These people are watching a “real-time” display of a site – they have no connection to monitor (other than their own)
     • An IP, quite possibly, means nothing to an investigator, at least not at first
     • Probably going to point to their ISP, who has to tell you who it belongs to
     • Anyone there heard of a subpoena?
  9. The Forensics Lab Version
     • IPs can point to an individual, but it’s tricky
     • Start by working with the web site (or their host) to tap the network, or get logs of the originating IP
     • Real-time data can be collected using tools like tcpdump or Wireshark
     • Find the ISP for that block, and see who owns that IP (time-specific)
     • LEOs knock on their door, and we hope it’s not some open wireless access point in use
     • While the police kick in the door, the suspect, seeing this across the street, takes off with his laptop
  10. The Forensics Lab Version
     • Examine the access point’s connection data (called an ARP table) to find out what physical device was connected – leads to a MAC address
     • MAC addresses are unique identifiers (if not spoofed), IPs are not
     • Hope the suspect wasn’t forging that information (which they can)
     • Eventually possible to figure out what device has that MAC address, find the laptop and the guy in front of it
  11. Not So Easy!
     • In this case, the computer forensic team is primarily providing network forensics
     • Connections are very fickle things, and details move around
     • Timing, and experience in quickly gathering data, is everything
     • IP != person
     • As a U.S. attorney put it, “I need to show that it’s their rear end in that chair”
     • Many layers need to be decoded before even getting close – a network background is critical
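Slides 9 through 11 describe a chain of time-specific lookups: site log, ISP allocation, the subscriber's router, then the ARP/DHCP record that yields a MAC address. The script below is an added example (not 403 Labs' code) that walks that chain over constructed log lines and lease tables; the IP addresses, timestamps, subscriber ids and MAC addresses are all made up, and the router "NAT log" format is an assumption. It shows why every hop must be keyed by time, and that the chain ends at a device, not a person.

```python
"""Follow a public IP from a web site's log back to a device, one time-bounded hop at a time.

Added example, not 403 Labs' code; every log line and lease table below is constructed.
Each hop is looked up by (key, timestamp) because ISP addresses and home-router
addresses are both reassigned over time. The chain stops at a MAC address, i.e. a
device; who was sitting in front of it is a separate question.
"""
import re
from datetime import datetime

# Constructed: three lines from the chat site's access log (Apache-style timestamps).
ACCESS_LOG = """\
203.0.113.45 - - [10/Mar/2011:22:14:07 +0000] "POST /chat/send HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2011:22:14:09 +0000] "GET /chat HTTP/1.1" 200 2048
203.0.113.45 - - [10/Mar/2011:22:15:31 +0000] "POST /chat/send HTTP/1.1" 200 498
"""

# Constructed: ISP's answer to a subpoena, (public_ip, start, end, subscriber).
ISP_LEASES = [
    ("203.0.113.45", "2011-03-10T18:00:00+00:00", "2011-03-11T06:00:00+00:00", "subscriber-1187"),
    ("203.0.113.45", "2011-03-11T06:00:00+00:00", "2011-03-12T06:00:00+00:00", "subscriber-2042"),
]
# Constructed (assumed format): subscriber's router NAT log, (public_ip, start, end, private_ip).
NAT_LOG = [
    ("203.0.113.45", "2011-03-10T22:14:00+00:00", "2011-03-10T22:16:00+00:00", "192.168.1.23"),
]
# Constructed: router DHCP/ARP records, (private_ip, start, end, mac).
ARP_LEASES = [
    ("192.168.1.23", "2011-03-10T21:50:00+00:00", "2011-03-10T23:50:00+00:00", "00:1b:63:aa:bb:cc"),
    ("192.168.1.24", "2011-03-10T20:00:00+00:00", "2011-03-11T08:00:00+00:00", "00:26:b0:11:22:33"),
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse_access_log(text):
    """Return (timestamp, client_ip, request) for each well-formed log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, request = m.groups()
            events.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, request))
    return events


def lookup(table, key, when):
    """Record whose key matches and whose [start, end) window contains `when`, else None."""
    for rec in table:
        if rec[0] == key and datetime.fromisoformat(rec[1]) <= when < datetime.fromisoformat(rec[2]):
            return rec
    return None


def attribute(events, isp_leases=ISP_LEASES, nat_log=NAT_LOG, arp_leases=ARP_LEASES):
    """Walk public IP -> subscriber -> private IP -> MAC; leave None where a hop has no record."""
    results = []
    for when, public_ip, request in events:
        step = {"when": when.isoformat(), "public_ip": public_ip, "request": request,
                "subscriber": None, "private_ip": None, "mac": None}
        isp = lookup(isp_leases, public_ip, when)
        if isp:
            step["subscriber"] = isp[3]
            nat = lookup(nat_log, public_ip, when)
            if nat:
                step["private_ip"] = nat[3]
                arp = lookup(arp_leases, nat[3], when)
                if arp:
                    step["mac"] = arp[3]
        results.append(step)
    return results


def run_example():
    return attribute(parse_access_log(ACCESS_LOG))


if __name__ == "__main__":
    for step in run_example():
        print(step)
```

The second log line (198.51.100.9) has no matching ISP record, so its chain stops at the public IP; that is the "IP means nothing to an investigator, at least not at first" case. The two 203.0.113.45 lines resolve to a MAC address only because the router records happen to cover those exact minutes; with an open access point or a forged MAC the last hop would be empty or misleading.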
  12. Another CSI Example
     At a crime scene, an investigator walks up to a computer, turns it on and starts accessing the suspect’s email
  13. Why This Is Awful
     • Well, I’m sure THAT evidence will be admissible!
     • A good lab takes PAINSTAKING effort to maintain evidence integrity – saying you looked at it at a suspect’s house is probably not going to fly
     • Really? No password on the system? My *aunt* uses a password
     • You’ve already destroyed valuable evidence
     • Rule #1: Alter evidence as little as possible
     • Logging into a system is relatively traumatic
  14. Truth-O-Meter: Sadly True
     • Non-experts destroy evidence all the time
     • Particularly true in corporate environments – they have the RIGHT to examine a system, but it should be done properly
       ◦ Maintain integrity
       ◦ Don’t destroy valuable evidence
     • People who “know computers” think they can do forensics
  15. The Forensics Lab Version
     • Investigator takes notes on the environment in which the system was found, as well as photos
     • The entire system is seized
     • If the system was already on, additional measures are carried out to get things like live memory (passwords, etc. can live there)
     • The hard drive is extracted and bit-for-bit copied (usually twice)
     • Only one copy is used for analysis
  16. The Forensics Lab Version
     • The drive is connected to a “write blocker” to prevent data from being modified
     • Software designed to index and search content is run on the hard drive (such as EnCase or FTK)
     • Analysis of the email, pictures, documents and other data can be carried out
     • Using gathered data, other systems, etc. can possibly be accessed
     • Also possible to figure out motive and such – “rear end in chair” kinds of things
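Slides 15 and 16 say the drive is copied bit-for-bit, usually twice, with one copy reserved for analysis. What makes that defensible in court is the hashing around it: the source is hashed as it is read, each image is hashed, and the working copy is re-hashed before and after every session so any alteration can be explained. The script below is an added example (not 403 Labs' code, and not how EnCase or FTK do it internally) that performs that acquisition and verification on a constructed 2 MiB "disk" file; a hardware write blocker between the physical drive and the workstation is assumed and is not replaced by anything here.

```python
"""Acquire a drive image twice and prove the copies match the source, hash by hash.

Added example, not 403 Labs' or any vendor's code. The 'drive' is a constructed file so it
runs anywhere; in the lab the source is a physical disk behind a hardware write blocker,
which this script does not replace. Only the hashing and verification logic is shown.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large images never need to fit in memory


def image_and_hash(src_path, dst_path):
    """Bit-for-bit copy src -> dst, hashing the source bytes as they are read."""
    digest = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
    return digest.hexdigest()


def sha256_file(path):
    """Independent re-read of a finished image file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(src_path, workdir):
    """Make a reference image and a working image; every hash must agree before analysis starts."""
    reference = os.path.join(workdir, "reference.dd")
    working = os.path.join(workdir, "working.dd")
    hashes = {
        "source_read_1": image_and_hash(src_path, reference),
        "source_read_2": image_and_hash(src_path, working),   # a second read of a stable source must match
        "reference_image": sha256_file(reference),
        "working_image": sha256_file(working),
    }
    hashes["verified"] = len(set(hashes.values())) == 1  # one distinct hash across all four reads
    return hashes, reference, working


def verify(path, expected_hash):
    """Re-hash an image before and after an analysis session; any mismatch must be explained."""
    return sha256_file(path) == expected_hash


def demo():
    """Constructed end-to-end run: acquire, verify, then show a one-byte change being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "suspect-disk.bin")
        with open(disk, "wb") as f:
            f.write(bytes(range(256)) * 8192)  # 2 MiB of constructed 'disk' content
        hashes, _reference, working = acquire(disk, tmp)
        before = verify(working, hashes["source_read_1"])
        with open(working, "r+b") as f:  # simulate something touching the working copy
            f.seek(1000)
            f.write(b"\x00")
        after = verify(working, hashes["source_read_1"])
        return {"verified": hashes["verified"],
                "working_ok_before": before,
                "working_ok_after": after}


if __name__ == "__main__":
    print(demo())
```

The four hashes in `acquire` are deliberately redundant: two reads of the source must agree (otherwise the drive is failing or something is writing to it), and each image must match the source. The reference image is never opened again except to re-hash it, which is what "only one copy is used for analysis" buys you.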
  17. Law And Order
     • A kidnapper has abducted a girl and refuses to give up her location
     • Police, aware of his obsession with virtual reality environments, eventually realize that his virtual reality “home” may be where the girl is located
     • With the help of the game creator, they are able to track down the real-life location and save the girl
  18. Truth-O-Meter: Plausible
     • Virtual reality (“VR”) evidence has been used to aid in prosecution
     • A case in Central Wisconsin involved a wireless service provider offering broadband Internet to the area
     • Disgruntled former employee wanted to disrupt the service provider, and other customers, and use the Internet himself
  19. The Real Case
     • Suspect allegedly bragged about his activities in the VR game “EverQuest”
     • Local FBI engaged yours truly (who happened to play the game) to sort through game evidence and work with the game provider to help prove the case
     • Subpoenas of game records, as well as forensic evidence recovered off of the suspect’s computer, contained dates, times and incriminating statements after analysis
  20. Live Free Or Die Hard
     • Former NSA employee trying to raise alarm bells about the risks to infrastructure
     • Decides to carry out a demonstration “fire sale” (and steal some money, of course)
     • Takes out traffic infrastructure, energy, communication, etc.
  21. Live Free Or Die Hard
     • Let’s focus on SCADA system attacks
     • SCADA: Supervisory Control and Data Acquisition
     • The bad guy reroutes natural gas traffic to a single station, causing it to explode
     • Lots of interest in detecting and analyzing these systems and attacks
     • See: Stuxnet
  22. Truth-O-Meter: Over The Top, But…
     • Definitely some truth to it
     • Famous video of a generator being destroyed by a staged attack
     • Stuxnet attacked primarily Iranian (and other) industrial systems
     • Scary when discussing nuclear controls
     • What can a lab do?
  23. Preliminary Forensics
     • Testing of systems is essential – engage penetration testing teams well-versed in SCADA
     • Simulate real attacks (harder in certain environments!)
     • Have a forensic team perform “clean-up” – black box analysis may be particularly revealing
  24. What Could Be Found?
     • Pathways in – the more realistic (and comprehensive), the better
     • Evidence left behind after an attack may lead to more comprehensive signatures and detection methods
     • Real-life attacks like Stuxnet should be studied in-depth
     • Other attacks are being found…
  25. A More Generic Example
     • The grainy video footage that magically gets cleaned up by hitting the “Enhance” button (or, better yet, simply telling your computer, “enhance”)
     • Look, I can see the reflection of some critical piece of evidence in the suspect’s eye!
  26. Truth-O-Meter: Partial Lie
     • There is no magic “enhance” button
     • It is possible (sometimes) to substantially improve the quality of a photo
     • Videos often need to be deconstructed into a series of images
     • Depending on how the image was captured, data from more than one frame may be present in an image
  27. Fixing Images In A Lab
     • Deinterlacing video
     • Many video images are not what they seem! Lower quality video is usually a combination of two frames, which differ by 1/60th of a second – 60 frames/second
     • When describing anything in motion, 1/60th of a second can be an eternity
     • Deinterlacing attempts to correct this
     • Results are very inconsistent – worse results with more motion
  28. Fixing Images In A Lab
     • Now that we have images from the video, enhance their details
     • Requires complex filters and a trained eye to know how to apply them
     • Images are pixels – they have a value, and there are only so many of them
     • Creating more detail from something grainy (where the pixels don’t exist) is impossible
     • All we can do is estimate the content we want
  29. Fixing Images In A Lab
     • Basics of image enhancement
       ◦ Contrast/brightness adjustment
       ◦ Limiting the focus of the enhancement
       ◦ Sharpening/de-blurring – requires “making up” data; a lot of different algorithms for doing this
     • Compression (like JPEG or GIF files) makes it harder still
     • Results are highly variable
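Slides 27 through 29 make two points that are easy to see in numbers: an interlaced frame is two moments in time woven together on alternating lines, and contrast adjustment only re-maps the pixel values that already exist. The code below is an added example (not 403 Labs' code or any image-processing tool) working on tiny constructed grayscale frames as lists of rows: it separates the two fields, line-doubles each into a full picture (the simplest "bob" deinterlace), and applies a linear contrast stretch while counting distinct gray levels before and after.

```python
"""Two lab steps on a tiny grayscale frame: separate interlaced fields, then stretch contrast.

Added example, not 403 Labs' code or any commercial tool. Frames are constructed lists of
pixel rows (0-255). Deinterlacing only separates data that was already captured, and a
contrast stretch re-maps existing pixel values without creating a single new one.
"""


def split_fields(frame):
    """An interlaced frame stores field A on even rows and field B on odd rows."""
    return frame[0::2], frame[1::2]


def bob_deinterlace(field, rows):
    """Rebuild a full-height picture from one field by doubling each line ('bob')."""
    out = []
    for row in field:
        out.append(list(row))
        out.append(list(row))
    return out[:rows]


def stretch_contrast(image):
    """Linear stretch: map [min, max] of the image onto [0, 255]."""
    flat = [p for row in image for p in row]
    lo, hi = min(flat), max(flat)
    if hi == lo:
        return [list(row) for row in image]
    return [[round((p - lo) * 255 / (hi - lo)) for p in row] for row in image]


def distinct_levels(image):
    """How many different gray values the image actually contains."""
    return len({p for row in image for p in row})


# Constructed 6x6 frame: a bright object captured at column 1 in field A and, 1/60 s later,
# at column 3 in field B, so the woven frame shows it in two places at once.
INTERLACED = [
    [0, 200, 0, 0, 0, 0],
    [0, 0, 0, 200, 0, 0],
    [0, 200, 0, 0, 0, 0],
    [0, 0, 0, 200, 0, 0],
    [0, 200, 0, 0, 0, 0],
    [0, 0, 0, 200, 0, 0],
]

# Constructed low-contrast 2x2 crop with values bunched between 10 and 40.
DIM_CROP = [[10, 20], [30, 40]]


def run_example():
    field_a, field_b = split_fields(INTERLACED)
    stretched = stretch_contrast(DIM_CROP)
    return {
        "field_a": bob_deinterlace(field_a, len(INTERLACED)),
        "field_b": bob_deinterlace(field_b, len(INTERLACED)),
        "stretched": stretched,
        "levels_before": distinct_levels(DIM_CROP),
        "levels_after": distinct_levels(stretched),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

Each recovered field is a clean picture of one instant, at half the vertical resolution; the doubled lines are repetition, not new detail. The stretched crop is easier to read, yet it still has exactly four gray levels, which is the slide's point that "creating more detail from something grainy is impossible".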
  30. Example Software
     Photo from:
  31. Let’s Wrap Up With Real Life
     • An animal rights group obtains information on university staff members, ostensibly for the purpose of inciting violence
     • Utilize computers at a local copy shop to obtain information and create pamphlets to “out” staff and include an ominous warning
     • A wise system administrator, in conjunction with a victim, helped LEOs track them down
     • Four charged – trial is still ongoing (initially dismissed, charges may be re-filed)
  32. The Forensics Behind It All
     • LEOs got subpoenas and worked with forensic analysts to connect the suspects, video footage, the pamphlets and access to various pieces of information
     • Involved a LOT of log analysis, packet tracing and some custom scripting
  33. How Does A Lab Track This?
     • Examination of patterns
     • In this case, an administrator noticed suspicious access to the 11 staff members targeted
     • After working with campus security and law enforcement, the logs located the source IP
     • Some footwork was needed to track back the address to a nearby Kinko’s
  34. How Does A Lab Track This?
     • “Certain information” within the Kinko’s logs definitively linked the computer to the access
     • Video footage showed the suspects using the computer at the time of the access
     • Video footage at the café where pamphlets appeared linked one of the suspects to the act
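The pattern the administrator noticed on slide 33 (one client reading the records of 11 targeted staff members) is the kind of thing the "custom scripting" on slide 32 turns into a repeatable check. The script below is an added example (not the university's or 403 Labs' code) run over constructed web log lines in an assumed `timestamp ip method path` format: for each client IP it counts the most distinct staff records read within any sliding window and flags those over a threshold. The threshold and window are assumptions an analyst would tune to normal directory traffic.

```python
"""Flag a source address that walks through many staff directory records in a short window.

Added example, not 403 Labs' or the university's code; the log lines are constructed to
mirror the pattern the administrator noticed (one client reading 11 staff entries in a few
minutes). Log format, threshold and window size are assumptions.
"""
from datetime import datetime

# Constructed web log: timestamp, client IP, method, requested path.
LOG_LINES = [
    "2011-02-03T14:02:11Z 203.0.113.7 GET /directory/staff/ahernandez",
    "2011-02-03T14:02:19Z 198.51.100.20 GET /directory/staff/ahernandez",
    "2011-02-03T14:02:40Z 203.0.113.7 GET /directory/staff/bkowalski",
    "2011-02-03T14:03:05Z 203.0.113.7 GET /directory/staff/cnguyen",
    "2011-02-03T14:03:22Z 203.0.113.7 GET /directory/staff/dmiller",
    "2011-02-03T14:03:50Z 203.0.113.7 GET /directory/staff/eokafor",
    "2011-02-03T14:04:14Z 203.0.113.7 GET /directory/staff/fschmidt",
    "2011-02-03T14:04:31Z 198.51.100.20 GET /directory/staff/cnguyen",
    "2011-02-03T14:04:44Z 203.0.113.7 GET /directory/staff/gpatel",
    "2011-02-03T14:05:02Z 203.0.113.7 GET /directory/staff/ahernandez",
    "2011-02-03T14:05:17Z 203.0.113.7 GET /directory/staff/hlarsen",
    "2011-02-03T14:05:40Z 203.0.113.7 GET /directory/staff/ibrown",
    "2011-02-03T14:06:03Z 203.0.113.7 GET /directory/staff/jwhite",
    "2011-02-03T14:06:29Z 203.0.113.7 GET /directory/staff/kdiaz",
    "2011-02-03T14:07:10Z 203.0.113.7 GET /directory/search",
    "2011-02-03T16:40:12Z 198.51.100.20 GET /directory/staff/dmiller",
]

STAFF_PREFIX = "/directory/staff/"


def parse(lines):
    """Yield (timestamp, client_ip, staff_id) for requests that read a staff record."""
    events = []
    for line in lines:
        ts, ip, _method, path = line.split()
        if not path.startswith(STAFF_PREFIX):
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, path[len(STAFF_PREFIX):]))
    return events


def find_enumeration(lines, threshold=5, window_seconds=300):
    """Per client IP, the most distinct staff records read inside any window; flag >= threshold."""
    by_ip = {}
    for when, ip, staff in parse(lines):
        by_ip.setdefault(ip, []).append((when, staff))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = set()
            for when, staff in hits[i:]:            # window opens at each request in turn
                if (when - start).total_seconds() > window_seconds:
                    break
                seen.add(staff)
            best = max(best, len(seen))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_enumeration(LOG_LINES))  # the constructed log flags one address reading 11 records
```

Counting distinct records rather than raw requests matters: a repeat visit to the same staff page (the second `ahernandez` hit above) does not inflate the count, and a legitimate user who reads the same few pages all afternoon stays under the threshold. The output is a lead for the log-and-subpoena work on slides 33 and 34, not an identification of anyone.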
  35. Why Engage A Specialist?
     • Evidence integrity and admissibility is crucial
     • Computer forensic investigators specialize in maintaining integrity, which can be VERY difficult!
     • Computer data changes frequently
     • Simply looking at certain data can change it
     • Need to be able to explain every single thing that has, or could have been, altered
  36. Why Engage A Specialist?
     • Time!
       ◦ Everyone seems busier these days
       ◦ Plenty of forensics investigators are backed up
     • Unusual systems or programs
       ◦ Certain systems, applications, etc. require some pretty particular knowledge
       ◦ Our game discussion
       ◦ More information may be extractable if you can find someone who knows the specifics
  37. Why Engage A Specialist?
     • Cost
       ◦ Pulling resources aside to work on an internal investigation may be more costly than realized
       ◦ Training of individuals is VERY expensive
       ◦ In the case of working with law enforcement, it might be possible to work at a lesser rate or even pro bono
       ◦ Talk with me more about this if interested
  38. Why Engage A Specialist?
     • Difficulty
       ◦ Custom viruses and other malware require even more detailed skillsets!
       ◦ Firms specializing in this are often backed up
  39. When To Engage A Specialist?
     • As soon as digital evidence comes into scope!
     • Do not take chances – powering on a system or accessing a device must be done carefully to avoid data loss or integrity problems
     • A second set of eyes may be helpful – a good defense attorney may use their own experts
  40. Questions?
     Dave Russell
     Consultant
     403 Labs
     drussell[at]403labs[dot]com
     877.403.LABS
  41. Thank You!
     Dave Russell
     Consultant
     403 Labs
     drussell[at]403labs[dot]com
     877.403.LABS