Lies, Damn Lies and CSI

403 Labs Consultant Dave Russell discusses the portrayal of computer forensics in pop culture versus the reality of the forensic investigation process.


  1. Lies, Damn Lies and NCIS CSI
     • What Really Happens in a Computer Forensics Practice
     • Dave Russell
     • Consultant, 403 Labs, LLC
  2. Introductions
     • Dave Russell – Consultant, 403 Labs
     • Alphabet soup: QSA, PA-QSA, CISSP, CSSLP, GCFA, a few others
     • Involved in security 10+ years, previous background in writing programs
     • Big fan of “crime shows,” though I prefer those based on facts – which is what led to this presentation!
  3. Introductions
     • 403 Labs works primarily in the Payment Card Industry (PCI) space
     • Help clients protect cardholders and their data
     • Provide various types of assessment services
     • Work a large number of forensic cases of all types, criminal and civil
     • Interact with all levels of law enforcement – local, state, and federal
     • Assist in prosecutions
     • More alphabet soup: ASV, QSA, PA-QSA, recently approved PFI (still awaiting listing)
  4. About This Presentation
     • There is a lot of misinformation about computer forensics
     • TV shows and movies do not help
     • Important for the general public to be aware of what computer forensics is (and is not)
     • More important to make sure those who utilize such services are aware of what the discipline can and can’t provide
  5. Before We Begin
     • I know, I know – many of these “lies” are added to spice up the story
     • The problem is… people BELIEVE them!
     • A prosecutor lamented that, as a result of shows like this, juries expect an evidence “bombshell” clearly linking the suspect to the crime
     • Misinformation is bad!
  6. The Example That Started This
     • CSI: “I’ll create a GUI interface in Visual Basic, see if I can track an IP…”
  7. Why This Is Awful
     • Terms
     • GUI: Graphical User Interface
     • What does a graphical interface have to do with anything?
     • Visual Basic: a programming language
     • “I’m going to talk to the suspect in English, see if I can get a confession.” The language is irrelevant!
     • IP: the address where “the killer” is chatting
     • You can’t just “track” an IP, you have to be on the network
     • I bet this is how LEOs feel about Law and Order…
  8. Truth-O-Meter: CSI Lie
     • You cannot simply “track an IP”
     • These people are watching a “real-time” display of a site – they have no connection to monitor (other than their own)
     • An IP, quite possibly, means nothing to an investigator, at least not at first
     • Probably going to point to their ISP, who has to tell you who it belongs to
     • Anyone there heard of a subpoena?
  9. The Forensics Lab Version
     • IPs can point to an individual, but it’s tricky
     • Start by working with the web site (or their host) to tap the network, or get logs of the originating IP
     • Real-time data can be collected using tools like tcpdump or Wireshark
     • Find the ISP for that block, and see who owns that IP (time-specific)
     • LEOs knock on their door, and we hope it’s not some open wireless access point in use
     • While the police kick in the door, the suspect, seeing this across the street, takes off with his laptop
  10. The Forensics Lab Version
     • Examine the access point’s connection data (called an ARP table) to find out what physical device was connected – leads to a MAC address
     • MAC addresses are unique identifiers (if not spoofed), IPs are not
     • Hope the suspect wasn’t forging that information (which they can)
     • Eventually possible to figure out what device has that MAC address, find the laptop and the guy in front of it
  11. Not So Easy!
     • In this case, the computer forensic team is primarily providing network forensics
     • Connections are very fickle things, and details move around
     • Timing, and experience in quickly gathering data, is everything
     • IP != person
     • As a U.S. attorney put it, “I need to show that it’s their rear end in that chair”
     • Many layers need to be decoded before even getting close – a network background is critical
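The time-specific IP-to-MAC step from slides 9 through 11, as an added illustration that is not 403 Labs code: given the moment the site logged the IP, ask the access point's ARP/DHCP records which device held that IP right then, and list every time the device behind the IP changed. The log lines are constructed, and the 30-minute staleness limit is an assumption.

```python
"""Correlate a site-side timestamp with access-point ARP/DHCP observations.
All data below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed access-point observations: time, IP, MAC (note the MAC
# behind 192.168.1.23 changes at 21:40, and the first MAC later holds .24).
ARP_LOG = """\
2011-03-01T20:55:00 192.168.1.23 00:1a:2b:3c:4d:5e
2011-03-01T21:10:00 192.168.1.23 00:1a:2b:3c:4d:5e
2011-03-01T21:40:00 192.168.1.23 A4:5E:60:11:22:33
2011-03-01T22:05:00 192.168.1.23 a4:5e:60:11:22:33
2011-03-01T22:05:00 192.168.1.24 00:1a:2b:3c:4d:5e
"""

def parse_arp(text):
    """One (datetime, ip, mac) tuple per line; MACs normalised to lowercase."""
    rows = []
    for line in text.splitlines():
        ts, ip, mac = line.split()
        rows.append((datetime.fromisoformat(ts), ip, mac.lower()))
    return rows

def mac_for(rows, ip, when, max_age=timedelta(minutes=30)):
    """MAC most recently seen holding `ip` at or before `when`, or None when
    the newest observation is older than max_age (assumed lease lifetime)."""
    seen = [(ts, mac) for ts, row_ip, mac in rows if row_ip == ip and ts <= when]
    if not seen:
        return None
    ts, mac = max(seen)
    return mac if when - ts <= max_age else None

def mac_changes(rows, ip):
    """(time, old_mac, new_mac) each time a different device shows up behind
    `ip`: an open access point re-leasing it, or a spoofed/changed MAC."""
    changes, prev = [], None
    for ts, row_ip, mac in sorted(rows):
        if row_ip != ip:
            continue
        if prev is not None and mac != prev:
            changes.append((ts, prev, mac))
        prev = mac
    return changes

def resolve(ip, when_iso, text=ARP_LOG):
    """Convenience wrapper: which MAC held `ip` at ISO-8601 time `when_iso`?"""
    return mac_for(parse_arp(text), ip, datetime.fromisoformat(when_iso))
```

Even a solid answer here only names a network interface; the MAC may be forged and the chair may be empty, which is why the slides insist that IP != person.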
  12. Another CSI Example
     • At a crime scene, an investigator walks up to a computer, turns it on and starts accessing the suspect’s email
  13. Why This Is Awful
     • Well, I’m sure THAT evidence will be admissible!
     • A good lab takes PAINSTAKING effort to maintain evidence integrity – saying you looked at it at a suspect’s house is probably not going to fly
     • Really? No password on the system?
     • My *aunt* uses a password
     • You’ve already destroyed valuable evidence
     • Rule #1: Alter evidence as little as possible
     • Logging into a system is relatively traumatic
  14. Truth-O-Meter: Sadly True
     • Non-experts destroy evidence all the time
     • Particularly true in corporate environments – they have the RIGHT to examine a system, but it should be done properly
     • Maintain integrity
     • Don’t destroy valuable evidence
     • People who “know computers” think they can do forensics
  15. The Forensics Lab Version
     • Investigator takes notes on the environment in which the system was found, as well as photos
     • The entire system is seized
     • If the system was already on, additional measures are carried out to get things like live memory (passwords, etc. can live there)
     • The hard drive is extracted and bit-for-bit copied (usually twice)
     • Only one copy is used for analysis
  16. The Forensics Lab Version
     • The drive is connected to a “write blocker” to prevent data from being modified
     • Software designed to index and search content is run on the hard drive (such as EnCase or FTK)
     • Analysis of the email, pictures, documents and other data can be carried out
     • Using gathered data, other systems, etc. can possibly be accessed
     • Also possible to figure out motive and such – “rear end in chair” kinds of things
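The imaging and integrity step from slides 15 and 16, written out as an added example (not 403 Labs procedure or code): stream a drive into two independent bit-for-bit copies, hash source and copies, and show how touching a single byte of a working copy, the on-scene mistake from slide 13, breaks the match. The "drive" is a constructed byte string standing in for a device behind a write blocker; against real media the same job is done with tools like dd or dc3dd.

```python
"""Bit-for-bit imaging with hash verification, simulated on a constructed drive."""
import hashlib
import io

SECTOR = 512
# Constructed stand-in for a seized disk: five fake 512-byte sectors.
FAKE_DRIVE = (b"MBR " * 128) + (b"FAT " * 128) + b"\x00" * (SECTOR * 2) \
    + b"evidence.eml".ljust(SECTOR, b"\x00")

def sha256_stream(fh, chunk=4096):
    """Hash a file-like object from its start without loading it whole."""
    h = hashlib.sha256()
    fh.seek(0)
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def image(source, copies=2, chunk=4096):
    """Read the source sequentially (all a write blocker permits) into
    `copies` independent images. Returns (source_hash, image_hashes, images)."""
    src_hash = sha256_stream(source)
    images = []
    for _ in range(copies):
        out = io.BytesIO()
        source.seek(0)
        for block in iter(lambda: source.read(chunk), b""):
            out.write(block)
        images.append(out)
    return src_hash, [sha256_stream(img) for img in images], images

def verify(src_hash, image_hashes):
    """Every image must hash identically to the source; a mismatch means re-image."""
    return bool(image_hashes) and all(h == src_hash for h in image_hashes)

def demo():
    """Image the constructed drive twice, verify, then overwrite one byte of
    the working copy and verify again."""
    src_hash, img_hashes, images = image(io.BytesIO(FAKE_DRIVE))
    ok_before = verify(src_hash, img_hashes)
    images[0].seek(0)
    images[0].write(b"X")                     # the 'looked at it on site' mistake
    ok_after = verify(src_hash, [sha256_stream(img) for img in images])
    return {"source": src_hash, "copies": img_hashes,
            "verified": ok_before, "verified_after_touch": ok_after}
```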
  17. Law And Order
     • A kidnapper has abducted a girl and refuses to give up her location
     • Police, aware of his obsession with virtual reality environments, eventually realize that his virtual reality “home” may be where the girl is located
     • With the help of the game creator, they are able to track down the real-life location and save the girl
  18. Truth-O-Meter: Plausible
     • Virtual reality (“VR”) evidence has been used to aid in prosecution
     • A case in Central Wisconsin involved a wireless service provider offering broadband Internet to the area
     • Disgruntled former employee wanted to disrupt the service provider, and other customers, and use the Internet himself
  19. The Real Case
     • Suspect allegedly bragged about his activities in the VR game “EverQuest”
     • Local FBI engaged yours truly (who happened to play the game) to sort through game evidence and work with the game provider to help prove the case
     • Subpoenas of game records, as well as forensic evidence recovered off of the suspect’s computer, contained dates, times and incriminating statements after analysis
  20. Live Free Or Die Hard
     • Former NSA employee trying to raise alarm bells about the risks to infrastructure
     • Decides to carry out a demonstration “fire sale” (and steal some money, of course)
     • Takes out traffic infrastructure, energy, communication, etc.
  21. Live Free Or Die Hard
     • Let’s focus on SCADA system attacks
     • SCADA: Supervisory Control and Data Acquisition
     • The bad guy reroutes natural gas traffic to a single station, causing it to explode
     • Lots of interest in detecting and analyzing these systems and attacks
     • See: Stuxnet
  22. Truth-O-Meter: Over The Top, But…
     • Definitely some truth to it
     • Famous video of a generator being destroyed by a staged attack
     • Stuxnet attacked primarily Iranian (and other) industrial systems
     • Scary when discussing nuclear controls
     • What can a lab do?
  23. Preliminary Forensics
     • Testing of systems is essential – engage penetration testing teams well-versed in SCADA
     • Simulate real attacks (harder in certain environments!)
     • Have a forensic team perform “clean-up” – black box analysis may be particularly revealing
  24. What Could Be Found?
     • Pathways in – the more realistic (and comprehensive), the better
     • Evidence left behind after an attack may lead to more comprehensive signatures and detection methods
     • Real-life attacks like Stuxnet should be studied in-depth
     • Other attacks are being found…
  25. A More Generic Example
     • The grainy video footage that magically gets cleaned up by hitting the “Enhance” button (or, better yet, simply telling your computer, “enhance”)
     • Look, I can see the reflection of some critical piece of evidence in the suspect’s eye!
  26. Truth-O-Meter: Partial Lie
     • There is no magic “enhance” button
     • It is possible (sometimes) to substantially improve the quality of a photo
     • Videos often need to be deconstructed into a series of images
     • Depending on how the image was captured, data from more than one frame may be present in an image
  27. Fixing Images In A Lab
     • Deinterlacing video
     • Many video images are not what they seem! Lower quality video is usually a combination of two frames, which differ by 1/60th of a second – 60 frames/second
     • When describing anything in motion, 1/60th of a second can be an eternity
     • Deinterlacing attempts to correct this
     • Results are very inconsistent
     • Worse results with more motion
  28. Fixing Images In A Lab
     • Now that we have images from the video, enhance their details
     • Requires complex filters and a trained eye to know how to apply them
     • Images are pixels – they have a value, and there are only so many of them
     • Creating more detail from something grainy (where the pixels don’t exist) is impossible
     • All we can do is estimate the content we want
  29. Fixing Images In A Lab
     • Basics of image enhancement
     • Contrast/brightness adjustment
     • Limiting the focus of the enhancement
     • Sharpening/de-blurring
     • Requires “making up” data
     • A lot of different algorithms for doing this
     • Compression (like JPEG or GIF files) makes it harder still
     • Results are highly variable
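The deinterlacing point from slides 26 through 28, as an added example (not from the deck or from any forensic video tool): an interlaced frame stores two fields captured 1/60 s apart on alternating lines, so anything that moved shows "combing" when the frame is viewed as one image. Splitting the fields and line-doubling each one ("bob" deinterlacing) gives two clean images, but the filled-in lines are averages of their neighbours, an estimate rather than recovered detail. The frame here is a constructed 8x10 grayscale grid with a one-pixel bar that moved between the two captures.

```python
"""Interlaced frame -> two fields -> two line-doubled images (bob deinterlacing)."""

def make_interlaced_frame(height, width, x_even, x_odd):
    """Constructed frame: a vertical bar at column x_even on even lines (field 1)
    and at x_odd on odd lines (field 2), i.e. the bar moved between captures."""
    frame = []
    for y in range(height):
        x = x_even if y % 2 == 0 else x_odd
        frame.append([255 if c == x else 0 for c in range(width)])
    return frame

def split_fields(frame):
    """Even lines form one field, odd lines the other."""
    return frame[0::2], frame[1::2]

def bob(field, parity, height):
    """Rebuild a full-height image from one field: stored lines return to their
    rows; missing rows are the average of their vertical neighbours (an
    estimate, not recovered data)."""
    out = [None] * height
    for i, row in enumerate(field):
        out[2 * i + parity] = list(row)
    for y in range(height):
        if out[y] is None:
            above = out[y - 1] if y > 0 else None
            below = out[y + 1] if y + 1 < height else None
            if above is not None and below is not None:
                out[y] = [(a + b) // 2 for a, b in zip(above, below)]
            else:
                out[y] = list(above if above is not None else below)
    return out

def combing(image):
    """Count rows whose bar column differs from the row above: the tearing
    you see when a moving object's two fields are woven into one frame."""
    bar = lambda row: row.index(max(row))
    return sum(1 for y in range(1, len(image)) if bar(image[y]) != bar(image[y - 1]))

def demo():
    """Combing count for the woven frame and for each bob-deinterlaced field."""
    frame = make_interlaced_frame(8, 10, 2, 5)
    even, odd = split_fields(frame)
    return combing(frame), combing(bob(even, 0, 8)), combing(bob(odd, 1, 8))
```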
  30. Example Software
     • Photo from: http://www.oceansystems.com/forensic/forensic-Photoshop-Plugins/how_clearid_works.htm
  31. Let’s Wrap Up With Real Life
     • An animal rights group obtains information on university staff members, ostensibly for the purpose of inciting violence
     • Utilize computers at a local copy shop to obtain information and create pamphlets to “out” staff and include an ominous warning
     • A wise system administrator, in conjunction with a victim, helped LEOs track them down
     • Four charged – trial is still ongoing (initially dismissed, charges may be re-filed)
  32. The Forensics Behind It All
     • LEOs got subpoenas and worked with forensic analysts to connect the suspects, video footage, the pamphlets and access to various pieces of information
     • Involved a LOT of log analysis, packet tracing and some custom scripting
  33. How Does A Lab Track This?
     • Examination of patterns
     • In this case, an administrator noticed suspicious access to the 11 staff members targeted
     • After working with campus security and law enforcement, logs were able to locate the source IP
     • Some footwork was needed to track back the address to a nearby Kinko’s
  34. How Does A Lab Track This?
     • “Certain information” within the Kinko’s logs definitively linked the computer to the access
     • Video footage showed the suspects using the computer at the time of the access
     • Video footage at the café where pamphlets appeared linked one of the suspects to the act
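The "examination of patterns" step from slides 32 through 34, as an added example that is not the campus's scripts or logs: the kind of custom script that surfaces one source address pulling records of many different staff members in a short window, which is the pattern the administrator noticed. The log format, the 5-record threshold and the 15-minute window are assumptions, and all log lines are constructed.

```python
"""Flag source IPs that read many distinct staff records inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server lines: time, source IP, method, path.
ACCESS_LOG = """\
2009-04-02T14:02:11 10.20.30.40 GET /directory/staff/adams
2009-04-02T14:02:45 10.20.30.40 GET /directory/staff/baker
2009-04-02T14:03:30 10.9.8.7 GET /directory/staff/chen
2009-04-02T14:04:02 10.20.30.40 GET /directory/staff/chen
2009-04-02T14:05:19 10.20.30.40 GET /directory/staff/davis
2009-04-02T14:06:51 172.16.5.5 GET /directory/staff/evans
2009-04-02T14:07:08 10.20.30.40 GET /directory/staff/evans
2009-04-02T14:08:00 172.16.5.5 GET /index.html
2009-04-02T14:09:44 10.20.30.40 GET /directory/staff/frank
2009-04-02T14:10:00 172.16.5.5 GET /directory/staff/evans
2009-04-02T14:11:30 172.16.5.5 GET /directory/staff/evans
2009-04-02T15:30:00 10.20.30.40 GET /directory/staff/garcia
"""

def parse(text):
    """(datetime, ip, staff_name) for each request to a staff record."""
    events = []
    for line in text.splitlines():
        ts, ip, _method, path = line.split()
        if path.startswith("/directory/staff/"):
            events.append((datetime.fromisoformat(ts), ip, path.rsplit("/", 1)[1]))
    return events

def suspicious_sources(events, threshold=5, window=timedelta(minutes=15)):
    """Map each source IP to the largest set of distinct staff records it
    reached inside any `window`; keep only sources at or above `threshold`.
    Repeated hits on one record do not count, so a student refreshing a
    single page is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, who in events:
        by_ip[ip].append((ts, who))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            names = {who for ts, who in hits[i:] if ts - start <= window}
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            flagged[ip] = best
    return flagged

def report(text=ACCESS_LOG, **kw):
    """Sorted, JSON-friendly view of suspicious_sources over a log text."""
    return {ip: sorted(names) for ip, names in suspicious_sources(parse(text), **kw).items()}
```

The flagged IP is only the starting point: as slides 33 and 34 show, tying it to a specific machine and a specific person took subpoenas, the copy shop's own logs and video footage.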
  35. Why Engage A Specialist?
     • Evidence integrity and admissibility is crucial
     • Computer forensic investigators specialize in maintaining integrity, which can be VERY difficult!
     • Computer data changes frequently
     • Simply looking at certain data can change it
     • Need to be able to explain every single thing that has, or could have been, altered
  36. Why Engage A Specialist?
     • Time!
     • Everyone seems busier these days
     • Plenty of forensics investigators are backed up
     • Unusual systems or programs
     • Certain systems, applications, etc. require some pretty particular knowledge
     • Our game discussion
     • More information may be extractable if you can find someone who knows the specifics
  37. Why Engage A Specialist?
     • Cost
     • Pulling resources aside to work on an internal investigation may be more costly than realized
     • Training of individuals is VERY expensive
     • In the case of working with law enforcement, it might be possible to work at a lesser rate or even possibly pro bono
     • Talk with me more about this if interested
  38. Why Engage A Specialist?
     • Difficulty
     • Custom viruses and other malware require even more detailed skillsets!
     • Firms specializing in this are often backed up
  39. When To Engage A Specialist?
     • As soon as digital evidence comes into scope!
     • Do not take chances – powering on a system or accessing a device must be done carefully to avoid data loss or integrity problems
     • A second set of eyes may be helpful – a good defense attorney may use their own experts
  40. Questions?
     • Dave Russell
     • Consultant
     • 403 Labs
     • drussell[at]403labs[dot]com
     • 877.403.LABS
     • www.403labs.com
  41. Thank You!
     • Dave Russell
     • Consultant
     • 403 Labs
     • drussell[at]403labs[dot]com
     • 877.403.LABS
     • www.403labs.com
