• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Computer Forensics | Patricia Watson | 2004

Computer Forensics | Patricia Watson | 2004






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Computer Forensics | Patricia Watson | 2004 Computer Forensics | Patricia Watson | 2004 Presentation Transcript

    • Computer Forensics – Patricia M Watson Linux: A Powerful Computer Forensics Tool Patricia M Watson
    • Computer Forensics – Patricia M Watson What is Computer Forensics? Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis. Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003 ISBN 0-201-70719-5
    • Computer Forensics – Patricia M Watson What Skills Must Forensics Analyst Have? • A broad range of technical, investigative, procedural, and legal skills  Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, Chain of custody • The ability to function in a complex, dynamic environment  Computer technology as well as legal and regulatory environments are constantly changing • The ability to testify in a court of law  Reproduce incident, interpret results, be prepared for cross- examination
    • Computer Forensics – Patricia M Watson Computer Forensics Training • The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)  http://www.giac.org/certifications/security/gcfa.php • New Technologies Inc. – Computer Forensics Certification administered by Oregon State University  http://www.forensics-intl.com/forensic.html • CompuForensics – in association with the University of Georgia offer computer forensics certificate courses  http://www.gactr.uga.edu/is/cf/ • Certified Information System Security Professional (CISSP)  http://www.cissp.com/ispc/cf-bootcamp.asp
    • Computer Forensics – Patricia M Watson Why is Computer Forensics Important? • Computers are used to commit crimes  Fraud, theft of intellectual property, threatening letters • Computers are victims of crimes  Remote attacks, viruses, worms, Trojans • Computers provide record of activities that are useful in an investigation of an alleged crime  Best evidence rule: Accurate representation of original data on a system (bit-for-bit image)
    • Computer Forensics – Patricia M Watson Forensics in a Nutshell • Incident response o Verify the incident o Evidence Seizure o Collect volatile and non-volatile data (live system) • Investigation and analysis o Image System (dead system) o Data recovery • Reporting results o Record your actions
    • Computer Forensics – Patricia M Watson Forensics “The Legal Issues” • Federal (cyber crime is federal) o Title 18 – communications, computers, fraud, etc. o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection • State laws vary • Admissible evidence  Law enforcement personnel activities are restricted (warrants, privacy, consent)  Law enforcement must follow chain of custody  Private citizens must follow company policies  Policy should address both legal and business environments
    • Computer Forensics – Patricia M Watson Places for Data to Hide As organized by SANS.org • Physical Layer  Areas allocated for diagnostics, sector overhead, sectors marked as bad • Data Layer  Slack space, swap space, free space, unallocated space (file fragments) • Metadata Layer  Corrupted inodes (Linux), resident data as alternate data streams (NTFS) • File System Layer  Superblock, boot sector • File Name Layer  When files are deleted, the file system will hide the file name from the user, but much data can be recovered using forensic tools.
    • Computer Forensics – Patricia M Watson The “Tools” • Although there is no universal forensic solution, Linux based tools are preferred for the following reasons:  They are FREE  Open source – You can modify/improve  You can verify tool integrity (cryptographic hashes)  You can image any type of media as raw format  Greater versatility – No platform dependencies
    • Computer Forensics – Patricia M Watson Tools – “The Basics” • dcfldd – Modified version of dd which provides the ability to perform hashing on the raw data collected  # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt • dd – Powerful utility used for truncating files, splitting images, or sanitizing disk or partitions  # dd if=/dev/zero of=/dev/hda# • Cryptographic Hashes – Provide evidence integrity and authentication  md5sum, sha1 • mount loop  # mount –o ro,loop imagepath mountpoint • strings, grep, fgrep, file – Used for keyword searches
    • Computer Forensics – Patricia M Watson Type of Forensic Toolkits • Data Analysis Toolkits: Designed to analyze data, best for live system analysis o The Coroner’s Toolkit (TCT)  Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix host  http://www.fish.com/tct • Data Acquisition Toolkits: Save data to perform lab-based analysis, best for dead system analysis o The Sleuth Kit (TSK)  Designed by Brian Carrier, the TSK is a collection of file system analysis tools with NO platform dependency. http://sleuthkit.sourceforge.net  Autopsy is the graphical interface to TSK
    • Computer Forensics – Patricia M Watson The TSK Tool Organization • File System Layer:  fsstat – displays details about the file system
    • Computer Forensics – Patricia M Watson The TSK Tool Organization • Data Layer:  dstat – provides statistics on a given data unit, i.e. allocation status  dls – copies unallocated contents form data units to STDOUT, the –s flag extracts slack space on NTFS and FAT systems  dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)  dcat – displays the contents of any disk block to STDOUT
    • Computer Forensics – Patricia M Watson The TSK Tool Organization • Metadata Layer: o istat – displays statistics about a given metadata structure i.e. permissions, size, allocation status o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches o ils - lists general details of inodes, most often used to collect inodes of deleted files o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files
    • Computer Forensics – Patricia M Watson The TSK Tool Organization • File Name Layer:  fls – lists file and directory entries in a directory inode. Since “fls” is processing the directory content, it can display the data from deleted files  ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
    • Computer Forensics – Patricia M Watson Forensic Resources • Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf • Intrusion Detection, Honeypots and Incident Handling Resources http://www.honeypots.net/ • US Department of Justice Forensic Examination of Digital Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf • USDOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf • Computer Forensics Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5 • Know Your Enemy 2nd Edition. The Honeynet Project.
    • Computer Forensics – Patricia M Watson Computer Forensics • Questions?