Computer Forensics | Patricia Watson | 2004
Transcript

  • 1. Computer Forensics – Patricia M Watson
    Linux: A Powerful Computer Forensics Tool
    Patricia M Watson

  • 2. What is Computer Forensics?
    Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.
    Source: Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003, ISBN 0-201-70719-5

  • 3. What Skills Must a Forensics Analyst Have?
    - A broad range of technical, investigative, procedural, and legal skills
      · Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, chain of custody
    - The ability to function in a complex, dynamic environment
      · Computer technology as well as legal and regulatory environments are constantly changing
    - The ability to testify in a court of law
      · Reproduce the incident, interpret results, be prepared for cross-examination

  • 4. Computer Forensics Training
    - The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)
      · http://www.giac.org/certifications/security/gcfa.php
    - New Technologies Inc. – Computer Forensics Certification administered by Oregon State University
      · http://www.forensics-intl.com/forensic.html
    - CompuForensics – in association with the University of Georgia, offers computer forensics certificate courses
      · http://www.gactr.uga.edu/is/cf/
    - Certified Information System Security Professional (CISSP)
      · http://www.cissp.com/ispc/cf-bootcamp.asp

  • 5. Why is Computer Forensics Important?
    - Computers are used to commit crimes
      · Fraud, theft of intellectual property, threatening letters
    - Computers are victims of crimes
      · Remote attacks, viruses, worms, Trojans
    - Computers provide a record of activities that is useful in the investigation of an alleged crime
      · Best evidence rule: accurate representation of the original data on a system (bit-for-bit image)

  • 6. Forensics in a Nutshell
    - Incident response
      · Verify the incident
      · Evidence seizure
      · Collect volatile and non-volatile data (live system)
    - Investigation and analysis
      · Image the system (dead system)
      · Data recovery
    - Reporting results
      · Record your actions

  • 7. Forensics – “The Legal Issues”
    - Federal (cyber crime is federal)
      · Title 18 – communications, computers, fraud, etc.
      · USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties
      · Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection
    - State laws vary
    - Admissible evidence
      · Law enforcement personnel activities are restricted (warrants, privacy, consent)
      · Law enforcement must follow chain of custody
      · Private citizens must follow company policies
      · Policy should address both legal and business environments

  • 8. Places for Data to Hide (as organized by SANS.org)
    - Physical layer
      · Areas allocated for diagnostics, sector overhead, sectors marked as bad
    - Data layer
      · Slack space, swap space, free space, unallocated space (file fragments)
    - Metadata layer
      · Corrupted inodes (Linux), resident data as alternate data streams (NTFS)
    - File system layer
      · Superblock, boot sector
    - File name layer
      · When files are deleted, the file system hides the file name from the user, but much data can be recovered using forensic tools.

  • 9. The “Tools”
    - Although there is no universal forensic solution, Linux-based tools are preferred for the following reasons:
      · They are FREE
      · Open source – you can modify/improve them
      · You can verify tool integrity (cryptographic hashes)
      · You can image any type of media in raw format
      · Greater versatility – no platform dependencies

  • 10. Tools – “The Basics”
    - dcfldd – modified version of dd which can hash the raw data as it is collected
      · # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt
    - dd – powerful utility used for truncating files, splitting images, or sanitizing disks or partitions
      · # dd if=/dev/zero of=/dev/hda#
    - Cryptographic hashes – provide evidence integrity and authentication
      · md5sum, sha1
    - mount loop – mount an image read-only through the loop device
      · # mount -o ro,loop imagepath mountpoint
    - strings, grep, fgrep, file – used for keyword searches
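The script below is an added example and is not part of the original slides. It walks through the "basics" workflow of this slide on a constructed file that stands in for the source device (the slide's /dev/hda), so it runs without root or real hardware: a raw bit-for-bit acquisition with dd, md5 and sha1 hashes of source and image for evidence integrity, a verification step that flags any altered byte, and a keyword search with strings and grep. dcfldd's built-in hashing is replaced here by dd plus separate md5sum/sha1sum calls; the read-only loop mount needs root and is left out. All file names, paths and sample contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original slides: imaging, hashing and
# keyword search with dd, md5sum, sha1sum, strings and grep.
# A constructed file stands in for the source device (the slide's /dev/hda)
# so the script runs without root or real hardware. All paths are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/forensics_demo.$$"
mkdir -p "$WORK"

# Build the constructed "device": a boot-sector placeholder, a live file,
# a run of zeros standing in for unallocated space, and a remnant of a
# "deleted" file left in that space (all contents are constructed).
make_evidence() {
    printf 'boot sector placeholder\n' > "$1"
    printf 'Meeting notes: transfer the account to offshore@example.invalid\n' >> "$1"
    head -c 4096 /dev/zero >> "$1"
    printf 'deleted-file remnant: PROJECT-X budget\n' >> "$1"
}

# Acquire a raw (bit-for-bit) image with dd. No conv=sync here: padding the
# last block would change the image length and therefore its hash.
acquire_image() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Hash a file with both algorithms the slide names; prints "<md5> <sha1>".
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Evidence integrity check: the image must hash identically to the source.
# Prints "match" or "MISMATCH".
verify_image() {
    if [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Keyword search over the raw image. strings pulls printable runs out of the
# binary; if strings is not installed, grep -a scans the binary directly.
# Prints the number of matching lines (0 when nothing matches).
keyword_search() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1" | grep -c -i -- "$2" || true
    else
        grep -a -c -i -- "$2" "$1" || true
    fi
}

# Stand-alone run: acquire, record hashes, verify, search for two keywords.
SRC="$WORK/evidence.raw"
IMG="$WORK/evidence.dd"
make_evidence "$SRC"
acquire_image "$SRC" "$IMG"
hash_file "$IMG" > "$WORK/drive.hashes.txt"    # plays the role of the slide's hashlog
echo "integrity: $(verify_image "$SRC" "$IMG")"
for kw in offshore PROJECT-X; do
    echo "hits for '$kw': $(keyword_search "$IMG" "$kw")"
done
```

The keyword hit on "PROJECT-X" comes from data sitting in the zero-filled region, which is the point of searching the raw image rather than a mounted file system: content no longer reachable through a file name is still present in the data layer. Keep the recorded hashes with the image; re-running verify_image against the original media is what lets the copy be presented as an accurate representation of it.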
  • 11. Types of Forensic Toolkits
    - Data analysis toolkits: designed to analyze data, best for live system analysis
      · The Coroner’s Toolkit (TCT) – designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix hosts
        http://www.fish.com/tct
    - Data acquisition toolkits: save data to perform lab-based analysis, best for dead system analysis
      · The Sleuth Kit (TSK) – designed by Brian Carrier, TSK is a collection of file system analysis tools with NO platform dependency
        http://sleuthkit.sourceforge.net
      · Autopsy is the graphical interface to TSK

  • 12. The TSK Tool Organization
    - File system layer:
      · fsstat – displays details about the file system

  • 13. The TSK Tool Organization
    - Data layer:
      · dstat – provides statistics on a given data unit, i.e. allocation status
      · dls – copies unallocated contents from data units to STDOUT; the -s flag extracts slack space on NTFS and FAT systems
      · dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)
      · dcat – displays the contents of any disk block to STDOUT

  • 14. The TSK Tool Organization
    - Metadata layer:
      · istat – displays statistics about a given metadata structure, e.g. permissions, size, allocation status
      · ifind – finds the metadata structure that has allocated a given data unit; most frequently used when performing keyword searches
      · ils – lists general details of inodes; most often used to collect the inodes of deleted files
      · icat – displays the contents of all the blocks allocated to an inode; ideal for recovering deleted files

  • 15. The TSK Tool Organization
    - File name layer:
      · fls – lists file and directory entries in a directory inode. Since “fls” processes the directory content, it can display the entries of deleted files
      · ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address

  • 16. Forensic Resources
    - Handbook for Computer Security Incident Response Teams (CSIRTs)
      http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf
    - Intrusion Detection, Honeypots and Incident Handling Resources
      http://www.honeypots.net/
    - US Department of Justice, Forensic Examination of Digital Evidence
      http://www.ncjrs.org/pdffiles1/nij/199408.pdf
    - USDOJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
      http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf
    - Computer Forensics: Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5
    - Know Your Enemy, 2nd Edition. The Honeynet Project.

  • 17. Computer Forensics
    - Questions?