Computer Forensics – Patricia M Watson
Linux: A Powerful Computer Forensics Tool
Patricia M Watson
Computer Forensics | Patricia Watson | 2004

What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.
Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003, ISBN 0-201-70719-5
What Skills Must a Forensics Analyst Have?
• A broad range of technical, investigative, procedural, and legal skills
  o Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, chain of custody
• The ability to function in a complex, dynamic environment
  o Computer technology as well as legal and regulatory environments are constantly changing
• The ability to testify in a court of law
  o Reproduce the incident, interpret the results, be prepared for cross-examination
Computer Forensics Training
• The SANS Institute – Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GCFA)
  o http://www.giac.org/certifications/security/gcfa.php
• New Technologies Inc. – Computer Forensics Certification administered by Oregon State University
  o http://www.forensics-intl.com/forensic.html
• CompuForensics – in association with the University of Georgia, offers computer forensics certificate courses
  o http://www.gactr.uga.edu/is/cf/
• Certified Information Systems Security Professional (CISSP)
  o http://www.cissp.com/ispc/cf-bootcamp.asp
Why is Computer Forensics Important?
• Computers are used to commit crimes
  o Fraud, theft of intellectual property, threatening letters
• Computers are victims of crimes
  o Remote attacks, viruses, worms, Trojans
• Computers provide a record of activities that is useful in the investigation of an alleged crime
  o Best evidence rule: present the original data, or an accurate representation of it (a bit-for-bit image whose hash matches the original)
Forensics in a Nutshell
• Incident response
  o Verify the incident
  o Evidence seizure
  o Collect volatile and non-volatile data (live system)
• Investigation and analysis
  o Image the system (dead system)
  o Data recovery
• Reporting results
  o Record your actions
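The live-system step of the procedure above (collect volatile data, then record every action) as an added example; this is not code from the slides, it is a constructed script that runs a fixed list of commands in order of volatility, saves each output to its own file, and logs the UTC time, the command line and the SHA-1 of the output so the collection can be re-verified later. The command list, the file names and the log format are this example's own choices; it assumes the output directory is on trusted media rather than the suspect disk and that the binaries in PATH are trusted (in practice they would come from a known-good toolkit).

```shell
#!/bin/sh
# Added example, not from the original slides: collect volatile data from a
# live Linux host, most volatile first, and record every action taken.
# Assumptions: OUTDIR is on removable/trusted media, not the suspect disk;
# the binaries run here are trusted (ideally statically linked, known-good
# copies rather than whatever is on the suspect's PATH).

# Constructed order-of-volatility list, one command per line. Commands that
# are not installed are logged as skipped rather than aborting the run.
VOLATILE_CMDS='date -u
uptime
uname -a
id
w
ps -ef
ss -tunap
netstat -tunap
lsof -n
mount
df -k'

# record OUTDIR NAME CMD... : run CMD, save its output to NAME.txt and append
# "<utc time> <command line> sha1=<digest> file=NAME.txt" to actions.log
record() {
    outdir=$1; name=$2; shift 2
    command -v "$1" >/dev/null 2>&1 || { echo "skip (missing): $*" >> "$outdir/actions.log"; return 0; }
    "$@" > "$outdir/$name.txt" 2>&1 || true     # a failing command is still evidence
    sum=$(sha1sum "$outdir/$name.txt" | cut -d' ' -f1)
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $* sha1=$sum file=$name.txt" >> "$outdir/actions.log"
}

# collect_volatile OUTDIR : run every command in VOLATILE_CMDS; prints log path
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/actions.log"
    echo "$VOLATILE_CMDS" | while read -r line; do
        [ -n "$line" ] || continue
        name=$(echo "$line" | cut -d' ' -f1)
        # intentional word splitting: $line is "command args..."
        record "$outdir" "$name" $line
    done
    echo "$outdir/actions.log"
}

# verify_collection OUTDIR : re-hash each saved output and compare with the
# digest in actions.log; returns 1 if any file no longer matches
verify_collection() {
    outdir=$1; rc=0
    while read -r line; do
        case $line in *sha1=*) ;; *) continue ;; esac
        rest=${line##*sha1=}          # "<digest> file=<name>"
        expected=${rest%% *}
        file=${rest##*file=}
        actual=$(sha1sum "$outdir/$file" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || { echo "MISMATCH $file" >&2; rc=1; }
    done < "$outdir/actions.log"
    return $rc
}

# Usage: collect_volatile /mnt/evidence/host1 ; later: verify_collection /mnt/evidence/host1
```

The log doubles as the "record your actions" artifact for the report: it shows what was run, when, and what the output hashed to at collection time, and verify_collection reproduces that check on demand.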
Forensics “The Legal Issues”
• Federal (much cyber crime falls under federal law)
  o Title 18 – communications, computers, fraud, etc.
  o USA PATRIOT Act – extends crimes, streamlines criminal investigation, and increases penalties
  o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection
• State laws vary
• Admissible evidence
  o Law enforcement personnel activities are restricted (warrants, privacy, consent)
  o Law enforcement must follow chain of custody
  o Private citizens must follow company policies
  o Policy should address both legal and business environments
Places for Data to Hide (as organized by SANS.org)
• Physical Layer
  o Areas allocated for diagnostics, sector overhead, sectors marked as bad
• Data Layer
  o Slack space, swap space, free space, unallocated space (file fragments)
• Metadata Layer
  o Corrupted inodes (Linux); resident data stored inside the MFT entry and alternate data streams (NTFS)
• File System Layer
  o Superblock, boot sector
• File Name Layer
  o When a file is deleted, the file system hides its name from the user, but the directory entry and much of the data can often be recovered using forensic tools.
The “Tools”
• Although there is no universal forensic solution, Linux-based tools are preferred for the following reasons:
  o They are free
  o Open source – you can modify/improve them and audit what they actually do
  o You can verify tool integrity (cryptographic hashes)
  o You can image any type of media in raw (dd) format
  o Greater versatility – no platform dependencies; the same tools read the same raw image whatever system it came from
Tools – “The Basics”
• dcfldd – Modified version of dd which provides the ability to hash the raw data as it is collected (hashwindow=0 produces one hash over the whole stream). The destination is overwritten, so put the source behind a write blocker and double-check if= and of= before pressing Enter
  o # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt
• dd – Powerful utility used for imaging, truncating files, splitting images, or sanitizing disks or partitions (the trailing # below stands for the partition number)
  o # dd if=/dev/zero of=/dev/hda#
• Cryptographic hashes – provide evidence integrity and authentication: hash the source and the image, compare, and record both values
  o md5sum, sha1sum
• mount loop – examine an image read-only without altering it; for a whole-disk image add offset= to reach a partition, and noexec,nodev are advisable
  o # mount -o ro,loop imagepath mountpoint
• strings, grep, fgrep – used for keyword searches; file – identifies what a file or image contains by its signature
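The imaging and hashing workflow from the slide above as an added example, not code from the slides: it reads the source once, writing the image and computing its SHA-1 in the same pass (the effect of dcfldd's hashwindow=0, here done with plain dd, tee and sha1sum so it needs nothing beyond coreutils), re-verifies the stored image against the recorded hash, and turns grep keyword hits into byte offsets and data unit numbers. The function names, the DST.sha1 sidecar file and the 4096-byte default unit are this example's assumptions; it also assumes the source device is behind a write blocker and the destination is on separate evidence media.

```shell
#!/bin/sh
# Added example, not from the original slides: single-pass imaging with a
# hash of the stream, verification of the stored image, and keyword hits
# expressed as data unit addresses. Needs only dd, tee, sha1sum, grep.
# Assumptions: SRC is a block device (or a file standing in for one) that is
# read-only / behind a write blocker; DST lives on separate evidence media.

# image_and_hash SRC DST : write SRC to DST, record the SHA-1 in DST.sha1,
# and print the digest. tee splits the stream so the source is read once.
image_and_hash() {
    src=$1; dst=$2
    dd if="$src" bs=4096 2>/dev/null | tee "$dst" | sha1sum | cut -d' ' -f1 > "$dst.sha1"
    cat "$dst.sha1"
}

# verify_image DST : re-hash the image and compare with DST.sha1.
# Returns 0 only on a match; run before and after every analysis session.
verify_image() {
    dst=$1
    expected=$(cat "$dst.sha1")
    actual=$(sha1sum "$dst" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK $actual"
        return 0
    fi
    echo "FAIL expected $expected got $actual" >&2
    return 1
}

# keyword_offsets IMG PATTERN [UNIT_SIZE] : one line per hit with the byte
# offset, the data unit containing it, and the matched text.
# grep -a treats the binary image as text; -b -o prints the offset of the
# match itself. The unit number is what dcalc/ifind take as input; the
# 4096-byte default must be replaced by the block/cluster size fsstat reports.
keyword_offsets() {
    img=$1; pattern=$2; unit=${3:-4096}
    grep -a -b -o -- "$pattern" "$img" | while IFS=: read -r off match; do
        echo "$off $((off / unit)) $match"
    done
}

# Usage:
#   image_and_hash /dev/sdb /mnt/evidence/sdb.dd
#   verify_image /mnt/evidence/sdb.dd
#   keyword_offsets /mnt/evidence/sdb.dd 'confidential' 4096
```

Hashing the stream and then hashing the file on disk are two different checks: the first proves what was read from the device, the second proves the file has not changed since; both values belong in the notes.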
Types of Forensic Toolkits
• Data analysis toolkits: designed to analyze data, best for live system analysis
  o The Coroner's Toolkit (TCT)
     Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix hosts
     http://www.fish.com/tct
• Data acquisition toolkits: save data to perform lab-based analysis, best for dead system analysis
  o The Sleuth Kit (TSK)
     Designed by Brian Carrier, TSK is a collection of file system analysis tools that work on raw images with no platform dependency. http://sleuthkit.sourceforge.net
     Autopsy is the graphical interface to TSK
The TSK Tool Organization
• File System Layer:
  o fsstat – displays details about the file system (type, block or cluster size, layout)
• Data Layer:
  o dstat – provides statistics on a given data unit, i.e. allocation status
  o dls – copies unallocated contents from data units to STDOUT; the -s flag extracts slack space on NTFS and FAT systems
  o dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)
  o dcat – displays the contents of any disk block to STDOUT
  o (TSK 3.0 and later renamed these four tools blkstat, blkls, blkcalc and blkcat; the options are unchanged)
• Metadata Layer:
  o istat – displays statistics about a given metadata structure, i.e. permissions, size, allocation status
  o ifind – finds the metadata structure that has allocated a given data unit; most frequently used when performing keyword searches
  o ils – lists general details of inodes; most often used to collect inodes of deleted files
  o icat – displays the contents of all the blocks allocated to an inode; ideal for recovering deleted files (on ext2 a deleted inode keeps its block pointers; ext3 zeroes them on deletion, so icat can only recover what the metadata still points to)
• File Name Layer:
  o fls – lists file and directory entries in a directory inode. Since “fls” processes the directory content itself, it can also display the entries of deleted files
  o ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
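The four layers above chained together as an added example (not code from the slides or from The Sleuth Kit itself): starting from a keyword, the script dumps unallocated space with dls, finds the hit's byte offset, converts it to a dls unit, maps that back to the original image unit with dcalc, asks ifind which inode allocated it, and then uses istat, ffind and icat to show the inode, recover the file name and dump the content. The function names and the recovered.<inode> output file are this example's assumptions; it assumes a raw dd image of a single ext2/ext3 or NTFS file system and a TSK install, and resolves the old (dls, dcalc) or new (blkls, blkcalc) tool names, whichever is present.

```shell
#!/bin/sh
# Added example, not from the original slides: walk the TSK layers from a
# keyword hit in unallocated space back to the inode and file name.
# Assumptions: IMG is a raw dd image of one ext2/ext3 or NTFS file system and
# The Sleuth Kit is installed. TSK 3.0 renamed the data-layer tools
# (dls->blkls, dcalc->blkcalc, dcat->blkcat, dstat->blkstat); tsk_tool()
# picks whichever name exists on this host.

# tsk_tool OLD NEW : print the installed name, or fail if neither exists
tsk_tool() {
    if command -v "$2" >/dev/null 2>&1; then echo "$2"
    elif command -v "$1" >/dev/null 2>&1; then echo "$1"
    else echo "neither $1 nor $2 found in PATH" >&2; return 1
    fi
}

# unit_from_offset OFFSET UNIT_SIZE : data unit number that contains OFFSET
unit_from_offset() {
    echo $(( $1 / $2 ))
}

# unit_size IMG : data unit size from fsstat (Block Size on ext, Cluster Size
# on NTFS). FAT images are addressed by sector in TSK; adjust the pattern.
unit_size() {
    fsstat "$1" | awk -F: '/^(Block|Cluster) Size/ { gsub(/ /, "", $2); print $2; exit }'
}

# recover_by_keyword IMG KEYWORD
#   1. fsstat        -> unit size                         (file system layer)
#   2. dls/blkls     -> dump unallocated units to a file  (data layer)
#   3. grep -a -b -o -> byte offset of each hit in that dump
#   4. dcalc/blkcalc -> map the dls unit back to the image unit
#   5. ifind -d      -> inode that allocated the unit     (metadata layer)
#   6. istat, ffind  -> inode details and its file name   (file name layer)
#   7. icat          -> recover the content to recovered.<inode>
recover_by_keyword() {
    img=$1; kw=$2
    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 2; }
    dls=$(tsk_tool dls blkls) || return 3
    dcalc=$(tsk_tool dcalc blkcalc) || return 3
    size=$(unit_size "$img")
    unalloc=$(mktemp)
    "$dls" "$img" > "$unalloc"
    grep -a -b -o -- "$kw" "$unalloc" | cut -d: -f1 | while read -r off; do
        dls_unit=$(unit_from_offset "$off" "$size")
        img_unit=$("$dcalc" -u "$dls_unit" "$img")   # -u: address is a dls unit
        inode=$(ifind -d "$img_unit" "$img")          # -d: look up by data unit
        echo "hit: dls unit $dls_unit -> image unit $img_unit -> inode $inode"
        istat "$img" "$inode"
        ffind "$img" "$inode"
        icat "$img" "$inode" > "recovered.$inode"
    done
    rm -f "$unalloc"
}

# Usage: recover_by_keyword /mnt/evidence/sdb1.dd 'confidential'
```

The unit-size step matters: dls writes whole data units, so a byte offset from grep has to be divided by the block or cluster size that fsstat reports before dcalc and ifind will accept it; using a guessed 512 or 4096 silently points at the wrong inode.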
Forensic Resources
• Handbook for Computer Security Incident Response Teams (CSIRTs) – http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf
• Intrusion Detection, Honeypots and Incident Handling Resources – http://www.honeypots.net/
• US Department of Justice, Forensic Examination of Digital Evidence – http://www.ncjrs.org/pdffiles1/nij/199408.pdf
• USDOJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations – http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf
• Computer Forensics: Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5
• Know Your Enemy, 2nd Edition. The Honeynet Project.
Questions?