Codebits 2010


Published in: Technology, Education


1. Computer Forensics!
   - The Digital CSI
   - What, Why and How!

2. Synopsis (not exactly in this order!)
   - Who am I?
   - Introduction to Computer Forensics
     - Computer Forensics: What and Why?
     - Forensic Investigation: The process
     - Forensic Data
     - Types of Forensic Investigations
     - Hardware and Software used in forensic investigation
     - Forensic Techniques
   - Web Forensics
   - Conclusion

3. Who Am I?
   - Tiago Henriques
   - 22 y.o.
   - Portuguese
   - BSc Software Engineering – University of Brighton
   - MSc by Research in Information Security and Computer Forensics – University of Bedfordshire
   - PhD in Wireless Sensor Networks – University of Bedfordshire
   - Lecturer – University of Bedfordshire
   - Running the CST – Computer Security group at the University
   - Topics of interest: Cryptography, Pentesting, Information Security, Computer Forensics, Vulnerability research, Wireless sensor networks, Electronics

4. Computer Forensics
   - Computer Forensics is an area inside forensic sciences that deals with the scientific examination and analysis of data held on, or retrieved from, a computer or any kind of storage media, in a way that this data can be used as evidence in a court of law.

5. Computer Forensics – First things first
   - Television CSI != Computer Forensics Investigator
   - What does this mean?

6. Computer Forensics
   - Most of what you see on television does NOT represent what we do, how we do it, or the speed at which we do it!

7. Computer Forensics on TV – Fail 1
   - We don't do any IP tracking in GUI interfaces designed in Visual Basic to track the killer's IP address.
   - We acquire logs and from there we follow what can be called a digital trail. It is very rare for us to do work on a live machine.

8. Computer Forensics on TV – Fail 1 (image slide, no text)

9. Computer Forensics on TV – Fail 2
   - We are NOT digital artists!
   - "Please enhance that image"
   - We don't do any image enhancement. We do acquire images to be used as evidence, but any enhancement is done by digital artists who are hired as consultants when needed.

10. Computer Forensics on TV – Fail 2 (image slide, no text)

11. Computer Forensics on TV – Fail 3
   - Speed! On television they seem to do all actions in what is equivalent to an hour or two. Forensics is all about methodology and has accuracy as its main objective.
   - Acquisition (more details on this later!) takes a LOT of time!
   - Analysis (more details on this later!) takes even MORE time!
   - Report writing (more details on this later!) takes some time, but not as much as the other two.

12. Computer Forensics – Real life
   - After pointing out all the different things that Computer Forensics investigators DON'T do, we still have a MAIN question we haven't answered!
   - What do we do?!?!?!

13. Computer Forensics – Real life
   - The objective in computer forensics is quite straightforward!
   - It is to recover, analyze and present computer-based material in such a way that it is usable as evidence in a court of law.
   - The key phrase here is: "usable as evidence in a court of law". It is essential that none of the equipment or procedures used during the examination of the image we are analyzing undermines this single requirement.

14. Computer Forensics – Real life
   - The science of computer forensics is concerned primarily with forensic procedures, rules of evidence and legal processes.
   - It is only secondarily concerned with computers!
   - Therefore, in contrast to all other areas of computing where speed is the main concern, in computer forensics the main and absolute priority is accuracy!
   - "Complete work as efficiently as possible" – means that we should do it as fast as possible BUT without sacrificing accuracy!
16. Computer Forensics – Real life
   - The main challenge in Computer Forensics is of course "finding evidence that can be used as data", because users also store a lot of what a forensic investigator would consider trash data (data that is of no use to the investigation).

17. Computer Forensics – Real life
   - One VERY important point that we need to take into account is:
   - ELECTRONIC EVIDENCE IS VERY FRAGILE AND CAN EASILY BE MODIFIED
   - And if modified, it is unusable as evidence in a court of law.

18. Computer Forensics – Permission
   - A very important point to take into consideration is PERMISSION!
   - When we get a request to perform a forensic investigation on a certain device, we must make sure that the person requesting the investigation has the right to give us permission to investigate it.
   - Example: a wife comes to the forensic examiner with a laptop and says "I believe my husband is cheating on me; here is his laptop, please check for information".
   - In a case like this we CANNOT do the investigation, as the wife does not HOLD the RIGHT to give us permission because the device doesn't belong to her, and if the husband decided to, he could prosecute us.

19. Computer Forensics – Process
   - A forensic investigation consists of 4 main sections:
     - Assessment – assess the situation and decide how to do the acquisition.
     - Secure collection of computer data (acquisition) – sometimes we visit the crime scene to make the acquisition.
     - Examination of the acquired data – generally conducted back at the laboratory using proper hardware/software.
     - Presentation of the report showing the evidence found and how it affects the investigation in a court of law.

20. Computer Forensics – Types of forensic investigations

21. Computer Forensics – Types of forensic investigations
   - Can anyone guess what the most common type of crime investigated in Digital Forensics is? No? I will give you a hint!

22. Computer Forensics – Types of forensic investigations
   - Multiple types of crimes are investigated:
     - Child pornography (highest number of cases, ± 90%)
     - Fraud
     - Data theft
     - Hacking
     - Other crimes
       - Murder
       - Blackmail
       - Theft planning
       - Harassment
       - Cheating

23. Computer Forensics – Back to the process
   - When doing a forensic investigation there are multiple factors that we need to take into account, such as:
     - Is the computer we are acquiring data from a server or a workstation?
     - What operating system is it running?
     - Did we correctly block any write operation to the storage device?
     - Was there any sort of malware installed on this machine?
     - What file system is the system using?
     - Are we dealing with a computer? A PS3? A Nintendo Wii? A watch with an embedded USB flash drive? A mobile phone? (We might have to analyse any device that has some sort of storage and/or a TCP/IP stack.)
     - Are there any encrypted partitions?
     - Is there any hidden information in different disk sectors?
     - If we find some pictures, do they have steganography techniques applied to them, hiding some information?
     - Is this a case where we have to contradict a trojan defence?

24. Computer Forensics – Devices
   - As mentioned in the previous slide, we might need to investigate MULTIPLE types of devices, but which devices exactly?

25. Computer Forensics – Tools
   - Computer Forensics uses tools that can be both software and hardware based!
   - Software:
     - EnCase
     - FTK
     - Autopsy
     - dd
     - Hex editors

26. Computer Forensics – Tools
   - Hardware:
     - Write blockers
       - USB blockers
       - IDE blockers
       - SATA blockers
       - SD card blockers
     - FRED workstations
     - Evidence bags
     - Painter's bucket (mobile forensics!)

27. Computer Forensics – Tools
   - Hardware: FRED workstations (image slide)

28. Computer Forensics – Tools
   - Hardware: write blockers (image slide)

29. Computer Forensics – Tools – Hardware
   - Hardware: write blockers (image slide)

30. Computer Forensics – Tools – Software
   - EnCase – prime forensic software, runs on Microsoft Windows

31. Computer Forensics – Tools – Software
   - FTK – another great forensic software package, also runs on Microsoft Windows

32. Tools – Software
   - Sleuthkit / Autopsy – free, runs on Windows, OS X and Linux

33. Tools – Software
   - BackTrack 4 – with version 4 of this distro, forensic capabilities were included
   - Helix – commercial Linux distro focused on computer forensics
   - DEFT – SANS Linux distro used for computer forensics (very GOOD, with a huge range of tools)
   - Penguin Sleuth – not commonly used, Linux based with a good range of forensic tools
   - Farmer's Boot CD – again, not commonly used

34. Tools
   - As one might notice, these forensic tools are quite expensive!
   - I found a secret way of having access to all these tools!
   - Academia is a good way to have access to all the different tools and to get into industry.

35–41. University Forensic Lab – Photos (seven image slides, no text)

42. Computer Forensics
   - You need to have knowledge in many areas:
     - Operating systems – Linux, Windows, OS X etc.
     - Programming languages – scripts can help you automate some tasks
     - Number bases and characters – ASCII, hexadecimal, octal, binary
     - Networking – network forensics requires deep knowledge of networking and packet analysis
     - Hardware knowledge – different storage media have different interfaces, which require different write blockers
     - A HUGE "out-of-the-box" mindset!
     - Imagine you have a Word document (.doc) to analyse. How would you do it?

43. Computer Forensics – Hex Editors
   - Hex editor! Why?
     - Word documents, when opened using Microsoft Word, can contain macros that delete or modify data, and even Microsoft Word itself modifies some parts of the file, such as metadata about when the file was last opened or modified, etc.

44. File Formats
   - How do operating systems know which format a file is?
   - File extensions?
     - .txt
     - .docx
     - .jpg
   - Magic numbers?

45. Magic numbers in files
   - Magic numbers implement strongly typed data and are a form of in-band signalling to the controlling program, which reads the data type(s) at run time.

46. Types of Evidence
   - Address books
   - Audio/video files
   - Backup files
   - Calendars
   - Compressed files
   - Configuration files
   - Cookies
   - Database files
   - Documents
   - Email files
   - Encrypted files
   - Hidden files
   - History files
   - Image/graphics files
   - Internet bookmarks/favourites
   - Log files
   - Metadata
   - Misnamed files
   - Password-protected files
   - Printer spool files
   - Steganography
   - Swap files
   - System files
   - Temporary files

47. Types of Evidence
   - Running processes
   - Executed console commands
   - Passwords in clear text
   - Unencrypted data
   - Instant messages (IMs)
   - Internet Protocol (IP) addresses
   - Trojan horse(s)
   - Who is logged into the system
   - Open ports and listening applications
   - Registry information
   - System information
   - Attached devices

48. Types of Evidence + Size
   - Storage these days is cheap.
   - We have to look for multiple types of data.
   - Huge storage + multiple types of data = sad forensic examiner

49. NTFS ADS
   - NTFS Alternate Data Streams
   - Data streams
     - Ways data can be appended to existing files
     - Can obscure valuable evidentiary data, intentionally or by coincidence
   - In NTFS, a data stream becomes an additional file attribute
     - Allows the file to be associated with different applications
   - You can only tell whether a file has a data stream attached by examining that file's MFT entry

50. NTFS Alternate Data Streams
   - NTFS file system (visible): Textfile.txt
   - ADS (invisible), attached to the same file:
     - Textfile.txt:tracking.dat  (tracking.dat)
     - Textfile.txt:malware.exe   (malware.exe)
     - Textfile.txt:porn.mpg      (porn.mpg)

51. Hiding Data in Files
   - The JPEG file format does not specify the size of the file.
   - A reader looks for the start-of-file and end-of-file markers and reads what is between them, ignoring any additional data.
   - Additional files can be added to the JPG using the Windows copy command in binary mode from the command line:
   - copy /b secret.jpg + meeting.txt.rar lizard.jpg
   - The extra information can be read by opening lizard.jpg with WinRAR.
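The two ideas from slides 44/45 (magic numbers) and 51 (data appended after a JPEG's end marker) can be turned into one detection routine. The following Python is an added example, not code from the deck: the signature table, the `ALIASES` map and the sample JPEG skeleton are all constructed for illustration. It identifies a file by its leading bytes, flags files whose extension contradicts the signature, and walks the JPEG marker structure to measure how many bytes sit after the end-of-image marker.

```python
"""Added example (not from the deck): identify a file by its magic number,
flag extension/signature mismatches and detect bytes appended after a
JPEG's end-of-image marker. Signature table and sample files are constructed."""
import os
from typing import Optional

# Constructed table of well-known leading signatures (magic numbers).
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",      # .docx/.xlsx/.pptx are ZIP containers
    "rar": b"Rar!\x1a\x07",
}
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None when no signature matches."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims a type that the magic number contradicts
    (a misnamed file, e.g. an archive renamed to .jpg). Unrecognised content is
    not reported, so an unknown signature never produces a false alarm."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    actual = identify(data)
    return actual is not None and ALIASES.get(ext, ext) != actual


def jpeg_trailing_bytes(data: bytes) -> int:
    """Number of bytes following the JPEG end-of-image marker (FF D9).

    The marker structure is walked instead of searching for the first FF D9,
    because an embedded EXIF thumbnail carries its own EOI and would stop a
    naive search early. Returns 0 for a clean file."""
    if not data.startswith(SIGNATURES["jpg"]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: everything after it is extra
            return len(data) - (pos + 2)
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # stand-alone markers carry no length
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip the entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                       # a real marker, not stuffing or RST
                pos += 1
    raise ValueError("no EOI marker found")


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG skeleton (SOI, APP0, SOS, scan data, EOI).
    It is not a decodable picture; only the marker structure matters here."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x00" * 6
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"   # has FF00 stuffing and an RST marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_sample_jpeg()
    smuggled = clean + b"Rar!\x1a\x07\x00meeting.txt"   # what copy /b produces
    print(identify(smuggled), extension_mismatch("lizard.jpg", smuggled))
    print(jpeg_trailing_bytes(clean), jpeg_trailing_bytes(smuggled))
```

Note what each check catches: `extension_mismatch` reports an archive renamed to `.jpg`, but the `copy /b` file from slide 51 still starts with a valid JPEG signature and passes it; only `jpeg_trailing_bytes` reveals the appended archive, which is why a signature check alone is not enough when looking for hidden data.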
52. Metadata
   - If we are working on a case where we find a camera, metadata is an extremely useful piece of evidence!
   - Metadata is pretty much data about data, but what sort of data is stored in a camera image?
     - Geolocation
     - Camera model
     - Time
     - Date
   - Not only can this data be used to prove that a certain camera took a certain photo, but sometimes we can also put a person at the location.
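Camera metadata lives in the EXIF block, a TIFF-structured set of tag directories inside the JPEG's APP1 segment. The following Python reader is an added example and not part of the deck: it decodes the byte-order mark, IFD0 (Make, Model, DateTime) and the GPS sub-IFD (latitude as degrees/minutes/seconds rationals), which is exactly the camera model, time, date and geolocation the slide lists. The tag table is limited to what the example needs, and `build_sample_exif()` constructs a synthetic EXIF block so the code runs without a real photo.

```python
"""Added example (not from the deck): minimal EXIF reader for the camera
model, date/time and GPS latitude. Only the ASCII, LONG and RATIONAL tag
types needed here are decoded; the sample EXIF block is constructed."""
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude"}
ASCII, LONG, RATIONAL = 2, 4, 5


def _read_ifd(tiff: bytes, offset: int, endian: str, names: dict) -> dict:
    """Decode one image file directory at `offset` (relative to the TIFF header)."""
    out = {}
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        value_field = entry + 8          # holds the value if it fits in 4 bytes, else an offset
        if typ == ASCII:
            src = value_field if n <= 4 else struct.unpack_from(endian + "I", tiff, value_field)[0]
            val = tiff[src:src + n].split(b"\x00", 1)[0].decode("ascii")
        elif typ == LONG:
            val = struct.unpack_from(endian + "I", tiff, value_field)[0]
        elif typ == RATIONAL:
            src = struct.unpack_from(endian + "I", tiff, value_field)[0]
            nums = struct.unpack_from(endian + "II" * n, tiff, src)
            val = [nums[j] / nums[j + 1] for j in range(0, 2 * n, 2)]
        else:
            continue                     # other tag types are ignored in this illustration
        out[names.get(tag, hex(tag))] = val
    return out


def parse_exif(app1_payload: bytes) -> dict:
    """app1_payload is the body of the JPEG APP1 segment, starting with b'Exif\\0\\0'."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        raise ValueError("not an Exif APP1 payload")
    tiff = app1_payload[6:]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # little- or big-endian TIFF
    magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    meta = _read_ifd(tiff, ifd0, endian, TAGS)
    if "GPSInfo" in meta:                            # pointer to the GPS sub-IFD
        gps = _read_ifd(tiff, meta.pop("GPSInfo"), endian, GPS_TAGS)
        d, m, s = gps["GPSLatitude"]
        lat = d + m / 60 + s / 3600
        meta["Latitude"] = -lat if gps["GPSLatitudeRef"] == "S" else lat
    return meta


def build_sample_exif() -> bytes:
    """Constructed little-endian EXIF block with Make, Model, DateTime and
    a GPS latitude of 38 deg 43' N (offsets are computed, not hand-typed)."""
    make, model, when = b"ExampleCam\x00", b"Model-9\x00", b"2010:11:12 14:30:00\x00"
    ifd0_off = 8
    data_off = ifd0_off + 2 + 4 * 12 + 4   # IFD0: count + 4 entries + next-IFD pointer
    make_off = data_off
    model_off = make_off + len(make)
    when_off = model_off + len(model)
    gps_off = when_off + len(when)
    lat_off = gps_off + 2 + 2 * 12 + 4     # GPS IFD: count + 2 entries + next pointer

    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<H", 4)
    ifd0 += struct.pack("<HHII", 0x010F, ASCII, len(make), make_off)
    ifd0 += struct.pack("<HHII", 0x0110, ASCII, len(model), model_off)
    ifd0 += struct.pack("<HHII", 0x0132, ASCII, len(when), when_off)
    ifd0 += struct.pack("<HHII", 0x8825, LONG, 1, gps_off)
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 2)
    gps += struct.pack("<HHI4s", 0x0001, ASCII, 2, b"N\x00\x00\x00")   # inline value
    gps += struct.pack("<HHII", 0x0002, RATIONAL, 3, lat_off)
    gps += struct.pack("<I", 0)
    rationals = struct.pack("<6I", 38, 1, 43, 1, 0, 1)                  # 38 deg 43' 0"
    return b"Exif\x00\x00" + header + ifd0 + make + model + when + gps + rationals


if __name__ == "__main__":
    print(parse_exif(build_sample_exif()))
```

On a real file the APP1 payload is obtained by walking the JPEG segments up to the `FF E1` marker; the reader above is deliberately tolerant of unknown tags because cameras add many vendor-specific entries. The time and date here are whatever the camera's clock said, so they only place a person at a location when the clock itself has been validated.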
53. Web Forensics and Network Forensics
   - Web forensics is nothing more than a normal forensic investigation, but on server logs, covering both network and disk activity, etc.
   - Typically, web servers are the main targets of these investigations.

54. Web Forensics and Network Forensics
   - Security event logs
   - Connection logs
   - Disk event logs

55. Web Forensics and Network Forensics
   - There are some unique forensic challenges associated with preserving digital evidence on networks.
   - So, how can evidence on a network be collected and documented in a way that demonstrates its authenticity, preserves its integrity, and maintains the chain of custody?

56. Web Forensics and Network Forensics
   - In the case of log files, it is relatively straightforward to make copies of the files, calculate their message digest values (or digitally sign them), and document their characteristics (e.g. name, location, size, MAC times).
   - Networked systems can also contain crucial evidence in volatile memory, evidence that can be lost if the network cable is disconnected or the computer is turned off. For instance, active network connections can be used to determine the IP address of an attacker. So one of the things that should be done is to output the active connections to a file. (But never with a V.B. GUI application.)
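The log-file part of slide 56 (copy, message digest, documented characteristics) is small enough to script. The following Python is an added example, not the deck's own code: `preserve_log()` records name, location, size and MAC times, copies the file into an evidence directory, hashes the copy with SHA-256, confirms the copy matches the original and writes a JSON record; `verify_record()` re-hashes the copy later, so any modification of the evidence copy is detectable. The access-log line used by `run_demo()` is constructed.

```python
"""Added example (not from the deck): preserve a log file as evidence by
documenting its characteristics, copying it and recording a SHA-256 digest
that later verification re-checks. The sample log content is constructed."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _utc(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def preserve_log(src, evidence_dir) -> dict:
    """Copy `src` into `evidence_dir` and write a JSON record beside the copy."""
    src, evidence_dir = Path(src), Path(evidence_dir)
    st = src.stat()            # take MAC times first: reading the file can update atime
    dst = evidence_dir / src.name
    shutil.copy2(src, dst)     # copy2 carries the original mtime over to the copy
    digest = sha256_of(dst)
    if digest != sha256_of(src):
        raise RuntimeError("evidence copy does not match the original")
    record = {
        "name": src.name,
        "original_location": str(src.resolve()),
        "evidence_copy": str(dst.resolve()),
        "size": st.st_size,
        "mtime": _utc(st.st_mtime),
        "atime": _utc(st.st_atime),
        "ctime": _utc(st.st_ctime),   # inode change time on Unix, creation time on Windows
        "sha256": digest,
        "collected_at": _utc(time.time()),
    }
    with open(evidence_dir / (src.name + ".json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_record(record: dict) -> bool:
    """Re-hash the evidence copy and compare with the recorded size and digest."""
    copy = Path(record["evidence_copy"])
    return copy.stat().st_size == record["size"] and sha256_of(copy) == record["sha256"]


def run_demo() -> tuple:
    """Preserve a constructed log, verify it, tamper with the copy, verify again.
    Returns (verified_before_tamper, verified_after_tamper, recorded_size)."""
    work = Path(tempfile.mkdtemp())
    src = work / "access.log"
    src.write_text('203.0.113.5 - - [12/Nov/2010:14:30:02 +0000] '
                   '"GET /index.html HTTP/1.1" 200 1043\n')   # constructed sample line
    evidence = work / "evidence"
    evidence.mkdir()
    record = preserve_log(src, evidence)
    intact = verify_record(record)
    with open(record["evidence_copy"], "a") as f:   # simulate a modified copy
        f.write("tampered\n")
    tampered = verify_record(record)
    shutil.rmtree(work)
    return intact, tampered, record["size"]


if __name__ == "__main__":
    print(run_demo())
```

The digest is computed over the evidence copy and then cross-checked against the original, so the record describes exactly the bytes that will be analysed. A digest alone proves integrity, not who collected the file or when; signing the JSON record (as the slide suggests) is what ties it to the examiner.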
57. Web Forensics and Network Forensics
   - Protect the web application (which could be several servers) during the forensic examination from any possible alteration or data corruption.
   - Discover all files needed for the forensic investigation. This includes:
     - Web server(s) and application server(s) logs
     - Server-side scripts used by the web application
     - Web server(s) and application server(s) configuration files
     - Any 3rd-party installed software logs and vital files
     - Operating system logs and vital system files
     - Remember that the files may be spread over several computer systems, which together comprise the web application.
   - Analyze the collected data; try to create an exact chain of events. (Techniques will be explained later.)
   - Summarize the findings, and make a log of all files and data extracted from the web application.
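The "exact chain of events" step of slide 57 is where the several-systems caveat bites: each server writes timestamps in its own format and often its own time zone. The following Python is an added example, not from the deck: it parses three constructed log formats (Apache combined access log, syslog, and a plain application log), normalises every timestamp to UTC, and merges them into one ordered timeline. The sample lines, hostnames and addresses are invented for the demonstration.

```python
"""Added example (not from the deck): merge log lines from several systems
of one web application into a single UTC-ordered chain of events.
All sample lines are constructed."""
import re
from datetime import datetime, timezone, timedelta
from typing import List, Tuple

Event = Tuple[datetime, str, str]   # (UTC time, source, message)

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
SYSLOG_RE = re.compile(r'^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$')
APP_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$')


def parse_apache(line: str) -> Event:
    """Apache combined format carries its own UTC offset, e.g. +0100."""
    m = APACHE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable access log line: {line!r}")
    ip, ts, request, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return when, "apache", f'{ip} "{request}" {status}'


def parse_syslog(line: str, year: int, tz=timezone.utc) -> Event:
    """Classic syslog lines have neither year nor zone; both must be supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    ts, host, msg = m.groups()
    local = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc), "syslog", f"{host} {msg}"


def parse_app(line: str, tz=timezone.utc) -> Event:
    """Application log with an ISO-like local timestamp and no zone."""
    m = APP_RE.match(line)
    if not m:
        raise ValueError(f"unparsable application log line: {line!r}")
    ts, msg = m.groups()
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc), "app", msg


def build_timeline(apache: List[str], syslog: List[str], app: List[str],
                   year: int, syslog_tz=timezone.utc, app_tz=timezone.utc) -> List[Event]:
    """Parse every source, then sort on the normalised UTC time."""
    events = [parse_apache(l) for l in apache]
    events += [parse_syslog(l, year, syslog_tz) for l in syslog]
    events += [parse_app(l, app_tz) for l in app]
    return sorted(events, key=lambda e: e[0])


# Constructed sample: the web server logs in local time (+0100), the
# database host's syslog and the application log are in UTC.
APACHE = [
    '203.0.113.5 - - [12/Nov/2010:15:30:07 +0100] "POST /login.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Nov/2010:15:30:02 +0100] "POST /login.php HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
]
SYSLOG = ["Nov 12 14:30:05 db01 mysqld[881]: Access denied for user 'app'@'10.0.0.7'"]
APP = ["2010-11-12 14:30:03 WARN login failed for user admin from 203.0.113.5"]


def sample_timeline() -> List[Event]:
    return build_timeline(APACHE, SYSLOG, APP, year=2010)


if __name__ == "__main__":
    for when, source, message in sample_timeline():
        print(when.strftime("%Y-%m-%d %H:%M:%SZ"), f"{source:7}", message)
```

Without the zone normalisation the web server's 15:30 entries would sort after the database and application events and the sequence (failed login, application warning, database denial, successful login) would read backwards. The syslog year and zone are arguments rather than guesses because the deck's point is accuracy: if a host's clock or zone is unknown, that must be established from the system itself and recorded, not assumed.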
58. WHY? OH WHY?
   - After all this, the pain of:
     - Knowing all the different skills and tools needed for computer forensics
     - Dealing with all the hiding and encryption methodologies
     - Dealing with all the laws and government issues
     - High prices on the tools needed for us to do our job
   - And at the end of the day you might still have to analyze some horrid pictures, such as in pedophilia and murder cases.
   - WHY WOULD SOMEONE WANT TO GO INTO COMPUTER FORENSICS?

59. OH! This is why!
   - A – You feel pretty good about yourself when you manage to send a murderer, a pedophile or any other type of criminal to be prosecuted!
   - B – The reason why we all go to work every day! £ $ €! That's 4166£ per month, which is equivalent to 4991€!

60. Computer Forensics – Conclusion
   - Computer Forensics is a relatively new area in Computing/Forensic Sciences which is currently expanding, with new research and novel methods showing up daily.
   - Computer Forensics is one of the highest-paid IT subjects.
   - Many countries have yet to create forensic laboratories and accept this evidence in their courts of law.
   - A university degree in this area is a good way to get into the industry.

61. Workshop
   - Files will be shared by me on USB sticks (boohoo), and I'll have my laptop on the network sharing them as well.
   - It's a step-by-step workshop (meaning you need to solve step 1 to get to step 2).
   - You will know when you've finished it.
   - Pre-reqs:
     - Know basic Linux
     - Know what computer forensics is about (i.e. having seen this talk)
     - Lots of patience; it is NOT easy!

62. Kudos
   - Codebits 2010 organization
   - Artur Martins for telling me about Codebits.
   - University of Bedfordshire for letting me take a few days off to come to Codebits.
   - Bruno Morisson for being an amazing team mate at the Security Competition and at the qualifiers.
   - Nuno Loureiro for his revenge on the security quiz after facing my Forensics workshop a few months ago :D
   - You guys for coping until the end!

63. Questions?