Digital forensics


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Digital forensics

  1. 1. Information Systems 365/765 Lecture 8 Digital Forensics
  2. 2. Digital Forensics• Also known as Computer Forensics• A system in your enterprise has been compromised• You want to track down suspicious activity• Where do you begin?
  3. 3. Digital Forensics• Defined: Pertains to legal evidence found in computers and digital storage mediums.• Goal: To explain the current state of a “digital artifact.”• A digital artifact is a computer system, storage media (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.
  4. 4. Digital Forensics• Can be as simple as retrieving a single piece of data• Can be as complex as piecing together a trail of many digital artifacts
  5. 5. Why Use Digital Forensics?• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
  6. 6. Why Use Digital Forensics?• To recover data in the event of a hardware or software failure.• To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
  7. 7. Why Use Digital Forensics?• To gather evidence against an employee that an organization wishes to terminate.• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
  8. 8. Chain of Custody• “Chain of Custody” is a fancy way of saying “The ability to demonstrate who has had access to the digital information being used as evidence”• Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law.
  9. 9. Chain of Custody• One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator---and ultimately to the court.
  10. 10. 5 Steps in Performing Digital Forensics• Preparation (of the investigator, not the data)• Collection (the data)• Examination• Analysis• Reporting
  11. 11. Preparation• The investigator must be properly trained to perform the specific kind of investigation that is at hand.• Tools that are used to generate reports for court should be validated. There are many tools to be used in the process. One should determine the proper tool to be used based on the case.
  12. 12. Collecting Digital Evidence• Digital evidence can be collected from many obvious sources, such as:• Computers• Cell phones• Digital cameras• Hard drives• CD-ROM• USB storage flash drives
  13. 13. Can You Think of Non-Obvious Sources?• Non-obvious sources could include:• Settings of digital thermometers• Black boxes inside automobiles• RFID tags• Web pages (which must be preserved as they are subject to change).
  14. 14. !!BE CAREFUL!!• Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken.
  15. 15. Create Proof of Non-Alteration• For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigators notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
  16. 16. Important Data Handling Practices• Handle the original evidence as little as possible to avoid changing the data.• Establish and maintain the chain of custody.• Documenting everything that has been done.• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
  17. 17. The Personal Interview• Some of the most valuable information obtained in the course of a forensic examination will come from the computer user:• System configuration• Applications• Encryption keys
  18. 18. Who Performs the Analysis• Special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data.• One should not examine digital information unless one has the legal authority to do so.
  19. 19. Live vs. Dead Analysis• Traditionally computer forensic investigations were performed on data at rest--- for example, the content of hard drives. This can be thought of as a dead analysis.
  20. 20. Live vs. Dead Analysis• Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
  21. 21. Live vs. Dead Analysis• In recent years there has increasingly been an emphasis on performing analysis on live systems• Why? -- Some attacks leave no trace on the hard drive• Why? -- Cryptographic storage, with keys only stored in memory!
  22. 22. Live Analysis -- Imaging Electronic Media• The process of creating an exact duplicate of the original evidenciary media is often called Imaging• Standalone hard-drive duplicator or software imaging tools ensure the entire hard drive is completely duplicated.
  23. 23. Live Analysis -- Imaging Electronic Media• During imaging, a write protection device or application is normally used to ensure that no information is introduced onto the evidentiary media during the forensic process.
  24. 24. Collecting Volatile Data• If the machine is still active, any intelligence which can be gained by examining the applications currently open is recorded.• If information stored solely in RAM is not recovered before powering down it may be lost.
  25. 25. A Great Tool Which YOU Can Impress People With• Knoppix• An OS which runs directly from a CD• Will not alter data on hard disk• Great for grabbing copies of files from a hard disk!• Can be loaded from a USB flash drive
  26. 26. Knoppix• Can also scan RAM and Registry information to show recently accessed web-based email sites and the login/password combination used. Additionally these tools can also yield login/password for recently access local email applications including MS Outlook.
  27. 27. Knoppix
  28. 28. Encase
  29. 29. Freezing Memory• RAM can be analyzed for prior content after power loss• Freezing the memory to -60 degrees Celsius helps maintain the memory’s charge (state)• How practical is this?
  30. 30. Analysis• All digital evidence must be analyzed to determine the type of information that is stored upon it• FTK• Encase• Sleuth Kit
  31. 31. Analysis of Data• Comprised of:• Manual review of material on the media• Reviewing the Windows registry for suspect information• Discovering and cracking passwords• Keyword searches for topics related to the crime• Extracting e-mail and images for review.
  32. 32. Reporting• Written• Oral Testimony• Both• Subject matter area specialists
  33. 33. Examples of Digital Forensics Cases• Chandra Levy• Washington D.C. Intern for Representative Gary Condit• Vanished April 30, 2001
  34. 34. Examples of Digital Forensics Cases• She had used the web and e-mail to make travel arrangements and communicate with her parents.• Information found on her computer led police to search most of Rock Creek Park, where her body was eventually found one year later by a man walking his dog.
  35. 35. Examples of Digital Forensics Cases• BTK Killer• Convicted of a string of serial killings that occurred over a period of sixteen years• Towards the end of this period, the killer sent letters to the police on a floppy dsk.
  36. 36. Examples of Digital Forensics Cases• Metadata is defined as “data about data”• Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"• This evidence helped lead to Dennis Raders arrest.