Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011


This was a CLE course on digital evidence given to the Illinois State Bar Association for a seminar on Nov. 18, 2011 in Chicago.


Slide 1: Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Slide 2: Agenda
  - Types of “actionable” computer crime
  - Incident response vs. computer forensics
  - Laws related to computer crime or forensics
  - Obstacles to computer crime prosecution
  - 2 key elements of digital evidence
  - Data acquisition
  - Forensics: Network, Memory, Hard Drive, Logs
  - Courtroom Usage
Slide 3: Types of “actionable” computer crime
  - Identity Theft
  - Electronic Fraud (ACH or Credit Card)
  - Trade Secret / IP Theft
  - Spamming
  - Website Defacement / Denial of Service
  - Unauthorized Access / Misuse of Access
  - Cyberbullying / Unauthorized Sexting / Etc.
  - Child Pornography
  - National Security Issues
Slide 4: Incident Response vs. Forensics
  - Incident response = “Something bad happened, fix it”
  - Forensics = Acquisition of evidence for potential litigation
    - Can include e-Discovery
  - Organizations should have prepared in advance for this decision
    - Some incidents are not worth pursuing in criminal or civil court
    - Forensics is much more time-consuming and expensive
  - In both cases: how someone “got in”, and what they did once there
    - May not be concerned with attribution
Slide 5: When to do forensics?
  - When it’s a criminal matter…
  - When a civil case will likely be prosecuted…
  - When insurance requires it…
  - As litigation prevention…
  - When there is a large $ loss involved…
Slide 6: Laws related to computer crime and/or forensics
  - Wire fraud (18 USC § 1343)
  - Computer Fraud and Abuse Act (18 USC § 1030)
  - Electronic Communications Privacy Act (18 USC § 2510)
  - Stored Communications Act (18 USC § 2701)
  - Digital Millennium Copyright Act (17 USC § 512 et al) **
Slide 7: Obstacles to Computer Crime Prosecution
  - Ownership of Hardware
    - Big issue with Cloud Computing
  - Ownership of Data
  - Physical Access to Data
  - Expectation of Privacy
    - Not supposed to monitor users if they reasonably believe their actions are private
  - Chain of Custody / Evidence Preservation
    - Hard to have a case if chain of custody is broken or evidence has been corrupted
  - International Law
Slide 8: 2 Key Elements of Digital Evidence
  - Chain of Custody
    - Similar to “physical” evidence
    - If chain is broken, could end your case
  - Integrity of Evidence
    - Digital evidence is much more volatile
    - Often examining copies… are they “real”?
    - Suspect could destroy evidence if they are on to you
Slide 9: Chain of Custody
  - Physical possession of data is standard chain of custody
  - How do you prove chain of custody on electronic information?
  - Prevention of evidence contamination
    - Analyze only digital copies
    - Use “write-blockers” for physical drives
    - Difficult for “live system” analysis
    - Keep notes for all tasks performed on a “live system”
Slide 10: Integrity of Evidence
  - Prevention of evidence contamination
    - Analyze only copies
    - Use “write-blockers” for physical drives
    - Difficult for “live system” analysis
    - Keep notes for all tasks performed on a “live system”
  - Use cryptographic “hashing” to prove evidence isn’t contaminated
Slide 11: Cryptographic hashing
  - Hashing uses a one-way cryptographic algorithm to generate a pseudo-random string of text that represents a unique file (or hard drive)
  - Small changes cause large changes in the hash
  - Example: “Illinois State Bar Association.” vs “Illinois State Bar Association!”
    - MD5: acaf1670a9acc228a40f02fe034aea6e vs cb0149671f638b3b7d3e0abd4e40f010
    - SHA1: ee9e70de1206ff87cc2d87d7d660c5cc0ac299cf vs 66d00acfc4ee228443317f1cf19cfb3d69b3ef13
  - Hash Collisions
    - Use multiple algorithms to avoid doubt
Slide 12: Data Acquisition
  - In all cases, physical access is required by someone
  - In the “old days” we’d rip the power out of the computer and take the system
  - Evidence collection now goes from most “volatile” to least “volatile”:
    - Network traffic
    - Memory
    - Hard drives
    - System logs (assuming configured right)
  - May capture volatile data multiple times
Slide 13: Network Forensics
  - In essence, the same as wiretapping a phone call, except with data
  - Most network switches allow for capturing live traffic from a machine
  - What are you looking for:
    - Who is talking to this machine
    - Who is this machine talking to
    - When is it happening
    - What is being communicated
    - Encryption?
Slide 14: Network Forensics example
Slide 15: Memory Forensics
  - Must be done on a “live” machine; memory disappears without power
    - Hibernation / Sleep mode in laptops
  - Contains:
    - All running programs (even those deleted from the disk)
    - Any encryption keys in use (makes for easy decrypting)
    - In some cases, passwords
  - Memory is constantly changing
    - Evidence “changes” over time; may have to work with multiple memory files
Slide 16: Hard Drive Forensics
  - Can be done on a “live system” or a system that is off
    - On a “live system” data is constantly changing, which can be problematic
  - Involves a bit-copy of a drive into a “virtual drive” file for examination
    - Hashes taken before and after to ensure no data is contaminated
    - Drive left in a safe; all analysis done on the “virtual drive” copies
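The two hashing points on slides 11 and 16 (small input changes produce unrelated digests; hash the source before imaging and the image afterwards, under more than one algorithm) can be shown in a few lines of Python. This is an added example, not material from the deck; the sample "drive" is a constructed 4 KiB byte string, and the bit-difference helper is a demonstration of the avalanche property rather than a standard forensic tool.

```python
import hashlib
from typing import Dict, Tuple

# MD5 and SHA-1 are the algorithms the deck names; SHA-256 is added because
# "use multiple algorithms to avoid doubt" is the slide's own advice.
ALGORITHMS: Tuple[str, ...] = ("md5", "sha1", "sha256")


def digests(data: bytes, algorithms: Tuple[str, ...] = ALGORITHMS) -> Dict[str, str]:
    """Hex digest of `data` under each named algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests.

    Demonstrates the slide's "small changes cause large changes" claim:
    a good hash flips roughly half of its output bits for any change.
    """
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_copy(original: bytes, copy: bytes,
                algorithms: Tuple[str, ...] = ALGORITHMS) -> bool:
    """Slide 16's before/after check: the image is trusted only when every
    algorithm's digest of the copy equals the digest taken of the source."""
    before = digests(original, algorithms)
    after = digests(copy, algorithms)
    return all(before[name] == after[name] for name in algorithms)


# --- constructed demonstration data (not from the deck) ---
TEXT_A = b"Illinois State Bar Association."
TEXT_B = b"Illinois State Bar Association!"
DRIVE = bytes(range(256)) * 16          # a fake 4 KiB "drive"
GOOD_IMAGE = bytes(DRIVE)               # bit-for-bit copy
TAMPERED_IMAGE = bytearray(DRIVE)
TAMPERED_IMAGE[100] ^= 0x01             # a single flipped bit in the copy

if __name__ == "__main__":
    for name in ALGORITHMS:
        a, b = digests(TEXT_A)[name], digests(TEXT_B)[name]
        print(f"{name}: {a}\n{' ' * len(name)}  {b}  ({bit_difference(a, b)} bits differ)")
    print("good image verifies:", verify_copy(DRIVE, GOOD_IMAGE))
    print("tampered image verifies:", verify_copy(DRIVE, bytes(TAMPERED_IMAGE)))
```

Running the block prints the MD5, SHA-1 and SHA-256 digests of the slide's two strings and shows that a one-bit change in the "image" fails verification under every algorithm; a real acquisition would feed the imaging tool's output file to `verify_copy` in place of the byte strings.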
Slide 17: Hard Drive Forensics
  - Hard drives are collections of ones and zeroes, even when mostly empty
  - File tables connect files to the actual “addresses” on the drive where the data that comprises each file is stored, along with attributes of the file (like MAC times)
  - When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files
  - Government standards require multiple “wipes” of a drive to confirm deletion
  - Data may also hide in “slack space”
Slide 18: Hard Drive Forensics
  - So you have a drive image, now what?
  - Index the drive for evidence:
    - Search for all deleted files
    - Search for all files added, deleted or modified at a certain time
    - Search files for specific strings
    - Search for files of a specific type
    - Examine key system files (configuration files, startup scripts, system registry)
  - Depends heavily on the nature of the incident
  - Iterative process that is more art than science
Slide 19: Hard Drive Forensics
  - MAC times stand for “modified”, “accessed”, “created”, and may also include a deletion time
  - All files have MAC times associated with them (even deleted ones)
  - These times can help provide a search pattern for files “important” to an incident (i.e. if something happened at 3pm on Jan 11th, you’d look for any file with a MAC time near that same time)
Slide 20: Windows Registry
  - Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command):
    - Most recently used programs
    - Most recently entered commands
    - Most recently viewed documents
    - Typed URLs in IE
    - Unique hardware addresses for USB keys accessed on the system
  - This can be used to create a “timeline” of activity on the machine
Slide 21: Log Forensics
  - Over 90% of all computer crime incidents were recorded in system logs
  - Servers associated with a subject computer may have valuable information:
    - E-mail logs can show all mail sent from a target computer
    - DHCP / DNS logs may show when the machine was on and who it was communicating with
    - If configured, can show who accessed a machine even if the machine has had its own logs wiped
    - Web server logs can show attacks in progress and how servers were exploited
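Slide 21's point that server logs survive even when the subject machine's own logs are gone is easiest to see by correlating two of them: DHCP lease events say which physical machine held an address and when, and the web server's access log says what that address requested. The Python below is an added example, not from the deck. Both logs are constructed samples in the ISC dhcpd and Apache combined formats (hostnames, MACs and 10.0.5.x addresses are placeholders), the syslog year is assumed to be 2011 because syslog lines carry none, and the "suspicious" flag is a deliberately crude indicator (a directory-traversal sequence in the request path) standing in for whatever signature set the examiner actually uses.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed DHCP server log (ISC dhcpd syslog style; not from the deck).
DHCP_LOG = """\
Jan 11 14:40:02 dhcp01 dhcpd: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (LAPTOP-JDOE) via eth0
Jan 11 14:41:17 dhcp01 dhcpd: DHCPACK on 10.0.5.40 to 00:1a:2b:aa:bb:cc (PRINTER-3F) via eth0
Jan 11 15:30:44 dhcp01 dhcpd: DHCPRELEASE of 10.0.5.23 from 00:1a:2b:3c:4d:5e (LAPTOP-JDOE) via eth0
Jan 11 15:35:10 dhcp01 dhcpd: DHCPACK on 10.0.5.23 to 00:1a:2b:77:88:99 (VISITOR-PC) via eth0
"""

# Constructed Apache combined-format access log (not from the deck).
WEB_LOG = """\
10.0.5.23 - - [11/Jan/2011:14:58:31 -0600] "GET /intranet/payroll.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.23 - - [11/Jan/2011:15:02:07 -0600] "GET /intranet/payroll.php?id=../../etc/passwd HTTP/1.1" 403 221 "-" "Mozilla/5.0"
10.0.5.23 - - [11/Jan/2011:15:40:12 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.19"
"""

DHCP_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) (?:to|from) "
    r"(?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)"
)
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_leases(dhcp_log: str, year: int) -> List[Dict]:
    """Turn ACK/RELEASE events into lease intervals: who held which IP, from when to when.
    A lease with end=None was still active at the end of the log."""
    leases: List[Dict] = []
    open_by_ip: Dict[str, Dict] = {}
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        ip, is_ack = m["ip"], m["kind"].startswith("DHCPACK")
        if is_ack and ip in open_by_ip and open_by_ip[ip]["mac"] == m["mac"]:
            continue  # renewal by the same client keeps the current lease open
        if ip in open_by_ip:
            open_by_ip.pop(ip)["end"] = ts  # release, or the address moved to another client
        if is_ack:
            lease = {"ip": ip, "mac": m["mac"], "host": m["host"], "start": ts, "end": None}
            leases.append(lease)
            open_by_ip[ip] = lease
    return leases


def lease_for(leases: List[Dict], ip: str, ts: datetime) -> Optional[Dict]:
    """The lease that held `ip` at time `ts`, if any."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= ts and (lease["end"] is None or ts < lease["end"]):
            return lease
    return None


def is_suspicious(path: str) -> bool:
    """Crude indicator for the 'attacks in progress' point: traversal in the path."""
    lowered = path.lower()
    return "../" in lowered or "%2e%2e" in lowered


def attribute_requests(dhcp_log: str, web_log: str, year: int = 2011) -> List[Dict]:
    """For every web request, name the machine (from DHCP) behind the client IP."""
    leases = parse_leases(dhcp_log, year)
    rows = []
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        # Both logs are in the same local zone, so compare as naive timestamps.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        lease = lease_for(leases, m["ip"], ts)
        rows.append({
            "time": ts, "ip": m["ip"],
            "host": lease["host"] if lease else None,
            "mac": lease["mac"] if lease else None,
            "request": f"{m['method']} {m['path']}",
            "status": int(m["status"]),
            "suspicious": is_suspicious(m["path"]),
        })
    return rows


if __name__ == "__main__":
    for row in attribute_requests(DHCP_LOG, WEB_LOG):
        flag = "!" if row["suspicious"] else " "
        print(f"{flag} {row['time']} {row['ip']} -> {row['host']} ({row['mac']}) {row['request']} {row['status']}")
```

The sample shows why the correlation matters: the same address, 10.0.5.23, belongs to LAPTOP-JDOE for the first two requests and to a different machine for the third, so attributing the 15:40 request to the laptop on the strength of the IP alone would be wrong.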
Slide 22: Log Forensics
  - E-mails all come with headers that give a wealth of information to identify the sender
  - Can show:
    - IP address of the sender
    - All mail servers used
    - Potentially the true username of the sender
    - When the message was really sent
    - A unique message ID which can be used to track messages in mail server logs
Slide 23: E-mail Headers Example (addresses and hostnames are blank in the extracted slide)
  Envelope-to:
  Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
  Received: from ([]) by with esmtp (Exim 4.69) (envelope-from <>) id 1Qoetc-0001aE-01 for; Wed, 03 Aug 2011 12:06:16 -0500
  X-IronPort-Anti-Spam-Filtered: true
  X-IronPort-Anti-Spam-Result: Av8EAB1/OU4yLK7Y/2dsb2JhbAA/Aw6CP5cljW6COAEFCCACAz4ODQMCDQoBNwIXPgEBBAEdyQ2DPoMEBIdam05V
  X-IronPort-AV: E=Sophos;i="4.67,311,1309737600"; d="xml'?rels'?docx'72,48?scan'72,48,208,217,72,48";a="146462351"
  Received: from ([]) by with ESMTP; 03 Aug 2011 17:06:14 +0000
  X-Previous-IP:
  Received: from BernardiHome (unknown[]) by (Postfix) with ESMTPA id B4A0930C095; Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
  From: "don bernardi" <>
  To: "'Stephanie Beine'" <>, "'Rich Kaplan'" <>, <>, <>, < >
  Cc: "'Jeremy Karlin'" <>, "'Stephen M Komie'" <stephen_m_komie@komie-and->, "'John J. Rekowski'" <>, <>, "'Tiffany Bordenkircher'" <>, <>
  References: <>
  In-Reply-To: <>
  Subject: nov 18,2011 ISBA seminar
  Date: Wed, 3 Aug 2011 12:06:07 -0500
  Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="----=_NextPart_000_005D_01CC51D5.BB658BE0"
  X-Mailer: Microsoft Office Outlook 12.0
  Thread-Index: AcwOY1oNT74/g+iGTFi9Z6maxNsonhDmfBEw
  Content-Language: en-us
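Reading the `Received:` chain is how slides 22 and 23 get the sender's IP, the list of mail servers, the real sending time and the message ID out of a header block. The Python below is an added example, not from the deck, and does not parse the redacted header above: it uses a constructed header block with the same three-hop shape (originating PC, submission server, receiving MX), with placeholder hostnames, addresses and IPs from the RFC 2606/5737 reserved ranges and made-up queue ids. It relies only on the standard library `email` package.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed header block modelled on the slide's example; every host, address,
# IP and id is a placeholder, not real data.
RAW_HEADERS = """\
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from mx1.example.org ([192.0.2.10])
\tby inbox.example.org with esmtp (Exim 4.69)
\t(envelope-from <sender@example.com>)
\tid 1AbCdE-0001xY-00
\tfor recipient@example.org; Wed, 03 Aug 2011 12:06:16 -0500
Received: from smtp.example.com ([198.51.100.25])
\tby mx1.example.org with ESMTP; 03 Aug 2011 17:06:14 +0000
Received: from SENDER-PC (unknown [203.0.113.77])
\tby smtp.example.com (Postfix) with ESMTPA id ABC123DEF45;
\tWed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "Sender Name" <sender@example.com>
To: <recipient@example.org>
Subject: (constructed) meeting agenda
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <constructed-0001@example.com>
X-Mailer: Microsoft Office Outlook 12.0

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Dict:
    """Pull the 'from' host, its bracketed IP, the 'by' server and the
    timestamp (the text after the last ';') out of one Received header."""
    text = " ".join(value.split())  # unfold continuation lines
    frm = re.search(r"\bfrom (\S+)", text)
    by = re.search(r"\bby (\S+)", text)
    ip = IP_RE.search(text)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from": frm.group(1) if frm else None,
        "by": by.group(1) if by else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace(raw: str) -> Dict:
    """Summarise the delivery path. Received headers are prepended by each
    server, so the last one in the block is the first hop; reverse them."""
    msg = message_from_string(raw)
    hops: List[Dict] = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "message_id": msg["Message-ID"],
        "origin_host": hops[0]["from"],
        "origin_ip": hops[0]["ip"],          # slide 22: "IP address of sender"
        "servers": [h["by"] for h in hops],  # slide 22: "all mail servers used"
        "hops": hops,
        "date_header": sent,                 # what the sender's client claimed
        "first_received": hops[0]["time"],   # when the first server saw it
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds(),
        "clock_offset_seconds": (hops[0]["time"] - sent).total_seconds(),
    }


if __name__ == "__main__":
    summary = trace(RAW_HEADERS)
    print("Message-ID:", summary["message_id"])
    print("origin:", summary["origin_host"], summary["origin_ip"])
    for hop in summary["hops"]:
        print(f"  {hop['time'].isoformat()}  {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("transit:", summary["transit_seconds"], "s; Date header vs first Received:",
          summary["clock_offset_seconds"], "s")
```

The first hop's IP (here 203.0.113.77) and the `Message-ID` are the two values to carry into the mail server logs; the gap between the `Date:` header and the first `Received:` stamp is how you judge whether the sender's own clock can be trusted, since only the `Received:` lines were written by servers outside the sender's control.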
Slide 24: File Metadata
  - Many file types include metadata indicating the creating user, when modified, etc.
  - Metadata can be examined even on machines you don’t control
  - Cell phones can be notorious for including metadata with image files
    - This may even include GPS coordinates of where a picture was taken
  - Office documents (especially with track changes) can show every person who touched a file
    - In some cases, can include content that has been “redacted” when viewed normally
Slide 25: File Metadata example
Slide 26: Other data sources
  - Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files and location data
  - Tablets and iPads
  - Online social network content (in particular, media)
  - Blog comments, forum posts
  - Webmail accounts
  - Google
Slide 27: Courtroom Usage
  - How to make the technically complex very simple
  - Preserve chain of custody and evidence of integrity!
  - Forensic report
    - Usually very long, includes boilerplate examples
    - Executive summary to make it accessible
  - Either dissuade cross-examination or poke holes in the other side
Slide 28: Questions? John Bambenek, 312 – 725 – HACK (4225)