Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Computer Forensics | Patricia Watson | 2004

1,092 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Computer Forensics | Patricia Watson | 2004

  1. 1. Computer Forensics – Patricia M Watson Linux: A Powerful Computer Forensics Tool Patricia M Watson
  2. 2. Computer Forensics – Patricia M Watson What is Computer Forensics? Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis. Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003 ISBN 0-201-70719-5
  3. 3. Computer Forensics – Patricia M Watson What Skills Must Forensics Analyst Have? • A broad range of technical, investigative, procedural, and legal skills  Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, Chain of custody • The ability to function in a complex, dynamic environment  Computer technology as well as legal and regulatory environments are constantly changing • The ability to testify in a court of law  Reproduce incident, interpret results, be prepared for cross- examination
  4. 4. Computer Forensics – Patricia M Watson Computer Forensics Training • The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)  http://www.giac.org/certifications/security/gcfa.php • New Technologies Inc. – Computer Forensics Certification administered by Oregon State University  http://www.forensics-intl.com/forensic.html • CompuForensics – in association with the University of Georgia offer computer forensics certificate courses  http://www.gactr.uga.edu/is/cf/ • Certified Information System Security Professional (CISSP)  http://www.cissp.com/ispc/cf-bootcamp.asp
  5. 5. Computer Forensics – Patricia M Watson Why is Computer Forensics Important? • Computers are used to commit crimes  Fraud, theft of intellectual property, threatening letters • Computers are victims of crimes  Remote attacks, viruses, worms, Trojans • Computers provide record of activities that are useful in an investigation of an alleged crime  Best evidence rule: Accurate representation of original data on a system (bit-for-bit image)
  6. 6. Computer Forensics – Patricia M Watson Forensics in a Nutshell • Incident response o Verify the incident o Evidence Seizure o Collect volatile and non-volatile data (live system) • Investigation and analysis o Image System (dead system) o Data recovery • Reporting results o Record your actions
  7. 7. Computer Forensics – Patricia M Watson Forensics “The Legal Issues” • Federal (cyber crime is federal) o Title 18 – communications, computers, fraud, etc. o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection • State laws vary • Admissible evidence  Law enforcement personnel activities are restricted (warrants, privacy, consent)  Law enforcement must follow chain of custody  Private citizens must follow company policies  Policy should address both legal and business environments
  8. 8. Computer Forensics – Patricia M Watson Places for Data to Hide As organized by SANS.org • Physical Layer  Areas allocated for diagnostics, sector overhead, sectors marked as bad • Data Layer  Slack space, swap space, free space, unallocated space (file fragments) • Metadata Layer  Corrupted inodes (Linux), resident data as alternate data streams (NTFS) • File System Layer  Superblock, boot sector • File Name Layer  When files are deleted, the file system will hide the file name from the user, but much data can be recovered using forensic tools.
  9. 9. Computer Forensics – Patricia M Watson The “Tools” • Although there is no universal forensic solution, Linux based tools are preferred for the following reasons:  They are FREE  Open source – You can modify/improve  You can verify tool integrity (cryptographic hashes)  You can image any type of media as raw format  Greater versatility – No platform dependencies
  10. 10. Computer Forensics – Patricia M Watson Tools – “The Basics” • dcfldd – Modified version of dd which provides the ability to perform hashing on the raw data collected  # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt • dd – Powerful utility used for truncating files, splitting images, or sanitizing disk or partitions  # dd if=/dev/zero of=/dev/hda# • Cryptographic Hashes – Provide evidence integrity and authentication  md5sum, sha1 • mount loop  # mount –o ro,loop imagepath mountpoint • strings, grep, fgrep, file – Used for keyword searches
  11. 11. Computer Forensics – Patricia M Watson Type of Forensic Toolkits • Data Analysis Toolkits: Designed to analyze data, best for live system analysis o The Coroner’s Toolkit (TCT)  Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix host  http://www.fish.com/tct • Data Acquisition Toolkits: Save data to perform lab-based analysis, best for dead system analysis o The Sleuth Kit (TSK)  Designed by Brian Carrier, the TSK is a collection of file system analysis tools with NO platform dependency. http://sleuthkit.sourceforge.net  Autopsy is the graphical interface to TSK
  12. 12. Computer Forensics – Patricia M Watson The TSK Tool Organization • File System Layer:  fsstat – displays details about the file system
  13. 13. Computer Forensics – Patricia M Watson The TSK Tool Organization • Data Layer:  dstat – provides statistics on a given data unit, i.e. allocation status  dls – copies unallocated contents form data units to STDOUT, the –s flag extracts slack space on NTFS and FAT systems  dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)  dcat – displays the contents of any disk block to STDOUT
  14. 14. Computer Forensics – Patricia M Watson The TSK Tool Organization • Metadata Layer: o istat – displays statistics about a given metadata structure i.e. permissions, size, allocation status o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches o ils - lists general details of inodes, most often used to collect inodes of deleted files o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files
  15. 15. Computer Forensics – Patricia M Watson The TSK Tool Organization • File Name Layer:  fls – lists file and directory entries in a directory inode. Since “fls” is processing the directory content, it can display the data from deleted files  ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
  16. 16. Computer Forensics – Patricia M Watson Forensic Resources • Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf • Intrusion Detection, Honeypots and Incident Handling Resources http://www.honeypots.net/ • US Department of Justice Forensic Examination of Digital Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf • USDOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf • Computer Forensics Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5 • Know Your Enemy 2nd Edition. The Honeynet Project.
  17. 17. Computer Forensics – Patricia M Watson Computer Forensics • Questions?

×