Computer Forensics
Published in: Technology

  1. Computer Forensics, by Rob Ferrill
  2. Forensics in a Nutshell
     - Evidence Seizure
     - Investigation and Analysis
     - Reporting Results
     "Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system" (Farmer and Venema)
  3. Do You Have a Plan?
     - Planning and Policy
       - Do you have an incident response policy in place?
       - External incident
         - Intrusions, viruses, denial of service, theft of service
       - Internal incident
         - Intellectual property theft, malicious intent, policy abuse
  4. Forensic Fortifying Your Network
     - System time
       - GMT or local
       - Use Network Time Protocol
     - Network logs
       - Firewalls, IDS, e-mail, file servers
     - Backups
       - Critical servers and tertiary servers
     - Hash databases
  5. Forensic Definitions
     - Evidence
     - Best Evidence
     - Chain of custody
     - Images
     - Dirty word list
     - Incident response forensics
     - Media analysis
  6. Evidence
     - Definition: something that tends to establish or disprove a fact
     - What potentially can be the smallest piece of evidence?
       - 4 bytes
       - An IP address in hex
  7. Best Evidence Rule
     - Definition: the original writing must be offered as evidence unless it is unavailable, in which case other evidence, such as copies, notes, or other testimony, can be used.
     - Accurate representation of the original data on a system
     - Extracted data may be introduced as evidence
  8. Chain of Custody
     - Chain of custody
       - Establishes each person who has had custody of the evidence
       - Establishes continuity of possession
       - Proof of integrity of the handling of the evidence collected
  9. Chain of Custody Items (2)
     - Chain of custody items
       - Full name and signature of the person receiving the evidence
       - Case number and item (tag) number of the evidence
       - Hash values of the evidence, if you are able to obtain them (MD5sum is fine)
       - Pertinent technical data (drive geometry)
  10. Chain of Custody Items
     - Chain of custody items
       - Date and time the item was seized
       - Location and who it was obtained from
       - Make, model, and serial number
       - Name of the individual(s) who collected the evidence
       - Description of the evidence
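The two chain-of-custody slides above list what a custody record must carry; the following is an added example (not part of the deck) of a record that holds those items and checks the two things the record exists to prove: continuity of possession (each release is made by whoever last received the item, timestamps never run backwards, every receiver signs) and integrity (the item still hashes to the values taken at seizure). The `Transfer` and `CustodyRecord` classes, the `verify_chain` helper and the sample case data are assumptions constructed for illustration; MD5 is recorded because the slide allows it, with SHA-256 alongside.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Transfer:
    """One hand-off of the evidence item (one line of the custody log)."""
    when: datetime
    released_by: str
    received_by: str
    signature: str      # stand-in for the receiver's signature
    purpose: str


@dataclass
class CustodyRecord:
    """Seizure details the slides list, plus the log of transfers."""
    case_number: str
    tag_number: str
    description: str
    make_model_serial: str
    seized_at: datetime
    seized_from: str    # location and who it was obtained from
    collected_by: str
    md5: str            # hash values taken at seizure
    sha256: str
    transfers: list = field(default_factory=list)


def hashes_of(data: bytes) -> tuple:
    """MD5 (as the slide allows) and SHA-256 (stronger companion) of the item."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def verify_chain(rec: CustodyRecord, current_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    # Continuity of possession: the collector holds the item first, and the
    # person releasing it in each transfer must be whoever received it last.
    holder, last_time = rec.collected_by, rec.seized_at
    for i, t in enumerate(rec.transfers, 1):
        if t.released_by != holder:
            problems.append(f"transfer {i}: released by {t.released_by!r}, custodian was {holder!r}")
        if t.when < last_time:
            problems.append(f"transfer {i}: timestamp earlier than the previous entry")
        if not t.signature:
            problems.append(f"transfer {i}: missing receiver signature")
        holder, last_time = t.received_by, t.when
    # Integrity: the item as held now must hash to the values recorded at seizure.
    if hashes_of(current_bytes) != (rec.md5, rec.sha256):
        problems.append("hash mismatch: item differs from what was seized")
    return problems


def demo() -> dict:
    """Constructed sample: a clean chain, one with a gap in possession, and a tampered item."""
    evidence = b"constructed stand-in for an imaged USB stick"  # not real evidence
    md5, sha256 = hashes_of(evidence)
    t0 = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)
    rec = CustodyRecord(
        case_number="CASE-0001", tag_number="ITEM-07",
        description="8 GB USB stick, blue", make_model_serial="ExampleCo/Flash8/SN-PLACEHOLDER",
        seized_at=t0, seized_from="Office 4B, from J. Doe", collected_by="A. Collector",
        md5=md5, sha256=sha256,
    )
    rec.transfers.append(Transfer(t0.replace(hour=11), "A. Collector", "B. Examiner", "sig-B", "imaging"))
    rec.transfers.append(Transfer(t0.replace(hour=17), "B. Examiner", "C. Custodian", "sig-C", "storage"))
    clean = verify_chain(rec, evidence)
    # Break the chain: someone who never received the item releases it.
    rec.transfers.append(Transfer(t0.replace(hour=18), "D. Unknown", "E. Someone", "sig-E", "review"))
    gap = verify_chain(rec, evidence)
    # Tamper: one byte differs from what was seized.
    tampered = verify_chain(rec, evidence[:-1] + b"!")
    return {"clean": clean, "gap": gap, "tampered": tampered}
```

`demo()` returns an empty problem list for the clean chain, one continuity problem once a transfer is released by someone who never held the item, and an additional hash-mismatch problem when the item itself has changed. In practice the record is kept on paper or in a case-management system; the point of the checks is that both the possession sequence and the hashes are verifiable by a third party later.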
  11. Image
     - What is an "image"?
     - Bit-for-bit copy of the original evidence gathered from a system
     - Could include:
       - Hard drive (logical or physical)
       - Memory
       - Removable media
  12. Dirty Word Lists
     - Keywords specific to your case
     - A list used to search for hits on the hard drive
     - Modified during an investigation as you perform your analysis
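A dirty word list is only useful if the search actually finds the words as they sit on the media, which means searching raw bytes rather than files, matching case-insensitively, and covering the encodings the system writes in. The following added example (not from the deck) scans a constructed stand-in for an image in fixed-size chunks, overlapping each chunk by the longest pattern so a hit straddling a chunk boundary is not missed, and reports the byte offset, word and encoding of every hit. The word list, the `IMAGE` bytes and the `search_image` helper are constructed for illustration.

```python
import re

# Constructed list for this walkthrough; a real list grows as the analysis proceeds.
DIRTY_WORDS = ["projectx", "payroll", "invoice 4471"]

# Constructed stand-in for a disk image: filler bytes with a few planted strings,
# one of them stored as UTF-16LE, as Windows commonly writes text.
IMAGE = (
    b"\x00" * 64
    + b"Quarterly payroll export\n"
    + b"\xff" * 32
    + "ProjectX-design.docx".encode("utf-16-le")
    + b"\x00" * 16
    + b"INVOICE 4471 paid"
)


def compile_patterns(words, encodings=("ascii", "utf-16-le")):
    """Build a case-insensitive byte pattern for each word in each encoding."""
    patterns = []
    for word in words:
        for enc in encodings:
            pat = re.compile(re.escape(word.encode(enc)), re.IGNORECASE)
            patterns.append((word, enc, pat))
    return patterns


def search_image(data: bytes, patterns, chunk_size=1 << 20):
    """Scan data chunk by chunk and return sorted (offset, word, encoding) hits.

    Each window extends past the chunk by the longest pattern length so a
    string split across two chunks is still matched; the dict keyed on the
    absolute offset removes the duplicate when a hit falls in the overlap.
    """
    overlap = max(len(pat.pattern) for _, _, pat in patterns) - 1
    hits = {}
    pos = 0
    while pos < len(data):
        window = data[pos:pos + chunk_size + overlap]
        for word, enc, pat in patterns:
            for m in pat.finditer(window):
                hits[(pos + m.start(), word, enc)] = m.group()
        pos += chunk_size
    return sorted(hits)


def run_demo():
    """Use a deliberately small chunk size so the overlap logic is exercised."""
    return search_image(IMAGE, compile_patterns(DIRTY_WORDS), chunk_size=50)
```

On the constructed image the search reports `payroll` at offset 74 (ASCII), `projectx` at offset 121 (UTF-16LE) and `invoice 4471` at offset 177 (ASCII). Run it against the read-only image, never the original media, and record the offsets in your notes so a hit can be located again when the list is revised later in the case.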
  13. Evidence Integrity
     - Ensure that the evidence has not been altered
     - Bit-image copies
     - Locked and limited-access cabinet
     - Use cryptographic hashes to ensure integrity of the original evidence and copies
  14. Evidence Hashes
     - Electronic evidence is used as input
     - Non-reversible
     - No two "different" files can create the same hash
     - Ideal way to ensure integrity
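Slides 11, 13 and 14 together describe the imaging-and-hashing workflow: take a bit-for-bit copy, hash the original and the copy, and use those hashes from then on to prove nothing changed. The following added example (not from the deck) does that for a constructed stand-in for a drive: it copies the source stream in chunks while hashing it in the same pass, hashes the finished image file independently, and shows that a working copy with a single flipped byte fails verification. The `image_device`, `hash_file` and `verify_image` helpers and the sample bytes are constructed for illustration; on a real system the source would be the device opened read-only behind a write-blocker.

```python
import hashlib
import io
import os
import tempfile


def image_device(src, dst, chunk_size=4096) -> dict:
    """Copy src to dst byte for byte, hashing what was read in the same pass.

    src is any binary file object (a block device opened read-only in a real
    case); dst is the image file. Hashing the stream as it is read gives the
    source hash without reading the media a second time.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    for block in iter(lambda: src.read(chunk_size), b""):
        md5.update(block)
        sha.update(block)
        dst.write(block)
        total += len(block)
    dst.flush()
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path, chunk_size=4096) -> dict:
    """Hash a file on disk in chunks so images larger than memory still work."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(record: dict, path) -> bool:
    """True only if both hashes of the file match the values recorded at imaging."""
    actual = hash_file(path)
    return actual["md5"] == record["md5"] and actual["sha256"] == record["sha256"]


def demo() -> dict:
    # Constructed stand-in for a small drive: 10277 bytes, deliberately not a
    # multiple of the chunk size so the final partial block is exercised.
    device = bytes(range(256)) * 40 + b"\x00" * 37
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "evidence.dd")
        with open(image_path, "wb") as out:
            record = image_device(io.BytesIO(device), out)
        intact = verify_image(record, image_path)
        # A working copy with a single flipped byte must fail verification.
        copy_path = os.path.join(workdir, "working-copy.dd")
        with open(copy_path, "wb") as out:
            out.write(device[:5000] + bytes([device[5000] ^ 0x01]) + device[5001:])
        tampered_passes = verify_image(record, copy_path)
    return {
        "bytes": record["bytes"],
        "streamed_matches_whole": record["sha256"] == hashlib.sha256(device).hexdigest(),
        "image_intact": intact,
        "tampered_copy_passes": tampered_passes,
    }
```

The image file verifies against the hashes taken while reading the source, and the one-byte-different copy does not. Both MD5 and SHA-256 are recorded: the slide says MD5sum is fine, and many existing records use it, but MD5 collisions are known to be constructible, so keeping a SHA-256 value alongside costs nothing and removes that argument from the courtroom. The hash values belong in the chain-of-custody record and in your notes the moment imaging finishes.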
  15. Forensic Incident Response
     - Incident response
       - Initially focuses on verification of the incident
       - Techniques highlight gathering evidence
         - Minimize data and evidence loss
         - Avoid adding data to the system through your actions
         - Recovery and downtime are major concerns
       - The initial concern is to triage the incident to prevent further potential damage to evidence
  16. Media Analysis
     - Media analysis
       - Focuses on processing copies of evidence gathered at the incident scene (i.e. an image)
       - Is not considered evidence gathering but evidence analysis
       - Primarily used to find specific data pertaining to the crime
       - Uses forensic workstations and automated tools to parse through gigabytes of data
  17. Forensic Principles
     - Four forensic principles = success
       - Minimize data loss
       - Record everything
       - Analyze all data collected
       - Report your findings
  18. Recording Your Actions
     - Four reasons to take good notes:
       - You may have to duplicate the setup
       - You will need to explain how you took down the computer
       - You may be called upon to testify
       - A witness's notes can be used as a refresher
  19. Think. Like. A. Hacker.
     - Some incidents are just the tip of the iceberg
       - Usually one compromised system means you will find others
       - Always investigate, because of this
     - Wiretap?
       - Contemplate watching the hacker enter back into the system
       - See what he is doing and what he is after
  20. Avoiding Common Mistakes
     - Adding your own data to the system
     - Killing any processes on the system
     - Accidentally touching timestamps
     - Using untrusted commands or tools
     - Adjusting the system prior to evidence seizure (power off, patching, updates)