The document outlines topics related to computer forensics including types of computer crimes, incident response versus computer forensics, laws related to the field, challenges with prosecution, key aspects of digital evidence like chain of custody and integrity, methods of data acquisition from networks, memory, hard drives and logs, and considerations for courtroom presentation.
2. Agenda
Types of “actionable” computer crime
Incident response vs computer forensics
Laws related to computer crime or forensics
Obstacles to computer crime prosecution
2 key elements of digital evidence
Data acquisition
Forensics: Network, Memory, Hard Drive, Logs
Courtroom Usage
3. Types of “actionable” computer crime
Identity Theft
Electronic Fraud (ACH or Credit Card)
Trade Secret / IP Theft
Spamming
Website Defacement / Denial of Service
Unauthorized Access / Misuse of Access
Cyberbullying / Unauthorized Sexting / Etc.
Child Pornography
National Security Issues
4. Incident Response vs. Forensics
Incident response = “Something bad happened, fix it”
Forensics = Acquisition of evidence for potential litigation
Can include e-Discovery
Organizations should have prepared in advance for this decision
Some incidents are not worth pursuing in criminal or civil court
Forensics is much more time-consuming and expensive
In both cases: how someone “got in” and what they did once there
May not be concerned with attribution
5. When to do forensics?
When it’s a criminal matter…
When a civil case will likely be prosecuted…
When insurance requires it…
As litigation prevention…
When there is a large $ loss involved…
7. Obstacles to Computer Crime Prosecution
Ownership of Hardware
Big issue with Cloud Computing
Ownership of Data
Physical Access to Data
Expectation of Privacy
Not supposed to monitor users if they reasonably believe their actions are private
Chain of Custody / Evidence Preservation
Hard to have a case if chain of custody is broken or evidence has been corrupted
International Law
8. 2 Key Elements of Digital Evidence
Chain of Custody
Similar to “physical” evidence
If chain is broken, could end your case
Integrity of Evidence
Digital evidence is much more volatile
Often examining copies… are they “real”?
Suspect could destroy evidence if they are on to you
9. Chain of Custody
Physical possession of data is standard chain of custody
How do you prove chain of custody on electronic information?
Prevention of evidence contamination
Analyze only digital copies
Use “write-blockers” for physical drives
Difficult for “live system” analysis
Keeping notes for all tasks performed on “live system”
10. Integrity of Evidence
Prevention of evidence contamination
Analyze only copies
Use “write-blockers” for physical drives
Difficult for “live system” analysis
Keeping notes for all tasks performed on “live system”
Use cryptographic “hashing” to prove evidence isn’t contaminated
11. Cryptographic hashing
Hashing uses a cryptographic algorithm to generate a pseudo-random string of text that uniquely represents a file (or hard drive)
Small changes cause large changes in the hash
Example: “Illinois State Bar Association.” vs “Illinois State Bar Association!”
MD5:
acaf1670a9acc228a40f02fe034aea6e vs cb0149671f638b3b7d3e0abd4e40f010
SHA1:
ee9e70de1206ff87cc2d87d7d660c5cc0ac299cf vs 66d00acfc4ee228443317f1cf19cfb3d69b3ef13
Hash Collisions
Use multiple algorithms to avoid doubt
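The hashing workflow these slides describe, as an added example that is not from the presentation: it hashes the two sample strings from the slide with the algorithms named (MD5, SHA1) plus SHA-256, counts how many bits change because of the one-character difference, and re-verifies a copy against the record taken at acquisition so a single flipped bit is caught. Standard-library Python only; the 16 KiB “drive image” is constructed.

```python
"""Evidence integrity via multiple hash algorithms (added example, standard library only)."""
import hashlib
import io

# The two algorithms named on the slide plus SHA-256. A collision in one
# algorithm would also have to collide in every other one, which is what
# "use multiple algorithms to avoid doubt" buys you.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """{algorithm: hex digest} for an in-memory object."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20) -> dict:
    """Hash a file or drive image of any size in one pass, a chunk at a time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data: bytes, acquisition_record: dict) -> bool:
    """Re-hash the copy being examined; True only if every recorded digest still matches."""
    current = hash_bytes(data, tuple(acquisition_record))
    return all(current[name] == acquisition_record[name] for name in acquisition_record)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def slide_example() -> dict:
    """Digests of the two strings from the slide and how many bits changed
    because of the one-character difference (about half of them, for any good hash)."""
    a = "Illinois State Bar Association.".encode()
    b = "Illinois State Bar Association!".encode()
    ha, hb = hash_bytes(a), hash_bytes(b)
    return {name: (ha[name], hb[name], differing_bits(ha[name], hb[name])) for name in ALGORITHMS}


def acquisition_demo() -> tuple:
    """Constructed 'drive image': record it at acquisition, verify an exact copy,
    then show that a single flipped bit in the copy fails verification."""
    image = bytes(range(256)) * 64            # 16 KiB of constructed data
    record = hash_stream(io.BytesIO(image))   # taken before the drive goes in the safe
    exact_copy = bytes(image)
    tampered = bytearray(image)
    tampered[4096] ^= 0x01                    # one bit changed in one byte
    return verify(exact_copy, record), verify(bytes(tampered), record)


if __name__ == "__main__":
    for name, (ha, hb, bits) in slide_example().items():
        print(f"{name}: {ha} vs {hb} ({bits} bits differ)")
    print("exact copy verifies, tampered copy verifies:", acquisition_demo())
```

The record produced by `hash_stream` is what goes into the notes at acquisition time; `verify` is what gets run (and documented) before and after every examination session of the copy.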
12. Data Acquisition
In all cases, physical access is required by someone
In “old days” we’d rip power out of the computer and take the system.
Evidence collection now proceeds from most “volatile” to least “volatile”
Network traffic
Memory
Hard drives
System logs (assuming configured right)
May capture volatile data multiple times
13. Network Forensics
In essence, the same as wiretapping a phone call except with data
Most network switches allow for capturing live traffic from a machine
What are you looking for:
Who is talking to this machine
Who is this machine talking to
When is it happening
What is being communicated
Encryption?
15. Memory Forensics
Must be done on a “live” machine, memory disappears without power
Hibernation / Sleep mode in laptops
Contains:
All running programs (even those deleted from the disk)
Any encryption keys in use (makes for easy decrypting)
In some cases, passwords
Memory is constantly changing
Evidence “changes” over time, may have to work with multiple memory files
16. Hard Drive Forensics
Can be done on a “live system” or a system that is off
On a “live system” data is constantly changing, which can be problematic
Involves a bit-copy of a drive into a “virtual drive” file for examination
Hashes taken before and after to ensure no data is contaminated
Drive left in safe, all analysis done on the “virtual drive” copies
17. Hard Drive Forensics
Hard drives are collections of ones and zeroes, even when mostly empty
File tables connect files to the actual “addresses” on the drive where the data that comprises each file is stored, and hold attributes of the file (like MAC times).
When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files.
Government standards require multiple “wipes” of a drive to confirm deletion
Data may hide also in “slack space”
18. Hard Drive Forensics
So you have a drive image, now what?
Index drive for evidence.
Search for all deleted files
Search for all files added, deleted or modified at a certain time
Search files for specific strings
Search for files of a specific type
Examine key system files (configuration files, startup scripts, system registry)
Depends heavily on the nature of the incident
Iterative process that is more art than science
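The two slides above (data surviving deletion, and searching an image for files of a specific type or for specific strings) as one added example, not from the presentation: a signature-based carver that finds files by their header and footer bytes without consulting any file table, plus a raw string search that also covers slack space. The signature table and the 4 KiB “drive” are constructed for the example.

```python
"""Recovering files from a raw image without the file table (added example)."""
import re

# Header and footer byte signatures for a few common types. This table is
# constructed for the example; real carvers ship hundreds of signatures.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Return (offset, kind, data) for every header that is followed by its footer.

    Nothing here consults a file table: a deleted file is only "unlinked",
    so its bytes are still found this way until something overwrites them.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                break                        # truncated or overwritten tail: skip
            end += len(footer)
            hits.append((start, kind, image[start:end]))
            start = image.find(header, end)
    return sorted(hits, key=lambda hit: hit[0])


def grep_image(image: bytes, pattern: bytes) -> list:
    """Offsets of every match of a byte string or regex anywhere in the image,
    which includes slack space and unallocated clusters."""
    return [m.start() for m in re.finditer(pattern, image)]


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'drive' of eight 512-byte clusters: a photo whose
    directory entry is gone, a live document, and a fragment left in slack space."""
    cluster = 512
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n%constructed sample\n" + b"P" * 200 + b"\n%%EOF"
    note = b"memo re: meeting 3pm Jan 11"
    image = bytearray(cluster * 8)                                # all zeroes
    image[cluster * 1:cluster * 1 + len(jpeg)] = jpeg             # "deleted" file, no table entry
    image[cluster * 4:cluster * 4 + len(pdf)] = pdf               # live file
    image[cluster * 7 - len(note):cluster * 7] = note             # tail of an overwritten file
    return bytes(image)


def demo() -> dict:
    """Carve the constructed image and search it for the incident date."""
    image = build_sample_image()
    return {
        "carved": [(offset, kind, len(data)) for offset, kind, data in carve(image)],
        "string_hits": grep_image(image, rb"Jan 1\d"),
    }


if __name__ == "__main__":
    print(demo())
```

Carving is the "search for files of a specific type" step; the regex search is the "search files for specific strings" step run over the whole image rather than over files the file table knows about, which is how fragments in slack space turn up.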
19. Hard Drive Forensics
MAC times stand for “modified”, “accessed”, “created” and may also include a deletion time.
All files have MAC times associated with them (even deleted ones).
These times can help provide a search pattern for files “important” to an incident (e.g., if something happened at 3pm on Jan 11th, you’d look for any file with a MAC time near that same time).
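The search pattern just described, as an added example that is not from the presentation: walk a mounted copy of a file system and list every timestamp within a window of the slide’s “3pm on Jan 11th”. The sample directory is constructed in a temp folder with `os.utime`; note in the code that Linux exposes inode change time rather than a true creation time, so “created” needs a tool that understands the image’s file system.

```python
"""Searching a file system copy for MAC times near an incident (added example)."""
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def mac_times(path: str) -> dict:
    """Timestamps of one file as UTC datetimes.

    Caveat: Linux reports st_ctime as the inode *change* time, not creation.
    A true creation time exists only where the file system records one
    (st_birthtime on some platforms, $STANDARD_INFORMATION on NTFS), so the
    "created" part of MAC needs a tool that understands the image's file system.
    """
    st = os.stat(path, follow_symlinks=False)
    return {
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
        "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
        "changed": datetime.fromtimestamp(st.st_ctime, timezone.utc),
    }


def timeline(root: str, incident: datetime, window: timedelta) -> list:
    """Every (timestamp, kind, path) within `window` of `incident`, oldest first.
    Point it at the mounted *copy* of the image, never at the original drive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for kind, when in mac_times(path).items():
                if abs(when - incident) <= window:
                    hits.append((when, kind, path))
    return sorted(hits)


INCIDENT = datetime(2011, 1, 11, 15, 0, tzinfo=timezone.utc)   # the slide's "3pm on Jan 11"


def build_sample_tree() -> str:
    """Constructed directory: one file touched minutes after the incident,
    one a day earlier. Only atime and mtime can be set from user space."""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    for name, when in (("suspicious.exe", INCIDENT + timedelta(minutes=4)),
                       ("report.docx", INCIDENT - timedelta(days=1))):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"constructed sample")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


def demo() -> list:
    """(kind, file name) for everything within an hour of the incident."""
    root = build_sample_tree()
    try:
        return [(kind, os.path.basename(path))
                for _when, kind, path in timeline(root, INCIDENT, timedelta(hours=1))]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

Only the file touched after the incident appears, and only through its accessed and modified times: the change time of both files is the moment the sample was built, which is the same reason an examiner works from a copy made as soon as possible after acquisition.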
20. Windows Registry
Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command).
Most recently used programs
Most recently entered commands
Most recently viewed documents
Typed URLs in IE
Unique hardware addresses for USB keys accessed on the system
This can be used to create a “timeline” of activity on the machine
21. Log Forensics
Over 90% of all computer crime incidents were recorded in system logs
Servers associated with a subject computer may have valuable information
E-mail logs can show all mail sent from a target computer
DHCP / DNS logs may show when the machine was on and who it was communicating with
If configured, can show who accessed a machine even if the machine has had its own logs wiped
Web server logs can show attacks in progress and how servers were exploited
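The DHCP / DNS correlation described above, as an added example that is not from the presentation: find which machine held an IP address at the incident time, then list the names that machine resolved around it. The log lines are constructed in the style of ISC dhcpd syslog output and BIND 9 query logging (real formats vary with version and configuration; the regexes assume these shapes), the year is assumed because syslog lines carry none, and the incident time is the slide’s “3pm on Jan 11”.

```python
"""Correlating DHCP leases with DNS queries around an incident (added example)."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2011   # syslog lines carry no year; assumed for the constructed sample

# Constructed lines in the style of ISC dhcpd (via syslog) and BIND 9 query logs.
# Real formats vary with version and configuration; the regexes assume these shapes.
DHCP_LOG = """\
Jan 11 08:02:11 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 00:1a:2b:3c:4d:5e (ACCT-PC07) via eth0
Jan 11 12:40:09 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 08:00:27:aa:bb:cc (VISITOR-LAPTOP) via eth0
Jan 11 16:15:30 dhcp1 dhcpd: DHCPACK on 10.1.20.58 to 00:1a:2b:3c:4d:5e (ACCT-PC07) via eth0
"""
DNS_LOG = """\
11-Jan-2011 14:58:02.210 client 10.1.20.57#50112: query: update.example-vendor.com IN A + (10.1.1.5)
11-Jan-2011 15:01:44.117 client 10.1.20.57#51234: query: files.unknown-host.example IN A + (10.1.1.5)
11-Jan-2011 15:02:09.503 client 10.1.20.31#40001: query: intranet.example.org IN A + (10.1.1.5)
11-Jan-2011 15:03:17.881 client 10.1.20.57#51240: query: unknown-host.example IN MX + (10.1.1.5)
"""

DHCP_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
DNS_RE = re.compile(r"^(\S+ [\d:.]+) client (\S+)#\d+: query: (\S+) IN (\S+)")


def parse_dhcp(text: str) -> list:
    """(time, ip, mac, hostname) for every DHCPACK, i.e. every lease actually handed out."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            when = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            leases.append((when, m.group(2), m.group(3), m.group(4)))
    return leases


def parse_dns(text: str) -> list:
    """(time, client ip, name, record type) for every logged query."""
    queries = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            queries.append((when, m.group(2), m.group(3), m.group(4)))
    return queries


def lease_holder(leases: list, ip: str, at: datetime):
    """(mac, hostname) holding `ip` at time `at`: the latest DHCPACK for that IP
    not after `at`. An IP alone identifies nobody; leases move between machines."""
    candidates = [lease for lease in leases if lease[1] == ip and lease[0] <= at]
    if not candidates:
        return None
    _when, _ip, mac, host = max(candidates)
    return mac, host


def lookups_by(queries: list, ip: str, start: datetime, end: datetime) -> list:
    """Names a client IP resolved inside [start, end]: who it was about to talk to."""
    return [(when, name, rtype) for when, client, name, rtype in queries
            if client == ip and start <= when <= end]


def investigate(ip: str, incident: datetime, window: timedelta = timedelta(minutes=10)) -> tuple:
    holder = lease_holder(parse_dhcp(DHCP_LOG), ip, incident)
    names = [name for _when, name, _rtype in
             lookups_by(parse_dns(DNS_LOG), ip, incident - window, incident + window)]
    return holder, names


def demo() -> tuple:
    """The slide's scenario: something happened at 3pm on Jan 11 involving 10.1.20.57."""
    return investigate("10.1.20.57", datetime(2011, 1, 11, 15, 0))


if __name__ == "__main__":
    holder, names = demo()
    print("lease holder at incident time:", holder)
    print("names resolved around the incident:", names)
```

The point of the lease lookup is the first line of the sample: the same address belonged to a different machine that morning, so a log entry naming only an IP has to be tied to a lease before it says anything about a subject computer.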
22. Log Forensics
E-mails all come with headers that give a wealth of information to identify the sender.
Can show:
IP Address of sender
Can show all mail servers used
Potentially can show true username of sender
Shows when the message was really sent
Gives unique message ID which can be used to track messages in mail server logs
23. E-mail Headers Example
Return-path: dbernardi@frontier.com
Envelope-to: jcb@bambenekconsulting.com
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from out01.dlls.pa.frontiernet.net ([199.224.80.228]) by chicago.bambenekconsulting.com with esmtp (Exim 4.69)
    (envelope-from <dbernardi@frontier.com>) id 1Qoetc-0001aE-01 for jcb@bambenekconsulting.com; Wed, 03 Aug 2011 12:06:16 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAB1/OU4yLK7Y/2dsb2JhbAA/Aw6CP5cljW6COAEFCCACAz4ODQMCDQoBNwIXPgEBBAEdyQ2DPoMEBIdam05V
X-IronPort-AV: E=Sophos;i="4.67,311,1309737600"; d="xml'?rels'?docx'72,48?scan'72,48,208,217,72,48";a="146462351"
Received: from relay01.dlls.pa.frontiernet.net ([199.224.80.244]) by out01.dlls.pa.frontiernet.net with ESMTP; 03 Aug 2011 17:06:14 +0000
X-Previous-IP: 50.44.174.216
Received: from BernardiHome (unknown[50.44.174.216]) by relay01.dlls.pa.frontiernet.net (Postfix) with ESMTPA id B4A0930C095; Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "don bernardi" <dbernardi@frontier.com>
To: "'Stephanie Beine'" <sbeine@genetictechnologies.com>, "'Rich Kaplan'" <kapla111@umn.edu>, <experts@forensicDJS.com>, <jharman@genetictechnologies.com>, <jcb@bambenekconsulting.com>
Cc: "'Jeremy Karlin'" <jkarlin@alcornkarlin.com>, "'Stephen M Komie'" <stephen_m_komie@komie-and-associates.com>, "'John J. Rekowski'" <jjrekowski@co.madison.il.us>, <rja@dupageco.org>, "'Tiffany Bordenkircher'" <tbordenkircher@isba.org>, <jheaton@isba.org>
References: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
In-Reply-To: <4F46AA8D5DFD674586F982B62079DD43059204B612@34093-MBX-C01.mex07a.mlsrvr.com>
Subject: nov 18,2011 ISBA seminar
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <005c01cc51ff$a43b93e0$ecb2bba0$@com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_005D_01CC51D5.BB658BE0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcwOY1oNT74/g+iGTFi9Z6maxNsonhDmfBEw
Content-Language: en-us
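Reading a header block like the one above, as an added example that is not from the presentation: the script walks the `Received:` lines from the bottom up to recover the path the message took, the IP the first server saw connecting, the time at each hop (normalised to UTC, since the hops above mix -0500 and +0000), and the Message-ID to chase through server logs. It also checks that each hop’s receiving server is the next hop’s sending server and that time never runs backwards, which is where a fabricated header stands out. The message is constructed with example-style domains and placeholder ids, mirroring the three-hop structure of the slide’s real headers.

```python
"""Reconstructing a message's path from its Received headers (added example)."""
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed headers mirroring the structure of the slide's example
# (sender's machine -> ISP relay -> ISP outbound -> recipient's Exim), with
# example-style names and placeholder ids.
RAW_MESSAGE = """\
Return-path: <sender@example-isp.net>
Envelope-to: recipient@example-law.com
Delivery-date: Wed, 03 Aug 2011 12:06:16 -0500
Received: from out01.mail.example-isp.net ([192.0.2.228])
    by mx.example-law.com with esmtp (Exim 4.69)
    (envelope-from <sender@example-isp.net>)
    id 1AAAAA-000000-01
    for recipient@example-law.com; Wed, 03 Aug 2011 12:06:16 -0500
Received: from relay01.mail.example-isp.net ([192.0.2.244])
    by out01.mail.example-isp.net with ESMTP; 03 Aug 2011 17:06:14 +0000
Received: from SenderHome (unknown [198.51.100.216])
    by relay01.mail.example-isp.net (Postfix) with ESMTPA id 0123456789AB;
    Wed, 3 Aug 2011 17:06:12 +0000 (UTC)
From: "Sender Name" <sender@example-isp.net>
To: <recipient@example-law.com>
Subject: constructed sample
Date: Wed, 3 Aug 2011 12:06:07 -0500
Message-ID: <constructed.0001@SenderHome>
MIME-Version: 1.0
Content-Type: text/plain

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_path(raw: str) -> list:
    """One dict per Received header, oldest hop first.

    Each receiving server prepends its own Received line, so the header at the
    top is the last hop and the one at the bottom is the first. The bracketed
    IP in the bottom-most hop is the address the originating server saw connect.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)           # unfold continuation lines
        m_from = re.search(r"\bfrom (\S+)", value)
        m_by = re.search(r"\bby (\S+)", value)
        m_ip = IP_RE.search(value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "at": when.astimezone(timezone.utc),     # normalise mixed zones
        })
    hops.reverse()
    return hops


def chain_is_consistent(hops: list) -> bool:
    """Each hop's 'by' server should be the next hop's 'from' server and time
    should not run backwards. A break here is where a forged header shows up."""
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] != later["from"] or earlier["at"] > later["at"]:
            return False
    return True


def summarize(raw: str) -> dict:
    hops = hop_path(raw)
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "servers": [h["by"] for h in hops],
        "times_utc": [h["at"].strftime("%H:%M:%S") for h in hops],
        "consistent": chain_is_consistent(hops),
        "message_id": email.message_from_string(raw)["Message-ID"],
    }


if __name__ == "__main__":
    for key, val in summarize(RAW_MESSAGE).items():
        print(f"{key}: {val}")
```

Only the hops added by servers you (or a cooperating provider) control are trustworthy; anything below the first one you trust could have been written by the sender, which is exactly why the consistency check and the server-side logs keyed by Message-ID matter.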
24. File Metadata
Many file types include metadata in them to indicate the creating user, when modified, etc.
Metadata can be examined even on machines you don’t control
Cell phones are notorious for including metadata with image files.
This may even include GPS coordinates of where a picture was taken.
Office documents (especially with track changes) can show every person who touched a file
In some cases, can include content that has been “redacted” when viewed normally.
26. Other data sources
Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files and location data
Tablets and iPads
Online social network content (in particular, media)
Blog comments, forum posts
Webmail accounts
Google
27. Courtroom Usage
How to make the technically complex very simple
Preserve chain of custody and evidence of integrity!
Forensic report
Usually very long, includes boilerplate examples
Executive summary to make it accessible
Either dissuade cross-examination or poke holes in the other side’s case