Computer Forensics Bootcamp

© 2013 nCircle. All Rights Reserved.
Forensics Bootcamp

Introduction

What is Forensics?
• Scientific tests or techniques used in
the investigation of crimes
• The use of scientific methods and techniques,
such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics)
is the application of a broad spectrum of
sciences to answer questions of interest to a
legal system. This may be in relation to a crime
or a civil action.

What is Computer Forensics?
Computer Forensics
A methodical series of techniques and
procedures for gathering evidence, from
computing equipment and various storage
devices and digital media, that can be
presented in a court of law in a coherent and
meaningful format

Types of Cyber Crime
• Theft of intellectual property
• Financial Fraud
• Damage of company service networks
• Distribution and execution of viruses and
worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional
crime (emails, data management, files.)

Legal Issues

Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody

4th Amendment
• The Fourth Amendment (Amendment
IV) to the United States Constitution is the
part of the Bill of Rights which guards
against unreasonable searches and
seizures when the searched party has a
"reasonable expectation of privacy".
• Search warrants need probable cause and
need to describe the place to be searched,
and the persons or items to be seized.

Chain-of-Custody
(aka Chain of Evidence)
• Chain of Custody (CoC) refers to the
chronological documentation or paper
trail, showing the
seizure, custody, control, transfer, analysis, a
nd disposition of evidence, physical or
electronic.
• Because evidence can be used in court to
convict persons of crimes, it must be handled
in a scrupulously careful manner to avoid
later allegations of tampering or misconduct.

Question ?
As related to computer forensics, why is the
4th amendment an important
consideration?
a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights

Digital Media

Two Types of Data
• Volatile - RAM
• Non-volatile
– ROM, PEOM, EEPROM
– Hard Drives (to include Solid State Drives (SSD))
– USB Devices
– Flash cards
– Optical Media – CDs, DVDs, Blue-ray (BD), ….
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game
consoles, GPS units, smart phones, smart
watches, …

Write Blockers
• Two types of write blockers:
hardware and software
• Prevention of data “spoilation” = the compromise
of data integrity by intentionally or inadvertently
altering the data from its “original” form.
• Reads Allowed and Writes Prevented!
• Another name for a write blocker is a “Forensic
Bridge”

Some Data Hiding Techniques
• Slack Space and Unallocated Space
• Rootkits
• Alternate Data Streams (ADS)
• File Signatures
• Steganography

Question ?
What function does a
Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents Reads
d. Prevents writes

The Forensic Process

• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting

(Preparation)
• Training
• Policies & Procedures
• Equipment (Forensic Kit)
– Laptop computer w/ forensic software
– Boot disks and CDs of tools (forensically
sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, faraday bags, tags, stickers
– Chain-of-custody and other forms

(Containment)
• Establish immediate control
of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and
physical network cables
– Power off computers as necessary

(Collection)
• Photograph the scene to include monitor
screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non volatile devices for transport.
Collect peripheral devices as necessary.

(Collection – Mobile devices)
• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing
charge (example seizure kit)
• Place in a Faraday bag to prevent remote
access

(Examination & Analysis)
• Image the non-volatile media (i.e. make
exact bit-stream copies of the media using
imaging hardware or software)
• Images must be hashed
• Analyze the bit stream image using
forensic analysis software, e.g.:
EnCase, FTK,…
• Prepare a report of findings

Question ?
During the forensic process exact “bit
stream” images are made of non-volatile
media. Part of this process uses a
technique called _______ to verify the
integrity of the image?
a. read blocking
b. checksums
c. hashing
d. transforms

Forensic Analysis
Techniques

Forensic Analysis
Techniques
• Searching:
– Keyword, email, web, viewers
• File Signatures
• Slack Space and unallocated space
• Data carving
• Steganography
• Passwords (Dealing with encryption)

Searching: Keywords
• To effectively search through
a suspect’s media an investigator
needs to add relevant keywords
1) Add keywords
2) Specify keyword search criteria (e.g. what
and where tosearch – e.g. slack space)
3) Conduct keyword search

Searching: email & social media
• Most forensic analysis tools have built-in
email searching and viewing tools
• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats:
Yahoo, AOL, Google, Hotmail

Searching: web artifacts
• Most forensic analysis tools
have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies

File Signature Analysis
• This type of analysis allows investigators to
verify file types
• A savvy suspect can change file extension in
order to attempt to avoid detection. Example:
Changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header
in order to determine what type of file it actually
is

Data Carving (1 of 2)
• Data Carving is a technique used in the
field of Computer Forensics when data
can not be identified or extracted from
media by “normal” means due to the fact
that the desired data no longer has file
system allocation information available to
identify the sectors or clusters that belong
to the file or data.

Data Carving (2 of 2)
• Currently the most popular method of Data
Carving involves the search through raw
data for the file signature(s) of the file
types you wish to find and carve out.

Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase)
have the ability to look at (view) and
search (keyword search) slack space and
unallocated space
• Viewing of slack space and unallocated
space is done by a hex/ASCII viewer.
Tools like EnCase and FTK have this type
of viewer built in.

Concealment cipher = Steganography (example)
Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
Saint Olga planting Christianity in Russia

Steganography
• Detection techniques are crude
• Usually done by looking for
evidence of steganography use,
e.g. Steg programs on system
• Advanced analysis includes
Steg detection programs
(that typically use statistical
analysis techniques)

Question ?
A suspect changes a file extension of his MS
word file from .doc to .dll to attempt to hide
his file. The method used to detect this
type of activity is called?
a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis

Question ?
A criminal hides the contents of a
spreadsheet with the details of his illicit
financial activities in a JPEG image. This
is an example of which technique?
a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography

Incident Handling &
Forensics

Incident Response Process
• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and Containment
– Gathering Evidence
– Analysis and Reporting
• Closure
– Restoration
– Lessons Learned

The Response Team
• Cross-functional with a high level of authority
– Dedicated – with clearly defined roles & responsibilities
– Not just computer security: Management, Info sec,
IT/network, legal, public relations
• Well Trained
– Rehearsals and training appropriate to risk
– Trained in Forensics
– Forensics tools and equipment
• Policies and Procedures
– Appropriate to Risk (Risk Management)
– Lessons learned / constant refinement

When to Involve Law Enforcement
• Use forensic processes whenever
possible
• As a general rule: Involve law
enforcement when corporate policy or
the law says so
• You are compelled by law to report
certain incidents, e.g. disclosure of
credit card info.
• Establish and ongoing relationship
with corporate legal and appropriate
law enforcement agencies, e.g.
Infragard.

Make Sneaking Hard
• Detection systems -- appropriate with risk
• Logging, Logging, logging!!!
(Firewall, router, system…)
• Monitoring
– Intrusion detection systems
– File Integrity monitoring systems
– Vulnerability and Configuration management systems
– Attack Path Analysis
• Warning Banners, Expectations of use, Expectations of privacy
• Physical Security systems

Question
s?
http://connect.ncircle.com
Continue the conversation at

Computer Forensics Bootcamp

More Related Content

What's hot

Viewers also liked

Similar to Computer Forensics Bootcamp

More from nCircle - a Tripwire Company

Recently uploaded

Computer Forensics Bootcamp