Computer Forensics Bootcamp
© 2013 nCircle. All Rights Reserved.
What is Forensics?
• Scientific tests or techniques used in
the investigation of crimes
• The use of scientific methods and techniques,
such as genetic fingerprinting, to solve crimes
• Forensic science (often shortened to forensics)
is the application of a broad spectrum of
sciences to answer questions of interest to a
legal system. This may be in relation to a crime
or a civil action.
What is Computer Forensics?
Computer Forensics
A methodical series of techniques and
procedures for gathering evidence, from
computing equipment and various storage
devices and digital media, that can be
presented in a court of law in a coherent and
meaningful format
Types of Cyber Crime
• Theft of intellectual property
• Financial Fraud
• Damage of company service networks
• Distribution and execution of viruses and
worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional
crime (emails, data management, files)
Legal Issues
• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody
4th Amendment
• The Fourth Amendment (Amendment
IV) to the United States Constitution is the
part of the Bill of Rights which guards
against unreasonable searches and
seizures when the searched party has a
"reasonable expectation of privacy".
• Search warrants need probable cause and
need to describe the place to be searched,
and the persons or items to be seized.
Chain-of-Custody
(aka Chain of Evidence)
• Chain of Custody (CoC) refers to the
chronological documentation or paper
trail showing the seizure, custody, control,
transfer, analysis, and disposition of
evidence, physical or electronic.
• Because evidence can be used in court to
convict persons of crimes, it must be handled
in a scrupulously careful manner to avoid
later allegations of tampering or misconduct.
Question?
As related to computer forensics, why is the
4th amendment an important
consideration?
a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights
Two Types of Data
• Volatile - RAM
• Non-volatile
– ROM, PROM, EEPROM
– Hard Drives (to include Solid State Drives (SSD))
– USB Devices
– Flash cards
– Optical Media – CDs, DVDs, Blu-ray (BD), …
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game
consoles, GPS units, smart phones, smart
watches, …
Write Blockers
• Two types of write blockers:
hardware and software
• Prevention of data “spoliation” = the compromise
of data integrity by intentionally or inadvertently
altering the data from its “original” form.
• Reads Allowed and Writes Prevented!
• Another name for a write blocker is a “Forensic
Bridge”
Some Data Hiding Techniques
• Slack Space and Unallocated Space
• Rootkits
• Alternate Data Streams (ADS)
• File Signatures
• Steganography
Question?
What function does a
Write Blocker perform?
a. Allows writes
b. Blocks reads
c. Prevents Reads
d. Prevents writes
The Forensic Process
• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting
The Forensic Process
(Preparation)
• Training
• Policies & Procedures
• Equipment (Forensic Kit)
– Laptop computer w/ forensic software
– Boot disks and CDs of tools (forensically
sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, faraday bags, tags, stickers
– Chain-of-custody and other forms
The Forensic Process
(Containment)
• Establish immediate control
of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and
physical network cables
– Power off computers as necessary
The Forensic Process
(Collection)
• Photograph the scene to include monitor
screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport.
Collect peripheral devices as necessary.
The Forensic Process
(Collection – Mobile devices)
• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing
charge (example seizure kit)
• Place in a Faraday bag to prevent remote
access
The Forensic Process
(Examination & Analysis)
• Image the non-volatile media (i.e. make
exact bit-stream copies of the media using
imaging hardware or software)
• Images must be hashed
• Analyze the bit stream image using
forensic analysis software, e.g.:
EnCase, FTK,…
• Prepare a report of findings
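The hashing step above, as an added example written for this page (not code from the deck or from EnCase/FTK): the image is hashed in chunks at acquisition, the digests go into a chain-of-custody record, and a later verification recomputes them. The image file, examiner name and flipped byte are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} over the whole file, read in chunks so a
    multi-gigabyte image never has to fit in memory. Two algorithms are
    recorded so a collision in one does not silently pass verification."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def custody_entry(path, custodian, action, digests):
    """One chain-of-custody record: who did what to the image, when, and the
    digests that let a later examiner prove it is unchanged."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "action": action,
        "image": os.path.basename(path),
        **digests,
    }

def verify_image(path, expected):
    """Recompute the digests recorded at acquisition. Any mismatch means the
    image (or the record) was altered and the evidence is suspect."""
    current = hash_file(path, tuple(expected))
    return all(current[algo] == expected[algo] for algo in expected)

def demo():
    """Acquire, log, verify, then flip one byte and verify again (constructed)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"\x00" * 4096 + b"forensic-bootcamp-sample" + b"\xff" * 4096)
        path = tmp.name
    acquired = hash_file(path)
    log = [custody_entry(path, "examiner-1 (constructed)", "acquired", acquired)]
    intact = verify_image(path, acquired)
    with open(path, "r+b") as fh:  # simulate a single altered byte
        fh.seek(4096)
        fh.write(b"F")
    tampered = verify_image(path, acquired)
    os.unlink(path)
    return intact, tampered, log
```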
Question?
During the forensic process exact “bit
stream” images are made of non-volatile
media. Part of this process uses a
technique called _______ to verify the
integrity of the image?
a. read blocking
b. checksums
c. hashing
d. transforms
Forensic Analysis
Techniques
• Searching:
– Keyword, email, web, viewers
• File Signatures
• Slack Space and unallocated space
• Data carving
• Steganography
• Passwords (Dealing with encryption)
Searching: Keywords
• To effectively search through
a suspect’s media an investigator
needs to add relevant keywords
1) Add keywords
2) Specify keyword search criteria (e.g. what
and where to search – e.g. slack space)
3) Conduct keyword search
Searching: email & social media
• Most forensic analysis tools have built-in
email searching and viewing tools
• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats:
Yahoo, AOL, Google, Hotmail
Searching: web artifacts
• Most forensic analysis tools
have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies
File Signature Analysis
• This type of analysis allows investigators to
verify file types
• A savvy suspect can change file extension in
order to attempt to avoid detection. Example:
Changing the .doc extension on a file to .dll
• A file signature analysis looks at the file header
in order to determine what type of file it actually
is
Data Carving (1 of 2)
• Data Carving is a technique used in the
field of Computer Forensics when data
can not be identified or extracted from
media by “normal” means due to the fact
that the desired data no longer has file
system allocation information available to
identify the sectors or clusters that belong
to the file or data.
Data Carving (2 of 2)
• Currently the most popular method of Data
Carving involves the search through raw
data for the file signature(s) of the file
types you wish to find and carve out.
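File signature analysis (the .doc-renamed-to-.dll case from the File Signature Analysis slide) and signature-based data carving share one signature table, so one added example covers both. This is Python written for this page, not code from the deck or from EnCase/FTK; the signature list is a small subset, and the file header and the "unallocated space" buffer are constructed.

```python
import re
from typing import Optional

# File signatures ("magic bytes"): family, header, trailer (None when the
# format has no fixed end marker) and the extensions that legitimately carry it.
SIGNATURES = [
    ("jpeg", b"\xFF\xD8\xFF", b"\xFF\xD9", {"jpg", "jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", {"png"}),
    ("pdf", b"%PDF-", b"%%EOF", {"pdf"}),
    ("ole2", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", None, {"doc", "xls", "ppt"}),
    ("pe", b"MZ", None, {"exe", "dll", "sys"}),
]

def identify(data: bytes) -> Optional[str]:
    """File signature analysis: name the family whose header starts the data."""
    for family, header, _trailer, _exts in SIGNATURES:
        if data.startswith(header):
            return family
    return None

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when header and extension disagree (an OLE2 .doc renamed to .dll)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    family = identify(data)
    allowed = {f: e for f, _h, _t, e in SIGNATURES}
    return family is not None and ext not in allowed[family]

def carve(raw: bytes, max_size: int = 10_000_000):
    """Signature-based carving: find every known header in raw bytes and cut at
    the next trailer. Deliberately naive: nested objects (a JPEG's embedded
    thumbnail) and fragmented files need a smarter carver."""
    found = []
    for family, header, trailer, _exts in SIGNATURES:
        if trailer is None:
            continue  # no trailer: the size must be read from the header (not shown)
        for m in re.finditer(re.escape(header), raw):
            start = m.start()
            end = raw.find(trailer, start + len(header))
            if end == -1 or end - start > max_size:
                continue
            found.append((start, family, raw[start:end + len(trailer)]))
    return sorted(found)

# Constructed "unallocated space": filler with a tiny fake JPEG and PDF inside.
FAKE_JPEG = b"\xFF\xD8\xFF\xE0" + b"JFIF-body" + b"\xFF\xD9"
FAKE_PDF = b"%PDF-1.4 obj<<>> %%EOF"
RAW = b"\x00" * 16 + FAKE_JPEG + b"junk" * 4 + FAKE_PDF + b"\x00" * 8
OLE2_SAMPLE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8  # constructed .doc header
```

`extension_mismatch("notes.dll", OLE2_SAMPLE)` flags the renamed document, and `carve(RAW)` returns the two embedded objects with their offsets.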
Slack Space and Unallocated Space
• Most forensic analysis tools (e.g. EnCase)
have the ability to look at (view) and
search (keyword search) slack space and
unallocated space
• Viewing of slack space and unallocated
space is done by a hex/ASCII viewer.
Tools like EnCase and FTK have this type
of viewer built in.
Concealment cipher = Steganography (example)
Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm
Saint Olga planting Christianity in Russia
Steganography
• Detection techniques are crude
• Usually done by looking for
evidence of steganography use,
e.g. Steg programs on system
• Advanced analysis includes
Steg detection programs
(that typically use statistical
analysis techniques)
Question?
A suspect changes a file extension of his MS
word file from .doc to .dll to attempt to hide
his file. The method used to detect this
type of activity is called?
a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis
Question?
A criminal hides the contents of a
spreadsheet with the details of his illicit
financial activities in a JPEG image. This
is an example of which technique?
a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography
Incident Response Process
• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and Containment
– Gathering Evidence
– Analysis and Reporting
• Closure
– Restoration
– Lessons Learned
The Response Team
• Cross-functional with a high level of authority
– Dedicated – with clearly defined roles & responsibilities
– Not just computer security: Management, Info sec,
IT/network, legal, public relations
• Well Trained
– Rehearsals and training appropriate to risk
– Trained in Forensics
– Forensics tools and equipment
• Policies and Procedures
– Appropriate to Risk (Risk Management)
– Lessons learned / constant refinement
When to Involve Law Enforcement
• Use forensic processes whenever
possible
• As a general rule: Involve law
enforcement when corporate policy or
the law says so
• You are compelled by law to report
certain incidents, e.g. disclosure of
credit card info.
• Establish an ongoing relationship
with corporate legal and appropriate
law enforcement agencies, e.g.
InfraGard.
Make Sneaking Hard
• Detection systems, appropriate to the risk
• Logging, Logging, logging!!!
(Firewall, router, system…)
• Monitoring
– Intrusion detection systems
– File Integrity monitoring systems
– Vulnerability and Configuration management systems
– Attack Path Analysis
• Warning Banners, Expectations of use, Expectations of privacy
• Physical Security systems
Questions?
Continue the conversation at http://connect.ncircle.com