Role of a Forensic Investigator

This presentation describes the roles & responsibilities of a forensic investigator.

Published in: Technology, Business

    1. FORENSIC INVESTIGATIONS: Roles & Responsibilities of an Investigator, by Dr. Sachin Pandey
    2. Computer Forensics - the search for, and the collection of, evidence from computer systems in a standardized and well-documented manner, so as to maintain its admissibility and probative value in a legal proceeding. "Forget trash-can diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence. Practically every investigation can benefit from the proper analysis of the suspect's computer systems."
    3. What is Cyber Security?
       • Preventing a problem from occurring in your system
       • Protecting people, data, software, hardware & facilities
       • Requires a wide range of preparation
         • Awareness, planning, policies, procedures, tools, technologies, training, education, dedication, 'soft skills' & common sense
       • Preparation ranges from Security to Cyber Forensics
    4. Preparation Spectrum (figure: security event timeline)
       • Security: preparation, prevention, detection, minimize the problem
       • Cyber Forensics: investigation, analysis, recovery, improved preparation
    5. Cyber Security Changes (figure)
    6. Early 2000s Cyber Security
       • Problems seen as event driven
         • Wait for a problem to occur
       • Attack simulation not usually performed
       • Network admin proud of the hacker's lack of success (hero after the fact)
       • Posture primarily reactive, not proactive
       • Security more of an add-on, not integrated
    7. Pre 9/11
       • Major vulnerabilities were laptops
         • Theft, loss of data
       • Desktop workstations vulnerable to viruses
         • Installing virus protection software
         • Constantly upgrading
       • Defenses primarily
         • Access control software
         • Front door to applications
         • Emphasis on authorized users
    8. Attacks Rising (figure)
    9. Rise in Cyber Crime (figure)
    10. Distribution of Spam Senders (figure)
    11. Increasing Impact of Malware on Economy (chart: $ billions per year, 2000 to 2007)
    12. Vulnerabilities on the Rise (figure)
    13. Statistics of Vulnerabilities (figure)
    14. Vendor-Specific Vulnerabilities (figure)
    15. Consequences of Exploitation. As part of its analysis of each vulnerability, the X-Force records the primary consequence of exploitation. The consequences are defined as the most common effect of exploitation and are divided into nine categories, described below:
       • Bypass Security: an attacker can bypass security restrictions such as a firewall, proxy, IDS system or a virus scanner.
       • Data Manipulation: an attacker is able to manipulate data stored or used by the host associated with the service or application.
    16. Consequences of Exploitation (continued)
       • Denial of Service: an attacker can crash or disrupt a service or system to take down a network.
       • File Manipulation: an attacker can create, delete, read, modify or overwrite files.
       • Gain Access: an attacker can obtain local and remote access. This also includes vulnerabilities by which an attacker can execute code or commands, because this usually allows the attacker to gain access to the system.
       • Gain Privileges: privileges can be gained on the local system only.
       • Obtain Information: an attacker can obtain information such as file and path names, source code, passwords or server configuration details.
       • Informational: service name disclosure.
       • Other
       The trend from 2006 continues, as the number one consequence of exploitation remains Gain Access, with a total of 51.6 percent of vulnerabilities. (chart: Consequences 2007)
    17. Top Ten Cyber Threats (figure)
    18. Labor Demand Picture: Cyber Security
       • 89% of businesses expect a large-scale cyber attack within 2 years
       • ~60% feel they are unprepared to defend themselves
       • 4 in 5 feel the US generally is unprepared to defend
       • Many large-scale attacks are unreported (confidence issues)
       • Better mousetraps make better mice
    19. On the Other Hand, Demand for the Skilled Investigator is Rising (chart: 1950, 1998, 2007; series: professional, unskilled, skilled). Over the past 50 years, the need for "skilled" investigators has grown from 20% to 65% of the available workforce.
    20. Role & Responsibilities of the Forensic Investigator
       • Confirm or dispel the compromise
       • Determine the extent of damage
       • Answer: who, what, when, where, how and why
       • Gather data in a forensically sound manner
       • Handle and analyze evidence
       • Present admissible evidence in court
    21. Challenges
       • How to choose the appropriate tools and techniques
         • Retaining the admissible information stored in computers and other devices
         • Minimizing the risk of losing important information or destroying data
       • How to effectively enhance our lab materials with new exposures to threats and technologies as well
    22. Goal of the Cyber Forensic Investigator
       • To be capable of performing cyber forensic investigation using appropriate tools and procedures
         • Identify and employ tools used for tracking, gathering, preserving and analyzing evidence
         • Learn the procedures used to gather and preserve this evidence to ensure admissibility in court
         • Emphasis on applying classroom knowledge to real-world applications through hands-on exercises in a controlled environment
    23. What is important?
       • Process of investigation
       • Techniques and tools
       • Ethics, privacy, and legal issues
    24. Different elements faced during investigation
       • Processor/hardware (x86, Sun, Mac, etc.)
       • OS (Win/Unices/Mac/others)
       • Application (task-specific, general)
       • Filesystem (NTFS/UFS/ext/HPFS)
       • Storage (local, networked, NAS, SAN, RAID)
       • Other (PDAs / cellphones / cameras / memory sticks & cards / MP3 players / etc.)
    25. A trained computer forensic examiner should: make forensic duplicate drive images and document all files on the hard drive and the procedures used to obtain them.
       • Use only DOS utilities or Linux dd to make the forensic copy.
       • NEVER ALLOW A MACHINE TO BOOT INTO WINDOWS!
       • Windows updates timestamps on ALL files it touches!!
       • The forensic copy preserves the source drive above all else.
       • Use an MD5 file hash to verify the copy.
       • Take lots of digital pictures; document everything!
       • Maintain a record of chain of custody of all computer media.
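The imaging-and-verification step of slide 25, worked through as an added example (it is not code from the presentation or from any tool it names). The script copies a source block by block the way `dd` does, never writing to the source, then hashes both source and image with MD5 (the hash the slide specifies) and SHA-256, and appends a chain-of-custody record. The "drive" is a constructed temporary file so the example runs offline; the examiner identifier is a placeholder. On a real case the source would be the device node opened read-only behind a hardware write blocker.

```python
"""Sector-by-sector imaging with hash verification and a custody record.

Added example, not the presenter's tooling. Mimics `dd bs=512` with
plain file I/O, then verifies the image with MD5 (as the slide says)
plus SHA-256, and logs the result as one JSON line per acquisition.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector, as on the slides


def hash_file(path, block_size=SECTOR * 128):
    """Return (md5, sha256) hex digests of a file, read in blocks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def image_device(src, dst, block_size=SECTOR):
    """Physical (sector-by-sector) copy of src to dst, like `dd bs=512`.

    The source is opened read-only and is never written to.
    Returns the number of bytes copied.
    """
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(block_size), b""):
            fout.write(block)
            copied += len(block)
    return copied


def verify_image(src, dst, custody_log, examiner):
    """Hash source and image, compare them, and append a custody record."""
    src_md5, src_sha = hash_file(src)
    dst_md5, dst_sha = hash_file(dst)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": os.path.basename(src),
        "image": os.path.basename(dst),
        "size": os.path.getsize(dst),
        "md5": src_md5,
        "sha256": src_sha,
        # True only if both digests of the image equal those of the source.
        "match": src_md5 == dst_md5 and src_sha == dst_sha,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Build a constructed 'drive', image it, verify it, return the record."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "subject_drive.raw")
    dst = os.path.join(tmp, "subject_drive.dd")
    log = os.path.join(tmp, "chain_of_custody.jsonl")
    # Constructed sample: 1,000 patterned sectors plus a 5-byte partial one.
    with open(src, "wb") as f:
        for i in range(1000):
            f.write(bytes([i % 256]) * SECTOR)
        f.write(b"slack")
    copied = image_device(src, dst)
    record = verify_image(src, dst, log, examiner="EXAMINER-ID-PLACEHOLDER")
    record["copied"] = copied
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record keeps the source digests rather than the image's: if the two ever differ, `match` is false and the acquisition is repeated, so the stored values are always the ones a court can re-verify against the original media.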
    26. A trained computer forensic examiner can:
       • Recover deleted files.
       • Recover data from a reformatted drive.
       • Recover data in file slack and unallocated portions of the drive.
    27. What is File Slack? The DOS file system, the file allocation table (FAT), was never designed to handle storage devices with more than 32,767 units of data. 32,767 is the largest number that can be represented with 16 bits. Data is written in sectors of 512 bytes (hard drives, floppies) or 2048 bytes (CD-ROM). This set an arbitrary limit on disk storage devices of 512 x 32,767 = 16 MB. To accommodate larger drives the concept of "clusters" was invented. Clusters are a group of sectors written as a single atomic unit; the larger the drive capacity, the more sectors are grouped into a cluster (up to 128 sectors).
    28. What is File Slack? FAT16: clustering up to 128 sectors of 512 bytes allowed the original 16-bit FAT (FAT16) to handle devices up to 2 GB. FAT32: when devices grew over 2 GB the file allocation system had to go to a 32-bit FAT (FAT32), which allows drive capacity to grow to 17 TB (32-bit max: 268,435,455 clusters).
    29. What is File Slack? With clustering came file slack. RAM slack: if the file you are writing is shorter than the number of bytes in the clusters you have allocated for it, the file system will pad the data out to the end of the current sector with "RAM slack". RAM slack is random data that happens to be in RAM at the time the file is written. It can contain any data you were working on since you last booted the PC, such as emails, Word documents, graphics, etc.
    30. What is File Slack? Drive slack: unlike RAM slack, which comes from working storage, "drive slack" is data left on the drive from a previous file. After completing the last partial sector with RAM slack, subsequent whole sectors in the last cluster are left as is, with whatever data was written there previously. This is possible because deleting a file only removes it from the FAT; the data remains on the drive until the sector it occupies is overwritten by a subsequent file.
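The capacity arithmetic of slides 27 and 28 and the RAM-slack / drive-slack layout of slides 29 and 30, carried through in code as an added example (not from the presentation). `max_capacity()` reproduces the 16 MB, 2 GB and 17 TB figures from the slides' own numbers; `slack_layout()` says, for a file of a given size, how many bytes of each kind of slack its last cluster holds; and `carve_slack()` pulls those regions out of a raw cluster, which is the recovery step slide 26 refers to. The cluster contents in `demo()` are constructed for the example.

```python
"""File slack arithmetic and carving on FAT-style clustered storage.

Added example, not from the presentation. Uses the slides' figures:
512-byte sectors, clusters of up to 128 sectors, a 16-bit FAT
addressing 32,767 clusters, a 32-bit FAT addressing 268,435,455.
"""
import math

SECTOR = 512  # bytes per sector, as on the slides


def max_capacity(cluster_sectors, max_clusters, sector=SECTOR):
    """Largest device a FAT with max_clusters addressable clusters can hold."""
    return cluster_sectors * sector * max_clusters


def slack_layout(file_size, cluster_sectors, sector=SECTOR):
    """Describe the last cluster of a file of file_size bytes.

    data_in_last: bytes of the file stored in its last cluster
    ram_slack:    bytes padding the final partial sector (filled from RAM)
    drive_slack:  bytes in whole sectors of the last cluster never rewritten
    """
    if file_size < 0 or cluster_sectors < 1:
        raise ValueError("file_size must be >= 0 and cluster_sectors >= 1")
    cluster_bytes = cluster_sectors * sector
    if file_size == 0:
        # A zero-length file owns no cluster, so it has no slack at all.
        return {"clusters": 0, "data_in_last": 0, "ram_slack": 0, "drive_slack": 0}
    clusters = math.ceil(file_size / cluster_bytes)
    data_in_last = file_size - (clusters - 1) * cluster_bytes
    sectors_written = math.ceil(data_in_last / sector)
    return {
        "clusters": clusters,
        "data_in_last": data_in_last,
        "ram_slack": sectors_written * sector - data_in_last,
        "drive_slack": cluster_bytes - sectors_written * sector,
    }


def carve_slack(last_cluster, data_in_last, sector=SECTOR):
    """Split a raw last-cluster image into (file data, RAM slack, drive slack)."""
    if data_in_last > len(last_cluster):
        raise ValueError("file data cannot exceed the cluster")
    end_of_sector = math.ceil(data_in_last / sector) * sector
    return (
        last_cluster[:data_in_last],
        last_cluster[data_in_last:end_of_sector],
        last_cluster[end_of_sector:],
    )


def demo():
    """Constructed 4 KB cluster (8 sectors) holding a 1000-byte file."""
    cluster_sectors = 8
    cluster_bytes = cluster_sectors * SECTOR
    # Constructed sample: the cluster still carries a previously deleted
    # file (the "OLD:" pattern). A new 1000-byte file ("N" bytes) was then
    # written over its start; the padding to the sector end ("R" bytes)
    # stands in for whatever happened to be in RAM.
    old = (b"OLD:deleted mail fragment " * 200)[:cluster_bytes]
    new_file = b"N" * 1000
    ram = b"R" * (SECTOR * 2 - len(new_file))   # 24 bytes of RAM slack
    last_cluster = new_file + ram + old[SECTOR * 2:]
    layout = slack_layout(len(new_file), cluster_sectors)
    data, ram_slack, drive_slack = carve_slack(last_cluster, layout["data_in_last"])
    return layout, ram_slack, drive_slack


if __name__ == "__main__":
    print(max_capacity(1, 32767), max_capacity(128, 32767), max_capacity(128, 268435455))
    layout, ram_slack, drive_slack = demo()
    print(layout, len(ram_slack), len(drive_slack), drive_slack[:32])
```

Note that `carve_slack()` needs the logical file size from the directory entry, not the cluster count: the FAT only records which clusters a file owns, and it is the size field that tells you where the data stops and the slack begins.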
    31. A trained computer forensic examiner can: work with file hashes. A file hash is a mathematical calculation made from every byte in a file; it creates a unique digital fingerprint for that file. Using file hashes a forensic examiner can:
       • Quickly locate and catalog every (graphic) file on a PC hard drive, and flag child pornographic images using a national database of known images.
       • Identify known system and software files that can safely be ignored.
       Databases of file hashes: KFF (Known File Filter), NIST, INORP, HashKeeper.
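The known-file filtering that slide 31 describes, as an added example (not the presentation's code and not a reproduction of any named database). Every file under an evidence directory is hashed and sorted into three bins: hashes in a known-good set (system and application files that can safely be ignored), hashes in a notable set (material the case is looking for), and everything else, which needs manual review. Both hash sets are built here from constructed reference files; in practice they come from a reference database such as the ones the slide lists. The renamed copy in `demo()` shows why hashing is used rather than file names.

```python
"""Known-file filtering with hash sets (added example, not from the slides)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in 64 KB blocks so large images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def hash_set(paths):
    """Build a reference set from files whose content is already classified."""
    return {sha256_file(p) for p in paths}


def triage(root, known_good, notable):
    """Walk root and bin every file by its hash.

    Returns {"ignore": [...], "notable": [...], "review": [...]} with paths
    relative to root. Notable is checked first so a hit is never hidden.
    """
    bins = {"ignore": [], "notable": [], "review": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            rel = os.path.relpath(path, root)
            if digest in notable:
                bins["notable"].append(rel)
            elif digest in known_good:
                bins["ignore"].append(rel)
            else:
                bins["review"].append(rel)
    return bins


def demo():
    """Constructed evidence directory with four files; returns the bins."""
    evidence = tempfile.mkdtemp()
    reference = tempfile.mkdtemp()

    def put(folder, name, data):
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    # Reference copies used to build the hash sets (constructed content).
    known_good = hash_set([put(reference, "kernel32.dll", b"constructed OS binary")])
    notable = hash_set([put(reference, "target.jpg", b"constructed image bytes")])

    # Evidence: the OS file, the notable file, a renamed copy of it, and a
    # document that no database knows about.
    put(evidence, "kernel32.dll", b"constructed OS binary")
    put(evidence, "img_0042.jpg", b"constructed image bytes")
    put(evidence, "img_0042_copy.jpg", b"constructed image bytes")
    put(evidence, "report.doc", b"constructed user document")
    return triage(evidence, known_good, notable)


if __name__ == "__main__":
    for bin_name, files in demo().items():
        print(bin_name, files)
```

The slide names MD5 for image verification; hash-set databases historically shipped MD5 and SHA-1 as well, and a real triage loads whichever digest the database provides. SHA-256 is used here because a modern reference set should not rely on a hash with known collisions.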
    32. Forensic Recovery - Seizure. Take pictures to document the area around the computer. You may find removable media, or clues to your subject's passwords, in your photos.
    33. Bypassing/cracking system and application passwords
       • BIOS password?
         • Default/backdoor passwords
           • AMI = 589589, amisw, ami
           • Award = AWARD_SW, AWARD_PW, condo, j262
         • Jumper?
         • Remove drive
    34. Forensic Recovery - Physical Copy. Tip: add a clean slave drive to the subject's computer, or remove the hard drive(s) and copy on your system. Do a physical copy (sector by sector) to the clean media.
    35. A trained computer forensic examiner can: MS Office forensics. Every PC leaves a unique electronic fingerprint on every MS Office document it creates (the "GUID"). The "GUID" is unique to the PC and the logged-in user. We can examine these documents to determine on which machine a document was created, and when and by whom it was created. "GUIDClean.exe allows users to detect, display and modify the Global Unique Identifiers (GUID) that some MS Office products (Word and Excel) place in users' documents. An argument can be made that these GUID strings are a breach of users' privacy and may be used to track documents and bind them to particular users or particular machines."
    36. A trained computer crime investigator can: trace and validate email messages stored on the hard drive. With a court order we can get additional information from the internet service providers to help ascertain the source and author of the email. Check email headers for spoofs. Software that can be used: E-mail Examiner v5.8, Network E-mail Examiner v2.1.
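The "check email headers for spoofs" step of slide 36, as an added example (not the presentation's code and not a reproduction of the examiner tools it names). Using only the standard library, it parses a raw message and reports the indicators an examiner looks at first: whether the displayed `From:` domain agrees with the envelope `Return-Path:`, and what the `Received:` chain says about the host where the message actually entered the mail system. Both messages, the host names and the addresses are constructed for the example; the `.example` domains are reserved for documentation.

```python
"""Header consistency checks for a possibly spoofed e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: the displayed sender claims bank.example, but the
# envelope sender and the originating hop belong to other.example.
SPOOFED = """\
Return-Path: <bounce@other.example>
Received: from mx.other.example (mx.other.example [192.0.2.10])
\tby mail.victim.example with ESMTP id abc123; Mon, 1 Jan 2007 10:00:00 +0000
Received: from webmail.other.example (unknown [192.0.2.20])
\tby mx.other.example with SMTP; Mon, 1 Jan 2007 09:59:00 +0000
From: "Customer Service" <service@bank.example>
To: user@victim.example
Subject: Please confirm your account details

Please confirm your account details.
"""

# Constructed sample 2: envelope, origin host and From: all agree.
CLEAN = """\
Return-Path: <service@bank.example>
Received: from smtp.bank.example (smtp.bank.example [198.51.100.5])
\tby mail.victim.example with ESMTP id def456; Mon, 1 Jan 2007 11:00:00 +0000
From: "Customer Service" <service@bank.example>
To: user@victim.example
Subject: Your monthly statement

Your statement is attached.
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def domain_of(header_value):
    """Domain part of the address in a From:/Return-Path: header, lowercased."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_chain(msg):
    """Originating host of each Received: hop, oldest first.

    Each relay prepends its own Received: line, so the header order is
    newest first; reversing it gives the path the message claims to have taken.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.search(value)
        hops.append(m.group(1).lower() if m else "?")
    return hops


def spoof_indicators(raw):
    """Return the parsed identities plus a list of human-readable findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    hops = received_chain(msg)
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if not hops:
        findings.append("no Received headers: message did not traverse a mail server")
    elif from_dom and not hops[0].endswith(from_dom):
        findings.append(f"originating hop {hops[0]} is outside {from_dom}")
    return {"from": from_dom, "return_path": rp_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, spoof_indicators(raw))
```

These checks only establish inconsistency, not proof: the bottom-most `Received:` line is written by the relay that accepted the message and can itself be forged by a sender who controls that relay, which is why the slide pairs header review with records obtained from the provider under a court order.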
    37. A trained computer forensic examiner can: recover passwords from most Windows application software, and those used by Windows 9x, Windows NT, and Novell NetWare servers; decrypt encrypted data and messages. Software that can be used: WinHex, Stego Suite, Decryption Collection Enterprise v4.0.
    38. A trained computer forensic examiner can: locate and identify all "malware" (viruses, worms, Trojans and other malicious software) and vulnerabilities on the hard drive and on the network. Software that can be used: DragonSoft, Gargoyle Investigator Forensic Pro, LiveWire Investigator Edition and LiveDiscover Forensic Edition.
    39. Thank You. For more information feel free to contact us at E-Mail: [email_address] URL: http://www.agapeinc.in blog: http://www.agapeFORENSIC.COM