Digital Forensics Analysis
Security’s weakest link… The Human Factor
Judith Vergara
February 2003
What is Digital Forensics Analysis?
o The gathering and analysis
of information for use in
legal proceedings.
o Relatively new discipline.
The Current Debate
o Is Digital Forensics a Science?
o Science: A systematic activity requiring
study and method.
-Webster’s
Old School - It is NOT a science
o The majority of law enforcement personnel
that have worked with forensics do not have a
formal education in science or computers.
o Their expertise is gained by experience and/or
training. They do not consider “data” as being
scientific.
o The “Science” of forensics is limited to hair and
blood samples, DNA, fibers, etc.
Old School - It is NOT a science, cont.
o Software tools used in digital forensics are not
reviewed or approved by any governmental
body.
o Processes used in the development of digital
forensic tools and capabilities are not
considered to be scientific.
o Tools are developed by individuals, based on
the needs of the community, and subsequently
released to the general public.
New School - It IS a science
o The integral component of digital analysis is
being able to PROVE the validity of the data
gathered: a documented, repeatable method,
applied to verified copies, whose results
another examiner can reproduce.
Acquisition of Digital Evidence
o “Evidence” implies that the collector
of evidence is recognized by the
courts.
o The process of collecting is assumed
to be a legal process.
o The appropriate Uniform Rules of
Evidence or Federal Rules of Evidence
apply.
Legal Definition – The Frye Test
o The test for admissibility of
scientific evidence is:
o The proponent bears the burden of proving
that the methodology or opinion is
generally accepted in the relevant
scientific community.
o Caveat: since Daubert (1993) the federal courts
apply Federal Rule of Evidence 702, under which
the judge also weighs testability, peer review
and known error rate; many state courts still
use Frye.
http://www.law.com
Certification
o Certified Forensic Computer Examiner (CFCE)
o International Association of Computer
Investigative Specialists (IACIS)
http://www.iacis.com
o IACIS is an international volunteer non-profit
corporation.
o Composed of law enforcement professionals
dedicated to education in the field of
forensic computer science.
o Members represent Federal, State, Local
and International Law Enforcement
professionals.
o Regular IACIS members have been trained
in the forensic science of seizing and
processing computer systems.
The Integral Piece That Encompasses All Entities
Digital Forensics Research Workshop (DFRWS) http://dfrws.org
What happened to initiate contact?
o Defacement of Web pages – destruction of property
o Malicious DBS alteration
o Murder
o Pornography usage
o To prove an alibi
o Sabotage to the organization
o Extortion
o Theft of corporate intellectual property
o Computer-controlled building functions
o Computer network being used as jump-off point
o Military weapons systems altered
o Satellite communication system takeover
Before You Arrive – Ask Questions!
o Have the compromised systems been secured? If not, do
so immediately (isolate them from the network; do not
reboot, patch or “clean” them, since that destroys evidence
in memory and on disk).
o Is there an IDS in place?
o Who first noticed the incident?
o Any suspects? Is the attacker still online?
o Are there Security policies/procedures in place?
o Has law enforcement been contacted?
o Is a copy of the network architecture available?
o What hardware platforms are in use?
o What size are the compromised hard drives?
o Is the compromised system classified?
o Will the system administrator or other company experts be
available to me?
o Does the crime scene area forbid electronic communication
devices – i.e. cell phones?
What Do I Do Now?
o FBI Investigative Techniques
n Check records, logs, and documentation
n Interview personnel
n Conduct surveillance
n Prepare search warrant
n Search the suspect’s premises if
necessary
n Seize evidence
o Digital Evidence: Standards & Principles http://www.fbi.gov
On Site: Pre-Briefing (about 15 minutes)
with all involved personnel.
o Get updated situation status.
o Ask additional questions.
n Some to the group.
n Some by individual.
n Use discretion and tact!
o BE INFORMED – Know your limits!
Department of Justice, Search and Seizure
Guidelines:
http://www.usdoj.gov/criminal/cybercrime.html
Tools of the Trade
Critical:
1. ALWAYS maintain
chain of custody.
2. Keep the evidence in a
secured area with
proper access controls.
3. Perform analysis on
images – never on the
original.
http://www.cftt.nist.gov National Institute of Standards and Technology, Computer Forensics Tool Testing (CFTT) program
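Rules 1-3 above, worked through in code. This is an added example, not from the slides and not SafeBack or any other vendor tool: it images a small constructed file that stands in for an evidence drive, hashes the source and the image independently of the acquisition pass, writes each step to a chain-of-custody log, and shows that a single altered byte in a working copy is caught. The case number, examiner name and file names are assumed values.

```python
"""Bit-for-bit imaging with hash verification and a chain-of-custody log.

Added example (not the slides' tools). The "device" is a constructed file so
that it runs anywhere; real acquisition reads the drive through a write blocker.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # read/write granularity; large images never need to fit in RAM


def sha256_file(path):
    """Hash a file chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(device, image):
    """Copy every byte of `device` to `image`, hashing the stream as it is read.

    Returns (bytes copied, sha256 of the bytes read from the source).
    """
    h = hashlib.sha256()
    copied = 0
    with open(device, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return copied, h.hexdigest()


def verify_image(device, image, acquisition_hash):
    """Re-hash source and image independently; all three digests must agree."""
    src_hash = sha256_file(device)
    img_hash = sha256_file(image)
    return src_hash == img_hash == acquisition_hash, src_hash, img_hash


def log_custody(logfile, case, examiner, action, item, sha256):
    """Append one chain-of-custody record (who, when, what, which hash)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "case": case, "examiner": examiner, "action": action,
        "item": item, "sha256": sha256,
    }
    with open(logfile, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def read_custody(logfile):
    with open(logfile, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def run_demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp(prefix="forensics_demo_")
    device = os.path.join(workdir, "evidence_device.bin")
    image = os.path.join(workdir, "evidence_device.img")
    logfile = os.path.join(workdir, "chain_of_custody.jsonl")

    # Constructed "drive": one sector of ASCII, a run of zeros and a fragment
    # that looks like a leftover mail record. Not real evidence. 3072 bytes.
    contents = (b"BOOT SECTOR: constructed sample device\n".ljust(512, b"\0")
                + b"\0" * 2048
                + b"From: alice@example.com\nSubject: meeting\n".ljust(512, b"\xff"))
    with open(device, "wb") as f:
        f.write(contents)

    case, examiner = "CASE-2003-0001", "J. Vergara"  # assumed values
    copied, acq_hash = acquire_image(device, image)
    log_custody(logfile, case, examiner, "acquired image", image, acq_hash)
    ok, src_hash, img_hash = verify_image(device, image, acq_hash)
    log_custody(logfile, case, examiner,
                "verified image" if ok else "VERIFY FAILED", image, img_hash)

    # Tamper check: a working copy with one flipped byte must fail verification.
    tampered = image + ".working"
    data = bytearray(contents)
    data[600] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(bytes(data))
    tampered_ok, _, _ = verify_image(device, tampered, acq_hash)

    return {
        "bytes_copied": copied,
        "device_size": len(contents),
        "verified": ok,
        "hashes_agree": src_hash == img_hash == acq_hash,
        "tamper_detected": not tampered_ok,
        "custody_entries": len(read_custody(logfile)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The acquisition hash is computed from the bytes as they leave the source, and the verification re-reads both source and image from scratch; if the three digests disagree, either the copy or the original changed, and the custody log records which hash was seen at each step.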
Tools of the Trade, con’t.
o SafeBack – To obtain a bitstream backup
(bit-by-bit copy of the hard drive) of the
compromised system.
o GetTime – To document the time and date
settings of a victim computer. Reads from
CMOS. Record the offset from a trusted
reference clock so that timestamps on the
evidence can be corrected.
o FileList, FileCnvt, Excel – FileList catalogs
the contents of the disk; FileCnvt converts its
output into a form that Excel can read.
o GetFree – To obtain the content of all
unallocated space (where the remnants of
deleted files reside) on the analysis computer.
All tools available from New Technologies, Inc.
http://www.Forensics-Intl.com
Tools of the Trade, con’t.
o Swap Files and GetSwap – 1. If the Microsoft OS
uses static swap files, copy these files to a
Zip drive. 2. GetSwap obtains the data found in
the computer’s “swap” or “page” files.
o GetSlack – To capture data contained in
the file slack of the hard drive on the
analysis computer.
o Filter_I – To make binary data printable
and to extract potentially useful data from
a large volume of binary data.
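What GetFree, GetSlack and Filter_I recover, shown on a toy volume. This is an added example, not the slides’ tools and not how those tools are implemented; the cluster size, the hand-built allocation map (standing in for a FAT or similar table) and all file contents are constructed so that it runs offline. It lays out a volume in which a deleted file’s clusters were partly reused by a shorter file, then pulls out the file slack (the tail of the last cluster past the file’s logical end), the unallocated clusters, and the printable strings in each.

```python
"""File slack and unallocated-space recovery on a constructed toy volume.

Added example; the allocation map below is a stand-in for a real file-system
table, and every byte of "evidence" is made up.
"""
import re

CLUSTER = 512        # bytes per allocation unit on the toy volume (assumed)
N_CLUSTERS = 8
RESERVED = {0}       # cluster 0 stands in for the boot/reserved area

MEMO_LINE = b"DELETED MEMO: wire $40,000 to account 12-3456 before Friday. Do not tell audit.\n"
REPORT_LINE = b"Quarterly report: all figures reconciled.\n"


def build_volume():
    """Lay out a volume whose history leaves recoverable data behind.

    1. An earlier file (the memo) occupied clusters 2 and 4 and was deleted:
       its table entry went away, its clusters were not wiped.
    2. report.txt was then written to clusters 1-2, but it is only 700 bytes,
       so the tail of cluster 2 still holds memo bytes: that is file slack.
    Returns (volume bytes, allocation map of live files). All constructed.
    """
    vol = bytearray(CLUSTER * N_CLUSTERS)
    vol[0:32] = b"TOYVOL constructed boot sector".ljust(32, b"\0")

    memo = (MEMO_LINE * 20)[:CLUSTER * 2]        # two clusters of memo text
    vol[2 * CLUSTER:3 * CLUSTER] = memo[:CLUSTER]
    vol[4 * CLUSTER:5 * CLUSTER] = memo[CLUSTER:]

    report = (REPORT_LINE * 20)[:700]            # fills cluster 1, 188 bytes of cluster 2
    vol[CLUSTER:CLUSTER + 700] = report

    alloc = {"report.txt": {"clusters": [1, 2], "size": 700}}
    return vol, alloc


def allocated_clusters(alloc):
    used = set(RESERVED)
    for entry in alloc.values():
        used.update(entry["clusters"])
    return used


def file_slack(vol, alloc):
    """Bytes between each file's logical end and the end of its last cluster."""
    slack = {}
    for name, entry in alloc.items():
        used_in_last = entry["size"] % CLUSTER
        if used_in_last == 0:        # ends on a cluster boundary: no slack
            slack[name] = b""
            continue
        last = entry["clusters"][-1]
        start = last * CLUSTER + used_in_last
        slack[name] = bytes(vol[start:(last + 1) * CLUSTER])
    return slack


def unallocated_space(vol, alloc):
    """Every cluster no live file owns, as {cluster: bytes}; deleted data lives here."""
    used = allocated_clusters(alloc)
    return {c: bytes(vol[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(N_CLUSTERS) if c not in used}


def printable_strings(data, min_len=6):
    """Filter_I-style pass: runs of printable ASCII pulled out of binary data."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def run_demo():
    vol, alloc = build_volume()
    slack = file_slack(vol, alloc)
    free = unallocated_space(vol, alloc)
    return {
        "slack_bytes": len(slack["report.txt"]),
        "slack_strings": printable_strings(slack["report.txt"]),
        "unallocated_clusters": sorted(free),
        "recovered": [s for c in sorted(free) for s in printable_strings(free[c])],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that nothing in the live file (the quarterly report) appears in the slack or unallocated output, while the deleted memo does; on a real volume the same logic is driven by the file system’s own allocation structures rather than the hand-built map used here.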
Tools of the Trade – Predominant Usage
o EnCase
o Intuitive GUI that enables examiners to easily manage
large volumes of computer evidence and view all
relevant files, including "deleted" files, file slack and
unallocated space.
o Automates core investigative procedures.
o The integrated functionality of EnCase allows the
examiner to perform all functions of the computer
forensic investigation process.
o EnCase's EnScript, is a powerful macro-programming
language and API that allows investigators to build
customized and reusable forensic scripts.
http://www.guidancesoftware.com/whitepapers/v4_eee_features.pdf
Caution
o Always use a write blocker when running
imaging and analysis utilities! It keeps the
original from being altered (merely mounting a
drive can cause the OS to write to it); hashing
the original before and after the examination
proves that it was not.
o SafeBack (previous slide)
o Hardware utility –
n FastBloc: Full documentation/usage for IDE
hard drives available at:
http://www.guidancesoftware.com/support/downloads/FastBlocWP.pdf
Operation Enduring Freedom
Analysis and Recovery
o Forensics is playing a critical role.
n Terrorist factions are using computers
and related equipment in their
communication network.
n When identified, forensic analysis must
occur in an expeditious manner.
n Information found could suggest possible
targets, movements, communication
methods, and location.
The Message of an Expert
o "Continued corroboration between
public and private sector
organizations working in the field of
digital forensics must continue, if this
area is to become recognized as one
of the forensic sciences".
-Daniel Kalil, 11 February, 2003
-Digital Forensics Specialist
o http://www.rl.af.mil
Additional References
o Cyberforensics Science & Technology Center, Air
Force Research Laboratory, New York. Daniel J. Kalil,
Digital Forensics Specialist. http://www.rl.af.mil
o American Academy of Forensic Sciences
http://www.aafs.org
o International Journal of Digital Evidence
http://www.ijde.org
o Cyber Crime Investigator’s Field Guide (2002),
Auerbach Publications, Bruce Middleton.
http://www.auerbach-publications.com
A very special “Thank-you”
to Daniel Kalil
Digital Forensics Specialist, Northrop Grumman
IT TASC
Cyberforensics Science & Technology Center
Air Force Research Laboratory/IFGB
for being so patient and responsive to my
incessant questions. His knowledge
and expertise have ignited a spark that
will last a lifetime!