Cips 2014 0152

The document outlines the principles and practices of computer forensics, focusing on the collection and handling of digital evidence. It emphasizes the importance of maintaining the integrity and authenticity of evidence, as well as the legal implications of digital evidence in criminal investigations. Key topics include types of digital evidence, volatile and non-volatile data, and best practices for evidence collection at crime scenes.

Computer Forensics: Digital Evidence & its Seizing

Omveer Singh, GCFA
Additional Director (In-charge, Cyber Forensics Lab)
Cyber Forensics Lab
Indian Computer Emergency Response Team (CERT-In)
Department of Information Technology
Ministry of Communications & Information Technology
Government of India
New Delhi
06/12/2013 CERT-India 1
Agenda
• Digital Evidence
• Legal issues
• Volatile & Non-volatile Digital Evidence
• Volatile Data Collection Process
• Acquisition of RAM data
• Handling of Digital Evidence at site of Crime
• References

Digital Evidence

• Latent, like fingerprints or DNA
• Extremely fragile & resilient; can be easily altered, damaged or destroyed
• Can cross borders with ease & speed (networked systems)
• Some of the common practices – curiosity – may destroy digital evidence.
• If analysed directly, it will lose its integrity and will not be admissible in any court
Digital Evidence should be -

1. Admissible, conform to legal requirements
2. Authentic, relevant to the case
3. Complete, & not just extracts
4. Reliable - collected & handled appropriately
5. Believable & understandable
Legal Issues
• The MAC timestamps of the files relied on as digital evidence in the seized original hard disk (and hence in its image too) must be earlier than the noticing / reporting of the criminal incident, as well as the date & time of its seizure.
• If this is not so, the digital evidence will be treated as tampered evidence and the court cannot accept it as admissible evidence.
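A small check of the rule above, as an added example that is not part of the CERT-In deck: every MAC timestamp read from the image is compared with the earlier of the incident-report time and the seizure time, and any file with a later timestamp is reported together with the offending field. The file entries, the report time and the seizure time are constructed sample values.

```python
"""Check that file MAC timestamps pre-date the incident report and the seizure.

Added example, not from the CERT-In slides. The file entries, report time and
seizure time below are constructed sample values; a real run would take the
timestamps from the forensic image (never from the original disk).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileTimes:
    """MAC timestamps of one file as read from the image."""
    path: str
    modified: datetime
    accessed: datetime
    changed: datetime  # metadata change (ctime) or creation, per filesystem


def mac_fields_after(entry, cutoff):
    """Names of the MAC fields that fall after `cutoff`, in M-A-C order."""
    fields = (("modified", entry.modified),
              ("accessed", entry.accessed),
              ("changed", entry.changed))
    return [name for name, ts in fields if ts > cutoff]


def audit_mac_times(entries, reported_at, seized_at):
    """Map each path with a post-cutoff timestamp to the offending field names.

    The slides require every MAC time to precede both the report of the
    incident and the seizure, so the earlier of the two is the cutoff.
    An empty result means nothing on the image post-dates those events.
    """
    cutoff = min(reported_at, seized_at)
    findings = {}
    for entry in entries:
        late = mac_fields_after(entry, cutoff)
        if late:
            findings[entry.path] = late
    return findings


# Constructed sample: incident reported on 20 Nov 2013, disk seized on 21 Nov.
REPORTED_AT = datetime(2013, 11, 20, 9, 30, tzinfo=UTC)
SEIZED_AT = datetime(2013, 11, 21, 14, 0, tzinfo=UTC)

SAMPLE_FILES = [
    FileTimes("C:/Users/acct/Documents/memo.docx",
              modified=datetime(2013, 11, 15, 11, 2, tzinfo=UTC),
              accessed=datetime(2013, 11, 19, 8, 40, tzinfo=UTC),
              changed=datetime(2013, 11, 15, 11, 2, tzinfo=UTC)),
    # Opened by someone on 22 Nov, after the seizure: the access time alone
    # now post-dates the cutoff, which is exactly what browsing the original
    # disk without a write blocker does to evidence.
    FileTimes("C:/Users/acct/Documents/ledger.xlsx",
              modified=datetime(2013, 11, 18, 17, 5, tzinfo=UTC),
              accessed=datetime(2013, 11, 22, 10, 15, tzinfo=UTC),
              changed=datetime(2013, 11, 18, 17, 5, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, fields in audit_mac_times(SAMPLE_FILES, REPORTED_AT, SEIZED_AT).items():
        print(f"{path}: {', '.join(fields)} later than cutoff")
```

The second sample file shows why the slide's "curiosity may destroy digital evidence" warning matters: a single access of the original disk after seizure updates the A timestamp and is enough to make that file fail the check.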
Sources of Digital Evidence:

• Hard Drive(s)
• CD, DVDs
• USB Mem. Devices
• Mag. Tapes
• RFID Tags
• PDAs
• Smart Cards
• Web pages
• Voice mail
• e-Diary
• Scanner, Printer
• Fax, Photocopier M/c
• Digital Phone Set
• iPods
• Cellphone
• DigiCam
• Config’n settings of digital devices
Digital Evidence - Types
• Volatile (Non-persistent): memory that loses its contents as soon as power is turned off; e.g. data stored in RAM (semiconductor storage). (System BIOS: CMOS RAM - battery powered)
• Non-volatile (Persistent): no change in contents, even if power is turned off; e.g. data stored in a tape / hard disk (magnetic storage), CD / DVD (optical storage), data cards, USB Thumb Drives (Flash memory).
Volatile Digital Evidence (may be in main memory)

Order of Volatility:

1. Registers & Cache
2. Routing Tables
3. ARP Cache
4. Process Table
5. Kernel Statistics & Modules
6. Main Memory (RAM)
7. Temporary System files
8. Secondary Memory
9. Router Configuration
10. Network Topology
Volatile Data from a live system: why is it so important?
• Current running state & system configuration details
• Activities performed / in progress
• Root cause of the incident
• Timeline of the incident
• Time, date, user responsible for the incident
• Network connection details
• Once the system is shut down / rebooted, volatile data is lost forever
Tools for acquisition of Physical Memory (RAM) Dump

• dd (fau)
  [ex C:\>dd if=\\.\PhysicalMemory of=e:\ramdump.img conv=noerror]
• Win32DD, Win64DD
• WinEN (Helix 3)
• Nigilant32
• FTK Imager (AccessData)
  – Easiest to use (GUI), freeware
Digital Evidence: Volatile Active System Information

• System Profile
• System Date & Time
• Command history
• System Uptime
• Running Processes
• Open files
• Start up files
• Files accessed
• Clipboard data
• Logged in users
• DLLs or shared libraries
System Profile by ‘Systeminfo’ (Win)
(Tool: msinfo32.exe in DOS mode)

• Date of OS installation
• System Uptime
• Registered Owner
• BIOS Version
• System Directory
• Log-on Server
• N/w Interface Card(s) installed
System Information
Click: Start → Programs → Accessories → System Tools → System Information
Digital Evidence: Volatile N/w connectivity Information

• State of N/w connection
• Open connections
• Open ports
• Routing information
• N/w interface
• ARP Cache
System Time v/s Std. Time
• Always compare suspected system time with the standard time; is there any time difference?
• Difference, if noticed, must be recorded
• Same process must be carried out for the other associated systems and servers providing the logs
• Photograph the system monitor showing the system time along with a watch having standard time
• By the above, reconciliation of access logs from the servers and suspected system will be easier
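How the recorded difference is actually used during reconciliation, as an added example that is not part of the CERT-In deck: a `ClockCheck` holds what the slide says to photograph (the time the system displayed and the reference watch at the same instant), the skew is derived from it, and every log entry is moved onto one standard-time axis before the events are ordered. The two clock checks and the three log entries are constructed.

```python
"""Record clock skew against standard time and reconcile timestamps across systems.

Added example, not from the CERT-In slides. A ClockCheck holds what the slides
say to photograph: the time the system displayed and the reference watch at
the same instant. The two checks and the three events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class ClockCheck:
    source: str
    system_time: datetime     # what the machine's own clock showed
    reference_time: datetime  # the standard-time watch at that instant

    @property
    def skew(self) -> timedelta:
        """Positive when the system clock runs ahead of standard time."""
        return self.system_time - self.reference_time


def to_standard(local_ts, check):
    """Convert a timestamp expressed in a system's own clock to standard time."""
    return local_ts - check.skew


def reconcile(events):
    """Order events from several systems on one standard-time axis.

    events: iterable of (ClockCheck, timestamp in that system's clock, note).
    Returns a list of (standard_ts, source, note) sorted by standard time.
    """
    return sorted((to_standard(ts, check), check.source, note)
                  for check, ts, note in events)


# Constructed clock checks made at seizure: the suspect PC runs 7 min 30 s fast,
# the web server that holds the access logs runs 2 min slow.
SUSPECT = ClockCheck("suspect-pc",
                     system_time=datetime(2013, 11, 21, 14, 7, 30, tzinfo=UTC),
                     reference_time=datetime(2013, 11, 21, 14, 0, 0, tzinfo=UTC))
WEBSERVER = ClockCheck("webserver",
                       system_time=datetime(2013, 11, 21, 13, 58, 0, tzinfo=UTC),
                       reference_time=datetime(2013, 11, 21, 14, 0, 0, tzinfo=UTC))

# Constructed log entries, each in the clock of the system that produced it.
SAMPLE_EVENTS = [
    (WEBSERVER, datetime(2013, 11, 20, 11, 58, 0, tzinfo=UTC),
     "access log: GET /admin/export from 10.0.0.7"),
    (SUSPECT, datetime(2013, 11, 20, 12, 7, 45, tzinfo=UTC),
     "browser history: /admin/export"),
    (SUSPECT, datetime(2013, 11, 20, 12, 9, 0, tzinfo=UTC),
     "Recycle Bin: export.csv deleted"),
]

if __name__ == "__main__":
    # Raw clocks put the browser visit 9 min 45 s after the server saw the
    # request; after correcting for skew the gap is 15 s.
    for standard_ts, source, note in reconcile(SAMPLE_EVENTS):
        print(f"{standard_ts:%Y-%m-%d %H:%M:%S} {source:<10} {note}")
```

Without the correction the suspect's browser entry appears almost ten minutes after the server logged the request; with it the two records sit 15 seconds apart, which is what makes the server log and the suspect's history corroborate each other.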
Digital Evidence may be in form of …
• Email messages (deleted too)
• Office files
• Deleted files of all kinds
• Encrypted Files
• Compressed Files
• Temp files
• Recycle Bin
• Web history
• Cache files
• Cookies
• Registry
• Unallocated Space
• Slack Space
• Web/e-Mail Server access logs
• Domain access logs
Volatile Data Collection Process
• Collect system uptime, incident’s date & time, and command history from the suspicious system.
• Run forensic tools or OS commands, to know date and time of actions to establish a timeline / trail of events.
• Document all forensic collection activities including s/w tools / commands used in logbook.
• Collect all types of volatile information from system and network.
• End the forensic collection by recording the used commands along with date and time of use.
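The logbook requirement in the steps above, turned into code as an added example that is not part of the CERT-In deck: each command is run in order and its command line, UTC start and finish times, exit code and a SHA-256 of its output are written as one JSON line, so the record of what was run and when is produced as a by-product of the collection rather than reconstructed afterwards. The command lists contain only built-in commands named on the deck's tool slides; `live_executor` runs them on the current host, and the `executor` parameter exists so the bookkeeping can be exercised with a constructed stand-in instead of a live system.

```python
"""Logbook-driven volatile data collection.

Added example, not from the CERT-In slides. The command lists are built-in
commands named on the slides' tool tables; each is run in turn and its command
line, UTC start/finish times, exit code and a SHA-256 of its output are written
to a JSON-lines logbook. `executor` can be replaced so the bookkeeping can be
exercised without touching a live system.
"""
import hashlib
import json
import platform
import subprocess
from datetime import datetime, timezone

# Roughly most-volatile first: clock, uptime, connections, ARP, routes, profile.
WINDOWS_COMMANDS = ["date /t", "time /t", "net statistics workstation",
                    "netstat -anb", "arp -a", "netstat -r", "net share",
                    "systeminfo"]
LINUX_COMMANDS = ["date", "uptime", "w", "netstat -anp", "arp -a",
                  "netstat -rn", "ifconfig", "last", "uname -a"]


def commands_for_host():
    return WINDOWS_COMMANDS if platform.system() == "Windows" else LINUX_COMMANDS


def live_executor(command):
    """Run `command` on this host; returns (exit code, combined output bytes).

    On a real collection, run trusted binaries from the response media rather
    than whatever the suspect system's own PATH resolves to.
    """
    proc = subprocess.run(command, shell=True, capture_output=True)
    return proc.returncode, proc.stdout + proc.stderr


def run_logged(command, executor=live_executor):
    """Execute one command and return its logbook entry."""
    started = datetime.now(timezone.utc)
    exit_code, output = executor(command)
    finished = datetime.now(timezone.utc)
    return {
        "command": command,
        "started_utc": started.isoformat(timespec="seconds"),
        "finished_utc": finished.isoformat(timespec="seconds"),
        "exit_code": exit_code,
        "output_bytes": len(output),
        "output_sha256": hashlib.sha256(output).hexdigest(),
        "output": output.decode("utf-8", "replace"),
    }


def collect(commands, executor=live_executor):
    """Run the commands in the given order and return their entries."""
    return [run_logged(c, executor) for c in commands]


def logbook_lines(entries):
    """Serialise entries as JSON lines (one command per line)."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in entries)


def write_logbook(entries, path):
    """Write the logbook (to the response media, not the suspect disk) and
    return the SHA-256 of the written file for the chain-of-custody record."""
    text = logbook_lines(entries)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    entries = collect(commands_for_host())
    digest = write_logbook(entries, "volatile_logbook.jsonl")
    for e in entries:
        print(f"{e['started_utc']} rc={e['exit_code']} {e['command']}")
    print("logbook sha256:", digest)
```

The hash returned by `write_logbook` is what goes into the seizure paperwork: anyone later holding the logbook file can recompute it and confirm the record of commands and times has not changed since collection.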
Scenario 1:
If computer is in ON state, then -
1. Must have the RAM dump using tools (will be used to extract user-ids & passwords)
2. Note the System H/w, N/w configuration
3. Note the Processes / Applications running
4. Note the documents / files – open / being accessed or accessed after system up
5. Note Network connectivity details
6. Pull the power cord (laptop – remove battery) to power OFF the system
7. Now follow as given in Scenario 2
Scenario 2:
If computer is already OFF, then -
• Disconnect all the Hard Disks, except CD/DVD Drive (to boot from it)
• Label the connections (for later restoration)
• Ensure that none of the connected drives contains a CD, DVD, USB Drive, etc.
• Power ON the system and enter the BIOS setup
• Photograph the monitor showing BIOS
• Document the boot sequence
• Change the boot sequence to “boot from CD/DVD”; and note it. ...cont’d
Scenario 2 (cont’d):
If computer is already OFF, then -
• Save the BIOS & shutdown the system
• Restore all the drive connections
• Connect another hard disk to system disk controller card as a destination drive for storing the image of system hard disk
• Insert a bootable CD/DVD, having tools for imaging and password recovery; and boot the system
• System is ready for imaging the hard disk
• RAM dump is irrelevant in this case
• Document all your actions
Volatile Data Collection Tools

Windows:
• COFEE (given by Microsoft to LEAs only; Computer Online Forensic Evidence Extractor)
• systeminfo : system profile
• psinfo -s : s/w installed
• Psuptime : system uptime info
• Net statistics : system uptime info
• WFT (win forensic toolchest)

Linux:
• cat : system profile
• uname : machine’s profile
• Uptime, w : user uptime info
Tools (Win) for Running Processes

• Netstat –ab : process & pid info
• Listdlls <process> : cmd line & dll(s)
• Pslist <process> : duration of process
• Pslist –me <process> : virtual memory usage
• Pulist : active processes (running)
• Pmdump : active process memory dump
Some Useful Tools

Windows:
• Msconfig
• Autoruns, autorunsc
• Netusers
• PsLoggedOn : local/remote logged users

Linux:
• Autoruns, autorunsc
• Ls
• Chkconfig – list
• Inittab : run level
• Netusers
Tools for network user details

• Netusers : local / remote users
• NTLast <session> : login attempts logs
• Who –all (linux) : all local+remote logged users
• Last (linux) : history of logged on users
• Lastlog (linux) : last login time
• Cat /etc/passwd (linux) : user a/c info
Tools for HW Config’n

Windows:
• Fport : open ports
• Netstat –anb : TCP/IP connections
• Net share : network shares
• Netstat –r : routing info’n
• Arp –a : IP Addr, MAC Addr of NIC

Linux:
• Netstat –anp
• Ifconfig : NIC config’n
• Arp –a : IP Addr, MAC Addr of NIC
• Netstat –rn : routing info’n
Digital Evidence Handling at Crime Site
• Document the Crime Scene - OS (Ver.), BIOS date & time (and difference, if any), H/w & S/w Configuration, IP / MAC address
• Computer System : shutdown / power off ?
• Identify Evidence & Authenticate through a Hashing Algo. (MD5)
• Always make the bit-stream copy (forensic image) of the seized storage media
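The last two bullets (hash authentication and the bit-stream copy), worked through as an added example that is not part of the CERT-In deck: the source is read block by block, hashed while it is written to the image, and the image is re-read afterwards to confirm the recorded hashes still match. An unreadable block is replaced by zeros and its offset recorded, which is the `conv=noerror` behaviour of the `dd` command shown earlier in the deck. `FileSource` and `FlakySource` are assumptions made for this example; the second one is a constructed stand-in for a drive with bad sectors, and the demo data is a constructed 12 KiB "drive" written to a temporary file. MD5 is the algorithm the slide names; SHA-256 is added alongside it as a second, stronger check.

```python
"""Bit-stream imaging with hash authentication and a chain-of-custody record.

Added example, not from the CERT-In slides. FileSource reads any path block by
block; FlakySource is a constructed stand-in for a drive with unreadable
sectors so the dd-style conv=noerror handling can be shown.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


class FileSource:
    """Block-wise reader over a file (or a raw device path such as /dev/sdb)."""

    def __init__(self, path, size=None):
        self.path = path
        self._fh = open(path, "rb")
        # os.path.getsize() reports 0 for raw devices; seek to the end instead.
        self.size = size if size is not None else self._fh.seek(0, os.SEEK_END)

    def read(self, offset, length):
        self._fh.seek(offset)
        return self._fh.read(length)

    def close(self):
        self._fh.close()


class FlakySource(FileSource):
    """Constructed source that raises an I/O error at the given block offsets."""

    def __init__(self, path, bad_offsets):
        super().__init__(path)
        self.bad_offsets = set(bad_offsets)

    def read(self, offset, length):
        if offset in self.bad_offsets:
            raise OSError(5, "Input/output error")
        return super().read(offset, length)


def acquire(source, image_path, block_size=BLOCK_SIZE):
    """Copy every block of `source` into `image_path`, hashing as it is written.

    An unreadable block is replaced by zeros and its offset recorded, the way
    `dd conv=noerror,sync` keeps going, so the image stays sector-aligned.
    """
    md5, sha256, bad_blocks, offset = hashlib.md5(), hashlib.sha256(), [], 0
    with open(image_path, "wb") as out:
        while offset < source.size:
            want = min(block_size, source.size - offset)
            try:
                chunk = source.read(offset, want)
            except OSError:
                chunk = b"\x00" * want
                bad_blocks.append(offset)
            out.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            offset += want
    return {
        "source": source.path,
        "image": image_path,
        "bytes": offset,
        "bad_blocks": bad_blocks,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_image(record):
    """Re-read the image from disk and confirm it still matches the recorded hashes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(record["image"], "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest() == record["md5"] and sha256.hexdigest() == record["sha256"]


def run_demo(simulate_bad_block=False):
    """Image a constructed 3-block 'drive'; return (record, verified, image bytes)."""
    content = bytes(range(256)) * (3 * BLOCK_SIZE // 256)  # 12288 deterministic bytes
    with tempfile.TemporaryDirectory() as tmp:
        src_path, img_path = os.path.join(tmp, "drive.bin"), os.path.join(tmp, "drive.dd")
        with open(src_path, "wb") as f:
            f.write(content)
        source = FlakySource(src_path, {BLOCK_SIZE}) if simulate_bad_block else FileSource(src_path)
        try:
            record = acquire(source, img_path)
        finally:
            source.close()
        verified = verify_image(record)
        with open(img_path, "rb") as f:
            image = f.read()
    return record, verified, image


if __name__ == "__main__":
    for flaky in (False, True):
        rec, ok, _ = run_demo(flaky)
        print(f"bad_blocks={rec['bad_blocks']} md5={rec['md5']} verified={ok}")
```

The returned record (source, size, bad-block offsets, both hashes, acquisition time) is the part of the chain-of-custody paperwork that can be checked mechanically: `verify_image` run at the lab on the transported image should return true, and the bad-block list explains any region of the image that legitimately reads as zeros.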
Digital Evidence Handling at Crime Site (contd ..)

• Label all the connecting cables and photograph them
• Document the chain of custody
• Preserve the evidence before packing for transportation
• Securely pack & transport the Evidence to lab
Digital Evidence Handling at Crime Site (contd ..)
• Store the seized original evidence in a protected storage (Air bubbled PVC, antistatic bag)
• Transfer the Computer System to a secure location

“Best Practices for Seizing Electronic Evidence Ver. 3” may be downloaded from - http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
References
• “Electronic Fingerprints – computer evidence comes of Age” by Michael R. Anderson
• “Electronic Crime Scene Investigation – A Guide for First Responders” by National Institute of Justice, USA; (http://www.ojp.usdoj.gov/nij)
• “Forensic Examination of Digital Evidence: A guide for Law Enforcement” by National Institute of Justice, USA; (http://www.ojp.usdoj.gov/nij)
• “Forensics – Tools”; http://www.forinsect.de/index.html
• Training Material on Information Security by Carnegie Mellon University, Pittsburgh, USA
References (contd..)
• “Collecting Electronic Evidence After a System Compromise” by Matthew Braid, SANS Security Essentials.
• “Computer Forensics – An Overview” by Dorothy A. Lunn, SANS Institute; http://www.giac.org/practical/gsec/Dorothy_Lunn_GSEC.pdf
• “Manual for Investigation of Computer Related Crimes” by Ashok Dohare
• Course Contents: SANS SEC508