Introduction To Computer Forensics and Hashing

Computer forensics involves preserving, identifying, extracting, and interpreting digital evidence from computers for legal cases. Evidence can be found on a device used to commit a crime, a device targeted by a crime, or a device used to support one. Digital evidence includes files, file fragments, registry entries, and log files. It must be acquired without altering the data (using write blockers) and imaged in multiple copies that are authenticated with hash algorithms such as MD5 and SHA-1. The forensic process consists of preserving the system, searching for evidence, and reconstructing events on the device.

Uploaded by munish_mahendra
License: Attribution Non-Commercial (BY-NC)

Introduction to Computer Forensics and Hashing

What is Forensics?
The word forensics originally meant the art and study of argumentation and formal debate. Today it denotes the application of a broad spectrum of sciences to answer questions of interest to the legal system: forensic science is the science and technology used to investigate and establish facts in criminal or civil courts of law.

Criminal Justice Fundamentals

How a case usually plays out:

- Law enforcement is notified of a crime
- Evidence is gathered (may require search warrants)
- Suspects are developed
- Interviews or interrogations are conducted
- Suspect is charged
- Case with evidence is turned over to the prosecutor

What is Computer Forensics?

Computer forensics is forensics applied to information stored on or transported by computers. It involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root-cause analysis. Procedures are followed, but flexibility is expected and encouraged, because the unusual will be encountered.

What is Computer Crime?

Three situations where you might find evidence on a digital device:

- Device used to conduct the crime
- Device is the target of the crime
- Device is used to support the crime

Examples: child pornography/exploitation, threatening letters, fraud, embezzlement, theft of intellectual property, incident response, security breach.

What is evidence in terms of Computer Forensics?

Can be anything!

- As small as a few bytes: a few words, a couple of sentences, hopefully some paragraphs
- Could be, and hopefully will be, complete files
- Could be deleted
- Could be encrypted
- Likely will be fragments of files
- Registry entries, or log entries!

Where do we find it?

- Storage media
- RAM
- Log files
- Registry

How might the information be stored?

- Might be plain data with no hidden agenda
- The data could be encrypted
- Data could be hidden
- Could be hostile code

Data Encryption
Encrypting data could guard the data in two ways: protect data (confidentiality) and prove integrity.

Protect data: use of ciphers. Files might need to be decrypted; the decryption program is generally stored fairly close to the file to be decrypted, and is probably password protected.

Prove integrity: covered under hashing later in these slides.

Data Hiding

Data could be obfuscated.

Encryption is some method of modifying data so that it is meaningless and unreadable in its encrypted form. It must also be reasonably secure, that is, it must not be easily decrypted without the proper key. Anything less than that is obfuscation: data that is rendered unusable by some means but is not considered a serious form of encryption.

Data could be compressed. Data could be hidden in plain sight: innocent-looking data has an alternate meaning. Data could be hidden within the file system.
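The distinction above is easiest to see in code. The following added example (not from the slides) takes a constructed message, "encrypts" it with a single-byte XOR key, and then recovers both the key and the message from the obfuscated bytes alone by trying all 256 keys and scoring each candidate for English-like text. The message, the key 0xC3 and the scoring weights are all assumptions made for the example; a real cipher with a proper key leaves no such shortcut.

```python
"""Obfuscation is not encryption: a single-byte XOR 'cipher' renders text
unreadable, yet the key is recovered from the ciphertext alone in 256 tries.
Added example for this page; the message and key below are constructed."""
import string

PRINTABLE = frozenset(string.printable.encode())
COMMON = frozenset(b"etaoinshrdlu")  # most frequent English letters


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> int:
    """Crude plausibility score for a candidate plaintext: spaces and common
    lowercase letters score high, anything unprintable is penalised hard."""
    score = 0
    for b in candidate:
        if b not in PRINTABLE:
            score -= 20
        elif b == 0x20:
            score += 3
        elif b in COMMON:
            score += 2
        elif 0x61 <= b <= 0x7A:  # other lowercase letters
            score += 1
    return score


def break_single_byte_xor(ciphertext: bytes):
    """Try all 256 keys and return (best_key, plaintext, score) for the most
    English-looking candidate. No knowledge of the key is needed."""
    best = None
    for key in range(256):
        candidate = xor_single_byte(ciphertext, key)
        score = english_score(candidate)
        if best is None or score > best[2]:
            best = (key, candidate, score)
    return best


def demo():
    """Obfuscate a constructed message with key 0xC3, then recover it blind.
    Returns (recovered_key, recovered_plaintext, fraction_unprintable)."""
    message = b"Transfer the funds to account 4417 before the audit on Friday."
    obfuscated = xor_single_byte(message, 0xC3)
    # With the high bit of the key set, every ASCII byte becomes unprintable;
    # that is all 'looks encrypted' ever meant here.
    unreadable = sum(1 for b in obfuscated if b not in PRINTABLE) / len(obfuscated)
    key, recovered, _ = break_single_byte_xor(obfuscated)
    return key, recovered, unreadable


if __name__ == "__main__":
    k, text, frac = demo()
    print(f"key=0x{k:02x} unprintable={frac:.0%} text={text.decode()}")
```

The same brute-force idea scales to longer repeating XOR keys, which is why obfuscated files found during an examination are usually worth a few minutes of analysis before being written off as encrypted.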

Data Hiding (contd.)

Data could be hidden in a file:

- Steganography: the science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message
- Invisible names, misleading names, obscurity, no names

Hidden data might not be in a file at all:

- Slack space, swap, free space
- Removable media

Hostile Code

Presume that any unknown code is hostile: guilty until proven innocent.

Any code used by an unauthorized person to gain advantage or power over someone else should be considered hostile. Typical goals:

- Remote access
- Data gathering
- Sabotage
- Denial-of-service
- Eluding detection
- Resource theft
- Circumvention of access control mechanisms
- Social status

How do we go about the business of Computer Forensics?


The three As of computer forensics:

- Acquire the evidence without altering or damaging the original.
- Authenticate that your recovered evidence is the same as the originally seized data.
- Analyze the data without modifying it.

Acquire the evidence


How do we seize the computer? How do we handle computer evidence?

What is chain of custody?

- Evidence collection
- Evidence identification
- Transportation
- Storage

Documenting the investigation

Authenticate the Evidence

Prove that the evidence is indeed what the criminal left behind. Contrary to what the defense attorney might want the jury to believe, readable text or pictures don't magically appear at random. Calculate a hash value for the data:

- MD5
- SHA-1, SHA-256, SHA-512

Practitioner caveat: MD5 and SHA-1 both have published collision attacks, so record a SHA-256 (or SHA-512) digest alongside any MD5 or SHA-1 value. Two digests from different hash families make it far harder to argue that a matching hash could be the result of a collision.

Analysis

Always work from an image of the evidence and never from the original: this prevents damage to the evidence. Make two backups of the evidence in most cases.

Analyze everything; you may need clues from something seemingly unrelated.

Tools

- Password crackers
- Hard drive tools (fdisk on Linux)
- CD-R utilities
- Text search tools
- Drive imaging (Safeback, Linux dd)
- Viewers (QVP, Diskview, Thumbsplus)
- Unerase tools
- Disk wiping
- Forensic toolkits
- Forensic computers

Forensic Software
- Forensic Toolkit (FTK)
- The Coroner's Toolkit
- The Sleuth Kit
- EnCase
- ILook

Digital Crime Scene Investigation Process

No one right way to do it!

- System Preservation Phase
- Evidence Searching Phase
- Event Reconstruction Phase

(Carrier, B., p. 5, Figure 1.1)

System Preservation Stage

Crime Scene Preservation


Depending on the situation, this will vary. Take pictures of everything:

- Room setup
- Connections
- Open windows on computers

Label all wires and connections. Bag and tag all evidence.

System Preservation (cont.)

Evidence Preservation
- Seize all hardware that is necessary to reconstruct evidence
- Jam or disable all wireless connections if possible
- Make 2 (or 3) copies of all media
- Authenticate all copies of media with the MD5 and SHA-1 hash algorithms

Evidence Preservation
The data has to be protected physically and logically. Physically, make sure that a hard drive being transported is stabilized and not damaged by excessive vibration; also guard against static electricity. Logically, preserving evidence means that the information on the drive, down to the last bit, never changes during seizure, analysis and storage.

Evidence Preservation Write Blockers


Write blockers are devices that allow acquisition of the information on a drive without any possibility of accidentally altering the drive contents. They do this by letting read commands pass while blocking write commands. They come as hardware or software blockers. It is very important that a write blocker of some type is tested and used whenever working with original data.

Evidence Preservation Write Blockers (contd.)


On our lab systems, we use a software write blocker to preserve the integrity of the data; the tools folder includes a registry file for this (disable_usb_write.reg). The write blocker must be invoked BEFORE attaching the USB drive. Once it is in place the drive can be attached, and nothing will be written to it. Test the blocker before relying on it: attach a scratch drive, attempt a write, and confirm that the write fails and the drive's hash is unchanged. In a real case, a hardware write blocker provides much stronger protection, because a software blocker depends on the operating system honouring the setting.

Evidence Preservation Making Copies


With the write blocker in place, you can now make several copies of the image. It is important that an image (a bit-for-bit copy of the whole drive) is made, not a file copy or a backup. An image preserves slack space, time stamps, unallocated space and file system structures, which a file-level copy or backup would not necessarily carry over.

Evidence Preservation Making Copies (contd.)


It is a good idea to make at least two working images: one to be used as a backup and one to work on. In our tools folder, there is an Image command that uses dd to create an image of a hard drive. Most texts also suggest making a third image for discovery (the copy handed to the opposing party).

Evidence Preservation Authenticating and Hash Functions


It is now necessary to prove that all of these images are exactly the same, down to the very last bit! A hash function is a well-defined procedure or mathematical function that turns data of any length into a fixed-size value. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.

Evidence Preservation Hashing (contd.)


In authentication, hashing is used to create a fixed-length value that represents a drive or a set of files. This is similar to fingerprinting someone: with hashing, a fingerprint is created from the evidence. No details about the evidence can be determined from the hash value, but if the evidence is altered in any way, even by a single bit, the hash value will also change.
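The imaging and authentication steps described above (image the drive, make two working copies, hash everything and compare) as one added example. This is not the course's Image tool; it is a Python version of the same procedure written for this page. The "drive" is a constructed temporary file of random bytes, and the chunk size, file names and temp directory are assumptions; a real acquisition would read a write-blocked block device such as /dev/sdb in place of that file.

```python
"""Acquire an image chunk by chunk, make two working copies and authenticate
every copy against the source with MD5, SHA-1 and SHA-256.
Added example for this page, not the course's Image tool. The 'drive' is a
constructed temporary file; a real acquisition would read a write-blocked
block device such as /dev/sdb instead."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024               # 1 MiB per read, comparable to dd bs=1M
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Stream the file once and return {algorithm: hexdigest}. Only the bytes
    are hashed; the file name plays no part in the digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path):
    """Copy source to image_path in fixed-size chunks (what dd does) and hash
    the bytes in the same pass, so the acquisition hash is taken from the
    exact data that was read from the drive."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_verified_copies(source, workdir, copies=2):
    """Acquire one image, derive the working copies from it and verify that
    source, image and every copy hash identically under all algorithms.
    Returns (acquisition_hashes, copy_paths); raises on any mismatch."""
    image = os.path.join(workdir, "evidence.dd")
    acquired = acquire_image(source, image)
    if hash_file(source) != acquired:
        raise RuntimeError("image does not match the source; re-acquire")
    copy_paths = []
    for n in range(1, copies + 1):
        copy_path = os.path.join(workdir, f"evidence_copy{n}.dd")
        shutil.copyfile(image, copy_path)
        if hash_file(copy_path) != acquired:
            raise RuntimeError(f"{copy_path} does not match the acquisition hash")
        copy_paths.append(copy_path)
    return acquired, copy_paths


def hash_under_two_names(data):
    """Write the same bytes under two unrelated names and hash both; the
    digests are identical because hashing covers content, not names."""
    workdir = tempfile.mkdtemp(prefix="forensics_")
    try:
        digests = []
        for name in ("evidence.bin", "holiday.jpg"):
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            digests.append(hash_file(path))
        if digests[0] != digests[1]:
            raise RuntimeError("content hash unexpectedly depends on the name")
        return digests[0]
    finally:
        shutil.rmtree(workdir)


def demo():
    """Constructed 'drive' of just over 3 MiB of random bytes. Returns the
    acquisition hashes, the number of verified copies and whether a copy with
    a single flipped bit still authenticates (it does not)."""
    workdir = tempfile.mkdtemp(prefix="forensics_")
    try:
        source = os.path.join(workdir, "suspect_drive.bin")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 12345))  # deliberately not chunk-aligned
        hashes, copies = make_verified_copies(source, workdir)
        tampered = os.path.join(workdir, "tampered.dd")
        shutil.copyfile(copies[0], tampered)
        with open(tampered, "r+b") as fh:
            fh.seek(4096)
            original = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([original[0] ^ 0x01]))  # flip one bit
        still_authentic = hash_file(tampered) == hashes
        return hashes, len(copies), still_authentic
    finally:
        shutil.rmtree(workdir)
```

Hashing in the same pass as the copy matters on real drives: a second read of failing media may return different bytes, so the digest recorded in the acquisition notes should come from the bytes that actually went into the image.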

Evidence Preservation Hashing (contd.)


Two examples of hash functions are MD5 and SHA-1. MD5 was developed by Professor Ronald L. Rivest of MIT. The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint of the input. MD5 is no longer collision resistant (practical collisions have been demonstrated since 2004), which is why it is now recorded alongside a SHA-2 hash rather than used alone.

Evidence Preservation Hashing (contd.)


SHA stands for Secure Hash Algorithm. The SHA hash functions are a family of cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST. The five algorithms covered here are SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 (the last four make up the SHA-2 family). SHA-1 produces a message digest that is 160 bits long; the number in each of the other four names is the bit length of the digest it produces. NIST has since deprecated SHA-1 because of practical collision attacks, so SHA-256 or SHA-512 should be the primary digest in new work.

Evidence Preservation Hashing (contd.)


Hashing tools can be found in the tools directory. The md5sum tool produces an MD5 message digest (hash value); the hashcalc application can also compute hash values with several different algorithms. Hashing is done on the file contents, not on file names, so a renamed file still produces the same hash. Databases of hash values for known images exist and can be used to find child pornography by comparing hashes rather than viewing the content.

Evidence Searching Stage


Once everything is preserved, analysis must begin. Forensics is a science, so there should be a hypothesis from which to work. Direct searching activities to support this hypothesis.


Evidence Searching (cont.)


If you are looking for a specific file (for example a known child-pornography image), compare hash values. If you are looking for keywords, most software gives you a search capability. Be specific about what you are looking for:

- If you are looking for web activity, look in web files: history, cache, cookies, etc.
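The hash-value comparison above, together with the "hash covers content, not names" point and the digest sizes from the SHA slides, as one added example (not the course's hashcalc or md5sum). The known-file database and the "recovered" files are constructed in-line and are assumptions made for the example; real hash sets such as the NSRL are distributed as digests only, never as the content.

```python
"""Known-file matching against a hash set, the check described for locating
specific files, plus the digest sizes of the hash family. Added example, not
the slides' hashcalc or md5sum; the 'database' and the 'recovered files' are
constructed in-line (real sets such as the NSRL are distributed as digests)."""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for a known-file database: name -> content.
KNOWN_FILES = {
    "known_image_001.jpg": b"\xff\xd8\xff\xe0" + b"known image payload " * 16,
    "stolen_design.pdf": b"%PDF-1.4 proprietary design document " * 8,
}


def digest(data, algorithm="sha256"):
    """Hex digest of the bytes only; the file name never enters the hash."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm):
    """Digest length in bits as reported by hashlib (sha1 -> 160, md5 -> 128)."""
    return hashlib.new(algorithm).digest_size * 8


def build_hash_set(files, algorithms=ALGORITHMS):
    """Index known content under each algorithm so a lookup works with
    whichever digest type a given database publishes."""
    index = {alg: {} for alg in algorithms}
    for name, content in files.items():
        for alg in algorithms:
            index[alg][digest(content, alg)] = name
    return index


def match_recovered(recovered, index, algorithm="sha256"):
    """Return {recovered_path: matching known name or None}."""
    table = index[algorithm]
    return {path: table.get(digest(content, algorithm))
            for path, content in recovered.items()}


def demo():
    """Three constructed 'recovered' files checked against the hash set."""
    index = build_hash_set(KNOWN_FILES)
    photo = KNOWN_FILES["known_image_001.jpg"]
    recovered = {
        # same bytes under a misleading name and extension: still matches
        "WINDOWS/system32/drivers/dat00017.sys": photo,
        # last byte altered: exact hash matching no longer finds it
        "recovered_file_2.jpg": photo[:-1] + bytes([photo[-1] ^ 0x01]),
        # unrelated content
        "notes.txt": b"nothing of interest here",
    }
    return match_recovered(recovered, index)


if __name__ == "__main__":
    for path, hit in demo().items():
        print(f"{path}: {hit or 'no match'}")
</```

The second recovered file shows the limit of this check: one changed byte defeats exact matching, so examiners pair hash sets with similarity hashing (ssdeep, for example) or keyword search when modified copies are expected.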

Event Reconstruction Stage


Last phase of investigation. Trying to answer the question of what happened and how. Evidence discovered during searching phase is reconciled with non-digital evidence to create a sequence of events to support the hypothesis.


General Guidelines

- Use a write-blocking device to prevent accidentally writing to the suspect media.
- Always work from a copy, not from the original.
- Authenticate the copy so that you can prove that evidence discovered was on the original media.
- Minimize file creation on working media to prevent overwriting of free space.
- Be especially careful about opening files, especially without a write blocker, because MAC times (modified, accessed, created timestamps) will change.
