Computer Forensics 1
Definition
What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
Evidence might be required for a wide range of computer crimes and misuses.
Multiple methods of:
Discovering data on a computer system
Recovering deleted, encrypted, or damaged file information
Monitoring live activity
Detecting violations of corporate policy
Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity
CEECS (Certified Electronic Evidence Collection Specialist Certification)
Awarded to individuals who complete the CEECS regional certification course
Also awarded to individuals in the Certified Forensic Computer Examiner course who successfully pass the written test
Recertification
Must complete the recertification process every three years
Must be in good standing with IACIS
Must complete a proficiency test
Collecting Evidence
Make exact copies of all hard drives and disks using computer software
Date and time stamped on each file; used for the timeline
Discover files:
Normal files
Deleted files
Password protected files
Hidden files
Encrypted files
Reveal all contents of hidden files used by applications and the operating system
Access contents of password protected files if legally able to do so
Analyze data
Print out analysis
Provide expert
Computer system
All files and data
Overall opinion
Presents the potential for exposing privileged documents
Legal practitioners must have extensive computer knowledge
Large Corporations
Embezzlement
Insider Trading
Martha Stewart Case
Homicides
Scott Peterson Trial
Embezzlement
John Gotti, Bugsy Siegel
Financial Fraud
ENRON
Civil Litigations
Fraud
Divorce
Breach of Contract
Copyright
Insurance Companies
False Accident Reports
Workman's Compensation Cases
Definition (cont)
What Constitutes Digital Evidence?
Any information, whether subject to human intervention or not, that can be extracted from a computer. It must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
Computer Forensics
Mostly a success story - < 14 years
Data from computers can be reliably preserved and presented in court
Deleted data can be recovered
Events can be reconstructed
Intentions can be inferred
Lots of good products and procedures to support
(c)Peter Sommer 2002
Computer Forensics
deployed in:
hacking
fraud
paedophiliac rings
defamation
immigration fraud
narcotics trafficking
credit card cloning
software piracy
electoral law
obscene publication
perjury
forgery
murder
sexual harassment
data theft
industrial espionage
divorce
Computer Forensics
But this has been mostly about DISK forensics, specifically disks in PCs. What about:
evidence from large systems?
evidence from remote sites?
evidence from networks?
evidence from data eavesdropped in transmission?
Computer Forensics
Are the very high standards now existing for disk forensics creating unrealistic expectations for all other forms of computer-derived evidence?
Evidence from scientists and experts is only part of the overall mix
Reconstructing events
Inferring intentions
Selling company bandwidth
Wrongful dismissal claims
Sexual harassment
Software piracy
Civil Litigations
Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
Insurance Companies
Evidence discovered on a computer can be used to mitigate costs (fraud, workers' compensation, arson, etc.)
Private Corporations
Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
Individual/Private Citizens
Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Identification
This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites
Evaluation
Evaluating the recovered information/data to determine if and how it could be used against the suspect, for employment termination or prosecution in court
Handling Evidence
Admissibility of Evidence
Legal rules which determine whether potential evidence can be considered by a court
Must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place
No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer
Preventing viruses from being introduced to a computer during the analysis process
Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
Evidence Recovery
The process of evidence extraction can be easy or complicated depending on the nature of the incident and the type of computer or network upon which the incident took place.
What do I extract and what do I leave behind? Extract and collect as much as you can
An investigator should start the job only when the items are at hand
Forensic toolkit
Forensic workstation
A search kit
Search and evidence forms and sketch plan sheets
Evidence bags
Still, digital, etc. cameras
Disk boxes
Mobile phone
Empty disks
Flashlight
Evidence container
Etc.
Preserving Evidence
Catalog and package evidence in secure bags or containers
Back up the original data, including disk imaging of all suspected media
Document and timestamp
Implement a credible access control system
Encryption
Use trusted tools
Validate and authenticate the data
Transporting Evidence
Initiating An Investigation
DO NOT begin by exploring files on the system randomly
Establish an evidence custodian - start a detailed journal with the date and time and the data/information discovered
If possible, designate suspected equipment as off-limits to normal activity. This includes back-ups, remotely or locally scheduled house-keeping, and configuration changes
Collect email, DNS, and other network service logs
Contact security personnel [CERT], management, Federal and local enforcement, as well as affected sites or persons
Incident Response
Identify, designate, or become the evidence custodian
Review any existing journal of what has been done to the system already and/or how the intrusion was detected
Begin a new or maintain the existing journal
Install monitoring tools (sniffers, port detectors, etc.)
Without rebooting or affecting running processes, perform a copy of the physical disk
Capture network information
Handling Information
Information and data sought after and collected in the investigation must be properly handled
Volatile Information
Network Information
Communication between system and the network
Active Processes
Programs and daemons currently active on the system
Logged-on Users
Users/employees currently using system
Open Files
Libraries in use; hidden files; Trojans (rootkit) loaded in system
BIOS
Understanding how the BIOS works
Familiarity with the various settings and limitations of the BIOS
Software
Familiarity with most popular software packages such as Office
Forensic Tools
Familiarity with computer forensic techniques and the software packages that could be used
Anti-Forensics
Software that limits and/or corrupts evidence that could be collected by an investigator
Performs data hiding and distortion
Exploits limitations of known and used forensic tools
Works on both Windows and Linux based systems
In place prior to or post system acquisition
Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks
Step 5: Mathematically Authenticate Data on All Storage Devices
Must be able to prove that you did not alter any of the evidence after the computer came into your possession
Step 6: Document the System Date and Time
Step 7: Make a List of Key Search Words
Step 8: Evaluate the Windows Swap File
Step 10: Evaluate Unallocated Space (Erased Files)
Step 11: Search Files, File Slack and Unallocated Space for Key Words
Step 12: Document File Names, Dates and Times
Step 13: Identify File, Program and Storage Anomalies
Step 14: Evaluate Program Functionality
Step 15: Document Your Findings
Step 16: Retain Copies of Software Used
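As an added example (not part of the original slides), the following Python script works Steps 5, 6, 10 and 11 above on a constructed two-sector image: it hashes the bit-stream copy, records a journal entry, re-verifies the copy, and searches both allocated and unallocated space for keywords. The 512-byte sector, the sample contents and the manifest layout are assumptions for the example.

```python
import hashlib
import time

# Constructed sample "bit-stream image": one allocated sector holding a live
# document, followed by one unallocated sector that still carries the remnant
# of an erased memo (Step 10: erased files leave data in unallocated space).
SECTOR = 512
ALLOCATED = b"Quarterly report: revenue up 12%".ljust(SECTOR, b"\x00")
UNALLOCATED = (b"\x00" * 100
               + b"deleted memo: transfer funds to offshore account"
               + b"\x00" * 300).ljust(SECTOR, b"\x00")
IMAGE = ALLOCATED + UNALLOCATED

def image_hash(image: bytes, chunk: int = 1 << 20) -> str:
    """Step 5: hash the whole image in chunks (real images are far larger than RAM)."""
    h = hashlib.sha256()
    for i in range(0, len(image), chunk):
        h.update(image[i:i + chunk])
    return h.hexdigest()

def make_manifest(image: bytes, label: str) -> dict:
    """Journal entry recorded at acquisition: label, size, hash and UTC time (Step 6)."""
    return {"label": label, "bytes": len(image), "sha256": image_hash(image),
            "recorded_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def verify(image: bytes, manifest: dict) -> bool:
    """Re-hashing later proves the working copy was not altered since acquisition."""
    return len(image) == manifest["bytes"] and image_hash(image) == manifest["sha256"]

def keyword_search(image: bytes, keywords, allocated_end: int, sector: int = SECTOR):
    """Step 11: scan the raw image for each keyword and report the byte offset,
    sector number and whether the hit lies in allocated or unallocated space."""
    hits = []
    for kw in keywords:
        pos = image.find(kw)
        while pos != -1:
            region = "allocated" if pos < allocated_end else "unallocated"
            hits.append({"keyword": kw.decode(), "offset": pos,
                         "sector": pos // sector, "region": region})
            pos = image.find(kw, pos + 1)
    return hits

if __name__ == "__main__":
    manifest = make_manifest(IMAGE, "constructed sample image")
    print(manifest)
    print("intact:", verify(IMAGE, manifest))
    for hit in keyword_search(IMAGE, [b"revenue", b"offshore"], allocated_end=SECTOR):
        print(hit)
```

Against a real acquisition the same functions would read the image file in chunks and take the allocated/unallocated boundary from the file system's allocation bitmap rather than a fixed offset.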
The hidden information may be encrypted, but not necessarily
Numerous software applications will do this for you; many are freely available online
Partition waste space is the rest of the unused track on which the boot sector is stored; usually tens, possibly hundreds, of sectors are skipped
After the boot sector, the rest of the track is left empty
Bad sectors occur when the OS attempts to read information from a sector unsuccessfully. After a (specified) number of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from or written to again
Users can control the flagging of bad sectors
Flagged sectors can be read from or written to with direct reads and writes using a hex editor
Change file names and extensions, e.g. rename a .doc file to a .dll file
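The renamed-extension trick above is caught in Step 13 (file anomalies) by comparing each file's extension with its leading signature bytes. The Python below is an added example, not code from the original slides; the signature table and the sample file headers are constructed for it.

```python
import os
from typing import Optional

# File signatures ("magic bytes") for a few common formats.  The legacy Word
# .doc format is an OLE2 compound document; .exe/.dll files are PE images
# that begin with "MZ".  This small table is an assumption for the example.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # .doc / .xls / .ppt
    b"MZ": "pe",                                     # .exe / .dll
    b"PK\x03\x04": "zip",                            # .zip / .docx / .xlsx
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
}
EXTENSION_TYPES = {".doc": "ole2", ".xls": "ole2", ".exe": "pe", ".dll": "pe",
                   ".zip": "zip", ".docx": "zip", ".png": "png", ".pdf": "pdf"}

def sniff(header: bytes) -> Optional[str]:
    """Identify the content type from the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def check_file(name: str, header: bytes) -> dict:
    """Compare what the extension claims against what the content says."""
    ext = os.path.splitext(name)[1].lower()
    claimed, actual = EXTENSION_TYPES.get(ext), sniff(header)
    mismatch = claimed is not None and actual is not None and claimed != actual
    return {"name": name, "claimed": claimed, "actual": actual, "anomaly": mismatch}

def find_anomalies(files: dict) -> list:
    """Return the names of files whose signature contradicts their extension."""
    return sorted(n for n, hdr in files.items() if check_file(n, hdr)["anomaly"])

# Constructed sample headers (the first bytes of each file), not real evidence.
SAMPLE_FILES = {
    "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "msvcrt.dll": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.dll":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # a .doc renamed to .dll
    "photo.png":  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "readme.txt": b"plain text, no signature",
}

if __name__ == "__main__":
    for name, header in SAMPLE_FILES.items():
        print(check_file(name, header))
    print("anomalies:", find_anomalies(SAMPLE_FILES))
```

Files whose extension or content has no entry in the table are reported as unknown rather than flagged, so a real scan extends the table before trusting a clean result.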
Encryption: the problem with this is that the existence of the data is not hidden; instead it draws attention to itself.
With strong enough encryption, it doesn't matter if its existence is known
Software analysis
Even small amounts of processing can filter out echoes and shadow noise within an audio file to search for hidden information
If the original media file is available, hash values can easily detect modifications
Frequency scanning
Software can search for high, inaudible frequencies
Data hidden on disk is much easier to find. Once found, if unencrypted, it is already recovered
Deleted data can be reconstructed (even on hard drives that have been magnetically wiped)
Check swap files for passwords and encryption keys which are stored in the clear (unencrypted)
Software Tools
Scan for and reconstruct deleted data
Break encryption
Destroy hidden information (overwrite)
Follow an accepted procedure to prepare a case
The U.S. Department of Justice has a document you can download that reviews proper acquisition of electronic evidence: Searching and Seizing Computers
Chain of custody
Route the evidence takes from the time you find it until the case is closed or goes to court
Law enforcement officers should follow proper procedure when acquiring the evidence
Digital evidence can be easily altered by an overeager investigator
Companies often establish policies for computer use by employees. Employees misusing resources can cost companies millions of dollars
Misuse includes:
Surfing the Internet
Sending personal e-mails
Using company computers for personal tasks