Computer Forensics Bootcamp

Post on 18-May-2015

Even with the best security, every organization will eventually suffer some kind of security breach. When IT professionals suspect something “phishy” is going on with their network, they need to be able to take immediate action to limit damage while preserving critical evidence that will help law enforcement catch the bad guys. Join John Alexander, nCircle’s Product Manager, as he steps you through basic training in computer forensics. This presentation covers:

* How to handle evidence in order to preserve the chain of custody
* How to thwart the most common techniques cyber criminals use to cover their tracks
* When to call law enforcement and how to work with them effectively

Download the presentation recording here: http://www.ncircle.com/index.php?s=registration_registernew&src=Computer-Forensics-Bootcamp

Transcript of Computer Forensics Bootcamp

© 2013 nCircle. All Rights Reserved.

Forensics Bootcamp

Introduction

What is Forensics?

• Scientific tests or techniques used in the investigation of crimes

• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes

• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.

What is Computer Forensics?

Computer Forensics: A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format

Types of Cyber Crime

• Theft of intellectual property
• Financial Fraud
• Damage of company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)

Legal Issues

Legal Issues

• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody

4th Amendment

• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".

• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.

Chain-of-Custody (aka Chain of Evidence)

• Chain of Custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.

• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.

Question ?

As related to computer forensics, why is the 4th amendment an important consideration?

a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights

Digital Media

Two Types of Data

• Volatile – RAM
• Non-volatile
– ROM, PROM, EEPROM
– Hard drives (including Solid State Drives (SSD))
– USB devices
– Flash cards
– Optical media – CDs, DVDs, Blu-ray (BD), …
– Floppy disks, ZIP disks
– Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …

Write Blockers

• Two types of write blockers: hardware and software

• Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form.

• Reads Allowed and Writes Prevented!

• Another name for a write blocker is a “Forensic Bridge”

Some Data Hiding Techniques

• Slack Space and Unallocated Space
• Rootkits
• Alternate Data Streams (ADS)
• File Signatures
• Steganography

Question ?

What function does a Write Blocker perform?

a. Allows writes
b. Blocks reads
c. Prevents reads
d. Prevents writes

The Forensic Process

The Forensic Process

• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting

The Forensic Process (Preparation)

• Training
• Policies & Procedures
• Equipment (Forensic Kit)
– Laptop computer w/ forensic software
– Boot disks and CDs of tools (forensically sound)
– Digital cameras, pens, notepad
– Sterile media, write blockers, cables
– Anti-static bags, Faraday bags, tags, stickers
– Chain-of-custody and other forms

The Forensic Process (Containment)

• Establish immediate control of the crime scene
– Limit and track physical access
– Limit network / remote access
• Detach computers of interest from wireless and physical network cables
– Power off computers as necessary

The Forensic Process (Collection)

• Photograph the scene, including monitor screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.

The Forensic Process (Collection – Mobile devices)

• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access

The Forensic Process (Examination & Analysis)

• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)

• Images must be hashed
• Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …

• Prepare a report of findings

Question ?

During the forensic process, exact “bit stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image.

a. read blocking
b. checksums
c. hashing
d. transforms

Forensic Analysis Techniques

Forensic Analysis Techniques

• Searching:
– Keyword, email, web, viewers
• File Signatures
• Slack Space and unallocated space
• Data carving
• Steganography
• Passwords (Dealing with encryption)

Searching: Keywords

• To effectively search through a suspect’s media, an investigator needs to add relevant keywords

1) Add keywords
2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
3) Conduct keyword search

Searching: email & social media

• Most forensic analysis tools have built-in email searching and viewing tools

• Tools to view various formats of email
– Outlook (.pst)
– Outlook Express (.dbx)
– Linux/Unix mbox format
– Macintosh: Safari
– Webmail formats: Yahoo, AOL, Google, Hotmail

Searching: web artifacts

• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
– History
– Cached files and images (temporary files)
– Cookies

File Signature Analysis

• This type of analysis allows investigators to verify file types

• A savvy suspect can change a file’s extension in an attempt to avoid detection. Example: changing the .doc extension on a file to .dll

• A file signature analysis looks at the file header in order to determine what type of file it actually is

Data Carving (1 of 2)

• Data Carving is a technique used in Computer Forensics when data cannot be identified or extracted from media by “normal” means, because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.

Data Carving (2 of 2)

• Currently the most popular method of Data Carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.
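As an added example (not code from the nCircle presentation), the following Python script demonstrates the two techniques above together with the image hashing from the Examination & Analysis slides: it identifies a file by its header regardless of the extension it carries (catching a .doc renamed to .dll), carves header-to-footer blocks out of a constructed dump of unallocated space, and hashes the dump so the image can be verified before and after analysis. The magic numbers are the well-known ones for JPEG, PNG and OLE2; the sample bytes are constructed here, not real files.

```python
import hashlib

# Well-known magic numbers (a constructed subset for this example).
HEADERS = {
    b"\xFF\xD8\xFF": "jpg",                      # JPEG start-of-image marker
    b"\x89PNG\r\n\x1a\n": "png",                 # PNG file header
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "doc",   # OLE2 compound file (.doc, .xls)
}
FOOTERS = {"jpg": b"\xFF\xD9", "png": b"IEND\xAEB`\x82"}  # end markers; types without one need structure-aware carving

def identify(data):
    """Return the file type implied by the leading bytes, ignoring the file name."""
    for magic, ftype in HEADERS.items():
        if data.startswith(magic):
            return ftype
    return None

def extension_mismatch(name, data):
    """True when the declared extension disagrees with the header (e.g. .doc renamed .dll)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(data)
    return actual is not None and actual != ext

def carve(raw):
    """Scan raw (unallocated) bytes for headers and cut out each header..footer block."""
    found = []
    for magic, ftype in HEADERS.items():
        footer = FOOTERS.get(ftype)
        if footer is None:
            continue  # e.g. OLE2: no footer, so the size must come from the header structure
        start = raw.find(magic)
        while start != -1:
            end = raw.find(footer, start + len(magic))
            if end == -1:
                break  # header without a footer: truncated or overwritten file
            end += len(footer)
            found.append((ftype, start, raw[start:end]))
            start = raw.find(magic, end)
    return sorted(found, key=lambda hit: hit[1])  # order by offset in the image

def sha256(data):
    """Hash of the bit-stream image: record it before analysis and re-check it afterwards."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample (not real files): an "unallocated space" dump with a tiny JPEG and PNG between filler bytes, plus an OLE2 (.doc) body renamed to .dll.
JPEG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 12 + b"\xFF\xD9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IEND\xAEB`\x82"
IMAGE = b"\x00" * 7 + JPEG + b"\x5A" * 5 + PNG + b"\xFF" * 3
RENAMED_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
```

Real tools (EnCase, FTK, scalpel, foremost) add structure-aware parsing for formats without a footer and handle fragmented files, which a plain header-to-footer scan cannot.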

Slack Space and Unallocated Space

• Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space

• Viewing of slack space and unallocated space is done by a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.

Concealment cipher = Steganography (example)

Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm

Saint Olga planting Christianity in Russia

Steganography

• Detection techniques are crude

• Usually done by looking for evidence of steganography use, e.g. Steg programs on system

• Advanced analysis includes Steg detection programs (that typically use statistical analysis techniques)

Question ?

A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide his file. The method used to detect this type of activity is called?

a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis

Question ?

A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?

a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography

Incident Handling & Forensics

Incident Response Process

• Identification
– Incident identification
– Notifying appropriate personnel
• Action
– Isolation and Containment
– Gathering Evidence
– Analysis and Reporting
• Closure
– Restoration
– Lessons Learned

The Response Team

• Cross-functional with a high level of authority
– Dedicated – with clearly defined roles & responsibilities
– Not just computer security: Management, Info sec, IT/network, legal, public relations
• Well Trained
– Rehearsals and training appropriate to risk
– Trained in Forensics
– Forensics tools and equipment
• Policies and Procedures
– Appropriate to Risk (Risk Management)
– Lessons learned / constant refinement

When to Involve Law Enforcement

• Use forensic processes whenever possible

• As a general rule: Involve law enforcement when corporate policy or the law says so

• You are compelled by law to report certain incidents, e.g. disclosure of credit card info.

• Establish an ongoing relationship with corporate legal and appropriate law enforcement agencies, e.g. InfraGard.

Make Sneaking Hard

• Detection systems – appropriate to risk

• Logging, Logging, logging!!! (Firewall, router, system…)

• Monitoring
– Intrusion detection systems
– File Integrity monitoring systems
– Vulnerability and Configuration management systems
– Attack Path Analysis

• Warning Banners, Expectations of use, Expectations of privacy

• Physical Security systems

Questions?

Continue the conversation at http://connect.ncircle.com