Transcript of the slide deck: cdn.nsw.ipaa.org.au/docs/10 NIS/Browyn Barker - pres.pdf (archived copy dated 2017-05-18)
10th National Investigations Symposium
AVOIDING FORENSIC PITFALLS
First Responders Guide to
Preserving Electronic Evidence
6 November 2014
Bronwyn Barker, Electronic Evidence Specialist
Investigation
5 W’s:
Who, what, when, where & why
5 stages:
Identification
Collection
Preservation
Analysis
Presentation
Identification – types of evidence
Mobile phones
New types of evidence
Social media
Cloud services
Collection
Search warrants
(keyword searching)
Power to obtain documents, e.g. s22 ICAC Act
Photograph
Labels
Chain of custody
Computer date/time
Preservation
Forensic imaging of devices
Types of forensic files:
• Physical image - E01 (sector-by-sector copy of the whole drive in the EnCase evidence file format; includes unallocated space, so deleted material can still be recovered)
• Logical image - AD1 (selected files and folders only, AccessData format; no unallocated space, so no deleted-file recovery)
Retain documents in original format, i.e. emails kept as emails so their internet headers survive
Retain metadata – author, time/date, authenticity, reliability
Write blockers
Social discovery
Master copy, working copy (seal and hash the master; analyse only the working copy, which must hash identically to the master)
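The collection and preservation steps above, as an added example that is not code from the presentation: a small chain-of-custody record that hashes the master image once, records the seized computer's clock against the examiner's reference clock, and checks a working copy against the master before analysis begins. Exhibit labels, names, times and the image bytes are constructed assumptions.

```python
"""Chain-of-custody record for a master image and verification of its working copy.

Added example, not from the presentation. Exhibit labels, names and the record
layout are assumptions for illustration; the image content is a constructed
byte string.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # hash in 1 MiB pieces so a multi-terabyte image is never read into RAM at once


def hash_stream(fp):
    """MD5 and SHA-256 of a stream in one pass. MD5 is kept only because E01
    containers and older tool reports record it; rely on SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for piece in iter(lambda: fp.read(CHUNK), b""):
        md5.update(piece)
        sha256.update(piece)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def clock_offset_seconds(device_clock_iso, reference_clock_iso):
    """How far the seized computer's clock is ahead (+) or behind (-) the
    examiner's reference clock, recorded at collection so timestamps
    recovered later can be corrected. Both values are ISO 8601 with zone."""
    device = datetime.fromisoformat(device_clock_iso)
    reference = datetime.fromisoformat(reference_clock_iso)
    return (device - reference).total_seconds()


def custody_record(label, description, collected_by, location,
                   device_clock_iso, reference_clock_iso, image_bytes):
    """Who, what, when and where for one exhibit, plus the hashes of the
    master image taken at preservation time."""
    when = datetime.fromisoformat(reference_clock_iso).astimezone(timezone.utc).isoformat()
    return {
        "exhibit": label,
        "description": description,
        "collected_by": collected_by,
        "location": location,
        "collected_at_utc": when,
        "device_clock": device_clock_iso,
        "device_clock_offset_seconds": clock_offset_seconds(device_clock_iso, reference_clock_iso),
        "master_hashes": hash_bytes(image_bytes),
        "history": [{"action": "master image acquired", "by": collected_by, "at_utc": when}],
    }


def log_event(record, action, by, at_iso):
    """Append a custody event (hand-over, working copy made, returned to store)."""
    at = datetime.fromisoformat(at_iso).astimezone(timezone.utc).isoformat()
    record["history"].append({"action": action, "by": by, "at_utc": at})
    return record


def verify_working_copy(record, working_bytes):
    """True only if both hashes of the working copy equal those of the master;
    a single changed byte anywhere in the image makes this False."""
    return hash_bytes(working_bytes) == record["master_hashes"]


if __name__ == "__main__":
    image = b"constructed image content\x00" * 4096      # stands in for an E01
    rec = custody_record("EX-2014-001", "laptop HDD, 500 GB", "examiner A", "site office",
                         "2014-11-06T09:33:00+11:00", "2014-11-06T09:30:00+11:00", image)
    log_event(rec, "working copy created", "examiner A", "2014-11-06T11:00:00+11:00")
    print(json.dumps(rec, indent=2))
    print("working copy ok:", verify_working_copy(rec, image))
    print("tampered copy ok:", verify_working_copy(rec, image[:-1] + b"\x01"))
```

The record is what the "5 W's" look like for one exhibit: the hashes answer "what", the history answers "who" and "when", and the stored clock offset is what lets a file time found months later be read against real time. Verification is repeated every time the working copy changes hands.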
Issues
Encryption – on disc & files
Backups in proprietary formats, e.g. Time Capsule, Windows Backup, Norton Ghost
Legacy tape formats
Password protection on files
Remote wipe of iPhones (a seized phone stays reachable until it is isolated from mobile and Wi-Fi networks)
Sheer size of data – time it takes to image, move around on HDDs, review
Data in the cloud
Data in data centres
Data offshore
Social media
Deleting data
Backing up own data
Anti-forensics
Delete
Delete & use a cleaner
Delete & disk defragmentation
Using an anonymiser website
Wipe the entire drive
Replace the drive
“Lost” the computer
Store the data on an external media – USB thumb drive or SD card
Change the dates & times to cause confusion
Forensically image the drive, thereby leaving no trace of access to the original media
Memory acquisition
Volatile data – lost as soon as power is removed
Acquisition will change the evidence (the capture tool itself runs in memory)
The return outweighs the risk
Without a memory image there is little chance of bypassing whole-disk encryption
So why collect system memory?
Processes
Network connections
Open files
Configuration parameters
Encryption keys -> BitLocker (the volume key sits in RAM while the volume is mounted)
Memory-only exploits, rootkit technology
Evidence Encryption
Full disk image
Live logical image evaluation
Logical imaging
Solid State Drives
Better speeds
Quieter than ordinary hard drives
No cooling needed while running
No mechanical parts
Consume less power during operation
SSD TRIM and Wear Leveling
Wear Leveling
SSD flash cells survive only a limited number of writes
The controller moves data around so that wear is spread evenly across the whole drive
TRIM
The OS tells the drive which deleted blocks it no longer needs, and the controller erases them in the background
Effectively “clearing free space”: deleted data can be gone before the drive is imaged, and two images of the same SSD taken at different times may not hash the same
Windows 7 and later issue TRIM as files are deleted; from Windows 8 the weekly drive-optimisation task also re-TRIMs all free space
SSD: to pull or not to pull?
Risk to the SSD's contents from power loss (pulling the plug)
Live acquisition – best practice
Possible remediation
Email forensics
Where are the files?
How do we acquire them forensically?
What can we find?
Host based email
Email servers
Cloud based email
Mobile email
Host based email
Email stored on the local machine
Identify all email storage locations
- find via filetype searches
- review email client configuration info
- search for index and message files
Potential for password protection
Search for deleted email archives
Microsoft Outlook
PST
No encryption
Compressible encryption
High encryption
(both “encryption” settings are fixed byte-substitution encodings documented in the MS-PST specification, not key-based ciphers; forensic tools read them directly)
Password protection (the password is a checksum stored in the file and does not protect the contents)
OST (offline cache of an Exchange mailbox; may still hold mail already purged from the server)
Microsoft Outlook Express
DBX
Plain text
Deleted messages can be recovered
Until the folder is compacted
Windows Mail
After Windows 7 (Windows Mail and Windows Live Mail store each message as an individual .eml file rather than a DBX database)
Email servers
Most corporate environments employ dedicated mail
servers
Could be hosted offsite
Business considerations make getting forensic copies difficult
Expect massive amounts of data
Deleted mail exists, but is less likely to be found
Webmail
Email typically stored on ISP servers
- Possible exception: a POP or IMAP client downloads local copies
User IP address and subscriber info may be available from the ISP
Look for webmail addresses
Cached copies can be recovered
- Web 2.0 technology (dynamically loaded content) reduces the chances
- Data carving can be successful
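What the "user IP address and subscriber info from the ISP" point rests on is the Received: header chain, which only survives if the message is kept in its original format. As an added example (not code from the presentation), the following walks that chain from the bottom up and stops at the first hop with a routable address. The message, hostnames and addresses are constructed; the IPs come from the RFC 5737 documentation ranges and RFC 1918 private space.

```python
"""Walk the Received: chain of an email to find where it entered the mail system.

Added example, not from the presentation. SAMPLE_EML is constructed; hostnames
are invented and the addresses come from the RFC 5737 documentation ranges and
RFC 1918 private space.
"""
import email
import ipaddress
import re

SAMPLE_EML = b"""Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby mail.agency.example (Postfix) with ESMTPS id 3C2F1
\tfor <bob@agency.example>; Thu, 6 Nov 2014 09:12:44 +1100
Received: from webmail.example.net ([198.51.100.7])
\tby mx2.example.org with ESMTP id u7s1abc; Thu, 6 Nov 2014 09:12:41 +1100
Received: from [10.0.0.15] (account alice HELO alice-pc)
\tby webmail.example.net with ESMTPA id 99112; Thu, 6 Nov 2014 09:12:38 +1100
From: alice <alice@example.net>
To: bob@agency.example
Subject: re: tender
Date: Thu, 6 Nov 2014 09:12:30 +1100
Message-ID: <abc123@example.net>

Please find the revised figures attached.
"""

# RFC 1918, link-local and loopback. ipaddress.is_private is deliberately not
# used: it also flags the RFC 5737 documentation ranges used in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]
HOP_RE = re.compile(r"^from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def _valid(ip):
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def received_chain(raw):
    """Parse every Received: header and return the hops in transmission order
    (the bottom-most header was added first, by the server closest to the
    sender). Each hop records the claimed sender, the receiving server and the
    first IPv4 literal in the 'from' clause."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.match(value)
        if not m:
            continue
        ips = [ip for ip in IPV4_RE.findall(m.group("frm")) if _valid(ip)]
        ip = ips[0] if ips else None
        hops.append({"from": m.group("frm"), "by": m.group("by"),
                     "ip": ip, "local": bool(ip) and is_local(ip)})
    return hops


def originating_hop(raw):
    """First hop carrying a routable source IP. Its 'by' server is the relay
    whose logs (or whose operator's subscriber records) identify the sender;
    anything below it in the chain was written by machines the sender
    controlled and can be forged."""
    for hop in received_chain(raw):
        if hop["ip"] and not hop["local"]:
            return hop
    return None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_EML):
        print(f"{hop['ip'] or '-':>15}  local={hop['local']!s:5}  by {hop['by']}")
    print("originating hop:", originating_hop(SAMPLE_EML))
```

For the sample it returns the hop seen by mx2.example.org: 198.51.100.7 is the webmail provider's outbound address, so the subscriber request goes to that provider, and the private 10.0.0.15 below it is meaningful only in webmail.example.net's own logs. Only headers added by servers you trust are reliable; a sender can prepend fake Received: lines, which is why the walk starts from the bottom and the trusted boundary is a judgement the examiner records.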
Compressed Webmail remnants
Webmail is often transferred in a compressed format
Internet cache will contain gzip-compressed files
Must be unzipped to view the HTML data
File signature analysis may be required to identify compressed files
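Two of the slides above come down to the same task: the host-based email slide says to find mail stores by file type rather than by name, and this slide says cached webmail is gzip that must be identified by signature and inflated. As an added example (not code from the presentation), the block below scans a raw blob for magic bytes, inflates every gzip member it finds, including one whose trailer is missing, and pulls webmail addresses out of the recovered HTML. The signature table is limited to gzip plus the PST and DBX headers named on these slides; the cache blob it scans is constructed inline.

```python
"""Signature scan and gzip carving over a raw data blob.

Added example, not code from the presentation. SAMPLE_MESSAGES and the cache
blob built by build_sample_cache() are constructed here for illustration.
"""
import gzip
import re
import zlib

# Magic bytes at offset 0 of each container. In a raw disk, cache or
# unallocated-space dump they can sit at any offset, so we search for them
# rather than trusting file names or extensions.
SIGNATURES = {
    "gzip": b"\x1f\x8b\x08",          # RFC 1952 gzip member, deflate method
    "pst": b"!BDN",                    # Outlook PST/OST file header
    "dbx": b"\xcf\xad\x12\xfe",        # Outlook Express DBX file header
}

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed "cached webmail" pages used as sample input.
SAMPLE_MESSAGES = (
    b"<html><body><b>From:</b> alice.example@yahoo.com <b>Subject:</b> tender</body></html>",
    b"<div class='msg'><b>To:</b> bob.smith@gmail.com, carol@hotmail.com</div>",
    b"<p>cached page cut off before the gzip trailer was written</p>" * 20,
)


def build_sample_cache():
    """Constructed blob: filler bytes, two complete gzip members, a stray PST
    header and a gzip member whose 8-byte CRC/length trailer is missing."""
    filler = b"\xff" * 64 + b"FILLER" * 8
    truncated = gzip.compress(SAMPLE_MESSAGES[2], mtime=0)[:-8]
    return (filler + gzip.compress(SAMPLE_MESSAGES[0], mtime=0) + filler
            + b"!BDN" + b"\x00" * 16 + filler
            + gzip.compress(SAMPLE_MESSAGES[1], mtime=0) + filler + truncated)


def scan_signatures(blob):
    """Return (offset, kind) for every signature hit, lowest offset first."""
    hits = []
    for kind, magic in SIGNATURES.items():
        start = 0
        while True:
            i = blob.find(magic, start)
            if i == -1:
                break
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def carve_gzip(blob, step=4096):
    """Inflate every gzip member found in blob.

    Each hit is inflated incrementally so a corrupt or truncated member still
    yields whatever decompressed before the failure; a false-positive hit
    (bytes that merely start 1f 8b 08) fails inside zlib and is skipped; hits
    that fall inside an already carved member are ignored."""
    members = []
    covered_until = 0
    for off, kind in scan_signatures(blob):
        if kind != "gzip" or off < covered_until:
            continue
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+: expect a gzip wrapper
        out = bytearray()
        pos = off
        try:
            while pos < len(blob) and not d.eof:
                out += d.decompress(blob[pos:pos + step])
                pos += step
        except zlib.error:
            pass                                       # keep partial output
        if not out:
            continue
        end = None
        if d.eof:                                      # trailer seen: exact end known
            end = min(pos, len(blob)) - len(d.unused_data)
            covered_until = end
        members.append({"offset": off, "end": end, "complete": d.eof,
                        "data": bytes(out)})
    return members


def find_addresses(members):
    """Webmail addresses appearing in the recovered pages, de-duplicated."""
    found = set()
    for m in members:
        found.update(a.decode("ascii") for a in EMAIL_RE.findall(m["data"]))
    return sorted(found)


if __name__ == "__main__":
    blob = build_sample_cache()
    for off, kind in scan_signatures(blob):
        print(f"{off:6d} {kind}")
    carved = carve_gzip(blob)
    for m in carved:
        print(m["offset"], m["end"], m["complete"], m["data"][:40])
    print(find_addresses(carved))
```

On a real case the input is a browser cache directory, pagefile or unallocated-space dump rather than a built blob, and the PST and DBX hits are handed to a proper container parser rather than inflated. The truncated member is the case that matters for cache remnants: a page that was still downloading, or overwritten at its tail, still gives up its body even though the trailer never arrives.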
Webmail remnants - Yahoo
Forensic Email Analysis
1. Review installed applications
2. Locate and acquire local email archives
3. Identify and export server based mailboxes
4. Search for evidence of cloud based email