15681 Forensic Examination
Transcript of 15681 Forensic Examination
8/3/2019 15681 Forensic Examination
While all computer forensic cases are unique, examiners should develop their own documented standard operating procedures (SOPs) and follow them consistently. These SOPs will help protect the integrity and authenticity of evidence by ensuring that all data is acquired, analyzed, and preserved in a systematic and consistent manner.
These procedures vary according to the IT environment, the type of case, the status of the system, and the resources required to acquire and analyze the evidence.
A computer forensic examiner should seek to obtain the following information prior to conducting the analysis:
1. What is suspected or needs to be proven;
2. Any specific information about times and dates to support time-line analysis of activities;
3. Any specific keywords and text strings;
4. Access to any other supporting computer evidence already in the possession of the investigator to support evidence correlation, such as proxy logs (logs of Internet browser activity from firewalls and proxy servers);
5. A description of the computer skill level of the suspect;
6. If the system is used for business rather than as a personal computer, as detailed a description as is available of the network environment in which the system was located and what the system's primary function was.
Live System Processing:
Sometimes evidence is found on live systems as well as on shut-down systems. Every forensic examiner should therefore have an understanding of the protocols for safely acquiring volatile data from live systems, not just analyzing static file system structures from magnetic media.
The order of volatility for system events, and therefore the order in which they need to be acquired during forensic processing, is as follows:
1. Registers, peripheral memory, caches;
2. Memory (virtual, physical);
3. Network state;
4. Running processes, open files, media mount points;
5. Logical file system;
6. Physical hard drive, floppies and backup tapes;
7. CD-ROMs and printouts.
Prior to carrying out forensic examinations, the following should be considered:
1. On live systems avoid tools that use a graphical user interface: command line utilities, and in particular statically linked binary files, are best utilized, as they are more likely to leave little or no footprint on the evidence system if they are properly utilized.
2. Validate your tools: only utilize tools from trusted sources, and personally verify their actions and that they work as advertised.
3. Keep copies of the tools on removable media.
4. Document, document, document: documentation of exactly what is done and when it is done during every facet of an investigation cannot be overemphasized.
These implement the three phases of the CFSAP model (secure, analyze, present), with each phase comprising several steps.
1. Securing evidence:
- Establishing forensically sterile conditions: the media utilized for data acquisition must be completely wiped of non-essential data.
- Following a complete, documented, logical process in acquiring evidence from the system: use of SOPs, proper documentation.
- Using a known trusted command shell and tools for acquiring data from a system: the computer forensic examiner should, if possible, carry out all actions using a known, trusted kernel and applications that he/she can be sure have not been compromised or modified.
- Data acquisition: volatiles
- Copying system files for analysis
- Logical volume imaging on live systems
- Shutting down the computer
- Documenting the hardware configuration of the system
- Documenting the system date and time
- Continuity of evidence (chain of custody)
- Data acquisition: magnetic media
- Authentication of copied and imaged media
- Malicious code protection
- Archiving media images
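The following Python is an added example, not code from the slides, showing how several of the "securing evidence" steps above (sterile acquisition media, the earlier "validate your tools" point, authentication of copied and imaged media, and contemporaneous documentation as a chain-of-custody record) can be made checkable rather than left to the examiner's memory. All paths, the sample "volume", the tool file and the manifest layout are constructed for the example; a real acquisition would read a block device rather than a file and the manifest would come from the examiner's trusted toolkit.

```python
"""Added example (not from the slides): checkable versions of the securing-evidence
steps. Verifies acquisition media is sterile, validates a tool against a manifest
built from a trusted copy, authenticates an image by hash comparison against its
source, and keeps a contemporaneous, tamper-evident chain-of-custody log."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB blocks so large images need not fit in memory


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_sterile(path):
    """Forensically sterile destination media: every byte must read as zero."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def validate_tool(tool_path, manifest):
    """Use a tool only if its hash matches the manifest prepared from a trusted source."""
    expected = manifest.get(os.path.basename(tool_path))
    return expected is not None and sha256_of(tool_path) == expected


def image_and_authenticate(source, dest):
    """Copy source onto the (already verified sterile) destination, hashing the bytes
    as they pass, then re-hash the written image independently and compare."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as s, open(dest, "r+b") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            src_hash.update(block)
            d.write(block)
        d.truncate()  # image is exactly as long as the source
    image_sha256 = sha256_of(dest)
    return {"source_sha256": src_hash.hexdigest(), "image_sha256": image_sha256,
            "verified": src_hash.hexdigest() == image_sha256}


class CustodyLog:
    """Append-only JSON-lines log. Each entry is timestamped in UTC when written
    (contemporaneous) and carries the hash of the previous entry, so a later
    edit, deletion or reordering of entries is detectable with verify()."""

    def __init__(self, path):
        self.path = path
        self.prev = "0" * 64

    def record(self, examiner, action, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
                 "action": action, "details": details, "prev": self.prev}
        line = json.dumps(entry, sort_keys=True)
        with open(self.path, "a") as f:
            f.write(line + "\n")
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        return entry

    def verify(self):
        prev = "0" * 64
        with open(self.path) as f:
            for line in f:
                if json.loads(line)["prev"] != prev:
                    return False
                prev = hashlib.sha256(line.rstrip("\n").encode()).hexdigest()
        return True


def demo(workdir=""):
    """Run the whole procedure on constructed sample data in a scratch directory."""
    workdir = workdir or tempfile.mkdtemp(prefix="cfsap_")
    source = os.path.join(workdir, "suspect_volume.bin")  # constructed "evidence"
    dest = os.path.join(workdir, "suspect_volume.dd")     # acquisition media
    tool = os.path.join(workdir, "imager")                # examiner's tool (constructed)
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096)                 # 1 MiB of sample data
    with open(dest, "wb") as f:
        f.write(b"\x00" * (256 * 4096))                   # wiped destination
    with open(tool, "wb") as f:
        f.write(b"#!/bin/sh\necho constructed-tool\n")
    manifest = {"imager": sha256_of(tool)}                # taken from the trusted copy

    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    sterile = is_sterile(dest)
    log.record("examiner-1", "sterile-check", media=dest, result=sterile)
    tool_ok = validate_tool(tool, manifest)
    log.record("examiner-1", "tool-validation", tool=tool, result=tool_ok)
    result = image_and_authenticate(source, dest)
    log.record("examiner-1", "acquisition", source=source, image=dest, **result)
    return {"sterile": sterile, "tool_ok": tool_ok, "verified": result["verified"],
            "log_intact": log.verify(),
            "altered_tool_rejected": not validate_tool(tool, {"imager": "00" * 32})}
```

Running `demo()` performs the sterile check, the tool validation, the imaging with hash authentication and the logging in one pass and returns the outcome of each check; the last entry shows that a tool whose hash does not match the manifest is refused. Hashing the source as the bytes are read and then re-hashing the written image separately is what lets the two values be compared as independent evidence of an exact copy.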
2. Analyzing secured data:
- Logical analysis of the media structure
- Operating system configuration information
- Document file names, dates, and times
- File signature recognition
- Identifying file content and type anomalies
- Evaluating program functionality
- Text string and key word searching
- Evaluating virtual memory
- Evaluating ambient data
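As an added example (not part of the slides) of two of the analysis steps above, file signature recognition with content/type anomaly detection and text string and keyword searching, the Python below checks a file's leading bytes against a small signature table and compares the result with the file's extension, then extracts printable ASCII and UTF-16LE strings and reports keyword hits with their offsets. The signature table, the sample files and the keywords are constructed for the example; a real examination would use a much larger signature database.

```python
"""Added example (not from the slides): file signature recognition, extension/type
anomaly detection and keyword searching over constructed sample files."""
import re

# (magic bytes, offset at which they appear, extensions the signature is normally seen with)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"\xff\xd8\xff", 0, {"jpg", "jpeg"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\x7fELF", 0, {"", "so", "elf"}),
    (b"MZ", 0, {"exe", "dll", "sys"}),
    (b"GIF8", 0, {"gif"}),
]


def identify(data):
    """Return the extensions matching the leading bytes, or None if no signature matches."""
    for magic, offset, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None


def extension_of(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_file(name, data):
    """'match' if signature and extension agree, 'mismatch' if they disagree
    (a type anomaly worth examining), 'unknown' if the signature is not in the table."""
    exts = identify(data)
    if exts is None:
        return "unknown"
    return "match" if extension_of(name) in exts else "mismatch"


def find_keywords(data, keywords, min_len=4):
    """Extract printable ASCII and UTF-16LE strings and report keyword hits as
    (offset, encoding, keyword, string). UTF-16LE matters because Windows
    artifacts often store text that a plain ASCII search would miss."""
    hits = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        s = m.group().decode("ascii")
        hits += [(m.start(), "ascii", kw, s) for kw in keywords if kw.lower() in s.lower()]
    for m in utf16_re.finditer(data):
        s = m.group().decode("utf-16-le")
        hits += [(m.start(), "utf-16le", kw, s) for kw in keywords if kw.lower() in s.lower()]
    return sorted(hits)


SAMPLE_FILES = {  # constructed for the example
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "report.pdf": b"%PDF-1.7\n%constructed",
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode",
    "notes.txt": b"meeting with alice about the Payroll transfer",
    "cache.bin": b"\x00\x01" + "Payroll".encode("utf-16-le") + b"\x00\x00",
}


def triage(files=SAMPLE_FILES, keywords=("payroll", "transfer")):
    """Signature check plus keyword search for every file; returns a per-file report."""
    return {name: {"type": check_file(name, data), "hits": find_keywords(data, keywords)}
            for name, data in files.items()}
```

In the constructed set, `invoice.pdf` is flagged as a mismatch because its header is an executable signature rather than a PDF one, `notes.txt` is `unknown` (plain text has no signature) but yields two keyword hits, and `cache.bin` yields a hit only through the UTF-16LE pass.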
3. Presenting the results of analysis:
- Document, document, document: as indicated previously, documentation should be contemporaneous, that is, notes should be taken at the time, not prepared from memory hours or days later.
- Retaining copies of software used: as part of the documentation process, copies of the software used to carry out the imaging and analysis should be retained with the output of the forensic tool involved.
4. Limited examinations: in some circumstances it may be legally or operationally impractical to carry out a complete forensic acquisition and examination. This may be due to:
- Physical equipment limitations requiring examination of the original evidence on the premises, with appropriate precautions.
- Sheer quantity of data to search due to the size of the media.
- Considerations with respect to the business impact of shutting down the system.
- Legal constraints that may be applied to the search and seizure process.
- So much corroborative evidence has already been identified that it makes further evidence redundant and further search unnecessary.
- Circumstances beyond the examiner's control prevent the examination from being conducted fully.
Techniques used for analysis include:
1. System Usage Analysis
2. Internet Usage Analysis
3. Time-line Analysis
4. Link Analysis
5. Password Recovery
General system analysis: this seeks to identify the user(s) of the system, the system name, its apparent primary function, and any other characteristics that can be determined from the operating system and application configurations. Usernames and passwords will be important, particularly if encrypted files are identified during the analysis.
Internet usage analysis: the following types of information should be sought:
1. Network host and connectivity information
2. Internet browser history
3. E-mail use
4. Other network applications
Time-line analysis: dates and times are critical in criminal investigations. Time lines of computer usage can provide valuable information about the computer user and the sequence of events affecting the computer.
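The Python below is an added example, not code from the slides, of building one unified time line from the kinds of sources the Internet usage and time-line analyses above draw on: file system timestamps from the suspect system, a browser history record, and a proxy server log of the kind the earlier list of information to obtain mentions. Every record, host name and timestamp is constructed. It assumes the suspect system's time zone (UTC+2) and clock offset (90 seconds fast) were documented at acquisition, as the securing-evidence steps require, and shows why that matters: without the correction the browser visit sorts after the proxy entry for the same connection, which would invert the sequence of events.

```python
"""Added example (not from the slides): a unified time line from several evidence
sources, normalized to UTC with the suspect system's documented clock skew applied
only to sources that came from that system."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SUSPECT_TZ = timezone(timedelta(hours=2))  # suspect system's time zone, documented at acquisition (assumed)
SUSPECT_FAST_BY = timedelta(seconds=90)    # suspect clock ahead of the reference clock (assumed)

# Constructed evidence sources
FILE_TIMES = [  # (path, timestamps as recorded by the suspect system, naive local time)
    ("Downloads/invoice.pdf", {"modified": "2019-08-01 09:17:35", "accessed": "2019-08-01 09:21:30"}),
]
BROWSER_HISTORY = [  # (url, WebKit/Chromium-style timestamp: microseconds since 1601-01-01 UTC)
    ("https://example.invalid/login", 13209117420000000),
]
PROXY_LOG = [  # Squid-style access log line from a separate server with a trusted UTC clock
    "1564643731.250    412 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT example.invalid:443 alice HIER_DIRECT/- -",
]


def suspect_local_to_utc(s, apply_skew=True):
    """Naive local timestamp from the suspect system -> aware UTC, correcting its clock skew."""
    t = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SUSPECT_TZ).astimezone(UTC)
    return t - SUSPECT_FAST_BY if apply_skew else t


def webkit_to_utc(us, apply_skew=True):
    """Browser history timestamps are already UTC but were taken from the same skewed clock."""
    t = datetime(1601, 1, 1, tzinfo=UTC) + timedelta(microseconds=us)
    return t - SUSPECT_FAST_BY if apply_skew else t


def proxy_line_to_event(line):
    """Epoch seconds in the first field; the proxy's own clock is trusted, so no skew applied."""
    f = line.split()
    ts = datetime.fromtimestamp(float(f[0]), tz=UTC)
    return ts, "proxy", f"{f[5]} {f[6]} by {f[7]}"


def build_timeline(apply_skew=True):
    """Merge all sources into one list of (UTC ISO timestamp, source, description), oldest first."""
    events = []
    for path, stamps in FILE_TIMES:
        for kind, s in stamps.items():
            events.append((suspect_local_to_utc(s, apply_skew), "filesystem", f"{path} {kind}"))
    for url, us in BROWSER_HISTORY:
        events.append((webkit_to_utc(us, apply_skew), "browser", f"visit {url}"))
    for line in PROXY_LOG:
        events.append(proxy_line_to_event(line))
    events.sort(key=lambda e: e[0])
    return [(t.isoformat(), src, desc) for t, src, desc in events]


if __name__ == "__main__":
    for row in build_timeline():
        print(*row)
```

With the skew applied the sequence reads browser visit, proxy connection, file written, file accessed; calling `build_timeline(apply_skew=False)` shows the browser visit wrongly appearing after the proxy entry, which is the kind of discrepancy that documenting the system date and time at acquisition exists to resolve.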
Link analysis: its utility in visualizing information obtained during analysis needs to be recognized and considered.
Password recovery and cryptanalysis: password protection and encryption pose unique problems for law enforcement. Password recovery is carried out by brute force password attack using specialized programs.
Information presented may include what is termed the real evidence, such as the following:
1. The output from the forensic tools utilized;
2. Printed command line histories and monitor snapshots;
3. Handwritten notes and checklists;
4. Audio and video recordings;
5. Diagrams and manuals.
Supporting props: due to the complexities of a computer forensic examination, it may be necessary to attempt to simplify the information and present it in a format more readily understandable to a Court, in the form of demonstrative evidence.