Computer Forensics Bootcamp

© 2013 nCircle. All Rights Reserved. Forensics Bootcamp

Description

Even with the best security, every organization will eventually suffer some kind of security breach. When IT professionals suspect something “phishy” is going on with their network, they need to be able to take immediate action to limit damage while preserving critical evidence that will help law enforcement catch the bad guys. Join John Alexander, nCircle’s Product Manager, as he steps you through basic training in computer forensics. This presentation covers:

* How to handle evidence in order to preserve the chain of custody
* How to thwart the most common techniques cyber criminals use to cover their tracks
* When to call law enforcement and how to work with them effectively

Download the presentation recording here: http://www.ncircle.com/index.php?s=registration_registernew&src=Computer-Forensics-Bootcamp

Transcript of Computer Forensics Bootcamp

Page 1: Computer Forensics Bootcamp

© 2013 nCircle. All Rights Reserved.

Forensics Bootcamp

Page 2: Introduction

Page 3: What is Forensics?

• Scientific tests or techniques used in the investigation of crimes

• The use of scientific methods and techniques, such as genetic fingerprinting, to solve crimes

• Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action.

Page 4: What is Computer Forensics?

Computer Forensics: A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.

Page 5: Types of Cyber Crime

• Theft of intellectual property
• Financial fraud
• Damage of company service networks
• Distribution and execution of viruses and worms
• Hacker system penetrations
• Distribution of child pornography
• Use of a computer to commit a traditional crime (emails, data management, files)

Page 6: Legal Issues

Page 7: Legal Issues

• 4th Amendment – Searches & Seizures
• 4th Amendment – Privacy
• 5th Amendment – Self Incrimination
• Chain-of-Custody

Page 8: 4th Amendment

• The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights which guards against unreasonable searches and seizures when the searched party has a "reasonable expectation of privacy".

• Search warrants need probable cause and need to describe the place to be searched, and the persons or items to be seized.

Page 9: Chain-of-Custody (aka Chain of Evidence)

• Chain of Custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.

• Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct.

Page 10: Question

As related to computer forensics, why is the 4th amendment an important consideration?

a. Free speech
b. Defense against self incrimination
c. Search & seizure
d. Social rights

Page 11: Digital Media

Page 12: Two Types of Data

• Volatile – RAM
• Non-volatile
  – ROM, PROM, EEPROM
  – Hard drives (including Solid State Drives (SSD))
  – USB devices
  – Flash cards
  – Optical media – CDs, DVDs, Blu-ray (BD), …
  – Floppy disks, ZIP disks
  – Cameras, mp3 players, tablets, game consoles, GPS units, smart phones, smart watches, …

Page 13: Write Blockers

• Two types of write blockers: hardware and software

• Prevention of data “spoliation” = the compromise of data integrity by intentionally or inadvertently altering the data from its “original” form.

• Reads Allowed and Writes Prevented!

• Another name for a write blocker is a “Forensic Bridge”

Page 14: Some Data Hiding Techniques

• Slack space and unallocated space
• Rootkits
• Alternate Data Streams (ADS)
• File signatures
• Steganography

Page 15: Question

What function does a Write Blocker perform?

a. Allows writes
b. Blocks reads
c. Prevents reads
d. Prevents writes

Page 16: The Forensic Process

Page 17: The Forensic Process

• Preparation
• (Containment)
• Collection
• Examination
• Analysis
• Reporting

Page 18: The Forensic Process (Preparation)

• Training
• Policies & Procedures
• Equipment (Forensic Kit)
  – Laptop computer w/ forensic software
  – Boot disks and CDs of tools (forensically sound)
  – Digital cameras, pens, notepad
  – Sterile media, write blockers, cables
  – Anti-static bags, Faraday bags, tags, stickers
  – Chain-of-custody and other forms

Page 19: The Forensic Process (Containment)

• Establish immediate control of the crime scene
  – Limit and track physical access
  – Limit network / remote access
• Detach computers of interest from wireless and physical network cables
  – Power off computers as necessary

Page 20: The Forensic Process (Collection)

• Photograph the scene, including monitor screens. Get the system time
• Collect volatile data
• Image non-volatile data on site?
• Shut down the system safely
• Unplug the system and tag all cables
• Bag and tag all non-volatile devices for transport. Collect peripheral devices as necessary.

Page 21: The Forensic Process (Collection – Mobile devices)

• Photograph main screen
• Do not turn device off
• Find charger to keep device from losing charge (example seizure kit)
• Place in a Faraday bag to prevent remote access

Page 22: The Forensic Process (Examination & Analysis)

• Image the non-volatile media (i.e. make exact bit-stream copies of the media using imaging hardware or software)
• Images must be hashed
• Analyze the bit-stream image using forensic analysis software, e.g. EnCase, FTK, …
• Prepare a report of findings
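The "image, then hash" step of this slide as an added example (not nCircle's code and not how EnCase or FTK implement it): the source is hashed while it is being copied, the written image is hashed independently afterwards, and any later change to the image makes verification fail. The in-memory "device" and the single altered byte are constructed for illustration.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # read size; the resulting hash does not depend on it

def make_buffer(data=b""):
    """In-memory stand-in for a device or image file (constructed for this example)."""
    return io.BytesIO(data)

def acquire(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the source bytes in the same pass.

    Returns (bytes_copied, acquisition_sha256). Hashing during the copy means the
    evidence behind the write blocker is read exactly once.
    """
    h = hashlib.sha256()
    copied = 0
    for chunk in iter(lambda: src.read(block_size), b""):
        h.update(chunk)
        dst.write(chunk)
        copied += len(chunk)
    dst.flush()
    return copied, h.hexdigest()

def hash_stream(stream, block_size=BLOCK_SIZE):
    """Independent SHA-256 of a stream, re-read from its start."""
    h = hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_image(image, acquisition_hash):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_stream(image) == acquisition_hash

if __name__ == "__main__":
    device = make_buffer(bytes((i * 7919) % 256 for i in range(8192)))  # fake "disk"
    image = make_buffer()
    n, acq_hash = acquire(device, image)
    print(f"copied {n} bytes, SHA-256 {acq_hash}")
    print("image verifies:", verify_image(image, acq_hash))
    image.seek(100)
    image.write(b"\x00")  # one altered byte after acquisition: spoliation
    print("after alteration, verifies:", verify_image(image, acq_hash))
```

The acquisition hash is what goes on the chain-of-custody form; re-running verify_image on the working copy before analysis is how a later allegation of tampering is answered.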

Page 23: Question

During the forensic process exact “bit stream” images are made of non-volatile media. Part of this process uses a technique called _______ to verify the integrity of the image?

a. read blocking
b. checksums
c. hashing
d. transforms

Page 24: Forensic Analysis Techniques

Page 25: Forensic Analysis Techniques

• Searching:
  – Keyword, email, web, viewers
• File signatures
• Slack space and unallocated space
• Data carving
• Steganography
• Passwords (dealing with encryption)

Page 26: Searching: Keywords

• To effectively search through a suspect’s media an investigator needs to add relevant keywords

1) Add keywords
2) Specify keyword search criteria (e.g. what and where to search – e.g. slack space)
3) Conduct keyword search

Page 27: Searching: email & social media

• Most forensic analysis tools have built-in email searching and viewing tools
• Tools to view various formats of email
  – Outlook (.pst)
  – Outlook Express (.dbx)
  – Linux/Unix mbox format
  – Macintosh: Safari
  – Webmail formats: Yahoo, AOL, Google, Hotmail

Page 28: Searching: web artifacts

• Most forensic analysis tools have web artifact search and viewing tools
• Web artifacts
  – History
  – Cached files and images (temporary files)
  – Cookies

Page 29: File Signature Analysis

• This type of analysis allows investigators to verify file types

• A savvy suspect can change a file's extension in an attempt to avoid detection. Example: changing the .doc extension on a file to .dll

• A file signature analysis looks at the file header in order to determine what type of file it actually is

Page 30: Data Carving (1 of 2)

• Data carving is a technique used in the field of computer forensics when data cannot be identified or extracted from media by “normal” means, because the desired data no longer has file system allocation information available to identify the sectors or clusters that belong to the file or data.

Page 31: Data Carving (2 of 2)

• Currently the most popular method of data carving involves searching through raw data for the file signature(s) of the file types you wish to find and carve out.
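File signature analysis (page 29) and signature-based carving (pages 30 and 31) as one added example, not code from nCircle or from any forensic suite: a file is identified by its header regardless of extension, a .doc renamed to .dll is flagged, and JPEGs are carved out of raw bytes by finding start-of-image and end-of-image markers. The signature table is a small illustrative subset and the sample bytes are constructed.

```python
import os

# Well-known magic numbers at offset 0 (an illustrative subset, not a full table).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls/.ppt
    "zip": b"PK\x03\x04",  # also .docx/.xlsx
    "pe": b"MZ",  # .exe/.dll
}
# What an extension claims the file is; used to spot renamed files.
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".doc": "ole2",
               ".xls": "ole2", ".docx": "zip", ".zip": "zip", ".exe": "pe", ".dll": "pe"}
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def identify(header):
    """Return the type whose signature matches the start of header, else None."""
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None

def flag_mismatch(filename, header):
    """True when the header identifies a type and the extension claims a different one.
    Unknown extensions or unknown headers are not flagged; they need manual review."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    actual = identify(header)
    return claimed is not None and actual is not None and claimed != actual

def carve_jpegs(raw):
    """Carve JPEGs from raw bytes that have no file-system metadata: find each
    start-of-image marker, then the next end-of-image marker, return (offset, bytes)."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:  # header with no trailer: truncated, nothing more to carve
            break
        found.append((start, raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

if __name__ == "__main__":
    # Constructed sample: a .doc renamed to .dll, and two tiny JPEGs in unallocated space.
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    print("report.dll is really", identify(doc), "- mismatch:", flag_mismatch("report.dll", doc))
    raw = b"\x00" * 10 + b"\xff\xd8\xff\xe0JFIF" + b"\x11" * 5 + b"\xff\xd9" + b"\x00" * 4 + b"\xff\xd8\xff\xdb" + b"\x22" * 3 + b"\xff\xd9"
    for off, blob in carve_jpegs(raw):
        print(f"JPEG at offset {off}, {len(blob)} bytes")
```

A real JPEG often embeds a thumbnail with its own end-of-image marker, so a production carver validates the carved structure rather than stopping at the first trailer.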

Page 32: Slack Space and Unallocated Space

• Most forensic analysis tools (e.g. EnCase) have the ability to look at (view) and search (keyword search) slack space and unallocated space

• Viewing of slack space and unallocated space is done by a hex/ASCII viewer. Tools like EnCase and FTK have this type of viewer built in.

Page 33: Concealment cipher = Steganography (example)

Source: http://www.textscience.com/NetworkServiceAndSecurityInWeb2-0.htm

Saint Olga planting Christianity in Russia

Page 34: Steganography

• Detection techniques are crude

• Usually done by looking for evidence of steganography use, e.g. Steg programs on system

• Advanced analysis includes Steg detection programs (that typically use statistical analysis techniques)

Page 35: Question

A suspect changes the file extension of his MS Word file from .doc to .dll to attempt to hide the file. The method used to detect this type of activity is called?

a. Steganography
b. Data Carving
c. File signature analysis
d. Slack space analysis

Page 36: Question

A criminal hides the contents of a spreadsheet with the details of his illicit financial activities in a JPEG image. This is an example of which technique?

a. Data Carving
b. Cryptography
c. Data Blinking
d. Steganography

Page 37: Incident Handling & Forensics

Page 38: Incident Response Process

• Identification
  – Incident identification
  – Notifying appropriate personnel
• Action
  – Isolation and Containment
  – Gathering Evidence
  – Analysis and Reporting
• Closure
  – Restoration
  – Lessons Learned

Page 39: The Response Team

• Cross-functional with a high level of authority
  – Dedicated – with clearly defined roles & responsibilities
  – Not just computer security: Management, Info sec, IT/network, legal, public relations
• Well trained
  – Rehearsals and training appropriate to risk
  – Trained in forensics – forensics tools and equipment
• Policies and procedures
  – Appropriate to risk (risk management)
  – Lessons learned / constant refinement

Page 40: When to Involve Law Enforcement

• Use forensic processes whenever possible

• As a general rule: Involve law enforcement when corporate policy or the law says so

• You are compelled by law to report certain incidents, e.g. disclosure of credit card info.

• Establish an ongoing relationship with corporate legal and the appropriate law enforcement agencies, e.g. InfraGard.

Page 41: Make Sneaking Hard

• Detection systems – appropriate to risk

• Logging, logging, logging!!! (firewall, router, system, …)

• Monitoring
  – Intrusion detection systems
  – File integrity monitoring systems
  – Vulnerability and configuration management systems
  – Attack path analysis

• Warning Banners, Expectations of use, Expectations of privacy

• Physical Security systems

Page 42: Questions?

Continue the conversation at http://connect.ncircle.com