Digital Forensic & Tools

C4DLab

Chepken K.C, 6/10/2016

Introduction: Digital Forensics

• Investigations – You know this better than I do. Tell me about it!

• Digital investigation – Answers questions about digital events

• Digital forensic investigation – Answers questions about digital events so that the results are admissible in court


Introduction: Digital Forensics

• Digital forensics is about the investigation of crime, including investigation using digital/computer methods

• More formally: "Digital forensics, also known as computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information" (John Vacca)


Introduction: Digital Evidence

• Digital evidence may be used to analyze:
– cyber crime (e.g., worms and viruses),
– physical crime (e.g., homicide), or
– crime committed through the use of computers (e.g., child pornography, GBV)


Introduction: Computer Forensics

• Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law


Computer forensics

• Computer forensics activities commonly include:
– the secure collection of computer data
– the identification of suspect data
– the examination of suspect data to determine details such as origin and content
– the presentation of computer-based information to courts of law
– the application of a country's laws to computer practice


Digital forensics

• Digital forensics tries to answer the questions:
– Who,
– what,
– when,
– where,
– why, and
– how


Digital forensic

• Can we relate:

– Forensic Pathology – sudden, unnatural or violent deaths
– Forensic Anthropology – identification of human skeletal remains
– Forensic Entomology – insects and criminal matters
– Forensic Psychiatry – assessment and treatment of mentally disordered offenders
– Forensic Psychology – psychology and law
– Forensic Odontology – dental evidence
– Forensic Engineering – investigations of materials, etc.

• And now “Digital Forensics”


Digital forensics

• Digital forensics – once an attack has occurred or a digital/cyber crime has been committed

• we need to decide who committed the crime
• This brings about computer/digital investigations,

– leading to looking for evidence


Computer Evidence

• Computer evidence MUST be
– Authentic: not tampered with
– Accurate: have high integrity
– Complete: no missing points
– Convincing: no holes
– Conformant: to rules and regulations
– Handle change: data may be volatile and time sensitive
– Handle technology changes: tapes to disks; Mac to PC
– Human readable: binary to words


Securing evidence

• To secure and catalog evidence, large evidence bags, tapes, tags, labels, etc. may be used
• Tamper-resistant evidence security bags are required

– The police know this too well


Gathering Evidence: Considerations

– Securing evidence
– Gathering evidence
– Analyzing evidence
– Understanding the rules of evidence
– Processing law enforcement crime scenes
– Steps to processing crime and incident scenes


Investigation process

• The investigative process encompasses
– Identification
– Preservation
– Collection
– Examination
– Analysis
– Presentation
– Decision


Digital forensic Investigation process


Typical investigation phases

1. Acquisition
2. Recovery
3. Analysis
4. Presentation


Acquisition (1)

• Analogous to a crime scene in the "real world"
• Goal is to recover as much evidence as possible without altering the crime scene
• The investigator should document as much as possible


Acquisition (2)

• Maintain Chain of Custody

– Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence


Acquisition (3)

• Determine if the incident actually happened
• What kind of system is to be investigated?

– Can it be shut down?
– Does it have to keep operating?

• Are there policies governing the handling of the incident?
• Is a warrant needed?


Acquisition (4)

• Get the most fleeting (volatile) information first, in this order:

– Running processes
– Open sockets
– Memory
– Storage media

• Create 1:1 copies of the evidence (imaging) and verify the copy against the original with a cryptographic hash
• If possible, lock up the original system in the evidence locker

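The imaging and chain-of-custody steps from the last two slides, carried through as an added Python example (this is not code from the slides or from any of the tools discussed later). It assumes a constructed temporary file standing in for /dev/sdX, made-up examiner names and an in-memory custody log; in a real acquisition the source sits behind a hardware write blocker and the copy is made with dd, dc3dd or FTK Imager, but the hash-at-acquisition and verify-before-use logic is the same.

```python
"""Added example (not code from the slides): make a 1:1 image of a source
device, hash the source and the copy, and keep a chain-of-custody record
that every later handler extends and re-verifies.

Assumptions: the "device" is a constructed temporary file standing in for
/dev/sdX, the custody record is an in-memory list of dicts, and the
examiner names are made up."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write granularity; keeps memory flat for large images


def sha256_file(path):
    """Stream a file through SHA-256 so multi-GB images never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(log, examiner, action, item, digest):
    """One chain-of-custody entry: who did what to which item, and when."""
    log.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "action": action,
        "item": item,
        "sha256": digest,
    })


def acquire_image(source, image_path, log, examiner):
    """Copy source to image_path block by block, then hash both sides.
    Returns the verified digest; raises if the copy differs from the source,
    because an unverified image is worthless as evidence."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    src_hash = sha256_file(source)
    img_hash = sha256_file(image_path)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source: %s != %s" % (src_hash, img_hash))
    _record(log, examiner, "acquired", os.path.basename(image_path), img_hash)
    return img_hash


def verify_image(image_path, expected_hash, log, examiner):
    """Re-hash the working copy before each examination. A mismatch means
    the copy changed since acquisition and must not be used."""
    ok = sha256_file(image_path) == expected_hash
    _record(log, examiner, "verified" if ok else "VERIFICATION FAILED",
            os.path.basename(image_path), expected_hash)
    return ok


def demo():
    """Constructed run: build a fake device, acquire it, verify the copy,
    then flip one byte of the copy to show the custody check catching it."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "sdX")      # stands in for /dev/sdX
    image = os.path.join(tmp, "sdX.dd")
    with open(device, "wb") as f:
        f.write(b"BOOT" + bytes(range(256)) * (10 * BLOCK_SIZE // 256) + b"EOF!")
    log = []
    digest = acquire_image(device, image, log, "examiner A")
    intact = verify_image(image, digest, log, "examiner B")
    with open(image, "r+b") as f:          # simulate an altered working copy
        f.seek(BLOCK_SIZE)
        b = f.read(1)[0]
        f.seek(BLOCK_SIZE)
        f.write(bytes([b ^ 0xFF]))
    tampered = verify_image(image, digest, log, "examiner B")
    return intact, tampered, [e["action"] for e in log]


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three custody entries. The last one is the point: the digest recorded at acquisition lets anyone who later touches the copy prove it is still bit-for-bit the image that was taken, and a single flipped byte is enough to fail that proof.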

Recovery

• Goal is to extract data from the acquired evidence
• Always work on copies, never the original

– Must be able to repeat the entire process from scratch

• Recover the data, deleted data, "hidden" data


Recovery: File systems

• Get files and directories
• Metadata

– User IDs
– Timestamps (MAC times: modified, accessed, metadata changed)
– Permissions, ...

• Note: It is possible to recover some deleted files


Recovery: Encrypted data

• Depending on the encryption method, it might be infeasible to get to the information.
• Locating the keys (in memory, in a key file, or in a password store) is often a better approach.
• In some jurisdictions a suspect may be compelled by law to reveal the keys.


Recovery: File residue

• Even if a file is completely deleted from the disk, it might still have left a trace:
– Web cache
– Temporary directories
– Data blocks resulting from a move
– Memory


Analysis

• Methodology differs depending on the objectives of the investigation:
– Locate contraband material
– Reconstruct events that took place
– Determine if a system was compromised
– Authorship analysis


Analysis : Contraband material

• Locate specific files
– Databases of illegal pictures
– Stolen property

• Determine if existing files are illegal
– Picture collections
– Music or movie downloads


Presentation

• An investigator that performed the analysis may have to appear in court as an expert witness.
• For internal investigations, a report or presentation may be required.
• Challenge: present the material in simple terms so that a jury or CEO can understand it.


DF Investigator Profile

• Understanding of relevant laws
• Knowledge of file systems, OS, and applications

– Where are the logs, and what is logged?
– What are possible obfuscation/confusion techniques?
– What programs and libraries are present on the system and how are they used?

• Know what tools exist and how to use them (examples later)
• Be able to explain things in simple terms


Recovery – File deletions

• Most file systems only delete directory entries but not the data blocks associated with a file.
• Unless the blocks get reallocated, the file may be reconstructed

– The earlier the better for good chances
– Depending on fragmentation, only partial reconstruction may be possible

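An added example of the deletion and reallocation behaviour described in this slide and in "Recovery: File residue" above (this is not code from the slides; the toy disk, file names and file contents are constructed). Deleting a file drops only its directory entry, so a signature-based carver still recovers it whole; once another file is allocated onto one of its blocks, only a partial candidate remains, which is also what the carver sees for a fragmented file whose other fragments it cannot find.

```python
"""Added example (not code from the slides): why a deleted file is usually
still recoverable, and why reallocation of its blocks breaks that.

A toy block device is constructed in memory: a directory table mapping a
name to a block run, plus a flat array of 512-byte blocks. Deleting a file
removes only the directory entry, which is what most file systems do. The
carver then finds the file from its content signature alone, the way
Autopsy/The Sleuth Kit or PhotoRec do when the directory is gone. The PNG
header and IEND footer used as signatures are the real ones; the bytes
between them are filler, not a valid image."""

BLOCK = 512
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"  # IEND chunk type plus its fixed CRC


class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = bytearray(nblocks * BLOCK)
        self.directory = {}            # name -> (first_block, length_in_bytes)
        self.free = list(range(nblocks))

    def write_file(self, name, data, at=None):
        """Allocate a contiguous run (lowest free block unless `at` is given,
        which the demo uses to control where a later write lands)."""
        need = -(-len(data) // BLOCK)  # ceiling division
        first = self.free[0] if at is None else at
        run = list(range(first, first + need))
        if any(b not in self.free for b in run):
            raise ValueError("blocks %s are not all free" % run)
        for b in run:
            self.free.remove(b)
        off = first * BLOCK
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (first, len(data))

    def read_file(self, name):
        first, n = self.directory[name]
        return bytes(self.blocks[first * BLOCK:first * BLOCK + n])

    def delete(self, name):
        """Unlink: drop the entry and free the blocks; the bytes stay put."""
        first, n = self.directory.pop(name)
        need = -(-n // BLOCK)
        self.free = sorted(self.free + list(range(first, first + need)))


def carve_png(image, max_len=1 << 20):
    """Scan a raw image for PNG header/footer pairs, ignoring any directory.
    Returns (data, complete) tuples; complete=False means no footer within
    max_len of the header, i.e. the tail was overwritten or lies in a
    fragment elsewhere, so only a partial candidate can be offered."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_HEADER, pos)
        if start < 0:
            return found
        end = image.find(PNG_FOOTER, start, start + max_len)
        if end < 0:
            found.append((bytes(image[start:start + max_len]), False))
            pos = start + len(PNG_HEADER)
        else:
            end += len(PNG_FOOTER)
            found.append((bytes(image[start:end]), True))
            pos = end


def demo():
    """Constructed scenario: write, delete, carve, then overwrite the tail."""
    disk = ToyDisk(16)
    photo = PNG_HEADER + b"\x00" * 1200 + b"IHDR-and-IDAT-placeholder" + PNG_FOOTER
    disk.write_file("notes.txt", b"meeting at 9\n")   # block 0
    disk.write_file("photo.png", photo)               # blocks 1..3
    disk.delete("photo.png")                           # entry gone, bytes remain
    after_delete = carve_png(disk.blocks)
    # A new file gets allocated on block 3, the block holding the PNG footer.
    disk.write_file("cache.bin", b"C" * BLOCK, at=3)
    after_overwrite = carve_png(disk.blocks, max_len=4 * BLOCK)
    return {
        "in_directory": "photo.png" in disk.directory,
        "recovered_whole": after_delete == [(photo, True)],
        "partial_count": len(after_overwrite),
        "partial_complete": after_overwrite[0][1],
        "partial_has_header": after_overwrite[0][0].startswith(PNG_HEADER),
        "partial_len": len(after_overwrite[0][0]),
    }


if __name__ == "__main__":
    print(demo())
```

The "the earlier the better" point on the slide is the gap between the two carve calls: before any reallocation the carver returns the file byte-for-byte, after it only a header-led fragment of fixed length that an examiner has to label as partial.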

Examples of Computer Forensic tools

• The objective for discussing these tools is to understand that the forensic investigation activities discussed above can easily be done with the help of software applications: computer forensic tools
• The list is not exhaustive by any means

– Let us first watch the video
– Sources:
https://www.youtube.com/watch?v=zjK-JThLg_Y
http://www.gfi.com/blog/top-20-free-digital-forensic-investigation-tools-for-sysadmins/


Computer Forensic tools

• Use can be for
– an internal human resources case,
– an investigation into unauthorized access to a server,
– learning a new skill


Computer Forensic tools

• The tools can be used to conduct
– memory forensic analysis,
– hard drive forensic analysis,
– forensic image exploration,
– forensic imaging and mobile forensics.

• They all provide the ability to bring back in-depth information about what's happening in a system.


Computer Forensic tools: SIFT

• The SANS Investigative Forensic Toolkit (SIFT)
– A complete investigative toolkit
– Runs from a Linux live CD
– Has a wealth of applications to conduct an in-depth forensic or incident response investigation


Computer Forensic tools: The Sleuth Kit (+Autopsy)

• An open source digital forensics toolkit
• Can be used to perform in-depth analysis of various file systems.
• Autopsy is essentially a GUI that sits on top of The Sleuth Kit.
• It comes with features like

– Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching


Computer Forensic tools: FTK Imager

• Is a data preview and imaging tool that allows you to
– Examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps.
– Export files and folders from forensic images to disk, and review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven't been overwritten), and
– Mount a forensic image to view its contents in Windows Explorer.


Computer Forensic tools: DEFT

• Runs from a Linux Live CD
• Bundles some of the most popular free and open source computer forensic tools available.
• It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios.
• Contains tools for Mobile Forensics, Network Forensics, Data Recovery


Computer Forensic tools: Volatility

• Extracts digital artifacts from RAM dumps, giving details of running processes, open sockets, loaded DLLs, etc.


Computer Forensic tools: LastActivityView

– Allows you to view what actions were taken by a user and what events occurred on the machine.
– Activities such as running an executable file, opening a file/folder from Explorer, an application or system crash, or a user performing a software installation will be logged.
– The information can be exported to a CSV / XML / HTML file.


Computer Forensic tools: HxD

• Hex editor that allows you to perform low-level viewing and editing of a raw disk or main memory (RAM).
• Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.
• Note: editing a raw disk or shredding a file alters the evidence, so in an investigation open only a working copy of the image, and open it read-only.


Computer Forensic tools: CAINE

• CAINE (Computer Aided INvestigative Environment) is a Linux Live CD that contains a wealth of digital forensic tools.
• Features include

– a user-friendly GUI,
– semi-automated report creation, and tools for Mobile Forensics,
– Network Forensics, Data Recovery and more.


Computer Forensic tools: Mandiant RedLine

• RedLine offers the ability to perform memory and file analysis of a specific host.
• It collects information about

– running processes and drivers from memory, and
– file system metadata, registry data, event logs, network information, services, tasks, and Internet history

• to help build an overall threat assessment profile.


Computer Forensic tools: PlainSight

• PlainSight is a Live CD based on Knoppix (a Linux distribution)
• Allows you to perform digital forensic tasks such as

– viewing internet histories, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.


Thank You

Chepken [email protected]
