Digital Forensics Lecture 5 - New Mexico Institute of ...df/lectures/5 Analysis Techniques.pdf ·...
0011 0010 1010 1101 0001 0100 1011
Digital Forensics Lecture 5
DF Analysis Techniques
Current, Relevant Topics
• Wells Fargo is notifying an unspecified number of employees that their personal data, including names, Social Security numbers (SSNs), as well as some health insurance and prescription drug information, may have been compromised following the theft of a laptop computer…
• …did not comply with established policies for safeguarding sensitive data. The company no longer works for Wells Fargo.
Computerworld.com
This Week’s Presentations
• Samuel Ashmore: File Encoding and Detection
• Samuel Ashmore: Encryption and Password Recovery (EC)
• Earl Eiland: Timeline Analysis
• Mayuri Shakamuri: Data Mining for Digital Forensics (EC)
• Sage LaTorra: Steganography Detection (EC)
• Ryan Ware: File Extension Renaming and Signaturing (EC)
Next Week’s Presentations
• Moses Schwartz: Email Analysis - Client and Web
• Johnathan Ammons: Web Analysis
• James Guess: IRC Analysis
Our Goal is to Begin to Develop Solid and Lasting Analytical Skills
• We will explore the factors that drive the need for data analysis
• We will begin to understand the process of data analysis and the bounds of accuracy
• We will present a few approaches and tools
• We will attempt to develop an instinct for one approach over another
• This will require a greater degree of class participation
• Where there are blanks, you will be expected to contribute
Lecture Overview
• Brainstorming session
• Investigation centric analysis
• Data centric analysis
• General tools and methods
(Process diagram: Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action, all under a Legal/Policy band)
Module 1
Brainstorming Session
Rules
• Dialogue not debate
 – Seek understanding
 – Ask questions from a point of true curiosity
 – Spend less time thinking about your own idea and more time actively listening
 – Build on ideas to strengthen them
• Share your ideas
 – Write them down and pass them forward if you choose not to speak up
Brainstorming Topic
• Pick a crime or offense to be investigated
 – Broad or specific, your choice
 – E.g., corporate data theft, illegal wiretapping, kidnapping, terrorism, system intrusion, phishing, identity theft, etc.
• Attempt to answer these questions:
 – How can DF be used in the investigation?
 – What data are available?
 – How “good” are the data?
 – How can the data be analyzed to find truth?
 – What tools can make the job easier?
 – What preparation and collection might help?
Module 2
Investigation Centric Analysis
Motivation
• An investigation-centric view is extremely useful in defining the analysis goals and methods
• Our brainstorming session was guided by a piece of the investigation context (crime)
• Data almost always exists in an investigative context
 – Possession of digital contraband, kidnapping, insider trading, etc.
• Details of the investigation allow analysts to focus on certain data types, content, and relationships
Digital Forensic Goal is to Move From the Specific to the Abstract
(Diagram: a ladder of increasing abstraction, read bottom to top)
 Data
 → Encoding Method (e.g., ASCII, bin)
 → Organization (e.g., Timeline)
 → Context (e.g., Exploit)
 → Relationship (e.g., Correlation)
 → Relevance (e.g., Coincidence)
 → Knowledge/Ability
 → Motivation/Intent
 → Truth
Side labels: Information Component (lower rungs), Human Component (upper rungs); Increasing Abstraction
Types of Investigations(based on role/duty)
• Criminal (law enforcement)
 – Examples: murder, fraud, digital contraband
• Corporate (corp. employee)
 – Examples: network intrusion, data theft, etc.
• Private (self or private investigator)
 – Example: marital infidelity
• ________
 – ________
Each Type of Investigation Has Significant and Subtle Differences
• Sources of data
 – Available data?
 – Unavailable data?
 – Quality of data (related to the investigation)?
• Questions to be answered
• Required quality of results
• Availability and coupling with other investigative efforts
Remember: All this is guided by law and policy
Module 3
Data Centric Analysis
Motivation
• Once the investigative goals, context, and details are understood, certain types of data lend themselves to specific analysis methods
• There are limits on the bounds of accuracy in the digital world, as in the physical world
• Technology presents more data analysis challenges than solutions
General Approach
• Obtain a clear understanding of the investigative goals, context, and details
• Think through possible sources of data
 – As in the brainstorming session
• Collect and preserve data
• Develop a strategy for data analysis
• Perform analysis
Potential Sources of Digital Data
• Computers (end devices)
 – HDD, FDD, memory, flash devices, input/output devices, support chipsets, etc.
• Networks (communication systems)
 – Logs, routes, ISP configuration, switch tables, network management, etc.
• Many others
 – Cell phones, PDAs, pagers, printers, BlackBerry, GPS, smart cards, traffic management systems, automobile computers, point of sale terminals, telephone logs, etc.
• ____________________
Limits to the Quality of Data
• Non-exclusive access to digital systems
• Existence of botnets and zombie machines
• Lack of Internet attribution and identity management
• Easy replication and fabrication of data
• Unclear language and language differences
• Missing network packets
• _________________
• _________________
Access. Social. Technical. Identity. Incomplete Measurement. Others?
Storage Media Analysis (1 of 3) “media analysis”
• Data from storage media
 – Volume data
 – Files
 – File meta data
 – Slack space and file slacks (win95)
 – Unallocated space
• Deleted files
 – Space not assigned to a volume
 – ________
MBC MPT
Storage Media Analysis (2 of 3)
• Volumes
 – Accounting for all disk blocks
 – Recover deleted partitions
 – Investigate un-partitioned space
 – Investigate volume meta-data regions
• File system
 – Analysis of file organization
• _________
 – Types of files
• _________
 – Files of interest
• _________
 – File meta data (time lines)
• _________
 – Misnamed files
• _________
 – ________
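A worked example of the volume-level items above (accounting for every disk block, locating un-partitioned space, and spotting a deleted partition), added here for the lecture; it is not the lecture's own code and not The Sleuth Kit, whose mmls performs this partition accounting on real images. The 64-sector disk image, its partition layout and the NTFS-looking boot sectors are constructed inline so the script runs offline; the deleted-partition hunt looks only in the gaps the table does not account for.

```python
"""Account for every sector of a disk from its MBR, then hunt for a deleted partition.

Added example (not from the lecture, not TSK code). The disk image, the layout and
the planted boot sectors below are constructed for the demo.
"""
import struct

SECTOR = 512
TABLE_OFF = 446              # first of the four 16-byte partition entries
ENTRY = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, LBA length
BOOT_SIG = b"\x55\xaa"
NTFS_OEM = b"NTFS    "       # OEM ID at offset 3 of an NTFS boot sector


def make_mbr(entries):
    """Build a constructed MBR from (type, start_lba, length_in_sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, length) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, TABLE_OFF + i * 16, 0, b"\xff" * 3, ptype, b"\xff" * 3, start, length)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries; refuse a sector lacking the 0x55AA signature."""
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA signature: not an MBR, or deliberately damaged")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, length = struct.unpack_from(ENTRY, mbr, TABLE_OFF + i * 16)
        if ptype and length:       # type 0x00 or zero length means an empty (or wiped) slot
            parts.append({"slot": i, "type": ptype, "start": start, "end": start + length - 1})
    return parts


def account_sectors(parts, total_sectors):
    """Map the whole disk as (label, first_lba, last_lba): table, partitions and every gap."""
    layout = [("mbr", 0, 0)]
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        label = "partition type 0x%02x" % p["type"]
        if p["start"] < cursor:
            # overlapping entries never come from a sane partitioning tool: flag, never hide
            layout.append(("OVERLAP " + label, p["start"], p["end"]))
            continue
        if p["start"] > cursor:
            layout.append(("unallocated", cursor, p["start"] - 1))
        layout.append((label, p["start"], p["end"]))
        cursor = p["end"] + 1
    if cursor < total_sectors:
        layout.append(("unallocated", cursor, total_sectors - 1))
    return layout


def find_orphan_boot_sectors(image, layout):
    """Scan only the unallocated ranges for sectors that look like an NTFS boot sector."""
    hits = []
    for label, first, last in layout:
        if label != "unallocated":
            continue
        for lba in range(first, last + 1):
            sec = image[lba * SECTOR:(lba + 1) * SECTOR]
            if sec[510:512] == BOOT_SIG and sec[3:11] == NTFS_OEM:
                hits.append(lba)
    return hits


def demo():
    """Constructed 64-sector disk: one listed partition, one whose table entry was zeroed."""
    total = 64
    image = bytearray(total * SECTOR)
    for start in (8, 40):            # plant a minimal NTFS-looking boot sector at each partition start
        boot = bytearray(SECTOR)
        boot[0:3] = b"\xeb\x52\x90"
        boot[3:11] = NTFS_OEM
        boot[510:512] = BOOT_SIG
        image[start * SECTOR:(start + 1) * SECTOR] = boot
    image[0:SECTOR] = make_mbr([(0x07, 8, 24)])   # only the first partition survives in the table
    parts = parse_mbr(bytes(image[:SECTOR]))
    layout = account_sectors(parts, total)
    return layout, find_orphan_boot_sectors(bytes(image), layout)


if __name__ == "__main__":
    layout, orphans = demo()
    for label, first, last in layout:
        print("%5d-%5d  %s" % (first, last, label))
    print("possible deleted partition boot sector(s) at LBA:", orphans)
```

Zeroing a table entry leaves the partition's sectors untouched, so a boot-sector signature found inside "unallocated" space is the first clue that a volume was removed; a real tool would go on to validate the candidate (sectors-per-cluster, total sectors in the BPB) against the free range before declaring a recovered partition, and would also check extended-partition chains and GPT, which this toy ignores.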
Storage Media Analysis (3 of 3)
• Deleted files
 – ________
• Slack space
 – ________
• Unallocated space
 – ________
Cell Phones
• Call logs
• Contacts
• Text messages
• Pictures
• Geo-location over time
• ________
Network Data
• Active connections
 – Client or server
 – Protocol
 – Address
 – Nature of data
 – Duration of connection
• Logs
 – ________
• Looking for indications of malicious insider activity
• Attempting to measure impact of crime
Live System Data
• EnCase Enterprise
• Windows registry
• Open network connections
• Running processes
• ________
Places for data to hide on a HDD (non-exhaustive list)
• Physical Media
 – Areas allocated for diagnostics
 – Residual magnetic impressions (due to jitter in write process)
 – Other devices with storage or state-preservation
• Low-level format
 – Redundant sectors
 – Sectors marked as bad (unavailable to wiping programs)
 – Sector overhead?
 – Positioning and synchronization platter?
• Partition
 – Inter-partition gaps
 – Unallocated space
 – “hidden” partitions
 – Boot records and partition tables
• High-level format
 – Alternate data streams (NTFS)
 – Hidden files (.<filename> or “hidden” attribute)
 – Open, but deleted files
 – Deleted files (unstable)
 – Paging/swap file
• Applications
 – Documents (do you know what you are looking for?)
 – Files with deceptive names (hidden in the noise, e.g., /dev)
 – Modified OS utilities (e.g., file system mounted over real file system, ls)
 – Code (as comments)
 – Databases (registry, history, etc.)
 – Encoding (steganography, metadata, encryption, bit-shifting, substitution, etc.)
• Where else?
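The "files with deceptive names" and "misnamed files" items come down to one check: does the content signature (the leading bytes) agree with what the name claims? The script below, added here and not part of the lecture, walks a tree and reports every file whose header and extension disagree. The signature table is a small illustrative subset (real tools such as file(1) carry far larger databases) and the sample files are constructed in a temporary directory.

```python
"""Flag files whose content signature disagrees with their extension.

Added example (not from the lecture). The signature table is a small illustrative
subset and the sample tree is constructed in a temporary directory.
"""
import os
import tempfile

# (magic bytes at offset 0, type name, extensions that normally carry that type)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"GIF8", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".jar", ".apk", ".docx", ".xlsx", ".pptx"}),
    (b"MZ", "pe", {".exe", ".dll", ".sys", ".scr", ".ocx"}),
    (b"\x7fELF", "elf", {".so", ".o", ""}),
    (b"\x1f\x8b", "gzip", {".gz", ".tgz"}),
]


def identify(header):
    """Return (type name, expected extensions) for the leading bytes, or (None, None)."""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None, None


def check_file(path):
    """Compare what the file says it is (extension) with what it starts with (signature)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        header = f.read(16)
    kind, exts = identify(header)
    if kind is None:
        verdict = "unknown signature"      # plain text, encrypted, or a type not in the table
    elif ext in exts:
        verdict = "ok"
    else:
        verdict = "MISMATCH"
    return path, ext, kind, verdict


def scan_tree(root):
    """Walk a tree and keep only the files that deserve a second look."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            rec = check_file(os.path.join(dirpath, n))
            if rec[3] != "ok":
                findings.append(rec)
    return findings


def demo():
    """Constructed sample tree: a real PNG, a PE renamed .jpg, a ZIP named .pdf, a text file."""
    root = tempfile.mkdtemp()
    samples = {
        "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "holiday2.jpg": b"MZ\x90\x00" + b"\x00" * 32,    # Windows executable posing as a picture
        "invoice.pdf": b"PK\x03\x04" + b"\x00" * 32,     # zip container (docx? jar?) named .pdf
        "notes.txt": b"just text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {os.path.basename(p): (kind, verdict) for p, _, kind, verdict in scan_tree(root)}


if __name__ == "__main__":
    for name, (kind, verdict) in demo().items():
        print("%-14s %-8s %s" % (name, kind, verdict))
```

A signature check is only as strong as its table and is itself easy to defeat: a file can carry a legitimate header with the payload appended, be stored inside a container, or be encrypted or otherwise encoded, all of which land in the "unknown signature" bucket. Treat that bucket as a queue for deeper inspection (entropy, strings, carving), not as a clean bill of health.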
In Class Exercise
• Where can data hide on other devices and systems?
• Some examples include:
 – As continuous network traffic
 – In printer memory
 – In system backups
 – Distributed among many computers (P2P)
Module 4
General Tools and Methods
Common Analysis Methods
• Key word search (most mature)
• MAC time line analysis
• Encrypted file cracking
• Relationship analysis
• Causal analysis
• Operating system logs and records
 – Registry (Windows)
 – User account logs
 – Various system logs
• Application specific analysis, e.g., email
• Executable and binary analysis
• ________
The Sleuth Kit Tools (learn through hands-on labs)
• File system layer (partitions, file systems)
 – fsstat: first used in lab 3 to determine block size
• File name layer (file name structures)
 – ffind
 – fls
• Meta-data layer (inodes, directory entries, file attributes)
 – icat
 – ifind
 – ils
 – istat
 – mac-robber
• Data unit layer (disk blocks)
 – dcat: first used in lab 3 to extract disk blocks
 – dls: first used in lab 2 to copy unallocated space and slack space
 – dstat
 – dcalc: first used in lab 3 to compute absolute block to recover
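The "MAC time line analysis" method listed under Common Analysis Methods and the mac-robber entry above are the same procedure: collect the modified/accessed/changed times of every file into a body file, then sort the times into one chronological stream. The script below, added here and not part of the lecture or of The Sleuth Kit, does both steps in Python (in TSK the pair is mac-robber or fls -m to produce the body file and mactime to order it). The directory tree and its back-dated timestamps are constructed inline.

```python
"""Build a MAC time line: gather file times in TSK body format, then order them like mactime.

Added example (not from the lecture, not TSK code): the same idea that mac-robber and
mactime implement. The directory tree and its back-dated timestamps are constructed inline.
"""
import os
import stat
import tempfile
import time
from collections import defaultdict


def collect_body(root):
    """One TSK-style body line per entry: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            p = os.path.join(dirpath, n)
            st = os.lstat(p)        # lstat: a symlink's own times matter, do not follow it
            lines.append("0|%s|%d|%s|%d|%d|%d|%d|%d|%d|0" % (
                p, st.st_ino, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                st.st_size, int(st.st_atime), int(st.st_mtime), int(st.st_ctime)))
    return lines


def timeline(body_lines):
    """Collapse body lines into (epoch, 'mac' flags, name) events, oldest first, like mactime."""
    events = defaultdict(lambda: defaultdict(set))    # ts -> name -> subset of {'m','a','c'}
    for line in body_lines:
        f = line.split("|")
        name, atime, mtime, ctime = f[1], int(f[7]), int(f[8]), int(f[9])
        events[mtime][name].add("m")
        events[atime][name].add("a")
        events[ctime][name].add("c")
    out = []
    for ts in sorted(events):
        for name in sorted(events[ts]):
            flags = "".join(x if x in events[ts][name] else "." for x in "mac")
            out.append((ts, flags, name))
    return out


def demo():
    """Constructed tree: a file edited a week ago, a tool dropped yesterday, a log read an hour ago."""
    root = tempfile.mkdtemp()
    now = int(time.time())
    files = {                                   # name: (atime, mtime), all back-dated
        "etc_passwd": (now - 7 * 86400, now - 7 * 86400),
        "tmp_nc": (now - 86400, now - 86400),
        "tmp_x.log": (now - 3600, now - 86400 + 60),
    }
    for n, (at, mt) in files.items():
        p = os.path.join(root, n)
        with open(p, "w") as fh:
            fh.write(n)
        os.utime(p, (at, mt))                   # ctime cannot be set from user space: it stays "now"
    return [(flags, os.path.basename(name)) for _, flags, name in timeline(collect_body(root))]


if __name__ == "__main__":
    for flags, name in demo():
        print(flags, name)
```

Read the flags column as mactime does: "m.." is a modification, ".a." an access, "..c" an inode change. Note what the demo shows about ctime: the three "..c" events all land at the moment the script ran, because utime rewrote each inode. On Unix, back-dating atime and mtime with touch or utime leaves exactly this tell, so a file whose ctime is far newer than its mtime deserves a second look; only a raw write to the disk (or a clock change) can hide it.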
How Would You…
• Determine if a system has been compromised?
• Determine if a suspect has been involved in theft of intellectual property?
• Determine if an employee has been stealing and selling trade secrets?
• Determine the impact of a successful network intrusion?
• ________?
Questions?
After all, you are an investigator