Introduction to Computer Forensics Brent Williams MSTM, CWNA, CWSP, CNE, MCSE, A+, N+ KSU ETTC...
Introduction to Computer Forensics
Brent Williams, MSTM, CWNA, CWSP, CNE, MCSE, A+, N+
KSU ETTC
Slides at: www.speakwisdom.com
Caveat
• I am not dispensing legal advice
• Use what you hear, read, and do at your own risk
• Consult with your legal advisor when conducting an investigation
The Need for Computer Forensics
• Anyone can access anything via the internet
• Students, faculty, staff and parents doing bad stuff!
• Technology is more sophisticated
  – Faster
  – More portable
• Schools have perceived responsibility
Concerns
• Pornography
  – Child Pornography
• Emails
  – Threatening
  – Relationship related
• Instant Messages
• Web sites (MySpace)
  – Bullying
  – Faculty pages
PDAs and Cell Phones
• Palm
  – Fading?
  – Lots of apps and storage (flash)
  – Infrared and Bluetooth beaming
• Windows Mobile
  – Lots of storage (flash)
  – Familiar interface
  – Easily networked (WiFi, Bluetooth)
  – View photos and movies
  – Capture images, sound
More Threats
• Downloads
  – To School PCs
• CDs/DVDs
• Social Networking Sites
  – Facebook
  – MySpace
• Phishing
  – Emails & Web sites
Objectives
• Gain Basic Knowledge
  – What is Computer Forensics?
  – Concepts
  – Procedures
  – What Not to Do?
  – What to do Next?
• Learn some basic techniques
• Raise level of awareness
Do You Have a Duty To Report?
• Yes, if you suspect a crime has been committed
• Yes, if you suspect “sexual exploitation”, including conduct involving child pornography
• Once you bring in police, you stop forensic work
Kinds of Forensics
• PC/Laptop
  – Files, email, internet activity
• Device
  – Cell phone
  – PDA
  – MP3 Player (iPod!)
• Network
  – Internet traffic
  – Local/wireless traffic
Places
• High Technology Crime Investigation Association
  – www.htcia.org
• Atlanta HTCIA
  – www.atlhtcia.org
• Southeast Cybercrime Summit
  – www.southeastcybercrimesummit.com
Places
• Access Data (FTK)
  – www.accessdata.com
• X-Ways Forensics (WinHex)
  – www.x-ways.com
• ProDiscover
  – www.techpathways.com
• Helix
  – www.e-fense.com
Certification
• Certified Computer Examiner
  – http://www.certified-computer-examiner.com/index.html
• More
  – Google search “computer forensics”
• Books
  – Plenty!
  – Check Amazon, BN, etc.
Build a Response Team
• Cover all bases
  – Legal, Technical, Law Enforcement, PR
• Attorney or Legal Advisor
• Strong “Geek”
  – Vast knowledge required
• School Law Enforcement Person, Local Police
• Public Relations
Incident Response Plan
• Response plan
  – Who is called?
  – How are others notified?
• Clear process
  – Who has responsibility for what?
  – Decision points
• Policy issue / Legal issue
• Coordinate with law enforcement
  – As appropriate
Someone Must Know Your Hardware & Software
• Servers
• Workstations
• PDAs
• CD-ROM, CD/DVD
• Webcams
• Modems
• Key Loggers
• USB Devices
• Wireless
• Windows
  – 9x, 2000, 2003, XP
• Unix/Linux
• OS X
• DOS
• FAT
• NTFS
• EXT2/EXT3
Someone Must Know Auditing and Logging
• Know where the OS keeps logs
• Know the kinds of OS logs
  – Windows
    • Event Viewer
    • Auditing
• Date and time of the device
• Date and time of log entries
• File/Directory date & time stamps
Will This End Up in Court?
• Assume your case will!
• Courts require ample unaltered evidence
• Evidence must be processed properly
• A specially trained team should always conduct the investigation
Main Emphasis of Forensics
• Identify the Evidence
• Determine how to preserve the evidence
• Extract, process, and interpret the evidence
• Ensure that the evidence is acceptable in a court of law
Evidence
• Computer evidence is fragile
• Courts know that digital evidence is easily planted/altered
• You must be able to show that evidence is pristine and unmodified!
• See www.cybercrime.gov
Evidence
• Can include any form of electronic data
• Can include devices
  – Computers
  – CD-ROMs
  – Floppies
  – Cellular Telephones
  – Pagers
  – Digital Cameras
Rules
• More latitude in schools/businesses
  – Internal processes
  – Governed by policy documents
  – Expectation of privacy
• Law enforcement works under more restrictive rules
  – Subpoenas & search warrants
  – Chain of command
  – Agency boundaries
What to “Prosecute”?
• Harm inflicted?
• Violation of written policy?
• Policy communicated to teacher/student/parents?
• Investigation conducted by trained personnel?
• Successful investigation?
Problem in School Systems
• Security and forensics projects don’t generate revenue
  – Or FTEs
• Hard to get the “higher ups” to understand the need
  – Until the superintendent’s and board’s picture is in the paper
• Money for training
• Politics of position
Training
• Training the team is essential
• They need to
  – Learn basic procedures
  – Gain expertise in technical areas
• Sufficient personal interest?
  – Get certified
  – Get a degree
End User Training
• Users need to be aware of
  – School system policies
  – Requirements to guard information
  – Laws
  – Illegal activities
  – Social engineering
  – Spyware
• Consider a yearly seminar
• Splash screen
Do It Right!
• Photograph the system scene
• Take notes (two people present)
• Get the basics
  – System model/serial number
  – HD model and serial number
  – System date/time
  – BIOS boot info
• Power down (pull the plug)
  – Laptop: pull the battery
Evidence Gathering
• Have secure-erased drives ready
• Get suspect drive image
  – Attach a write-blocker
  – Get two or more images of the drive
• Seal original drive
  – Place a copy of the drive back in the PC (if appropriate)
• Original drive should be locked away
• Control chain of custody
Preparing an Evidence Drive
• Use large drives
• Have several
• Secure-erase all drives
  – Record date, time, and method
• Store in locked area
• Software to secure erase?
  – Helix
  – WinHex Pro
  – ProDiscover
Prepare Evidence Drive
• Connect to analysis PC
• WinHex Pro
  – Select Physical Media (not Logical Drive)
  – Edit / Fill Sectors / hex 00
  – Will take several minutes (25 min for 40 GB)
Image Options
• Boot suspect PC with Helix
  – Easiest for laptops
• Attach USB evidence drive
• Use AIR or similar tool to image drive
Image Options
• Remove HD from suspect PC, place as slave in analysis PC
  – Use write blocker
• Remove HD from PC, place in USB case
  – Use write blocker
• Protect the original!
Other Image Options
• Use USB evidence drive
  – Boot PC with Knoppix or Helix CD
  – Open terminal window
  – dd if=/dev/hda of=/dev/sda
  – Speed: 1 hour per GB
  – Boot PC with Helix CD
  – Open terminal window
  – dcfldd if=/dev/hda of=/dev/sda
  – Speed: 4 min per GB
Other Image Options
• GHOST!
  – Boot with BartPE CD
  – Open command window
  – ghost32 -ir -fnf
  – (Image Raw, No Fingerprint)
  – Speed: 2 min per GB
• GHOST!
  – Version 7.5 or later
  – Boot with Ghost floppy
  – ghost -ir -fnf
What is the Hash?
• Used to verify that the image is accurate
• MD5 the suspect drive or partition
• MD5 the image
• They should match
• Record!
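The evidence-drive preparation, imaging and hash-verification steps from the preceding slides, walked through end to end as an added Python example. This is not code from the deck, from Helix, WinHex or dcfldd; it stands in for the dd/dcfldd commands by copying a constructed raw file onto a constructed, zero-filled "evidence drive" so that it runs offline. The file names, sizes and sample contents are constructed. Two points the slides leave implicit: the if= and of= device names on the slides are the presenter's setup and have to be confirmed on each machine before imaging, and the image hash must be taken over exactly the number of bytes copied, because the evidence drive is larger than the suspect drive and its untouched zero tail would otherwise make the two MD5 values differ. Opening the source read-only is the closest software gets to a write blocker; it does not replace one.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1024 * 1024                   # 1 MiB read/write blocks, as dd bs=1M would use
SUSPECT_SIZE = 3 * 1024 * 1024 + 512  # constructed: 3 MiB plus one odd sector
EVIDENCE_SIZE = 4 * 1024 * 1024       # constructed: evidence drive deliberately larger


def zero_fill(path: str, size: int) -> None:
    """Stand-in for the secure-erase step: overwrite every byte with 0x00."""
    zeros = b"\x00" * CHUNK
    with open(path, "wb") as f:
        left = size
        while left > 0:
            n = min(CHUNK, left)
            f.write(zeros[:n])
            left -= n


def verify_zeroed(path: str) -> bool:
    """Check that nothing but 0x00 remains on the prepared evidence drive."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(b"\x00") != len(block):
                return False
    return True


def md5_of(path: str, length: Optional[int] = None) -> str:
    """Streamed MD5 over the first `length` bytes (whole file when None)."""
    h = hashlib.md5()
    left = length
    with open(path, "rb") as f:
        while left is None or left > 0:
            block = f.read(CHUNK if left is None else min(CHUNK, left))
            if not block:
                break
            h.update(block)
            if left is not None:
                left -= len(block)
    return h.hexdigest()


def image_drive(src: str, dst: str) -> int:
    """Raw block copy, the equivalent of dd if=src of=dst; returns bytes copied.
    The source is opened read-only; the evidence drive is written from offset 0."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "r+b") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
            copied += len(block)
    return copied


def acquire(src: str, dst: str) -> dict:
    """Image src onto the prepared dst and return the record to file with the case."""
    if not verify_zeroed(dst):
        raise RuntimeError("evidence drive is not secure-erased; refusing to image")
    copied = image_drive(src, dst)
    record = {
        "when_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": copied,
        "source_md5": md5_of(src),
        # hash only the bytes that were written: the zeroed tail of the larger
        # evidence drive must not enter the comparison
        "image_md5": md5_of(dst, copied),
    }
    record["match"] = record["source_md5"] == record["image_md5"]
    return record


def make_suspect_drive(path: str) -> None:
    """Constructed sample content: a fake boot sector followed by a byte pattern."""
    pattern = bytes(range(256))
    with open(path, "wb") as f:
        f.write(b"\xeb\x3c\x90" + b"FAKEBOOT" + b"\x00" * 499 + b"\x55\xaa")  # 512 bytes
        left = SUSPECT_SIZE - 512
        while left > 0:
            n = min(len(pattern), left)
            f.write(pattern[:n])
            left -= n


def demo():
    """Run the whole procedure in a temp dir; return (clean record, tampered record)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.raw")
        dst = os.path.join(d, "evidence.raw")
        make_suspect_drive(src)
        zero_fill(dst, EVIDENCE_SIZE)
        clean = acquire(src, dst)
        # flip one byte of the image: the recorded hash no longer matches
        with open(dst, "r+b") as f:
            f.seek(1234)
            b = f.read(1)
            f.seek(1234)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered = dict(clean, image_md5=md5_of(dst, clean["bytes"]))
        tampered["match"] = tampered["source_md5"] == tampered["image_md5"]
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean image matches:", clean["match"], clean["source_md5"])
    print("after one flipped byte:", tampered["match"], tampered["image_md5"])
```

The returned record (time, byte count, both hashes) is what the "Record!" bullet asks for; write it into the case notes alongside the drive serial numbers collected under "Do It Right!".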
Analysis
• Work on the image, not the original
• Time consuming!
• Tools allow
  – Finding deleted files
    • Images
    • Email
    • IE cache
  – Searching for text (“drugs”, etc.)
  – Show hidden files
  – Show hidden partitions or drives
Definitions
• Unallocated Space
  – Space never used on a hard drive
  – Space made available by deleted files
• Slack Space
  – Space in a cluster not used by file data
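To make the two definitions concrete, here is an added Python example (constructed for this page, not from the deck or any forensic tool) that lays out a tiny volume of 512-byte clusters with a two-entry directory, then reports each file's slack and the clusters no directory entry points at. The cluster size, the directory format (name, start cluster, size, contiguous allocation) and the volume contents are assumptions for illustration; real file systems differ in layout but not in the two ideas shown: a file's slack is whatever the previous occupant of its last cluster left behind past the file's end, and a deleted file's data stays in unallocated clusters until something overwrites it.

```python
CLUSTER = 512  # constructed: small cluster size so the whole volume fits in memory


def clusters_needed(size, cluster=CLUSTER):
    """Number of whole clusters a file of `size` bytes occupies (ceiling division)."""
    return -(-size // cluster)


def slack_of(size, cluster=CLUSTER):
    """Bytes in the file's last cluster that lie past the end of its data."""
    return clusters_needed(size, cluster) * cluster - size


def file_slack(volume, entry):
    """Slack bytes of a directory entry (name, start_cluster, size)."""
    _, start, size = entry
    end = (start + clusters_needed(size)) * CLUSTER
    return volume[start * CLUSTER + size:end]


def unallocated_clusters(volume, directory):
    """Cluster numbers that no directory entry references."""
    used = set()
    for _, start, size in directory:
        used.update(range(start, start + clusters_needed(size)))
    return [i for i in range(len(volume) // CLUSTER) if i not in used]


def unallocated_data(volume, directory):
    """Concatenate the unallocated clusters, where deleted file data survives."""
    return b"".join(volume[i * CLUSTER:(i + 1) * CLUSTER]
                    for i in unallocated_clusters(volume, directory))


# --- constructed sample volume: 8 clusters, 4 KiB in all ---
RESIDUE = (b"SLACK-RESIDUE " * 30)[:slack_of(700)]   # left by an earlier, larger file
DELETED = b"deleted diary entry: no directory entry points here".ljust(CLUSTER, b"\x00")
VOLUME = (
    b"n" * 700 + RESIDUE        # clusters 0-1: note.txt (700 bytes) plus its slack
    + b"\x00" * CLUSTER         # cluster 2: never used
    + b"J" * CLUSTER            # cluster 3: pic.jpg, exactly one cluster, no slack
    + b"\x00" * CLUSTER         # cluster 4: never used
    + DELETED                   # cluster 5: data of a file whose entry is gone
    + b"\x00" * (2 * CLUSTER)   # clusters 6-7: never used
)
DIRECTORY = [("note.txt", 0, 700), ("pic.jpg", 3, CLUSTER)]


def report(volume=VOLUME, directory=DIRECTORY):
    """Per-file slack plus the list of unallocated clusters for the volume."""
    out = {}
    for entry in directory:
        name, _, size = entry
        out[name] = {"slack_bytes": slack_of(size), "slack": file_slack(volume, entry)}
    out["unallocated_clusters"] = unallocated_clusters(volume, directory)
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
    print(unallocated_data(VOLUME, DIRECTORY).strip(b"\x00"))
```

Note that a file whose size is an exact multiple of the cluster size (pic.jpg here) has no slack at all, and that "unallocated" covers both the never-written clusters (all zeros) and the one still holding the deleted entry's text; a keyword search over the whole image, as the Analysis slide suggests, finds the latter even though no file lists it.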
1. Examine Suspect HD
• Boot suspect PC with Helix
• Hidden drive? (QTParted)
• Browse with file manager
  – See images, open documents
  – See hidden partition
• Use Retriever
  – Path /media/sda1
  – Find images
1a. Examine USB Evidence Drive Image in Windows
• Use Windows Disk Management MMC to look at the partition
• My Computer
• Search
• Wrong extension?
• Encrypted?
• MS TweakUI
  – Can be used to hide drive letters
4. Examine in Windows
• Examine PC with Helix Windows
  – System Information
    • Drive letter discrepancy?
  – Incident Response
    • Windows Forensic Toolchest
    • Security Reports
    • (others want NetCat)
  – Scan for Images
    • (no path information)
  – Windows Search (for files)
  – Disk Management (for drives, partitions)
WinHex
• Open .dd file
• Specialist
  – Interpret File as Disk
• View all .jpg’s in file system
  – Tools, Disk Tools, Explore Recursively
  – You can add a path column
• Look for .dbx files
WinHex
• Find .jpg’s in unallocated space
  – Tools, Disk Tools, File Recovery by Type
• Find text in files
  – Search, Find Text (or Simultaneous Search)
Email - Outlook Express
• Local Settings\Application Data\Identities\…\Microsoft\Outlook Express
• OE Reader (free)
• Mail stored in .dbx files
• Similar tools for Outlook .pst files
Passwords and Encryption
• NTPassword
  – http://home.eunet.no/pnordahl/ntpasswd/
• Password Tools
  – http://www.passwordportal.net/
  – http://www.brothersoft.com/downloads/crack-password.html
  – http://www.elcomsoft.com/index.html
  – http://www.accessdata.com/
PRODISCOVER
• Create Case
• Add Image
• Content View
  – Examine Deleted Files
    • Click check box on interesting file
    • Make comment
    • Gallery view
PRODISCOVER
• Content Search
  – Search for pattern
    • Drugs, sex, etc.
  – Click Search Results
    • Finds anything: docs and email!
    • Search for *.jpg
PRODISCOVER
• What about files with the wrong extension?
  – Pick folder on left side
  – Tools – Signature Matching
  – Export Report
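What ProDiscover's Signature Matching and WinHex's File Recovery by Type do under the hood, as an added Python example written for this page (not ProDiscover's or WinHex's own code): the first half compares each file's leading bytes against a short table of magic numbers and flags files whose extension disagrees with the content (the "wrong extension" question on the slides); the second half carves JPEGs out of raw unallocated bytes by header and footer. The signature table is taken from the public format specifications; the sample files, the unallocated region and the fake JPEG bodies are constructed and are not valid images. Carving by header and footer yields truncated or junk candidates for fragmented files or where an FF D9 sequence occurs inside other data, so carved files still have to be opened and checked, just as the Gallery view step on the slides implies.

```python
# Magic bytes for a few common types (public file-format specifications)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),   # also the container for .docx/.xlsx/.pptx
}
# Extensions that legitimately carry one of the signatures above
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def detect_type(data):
    """Return the signature-based type of `data`, or None if no known magic matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def extension_of(name):
    """Lower-cased extension, mapped through the alias table."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return EXT_ALIASES.get(ext, ext)


def find_mismatches(files):
    """(name, claimed extension, detected type) for every file whose content
    signature disagrees with its extension. Files with no recognised signature
    (plain text, unknown formats) are not flagged: absence of a match is not
    evidence of renaming."""
    flagged = []
    for name, data in files.items():
        detected = detect_type(data)
        if detected is not None and detected != extension_of(name):
            flagged.append((name, extension_of(name), detected))
    return sorted(flagged)


JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Header/footer carving of JPEGs from raw (unallocated) bytes.
    Returns (offset, bytes) pairs; candidates longer than max_size are skipped."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1
            continue
        found.append((start, raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


# --- constructed samples (not real files) ---
FAKE_JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
FAKE_JPEG_B = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"B" * 64 + b"\xff\xd9"
SAMPLE_FILES = {
    "vacation.jpg": FAKE_JPEG_A,
    "homework.doc": FAKE_JPEG_B,          # picture renamed to look like a document
    "report.pdf": b"%PDF-1.4\n%constructed\n",
    "notes.txt": b"plain text, no signature",
    "archive.docx": b"PK\x03\x04" + b"\x00" * 26,
}
UNALLOCATED = (
    b"\x00" * 1000 + FAKE_JPEG_A + b"\x00" * 300
    + b"fragment of an old note" + FAKE_JPEG_B + b"\x00" * 500
)


if __name__ == "__main__":
    for name, ext, kind in find_mismatches(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but content looks like {kind}")
    for offset, blob in carve_jpegs(UNALLOCATED):
        print(f"carved {len(blob)} bytes at offset {offset}")
```

The same loop generalises to any type in the table with a fixed footer; types without one (PDF's %%EOF can be followed by updates, ZIP's central directory sits at the end) need a format-aware parser rather than a footer search.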