Page 1: Solving Computer Crime: An Introduction to Digital Forensics

Golden G. Richard III, Ph.D.
Dept. of Computer Science
Gulf Coast Computer Forensics Laboratory (GCCFL)
[email protected]

Page 2: Digital Forensics

Definition: “Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.”

Devices include computers, PDAs, cellular phones, videogame consoles…

Page 3: Examples of Digital Evidence

Computers are increasingly involved in criminal and corporate investigations. Digital evidence may play a supporting role or be the “smoking gun”.

Email
– Harassment or threats
– Blackmail
– Illegal transmission of internal corporate documents
Meeting points/times for drug deals
Suicide letters
Technical data for bomb making
Image or digital video files (esp., child pornography)
Evidence of inappropriate use of computer resources or attacks
– Use of a machine as a spam email generator
– Use of a machine to distribute illegally copied software

Page 4: Major Issues

Identification of potential digital evidence
– Where might the evidence be? Which devices did the suspect use?
Preservation of evidence
– On the crime scene…
– First, stabilize evidence…prevent loss and contamination
– If possible, make identical copies of evidence for examination
Careful extraction and examination of evidence
Presentation
– “The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore ‘HITLIST.DOC’…”
– “The suspect attempted to hide the Microsoft Word document ‘HITLIST.DOC’ but I was able to recover it without tampering with the file contents.”
Legal: Investigatory needs meet privacy

Page 5: Preservation of Evidence: Hardly trivial…

[Crime-scene diagram; labels: Living room, Basement/closet, wireless connection, an on-screen note “Dear Susan, It’s not your fault…”, “Just pull the plug?”, “Move the mouse for a quick peek?”, Tripwires, tick…tick…tick…, Volatile computing]

Page 6: Preservation: Imaging

When making copies of media to be investigated, must prevent accidental modification or destruction of evidence!

Write blockers: Use them. Always.

Imaging tools:
– dd under Linux
– DOS boot floppies
– Proprietary imaging solutions

[Photo: Drivelock write blocker]

Page 7: Extraction and Examination

Know where evidence can be found
Understand techniques used to hide or “destroy” digital data
Toolbox of techniques to discover hidden data and recover “destroyed” data
Cope with HUGE quantities of digital data…
Ignore the irrelevant and target the relevant

Page 8: Where’s the evidence?

Undeleted files (expect some names to be incorrect)
Deleted files
Windows registry
Print spool files
Hibernation files
Temp files (all those .TMP files!)
Slack space
Swap files
Browser caches
Alternate partitions
On a variety of removable media (floppies, ZIP, Jazz, tapes, …)

Page 9: Fallacy vs. Fact in Digital Forensics

Many digital forensics tools and techniques are quite complex… Very difficult to cover in a short lecture
To illustrate investigative procedures for digital forensics, a fact vs. fallacy approach
Fallacy: User attempting to hide evidence believes one thing…
Fact: But in fact…
Look at a few fact vs. fallacy scenarios… Then, one more advanced topic

Page 10: Fallacy: File was deleted, it’s gone!

Users often mistake normal deletion of files for “secure” deletion
Deleted files recoverable using forensics tools
Why? Filesystem makes a small change in its bookkeeping info to mark a file as deleted
Data associated with file is NOT erased
Example: FAT32 (Windows), first character of filename is changed to 0xEF in directory entry to “delete” file
Forensics software changes one character in directory entry, file reappears
To prevent recovery, must perform secure overwrite of the file or physically destroy the media
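The FAT bookkeeping change described above, as an added example that is not part of the original slides: it builds a FAT 8.3 directory entry, marks it deleted the way the filesystem does, and shows that only one byte of the entry changed, so the clusters still hold the data and writing one character back brings the file up again. The 32-byte entry layout follows the FAT specification, whose deleted-entry marker is 0xE5 (the slide gives 0xEF); the data area, cluster size and file contents are constructed for the demo.

```python
import struct

ENTRY_FMT = "<11sBBBHHHHHHHI"   # FAT short (8.3) directory entry, 32 bytes
DELETED_MARKER = 0xE5           # first-byte value the FAT specification uses for a deleted entry
CLUSTER = 512                   # constructed cluster size for the demo data area

def make_entry(name8_3: str, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Build a directory entry; timestamps are zeroed to keep the demo short."""
    base, _, ext = name8_3.upper().partition(".")
    raw_name = base.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    hi, lo = (first_cluster >> 16) & 0xFFFF, first_cluster & 0xFFFF
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0, hi, 0, 0, lo, size)

def parse_entry(entry: bytes) -> dict:
    raw_name, _attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, entry)
    base = raw_name[:8].decode("latin-1").rstrip()
    ext = raw_name[8:].decode("latin-1").rstrip()
    deleted = entry[0] == DELETED_MARKER
    if deleted:
        base = "?" + base[1:]   # the original first character is gone; the examiner must infer it
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "first_cluster": (hi << 16) | lo, "size": size}

def delete_entry(entry: bytes) -> bytes:
    """What the filesystem does on delete: one byte changes; cluster, size and data are untouched."""
    return bytes([DELETED_MARKER]) + entry[1:]

def undelete_entry(entry: bytes, first_char: str) -> bytes:
    """The forensic fix from the slide: write one character back into the directory entry."""
    if entry[0] != DELETED_MARKER:
        raise ValueError("entry is not marked deleted")
    return first_char.upper().encode("ascii") + entry[1:]

def read_file(entry: bytes, data_area: bytes) -> bytes:
    """Read the file's bytes from the data area using only cluster and size from the entry."""
    info = parse_entry(entry)
    start = info["first_cluster"] * CLUSTER
    return bytes(data_area[start:start + info["size"]])

# Constructed demo volume: the file's contents live at cluster 2 of a tiny data area.
PAYLOAD = b"Constructed contents of HITLIST.DOC (not a real document)"
DATA_AREA = bytearray(CLUSTER * 4)
DATA_AREA[2 * CLUSTER:2 * CLUSTER + len(PAYLOAD)] = PAYLOAD
ENTRY = make_entry("HITLIST.DOC", first_cluster=2, size=len(PAYLOAD))
DELETED = delete_entry(ENTRY)

if __name__ == "__main__":
    print(parse_entry(DELETED))                       # name shows as ?ITLIST.DOC, still points at data
    print(read_file(DELETED, DATA_AREA) == PAYLOAD)   # True: "deleted" data is still on disk
    print(undelete_entry(DELETED, "H") == ENTRY)      # True: one byte restores the entry
```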

Page 11: Fallacy: I renamed the file, I’m safe!

“childporn.jpg” → “winword.exe”

Renaming files is an ineffective defense against digital forensics investigation
Technique # 1:
– Most file types (e.g., JPEG image) have a structure that can be recognized directly, regardless of the filename a user chooses
– e.g., JPEG files contain 0x4a464946 or 0x45786966 in the first block of the file
Technique # 2:
– Cryptographic hashing provides a mechanism for “fingerprinting” files
– File contents are matched quickly, regardless of name
– Hashes equivalent, file contents equivalent
– Think: fingerprints don’t care about hair color…

Page 12: Aside: Hashing

Typical algorithms: SHA-1, MD5
Example:

C:> md5sum golden.jpg
b28f08b004a7251a418e089ef3bb7409 *golden.jpg
C:> rename golden.jpg winword.exe
C:> md5sum winword.exe
b28f08b004a7251a418e089ef3bb7409 *winword.exe

Can automate checking of hashes
Huge dictionaries exist with hashes for known files:
– http://www.nsrl.nist.gov/index/prodname.index.txt
– …and known child pornography files
Can quickly disregard known files and target the interesting stuff
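Techniques #1 and #2 from the renaming slide together with the known-hash dictionary idea from this one, as one added example that is not the slides' own code: classify each file by the structure in its first block, hash its contents, flag names whose extension contradicts the content, and mark files whose digest already sits in a known-file dictionary so they can be set aside. The file bytes, filenames and the known-hash table are constructed; SHA-1 stands in for the md5sum session shown above.

```python
import hashlib
from pathlib import Path

FIRST_BLOCK = 512
# Extension a name claims -> type the content must actually show; other extensions are not judged.
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "exe": "pe-executable"}

def identify(data: bytes) -> str:
    """Technique #1: classify by structure in the first block, ignoring the filename.
    The slides' JPEG test: 'JFIF' (0x4a464946) or 'Exif' (0x45786966) in the first block."""
    head = data[:FIRST_BLOCK]
    if head.startswith(b"\xff\xd8\xff") and (b"JFIF" in head or b"Exif" in head):
        return "jpeg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"

def fingerprint(data: bytes) -> str:
    """Technique #2: a content hash; renaming does not change it (SHA-1 is one of the slide's algorithms)."""
    return hashlib.sha1(data).hexdigest()

def triage(files: dict, known: dict) -> list:
    """files: name -> bytes; known: hex digest -> label (an NSRL-style dictionary).
    Flags extension/content mismatches and marks files whose hash is already known."""
    rows = []
    for name, data in files.items():
        ext = Path(name).suffix.lower().lstrip(".")
        kind, digest = identify(data), fingerprint(data)
        rows.append({"name": name, "actual": kind, "sha1": digest,
                     "mismatch": ext in EXPECTED and EXPECTED[ext] != kind,
                     "known": known.get(digest)})
    return rows

# Constructed samples (not real files): a tiny JPEG-like header and a PE-like header.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48" + b"\x00" * 64
PE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64
FILES = {"golden.jpg": JPEG_BYTES, "winword.exe": JPEG_BYTES, "notepad.exe": PE_BYTES}
KNOWN = {fingerprint(PE_BYTES): "known system file (constructed NSRL-style entry)"}

if __name__ == "__main__":
    for row in triage(FILES, KNOWN):
        print(row)   # winword.exe: actual=jpeg, mismatch=True; notepad.exe: known, can be set aside
```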

Page 13: Fallacy: I format-ed the drive, whew!

Formatting a drive does not prevent recovery of digital evidence
In fact, format typically overwrites less than 1% of drive contents
Why does it take so long? Format is reading disk blocks to determine if bad blocks exist
Format wipes out directories, so names of files are lost
A lot of the data can still be recovered by sifting through data that remains after the format operation
For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file
See digital forensics Technique # 1 under file renaming fallacy
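The header-and-trailer file carving the slide mentions, as an added example that is not the slides' own code: it scans a raw byte image with no directory information and returns every span bounded by a known header and trailer, skipping headers that never find a trailer. The JPEG and PNG markers are the real ones; the "formatted" volume, its offsets and the file bodies are constructed, and PNG is included as a second instance of the same technique.

```python
# Header/trailer byte pairs; JPEG is the slides' example, PNG is added to show the same technique.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),                 # SOI marker ... EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),      # PNG signature ... IEND chunk + CRC
}
MAX_SIZE = 10 * 1024 * 1024   # a header with no trailer within this span is treated as a false start

def carve(image: bytes, signatures: dict = SIGNATURES) -> list:
    """Scan a raw byte image (no filesystem metadata needed) and return (kind, offset, bytes)
    for every header..trailer span found, in disk order. Names are not recoverable this way."""
    found = []
    for kind, (header, trailer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(trailer, pos + len(header), pos + MAX_SIZE)
            if end == -1:                       # no trailer: skip this header, keep scanning
                pos = image.find(header, pos + 1)
                continue
            end += len(trailer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])

# Constructed "formatted" volume: directory area zeroed, two files still sitting in the data area.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"J" * 300 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 200 + b"IEND\xaeB`\x82"

def build_disk_image() -> bytes:
    disk = bytearray(16384)
    disk[4096:4096 + len(FAKE_JPEG)] = FAKE_JPEG
    disk[9000:9000 + len(FAKE_PNG)] = FAKE_PNG
    return bytes(disk)

if __name__ == "__main__":
    for kind, offset, blob in carve(build_disk_image()):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
```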

Page 14: Fallacy: Media mutilation == Miller time!

Example # 1: Cutting a floppy into pieces
Example # 2: Opening a hard drive, removing the platters, throwing them into the trash
Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery
Media can be reassembled and partial recovery performed
Even strong magnetic fields are insufficient…
Older “military grade” degausser for erasing hard drives was so strong that it bent the platters inside the drive
Your bulk tape eraser isn’t going to do the job
To destroy data: multiple overwrites (software) or complete destruction of hardware

Page 15: That’s One Big Degausser!

[Photo]

Page 16: Fallacy: I used Web-based email…

Fallacy: Use of web-based email rather than storing email messages directly on a computer is safer (in terms of thwarting recovery attempts)
It’s not. Even if you never download the email and immediately delete all messages on the server!
Recently viewed web pages are stored in web browser’s cache
Cache is often in a hard-to-find place…
Internet Explorer: Tools → Internet Options → Delete Files clears the cache in IE
See slide on recovery of deleted files for futility quotient
Files stored in browser cache are not securely deleted when the cache is cleared
Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash

Page 17: Recovery of web-based emails

[Screenshot]

Page 18: Fallacy: Application uninstalls are easy…

Illegal application installed… Fear ensues… Application is uninstalled… (Am I safe?)
…application files can still be undeleted, proving application was installed
Further steps to obscure installation: Securely overwrite application files
Now am I safe? Nope. Remnants of installation can likely still be found in the Windows registry
Basically, if a user installs software and wants to permanently eradicate any traces, must securely erase the entire drive or destroy the hardware

Page 19: Fallacy: I encrypted my files…

On encrypted file systems, if file is ever printed and spool directory isn’t encrypted, fragments may be left behind
On some systems (e.g., Windows 2000), a “recovery agent” is able to read all encrypted files
For Windows 2000, this is the administrator account, thus just need to break administrator password
Problem: keys for truly secure encryption schemes are long
Search for slips of paper
Search for unencrypted password lists
Search PDAs, phones, and organizers for passwords and encryption keys
Software or hardware keystroke loggers
Van Eck radiation
If the file can’t be decrypted, the name of the file may still be useful in prosecution

Page 20: Beowulf, Slayer of Poorly Chosen Passwords…

How good are your passwords?

Page 21: Steganography

“Techniques for hiding information within other information”

Historical
– Tattoos
– Text on wood under wax layer on a wax tablet
– “Invisible” ink (e.g., writing with lemon juice)
Modern
– Much more sophisticated
– Employ powerful encryption techniques
– Hide documents w/in an image, video, or audio file
– Hidden documents can be harmless, or child pornography, bomb plans, …

Page 22: Stego (2)

Page 23: Stego (3)

Page 24: Stego (4)

Slipped inside the 2nd cactus picture by “jphide”…

Embedding in this case is not obvious (visually)…and image w/ embedded Golden is actually smaller (in bytes) than original

Statistical analysis by “stegdetect” guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely unless the password is known.

Page 25: Stego (5)

[Diagram labels: Core, Igniter]

This “bomb” diagram, however, is not detected inside the cactus picture…

Page 26: Bluepipe: On the Spot Digital Forensics

[Architecture diagram; labels: Target, Bootable Bluepipe CD, Removable media, Bluetooth or 802.11 dongle, Handheld Bluepipe client, 3G/VPN, Remote investigator(s)]

Page 27: Legal Issues

Investigative needs vs. the right to privacy
Search warrant laws, e.g., Fourth Amendment to the U.S. Constitution
Wiretap laws
Chain of custody
Admissibility of evidence in court: Daubert
– Essentially:
  • Has theory or technique in question been tested?
  • Is error rate known?
  • Widespread acceptance within a relevant scientific community?
Patriot Act
– Greatly expands governmental powers in terms of searching, wiretap w/o prior notification

Page 28: The Other Side: Privacy

We’ve concentrated on the cool technology, but…
The existence of sophisticated digital forensics techniques is a great enabler for fascism
Actively fight laws that don’t appropriately balance privacy with need for investigation
Secure file deletion software
Overwriting files with zeros is good enough unless a tunneling electron microscope is available…
Volatile computing
Physical destruction of media
– Grind the media into powder
– Vats of acid or molten steel

Page 29: Resources

Books
– Digital Evidence and Computer Crime (E. Casey, Academic Press)
– Computer Forensics and Privacy (M. Caloyannides, Artech House)
Websites
– http://www.dfrws.org
  • Lots of references related to digital forensics, including a link to an interesting e-journal…
  • http://www.ijde.org/ (International Journal of Digital Evidence)
– http://vip.poly.edu/kulesh/forensics/list.htm
  • tons of stuff, including a bunch of online papers
– http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
  • Huge collection of forensics-related software
Commercial digital forensics software
– Encase
– FTK (Forensics Tool Kit)
– ILook (law enforcement only)
– WinHex

Page 30

Presentation available: http://www.cs.uno.edu/~golden/teach.html

[email protected]

Office: Math 346

?