UTD CSG Module 0x01: Forensics
Kevin ‘Hexstr Morgan’ Dickinson
Josh ‘HoboBeard’ Hammond
Christ ‘PossibleSloth’ Walz
Week 0x01: Intro
• What it be
• How it’s used
• Concepts and terminology
• Demonstration: Acquiring evidence
• File system basics
• Popular tools
• Demonstration: EnCase 6 and FTK 4 overview
• Important resources
Week 0x02: In-Depth
• File carving and data recovery
• Application artifacts
  • Web browsers, Dropbox
• Windows forensics
  • Registry, prefetch, hiberfil/pagefile, VSS, LNK files, USB activity, shellbags, thumbs.db
• Mobile forensics
  • SQLite DBs, user dictionary, vulnerabilities
Week 0x02: In-Depth (continued)
• Investigative techniques
  • Activity timeline, keyword searches, hash matching, skin-tone analysis
• Physical memory
  • Encryption keys, system activity (processes, network connections), etc.
• Anti-forensics
  • Encryption, steganography, timestamp manipulation
• Anti-anti-forensics
  • Breaking encryption, password cracking, timestamp manipulation detection
Week 0x03: Examination
Week 0x01: Intro
Intro: What is computer forensics?
• “(…) a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime”
• Defensibility is key – best practices, documentation, etc.
• Largely community driven, lots of research and hard work by many smart people
• Described as both “an art and a science” – SANS Institute
Intro
• Law enforcement
  • Criminal investigations (murder, fraud, etc.)
• Litigation
  • Civil lawsuits
  • IP theft, subpoenas
• Corporate
  • Internal investigations
  • Incident response (network intrusions)
Intro
• How is it relevant?
  • We store an incredible, increasing amount of data on our day-to-day devices
• Examples
  • Sued after being involved in a car accident – texting and driving?
  • Employee leaves company, suspected of copying off sensitive documents on last day of work
  • Corporate network gets compromised – what sensitive resources might have been accessed, by whom?
  • Person accused of “unlawful access to a computer resource”, warrant issued, digital devices seized for analysis
  • General purpose creepin’
Intro
• Challenges
  • Requires broad knowledge base, many different skills, highly detail oriented
  • Fast paced, constantly changing – new artifacts and roadblocks all the time
  • New releases every few weeks/months – OSes, applications, hardware (eg: phones)
  • Commercial products are often slow to respond to changes (eg: ReFS)
  • Reversing, writing new code, testing testing testing…
  • Server-side (cloud) computing – physically inaccessible, complex topologies
• Skills and Specialities
  • Reverse engineering
  • Incident response
  • Memory analysis
Terminology
• What it means to be ‘forensically sound’
  • Difficult to define as it is situational and discretionary
  • Ideally speaking, an exact 1:1 unaltered representation of an original data source
• Physical data – bitstream representation of a device’s entire contents (including unallocated space)
  • eg: /dev/sda or \\.\PhysicalDrive0
  • Considered the most ‘forensically sound’ but not always possible
• Logical data – a specific ‘logical’ subset of data such as a partition or volume
  • eg: /dev/sda1 or \Device\Harddisk0\Partition0
Metadata
• Conceptually broad – basically ‘data about data’
• Used in file systems to provide file info independently of files
  • MAC (Modified/Accessed/Created times), ownership info, etc.
• Various file formats use specific metadata
  • OLE – MS Office
  • ID3v1/2 – Audio
  • EXIF data – Images
• Used to convict the BTK Killer
Disk Concepts
• Sector
  • Smallest physically addressable unit on a storage device (LBA)
  • 512 bytes most common, 4K becoming popular
• Block
  • See above (they are essentially the same thing)
• Cluster
  • NTFS-specific term for a group of sectors
  • Smallest logically addressable unit on a storage device
  • Known as block group in EXT2/3/4, allocation blocks in HFS(+)
  • 4096 bytes default in NTFS, HFS+, EXT3/4 (8 contiguous 512B sectors)
  • Important concept as it relates to data carving
Disk Concepts
• Unallocated space
  • VERY important – basis for much of forensics
  • Areas of a storage device not currently assigned to file(s) by the file system
  • Likely contains unspeakable things you thought were gone
  • Captured during physical imaging (but not logical)
• Slack space
  • Leftover space between the end of a data stream and the end of a cluster
Disk Concepts
• Slack space (continued)
  • Can be used to hide data on disk (not well)
  • Popular capable forensic suites will look for this
  • “FUN FACT”: Microsoft used to ‘fill in’ space on disk between the end of a file and end of a cluster by writing random areas from memory – REALLY BAD, THIS IS SO BAD
• Hidden areas
  • Host Protected Area (ATA-4) – ‘SET MAX ADDRESS’ ATA command
  • Device Configuration Overlay (ATA-6) – adjusts number of sectors visible to the machine at a low level
Cryptographic Hashes
• Hashes
  • Described as (mostly) unique ‘digital fingerprint’
  • Important basis for much of forensics
  • One-way function
  • Used to uniquely match individual files, evaluate integrity of evidence (disk images), etc.
  • MD5/SHA1/SHA256 – most common
  • hexstr@here /#: md5sum -b /tmp/disk0.001
Cryptographic Hashes
• Hash Sets
  • Lists of known hashes for system files, popular programs, etc.
  • Similar to a rainbow table – reverse lookup
  • Largest repository maintained by NIST (http://www.nsrl.nist.gov/Downloads.htm)
  • Extremely useful for filtering out irrelevant data or quickly identifying known files
  • Law enforcement agencies will use privately maintained hash sets for easily identifying contraband files (eg: child pornography)
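As an added example (not code from the deck), how a hash set is used for triage: files are hashed in chunks the way md5sum -b reads a disk image, compared against a known-good set standing in for NSRL and a known-bad set standing in for a privately maintained contraband list, and only unknown content is left for the examiner. The sample files and both hash sets are constructed here, keyed on SHA-1 by assumption.

```python
import hashlib
import os
import tempfile

# Constructed sample "evidence" files; the hash sets below are built from them the way
# NSRL (known-good) and a contraband set (known-bad) are built from real files.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00 constructed stand-in for a known OS binary",
    "report.docx": b"PK\x03\x04 constructed user document nobody has hashed before",
    "holiday.txt": b"constructed contraband file renamed to look like a text file",
}
KNOWN_GOOD = {hashlib.sha1(SAMPLE_FILES["notepad.exe"]).hexdigest()}
KNOWN_BAD = {hashlib.sha1(SAMPLE_FILES["holiday.txt"]).hexdigest()}

def hash_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Hash a file in chunks (md5sum -b style) so a multi-GB disk image never has to fit in RAM."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}

def triage(paths, known_good, known_bad, algo="sha1"):
    """Sort files by hash-set membership. Matching is on content, not name, so a renamed
    file still hits the known-bad set; a file in both sets is treated as an alert."""
    out = {"alert": [], "filtered": [], "review": []}
    for p in paths:
        digest = hash_file(p, (algo,))[algo]
        if digest in known_bad:
            out["alert"].append(p)      # flag for the examiner
        elif digest in known_good:
            out["filtered"].append(p)   # known OS/application file, skip it
        else:
            out["review"].append(p)     # unknown content: this is the real workload
    return out

def build_sample_dir():
    """Write the constructed files to a temp directory; returns their paths in a fixed order."""
    d = tempfile.mkdtemp(prefix="evidence-")
    paths = []
    for name, content in SAMPLE_FILES.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    return paths

if __name__ == "__main__":
    result = triage(build_sample_dir(), KNOWN_GOOD, KNOWN_BAD)
    for bucket, files in result.items():
        print(bucket, [os.path.basename(f) for f in files])
```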
Forensic Imaging
• Imaging
  • Duplicating some data source (eg: hard disk, memory, etc.) for post-mortem review, almost always first step in an investigation
  • Critical to utilize writeblocking to prevent changes to evidence
  • Used to be disk-to-disk (cloning) – many issues with this (sterility)
  • Resulting evidence image often encapsulated as a binary file
  • Two popular formats – .001 (DD style) or .E01 (EnCase)
    • DD output is a raw binary file
    • E01 has internal checksums, self-validating, compressible
Forensic Imaging
• Writeblocking
  • Maintains integrity of a data source by preventing changes to source media
  • Absolutely critical as a best practice
  • Numerous hardware and software based methods available
  • Not always possible (live servers, encryption, etc.)
Forensic Imaging
• Hardware Writeblockers
  • Tableau TD1/2/3 (duplicator)
  • SATA, IDE, USB, 1394, SCSI, etc.
  • Cache (simulate) disk writes or simply ignore write requests to device
• Software Writeblockers
  • Linux Live CDs (Helix, Backtrack, etc.)
    • Prevent drives from mounting, no disk integrity checks
  • USB via Windows Registry (http://www.gaijin.at/en/dlusbwp.php)
Forensic Imaging
• Software Imagers
  • AccessData FTK Imager – Windows, OSX, Linux (http://www.accessdata.com/support/product-downloads)
  • DD, DCFLDD, DDRescue…
• What is an image
  • hexstr@here /#: dd if=/dev/sda of=/tmp/disk0.001 bs=512
• What is not an image
  • Symantec Ghost (alters timestamps)
• Other uses
  • General purpose backups – mount, restore, etc.
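An added example (not the deck's code, nor dd's or FTK Imager's) of what the dd line above does, plus the two things dcfldd/ddrescue add to it in practice: hashing the stream during the copy and zero-filling unreadable sectors so later data keeps its offset. The source device is a constructed in-memory stand-in for /dev/sda with one bad sector; SHA-256 is assumed for the acquisition hash.

```python
import hashlib
from io import BytesIO

SECTOR = 512

class FaultyDevice:
    """Constructed stand-in for /dev/sda: a byte buffer in which the listed LBAs fail to read."""
    def __init__(self, data, bad_lbas=()):
        self.buf, self.bad, self.pos = data, set(bad_lbas), 0

    def read(self, n):
        lba = self.pos // SECTOR
        self.pos += n                   # position advances even on error, so the next read
        if lba in self.bad:             # lands on the following block (what noerror relies on)
            raise OSError("I/O error at LBA %d" % lba)
        return self.buf[self.pos - n:self.pos]

def acquire(src, dst, bs=SECTOR):
    """dd-style physical acquisition: copy bs bytes at a time, hash the stream on the way through
    (the step dcfldd adds over plain dd) and zero-fill any unreadable block so every later sector
    keeps its offset in the image (dd conv=noerror,sync). Returns the record for the case notes:
    stream hash, block count and the block numbers that could not be read."""
    h, bad, n = hashlib.sha256(), [], 0
    while True:
        try:
            block = src.read(bs)
        except OSError:
            block = b"\0" * bs
            bad.append(n)
        if not block:
            break
        h.update(block)
        dst.write(block)
        n += 1
    return {"sha256": h.hexdigest(), "blocks": n, "bad_blocks": bad}

def verify(image, record):
    """Re-hash the image (bytes or a readable file object) independently of the copy loop; a
    mismatch means the evidence file is not what was acquired (bad media, tampering, short write)."""
    f = BytesIO(image) if isinstance(image, bytes) else image
    f.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: f.read(1 << 20), b""):
        h.update(block)
    return h.hexdigest() == record["sha256"]

def demo():
    """Acquire a constructed 5-sector device with one unreadable sector; returns (record, image bytes, verified)."""
    dev = FaultyDevice(bytes(range(256)) * 10, bad_lbas=[2])
    img = BytesIO()
    record = acquire(dev, img)
    return record, img.getvalue(), verify(img, record)
```

The hash in the record is of the stream as acquired (with the zero-filled sector), which is why the bad-block list has to be kept with it.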
Demo: Acquiring Evidence
File System: FAT
• Two copies of FAT stored for redundancy
• Divided into equal-sized clusters (previous slide)
• Simple: files stored as a singly linked list of clusters
• Table entry marked as one of the following (FAT16 shown):
  • Allocated (value is the next cluster in the chain)
  • End of chain marker (0xFFF8 – 0xFFFF)
  • Unused (0x0000)
  • Bad cluster (0xFFF7)
• Source: http://www.forensicswiki.org/wiki/FAT#FATs
File System: FAT
• Directory table
  • Special kind of file
  • Each file/subdir listed as a 32-byte entry
  • Contains name, extension, attribute
  • Last modified time, address of first cluster, size
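Added example (not from the deck): decoding a 32-byte FAT16 directory entry and following the cluster chain from the previous slide on a constructed volume. The layout is simplified by assumption (one-sector clusters, no separate root-directory region); the deleted-entry path shows why recovering a deleted FAT file is only reliable when its clusters were contiguous.

```python
import struct
from datetime import datetime
CLUSTER = 512   # bytes per cluster in this constructed volume (one sector; real FAT volumes use more)
FREE, BAD, EOC = 0x0000, 0xFFF7, 0xFFF8   # FAT16 table markers; end-of-chain is 0xFFF8..0xFFFF

def classify(value):
    """Name a FAT16 table entry the way the slide does."""
    special = {FREE: "unused", BAD: "bad"}
    return special.get(value, "end-of-chain" if value >= EOC else "allocated")

def cluster_chain(fat, first):
    """Walk the singly linked list from `first` to the end-of-chain marker. A loop or a
    free/bad entry means a corrupt (or zeroed-on-delete) chain, so refuse it."""
    chain, cur = [], first
    while cur not in chain:
        chain.append(cur)
        kind = classify(fat[cur])
        if kind == "end-of-chain":
            return chain
        if kind != "allocated":
            raise ValueError("cluster %d is %s" % (cur, kind))
        cur = fat[cur]
    raise ValueError("FAT loop at cluster %d" % cur)

def fat_datetime(date, time):
    """FAT packs a date as (year-1980)<<9 | month<<5 | day and a time as hour<<11 | minute<<5 | second/2."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F, time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_dir_entry(raw):
    """Decode a 32-byte short-name directory entry: name, ext, attributes, modified time, first cluster, size."""
    wtime, wdate, first, size = struct.unpack_from("<HHHI", raw, 22)
    deleted = raw[0] == 0xE5              # deleting a file only overwrites the first name byte
    name = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii")
    return {"deleted": deleted, "name": name.rstrip(), "ext": raw[8:11].decode("ascii").rstrip(),
            "attr": raw[11], "mtime": fat_datetime(wdate, wtime), "first_cluster": first, "size": size}

def read_file(data, fat, entry):
    """Recover a file's bytes: a live file follows its chain; a deleted file's chain was zeroed,
    so recovery assumes contiguous clusters from the first one (correct only if it really was)."""
    count = -(-entry["size"] // CLUSTER)                      # ceil(size / cluster)
    clusters = (range(entry["first_cluster"], entry["first_cluster"] + count) if entry["deleted"]
                else cluster_chain(fat, entry["first_cluster"]))
    raw = b"".join(data[(c - 2) * CLUSTER:(c - 1) * CLUSTER] for c in clusters)   # data region starts at cluster 2
    return raw[:entry["size"]]

def build_sample():
    """Constructed volume: NOTES.TXT lives in clusters 3 -> 5 -> 4 (out of order); OLD.LOG was deleted at cluster 6."""
    fat = [0xFFF8, 0xFFFF, 0x0000, 5, 0xFFFF, 4, 0x0000]   # entries 0 and 1 are reserved; OLD.LOG's entry was zeroed
    data = b"\0" * CLUSTER + b"A" * CLUSTER + b"C" * CLUSTER + b"B" * CLUSTER + b"old log data".ljust(CLUSTER, b"\0")
    def entry(name, ext, first, size, deleted=False):
        e = bytearray(name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + b"\0" * 10)
        if deleted:
            e[0] = 0xE5
        return bytes(e) + struct.pack("<HHHI", 0x4A20, 0x4C5B, first, size)   # 09:17:00 on 2018-02-27
    return fat, data, [entry("NOTES", "TXT", 3, 1100), entry("OLD", "LOG", 6, 12, deleted=True)]
```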
File System: EXT
• Inodes
  • Files associated with an inode number
  • Stores metadata on files and directories
  • Two types of inodes
    • Direct – fixed number, stored in file system portion
    • Indirect – flexible number, stored in data portion
    • Chains like FAT: doubly indirect, triply indirect…
• Tip: ‘ls -i’ shows inode numbers
File System: Journaling
• Keeps track of changes to be made in a circular log
• On crash, system reads journal and makes changes to regain consistent state
• All entries are checksummed; if they don’t match, don’t replay
File Carving
• Basic file carving
  • Typically uses predictable file headers/signatures to independently identify files without the use of other (file system) information
  • Cornerstone of forensics – restore deleted files
  • Generally limited to contiguous clusters, cannot find data fragmented across a disk unless the format is predictable (eg: SQLite)
• Advanced file carving
  • Interesting research being done on this
  • Based on very complex statistics to predict likely file chains
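An added example (not from the deck, and not Scalpel's code) of basic header/footer carving over a constructed image. It finds the deleted JPEG without any file-system help, reports the header whose body was overwritten as incomplete, and, for the JPEG split across clusters 0 and 2, carves a file with the PNG's bytes wedged inside it, which is the fragmentation limit the slide describes. The signature table and the 4096-byte cluster size are assumptions.

```python
CLUSTER = 4096   # files start on cluster boundaries, so a basic carver only tests for headers there

# Header/footer signatures for two common formats (real carvers such as Scalpel ship a long table)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image, max_size=8 * 1024 * 1024, align=CLUSTER):
    """Basic signature carving: test every cluster boundary for a known header, then cut from the
    header to the next matching footer. No file-system metadata is consulted, so deleted files in
    unallocated space are found exactly like live ones. Each hit is (offset, type, bytes, complete);
    complete is False when no footer turned up within max_size (overwritten or fragmented data)."""
    hits = []
    for off in range(0, len(image), align):
        for kind, (head, foot) in SIGNATURES.items():
            if not image.startswith(head, off):
                continue
            end = image.find(foot, off + len(head), off + max_size)
            if end == -1:
                hits.append((off, kind, image[off:off + max_size], False))
            else:
                hits.append((off, kind, image[off:end + len(foot)], True))
    return hits

def build_sample_image():
    """Constructed 6-cluster image that exercises the carver's limits:
    cluster 0: first half of a JPEG (footer not in this cluster)   cluster 3: a deleted but intact JPEG
    cluster 1: a complete PNG                                       cluster 4: a JPEG header whose body was overwritten
    cluster 2: second half of the cluster-0 JPEG plus its footer    cluster 5: never used"""
    jpg_head, jpg_foot = SIGNATURES["jpg"]
    png_head, png_foot = SIGNATURES["png"]
    pad = lambda b: b.ljust(CLUSTER, b"\0")
    return b"".join([
        jpg_head + b"\xe0" + b"J" * (CLUSTER - 4),
        pad(png_head + b"P" * 100 + png_foot),
        pad(b"J" * 200 + jpg_foot),
        pad(jpg_head + b"\xe0" + b"D" * 300 + jpg_foot),
        pad(jpg_head + b"\xe0" + b"X" * 64),
        b"\0" * CLUSTER,
    ])

if __name__ == "__main__":
    for off, kind, data, complete in carve(build_sample_image(), max_size=3 * CLUSTER):
        status = "complete" if complete else "no footer within max_size (fragmented or overwritten)"
        print("cluster %d: %s, %d bytes, %s" % (off // CLUSTER, kind, len(data), status))
```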
Forensic Suites
• Guidance Software EnCase
  • Industry standard, highly extensible
• AccessData Forensic Toolkit (FTK)
• Cellebrite UFED
• Open source
  • Scalpel – file carving
  • Volatility – powerful memory analysis
Demo: EnCase 6 and FTK 4
Resources
• http://www.forensicfocus.com
• http://www.forensicswiki.org
• http://computer-forensics.sans.org/blog
• http://www.appleexaminer.com/
• http://hexstr-morgan.blogspot.com/
• http://tech.groups.yahoo.com/group/win4n6/messages