CERT-In 1
Computer Forensics
Omveer Singh, Additional Director / Scientist ‘E’
Indian Computer Emergency Response Team (CERT-In)
Department of Information Technology
Ministry of Communications & Information Technology
Government of India
New Delhi
Agenda
• Cyber Forensics
• Computer crime investigation Methodology
• Storage Media Forensics
• Digital Evidence Examination Process
  – Acquisition, Analysis, Interpretation, Presentation
• Imaging the digital evidence (storage media)
• Computer Forensics Toolkits
• Anti-Forensics, Steganography
• References
What is Computer forensics…?
Most of the time, criminals leave some clues, traces or a trail at the crime scene, and these are searched for as evidence.
But sometimes the evidence being analysed is not a bloodstain, a footprint, or a tool mark; the evidence is in electronic form.
But a “trail” of electronic fingerprints ...
The bits and bytes of data hidden inside a computer can be forensically pieced together.
How the investigator pieces these secrets together from the electronic media is called computer forensics.
What is Computer Forensics?
A process of applying scientific & analytical techniques to computers, networks, digital devices, & files to discover or recover admissible evidence.
Computer Forensics
Computer Forensics is not just about computers, it is essentially about:
• Correct processes of investigation
• Rules of evidence
• Integrity of evidence
• Clear and concise reporting of factual information
• Provision of expert testimony.
Computer forensic investigations
• Computer Crime Investigation
• Cyber Crime Investigation
• Detection and Investigation of Malicious Applications
• Data recovery
What is Computer Forensics??
– Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
– Evidence might be required for a wide range of computer crimes and misuses
– Multiple methods of
  – Discovering data on computer system
  – Recovering deleted, encrypted, or damaged file information
  – Monitoring live activity
  – Detecting violations of corporate policy
– Information collected assists in arrests, prosecution, termination of employment, and preventing future illegal activity
What is Computer Forensics??
• What Constitutes Digital Evidence?
  – Any information, being subject to human intervention or not, that can be extracted from a computer.
  – Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
• Computer Forensics Examples
  – Recovering thousands of deleted emails
  – Performing investigation post employment termination
  – Recovering evidence post formatting hard drive
  – Performing investigation after multiple users had taken over the system
Computer Forensics – why ?
• Some of the common practices may destroy digital evidence. Direct analysis will make it unacceptable in a court of law (tampered evidence)
Digital Evidence is -
• Latent, like fingerprints or DNA
• Extremely fragile & resilient; can be altered, damaged or destroyed easily
• Can transcend borders with ease & speed (networked systems)
Computer Crime Investigation Methodology
• Analysis of evidence is carried out virtually at a physical location (lab).
• Search for some direct information from the evidence that may have significance in the case.
• Computer Forensics traditionally relies upon the data inadvertently left on disk by the SW application programs / tools.
Subcategories of Computer Forensic Analysis
• Source Code Analysis
• Network Analysis
• Storage Media Analysis
Source Code Forensics
• To examine software source code for malicious signatures
• To determine software ownership or software liability issues.
  – Review of actual source code.
  – Examination of the entire development process, e.g., development procedures, documentation review, and review of source code revisions.
Who Uses Computer Forensics?
• Criminal Prosecutors
  – Rely on evidence obtained from a computer to prosecute suspects and use as evidence
• Civil Litigations
  – Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
• Insurance Companies
  – Evidence discovered on a computer can be used to reduce costs (fraud, worker’s compensation, arson, etc.)
• Private Corporations
  – Evidence obtained from employee computers can be used in harassment, fraud, and embezzlement cases
Computer Forensics - Objectives
• To identify the digital evidence (should be acceptable in a court of law)
• To investigate and analyse the digital evidence & find the relevant data / documents
• To reconstruct the chain of events
• To identify the computer & user (?) responsible for the crime.
Computer Forensic Investigations
Limitation :
• Investigation can only identify the system & user-id through which the cyber crime was performed, not the person who carried out the cyber crime.
Solution :
• Follow security policy strictly
• Login Id & Password should not be shared
• Have physical access controls
• Have video recording & monitoring facility for the systems with critical importance
Computer Forensic Investigation – 2 roles
• First Responder
  – record the crime site scene
  – collect volatile evidence
  – image the disks (??)
  – contain intrusion (if any)
  – preserve, protect, pack, seal the evidence
  – transport for analysis
• Digital Evidence Computer Forensics Examiner (Investigator)
Duties of First Responder
To coordinate with –
• Law enforcement Agencies (Police)
• Organisation, management
• Forensic Investigator
• Court of Law
First Responder’s Toolkit
• Log Book
  – To record all actions / events with date & time chronologically
• Safe Boot CD / Floppy
• Digital camera (or cellphone with digicam)
• Tools for
  – Imaging of media (non volatile data collection)
  – Volatile data collection
First Responder’s Log Book
• Timeline of events
• Audit trail during collection of evidence
• Who is performing the forensic collection?
• History of executed forensic tools and commands
• Generated output from forensic tools & commands
• Date & time of executed commands & tools
• Expected system changes or effects due to use of tools
Storage Media Forensics
• Storage Media Forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.
– includes recovery of hidden/deleted data/files.
Storage media to be examined for finding/recovery of relevant evidence in :
• Office files
• Deleted files of all kinds
• Encrypted Files
• Compressed Files
• Hidden Files
• Hidden Partitions
• Bad File Extensions
• Cache files
• Registry
• Unallocated Space
• File Slack
• Metadata
• Recycle Bin
• Temp files
• Hidden Data in files
Forensic Examination Process of Digital Evidence
• Acquisition
  – Imaging & Authentication
• Analysis
• Interpretation
• Presentation
4 Steps of Computer Forensics
Acquisition
• Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
Analysis
• This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites
4 Steps of Computer Forensics
Interpretation
• Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
Presentation
• This step involves the presentation of the evidence discovered in a manner which is understood by lawyers, non-technical staff/management, and suitable as evidence in a court of law
Digital Evidence : Search & Seizure
• Formulate Plan
• Approach & Secure Crime Scene
• Document Crime Scene Layout
• Identify suspected system(s)
• Seize Evidence
• Preserve & Protect Evidence
• Pack, Seal & Transport Evidence
Seizing of Digital Evidence
• Search Warrant
• Legal Authorisation
• Case Profile
• Evidence Seizure Note
• ISP log details
• Remote storage locations
• Potential evidences
• Skill level of users
Case Profile Documentation
• How was the incident detected?
• What is the scenario of the incident?
• What time did the incident occur?
• Who or what reported the incident?
• What hardware & software are involved?
• Who are contacts for the involved personnel?
• How critical is the suspicious computer?
Handling the digital evidence
• Handle the original evidence as little as possible to avoid changing the data.
• Establish and maintain the chain of custody.
• Document everything that has been done.
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
Digital Evidence should be -
1. Admissible, conform to legal requirements
2. Authentic, relevant to the case
3. Complete, & not just extracts
4. Reliable - collected & handled appropriately
5. Believable & understandable
(called 5 rules for electronic evidence)
Digital / Electronic Evidence – Why ?
• Wide range of computer crimes and misuses
  – Non-Business Environment: evidence collected by Law Enforcement Agencies (LEAs) for crimes relating to:
    • Theft of trade secrets
    • Fraud
    • Extortion
    • Industrial espionage
    • Possession of pornography
    • SPAM investigations
    • Virus/Trojan distribution
    • Homicide investigations
    • Intellectual property breaches
    • Unauthorized use of personal information
    • Forgery
    • Perjury
Digital / Electronic Evidence – Why ?
• Computer related crime and violations include a range of activities including:
  – Business Environment:
    • Theft of or destruction of intellectual property
    • Unauthorized activity
    • Tracking internet browsing habits
    • Reconstructing Events
    • Inferring intentions
    • Selling company bandwidth
    • Wrongful dismissal claims
    • Sexual harassment
    • Software Piracy
Digital Evidence - Types
• Volatile Storage (Non-persistent data)
  Memory loses its contents if power is turned off. RAM (except the CMOS RAM used in BIOS) contents are volatile.
• Non-volatile Storage (Persistent data)
  No change in memory contents if power is turned off. Tape or disk (magnetic/optical storage), ROM are non-volatile.
Order of Volatility of Digital Evidence
1. Registers & Cache
2. Routing tables
3. ARP Cache
4. Process Table
5. Kernel statistics & modules
6. Main memory (RAM)
7. Temporary System files
8. Secondary Memory
9. Router Configuration
10. Network Topology
Digital Evidence Handling at Crime Site
• Document the Crime Scene - OS (Ver.), BIOS date & time (and difference, if any), H/w & S/w Configuration, IP / MAC address
• Computer System : shutdown / power off ?
• Identify Evidence & Authenticate through 32 / 64 bit Hash (CRC, MD5 checksum)
• Make Bit-stream copy / image of the seized storage media
Digital Evidence Handling at Crime Site (contd ..)
• Label all the connecting cables and take photographs
• Document the chain of custody
• Preserve the Evidence before packing for transportation
• Securely pack & transport the Evidence to lab
Digital Evidence Handling at Crime Site (contd ..)
• Store the seized org. evidence in a protected storage
• Transfer the Computer System to a locked secure location
“Best Practices for Seizing Electronic Evidence Ver. 3” may be downloaded from - http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
Digital Evidence Handling : Best Practices
• Follow the organisation’s Security Policy
• Maintain integrity of org. evidence
• Secure the original evidence
• Never work on original evidence
• Minimise handling of original data & its corruption
• Document the changes noticed, if any, and log all the actions
Digital Evidence Handling : Best Practices (contd ..)
• Always backup the discovered information
• Document (log) all the investigative activities
• Don’t exceed your knowledge
• Always remember – you are required to testify in a court of law
• Ensure your actions are repeatable
Digital Evidence Handling : Best Practices (contd ..)
• Capture an accurate bit image of the original evidence
• Proceed with data collection from volatile to non-volatile evidence
• Don’t shutdown the system before collecting volatile evidence
• Don’t run any application on the affected system
• Don’t alter the discovered information
Processing Evidence from Computer Crime Site
• Start the Lab Evidence Log
• Mathematically authenticate the Storage Media (Disk)
• Generate Bit stream backup (image) of the Storage media, hard disk(s), etc.
• Proceed with the Forensic Examination
Why Create a Duplicate Image?
• A file copy does not recover all data areas of the device for examination
• Examining a live file system changes the state of the evidence (MAC times)
• Working from a duplicate image
  – Preserves the original evidence
  – Prevents inadvertent alteration of original evidence during examination
  – Allows recreation of the duplicate image if necessary
Logical Vs Physical Backup
• What is logical back up?
A logical backup copies the active directories and files of a logical volume. It does not capture other data that may be present on the media, such as deleted files or residual data stored in the slack space.
• What is forensic imaging (physical backup)?
Generating a bit-for-bit copy of the original media, including free space and slack space; also called a physical backup.
Disk (digital evidence) Imaging
• Maintain integrity & security of the org. evidence – use HW write blockers
• Bit by bit copy; no change in the sequence & location of data – exact replica, but may be stored in a different type of media
• Usually done by copying sector by sector
• Forensically sound copy of the org. evidence
• Above means – swap file, unallocated space & file slack are also copied
• Time consuming process
Disk Imaging Tools Requirements
• The tool should make a bit-stream duplicate or an image of an original disk or partition.
• The tool should not alter the original contents of the disk.
• The tool should be able to verify the integrity of a disk image file.
• The tool should log I/O errors.
• The tool’s documentation should be correct.
Disk Imaging Hardware
• Forensic mobile field system (MFS)
  – Laptop with NIC
  – Portable workstation
Points to remember when imaging a hard disk
• Ensure the suspected disk is connected through H/W write blocker.
• The destination disk should be a freshly wiped disk, even if it is new.
• Entire disk imaging is better than partition (Volume) wise imaging.
• Every action should be documented.
Disk Write Blockers
• Prevent writing of data to the suspect original drive
• Ensure the integrity of the suspect original drive
• Software Write Blockers v/s Hardware Write Blockers
Hardware Write Blocker
• A hardware write blocker (HWB) is a hardware device that is physically connected between the computer system and the storage device with the primary purpose of preventing (or ‘blocking’) any inadvertent writing to the storage device.
• Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.
Disk Imaging Tools
• dd (linux, win)
• SafeBack (win)
• SnapBack DatArrest
• Drive Image Pro
• R-Drive Image
• FTK’s built-in feature
SW based imaging takes a lot of time. To save time, use HW based drive imaging equipment.
Authentication
• Original evidence, once identified, MUST be used only with write blockers for avoiding inadvertent writing of data to it.
• On acquisition of original evidence, immediately make its forensic image (using write blockers) and compute the MD5 hash value of its image files.
• For making a forensic image / cloning of hard disk (evidence) always use freshly wiped Hard Disk.
• Always make at least two clones of original evidence and authenticate these by verifying their MD5 hash values with that of the original forensic image.
Verification of Integrity of Evidence
• A hash function is a well-defined mathematical function for calculating the digest of data (evidence as a file) into a hexadecimal integer. The value returned by a hash function is called hash value, hash code, checksum, message digest or simply hash.
• Like a fingerprint of a file
• Cannot provide any other detail about the data / file (evidence)
• If evidence is altered in any way, its hash value will also change.
• MD5 (128 bit), SHA-1 (160 bit)
Why data hashing needed?
• Digital data is vulnerable to intentional or unintentional alteration
• Integrity of digital evidence is required to be maintained, starting from seizure till analysis
• Forensic examiners have to ensure that digital evidence is not compromised during the computer forensic analysis process.
• To do this, we need a digitalized tag for managing the digital evidence
  – A fingerprint of the digital evidence could be a digitalized tag
Integrity of Digital Evidence
Integrity check through verification of –
• Message Digest Algorithm Ver. 5 (MD5) checksum / hash value – 128 bits (32 Hex Digits)
• SHA-1 – 160 bits (40 Hex Digits)
Proof of Integrity of image of the digital evidence -
Tool : md5sum.exe (win, linux)
> md5sum <filename>
Demonstration
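The authentication workflow from the slides above (image the evidence, record the hash, verify each clone against the image hash, and detect any alteration), as an added example that is not from the CERT-In deck. The "image" is a constructed byte string written to a temporary directory so it runs offline; md5sum on the same files reports the same digests.

```python
"""Authenticating a forensic image and its clones with MD5 and SHA-1.

Added example, not from the CERT-In slides. The "medium" is a constructed
byte string written to a temporary directory so the demonstration runs
offline; md5sum/sha1sum on the same files would report identical digests.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1")
CHUNK = 1024 * 1024  # hash in 1 MiB chunks: never load a disk image whole


def digest_file(path: str, algorithms=ALGORITHMS) -> dict:
    """Return {algorithm: hex digest} for a file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Same digests for an in-memory buffer (useful for quick checks)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_clone(reference: dict, clone_path: str) -> bool:
    """A clone is authentic only if every digest recorded for the image matches."""
    actual = digest_file(clone_path, tuple(reference))
    return all(actual[name] == reference[name] for name in reference)


def demo() -> dict:
    """Image a constructed medium, verify two clones, then catch a tampered one."""
    # Constructed sample medium: a zeroed region, some text sectors, 0xff fill.
    medium = (b"\x00" * 4096 + b"constructed evidence sector " * 64).ljust(64 * 1024, b"\xff")
    with tempfile.TemporaryDirectory() as lab:
        image = os.path.join(lab, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(medium)
        reference = digest_file(image)  # what goes into the lab evidence log

        clones_ok = []
        for n in (1, 2):  # the slides ask for at least two clones
            path = os.path.join(lab, f"clone{n}.dd")
            with open(image, "rb") as src, open(path, "wb") as dst:
                dst.write(src.read())
            clones_ok.append(verify_clone(reference, path))

        # A single flipped bit anywhere in a copy must fail verification.
        tampered = os.path.join(lab, "clone3.dd")
        data = bytearray(medium)
        data[5000] ^= 0x01
        with open(tampered, "wb") as fh:
            fh.write(data)
        tampered_ok = verify_clone(reference, tampered)

    return {
        "md5": reference["md5"],
        "sha1": reference["sha1"],
        "md5_hex_digits": len(reference["md5"]),
        "sha1_hex_digits": len(reference["sha1"]),
        "clones_verified": all(clones_ok),
        "tampered_clone_verified": tampered_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```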
Methods of Hiding Data
• Watermarking: Hiding data within data
  – Information may be hidden in any of the file formats.
  – Media files with more room for compression are the best -
    • Image files (JPEG, GIF)
    • Sound files (MP3, WAV)
    • Video files (MPG, AVI)
  – Hidden information may be encrypted too
  – Many tools are freely available online
Methods of Hiding Data
• Media files contain images and sounds. These files are exploited using new, controversial logical encodings: steganography.
• Steganography: The art of storing information in such a way that its existence is hidden and not detectable by a general user.
Methods of Hiding Data
• Hard Drive/File System manipulation
  – File Slack is the space b/w the last byte of a file and the first byte of the next cluster. The logical end of a file comes before the physical end of the cluster in which it is stored. The remaining bytes in the cluster are remnants of previously deleted files or directories stored in that cluster.
    • File Slack can be accessed and written using a hex editor or a tool.
    • This does not change the “used space” information of the drive, dir or file
  – Partition waste space is the rest of the unused track on which the boot sector is stored – usually 10s, possibly 100s of sectors are skipped
    • After the boot sector, the rest of the track is left empty
File Slack
• Green : Space used by file for data storage (Sectors 1 to 5).
• Red : Unused sectors in the last cluster. File Slack or Slack Space (Sectors 6 to 8)
• Blue : RAM Slack (Sector 5)
(1 Cluster = 8 Sectors = 8 * 512 Bytes = 4096 Bytes = 4 KB; i.e. min. size of a file in NTFS on a hard disk)
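The logical vs physical backup distinction and the file slack drawn in the figure above, as an added example that is not from the CERT-In deck: an in-memory "disk" with 8 x 512-byte sectors per cluster stands in for a real medium, and the remnant text that survives in the slack is constructed sample data.

```python
"""Logical copy vs bit-stream image on a simulated 8-sector-cluster disk.

Added example, not from the CERT-In slides. A bytearray stands in for the
storage medium so this runs offline; the "deleted file" text that remains in
the slack sectors is constructed sample data.
"""
SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 4096 bytes, as in the figure


def sectors_needed(size: int) -> int:
    """Sectors a file of `size` bytes occupies (ceiling division)."""
    return -(-size // SECTOR)


def write_file(disk: bytearray, directory: dict, name: str, cluster: int, data: bytes) -> None:
    """Allocate one cluster to a file and write its data.

    Only bytes up to the end of the file's last sector are touched: the data,
    then zero-fill to the sector boundary (RAM slack, blue in the figure). The
    remaining whole sectors (file slack, red) keep whatever they already held.
    """
    assert len(data) <= CLUSTER, "single-cluster files only in this model"
    start = cluster * CLUSTER
    used = sectors_needed(len(data)) * SECTOR
    disk[start:start + len(data)] = data
    disk[start + len(data):start + used] = bytes(used - len(data))
    directory[name] = (cluster, len(data))


def delete_file(directory: dict, name: str) -> None:
    """Deletion removes only the directory entry; the cluster data remains."""
    del directory[name]


def logical_copy(disk: bytearray, directory: dict) -> dict:
    """What a file-level (logical) backup captures: active files at logical size."""
    return {name: bytes(disk[c * CLUSTER:c * CLUSTER + size])
            for name, (c, size) in directory.items()}


def physical_image(disk: bytearray) -> bytes:
    """Bit-for-bit copy of the medium: slack and unallocated space included."""
    return bytes(disk)


def slack_region(disk: bytearray, cluster: int, size: int) -> bytes:
    """Bytes between the logical end of a file and the end of its cluster."""
    start = cluster * CLUSTER
    return bytes(disk[start + size:start + CLUSTER])


def demo() -> dict:
    disk = bytearray(4 * CLUSTER)
    directory: dict = {}
    # Constructed sample: an old file fills cluster 1 completely, then is deleted.
    marker = b"DELETED-EVIDENCE "
    remnant = (marker * (CLUSTER // len(marker))).ljust(CLUSTER, b"X")
    write_file(disk, directory, "old.txt", 1, remnant)
    delete_file(directory, "old.txt")
    # A new 2300-byte file reuses cluster 1: sectors 1-5 used, 6-8 are slack.
    size = 2300
    write_file(disk, directory, "report.txt", 1, b"R" * size)

    logical = logical_copy(disk, directory)
    image = physical_image(disk)
    used = sectors_needed(size)
    return {
        "file_size": size,
        "sectors_used": used,
        "ram_slack_bytes": used * SECTOR - size,
        "file_slack_sectors": SECTORS_PER_CLUSTER - used,
        "total_slack_bytes": CLUSTER - size,
        "remnant_in_logical_copy": marker.strip() in b"".join(logical.values()),
        "remnant_in_image": marker.strip() in image,
        "remnant_in_slack": marker.strip() in slack_region(disk, 1, size),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```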
Tool
• Slacker
  – For hiding a file in slack space
    > slacker –s <filename> <metadata>
  – For restoring a file from slack space
    > slacker –r <metadata>
Methods of Hiding Data
• Hard Drive/File System manipulation cont…
  – Hidden drive space is non-partitioned space in-between partitions
    • The File Allocation Table (FAT) is modified to remove any reference to the non-partitioned space
    • The address of the sectors must be known in order to read/write information to them
  – Bad sectors occur when the OS attempts to read info from a sector unsuccessfully. After a (specified) # of unsuccessful tries, it copies (if possible) the information to another sector and marks (flags) the sector as bad so it is not read from / written to again
    • users can control the flagging of bad sectors
    • Flagged sectors can be read from / written to with direct reads and writes using a hex editor
Methods of Hiding Data
• Hard Drive/File System manipulation cont…
  – Extra Tracks: most hard disks have more than the rated # of tracks to make up for flaws in manufacturing (to keep them from being thrown away for failing to meet the minimum #).
    • Usually not required or used, but with direct (hex editor) reads and writes, they can be used to hide/read data
  – Change file names and extensions – i.e. rename a .doc file to a .dll file
Host Protected Area (HPA)
• The Host Protected Area is a special area of the disk that can be used to save data.
• The size of this area is configurable using ATA commands
• Many disks have an HPA size of 0 by default
• HPA introduced in ATA-4
• Generally used to store Vendor Information that cannot be erased by the user when they format the DISK
Host Protected Area (HPA)
• HPA can be set at the end of the disk
• 1 GB is Host Protected Area
Device Configuration Overlay (DCO)
• In addition to HPA, data can also be hidden using DCO.
• Introduced in ATA-6
NTFS : Alternate Data Streams (ADS)
• NTFS supports multiple streams of data, ADS, to store file details
• Added to NTFS for supporting the Mac Hierarchical FS
• Files can be hidden in ADS, and mostly go undetected
• Allows multiple files (streams) to be attached to ANY file
• Windows does not have any built-in tool for listing ADS
  – Files stored in an ADS will not show up in listings
  – File size of carrier does not show an increase
ADS - Characteristics
• ADS have no attributes of their own
• The Streams can only be executed if called directly by a program with the full path to the file given.
• None of the Internet protocols enabling file transfer such as SMTP, FTP etc. support streams. This means that ADS can't be sent via the Internet. However, files containing ADS can be sent across a local LAN provided the target drive is in the NTFS format.
• In certain cases, streams have been used to remotely exploit a web server. Some web servers are susceptible to having their file source read via the ::$DATA stream. If a server side script such as PHP or ASP is running on a web server which is not patched properly, instead of getting output as a result of processing the script, the source code of the ASP/PHP file could be viewed by using a URL like this:
  – http://www.abcd.com/index.asp::$DATA
Creating & Executing ADS
• Type (command to create ADS)
C:\>type notepad.exe>try.txt:virus.exe
(To create an ADS file virus.exe and attach it to the file try.txt. In the directory you will just see try.txt, and not virus.exe. Run LADS, and you will see the ADS.)
• Start (command to execute ADS, FoundStone)
C:\>start /B try.txt:virus.exe
Imp. note: The /B option allows the attacker to run the command without spawning a new window (which could alert the user that something is going on without his knowledge)
  – As you can see from the snapshot, there is no change in the size of try.txt. The only visible change is in the modification date and time of try.txt, which is overlooked by many users
List the ADS
C:\test>lads c:\ (http://www.heysoft.de)
- Displays all the ADS files created in this folder
LNS – List NTFS Streams (http://ntsecurity.nu/toolbox/lns/)
• LNS is a tool that searches for NTFS streams (alternate data streams or multiple data streams). This can be useful in a forensic investigation.
SFind (Foundstone)
• SFind scans the disk for hidden data streams and lists the last access times.
Other ADS Detecting Tools
• Streams (SysInternals) – Works same as LADS
C:\>streams –s c:\
• Crucial ADS
• ADS Detector (a plug in for Internet Explorer)
• ScanADS (Kodeit)
Hijackthis
• Hijackthis is an award winning tool which examines certain key areas of the Registry and Hard Drive and lists their contents.
• Hijackthis includes many other tools such as StartupList log, Ads Spy, Hosts file manager, etc. which make it one great tool for any administrator. (http://www.merijn.org/files/hijackthis.zip)
Deleting ADS from a file
• An ADS attached to a file can be removed by using the following methods:
1. Using tools such as ADS Spy, Hijackthis, Streams.exe, or from the streams tab in the properties window of a file
2. Copying the file to a Non-NTFS file system such as FAT32 which does not support ADS
3. Moving the contents of the main unnamed stream into another file by using the following commands:
c:\>ren file.txt try.txt
c:\>type try.txt>file.txt
c:\>del try.txt
While Examining Digital Evidence -
• Trust none - Verify all & everything
• Never rely on a single tool. Use multiple tools to cross-validate the results
• Follow organisation’s Security Policy
• Always backup the discovered information
• Never exceed your knowledge
• Always remember that you are required to testify in a court of law
• Ensure that your actions are repeatable
Evidence Examination
• Preparation
• Extraction
  – Physical
  – Logical
• Analysis of extracted data
  – Timeframe Analysis
  – Data hiding Analysis
  – Application & file analysis
  – Ownership & possession
• Conclusion
Analysis of Digital Evidence
• Analysis of data on storage media
• Discovery/cracking of passwords
• Keyword searches
• Extracting emails
• Extracting picture files
Objectives of Evidence Analysis
• Whether the system user exceeded or abused his access privileges?
• Whether the specific system transaction was made during the given period of time, & who did it?
• Accounting for the activities of user(s) on the system during the given period of time
• Tracking e-mail message(s) back to their source
Methodology for Evidence Analysis
1. Refer to the case profile & make a list of relevant keywords
2. Evaluate all log files (including Firewall, IDS, Router, etc., as applicable)
3. Update the list of relevant keywords based on the above
4. Search the evidence for keywords
5. Keyword Search Results - Document the file names with date & time
6. Update the list of keywords based on data in relevant files & go to step 4
7. Record all - observed v/s expected files, folders, binaries, www data, emails, file conditions, etc.
Digital Evidence : Analysis
• Manual analysis of encrypted, compressed and graphics files
• Have more than one copy of the bit stream image of storage media for analysis / examination
• Applications (executable files) – run & learn their purpose. (Destructive processes ?)
• Recycle Bin / Trash
Digital Evidence : Analysis
• Discover & evaluate swap, temp / tmp, file slack, meta-data and artifacts
• Explore & evaluate all allocated as well as unallocated space (for recovery of hidden / deleted files / partitions) in the bit stream image using a tool.
• Never go beyond the task assigned
Password Discovery Tools
• Asterisk Logger
• AsterWin IE
• Network Password Recovery
• Protected Storage PassView
• Passware
• MessenPass (for IM)
• Mail PassView (e-mail)
• Brute Force
• AccessData FTK
• Rainbow Tables
Digital Evidence Analysis Strategy
• It is better to analyse the digital evidence in an isolated virtual environment, such as VMWare
• Have VMware images of the 2-3 most used operating systems (e.g. win, linux)
• Only 1 case should be analysed on 1 virtual machine
• A system may have more than 1 virtual machine of the same or diff. OS
Windows Registry
• Some applications’ passwords are stored there
• Some SW applications register name, company, license, address and time/date of installation
• Uninstallation of a program leaves forensic ‘residue’
• Browser settings
• Registry keys
  – Used by various malware
  – The ubiquitous "Run" Key
  – Services
• ClearPagefileAtShutdown Registry Key
• StartUp directories
Forensic Analysis of the Registry
• The Registry contains important information such as :
  – Usernames and Passwords for programs, e-mails, IP Address and Internet sites
  – A history of internet sites accessed, including date, time and queries.
  – List of recently accessed files
  – A list of software installed in the system.
• The registry information is primarily stored in Windows XP and 2000 in the following files.
  – SAM
  – SYSTEM
  – SECURITY
  – SOFTWARE
  – NTUSER.DAT
These files may be seen in the folder \windows\system32\config\
What is Windows Registry?
• Windows Registry
  – is a central hierarchical database used in MS Windows systems
  – has much system configuration information
    • hardware / software settings / installed device drivers
• Computer forensics analyst
  – can discover a lot of information pertaining to the suspect
Registry: A Wealth of Information
Information that can be recovered include:
– System Configuration
– Devices on the System
– User Names
– Personal Settings and Browser Preferences
– Web Browsing Activity
– Files Opened
– Programs Executed
– Passwords
History of Registry
• DOS– config.sys / autoexec.bat
• Windows 3.0– program.ini / control.ini / win.ini / system.ini
• Windows 3.1– included 1st Windows registration table
• Since Windows NT– NT Registry (more flexible & capable)
NT Registry
• Windows XP has 5 registry files
  – HKEY_CLASSES_ROOT (HKCR)
  – HKEY_CURRENT_USER (HKCU)
  – HKEY_LOCAL_MACHINE (HKLM)
  – HKEY_USERS (HKU)
  – HKEY_CURRENT_CONFIG (HKCC)
Windows Registry Hives
• Windows Registry’s path on Windows XP – %SystemRoot%\system32\config
Registry Hives                        Related files
HKEY_LOCAL_MACHINE/SAM                Sam, Sam.log
HKEY_LOCAL_MACHINE/Security           Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE/System             System, System.alt, System.log, System.sav
HKEY_CURRENT_CONFIG                   System, System.alt, System.log, System.sav, NTUser.dat, NTUser.dat.log
HKEY_USERS/DEFAULT                    Default, Default.log, Default.sav
HKEY_CURRENT_USER, HKEY_USERS/[SID]   NTUser.dat, NTUser.dat.log
Registry Managing Tools
• Regmon : http://www.sysinternals.com
• WinResCue : http://www.superwin.com
• Crawler : http://www.4developers.com
• Tweak : http://www.jockesoft.com
• Winboost : http://www.magellass.com
• Reganal : http://www.balwork.com
Registry Forensics
• Yahoo messenger
  – Chat rooms
  – Alternate user identities
  – Last logged in user
  – Encrypted password
  – Recent contacts
  – Registered screen names
Registry Forensics
• System:
  – Computer name
  – Dynamic disks
  – Install dates
  – Last user logged in
  – Mounted devices
  – Windows OS product key
  – Registered owner
  – Programs run automatically
  – System’s USB devices
Windows Information
• HKLM\Software\Microsoft\Windows NT\CurrentVersion
• This key contains information about installed software and Windows
  – CSDVersion : installed service pack
  – InstallDate : Windows’ install date
    • Unix 32 bit Hex Value – Big Endian
  – PathName & SystemRoot : Windows’ installed path
  – ProductID & ProductName : Microsoft Product ID
  – RegisteredOwner
  – RegisteredOrganization
  – Network Cards
System Configuration Registry
• HKLM/System
  – Need to find the current system control registry key to see the user’s configuration setting
  – ControlSet00x : system configuration setting subkey
  – MountedDevices, used by Logical Disk Manager, has all the known volumes
  – Select subkey remembers which control sets exist on the machine
Windows Shut Down Time
• HKLM/System/ControlSet00x/Control/Windows
  – Information related to Windows
  – ShutdownTime : Windows shut down time
  – Windows 64Bit Date & Time (Little Endian)
System Time Information
• To verify the system time, checking the BIOS time takes precedence over the others
• System time depends on BIOS time
• Procedure for confirming the system install date and shut down time
  – Check the BIOS time after power-on
  – Confirm the current control set in the registry
  – Verify the Time Zone Information
  – Identify install date and shutdown time
IP address & MAC address
• HKLM/System/ControlSet00x/Services/CLSID/Parameters/Tcpip
  – DefaultGateway / IPAddress
• HKLM/Software/Microsoft/Windows NT/CurrentVersion/NetworkCards
  – Network card information installed on the system
  – ServiceName specifies which driver runs the card
• HKLM/System/MountedDevices
  – \??\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
  – Last 12 digits is MAC address
130

Auto Run Program Information
• Programs which run automatically, without the user’s permission, whenever the system boots may be malicious
• HKLM/Software/Microsoft/Windows/CurrentVersion/Run
– This key specifies programs to run when Windows starts
• HKLM/Software/Microsoft/Windows NT/CurrentVersion/Windows
– AppInit_DLLs : .dll files loaded when a GUI application program runs
– A malicious attacker can run whatever .dll files he wants without informing the user

External Storage Information
• HKLM/System/ControlSet00x/Enum/IDE
– This key contains information about storage devices connected via IDE cable
– Key includes manufacturers and model number
• HKLM/System/ControlSet00x/Enum/USBSTOR
– This key contains information about storage devices connected via USB port
– [Device Type]&Ven_[Vendor]&Prod_[Product ID]&Rev_[Version]
– Example : Disk&Ven_ALTECH&Prod_AnyDrive2.0&Rev_2.00
• HKLM/System/ControlSet00x/Enum/USB
– This key contains information about devices connected via USB port
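Added example (not CERT-In’s code) covering both the IP address & MAC address slide and the External Storage Information slide above: parsers for the USBSTOR subkey name format, for the \??\Volume{GUID} value names in MountedDevices, and for the REG_MULTI_SZ layout that the Tcpip IPAddress / DefaultGateway values use. The “last 12 digits” rule holds only for version-1 (time-based) GUIDs, whose node field is the generating NIC’s MAC, so the code checks the version nibble and the multicast bit before reporting an address. The key names, GUIDs and IP value are constructed samples patterned on the slide’s ALTECH example.

```python
"""Parsing USBSTOR device-instance names and MountedDevices volume names.

Added example (not part of the CERT-In deck). The key and value names are
constructed samples shaped like the slide's own example
(Disk&Ven_ALTECH&Prod_AnyDrive2.0&Rev_2.00); the volume GUIDs are invented.
"""
import re
import uuid
from typing import List, Optional

# Enum\USBSTOR subkey: [DeviceType]&Ven_[Vendor]&Prod_[ProductID]&Rev_[Version]
USBSTOR_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$",
    re.IGNORECASE,
)
# MountedDevices value name: \??\Volume{GUID}
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{(?P<guid>[0-9a-f-]{36})\}$", re.IGNORECASE)


def parse_usbstor_id(key_name: str) -> Optional[dict]:
    """Split a USBSTOR subkey name into its device type/vendor/product/revision fields."""
    m = USBSTOR_RE.match(key_name)
    return m.groupdict() if m else None


def mac_from_volume_name(value_name: str) -> Optional[str]:
    """Recover the node (MAC) address from a MountedDevices volume GUID.

    Only version-1 GUIDs carry the generating NIC's MAC in their node field.
    Version-4 GUIDs are random, and a version-1 GUID whose multicast bit is
    set was built from a random node rather than a MAC; both yield None.
    """
    m = VOLUME_RE.match(value_name)
    if not m:
        return None
    guid = uuid.UUID(m.group("guid"))
    if guid.version != 1:
        return None
    node = guid.node
    if node & (1 << 40):  # multicast bit of the first octet
        return None
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def decode_multi_sz(raw: bytes) -> List[str]:
    """REG_MULTI_SZ (e.g. the IPAddress / DefaultGateway values) is a run of
    NUL-terminated UTF-16LE strings ending in an extra NUL."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


# --- constructed samples ---
SAMPLE_USBSTOR_KEYS = [
    "Disk&Ven_ALTECH&Prod_AnyDrive2.0&Rev_2.00",
    "CdRom&Ven_SAMPLEVEND&Prod_USB_DVD&Rev_1.03",
    "NotAUsbstorKey",
]
SAMPLE_VOLUMES = [
    r"\??\Volume{12345678-1234-11d3-abcd-001122334455}",  # version 1, real node
    r"\??\Volume{12345678-1234-11d3-abcd-011122334455}",  # version 1, multicast bit -> random node
    r"\??\Volume{8f2c1e44-3b1a-4c7e-9a1d-5e6f7a8b9c0d}",  # version 4, random
]
SAMPLE_IPADDRESS = "192.168.10.25\x00\x00".encode("utf-16-le")


def scan() -> dict:
    """Parse all samples and return the findings as one dictionary."""
    return {
        "usb_devices": [d for d in map(parse_usbstor_id, SAMPLE_USBSTOR_KEYS) if d],
        "macs": {v: mac_from_volume_name(v) for v in SAMPLE_VOLUMES},
        "ip_addresses": decode_multi_sz(SAMPLE_IPADDRESS),
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(f"{key}: {value}")
```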

Windows XP Registry
• Earlier in win.ini, system.ini
• Located in %SystemRoot%\system32\
• Organised in 5 sections – termed ‘Hives’
• Each hive has keys and subkeys, which contain a value entry
• Each value entry has a name, data type and value
• Windows XP Registry Hives
– HKEY_CLASSES_ROOT (file name-OLE-streams)
– HKEY_CURRENT_USER (sid-user-desktop)
– HKEY_LOCAL_MACHINE (configuration, memory, last boot)
– HKEY_USERS (all user account profiles)
– HKEY_CURRENT_CONFIG (running image)
• Note about .SAV files

Computer Forensic Tool Kits (FTK)
• Provides an integrated Graphical User Interface (GUI) to the set of tools used in the FTK
• Ease of use, follows the steps in sequence
• The investigator need not bother about the tools and their usage syntax, results and documentation

Toolkit Features
• Imaging
• Integrity/Authentication through hash value
• Deleted files
• Files with bad extension
• Files with Slack
• Encrypted/compressed files
• Display of file contents
• Display of file contents in hex format
• Report preparation
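Two of these features in plain Python, as an added example (not code from any toolkit listed on these slides): chunked imaging that hashes the source while copying it and later re-verifies the stored image against the recorded hashes, and a file-signature check that flags files whose extension contradicts their magic bytes. The “disk” being imaged and the sample files are constructed in memory.

```python
"""Imaging with hash verification, and bad-extension detection.

Added example, not code from EnCase, FTK, CyberCheck or any other toolkit
named on the slide. The 'disk' and the sample files are constructed.
"""
import hashlib
import io
import os
from typing import BinaryIO, Dict, List, Optional, Tuple

CHUNK = 4096


def acquire(source: BinaryIO, image: BinaryIO) -> Tuple[str, str]:
    """Copy source to image chunk by chunk, hashing the bytes as they are
    read, the way dd-with-hashing acquisition works. Returns (md5, sha1)
    of the source; MD5 is kept only because older reports list it."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
        image.write(block)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data: bytes) -> Tuple[str, str]:
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def verify_image(acquisition_hashes: Tuple[str, str], image_data: bytes) -> bool:
    """Re-hash the stored image and compare with the hashes recorded at acquisition."""
    return hash_bytes(image_data) == acquisition_hashes


# File signatures (magic numbers) a header must start with.
SIGNATURES: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}
# Content types each extension may legitimately carry (.docx is a zip container).
EXPECTED: Dict[str, set] = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "exe": {"exe"}, "dll": {"exe"},
}


def detect_type(header: bytes) -> Optional[str]:
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def bad_extension(filename: str, header: bytes) -> Optional[bool]:
    """True if the content type contradicts the extension, False if it
    matches, None when either side is unknown and no verdict is possible."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    kind = detect_type(header)
    if ext not in EXPECTED or kind is None:
        return None
    return kind not in EXPECTED[ext]


# Constructed sample files: name -> first bytes of content.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,  # executable renamed to .jpg
    "notes.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 26,
    "readme.txt": b"plain text, no signature",
}


def scan_bad_extensions(files: Dict[str, bytes]) -> List[str]:
    return [name for name, data in files.items() if bad_extension(name, data[:16])]


def demo() -> dict:
    disk = bytes(range(256)) * 300  # constructed 76,800-byte 'suspect disk'
    img = io.BytesIO()
    hashes = acquire(io.BytesIO(disk), img)
    image = img.getvalue()
    tampered = image[:100] + bytes([image[100] ^ 0x01]) + image[101:]  # one flipped bit
    return {
        "md5": hashes[0],
        "verified": verify_image(hashes, image),
        "tampered_verified": verify_image(hashes, tampered),
        "bad_extension_files": scan_bad_extensions(SAMPLE_FILES),
    }


if __name__ == "__main__":
    print(demo())
```

The hashes returned by acquire() are what goes into the report beside the sterile-disk and exhibit details; verify_image() is the check to repeat before the image is handed to the analyst and again before the hearing.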

Computer Forensic Tool Kits
• CyberCheck Suite (C-DAC) : Commercial
• EnCase (Guidance) : Commercial
• FTK (AccessData) : Commercial
• Helix : Freeware
• Autopsy (GUI) + Sleuth Kit : Freeware
• TCT (The Coroner’s Toolkit) : Freeware
• Knoppix STD : Freeware
• ProDiscover : Commercial

Documentation & Reporting
• Case Profile
• Objective
• Computer System Details
• Offenses
• Investigated by
• Examined at
• Tools used

Documentation & Reporting (cont’d …)
• Processing
– Assessment
– Imaging
– Analysis
– Findings
• Conclusion
• Summary
• Glossary
Entries to be included in the Report…
• Ensure the report should be addressed to the case forwarding agency’s address.
• Details about the Chain of Custody i.e. when, who, what , etc,. the case is registered, seized and forwarded to the forensic laboratory
• Number of total pages of the Report including annexure like Glossary, hard copies of vital evidences

Entries to be included in the Report…
• Details about the received suspected media
– i.e. Forensic Lab Marking of Exhibits (Suspected Media).
– Make of the Exhibits.
– Model of the Exhibits.
– Serial number of the Exhibits.
– Capacity / Size of Exhibits.
– Interface of the Exhibits (IDE, SATA, IDE 1.5 (laptop hard disk), SSD (Solid State Disk; flash memory technology)).

Entries to be included in the Report…
• Details about the Sterile disk, i.e. Markings on the Sterile (or new) hard disk.
– Make of the Sterile disk.
– Model of the Sterile disk.
– Serial number of the Sterile disk.
– Capacity / Size of the Sterile disk.
– Cylinders, Heads, Sectors, etc.

Entries to be included in the Report…
• How Imaging was carried out
– Whether offline or through an RJ45 cross cable (network acquisition) using a NIC.
– Whether a hardware write-blocker was used (for connecting the suspected disk) or not.
– Jumper position of both hard disks (suspected and sterile).

Entries to be included in the Report…
• Disk details report, which includes
– Complete Hard Drive (suspected Media) Information.
– Volumes (No. of Partitions) Information.
– Label name of the Volumes.
– Used space and Unused space, etc.
– File Systems, Type and version of OS.

Entries to be included in the Report…
• If a softcopy is provided to the Investigation agency, then details about
– What the files are and their names
– File Attributes (metadata).
– CD/DVD make, Serial numbers, label name; and it should be signed by the forensic investigator.
– Ensure that the multisession writing facility for the CD/DVD is disabled.

Entries to be included in the Report…
• If Encrypted (password protected) files are found, then
– Number of the Files
– Name of the Files
– Passwords of the concerned Files, if able to recover
– List of the files whose passwords could not be recovered.
– File path in the Hard disks.
– Page no. of the annexure where the concerned encrypted file can be found.

Entries to be included in the Report…
• Which Forensic Software tools have been used
– Name of the Software tool.
– Should be legally licensed.
– Its Version.
– Manufacturer’s address.
– Details about Third party tools and their versions.
– Examples: Encase, FTK, Cyber Check Suite, Helix, Email Examiner, Email Tracer, WFA, WFT, Resource Hacker, etc.

Entries to be included in the Report…
• Mention the current date if it does NOT match the system date (suspected media).
• If a difference is encountered, then photograph the BIOS screen and enclose the same in the report also
• The page number of the concerned issue.

Log Files of Case Analysis
• While analyzing the case, the Log files (Audit trail) are automatically created by the FTKs.
• Hard copies of these files should be included and an entry should be made in the report.
• Ex: FTK analysis, Helix System information, Physical memory acquisition, etc.

Glossary in the Report
• A Glossary of technical terms, easily understandable by the police / judiciary, should be enclosed with the report and the same should be mentioned in the report
• Page numbers of the Glossary of Technical Terms
• Ex: Unallocated space, Slack space, IMEI, ESN, IMSI, MSISDN, MMS, Deleted, Archive, overwritten, etc.

Status about Exhibits
• What was the condition of the exhibits at the time of receipt in the forensic laboratory.
• Whether it was in good (sealed) condition or not.
• Entries should be made if the exhibits were physically damaged. If so, a photograph showing the physical damage should be attached.

Entries on damaged EXHIBITS
• Details about exhibits Not examined.
• Technical reasons why examination was not possible - Example: Spindle rotation, Circuit problem, Physically damaged or any other reasons.

Entries on Forensic Analysis - 1
• Log files
• System files
• User created files
• Recovered folders
• Unallocated space
• Slack space
• Cookies

Entries on Forensic Analysis - 2
• Temporary Internet files
• Web cache
• Chat files
• Email communications & Attachments
• Encrypted files
• Picture files
• Mpeg or Media files

Entries on Forensic Analysis - 3
• Registry analysis
• IP address
• MAC address
• Mounted devices
• Pirated Movies, songs
• Pirated Software
• Executable files (.exe) and Library (.dll) files

Entries on Forensic Analysis - 4
• Pornography
• Obscene Pictures
• Child Pornography
• Cyber stalking
• Cyber squatting
• Web Jacking
• User IDs and Passwords, etc.

Report on Anti Forensics
• Name of software like File Shredder
• Wiping Tools
• Formatted dates
• Operating system installed dates
• Steganography
• Encrypted files, and
• Complete Installed software list

Courtroom Preparations & Evidence Rules
• Take the time to acquire a basic working knowledge of the technical aspects of digital evidence in general
• Allow enough time to master the specific technical details of the case at hand.
• Evidentiary issues : Authentication and hearsay, which arise in connection with digital evidence.

The Report should …
• Present an understandable theory based on the analysis & interpretations; and try to bring out the facts.
• Clarify the nature of the technological issues.
– Is the electronic evidence associated with a ‘high technology’ crime?

The Report should …
• Identify & explain the source and nature of the digital evidence in the case.
– Are the computers storage for evidence of the crime, or are they themselves contraband (illegal imports, smuggled goods) evidence?
– What hardware, software, operating system and system configurations were used by the victim or the accused?
– Was the evidence found on a stand-alone personal computer or on a network?

The Report should …
• Include the hard copy of email messages or other digital evidence which is to be presented in the court
• The Analysis Report & Interpretation may be a voluminous document, for which an executive summary should also be provided.

Presenting the Evidence in the court room
• Have clean copies of exhibits
• Provide documents regarding seizure of exhibits
• Ensure adequate set-up time
• Ensure stand-by mode, sound and screen savers are deactivated in the PC system.
• Remember where the equipment was left off at the last break.
• Remember to protect the court room record with descriptions of referenced exhibits.

BIOS Mismatches
[Figure: photograph of a BIOS screen, with the fields to be compared against the system: Intel Duo 2 1.8 GHz; Boot sequence: Floppy, CD, HDD; Memory: 512 MB; System Time: 16:03:33; System Date: 24/06/2008]

Supporting Materials
• List of Supporting Materials
– That are included with the report, such as hard copies of particular items of Evidence, digital copies of evidence (CD), and Chain of Custody Documentation.

Analysis of the evidence image : A Sample Case Study (Scan 24)
A USB pen drive, along with narcotics, was seized by the police from a person who was supplying narcotics to students of schools in a locality. The seized data storage media is to be analysed for evidence, so that the police can find some supporting document for the rejection of the bail application of the accused.
Demonstration

Anti-Forensics : Challenges ?
• Rootkit based cyber crimes
• Tools on RAM (Diskless)
• Disk sanitisers (Wipe, Cipher)
• Compressed files with password
• Encrypted files with password
• Evidence Eliminator Applications
• Windows Washer Application

Anti-Forensics
• Backdoors, e.g. ‘Santa’ (Remote Desktop Access)
• Cleaning the Registry – regedit
• Disk Scrubbers – Secure Delete
• Hidden, inactive or encrypted Partitions
• Special RAM based PCs
• Special Steganography tools

Steganography & Steganalysis - Deployment Scenario
[Figure: User 1 feeds a Message and a Cover into a Steganography Encoder (Algo. – unknown, like a password) to produce a Stego Object; on the User 2 side the stages are Detection, then Extraction & Reconstruction of the message. Other labels on the figure: Forensic objectives; Suspected IP Addresses]
• Message – Plain text, cipher text
• Cover – Image, audio or video file
• Difficulties in Steganalysis : Original Cover not available, Stego-key / Algorithm not known
Courtesy : C-DAC, Kolkata

Introduction to Steganalysis
[Figure: Image before hiding / Image after hiding; LSB pattern before hiding / LSB pattern after hiding]
• Message embedding sometimes introduces random noise, which changes the statistical properties of images.
• Here the randomness of the LSB pattern has increased after hiding
• The increase in LSB (Least Significant Bit) randomness may act as a clue for steganalysis.
Courtesy : C-DAC, Kolkata

Introduction to Steganalysis (Contd..)
[Figure: Original and Tampered images, each with its LSB plane (LSB of Original / LSB of tampered). The Original and Tampered images are visually identical; the Least Significant Bits (LSBs) are where the message bits are hidden]
• The role of steganalysis is to inspect suspected packages, determine whether or not they have a payload of encoded information in them, and, if possible, recover that payload.
Courtesy : C-DAC, Kolkata
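The LSB effect described on the two slides above, reproduced as an added example (not C-DAC’s or CERT-In’s code) on a constructed 64x64 grayscale image: a random message is written into the pixel LSBs and two statistics are compared before and after, the horizontal LSB transition rate (the “randomness” the slide points at) and, going one step beyond the slide, the Westfeld-Pfitzmann pairs-of-values chi-square that most LSB steganalysis tools start from. The cover image, the message bits and the random seed are all constructed.

```python
"""LSB steganalysis on a constructed grayscale image.

Added example, not code from C-DAC or CERT-In. The 'cover' is a synthetic
64x64 image of 8x8 flat blocks (neighbouring LSBs are correlated, as in a
smooth photograph) and the 'message' is a constructed random bit string.
"""
import random
from typing import Dict, List

W = H = 64
Image = List[List[int]]


def make_cover() -> Image:
    """Synthetic smooth cover: intensity steps by 3 every 8 pixels, so along a
    row the LSB changes only once per block."""
    return [[((x // 8 + y // 8) * 3) & 0xFF for x in range(W)] for y in range(H)]


def embed_lsb(img: Image, bits: List[int]) -> Image:
    """Sequential LSB replacement, the simplest (and most detectable) scheme:
    pixel LSBs are overwritten with message bits in raster order."""
    out = [row[:] for row in img]
    i = 0
    for y in range(H):
        for x in range(W):
            if i == len(bits):
                return out
            out[y][x] = (out[y][x] & ~1) | bits[i]
            i += 1
    return out


def lsb_plane(img: Image) -> Image:
    return [[p & 1 for p in row] for row in img]


def transition_rate(plane: Image) -> float:
    """Fraction of horizontally adjacent LSB pairs that differ: a random bit
    plane sits near 0.5, a smooth untouched image well below."""
    changes = total = 0
    for row in plane:
        for a, b in zip(row, row[1:]):
            total += 1
            changes += a != b
    return changes / total


def pov_chi_square(img: Image) -> float:
    """Westfeld-Pfitzmann pairs-of-values statistic. LSB replacement only
    moves a pixel between values 2k and 2k+1, so their histogram counts
    drift towards equal; the statistic is small for an embedded image and
    large for an untouched one whose pairs are naturally unbalanced."""
    hist = [0] * 256
    for row in img:
        for p in row:
            hist[p] += 1
    stat = 0.0
    for k in range(128):
        n0, n1 = hist[2 * k], hist[2 * k + 1]
        expected = (n0 + n1) / 2
        if expected:
            stat += (n0 - expected) ** 2 / expected
    return stat


def analyse(img: Image) -> Dict[str, float]:
    return {
        "transition_rate": transition_rate(lsb_plane(img)),
        "pov_chi_square": pov_chi_square(img),
    }


def demo() -> Dict[str, Dict[str, float]]:
    cover = make_cover()
    rng = random.Random(1234)                            # fixed seed: constructed message
    message = [rng.randrange(2) for _ in range(W * H)]   # enough bits to fill every LSB
    stego = embed_lsb(cover, message)
    return {"cover": analyse(cover), "stego": analyse(stego)}


if __name__ == "__main__":
    for name, metrics in demo().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On real images the cover is not available, exactly as the deployment-scenario slide says, so the analyst can only judge the stego statistics against what a natural image of that kind normally shows; the chi-square value is usually turned into a probability of embedding and computed over growing prefixes of the image to estimate how much of it carries a message.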

References
• “Electronic Crime Scene Investigation – A Guide for First Responders” by National Institute of Justice, USA; http://www.ojp.usdoj.gov/nij
• “Forensic Examination of Digital Evidence : A Guide for Law Enforcement” by National Institute of Justice, USA; http://www.ojp.usdoj.gov/nij
• “Forensics – Tools”; http://www.forinsect.de/index.html
• “Collecting Electronic Evidence After a System Compromise” by Matthew Braid, SANS Security Essentials.
• “Computer Forensics – An Overview” by Dorothy A. Lunn, SANS Institute; http://www.giac.org/practical/gsec/Dorothy_Lunn_GSEC.pdf
• “Manual for Investigation of Computer Related Crimes” by Ashok Dohare
• Course Contents : SANS SEC508
• HoneyNet Project Website – Computer Forensics Challenges
• “File System Forensic Analysis” by Brian Carrier (Addison Wesley)