CNS 320 Week1 Lecture
Transcript of CNS 320 Week1 Lecture
8/22/2019 CNS 320 Week1 Lecture
CNS 320: COMPUTER FORENSICS & INCIDENT RESPONSE
Week 1
Copyright 2013, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Your Fearless Leader
(I am Geek. See my alphabet soup!)
John McCash
CompTIA Sec+, GCIH, GAWN (expired), GCFA, GCFE, EnCE, GREM, SANS Lethal Forensicator
23 years in IT
Specialized in Security for the last 15 years, and Forensics & Incident Response for the last 4
Extensive experience in digital forensics, incident response, and security/system/network administration on diverse platforms in very heterogeneous environments
BS and MS in CS from Bradley University (1988)
Currently works for a major telecommunications equipment provider (Technical Lead of APT Response Team), and is a contributor to the SANS forensic blog.
Course Description
Introduction to the topics of Computer Forensics and Incident Response on Windows Systems
PREREQUISITES:
Familiarity with Windows and Linux computer usage
Familiarity with Windows and Linux Administration & Internals Helpful
Content in Flux
Course originally developed with an eye toward process and legal issues (I've stripped out almost all of that old content, but a few elements remain)
Materials are still under revision
I'm trying to provide a significant amount of technical and practical content which you may be able to actually apply
I will work with you as a class to make this course as interesting as possible without (I hope) leaving many of you in the dust
Be aware that the most interesting & useful of the content will require its underpinnings to be force-fed at a rather rapid rate, which will increase the difficulty
Students at the SANS Institute refer to this process as "drinking from the fire hose"
Apologies in Advance
Course Design Challenges
Selecting digestible information subsets
Organizing the material
In many disciplines, specifics follow logically from generalities based on consistent rules
IMHO Forensics is much more empirical, more like an infinite progression of narrowly defined specialties, with lots of case-by-case variation
I've attempted to select material for the class which is both representative and useful
Why all the deep background?
(assuming you don't expect to be designing your own forensic tools)
Forensic tools frequently do squirrely things
You will need to recognize when this happens, and possibly figure out what the results should have been by hand
You will likely need to explain to a non-technical person (or a jury) exactly how/why a tool produced a given result
You will want to know that certain information is available (and where) even when a tool you've had to use did not provide it
Push-Button Forensic Tools
Good: In that they can free up time for a Forensic Analyst and enable him to spend that effort on more problematic areas
Bad: In that they can be error-prone, and a lazy or clueless analyst relying on their output can make improperly-based assertions which can be refuted, or at the least cast doubt on other findings
Always cross-check & verify results on which important assertions are based using different tools, and properly explain any significant anomalies
You should always know, at least in a general way, from what artifact a result was obtained, and be able, with reasonable effort, to backtrack & manually step through the methodology used to create it
Note that these statements represent my moderate viewpoint on a somewhat controversial topic
Syllabus
As you can see, we've got a lab as a classroom
We'll be making use of that each week
I hope to cover practical application of each element immediately after introducing it in lecture
30-50% of each class period will be devoted to lab
Syllabus
DIGITAL EVIDENCE DEFINITION & USAGE (Briefly)
Authentication and Chain of Custody
Courtroom Usage
FORENSIC PROCESSES
Collection
Examination
Analysis
Reporting
Syllabus
WINDOWS FORENSIC TOOLS & ARTIFACTS
Windows Disk Partitioning
NTFS
Registry Fundamentals
Malware Detection & Analysis in Memory
Link Files & Win7 Jumplists
Application Metadata
Log Analysis
Timelines
INCIDENT RESPONSE LIFECYCLE
Preparation
Identification
Containment
Eradication
Recovery
Follow-Up & Lessons Learned
Syllabus
Additional material, if there's time
Browser & Web Forensics
Internet Explorer
Firefox
Google Chrome
CNS-320 Week-By-Week
Week 1:
Lab: Physical & Logical Imaging
Week 2
Lab: NTFS Examination & Analysis
Week 3
Lab: Registry Examination & Analysis
Week 4
Quiz over week 1-3 content
Week 6: Labs
Week 7: Quiz #2
Week 9: Labs
Week 10: Quiz #3, Review
D2L
We will be using D2L, one of CDM's Course Management Systems. The system can be found at https://d2l.depaul.edu.
Lectures (Powerpoint)
Assignments
Grades
Documents
Syllabus
Etc.
Class Participation
Please feel free to interrupt. There are no stupid questions, only stupid instructors.
Be a loudmouth! You'll get more out of the class that way. So will everyone else.
The only reason you have an instructor instead of just reading out of a book and taking tests is so you can ask about things that aren't in the materials.
The more questions you ask, the more you'll learn, as will the rest of the class.
If I say something that makes no sense, for god's sake stop me! I probably just confused at least half of you!
Labs
Familiarize you with tools hands-on
Ensure everyone can perform demonstrated tasks
Let you ask questions when tools don't perform as expected
Despite not being graded, this is the most important portion of the class
Communications with Instructor
Email is preferred.
Please include CNS 320 in the subject line of all email communications
You may request a scheduled telephone/web conference.
My email address: [email protected]
Cell phone: 847-660-3373 (Please call only between 5:00 PM and 9:00 PM)
Office hours: Thursdays, 9:00-10:30 pm
Grading
Three Quizzes (20% each)
Final Exam (40%)
Final Exam
Final 11/15/2012
Exam Format
Short Answer
Content will be drawn from lecture slides & notes
Primary Textbook
Windows Forensic Analysis Toolkit, 3rd Edition
By: Harlan Carvey
Publisher: Syngress
Pub. Date: January 15, 2012
Print ISBN-13: 978-1-59749-727-5
Web ISBN-13: 978-1-59749-728-2
Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275
Optional Reference
File System Forensic Analysis
By: Brian Carrier
Publisher: Addison-Wesley Professional
Pub. Date: March 17, 2005
Print ISBN-10: 0-321-26817-2
Print ISBN-13: 978-0-321-26817-4
Available as an ebook at
http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensic-analysis/0321268172
Other Course Materials
Other course materials will be available on the web, including the DePaul University Libraries' website at http://www.lib.depaul.edu/
Lecture slides & reading assignments will be posted on D2L each week the night before class
Partial list of Forensic Blogs (for future reference or research)
Didier Stevens - http://blog.didierstevens.com/
ForensicIT.EU - http://forensicit.eu/
SANS Computer Forensics, Investigation, and Response - http://computer-forensics.sans.org/blog
Matthieu Suiche - http://www.msuiche.net/
Volatility - http://volatility.tumblr.com/
Computer Forensics/E-Discovery Tips/Tricks and Information (Mark McKinnon) - http://cfed-ttf.blogspot.com/
int for(ensic){blog;} (Andreas Schuster) - http://computer.forensikblog.de/en/
A Geek Raised by Wolves (Jesse Kornblum) - http://jessekornblum.livejournal.com/
Computer Forensics, Malware Analysis & Digital Investigations (Lance Mueller) - http://www.forensickb.com/
Windows Incident Response (Harlan Carvey) - http://windowsir.blogspot.com/
forensic.seccure.net (Mariusz Burdach) - http://seccure.blogspot.com/
Forensic Computing (Mike Murr) - http://www.forensicblog.org/
Forensic Focus Blog (Jaimie Morris) - http://forensicfocus.blogspot.com/
Forensic Incident Response (Hogfly) - http://forensicir.blogspot.com/
Hacking Exposed Computer Forensics Blog - http://hackingexposedcomputerforensicsblog.blogspot.com/
digfor (Andre Ross) - http://digfor.blogspot.com/
Computer Forensics and Incident Response - http://breach-inv.blogspot.com/
ForensicZone - http://forensiczone.blogspot.com/
The Digital Standard - http://thedigitalstandard.blogspot.com/
Computer Forensics Podcasts
Forensic 4cast - http://www.forensic4cast.com/
Cyberspeak - http://cyberspeak.libsyn.com/
Inside the Core (Mac) - http://insidethecore.com/
Academic Integrity
Student Resources at DePaul: http://academicintegrity.depaul.edu/Resources/Students/index.html
Plagiarism is a major form of academic dishonesty involving the presentation of the work of another as one's own. Plagiarism includes but is not limited to the following:
The direct copying of any source, such as written and verbal material, computer files, audio disks, video programs or musical scores, whether published or unpublished, in whole or part, without proper acknowledgement that it is someone else's.
Copying of any source in whole or part with only minor changes in wording or syntax, even with acknowledgement.
Submitting as one's own work a report, examination paper, computer file, lab report or other assignment that has been prepared by someone else. This includes research papers purchased from any other person or agency.
The paraphrasing of another's work or ideas without proper acknowledgement.
Definition of Plagiarism
Plagiarism involves using the work of another person and presenting it as your own.
Outright copying of someone else's writing is the most clear-cut form of plagiarism.
But other forms exist.
Mosaic
Paraphrase
Insufficient acknowledgement
Other plagiarism resources
North Carolina State University - http://www.lib.ncsu.edu/scc/tutorial/plagiarism/more.html
Georgetown University - http://www.georgetown.edu/honor/plagiarism.html
Stanford University - http://www.stanford.edu/dept/vpsa/judicialaffairs/students/plagiarism.htm
Northwestern University - http://www.northwestern.edu/uacc/plagiar.html
Terminology
Internet Security Glossary - RFC 4949 by R. W. Shirey
http://www.ietf.org/rfc/rfc4949.txt
Microsoft Solutions for Security Glossary - http://www.microsoft.com/security/glossary.mspx
SANS Glossary of Security Terms - http://www.sans.org/resources/glossary.php
Terminology
Legal Terms
Nolo's Legal Dictionary - http://www.nolo.com/lawcenter/dictionary/wordindex.cfm
Findlaw Legal Dictionary - http://dictionary.lp.findlaw.com/
Outline of Tonight's Material
Digital Evidence & Forensic Processes
Digital Evidence
What is it?
How do we find it?
How do we preserve it?
Lab: FTK Imager Usage
Memory Imaging using FTK Imager
Physical Disk Imaging
Logical Disk Imaging
What/Where is Digital Evidence?
Everybody knows it's on computer hard disks
Where else can digital evidence be found?
Think outside the box for a minute. It's almost everywhere
What/Where is Digital Evidence?
Computer Hard Drives, Memory, BIOS Settings
Printers, Copiers/Multifunction Devices, and other computer peripherals may actually be complete embedded computer systems
Integrated components may also be embedded systems
Flash Drives with significant storage capacity are now very small, and can easily be hidden
Network Hardware; Switches, Routers, Firewalls, WAPs, Web Proxy Gateways
SIEMs & other log aggregation systems
Phones, other portable electronic devices, game consoles & peripherals, even some refrigerators
The Cloud
Data is Easily Hidden
Sometimes even a whole system
Example of Reliability & Completeness Issues
Casey Anthony acquitted in 2011
Discrepancy between results of parsing of a Firefox v2 history.dat file with NetAnalysis and Cacheback used to cast doubt on the forensic analysis
Firefox v2 history.dat file was recovered from unallocated space
NetAnalysis reported 8878 records (there were actually 9075, possibly determined by hand) and one visit to chloroform.html
Cacheback 2.8 RC2 reported 8571 records and 84 visits (incorrect!) to chloroform.html.
After subsequent revision, Cacheback matched 9048 records in the file.
Digital Forensic Artifacts
Any change made as a result of an event of interest
Locard's Exchange Principle
Our job is to sift Digital Evidence for Forensic Artifacts
Forensic Processes
Goals
Collect evidence, ensuring its integrity over the entire forensic lifecycle
Analyze & Report on Evidence
Present findings, deriving facts about the issue of concern from the evidence, and ensuring that all such derived facts are properly qualified
Formal Forensic Frameworks and Processes (NIST)
National Institute of Standards and Technology (NIST) Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
Formal Forensic Frameworks and Processes (DFRWS)
Digital Forensics Specialties
Network Forensics
Log Analysis
OS Forensics
  Windows
  UNIX
    MacOS-X
    Linux
    Solaris, HPUX, IRIX
  Other
Embedded Systems Forensics
Mobile Device Forensics
  Apple iOS
  Android
  Other
Malware Forensics
Application Forensics
  Databases
  Web Apps
Evidence Preservation
Physical evidence items protected using chain of custody process
Documents every individual with access to item at any time from collection forward
Minimizing number of entries is key
Digital items protected using redundant copies and cryptographic hashes
Chain of Custody
Chain of custody establishes Authenticity (legal term)
Goal: To ensure no alteration of the original evidence during collection, storage or analysis
Requires documenting procedures used in the collection, storage and analysis of evidence
Chain of Custody
A piece of paper or electronically stored information, without any indication of its creator, source, or custodian may not be authenticated under Federal Rule of Evidence 901.
Real-World Chain of Custody and Evidence Handling Procedures
(One stringent example. Not the only way.)
Physical Elements
Prenumbered evidence tags & tamper evident bags w/labels for collector, date/time, location, signature.
Specific number ranges provided to designated evidence collectors to provide redundant collector identification
Paper log forms (may be a single form, but if two, no overlap other than reference number)
  Inventory collection
  Chain of custody transfer information
Evidence lockup database
Physical Evidence Collection
Evidence items tagged, bagged, labeled by collector
Bag & tag numbers and in-situ collection information for each item documented on paper inventory collection forms
Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.
Evidence tag # is permanently assigned to evidence item
Evidence bag # & label info provide chain of custody assurance from collection to log-in
On-Site Electronic Evidence Collection
Reasons
Triage (to determine whether an evidence item is to be physically collected or not, or to identify subsets of existing evidence, such as a very large RAID array, that must be collected)
Volatile data which may otherwise not survive transport to evidence lockup (we'll discuss this in more detail next week)
On-Site Electronic Evidence Collection
Digital evidence collected onto pre-wiped virgin media, then tagged, bagged, time/date/location noted, & signed for, just like physical evidence
Documentation
  Written account of actions
  Potentially tool log files, which could be written to the same media as the collected evidence
  Collection process may be recorded using timestamped photos or audio/video recordings. These recordings may themselves be treated as evidence items, requiring tamper-evident handling.
Evidence Log-In
Performed back at evidence lock-up
Data from paper inventory collection forms is transcribed into evidence lockup database
Data from tamper evident evidence bags is also transcribed into database
If no collector noted on forms, this is inferred from numbers, and that fact noted
Copies of collection recordings may be attached
Chain of custody form initially filled out & entered by receiving lockup representative, including lockup receipt date/time
Items scheduled for examination
Initial Evidence Examination
1. Chain of custody form updated by technician
2. Bag opened by evidence technician and evidence physically examined for descriptive info omitted at time of original collection
3. Additional data documented by technician & recorded into database with notation as to source. Electronic info may also be added.
4. All technician activities documented and possibly audio/video recorded
5. Forensic imaging of original evidence may also be done at this point
6. Original evidence then returned to lockup
Subsequently
Chain of custody form joins evidence item permanently
Each time evidence is returned to lockup, chain of custody data is updated in database
Multiple copies of all forensic data may be made for subsequent direct examination, but chain of custody on these need not be tracked
Chain of Custody at this Point
1. Collector
2. Evidence lockup
3. 1st Examining Evidence Technician
4. Evidence lockup
Minimizing the number of entries is key to good chain of custody procedure
Chain of Custody Paper Form Elements
Evidence tag number
Original collection bag number
Collector name
Date & time collected
Data for each custodian (multiple blanks for subsequent entries):
  Name & Organization
  Date & time received
  Signature
  Notes (to identify bag opening & any irregularities)
Inventory Paper Form Elements
Evidence number of item
Evidence collection bag number
Evidence # of collection recording
Collector name
Collection date/time
Collection location (address, room, etc.)
Unique evidence description (could include explicit fields for color, model, serial #, and possibly a space for attached photo)
Imaging
An image is a bit-for-bit copy of a piece of digital evidence (disk, flash, RAM, DVD etc.)
Forensic images can be stored and accessed in a variety of standard formats such as Raw, E01, or AFF
Images are typically validated as unchanged by use of one or more of a number of cryptographic hash algorithms (md5, sha1, sha256)
On dead systems, disk imaging should be performed via a hardware write-blocker to ensure that original evidence is unchanged
On live systems, it is almost certain that the image hash for a disk in use or system memory will not match
Exact methodologies will vary from organization to organization
Physical vs. Logical Imaging
Physical Image: Full image of complete physical disk device content
Logical Image: Image of a logical volume mounted on a live system.
  Portion of a physical device
  RAID spread across several different physical devices
  Mounted encrypted volume
  Mounted network volume
Hashing
Cryptographic hashes are algorithms that can be applied to arbitrarily long sequences of data bytes with the aim of producing a much shorter result which is still unique
Mathematically infeasible to reverse
For some such algorithms, there are known collisions & mechanisms for producing them
If this is a risk, the simplest method to avoid is to use two different hashes (MD5 & SHA1 for example)
Most commonly used: MD5, SHA1, SHA256
Cryptographic Hash Algorithms
MD5: 32 character output
6830723bbaade6e72dbbfb5c91466c9e
SHA1: 40 character output
7d6ae63b1201e68e5e686c10eabbd7eef76cf19e
SHA256: 64 character output
b21f00291949d848e4fe0f94ac76dcc40d68c6ffad873f515a7304f54566ce6e
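The imaging and hashing slides above describe validating an image with one or more hash algorithms and recording two independent hashes when collisions are a concern. The Python below is an added example, not course material: it hashes an image in one pass with the three algorithms the slides name, records a manifest, validates the hashing against a published test vector, and shows every recorded hash breaking when a single bit of the image changes. The 3 MiB patterned image and its file names are constructed for the example.

```python
import hashlib
import io
import os
import tempfile

# The three algorithms the slides name; hexdigest lengths are 32, 40 and 64.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; never load the image whole


def hash_stream(stream, algorithms=ALGORITHMS):
    """Feed one read of the data to every hash at once; returns {algo: hex}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=ALGORITHMS):
    """Hash an image file with several algorithms in a single pass over it."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def write_manifest(path, digests):
    """Record the acquisition hashes beside the image, one md5sum-style line each."""
    manifest = path + ".hashes"
    with open(manifest, "w") as fh:
        for name, digest in digests.items():
            fh.write(f"{name}  {digest}  {os.path.basename(path)}\n")
    return manifest


def read_manifest(manifest):
    digests = {}
    with open(manifest) as fh:
        for line in fh:
            name, digest, _filename = line.split()
            digests[name] = digest
    return digests


def verify_image(path, manifest):
    """Re-hash the image and list every algorithm whose digest no longer matches.

    An empty list means the image is unchanged under all recorded hashes.
    Recording two independent hashes (the slides' MD5 + SHA1 advice) means a
    collision crafted against one of them would still be caught by the other.
    """
    expected = read_manifest(manifest)
    actual = hash_image(path, list(expected))
    return [name for name in expected if expected[name] != actual[name]]


def known_answer():
    """Tool validation: hash a known input (b"abc") so the digests can be
    checked against published test vectors before the tool touches evidence."""
    return hash_stream(io.BytesIO(b"abc"))


def demo():
    """Constructed 3 MiB 'disk image' in a temp dir: verify it clean, flip one
    bit (as a live disk or a bad write would), then verify it again."""
    image = os.path.join(tempfile.mkdtemp(), "evidence001.dd")
    with open(image, "wb") as fh:
        fh.write(bytes(range(256)) * (3 * 4096))    # 256 * 12288 = 3 MiB
    manifest = write_manifest(image, hash_image(image))
    clean = verify_image(image, manifest)           # []: image unchanged
    with open(image, "r+b") as fh:
        fh.seek(2 * 1024 * 1024 + 17)
        original = fh.read(1)[0]
        fh.seek(-1, os.SEEK_CUR)
        fh.write(bytes([original ^ 0x01]))
    tampered = verify_image(image, manifest)        # every algorithm differs
    return clean, tampered


if __name__ == "__main__":
    print(known_answer())
    print(demo())
```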
More Hashing Algorithms
(Attack columns give best known attack complexity:rounds.)

| Algorithm | Output size (bits) | Internal state size | Block size | Length size | Word size | Rounds | Collision | Second preimage | Preimage |
| GOST | 256 | 256 | 256 | 256 | 32 | 256 | Yes (2^105) | Yes (2^192) | Yes (2^192) |
| HAVAL | 256/224/192/160/128 | 256 | 1,024 | 64 | 32 | 160/128/96 | Yes | No | No |
| MD2 | 128 | 384 | 128 | - | 32 | 864 | Yes (2^63.3) | No | Yes (2^73) |
| MD4 | 128 | 128 | 512 | 64 | 32 | 48 | Yes (3) | Yes (2^64) | Yes (2^78.4) |
| MD5 | 128 | 128 | 512 | 64 | 32 | 64 | Yes (2^20.96) | No | Yes (2^123.4) |
| PANAMA | 256 | 8,736 | 256 | - | 32 | - | Yes | No | No |
| RadioGatún | Up to 608/1,216 (19 words) | 58 words | 3 words | - | 1-64 | - | With flaws (2^352 or 2^704) | No | No |
| RIPEMD | 128 | 128 | 512 | 64 | 32 | 48 | Yes (2^18) | No | No |
| RIPEMD-128/256 | 128/256 | 128/256 | 512 | 64 | 32 | 64 | No | No | No |
| RIPEMD-160 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (2^51:48) | No | No |
| RIPEMD-320 | 320 | 320 | 512 | 64 | 32 | 80 | No | No | No |
| SHA-0 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (2^33.6) | No | No |
| SHA-1 | 160 | 160 | 512 | 64 | 32 | 80 | Yes (2^51) | No | No |
| SHA-256/224 | 256/224 | 256 | 512 | 64 | 32 | 64 | Yes (2^28.5:24) | No | Yes (2^248.4:42) |
| SHA-512/384 | 512/384 | 512 | 1,024 | 128 | 64 | 80 | Yes (2^32.5:24) | No | Yes (2^494.6:42) |
| Tiger(2)-192/160/128 | 192/160/128 | 192 | 512 | 64 | 64 | 24 | Yes (2^62:19) | No | Yes (2^184.3) |
Fuzzy Hashing
Method of measuring similarity between different files
Ssdeep is the most commonly used fuzzy hashing utility.
Most effective on files containing large amounts of text, less so with purely binary data, but YMMV.
Fuzzy hashing is also referred to as context triggered piecewise hashing (CTPH)
A complete explanation of CTPH can be found at http://dfrws.org/2006/proceedings/12-Kornblum.pdf
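As an added illustration of CTPH, not code from the course or from ssdeep, the Python below follows the rolling hash and piecewise base64 signature that Kornblum's paper describes, then scores two signatures; the scoring uses plain edit distance rather than ssdeep's weighted version, and the sample "reports" are constructed from a random vocabulary. It shows why an edit in the middle of a file leaves most of the signature intact while an unrelated file of the same size scores zero.

```python
import random

WINDOW = 7            # bytes covered by the rolling hash (spamsum's value)
MIN_BLOCK = 3
SPAMSUM_LEN = 64      # target number of pieces per signature
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
MASK = 0xFFFFFFFF


class RollingHash:
    """Kornblum's rolling hash. Its value depends only on the last WINDOW
    bytes, so it re-synchronises a few bytes after any insertion or deletion."""

    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, b):
        self.h2 = (self.h2 - self.h1 + WINDOW * b) & MASK              # weighted sum
        self.h1 = (self.h1 + b - self.window[self.n % WINDOW]) & MASK  # plain sum
        self.window[self.n % WINDOW] = b
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ b) & MASK                          # shift/xor mixer
        return (self.h1 + self.h2 + self.h3) & MASK


def block_size(length):
    """ssdeep's rule: smallest MIN_BLOCK * 2^k expected to yield ~SPAMSUM_LEN pieces."""
    bs = MIN_BLOCK
    while bs * SPAMSUM_LEN < length:
        bs *= 2
    return bs


def ctph(data, bs=None):
    """Context triggered piecewise hash of data, as 'blocksize:signature'.

    Each byte feeds a piecewise FNV-1a hash; the piece ends when the rolling
    hash hits its trigger value, so boundaries follow content, not offsets, and
    each piece becomes one base64 character. (Simplified: ssdeep also keeps a
    second signature at 2*bs and halves bs when the result is too short.)
    """
    bs = bs or block_size(len(data))
    roll, fnv, sig = RollingHash(), FNV_OFFSET, []
    for b in data:
        fnv = ((fnv ^ b) * FNV_PRIME) & MASK
        if roll.update(b) % bs == bs - 1:          # context trigger
            sig.append(B64[fnv & 63])
            fnv = FNV_OFFSET
    if fnv != FNV_OFFSET:                          # trailing partial piece
        sig.append(B64[fnv & 63])
    return f"{bs}:{''.join(sig)}"


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare(sig_a, sig_b):
    """Similarity 0..100 between two signatures. Different block sizes are not
    comparable, and, as in ssdeep, signatures sharing no run of 7 identical
    characters score 0, which keeps chance matches out of the results."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b or not a or not b:
        return 0
    if a == b:
        return 100
    if not any(a[i:i + 7] in b for i in range(len(a) - 6)):
        return 0
    return round(100 * (1 - levenshtein(a, b) / max(len(a), len(b))))


def sample_documents():
    """Constructed inputs: a 'report' of random vocabulary words, the same
    report with a sentence inserted in the middle, and an unrelated report
    from another seed. All are 2,500-2,530 bytes, so they share block size 48."""
    vocab = ["evidence", "image", "hash", "custody", "analyst", "volume",
             "sector", "registry", "timeline", "artifact", "memory", "log",
             "partition", "custodian", "imaging", "blocker"]

    def report(seed):
        rng = random.Random(seed)
        text = ""
        while len(text) < 2600:
            text += rng.choice(vocab) + " "
        return text.encode()[:2500]

    original = report(1)
    edited = original[:1200] + b" Sentence added after review. " + original[1200:]
    return original, edited, report(2)


def demo():
    original, edited, unrelated = sample_documents()
    return (compare(ctph(original), ctph(edited)),      # high: one piece changed
            compare(ctph(original), ctph(unrelated)))   # 0: nothing in common
```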
Free Imaging & Analysis Tools
Helix3 (not Helix3 Pro or Helix3 Enterprise) - https://www.e-fense.com/store/index.php?_a=viewProd&productId=11&ccUser=f6e155820240b27967246d7ec8f9fa2d
AccessData FTK Imager - http://accessdata.com/support/adownloads#FTKImager, as well as part of Helix3
SANS SIFT Kit - http://computer-forensics.sans.org/community/downloads
Commonly Used General Purpose Forensic Tool Suites
EnCase (Guidance Software)
FTK Forensic Toolkit (AccessData)
SANS Linux SIFT Kit (Free)
Helix (Free, but discontinued)
SIFT Kit Contents
The Sleuth Kit (File system Analysis Tools)
log2timeline (Timeline Generation Tool)
ssdeep & md5deep (Hashing Tools)
Foremost/Scalpel (File Carving)
WireShark (Network Forensics)
Vinetto (thumbs.db examination)
Pasco (IE Web History examination)
Rifiuti (Recycle Bin examination)
Volatility Framework (Memory Analysis)
DFLabs PTK (GUI Front-End for Sleuthkit)
Autopsy (GUI Front-End for Sleuthkit)
PyFLAG (GUI Log/Disk Examination)
Regripper (Registry Analysis)
100s more tools -> See Detailed Tool Listing
Reading for Next Week
1. MFT Section in Chapter 4 of Windows Forensic Analysis Toolkit, 3rd Edition. By: Harlan Carvey. Publisher: Syngress. Pub. Date: January 15, 2012. Print ISBN-13: 978-1-59749-727-5. Web ISBN-13: 978-1-59749-728-2. Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597497275
2. Digital Forensics: Detecting time stamp manipulation - http://computer-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/
3. NTFS $I30 Attributes: Evidence of Deleted and Overwritten Files - http://forensicmethods.com/ntfs-index-attribute
4. Skim Chapters 5 (PC-based Partitions), 8 (File System Analysis), 11 (NTFS Concepts), 12 (NTFS Analysis), and 13 (NTFS Data Structures) of File System Forensic Analysis. Try to actually read through the section on Index Attributes and Data Structures. I know it's a little opaque, but it's a really good reference, and I don't know of a more readable summary that goes into any significant detail. By: Brian Carrier. Publisher: Addison-Wesley Professional. Pub. Date: March 17, 2005. Print ISBN-10: 0-321-26817-2. Print ISBN-13: 978-0-321-26817-4. Available as an ebook at http://proquestcombo.safaribooksonline.com.ezproxy2.lib.depaul.edu/book/networking/forensic-analysis/0321268172
Questions?