Computer Forensics | Patricia Watson | 2004
-
Upload
patriciawatson -
Category
Technology
-
view
104 -
download
2
description
Transcript of Computer Forensics | Patricia Watson | 2004
![Page 1: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/1.jpg)
Computer Forensics – Patricia M Watson
Linux: A Powerful Computer Forensics Tool
Patricia M Watson
![Page 2: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/2.jpg)
Computer Forensics – Patricia M Watson
What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.
Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003 ISBN 0-201-70719-5
![Page 3: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/3.jpg)
Computer Forensics – Patricia M Watson
What Skills Must Forensics Analyst Have?
• A broad range of technical, investigative, procedural, and legal skills
Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, Chain of custody
• The ability to function in a complex, dynamic environment Computer technology as well as legal and regulatory environments
are constantly changing
• The ability to testify in a court of law Reproduce incident, interpret results, be prepared for cross-
examination
![Page 4: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/4.jpg)
Computer Forensics – Patricia M Watson
Computer Forensics Training
• The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)
http://www.giac.org/certifications/security/gcfa.php
• New Technologies Inc. – Computer Forensics Certification administered by Oregon State University
http://www.forensics-intl.com/forensic.html
• CompuForensics – in association with the University of Georgia offer computer forensics certificate courses
http://www.gactr.uga.edu/is/cf/
• Certified Information System Security Professional (CISSP)
http://www.cissp.com/ispc/cf-bootcamp.asp
![Page 5: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/5.jpg)
Computer Forensics – Patricia M Watson
Why is Computer Forensics Important?
• Computers are used to commit crimes Fraud, theft of intellectual property, threatening letters
• Computers are victims of crimes Remote attacks, viruses, worms, Trojans
• Computers provide record of activities that are useful in an investigation of an alleged crime
Best evidence rule: Accurate representation of original data on a system (bit-for-bit image)
![Page 6: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/6.jpg)
Computer Forensics – Patricia M Watson
Forensics in a Nutshell
• Incident response o Verify the incident o Evidence Seizure
o Collect volatile and non-volatile data (live system)
• Investigation and analysis o Image System (dead system) o Data recovery
• Reporting results o Record your actions
![Page 7: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/7.jpg)
Computer Forensics – Patricia M Watson
Forensics “The Legal Issues” • Federal (cyber crime is federal)
o Title 18 – communications, computers, fraud, etc. o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases
penalties
o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection
• State laws vary
• Admissible evidence Law enforcement personnel activities are restricted (warrants, privacy, consent)
Law enforcement must follow chain of custody
Private citizens must follow company policies
Policy should address both legal and business environments
![Page 8: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/8.jpg)
Computer Forensics – Patricia M Watson
Places for Data to Hide As organized by SANS.org
• Physical Layer Areas allocated for diagnostics, sector overhead, sectors marked as bad
• Data Layer Slack space, swap space, free space, unallocated space (file fragments)
• Metadata Layer Corrupted inodes (Linux), resident data as alternate data streams (NTFS)
• File System Layer Superblock, boot sector
• File Name Layer When files are deleted, the file system will hide the file name from the user,
but much data can be recovered using forensic tools.
![Page 9: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/9.jpg)
Computer Forensics – Patricia M Watson
The “Tools”
• Although there is no universal forensic solution, Linux based tools are preferred for the following reasons:
They are FREE
Open source – You can modify/improve
You can verify tool integrity (cryptographic hashes) You can image any type of media as raw format Greater versatility – No platform dependencies
![Page 10: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/10.jpg)
Computer Forensics – Patricia M Watson
Tools – “The Basics”
• dcfldd – Modified version of dd which provides the ability to perform
hashing on the raw data collected # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt
• dd – Powerful utility used for truncating files, splitting images, or sanitizing
disk or partitions # dd if=/dev/zero of=/dev/hda#
• Cryptographic Hashes – Provide evidence integrity and
authentication md5sum, sha1
• mount loop # mount –o ro,loop imagepath mountpoint
• strings, grep, fgrep, file – Used for keyword searches
![Page 11: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/11.jpg)
Computer Forensics – Patricia M Watson
Type of Forensic Toolkits
• Data Analysis Toolkits: Designed to analyze data, best for live system analysis
o The Coroner’s Toolkit (TCT) Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix host http://www.fish.com/tct
• Data Acquisition Toolkits: Save data to perform lab-based analysis, best for dead system analysis
o The Sleuth Kit (TSK) Designed by Brian Carrier, the TSK is a collection of file system analysis tools with
NO platform dependency. http://sleuthkit.sourceforge.net Autopsy is the graphical interface to TSK
![Page 12: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/12.jpg)
Computer Forensics – Patricia M Watson
The TSK Tool Organization
• File System Layer: fsstat – displays details about the file system
![Page 13: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/13.jpg)
Computer Forensics – Patricia M Watson
The TSK Tool Organization
• Data Layer: dstat – provides statistics on a given data unit, i.e.
allocation status dls – copies unallocated contents form data units to
STDOUT, the –s flag extracts slack space on NTFS and FAT systems
dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)
dcat – displays the contents of any disk block to STDOUT
![Page 14: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/14.jpg)
Computer Forensics – Patricia M Watson
The TSK Tool Organization • Metadata Layer:
o istat – displays statistics about a given metadata structure i.e. permissions, size, allocation status
o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches
o ils - lists general details of inodes, most often used to collect inodes of deleted files
o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files
![Page 15: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/15.jpg)
Computer Forensics – Patricia M Watson
The TSK Tool Organization
• File Name Layer: fls – lists file and directory entries in a directory inode.
Since “fls” is processing the directory content, it can display the data from deleted files
ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
![Page 16: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/16.jpg)
Computer Forensics – Patricia M Watson
Forensic Resources
• Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf
• Intrusion Detection, Honeypots and Incident Handling Resources http://www.honeypots.net/
• US Department of Justice Forensic Examination of Digital Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf
• USDOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf
• Computer Forensics Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5
• Know Your Enemy 2nd Edition. The Honeynet Project.
![Page 17: Computer Forensics | Patricia Watson | 2004](https://reader035.fdocuments.us/reader035/viewer/2022081907/54c87e304a79590d7f8b457f/html5/thumbnails/17.jpg)
Computer Forensics – Patricia M Watson
Computer Forensics
• Questions?