Computer Forensics | Patricia Watson | 2004


Page 1: Computer Forensics | Patricia Watson | 2004

Computer Forensics – Patricia M Watson

Linux: A Powerful Computer Forensics Tool

Patricia M Watson

Page 2: Computer Forensics | Patricia Watson | 2004


What is Computer Forensics?

Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.

Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003 ISBN 0-201-70719-5

Page 3: Computer Forensics | Patricia Watson | 2004


What Skills Must a Forensics Analyst Have?

• A broad range of technical, investigative, procedural, and legal skills
  o Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, chain of custody

• The ability to function in a complex, dynamic environment
  o Computer technology, as well as legal and regulatory environments, is constantly changing

• The ability to testify in a court of law
  o Reproduce the incident, interpret results, be prepared for cross-examination

Page 4: Computer Forensics | Patricia Watson | 2004


Computer Forensics Training

• The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)

http://www.giac.org/certifications/security/gcfa.php

• New Technologies Inc. – Computer Forensics Certification administered by Oregon State University

http://www.forensics-intl.com/forensic.html

• CompuForensics – in association with the University of Georgia offer computer forensics certificate courses

http://www.gactr.uga.edu/is/cf/

• Certified Information System Security Professional (CISSP)

http://www.cissp.com/ispc/cf-bootcamp.asp

Page 5: Computer Forensics | Patricia Watson | 2004


Why is Computer Forensics Important?

• Computers are used to commit crimes
  o Fraud, theft of intellectual property, threatening letters

• Computers are victims of crimes
  o Remote attacks, viruses, worms, Trojans

• Computers provide a record of activities that is useful in an investigation of an alleged crime
  o Best evidence rule: accurate representation of the original data on a system (bit-for-bit image)

Page 6: Computer Forensics | Patricia Watson | 2004


Forensics in a Nutshell

• Incident response
  o Verify the incident
  o Evidence seizure
  o Collect volatile and non-volatile data (live system)

• Investigation and analysis
  o Image the system (dead system)
  o Data recovery

• Reporting results
  o Record your actions

Page 7: Computer Forensics | Patricia Watson | 2004


Forensics “The Legal Issues”

• Federal (cyber crime is federal)
  o Title 18 – communications, computers, fraud, etc.
  o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties
  o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection

• State laws vary

• Admissible evidence
  o Law enforcement personnel activities are restricted (warrants, privacy, consent)
  o Law enforcement must follow chain of custody
  o Private citizens must follow company policies
  o Policy should address both legal and business environments

Page 8: Computer Forensics | Patricia Watson | 2004


Places for Data to Hide (as organized by SANS.org)

• Physical Layer: areas allocated for diagnostics, sector overhead, sectors marked as bad

• Data Layer: slack space, swap space, free space, unallocated space (file fragments)

• Metadata Layer: corrupted inodes (Linux), resident data as alternate data streams (NTFS)

• File System Layer: superblock, boot sector

• File Name Layer: when files are deleted, the file system hides the file name from the user, but much of the data can be recovered using forensic tools.

Page 9: Computer Forensics | Patricia Watson | 2004


The “Tools”

• Although there is no universal forensic solution, Linux-based tools are preferred for the following reasons:
  o They are FREE
  o Open source – you can modify and improve them
  o You can verify tool integrity (cryptographic hashes)
  o You can image any type of media in raw format
  o Greater versatility – no platform dependencies

Page 10: Computer Forensics | Patricia Watson | 2004


Tools – “The Basics”

• dcfldd – modified version of dd which provides the ability to perform hashing on the raw data collected
  # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt

• dd – powerful utility used for truncating files, splitting images, or sanitizing disks or partitions
  # dd if=/dev/zero of=/dev/hda#

• Cryptographic hashes – provide evidence integrity and authentication
  md5sum, sha1sum

• mount loop – mount an image read-only without touching the original
  # mount -o ro,loop imagepath mountpoint

• strings, grep, fgrep, file – used for keyword searches
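The acquire-then-verify workflow behind this slide, as an added shell example that is not from the presentation: plain dd does the copy, md5sum and sha1sum stand in for dcfldd's hashwindow/hashlog output, and a constructed 1 MiB file plays the role of /dev/hda so it runs without a real drive or root.

```shell
#!/bin/sh
# Added example (not from the slides): acquire a raw image with dd, hash
# source and image, verify they match, then keyword-search the raw image.
# A constructed 1 MiB file stands in for the suspect drive (/dev/hda).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/suspect.raw"      # stands in for the evidence drive
IMG="$WORK/suspect.dd"       # bit-for-bit image
LOG="$WORK/suspect.hashes"   # hash log kept alongside the image

# Construct the sample "media": zero-filled, one keyword planted at offset 4096.
dd if=/dev/zero of="$SRC" bs=1024 count=1024 2>/dev/null
printf 'CONFIDENTIAL-MEMO' | dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null

# Acquire: raw copy of the source; noerror,sync keeps going past a bad
# sector (padding it with zeros) so one read error does not abort the image.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hash source and image with two algorithms and record them; any mismatch
# means the copy is not an accurate representation of the original.
verify_image() {
    src_md5=$(md5sum "$1" | cut -d' ' -f1); img_md5=$(md5sum "$2" | cut -d' ' -f1)
    src_sha=$(sha1sum "$1" | cut -d' ' -f1); img_sha=$(sha1sum "$2" | cut -d' ' -f1)
    printf 'md5  source=%s image=%s\nsha1 source=%s image=%s\n' \
        "$src_md5" "$img_md5" "$src_sha" "$img_sha" > "$3"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# Keyword search straight over the raw image (no mount needed); -a forces
# grep to treat the binary image as text, -c counts matching lines.
keyword_hits() {
    grep -a -c "$2" "$1"
}

acquire_image "$SRC" "$IMG"
verify_image "$SRC" "$IMG" "$LOG" && cat "$LOG"
echo "keyword hits: $(keyword_hits "$IMG" CONFIDENTIAL)"
```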

Page 11: Computer Forensics | Patricia Watson | 2004


Type of Forensic Toolkits

• Data Analysis Toolkits: designed to analyze data, best for live system analysis
  o The Coroner’s Toolkit (TCT) – designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix hosts
    http://www.fish.com/tct

• Data Acquisition Toolkits: save data to perform lab-based analysis, best for dead system analysis
  o The Sleuth Kit (TSK) – designed by Brian Carrier, TSK is a collection of file system analysis tools with NO platform dependency
    http://sleuthkit.sourceforge.net
    Autopsy is the graphical interface to TSK

Page 12: Computer Forensics | Patricia Watson | 2004


The TSK Tool Organization

• File System Layer: fsstat – displays details about the file system

Page 13: Computer Forensics | Patricia Watson | 2004


The TSK Tool Organization

• Data Layer:
  o dstat – provides statistics on a given data unit, i.e. allocation status
  o dls – copies unallocated contents from data units to STDOUT; the -s flag extracts slack space on NTFS and FAT systems
  o dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)
  o dcat – displays the contents of any disk block to STDOUT

Page 14: Computer Forensics | Patricia Watson | 2004


The TSK Tool Organization

• Metadata Layer:

o istat – displays statistics about a given metadata structure i.e. permissions, size, allocation status

o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches

o ils – lists general details of inodes, most often used to collect inodes of deleted files

o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files

Page 15: Computer Forensics | Patricia Watson | 2004


The TSK Tool Organization

• File Name Layer:
  o fls – lists file and directory entries in a directory inode. Since “fls” is processing the directory content, it can display the data from deleted files
  o ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address

Page 16: Computer Forensics | Patricia Watson | 2004


Forensic Resources

• Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf

• Intrusion Detection, Honeypots and Incident Handling Resources http://www.honeypots.net/

• US Department of Justice Forensic Examination of Digital Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf

• USDOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf

• Computer Forensics: Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5

• Know Your Enemy 2nd Edition. The Honeynet Project.

Page 17: Computer Forensics | Patricia Watson | 2004


Computer Forensics

• Questions?