
Computer Forensics, The Investigator's Perspective

Paul T. Mobley Sr. (pmobley@jawzinc.com), Computer Forensics Consultant, Jawz Inc.


What is Computer Forensics?

Computer Forensics can be defined simply as a process of applying scientific and analytical techniques to computer Operating Systems and File Structures in determining the potential for Legal Evidence.


Overview of Presentation

• Why is Evidence identification and Preservation required?

• Who benefits from Computer Forensics?

• General Types of Forensic Examinations requested.

• Process of Forensics.

• Tools of the trade.

• What is the Examiner looking for?


Why is Evidence important?

• In the legal world, Evidence is EVERYTHING.

• Evidence is used to establish facts.

• The Forensic Examiner is not biased.


Who needs Computer Forensics?

• The Victim!

• Law Enforcement

• Insurance Carriers

• Ultimately the Legal System


Who are the Victims?

• Private Business

• Government

• Private Individuals


Reasons for a Forensic Analysis

• ID the perpetrator.

• ID the method/vulnerability of the network that allowed the perpetrator to gain access into the system.

• Conduct a damage assessment of the victimized network.

• Preserve the Evidence for Judicial action.


Types of Forensic Requests

• Intrusion Analysis

• Damage Assessment

• Suspect Examination

• Tool Analysis

• Log File Analysis

• Evidence Search


Intrusion Analysis

• Who gained entry?

• What did they do?

• When did this happen?

• Where did they go?

• Why the chosen network?

• How did they do this?


Damage Assessment

• What was available for the intruder to see?

• What did he take?

• What did he leave behind?

• Where did he go?


File Recovery

• Deleted Files

• Hidden Files

• Slack Space

• Bad Blocks

• Steganography

• X-Drives

• NTFS Streams


NTFS Streams

The Forensic ToolKit 1.4 from NT OBJECTives, Inc. Copyright (c) 1998 NT OBJECTives, Inc. All Rights Reserved

AFind - File access time finder

SFind - Hidden data streams finder

HFind - Hidden file finder


Tool Analysis

• What tools were used?

• How were they executed?

• What language were they written in?

• File Comparison with Suspect’s File.


Log File Analysis

• Events.

• What Events are monitored?

• What do the event records reveal?

• Firewall/Router/Server log files?

• TripWire Database?

• Modem/FTP/Telnet/RAS


Evidence Search

• Image Files

• Software applications

• Deleted Files

• Hidden Files

• Encrypted Files

• Hidden partitions

• Keyword Search

• Known Remote Access Tools
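The File Recovery and Evidence Search slides both come down to reading what the file system no longer indexes. As an added example (not from the presentation), this Python script carves a deleted JPEG out of the unallocated space of a constructed image fragment by header/footer signature, runs a case-insensitive keyword search across the whole image including slack, and refuses to examine a working copy whose hash differs from the original.

```python
import hashlib
import re

# Constructed disk-image fragment, not a real capture: a deleted JPEG whose
# directory entry is gone but whose bytes still sit in unallocated space,
# surrounded by filler and a keyword of interest.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"photo-payload" + b"\xff\xd9"
IMAGE = b"\x00" * 32 + JPEG + b"\x00" * 16 + b"Project Falcon budget" + b"\x00" * 32

# File signatures: (header, footer). The footer search is bounded so a
# missing footer cannot swallow the rest of the image.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9")}

def verify_image(original: bytes, working_copy: bytes) -> str:
    """Return the SHA-256 of the working copy, raising if it differs from the original."""
    h_orig = hashlib.sha256(original).hexdigest()
    h_copy = hashlib.sha256(working_copy).hexdigest()
    if h_orig != h_copy:
        raise ValueError("working copy does not match original image")
    return h_copy

def carve(image: bytes, max_size: int = 1_000_000) -> list:
    """Recover files by header/footer signature; return (type, offset, data) tuples."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:
                found.append((ftype, start, image[start:end + len(footer)]))
                start = image.find(header, end)
            else:
                start = image.find(header, start + 1)
    return found

def keyword_search(image: bytes, keywords) -> dict:
    """Byte offsets of each keyword (case-insensitive) anywhere in the image, slack included."""
    hits = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw.encode()), re.IGNORECASE)
        hits[kw] = [m.start() for m in pattern.finditer(image)]
    return hits

if __name__ == "__main__":
    working = bytes(IMAGE)  # stands in for the restored image the examiner works on
    print("image sha256:", verify_image(IMAGE, working))
    for ftype, off, data in carve(working):
        print(f"carved {ftype} at offset {off}, {len(data)} bytes")
    print(keyword_search(working, ["falcon"]))
```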


Forensics Process

• Preparation

• Protection

• Imaging

• Examination

• Documentation


Preparation

• Confirm the authority to conduct analysis/search of media.

• Verify the purpose of the analysis and the clearly defined desired results.

• Ensure that sterile media is available and utilized for imaging (i.e. free of viruses and non-essential files, and verified before use).

• Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.


Legal Overview

Employer Searches in Private-Sector Workplaces

Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602, 614 (1989).

• Consult with your Legal Counsel


Protection

• Protect the integrity of the evidence. Maintain control until final disposition.

• Prior to Booting target computer, DISCONNECT HDD and verify CMOS.

• When Booting a machine for Analysis, utilize HD Lock software.


• Typical CBD Files


Imaging

• Utilize disk “imaging” software to make an exact image of the target media. Verify the image.

• When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.


• Imaging Software


Examination

• The Operating System

• Services

• Applications/processes

• Hardware

• LOGFILES!

• System, Security, and Application

• File System


Examination Continued

• Deleted/Hidden Files/NTFS Streams

• Software

• Encryption Software

• Published Shares/Permissions

• Password Files

• SIDs

• Network Architecture/Trusted Relationships


Off-Site Storage

• “X-Drives”

• FTP Links

• FTP Logs

• Shares on internal networks


Security Identifiers

• SIDs can be used to ID the perpetrator.

• Security is used within Win2K to ID a user.

• Security is applied to the SID.


Where to find the SID


SID Structure

• Domain Identifier: all values in the series except the last identify the Domain.

• Relative Identifier (RID): the last value. This IDs the Account or Group.

• S-1-5-21-838281932-1837309565-1144153901-1000
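A small parser for the SID structure just described, added here as an example and not part of the presentation: it splits a textual SID into its domain identifier and RID, labels the well-known RIDs an examiner checks first (the built-in Administrator and Guest accounts and the default domain groups, taken from the standard NT/Win2K allocation, where user-created accounts start at RID 1000), and tells whether two SIDs recovered from different artifacts came from the same domain or machine.

```python
from dataclasses import dataclass

# Well-known RIDs an examiner checks first; accounts created after
# installation on NT/Win2K start at RID 1000.
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

@dataclass
class SID:
    revision: int
    identifier_authority: int
    sub_authorities: list

    @property
    def domain_identifier(self) -> str:
        # Every value except the last identifies the domain (or local machine).
        head = [f"S-{self.revision}-{self.identifier_authority}"]
        return "-".join(head + [str(s) for s in self.sub_authorities[:-1]])

    @property
    def rid(self) -> int:
        # The last value is the RID, which identifies the account or group.
        return self.sub_authorities[-1]

    def describe(self) -> str:
        if self.rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[self.rid]
        return "user-created account or group" if self.rid >= 1000 else "other built-in RID"

def parse_sid(text: str) -> SID:
    """Parse a textual SID such as the one on the slide; reject malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        numbers = [int(p) for p in parts[1:]]
    except ValueError:
        raise ValueError(f"non-numeric component in SID: {text!r}") from None
    return SID(numbers[0], numbers[1], numbers[2:])

def same_domain(a: str, b: str) -> bool:
    """True when two SIDs share a domain identifier (same domain or same machine)."""
    return parse_sid(a).domain_identifier == parse_sid(b).domain_identifier

if __name__ == "__main__":
    sid = parse_sid("S-1-5-21-838281932-1837309565-1144153901-1000")  # SID from the slide
    print(sid.domain_identifier, sid.rid, sid.describe())
```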


Documentation

• Document EVERYTHING

• Reason for Examination

• “The Scene”

• Utilize Screen Capture/Copy Suspected files

• All apps for Analysis/apps on Examined system.


Users


Closing

• Forensic Techniques are based on the File System of the media to be examined

• Utilizing an NTFS partition enhances security. It further increases the Forensic examiner's chances of recovering useful evidence.

• The Investigator is looking for evidence to establish a FACT(s).