CSE4482 11 Forensics

Page 1: Computer Forensics
CSE 4482 Computer Security Management: Assessment and Forensics
Instructor: N. Vlajic, Fall 2010

Page 2: Required reading
http://www.utwente.nl/itsecurity/algemeen/intern/how_tos/fundamental_computer_investiga.doc/index.html

Page 3: Learning Objectives
Upon completion of this material, you should be able to:

• Define computer forensics.

• Explain what makes ‘digital evidence’ admissible in court.

• List the key stages of the Computer Investigation Process.

Interesting story: http://www.youtube.com/watch?v=9ofeAPk0yMg

Page 4: Introduction
• Computer Forensics – involves obtaining & analyzing digital information in such a way that it is useable as evidence in civil, criminal or administrative cases (i.e. in court)

  like an archaeologist excavating a site, computer investigators retrieve information from a computer (hard drive) or other storage media (USB drives, DVDs, CDs, Zip drives, floppy disks, …)

  data is often not easy to find or decipher!

Computer Forensics ≠ Network Forensics

Computer Forensics ≠ Data Recovery

Page 5: Introduction (cont.)
• Network Forensics – yields information about how an attacker gained access to a network and what exactly he accessed in the network

  when / how / from which location the attacker logged on to the network, and which URLs and files, … he looked at / modified / left behind

http://www.soleranetworks.com/network-forensics/what-is-network-forensics

Page 6: Introduction (cont.)
• Data Recovery – involves recovering information from a computer / storage media that was deleted by mistake or lost during a server crash or a power surge

  in data recovery, you typically know what you are looking for, and it is not (absolutely) necessary to:

    ensure that no data / evidence has been damaged or altered in the process;
    make detailed documentation of all processes, analyzed results and conclusions; etc.

Page 7: Introduction (cont.)
• Role of Computer Forensics Professional – in a safe (minimally invasive) manner gather digital evidence from a suspect’s computer & determine whether the suspect:

  (a) committed a crime – in law enforcement incidents

  (b) violated a company policy – in private-sector incidents

  if the evidence suggests that one of the above has been committed, the forensics professional should start preparing the case – document the evidence so that it is useable in court

Page 8: Digital Evidence
• Locard’s Principle – postulated by 20th century forensics scientist Edmond Locard (France)

  ‘every contact leaves a trace’

  When a person commits a crime something is always left at the scene of the crime that was not present there when the person arrived.

Page 9: Digital Evidence (cont.)
• Digital Evidence – any information, stored or transmitted in digital form, that a party to a court case may use at a trial

  examples: emails, digital photographs, word processing documents, spreadsheets, internet browser histories, contents of computer memory, ATM transaction logs, GPS tracks, …

  to be accepted in court, digital evidence must meet certain criteria …

Page 10: Digital Evidence (cont.)
1) Admissibility of Digital Evidence – to be acceptable by court, digital evidence must be obtained with authorization

   investigator must obtain a search warrant, court order or consent, before collecting digital evidence – otherwise evidence may be rejected

2) Authenticity (Reliability or Integrity) of Digital Evidence – must be confirmed that digital evidence is the same as when it was collected

   often difficult to prove, as digital data can be easily altered – deliberately or accidentally

   may also require the proof that the system that generated digital evidence was working properly during the relevant time

Page 11: Computer Investigation (cont.)
Example: Case Study – Amex vs. Vinhnee (2005)

In this case, American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence.

Among other problems, the court said that Amex failed to provide adequate information about its computer policy & system control procedures, control of access to relevant databases & programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records.

The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ..."

http://www.proofspace.com/technology/discovery.php

Page 12: Computer Investigation (cont.)
Example: Case Study – Amex vs. Vinhnee (2005)

Steps you can take to give your digital data a better chance of being admitted into evidence in a court:

1. Document your access control and backup procedures and policies and test the effectiveness of your controls.

2. Have the changes to your databases and content/record management system routinely recorded and logged.

3. Protect your electronic records from post-archival tampering with modern data integrity and trusted time-stamping technologies.

4. Document the audit procedures you use to provide assurance of the continuing authenticity of the records.

http://www.proofspace.com/technology/discovery.php

Page 13: Example: CD Universe Prosecution Failure
“An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January 2000.

Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December 1999. Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …

Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established.

Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”

Page 14: Digital Evidence (cont.)
• Chain of Custody – documentation aimed to prove that, from the time it was seized, the evidence:
  1) was handled and preserved properly, and
  2) was never at risk of being compromised;

  must include detailed information about:

    where the evidence was stored

    who had access to the evidence

    what was done to the evidence, e.g. when it was handed over from one person/organization to another
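The following is an added example, not a form or tool from the lecture: a minimal tamper-evident chain-of-custody record that captures the fields the slide lists (where the evidence was stored, who handled it, what was done and when) and, in the spirit of page 12's "data integrity technologies", links each entry to the previous one by hash so that later editing or removal of an entry is detectable. The exhibit identifier, names, locations and timestamps are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Serialise an entry deterministically so its hash is reproducible."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Each entry stores who, when, where and what, plus the SHA-256 of the
    evidence at that moment and the hash of the previous entry, so altering
    or deleting any earlier entry breaks the chain.
    """

    def __init__(self, evidence_id: str, evidence_bytes: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence_bytes)   # hash at seizure
        self.entries: List[dict] = []

    def record(self, handler: str, action: str, location: str,
               evidence_bytes: bytes, timestamp: Optional[str] = None) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "location": location,
            "evidence_hash": sha256_hex(evidence_bytes),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))  # hash of all fields above
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev_hash = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i:
                problems.append(f"entry {i}: sequence gap (found seq {entry['seq']})")
            if entry["prev_entry_hash"] != prev_hash:
                problems.append(f"entry {i}: previous-entry hash does not match")
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                problems.append(f"entry {i}: entry contents were altered")
            if entry["evidence_hash"] != self.evidence_hash:
                problems.append(f"entry {i}: evidence hash differs from the hash at seizure")
            prev_hash = entry["entry_hash"]
        return problems


def demo_chain() -> CustodyLog:
    """Constructed sample: three handovers of one exhibit (placeholder names/places)."""
    image = b"constructed disk image bytes"
    log = CustodyLog("EXHIBIT-001", image)
    log.record("Investigator A", "seized drive and imaged it behind a write blocker",
               "suspect's office, desk 12", image, "2010-10-01T09:00:00+00:00")
    log.record("Investigator A", "handed over to evidence custodian",
               "evidence room, locker 3", image, "2010-10-01T11:30:00+00:00")
    log.record("Analyst B", "checked out for analysis (working copy made)",
               "forensics lab", image, "2010-10-02T08:15:00+00:00")
    return log


if __name__ == "__main__":
    log = demo_chain()
    print("intact:", log.verify() == [])
    log.entries[0]["handler"] = "someone else"   # simulate a later edit
    print("after edit:", log.verify())
```

The chain only detects changes; it does not prevent them, so the log itself still belongs in the same protected storage as the evidence, and the hash of each exhibit is re-computed at every handover rather than copied from the previous entry.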

Page 15: Digital Evidence (cont.)
Example: Chain-of-Custody Form

http://www.niiconsulting.com/checkmate/wp-admin/images/0206/cocfrm.jpg

Page 16: Digital Evidence (cont.)
3) Hearsay Rule – hearsay = secondhand or indirect evidence such as an overheard conversation or any statement made out of court and not under oath (generally not accepted in court)

   digital evidence that is (may be) hearsay: any human-generated data

     example: emails, chat-logs, etc.
     not easy to prove that statements / claims made in these documents are true
     exceptions: business records

   digital evidence that is NOT hearsay: any digital data collected by a computer without any interaction by a person

     example: router logs, ATM receipts, …

Page 17: Computer Investigation Phases
• Computer Investigation Phases – in working with digital evidence, 4 investigation phases should be applied:

  assess – analyze the scope of investigation & adequate actions to be taken

  acquire – gather, protect, & preserve original evidence

  analyze – correlate digital evidence with events of interest that will help you make a case

  report – gather & organize collected evidence/information and write a report

http://www.utwente.nl/itsecurity/algemeen/intern/how_tos/fundamental_computer_investiga.doc/index.html

Page 18: Computer Investigation Phases (cont.)
• Warnings!!!

  IT professionals who are unprepared for conducting a forensic computer investigation can easily ruin the suspect’s data & make a case impossible to prosecute.

  So, if you are not sure how to conduct a forensic investigation (e.g. which tools to employ) – don’t!, or you might become the subject of an investigation.

  Also, before beginning (each phase of) the investigation, determine whether law enforcement should be involved.

Page 19: Computer Investigation Phases (cont.)
Phase 1: Assess the Situation

1) Notify Decision Makers & Get Authorization
   to conduct a computer investigation, you need to obtain proper authorization unless existing policies and procedures provide incident response authorization

2) Review Applicable Policies and Laws
   determine if you have legal authority to conduct an investigation, i.e. whether the organization has policies/procedures that address the privacy rights of employees, contractors, etc.
   many companies state in their policies that there should be no expectation of privacy in the use of company’s equipment …

Page 20: Computer Investigation Phases (cont.)
Phase 1: Assess the Situation

3) Identify Investigation Team Members
   organizations should establish a forensics team – possessing an appropriate set/blend of skills – as a part of the incident response / disaster recovery process
   the forensics team should be kept as small as possible to ensure data confidentiality and minimize the chances of unwanted information leaks
   if the organization does not have personnel with the necessary skills, a trusted external investigation team should be engaged

4) Conduct a Thorough Assessment
   conduct a documented assessment of the situation (to prioritize necessary actions & justify resources for investigation), which would clearly identify:

     impacted (& potentially impacted) parties
     impact of the incident on current & potential business
     number of networks & computers involved, etc.

Page 21: Computer Investigation Phases (cont.)
Phase 1: Assess the Situation

4) Conduct a Thorough Assessment (cont.)
   a thorough assessment may require you to:

     obtain the network topology documentation
     capture network traffic over a period of time
     use tools to examine the state of software applications & OSs on affected computers, etc.

   best practices of the assessment process:

     build a timeline and map everything to it
     securely store any records or logs generated
     identify and interview anyone who might be involved; document all interview outcomes

5) Prepare for Evidence Acquisition
   before you move on to acquiring the data, ensure that you have generated proper documentation
   understand that if the incident becomes more than an internal investigation, this documentation may be reviewed and/or used in court

Page 22: Computer Investigation Phases (cont.)
Phase 2: Acquire the Data

1) Build Computer Investigation Toolkit
   to acquire data appropriately, a laptop/workstation with a range of software and hardware tools is needed, and typically should include:

     write-protected backup devices

     tools for creating a bit-to-bit copy (image) of a hard drive – ideally a hardware duplicator

     (older versions of) operating system(s)

     password recovery tools

     cables

     camera, …

   ideally, such toolkits would be created in advance

   for a more detailed list of tools see:
   http://www.utwente.nl/itsecurity/algemeen/intern/how_tos/fundamental_computer_investiga.doc/appendix_resources.html

Page 23: Computer Investigation Phases (cont.)
Phase 2: Acquire the Data

2) Collect the Data
   create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected

   subsequent data analysis should be performed on this copy and not on the original evidence

   verify the data you collect by creating a checksum and digital signatures when possible to prove that the copied data is identical to the original

   when you must capture volatile data, carefully consider the order in which you collect data – volatile data can be easily destroyed

     e.g. running processes, data loaded into memory, routing tables and temporary files can be lost forever when the computer is shut down

   you may need a combination of command-line tools + camera to capture some of the volatile data
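As an added example (not one of the imaging tools the lecture names), the routine below shows the "copy, then verify with a checksum" step of data collection: it reads the source bit for bit, hashes it while copying, re-reads the finished image and compares the two SHA-256 values, and writes a sidecar manifest in the `sha256sum` line format so the image can be re-verified later with standard tools. The demo images a constructed file in a temporary directory; on a real acquisition the source path would be the block device, opened read-only and ideally behind a hardware write blocker, which this example assumes rather than enforces.

```python
import hashlib
import os
import tempfile


def _sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str, chunk_size: int = 1 << 20) -> dict:
    """Bit-for-bit copy of source into image; the source is hashed as it is read,
    the image is hashed after writing, and the two are compared."""
    src_hash = hashlib.sha256()
    total = 0
    # The source is opened read-only: the original must never be written to.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())        # make sure the image is on disk before hashing it
    image_hash = _sha256_of_file(image_path, chunk_size)
    manifest = image_path + ".sha256"
    with open(manifest, "w") as m:     # "<hash>  <file>" is what `sha256sum -c` expects
        m.write(f"{image_hash}  {os.path.basename(image_path)}\n")
    return {
        "bytes_copied": total,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": image_hash == src_hash.hexdigest(),
        "manifest": manifest,
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash a stored image and compare with the value recorded at acquisition."""
    return _sha256_of_file(image_path) == expected_sha256


def demo_acquisition() -> dict:
    """Stand-alone demonstration on a constructed 'device' file (not a real disk)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_disk.bin")
        image = os.path.join(work, "suspect_disk.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 17))   # not a whole number of chunks
        result = acquire_image(source, image, chunk_size=1 << 20)
        intact_before = verify_image(image, result["source_sha256"])
        with open(result["manifest"]) as m:
            manifest_line = m.read().strip()
        # Simulate a single flipped bit in the stored copy and re-verify.
        with open(image, "r+b") as f:
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0x01]))
        tamper_detected = not verify_image(image, result["source_sha256"])
        return {"result": result, "intact_before": intact_before,
                "manifest_line": manifest_line, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo_acquisition())
```

Hashing the source stream during the copy rather than reading the original a second time keeps the number of passes over the evidence to one; a second independent read of the original, where the hardware allows it, is the stronger check.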

Page 24: Computer Investigation Phases (cont.)
Phase 2: Acquire the Data

3) Store and Archive
   evidence must be stored and archived in a way that ensures its safety and integrity

   best practices:

     store the evidence in a tamperproof location

     ensure no unauthorized personnel have access to the evidence

     protect the storage from magnetic fields

     make at least two copies of the evidence, and store one copy in a secure offsite location

     clearly document ‘chain of custody’

Page 25: Computer Investigation Phases (cont.)
• Bit-wise Copy of a Hard Drive – aka bit-stream copy or hard drive clone = bit-by-bit copy of the original drive and is its exact duplicate

  must be done in ‘hardware’, and is different from a simple back-up copy!

    back-up software only copies files that are stored in a folder or are of a known file type
    back-up software does NOT copy deleted files or e-mails or recover file fragments

  manufacturer & model of the target drive should be the same as the original

  if you replace the source disk with the target disk the system will work

  hard drive image = clone content in a file, typically done in ‘software’

http://www.itechnews.net/2010/04/01/startech-satdock22r-sata-hard-drive-duplicator/#more-36307

Page 26: Computer Investigation Phases (cont.)
Example: Tools for Hard-Drive Imaging

ProDiscover, Guide to Computer Forensics, … pp. 124
FTK Imager, Guide to Computer Forensics, … pp. 128

Remote Network Disk Acquisition with ProDiscover, pp. 140

Page 27: Computer Investigation Phases (cont.)
Phase 3: Analyze the Data

1) Analyze Network Data
   some investigations may require analysis of network (firewall, proxy server, IDS) logs

   typical information to look for:

     date and time of an event

     IP address and username

     resources being accessed, …

2) Analyze Host Data
   some investigations may require that components of a host’s operating system be examined

   in addition to the standard computer-related info (make, ROM, RAM, etc.), other info to look for:

     any malicious applications and processes, including those scheduled to run during the boot process

     clock drift information, …
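The following is an added example, not part of the lecture: it pulls the fields the slide names (date and time, IP address, username, resource accessed) out of constructed proxy log lines, merges them with constructed host events, and applies a measured clock drift so that events from the two clocks can be placed on one timeline. The log format, the hostnames and the 125-second drift are all made up for the example; real proxy or firewall logs need their own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (made-up layout and hostnames, not real traffic).
PROXY_LOG = """\
2010-10-04T13:02:11 proxy user=jdoe src=10.1.2.3 url=http://intranet.example/payroll.xls status=200
2010-10-04T13:02:30 proxy user=jdoe src=10.1.2.3 url=http://filedrop.example/upload status=200
2010-10-04T13:05:02 proxy user=asmith src=10.1.2.7 url=http://intranet.example/news status=200
"""

# Constructed host events, timestamped by the suspect host's own clock.
HOST_EVENTS = [
    ("2010-10-04T13:04:20", "10.1.2.3", "process start: winrar.exe"),
    ("2010-10-04T13:04:27", "10.1.2.3", "file created: C:\\Temp\\payroll.rar"),
]
# Assumed measurement: the host clock ran 125 s ahead of the proxy's synced clock.
HOST_CLOCK_DRIFT_SECONDS = 125

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proxy user=(?P<user>\S+) src=(?P<ip>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def parse_proxy_line(line: str):
    """Extract timestamp, username, client IP and resource from one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # lines in an unexpected format are skipped, not guessed
    return {
        "time": datetime.fromisoformat(m["ts"]),
        "source": "proxy",
        "ip": m["ip"],
        "user": m["user"],
        "what": f"{m['url']} ({m['status']})",
    }


def build_timeline(proxy_text: str, host_events, host_drift_seconds: float):
    """Merge proxy and host events into one list ordered by corrected time.

    Host timestamps are shifted by the measured drift so both sources are
    expressed in the proxy's (reference) time.
    """
    drift = timedelta(seconds=host_drift_seconds)
    events = [e for e in (parse_proxy_line(l) for l in proxy_text.splitlines()) if e]
    for ts, ip, what in host_events:
        events.append({
            "time": datetime.fromisoformat(ts) - drift,
            "source": "host",
            "ip": ip,
            "user": None,
            "what": what,
        })
    return sorted(events, key=lambda e: e["time"])


def events_for_ip(timeline, ip: str):
    """Filter the merged timeline down to one client address."""
    return [e for e in timeline if e["ip"] == ip]


if __name__ == "__main__":
    tl = build_timeline(PROXY_LOG, HOST_EVENTS, HOST_CLOCK_DRIFT_SECONDS)
    for e in events_for_ip(tl, "10.1.2.3"):
        print(e["time"].isoformat(), e["source"], e["user"] or "-", e["what"])
```

Without the drift correction the host events would sort after the upload instead of between the download and the upload, which is exactly the kind of ordering mistake that "clock drift information" on the host is collected to avoid.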

Page 28: Computer Investigation Phases (cont.)
Phase 3: Analyze the Data

3) Analyze Storage Media
   storage media collected during the Data Acquisition phase will contain many files – identify those that are relevant for the investigation

   when accessing files, use ‘file viewers’ instead of the original application that has created the file to avoid accidental damage (when possible)

   files stored in NTFS alternate data stream format may appear to contain 0 bytes when viewed through Windows Explorer

     the Windows Sysinternals Streams tool reveals such files
     http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

   collect file meta-data – information on the time of file creation, last access, and last writing

   tools to use: ProDiscover, FTK
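As an added example (not ProDiscover, FTK or the Streams tool), the inventory routine below collects the file meta-data the slide names (creation, last access and last write times) together with size and a SHA-256 hash for every regular file under a directory, which would be a mounted working copy of the image. The demo runs on a constructed temporary directory. Two details matter for evidence handling and are handled here: the metadata is read before the file is opened for hashing, since reading a file normally updates its access time, and a creation time is reported only on platforms whose `stat` result actually carries one (`st_birthtime`), rather than passing off Linux's inode change time as a creation time.

```python
import hashlib
import os
import stat
import tempfile
import time
from datetime import datetime, timezone


def _iso(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def inventory(root: str):
    """Return metadata (and hash) of every regular file under root, ordered by last write."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # lstat: never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            birth = getattr(st, "st_birthtime", None)   # absent on Linux
            rec = {
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "zero_size": st.st_size == 0,   # candidates for an alternate-data-stream check on NTFS
                "modified": _iso(st.st_mtime),
                "accessed": _iso(st.st_atime),
                "changed": _iso(st.st_ctime),   # metadata change time on POSIX, not creation
                "created": _iso(birth) if birth is not None else None,
                "_mtime_epoch": st.st_mtime,
            }
            # Hash only after the stat above: opening the file may update its access time.
            with open(path, "rb") as f:
                rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
            records.append(rec)
    return sorted(records, key=lambda r: r["_mtime_epoch"])


def demo_inventory():
    """Stand-alone run on constructed files with back-dated modification times."""
    with tempfile.TemporaryDirectory() as work:
        base = time.time() - 86400
        samples = [
            ("report.doc", b"quarterly figures", base + 10),
            ("notes.txt", b"meeting notes", base + 5),
            ("copy_of_report.doc", b"quarterly figures", base + 20),
            ("empty.dat", b"", base + 1),
        ]
        for name, content, mtime in samples:
            p = os.path.join(work, name)
            with open(p, "wb") as f:
                f.write(content)
            os.utime(p, (mtime, mtime))
        return inventory(work)


if __name__ == "__main__":
    for r in demo_inventory():
        print(r["modified"], r["size"], r["sha256"][:12], r["path"])
```

The hash lets duplicate content be spotted regardless of file name (report.doc and copy_of_report.doc above), and the zero-size flag marks the files that the slide says deserve a look with the Streams tool on an NTFS volume.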

Page 29: Computer Investigation Phases (cont.)
Phase 4: Report the Investigation

1) Gather and Organize Information
   gather all documentation and notes from the 3 earlier stages (Assess, Acquire, Analyze)
   create a detailed list of all evidence collected
   identify parts that are relevant to the investigation
   identify parts that support your conclusions

2) Write the Report
   organize the report in proper categories:

     Purpose of Report

     Author of Report

     Incident Summary (in non-technical language)

     Evidence (with information on what, who, when and how collected the digital evidence)

     Details (describing what was analyzed, methods and tools used, and findings obtained)

     Conclusion (including the reference to specific evidence that led to this conclusion)