CSE4482 11 Forensics
CSE 4482 Computer Security Management: Assessment and Forensics
Instructor: N. Vlajic, Fall 2010
Computer Forensics
Required reading:
http://www.utwente.nl/itsecurity/algemeen/intern/how_tos/fundamental_computer_investiga.doc/index.html
Learning Objectives
Upon completion of this material, you should be able to:
• Define computer forensics.
• Explain what makes ‘digital evidence’ admissible in court.
• List the key stages of the Computer Investigation Process.
Interesting story: http://www.youtube.com/watch?v=9ofeAPk0yMg
Introduction
• Computer Forensics – involves obtaining & analyzing digital information in such a way that it is usable as evidence in civil, criminal or administrative cases (i.e. in court)
  like an archaeologist excavating a site, computer investigators retrieve information from a computer (hard drive) or other storage media (USB drives, DVDs, CDs, Zip drives, floppy disks, …)
  data is often not easy to find or decipher!
Computer Forensics ≠ Network Forensics
Computer Forensics ≠ Data Recovery
Introduction (cont.)
• Network Forensics – yields information about how an attacker gained access to a network and what exactly he accessed in the network
  when / how / from which location the attacker logged on to the network, and which URLs and files, … he looked at / modified / left behind
http://www.soleranetworks.com/network-forensics/what-is-network-forensics
Introduction (cont.)
• Data Recovery – involves recovering information from a computer / storage media that was deleted by mistake or lost during a server crash or a power surge
  in data recovery, you typically know what you are looking for, and it is not (absolutely) necessary to:
    ensure that no data / evidence has been damaged or altered in the process;
    make detailed documentation of all processes, analyzed results and conclusions; etc.
Introduction (cont.)
• Role of Computer Forensics Professional – in a safe (minimally invasive) manner gather digital evidence from a suspect’s computer & determine whether the suspect:
  (a) committed a crime – in law enforcement incidents
  (b) violated a company policy – in private-sector incidents
  if the evidence suggests that one of the above has been committed, the forensics professional should start preparing the case – document the evidence so that it is usable in court
Digital Evidence
• Locard’s Principle – postulated by 20th century forensics scientist Edmond Locard (France): ‘every contact leaves a trace’
  When a person commits a crime something is always left at the scene of the crime that was not present there when the person arrived.
Digital Evidence (cont.)
• Digital Evidence – any information, stored or transmitted in digital form, that a party to a court case may use at a trial
  examples: emails, digital photographs, word processing documents, spreadsheets, internet browser histories, contents of computer memory, ATM transaction logs, GPS tracks, …
  to be accepted in court, digital evidence must meet certain criteria …
Digital Evidence (cont.)
1) Admissibility of Digital Evidence – to be acceptable by the court, digital evidence must be obtained with authorization
  the investigator must obtain a search warrant, court order or consent before collecting digital evidence – otherwise the evidence may be rejected
2) Authenticity (Reliability or Integrity) of Digital Evidence – it must be confirmed that the digital evidence is the same as when it was collected
  often difficult to prove, as digital data can be easily altered – deliberately or accidentally
  may also require proof that the system that generated the digital evidence was working properly during the relevant time
Computer Investigation (cont.)
Example: Case Study – Amex vs. Vinhnee (2005)
In this case, American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts, and took legal action to recover the money. But the trial judge determined that Amex failed to authenticate its electronic records, and therefore Amex could not admit its own business records into evidence.
Among other problems, the court said that Amex failed to provide adequate information about its computer policy & system control procedures, control of access to relevant databases & programs, how changes to data were recorded or logged, what backup practices were in place, and how Amex could provide assurance of continuing integrity of their records.
The judge pointed out that, "... the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record so as to assure that the document being proffered is the same as the document that originally was created ..."
http://www.proofspace.com/technology/discovery.php
Computer Investigation (cont.)
Example: Case Study – Amex vs. Vinhnee (2005)
Steps you can take to give your digital data a better chance of being admitted into evidence in a court:
1. Document your access control and backup procedures and policies, and test the effectiveness of your controls.
2. Have the changes to your databases and content/record management system routinely recorded and logged.
3. Protect your electronic records from post-archival tampering with modern data integrity and trusted time-stamping technologies.
4. Document the audit procedures you use to provide assurance of the continuing authenticity of the records.
http://www.proofspace.com/technology/discovery.php
Example: CD Universe Prosecution Failure
“An extortion attempt involving credit card numbers stolen from the computers of Internet retailer CD Universe occurred in January 2000.
Someone calling himself “Maxim” said that he had copied 300,000 credit card numbers from their database in December 1999. Maxim threatened to post that confidential data on the Internet unless he was paid $100,000 …
Six months after Maxim had broken into CD Universe, US authorities were unable to find him. Even if law enforcement had found him, they probably would not have been able to prosecute the case because e-evidence collected from the company’s computers had not been properly protected. The chain of custody had not been properly established.
Although it was not clear exactly how the CD Universe evidence was compromised, it seemed that in the initial rush to learn how Maxim got into the company’s network, FBI agents and employees from three computer security firms accessed original files instead of working from a forensic copy. …”
Digital Evidence (cont.)
• Chain of Custody – documentation aimed to prove that, from the time it was seized, the evidence: 1) was handled and preserved properly, and 2) was never at risk of being compromised;
  must include detailed information about:
    where the evidence was stored
    who had access to the evidence
    what was done to the evidence, e.g. when it was handed over from one person/organization to another
Digital Evidence (cont.)
Example: Chain-of-Custody Form
http://www.niiconsulting.com/checkmate/wp-admin/images/0206/cocfrm.jpg
Digital Evidence (cont.)
3) Hearsay Rule – hearsay = secondhand or indirect evidence such as an overheard conversation or any statement made out of court and not under oath (generally not accepted in court)
  digital evidence that is (may be) hearsay: any human-generated data
    example: emails, chat logs, etc. – not easy to prove that statements / claims made in these documents are true
    exceptions: business records
  digital evidence that is NOT hearsay: any digital data collected by a computer without any interaction by a person
    example: router logs, ATM receipts, …
Computer Investigation Phases
• Computer Investigation Phases – in working with digital evidence, 4 investigation phases should be applied:
  assess – analyze the scope of the investigation & adequate actions to be taken
  acquire – gather, protect, & preserve original evidence
  analyze – correlate digital evidence with events of interest that will help you make a case
  report – gather & organize collected evidence/information and write a report
http://www.utwente.nl/itsecurity/algemeen/intern/how_tos/fundamental_computer_investiga.doc/index.html
Computer Investigation Phases (cont.)
• Warnings!!!
  IT professionals who are unprepared for conducting a forensic computer investigation can easily ruin the suspect’s data & make a case impossible to prosecute.
  So, if you are not sure how to conduct a forensic investigation (e.g. which tools to employ) – don’t!, or you might become the subject of an investigation.
  Also, before beginning (each phase of) an investigation, determine whether law enforcement should be involved.
Computer Investigation Phases (cont.)
Phase 1: Assess the Situation
1) Notify Decision Makers & Get Authorization
  to conduct a computer investigation, you need to obtain proper authorization unless existing policies and procedures provide incident response authorization
2) Review Applicable Policies and Laws
  determine if you have legal authority to conduct an investigation, i.e. whether the organization has policies/procedures that address the privacy rights of employees, contractors, etc.
  many companies state in their policies that there should be no expectation of privacy in the use of the company’s equipment …
Computer Investigation Phases (cont.)
Phase 1: Assess the Situation
3) Identify Investigation Team Members
  organizations should establish a forensics team – possessing an appropriate set/blend of skills – as a part of the incident response / disaster recovery process
  the forensics team should be kept as small as possible to ensure data confidentiality and minimize the chances of unwanted information leaks
  if the organization does not have personnel with the necessary skills, a trusted external investigation team should be engaged
4) Conduct a Thorough Assessment
  conduct a documented assessment of the situation (to prioritize necessary actions & justify resources for the investigation), which would clearly identify:
    impacted (& potentially impacted) parties
    impact of the incident on current & potential business
    number of networks & computers involved, etc.
Computer Investigation Phases (cont.)
Phase 1: Assess the Situation
4) Conduct a Thorough Assessment (cont.)
  a thorough assessment may require you to:
    obtain the network topology documentation
    capture network traffic over a period of time
    use tools to examine the state of software applications & OSs on affected computers, etc.
  best practices of the assessment process:
    build a timeline and map everything to it
    securely store any records or logs generated
    identify and interview anyone who might be involved; document all interview outcomes
5) Prepare for Evidence Acquisition
  before you move on to acquiring the data, ensure that you have generated proper documentation
  understand that if the incident becomes more than an internal investigation, this documentation may be reviewed and/or used in court
Computer Investigation Phases (cont.)
Phase 2: Acquire the Data
1) Build Computer Investigation Toolkit
  to acquire data appropriately, a laptop/workstation with a range of software and hardware tools is needed, and typically should include:
    write-protected backup devices
    tools for creating a bit-to-bit copy (image) of a hard drive – ideally a hardware duplicator
    (older versions of) operating system(s)
    password recovery tools
    cables
    camera, …
  ideally, such toolkits would be created in advance
  for a more detailed list of tools see:
  http://www.utwente.nl/itsecurity/algemeen/intern/how_tos/fundamental_computer_investiga.doc/appendix_resources.html
Computer Investigation Phases (cont.)
Phase 2: Acquire the Data
2) Collect the Data
  create a bit-wise copy of the evidence in a backup destination, ensuring that the original data is write-protected
  subsequent data analysis should be performed on this copy and not on the original evidence
  verify the data you collect by creating a checksum and digital signatures when possible, to prove that the copied data is identical to the original
  when you must capture volatile data, carefully consider the order in which you collect data – volatile data can be easily destroyed
    e.g. running processes, data loaded into memory, routing tables and temporary files can be lost forever when the computer is shut down
  you may need a combination of command-line tools + camera to capture some of the volatile data
Computer Investigation Phases (cont.)
Phase 2: Acquire the Data
3) Store and Archive
  evidence must be stored and archived in a way that ensures its safety and integrity
  best practices:
    store the evidence in a tamperproof location
    ensure no unauthorized personnel have access to the evidence
    protect the storage from magnetic fields
    make at least two copies of the evidence, and store one copy in a secure offsite location
    clearly document the ‘chain of custody’
Computer Investigation Phases (cont.)
• Bit-wise Copy of a Hard Drive – aka bit-stream copy or hard drive clone = bit-by-bit copy of the original drive, and is its exact duplicate
  must be done in ‘hardware’, and is different from a simple back-up copy!
    back-up software only copies files that are stored in a folder or are of a known file type
    back-up software does NOT copy deleted files or e-mails or recover file fragments
  manufacturer & model of the target drive should be the same as the original
  if you replace the source disk with the target disk the system will work
  hard drive image = clone content in a file, typically done in ‘software’
http://www.itechnews.net/2010/04/01/startech-satdock22r-sata-hard-drive-duplicator/#more-36307
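An added example, not part of the lecture notes or of any tool named above, of the acquisition steps on this and the ‘Collect the Data’ slide: a streaming bit-stream copy that is hashed while it is read, re-hashed from the finished image to prove the copy is identical, and recorded in an append-only chain-of-custody log. The ‘drive’ is a constructed file and the function, file and item names are this example’s own; a real acquisition would read the source through a hardware write-blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read, so a multi-GB drive never has to fit in RAM

def hash_file(path, hash_name="sha256"):
    """Hash a file (or a device node) by streaming it block by block."""
    h = hashlib.new(hash_name)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source_path, image_path, hash_name="sha256"):
    """Bit-stream copy: every byte of source_path goes to image_path (unlike a
    file-level backup), hashed as it is read.  The finished image is then
    re-read from disk and hashed independently; only a matching digest proves
    the copy is identical to the original (assumed: source is write-blocked)."""
    h_src = hashlib.new(hash_name)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    image_hash = hash_file(image_path, hash_name)
    return {"algorithm": hash_name, "source_hash": h_src.hexdigest(),
            "image_hash": image_hash, "bytes": os.path.getsize(image_path),
            "verified": h_src.hexdigest() == image_hash}

def append_custody_entry(log_path, item_id, action, handler, **details):
    """Append one chain-of-custody event (who did what to which item, when in
    UTC, with hashes) as a JSON line; appending, never rewriting, keeps the
    item's earlier history intact."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "item_id": item_id, "action": action, "handler": handler, **details}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def demo(workdir=None):
    """Image a constructed stand-in 'drive', log the acquisition, then show
    that a single flipped byte in a second copy is caught by re-hashing."""
    workdir = workdir or tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_drive.bin")        # constructed data
    with open(src, "wb") as f:
        f.write(b"MBR" + os.urandom(3 * CHUNK) + b"deleted-file-fragment")
    image = os.path.join(workdir, "EV-001.dd")
    result = image_and_verify(src, image)
    append_custody_entry(os.path.join(workdir, "custody.jsonl"), "EV-001",
                         "imaged", "examiner (placeholder)", **result)
    altered = os.path.join(workdir, "EV-001-altered.dd")    # simulated damage
    with open(image, "rb") as f, open(altered, "wb") as g:
        data = bytearray(f.read())
        data[CHUNK + 7] ^= 0x01
        g.write(data)
    result["tamper_detected"] = hash_file(altered) != result["image_hash"]
    return result
```

Hashing the source while it is read and the image after it is written means the two digests are computed from separate passes over separate media, which is what the custody record needs to show.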
Computer Investigation Phases (cont.)
Example: Tools for Hard-Drive Imaging
ProDiscover, Guide to Computer Forensics, … pp. 124
FTK Imager, Guide to Computer Forensics, … pp. 128
Remote Network Disk Acquisition with ProDiscover, pp. 140
Computer Investigation Phases (cont.)
Phase 3: Analyze the Data
1) Analyze Network Data
  some investigations may require analysis of network data (firewall, proxy server, IDS logs)
  typical information to look for:
    date and time of an event
    IP address and username
    resources being accessed, …
2) Analyze Host Data
  some investigations may require that components of a host’s operating system be examined
  in addition to the standard computer-related info (make, ROM, RAM, etc.), other info to look for:
    any malicious applications and processes, including those scheduled to run during the boot process
    clock drift information, …
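An added example (not from the course or its cited reading) of the analysis steps above: firewall, proxy and host log lines are combined into one timeline, with each device’s measured clock drift corrected before sorting, so that the order of events is the real order and not the order of the devices’ own clocks. The log formats, drift values, host names and sample lines are all constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Per-device clock drift measured during host analysis (device clock minus the
# reference NTP clock, in seconds; positive = runs fast).  Constructed values.
CLOCK_DRIFT_S = {"fw1": 125, "proxy1": 0, "ws-42": -90}

# Three constructed log formats: firewall, proxy (epoch seconds), host logon.
# Every device is assumed to log in UTC, so only drift needs correcting.
FW_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
PROXY_RE = re.compile(r"^(\d+) (\S+) user=(\S+) ip=(\S+) (\w+) (\S+)$")
HOST_RE = re.compile(r"^(\S+ \S+) (\S+) user=(\S+) event=(\S+)$")

SAMPLE_LINES = [  # constructed sample, in the order the logs were handed over
    "2010-10-04 02:17:30 fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22",
    "1286158560 proxy1 user=jsmith ip=10.0.0.5 GET http://example.net/tools.zip",
    "2010-10-04 02:18:00 ws-42 user=jsmith event=logon",
    "2010-10-04 02:21:05 fw1 ACCEPT src=203.0.113.7 dst=10.0.0.9 dport=445",
]

@dataclass
class Event:
    time: datetime   # drift-corrected, timezone-aware UTC
    device: str
    ip: str
    user: str
    resource: str
    raw: str         # original line, for the report's evidence section

def correct_clock(device, local_time):
    """Map a timestamp from a device's own clock onto the reference clock."""
    return local_time - timedelta(seconds=CLOCK_DRIFT_S.get(device, 0))

def _utc(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_line(line):
    """Return an Event for a recognised line, or None for an unknown format."""
    if m := FW_RE.match(line):
        return Event(correct_clock(m[2], _utc(m[1])), m[2], m[4], "-",
                     f"{m[5]}:{m[6]} {m[3]}", line)
    if m := PROXY_RE.match(line):
        ts = datetime.fromtimestamp(int(m[1]), tz=timezone.utc)
        return Event(correct_clock(m[2], ts), m[2], m[4], m[3], f"{m[5]} {m[6]}", line)
    if m := HOST_RE.match(line):
        return Event(correct_clock(m[2], _utc(m[1])), m[2], "-", m[3], m[4], line)
    return None

def build_timeline(lines):
    """Parse every line, keep unparseable ones aside (the report should say
    what was skipped), and sort the rest by corrected time."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line.strip())
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    events.sort(key=lambda e: e.time)
    return events, unparsed

def events_for(events, ip=None, user=None):
    """Pull out the timeline entries tied to one IP address or one username."""
    return [e for e in events if (ip and e.ip == ip) or (user and e.user == user)]
```

With the constructed drift values the first firewall entry, which the firewall stamped after the proxy request, moves ahead of it once corrected; raw timestamps alone would have told the story in the wrong order.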
Computer Investigation Phases (cont.)
Phase 3: Analyze the Data
3) Analyze Storage Media
  storage media collected during the Data Acquisition phase will contain many files – identify those that are relevant for the investigation
  when accessing files, use ‘file viewers’ instead of the original application that created the file, to avoid accidental damage (when possible)
  files stored in NTFS alternate data stream format may appear to contain 0 bytes when viewed through Windows Explorer
    the Windows Sysinternals Streams tool reveals such files: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
  collect file meta-data – information on the time of file creation, last access, and last write
  tools to use: ProDiscover, FTK
Computer Investigation Phases (cont.)
Phase 4: Report the Investigation
1) Gather and Organize Information
  gather all documentation and notes from the 3 earlier stages (Assess, Acquire, Analyze)
  create a detailed list of all evidence collected
  identify parts that are relevant to the investigation
  identify parts that support your conclusions
2) Write the Report
  organize the report in proper categories:
    Purpose of Report
    Author of Report
    Incident Summary (in non-technical language)
    Evidence (with information on what, who, when and how the digital evidence was collected)
    Details (describing what was analyzed, methods and tools used, and findings obtained)
    Conclusion (including the reference to specific evidence that led to this conclusion)