Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011


Description

This was a CLE course on digital forensics given to the Chicago Bar Association on May 25, 2011 by John Bambenek.

Transcript of Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

Page 1: Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 25, 2011

Cybercrime and Computer Forensics Seminar

Chicago Bar Association
Mar 25th, 2011

John C. A. Bambenek
Chief Forensic Examiner, Bambenek Consulting
[email protected]
http://www.bambenekconsulting.com
312-725-HACK (4225)

Page 2

Agenda

Types of Actionable Computer Crime

Incident Response versus Forensics

Laws Related to Computer Forensics

Chain of Custody and Data Acquisition

Hard drive Forensics

Registry Examination

Memory Forensics

Network Forensics

Log / Server Forensics

File Metadata

Page 3

Types of Actionable Computer Crime

Identity Theft

Electronic Fraud (ACH or Credit Card)

Spamming

Website Defacement / Denial of Service

Unauthorized Access / Misuse of Access

Cyberbullying

Trade Secret Theft

National Security Issues

Page 4

Obstacles to Cybercrime Prosecution

Relatively new area in the law / law has not caught up with technology

International in scope / non-extradition treaty countries

Limited resources & skillsets within law enforcement

Near constant level of criminal activity

Organized crime involvement and sophisticated business models

Security tool development lags criminal tool development

Page 5

Incident Response vs. Forensics

Incident response = “Something bad happened, fix it”

Forensics = Acquisition of evidence for potential litigation

Can include e-Discovery

Organizations should have prepared in advance for this decision

Some incidents are not worth pursuing in criminal or civil court

Forensics is much more time-consuming and expensive

In both cases: how someone “got in” and what they did once there

May not be concerned with attribution

Page 6

Laws Relating to Forensics

Wire fraud (18 USC § 1343)

Computer Fraud and Abuse Act (18 USC § 1030)

Electronic Communications Privacy Act (18 USC § 2510)

Stored Communications Act (18 USC § 2701)

Digital Millennium Copyright Act (17 USC § 512 et al) **

Page 7

Legal Issues Relating to Forensics

Ownership of Hardware

Big issue with Cloud Computing

Ownership of Data

Expectation of Privacy

Not supposed to monitor users if they reasonably believe their actions are private

Chain of Custody / Evidence Preservation

Hard to have a case if chain of custody is broken or evidence has been corrupted

Page 8

What kinds of evidence can be collected?

Physical drives

System memory

Network transmissions

System/Server Logs

Other sources?

Page 9

Chain of Custody

Physical possession of data is standard chain of custody

How do you prove chain of custody on electronic information? Cryptographic hashing

Prevention of evidence contamination

Analyze only digital copies

Use “write-blockers” for physical drives

Difficult for “live system” analysis

Keep notes for all tasks performed on a “live system”

Page 10

Hashing

Hashing uses a cryptographic algorithm to generate a fixed-length, pseudo-random string of text that uniquely represents a file (or an entire hard drive)

Small changes to the input cause large changes in the hash

Example: “Chicago Bar Association.” vs “Chicago Bar Association!”

MD5: 03d4d59b4619362bd565ac5330f831ca vs 1f08610821af98d38f1b577a580f1f38

SHA1: 7b41514f4ab916eb93da4d0301a39ea430b617d8 vs 3262f20679f1771afee3fc9b3c397ac02f04290a

Page 11

Hard drive data acquisition

Can be done on a “live system” or a system that is off

On a “live system” data is constantly changing, which can be problematic

Involves a bit-copy of a drive into a “virtual drive” file for examination

Hashes taken before and after to ensure no data is contaminated

Drive left in a safe; all analysis done on the “virtual drive” copies
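The two hashing slides above (the “Chicago Bar Association.” vs “!” example, and the before-and-after hashes of an acquired image) can be shown in a few lines of Python. The following is an added example, not code from the seminar or from Bambenek Consulting. It hashes the slide's two strings and counts how many digest bits changed, then hashes a constructed in-memory “drive image” in sector-sized chunks so that a working copy can later be checked against the digests recorded at acquisition. SAMPLE_IMAGE, the function names and the addition of SHA-256 alongside the slide's MD5 and SHA-1 are this example's own assumptions.

```python
import hashlib

# Constructed stand-in for a bit-copy of a drive (a real image would be the
# raw output of an imaging tool, usually gigabytes, read from disk in chunks).
SAMPLE_IMAGE = bytes(range(256)) * 16

# MD5 and SHA-1 are what the slide shows; SHA-256 is added because both older
# algorithms now have known collision attacks and examiners record all three.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_string(text: str, algorithm: str) -> str:
    """Hex digest of a text string, as on the 'Hashing' slide."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two hex digests of the same algorithm."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_image(data: bytes, chunk_size: int = 512) -> dict:
    """Hash an image in fixed-size (sector-sized) chunks so a large image never
    has to be held in memory at once. Returns one digest per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(data: bytes, recorded: dict) -> bool:
    """Re-hash a working copy and compare it with the digests recorded at
    acquisition. Any mismatch means the copy is no longer the evidence imaged."""
    current = hash_image(data)
    return all(current[name] == recorded[name] for name in recorded)


if __name__ == "__main__":
    a, b = "Chicago Bar Association.", "Chicago Bar Association!"
    for algorithm in ("md5", "sha1"):
        ha, hb = hash_string(a, algorithm), hash_string(b, algorithm)
        print(f"{algorithm}: {ha} vs {hb} ({differing_bits(ha, hb)} bits differ)")

    recorded = hash_image(SAMPLE_IMAGE)           # taken when the drive is imaged
    print("acquisition hashes:", recorded)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[1000] ^= 0x01                         # a single flipped bit in the copy
    print("untouched copy verifies:", verify_image(SAMPLE_IMAGE, recorded))
    print("altered copy verifies:", verify_image(bytes(tampered), recorded))
```

The acquisition record (the `recorded` dictionary, with the tool, date and examiner) is what goes into the chain-of-custody log; every later examiner re-runs `verify_image` on their copy before and after work and logs the result.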

Page 12

Hard drive basics

Hard drives are collections of ones and zeroes, even when mostly empty

File tables connect files to the actual “addresses” on the drive where the data that comprises each file is stored, and hold attributes of the file (like MAC times).

When files are deleted, the actual data still exists. The file is simply “unlinked” from the addresses it uses on the drive, and those parts of the drive can later be overwritten with new files.

Government standards require multiple “wipes” of a drive to confirm deletion

Data may hide also in “slack space”

Page 13

Hard drive basics

So you have a drive image, now what?

Search for all deleted files

Search for all files added, deleted or modified at a certain time

Search files for specific strings

Search for files of a specific type

Examine key system files (configuration files, startup scripts, system registry)

Depends heavily on the nature of the incident

Iterative process that is more art than science

Page 14

MAC times

MAC times stand for “modified”, “accessed”, “changed” and may also include a creation time.

All files have MAC times associated with them (even deleted ones).

These times can help provide a search pattern for files “important” to an incident (e.g. if something happened at 3pm on Jan 11th, you’d look for any file with a MAC time near that time).
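The MAC-time search the slide describes (and the “files added, deleted or modified at a certain time” item two slides earlier) is a short script against a mounted image or an export from it. This added Python example is not from the seminar: it reads the three stat times of every file under a root directory and returns those within a window of the incident as a sorted timeline. The sample evidence tree, the file names and the 3pm Jan 11th incident time are constructed; because `os.utime` can only set the modified and accessed times, the sample's “changed” times remain the moment the files were written.

```python
import os
import tempfile
from datetime import datetime, timedelta


def mac_times(path: str) -> dict:
    """MAC times of one file as local datetimes. On Unix st_ctime is the inode
    'changed' time; on Windows the same field holds the creation time."""
    st = os.stat(path)
    return {
        "modified": datetime.fromtimestamp(st.st_mtime),
        "accessed": datetime.fromtimestamp(st.st_atime),
        "changed": datetime.fromtimestamp(st.st_ctime),
    }


def files_near(root: str, incident: datetime, window: timedelta) -> list:
    """Walk a tree (a mounted image, or files exported from one) and return
    (path, which_time, timestamp) for every file with any MAC time within
    +/- window of the incident, sorted so it reads as a timeline."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for kind, when in mac_times(path).items():
                if abs(when - incident) <= window:
                    hits.append((path, kind, when))
    return sorted(hits, key=lambda hit: hit[2])


def build_sample_tree(root: str, incident: datetime) -> None:
    """Constructed evidence tree: one file touched four minutes after the
    incident and one untouched for a month. Names are invented."""
    near = os.path.join(root, "Temp", "unknown.tmp")
    far = os.path.join(root, "Documents", "budget.xls")
    for path in (near, far):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"sample content")
    stamp = (incident + timedelta(minutes=4)).timestamp()
    os.utime(near, (stamp, stamp))          # sets accessed and modified only
    old = (incident - timedelta(days=30)).timestamp()
    os.utime(far, (old, old))


def demo(incident: datetime = datetime(2011, 1, 11, 15, 0),
         window: timedelta = timedelta(hours=1)) -> list:
    """Build the sample tree in a temporary directory and run the search."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, incident)
        return files_near(root, incident, window)


if __name__ == "__main__":
    for path, kind, when in demo():
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:9}  {path}")
```

Only the file touched near the incident appears, once for its modified time and once for its accessed time; the month-old spreadsheet is filtered out. On a real image the “changed” column is the one an attacker's timestamp-altering tools usually cannot reset, which is why all three times are kept separate rather than collapsed into one.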

Page 15

Windows Registry

Windows operating systems keep a wide variety of information in the system registry (can be accessed live using the RegEdit command):

Most recently used programs

Most recently entered commands

Most recently viewed documents

Typed URLs in IE

Unique hardware addresses for USB keys accessed on the system

This can be used to create a “timeline” of activity on the machine
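Two of the keys the slide lists (recently entered Run commands and URLs typed into IE) are plain string values, so a RegEdit export of them can be parsed offline without touching the live machine. This added Python example is not from the seminar. It parses the `.reg` export format into a dictionary of keys and string values and reconstructs the most-recent-first order of the RunMRU and TypedURLs keys; the exported text, commands and URLs are constructed, and only string (`"name"="data"`) values are handled.

```python
import re

# Constructed sample (not from the seminar): what RegEdit's File > Export
# writes for two of the keys the slide lists. Commands and URLs are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="notepad C:\\Users\\jdoe\\notes.txt\\1"
"c"="\\\\fileserver\\share\\1"
"MRUList"="cba"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example.com/"
"url2"="http://www.example.org/login"
"""

RUN_MRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TYPED_URLS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"

# "name"="data" with backslash-escaped quotes and backslashes inside either part
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text: str) -> str:
    """.reg exports double backslashes and escape quotes inside string data."""
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: string data}}.
    Only REG_SZ values are kept; hex(...) blobs and dword values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                keys[current][unescape(match.group(1))] = unescape(match.group(2))
    return keys


def run_mru_in_order(values: dict) -> list:
    """RunMRU stores each command under a one-letter value with a trailing
    backslash-1; the MRUList value spells the letters most-recent-first."""
    ordered = []
    for letter in values.get("MRUList", ""):
        command = values.get(letter)
        if command is not None:
            ordered.append(command[:-2] if command.endswith("\\1") else command)
    return ordered


def typed_urls_in_order(values: dict) -> list:
    """TypedURLs are url1, url2, ... with url1 the most recently typed address."""
    names = sorted((n for n in values if re.fullmatch(r"url\d+", n)),
                   key=lambda n: int(n[3:]))
    return [values[n] for n in names]


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    print("Run dialog, most recent first:", run_mru_in_order(keys[RUN_MRU]))
    print("IE typed URLs, most recent first:", typed_urls_in_order(keys[TYPED_URLS]))
```

An export carries values but not the key's LastWrite timestamp, so ordering comes from the MRU list itself; when a time is needed for the timeline the hive file has to be examined with a tool that reads key timestamps.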

Page 16

Memory Forensics

Must be done on a “live” machine, memory disappears without power*

Contains:

All running programs (even those deleted from the disk)

Any encryption keys in use (makes for easy decrypting)

In some cases, passwords

Memory is constantly changing

Evidence “changes” over time, may have to work with multiple memory files

Page 17

Network forensics

In essence, the same as wiretapping a phone call except with data

Most network switches allow for capturing live traffic from a machine

What are you looking for:

Who is talking to this machine

Who is this machine talking to

When is it happening

What is being communicated

Encryption?

Page 18

Log forensics

Servers associated with a subject computer may have valuable information

E-mail logs can show all mail sent from a target computer

DHCP / DNS logs may show when the machine was on and who it was communicating with

If configured, logs on these servers can show who accessed a machine even if the machine’s own logs have been wiped

Web server logs can show attacks in progress and how servers were exploited
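The DHCP and web-server points on this slide combine naturally: a web log records only an IP address, and the DHCP log says which physical machine (MAC address and hostname) held that address at the time. This added Python example is not from the seminar. It parses constructed ISC dhcpd syslog lines and Apache combined-format lines and attributes each request to the machine that held the lease when the request was made, so that a request made after an address was released and reassigned is credited to the right machine. The log year and server time zone are assumptions supplied by the analyst, since syslog lines carry no year.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions an analyst would take from the case file: syslog lines have no
# year, and the DHCP server's clock is assumed to be US Central (January).
LOG_YEAR = 2011
LOG_TZ = timezone(timedelta(hours=-6))

# Constructed sample logs (not from the seminar). One address is leased to a
# workstation, released at lunch, and re-leased to a different machine.
DHCP_LOG = """\
Jan 11 08:02:17 dhcp1 dhcpd: DHCPACK on 10.1.2.57 to 00:1a:2b:3c:4d:5e (WS-JDOE) via eth0
Jan 11 12:30:44 dhcp1 dhcpd: DHCPRELEASE of 10.1.2.57 from 00:1a:2b:3c:4d:5e (WS-JDOE) via eth0
Jan 11 12:31:09 dhcp1 dhcpd: DHCPACK on 10.1.2.57 to 00:aa:bb:cc:dd:ee (LAPTOP-GUEST) via eth0
"""

ACCESS_LOG = """\
10.1.2.57 - - [11/Jan/2011:09:15:02 -0600] "GET /intranet/payroll.xls HTTP/1.1" 200 40312 "-" "Mozilla/5.0"
10.1.2.57 - - [11/Jan/2011:15:02:11 -0600] "GET /intranet/payroll.xls HTTP/1.1" 200 40312 "-" "curl/7.21.0"
10.1.2.99 - - [11/Jan/2011:15:03:40 -0600] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

DHCP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) (?:to|from) (?P<mac>\S+) \((?P<host>[^)]*)\)"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)


def parse_dhcp(text: str) -> list:
    """Turn dhcpd lines into (time, ip, mac, hostname, acquired) events, oldest first."""
    events = []
    for line in text.splitlines():
        match = DHCP_RE.match(line)
        if not match:
            continue
        when = datetime.strptime(f"{LOG_YEAR} {match['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when.replace(tzinfo=LOG_TZ), match["ip"], match["mac"],
                       match["host"], match["kind"] == "DHCPACK on"))
    return sorted(events, key=lambda event: event[0])


def lease_owner(events: list, ip: str, at: datetime):
    """Replay the lease history of one IP up to 'at' and return (mac, hostname)
    of the machine holding it at that moment, or None if no lease was active."""
    owner = None
    for when, event_ip, mac, host, acquired in events:
        if event_ip != ip or when > at:
            continue
        owner = (mac, host) if acquired else None
    return owner


def attribute_requests(access_log: str, dhcp_log: str) -> list:
    """Join each web request to the machine that held its source IP at the time."""
    events = parse_dhcp(dhcp_log)
    rows = []
    for line in access_log.splitlines():
        match = ACCESS_RE.match(line)
        if not match:
            continue
        when = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
        owner = lease_owner(events, match["ip"], when)
        rows.append({"when": when, "ip": match["ip"], "request": match["req"],
                     "status": match["status"], "agent": match["agent"],
                     "mac": owner[0] if owner else None,
                     "host": owner[1] if owner else None})
    return rows


if __name__ == "__main__":
    for row in attribute_requests(ACCESS_LOG, DHCP_LOG):
        print(f"{row['when']:%H:%M:%S} {row['ip']:<10} -> {row['host'] or '(no lease on record)':<22} {row['request']}")
```

The second request to the payroll file comes from the same IP as the first but, because the address had been released and re-issued, belongs to a different machine; a third request from an address with no lease on record is left unattributed rather than guessed.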

Page 19

E-mail Forensics

E-mails all come with headers that give a wealth of information to identify the sender.

Can show:

IP address of sender

All mail servers the message passed through

Potentially the true username of the sender

When the message was really sent

A unique message ID which can be used to track the message in mail server logs

Page 20

E-mail headers

Return-path: <[email protected]>
Envelope-to: [email protected]: Tue, 15 Mar 2011 12:13:56 -0500
Received: from mailhost.davismcgrath.com ([12.233.219.123])
    by thebox.pentex-net.com with esmtp (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1PzXoi-0000mf-Fw
    for [email protected]; Tue, 15 Mar 2011 12:13:56 -0500
Received: from DM48WXP (unverified [192.168.3.69]) by mailhost.davismcgrath.com (Rockliffe SMTPRA 9.3.1) with ESMTP id <[email protected]> for <[email protected]>; Tue, 15 Mar 2011 12:16:42 -0500
From: "Kevin A. Thompson" <[email protected]>
To: <[email protected]>
References: <201033962-1299187478-cardhu_decombobulator_blackberry.rim.net-1091018849-@bda678.bisx.prod.on.blackberry> <051601cbd9e9$bd0fae80$372f0b80$@com>
    <[email protected]>
In-Reply-To: <[email protected]>
Subject: RE: CBA - CLE/Seminar?
Date: Tue, 15 Mar 2011 12:16:39 -0500
Message-ID: <020b01cbe334$bf146320$3d3d2960$@com>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcvhtQ/DNjyl3vl3Rr+AKt9z5zMFkwBf6MAA
Content-Language: en-us
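Reading a header block like the one above by hand works for one message; for a mailbox it is worth scripting. This added Python example is not from the seminar. It uses the standard library's email parser on a constructed header set with the same shape as the slide's (an Outlook client on a private address handing to the firm's mail host, which hands to the recipient's Exim server): it walks the Received chain from the origin outward, pulls out each hop's host, IP and timestamp, flags the hop the receiving server marked “unverified”, and computes the delay between hops, where a negative delay exposes clock skew between relays. Addresses, domains and the Message-ID are documentation values invented for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not the seminar's headers): same relay structure as the
# slide, with documentation IPs, example.* domains and an invented Message-ID.
SAMPLE_HEADERS = """\
Return-path: <sender@law-firm.example>
Envelope-to: recipient@consulting.example
Delivery-date: Tue, 15 Mar 2011 12:13:56 -0500
Received: from mailhost.law-firm.example ([203.0.113.10])
\tby mx.consulting.example with esmtp (Exim 4.69)
\t(envelope-from <sender@law-firm.example>)
\tid 1AAAAA-000000-AA
\tfor recipient@consulting.example; Tue, 15 Mar 2011 12:13:56 -0500
Received: from DM48WXP (unverified [192.168.3.69])
\tby mailhost.law-firm.example (Rockliffe SMTPRA 9.3.1) with ESMTP
\tid <example-hop-id@mailhost.law-firm.example>
\tfor <recipient@consulting.example>; Tue, 15 Mar 2011 12:16:42 -0500
From: "A. Sender" <sender@law-firm.example>
To: <recipient@consulting.example>
Subject: RE: CBA - CLE/Seminar?
Date: Tue, 15 Mar 2011 12:16:39 -0500
Message-ID: <example-msgid@law-firm.example>
X-Mailer: Microsoft Office Outlook 12.0

"""


def parse_received(value: str) -> dict:
    """Pull sending host/IP, receiving host and timestamp out of one Received:
    header. By RFC 5321 the timestamp is whatever follows the last ';'."""
    text = " ".join(value.split())            # undo header folding
    m_from = re.match(r"from (\S+)", text)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    m_by = re.search(r"\bby (\S+)", text)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "when": parsedate_to_datetime(text.rsplit(";", 1)[-1].strip()),
        # the receiving MTA could not confirm the name the sender announced
        "unverified": "unverified" in text,
    }


def trace_hops(raw: str) -> list:
    """Relay chain oldest-first. Each MTA prepends its own Received: line, so
    header order is reversed to read from the origin outward."""
    msg = message_from_string(raw)
    hops = [parse_received(value) for value in msg.get_all("Received", [])]
    hops.reverse()
    for i, hop in enumerate(hops):
        # A negative delay cannot happen in reality: it means the relays' clocks disagree.
        hop["delay_s"] = 0 if i == 0 else int((hop["when"] - hops[i - 1]["when"]).total_seconds())
    return hops


def origin_summary(raw: str) -> dict:
    """The facts the slide lists: where it came from, when, and the ID to search logs for."""
    msg = message_from_string(raw)
    hops = trace_hops(raw)
    first = hops[0] if hops else {}
    return {
        "origin_host": first.get("from"),
        "origin_ip": first.get("ip"),
        "claimed_date": parsedate_to_datetime(msg["Date"]),   # set by the sender's client
        "first_relay_date": first.get("when"),                # stamped by the first server
        "message_id": msg["Message-ID"],
        "hops": len(hops),
    }


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_HEADERS):
        flag = " (unverified)" if hop["unverified"] else ""
        print(f"{hop['when']:%H:%M:%S %z}  {hop['from']} [{hop['ip']}]{flag} -> {hop['by']}  delay {hop['delay_s']:+d}s")
    print(origin_summary(SAMPLE_HEADERS))
```

The origin hop is the one that names the sender's own machine and private address, which the firm's mail host marked as unverified; its Message-ID is the value to search for in that host's logs. The Date header is the only timestamp the sender controls, so the first relay's Received time is the better witness for when the message was really sent.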

Page 21

File Metadata

Many file types include metadata in them to indicate the creating user, when modified, etc.

Metadata can be examined even on machines you don’t control

Cell phones can be notorious about including metadata with image files. This may even include GPS coordinates of where a picture was taken.

Office documents (especially with track changes) can show every person who touched a file

In some cases, can include content that has been “redacted” when viewed normally.
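The Office document points above (every person who touched a file, and “redacted” content that survives in the file) can be shown with nothing but the standard library, because a .docx is a zip archive of XML parts. This added Python example is not from the seminar. It builds a minimal constructed document in memory with invented authors and amounts, reads the creator and last-modified-by fields from docProps/core.xml, and lists the tracked insertions and deletions in word/document.xml with their authors, including the deleted text that still sits in the file even though it no longer shows on screen. The sample omits the other parts a real document carries, so it is readable by this code but not by Word.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample parts (not a real document). Authors, dates and amounts are invented.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Draft settlement terms</dc:title>
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>Jane Roe</cp:lastModifiedBy>
 <cp:revision>7</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2011-03-01T09:12:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2011-03-14T22:41:00Z</dcterms:modified>
</cp:coreProperties>"""

DOCUMENT_XML = f"""<w:document xmlns:w="{W}"><w:body><w:p>
 <w:r><w:t>Settlement amount: </w:t></w:r>
 <w:del w:id="1" w:author="Jane Roe" w:date="2011-03-14T22:40:00Z"><w:r><w:delText>$250,000</w:delText></w:r></w:del>
 <w:ins w:id="2" w:author="Jane Roe" w:date="2011-03-14T22:40:00Z"><w:r><w:t>$175,000</w:t></w:r></w:ins>
 <w:ins w:id="3" w:author="jdoe" w:date="2011-03-10T10:00:00Z"><w:r><w:t> (draft)</w:t></w:r></w:ins>
</w:p></w:body></w:document>"""


def build_sample_docx() -> bytes:
    """A .docx is a zip container; write just the two parts examined below."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("docProps/core.xml", CORE_XML)
        archive.writestr("word/document.xml", DOCUMENT_XML)
    return buffer.getvalue()


def office_metadata(docx_bytes: bytes) -> dict:
    """Core properties that are not visible when the document is opened normally."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        root = ET.fromstring(archive.read("docProps/core.xml"))

    def text(namespace: str, tag: str):
        element = root.find(f"{{{namespace}}}{tag}")
        return element.text if element is not None else None

    return {
        "title": text(DC, "title"),
        "creator": text(DC, "creator"),
        "last_modified_by": text(CP, "lastModifiedBy"),
        "revision": text(CP, "revision"),
        "created": text(DCTERMS, "created"),
        "modified": text(DCTERMS, "modified"),
    }


def tracked_changes(docx_bytes: bytes) -> list:
    """Every tracked insertion/deletion with author and date. Deleted text is
    kept in w:delText, so content 'removed' on screen is still in the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        root = ET.fromstring(archive.read("word/document.xml"))
    changes = []
    for kind, tag, text_tag in (("inserted", "ins", "t"), ("deleted", "del", "delText")):
        for element in root.iter(f"{{{W}}}{tag}"):
            changes.append({
                "kind": kind,
                "author": element.get(f"{{{W}}}author"),
                "date": element.get(f"{{{W}}}date"),
                "text": "".join(t.text or "" for t in element.iter(f"{{{W}}}{text_tag}")),
            })
    return changes


if __name__ == "__main__":
    document = build_sample_docx()
    print(office_metadata(document))
    for change in sorted(tracked_changes(document), key=lambda c: c["date"]):
        print(f"{change['date']}  {change['author']:<9} {change['kind']:<8} {change['text']!r}")
```

The same zip-and-XML approach reads .xlsx and .pptx, which share the docProps/core.xml part; picture metadata (EXIF, including the GPS fields the slide mentions) lives in a binary format inside the JPEG and needs a dedicated parser rather than this one.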

Page 22

Other data sources

Cell phones (certainly smart phones) are huge data repositories and can even store a significant amount of computer files

Tablets and iPads

Online social network content (in particular, media)

Blog comments, forum posts

Webmail accounts

Google

Page 23

Questions?

John Bambenek

[email protected]

http://www.bambenekconsulting.com

312 – 725 – HACK (4225)