Evidentiary Methods II: Evidence Acquisition Computer Forensics BACS 371.
Basic Forensic Methodology
1. Acquire the evidence (legally).
2. Authenticate that it is the same as the original.
3. Analyze the data without modifying it.
Photographing Systems
Before you do anything, begin documentation by photographing all aspects of the system:
• Monitor
• Desk and surrounding area
• All 4 sides of the PC
• Labeled cables, still connected
Evidence Acquisition Process [1]
• Disassemble the case of the computer
• Identify storage devices that need to be acquired (internal, external, or both)
• Document internal storage devices and hardware configuration
  - Drive condition: make, model, geometry, size, jumper settings, location, drive interface, …
  - Internal components: sound card, video card, network card (including MAC address), PCMCIA cards, …
• Disconnect storage devices (power, data, or both) so that a controlled boot cannot write to the evidence drive
• Controlled boots
  - Capture CMOS/BIOS information (boot sequence, time/date, passwords)
  - Controlled boot from a forensic CD to test functionality (RAM, write-protected storage, …)
  - Controlled boot to capture drive configuration (LBA, CHS, …)
[1] Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3, Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Role of the First Responder
Scene of the Cybercrime [1]
• Do no harm!
• Identify the crime scene
• Protect the crime scene
• Preserve temporary and fragile evidence
A Guide for First Responders [2]
• Secure and evaluate the scene
• Document the scene
• Collect evidence
• Packaging, transportation, and storage of evidence
• Forensic examination
[1] Scene of the Cybercrime, Shinder & Tittel, p. 553
[2] Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001
Role of Investigators [1]
• Establish chain of command
• Conduct crime scene search
• Maintain integrity of evidence
[1] Scene of the Cybercrime, Shinder & Tittel, p. 554
Role of Crime Scene Technician [1]
• Preserve volatile evidence and duplicate disks
• Shut down systems for transport
• Tag and log evidence
• Transport evidence
• Process evidence
[1] Scene of the Cybercrime, Shinder & Tittel, p. 555
Computer Seizure Checklist [1]
1. Photograph the monitor
2. Preserve volatile data
3. Shut down systems
4. Photograph the system setup (PC, all sides)
5. Label all connections
6. Unplug system and peripherals; mark and tag
7. Bag and tag all components
8. Bitstream copy of disk(s) (usually offsite)
9. Verify integrity of copies (usually offsite)
[1] Scene of the Cybercrime, Shinder & Tittel, p. 557
Evidence Logs
• Lists all evidence collected
• Description of each piece of evidence, with serial numbers and other identifying information
• Identifies who collected the evidence and why
• Date and time of collection
• Disposition of evidence
• All transfers of custody
Evidence Tag
• Place or person from whom the item was received
• Whether the item requires consent for search
• Description of items taken
• Information contained on the storage device
• Date and time the item was taken
• Full name and signature of the individual initially receiving the evidence
• Case and tag number
Evidence Label
• Case number and evidence tag number
• Date and time the evidence was collected
• Brief description of items in the envelope
Evidence Analysis Logs
Record for each step:
• How the step is performed
• Who was present
• What was done
• Result of the procedure
• Time/date
Document all potential evidence:
• Filename
• Where on disk the data are located
• Date and time stamps
• Network information (MAC address, IP address)
• Other file properties (metadata)
Evidence Log (sample)
Case Number: 123412
Tag # | Date      | Action Taken                   | By        | Location / Identifying Information
1     | 13 Jan 01 | Initial submission             | Matt Pepe | Maxtor 600GB (593843420)
1     | 15 Mar 01 | Moved evidence to tape         | Matt Pepe | 4mm tape #01101
1     | 15 Mar 01 | Examined evidence using EnCase | Matt Pepe | FRED #7
Each entry records: evidence tag number, date, action taken, person performing the action, and identifying information.
Preserve Volatile Data [1]
Order of Volatility [2], most volatile first (the order as given in RFC 3227):
1. Registers and cache
2. Routing table, ARP cache, process table, kernel statistics, contents of system memory (RAM)
3. Temporary file systems
4. Data on disk
5. Remote logging and monitoring data relevant to the system
6. Physical configuration, network topology
7. Archival media
[1] Scene of the Cybercrime, Shinder & Tittel, p. 559
[2] Guidelines for Evidence Collection and Archiving, IETF RFC 3227 (BCP 55), February 2002
Collecting Volatile Data
Tool: Purpose
netstat: view current network connections and listening ports
nbtstat: view NetBIOS over TCP/IP name tables and sessions
arp: view addresses in the ARP (Address Resolution Protocol) cache
pslist (Sysinternals): list running processes (or view in Task Manager)
ipconfig: gather information about the state of the network interfaces
Foundstone Tools
Pasco: an Internet Explorer activity forensic analysis tool
Galleta: an Internet Explorer cookie forensic analysis tool
Rifiuti: a Recycle Bin forensic analysis tool
Vision: reports all open TCP and UDP ports
NTLast: security audit (logon) tool for Windows NT
Forensic Toolkit: tools to examine an NTFS disk partition for unauthorized activity
ShoWin: shows information about windows (reveals passwords hidden behind asterisks)
BinText: finds ASCII, Unicode, and resource strings in a file
Things to Avoid [1]
• Don't shut down until volatile evidence has been collected
• Don't trust the programs on the system; use your own trusted tools, run from appropriately protected media
• Don't run programs that modify the access times of files
[1] Guidelines for Evidence Collection and Archiving, IETF RFC 3227, February 2002
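As an added example (not from the slides or the cited guidelines), the following Python collector applies the order of volatility and the three rules above: it runs only tools found in the examiner's own trusted tool directory, never anything on PATH; it works through the plan most-volatile-first; and it timestamps and hashes each output so the record can go straight into the evidence analysis log. The tool names are the Windows ones from the slides; the command flags, the tool directory `E:\tools`, the output directory and the `.exe` suffix handling are assumptions.

```python
import hashlib
import os
import subprocess
from datetime import datetime, timezone

# Collection plan, most volatile first. Registers/cache and a full RAM image
# need dedicated tooling, so a command-line plan starts at the kernel tables.
# Tool names are the ones on the slides; the flags are assumptions.
PLAN = [
    ("arp_cache",   ["arp", "-a"]),
    ("connections", ["netstat", "-an"]),
    ("netbios",     ["nbtstat", "-S"]),
    ("processes",   ["pslist"]),
    ("net_config",  ["ipconfig", "/all"]),
]

EXECUTABLE_SUFFIXES = ("", ".exe")   # assumption: same plan usable on POSIX and Windows


def resolve_trusted(tools_dir, name):
    """Absolute path of `name` inside tools_dir, or None if it is not there.

    PATH is deliberately never consulted: a binary on the suspect system may be
    trojaned or hidden by a rootkit ("don't trust the programs on the system").
    """
    for suffix in EXECUTABLE_SUFFIXES:
        candidate = os.path.join(tools_dir, name + suffix)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def collect_volatile(tools_dir, plan=PLAN, out_dir=None, runner=subprocess.run):
    """Run each step in plan order and return one log record per step.

    out_dir, if given, must be on the examiner's own media (never the suspect
    disk); each step's raw output is written there unchanged.
    """
    records = []
    for label, argv in plan:
        started = datetime.now(timezone.utc).isoformat(timespec="seconds")
        exe = resolve_trusted(tools_dir, argv[0])
        if exe is None:
            # Record the gap instead of silently falling back to the suspect's copy.
            records.append({"step": label, "started": started,
                            "status": "skipped: %s not in trusted tool set" % argv[0]})
            continue
        try:
            proc = runner([exe] + argv[1:], capture_output=True, timeout=60)
        except subprocess.TimeoutExpired:
            records.append({"step": label, "started": started, "status": "timeout"})
            continue
        output = proc.stdout or b""
        if out_dir is not None:
            with open(os.path.join(out_dir, label + ".txt"), "wb") as f:
                f.write(output)
        records.append({
            "step": label,
            "started": started,
            "finished": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "command": [exe] + argv[1:],
            "status": "ok" if proc.returncode == 0 else "exit %d" % proc.returncode,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),  # goes into the analysis log
            "output": output,
        })
    return records


if __name__ == "__main__":
    # Example invocation (paths are assumptions): tools on a read-only volume,
    # output to the examiner's own media.
    for rec in collect_volatile(r"E:\tools", out_dir=r"F:\case123412\volatile"):
        print(rec["step"], rec["status"], rec.get("sha256", ""))
```

The records are returned rather than printed so the caller can append them to the analysis log together with the examiner's name; a step whose tool is missing from the trusted set is logged as skipped, which is the honest record, rather than quietly run from the suspect's PATH.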
Acquire the Evidence: to shut down, or not to shut down, that is the question!
Do so without damaging or altering the original.
Should you let the machine run, or pull the plug?
Run
• Retains maximum forensic evidence (volatile data stays available)
Pull the plug
• Removes a compromised computer from potentially affecting the whole network
• Avoids a graceful shutdown, whose scripts can alter or wipe evidence
• How to pull the plug: from the back of the PC, when the hard drive is idle (not being written to); watch for
  - Sound
  - Drive light
  - Vibration
Making Backups
• File backup vs. bitstream copy: a file backup captures only allocated files; a bitstream copy captures every sector, including slack space, unallocated clusters and deleted data
• Use forensically sterile media (wiped and verified before use)
• Make 2 backup copies (one to work with and one to store)
• Don't access the original again!
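To make the two-copy rule concrete, here is an added Python example (mine, not course material): it streams the source once into both copies, hashes while copying, then re-reads each copy from the media to verify it, and returns an entry shaped like the evidence log above. The paths, the examiner name and the constructed 2.5 MiB sample image in `demo()` are assumptions; on a real system `source` would be the device node behind a hardware write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # 1 MiB reads: a device is streamed, never loaded whole


def hash_file(path):
    """MD5 and SHA-256 of a file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_image(source, copies, examiner, tag):
    """Read the source once, write every copy, hash while streaming, then
    re-read each copy from the media to verify it independently."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc)
    outs = [open(path, "wb") for path in copies]
    try:
        with open(source, "rb") as src:          # read-only handle on the original
            for chunk in iter(lambda: src.read(CHUNK), b""):
                md5.update(chunk)
                sha256.update(chunk)
                size += len(chunk)
                for out in outs:
                    out.write(chunk)
    finally:
        for out in outs:
            out.flush()
            os.fsync(out.fileno())              # data must be on the media before we verify
            out.close()
    digests = (md5.hexdigest(), sha256.hexdigest())
    # Verification reads the copies back from disk rather than trusting the write path.
    verified = {path: hash_file(path) == digests for path in copies}
    return {
        "tag": tag,
        "date": started.isoformat(timespec="seconds"),
        "action": "Bitstream copy of source; copies verified by hash",
        "by": examiner,
        "source": source,
        "bytes": size,
        "md5": digests[0],
        "sha256": digests[1],
        "verified": verified,
    }


def demo():
    """Constructed sample: a 2.5 MiB pseudo disk image acquired into two copies."""
    workdir = tempfile.mkdtemp()
    data = os.urandom(2 * CHUNK + 512 * 1024)   # size chosen to cross chunk boundaries
    source = os.path.join(workdir, "suspect.dd")
    with open(source, "wb") as f:
        f.write(data)
    copies = [os.path.join(workdir, "working_copy.dd"),
              os.path.join(workdir, "archive_copy.dd")]
    entry = acquire_image(source, copies, examiner="Matt Pepe", tag="1")
    return entry, hashlib.sha256(data).hexdigest(), len(data)
```

Two digests are recorded because the slides' integrity table lists MD5 as the common one-way hash while collision attacks on it are already cited later on this page; a second, stronger digest costs one extra update per chunk.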
Level of Effort to Protect Evidence…
If the evidence is going to be used in court vs. if the evidence is going to be used for an internal investigation:
• The evidence method should be the same for both situations, in case it ever goes to court
• The more documentation, the better
Forensic Analysis CYA
• Virus check: the forensic computer and the media being processed
• Collect system information: complete computer hardware inventory
• CHKDSK/SCANDISK: look for "orphan clusters" (on the working copy, never the original)
• Check for hidden partitions
• Document everything!
MD5 Hashing
Wikipedia entry: Cryptographic Hash Function
A hash function must be able to process an arbitrary-length message into a fixed-length output.
Related entries: Hash Function, Hash Collision, Check Digit, Cyclic Redundancy Check (CRC)
Integrity of Evidence [+]

Method: Checksum
Description: Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16- or 32-bit integer result.
Common types: CRC-16, CRC-32
Advantages: easy to compute; fast; small data storage; useful for detecting random errors
Disadvantages: low assurance against malicious attack; simple to create data with a matching checksum

Method: One-Way Hash
Description: Method for protecting data against unauthorized change. Produces a fixed-length large integer (80 to 240 bits in the source; 128 bits for MD5, 160 bits for SHA-1) representing the digital data. Implements a one-way function.
Common types: SHA-1, MD5, MD4, MD2
Advantages: easy to compute; can detect both random errors and malicious alterations
Disadvantages: must maintain secure storage of the hash values; does not bind identity with data; does not bind time with data

Method: Digital Signature
Description: Secure method for binding the identity of the signer with digital data integrity methods such as one-way hash values. Uses a public-key cryptosystem.
Common types: RSA, DSA, PGP
Advantages: binds identity to the integrity operation; prevents unauthorized regeneration of the signature
Disadvantages: slow; must protect the private key; does not bind time with data

[+] "Proving the Integrity of Digital Evidence with Time", International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (retrieved Oct 25, 2005)
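The "simple to create data with a matching checksum" row deserves a demonstration. The following added Python example (mine, not from the cited paper) takes a tampered record, appends four bytes that restore the original CRC-32, and shows that MD5 and SHA-256 still change. It relies only on the CRC's linearity over GF(2) and on the fact that every entry of the CRC-32 byte table has a distinct top byte, which lets one update step be run backwards. The sample records and the function names are constructed for the demonstration.

```python
import hashlib
import zlib

POLY = 0xEDB88320   # reflected CRC-32 polynomial used by zlib, PKZIP and Ethernet


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Each table entry has a distinct top byte, so the top byte of the register
# after an update step identifies the table index that step used.
REVERSE = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REVERSE) == 256


def crc32_forge_suffix(data, target):
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    register = zlib.crc32(data) ^ 0xFFFFFFFF   # internal state after `data`
    wanted = target ^ 0xFFFFFFFF               # internal state we need at the end
    # Backward pass: the table index used at each of the last four update
    # steps is fixed by `wanted` alone, independent of the current register.
    idx = [0] * 4
    v = wanted
    for k in (3, 2, 1, 0):
        i = REVERSE[v >> 24]
        idx[k] = i
        v = ((v ^ TABLE[i]) << 8) & 0xFFFFFFFF
    # Forward pass: choose each appended byte so the update uses that index.
    suffix = bytearray()
    r = register
    for i in idx:
        suffix.append(i ^ (r & 0xFF))
        r = TABLE[i] ^ (r >> 8)
    assert r == wanted
    return bytes(suffix)


def forge_to_match(original, tampered):
    """Tampered content extended so that its CRC-32 equals the original's."""
    forged = tampered + crc32_forge_suffix(tampered, zlib.crc32(original))
    assert zlib.crc32(forged) == zlib.crc32(original)
    return forged


def demo():
    # Constructed sample "evidence": one altered digit in a transaction record.
    original = b"2001-03-15 09:12 transfer 1,000.00 to account 4471\n"
    tampered = b"2001-03-15 09:12 transfer 9,000.00 to account 4471\n"
    forged = forge_to_match(original, tampered)
    return {
        "crc32_matches": zlib.crc32(forged) == zlib.crc32(original),
        "md5_matches": hashlib.md5(forged).digest() == hashlib.md5(original).digest(),
        "sha256_matches": hashlib.sha256(forged).digest() == hashlib.sha256(original).digest(),
        "suffix": forged[len(tampered):],
    }
```

Four appended bytes are always enough because the CRC register is 32 bits wide and the map from four input bytes to the register is a bijection; a checksum stored with the evidence therefore only tells you the copy did not suffer a random error, not that nobody edited it. The one-way hashes have no such shortcut, which is why they, and not CRCs, belong in the evidence log.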
Hashing Algorithms [1]
Algorithm: Description
MD2: Developed by Ronald L. Rivest in 1989; this algorithm was optimized for 8-bit machines.
MD4: Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
MD5: Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to build a computer that could find collisions by brute force (MD5 collisions are now found in seconds on an ordinary PC).
SHA: SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
HAVAL: A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5's.
[1] Hands-On Ethical Hacking and Network Defense, Simpson, 2006, p. 305
MD5 Hash
"[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit 'fingerprint' or 'message digest' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be 'compressed' in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA." [1]
[1] http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html (the text is the abstract of RFC 1321)
MD5 Hash
• 128-bit number representing a "fingerprint" of a file
• Odds of two different, randomly chosen files having the same MD5 hash are 1 in 2^128
• MD5 issues??? Collisions: two different files deliberately constructed to generate the same hash
  http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf
• SHA-1 collisions: http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
• Practical consequence: record a SHA-256 digest alongside any MD5 or SHA-1 value when authenticating evidence
Hash Try It…
• http://www.sha1-online.com/
• http://www.digital-detective.co.uk/freetools/md5.asp
• http://www.miraclesalad.com/webtools/md5.php
• Hash converter: http://hash.online-convert.com/sha1-generator
Admissibility of Evidence
The whole point of all of this is to make sure that the evidence is admissible, which means it is:
• Relevant: substantiates an issue that is in question in the case
• Competent: reliable and credible
• Obtained legally
5 Mistakes of Computer Evidence [1]
1. Turning on the computer (don't do it!)
2. Getting help from the computer owner
3. Not checking for computer viruses
4. Not taking any precautions in the transport of computer evidence
5. Running Windows to view graphic files and to examine files
[1] Electronic Fingerprints: Computer Evidence Comes Of Age, by Michael R. Anderson