Legal Issues in Computer Forensics

Transcript of the slide deck (8/11/2019), 26 slides.

    Computer Forensics

    Jake Cunningham

    Network Analyst, Office of Information Technologies

    UMASS Amherst


    Computer Forensics

    Today's Topics

    This lecture is intended to give a general overview of the field of Computer Forensics. Due to time constraints I have left out specific details about tools, techniques and operating procedures.

    Definitions

    Situations in which one may conduct a forensic analysis.

    Role of the Forensic Investigator

    Legal Issues to Consider


    Computer Forensics

    Definitions:

    The Merriam-Webster Dictionary defines forensic(s) as:

    the application of scientific knowledge to legal problems; especially: scientific analysis of physical evidence (as from a crime scene)


    Computer Forensics

    Definitions:

    Wietse Venema and Dan Farmer (authors of The Coroner's Toolkit) defined Computer Forensics as:

    Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system (http://www.fish.com/forensics/class.html)


    Computer Forensics

    When might one do a forensic analysis of a computer?

    Analyze an intrusion or unauthorized use: trace the activities of the intruder on the system.

    Analyze and/or reverse engineer malware installed or left behind by an intruder.

    Monitor or analyze an authorized user's behavior on a computer: an employee's use (or misuse) of a computer.

    Law enforcement in the course of a criminal investigation.


    Computer Forensics

    Six Steps of Incident Handling:

    Preparation

    Identification

    Containment

    Eradication

    Recovery

    Follow-up

    Computer Forensics is the Identification step of Incident Response.


    Computer Forensics

    Role of Forensic Investigator

    During an incident you may:

    Have the role of the Incident Handler and work with a forensic investigator

    Have the role of the Forensic Investigator and work with an Incident Handler

    Have the role of both Incident Handler and Forensic Investigator.


    Computer Forensics

    What happened?

    Was there an incident? What is it?

    What was changed on the system?

    What activity happened on the system?

    What files/applications were modified, accessed, or created?

    Where did it happen?

    What systems/services were affected?

    What relationships do those systems have to others?

    Where did the intruder/user come from (local/remote)?

    Where did the intruder/user go to using the affected computer?


    Computer Forensics

    When did it happen?

    When did the suspicious/anomalous activity start? When did it end?

    When did important/key events occur?

    How did it happen?

    Virus: what was the infection vector?

    Intruder: how did they gain access or elevate privileges on the system?

    Authorized user: how did they gain access to files or websites, or conduct inappropriate behavior?


    Computer Forensics

    Collecting Evidence:

    Rule #1 of Incident Response or Forensic Investigation:

    ALWAYS TAKE GOOD NOTES!

    Document everything! You WILL forget the details if you don't write them down.


    Computer Forensics

    Collecting Evidence:

    To ensure that evidence is not altered, corrupted or destroyed:

    Make sure you understand the OS and the ramifications of your actions on the system while collecting evidence.

    Always work with tools that you are familiar with and that are known to be good. For example: use a customized incident response CD with statically linked binaries.

    Always analyze bit copies of the filesystem and storage media rather than the original evidence disk.


    Computer Forensics

    Collecting Evidence:

    Interview parties involved (if timing is appropriate).

    Take inventory of all devices involved (make, model, serial number).

    If system(s) are up and running, consider:

    Gathering running process info

    Getting a dump of memory

    Gathering info about active network connections

    Screen captures (if appropriate)

    Make bit copies of physical media (hard disks, floppies, Zip disks, thumb drives, etc.).


    Computer Forensics

    Collecting Evidence:

    Tools to gather process and network info

    Unix: ps, lsof, top, netstat (on Linux, also look in /proc)

    Windows: Task Manager, fport, pslist, ps, tcpview, netstat


    Computer Forensics

    Collecting Evidence:

    What to look for in process and network info: depends on nature of investigation

    System intrusion / computer user investigation:

    Processes listening on suspicious network ports

    Verify well-known process names listening on well-known ports

    Non-standard process names

    Look for open or established network connections

    Check for remote shares and remote user logins
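    As an added example (not part of the original lecture), here is a Python script that reads the Linux /proc/net/tcp table behind netstat, decodes its hex address:port pairs, separates listeners from established connections, flags listeners outside a documented baseline, and maps a socket inode back to its process through /proc/<pid>/fd. The sample table, the baseline port set and the uid values are constructed; little-endian byte order is assumed.

```python
"""Listening sockets and established connections from the Linux /proc/net/tcp table."""
import os
import socket
import struct

# Constructed sample table (not captured from a real host): a listener on
# 0.0.0.0:22 as root (uid 0), a listener on 127.0.0.1:3306 as uid 1000, and one
# established connection from 15.2.0.10:50000 to 34.216.184.93:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).

    The kernel prints the IPv4 address as a 32-bit value in host byte order, so on
    the little-endian hosts assumed here the octets appear reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def listeners(rows):
    return [r for r in rows if r["state"] == "LISTEN"]


def established(rows):
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def unexpected_listeners(rows, baseline_ports):
    """Listeners on ports that are not in the host's documented baseline (assumed set)."""
    return [r for r in listeners(rows) if r["local"][1] not in baseline_ports]


def socket_owner(inode, proc="/proc"):
    """Map a socket inode to (pid, comm, exe) by scanning /proc/<pid>/fd; None if not found.

    Needs root to see other users' processes. An exe link ending in ' (deleted)' means
    the binary was removed after the process started, which deserves a closer look."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != target:
                    continue
                with open(os.path.join(proc, pid, "comm")) as fh:
                    comm = fh.read().strip()
                try:
                    exe = os.readlink(os.path.join(proc, pid, "exe"))
                except OSError:
                    exe = "?"
                return int(pid), comm, exe
            except OSError:
                continue
    return None


def report(text, baseline_ports=frozenset({22})):
    rows = parse_proc_net_tcp(text)
    for r in listeners(rows):
        flag = "" if r["local"][1] in baseline_ports else "  <-- not in baseline"
        print("LISTEN %s:%d uid=%d inode=%d owner=%s%s" % (
            r["local"][0], r["local"][1], r["uid"], r["inode"], socket_owner(r["inode"]), flag))
    for r in established(rows):
        print("ESTABLISHED %s:%d -> %s:%d uid=%d" % (r["local"] + r["remote"] + (r["uid"],)))


if __name__ == "__main__":
    # Use the live table on a Linux host, otherwise the constructed sample.
    try:
        with open("/proc/net/tcp") as fh:
            report(fh.read())
    except OSError:
        report(SAMPLE_PROC_NET_TCP)
```

    Read /proc/net/tcp6 the same way for IPv6 listeners, and run the collection from your own statically linked binaries: a rootkit that hooks the libc or the ps/netstat binaries on the host can hide entries, which is why comparing the /proc view with the output of the host's own netstat is itself a useful check.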


    Computer Forensics

    Collecting Evidence:

    Tools to make bit copies of media

    Encase (commercial)

    FTK Imager (free of charge)

    Safeback (commercial)

    dd, dcfldd for Unix and Windows (open source)

    Various hardware-based duplicators (commercial); too many to list them all.
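    An added example, not from the lecture: a Python imager that behaves like dd conv=noerror,sync, writing a zero block wherever a read fails so that all later data keeps its source offsets, followed by an independent re-hash of source and image as the verification step. The 4 KiB sample "disk" and the simulated read error are constructed.

```python
"""Bit-for-bit imaging with zero-fill on unreadable blocks and independent hash verification."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512


def default_read_block(fh, offset, size):
    fh.seek(offset)
    return fh.read(size)


def image_device(src, dst, block_size=BLOCK_SIZE, read_block=default_read_block):
    """Copy src to dst one block at a time, like dd conv=noerror,sync.

    A block whose read raises OSError is written as zeros and its offset recorded, so
    every later byte of the image keeps the offset it has on the source. Returns the
    byte count, the bad-block offsets and the SHA-256 of what was written."""
    bad_blocks = []
    digest = hashlib.sha256()
    written = 0
    with open(src, "rb") as s, open(dst, "wb") as d:
        offset = 0
        while True:
            try:
                chunk = read_block(s, offset, block_size)
            except OSError:
                chunk = b"\0" * block_size
                bad_blocks.append(offset)
            if not chunk:
                break
            d.write(chunk)
            digest.update(chunk)
            written += len(chunk)
            offset += len(chunk)
    return {"bytes": written, "bad_blocks": bad_blocks, "sha256": digest.hexdigest()}


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(src, dst):
    """Re-hash both sides independently; only a byte-identical copy passes."""
    return sha256_file(src) == sha256_file(dst)


def make_sample_disk(path, blocks=8, block_size=BLOCK_SIZE):
    """Constructed stand-in for a device: block i is filled with byte value i."""
    with open(path, "wb") as fh:
        for i in range(blocks):
            fh.write(bytes([i]) * block_size)


def demo():
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "disk.bin")
    good = os.path.join(workdir, "disk.dd")
    faulty = os.path.join(workdir, "disk-noerror.dd")
    make_sample_disk(src)

    clean = image_device(src, good)

    def flaky_read(fh, offset, size):
        # Simulated unreadable sector at offset 1024 (the third block).
        if offset == 1024:
            raise OSError("simulated read error")
        return default_read_block(fh, offset, size)

    damaged = image_device(src, faulty, read_block=flaky_read)
    with open(faulty, "rb") as fh:
        faulty_data = fh.read()
    return {
        "clean": clean,
        "clean_verified": verify_image(src, good),
        "clean_hash_matches_source": clean["sha256"] == sha256_file(src),
        "damaged": damaged,
        "damaged_verified": verify_image(src, faulty),
        "zeroed_block": faulty_data[1024:1536],
        "next_block": faulty_data[1536:2048],
    }


if __name__ == "__main__":
    r = demo()
    print("clean image: %d bytes, bad blocks %s, verified=%s"
          % (r["clean"]["bytes"], r["clean"]["bad_blocks"], r["clean_verified"]))
    print("noerror image: bad blocks at %s, verified=%s"
          % (r["damaged"]["bad_blocks"], r["damaged_verified"]))
```

    With a real device the same procedure is: attach it through a write blocker, hash the raw device, image it, hash the image, and record both hashes and any bad-block offsets in the notes. When sectors could not be read the two hashes will legitimately differ, and the notes are what explains that difference later; all analysis then happens on the image.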


    Computer Forensics

    Collecting Evidence:

    Tools to analyze bit copies of media (some examples; too many to list them all)

    Encase (commercial)

    FTK (commercial)

    ProDiscover (commercial)

    X-Ways Forensics (commercial)

    SMART for Linux (commercial)

    Shadow (commercial)

    The Sleuth Kit / Autopsy (open source)


    Computer Forensics

    Collecting Evidence:

    What to look for when analyzing filesystem bit copies: depends on nature of investigation

    System intrusion:

    Timeline of events: when were files Modified, Accessed, Created (MAC times; on Unix filesystems the C is the inode change time rather than a creation time)

    Show all deleted files; recover deleted files

    Analyze log files and/or auditing data; recent logins
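    Added example, not from the lecture: building the MAC-time timeline the slide describes, in Python. It walks a tree with lstat, turns each file's three timestamps into sorted events carrying m/a/c flags in the style of The Sleuth Kit's mactime output, and applies one heuristic for timestamp manipulation. The two-file tree and its timestamps are constructed; the heuristic's one-day threshold is an assumption.

```python
"""MAC-time timeline from a filesystem tree (run against the mounted bit copy, never the original)."""
import os
import tempfile
from datetime import datetime, timezone


def collect_mac_times(root):
    """lstat every entry under root (symlinks are not followed) and keep its m/a/c times."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "m": st.st_mtime,   # content last modified
                "a": st.st_atime,   # last accessed; unreliable on noatime/relatime mounts
                "c": st.st_ctime,   # inode last changed; cannot be set with utime()/touch
            })
    return records


def build_timeline(records):
    """One event per (second, path); the flags 'mac' mark which timestamps fall in that second."""
    events = {}
    for r in records:
        for flag in "mac":
            events.setdefault((int(r[flag]), r["path"]), set()).add(flag)
    return [
        (ts, "".join(f if f in flags else "." for f in "mac"), path)
        for (ts, path), flags in sorted(events.items())
    ]


def format_timeline(events):
    return [
        "%s %s %s" % (datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"), flags, path)
        for ts, flags, path in events
    ]


def possibly_backdated(records, gap=86400):
    """Files whose mtime is older than their ctime by more than `gap` seconds (assumed: one day).

    ctime cannot be set from user space, so a file "modified" long before its inode was
    last touched is a lead for timestamp manipulation. It is only a lead: chmod, chown,
    rename and cp -p produce the same pattern legitimately."""
    return [r["path"] for r in records if r["c"] - r["m"] > gap]


def demo():
    """Constructed tree: two files whose times are set with utime(), the same call an
    intruder's touch -t uses, so m and a are old while c is the moment of creation."""
    root = tempfile.mkdtemp()
    a = os.path.join(root, "a.txt")
    b = os.path.join(root, "b.txt")
    for p in (a, b):
        with open(p, "w") as fh:
            fh.write("sample\n")
    os.utime(a, (1_000_000_100, 1_000_000_000))   # (atime, mtime)
    os.utime(b, (1_000_000_050, 1_000_000_050))
    records = collect_mac_times(root)
    return {"timeline": build_timeline(records), "backdated": sorted(possibly_backdated(records))}


if __name__ == "__main__":
    r = demo()
    print("\n".join(format_timeline(r["timeline"])))
    print("candidates for timestamp manipulation:", r["backdated"])
```

    Read the timeline against the log files: a burst of m/c events in /usr/bin or /lib with no matching package-manager entry, or a login record followed by files created in a hidden directory, is the kind of correlation the slide is asking for.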


    Computer Forensics

    Collecting Evidence:

    Filesystem analysis cont.

    Computer user investigation:

    Log files and auditing records to determine logins, login times, and where logged in from.

    Web sites visited (web browser history)

    Contents of web browser cache

    Contents of images, emails and documents

    Show and recover deleted files

    Search filesystem for keywords
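    Added example, not from the lecture: a Python keyword search over a raw image rather than over mounted files, which is what makes it reach deleted content still sitting in unallocated space and slack. It searches ASCII and UTF-16LE encodings, carries an overlap between chunks so a hit straddling a chunk boundary is found exactly once, and reports byte offsets with context. The 4 KiB sample image, the keywords and the mail-header fragment are constructed.

```python
"""Keyword search over a raw image, ASCII and UTF-16LE, with byte offsets and context."""
import os
import tempfile


def needle_set(keywords):
    """Each keyword in the two encodings most common on disk: ASCII and UTF-16LE
    (Windows registry values, NTFS names and many application artifacts use the latter)."""
    out = []
    for kw in keywords:
        out.append((kw, "ascii", kw.encode("ascii")))
        out.append((kw, "utf-16le", kw.encode("utf-16-le")))
    return out


def search_image(path, keywords, chunk_size=1 << 20, context=16):
    """Scan the image in chunks; an overlap of (longest pattern - 1) bytes is carried
    between chunks so a hit across a chunk boundary is still found, and only once."""
    needles = needle_set(keywords)
    overlap = max(len(p) for _, _, p in needles) - 1
    hits = []
    with open(path, "rb") as fh:
        base = 0          # absolute offset of the chunk just read
        prev = b""        # tail of the previous chunk
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            data = prev + buf
            data_start = base - len(prev)
            for kw, enc, pat in needles:
                i = data.find(pat)
                while i != -1:
                    if i + len(pat) > len(prev):      # ends in new data: not reported before
                        hits.append({
                            "offset": data_start + i,
                            "keyword": kw,
                            "encoding": enc,
                            "context": bytes(data[max(0, i - context): i + len(pat) + context]),
                        })
                    i = data.find(pat, i + 1)
            base += len(buf)
            prev = data[-overlap:] if overlap else b""
    hits.sort(key=lambda h: h["offset"])
    return hits


def demo():
    """Constructed 4 KiB 'image' (not a real capture): one ASCII hit, one UTF-16LE hit
    placed across the 1024-byte chunk boundary used below, and a mail header fragment
    left in otherwise unallocated space as a deleted file would be."""
    img = bytearray(4096)
    img[100:108] = b"password"
    img[1016:1032] = "password".encode("utf-16-le")
    fragment = b"From: alice@example.test Subject: password"
    img[3000:3000 + len(fragment)] = fragment
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "usb.dd")
    with open(path, "wb") as fh:
        fh.write(img)
    return search_image(path, ["password", "alice"], chunk_size=1024)


if __name__ == "__main__":
    for h in demo():
        print("%8d %-8s %-8s %r" % (h["offset"], h["encoding"], h["keyword"], h["context"]))
```

    A hit offset divided by the block size gives the block to hand to the filesystem tools, which can then say whether that block is allocated to a file or sits in unallocated space.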


    Computer Forensics - Legal Issues to Consider:

    Note:

    I am not a lawyer. I am by no means a legal expert.

    This is NOT legal advice. These are simply things to consider when performing a forensic analysis or responding to an incident.

    ALWAYS check with the legal counsel of your employer before conducting a forensic analysis or investigation.


    Computer Forensics - Legal Issues to Consider:

    While investigating ALWAYS avoid:

    Violating someone's rights

    Breaking the law yourself

    Compromising the investigation by not following proper procedure.


    Computer Forensics - Legal Issues to Consider:

    One should be aware of federal, state, provincial and local computer laws when responding to an incident or performing a forensic analysis (to cover yourself, not necessarily to prosecute).

    U.S. federal laws to consider:

    Computer Fraud and Abuse Act (18 U.S.C. 1030): criminalizes attacks, intrusions and damage to protected computers.

    Wiretap Act (18 U.S.C. 2511): criminalizes interception of voice and electronic communications.

    Electronic Communications Privacy Act (ECPA, 18 U.S.C. 2701-12): governs access to stored voice and electronic communications and data.


    Computer Forensics - Legal Issues to Consider:

    Does company policy allow for analysis of a computer without a court subpoena?

    Have employees signed a waiver or consented to an acceptable use policy which allows:

    Network monitoring/traffic interception

    Access to any stored data on company computers

    Does the waiver or policy cover personal computers connected to the company network?

    There are many things to consider; this is simply to give you an idea of some of the issues you may encounter.


    Computer Forensics: Anti-Forensics

    Anti-Forensics: destroying or hiding data to limit the success of a forensic investigation.

    Defiler's Toolkit: alters inode data on ext2 filesystems.

    http://www.phrack.org/phrack/59/p59-0x06.txt

    Metasploit Anti-Forensics

    http://www.metasploit.com/projects/antiforensics/

    Burneye: encrypts ELF binaries; attempts to defeat reverse engineering.

    burndump is a burneye un-wrapper.


    Computer Forensics: Anti-Forensics

    Anti-Forensics continued

    File encryption, encrypted filesystems, encrypted disks

    Magnetic degausser: destroys the magnetic field on magnetic media.

    Commercial secure deletion or disk wiping programs.

    Good ol' fashioned physical destruction of media (sledge hammer, etc.)


    Computer Forensics

    Conclusion:

    Every incident/investigation is unique.

    The right thing to do comes from experience and lessons learned.

    Any questions?