Lies, Damn Lies and CSI

Lies, Damn Lies and NCIS CSI: What Really Happens in a Computer Forensics Practice
Dave Russell, Consultant, 403 Labs, LLC

Description

403 Labs Consultant Dave Russell discusses the portrayal of computer forensics in pop culture versus the reality of the forensic investigation process.

Transcript of Lies, Damn Lies and CSI

Page 1: Lies, Damn Lies and CSI

Lies, Damn Lies and NCIS CSI
What Really Happens in a Computer Forensics Practice

Dave Russell
Consultant, 403 Labs, LLC

Page 2

Introductions

• Dave Russell – Consultant, 403 Labs
• Alphabet soup: QSA, PA-QSA, CISSP, CSSLP, GCFA, a few others
• Involved in security 10+ years, previous background in writing programs
• Big fan of “crime shows,” though I prefer those based on facts – which is what led to this presentation!

Page 3

Introductions

• 403 Labs works primarily in the Payment Card Industry (PCI) space
– Help clients protect cardholders and their data
– Provide various types of assessment services
– Work a large number of forensic cases of all types, criminal and civil
– Interact with all levels of law enforcement – local, state, and federal
– Assist in prosecutions
– More alphabet soup: ASV, QSA, PA-QSA, recently approved PFI (still awaiting listing)

Page 4

About This Presentation

• There is a lot of misinformation about computer forensics
• TV shows and movies do not help
• Important for the general public to be aware of what computer forensics is (and is not)
• More important to make sure those who utilize such services are aware of what the discipline can and can’t provide

Page 5

Before We Begin

• I know, I know – many of these “lies” are added to spice up the story
• The problem is… people BELIEVE them!
• A prosecutor lamented that, as a result of shows like this, juries expect an evidence “bombshell” clearly linking the suspect to the crime
• Misinformation is bad!

Page 6

The Example That Started This

• CSI: “I’ll create a GUI interface in Visual Basic, see if I can track an IP…”

Page 7

Why This Is Awful

• Terms
– GUI: Graphical User Interface
  • What does a graphical interface have to do with anything?
– Visual Basic: a programming language
  • “I’m going to talk to the suspect in English, see if I can get a confession.” The language is irrelevant!
– IP: the address where “the killer” is chatting
  • You can’t just “track” an IP, you have to be on the network

I bet this is how LEOs feel about Law and Order…

Page 8

Truth-O-Meter: CSI Lie

• You cannot simply “track an IP”
• These people are watching a “real-time” display of a site – they have no connection to monitor (other than their own)
• An IP, quite possibly, means nothing to an investigator, at least not at first
– Probably going to point to their ISP, who has to tell you who it belongs to
• Anyone there heard of a subpoena?

Page 9

The Forensics Lab Version

• IPs can point to an individual, but it’s tricky
• Start by working with the web site (or their host) to tap the network, or get logs of the originating IP
– Real-time data can be collected using tools like tcpdump or Wireshark
• Find the ISP for that block (whois/regional registry records), and ask who held that IP at that exact moment – addresses are assigned dynamically, so the answer is time-specific and the request must carry exact timestamps and the time zone
• LEOs knock on their door, and we hope it’s not some open wireless access point in use
– While the police kick in the door, the suspect, seeing this across the street, takes off with his laptop

Page 10

The Forensics Lab Version

• Examine the access point’s connection data (its ARP table, or its DHCP lease and client association logs) to find out what physical device held that IP
– Leads to a MAC address
– MAC addresses are unique identifiers (if not spoofed), IPs are not
– ARP entries age out within minutes, so this only works while the device is still connected or if the access point keeps lease/association logs
– Hope the suspect wasn’t forging that information (which they can – most operating systems let a user set the MAC)
• Eventually possible to figure out what device has that MAC address, find the laptop and the guy in front of it

Page 11

Not So Easy!

• In this case, the computer forensic team is primarily providing network forensics
– Connections are very fickle things, and details move around
– Timing, and experience in quickly gathering data, is everything
• IP != person
– As a U.S. attorney put it, “I need to show that it’s their rear end in that chair”
• Many layers need to be decoded before even getting close – a network background is critical
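The time-specific lookup described on the last few slides, as an added example that is not code from the talk or from 403 Labs: a constructed Common Log Format access log from the chat site is correlated with a constructed DHCP lease history from the access point, so that each hit is attributed to the MAC address that held the LAN address at that instant. The public IP, LAN IP, MACs and timestamps are hypothetical, as is the assumption that the access point’s NAT records showed 192.168.1.23 as the internal source of those connections; the ISP/whois step between the two logs is a subpoena, not code.

```python
"""Time-specific IP -> device attribution (added example; constructed data)."""
import re
from datetime import datetime

# Constructed access log from the chat site (Common Log Format, UTC).
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2011:02:14:09 +0000] "GET /chat HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2011:02:14:31 +0000] "POST /chat/send HTTP/1.1" 200 88
198.51.100.9 - - [12/Mar/2011:02:15:02 +0000] "GET /chat HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2011:09:45:00 +0000] "POST /chat/send HTTP/1.1" 200 88
"""

# Constructed DHCP lease history from the access point the ISP tied to
# 203.0.113.7 (hypothetical). The same LAN address went to two different
# MACs on the same day, which is exactly why the lookup must be time-specific.
LEASES = [
    # (lease start, lease end, LAN IP, client MAC)
    ("2011-03-12T01:00:00+00:00", "2011-03-12T03:00:00+00:00",
     "192.168.1.23", "00:11:22:33:44:55"),
    ("2011-03-12T09:00:00+00:00", "2011-03-12T11:00:00+00:00",
     "192.168.1.23", "66:77:88:99:aa:bb"),
]

# Common Log Format: client ident user [timestamp] "request" status size
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_access_log(text):
    """Yield (timestamp, client IP, request line) for each parseable line."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # real logs contain junk lines; skip rather than crash
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group("ip"), m.group("req")


def mac_for_time(leases, lan_ip, when):
    """MAC that held lan_ip at instant `when`, or None if no lease covers it."""
    for start, end, ip, mac in leases:
        if ip == lan_ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return mac
    return None


def attribute(access_log, leases, public_ip, lan_ip="192.168.1.23"):
    """For every hit from public_ip, name the MAC behind the AP at that instant.

    Assumes (hypothetically) that the AP's NAT records showed lan_ip as the
    internal source of these connections. A None MAC means the lease records
    do not cover that moment: report it as unknown, do not guess.
    """
    return [(ts.isoformat(), req, mac_for_time(leases, lan_ip, ts))
            for ts, ip, req in parse_access_log(access_log) if ip == public_ip]


if __name__ == "__main__":
    for row in attribute(ACCESS_LOG, LEASES, "203.0.113.7"):
        print(*row, sep="\t")
```

The two morning hits resolve to one MAC and the evening hit to another; a lookup that ignored the time would have put both on the same laptop. A MAC is still only a device identifier, and a spoofable one, so the result is a lead for the “rear end in that chair” work, not proof of a person.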

Page 12

Another CSI Example

• At a crime scene, an investigator walks up to a computer, turns it on and starts accessing the suspect’s email

Page 13

Why This is Awful

• Well, I’m sure THAT evidence will be admissible!
– A good lab takes PAINSTAKING effort to maintain evidence integrity – saying you looked at it at a suspect’s house is probably not going to fly
• Really? No password on the system?
– My *aunt* uses a password
• You’ve already destroyed valuable evidence
– Rule #1: Alter evidence as little as possible
• Logging into a system is relatively traumatic – logon events, file access timestamps, caches and (on Windows) registry keys are rewritten before anything has been imaged

Page 14

Truth-O-Meter: Sadly True

• Non-experts destroy evidence all the time
• Particularly true in corporate environments – they have the RIGHT to examine a system, but it should be done properly
– Maintain integrity
– Don’t destroy valuable evidence
• People who “know computers” think they can do forensics

Page 15

The Forensics Lab Version

• Investigator takes notes on the environment in which the system was found, as well as photos
• The entire system is seized
– If the system was already on, additional measures are carried out to capture things like live memory (passwords, etc. can live there) before it is powered off
• The hard drive is extracted and bit-for-bit copied (usually twice)
– Only one copy is used for analysis; the other is kept untouched as a reference

Page 16

The Forensics Lab Version

• The drive is connected to a “write blocker” to prevent data from being modified
– Hashes (MD5, SHA-1 or SHA-256) of the original drive and of each image are recorded so the copies can be shown to match what was seized
• Software designed to index and search content is run on the working image (such as EnCase or FTK)
• Analysis of the email, pictures, documents and other data can be carried out
• Using gathered data, other systems, etc. can possibly be accessed
• Also possible to figure out motive and such – “rear end in chair” kinds of things
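The acquisition procedure on the last two slides, as an added example that is not the talk’s or 403 Labs’ code: a constructed “drive” file is imaged twice in fixed-size chunks, the bytes are hashed as they are read, each image is re-hashed and compared against that acquisition hash, and the source is hashed before and after so that any write to the evidence would show up. The tampering step at the end stands in for an analyst who “just looks” at the working copy. Real cases image a block device behind a hardware write blocker with dd, dc3dd or FTK Imager; the file name, sizes and contents here are hypothetical.

```python
"""Bit-for-bit imaging with hash verification (added example; constructed data)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks, like dd bs=1M


def sha256_of(path):
    """Stream-hash a file; the source is opened read-only, never written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image(src, dst):
    """Copy src to dst byte for byte, hashing the bytes as they are read.
    Returns the acquisition hash, i.e. what the source looked like to us."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()


def acquire(src, workdir, copies=2):
    """Image src `copies` times (usually two: one working copy, one kept untouched).

    Three checks a lab records: the source hash before acquisition, each image's
    hash after it is written (must equal what was read), and the source hash
    again afterwards (must equal the first; if not, something wrote to the
    evidence and the write blocker was not doing its job).
    """
    pre = sha256_of(src)
    images = []
    for i in range(copies):
        dst = os.path.join(workdir, f"image{i}.dd")
        acquired = image(src, dst)
        written = sha256_of(dst)
        if acquired != written:
            raise RuntimeError(f"{dst}: hash mismatch after write")
        images.append(dst)
    post = sha256_of(src)
    if pre != post:
        raise RuntimeError("source changed during acquisition; check the write blocker")
    return {"hash": pre, "images": images}


def verify(path, expected_hash):
    """Re-hash an image before (and after) analysis to show it is still pristine."""
    return sha256_of(path) == expected_hash


def demo():
    """Run the procedure against a constructed 'drive' in a temp directory.
    Returns (hash, working copy still verifies?, reference copy still verifies?)."""
    with tempfile.TemporaryDirectory() as work:
        drive = os.path.join(work, "evidence.bin")
        with open(drive, "wb") as f:  # constructed content, not a real disk
            f.write((b"403LABS-EVIDENCE-" * 200000)[: 2 * CHUNK + 4093])
        result = acquire(drive, work)
        working, reference = result["images"]
        # An analyst "just looks" at the working copy and one byte flips: the
        # kind of change that booting or logging into a seized system causes.
        with open(working, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        return (result["hash"], verify(working, result["hash"]),
                verify(reference, result["hash"]))


if __name__ == "__main__":
    print(demo())
```

After the single-byte change the working copy no longer verifies while the reference copy still does, which is the whole point of keeping a second image that nobody touches: the analysis copy can be rebuilt from it and the chain of hashes still ties the result back to the seized drive.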

Page 17

Law And Order

• A kidnapper has abducted a girl and refuses to give up her location

• Police, aware of his obsession with virtual reality environments, eventually realize that his virtual reality “home” may be where the girl is located

• With the help of the game creator, they are able to track down the real-life location and save the girl

Page 18

Truth-O-Meter: Plausible

• Virtual reality (“VR”) evidence has been used to aid in prosecution
– A case in Central Wisconsin involved a wireless service provider offering broadband Internet to the area
• Disgruntled former employee wanted to disrupt the service provider, and other customers, and use the Internet himself

Page 19

The Real Case

• Suspect allegedly bragged about his activities in the VR game “EverQuest”
• Local FBI engaged yours truly (who happened to play the game) to sort through game evidence and work with the game provider to help prove the case
• Subpoenas of game records, as well as forensic evidence recovered off of the suspect’s computer, contained dates, times and incriminating statements after analysis

Page 20

Live Free Or Die Hard

• Former NSA employee trying to raise alarm bells about the risks to infrastructure

• Decides to carry out a demonstration “fire sale” (and steal some money, of course)

• Takes out traffic infrastructure, energy, communication, etc.

Page 21

Live Free Or Die Hard

• Let’s focus on SCADA system attacks
– SCADA: Supervisory Control and Data Acquisition
• The bad guy reroutes natural gas traffic to a single station, causing it to explode
• Lots of interest in detecting and analyzing these systems and attacks
• See: Stuxnet

Page 22

Truth-O-Meter: Over The Top, But…

• Definitely some truth to it
– Famous video of a generator being destroyed by a staged attack (the 2007 “Aurora” test at Idaho National Laboratory, where a protective relay was cycled out of sync until the generator tore itself apart)
• Stuxnet targeted Siemens industrial control systems, primarily in Iran (infections turned up elsewhere)
• Scary when discussing nuclear controls
• What can a lab do?

Page 23

Preliminary Forensics

• Testing of systems is essential – engage penetration testing teams well-versed in SCADA

• Simulate real attacks (harder in certain environments!)

• Have a forensic team perform “clean-up” – black box analysis may be particularly revealing

Page 24

What Could Be Found?

• Pathways in – the more realistic (and comprehensive), the better

• Evidence left behind after an attack may lead to more comprehensive signatures and detection methods

• Real-life attacks like Stuxnet should be studied in-depth

• Other attacks are being found…

Page 25

A More Generic Example

• The grainy video footage that magically gets cleaned up by hitting the “Enhance” button (or, better yet, simply telling your computer, “enhance”)

• Look, I can see the reflection of some critical piece of evidence in the suspect’s eye!

Page 26

Truth-O-Meter: Partial Lie

• There is no magic “enhance” button
• It is possible (sometimes) to substantially improve the quality of a photo
• Videos often need to be deconstructed into a series of images
– Depending on how the video was captured, a single frame may hold data from two different instants (interlaced fields), so it has to be split before it is treated as one image

Page 27

Fixing Images In A Lab

• Deinterlacing video
– Many video images are not what they seem! Interlaced (typically lower-quality or analog) video stores two fields per frame, captured 1/60th of a second apart – 60 fields per second woven into 30 frames per second (NTSC)
– When describing anything in motion, 1/60th of a second can be an eternity
– Deinterlacing attempts to correct this
  • Results are very inconsistent
  • Worse results with more motion

Page 28

Fixing Images In A Lab

• Now that we have images from the video, enhance their details
– Requires complex filters and a trained eye to know how to apply them
– Images are pixels – they have a value, and there are only so many of them
– Creating more detail from something grainy (where the pixels don’t exist) is impossible
– All we can do is estimate the content we want

Page 29

Fixing Images In A Lab

• Basics of image enhancement
– Contrast/brightness adjustment
– Limiting the focus of the enhancement
– Sharpening/de-blurring
• Requires “making up” data – interpolation and deconvolution estimate what was probably there
• A lot of different algorithms for doing this
– Compression (lossy JPEG, or a GIF’s 256-colour palette) has already thrown data away, which makes it harder still
– Results are highly variable
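The deinterlacing and “enhancement” steps described on the last three slides, as an added example that is not code from the talk: an interlaced frame is constructed as a small greyscale grid in which the even lines (field A) and the odd lines (field B, captured 1/60 s later) see a bright bar at different positions. The code measures the combing that motion produces, removes it by line-doubling one field, stretches the contrast, and upscales, showing that every “new” pixel is an average of pixels that were already there. The grid size, pixel values and bar positions are constructed; real lab tools use far better interpolation and deblurring filters, but they are subject to the same limit.

```python
"""Interlacing, deinterlacing and the limits of 'enhance' (added example; constructed frames)."""


def make_interlaced_frame(width=8, height=6, bar_even=2, bar_odd=4):
    """Constructed interlaced frame: even lines come from field A, odd lines
    from field B captured 1/60 s later, by which time the bright bar has moved."""
    frame = []
    for y in range(height):
        x0 = bar_even if y % 2 == 0 else bar_odd
        row = [40] * width
        row[x0] = row[x0 + 1] = 200
        frame.append(row)
    return frame


def field(frame, parity):
    """Pull out one field: parity 0 = even lines, 1 = odd lines."""
    return [row[:] for y, row in enumerate(frame) if y % 2 == parity]


def bob(frame, parity):
    """Deinterlace by line-doubling one field. No combing, but only half the
    vertical resolution: every other line is a copy, not new information."""
    out = []
    for row in field(frame, parity):
        out.append(row[:])
        out.append(row[:])
    return out


def comb_score(img):
    """Mean absolute difference between vertically adjacent pixels. Motion
    between the two fields shows up as a high score (the 'comb' artefact)."""
    total = count = 0
    for y in range(len(img) - 1):
        for a, b in zip(img[y], img[y + 1]):
            total += abs(a - b)
            count += 1
    return total / count if count else 0.0


def contrast_stretch(img):
    """Map the darkest pixel to 0 and the brightest to 255. Makes detail easier
    to see, but only redistributes values the image already had."""
    lo = min(min(r) for r in img)
    hi = max(max(r) for r in img)
    if hi == lo:
        return [r[:] for r in img]
    return [[round((p - lo) * 255 / (hi - lo)) for p in r] for r in img]


def upscale2x(img):
    """Linear 2x upscale. Each inserted pixel is the average of its neighbours,
    so the result can never contain a value (or an edge) the source lacked."""
    wide = []
    for r in img:
        out = []
        for x, p in enumerate(r):
            nxt = r[x + 1] if x + 1 < len(r) else p
            out += [p, (p + nxt) // 2]
        wide.append(out)
    tall = []
    for y, r in enumerate(wide):
        nxt = wide[y + 1] if y + 1 < len(wide) else r
        tall.append(r[:])
        tall.append([(a + b) // 2 for a, b in zip(r, nxt)])
    return tall


if __name__ == "__main__":
    f = make_interlaced_frame()
    print("comb score, as captured:", comb_score(f))
    print("comb score, bob field 0:", comb_score(bob(f, 0)))
    big = upscale2x(contrast_stretch(bob(f, 0)))
    print("upscaled size:", len(big[0]), "x", len(big))
```

The captured frame scores high because alternate lines disagree about where the bar is; either field on its own is consistent, which is what a deinterlacer exploits. The upscaled, contrast-stretched result is bigger and easier to look at, but its pixel values all lie between the source’s minimum and maximum, which is the concrete form of “we can only estimate the content we want.”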

Page 30

Example Software

Photo from: http://www.oceansystems.com/forensic/forensic-Photoshop-Plugins/how_clearid_works.htm

Page 31

Let’s Wrap Up With Real Life

• An animal rights group obtains information on university staff members, ostensibly for the purpose of inciting violence

• Utilize computers at a local copy shop to obtain information and create pamphlets to “out” staff and include an ominous warning

• A wise system administrator, in conjunction with a victim, helped LEOs track them down

• Four charged – trial is still ongoing (initially dismissed, charges may be re-filed)

Page 32

The Forensics Behind It All

• LEOs got subpoenas and worked with forensic analysts to connect the suspects, video footage, the pamphlets and access to various pieces of information

• Involved a LOT of log analysis, packet tracing and some custom scripting

Page 33

How Does A Lab Track This?

• Examination of patterns
– In this case, an administrator noticed suspicious access to the 11 staff members targeted
• After working with campus security and law enforcement, the logs pinpointed the source IP
• Some footwork was needed to track the address back to a nearby Kinko’s

Page 34

How Does A Lab Track This?

• “Certain information” within the Kinko’s logs definitively linked the computer to the access

• Video footage showed the suspects using the computer at the time of the access

• Video footage at the café where pamphlets appeared linked one of the suspects to the act
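The pattern-spotting step on this and the previous slide, as an added example that is not code from the talk or from the case: a constructed directory-server access log in which one client reads eleven staff profiles within a few minutes, and a sliding-window count per source IP that flags it and records the exact first and last timestamps a request to campus security, the ISP or the copy shop for its logs and video would need. The log format, IP addresses, staff names, window and threshold are all hypothetical.

```python
"""Spotting enumeration of staff records in an access log (added example; constructed log)."""
import re
from datetime import datetime, timedelta

# Constructed campus directory access log: client IP, timestamp, request.
# One client walks through 11 staff profiles in ten minutes; another reads two.
ACCESS_LOG = "\n".join(
    [f"198.51.100.23 2011-03-12T14:{2 + i:02d}:{(i * 7) % 60:02d} GET /directory/staff/{name}"
     for i, name in enumerate(["asmith", "bjones", "clee", "dpatel", "efox", "fgray",
                               "ghall", "hkim", "iward", "jcole", "knash"])]
    + ["203.0.113.50 2011-03-12T14:05:12 GET /directory/staff/asmith",
       "203.0.113.50 2011-03-12T14:06:40 GET /directory/staff/bjones",
       "198.51.100.23 2011-03-12T17:30:00 GET /directory/staff/asmith"]
)

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) GET /directory/staff/(?P<staff>[\w.-]+)$")


def parse(text):
    """Yield (ip, timestamp, staff) for each matching line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), datetime.fromisoformat(m.group("ts")), m.group("staff")


def find_enumerators(text, window=timedelta(minutes=15), min_distinct=5):
    """Per source IP, the largest number of distinct staff profiles read within
    any `window`. Returns {ip: (distinct, first_ts, last_ts)} for IPs at or over
    the threshold, with the timestamps that go into the subpoena request."""
    by_ip = {}
    for ip, ts, staff in parse(text):
        by_ip.setdefault(ip, []).append((ts, staff))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best = (0, None, None)
        j = 0
        for i, (start, _) in enumerate(hits):
            # advance the window end; j only moves forward because hits are sorted
            while j < len(hits) and hits[j][0] - start <= window:
                j += 1
            distinct = len({s for _, s in hits[i:j]})
            if distinct > best[0]:
                best = (distinct, start, hits[j - 1][0])
        if best[0] >= min_distinct:
            flagged[ip] = (best[0], best[1].isoformat(), best[2].isoformat())
    return flagged


if __name__ == "__main__":
    for ip, (n, first, last) in find_enumerators(ACCESS_LOG).items():
        print(f"{ip}: {n} distinct staff profiles between {first} and {last}")
```

Counting distinct records per window rather than raw hits is what separates someone harvesting a target list from a colleague refreshing one page; the first and last timestamps are what the next hop (the network team, then the copy shop’s own logs and cameras) will be asked to match, so they are carried through exactly rather than rounded.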

Page 35

Why Engage A Specialist?

• Evidence integrity and admissibility is crucial
– Computer forensic investigators specialize in maintaining integrity, which can be VERY difficult!
• Computer data changes frequently
• Simply looking at certain data can change it
• Need to be able to explain every single thing that has, or could have been, altered

Page 36

Why Engage A Specialist?

• Time!
– Everyone seems busier these days
– Plenty of forensics investigators are backed up
• Unusual systems or programs
– Certain systems, applications, etc. require some pretty particular knowledge
  • Our game discussion
– More information may be extractable if you can find someone who knows the specifics

Page 37

Why Engage A Specialist?

• Cost
– Pulling resources aside to work on an internal investigation may be more costly than realized
– Training of individuals is VERY expensive
– In the case of working with law enforcement, it might be possible to work at a lesser rate or even possibly pro bono
• Talk with me more about this if interested

Page 38

Why Engage A Specialist?

• Difficulty
– Custom viruses and other malware require even more detailed skillsets!
– Firms specializing in this are often backed up

Page 39

When To Engage A Specialist?

• As soon as digital evidence comes into scope!
– Do not take chances – powering on a system or accessing a device must be done carefully to avoid data loss or integrity problems
• Second set of eyes may be helpful – a good defense attorney may use their own experts

Page 40

Questions?

Dave Russell, Consultant, 403 Labs
drussell[at]403labs[dot]com
877.403.LABS
www.403labs.com

Page 41

Thank You!