Computer Forensics BACS 371 Evidentiary Methods II Evidence Acquisition

OK, What do we do first?

Basic Forensic Methodology

 Acquire the evidence  Authenticate that it is the same as the original  Analyze the data without modifying it

Photographing Systems

Before you do anything, begin documentation by photographing all aspects of the system…



Monitor



Desk and surrounding area



All 4 sides of PC



Labeled cables still connected

Evidence Acquisition Process

1   Disassemble the Case of the Computer  Identify storage devices that need to be acquired (internal/external/both)   Document internal storage devices and hardware configuration  Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …)  Internal components (sound card, video card, network card – including MAC address, PCMCIA cards, … Disconnect storage devices (power, data, or both) Controlled boots  Capture CMOS/BIOS info (boot sequence, time/date, passwords)   Controlled boot from forensic CD to test functionality (RAM, write protected storage, …) Controlled boot to capture drive config (LBA, CHS, …) 1 Forensic Examination of Digital Evidence: A guide for Law Enforcment, USDOJ/NIJ, Chapter 3. Evidence Acquistion, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Forensic Analysis CYA

 Virus Check  Forensic computer  Media being processed  Collect System Information  Complete computer hardware inventory  CHKDISK/SCANDISK  Look for “orphan clusters”  “Tech” Program for Forensic computer

Role of the First Responder

 

Scene of the Cybercrime 1

  

Do No Harm!

Identify the Crime Scene Protect the Crime Scene  Preserve Temporary and Fragile Evidence

A guide for First Responders 2

     Secure and Evaluate the Scene Document the Scene Collect Evidence Packaging, Transportation, and Storage of Evidence Forensic Examination 1 Scene of the Cybercrime, Shinder & Tittel, p.553

2 Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

Role of Investigators

1  Establish Chain of Command  Conduct Crime Scene Search  Maintain Integrity of Evidence 1 Scene of the Cybercrime, Shinder & Tittel, p.554

Role of Crime Scene Technician

1  Preserve volatile evidence and duplicate disks  Shut down systems for transport  Tag and log evidence  Transport evidence  Process evidence 1 Scene of the Cybercrime, Shinder & Tittel, p.555

Computer Seizure Checklist

1  Photograph the monitor  Preserve Volatile Data  Shutdown Systems  Photograph the System Setup  PC – all sides  Label all connections  Unplug system and peripherals – mark & tag  Bag and tag all components  Bitstream Copy of Disk(s)  Verify integrity of copies (offsite usually) (offsite usually) 1 Scene of the Cybercrime, Shinder & Tittel, p.557

Preserve Volatile Data

1  Order of Volatility 2  Registers and Cache  Routing Table, ARP Cache, Process Table, Kernel Statistics  Contents of System Memory (RAM)  Remote Logging and Monitoring Data  Physical Configuration, Network Topology  Temporary File Systems  Data on Disk  Archival Media 1 Scene of the Cybercrime, Shinder & Tittel, p.559

2Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Collecting Volatile Data

Tool

netstat

Purpose View current network connections

nbstat

View current network connections

arp plist

View addresses in ARP (Address Resolution Protocol) cache List running processes (or view in Task Manager)

ipconfig

Gather information about the state of the network

netstat – current network connections

arp – addresses in ARP cache

ipconfig – state of network

Foundstone Tools

Pasco Galleta Rifiuti Vision NTLast Forensic Toolkit ShoWin BinText An Internet Explorer activity forensic analysis tool An Internet Explorer Cookie forensic analysis tool A Recycle Bin Forensic Analysis Tool Reports all open TCP and UDP ports Security Audit Tool for WinNT Tools to examine NTFS disk partition for unauthorized activity Show information about Widows – reveal passwords Finds ASCII, Unicode, and Resource strings in a file

Things to Avoid

1  Don’t Shutdown until volatile evidence has been collected  Don’t trust the programs on the system – use your own secure programs  Don’t run programs which modify access times of files 1 Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Acquire the Evidence

To shutdown, or to not shutdown, that is the question!

 Without damaging or altering the original  Let the machine run, or pull the plug??

  Run • Retains maximum forensic evidence Pull Plug • Removes a compromised computer from potentially affecting the whole network • How to pull the plug   From the back of the PC When the hard drive is not spinning • Sound • Drive Light • Vibration

Making Backups

 File Backup vs. Bitstream Copy  Use Forensically Sterile media  Make 2 backup copies (one to work with and one to store)  Don’t access the original again!

Level of Effort to Protect Evidence…

If the evidence is going to be used in court VS.

If the evidence is going to be used for internal investigation  Evidence method should be the same for both situation in case it ever goes to court  The more documentation the better

MD5 Hashing

      Wikipedia Entry Cryptographic Hash Function  A hash function must be able to process an arbitrary length message into a fixed-length output Hash Function Hash Collision Check Digit Cyclic Redundancy Check (CRC)

MD5 Hashing Algorithm

1 One MD5 operation — MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the message input, and Ki denotes a 32-bit constant, different for each operation.

<<<

s

denotes a left bit rotation by s places; s varies for each operation. denotes addition modulo 2 32 There are four possible functions F, a different one is used in each round: 1 Wikipedia

Integrity of Evidence

+ Method Checksum Description Method for checking for errors in digital data. Uses 16- or 32-bit polynomial to compute 16 or 32 bit integer result.

Common Types CRC-16 CRC-32 Advantages     Easy to compute Fast Small data storage Useful for detecting random errors Disadvantages  Low assurance against malicious attack  Simple to create data with matching checksum One-Way Hash Method for protecting data against unauthorized change. Produces fixed length large integer (80~240 bits) representing digital data. Implements one way function.

SHA-1 MD5 MD4 MD2   Easy to compute Can detect both random errors and malicious alterations  Must maintain secure storage of hash values  Does not bind identity with data  Does not bind time with data Digital Signature Secure method for binding identity of signer with digital data integrity methods such as one way hash values. Uses public key crypto system.

RSA DSA PGP   Binds identity to integrity operation Prevents unauthorized regeneration of signature    Slow Must protect private key Does not bind time with data + Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org

(Oct 25, 2005)

Hashing Algorithms

1 Algorithm MD2 MD4 MD5 SHA HAVAL Description Developed by Ronald L. Rivest in 1989, this algorithm was optimized for 8-bit machines.

Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.

Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.

SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.

A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.

1 Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305

MD5 Hash

“[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit ‘fingerprint’ or ‘message digest’ of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be ‘compressed’ in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.” 1 1 http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

MD5 Hash

 128-bit number representing a “fingerprint” of a file  Odds of two different files having the same MD5 Hash are 1 in 2 128  MD5 issues???

 Collisions – Two different files generating the same hash http://www.cryptography.com/cnews/hash.html

 SHA Collisions http://online.wsj.com/article_print/SB111084838291579428.html

Hash Try It…

 http://block111.servehttp.com/hash  http://bfl.rctek.com/tools/?tool=hasher  http://www.digital detective.co.uk/freetools/md5.asp

 http://www.miraclesalad.com/webtools/md5.php

Attributes of Secure, Auditable Date/Time Stamps

     Accuracy  Time is from an authoritative source and is accurate Authentication  Source is authenticated by National Measurement Institute Integrity  Time not subject to corruption during “handling” Non-Repudiation  Association between event or document and the time cannot later be denied Accountability  Third party can verify that due process was applied and no corruption transpired

Steps for Secure Timestamping

1.

2.

3.

Traceability to Legal Time Sources Time Distribution Secure Digital Timestamping

Digital Evidence Collection Toolkit

1   Documentation Tools    Cable tags Indelible felt tip markers Stick-on labels Disassembly and Removal Tools          Flat-blade and Philips-type screwdrivers Hex-nut drivers Needle-nose pliers Secure-bit drivers Small tweezers Specialized screwdrivers Standard pliers Star-type nut drivers Wire cutters   Package and Transport Supplies         Antistatic bags Antistatic bubble wrap Cable ties Evidence bags Evidence tape Packing materials Packing tape Sturdy boxes of various sizes Other Items   Gloves Hand truck        Large rubber bands List of contact telephone numbers for assistance Magnifying glass Printer paper Seizure disk Small flashlight Unused floppy diskettes (3 ½” and 5 ¼”) 1 Electronic Crime Scene Investigation: A guide for First Responders, NIJ Guide, DOJ

Handling, Transportation, Storage

 Static Electricity  External RF signals  Heat  Humidity  Sunlight??

Documenting Evidence

 Evidence is Tagged  Evidence Logs  Evidence Analysis Logs  Admissibility of Evidence

Evidence is Tagged

 Place name or initials on item  Date/Time  Case Number  Physical marking is preferable  If not markable, bag evidence  Use latex gloves  Create and use an Evidence Kit

Evidence Logs

 Lists all evidence collected  Description of each piece of evidence with serial numbers  Identifies who collected the evidence and why  Date and Time of collection  Disposition of Evidence  All transfers of custody

Evidence Analysis Logs

  How each step is performed     Who was present What was done Result of procedure Time/date Document all potential evidence      Filename Where on disk data are located Date and time stamps Network information (MAC address, IP address) Other file properties (metadata)

5 Mistakes of Computer Evidence

1.

2.

3.

4.

5.

Run the Computer Get Help from the Computer Owner Don’t Check for Computer Viruses Don't Take Any Precautions In The Transport of Computer Evidence Run Windows To View Graphic Files and To Examine Files 1

Electronic Fingerprints: Computer Evidence Comes Of Age by Michael R. Anderson

Admissibility of Evidence

 Relevant  Substantiates an issue that is in question in the case  Competent  Reliable and credible  Obtained legally