Transcript Computer Forensics BACS 371
Computer Forensics BACS 371 Evidentiary Methods II: Evidence Acquisition
2
OK, What do we do first?
3
Basic Forensic Methodology
Acquire the evidence (legally) Authenticate that it is the same as the original Analyze the data without modifying it
4
Photographing Systems
Before you do anything, begin documentation by photographing all aspects of the system…
Monitor
Desk and surrounding area
All 4 sides of PC
Labeled cables still connected
Evidence Acquisition Process
1 Disassemble the Case of the Computer Identify storage devices that need to be acquired (internal/external/both) Document internal storage devices and hardware configuration Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …) Internal components (sound card, video card, network card – including MAC address, PCMCIA cards, … Disconnect storage devices (power, data, or both) Controlled boots Capture CMOS/BIOS info (boot sequence, time/date, passwords) Controlled boot from forensic CD to test functionality (RAM, write protected storage, …) Controlled boot to capture drive config (LBA, CHS, …) 5 1 Forensic Examination of Digital Evidence: A guide for Law Enforcment, USDOJ/NIJ, Chapter 3. Evidence Acquistion, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Role of the First Responder
Scene of the Cybercrime 1
Do No Harm!
Identify the Crime Scene Protect the Crime Scene Preserve Temporary and Fragile Evidence
A guide for First Responders 2
Secure and Evaluate the Scene Document the Scene Collect Evidence Packaging, Transportation, and Storage of Evidence Forensic Examination 6 1 Scene of the Cybercrime, Shinder & Tittel, p.553
2 Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001
Role of Investigators
1 Establish Chain of Command Conduct Crime Scene Search Maintain Integrity of Evidence 7 1 Scene of the Cybercrime, Shinder & Tittel, p.554
Role of Crime Scene Technician
1 Preserve volatile evidence and duplicate disks Shut down systems for transport Tag and log evidence Transport evidence Process evidence 8 1 Scene of the Cybercrime, Shinder & Tittel, p.555
Computer Seizure Checklist
1 Photograph the monitor Preserve Volatile Data Shutdown Systems Photograph the System Setup PC – all sides Label all connections Unplug system and peripherals – mark & tag Bag and tag all components Bitstream Copy of Disk(s) Verify integrity of copies (offsite usually) (offsite usually) 9 1 Scene of the Cybercrime, Shinder & Tittel, p.557
Handling, Transportation, Storage
Static Electricity External RF signals Heat Humidity Sunlight 10
Evidence Logs
Lists all evidence collected Description of each piece of evidence with serial numbers & other ID information Identifies who collected the evidence and why Date and Time of collection Disposition of Evidence All transfers of custody 11
Computer Evidence Worksheet
12
Evidence Tag
13 • Place or person from whom item was received • If item requires consent for search • Description of items taken • Information contained on storage device • Data and time item was taken • Full name and signature of individual initially receiving evidence • Case and tag number
Evidence Label
14 Case Number and Evidence Tag Number Date and Time the evidence was collected Brief Description of items in envelope
Evidence Analysis Logs
How each step is performed Who was present What was done Result of procedure Time/date Document all potential evidence Filename Where on disk data are located Date and time stamps Network information (MAC address, IP address) Other file properties (metadata) 15
Evidence Log
Case Number: 123412
Tag # Date
1 1 1
Action
13 Jan 01 15 Mar 01 15 Mar 01 Initial Submission Moved evidence to tape Examined Evidence using EnCase • Evidence Tag Number • Date • Action Taken • Person performing action • Identifying information
Taken By
Matt Pepe Matt Pepe Matt Pepe
Location
Maxtor 600GB (593843420) 4mm tape #01101 FRED #7 16
Preserve Volatile Data
1 Order of Volatility 2 Registers and Cache Routing Table, ARP Cache, Process Table, Kernel Statistics Contents of System Memory (RAM) Remote Logging and Monitoring Data Physical Configuration, Network Topology Temporary File Systems Data on Disk Archival Media 17 1 Scene of the Cybercrime, Shinder & Tittel, p.559
2Guidelines for Evidence Collection and Archiving, IEEE, February 2002
Collecting Volatile Data
Tool
netstat
Purpose View current network connections
nbstat
View current network connections
arp plist
View addresses in ARP (Address Resolution Protocol) cache List running processes (or view in Task Manager)
ipconfig
Gather information about the state of the network 18
netstat – current network connections
19
nbstat – NetBIOS name resolution
21
arp – addresses in ARP cache
22
ipconfig – state of network
Foundstone Tools
Pasco Galleta Rifiuti Vision NTLast Forensic Toolkit ShoWin BinText 23 An Internet Explorer activity forensic analysis tool An Internet Explorer Cookie forensic analysis tool A Recycle Bin Forensic Analysis Tool Reports all open TCP and UDP ports Security Audit Tool for WinNT Tools to examine NTFS disk partition for unauthorized activity Show information about Widows – reveal passwords Finds ASCII, Unicode, and Resource strings in a file
Things to Avoid
1 Don’t Shutdown until volatile evidence has been collected Don’t trust the programs on the system – use your own secure programs Don’t run programs which modify access times of files 24 1 Guidelines for Evidence Collection and Archiving, IEEE, February 2002
Acquire the Evidence
To shutdown, or to not shutdown, that is the question!
Do so Without damaging or altering the original Should you let the machine run, or pull the plug??
Run • Retains maximum forensic evidence Pull Plug • Removes a compromised computer from potentially affecting the whole network • How to pull the plug From the back of the PC When the hard drive is not spinning • Sound • Drive Light • Vibration 25
Making Backups
File Backup vs. Bitstream Copy Use Forensically Sterile media Make 2 backup copies (one to work with and one to store) Don’t access the original again!
26
Level of Effort to Protect Evidence…
If the evidence is going to be used in court VS.
If the evidence is going to be used for internal investigation Evidence method should be the same for both situation in case it ever goes to court The more documentation the better 27
Forensic Analysis CYA
Virus Check Forensic computer Media being processed Collect System Information Complete computer hardware inventory CHKDISK/SCANDISK Look for “orphan clusters” Check for hidden partitions Document everything!
28
MD5 Hashing
Wikipedia Entry Cryptographic Hash Function A hash function must be able to process an arbitrary length message into a fixed-length output Hash Function Hash Collision Check Digit Cyclic Redundancy Check (CRC) 29
Integrity of Evidence
+ Method Checksum Description Method for checking for errors in digital data. Uses 16- or 32-bit polynomial to compute 16 or 32 bit integer result.
Common Types CRC-16 CRC-32 Advantages Easy to compute Fast Small data storage Useful for detecting random errors Disadvantages Low assurance against malicious attack Simple to create data with matching checksum One-Way Hash Method for protecting data against unauthorized change. Produces fixed length large integer (80~240 bits) representing digital data. Implements one way function.
SHA-1 MD5 MD4 MD2 Easy to compute Can detect both random errors and malicious alterations Must maintain secure storage of hash values Does not bind identity with data Does not bind time with data Digital Signature Secure method for binding identity of signer with digital data integrity methods such as one way hash values. Uses public key crypto system.
RSA DSA PGP Binds identity to integrity operation Prevents unauthorized regeneration of signature Slow Must protect private key Does not bind time with data + Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org
(Oct 25, 2005) 31
Hashing Algorithms
1 Algorithm MD2 MD4 MD5 SHA HAVAL Description Developed by Ronald L. Rivest in 1989, this algorithm was optimized for 8-bit machines.
Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.
SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.
1 Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305 32
MD5 Hash
“[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit ‘fingerprint’ or ‘message digest’ of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be ‘compressed’ in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.” 1 33 1 http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
MD5 Hash
128-bit number representing a “fingerprint” of a file Odds of two different files having the same MD5 Hash are 1 in 2 128 MD5 issues???
Collisions – Two different files generating the same hash http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf
SHA Collisions http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
34
Hash Try It…
http://www.sha1-online.com/ http://www.digital-detective.co.uk/freetools/md5.asp
http://www.miraclesalad.com/webtools/md5.php
Hash Converter: http://hash.online-convert.com/sha1-generator 35
Admissibility of Evidence
The whole point of all of this is to make sure that the evidence is admissible. Which means it is… Relevant Substantiates an issue that is in question in the case Competent Reliable and credible Obtained legally 36
5 Mistakes of Computer Evidence
1.
2.
3.
4.
5.
Turn on the Computer (don’t do it!) Get Help from the Computer Owner Don’t Check for Computer Viruses Don't Take Any Precautions In The Transport of Computer Evidence Run Windows To View Graphic Files and To Examine Files 37 1
Electronic Fingerprints: Computer Evidence Comes Of Age by Michael R. Anderson