Computer Forensics BACS 371

Evidentiary Methods II: Evidence Acquisition


OK, What do we do first?


Basic Forensic Methodology

• Acquire the evidence (legally)
• Authenticate that it is the same as the original
• Analyze the data without modifying it


Photographing Systems

Before you do anything, begin documentation by photographing all aspects of the system:

• Monitor
• Desk and surrounding area
• All four sides of the PC
• Labeled cables, still connected

Evidence Acquisition Process

1. Disassemble the case of the computer
   • Identify the storage devices that need to be acquired (internal, external, or both)
2. Document the internal storage devices and hardware configuration
   • Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …)
   • Internal components (sound card, video card, network card including its MAC address, PCMCIA cards, …)
3. Disconnect the storage devices (power, data, or both), so that no boot in the next step touches the evidence drives
4. Controlled boots
   • Capture CMOS/BIOS info (boot sequence, time/date, passwords)
   • Controlled boot from a forensic CD to test functionality (RAM, write-protected storage, …)
   • Controlled boot to capture the drive configuration (LBA, CHS, …)

Source: Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3, Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Role of the First Responder

Scene of the Cybercrime (source 1):

Do No Harm!
• Identify the crime scene
• Protect the crime scene
• Preserve temporary and fragile evidence

A Guide for First Responders (source 2):
• Secure and evaluate the scene
• Document the scene
• Collect evidence
• Packaging, transportation, and storage of evidence
• Forensic examination

Source 1: Scene of the Cybercrime, Shinder & Tittel, p.553
Source 2: Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

Role of Investigators

• Establish chain of command
• Conduct the crime scene search
• Maintain the integrity of the evidence

Source: Scene of the Cybercrime, Shinder & Tittel, p.554

Role of Crime Scene Technician

• Preserve volatile evidence and duplicate disks
• Shut down systems for transport
• Tag and log evidence
• Transport evidence
• Process evidence

Source: Scene of the Cybercrime, Shinder & Tittel, p.555

Computer Seizure Checklist

• Photograph the monitor
• Preserve volatile data (before the system is shut down; see Preserve Volatile Data below)
• Shut down systems
• Photograph the system setup
  – PC, all sides
  – Label all connections
• Unplug the system and peripherals; mark and tag
• Bag and tag all components
• Bitstream copy of disk(s)
• Verify the integrity of the copies (usually offsite)

Source: Scene of the Cybercrime, Shinder & Tittel, p.557

Handling, Transportation, Storage

Protect media during handling, transportation, and storage from:
• Static electricity
• External RF signals
• Heat
• Humidity
• Sunlight

Evidence Logs

• Lists all evidence collected
• Description of each piece of evidence, with serial numbers and other ID information
• Identifies who collected the evidence and why
• Date and time of collection
• Disposition of evidence
• All transfers of custody

Computer Evidence Worksheet

(Sample worksheet form; shown as an image on the original slide.)

Evidence Tag

• Place or person from whom the item was received
• Whether the item requires consent for search
• Description of items taken
• Information contained on the storage device
• Date and time the item was taken
• Full name and signature of the individual initially receiving the evidence
• Case and tag number

Evidence Label

• Case number and evidence tag number
• Date and time the evidence was collected
• Brief description of the items in the envelope

Evidence Analysis Logs

For each analysis step, record how it was performed:
• Who was present
• What was done
• Result of the procedure
• Time and date

Document all potential evidence:
• Filename
• Where on the disk the data are located
• Date and time stamps
• Network information (MAC address, IP address)
• Other file properties (metadata)

Evidence Log (example)

Case Number: 123412

Tag #   Date        Action                            Taken By    Location
1       13 Jan 01   Initial submission                Matt Pepe   Maxtor 600GB (593843420)
1       15 Mar 01   Moved evidence to tape            Matt Pepe   4mm tape #01101
1       15 Mar 01   Examined evidence using EnCase    Matt Pepe   FRED #7

Each entry records:
• Evidence tag number
• Date
• Action taken
• Person performing the action
• Identifying information

Preserve Volatile Data

Order of Volatility (source 2, RFC 3227 section 2.1), most volatile first:
• Registers and cache
• Routing table, ARP cache, process table, kernel statistics
• Contents of system memory (RAM)
• Temporary file systems
• Data on disk
• Remote logging and monitoring data
• Physical configuration, network topology
• Archival media

Collect in this order: everything above "data on disk" is gone once the power is cut.

Source 1: Scene of the Cybercrime, Shinder & Tittel, p.559
Source 2: Guidelines for Evidence Collection and Archiving, IETF RFC 3227, February 2002

Collecting Volatile Data

Run these from your own trusted copies (the forensic CD) and send the output to removable media, never to the suspect's disk:

Tool       Purpose
netstat    View current network connections
nbtstat    View NetBIOS names, name cache and sessions (the slide spells it "nbstat"; the Windows command is nbtstat)
arp        View addresses in the ARP (Address Resolution Protocol) cache
pslist     List running processes (Sysinternals PsTools; the slide's "plist" is a typo; tasklist is the built-in equivalent, or view in Task Manager)
ipconfig   Gather information about the state of the network

The following slides show screenshots of each tool's output:

netstat – current network connections

nbtstat – NetBIOS name resolution

arp – addresses in the ARP cache

ipconfig – state of the network

Foundstone Tools

Tool              Purpose
Pasco             An Internet Explorer activity (index.dat) forensic analysis tool
Galleta           An Internet Explorer cookie forensic analysis tool
Rifiuti           A Recycle Bin forensic analysis tool
Vision            Reports all open TCP and UDP ports, mapped to the owning application
NTLast            Security audit tool for Windows NT (logon and logoff event records)
Forensic Toolkit  Tools to examine an NTFS disk partition for unauthorized activity
ShoWin            Shows information about windows; can reveal passwords hidden behind asterisks in password fields
BinText           Finds ASCII, Unicode, and resource strings in a file

Things to Avoid

• Don't shut down until the volatile evidence has been collected
• Don't trust the programs on the system: use your own secure programs (from the forensic CD)
• Don't run programs which modify the access times of files

Source: Guidelines for Evidence Collection and Archiving, IETF RFC 3227, February 2002
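The tool table and the three rules above as one procedure, as an added Python example that is not part of the deck or of RFC 3227. It assumes the tools live on the forensic CD or USB at TOOL_DIR (a hypothetical path), runs each one by absolute path so the suspect host's PATH and any replaced system binaries are never used, writes every output to a destination outside the suspect disk, and records start/finish time and the SHA-256 of each output in a manifest. The tool outputs in the script are constructed sample text so that it runs offline; on a live Windows host you would pass run_from_tool_dir as the runner instead of sample_runner.

```python
import datetime
import hashlib
import json
import os
import subprocess
import tempfile

# Collection order follows the order of volatility (RFC 3227): ARP cache and
# process table first, connection tables next, network configuration last.
# TOOL_DIR is the forensic CD/USB; "E:\\tools" is a placeholder path.
TOOL_DIR = "E:\\tools"
VOLATILE_COMMANDS = [
    ("arp",      ["arp.exe", "-a"]),
    ("pslist",   ["pslist.exe", "-accepteula"]),  # Sysinternals; flag suppresses the EULA dialog
    ("netstat",  ["netstat.exe", "-an"]),
    ("nbtstat",  ["nbtstat.exe", "-S"]),
    ("ipconfig", ["ipconfig.exe", "/all"]),
]


def run_from_tool_dir(tool_dir, argv):
    """Run the tool found in tool_dir by absolute path: the suspect host's PATH,
    and any replaced system binaries on it, are never consulted."""
    exe = os.path.join(tool_dir, argv[0])
    proc = subprocess.run([exe, *argv[1:]], capture_output=True, check=False)
    return proc.stdout + proc.stderr


def collect_volatile(tool_dir, out_dir, runner=run_from_tool_dir, clock=None):
    """Run each tool in order, save its raw output under out_dir (removable media
    or a network share, never the suspect disk) and record when it ran and the
    SHA-256 of what was saved. Returns the manifest."""
    clock = clock or (lambda: datetime.datetime.now(datetime.timezone.utc))
    manifest = []
    for seq, (name, argv) in enumerate(VOLATILE_COMMANDS, start=1):
        started = clock()
        output = runner(tool_dir, argv)
        finished = clock()
        file_name = f"{seq:02d}-{name}.txt"
        with open(os.path.join(out_dir, file_name), "wb") as fh:
            fh.write(output)
        manifest.append({
            "seq": seq, "tool": name, "command": " ".join(argv),
            "started_utc": started.isoformat(), "finished_utc": finished.isoformat(),
            "output_file": file_name, "output_bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
        })
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_collection(out_dir) -> bool:
    """Re-hash every saved output against the manifest (the authenticate step)."""
    with open(os.path.join(out_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    for entry in manifest:
        with open(os.path.join(out_dir, entry["output_file"]), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                return False
    return True


# Constructed sample outputs (not real captures) so the script runs offline.
SAMPLE_OUTPUT = {
    "arp.exe": b"Interface: 192.168.1.10 --- 0x2\n  192.168.1.1   00-11-22-33-44-55   dynamic\n",
    "pslist.exe": b"Name       Pid Pri Thd  Hnd\nSystem       4   8  57  346\nsvchost   1020   8  12  211\n",
    "netstat.exe": b"  TCP    192.168.1.10:1054   203.0.113.7:6667    ESTABLISHED\n",
    "nbtstat.exe": b"Local Area Connection:\nNetBIOS Connection Table\n",
    "ipconfig.exe": b"   IP Address. . . . . : 192.168.1.10\n   Physical Address. . : 00-0C-29-AA-BB-CC\n",
}


def sample_runner(tool_dir, argv):
    return SAMPLE_OUTPUT[argv[0]]


def demo():
    with tempfile.TemporaryDirectory() as out_dir:
        manifest = collect_volatile(TOOL_DIR, out_dir, runner=sample_runner)
        intact = verify_collection(out_dir)
    return [m["tool"] for m in manifest], intact


if __name__ == "__main__":
    print(demo())
```

The runner is a parameter so the collection logic can be exercised without the Windows tools; nothing in collect_volatile itself touches the suspect disk, which is the property the "use your own secure programs" rule is protecting.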

Acquire the Evidence

To shut down, or not to shut down, that is the question!

• Do so without damaging or altering the original
• Should you let the machine run, or pull the plug?

Run
• Retains maximum forensic evidence (RAM, running processes, open connections)

Pull the plug
• Removes a compromised computer from potentially affecting the whole network
• Loses everything above "data on disk" in the order of volatility, so collect volatile data first
• How to pull the plug:
  – From the back of the PC (not at the wall, where a power strip or UPS may keep the machine up), and not via the operating system's shutdown, which writes to the evidence disk
  – When the hard drive is not active; check for:
    • Sound
    • Drive light
    • Vibration

Making Backups

• File backup vs. bitstream copy: a file backup copies only allocated files; a bitstream copy captures every sector, including slack space, unallocated space and deleted data
• Use forensically sterile media (wiped and verified before the image is written, so nothing from an earlier case can be mistaken for evidence)
• Make 2 backup copies (one to work with and one to store)
• Don't access the original again!
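The bitstream copy, the two-copy rule and the later hash check, as an added Python example that is not from the slides or from the NIJ guide they cite. A real acquisition reads the raw device through a write blocker; here the device is a constructed in-memory stand-in with one unreadable sector, so the script runs offline. What dd gets from conv=noerror,sync is done by hand: an unreadable sector is zero-filled so every later offset stays intact, and its LBA is logged, because the bad-sector list belongs in the acquisition record. The working copy is made from the image, not from the drive, and verification compares two unrelated hashes.

```python
import hashlib
import os
import shutil
import tempfile

SECTOR_SIZE = 512


class SimulatedDevice:
    """Stand-in for a raw block device behind a write blocker (constructed for
    this example). Reads of the sectors listed in bad_sectors raise OSError,
    as a failing drive does."""

    def __init__(self, data: bytes, bad_sectors=()):
        pad = (-len(data)) % SECTOR_SIZE          # devices are whole sectors
        self.data = data + b"\x00" * pad
        self.bad = set(bad_sectors)

    def sector_count(self) -> int:
        return len(self.data) // SECTOR_SIZE

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]


def bitstream_copy(device, image_path):
    """Sector-by-sector copy, the equivalent of dd conv=noerror,sync: every
    sector is copied (files, slack and unallocated space alike); an unreadable
    sector is zero-filled so later offsets stay correct, and its LBA is kept
    for the acquisition record. Hashes are taken over the bytes written.
    Returns (sha256_hex, md5_hex, bad_lbas)."""
    sha, md5, bad = hashlib.sha256(), hashlib.md5(), []
    with open(image_path, "wb") as img:
        for lba in range(device.sector_count()):
            try:
                block = device.read_sector(lba)
            except OSError:
                block = b"\x00" * SECTOR_SIZE
                bad.append(lba)
            img.write(block)
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest(), bad


def hash_file(path):
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def verify_image(path, expected_sha256, expected_md5) -> bool:
    """Authenticate step: re-hash the stored copy and compare with the values
    recorded at acquisition. Two unrelated algorithms are compared, so a
    collision in one of them is not enough to pass a doctored image off."""
    sha, md5 = hash_file(path)
    return sha == expected_sha256 and md5 == expected_md5


def demo():
    # Constructed 8-sector "drive" with sector 5 unreadable.
    payload = bytes(range(256)) * 16
    device = SimulatedDevice(payload, bad_sectors={5})
    with tempfile.TemporaryDirectory() as case_dir:
        master = os.path.join(case_dir, "tag01-master.dd")    # copy to store
        working = os.path.join(case_dir, "tag01-working.dd")  # copy to work with
        sha, md5, bad = bitstream_copy(device, master)
        shutil.copyfile(master, working)  # second copy from the image, the drive is not read again
        expected = payload[:5 * SECTOR_SIZE] + b"\x00" * SECTOR_SIZE + payload[6 * SECTOR_SIZE:]
        result = {
            "bad_sectors": bad,
            "image_size": os.path.getsize(master),
            "hash_matches_expected_bytes": sha == hashlib.sha256(expected).hexdigest(),
            "master_ok": verify_image(master, sha, md5),
            "working_ok": verify_image(working, sha, md5),
        }
        with open(working, "r+b") as fh:        # alter one byte of the working copy
            fh.seek(3 * SECTOR_SIZE)
            fh.write(b"\xff")
        result["tamper_detected"] = not verify_image(working, sha, md5)
    return result


if __name__ == "__main__":
    print(demo())
```

The hashes are computed from the bytes actually written, not from a second read of the drive, so the recorded values describe the image in hand; re-reading a failing drive could return different bytes and the record would then match nothing.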

Level of Effort to Protect Evidence…

If the evidence is going to be used in court
vs.
If the evidence is going to be used for an internal investigation

• The evidence method should be the same for both situations, in case it ever goes to court
• The more documentation the better

Forensic Analysis CYA

• Virus check
  – The forensic computer
  – The media being processed
• Collect system information
  – Complete computer hardware inventory
• CHKDSK / SCANDISK (run against a working copy, never against the original: a repair pass writes to the disk it checks)
  – Look for "orphan clusters"
• Check for hidden partitions
• Document everything!

MD5 Hashing

Wikipedia entries:
• Cryptographic hash function: a hash function must be able to process an arbitrary-length message into a fixed-length output
• Hash function
• Hash collision
• Check digit
• Cyclic redundancy check (CRC)

Integrity of Evidence

Checksum
  Description: Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16- or 32-bit integer result.
  Common types: CRC-16, CRC-32
  Advantages: easy to compute; fast; small data storage; useful for detecting random errors
  Disadvantages: low assurance against malicious attack; simple to create data with a matching checksum

One-way hash
  Description: Method for protecting data against unauthorized change. Produces a fixed-length large integer (80~240 bits) representing the digital data. Implements a one-way function.
  Common types: SHA-1, MD5, MD4, MD2
  Advantages: easy to compute; can detect both random errors and malicious alterations
  Disadvantages: must maintain secure storage of the hash values; does not bind identity with data; does not bind time with data

Digital signature
  Description: Secure method for binding the identity of the signer with digital data integrity methods such as one-way hash values. Uses a public key cryptosystem.
  Common types: RSA, DSA, PGP
  Advantages: binds identity to the integrity operation; prevents unauthorized regeneration of the signature
  Disadvantages: slow; must protect the private key; does not bind time with data

Source: "Proving the Integrity of Digital Evidence with Time," International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (accessed Oct 25, 2005)
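The checksum row's "simple to create data with a matching checksum" in working code, as an added Python example that is not from the slides or from the cited paper. A constructed evidence record is altered, then four bytes computed from the CRC-32 table are appended so that the tampered bytes carry the original's CRC-32; a one-way hash (SHA-256 here, standing in for the older MD5 and SHA-1 in the table) still reports the change. The reversal works because CRC is linear in the data: each appended byte selects one table entry, and the top bytes of the 256 entries are all distinct, so the entries can be chosen backwards from the register value you want and the bytes that select them computed forwards from the register value you have.

```python
import hashlib
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320  # reflected CRC-32 polynomial (zlib, ZIP, Ethernet)

# Standard byte-wise CRC-32 table: entry n is the register after shifting byte n
# through eight steps, i.e. n(x)*x^8 mod P(x).
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each entry is unique, so it identifies the entry.
TOP_BYTE_TO_INDEX = {TABLE[i] >> 24: i for i in range(256)}


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & MASK


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that crc32(data + suffix) == target.

    One CRC step is r' = (r >> 8) ^ TABLE[(r ^ byte) & 0xFF]. Walking backwards
    from the wanted final register, the top byte of each intermediate register
    fixes which table entry that step must use; walking forwards from the real
    register, the byte that selects each chosen entry is (r ^ index) & 0xFF."""
    reg = crc32_of(data) ^ MASK   # register state before zlib's final XOR
    want = target ^ MASK          # register state needed after four more bytes
    indices = []
    for _ in range(4):
        i = TOP_BYTE_TO_INDEX[want >> 24]
        indices.append(i)
        want = ((want ^ TABLE[i]) << 8) & MASK   # the known high bits of the previous register
    suffix = bytearray()
    for i in reversed(indices):
        suffix.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ TABLE[i]
    return bytes(suffix)


def integrity_report(original: bytes, tampered: bytes) -> dict:
    """Pad the tampered record so its CRC-32 equals the original's, then compare
    what a CRC check and a SHA-256 check would each conclude."""
    target = crc32_of(original)
    forged = tampered + forge_crc32_suffix(tampered, target)
    return {
        "crc_after_forgery_matches": crc32_of(forged) == target,
        "sha256_matches": hashlib.sha256(forged).digest() == hashlib.sha256(original).digest(),
        "forged_suffix_hex": forged[-4:].hex(),
        "forged_length": len(forged),
    }


# Constructed sample records (not real evidence).
ORIGINAL = b"tag:0001 drive:Maxtor-593843420 collected:2001-01-13 by:M.Pepe\n"
TAMPERED = b"tag:0001 drive:Maxtor-593843420 collected:2001-01-15 by:M.Pepe\n"

if __name__ == "__main__":
    print(integrity_report(ORIGINAL, TAMPERED))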

Hashing Algorithms

Algorithm   Description
MD2         Developed by Ronald L. Rivest in 1989; optimized for 8-bit machines.
MD4         Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
MD5         Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to build a computer that could find collisions by brute force. (That estimate is obsolete: practical MD5 collision attacks have been public since 2004; see the collision papers later in this deck.)
SHA         SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
HAVAL       A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5's.

Source: Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305

MD5 Hash

"[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit 'fingerprint' or 'message digest' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be 'compressed' in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."

Source: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

MD5 Hash

• 128-bit number representing a "fingerprint" of a file
• For two random files the chance of an identical MD5 hash is 1 in 2^128, but that is not the number that matters: a brute-force search finds some colliding pair after about 2^64 hashes (the birthday bound), and the published attacks below are far cheaper than that
• MD5 issues???
• Collisions: two different files generating the same hash
  http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf
• SHA-1 collisions (the 2005 Wang, Yin and Yu attack; the first practical SHA-1 collision was published in 2017)
  http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
• For evidence, record more than one hash of each image (for example MD5 together with a SHA-2 hash): a collision in one algorithm then does not let a doctored image verify

Hash Try It…

• http://www.sha1-online.com/
• http://www.digital-detective.co.uk/freetools/md5.asp
• http://www.miraclesalad.com/webtools/md5.php
• Hash converter: http://hash.online-convert.com/sha1-generator

Admissibility of Evidence

The whole point of all of this is to make sure that the evidence is admissible, which means it is:
• Relevant: substantiates an issue that is in question in the case
• Competent: reliable and credible
• Obtained legally

5 Mistakes of Computer Evidence

1. Turning on the computer (don't do it!)
2. Getting help from the computer owner
3. Not checking for computer viruses
4. Not taking any precautions in the transport of computer evidence
5. Running Windows to view graphic files and to examine files

Source: Electronic Fingerprints: Computer Evidence Comes Of Age, by Michael R. Anderson