Computer Forensics - Long Island University
What you will find in this presentation
◦ What is computer forensics?
◦ The four “A”s
◦ How disk storage works in your case
  How files live on disk
  Where evidence might reside
  What is slack space?
  What is unallocated space?
◦ Hex & ASCII representation
◦ Tools
◦ Steganography, recovering hidden data
Requirements
Glossary
Digital version of “CSI”
Finds evidence of incidents on digital equipment
◦ Computers & drives
◦ PDA’s
◦ iPods
◦ Cell phones
◦ Digital cameras & flash cards
◦ Network equipment
Evidence must stand up in court
Acquire
Archive
Analyze
Attest
Crime Scene Considerations
Identify and acquire the evidence
Safeguard and process physically
◦ Prints and trace evidence
Handling of magnetic media (drives, floppies, etc.)
◦ Keep away from magnets, machinery which generates magnetic fields, and static electricity (no plastic evidence bags, which generate static electricity)
Note where found, under what circumstances
The nature of the material expands where it might be hidden
◦ Between pages of a book
◦ Inside a device
Locate material which may assist
◦ User manuals, lists, passwords which might be written down
Identify sources of information
◦ hard drives
◦ disks (floppy, CD, DVD)
◦ other devices
  Digital cameras
  Cell phones
  PDA’s
Technician must understand the technology required to ‘archive’ information
Once seized as evidence, the technician will then create a bit-for-bit forensic image and make it available to the analyst
Image is a ‘bit-for-bit’ snapshot of the disk
◦ This image is used by the analyst
◦ The image contains everything on the disk
  Files, deleted files, “dead space” on disk, etc…
  Can’t read it directly
  The forensic software ‘interprets’ the image and “sees” all the files on the disk
NEVER use the original media unless there is no other alternative… always use the bit-for-bit image if possible
◦ If you ever need to use the original material, document it along with the reason
2008 CSI Challenge
◦ Teams will be provided a ‘bit-for-bit image’ for analysis
◦ Your team will not have to create this image
Examination of your evidence in Forensic Toolkit (FTK)
◦ Create a new or open an existing case
◦ Add evidence to the case
  Drive (hard disk, floppy, USB flash drive, etc.)
  Previously acquired bit image
    2008 CSI Challenge teams will use this option
  A folder and its contents
  Individual files
Find the evidence
◦ Examine the structure of the disk itself
  hidden data
◦ Suspicious files
  Renamed, altered or deleted
◦ Search for ‘strings’ (a string is a group of characters, such as a name, credit card number, or even a fragment of a word)
  in files
  in deleted files
  in ‘dead space’ (slack or unallocated, explained later)
Look for ‘stuff’ in plain sight
Look for hidden evidence
◦ Files, emails, etc.
◦ Files renamed to appear as different file types
  Word document renamed as a ‘jpg’ image file
  Stego’d file (see later)
◦ Encrypted files
  Password required
  Locate password
    In existing evidence
    At crime scene
  Guess password (important dates, names, etc.)
    Might require personal knowledge about the suspect’s background
  ‘Crack’ the password using a computer program (not an option for 2008 CSI Challenge… not enough time)
File anomalies (irregularities)
◦ File name does not match the file type
  An internal “signature” in the file indicates the type of file
  Signatures are also called “magic numbers”
  “JFIF” inside a file might mean it’s really a JPG image file and not a text file or whatever the filename indicates
◦ File times are inconsistent
  MAC times (Modification-Access-Creation)
  It’s possible for the creation time to be later than the modification time, depending on the OS, how the file was copied, etc.
Compressed files (zip or other format)
◦ May be passworded, contain many files bundled into one file
◦ You should know how to “unzip” a file if it’s compressed or “zipped”
  File ends in ‘.zip’
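The signature check described above, as an added example (not code from the presentation or from FTK): it compares the leading bytes of a file with what its name claims and reports a “bad signature” mismatch. The sample headers are constructed in memory and the signature table is a small subset of well-known magic numbers.

```python
# Added example (not from the presentation): compare a file's internal
# "signature" (magic number) with what its file name claims, the way a
# forensic tool flags a "bad signature". Sample headers are constructed
# in memory; no real evidence is read.
from typing import Optional

# Leading bytes of each format (well-known magic numbers).
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],                      # JPEG; JFIF/Exif follows
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "zip": [b"PK\x03\x04"],                        # also .docx/.xlsx containers
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 (Word 97-2003)
}
EXT_ALIASES = {"jpeg": "jpg"}

def detect_type(header: bytes) -> Optional[str]:
    """Return the format whose magic number starts the header, else None."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None

def check_signature(name: str, header: bytes) -> str:
    """Classify a file as 'ok', 'unknown' or a 'bad signature' mismatch."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = detect_type(header)
    if actual is None:
        return "unknown"        # no known magic number (plain text, etc.)
    if actual == ext:
        return "ok"
    return f"bad signature: named .{ext} but content is {actual}"

def scan(files: dict) -> dict:
    """Run the check over a {name: first bytes} mapping."""
    return {name: check_signature(name, hdr) for name, hdr in files.items()}

# Constructed sample headers, standing in for files on an evidence image.
SAMPLES = {
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",      # JPEG renamed .txt
    "photo.jpg": b"\xff\xd8\xff\xe1\x16\x2aExif\x00\x00",  # genuine JPEG
    "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "evidence.jpg": b"PK\x03\x04\x14\x00\x00\x00",         # zip renamed .jpg
    "readme.txt": b"Dear Sir; We have read",               # plain text
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

A real tool reads only the first few bytes of each file on the image; an “unknown” verdict for plain text is expected, since text has no magic number.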
Critical thinking: the investigative part!
◦ incriminating evidence (or exculpatory… excluding a suspect)
◦ discovering new avenues of inquiry
  Emails
  Recently used documents
  visited websites
  Snippets or fragments of information
    Including slack space…
Saving the evidence for future use once you’re done with the case
◦ In case you need to review your work
Reporting of analysis results
◦ written competency
Testimony
◦ expert witness
◦ verbal and non-verbal skills
Any reporting of results by 2008 CSI Challenge teams should be clear and legible, using whole sentences to state your findings
This is a basic explanation of how information is stored on a computer’s disk
◦ Byte
  The basic unit of storage
  Roughly equivalent to a ‘character’
  1,000,000 bytes = 1 Megabyte (1 Mb)
  Holds about a million typewritten characters
◦ Sector
  How bytes are organized on disk
  512 bytes per sector
◦ Cluster
  A group of sectors
  Floppy disk: 1 sector per cluster
  Hard drive: depends on system
Sectors are grouped into ‘clusters’
a cluster can be
◦ 1 sector/cluster (512 bytes)
◦ 2 sectors/cluster (1024 bytes)
◦ 4 sectors/cluster (2048 bytes)
◦ 8 sectors/cluster (4096 bytes)
on a floppy, we use one sector / cluster
when we need space for a file, the system gives us a cluster (not just a sector)
When we write a file using a cluster
◦ We have “left over” room in the cluster
  This is called “slack space”
  Information can reside in slack space
  Cannot say that the person who wrote the file in that cluster also put that slack information into that cluster
Clusters can be reused once a file is deleted
They’re put back into a pool of unallocated clusters
◦ (they don’t belong to any file)
◦ If these clusters haven’t been used for writing a new file, it’s possible to recover this ‘deleted’ file
Cluster (512 bytes)
we write about 100 bytes
◦ the rest is ‘slack’
[Figure: a 512-byte cluster; caption “This is an example of a cluster containing information…”; the text in the cluster reads “Dear Sir; We have read your proposal, and … blah blah blah … no thanks”]
No, but for the 2008 CSI Challenge you might see hexadecimal notation of the disk’s data, along with the “English” readable data
◦ This is presented so that you’ll recognize it when you see it while using FTK (see the next screen)
◦ You will not be responsible for knowing “hex”
◦ Computers really only know “numbers”
  Certain numbers (values) are associated with letters of the alphabet
  For example, a value of “44” in hexadecimal is a capital “D”, a hex “20” is a space, and a “64” value is a small “d”
  This is called the ASCII code
[Screenshot: FTK hex view, with the byte 44 annotated as upper case “D”]
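As an added example serving both the slack-space slides and the hex/ASCII slide above (not code from the presentation or from FTK): a 512-byte cluster once filled by a deleted letter is reused for a shorter file, the left-over bytes are identified as slack, the cluster is shown in the hex / ASCII layout a forensic tool presents, and the slack is searched for strings. The letter text, the new file and the one-sector cluster size are all constructed for the example.

```python
# Added example (not from the presentation): a 512-byte cluster holding a
# short file, with "slack" left over from an earlier, deleted file, shown
# as the hex / ASCII view a tool like FTK presents. All data is constructed.
import string

CLUSTER_SIZE = 512          # one sector per cluster, as on a floppy
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def build_cluster(old_contents: bytes, new_file: bytes) -> bytes:
    """Reuse a cluster: old bytes survive wherever the shorter new file does not overwrite them."""
    cluster = bytearray(old_contents.ljust(CLUSTER_SIZE, b"\x00")[:CLUSTER_SIZE])
    cluster[:len(new_file)] = new_file
    return bytes(cluster)

def slack_region(cluster: bytes, file_size: int) -> bytes:
    """The left-over part of the cluster after the file's own bytes."""
    return cluster[file_size:]

def hex_ascii_dump(data: bytes, width: int = 16) -> str:
    """Hex on the left, ASCII on the right; '.' for non-printable bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

def strings_in(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long (a 'strings' search)."""
    found, run = [], ""
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if chr(b) in PRINTABLE:
            run += chr(b)
        else:
            if len(run) >= min_len:
                found.append(run)
            run = ""
    return found

# Constructed data: a deleted letter once filled the cluster ...
OLD_LETTER = (b"Dear Sir; We have read your proposal, and after careful "
              b"review of the figures, blah blah blah... no thanks. Regards")
# ... and a new, shorter file has since been written into the same cluster.
NEW_FILE = b"Shopping list: milk, eggs, bread, coffee, batteries, envelopes."

if __name__ == "__main__":
    cluster = build_cluster(OLD_LETTER, NEW_FILE)
    print(hex_ascii_dump(cluster[:128]))
    print("slack strings:", strings_in(slack_region(cluster, len(NEW_FILE))))
```

The dump shows the shopping list in the first rows and the tail of the old letter right after it, which is exactly why a string search over slack can hit text that the current file’s owner never wrote.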
Software such as FTK (which you will be using) contains tools that allow you to:
◦ Acquire an evidence image
◦ Identify deleted files
  Possibly recover a deleted file
◦ Search the bit image
◦ Search for a string of text (last name, etc.)
  Identify files containing the string
  Identify that area as belonging to a file, or in slack space
◦ Examine attributes of files
  Hidden
  Deleted
  File times
  Mismatch between file name and actual file type
    ‘bad signature’ (txt file might actually be a ‘jpg’ file)
  Show thumbnails of picture type files
◦ Export files (or fragments) (collect them in one spot)
◦ Bookmark critical findings (highlight relevant findings)
◦ Document case for report (times, investigator, etc.)
Existing software
◦ Word, Adobe, etc.
  Open files of that format
◦ Analyst must know how the application software works
PKZIP, WinZip, WinRAR
◦ Extract compressed files
Steganography (S-Tools)
◦ Extract files from a “stego’d” file
◦ S-Tools will use BMP, GIF or WAV files as ‘containers’ to hide other files
◦ Can be used to reveal and extract hidden files
Forensic ToolKit (AccessData)
Demo version allows examination of cases with a max of 5000 files
◦ Add your evidence image file
◦ Analyze it
◦ Document your results
You will use FTK to add your evidence to a new case and analyze it
Hidden information inside a file
A file inside a file (container file and message file)
Can be passworded / encrypted
The “container” (stego’d) file is either a “bmp” or “gif” image type
◦ Can also be an ‘audio’ file
On a hard drive, or on someone’s iPod, etc…
Files can be included in a Word (or other) document, such as webpages, or be a “standalone” file on someone’s hard drive
S-Tools can be downloaded to reveal stego’d evidence
Laptop
◦ CD / ROM drive
◦ Software
  Windows XP or Vista
  Microsoft Office (2003 or better)
  AccessData’s Forensic ToolKit (FTK)
  S-Tools
  WinZip or capability to unzip files on your drive
    Should already be built into Windows when you right-click on a zipped filename
Tutorials (including this) can be found on the website
ASCII
◦ Computers only know numbers. ASCII is a ‘code’ that associates numbers with letters or characters of the alphabet.
Bit
◦ Binary digit; a ‘one’ or a ‘zero’
Byte
◦ Grouping of eight bits, representing a numerical value from 0 to 255
◦ Can also represent a “character” or letter of the alphabet
Bit-for-bit image
◦ Also known as a bitstream image
◦ A “snapshot” of a piece of evidence, taken in a forensically sound manner (no alteration of original evidence)
Bitstream image
◦ See bit-for-bit image
Cluster
◦ A group of sectors. Files are written by the system using clusters
  Floppy clusters are 1 sector per cluster
  Hard drives vary (common to find 8 sectors / cluster)
Compression (of files)
◦ a method of making a large file smaller, by eliminating repetitive sequences of characters
  See “zip” files
Encryption
◦ Used to make information unreadable unless you have a password
Evidence
◦ Something that provides proof
  Could be a hard drive, floppy, USB device, paper notes or anything containing information
Hexadecimal
◦ Numerical representation used by computer scientists. See ASCII code
Password
◦ A mechanism which prevents a person from accessing a file unless a user provides the correct password or passphrase.
Slack or slack space
◦ That area of a cluster belonging to a file, which is “left over.” Information can be contained in slack space.
Steganography
◦ “Hidden writing.” The process of hiding information inside a container file. The container picture typically looks no different after having hidden data inside it. Software such as S-Tools is used both to hide as well as reveal information.
Zip file
◦ A compressed file. A zip can contain a single file, or many files. The zip file can contain a directory (folder) structure, along with all the files in that folder. Zip files can also be passworded.
Good luck to all contestants