CS 447/557 Computer Forensics

CS496 Computer Forensics
Lecture 3: The Investigative Process
Winter 2010

Introduction
• Last time
– History, need and challenges of computer forensics
• Today
– Investigative process
– Look at the process of gathering digital evidence
• Examples of how evidence can be used to connect a perpetrator to the crime

Take Away Points
1. Importance of having an investigative process that is documented and repeatable
– Want an unbiased investigative process that accurately captures and reports evidence
2. Certain steps in an investigative process are the same no matter what model is used

Goal of Investigation
• Uncover and present the truth of a crime or event by the evidence gathered
– True for both criminals in the physical world and intruders in the computer world
– The types of evidence will be different
• Investigative process will be the same!

Investigative Process
• Why is it important for there to be an investigative process?
– Sanctioned by our court system

Impact of Investigation
• Allegations of wrongdoing
– People can lose their freedom
– Reputation can be destroyed
– Extreme case, lose their lives
• Investigative process is similar to the scientific method
– Develop several theories with hypotheses
– Seek evidence to disprove each hypothesis
– Trying to determine what happened based on evidence and avoid preconceived ideas

Digital Evidence
• Want to uncover links between suspect and crime scene
– If a crime occurred, it should be traceable
– Physical world
• Evidence includes hair, fingerprints or fibers
• Witness reports
– Digital world
• Evidence is digital information in the form of files and time stamps

Digital Evidence
• Example
– Individual sends threatening message via a Web based e-mail service like Hotmail
• What evidence could be gathered?

Digital Evidence
• Example
– Browser stores files, links and other information on hard disk along with date-time related information
– All on suspect's computer
– Web server used to send message
– Access logs, e-mail logs, IP addresses
– Stores message sent in suspect's e-mail account

Digital Evidence
• Example continued
– Piece together evidence from suspect's computer and Web server
• Match programs and tools
• Examine time information
– Did the time the message was received approximately match the time it was sent?

Digital Evidence
• Example 2
– Intruder gains unauthorized access to Unix system from Windows PC using a stolen Internet dial-up account and uploads various tools to Unix machine via FTP
– You have access to both machines
– What evidence could be gathered?

Digital Evidence
• Example 2 continued
– Tools now on both Windows and Unix systems
– Characteristics of tools on both systems match
• Date-time stamps
• Exact copies – size and version match
– Windows applications used to connect to Unix: Telnet, SSH
• Keep record of target IP address/hostname
– Directory listings from Unix system
• May remain on intruder's hard drive if swapped to disk while being displayed by Telnet or SSH

Digital Evidence
• Example 2 continued
– Stolen account/password likely stored somewhere on intruder's system
• Sniffer log or in list of stolen accounts from other systems
– Unix system
• Log-in records
• FTP transfer logs showing connection and file transfers
• Transferred tools can have associated user and group information

Digital Evidence
• Additional systems may be involved
– IDS logs – Intrusion detection systems
– NetFlow logs – Routers
– Other logs – Firewall or other systems
• The more corroborating evidence that can be obtained
– The greater the weight of evidence provided in a court of law

Digital Evidence
• Example 3
– Child porn from the Internet
– Evidence traced from Suspect to FTP Server
• Suspect's PC: file date-time stamps, modem, FTP logs
• Dial-up Server: TACACS logs and ANI records (ANI – Automatic Number ID; TACACS – user authentication)
• Router: NetFlow logs
• FTP Server: logon and transfer logs

Digital Evidence
• Example 3 continued
– Dial-up connection can be traced through the various systems to the FTP Server
– Client side
• Date-time stamps of porn files show when files were downloaded
• Logs from FTP client show when each file was downloaded and from where
Log entry: 98.11.12.1 19:53 A C:\download\image12.jpg<--192.168.1.45/home/johnh/image12.jpg
WS_FTP image downloaded from FTP server 192.168.1.45 on Nov. 12 1998 at 1953 hours from remote directory /home/johnh

Digital Evidence
• Example 3 continued
– Suspect's ISP
• Dial-up server logs at the suspect's ISP could show that a specific IP address was assigned to the suspect's user account at the time
– FTP Server
• Logs on the FTP server may confirm files were downloaded to the suspect's IP address at the time in question
• The following FTP server transfer log entry shows a file with the same name and size as one found on the suspect's computer being downloaded to the IP address assigned to the suspect at the time in question
Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a_or user

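The client-side and server-side entries in Example 3 can be correlated mechanically. This is an added example, not part of the lecture: it parses a WS_FTP-style client line and a wu-ftpd xferlog-style server line (both constructed to follow the formats quoted on the slides; the user name, local path and seized file size are assumptions) and lists the facts on which the two independent sources agree.

```python
"""Correlate the two Example 3 log entries: a WS_FTP-style client log line
from the seized PC and a wu-ftpd xferlog-style line from the FTP server.
Sample lines are constructed to follow the formats quoted on the slides."""
from datetime import datetime, timedelta
from pathlib import PurePosixPath, PureWindowsPath

# Constructed WS_FTP-style entry: date, time, mode, local path <-- host remote path
CLIENT_LOG = "98.11.12 19:53 A C:\\download\\image12.jpg <-- 192.168.1.45 /home/johnh/image12.jpg"
# Constructed xferlog-style entry (day-of-week omitted, as on the slide): timestamp,
# transfer seconds, remote host, bytes, path, type, special action, direction, access mode, user
SERVER_LOG = "Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r johnh"
SEIZED_FILE_SIZE = 780800  # size of image12.jpg as found on the seized PC (assumed)


def parse_client(line):
    """Split a WS_FTP-style line; the timestamp comes from the suspect PC's own clock."""
    date, time, _mode, rest = line.split(" ", 3)
    local, remote = (s.strip() for s in rest.split("<--"))
    host, remote_path = remote.split(" ", 1)
    return {"host": host, "local": local, "remote_path": remote_path,
            "file": PureWindowsPath(local).name,
            "when": datetime.strptime(f"{date} {time}", "%y.%m.%d %H:%M")}


def parse_server(line):
    """Split an xferlog-style line; 'o' in the direction field means an outgoing
    transfer, i.e. a download by the remote client."""
    f = line.split()
    return {"client_ip": f[5], "size": int(f[6]), "remote_path": f[7],
            "direction": f[10], "user": f[12], "file": PurePosixPath(f[7]).name,
            "when": datetime.strptime(" ".join(f[:4]), "%b %d %H:%M:%S %Y")}


def corroborate(client, server, seized_size, tolerance=timedelta(minutes=5)):
    """Return the facts on which the two independent sources agree.  A time
    tolerance is needed because the PC and server clocks are unsynchronised
    and the client log only records minutes."""
    checks = {
        "same remote path": client["remote_path"] == server["remote_path"],
        "same file name": client["file"] == server["file"],
        "server size matches seized file": server["size"] == seized_size,
        "server records an outbound transfer": server["direction"] == "o",
        "times agree within tolerance": abs(client["when"] - server["when"]) <= tolerance,
    }
    return [name for name, ok in checks.items() if ok]


if __name__ == "__main__":
    c, s = parse_client(CLIENT_LOG), parse_server(SERVER_LOG)
    for fact in corroborate(c, s, SEIZED_FILE_SIZE):
        print("agrees:", fact)
    # Linking s["client_ip"] to the suspect still needs the ISP's TACACS/ANI records.
```

Note that the client log records the server's address and the server log records the client's address, so neither line alone ties the transfer to the suspect; the dial-up server's records are the third source that closes the chain.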
Locard's Exchange Principle
• Main goal of investigation is to link crime to the suspect by discovering threads between suspect, victim and crime scene
• A principle in criminal investigation called Locard's Exchange Principle
– Anyone or anything entering a crime scene takes something of the scene with them and leaves something of themselves behind

Locard's Exchange Principle
• Physical world
– Offender leaves fingerprints or hair at scene
– Takes fiber, blood or other material away
• One piece of evidence
– Strong possibility suspect was at the crime scene
• Two pieces of evidence
– Much stronger link between suspect and crime scene

Locard's Exchange Principle
[Diagram: Crime Scene, Victim and Suspect, linked by Evidence]

Investigative Methodology
• Want investigative process structured so that
– Complete investigation is done
– Evidence is handled properly
– Mistakes are minimized
• Investigation is broken up into levels at which various activities occur
• There is a process model
– Looks like a software engineering model
– Waterfall model

Investigative Process Model
Stages of the staircase, from the bottom (begins with an incident alert) to the top (ends with testimony):
1. Incident alerts or accusation
2. Assessment of worth
3. Incident/crime scene protocols
4. Identification or seizure
5. Preservation
6. Recovery
7. Harvesting
8. Reduction
9. Organization and search
10. Analysis
11. Reporting
12. Persuasion and testimony
Case management is shown alongside the staircase.

Investigative Process Model
• At the top of the process model
– Role of investigator is finished
– Pass on work and evidence to prosecutors or other decision makers
• Decide whether to continue with case or not
– Note: Steps shown are in a stair-step sequence
• But stages are interrelated and steps may need to be re-visited
• Thus, stages have feedback mechanisms

Process Model
• Logical flow of events that seeks to provide
1. Acceptance – Professional agreement on methods
2. Reliability – Methods trusted to support findings
3. Repeatability – Process applied by all, independent of time and place
4. Integrity – Evidence gathered can be trusted
5. Cause and Effect – Logical connection between suspects and evidence
6. Documentation – Critical for testimony

Important Steps
• Look at a few of the more important steps
– Accusation
– Assessment of worth
– Identification or seizure
– Analysis
– Reporting

Investigative Process Model
• Accusation or Intruder Alert
– Intrusion log, or more traditionally a citizen reporting criminal activity
– Likely some part of the scene of the crime contains digital evidence

Investigative Process Model
• Accusation continued
– Response
• Must weigh the evidence
– Look at sources plus human factors
– May have to do some preliminary fact gathering and data analysis before deciding what happened and whether it was criminal or malicious
• Example: Significant loss of files
– Due to a power surge or computer failure instead of deliberate erasure
– Employee incompetence as opposed to deliberate
» Format C:\ (by mistake)

Investigative Process Model
• Assessment of Worth
– Try to find out the severity of a problem
• Potential for significant loss
– Reputation of company trashed for leaking private individuals' information
• Wider system compromise
– Not just one computer, but infiltration throughout the company
• Physical injury
– If damage can be contained without further loss, may not be worth a full investigation

Investigative Process Model
• Identification or Seizure
– Once scene is secured, potential evidence of an alleged crime or incident must be seized
– Documentation is very important in the digital evidence seizure step
• Must record details about each thing seized as evidence in order to establish its authenticity and establish a chain of custody
• Chain of custody – who handled the evidence since it was seized – More on this later

Investigative Process Model
• Identification or Seizure continued
– Digital World
• Seizure occurs, but some or all of the state or character may be lost immediately upon seizure due to volatility of electronic devices
• Once system is powered down, all RAM is lost
• Methods and software allow for capture of this information

Investigative Process Model
• Analysis
– Scrutiny of data
– Review images, determine motivation and opportunity for crime or event
– Fusion and correlation
• Bring together data from many sources
• Example: Many crimes have a time-line associated with the event; put data in chronological order

Investigative Process Model
• Reporting
– View of investigative process
– Contain important details from each step
– Reference to protocols followed, methods used to gather evidence
– Each step should be carefully documented

Reporting Example
• View recommendations and example from a Department of Justice document
http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Summary
• Investigative Methodology
• Model of investigation helps with establishing a more scientific approach to investigation
• Important for both physical and digital evidence
– Huge potential impact since people's reputations or freedoms are on the line
• A challenge of digital evidence is its transient nature
– Can be lost for good if not careful
• Not all cases are worth pursuing
– Must weigh evidence to see if case should be pursued

Finish
– More on Digital Evidence
– Reading: Chapter 2
– See Assignments Page, Assignment 1
• Check out link to Justice Document