Transcript Slide 1
Introduction to Computer Forensics and Computer Crime
Stan Mitchell, ACE, CFCE, EnCE [email protected]
615-566-3744
Computer Forensics
Computer Forensics began in the mid-80s as a response to a demand for service from Law Enforcement, in particular the FBI
Now, many local Police Departments have forensic capabilities
Demand in the private sector led to privatized Computer Forensic Labs
In the past, we looked for the “paper trail” in folders, boxes, cabinets, rooms, and warehouses
Today, that same “paper trail” is more likely to be stored electronically on a computer hard drive or similar computer media
Electronic Discovery vs. Computer Forensics
Electronic Discovery Defined
Electronic Discovery may be defined as:
– The process of collecting, processing, and producing electronic documents, e-mail messages, database records, etc. from a computer hard drive or other electronic media, then loaded into some type of litigation database or delivered on individual CD-ROMs with an accompanying viewer program, allowing for review of the files by the end-user.
– So what one has at the end of the electronic discovery process is a massive database of documents that have been copied from electronic media and delivered in a reviewable format
Computer Forensics Defined
Computer forensics may be defined as: The retrieval and analysis of data from a seized computer hard drive or other electronic media, performed in such a manner that the results are reproducible by another examiner who, following the same steps, reaches the same conclusions
Computer forensics has also been described as an “electronic autopsy” of digital media, because specialized training, hardware/software tools and techniques are all required to make a forensic image of the drive, then analyze the data and the various levels at which that data is stored
Computer Forensics Defined
Identification
Preservation
Extraction
Interpretation
Presentation
…of computer related evidence
Requirements
Specialized training and expertise beyond that possessed by not only the average computer user, but also beyond that of even the well-trained I.T. expert
Total commitment from your agency / superiors to provide:
Money for equipment, hardware, software, space, time, storage, publications, training, organizational memberships
Equipment for forensics that is regularly upgraded to be equal to or better than the equipment to be examined
Requirements
Standard Operating Procedures developed specifically for your agency must be followed in a consistent manner
Maintain detailed notes and records of any forensic examination process, especially regarding any deviations from standard procedures and the reason for the deviation
Recognition that:
No single hardware or software tool will “do it all”
No one can be an expert in every aspect of computer forensics
Developing relationships with other individuals committed to this field is a critical facet of an examiner’s ability to succeed
Forensic examination may require...
Cataloging the system for all files and directories
Recovery of deleted files and the examination of file slack / unallocated space
Search for hidden files, or files that may have been renamed, disguised, or encrypted
Viewing data files (text and/or images) to determine evidentiary value
Search of files that may contain embedded critical evidentiary data
Analysis of date/time stamps to establish evidentiary timelines with as much accuracy as is possible
Forensic cloning of the suspect hard drive – the clone is installed back into the suspect’s computer, where applications may then be run to view data
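Two of the checks above, in working code, as an added example that is not part of the presentation: signature analysis, which flags files whose extension disagrees with their magic bytes (renamed or disguised content), and header/footer carving, which pulls JPEGs out of raw unallocated bytes without any file-system help. The file listing and the “unallocated” byte string are constructed inline for the example; the magic-byte table covers only a handful of common types.

```python
"""Signature analysis and JPEG carving over raw bytes.
Added example; the file listing and the 'unallocated' blob below are
constructed test data, not evidence from any case."""
import hashlib

# Magic bytes -> extensions that legitimately carry them (small, illustrative table).
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
}

def identify(head: bytes):
    """Extensions implied by the leading bytes, or None if the type is unknown."""
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None

def signature_mismatches(listing):
    """listing: {path: first bytes of the file}. Returns (path, extension, expected)
    for every file whose extension does not match its magic bytes. Files with an
    unknown signature are skipped rather than reported, to keep the list short."""
    mismatches = []
    for path, head in listing.items():
        exts = identify(head)
        if exts is None:
            continue
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in exts:
            mismatches.append((path, ext, sorted(exts)[0]))
    return mismatches

def carve_jpegs(blob: bytes, max_size: int = 10_000_000):
    """Carve JPEG candidates by SOI (FF D8 FF) and EOI (FF D9) markers.
    A header with no trailing EOI within max_size is a fragment and is skipped.
    Each hit is hashed so the carved object can be tied to the report."""
    found = []
    pos = 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0 or end - start > max_size:
            pos = start + 3          # fragment: move past this header and keep looking
            continue
        data = blob[start:end + 2]
        found.append({"offset": start, "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest()})
        pos = end + 2
    return found

# --- constructed sample data ---------------------------------------------
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
UNALLOCATED = (b"\x00" * 512 + b"deleted text fragment " + FAKE_JPEG
               + b"\x00" * 300 + FAKE_JPEG[:20])      # second copy truncated: no EOI

FILE_LISTING = {
    r"C:\Docs\budget.xlsx": b"PK\x03\x04\x14\x00",
    r"C:\Docs\notes.txt":   b"\xff\xd8\xff\xe0\x00\x10JFIF",   # JPEG disguised as text
    r"C:\Docs\readme.txt":  b"Plain text, no signature",
    r"C:\Docs\photo.jpg":   b"\xff\xd8\xff\xe1\x1c\x45Exif",
}

if __name__ == "__main__":
    for path, ext, expected in signature_mismatches(FILE_LISTING):
        print(f"MISMATCH {path}: extension .{ext} but content looks like .{expected}")
    for hit in carve_jpegs(UNALLOCATED):
        print(f"carved JPEG at offset {hit['offset']} ({hit['size']} bytes) sha256={hit['sha256']}")
```

On a real examination the listing would come from the file-system walk and the blob from the unallocated clusters of the image; the truncated second header in the sample shows why a carver must tolerate fragments rather than assume every header has a footer.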
A forensics examiner cannot...
Always be at the scene to help seize a computer
Go on a “fishing expedition” of the contents of a computer
Determine the exact individual who used the computer or created a specific file
Distinguish ages of persons in pornographic images
Verify all file dates beyond a reasonable doubt
Finish an exam in 10 minutes
Always break password protection or encryption
A forensics examiner may...
Recover deleted files…even those “dumped” from recycle bin/trash
Recover evidentiary data that the user is unaware exists on the computer
Obtain information regarding computer usage, such as the user’s access history to Internet web sites
Give advice, references and suggestions for search warrant language and seizure methods (LE)
Provide training for personnel in seizing computer related evidence and general information about how computer forensics may be critical to any type of investigation
Return information on new leads or other crimes “in plain view” that may require a supplemental warrant (LE)
A forensics examiner should...
Possess the requisite training and equipment to forensically process seized computers in order to identify and recover data with evidentiary value
Establish a community of contacts, references, referrals; network with experts in the field
Be able to provide training (formal or informal) to other personnel regardless of their level of expertise
Have a knowledge base consisting of source information such as publications, documentation, intelligence, modus operandi, and any other data relevant to computer-related crimes
Be able to effectively testify as an expert in a court of law
Obstacles in analysis
• Password protection
• Encryption
• Obscure software
• Very old technology
• Very new technology
• Virus (damaged or altered)
• Other operating systems
• Special drive conditions
• Sheer volume….
[Chart: Media Volume to “Books” – bar values as labeled on the chart, in the order the media appear]
5 1/4" floppy: 2
3 1/2" floppy: 2.5
CD ROM: 1,080
1.5GB HDD: 2,160
5GB HDD: 6,420
Obstacles in analysis
PC/Laptop Hard Drives
Backup Media
Floppy Disks/CDs/DVDs
Thumb Drives/Zip Disks
Network File Servers
E-mail Servers
PocketPC
SmartPhones
Blackberrys
Digital Recorders
Voice Mail Systems
Printers/Fax Machines/Copiers
Digital Cameras
Stuff nobody ever told me...
That computers often have some pretty unusual contents lurking inside the case... including:
Hairballs the size of Montana
Biohazards such as smoke or meth residue
Cockroaches – hundreds of ‘em –
Or even worse...
Monday, April 27, 2020
Stuff nobody ever told me...
Or – how’s THIS for an unexpected biohazard?
Stuff nobody ever told me...
That removing the case cover from some computers may require:
Several tries over several hours
Several tools (including a rubber hammer)
Several more hands than you’ve got
Bandages and antiseptic for the resulting wounds
Stuff nobody ever told me...
What otherwise apparently normal people will save on their home (or business) computers.
Post-It Notes & CD-ROMs don’t mix
Laptop Disassembly – Hammers work well
Stuff nobody ever told me...
“Just how ‘hot’ the hot-seat can be…”
“How much a forensic lab costs to implement and maintain, and just how hard I’d have to lobby my agency’s command staff for equipment, supplies and training…”
“That some of the biggest obstacles are hardware related…”
Overview of Computer Crimes
Overview of Computer Crimes
• In 1997 the U.S. Census estimated that only about 18% of households had computers.
• In 2000 it was estimated that this had grown to 51% of households in the U.S., with 42% of those having Internet access.
• In 2003, this increased to 62% of households, with 52% having Internet access
Overview of Computer Crimes
• No longer are crimes committed on computers limited to skinny guys with pimples, tape on their glasses and squeaky voices.
• Now anyone can point and click and use a computer to commit just about any crime.
Overview of Computer Crimes
• What type of crimes are being committed with computers?
• What information is generated to corroborate the facts and circumstances of the investigation?
• We as examiners must be able to articulate how the data examined and presented is evidentiary!
Overview of Computer Crimes
• A better question now would be:
What crimes are not being done with or on computers?
• What investigations could not involve a computer?
• You can expect to be involved in a variety of investigations such as….
Overview of Computer Crimes
• Burglary • Auto Theft • Identity Theft • Embezzlement • Fraudulent use of Credit Cards • Domestic Violence • Stalking
Overview of Computer Crimes
• Bomb Threats • Hacking (large intrusions to “residential hacks” involving trojans such as SUB7) • Prostitution • Gambling • Narcotics • Money Laundering
Overview of Computer Crimes
• Counterfeit Checks • Homicide • Suicide • Child Pornography • Child Exploitation • Missing Persons • This list continues to grow daily.
CFI: Computer Forensic Investigation Case Files
Case Files
Seattle transient escaped from this home in Brush Prairie, Washington – barely clothed and badly beaten, still wearing restraints on his hands and feet... and in the home – of course – computers...
Case Files
The victim claimed he met the two male residents of the home via the Internet, and had communicated with them for approximately one year He claimed that after they purchased a bus ticket for him to come to Vancouver to visit, he was forcibly taken from the bus station, drugged, and brought to their home where he was bound and repeatedly raped and tortured over the next several days; he stated that digital pictures and videos were taken of him and stored on the suspects’ computers All the while, both suspects claimed it was “all consensual” and that they had the saved evidence (in the form of chat logs and emails) that would exonerate them of any wrongdoing
Case Files
The exculpatory evidence was as the suspects said – the victim had requested this particular encounter... but during forensic examination of the computer belonging to the older male suspect the investigation took a new turn
A few child pornography images were seen in plain view while the examiner was in the process of looking for digital pictures of the purported victim... a new search warrant was obtained to expand the scope of the original warrant
A look into the subject’s background revealed that he had been previously arrested and convicted for distribution/possession of depictions of child sexual abuse (child pornography) in Federal Court in Colorado in 1997 – which conviction was overturned on a legal technicality by their Supreme Court in 1998
Case Files
The amended warrant allowed the expanded search – that now included a “how the heck will I ever break into this 20GB PGP encrypted disk file” quandary...
Case Files
In the field of computer forensics – some days are just much better than others...
Case Files
When decrypted with the suspect’s passphrase, more than 5,000 pictures and movies depicting the sexual and ritual abuse of children were found neatly archived in the encrypted PGP file... Further investigation revealed subject had also produced and distributed, via the Internet, sexually explicit images of himself with a minor...
Case Files – Homicide
Victim is found dead in her vehicle outside of her apartment shot 9 times.
Victim’s divorce was due to be final that day.
Interview with victim’s husband reveals inconsistencies in his alibi immediately.
During search warrant the family computer and a diary are seized.
Case Files – Homicide
Victim’s diary reflects that husband was stalking her
Analysis reveals Eblaster from Spectorsoft on victim’s PC. The husband was monitoring his wife and daughter and having the reports sent to his work email address, which he would read from a web based interface from home.
Internet history also reflects user visiting www.anytrack.net
Case Files – Homicide
A subpoena to anytrack gives the complete account information as well as all the recorded locations of the device.
The suspect had a GPS device hidden on the victim’s vehicle.
Last destination reported from GPS device was where victim was killed.
Criminal Case Files – Drug Case
Pictures of the dope Or... of the dopes with the dope...
Case Files - Burglary
An organized group of burglars have been breaking into restaurants, stealing the safes, or cutting them open.
Suspects reportedly use computers in some fashion to facilitate their crimes.
Detectives eventually seized the suspects computer.
Case Files - Burglary
Comment: Map graphic.
File Name: mqmapgend[1].gif
File Created: 01/06/02 04:13:48AM
Last Accessed: 01/06/02
Full Path: Seagate 7EH0AHXM\C\WINDOWS\Temporary Internet Files\Content.IE5\2T83MHBL\mqmapgend[1].gif
Case Files - Burglary
Comment: Graphic of safe.
File Name: F3020[1].jpg
File Created: 01/06/02 06:04:08PM
Last Accessed: 01/06/02
Full Path: Seagate 7EH0AHXM\C\WINDOWS\Temporary Internet Files\Content.IE5\0HENSDYZ\F3020[1].jpg
Case Files - Burglary
• The graphics, HTML pages, Internet History, EMF files and fragments of the same in this case added up to over 500 pages in the report.
Case Files – Bank Robbery
Police arrest a suspect for robbery and seize his cell phone and computer. Exactly what could you find that could possibly link him to a bank robbery?
And my personal favorite………..
Case Files – Attempted Homicide
• Woman hospitalized in 2002 due to severe weight loss, weakness, hair loss, and other assorted ailments
• High levels of thallium discovered in her system. While hospitalized, thallium levels mysteriously increase.
• Search warrant issued for her residence – No evidence of thallium, but three home computers seized for analysis
Case Files – Attempted Homicide
Keyword searches for thallium reveal these deleted entries…
Chemical price list containing the word “thallium”
A “keyword” search for “springfield” reveals…
Case Files – Attempted Homicide
• Additionally, user searches were recovered showing the user searched for “arsenic” and “arsenic poisoning” • Girlfriend in Jackson, MS hospitalized two years prior for arsenic poisoning • Subject pleads guilty to 2 counts of Attempted Criminal Homicide
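The keyword searches in this case, as an added example that is not part of the presentation: a search over a raw image (allocated and unallocated space alike) that matches both ASCII and UTF-16LE, because much Windows user text (registry values, index files, some application logs) is stored as UTF-16LE and an ASCII-only search walks straight past it. The image bytes and the fragments inside it are constructed here; the keywords are the ones the case used.

```python
"""Keyword search over a raw image in both ASCII and UTF-16LE.
Added example; the image bytes are constructed here, not case data."""

def _printable(text: str) -> str:
    """Render context for a report: keep printable characters, dot the rest."""
    return "".join(c if c.isprintable() else "." for c in text)

def keyword_search(image: bytes, keywords, context: int = 24):
    """Find each keyword anywhere in the image, in ASCII and in UTF-16LE,
    case-insensitively. Returns hits sorted by offset with decoded context.
    bytes.lower() folds ASCII letters only, so the zero bytes of UTF-16LE
    survive it and one lowered copy serves both encodings. `context` must be
    even so UTF-16LE snippets stay aligned to 16-bit code units."""
    assert context % 2 == 0
    lowered = image.lower()
    hits = []
    for kw in keywords:
        for encoding in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(encoding)
            pos = lowered.find(needle)
            while pos >= 0:
                start = max(0, pos - context)
                if encoding == "utf-16-le" and (pos - start) % 2:
                    start += 1           # keep the snippet on a code-unit boundary
                snippet = image[start:pos + len(needle) + context]
                if encoding == "utf-16-le":
                    text = snippet.decode("utf-16-le", errors="replace")
                else:
                    text = snippet.decode("latin-1")
                hits.append({"keyword": kw, "encoding": encoding,
                             "offset": pos, "context": _printable(text)})
                pos = lowered.find(needle, pos + 1)
    hits.sort(key=lambda h: h["offset"])
    return hits

# --- constructed image: an ASCII web-page fragment, a UTF-16LE search string
#     (the form many Windows artifacts take), and an ASCII request line ---------
IMAGE = (
    b"\x00" * 64
    + b"<html>Chemical price list: Thallium nitrate, 25 g ... </html>"
    + b"\x00" * 32
    + "Search: thallium poisoning symptoms".encode("utf-16-le")
    + b"\x00" * 32
    + b"GET /search?q=arsenic+poisoning HTTP/1.1"
)

if __name__ == "__main__":
    for hit in keyword_search(IMAGE, ["thallium", "arsenic", "springfield"]):
        print(f"{hit['offset']:8d} {hit['encoding']:9s} {hit['keyword']:10s} | {hit['context']}")
```

Run against the sample, the UTF-16LE search string is found only by the second encoding; a tool that searches ASCII alone reports one thallium hit where there are two. Offsets are reported so each hit can be re-located by another examiner on the same image.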
Case Files – Intrusion (Hacking)
• Residential computer setup in entertainment center and TV used as monitor.
• Webcam faces couch with cable modem access to internet (no firewall or virus protection).
• Residents notice their mouse movement on the screen, random typing, files being copied or deleted, and various changes to the Windows environment.
• Later, Notepad is executed without their input.
• Typed messages begin to appear on their screen describing them in present tense!
Case Files – Intrusion (Hacking)
The suspect constantly viewed the victims screen as if he were standing in front of it
Case Files – Intrusion (Hacking)
Suspect here!
Victim here!
Civil Litigation
IP (Intellectual Property), THE BILLION DOLLAR LOSS POTENTIAL!
Mr. “Smith” & Mr. “Doe” left Company-A; they ensured their value and success to Company-B by supplying IP secrets. Company-A owner had the computers forensically analyzed…
Civil Litigation
Mr. “Smith” downloaded client/company files from the company server to his PC (over 2500 files), and forwarded many of them to his new employer. Mr. “Smith” then reloaded the Windows operating system, apparently to try and hide his actions.
Mr. “Doe” deleted his e-mail (Outlook) files.
Civil Litigation
Delivery driver involved in an accident 12/27/05 at approx. 6:45 PM
Delivery driver and restaurant sued
Manager reports during deposition that driver had clocked out for the day prior to the accident (6:00 PM), and has time sheets to prove this.
All data (orders, time sheets, etc) stored on computers
Civil Litigation
Data recovered from PC reflects driver was, in fact, making deliveries after 6:00 PM
Civil Litigation
Data recovered reveals Manager’s entries into system reflecting the driver was involved in an accident, after 6:00 PM
Client/Subject Computer
If the computer is off, do not turn it on
If the computer is on, do not shut down normally – call for instructions
Do NOT continue to use the computer
Do NOT “browse” the files
Document your actions – chain of custody
Copyright © 2008 Deloitte Development LLC. All Rights Reserved.
Electronic Evidence Documentation
Document, document, document - W H Y ?
– Records chain of evidence custody and details: Where the evidence came from When it was obtained Who obtained it Who secured it Who has had control of it Where it is stored
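One way to keep that record so it can be checked later, as an added example that is not part of the presentation: the image is hashed against its source before it is used, and each custody entry (where, when, who, where stored) carries a SHA-256 over its own content plus the previous entry’s hash, so an entry edited or removed after the fact breaks every hash that follows it. The “drive” contents, names, places and timestamps are constructed placeholders.

```python
"""Image verification and a tamper-evident chain-of-custody log.
Added example; the 'drive' contents, names and places are constructed
placeholders, not records from any case."""
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(source: bytes):
    """Stand-in for imaging: copy the source byte for byte, then hash the source
    and the copy separately. The two hashes must agree before the image is used;
    the same check applies after dd, FTK Imager or EnCase finish a real drive."""
    image = bytes(source)
    return image, sha256_hex(source), sha256_hex(image)

class CustodyLog:
    """Each entry answers where/when/who for one hand-off and embeds the hash of the
    previous entry, so altering or deleting an earlier entry breaks every later hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))

    def add(self, item, action, person, location, when=None):
        entry = {
            "item": item, "action": action, "person": person, "location": location,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, n) if all n entries chain correctly, else (False, index of the
        first entry that fails): its hash no longer matches its content, or it no
        longer points at the entry before it."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)

# --- constructed walkthrough ------------------------------------------------
SOURCE_DRIVE = bytes(range(256)) * 16      # 4 KiB stand-in for a seized drive

def build_demo_log():
    """Seize, image, verify, seal: one custody record per step (placeholder names)."""
    image, src_hash, img_hash = acquire(SOURCE_DRIVE)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; do not proceed")
    t0 = datetime(2008, 1, 6, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    log = CustodyLog()
    log.add("HDD-01", "seized from suspect PC", "Det. Placeholder", "residence, 123 Example St", t0)
    log.add("HDD-01", f"imaged; sha256={img_hash}", "Examiner Placeholder", "lab bench 2", t0.replace(hour=11))
    log.add("HDD-01", "sealed, evidence locker 7", "Examiner Placeholder", "evidence room", t0.replace(hour=14))
    return log

if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify())
    log.entries[1]["person"] = "someone else"     # simulate a later edit to the record
    print("after tampering:", log.verify())
```

The log is only as trustworthy as the copy you can produce in court, so the entries (or at least each day’s final hash) should be written to a medium the examiner cannot quietly rewrite, the same way the image hash is recorded in the notes at acquisition time rather than recomputed later.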
Final Notes
Your notes are critical and all notes can be entered as evidence in court
Know your tools, validate your tools, and be able to explain how they work and why you use them
Make sure all software is properly registered to your examiner and/or the agency
Be prepared to explain complex, technical concepts using understandable terminology to your prosecutor, the defense, a judge, and a jury
Final Notes
Forensic Examinations
– Normally 2-3 hours to forensically image a hard drive
– Exams can take up to 40 hours, or more, depending on requests
Helpful if “keywords” provided
Know what you want us to search for….. WHY?
Forensic Computer Examination
Average HD Volume                 160 GB
Gigabyte                          1,073,741,824 bytes
Subtotal bytes                    171,798,691,840
Page size                         3000 bytes
Pages                             57,266,230
Ream                              500 pages
Reams                             114,532
Ream height                       2”
Total height                      229,064”
Height in feet                    19,088’ 8”
Height of Sears Tower (Chicago)   1450’
Note these figures are conservative!
What to look for in an Examiner
Certifications – ACE (AccessData), EnCE (Guidance Software), CFCE (IACIS), CCE, etc.
Prior experience, ongoing training, “word of mouth”
Just because they advertise they are “Forensic Experts”, doesn’t mean they are!
Be able to effectively testify as an expert in a court of law, AND can explain things to the “technically challenged”
Training Resources
Sans Institute – www.sans.org
Vendor-based Training (ongoing)
Encase – www.guidancesoftware.com
Paraben – www.paraben-forensics.com
Digital Intelligence – www.digitalintelligence.com
Access Data – www.accessdata.com
NTI – www.forensics-intl.com
Recommended Reading
Digital Evidence & Computer Crime
Eoghan Casey
Computer Forensics – Incident Response Essentials
Warren G. Kruse, II , Jay Heiser
EnCase Computer Forensics – The Official EnCE , EnCase Certified Examiner Study Guide
Steve Bunting
File System Forensic Analysis
Brian Carrier
Windows Forensic Analysis
Harlan Carvey (1st & 2nd Edition)