Computer Forensics
Instructor: 劉立民
Department of Applied Mathematics, 中原大學 (Chung Yuan Christian University)
Introduction
Sharon Guthrie Case

Sharon Guthrie, 54, drowned in the bathtub of her Wolsey, South Dakota home on May 14. An autopsy revealed the contents of 10-20 capsules of Temazepam in her body, a sleeping pill that had been prescribed for her husband.
Rev. Guthrie pleaded innocent. "A minister killing his wife in the bathtub? Impossible!" asserted the defense.
Judd Robbins, a computer forensics expert, found evidence that Guthrie had searched the Internet for painless and surefire killing methods.
Rev. Guthrie was sentenced to life imprisonment.
The 蠻牛 poisoning case (蠻牛千面人)

In May 2005 (ROC year 94), bottles of the energy drinks "蠻牛" and "保力達B" were poisoned with cyanide, and one innocent member of the public died after drinking one.
Police found a lead in surveillance footage and arrested a suspect.
On the suspect's computer they found the text and graphic "毒蠻牛" (poisoned 蠻牛) as well as the extortion letters.
Computer Crime

Computer misuse has two categories:

Computer is used to commit a crime
Child pornography
Threatening letters
Fraud
Theft of intellectual property
Computer Crime (con't)

Computer misuse has two categories:

Computer itself is the target of a crime
AKA incident response
Started in the mid-80s, when attacks were carried out over phone lines through modems.
Internet
More sophisticated attacks
What is Computer Forensics

Computer forensics includes the
Preservation,
Identification,
Extraction,
Documentation, and
Interpretation of computer data.
What is Computer Forensics

This evidence can be useful in many investigations:

Civil litigation such as divorce, harassment, and discrimination cases
Corporations investigating embezzlement, fraud, or intellectual property theft
Individuals seeking evidence in age discrimination, wrongful termination, or sexual harassment claims
Insurance company investigations where evidence is required relating to insurance fraud, wrongful death, workman's compensation, and other cases
Types of Incidents

Categories of incident defined by the Federal Computer Incident Response Center (FedCIRC):

Malicious code attacks
Unauthorized access
Unauthorized utilization of services
Disruption of service
Misuse
Espionage
Hoaxes
Malicious code attacks

Malicious code:
Viruses
Trojan horse programs
Worms
Scripts used by crackers/hackers

Difficult to detect
Self-replicating property
Unauthorized access

Improperly logging into a user's account
Unauthorized access to files and directories
Planting an unauthorized sniffer program or device
Unauthorized utilization of services

Perpetrating an attack without accessing someone's account
Using NFS to mount the file system of a remote server machine
Interdomain access mechanisms in Windows NT files and directories
Disruption of service

Disrupt services in a variety of ways:
Erasing critical programs
Mail spamming
Altering system functionality by installing Trojan horse programs
Misuse, Espionage, Hoaxes

Misuse: someone uses a computing system for other than official purposes, e.g. a legitimate user uses a government computer to store personal tax records.
Espionage is stealing information to subvert the interests of a corporation.
Hoaxes occur when false information about incidents or vulnerabilities is spread.
Catching the criminal

The US FBI delineates the following aspects of computer forensic science:
Data objects
Digital evidence
Physical items
Original digital evidence
Duplicate digital evidence
Catching the criminal (con't)

Data objects: objects or information of potential probative value that are associated with physical items.
Digital evidence: information of probative value that is stored or transmitted in digital form.
Physical items: items on which data objects or information may be stored and/or through which data objects are transferred.
Catching the criminal (con't)

Original digital evidence: physical items and the data objects associated with such items at the time of acquisition or seizure.
Duplicate digital evidence: an accurate digital reproduction of all data objects contained on an original physical item.
FedCIRC incident activity summary for 2000
Detecting intrusion

The common approach to detecting intrusions is as follows:
Observe your systems for unexpected behavior or anything suspicious.
Investigate anything you consider to be unusual.
Initiate your intrusion response procedures when you find something that isn't explained by authorized activity.
Look for unusual or unauthorized user accounts or groups.
Monitoring your Windows system

Look for unusual or unauthorized user accounts or groups.
The Guest account should be disabled.
Check all groups for invalid user membership.
Check log files for connections from unusual locations or for any unusual activity.
Computer Management utility
Monitoring your Windows system

Search for invalid user rights.
The Guest account should be disabled.
Check all groups for invalid user membership.
Check log files for connections from unusual locations or for any unusual activity.
Check to see if unauthorized applications are running.
Edit Registry
Monitoring your Windows system

Look for invalid services.
Monitor the system startup folder.
Inspect network configurations for unauthorized entries.
Check your system program files for alterations.
Check for unusual ports listening for connections from other hosts by using netstat.
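The netstat check above can be automated. As an added example (not the lecture's code), the following Python parses constructed Windows `netstat -an` output and flags listeners outside an assumed per-host baseline and established sessions with peers outside an assumed local network; the baseline set and the 192.168.1.0/24 network are assumptions for this hypothetical host.

```python
"""Flag unexpected listeners and remote connections in `netstat -an` output.

Added example, not from the lecture. The netstat text below is constructed
to resemble Windows `netstat -an` output; the expected-port set and the
"local" network are assumptions for this hypothetical host.
"""
import ipaddress

# Constructed sample (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.22:50123     ESTABLISHED
  TCP    192.168.1.10:49152     203.0.113.77:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline for this host: the only ports that should be listening.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
# Assumed local networks; a peer outside them is an "unusual location".
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_netstat(text):
    """Turn netstat lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 intact
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "lhost": lhost, "lport": int(lport),
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def is_local(host):
    """True for loopback, unspecified, wildcard or an address in LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:            # '*' or a hostname
        return True
    return (addr.is_loopback or addr.is_unspecified
            or any(addr in net for net in LOCAL_NETS))


def find_anomalies(text, expected=EXPECTED_LISTENERS):
    """Return (kind, ...) tuples for listeners outside the baseline and for
    established sessions whose peer is outside the local networks."""
    findings = []
    for r in parse_netstat(text):
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and (r["proto"], r["lport"]) not in expected:
            findings.append(("unexpected_listener", r["proto"], r["lport"]))
        elif r["state"] == "ESTABLISHED" and not is_local(r["fhost"]):
            findings.append(("remote_connection", r["fhost"], r["fport"]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_NETSTAT):
        print(finding)
```

On a live host, feed the output of `netstat -an` into `find_anomalies` in place of the constructed sample; a listener outside the baseline is a candidate for the process-mapping tools listed later in the lecture.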
Common program startup locations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SuperScan 3.0 by Foundstone
Incident Response Team

All organizations need an incident response team to develop a complete incident response capability.
The team should have written procedures for incident response, including what conditions warrant calling on local and/or federal law enforcement authorities.
The incident reporting process

Low-level incidents are the least severe and should be resolved within one working day. Low-level incidents include:
Loss of passwords
Suspected unauthorized sharing of accounts
Misuse of computer hardware
Unintentional computer actions
Unsuccessful scans or probes
The incident reporting process

Mid-level incidents are more serious and should be handled within 2-4 hours. Mid-level incidents include:
Property destruction related to a computer incident
Illegal download of copyrighted music/unauthorized software
Violation of special access
Unauthorized use of a system for processing or storing personal data
An act resulting from unfriendly employee termination
Illegal building access
Personal theft
The incident reporting process

High-level incidents are the most serious and should be handled immediately. They include:
Property destruction related to a computer incident
Child pornography
Pornography
Personal theft (higher value than a mid-level incident)
Suspected computer break-in
Denial of service (DoS) attacks
Illegal software download
Malicious code
Any violation of the law
Internal reporting procedure

Every organization needs to develop one that requires the following:
Preservation of evidence
Assessment
Containment and recovery actions
Damage determination
Report documentation
Lessons learned
Identification of corrective actions required by the organization's security programs
Forensic Toolkit

Authenticity and integrity
A tool to report any open TCP/UDP ports and map them to the owning process or application
A tool to capture and analyze logs to identify and track who has gained access to a computer system
A utility to make a bit-stream backup of a hard drive
A tool to examine files on a disk drive for unauthorized activity
A program used to document the CMOS system time and date on a computer seized as evidence
Forensic Toolkit (con't)

A password-cracking utility
A text-search utility that can scan Windows systems and locate targeted keywords and/or strings of text in computer-related investigations and computer security reviews
A forensic binary data search tool that is used to identify targeted graphics file content and/or foreign language words and phrases stored in the form of computer data
A tool to discover hidden files, such as NTFS Alternate Data Streams
A data collection tool to capture file slack and unallocated (erased file) data
Considerations of Law Enforcement
The Role of NIPC

The NIPC (National Infrastructure Protection Center) was established in 1998 and is located at FBI headquarters.
The NIPC's functions:
The NIPC is the national focal point for gathering information on threats to critical infrastructure, coordinating the federal government's response to an incident, mitigating attacks, and investigating threats.
The NIPC provides law enforcement and intelligence information and reports to relevant federal, state, and local agencies.
Taiwan

The Executive Yuan (行政院) established the National Information and Communication Security Taskforce (國家資通安全會報).
The Taskforce has a National Information and Communication Security Response Center (國家資通安全應變中心).
It is divided into seven working groups: general affairs, technical services, standards and regulations, audit services, cyber crime, information collection, and crisis reporting.
It oversees six subgroups: administrative agencies, the national defense system, public enterprises, academic institutions, and private organizations.
Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC)
Establishment of the Government Certification Authority (GCA) in February 1998
Canada

In February 2001, the Office of Critical Infrastructure Protection & Emergency Preparedness (OCIPEP) was established.
OCIPEP is headed by the Minister of National Defence and protects Canada's critical infrastructure from the risk of failure or attack.
An Infrastructure Protection Coordination Centre was established within OCIPEP.
The Canadian government defines six categories of national critical infrastructure: energy facilities (such as electricity, natural gas and oil transmission systems), communications (such as telecommunications and broadcasting systems), services (such as finance, food, and health care), transportation (land, water, air, and rail), safety (such as nuclear safety, search and rescue, and emergency services), and government (such as key facilities, information networks, and assets).
United Kingdom

In December 1999, the National Infrastructure Security Co-ordination Centre (NISCC) was established.
It is responsible for developing projects to protect the national critical infrastructure from electronic attack.
Its focus is on the IT systems of telecommunications, finance, water supply and sewerage, energy, transportation, health services, central government, and emergency services.
Under NISCC are:
The Unified Incident Reporting & Alert Scheme (UNIRAS), which serves as the UK government's computer emergency response team
The Electronic Attack Response Group (EARG)
Related laws

Disclosure law: "Title 18, Part I, Chapter 121, Sec. 2702 of the Federal Criminal Code"
Computer crimes will be considered breaking federal laws when they involve:
The theft or compromise of national defense, foreign relations, atomic energy, or other restricted information
A computer owned by a U.S. government department or agency
A bank or most other types of financial institutions
Interstate or foreign communications
People or computers in other states or countries
Related laws (con't)

The "Computer Fraud and Abuse Act" was signed by President Reagan in 1986
Computer Abuse Amendments Act of 1994
The USA Patriot Act of 2001
Related laws (Taiwan)

Copyright Act (著作權法)
Criminal Code Articles 220, 315, 318, 359, 360, among others

Criminal Code Article 220: Writing, symbols, drawings or photographs on paper or objects which, by custom or special agreement, suffice to serve as proof of their intended meaning shall be treated as documents for the purposes of this chapter and of offenses outside this chapter. The same applies to sounds, images or symbols displayed, through processing by a machine or computer, from an audio recording, video recording or electromagnetic record, where they suffice to serve as proof of their intended meaning.
Criminal Code Article 359: Whoever, without reason, obtains, deletes or alters the electromagnetic records of another person's computer or related equipment, thereby causing damage to the public or to others, shall be punished with imprisonment for not more than five years, detention, or a fine of not more than 200,000 yuan, or both.
Forensic Preparation

Network Operating Systems
Auditing and Logging
Logs can help organizations by:
Alerting system administrators of any suspicious activity
Determining the extent of any damage caused by an intruder's activity
Helping to quickly recover systems
Providing information or serving as evidence required for legal proceedings
Enable auditing and logging on Windows
Log files on Windows
Centralized logging

The location of the log data is centralized.
The integrity of log data remains protected.
This approach is easier to back up, secure, and analyze.
Logging Tools

Kiwi Syslog Daemon by Kiwi Enterprises
Freeware for the Windows platform
www.kiwisyslog.com
GFI LANguard Security Event Log Monitor by GFI Software
Able to analyze Windows NT/2000 event logs in real time.
www.gfi.com
Time Synchronization

Automating the synchronization of system clocks saves substantial time during an incident response.
On IP-based networks, the Network Time Protocol (NTP) is the most commonly used.
Tools on Windows:
Automachron by Guy Coding
NIST Internet Time Service (ITS)
World Time by PawPrint.net
Memory dump on Windows

The contents of system memory should be printed or copied while they still reside in memory.
Windows 2000 and XP (not NT) include a handy feature to generate a memory dump file. However, it must first be configured to do so.
Memory dump on UNIX

The sysdump command
The crash utility
Imaging hard drives

Hard-drive imaging provides a mirror image or a snapshot of the data contained on the hard drive.
The imaging process can be performed offline (OS is turned off).
NIST's disk-imaging spec. includes the following guidelines:
The tool shall not alter the original disk.
The tool shall be able to access both IDE and SCSI disks.
The tool shall log input/output (I/O) errors.
The tool's documentation shall be correct.
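The first and third NIST guidelines above, together with the toolkit's "authenticity and integrity" requirement, are illustrated by the following added example (not the lecture's code and not a NIST-tested tool): a sector-by-sector copy that only ever reads the source, logs each unreadable sector and zero-fills it so offsets in the image stay correct, and records a SHA-256 that the finished image is verified against. The source is a constructed in-memory object with a bad sector; on a real system the same loop would read a device opened read-only behind a write blocker.

```python
"""Bit-stream imaging that never writes to the source, logs I/O errors and
verifies the copy by hash.

Added example, not from the lecture or any NIST-tested tool. The source
"disk" is a constructed in-memory object whose reads fail on chosen sectors;
on a real system the same loop would read a device opened read-only
(behind a hardware write blocker) with os.pread.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # sector-sized reads keep the error log precise


class BadSectorSource:
    """Constructed stand-in for a raw device with unreadable sectors."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    def sector_count(self):
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(src, out_path):
    """Copy every sector of src to out_path.

    Unreadable sectors are logged and zero-filled so the image keeps the
    original offsets; nothing is ever written to src. Returns the SHA-256 of
    the image and the error log as (sector, message) pairs."""
    digest = hashlib.sha256()
    errors = []
    with open(out_path, "wb") as out:
        for n in range(src.sector_count()):
            try:
                chunk = src.read_sector(n)
            except OSError as exc:
                errors.append((n, exc.strerror))   # guideline: log I/O errors
                chunk = b"\x00" * SECTOR
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest(), errors


def verify_image(path, expected_sha256):
    """Re-hash the finished image; the hash becomes part of the evidence record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    """Image a constructed 4-sector disk whose sector 2 cannot be read."""
    data = bytes(range(256)) * 8              # 2048 bytes = 4 sectors
    src = BadSectorSource(data, bad_sectors={2})
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        digest, errors = image_device(src, path)
        verified = verify_image(path, digest)
        with open(path, "rb") as f:
            img = f.read()
    finally:
        os.remove(path)
    return {"sha256": digest, "errors": errors, "verified": verified,
            "size": len(img),
            "sector2_zeroed": img[2 * SECTOR:3 * SECTOR] == b"\x00" * SECTOR,
            "sector3_intact": img[3 * SECTOR:] == data[3 * SECTOR:]}


if __name__ == "__main__":
    print(demo())
```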
Business continuity and contingency planning

The NIST IT contingency planning guide:
Develop the contingency-planning policy statement
Conduct the business impact analysis (BIA)
Identify preventive controls
Develop recovery strategies
Develop an IT contingency plan
Plan testing, training, and exercises
Plan maintenance
Develop the contingency-planning policy statement

The contingency plan must be based on a clearly defined policy.
The contingency planning policy statement should define the agency's overall contingency objectives and establish the organizational framework and responsibilities.
Senior management (the CIO, Chief Information Officer) must support the contingency program.
The contingency program should comply with the federal guidance contained in NIST SP 800-34.
Key policy elements

Roles and responsibilities
Scope as applied to the type(s) of platform(s) and organization functions subject to contingency planning
Resource requirements
Training requirements
Exercise and testing schedules
Plan maintenance schedule
Frequency of backup and storage of backup media
Conduct the Business Impact Analysis (BIA)

The BIA is the key step in the contingency-planning process.
It enables the coordinator to fully characterize the system requirements, processes, and interdependencies.
The purpose of the BIA is to correlate specific system components with the critical services that they provide.
The BIA characterizes the consequences of a disruption to the system components.
Identify preventive controls

Preventive methods are preferable to actions that may be necessary to recover the system after a disruption.
Preventive controls should be documented in the contingency plan.
Some common measures are listed here:
Appropriately sized uninterruptible power supplies (UPS) to provide short-term backup power to all system components (including environmental and safety controls)
Identify preventive controls

Gasoline- or diesel-powered generators to provide long-term backup power
Air-conditioning systems with adequate excess capacity to permit failure of certain components such as compressors
Fire suppression systems
Fire and smoke detectors
Water sensors in the computer room ceiling and floor
Plastic tarps that may be unrolled over IT equipment to protect it from water damage
Identify preventive controls

Heat-resistant and waterproof containers for backup media and vital nonelectronic records
Emergency master system shutdown switch
Offsite storage of backup media, nonelectronic records, and system documentation
Technical security controls, such as cryptographic key management and least-privilege access controls
Frequent, scheduled backups
Develop recovery strategies

Recovery strategies provide a means to restore IT operations quickly and effectively following a service disruption.
Strategies should address disruption impacts and allowable outage times identified in the BIA.
Several alternatives should be considered when developing the strategy, including cost, allowable outage time, security, and integration with larger, organization-level contingency plans.
The strategy should include a combination of methods that complement one another to provide capability over the full spectrum of incidents.
Develop an IT contingency plan

The plan contains detailed roles, responsibilities, teams, and procedures associated with restoring an IT system.
The plan should document technical capabilities designed to support contingency operations.
The plan should comprise five main components: Supporting Information, Notification/Activation, Recovery, Reconstitution, and Plan Appendices.
Plan testing, training, and exercises

Testing enables plan deficiencies to be identified and addressed.
The following areas should be addressed in a contingency test:
System recovery on an alternate platform from backup media
Coordination among recovery teams
Internal and external connectivity
Restoration of normal operations
Notification procedures
Plan maintenance

The contingency plan should be reviewed and updated regularly, as part of the organization's change management process.
The plan should be reviewed for accuracy and completeness at least annually or whenever significant changes occur to any element of the plan.
Certain elements, such as contact lists, will require more frequent reviews.
Windows Registry, Recycle Bin, and Data Storage
The Windows Registry

The registry is used to store:
Operating system configuration
Application configuration information
Hardware configuration information
User security information
Current user information
Registry structure

The Registry has a hierarchical structure similar to a directory structure.
Each main branch is called a hive.
Located within those hives are keys.
Each key may contain other keys, called subkeys, along with their values. It is the values that contain the actual information that is stored within the Registry.
Windows Registry

HKEY_CLASSES_ROOT contains:
File-association types
Object Linking and Embedding (OLE) information
Shortcut data
HKEY_CURRENT_USER points to the section of HKEY_USERS appropriate for the user currently logged into the PC.
Windows Registry

HKEY_LOCAL_MACHINE
contains info about computer hardware, software, and other preferences for the local PC.
is used for all users who log onto this computer.
HKEY_USERS contains individual preferences for each user of the computer.
Each user is represented by a security identifier (SID) subkey.
Windows Registry

HKEY_CURRENT_CONFIG links to HKEY_LOCAL_MACHINE\Config for machine-specific information.
HKEY_DYN_DATA contains info. that must be kept in RAM.
Types of values

String or REG_SZ
Binary or REG_BINARY
DWORD or REG_DWORD
Multistring value or REG_MULTI_SZ
Expandable string value or REG_EXPAND_SZ
Viewing and Editing Registry
Registry backup and restore
The Windows Recycle Bin

The purpose of the Recycle Bin is to give users the ability to reclaim deleted files.
Until users "empty" the Recycle Bin, the deleted files remain on disk.
Even after the Recycle Bin is emptied, the actual information remains in its original place on the hard drive (until the OS overwrites it).
The Windows Recycle Bin Property
Recovery Utilities

PC Inspector File Recovery
EasyRecovery Professional www.ontrack.com
UNIX/Linux ext2 File System

In ext2, the complete inode for a deleted file is preserved; only the name is removed from the directory, and the time of deletion is marked in the inode.
Using e2undel
Analyzing and Detecting Malicious Code and Intruders
Analyzing Abnormal System Processes

Monitors should look for the following signs:
Unusual resource utilization or process behavior
Missing processes
Added processes
Processes that have unusual user identification associated with them
Causes of abnormal system processes

Programs that log a user's keystrokes or monitor and steal passwords
Malicious code (viruses, Internet worms, and Trojan horse applications)
Spyware (software that transmits information back to a third party without notifying the user)
Windows Event Viewer

Log files allow you to check for:
Unusual login entries
Failures of services
Abnormal processes
OS and Network Logs

When reviewing OS or network logs, look for the following:
Processes consuming excessive resources
Processes starting or running at unexpected times
Unusual processes not the result of normal authorized activities
Previously inactive user accounts that suddenly begin to spawn processes and consume computer or network resources
OS and Network Logs

Processes that prematurely terminate
Unexpected or previously disabled processes, which may indicate that a hacker or intruder has installed his own version of a process or service
A workstation or terminal that starts exhibiting abnormal input/output behavior
Multiple processes with similar names (Explorer.exe vs. explorer.exe)
An unusually large number of running processes
Windows Task Manager
The Select Columns box in
Windows Task Manager
Default processes in Windows NT, 2000, and XP

Csrss.exe: the Client/Server Run-time Subsystem.
Explorer.exe: the GUI for the taskbar and desktop environment.
Lsass.exe: handles security administration on the local computer.
Mstask.exe: the task scheduler service.
Services.exe: the Windows Services Control Manager, which is responsible for starting and stopping system services.
Smss.exe: the Session Manager Subsystem, which is responsible for starting the user session.
Default processes in Windows NT, 2000, and XP

Spoolsv.exe: the Windows spooler service, responsible for the management of spooled print and fax jobs.
Svchost.exe: a generic process which acts as a host for other processes running from DLLs.
System: permits system kernel-mode threads to run as the System process.
System Idle Process: a single thread running on each processor. Its sole task is accounting for processor time when the system isn't processing other threads.
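Three of the log-review signs listed earlier (a process under an unusual user identification, multiple processes with similar names, and a look-alike of a default process) can be checked against the default-process list above. The following is an added example, not the lecture's code: it runs those checks over a constructed Task Manager-style snapshot; the table of which account each default process should run under is an assumption for this example.

```python
"""Spot abnormal processes against the lecture's default-process list.

Added example, not from the lecture. The expected-account table and the
process snapshot are constructed for this example.
"""
from collections import Counter
import difflib

# Default Windows NT/2000/XP processes from the lecture and, as an assumption
# for this example, the account each should run under (None = varies).
DEFAULT_PROCESSES = {
    "csrss.exe": "SYSTEM", "explorer.exe": None, "lsass.exe": "SYSTEM",
    "mstask.exe": "SYSTEM", "services.exe": "SYSTEM", "smss.exe": "SYSTEM",
    "spoolsv.exe": "SYSTEM", "svchost.exe": None, "system": "SYSTEM",
    "system idle process": "SYSTEM",
}
# Processes of which a healthy system has exactly one copy.
SINGLE_INSTANCE = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe"}

# Constructed snapshot: (image name, PID, user name) as Task Manager shows.
SAMPLE_PROCESSES = [
    ("System Idle Process", 0, "SYSTEM"), ("System", 4, "SYSTEM"),
    ("smss.exe", 376, "SYSTEM"), ("csrss.exe", 424, "SYSTEM"),
    ("services.exe", 492, "SYSTEM"), ("lsass.exe", 504, "SYSTEM"),
    ("svchost.exe", 680, "SYSTEM"), ("svchost.exe", 720, "NETWORK SERVICE"),
    ("spoolsv.exe", 1032, "SYSTEM"), ("explorer.exe", 1480, "alice"),
    ("lsass.exe", 1988, "alice"),          # second lsass, running as a user
    ("scvhost.exe", 2044, "alice"),        # near-miss of svchost.exe
]


def check_processes(procs):
    """Return findings as tuples: wrong_user, lookalike, duplicate.

    Windows file names are case-insensitive, so names are compared in lower
    case; a near-miss is a name within a small edit distance of a default."""
    findings = []
    counts = Counter(name.lower() for name, _, _ in procs)
    for name, pid, user in procs:
        key = name.lower()
        if key in DEFAULT_PROCESSES:
            expected = DEFAULT_PROCESSES[key]
            if expected and user.upper() != expected:
                findings.append(("wrong_user", name, pid, user))
        else:
            close = difflib.get_close_matches(key, list(DEFAULT_PROCESSES),
                                              n=1, cutoff=0.85)
            if close:
                findings.append(("lookalike", name, pid, close[0]))
    for key in sorted(SINGLE_INSTANCE):
        if counts[key] > 1:
            findings.append(("duplicate", key, counts[key]))
    return findings


if __name__ == "__main__":
    for finding in check_processes(SAMPLE_PROCESSES):
        print(finding)
```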
Gathering Process Information

UNIX/Linux
ps -ef

Windows
PsTools
www.sysinternals.com
PsTools suite
Unusual or Hidden Files

Start -> Control Panel -> View menu -> Options
Viewing Hidden Files under Unix/Linux

The find command is able to display files with unusual names such as ".. " (dot-dot-space) or ..^G (dot-dot-control-G):
find / -name ".. " -print -xdev
find / -name ".*" -print -xdev

Keep track of SUID programs:
find / -type f -perm -4000 -print | mail root
Rootkits and Backdoors

"It takes a thief to catch a thief."
Windows rootkits are usually detected by any reputable antivirus software.
A rootkit is one of the most widely used hacker tools and it contains:
a suite of hacker utilities (log clean-up scripts and network packet sniffers) and
specialized replacements of core Unix/Linux utilities such as netstat, ifconfig, ps, and ls.
Rootkits and Backdoors

A rootkit is used to accomplish the following functions:
Prevent logging of activity
Establish backdoors for reentry
Hide or remove evidence of initial entry
Hide specific contents of files
Hide files and directories
Gather intelligence (ex: usernames and passwords)
Detecting Rootkits on Unix/Linux

Manual inspection
The strings command. It can produce readable data such as the names of files where intruder passwords are kept.
Rootkit detection programs
Chkrootkit
www.chkrootkit.org
Pedestal Software
www.pedestalsoftware.com
Functions of a Backdoor

Main functions of a backdoor:
Getting back into the system with the least amount of visibility.
Getting back into a machine even if the administrator tries to secure it.
Permitting the hacker to regain entry into the system in the least amount of time.
Detecting Backdoors

Most reputable antivirus products are able to detect backdoor Trojans.
Freeware tools are available:
Fport.exe
SuperScan
Nmap
Listdlls.exe
Removing Rootkits and Trojans

The steps for removing a Trojan:
Identify the Trojan horse file on your system hard disk.
Find out how it is being initiated (ex: via Registry, Startup Folder, and so on) and take the action(s) necessary to prevent it from being restarted after a reboot.
Reboot your machine and delete the Trojan horse.
Removing Rootkits and Trojans

The steps involved in recovering from a rootkit are:
Isolate the affected machine. (Disconnect it from the network and/or Internet.)
Determine the severity of the compromise. (Are other networked computers also infected?)
Begin the cleanup by reinstalling the OS and applications from a trusted backup.
Detecting and Defending Against Network Sniffers

Nearly every rootkit includes utilities for sniffing network traffic.
Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the software, but also all other data traffic on the physically connected local network.
The ifconfig command allows the privileged administrator to determine whether any interfaces are in promiscuous mode.
Removing Rootkits and Trojans

Unix/Linux
Use ifconfig -a and look for the string PROMISC
Windows
PromiscDetect
www.ntsecurity.nu/toolbox/promiscdetect/
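Since the lecture notes that rootkits ship replacement copies of ifconfig, the PROMISC string alone is only as trustworthy as the binary printing it. The following added example (not the lecture's code) reads the kernel's own flag word for each interface from /sys/class/net/<iface>/flags on Linux, where IFF_PROMISC is bit 0x100, and compares it with what ifconfig reports; the flag words and ifconfig text below are constructed.

```python
"""Cross-check promiscuous mode against the kernel, not just ifconfig.

Added example, not from the lecture. On Linux the kernel exposes each
interface's flag word in /sys/class/net/<iface>/flags; IFF_PROMISC is bit
0x100 (from <linux/if.h>). The flag words and ifconfig text below are
constructed; a disagreement between the two sources is the signal that the
ifconfig binary itself deserves suspicion.
"""
import glob
import os

IFF_PROMISC = 0x100

# Constructed /sys/class/net/*/flags contents for a hypothetical host.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}

# Constructed `ifconfig -a` output in the classic net-tools layout.
SAMPLE_IFCONFIG_HONEST = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""
# The same host as a tampered ifconfig that suppresses the flag would show it.
SAMPLE_IFCONFIG_TAMPERED = SAMPLE_IFCONFIG_HONEST.replace("PROMISC ", "")


def read_sysfs_flags():
    """Read live flag words from sysfs (returns {} on non-Linux hosts)."""
    flags = {}
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as f:
            flags[os.path.basename(os.path.dirname(path))] = f.read().strip()
    return flags


def promisc_from_flags(flags):
    """Interfaces whose kernel flag word has IFF_PROMISC set."""
    return sorted(name for name, word in flags.items()
                  if int(word, 16) & IFF_PROMISC)


def promisc_from_ifconfig(text):
    """Interfaces whose ifconfig block mentions PROMISC; handles both the
    classic indented layout and the newer 'eth0: flags=...<...>' layout."""
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # start of an interface block
            current = line.split()[0].rstrip(":")
        if current and "PROMISC" in line and current not in found:
            found.append(current)
    return sorted(found)


def hidden_promisc(flags, ifconfig_text):
    """Interfaces the kernel reports promiscuous but ifconfig does not."""
    return sorted(set(promisc_from_flags(flags))
                  - set(promisc_from_ifconfig(ifconfig_text)))


if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS   # fall back to the sample
    print("promiscuous per kernel:", promisc_from_flags(live))
```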
Retrieving and Analyzing Clues
Performing Keyword Searches

Purposes of keyword searches:
To locate occurrences of words or strings of text in data stored in files or in slack and unallocated file space
Internal audits to identify violations of corporate policy
To find evidence in corporate, civil, and criminal investigations which involve computer-related evidence
To find embedded text in formatted word-processing documents or fragments of such documents
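The first and last purposes above are what distinguishes a forensic keyword search from grep: it must cover file slack and unallocated space, and it must find text in the encodings word processors use, not only ASCII. The following added example (not the lecture's code and not any of the products named below) searches a constructed four-sector image for a keyword in both ASCII and UTF-16LE and reports, for each hit, whether the offset lies in a file, in that file's slack, or in unallocated space; the single-file allocation map is constructed too.

```python
"""Keyword search over a raw image: file content, file slack and unallocated
space, in ASCII and UTF-16LE.

Added example, not the lecture's or any vendor's tool. The image and its
single-file allocation map are constructed.
"""
import re

SECTOR = 512


def build_sample_image():
    """Constructed 4-sector image: one live 34-byte file occupying a
    2-sector cluster (its tail is file slack), then two unallocated sectors."""
    live = b"Quarterly report: nothing unusual\n"
    deleted = "Wire to offshore account by Friday".encode("utf-16-le")
    img = bytearray(SECTOR * 4)
    img[0:len(live)] = live                                    # allocated data
    img[SECTOR + 100:SECTOR + 100 + len(deleted)] = deleted    # left in slack
    img[3 * SECTOR + 5:3 * SECTOR + 21] = b"offshore ACCOUNT"  # unallocated
    files = [{"name": "report.txt", "start": 0, "size": len(live),
              "cluster_bytes": 2 * SECTOR}]
    return bytes(img), files


def classify(offset, files):
    """Which disk region an offset falls in: file, file slack or unallocated."""
    for f in files:
        if f["start"] <= offset < f["start"] + f["cluster_bytes"]:
            return "file" if offset < f["start"] + f["size"] else "file slack"
    return "unallocated"


def search(image, files, keywords):
    """Return sorted (offset, encoding, keyword, region) hits.

    Each keyword is searched as ASCII and as UTF-16LE (the encoding Windows
    word processors commonly store text in); matching ignores ASCII case."""
    hits = []
    for kw in keywords:
        for enc, needle in (("ascii", kw.encode("ascii")),
                            ("utf-16le", kw.encode("utf-16-le"))):
            pattern = re.compile(re.escape(needle), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits.append((m.start(), enc, kw, classify(m.start(), files)))
    return sorted(hits)


if __name__ == "__main__":
    img, files = build_sample_image()
    for hit in search(img, files, ["offshore account"]):
        print(hit)
```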
Industrial-Strength Keyword-Searching Programs

AccessData Forensic Toolkit ($995)
Encase Forensic Pro Suite by Guidance Software, Inc. ($895)
Maresware Suite by Mares and Company, LLC ($375)
Freeware Keyword Search Tools

BinText by Foundstone, Inc.
www.foundstone.com
Disk Investigator by Kevin Soloway
www.theabsolute/sware/
SectorSpyXP by Nick McCamy
home.carolina.rr.com/lexunfreeware
SectorSpyXP 2.1
Examining the Windows Swap File

The Windows swap file is space on a hard disk reserved for the OS to do paging.
The swap file is important when conducting a forensics investigation since a large volume of data can exist within the swap file.
Windows swap files can be dynamic or permanent.
Locating and Viewing the Windows Swap File

Enable viewing of hidden files
Search for the swap file (ex: pagefile.sys)
Tools for viewing swap files:
Norton Commander
Norton DiskEdit
EnCase www.guidancesoftware.com
Filter_1 www.forensics-intl.com
Tutorial on PC Inspector File Recovery

Download
http://www.pcinspector.de
Install
Delete files
Recover deleted files
Tutorial on PsTools

Download
http://www.sysinternals.com
Install
Delete files
Recover deleted files