Computer Forensics BACS 371

Evidentiary Methods I:
Incident Response
What is an “Incident”
A computer “incident” is any situation or occurrence
in which you, as the digital forensic expert, are
called in to perform forensic services.
Some incidents may involve situations where the
evidence has already been collected while others
may involve live acquisition.
As a professional, you should be ready for any and
all professional challenges related to the incident.

More precisely, an incident is any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. For example:
- Theft of trade secrets
- Email spam or harassment
- Unlawful or unauthorized intrusion into computing systems
- Embezzlement
- Possession or dissemination of child pornography
- Denial-of-service (DoS) attacks
- Tortious interference with business relations
- Extortion
- Any unlawful action whose evidence may be stored on computer media, such as fraud, threats, and traditional crimes

Characteristics of “Incidents”
- Violations of public law
- Actionable in criminal or civil proceedings
- Can have a grave impact on an organization’s reputation and its business operations
- Commonly involve intense pressure, time, and resource constraints

Goals of Incident Response
- Confirms or dispels whether an incident occurred
- Establishes controls for handling evidence and a cohesive response
- Protects privacy rights
- Minimizes disruptions to business, protects reputation and assets
- Allows for criminal and civil action
- Provides reports and recommendations
- Minimizes compromise of proprietary data
- Promotes rapid detection and/or prevention of future incidents

Components of Incident Response
Seven major components of incident response:
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
   a) Data collection
   b) Data analysis
6. Reporting
7. Resolution

Components of Incident Response (continued)
1. Pre-incident preparation
   - Proactive measures taken before an incident to ensure assets and information are protected
2. Detection of incidents
   - Report by end user
   - Report by system administrator
   - Internal detection system
   - Incident response checklist

Initial Response Checklist
Incident Number: ____________________   Date: _______________

Contact Information
  Your contact information: Name, Department, Telephone, Other Telephone, Email
  Individual reporting the incident*: Name, Department, Telephone, Other Telephone, Email
  *If the contact information is the same as the individual above, leave blank.

Type of Incident
  [ ] Denial of Service
  [ ] Virus
  [ ] Hoax
  [ ] Unauthorized Access
  [ ] Unauthorized Use of Computer Resources
  [ ] Theft of Intellectual Property
  [ ] Other (describe):

Location of Incident
  Describe the physical security at the site: Are there locks? Alarm systems? Who is in charge of physical security at the site?

Incident Detection
  How was the incident detected?
  Is the information concerning the incident stored in a protected, tamper-proof manner?

System Details
  Make/model of system
  Operating system

Components of Incident Response (continued)
3. Initial response
   - Interviewing: system administrator, personnel, suspect
   - Review: internal detection system report, network logs, access control
4. Formulate a response strategy
5. Investigate the incident
   a) Data collection
      - Use sound forensic methods
      - Host-based information: system date/time; applications currently running; open network connections and ports; applications listening on ports
      - Initial live response – volatile data
      - In-depth response – log files
      - Full live response – live forensic analysis
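The host-based items above (system clock, running applications, open connections, listening ports) are the volatile data an initial live response collects first. The script below is an added example, not code from the course: it reads the Linux /proc filesystem directly instead of running ps or netstat on the suspect host (binaries that an intruder may have replaced), writes each artifact to an evidence directory and hashes it the instant it is written. The /proc/net/tcp sample text is constructed; the script covers IPv4 TCP only (tcp6 and udp would be read the same way) and sees all processes' sockets only when run as root.

```python
"""Initial live response: capture volatile host data in order of volatility.

Added example, not code from the course. Reads /proc directly (Linux) instead
of running ps/netstat on the suspect host, writes each artifact to an evidence
directory and hashes it the moment it is written. On a non-Linux host the
/proc readers return nothing and only the clock is recorded.
"""
import hashlib
import os
import socket
import struct
from datetime import datetime, timezone
from pathlib import Path

PROC = Path("/proc")
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}  # subset

# Constructed two-socket sample of /proc/net/tcp for the offline demo below.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def _addr(hex_ip_port: str) -> str:
    """'0100007F:0016' (little-endian hex IPv4, hex port) -> '127.0.0.1:22'."""
    ip_hex, port_hex = hex_ip_port.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse the text of /proc/net/tcp into connection records."""
    conns = []
    for line in text.splitlines()[1:]:              # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": _addr(f[1]), "remote": _addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "inode": f[9]})
    return conns


def list_processes() -> list[dict]:
    """Running processes from /proc/<pid>: pid, ppid, name and full command line."""
    procs = []
    for p in (PROC.iterdir() if PROC.is_dir() else []):
        if not p.name.isdigit():
            continue
        try:
            stat = (p / "stat").read_text()
            ppid = stat[stat.rfind(")") + 2:].split()[1]   # fields after "(comm) state"
            cmd = (p / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace")
            procs.append({"pid": int(p.name), "ppid": int(ppid),
                          "name": (p / "comm").read_text().strip(), "cmdline": cmd.strip()})
        except (OSError, IndexError):
            continue                                 # process exited mid-walk
    return procs


def socket_owners(procs: list[dict]) -> dict:
    """Map socket inode -> pid via /proc/<pid>/fd (root sees all processes)."""
    owners = {}
    for proc in procs:
        try:
            for fd in (PROC / str(proc["pid"]) / "fd").iterdir():
                link = os.readlink(fd)
                if link.startswith("socket:["):
                    owners[link[8:-1]] = proc["pid"]
        except OSError:
            continue
    return owners


def collect_volatile(outdir: str) -> dict:
    """Write each artifact under outdir; return a manifest of SHA-256 and capture time."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {}

    def save(name: str, text: str) -> None:
        data = text.encode()
        (out / name).write_bytes(data)
        manifest[name] = {"sha256": hashlib.sha256(data).hexdigest(),
                          "captured_utc": datetime.now(timezone.utc).isoformat()}

    # 1. System clock, recorded next to the examiner's trusted time so the skew can
    #    later be applied to every timestamp recovered from the disk image.
    save("system_time.txt", datetime.now().astimezone().isoformat())
    # 2. Running processes (the parent pid lets you rebuild the process tree later).
    procs = list_processes()
    save("processes.txt", "\n".join(
        f"{p['pid']}\t{p['ppid']}\t{p['name']}\t{p['cmdline']}" for p in procs))
    # 3. TCP connections and listening ports, with the owning pid where visible.
    tcp = PROC / "net" / "tcp"
    conns = parse_proc_net_tcp(tcp.read_text()) if tcp.is_file() else []
    owners = socket_owners(procs)
    lines = [f"{c['state']}\t{c['local']}\t{c['remote']}\tpid={owners.get(c['inode'], '?')}"
             for c in conns]
    save("tcp_connections.txt", "\n".join(lines))
    save("listening_ports.txt", "\n".join(l for l in lines if l.startswith("LISTEN")))
    return manifest


if __name__ == "__main__":
    for c in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(c)
    for name, meta in collect_volatile("./volatile_evidence").items():
        print(name, meta["sha256"])
```

Run it from trusted media as root, record the manifest (hashes and capture times) in your notes, and remember that the act of running it is itself a change to the system: document the tool, its version and the time it ran.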

Live Acquire, Power Down, or Unplug?
If a PC is running, you need to decide whether to perform a live acquisition or power it down.
A live acquisition captures the data on a running system, including memory contents that vanish at power-off. This can be very valuable evidence.
If you decide to power it down, you need to do it properly. A standard operating-system shutdown can destroy valuable evidence: temporary files, log files, and date/time stamps are rewritten or deleted during the shutdown sequence.
If a live acquisition is not appropriate, the current best practice is to unplug the PC from its power source (on a laptop, remove the battery as well). Be aware of what this costs: RAM contents are lost, including the keys for any mounted encrypted volumes, and open databases may be left inconsistent. Record the decision and the time in your notes.

The Nature of Digital Evidence
“Evidence is what distinguishes a hypothesis from a groundless assertion.”
Remember: digital evidence differs from traditional evidence in several ways.
- There is too much potential evidence (terabytes)
- It is easily contaminated
- Contaminating some evidence may ruin all of it
- It can be copied, and the copy is an “original” (if done properly)
- There are numerous ways to hide it that are not easily detectable

In Practice: Write Blocking and Protection
Once digital evidence is collected, never turn on a PC or plug in the data device without write-blocking software or hardware in place.
Write-blocking mechanisms prevent any writes to a drive, including the ones an operating system makes on its own (automatic mounting, journal replay, indexing) simply because a system is turned on or a device is connected.
If you do not use write-blocking mechanisms, you will compromise the evidence. Hash the drive before and after the examination to demonstrate that nothing changed.

Create a Drive Image
Original data must be protected from any type of alteration.
To protect original data, perform all analysis on a forensic copy of the original drive or device.
Ways to make forensic copies:
- Drive imaging or mirror imaging
- Sector-by-sector or bit-stream imaging
Bit-stream imaging is the preferred method: it captures every sector, including unallocated space and slack space, not only the files the file system currently lists.

Acquiring a Forensic Copy
Use a forensically clean hard drive for copying. This is one that has been “forensically wiped”: every sector overwritten (typically with zeros) and the wipe verified.
- Simply using the operating system format command does not meet acceptable or best practices; a format rewrites file-system structures but leaves most of the old data on the platters.
Verify the accuracy of the copy:
- Cyclic redundancy check (CRC)
- Cryptographic hash verification
- Message digest (MD5)
A CRC only detects accidental corruption; a cryptographic hash is what shows the copy was not altered. MD5 has known collision attacks, so current practice records a SHA-256 hash as well, and the hashes of the original and of the image must match.

Request for Forensic Examination
Sample form: http://www.rmrcfl.org/Downloads/Documents/Shaded%20PDF.pdf

Performing Forensic Analysis
Forensic Analysis
Reviewing all data collected:
- Log files
- System configuration files
- Trust relationships
- Web browser history files
- Email messages
- Installed applications
- Graphics files
Techniques include:
- Software analysis
- Review of time/date stamps
- Keyword searches
- Review of free space, deleted files, and slack space
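Two of the techniques listed, keyword searching and reviewing free space, deleted files and slack space, are one operation when run over the raw image rather than over the file system: the search sees bytes the file system no longer lists. The following is an added example, not a tool from the course. It searches a constructed 16-sector image for a keyword in both ASCII and UTF-16LE (the encoding of most Windows strings) and labels each hit as allocated, slack or unallocated. The allocation layout is a constructed stand-in for what a file-system parser (for instance The Sleuth Kit) would provide on a real image.

```python
"""Keyword search over a raw image, including slack and unallocated space.

Added example, not the course's tool. The image and the allocation layout are
constructed; a real examination gets the layout from a file-system parser.
"""

SECTOR = 512


def build_sample_image() -> tuple[bytes, dict]:
    """Constructed 16-sector image: one live file, a slack remnant, a deleted file."""
    img = bytearray(16 * SECTOR)
    live = b"Quarterly report. " * 90 + b"Project Falcon remains on schedule."
    img[0:len(live)] = live                                  # sectors 0-3, 1655 bytes
    remnant = b"old draft: Falcon budget cut"                 # left in sector 3's slack
    img[1900:1900 + len(remnant)] = remnant
    deleted = "Falcon wire transfer".encode("utf-16-le")      # deleted file, sector 10
    img[10 * SECTOR:10 * SECTOR + len(deleted)] = deleted
    layout = {"allocated_sectors": {0, 1, 2, 3}, "file_end": len(live)}
    return bytes(img), layout


def classify(offset: int, layout: dict, sector: int = SECTOR) -> str:
    """allocated = inside a live file; slack = allocated sector past the file's end;
    anything else is unallocated space."""
    if offset // sector in layout["allocated_sectors"]:
        return "allocated" if offset < layout["file_end"] else "slack"
    return "unallocated"


def keyword_search(image: bytes, keyword: str, layout: dict,
                   sector: int = SECTOR, ctx: int = 16) -> list[dict]:
    """Case-insensitive search for keyword in ASCII and UTF-16LE over the raw image."""
    haystack = image.lower()        # bytes.lower() touches only ASCII letters, so it
    hits = []                       # is safe for UTF-16LE text in the ASCII range too
    for enc in ("ascii", "utf-16-le"):
        needle = keyword.lower().encode(enc)
        pos = haystack.find(needle)
        while pos != -1:
            start, end = max(0, pos - ctx), pos + len(needle) + ctx
            hits.append({"offset": pos, "sector": pos // sector, "encoding": enc,
                         "region": classify(pos, layout, sector),
                         "context": image[start:end].decode(enc, errors="replace")})
            pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    image, layout = build_sample_image()
    for hit in keyword_search(image, "falcon", layout):
        print(f"{hit['offset']:6d}  sector {hit['sector']:2d}  {hit['region']:11s}  "
              f"{hit['encoding']:9s}  {hit['context']!r}")
```

A search that only looked at the live file would report one hit; the raw search reports three, and the region label tells the examiner which hits a file-system-level review would have missed.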

Components of Incident Response (continued)
6. Reporting
   - Document immediately
   - Write concisely and clearly
   - Use a standard format
   - Employ technical editors
7. Resolution
   - Prevent further damage
   - Return to a secure, healthy operational status
   - Apply countermeasures and update security standards

The Five Mistakes of Incident Response
- Not having a plan
- Failing to increase monitoring and surveillance
- Being unprepared for a court battle
- Putting it back the way it was
- Not learning from mistakes

Basic Forensic Methodology
- Acquire the evidence – maintain the chain of custody
- Authenticate that it is the same as the original
- Analyze the data without modifying it
The key is to have a well-defined set of procedures that you follow.

Evidence Handling Process (diagram)

NYC Police Forensic Procedures

Stage: Seizing the computer
Tools: None
Discussion: Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC).

Stage: Backup
Tools: Safeback, Expert Witness, Snapback
Discussion: Backup is done using one of the listed tools. A case file is created on an optical disk (CD).

Stage: Evidence extraction
Tools: Expert Witness
Discussion: The FIC is moving much of the investigative process to Expert Witness. Traditional searches are currently done to find and extract evidence.

Stage: Case creation
Tools: Expert Witness
Discussion: The case creation process allows the extracted information to be placed in a case file on a floppy disk, hard disk, or removable media.

Stage: Case analysis
Tools: None
Discussion: Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case.

Stage: Correlation of computer events
Tools: None
Discussion: Timeline, order of events, related activities, and contradictory evidence are the components of this stage.

Stage: Correlation of non-computer events
Tools: None
Discussion: Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated.

Stage: Case presentation
Discussion: Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.

Standard Office Documentary Evidence [1]
- Chain of custody of documents
- Marking of evidence
- Organization of documentary evidence
- Rules concerning original versus copies of documents

[1] Albrecht, Albrecht, Albrecht, Fraud Examination, 2nd ed., Thomson South-Western, 2006, p. 226

Chain of Custody Procedures
- Record of evidence lot
- Release dates recorded
- Access to evidence restricted
- Original hard drive placed in a locker or safe
- All analysis performed on bit-stream copies
- Chain of custody document

Admissibility of Computer Forensic Evidence
A forensic examiner’s qualifications can be challenged, or the tools or methodologies used in a forensic investigation can be objected to. The factors a court weighs (the Daubert factors, in U.S. federal practice) are:
- Whether the theory or technique has been tested
- Whether it has been subjected to peer review and publication
- The known or potential error rate
- The general acceptance of the theory in the relevant scientific community
- Whether the proffered testimony is based upon the expert’s special skill

Maintaining a Defensible Approach
- Performed in accordance with forensic science principles
- Based on standards or current best practices
- Conducted with verified tools
- Conducted by individuals who are certified
- Documented thoroughly

Problems with Poorly Collected Evidence [2]
If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when it is presented.
If the evidence is admitted, the opposing attorney will attack its credibility during questioning of the witnesses who testify regarding it. Such an attack can create doubt in the jury members’ minds.

[2] Shinder & Tittel, Scene of the Cybercrime, p. 546

Evidence Disposition
Initial disposition
- After the final report is completed
- Dispose of working copies
- Maintain “best evidence”
Final disposition
- 5 years from the date the case was opened
- Unless…

Remember…
Computer forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic evidence.
Three C’s of evidence:
- Care
- Control
- Chain of Custody