Cyber Forensics Jacob Fonseca Manager, Digital Forensics and Cyber Security Center The University of Rhode Island Web: dfcsc.uri.edu.
My Background
• Manager, URI Digital Forensics and Cyber Security Center
• Perform case work in civil cases
• Assist in developing the URI academic curriculum
• Technical Consultant, RI State Police Computer Crimes Unit
• Technical Consultant, RI State Cyber Disruption Team

What Is Cyber Security?
• A really great buzz word
• Clear and present danger (laziness):
  • Loss of wealth
  • Loss of intellectual property
  • Loss of privacy
  • Loss of trust
  • Tactical advantage

What Is Digital Forensics?
• Digital Forensics is the application of forensic science techniques to the identification, acquisition and analysis of digital evidence.
• A sub-discipline of Cyber Security in the area of Incident Response
• Used in both civil and criminal matters

Evolution of Digital Forensics: 1980s-1990s
• Primarily stand-alone computers
• Basic storage media
• Simple, non-automated forensic tools
• Manual analysis of very small amounts of data, with very slow computers and very simple tools... by today's standards.
• Skills primarily within the LE (law enforcement) community

Evolution of Digital Forensics: 21st Century
• Smarter, automated computer forensic tools
• Faster computers
• Exponential growth in the amount of data to capture and analyze
• More complex data and software
• Strong encryption and full disk encryption

Evolution of Digital Forensics: From Computer to Digital
• New technologies: networks, mobile devices, social networking, game consoles, etc.
• New tools and skills required

Evolution of Digital Forensics: Introducing the Internet
• Social networking
• Email
• Video/Voice over IP (Skype)
• Blogging (Twitter)
• The possibilities (and forensic challenges) are endless...

Evolution of Digital Forensics: Here Comes the Cloud
• Is cloud computing involved?
• Where is the active data, and how do I get it?
• Jurisdiction?
• Historical data?
• Forensic remnants?
Evolution of Digital Forensics: The Advanced Persistent Threat
• Phishing
• Malware
• Hacking
• And so on...

Evolution of Digital Forensics: Cyber Forensics
• Digital evidence is no longer just "static" data
• Analyze or just remediate?
• The challenge of finding the perpetrator or the evidence
• Real-time (live) acquisition and analysis
• Encryption
• Anonymous proxies
• Beyond jurisdictional boundaries
• Forensics will continue to evolve: memory parsing, wear leveling, quantum computing

Where is Digital Evidence Found?
• Hard drives, digital cameras, memory sticks, MP3 players, GPS devices, cell phones, printers, CD/DVDs, game boxes
• Networks: logs, intercepts/traces, incident response

What Evidence can be found on Digital Media?
• Files listed in a standard directory search
• Hidden files
• Deleted files
• Email, including deleted email
• Certain instant messaging
• Passwords
• Who used the computer
• Who modified a document
• Was the disk changed? Was a document edited?
• Network traces
• Searches performed
• Cookies
• What devices were attached?
• Encrypted files
• Web sites visited
• Owners of servers
• Time: when created, when changed, when modified, when sent/received, when logged in/out

Who uses Digital Evidence?
• Criminal law enforcement
• Criminal defense attorneys
• Civil attorneys
• Organization Information Technology (IT) personnel
• Homeland security
• IRS / SEC (financial enforcement)
• Military

Processing a Case with Digital Evidence: Digital Forensics Procedures
Probable Cause -> Search/Seizure -> Data Acquisition -> Analysis -> Report -> Testify

Crime Scene
• Computer: hard drive
• PDA and other devices
• Wireless router: other computers!
• Printer: memory
• Paper: passwords
• Storage for CDs
• Cables may be important
• Corporate crime scene

Handling A Crime Scene
• Take pictures (screen, wiring, devices, etc.)
• Seal original storage media
• Take notes: BIOS time accuracy, labels on the machine for software product key, procedures, serial numbers (e.g. to call Dell)
• Establish "Chain of Custody" for original storage media
• If possible, unobtrusively obtain RAM data
• Get the drive: possibly unplug the power plug from the machine
  • This preserves the swap file and does not allow wiping programs to run
  • It could corrupt data (e.g. databases, Linux file systems)
• Take the whole computer to the lab, or take the drive to the lab
• Use a hardware disk duplicator (whole-drive hashes won't match if the target drive is larger than the source, because of the extra sectors; hash only the copied range)
• Boot the target machine with a second (wiped) drive to copy onto
• From a live machine: machine name, drives/file systems, network config
• Take a digital signature (hash) of the original storage media (e.g. hard drive)
• Seal original storage media
• Must write-block the original drive! Software or hardware write blocker
• Bit copy the original storage media
  • Write-block the original
  • dd bit copy good; Ghost copy bad (Ghost is a file-level copy by default and does not reproduce unallocated space)
• Compare the digital signature of the copy and the original
• Analyze the copy of the storage media

Processing a Case with Digital Evidence: Preservation and Validation of Original Evidence
• Chain of custody
• Clean forensic systems and target media
• Daubert-tested tools; NIST tool testing (CFTT program)
• ALWAYS preserve original evidence (when possible)
• Validate preservation of original evidence by hashing (MD5 on the slide; MD5 has practical collision attacks, so record SHA-256 alongside or instead)

Digital Signatures
• A digital signature, as the term is used here, is a relatively small collection of bytes that uniquely (with high probability) identifies a (large) collection of bytes.
• In this usage a "digital signature" is a hash value (strictly, a cryptographic digital signature is a hash signed with a private key; what is recorded here is the unsigned hash)
• MD5 and SHA-1 are used by the industry (both are collision-vulnerable; compute SHA-256 as well)
• Establishes the "original" under the FRE Best Evidence Rule
• Case precedent: if the signature is not taken and preserved, the evidence can be called into question
• Example hash value shown on the slide: f3ec0217d3e95ba361a651d1a442f496

[Diagram on the slide: Digital Forensics Procedures flow: Probable Cause -> Search/Seizure -> Data Acquisition (write blocker, FTK Imager, E01 file) -> Analysis (E01 file, FTK) -> Report -> Testify]

Operating System Artifacts
• Windows: log files, Registry, shellbags, USB device tracking, UserAssist, Prefetch, shortcuts, Jump Lists, thumbnail cache, Recycle Bin, shadow copies, ESE (Extensible Storage Engine) databases
• Linux/Unix: log files

Tools of the Trade
• Guidance Software's EnCase
• AccessData's FTK
• X-Ways Forensics
• Open source tools: Autopsy, DFF, Volatility, etc.

Cell Tools
• Cellebrite UFED Touch: Android, iOS, BlackBerry; tablets too
• Katana Forensics' Lantern
• XRY
• Susteen's SecureView

Roles & Responsibilities: Analysis
• ALWAYS protect against changes to the original evidence media.
• Make bit-for-bit forensic images (copies) of all original evidence media.
• Analyze only a duplicate "working" copy of the original.
• Prepare investigative worksheets/documentation.
• In some cases, restoration of your bit-for-bit forensic image is necessary to perform analysis.
• Review and recover hidden or deleted files, directories, and data.
• Review and recover data from unallocated space or previous/lost file systems.
• Conduct searches by filename, by file type (using extension and/or file headers), by hash value, or by string of characters/bytes.
• Overcome encryption and password-protected files, directories, drives, etc.

Roles & Responsibilities: Analysis (continued)
• Prepare reports from accounting, database or other complex programs with proprietary file formats.
• Review the boot process for any deviations which may represent overt acts in attempting to destroy or conceal evidence.
• Reconstruct computer and user activity via "time line" analysis and/or recovery and analysis of operating system artifacts left by a user's computer usage.
• Identify malware/virus/trojan... or the lack thereof.
• Maintain investigative documentation and report findings to the investigative team.
• Authenticate any exhibited evidence items.

Roles & Responsibilities: Trial Prep & Testimony
• Review exhibits and documentation
• Discuss testimony with attorneys
• Prepare copies of physical exhibits and media for defense/opposing counsel: CD/DVD copies, image restoration, copies of images, etc.
• Testify: emphasize custody control and the actions you took to ensure the evidence was preserved in its original form.
• Maintain your credibility

The Safety Net
Procedures and actions taken to ensure that electronic evidence...
• is not altered or destroyed.
• is properly preserved and protected.
• can be authenticated.
• is maintained with a chain of custody.

Detection and Response: Threat Indicators
• Hash values
• IP addresses
• Domain names
• Network/host artifacts
• Tools and toolkits
• TTPs

Incident Response
• Don't remove malware and call it a day.
• Log files, memory analysis, behavioral analysis
• Isolate and identify
  • Protected VLAN or firewall from the Internet
  • SQL injection, host compromise, memory resident
• Establish timeline: how long have you been breached?
• Plan, remediate, and monitor

Keep Records: Disk Space is Cheap
• Instrument applications to log sensitive information: add log statements to the sensitive bits
• Keep log files on more than one machine
• Use a centralized logging facility
• Protect backups as much as production

Case Studies

Case Scenario: Inappropriate Computer Use
Plaintiff showed:
• Defendant's account had an extensive volume of porn
• Defendant was fired
• Used shock value
• Used misleading terms
On appeal we showed:
• Actual time on web sites very short: result of spam emails
• No intent to save
• Computer left on in a public place
• Time of creation often did not match the time a person was behind the computer
• Called into question the forensics used to obtain plaintiff's evidence

Case Scenario: Corporate Espionage
Defendant:
• Left Company A to work for a competitor, Company B
• Showed signs of using Company A proprietary information: pricing, customer lists
• Denied taking information
• Had deleted the files in question from his laptop before leaving
For plaintiff we showed:
• We wrote an affidavit for a subpoena to seize defendant's laptop
• We found evidence of emailing documents to Company B before leaving
• We found what USB devices had been inserted: fodder for further subpoena
• We found Company B names of recipients and servers: fodder for further subpoenas

Case Scenario: BadPOS
• Identification of several compromised accounts
• Contacted and informed the customer of the breach
• Non-compliance, too busy to shut down
• Analyzed primary server, found nothing
• A friend enabled Facebook on the POS terminal
• Third-party cleanup and destruction of remaining evidence

Other Case Scenarios
• Political corruption: back door to the town computer system
• Suicide: suicide web sites, email from girlfriend
• Murder: who did he know, who was he talking to?
• School sexual assault: IMs posted on LiveJournal, edited?
• School teacher inappropriate computer use: porn on the computer, who put it there? Simply spam?
• Divorce: infidelity shown in emails
• Corporate espionage: company data to a competitor, how did it get there?
• Stalking: physical evidence of stalking, emails confirm?

URI Degree Programs: Related Degree Programs at URI
Digital Forensics
• Undergrad Minor: 4 courses
• Professional Certificate: 4 courses
• Graduate Certificate: 4 courses
Cyber Security
• Undergrad Minor: 4 courses
• Professional Certificate: 4 courses
• Graduate Certificate: 4 courses
Masters in Cyber Security
• 9 courses
• Courses in digital forensics and cyber security
• Internship capstone
All courses are taught online with streaming video and cloud-based labs.
URI is an NSA/DHS Center of Academic Excellence in Information Assurance Education.
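Worked example of the acquisition and validation steps in the "Handling A Crime Scene" and "Preservation and Validation" slides (bit copy behind a write blocker, hash, compare, chain-of-custody record). This is an added example, not code from the slides or from the URI DFCSC; it stands in for a write-blocked drive with an in-memory byte string, and the item IDs, examiner name and sector pattern are constructed placeholders. It shows two things the slides state in one line each: a copy in the style of `dd conv=noerror,sync` zero-fills unreadable sectors, so such an image can never hash-match the original and the bad-sector list has to go in the record; and a duplicator onto a larger target gives a whole-drive hash that differs, so the copied range is what must be hashed. MD5 and SHA-1 are computed because existing records use them; SHA-256 is recorded alongside.

```python
"""Added example (not from the slides): bit copy, hash verification and a
chain-of-custody record for a constructed evidence device."""
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512
# MD5/SHA-1 for compatibility with older case records, SHA-256 for collision resistance.
ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Hex digests of `data` under every algorithm in ALGOS."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


class EvidenceDevice:
    """Constructed stand-in for a write-blocked drive: raw bytes plus a set of
    sector numbers that fail on read (a damaged area of the platter)."""

    def __init__(self, data, bad_sectors=()):
        assert len(data) % SECTOR == 0, "device size must be whole sectors"
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sector_count(self):
        return len(self.data) // SECTOR

    def read_sector(self, n):
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def bit_copy(device):
    """Sector-by-sector copy in the spirit of `dd conv=noerror,sync`: an
    unreadable sector is written as zeros so every later sector keeps its
    offset, and the bad sector numbers are returned for the report."""
    out, bad = bytearray(), []
    for n in range(device.sector_count):
        try:
            out += device.read_sector(n)
        except OSError:
            out += b"\x00" * SECTOR
            bad.append(n)
    return bytes(out), bad


def acquire(device, item_id, examiner):
    """Image the device and open its chain-of-custody record with the
    acquisition hashes (hashes of the bytes exactly as they were read)."""
    image, bad = bit_copy(device)
    record = {
        "item": item_id,                       # placeholder evidence label
        "examiner": examiner,                  # placeholder examiner name
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sectors": device.sector_count,
        "unreadable_sectors": bad,
        "acquisition_hash": hash_bytes(image),
    }
    return image, record


def verify(image, record, device=None):
    """Re-hash the stored image against the record.  If the original is still
    available and fully readable, compare against it too; with zero-filled
    bad sectors that comparison is not computable, and the record's
    unreadable_sectors list is what explains the difference in court."""
    result = {"image_matches_record": hash_bytes(image) == record["acquisition_hash"]}
    if device is not None:
        if device.bad:
            result["original_matches_image"] = None
        else:
            result["original_matches_image"] = hash_bytes(device.data) == record["acquisition_hash"]
    return result


def hash_target_range(target, source_length):
    """Hash only the first source_length bytes of a larger target: a hardware
    duplicator onto a bigger disk leaves extra sectors behind the copy, so
    whole-drive hashes of source and target never agree."""
    return hash_bytes(target[:source_length])


if __name__ == "__main__":
    # Constructed sample: 8 sectors with a recognisable pattern, sector 5 unreadable.
    payload = b"".join(bytes([i]) * SECTOR for i in range(8))
    good = EvidenceDevice(payload)
    damaged = EvidenceDevice(payload, bad_sectors={5})

    img, rec = acquire(good, "Item-01 (placeholder)", "J. Examiner (placeholder)")
    print(json.dumps(rec, indent=2))
    print(verify(img, rec, good))

    img2, rec2 = acquire(damaged, "Item-02 (placeholder)", "J. Examiner (placeholder)")
    print(rec2["unreadable_sectors"], verify(img2, rec2, damaged))

    bigger = payload + b"\x00" * SECTOR * 4          # duplicator onto a larger disk
    print(hash_bytes(bigger) == hash_bytes(payload),  # whole-target hash differs
          hash_target_range(bigger, len(payload)) == hash_bytes(payload))
```

The record is what goes into the custody file; the verification hash is recomputed from the stored image before analysis and again before testimony, so the image can be tied to the acquisition even when the original drive is no longer readable.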
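The "Detection and Response: Threat Indicators" categories and the "establish timeline: how long have you been breached?" step of the Incident Response slide, as an added example that is not from the slides: a sweep of constructed log lines against a small indicator set, reporting the earliest hit per host and the dwell time up to the moment the breach was noticed. Every indicator value is a placeholder (a TEST-NET-3 address, a reserved `.example` domain, the public EICAR test-file MD5, an assumed Run-key artifact and tool name), the log lines are constructed, and the SQL injection pattern is a deliberately narrow illustration of a TTP match, not a production detection.

```python
"""Added example (not from the slides): sweep log lines for threat indicators
and estimate how long the environment has been breached."""
import re
from datetime import datetime, timezone

# Indicator set in the slide's categories.  All placeholders, not case IOCs.
IOCS = {
    "hash": {"44d88612fea8a8f36de82e1278abb02f"},        # EICAR test-file MD5 (public test value)
    "ip": {"203.0.113.45"},                               # TEST-NET-3, never routable
    "domain": {"update-cdn.example"},                     # reserved example TLD
    "artifact": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchst"},  # assumed
    "tool": {"mimikatz.exe"},                             # tool/toolkit name match
}
# TTP: one narrow SQL-injection signature (quote followed by a comment or a tautology).
TTPS = {"sql-injection": re.compile(r"'\s*(?:--|or\s+\S+\s*=)", re.I)}

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<src>[^:\s]+):\s+(?P<msg>.*)$")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FQDN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

# Constructed syslog-style lines: ISO-8601 UTC timestamp, host, source, message.
LOGS = r"""
2014-03-02T08:15:22Z web01 httpd: 203.0.113.45 "GET /login.php?user=admin'-- HTTP/1.1" 200
2014-03-02T08:16:07Z web01 httpd: 203.0.113.45 "POST /upload.php HTTP/1.1" 200
2014-03-02T08:20:41Z web01 kernel: process up.sh spawned by httpd
2014-03-04T23:02:13Z dns01 named: query update-cdn.example from 10.0.5.21
2014-03-05T01:10:55Z ws-021 sysmon: ProcessCreate image=C:\Users\Public\mimikatz.exe md5=44d88612fea8a8f36de82e1278abb02f
2014-03-05T01:12:00Z ws-021 sysmon: RegistryValueSet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchst
2014-03-06T09:00:00Z web01 httpd: 198.51.100.7 "GET /index.html HTTP/1.1" 200
""".strip().splitlines()


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_line(line):
    """Return one hit dict per indicator found in the line (empty if none)."""
    m = LINE.match(line)
    if not m:
        return []
    ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]
    hits = []

    def add(category, indicator):
        hits.append({"ts": ts, "host": host, "category": category, "indicator": indicator})

    for h in HEX32.findall(msg):                     # hash values
        if h.lower() in IOCS["hash"]:
            add("hash", h.lower())
    for ip in IPV4.findall(msg):                     # IP addresses
        if ip in IOCS["ip"]:
            add("ip", ip)
    for d in FQDN.findall(msg):                      # domain names
        if d.lower() in IOCS["domain"]:
            add("domain", d.lower())
    low = msg.lower()
    for category in ("artifact", "tool"):            # host artifacts, tools
        for ind in IOCS[category]:
            if ind.lower() in low:
                add(category, ind)
    for name, pat in TTPS.items():                   # TTPs
        if pat.search(msg):
            add("ttp", name)
    return hits


def category_counts(hits):
    counts = {}
    for h in hits:
        counts[h["category"]] = counts.get(h["category"], 0) + 1
    return counts


def breach_timeline(lines, observed_at):
    """Earliest indicator hit overall and per host, plus dwell time in days
    between that first hit and the moment the breach was observed."""
    hits = sorted((h for line in lines for h in match_line(line)), key=lambda h: h["ts"])
    if not hits:
        return {"hits": [], "first_seen": None, "dwell_days": None, "hosts": {}}
    hosts = {}
    for h in hits:
        hosts.setdefault(h["host"], h["ts"])         # first hit per host (list is sorted)
    first = hits[0]["ts"]
    return {"hits": hits, "first_seen": first,
            "dwell_days": (observed_at - first).days, "hosts": hosts}


if __name__ == "__main__":
    report = breach_timeline(LOGS, parse_ts("2014-03-07T12:00:00Z"))
    for h in report["hits"]:
        print(h["ts"].isoformat(), h["host"], h["category"], h["indicator"])
    print("first seen:", report["first_seen"], "dwell days:", report["dwell_days"])
    print("per host:", {k: v.isoformat() for k, v in report["hosts"].items()})
```

The per-host first-seen times are what the "isolate and identify" step works from: the web server shows the injection and the attacker's address two days before the DNS beacon and three before the credential-theft tool on the workstation, which is why log files from more than one machine, kept centrally, matter.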