Cyber Forensics Jacob Fonseca Manager, Digital Forensics and Cyber Security Center The University of Rhode Island Web: dfcsc.uri.edu.
My Background
Manager, URI Digital Forensics and Cyber Security Center
Perform case work in civil cases
Assist in developing URI academic curriculum
Technical Consultant, RI State Police Computer Crimes Unit
Technical Consultant, RI State Cyber Disruption Team
What Is Cyber Security?
A really great buzz word
Clear and present laziness danger
Loss of wealth
Loss of intellectual property
Loss of privacy
Loss of trust
Tactical advantage
What Is Digital Forensics?
Digital Forensics is the application of forensic science techniques to the identification, acquisition and analysis of digital evidence.
Sub-discipline of Cyber Security in the area of Incident Response
Used in both civil and criminal matters
Evolution of Digital Forensics
1980s-1990s
Primarily stand-alone computers
Basic storage media
Simple non-automated forensic tools
Manual analysis of very small amounts of data, with very slow computers and very simple tools… by today’s standards.
Skills primarily within the LE (law enforcement) community
Evolution of Digital Forensics
21st Century
Smarter, automated computer forensic tools
Faster computers
Exponential growth in amounts of data to capture and analyze
More complex data and software
Strong encryption & full disk encryption
Evolution of Digital Forensics
From Computer to Digital
New technologies
Networks
Mobile Devices
Social Networking
Game Consoles
Etc.
New tools & skills required
Evolution of Digital Forensics
Introducing the Internet
Social Networking
Email
Video/Voice over IP (Skype)
Blogging (Twitter)
The possibilities (and forensic challenges) are endless…
Evolution of Digital Forensics
Here Comes the Cloud
Is Cloud Computing involved?
Where is the active data & how do I get it?
Jurisdiction?
Historical data?
Forensic remnants?
Evolution of Digital Forensics
The Advanced Persistent Threat
Phishing
Malware
Hacking
And so on…
Evolution of Digital Forensics
Cyber Forensics
Digital evidence is no longer just “static” data
Analyze or just remediate?
The challenge of finding the perpetrator or the evidence
Real-time (live) acquisition and Analysis
Encryption
Anonymous proxies
Beyond jurisdictional boundaries
Forensics will continue to evolve
Memory parsing
Wear leveling
Quantum computing
Where is Digital Evidence Found?
Hard drives
Digital cameras
Memory sticks
MP3 players
GPS devices
Cell phones
Printers
CD / DVDs
Game boxes
Networks
Logs
Intercepts/traces
Incident response
What Evidence can be found on Digital Media?
Files listed in standard directory search
Hidden files
Deleted files
Email
Deleted email
Certain Instant Messaging
Passwords
Who used the computer
Who modified a document
Was disk changed?
Was a document edited?
Network traces
Searches performed
Cookies
What devices were attached?
Encrypted files
Web sites visited
Owners of servers
TIME
When created
When changed
When modified
When sent/received
When login/out
Who uses Digital Evidence?
Criminal law enforcement
Criminal defense attorneys
Civil attorneys
Organization Information Technology (IT) personnel
Homeland security
IRS / SEC (financial enforcement)
Military
Processing a Case with Digital Evidence
Digital Forensics Procedures
Probable Cause
Search/Seizure
Data Acquisition
Analysis
Report
Testify
Crime Scene
Computer – hard drive
PDA and other devices
Wireless router – other computers!
Printer – memory
Paper – passwords
Storage for CDs
Cables may be important
Corporate Crime Scene
Handling A Crime Scene
Take pictures (screen, wiring, devices etc)
Seal original storage media
Take notes (BIOS time accuracy, labels on the machine for software product key, procedures, serial numbers (e.g. to call Dell))
Establish “Chain of Custody” for original storage media
If possible unobtrusively obtain RAM data
Get Drive:
Possibly unplug power plug from machine
This preserves swap file and does not allow wiping programs to run
Could corrupt (e.g. database, Linux file systems)
Take whole computer to lab
Take drive to lab
Use hardware disk duplicator (hashes won’t match)
Boot target machine with second (wiped) drive to copy onto
From live machine: machine name, drives/file systems, network config
Take digital signature of original storage media (e.g. hard drive)
Seal original storage media
Must write block original drive! Software or hardware write blocker
Bit copy original storage media
Write block original
DD bit copy good, ghost bit copy bad
Compare digital signature of copy and original
Analyze copy of storage media
Processing a Case with Digital Evidence: Preservation and Validation of Original Evidence
Chain of Custody
Clean Forensic Systems and Target Media
Daubert-tested tools
NIST Tool Testing
ALWAYS preserve original evidence (when possible)
Validate preservation of original evidence through the use of MD5 hashing.
Digital Signatures
A digital signature is a relatively small collection of bytes that uniquely (to high probability) identifies a (large) collection of bytes.
Digital signature can be called “hash value”
MD5 and SHA-1 used by the industry
Establishes “original” under FRE Best Evidence Rule
Case precedent – if signature not taken and preserved, evidence can be called into question
Example MD5 hash value: f3ec0217d3e95ba361a651d1a442f496
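The two slides above (the acquisition steps: write block, bit copy, compare signatures; and the hash value as the evidence signature) in working form. This is an added example, not code from the presentation: it computes the MD5 and SHA-1 of the original and the copy in one pass and also handles the case the slides flag, a hardware duplicator writing onto a larger target, by hashing the copy only to the original’s length and checking that the surplus is all-zero padding. The sample “media” is constructed in memory; on real evidence the streams are files opened read-only through a write blocker.

```python
import hashlib
import io
import random

CHUNK = 1 << 16  # hash 64 KiB at a time so a multi-GB image never sits in memory


def hash_stream(stream, length=None):
    """Return (md5, sha1, bytes_read) for the first `length` bytes of a binary
    stream (all of it when length is None); both digests in a single pass."""
    md5, sha1, seen = hashlib.md5(), hashlib.sha1(), 0
    while length is None or seen < length:
        chunk = stream.read(CHUNK if length is None else min(CHUNK, length - seen))
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
        seen += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), seen


def verify_image(original, image):
    """Compare a bit copy against the original media (seekable binary streams).
    A copy made onto a larger target carries trailing padding, so besides the
    exact comparison we hash the copy up to the original's length only and
    check that everything beyond that point is zeros."""
    o_md5, o_sha1, o_len = hash_stream(original)
    i_md5, i_sha1, i_len = hash_stream(image)
    image.seek(0)
    p_md5, p_sha1, p_len = hash_stream(image, o_len)
    image.seek(o_len)
    padding_clean = True
    while chunk := image.read(CHUNK):
        if any(chunk):  # a non-zero byte past the end is not mere padding
            padding_clean = False
            break
    return {
        "original_md5": o_md5, "original_sha1": o_sha1,
        "exact_match": (i_md5, i_sha1) == (o_md5, o_sha1),
        "prefix_match": p_len == o_len and (p_md5, p_sha1) == (o_md5, o_sha1),
        "extra_bytes": max(i_len - o_len, 0),
        "extra_is_zero_padding": i_len > o_len and padding_clean,
    }


def verify_bytes(original, image):
    """Wrapper for in-memory samples; real cases pass files opened 'rb'."""
    return verify_image(io.BytesIO(original), io.BytesIO(image))


def demo():
    # Constructed sample media: 200 KB of pseudo-random "disk" contents.
    original = bytes(random.Random(7).getrandbits(8) for _ in range(200_000))
    padded = original + b"\x00" * 4096  # duplicator copy onto a larger target
    altered = original[:100] + bytes([original[100] ^ 0xFF]) + original[101:]
    return verify_bytes(original, padded), verify_bytes(original, altered)
```

A `prefix_match` with clean padding explains why the duplicator’s hashes “won’t match” without implying tampering; a failed `prefix_match` means the copy cannot be used.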
Digital Evidence Acquisition
Digital Forensics Procedures: Probable Cause → Search/Seizure → Data Acquisition → Analysis → Report → Testify
Data Acquisition: Write Blocker → FTK Imager → E01 File
Analysis: E01 File → FTK Analysis
Operating System Artifacts
Windows
Log files
Registry
Shellbags
USB Device Tracking
UserAssist
Prefetch
Shortcuts
Jump Lists
Thumbnail Cache
Recycle Bin
Shadow Copy
ESE Databases
Linux/Unix
Log files
Tools of the Trade
Guidance Software’s Encase
AccessData’s FTK
X-ways Forensics
Open source tools
Autopsy
DFF
Volatility
etc…
Cell Tools
Cellebrite UFED Touch
Android, iOS, Blackberry
Tablets too
Katana Forensics’ Lantern
XRY
Susteen’s SecureView
Roles & Responsibilities
Analysis
ALWAYS protect against changes to the original evidence media.
Make bit-for-bit forensic images (copies) of all original evidence media.
Analyze only a duplicate “working” copy of the original.
Prepare investigative worksheets/documentation
In some cases, restoration of your bit-for-bit forensic image is necessary to perform analysis.
Review and recover hidden or deleted files, directories, and data.
Review and recover data from unallocated space or previous/lost file systems.
Conduct searches by filename, by file type (using extension and/or file headers), by hash value or by string of characters/bytes.
Overcome encryption and password protected files, directories, drives, etc.
Roles & Responsibilities
Analysis
Prepare reports from accounting, database or other complex programs with proprietary file formats.
Review the boot process for any deviations which may represent overt acts in attempting to destroy or conceal evidence.
Reconstruct computer and user activity via “time line” analysis and/or recovery and analysis of Operating System artifacts left by a user’s computer usage.
Identify malware/virus/trojan… or lack thereof.
Maintain investigative documentation and report findings to investigative team.
Authenticate any exhibited evidence items.
Roles & Responsibilities
Trial Prep & Testimony
Review exhibits and documentation
Discuss testimony with attorneys
Prepare copies of physical exhibits and media for defense/opposing counsel.
CD/DVD copies, image restoration, copies of images, etc.
Testify
Emphasize custody control and the actions you took to ensure the evidence was preserved in its original form.
Maintain your credibility
The Safety Net
Procedures and actions taken to ensure that Electronic Evidence…
is not altered or destroyed.
is properly preserved and protected.
can be authenticated.
is maintained with a chain of custody.
Detection and Response
Threat Indicators
Hash Values
IP Addresses
Domain Names
Network/Host Artifacts
Tools and toolkits
TTPs
Incident Response
Don’t remove malware and call it a day.
Log files, Memory analysis, Behavioral analysis
Isolate and identify
Protected VLAN or firewall from the Internet
SQL injection, Host compromise, Memory resident
Establish timeline
How long have you been breached
Plan, Remediate, and Monitor
Keep Records - Disk Space is Cheap
Instrument applications to log sensitive information
Add log statements to the sensitive bits
Keep logs files on more than one machine
Use centralized logging facility
Protect backups as much as production
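The threat indicators listed above (hash values, IP addresses, domain names) are only useful if something checks them against the logs you kept. This is an added example, not from the presentation: a small matcher run over a few constructed log lines of the kind a central log server holds, with a constructed indicator set using placeholder values (documentation address ranges, an arbitrary hash). It shows the normalization a practitioner needs: hashes compared case-insensitively, IPs matched against networks, and domain indicators matching their subdomains and DNS trailing dots.

```python
import ipaddress
import re

# Constructed indicator set with placeholder values, standing in for a real feed.
INDICATORS = {
    "hash": {"0123456789abcdef0123456789abcdef"},
    "ip": {"203.0.113.0/24", "198.51.100.7"},
    "domain": {"bad.example.net"},
}

# Constructed log lines (proxy, DNS and anti-virus records on a central log host).
LOGS = [
    "2024-01-05T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.7 host=cdn.example.com",
    "2024-01-05T10:01:09Z dns client=10.0.0.5 query=update.bad.example.net.",
    "2024-01-05T10:02:30Z av host=ws12 file=C:\\Users\\a\\x.exe md5=0123456789ABCDEF0123456789abcdef",
    "2024-01-05T10:03:00Z proxy src=10.0.0.8 dst=192.0.2.9 host=www.example.com",
]

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)          # MD5-length hex runs
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b\.?", re.I)


def match_indicators(lines, indicators):
    """Return (line_no, kind, value) for every indicator hit in the log lines."""
    nets = [ipaddress.ip_network(n) for n in indicators["ip"]]  # a bare IP is a /32
    hashes = {h.lower() for h in indicators["hash"]}
    domains = {d.lower().rstrip(".") for d in indicators["domain"]}
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in hashes:
                hits.append((n, "hash", h.lower()))
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
                continue
            if any(addr in net for net in nets):
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")  # DNS logs often keep the trailing dot
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append((n, "domain", host))
    return hits
```

Because the hits carry the line number, each one can be tied back to the original log record and its timestamp when building the breach timeline.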
Case Studies
Case Scenario: Inappropriate Computer Use
Plaintiff showed:
Defendant’s account had extensive volume of porn
Used shock value
Used misleading terms
Defendant was fired
On appeal we showed:
Actual time on web sites very short – result of spam emails
No intent to save
Computer left on in public place
Time of creation often did not match time person behind the computer
Called into question forensics used to obtain plaintiff's evidence
Case Scenario: Corporate Espionage
Defendant:
Left Company A to work for a competitor, Company B
Showed signs of using Company A proprietary information: pricing, customer lists
Denied taking information
Company A had deleted files in question from his laptop before leaving
For plaintiff we showed:
We wrote affidavit for subpoena to seize defendant’s laptop
We found evidence of emailing documents to Company B before leaving
We found what USB devices had been inserted – fodder for further subpoena
We found Company B names of recipients and servers – fodder for further subpoenas
Case Scenario: BadPOS
Identification of several compromised accounts
Contacted and informed customer of the breach
Non-compliance, too busy to shut down
Analyzed primary server, found nothing
A friend enabled Facebook on the POS terminal
Third party cleanup and destruction of remaining evidence
Other Case Scenarios
Political corruption
Back door to town computer system
Suicide
Suicide web sites, email from girlfriend
Murder
Who did he know, who was he talking to?
School sexual assault
IMs posted on Live Journal, edited?
School teacher inappropriate computer use
Porn on the computer – who put it there? Simply spam?
Divorce
Infidelity shown in emails
Corporate Espionage
Company data to competitor – how did it get there?
Stalking
Physical evidence of stalking, emails confirm?
URI Degree Programs
Related Degree Programs at URI
Digital Forensics
• Undergrad Minor
• 4 courses
• Professional Certificate
• 4 courses
• Graduate Certificate
• 4 courses
Cyber Security
• Undergrad Minor
• 4 courses
• Professional Certificate
• 4 courses
• Graduate Certificate
• 4 courses
Masters In Cyber Security
• 9 courses
• Courses in digital forensics and cyber security
• Internship capstone
All courses taught online with streaming video and cloud-based labs
URI Is An NSA/DHS Center of Academic Excellence in Information Assurance Education