Computer Forensics BACS 371


Computer Forensics
BACS 371
Evidentiary Methods II
Evidence Acquisition
OK, what do we do first?
Basic Forensic Methodology
- Acquire the evidence
- Authenticate that it is the same as the original
- Analyze the data without modifying it

Photographing Systems
Before you do anything, begin documentation by photographing all aspects of the system:
- Monitor
- Desk and surrounding area
- All 4 sides of PC
- Labeled cables still connected

Evidence Acquisition Process[1]
- Disassemble the case of the computer
- Identify storage devices that need to be acquired (internal/external/both)
- Document internal storage devices and hardware configuration
  - Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …)
  - Internal components (sound card, video card, network card including MAC address, PCMCIA cards, …)
- Disconnect storage devices (power, data, or both)
- Controlled boots
  - Capture CMOS/BIOS info (boot sequence, time/date, passwords)
  - Controlled boot from forensic CD to test functionality (RAM, write-protected storage, …)
  - Controlled boot to capture drive config (LBA, CHS, …)
[1] Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3, Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Forensic Analysis CYA
- Virus check
  - Forensic computer
  - Media being processed
- Collect system information
- CHKDSK/SCANDISK
- Complete computer hardware inventory
- Look for "orphan clusters"
- "Tech" program for forensic computer

Role of the First Responder
Scene of the Cybercrime[1]: Do No Harm!
- Identify the Crime Scene
- Protect the Crime Scene
- Preserve Temporary and Fragile Evidence
A Guide for First Responders[2]
- Secure and Evaluate the Scene
- Document the Scene
- Collect Evidence
- Packaging, Transportation, and Storage of Evidence
- Forensic Examination
[1] Scene of the Cybercrime, Shinder & Tittel, p. 553
[2] Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

Role of Investigators[1]
- Establish Chain of Command
- Conduct Crime Scene Search
- Maintain Integrity of Evidence
[1] Scene of the Cybercrime, Shinder & Tittel, p. 554

Role of Crime Scene Technician[1]
- Preserve volatile evidence and duplicate disks
- Shut down systems for transport
- Tag and log evidence
- Transport evidence
- Process evidence
[1] Scene of the Cybercrime, Shinder & Tittel, p. 555

Computer Seizure Checklist[1]
- Photograph the monitor
- Preserve volatile data
- Shut down systems
- Photograph the system setup (PC: all sides)
- Label all connections
- Unplug system and peripherals; mark and tag
- Bag and tag all components
- Bitstream copy of disk(s) (usually offsite)
- Verify integrity of copies (usually offsite)
[1] Scene of the Cybercrime, Shinder & Tittel, p. 557

Preserve Volatile Data[1]
Order of Volatility[2] (most volatile first)
- Registers and cache
- Routing table, ARP cache, process table, kernel statistics
- Contents of system memory (RAM)
- Remote logging and monitoring data
- Physical configuration, network topology
- Temporary file systems
- Data on disk
- Archival media
[1] Scene of the Cybercrime, Shinder & Tittel, p. 559
[2] Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Collecting Volatile Data
Tool      Purpose
netstat   View current network connections
nbtstat   View current network connections
arp       View addresses in ARP (Address Resolution Protocol) cache
plist     List running processes (or view in Task Manager)
ipconfig  Gather information about the state of the network

Foundstone Tools
Tool              Purpose
Pasco             An Internet Explorer activity forensic analysis tool
Galleta           An Internet Explorer cookie forensic analysis tool
Rifiuti           A Recycle Bin forensic analysis tool
Vision            Reports all open TCP and UDP ports
NTLast            Security audit tool for WinNT
Forensic Toolkit  Tools to examine an NTFS disk partition for unauthorized activity
ShoWin            Show information about Windows; reveal passwords
BinText           Finds ASCII, Unicode, and Resource strings in a file

Things to Avoid[1]
- Don't shut down until volatile evidence has been collected
- Don't trust the programs on the system; use your own secure programs
- Don't run programs which modify access times of files
[1] Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Acquire the Evidence
To shut down, or not to shut down, that is the question!
- Acquire without damaging or altering the original
- Let the machine run, or pull the plug?
Run
- Retains maximum forensic evidence
Pull plug
- Removes a compromised computer from potentially affecting the whole network
- How to pull the plug: from the back of the PC, when the hard drive is not spinning (check sound, drive light, vibration)

Making Backups
- File backup vs. bitstream copy
- Use forensically sterile media
- Make 2 backup copies (one to work with and one to store)
- Don't access the original again!

Level of Effort to Protect Evidence…
If the evidence is going to be used in court vs. if the evidence is going to be used for an internal investigation:
- The evidence method should be the same for both situations, in case it ever goes to court
- The more documentation the better

MD5 Hashing
Wikipedia entries:
- Cryptographic Hash Function: a hash function must be able to process an arbitrary-length message into a fixed-length output
- Hash Function
- Hash Collision
- Check Digit
- Cyclic Redundancy Check (CRC)

MD5 Hashing Algorithm[1]
One MD5 operation: MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. M_i denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each operation. <<<s denotes a left bit rotation by s places; s varies for each operation. The boxed plus in the figure denotes addition modulo 2^32. There are four possible functions F; a different one is used in each round.
[1] Wikipedia

Integrity of Evidence[+]

Checksum
  Description: Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16- or 32-bit integer result.
  Common types: CRC-16, CRC-32
  Advantages: Easy to compute; fast; small data storage; useful for detecting random errors
  Disadvantages: Low assurance against malicious attack; simple to create data with matching checksum

One-Way Hash
  Description: Method for protecting data against unauthorized change. Produces a fixed-length large integer (80~240 bits) representing digital data. Implements a one-way function.
  Common types: SHA-1, MD5, MD4, MD2
  Advantages: Easy to compute; can detect both random errors and malicious alterations
  Disadvantages: Must maintain secure storage of hash values; does not bind identity with data; does not bind time with data

Digital Signature
  Description: Secure method for binding identity of signer with digital data integrity methods such as one-way hash values. Uses a public key cryptosystem.
  Common types: RSA, DSA, PGP
  Advantages: Binds identity to integrity operation; prevents unauthorized regeneration of signature
  Disadvantages: Slow; must protect private key; does not bind time with data

[+] "Proving the Integrity of Digital Evidence with Time," International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (Oct 25, 2005)

Hashing Algorithms[1]
Algorithm  Description
MD2        Developed by Ronald L. Rivest in 1989; this algorithm was optimized for 8-bit machines.
MD4        Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
MD5        Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.
SHA        SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
HAVAL      A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.
[1] Hands-On Ethical Hacking and Network Defense, Simpson, 2006, p. 305

MD5 Hash
"[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit 'fingerprint' or 'message digest' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be 'compressed' in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."[1]
[1] http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

MD5 Hash
- 128-bit number representing a "fingerprint" of a file
- Odds of two different files having the same MD5 hash are 1 in 2^128

MD5 issues???
- Collisions: two different files generating the same hash
  http://www.cryptography.com/cnews/hash.html
- SHA collisions
  http://online.wsj.com/article_print/SB111084838291579428.html

Hash Try It…
- http://block111.servehttp.com/hash
- http://bfl.rctek.com/tools/?tool=hasher
- http://www.digitaldetective.co.uk/freetools/md5.asp
- http://www.miraclesalad.com/webtools/md5.php

Attributes of Secure, Auditable Date/Time Stamps
- Accuracy: time is from an authoritative source and is accurate
- Authentication: source is authenticated by a National Measurement Institute
- Non-Repudiation: association between event or document and the time cannot later be denied
- Integrity: time not subject to corruption during "handling"
- Accountability: a third party can verify that due process was applied and no corruption transpired

Steps for Secure Timestamping
1. Traceability to Legal Time Sources
2. Time Distribution
3. Secure Digital Timestamping

Digital Evidence Collection Toolkit[1]
Documentation Tools
- Cable tags
- Indelible felt tip markers
- Stick-on labels
Disassembly and Removal Tools
- Flat-blade and Phillips-type screwdrivers
- Hex-nut drivers
- Needle-nose pliers
- Secure-bit drivers
- Small tweezers
- Specialized screwdrivers
- Standard pliers
- Star-type nut drivers
- Wire cutters
Package and Transport Supplies
- Antistatic bags
- Antistatic bubble wrap
- Cable ties
- Evidence bags
- Evidence tape
- Packing materials
- Packing tape
- Sturdy boxes of various sizes
Other Items
- Gloves
- Hand truck
- Large rubber bands
- List of contact telephone numbers for assistance
- Magnifying glass
- Printer paper
- Seizure disk
- Small flashlight
- Unused floppy diskettes (3 ½" and 5 ¼")
[1] Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ

Handling, Transportation, Storage
- Static electricity
- External RF signals
- Heat
- Humidity
- Sunlight??

Documenting Evidence
- Evidence is tagged
- Evidence logs
- Evidence analysis logs
- Admissibility of evidence

Evidence is Tagged
- Place name or initials on item
- Date/time
- Case number
- Physical marking is preferable
- If not markable, bag evidence
- Use latex gloves
- Create and use an evidence kit

Evidence Logs
- Lists all evidence collected
- Description of each piece of evidence with serial numbers
- Identifies who collected the evidence and why
- Date and time of collection
- Disposition of evidence
- All transfers of custody

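Added example (not from the slides) tying the Making Backups and Evidence Logs slides together: hash the original in one streaming pass, verify a working copy and an archive copy against the recorded values, and write log lines carrying case number, examiner, UTC time and the stored hash values. The disk image is a constructed byte string standing in for a seized drive, and the case number, item label and examiner name are placeholders; on a real acquisition the same functions read an open device or image file.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB image never sits in RAM

def image_hashes(source, algorithms=("md5", "sha1")):
    """One streaming pass over a drive or image (binary stream, or bytes for
    convenience), feeding every chunk to each digest."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: source.read(CHUNK), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def verify_copy(original_hashes, copy_source):
    """A copy is good only if every recorded digest of the original matches."""
    return image_hashes(copy_source, tuple(original_hashes)) == original_hashes

def log_entry(case_no, item, examiner, action, result, hashes):
    """One evidence-log line: who, what, when (UTC) and the stored hash values."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    values = " ".join(f"{k}={v}" for k, v in hashes.items())
    return f"{stamp} case={case_no} item={item} by={examiner} action={action} result={result} {values}"

def acquire_and_verify(original, case_no, examiner, item="HDD-1"):
    """Record the original's hashes, then verify a working copy and an archive copy."""
    orig_hashes = image_hashes(original)
    log = [log_entry(case_no, item, examiner, "hash-original", "recorded", orig_hashes)]
    # Two bitstream copies: one to work with, one to store (Making Backups slide).
    copies = {"working-copy": bytes(original), "archive-copy": bytes(original)}
    results = {}
    for name, data in copies.items():
        results[name] = verify_copy(orig_hashes, data)
        log.append(log_entry(case_no, item, examiner, "verify-" + name,
                             "MATCH" if results[name] else "MISMATCH", orig_hashes))
    return results, log

# Constructed stand-in for a seized drive: 3 MiB of repeating sector-like bytes.
SAMPLE_IMAGE = bytes(range(256)) * (3 * 4096)

def tamper_detected(image=SAMPLE_IMAGE):
    """Flipping one bit in a copy must make verification fail."""
    orig_hashes = image_hashes(image)
    bad = bytearray(image)
    bad[4096] ^= 0x01
    return not verify_copy(orig_hashes, bytes(bad))
```

Keeping two digests per item costs one extra update per chunk and lets a later examiner re-verify even if one algorithm is no longer trusted.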
Evidence Analysis Logs
- How each step is performed
  - Who was present
  - What was done
  - Result of procedure
  - Time/date
- Document all potential evidence
  - Filename
  - Where on disk data are located
  - Date and time stamps
  - Network information (MAC address, IP address)
  - Other file properties (metadata)


5 Mistakes of Computer Evidence[1]
1. Run the computer
2. Get help from the computer owner
3. Don't check for computer viruses
4. Don't take any precautions in the transport of computer evidence
5. Run Windows to view graphic files and to examine files
[1] Electronic Fingerprints: Computer Evidence Comes of Age, by Michael R. Anderson

Admissibility of Evidence
- Relevant: substantiates an issue that is in question in the case
- Competent: reliable and credible
- Obtained legally