Transcript cfintro

An Introduction to
Computer Forensics
James L. Antonakos
Professor
Computer Science Department
Topics
• What is Computer Forensics?
• Why do we need Computer Forensics?
• Live Analysis Versus Static Analysis
• Capturing a Drive Image
• The Organization of Hard Disks
• The Organization of File Systems
• Where’s the Data?
• Forensic Tools
What is Computer Forensics?
• Computer Forensics is a process used to locate digital information that may be used to help prove guilt or innocence.
• Computer Forensics procedures must be properly followed to avoid contamination (altering) of the evidence (information).
• It is very important to maintain the Chain of Custody.
Why do we need Computer Forensics?
• Support law enforcement.
• Many types of documents are now stored electronically.
• Learn about the techniques used by cyber-criminals.
• Computers may be the instrument used in a crime or the victim of a crime.
Live Analysis Versus Static Analysis
• Live Analysis: Forensics performed on a running system. There are more things to look at during a live analysis than during a static analysis. Do you pull the plug or perform an orderly shutdown?
• Static Analysis: Forensics performed on a copy of the data from a system. This type of analysis is done most often.
Live Analysis
Things to record:
• System time and date.
• Users logged on to the system.
• Open network connections.
• Network drives mapped to the system.
• Processes that are running.
• What is on the Desktop and Clipboard.
Static Analysis
Things to look for:
• Registry entries.
• Hidden files and folders, encrypted files.
• Images, emails, IM logs, other files.
• Misnamed files.
• Deleted files.
• Data in unallocated space and slack space.
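One of the checks on the static-analysis list, misnamed files, can be automated by comparing a file's extension with its signature (the "magic number" in its first bytes). The following is an added example, not code from the presentation; the signature table covers only a handful of common formats, and the sample files are constructed in memory (read_header shows how the same check is run against files on a mounted image).

```python
"""Flag misnamed files: the extension claims one type while the file's
leading bytes (its signature or "magic number") say another.

Added example for the static-analysis checklist; not from the original
presentation. The signature table is deliberately small and the sample
files below are constructed.
"""
import os

# (signature bytes, type name, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    # Office Open XML documents are ZIP containers, so they share the ZIP signature.
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]
HEADER_LEN = max(len(sig) for sig, _, _ in SIGNATURES)


def identify(header):
    """Return the type name whose signature the header starts with, or None."""
    for magic, kind, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_name(name, header):
    """Compare a file's extension with its signature.

    Returns (kind, status) where status is 'ok', 'misnamed' or 'unknown'
    (no signature in the table matched, so nothing can be concluded).
    """
    ext = os.path.splitext(name)[1].lower()
    kind = identify(header)
    if kind is None:
        return None, "unknown"
    allowed = set()
    for _, k, exts in SIGNATURES:
        if k == kind:
            allowed |= exts
    return kind, "ok" if ext in allowed else "misnamed"


def read_header(path):
    """Read the first HEADER_LEN bytes of a real file (e.g. on a mounted image)."""
    with open(path, "rb") as f:
        return f.read(HEADER_LEN)


def scan(files):
    """files: iterable of (name, header bytes). Returns names whose extension lies."""
    return [name for name, header in files if check_name(name, header)[1] == "misnamed"]


# Constructed sample headers; the byte patterns mimic real file starts.
SAMPLE_FILES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # a JPEG renamed to .txt
    ("report.pdf", b"%PDF-1.7\n"),
    ("backup.zip", b"%PDF-1.4\n"),                         # a PDF renamed to .zip
    ("memo.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("readme.txt", b"Just plain text\n"),                  # no signature: unknown
]

if __name__ == "__main__":
    for name, header in SAMPLE_FILES:
        print(f"{name:14s} {check_name(name, header)}")
    print("misnamed:", scan(SAMPLE_FILES))
```

A file with no recognised signature is reported as unknown rather than misnamed, so plain text and formats outside the table do not produce false alarms; forensic suites ship far larger signature databases, but the logic is the same.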
Capturing a Drive Image
• A write-blocker must be used to prevent write operations on the drive being imaged. Can be software or hardware.
• Entire drive is imaged, including unallocated space, to a clean drive.
• Image must be verified to guarantee integrity. This is done using a hash function.
Capturing a Drive Image
• One bit is a 0 or a 1.
• One byte is 8 bits.
• One KB (Kilobyte) is 1024 bytes.
• One MB (Megabyte) is 1024 KB.
• One GB (Gigabyte) is 1024 MB.
• A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).
• One TB (Terabyte) is 1024 GB.
Capturing a Drive Image
• Drive may be imaged via a USB or FireWire connection, or over the network.
• The size of the drive being imaged affects the time required to perform the capture.
• The speed of the connection also affects the time required to image the drive.
• A 500 GB drive may require 8 hours or several days to acquire.
Image is Verified via a Hash
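The verification step described above, as an added example that is not part of the presentation: the image is hashed in fixed-size chunks (so a 500 GB image never has to fit in memory) and the digest is compared with the digest of the source drive. The "drive" here is constructed pseudo-random data; hash_file shows the same routine applied to an image file on disk.

```python
"""Verify a drive image by hashing it and comparing with the hash of
the original drive, reading in chunks so very large images stream
through memory.

Added example, not from the original presentation. Functions take
file-like objects so the demo can run on constructed in-memory data;
pass an open file ('rb') to hash a real image.
"""
import hashlib
import io
import random

CHUNK = 1024 * 1024  # read 1 MiB at a time


def hash_stream(stream, algorithm="sha256"):
    """Hash everything readable from a binary stream; returns a hex digest."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hash an image file (or a raw device node) on disk."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithm)


def verify_image(source, image, algorithm="sha256"):
    """Return (match, source_hash, image_hash) for two binary streams.

    Both digests are returned so they can be written into the
    chain-of-custody record alongside the verdict.
    """
    source_hash = hash_stream(source, algorithm)
    image_hash = hash_stream(image, algorithm)
    return source_hash == image_hash, source_hash, image_hash


def constructed_drive(size=256 * 1024, seed=1):
    """Constructed stand-in for a drive: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def demo():
    """Compare a faithful copy and a copy with a single flipped bit.

    Returns (faithful_matches, tampered_matches), expected (True, False).
    """
    original = constructed_drive()
    faithful = bytes(original)
    tampered = bytearray(original)
    tampered[100_000] ^= 0x01          # one bit changed somewhere in the image
    faithful_ok, _, _ = verify_image(io.BytesIO(original), io.BytesIO(faithful))
    tampered_ok, _, _ = verify_image(io.BytesIO(original), io.BytesIO(tampered))
    return faithful_ok, tampered_ok


if __name__ == "__main__":
    ok, bad = demo()
    print("faithful copy verifies:", ok)
    print("one-bit change verifies:", bad)
```

Because a single flipped bit changes the digest completely, the recorded hash both proves the image is a faithful copy and detects any later alteration of it; imaging tools commonly record MD5 and SHA-1 as well, and the same streaming routine works for any algorithm hashlib supports.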
The Organization of Hard Disks
• A hard disk contains one or more platters.
• Each platter contains two sides (surfaces).
• Each surface contains circular tracks divided into sectors. Each track may contain 64 sectors. Each sector contains 512 bytes of data.
• A 500 GB hard drive contains over 1 billion sectors.
Typical Hard Drive
The Organization of Hard Disks
• The hard disk spins at a fast rate (5400 rpm or 7200 rpm).
• A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on the surface.
• Data is transferred between the disk and main memory on the motherboard.
The Organization of File Systems
• A File System is a logical way of organizing the sectors on a disk.
• Different Operating Systems support different file systems:
  • Windows: FAT and NTFS
  • Linux: EXT3
  • Mac OS X: HFS+
• FAT is the most widely supported file system.
The Organization of File Systems
• Sectors on a disk are allocated as follows for the FAT (File Allocation Table) file system:
  • Boot sector
  • FAT sectors
  • Directory sectors
  • Data sectors
Operation of FAT
Challenges of FAT
• After a lot of use (files created, edited, and deleted) the FAT becomes very fragmented.
• Not easy to search through the FAT on a hard disk as it is very large.
• Need software to interpret the FAT for us.
• File slack may contain valuable data.
Where is the File Slack?
What Happens when a File is Deleted?
• The file’s entries in the FAT are set to ‘free.’
• The file’s entry in the Directory has its first byte (letter) changed to an unprintable code (E5)… all other file properties stay the same.
• The data content of the file remains stored on disk until overwritten.
A Sample Directory
Where’s the Data?
• Registry.
• Files and folders.
• Deleted files.
• Unallocated space.
• Slack space.
• System files: HIBERFIL.SYS, INDEX.DAT, PAGEFILE.SYS.
Forensic Tools
• Hex editor: Display, search, and modify hexadecimal data.
• Forensic analysis software:
  • FTK (Forensic Toolkit)
  • EnCase
  • Autopsy
  • X-Ways
FTK (Forensic ToolKit)
Forensic Tools
• Network traffic sniffer/analyzer
• Imaging software
• Hashing software
• Log file analyzer
• Steganography software
Skills Needed by a Forensic Examiner
• Knowledge of Operating Systems.
• Knowledge of File Systems.
• Must understand networking and TCP/IP.
• Must possess necessary software for imaging and analyzing images.
• Must possess additional software such as hex editor, log file analyzer, etc.
• Lots of patience !!!
Thank you!
• Questions?
• Contact Info:
  • James L. Antonakos, Professor, CST
  • [email protected]