Search and Analysis
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]
8/24/06
Computer Forensics Procedure
• Verify legal authority: search warrants
• Photographing
• Documentation
• Hash verification: CRC/MD5/SHA1 (note that a CRC is an error-detecting checksum, not a cryptographic hash, and that MD5 and SHA-1 are now collision-broken; current practice records SHA-256 alongside or instead of them)
• Documentation
• Interpret and report
• Present and defend
• Documentation
The Defensible Approach
Acquisition
• Location, date, time, witnesses
• System information, status
• Physical evidence collected
• Forensically wipe storage drive
• Bit-stream imaging
• Documentation
• Chain of custody
Authentication
• Retain the integrity
Analysis
• Filtering out irrelevant data
• What could/could not have happened
• Be objective and unbiased
• Documentation
Presentation
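The acquisition and authentication phases above reduce to a procedure that can be written down exactly: copy every block of the source, hash source and image, record who did it and when, and re-hash before analysis. The following is an added example (not code from the original slides); the "device" is a constructed byte string standing in for a block device, and the examiner name and location are placeholders.

```python
"""Added example (not from the original slides): bit-stream imaging with
hash verification and a chain-of-custody log.  EVIDENCE_DEVICE is a
constructed byte string standing in for a real block device."""
import hashlib
import json
import zlib
from datetime import datetime, timezone

# Constructed stand-in for a drive: a boot-sector-like label, a file name,
# a "deleted" fragment sitting in otherwise unallocated space, and zero fill.
EVIDENCE_DEVICE = (b"NTFS    " + b"\x00" * 64 + b"invoice_final.xlsx" + b"\x00" * 32
                   + b"DELETED: transfer 40,000 to acct 7781" + b"\x00" * 128)


def bit_stream_image(device: bytes, block_size: int = 512) -> bytes:
    """Copy every block, all-zero ones included, exactly as a dd-style imager
    would.  A logical file copy would skip slack and unallocated space."""
    image = bytearray()
    for offset in range(0, len(device), block_size):
        image += device[offset:offset + block_size]
    return bytes(image)


def fingerprint(data: bytes) -> dict:
    """The checksums named on the slide plus SHA-256.  CRC32 is an
    error-detecting code, not a cryptographic hash; it is kept for comparison."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xffffffff:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def custody_entry(action: str, fp: dict, who: str, where: str) -> dict:
    """One chain-of-custody record: who did what to the evidence, where, when."""
    return {"action": action, "by": who, "location": where,
            "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": fp["sha256"]}


def acquire(device: bytes, examiner: str, location: str):
    """Image the device, hash both source and image, and open the custody log."""
    source_fp = fingerprint(device)
    image = bit_stream_image(device)
    image_fp = fingerprint(image)
    if image_fp != source_fp:
        raise RuntimeError("image does not match source; re-acquire")
    log = [custody_entry("acquired bit-stream image", image_fp, examiner, location)]
    return image, image_fp, log


def verify(image: bytes, recorded: dict) -> bool:
    """Re-hash before examination.  Any mismatch means the object on the bench
    is not the object that was acquired."""
    return fingerprint(image)["sha256"] == recorded["sha256"]


if __name__ == "__main__":
    image, fp, log = acquire(EVIDENCE_DEVICE, "J. Examiner (hypothetical)", "Lab bench 2")
    print(json.dumps(fp, indent=2))
    print("verify pristine image:", verify(image, fp))
    tampered = bytearray(image)
    tampered[100] ^= 0x01          # a single flipped bit
    print("verify after one bit flipped:", verify(bytes(tampered), fp))
```

The same hashes are computed over the source and over the image because the imaging step, not just later handling, can corrupt evidence; the comparison in acquire() is the check that makes the image defensible.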
Steps in Forensic Examination
• Verify Legal Authority:
  - Search warrant
  - Scope of the search
• Collect Preliminary Data
• Determine the Environment for the Investigation: on site or off site?
• Secure and Transport Evidence:
  - Document the evidence
  - Tag the evidence
  - Bag the evidence
  - Transport the evidence
• Acquire the evidence
• Examine and Analyze the evidence
• Report on the Investigation
Effective Data Searches
• Interview members of the IT staff to learn how and where data has been stored, if applicable.
• Confirm or define the objective of the investigation.
• Identify relevant time periods and the scope of the data to be searched.
• Identify the relevant types of data.
• Identify search terms for data filtering, particularly words, names, or unique phrases to help locate relevant data and filter out what is irrelevant. Metadata can be invaluable to the filtering process.
• Find out usernames and passwords for network and e-mail accounts, to the extent possible.
• Check for other computers or devices that might contain relevant evidence.
Data Types to be Searched
• Active data: the information readily available and accessible to users through the file manager.
• Deleted files
• Hidden, encrypted, and password-protected files
• Automatically stored data
• E-mail and instant messages
• Background information: computer and network logs, caches, cookies
Acquiring Volatile Data
• Data held in temporary storage in the system's memory is called volatile data.
• Memory is dependent on electrical power: when the power is shut off, its contents are lost. Volatile data therefore has to be collected from the running system, before it is powered down or imaged.
• Order of volatility (most volatile first; collect in this order):
  - Registers and cache
  - Routing tables, ARP cache, process tables, kernel statistics
  - Contents of system memory
  - Temporary file systems
  - Data on disk
Acquiring Volatile Data
• Commands
  - netstat -an (open ports and connections); netstat -rn (routing table)
  - lsof (open files and sockets, Unix)
  - ifconfig (network interfaces, Unix)
  - ipconfig (network interfaces, Windows)
  - pslist (running processes, Windows Sysinternals)
  - nbtstat (NetBIOS over TCP/IP name cache and sessions, Windows)
  - top (running processes, Unix)
  - prstat (running processes, Solaris)
  - arp -a (ARP cache)
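Running these commands by hand is error-prone and leaves no record of when each snapshot was taken. The following added example (not from the original slides) runs them in order of volatility, saves each output to a file, and hashes it so the collection can be authenticated later in the same way as a disk image. It assumes nothing about which tools exist on the host: a tool that is not installed is recorded as "not found" rather than aborting the run. The output directory is created with tempfile; in practice it would be removable media prepared for the purpose.

```python
"""Added example (not from the original slides): collect volatile data in
order of volatility, saving and hashing each command's output.  Command
availability is checked first, so the run degrades gracefully on hosts that
lack a tool (Windows-only tools on Unix and vice versa)."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

PYTHON = sys.executable   # exposed so a self-test can run a command that surely exists

# Most volatile first.  Unix and Windows tools are both listed; the ones
# absent on the host are simply recorded as "not found".
VOLATILE_COMMANDS = [
    ("arp-cache",   ["arp", "-a"]),
    ("routes",      ["netstat", "-rn"]),
    ("connections", ["netstat", "-an"]),
    ("open-files",  ["lsof", "-n"]),
    ("processes",   ["pslist"]),                 # Sysinternals, Windows
    ("processes",   ["top", "-b", "-n", "1"]),   # Linux, batch mode so it exits
    ("processes",   ["prstat", "1", "1"]),       # Solaris, one sample then exit
    ("netbios",     ["nbtstat", "-c"]),          # Windows
    ("interfaces",  ["ifconfig", "-a"]),
    ("interfaces",  ["ipconfig", "/all"]),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_volatile(commands=VOLATILE_COMMANDS, outdir=None, timeout=30):
    """Run each command in the given order and return one record per command."""
    outdir = outdir or tempfile.mkdtemp(prefix="volatile-")
    records = []
    for label, argv in commands:
        rec = {"label": label, "argv": argv,
               "utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}
        if shutil.which(argv[0]) is None:
            rec["status"] = "not found"
            records.append(rec)
            continue
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            rec["status"] = "timeout"          # a hung tool must not stall the rest
            records.append(rec)
            continue
        path = os.path.join(outdir, f"{len(records):02d}-{label}.txt")
        with open(path, "wb") as fh:
            fh.write(proc.stdout)
        rec.update(status="ok", returncode=proc.returncode, path=path,
                   bytes=len(proc.stdout), sha256=sha256_hex(proc.stdout))
        records.append(rec)
    # Manifest of time stamps and hashes: this is what goes into the evidence log.
    with open(os.path.join(outdir, "MANIFEST.txt"), "w") as fh:
        for r in records:
            fh.write(f"{r['utc']} {r['label']:<12} {r['status']:<9} {r.get('sha256', '')}\n")
    return records


if __name__ == "__main__":
    for r in collect_volatile():
        print(r["utc"], r["label"], r["status"], r.get("sha256", ""))
```

Each command is run exactly once and its raw stdout is what gets hashed, so the manifest line for a snapshot can be checked against the saved file at any later point without re-running anything on the (by then changed) system.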
Structure of EnCase
Logical Examination Pyramid (degree of complexity and difficulty increases from the base to the top)
• Top: data for analysis
• Unallocated space and file slack
• Password-protected, encrypted, compressed, and link files
• Hash analysis, file header/extension analysis, and obvious files of interest
• Base (investigation foundation): file system details, directory structure, operating system norms, partition information, and other operating systems
The Art of File Analysis
• File contents
• Metadata
• Application files
• Operating system file types
• Directory / folder structure
• Patterns
• User configurations
• Time frame analysis
  - Creation date/time
  - Modified date/time
  - Accessed date/time
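The "Effective Data Searches" slide earlier and the time frame analysis bullet above describe the same filter from two sides: scope the search to a time period and to relevant file types, then look for the search terms, keeping the metadata of each hit. The following added example (not from the original slides) implements that filter over a small constructed corpus; the file names, contents and dates are made up, and the modified times are set with os.utime so the window filter can be exercised.

```python
"""Added example (not from the original slides): scoped keyword search over
files and their metadata.  The corpus below is constructed; modified times are
set with os.utime so that the time-period filter has something to act on."""
import os
import re
import tempfile
from datetime import datetime, timezone

SAMPLE_FILES = [  # constructed: (name, text, modified time, UTC)
    ("memo.txt",     "Transfer 40,000 to account 7781 before the audit.", "2006-03-14T09:12:00"),
    ("old_memo.txt", "Account 7781 balance confirmed.",                   "2005-01-02T10:00:00"),
    ("lunch.txt",    "Pizza order for the team on Friday.",               "2006-03-15T12:30:00"),
    ("ledger.csv",   "date,acct,amount\n2006-03-14,7781,40000\n",         "2006-03-14T18:45:00"),
    ("photo.jpg",    "stand-in for a binary file; out of scope by type",  "2006-03-14T08:00:00"),
]


def _utc_ts(iso: str) -> float:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def build_sample_corpus(root=None) -> str:
    """Write the constructed files and stamp their access/modified times."""
    root = root or tempfile.mkdtemp(prefix="search-")
    for name, text, mtime in SAMPLE_FILES:
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        ts = _utc_ts(mtime)
        os.utime(path, (ts, ts))   # (atime, mtime); ctime cannot be set from user space
    return root


def search(root, terms, start, end, extensions=(".txt", ".csv")):
    """Return one hit per matching term in files whose modified time lies in
    [start, end] and whose extension is in scope, with context and MAC times."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    lo, hi = _utc_ts(start), _utc_ts(end)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if not name.lower().endswith(extensions) or not (lo <= st.st_mtime <= hi):
                continue   # out of scope: wrong type or outside the relevant period
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in pattern.finditer(text):
                ctx = text[max(0, m.start() - 20): m.end() + 20].replace("\n", " ")
                hits.append({
                    "file": name, "term": m.group(0), "context": ctx,
                    "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc).isoformat(),
                    "changed": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
                })
    return hits


if __name__ == "__main__":
    root = build_sample_corpus()
    for h in search(root, ["7781", "transfer"], "2006-03-01T00:00:00", "2006-03-31T23:59:59"):
        print(h["file"], h["term"], h["modified"], repr(h["context"]))
```

Note that the "changed" (ctime) value in each hit reflects when the file was written by build_sample_corpus, not the constructed date: ctime is set by the kernel and cannot be back-dated with os.utime, which is exactly why it is worth recording next to the modified time when a file's dates look too tidy.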
The Art of Data Hiding Analysis
• Password-protected files
• Compressed files
• Compressed files + password protection
• Encrypted files
• Steganography
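The pyramid's "hash analysis, file header/extension analysis" layer and the hiding techniques listed above can be triaged with a few checks that do not depend on a commercial tool: compare the file signature with the extension, read the ZIP local-header flag that marks a password-protected entry, and estimate byte entropy to flag data that is probably encrypted. The following is an added example (not from the original slides); every sample file in it is constructed in the code, and the password-protected archive is simulated by setting the flag bit by hand because the standard library cannot write encrypted ZIPs. Steganography is not covered; it needs format-specific analysis that a generic triage cannot do.

```python
"""Added example (not from the original slides): first-pass triage for hidden
data: signature vs. extension, password-protected ZIP entries, and entropy as
an indicator of encryption.  All samples are constructed below."""
import hashlib
import io
import math
import struct
import zipfile

SIGNATURES = {   # magic bytes -> the type the extension should reflect
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe"}


def identify(data: bytes):
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the header says one thing and the extension another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = identify(data)
    return kind is not None and kind != ext


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the ZIP local file headers.  Bit 0 of the general-purpose flag
    (2 bytes at offset 6 of each header) marks a password-protected entry."""
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04" and pos + 30 <= len(data):
        flags, = struct.unpack_from("<H", data, pos + 6)
        if flags & 1:
            return True
        comp_size, = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        pos += 30 + name_len + extra_len + comp_size
    return False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name: str, data: bytes) -> dict:
    kind = identify(data)
    ent = shannon_entropy(data)
    return {"name": name, "type": kind,
            "extension_mismatch": extension_mismatch(name, data),
            "zip_encrypted": kind == "zip" and zip_has_encrypted_entry(data),
            "entropy": round(ent, 2),
            # Unknown format plus near-maximal entropy: probably ciphertext.
            "likely_encrypted": kind is None and ent > 7.5}


def make_zip(password_protected: bool) -> bytes:
    """Constructed archive.  The encryption flag is set by hand in the first
    local header; the standard library cannot write encrypted entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plan.txt", "meet at the usual place " * 20)
    data = bytearray(buf.getvalue())
    if password_protected:
        data[6] |= 1
    return bytes(data)


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for ciphertext, so the run is repeatable."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"ct" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


SAMPLES = [  # constructed
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
    ("notes.txt",   b"\xff\xd8\xff\xe0" + b"\x00" * 64),   # a JPEG renamed to .txt
    ("q1.xlsx",     make_zip(False)),                       # Office files are ZIPs
    ("backup.zip",  make_zip(True)),
    ("readme.txt",  b"plain text repeated " * 40),
    ("cache.dat",   pseudo_random(8192)),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(triage(name, data))
```

The entropy threshold is a heuristic: compressed data scores almost as high as ciphertext, which is why the example only raises "likely_encrypted" when no known signature matches. A real ZIP, JPEG or PNG is high-entropy by design and is classified by its header instead.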
Common Cyber Criminal Tools
• Nuker: software used by intruders to destroy system log trails.
• Anonymous remailers: tools used by intruders to mask their identities. These devices are configured to receive and re-send Internet traffic, replacing the original (actual) source address of the sender with the address of the anonymous remailer machine.
• Password cracker: software used to recover passwords from stolen password files (often described as "encrypted", though such files normally hold password hashes, which the cracker attacks by guessing candidates and hashing them). The files are often taken from a victim's network server.
• Scanner: software used to identify services that are running on a network so that those services can be exploited to gain unauthorized access to the network.
• Spoofer: software used to impersonate someone else, hiding the identity of the actual sender of an e-mail.
• Steganography: the science of hiding messages in messages. The point is to hide data, or the existence of the message; that is, to hide the fact that the parties are communicating anything other than innocuous graphics or audio files. Steganography has been used by terrorists and intruders to spy, steal, or communicate information via electronic "dead drops", typically Web pages.
• Trojan horse: malicious software disguised as a legitimate computer file or program. Trojan horses are used to create backdoors into networks to gain unauthorized access to the network.