Computer Forensics
An Intro to Computer Crime

Computer Forensics
 The BTK Killer (Bind, Torture, Kill)
Dennis Rader - Feb 2005: charged with committing 10
murders beginning in 1974 in the Wichita, KS area.
“Erased” information on a floppy disk he sent to a local
TV station was recovered and restored by forensic
computer specialists. Metadata in the recovered Word
document traced it back to Christ Lutheran Church, where
Dennis Rader was council president. This, along with
other mounting evidence, served to convict him.
Computer Forensics
 Computer forensics involves the preservation,
acquisition, extraction, analysis, and interpretation
of computer data.
 Investigators frequently encounter computers and
other digital devices in all types of cases.
 The most logical place to start to examine these
practices is with the most common form of
electronic data: the personal computer.
Computer Forensics
 Basic Parts/Key Terms:
• Bit
• Byte
• CPU
• Cluster
• File slack
• HDD
• Hardware
• MD5 / SHA (cryptographic
hash algorithms)
• Motherboard
• OS
• Partition
• RAM slack
• RAM
• Sector
• Software
• Swap file
• Temporary File
• Unallocated Space
• Visible Data
Computer Forensics
 The Personal Computer
• Hardware
• Software
Computer Forensics
• Power Supply converts power
from the wall outlet to a usable
format for the computer.
• External drive is used to read
from and write to a removable
disk.
• CD/DVD drives are used to store
everything from music and
video to data files.
• Hard Disk Drive (HDD) is the
primary storage component of
the personal computer.
Computer Forensics
Floppy Disk Drive: used to boot an operating
system or to store data. By today’s standards,
they don’t hold much data.
Expansion Bus: lots of wires that carry data from
one hardware device to another.
ROM (Read-Only Memory): class of storage media
used in computers and other electronic devices.
Motherboard: basic purpose is to provide the
electrical and logical connections by which the
other components of the system communicate.
Computer Forensics
CPU (Central Processing Unit): the main chip
within the computer, known as the brain of the
computer.
RAM (Random-Access Memory): the volatile memory
of the computer; when power is turned off, its
contents are lost.
Computer Case/Chassis: the physical box holding
the fixed internal computer components in place.
Computer Forensics
 Input Device – the user side of the computer
e.g., keyboard, mouse, joystick, scanner
 Output Device – equipment through which
data is obtained from the computer
 e.g., monitor, printer
 HDD – primary storage component in a
personal computer. Stores the OS, programs,
and data files created by the user.
Computer Forensics
The Operating System
is a software program
that allows the
computer hardware to
communicate and
operate with the
computer software.
Without an operating
system, a computer
would be useless.
Computer Forensics
The Operating System
 Recognizing input from the keyboard
 Sending output to the display screen
 Keeping track of files and directories on the disk
 Controlling peripheral devices such as disk
drives and printers
Computer Forensics
 Providing a software platform on top of which
other programs, called application programs, run.
 Some examples of operating systems are
Windows and Linux.
Computer Forensics
 Types of HDD
IDE – Integrated drive electronics
SCSI – small computer system interface
SATA – serial ATA
HDDs are formatted or mapped and have a defined
layout. They are “logically” divided into sectors,
clusters, tracks and cylinders.
Computer Forensics
 Sectors are the smallest addressable unit of data on
a hard disk drive. They traditionally consist of 512
bytes (newer “Advanced Format” drives use 4096).
 Bytes are a group of eight bits.
 A bit takes the form of either a one or a zero; it is the
smallest unit of data on a machine. The word bit is
short for binary digit.
 Clusters are a group of sectors, always a power of
two (1, 2, 4, 8, ...). The cluster size varies from file
system to file system and is the minimum space the
file system allocates to a file, so even a 1-byte file
occupies a whole cluster.
Computer Forensics
 Other Common Storage Devices
CD-ROM (CD-R/RW)
USB-thumb drive
Floppy disks
Zip disks
Tapes
DVD ±R/RW
Computer Forensics
 NIC – Network Interface Card
Add-on cards that plug into the motherboard
Hard-wired devices on the motherboard
Add-on cards for laptops (PCMCIA)
USB plug-in cards
Wired (Ethernet) / Wireless 802.11 a/b/g/n
Computer Forensics
How the HDD is Made Up
Computer Forensics
 On each disk or platter
there are tracks; these
tracks are divided into
sectors.
 A group of sectors is a
cluster.
 A cluster always contains a
power-of-two number of
sectors (1, 2, 4, 8, ...).
Computer Forensics
 There are several platters stacked vertically,
each divided into tracks and sectors (and, by the
file system, clusters). Tracks are concentric
circles defined around the platter. Cylinders are
groups of tracks that reside directly above
and below each other on the different platters.
 Each file system’s tables keep track of where
data is stored in their own way.
Computer Forensics
 OS – Provides a bridge between the system
hardware and the user. It lets the user interact with
the hardware and manages the file system and
applications
 Partition – a contiguous set of blocks that is
defined and treated as an independent disk. After the
disk is partitioned, each partition is formatted
(high-level) with a file system, e.g. floppy – FAT12,
Windows – FAT32 or NTFS, Linux – ext3 and Mac – HFS+
 Each file system has a different way of storing data
Computer Forensics
 Consider a room full of safe
deposit boxes. If a person rents
two boxes located at opposite
ends of the room, the database
tracking the locations of the
boxes is much like a file system
tracking the location of data
within the clusters of a HDD.
 If the database managing the
locations of the boxes were wiped
out, the property in them would
still remain; we just wouldn’t
know what was where!
Computer Forensics
Processing the Electronic Crime Scene
 Before an investigator can begin processing the
crime scene he/she must first ensure that the proper
legal authority is in place:
Search warrant (on school property, the school has a say!)
Consent
 The scene must be documented in as much detail as
possible. The investigator must make sure not to
disturb any evidence before he/she touches the
computer.
Computer Forensics
 Crime Scene Documentation
Sketching and Photographing
Floor plan of the network, overall layout, close-ups of
any running computer on the network.
All the connections to the main frame/server, peripheral
devices, and notation of serial numbers (photos)
EnCase, Forensic Toolkit (FTK), Autopsy – forensic
software applications capable of imaging and
assisting in the analysis of data.
Computer Forensics
 Forensic Software
comes equipped
with a method to
obtain forensic
images and
compress data if
need be.
Computer Forensics
 Investigators must decide whether to:
Perform a live acquisition of the data
Perform a normal system shutdown (e.g. with a server)
“Pull the Plug”
Use a combination of all three
 BEFORE disconnecting:
 Label every cable and peripheral and the port it is
connected to
 Use a numbering scheme to ID peripherals if there is
more than one computer
Computer Forensics
 Forensic Image Acquisition
Least intrusive method to obtain data without
destroying evidentiary data
Remove the HDD and connect it to a laboratory forensic
computer through a write blocker so that a “forensic
image” (bit-for-bit copy) can be created while the
original stays read-only
Must be able to PROVE there were no writes to the
original drive or to the image: hash (MD5/SHA) the
drive and the image, and re-verify the hash at every
step of the analysis
Copy the “empty” areas of the drive as well: the image
includes unallocated space and slack, not just the files
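Added example (not part of the original slides): a small Python model of the acquisition and verification steps above. It builds a constructed 32 KiB "drive" file (sample data, not real evidence), images it read-only from the first sector to the last while hashing with MD5 and SHA-256, verifies the image against the acquisition hashes, shows that flipping a single bit anywhere fails verification, and searches the whole image, including a cluster no file points to, for a keyword. The drive layout, cluster size, file names and strings are assumptions made up for the demonstration; a real acquisition reads a block device through a hardware write blocker.

```python
import hashlib
import io
import os
import tempfile

SECTOR_SIZE = 512            # classic sector size; newer drives use 4096
CLUSTER_SECTORS = 8          # assumed 4 KiB clusters, a common FAT32/NTFS default
CLUSTER = SECTOR_SIZE * CLUSTER_SECTORS


def build_sample_drive():
    """Constructed 32 KiB 'drive' (sample data, not a real image):
    cluster 0 holds a live file, cluster 3 holds the leftover bytes of a
    file that was deleted, every other byte is zero."""
    disk = bytearray(8 * CLUSTER)
    live = b"Quarterly sales figures - accounts.xls\x00"
    disk[0:len(live)] = live
    leftover = b"wire transfer to offshore account 12345 (deleted memo)"
    disk[3 * CLUSTER:3 * CLUSTER + len(leftover)] = leftover
    return bytes(disk)


def acquire_image(device_path, block_size=64 * SECTOR_SIZE):
    """Stream the device from sector 0 to the end, hashing as we go.
    This is what `dd` followed by `sha256sum`/`md5sum` does; in a real
    acquisition a hardware write blocker sits between the evidence drive
    and this reader. Returns the image bytes and the acquisition hashes."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    image = io.BytesIO()
    with open(device_path, "rb") as dev:          # "rb", never "r+b": no writes
        while True:
            chunk = dev.read(block_size)
            if not chunk:
                break
            sha256.update(chunk)
            md5.update(chunk)
            image.write(chunk)
    return image.getvalue(), {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def verify_image(image, hashes):
    """Re-hash the image and compare with the acquisition hashes.
    A change to any single bit anywhere in the image fails this check."""
    return (hashlib.sha256(image).hexdigest() == hashes["sha256"]
            and hashlib.md5(image).hexdigest() == hashes["md5"])


def search_image(image, needle):
    """Return (cluster, offset-in-cluster) for every occurrence of `needle`,
    including hits in unallocated clusters that no directory entry points to."""
    hits = []
    pos = image.find(needle)
    while pos != -1:
        hits.append((pos // CLUSTER, pos % CLUSTER))
        pos = image.find(needle, pos + 1)
    return hits


def demo():
    """Write the sample drive to a temp file, image it, verify, tamper, search."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(build_sample_drive())
        path = f.name
    try:
        image, hashes = acquire_image(path)
        tampered = bytearray(image)
        tampered[5000] ^= 0x01                     # flip one bit in cluster 1
        return {
            "image_size": len(image),
            "verifies": verify_image(image, hashes),
            "tampered_verifies": verify_image(bytes(tampered), hashes),
            "hits": search_image(image, b"offshore"),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The keyword hit lands in cluster 3, which the constructed drive's "directory" never references: that is the "empty area" the slide says must be copied, and it is only there because the imaging loop reads every sector rather than walking the file system.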
Computer Forensics
 Analysis of Electronic Data – Based on the skill of
the Computer Forensic Technologist
 Most Common Types of Evidentiary Data
 Visible Data – all data that the OS is presently aware of
and thus is readily accessible to the user
 Data/Work Product Files – data from any software
program. In white-collar crime cases: MS Word or
WordPerfect, Excel, Peachtree or QuickBooks, etc. A
suspect’s computer may contain valuable information in
these files, such as bank account records, counterfeiting
pictures, and questionable e-mails.
Computer Forensics
Swap File Data – a file or defined space on the
HDD used to supplement RAM. Data is paged or
swapped to this file or space to free up RAM for
use by applications that are open.
Temporary Files–temporarily written by an
application to perform a function or a backup
copy while working on a project. Some are
automatically written as a program is running
without the user telling the program to ‘save’.
Computer Forensics
 Swap Files, Temporary Files, and Print Spools
(data sent to a printer) can all be used to
recover data not easily accessible to the
average user and usually, even the suspect.
Computer Forensics
 Latent Data – areas of files and disks that are
typically not apparent to the computer user &
sometimes the OS, but contain data all the
same. Examples:
Slack space – file slack & RAM slack
Unallocated space
Space left behind by defragmentation (old copies of
moved files)
Swap files and space
Deleted files
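Added example (not in the original slides) for the slack-space arithmetic from the sector/cluster slide and the latent-data list above. Sector and cluster sizes (512 bytes, 8 sectors per cluster) and the file contents are assumptions chosen for the demonstration. `slack_layout` does the byte accounting for RAM slack and file slack, and the two helper functions model how a cluster reused by a smaller file keeps the previous file's bytes in file slack, where an imaging tool can still carve them.

```python
SECTOR = 512          # assumed sector size
CLUSTER = 8 * SECTOR  # assumed 4 KiB cluster (8 sectors)


def ceil_to(n, unit):
    """Round n up to the next multiple of unit."""
    return -(-n // unit) * unit


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Byte accounting for a file of file_size bytes (> 0):
    RAM slack  = from end of file to end of its last sector
    file slack = from end of that sector to end of the last cluster
    Both lie outside the file's logical size, so the OS never shows them."""
    allocated = ceil_to(file_size, cluster)
    last_sector_end = ceil_to(file_size, sector)
    return {
        "clusters": allocated // cluster,
        "allocated": allocated,
        "ram_slack": last_sector_end - file_size,
        "file_slack": allocated - last_sector_end,
    }


def write_file_into_cluster(cluster_bytes, data, sector=SECTOR):
    """Model how the OS writes a (re)used cluster: whole sectors only.
    The final sector is padded to the sector boundary (modern systems pad
    with zeros; DOS-era systems padded with whatever was in RAM, hence the
    name "RAM slack"), and the remaining sectors of the cluster are never
    touched, so whatever they held before survives."""
    buf = bytearray(cluster_bytes)
    padded = ceil_to(len(data), sector)
    buf[:len(data)] = data
    buf[len(data):padded] = b"\x00" * (padded - len(data))
    return bytes(buf)


def carve_file_slack(cluster_bytes, file_size, sector=SECTOR):
    """Return the file-slack bytes: everything after the file's last sector.
    A forensic image copies this region even though no file "contains" it."""
    return cluster_bytes[ceil_to(file_size, sector):]


def demo():
    """Constructed scenario: a 4 KiB file is deleted, its cluster is reused by
    a 1000-byte note, and the old payroll text is still readable in slack."""
    old_file = (b"old payroll record #" * 300)[:CLUSTER]   # fills the cluster
    new_note = b"N" * 1000
    cluster = write_file_into_cluster(old_file, new_note)  # reuse after delete
    slack = carve_file_slack(cluster, len(new_note))
    return {
        "layout": slack_layout(len(new_note)),
        "slack_matches_old_file": slack == old_file[ceil_to(len(new_note), SECTOR):],
        "old_text_in_slack": b"payroll" in slack,
    }


if __name__ == "__main__":
    print(demo())
```

For the 1000-byte note the layout is 24 bytes of RAM slack (to the end of sector 2) and 3072 bytes of file slack (sectors 3 to 8 of the cluster), and every one of those 3072 bytes still belongs to the deleted payroll file.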
Computer Forensics
 Deleted Files
When files are deleted, their contents remain on the
hard drive. On FAT file systems the first byte of the
file’s directory entry is overwritten with 0xE5 (shown
as the Greek letter sigma, σ, by older tools) and its
clusters are marked free; nothing is actually erased.
This renders the file inaccessible to the average
user.
Forensic scientists have programs that can access
these files and obtain evidence.
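Added example (not in the original slides) tying together the safe-deposit-box analogy and the deleted-file slide: a toy FAT-style volume with a root directory, an allocation table (the "database" of the analogy) and data clusters. Deleting a file only writes 0xE5 into the first byte of its 32-byte directory entry and zeros its FAT chain; the other 31 bytes of the entry and the data clusters are untouched, which is what lets a forensic listing show the file (with σ in place of its first letter, since code page 437 draws 0xE5 as sigma) and recover it. The volume geometry, file names and contents are assumptions for the demonstration, and recovery assumes the file's clusters were contiguous.

```python
import struct

SECTOR = 512
CLUSTER = SECTOR              # one sector per cluster keeps the toy volume small
DIR_ENTRIES = 8
ENTRY_FMT = "<8s3sB10sHHHI"   # name, ext, attr, reserved, time, date, first cluster, size
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32 bytes, as in real FAT
DELETED = 0xE5                # FAT's "free entry" marker; code page 437 draws it as sigma
END_OF_CHAIN = 0xFFFF


class MiniFatVolume:
    """Toy FAT-style volume: a root directory, an allocation table and data clusters."""

    def __init__(self, n_clusters=16):
        self.directory = bytearray(DIR_ENTRIES * ENTRY_SIZE)
        self.fat = [0] * n_clusters                # 0 = free, else next cluster / END_OF_CHAIN
        self.fat[0] = self.fat[1] = END_OF_CHAIN   # first two FAT entries are reserved
        self.data = bytearray(n_clusters * CLUSTER)

    def _entry(self, index):
        return bytes(self.directory[index * ENTRY_SIZE:(index + 1) * ENTRY_SIZE])

    def write_file(self, name, ext, content):
        """Allocate clusters, chain them in the FAT, add a directory entry."""
        clusters = []
        for off in range(0, len(content), CLUSTER):
            c = self.fat.index(0)                  # first free cluster
            self.fat[c] = END_OF_CHAIN
            if clusters:
                self.fat[clusters[-1]] = c         # link previous cluster to this one
            clusters.append(c)
            chunk = content[off:off + CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        for i in range(DIR_ENTRIES):
            if self.directory[i * ENTRY_SIZE] == 0:    # never-used slot
                break
        else:
            raise OSError("directory full")
        entry = struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(),
                            0x20, b"\x00" * 10, 0, 0, clusters[0], len(content))
        self.directory[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] = entry
        return i

    def delete_file(self, index):
        """What DEL does: mark the entry free and release the FAT chain.
        The other 31 bytes of the entry and the data clusters are untouched."""
        c = struct.unpack(ENTRY_FMT, self._entry(index))[6]
        while c not in (0, END_OF_CHAIN):
            nxt = self.fat[c]
            self.fat[c] = 0
            c = nxt
        self.directory[index * ENTRY_SIZE] = DELETED

    def list_files(self, include_deleted=False):
        """What the user sees; with include_deleted, what a forensic tool sees.
        Returns (display name, first cluster, size, is_deleted) tuples."""
        out = []
        for i in range(DIR_ENTRIES):
            entry = self._entry(i)
            if entry[0] == 0:
                break                              # end of directory
            name, ext, _, _, _, _, first, size = struct.unpack(ENTRY_FMT, entry)
            deleted = entry[0] == DELETED
            if deleted and not include_deleted:
                continue
            shown = name.decode("cp437").rstrip() + "." + ext.decode("cp437").rstrip()
            out.append((shown, first, size, deleted))
        return out

    def recover_deleted(self, index):
        """Read `size` bytes from the recorded first cluster. The FAT chain is
        gone, so this assumes the clusters were contiguous (true for most small
        files; fragmented files need carving)."""
        entry = self._entry(index)
        if entry[0] != DELETED:
            raise ValueError("entry is not marked deleted")
        first, size = struct.unpack(ENTRY_FMT, entry)[6:8]
        return bytes(self.data[first * CLUSTER:first * CLUSTER + size])


def demo():
    """Constructed scenario: write two files, delete the first, list, recover."""
    vol = MiniFatVolume()
    memo = (b"Meet at the church hall, bring the disk. " * 20)[:700]   # 2 clusters
    memo_idx = vol.write_file("MEMO", "TXT", memo)
    vol.write_file("NOTES", "TXT", b"N" * 100)
    vol.delete_file(memo_idx)
    return {
        "user_view": vol.list_files(),
        "forensic_view": vol.list_files(include_deleted=True),
        "recovered_ok": vol.recover_deleted(memo_idx) == memo,
        "fat": vol.fat[:6],
    }


if __name__ == "__main__":
    print(demo())
```

After the delete the user-visible listing shows only NOTES.TXT, the forensic listing shows "σEMO.TXT" with its original first cluster and size intact, and the memo is read back byte for byte from clusters the FAT now reports as free. Writing a new file large enough to be allocated those clusters is what would finally destroy it.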
Computer Forensics
 The files you save on your
computer are rarely ever totally
gone.
 Forensic scientists can recover a
plethora of data from a hard drive
even after files have been deleted,
the disk defragmented, or
reformatted.
 This data can be used to
incriminate or exonerate the
suspect.