Chapter18H Computer analysis / Microsoft PowerPoint 97


Chapter 18
COMPUTER FORENSICS
FORENSIC SCIENCE: An Introduction, 2nd ed.
By Richard Saferstein
©2011, 2008 Pearson Education, Inc.
Upper Saddle River, NJ 07458
18-1
Introduction
• Computers have permeated society and are used
in countless ways with innumerable applications.
• Similarly, the role of electronic data in
investigative work has realized exponential growth
in the last decade.
• The usage of computers and other electronic data
storage devices leaves the footprints and data
trails of their users.
Introduction
• Computer forensics involves the preservation,
acquisition, extraction, and interpretation of
computer data.
• In today’s world of technology, many devices are capable of storing data and therefore fall within the scope of computer forensics.
The Basics
• Before getting into the
nuts and bolts of
computers, the important
distinction between
hardware and software
must be established.
• Hardware comprises the
physical and tangible
components of the
computer.
The Basics
• Software, conversely, is a set of instructions compiled into a program that performs a particular task: the programs and applications that carry out those instructions on the hardware.
Terminology
• Computer Case/Chassis: This is the physical
box holding the fixed internal computer
components in place.
• Power Supply: A PC’s power supply converts the alternating current from the wall outlet into the low-voltage direct current the computer and its components use.
Terminology
• Motherboard: The main circuit board
contained within a computer (or other
electronic devices) is referred to as the
motherboard.
• System Bus: Contained on the motherboard,
the system bus is a vast complex network of
wires that serves to carry data from one
hardware device to another.
Terminology
• Read Only Memory (ROM): ROM chips store programs called firmware (for example the BIOS/UEFI), used to start the boot process and configure a computer’s components.
• Random Access Memory (RAM): RAM holds the instructions and data the processor is working with at the moment, so that the processor does not have to wait on the far slower Hard Disk Drive (HDD).
Terminology
– The computer, anticipating that it may need certain data at a moment’s notice, keeps that data in RAM.
– RAM is referred to as volatile memory because it is not permanent: its contents change constantly and are lost once power is removed from the computer.
Terminology
• Central Processing Unit (CPU): The CPU, also
referred to as a processor, is essentially the
brains of the computer.
• Input Devices: These devices are used to get
data into the computer
– To name a few:
• Keyboard
• Mouse
• Joystick
• Scanner
Terminology
• Output Devices: Equipment through which
data is obtained from the computer.
– To name a few:
• Monitor
• Printer
• Speakers
• The Hard Disk Drive (HDD) is typically the
primary location of data storage within the
computer.
Terminology
• Different operating systems map out (partition)
HDDs in different manners.
• Examiners must be familiar with the file system
they are examining.
• Evidence exists in many different locations and
in numerous forms on a HDD.
• The type of evidence can be grouped under two
major sub-headings: visible and latent data.
Storing and Retrieving Data
• The formatting process initializes portions of
the hard drive so that it can store data, and it
creates the structure of the file system.
• A sector is the smallest unit of data that a hard drive can address (traditionally 512 bytes; many newer drives use 4,096-byte sectors).
• A cluster (also called an allocation unit) is usually the minimum space the file system allocates to a file. Clusters are groups of sectors, so even a one-byte file occupies a whole cluster.
Processing the Electronic Crime Scene
• Processing the electronic crime scene has a lot
in common with processing a traditional crime
scene.
– Warrants
– Documentation
– Good Investigation Techniques
• At this point, a decision must be made as to
whether a live acquisition of the data is
necessary.
Shutdown vs. Pulling the Plug
• Several factors influence the systematic
shutdown vs. pulling the plug decision.
• For example, if full-disk or volume encryption is in use, the data is readable only while the system is running and the key is in memory. Pulling the plug leaves the data encrypted and unreadable without the password or key, so pulling the plug would not be prudent.
Shutdown vs. Pulling the Plug
• Similarly, if crucial evidentiary data exists in RAM and has not been saved to the HDD, it will be lost when power to the system is cut, so another option (a live acquisition of memory before shutdown) must be considered.
• Regardless, the equipment will most likely be seized.
Forensic Image Acquisition
• Now that the items have been seized, the data
needs to be obtained for analysis.
• The computer Hard Disk Drive will be used as an example, but the same “best practices” principles apply to other electronic devices as well.
Forensic Image Acquisition
• Throughout the entire process, the computer
forensic examiner must adopt the method that
is least intrusive.
• The goal when obtaining data from a HDD is to do so without altering even one bit of data.
Forensic Image Acquisition
• Because booting a HDD to its operating system
changes many files and could potentially
destroy evidentiary data, obtaining data is
generally accomplished by removing the HDD
from the system and placing it in a laboratory
forensic computer so that a forensic image can
be created.
• Occasionally, in cases of specialized or unique
equipment or systems the image of the HDD
must be obtained utilizing the seized computer.
Forensic Image Acquisition
• Regardless, the examiner needs to be able to prove that the forensic image he/she obtained includes every bit of data and that the acquisition caused no changes (writes) to the HDD. In practice the drive is connected through a write blocker, which physically prevents writes, and the hash comparison described next provides the proof.
Computer Fingerprint
• To this end, a sort of fingerprint is taken of the drive before imaging and of the image afterwards.
• This fingerprint is computed with a cryptographic hash function such as Message Digest 5 (MD5), a Secure Hash Algorithm (SHA-1 or SHA-256) or a similar validated algorithm.
• Before imaging the drive, the algorithm is run over the drive’s entire contents and produces a fixed-length hexadecimal string: 32 characters for MD5, 40 for SHA-1, 64 for SHA-256. Changing even a single bit of the input produces a completely different string.
Computer Fingerprint
• The same algorithm is then run against the resulting forensic image. If the two strings match, the image is a complete, bit-for-bit copy of the original and nothing was altered in the process; if they differ, the image cannot be relied on and the discrepancy must be investigated (a failing sector on the source drive is a common cause).
• MD5 is no longer collision-resistant, so current practice is to record a SHA-2 hash (typically SHA-256) as well, keeping MD5 only for compatibility with older tools and reports.
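The before-and-after comparison on the two Computer Fingerprint slides, as an added example that is not from the textbook. It uses Python's standard `hashlib`; the 64 KiB `SAMPLE_DRIVE` byte string stands in for a drive and is constructed here, and `verify_image`, `fingerprint_stream` and `flip_one_bit` are illustrative names.

```python
import hashlib
import io

# Added example, not from the textbook. MD5 is kept for compatibility with
# older reports; SHA-256 is the check that still carries weight.
ALGORITHMS = ("md5", "sha256")


def fingerprint(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Hash an in-memory byte string with each algorithm; returns {name: hexdigest}."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def fingerprint_stream(fileobj, algorithms=ALGORITHMS, chunk_size=1 << 20) -> dict:
    """Same result as fingerprint(), but reads the source in chunks, which is
    what a real drive or image file needs. Every algorithm is fed from the
    same chunk, so the source is read only once."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def fingerprint_streamed_bytes(data: bytes) -> dict:
    """Run the streaming path over an in-memory buffer (for cross-checking)."""
    return fingerprint_stream(io.BytesIO(data))


def verify_image(source: bytes, image: bytes) -> tuple:
    """Compare the hashes of the original drive contents and the forensic
    image. Returns (all_match, source_hashes, image_hashes)."""
    src = fingerprint(source)
    img = fingerprint(image)
    return all(src[a] == img[a] for a in src), src, img


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Return a copy of data with the lowest bit of byte `offset` inverted."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed stand-in for a drive: 64 KiB of a repeating pattern.
SAMPLE_DRIVE = (b"FORENSIC-TEST-DRIVE-" * 4096)[:65536]

if __name__ == "__main__":
    ok, src, img = verify_image(SAMPLE_DRIVE, SAMPLE_DRIVE)
    print("identical image:", ok, {k: len(v) for k, v in src.items()})
    ok, src, img = verify_image(SAMPLE_DRIVE, flip_one_bit(SAMPLE_DRIVE, 40000))
    print("one bit changed:", ok)
    for name in ALGORITHMS:
        print(name, src[name], "!=", img[name])
```

The flipped-bit run shows why the comparison is decisive: a one-bit change at byte 40000 changes essentially every character of both digests. `fingerprint_stream` is the form to use against a real device or image file, since a drive image does not fit in memory and should not be read once per algorithm.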
Visible Data
• Visible data is that data which the operating
system is aware of.
• Consequently this data is easily accessible to
the user.
• From an evidentiary standpoint, it can
encompass any type of user created data like:
– word processing documents
– spreadsheets
– accounting records
– databases
– pictures
Temporary Files and Swap Space
• Temporary files, created by programs as a sort
of “back up on the fly” can also prove valuable
as evidence.
• Finally, data in the swap space (disk space the operating system uses as an overflow area when RAM is full) can yield evidentiary data, including fragments of what was once in memory.
• Latent data, on the other hand, is data which the operating system is not aware of.
Latent Data
• Evidentiary latent data can exist in both RAM slack and file slack.
Latent Data
• RAM slack is the area from the end of the
logical file to the end of the sector.
• File slack is the remaining area from the end of
the final sector containing data to the end of the
cluster.
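The sector and cluster arithmetic from the Storing and Retrieving Data slide and the two slack definitions above, worked through in code. This is an added example, not material from the textbook; the 512-byte sector and 4,096-byte cluster are assumptions chosen to match a common NTFS layout, and `allocation` and `slack_ranges` are illustrative names.

```python
# Added example, not from the textbook. Sector and cluster sizes are
# assumptions (512-byte sectors, 8 sectors per 4096-byte cluster); set them
# to match the volume under examination.

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER  # 4096 bytes


def ceil_div(n: int, d: int) -> int:
    """Integer division rounding up."""
    return -(-n // d)


def allocation(file_size: int,
               sector_size: int = SECTOR_SIZE,
               cluster_size: int = CLUSTER_SIZE) -> dict:
    """Describe how file_size bytes are stored on disk.

    ram_slack : bytes from the logical end of the file to the end of the
                last sector that holds file data
    file_slack: bytes from the end of that sector to the end of the last
                allocated cluster
    """
    if file_size < 0:
        raise ValueError("file size cannot be negative")
    if file_size == 0:
        # Nothing allocated, so there is no slack to examine.
        return {"sectors_used": 0, "clusters_allocated": 0,
                "ram_slack": 0, "file_slack": 0, "total_slack": 0}
    sectors_used = ceil_div(file_size, sector_size)
    clusters = ceil_div(file_size, cluster_size)
    ram_slack = sectors_used * sector_size - file_size
    file_slack = clusters * cluster_size - sectors_used * sector_size
    return {"sectors_used": sectors_used,
            "clusters_allocated": clusters,
            "ram_slack": ram_slack,
            "file_slack": file_slack,
            "total_slack": ram_slack + file_slack}


def slack_ranges(start_cluster: int, file_size: int,
                 sector_size: int = SECTOR_SIZE,
                 cluster_size: int = CLUSTER_SIZE) -> dict:
    """Absolute byte ranges [start, end) of the two slack regions of a file
    whose first cluster is start_cluster (contiguous allocation assumed).
    These are the offsets an examiner reads from the image to inspect
    slack contents."""
    info = allocation(file_size, sector_size, cluster_size)
    base = start_cluster * cluster_size
    file_end = base + file_size
    sector_end = base + info["sectors_used"] * sector_size
    cluster_end = base + info["clusters_allocated"] * cluster_size
    return {"ram_slack": (file_end, sector_end),
            "file_slack": (sector_end, cluster_end)}


if __name__ == "__main__":
    for size in (1, 5000, 4096, 70000):
        print(size, allocation(size))
    print(slack_ranges(start_cluster=100, file_size=5000))
```

A 5,000-byte file, for instance, uses 10 sectors (5,120 bytes) inside 2 clusters (8,192 bytes): 120 bytes of RAM slack and 3,072 bytes of file slack, the latter still holding whatever was written to those sectors by an earlier file. One caveat for the examiner: modern operating systems zero-fill the RAM slack region before writing the final sector, so on current systems it rarely yields evidence; file slack, which is never written at all, still does.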
Latent Data
• Another area where latent data might be found
is in unallocated space.
– Unallocated space is that space on a HDD
the operating system sees as empty and
ready for data.
Latent Data
• The constant shuffling of data through
deletion, defragmentation, swapping, etc., is
one of the ways data is orphaned in latent
areas.
• Finally, when a user deletes files the data
typically remains behind.
• Deleted files are therefore another source of
latent data to be examined during forensic
analysis.
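A minimal header/footer file carver over unallocated space, as an added example not from the textbook: it finds files by their signatures without any help from the file system, which is how deleted files are recovered once their directory entries are gone. `SIGNATURES`, `carve` and the unallocated-space sample built by `build_sample_unallocated` are all constructed for this example.

```python
# Added example: a simple header/footer carver for unallocated space.
# SIGNATURES and the sample blob are constructed for this example.

SIGNATURES = {
    # kind: (header bytes, footer bytes)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),   # JPEG SOI marker ... EOI marker
    "pdf": (b"%PDF-", b"%%EOF"),             # PDF header ... end-of-file marker
}


def carve(blob: bytes, signatures: dict = SIGNATURES,
          max_size: int = 10 * 1024 * 1024) -> list:
    """Scan blob for every header in signatures and pair each one with the
    next footer of the same type. Returns [(kind, offset, data), ...] sorted
    by offset. The file system is never consulted: this works on raw
    unallocated space where the directory entries are already gone."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            end = blob.find(footer, start + len(header))
            if end < 0:
                break                       # header with no footer: truncated or overwritten
            end += len(footer)
            if end - start <= max_size:     # discard absurd spans (footer belongs to another file)
                hits.append((kind, start, blob[start:end]))
            pos = end
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_unallocated() -> bytes:
    """Constructed stand-in for unallocated space: zero filler with the
    remains of two deleted JPEG-like files and one PDF-like file."""
    filler = b"\x00" * 64
    jpeg1 = b"\xff\xd8\xff\xe0" + b"JFIF-data-1" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nsome objects\n%%EOF"
    jpeg2 = b"\xff\xd8\xff\xe1" + b"Exif-data-2" + b"\xff\xd9"
    return filler + jpeg1 + filler + pdf + filler + jpeg2 + filler


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_unallocated()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

Two caveats a practitioner should keep in mind: carving assumes the file was stored contiguously, so fragmented files come back corrupted, and a JPEG with an embedded EXIF thumbnail contains a second SOI/EOI pair, so the first footer found may close the thumbnail rather than the full picture. Production carvers validate the recovered structure rather than trusting the markers alone, and data that has been overwritten by a newer file, or discarded by an SSD after TRIM, is not recoverable this way.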
Internet Cache
• Evidence of Internet web browsing typically
exists in abundance on the user’s computer.
• Most web browsers (Internet Explorer,
Netscape, and Firefox) utilize a system of
caching to expedite web browsing and make it
more efficient.
• This web browsing Internet cache is a potential
source of evidence for the computer
investigator.
• Portions of, and in some cases, entire visited
web pages can be reconstructed.
• Even if deleted, these cached files can often be
recovered.
Internet Cookies
• To appreciate the value of the “cookie” you
must first understand how they get onto the
computer and their intended purpose.
• Cookies are placed on the local hard disk drive
by the web site the user has visited.
• This is, of course, if the particular web browser
being used is set to allow this to happen.
• A cookie is used by the web site to track certain information about its visitors.
• This information can be anything from a history of visits or purchasing habits to a session or login token (normally not the password itself) and personal information used to recognize the user on later visits.
Internet History
• Most web browsers track the history of web page
visits for the computer user.
• This is probably done merely for a matter of
convenience.
• Like the “recent calls” list on a cell phone, the
Internet history provides an accounting of sites
most recently visited, with some storing weeks
worth of visits.
• Users have the availability to go back and access
sites they most recently visited, just by accessing
them through the browser’s history.
• The history file can be located and read with
most popular computer forensic software
packages.
Bookmarks and Favorite Places
• Another way users can access websites quickly is
to store them in their “bookmarks” or “favorite
places.”
• Like a pre-set radio station, Internet browsers
allow a user to bookmark websites for future
visits.
• A lot can be learned from the bookmarked sites
of a person. Perhaps you might learn what
online news a person is interested in or what type
of hobbies he/she has.
• You may also see that person’s favorite child
pornography or computer hacking sites
bookmarked.
Internet Communications
• Computer investigations often begin or are
centered around Internet communication.
• It may be:
– a chat conversation amongst many people,
– an instant message conversation between just two
individuals,
– or the back and forth of an e-mail exchange.
• Human communication has long been a
source of evidentiary material.
• Regardless of the type, investigators are
typically interested in communication.
Value of the IP address
• In our earlier discussion, it was stated that in
order to communicate on the Internet a device
needs to be assigned an Internet Protocol (IP)
address.
• The IP address is provided by the Internet Service Provider (ISP) through which the device accesses the Internet, and the ISP keeps records of which subscriber held an address at a given time.
• Thus it is the IP address that might lead to the identity of a real person.
• If an IP address is the link to the identity of a real person, then it is obviously very valuable for identifying someone on the Internet. Because addresses are frequently reassigned and often shared by many devices behind one connection, a request to the ISP must state the exact date, time and time zone of the connection, and the answer identifies a subscriber, not necessarily the individual at the keyboard.
IP Address Locations
• IP addresses are located in different places
for different mediums of communications.
• E-mail will have the IP address in the header portion of the message.
– This may not be readily apparent and may require a bit of configuration of the mail client to reveal the full headers.
– Each e-mail client is different and needs to be evaluated on a case-by-case basis.
• In the case of an Instant Message or Chat session, the particular provider (the one providing the chat service: AOL, Yahoo, etc.) would be contacted to provide the user’s IP address.
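Locating the sender's IP address in e-mail headers, as an added example that is not from the textbook. It uses Python's standard `email` module; `SAMPLE_MESSAGE` is a constructed message using RFC 5737 documentation addresses, and `received_hops`, `claimed_origin_ip` and `last_trusted_source_ip` are illustrative names. The example goes one step beyond the slide: it also shows why only the hops recorded by servers you trust can be relied on.

```python
import email
import re

# Constructed message using RFC 5737 documentation addresses; not a real
# capture. Headers are folded with tab continuation lines, as real mail
# servers write them.
SAMPLE_MESSAGE = (
    "Received: from mx.example.org (mx.example.org [203.0.113.7])\n"
    "\tby mail.example.net with ESMTP id abc123;\n"
    "\tMon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from sender-pc (unknown [198.51.100.23])\n"
    "\tby mx.example.org with ESMTPA id def456;\n"
    "\tMon, 1 Jan 2024 10:00:00 +0000\n"
    "From: someone@example.org\n"
    "To: victim@example.net\n"
    "Subject: meeting\n"
    "Message-ID: <1@example.org>\n"
    "\n"
    "See you there.\n"
)

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw_message: str) -> list:
    """Parse every Received: header into a hop record. Each mail server
    prepends its own Received: line, so the last one in the message is the
    first hop; the list returned runs from origin to destination."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    hops = []
    for hdr in reversed(headers):
        flat = " ".join(hdr.split())          # unfold continuation lines
        m = FROM_BY.search(flat)
        ips = BRACKETED_IP.findall(flat)
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": ips[0] if ips else None,
                     "header": flat})
    return hops


def claimed_origin_ip(raw_message: str):
    """IP in the bottom-most Received: header. Easy to forge: the sender
    controls every header that existed before the message reached a
    server you trust."""
    hops = received_hops(raw_message)
    return hops[0]["ip"] if hops else None


def last_trusted_source_ip(raw_message: str, trusted_hosts: set):
    """Walk down from the top (the receiving side) through Received:
    headers added by servers in trusted_hosts and return the connecting
    IP recorded by the last trusted server. That is the address an
    investigator can actually stand behind."""
    candidate = None
    for hop in reversed(received_hops(raw_message)):   # destination first
        if hop["by"] not in trusted_hosts:
            break
        candidate = hop["ip"]
    return candidate


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop["from"], "->", hop["by"], "seen from", hop["ip"])
    print("claimed origin:", claimed_origin_ip(SAMPLE_MESSAGE))
    print("last trusted source:",
          last_trusted_source_ip(SAMPLE_MESSAGE, {"mail.example.net"}))
```

With `{"mail.example.net"}` as the trusted set the walk stops at `203.0.113.7`, the address mx.example.org connected from; the `198.51.100.23` claimed for sender-pc only becomes reliable if mx.example.org is also a server whose logs can be obtained and checked. That is the reason the bottom `Received:` line, tempting as it is, should never be the sole basis for a request to an ISP.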
Difficulty with IP Addresses
• Finding IP addresses may be difficult.
– E-mail can be read through a number of clients or
software programs.
– Most accounts offer the ability to access e-mail
through a web-based interface as well.
– Often the majority of chat and instant message
conversations are not saved by the parties
involved.
• Each application needs to be researched and
the computer forensic examination guided by
an understanding of how it functions.
Hacking
• Unauthorized computer intrusion, more
commonly referred to as hacking, is the
concern of every computer administrator.
• Hackers penetrate computer systems for a
number of reasons.
– Sometimes the motive is corporate espionage and
other times it is merely for bragging rights within
the hacker community.
– Most commonly though, it is a rogue or
disgruntled employee, with some knowledge of the
computer network, who is looking to cause
damage.
• Despite the motivation, Corporate America is
frequently turning to law enforcement to
investigate and prosecute these cases.
Locations of Concentration
• Generally speaking, when investigating
an unauthorized computer intrusion,
investigators will concentrate their
efforts in three locations:
– log files
– volatile memory
– network traffic
Logs
• Logs will typically document the IP address of the computer that made the connection, together with the time.
• Logs can be located in several places on a computer network.
• Most servers that exist on the Internet track connections made to them through the use of logs.
• Additionally, the router (the device responsible for directing data) may contain log files detailing connections.
• Similarly, devices known as firewalls may contain log files listing the computers that were allowed, or denied, access to the network or to an individual system.
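The log review the slide describes, run over a constructed web-server access log, as an added example not from the textbook. `SAMPLE_LOG` uses RFC 5737 documentation addresses and is not a real log; `parse_log`, `summarize_by_ip` and `brute_force_then_success` are illustrative names.

```python
import re
from datetime import datetime

# Constructed web-server access log in the common "combined"-style format,
# using RFC 5737 documentation addresses. Not a real log.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.50 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.50 - - [01/Jan/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.50 - - [01/Jan/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.50 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 8841
203.0.113.50 - - [01/Jan/2024:10:00:15 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 1048576
198.51.100.23 - - [01/Jan/2024:10:01:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text: str) -> list:
    """Turn each log line into a dict with a real timestamp and integer fields."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line; in practice count and keep these
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        entries.append(d)
    return entries


def summarize_by_ip(entries: list) -> dict:
    """Per source address: request count, failed logins, bytes sent back, time span."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["ip"], {"requests": 0, "failed_logins": 0,
                                         "bytes_out": 0, "first_seen": e["ts"],
                                         "last_seen": e["ts"]})
        s["requests"] += 1
        s["bytes_out"] += e["size"]
        if e["path"] == "/login" and e["status"] == 401:
            s["failed_logins"] += 1
        s["first_seen"] = min(s["first_seen"], e["ts"])
        s["last_seen"] = max(s["last_seen"], e["ts"])
    return summary


def brute_force_then_success(entries: list, threshold: int = 3) -> dict:
    """Flag addresses that got a successful /login after at least `threshold`
    consecutive failures: the footprint of a password-guessing attack that
    worked. Returns {ip: failures_before_success}."""
    streak = {}
    flagged = {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["path"] != "/login":
            continue
        if e["status"] == 401:
            streak[e["ip"]] = streak.get(e["ip"], 0) + 1
        elif e["status"] == 200:
            if streak.get(e["ip"], 0) >= threshold:
                flagged[e["ip"]] = streak[e["ip"]]
            streak[e["ip"]] = 0
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, s in summarize_by_ip(entries).items():
        print(ip, s["requests"], "requests,", s["failed_logins"], "failed logins,",
              s["bytes_out"], "bytes out,", s["first_seen"], "to", s["last_seen"])
    print("brute force then success:", brute_force_then_success(entries))
```

The per-address summary is the starting point: which addresses connected, when, and how much data went back to them. The second function encodes one specific pattern worth flagging, a run of failed logins followed by a success from the same address, which in the sample is followed by a large download from an administrative path. Firewall and router logs are handled the same way; only the regular expression changes.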
Use of Volatile Data
• Many times, in cases of unlawful access to a computer network, the perpetrator uses some technique to conceal his or her true IP address.
• Advanced investigative techniques might be necessary to discover the true identity.
• Where an intrusion is in progress, the investigator might have to capture volatile data (data in RAM).
• The data existing in RAM at the time of an intrusion may provide valuable clues to the identity of the intruder, or at the very least to the method of attack.
• In the case of an instant message or chat conversation, which is often never written to disk, the data that exists in RAM needs to be acquired while the session is still open.
An Additional Standard Tactic
• Another standard tactic for investigating
intrusion cases is documenting all programs
installed and running on a system.
• By doing this the investigator might discover
malicious software installed by the
perpetrator to facilitate entry.
• This is accomplished utilizing specialized
software designed to document running
processes, registry entries, and any installed
files.
Live Network Traffic
• The investigator may want to capture live
network traffic as part of the evidence
collection and investigation process.
• Traffic that travels the network does so in the
form of data packets.
• In addition to containing data these packets
also contain source and destination IP
addresses.
• If the attack requires two-way communication, as in the case of a hacker stealing data, then that data must be transmitted back to the hacker’s computer, and the destination address in those packets points to it.
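Parsing the source and destination addresses out of captured packets, as an added example not from the textbook. It decodes the IPv4 header defined in RFC 791 with Python's standard `struct` and `socket` modules; `SAMPLE_PACKETS` are constructed here with RFC 5737 documentation addresses rather than captured from a network, and `build_ipv4_packet`, `parse_ipv4_header` and `two_way_pairs` are illustrative names.

```python
import socket
import struct
from collections import Counter

# Added example, not from the textbook. The 20-byte IPv4 header without
# options: version/IHL, TOS, total length, identification, flags/fragment
# offset, TTL, protocol, header checksum, source, destination.
IPV4_HEADER = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header. A header whose
    checksum field is already filled in sums to 0 when it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, protocol: int, payload: bytes,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Assemble a minimal IPv4 packet (no options) around payload."""
    total_len = 20 + len(payload)
    header = struct.pack(IPV4_HEADER, 0x45, 0, total_len, ident, 0x4000,
                         ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields an investigator cares about and verify the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated: need at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, protocol,
     _cksum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "protocol": protocol, "ttl": ttl, "ident": ident,
            "header_len": ihl, "total_len": total_len,
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def conversation_counts(packets: list) -> Counter:
    """Count packets per (src, dst) pair."""
    return Counter((h["src"], h["dst"]) for h in map(parse_ipv4_header, packets))


def two_way_pairs(packets: list) -> set:
    """Address pairs with traffic in both directions, i.e. real conversations."""
    counts = conversation_counts(packets)
    return {(a, b) for (a, b) in counts if (b, a) in counts and a < b}


# Constructed capture: an attacker pulls a file from a victim host.
VICTIM, ATTACKER = "192.0.2.10", "203.0.113.9"
SAMPLE_PACKETS = [
    build_ipv4_packet(ATTACKER, VICTIM, 6, b"GET /secret HTTP/1.0\r\n\r\n"),
    build_ipv4_packet(VICTIM, ATTACKER, 6, b"HTTP/1.0 200 OK\r\n\r\nsecret"),
    build_ipv4_packet(VICTIM, ATTACKER, 6, b"more secret data"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        h = parse_ipv4_header(p)
        print(h["src"], "->", h["dst"], "proto", h["protocol"],
              "checksum ok:", h["checksum_ok"], "payload:", h["payload"][:16])
    print("two-way conversations:", two_way_pairs(SAMPLE_PACKETS))
```

`two_way_pairs` makes the slide's point concrete: once the victim host sends packets back to the address that contacted it, that address is the other end of the conversation whatever the intruder has done to disguise the original connection. The checksum check matters for evidence as well, since a packet whose header checksum fails was either corrupted in capture or crafted, and should not be weighed the same as an intact one.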
Knowledge and Skill
• Computer file systems and data structures are
vast and complex.
• Therefore, areas of forensic analysis are almost
limitless and constrained only by the
knowledge and skill of the examiner.
• With a working knowledge of how computers function, how they are used, and how they store data, an examiner is ready to begin locating the evidentiary data.