Computer Forensics BACS 371

Computer Forensics BACS 371
Evidentiary Methods II: Evidence Acquisition

OK, what do we do first?

Basic Forensic Methodology
• Acquire the evidence (legally)
• Authenticate that it is the same as the original
• Analyze the data without modifying it

Photographing Systems
Before you do anything, begin documentation by photographing all aspects of the system…
• Monitor
• Desk and surrounding area
• All 4 sides of PC
• Labeled cables still connected

Evidence Acquisition Process¹
• Disassemble the case of the computer
  • Identify storage devices that need to be acquired (internal/external/both)
  • Document internal storage devices and hardware configuration
    • Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …)
    • Internal components (sound card, video card, network card – including MAC address, PCMCIA cards, …)
• Disconnect storage devices (power, data, or both)
• Controlled boots
  • Capture CMOS/BIOS info (boot sequence, time/date, passwords)
  • Controlled boot from forensic CD to test functionality (RAM, write-protected storage, …)
  • Controlled boot to capture drive config (LBA, CHS, …)

¹ Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3. Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Role of the First Responder
Scene of the Cybercrime¹: Do No Harm!
• Identify the Crime Scene
• Protect the Crime Scene
• Preserve Temporary and Fragile Evidence

A Guide for First Responders²
• Secure and Evaluate the Scene
• Document the Scene
• Collect Evidence
• Packaging, Transportation, and Storage of Evidence
• Forensic Examination

¹ Scene of the Cybercrime, Shinder & Tittel, p.553
² Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

Role of Investigators¹
• Establish Chain of Command
• Conduct Crime Scene Search
• Maintain Integrity of Evidence

¹ Scene of the Cybercrime, Shinder & Tittel, p.554

Role of Crime Scene Technician¹
• Preserve volatile evidence and duplicate disks
• Shut down systems for transport
• Tag and log evidence
• Transport evidence
• Process evidence

¹ Scene of the Cybercrime, Shinder & Tittel, p.555

Computer Seizure Checklist¹
• Photograph the monitor
• Preserve volatile data
• Shut down systems
• Photograph the system setup
  • PC – all sides
• Label all connections
• Unplug system and peripherals – mark & tag
• Bag and tag all components
• Bitstream copy of disk(s) (offsite usually)
• Verify integrity of copies (offsite usually)

¹ Scene of the Cybercrime, Shinder & Tittel, p.557

Handling, Transportation, Storage
• Static electricity
• External RF signals
• Heat
• Humidity
• Sunlight

Evidence Logs
• Lists all evidence collected
• Description of each piece of evidence with serial numbers & other ID information
• Identifies who collected the evidence and why
• Date and time of collection
• Disposition of evidence
• All transfers of custody

Computer Evidence Worksheet

Evidence Tag
• Place or person from whom item was received
• If item requires consent for search
• Description of items taken
• Information contained on storage device
• Date and time item was taken
• Full name and signature of individual initially receiving evidence
• Case and tag number

Evidence Label
• Case number and evidence tag number
• Date and time the evidence was collected
• Brief description of items in envelope

Evidence Analysis Logs
• How each step is performed
  • Who was present
  • What was done
  • Result of procedure
  • Time/date
• Document all potential evidence
  • Filename
  • Where on disk data are located
  • Date and time stamps
  • Network information (MAC address, IP address)
  • Other file properties (metadata)

Evidence Log
Case Number: 123412

Tag # | Date      | Action Taken                   | By        | Location
1     | 13 Jan 01 | Initial Submission             | Matt Pepe | Maxtor 600GB (593843420)
1     | 15 Mar 01 | Moved evidence to tape         | Matt Pepe | 4mm tape #01101
1     | 15 Mar 01 | Examined Evidence using EnCase | Matt Pepe | FRED #7

Each entry records:
• Evidence tag number
• Date
• Action taken
• Person performing action
• Identifying information

Preserve Volatile Data¹
Order of Volatility² (most volatile first):
• Registers and cache
• Routing table, ARP cache, process table, kernel statistics
• Contents of system memory (RAM)
• Remote logging and monitoring data
• Physical configuration, network topology
• Temporary file systems
• Data on disk
• Archival media

¹ Scene of the Cybercrime, Shinder & Tittel, p.559
² Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Collecting Volatile Data

Tool     | Purpose
netstat  | View current network connections
nbstat   | View current network connections
arp      | View addresses in ARP (Address Resolution Protocol) cache
plist    | List running processes (or view in Task Manager)
ipconfig | Gather information about the state of the network

[Screenshot slides: netstat – current network connections; nbstat – NetBIOS name resolution; arp – addresses in ARP cache; ipconfig – state of network]

Foundstone Tools

Tool             | Description
Pasco            | An Internet Explorer activity forensic analysis tool
Galleta          | An Internet Explorer cookie forensic analysis tool
Rifiuti          | A Recycle Bin forensic analysis tool
Vision           | Reports all open TCP and UDP ports
NTLast           | Security audit tool for WinNT
Forensic Toolkit | Tools to examine an NTFS disk partition for unauthorized activity
ShoWin           | Shows information about Windows – reveals passwords
BinText          | Finds ASCII, Unicode, and Resource strings in a file

Things to Avoid¹
• Don't shut down until volatile evidence has been collected
• Don't trust the programs on the system – use your own secure programs
• Don't run programs which modify access times of files

¹ Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Acquire the Evidence
To shut down, or not to shut down, that is the question!
• Do so without damaging or altering the original
• Should you let the machine run, or pull the plug?
  • Run
    • Retains maximum forensic evidence
  • Pull plug
    • Removes a compromised computer from potentially affecting the whole network
    • How to pull the plug
      • From the back of the PC
      • When the hard drive is not spinning – check for:
        • Sound
        • Drive light
        • Vibration

Making Backups
• File backup vs. bitstream copy
• Use forensically sterile media
• Make 2 backup copies (one to work with and one to store)
• Don't access the original again!

Level of Effort to Protect Evidence…
• If the evidence is going to be used in court
  vs.
• If the evidence is going to be used for internal investigation
• The evidence method should be the same for both situations in case it ever goes to court
• The more documentation the better

Forensic Analysis CYA
• Virus check
  • Forensic computer
  • Media being processed
• Collect system information
• CHKDSK/SCANDISK
• Complete computer hardware inventory
• Look for "orphan clusters"
• Check for hidden partitions
• Document everything!

MD5 Hashing
Wikipedia entry: Cryptographic Hash Function
A hash function must be able to process an arbitrary-length message into a fixed-length output.
• Hash Function
• Hash Collision
• Check Digit
• Cyclic Redundancy Check (CRC)

Integrity of Evidence⁺

Checksum
  Description: Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16- or 32-bit integer result.
  Common types: CRC-16, CRC-32
  Advantages: Easy to compute; fast; small data storage; useful for detecting random errors
  Disadvantages: Low assurance against malicious attack; simple to create data with matching checksum

One-Way Hash
  Description: Method for protecting data against unauthorized change. Produces a fixed-length large integer (80~240 bits) representing digital data. Implements a one-way function.
  Common types: SHA-1, MD5, MD4, MD2
  Advantages: Easy to compute; can detect both random errors and malicious alterations
  Disadvantages: Must maintain secure storage of hash values; does not bind identity with data; does not bind time with data

Digital Signature
  Description: Secure method for binding the identity of the signer with digital data integrity methods such as one-way hash values. Uses a public key crypto system.
  Common types: RSA, DSA, PGP
  Advantages: Binds identity to integrity operation; prevents unauthorized regeneration of signature
  Disadvantages: Slow; must protect private key; does not bind time with data

⁺ "Proving the Integrity of Digital Evidence with Time," International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (Oct 25, 2005)

Hashing Algorithms¹

Algorithm | Description
MD2       | Developed by Ronald L. Rivest in 1989, this algorithm was optimized for 8-bit machines.
MD4       | Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
MD5       | Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.
SHA       | SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
HAVAL     | A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.

¹ Hands-On Ethical Hacking and Network Defense, Simpson, 2006, p. 305

MD5 Hash
"[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit 'fingerprint' or 'message digest' of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be 'compressed' in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."¹

¹ http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

MD5 Hash
• 128-bit number representing a "fingerprint" of a file
• Odds of two different files having the same MD5 hash are 1 in 2^128
• MD5 issues???
  • Collisions – two different files generating the same hash
    http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf
  • SHA collisions
    http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf
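The following Python script is an added example, not part of the lecture slides, that walks the Making Backups and MD5 Hash steps above: it takes a bitstream copy of a constructed drive image, authenticates the copy against the original with MD5 and SHA-1 computed block by block, records the result as an evidence-log entry, and then shows that altering a single byte of the working copy breaks verification. The image bytes, tag number and examiner name are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # read in blocks so the same code works for multi-GB drive images

# Constructed stand-in for a seized drive: a boot-sector-like block plus "free space".
SAMPLE_IMAGE = b"\xebXMSDOS5.0" + b"\x00" * 500 + b"\x55\xaa" + b"free space" * 100


def hash_stream(stream, algorithms=("md5", "sha1")):
    """Hash a seekable byte stream block by block; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for hashing an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def bitstream_copy(source, destination):
    """Copy every byte (allocated, slack and unallocated) from source to destination."""
    source.seek(0)
    destination.seek(0)
    copied = 0
    for block in iter(lambda: source.read(CHUNK), b""):
        destination.write(block)
        copied += len(block)
    return copied


def acquire_and_verify(source, destination, examiner, tag):
    """Acquire a bitstream copy, authenticate it against the original, and log the result."""
    size = bitstream_copy(source, destination)
    original, copy = hash_stream(source), hash_stream(destination)
    verified = original == copy  # every digest of the copy must equal the original's
    entry = {"tag": tag, "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "action": "Bitstream copy verified" if verified else "VERIFICATION FAILED",
             "by": examiner, "bytes": size,
             **{f"{name}_original": digest for name, digest in original.items()}}
    return verified, entry


def run_demo():
    """Acquire the constructed image, then show that one altered byte in the copy is detected."""
    source, copy = io.BytesIO(SAMPLE_IMAGE), io.BytesIO()
    verified, entry = acquire_and_verify(source, copy, "Examiner Name (constructed)", 1)
    copy.seek(511)
    copy.write(b"\x00")  # simulate a single altered byte in the working copy
    return {"verified": verified, "entry": entry,
            "verified_after_change": hash_stream(copy) == hash_stream(source)}
```

Recording both digests in the log entry is what later lets an examiner prove the working copy still matches the original without touching the original again.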

Hash Try It…
• http://www.sha1-online.com/
• http://www.digital-detective.co.uk/freetools/md5.asp
• http://www.miraclesalad.com/webtools/md5.php
• Hash converter: http://hash.online-convert.com/sha1-generator

Admissibility of Evidence
The whole point of all of this is to make sure that the evidence is admissible. Which means it is…
• Relevant – substantiates an issue that is in question in the case
• Competent – reliable and credible
• Obtained legally

5 Mistakes of Computer Evidence¹
1. Turn on the computer (don't do it!)
2. Get help from the computer owner
3. Don't check for computer viruses
4. Don't take any precautions in the transport of computer evidence
5. Run Windows to view graphic files and to examine files

¹ Electronic Fingerprints: Computer Evidence Comes Of Age by Michael R. Anderson