Transcript FORENSICS
COMPUTER FORENSICS Aug. 11, 2000 for Cambridge, Massachusetts [email protected] COMPUTER FORENSICS CAN BE MANY THINGS Corporate or University internal investigation FBI or (unlikely) Sheriff investigation Computer Security Research Post Mortem or Damage Assessment Child Pornography Fraud Espionage & Treason Corporate or University Policy Violation Honey-pots Computer Forensics ultimately support or refute a case someone cares to make. FORENSICS IS A FOUR STEP PROCESS Acquisition Identification Evaluation Presentation RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications) http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm , by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96) PRESENTATION – Starting at the End Many findings will not be evaluated to be worthy of presentation as evidence. Many findings will need to withstand rigorous examination by another expert witness. The evaluator of evidence may be expected to defend their methods of handling the evidence being presented. The Chain of Custody may be challenged. EVALUATION – What the Lawyers Do This is what lawyers (or those concerned with the case) do. Basically, determine relevance. Presentation of findings is key in this phase. Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems. IDENTIFICATION – Technical Analysis Physical Context Logical Context Presentation/Use Context Opinion to support relevance of findings Handling and labeling of objects submitted for forensic analysis is key. Following a documented procedure is key. FBI List of Computer Forensic Services Content (what type of data) Comparison (against known data) Transaction (sequence) Extraction (of data) Deleted Data Files (recovery) Format Conversion Keyword Searching Password (decryption) Limited Source Code (analysis or compare) Storage Media (many types) THE EVIDENCE LOCKER Restricted Access and Low Traffic, Camera Monitored Storage. Video Surveillance & Long Play Video Recorders Baggies for screws and label everything! Sign In/Out for Chain of Custody ACQUISITION – What Are the Goals? Track or Observe a Live Intruder? Assess Extent of Live Intrusion? Preserve “Evidence” for Court? Close the Holes and Evict the Unwanted Guest? Support for Sheriff, State Police or FBI Arrest? Support for Court Ordered Subpoena? GROUND ZERO – WHAT TO DO do not start looking through files start a journal with the date and time, keep detailed notes unplug the system from the network if possible do not back the system up with dump or other backup utilities if possible without rebooting, make two byte by byte copies of the physical disk capture network info capture process listings and open files capture configuration information to disk and notes collate mail, DNS and other network service logs to support host data capture exhaustive external TCP and UDP port scans of the host contact security department or CERT/management/police or FBI if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented short-term storage packaging/labeling shipping ADDITIONAL RESOURCES RCMP Article on the Forensic Process. http://www.rcmpgrc.gc.ca/tsb/pubs/bulletins/bull41_3.htm Lance Spitzner’s Page: Forensic Analysis, Building Honeypots http://www.enteract.com/~lspitz/pubs.html Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/ The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm Long Play Video Recorders. http://www.pimall.com/nais/vrec.html FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/securityimprovement/implementations/i003.01.html Thank you … … very much, MIT!