Transcript FORENSICS

COMPUTER FORENSICS
Aug. 11, 2000 for
Cambridge, Massachusetts
COMPUTER FORENSICS CAN BE MANY THINGS
• Corporate or University internal investigation
• FBI or (unlikely) Sheriff investigation
• Computer Security Research
• Post Mortem or Damage Assessment
• Child Pornography
• Fraud
• Espionage & Treason
• Corporate or University Policy Violation
• Honey-pots
Computer forensics ultimately supports or refutes a case someone cares to make.
FORENSICS IS A FOUR STEP PROCESS
• Acquisition
• Identification
• Evaluation
• Presentation
RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications), http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm, by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)
PRESENTATION – Starting at the End
• Many findings will not be evaluated to be worthy of presentation as evidence.
• Many findings will need to withstand rigorous examination by another expert witness.
• The evaluator of evidence may be expected to defend their methods of handling the evidence being presented.
• The Chain of Custody may be challenged.
EVALUATION – What the Lawyers Do
• This is what lawyers (or those concerned with the case) do. Basically, determine relevance.
• Presentation of findings is key in this phase.
• Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems.
IDENTIFICATION – Technical Analysis
• Physical Context
• Logical Context
• Presentation/Use Context
• Opinion to support relevance of findings
• Handling and labeling of objects submitted for forensic analysis is key.
• Following a documented procedure is key.
FBI List of Computer Forensic Services
• Content (what type of data)
• Comparison (against known data)
• Transaction (sequence)
• Extraction (of data)
• Deleted Data Files (recovery)
• Format Conversion
• Keyword Searching
• Password (decryption)
• Limited Source Code (analysis or compare)
• Storage Media (many types)
THE EVIDENCE LOCKER
• Restricted Access and Low Traffic, Camera Monitored Storage.
• Video Surveillance & Long Play Video Recorders
• Baggies for screws and label everything!
• Sign In/Out for Chain of Custody
ACQUISITION – What Are the Goals?
• Track or Observe a Live Intruder?
• Assess Extent of Live Intrusion?
• Preserve “Evidence” for Court?
• Close the Holes and Evict the Unwanted Guest?
• Support for Sheriff, State Police or FBI Arrest?
• Support for Court Ordered Subpoena?
GROUND ZERO – WHAT TO DO
• do not start looking through files
• start a journal with the date and time, keep detailed notes
• unplug the system from the network if possible
• do not back the system up with dump or other backup utilities
• if possible without rebooting, make two byte by byte copies of the physical disk
• capture network info
• capture process listings and open files
• capture configuration information to disk and notes
• collate mail, DNS and other network service logs to support host data
• capture exhaustive external TCP and UDP port scans of the host
• contact security department or CERT/management/police or FBI
• if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
• short-term storage
• packaging/labeling
• shipping
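The Ground Zero steps above, as an added example that is not part of the original slides: a small POSIX shell helper that starts the journal first, makes two byte-by-byte images with dd, records SHA-256 hashes of source and copies for the chain of custody, and captures volatile state. It assumes GNU coreutils (sha256sum, dd); the source device, evidence directory and the sample "disk" are constructed stand-ins, not values from the talk.

```shell
#!/bin/sh
# Added example, not from the original slides: acquisition helper in the
# Ground Zero order (journal first, two byte-by-byte images, hashes in the
# journal for the chain of custody, volatile state captured).
# Assumptions: GNU coreutils (sha256sum, dd); in practice SRC is a block
# device such as /dev/sda and DIR sits on separate media.

journal() {   # append a UTC-timestamped entry to the case journal
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$JOURNAL"
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# 0 if the image's SHA-256 equals the source's; both hashes go in the journal.
verify_image() {
    want=$(hash_of "$1"); got=$(hash_of "$2")
    journal "verify $2 source=$want image=$got"
    [ "$want" = "$got" ]
}

# Image SRC into DIR/image1.dd and DIR/image2.dd with dd and verify each;
# returns non-zero on the first copy that does not match the source.
acquire_disk() {
    src=$1 dir=$2
    JOURNAL="$dir/journal.txt"
    mkdir -p "$dir"
    journal "acquisition started src=$src"
    for n in 1 2; do
        img="$dir/image$n.dd"
        # noerror: keep reading past bad sectors; sync: pad them so offsets stay aligned
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$JOURNAL"
        verify_image "$src" "$img" || { journal "MISMATCH $img"; return 1; }
    done
    journal "both images verified"
}

# Record volatile state before power-off; tools are probed because not
# every box has them. Returns 0 if anything was captured into $1.
capture_volatile() {
    { date -u; uname -a; ps -ef; } > "$1" 2>&1
    command -v netstat >/dev/null && netstat -an >> "$1" 2>&1
    command -v ss >/dev/null && ss -tulpan >> "$1" 2>&1
    [ -s "$1" ]
}

# Constructed stand-in for the physical disk: 8 random 512-byte sectors.
SAMPLE=$(mktemp); dd if=/dev/urandom of="$SAMPLE" bs=512 count=8 2>/dev/null
EVIDENCE=$(mktemp -d)
acquire_disk "$SAMPLE" "$EVIDENCE" && echo "verified images in $EVIDENCE"
```

The journal ends up holding dd's record counts and every hash, which is the record an examiner can later be asked to defend.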
ADDITIONAL RESOURCES
• RCMP Article on the Forensic Process. http://www.rcmpgrc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
• Lance Spitzner’s Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
• Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
• The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
• Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
• FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
• Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
• Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/securityimprovement/implementations/i003.01.html
Thank you …
… very much, MIT!