2010 Organization of Bar Investigators Conference
Computer Forensics, Crime & Investigators
October 6, 2010
Andreas Kaltsounis
Sherry Johnson
Trends in Computer Usage & Crime
• Computer Usage
 Email, Text-Messaging
 PDAs and Smartphones
 Social Networking
• Computer Crime
 Botnets
 Computer Intrusions & Corporate Espionage
What we Can Do
• Define HOW proprietary data was stolen, and HOW MUCH of it was stolen
• Detect the alteration of documents, images, or other files
• Track internet usage and web activity
• Create a timeline of user activity on a system
• Recover emails and other files that have been “deleted”
• Document unauthorized access to systems or servers (intrusions)
• Identify the use of anti-forensics (cleaning utilities)
What we Can’t Do
• Recover information if it has been truly deleted (that is, overwritten)
• Tell you with certainty WHO was using a computer
• Conduct an examination without access to the drive, or on a physically damaged drive
Digital Forensics
What types of investigations can Digital Forensics support?
• Thumb (Jump) Drives
• CD/DVD Forensics
• Camera Forensics
• Copier Hard Drives
• Cell Phone Forensics
 Call Detail Records
 Text Messages
 GPS & Tower Location Data
Forensic Evidence – Where to Start
• Forensic Examinations
 What is Digital (Computer) Forensics
 Need to Substantiate:
• What was being done on the computer / device
• When it was being done
• Who (user account) was doing it
What type of information can you get from Digital Forensic analysis?
• Could be as little as 4 words carved from a deleted file
• Or a part of a picture carved from unallocated space
Forensics 101 –
Don’t Take Actions That will Change the Evidence
• What not to do
 Allow anyone to “look around”, open, close, move, or copy
 Hitting a key could trigger an undesired change
 Not always best to pull the plug and turn the system off
• What to do
 Have a forensic expert with you or someone you can call
 Document all actions taken
 If the system is on, have it checked for encryption
 Make decisions as to the best way to take the image
[There are several forensically acceptable ways to take an image of a live system, but the actions need to be well documented.]
Tying Evidence to:
• Who
• What
• When
• How
• (Why)
• (Where)
Tying Evidence to: Who
Who has been using this system?
SAM Registry File
Last Logon Time may not be useful if the system has been left on for days
Tying Evidence to: Who
Which user was the last one to use the system?
• Compare Time/Date of all user NTUSER.DAT files
• Compare last used NTUSER file to SYSTEM file Last Access Time/Date
Tying Evidence to: Who
What can be used to establish connection to suspect?
• Non-Digital Forensics:
 Phone records
 Door cards
 Video monitors
 Witnesses
• Check Log Files
 Applications used by suspect
 Chat file logs
Tying Evidence to: Who
Chat Logs
Tying Evidence to: Who
Is there a QUICK way to check across suspect-related files?
• Filter on User SID
• Review All Files
• Sort by Last Access
Tying Evidence to: Who
How to DEBUNK the Malware / Virus defense?
“I didn’t do it…
Malware, Viruses or hackers did it”
• Establish multiple indicators of Who was on the computer and When
• Prove Malware / Virus is not on the system
• Prove what any Malware / Virus found is designed to do, and that it would not have created this body of evidence of wrongdoing
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• gmail Password & Time / Date Last Used (Written)
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Google User ID & Password
• Time / Date Used
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Documents Most Recently Used & Time / Date (Open and/or Saved)
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Recent Documents Used & Time / Date:
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Internet Form Data & Time / Date
 Captures any information typed into a web form
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Internet Form Data & Time / Date:
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• E-Bay User ID and Password & Time / Date:
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Shell Folders
 Lists default locations for the information relevant to this user
Tying Evidence to: What
Using the Suspect personal config file (NTUSER.DAT)
• Typed URLs
 Created by user showing an intended action (typed or pasted)
 Will be “deleted” when the user clears their Internet Explorer History
 The lower the number, the more recently the URL was accessed
Tying Evidence to: What
Where / When has the suspect gone on the web?
(Local Settings\ personal config folder)
• User Internet History (History IE5)
 Websites visited
 Index.DAT (Master history Index File)
 Clear History will drop and create a new file, but the old file is still there until overwritten
 The user actually clicked on these links or went there!!
Tying Evidence to: What
Web – Internet History
(History IE5)
Tying Evidence to: What
Web – Internet History
Temporary Internet Files
Tying Evidence to: What
Was a File Printed?
*.EMF files
Tying Evidence to: What
What files did the suspect (try to) delete – Recycle Bin?
(separate folder for each user)
Info2 file
Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices)
Local Drive
Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices)
Local to External Drive
Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices)
External Drive
Tying Evidence to: What
Files – *.LNK (Shortcut Pointers to files, drives and devices)
Network Drive
Tying Evidence to: What
What Other Devices Have Been Connected?
IDE/USB/USBStore
[Cameras may not always be found under USBSTORE; also look in USB.]
[Multifunctional devices will have a line for each function: fax, copier, printer, scanner.]
Tying Evidence to: What
When was the file created and Who created it?
Has the file been changed and When / Who has changed it?
Meta Data
Meta Data File Information (varies by type of file):
 Creator (Author) Name
 Last Author
 Date Created
 Date Last Printed
 Date Last Modified
 Tracked Changes by Author
 Last Name to Modify
 Hidden Objects
 Hidden Text
 # of Revisions
 Total Editing Time
 Smart Tag Captured Information
[Track Changes needs to have been turned on in WORD]
[Word documents can maintain past revisions and up to 10 of the last authors to edit the file.]
Meta data around files (article)

The New Metadata Rules
What a busy attorney won’t take the time to tell you, and how it affects
the legal IT department
by Donna Payne, Payne Consulting Group
http://www.payneconsulting.com/pub_books/articles/pdf/ILTAPayneMetadata.pdf
Tying Evidence to: What
Are there Similar Files or Other Versions of the file?
Meta Data based on MD5 Hash
Tying Evidence to: What
What applications were used recently?
Prefetch - use to locate Malware
Tying Evidence to: What
What applications were used recently?
Prefetch - use to locate cleaners (CCleaner), defrag, and backup (Carbonite - remote backup site/service) software
[Listing the related / dependent files and processes for Carbonite backup]
Tying Evidence to: What / Who
Are there Emails and Attachments related to scope and suspect?
Tying Evidence to: When
Has the System Time/Date Been Changed?
• Changes tracked in the Security.EVT registry log file
• Use an Event Viewer
• FSPRO Labs Eventlogxp.Com
• Manually (re)setting the system time creates an Event ID # 520
• Meaning of Event IDs for different OS: WWW.EventID.Net
• Networked computers synchronize local clocks with a time server on the Internet or an intranet.
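Worked example (added here; not part of the presentation): Python that walks constructed Security-log records in order, accumulates the clock offset introduced by each Event ID 520, and attaches a corrected time to every record, so entries logged while the clock was set back can be re-placed on the timeline. The line layout and the wording of the 520 description are assumptions for this example, not the exact text Windows writes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records for this example (time | Event ID | description | user),
# modelled loosely on XP-era Security log entries. The layout and the wording of
# the 520 description are assumptions here, not the exact text Windows writes.
SAMPLE_LOG = [
    "2010-10-05 08:14:02 | 528 | Successful Logon | User: jdoe",
    "2010-10-05 08:20:31 | 520 | The system time was changed. "
    "Previous Time: 2010-10-05 08:20:31 New Time: 2010-09-28 08:20:31 | User: jdoe",
    "2010-09-28 09:02:11 | 560 | Object Open: C:\\Docs\\bid.xls | User: jdoe",
    "2010-09-28 09:30:45 | 520 | The system time was changed. "
    "Previous Time: 2010-09-28 09:30:45 New Time: 2010-10-05 09:30:45 | User: jdoe",
    "2010-10-05 09:35:10 | 538 | User Logoff | User: jdoe",
]

FMT = "%Y-%m-%d %H:%M:%S"
TIME_RE = re.compile(r"Previous Time: (\S+ \S+) New Time: (\S+ \S+)")

def parse_record(line):
    """Split one log line into (logged_time, event_id, description, user)."""
    when, event_id, desc, user = [f.strip() for f in line.split("|")]
    return datetime.strptime(when, FMT), int(event_id), desc, user.replace("User: ", "")

def correct_timeline(lines):
    """Walk the log in record order, accumulate the clock offset introduced by
    each Event ID 520, and attach a corrected ('real') time to every record.
    A 520 record is stamped with the clock still at its previous value, so it
    is corrected with the offset in force before its own change is applied."""
    offset = timedelta(0)              # how far the clock runs ahead of real time
    timeline = []
    for line in lines:
        logged, event_id, desc, user = parse_record(line)
        real = logged - offset
        if event_id == 520:
            prev, new = (datetime.strptime(g, FMT) for g in TIME_RE.search(desc).groups())
            offset += new - prev       # negative when the clock was set backwards
        timeline.append({"event_id": event_id, "user": user, "logged": logged,
                         "real": real, "skewed": logged != real})
    return timeline

if __name__ == "__main__":
    for rec in correct_timeline(SAMPLE_LOG):
        note = "   <-- logged while the clock was offset" if rec["skewed"] else ""
        print(f"{rec['logged']}  real={rec['real']}  id={rec['event_id']}{note}")
```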
Tying Evidence to: When
Time & Date Change in Event Viewer
Tying Evidence to: When / What / Who
When did the Suspect and Events coincide? - Timelines
Using the Suspect personal config file (NTUSER.DAT)
• UserAssist
 shows what windows they had open
• RecentDocs (also used under What)
• MRU lists
 OpenSaveMRU
 MapNetworkDriveMRU
 Explorer\RunMRU
 Explorer\StreamMRU
How can a suspect change critical File Times?
Create / Access / Modify
Laptops & Desktops
• Copy from one folder to another
 Updates the Creation date to the current date
 No change to Modify date
• Move from one folder to another
 No change to Modify or Create dates
USB Storage Devices
• Copy or Move from one folder to another is the same as for laptops / desktops
• Copy file from USB to laptop/desktop
 Updates Creation date
 No change to Modify date
• Move file from USB to laptop/desktop
 No change to Modify or Create dates
Anti (Counter)-Forensics
• Recently recognized as a legitimate field of study
• “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.” (Dr. Marc Rogers of Purdue University)
• “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” (Scott Berinato in his article, The Rise of Anti-Forensics)
Anti (Counter)-Forensics
From Wikipedia
• Anti-forensics methods are often broken down into several subcategories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories: data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) processes and tools.
Anti (Counter)-Forensics
Windows Based
 Windows Defrag
 Format and reinstall the OS
 Copying / Moving large amounts of data around repeatedly
Anti (Counter)-Forensics
OS (Re)Installation
Anti (Counter)-Forensics
Registry Cleaners
 PCTools Registry Doctor
 XP Medic (XPMedic.com)
 Registry Patrol (registrypatrol.com)
Anti (Counter)-Forensics
Software Examples
 Metasploit – Anti-Forensic Toolkit (Metasploit Anti-Forensic Investigation Arsenal, MAFIA)
 Transmogrify
Trail-obfuscation program. In most file types the header of the file contains identifying information. A (.jpg) would have header information that identifies it as a (.jpg), a (.doc) would have information that identifies it as a (.doc), and so on. Transmogrify allows the user to change the header information of a file, so a (.jpg) header could be changed to a (.doc) header. In a forensic examination searching for images (.jpg) on a machine, it would simply see a (.doc) file and skip over it.
 Slacker
A program used to hide files within the file slack space on a Windows computer
 Darik’s Boot and Nuke – disk wiping software
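Added example (not from the presentation or from any tool named above): a Python check for the header swap described under Transmogrify. It compares a file's extension with its header signature and also with its trailer signature, so a JPEG whose header has been rewritten to look like a .doc is still caught by the surviving JPEG end-of-image marker. The sample files are constructed byte strings; the signatures are the published values for those formats.

```python
# Header and trailer signatures for a few formats (published values); bytes
# startswith/endswith accept a tuple, so several signatures per type work.
HEADERS = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound file (Word 97-2003)
}
TRAILERS = {
    "jpg": (b"\xff\xd9",),                    # JPEG end-of-image marker
    "png": (b"IEND\xae\x42\x60\x82",),
    "pdf": (b"%%EOF",),
}

def types_by_header(data):
    return [ext for ext, sigs in HEADERS.items() if data.startswith(sigs)]

def types_by_trailer(data):
    tail = data.rstrip(b"\r\n")               # PDF writers usually end with a newline
    return [ext for ext, sigs in TRAILERS.items() if tail.endswith(sigs)]

def assess(name, data):
    """Return (verdict, header_types, trailer_types). Verdicts:
    consistent              extension agrees with the header
    header_mismatch         header says another type (file simply renamed)
    header_trailer_conflict header and trailer disagree (header rewritten)
    unknown                 no recognised signature"""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    heads, tails = types_by_header(data), types_by_trailer(data)
    if heads and tails and not set(heads) & set(tails):
        return "header_trailer_conflict", heads, tails
    if heads and ext not in heads:
        return "header_mismatch", heads, tails
    if heads:
        return "consistent", heads, tails
    return "unknown", heads, tails

# Constructed sample files for this example (not real documents).
JPEG_LIKE = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32 + b"\xff\xd9"
OLE_HEAD = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {
    "holiday.jpg": JPEG_LIKE,                       # as labelled
    "budget.doc": OLE_HEAD + b"\x00" * 48,          # as labelled
    "readme.doc": JPEG_LIKE,                        # picture renamed to .doc
    "quarterly.doc": OLE_HEAD + JPEG_LIKE[8:],      # JPEG header overwritten with an OLE header
    "notes.txt": b"plain text carries no signature\n",
}

def scan(samples):
    """Map each file name to its verdict; anything but 'consistent' needs review."""
    return {name: assess(name, data)[0] for name, data in samples.items()}
```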
Anti (Counter)-Forensics
Software Examples
 Timestomp
Goal is to allow for the deletion or modification of time stamp related information on files. There are four date and time stamps displayed for files that are useful to Forensic Examiners in reconstructing when data was last modified, accessed, created, or entered into the NTFS Master File Table.
Note: Although this program is designed to frustrate forensic analysis, its use can be easily detected. Because the program can delete all time stamp information, the lack of time stamp values would lead an examiner to the conclusion that something is amiss on the system. The Windows operating system records at least some timestamp information; the total absence of it is a dead giveaway that a user has tried to hide something. On the flip side, if the values are simply changed to believable values, then there is little chance the change(s) will be noticed at a casual glance.
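Added example (not from the presentation or from Timestomp): Python over constructed MFT-style records that applies the detection described above, blanked timestamps, and goes one step further with two indicators examiners commonly use on NTFS: $STANDARD_INFORMATION values with no sub-second part, and a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME one, which the usual timestamp-setting APIs do not rewrite. The records and their values are constructed for this example.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"

def ts(text):
    """Parse a timestamp; an empty string models a value the tool blanked."""
    return datetime.strptime(text, FMT) if text else None

# Constructed MFT-style records for this example: name, $STANDARD_INFORMATION
# (created, modified, accessed, MFT-changed) and $FILE_NAME in the same order.
T_REAL = "2010-10-02 14:22:10.553802"
SAMPLES = [
    ("memo.docx",                                # untouched file
     ("2010-09-14 10:02:17.481201", "2010-09-14 10:41:03.117739",
      "2010-10-01 08:15:44.002911", "2010-09-14 10:41:03.117739"),
     ("2010-09-14 10:02:17.481201",) * 4),
    ("invoice.xls",                              # backdated to a round 2008 value
     ("2008-01-03 09:00:00.000000",) * 4,
     (T_REAL,) * 4),
    ("notes.txt",                                # values deleted outright
     ("", "", "", ""),
     ("2010-10-02 14:25:00.118400",) * 4),
]

def assess(si_raw, fn_raw):
    """Return the indicators raised for one file's two timestamp sets."""
    si = [ts(t) for t in si_raw]
    fn = [ts(t) for t in fn_raw]
    flags = []
    if any(t is None for t in si):
        flags.append("missing $SI timestamps")              # the 'dead giveaway' above
    present = [t for t in si if t is not None]
    if present and all(t.microsecond == 0 for t in present):
        flags.append("$SI values have no sub-second part")  # a tool writing whole seconds
    if si[0] is not None and fn[0] is not None and si[0] < fn[0]:
        flags.append("$SI created predates $FN created")    # backdating; forward-dating is not caught
    return flags

def scan(records):
    """Map file name to indicators, omitting files that raise none."""
    out = {}
    for name, si_raw, fn_raw in records:
        flags = assess(si_raw, fn_raw)
        if flags:
            out[name] = flags
    return out

if __name__ == "__main__":
    for name, flags in scan(SAMPLES).items():
        print(name, "->", "; ".join(flags))
```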
Anti (Counter)-Forensics
Wiping Tools
 Eraser (free & ready to install)
 CCleaner (free)
 Window Washer ($29.95)
  Erases browser history, cookies & cache
  Protects passwords and personal information
  Permanently deletes unwanted files
  Frees up space on HD
  Removes cookies and unnecessary files
  Sets automatic cleanings
 Evidence Eliminator ($29.95)
  Erases all tracks of internet activity
  Internet & Windows tracks erasing
Anti (Counter)-Forensics
Wiping Tools (example) – CCleaner
Anti (Counter)-Forensics
Wiping Tools (example) – CCleaner
Useful Tools
Read-Only Hard Drive Viewing
 Live image
 Paraben P2 eXplorer
 Smart Mount
 Mount Image Pro
Used For:
 Running Software Used on Suspect’s System
 Running Anti-Virus / Anti-Malware Software Against Suspect’s System
 Safe Way to Walk Through Suspect’s System As They Used it, without having to restore their system
Gaining Access To:
• Emails
• ISP Data
• Cloud Computing
• Electronically Stored Information (ESI)
I Need Electronic Evidence
So How Do I Get It?
• Forensic Expert
 Trained and Certified
 Identify the Goal and the Scope of the Examination
• Search Warrants & Subpoenas
Questions???
Contact Information
Andreas Kaltsounis
Department of Defense Inspector General
Defense Criminal Investigative Service
Seattle Resident Agency
(206) 553-0699 x222
Sherry Johnson
Fraud & Digital Forensic Investigation, LLC
Digital Forensic Examiner
Certified Fraud Examiner
(206) 551-6227