Lecture 2
CSCE 590
Summer 2003
Forensics
• Forensic science is the science exercised on
behalf of the law in the just resolution of
conflict
• Crime reconstruction is the process of
gaining a more complete understanding of a
crime using available evidence
• Forensics is only a subset of the Incident
Response Process
Incident Response
1. Prepare for incidents
2. Detect incidents
3. Investigate
4. Formulate response strategy
5. Respond
6. Follow up
Prepare for Incidents
• Compile incident response/forensic toolkits
• Write, publish, and practice incident response
procedures
• Increase logging on machines and network
• Backups
• Cryptographic checksums
• Patching, hardening, NTP
• Banners
• Network measures – IDS, access control/firewalls,
document topologies, encryption, authentication
• User education
Preparation:
Policies and procedures
• Risk analysis
• Determine response stance
– Ignore incident – reinstall and go
– Surveillance and counterintelligence data collection
– Full investigation and prosecution
• Issues for response stance
– Business issues (publicity? Expensive investigation?)
– Legal issues (employee privacy?)
– Political issues (CEO surfin’ porn)
– Technical capabilities
Preparation:
Policies and procedures
• Policies that allow you to fully investigate instead
of relying on default law
– Trap and trace on your network
– Full content monitoring of traffic
– Search and review employee machine
– Coordinating with upstream sites
• Consent of user – AUPs
– Employee vs. intruder consent
• Stored communications vs. intercepted
communications
• The textbook was published in 2001! Beware!
Detect Incidents
• Intrusion detection systems
• Unusual activity
• User notices suspicious activity
• Someone reports it (defacements or
complaints)
• Other logs – system logs, firewall logs, antivirus
• Periodic audits
Investigate
• Who, what, where, when, how, maybe why
• Initial incident response:
– Focuses on verification of an incident
– Gathers evidence for later analysis
– Issues: recovery and downtime
– Triage to prevent further incidents
– Mostly non-law enforcement involved at this
point
Response
• Formulate response strategy – many factors
may be taken into consideration, combined
with response stance, and management
approval
• Respond – investigate, recover, report
findings
• Follow up – analyze process, implement
new security measures or processes, lessons
learned
Investigation Analogy
• Knife and bleeding, moaning, body in room found
by staff member
• Who do you call first, EMT or police?
• How do they work together to preserve evidence
and yet save the life?
• If the EMT disturbs the evidence is it still
admissible?
• Are EMTs trained in how to preserve evidence?
• Real EMTs can see a dead body, computer EMTs
can’t necessarily see it
• Sysadmins are trained to keep their systems
running, not to preserve a crime scene
Types of Clues
• Relational: an object is in relation to other
objects and how they interact with/to each
other. Relational reconstruction can include
geographic locations of computers and
people and any communication between
them.
Types of Clues
• Functional: the way something works or
how it was used. How a particular system or
application works and how it was
configured at the time of the crime.
Examining an exact replica to figure out
how a rootkit works or an exploit.
Types of Clues
• Temporal: the times related to evidence and
events. Timeline of events can identify
patterns and gaps or lead to other sources of
evidence. Various system clocks and time
zones must be taken into account.
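The temporal point above (normalize every source's clock and time zone before you read a timeline, then look for gaps) as a worked example. This is added code, not part of the lecture or its textbooks; the host names, log lines, zone offsets and clock skews are constructed for illustration. Each source carries the zone it stamps in and the skew measured against a reference clock at collection time; events are converted to true UTC, sorted, and consecutive events further apart than a threshold are reported as gaps worth chasing (missing logs, a second source, or deliberate deletion).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class ClockSource:
    """A system that produced timestamps, with its zone and measured skew."""
    name: str
    tz: timezone        # zone the source writes its timestamps in
    skew: timedelta     # source clock minus reference clock, measured at collection


@dataclass
class Event:
    source: str
    utc: datetime
    description: str


def normalize(raw_ts: str, src: ClockSource, fmt: str = "%Y-%m-%d %H:%M:%S") -> datetime:
    """Parse a naive local timestamp, attach its zone, undo clock skew, convert to UTC."""
    local = datetime.strptime(raw_ts, fmt).replace(tzinfo=src.tz)
    # A clock running `skew` fast stamps events later than they happened,
    # so subtracting the skew recovers the true time (negative skew = slow clock).
    return (local - src.skew).astimezone(timezone.utc)


def build_timeline(records: List[Tuple[str, str, str]],
                   sources: Dict[str, ClockSource]) -> List[Event]:
    """records are (source name, raw timestamp, description); result is sorted by true UTC time."""
    events = [Event(name, normalize(ts, sources[name]), desc) for name, ts, desc in records]
    return sorted(events, key=lambda e: e.utc)


def find_gaps(timeline: List[Event], threshold: timedelta) -> List[Tuple[Event, Event]]:
    """Consecutive events more than `threshold` apart: places to look for missing evidence."""
    return [(a, b) for a, b in zip(timeline, timeline[1:]) if b.utc - a.utc > threshold]


# Constructed sample data; hosts, offsets, skews and log lines are hypothetical.
SOURCES = {
    "firewall": ClockSource("firewall", timezone.utc, timedelta(0)),                           # NTP-synced, logs in UTC
    "web-host": ClockSource("web-host", timezone(timedelta(hours=-4)), timedelta(minutes=3)),   # UTC-4, clock 3 min fast
    "db-host": ClockSource("db-host", timezone(timedelta(hours=1)), timedelta(minutes=-2)),     # UTC+1, clock 2 min slow
}
RECORDS = [
    ("db-host", "2003-06-02 17:45:00", "bulk SELECT on customer table by app user"),
    ("web-host", "2003-06-02 10:04:02", "new process /tmp/.x started by uid 48"),
    ("firewall", "2003-06-02 14:00:10", "inbound TCP/80 to web-host permitted"),
    ("db-host", "2003-06-02 16:30:00", "login from web-host as app user"),
    ("web-host", "2003-06-02 10:03:15", "httpd: oversized request to /cgi-bin/"),
]
GAP_THRESHOLD = timedelta(hours=1)

if __name__ == "__main__":
    timeline = build_timeline(RECORDS, SOURCES)
    for e in timeline:
        print(f"{e.utc:%Y-%m-%d %H:%M:%S}Z  {e.source:9}  {e.description}")
    for a, b in find_gaps(timeline, GAP_THRESHOLD):
        print(f"gap of {b.utc - a.utc} between {a.source} and {b.source} events")
```

Read raw, the web-host entries look like they happened four hours before the firewall saw the connection; after correction they fall 5 and 52 seconds after it, which is the ordering an investigator actually needs to reason about. The skew value has to be measured and recorded at collection (compare the suspect clock to a trusted one and write both down), otherwise it cannot be defended later.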
Relationships of Source to
Evidence
• Production: the source produced the evidence
– Email headers
– MAC addresses
• Segment: the source is split into parts and the
parts of the whole are scattered. Key is linking
fragments to the source
– File fragment on a floppy
– A few network packets
Relationships of Source to
Evidence
• Alteration: the source is an agent or process that
alters or modifies the evidence
– Crowbar on a door leaves a characteristic impression
– An exploit leaves impressions on the altered system.
But an exploit can be copied and distributed to many
offenders and they all leave the same impression
• Location: the source is a point in space. Not so
easy to find geographically in the digital realm
Compare and Contrast
• Comparison and significant difference: try to
determine whether pieces of evidence came from the
same source by similarities or significant differences
• Decide if differences are significant
• Total agreement between evidence and exemplar
can't be practically expected
• Want truly significant differences
• Differences due to natural variation should be
explained, otherwise the value of the match is
diminished
Four Computer Forensic
Principles
• Minimize data loss
• Record everything, change nothing
• Analyze on copies
• Report findings
Evidence Dynamics
• Any influence that changes, relocates,
obscures, or obliterates evidence, regardless
of intent, between the time the evidence is
transferred and the time the case is
adjudicated
• Forensic examiners rarely get to examine
digital evidence in its ‘original state’ and
should expect anomalies
Computer Related Evidence
Dynamics: Examples
• Offender covering behavior: perpetrator deletes
logs and exploit files
• Victim actions: victim deleting emails in distress
or embarrassment
• Secondary transfer: someone uses computer after
crime and innocently alters or destroys evidence
• Witnesses: a sysadmin could delete suspicious
accounts to keep the intruder from using them
• Nature/Weather: magnetic field, static electricity
Computer Related Evidence
Dynamics: Examples
• Decomposition: tape decaying over time
• Forensic examiners: may, by accident or
necessity, relocate, obscure, or obliterate evidence.
(Scraping blood sample from a floppy resulting in
damage and data loss)
• Emergency response technicians: goal to prevent
further damage. Can add artifact-evidence,
obliterate patterns, relocate evidence, or cause
transfers
– Fire damage and resulting water damage
– Secure from further misuse or attacks
Difficulties Obtaining Evidence
• Distributed nature of networks and jurisdiction,
complex procedures for digital evidence exchange
- only practical for serious crimes
• Anonymity and deniability are easy with
computers and networks
• Easily deleted or changed – time is of the essence
to preserve it – big log files, network traffic,
volatile memory
• Requires a wide range of technical expertise
Difficulties Obtaining Evidence
• Huge volumes of data – terabytes?
• Decryption without keys
• Steganography
• Example: Rubberhose project (Marutukku)
– combines encryption and data hiding in a filesystem
that makes data recovery and reconstruction very
difficult.
– http://www.rubberhose.org/ - The Idiot Savants' Guide
to Rubberhose
Preserve the Crime Scene
• Do not write to original media
• Do not kill any processes
• Do not accidentally touch time stamps
• Do not use untrusted tools
• Do not change the system before evidence seizure
(power off, patch, update)
– Could unplug network cable if necessary
• Interview the people at the crime scene
– Especially sys admin or person who found it
Volatile Data Collection
• Minimize data loss, record everything, change
nothing. Uh-oh! That’s impossible!
• Doing nothing also changes the system!
• Do not pull the power cord; you risk corrupting nonvolatile data and losing volatile evidence:
– Registers and cache contents
– Contents of memory
– Information about running processes
– Network connections
– Mounted file systems
– Current users
– Swap, page, and temporary files
• A computer had explosives rigged to power switch
Collect the Most Volatile
Evidence First
• Memory
• Swap space or page file
• Network status and connections
• Processes running
• Storage media
• Removable media
– Make sure all files are synched on media, processes
aren’t using it, etc.
• Port scan?
– Some backdoors and covert channeling tools log
attempts and the IP address – system change
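The two slides above (preserve the scene, collect the most volatile evidence first) describe a live-response run; this added Python script is one way to carry it out while still honouring "record everything". It is not code from the lecture. Each step runs one tool, saves the raw output to an evidence directory (which should be the responder's own removable media, not the suspect disk), and appends a log record with the UTC time, the exact command, its exit status and a SHA-256 of the output. The Linux commands in DEFAULT_STEPS are illustrative; `toolkit_dir` lets a responder point every step at their own trusted, statically linked binaries instead of the suspect host's, since those may have been replaced. A tool that is missing or not runnable is logged rather than skipped, so the record accounts for every change made to the live system.

```python
import hashlib
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Most volatile first, following the lecture's order. Ordinary Linux commands,
# chosen for illustration only.
DEFAULT_STEPS = [
    ("memory_summary", ["cat", "/proc/meminfo"]),
    ("swap", ["cat", "/proc/swaps"]),
    ("network", ["ss", "-anp"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("mounts", ["mount"]),
    ("users", ["who"]),
]
LOG_NAME = "collection_log.jsonl"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_step(label, argv, evidence_dir, toolkit_dir=None):
    """Run one tool, store its raw output, append a log record, return the record."""
    if toolkit_dir:
        # Resolve the tool inside the responder's trusted toolkit, not the host's PATH.
        argv = [os.path.join(toolkit_dir, argv[0])] + list(argv[1:])
    record = {"label": label, "command": argv,
              "started_utc": datetime.now(timezone.utc).isoformat()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120)
        output = proc.stdout + proc.stderr
        record["exit_status"] = proc.returncode
    except (FileNotFoundError, PermissionError) as exc:
        # Log the failure instead of silently skipping: the record must
        # account for every step attempted on the live system.
        output = b""
        record["exit_status"] = None
        record["note"] = f"tool not available: {exc.__class__.__name__}"
    out_path = os.path.join(evidence_dir, f"{label}.out")
    with open(out_path, "wb") as f:
        f.write(output)
    record["output_file"] = out_path
    record["sha256"] = sha256_hex(output)
    record["finished_utc"] = datetime.now(timezone.utc).isoformat()
    with open(os.path.join(evidence_dir, LOG_NAME), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def collect(evidence_dir, steps=DEFAULT_STEPS, toolkit_dir=None):
    """Run all steps in the given order; returns the list of log records."""
    os.makedirs(evidence_dir, exist_ok=True)
    return [run_step(label, argv, evidence_dir, toolkit_dir) for label, argv in steps]


def verify(evidence_dir):
    """Re-hash every stored output against the log; returns labels that no longer match."""
    mismatched = []
    with open(os.path.join(evidence_dir, LOG_NAME)) as log:
        for line in log:
            rec = json.loads(line)
            with open(rec["output_file"], "rb") as f:
                if sha256_hex(f.read()) != rec["sha256"]:
                    mismatched.append(rec["label"])
    return mismatched


if __name__ == "__main__":
    # usage: python collect.py <evidence_dir> [toolkit_dir]
    target = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    toolkit = sys.argv[2] if len(sys.argv) > 2 else None
    for rec in collect(target, toolkit_dir=toolkit):
        print(f"{rec['label']:15} exit={rec['exit_status']}  sha256={rec['sha256'][:16]}...")
    print("mismatched outputs:", verify(target))
```

Running the collector is itself a system change (new processes, memory pressure, file reads), which is exactly why the log records what ran and when: the examiner can later separate the responder's footprints from the intruder's. The `verify` pass is what you run after copying the evidence directory off the removable media, to show the outputs are the ones collected.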
Record Keeping
• May have to duplicate setup in lab
– Cameras
• Explain how you took down the computer
• May be called upon to testify – 2 years later
– Notes can be used as a refresher
– Can be admitted as evidence if you can’t remember
what you did
– Shows your methods were scientific and unbiased
– Video or audio could show your mistakes in
methodology or collection methods or a bias
Chain of Custody
• Establishes continuity of possession and proof of
the integrity of handling of the collected evidence
• Helps maintain strict access to it
• Each piece of evidence should have a chain of
custody log associated with it:
– Tag hard drives separate from the system
– use md5 hashes with electronic files, especially if they
are being transferred across electronic medium
Chain of Custody
• Evidence tag:
– Date and time it was seized
– Case number and item (tag) number of evidence and
any hash numbers
– Consent required? If yes – signature of owner
– Location and who it was obtained from (owner)
– Make, model, and serial number
– Name of person who collected the evidence
– Description of evidence
– Full name and signature of person receiving evidence
The Chain
– Log of people who handle the evidence during
investigation
– Record a transaction
• Each time it changes possession
• Each time it moves from one media type to another
– What to record
• Who it was received from and location it was in
• Date of receipt
• Reason evidence transferred custody
• Who received it and where it was received or located
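The evidence tag and the chain slides above, turned into a small working record keeper. This is an added example, not code from the lecture; every name, case number and serial in it is a placeholder. The tag carries the fields the slide lists; each custody transaction records who it came from and where, the date, the reason, and who received it and where. Before any transfer is logged the file is re-hashed and compared with the hash taken at seizure, and the transfer is refused if they differ, so a break in integrity is caught at the hand-off rather than in court. SHA-256 is used here in place of the MD5 the slide mentions.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file read in chunks (disk images can be very large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class Transfer:
    """One custody transaction: the four items the slide says to record, plus the hash seen."""
    when_utc: str
    received_from: str
    from_location: str
    reason: str
    received_by: str
    to_location: str
    sha256_at_transfer: str


@dataclass
class EvidenceTag:
    case_number: str
    item_number: str
    seized_utc: str
    description: str
    make_model_serial: str
    location_obtained: str
    obtained_from: str                  # owner
    consent_signature: Optional[str]    # None when no consent was required
    collected_by: str
    received_by: str
    file_path: str                      # image or file this tag covers
    sha256: str                         # hash at seizure; reference for every later check
    chain: List[Transfer] = field(default_factory=list)


class CustodyError(Exception):
    """Raised when the evidence no longer matches its seizure hash."""


def seize(case_number, item_number, file_path, description, make_model_serial,
          location, owner, collector, receiver, consent_signature=None) -> EvidenceTag:
    """Create the tag and the opening chain entries (owner -> collector -> receiver)."""
    when = now_utc()
    digest = hash_file(file_path)
    tag = EvidenceTag(case_number, item_number, when, description, make_model_serial,
                      location, owner, consent_signature, collector, receiver, file_path, digest)
    tag.chain.append(Transfer(when, owner, location, "seizure", collector, location, digest))
    if receiver != collector:
        tag.chain.append(Transfer(when, collector, location, "intake", receiver, location, digest))
    return tag


def transfer(tag: EvidenceTag, received_by: str, to_location: str, reason: str) -> Transfer:
    """Log a change of possession or medium; refuse if the hash no longer matches seizure."""
    current = hash_file(tag.file_path)
    if current != tag.sha256:
        raise CustodyError(f"item {tag.item_number}: hash changed from "
                           f"{tag.sha256[:12]} to {current[:12]}; integrity broken")
    last = tag.chain[-1]
    entry = Transfer(now_utc(), last.received_by, last.to_location, reason,
                     received_by, to_location, current)
    tag.chain.append(entry)
    return entry


def current_custodian(tag: EvidenceTag) -> str:
    return tag.chain[-1].received_by


def tag_to_json(tag: EvidenceTag) -> str:
    return json.dumps(asdict(tag), indent=2)


def demo(path: str = "/tmp/cc_example_item1.img") -> EvidenceTag:
    """Constructed walk-through with placeholder names: seize a fake image, hand it to the lab."""
    with open(path, "wb") as f:
        f.write(b"constructed sample disk image contents\n")
    tag = seize("CASE-PLACEHOLDER-001", "ITEM-1", path, "image of workstation hard drive",
                "PLACEHOLDER make/model, S/N PLACEHOLDER", "server room B", "owner (placeholder)",
                "collector (placeholder)", "evidence custodian (placeholder)")
    transfer(tag, "lab analyst (placeholder)", "forensics lab", "analysis on working copy")
    return tag


if __name__ == "__main__":
    print(tag_to_json(demo()))
```

The hash is taken once, at seizure, and every later entry records the hash observed at that hand-off; a custodian who cannot reproduce the seizure hash has nothing to sign for. Keep the hard-drive tag separate from the system tag as the slide says, so a drive pulled into a different enclosure keeps its own chain.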
• Reading for Lectures 2-5:
– Mandia/Prosise: Chapters 2-5, 9
– Casey: Chapter 2 (in Reading Room)
• Homework 1: Due Monday, June 9, 2003