Computer Forensics
Peter Caggiano
Outline
My Background
What is it?
What Can it do and not do?
Goals
Evidence
Types of forensics
Future problems
How to enter the field
Questions?
Background
Stockton College
BS Computer Science
Minor in Mathematics
The George Washington University
MS Computer Science
Concentrations:
Information Assurance
Computer Forensics
Work Experience
PG Lewis & Associates
Department of State
Corporate Forensics and Data Recovery
Computer Investigations and Forensics
Nuclear Regulatory Commission
Office of the Inspector General
Computer Forensics
Computer forensics is the discipline of
acquiring, preserving, identifying and
examining digital media
The application of computer science and
mathematics to the reliable and unbiased
collection, analysis, interpretation and
presentation of digital evidence.
What Is Computer Forensics?
Is often more of an art, than a science.
Follows clear, well-defined methodologies.
Uses the same basic techniques as other
forensics areas.
What Forensics Can Do
High tech investigations
Incident response
Email recovery and analysis
Document and file discovery
Data collecting
While still preserving MAC times
Other volatile data
What Forensics Can Do
Uncover and document evidence and leads
Corroborate other evidence
Assist in showing patterns of events
Connect computers and people
Reveal an end-to-end path of events leading to a compromise attempt, successful or not
Extract data that may be hidden, deleted or otherwise not directly available
What Forensics Can’t Do
Create evidence
Tie the suspect to the incident
Only system or profile
Prove innocence or guilt
Be instantaneous
Goals
Details of the investigation will depend on the circumstances and goals, but the steps are always the same.
Goals:
Support Law Enforcement
To determine the root cause of an event to prevent reoccurrence
Re-construct the series of events surrounding the incident
Assist in more types of investigations than just digital
Evidence
All forms of digital media
Hard drives
CDs
Floppy disks
USB drives
Flash memory
Tape drives
Cameras
Etc.
Evidence Categories Beyond Hard Drives
Logs
Interviews
Managing devices
Hosts/systems
Servers
Involved personnel
Business and technical managers
Device configuration files
Network maps
Event observation timelines
Notes
Meetings
Passwords
Response team notes and observations
Types of Forensics
Traditional vs. Incident Response
Basic Methodology
Identification
Preparation
Approach strategy
Preservation
Collection
Examination
Analysis
Presentation
Returning evidence
Traditional Forensics
Referred to as ‘Dead’ Forensics
Analysis done in a ‘Post Mortem’ state
After the system has lost power
Two basic rules
Harm Nothing
Preserve Everything
Harm Nothing
Writeblocker (Hardware, Firmware, Software)
Preserves the integrity of the original evidence
Work off a ‘Forensic Image’ of the original evidence, never the original evidence
Don’t handle the original evidence longer than necessary
Forensic Image
An exact, bit by bit copy of a piece of media without altering the original data.
Includes slack space, unallocated space, and hidden partitions.
Preserves MAC times
An exact “snapshot” of the hard drive at that given time
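Added example (not from the talk): a Python acquisition of a constructed stand-in for a piece of media that shows the points above in code: a block-by-block copy, a hash taken from the bytes as they leave the original and a second hash taken from the written image (the two must match for the image to be trusted), a check that the original's size and modify/change times are unchanged, and a signature search that finds a deleted document in the unallocated region the live file system would never list. The sample media, file names, the deleted-document marker and the use of the Linux-only O_NOATIME open flag are all assumptions made for the example; on systems without that flag, merely reading the original can update its access time, which is exactly why a hardware writeblocker or read-only mount is used instead of trusting software.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # copy in fixed blocks, as a dd-style imager does


def build_sample_media(path):
    """Constructed stand-in for a small piece of media (not real evidence):
    an allocated file region, then 'unallocated' space that still holds
    the remnant of a deleted document."""
    allocated = b"LIVE FILE: quarterly report\n".ljust(2048, b"\x00")
    unallocated = b"\x00" * 512 + b"DELETED-DOC: draft memo to legal\n" + b"\xff" * 1024
    with open(path, "wb") as f:
        f.write(allocated + unallocated)


def mac_snapshot(path):
    """Size plus modify/change times of the original, taken before and
    after acquisition to show the original was not harmed. Access time is
    left out on purpose: it is the one value a careless read can change."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns, st.st_ctime_ns)


def image_media(source, dest):
    """Bit-for-bit copy of source into dest. The acquisition hash covers the
    bytes as they leave the original; the verification hash covers the
    written image, so any bad block in the copy shows up as a mismatch."""
    # Read-only, and (Linux only, assumed here) without touching the access
    # time: the software equivalent of 'harm nothing'.
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    acquisition = hashlib.sha256()
    fd = os.open(source, flags)
    try:
        with open(dest, "wb") as out:
            while block := os.read(fd, BLOCK):
                acquisition.update(block)
                out.write(block)
    finally:
        os.close(fd)
    verification = hashlib.sha256()
    with open(dest, "rb") as img:
        while block := img.read(BLOCK):
            verification.update(block)
    return acquisition.hexdigest(), verification.hexdigest()


def carve(image_path, signature):
    """Every offset at which a byte signature appears in the image,
    including unallocated space that a mounted file system would hide."""
    with open(image_path, "rb") as f:
        data = f.read()
    hits, start = [], 0
    while (i := data.find(signature, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def acquire_and_verify(workdir):
    """Build the sample media, image it, and report the checks an examiner
    records: matching hashes, untouched original, and what the image holds."""
    source = os.path.join(workdir, "original.bin")
    image = os.path.join(workdir, "original.dd")
    build_sample_media(source)
    before = mac_snapshot(source)
    acq, ver = image_media(source, image)
    after = mac_snapshot(source)
    return {
        "acquisition_sha256": acq,
        "verification_sha256": ver,
        "image_verified": acq == ver,
        "original_unharmed": before == after,
        "deleted_remnant_offsets": carve(image, b"DELETED-DOC"),
    }


def demo():
    return acquire_and_verify(tempfile.mkdtemp(prefix="forensic-image-"))


if __name__ == "__main__":
    print(demo())
```

Both hash values would go into the examiner's notes with the image; a later re-hash of the image that still matches shows the evidence was not altered between acquisition and presentation.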
Writeblockers
Hardware
Firmware
Only true hardware writeblocker is the Floppy tab
Intermediate device between the evidence and the system
Intercepts the write signal from the system and prevents any alteration of data
Software
Secure Linux environment
Connecting file systems as ‘Read Only’ to the system
HFS partition connected to a Windows system
Preserve Everything
Contact system administrators
Image entire disks not just volumes
Data can be on remote servers
Physical vs. Logical layer
Image all peripheral media
Common tools
MacForensicsLab
FTK
EnCase
iLook
Pro Discover
Many specialized tools
Incident Response
Also known as Live Forensics
Growing field because of the expanding role of networks
Vital to preserve volatile data
Unlike Traditional Forensics, the original evidence must be altered
To retrieve the needed data, the system in question must be used
What Incident Response Can Do
Show a path that the intruder took over the network
Reveal intermediate intrusions
Preserve data that would be lost during Traditional Forensic investigations
Create leads to expand investigation
What Incident Response Can’t Do
Solve the case alone
Tie the suspect to the attack
Traditional Forensics is still needed
Only system
Create data that is not present
Collecting the evidence
Information gathering
Volatile memory and configurations
Enumerating
Files or ambient data
Compromised system
Attack system
Log entries in intermediate devices
What to look for
Footprinting
Files or ambient data on attack computer and log entries in intermediate devices
Probing for weaknesses
Files or ambient data on attack computer
Log entries
Intermediate devices
Compromised system
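Added example (not from the talk): the "log entries in intermediate devices" point above, worked through in Python. Three constructed logs in three different formats (a firewall between the outside and the victim, the victim's web server, and the victim's sshd) are normalised into one timeline per source address, which is what lets an examiner show the path from footprinting and probing through to the compromise, and what "Connect computers and people" looks like in practice. The log lines, device names, addresses and the assumed syslog year are all invented for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs (not from the talk). Addresses are documentation
# ranges; the device names are invented.
FIREWALL_LOG = """\
2009-03-02T14:01:05Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2009-03-02T14:01:06Z fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2009-03-02T14:01:07Z fw01 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80
2009-03-02T14:05:30Z fw01 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=22
2009-03-02T14:30:00Z fw01 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80
"""
WEB_LOG = """\
203.0.113.7 - - [02/Mar/2009:14:02:10 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.7 - - [02/Mar/2009:14:02:11 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.4 - - [02/Mar/2009:14:30:01 +0000] "GET /index.html HTTP/1.1" 200 3400
"""
AUTH_LOG = """\
Mar  2 14:05:33 www01 sshd[2201]: Accepted password for webadmin from 203.0.113.7 port 40111 ssh2
"""
SYSLOG_YEAR = 2009  # syslog lines carry no year; taken from the case file (assumed), not parsed

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=\S+ dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3})')
AUTH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+)"
)


def parse_events(fw, web, auth):
    """Normalise each device's own format into (time_utc, device, ip, detail)
    tuples and return them in time order, so devices can be read together."""
    events = []
    for line in fw.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m[2], m[4], f"{m[3]} tcp/{m[5]}"))
    for line in web.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, "www01-httpd", m[1], f"{m[3]} {m[4]} -> {m[5]}"))
    for line in auth.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{SYSLOG_YEAR} {m[1]}", "%Y %b %d %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)
            events.append((ts, m[2] + "-sshd", m[5], f"{m[3]} login for {m[4]}"))
    return sorted(events)


def timeline_for(ip, events):
    """Everything the collected devices recorded about one source address."""
    return [e for e in events if e[2] == ip]


def summarize(ip, events):
    """The facts an examiner wants from the timeline: when the address was
    first and last seen, which devices saw it, how much of its activity looks
    like probing (denied connections, requests for pages that do not exist),
    and whether any of it ended in a successful login."""
    tl = timeline_for(ip, events)
    denied = [e for e in tl if e[3].startswith("DENY")]
    not_found = [e for e in tl if e[3].endswith("-> 404")]
    logins = [e for e in tl if "Accepted login" in e[3]]
    return {
        "first_seen": tl[0][0].isoformat(),
        "last_seen": tl[-1][0].isoformat(),
        "devices": sorted({e[1] for e in tl}),
        "path": [e[1] for e in tl],
        "probing_indicators": len(denied) + len(not_found),
        "successful_logins": [(e[0].isoformat(), e[1], e[3]) for e in logins],
    }


def demo():
    return summarize("203.0.113.7", parse_events(FIREWALL_LOG, WEB_LOG, AUTH_LOG))


if __name__ == "__main__":
    for event in parse_events(FIREWALL_LOG, WEB_LOG, AUTH_LOG):
        print(*event)
    print(demo())
```

The clocks on the three devices are assumed to be synchronised; in a real case the examiner records each device's clock offset (the "Event observation timelines" item earlier in the talk) before merging its entries, or the path will be ordered wrongly.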
Tools
Mostly open source tools
Helix
Backtrack
Live Linux environment and response suite
Network mapping and penetration (if needed)
Custom batch and script files
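Added example (not from the talk): the kind of "custom script" a responder runs on a live system, written in Python for a Unix-like host. It captures volatile data in order of volatility (the host clock first, then connections and processes, ending with the least volatile system identity), writes each result to a case directory with a SHA-256 hash, and keeps a manifest of what the responder ran and when, because, as the slides note, live response necessarily alters the original evidence and the responder's own footprint must be separable from the intruder's. The command list and file layout are assumptions; any command missing from the host is recorded as unavailable rather than failing the collection.

```python
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

# Order of volatility: what disappears first is captured first. This list is
# an assumption for a Unix-like host; a Windows host needs its own plan.
COLLECTION_PLAN = [
    ("clock",      ["date", "-u"]),      # anchor the host clock against the responder's
    ("net_conns",  ["ss", "-tunap"]),    # live sockets and the processes that own them
    ("processes",  ["ps", "-ef"]),
    ("logged_in",  ["who"]),
    ("routes",     ["ip", "route"]),
    ("arp_cache",  ["ip", "neigh"]),
    ("mounts",     ["mount"]),
    ("system_id",  ["uname", "-a"]),     # least volatile, collected last
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def run_and_record(name, argv, outdir):
    """Run one command, save its output, and log the responder's footprint
    (exact command, time, exit status) so it can be told apart from the
    intruder's activity later."""
    entry = {"command": " ".join(argv), "started": datetime.now(timezone.utc).isoformat()}
    if shutil.which(argv[0]) is None:
        entry["status"] = "not available on this host"
        return entry
    out_path = os.path.join(outdir, name + ".txt")
    with open(out_path, "wb") as out:
        proc = subprocess.run(argv, stdout=out, stderr=subprocess.STDOUT, timeout=30)
    entry.update({
        "status": "ok" if proc.returncode == 0 else f"exit {proc.returncode}",
        "file": out_path,
        "bytes": os.path.getsize(out_path),
        "sha256": sha256_file(out_path),
    })
    return entry


def collect_volatile(case_dir, plan=COLLECTION_PLAN):
    """Work through the plan in order and write a manifest beside the output
    files; the manifest is what goes into the response team's notes."""
    os.makedirs(case_dir, exist_ok=True)
    manifest = {
        "collector_uid": os.getuid(),
        "started": datetime.now(timezone.utc).isoformat(),
        "entries": {},
    }
    for name, argv in plan:
        manifest["entries"][name] = run_and_record(name, argv, case_dir)
    manifest["finished"] = datetime.now(timezone.utc).isoformat()
    with open(os.path.join(case_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo():
    return collect_volatile(tempfile.mkdtemp(prefix="live-response-"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real engagement the tools would be run from known-good binaries on the responder's own media rather than from the compromised host's PATH, and the case directory would be on removable or remote storage so that nothing is written to the evidence disk.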
Big Picture
Use all the data collected to tie all the events together in support of the overall investigation.
Future Problems
Large data sets
Steganography
Cell phones
PDAs
Encryption
How to enter the field
Law Enforcement
Mostly point and click
Don’t always understand the technical side
Technical
Don’t understand the entire scope of the investigation
Understand the ‘behind the scenes’ actions of the tools
Forensic Analyst
Requires Knowledge of
Computer Hardware and Software
Operating Systems
File Systems
Special “Forensics” Hardware and Software
Networks
General technical support
Preparation from Stockton
Technical support
Programming
Computer security basics
Analytical approach
Networks
Sound fundamentals
Preparation from GW
SFS Scholarship
Hands on forensic practical
In-depth computer security
Network security practices
Hacking
SFS Scholarship
www.sfs.opm.gov
Roughly 15 schools nationwide
Pay for up to 2 years of school
Pay you to go to school
NSA Center of Excellence
Concentrate in all areas of computer security
Not all centers are scholarship schools
In return: 1 to 1 (years of education to government employment)
Questions?
Contact Information
Peter Caggiano
908.581.3630
[email protected]