Computer Forensics and Investigations
Digital Evidence
Dean R. Beal
CISA, CFE, ACE
Allegation
Anonymous Tip
Ethics Line
Risk Assessment
Audit
Continuous Auditing/Monitoring
Allegation
Fraud and/or Abuse:
Breaches of Confidentiality
Running a Personal Business
Pornography
Sharing Copyrighted Material
Travel and Business Expenses
Unlicensed Software Use
Time and Attendance
Harassment
Bribery
Theft
Discrimination
Assessing the Allegation
Management:
• Receives
• Reviews
• Assigns
Guidelines:
• Should exist, outlining the steps taken to obtain digital evidence in support of an investigation
Assessing the Allegation
Support a Non IT Investigation
Complete an IT Investigation
Obtaining Digital Evidence
Identification of:
• Person(s)
Desktops/laptops
Mobile devices
External drives
Network shares
• Location(s)
Network Segment
• Ping
• Doors accessed
• Connectivity
• Bandwidth
Obtaining Digital Evidence
Keep it Confidential
• Only those with a “Need to Know”
Physical Confiscation
• Unplug, remove batteries
• External storage devices
• Digital camera
• Chain of custody forms
• Check in and under everything
• Evidence bags
• Document everything
Unstructured Data
No Schemas
No Organization
Unpredictable
Make Note of:
• Obvious
• Not so obvious
Piece the puzzle from the outside-in
Start in the Forest
• Don’t get lost in the trees… yet
Searching Unstructured Data
Internet
eMail
Instant Messenger
Digital Forensics
• Servers
• Desktops
• Laptops
• Mobile Devices
Searching the Internet
Open Connection
• No affiliation
Use Alias:
• eMail address
• Profiles
• User IDs
Searching the Internet
Web Reporting
Google Hacking
• “intext:”
• “filetype:”
Blogs
Deep Web
Public Records
Social Media
Searching eMail & IM
Right to Privacy?
• Warning banners
Real-time Journaling
Back-ups
• .pst
• .nsf
“Fly Over”
Items of potential importance
Key words
Searching eMail & IM
Can See It All
• Interesting differences between professional and personal personas
Everything is Fair Game
What’s Happening?
• Substantiated?
• More information needed?
• Take notes
Digital Forensics
Network
“Snapshot”
Physical
“Static”
ProDiscover
Can connect to any computer on the network
• By IP address
• By computer name
Installs remote agent executable
Runs in the background as a Service
Captures image of hard drive over the network
• Deleted files
• Everything
ProDiscover
User does not know they are being imaged
Connected external drives can be accessed
Timing
All or nothing
Unix dd image format
Slower processing time
• Network location
FTK Imager
Physical drive
dd Image
E01 Image Format
Segments
Faster Processing
• Physical device
Physical Write Blockers
http://www.forensicpc.com/products.asp?cat=38
Physical Write Blockers
Diagram: Suspect Hard Drive → Hardware Write Blocker → Forensics PC → Forensics Hard Drive. The blocker passes reads from the suspect drive only; all writes go to the forensics hard drive.
Hash Values
Original MD5 Hash Value:
6f8e3290e1d4c2043b26552a40e5e038
Imaged MD5 Hash Value:
6f8e3290e1d4c2043b26552a40e5e038
Verified
MD5 Hashes
• Image Level
• File Level
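The image-level and file-level hash checks on this slide, worked through as an added Python example (not code from the deck or from FTK Imager). The "drive" is a constructed three-sector byte string, and the file layout table is an assumption made for the example; MD5 is used because that is what the deck shows, with SHA-256 computed alongside it since MD5 collisions are practical and a second algorithm costs nothing at acquisition time.

```python
import hashlib
import io

SECTOR = 512


def make_sample_image():
    """Constructed stand-in for a small drive: three 512-byte sectors. Not a real disk image."""
    sectors = [b"MBR", b"FILE A: payroll.xls", b"FILE B: notes.txt"]
    return b"".join(s.ljust(SECTOR, b"\x00") for s in sectors)


def hash_stream(stream, algorithm="md5", chunk_size=1 << 16):
    """Hash a file-like object in chunks so a multi-terabyte image is never read into RAM whole."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(original, image):
    """Image-level check: the acquired image must hash identically to the source device."""
    return {
        "original_md5": hash_stream(io.BytesIO(original)),
        "imaged_md5": hash_stream(io.BytesIO(image)),
        "original_sha256": hash_stream(io.BytesIO(original), "sha256"),
        "imaged_sha256": hash_stream(io.BytesIO(image), "sha256"),
    }


def image_verified(original, image):
    """True only when both algorithms agree between source and image."""
    r = verify_image(original, image)
    return r["original_md5"] == r["imaged_md5"] and r["original_sha256"] == r["imaged_sha256"]


# Assumed (offset, length) layout of the files inside the constructed image.
LAYOUT = {"payroll.xls": (SECTOR, SECTOR), "notes.txt": (2 * SECTOR, SECTOR)}


def file_level_hashes(image, layout):
    """File-level check: hash each file at its (offset, length) in the image."""
    return {name: hashlib.md5(image[off:off + length]).hexdigest()
            for name, (off, length) in layout.items()}


def changed_files(original, image, layout):
    """Names of files whose file-level hash differs between source and image."""
    a, b = file_level_hashes(original, layout), file_level_hashes(image, layout)
    return sorted(name for name in layout if a[name] != b[name])


if __name__ == "__main__":
    src = make_sample_image()
    good = bytes(src)                          # faithful bit-for-bit copy
    bad = bytearray(src)
    bad[SECTOR + 40] ^= 0x01                   # one flipped bit inside payroll.xls
    print("good copy verified:", image_verified(src, good))
    print("bad copy verified:", image_verified(src, bytes(bad)),
          "changed:", changed_files(src, bytes(bad), LAYOUT))
```

The file-level pass is what tells you *which* file differs when the image-level hash fails; the image-level pass alone only tells you that something does. Record both values on the chain-of-custody form at acquisition and again before analysis.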
FTK Image Basics
Data Carving
File Types of Interest
KFF
Graphics
Deleted Files
Recycle Bin
Personal eMail
Videos
Key Word Searches
DTSearch
Indexed
• Faster searching
And – both required
Or – either required
Not
w/# - within number of words
? – any character
* - any number of characters
~ - stems (good for tenses)
% - fuzzy (good for misspellings)
& - synonyms
Regular Expressions
Not Indexed
• Slower Searching
Social Security numbers
Credit card numbers
Phone numbers
IP addresses
Literal vs. operational
• x vs. \x
• d vs. \d
\<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>
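The regular-expression searches described on this slide, as an added Python example (not code from the deck or from dtSearch). The card-number pattern is the deck's own, translated from dtSearch syntax: `\<` and `\>` become Python's `\b`, and `\d\d\d\d(\-| )` becomes `\d{4}[- ]`. The SSN, phone and IPv4 patterns, the Luhn filter and the sample text are additions constructed for the example; the Luhn check is one practical way to cut the false positives the deck lists among its challenges.

```python
import re

# dtSearch's \< and \> word anchors become \b in Python; \d\d\d\d(\-| ) becomes \d{4}[- ].
PATTERNS = {
    "card": re.compile(r"\b\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample text, not from any real case. 4111-1111-1111-1111 is a well-known test number.
SAMPLE = """Constructed sample text, not from any real case.
Card on file 4111-1111-1111-1111 (test number); draft says 1234 5678 9012 3456.
Employee SSN 123-45-6789, desk phone 555-123-4567, workstation 192.168.1.10.
Birthdate 20050415 is eight digits and must not be flagged as a card."""


def luhn_ok(digits):
    """Luhn checksum: a cheap way to drop 16-digit strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return {pattern_name: [matches]}; card candidates that fail Luhn are reported separately."""
    hits = {name: rx.findall(text) for name, rx in PATTERNS.items()}
    cards = hits.pop("card")
    hits["card"] = [c for c in cards if luhn_ok(re.sub(r"\D", "", c))]
    hits["card_false_positive"] = [c for c in cards if not luhn_ok(re.sub(r"\D", "", c))]
    return hits


def literal_vs_operational(text):
    """'d' matches the letter d; '\\d' matches any digit. re.escape turns an operational '.' into a literal one."""
    return {
        "letter_d": len(re.findall(r"d", text)),
        "digit": len(re.findall(r"\d", text)),
        "escaped_dot": re.escape("."),
    }


if __name__ == "__main__":
    for name, matches in find_identifiers(SAMPLE).items():
        print(f"{name:20s} {matches}")
    print(literal_vs_operational("d1 d2"))
```

Because these patterns are not indexed, every hit still has to be reviewed in context; the Luhn filter only removes strings that cannot be a card number, it does not prove the survivors are one.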
FTK Image Advanced
Password Protected Files
Encrypted Drives
Data Wiping
Missing File Headers
index.dat
Metadata
Prefetch
Link Files (LNK)
Other Registry Artifacts
Registry Viewer
NTUSER.dat
• Passwords
• MRU
• Recent docs
• Drives connected
• USB devices
• Counts
• Typed URLs
Passwords/Encryption
Password Recovery Toolkit (PRTK)
• Dictionary
• Decryption
• Brute force
• Export NTUSER.dat
Distributed Network Attack (DNA)
Full Disk Encryption
• Decryption key needed
Accountability
Filter on:
Username
Relative Identifier (RID)
• Security Identifier (SID)
• Security Accounts Manager (SAM)
Oxygen Forensic Suite
Tool Capabilities are Device Specific
Device Drivers Needed
Chargers/Connectors
Media Cards
Passwords/PIN#s
Remote Wiping
Oxygen Forensic Suite
eMail
Text Messages
Phonebook/Contact List
Calendar
Call History
Pictures/Videos
Social Network Messages
Internet Sites
Oxygen Forensic Suite
Logical Analysis
Physical Analysis
Logical/Physical Analysis
• SQLite, Plist, IPD file viewers
Backup File Creation
Mobile Device Storage
Write Blockers
Unstructured Data as Digital Evidence
Actions
Accountability
Dates and Times
Tie to Source Information
• eMail & IM to image
• Internet to image
• Mobile device to image
Structured Data
Schemas
Organized
• But rarely clean
Predictable
Silos
Complexity
Data Dictionary
Knowledge Base
Training Resources
Obtaining Structured Data
Is it:
Complete?
Verifiable?
Source data?
• Transactional?
• Aggregated?
• Report?
Does it have integrity?
• Has anyone else touched it?
Will it need to be cleansed or reformatted?
Obtaining Structured Data
Is it:
• Hierarchical?
• Relational?
• Fixed length?
• Variable length?
• Delimited?
• Mainframe?
• HL7?
• EDI?
Obtaining Structured Data
Learn Application and System Processes and Data Flows
Obtain Access to the Application
Obtain Direct Access to the Source Data
Learn the Query Language
Admit You’re in Over Your Head
Make Friends with IT
• Ask for help
• Without loss of confidentiality
Involve IT
• Legacy
• Require confidentiality
Obtaining Structured Data
Source Systems:
• DB2
• Oracle
• SQL Server
• Mainframe
Querying Tools:
• TOAD
• QMF
• Proprietary reporting tools
No direct access available
Obtaining Structured Data
Structured Query Language (SQL)
• Fairly standard across most platforms
Some variations
• PL/SQL
• T-SQL
Databases
• Schemas
Tables
Normalization
Fields/columns
Primary keys
Foreign keys
Obtaining Structured Data
Individual tables won't always give you meaningful information
Relating those tables by primary and foreign keys provides meaningful information
Obtaining Structured Data
Tweak and Utilize Existing SQL
Write Your Own
• Can be time consuming
Trial and Error
Reconcile Back to Application
Have Others Validate the Results
• Back to source documentation if available
Obtaining Structured Data
Some Enterprise Databases contain 30,000+ Tables
• Data dictionaries should exist
• Determine the individual tables containing needed data
• Determine the primary and foreign key(s) to create the join(s)
Write the SQL statement(s)
Obtaining Structured Data
Joins are the Drivers
• Inner Join
All records in Table B that have a match in Table A
• Outer Join (Left or Right)
All records in Table A, with or without a match in Table B, and only those records in Table B that have a match in Table A
• Cartesian Join
Something is wrong
Obtaining Structured Data
When Querying Enterprise Databases:
• Only what is necessary
• Not all columns/records
• No aggregating
• Apply date parameters
• Watch the processing time
Something may be wrong with the SQL
• Edit and repeat
• Tie to source information
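The three join types from the "Joins are the Drivers" slide and the scoping rules from the slide above, run as an added example against a constructed in-memory SQLite database (not the deck's own SQL, and not data from any real system). The `employee` and `expense` tables, their rows and the date range are assumptions made for the example; the SQL itself is the portable kind the deck says carries across platforms.

```python
import sqlite3


def build_db():
    """Constructed HR/expense sample: one employee with no expenses (Cara) and one
    orphan expense (emp_id 999) that has no matching employee."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT);
        CREATE TABLE expense  (exp_id INTEGER PRIMARY KEY,
                               emp_id INTEGER REFERENCES employee(emp_id),
                               amount REAL, exp_date TEXT);
        INSERT INTO employee VALUES (101,'Ann','Finance'),(102,'Bob','Sales'),(103,'Cara','IT');
        INSERT INTO expense  VALUES (1,101,120.00,'2012-03-01'),(2,101,80.00,'2012-03-15'),
                                    (3,102,45.50,'2012-04-02'),(4,999,300.00,'2012-03-20');
    """)
    return con


def inner_join(con):
    """Only rows that match on the key: the orphan expense (emp 999) drops out."""
    return con.execute("""
        SELECT e.name, x.exp_id, x.amount
        FROM employee e JOIN expense x ON x.emp_id = e.emp_id
        ORDER BY x.exp_id""").fetchall()


def left_join(con):
    """Every employee, matched or not: Cara appears with NULLs; the orphan expense is still excluded."""
    return con.execute("""
        SELECT e.name, x.exp_id, x.amount
        FROM employee e LEFT JOIN expense x ON x.emp_id = e.emp_id
        ORDER BY e.emp_id, x.exp_id""").fetchall()


def cartesian_rowcount(con):
    """No join condition: rows(A) * rows(B). A count like this in real output means the ON clause is missing."""
    return con.execute("SELECT COUNT(*) FROM employee, expense").fetchone()[0]


def march_2012_expenses(con, start="2012-03-01", end="2012-03-31"):
    """Scoped query: named columns only, bound date parameters, no aggregation, no SELECT *."""
    return con.execute("""
        SELECT e.name, x.exp_id, x.amount
        FROM employee e JOIN expense x ON x.emp_id = e.emp_id
        WHERE x.exp_date BETWEEN ? AND ?
        ORDER BY x.exp_id""", (start, end)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("inner:", inner_join(con))
    print("left :", left_join(con))
    print("cartesian rows:", cartesian_rowcount(con))
    print("March 2012:", march_2012_expenses(con))
```

Two of these results are the reconciliation points the deck asks for: the left join surfaces the employee with no activity, and the inner join silently drops the expense whose owner is not in the employee table. Compare the row counts of both against the application before treating either as evidence.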
Information to Evidence
Microsoft Access & Excel
ACL
• Reformatting
• Appending
• Computed fields
• Aggregating
• Querying
• Reporting
Structured Data as
Digital Evidence
Append the Output
• Like data from differing sources rarely matches
Cleansing
Re-formatting
Reconcile to Source Data
• Control totals
• Record counts
Create New Functionality
• Computed fields
• Get to the answer
Standardize the Output
Social Security Numbers
Birthdates
Addresses
Names
Phone Numbers
Zip Codes
Standardize the Output
ACL creates its own "view" of the source data file with the .fil extension
.fil is “read only”
Source Data Remains Untouched
Standardize the Output
STRING()
STRING(Invoice_Nbr)
VALUE()
VALUE(Invoice_Pmt)
DATE()
DATE(Birthdate)
Standardize the Output
Birthdate = '20050415'
SUBSTR(Birthdate, 5, 2) = '04'
SUBSTR(Birthdate, 7, 2) = '15'
SUBSTR(Birthdate, 1, 4) = '2005'
Standardize the Output
If you aren't going to add, subtract, multiply, divide, or otherwise calculate the field, format it as Text
If you are going to add, subtract, multiply, divide, or otherwise calculate the field, format it as Numeric or Date
Structured Data as Digital Evidence
Actions
Accountability
Dates and Times
Tie to Source Information
Control Weaknesses
• Segregation of duties
• Approval limits
• Lack of oversight
Presenting the Digital Evidence
Report Preparation
• Unstructured information
• Structured information
Support the Allegation(s)
Refute the Allegation(s)
Consult with Law
Consult with Management
Consult with Senior Executives
CAATs
Direct Access and the Right Tools
Reactive
• Ad-hoc
Proactive
• Automate
• Take what's been learned and apply to the entire population
• 100% Testing
• Exception based
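The proactive, exception-based testing this slide describes, written out as an added Python example (not code from the deck or from ACL). It runs three of the control tests the deck names elsewhere (segregation of duties, approval limits, duplicates) over 100% of a payment population and reports only the exceptions. The payment rows, the staff roles and the approval limits are all constructed for the example.

```python
from collections import Counter

# Constructed population; every name, limit and amount is invented for the example.
APPROVAL_LIMIT = {"supervisor": 5000, "manager": 25000, "director": 100000}
STAFF_ROLE = {"ann": "supervisor", "bob": "manager", "cara": "director", "dave": "supervisor"}
PAYMENTS = [  # (payment_id, vendor, invoice_no, amount, requester, approver)
    (1, "ACME", "INV-100", 4200.00, "dave", "ann"),
    (2, "ACME", "INV-101", 7300.00, "dave", "ann"),    # above ann's supervisor limit
    (3, "Globex", "INV-55", 950.00, "bob", "bob"),      # requester approved own payment
    (4, "ACME", "INV-100", 4200.00, "dave", "bob"),     # same vendor/invoice/amount as #1
    (5, "Initech", "INV-9", 60000.00, "ann", "cara"),
]


def check_segregation_of_duties(payments):
    """Requester and approver must differ; return ids where the same person did both."""
    return [p[0] for p in payments if p[4] == p[5]]


def check_approval_limits(payments, roles=STAFF_ROLE, limits=APPROVAL_LIMIT):
    """Return ids whose amount exceeds the approver's role limit."""
    return [p[0] for p in payments if p[3] > limits[roles[p[5]]]]


def check_duplicate_payments(payments):
    """Same vendor + invoice + amount paid more than once: every member of the group is an exception."""
    keys = Counter((p[1], p[2], p[3]) for p in payments)
    return [p[0] for p in payments if keys[(p[1], p[2], p[3])] > 1]


def run_all(payments):
    """100% of the population goes through every test; only failing rows come out."""
    return {
        "self_approval": check_segregation_of_duties(payments),
        "over_limit": check_approval_limits(payments),
        "duplicate": check_duplicate_payments(payments),
    }


if __name__ == "__main__":
    for test, ids in run_all(PAYMENTS).items():
        print(f"{test:14s} exceptions: {ids}")
```

Scheduled against a fresh extract, this is the Level 4/Level 5 pattern from the ACL capability model later in the deck: the same tests run unattended, and process owners see only the exception list. Each flagged row still needs to be tied back to the source document before it becomes evidence.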
ACL Scripting
Series of commands stored as a unit in an ACL project
Executed repeatedly and automatically
Any ACL command can be stored as a script
302 | Advanced ACL Concepts & Techniques, SCRIPTS (Canada: ACL Services Ltd, 2006), 2.
ACL Scripting
Standardizing Data:
OPEN HR_Active
DEFINE FIELD SSN_A COMPUTED
REPLACE(SSN, "-", "")
DEFINE FIELD SSN_B COMPUTED
ALLTRIM(SUBSTR(SSN_A, 1, 9))
DEFINE COLUMN DEFAULT VIEW SSN_B
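The "Standardize the Output" and "Structured Data as Digital Evidence" slides, together with the ACL SSN script above, carried through as one added Python example (not the deck's or ACL's own code). Two small extracts from different source systems are standardized the way the deck describes (REPLACE/ALLTRIM/SUBSTR on the SSN, SUBSTR positions on a YYYYMMDD birthdate, VALUE() on amounts, zip codes kept as text), appended, and then reconciled back to each source's record count and control total. Both extracts, their control figures and the field names are constructed for the example.

```python
import re
from datetime import date
from decimal import Decimal

# Constructed extracts from two source systems, plus the control figures each system reported.
HR_ROWS = [  # SSN with dashes and stray spaces, birthdate YYYYMMDD, zip as text
    {"ssn": "123-45-6789", "birthdate": "20050415", "zip": "02134", "amount": "1,250.00"},
    {"ssn": " 987-65-4321 ", "birthdate": "19781130", "zip": "90210", "amount": "980.50"},
]
HR_CONTROL = {"count": 2, "total": Decimal("2230.50")}
PAYROLL_ROWS = [  # SSN without dashes, birthdate MM/DD/YYYY, amount with a currency sign
    {"ssn": "555443333", "birthdate": "04/15/2005", "zip": "07001", "amount": "$2,000.00"},
]
PAYROLL_CONTROL = {"count": 1, "total": Decimal("2000.00")}


def std_ssn(raw):
    """REPLACE(SSN,'-','') + ALLTRIM + SUBSTR(...,1,9) in one step: keep the first nine digits."""
    return re.sub(r"\D", "", raw)[:9]


def std_date(raw):
    """Accept YYYYMMDD or MM/DD/YYYY and return a real date, since dates will be calculated on."""
    if re.fullmatch(r"\d{8}", raw):
        # SUBSTR(Birthdate,1,4), SUBSTR(Birthdate,5,2), SUBSTR(Birthdate,7,2)
        return date(int(raw[0:4]), int(raw[4:6]), int(raw[6:8]))
    m, d, y = raw.split("/")
    return date(int(y), int(m), int(d))


def std_amount(raw):
    """VALUE(): strip '$' and ',' and keep exact decimals so control totals reconcile to the cent."""
    return Decimal(re.sub(r"[^\d.\-]", "", raw))


def standardize(rows, source):
    """Apply one output format to every row and tag it with its source system."""
    return [{
        "source": source,
        "ssn": std_ssn(r["ssn"]),
        "birthdate": std_date(r["birthdate"]),
        "zip": r["zip"].strip(),            # text: not calculated on, and leading zeros must survive
        "amount": std_amount(r["amount"]),  # numeric: it will be summed
    } for r in rows]


def append_and_reconcile():
    """Append both standardized extracts, then tie record counts and control totals back to each source."""
    combined = standardize(HR_ROWS, "HR") + standardize(PAYROLL_ROWS, "PAYROLL")
    report = {}
    for source, ctl in (("HR", HR_CONTROL), ("PAYROLL", PAYROLL_CONTROL)):
        subset = [r for r in combined if r["source"] == source]
        report[source] = {
            "count_ok": len(subset) == ctl["count"],
            "total_ok": sum(r["amount"] for r in subset) == ctl["total"],
        }
    return combined, report


if __name__ == "__main__":
    rows, report = append_and_reconcile()
    for r in rows:
        print(r)
    print(report)
```

A `count_ok` or `total_ok` of False is the signal to stop and go back to the source: either the extract is incomplete or the standardization changed a value, and neither output can be presented as evidence until the difference is explained.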
ACL’s
Audit Analytic Capability Model
LEVEL 1 – BASIC
• Audit specific
• Classifications
• Summarizations
• Duplicates
• Ad hoc
The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to
continuous monitoring, WHITE PAPER (ACL Services Ltd, 2011), 3.
ACL’s
Audit Analytic Capability Model
LEVEL 2 – APPLIED
• Specific and repeatable tests
• Start with “low hanging fruit”
• Add additional and broader tests
• Focus on data access
• Efficient script design for repeatability
The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous
monitoring, WHITE PAPER (ACL Services Ltd, 2011), 5.
ACL’s
Audit Analytic Capability Model
LEVEL 3 – MANAGED
• Centralized, secure, controlled, efficient data analysis
• Many people involved
• Processes and technology in place
• Server environment
• Multiple locations
The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous
monitoring, WHITE PAPER (ACL Services Ltd, 2011), 7.
ACL’s
Audit Analytic Capability Model
LEVEL 4 – AUTOMATED
• Comprehensive suites of tests developed
• Tests scheduled regularly
• Concurrent, ongoing auditing of multiple areas
• More efficient and effective audit process
The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous
monitoring, WHITE PAPER (ACL Services Ltd, 2011), 10.
ACL’s
Audit Analytic Capability Model
LEVEL 5 – MONITORING
• Progress from continuous auditing to continuous monitoring
• Expanded to other business areas
• Process owners notified immediately of exceptions
The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous
monitoring, WHITE PAPER (ACL Services Ltd, 2011), 12.
Forensics Lab
Physical Security
Logical Security
• SSNs
• Credit card numbers
Software Licensing
• Updates, upgrades
Hardware and Other Peripherals
Storage
• Short term, long term
• Enough?
Forensics Lab
Forensic Workstation
• Processing workhorse
SSD
Memory
JBOD
Forensic Desktop
• Secondary processing
• Image reviewing
Forensics Laptops
Open Internet Laptop
• Don’t do this on the company network
Forensics Lab
Retention
Inventory
Back-ups and Recovery
• On-site, off-site
Chain of Custody
• Physical
• Image
Data Wiping and Verification
CIA
COBIT
Challenges
Time Consuming
Satellite Locations
Emerging Technologies
System Processing/Data Flows
• Lack of documentation
Cloud Computing
Hard Drive Capacities
Anti-Forensics
Challenges
External Storage Devices
Personal vs. Corporate
• BYOD
False Positives
Data Silos
Data Integrity
Passwords
Encryption
Summary
Mixture of Art and Science
• Intuition
• Common sense
• Knowledge and use of tools
• Persistence
• Testing Theories
• Research
• Learning
Conclusion
No One Solution
Expect the Unexpected
Remain Fair and Objective
Report Just the Facts
Questions?