4. 11. 2019
1
Investigation intro
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM:Directory | MVP:Security | CEH | CHFI | CISA | CISM | CISSP |
ondrej@sevecek.com | www.sevecek.com |
Cybercrime and forensics
Cybercrime
Internal attacks
• physical access
• better internal information
• authenticated network access (read all)
External attacks
• foreign agencies (APT)
• spam/malware producers
• zero-day attacks
Cybercrime challenges
Speed
Volatile nature of evidence
Evidence size and complexity
Anti-digital forensics (ADF)
• steganography, slack space, bad sectors, inter-partition space, …
Global origin and difference in laws
• jurisdiction, attribution
• due care
Limited legal understanding of victims
Circumstantial essence of digital evidence
Civil vs. criminal vs. administrative investigation
Criminal investigation (Czech: trestní)
• law enforcement agencies
• standard forensic processes
• court warrant for seizures
• formal reports required
• fine and/or jail
Civil/tort cases (Czech: občanskoprávní)
• supporting civil claims and inducing settlement
• searches voluntary
• monetary compensation and no jail
• poor chain of custody
• poor chain of evidence (continuity of the evidence chain, Czech: nepřerušitelnost důkazního řetězce)
Administrative investigation (Czech: správní)
• non-criminal
• internal to a government agency
• disciplinary action on employees
Rules of investigation
Record any changes to scene and evidence
Chain of custody
Store securely
Set and comply with your own standards for the procedures
Evidence should be strictly related to the incident
Use recognized tools
Digital evidence
any information of probative value that is either stored or transmitted in digital form
Is circumstantial
Is fragile
• and usually volatile
Locard's exchange principle
Volatile vs. non-volatile data
Volatile data examples
• system time, logged-on users, open files, running processes, TCP connections, clipboard contents, services and drivers, command history, ...
• encryption keys and passwords, recoverable from memory or from non-volatile storage
Non-volatile data examples
• files and databases, hidden files and slack space, swap files, hidden partitions, registry settings and data, event logs, ...
• browser history, cloud storage clients (OneDrive, Google Drive, ...), installed applications, installed malware, installed rootkits, ...
Warranted or warrantless seizure
warranted seizure
• exact detailed specification what and why
• must not collide with rights and privacy of other subjects
warrantless seizure
• arranged on good grounds with the company/employer/ISP/cloud provider
• faster equipment returns
• or only data extracted by the third-party
possible court testimony
Properties of digital evidence
Believable
• the judge is an ordinary, non-technical user (Czech slang: BFU)
Admissible
• related to the fact being proved
Authentic
• real and related to the incident
Complete
• prove attacker's actions or his innocence
Reliable
• no doubt about authenticity or veracity of the evidence
Some sources of evidence to note
printers and scanners, copiers
cookies
swap files
flash disks
smart cards
answering machines
digital cameras
modems
switches/routers/APs
pagers
GPS car tracking
Original evidence vs. copy
Best evidence rule
• the original is preferred; prevents any alteration of digital evidence
Court can accept copy if original evidence was
destroyed
• due to fire/flood
• due to normal course of business
• in possession of a third party
Original evidence vs. primary vs. secondary disk images
Hearsay
somebody says he/she heard something about something else
documentation
former testimony is not hearsay
Privacy issues
charges against unlawful search and seizure
Fourth Amendment
• vs. PATRIOT Act
• vs. Fifth Amendment
keep anonymity/privacy in internal investigations
• reasonable expectation of privacy
• reasonable expectation of work-related activities
company devices vs. BYOD
Forensic investigation process
Phases
Pre-investigation
• computer forensics lab
• tools and processes
Investigation
• acquisition
• preservation
• analysis
Post-investigation
• documentation
• adequate and acceptable to target audience
• report
Computer forensics lab
Physically secure
• badges, cameras, guards, access log, one entrance, ...
• fire suppression, humidity, ...
Software and hardware from trusted sources
• inventory with hashes
Workstations and/or laptops
LAN and internet connectivity?
• air-gap
Safe lockers and shelves
Work area
• avoid mixing evidence and results
• chain of custody
Removable media for evidence collection, storage and transport
Digital cameras and video recorders
Everything documented and trusted
Everything tracked at any time
Forensic workstations
Trusted installation sources
• hash inventory stored separately
Do not update images
Cleaning and sanitizing after every investigation
• US DoD 5220.22-M (3 passes, 0/1/rnd)
• German VSITR (7 passes, 0/1/0/1/0/1/rnd)
• SSD?, format?, SDELETE, TRIM/UNMAP
Virtualization
• one case at a time
Removable media and disk imaging tech, cameras, ...
• cleaning, documentation, tracking, ...
There is no exact court list of forensic labs/tools etc., only a trusted accreditation
• ISO 17025
• ASCLD/LAB (American Society of Crime Laboratory Directors)
Slow format
Windows Vista/2008+
• zeros the space
• uses TRIM/UNMAP if available
for MBR disks overwrites the volume boot sector only
• does not touch the MBR
• BOOTREC /fixmbr
zero files or free disk space with SDELETE
zero the whole disk with WinHex
protect confidentiality by encrypting the data from the start and deleting the encryption keys afterwards (crypto-erase)
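The overwrite schemes listed above, applied to a single file, as an added example (not SDELETE or any tool from the slides; the scheme table, the chunk size and the sample file are assumptions of this example). Each pass is forced to the device with fsync and the final pass is read back and compared against its hash, which is the check a practitioner wants before declaring the file sanitized. The caveat from the slides still applies: on an SSD, Storage Spaces or a VHDX the logical overwrite may be redirected to other physical cells, so there TRIM plus the device's own secure-erase or crypto-erase is the mechanism, not the number of passes.

```python
import hashlib
import os
import tempfile

# Overwrite patterns from the slides; None marks a random pass.
# (This table is an assumption of the example, not a tool's built-in definition.)
SCHEMES = {
    "dod-5220.22-m": [b"\x00", b"\xff", None],
    "vsitr": [b"\x00", b"\xff", b"\x00", b"\xff", b"\x00", b"\xff", None],
}


def overwrite_file(path: str, scheme: str = "dod-5220.22-m", chunk: int = 1 << 20) -> str:
    """Overwrite `path` in place, pass by pass, forcing each pass out of the page cache.

    Returns the SHA-256 of the bytes written in the final pass so the caller can
    read the file back and confirm that pass actually reached the file's blocks.
    """
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        for pattern in SCHEMES[scheme]:
            f.seek(0)
            digest = hashlib.sha256()
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                data = os.urandom(n) if pattern is None else pattern * n
                f.write(data)
                digest.update(data)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not let a pass sit only in the page cache
    return digest.hexdigest()


def verify_last_pass(path: str, expected_sha256: str, chunk: int = 1 << 20) -> bool:
    """Read the file back and compare with the hash of the final pass."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def demo(secret: bytes = b"CONFIDENTIAL: private key material\n" * 1000) -> dict:
    """Constructed sample file holding a marker string; reports what survived the wipe."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    last_pass = overwrite_file(path, "vsitr")
    with open(path, "rb") as f:
        content = f.read()
    verified = verify_last_pass(path, last_pass)
    os.remove(path)  # the name is released only now (and TRIM issued on TRIM-capable storage)
    return {
        "secret_gone": b"CONFIDENTIAL" not in content,
        "last_pass_verified": verified,
        "size": len(content),
    }
```

Free space is wiped the same way by filling the volume with one large file, overwriting it with this routine and deleting it; on magnetic media the read-back check is meaningful, on remapped storage it only proves the logical block, not the stale physical cells.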
Storage device (magnetic, SSD, …) from the sanitization perspective
[Figure: computer -> I/O bus (SATA, IDE, eSATA, M.2, mSATA, U.2, PCIe, USB, FC, SCSI, iSCSI) -> controller (logical block addressing, 512 B or 4096 B sectors; encrypted? key held in the controller) -> storage cells]
Magnetic media normal erase process
[Figure: the controller writes directly at the gate level; the old bit pattern in a sector (1 0 1 0 1 1 ...) is replaced in place by the new one (0 0 0 0 ...), so an overwrite pass reaches the physical location where the data was stored]
Memory cell (256 kB block) rewrite requires zeroing the block first
[Figure: logical blocks 1-24 are mapped through an allocation table onto physical cells; cells marked "I" are initially inaccessible free over-allocation (over-provisioning). A rewrite of block 3 does not happen in place: the new contents go to an erased cell and the table is repointed, while the previously used cell keeps the old data until it is erased]
Many repeated SSD write operations break memory cells
[Figure: per-cell program/erase counters (1 2 2 1 1 1 1 1 0 ...) grow unevenly; the controller wear-levels by moving logical blocks between physical cells through the allocation table and relocates a logical block onto a spare cell from the over-provisioned area, so the same logical block lands on different physical cells over time]
TRIM/UNMAP
modern storage
• some SSDs, VHDX, Storage Spaces, ...
OS-initiated deallocation of free blocks
• format
• NTFS file delete of a non-resident allocation
• primary motivation: write speed
for non-empty blocks, each write operation must first read and erase the 256 kB block and write it back
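A toy flash translation layer that reproduces the behaviour of the SSD diagrams and the TRIM slide above: a rewrite goes to an erased cell, the allocation table is repointed, the stale cell stays readable at chip level until garbage collection, TRIM erases right away, and wear is spread over the over-provisioned cells. This is an added example, not code from the slides; the 8-byte block (256 kB in the slides), four logical blocks with two spare cells, and the least-worn-cell policy are assumptions of the model.

```python
from typing import Dict, List, Optional

BLOCK = 8                    # bytes per erase block here; 256 kB in the slides
ERASED = b"\xff" * BLOCK     # erased NAND reads as all ones


class ToySSD:
    """Minimal FTL: logical blocks -> physical cells via an allocation table."""

    def __init__(self, logical_blocks: int = 4, over_provision: int = 2):
        n = logical_blocks + over_provision          # spare cells = over-provisioning
        self.cells: List[bytes] = [ERASED] * n
        self.state: List[str] = ["erased"] * n       # erased | live | stale
        self.wear: List[int] = [0] * n               # program/erase cycles per cell
        self.table: Dict[int, Optional[int]] = {lb: None for lb in range(logical_blocks)}

    def _erase(self, pc: int) -> None:
        self.cells[pc] = ERASED
        self.state[pc] = "erased"
        self.wear[pc] += 1                           # erase cycles are what wear a cell

    def garbage_collect(self) -> int:
        """Erase cells holding superseded data; returns how many were erased."""
        stale = [pc for pc, s in enumerate(self.state) if s == "stale"]
        for pc in stale:
            self._erase(pc)
        return len(stale)

    def _free_cell(self) -> int:
        """Least-worn erased cell; with none left, GC first (the slow read/erase/write path)."""
        free = [pc for pc, s in enumerate(self.state) if s == "erased"]
        if not free:
            self.garbage_collect()
            free = [pc for pc, s in enumerate(self.state) if s == "erased"]
        return min(free, key=lambda pc: self.wear[pc])

    def write(self, lb: int, data: bytes) -> None:
        """Host write: data lands in a fresh cell; the old cell is only marked stale."""
        if len(data) != BLOCK:
            raise ValueError("whole-block writes only")
        old = self.table[lb]
        pc = self._free_cell()
        self.cells[pc] = data
        self.state[pc] = "live"
        self.table[lb] = pc
        if old is not None:
            self.state[old] = "stale"                # old contents still on the chip

    def read(self, lb: int) -> bytes:
        pc = self.table[lb]
        return ERASED if pc is None else self.cells[pc]

    def trim(self, lb: int) -> None:
        """TRIM/UNMAP: the host declares the block free; the device unmaps and erases it."""
        pc = self.table[lb]
        self.table[lb] = None
        if pc is not None:
            self._erase(pc)

    def chip_off_dump(self) -> List[bytes]:
        """What a chip-off reader sees: every cell, mapped or not."""
        return list(self.cells)


def overwrite_demo() -> dict:
    """Host overwrites a secret with zeros; the secret survives on the chip until GC."""
    ssd = ToySSD()
    ssd.write(0, b"SECRET!!")
    ssd.write(0, b"\x00" * BLOCK)
    before = b"SECRET!!" in ssd.chip_off_dump()
    ssd.garbage_collect()
    after = b"SECRET!!" in ssd.chip_off_dump()
    return {"host_reads_zero": ssd.read(0) == b"\x00" * BLOCK,
            "secret_on_chip": before, "secret_on_chip_after_gc": after}


def trim_removes_remnant() -> bool:
    """Delete followed by TRIM erases the cell at once, leaving nothing for chip-off."""
    ssd = ToySSD()
    ssd.write(1, b"SECRET!!")
    ssd.trim(1)
    return b"SECRET!!" not in ssd.chip_off_dump()


def wear_profile(rewrites: int = 12) -> List[int]:
    """Rewrite one logical block repeatedly; the P/E count spreads over all six cells."""
    ssd = ToySSD()
    for i in range(rewrites):
        ssd.write(0, bytes([i]) * BLOCK)
    return ssd.wear
```

The forensic consequence is the one the slides draw: a logical overwrite or a quick format on an SSD is not evidence destruction until the controller erases the stale cells, and a TRIM issued on delete is, which is why the acquisition order (image before any write, TRIM-capable storage treated as volatile) matters.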
Virtualization by design (memory + I/O)
[Figure: hypervisor (base OS) hosting vm1, vm2, vm3, ... vmX; the VMs are isolated from each other, while the hypervisor has full access to every VM's memory and I/O]
Risk assessment and impact of forensic
investigation
Long business disruptions
Replacements of collected hardware
Return into production
• from the lab or police custody
• cleaning or physical destruction
Privacy issues with employees
Investigation
1. First response
2. Search and seizure
3. Evidence collection
4. Securing of the evidence
5. Data acquisition
6. Data analysis
7. Evidence assessment
8. Documentation and reporting
9. Testimony as expert witness
First response
First responder
Who
• law enforcement officer
• network administrator or support person
• CIRT officer
• ordinary user (BFU) on site
What
• protecting and preserving the evidence and keeping it intact
How
• should have complete knowledge of the whole investigation process
Tasks in detail
Stop and think
Identify crime scene
Protect crime scene
Preserve as much temporary and fragile evidence as
possible
Collect all information about the incident
Document the findings
Package and transport the electronic evidence
What not to do
No untrained data recovery
Do not forget about other hardware items
• copiers, desktop switches, chain locks, keyboard/mouse cords, flash drives, photo frames, cabling, ...
• non-electronic evidence such as tables, chairs, ...
Do not let others onto the scene
Do not forget about environmental or health hazards
Documenting the scene
Photographing and video shooting
• 360-degree
• from entire scene to details
• use numbered markers
• cabling and other non-visible areas
• trash bins, paper shelves, ...
Notes
• power state of electronic devices
• persons in the scene
Search and seizure
Notes
consent, acceptable-use policy, activity monitoring
jurisdiction
warrants
• electronic devices search warrant
• service provider search warrant
preliminary interviews
• purpose of the system and current work
• passwords, social network accounts, off-site storage, unique security schemes or destructive devices
• backups
witness signatures + clear understanding
health and safety issues
Isolating electronic systems
unplug internet cables or close connectivity?
unplug cables from the other ports of switches?
• quarantine VLAN?
unplug the device or stop WiFi?
shutdown the device?
Warrantless seizure
When destruction of evidence is imminent, a
warrantless seizure of that evidence is justified if
there is probable cause to believe that the item
seized constitutes evidence of criminal activity.
Agents may search a place or object without a
warrant or, for that matter, without probable cause, if
a person with authority has consented.
Collecting evidence
Could we collect volatile evidence?
Nothing
• at most mouse/CTRL to wake up the monitor
• then shutdown
Mouse, keyboard
• be careful about some complex actions
Introducing any tools on a removable device or from the network
• leave them there and collect them as evidence
Mobile phone click-through bench
Video shoot everything
Physical evidence collection
Power off devices
• standard shutdown procedure
• unplug/remove batteries if possible
Black-hole (Faraday) bags
• protection against remote wipe
Cables, peripherals
Papers
Trash bin items
Collecting evidence from social networks and service providers
Warrants
E-discovery by the service provider
• standard file formats
• trusted because of no motive and no conflict of interest
Social network data extraction from "friends" or other public profiles
• may require an expert witness to confirm the behavior
• documentation/witness from the social network provider
Communication logs, messages, photos, friend reactions
• trusted time synchronization?
Securing the evidence
Chain of custody
What, where, when, by whom, transfers
Marking and evidence bags
• pre-agreed and documented format
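One way to keep the what/where/when/by whom/transfer record tamper-evident, as an added example not taken from the slides: every entry carries the hash of the previous entry, and the first entry is bound to the hash of the evidence item itself (e.g. the primary image), so an altered, re-hashed or deleted entry is detected at verification. The field names, evidence ID, people and timestamps below are constructed sample data.

```python
import hashlib
import json
from typing import List, Optional


def _digest(record: dict) -> str:
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only log; entry i stores the hash of entry i-1, entry 0 that of the item."""

    def __init__(self, evidence_id: str, item_sha256: str):
        self.genesis = {"evidence": evidence_id, "item_sha256": item_sha256}
        self.entries: List[dict] = []

    def record(self, when: str, where: str, by: str, to: str,
               action: str, note: str = "") -> dict:
        prev = self.entries[-1]["hash"] if self.entries else _digest(self.genesis)
        entry = {"seq": len(self.entries), "when": when, "where": where, "by": by,
                 "to": to, "action": action, "note": note, "prev": prev}
        entry["hash"] = _digest(entry)          # hash computed before the key is added
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first entry that breaks it."""
        prev = _digest(self.genesis)
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e.get("hash"):
                return i
            prev = e["hash"]
        return None


def sample_log() -> CustodyLog:
    """Constructed sample: one seized disk, transported and imaged in the lab."""
    log = CustodyLog("CASE-0001/ITEM-03", "e3b0c442" + "0" * 56)   # item hash is made up
    log.record("2019-11-04T09:12", "office 3.14", "first responder J. N.",
               "evidence bag #17", "seized and bagged")
    log.record("2019-11-04T11:40", "car, back seat", "J. N.", "lab intake K. S.", "transported")
    log.record("2019-11-05T08:05", "forensic lab", "K. S.", "K. S.", "imaged",
               "write-blocker used, primary image hashed")
    return log


def tamper_demo() -> dict:
    """Show which manipulations verify() catches and where it points."""
    log = sample_log()
    intact = log.verify()
    log.entries[1]["by"] = "someone else"                       # alter a past entry
    altered = log.verify()
    body = {k: v for k, v in log.entries[1].items() if k != "hash"}
    log.entries[1]["hash"] = _digest(body)                      # attacker re-hashes it
    rehashed = log.verify()                                     # next entry's prev no longer matches
    del log.entries[0]                                          # drop an entry entirely
    return {"intact": intact, "altered": altered, "rehashed": rehashed, "deleted": log.verify()}
```

The chain only proves that the log was not changed after the fact; who may append, and that each transfer is signed by both parties, remains a matter of the pre-agreed procedure the slide calls for.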
Transporting and storing electronic evidence
Avoid computers upside-down
Avoid electromagnetic sources
Safe areas
• not leaving in vehicles
Heat/cold/humidity/vibrations
Back-seat instead of trunk
Evidence acquisition
Notes
No unauthorized users
Forensically clean devices used to obtain the evidence
Write-protection
Primary image -> analyze copies
Image creation
Any suitable solution trusted by the expert examiner
Write-protection
Bitwise copy
Hash creation and integrity verification
Disk image formats
DD
• raw disk data
• no header
• no sector-size info (512 B vs. 4 kB)
E01 (Expert Witness Format)
• header + case info
• compressed
• per-chunk CRCs and an image hash for integrity checking
VHD, VHDX
• Hyper-V virtualization - boot, attach
• Windows 7/2008 R2+ can mount it as a disk (R/O possible)
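The image-creation steps above (bitwise copy, hash creation, integrity verification) in one added example that is not a tool from the slides. It produces a dd-style raw image, which carries no header, so the sector size and the hashes go into a sidecar JSON file whose name and fields are this example's own convention; the 1 MiB sample "device" is constructed in a temporary directory. Write-blocking is assumed to sit in hardware in front of the source, not in this code.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512


def acquire_raw_image(source: str, image: str, sector_size: int = SECTOR,
                      chunk_sectors: int = 2048) -> dict:
    """Bitwise copy of `source` into `image` (raw dd format), hashing the stream inline.

    `source` may be a regular file or a raw device path opened read-only.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(sector_size * chunk_sectors), b""):
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    # A raw image has no header, so sector geometry and hashes go into a sidecar.
    meta = {
        "source": source, "bytes": total, "sector_size": sector_size,
        "sectors": total // sector_size, "partial_sector": total % sector_size,
        "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
    }
    with open(image + ".json", "w", encoding="utf-8") as f:
        json.dump(meta, f, indent=2)
    return meta


def verify_raw_image(image: str) -> bool:
    """Re-hash the image (or a working copy) and compare with the acquisition sidecar."""
    with open(image + ".json", encoding="utf-8") as f:
        meta = json.load(f)
    h = hashlib.sha256()
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return os.path.getsize(image) == meta["bytes"] and h.hexdigest() == meta["sha256"]


def demo() -> dict:
    """Constructed 1 MiB 'device': zeroed first sector with an MBR signature, then random data."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    with open(device, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa" + os.urandom(SECTOR * 2047))
    primary = os.path.join(workdir, "device.dd")
    meta = acquire_raw_image(device, primary)
    intact = verify_raw_image(primary)
    # flip one byte of the image: verification must now fail
    with open(primary, "r+b") as f:
        f.seek(1000)
        b = f.read(1)
        f.seek(1000)
        f.write(bytes([b[0] ^ 0xFF]))
    return {"meta": meta, "intact": intact, "tamper_detected": not verify_raw_image(primary)}
```

In practice the sidecar is hashed into the chain-of-custody record, the primary image is stored read-only, and every working copy is verified with verify_raw_image before analysis.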
Virtualization
Isolates the possibly insecure environment
Running the imaged OS live (from a copy)
WinFE
HKLM\System\CurrentControlSet\Services
• MountMgr: NoAutoMount = DWORD = 1
• PartMgr\Parameters: SanPolicy = DWORD = 3
(SanPolicy 3 keeps all disks offline at boot; NoAutoMount stops volumes from being assigned drive letters automatically)
USB flash devices cannot be brought online from diskmgmt.msc
• DISKPART
• LIST DISK
• SELECT DISK n
• ONLINE DISK
Windows storage device stack and WinFE
[Figure: bus drivers -> disk.sys (physical disk device) -> partmgr (partition device 1, partition device 2) -> fsrec -> NTFS.SYS / FASTFAT.SYS -> mountmgr (drive letters C:, D:) -> user mode. Block I/O addresses the physical disk device; file-system I/O goes through the file system driver. With the disk offline (WinFE default) only disk.sys is attached and the device is read-only: no partition devices, no file systems, no drive letters. Bringing the disk online lets partmgr, fsrec and mountmgr build the rest of the stack]
Hyper-V VM from disk images
original boot UEFI/BIOS
• VM generation 2 (UEFI) or VM generation 1 (BIOS) accordingly
• note the UEFI Secure Boot state on the real hardware
OS Vista/2008/7/2008 R2+
• boots always (basic SCSI/IDE controller drivers are always loaded)
• no NIC (original device and config kept in the registry)
• activation is lost (deactivated)
image -> .VHDX
• 512 B vs. 4096 B sector
XP/2003
• VM generation 1 + offline IDE controller enable in the registry
Recommended