Computer Forensics: What, How and Why?

Tiago Henriques

tiago.henriques@study.beds.ac.uk

www.twitter.com/balgan

Just4meeting

Synopsis

• Who am I?

• Introduction to computer forensics

• Computer Forensics: What and why?

• Forensic Investigation: The process

• Forensic Data

• Types of Forensic Investigation

• Hardware and Software Used on a forensic investigation

• Forensic Techniques

• Conclusion

Who am I?

Tiago Henriques – 22 - Portuguese

BSc Software Engineering

University of Brighton

MSc by Research in Information Security and Computer Forensics

University of Bedfordshire

PhD candidate in Information, Computer and Network Security

University of Bedfordshire

Currently running CST – University of Bedfordshire Security Group

Topics of interest: Cryptography, Pentesting, Information Security,

Computer Forensics, Vulnerability Research

Computer Forensics: What and why?

• Computer Forensics is the area of forensic science that deals with the scientific examination and analysis of data held on, or retrieved from, a computer or any other kind of storage media, in a way that lets that data be used as evidence in a court of law.

Computer Forensics

The Computer Forensic Objective

• The objective in computer forensics is quite straightforward.

• It is to recover, analyse and present computer-based material in such a way that it is usable as evidence in a court of law.

• The key phrase here is 'usable as evidence in a court of law'. None of the equipment or procedures used during the examination of the computer may compromise this single requirement.

The Computer Forensic Priority

• The science of computer forensics is concerned primarily with forensic procedures, rules of evidence and legal processes.

• It is only secondarily concerned with computers.

• Therefore, in contrast to most other areas of computing, where speed is the main concern, in computer forensics the absolute priority is accuracy.

• We talk of completing work as efficiently as possible - that is, as fast as possible without sacrificing accuracy.

Cyber forensics

• Cyber forensics can be defined as the process of extracting information and data from computer storage media and guaranteeing its accuracy and reliability.

• The challenge of course is actually finding this data, collecting it, preserving it, and presenting it in a manner acceptable in a court of law.

Cyber forensics

• A main point we need to understand is:

ELECTRONIC EVIDENCE IS FRAGILE AND CAN EASILY BE MODIFIED

Any modification, however small, can make it unusable in a court of law.

Cyber forensics - Permission

• Another very important point is permission. When we receive a request to perform a forensic investigation on a device, we must make sure that the person requesting it has the right to give us permission to examine that device.

• Example: a wife brings a laptop to the forensic examiner and says: “I believe my husband is cheating on me. Here is his laptop, please check it for information.”

• In a case like this we CANNOT carry out the investigation: the wife does not HOLD the RIGHT to give us permission because the device does not belong to her, and if the husband chose to he could take legal action against us.

Computer Forensics

• A forensic investigation consists of four main phases:

• Assessment – Assess the situation and decide how the acquisition will be done.

• Secure collection of computer data (acquisition) – Sometimes we visit the crime scene to make the acquisition.

• Examination of the acquired data – Generally conducted back at the laboratory using proper hardware and software.

• Presentation – A report showing the evidence found and how it affects the investigation, in a form suitable for a court of law.
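The acquisition phase above, and the earlier warning that electronic evidence is fragile, both come down to one practical control: hash the source, hash the image, record both, and re-hash the image before every later step. The script below is an added example written for this page, not code from the slides or from any of the tools they mention. It images a constructed sample file that stands in for a block device sitting behind a write blocker; the file names, the sample content and the one-byte tampering in `demo()` are all invented for the demonstration.

```python
"""Acquisition with integrity verification.

Added example, not from the original slides. It models the "secure collection"
step and the "electronic evidence is fragile" warning: image a source (here a
constructed sample file standing in for a block device behind a write
blocker), hash source and image, keep the hashes in the acquisition record,
and re-hash the image later to prove it has not changed. Paths and the sample
content are invented for the demonstration.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20          # 1 MiB reads, the same idea as dd bs=1M


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src: str, dst: str) -> dict:
    """Copy src to dst byte for byte and return the acquisition record.

    The source is opened read-only. On a real job the hardware write blocker
    enforces that; opening read-only only protects against our own mistakes.
    """
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())
    record = {
        "source": src,
        "image": dst,
        "size": os.path.getsize(dst),
        "source_sha256": sha256_of(src),
        "image_sha256": sha256_of(dst),
    }
    # A mismatch here means a bad read or a bad write: re-acquire, do not proceed.
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(record: dict) -> bool:
    """Re-hash the image and compare with the hash taken at acquisition."""
    return sha256_of(record["image"]) == record["image_sha256"]


def demo() -> dict:
    """Run the whole flow on a constructed 'suspect disk' in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_disk.bin")    # stands in for /dev/sdb
        img = os.path.join(tmp, "suspect_disk.dd")
        with open(src, "wb") as f:                      # constructed content
            f.write(b"FAKE-MBR" + bytes(502) + b"\x55\xaa" + bytes(range(256)) * 16)
        record = acquire(src, img)
        ok_before = verify_image(record)
        # Simulate the fragility problem: someone opens the image and touches one byte.
        with open(img, "r+b") as f:
            f.write(b"X")
        ok_after = verify_image(record)
        return {
            "size": record["size"],
            "verified_at_acquisition": record["verified"],
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the record is that it is written at the scene, before anyone examines the image; the hashes go into the chain-of-custody paperwork so that the examination and presentation phases can show the court that what was analysed is exactly what was collected. A single flipped byte, as `demo()` shows, is enough to make the later verification fail.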

Types of Forensic Investigations:

Can anyone guess which type of forensic investigation produces the highest number of cases? I'll give you a hint…

Types of Forensic Investigations:

• Multiple types of Forensic Investigations:

• Child pornography (highest number of cases)

• Fraud

• Data theft

• Hacking

• Other crimes

• Murder

• Blackmailing

• Theft planning

• Harassment

• Cheating

Computer Forensics

• When doing a forensic investigation there are multiple factors that we need to take into account, such as:

• Is the computer we are acquiring data from a server or a workstation?

• What operating system is it running?

• Did we correctly block all write operations to the storage device?

• Was any sort of malware installed on this machine?

• What file system is the system using?

• Are we dealing with a computer? A PS3? A Nintendo Wii? A watch with an embedded USB flash drive? A mobile phone? (We might have to analyse any device that has some sort of storage and/or a TCP/IP stack.)

• Are there any encrypted partitions?

• Is there any information hidden in other disk sectors?

• If we find pictures, have steganography techniques been applied to them, hiding further information?

• Is this a case where we have to rebut a Trojan defence (the claim that malware, not the user, was responsible for the activity)?

Computer Forensics - Devices

• As mentioned before we might need to analyze different types of media and computers

Tools

• Forensic Investigators use multiple tools these can be hardware or software based.

• Software:

• Encase

• FTK

• Autopsy

• dd

• Hex Editors

Tools

• Hardware:

• Write blockers

• USB blockers

• IDE blockers

• SATA blockers

• SD Card blockers

• FRED Workstations

• Evidence Bags

• Painter's bucket (mobile forensics)

Tools - Hardware

• Hardware: FRED Workstation

Tools - Hardware

Reference: The official CHFI Study guide for Computer Hacking Forensics Investigator, Syngress, 2007

Tools - Hardware

• Hardware: Write blockers

Tools - Software

EnCase – the best-known commercial forensic suite; runs on Microsoft Windows

Tools - Software

FTK (Forensic Toolkit) – another major commercial suite; also runs on Microsoft Windows

Tools - Software

The Sleuth Kit / Autopsy – free and open source; runs on Windows, OS X and Linux

Tools - Software

• BackTrack 4 – version 4 of this distro added a forensic boot mode and forensic tools

• Helix – commercial Linux distro focused on computer forensics

• DEFT – Linux distro used for computer forensics (DEFT is not from SANS; the SANS forensic distro is SIFT)

• Penguin Sleuth – not commonly used; Linux-based with a good range of forensic tools

• Farmer's Boot CD – again not commonly used

Tools

As one might notice, these forensic tools are quite expensive!

I found a secret way of getting access to all of these tools!

University Forensic Lab - Photos

Computer Forensics

• You need to have knowledge in many areas:

• Operating systems – Linux, Windows, OS X etc…

• Programming languages – Scripts can help you automate some tasks

• Number bases and characters – ASCII, Hexadecimal, Octal, Binary

• Networking – Network forensics requires strong knowledge of networking and packet analysis

• Hardware Knowledge – different media storage will have different interfaces which will use different write blockers

• HUGE ‘Out-of-the-box’ mind set!

Imagine you have a Word document (.doc) to analyse. How would you do it?

Computer Forensics – Hex Editors

• Hex editor! Why?

• Word documents can contain macros that delete or modify data as soon as the document is opened in Microsoft Word, and Word itself modifies parts of the file, such as the metadata recording when the file was last opened or modified. A hex editor shows the raw bytes without executing anything or writing anything back.

Digression:

• How do operating systems know which format a file is in?

• File extensions ?

• .txt

• .docx

• .jpg

• Magic Numbers ?

Magic numbers in files

• A magic number is a fixed byte sequence at a known position (usually the very start) of a file that identifies its format. It is a form of in-band signalling to the program that reads the data at run time. Unlike an extension, it travels with the file's content, so renaming a file does not change it; that is what makes it useful for spotting misnamed files.
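Extensions answer the digression's question for the operating system; magic numbers answer it for the examiner, who cannot trust the name a suspect gave a file (the "misnamed files" entry in the evidence list, or the Word document from the earlier slide). The script below is an added example written for this page, not code from the slides or from libmagic. Its signature table is a small hand-picked subset of well-known formats, the 512-byte header size is a choice made here, and every sample file at the bottom is constructed for the demonstration.

```python
"""Tell a file's real format from its magic number, not its extension.

Added example, not from the original slides. SIGNATURES is a small hand-picked
subset of well-known formats (the tables behind `file`/libmagic are far
larger); the sample files at the bottom are constructed for the demonstration.
"""
import os

# (signature, offset into the file, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, {"doc", "xls", "ppt", "msg"}),  # OLE2 (legacy Office)
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),        # ZIP container
    (b"Rar!\x1a\x07", 0, {"rar"}),
    (b"\x1f\x8b", 0, {"gz", "tgz"}),
    (b"MZ", 0, {"exe", "dll", "sys", "scr"}),
    (b"\x7fELF", 0, {"elf", "so", "bin"}),
    (b"SQLite format 3\x00", 0, {"db", "sqlite", "sqlite3"}),
    (b"ustar", 257, {"tar"}),   # not every signature sits at offset 0
]
HEADER_BYTES = 512   # enough to cover every offset in the table above


def identify(head: bytes):
    """Return the extension set for the first matching signature, else None."""
    for sig, off, exts in SIGNATURES:
        if head[off:off + len(sig)] == sig:
            return exts
    return None


def check_file(name: str, head: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    exts = identify(head[:HEADER_BYTES])
    if exts is None:
        verdict = "no known signature"      # text, raw data, or a format not listed
    elif ext in exts:
        verdict = "ok"
    else:
        verdict = "MISNAMED"
    return {"name": name, "extension": ext,
            "signature_says": sorted(exts) if exts else None, "verdict": verdict}


def scan(files: dict) -> dict:
    """Run check_file over a {name: header bytes} mapping."""
    return {name: check_file(name, head)["verdict"] for name, head in files.items()}


# Constructed samples standing in for files found during examination
SAMPLE_FILES = {
    "holiday.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32),  # JPEG hiding as text
    "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504),    # genuine legacy Word file
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "setup.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56),            # Windows executable renamed
    "notes.txt": b"Meeting at 10, bring the drive.\n",
    "backup.tar": bytes(257) + b"ustar\x0000" + bytes(100),
}

if __name__ == "__main__":
    for name, head in SAMPLE_FILES.items():
        print(check_file(name, head))
```

Two caveats a practitioner should keep in mind: a signature only identifies the container, so a .docx, a .jar and a plain .zip all start with `PK\x03\x04` and telling them apart means looking inside; and very short signatures such as `MZ` will occasionally match innocent data, which is why real tools go on to validate the rest of the header before they commit to a verdict.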

Types of Evidence

• Address Books

• Audio/Video files

• Backup files

• Calendars

• Compressed Files

• Configuration files

• Cookies

• Database files

• Documents

• Email files

• Encrypted files

• Hidden files

• History files

• Image/graphics files

• Internet bookmarks/favourites

• Log files

• Metadata

• Misnamed files

• Password-Protected files

• Printer spool files

• Steganography

• Swap files

• System files

• Temporary files

Types of Evidence

• Running processes.

• Executed console commands.

• Passwords in clear text.

• Unencrypted data.

• Instant messages (IMs).

• Internet Protocol (IP) addresses.

• Trojan Horse(s).

• Who is logged into the system.

• Open ports and listening applications.

• Registry information.

• System information.

• Attached devices

Types of Evidence + Size

• Storage these days is cheap.

• We have to look for multiples types of data

• Huge Storage + Multiple types of data = Sad Forensic Examiner

NTFS ADS

• NTFS Alternate Data Streams

• Data streams

• Ways data can be attached to an existing file without changing the file's visible size or content

• Can obscure valuable evidentiary data, intentionally or by coincidence

• In NTFS, a data stream becomes an additional attribute in the file's MFT entry

• Allows the file to be associated with different applications

• A normal directory listing does not show attached streams: you need a tool that enumerates streams (for example `dir /r` on Windows Vista and later, or a forensic tool) or you must examine the file's MFT entry directly

NTFS Alternate Data Streams

NTFS file system (visible): Textfile.txt

ADS (invisible), attached to that same file:

• Textfile.txt:tracking.dat

• Textfile.txt:malware.exe

• Textfile.txt:porn.mpg

Hiding Data in Files

• The JPEG format does not record the total size of the file

• A decoder looks for the start-of-image and end-of-image markers and reads what lies between them, ignoring any additional data after the end marker

• Additional files can be appended to a JPEG with the Windows copy command in binary mode from the command line:

• copy /b secret.jpg + meeting.txt.rar lizard.jpg

• lizard.jpg still opens as a picture; the extra data can be read by opening lizard.jpg with WinRAR, which scans the file for the archive signature
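Detecting the trick above is the mirror image of performing it: walk the JPEG to its real end-of-image marker and look at whatever follows. The script below is an added example written for this page, not code from the slides. It deliberately walks the marker segments the way a decoder does rather than searching for the first `FF D9`, because an EXIF thumbnail is itself a complete JPEG with its own end marker and a naive search stops there. The sample image, its fake thumbnail and the appended fake RAR header are all constructed inline; the archive-signature table is a small subset chosen for the demonstration.

```python
"""Find data appended after a JPEG's End Of Image marker.

Added example, not from the original slides. Walks the JPEG marker segments
(the same structure a decoder follows) instead of searching for the first
FF D9, because an embedded EXIF thumbnail is itself a complete JPEG with its
own EOI and would make a naive search stop too early. SAMPLE is constructed
here, with a fake RAR appended the way "copy /b" would do it.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

# Signatures of archives commonly glued onto images (subset, not exhaustive)
ARCHIVE_SIGS = {
    b"Rar!\x1a\x07": "RAR archive",
    b"PK\x03\x04": "ZIP archive (also docx/xlsx/jar)",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
}


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the *outer* JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in (0x01, SOI) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers, no length
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length                       # skip marker + segment body
        if marker == SOS:
            # Entropy-coded data follows: any FF is either stuffed (FF 00),
            # a restart marker (FF D0..D7) or the next real marker.
            while True:
                i = data.find(b"\xff", pos)
                if i < 0 or i + 1 >= len(data):
                    raise ValueError("EOI marker not found")
                nxt = data[i + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = i + 2
                elif nxt == 0xFF:
                    pos = i + 1
                else:
                    pos = i
                    break
    raise ValueError("EOI marker not found")


def naive_end_offset(data: bytes) -> int:
    """The tempting shortcut: first FF D9 in the file. Wrong with thumbnails."""
    i = data.find(b"\xff\xd9")
    return -1 if i < 0 else i + 2


def trailing_data(data: bytes) -> dict:
    """Report what, if anything, sits after the image."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    kind = "none" if not tail else "unknown"
    for sig, name in ARCHIVE_SIGS.items():
        if tail.startswith(sig):
            kind = name
    return {"image_end": end, "trailing_bytes": len(tail), "kind": kind, "tail": tail}


def build_sample(appended: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, APP1 holding a nested thumbnail JPEG,
    APP0/JFIF, a one-component SOS with a stuffed FF 00 and an RST0, then EOI."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"          # nested SOI/EOI
    app1 = b"\xff\xe1" + (2 + len(app1_body)).to_bytes(2, "big") + app1_body
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (2 + len(app0_body)).to_bytes(2, "big") + app0_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (2 + len(sos_body)).to_bytes(2, "big") + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app1 + app0 + sos + scan + b"\xff\xd9" + appended


SAMPLE = build_sample(b"Rar!\x1a\x07\x00" + b"meeting.txt contents")

if __name__ == "__main__":
    print(trailing_data(SAMPLE))
    print("naive search stops at", naive_end_offset(SAMPLE))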

WHY? OH WHY?

• After all the pain of:

• Learning all the different skills and tools needed for computer forensics

• Dealing with all the hiding and encryption methods

• Dealing with all the laws and government issues

• The high prices of the tools we need to do our job.

• And at the end of the day you might still have to analyse horrific material, such as the images in child abuse and murder cases.

WHY WOULD SOMEONE WANT TO GO INTO COMPUTER FORENSICS?

OH! This is why!

A – You feel pretty good about yourself when you help get a murderer, a paedophile or any other type of criminal prosecuted!

B – The reason we all go to work every day: £ $ € !

That's £4,166 per month, which is equivalent to €4,991!

Conclusion

• Computer Forensics is a relatively new area of computing and of the forensic sciences, one that is still expanding, with new research and novel methods appearing daily.

• Computer Forensics is one of the highest-paid areas of IT.

• Many countries have yet to set up digital forensic laboratories or to accept this kind of evidence in their courts of law.

• A university degree in this area is a good way to get into the industry.

References

• Nelson et al., Guide to Computer Forensics and Investigations (3rd Edition), Thomson, ISBN-10: 1-4180-6733-4

• Steve Anson and Steve Bunting, Mastering Windows Network Forensics and Investigations, Sybex, ISBN 978-0-470-09762-5

• Catherine Bond et al., The Expert Witness: A Practical Guide (Third Edition), Shaw & Sons, ISBN 072191442X

Kudos

• Mr Geraint Williams who allowed me to use some of his slides and spared me some time

• Mr Bruno Morisson for pissing me off and making me prepare a nightmare set of exercises for you guys to practice now ( :D)

• Mr Ralf Braga for inviting me!

Oh, and Mr Christian Bockermann for buying me so many drinks last night, so that now I feel tired and hungover while giving this presentation.

QUESTIONS?
