
Digital Forensics

NIST Information Technology Laboratory

William C. Barker

October 23, 2012

Forensic science is generally defined as the application of science to the law.


Examples of digital forensic evidence:

• Standard computer systems
• Networking equipment
• Computing peripherals
• Mobile devices
• Consumer electronic devices
• Various types of media

Some examples of data types:

• Electronic mail messages
• Video/photo/audio attachments
• Unstructured data
• Protocol information such as IP addresses
• GPS data
• Cell phone data
• Metadata
• Internet history
• Deleted data residues in various types of IT devices


Some Uses of Digital Forensics Techniques

• Investigating crimes and internal policy violations
• Pre-trial e-discovery in civil litigation
• Reconstructing computer security incidents
• Troubleshooting operational problems
• Recovering from accidental system damage


Performing Digital Forensics

Phases specified in NIST's Guide to Integrating Forensic Techniques into Incident Response (SP 800-86):

• Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

• Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.

• Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

• Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.


Policies and Procedures for Digital Forensics

• Organizations should ensure that their policies contain clear statements addressing all major forensic considerations, such as contacting law enforcement, performing monitoring, and conducting regular reviews of forensic policies and procedures.

• Organizations should create and maintain procedures and guidelines for performing forensic tasks, based on the organization's policies and all applicable laws and regulations.

• Organizations should ensure that their policies and procedures support the reasonable and appropriate use of forensic tools. Policies and procedures should clearly explain what forensic actions should and should not be performed under various circumstances, as well as describing the necessary safeguards for sensitive information that might be recorded by forensic tools, such as passwords, personal data, and the contents of e-mails.

• Legal advisors should carefully review all forensic policy and high-level procedures.

• Organizations should ensure that their IT professionals are prepared to participate in forensic activities. IT professionals throughout an organization, especially incident handlers and other first responders to incidents, should understand their roles and responsibilities for forensics and receive training and education on forensics-related policies and procedures.


Maintaining Source and Content Integrity of Forensics Information

Electronic authentication, access control mechanisms, and audit trails are needed for:

• Control of forensic data
• Recording the generation of forensic data
• Access to forensic data
• Change management for forensic data

Cryptographic technologies such as timestamped digital signatures or signed hashes can be employed to identify the source of forensic data, establish the time(s) at which each access to the data occurred and by whom, and determine whether or not modifications to the information have occurred (and, if so, at which point in the chain).

Chain of Evidence
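The Collection phase of SP 800-86 (acquire while preserving integrity) and the chain-of-evidence controls on this slide rest on one mechanism: hash the evidence, record who handled it and when, and make the record itself tamper-evident. The Python below is an added illustration and is not code from this presentation or from any NIST tool. It uses HMAC-SHA256 under a per-custodian key in place of the timestamped digital signatures the slide names (an assumption made so that it runs on the standard library alone), links every record to the MAC of the previous one, and shows how verification pins down the point in the chain at which a change first appears. Custodian names, keys, evidence bytes and timestamps are all constructed.

```python
"""Hash-chained, MAC-authenticated chain-of-custody log.

Added example with constructed data; HMAC stands in for digital signatures."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_mac value carried by the first record


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(rec):
    """Deterministic serialisation of a record without its own MAC field."""
    body = {k: v for k, v in rec.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_of(key, rec):
    # HMAC-SHA256 under the custodian's key (assumption: a deployment signs instead).
    return hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()


class CustodyLog:
    """Append-only log. Each record carries the SHA-256 of the evidence as
    observed and the MAC of the previous record, so removal, insertion and
    edits are detectable and the point of change can be localised."""

    def __init__(self):
        self.records = []

    def append(self, custodian, key, evidence_id, evidence, action, when):
        rec = {
            "seq": len(self.records),
            "time": when.isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence_id": evidence_id,
            "sha256": sha256_hex(evidence),
            "prev_mac": self.records[-1]["mac"] if self.records else GENESIS,
        }
        rec["mac"] = mac_of(key, rec)
        self.records.append(rec)
        return rec


def verify(records, keys, evidence_now):
    """Return (ok, seq, reason); seq is the record at which a problem shows."""
    prev = GENESIS
    last_seen = {}  # evidence_id -> (seq, sha256) of its most recent record
    for rec in records:
        key = keys.get(rec["custodian"])
        if key is None:
            return False, rec["seq"], "unknown custodian"
        if rec["prev_mac"] != prev:
            return False, rec["seq"], "chain broken: a record was removed or inserted"
        if not hmac.compare_digest(rec["mac"], mac_of(key, rec)):
            return False, rec["seq"], "record altered after signing"
        eid = rec["evidence_id"]
        if eid in last_seen and last_seen[eid][1] != rec["sha256"]:
            return False, rec["seq"], "%s changed between records %d and %d" % (
                eid, last_seen[eid][0], rec["seq"])
        last_seen[eid] = (rec["seq"], rec["sha256"])
        prev = rec["mac"]
    # Content integrity: what is on the shelf must match the last logged hash.
    for eid, data in evidence_now.items():
        if eid in last_seen and sha256_hex(data) != last_seen[eid][1]:
            return False, last_seen[eid][0], "%s modified after its last logged access" % eid
    return True, None, "ok"


def demo():
    """Constructed scenario: two clean accesses, then four kinds of tampering."""
    keys = {"collector": b"constructed-collector-key", "examiner": b"constructed-examiner-key"}
    image = b"constructed disk image contents"
    t = datetime(2012, 10, 23, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog()
    log.append("collector", keys["collector"], "IMG-1", image, "acquired behind write blocker", t)
    log.append("examiner", keys["examiner"], "IMG-1", image, "examined", t.replace(hour=10))
    results = {"clean": verify(log.records, keys, {"IMG-1": image})}
    # Evidence altered after the last logged access: stored hash no longer matches.
    results["modified_after"] = verify(log.records, keys, {"IMG-1": image + b"\x00"})
    # A record edited after signing: its MAC no longer verifies.
    forged = copy.deepcopy(log.records)
    forged[0]["action"] = "acquired without write blocker"
    results["forged_record"] = verify(forged, keys, {"IMG-1": image})
    # A later access logs a different hash: the change is pinned between records 1 and 2.
    log.append("examiner", keys["examiner"], "IMG-1", image + b"\x00", "re-examined", t.replace(hour=11))
    results["changed_in_chain"] = verify(log.records, keys, {"IMG-1": image + b"\x00"})
    # Dropping the middle record breaks the prev_mac link of the one after it.
    results["record_removed"] = verify([log.records[0], log.records[2]], keys, {"IMG-1": image + b"\x00"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In a deployment, a signature scheme and a trusted timestamp source replace the shared-key HMAC so that a court or an opposing party can verify records without holding the custodians' keys; the chaining of records and the per-access hash comparison are unchanged.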


Overview of Existing NIST Computer Forensics Work

Overall NIST ITL Forensics Program Lead: Martin Herman, [email protected]

http://www.nist.gov/itl/ssd/computerforensics.cfm

Current projects:
– Computer Forensics Tool Testing (including mobile device tool testing)
– National Software Reference Library
– Computer Forensic Reference Data Sets

Initiating projects on:
– Performing forensics as part of incident response
– Cloud forensics (e.g., when a cloud computing environment is used by criminals for illegal activities such as child pornography, or when a cloud computing environment is itself attacked). Privacy is a major issue here because clouds are typically multi-tenant.


Computer Forensics Tool Testing (CFTT)

• Goal: Establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.

• The Computer Forensics Tool Testing Project Handbook is now available in PDF format for downloading (http://www.cftt.nist.gov/CFTT-Booklet-Revised-02012012.pdf).

• A description of NIST mobile device forensics tool testing activity is now available at http://www.cftt.nist.gov/documents/MobileDeviceForensics-MFW08.pdf. Rick Ayers ([email protected]) is a good resource for additional information on this topic.


Sample Case: Problems Facing Deleted File Recovery Tools (http://www.cftt.nist.gov/DFR-req-1.1-pd-01.pdf)

• The files that have been deleted have to be identified and located. Although this could be as simple as scanning directory entries for a particular key (e.g., 0xE5 as the first byte of a directory entry in FAT32), it may be a more complex process.

• From a file system perspective, the data to be recovered is latent and needs the assistance of a tool to recover it. As with most other latent data recovery, since the results depend on the output of a particular tool, the tool must be shown to operate correctly (i.e., to undelete files correctly).

• The potential uncertainty present in any recovery effort leads to a reduced level of confidence in the information recovered. Specifically with deleted file recovery, the data recovered may be commingled with data from other deleted files, allocated files, or even non-allocated space.
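To make the first bullet concrete, the following Python is an added example, not a CFTT tool or test, of the simple case: walk a FAT32 directory region, pick out entries whose first byte is 0xE5, decode the surviving 8.3 name and first cluster, and then apply the check a recovery tool needs before it can claim a clean undelete. Deletion clears the file's FAT chain, so the tool can only assume the file was contiguous; if any cluster it would read back is now allocated to another file, the result would be commingled data, which is exactly the uncertainty the third bullet describes. The directory entries and the FAT are constructed in `constructed_directory()`, and the example assumes the high word of the first cluster survived deletion, which not every implementation guarantees.

```python
"""Scan a FAT32 directory region for deleted entries and judge recoverability.

Added example on constructed data; not a CFTT tool."""
import struct
from dataclasses import dataclass, field

DELETED_MARKER = 0xE5     # first name byte of a free (deleted) directory entry
END_OF_DIR = 0x00         # first name byte of the entry that terminates a directory
ATTR_VOLUME_ID = 0x08
ATTR_LFN = 0x0F           # long-file-name fragment: owns no data clusters
FAT_FREE = 0x00000000
FAT_EOC = 0x0FFFFFFF      # end-of-chain marker


@dataclass
class DeletedEntry:
    offset: int
    name: str                                     # 0xE5 overwrote the first character; shown as '?'
    first_cluster: int
    size: int
    clusters: list = field(default_factory=list)  # clusters a contiguous file would occupy
    recoverable: bool = False                     # True only if all of them are still free


def parse_entry(raw, offset):
    base = raw[1:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    hi = struct.unpack_from("<H", raw, 20)[0]     # assumed intact after deletion
    lo = struct.unpack_from("<H", raw, 26)[0]
    size = struct.unpack_from("<I", raw, 28)[0]
    return DeletedEntry(offset, "?" + base + ("." + ext if ext else ""), (hi << 16) | lo, size)


def scan_deleted_entries(dir_region, fat, cluster_size, stop_at_end_marker=True):
    found = []
    for off in range(0, len(dir_region) - 31, 32):
        raw = dir_region[off:off + 32]
        if raw[0] == END_OF_DIR and stop_at_end_marker:
            break                                 # naive scan: trust the terminator
        if raw[0] != DELETED_MARKER:
            continue
        attr = raw[11]
        if (attr & ATTR_LFN) == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue                              # no file data behind these entries
        entry = parse_entry(raw, off)
        n = (entry.size + cluster_size - 1) // cluster_size
        entry.clusters = list(range(entry.first_cluster, entry.first_cluster + n))
        # Deletion zeroes the chain, so contiguity is an assumption. A cluster
        # that is now allocated holds another file's bytes: reading it back
        # would commingle data, so the recovery cannot be trusted.
        entry.recoverable = all(c < len(fat) and fat[c] == FAT_FREE for c in entry.clusters)
        found.append(entry)
    return found


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build one 32-byte short-name directory entry (constructed test data)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)


def constructed_directory():
    cluster_size = 2048
    region = b"".join([
        make_entry("EVIDENCE", "", ATTR_VOLUME_ID, 0, 0),
        make_entry("REPORT", "TXT", 0x20, 3, 1000),
        make_entry("NOTES", "TXT", 0x20, 5, 2500, deleted=True),    # clusters 5-6 still free
        make_entry("Xlfnfrag", "", ATTR_LFN, 0, 0, deleted=True),   # orphaned LFN piece
        make_entry("DATA", "BIN", 0x20, 8, 6000, deleted=True),     # cluster 9 reused
        bytes(32),                                                  # end-of-directory marker
        make_entry("GHOST", "TXT", 0x20, 12, 100, deleted=True),    # beyond the marker
    ])
    fat = [FAT_FREE] * 16
    fat[0], fat[1] = 0x0FFFFFF8, FAT_EOC      # reserved entries
    fat[3] = FAT_EOC                          # REPORT.TXT, one cluster
    fat[9] = FAT_EOC                          # reallocated to some other file
    return region, fat, cluster_size


def demo():
    region, fat, cluster_size = constructed_directory()
    return scan_deleted_entries(region, fat, cluster_size)


if __name__ == "__main__":
    for e in demo():
        print(e)
```

`demo()` returns the two deleted data-carrying entries: the notes file is recoverable, the data file is flagged because one of its assumed clusters now belongs to an allocated file. The long-file-name fragment is skipped, and the entry past the 0x00 terminator is found only when the scan is told to ignore the marker, one small instance of why locating deleted files "may be a more complex process".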


National Software Reference Library (NSRL)

Goal: Promote efficient and effective use of computer technology in the investigation of crimes involving computers.

• The Reference Data Set (RDS) is a collection of digital signatures of known, traceable software applications.

• The NSRL is designed to collect software from various sources and incorporate file profiles computed from this software into Reference Data Sets of information.

• The NSRL RDS is released four times each year, in March, June, September and December. The current release, June 2012 RDS 2.37, contains 26,911,012 unique entries.
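The practical use of the RDS is known-file elimination: hash every file on an image and set aside those whose hash appears in the reference set, so that examination time goes only to the remainder. The Python below is an added example and not NSRL software. It writes a small hash set in the eight-column layout of the legacy NSRLFile.txt text release (the column layout and the product and operating-system codes are assumptions here, and the bytes standing in for vendor-published software are constructed), loads it, and classifies a constructed directory tree against it.

```python
"""Known-file elimination against an NSRL-style hash set.

Added example; constructed data; column layout assumed from the legacy text release."""
import csv
import hashlib
import io
import os
import tempfile

# Assumed header of the legacy NSRLFile.txt release.
RDS_COLUMNS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
               "ProductCode", "OpSystemCode", "SpecialCode"]


def digests(data):
    return hashlib.sha1(data).hexdigest().upper(), hashlib.md5(data).hexdigest().upper()


def constructed_rds_text(known):
    """Emit rows in the assumed layout from (name, bytes, product_code) tuples
    that stand in for vendor software; CRC32 and OS code are placeholders."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(RDS_COLUMNS)
    for name, data, product in known:
        sha1, md5 = digests(data)
        w.writerow([sha1, md5, "00000000", name, len(data), product, "358", ""])
    return buf.getvalue()


def load_hash_set(rds_text):
    """Collect SHA-1 values. The same hash appears once per product that ships
    the file, so a set is the right container for elimination."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(rds_text))}


def classify_tree(root, known_sha1):
    """Split every file under root into (known, unknown) by SHA-1 alone."""
    known, unknown = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                sha1, _ = digests(f.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            (known if sha1 in known_sha1 else unknown).append(rel)
    return sorted(known), sorted(unknown)


def demo():
    """Constructed hash set and tree; returns ((known, unknown), distinct hashes)."""
    known_software = [
        ("kernel32.dll", b"constructed OS library bytes", "1001"),
        ("notepad.exe", b"constructed editor bytes", "1001"),
        ("kernel32.dll", b"constructed OS library bytes", "1002"),  # same file, second product
    ]
    hash_set = load_hash_set(constructed_rds_text(known_software))
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows"))
        for rel, data in [
            ("Windows/kernel32.dll", b"constructed OS library bytes"),
            ("Windows/notepad.exe", b"constructed editor bytes"),
            ("Windows/notepad.exe.bak", b"constructed editor bytes"),  # renamed copy still matches
            ("Windows/svch0st.exe", b"constructed unknown binary"),    # not in the set: examine it
            ("notes.txt", b"constructed user document"),
        ]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return classify_tree(root, hash_set), len(hash_set)


if __name__ == "__main__":
    (known, unknown), n = demo()
    print("hash set size:", n)
    print("known   :", known)
    print("unknown :", unknown)
```

Matching is by hash alone, so a renamed copy of a known file is still eliminated while a file that merely carries a familiar name is not. A hit means only that the file is known and traceable to published software, not that it is benign; that judgement remains the examiner's.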


Computer Forensic Reference Data Sets (CFReDS)

• Computer Forensic Reference Data Sets provide to an investigator documented sets of simulated digital evidence for examination.

• Applications for Computer Forensic Reference Data Sets:
  - Data sets for tool testing need to be completely documented. The user of the data set needs to know exactly what is in the data set and where it is located. These data sets should also provide specification for a set of explicit tests. Examples of focused function areas are string searching, deleted file recovery and email extraction.
  - Data sets for equipment check-out need to focus on issues in acquisition, access and restoration of data. These data sets might need to have a strong procedural component.
  - Data sets for staff training are primarily investigation scenario based tests intended to give a real flavor to the data set (similar to the data sets for proficiency testing).
  - Proficiency testing and skill testing data sets are primarily investigation scenario based tests designed to give a real flavor to the data set (for example, a data set that would require the examiner to demonstrate some system skill such as loading a new font onto an analysis computer).


Some Other NIST Computer Forensics Publications

• Guide to SIMfill Use and Development, NIST IR-7658, February 2010. Wayne Jansen, Aurelien Delaitre.
• Mobile Forensic Reference Materials: A Methodology and Reification, NIST IR-7617, October 2009. Wayne Jansen, Aurélien Delaitre.
• Forensic Protocol Filtering of Phone Managers, International Conference on Security and Management (SAM'08), July 2008. Wayne Jansen, Aurelien Delaitre.
• Overcoming Impediments to Cell Phone Forensics, Hawaii International Conference on System Sciences (HICSS), January 2008. Wayne Jansen, Aurelien Delaitre, Ludovic Moenner.
• Reference Material for Assessing Forensic SIM Tools, International Carnahan Conference on Security Technology, October 2007. Wayne Jansen, Aurelien Delaitre.
• Guidelines on Cell Phone Forensics, SP 800-101, May 2007. Wayne Jansen, Rick Ayers.
• Cell Phone Forensic Tools: An Overview and Analysis Update, NISTIR 7387, March 2007. Rick Ayers, Wayne Jansen, Ludovic Moenner, Aurelien Delaitre.
• Guide to Integrating Forensic Techniques into Incident Response, SP 800-86, August 2006. Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang.
• Forensic Software Tools for Cell Phone Subscriber Identity Modules, Conference on Digital Forensics, Association of Digital Forensics, Security, and Law (ADFSL), April 2006. Wayne Jansen, Rick Ayers.
• Cell Phone Forensic Tools: An Overview and Analysis, NISTIR 7250, October 2005. Rick Ayers, Wayne Jansen, Nicolas Cilleros, Ronan Daniellou.
• An Overview and Analysis of PDA Forensic Tools, Digital Investigation: The International Journal of Digital Forensics and Incident Response, Volume 2, Issue 2, April 2005. Wayne Jansen, Rick Ayers.
• Guidelines on PDA Forensics, SP 800-72, November 2004. Wayne Jansen, Rick Ayers.
• PDA Forensic Tools: An Overview and Analysis, NISTIR 7100, August 2004. Rick Ayers, Wayne Jansen.
