CSCD496 Computer Forensics
Lecture 4
Applying Process to Computer Forensics
Winter 2010

Introduction

• Crime isn't always straightforward
• Not always possible for the investigator to prove what happened based on the evidence
• Only the criminal knows the full story of their involvement in a crime
  – Difficult to establish associated motives, movements, sequence of actions and timing

Outline

• Process for conducting a forensics investigation
• Looked at a process model last time ...
  – Go through this process as applied to digital forensics investigations
  – Should understand the steps involved
  – In future lectures, go into more detail
• Techniques for forensics acquisition
• Tools and techniques
• Examine laws that govern digital crime
• Requirements for evidence to confirm or deny a crime


Digital Forensics Process

• Authorization

• Identification

• Documentation

• Seizure and Preservation

• Examination and Analysis, Reconstruction

• Reporting

Authorization

• Get permission, and confirm that the legal statutes allow collection of digital evidence
• Make sure the search doesn't violate laws
  – Privacy laws such as the Electronic Communications Privacy Act of 1986
    • Holds for both government and individuals
  – For investigations regarding employees, must
    • Look at company policy to see if the employer can search employee email or work computers
    • If you need to search a private computer or device, you need a search warrant

Authorization

• Search warrants must describe the property to be seized and establish probable cause
  – Investigators are authorized to collect only information relevant to the investigation
  – Supposed to ignore data not related to the case

Identification

• Hardware
  – Phones, PDAs, laptops, desktops, servers, routers, firewalls, etc.
  – Storage media: compact disks, memory sticks, tapes, USB storage
  – Point: want to be familiar with as many types of devices as possible
• Digital Evidence
  – Must know what evidence to capture according to the type of crime
    • A cyber stalker leaves different evidence than a disgruntled employee

Documentation

• Must document everything you do
  – Think of lawyers asking questions while you are on the stand
  – All people involved in the collection and transport of evidence may be required to testify in court

Seizure and Preservation

• Exactly what you expect
  – Hardware
    • If the entire computer is to be collected, should collect all peripheral devices and any media around the computer
    • Also suggest collecting manuals and notes
    • Preservation involves anti-static bags and storage in a climate-controlled lab
  – Digital Evidence
    • If only some files are needed, can just copy them
      – Like log files on a Unix server; don't need the entire machine
      – Hash each copied file and record the hash, so the copy can later be shown to match the original
    • If many files are needed, can copy the entire disk and then look at it later

Examination and Analysis

• Nature and extent of digital evidence examination
  – Depends on the crime and circumstances
• General steps include
  – Paring down data
    • Exclude system files and other files of no importance to the investigation
  – Classifying digital evidence according to common characteristics
    • .doc files, JPEG, GIF, .avi, .mpg and many other formats

Examination and Analysis

• Steps continued
  – Recovery of deleted files
    • When a file is deleted, its data remains on disk
    • Can be recovered if not overwritten
    • More interesting is when parts of the file have been overwritten
    • Find fragments in slack space or unallocated disk space
      – Slack space is the space between the actual end of a file's data and the end of the last cluster allocated to it
      – Typically (Windows file systems) space is allocated in fixed-size clusters, which leaves unused space at the end of the last cluster
      – That unused space can contain interesting fragments of whatever file previously occupied the cluster
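The following script is an added example for this lecture, not part of the original slides: it builds a small constructed disk image (the cluster size, file names and contents are all invented for the demo), computes how much slack a file leaves in its last cluster, pulls the surviving tail of an overwritten file out of that slack, and also carves an e-mail address out of the unallocated clusters, which goes one step beyond the slide.

```python
"""Slack-space and unallocated-space recovery on a constructed disk image.
Added example for this lecture, not part of the original slides: cluster size,
file names and file contents are all invented for the demo."""
import re

CLUSTER = 512  # assumption: a small cluster keeps the demo readable (NTFS commonly uses 4096)


def slack_bytes(file_size, cluster_size=CLUSTER):
    """Unused bytes in the last cluster allocated to a file of file_size bytes."""
    if file_size <= 0:
        return 0
    return (-file_size) % cluster_size


def clusters_needed(file_size, cluster_size=CLUSTER):
    """Number of whole clusters the file system hands out for file_size bytes."""
    return (file_size + cluster_size - 1) // cluster_size


def build_image():
    """Four-cluster image plus the allocation table the file system still keeps.

    Cluster 0: an e-mail draft was deleted, then a 64-byte notes.txt was allocated
               on top of it, so the tail of the e-mail survives in notes.txt's slack.
    Cluster 1: ledger.csv, a live file that never had a predecessor.
    Clusters 2-3: unallocated, still holding a deleted message."""
    image = bytearray(4 * CLUSTER)
    old_mail = (b"From: alice@example.test\r\nTo: carol@example.test\r\n"
                b"Subject: Q3 numbers\r\n\r\n"
                b"Move the $9,000 out before the auditors arrive on Monday.\r\n"
                b"Use the account ending 4471 and shred the printouts.\r\n")
    image[0:len(old_mail)] = old_mail                      # the file that was later deleted
    notes = b"TODO: renew parking permit, call dentist, return library books.\n"
    image[0:len(notes)] = notes                            # new file reuses cluster 0
    ledger = b"date,amount\n2010-01-12,125.00\n2010-01-15,80.50\n"
    image[CLUSTER:CLUSTER + len(ledger)] = ledger
    deleted = b"To: bob@example.test\r\nDelete the logs on host fin-02 tonight.\r\n"
    image[2 * CLUSTER:2 * CLUSTER + len(deleted)] = deleted
    allocations = [
        {"name": "notes.txt", "start": 0, "size": len(notes)},
        {"name": "ledger.csv", "start": 1, "size": len(ledger)},
    ]
    return bytes(image), allocations


def file_slack(image, alloc, cluster_size=CLUSTER):
    """Bytes between the end of the file's data and the end of its last cluster."""
    end = alloc["start"] * cluster_size + alloc["size"]
    return image[end:end + slack_bytes(alloc["size"], cluster_size)]


def unallocated(image, allocations, cluster_size=CLUSTER):
    """Every cluster no allocation points at, concatenated in disk order."""
    used = set()
    for a in allocations:
        used.update(range(a["start"], a["start"] + clusters_needed(a["size"], cluster_size)))
    total = len(image) // cluster_size
    return b"".join(image[c * cluster_size:(c + 1) * cluster_size]
                    for c in range(total) if c not in used)


EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def carve_emails(data):
    """Keyword carving: pull e-mail addresses out of raw bytes, file system ignored."""
    return [m.group(0).decode("ascii") for m in EMAIL.finditer(data)]


def recover(image, allocations):
    """Readable fragments from each file's slack and from unallocated space."""
    fragments = {}
    for a in allocations:
        fragments["slack:" + a["name"]] = file_slack(image, a).rstrip(b"\x00")
    fragments["unallocated"] = unallocated(image, allocations).rstrip(b"\x00")
    return fragments


if __name__ == "__main__":
    img, allocs = build_image()
    for where, data in recover(img, allocs).items():
        print("%-18s %4d bytes  %r" % (where, len(data), data[:60]))
        print("   addresses:", carve_emails(data))
```

Running it shows the "Subject" line of the old e-mail is gone (overwritten by notes.txt) while the body about the auditors survives in slack, and the message in the unallocated clusters is recoverable whole even though no directory entry points at it.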

Examination and Analysis

• Other considerations
  – File analysis
  – Data hiding techniques
• File Analysis
  – File content
    • Obvious links between the case under investigation and the files
    • Financial fraud case: look for accounting files, spreadsheets, Quicken files, other financial files

Examination and Analysis

• File Analysis continued
  – Metadata
    • File creation and modification dates, file ownership, file type
  – Application files
    • Missing files
    • Find an application program but no data files, or
    • Find data files from an application program but no program
    • Assume the missing files may be stored elsewhere

Examination and Analysis

• File Analysis continued
  – OS files
    • Find files from other OSs on the computer: assume the suspect has another computer or account somewhere
    • .tar files on a Windows machine
  – Patterns
    • The way files are saved or named
    • May indicate a relation to a crime and lead to further evidence
    • Example: /porn-girls, /porn-other

Examination and Analysis

• Data Hiding Techniques
  – This is where forensics analysis really gets interesting!!!
  – The more you know about how to hide and conceal data the better
  – Change file extension
    • file.jpg becomes file.txt
    • Forensics software will compare the file header (signature bytes) against the extension and flag a mismatch, exposing this trick
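The check described above, written out as an added example for this lecture (not part of the slides, and not the logic of any particular forensic product): a constructed table of a few magic numbers, a text heuristic for files with no signature, and a scan over constructed sample headers that includes the renamed JPEG from the slide.

```python
"""File-signature versus extension check. Added example for this lecture, not
part of the original slides or of any forensic product: the signature table is a
small constructed subset and the sample files are invented."""
import os

# Assumption: first bytes ("magic numbers") of a few common formats.  Real tools
# carry hundreds of entries, including signatures that sit at a non-zero offset.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    "docx": [b"PK\x03\x04"],          # Office Open XML is a zip container
    "exe":  [b"MZ"],
    "gz":   [b"\x1f\x8b"],
}


def identify(header):
    """Extensions whose magic bytes match the start of header (may be several)."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(header.startswith(m) for m in magics)}


def looks_like_text(header):
    """Heuristic used when no signature matches: no NUL bytes and mostly printable."""
    if not header:
        return True
    if b"\x00" in header:
        return False
    printable = sum(1 for b in header if 32 <= b < 127 or b in b"\t\r\n")
    return printable / len(header) > 0.9


def check(name, header):
    """Return (verdict, claimed_extension, detected_extensions).

    verdict is 'match', 'mismatch' (the extension lies about the content) or
    'unknown' (nothing in our small table matched and the bytes are not text)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    detected = sorted(identify(header))
    if ext in SIGNATURES:                       # extension claims a format we know
        if ext in detected:
            return ("match", ext, detected)
        if detected:
            return ("mismatch", ext, detected)
        if looks_like_text(header):
            return ("mismatch", ext, ["txt"])   # claims a binary format, is really text
        return ("unknown", ext, detected)
    if detected:                                # e.g. .txt holding JPEG bytes
        return ("mismatch", ext, detected)
    return ("match" if looks_like_text(header) else "unknown", ext, detected)


def read_header(path, n=16):
    """Read the first n bytes of a real file (enough for every entry above)."""
    with open(path, "rb") as f:
        return f.read(n)


def scan(files):
    """files maps a name to its first bytes; return only the suspicious entries."""
    results = {name: check(name, header) for name, header in files.items()}
    return {name: r for name, r in results.items() if r[0] == "mismatch"}


# Constructed sample: headers only, no real files involved.
SAMPLE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "file.txt":    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # the renamed JPEG from the slide
    "notes.txt":   b"Meeting at 3pm.\nBring the ledger.\n",
    "report.pdf":  b"PK\x03\x04\x14\x00\x06\x00",         # a zip/docx wearing a .pdf name
    "budget.xls":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2; not in our small table
}

if __name__ == "__main__":
    for name, (verdict, claimed, found) in scan(SAMPLE).items():
        print("%-12s claims .%s but header says %s" % (name, claimed, found))
```

To run it over a real directory, feed `{name: read_header(path) for ...}` to `scan()`. Note the deliberate 'unknown' verdict: a format missing from the table is reported, not silently passed, so the examiner knows the tool's coverage rather than trusting a false negative.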

Examination and Analysis

• Data Hiding Techniques continued
  – Password-protected files
    • Use password-cracking software
    • Ask the software developer for the password scheme
    • Ask the suspect for the password
  – Compressed files
    • Save disk space but also make the contents unreadable to a plain search
    • Use an uncompress utility

Examination and Analysis

• Data Hiding Techniques continued
  – Encrypted files
    • Need to recover the key, not "crack" the file
    • Should know what algorithm is being used
  – Steganography
    • Hide data within the content of another file
    • Music or picture files most common
      – These formats carry redundant bits (for example the least significant bit of each sample or pixel) that can be changed without a perceptible effect on quality
      – Hide an image or other information in these spare bits
    • Difficult to discover hidden information unless you have the original
      – Do a bit-by-bit comparison
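As an added example for this lecture (not part of the slides), the script below hides a message in the least significant bits of a constructed 8-bit grayscale "image" (a byte array, so no image library is needed; the length-prefixed layout is our own), recovers it, and then performs the bit-by-bit comparison against the original that the slide recommends. It also goes one step beyond the slide by showing the only statistic you have without the original, the share of set LSBs, which barely moves.

```python
"""Least-significant-bit steganography on a constructed 'image', plus the
bit-by-bit comparison against the original described on the slide.  Added example
for this lecture, not part of the original slides.  Assumptions: the cover is a raw
array of 8-bit grayscale pixels (no image library needed) and the hidden layout is
our own: a 32-bit big-endian length followed by the message bits."""
import random


def embed(cover, message):
    """Replace the LSB of successive cover bytes with the bits of length||message."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d pixels, have %d" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit     # each pixel changes by at most 1
    return bytes(out)


def _read_lsb_bytes(data, offset, count):
    """Reassemble count bytes from the LSBs of data starting at pixel index offset."""
    value = bytearray()
    for b in range(count):
        v = 0
        for i in range(8):
            v = (v << 1) | (data[offset + b * 8 + i] & 1)
        value.append(v)
    return bytes(value)


def extract(stego):
    """Inverse of embed(): read the length, then that many message bytes."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if 32 + 8 * length > len(stego):
        raise ValueError("length field does not fit: probably not our layout")
    return _read_lsb_bytes(stego, 32, length)


def compare(original, suspect):
    """Bit-by-bit comparison with the original, the check the slide calls for."""
    if len(original) != len(suspect):
        return {"same_size": False}
    diffs = [a ^ b for a, b in zip(original, suspect)]
    return {
        "same_size": True,
        "changed_pixels": sum(1 for d in diffs if d),
        "max_abs_diff": max((abs(a - b) for a, b in zip(original, suspect)), default=0),
        "only_lsb_changed": all((d & 0xFE) == 0 for d in diffs),
        "first_changed": next((i for i, d in enumerate(diffs) if d), None),
    }


def lsb_ones_fraction(data):
    """Share of pixels with LSB set; without the original this is all you can look at."""
    return sum(b & 1 for b in data) / len(data)


def make_cover(n=4096, seed=1):
    """Constructed cover: pseudo-random noise standing in for a photo's pixel values."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at the pier, bring the ledger")
    print("recovered:", extract(stego))
    print("with original:", compare(cover, stego))
    print("without original: LSB ones %.3f -> %.3f" %
          (lsb_ones_fraction(cover), lsb_ones_fraction(stego)))
```

With the original in hand the comparison reports a few hundred changed pixels, every change confined to the LSB and clustered at the start of the array, which is a strong tell. Without it, the LSB statistic of the stego file is indistinguishable from noise, which is exactly why the slide says detection is hard unless you have the original.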

Reconstruction

• When do you do it?
  – Reconstructing the crime using the gathered evidence is important
  – Investigative reconstruction should be done on-going with the investigation
    • When collecting evidence at the crime scene, should do reconstructive tasks
      – So that additional investigation can be done if needed

Reconstruction

• 3 Categories of Evidence
  1. Relational
     • Where an object was in relation to other objects
  2. Functional
     • How something works or how it was used
  3. Temporal
     • Things based on the passage of time

Types of Analysis

• Temporal Analysis
  – Creating a chronological list of events
    • Helps an investigation gain insight into what happened
    • Construct a timeline of events
    • Can create a histogram of times
      – Reveals periods of high activity
    • Arrange times in a grid
      – Example figure: days of the week (M Tu We Th Fr Sa Su) across, hours (6, 7, 8, 10, 11, 12 pm) down; the marked cells show when port scanning occurred
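The grid above, built from log data as an added example for this lecture (not part of the slides): the firewall log format and its entries are constructed for the demo, with addresses from the RFC 5737 documentation ranges. The script parses the lines, builds a timeline, bins events by weekday and hour, and renders the grid, with the scanning host standing out at the same evening hour on Tuesdays and Thursdays.

```python
"""Temporal analysis: turn log timestamps into a weekday-by-hour histogram grid like
the one sketched on the slide.  Added example for this lecture, not part of the
original slides.  The firewall log format and the entries are constructed for the
demo (addresses are from the RFC 5737 documentation ranges)."""
import re
from collections import Counter
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]      # datetime.weekday(): Monday == 0

# Constructed log: one host sweeps ports on three evenings, plus ordinary traffic.
LOG = """\
2010-01-12 22:03:14 DENY TCP 203.0.113.7:4421 -> 192.0.2.10:22
2010-01-12 22:03:15 DENY TCP 203.0.113.7:4422 -> 192.0.2.10:23
2010-01-12 22:03:15 DENY TCP 203.0.113.7:4423 -> 192.0.2.10:80
2010-01-12 22:04:01 DENY TCP 203.0.113.7:4424 -> 192.0.2.10:443
2010-01-13 09:15:22 ALLOW TCP 198.51.100.4:51234 -> 192.0.2.10:80
2010-01-14 22:11:40 DENY TCP 203.0.113.7:5110 -> 192.0.2.11:22
2010-01-14 22:11:41 DENY TCP 203.0.113.7:5111 -> 192.0.2.11:25
2010-01-14 22:11:41 DENY TCP 203.0.113.7:5112 -> 192.0.2.11:80
2010-01-15 14:02:09 ALLOW TCP 198.51.100.9:40000 -> 192.0.2.10:443
2010-01-18 10:30:00 DENY UDP 198.51.100.20:5353 -> 192.0.2.255:5353
2010-01-19 22:07:02 DENY TCP 203.0.113.7:6001 -> 192.0.2.12:22
2010-01-19 22:07:02 DENY TCP 203.0.113.7:6002 -> 192.0.2.12:3306
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (ALLOW|DENY) (TCP|UDP) "
                  r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse_events(text):
    """One dict per well-formed line; lines in another format are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                       "action": m.group(2), "proto": m.group(3),
                       "src": m.group(4), "dst": m.group(5), "dport": int(m.group(6))})
    return events


def histogram(events, keep=lambda e: True):
    """Counter keyed by (weekday, hour); keep() filters, e.g. to one source address."""
    return Counter((e["ts"].weekday(), e["ts"].hour) for e in events if keep(e))


def peaks(hist, n=3):
    """The n busiest (weekday, hour) cells: the 'period of high activity'."""
    return hist.most_common(n)


def render(hist):
    """ASCII grid: days across, only the hours that saw activity down the side."""
    rows = ["hour " + " ".join("%3s" % d for d in DAYS)]
    for hour in sorted({h for _, h in hist}):
        rows.append("%02d   " % hour + " ".join("%3d" % hist.get((d, hour), 0) for d in range(7)))
    return "\n".join(rows)


def timeline(events):
    """Chronological list, the other artefact the slide asks for."""
    return [(e["ts"].isoformat(sep=" "), e["src"], e["dport"], e["action"])
            for e in sorted(events, key=lambda e: e["ts"])]


if __name__ == "__main__":
    ev = parse_events(LOG)
    hist = histogram(ev, keep=lambda e: e["action"] == "DENY")
    print(render(hist))
    print("peaks:", [(DAYS[d], h, n) for (d, h), n in peaks(hist)])
```

The `keep` filter is the practical knob: histogram everything first to find the hot cells, then re-run restricted to one source address or one destination port to confirm that a single actor, not general load, accounts for the peak.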

Types of Analysis

• Relational Analysis
  – Where an object was in relation to other objects: computers and people
  • Example
    – Intruder gains access to the accounting system
    – A diagram helps show the relational reconstruction of the crime
    – Intruder initially scanned the network for vulnerabilities
    – Shows up in the firewall and IDS logs
    – Network traffic shows they targeted one system
    – Deleted log files recovered from that system show how the intruder made connections to the accounting system

Types of Analysis

• Functional Analysis
  – What conditions were necessary for the crime to even be possible
  • Example: downloaded child porn
    – Want to know if the suspect's computer was capable of downloading and displaying the files presented as evidence
    – If the computer wasn't capable, then it wasn't possible for them to commit the crime
  • Example: intruder accessed the accounting system (previous example)
    – Firewall was configured to block direct access to the accounting system
    – Investigation needs to look for other means of access
    – Found an internal system the intruder had compromised, which provided that other route

Investigative Error

• Some errors can hinder an investigation
  – Can obscure or obliterate evidence
  – Example
    • A system administrator tried to preserve an intruder's files using a backup program that first changed all file times to the current time ... oops!
    • Impossible then to reconstruct the timeline
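The following is an added example for this lecture, not part of the slides, covering both the "just copy the log files" case from the Seizure and Preservation slide and the timestamp mistake described above. It copies a constructed auth.log two ways inside a temporary directory it creates: once with `shutil.copy2`, which keeps the timestamps, verifies the SHA-256 before and after and writes a custody record, and once with a plain `shutil.copyfile`, which produces a byte-identical copy whose modification time is now, the failure mode the administrator hit. The examiner id is a placeholder.

```python
"""Preserving copies of individual files (the 'just copy the log files' case) without
repeating the backup-program mistake above: keep the timestamps, hash before and
after, and write a custody record.  Added example for this lecture, not part of the
original slides; the log content and examiner id are constructed, and the script only
touches a temporary directory it creates."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_metadata(path):
    """The facts a later reviewer will want: size, timestamps and a content hash."""
    st = os.stat(path)
    return {"path": path, "size": st.st_size, "mtime": st.st_mtime,
            "atime": st.st_atime, "sha256": sha256_file(path)}


def preserve_copy(src, dst_dir, examiner="examiner-01"):
    """Copy src into dst_dir keeping its timestamps, verify, return a custody entry."""
    before = record_metadata(src)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copy2(src, dst)       # content plus mtime/atime; copyfile() would stamp 'now'
    after = record_metadata(dst)
    if after["sha256"] != before["sha256"] or after["size"] != before["size"]:
        raise RuntimeError("copy of %s does not match the original" % src)
    return {"source": before, "copy": after,
            "mtime_preserved": int(before["mtime"]) == int(after["mtime"]),
            "collected_by": examiner,
            "collected_at": datetime.now(timezone.utc).isoformat()}


def careless_copy(src, dst_dir):
    """The slide's mistake in miniature: content is copied, the timestamps are lost."""
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copyfile(src, dst)
    return record_metadata(dst)


def demo():
    """Set up a constructed auth.log 'last written' in January 2010 and copy it both ways."""
    work = tempfile.mkdtemp(prefix="cscd496_")
    src = os.path.join(work, "auth.log")
    with open(src, "w") as f:
        f.write("Jan 12 22:03:14 fin-02 sshd[4411]: Failed password for root "
                "from 203.0.113.7 port 4421 ssh2\n")
    last_written = datetime(2010, 1, 12, 22, 5, 0).timestamp()
    os.utime(src, (last_written, last_written))     # pretend the file is that old
    evidence_dir = os.path.join(work, "evidence")
    backup_dir = os.path.join(work, "backup")
    os.mkdir(evidence_dir)
    os.mkdir(backup_dir)
    entry = preserve_copy(src, evidence_dir)
    careless = careless_copy(src, backup_dir)
    return {"custody": entry,
            "careless_mtime_preserved": int(careless["mtime"]) == int(last_written),
            "careless_hash_matches": careless["sha256"] == entry["source"]["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The careless copy passes a hash check, which is the trap: a hash proves the content, not the metadata. Record the original's timestamps before touching the file, because once a tool has rewritten them there is nothing left to compare against. On a live system the act of reading the file may itself update the access time, which is one reason imaging the whole disk read-only is preferred when the timeline matters.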

Evidence Dynamics and Error

• Errors are actually common and can destroy the chances of a conviction
• Example case:
  – Lawrence Benedict was accused of possessing child porn, found on a tape he exchanged with a known sexual offender, Mike Bolander
  – Benedict said he was just exchanging games and didn't realize the tape contained porn
  – He initially pleaded guilty but changed his plea when he realized there were problems with the digital evidence in his case
  – The computer and disks the defense said could prove his innocence were stored in a basement that flooded

Evidence Dynamics and Error

• Example continued
  – Also, police who seized Bolander's computer copied the child pornography from the tape in question onto Bolander's computer for examination
  – Police also installed software on Bolander's computer to examine its contents
    • Files appeared to have been added, altered and deleted while in police custody
  – This occurred before Benedict's sentencing
  – Plus, a floppy disk containing evidence was accidentally overwritten
  – These errors and data accidents caused many problems and complicated the conviction process

Summary

• Repeatable steps produce high-quality digital evidence
  – Results in evidence useful in court
  – Confirms or denies a person's guilt
• Examination and analysis of the data yields a more complete picture
• Reconstruction puts the pieces together into a picture of the events of interest

References

– ECPA: http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
– Casey, E. (2004). Digital Evidence and Computer Crime, 2nd edition. Elsevier Academic Press.

Finish

– Next time
  • Data acquisition
– Reading: read Chapter 2 for the lab tomorrow
  • Chapter 4 for Wednesday