Page 1

IT Investigative Tools

Tools and Services for the Forensic Auditor

Page 2

Digital Crime Scene Investigation

Problems with Digital Investigation
- Timing is essential: electronic evidence is volatile
- The auditor may violate rules of evidence
- NEVER work directly on the evidence
- Skills are needed to recover deleted or encrypted data

Page 3

Digital Crime Scene Investigation

Extract, process, interpret
- Work on the imaged data or "safe copy"
- Data extracted may be in binary form
- Process the data to convert it to an understandable form
- Reverse-engineer to extract disk partition information, file systems, directories, files, etc.
- Software is available for this purpose
- Interpret the data: search for key words, phrases, etc.

Page 4

Digital Crime Scene Investigation Technology
- Magnetic disks contain data after deletion
- Overwritten data may still be salvaged
- Memory still contains data after switch-off
- Swap files and temporary files store data
- Most OSs perform extensive logging (so do network routers)

Page 5

Disk Geometry

(Diagram: Track, Sector, Cylinder. Clusters are groups of sectors.)

Page 6

Slack Space

(Diagram: the last cluster in a file, showing the slack space between the end of the file and the end of that cluster.)

Page 7

Illustration of Forensic Tools

Forensic software tools are used for:
- Data imaging
- Data recovery
- Data integrity
- Data extraction
- Forensic analysis
- Monitoring

Page 8

Data Imaging

EnCase
- Reduces internal investigation costs
- Platform independent
- Automated analysis saves time
- Supports electronic records audit
- Creates logical evidence files, eliminating the need to capture entire hard drives

Page 9

Data Recovery

File Recovery with PC Inspector

Page 10

Data Eradication

Securely Erasing Files

Page 11

Data Integrity

MD5 Message Digest
- A hashing algorithm used to generate a checksum
- Available online as freeware
- Any change to a file will change the checksum

Use:
- Generate the MD5 of system or critical files regularly
- Keep the checksums in a secure place to compare against later if integrity is questioned
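The baseline-and-compare procedure the slide describes, as an added example that is not part of the original slides: it hashes every file under a directory, and later reports which files were modified, removed or added. MD5 is used because the slide names it; passing algorithm="sha256" gives a hash whose collisions cannot be manufactured. The demo() tree and its file contents are constructed sample data.

```python
# Added example, not from the slides: build a checksum baseline of critical
# files and verify the tree against it later, the procedure the slide gives.
# MD5 is used because the slide names it; algorithm="sha256" is a drop-in.
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="md5"):
    """Return {relative POSIX path: digest} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root, baseline, algorithm="md5"):
    """Compare the tree under root with a stored baseline and return the
    modified, missing and new paths; empty lists mean the hashes saw no change."""
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: a two-file tree, then one edit, one delete, one add.
    Returns the MD5 of the file that held b'abc' and the verification result."""
    root = Path(tempfile.mkdtemp())
    (root / "a.txt").write_bytes(b"abc")
    (root / "sub").mkdir()
    (root / "sub" / "b.txt").write_bytes(b"hello")
    baseline = build_baseline(root)  # keep this copy somewhere secure, as the slide says
    (root / "a.txt").write_bytes(b"abd")
    (root / "sub" / "b.txt").unlink()
    (root / "c.txt").write_bytes(b"x")
    return baseline["a.txt"], verify_baseline(root, baseline)
```

A matching hash only shows that the bytes are unchanged; it says nothing about who changed a file or why, so the baseline itself must be stored where the same actor cannot rewrite it.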

Page 12

Data Integrity

MD5 Using HashCalc

Page 13

Data Integrity

HandyBits EasyCrypto

Page 14

Data Integrity

Private Disk

Page 15

Data Monitoring

Tracking Log Files

Page 16

Data Monitoring

PC System Log

Page 17

Security Software Log Entries

Page 19

Free Log Tools

Page 20

Audit Command Language (ACL)

ACL is the market leader in computer-assisted audit technology and is an established forensics tool.

Clientele includes:
- 70 percent of the Fortune 500 companies
- over two-thirds of the Global 500
- the Big Four public accounting firms

Page 21

Forensic Tools

Audit Command Language

ACL is a computer data extraction and analytical audit tool with audit capabilities including:
- Statistics
- Duplicates and Gaps
- Stratify and Classify
- Sampling
- Benford Analysis

Page 27

Forensic Tools: ACL

Benford Analysis
- States that the leading digit in some numerical series follows an exponential distribution
- Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers

Leading Digit   Probability
1               30.1 %
2               17.6 %
3               12.5 %
4                9.7 %
5                7.9 %
6                6.7 %
7                5.8 %
8                5.1 %
9                4.6 %
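An added example (not from the slides and not ACL's own code) of the Benford first-digit screen that ACL performs: the expected probabilities are log10(1 + 1/d), which reproduce the table above, and a chi-square statistic summarises how far a series departs from them. The GENUINE and SUSPECT series are constructed sample data.

```python
# Added example, not from the slides: Benford first-digit screening of a
# numeric series, the test ACL's Benford Analysis performs. Expected digit
# probabilities are log10(1 + 1/d), which give the slide's 30.1 %, 17.6 %, ...
import math
from collections import Counter
from decimal import Decimal, InvalidOperation


def leading_digit(x):
    """First significant digit of x, or None for zero, non-finite or non-numeric input."""
    try:
        d = Decimal(str(x).replace(",", "").strip())  # accepts "1,250.75" from exports
    except InvalidOperation:
        return None
    if not d.is_finite() or d.is_zero():
        return None
    return d.as_tuple().digits[0]


def benford_expected():
    """Benford probabilities for leading digits 1..9: log10(1 + 1/d)."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def benford_test(values):
    """Compare observed leading-digit frequencies with Benford's law.

    Returns (counts, observed_freq, chi_square). With 8 degrees of freedom a
    chi-square above 15.5 is unlikely (p < 0.05) if the data follow Benford;
    a flagged series is a lead for closer review, not evidence of fraud."""
    counts = Counter(leading_digit(v) for v in values)
    counts.pop(None, None)  # zeros, blanks and text cells are ignored
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no numeric values to test")
    expected = benford_expected()
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    chi2 = sum((counts.get(d, 0) - n * expected[d]) ** 2 / (n * expected[d])
               for d in range(1, 10))
    return counts, observed, chi2


# Constructed sample: a geometric series (Benford-conforming) next to a block of
# invoice amounts that all start with 5..9, which a Benford screen should flag.
GENUINE = [1.1 ** k for k in range(1, 501)]
SUSPECT = [500 + 10 * k for k in range(50)]

if __name__ == "__main__":
    for name, series in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, round(benford_test(series)[2], 2))
```

Benford screening only applies to series that span several orders of magnitude and are not artificially bounded (assigned numbers, fixed-price items and capped amounts will fail it for innocent reasons).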

Page 31

Data Monitoring

Employee Internet Activity

Spector captures employee web activity, including keystrokes, email, and snapshots, to answer questions like:
- Which employees are spending the most time surfing web sites?
- Which employees chat the most?
- Who is sending the most emails with attachments?
- Who is arriving to work late and leaving early?
- What are my employees searching for on the Internet?

Page 32

Data Monitoring: Spector

Recorded Email

Page 33

Data Monitoring: Spector

Recorded Web Surfing

Page 34

Data Monitoring: Spector

Recording Keystrokes

Page 35

Data Monitoring: Spector

Recorded Snapshots

Page 37

Data Capture: Key Log Hardware

KeyKatcher
- Records chat, e-mail, internet & more
- Is easier to use than parental control software
- Identifies internet addresses
- Uses no system resources
- Works on all PC operating systems
- Undetectable by software

www.lakeshoretechnology.com

Page 38

index.dat files

Contain all of the Web sites that you have ever visited: every URL, every Web page, and all of the email that has been sent or received through Outlook or Outlook Express. On Windows 2000 and Windows XP there are several "index.dat" files in these locations:

\Documents and Settings\<Username>\Cookies\index.dat

\Documents and Settings\<Username>\Local Settings\History\History.IE5\index.dat

\Documents and Settings\<Username>\Local Settings\History\History.IE5\MSHist012001123120020101\index.dat

\Documents and Settings\<Username>\Local Settings\History\History.IE5\MSHist012002010720020114\index.dat

\Documents and Settings\<Username>\Local Internet Files\Content.IE5\index.dat

These files cannot be deleted without special software!

Page 40

Background Checks

Page 43

http://www.expressmetrix.com/solutions/

Page 45

ipconfig /all

Page 46

ipconfig /displaydns

Page 47

netstat -a

Page 49

Eraser

http://www.heidi.ie/eraser/

Private Disk

http://www.private-disk.net/

HashCalc

http://www.slavasoft.com/hashcalc/index.htm

PC Inspector

http://www.download.com/3000-2242-10066144.html

VeriSign

http://www.verisign.com

HandyBits Encryption

http://www.handybits.com/

EnCase

http://www.handybits.com/

Page 50

Spector

http://www.spectorsoft.com/

Stolen ID Search

https://www.stolenidsearch.com/

Abika Background Check

http://www.abika.com/

Guide to Log Management

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

ACFE Fraud Prevention Checkup

http://www.acfe.com/documents/Fraud_Prev_Checkup_IA.pdf

NetWitness

http://www.netwitness.com/

GASP Std V 7.0 Free Software

http://www.bsa.org/usa/antipiracy/Free-Software-Audit-Tools.cfm

Federal Guidelines for Searches

http://www.cybercrime.gov/searchmanual.htm

Page 51

Florida Criminal Database

http://www.fdle.state.fl.us/CriminalHistory/

Federal Bureau of Prisons

http://www.bop.gov/