
Computer Forensics

Michael Watson
Director of Security Incident Management

NSAA Conference
10/2/09

www.vita.virginia.gov

Overview

• Purpose behind computer forensics
• Challenges faced within the field
• Basic information about how to conduct an investigation and the tools used
• Quick tips for performing Windows forensic investigations

Purpose

• Collection of evidence in a manner that can be relied upon
  – Law enforcement will likely duplicate it, but they will use it if they have to
• To remove doubt that the evidence has been tampered with or altered in any way
• Find evidence that a system, and ultimately the system's user, were involved in the action under investigation

Computer Forensics

• Principles for dealing with digital evidence
  – Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
  – Persons conducting an examination of digital evidence should be trained for that purpose.
  – Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.

Source: "Forensic Examination of Digital Evidence: A Guide for Law Enforcement" (U.S. Department of Justice, National Institute of Justice, 2004)

Evidence Challenges

• Physically collecting the evidence
  – How do you prevent being accused of tampering?
• Taking actions that do not modify any evidence
  – Specialized tools for collecting digital evidence (e.g. hardware write blockers between the evidence drive and the imaging workstation)
• Making sure a device's state does not change while in possession
  – Cell phones and remote signals: a powered-on phone can still receive calls, messages or a remote wipe, so shield it from radio signals (e.g. a Faraday bag) until it is examined
• Preserving evidence
  – Systems can't be shut off without losing volatile data, so capture memory and other volatile state before powering down

Legal Challenges

• Different laws throughout different states
• Wiretap laws
• Federal vs. state
• Important laws to note
  – Fourth Amendment – unreasonable search and seizure
  – Fifth Amendment – protection against self-incrimination
  – Wiretap Act (18 U.S.C. §§ 2510-22)
  – Pen Registers and Trap and Trace Devices Statute (18 U.S.C. §§ 3121-27)
  – Stored Wire and Electronic Communications Act, the "Stored Communications Act" (18 U.S.C. §§ 2701-12)

Organization Challenges

• No expectation of privacy on organizational systems
  – Requires detailed policies
  – Periodic renewal of consent to policies
• Personal equipment use
• Teleworking
• Data management

Performing a Forensic Investigation

• Persistent Data – data that is preserved when the system does not have power
  – Typically data stored on a "drive"
    • Hard Drive
    • USB Drive
    • Floppy Drive
• Volatile Data – transient data that is lost when power is no longer available
  – Running processes, network connections, logged-on users, and encryption keys held in RAM
  – Volatile data may remain in memory for a short time after the computer powers down in certain situations (memory remanence), so a prompt memory capture can still recover some of it

Forensic Tools

• Data collection tools
  – EnCase
  – Forensic Toolkit (FTK)
  – Write blockers
  – Disk imagers
• Network analysis tools
  – Wireshark, tcpdump
• Distributions
  – Knoppix, Helix

Collecting Evidence

• Take pictures
• Have a witness
  – Preferably a non-technical witness
• Establish chain of custody
• Secure evidence storage
• Log evidence access
• Create a forensic image of the system
  – Hash the image (e.g. MD5 and SHA-256) at acquisition time and record the values in the custody log, so any later alteration is detectable
  – Create a working copy of the image and verify its hash matches; analyze the copy, never the original
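The hash-and-verify discipline behind the last two bullets, as an added Python example (not code from the slides or from VITA). It hashes a master image in chunks, records a chain-of-custody entry, makes a working copy, proves the copy matches, and then shows the check failing once the copy is written to. The raw image file, the JSON-lines custody log, the case identifier and the "disk image" bytes are all constructed for the demo.

```python
"""Forensic image verification and chain-of-custody logging (added example).

Assumptions (not from the slides): the acquired image is a raw file on disk and the
custody log is a JSON-lines file stored alongside the evidence.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images need not fit in RAM


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def log_custody(log_path, action, evidence_id, path, examiner, digests, note=""):
    """Append one chain-of-custody record (who, what, when, which hashes) as a JSON line."""
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "evidence_id": evidence_id,
        "action": action,
        "path": os.path.basename(path),
        "examiner": examiner,
        "md5": digests[0],
        "sha256": digests[1],
        "note": note,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def make_working_copy(image_path, copy_path, log_path, evidence_id, examiner):
    """Hash the master, copy it, re-hash the copy; return True only if the copy is bit-identical."""
    master = hash_file(image_path)
    log_custody(log_path, "master-hashed", evidence_id, image_path, examiner, master)
    shutil.copyfile(image_path, copy_path)
    copy = hash_file(copy_path)
    ok = copy == master
    log_custody(log_path, "working-copy-created", evidence_id, copy_path, examiner, copy,
                note="verified against master" if ok else "HASH MISMATCH - copy not usable")
    return ok


def verify_against_log(path, log_path, evidence_id):
    """Re-hash a file and compare with the latest master hashes logged for this evidence item."""
    master = None
    with open(log_path) as log:
        for line in log:
            rec = json.loads(line)
            if rec["evidence_id"] == evidence_id and rec["action"] == "master-hashed":
                master = (rec["md5"], rec["sha256"])
    return master is not None and hash_file(path) == master


def demo():
    """Constructed scenario: tiny fake image, a good working copy, then a copy someone wrote to."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "CASE-2009-042_disk0.dd")       # constructed evidence image
    copy = os.path.join(workdir, "CASE-2009-042_disk0_work.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"\xeb\x52\x90NTFS    " + b"\x00" * 4096)          # constructed bytes, not a real volume

    good_copy = make_working_copy(image, copy, log, "CASE-2009-042/disk0", "examiner-1")
    still_good = verify_against_log(copy, log, "CASE-2009-042/disk0")

    # Simulate a tool (or an analyst) writing a single byte into the working copy.
    with open(copy, "r+b") as f:
        f.seek(100)
        f.write(b"\x01")
    tamper_detected = not verify_against_log(copy, log, "CASE-2009-042/disk0")
    shutil.rmtree(workdir)
    return good_copy, still_good, tamper_detected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two digests are recorded because the slide-era practice was MD5 alone; carrying SHA-256 alongside it means the log still stands if MD5 collisions are ever raised as an objection. The log only ever grows (append mode), so the verification history is itself part of the custody record.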

Analyzing a Windows System

• Thumbnails
• Windows Registry
  – Application and system information storage
• AppData
  – Persistent application data stored here
• Indexing
• Wireless Interface Connections
  – C:\Users\All Users\Microsoft\Wlansvc\Profiles\Interfaces

Interesting Registry Locations

• RunMRU (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU)
  – The commands entered into the Run dialog box. The MRUList value shows the order of execution
• OpenSaveMRU / LastVisitedMRU (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32)
  – Files opened and saved through the common OS Open/Save dialog box, and the applications that used it; renamed OpenSavePidlMRU / LastVisitedPidlMRU from Vista on
• HKLM\SYSTEM\<ControlSetID>\Enum
  – Subkey 1394 for FireWire devices
  – Subkey USB for Universal Serial Bus devices (USBSTOR for USB mass storage devices)

Devices Connected to the System

• How do I find when a device was FIRST connected to a computer?
  – Examine setupapi.log
    • %windir%\setupapi.log in XP and 2003 Server
    • %windir%\inf\setupapi.dev.log in Vista
  – The earliest driver-install entry for a device's VID/PID (or instance ID) is its first connection; later entries are re-connections
• List of USB Vendor IDs and associated Product IDs
  – http://www.linux-usb.org/usb.ids
    • This list may be somewhat out of date
• Devices typically have their own serial number
  – Windows Generated Serial Number
    • If the device does not report a serial number, Windows generates one; these have ampersands as the 2nd, 10th, and 12th characters
      – X&XXXXXXX&X&P
    • A device-supplied serial number never contains "&", so an ampersand as the 2nd character means the ID was generated by Windows and does not uniquely identify the physical device
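An added Python example (not from the slides or from VITA) that ties the two USB slides together: it parses instance IDs as they appear beneath HKLM\SYSTEM\<ControlSet>\Enum\USB, applies the ampersand test for Windows-generated serial numbers, resolves VID/PID pairs against text in usb.ids format, and pulls first-connection times out of both setupapi.log (XP/2003) and setupapi.dev.log (Vista). The instance IDs, the usb.ids excerpt and the log excerpts are constructed for the demo; only the paths, the key names and the ampersand rule come from the slides.

```python
"""Added example: USB device artifacts from Enum\\USB instance IDs and the setupapi logs.
Registry path, log locations and the ampersand test come from the slides; the instance IDs,
log excerpts and usb.ids excerpt are constructed for this demo (not real case data)."""
import re
from datetime import datetime

# Instance IDs as found beneath HKLM\SYSTEM\<ControlSet>\Enum\USB\VID_vvvv&PID_pppp (constructed).
ENUM_USB_INSTANCE_IDS = [
    r"USB\VID_0781&PID_5567\4C530001230203106353",  # device reported its own serial number
    r"USB\VID_046D&PID_C52B\5&2A0B1C3D&0&2",         # no serial: Windows generated the ID
]

# Excerpt in http://www.linux-usb.org/usb.ids format: "vvvv  vendor" lines, TAB-indented
# "pppp  product" lines beneath, then class sections ("C 00 ...") after the last vendor (constructed).
USB_IDS_TEXT = """\
# usb.ids excerpt (constructed)
046d  Logitech, Inc.
\tc52b  Unifying Receiver
0781  SanDisk Corp.
\t5567  Cruzer Blade
C 00  (Defined at Interface level)
"""

# XP/2003 %windir%\setupapi.log: timestamped install header, then the hardware IDs (constructed).
SETUPAPI_LOG_XP = """\
[2009/09/28 14:12:33 1136.3 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0781&pid_5567&rev_0100,usb\\vid_0781&pid_5567
[2009/09/30 09:01:05 1136.7 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0781&pid_5567&rev_0100,usb\\vid_0781&pid_5567
"""

# Vista %windir%\inf\setupapi.dev.log: section header naming the instance ID, then its start time (constructed).
SETUPAPI_DEV_LOG_VISTA = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\5&2a0b1c3d&0&2]
>>>  Section start 2009/09/29 08:15:41.123
"""


def parse_instance_id(instance_id):
    """Split USB\\VID_vvvv&PID_pppp\\serial into (vid, pid, serial); IDs lower-cased."""
    m = re.fullmatch(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)", instance_id)
    if not m:
        raise ValueError("not a USB instance ID: %r" % instance_id)
    return m.group(1).lower(), m.group(2).lower(), m.group(3)


def is_windows_generated_serial(serial):
    """Slide rule: generated IDs look like X&XXXXXXX&X&P. A device-supplied serial never
    contains '&', so an ampersand as the 2nd character is the decisive test."""
    return len(serial) > 1 and serial[1] == "&"


def load_usb_ids(text):
    """Parse usb.ids text into {vid: (vendor_name, {pid: product_name})}; stops at the class sections."""
    ids, vendor = {}, None
    for line in text.splitlines():
        if not line or line[0] == "#" or line.startswith("\t\t"):   # blank, comment, interface line
            continue
        if line[0] == "\t":                                         # product under the current vendor
            pid, name = line.strip().split("  ", 1)
            ids[vendor][1][pid.lower()] = name
        elif re.match(r"[0-9A-Fa-f]{4}  ", line):                   # vendor line
            vid, name = line.split("  ", 1)
            vendor = vid.lower()
            ids[vendor] = (name, {})
        else:                                                       # "C 00 ..." etc.: vendors are finished
            break
    return ids


def describe_device(instance_id, usb_ids):
    """Resolve an Enum\\USB instance ID to vendor/product names and flag a Windows-generated serial."""
    vid, pid, serial = parse_instance_id(instance_id)
    vendor_name, products = usb_ids.get(vid, ("unknown vendor", {}))
    return {"vid": vid, "pid": pid, "serial": serial, "vendor": vendor_name,
            "product": products.get(pid, "unknown product"),
            "serial_is_windows_generated": is_windows_generated_serial(serial)}


def first_connection_times(xp_log="", vista_log=""):
    """{(vid, pid): earliest install time}; later records for the same VID/PID are re-connections."""
    first = {}
    pending = None
    for line in xp_log.splitlines():   # XP: "[date time ... Driver Install]" then "#-019 ... usb\vid_xxxx&pid_yyyy"
        m = re.match(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*Driver Install\]", line)
        if m:
            pending = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = re.search(r"usb\\vid_([0-9a-f]{4})&pid_([0-9a-f]{4})", line, re.I)
        if m and pending:
            key = (m.group(1).lower(), m.group(2).lower())
            first[key] = min(pending, first.get(key, pending))
            pending = None
    pending = None
    for line in vista_log.splitlines():  # Vista: ">>>  [Device Install ... - <instance id>]" then ">>>  Section start <time>"
        m = re.search(r"Device Install .* - USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})", line)
        if m:
            pending = (m.group(1).lower(), m.group(2).lower())
            continue
        m = re.match(r">>>  Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", line)
        if m and pending:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            first[pending] = min(when, first.get(pending, when))
            pending = None
    return first


if __name__ == "__main__":
    ids = load_usb_ids(USB_IDS_TEXT)
    for inst in ENUM_USB_INSTANCE_IDS:
        print(describe_device(inst, ids))
    print(first_connection_times(SETUPAPI_LOG_XP, SETUPAPI_DEV_LOG_VISTA))
```

Run it against a real usb.ids download and the exported Enum\USB subkey names from a case system; the second XP record in the constructed log shows why the earliest timestamp, not the last, is the one to report as "first connected".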

Internet Explorer Data

• Data Recorded by Internet Explorer
  – IE 6 – complete history retained even with clear history
  – IE 7 – most history removed with the "delete all" option
  – IE 8 – InPrivate browsing can prevent data from being recorded
• Temporary Internet Files
• Index.dat
  – Contains all sites visited; separate index.dat files also index the cache (Temporary Internet Files) and cookies

Windows Gotchas

• Defragment
  – Will overwrite slack disk areas
  – Touches every file
  – Scheduled for 3AM every Wednesday by default
• Last access time – Vista only
  – NTFS last-access time updates are turned off by default (NtfsDisableLastAccessUpdate), so the "accessed" timestamp cannot be relied on to show when a file was last used
• Self-healing file systems
  – Will replace Windows files that look to be damaged or that don't have the correct metadata
• BitLocker
  – Whole disk encryption can impede forensic imaging; image the volume while the system is running and unlocked, or secure the recovery key before powering it off

Review

• Purpose behind computer forensics
• Challenges faced within the field
• Basic information about how to conduct an investigation and the tools used
• Quick tips for performing Windows forensic investigations

Questions

For more information please contact me at: [email protected]

Thank You!