10th National Investigations Symposium, AVOIDING FORENSIC PITFALLS: First Responders Guide to Preserving Electronic Evidence, 6 November 2014

10 National Investigations Symposiumcdn.nsw.ipaa.org.au/docs/10 NIS/Browyn Barker - pres.pdf · 2017-05-18 · Encryption – on disc & files Backups in proprietary format eg. Timecapsule,


Page 1

10th National Investigations Symposium

AVOIDING FORENSIC PITFALLS

First Responders Guide to

Preserving Electronic Evidence

6 November 2014

Page 2

Bronwyn Barker Electronic Evidence Specialist

Page 3

Investigation

5 W’s:

Who, what, when, where & why

5 stages:

Identification

Collection

Preservation

Analysis

Presentation

3

Page 4

Identification – types of evidence

4

Page 5

Mobile phones

5

Page 6

New types of evidence

6

Page 7

Social media

7

Page 8

Cloud services

8

Page 9

Collection

Search warrants

(keyword searching)

Power to obtain documents, e.g. s22 ICAC Act

Photograph

Labels

Chain of custody

Computer date/time

9

Page 10

Preservation

Forensic imaging of devices

Types of forensic files:

• Physical image - E01

• Logical image - AD1

Retain documents in original format, i.e. emails kept with their internet headers

Retain metadata – author, time/date, authenticity, reliability

Write blockers

Social discovery

Master copy, working copy

10
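The preservation steps on this slide (master copy, working copy, chain of custody, computer date/time) come down to one check a first responder repeats at every hand-over: the master still matches the hash taken at acquisition, and the working copy matches the master. The following is an added example, not code from the presentation; the exhibit name, handler name and the plain-byte stand-in "images" are constructed (they are not real E01 files).

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-hundred-GB images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def custody_record(exhibit: str, handler: str, master_path: str, working_path: str,
                   acquisition_sha256: str, evidence_clock_offset_s: int) -> dict:
    """One chain-of-custody entry: the master must match the hash recorded at
    acquisition, and the working copy must match the master before any analysis."""
    master = sha256_file(master_path)
    working = sha256_file(working_path)
    return {
        "exhibit": exhibit,
        "handler": handler,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(),
        "acquisition_sha256": acquisition_sha256,
        "master_sha256": master,
        "working_sha256": working,
        "master_matches_acquisition": master == acquisition_sha256,
        "working_matches_master": working == master,
        # offset between the seized computer's clock and reference time (slide 9)
        "evidence_clock_offset_seconds": evidence_clock_offset_s,
    }

def demo(tamper_working: bool = False) -> dict:
    """Constructed stand-in images (plain bytes, not real E01 files) for the example."""
    with tempfile.TemporaryDirectory() as d:
        master = os.path.join(d, "EX01_master.E01")
        working = os.path.join(d, "EX01_working.E01")
        payload = b"constructed image contents " * 1000
        with open(master, "wb") as f:
            f.write(payload)
        with open(working, "wb") as f:
            f.write(payload + (b"X" if tamper_working else b""))
        acq_hash = hashlib.sha256(payload).hexdigest()  # value written on the evidence label
        return custody_record("EX01", "handler-name-placeholder", master, working, acq_hash, 125)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```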

Page 11

Issues

Encryption – on disc & files

Backups in proprietary format, e.g. Timecapsule, Windows Backups, Norton Ghost

Legacy tape formats

Password protection on files

iPhones can be wiped remotely

Sheer size of data – time it takes to image, move around on HDDs, review

Data in the cloud

Data in data centres

Data offshore

Social media

Deleting data

Backing up own data

11

Page 12

Anti-forensics

Delete

Delete & use a cleaner

Delete & disk defragmentation

Using an anonymiser website

Wipe the entire drive

Replace the drive

Lost the computer

Store the data on an external media – USB thumb drive or SD card

Change the dates & times to cause confusion

Forensically image the drive thereby leaving no trace of access to the original media

12

Page 13

Memory acquisition

Volatile data

Will change evidence

Return outweighs risk

Without a memory image there is little chance to bypass whole disk encryption

13

Page 14

So why collect system memory?

Processes

Network connections

Open files

Configuration parameters

Encryption keys, e.g. BitLocker

Memory-only exploits, rootkit technology

14

Page 15

Evidence Encryption

Full disk image

Live logical image evaluation

Logical imaging

15

Page 16

Solid State Drives

Better speeds

Quieter than ordinary hard drives

No cooling on the fly

No mechanical parts

Consume less power during operation

16

Page 17

SSD Trim and Wear Leveling

Wear Leveling

SSD storage is only good for x # of writes

Moves data around the drive to ensure even use of the SSD storage

TRIM

Clears data stored in flash that has been deleted

Effectively “clearing free space”

Runs once a week on a Windows 7/8 computer

17

Page 18

SSD to pull or not to pull

Risk to SSD associated with power loss

Live acquisition – best practice

Possible remediation

18

Page 19

Email forensics

Where are the files?

How do we acquire them forensically?

What can we find?

Host based email

Email servers

Cloud based email

Mobile email

19

Page 20

Host based email

Email stored on the local machine

Identify all email storage locations

- find via filetype searches

- review email client configuration info

- search for index and message files

Potential for password protection

Search for deleted email archives

20

Page 21

Microsoft Outlook

PST

No encryption

Compressible encryption

High encryption

Password protection

OST

21
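Slides 20 and 21 together describe the first two steps of local email triage: find the stores by file signature rather than by extension, then read what kind of protection an Outlook store carries. The following is an added example, not code from the presentation; it uses the PST header layout published in Microsoft's MS-PST specification (wVer at offset 10, bCryptMethod at 0x1CD for ANSI and 0x201 for Unicode files) and the DBX signature, and the demo headers it builds are constructed, not real mail stores.

```python
import struct

# File signatures for local mail stores (slide 20: find via filetype searches,
# since extensions may have been renamed). Sources: MS-PST spec, Outlook Express DBX format.
MAIL_STORE_SIGNATURES = {
    b"!BDN": "Outlook PST/OST",
    b"\xcf\xad\x12\xfe": "Outlook Express DBX",
}

# bCryptMethod values from the PST header (MS-PST NDB_CRYPT_*). The first two are
# byte-level obfuscation that is reversible without any secret; the PST password
# (slide 21) is stored separately and does not encrypt the message data.
PST_CRYPT = {
    0x00: "no encryption",
    0x01: "compressible encryption",   # NDB_CRYPT_PERMUTE
    0x02: "high encryption",           # NDB_CRYPT_CYCLIC
    0x10: "Windows Information Protection",
}

def identify_mail_store(data: bytes) -> str:
    for magic, name in MAIL_STORE_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def pst_header_info(data: bytes) -> dict:
    """Read client tag, format and encryption mode from the first 0x220 bytes of a PST/OST."""
    if not data.startswith(b"!BDN"):
        raise ValueError("not a PST/OST file")
    client = data[8:10].decode("ascii", "replace")        # 'SM' = PST, 'SO' = OST
    wver = struct.unpack_from("<H", data, 10)[0]
    if wver in (14, 15):
        fmt, crypt_off = "ANSI", 0x1CD
    elif wver >= 23:
        fmt, crypt_off = "Unicode", 0x201
    else:
        raise ValueError(f"unexpected wVer {wver}")
    if len(data) <= crypt_off:
        raise ValueError("truncated header")
    method = data[crypt_off]
    return {"client": client, "format": fmt, "crypt_method": method,
            "encryption": PST_CRYPT.get(method, f"unknown (0x{method:02x})")}

def make_demo_header(unicode: bool, crypt: int, client: bytes = b"SM") -> bytes:
    """Constructed header for the example: only the fields read above are filled in."""
    buf = bytearray(0x220)
    buf[0:4] = b"!BDN"
    buf[8:10] = client
    struct.pack_into("<H", buf, 10, 23 if unicode else 14)
    buf[0x201 if unicode else 0x1CD] = crypt
    return bytes(buf)
```

Run `pst_header_info` on the first 0x220 bytes of a candidate file to report the mode before deciding whether a password or key is actually needed to read it.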

Page 22

Microsoft Outlook Express

DBX

Plain text

Deleted messages can be recovered

Until compacted

Windows Mail

After Windows 7

22

Page 23

Email servers

Most corporate environments employ dedicated mail servers

Could be hosted offsite

Business considerations make getting forensic copies difficult

Expect massive amounts of data

Deleted mail exists, but is less likely to be found

23

Page 24

Webmail

Email typically stored on ISP servers

- Possible exception for POP or IMAP

User IP address and subscriber info may be available from ISP

Look for webmail addresses

Cached copies can be recovered

- Web 2.0 technology reduces chances

- Data carving can be successful

24

Page 25

Compressed Webmail remnants

Webmail is often transferred in a compressed format

Internet cache will contain gzip compressed files

Must be unzipped to view HTML data

File signature analysis may be required to identify compressed files

25
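The slide's point is that webmail remnants in the browser cache are gzip members that must be located by signature and inflated before any HTML is visible. The following is an added example, not code from the presentation: it carves every gzip stream out of a cache blob by its 1f 8b signature, skips false hits on those two bytes, tolerates a member truncated by cache slack, and keeps the members that decode to HTML. The sample cache bytes are constructed.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"

def carve_gzip_members(blob: bytes) -> list:
    """Find every gzip stream in blob by signature and inflate it.
    Returns (offset, data, complete) tuples; false hits on the magic are skipped."""
    found, pos = [], 0
    while (idx := blob.find(GZIP_MAGIC, pos)) != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip wrapper
        try:
            out = d.decompress(blob[idx:])
        except zlib.error:
            pos = idx + len(GZIP_MAGIC)     # signature bytes inside other data
            continue
        if d.eof:
            found.append((idx, out, True))
            pos = len(blob) - len(d.unused_data)   # resume after this member
        else:
            found.append((idx, out, False))        # truncated member: partial content
            pos = idx + len(GZIP_MAGIC)
    return found

def looks_like_html(data: bytes) -> bool:
    head = data[:1024].lower()
    return any(tag in head for tag in (b"<!doctype html", b"<html", b"<body", b"<div"))

def carve_webmail_html(blob: bytes) -> list:
    """Offset and decoded text of every inflated member that looks like an HTML page."""
    return [(off, out.decode("utf-8", "replace"))
            for off, out, _ in carve_gzip_members(blob) if looks_like_html(out)]

# Constructed cache slack for the example: filler, a gzip'd HTML webmail page,
# a stray 1f 8b that is not a gzip header, and a gzip'd JSON response.
SAMPLE_CACHE = (
    b"\x00" * 32
    + gzip.compress(b"<!DOCTYPE html><html><body><div class=\"msg\">"
                    b"Meeting moved to 4pm</div></body></html>")
    + b"junk\x1f\x8bXXjunk"
    + gzip.compress(b'{"folder":"Inbox","unread":3}')
    + b"\xff" * 16
)

if __name__ == "__main__":
    for off, text in carve_webmail_html(SAMPLE_CACHE):
        print(f"HTML member at offset {off}: {text[:60]}")
```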

Page 26

Webmail remnants - Yahoo

26

Page 27

Forensic Email Analysis

1. Review installed applications

2. Locate and acquire local email archives

3. Identify and export server based mailboxes

4. Search for evidence of cloud based email

27