Computer Forensics and Investigations - ISACA

Dean R. Beal, CISA, CFE

What is Fraud?

"Any illegal act characterized by deceit, concealment or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage."

Fraud Prevention and Detection in an Automated World, GTAG Global Technology Audit Guide (IIA, The Institute of Internal Auditors, 2009), 1.

Impact of Fraud

U.S. organizations lose an estimated 7% of their annual revenues to fraudulent activity. If this percentage were applied to the estimated 2010 U.S. gross domestic product of $14.307 trillion, more than $1 trillion would be lost to fraud in 2010.

"Report on Occupational Fraud and Abuse," ACFE, 2008.

Why Do People Commit Fraud?

Opportunity: because they can.
Pressure: financial or occupational.
Rationalization: "there is nothing wrong with it."

"Fraud Basics: White-Collar Crime Demographics, Employee Thieves: Who Commits The Most Fraud?," http://www.acfe.com/resources/view.asp?ArticleID=502

Why Do People Commit Fraud?

Interviews with persons who committed fraud have shown that most people do not originally set out to commit fraud. Often they simply took advantage of an opportunity; many times the first fraudulent act was an accident, for example mistakenly processing the same invoice twice. But when they realized that it wasn't noticed, the fraudulent acts became deliberate and more frequent.

Dave Coderre, author of 'The Fraud Toolkit', 'Fraud Detection: Using Data Analysis Techniques to Detect Fraud' and 'CAATTs and Other BEASTs for Auditors'.

10-80-10 Law

10% of people will never commit fraud.
80% of people will commit fraud under the right circumstances.
10% actively seek out opportunities for fraud.

Dave Coderre, author of 'The Fraud Toolkit', 'Fraud Detection: Using Data Analysis Techniques to Detect Fraud' and 'CAATTs and Other BEASTs for Auditors'.

Goals of a Fraud Program

Prevention
Detection
Deterrence

The Institute of Internal Auditors (IIA), International Professional Practices Framework (IPPF)

2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and the manner in which the organization manages fraud risk.

Fraud Prevention and Detection in an Automated World, GTAG Global Technology Audit Guide (IIA, The Institute of Internal Auditors, 2009), 1.

The Institute of Internal Auditors (IIA), International Professional Practices Framework (IPPF)

1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Fraud Prevention and Detection in an Automated World, GTAG Global Technology Audit Guide (IIA, The Institute of Internal Auditors, 2009), 1.

IT Related Fraud Risks

Theft of Hardware
Identity Theft
Pirated Software
Unlicensed Software
Insider Trading
Corporate Espionage
Conflicts of Interest
• Bid Rigging
• Kickbacks
Copyright Violations

Red Flags During IT Risk Assessment

No Controls
Control Weaknesses
Not Part of SOX
Never Audited
Significant Changes in Technology Since Last Audit
High Criticality Rating of Data

Red Flags During IT Audit Interviews

Personal Problems
Financial Problems
Job Dissatisfaction
Personal Relationships with External Vendors
Complete Control
Nobody Else to Fill In
No Vacation
Living Large

Red Flags During IT Audit Fieldwork

Look Beyond Audit Checklists
Look Beyond COBIT Guidelines
• Denied Access to Staff
• Denied Access to Data
• Elevated Access Permissions
• No Audit Logging/Monitoring
• Logging/Monitoring without Reviewing
• SOD (Segregation of Duties) Conflicts
• Overrides
• Little or No Management Oversight
• Excessive Trust
• No Documentation

How Can IT Auditors Help?

Has a Fraud Occurred Here? How Did They Do It?
Can a Fraud Occur Here? How Would They Do It?
Would Anyone Know?

How Can IT Auditors Help?

Prevent: Take Away Opportunities to Commit Fraud

Detection

Tips
Hotline Calls
Risk Assessments
Audits
Continuous Auditing/Monitoring

Detection

Reality = Reactive
Goal = Proactive

Assessing the Allegation

Management Receives
Management Reviews
Management Assigns

Guidelines
• Should exist within the department, outlining the steps to be taken when performing a forensics investigation

Planning and Starting the Investigation

Objectivity Concerns
Timing Issues
Game Planning
Keywords
Off Site/On Site
Equipment Needs
Interviews

Computer Forensics

The main goal of computer forensics is to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case.

"Computer Forensics," http://www.us-cert.gov/reading_room/forensics.pdf

Electronic Evidence

In the mid 1990s, most people believed that electronic evidence was of little or no value and was inherently unreliable. Since that time, however, electronic evidence has become more likely than not to make the case. It may be the only evidence.

The Computer & Internet Fraud Manual (USA: Association of Certified Fraud Examiners, 2005), 140.

Locard's Exchange Principle

Dr. Edmond Locard's work in the area of forensic science and crime scene reconstruction: when two objects come into contact, material is exchanged or transferred between them.

Harlan Carvey, Windows Forensics Analysis (Burlington, MA: Syngress, 2009), 4-5.

Locard's Exchange Principle

If you watch the popular CSI crime show on TV, you'll hear one of the crime scene investigators refer to "possible transfer." This usually occurs after a scene in which a car hits something or when an investigator examines a body and locates material that seems out of place.

Harlan Carvey, Windows Forensics Analysis (Burlington, MA: Syngress, 2009), 4-5.

Locard's Exchange Principle

The same principle applies to the digital realm.

• Two computers communicate over a network. Information from each will appear in process memory or log files on the other.
• A removable storage device is attached to a computer. Information about the device will remain resident on the computer.

Harlan Carvey, Windows Forensics Analysis (Burlington, MA: Syngress, 2009), 4-5.

Locard's Exchange Principle

When we interact with a live system, whether as the user or as the investigator, changes will occur on that system. Changes will occur simply due to the passage of time, as processes work, as data is saved and deleted, as network connections time out or are created, and so on.

Harlan Carvey, Windows Forensics Analysis (Burlington, MA: Syngress, 2009), 4-5.

Types of Data Collected in Computer Forensics

Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off.

Persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

"Computer Forensics," http://www.us-cert.gov/reading_room/forensics.pdf

Tools

Forensic Tool Kit (FTK)
EnCase
ProDiscover
Data Wiping Tools
Data Storage
PC Tool Kit

Bit Stream Image

A bit stream image is an exact duplicate of a computer's hard drive in which the drive is copied from one drive to another, bit by bit.

Dave Kleiman, et al., The Official CHFI Study Guide for Computer Hacking Forensic Investigators (USA: Syngress, Elsevier, 2007), 9.

Bit Stream Image

"Bit" Means at the Binary Level
01000001 = A
01100001 = a

Everything is Copied
• Deleted Files
• Fragments of Files

Backup Copy

Backup software can only copy or compress files that are stored in a folder or are of a known file type. Backup software cannot copy deleted files or e-mail messages or recover file fragments.

Bill Nelson, et al., Guide to Computer Forensics and Investigations (Canada: Course Technology, Thomson Learning, 2004), 50.
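The difference between the bit stream image of the previous slides and a backup copy, as an added example that is not part of the deck or of any of the tools it names. It constructs an eight-sector toy "drive" whose directory lists one live file while a deleted invoice still sits in sectors the directory no longer references. The sector-by-sector copy is hashed as it streams, the way a forensic imager records an acquisition hash, then re-hashed to verify the image; the directory-driven copy is what backup software produces. The file names, layout and contents are all constructed for the example.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector in the constructed toy drive

# Constructed sample contents; nothing below comes from a real disk.
LIVE_FILE = b"memo.txt: quarterly vendor review, nothing unusual.\n"
DELETED_FILE = b"DELETED-INVOICE #4471 paid twice to VendorCo, second payment to a personal account\n"


def build_toy_drive() -> bytes:
    """Lay out 8 sectors: sector 0 is a toy directory listing live files as
    'name,start_sector,sector_count'; memo.txt occupies sectors 1-2; the
    deleted invoice still occupies sectors 3-4 although its directory entry
    is gone (the usual state of a deleted file); sectors 5-7 are unused."""
    def pad(data: bytes, sectors: int) -> bytes:
        return data.ljust(sectors * SECTOR, b"\x00")
    directory = pad(b"memo.txt,1,2\n", 1)
    return directory + pad(LIVE_FILE, 2) + pad(DELETED_FILE, 2) + bytes(3 * SECTOR)


def bitstream_image(source: io.BufferedIOBase, dest: io.BufferedIOBase,
                    chunk: int = SECTOR) -> dict:
    """Copy every byte from source to dest one sector at a time, hashing the
    stream as it is read (what dd plus a hash tool, or a forensic imager, does).
    Returns the acquisition hashes to be recorded in the case log."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    copied = 0
    while True:
        block = source.read(chunk)
        if not block:
            break
        md5.update(block)
        sha256.update(block)
        dest.write(block)
        copied += len(block)
    return {"bytes": copied, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(image: bytes, acquisition_sha256: str) -> bool:
    """Re-hash the image and compare with the hash taken at acquisition."""
    return hashlib.sha256(image).hexdigest() == acquisition_sha256


def backup_copy(drive: bytes) -> dict:
    """What backup software sees: only the files the directory still lists."""
    files = {}
    for line in drive[:SECTOR].rstrip(b"\x00").splitlines():
        name, start, count = line.decode().split(",")
        begin = int(start) * SECTOR
        files[name] = drive[begin:begin + int(count) * SECTOR].rstrip(b"\x00")
    return files


def keyword_hits(data: bytes, keyword: bytes) -> list:
    """Byte offsets at which keyword occurs (a minimal keyword search)."""
    hits, pos = [], data.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits


def compare_acquisitions() -> dict:
    """Image the toy drive both ways and search each result for the deleted invoice."""
    drive = build_toy_drive()
    out = io.BytesIO()
    log = bitstream_image(io.BytesIO(drive), out)
    image = out.getvalue()
    backup = b"".join(backup_copy(drive).values())
    return {
        "image_bytes": log["bytes"],
        "image_verified": verify_image(image, log["sha256"]),
        # one flipped byte must be caught by the verification hash
        "tampered_verified": verify_image(image[:-1] + b"\x01", log["sha256"]),
        "image_hits": keyword_hits(image, b"DELETED-INVOICE"),
        "backup_hits": keyword_hits(backup, b"DELETED-INVOICE"),
    }


if __name__ == "__main__":
    print(compare_acquisitions())
```

The bit stream image reproduces all 4096 bytes and the deleted invoice is found at the start of sector 3; the backup copy contains only memo.txt and never sees it. Against a real device the source would be the block device opened read-only behind a write blocker, and the two hashes would be written into the case log before any analysis starts.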

Acquiring the Forensics Image

Network: "Snapshot" (live acquisition over the network, for example with a remote agent)
Physical: "Static" (the drive removed and imaged through a write blocker)

CIA Triad

Confidentiality
Integrity
Availability

Ed Tittel, et al., CISSP: Certified Information Systems Security Professional Study Guide (USA: Sybex, 2003), 3.

ProDiscover Remote Agent

Can connect to any computer on the network:
• By IP address
• By computer name

Install the remote agent executable. It captures an image of the hard drive over the network and runs in the background as a service; the user does not know they are being imaged.

Write Blockers

http://www.forensicpc.com/products.asp?cat=38

Write Blockers

[Diagram] Suspect Hard Drive --(IDE/SATA)--> Hardware Write Blocker --(FireWire or USB)--> Forensics PC --(USB)--> Forensics Hard Drive. The write blocker passes reads from the suspect hard drive and blocks writes to it; the acquired data is written only to the forensics hard drive.

FTK

Forensic Toolkit® (FTK™) version 1.81.5
Release Date: October 7, 2009

FTK

FTK Case Log

FTK Processes to Perform

Data Carving

FTK Refine Case

FTK Refine Index

FTK Add Evidence

FTK Add Evidence

FTK Add Evidence

FTK Setup Complete

FTK Processing

FTK Overview

FTK Explore

FTK Graphics

FTK E-Mail

FTK Search

FTK Bookmark

Processing the Forensics Image

Data Carving
File Types
KFF (Known File Filter)
Key Words
Bookmarks
Graphics
Deleted Files
Metadata

Processing the Forensics Image

Password Protected Files
Encrypted Files
File Slack
Windows Registry
index.dat
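The "Data Carving" step of the two lists above, as an added example that is not code from the deck or from FTK: a header/footer signature carver run over a constructed buffer of unallocated space. Carving ignores the file system entirely and recovers objects purely from their byte signatures, which is how deleted files and file fragments come back from a bit stream image. The signature table holds only two formats, and the JPEG and PDF fragments are constructed for the example (a real carver carries a much longer table and validates what it recovers).

```python
# Signatures as (type, header, footer). Two well-known formats are enough to
# show the technique; constructed for this example.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer appears within 10 MiB


def carve(data: bytes, signatures=SIGNATURES, max_len: int = MAX_CARVE) -> list:
    """Return (type, start, end) for every header/footer pair found by scanning
    the raw bytes, with no regard for directory entries or allocation state."""
    found = []
    for ftype, header, footer in signatures:
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_len)
            if end != -1:
                end += len(footer)
                found.append((ftype, pos, end))
                pos = data.find(header, end)       # resume after this object
            else:
                pos = data.find(header, pos + 1)   # orphan header: keep scanning
    return sorted(found, key=lambda f: f[1])


def build_unallocated_space() -> bytes:
    """Constructed sample: remnants of a deleted JPEG and a deleted PDF, plus a
    JPEG header whose body was overwritten, lying in otherwise zeroed sectors."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
    orphan_header = b"\xff\xd8\xff\xe1"
    return bytes(300) + jpeg + bytes(200) + orphan_header + bytes(100) + pdf + bytes(400)


def carve_files(data: bytes) -> dict:
    """Carve and return the recovered objects keyed by 'type_offset'."""
    return {f"{t}_{s}": data[s:e] for t, s, e in carve(data)}


if __name__ == "__main__":
    for name, blob in carve_files(build_unallocated_space()).items():
        print(name, len(blob), "bytes")
```

The orphan header is reported nowhere: with no footer in range it is skipped rather than carved as garbage, which is the failure mode that fills real carving output with unusable partial objects. Fragmented files, where the footer belongs to a different file than the header, still need the recovered object to be validated by parsing it.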

index.dat

Regular Expressions

Regular expressions allow forensics analysts to search through large quantities of text information for patterns of data such as the following:

• Social Security Numbers
• Telephone Numbers
• Computer IP Addresses
• Credit Card Numbers

AccessData BootCamp Training Manual (AccessData Corporation, 2006), 389.

Regular Expressions

Perl
Regex++

Social Security Numbers: \<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>
Credit Card Numbers: \<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>

\< and \> are word-boundary anchors. Both patterns match only numbers written with a hyphen or space between the groups, so a 16-digit card number typed without separators is missed, and any digit string of the right shape is reported whether or not it is a valid number.
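The two patterns above run over text in Python, as an added example that is not part of the deck or of the AccessData manual. The deck's \< and \> anchors become Python's \b; the patterns are otherwise transcribed as given. The example goes beyond the slide in two ways: a broadened card pattern with optional separators catches the unformatted case the deck's pattern misses, and a Luhn check digit test filters out digit strings that merely look like card numbers. The sample text is constructed (the card number is the standard test number, the rest is made up).

```python
import re

# Deck patterns in Perl/Regex++ syntax use \< and \> for word boundaries;
# Python's re spells both as \b. Otherwise unchanged from the slide.
SSN_RE = re.compile(r"\b\d\d\d[\- ]\d\d[\- ]\d\d\d\d\b")
CARD_RE = re.compile(r"\b\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\b")

# Extension (not in the deck): separators optional, so an unformatted
# 16-digit number is also a candidate.
CARD_BROAD_RE = re.compile(r"\b\d{4}[\- ]?\d{4}[\- ]?\d{4}[\- ]?\d{4}\b")

# Constructed sample text; every number in it is made up or a published test number.
SAMPLE_TEXT = """Employee SSN on file: 123-45-6789 (verify with HR).
Card used for the vendor payment: 4111-1111-1111-1111, exp 12/11.
Second card as typed on the form: 4111 1111 1111 1112.
Asset tag serial 1234 5678 9012 3456 belongs to a printer, not a card.
Phone 800-555-0199, ticket 2009-1007.
Same card pasted into an e-mail without separators: 4111111111111111
"""


def luhn_ok(candidate: str) -> bool:
    """Luhn check digit test: payment card numbers pass it, most other digit
    strings (serial numbers, typos) do not, so it removes false positives."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_matches(text: str, pattern: re.Pattern) -> list:
    """Full-match strings in document order. finditer, not findall: the card
    patterns contain groups and findall would return only the groups."""
    return [m.group(0) for m in pattern.finditer(text)]


def find_card_numbers(text: str, pattern: re.Pattern = CARD_RE) -> list:
    """Card candidates that also pass the Luhn check."""
    return [c for c in find_matches(text, pattern) if luhn_ok(c)]


def search_sample(text: str = SAMPLE_TEXT) -> dict:
    """Run the deck's patterns and the broadened pattern over the text."""
    return {
        "ssn": find_matches(text, SSN_RE),
        "card_candidates": find_matches(text, CARD_RE),
        "cards": find_card_numbers(text, CARD_RE),
        "cards_broad": find_card_numbers(text, CARD_BROAD_RE),
    }


if __name__ == "__main__":
    for key, hits in search_sample().items():
        print(f"{key}: {hits}")
```

On the sample text the deck's card pattern returns three candidates, of which only the first passes Luhn; the broadened pattern also recovers the unformatted copy in the e-mail. Against a real image the same search would be run over the indexed text of the case, and every hit would still need to be reviewed in context before it is bookmarked as evidence.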

dtSearch Search Requests

A natural language search is any sequence of text, such as a sentence or a question. dtSearch sorts retrieved documents based on their relevance to your search request.

AccessData BootCamp Training Manual (AccessData Corporation, 2006), 397.

dtSearch Search Requests

FTK
Sherpa Software

Boolean Searches
• or
• and
• not
• * (wildcard, any number of characters)
• ? (wildcard, a single character)
• % (fuzzy search)
• & (synonym search)

Compiling Electronic Evidence

Secured Area
Can be Time Consuming
• Target and Forensic Hard Drive Capacities

Rules of Electronic Evidence

Records stored in computers can be divided into three categories: non-hearsay, hearsay, and records that include both hearsay and non-hearsay.

"Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations," Computer Crime & Intellectual Property Section, United States Department of Justice, http://www.cybercrime.gov/ssmanual/05ssma.html#A

Rules of Electronic Evidence

Non-hearsay records are created by a process that does not involve a human assertion. Conduct is a command to a system, not an assertion, and thus is not hearsay.

"Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations," Computer Crime & Intellectual Property Section, United States Department of Justice, http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 64

Rules of Electronic Evidence

Hearsay records contain assertions by people, such as: a personal letter; a memo; bookkeeping records; and records of business transactions inputted by persons.

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 65

Rules of Electronic Evidence
Mixed hearsay and non-hearsay records are a combination of the first two categories, such as: email containing both content and header information; a file containing both written text and file creation, last written, and last access dates; chat room logs that identify the participants and note the time and date of "chat".

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 66

Rules of Electronic Evidence
Authentication

Before a party moves for admission of an electronic record or any other evidence, the proponent must show that it is authentic. That is, the proponent must offer evidence "sufficient to support a finding that the matter in question is what its proponent claims."

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 67

Rules of Electronic Evidence
Authorship

Although handwritten records may be penned in a distinctive handwriting style, computer-stored records do not necessarily identify their author. This is a particular problem with Internet communications, which can offer their authors an unusual degree of anonymity.

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 68

Rules of Electronic Evidence
The Best Evidence Rule

The best evidence rule states that to prove the content of a writing, recording, or photograph, the "original" writing, recording, or photograph is ordinarily required.

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 69

Rules of Electronic Evidence

Federal Rule of Evidence 901(b)(4) is helpful to prosecutors who seek to introduce electronic records obtained from seized storage media.

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 70

Rules of Electronic Evidence
A prosecutor introducing a hard drive seized from a defendant's home and data from that hard drive may employ a two-step process.

• First, the prosecutor may introduce the hard drive based on chain of custody testimony or its unique characteristics (e.g., the hard drive serial number).

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 71

Chain of Custody
A chain of custody is the accurate documentation of the movement and possession of a piece of evidence, from the time it is taken into custody until it is delivered to the court.

This documentation helps prevent allegations of tampering.

It also proves that the evidence was stored in a legally accepted location, and it documents who is in custody and control of the evidence during the forensic testing phase.

Dave Kleiman, et al., The Official CHFI Study Guide for Computer Hacking Forensic Investigators (USA: Syngress, Elsevier, 2007), 9.

Page 72

Chain of Custody Form
Physical Evidence

Case Number
Investigating Organization
Investigator
Nature of Case
Location Where Evidence was Obtained
Evidence Recovered By
Date and Time
Description of Evidence
Vendor Name
Model Number
Serial Number
Location Where Evidence is Currently Stored
Evidence Processed by Item Number
Disposition of Evidence/Date/Time
Signatures

Bill Nelson, et al., Guide to Computer Forensics and Investigations (Canada: Course Technology, Thompson Learning, 2004), 37-39.

Page 73

Chain of Custody Form
Image Evidence

Case Number
Investigating Organization
Investigator
Nature of Case
Image Type
Image Method
Date and Time
Description of Evidence
MD5 Hash Totals
Location Where Evidence is Currently Stored
Disposition of Evidence/Date/Time
Signatures

Page 74

Rules of Electronic Evidence
• Second, prosecutors may consider using the "hash value" or similar forensic identifier assigned to the data on the drive to authenticate a copy of that data as a forensically sound copy of the previously admitted hard drive.

• Similarly, prosecutors may authenticate a computer record using its "metadata" (information "describing the history, tracking, or management of the electronic document").

“Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime & Intellectual Property Section United States Department of Justice,” http://www.cybercrime.gov/ssmanual/05ssma.html#A

Page 75

Hash Values
Hashes use cryptographic algorithms to create a message digest of the data and represent it as a relatively small piece of data.
The hash can be used to compare a hash of the original data to the forensic copy.
When the hashes match, it is accepted as proof that the data is an exact copy.

Dave Kleiman, et al., The Official CHFI Study Guide for Computer Hacking Forensic Investigators (USA: Syngress, Elsevier, 2007), 10.

Page 76

Hash Values
Original MD5 Hash Value: 6f8e3290e1d4c2043b26552a40e5e038

Imaged MD5 Hash Value: 6f8e3290e1d4c2043b26552a40e5e038 : Verified

MD5 Hashes
• Image Level
• File Level
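The image-evidence chain-of-custody form (page 73) and the image-level and file-level hash comparison (pages 75 and 76) fit together: the hash totals are computed at acquisition, written on the form, and re-checked against every working copy. The following is an added example, not code from the presentation or from any of the cited tools. The record's fields follow the form on the slide; the custody-log entries, the SHA-256 column beside the MD5 total, and the sample "drive" contents are constructed for the example.

```python
"""Image-evidence chain-of-custody record with image- and file-level hash checks.

Added example. Field names follow the slide's form; the custody log, the
SHA-256 total and all sample data are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field


def digest(data, algorithm="md5", chunk_size=1 << 20):
    """Hex digest of a byte string, hashed in chunks as a disk image would be."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


@dataclass
class CustodyEntry:
    date_time: str      # ISO 8601 time of the hand-over
    custodian: str      # person now in custody and control of the item
    location: str       # where the evidence is stored after the hand-over
    signature: str      # placeholder for the signature column of the form


@dataclass
class ImageEvidenceRecord:
    case_number: str
    investigating_organization: str
    investigator: str
    nature_of_case: str
    image_type: str
    image_method: str
    date_time: str
    description: str
    md5_hash_total: str
    sha256_hash_total: str      # assumption: a second digest recorded beside the MD5
    current_location: str
    custody_log: list = field(default_factory=list)

    def transfer(self, date_time, custodian, location, signature):
        """Record a hand-over; the log is append-only so every move is documented."""
        self.custody_log.append(CustodyEntry(date_time, custodian, location, signature))
        self.current_location = location


def verify_image(record, image_bytes):
    """Image-level check: both recorded totals must match the copy under examination."""
    md5_ok = digest(image_bytes, "md5") == record.md5_hash_total
    sha_ok = digest(image_bytes, "sha256") == record.sha256_hash_total
    return md5_ok and sha_ok


def file_level_hashes(files):
    """File-level MD5s keyed by path, for comparing original files with imaged ones."""
    return {path: digest(content, "md5") for path, content in files.items()}


def changed_files(original, imaged):
    """Paths whose file-level hash differs, or that exist on only one side."""
    a, b = file_level_hashes(original), file_level_hashes(imaged)
    return sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))


# Constructed sample data standing in for a seized drive and copies of it.
ORIGINAL_IMAGE = bytes(range(256)) * 64                     # 16 KiB "drive"
FORENSIC_COPY = bytes(ORIGINAL_IMAGE)                       # bit-for-bit copy
TAMPERED_COPY = ORIGINAL_IMAGE[:100] + b"\xff" + ORIGINAL_IMAGE[101:]
ORIGINAL_FILES = {"/docs/a.txt": b"quarterly figures", "/docs/b.txt": b"vendor list"}
IMAGED_FILES = {"/docs/a.txt": b"quarterly figures", "/docs/b.txt": b"vendor list!"}


def sample_record():
    """Form filled in at acquisition time, with totals computed from the original."""
    rec = ImageEvidenceRecord(
        case_number="CASE-0001",                        # constructed
        investigating_organization="Internal Audit",    # constructed
        investigator="D. Examiner",                     # constructed
        nature_of_case="suspected data exfiltration",
        image_type="raw (dd)",
        image_method="write-blocked acquisition",
        date_time="2010-02-06T10:15:00Z",
        description="laptop HDD, evidence item 1",
        md5_hash_total=digest(ORIGINAL_IMAGE, "md5"),
        sha256_hash_total=digest(ORIGINAL_IMAGE, "sha256"),
        current_location="acquisition bench",
    )
    rec.transfer("2010-02-06T12:00:00Z", "Evidence custodian", "Evidence locker A", "sig-1")
    return rec


if __name__ == "__main__":
    rec = sample_record()
    print("forensic copy verified:", verify_image(rec, FORENSIC_COPY))
    print("tampered copy verified:", verify_image(rec, TAMPERED_COPY))
    print("files differing at file level:", changed_files(ORIGINAL_FILES, IMAGED_FILES))
```

The form on the slide records MD5 totals only. Practical collision attacks against MD5 are well established, so recording a second, stronger digest alongside it costs nothing at acquisition and removes an argument the opposing side could otherwise raise about the image's authenticity.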

Page 77

Metadata

Name: Value
Title: Computer Forensics and Investigations
Author: Dean
Template: Satellite Dish
LastAuthor: Dean
Revision Number: 335
Edit Time: 6:41:06 PM
Created: 2/6/2010 9:24:32 AM
Last Saved: 2/14/2010 8:17:51 PM
Word Count: 1675
AppName: Microsoft Office PowerPoint
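The Name/Value table on this slide is the document-properties metadata that page 74 says can be used to authenticate a computer record. The following is an added example, not code from the presentation: it builds a minimal Office Open XML package in memory (the docProps/core.xml and docProps/app.xml parts, filled with values mirroring the slide), reads the properties back with the standard library, and runs the plausibility checks an examiner would apply before relying on them. The timestamps are constructed in UTC, and the edit time is expressed in minutes as the app.xml part stores it.

```python
"""Read Office (OOXML) document metadata of the kind shown on the slide.

Added example. The package is constructed in memory; the property values
mirror the slide's table and the timestamps are assumed to be UTC.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by the OOXML document-properties parts.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Constructed sample parts; values follow the slide's Name/Value table.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}" xmlns:xsi="{XSI}">
  <dc:title>Computer Forensics and Investigations</dc:title>
  <dc:creator>Dean</dc:creator>
  <cp:lastModifiedBy>Dean</cp:lastModifiedBy>
  <cp:revision>335</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2010-02-06T09:24:32Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2010-02-14T20:17:51Z</dcterms:modified>
</cp:coreProperties>"""

SAMPLE_APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{APP}">
  <Application>Microsoft Office PowerPoint</Application>
  <Template>Satellite Dish</Template>
  <TotalTime>401</TotalTime>
  <Words>1675</Words>
</Properties>"""


def build_sample_package():
    """Zip the two parts into an in-memory package shaped like a .pptx/.docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


def _text(root, tag):
    node = root.find(tag)
    return node.text if node is not None else None


def _int_or_none(value):
    return int(value) if value is not None else None


def extract_metadata(package_bytes):
    """Return the slide's fields from the package's core and extended properties."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml"))
    return {
        "Title": _text(core, f"{{{DC}}}title"),
        "Author": _text(core, f"{{{DC}}}creator"),
        "Template": _text(app, f"{{{APP}}}Template"),
        "LastAuthor": _text(core, f"{{{CP}}}lastModifiedBy"),
        "RevisionNumber": _int_or_none(_text(core, f"{{{CP}}}revision")),
        "EditTimeMinutes": _int_or_none(_text(app, f"{{{APP}}}TotalTime")),
        "Created": _text(core, f"{{{DCTERMS}}}created"),
        "LastSaved": _text(core, f"{{{DCTERMS}}}modified"),
        "WordCount": _int_or_none(_text(app, f"{{{APP}}}Words")),
        "AppName": _text(app, f"{{{APP}}}Application"),
    }


def _parse_w3cdtf(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def consistency_warnings(meta):
    """Plausibility checks to run before relying on metadata for authentication."""
    warnings = []
    created, saved = meta.get("Created"), meta.get("LastSaved")
    if created and saved:
        c, s = _parse_w3cdtf(created), _parse_w3cdtf(saved)
        if s < c:
            warnings.append("last-saved time precedes creation time")
        edit = meta.get("EditTimeMinutes")
        if edit is not None and edit > (s - c).total_seconds() / 60:
            warnings.append("total edit time exceeds the created-to-saved window")
    rev = meta.get("RevisionNumber")
    if rev is not None and rev < 1:
        warnings.append("revision number below 1")
    return warnings


if __name__ == "__main__":
    meta = extract_metadata(build_sample_package())
    for name, value in meta.items():
        print(f"{name:16} {value}")
    print("warnings:", consistency_warnings(meta))
```

Metadata of this kind is easy to edit, which is why the checks matter: a last-saved time earlier than the creation time, or an edit time longer than the interval between the two, does not prove tampering by itself, but it is the kind of inconsistency opposing counsel will raise and the examiner should have explained in the report first.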

Page 78

Other Electronic Evidence

Scope Creep
• New Evidence Discovered

Personal or Private Property
Internet/Social Networking
• Google Hacking

Page 79

Other Concerns

Evidence Locker
Hard Drive Storage
Retention
Destruction

Page 80

Wiping

Page 81

Wiping

Page 82

Email

Warning Banners
Real Time
Back-ups
Can See It All

Page 83

Acquiring Data

Know Corporate Applications and Systems
Make Friends with IT
• Loss of Confidentiality

Gain Direct Access to Corporate Source Data
• Less Hands in the Cookie Jar

Write Queries
CIA

Page 84

Data Analytics

ACL
TOAD
FOCUS
QMF
Adabas
Cognos
Microsoft Access
SQL Server

Image: Louis Davidson, SQL Server 2000 Database Design (Birmingham, UK: Wrox, 2001), 131, 331.

Page 85

Data Analytics

Fixed Length
Variable Length
Delimited
Multiple Record
HL7
EDI
PDF
DBF

Image: Louis Davidson, SQL Server 2000 Database Design (Birmingham, UK: Wrox, 2001), 131, 331.

Page 86

Closing the Investigation

Criminal Violations
Corporate Risk and Liability
Policy Violations

Page 87

Closing the Investigation

Report Preparation
Support the Allegation
Refute the Allegation
Consult with Law
Consult with Management
Consult with Senior Executives

Page 88

Conclusion
Corporate Policies and Procedures
International
• EU Safe Harbor

Federal
• HIPAA
• FCPA (Foreign Corrupt Practices Act)
• FTC

State
• Security Breaches

Other
• BSA (Business Software Alliance)
• PCI
• RIAA (Recording Industry Association of America)
• SIAA (Software & Information Industry Association)

Page 89

Conclusion

Remain fair and objective
Present the facts as discovered
Document everything you do
Get access to corporate source data
Reactive is good, proactive is better

Page 90

Data Hiding
A sector is the smallest physical storage unit on the disk.

A cluster can consist of one or more consecutive sectors. Cluster size can be changed to optimize file storage. A larger cluster size reduces the potential for fragmentation, but increases the likelihood that clusters will have unused space.

http://www.ntfs.com/hard-disk-basics.htm#Hard

Page 91

Data Hiding

http://explorerplusplus.com/blog/54-file-slack

Page 92

Data Hiding

The Slacker tool is the first “tool that allows you to hide files within the slack space of the NTFS file system.”

http://synfulpacket.blogspot.com/2008/11/metasploit-anti-forensics-project-mafia.html
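Pages 90 to 92 cover sectors, clusters and the slack space between a file's logical end and the end of its last cluster, which is what a tool such as the one quoted above writes into. The following is an added example, not code from the presentation or from the Slacker tool: it works out the slack layout for a given file size (so the cluster-size trade-off on page 90 can be seen in numbers), and scans the slack of a constructed 4 KiB cluster for runs of non-zero bytes, which is the examiner's side of the problem. The 512-byte sector and 4096-byte cluster are typical defaults, not values from the slides.

```python
"""Sector/cluster slack arithmetic and a scan for non-zero bytes in file slack.

Added example. Sector and cluster sizes are common defaults (assumptions);
the cluster contents are constructed for the demonstration.
"""
SECTOR_SIZE = 512
CLUSTER_SIZE = 4096


def ceil_div(a, b):
    return -(-a // b)


def slack_layout(file_size, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """How a file of file_size bytes occupies whole clusters, and where slack falls."""
    clusters = ceil_div(file_size, cluster_size)
    allocated = clusters * cluster_size
    sectors_used = ceil_div(file_size, sector_size)
    # Tail of the last written sector: the OS pads this region when it writes the sector.
    ram_slack = sectors_used * sector_size - file_size
    # Remaining sectors of the last cluster: never rewritten, may hold stale data.
    file_slack = allocated - sectors_used * sector_size
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "total_slack": allocated - file_size,
    }


def compare_cluster_sizes(file_sizes, cluster_sizes=(512, 4096, 65536)):
    """Total slack for a set of files at each cluster size: the trade-off named on page 90."""
    return {
        cs: sum(slack_layout(fs, cluster_size=cs)["total_slack"] for fs in file_sizes)
        for cs in cluster_sizes
    }


def nonzero_slack_runs(cluster_bytes, file_size):
    """Runs of non-zero bytes beyond the logical end of file, as (offset, bytes).

    Zero-filled slack is the expected case; readable runs are either remnants
    of earlier files or deliberately placed content, and either way belong in
    the examination.
    """
    runs, start = [], None
    for i in range(file_size, len(cluster_bytes) + 1):
        b = cluster_bytes[i] if i < len(cluster_bytes) else 0   # sentinel closes a run
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((start, bytes(cluster_bytes[start:i])))
            start = None
    return runs


# Constructed cluster: a 1000-byte file, zero-filled slack, one planted string.
SAMPLE_FILE_SIZE = 1000
_cluster = bytearray(CLUSTER_SIZE)
_cluster[:SAMPLE_FILE_SIZE] = b"A" * SAMPLE_FILE_SIZE
_cluster[2048:2048 + 11] = b"hidden note"
SAMPLE_CLUSTER = bytes(_cluster)


if __name__ == "__main__":
    print("1000-byte file:", slack_layout(1000))
    print("4097-byte file:", slack_layout(4097))
    print("slack per cluster size:", compare_cluster_sizes([1000, 4097, 70000]))
    print("non-zero slack runs:", nonzero_slack_runs(SAMPLE_CLUSTER, SAMPLE_FILE_SIZE))
```

On a real image the same scan is run per allocated file over the bytes between the file's logical size and the end of its cluster run; forensic suites expose that region directly, and file-level hashes (page 76) do not cover it, which is exactly why it is attractive for hiding data and why it has to be examined separately.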

Page 93

Data Hiding

Page 94

Data Hiding

Page 95

Data Hiding

Page 96

Data Hiding

Page 97

Data Hiding

Page 98

Data Hiding
Message in a Bottle #1
Message in a Bottle #2

Which One Contains the Company Trade Secrets?

Page 99

Data Hiding

Page 100

Steganography
Updated Steganography SearchPak
February 17, 2010

The Steganography SearchPak was created from hash values extracted from the latest version of the Steganography Application Fingerprint Database (SAFDB) created and maintained in Backbone’s Steganography Analysis and Research Center (SARC). SAFDB is the world’s largest commercially available hash set exclusive to steganography applications. Digital forensic examiners around the world are using hash values from SAFDB to detect the presence of steganography applications on seized media. Detecting the presence of steganography applications is a strong indication the application may have been used to conceal digital evidence. When files associated with steganography applications are detected, users have the option of contacting Backbone for further assistance with finding and extracting the hidden evidence using advanced steganalysis tools developed in the SARC.

http://www.dfinews.com/articles.php?pid=865

Page 101

What’s Ahead
The Cloud
December 15, 2009

Our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers.

Oregon state court opinion in a criminal matter, State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009).

Page 102

What’s Ahead
The challenge of traditional forensics and larger hard drives is that the acquisition typically takes hours -- sometimes days -- depending on the size and number of drives. After authentication, forensic investigators then have to dig through the massive amount of data, which can take a significantly long time. If you've ever done full-text indexing of a large drive, then you know it's not a quick process.
Now's the time to start preparing because tomorrow might be the day you get the call about a case involving a dozen computers in which each one contains one to four 1.5 terabyte hard drives and a server containing about 10 terabytes of data.

http://www.darkreading.com/blog/archives/2009/10/the_future_of_d.html

Page 103

What’s Ahead
The Crime Scene Evidence You’re Ignoring
October 2009

New storage and entertainment devices are constantly released to the mass market. Files can be stored on anything that a computer sees as a "drive." It may be tempting to leave a digital camera at a crime scene because the investigator sees nothing on the screen.
The point then is not to think about which devices to seize, or even which kinds of evidence (video, e-mail, documents, etc.) to look for. The key word is "anything:" any kind of device, any kind of evidence.

http://www.officer.com/print/Law-Enforcement-Technology/The-crime-scene-evidence-youre-ignoring/1$48858