forensics honors nov2003
Post on 29-May-2018
8/8/2019 Forensics Honors Nov2003
Solving Computer Crime: An Introduction to Digital Forensics
Golden G. Richard III, Ph.D.
Dept. of Computer Science
Gulf Coast Computer Forensics Laboratory (GCCFL)
golden@cs.uno.edu
Digital Forensics
Definition: tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.
Devices include computers, PDAs, cellular phones, and videogame consoles.
Examples of Digital Evidence
Computers are increasingly involved in criminal and corporate investigations. Digital evidence may play a supporting role or be the smoking gun:
- Email: harassment or threats, blackmail, illegal transmission of internal corporate documents, meeting points/times for drug deals
- Suicide letters
- Technical data for bomb making
- Image or digital video files (esp. child pornography)
- Evidence of inappropriate use of computer resources or attacks: use of a machine as a spam email generator, use of a machine to distribute illegally copied software
Major Issues
- Identification of potential digital evidence: where might the evidence be? Which devices did the suspect use?
- Preservation of evidence
  - On the crime scene: first, stabilize the evidence to prevent loss and contamination
  - If possible, make identical copies of the evidence for examination
- Careful extraction and examination of evidence
- Presentation: the finding has to be stated for a non-technical audience without losing accuracy. Not:
    "The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xE5 to 0x48 to restore HITLIST.DOC"
  but:
    "The suspect attempted to hide the Microsoft Word document HITLIST.DOC, but I was able to recover it without tampering with the file contents."
- Legal: investigatory needs meet privacy
Preservation of Evidence: Hardly Trivial
[Figure: crime-scene sketch. A computer in the living room has a wireless connection to a second machine in a basement/closet; the screen shows a note ("Dear Susan, It's not your fault"); a clock ticks in the background.]
- Just pull the plug?
- Move the mouse for a quick peek?
- Tripwires
- Volatile computing
Each choice trades volatile evidence (memory contents, the open document, the wireless session to the hidden machine) against the risk of altering the live system or triggering something planted on it.
Preservation: Imaging
When making copies of media to be investigated, you must prevent accidental modification or destruction of the evidence!
- Write blockers: use them. Always.
- dd under Linux
- DOS boot floppies
- Proprietary imaging solutions, e.g. Drivelock
Hash the source media and the image and record both values; a matching hash is what later lets you show the copy is identical to the original.
[Figure: photograph of a hardware write blocker]
Extraction and Examination
- Know where evidence can be found
- Understand techniques used to hide or destroy digital data
- Toolbox of techniques to discover hidden data and recover destroyed data
- Cope with HUGE quantities of digital data: ignore the irrelevant and target the relevant
Where's the evidence?
- Undeleted files (expect some names to be incorrect)
- Deleted files
- Windows registry
- Print spool files
- Hibernation files
- Temp files (all those .TMP files!)
- Slack space
- Swap files
- Browser caches
- Alternate partitions
- On a variety of removable media (floppies, ZIP, Jaz, tapes, ...)
Fallacy vs. Fact in Digital Forensics
Many digital forensics tools and techniques are quite complex and very difficult to cover in a short lecture. To illustrate investigative procedures for digital forensics, this talk takes a fact vs. fallacy approach:
- Fallacy: what the user attempting to hide evidence believes
- Fact: what actually happens
We look at a few fact vs. fallacy scenarios, then one more advanced topic.
Fallacy: File was deleted, it's gone!
Users often mistake normal deletion of files for secure deletion. Deleted files are recoverable using forensics tools.
Why? The filesystem makes a small change in its bookkeeping information to mark a file as deleted; the data associated with the file is NOT erased.
Example: on FAT filesystems (FAT12/16/32, used by Windows and most removable media), deleting a file overwrites the first character of the filename in the directory entry with 0xE5 and frees the file's clusters in the FAT. The entry's starting cluster and size, and the data clusters themselves, are left in place.
Forensics software changes that one byte in the directory entry and the file reappears (the original first character is lost, so the tool substitutes one; the cluster chain is gone, so a fragmented file may come back incomplete).
To prevent recovery, you must securely overwrite the file or physically destroy the media.
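To make that bookkeeping change concrete, here is an added example; it is not code from the original talk. It parses FAT32-style 32-byte short-name directory entries from a constructed two-file volume, flags the entry whose first byte is 0xE5, and pulls the file back out of the untouched data area. It assumes a 512-byte cluster and a contiguous file, which is exactly the assumption an undelete tool is forced to make once the cluster chain has been zeroed. The filenames and file contents are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ENTRY_SIZE = 32      # FAT short-name directory entry
DELETED = 0xE5       # first name byte of a deleted entry (FAT12/16/32)
END_OF_DIR = 0x00    # first name byte of a never-used entry
CLUSTER = 512        # toy volume: one 512-byte sector per cluster (assumption)


@dataclass
class DirEntry:
    index: int
    raw_name: bytes      # the 11-byte 8.3 name exactly as stored on disk
    attr: int
    first_cluster: int
    size: int

    @property
    def deleted(self) -> bool:
        return self.raw_name[0] == DELETED

    def display_name(self, restore_char: str = "_") -> str:
        # Deletion destroyed the first character; an undelete tool has to guess it.
        name = self.raw_name
        if self.deleted:
            name = restore_char.encode("ascii") + name[1:]
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:11].decode("ascii", "replace").rstrip()
        return f"{base}.{ext}" if ext else base


def parse_directory(region: bytes) -> List[DirEntry]:
    """Walk 32-byte entries until the end-of-directory marker, skipping LFN fragments."""
    entries: List[DirEntry] = []
    for off in range(0, len(region), ENTRY_SIZE):
        chunk = region[off:off + ENTRY_SIZE]
        if len(chunk) < ENTRY_SIZE or chunk[0] == END_OF_DIR:
            break
        attr = chunk[11]
        if attr == 0x0F:          # long-filename fragment: not a real file entry
            continue
        hi, = struct.unpack_from("<H", chunk, 20)   # high 16 bits of first cluster (FAT32)
        lo, = struct.unpack_from("<H", chunk, 26)   # low 16 bits of first cluster
        size, = struct.unpack_from("<I", chunk, 28)
        entries.append(DirEntry(off // ENTRY_SIZE, chunk[:11], attr, (hi << 16) | lo, size))
    return entries


def undelete(volume: bytes, data_offset: int, entry: DirEntry) -> bytes:
    """Deleting only flips one directory byte and clears the FAT chain; the data
    clusters are untouched. Start cluster and size survive in the entry, so a
    contiguous file comes back whole (a fragmented one would need the lost chain).
    FAT numbers data clusters from 2, hence the '- 2'."""
    start = data_offset + (entry.first_cluster - 2) * CLUSTER
    return volume[start:start + entry.size]


def recover_deleted(volume: bytes, data_offset: int, dir_len: int = CLUSTER) -> Dict[str, bytes]:
    return {e.display_name(): undelete(volume, data_offset, e)
            for e in parse_directory(volume[:dir_len]) if e.deleted}


# ---- constructed sample volume: one live file, one deleted file ----
README = b"nothing to see here\n"
HITLIST = b"Constructed stand-in for the deleted Word document's contents.\n"


def make_entry(name: str, ext: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]           # what the OS does on delete
    e = bytearray(ENTRY_SIZE)
    e[:11] = raw
    e[11] = 0x20                                    # ATTR_ARCHIVE
    struct.pack_into("<H", e, 20, first_cluster >> 16)
    struct.pack_into("<H", e, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


def build_volume() -> Tuple[bytes, int]:
    """Directory occupies the first 512 bytes; the data area follows it and its
    first cluster is numbered 2, as on a real FAT volume."""
    directory = make_entry("README", "TXT", 2, len(README)) \
        + make_entry("HITLIST", "DOC", 3, len(HITLIST), deleted=True)
    directory = directory.ljust(CLUSTER, b"\x00")  # rest of the directory is end-of-dir
    data = README.ljust(CLUSTER, b"\x00") + HITLIST.ljust(CLUSTER, b"\x00")
    return directory + data, CLUSTER


if __name__ == "__main__":
    vol, data_off = build_volume()
    for e in parse_directory(vol[:CLUSTER]):
        print(f"entry {e.index}: {e.display_name():12} {'DELETED' if e.deleted else 'live':8} "
              f"cluster={e.first_cluster} size={e.size}")
    for name, data in recover_deleted(vol, data_off).items():
        print(f"recovered {name}: {data!r}")
```

Run against a real image, the same parser would be pointed at the root directory region of a FAT volume instead of the constructed one; the recovered name comes back as "_ITLIST.DOC" because the 'H' really is gone from disk, which is why examiners report the substituted character rather than guessing the original in the write-up.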
Fallacy: I renamed the file, I'm safe!
Example: childporn.jpg renamed to winword.exe
Renaming files is an ineffective defense against digital forensics investigation.
Technique #1: Most file types (e.g., JPEG images) have a structure that can be recognized directly, regardless of the filename a user chooses. For example, JPEG files contain 0x4a464946 ("JFIF") or 0x45786966 ("Exif") in the first block of the file, right after the FF D8 start-of-image marker.
Technique #2: Cryptographic hashing provides a mechanism for fingerprinting files. File contents are matched quickly, regardless of name: equivalent hashes, equivalent file contents (barring a collision).
Think: fingerprints don't care about hair color.
Aside: Hashing
Typical algorithms (in 2003): SHA-1, MD5. Both have since been shown to be collision-prone, so a modern lab should use SHA-256 for integrity claims; for matching against known-file lists, the algorithm the list was built with is what matters.
Example:

    C:> md5sum golden.jpg
    b28f08b004a7251a418e089ef3bb7409 *golden.jpg
    C:> rename golden.jpg winword.exe
    C:> md5sum winword.exe
    b28f08b004a7251a418e089ef3bb7409 *winword.exe

Checking of hashes can be automated. Huge dictionaries exist with hashes for known files:
http://www.nsrl.nist.gov/index/prodname.index.txt
and for known child pornography files. Known files can be quickly disregarded, leaving the interesting stuff.
Fallacy: I formatted the drive, whew!
Formatting a drive does not prevent recovery of digital evidence. In fact, a format of this era typically overwrites less than 1% of the drive contents.
Why does it take so long? Format is reading disk blocks to determine whether bad blocks exist.
Format wipes out directories, so the names of files are lost, but a lot of the data can still be recovered by sifting through what remains after the format operation. For example, file carving tools reconstruct files by examining the initial and terminal bytes of the file (see Technique #1 under the file renaming fallacy).
Caveat: the picture has changed since this talk. Windows Vista and later zero the whole volume on a full (non-quick) format; a "quick" format on any OS still only rewrites filesystem metadata, and carving still works against it.
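The renaming fallacy (Technique #1 and #2) and the format fallacy end up needing the same tool: a carver that recognizes a file by its bytes, cuts it out of a raw image, and hashes it against a known-file set. The following is an added example, not code from the talk and not a real carver or the NSRL format: it scans a constructed disk image for JPEG start-of-image markers followed by a JFIF or Exif identifier, carves up to the end-of-image marker, and sorts the results into "known" and "interesting" by SHA-1. The images, decoy bytes and the KNOWN_FILES dictionary are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Tuple

# JPEG structure: FF D8 (start of image), then an APPn segment (FF E0..FF EF) whose
# payload begins with "JFIF\0" or "Exif\0\0", i.e. the 0x4a464946 / 0x45786966 bytes
# from the slide; the stream ends with FF D9 (end of image).
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
JPEG_APP_IDS = (b"JFIF\x00", b"Exif\x00\x00")


def looks_like_jpeg(block: bytes) -> bool:
    """Header check that ignores the filename entirely: SOI, an APPn marker, JFIF/Exif id."""
    if len(block) < 12 or not block.startswith(JPEG_SOI):
        return False
    if block[2] != 0xFF or not 0xE0 <= block[3] <= 0xEF:
        return False
    # bytes 4-5 are the segment length; the identifier string starts at offset 6
    return block[6:].startswith(JPEG_APP_IDS)


def carve_jpegs(image: bytes) -> List[Tuple[int, bytes]]:
    """Header/footer carving as the slide describes: find a plausible SOI, then take
    everything up to the next EOI. Naive on purpose; a real carver must also handle
    embedded thumbnails (which carry their own FF D9) and fragmented files."""
    found: List[Tuple[int, bytes]] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        if looks_like_jpeg(image[start:start + 16]):
            end = image.find(JPEG_EOI, start + 2)
            if end == -1:
                break
            found.append((start, image[start:end + 2]))
            pos = end + 2
        else:
            pos = start + 1
    return found


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def triage(carved: List[Tuple[int, bytes]], known: Dict[str, str]):
    """Split carved files into ones in the known-file set and 'interesting' ones.
    Hashing the bytes means a rename (golden.jpg -> winword.exe) changes nothing."""
    known_hits, interesting = [], []
    for offset, data in carved:
        digest = sha1(data)
        record = (offset, digest, known.get(digest))
        (known_hits if digest in known else interesting).append(record)
    return known_hits, interesting


# ---- constructed sample data (not real images, not a real reference set) ----
def fake_jpeg(app_marker: int, app_id: bytes, body: bytes) -> bytes:
    payload = app_id + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    length = (len(payload) + 2).to_bytes(2, "big")
    return JPEG_SOI + bytes([0xFF, app_marker]) + length + payload + body + JPEG_EOI


IMG_A = fake_jpeg(0xE0, b"JFIF\x00", b"\x00" * 40 + b"picture A")
IMG_B = fake_jpeg(0xE1, b"Exif\x00\x00", b"picture B, renamed to winword.exe before the format")
DECOY = b"\xff\xd8 not a jpeg"          # SOI bytes with no JPEG header behind them
DISK = b"\x00" * 100 + IMG_A + b"\xff" * 33 + DECOY + IMG_B + b"\x00" * 50

# stand-in for a reference hash set such as NSRL: digest -> product/file name
KNOWN_FILES = {sha1(IMG_A): "sample_wallpaper.jpg (reference set)"}


if __name__ == "__main__":
    carved = carve_jpegs(DISK)
    known_hits, interesting = triage(carved, KNOWN_FILES)
    for off, digest, label in known_hits:
        print(f"offset {off}: known file {label}, skip")
    for off, digest, _ in interesting:
        print(f"offset {off}: unknown JPEG sha1={digest}, examine")
```

Note that the carver never sees a directory entry or filename: after a format (or a rename) it still finds both pictures, and the reference set disposes of the known one so only the second needs an examiner's time.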
Fallacy: Media mutilation == Miller time!
Example #1: cutting a floppy into pieces
Example #2: opening a hard drive, removing the platters, throwing them into the trash
Unless the damage is extreme, mutilation of magnetic media is insufficient to prevent recovery: media can be reassembled and partial recovery performed.
Even strong magnetic fields are insufficient. An older military-grade degausser for erasing hard drives was so strong that it bent the platters inside the drive. Your bulk tape eraser isn't going to do the job.
To destroy data: overwrite it in software (multiple passes were the standard advice in 2003; a single full pass is considered sufficient for modern drives) or completely destroy the hardware.
That's One Big Degausser!
[Figure: photograph of a large hard-drive degausser]
Fallacy: I used web-based email
Fallacy: using web-based email rather than storing email messages directly on a computer is safer (in terms of thwarting recovery attempts).
It's not, even if you never download the email and immediately delete all messages on the server:
- Recently viewed web pages are stored in the web browser's cache, which is often in a hard-to-find place
- Internet Explorer: Tools > Internet Options > Delete Files clears the cache in IE, but files stored in the browser cache are not securely deleted when the cache is cleared (see the slide on recovery of deleted files for the futility quotient)
- Browser cache mining tools bring recently viewed web pages, including web-based email messages, back to life in a flash
Recovery of web-based emails
[Figure: screenshot of web-based email messages recovered from a browser cache]
Fallacy: Application uninstalls are easy
- Illegal application installed. Fear ensues.
- Application is uninstalled. Am I safe? No: the application files can still be undeleted, proving the application was installed.
- Further steps to obscure the installation: securely overwrite the application files. Now am I safe? Nope. Remnants of the installation can likely still be found in the Windows registry.
Basically, if a user installs software and wants to permanently eradicate any trace of it, they must securely erase the entire drive or destroy the hardware.
Fallacy: I encrypted my files
- On encrypted file systems, if a file is ever printed and the spool directory isn't encrypted, fragments may be left behind
- On some systems (e.g., Windows 2000 EFS), a recovery agent is able to read all encrypted files. For Windows 2000 this is by default the Administrator account, so an investigator just needs to break the Administrator password
- Problem: keys for truly secure encryption schemes are too long to brute-force, so go after the key itself:
  - Search for slips of paper
  - Search for unencrypted password lists
  - Search PDAs, phones, and organizers for passwords and encryption keys
  - Software or hardware keystroke loggers
  - Van Eck radiation (eavesdropping on the electromagnetic emanations of the display)
- If the file can't be decrypted, the name of the file may still be useful in prosecution
Beowulf, Slayer of Poorly Chosen Passwords
How good are your passwords?
Steganography
Techniques for hiding information within other information.
Historical:
- Tattoos
- Text on wood under the wax layer of a wax tablet
- Invisible ink (e.g., writing with lemon juice)
Modern:
- Much more sophisticated; employs powerful encryption techniques
- Hides documents within an image, video, or audio file
- Hidden documents can be harmless, or child pornography, bomb plans, ...
Stego (2)
[Figure: image only]
Stego (3)
[Figure: image only]
Stego (4)
[Figure: two cactus pictures; the payload was slipped inside the 2nd one by jphide]
The embedding in this case is not obvious (visually), and the image with the embedded Golden picture is actually smaller (in bytes) than the original.
Statistical analysis by stegdetect guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of the embedded data, so successful extraction is very unlikely unless the password is known.
Stego (5)
[Figure: cactus picture with a bomb diagram (parts labelled "Core" and "Igniter") embedded]
This bomb diagram, however, is not detected inside the cactus picture.
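The embed, detect and extract steps behind the stego slides are easier to reason about with a toy you can run. The following is an added example, not code from the talk and not how jphide or stegdetect work: least-significant-bit embedding into a constructed 64x64 grayscale cover, extraction, and the pairs-of-values statistic that chi-square steganalysis (the family of tests stegdetect implements) is built on. Unlike jphide, this toy neither encrypts nor permutes the payload and it carries a plain length header, so it is far easier to detect and extract than a real tool; the detection threshold is an assumption tuned to this synthetic cover, not a calibrated value. The cover image and payload bytes are constructed. The undetected bomb diagram on the last slide is the flip side of the same statistic: a value that still looks "natural" proves nothing.

```python
import random
from typing import List


def _bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Toy LSB embedding: a 32-bit length header, then the payload, one bit in the
    least significant bit of each cover byte (think 8-bit grayscale pixels).
    No encryption and no permutation, unlike jphide."""
    bits = _bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for k in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start_bit + 8 * k + i] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def pair_asymmetry(pixels: bytes) -> float:
    """Pairs-of-values statistic behind chi-square steganalysis. LSB embedding only
    moves a pixel between values 2k and 2k+1, so random-looking payload bits push the
    two histogram bins of each pair toward equality. Returns
    sum |h(2k) - h(2k+1)| / sum (h(2k) + h(2k+1)) over the pairs that occur:
    1.0 means every pair is fully one-sided, near 0 means the pairs are balanced."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    diff = total = 0
    for k in range(128):
        pair = hist[2 * k] + hist[2 * k + 1]
        if pair:
            diff += abs(hist[2 * k] - hist[2 * k + 1])
            total += pair
    return diff / total if total else 0.0


def suspect_lsb(pixels: bytes, threshold: float = 0.5) -> bool:
    """Heuristic flag: balanced pairs suggest LSB embedding. The threshold is an
    assumption for this synthetic cover; real images need calibration."""
    return pair_asymmetry(pixels) < threshold


# ---- constructed 64x64 grayscale cover holding only even values, so every pair is
# one-sided in the cover and the effect of embedding is stark ----
WIDTH = HEIGHT = 64
COVER = bytes(2 * ((i // WIDTH) + (i % WIDTH)) for i in range(WIDTH * HEIGHT))
_rng = random.Random(2003)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(500))   # random stand-in for a document
STEGO = embed_lsb(COVER, PAYLOAD)


if __name__ == "__main__":
    print(f"cover asymmetry {pair_asymmetry(COVER):.3f}, stego asymmetry {pair_asymmetry(STEGO):.3f}")
    print("extracted payload matches:", extract_lsb(STEGO) == PAYLOAD)
    print("stego same size as cover:", len(STEGO) == len(COVER))
```

Every stego pixel differs from the cover by at most one gray level, which is why the change is invisible, and the file size does not move at all; the histogram statistic is what gives it away. Encrypting or permuting the bits, as jphide does, does not change that statistic much, which is why stegdetect can still say "something is there" while extraction without the password stays out of reach.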
Bluepipe: On the Spot Digital Forensics
[Figure: architecture diagram. The target machine is booted from a Bluepipe CD or removable media; a Bluetooth dongle or 3G link connects it to a handheld Bluepipe client and on to remote investigator(s).]
Legal Issues
- Investigative needs vs. the right to privacy
- Search warrant laws, e.g., the Fourth Amendment to the U.S. Constitution
- Wiretap laws
- Chain of custody
- Admissibility of evidence in court: Daubert. Essentially:
  - Has the theory or technique in question been tested?
  - Is the error rate known?
  - Is there widespread acceptance within a relevant scientific community?
- USA PATRIOT Act: greatly expands governmental powers in terms of searching and wiretapping without prior notification
The Other Side: Privacy
We've concentrated on the cool technology, but the existence of sophisticated digital forensics techniques is a great enabler for fascism.
- Actively fight laws that don't appropriately balance privacy with the need for investigation
- Secure file deletion software: overwriting files with zeros is good enough unless an adversary with laboratory microscopy (e.g., a scanning tunneling microscope) is available. On flash media and SSDs, wear-levelling means a file-level overwrite may never reach the cells holding the old data; a whole-device erase is needed there.
- Volatile computing
- Physical destruction of media: grind the media into powder, vats of acid, or molten steel
Resources
Books:
- Digital Evidence and Computer Crime (E. Casey, Academic Press)
- Computer Forensics and Privacy (M. Caloyannides, Artech House)
Websites:
- http://www.dfrws.org : lots of references related to digital forensics, including a link to an interesting e-journal
- http://www.ijde.org/ (International Journal of Digital Evidence)
- http://vip.poly.edu/kulesh/forensics/list.htm : tons of stuff, including a bunch of online papers
- http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu : huge collection of forensics-related software
Commercial digital forensics software:
- EnCase
- FTK (Forensic Toolkit)
- ILook (law enforcement only)
- WinHex
Presentation available: http://www.cs.uno.edu/~golden/teach.html
golden@cs.uno.edu
Office: Math 346