Computer Forensics - Colloque RSI | PDF file | 2014-05-21
Computer Forensics
Mike Sforza
Computer Forensics Consultant
How I stopped worrying and learned to love Incident Handling.
Some useful things to know.
Welcome
• Intro
• Computer Forensics – What about it?
• Principles
• Methods
• Equipment / Tools
• Incident Handling
• Anti-Forensics
• Questions
What is Computer Forensics?
• Wikipedia: Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers* and digital storage media.
* Any electronic device:
• Cellphone / Smartphone
• Gaming platform
• GPS
• DVR / PVR
• Voice recorders
• Cameras
• Automotive on-board systems
Goal of Computer Forensics
Identify
Collect
Preserve
Analyze
Present
Using sound forensic methodology that will allow for it to be admissible in a court of law.
Fundamentals
• Acquire evidence without altering it or damaging the original.
• Authenticate that your recovered evidence is the same as the originally seized data.
• Analyze the data without modifying it.
Fundamentals
• Always use rigorous, forensically sound procedures - repeatable.
• Adhere to the Best Evidence Rule: you must be able to prove the integrity of the electronic data and of the process by which it was recorded and stored.
• Always maintain the chain of custody.
• Ruthless record keeping (notes).
Types of Data
Encrypted
Deleted
Hidden
Documents
Images
Registry Data
File Metadata
Online Activity
Databases
Config files
Print Spool logs
Spreadsheets
Software installed
Contact
Multimedia
Chat logs
Recently used
LNK files
User profile
Volume of Data Today
E-mail - Yearly
2000: 7 Trillion e-mails*
2012: 107 Trillion e-mails**
E-mail – Daily (2012)
145** to 294*** Billion e-mails per day
61% Business
* Atlanta Business Chronicle
** Radicati Group
*** Royal.Pingdom.com
Acquisition Strategies
• Backup files (least forensically sound)
• Logical Acquisition
– System is on
– Targeted or File System copy
– No deleted or slack space
• Physical Acquisition (most forensically sound)
– System is off
– Bit level copy (mirror image)
– Deleted and slack space copied
Acquisition Strategies
Live Acquisition
System is still running - Live
Capture running processes, RAM, network connections and remote sessions,
Access online (Cloud) storage
Encrypted data, Pagefile (which can be wiped on shutdown)
Tools such as COFEE, Helix, MacLockPick, the command line / terminal (netstat, arp, ifconfig), Wiebetech HotPlug
Acquisition Strategies
Live Acquisition
Not for the faint of heart
Purists vs. Pragmatists
• It does make changes to the system being analyzed
• RAM has become too large to ignore
• Encryption (software and hardware) has improved and become more common – Live may be your only chance
• Caught “In flagrante delicto”
Acquisition Tools
• Physical: devices with built-in write-blocking – Tableau, Image Masster
• Software: EnCase, FTK, Sleuth Kit, Volatility, Linux dd and dcfldd – use with a write-blocker (when possible)
• Network capture
Physical Acquisition Tools – The Kit
• Allows examiners to do on-site acquisitions.
• Acquisition of various types of electronic data –Laptops, Desktops, Servers, Thumb Drives, Digital Cameras, Cell Phones, etc...
Acquisition - Mobile
• Acquisition of digital evidence from mobile devices: smart phones, tablets, music & video players, portable game devices, GPS, etc.
• NAND & NOR memory as well as SIM cards.
Acquisition - Mobile
• Not without its problems.
• Don’t forget the RF / Faraday bag.
• Tin foil (lots of it) works in a pinch.
Data Verification
• Hashing
A digital fingerprint that proves two data sets are identical.
• MD5 – 128 bit
• SHA1 – 160 bit
• SHA 256 – 256 bit
Key to a successful analysis.
Data Verification - Hash
MD5 = 14c7d774e7477bebe1cab06bf3200c15
SHA1 = aaf1d37dc5c58fd2adb7c8bc300787b8188a7d67
SHA256 = c278d0698b1f0eae810bfb7646f72da848047788d76d7e52205e2445250ff50d
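The physical acquisition and data verification slides above describe one workflow: take a bit-level copy, record its digests, and later prove the copy is still identical to what was seized. The following is an added example (not part of the original deck) that hashes the source with MD5, SHA1 and SHA256 in a single pass while imaging, then re-verifies the image; the "device" it images is a constructed temporary file, and the `demo` helper is an assumption for illustration only.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def _stream_digests(src, dst=None) -> Dict[str, str]:
    """Hash everything read from src; if dst is given, copy it there too."""
    hashers = {n: hashlib.new(n) for n in ALGORITHMS}
    while chunk := src.read(CHUNK):
        for h in hashers.values():
            h.update(chunk)
        if dst is not None:
            dst.write(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}


def acquire_image(source: str, dest: str) -> Dict[str, str]:
    """Bit-level copy of `source` (raw device node or file) into `dest`.
    The returned digests are what goes into the notes / chain of custody."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        return _stream_digests(src, dst)


def verify_image(path: str, recorded: Dict[str, str]) -> bool:
    """True only if every recorded digest matches a fresh computation.
    A single mismatch breaks the claim that the image equals the original."""
    with open(path, "rb") as f:
        actual = _stream_digests(f)
    return all(actual[n] == recorded[n].lower() for n in recorded)


def demo(tamper: bool = False) -> Tuple[bool, Dict[str, str]]:
    """Constructed end-to-end run on a fake 'device' (not a real disk):
    acquire, record hashes, optionally flip one bit in the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "fake_device.bin")
        image = os.path.join(tmp, "evidence.dd")
        with open(device, "wb") as f:
            f.write(b"abc")  # well-known hash test vector
        recorded = acquire_image(device, image)
        if tamper:
            with open(image, "r+b") as f:
                f.write(bytes([ord("a") ^ 1]))  # one-bit change in the copy
        return verify_image(image, recorded), recorded


if __name__ == "__main__":
    print("pristine image verifies:", demo()[0])
    print("tampered image verifies:", demo(tamper=True)[0])
```

Computing all three digests in one pass costs little extra I/O and means a later collision weakness in one algorithm (MD5 in particular) does not leave the acquisition record without a usable fingerprint.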
Discovery Tools
• EnCase https://www.guidancesoftware.com/
• FTK http://www.accessdata.com/
• NUIX http://www.nuix.com/
• Relativity http://kcura.com/relativity/
• IPRO http://iprotech.com/
• Summation http://www.accessdata.com/
Responding to the Incident
• Ideally, digital forensic analysis should be an integral part of your organization's Incident Handling process.
• Should be carried out any time a device is used, associated with or the target of improper, prohibited, or illegal activity.
Responding to the Incident
– Hacking
– Denial of Service
– Intellectual property theft / espionage
– Sabotage
– Internal Investigation
– Fraud
– Misuse of company equipment / policy violations
• Pornography
• Improper Web browsing
• Illicit storage
Responding to the Incident
• Get the authority (buy in from management)
• Have a guideline / investigative policy ready
• Identify your response team (ensure their expertise is up-to-date)
• Be equipped (hardware, software, locale, budget)
• Approach every incident as if you’ll have to go to court
Responding to the Incident
• Forensic analysis needs to be carried out as soon as possible in order to maintain the integrity of the data.
– Data overwritten
– Equipment can fail
– Equipment can go missing
– Contamination of data
Responding to the Incident
Don’t
• Think that the problem will go away.
• Become combative.
• Forget that the Internet is global and instantaneous.
• Forget to ask for assistance.
• Think it is going to be easy.
Anti-Forensics
Aims to hinder investigations on digital media thereby making it too expensive or troublesome to carry out.
Data hiding
• Encryption
• Steganography
• Alternate Data Streams
• Slack space
• HPA
• Root kits
Artifact wiping
• File wiping
• Physical destruction
Anti-Forensics
Aims to hinder investigations on digital media thereby making it too expensive or troublesome to carry out.
Trail obfuscation
• File header
• Time stamp / metadata
• Log cleaners
• File extension
Attacks against computer forensics processes and tools
• Hash attack
• Hashclash
• Change the hash – get off black lists
Anti-Forensics
Easy to use tools
Metasploit Anti-Forensics Project
Defiler’s Toolkit
Timestomp
TOR
I2P
Using a Forensic Professional
• The proof is always there. The challenge is finding it.
• Not always easy.
• Technology is constantly evolving, becoming more complicated and inter-connected.
• At the same time, computer crime techniques are becoming more sophisticated and better coordinated (organized crime is becoming entrenched).
• The evidence collection needs to be done correctly especially if it will be going to court.
Using a Forensic Professional
• Offer latest technology and techniques
• Timely response
• Identify and obtain all relevant facts
• Corroborate sources of information
• Provide expert interpretation of electronic data recovered
• Substantiate or refute allegations
• Differentiate between guessing and knowing what occurred with a degree of certainty
• BEST EVIDENCE practice