Page 1

Computer Forensics

Trade Fairs Brno, Czech, 3rd May 2005

© Ahmed Patel 2005

Ahmed Patel
Computer Networks & Distributed Systems Research Group
Department of Computer Science, University College Dublin, Belfield, Dublin 4, Ireland
Email: [email protected]

Page 2

Outline

• Computer Crime Background

• IT Evidence

• Investigations: problems and issues

• Evidence Capture, Handling and Analysis

• Tools

• Case Studies

• Concluding Remarks

Page 3

What is Forensic Computing?

• Forensic computing, computer forensics, investigative computing, digital forensics, ...

• Many names!

• A definition:

"Computer forensic science is the science of acquiring, preserving, retrieving and presenting data that has been processed electronically and stored on computer media"

– (Noblett, et al., FBI)

Page 4

Forensic Computing Definition

This definition is missing three things:

• DATA RECOVERY is the specialist process of imaging and processing computer data which is reliable enough for analysis

• ANALYSIS of the data to be used as evidence in court

• LAW: The objective is to have data that can be used as evidence in court. This means strict legal requirements must be met. Requirements might also come from accounting rules or similar.

Page 5

Why IT Abuse is Possible?

UK Audit Commission, 1998

Poor supervision of staff 19%

Inadequate controls over access to info. systems 13%

Inadequate or insufficient training 13%

Few checks on data from other sources 11%

Lack of Internet activity monitoring 11%

Virus detection & prevention software not installed 9%

Inadequate firewall 8%

Transactions not traceable to individuals 7%

Poor password control 6%

Lack of clarity over security responsibilities 5%

Page 6

Computer Crime Categorisation

Crime / abuse: description

Fraud
• For private gain or benefit: altering input in an unauthorized way; destruction / suppression / misappropriation of output from a computer process; altering computerised data;
• Alteration or misuse of programs (excluding virus infections);

Theft
• Of data;
• Of software

Use of unlicensed software
• Using illicit copies of software

Unauthorised/private work of IT facilities
• Unauthorised use of the organisation’s computing facilities for private gain or benefit.

Misuse of personal data
• Unofficial browsing through computer records and breaches of data protection legislation

Hacking
• Deliberately gaining unauthorised access to a computer system, usually through the use of communication facilities.

Sabotage
• Interfering with the computer process by causing deliberate damage to the processing cycle or the equipment.

Pornographic material
• Introducing pornographic material, for example, by downloading from the Internet.

Virus
• Distributing a program with the intention of corrupting a computer process

UK Audit Commission, 1998

Page 7

Users of Investigative Computing

(Diagram: the parties below arranged around “Possible Evidence”.)

• Equipment Manufacturers
• Auditors, Accountants and Fraud Investigators
• Private Users
• Police
• Judiciary
• Corporate Network Operators
• Telecomms Carriers, ISPs, etc.
• Government and Regulators
• Trusted Third Parties, Certification Authorities, etc.

Page 8

Models of Investigations

• How does an investigation proceed?

• What information flows are there to consider?

• Proposed a comprehensive 13-stage model, unifying and extending previous ones.

Page 9

Comparison of Existing Models

Existing models compared: Interpol, Casey, DFRWS, Reith et al.

(Table: which of these activities each existing model covers; the cell marks are not reproduced here.)

Activities in new model:
• Awareness
• Authorisation
• Planning
• Notification
• Search/Identification
• Capture
• Transport
• Storage
• Analysis
• Hypothesis
• Presentation
• Proof/Defence
• Dissemination

Page 10

Generic 13-Stage Model

(Diagram of the model; its elements are listed below.)

Sequence of investigative activities:
• Awareness
• Authorisation
• Planning
• Notification
• Search/Identify
• Capture
• Transport
• Storage
• Analysis
• Hypothesis
• Presentation
• Proof/Defence
• Dissemination

Entities and information flows:
• Internal Events, External Events
• Internal Authorising Authority, External Authorising Authority
• Other Organisations
• Internal Information, External Information
• Internal Challenges to Hypothesis, External Challenges to Hypothesis
• Organisational Policies
• Externally-imposed policies, regulations and legislation
• Information Controls
• Information Distribution
• Information dissemination policy and controls
• General Information Flow

Legend: Request and response; Information; Entity; Information flow; Sequence of activities; Information flow through activities; Investigative activity X.

Page 11

Benefits of Model

• Structure for thinking about how to support investigators.

• Identifies important information flows which have to be protected.

• Possible basis for identifying standardisation areas.

• Still a research topic on forensics and tools.

Page 12

Add Supporting Generic Trust Model

(Diagram of the truster’s transaction trust and its components.)

• Trust in the other party: objective trust reason, subjective trust reason
• Trust in control mechanisms (external, internal): objective trust reason, subjective trust reason
• Potential gain
• Risk and risk attitude
• Truster’s transaction trust

Page 13

Relationship to Security

• Security tries to prevent undesirable actions.

• Investigations take place after the event has happened.

• Outputs from security systems are inputs to investigations.

• There can be a conflict between protection and investigation.

• Successful investigations support security:
– Discourage people from breaking security systems.

• Security does not protect against many things:
– Fraud
– Transfer of illegal material

• These must be dealt with by investigations.

Page 14

Criminal Types

• Script Kiddies – use tools downloaded from the Internet, are prone to mistakes, and generally cause a nuisance with little damage

• Hacker – can design own intrusion tools and has a motive to “hack” into a system just for the fun of it

• Crackers – similar to Hackers, but with a malicious motive
– Includes cyber-terrorists, virus writers, economic espionage…

Page 15

IT Evidence

• Important features:
– Easy to change, either deliberately or accidentally.
– Change is hard to detect and prevent.
– Evidence cannot be viewed directly. Need experience + computer + software.
– What is an “original document”?
– How can it be associated with real people?
– How do we establish a “chain of custody” for data?

• We have some techniques to help.
– Cryptographic hash functions to detect tampering.
– Digital signatures to identify users.
– Log files provide audit trails.

• But in general handling of IT evidence is not well developed yet

• Still a good research area!

Page 16

Principles for Evidence

Guidelines on how to deal with IT evidence are produced by:

• International Organisation on Criminal Evidence (IOCE)

• Police, e.g. Europol, Interpol, UK ACPO guide

• Governments, e.g. US Dept. of Justice, HLS, etc

• See web sites.

Page 17

Incident Response – “To be or not to be”

• There is a conflict of interests in dealing with attacks.

• To protect yourself, you must stop the attacker immediately.

• To catch the attacker, you may need to leave yourself vulnerable so that evidence can be collected.

Catch 22 scenario!

Page 18

Dealing with Investigators

• They will have very strict procedures to follow.

• They will not be familiar with your systems: Diagrams, manuals, etc will help them.

• Expect varying levels of expertise.

• Depending on circumstances, they may not know who can be trusted.

Page 19

Seizure and Storage

• This mainly applies to police.

• You may be asked to assist if an investigation involves your employer etc.

• Don’t be too “helpful” – you may in fact damage the evidence because you don’t understand the legal/procedural issues.

Page 20

Sources of Evidence in a Computer

(Diagram of a PC and its surroundings, labelled with the sources below.)

• Data stored in modems and other peripherals
• CMOS
• RAM
• Data stored on internal disks
• Data stored on external media: floppies, CDs, etc
• Printouts, notes etc

Page 21

Potential Evidence in RAM

• RAM (Random Access Memory) stores data while it is processed.

• Potential evidential information will be held in RAM but is lost when the computer is switched off.

• The amount of information stored in RAM is small in comparison with the amount stored on disks and tapes.

• Interpreting it may be difficult.

Page 22

Swap Files

• Swap files contain RAM data which has been automatically unloaded from RAM to the hard disk, in order to release some RAM space.
– Windows 3.11: \Windows\386PART.PAR (hidden)
– Windows 9x: \Windows\Win386.swp (hidden)
– Windows 2000: C:\PAGEFILE.SYS (hidden)
– Unix: separate partition on the disk

Page 23

Potential Evidence in CMOS

• Data of potential forensic relevance:
– Date and time settings
– System configuration details
– Passwords

• No user data is retained in CMOS other than the user’s power-on password (if any).

Page 24

Potential Evidence in Other Peripherals

• Network Elements & other peripherals may contain data of potential forensic relevance:
– telephone numbers
– user names
– passwords
– printer ribbons with imprints of all printed documents
– etc.

Page 25

Disks and Tapes

• This is where most potential evidence will be located and is where forensic efforts are concentrated.

• Areas of interest on disk:
– Files
– Unallocated disk space
– Slack space

• Backup tapes may contain material no longer on the disks.

• Don’t overlook removable disks etc.

Page 26

Deleted Files

• Usually, deleting a file removes file labels only, leaving the information intact until the space is reused.

• Special utilities can be used to recover deleted files.
– ‘unerase’ in MS-DOS/Windows
– Norton Utilities

• In multiuser, multitasking operating systems (e.g. Unix) chances of successful recovery of deleted files are less.

Page 27

Unallocated Disk Space

(Diagram: a row of clusters, the first part labelled “Disk space occupied by files” and the rest “Unallocated disk space”.)

Unallocated disk space may contain large fragments of deleted files, or complete files.

Page 28

Slack Space

(Diagram: a file’s clusters, “file cluster 1”, “file cluster 2”, “file cluster 3”; the last cluster holds file data followed by slack space.)

Slack space (i.e. unused parts of clusters) can contain short fragments of deleted files, or part of previous versions of the current file.
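The three preceding slides (Deleted Files, Unallocated Disk Space and Slack Space) describe one mechanism from three angles. The toy volume below is an added example, not part of the presentation and not a real file-system driver: a FAT-like volume with a 16-byte cluster size (an assumption, shrunk from the 512 bytes to 64 KiB of real volumes so the effect is visible in a few bytes) in which a file is written, “deleted” by releasing its allocation entries only, and a smaller file is then written over its first cluster. The old text remains readable in the new file’s slack and in the clusters that are now unallocated, which is exactly what a recovery tool carves out. File names and contents are constructed.

```python
"""Toy cluster-based volume: why deleted data survives in slack space and
unallocated clusters.  Constructed teaching example, not a file-system driver."""
from dataclasses import dataclass, field

CLUSTER_SIZE = 16       # assumption: shrunk from the 512 B to 64 KiB of real volumes
CLUSTER_COUNT = 8


@dataclass
class Volume:
    # Raw cluster contents: CLUSTER_COUNT clusters of CLUSTER_SIZE bytes each.
    data: bytearray = field(default_factory=lambda: bytearray(CLUSTER_SIZE * CLUSTER_COUNT))
    # Allocation table: owning file name per cluster, None when free.
    alloc: list = field(default_factory=lambda: [None] * CLUSTER_COUNT)
    # Directory: file name -> (list of clusters, size in bytes).
    directory: dict = field(default_factory=dict)

    def write_file(self, name: str, content: bytes) -> None:
        """Allocate the first free clusters and copy the content in.  Like a real
        OS, only the bytes actually used are written; the tail of the last
        cluster (the slack) keeps whatever was there before."""
        needed = -(-len(content) // CLUSTER_SIZE)          # ceiling division
        free = [i for i, owner in enumerate(self.alloc) if owner is None][:needed]
        if len(free) < needed:
            raise IOError("volume full")
        for n, cl in enumerate(free):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            start = cl * CLUSTER_SIZE
            self.data[start:start + len(chunk)] = chunk
            self.alloc[cl] = name
        self.directory[name] = (free, len(content))

    def delete_file(self, name: str) -> None:
        """Deletion releases the allocation entries only; the bytes are untouched."""
        clusters, _ = self.directory.pop(name)
        for cl in clusters:
            self.alloc[cl] = None

    def slack_of(self, name: str) -> bytes:
        """Bytes in the file's last cluster that lie beyond the end of the file."""
        clusters, size = self.directory[name]
        if not clusters:
            return b""
        used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
        last = clusters[-1] * CLUSTER_SIZE
        return bytes(self.data[last + used_in_last:last + CLUSTER_SIZE])

    def unallocated(self) -> bytes:
        """Contents of every cluster the allocation table marks as free."""
        return b"".join(bytes(self.data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE])
                        for i, owner in enumerate(self.alloc) if owner is None)


def demo() -> Volume:
    """Write a 57-byte file, delete it, then write an 11-byte file over its
    first cluster.  The old text is still readable: 5 bytes of it in the new
    file's slack, the rest in the three clusters that are now unallocated."""
    vol = Volume()
    old = b"SECRET LEDGER: transfer 45000 to account 99-1234 on 3 May"   # constructed
    vol.write_file("ledger.txt", old)
    vol.delete_file("ledger.txt")
    vol.write_file("notes.txt", b"lunch 12:30")                          # constructed
    return vol


if __name__ == "__main__":
    v = demo()
    print("slack of notes.txt:", v.slack_of("notes.txt"))
    print("unallocated:", v.unallocated().rstrip(b"\x00"))
```

The same model explains why a high-level format or a simple delete leaves everything recoverable, while a full format or wiping utility does not: those overwrite the cluster bytes themselves, which nothing in this volume ever does.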

Page 29

Network Equipment

• NEs: modems, routers, bridges… contain information.

• LAN equipment is unlikely to contain much non-volatile data.
– A router might contain information on recently accessed addresses, but it would be tricky to retrieve. Probably password protected.

• However, you may need it to make other equipment work (servers for example).

Page 30

Other Electronic Devices

• Handheld computers
• Mobile phones
• Electronic organisers
• Tape recorders, dictation recorders, etc.
• Radio transmitters
• Set-top digital TV boxes
• Smartcards
• …

Page 31

Threats to the Evidence

Page 32

Interception

• By law – legal

• By deception – illegal

• Can interfere with IT evidence under varying circumstances

• Nevertheless, very important

Page 33

Positive Erasing (Wiping)

• Positive erasing (wiping) of information means overwriting it with some pattern.

• Only a specialised laboratory can recover overwritten information.

• For most practical purposes, the content of the wiped file is not retrievable.

• Software is easily available, e.g. PGP, Puffer

Page 34

Hard Disk Formatting

• High-level:
– The file allocation information is cleared.
– The data is left untouched.
– Easily done by a user.

• Low-level:
– The entire disk is cleared to its initial state.
– The information is lost.
– Less easily done, usually requiring software provided by the disk manufacturer.

Page 35

Floppy Disk Formatting

• Quick:
– Similar to the high-level format.
– Data is recoverable with some effort.
– Relatively fast.

• Full:
– Erases data by overwriting.
– Limited recovery possibilities.
– Slow.

• Both are standard capabilities of the OS.

Page 36

Physical Destruction

• Most removable media can be destroyed easily.
– Floppies
– CDs, DVDs, etc

• Drop in a shredder etc.

• Run a magnet across magnetic media, etc

Page 37

File Protection

• Users may encrypt data in files on the disk, or the entire disk. You will need the keys!

• Operating systems provide protection mechanisms for files to control access. Easy to bypass once you have the disk in your possession.

Page 38

Creation & Modification of Files

• Creation of a new file will alter potential evidence stored in unallocated disk space.

• Modification of a file will generally alter actual file content, slack space, and unallocated disk space.

• The operating system records some timestamp information when a file changes.

Page 39

OS Activity

• Modern operating systems carry out many actions “in the background”.

• Care is needed not to start these unintentionally.
– Purging temporary files
– Rotating logs

• Startup and shutdown need special care.

Page 40

Mishandling

• Dropping disks

• Corruption of magnetic media

• Contamination by dirt, water, etc.

• Many other ways to ruin computer data!

Page 41

Booby Traps

• A moderately skilled user could easily arrange for data to be destroyed if unusual procedures are not followed. E.g. non-standard shutdown commands.

• A creative user could make the machine dangerous:
– Electrocution
– Explosions
– …

Page 42

Legal Problems

• The same requirements apply to computer evidence as anything else.
– Who did what and why?
– Prove it has not been tampered with.

• Be aware that computer data is easily altered in undetectable ways.

• Many problems are avoided by keeping careful records of what is done.

Page 43

Potentially Inadmissible Alterations

• Accidental deletion of evidential files
• Writing to an evidential disk
• Installation of diagnostic software on an evidential disk
• Changes to date/time stamps
• Relocation of evidential files
• Changing file attributes, e.g. exposing hidden files
• Unerasing files on suspect’s disk
• Executing system software and applications on suspect’s disk

Page 44

Recovery of Evidence

• The aim of computer evidence recovery is to secure from any seized media (hard disks, floppy disks, tapes, etc.) a copy of data contained thereon.

• Only forensically sound software and hardware should be utilised in any procedure undertaken.

• A contemporaneous log should be kept of all actions taken.

Page 45

Continuity of Evidence

• Retaining the continuity of evidence is a key requirement.

• Basic guidelines to ensure continuity of evidence:
– The suspect’s computer OS should not be executed.
– A copy of the suspect’s disk should be used for examination.
– The copying process should not disturb the original data.
– The copy should be write-protected upon completion.
– The copying method should be forensically sound.
– The seized equipment and the copy should be accounted for at all times, when in transit, in secure storage, and during inspection.
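The previous slide asks for a contemporaneous log of all actions, this one for the exhibit and its copy to be accounted for at all times, and the IT Evidence slide listed cryptographic hash functions as a tool against tampering. The class below is an added example, not from the presentation, of a hash-chained custody log that puts those together: every entry commits to the SHA-256 of the entry before it, so a retrospective edit, a deleted entry or a re-ordered one is detected by anyone holding the log. The exhibit id, names and times are constructed placeholders.

```python
"""Hash-chained contemporaneous log for a seized exhibit.  Added teaching
example: each entry commits to the previous entry's SHA-256, so an edit,
deletion or re-ordering anywhere breaks every later link."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64          # "previous hash" of the first entry


class CustodyLog:
    def __init__(self, exhibit_id: str):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, actor: str, action: str, when: datetime = None) -> str:
        """Append one entry and return its hash (to be written on the seal/bag
        label or read back to the person taking custody)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "exhibit": self.exhibit_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON (sorted keys) so the digest does not depend on dict order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return the index of the first entry that fails, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo():
    """Three genuine entries verify; a retrospective edit of entry 1 is caught."""
    log = CustodyLog("EXHIBIT-PLACEHOLDER-001")            # constructed id
    t0 = datetime(2005, 5, 3, 9, 0, tzinfo=timezone.utc)   # constructed times
    log.record("A. Officer", "seized laptop; bagged and sealed", t0)
    log.record("A. Officer", "transported to secure store", t0.replace(hour=11))
    log.record("B. Examiner", "imaged disk; image hash recorded", t0.replace(hour=14))
    intact = log.verify()
    log.entries[1]["action"] = "handed to colleague"        # unlogged later edit
    tampered_at = log.verify()
    return intact, tampered_at


if __name__ == "__main__":
    print(demo())   # (None, 1)
```

The chain only proves that the log has not been altered since an entry was made; it says nothing about whether the entry was true when written. That is why the last hash should leave the custodian’s hands at each handover (on the label, in a receipt, or with the court), so that no single party can quietly rebuild the whole chain.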

Page 46

Disk Imaging

• Purpose: capture complete contents of a disk for analysis.

• No change allowed to data.
– Timestamps must be unchanged.
– Deleted files.
– Unallocated space.

• Standard backup utilities are not usually good enough.

Page 47

Disk Imaging: Advantages

• Captures everything on the disk.

• Can perform analysis later.

• Does not require seizing the “real” disk/computer. Allows continued use of the system.

• Allows hash codes to protect data.

Page 48

Disk Imaging: Disadvantages

• Static data only — not network activity.

• Intrusive: physical access to disk is needed.
– Suspect may know.
– Disrupts normal activity.

• Large data volumes to analyse; not selective.

• May capture data beyond what is allowed.
– Other users' data
– Legally privileged data

Page 49

Common Techniques in Imaging

• Error detection and correction. Calculate CRC of data blocks.

• Protect image with hash code (usually MD5). Allows modifications to be detected.

• Low-level access to device, avoiding OS. Prevents inadvertent alteration of data.

• Dedicated capture hardware and analysis workstations.
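As an added example of the first two bullets (not code from the presentation or from any forensic product), the Python below images a constructed in-memory “device” block by block, records a CRC32 per block for error detection and whole-image hashes for tamper detection, and then verifies a copy: the hashes say whether anything changed and the per-block CRCs say where. The slide names MD5 as the usual choice; MD5 collisions are practical today, so the manifest records SHA-256 alongside it, which is what current practice does. The 512-byte block size is an assumption.

```python
"""Block-wise disk imaging with per-block CRC32 and whole-image hashes.
Added teaching example; reads an in-memory 'device' rather than a raw disk."""
import hashlib
import io
import zlib

BLOCK_SIZE = 512    # assumption: one sector per block; real imagers use larger blocks


def image_device(device, block_size: int = BLOCK_SIZE):
    """Read the device sequentially to the end.  Returns (image, manifest); the
    manifest is what is recorded beside the image: a CRC per block for error
    detection and hashes of the whole image for tamper detection."""
    image = bytearray()
    crcs = []
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    while True:
        block = device.read(block_size)
        if not block:
            break
        crcs.append(zlib.crc32(block))
        md5.update(block)
        sha256.update(block)
        image += block
    manifest = {"block_size": block_size, "blocks": len(crcs), "crc32": crcs,
                "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    return bytes(image), manifest


def image_bytes(data: bytes, block_size: int = BLOCK_SIZE):
    """Convenience wrapper: image an in-memory byte string."""
    return image_device(io.BytesIO(data), block_size)


def verify_image(image: bytes, manifest: dict):
    """Return (ok, bad_blocks).  The hashes decide whether the image is the one
    that was captured; the CRC list locates any block that differs."""
    bs = manifest["block_size"]
    bad = [i for i, crc in enumerate(manifest["crc32"])
           if zlib.crc32(image[i * bs:(i + 1) * bs]) != crc]
    ok = (not bad
          and hashlib.sha256(image).hexdigest() == manifest["sha256"]
          and hashlib.md5(image).hexdigest() == manifest["md5"])
    return ok, bad


def demo():
    """Image a constructed 4-block device, then flip one bit in block 1 of the
    copy: verification fails and names block 1."""
    raw = (b"BOOT".ljust(BLOCK_SIZE, b"\x00")
           + b"invoice 4471 paid 2005-05-03".ljust(BLOCK_SIZE, b" ")
           + bytes(BLOCK_SIZE * 2))                        # two empty blocks
    image, manifest = image_device(io.BytesIO(raw))
    clean_ok, _ = verify_image(image, manifest)
    copy = bytearray(image)
    copy[BLOCK_SIZE + 8] ^= 0x01                           # one bit of "4471" changed
    tampered_ok, bad = verify_image(bytes(copy), manifest)
    return clean_ok, tampered_ok, bad


if __name__ == "__main__":
    print(demo())   # (True, False, [1])
```

In practice the device is opened read-only behind a hardware write blocker (the slide’s “low-level access, avoiding OS”), the manifest is written to separate media, and the hashes are recomputed on the copy before every examination session.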

Page 50

Analysis of Computer Data

• Objective: To find incriminating information on the image of a suspect’s hard disk.

• We will look briefly at some basic techniques.

Page 51

Date and Time Stamps

• Date and time stamps are altered when files are created, amended and saved.

• The date and time are defined by CMOS settings. These are under the user’s control on PCs.

• Opening files under DOS does not alter date or time stamp.

• Unerasing a file does not alter its date or time stamp.

• Date and time stamps may be evidentially significant.

• It is easy to forge date and time stamps.

Page 52

Data Mining

• Certain patterns and signs in the transaction records may identify fraud.

• Identification of these patterns is sometimes called “data mining”.

• Software packages for automated data mining include:
– IDEA (Interactive Data Extraction and Analysis)
– ACL (Audit Command Language)

Page 53

Cluster Analysis

• A group of techniques aimed at finding information about the history of data on the computer
– Timestamp analysis
– ‘.’ and ‘..’ analysis

• Object of analysis:
– file allocation information
– directory entries

• Great care must be exercised when interpreting the results of cluster analysis!

Page 54

Timestamp Analysis

• A group of bars is usually an indication of a period of computer activity.

• A large gap between bars usually means that the computer was idle or switched off.

(Chart: file timestamps plotted on a time axis from Jan to Aug; one bar represents one file.)
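The slide reads activity periods and idle gaps off a bar chart by eye. The code below is an added example, not the presentation’s, that does the same from a list of file timestamps: timestamps closer together than a chosen gap are grouped into activity periods, the gaps between periods are reported in days, and a text version of the chart is produced. The timestamps and the 7-day threshold are constructed for illustration; the previous slide’s caveat applies, since timestamps come from a clock the user controls.

```python
"""Activity periods and idle gaps from file timestamps.  Added teaching
example; the timestamps are constructed, standing in for modification times
read from the directory entries of an image."""
from datetime import datetime, timedelta

FILE_TIMESTAMPS = [                      # constructed: two bursts, one long idle stretch
    "2005-01-10 09:12", "2005-01-10 14:40", "2005-01-12 11:05", "2005-01-13 16:30",
    "2005-02-02 08:55", "2005-02-03 12:20",
    "2005-05-20 10:00", "2005-05-21 09:45", "2005-05-21 17:10", "2005-05-24 08:30",
]
MAX_GAP = timedelta(days=7)              # assumption: larger gaps split periods


def parse(stamps):
    return sorted(datetime.strptime(s, "%Y-%m-%d %H:%M") for s in stamps)


def activity_periods(stamps, max_gap=MAX_GAP):
    """Group sorted timestamps into (start, end, file_count) periods; a new
    period starts whenever the gap to the previous timestamp exceeds max_gap."""
    ts = parse(stamps)
    if not ts:
        return []
    periods, start, prev, count = [], ts[0], ts[0], 1
    for t in ts[1:]:
        if t - prev > max_gap:
            periods.append((start, prev, count))
            start, count = t, 0
        prev = t
        count += 1
    periods.append((start, prev, count))
    return periods


def idle_gaps(stamps, max_gap=MAX_GAP):
    """(end of one period, start of the next, whole days between) for each gap."""
    p = activity_periods(stamps, max_gap)
    return [(a[1], b[0], (b[0] - a[1]).days) for a, b in zip(p, p[1:])]


def monthly_bars(stamps) -> str:
    """Text version of the slide's chart: one '|' per file, bucketed by month."""
    counts = {}
    for t in parse(stamps):
        key = t.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return "\n".join(f"{month}  {'|' * n}" for month, n in sorted(counts.items()))


if __name__ == "__main__":
    for start, end, n in activity_periods(FILE_TIMESTAMPS):
        print(f"{start:%Y-%m-%d} .. {end:%Y-%m-%d}: {n} files")
    for end, start, days in idle_gaps(FILE_TIMESTAMPS):
        print(f"idle {days} days ({end:%Y-%m-%d} -> {start:%Y-%m-%d})")
    print(monthly_bars(FILE_TIMESTAMPS))
```

The threshold is the analyst’s judgement call: a machine used daily can use a gap of a day or two, while a rarely used one needs weeks before a gap means anything.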

Page 55

Analysis of Email Headers

• Email is increasingly common as evidence.

• ‘Received:’ headers in email are added by email servers as the message travels through the Internet.

• Usually, email servers are not controlled by the sender and thus provide more reliable information about the source of the message.

• Generally email will have the same significance as a paper document.
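An added example, not from the presentation, of reading ‘Received:’ headers the way the slide describes: each relay prepends its own line, so the list is read bottom-up to follow the message from origin to recipient. The code parses a constructed message with Python’s standard email module and, for each hop, extracts the name the connecting client announced, what the receiving server observed about it, the receiving server itself and the timestamp; it then checks that consecutive hops chain together and returns the address the first server recorded, which is the part the sender did not write. Hostnames are invented and the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Reading the relay chain from 'Received:' headers.  Added teaching example
using the standard library; the message below is constructed."""
import email
import re
from email.utils import parsedate_to_datetime

# Three relays each prepended a Received: line, so the top line is the last hop.
# Hostnames are invented; addresses are RFC 5737 documentation ranges.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id q3T8x1; Tue, 3 May 2005 09:15:42 +0100
Received: from relay.example.com (relay.example.com [203.0.113.9])
\tby mx2.example.net with ESMTP id b7Y2k; Tue, 3 May 2005 09:15:31 +0100
Received: from laptop77 (unknown [192.0.2.45])
\tby relay.example.com with SMTP id a1Z9m; Tue, 3 May 2005 09:15:03 +0100
From: "Accounts" <[email protected]>
To: [email protected]
Subject: invoice
Date: Tue, 3 May 2005 09:14:55 +0100

Please see attached.
"""

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"          # name the connecting client announced (HELO)
    r"(?:\s+\((?P<observed>[^)]*)\))?"  # what the receiving server saw (rDNS, [IP])
    r"\s+by\s+(?P<by>\S+)")             # the server that wrote this header


def parse_hops(raw: str):
    """Return hops oldest-first: claimed name, observed info, receiving server, time."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        header = " ".join(value.split())                 # unfold continuation lines
        m = HOP_RE.search(header)
        if not m:
            continue
        when = parsedate_to_datetime(header.rsplit(";", 1)[-1].strip())
        hops.append({"claimed": m["claimed"], "observed": m["observed"] or "",
                     "by": m["by"], "time": when})
    return hops


def origin_address(hops):
    """IP the first receiving server recorded for the client.  It is that
    server's observation, not something the sender typed; the HELO name next
    to it ('laptop77') is the client's own claim and carries no weight."""
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", hops[0]["observed"]) if hops else None
    return m.group(1) if m else None


def chain_consistent(hops) -> bool:
    """Each hop's receiving server should be the next hop's claimed sender, and
    timestamps should not run backwards (allowing for clock skew in practice)."""
    return all(a["by"] == b["claimed"] and b["time"] >= a["time"]
               for a, b in zip(hops, hops[1:]))


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for h in hops:
        print(f"{h['time']:%H:%M:%S}  {h['claimed']:<18} ({h['observed']}) -> {h['by']}")
    print("origin:", origin_address(hops), "chain consistent:", chain_consistent(hops))
```

Only the lines added by servers you trust are reliable: a sender can put fabricated Received: lines at the bottom of the message before handing it to the first relay, so the chain is trusted from the first hop written by a server outside the sender’s control downwards, which is why the consistency check between adjacent hops matters.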

Page 56

Encryption

• Data may be encrypted.

• Weak encryption - use available tools to break it.
– Commercial services to break MS Word etc.

• Careful: is it OK for you to do this?

• Strong encryption
– Police may be able to get a court order to force disclosure of keys.
– If you are not the police... try to find the key somewhere!

Page 57

Steganography

• Ability to hide data in other data. Images and sound files are good. Changing the last bit of each byte in an image is not visible to the human eye: can use it to store other data.

• Good implementations exist.

• Nearly impossible to detect if done well.

• Police etc. are very scared of this!
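The "last bit of each byte" method on this slide is small enough to show in full. The following is an added example, not code from the slides: it treats a constructed byte string as an 8-bit image, writes a length-prefixed payload into the least significant bit of successive samples, reads it back, and measures how far any sample moved. The carrier pattern, the 4-byte length prefix and the payload are assumptions of the example; the delta measurement is the point, since a change of at most 1 in 256 per sample is why the slide says the alteration is invisible.

```python
# Constructed carrier standing in for an 8-bit greyscale image (not real image data).
CARRIER = bytes((i * 37 + 11) % 256 for i in range(2048))


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length prefix followed by the payload into the
    least significant bit of successive carrier samples (assumed layout)."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit      # clear LSB, then set it
    return bytes(out)


def _read_lsb_bytes(carrier: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at sample `first_bit`."""
    result = bytearray()
    for k in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (carrier[first_bit + k * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(carrier: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many payload bytes."""
    length = int.from_bytes(_read_lsb_bytes(carrier, 0, 4), "big")
    return _read_lsb_bytes(carrier, 32, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between the original and the modified carrier."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = embed_lsb(CARRIER, b"hidden note")
    print("recovered:", extract_lsb(stego))
    print("max change per sample:", max_sample_delta(CARRIER, stego))
```

For the examiner the consequence is the one the slide draws: nothing in the visible image changes, so detection relies on statistics of the LSB plane or on finding the tool and its traces on the machine, not on looking at the picture.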

Page 58

Available Tools

• Several investigative tools are available.

• Some commercial, some research.

• "Forensic" usually means "disk imaging".

• Security software (e.g. IDS) generates log files which can be evidence. Requires careful handling.

Page 59

EnCase

• Guidance Software Inc. (USA)

• Market leader?

• Captures images on many media (disk, tape, etc).

• Analysis software runs on standard Windows PC.

Page 60

EnCase Analysis Facilities

• Many file systems: DOS FAT, NTFS, Linux, ...

• Graphics file identification.

• File hashes: allows known files to be excluded, e.g. OS and application executables

• Sort and search on file attributes.

• Generate reports for presentation.

• Scripting language.

Page 61

EnCase Screenshot

A screenshot of EnCase being run on a computer that has used Evidence Eliminator to erase unwanted data and internet history from the hard drive. Shows the state before the application of the software program.

Page 62

EnCase Evidence Presentation

File Name: teensex001.jpg
Full Path: Toast C Drive\Windows\Temp Internet Files\...
Last Accessed: 05/05/02
Last Written: 01/19/02 03:48:44PM
Logical File Size: 12,943
Comment: This is a picture of a pre-teen having sex
Acquisition: EnCase version 3, zero errors
Acquisition Hash: 4CD90348D1C009D78E256
Verification Hash: 4CD90348D1C009D78E256
Drive Geometry: Total Size 4.8GB (10,002,825 Sectors)
Investigator's Name: Dick Private
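Two of the facilities listed on the EnCase slides rest on the same primitive: the acquisition and verification hashes in this report are one hash of the whole image computed twice, and the "known files can be excluded" feature is a hash of each file looked up in a set. The following is an added example, not code from the slides or from EnCase, showing both with Python's hashlib: it verifies a constructed image against its recorded acquisition hash, shows that a single flipped bit fails verification, and filters a constructed file set against a constructed set of known-good hashes. SHA-256 is the example's choice; the file names, contents and "known" set are assumptions.

```python
import hashlib

# Constructed known-good files (stand-ins for OS/application executables).
KNOWN_GOOD = {
    "kernel32.dll": b"MZ" + b"\x00" * 64,
    "notepad.exe": b"MZ" + b"\x01" * 64,
}

# Constructed files recovered from the evidence; two match the known set.
EVIDENCE_FILES = {
    "WINDOWS/system32/kernel32.dll": KNOWN_GOOD["kernel32.dll"],
    "WINDOWS/notepad.exe": KNOWN_GOOD["notepad.exe"],
    "Documents/notes.txt": b"meeting at 9",
    "Temp/x.exe": b"MZ" + b"\xff" * 64,
}

# Constructed stand-in for a raw image: the file contents concatenated.
IMAGE = b"".join(EVIDENCE_FILES.values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Recompute the image hash and compare it with the value recorded at acquisition.
    A match is the 'Verification Hash' line of the report; a mismatch means the
    copy being examined is not the copy that was acquired."""
    return sha256_hex(image) == acquisition_hash


def tamper(image: bytes) -> bytes:
    """Flip one bit in the last byte, to show that any change breaks verification."""
    return image[:-1] + bytes([image[-1] ^ 0x01])


def build_known_set(known_files) -> set:
    """Hash set built from files known to be unmodified OS/application files."""
    return {sha256_hex(data) for data in known_files.values()}


def unknown_files(evidence_files, known_hashes) -> list:
    """Names of files whose hash is not in the known set: the ones worth examining."""
    return sorted(name for name, data in evidence_files.items()
                  if sha256_hex(data) not in known_hashes)


# The value an examiner would have written down when the image was taken.
ACQUISITION_HASH = sha256_hex(IMAGE)

if __name__ == "__main__":
    print("acquisition hash:", ACQUISITION_HASH)
    print("verifies:", verify_image(IMAGE, ACQUISITION_HASH))
    print("tampered copy verifies:", verify_image(tamper(IMAGE), ACQUISITION_HASH))
    print("files left after excluding known ones:",
          unknown_files(EVIDENCE_FILES, build_known_set(KNOWN_GOOD)))
```

The exclusion step only removes files that match byte for byte; a patched or trojaned copy of a system executable has a different hash and stays in the list, which is the behaviour an examiner wants.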

Page 63

TCT

• “The Coroner’s Toolkit”

• Maintained by two security researchers.

• Basic tools for analysing UNIX systems after break-ins.

• E.g. file undeletion, access pattern analysis.

• A research tool but shows possible direction of future tools.

Page 64

Other Tools

• Various other tools are used.

• Examples:
  – Norton disk editor
  – Partition Magic

• Not specially for forensic work but if used properly they are valuable.

Page 65

Developing Market

• Many new tools are appearing.

• Disk imaging and intrusion analysis are most common.

• New areas:
  – Memory sticks, mass storage USB based devices…
  – mobile devices (phones, PDAs)
  – embedded devices, e.g. in cars

Page 66

Consultancy Services

• Forensic analysis is tricky. Easy to miss something. Easy to compromise the evidence.

• Many companies provide consultancy. Often produce own software, e.g. DIBS

• This should be considered if an investigation is needed.

Page 67

Case Studies

We will look at a few examples:
  – Carnivore
  – CD Universe: hacking and extortion
  – Libel case

Page 68

Carnivore (1)

• Not a tool you can use, but interesting because it is an example of how you may have to work with law enforcement agencies.

• “Carnivore” was developed by the US FBI.

• Three components:
  – Carnivore (configurable packet sniffer)
  – Packeteer (reconstructs protocol sessions)
  – CoolMiner (analyse captured traffic)

Page 69

Carnivore (2)

• Very controversial
  – Legality?
  – Privacy?
  – Possible abuse?
  – Reliability and safety?

• Detailed information is available from the independent review by IITRI and obtained by activists in USA.

Page 70

Carnivore (3)

• FBI get a warrant to intercept network activity (email, browsing, FTP, etc.)

• Can the ISP provide the data? If yes, then no need for Carnivore.

• Special Carnivore PC is installed at the ISP.
  – Needs help from ISP to attach to LAN.
  – ISP has no control over Carnivore.
  – Remotely operated by trained personnel.

Page 71

Carnivore (4)

• A PC with Ethernet card.

• Special FBI-developed software.
  – Runs on Windows NT.
  – Includes some modified commercial driver code.

• Captures network traffic according to IP addresses, protocols, email addresses, etc., as set out in the warrant.

• Data goes onto removable media (Jaz disk).

Page 72

Some Lessons from Carnivore (5)

• Forensic systems are difficult.
  – Review found several flaws.
  – Review was subject to criticism.

• Need to maintain public confidence.
  – How do we know what it does?
  – How do we know it works properly?
  – How do we know it is not abused?

• More tools like this will appear in future. There are already less publicised ones.

• If you are an ISP, systems manager etc. you may need to deal with investigators.

• Know the rules, liabilities etc. that apply to you.

Page 73

Example: CD Universe (1)

• US Internet retailer’s site was hacked and details of 300,000 credit cards obtained (January 2000).

• Russian hacker “Maxim” demanded $100,000.

• Company refused to pay and details of 25,000 cards were posted on a web site.

• Many cards had to be replaced.

• Some fraudulent use of the cards was reported.

Page 74

Example: CD Universe (2)

• Interesting aspects to this:
  – It was reported that badly handled evidence (by FBI and company staff) made a successful prosecution unlikely.
  – Hacking followed by extortion using the information gained.

• Exercise/discussion: what possible crimes under the Convention on Cyber-Crime are involved?

Page 75

Example: Libel (1)

• Two small businesses in Ireland supplying sandwiches etc. Dispute arose between them over customers.

• Owner of “Fresh Cuts” placed the phone number of the owner of “Exclusive Sandwiches” on a web site advertising escorts (Escort Ireland).

• She received hundreds of calls.

• Evidence from his PC led to guilty plea.

Page 76

Example: Libel (2)

• Interesting aspects to this:
  – Not a computer crime, but an old crime committed using a computer on the Internet.
  – Law concerned was Ireland’s Defamation Act, 1961 (“criminal libel”).
  – An example of an old law successfully used in the Internet environment.

Page 77

Looking Forward To Future

• Configuration options for better CA security

• Smart card integration with more environments

• Common PKI for Notes and Internet

• Ease of administration & auditing

• Common configuration for users and servers

• Pre & post investigations models & intelligent support tools

• Intersection of rights

• Agents

• Active Content - Change History

• Managing Active Content on the Web

Page 78

Research Topics

• Methodologies

• Best Practice

• Cybercrime prevention and security

• Trend monitoring, offender profiling, etc

• Investigative and forensic tools of sorts

Page 79

Conclusive Summary

• Computer Crime Background

• Covered key aspects of Cyber Crime

• IT Evidence

• Investigations: problems and issues

• Generic model of investigation

• Evidence Capture, Handling and Analysis

• Tools & Case Studies

Page 80

Enjoy Finale!

Many thanks to our host!

Thank you for your kind attention!!

Have a good time while you are here!!!