IMT 3551/4012 Digital Forensics
Course Overview and Lecture 1, Fall 2010
André Årnes, Tlf: 9166006, [email protected]
Agenda
• Course overview
  – Objectives
  – Lectures and exams
  – Paper presentations
  – Project work
  – Curriculum
• Lecture
  – Introduction to digital forensics
  – Practical lab work
Course Overview

Course Objectives
• What is digital forensics?
• Central principles and methodology rather than standardized procedures
• Methods for
  – Evidence acquisition
  – Analysis
  – Reporting
Focus and Disclaimer
• Feedback is most welcome – all the time
• We will focus on the fundamental principles of digital forensics, as well as the practical side of the field.
• Practical work will focus on analysis and reconstructions in virtual environments.
• Consider the consequences of all experiments and don’t do anything unethical (or illegal!). Also, don’t trust unknown software – run untrusted software in isolated environments.
Course Overview (Preliminary)
• Lecture 1, Introduction, 19.10.2009, Room K113 + A115
  – Chapter 1, Appendix B
• Lecture 2, File system analysis, 02.11.2009, Room K113 + A115
  – Chapters 2, 3, 4, 7, Appendix A
• Lecture 3, Live and remote forensics, 16.11.2009, Room A126 + A115
  – Chapters 5, 8
• Lecture 4, Evidence analysis, 30.11.2009, Room K113 + A115
  – Chapter 6
• Lecture 5, Selected topics and review, 07.12.2009, Room K113 + A115
  – Short project presentations
• Project Deadline: 23:59 on Friday 10.12.2009
• Written Exam: 21.12.2009
Project Work Requirements
• Assignments are marked and count 50% of mark (see course information)
• Groups of 3 to 5 persons
• Report can include theoretical and/or experimental work.
• IMT 3551 Groups:
  – Standard project report
• IMT 4021 Groups:
  – Academic paper format
Project Requirements (cont’d)
• Document all assertions, back up claims and results, provide academic references, document experimental setup and focus on evidence integrity and forensic soundness.
• Plagiarism is not accepted – ask if you have questions regarding quotations and citations.
Project Work
Choose ONE of the following (or propose a new topic):
1. Acquiring evidence in the cloud: Perform a theoretical evaluation of acquiring evidence from a cloud service (e.g., Amazon EC2) and perform experiments as a proof-of-concept.
2. iPad Forensics: Forensic analysis of the iPad (you need an iPad). Perform experiments and perform a forensic analysis of the evidence.
3. Internet Explorer 9 (beta): Perform experiments and a forensic analysis of the evidence.
4. Log2timeline and Simile: Perform experiments, extract the timeline using log2timeline and visualize the results using SIMILE.
5. Android Forensics: Perform experiments using an Android phone and/or the Android SDK to evaluate the availability and authenticity of evidence in Android.
6. Processing massive amounts of data: Perform a theoretical study of approaches to handle massive amounts of data in digital forensics cases. Present the results as a comparative study to benchmark the methods based on typical use cases.
7. Database forensics: Perform a survey of and experiments with state-of-the-art tools for database forensics, based on, e.g., PostgreSQL or Oracle DB.
8. Evidence authenticity: Evaluate security requirements and a security architecture for managing evidence and preserving evidence integrity and chain of custody. Consider vulnerabilities in popular hash algorithms (e.g., MD5).
9. Computational forensics: Evaluate computational methods to identify and analyse digital evidence (e.g., fuzzy search, statistical sampling).
10. Rights Management: Forensic analysis of commercial-grade rights management systems, e.g., Microsoft Rights Management System or Oracle Information Rights Management.
Project Recommendations
• We request that all experiments (if possible) are performed in a sterilized environment and that the data set is preserved and handed in or made available online. We will use this as a data set for training and research in digital forensics.
• We appreciate innovation in experimental environments. Amazon cloud and http://www.vmlogix.com/Screenshots/ are possible options. Remember not to do malware experiments in the cloud (!)
• Faculty at the forensics lab will nominate suitable papers for scientific publication. One IMT3551 group is publishing @NISK 2010!
What to cover in this course?
• Internet investigations?
• Network forensics?
• Device forensics?
• Video/audio/image forensics?
• Reverse engineering?
• Criminal investigations?
• Law and judicial issues?
Curriculum I
• Dan Farmer and Wietse Venema, ”Forensic Discovery”, Addison-Wesley, 2005
  http://www.porcupine.org/forensics/forensic-discovery/
• Material covered in class
Curriculum II – Presented Papers
• Five curriculum papers will be presented in class and will be part of the course curriculum. The papers may change depending on your feedback, but the curriculum will be finalized by next class.
Curriculum papers:
1. Carrier, Brian, ”An event-based digital forensic investigation framework”, DFRWS, 2005.
2. Casey, ”Error, Uncertainty, and Loss in Digital Evidence”, International Journal of Digital Evidence, 2002.
3. Gutmann, Peter, ”Secure Deletion of Data from Magnetic and Solid-State Memory”, USENIX 1996.
4. Vrizlynn Thing, Kian-Yong Ng, and Ee-Chien Chang, ”Live Memory Forensics of Mobile Phones”, DFRWS 2010.
5. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, ”Forensic Investigation of Peer-to-Peer File Sharing Networks”, DFRWS 2010.
Presentations
• Each group presents one paper during lectures 2, 3 and 4. Each presentation will be ~15–20 minutes.
• The project will be presented on the last lecture day. Each presentation will be short (~10 minutes).

Lecture   Group   Paper
2
2
3
3
4
5         All     Project
Some Useful References
1. Brian Carrier, ”File System Forensic Analysis”, Addison Wesley, 2005
2. Keith J. Jones, Richard Bejtlich, Curtis W. Rose, ”Real Digital Forensics – Computer Security and Incident Response”, Addison Wesley, 2006
3. Inger Marie Sunde, ”Lov og rett i Cyberspace”, Fagbokforlaget, 2006
4. US DOJ, ”NIJ Special Report on Forensic Examination of Digital Evidence: A Guide for Law Enforcement”
5. ACPO, ”Good Practice Guide for Computer Based Electronic Evidence”
6. Årnes, Haas, Vigna, and Kemmerer, ”Digital Forensic Reconstruction and the Virtual Security Testbed ViSe”, Journal in Computer Virology, 2007.
7. The Honeynet Project; in particular Scan of the Month and forensic challenges
8. Gladyshev and Patel, ”Finite state machine approach to digital event reconstruction”, Digital Investigation 1, 2004.
9. DOJ, ”NIJ Special Report on Investigations Involving the Internet and Computer Networks” (pages 1-27, excluding ”legal considerations”)
Internet Bank Fraud (figure slide)

Transaction Agents (figure slide)
Before we get started …
• Choose groups (on Blackboard)
  – Choose project number (or propose a project)
  – Choose paper to present (talk to me if all 5 are taken)
• Talk to me if you’re doing an MSc on digital/computational forensics
• Break!
Lecture 1
Introduction to Digital Forensics

Terminology and Basic Principles
Forensic Science
• The application of science and technology to investigate and establish facts of interest to criminal or civil courts of law. For example:
  – DNA analysis
  – Trace evidence analysis
  – Firearms ballistics
• Implies the use of scientific methodology to collect and analyse evidence. For example:
  – Statistics
  – Logical reasoning
  – Experiments
Some Terminology
• Digital Forensics
• Digital Investigations
• Computer Forensics
• Network Forensics
• Internet Investigations
• Computational Forensics
Investigation Process
1. Identification: Verification of event
2. Collection: Evidence collection and acquisition
3. Examination: Preparation and examination
4. Analysis: Using scientific methods
5. Reporting: Documentation and presentation
Digital Evidence
• We define digital evidence as any digital data that contains reliable information that supports or refutes a hypothesis about an incident.
• Evidence dynamics is described to be any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent.
Evidence Integrity
• Evidence integrity refers to the preservation of the evidence in its original form. This is a requirement that is valid both for the original evidence and the image.
• Write-blockers ensure that the evidence is not accidentally or intentionally changed
  – Hardware
  – Software
• In some cases, evidence has to be changed during acquisition, see discussion of OOV below.
Digital Fingerprints
• Purpose is to prove that evidence and image are identical – using cryptographic hash algorithms
• Input is a bit stream (e.g., file/partition/disk) and output is a unique hash (file signature)
• We use cryptographic hash algorithms (e.g., MD5, SHA1, SHA256). These are non-reversible and it is mathematically infeasible to find two different files that create the same hash.
Chain of Custody
• Chain of custody refers to the documentation of evidence acquisition, control, analysis and disposition of physical and electronic evidence.
• The documentation can include paper trails, laboratory information management systems, photographs, etc.
• Mechanisms:
  – Timestamps and hash values
  – Checklists and notes
  – Reports
Forensic Soundness
• The term forensically sound methods and tools usually refers to the fact that the methods and tools adhere to best practice and legal requirements.
• A typical interpretation:
  – Source data is not altered in any way
  – Every bit is copied, incl. empty and unavailable space
  – No data is added to the image.
Order of Volatility (OOV)
• Collect the most volatile data first – this increases the possibility to capture data about the incident in question.
• BUT: As you capture data in one part of the computer, you’re changing data in another
• The Heisenberg Principle of data gathering and system analysis: It’s not simply difficult to gather all the information on a computer, it is essentially impossible.
Order of Volatility: Expected life time of data

Type of data                             Life span
Registers, peripheral mem, cache, etc.   Nanoseconds
Main memory                              Ten nanoseconds
Network state                            Milliseconds
Running processes                        Seconds
Disk                                     Minutes
Floppies, backup media, etc.             Years
CD-ROMs, DVDs, printouts, etc.           Decades
Dual-tool Verification
• Verification of analysis results by independently performing analysis on two or more distinct forensic tools.
• The purpose of this principle is to identify human and software errors in order to assure repeatability of results.
• The tools should ideally be produced by different organizations/programmers.
ACPO Principles (ACPO p. 6)
1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and to be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Abstraction Layers
Sleuth Kit Abstraction Layers:
• File system layer tools
• Data layer tools
• Metadata layer tools
• Human interface layer
• Journal layer
• Media management layer
• Disk layer
Farmer and Venema p. 9: (figure slide)
Analysis
• Unusual activity stands out, e.g.:
  – Location in file system
  – Timestamps (most files are rarely used)
• Fossilization of deleted data
• Turing test of computer forensic analysis
• Digital archaeology vs. geology
Virtualization
• Virtualization can be used to perform dynamic testing of evidence and to perform forensic reconstruction experiments. Images of seized evidence can be booted in virtual environments for dynamic analysis.
• It is possible to detect the presence of the virtualization environment. This is seen in malware and in proof of concept code (e.g., ”red pill”).
• Be careful to isolate the testbed properly, in particular if you suspect that you are dealing with malware!
Crime Scene Reconstructions
• Method to determine the most probable hypothesis or sequence of events by applying the scientific method to interpret the events that surround the commission of a crime.
  – State problem,
  – form a hypothesis,
  – collect data,
  – test hypotheses,
  – follow up on promising hypotheses,
  – draw conclusions supported by admissible evidence.
Digital Reconstructions
• Digital crime scene reconstructions can be tested experimentally in testbeds:
  – physical,
  – virtual, or
  – simulated.
Investigation Process
1. Identification: Verification of event
2. Collection: Evidence collection and acquisition
3. Examination: Preparation and examination
4. Analysis: Using scientific methods
5. Reporting: Documentation and presentation
Evidence integrity & Chain of Custody
Our First Toolkit

Acquisition Tools
• Acquisition tools are tools for imaging or copying evidence
• Focus should always be on preserving evidence integrity. The integrity should be verified after acquisition through the use of hash algorithms.
• DD and DCFLDD examples:
  – dd if=/dev/hda of=/mnt/evidence/hda.dd
  – dcfldd if=/dev/hda of=/mnt/evidence/hda.dd
• Commercial tool examples:
  – Encase
  – FTK Imager Lite
The Coroner’s Toolkit (TCT)
• A collection of forensic utilities written by Wietse Venema and Dan Farmer. Released in 2000 on the authors’ web sites.
• The toolkit contains tools for post-mortem analysis of compromised systems.
• It includes, e.g.:
  – Grave-robber: data gathering tool
  – Unrm and lazarus: data recovery tools
  – Mactime: orders files and directories chronologically according to timestamps
Sleuthkit and Autopsy
• Sleuthkit is built on TCT, supports both Unix and Windows platforms, and contains 27 specialized command line tools.
• Autopsy is an integrated graphical user interface for Sleuthkit. It supports acquisition, analysis, as well as case management, evidence integrity verification, and logging.

Ubuntu 10.04
• Boot CD to install and run Ubuntu
• Forensic tools easily installed:
  – sudo apt-get install tct
  – sudo apt-get install sleuthkit
  – sudo apt-get install autopsy
  – sudo autopsy
Helix
• Boot CD for incident response and digital forensics by e-Fense
  – http://www.e-fense.com/helix/
• Contains many tools, e.g.:
  – Autopsy, TCT, SleuthKit, foremost
  – Wireshark, TCPdump
  – ClamAV, F-prot, chkrootkit
  – and more …
• No longer free / open source
Virtualization Tools
• We need a tool for running virtual hosts:
  – Mount and analyse image off-line
• Snapshots freeze system states and are useful for event chain analysis
• Some examples
  – VMware Workstation – most used tool for forensics
  – Amazon EC2 – virtualization in the cloud (not free)
  – VirtualBox – free version available
  – Xen – free version available
  – Virtual PC – free version available
  – Parallels – for Mac
VMware and VMware Snapshots
• VMware emulates a PC and runs virtual guest operating systems such as Windows XP and Linux.
• Through the use of VMware snapshots, one can make a tree of system configurations that are based on a common root system (base image).
• One can easily revert to a snapshot and make a new branch with a new configuration.
• The ”full clone” function can be used to write a full disk image for analysis based on a snapshot.
Summary
• Basic Principles
  – Forensic Science
  – Methodology
  – Digital Evidence
  – Evidence Integrity
  – Cryptographic hashes
  – Chain of Custody
  – Order of Volatility
  – Layers of abstraction
  – Reconstructions
  – Virtualization
  – ACPO
• Our First Toolkit
  – DD and DCFLDD
  – TCT
  – Sleuthkit
  – Autopsy
  – Ubuntu
  – VMware
Lab 1
Rules of the Lab Exercises
• The labs are fairly open and you are free to select both environment and tools. There is no mandatory hand-in or grading of the lab.
• The lab exercises do require some Linux and virtualization literacy – work together in teams!
• Use the lab time to discuss project work and discuss drafts.
Objectives
• Objectives: Get familiar with
  – Laboratory environment
  – Forensic tools
• Tools
  – VMware (or Amazon EC2 or other virtualization tool)
  – Ubuntu (or Helix)
• ”Evidence”
  – Honeynet Scan of the Month 24 and 26
  – http://www.honeynet.org/scans/index.html
• Take detailed notes and remember
  – Evidence integrity
  – Chain of custody
Tasks
1. Install VMware Workstation on your laptop
2. Install Ubuntu as a virtual machine and install tct, sleuthkit, and autopsy
3. Read the Scan of the Month 24 challenge and the police report
4. Boot Ubuntu in VMware
5. Image evidence
   • Virtually mount the floppy image for ”Scan24” in VMware
   • Use DD or DCFLDD to image the evidence to a file
   • Verify the image hash using the md5sum command
6. Analyse image
   • Using Autopsy
   • You can mount the image read-only and use standard Linux tools
7. Report findings in your notes
   • Document chain of custody and evidence integrity
   • Detailed notes of settings, actions, etc.
   • Screenshots are useful
8. Optional: Continue the analysis with the Scan26 floppy image.
9. Optional: Send report to teacher by email for feedback and evaluation (not graded)
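Task 5 above, the dd/dcfldd commands on the Acquisition Tools slide and the Digital Fingerprints principle all come down to the same check: image with dd, hash the source and the image, and compare. The script below is an added example (not from the slides or the Scan of the Month challenge) that runs this check against a constructed sample file standing in for the floppy; the SOURCE and IMAGE paths are placeholders, and it uses sha256sum where the lab uses md5sum.

```shell
#!/bin/sh
# Added example (not from the slides): acquire an image with dd, prove image
# and source identical with a cryptographic hash, and show that a single
# changed byte in the image is detected. The "evidence" is a constructed
# 8 KiB sample file; substitute a device such as /dev/fd0 for SOURCE.

set -eu

# Print the hex digest of a file (SHA-256 here; md5sum works the same way).
hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors and
# zero-pads them so the image keeps the source's block layout. Caveat: a
# source whose size is not a multiple of bs is zero-padded too, which
# changes the image hash even though nothing was lost.
acquire_image() {   # $1 = source device or file, $2 = output image
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    hash_file "$1" > "$2.source.sha256"   # hash of the original evidence
    hash_file "$2" > "$2.image.sha256"    # hash of the image just written
}

# Return 0 only if the image still hashes to the recorded source hash.
verify_image() {    # $1 = image
    [ "$(hash_file "$1")" = "$(cat "$1.source.sha256")" ]
}

WORK=$(mktemp -d)
SOURCE="$WORK/evidence.bin"
IMAGE="$WORK/evidence.dd"
# Constructed sample: 256 fixed-width records of 32 bytes = 8192 bytes,
# a multiple of bs, so no padding is added.
awk 'BEGIN { for (i = 0; i < 256; i++) printf "%-32s", "constructed evidence block " i }' > "$SOURCE"

acquire_image "$SOURCE" "$IMAGE"
verify_image "$IMAGE" && echo "image verified: $(cat "$IMAGE.image.sha256")"

# Evidence dynamics: overwrite one byte of a copy of the image and re-verify.
cp "$IMAGE" "$IMAGE.tampered"
cp "$IMAGE.source.sha256" "$IMAGE.tampered.source.sha256"
printf 'X' | dd of="$IMAGE.tampered" bs=1 seek=100 conv=notrunc 2>/dev/null
if verify_image "$IMAGE.tampered"; then echo "tamper NOT detected"; else echo "tamper detected"; fi
```

Record both digests in your lab notes together with the commands and times used, which is the chain-of-custody documentation task 7 asks for.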