Introduction to Computer Forensics Brent Williams MSTM, CWNA, CWSP, CNE, MCSE, A+, N+ KSU ETTC Slides at: www.speakwisdom.com [email protected]

Posted on 18-Dec-2015


Caveat

• I am not dispensing legal advice
• Use what you hear, read, and do at your own risk
• Consult with your legal advisor when conducting an investigation

The Need for Computer Forensics


• Anyone can access anything via the internet

• Students, faculty, staff and parents doing bad stuff!

• Technology is more sophisticated
– Faster
– More portable

• Schools have perceived responsibility

Concerns

• Pornography
– Child pornography
• Emails
– Threatening
– Relationship related
• Instant messages
• Web sites (MySpace)
– Bullying
– Faculty pages

Bringing Things to School

• Flash memory devices
– Containing what?

PDAs and Cell Phones

• Palm
– Fading?
– Lots of apps and storage (flash)
– Infrared and Bluetooth beaming
• Windows Mobile
– Lots of storage (flash)
– Familiar interface
– Easily networked (WiFi, Bluetooth)
– View photos and movies
– Capture images, sound

More Threats

• Downloads
– To school PCs
• CDs/DVDs
• Social networking sites
– Facebook
– MySpace
• Phishing
– Emails & web sites

Objectives

• Gain basic knowledge
– What is computer forensics?
– Concepts
– Procedures
– What not to do
– What to do next
• Learn some basic techniques
• Raise level of awareness

Do You Have a Duty To Report?

• Yes, if you suspect a crime has been committed
• Yes, if you suspect "sexual exploitation", including conduct involving child pornography
• Once you bring in the police, you stop forensic work; the evidence is theirs to handle from that point

Kinds of Forensics

• PC/laptop
– Files, email, internet activity
• Device
– Cell phone
– PDA
– MP3 player (iPod!)
• Network
– Internet traffic
– Local/wireless traffic

Places

• High Technology Crime Investigation Association– www.htcia.org

• Atlanta HTCIA– www.atlhtcia.org

• Southeast Cybercrime Summit– www.southeastcybercrimesummit.com

Places

• Access Data (FTK)– www.accessdata.com

• X-Ways Forensics (WinHex)– www.x-ways.com

• ProDiscover– www.techpathways.com

• Helix– www.e-fense.com

Certification

• Certified Computer Examiner
– http://www.certified-computer-examiner.com/index.html
• More
– Google search "computer forensics"
• Books
– Plenty! Check Amazon, BN, etc.

Preparation

What to Do Before You Start

• You need the right people!

Build a Response Team

• Cover all bases
– Legal, technical, law enforcement, PR
• Attorney or legal advisor
• Strong "geek"
– Vast knowledge required
• School law enforcement person, local police
• Public relations

Incident Response Plan

• Response plan
– Who is called?
– How are others notified?
• Clear process
– Who has responsibility for what?
– Decision points
• Policy issue / legal issue
• Coordinate with law enforcement
– As appropriate

Someone Must Know Your Hardware & Software

• Hardware
– Servers
– Workstations
– PDAs
– CD-ROM, CD/DVD
– Webcams
– Modems
– Key loggers
– USB devices
– Wireless
• Operating systems
– Windows 9x, 2000, 2003, XP
– Unix/Linux
– OS X
– DOS
• File systems (where deleted data, slack and timestamps actually live)
– FAT
– NTFS
– EXT2/EXT3

Someone Must Know Auditing and Logging

• Know where each OS keeps its logs
• Know the kinds of OS logs
– Windows
• Event Viewer
• Auditing (object-access auditing is off by default; it has to be enabled before the incident or there is nothing to read)
• Date and time of the device
• Date and time of log entries
• File/directory date & time stamps
• Record the device clock against a reference clock; every timestamp you later quote is interpreted through that offset

Computer Evidence

Will this End Up in Court?

• Assume your case will!
• Courts require ample unaltered evidence
• Evidence must be processed properly
• A specially trained team should always conduct the investigation

Main Emphasis of Forensics

• Identify the evidence
• Determine how to preserve the evidence
• Extract, process, and interpret the evidence
• Ensure that the evidence is acceptable in a court of law

Evidence

• Computer evidence is fragile
• Courts know that digital evidence is easily planted/altered
• You must be able to show that evidence is pristine and unmodified! (write-blocked acquisition, recorded hashes, documented chain of custody)
• See www.cybercrime.gov

Evidence

• Can include any form of electronic data
• Can include devices
– Computers
– CD-ROMs
– Floppies
– Cellular telephones
– Pagers
– Digital cameras

Rules

• More latitude in schools/businesses
– Internal processes
– Governed by policy documents
– Expectation of privacy
• Law enforcement works under more restrictive rules
– Subpoenas & search warrants
– Chain of command
– Agency boundaries

What to "Prosecute"?

• Harm inflicted?
• Violation of written policy?
• Policy communicated to teachers/students/parents?
• Investigation conducted by trained personnel?
• Successful investigation?

Problem in School Systems

• Security and forensics projects don't generate revenue
– Or FTEs
• Hard to get "higher-ups" to understand the need
– Until the superintendent's and board's picture is in the paper
• Money for training
• Politics of position

Training

• Training the team is essential
• They need to
– Learn basic procedures
– Gain expertise in technical areas
• Sufficient personal interest?
– Get certified
– Get a degree

End User Training

• Users need to be aware of
– School system policies
– Requirements to guard information
– Laws
– Illegal activities
– Social engineering
– Spyware
• Consider a yearly seminar
• Splash screen (a logon banner stating the acceptable-use policy)

Investigation

Do It Right!

• Photograph the system and the scene
• Take notes (two people present)
• Get the basics
– System model/SN
– HD model and SN
– System date/time (note the difference from a reference clock)
– BIOS boot info (boot order, whether the drive is recognised)
• Power down (pull the plug)
– Laptop: pull the battery
– Caveat: pulling the plug loses whatever is in RAM and any open encrypted volume; if the machine is on and you need those, collect volatile data with the live tools first, then pull the plug

Evidence Gathering

• Have secure-erased drives ready
• Get the suspect drive image
– Attach a write-blocker
– Get two or more images of the drive
• Seal the original drive
– Place a copy of the drive back in the PC (if appropriate)
• The original drive should be locked away
• Control chain of custody (who had the drive, when, why, signed at every hand-off)

Capturing the Data Image

Preparing an Evidence Drive

• Use a USB drive case
• Use large drives
• Have several
• Secure-erase all drives
– Record date, time, and method
– Verify the wipe by reading the drive back (every sector should be 0x00) before you record it as clean
• Store in a locked area
• Software to secure-erase
– Helix
– WinHex Pro
– ProDiscover

Prepare Evidence Drive

– Connect to analysis PC
– WinHex Pro
• Select Physical Media (not Logical Drive), so the partition table and unpartitioned sectors are wiped too, not just one volume
• Edit / Fill Sectors / hex 00
• Will take several minutes (25 min for 40 GB)

Image Options

• Boot suspect PC with Helix
– Easiest for laptops
– Confirm the BIOS boots the CD before the internal drive; the live CD must not mount the suspect disk read-write (Helix does not auto-mount it)
• Attach USB evidence drive
• Use AIR or a similar tool to image the drive

Image Options

• Remove HD from suspect, place as slave in analysis PC
– Use a write blocker
• Remove HD from PC, place in USB case
– Use a write blocker
• Protect the original!

Image Options

• Get image
– Multiple copies
• Image type
– Drive to drive
– Drive to image file (DD)

Sources for Write Blockers

• www.digitalintelligence.com
• www.blackbagtech.com
• www.forensicpc.com

Other Image Options

• Use USB evidence drive
– Boot PC with Knoppix or Helix CD
– Open terminal window
– dd if=/dev/hda of=/dev/sda
– Speed: 1 hour per GB (dd's default 512-byte blocks; bs=4M gives the same bit-for-bit result much faster)
– Boot PC with Helix CD
– Open terminal window
– dcfldd if=/dev/hda of=/dev/sda (adding hash=md5 makes dcfldd compute the hash during the copy)
– Speed: 4 min per GB
• Check before you press Enter: confirm with fdisk -l that /dev/hda is the suspect disk and /dev/sda the evidence drive; swapping if= and of= overwrites the evidence with the blank drive
• For a disk with bad sectors add conv=noerror,sync so dd continues past read errors and pads the block with zeros instead of dropping it (which would shift every later offset)

Other Image Options

• Ghost!
– Boot with BartPE CD
– Open command window
– ghost32 -ir -fnf
– (Image Raw, No Fingerprint)
– Speed: 2 min per GB
• Ghost!
– Version 7.5 or later
– Boot with Ghost floppy
– ghost -ir -fnf
• Caveat: without -ir Ghost copies only the clusters the file system says are in use, so unallocated space and slack (where deleted files live) never reach the image

What is the Hash?

• Used to verify that the image is accurate
• MD5 the suspect drive or partition
• MD5 the image
• They should match
• Record! (hash, date, time, tool and operator go into the case notes)
• Caveat: MD5 collisions have been demonstrated; record a second hash (SHA-1 or SHA-256) alongside it
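The imaging-and-verification step described above, as an added example that is not code from the slides or from dd/dcfldd. It mirrors what `dcfldd if=/dev/hda of=/dev/sda hash=md5` does (and dd with conv=noerror,sync): copy fixed-size blocks, write zeros in place of a block that cannot be read so later offsets keep the disk's layout, hash the bytes as they stream past, then re-read the finished image and confirm the hash before writing the record. The "drive" is a constructed in-memory byte string with one unreadable sector; the case name and record format are assumptions.

```python
"""Block-level imaging with on-the-fly hashing, modelled on dd/dcfldd.

Added example (not code from the slides). The 'drive' is a constructed
in-memory byte string whose 4th sector returns an I/O error.
"""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # one sector; real imaging uses a larger bs for speed, same logic


def image_stream(src, dst, block_size=BLOCK_SIZE):
    """Copy src -> dst block by block.

    Returns the hashes of the bytes actually written plus the offsets of
    blocks that could not be read (those were written as zeros)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks, offset = [], 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            # Unreadable sector: log it, skip past it on the source and
            # write zeros in its place so the image keeps the disk's layout
            # (dd's conv=noerror,sync behaviour).
            bad_blocks.append(offset)
            src.seek(offset + block_size)
            chunk = b"\x00" * block_size
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        offset += len(chunk)
    return {"bytes": offset, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "bad_blocks": bad_blocks}


def hash_file(path, block_size=1 << 20):
    """Independent re-read of a finished image (what `md5sum image.dd` does)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_image(path, report):
    """True when the image on disk hashes to what was computed while copying."""
    md5, sha256 = hash_file(path)
    return md5 == report["md5"] and sha256 == report["sha256"]


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive with one sector that returns I/O errors."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("simulated I/O error reading sector")
        return super().read(n)


def acquisition_record(report, verified, case="EXAMPLE-CASE"):
    """One line for the evidence log: when, how, and what was produced."""
    return (f"{datetime.now(timezone.utc).isoformat()} case={case} "
            f"method=block-copy bs={BLOCK_SIZE} bytes={report['bytes']} "
            f"md5={report['md5']} sha256={report['sha256']} "
            f"bad_blocks={report['bad_blocks']} verified={verified}")


def demo():
    """Image an 8-sector constructed drive whose 4th sector is unreadable."""
    drive = bytes(range(256)) * 16                  # 4096 bytes = 8 sectors
    src = FlakyDisk(drive, bad_offset=3 * BLOCK_SIZE)
    fd, image_path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as dst:
        report = image_stream(src, dst)
    verified = verify_image(image_path, report)
    os.unlink(image_path)
    # The healthy drive's hash will not equal the image's: sector 3 became
    # zeros. The bad-block list is what explains that gap to a reviewer.
    report["matches_healthy_source"] = hashlib.md5(drive).hexdigest() == report["md5"]
    return report, verified


if __name__ == "__main__":
    rep, ok = demo()
    print(acquisition_record(rep, ok))
```

On a real disk you also hash the original behind the write blocker (md5sum /dev/hda) and compare it with the image; the two differ legitimately only when the disk has unreadable sectors, and then the bad-sector list in the record is what accounts for the difference.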

Extracting Information from Data

Analysis

• Work on the image, not the original
• Time consuming!
• Tools allow
– Finding deleted files
• Images
• Email
• IE cache
– Searching for text ("drugs", etc.)
– Showing hidden files
– Showing hidden partitions or drives

Definitions

• Unallocated space
– Space never used on a hard drive
– Space made available by deleted files (the contents stay there until something overwrites them)
• Slack space
– Space in a cluster not used by file data (it keeps whatever was written there before: fragments of earlier files)

1. Examine Suspect HD

• Boot suspect PC with Helix
• Hidden drive? (QTParted)
• Browse with file manager
– See images, open documents
– See hidden partition
• Use Retriever
– Path /media/sda1
– Find images

1a. Examine USB Evidence Drive Image in Windows

• Use the Windows Disk Management MMC to look at partitions
• My Computer
• Search
• Wrong extension?
• Encrypted?
• MS TweakUI
– Can be used to hide drive letters
• Caveat: Windows writes to any volume it mounts (access times, System Volume Information); attach the evidence drive only through a write blocker, and work on a copy of the image
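The "hidden drive?" check above, as an added example that is not code from the slides or from QTParted or Disk Management. It reads the MBR partition table straight from sector 0 of a dd image, so a partition whose type byte marks it hidden (0x17 is hidden NTFS; Windows gives such volumes no drive letter) and any run of sectors that belongs to no partition both show up. The sample MBR is constructed below; the table layout (four 16-byte entries at offset 446, signature 0x55AA at offset 510) is real. Logical partitions inside an extended partition and GPT disks (protective type 0xEE) are not walked.

```python
"""Parse the MBR of a raw image; flag hidden partitions and unpartitioned gaps.

Added example (not from the slides). The sample MBR is constructed here.
"""
import struct

SECTOR = 512
TYPE_NAMES = {
    0x05: "Extended", 0x0F: "Extended (LBA)", 0x07: "NTFS/exFAT",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
    # 0x1x types are the 'hidden' variants of the FAT/NTFS types: Windows
    # assigns them no drive letter, so they never appear in My Computer.
    0x11: "Hidden FAT12", 0x14: "Hidden FAT16 (<32MB)", 0x16: "Hidden FAT16",
    0x17: "Hidden NTFS", 0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32 (LBA)",
    0x1E: "Hidden FAT16 (LBA)",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector0):
    """Return the non-empty primary partition entries found in sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature in sector 0")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = raw[0], raw[4]           # CHS fields (bytes 1-3, 5-7) ignored
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if ptype == 0 or count == 0:
            continue
        entries.append({
            "index": i + 1, "bootable": status == 0x80, "type": ptype,
            "name": TYPE_NAMES.get(ptype, f"unknown 0x{ptype:02X}"),
            "hidden": ptype in HIDDEN_TYPES,
            "start": lba_start, "end": lba_start + count - 1,
        })
    return entries


def unpartitioned_gaps(entries, disk_sectors):
    """Sector ranges no partition claims. Sector 0 is the MBR itself; the
    sectors after it up to the first partition (the boot track) count too."""
    gaps, cursor = [], 1
    for p in sorted(entries, key=lambda e: e["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def examine(sector0, disk_sectors):
    entries = parse_mbr(sector0)
    return entries, unpartitioned_gaps(entries, disk_sectors)


def build_mbr(parts):
    """Constructed input: parts = [(bootable, type, lba_start, sector_count)]."""
    s = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3sB3sII", s, 446 + 16 * i,
                         0x80 if boot else 0x00, b"\xFE\xFF\xFF", ptype,
                         b"\xFE\xFF\xFF", start, count)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def demo():
    """A 200,000-sector disk: a visible NTFS volume, a hidden NTFS volume,
    and unpartitioned sectors before, between and after them."""
    sector0 = build_mbr([(True, 0x07, 63, 100000), (False, 0x17, 150000, 40000)])
    return examine(sector0, 200000)


if __name__ == "__main__":
    parts, gaps = demo()
    for p in parts:
        print(p)
    print("unpartitioned sector ranges:", gaps)
```

Against a real image, read the first 512 bytes of the .dd file for sector0 and use the file size divided by 512 for disk_sectors; a gap that is large, or a total partition size well short of the capacity printed on the drive label, is where to point the hex viewer next.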

2. Find Images

• (Not deleted)
• ExifPro
• Easy

3. Find Deleted Files

• Great tool, easy to use

4. Examine in Windows

• Examine PC with Helix Windows
– System Information
• Drive letter discrepancy?
– Incident Response
• Windows Forensics Toolchest
• Security Reports
• (others want NetCat)
– Scan for Images
• (no path information)
– Windows Search (for files)
– Disk Management (for drives, partitions)

WinHex

• Open the .dd file
• Specialist
– Interpret File as Disk
• View all .jpg's in the file system
– Tools, Disk Tools, Explore Recursively
– You can add a path column
• Look for .dbx files

WinHex

• Find .jpg's in unallocated space
– Tools, Disk Tools, File Recovery by Type
• Find text in files
– Search, Find Text (or Simultaneous Search)
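The recovery-by-type and text-search steps above, together with the Definitions slide's unallocated and slack space, as an added example that is not code from the slides or from WinHex. It does by hand what File Recovery by Type does: walk the bytes the file system no longer claims, look for the JPEG start-of-image marker (FF D8 FF) and take everything up to the end-of-image marker (FF D9). It also pulls one file's slack and reports, for a keyword, which part of the disk each hit sits in. The image, the cluster size and the allocation list are constructed; on a real image the allocation map comes from the FAT or the NTFS MFT, and the "JPEG" here is a minimal stand-in, not a decodable picture.

```python
"""Carve deleted JPEGs from unallocated space, read file slack, locate keywords.

Added example (not from the slides). Image and allocation map are constructed.
"""
CLUSTER = 4096
JPEG_SOI, JPEG_EOI = b"\xFF\xD8\xFF", b"\xFF\xD9"


def regions(image_len, cluster, allocated):
    """Split the image into (start, end, kind, owner) byte ranges.

    allocated: [(name, first_cluster, n_clusters, logical_size)]
    kind is 'data' (live file bytes), 'slack' (rest of the file's last
    cluster) or 'unallocated' (clusters no file owns)."""
    out, used = [], set()
    for name, first, n, size in allocated:
        start = first * cluster
        out.append((start, start + size, "data", name))
        out.append((start + size, start + n * cluster, "slack", name))
        used.update(range(first, first + n))
    for c in range(image_len // cluster):
        if c not in used:
            out.append((c * cluster, (c + 1) * cluster, "unallocated", None))
    return sorted(out, key=lambda r: r[0])


def carve_jpegs(image, cluster, allocated):
    """Return [(offset, bytes)] for JPEGs that start outside live file data."""
    found = []
    for start, end, kind, _ in regions(len(image), cluster, allocated):
        if kind == "data":
            continue                      # live files come from the file system view
        pos = start
        while True:
            soi = image.find(JPEG_SOI, pos, end)
            if soi < 0:
                break
            eoi = image.find(JPEG_EOI, soi + 3)   # trailer may lie in a later cluster
            if eoi < 0:
                break
            found.append((soi, image[soi:eoi + 2]))
            pos = eoi + 2
    return found


def slack(image, cluster, allocated, name):
    """Bytes of the named file's last cluster beyond its logical size."""
    for start, end, kind, owner in regions(len(image), cluster, allocated):
        if kind == "slack" and owner == name:
            return image[start:end]
    return b""


def keyword_hits(image, cluster, allocated, word):
    """Every offset of word, labelled with the region kind and owning file."""
    hits, pos = [], 0
    regs = regions(len(image), cluster, allocated)
    while (pos := image.find(word, pos)) >= 0:
        kind, owner = next((k, o) for s, e, k, o in regs if s <= pos < e)
        hits.append((pos, kind, owner))
        pos += len(word)
    return hits


def build_sample_image():
    """Constructed 5-cluster image: clusters 0-1 hold report.txt (5000 bytes)
    on top of an older email, clusters 2-3 held a JPEG that was deleted,
    cluster 4 was never written."""
    img = bytearray(5 * CLUSTER)
    old = b"old email: buy drugs tonight "          # 29 bytes, repeated
    img[CLUSTER:2 * CLUSTER] = (old * (CLUSTER // len(old) + 1))[:CLUSTER]
    img[0:5000] = b"Quarterly report text. ".ljust(5000, b".")
    fake_jpeg = JPEG_SOI + b"\xE0\x00\x10JFIF\x00" + b"\x11" * 5000 + JPEG_EOI
    img[2 * CLUSTER:2 * CLUSTER + len(fake_jpeg)] = fake_jpeg
    allocated = [("report.txt", 0, 2, 5000)]
    return bytes(img), allocated, fake_jpeg


def demo():
    image, allocated, original = build_sample_image()
    carved = carve_jpegs(image, CLUSTER, allocated)
    return {
        "carved": carved,
        "recovered_intact": bool(carved) and carved[0][1] == original,
        "slack": slack(image, CLUSTER, allocated, "report.txt"),
        "drug_hits": keyword_hits(image, CLUSTER, allocated, b"drugs"),
    }


if __name__ == "__main__":
    r = demo()
    print("carved JPEGs at:", [off for off, _ in r["carved"]], "intact:", r["recovered_intact"])
    print("slack of report.txt starts with:", r["slack"][:40])
    print("keyword hits:", r["drug_hits"][:3], "...")
```

The point the constructed image makes: the word "drugs" is nowhere in any live file, only in report.txt's slack, and the carved picture has no name, path or timestamp, which is why the slides warn that image scans give no path information and why the hit's region label belongs in the report.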

Email - Outlook Express

• Under the user profile: Local Settings\Application Data\Identities\…\Microsoft\Outlook Express
• OE Reader (free)
• Mail stored in .dbx files, one per folder; deleted messages stay in the file until the folder is compacted
• Similar tools for Outlook .pst files

Passwords and Encryption

• NTPassword
– http://home.eunet.no/pnordahl/ntpasswd/
– Caveat: it resets the password by writing to the SAM on the disk it boots against; run it only against a working copy, never the original
• Password tools
– http://www.passwordportal.net/
– http://www.brothersoft.com/downloads/crack-password.html
– http://www.elcomsoft.com/index.html
– http://www.accessdata.com/

Steganography and Keystroke Logging

• Steganography
– Try Steganote
• Keystroke logging
– Try 007Starr

Common Forensics Tools

ProDiscover

• Create case
• Add image
• Content View
– Examine deleted files
• Click the check box on an interesting file
• Make a comment
• Gallery view

ProDiscover

• Content Search
– Search for a pattern
• Drugs, sex, etc.
– Click Search Results
• Finds anything: docs and email!
• Search for *.jpg

ProDiscover

• What about files with the wrong extension?
– Pick a folder on the left side
– Tools – Signature Matching
– Export report
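The check behind Signature Matching, as an added example that is not code from the slides or from ProDiscover. It compares the first bytes of each file with known magic numbers and reports a .doc that is really a JPEG or a .jpg that is really a ZIP archive. The signature table is a short assumed subset (a real tool ships hundreds of entries); the files it scans are constructed in a temporary directory. A file with no recognised header is reported as unknown, which covers plain text but also encrypted containers, so unknowns deserve a second look rather than a pass.

```python
"""Flag files whose content does not match their extension.

Added example (not from the slides). Signature table is a small assumed
subset; the scanned files are constructed in a temporary directory.
"""
import os
import tempfile

SIGNATURES = [  # (magic at offset 0, type, extensions that legitimately carry it)
    (b"\xFF\xD8\xFF", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"MZ", "pe", {".exe", ".dll", ".scr"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2", {".doc", ".xls", ".ppt"}),
]


def identify(header):
    """Return (type, legitimate extensions) for the header bytes, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None, set()


def check_file(path):
    """Return (claimed_ext, detected_type, status) where status is
    'ok', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        header = f.read(16)
    kind, exts = identify(header)
    if kind is None:
        status = "unknown"        # text, encrypted, or a type not in the table
    elif ext in exts:
        status = "ok"
    else:
        status = "mismatch"
    return ext, kind, status


def scan_tree(root):
    """Walk root; return (relative path, claimed ext, real type) for every
    file whose extension lies about its content."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext, kind, status = check_file(path)
            if status == "mismatch":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, ext, kind))
    return sorted(findings)


def build_sample_tree():
    """Constructed files: an honest JPEG, a JPEG renamed to hide it as a
    document, a ZIP renamed to look like a photo, and a plain text file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "homework"))
    files = {
        "vacation.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
        "homework/essay.doc": b"\xFF\xD8\xFF\xE1" + b"\x00" * 32,   # image hidden as .doc
        "homework/notes.txt": b"just some text\n",
        "photo.jpg": b"PK\x03\x04" + b"\x00" * 32,                   # archive hidden as .jpg
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, ext, kind in scan_tree(sample):
        print(f"{rel}: named {ext} but content is {kind}")
```

Run it against a mounted read-only copy of the evidence volume, not the original; the findings list is what goes into the exported report, one line per file, so the reviewer can open each by its path.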

Pulling It All Together

You are now…

Dangerous! Keep going!

Questions?

Thank you!

www.speakwisdom.com