Recovering and Examining Computer Forensic Evidence
Noblett, Pollitt, & Presley. Forensic Science Communications, October 2000 (cited by 13 according to Google Scholar).
Presentation by Bryan Pass


Page 1: Title

Recovering and Examining Computer Forensic Evidence
Noblett, Pollitt, & Presley
Forensic Science Communications, October 2000
(Cited by 13 according to Google Scholar)
Presentation by Bryan Pass

Page 2: Significance

"Forensic Science Communications is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists."

- An overview of computer forensic methods from the forensics authority, the FBI.
- Not really new; more of an overview of current methods and thinking.

Page 3: Outline

- Significance
- Open Research Topics
- Computer Forensics for Traditional Crimes
- Computer Forensics for Computer Crimes
- Who are we dealing with?
- Data Recovery
- BackTracker
- S-TLA+

Page 4: Open Research Topics

- Education: how to better educate forensics and computer students about computer security and forensic methods.
- Honeypots / honeynets: setting up networks to attract hackers in order to study how they operate.
- Automated log examination: filtering raw data to lower the amount of information that a human has to review.
- Data recovery: recovering data from physically damaged media, as well as recovering intentionally deleted information.

Page 5: Computer Forensics for Traditional Crimes

- Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
- Computer evidence is becoming more and more commonplace in investigations of traditional crimes.
- Focus on extracting text, spreadsheets, and other human-readable information.
- Computer forensics relies on extracting only useful information, unlike traditional forensics, which attempts to gather all information from a piece of evidence.
  - 12 GB of printed text data would create a stack of paper 24 stories high.

Page 6: Traditional Crimes (cont.)

- Constantly adapting to changing technology instead of static techniques (fingerprinting, DNA analysis, etc.).
- Set procedures and guidelines are difficult or impossible to follow because of the variation in equipment used: operating system, file system, physical medium, and application.
- Can make copies of the original evidence.
  - Verification of the copy.
- Privacy / legality concerns.
  - Attorney's data protected by confidentiality.
  - E-mail or file servers with many users.
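The "verification of the copy" bullet is the step that makes a working image admissible: the original is hashed as it is read, the copy is hashed independently after it is written, and the two digests must agree. The following is an added example, not code from the paper or the presentation; it images a constructed file of random bytes (standing in for a drive) with SHA-256 and then shows that a single flipped bit in the copy makes re-verification fail. The file names and the use of a temporary directory are assumptions for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB pieces: a real image never fits in memory


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(src: str, dst: str) -> dict:
    """Copy src to dst byte for byte, hashing the source as it is read,
    then hash the finished copy independently. Only a matching pair of
    digests makes the copy a usable working image."""
    h_src = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_src.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())  # bytes must be on the medium before re-reading
    source_digest = h_src.hexdigest()
    copy_digest = sha256_file(dst)
    return {
        "source": source_digest,
        "copy": copy_digest,
        "verified": source_digest == copy_digest,
    }


def demo() -> tuple:
    """Constructed sample: a small 'drive' of random bytes (deliberately not a
    multiple of CHUNK, so the short tail block is exercised) is imaged once;
    then one bit of the copy is flipped to show that verification fails."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "suspect_disk.raw")   # assumed name
        dst = os.path.join(workdir, "suspect_disk.dd")    # assumed name
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))

        good = image_and_verify(src, dst)

        # Simulate a bad sector or tampering on the copy after imaging.
        with open(dst, "r+b") as f:
            f.seek(CHUNK + 7)
            original = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([original[0] ^ 0x01]))

        bad = {"source": good["source"], "copy": sha256_file(dst)}
        bad["verified"] = bad["source"] == bad["copy"]
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("after imaging :", "OK" if good["verified"] else "MISMATCH", good["copy"])
    print("after bit flip:", "OK" if bad["verified"] else "MISMATCH", bad["copy"])
```

In practice the source sits behind a hardware write blocker so that the act of imaging cannot alter it, both digests are recorded in the chain-of-custody notes, and every later working copy is re-verified against the recorded source digest rather than against another copy.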

Page 7: (figure)

A Three-Level Hierarchical Model for Developing Guidelines for Computer Forensic Evidence

Page 8: Computer Forensics for Computer Crimes

- Focus on analyzing log data from computer systems.
- Often one attack impacts multiple applications, physical systems, and even companies:
  - logs from applications on the target machine
  - logs from other affected machines
  - logs from routers, edge routers, firewalls, etc.

Page 9: Computer Crimes (cont.)

- Different crimes could result in very different kinds of evidence:
  - a DDoS could produce router logs and packet captures
  - a defacement could produce application logs, router logs, and more traditional evidence (linguistics, etc.)
- Routinely create legal nightmares of crossed borders and innocent participants:
  - data recovery techniques
  - encryption schemes and export laws
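Pages 4, 8 and 9 together describe the same job: pull logs from the web server, the firewall and the edge router, filter them down to what concerns the suspect, and line them up in one order. The hard part is that each source has its own timestamp format and clock zone. The following is an added example, not code from the paper or the presentation; it runs that correlation over constructed sample lines (a web server logging in US Eastern, a firewall whose syslog has no year and no zone, a router exporting ISO 8601 with an offset), normalises everything to UTC and returns the suspect's timeline. The addresses, host names and the assumption that the firewall logs in UTC in the year 2000 are all made up for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample lines (not from the paper): three sources, three
# timestamp conventions, one attacker address touching a web server.
APACHE_ACCESS = [  # web server clock is US Eastern (-0400)
    '203.0.113.7 - - [12/Oct/2000:03:14:07 -0400] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 200 512',
    '198.51.100.2 - - [12/Oct/2000:03:14:09 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [12/Oct/2000:03:15:30 -0400] "PUT /index.html HTTP/1.0" 201 0',
]
FIREWALL_SYSLOG = [  # syslog: no year, no zone; assumed to be UTC, year 2000
    "Oct 12 07:13:58 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Oct 12 07:16:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
]
ROUTER_FLOWS = [  # edge router exports ISO 8601 with an explicit offset
    "2000-10-12T07:13:57+00:00 edge1 netflow src=203.0.113.7 dst=192.0.2.10 dport=80 bytes=1200",
]

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
FIREWALL_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (ACCEPT|DROP) .*SRC=(\S+) .*DPT=(\d+)")
ROUTER_RE = re.compile(r"^(\S+) (\S+) netflow src=(\S+) dst=(\S+) dport=(\d+)")


@dataclass(order=True)
class Entry:
    utc: datetime      # first field, so sorting orders by normalised time
    source: str
    src_ip: str
    detail: str


def parse_apache(line: str) -> Optional[Entry]:
    m = APACHE_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Entry(when, "web", ip, f"{request} -> {status}")


def parse_firewall(line: str, year: int = 2000) -> Optional[Entry]:
    """Syslog lines carry neither year nor zone: both come from the analyst's
    collection notes (assumed here: year 2000, clock in UTC)."""
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    ts, host, verdict, ip, dport = m.groups()
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Entry(when, host, ip, f"{verdict} tcp/{dport}")


def parse_router(line: str) -> Optional[Entry]:
    m = ROUTER_RE.match(line)
    if not m:
        return None
    ts, host, src, dst, dport = m.groups()
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return Entry(when, host, src, f"flow to {dst}:{dport}")


def build_timeline(suspect_ip: str) -> List[Entry]:
    """Parse every source, keep only lines about the suspect address, and
    order what remains by UTC time: the filtering step of page 4 applied to
    the multi-source evidence of pages 8 and 9."""
    entries = [parse_apache(l) for l in APACHE_ACCESS]
    entries += [parse_firewall(l) for l in FIREWALL_SYSLOG]
    entries += [parse_router(l) for l in ROUTER_FLOWS]
    return sorted(e for e in entries if e is not None and e.src_ip == suspect_ip)


if __name__ == "__main__":
    for e in build_timeline("203.0.113.7"):
        print(e.utc.isoformat(), e.source.ljust(6), e.detail)
```

The ordering only means something once every clock has been reconciled: the web server's 03:14 and the firewall's 07:13 are a minute apart, not four hours, and a firewall line with no year placed in the wrong year lands in the wrong timeline altogether. Record each device's clock offset from a reference at collection time and apply it here before trusting the sequence.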

Page 10: Who are we dealing with?

- Determining the sophistication of the suspects.
- Tamper alarms and traps.
  - Must appear like a normal user to the device.
- Cutting the power might not be a good idea.
  - Information in volatile memory, even information the user didn't know was there.

Page 11: Data Recovery

- Physical damage.
  - It might be harder than you think to destroy a medium beyond partial reconstruction.
  - Clean rooms.
  - Expensive and time consuming: is it worth it for the crime being investigated?
  - Using magnetometers to reconstruct disk images.
- How to really erase something.
  - Overwrite with 0, with random, with patterns, with the complement.
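Both halves of this slide come down to one fact: deleting a file removes its directory entry, not its bytes. The following is an added example, not code from the paper or the presentation; it models a disk as a byte array with a directory table, "deletes" a PNG-shaped file, carves it back by scanning the raw bytes for the PNG header and IEND trailer, and then applies the zero / complement / random overwrite passes the slide lists and shows that carving finds nothing afterwards. The toy volume layout, file name and offset are assumptions for the demo.

```python
import os

PNG_SIG = b"\x89PNG\r\n\x1a\n"                  # fixed 8-byte PNG file header
PNG_END = b"\x00\x00\x00\x00IEND\xaeB`\x82"      # zero-length IEND chunk plus its CRC
FILLER = b"lorem ipsum dolor sit amet "          # deterministic filler: no accidental headers


class ToyVolume:
    """A toy disk: a flat byte array plus a directory {name: (offset, length)}.
    As on real file systems, deleting a file drops only the directory entry;
    the data stays until something overwrites it."""

    def __init__(self, size: int) -> None:
        self.data = bytearray((FILLER * (size // len(FILLER) + 1))[:size])
        self.directory = {}

    def write_file(self, name: str, offset: int, content: bytes) -> None:
        self.data[offset:offset + len(content)] = content
        self.directory[name] = (offset, len(content))

    def delete_file(self, name: str) -> None:
        del self.directory[name]          # metadata gone, bytes untouched

    def carve_png(self) -> list:
        """Signature carving: ignore the directory and scan the raw bytes for
        header..IEND spans. Returns [(offset, bytes), ...]. Only contiguous
        files are recovered this way; fragmentation defeats a simple carver."""
        found, pos = [], 0
        while True:
            start = self.data.find(PNG_SIG, pos)
            if start < 0:
                break
            end = self.data.find(PNG_END, start)
            if end < 0:
                break
            end += len(PNG_END)
            found.append((start, bytes(self.data[start:end])))
            pos = end
        return found

    def overwrite(self, offset: int, length: int) -> list:
        """Three-pass overwrite of a region: zeros, the bitwise complement of
        what is there, then random bytes, with a read-back check at the end."""
        region = slice(offset, offset + length)
        passes = []
        self.data[region] = bytes(length)
        passes.append("zeros")
        self.data[region] = bytes(b ^ 0xFF for b in self.data[region])
        passes.append("complement")
        final = os.urandom(length)
        self.data[region] = final
        passes.append("random")
        if bytes(self.data[region]) != final:
            raise RuntimeError("read-back after overwrite does not match")
        return passes


def demo() -> dict:
    """Constructed scenario: write a PNG-shaped file, delete it, carve it back,
    overwrite the carved span, carve again."""
    # Header, an IHDR chunk with made-up fields and CRC, then IEND.
    png = (PNG_SIG + b"\x00\x00\x00\x0dIHDR"
           + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00" + b"\x90\x91h6"
           + PNG_END)
    vol = ToyVolume(4096)
    vol.write_file("photo.png", 1500, png)      # assumed name and offset
    carved_live = vol.carve_png()
    vol.delete_file("photo.png")
    carved_deleted = vol.carve_png()            # still there: only metadata was removed
    offset, blob = carved_deleted[0]
    passes = vol.overwrite(offset, len(blob))
    carved_wiped = vol.carve_png()              # nothing left to find
    return {
        "directory_after_delete": dict(vol.directory),
        "carved_live": carved_live,
        "carved_deleted": carved_deleted,
        "recovered_intact": carved_deleted[0][1] == png,
        "passes": passes,
        "carved_wiped": carved_wiped,
    }


if __name__ == "__main__":
    r = demo()
    print("carved after delete:", [(o, len(b)) for o, b in r["carved_deleted"]])
    print("passes:", r["passes"], "carved after wipe:", r["carved_wiped"])
```

Two caveats a practitioner would add to the slide. First, overwriting logical sectors only works on media that write in place; flash and SSDs remap writes, so the old copy can survive in cells the host can never address, and a device-level sanitize or cryptographic erase is the only reliable option there. Second, the multi-pass patterns date from an era of low-density drives; for modern magnetic disks NIST SP 800-88 treats a single verified overwrite as sufficient, and the verification (the read-back above) matters more than the pass count.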

Page 12: BackTracker

- Backtracking intrusions.
- Logs access to other processes, files, sockets, etc.
- Constructs a timeline of what happens after the initial intrusion.

(figure: filtered dependency graph for the bind attack)
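BackTracker's core idea is a backward walk over logged dependencies: start from the detection point (say, a modified /bin/ps), pull in every earlier event that could have affected it, and repeat for each object so pulled in, with each object carrying a time bound so that later, unrelated activity stays out of the graph. The following is an added example, not the BackTracker code or the paper's data; it implements that walk over a constructed event log shaped like the slide's bind scenario (attacker reaches the name server, spawns a shell, fetches and installs a rootkit) with unrelated cron and sshd activity mixed in as noise. Object names, PIDs, addresses and timestamps are all made up.

```python
from collections import namedtuple

# One recorded dependency: at time t, object `src` could have affected object
# `dst` (a process writing a file, a fork, a socket read, a file read ...).
Event = namedtuple("Event", "t src dst action")

# Constructed event log (not the paper's data), in the spirit of the bind example.
EVENTS = [
    Event(1, "socket:10.0.0.5:4444", "proc:named[101]", "read"),   # attacker hits BIND
    Event(2, "proc:named[101]", "proc:sh[102]", "fork"),           # shell spawned
    Event(3, "proc:sh[102]", "proc:wget[103]", "fork"),
    Event(4, "socket:10.0.0.5:80", "proc:wget[103]", "read"),      # download
    Event(5, "proc:wget[103]", "file:/tmp/rootkit.tgz", "write"),
    Event(6, "proc:sh[102]", "proc:install[104]", "fork"),
    Event(7, "file:/tmp/rootkit.tgz", "proc:install[104]", "read"),
    Event(8, "proc:install[104]", "file:/bin/ps", "write"),        # detection point
    Event(9, "proc:cron[50]", "file:/var/log/cron", "write"),      # unrelated noise
    Event(10, "proc:sshd[60]", "proc:bash[61]", "fork"),           # unrelated noise
]


def backtrack(events, detection_object, detection_time, ignore=()):
    """Return the set of events that could have led to `detection_object`
    being in its state at `detection_time`.

    Each object carries a time bound: it matters only up to the latest moment
    at which it could have affected something already in the graph. Walking
    events backwards under that bound is what keeps unrelated later activity
    out. Objects in `ignore` (known noise sources) are never followed."""
    bound = {detection_object: detection_time}
    graph = set()
    work = [detection_object]
    while work:
        obj = work.pop()
        for e in events:
            if e.dst != obj or e.t > bound[obj] or e.src in ignore:
                continue
            graph.add(e)
            if e.src not in bound or bound[e.src] < e.t:
                bound[e.src] = e.t      # src matters up to time e.t
                work.append(e.src)      # (re)expand under the looser bound
    return graph


def entry_points(graph):
    """Objects in the graph that nothing else affected: where the intrusion came in."""
    affected = {e.dst for e in graph}
    return sorted({e.src for e in graph if e.src not in affected})


def timeline(graph):
    """The filtered graph in time order: what happened after the initial intrusion."""
    return sorted(graph, key=lambda e: e.t)


if __name__ == "__main__":
    g = backtrack(EVENTS, "file:/bin/ps", 8)
    for e in timeline(g):
        print(f"t={e.t:2d} {e.src} --{e.action}--> {e.dst}")
    print("entry points:", entry_points(g))
```

The walk reaches both attacker sockets and none of the cron or sshd activity, which is the "filtered" in the slide's figure caption: the filtering is a consequence of the time bounds, not of a separate allow-list. The `ignore` parameter is for the remaining noise the bounds cannot remove, such as objects that everything reads and writes (the paper discusses such cases; this toy uses an explicit list for them).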

Page 13: S-TLA+

- A formal logic-based language for computer forensics investigations.
- Describes evidence; helps construct and test hypotheses for hacking scenarios.
- S-TLAC: an automated formal verification tool.
- Doesn't seem to really be useful at all.

Page 14: References

"Recovering and Examining Computer Forensic Evidence." Noblett, Pollitt, & Presley. Forensic Science Communications, October 2000. (http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm) (Cited by 13).

"Backtracking Intrusions." King & Chen. ACM Transactions on Computer Systems, February 2005. (Cited by 29).

"A Formal Logic-based Language and an Automated Verification Tool for Computer Forensic Investigation." Rekhis & Boudriga. 2005 ACM Symposium on Applied Computing.