Recovering and Examining Computer Forensic Evidence
Noblett, Pollit, & Presley. Forensic Science Communications
October 2000
(Cited by 13 according to Google Scholar)
Presentation by Bryan Pass
Significance
- "Forensic Science Communications is a peer-reviewed forensic science journal published quarterly in January, April, July, and October by FBI Laboratory personnel. It is a means of communication between forensic scientists."
- An overview of computer forensic methods from the forensics authority, the FBI.
- Not really new, more of an overview of current methods and thinking.
Outline
- Significance
- Open Research Topics
- Computer Forensics for Traditional Crimes
- Computer Forensics for Computer Crimes
- Who are we dealing with?
- Data Recovery
- BackTracker
- S-TLA+
Open Research Topics
- Education – How to better educate forensics and computer students about computer security and forensic methods
- Honeypots / Honeynets – Setting up networks to attract hackers in order to study how they operate
- Automated log examination – Filtering raw data to lower the amount of information that a human has to review
- Data Recovery – Recovering data from physically damaged media as well as recovering intentionally deleted information
Computer Forensics for Traditional Crimes
- Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
- Computer evidence is becoming more and more commonplace in investigations of traditional crimes.
- Focus on extracting text, spreadsheets, and other human-readable information.
- Computer forensics relies on extracting only useful information, unlike traditional forensics, which attempts to gather all information from a piece of evidence.
  - 12 GB of printed text data would create a stack of paper 24 stories high.
Traditional Crimes (cont.)
- Constantly adapting to changing technology instead of static techniques
  - Fingerprinting, DNA analysis, etc.
- Set procedures and guidelines are difficult or impossible to follow because of the variation in equipment used
  - Operating system, file system, physical medium, and application
- Can make copies of the original evidence
  - Verification of copy
- Privacy / legality concerns
  - Attorney's data protected by confidentiality
  - E-mail or file servers with many users
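The slide notes that, unlike physical evidence, the original medium can be copied and the copy verified. The standard way to do that is to hash the original at acquisition time and re-hash every working copy before it is examined. The following is an added example, not code from the paper or the presentation: it hashes a constructed in-memory "disk image" with SHA-256, compares a bit-for-bit copy, a copy with one flipped bit, and a truncated copy, and on a mismatch reports the offset where the copy first diverges. The image bytes and offsets are made up for the example.

```python
import hashlib
import io
from typing import BinaryIO, Dict, Optional


def sha256_stream(fh: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash an image in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where a and b differ, or None if identical.
    A copy that is a strict prefix of the original differs at its own length."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_copy(original: bytes, copy: bytes) -> Dict[str, object]:
    """Hash both images and report whether they match.
    On mismatch, locate where the copy diverges so the examiner knows
    whether the image was altered or simply cut short."""
    orig_hash = sha256_stream(io.BytesIO(original))
    copy_hash = sha256_stream(io.BytesIO(copy))
    match = orig_hash == copy_hash
    return {
        "original_sha256": orig_hash,
        "copy_sha256": copy_hash,
        "match": match,
        "first_diff_offset": None if match else first_difference(original, copy),
    }


# Constructed sample "disk image" (not real evidence): a two-byte boot
# signature followed by repeated text, 1022 bytes in total.
ORIGINAL_IMAGE = b"\x55\xaa" + b"Constructed evidence image block. " * 30
GOOD_COPY = bytes(ORIGINAL_IMAGE)          # bit-for-bit copy
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[100] ^= 0x01                      # one flipped bit at offset 100
BAD_COPY = bytes(_tampered)
TRUNCATED_COPY = ORIGINAL_IMAGE[:-7]        # imaging stopped 7 bytes early

if __name__ == "__main__":
    for name, img in [("good", GOOD_COPY), ("bad", BAD_COPY), ("truncated", TRUNCATED_COPY)]:
        print(name, verify_copy(ORIGINAL_IMAGE, img))
```

In practice the acquisition hash is recorded in the chain-of-custody record and the working copy is re-hashed before and after each examination; a later mismatch with no recorded first-difference offset is a reason to re-image, not to keep analysing.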
(Figure: A Three-Level Hierarchical Model for Developing Guidelines for Computer Forensic Evidence)
Computer Forensics for Computer Crimes
- Focus on analyzing log data from computer systems
- Often one attack impacts multiple applications, physical systems, and even companies
  - Logs from applications on the target machine
  - Logs from other affected machines
  - Logs from routers, edge routers, firewalls, etc.
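The slide lists logs from the target application, from other affected machines, and from routers and firewalls; the open research topic of "automated log examination" earlier in the deck is about reducing exactly this pile to what a human must read. The following is an added example, not from the paper or the presentation, showing the two steps that make such a review possible: normalising differently formatted log lines to one event record with a comparable timestamp, then merging them into a single timeline and filtering on one attribute (here the source address). The web server, firewall, and SSH log lines are constructed for the example, as is the 2000 year supplied for the syslog lines, which carry no year of their own.

```python
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime            # normalised to a timezone-aware UTC datetime
    source: str             # which host or log the line came from
    src_ip: Optional[str]   # client / source address, if the line has one
    message: str


# Constructed sample logs (not real captures); addresses are documentation ranges.
APP_LOG = """\
203.0.113.7 - - [12/Oct/2000:14:01:03 +0000] "GET /index.html HTTP/1.0" 200 1024
203.0.113.7 - - [12/Oct/2000:14:01:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.0" 500 0
198.51.100.2 - - [12/Oct/2000:14:01:15 +0000] "GET /about.html HTTP/1.0" 200 512
"""
FIREWALL_LOG = """\
Oct 12 14:00:58 edge kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 12 14:02:30 edge kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=22
Oct 12 14:02:31 edge kernel: IN=eth0 SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP DPT=80
"""
AUTH_LOG = """\
Oct 12 14:02:35 db01 sshd[412]: Accepted password for backup from 203.0.113.7 port 4120
Oct 12 14:05:00 db01 sshd[419]: Accepted publickey for admin from 192.0.2.5 port 51000
"""

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
SYSLOG_RE = re.compile(r'^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
IP_RE = re.compile(r'(?:SRC=|from )(\d{1,3}(?:\.\d{1,3}){3})')


def parse_apache(text: str, source: str = "webapp") -> List[Event]:
    """Common Log Format lines carry their own date, year and UTC offset."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, would be counted in practice
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(ts, source, m.group(1), f"{m.group(3)} -> {m.group(4)}"))
    return events


def parse_syslog(text: str, year: int) -> List[Event]:
    """BSD syslog lines have no year; the caller supplies it (assumed 2000 here).
    Timestamps are treated as UTC; real hosts need their clock offsets recorded."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(
            year=year, tzinfo=timezone.utc)
        ip = IP_RE.search(m.group(3))
        events.append(Event(ts, m.group(2), ip.group(1) if ip else None, m.group(3)))
    return events


def build_timeline(*event_lists: List[Event]) -> List[Event]:
    """Merge events from every source into one list ordered by time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.ts)


def filter_by_ip(events: List[Event], ip: str) -> List[Event]:
    """Keep only the events attributable to one source address."""
    return [e for e in events if e.src_ip == ip]


if __name__ == "__main__":
    timeline = build_timeline(parse_apache(APP_LOG),
                              parse_syslog(FIREWALL_LOG, 2000),
                              parse_syslog(AUTH_LOG, 2000))
    for e in filter_by_ip(timeline, "203.0.113.7"):
        print(e.ts.isoformat(), e.source, e.message)
```

The merged timeline shows why cross-source logs matter: the firewall sees the first connection before the web server logs it, and the later SSH login on a second host only becomes suspicious once it is placed after the failed CGI request from the same address.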
Computer Crimes (cont.)
- Different crimes could result in very different kinds of evidence
  - DDoS could produce router logs and packet captures
  - Defacement could produce application logs, router logs, and more traditional evidence (linguistics, etc.)
- Routinely create legal nightmares of crossed borders and innocent participants
  - Data recovery techniques
  - Encryption schemes and export laws
Who are we dealing with?
- Determining the sophistication of the suspects
  - Tamper alarms and traps
  - Must appear like a normal user to the device
- Cutting the power might not be a good idea
  - Information in volatile memory even the user didn't know was there
Data Recovery
- Physical damage
  - It might be harder than you think to destroy a medium beyond partial reconstruction
  - Clean rooms
  - Expensive and time consuming – is it worth it for the crime being investigated?
  - Using magnetometers to reconstruct disk images
- How to really erase something
  - Overwrite with 0, with random data, with patterns, with the complement
BackTracker
- Backtracking Intrusions
- Log access to other processes, files, sockets, etc.
- Construct a timeline of what happens after the initial intrusion
(Figure: filtered dependency graph for bind attack)
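The BackTracker idea on this slide is that if the system logs which process touched which file, socket, or child process, an examiner can start from the one object known to be compromised (the detection point) and walk the dependencies backwards in time to the process and connection that started it. The following is an added example written for this page, not code from King & Chen's BackTracker or from the presentation: it takes a constructed list of operating-system events, turns each into a directed "can influence" edge (a read, receive or exec lets the object influence the process; a write, send or fork lets the process influence the object), and then follows edges backwards from a detection point, keeping only events that happened no later than the point at which the dependent node was reached. Node names, process ids, and timestamps are made up.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    time: int        # logical timestamp; a real log would use a clock value
    subject: str     # the process performing the operation
    op: str          # read / recv / exec / write / send / fork
    obj: str         # file, socket, or child process acted upon


# Direction in which information can flow for each logged operation.
OBJECT_TO_SUBJECT = {"read", "recv", "exec"}   # object influences the process
SUBJECT_TO_OBJECT = {"write", "send", "fork"}  # process influences the object


def to_edges(events: List[Event]) -> List[Tuple[int, str, str, Event]]:
    """Map each event to (time, source node, destination node, event)."""
    edges = []
    for e in events:
        if e.op in OBJECT_TO_SUBJECT:
            edges.append((e.time, e.obj, e.subject, e))
        elif e.op in SUBJECT_TO_OBJECT:
            edges.append((e.time, e.subject, e.obj, e))
        else:
            raise ValueError(f"unknown operation {e.op!r}")
    return edges


def backtrack(events: List[Event], detection_node: str,
              detection_time: int) -> Tuple[Set[str], List[Event]]:
    """Return the nodes that could have influenced detection_node by
    detection_time, and the events (in time order) forming those chains.
    bound[n] is the latest time at which an event into n still matters;
    reaching n again with a later bound re-opens it."""
    incoming: Dict[str, List[Tuple[int, str, Event]]] = defaultdict(list)
    for t, src, dst, e in to_edges(events):
        incoming[dst].append((t, src, e))

    bound: Dict[str, int] = {detection_node: detection_time}
    work = [detection_node]
    used: Set[Event] = set()
    while work:
        node = work.pop()
        for t, src, e in incoming[node]:
            if t <= bound[node]:
                used.add(e)
                if src not in bound or bound[src] < t:
                    bound[src] = t
                    work.append(src)
    return set(bound), sorted(used, key=lambda e: e.time)


def describe(chain: List[Event]) -> List[str]:
    """Render the recovered chain as readable edge lines for a report."""
    return [f"t={e.time}: {e.subject} {e.op} {e.obj}" for e in chain]


# Constructed event log (not a real capture). The detection point is the
# unexpected write to /etc/passwd at t=6.
SAMPLE_EVENTS = [
    Event(0, "proc:syslogd[30]", "write", "file:/var/log/messages"),
    Event(1, "proc:sshd[412]", "recv", "sock:203.0.113.7:4120"),
    Event(2, "proc:sshd[412]", "fork", "proc:bash[420]"),
    Event(3, "proc:bash[420]", "write", "file:/tmp/.x"),
    Event(4, "proc:bash[420]", "fork", "proc:.x[421]"),
    Event(5, "proc:.x[421]", "read", "file:/tmp/.x"),
    Event(5, "proc:httpd[200]", "recv", "sock:198.51.100.2:3000"),
    Event(6, "proc:.x[421]", "write", "file:/etc/passwd"),
    Event(7, "proc:cron[50]", "read", "file:/etc/passwd"),
]

if __name__ == "__main__":
    nodes, chain = backtrack(SAMPLE_EVENTS, "file:/etc/passwd", 6)
    print("\n".join(describe(chain)))
```

Two of the nine events never appear in the result: the syslog write and the httpd connection are unrelated to the chain, and cron reading /etc/passwd at t=7 is after the detection point and so cannot have caused it. That filtering is what turns a full-system log into the small dependency graph shown on the slide.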
S-TLA+
- A formal logic-based language for computer forensics investigations
- Describes evidence, helps construct and test hypotheses for hacking scenarios
- S-TLAC – automated formal verification tool
- Doesn't seem to really be useful at all
References
- "Recovering and Examining Computer Forensic Evidence." Noblett et al. Forensic Science Communications. October 2000. (http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm) (Cited by 13).
- "Backtracking Intrusions." King & Chen. ACM Transactions on Computer Systems. February 2005. (Cited by 29).
- "A Formal Logic-based Language and an Automated Verification Tool For Computer Forensic Investigation." Rehkis & Boudriga. 2005 ACM Symposium on Applied Computing.