test power points

Upload: mike0705

Post on 14-Apr-2018

  • 7/27/2019 Test Power Points

    1/205

    Florida Atlantic University

    Information Technology and Operations Management

    ISM 4324 Computer Forensics

    Course Introduction

    and Chapter 1

  • 2/205

    ISM 4324 Intro and Chapter 1

    FOUNDATIONS OF DIGITAL FORENSICS

    Chapter 1

  • 3/205

    Crime

    Nearly every crime contains a digital component

    Cell Phones

    Computer Files

    Internet History

    Email

    Digital Photos

    Social Networking: Facebook, Google+, Twitter, etc.

  • 4/205

    Crime

    Some common crimes are especially heavy in the use of digital technologies

    Child Pornography

    Hacking

    Financial Fraud

    Embezzlement

    Credit Card Fraud

    Money laundering

  • 5/205

    Digital Evidence

    "any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" (Page 7)

  • 6/205

    Categories of Computer Systems

    Open Systems

    PCs, Desktops, or Servers

    Communication Systems: Internet (routers, etc.), telephones, wireless access points, internet service providers

    Embedded Computer Systems

    DVD players, navigation systems, alarm systems, car computers

  • 7/205

    Digital Forensics Awareness

    Individuals with no formal training are becoming aware of digital evidence and basic handling requirements

    Many of these individuals make incorrect assumptions regarding the handling of evidence and forensic techniques.

  • 8/205

    Digital Forensics

    Relatively new

    Constantly changing

    Techniques and knowledge learned one year may be obsolete the next

  • 9/205

    What is Forensics?

    Deriving scientific meaning from events and information

    Tying events and information together

    Searching for hidden details

    Investigation with a minimization of damage to evidence

  • 10/205

    Evidence Exchange

    Locard's Exchange Principle

    Interaction between two items will create evidence of the interaction

    Discussion between two people

    Fingerprints on a gun

    Visiting a website

    Sending an email to another person

  • 11/205

    FIGURE 1.1 Evidence transfer in the physical and digital dimensions helps investigators establish connections between victims, offenders, and crime scenes.

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

  • 12/205

    Forensic Soundness

    Preservation of evidence

    Limited Possibility of alteration

    Able to identify who handled it

    Collected in a way generally accepted amongst peers

    Able to authenticate the evidence (See page 21)

  • 13/205

    Chain of Custody

    Extremely important in digital forensics

    Who handled the evidence and when?

    Has the evidence been altered?

    Needs to be documented whenever custody of the evidence changes

  • 14/205

    Evidence Integrity

    Proves that the evidence has not been altered

    In digital forensics, this is usually achieved through the use of MD5 or SHA1 checksums (digital fingerprint)

    Can be used to re-establish chain of custody if it is broken
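The two slides above (chain of custody and evidence integrity) describe a procedure: hash the acquired image, record who held it and when, and re-hash at every hand-off so a break in custody can be bridged by matching checksums. The script below is an added example and is not code from the course or the textbook. Its evidence image is a byte string constructed inline (a real examiner would stream the image file from disk), and the custody log is kept in memory rather than in a case-management system; both are assumptions of the example.

```python
"""Evidence integrity and chain of custody with checksums (added example)."""
import datetime
import hashlib

# Constructed sample "disk image": a fake boot sector plus filler bytes.
EVIDENCE_IMAGE = b"FAKE-MBR" + bytes(range(256)) * 2 + b"\x55\xaa"


def fingerprint(data: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Digest the image with each algorithm, hashing in fixed-size chunks.

    MD5 and SHA-1 are the checksums the slides name; SHA-256 is recorded
    alongside them because both older algorithms have known collision
    attacks, so a second, stronger digest is prudent.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), 4096):
        chunk = data[offset:offset + 4096]   # chunking keeps memory flat
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class CustodyLog:
    """Records who handled an item, when, and whether its hashes still match."""

    def __init__(self, evidence_id: str, data: bytes, collected_by: str):
        self.evidence_id = evidence_id
        self.baseline = fingerprint(data)          # acquisition hashes
        self.entries = [{"event": "collected", "by": collected_by,
                         "at": self._now(), "intact": True}]

    @staticmethod
    def _now() -> str:
        return datetime.datetime.now(datetime.timezone.utc).isoformat()

    def verify(self, data: bytes) -> bool:
        """True only if every recorded digest still matches the baseline."""
        return fingerprint(data) == self.baseline

    def transfer(self, from_person: str, to_person: str, data: bytes) -> bool:
        """Log a custody change, re-hashing on receipt; returns the intact flag."""
        intact = self.verify(data)
        self.entries.append({"event": "transfer", "from": from_person,
                             "to": to_person, "at": self._now(),
                             "intact": intact})
        return intact

    def broken_links(self) -> list:
        """Entries where the received item no longer matched the baseline."""
        return [e for e in self.entries if not e["intact"]]


if __name__ == "__main__":
    log = CustodyLog("HDD-001", EVIDENCE_IMAGE, collected_by="examiner A")
    print(log.baseline)
    print("hand-off intact:", log.transfer("examiner A", "lab tech B", EVIDENCE_IMAGE))
```

A matching hash shows that the copy in hand is the same bytes that were hashed at acquisition; it says nothing about whether the acquisition itself was sound (write-blocking, imaging the right device), which is why the collection entry and the examiner's notes still matter.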

  • 15/205

    Objectivity

    Free from bias

    Evidence leads to other evidence and is not based on a personal or gut feeling

    Peer review can be used to help ensure objectivity

    Use scientific method in writing reports.

    Leave out assumptions or beliefs

  • 16/205

    Repeatability

    Another important concept in digital forensics

    Observations and investigations must be repeatable to arrive at the same conclusion

    Requires good documentation of the steps performed in the investigation

  • 17/205

    Challenges with Digital Forensics

    Digital Forensics practitioners oftentimes have no formal investigative knowledge or training

    Digital information is easily altered or deleted, sometimes by accident

    Altered or deleted data could lead to an innocent person going to prison or a guilty person going free

    Digital evidence is usually circumstantial

  • 18/205

    Challenges with Digital Forensics

    Lawyers, courts, and juries oftentimes don't understand digital evidence very well

    Rules and requirements are constantly being created as the legal profession learns more about digital evidence

    Lack of standardized skillset for practitioners

  • 19/205

    Advantages of Digital Evidence

    Can be copied without modification

    Activities to hide digital evidence leave behind their own digital evidence

    Deleted data is often recoverable

    Easy to determine if collected data has been altered

  • 20/205

    Computer Crime Investigations and the Courtroom

    Florida Atlantic University

    Information Technology and Operations Management

    ISM 4324 Computer Forensics

    Computer Crime Investigations and the Courtroom. Ch. 2-3

  • 21/205

    Computer Forensics and the Law

    The basis of computer forensics investigations lies in law

    Law dictates accepted procedures for investigation, what evidence is relevant, and what crime(s), if any, have been committed

    The results of many computer forensics investigations are reported to law enforcement and/or a court

  • 22/205

    Origin of Computer Crime Law

    Florida Computer Crimes Act

    Late 70s

    Unauthorized access is a crime, regardless of malicious intent

    Created in response to an incident at the Flagler Dog Track

    Hacking under Florida law typically falls under this law

  • 23/205

    Origin of Computer Crime Law (Federal)

    Computer Fraud and Abuse Act (CFAA)

    Commonly known as the Federal Hacker Statute

    Unauthorized access to a protected computer is a crime

    Mid 80s

    Hacking under Federal law typically falls under the CFAA

  • 24/205

    What is Computer Crime?

    Crimes that primarily involve the use of computers or digital assets

    Crimes against computer systems

  • 25/205

    What is Digital Evidence?

    Chapter 1 Definition

    "any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" (Page 7)

    E.g. digital pictures, computer files, emails, text messages, etc.

  • 26/205

    What is Physical Evidence?

    Non-digital evidence that can be touched or seen

    Hard drives, gun, broken glass, wrecked car

    Handling is different from digital evidence.

  • 27/205

    Hard Drives as Physical Evidence

    The information contained on a hard drive is usually more important than the drive itself

    Physical hard drives are treated as physical evidence in order to protect the digital evidence from tampering, and to help ensure that digital evidence is authentic.

  • 28/205

    Hardware versus Software

    Hardware is physical; it can be touched. Hard drives, cell phone, monitor, Blu-ray player

    Software is logical information: files, computer programs, etc.

  • 29/205

    Examination versus Analysis

    Examination: Looking at and reviewing collected evidence. Some aspects of this can be automated (searching, string lists)

    Analysis: Taking collected evidence and piecing it together to find out what happened or gain an understanding of relevant events. Requires thinking, which usually precludes the use of automation

  • 30/205

    Department of Justice Computer Evidence Categories

    1. Hardware as Contraband or Fruits of Crime

    2. Hardware as an Instrumentality

    3. Hardware as Evidence

    4. Information as Contraband or Fruits of Crime

    5. Information as an Instrumentality

    6. Information as Evidence

  • 31/205

    DOJ Evidence Categories

    Not mutually exclusive

    Evidence can fall into multiple categories

  • 32/205

    Child Pornography and The Law

    Recurring theme in this course

    Unlike many computer crimes, possession of the material itself is a violation of the law

    Easy to prove, as intent is not necessary for conviction

    Digital fingerprints are used to track down and find victims (National Center for Missing and Exploited Children)

  • 33/205

    FIGURE 3.1 Overview of case/incident resolution process.

  • 34/205

    Expert witness versus a traditional witness

    Traditionally, a witness can only give answers to questions that are asked

    An expert witness, on the other hand, may give opinions and explain answers

    Expert witnesses are called upon due to their expert knowledge or experience within a particular area or field

  • 35/205

    Role of Expert Witnesses in Court

    Help the court come to a conclusion

    Give facts and observations

    Give unbiased opinion (a right that a regular witness does not have)

    Give testimony free from emotion

    Give testimony free from conflict-of-interest

  • 36/205

    Preconceived Theories

    Jumping to conclusions may cause the investigator to come to incorrect conclusions

    Events that occur may not be what they appear to be, e.g. computer intrusion versus disk corruption

    Preconceived theories that are evident in reports may display bias on the part of the investigator

  • 37/205

    Pre-conceived Theories (Continued)

    Essentially, coming up with a theory and using evidence to help that theory rather than the other way around.

  • 38/205

    Avoiding pre-conceived theories

    Everyone creates theories as to what may have happened; it is human nature

    Do not rely on theories to solve a case - follow the evidence

    Evidence leads to new sources of evidence, which should also be investigated.

    Do not avoid investigating sources of evidence just because they may not fit a theory.

  • 39/205

    Legal Judgment Standards

    Civil (Money): Preponderance of the evidence. Is the person more likely guilty than not guilty?

    Criminal (Prison): Beyond a reasonable doubt. Does the evidence prove that the crime was committed by the accused, or is there another possible reasonable explanation?

  • 40/205

    Presenting Evidence to Court

    As mentioned previously, free from bias and emotion

    While technical in nature, processes and procedures need to be explained in such a way that a non-technical person can understand

    Use techniques that are generally accepted by the community of your peers. Note: not required, but helpful

  • 41/205

    Admissibility

    Relevance

    Authenticity

    Not hearsay or admissible hearsay

    Best Evidence*

    Not unduly prejudicial

  • 42/205

    Relevance

    Does the evidence presented have anything to do with the case or charges?

  • 43/205

    Authenticity

    Is the evidence original or an accurate representation?

    For communications, is someone available who can verify that the communications are accurate: the recipient of the email, or a person actually involved in the conversation in question?

  • 44/205

    Hearsay

    Evidence that is second-hand knowledge

    I heard that Ms. Apple shot John with a gun

    Exception: Business Records

  • 45/205

    Best Evidence Rule

    The most original form of evidence available needs to be used unless a genuine question about its authenticity comes into play

    E.g. original hard disks versus copies, original documents versus copies, raw-format email versus formatted email messages

  • 46/205

    Search Warrants

    Discussed in Depth in Chapter 4

    Fourth Amendment protection against unreasonable search and seizure.

    Requires the investigator to convince a judge that evidence of a crime will likely be recovered and that a crime has been committed.

  • 47/205

    Warrantless Search and Seizure

    Allowed when:

    In plain view

    Person gives consent

    Person can withdraw consent

    And exigency

  • 48/205

    Exigency

    Requiring immediate action

    Emergencies involving potential loss of life

    Potential for destruction of evidence

    Warrant is generally necessary to investigate seized evidence in this case

  • 49/205

    Questions to Consider before Seizure

    Does the fourth amendment or ECPA apply?

    Have Fourth Amendment and ECPA requirements been met?

    How long can investigators remain on the scene?

    What do investigators need to re-enter?

  • 50/205

    ECPA

    Electronic Communications Privacy Act

    Protects stored communications

    Public services require a warrant to turn over information to law enforcement; private services do not

  • 51/205

    Reliability of Evidence

    Are systems generating evidence functioning properly and giving expected results?

    Is the evidence accurate?

    Small possibility of tampering does not affect reliability

  • 52/205

    Certainty of Evidence

    Evidence may require more evidence to reach a conclusion due to evidence being more general than exact

    Proxy servers service a lot of clients. A person connecting to a remote server through a proxy server is not identifiable through the remote server logs alone

  • 53/205

    Certainty of Evidence

    If clocks differ, evidence that relies on time might not be reliable without knowing the correct time and the time on the system in question

    This is especially true with access logs involving many connections per second or minute

  • 54/205

    Circumstantial versus Direct Evidence

    Direct Evidence: fact

    Circumstantial: suggests facts. Most computer forensics evidence falls into this category

  • 55/205

    Scientific Evidence

    Daubert rule relies on the following:

    Theory or technique can be/has been tested

    High known or potential rate of error

    Theory or technique has been subject to peer review and publication

    Theory or technique is generally accepted.

    Note: the last two bullet points are no longer required per se due to the Federal Rules of Criminal Procedure

  • 56/205

    Expert's Report

    Walk through investigation

    Steps can be repeated with the same results

    Report is free from bias or opinions

    All supporting evidence documented

    Time/date of steps are documented

  • 57/205

    Report Sections

    Introduction or Executive Summary

    Evidence Summary

    Examination Summary

    File System Examination

    Forensic Analysis and Findings

    Conclusions

  • 58/205

    Testifying

    Voir dire: approved as an expert witness, e.g. the court recognizes the witness's credentials and knowledge in the field.

    Be honest

    Be prepared to defend against attacks on your investigative techniques and findings

    Ask to review your notes if you need to refer back to something

  • 59/205

    Florida Atlantic University

    Information Technology and Operations Management

    ISM 4324 Computer Forensics

    Computer Crime Law and Computer Forensics Basics

  • 60/205

    Computer Crime Law and Computer Forensics Basics

    FEDERAL CYBERCRIME LAW

    Computer Crime Law

  • 61/205

    Computer Fraud and Abuse Act

    Introduced briefly last week

    18 U.S.C. 1030

    Mid 80s

    Altered several times in light of technological advances

  • 62/205

    CFAA Continued

    Criminalizes:

    Unauthorized access to a computer

    Disseminating malicious software

    Launching denial of service attacks

    Trafficking in passwords

    Using computers to commit fraud or extortion

  • 63/205

    CFAA Continued

    Targets conduct directed toward protected computers

    Computers used exclusively by banks or government

    Computers used for interstate commerce

    By definition, this applies to any computer connected to the internet

    See bullets on pages 86-87 for more info

  • 64/205

    Authorization

    Basically, permission

    Having the ability to access something is not the same as permission

    In computer security, the three terms Access, Authentication, and Authorization are distinct

  • 65/205

    Access

    Capability to take, modify, or read something

    Access can exist without authorization (permission)

    E.g. someone accidentally leaves their computer logged in. You may have access to look at files on the computer but lack the permission to do so.

  • 66/205

    Authentication

    Verifying the identity of a person or thing

    Can be people

    Can be computers

    Can be documents or files

    Can be testimony

  • 67/205

    Confidentiality

    Whether or not information is kept secret

    Affecting the confidentiality of something exposes its contents

    E.g. hacking into a computer system and reading files you shouldn't impairs the confidentiality of those files.

  • 68/205

    Integrity

    Whether or not data is accurate or unchanged

    Changing the contents of a file impairs its integrity

  • 69/205

    Availability

    The ability to access data or systems

    Denial of service attacks impair the availability of systems or data

  • 70/205

    Computer

    "electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic or storage functions"

  • 71/205

    Crimes

    Crime               Outsider      Insider
    Intentional Damage  Felony        Felony
    Reckless Damage     Felony        No Crime
    Other Damage        Misdemeanor   No Crime

  • 72/205

    Intent

    Mens Rea

    What was the intent when causing damage?

    Defines Intentional, Reckless and other damage

  • 73/205

    Intentional Damage

    Causing damage that you meant to do

    E.g. Take down a website. Destroy files. Modify financial information

  • 74/205

    Reckless Damage

    Causing damage while not meaning to do so, but as a side result. Non-negligent

    E.g. Try stealing information and accidentally knock a web site out of commission

  • 75/205

    Identity Theft

    18 U.S.C. 1028

    Crime to: knowingly transfer, possess, or use a means of identification of another person without authorization and with intent to commit, or to aid or abet, any unlawful activity

  • 76/205

    Child Pornography

    Sexual depictions of minors (under the age of 18)

    A large portion of computer forensics involves this kind of crime

    Computer forensics can be used to help victims in addition to prosecuting offenders

  • 77/205

    Child Pornography Law Evolution

    1977 Protection of Children against Sexual Exploitation

    1996 Child Pornography Protection Act

  • 78/205

    Protection of Children Against Sexual Exploitation

    Outlawed use of real children

    In the computer age, real pictures of children could be edited to become new pictures, or computers could generate fictional pictures of children

  • 79/205

    Child Pornography Protection Act

    If only pictures of real images were against the law, a defense arose where an offender could claim that their pictures were not pictures of real children

    A new law was passed in 1996 that made the virtual depictions illegal as well

  • 80/205

    Virtual Child Porn

    Originally banned depictions that appeared to be those of children

    Found unconstitutional under the First Amendment because it banned material that did not involve real children.

  • 81/205

    Virtual Child Porn

    Virtual depictions were re-defined as any media that a person would generally find indistinguishable from real children (revision in 2003)

    Did not apply to drawings, cartoons, sculptures or paintings

  • 82/205

    Virtual Child Porn

    Later, obscene child pornography was banned

    Visual depictions such as drawings, cartoons, sculptures and paintings that are obscene

    Unconstitutional because it did not limit the crime to images of actual minors or constitute obscenity

  • 83/205

    Obscenity

    What does the local community consider obscene?

    A work-around to the First Amendment issues experienced in child pornography laws

  • 84/205

    Copyright

    Original creator owns all rights to a work

    Original creator may license those rights

    Original creator or licensee may seek monetary damages from those using or distributing copyrighted works without permission

    Copyright exists at creation of the material. It does not need to be registered.

  • 85/205

    Copyright

    While copyright exists at creation, registration is required to take a civil action.

    Registration is not required for criminal actions

  • 86/205

    Criminal Copyright Infringement

    Remember, Criminal = Jail Time

    Used as a way for government agencies to prosecute mass copyright infringement such as counterfeiters

  • 87/205

    Criminal Copyright Infringement

    Illegal if

    Purpose is for commercial advantage or personal financial gain

    - OR -

    Reproducing works with a total retail value of $2500* in a 180-day period

    * Note typo in book. $2500 not $1000

  • 88/205

    Copyright Infringement

    2005 pre-release piracy

    Copying movies before release

    Making movies available to public

  • 89/205

    First-sale Doctrine

    Purchaser of a copyrighted work has the right to transfer or sell that copy to another individual.

    What about copies of software versus software licenses?

  • 90/205

    DMCA

    Takedown provision to make ISPs or other service providers remove copyrighted materials upon request

    Banned copy-protection circumvention devices

  • 91/205

    No Electronic Theft Act

    Evidence of distribution is not enough to prove willful copyright infringement

  • 92/205

    CONSTITUTIONAL LAW

    Computer Crime Law

  • 93/205

    Fourth Amendment

    Applies to Federal agents, and to state agents

    Fourteenth Amendment applied many amendments to the states.

  • 94/205

    Fourth Amendment

    Freedom from unreasonable search and seizure

    Search and seizure must be performed only with a warrant or under specific exceptions

  • 95/205

    Search and Seizure

    Search

    Intrusion into a reasonable expectation of privacy

    Seizure

    Interference with a person's possessions and/or property

  • 96/205

    Wiretapping (4th Amendment)

    Intercepting content of communications

    A user often expects privacy in their communications. Physical intrusion is not required to make this an unreasonable search and seizure.

  • 97/205

    Wiretapping (Fourth Amendment)

    Includes network traffic, telephone communications and video transmission

    Exceptions:

    If monitoring is to troubleshoot problems, monitor communications from an intruder, or the monitoring is by consent

  • 98/205

    Wiretapping (4th Amendment)

    Traffic data, not contents, is also covered

    Telephone calls to and from numbers

    Web server access logs

    Network packet headers

  • 99/205

    Fifth Amendment

    No one can be compelled as a witness against themselves

    Does not generally apply to electronic communications because the individual was not forced to make statements (testimony)

  • 100/205

    Fifth Amendment

    Regarding encryption, giving up an encryption key can be considered testimony and can be withheld under the Fifth Amendment

  • 101/205

    In-class Discussion

    Other amendments

  • 102/205

    BASIC COMPUTER OPERATIONS

    Computer Basics for Investigators

  • 103/205

    Basic Computer Components

    CPU: Central Processing Unit. Performs mathematical calculations and runs programs. Essentially the logic of a computer. Information is lost when the computer is shut down.

    Hard Disk: Fixed media that stores programs or data. Most information is left intact when the computer shuts down

  • 104/205

    Basic Computer Components

    RAM: Random Access Memory. Temporary storage space for programs and data. Information is lost when the computer is shut down.

    NIC: Network Interface Card. Sends and receives data across a network of computers. Information is lost unless captured in transit

  • 105/205

    Basic Computer Components

    Monitor: Displays pictures and text from a computer. Information is lost if the computer is shut down.

    Printer: Outputs data on a variety of media including paper and canvas. Information is lost if power is removed.

    Computer Startup Software

    BIOS - Basic Input and Output System. Contains information necessary for computer components to communicate with one another, and stores some basic preferences.

    POST - Power-on Self Test. Part of the BIOS that checks hardware at system power on to ensure it is operating correctly.

    Computer Startup Software

    CMOS - Complementary Metal Oxide Silicon. Software that allows the user to modify BIOS configuration information

    Representation of Data

    Binary - Ones and zeros, representing on and off. Most basic number system. Numbering starts at zero. 0001 = 1, 0011 = 3 = (1x2^1 + 1x2^0)

    Hexadecimal - 16 possible values per digit: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F. 1h = 1, 10h = 16 = (1x16^1 + 0x16^0)

    Binary and Hex Practice

    Convert the following to Decimal:

    Binary: 1101, 111, 1001, 11010111

    Hexadecimal: B, 45, C3, 1D5

    Data on Disks

    Data on disks is stored based on the endianness of the processor.

    Little Endian - Places the small end of data first. This is used on Windows computers and the AMD64 architecture.

    456 would be stored as 654 on a disk

    Based on block-size

    File Formats and Carving

    Files typically have a distinctive header and sometimes footer.

    These headers and footers can be used to determine the type of file without relying on an extension

    Because of this, we can recover deleted data from a hard disk and view it regardless of whether we know the filename

    File Formats and Carving

    These headers and footers are commonly referred to as the magic numbers of a file type.

    Example from book: JPEG images start with FF D8 FF E0, or FF D8 FF E1 and have a footer of FF D9.

    Example File Contents

    Disk Organization

    Typically comprised of many sectors of 512 bytes.

    A newer common sector size is 4096 bytes to support larger hard drives such as 3TB disks. The larger sector organization is called Advanced Format

    Disk Organization

    Sectors are grouped together by the file system in groups called clusters (Windows) or blocks (Unix, Linux and Mac)

    File systems are the logical way that an operating system organizes data on a disk, while sectors are used at a physical level.

    Data Hiding and Organization

    Data can be hidden on a disk

    Deleted

    Partially overwritten

    Corrupted

    Hidden in other files

    Encrypted

    Data Carving

    Magic numbers are used by forensics tools to recover files from deleted areas of a hard disk or image and classify data that is found.

    Disk fragmentation causes issues with data carving, but that will be covered later.
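    A carver built on the JPEG magic numbers quoted above, as an added example (not code from the slides or the textbook): it classifies a block by its leading bytes with no extension or file name, recovers every header-to-footer span from a constructed image, and skips a header whose footer has been overwritten. The image layout, sizes and the ZIP-style distractor are constructed for the demonstration.

```python
"""Magic-number file carving over a raw byte image.

Added example, not from the slides or the textbook.  It uses the JPEG header
and footer values quoted on the slide (FF D8 FF E0 / FF D8 FF E1 ... FF D9) to
classify data and recover files with no file name or file system metadata."""
from dataclasses import dataclass
from typing import List, Optional

# Magic numbers for the one file type the slide discusses.  A real carver
# carries a table of many types; the structure is the same.
SIGNATURES = {
    "jpeg": {
        "headers": (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1"),
        "footer": b"\xff\xd9",
    },
}


@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset of the header within the image
    data: bytes   # header through footer, inclusive


def identify(chunk: bytes) -> Optional[str]:
    """Classify a block of data by its leading bytes, ignoring any extension."""
    for kind, sig in SIGNATURES.items():
        if chunk.startswith(sig["headers"]):
            return kind
    return None


def carve(image: bytes, kind: str = "jpeg", max_size: int = 1 << 20) -> List[CarvedFile]:
    """Return every header..footer span of `kind` found in `image`.

    A header with no footer within `max_size` bytes is skipped: that usually
    means the file was partially overwritten or fragmented, which the slides
    note needs separate handling."""
    sig = SIGNATURES[kind]
    found: List[CarvedFile] = []
    pos = 0
    while True:
        hits = [image.find(h, pos) for h in sig["headers"]]
        hits = [h for h in hits if h != -1]
        if not hits:
            break
        start = min(hits)
        end = image.find(sig["footer"], start + 4, start + max_size)
        if end == -1:
            pos = start + 1          # no footer in range: keep scanning
            continue
        end += len(sig["footer"])
        found.append(CarvedFile(kind, start, image[start:end]))
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed 'disk image': 8 zero-filled 512-byte sectors holding one
    intact JPEG-like blob, one whose footer was overwritten, and an unrelated
    ZIP-style header as a distractor."""
    sector = 512
    img = bytearray(sector * 8)
    intact = b"\xff\xd8\xff\xe0" + b"JFIF-data" * 5 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe1" + b"Exif-data" * 3       # no FF D9 follows
    img[sector * 1:sector * 1 + len(intact)] = intact
    img[sector * 4:sector * 4 + len(truncated)] = truncated
    img[sector * 6:sector * 6 + 4] = b"PK\x03\x04"
    return bytes(img)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} at offset {f.offset}, {len(f.data)} bytes")
```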

    Storage Media

    Some varieties of storage media currently in use today include:

    Hard drives - Rigid material with magnetic coating

    USB Flash Drives - rewritable flash memory

    CD/DVD/BD - Recordable and sometimes rewritable optical media read with a red or blue laser.

    Solid State Drives

    A relatively new media has come out in the last few years called solid state drives.

    These drives utilize rewritable flash memory like USB thumb drives, and like USB thumb drives, have a limited number of times data can be written to the drives.

    New mid-2011 drives can only write to the same location 5000 times before the disk loses the ability to store data

    Solid State Drives Continued

    To combat this, SSDs utilize wear-leveling, which causes the drives to remap unused portions of the disk for subsequent writes so a user does not end up with the beginning of a drive unusable, but the rest relatively unused.

    SSDs continued

    This presents some challenges for forensics when trying to recover data; however, some previously overwritten data can sometimes be recovered from the unmapped portions of the disk using utilities provided by the hard drive manufacturer. Accessing this data is often not possible with forensics tools because of the proprietary nature of the drive access mechanisms.

    FIGURE 15.4 Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0). Image from http://www.ntmdt.ru/applicationnotes/MFM/ (reproduced with permission).

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

    Hidden Data Areas on Drives

    Two areas of a disk that are generally not accessible from disk copying tools are the drive configuration overlay (DCO) and the host protected area (HPA).

    DCO specifies the drive geometry and accessible portions of the disk.

    HPA specifies a portion of the disk that is hidden from operating systems for diagnostic or recovery purposes.

    Track 0

    The first track on a hard disk can be used to indicate bad sectors on a disk. Bad sectors can be hiding data that may need to be recovered. This track stores information about bad sectors that are identified by the drive and not the operating system.

    Disks have a number of sectors built in that can be remapped when necessary. The operating system knows nothing about this.

    Disk Organization

    Master Boot Record (MBR)

    Tells the computer how to boot the system

    Stores information regarding the partitions on a system

    Also tells the system where the operating system is located
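    Parsing the MBR partition table from sector 0, as an added example (not code from the slides or the textbook); it also shows the little-endian byte order described earlier, since the 32-bit starting-sector and sector-count fields are stored least-significant byte first. The two-partition sector, the partition type codes and the LBA values are constructed for the demonstration.

```python
"""Parse the partition table of a Master Boot Record.

Added example, not the slide's or textbook's code.  The MBR occupies sector 0:
boot code, then four 16-byte partition entries at offset 446, then the
signature 0xAA55 at offset 510, which appears on disk as the bytes 55 AA
because multi-byte fields are stored little-endian."""
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
MBR_SIGNATURE = 0xAA55        # stored on disk as 55 AA (little-endian)
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
# One entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
ENTRY_FORMAT = "<B3xB3xII"    # '<' = little-endian, 'x' = pad byte


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int       # e.g. 0x0B/0x0C = FAT32, 0x07 = NTFS
    start_lba: int     # first sector of the partition
    sector_count: int


def has_mbr_signature(sector0: bytes) -> bool:
    """True if the sector ends with the 0xAA55 signature (bytes 55 AA)."""
    if len(sector0) != SECTOR:
        return False
    (sig,) = struct.unpack_from("<H", sector0, 510)
    return sig == MBR_SIGNATURE


def parse_mbr(sector0: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries from a 512-byte sector 0."""
    if not has_mbr_signature(sector0):
        raise ValueError("not a valid MBR: wrong length or signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, type_id, start_lba, count = struct.unpack_from(ENTRY_FORMAT, sector0, off)
        if type_id == 0:             # empty slot
            continue
        entries.append(PartitionEntry(i, status == 0x80, type_id, start_lba, count))
    return entries


def little_endian_bytes(value: int, width: int = 4) -> bytes:
    """Show how a value is laid out on disk: low-order byte first."""
    return value.to_bytes(width, "little")


def build_sample_mbr() -> bytes:
    """Constructed sector 0 with two partitions (a bootable FAT32 volume, then
    an NTFS volume).  Boot code is zero-filled; values are illustrative."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack(ENTRY_FORMAT, 0x80, 0x0C, 2048, 204800)
    mbr[462:478] = struct.pack(ENTRY_FORMAT, 0x00, 0x07, 206848, 1843200)
    mbr[510:512] = struct.pack("<H", MBR_SIGNATURE)      # -> 55 AA
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"#{p.index} type={p.type_id:#04x} boot={p.bootable} "
              f"start={p.start_lba} sectors={p.sector_count}")
    print("2048 on disk:", little_endian_bytes(2048).hex(" "))
```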

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

    FIGURE 15.6 Simplified depiction of disk structure with two partitions, each containing a FAT formatted volume.

    File Systems

    In this class, we are primarily interested in Windows file systems:

    FAT32 - Simple file system usually utilized by removable devices.

    NTFS - Used by Windows. Has many features such as permissions, encryption, and compression

    Both of these use clusters as a storage mechanism (groups of sectors)

    Disk Partitions in Windows

    Formatting

    Formatting a drive does not delete the data on a drive; it just marks it as free so the space can be reused. Imaging a formatted drive can recover almost all of the information that was present on the drive.

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

    FIGURE 15.7 Prior folder structure recovered from a reformatted NTFS volume.

    Boot Sector

    The first portion of a volume or partition is the boot sector.

    This sector stores information relating to the partition, such as where the copies of the file allocation table are in the FAT file system, or where the Master File Table (MFT) is located on the NTFS file system

    Volume Slack

    A file system may not take up the entire partition it is written to. The space after the file system but still in the partition is called volume slack.

    This area may have information left over from a previous installation

    Swap Partition or Swap File

    Many operating systems utilize temporary storage space to place contents of system memory on a temporary basis.

    In Windows, this is the swap file

    The swap file may contain additional data that is useful for forensics, but it is not stored in a standard format; it is stored similar to memory structures.

    File Hiding

    Files can be renamed

    Files can be appended to other files

    Files can be encrypted

    Files can be contained in other files such as zip files

    Files can be stored in Alternate Data Streams (ADS)

    Alternate Data Streams

    Alternate Data Streams is a feature of NTFS, where a separate piece of data can be stored with an existing file name.

    Example: cmd.exe has executable data. A second piece of data can be associated with this file, possibly containing contraband

    Florida Atlantic University

    Information Technology and Operations Management

    Chapter 6 Conducting Investigations

    Process Models

    Many different process models for performing forensics investigations exist.

    These differ, but what is actually done in forensics investigations is largely the same; the difference is how different individuals describe the major pieces of the process.

    What are these used for?

    Creating or using a process model helps you to write your own procedures or focus on certain areas to make improvements or potential documentation changes.

    Applying the Scientific Method

    The scientific method should be used in any model.

    Utilizing the scientific method, an examiner looks at and analyzes all relevant information, not just information that fits with any preconceived notions

    Discipline and consistency

    Applying the Scientific Method

    Observation

    Hypothesis

    Prediction

    Experimentation/Testing

    Conclusion

    Observation

    An event occurs that requires investigation.

    Systems administrators tell you that a system was hacked.

    Office worker tells you they saw child pornography on a system.

    Someone commits a murder, and their computer is available.

    Hypothesis

    What happened based on current facts?

    This is a working theory, not a guess.

    If a computer was compromising other computers, a hypothesis may entail "System A was compromised and was used to attack other machines"

    Look at middle of page 205 for hypothesis

    Hypothesis

    Create many hypotheses

    Think about all of the likely events that might have happened.

    Prediction

    Based on the hypothesis, where is relevant evidence potentially located?

    A hacker:

    Intrusion prevention logs

    Firewall logs

    Running processes

    System events

    User profile

    Testing

    Testing of one or more hypotheses using collected evidence.

    Does collected evidence concur with your hypothesis, or does it show that something else might have occurred (alternate explanations)?

    Conclusions

    Can you determine what happened based on the previous steps?

    Does it support the hypothesis, falsify the hypothesis, or is it inconclusive?

    Reporting and Testimony

    Reports should contain all important details

    The methods and procedures used should be documented and explained

    Evidence should be described

    Show any alternative theories that were tested

    Chapter 8 - 9

    Florida Atlantic University

    Information Technology and Operations Management

    ISM 4324 Investigative Reconstruction and Motive

    Investigative Reconstruction

    Reconstruct the incident based on evidence collected

    What happened, when, in what order, and why

    Oftentimes, questions are still left unanswered.

    Locard's Exchange Principle

    Remember from Chapter 1

    When two things come into contact, evidence of that contact is created

    Fingerprints on a gun, internet history from browsing a website, email in sent items when an email is sent

    Behavioral Imprints

    Inference from behavior or evidence

    Points to who did what and possibly when or why

    Can be used to discover modus operandi, info about crime scene, info about victim, and motivation

    Modus Operandi

    Method of Operation

    Behavior of the criminal

    E.g. Always uses Firefox. Always checks reddit, always deletes internet history, etc.

    Any unique or unusual characteristics that are indicative of a particular individual

    Modus Operandi

    Some intruders use special toolkits

    E.g. customized software used for controlling a system

    Investigative Reconstruction

    Can help:

    Develop an understanding of case facts and relations

    Expose important features

    Find hidden evidence

    Anticipate intruder or attacker's next actions

    Link related crimes

    Augment case presentation in court

    Investigator's Duty

    Remember: the investigator's duty is to report scientific fact, not make judgments based on guilt or innocence

    Judgments are left up to courts and juries based on circumstances and facts

    Remain objective

    Investigator's Duty

    Concentrate on evidence and not the suspect

    "this finding is consistent with..."

    "the files found on the suspect's computer were last accessed at ..."

    Note: Not "the suspect accessed the files..."

    Investigator's Duty

    It is easy to become emotional and make your own judgments. Avoid letting these feelings affect your investigation, reconstruction and reporting as much as possible.

    Remember, digital evidence is usually circumstantial; there could be an explanation that absolves the accused

    Equivocal Forensic Analysis

    Evaluate all evidence objectively, and independent of the interpretations of others, to find its true meaning.

    Assume nothing

    Play devil's advocate to help identify other possibilities for interpreting the evidence.

    Page 259

    Corpus Delicti

    Body of the Crime

    Essential facts that show that a crime has been committed

    E.g. Murder: body. Computer hacking: compromised computer or security logs

    Corpus Delicti

    Even if there is enough evidence to show that a crime occurred, there might not be enough evidence to show who did it, or to determine if there were any related crimes.

    Equivocal Forensic Analysis

    Used to ensure that conclusions are accurate

    Incorrect conclusions can be detrimental to the career of the investigator, or the liberty and/or life of an accused individual

    Likewise, this can cause a guilty person to go free.

    Equivocal Forensic Analysis

    Can show mistakes in processing digital evidence

    Also, allows the investigator to become more intimate with the evidence in a case, and able to respond to questions in court far better than if only a basic analysis was performed.

    Equivocal Forensic Analysis

    Should include more than just digital evidence:

    Statements

    Crime scene photos

    Police reports

    Background information

    Maps and drawings

    Reconstruction

    Three categories of analysis:

    Temporal - when

    Relational - who, what, where

    Functional - how

    Temporal Analysis

    Chronological list of when events happened

    8:13 Web server was attacked

    10:33 Web server started sending out spam

    15:21 Investigators notified

    Temporal Analysis

    Alternatively, a histogram can be used

    Can be used to identify periods of high activity on a system, or unusual fluctuations that warrant some investigation.
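    The chronological timeline and the per-hour histogram described on these two slides, worked through as an added example (not code from the slides or the textbook). The log sources, timestamps and event descriptions are constructed around the slide's 8:13 / 10:33 / 15:21 sequence; the flagging rule (a count above three times the median hourly count) is an assumption chosen for the demonstration.

```python
"""Temporal analysis over constructed event records.

Added example, not from the slides or the textbook.  It merges time-stamped
records from several sources into one chronological timeline and builds the
per-hour histogram the slide describes, so bursts of activity that warrant a
closer look stand out."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str]   # (when, source, description)

# Constructed sample records: (source, timestamp, description).  All stamps are
# assumed to be in one time zone; normalising clocks and zones across sources
# is the first real step of a temporal analysis.
SAMPLE_RECORDS = [
    ("firewall.log", "2011-06-01 07:58:40", "Allowed inbound TCP/80 from external host"),
    ("web.log",      "2011-06-01 08:13:07", "POST /admin/upload.php 200 from unusual client"),
    ("web.log",      "2011-06-01 08:13:09", "GET /uploads/new.php 200"),
    ("ips.log",      "2011-06-01 08:13:10", "Signature match: web application attack"),
    ("web.log",      "2011-06-01 08:14:02", "GET /uploads/new.php 200"),
    ("auth.log",     "2011-06-01 08:20:31", "New local account created"),
    ("web.log",      "2011-06-01 08:41:15", "GET /uploads/new.php 200"),
    ("firewall.log", "2011-06-01 09:30:00", "Allowed outbound TCP/25 to external host"),
    ("mail.log",     "2011-06-01 10:33:12", "Outbound queue grew to 4000 messages"),
    ("mail.log",     "2011-06-01 10:45:00", "Remote MTA rejected messages as spam"),
    ("web.log",      "2011-06-01 11:02:44", "GET /index.html 200"),
    ("web.log",      "2011-06-01 12:15:01", "GET /index.html 200"),
    ("web.log",      "2011-06-01 13:07:33", "GET /index.html 200"),
    ("helpdesk.log", "2011-06-01 14:50:20", "Ticket: abuse complaint from ISP"),
    ("case.log",     "2011-06-01 15:21:00", "Investigators notified"),
]


def build_timeline(records) -> List[Event]:
    """Parse and sort heterogeneous records into one chronological list."""
    timeline = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, desc)
                for src, ts, desc in records]
    timeline.sort(key=lambda e: e[0])
    return timeline


def hourly_histogram(timeline: List[Event]) -> Dict[str, int]:
    """Count events per clock hour, keyed 'HH:00' for easy display."""
    return dict(Counter(when.strftime("%H:00") for when, _, _ in timeline))


def unusual_hours(hist: Dict[str, int], factor: float = 3.0) -> List[str]:
    """Hours whose count exceeds `factor` times the median hourly count.

    The median, not the mean, is the baseline so that one very busy hour
    cannot hide itself by inflating the average."""
    if not hist:
        return []
    counts = sorted(hist.values())
    median = counts[len(counts) // 2]
    return sorted(h for h, n in hist.items() if n > factor * median)


def render_histogram(hist: Dict[str, int]) -> str:
    """Text histogram, one row per hour, in the spirit of the slide."""
    return "\n".join(f"{hour}  {'#' * n} ({n})" for hour, n in sorted(hist.items()))


def summarize(records) -> Dict[str, object]:
    """First and last events plus the hours flagged as unusually active."""
    timeline = build_timeline(records)
    hist = hourly_histogram(timeline)
    return {
        "first": timeline[0][2],
        "last": timeline[-1][2],
        "hours": len(hist),
        "flagged": unusual_hours(hist),
    }


if __name__ == "__main__":
    print(render_histogram(hourly_histogram(build_timeline(SAMPLE_RECORDS))))
    print(summarize(SAMPLE_RECORDS))
```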

    Relational Analysis

    Associations between objects or people

    Computer 1 was compromised. Computer 1 attacked Computer 2. Malicious software was installed on Computer 2 from Computer 1.

    John was logged into Computer 1 at the time of the attack. A video camera showed John at the computer during the time in question

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

    FIGURE 8.1 Conceptual view of timeline and relational reconstructions.

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

    FIGURE 8.2 Diagram depicting intruder gaining access to accounting server.

    Relational Analysis

    Don't go too deep in a relational analysis.

    Relationships are easy to find, but some may not be relevant to the case

    Use your own judgment when deciding what relationships to analyze

    Functional Analysis

    How?

    What conditions were necessary for the aspects of this crime to be possible?

    Compromised web server: connected to the internet and has a vulnerability of some sort.

    Functional Analysis

    Child porn found on a server

    Is the server's storage even accessible to others?

    If not, does the server have a monitor hooked up, or does it use a serial console only?

    Functional Analysis

    Consider all possible explanations that could have occurred given the state of the systems or digital devices

    If the obvious explanation does not make sense, are there any non-obvious explanations that could make sense?

    Victimology

    The investigation and study of victim characteristics

    Why was the victim chosen?

    What risks did the attacker have to take to affect the victim?

    What is the link between the victim and offender?

    Threshold Assessment

    Preliminary findings

    Basic analysis to provide investigative direction

    What appears to have happened and how serious is it?

    Page 273

    Modus Operandi

    Remember: Method of Operation

    MO

    Serves one or more of these purposes:

    Protects offender's identity

    Ensures successful completion of the crime

    Facilitates the offender's escape

    Technology and the MO

    Technology can be used in new ways to commit the following crimes:

    Selecting a victim - search engine/facebook/google+

    Keeping tabs on a victim

    Contacting a potential victim

    Locating illicit materials

    Stalking / harassing

    Motive

    Why an offender commits a crime.

    Florida Atlantic University

    Information Technology and Operations Management

    ISM 4324 Handling Crime Scenes

    2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

    FIGURE 7.1 Relationship between physical and digital crime scenes.

    Digital Crime Scenes

    Many different pieces of digital evidence may be found including:

    Email

    Digital photos

    Documents

    Specialized software to hide data

    Effective Handling of Evidence

    Very Important

    Every step an investigator takes has the potential to destroy or alter evidence

    Failure to handle a scene properly can cause evidence to be missed, destroyed, or even misinterpreted.

    Protocols and guidelines should be followed to minimize these risks

    Published Guidelines

    Department of Justice

    Electronic Crime Scene Investigation: A Guide for First Responders (USDOJ, 2001)

    Secret Service

    Best Practices for Seizing Electronic Evidence: A Pocket Guide for First Responders (USSS, 2006)

    Published Guidelines

    Association of Chief Police Officers (UK)

    The Good Practice Guide for Computer Based Evidence (ACPO, 2009)

    This particular set of guidelines provides a lot of guidance and structure, but parts of it are more applicable to crimes in the U.K.

    Published Guidelines as SOP

    These guidelines and others can be used to create a Standard Operating Procedure (SOP), or used as an SOP themselves.

    There may be parts of these documents that do not apply to your own circumstances. In these cases, these documents can be used as a baseline for revision.

    Curiosity and Destruction of Evidence

    It may be tempting to try and discover exactly what happened before preserving evidence

    This can, in itself, destroy evidence if evidence had been deleted, or is only present in memory.

    This does not mean you should immediately preserve before doing any verification, however.

    Preserving Evidence High-level

    Verify that a crime or policy violation has occurred! (Note: non law enforcement investigators)

    Once initial verification is complete, preserve everything based on the order of volatility if you have decided to pursue the case

    Make copies of the evidence and begin your examination and analysis

    ACPO Principles

    Bottom of Page 232

    Actions should not change data if evidence is to be used in court

    Original data access by competent person who can explain their actions

    Audit trail of everything done to evidence preserved

    Person in charge should verify law is being followed and principles are adhered to.

    ACPO Principles

    An investigator should strive to meet these principles.

    However, it is not always possible to fully comply with them

    Good documentation is useful for actions that damage or destroy evidence.

    Authorization

    Remember the Fourth Amendment discussed previously dealing with search and seizure.

    Be certain that searches do not violate this constitutional law if you are a government investigator, or all evidence collected is inadmissible in court.

    Authorization

    Privacy Laws

    ECPA (Electronic Communications Privacy Act)

    Be sure the search does not violate this federal law.

    Applies to non-governmental workers as well.

    Authorization

    For internal investigations, get authorization from your organization's attorneys.

    Company policy may dictate whether evidence can be collected.

    Authorization

    Law Enforcement

    In general, always obtain a search warrant if there is any question as to whether or not it is required under the Fourth Amendment, unless action must be taken quickly to preserve certain evidence

    Better safe than sorry, as the consequence is inadmissibility of evidence to determine guilt or innocence

    Search Warrants

    Must specifically describe the types of evidence to be collected

    Must establish probable cause

    Specific types of evidence include: computer files related to X, digital pictures, electronic storage media, mobile devices

    Should not be vague

    Separation of Evidence

    Collected evidence may contain incriminating evidence about other people or activities outside of the scope of the warrant

    One way to ensure impartiality and protect privacy is to separate the evidence examination from the analysis and have two separate people perform these tasks.

    Preparing to Seize Evidence

    It is advisable to obtain as much information as possible

    Details about the environment

    If this is a company, what forensics software is in use? What operating system? What is the network topology? Where are files stored?

    Preparing to Seize Evidence

    Another question to answer is how advanced does the attack or violation appear to be?

    If an attacker or suspect is more skilled than the investigator, it is easy for the attacker or suspect to hide their tracks from the investigator

    In these cases, it is advisable to seek additional help from a more skilled investigator

    Preparing to Seize Evidence

    You can also talk to potential witnesses or the person that found evidence that led to a concern.

    Try to come up with some questions you may wish to ask ahead of time and keep those as part of your SOP

    Surveying the Scene

    Some items may be hard to find: phones, small memory cards, home theater PCs, unmarked CD-ROM disks

    Typically only allowed to preserve evidence related to the crime

    Photograph and document everything prior to seizure.

    This can help if you are asked to describe the scene in court

    Preserving the Scene

    Order of Volatility

    Some evidence is more easily lost or destroyed than other evidence. Evidence should be preserved in order of most easily lost to least easily lost if it may be relevant to the case

    Preserving the Scene

    Prevent others from touching the electronics

    Collect network traffic

    Collect memory contents

    Collect process state

    Collect hard disks

    Document the scene in writing, pictures and sketches
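
    The order-of-volatility rule and the "document everything" guidance above can be made concrete in code. The following is an added example, not code from the course slides or the textbook: a small Python module that orders acquisition from most to least volatile (the ranking table is an assumption chosen for illustration), hashes each artifact with SHA-256 at acquisition time, records it in a manifest with timestamp and collector, and can later re-check stored copies against that manifest. The artifact names and byte strings are constructed sample data, not real evidence.

```python
"""Order-of-volatility planner and acquisition manifest.

Added example, not code from the course slides. The volatility ranking,
artifact names and byte strings are assumptions constructed for
illustration; real acquisition uses forensic imaging tools.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Lower rank means more easily lost, so it is collected first (assumed ranking).
VOLATILITY_RANK = {
    "network_traffic": 0,
    "memory": 1,
    "process_state": 2,
    "disk": 3,
    "logs_and_backups": 4,
}


@dataclass(frozen=True)
class Artifact:
    name: str
    kind: str    # key into VOLATILITY_RANK
    data: bytes  # acquired bytes (constructed sample data in this example)


@dataclass(frozen=True)
class ManifestEntry:
    name: str
    kind: str
    sha256: str
    size: int
    acquired_at: str
    collector: str


def plan_collection(artifacts: Iterable[Artifact]) -> List[Artifact]:
    """Sort artifacts from most to least volatile; unknown kinds go last."""
    unknown = len(VOLATILITY_RANK)
    return sorted(artifacts, key=lambda a: (VOLATILITY_RANK.get(a.kind, unknown), a.name))


def acquire(artifacts: Iterable[Artifact], collector: str,
            now: Optional[datetime] = None) -> List[ManifestEntry]:
    """Hash every artifact at acquisition time, in order of volatility."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return [
        ManifestEntry(a.name, a.kind, hashlib.sha256(a.data).hexdigest(),
                      len(a.data), stamp, collector)
        for a in plan_collection(artifacts)
    ]


def manifest_json(entries: List[ManifestEntry]) -> str:
    """Serialize the manifest for the written record of the scene."""
    return json.dumps([asdict(e) for e in entries], indent=2)


def verify(entries: List[ManifestEntry], stored: Dict[str, bytes]) -> List[str]:
    """Return names whose stored copy is missing or no longer matches its hash."""
    bad = []
    for e in entries:
        blob = stored.get(e.name)
        if blob is None or hashlib.sha256(blob).hexdigest() != e.sha256:
            bad.append(e.name)
    return bad


# Constructed sample artifacts, deliberately listed in the wrong order.
SAMPLE_ARTIFACTS = [
    Artifact("disk_image", "disk", b"\x00" * 64),
    Artifact("syslog", "logs_and_backups", b"Jan 1 00:00:01 host sshd[1]: test line\n"),
    Artifact("pcap", "network_traffic", b"\xd4\xc3\xb2\xa1" + b"\x00" * 20),
    Artifact("ram_dump", "memory", b"MEMORY-SAMPLE"),
    Artifact("ps_listing", "process_state", b"PID 1 init\nPID 42 sshd\n"),
]


def demo() -> List[str]:
    """Acquire the samples and return the collection order that was used."""
    entries = acquire(SAMPLE_ARTIFACTS, collector="examiner-1")
    print(manifest_json(entries))
    return [e.name for e in entries]


if __name__ == "__main__":
    demo()
```

    Running the module prints the manifest; `verify()` is what you would run later, before analysis, to show that the copies being examined are still byte-for-byte what was collected, which is the written-record half of preserving the scene.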

    Controlling Entry

    Locked Doors

    Crime scene tape

    Guards or others to keep people away

    Isolate wireless signals or network access if possible

    Preserving Evidence

    May require help from system administrator

    Collect Logs

    Find file shares

    Access backups

    Bypass encryption

    Unlock computer

    Preserving Hard Drive Data

    Remove power cable from back of computer

    Keeps temporary files intact

    Keeps temporary memory storage intact

    Keeps process related information intact

    Minimizes potential for system to overwrite deleted data
