Computer Forensics BACS 371

Posted by companyscourge, 19 Oct 2013

Evidentiary Methods II: Evidence Acquisition

Computer Forensics, BACS 371

OK, What do we do first?

Basic Forensic Methodology

- Acquire the evidence
- Authenticate that it is the same as the original
- Analyze the data without modifying it

Photographing Systems

Before you do anything, begin documentation by photographing all aspects of the system…

- Monitor
- Desk and surrounding area
- All 4 sides of PC
- Labeled cables still connected

Evidence Acquisition Process [1]

- Disassemble the Case of the Computer
- Identify storage devices that need to be acquired (internal/external/both)
- Document internal storage devices and hardware configuration
  - Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …)
  - Internal components (sound card, video card, network card including MAC address, PCMCIA cards, …)
- Disconnect storage devices (power, data, or both)
- Controlled boots
  - Capture CMOS/BIOS info (boot sequence, time/date, passwords)
  - Controlled boot from forensic CD to test functionality (RAM, write-protected storage, …)
  - Controlled boot to capture drive configuration (LBA, CHS, …)

[1] Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USDOJ/NIJ, Chapter 3, Evidence Acquisition, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf


Forensic Analysis CYA

- Virus Check
  - Forensic computer
  - Media being processed
- Collect System Information
  - Complete computer hardware inventory
- CHKDSK/SCANDISK
  - Look for “orphan clusters”
- “Tech” Program for Forensic computer

Role of the First Responder

Scene of the Cybercrime [1]:

- Do No Harm!
- Identify the Crime Scene
- Protect the Crime Scene
- Preserve Temporary and Fragile Evidence

A Guide for First Responders [2]:

- Secure and Evaluate the Scene
- Document the Scene
- Collect Evidence
- Packaging, Transportation, and Storage of Evidence
- Forensic Examination

[1] Scene of the Cybercrime, Shinder & Tittel, p. 553
[2] Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001

Role of Investigators [1]

- Establish Chain of Command
- Conduct Crime Scene Search
- Maintain Integrity of Evidence

[1] Scene of the Cybercrime, Shinder & Tittel, p. 554

Role of Crime Scene Technician [1]

- Preserve volatile evidence and duplicate disks
- Shut down systems for transport
- Tag and log evidence
- Transport evidence
- Process evidence

[1] Scene of the Cybercrime, Shinder & Tittel, p. 555

Computer Seizure Checklist [1]

- Photograph the monitor
- Preserve Volatile Data
- Shutdown Systems
- Photograph the System Setup (PC, all sides)
- Label all connections
- Unplug system and peripherals; mark & tag
- Bag and tag all components
- Bitstream Copy of Disk(s) (offsite usually)
- Verify integrity of copies (offsite usually)

[1] Scene of the Cybercrime, Shinder & Tittel, p. 557

Handling, Transportation, Storage

- Static Electricity
- External RF signals
- Heat
- Humidity
- Sunlight??

Evidence Logs

- Lists all evidence collected
- Description of each piece of evidence with serial numbers
- Identifies who collected the evidence and why
- Date and Time of collection
- Disposition of Evidence
- All transfers of custody

Evidence Analysis Logs

- How each step is performed
  - Who was present
  - What was done
  - Result of procedure
  - Time/date
- Document all potential evidence
  - Filename
  - Where on disk data are located
  - Date and time stamps
  - Network information (MAC address, IP address)
  - Other file properties (metadata)

Preserve Volatile Data [1]

Order of Volatility [2] (most volatile first):

1. Registers and Cache
2. Routing Table, ARP Cache, Process Table, Kernel Statistics
3. Contents of System Memory (RAM)
4. Remote Logging and Monitoring Data
5. Physical Configuration, Network Topology
6. Temporary File Systems
7. Data on Disk
8. Archival Media

[1] Scene of the Cybercrime, Shinder & Tittel, p. 559
[2] Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Collecting Volatile Data

Tool       Purpose
netstat    View current network connections
nbtstat    View current network connections
arp        View addresses in ARP (Address Resolution Protocol) cache
plist      List running processes (or view in Task Manager)
ipconfig   Gather information about the state of the network

Foundstone Tools

Tool              Purpose
Pasco             An Internet Explorer activity forensic analysis tool
Galleta           An Internet Explorer Cookie forensic analysis tool
Rifiuti           A Recycle Bin Forensic Analysis Tool
Vision            Reports all open TCP and UDP ports
NTLast            Security Audit Tool for WinNT
Forensic Toolkit  Tools to examine an NTFS disk partition for unauthorized activity
ShoWin            Show information about Windows; reveal passwords
BinText           Finds ASCII, Unicode, and Resource strings in a file

Things to Avoid [1]

- Don’t shutdown until volatile evidence has been collected
- Don’t trust the programs on the system; use your own secure programs
- Don’t run programs which modify access times of files

[1] Guidelines for Evidence Collection and Archiving, IEEE, February 2002

Acquire the Evidence

To shutdown, or to not shutdown, that is the question!

- Without damaging or altering the original
- Let the machine run, or pull the plug??
  - Run: retains maximum forensic evidence
  - Pull Plug: removes a compromised computer from potentially affecting the whole network
- How to pull the plug
  - From the back of the PC
  - When the hard drive is not spinning
    - Sound
    - Drive Light
    - Vibration

Making Backups

- File Backup vs. Bitstream Copy
- Use Forensically Sterile media
- Make 2 backup copies (one to work with and one to store)
- Don’t access the original again!
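The bitstream copy, the two verified backup copies and the evidence-log record from the seizure checklist, the Evidence Logs slide and the backup rules above, carried out as an added example; this is not code from the lecture or from any of the cited sources. An in-memory byte buffer stands in for the seized drive so it runs offline; on a real acquisition the source would be a write-blocked device opened read-only and each copy would be written to forensically sterile media. The examiner name and item identifier are constructed placeholders.

```python
"""Bitstream imaging with verified copies and an evidence-log record.

Added example, not part of the lecture. The original is read exactly once;
every copy is re-read independently and compared against the digests
recorded at acquisition time.
"""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 64 * 1024  # streaming granularity; the digests cover every byte regardless

# Constructed stand-in for the contents of a seized drive
SAMPLE = b"constructed evidence drive contents " * 4096


def sample_source(data: bytes = SAMPLE) -> io.BytesIO:
    """Open the constructed 'drive' as a read-only stream."""
    return io.BytesIO(data)


def hash_stream(stream) -> tuple:
    """Stream every byte through MD5 and SHA-256; returns (md5_hex, sha256_hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def image_stream(src, dst) -> tuple:
    """Bitstream copy: every byte of src goes to dst with no file-system
    interpretation, and the bytes actually read are hashed in the same pass.
    Returns (bytes_copied, md5_hex, sha256_hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    copied = 0
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        dst.write(block)
        md5.update(block)
        sha.update(block)
        copied += len(block)
    return copied, md5.hexdigest(), sha.hexdigest()


def verify_image(stream, expected_md5: str, expected_sha256: str) -> bool:
    """True only if an independent re-read of the image matches both recorded digests."""
    return hash_stream(stream) == (expected_md5, expected_sha256)


def reference_digests(data: bytes) -> tuple:
    """One-shot digests of a whole buffer, used to cross-check the streamed values."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def acquire(source, examiner: str, item_id: str, copies: int = 2) -> dict:
    """Read the original once into a master image, then produce and verify
    `copies` duplicates from that image. The returned evidence-log record
    carries who, when, size and digests, so later re-verification has
    something to compare against."""
    master = io.BytesIO()
    size, md5_orig, sha_orig = image_stream(source, master)
    log_copies = []
    for n in range(copies):
        copy = io.BytesIO(master.getvalue())  # stand-in for a write to sterile media
        if not verify_image(copy, md5_orig, sha_orig):
            raise RuntimeError(f"copy {n} of {item_id} does not match the master image")
        log_copies.append({"copy": n, "md5": md5_orig, "sha256": sha_orig, "verified": True})
    return {
        "item": item_id,
        "collected_by": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "md5": md5_orig,
        "sha256": sha_orig,
        "copies": log_copies,
    }
```

Two digests are recorded because the log is what a court or a later examiner compares against; if one algorithm is later shown to be weak (the MD5 collision material later in this deck), the second still ties the working copy to the original read.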

Level of Effort to Protect Evidence…

If the evidence is going to be used in court vs. if the evidence is going to be used for internal investigation:

- The evidence method should be the same for both situations in case it ever goes to court
- The more documentation the better

MD5 Hashing

Wikipedia entries:

- Cryptographic Hash Function: a hash function must be able to process an arbitrary-length message into a fixed-length output
- Hash Function
- Hash Collision
- Check Digit
- Cyclic Redundancy Check (CRC)

MD5 Hashing Algorithm [1]

[Figure: One MD5 operation]

MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. M_i denotes a 32-bit block of the message input, and K_i denotes a 32-bit constant, different for each operation. There are four possible functions F; a different one is used in each round. <<<_s denotes a left bit rotation by s places; s varies for each operation. ⊞ denotes addition modulo 2^32.

[1] Wikipedia


Integrity of Evidence [+]

Method: Checksum
  Description: Method for checking for errors in digital data. Uses a 16- or 32-bit polynomial to compute a 16 or 32 bit integer result.
  Common types: CRC-16, CRC-32
  Advantages: Easy to compute; Fast; Small data storage; Useful for detecting random errors
  Disadvantages: Low assurance against malicious attack; Simple to create data with matching checksum

Method: One-Way Hash
  Description: Method for protecting data against unauthorized change. Produces a fixed-length large integer (80~240 bits) representing digital data. Implements a one-way function.
  Common types: SHA-1, MD5, MD4, MD2
  Advantages: Easy to compute; Can detect both random errors and malicious alterations
  Disadvantages: Must maintain secure storage of hash values; Does not bind identity with data; Does not bind time with data

Method: Digital Signature
  Description: Secure method for binding identity of signer with digital data integrity methods such as one-way hash values. Uses public key crypto system.
  Common types: RSA, DSA, PGP
  Advantages: Binds identity to integrity operation; Prevents unauthorized regeneration of signature
  Disadvantages: Slow; Must protect private key; Does not bind time with data

[+] “Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (Oct 25, 2005)

Hashing Algorithms [1]

Algorithm  Description
MD2        Developed by Ronald L. Rivest in 1989, this algorithm was optimized for 8-bit machines.
MD4        Developed by Rivest in 1990. Using a PC, collisions can now be found in this version in less than one minute.
MD5        Developed by Rivest in 1991. It was estimated in 1994 that it would cost $10 million to create a computer that could find collisions using brute force.
SHA        SHA-1 was a federal standard used by the government and private sector for handling sensitive information and was the most widely used hashing function.
HAVAL      A variation of the MD5 hashing algorithm that processes blocks twice the size of MD5.

[1] Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305

MD5 Hash

“[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit ‘fingerprint’ or ‘message digest’ of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be ‘compressed’ in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.” [1]

[1] http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html


MD5 Hash

- 128-bit number representing a “fingerprint” of a file
- Odds of two different files having the same MD5 Hash are 1 in 2^128

MD5 issues???

- Collisions: two different files generating the same hash
  http://marc-stevens.nl/research/md5-1block-collision/md5-1block-collision.pdf
- SHA Collisions
  http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf

Hash Try It…

- http://bitsum.com/md5-sha1-sha2-sha-ripemd-whirlpool-secure-hash.php
- http://bfl.rctek.com/tools/?tool=hasher
- http://www.digital-detective.co.uk/freetools/md5.asp
- http://www.miraclesalad.com/webtools/md5.php



Admissibility of Evidence

The whole point of all of this is to make sure that the evidence is admissible.

- Relevant: substantiates an issue that is in question in the case
- Competent: reliable and credible
- Obtained legally

5 Mistakes of Computer Evidence [1]

1. Run the Computer
2. Get Help from the Computer Owner
3. Don’t Check for Computer Viruses
4. Don't Take Any Precautions In The Transport of Computer Evidence
5. Run Windows To View Graphic Files and To Examine Files

[1] Electronic Fingerprints: Computer Evidence Comes Of Age, by Michael R. Anderson