
André Årnes

Tlf: 9166006

andre.arnes@hig.no

IMT 3551/4012 Digital Forensics
Course Overview and Lecture 1
Fall 2010



Agenda

- Course overview
  - Objectives
  - Lectures and exams
  - Paper presentations
  - Project work
  - Curriculum
- Lecture
  - Introduction to digital forensics
  - Practical lab work

Course Overview


Course Objectives

- What is digital forensics?
- Central principles and methodology rather than standardized procedures
- Methods for
  - Evidence acquisition
  - Analysis
  - Reporting

Focus and Disclaimer

- Feedback is most welcome, all the time.
- We will focus on the fundamental principles of digital forensics, as well as the practical side of the field.
- Practical work will focus on analysis and reconstructions in virtual environments.
- Consider the consequences of all experiments and don't do anything unethical (or illegal!). Also, don't trust unknown software: run untrusted software in isolated environments.


Course Overview (Preliminary)

- Lecture 1, Introduction, 19.10.2009, Room K113 + A115
  - Chapter 1, Appendix B
- Lecture 2, File system analysis, 02.11.2009, Room K113 + A115
  - Chapters 2, 3, 4, 7, Appendix A
- Lecture 3, Live and remote forensics, 16.11.2009, Room A126 + A115
  - Chapters 5, 8
- Lecture 4, Evidence analysis, 30.11.2009, Room K113 + A115
  - Chapter 6
- Lecture 5, Selected topics and review, 07.12.2009, Room K113 + A115
  - Short project presentations
- Project Deadline: 23:59 on Friday 10.12.2009
- Written Exam: 21.12.2009


Project Work Requirements

- Assignments are marked and count 50% of the mark (see course information)
- Groups of 3 to 5 persons
- Report can include theoretical and/or experimental work.
- IMT 3551 Groups: Standard project report
- IMT 4021 Groups: Academic paper format

Project Requirements (cont'd)

- Document all assertions, back up claims and results, provide academic references, document experimental setup and focus on evidence integrity and forensic soundness.
- Plagiarism is not accepted: ask if you have questions regarding quotations and citations.




Project Work

Choose ONE of the following (or propose a new topic):

1. Acquiring evidence in the cloud: Perform a theoretical evaluation of acquiring evidence from a cloud service (e.g., Amazon EC2) and perform experiments as a proof-of-concept.
2. iPad Forensics: Forensic analysis of the iPad (you need an iPad). Perform experiments and perform a forensic analysis of the evidence.
3. Internet Explorer 9 (beta): Perform experiments and a forensic analysis of the evidence.
4. Log2timeline and Simile: Perform experiments, extract the timeline using log2timeline and visualize the results using SIMILE.
5. Android Forensics: Perform experiments using an Android phone and/or the Android SDK to evaluate the availability and authenticity of evidence in Android.
6. Processing massive amounts of data: Perform a theoretical study of approaches to handle massive amounts of data in digital forensics cases. Present the results as a comparative study to benchmark the methods based on typical use cases.
7. Database forensics: Perform a survey and experiments of state of the art tools for database forensics, based on, e.g., PostgreSQL or Oracle DB.
8. Evidence authenticity: Evaluate security requirements and a security architecture for managing evidence and preserving evidence integrity and chain of custody. Consider vulnerabilities in popular hash algorithms (e.g., MD5).
9. Computational forensics: Evaluate computational methods to identify and analyse digital evidence (e.g., fuzzy search, statistical sampling).
10. Rights Management: Forensic analysis of commercial grade rights management systems, e.g., Microsoft Rights Management System or Oracle Information Rights Management.

Project Recommendations

- We request that all experiments (if possible) are performed in a sterilized environment and that the data set is preserved and handed in or made available online. We will use this as a data set for training and research in digital forensics.
- We appreciate innovation in experimental environments. Amazon cloud and http://www.vmlogix.com/Screenshots/ are possible options. Remember to not do malware experiments in the cloud (!)
- Faculty at the forensics lab will nominate suitable papers for scientific publication. One IMT3551 group is publishing @NISK 2010!



What to cover in this course?

- Internet investigations?
- Network forensics?
- Device forensics?
- Video/audio/image forensics?
- Reverse engineering?
- Criminal investigations?
- Law and judicial issues?


Curriculum I

- Dan Farmer and Wietse Venema, "Forensic Discovery", Addison-Wesley, 2005
  http://www.porcupine.org/forensics/forensic-discovery/
- Material covered in class

Curriculum II

Presented Papers

Five curriculum papers will be presented in class and will be part of the course curriculum. The papers may change depending on your feedback, but the curriculum will be finalized by next class.

Curriculum papers:

1. Carrier, Brian, "An event-based digital forensic investigation framework", DFRWS, 2005.
2. Casey, "Error, Uncertainty, and Loss in Digital Evidence", International Journal of Digital Evidence, 2002.
3. Gutmann, Peter, "Secure Deletion of Data from Magnetic and Solid-State Memory", USENIX 1996.
4. Vrizlynn Thing, Kian-Yong Ng, and Ee-Chien Chang, "Live Memory Forensics of Mobile Phones", DFRWS 2010.
5. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, "Forensic Investigation of Peer-to-Peer File Sharing Network", DFRWS 2010.



Presentations

- Each group presents one paper during lecture 2, 3 and 4. Each presentation will be ~15-20 minutes.
- The project will be presented at the last lecture day. Each presentation will be short (~10 minutes).

Lecture   Group   Paper
2
2
3
3
4
5         All     Project


Some Useful References

1. Brian Carrier, "File System Forensic Analysis", Addison Wesley, 2005
2. Keith J. Jones, Richard Bejtlich, Curtis W. Rose, "Real Digital Forensics: Computer Security and Incident Response", Addison Wesley, 2006
3. Inger Marie Sunde, "Lov og rett i Cyberspace", Fagbokforlaget, 2006
4. US DOJ, "NIJ Special Report on Forensic Examination of Digital Evidence: A Guide for Law Enforcement"
5. ACPO, "Good Practice Guide for Computer Based Electronic Evidence"
6. Årnes, Haas, Vigna, and Kemmerer, "Digital Forensic Reconstruction and the Virtual Security Testbed ViSe", Journal in Computer Virology, 2007.
7. The Honeynet Project; in particular Scan of the Month and forensic challenges
8. Gladyshev and Patel, "Finite state machine approach to digital event reconstruction", Digital Investigation 1, 2004.
9. DOJ, "NIJ Special Report on Investigations Involving the Internet and Computer Networks" (pages 1-27, excluding "legal considerations")




Internet Bank Fraud

Transaction Agents

Before we get started

- Choose groups (on blackboard)
- Choose project number (or propose a project)
- Choose paper to present (talk to me if all 5 are taken)
- Talk to me if you're doing an MSc on digital/computational forensics

Break!



Lecture 1

Introduction to Digital Forensics

Terminology and Basic Principles

Forensic Science

- The application of science and technology to investigate and establish facts of interest to criminal or civil courts of law. For example:
  - DNA analysis
  - Trace evidence analysis
  - Firearms ballistics
- Implies the use of scientific methodology to collect and analyse evidence. For example:
  - Statistics
  - Logical reasoning
  - Experiments


Some Terminology

- Digital Forensics
- Digital Investigations
- Computer Forensics
- Network Forensics
- Internet Investigations
- Computational Forensics

Investigation Process

- Identification: Verification of event
- Collection: Evidence collection and acquisition
- Examination: Preparation and examination
- Analysis: Using scientific methods
- Reporting: Documentation and presentation


Digital Evidence

- We define digital evidence as any digital data that contains reliable information that supports or refutes a hypothesis about an incident.
- Evidence dynamics is described as any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent.

Evidence Integrity

- Evidence integrity refers to the preservation of the evidence in its original form. This is a requirement that is valid both for the original evidence and the image.
- Write-blockers ensure that the evidence is not accidentally or intentionally changed
  - Hardware
  - Software
- In some cases, evidence has to be changed during acquisition, see discussion of OOV below.

Digital Fingerprints

- Purpose is to prove that evidence and image are identical, using cryptographic hash algorithms.
- Input is a bit stream (e.g., file/partition/disk) and output is a unique hash (file signature).
- We use cryptographic hash algorithms (e.g., MD5, SHA1, SHA256). These are non-reversible and it is mathematically infeasible to find two different files that create the same hash.


Chain of Custody

- Chain of custody refers to the documentation of evidence acquisition, control, analysis and disposition of physical and electronic evidence.
- The documentation can include paper trails, laboratory information management systems, photographs, etc.
- Mechanisms:
  - Timestamps and hash values
  - Checklists and notes
  - Reports

Forensic Soundness

- The term forensically sound methods and tools usually refers to the fact that the methods and tools adhere to best practice and legal requirements.
- A typical interpretation:
  - Source data is not altered in any way
  - Every bit is copied, incl. empty and unavailable space
  - No data is added to the image.

Order of Volatility (OOV)

- Collect the most volatile data first: this increases the possibility to capture data about the incident in question.
- BUT: As you capture data in one part of the computer, you're changing data in another.
- The Heisenberg Principle of data gathering and system analysis: It's not simply difficult to gather all the information on a computer, it is essentially impossible.


Order of Volatility: Expected life time of data

Type of data                              Life span
Registers, peripheral mem, cache, etc.    Nanoseconds
Main memory                               Ten nanoseconds
Network state                             Milliseconds
Running processes                         Seconds
Disk                                      Minutes
Floppies, backup media, etc.              Years
CD-ROMs, DVDs, printouts, etc.            Decades

Dual-tool Verification

- Verification of analysis results by independently performing analysis on two or more distinct forensic tools.
- The purpose of this principle is to identify human and software errors in order to assure repeatability of results.
- The tools should ideally be produced by different organizations/programmers.



ACPO Principles (ACPO p. 6)

1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and to be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.


Abstraction Layers

Layers: Hardware, File system, Users and applications

Sleuth Kit Abstraction Layers:
- File system layer tools
- Data layer tools
- Metadata layer tools
- Human interface layer
- Journal layer
- Media management layer
- Disk layer

Farmer and Venema p. 9: [figure]



Analysis

- Unusual activity stands out, e.g.:
  - Location in file system
  - Timestamps (most files are rarely used)
- Fossilization of deleted data
- Turing test of computer forensic analysis
- Digital archaeology vs. geology

Virtualization

- Virtualization can be used to perform dynamic testing of evidence and to perform forensic reconstruction experiments. Images of seized evidence can be booted in virtual environments for dynamic analysis.
- It is possible to detect the presence of the virtualization environment. This is seen in malware and in proof of concept code (e.g., "red pill").
- Be careful to isolate the testbed properly, in particular if you suspect that you are dealing with malware!


Crime Scene Reconstructions

- Method to determine the most probable hypothesis or sequence of events by applying the scientific method to interpret the events that surround the commission of a crime.
- State problem,
- form a hypothesis,
- collect data,
- test hypotheses,
- follow up on promising hypotheses,
- draw conclusions supported by admissible evidence.

Digital Reconstructions

- Digital crime scene reconstructions can be tested experimentally in testbeds:
  - physical,
  - virtual, or
  - simulated.



Investigation Process

- Identification: Verification of event
- Collection: Evidence collection and acquisition
- Examination: Preparation and examination
- Analysis: Using scientific methods
- Reporting: Documentation and presentation

Evidence integrity & Chain of Custody


Our First Toolkit

Acquisition Tools

- Acquisition tools are tools for imaging or copying evidence
- Focus should always be on preserving evidence integrity. The integrity should be verified after acquisition through the use of hash algorithms.
- DD and DCFLDD examples:

    dd if=/dev/hda of=/mnt/evidence/hda.dd
    dcfldd if=/dev/hda of=/mnt/evidence/hda.dd

- Commercial tool examples:
  - Encase
  - FTK Imager Lite


The Coroner's Toolkit (TCT)

- A collection of forensic utilities written by Wietse Venema and Dan Farmer. Released in 2000 on the authors' web sites.
- The toolkit contains tools for post-mortem analysis of compromised systems.
- It includes, e.g.:
  - Grave-robber: data gathering tool
  - Unrm and lazarus: data recovery tools
  - Mactime: orders files and directories chronologically according to timestamps


Sleuthkit and Autopsy

- Sleuthkit is built on TCT, supports both Unix and Windows platforms, and contains 27 specialized command line tools.
- Autopsy is an integrated graphical user interface for Sleuthkit. It supports acquisition, analysis, as well as case management, evidence integrity verification, and logging.

Ubuntu 10.04

- Boot CD to install and run Ubuntu
- Forensic tools easily installed:

    sudo apt-get install tct
    sudo apt-get install sleuthkit
    sudo apt-get install autopsy
    sudo autopsy


Helix

- Boot CD for incident response and digital forensics by e-fense
  http://www.e-fense.com/helix/
- Contains many tools, e.g.:
  - Autopsy, TCT, SleuthKit, foremost
  - Wireshark, TCPdump
  - ClamAV, F-prot, chkrootkit
  - and more ...
- No longer free/open source



Virtualization Tools

- We need a tool for running virtual hosts:
  - Mount and analyse image off-line
  - Snapshots freeze system states and are useful for event chain analysis
- Some examples
  - VMware Workstation: most used tool for forensics
  - Amazon EC2: Virtualization in the cloud (not free)
  - Virtualbox: free version available
  - Xen: free version available
  - Virtual PC: free version available
  - Parallels: for MAC


VMware and VMware Snapshots

- VMware emulates a PC and runs virtual guest operating systems such as Windows XP and Linux.
- Through the use of VMware snapshots, one can make a tree of system configurations that are based on a common root system (base image).
- One can easily revert to a snapshot and make a new branch with a new configuration.
- The "full clone" function can be used to write a full disk image for analysis based on a snapshot.


Summary

- Basic Principles
  - Forensic Science
  - Methodology
  - Digital Evidence
  - Evidence Integrity
  - Cryptographic hashes
  - Chain of Custody
  - Order of Volatility
  - Layers of abstraction
  - Reconstructions
  - Virtualization
  - ACPO
- Our First Toolkit
  - DD and DCFLDD
  - TCT
  - Sleuthkit
  - Autopsy
  - Ubuntu
  - VMware

Lab 1

Rules of the Lab Exercises

- The labs are fairly open and you are free to select both environment and tools. There is no mandatory hand-in or grading of the lab.
- The lab exercises do require some Linux and virtualization literacy: work together in teams!
- Use the lab time to discuss project work and discuss drafts.




Objectives

- Objectives: Get familiar with
  - Laboratory environment
  - Forensic tools
- Tools
  - VMware (or Amazon EC2 or other virtualization tool)
  - Ubuntu (or Helix)
- Evidence
  - Honeynet Scan of the Month 24 and 26
    http://www.honeynet.org/scans/index.html
- Take detailed notes and remember
  - Evidence integrity
  - Chain of custody


Tasks

1. Install VMware Workstation on your laptop
2. Install Ubuntu as a virtual machine and install tct, sleuthkit, and autopsy
3. Read the Scan of the Month 24 challenge and the police report
4. Boot Ubuntu in VMware
5. Image evidence
   - Virtually mount floppy image for "Scan24" in VMware
   - Use DD or DCFLDD to image evidence to file
   - Verify image hash using md5sum command.
6. Analyse image
   - Using Autopsy
   - You can mount the image read-only and use standard linux tools
7. Report findings in your notes
   - Document chain of custody, evidence integrity
   - Detailed notes of settings, actions, etc.
   - Screenshots are useful
8. Optional: Continue the analysis with the Scan26 floppy image.
9. Optional: Send report to teacher by email for feedback and evaluation (not graded)
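The acquisition and verification steps from the Acquisition Tools slide and lab tasks 5 and 7 above (dd imaging, md5sum verification, a chain-of-custody record), as an added example that is not part of the course slides. A constructed sample file stands in for the write-blocked evidence device; the work directory, file names, the custody log format and the SHA-256 cross-check are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the course slides. Acquire a constructed sample
# "device" with dd, fingerprint source and image with md5sum/sha256sum,
# cross-check with cmp (a second, independent tool), and append a
# chain-of-custody entry. WORK, file names and log layout are assumptions.
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the evidence device (e.g. the Scan24 floppy):
# 8 zeroed sectors with some content in the middle, so the image is small
# but not empty.
make_evidence() {
    dd if=/dev/zero of="$WORK/evidence.raw" bs=512 count=8 2>/dev/null
    printf 'constructed lab content\n' |
        dd of="$WORK/evidence.raw" bs=1 seek=100 conv=notrunc 2>/dev/null
    printf '%s\n' "$WORK/evidence.raw"
}

# Acquisition: bit-for-bit copy of every sector, unused space included;
# noerror,sync keeps going past bad sectors and pads them with zeros.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Digital fingerprint of a bit stream. MD5 is what the lab uses; SHA-256 is
# recorded as well because MD5 collisions are a known weakness (topic 8).
md5_of()    { md5sum "$1" | cut -d' ' -f1; }
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Evidence integrity check: hashes must agree, and cmp must confirm the
# byte-for-byte identity with a tool that shares no code with md5sum.
verify() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ] || return 1
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ] || return 1
    cmp -s "$1" "$2"
}

# Chain-of-custody entry: UTC timestamp, examiner, action, hash values.
log_custody() {
    printf '%s|%s|acquired %s -> %s|md5=%s|sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$1" "$2" \
        "$(md5_of "$2")" "$(sha256_of "$2")" >> "$3"
}

# Stand-alone run: image the sample, verify and log it, then show that a
# single altered byte in the image is caught.
src=$(make_evidence); img="$WORK/demo.dd"
acquire "$src" "$img" && verify "$src" "$img" && echo "image verified, hashes match"
log_custody "$src" "$img" "$WORK/custody.log"
printf 'X' | dd of="$img" bs=1 seek=300 conv=notrunc 2>/dev/null
verify "$src" "$img" || echo "image no longer matches source: integrity failure"
```

The custody log line carries the hash values that the lab asks you to note, so a later re-hash of the image can be compared against the recorded value.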