1 / 114

COEN 252 Computer Forensics

COEN 252 Computer Forensics. Data Analysis Techniques for Hard Drives. Data Analysis Techniques. Create forensic duplicate. Protect original as best evidence. Review image file (with tools). Report. Testify. Data Analysis Techniques.

galen
Télécharger la présentation

COEN 252 Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 252 Computer Forensics Data Analysis Techniques for Hard Drives

  2. Data Analysis Techniques • Create forensic duplicate. • Protect original as best evidence. • Review image file (with tools). • Report. • Testify.

  3. Data Analysis Techniques • Need collaboration between forensics investigators and case workers.

  4. Data Analysis Techniques • Sources of Evidence • Existing Files • Deleted Files • Logs • Special system files (registry, cron) • Email archives, printer spools • Administrative settings • Special types of files (lnk, prefetch)

  5. Data Analysis Techniques • File restoration techniques • FAT, NTFS • By hand with a hexeditor • Specialty tools like Norton undelete • Forensics software like encase, FTK • Mount drive on UNIX system and use UNIX tools (Fatback)

  6. Data Analysis Techniques • Unix system • With a hex editor edit the link count in inodes, file will then be linked to Lost&Found • debugfs to relink a file to Lost&Found in ext2

  7. Data Analysis Techniques Deleted files are overwritten if • Drive is wiped (e.g. part of PGP suite) • New files are created on the partition • New software is installed on the partition • Applications running may update the partition

  8. Data Analysis Techniques Deleted files are overwritten if • The partition stores the %systemroot% directory and Windows modifies it for internal housekeeping. • If the partition contains the web browser cache • If the volume contains the TEMP directory • At system shutdown / startup

  9. Data Analysis Techniques Free, slack and unallocated space • Use a hex-editor  • Use a specialty tool that generates a file by appending all slack and free space • Use a forensics tool  Free: Outside of a partition. Slack: Allocated, but unused overhang in the last cluster of a file Unallocated: Not assigned to a current file.

  10. Data Analysis Techniques First Task: • Generate database of all files • Full path. • MAC-dates & -times. • Logical size of file. • MD5 hash (to counteract evidence deterioration).

  11. Data Analysis Techniques • Generate database of all files • Use MD5 hash to exclude well-known files from investigation.

  12. Data Analysis Techniques • Prepare drive for string searches. • Forensics tools do this automatically. • Need to deal with proprietary formats. • Compressed files need to be uncompressed. • Encrypted files need to be unencrypted.

  13. Data Analysis Techniques • Perform string searches • On UNIX, use grep. • Forensics tools preprocess forensic duplicates.

  14. Data Analysis Techniques • Perform String Searches • The “How” is easier than the “What”. • Investigator and analyst need to work together: • “What are we looking for?” • “What information do we need?”

  15. Data Analysis Techniques Example: The hard drive of a robbery suspect contains numerous references to his “little excursions”. To tie the suspect to the computer, establish usage by suspect alone by: • Finding personal pictures (look for jpg). • Restore old emails. • Restore chat sessions. http://www.signonsandiego.com/news/metro/santana/20010312-9999_1n12compute.html

  16. Data Analysis TechniquesWhat to look for Email • Primary Source of Evidence. • Email in transit is protected by the EPCA and other statutes. • Checking email after transition is treated similar to searches of files.

  17. Data Analysis TechniquesWhat to look for • Print Spooler Files. • Typically deleted right after printing • Usually not be overwritten • Not used by modern printers

  18. Data Analysis TechniquesWhat to look for • Web Cache Evidence • All web browsers cache. • Some delete files after session closes. • Ex.: United States v. Tucker: The government introduced Internet conversations taken from Tucker's computer which showed that while he was looking for pictures he stated that he was into "young action" and would "like to start trading (3)27" and introduced a listing of Internet conversations documenting Tucker's trading of such images. United States Court of Appeals, Eleventh Circuit.No. 97-2767

  19. Data Analysis TechniquesWhat to look for • Swap Files / Virtual Memory Files • Can be very large. • Use Forensics Tools like Encase • Alternatively: Hex Editors, Norton Disk Commander (under Windows)

  20. Windows Data Analysis • Perform keyword searches. • Review Logs. • Review Registry. • Review swap files. • Review special application files: • Internet Cache • Recycle Bin • Printer Spool • Email Files

  21. Windows Data Analysis: Text Searches • Raw Data Level • BinText (Foundstone) • Disk Investigator (K. Soloway) • SectorSpyXP (McCamy, Lexun Freeware) • Forensics Tools • Encase • FTK • Mareswares

  22. Windows Data Analysis: Text Searches

  23. Windows Data AnalysisLogs Windows NT, 2000, XP, 2003, 7 maintain log files • System Log • Application Log • Security Log

  24. Windows Data AnalysisLogs Live System: • Use Event Viewer

  25. Windows Data AnalysisLogs Event Log Dump • Use PsLogList (sysinternal) • dumpel (Win2000 Resource Kit)

  26. Windows Data AnalysisLogs From forensics duplicate • secevent.evt • appevent.evt • sysevent.evt

  27. Windows Data AnalysisLogs Drawbacks • Default security logging is “no logging”. • Do not record IP addresses • Application log uses localized settings. (Forensics workstation will not interpret these.)

  28. Windows Data AnalysisLogs Internet Information Services (IIS) has its own set of logs. • Uses W3C standards as a default

  29. Windows Data AnalysisLogs • Need to be enabled. • More important for incidence response than for law enforcement. • Get HTTP status codes.

  30. Windows Data AnalysisLogs • Many other applications log: • Internal firewalls. • Create your own log from the timestamp of files around critical times. • FileList (www.forensics-intl.com) will do this for you.

  31. Windows Data AnalysisReviewing Relevant Files • Recycle Bin • Folder Recycled in Win95/98. • Folder Recycler in WinNT/2000/XP. • Date and Time of Deletion in • System file INFO in Win95 • System file INFO2 in Win98 • Information available in Win2000, WinXP

  32. Windows Data AnalysisReviewing Relevant Files • Windows moves deleted file into the recycle bin. • It deletes from there. • Thus, files can be retrieved from deleted recycle bin entries.

  33. Windows Data AnalysisReviewing Relevant Files • $Logfile entry in the MFT contains the log of all file system transactions • Deletion of a file leaves several entries in $Logfile • Not unusual to find files that are no longer on the disk • Shows that file was used by the system

  34. Windows Data AnalysisReviewing Relevant Files • Shortcuts can contain relevant information. • Stored in the desktop folder. A special agent of the Illinois Attorney General’s Office investigated a case involving child pornography. The agent located a shortcut file in the Windows/Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting child pornography to be displayed on the computer’s monitor when the shortcut was activated. Casey, p. 153

  35. Windows Data AnalysisReviewing relevant files • Prefetch files • Give better performance • Used to collect information on what is necessary to run a program • Stored in Windows/prefetch • Various tools to parse prefetch files • Forensic significance: • Suggests that program has been executed • Gives last time application was run • Gives number of runs

  36. Reviewing Relevant Files • Scheduled Tasks • Windows 2000, XP, 2003 in Windows\Tasks • Windows 7 Windows\System32\Tasks • .job files • Scheduled task log SchedLgU.txt in Windows\Tasks

  37. Windows Data AnalysisReviewing Relevant Files • JUMP lists • List of files recently opened in Windows 7 • Appdata\Roaming\Microsoft\Windows\Recent\AutomaticDestinations • First 16 characters of file name identify application • Uses .lnk file format • Gives time stamps • Various analyzers exist

  38. Windows Data AnalysisReviewing Relevant Files • Thumbs.db (System file) • Contains thumbs pictures for folder. • Not perfectly synchronized with folder. • Deleted images might still be available.

  39. Windows Data AnalysisReviewing Relevant Files • Temporary files • Files with extension tmp • Created by many applications • Emails with large attachments: • Attachments are probably stored as temp files. (Depends on email system.) • Look for file extensions .tmp .

  40. Windows Data AnalysisReviewing Relevant Files • Internet Explorer (as well as other browsers) use a cache. • index.dat contains internet explorer cached websites. • Written in binary. • Use Pasco from Foundstone.

  41. Windows Data AnalysisReviewing Relevant Files

  42. Windows Data AnalysisReviewing Relevant Files

  43. Windows Data AnalysisReviewing Relevant Files • Browser Cache • C:\Documents and Settings\ Username\ Local Settings\Temporary Internet Files Or • C:\Program Files\Netscape\Users\ Username\Cache

  44. Windows Data AnalysisReviewing Relevant Files

  45. Windows Data AnalysisReviewing Relevant Files • Cookies can be partially decyphered. • Use galleta from foundstone.

  46. Windows Data AnalysisReviewing Relevant Files • Typically, concatenate all cookies. • Redirect galleta into an excel file. • Investigate the excel file.

  47. Windows Data AnalysisReviewing Relevant Files • Dial-up Networking • rasautou –s gives autodial addresses

  48. Windows Data AnalysisRegistry • Database that stores settings and options for 32b MSWin OS • Contains information and setting for • Hardware • Software • Users • Preferences

More Related