1 / 146

Computer Forensics Process

Computer Forensics Process. Overview. Computer evidence is not just about computer crime or incident response Know and use established forensics principles Mindset and technique are more important than tools Establishing relationships is the key to success

dolguin
Télécharger la présentation

Computer Forensics Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Forensics Process

  2. Overview • Computer evidence is not just about computer crime or incident response • Know and use established forensics principles • Mindset and technique are more important than tools • Establishing relationships is the key to success • How to start building your forensic toolkit • Things to expect in the campus environment • Challenges and expected defenses • References

  3. Some Background • On campuses: 25% of all disciplinary cases involve some sort of computer evidence • The Director of the FBI now expects 50% of all cases handled by the FBI to involve at least one computer forensic examination • Local law enforcement agencies and prosecutors expect 20-40% of all cases will require information forensics

  4. Overview • Computer evidence is not just about computer crime or incident response • Know and use established forensics principles • Mindset and technique are more important than tools • Establishing relationships is the key to success • How to start building your forensic toolkit • Things to expect in the campus environment • Challenges and expected defenses • References

  5. Incident Response Methodology (PDCAERF) Digital Forensics/Evidence Management Preparation Detection Containment Analysis Eradication Recovery Follow-up Feed Back

  6. (PDCAERF) • Preparation • Being ready to respond • Procedures & policies • Resources & Computer Security and Incident Response Team (CSIRT ) creation • Current vulnerabilities & counter-measures • Detection/Notification • Determining if an incident or attempt has been made • Intrusion Detection • Initial actions/reactions • Determining the scope • Reporting process

  7. (PDCAERF) • Containment • Limit the extent of an attack • Mitigate the potential damage & loss • Containment strategies • Analysis & Tracking • How the incident occurred • More in-depth analysis of the event • Tracing the incident back to its source

  8. (PDCAERF) • Eradication/ Repair-Recovery • Recovering systems • Getting rid of the causes of the incident, vulnerabilities or the residue (rootkits, trojan horses etc.) • Hardening systems • Dealing with patches

  9. (PDCAERF) • Follow-up • Review the incident and how it was handled • Postmortem analysis • Lessons learned • Follow-up reporting

  10. Challenges • Eric Holder, Deputy Attorney General of the United States Subcommittee on Crime of the House Committee on the Judiciary and the Subcommittee on Criminal Oversight of the Senate Committee on the Judiciary: • Technical challenges that hinder law enforcement’s ability to find and prosecute criminals operating online; • Legal challenges resulting from laws and legal tools needed to investigate cybercrime lagging behind technological, structural, social changes • Resource challenges to ensure we have satisfied critical investigative and prosecutorial needs at all levels of government.

  11. Challenges • National Institute of Justice Study • There is near-term window of opportunity for law enforcement to gain a foothold in containing electronic crimes. • Some state and local law enforcement agencies report that they lack adequate training, equipment and staff to meet their present and future needs to combat electronic crime. • Greater awareness of electronic crime should be promoted for all stakeholders, including prosecutors, judges, academia, industry, and the general public.

  12. General Challenges • Computer forensics is in its infancy • Different from other forensic sciences as the media that is examined and the tools/techniques for the examiner are products of a market-driven private sector • No real basic theoretical background upon which to conduct empirical hypothesis testing • No true professional designations • Proper training • At least 3 different “communities” with different demands, e.g., • Law Enforcement • Military • Business & Industry • Still more of a “folk art” than a true science

  13. Context of Computer Forensics • Homeland Security • Information Security • Corporate Espionage • White Collar Crime • Child Pornography • Traditional Crime • Incident Response • Employee Monitoring • Privacy Issues • ????

  14. Legal Challenges • Status as scientific evidence?? • Criteria for admissibility of novel scientific evidence (Daubert v. Merrell) • Whether the theory or technique has been reliably tested; • Whether the theory or technique has been subject to peer review and publication; • What is the known or potential rate of error of the method used; and • Whether the theory or method has been generally accepted by the scientific community. • Kumho Tire extended the criteria to technical knowledge

  15. Specific Challenges • No International Definitions of Computer Crime • No International agreements on extraditions • Multitude of OS platforms, storage devices and filesystems • Incredibly large storage capacity • 100 Gig Plus • Terabytes • SANs

  16. Specific Challenges • Small footprint storage devices • Compact flash • Memory sticks • Thumb drives • Secure digital • Networked environments • RAID systems • Grid computing • Embedded processors • Other??

  17. Specific Challenges • Where is the “crime scene?” Cyberspace Perpetrator’s System Victim’s System Electronic Crime Scene

  18. Specific Challenges • What constitutes evidence?? • What are we looking for??

  19. Communities • There at least 3 distinct communities within Digital Forensics • Law Enforcement • Military • Business & Industry • Possibly a 4th – Academia

  20. The Process • The primary activities of DFS are investigative in nature. • The investigative process encompasses • Identification • Preservation • Collection • Examination • Analysis • Presentation • Decision

  21. Computer Forensic Activities • Computer forensics activities commonly include: • the securecollection of computer data • the identificationof suspect data • the examinationof suspect data to determine details such as origin and content • the presentationof computer-based information • the applicationof a country's laws to computer practice.

  22. The 3 As • The basic methodology consists of the 3 As: • Acquire the evidence without altering or damaging the original • Authenticate the image • Analyze the data without modifying it

  23. “The Computer” • Computer as Targetof the incident • Get to instructor’s test preparation • Access someone else’s homework • Access/Change a grade • Access financial information • “Denial of Service”

  24. “The Computer” • Computer as Toolof the incident • Word processing used to create plagiarized work • E-mail sent as threat or harassment • Printing used to create counterfeit material

  25. “The Computer” • Computer as Incidental to the incident • E-mail/file access used to establish date/timelines • Stored names and addresses of contacts or others potentially involved in the incident

  26. General Types of Digital Forensics • Network Analysis • Communication analysis • Log analysis • Path tracing • Media Analysis • Disk imaging • MAC time analysis (Modify, Access, Create) • Content analysis • Slack space analysis • Steganography

  27. General Types of Digital Forensics • Code Analysis • Reverse engineering • Malicious code review • Exploit Review • The “puzzle” is a combination of all the above pieces

  28. Overview • Computer evidence is not just about computer crime or incident response • Know and use established forensics principles • Mindset and technique are more important than tools • Establishing relationships is the key to success • How to start building your forensic toolkit • Things to expect in the campus environment • Challenges and expected defenses • References

  29. Principle of Exchange “..when a person commits a crime something is always left at the scene of the crime that was not present when the person arrived.” (Edmund Locard, 1910)

  30. Forensic Principles Upon seizing digital evidence, actions taken should not change that evidence. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.

  31. Forensic Principles An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. Any agency, which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

  32. General Evidence Dos & Don’ts • Minimize Handling/Corruption of Original Data • Account for Any Changes and Keep Detailed Logs of Your Actions • Comply with the Five Rules of Evidence • Do Not Exceed Your Knowledge • Follow Your Local Security Policy and Obtain Written Permission • Capture as Accurate an Image of the System as Possible

  33. General Evidence Dos & Don’ts • Be Prepared to Testify • Ensure Your Actions are Repeatable • Work Fast • Proceed From Volatile to Persistent Evidence • Don't Run Any Programs on the Affected System • Document Document Document!!!! Source: AusCERT 2003 (www.auscert.org)

  34. 5 Rules of Evidence • Admissibility Must be able to be used in court or elsewhere • Authenticity Evidence relates to incident in relevant way • Completeness (no tunnel vision) Exculpatory evidence for alternative suspects • Reliability No question about authenticity & veracity • Believability Clear, easy to understand, and believable by a jury

  35. Evidence Life Cycle Collection & identification Storage, preservation, and transportation Presentation Return to production, owner, or court

  36. Chain of Custody • Protects integrity of the evidence • Effective process of documenting the complete journey of the evidence during the life of the case • Allows you to answer the following questions: • Who collected it? • How & where? • Who took possession of it? • How was it stored & protected in storage? • Who took it out of storage & why?

  37. Overview • Computer evidence is not just about computer crime or incident response • Know and use established forensics principles • Mindset and technique are more important than tools • Establishing relationships is the key to success • How to start building your forensic toolkit • Things to expect in the campus environment • Challenges and expected defenses • References

  38. Forensic Mindset • Digital Forensic Mindset – Condensed Definition: • Using your skills to determine what has occurred or, • What most likely occurred as opposed to what is possible • You do NOT work for anyone but the TRUTH!

  39. Forensic Mindset The tools used are not nearly as important as the person using them! The examination should not occur in a vacuum. Find out all you can about what is already known.

  40. Organizing the Investigation • Use your knowledge to examine the system to answer; could it have happened that way or not? • Don’t make it more complicated than it has to be – start with the obvious! • Examples: • Check for programs that will cause you aggravation – encryption (PGP, Magic Folders, File Vault, MS EFS, etc.)

  41. Organizing the Investigation MAC information – what was happening on the system during the time frame you are interested in? What was being “written”, “changed” or “accessed”?

  42. Why use images • In keeping with the second International Organization on Computer Evidence (IOCE) principle, care must be taken not to change the evidence. • Most media are “magnetic based” and the data is volatile: • Registers & Cache • Process tables, ARP Cache, Kernel stats • Contents of system memory • Temporary File systems • Data on the disk

  43. How about RAM? • DRAMs retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. • Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. Cold Boot Attack on RAMs

  44. Why use images • Examining a live file system changes the state of the evidence (MAC times) • The computer/media is the “crime scene” • Protecting the crime scene is paramount as once evidence is contaminated it cannot be decontaminated. • Really only one chance to do it right!

  45. Why Create a Duplicate Image? • A file copy does not recover all data areas of the device for examination • Working from a duplicate image • Preserves the original evidence • Prevents inadvertent alteration of original evidence during examination • Allows recreation of the duplicate image if necessary

  46. Why Create a Duplicate Image? • Digital evidence can be duplicated with no degradation from copy to copy • This is not the case with most other forms of evidence

  47. Bitstream vs. Backups • A duplicate image, also known as a bit-copy, image, or clone, is an exact, bit-for-bit copy of the source media. • A duplicate image of a physical device will be a true, digital copy of the entire physical device, including partition tables, reserved areas, partitions and unused areas of the device. • A duplicate image of a logical drive will be a bit-for-bit copy of the original logical drive, including Boot Record, FATs, Root Directory, Data Area, and Partition Slack.

  48. Bitstream vs. Backups • Are backups sufficient? • Ideally NO! • Practically it may be the only method available • Most OSes only pay attention to the live filesystem structure • Slack, residue, deleted, etc. are not indexed • Backups generally do not capture this data and they also modify the timestamps of data, contaminating the timeline.

  49. Bitstream vs. Backups • Forensic Copies (Bitstream) • Bit for Bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.) • Often the “smoking gun” is found in the residual data. • Logical vs. physical image

  50. Disk Imaging Tools Requirements • The tool shall make a bit-stream duplicate or an image of an original disk or partition. • The tool shall not alter the original disk. • The tool shall be able to verify the integrity of a disk image file. • The tool shall log I/O errors. • The tool’s documentation shall be correct.

More Related