670 likes | 738 Vues
Digital Forensics. Dr. Bhavani Thuraisingham The University of Texas at Dallas Overview, Data Acquisition, Processing Crime Scenes and Digital Forensics Analysis June 2015. Digital Forensics. Digital forensics is about the investigation of crime including using digital/computer methods
E N D
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Overview, Data Acquisition, Processing Crime Scenes and Digital Forensics Analysis June 2015
Digital Forensics • Digital forensics is about the investigation of crime including using digital/computer methods • More formally: “Digital forensics, also known as computer forensics, involved the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca • Digital evidence may be used to analyze cyber crime (e.g. Worms and virus), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)
Relationship to Intrusion Detection, Firewalls, Honeypots • They all work together with Digital forensics techniques • Intrusion detection • Techniques to detect network and host intrusions • Firewalls • Monitors traffic going to and from and organization • Honeypots • Set up to attract the hacker or enemy; Trap • Digital forensics • Once the attack has occurred or crime committed need to decide who committed the crime
Computer Crime • Computers are attacked – Cyber crime • Computer Virus • Computers are used to commit a crime • E.g., child predators, Embezzlement, Fraud • Computers are used to solve a crime • FBI’s workload: Recent survey • 74% of their efforts on white collar crimes such as healthcare fraud, financial fraud etc. • Remaining 26% of efforts spread across all other areas such as murder and child pornography • Source: 2003 Computer Crime and Security Survey, FBI
Objective and Priority • Objective of Computer Forensics • To recovery, analyze and present computer based material in such a way that is it usable as evidence in a court of law • Note that the definition is the following: “computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca • Priority • Main priority is with forensics procedures, rules of evidence and legal processes; computers are secondary • Therefore accuracy is crucial • Accuracy: Integrity and Security of the evidence is crucial • No shortcuts, need to maintain high standards • Speed may have to be sacrificed for accuracy.
The Job of a Forensics Specialist • Determine the systems from which evidence is collected • Protect the systems from which evidence is collected • Discover the files and recover the data • Get the data ready for analysis • Carry out an analysis of the data • Produce a report • Provide expert consultation and/or testimony?
Applications: Law Enforcement • Important for the evidence to be handled by a forensic expert; else it may get tainted • Need to choose an expert carefully • What is his/her previous experience? Has he/she worked on prior cases? Has he/she testified in court? What is his/her training? Is he CISSP certified? • Forensic expert will be scrutinized/cross examined by the defense lawyers • Defense lawyers may have their own possibly highly paid experts?
Applications: Human Resources • To help the employer • What web sites visited? • What files downloaded • Have attempts been made to conceal the evidence or fabricate the evidence • Emails sent/received • To help the employee • Emails sent by employer – harassment • Notes on discrimination • Deleted files by employer
Applications: Other • Supporting criminals • Gangs using computer forensics to find out about members and subsequently determine their whereabouts • Support rogue governments and terrorists • Terrorists using computer forensics to find out about what we (the good guys) are doing • We and the law enforcement have to be one step ahead of the bad guys • Understand the mind of the criminal
Services • Data Services • Seizure, Duplication and preservation, recovery • Document and Media • Document searched, Media conversion • Expert witness • Service options • Other services
Data Services • Data Seizure • The expert should assist the law enforcement official in collecting the data. • Need to identify the disks that contain the data • Data Duplication and Preservation • Data absolutely cannot be contaminated • Copy of the data has to be made and need to work with the copy and keep the original in a safe place • Data Recovery • Once the device is seized (either local or remote) need to use appropriate tools to recover the data
Data Services: Finding Hidden Data • When files are deleted, usually they can be recovered • The files are marked as deleted, but they are still residing in the disk until they are overwritten • Files may also be hidden in different parts of the disk • The challenge is to piece the different part of the file together to recover the original file • There is research on using statistical methods for file recovery • http://www.cramsession.com/articles/files/finding-hidden-data---how-9172003-1401.asp • http://www.devtarget.org/downloads/ca616-seufert-wolfgarten-assignment2.pdf
Document and Media Services • Document Searches • Efficient search of numerous documents • Check for keywords and correlations • Media Conversion • Legacy devices may contain unreadable data. This data ahs to be converted using appropriate conversion tools • Should be placed in appropriate storage for analysis
Expert Witness Services • Expert should explain computer terms and complicated processes in an easy to understand manner to law enforcement, lawyers, judges and jury • Computer technologists and lawyers speak different languages • Expertise • Computer knowledge and expertise in computer systems, storage • Knowledge on interacting with lawyers, criminology • Domain knowledge such as embezzlement, child exploitation • Should the expert witness and the forencis specialist be one and the same?
Service Options • Should provide various types of services • Standard, Emergency, Priority, Weekend After hours services • Onsite/Offsite services • Cost and risks – major consideration • Example: Computer Forensics Services Corporation • http://www.computer-forensic.com/ • As stated in the above web site, this company provides “expert, court approved, High Tech Investigations, litigation support and IT Consulting.” They also "Preserve, identify, extract, document and interpret computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures.”
Other Services • Computer forensics data analysis for criminal and civil investigations/litigations • Analysis of company computers to determine employee activity • If he/she conducting his own business and/or downloading pornography • Surveillance for suspicious event detection • Produce timely reports
Benefits of using Professional services • Protecting the evidence • Should prevent from damage and corruption • Secure the evidence • Store in a secure place, also use encryption technologies such as public/private keys • Ensure that the evidence is not harmed by virus • Document clearly who handled the data and when - auditing • Cleint/Attoney privilege • Freeze the scene of the crime – do not contaminate or change
Using the Evidence: Criminal and Civil Proceedings • Criminal prosecutors • Civil litigation attorneys – harassment, discrimination, embezzlement, divorce • Insurance companies • Computer forensics specialists to help corporations and lawyers • Law enforcement officials • Individuals to sue a company • Also defense attorneys, and “the bad guys”
Issues and Problems that could occur • Computer Evidence MUST be • Authentic: not tampered with • Accurate: have high integrity • Complete: no missing points • Convincing: no holes • Conform: rules and regulations • Handle change: data may be volatile and time sensitive • Handle technology changes: tapes to disks; MAC to PC • Human readable: Binary to words
Legal tests • Countries with a common law tradition • UK, US, Possibly Canada, Australia, New Zealand • Real evidence • Comes from an inanimate object and can be examined by the court • Testimonial evidence • Live witness when cross examined • Hearsay • Wiki entry “Hearsay in English law and Hearsay in United States law, a legal principle concerning the admission of evidence through repetition of out-of-court statements” • Are the following admissible in court? • Data mining results, emails, printed documents
Traditional Forensics vs Computer Forensics • Traditional Forensics • Materials tested and testing methods usually do not change rapidly • Blood, DNA, Drug, Explosive, Fabric • Computer Forensics • Material tested and testing methods may change rapidly • We did not have web logs in back in 1990 • We did not have RAID storage in 1980
Data Acquisition • Types of acquisition • Digital evidence storage formats • Acquisition methods • Contingency planning • Using acquisition tools • Validating data acquisition • RAID acquisition methods • Remote network acquisition tools • Some forensics tools
Types of Acquisition • Static Acquisition • Acquire data from the original media • The data in the original media will not change • Live Acquisition • Acquire data while the system is running • A second live acquisition will not be the same • Will focus on static acquisition
Digital Evidence Storage Formats • Raw formats • Bit by bit copying of the data from the disk • Many tools could be used • Proprietary formats • Vendors have special formats • Standards • XML based formats for digital evidence • Digital Evidence Markup Language (Funded by National Institute of Justice) • Experts have argued that technologies that allow disparate law enforcement jurisdictions to share crime-related information will greatly facilitate fighting crime. One of these technologies is the Global Justice XML Data Model (GJXDM). • http://ncfs.ucf.edu/digital_evd.html
Acquisition Methods • Disk to Image File • Disk to Disk • Logical acquisition • Acquire only certain files if the disk is too large • Sparse acquisition • Similar to logical acquisition but also collects fragments of unallocated (i.e. deleted) data
Compression Methods • Compression methods are used for very large data storage • E.g., Terabytes/Petabytes storage • Lossy vs Lossless compression • Lossless data compression is a class of data compressionalgorithms that allows the exact original data to be reconstructed from the compressed data. The term lossless is in contrast to lossy data compression, which only allows an approximation of the original data to be reconstructed, in exchange for better compression rates.
Contingency Planning • Failure occurs during acquisition • Recovery methods • Make multiple copies • At least 2 copies • Encryption decryption techniques so that the evidence is not corrupted
Storage Area Network Security Systems • High performance networks that connects all the storage systems • After as disaster such as terrorism or natural disaster (9/11 or Katrina), the data has to be availability • Database systems is a special kind of storage system • Benefits include centralized management, scalability reliability, performance • Security attacks on multiple storage devices • Secure storage is being investigated
Network Disaster Recovery Systems • Network disaster recovery is the ability to respond to an interruption in network services by implementing a disaster recovery palm • Policies and procedures have to be defined and subsequently enforced • Which machines to shut down, determine which backup servers to use, When should law enforcement be notified
Using Acquisition Tools • Acquisition tools have been developed for different operating systems including Windows, Linux, Mac • It is important that the evidence drive is write protected • Example acquisition method: • Document the chain of evidence for the drive to be acquired • Remove drive from suspect’s computer • Connect the suspect drive to USB or Firewire write-blocker device (if USB, write protect it via Registry write protect feature) • Create a storage folder on the target drive
Using Acquisition Tools - 2 • Example tools include ProDiscover, Access Data FTK Imager • Click on All programs and click on specific took (e.g., ProDiscover • Perform the commands • E.g. Capture Image • For additional security, use passwords
Validating Data Acquisition • Create hash values • CRC-32 (older methods), MD5, SHA series • Linux validation • Hash algorithms are included and can be executed using special commands • Windows validation • No hash algorithms built in, but works with 3rd party programs
RAID Acquisition Methods • RAID: Redundant array of independent disks • RAID storage is used for large files and to support replication • Data is stored using multiple methods • E.g, Striping • When RAID is acquired, need special tools to be used depending on the way the data is stored
Remote Network Acquisition Tools • Preview suspects file remotely while its being used or powered on • Perform live acquisition while the suspect’s computer ism powered on • Encrypt the connection between the suspect’s computer and the examiner’s computer • Copy the RAM while the computer is powered on • Use stealth mode to hide the remote connection from the suspect’s computer • Variation for the individual tools (ProDiscover, EnCase)
Some Forensics Tools • ProDiscover • http://www.techpathways.com/prodiscoverdft.htm • http://www.techpathways.com/DesktopDefault.aspx • EnCase • http://www.guidancesoftware.com/ • http://www.guidancesoftware.com/products/ef_index.asp • NTI Safeback • http://www.forensics-intl.com/safeback.html
Processing Crime and Incident Scenes • Topics • Securing evidence • Gathering evidence • Analyzing evidence • Understanding the rules of evidence • Collecting evidence in private-sector incident scenes • Processing law enforcement crime scenes • Steps to Processing Crime and Incident Scenes • Case study • Forensics technologies
Securing Evidence • To secure and catalog evidence large evidence bags, tapes, tags, labels, etc. may be used • Tamper Resistant Evidence Security Bags • Example: EVIDENT • “These heavy-duty polyethylene evidence bags require no prepackaging of evidence prior to use. The instantaneous adhesive closure strip is permanent and impossible to open without destroying the seal. A border pattern around the edge of the bag reveals any attempt at cutting or tampering with evidence.” • See also the work of SWDGE (Scientific Working Group on Digital Evidence) and IOCE (International Organization on Computer Evidence)
Gathering Evidence • Bit Stream Copy • Bit by bit copy of the original drive or storage medium • Bit stream image is the file containing the bit stream copy of all data on a disk • Using ProDiscover to acquire a thumb drive • On a thumb drive locate the write protect switch and place drive in write protect model • Start ProDiscover • Click Action, Capture Image from menu • Click Save • Write name of technician • Use hash algorithms for security • Click OK
Analyzing Evidence • Start ProDiscover • Create new file • Click on image file to be analyzed • Search for keywords, patterns and enter patterns to be searched • Click report and export file
Understanding the Rules of Evidence • Federal rules of evidence; each state also may have its own rules of evidence • www.usdoj.gov • Computer records are in general hearsay evidence unless they qualify as business records • Hearsay evidence is second hand or indirect evidence • Business records are records of regularly conducted business activity such as memos, reports, etc. • Computer records consist of computer generated records and computer stored records • Computer generated records include log files while computer stored records are electronic data • Al computer records must be authentic
Private sector incident scenes • Corporate investigations • Employee termination cases, Attorney-Client privilege investigations, Media leak investigations, Industrial espionage investigations • Private sector incident scenes • Private section includes private corporations and government agencies not involved with law enforcement • They must comply with state public disclosure and federal Freedom of Information act and make certain documents available as public records • Law enforcement is called if needed (if the investigation becomes a criminal investigation)
Law Enforcement crime Scenes • A law enforcement officer may seize criminal evidence only with probable cause • A specific crime was committed • Evidence of the crime exists • Place to searched includes the evidence • The forensics team should know about the terminology used in warrants • To prepare for a search and carry out an investigation the following steps have to be carried out • Identifying the nature of the case, the type of computing system, determine whether computer can be seized, identify the location, determine who is in charge, determine the tools
Steps to processing crime and incident scenes • Seizing a computer incident or crime scene • Sizing the digital evidence at crime scene • Storing the digital evidence • Obtaining a digital hash • Conducting analysis and reporting
Case Study • Company A (Mr. Jones) gets an order for widgets from Company B. When the order is ready, B says it did not place the order. A then retrieves the email sent by B. B states it did not send the email. What should A do? • Steps to carry out • Close Mr. Jones Outlook • User windows explorer to locate Outlook PST that has Mr.,. Jones business email • Determine the size of PST and connect appropriate media device (e.g. USB) • Copy PST into external USB • Fill out evidence form – date/time etc. • Leave company A and return to the investigation desk and carry out the investigation (see previous lectures)
Digital Forensics Analysis • Digital Forensics Analysis Techniques • Reconstructing past events • Conclusion and Links • References • http://www.gladyshev.info/publications/thesis/ • Formalizing Event Reconstruction in Digital Investigations Pavel Gladyshev, Ph.D. dissertation, 2004, University College Dublin, Ireland (Main Reference) • http://www.porcupine.org/forensics/forensic-discovery/chapter3.html (Background on file systems)
Digital Evidence Examination and Analysis Techniques • Search techniques • Reconstruction of Events • Time Analysis
Search Techniques • Search techniques • This group of techniques searches collected information to answer the question whether objects of given type, such as hacking tools, or pictures of certain kind, are present in the collected information. • According to the level of search automation, techniques can be grouped into manual browsing and automated searches. Automated searches include keyword search, regular expression search, approximate matching search, custom searches, and search of modifications. • Manual browsing • Manual browsing means that the forensic analyst browses collected information and singles out objects of desired type. The only tool used in manual browsing is a viewer of some sort. It takes a data object, such as file or network packet, decodes the object and presents the result in a human-comprehensible form. Manual browsing is slow. Most investigations collect large quantities of digital information, which makes manual browsing of the entire collected information unacceptably time consuming.
Search Techniques • Keyword search • This is automatic search of digital information for data objects containing specified key words. It is the earliest and the most widespread technique for speeding up manual browsing. The output of keyword search is the list of found data objects • Keywords are rarely sufficient to specify the desired type of data objects precisely. As a result, the output of keyword search can contain false positives, objects that do not belong to the desired type even though they contain specified keywords. To remove false positives, the forensic scientist has to manually browse the data objects found by the keyword search. • Another problem of keyword search is false negatives. They are objects of desired type that are missed by the search. False negatives occur if the search utility cannot properly interpret the data objects being searched. It may be caused by encryption, compression, or inability of the search utility to interpret novel data • It prescribes (1) to choose words and phrases highly specific to the objects of the desired type, such as specific names, addresses, bank account numbers, etc.; and (2) to specify all possible variations of these words.
Search Techniques • Regular expression search • Regular expression search is an extension of keyword search. Regular expressions provide a more expressible language for describing objects of interest than keywords. Apart from formulating keyword searches, regular expressions can be used to specify searches for Internet e-mail addresses, and files of specific type. Forensic utility EnCase performs regular expression searches. • Regular expression searches suffer from false positives and false negatives just like keyword searches, because not all types of data can be adequately defined using regular expressions.
Search Techniques • Approximate matching search • Approximate matching search is a development of regular expression search. It uses matching algorithm that permits character mismatches when searching for keyword or pattern. The user must specify the degree of mismatches allowed. • Approximate matching can detect misspelled words, but mismatches also increase the umber of false positives. One of the utilities used for approximate search is agrep.