370 likes | 470 Vues
Computer Forensics BACS 371. Evidentiary Methods II Evidence Acquisition. OK, What do we do first?. Basic Forensic Methodology . Acquire the evidence Authenticate that it is the same as the original Analyze the data without modifying it. Photographing Systems.
E N D
Computer ForensicsBACS 371 Evidentiary Methods II Evidence Acquisition
Basic Forensic Methodology • Acquire the evidence • Authenticate that it is the same as the original • Analyze the data without modifying it
Photographing Systems Before you do anything, begin documentation by photographing all aspects of the system… • Monitor • Desk and surrounding area • All 4 sides of PC • Labeled cables still connected
Evidence Acquisition Process1 • Disassemble the Case of the Computer • Identify storage devices that need to be acquired (internal/external/both) • Document internal storage devices and hardware configuration • Drive condition (make, model, geometry, size, jumper settings, location, drive interface, …) • Internal components (sound card, video card, network card – including MAC address, PCMCIA cards, … • Disconnect storage devices (power, data, or both) • Controlled boots • Capture CMOS/BIOS info (boot sequence, time/date, passwords) • Controlled boot from forensic CD to test functionality (RAM, write-protected storage, …) • Controlled boot to capture drive config (LBA, CHS, …) 1Forensic Examination of Digital Evidence: A guide for Law Enforcment, USDOJ/NIJ, Chapter 3. Evidence Acquistion, http://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Forensic Analysis CYA • Virus Check • Forensic computer • Media being processed • Collect System Information • Complete computer hardware inventory • CHKDISK/SCANDISK • Look for “orphan clusters” • “Tech” Program for Forensic computer
Role of the First Responder • Scene of the Cybercrime1 • Do No Harm! • Identify the Crime Scene • Protect the Crime Scene • Preserve Temporary and Fragile Evidence • A guide for First Responders2 • Secure and Evaluate the Scene • Document the Scene • Collect Evidence • Packaging, Transportation, and Storage of Evidence • Forensic Examination 1Scene of the Cybercrime, Shinder & Tittel, p.553 2Electronic Crime Scene Investigation: A Guide for First Responders, US Dept of Justice, NIJ Guide, July 2001
Role of Investigators1 • Establish Chain of Command • Conduct Crime Scene Search • Maintain Integrity of Evidence 1Scene of the Cybercrime, Shinder & Tittel, p.554
Role of Crime Scene Technician1 • Preserve volatile evidence and duplicate disks • Shut down systems for transport • Tag and log evidence • Transport evidence • Process evidence 1Scene of the Cybercrime, Shinder & Tittel, p.555
Computer Seizure Checklist1 • Photograph the monitor • Preserve Volatile Data • Shutdown Systems • Photograph the System Setup • PC – all sides • Label all connections • Unplug system and peripherals – mark & tag • Bag and tag all components • Bitstream Copy of Disk(s) - (offsite usually) • Verify integrity of copies - (offsite usually) 1Scene of the Cybercrime, Shinder & Tittel, p.557
Preserve Volatile Data1 • Order of Volatility2 • Registers and Cache • Routing Table, ARP Cache, Process Table, Kernel Statistics • Contents of System Memory (RAM) • Remote Logging and Monitoring Data • Physical Configuration, Network Topology • Temporary File Systems • Data on Disk • Archival Media 1Scene of the Cybercrime, Shinder & Tittel, p.559 2Guidelines for Evidence Collection and Archiving, IEEE, February 2002
Things to Avoid1 • Don’tShutdown until volatile evidence has been collected • Don’t trust the programs on the system – use your own secure programs • Don’t run programs which modify access times of files 1Guidelines for Evidence Collection and Archiving, IEEE, February 2002
Acquire the EvidenceTo shutdown, or to not shutdown, that is the question! • Without damaging or altering the original • Let the machine run, or pull the plug?? • Run • Retains maximum forensic evidence • Pull Plug • Removes a compromised computer from potentially affecting the whole network • How to pull the plug • From the back of the PC • When the hard drive is not spinning • Sound • Drive Light • Vibration
Making Backups • File Backup vs. Bitstream Copy • Use Forensically Sterilemedia • Make 2 backup copies (one to work with and one to store) • Don’t access the original again!
Level of Effort to Protect Evidence… If the evidence is going to be used in court VS. If the evidence is going to be used for internal investigation • Evidence method should be the same for both situation in case it ever goes to court • The more documentation the better
MD5 Hashing • Wikipedia Entry • Cryptographic Hash Function • A hash function must be able to process an arbitrary-length message into a fixed-length output • Hash Function • Hash Collision • Check Digit • Cyclic Redundancy Check (CRC)
MD5 Hashing Algorithm1 One MD5 operation — MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the message input, and Ki denotes a 32-bit constant, different for each operation. <<<s denotes a left bit rotation by s places; s varies for each operation. denotes addition modulo 232 There are four possible functions F, a different one is used in each round: 1Wikipedia
Integrity of Evidence+ +Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Spring 2002, V1.1, www.ijde.org (Oct 25, 2005)
Hashing Algorithms1 1Hands-on Ethical Hacking and Network Defense, Simpson, 2006, p. 305
MD5 Hash “[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit ‘fingerprint’ or ‘message digest’ of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be ‘compressed’ in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.”1 1http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
MD5 Hash • 128-bit number representing a “fingerprint” of a file • Odds of two different files having the same MD5 Hash are 1 in 2128 • MD5 issues??? • Collisions – Two different files generating the same hash http://www.cryptography.com/cnews/hash.html • SHA Collisions http://online.wsj.com/article_print/SB111084838291579428.html
Hash Try It… • http://block111.servehttp.com/hash • http://bfl.rctek.com/tools/?tool=hasher • http://www.digital-detective.co.uk/freetools/md5.asp • http://www.miraclesalad.com/webtools/md5.php
Attributes of Secure, Auditable Date/Time Stamps • Accuracy • Time is from an authoritative source and is accurate • Authentication • Source is authenticated by National Measurement Institute • Integrity • Time not subject to corruption during “handling” • Non-Repudiation • Association between event or document and the time cannot later be denied • Accountability • Third party can verify that due process was applied and no corruption transpired
Steps for Secure Timestamping • Traceability to Legal Time Sources • Time Distribution • Secure Digital Timestamping
Digital Evidence Collection Toolkit1 • Documentation Tools • Cable tags • Indelible felt tip markers • Stick-on labels • Disassembly and Removal Tools • Flat-blade and Philips-type screwdrivers • Hex-nut drivers • Needle-nose pliers • Secure-bit drivers • Small tweezers • Specialized screwdrivers • Standard pliers • Star-type nut drivers • Wire cutters • Package and Transport Supplies • Antistatic bags • Antistatic bubble wrap • Cable ties • Evidence bags • Evidence tape • Packing materials • Packing tape • Sturdy boxes of various sizes • Other Items • Gloves • Hand truck • Large rubber bands • List of contact telephone numbers for assistance • Magnifying glass • Printer paper • Seizure disk • Small flashlight • Unused floppy diskettes (3 ½” and 5 ¼”) 1Electronic Crime Scene Investigation: A guide for First Responders, NIJ Guide, DOJ
Handling, Transportation, Storage • Static Electricity • External RF signals • Heat • Humidity • Sunlight??
Documenting Evidence • Evidence is Tagged • Evidence Logs • Evidence Analysis Logs • Admissibility of Evidence
Evidence is Tagged • Place name or initials on item • Date/Time • Case Number • Physical marking is preferable • If not markable, bag evidence • Use latex gloves • Create and use an Evidence Kit
Evidence Logs • Lists all evidence collected • Description of each piece of evidence with serial numbers • Identifies who collected the evidence and why • Date and Time of collection • Disposition of Evidence • All transfers of custody
Evidence Analysis Logs • How each step is performed • Who was present • What was done • Result of procedure • Time/date • Document all potential evidence • Filename • Where on disk data are located • Date and time stamps • Network information (MAC address, IP address) • Other file properties (metadata)
5 Mistakes of Computer Evidence • Run the Computer • Get Help from the Computer Owner • Don’t Check for Computer Viruses • Don't Take Any Precautions In The Transport of Computer Evidence • Run Windows To View Graphic Files and To Examine Files 1Electronic Fingerprints: Computer Evidence Comes Of Age by Michael R. Anderson
Admissibility of Evidence • Relevant • Substantiates an issue that is in question in the case • Competent • Reliable and credible • Obtained legally