120 likes | 548 Vues
COMPUTER FORENSICS. Aug. 11, 2000 for. tan@atstake.com. Cambridge, Massachusetts. COMPUTER FORENSICS CAN BE MANY THINGS. Child Pornography Fraud Espionage & Treason Corporate or University Policy Violation Honey-pots. Corporate or University internal investigation
E N D
COMPUTER FORENSICS Aug. 11, 2000 for tan@atstake.com Cambridge, Massachusetts
COMPUTER FORENSICS CAN BE MANY THINGS • Child Pornography • Fraud • Espionage & Treason • Corporate or University Policy Violation • Honey-pots • Corporate or University internal investigation • FBI or (unlikely) Sheriff investigation • Computer Security Research • Post Mortem or Damage Assessment Computer Forensics ultimately support or refute a case someone cares to make.
FORENSICS IS A FOUR STEP PROCESS • Acquisition • Identification • Evaluation • Presentation RCMP Technical Security Branch - Computer Forensics: An Approach to Evidence in Cyberspace (RCMP GRC Publications) http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm , by Special Agent Mark M. Pollitt, Federal Bureau of Investigation, Baltimore, Maryland (4/96)
PRESENTATION – Starting at the End • Many findings will not be evaluated to be worthy of presentation as evidence. • Many findings will need to withstand rigorous examination by another expert witness. • The evaluator of evidence may be expected to defend their methods of handling the evidence being presented. • The Chain of Custody may be challenged.
EVALUATION – What the Lawyers Do • This is what lawyers (or those concerned with the case) do. Basically, determine relevance. • Presentation of findings is key in this phase. • Findings submitted for evaluation as evidence will not only be evaluated for content but for “chain of custody” problems.
IDENTIFICATION – Technical Analysis • Physical Context • Logical Context • Presentation/Use Context • Opinion to support relevance of findings • Handling and labeling of objects submitted for forensic analysis is key. • Following a documented procedure is key.
FBI List of Computer Forensic Services • Content (what type of data) • Comparison (against known data) • Transaction (sequence) • Extraction (of data) • Deleted Data Files (recovery) • Format Conversion • Keyword Searching • Password (decryption) • Limited Source Code (analysis or compare) • Storage Media (many types)
THE EVIDENCE LOCKER • Restricted Access and Low Traffic, Camera Monitored Storage. • Video Surveillance & Long Play Video Recorders • Baggies for screws and label everything! • Sign In/Out for Chain of Custody
ACQUISITION – What Are the Goals? • Track or Observe a Live Intruder? • Assess Extent of Live Intrusion? • Preserve “Evidence” for Court? • Close the Holes and Evict the Unwanted Guest? • Support for Sheriff, State Police or FBI Arrest? • Support for Court Ordered Subpoena?
GROUND ZERO – WHAT TO DO • do not start looking through files • start a journal with the date and time, keep detailed notes • unplug the system from the network if possible • do not back the system up with dump or other backup utilities • if possible without rebooting, make two byte by byte copies of the physical disk • capture network info • capture process listings and open files • capture configuration information to disk and notes • collate mail, DNS and other network service logs to support host data • capture exhaustive external TCP and UDP port scans of the host • contact security department or CERT/management/police or FBI • if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented • short-term storage • packaging/labeling • shipping
ADDITIONAL RESOURCES • RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm • Lance Spitzner’s Page: Forensic Analysis, Building Honeypots http://www.enteract.com/~lspitz/pubs.html • Fish.com Security’s Forensic Page: The Coroner’s Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/ • The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm • Long Play Video Recorders. http://www.pimall.com/nais/vrec.html • FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm • Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl • Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
Thank you … … very much, MIT!