2008 CSI Challenge: Computer Forensics
Welcome to the 2008 CSI Challenge: Computer Forensics
What you will find in this presentation:
• What is computer forensics?
• The four “A”s
• How disk storage works in your case
• How files live on disk
• Where evidence might reside
• What is slack space?
• What is unallocated space?
• Hex & ASCII representation
• Tools
• Steganography, recovering hidden data
• Requirements
• Glossary
What is Computer Forensics?
• Digital version of “CSI”
• Finds evidence of incidents on digital equipment
  • Computers & drives
  • PDAs
  • iPods
  • Cell phones
  • Digital cameras & flash cards
  • Network equipment
• Evidence must stand up in court
The 4 A’s
• Acquire
• Archive
• Analyze
• Attest
Acquisition
• Crime scene considerations
  • Identify and acquire the evidence
  • Safeguard and process physically
    • Prints and trace evidence
  • Handling of magnetic media (drives, floppies, etc.)
    • Keep away from magnets, machinery which generates magnetic fields, and static electricity (no plastic evidence bags, which generate static electricity)
  • Note where it was found, and under what circumstances
• The nature of the material expands where it might be hidden
  • Between the pages of a book
  • Inside a device
• Locate material which may assist
  • User manuals, lists, passwords which might be written down
Acquisition
• Identify sources of information
  • Hard drives
  • Disks (floppy, CD, DVD)
  • Other devices
    • Digital cameras
    • Cell phones
    • PDAs
• The technician must understand the technology required to ‘archive’ the information
• Once it is seized as evidence, the technician creates a bit-for-bit forensic image and makes it available to the analyst
Acquisition: Bit image
• The image is a ‘bit-for-bit’ snapshot of the disk
• This image is used by the analyst
• The image contains everything on the disk
  • Files, deleted files, “dead space” on the disk, etc.
• The image can’t be read directly
  • The forensic software ‘interprets’ the image and “sees” all the files on the disk
• NEVER use the original media unless there is no other alternative… always use the bit-for-bit image if possible
  • If you ever need to use the original material, document it along with the reason
• 2008 CSI Challenge
  • Teams will be provided a ‘bit-for-bit image’ for analysis
  • Your team will not have to create this image
Analysis
• Examination of your evidence
• In Forensic Toolkit (FTK)
  • Create a new case or open an existing one
  • Add evidence to the case
    • Drive (hard disk, floppy, USB flash drive, etc.)
    • Previously acquired bit image
      • 2008 CSI Challenge teams will use this option
    • A folder and its contents
    • Individual files
Analysis
• Find the evidence
• Examine the structure of the disk itself
  • Hidden data
• Suspicious files
  • Renamed, altered or deleted
• Search for ‘strings’
  • (a string is a group of characters, such as a name, a credit card number, or even a fragment of a word)
  • In files
  • In deleted files
  • In ‘dead space’ (slack or unallocated space, explained later)
Analysis
• Look for ‘stuff’ in plain sight
  • Files, emails, etc.
• Look for hidden evidence
  • Files renamed to appear as different file types
    • A Word document renamed as a ‘jpg’ image file
  • Stego’d files (see later)
  • Encrypted files
    • Password required
    • Locate the password
      • In existing evidence
      • At the crime scene
    • Guess the password (important dates, names, etc.)
      • Might require personal knowledge about the suspect’s background
    • ‘Crack’ the password using a computer program
      • (not an option for the 2008 CSI Challenge… not enough time)
Analysis
• File anomalies (irregularities)
• File name does not match the file type
  • An internal “signature” in the file indicates the type of file
  • Signatures are also called “magic numbers”
  • “JFIF” inside a file might mean it’s really a JPG image file and not a text file or whatever the filename indicates
• File times are inconsistent
  • MAC times (Modification-Access-Creation)
  • It’s possible for the creation time to be later than the modification time, depending on the OS and how the file was copied, etc.
• Compressed files (zip or other format)
  • May be passworded, and may contain many files bundled into one file
  • You should know how to “unzip” a file if it’s compressed or “zipped”
    • File name ends in ‘.zip’
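The “bad signature” check described on this slide, as an added example (not part of the original presentation or of FTK): it compares the file extension an analyst sees with the magic number found in the file’s leading bytes. The signature table and the sample file contents are constructed for this example; real JPEGs start with FF D8 FF and carry “JFIF” at offset 6.

```python
import os

# Constructed signature table for this example: (type, offset, magic bytes).
# A JPEG starts FF D8 FF; the "JFIF" marker named on the slide sits at offset 6.
SIGNATURES = [
    ("jpg", 0, b"\xff\xd8\xff"),
    ("jpg", 6, b"JFIF"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),
    ("bmp", 0, b"BM"),
    ("zip", 0, b"PK\x03\x04"),   # a .docx also starts this way (it is a zip)
]
ALIASES = {"jpeg": "jpg"}


def identify_type(data: bytes):
    """Return the type whose signature matches the file's leading bytes, else None."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def check_file(filename: str, data: bytes):
    """Compare the extension an analyst sees with what the content says it is.

    Returns (verdict, extension, detected_type) where verdict is
    'ok', 'bad signature' or 'unknown' (no signature in the table matched)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    detected = identify_type(data)
    if detected is None:
        return ("unknown", ext, None)
    if detected == ext:
        return ("ok", ext, detected)
    return ("bad signature", ext, detected)


# Constructed sample contents (only the leading bytes matter for the check).
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
ZIP_HEAD = b"PK\x03\x04\x14\x00\x00\x00"
TEXT = b"Dear Sir; We have read your proposal, and ... no thanks"

if __name__ == "__main__":
    for name, data in [("photo.jpg", JPEG_HEAD), ("notes.txt", JPEG_HEAD),
                       ("letter.txt", TEXT), ("evidence.zip", ZIP_HEAD)]:
        print(name, check_file(name, data))
```

A file that comes back “unknown” is not cleared: it only means no signature in the table matched, so a plain text file and an unfamiliar format look the same here.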
Analysis
• Critical thinking: the investigative part!
  • Incriminating evidence
    • (or exculpatory… excluding a suspect)
  • Discovering new avenues of inquiry
    • Emails
    • Recently used documents
    • Visited websites
    • Snippets or fragments of information
      • Including slack space…
Archive
• Saving the evidence for future use once you’re done with the case
  • In case you need to review your work
Attest
• Reporting of analysis results
  • Written competency
• Testimony
  • Expert witness
  • Verbal and non-verbal skills
• Any reporting of results by 2008 CSI Challenge teams should be clear and legible, using whole sentences to state your findings
Explaining units of storage
• This is a basic explanation of how information is stored on a computer’s disk
• Byte
  • The basic unit of storage
  • Roughly equivalent to a ‘character’
  • 1,000,000 bytes = 1 Megabyte (1 MB)
    • Holds about a million typewritten characters
• Sector
  • How bytes are organized on disk
  • 512 bytes per sector
• Cluster
  • A group of sectors
  • Floppy disk: 1 sector per cluster
  • Hard drive: depends on the system
How a file is written
• Sectors are grouped into ‘clusters’
• A cluster can be
  • 1 sector/cluster (512 bytes)
  • 2 sectors/cluster (1024 bytes)
  • 4 sectors/cluster (2048 bytes)
  • 8 sectors/cluster (4096 bytes)
• On a floppy, we use one sector per cluster
• When we need space for a file, the system gives us a whole cluster (not just a sector)
Slack Space
• When we write a file using a cluster
  • We have “left over” room in the cluster
  • This is called “slack space”
• Information can reside in slack space
  • We cannot say that the person who wrote the file in that cluster also put that slack information into that cluster
• Clusters can be reused once a file is deleted
  • They’re put back into a pool of unallocated clusters
    • (they don’t belong to any file)
  • If these clusters haven’t been used for writing a new file, it’s possible to recover this ‘deleted’ file
Cluster and slack space
• Cluster (512 bytes)
  • We write about 100 bytes
  • The rest is ‘slack’
• [Figure: a 512-byte cluster whose first part is labelled “File” (the new text “This is an example of a cluster containing information…”) and whose remainder is labelled “Slack” (left-over text from an older letter: “Dear Sir; We have read your proposal, and … no thanks”)]
Oh no! Should I worry about hexadecimal?
• No. For the 2008 CSI Challenge you might see the hexadecimal notation of the disk’s data alongside the “English” readable data
  • This is presented so that you’ll recognize it when you see it while using FTK (see the next screen)
  • You will not be responsible for knowing “hex”
• Computers really only know “numbers”
  • Certain numbers (values) are associated with letters of the alphabet
  • For example, a value of “44” in hexadecimal is a capital “D”, a hex “20” is a space, and a “64” value is a small “d”
  • This is called the ASCII code
[Screenshot: FTK hex view showing the hex data (numeric) on the left and the ASCII (alpha) text on the right, with an upper-case “D” called out]
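The cluster/slack picture from the “Cluster and slack space” slide and the hex/ASCII view from the last two slides, as one added example (not code from the presentation or from FTK). The 512-byte cluster, the old letter and the new file are constructed for this example; the hexdump format is a plain imitation of the offset / hex / ASCII layout an FTK hex view shows, and the string-location check mirrors the “file or slack space” distinction listed under Tools.

```python
CLUSTER_SIZE = 512  # one 512-byte sector per cluster, as on a floppy


def write_to_cluster(cluster: bytes, file_data: bytes) -> bytes:
    """Store file_data at the start of a reused cluster. Like a file system that
    does not wipe clusters, this leaves the old bytes past the file's end in place."""
    if len(file_data) > len(cluster):
        raise ValueError("file does not fit in one cluster")
    return file_data + cluster[len(file_data):]


def slack_space(cluster: bytes, file_size: int) -> bytes:
    """The 'left over' part of the cluster, past the end of the current file."""
    return cluster[file_size:]


def locate_string(cluster: bytes, file_size: int, needle: bytes) -> str:
    """Say whether a search hit lies in the file's bytes, in its slack, or across both."""
    pos = cluster.find(needle)
    if pos < 0:
        return "not found"
    if pos + len(needle) <= file_size:
        return "file"
    return "slack" if pos >= file_size else "straddles file/slack boundary"


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex-view style rows: offset, hex bytes, then the printable ASCII of the same bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


# Constructed data: the cluster once held a letter; a shorter file now reuses it.
OLD_LETTER = (b"Dear Sir; We have read your proposal, and ... no thanks. " * 10)[:CLUSTER_SIZE]
NEW_FILE = b"This is an example of a cluster containing information."
CLUSTER = write_to_cluster(OLD_LETTER, NEW_FILE)
SLACK = slack_space(CLUSTER, len(NEW_FILE))

if __name__ == "__main__":
    print(hexdump(CLUSTER[:96]))   # first rows: the new file, then old letter text in slack
    print(locate_string(CLUSTER, len(NEW_FILE), b"proposal"))   # found in slack
```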
Tools
• Software such as FTK (which you will be using) contains tools that allow you to:
  • Acquire an evidence image
  • Identify deleted files
    • Possibly recover a deleted file
  • Search the bit image
    • Search for a string of text (last name, etc.)
    • Identify files containing the string
    • Identify that area as belonging to a file, or in slack space
  • Examine attributes of files
    • Hidden
    • Deleted
    • File times
    • Mismatch between file name and actual file type
      • ‘bad signature’ (a ‘txt’ file might actually be a ‘jpg’ file)
  • Show thumbnails of picture-type files
  • Export files (or fragments) (collect them in one spot)
  • Bookmark critical findings (highlight relevant findings)
  • Document the case for the report (times, investigator, etc.)
Tools
• Existing software
  • Word, Adobe, etc.
    • Open files of that format
    • The analyst must know how the application software works
  • PKZIP, WinZip, WinRAR
    • Extract compressed files
  • Steganography (S-Tools)
    • Extract files from a “stego’d” file
    • S-Tools uses BMP, GIF or WAV files as ‘containers’ to hide other files
    • Can be used to reveal and extract hidden files
FTK
• Forensic ToolKit (AccessData)
  • The demo version allows examination of cases with a maximum of 5000 files
• Add your evidence image file
• Analyze it
• Document your results
• You will use FTK to add your evidence to a new case and analyze it
Steganography
• Hidden information inside a file
  • A file inside a file (container file and message file)
  • Can be passworded / encrypted
• The “container” (stego’d) file is either a “bmp” or “gif” image type
  • Can also be an ‘audio’ file
  • On a hard drive, or on someone’s iPod, etc.
• Files can be included in a Word (or other) document, such as web pages, or be a “standalone” file on someone’s hard drive
• S-Tools can be downloaded to reveal stego’d evidence
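How a “file inside a file” container works and how the analyst gets the message back out, as an added example (not code from the presentation and not S-Tools’ own format, which differs). It uses the simplest least-significant-bit scheme over a constructed array of one-byte image samples; the 4-byte length prefix is an assumption of this example, chosen so that an innocent cover shows up as “no payload” instead of garbage.

```python
def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of successive cover bytes, after a
    4-byte big-endian length so the reader knows where the payload ends."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for this message")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit     # each sample changes by at most 1
    return bytes(out)


def reveal_lsb(stego: bytes) -> bytes:
    """Read the LSB stream back; raise if the length field is implausible,
    which is what an analyst sees when a file carries no payload in this scheme."""
    def read(start_bit: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length field exceeds cover size: no payload in this scheme")
    return read(32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any pixel/sample value; LSB hiding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 'image': 512 one-byte samples standing in for BMP pixels (or WAV samples).
COVER = bytes((i * 7) % 256 for i in range(512))
MESSAGE = b"meet at noon"
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    print(reveal_lsb(STEGO), max_sample_change(COVER, STEGO))
```

The one-unit change per sample is why the slide says the container picture looks no different; comparing the stego file against an original copy of the picture, when one can be found, is the most direct way to show that something was hidden.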
2008 CSI Challenge Requirements
• Laptop
  • CD-ROM drive
• Software
  • Windows XP or Vista
  • Microsoft Office (2003 or better)
  • AccessData’s Forensic ToolKit (FTK)
  • S-Tools
  • WinZip or the capability to unzip files on your drive
    • Should already be built into Windows when you right-click on a zipped filename
• Tutorials (including this one) can be found on the website
Glossary
• ASCII
  • Computers only know numbers. ASCII is a ‘code’ that associates numbers with letters or characters of the alphabet.
• Bit
  • Binary digit; a ‘one’ or a ‘zero’
• Byte
  • Grouping of eight bits, representing a numerical value from 0 to 255
  • Can also represent a “character” or letter of the alphabet
Glossary
• Bit-for-bit image
  • Also known as a bitstream image
  • A “snapshot” of a piece of evidence, taken in a forensically sound manner (no alteration of the original evidence)
• Bitstream image
  • See bit-for-bit image
Glossary
• Cluster
  • A group of sectors. Files are written by the system using clusters
  • Floppy clusters are 1 sector per cluster
  • Hard drives vary (common to find 8 sectors per cluster)
• Compression (of files)
  • A method of making a large file smaller by eliminating repetitive sequences of characters
  • See “zip” files
Glossary
• Encryption
  • Used to make information unreadable unless you have the password
• Evidence
  • Something that provides proof
  • Could be a hard drive, floppy, USB device, paper notes or anything containing information
• Hexadecimal
  • Numerical representation used by computer scientists. See ASCII code
Glossary
• Password
  • A mechanism which prevents a person from accessing a file unless the user provides the correct password or passphrase.
• Slack or slack space
  • That area of a cluster belonging to a file which is “left over.” Information can be contained in slack space.
• Steganography
  • “Hidden writing.” The process of hiding information inside a container file. The container picture typically looks no different after having hidden data inside it. Software such as S-Tools is used both to hide and to reveal information.
Glossary
• Zip file
  • A compressed file. A zip can contain a single file, or many files. The zip file can contain a directory (folder) structure, along with all the files in that folder. Zip files can also be passworded.
2008 CSI Challenge
• Good luck to all contestants
• End of PowerPoint presentation