1. Digital Forensics: Basics and a Peek at State-of-the-Art Golden G. Richard III
University of New Orleans
Digital Forensics Solutions, LLC
golden@cs.uno.edu
golden@digitalforensicssolutions.com
http://www.cs.uno.edu/~golden
http://www.digdeeply.com
2. Who is This Guy?
Professor of Computer Science @ University of New Orleans
Director, Greater New Orleans Center for Information Assurance (GNOCIA) @ University of New Orleans
Co-founder, Digital Forensics Solutions, LLC (New Orleans)
Digital forensics investigation, research, tool development, network penetration testing, data sanitization, training
GIAC-certified Digital Forensics Investigator
United States Secret Service Cybercrime Taskforce
American Academy of Forensic Sciences (AAFS) et al.
3. Digital Forensics
Definition: “Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.”
Computers, PDAs, cellular phones, videogame consoles, digital cameras, copy machines, printers, digital voice recorders…
4. Data: “You only think it’s gone.”
What That Really Means
Sensitive data tenaciously clings to life
YOU may understand, but the vast majority of users have no idea what’s really stored on their digital devices…
…and no ability to properly “clean up” even if they do suspect what’s there
5. Examples of Digital Evidence
Documents
Threatening emails
Suicide notes
Bomb-making diagrams
Malicious Software
Viruses
Worms
Keystroke loggers
Child pornography (contraband images/videos)
Evidence that network connections were made between machines
Cell phone SMS messages
Deleted voice messages on digital voice recorder
Deleted copy jobs on laser printer
Anything that can be stored on digital devices
6. DF Enabler: Data is Hard to Kill
Most OSes: deleted files aren’t securely deleted (only the directory entry and the allocation map change; the data blocks keep their contents until they are reused)
Renaming files to avoid detection is ineffective
Formatting disks doesn’t delete much data
Web-based email can (sometimes) be (partially) recovered even w/o access to web email account
Files transferred over a network can be reassembled and used as evidence
7. Data Death (2)
Completely uninstalling applications is very difficult
“Volatile” data hangs around for a long time
Remnants from previously executed applications survive
The view from your application isn’t the whole picture…
Even rebooting may not erase volatile data!
Using encryption properly is difficult, because data isn’t useful unless decrypted: while it is in use, plaintext lands in RAM, swap, temp files and application caches
Much anti-forensics (“privacy-enhancing”) software is broken (see [Geiger2005])
8. Data Death (3)
“Big” magnets (generally) don’t work on modern drives; a purpose-built degausser does, but only on magnetic media, not on flash
Media mutilation (except in the extreme) isn’t always effective
Drive won’t spin up?
It’s probably not actually dead
It’s just waiting for someone to bang it on their desk…or…
PC-3000 (DeepSpar)
Basic enabler of digital forensics: Data is very hard to kill
9. Fallacy: Format == Data Destruction
Formatting a drive does not prevent recovery of digital evidence
A format typically overwrites less than 5% of the drive contents
Why does a non-Quick format take so long?
On the Windows versions shown here (XP and earlier), a full format reads every block to look for bad blocks; it does not overwrite them (Vista and later do zero the volume during a full format, and SSDs with TRIM complicate the picture further)
Format wipes out the filesystem metadata, so file names and directory structure are lost…
…but the file contents still sit in the now-unallocated blocks, and a lot of the data can be recovered by sifting through what remains after the format operation
10. Visualization of 256MB USB Thumb Drive
11. FAT32 format
12. NTFS format
13. ext3 format
14. Digital Forensics Investigation: What’s possible?
Recovery of deleted data
Discovery of when files were modified, created, deleted, organized
Can determine which storage devices were attached to a specific computer
Which applications were installed, even if they were uninstalled by the user
Which web sites a user visited…
Recovery even when drives / media are in “bad shape”
Lots more
15. The Limits: What’s not possible…
Data recovery…
If digital media is completely (physically) destroyed, recovery is impossible
If digital media is securely overwritten, recovery is (for us and probably for them) impossible
16. When is the Data Really Gone?
17. Thermite
18. Why Should You Care?
Privacy is good.
Knowing what’s stored and how to control access and securely destroy data is important
99% of users only think they know
Prosecuting bad people is good.
Prosecuting good people is bad.
19. Why Else?
Lots of interesting problems
Lots of research and hacking to do
…algorithms…
…filesystem research…
…deep OS internals…
…reverse engineering
…data mining…
…machine learning…
…parallel/distributed computing…
…GPU-based computation…
…
20. Digital Forensics Process
Legal: balance the need to investigate vs. privacy rights
Identification of potential digital evidence
Where might the evidence be?
Which devices did the suspect use?
Preservation and copying of evidence
On the scene…
First, stabilize evidence…prevent loss and contamination
If possible, make identical copies of evidence for examination
Copies can be made on the spot, or more usually, in the lab
Careful examination of evidence
File recovery / File carving
Keyword searches
Generation of timelines
Examination of the registry
…
Presentation of results
21. On the Scene Preservation
22. Careful Documentation is Crucial
23. Preservation: Imaging
When making copies of media to be investigated, you must prevent accidental modification or destruction of the evidence!
Write blockers: a good plan (hardware write blockers in particular; simply attaching a drive to a running OS without one can alter it, e.g. through automount or journal replay)
Tools for imaging:
dd under Linux
DOS boot floppies
Proprietary imaging solutions
Be sure your imaging / write blocker solution does what it’s supposed to: test it on known media, and hash the source and the image so you can prove the copy is bit-for-bit identical
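As an added example (not from the slides, not a tool of the author's), the following Python imager reproduces the semantics of `dd conv=noerror,sync` that the "dd under Linux" bullet relies on, and records the acquisition hash that the "does what it's supposed to" bullet asks for. `FlakyDevice` is a constructed stand-in for a drive with an unreadable sector; on a real system `src` would be a block device opened read-only behind a write blocker.

```python
"""Added example: sector-by-sector imaging with dd conv=noerror,sync
semantics, plus acquisition / verification hashing. FlakyDevice is a
constructed test double, not a real device driver."""
import hashlib
import io

SECTOR = 512


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a failing drive: raises OSError (as read(2)
    does with EIO) whenever a read starts inside one of `bad_sectors`."""

    def __init__(self, data, bad_sectors=(), sector_size=SECTOR):
        super().__init__(data)
        self.bad = set(bad_sectors)
        self.sector_size = sector_size

    def read(self, size=-1):
        if self.tell() // self.sector_size in self.bad:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_device(src, dst, sector_size=SECTOR):
    """Copy src to dst one sector at a time.

    An unreadable sector is written as zeros and skipped, so every later byte
    keeps its original offset (this is what conv=noerror,sync does). Plain
    `dd` aborts on the error, and conv=noerror without sync drops the sector
    and shifts everything after it, breaking every filesystem offset.
    Returns (sha256 of the image as written, list of unreadable sectors).
    """
    h = hashlib.sha256()
    bad = []
    n = 0                                        # invariant: src is at n * sector_size
    while True:
        try:
            chunk = src.read(sector_size)
        except OSError:
            bad.append(n)
            src.seek((n + 1) * sector_size)      # step past the bad sector
            chunk = b"\x00" * sector_size
        if not chunk:
            break
        if len(chunk) < sector_size:             # short final read: pad, like sync
            chunk = chunk.ljust(sector_size, b"\x00")
        dst.write(chunk)
        h.update(chunk)
        n += 1
    return h.hexdigest(), bad


def sha256_of(f, chunk_size=1 << 20):
    """Hash a file-like object from its current position (the 'device hash')."""
    h = hashlib.sha256()
    for block in iter(lambda: f.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_image(image_bytes, acquisition_hash):
    """Verification hash over the stored image must equal the acquisition
    hash recorded during the copy; on healthy media behind a write blocker
    both also equal the hash of the device itself."""
    return hashlib.sha256(image_bytes).hexdigest() == acquisition_hash


def demo():
    data = bytes(range(256)) * 16                # constructed 8-sector "device"
    device_hash = sha256_of(io.BytesIO(data))
    img1 = io.BytesIO()
    digest1, _ = image_device(FlakyDevice(data), img1)
    img2 = io.BytesIO()
    digest2, bad2 = image_device(FlakyDevice(data, bad_sectors=[3]), img2)
    img3 = io.BytesIO()
    image_device(FlakyDevice(b"x" * 1000), img3)  # device not a sector multiple
    out2 = img2.getvalue()
    return {
        "clean_matches_device": digest1 == device_hash,
        "clean_verified": verify_image(img1.getvalue(), digest1),
        "flaky_bad_sectors": bad2,
        "flaky_image_len": len(out2),
        "flaky_sector3_zeroed": out2[3 * SECTOR:4 * SECTOR] == bytes(SECTOR),
        "flaky_rest_intact": out2[4 * SECTOR:] == data[4 * SECTOR:],
        "flaky_verified": verify_image(out2, digest2),
        "flaky_equals_clean": digest2 == digest1,
        "short_padded_len": len(img3.getvalue()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The flaky run shows why the bad-sector list is part of the acquisition notes: the image hash is reproducible from the image file, but it can never match the device hash, so an examiner must be able to explain the discrepancy.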
24. Where’s the Evidence?
Undeleted files + metadata
Deleted files
Windows registry
e.g., USB device histories
e.g., recently accessed files, URLs
Print spool files
Hibernation files
Temp files (all those .TMP files!)
Slack space
Swap files
Browser caches
Alternate partitions
On a variety of removable media
25. Browsing History
28. PDF Redaction?
29. University of New Orleans
Golden G. Richard III, Ph.D.
Microsoft Office Word
Dear Sir,To whom it may concern,
I’m writing to apologize for my rude behavior on the night of August 15, 2002, when I attended your party and ate every single piece of tuna sushi. Your daughter is pretty cute.
I can’t t freaking believe I’m writing this crap.
I’m writing to apologize for my rude behavior on the night of August 15, 2002, when I attended your party and ate every single piece of tuna sushi.Your daughter is pretty cute.
I hope we can put this episode behind us.Thanks.
31. Windows Recycle Bin
Indirect file deletion facility
Mimics functionality of a trashcan
Place “garbage” into the can
You can change your mind about the “garbage” and remove it, until…
…trash is emptied, then it’s “gone”
Files are moved into a special directory
Deleted only when user empties
32. Windows Recycle Bin: Closer Look
In Win2K/XP, \RECYCLER on each volume, with one subdirectory per user SID (Vista and later use \$Recycle.Bin with $I/$R file pairs instead of INFO2)
In 95/98, \RECYCLED
On dragging a file to the recycle bin:
File entry deleted from its original directory
File entry created in the recycle bin directory, renamed to D<drive letter><index>.<original extension> (e.g. Dc1.doc); the file’s data blocks are not touched
Data added to the INFO/INFO2 file in the recycle bin
INFO file contains critical info, including deletion time
Presence of deletion info in the INFO file generally indicates that the file was intentionally deleted
33. INFO file: Closer Look
INFO file is binary, but the format is documented
For each file in the recycle bin, contains:
Original pathname of the file (an ANSI copy, plus a Unicode copy on Win2K/XP)
Time and date of file deletion (a FILETIME, in UTC)
New pathname in the recycle bin (derived from the drive number and index stored in the record)
Index in the recycle bin
Can be used to establish the order in which files were deleted
Restoring a file or emptying the bin does not remove its record: Windows only zeroes the first byte of the ANSI path, so the entry (and the Unicode path) remains readable
What non-technical users don’t understand is that the recycle bin is more like an audit log of deletion activity than a mechanism for securely removing information
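An added example (my code, not the author's or any published tool): a parser for the Win2K/XP INFO2 index following the documented record layout (20-byte header; 800-byte records holding a 260-byte ANSI path, the index and drive number, a FILETIME, the size, and a 520-byte UTF-16LE path; 280-byte records without the Unicode copy on 95/98). The sample INFO2 is built inline by `build_info2`, and every path, time and size in it is made up.

```python
"""Added example: parse a Win2K/XP Recycle Bin INFO2 index and recover the
deletion timeline, including records of files already restored or purged.
The SAMPLE data is constructed here, not taken from a real system."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20
REC_SIZE_XP = 800      # Win2K/XP: ANSI + Unicode path
REC_SIZE_9X = 280      # Win95/98 INFO: ANSI path only
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per record, oldest record first as stored on disk."""
    version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size not in (REC_SIZE_XP, REC_SIZE_9X):
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    out = []
    off = HEADER_LEN
    while off + rec_size <= len(data):
        rec = data[off:off + rec_size]
        off += rec_size
        ansi = rec[:260]
        index, drive = struct.unpack_from("<II", rec, 260)
        ft, size = struct.unpack_from("<QI", rec, 268)
        # Windows zeroes only the first ANSI byte when the file leaves the bin.
        removed = ansi[0] == 0
        start = 1 if removed else 0
        ansi_path = ansi[start:].split(b"\x00", 1)[0].decode("cp1252", "replace")
        uni_path = None
        if rec_size == REC_SIZE_XP:
            uni_path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        # Prefer the intact Unicode name; the ANSI tail lacks its first character.
        path = uni_path or (("?" + ansi_path) if removed else ansi_path)
        letter = chr(ord("a") + drive)
        out.append({
            "version": version,
            "index": index,
            "drive": letter.upper() + ":",
            "original_path": path,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "bin_name": f"D{letter}{index}{ntpath.splitext(path)[1]}",
            "removed_from_bin": removed,
        })
    return out


def deletion_order(records):
    """Original paths in the order the user deleted them."""
    ordered = sorted(records, key=lambda r: (r["deleted_at"], r["index"]))
    return [r["original_path"] for r in ordered]


# --- constructed sample (not a real INFO2 file) ---------------------------

def build_record(path, index, drive, deleted_at, size, removed=False):
    rec = bytearray(REC_SIZE_XP)
    a = path.encode("cp1252")[:259]
    rec[:len(a)] = a
    struct.pack_into("<II", rec, 260, index, drive)
    struct.pack_into("<QI", rec, 268, datetime_to_filetime(deleted_at), size)
    u = path.encode("utf-16-le")[:518]
    rec[280:280 + len(u)] = u
    if removed:
        rec[0] = 0          # what Windows does on restore / empty
    return bytes(rec)


def build_info2(records):
    # version 5; the three other header fields are not used by this parser
    return struct.pack("<5I", 5, 0, 0, REC_SIZE_XP, 0) + b"".join(records)


SAMPLE = build_info2([
    build_record(r"C:\Documents and Settings\joe\My Documents\budget.xls", 1, 2,
                 datetime(2007, 3, 15, 14, 30, 0, tzinfo=timezone.utc), 20480),
    build_record(r"D:\photos\IMG_0042.jpg", 2, 3,
                 datetime(2007, 3, 15, 14, 31, 12, tzinfo=timezone.utc), 1048576),
    build_record(r"C:\temp\letter.doc", 3, 2,
                 datetime(2007, 3, 15, 14, 35, 5, tzinfo=timezone.utc), 24576,
                 removed=True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE):
        flag = " (restored or purged)" if r["removed_from_bin"] else ""
        print(r["deleted_at"].isoformat(), r["bin_name"], r["original_path"] + flag)
```

Note the third record: the file is no longer in the bin, yet the parser still names it, dates its deletion and tells you it was removed, which is exactly the "audit log" property the slide describes.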
34. Windows Print Spool Files
*.spl, *.shd files
.shd file contains information about the file being printed
.spl file contains info to render the contents of the file to be printed
.shd files have evidentiary value similar to shortcut (.lnk) files…
…shows knowledge of existence of files and a deliberate attempt to access (print) the contents of the file
Can often be recovered even if original document is gone!
35. Windows Registry
Lots of information, difficult to “clean”
Users either don’t know how or don’t know what can be safely removed
Usernames
Internet history
Program installation information
Recently accessed files
USB device history
Both user-specific and system-wide info
BUT: Very tricky
Lots of redundant information
Don’t just “dive in” and jump to wild conclusions!
44. Swap File Snippets
45. Swap File Snippets (2)
46. Slack Space (Simplified View)
Slack space: the unused bytes between the end of a file’s data and the end of its last allocated cluster; they still hold whatever was written there before
47. Data Hiding: Stego
48. Same Image w/ Hidden Data
49. Hidden Image
51. File Carving
Deep data recovery mechanism
Goal: recover files or file fragments when file metadata (or entire filesystem structures) are destroyed
Specify headers, footers, and other characteristics of file formats
Search for these characteristics on raw disk image
Attempt to identify start/stop locations of file fragments
Carve (copy) data into regular files
Success rate depends on file type, sophistication of file carving tool
Ours: Scalpel (www.digitalforensicssolutions.com/Scalpel)
52. Simple Header/Footer-based Carving
JPEG
Header: ffd8ffe00010 (the JFIF form; Exif JPEGs start with ffd8ffe1, so a production spec lists both variants)
Footer: ffd9
FFD8FFE000104A464946000102010048
00480000FFE11B344578696600004D4D
002A00000008000A010F
…
…
F2B54840253BA4AA67F932C6EE14C445
5991B9E2C18FC66BAED9919934BCC4A1
3AB86CE14B7FFFD9
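As an added example (my code, not Scalpel's), here is the header/footer loop the slide describes, written as a small carver that runs over a raw image: find each header, take bytes up to the first footer within a maximum size, and flag carves whose footer is missing. The spec table, the 4 KiB "disk image" and the blobs planted in it are constructed inline; the same loop, with a text pattern in place of the JPEG header, is what the RAM-carving slide later in the deck relies on.

```python
"""Added example: a minimal Scalpel/Foremost-style header/footer carver.
SPECS, the sample image and its planted blobs are constructed here."""
import os
import re

# (type, header, footer, max_size). footer=None means "take max_size bytes".
# The slide's header ffd8ffe00010 is the 6-byte JFIF form; 4 bytes suffice
# here, and the Exif variant is listed too so Exif JPEGs are not missed.
SPECS = [
    ("jpg", b"\xff\xd8\xff\xe0", b"\xff\xd9", 200_000),   # JFIF
    ("jpg", b"\xff\xd8\xff\xe1", b"\xff\xd9", 200_000),   # Exif
    ("pdf", b"%PDF-", b"%%EOF", 5_000_000),
]


def carve(image, specs=SPECS, align=0):
    """Return carved fragments sorted by offset.

    For each header hit, keep bytes up to and including the first footer that
    appears within max_size; if none appears, keep max_size bytes (or the
    rest of the image) and mark the carve complete=False. align=N accepts
    headers only at N-byte boundaries, since intact files start at a sector
    or cluster boundary; it cuts false positives and runtime.
    """
    found = []
    for ftype, header, footer, max_size in specs:
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            if align and start % align:
                continue
            window = image[start:start + max_size]
            if footer is None:
                end, complete = len(window), True
            else:
                idx = window.find(footer, len(header))
                if idx >= 0:
                    end, complete = idx + len(footer), True
                else:
                    end, complete = len(window), False
            found.append({"type": ftype, "offset": start, "length": end,
                          "complete": complete, "data": window[:end]})
    found.sort(key=lambda f: f["offset"])
    return found


def write_carved(found, outdir):
    """Write each carve as <offset>.<type>, marking incomplete ones."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for f in found:
        suffix = "" if f["complete"] else ".partial"
        name = f"{f['offset']:08x}{suffix}.{f['type']}"
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(f["data"])
        names.append(name)
    return names


def build_sample_image():
    """Constructed 4 KiB 'disk image': filler that never contains 0xff, with
    three JPEG-like blobs and one PDF-like blob planted at known offsets.
    The blob at 3000 has had its footer overwritten (unaligned, too)."""
    img = bytearray(i % 251 for i in range(4096))
    blobs = {
        512:  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"A" * 300 + b"\xff\xd9",
        1100: b"\xff\xd8\xff\xe1\x1b\x34Exif\x00\x00" + b"B" * 200 + b"\xff\xd9",
        2048: b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF",
        3000: b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"C" * 50,
    }
    for off, blob in blobs.items():
        img[off:off + len(blob)] = blob
    return bytes(img), blobs


if __name__ == "__main__":
    image, _ = build_sample_image()
    for f in carve(image):
        print(f"{f['offset']:8d} {f['type']} {f['length']:6d} complete={f['complete']}")
```

Two limits worth knowing before trusting the output: a header match inside another file (an Exif thumbnail embedded in a larger JPEG, say) produces an extra, nested carve, and a fragmented file will be cut at the first footer found, which may belong to a different file. That is the "success rate depends on file type and tool sophistication" caveat in the slide.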
53. File Carving: High Level
54. Current Generation DF: Too Slow
55. Too Slow: Symptoms
Machines tied up for days doing preprocessing
Painful to “think outside the box” (i.e., outside the index) during investigation
Getting an answer to even a simple question
“Does this credit card number appear anywhere?”
“Did Joe Smith send an email to Cassandra Wilson?”
…takes a long time
Current tools are not sophisticated enough, either in processing or in user interfaces
56. Faster: Distributed Digital Forensics
57. A Few Preliminary Results
Target:
Dell Optiplex GX1 w/ 6.4GB IDE drive
NTFS, ~110,000 files in ~7,800 directories
Imaged using dd w/ a Linux boot disk
Machine used for “traditional” investigation:
3GHz P4, 2GB RAM, 2 x 73GB 15Krpm Ultra320 SCSI
FTK v1.43a
58. Results (2)
Live string search:
typical first/last name
Regular expression search:
v[a-z]*i[a-z]*a[a-z]*g[a-z]*r[a-z]*a
59. A Different Experiment
Stego detection using Stegdetect 0.5 under Red Hat Linux on the cluster
Traditional:
6GB image mounted using loopback device
find /mnt/loop -exec ./stegdetect '{}' \;
790 seconds == 13:10 minutes
Using the distributed framework
Stegdetect 0.5 code incorporated into framework
Detection against cached files
“STEGO” command (after IMAGE/CACHE)
82 seconds == 1:22 minutes
9.6X faster with 8 machines
CPU bound operation
62. Where Else?
In RAM (live forensics analysis)
Analysis on the box (while live)
Analysis of memory dumps
List-walking approaches (follow the kernel’s own data structures, e.g. the process list)
Carving approaches (pattern-search the dump for structures and data, with no reliance on kernel bookkeeping)
Hybrid approaches
Lots of potential complications
“In” the network (Network forensics)
Important, but trimmed from this talk
63. Expanding Scope: Live Forensics
Running processes
open DLLs
registry
file handles
Open files
Network connections
Memory
Regular disk files
Images of entire disk
Live disk imaging
Deleted files
Live file carving
64. Live Forensics: RAM Carving
Can construct patterns and apply file carving techniques to discover fragments of application data hours or days old in memory dumps
Process dump of MSN Messenger yields chat message fragments:
Content-Type: text/plain; charset=UTF-8
X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0
Are you coming down for Mardi Gras this year? I’m dressing up as Peter Frampton. Do you feeeeel…
65. Live Forensics: Dump of pgptray
69. Some Bad News for Live Forensics
A potential minefield
Memory covering attacks
What you get isn’t what’s really there
Shadow Walker
Split TLB de-synchronization attack
Joanna Rutkowska’s hardware poisoning work (defeating hardware-based RAM acquisition by remapping physical memory in the northbridge)
Disrupt both software- and hardware-based approaches to memory acquisition
SMM attacks
Other malware that pollutes the kernel
Most tools simply assume none of this stuff is happening
The biggest problem with these attacks is that they weaken your set of basic assumptions
70. One Invasive, Ice Cold Solution
71. Persistence of (Post-Reboot!) Memory
Many systems retain at least some data after a warm reboot, reset, or even cold reboot
Highly dependent on model and BIOS settings
Potentially useful as a “last resort” for obtaining live forensics data, assuming computer model is known to have post-reboot persistent memory
72. Remanence at Room Temp
73. Final Thoughts
Much more data is recoverable from digital devices than most people think
Tremendous enabler for civil and criminal litigation, fraud examination, and more
Huge privacy implications
Average users cannot predict what digital information is recoverable on their devices
Computers, cell phones, digital copiers, voice recorders, PDAs, GPS devices, …
74. Thanks, Questions?