UTD CSG Module 0x01: Forensics

Kevin ‘Hexstr Morgan’ Dickinson, Josh ‘HoboBeard’ Hammond, Christ ‘PossibleSloth’ Walz

  1. UTD CSG Module 0x01: Forensics
  Kevin ‘Hexstr Morgan’ Dickinson, Josh ‘HoboBeard’ Hammond, Christ ‘PossibleSloth’ Walz

  2. Week 0x01: Intro
  • What it be
  • How it’s used
  • Concepts and terminology
  • Demonstration: Acquiring evidence
  • File system basics
  • Popular tools
  • Demonstration: EnCase 6 and FTK 4 overview
  • Important resources

  3. Week 0x02: In-Depth
  • File carving and data recovery
  • Application artifacts
    • Web browsers, Dropbox
  • Windows forensics
    • Registry, prefetch, hiberfil/pagefile, VSS, LNK files, USB activity, shellbags, thumbs.db
  • Mobile forensics
    • SQLite DBs, user dictionary, vulnerabilities

  4. Week 0x02: In-Depth
  • Investigative techniques
    • Activity timeline, keyword searches, hash matching, skin tone analysis
  • Physical memory
    • Encryption keys, system activity (processes, network connections), etc.
  • Anti-forensics
    • Encryption, steganography, timestamp manipulation
  • Anti-anti-forensics
    • Breaking encryption, password cracking, timestamp manipulation detection

  5. Week 0x03: Examination

  6. Week 0x01: Intro

  7. Intro: What is computer forensics?
  • “(…) a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime”
  • Defensibility is key – best practices, documentation, etc.
  • Largely community driven, lots of research and hard work by many smart people
  • Described as both “an art and a science” – SANS Institute

  8. Intro
  • Law enforcement
    • Criminal investigations (murder, fraud, etc.)
  • Litigation
    • Civil lawsuits
    • IP theft, subpoenas
  • Corporate
    • Internal investigations
    • Incident response (network intrusions)

  9. Intro: How is it relevant?
  • We store an incredible, increasing amount of data on our day-to-day devices
  • Examples
    • Sued after being involved in a car accident - texting and driving?
    • Employee leaves company, suspected of copying off sensitive documents on last day of work
    • Corporate network gets compromised - what sensitive resources might have been accessed, by whom?
    • Person accused of “unlawful access to a computer resource”, warrant issued, digital devices seized for analysis
    • General purpose creepin’

  10. Intro: Challenges
  • Requires a broad knowledge base, many different skills, highly detail oriented
  • Fast paced, constantly changing – new artifacts and roadblocks all the time
    • New releases every few weeks/months – OSes, applications, hardware (e.g. phones)
    • Commercial products are often slow to respond to changes (e.g. ReFS)
  • Reversing, writing new code, testing, testing, testing…
  • Server-side (cloud) computing – physically inaccessible, complex topologies
  • Skills and specialities
    • Reverse engineering
    • Incident response
    • Memory analysis

  11. Terminology: What it means to be ‘forensically sound’
  • Difficult to define as it is situational and discretionary
  • Ideally speaking, an exact 1:1 unaltered representation of an original data source
  • Physical data – bitstream representation of a device’s entire contents (including unallocated space)
    • e.g. /dev/sda or \\.\PhysicalDrive0
    • Considered the most ‘forensically sound’ but not always possible
  • Logical data – a specific ‘logical’ subset of data such as a partition or volume
    • e.g. /dev/sda1 or \Device\Harddisk0\Partition0

  12. Terminology: Metadata
  • Conceptually broad – basically ‘data about data’
  • Used in file systems to provide file info independently of files
    • MAC (Modified/Accessed/Created times), ownership info, etc.
  • Various file formats use specific metadata
    • OLE – MS Office
    • ID3v1/2 – Audio
    • EXIF data – Images
  • Used to convict the BTK Killer

  13. Disk Concepts
  • Sector
    • Smallest physically addressable unit on a storage device (LBA)
    • 512 bytes most common, 4K becoming popular
  • Block
    • See above (they are essentially the same thing)
  • Cluster
    • NTFS-specific term for a group of sectors
    • Smallest logically addressable unit on a storage device
    • Known as block group in EXT2/3/4, allocation blocks in HFS(+)
    • 4096 bytes default in NTFS, HFS+, EXT3/4 (8 contiguous 512B sectors)
    • Important concept as it relates to data carving

  14. Disk Concepts

  15. Disk Concepts
  • Unallocated space
    • VERY important - basis for much of forensics
    • Areas of a storage device not currently assigned to file(s) by the file system
    • Likely contains unspeakable things you thought were gone
    • Captured during physical imaging (but not logical)
  • Slack space
    • Leftover space between the end of a data stream and the end of a cluster

  16. Disk Concepts
  • Slack space (continued)
    • Can be used to hide data on disk (not well)
    • Popular capable forensic suites will look for this
    • “FUN FACT”: Microsoft used to ‘fill in’ space on disk between the end of a file and end of a cluster by writing random areas from memory – REALLY BAD, THIS IS SO BAD
  • Hidden areas
    • Host Protected Area (ATA-4) – ‘SET MAX ADDRESS’ ATA command
    • Device Configuration Overlay (ATA-6) – adjusts number of sectors visible to the machine at a low level

  17. Cryptographic Hashes
  • Hashes
    • Described as a (mostly) unique ‘digital fingerprint’
    • Important basis for much of forensics
    • One-way function
    • Used to uniquely match individual files, evaluate integrity of evidence (disk images), etc.
    • MD5/SHA1/SHA256 - most common
    • hexstr@here /#: md5sum -b /tmp/disk0.001

  18. Cryptographic Hashes: Hash Sets
  • Lists of known hashes for system files, popular programs, etc.
  • Similar to a rainbow table – reverse lookup
  • Largest repository maintained by NIST (http://www.nsrl.nist.gov/Downloads.htm)
  • Extremely useful for filtering out irrelevant data or quickly identifying known files
  • Law enforcement agencies will use privately maintained hash sets for easily identifying contraband files (e.g. child pornography)

  19. Forensic Imaging: Imaging
  • Duplicating some data source (e.g. hard disk, memory, etc.) for post-mortem review, almost always the first step in an investigation
  • Critical to utilize writeblocking to prevent changes to evidence
  • Used to be disk-to-disk (cloning) - many issues with this (sterility)
  • Resulting evidence image often encapsulated as a binary file
    • Two popular formats - .001 (DD style) or .E01 (EnCase)
    • DD output is a raw binary file
    • E01 has internal checksums, self-validating, compressible

  20. Forensic Imaging: Writeblocking
  • Maintains integrity of a data source by preventing changes to source media
  • Absolutely critical as a best practice
  • Numerous hardware and software based methods available
  • Not always possible (live servers, encryption, etc.)

  21. Forensic Imaging
  • Hardware writeblockers
    • Tableau TD1/2/3 (duplicator)
    • SATA, IDE, USB, 1394, SCSI, etc.
    • Cache (simulate) disk writes or simply ignore write requests to device
  • Software writeblockers
    • Linux Live CDs (Helix, Backtrack, etc.)
    • Prevent drives from mounting, no disk integrity checks
    • USB via Windows Registry (http://www.gaijin.at/en/dlusbwp.php)

  22. Forensic Imaging: Software Imagers
  • AccessData FTK Imager – Windows, OSX, Linux (http://www.accessdata.com/support/product-downloads)
  • DD, DCFLDD, DDRescue…
  • What is an image
    • hexstr@here /#: dd if=/dev/sda of=/tmp/disk0.001 bs=512
  • What is not an image
    • Symantec Ghost (alters timestamps)
  • Other uses
    • General purpose backups – mount, restore, etc.
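The dd command on this slide and the md5sum verification on slide 17, as an added example that is not part of the original deck: a DD-style raw acquisition that hashes the stream while it copies, so the resulting .001 image can be checked against the source hashes. The "device" is a constructed byte buffer; in real use `src` would be the block device opened read-only behind a write blocker.

```python
import hashlib
import io

# Added example (not from the slides): a dd-style raw acquisition that hashes the
# stream while copying, so the image can be verified against the source hashes.
# In real use src would be open("/dev/sda", "rb") behind a write blocker; here the
# "device" is a constructed io.BytesIO so the example runs offline.

def acquire_raw_image(src, dst, bs=512):
    """Copy src to dst in bs-byte blocks (bs=512 as in the dd command on the slide).
    Returns the byte count plus MD5 and SHA-256 of everything written."""
    md5, sha256, copied = hashlib.md5(), hashlib.sha256(), 0
    while True:
        block = src.read(bs)
        if not block:
            break
        dst.write(block)           # raw bytes, unchanged: a .001 / DD-style image
        md5.update(block)
        sha256.update(block)
        copied += len(block)
    return {"bytes": copied, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_image(image, expected, bs=512):
    """Re-hash an image (file object) and compare with the acquisition record."""
    image.seek(0)
    got = acquire_raw_image(image, io.BytesIO(), bs)   # hash pass only; copy discarded
    return (got["bytes"] == expected["bytes"] and got["md5"] == expected["md5"]
            and got["sha256"] == expected["sha256"])

def make_stream(data):
    """Wrap constructed bytes as a file-like 'device' or output image."""
    return io.BytesIO(data)

# Constructed two-sector "device": a FAT-like boot sector plus one sector of 0xFF.
DEVICE_BYTES = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 501 + b"\xff" * 512

def demo():
    """Image the constructed device, then verify the image against the record."""
    image = make_stream(b"")
    record = acquire_raw_image(make_stream(DEVICE_BYTES), image)
    return record, verify_image(image, record)

if __name__ == "__main__":
    record, ok = demo()
    print(record, "verified" if ok else "HASH MISMATCH")
```

Any single changed byte in the image fails verification, which is the property the md5sum step on slide 17 relies on.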

  23. Demo: Acquiring Evidence

  24. File System: FAT
  • Two copies of FAT stored for redundancy
  • Divided into equal-sized clusters (previous slide)
  • Simple: files stored as a singly linked list of clusters
  • Table entry marked as one of the following (FAT16 shown):
    • Allocated (value is the next cluster in the chain)
    • End of chain marker (0xFFF8 - 0xFFFF)
    • Unused (0x0000)
    • Bad cluster (0xFFF7)
  • Source: http://www.forensicswiki.org/wiki/FAT#FATs

  25. File System: FAT
  • Directory table
    • Special kind of file
    • Each file/subdir listed as a 32-byte entry
    • Contains name, extension, attribute
    • Last modified time, address of first cluster, size
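The FAT16 entry values from slide 24 and the 32-byte directory entry from slide 25, as an added example that is not part of the original deck: decode a directory entry, walk the file's cluster chain through the table, and compute the slack left in its last cluster (slide 15). The table, the entry and the 4096-byte cluster size are constructed; the field offsets inside the directory entry are the standard FAT layout.

```python
import struct
from datetime import datetime

# Added example (not from the slides): decode a FAT16 table and a 32-byte directory
# entry, follow the cluster chain and compute slack. Entry values follow slide 24;
# directory-entry offsets (attr 11, write time/date 22/24, first cluster 26, size 28)
# are the standard layout. Table, entry and cluster size below are constructed.

CLUSTER_SIZE = 4096   # 8 contiguous 512-byte sectors, the default on slide 13
def fat16_entry_kind(value):
    if value == 0x0000:
        return "unused"
    if value == 0xFFF7:
        return "bad"
    if 0xFFF8 <= value <= 0xFFFF:
        return "end-of-chain"
    return "allocated"            # value is the next cluster in the chain

def follow_chain(fat, first_cluster, max_len=1 << 16):
    """Walk the singly linked cluster list from first_cluster through the FAT."""
    entries = struct.unpack("<%dH" % (len(fat) // 2), fat)
    chain, cur = [], first_cluster
    while len(chain) < max_len:   # bound the walk: a corrupt FAT can loop forever
        chain.append(cur)
        kind = fat16_entry_kind(entries[cur])
        if kind == "end-of-chain":
            return chain
        if kind != "allocated":
            raise ValueError("cluster %d entry is %s" % (cur, kind))
        cur = entries[cur]
    raise ValueError("cluster chain exceeds max_len; FAT is probably corrupt")

def parse_dir_entry(raw):
    """Decode the fields the slide lists from one 32-byte directory entry."""
    name = raw[0:8].decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    wtime, wdate, first, size = struct.unpack("<HHHI", raw[22:32])
    modified = datetime(1980 + (wdate >> 9), (wdate >> 5) & 0xF, wdate & 0x1F,
                        wtime >> 11, (wtime >> 5) & 0x3F, (wtime & 0x1F) * 2)
    return {"name": name + ("." + ext if ext else ""), "attr": raw[11],
            "modified": modified, "first_cluster": first, "size": size}

def file_layout(fat, entry):
    """Cluster chain of a file and the slack left in its last cluster."""
    chain = follow_chain(fat, entry["first_cluster"])
    return chain, len(chain) * CLUSTER_SIZE - entry["size"]

# Constructed FAT16: clusters 0-1 reserved, file chain 3 -> 5 -> 4, 6 bad, 2/7 free.
SAMPLE_FAT = struct.pack("<8H", 0xFFF8, 0xFFFF, 0, 5, 0xFFFF, 4, 0xFFF7, 0)
# Constructed entry: NOTES.TXT, archive attr, 2013-02-14 09:30:10, cluster 3, 9000 B.
SAMPLE_ENTRY = (b"NOTES   TXT" + b"\x20" + b"\x00" * 10 +
                struct.pack("<HHHI", (9 << 11) | (30 << 5) | 5, (33 << 9) | (2 << 5) | 14, 3, 9000))
```

`file_layout(SAMPLE_FAT, parse_dir_entry(SAMPLE_ENTRY))` gives the chain [3, 5, 4] and 3288 bytes of slack in cluster 4, which is the region a carver or hex view would inspect for leftover data.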

  26. File System: EXT
  • Inodes
    • Files associated with an inode number
    • Stores metadata on files and directories
    • Two types of inodes
      • Direct – fixed number, stored in file system portion
      • Indirect – flexible number, stored in data portion
    • Chains like FAT: doubly indirect, triply indirect…
    • Tip: ‘ls -i’ shows inode numbers

  27. File System: EXT

  28. File System: Journaling
  • Keeps track of changes to be made in a circular log
  • On crash, system reads journal and makes changes to regain consistent state
  • All entries are checksummed; if they don’t match - don’t replay

  29. File Carving
  • Basic file carving
    • Typically uses predictable file headers/signatures to independently identify files without the use of other (file system) information
    • Cornerstone of forensics - restore deleted files
    • Generally limited to contiguous clusters, cannot find data fragmented across a disk unless the format is predictable (e.g. SQLite)
  • Advanced file carving
    • Interesting research being done on this
    • Based on very complex statistics to predict likely file chains
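Basic header/footer carving as described on this slide, as an added example that is not part of the original deck: scan a raw buffer for known signatures and cut out everything up to the matching footer, with no help from the file system. The sample "unallocated space" is a constructed byte buffer; the JPEG and PNG signatures are the standard ones. The third hit shows the limitation the slide names: a file whose footer is missing (overwritten or fragmented) is carved up to a size limit and flagged incomplete.

```python
# Added example (not from the slides): header/footer signature carving over a raw
# image buffer. Only contiguous data is recovered; a fragmented file comes out
# wrong, which is the limitation slide 29 describes. The image is constructed.

SIGNATURES = {
    # type: (header, footer, maximum carve size when no footer is found)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 64 * 1024),
}

def carve(image, signatures=SIGNATURES):
    """Return [(offset, type, data, complete)] sorted by offset, for every header."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # No footer within max_size: overwritten tail or fragmented file.
                found.append((pos, ftype, image[pos:pos + max_size], False))
            else:
                found.append((pos, ftype, image[pos:end + len(footer)], True))
            # Resume right after this header (not after the footer) so an embedded
            # file, e.g. a JPEG thumbnail inside a JPEG, is carved on its own too.
            pos = image.find(header, pos + len(header))
    return sorted(found)

def sample_image():
    """Constructed unallocated space: junk, a JPEG, junk, a PNG, junk, a JPEG
    whose footer has been overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    torn = b"\xff\xd8\xff\xe1" + b"T" * 10
    return b"\x00" * 16 + jpg + b"\x55" * 8 + png + b"\xaa" * 4 + torn

if __name__ == "__main__":
    for offset, ftype, data, complete in carve(sample_image()):
        print(offset, ftype, len(data), "complete" if complete else "truncated")
```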

  30. Forensic Suites
  • Guidance Software EnCase
    • Industry standard, highly extensible
  • AccessData Forensic Toolkit (FTK)
  • Cellebrite UFED
  • Open source
    • Scalpel – file carving
    • Volatility – powerful memory analysis

  31. Demo: EnCase 6 and FTK 4

  32. Resources
  • http://www.forensicfocus.com
  • http://www.forensicswiki.org
  • http://computer-forensics.sans.org/blog
  • http://www.appleexaminer.com/
  • http://hexstr-morgan.blogspot.com/
  • http://tech.groups.yahoo.com/group/win4n6/messages
