OWASP AppSec Washington DC 2009 • Digital Forensics: Worry about data loss • Motashim Al Razi • OWASP member • alrazimotashim@gmail.com
What is Digital Forensics? • Branch of forensic science that applies the scientific method to digital evidence • The preservation, recovery, analysis and reporting of digital artifacts, including information stored on: • Computer/laptop systems (hard drives) • Storage media (USB drives, CDs, DVDs, cameras, etc.) • Mobile phones • Electronic documents • Typically used reactively, but moving toward proactive use • Reactive: court cases, incident response • Proactive: mobile app security audits, continuous forensic monitoring
Storage Devices • There are 3 main types of storage devices in use today: • Hard-disk drive (HDD) – spinning magnetic platters that store non-volatile data • Solid-state drive (SSD) – flash memory chips behind a controller that store non-volatile data • NAND flash memory • Typically found in smart phones, USB thumb drives and other portable devices • Usually soldered in, not removable like a typical HDD or SSD • Characteristics very different from a standard HDD (each block survives only a limited number of write/erase cycles) • In a constant state of change: the flash translation layer (FTL) remaps, copies and erases blocks on its own, so the physical contents can differ from one read to the next
Acquisition strategies • Forensic analysts can acquire or receive data in 3 different ways • Backup files • Provided by the “custodian”: output of corporate backup software, PST files, iTunes backups, etc. • Logical acquisition • A copy of the file system is created (e.g. a tar.gz of / or a recursive copy that preserves dates/times) • Captures only allocated files, so unallocated space and deleted data are not included • Physical acquisition • Creates an exact bit-for-bit replica of the storage medium • Can recover deleted data from unallocated space • Requires specialized analysis tools and techniques • Drive management firmware may still affect what is acquired (FTL, bad-block remapping, etc.)
Image Verification • Hash value – a fixed-length digest computed over a set of data, conventionally written in hex • A hash value is used to verify forensic image integrity: changing a single bit of the source produces a completely different hash (the “avalanche” effect) • If the hash of the image matches the hash of the source, the two are identical for all practical purposes; any mismatch proves they differ • In some instances hash values are not stable (NAND flash): a hash of the data as it is extracted is recorded, but it will not necessarily match if the source is imaged again • Common hash functions • MD5 (128-bit value) • SHA-256 (256-bit value) • MD5 collisions have been practical since 2004, so record SHA-256 (alone or alongside MD5) rather than relying on MD5 alone • md5 of “Andrew Hoog” = 9bdbad9aecd74fce6e6bb48ee18100b8
How to acquire a forensic image • If possible, connect the drive through a hardware write blocker • This prevents any writes to the drive • Software write-blocking techniques exist but are not as reliable • Generally impossible with NAND flash devices, since the controller writes to the chips on its own • Forensically acquire the device with imaging software • Open source: dd, dcfldd and dc3dd • Free: FTK Imager and many others • Commercial: FTK, EnCase, etc. • Hash the source and the image, verify that the values match, and record both in the chain of custody
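An added example that ties the verification and acquisition slides above together. This is the editor's script, not code from the slides, from the speaker, or from any of the tools named on them; it is a POSIX shell wrapper around the dd utility that hashes the source, images it, hashes the image, and appends a chain-of-custody record. Every path is a placeholder, the EXAMINER variable and the function names are assumptions, and the 2048-byte source file at the bottom is constructed for the walk-through; on a real case the source would be a block device behind a hardware write blocker.

```sh
#!/bin/sh
# Added example (not from the original slides): acquire a raw image with
# dd, hash both sides, and record the result in a chain-of-custody log.
# Paths are placeholders; on a real case SOURCE is a block device such as
# /dev/sdb behind a write blocker and IMAGE sits on examiner-owned storage.

# Hex digest helpers. GNU coreutils names are tried first; the shasum and
# md5 fallbacks cover BSD and macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# acquire_image SOURCE IMAGE LOG [BLOCKSIZE]
# Copies SOURCE bit for bit into IMAGE, hashes both, appends one record to
# the chain-of-custody LOG, and returns 0 only if the hashes match.
acquire_image() {
    src=$1; img=$2; log=$3; bs=${4:-512}

    # Hash the source first so the record shows what the medium looked
    # like before the copy began.
    src_md5=$(md5_of "$src") || return 1
    src_sha=$(sha256_of "$src") || return 1

    # conv=noerror,sync: keep going past unreadable blocks instead of
    # aborting, and pad each one with zeros so every later offset in the
    # image still lines up with the source. Keep bs equal to the sector
    # size (512 by default): with a larger bs, sync also pads the final
    # short block and the image can never hash equal to its source.
    # dd's own record counts go to a sidecar file as part of the evidence.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.ddlog" || return 1

    # dd with noerror exits 0 even after read errors; the comparison below
    # is what actually catches a damaged or padded copy.
    img_md5=$(md5_of "$img")
    img_sha=$(sha256_of "$img")

    if [ "$src_sha" = "$img_sha" ] && [ "$src_md5" = "$img_md5" ]; then
        result=VERIFIED
    else
        result=MISMATCH
    fi

    # One append-only line per acquisition: when, who, what, both digests
    # of both sides, and the verdict. EXAMINER is an assumed variable.
    printf '%s\t%s\t%s\t%s\tmd5=%s/%s\tsha256=%s/%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${EXAMINER:-unknown}" \
        "$src" "$img" "$src_md5" "$img_md5" "$src_sha" "$img_sha" \
        "$result" >> "$log"

    [ "$result" = VERIFIED ]
}

# Constructed walk-through input: 2048 bytes standing in for a four-sector
# device, so the script runs end to end with no hardware attached.
demo=$(mktemp -d)
yes "constructed sample sector data" | head -c 2048 > "$demo/suspect.bin"
EXAMINER=examiner1
if acquire_image "$demo/suspect.bin" "$demo/suspect.dd" "$demo/custody.log"; then
    echo "image verified"
else
    echo "hash mismatch, do not proceed" >&2
fi
cat "$demo/custody.log"
rm -rf "$demo"
```

The default block size of 512 is deliberate: with conv=sync, dd pads the last short block up to bs, so a larger bs on a device whose size is not a multiple of it produces an image that never matches the source hash, and the log line will say MISMATCH. dcfldd and dc3dd exist precisely to fold the hashing into the same pass as the copy and to report bad sectors; this wrapper shows what they are doing for you.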
Digital evidence • What constitutes digital evidence? • Any information, whether or not it has been subject to human intervention, that can be extracted from a computer • Must be in human-readable form or capable of being interpreted by a person with expertise in the subject • Computer forensics examples • Recovering thousands of deleted emails • Investigating a system after an employee’s termination • Recovering evidence after a hard drive has been formatted • Investigating a system after multiple users have taken it over
Reasons For Evidence • Wide range of computer crimes and misuses • Non-business environment: evidence collected by federal, state and local authorities for crimes relating to: • Theft of trade secrets • Fraud • Extortion • Industrial espionage • Possession of pornography • Spam investigations • Virus/Trojan distribution • Homicide investigations • Intellectual property breaches • Unauthorized use of personal information • Forgery • Perjury
Reasons For Evidence (cont) • Business environment: computer-related crimes and violations include: • Theft or destruction of intellectual property • Unauthorized activity • Tracking internet browsing habits • Reconstructing events • Inferring intentions • Selling company bandwidth • Wrongful dismissal claims • Sexual harassment • Software piracy
Who Uses Computer Forensics? • Criminal prosecutors • Rely on evidence obtained from a computer to prosecute suspects • Civil litigants • Personal and business data discovered on a computer can be used in fraud, divorce, harassment or discrimination cases • Insurance companies and the banking sector • Evidence discovered on a computer can be used to reduce costs (fraud, worker’s compensation, arson, etc.) • When an entity is compromised and cardholder data (CHD) has been stolen, the entity must be investigated by a forensic company approved by the card brands (commonly referred to as a QIRA or QFI) • Private corporations • Evidence obtained from employee computers can be used in harassment, fraud and embezzlement cases • Law enforcement officials • Rely on computer forensics to support search warrants and post-seizure handling • Individuals/private citizens • Obtain the services of professional computer forensic specialists to support claims of harassment, abuse or wrongful termination of employment
Case Study • Banking Industry Executive-Level Financial Fraud • Case Study – Digital Forensics • Case Type – Internal Corporate Fraud • Environment – Complex Multi-Location Network and Desktop Computer Forensics • Industry – Banking
Scenario: A large accounting firm was hired to audit certain activities related to loans made to individuals on the Board of Directors of a medium-size, publicly traded bank (the “Bank”). During the audit, the auditors needed to examine several computer systems used by certain Bank employees as well as by certain Board Members. Digital forensic examiners were immediately dispatched to arrange for the forensic analysis of the computer systems and to search for corroborating evidence in support of the audit team’s suspicions and findings. The systems the examiners forensically analyzed included laptop computers issued to managers in the loan origination department and desktop systems used by managers and Board Members. Email (Exchange) servers as well as voicemail systems were also examined.
Existing law for digital forensics in Bangladesh • Specific provisions exist in the ICT Act, 2006 • Chapter 8, Part 2 • Section 68: Cyber Tribunal – establishment, criminal investigation, trial, appeal, etc. • Part 3, Section 82: Cyber Appeal Tribunal
International Guidelines • National Institute of Standards and Technology – NIST (US) • Association of Chief Police Officers – ACPO (UK) • Digital forensics is a major part of IS auditing