1 / 122

Forensic Computer Analysis

Forensic Computer Analysis. ISMT350. Overview. Why do we care? Forensic Science Overview Process and Tools Evidence on Networks Advanced Analysis Errors & Uncertainty. Why do we Care?. Determine what happened Determine extent of damage Inform other universities of problems

hila
Download Presentation

Forensic Computer Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Forensic Computer Analysis ISMT350

  2. Overview • Why do we care? • Forensic Science Overview • Process and Tools • Evidence on Networks • Advanced Analysis • Errors & Uncertainty

  3. Why do we Care? • Determine what happened • Determine extent of damage • Inform other universities of problems • Prevention & preparation for future • Mitigate risk & liability • If necessary, apprehend & prosecute =

  4. Forensic Science Overview

  5. Improper Evidence HandlingWhy we need to avoid… • Open to unfair dismissal claims • Vulnerable to false accusations • Researcher accused of hacking • Privacy violation leads to counter suit • Information leakage leads to larger problem • Unresolved incidents create problems • Larger problem goes unrecognized • Develop poor evidence handling skills

  6. Forensic Science Overview • Science applied to the discovery of truth • Locard’s exchange principle • whenever two objects come in contact with each other, they transfer material from one to the other. The Locard exchange produces the trace evidence of interest from fingerprints to mud • Authorization • Locate / identify evidence • Collection, documentation & preservation • everything that you will need in two years • Crime reconstruction (forensic analysis) • when, where, how, what, who, why • reproducible & free from bias/distortion • Report / present

  7. Continuity of Offense (COO) • Seek sources, conduits, and targets • Connect the dots • Corroborating evidence • Multiple independent sources Victim’s mail server/PC Kiosk Router Proxy Hotmail NetFlow NT DC Access logs Authentication logs

  8. Pornography: TransmissionPivotal Case Study • The theory behind child pornography laws in the U S traditionally has been that such material is illegal not because of the content of the material itself, but because of the harm the production and distribution of such material causes children who are used to create the child pornography. • U S versus Hilton, invalidated part of the Child Pornography Prevention Act of 1996, 18 USC Section 2252A. • Hilton claimed to have been collecting child pornography for research purposes: • Met with an FBI agent and U S Customs officials on a number of occasions since 1995 to discuss curbing child pornography on the Internet. • Quoted in articles warning parents of the dangers of allowing their children to surf the 'Net unsupervised. • Police uncovered evidence that “made us question his motivation." • A case of police prosecuting people trying to help cure the Child Pornography problem?

  9. Pornography: Transmission How to investigate a “US v. Hilton” • Modem logs • Shows PC was connected to Internet • Dial-up server logs • Confirms connection and account used • MAC times and Registry (LastWrite) • File modification, creation, and access times • FTP logs • On PC: file name, time, remote directory • On server: file name, size, time, account, IP

  10. Relational Reconstruction • Improve understanding of events • Locate additional sources of evidence • Example: Accounting server break-in

  11. Log File Correlation • Sort each source independently, then combine • Correlate MAC times and LastWrite times of Registry keys with Eventlogs, PC modem & ISP logs 05-15-2000 16:32:53.93 - Initializing modem. 05-15-2000 16:32:53.93 - Send: AT 05-15-2000 16:32:53.93 - Recv: AT 05-15-2000 16:32:54.05 - Recv: OK 05-15-2000 16:32:54.05 - Interpreted response: Ok 05-15-2000 16:32:54.05 - Send: AT&FE0V1&C1&D2 S0=0 W1 05-15-2000 16:32:54.07 - Recv: AT&FE0V1&C1&D2 S0=0 W1 05-15-2000 16:32:54.19 - Recv: OK 05-15-2000 16:32:54.19 - Interpreted response: Ok 05-15-2000 16:32:54.20 - Send: ATS7=60S40=0L1M1\N7%C1&K3B0N1X3 05-15-2000 16:32:54.22 - Recv: OK 05-15-2000 16:32:54.22 - Interpreted response: Ok 05-15-2000 16:32:54.26 - Dialing. 05-15-2000 16:32:54.26 - Send: ATDT##########

  12. Time Pattern Analysis x = event

  13. Histograms • Histogram of events over time • High number of events at key times • Histogram of time periods may show unusual gaps • MAC times • System log entries

  14. EnCase Timeline (patterns)

  15. Search Methodology Identify the crime scene • Area 1: Local Nodes • PDA’s • Laptops • Area 2: Wireless devices • Mobile equipment • 802.11b • Area 3: Wireless networks • Core systems (BSC, MSC, SMS) • Area 4: Remote networks • Routers, switches, cables • Remote nodes

  16. Authorization Example • Floppy found in desk drawer • Collected by IT staff • No authorization • Not clear if search was legal • Process not documented • Not clear who found disk • Disk not labeled • Not clear which disk among several disks • Hot potato – drop it! • High risk of counter suit

  17. Chain of Custody • Who collected & handled the evidence • Fewer people handling the evidence => Fewer people testify • Standard forms & procedures => Consistency

  18. Collection & Preservation • Acquire evidence • EABD versus removing hard drive • save evidence on sterilized media • calculate MD5 checksum of evidence • digitally sign evidence (MD5, time & person) • Documentation • acquisition & verification process • who, where, how, when, and sometimes why • Lock original in safe • alternately use a custodian

  19. Message Digests • 128-bit “fingerprint” • 16 hexadecimal values • Two messages with same digest • Computationally infeasible • Search disk for file with same MD5 • md5sum netstat.exe => 447282012156d360a862b30c7dd2cf3d

  20. What to Collect? • The original disk • An exact copy of the original disk • Log files from the disk (e.g. UNIX wtmp) • Interpreted logs (output of last) • Information lost in summarization • Relevant portions of interpreted logs • Output of last username • May miss some relevant entries • Written notes describing command output The approach depends on the circumstances

  21. Remote Collection • Document collection process (log to file) • May alert the suspect • Stepping in evidence • Same as at console • Forgotten evidence • Planning and procedures • Jurisdiction • May be only means - foreign countries • May cause an international incident • Evidence only available remotely (SNMP)

  22. To shutdown or not to shutdown • Network state • Processes in memory (MB/GB) • Kernel memory • Swap space • Lose cached data not yet written to disk • Lose data protected by EFS/PGP disk • Corrupt existing data

  23. Limitations of Live Exam? • Hasty • prone to error • automation helps avoid errors • Stepping in evidence • automation minimizes changes • not 100% (overwrite user.dmp) • Might miss something • alternate data streams • Can’t see deleted data • anyone have a floppy diskette? • Can’t trust operating system

  24. Challenge Concealment • Deleted binary • Copy in /proc/pid/file • icat /dev/hda inode > recovered • Log deletion or wiping • wzap clears wtmp entries • Altering file attributes • Hidden files/Alternate Data Streams • hfind.exe (Foundstone) • Device files in Recycle Bin • Rootkits/Loadable Kernel Modules (Knark) • Encryption

  25. The Coroner’s Toolkit • grave-robber output • coroner.log • proc with MD5 of output • command_out with MD5 of output • body - mactime database • removed_but_running • conf_vault • trust • MD5_all • MD5_all.md5

  26. Case Example W2K Domain Controller Hacked Unusual port Messy examination Cleanup fails!

  27. Initial Assessment • Routine Network Vulnerability Scan • BO2K on port 1177 of W2K DC • Physical Assessment • Located in locked closet • Initial Examination • All security patches applied • NT Security Event logging enabled • fport: c:\winnt\system32\wlogin.exe • System cannot be shutdown • Central to operation of network

  28. Network Assessment • Accessible from the Internet • No dial-up access • Many services enabled • file sharing • Internet Information Server • FTP (anonymous FTP disabled) • IIS fully patched

  29. Assess and Preserve • Toolkit of known good executables • Save output to external/remote disk • Note md5 values of output • Check for keystroke grabber / sniffer • No fakegina or klogger • Yes sniffer (system32\packet.sys) • MAC times to locate other files • Installed IRC bot in C:\WINNT\Java • No obvious access of sensitive information • Could have obtained passwords via lsass • Could have access to other machines

  30. Logs • No unusual logons in Security Event Logs • IIS logs from before security patch installation • Shows compromise via Web server • AntiVirus messages in Application Event Logs 1/19/2002,1:09:11 AM,1,0,5,Norton AntiVirus,N/A, CONTROL, Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\Java\w.exe by: Scheduled scan. Action: Clean failed : Quarantine succeeded : Virus Found!Virus name: BO2K.Trojan Variant in File: C:\WINNT\system32\wlogin.exe by: Scheduled scan. Action: Clean failed : Quarantine failed : 1/19/2002,1:09:11 AM,4,0,2,Norton AntiVirus,N/A, CONTROL, Scan Complete: Viruses:2 Infected:2 Scanned:62093 Files/Folders/Drives Omitted:89

  31. Leads • IP addresses from Web server logs • IRC bot files • eggdrop bot files contained information about servers, nicknames, channels, and channel passwords that could be used to gather additional information

  32. Remediation • Change passwords and examine other hosts • HKLM\System\CurrentControlSent\Services • C:\WINNT\System32\wlogin.exe • Machine fails to reboot • Extended downtime • MAC times incomplete • C:\subdir • Wlogin is zeroed out • Accidental by examiner • Intentional by Norton/intruder? • No binary to analyze

  33. Lessons Learned • Intrusion prior to patching • Do not assume that system was secure • Lastwrite time of wlogin Registry key • Missed opportunity • Attempt to recover piecemeal • Don’t make matters worse than intruder • Make a plan and make a backup plan

  34. Forensic Analysis Overview • Locate, recover, and interpret evidence • Low level analysis vs interpreted data • Timeline – when • Relational reconstruction – where • Functional reconstruction – how • Synthesis – what, why • crime reconstruction • risk assessment • motive and intent • Data may not be trustworthy • seek corroborating data on network

  35. Analysis Process • Access evidentiary images & backups • File inventory with hash values, etc. • Recover deleted data (files, folders, etc.) • Recover slack and unallocated space • Exclude known/unnecessary files • Remove duplicates • Process/decrypt/decompress files • swap and hibernation files • Index text data

  36. File Systems • General creation process • Allocation table and folder entries created • Time stamps set • Track written • Slack space • Perhaps artefacts generated • MS Word file menu Registry entries • Windows: FAT12, FAT16, FAT32, NTFS • Unix: UFS, ext2, ext3 • Macintosh: HFS Plus

  37. FAT

  38. NTFS • MFT records overwritten quickly • Index entries are overwritten quickly • Reference handbook • How quickly are blocks reused • Timestamp in MFT Record in table only modified when name is changed • Sourceforge for more information • http://sourceforge.net/projects/linux-ntfs/

  39. Unix

  40. MacOS (HFS Plus) • Catalog file • Balance tree • File threads • Time formats • GMT v local • No access time http://developer.apple.com/technotes/tn/tn1150.html

  41. Linux – A Forensic Platform # dd if=/dev/fd0 | md5sum 2880+0 records in 2880+0 records out 5f4ed28dce5232fb36c22435df5ac867 - # dd if=/dev/fd0 of=floppy.image bs=512 # md5sum floppy.image 5f4ed28dce5232fb36c22435df5ac867 floppy.image # mount -t vfat -o ro,noexec,loop floppy.image /mnt # find /mnt -type f -exec sha1sum {} \; 86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls 81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml 0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc # grep -aibf searchlist floppy.image 75441:you and your entire business ransom. 75500:I want you to deposit $50,000 in the account 75767:Don't try anything, and dont contact the cops.

  42. The Coroner’s Toolkit • ils -A /dev/hda1 (free inodes) • ils –o /dev/hda1 (removed open files) • icat /dev/hda1 inode • pcat pid • mactime -R -d / 12/13/2001-12/14/2001 • mactime -d /export/home 10/30/2001 • grave-robber -d . -E / • Perl is a requirement

  43. Log File Correlation • Use the time range from wtmp logs # last user pts/3 66-65-113-65.nyc Sat Oct 20 19:45 - 01:08 (05:23) # mactime -b body -l "Sat Oct 20 19:45 - 01:08 (05:23)" Oct 21 01 01:32:30 75428 .a. -r-xr-xr-x root bin /usr/bin/ftp

  44. Computer Forensics Software

  45. AccessData Forensic Toolkit® (FTK™) • The most popular of email forensic software tools • View over 270 different file formats with Stellent's Outside In Viewer Technology. • Generate audit logs and case reports. • Compatible with the Password Recovery ToolkitTM and Distributed Network Attack®. • Full text indexing powered by dtSearch® yields instant text search results. • Advance searches for JPEG images and Internet text. • Locate binary patterns using Live Search. • Automatically recover deleted files and partitions. • Target key files quickly by creating custom file filters. • Supported File & Acquisition Formats • File formats include: NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3. • Image formats include: Encase, SMART, Snapback, Safeback (up to but not including v.3), and Linux DD. • Email & Zip File Analysis • Supports: Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN email. • View, search, print, and export email messages and attachments. • Recover deleted and partially deleted email. • Automatically extract data from PKZIP, WinZip, WinRAR, GZIP, and TAR compressed files. • Known File Filter™ (KFF™) • Identify and flag standard operating system and program files. • Identify and flag known child pornography and other potential evidence files • Includes hash datasets from NIST and Hashkeeper • Registry Viewer™ • Access and decrypt protected storage data • View independent registry files • Report generation • Integrates with AccessData's forensic Tools

  46. Email ForensicsHow FTK is used … • Email is one of the most common ways people communicate • Studies have shown that more email is generated every day than phone conversations and paper documents combined • Forensic Analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide and no examination of Document Discovery is complete without requesting, searching and organizing email

  47. Email Forensics Identification and Extraction • The first step in an email examination is to identify the sources of email and how the email servers and clients are used in an organization • More than just a way of sending messages email clients and servers have expanded into full databases, document repositories, contact managers, time mangers, colanders and many other applications • E.g., Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM) • Lotus Notes and Domino Server are used beyond an email system • Many users store their personal calendars, contacts and even synchronize their  email clients with their Personal Digital Assistants (PDA) • Organizations use database enabled email and messaging servers to manage cases, track clients and share data • Computer forensics should start their collection of evidence with email

  48. Email ForensicsDeleted Email • Many user believe that once they delete email from their client that the mail is unrecoverable • Nothing could be farther from the truth, many times emails can forensically extracted even after deletion • Many users also do not grasp the concept that email has a sender AND a recipient or multiple recipients • Emails may reside on servers unbeknown to the user, or on backup tapes that were created during the normal course of business • Of course they may also be extracted from the hard disk of the client or the server.  • Forensic programs are able to recover deleted email, calendars and more from users email clients and email servers.

  49. Email ForensicsWeb Mail or Web Based Email • It is completely possible to forensically recover email that was created or received by web based email systems and from free web based email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail • These types of mail systems use a browser to interface with the email server, the browser inherently caches information to the disk drive in the system used to retrieve or generate the email thereby effectively saving a copy to the disk • Forensic examiners can extract the HTML based Email from disk drive of the system used to create or retrieve the email messages  • Many Web Based or Web mail services, including Yahoo and Hotmail have shared calendaring services, personal calendars and contact managers as email.  • Anytime these services are accessed they may be cached to the disk as well. 

  50. Email ForensicsCorrelating Email Messages •  New evidence is essentially created by •  Correlating emails by date, subject, recipient or sender • These yield a map of inferences, events and entities • And open up opportunities for more complex pattern analysis • Forensic software is especially important in providing these correlations

More Related