An Introduction to Computer Forensics Randy Ribler Department of Computer Science Lynchburg College
Computer Forensics Definition • Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. - Judd Robbins, “An Explanation of Computer Forensics”
Application of Computer Forensics • Securing evidence in criminal and civil litigation • Terrorism • Child Pornography • Industrial Espionage • Documenting/Investigating a breach of network security • Recovering inadvertently deleted data
High-profile Computer Forensics Cases Dismissal of U.S. attorneys controversy • Lost emails • “Some official e-mails have potentially been lost and that is a mistake the White House is aggressively working to correct.” - Scott Stanzel, White House spokesman • Forged Email • Larry Ellison loses sexual harassment case against former employee • Employee later shown to have been the forger of incriminating email that appeared to be confirming Ellison’s role in her firing. (She was later convicted of perjury.)
Principal Targets of Computer Forensics • Hard Disk Drives • USB Drives, floppy disks • SD memory, Compact Flash, and other static memory • RAM (Random Access Memory)
Basic Computer Architecture • Central Processing Unit (CPU) • Main Memory • (RAM) (volatile memory) • Turn off the computer and it forgets • Disk Drive • non-volatile (persistent) memory • Maintains data across shutdowns • Data Files • Temporary Files • Registry Entries • Unallocated Space • Swap Space • Log Files • Email
Disk Sectors and Clusters • Sectors are physical areas of the disk that typically represent the smallest addressable units of storage. When a disk drive reads or writes data, it typically does so in complete sectors. • Clusters are logical entities consisting of one or more sectors. Clusters are the smallest addressable unit of storage used by a file system.
How Clusters are Allocated to Files • Initially, the disk drive consists of a large number of unallocated clusters • When a file is stored, the number of clusters needed to store the data are allocated to that file. • A File Allocation Table keeps track of which clusters are allocated to which files
Files Stored on a Disk The diagram shows the data for two files stored on the disk. One file has been allocated contiguous clusters (shown in green). The other file has been allocated noncontiguous clusters (shown in blue). The file allocation table keeps track of the clusters allocated to each file. When the file is deleted, the file allocation table is modified to show that the clusters are now available for reuse, but no modification is made to the data in the clusters.
Foolproof methods for rendering previously stored data unreadable • Using a sledge hammer to reduce the disk platters to dust • Overwrite every sector on the disk • Store at least one irreplaceable file on it, for which you have no backup (Unproven, but with strong anecdotal evidence)
Deleting Disk Data • “Wiping” a file consists of deleting the file and overwriting the contents of the associated clusters • Random data • All ones and/or all zeros • Multiple overwrites • A single overwrite seems to be adequate for modern disk drives http://www.springerlink.com/content/408263ql11460147/ • Remnants of the file may still exist in other parts of the system (e.g., swapfile, temporary files, registry entries, etc.). If so, data from wiped files can still be recovered.
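The three preceding slides (cluster allocation, what an ordinary delete actually changes, and what wiping changes) can be shown in one small model. The following is an added example written for this page, not code from the lecture: a toy disk of 16 eight-byte clusters with a dictionary standing in for the file allocation table. The file names, contents and cluster size are constructed values. An ordinary delete only drops the FAT entry, so the bytes remain in unallocated space and a carving pass still finds them; a wipe overwrites each cluster before dropping the entry.

```python
import os

CLUSTER_SIZE = 8     # bytes per cluster (constructed toy value; real clusters are KB-sized)
NUM_CLUSTERS = 16


class ToyDisk:
    """Clusters are fixed-size byte slots; `fat` maps a file name to its cluster chain."""

    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.fat = {}    # filename -> (ordered list of cluster indices, file size in bytes)

    def free_clusters(self):
        used = {c for chain, _ in self.fat.values() for c in chain}
        return [i for i in range(NUM_CLUSTERS) if i not in used]

    def write_file(self, name, data):
        """Allocate as many free clusters as the data needs; they need not be contiguous."""
        needed = -(-len(data) // CLUSTER_SIZE)          # ceiling division
        free = self.free_clusters()
        if needed > len(free):
            raise OSError("disk full")
        chain = free[:needed]
        for n, idx in enumerate(chain):
            chunk = data[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.clusters[idx][:] = chunk.ljust(CLUSTER_SIZE, b"\x00")
        self.fat[name] = (chain, len(data))
        return chain

    def read_file(self, name):
        chain, size = self.fat[name]
        return b"".join(bytes(self.clusters[i]) for i in chain)[:size]

    def delete_file(self, name):
        """Ordinary delete: the FAT entry goes away, the cluster contents do not."""
        del self.fat[name]

    def wipe_file(self, name, pattern=None):
        """Wipe: overwrite every cluster of the file (random bytes by default), then delete."""
        chain, _ = self.fat[name]
        for idx in chain:
            fill = os.urandom(CLUSTER_SIZE) if pattern is None else (pattern * CLUSTER_SIZE)[:CLUSTER_SIZE]
            self.clusters[idx][:] = fill
        del self.fat[name]

    def unallocated_space(self):
        """What a forensic tool sees when it carves the clusters no file currently owns."""
        return b"".join(bytes(self.clusters[i]) for i in self.free_clusters())


def demo():
    disk = ToyDisk()
    disk.write_file("memo.txt", b"Quarterly numbers")       # 17 bytes -> clusters 0,1,2
    disk.write_file("notes.txt", b"lunch")                   # 5 bytes  -> cluster 3
    disk.delete_file("memo.txt")                             # ordinary delete
    memo_recoverable = b"Quarterly numbers" in disk.unallocated_space()

    # A larger file reuses clusters 0-2 and must skip cluster 3: a noncontiguous chain.
    report = b"Budget 2008 draft, do not circulate"         # 35 bytes -> 5 clusters
    report_chain = disk.write_file("report.txt", report)
    report_readback = disk.read_file("report.txt")

    disk.delete_file("notes.txt")                            # ordinary delete again
    notes_recoverable = b"lunch" in disk.unallocated_space()

    disk.wipe_file("report.txt", pattern=b"\x00")            # single all-zeros overwrite
    report_recoverable_after_wipe = b"Budget" in disk.unallocated_space()

    return {
        "memo_recoverable": memo_recoverable,                # True: delete left the bytes
        "report_chain": report_chain,                        # [0, 1, 2, 4, 5]
        "report_readback": report_readback,
        "notes_recoverable": notes_recoverable,              # True
        "report_recoverable_after_wipe": report_recoverable_after_wipe,   # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The model deliberately stops where the slide does: it only covers the clusters the file owned. Copies left in swap, temporary files or registry entries are outside the FAT's view, which is why the slide's last bullet still applies after a wipe.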
Protection of evidence is critical • Ensure that: • no possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer. • no possible computer virus is introduced to a subject computer during the analysis process. • extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage. • a continuing chain of custody is established and maintained. • business operations are affected for a limited amount of time, if at all. • any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged. * Bullet points from Judd Robbins : http://www.computerforensics.net/forensics.htm
Forensic Procedure for Securing Disk Data for Analysis • Extreme care must be taken to ensure that the data does not become modified as a side-effect of forensic analysis • Turn the computer off if it is on • Remove the disk from the computer • Write-protect the drive • Use forensic software to create an “image file” • Image files contain a byte for byte copy of the sectors contained on the disk • Secure the original disk • All further analysis must be performed on the image file.
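The imaging step of the procedure above, as an added example that is not part of the lecture: a constructed stand-in for a disk is copied sector by sector into an image file, both sides are hashed with SHA-256 so the copy can be shown to be byte-for-byte identical, and the analysis (here, locating a marker string) is done on the image only, which is re-hashed afterwards to show the analysis did not alter it. The device file, sector count, marker text and file names are all constructed for the example; a real acquisition would read a write-blocked physical device instead of a file.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512
MARKER = b"CONSTRUCTED-EVIDENCE-MARKER"   # constructed content planted in sector 3


def sha256_of_file(path, block_size=SECTOR_SIZE):
    """Hash a file in fixed-size blocks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def image_device(device_path, image_path, sector_size=SECTOR_SIZE):
    """Copy the source sector by sector into image_path; return the hash of what was read.

    The source is opened read-only; in practice a hardware write blocker sits in
    front of the original drive as well, so nothing can write to it by accident.
    """
    h = hashlib.sha256()
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        for sector in iter(lambda: src.read(sector_size), b""):
            h.update(sector)
            dst.write(sector)
    return h.hexdigest()


def make_sample_device(path, sectors=8):
    """Constructed stand-in for a physical disk: filler bytes with a marker in sector 3."""
    data = bytearray(b"\xAA" * (sectors * SECTOR_SIZE))
    off = 3 * SECTOR_SIZE
    data[off:off + len(MARKER)] = MARKER
    with open(path, "wb") as f:
        f.write(data)


def acquire_and_verify(workdir):
    device = os.path.join(workdir, "fake_device.bin")
    image = os.path.join(workdir, "evidence.dd")
    make_sample_device(device)

    source_hash = image_device(device, image)        # hash of the bytes read from the source
    image_hash = sha256_of_file(image)               # independent hash of the written image

    # All analysis happens on the image, opened read-only.
    with open(image, "rb") as f:
        data = f.read()
    marker_sector = data.find(MARKER) // SECTOR_SIZE

    return {
        "hashes_match": source_hash == image_hash,
        "image_size": os.path.getsize(image),
        "marker_sector": marker_sector,
        "image_unchanged_after_analysis": sha256_of_file(image) == source_hash,
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        return acquire_and_verify(d)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Recording the hash at acquisition time and re-checking it before every later analysis session is what lets an examiner show that the image examined in court is the one taken from the secured original.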
Computer Forensic Software • Many software tools exist to recover deleted files and find keywords and other data of interest • EnCase is one of the more popular and powerful tools available • http://www.youtube.com/watch?v=O4ce74q2zqM
E-mail – The most frequent smoking gun • “You can't erase e-mails, not today…They've gone through too many servers. Those e-mails are there –” • Senator Patrick Leahy
Finding lost Emails • Emails can be recovered from a number of different locations • Local user files • POP3 email client protocols copy all email data to the local disk • Under many email clients (including Outlook) deleted emails exist in the local archive even after they are purged from the deleted mail folder. • IMAP email client protocols leave the email on the server, but local copies are likely to exist in temporary or swap files • Servers • Mail servers will maintain email records • Backups • Backups of both client and server machines can provide copies of deleted emails
Encryption/Decryption • Data is encrypted before it is stored on the disk • Without the key, the data cannot be understood • Deleted files are unreadable • Data in memory is not encrypted • Such data might still be referenced in swap files, system logs, and registry entries
String Search Techniques • String search algorithms • Search for “regular expression” • CS[1-3][0-9][0-9][ ]*[rR][iI][bB][lL][eE][rR] • Index the entire disk • Make a list of all the places on the disk each keyword appears • Indexes can be very large • Very fast response to keyword queries • Indexes are generally created in a “batch” mode, and interactive investigation proceeds after the index generation is complete
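The two search styles on this slide, a one-pass regular-expression scan over raw image bytes and a batch-built keyword index that answers later queries from a table of offsets, as an added example written for this page (not the lecture's code). The regular expression is the one on the slide; the sample "image" is a constructed byte string with keywords scattered among filler and NUL bytes, and the keyword list is constructed too.

```python
import re
from collections import defaultdict

# The slide's pattern: a CS1xx-CS3xx course number, optional spaces, then "ribler" in any case.
COURSE_RE = re.compile(rb"CS[1-3][0-9][0-9][ ]*[rR][iI][bB][lL][eE][rR]")

# Constructed sample image: 16 NUL bytes, then text fragments with a few planted hits.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Grades for CS231  Ribler posted. "      # matches the regex (two spaces)
    + b"see cs131 ribler?? "                    # lowercase "cs": regex misses it, index still sees "ribler"
    + b"budget\x00\x00CS131RIBLER\x00budget"    # matches with zero spaces, across NUL-separated fragments
    + b"CS431 Ribler"                           # "4" is outside [1-3]: no regex match
)


def regex_search(image, pattern=COURSE_RE):
    """Interactive-style search: scan the whole image once, return (offset, matched bytes)."""
    return [(m.start(), m.group()) for m in pattern.finditer(image)]


def build_index(image, keywords):
    """Batch step: record every offset of each keyword (case-insensitive, overlapping allowed)."""
    index = defaultdict(list)
    lowered = image.lower()
    for kw in keywords:
        needle = kw.lower()
        pos = lowered.find(needle)
        while pos >= 0:
            index[kw].append(pos)
            pos = lowered.find(needle, pos + 1)
    return dict(index)


def lookup(index, keyword):
    """Query step: answered from the table, without rescanning the image."""
    return index.get(keyword, [])


def demo():
    hits = regex_search(SAMPLE_IMAGE)
    index = build_index(SAMPLE_IMAGE, [b"ribler", b"budget", b"payroll"])
    return {
        "regex_hits": hits,                          # [(27, b'CS231  Ribler'), (76, b'CS131RIBLER')]
        "ribler": lookup(index, b"ribler"),          # [34, 59, 81, 100]
        "budget": lookup(index, b"budget"),          # [68, 88]
        "payroll": lookup(index, b"payroll"),        # [] -> keyword absent from the image
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The index trades one slow pass and a large table for instant answers to later keyword queries, which is why tools build it before the interactive part of an investigation starts; the regex scan is better when the pattern is not known in advance.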
Princeton Encryption Hack • http://www.youtube.com/watch?v=JDaicPIgn9U
Implications of the Princeton Encryption Hack • Perhaps computer forensic investigation will now include investigation of RAM images. The same techniques used for disks can be applied. • Many encryption
Steganography • steganography http://en.wikipedia.org/wiki/Steganography
Credibility of Digital Data • Unlike other forensic evidence, digital data on a computer can be modified without physical access to the computer. • How do we know that incriminating evidence has not been planted? • Recent case of files in Windows Options directory http://news.bbc.co.uk/1/hi/scotland/tayside_and_central/6968663.stm
Problems with Digital Data • Metadata, such as file access/creation times and file ownership, can be changed easily • Emails and any other data can be fabricated • Given a blank disk, we can create any image we like