Search and Analysis
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
Theory, Practice, Learning by Doing
8/24/06
Computer Forensics Procedure
The Defensible Approach
Documentation
• Verify legal authority
• Search warrants
• Photographing
• Documentation
  - Location, date, time, witnesses
  - System information, status
  - Physical evidence collected
Acquisition
• Forensically wipe storage drive
• Bit-stream imaging
• Documentation
• Chain of custody
Authentication
• Hash verification
  - CRC/MD5/SHA1
• Documentation
Analysis
• Retain the integrity
• Filtering out irrelevant data
• What could/could not have happened
• Be objective and unbiased
• Documentation
Presentation
• Interpret and report
• Present and defend
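The Acquisition and Authentication phases above, as an added example that is not part of the deck: a bit-stream copy of a constructed three-sector "drive" is hashed block by block with the three algorithms the slide names, and the digests of source and image are compared and recorded. The drive contents and sector size are constructed assumptions.

```python
import hashlib
import zlib

SECTOR = 512

# Constructed stand-in for a small evidence drive (three 512-byte sectors);
# not real data. An imager reads a physical device in fixed-size blocks the
# same way digests() consumes this byte string.
EVIDENCE_DRIVE = (
    b"\xeb\x3c\x90MSDOS5.0".ljust(SECTOR, b"\x00")                  # boot sector
    + b"Meeting notes: ship the files Friday".ljust(SECTOR, b"\x00")  # active file
    + b"\x00" * SECTOR                                                # unallocated sector
)

def digests(data: bytes, chunk_size: int = SECTOR) -> dict:
    """Hash a byte stream block by block (drives do not fit in memory) and
    return CRC32, MD5 and SHA-1 as hex strings. CRC32 is only a checksum;
    MD5/SHA-1 are the algorithms named on the slide, and current practice adds
    SHA-256 because both have known collision attacks."""
    crc = 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        crc = zlib.crc32(block, crc)
        md5.update(block)
        sha1.update(block)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}",
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def bit_stream_image(source: bytes) -> bytes:
    """Bit-stream copy: every byte of the source, unallocated sectors included."""
    return bytes(source)

def verify_image(source: bytes, image: bytes) -> dict:
    """Authentication step: recompute digests of source and image and keep
    both for the documentation trail. Verification fails on any mismatch."""
    src, img = digests(source), digests(image)
    return {"source": src, "image": img,
            "verified": all(src[k] == img[k] for k in src)}
```

The returned record is what goes into the documentation; a single flipped bit anywhere in the image changes all three digests and fails verification.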
Steps in Forensic Examination
• Verify legal authority
  - Search warrant
  - Scope of the search
• Collect preliminary data
• Determine the environment for the investigation: on or off site?
• Secure and transport evidence
  - Document the evidence
  - Tag the evidence
  - Bag the evidence
  - Transport the evidence
• Acquire the evidence
• Examine and analyze the evidence
• Report on the investigation
Effective Data Searches
• Interview members of the IT staff to learn how and where data has been stored, if applicable.
• Confirm or define the objective of the investigation.
• Identify relevant time periods and the scope of the data to be searched.
• Identify the relevant types of data.
• Identify search terms for data filtering, particularly words, names, or unique phrases that help locate relevant data and filter out what is irrelevant. Metadata can be invaluable to the filtering process.
• Find out usernames and passwords for network and e-mail accounts, to the extent possible.
• Check for other computers or devices that might contain relevant evidence.
Data Types to be Searched
• Active data: the information readily available and accessible to users via a file manager.
• Deleted files
• Hidden, encrypted, and password-protected files
• Automatically stored data
• E-mail and instant messages
• Background information: computer and network logs, caches, cookies
Acquiring Volatile Data
• Data held in temporary storage in the system's memory is called volatile data.
• Memory is dependent on electrical power; when the power is shut off, its contents are lost.
• Order of volatility (most volatile first):
  - Registers and cache
  - Routing tables, ARP cache, process tables, kernel statistics
  - Contents of system memory
  - Temporary file systems
  - Data on disk
Acquiring Volatile Data
• Commands
  - netstat -an (-rn)
  - lsof
  - ifconfig
  - ipconfig
  - pslist
  - nbtstat
  - top
  - prstat
  - arp -a
Logical Examination Pyramid
(Layers listed from apex to foundation; the degree of complexity and difficulty increases toward the apex.)
• Data for analysis
• Unallocated space and file slack
• Password-protected, encrypted, compressed, and link files
• Hash analysis, file header/extension analysis, and obvious files of interest
• Investigation foundation: file system details, directory structure, operating system norms, partition information, and other operating systems
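The "hash analysis, file header/extension analysis" layer of the pyramid, as an added example that is not from the deck: files whose SHA-1 is on a reference list are labelled and set aside, and the rest are checked for a mismatch between their magic bytes and their extension. The signature table, sample files and reference set are constructed for the example.

```python
import hashlib

# Magic bytes -> (file type, extensions that legitimately carry that type).
# A short constructed table; production tools ship far larger signature sets.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "pe-executable", {"exe", "dll", "sys", "scr"}),
]

def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def signature_check(name: str, data: bytes) -> str:
    """Header/extension analysis: does the content's magic match the name?"""
    ext = extension(name)
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return "ok" if ext in exts else f"mismatch:{kind}-as-.{ext}"
    return "unknown-signature"

def triage(files: dict, known_hashes: dict) -> dict:
    """Hash analysis first: files whose SHA-1 appears in a reference set
    (e.g. a known-good OS file list such as NIST's NSRL) are labelled and
    need no further review; everything else gets the signature check."""
    report = {}
    for name, data in files.items():
        label = known_hashes.get(hashlib.sha1(data).hexdigest())
        report[name] = label if label else signature_check(name, data)
    return report

# Constructed sample files (headers only, padded); not real evidence.
FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,
    "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 28,     # image renamed as text
    "report.pdf": b"%PDF-1.4\n%constructed",
    "readme.doc": b"MZ\x90\x00" + b"\x00" * 28,          # executable posing as a document
    "ntoskrnl.exe": b"MZ" + b"\x00" * 30,
}
# Constructed reference set: pretend the OS file's hash is on a known-good list.
KNOWN_HASHES = {hashlib.sha1(FILES["ntoskrnl.exe"]).hexdigest(): "known-good"}
```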
The Art of File Analysis
• File contents
• Metadata
• Application files
• Operating system file types
• Directory / folder structure
• Patterns
• User configurations
• Time frame analysis
  - Creation date/time
  - Modified date/time
  - Accessed date/time
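Time frame analysis over the three timestamps listed above, as an added example that is not part of the deck: MAC times are flattened into one timeline restricted to the relevant period, and files whose modification time predates their creation time are flagged as likely copies. The file records and time window are constructed.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed MAC timestamps for three files (not from a real case), in the
# form an examiner would export them from file system metadata.
FILES = [
    {"path": "C:/Users/jd/plan.docx",   "created": "2006-08-20 09:15",
     "modified": "2006-08-21 17:02",    "accessed": "2006-08-23 08:40"},
    {"path": "E:/backup/plan.docx",     "created": "2006-08-23 08:41",
     "modified": "2006-08-21 17:02",    "accessed": "2006-08-23 08:41"},
    {"path": "C:/Windows/notepad.exe",  "created": "2004-08-04 12:00",
     "modified": "2004-08-04 12:00",    "accessed": "2006-08-23 08:39"},
]

def timeline(files: list, start: str, end: str) -> list:
    """Flatten creation/modification/access times into one chronological
    event list, limited to the investigation's relevant time period."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    events = []
    for f in files:
        for field in ("created", "modified", "accessed"):
            t = datetime.strptime(f[field], FMT)
            if lo <= t <= hi:
                events.append((t, field, f["path"]))
    return sorted(events)

def copy_indicators(files: list) -> list:
    """A modification time earlier than the creation time is a classic copy
    indicator: on NTFS a copied file gets a fresh creation time but keeps the
    source file's last-modified time."""
    return [f["path"] for f in files
            if datetime.strptime(f["modified"], FMT)
            < datetime.strptime(f["created"], FMT)]
```

Read together, the timeline for the morning of 8/23 shows the original being accessed and a copy with the original's modification time appearing on the E: volume a minute later.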
The Art of Data Hiding Analysis
• Password-protected files
• Compressed files
• Compressed files + password protection
• Encrypted files
• Steganography
Common Cyber Criminal Tools
• Nuker: Software used by intruders to destroy system log trails.
• Anonymous Remailers: Tools used by intruders to mask their identities. These devices are configured to receive and re-send Internet traffic by replacing the original (actual) source address of the sender with the address of the anonymous re-mailer machines.
• Password Cracker: Software used to break encrypted password files, often stolen from a victim's network server.
• Scanner: Software used to identify services that are running on a network so that those services can be exploited to gain unauthorized access to the network.
• Spoofer: Software used to impersonate someone else to hide the identity of the actual sender of the e-mail.
• Steganography: Steganography is the science of hiding messages in messages. The point of it is to hide data or the existence of the message; that is, to hide the fact that the parties are communicating anything other than innocuous graphics or audio files. Steganography has been used by terrorists or intruders to spy, steal, or communicate information via electronic "dead drops," typically Web pages.
• Trojan horse: Malicious software disguised as a legitimate computer file or program. Trojan horses are used to create backdoors into networks to gain unauthorized access to the network.