
IMT 3551/4012 Digital Forensics Course Overview and Lecture 1 Fall 2010


Presentation Transcript


  1. IMT 3551/4012 Digital Forensics, Course Overview and Lecture 1, Fall 2010. André Årnes, Tlf: 9166006, andre.arnes@hig.no

  2. Agenda • Course overview • Objectives • Lectures and exams • Paper presentations • Project work • Curriculum • Lecture • Introduction to digital forensics • Practical lab work

  3. Course Overview

  4. Course Objectives • What is digital forensics? • Central principles and methodology rather than standardized procedures • Methods for • Evidence acquisition • Analysis • Reporting

  5. Focus and Disclaimer • Feedback is most welcome – all the time • We will focus on the fundamental principles of digital forensics, as well as the practical side of the field. • Practical work will focus on analysis and reconstructions in virtual environments. • Consider the consequences of all experiments and don’t do anything unethical (or illegal!). Also, don’t trust unknown software – run untrusted software in isolated environments.

  6. Course Overview (Preliminary) • Lecture 1, Introduction, 19.10.2009, Room K113 + A115 • Chapter 1, Appendix B • Lecture 2, File system analysis, 02.11.2009, Room K113 + A115 • Chapters 2, 3, 4, 7, Appendix A • Lecture 3, Live and remote forensics, 16.11.2009, Room A126 + A115 • Chapters 5, 8 • Lecture 4, Evidence analysis, 30.11.2009, Room K113 + A115 • Chapter 6 • Lecture 5, Selected topics and review, 07.12.2009, Room K113 + A115 • Short project presentations • Project Deadline: 23:59 on Friday 10.12.2009 • Written Exam: 21.12.2009

  7. Project Work Requirements • Assignments are marked and count 50% of the mark (see course information) • Groups of 3 to 5 persons • Report can include theoretical and/or experimental work. • IMT 3551 Groups: • Standard project report • IMT 4021 Groups: • Academic paper format

  8. Project Requirements (cont’d) • Document all assertions, back up claims and results, provide academic references, document the experimental setup and focus on evidence integrity and forensic soundness. • Plagiarism is not accepted – ask if you have questions regarding quotations and citations.

  9. Project Work Choose ONE of the following (or propose a new topic): • Acquiring evidence in the cloud: Perform a theoretical evaluation of acquiring evidence from a cloud service (e.g., Amazon EC2) and perform experiments as a proof-of-concept. • iPad Forensics: Forensic analysis of the iPad (you need an iPad). Perform experiments and perform a forensic analysis of the evidence. • Internet Explorer 9 (beta): Perform experiments and a forensic analysis of the evidence. • Log2timeline and Simile: Perform experiments, extract the timeline using log2timeline and visualize the results using SIMILE. • Android Forensics: Perform experiments using an Android phone and/or the Android SDK to evaluate the availability and authenticity of evidence in Android. • Processing massive amounts of data: Perform a theoretical study of approaches to handle massive amounts of data in digital forensics cases. Present the results as a comparative study to benchmark the methods based on typical use cases. • Database forensics: Perform a survey and experiments of state-of-the-art tools for database forensics, based on, e.g., PostgreSQL or Oracle DB. • Evidence authenticity: Evaluate security requirements and a security architecture for managing evidence and preserving evidence integrity and chain of custody. Consider vulnerabilities in popular hash algorithms (e.g., MD5). • Computational forensics: Evaluate computational methods to identify and analyse digital evidence (e.g., fuzzy search, statistical sampling). • Rights Management: Forensic analysis of commercial-grade rights management systems, e.g., Microsoft Rights Management System or Oracle Information Rights Management

  10. Project Recommendations • We request that all experiments (if possible) are performed in a sterilized environment and that the data set is preserved and handed in or made available online. We will use this as a data set for training and research in digital forensics. • We appreciate innovation in experimental environments. Amazon cloud, and http://www.vmlogix.com/Screenshots/ are possible options. Remember to not do malware experiments in the cloud (!) • Faculty at the forensics lab will nominate suitable papers for scientific publication. One IMT3551 group is publishing @NISK 2010!

  11. What to cover in this course? • Internet investigations? • Network forensics? • Device forensics? • Video/audio/image forensics? • Reverse engineering? • Criminal investigations? • Law and judicial issues?

  12. Curriculum I • Dan Farmer and Wietse Venema, ”Forensic Discovery”, Addison-Wesley, 2005, http://www.porcupine.org/forensics/forensic-discovery/ • Material covered in class

  13. Curriculum II – Presented Papers • Five curriculum papers will be presented in class and will be part of the course curriculum. The papers may change depending on your feedback, but the curriculum will be finalized by next class. Curriculum papers: • Carrier, Brian, ”An event-based digital forensic investigation framework”, DFRWS, 2005. • Casey, ”Error, Uncertainty, and Loss in Digital Evidence”, International Journal of Digital Evidence, 2002. • Gutmann, Peter, ”Secure Deletion of Data from Magnetic and Solid-State Memory”, USENIX 1996 • Vrizlynn Thing, Kian-Yong Ng, and Ee-Chien Chang, ”Live Memory Forensics of Mobile Phones”, DFRWS 2010 • Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, ”Forensic Investigation of Peer-to-Peer File Sharing Networks”, DFRWS 2010

  14. Presentations • Each group presents one paper during lectures 2, 3 and 4. Each presentation will be ~15 to 20 minutes • The project will be presented on the last lecture day. Each presentation will be short (~10 minutes)

  15. Some Useful References • Brian Carrier, ”File System Forensic Analysis”, Addison Wesley, 2005 • Keith J. Jones, Richard Bejtlich, Curtis W. Rose, ”Real Digital Forensics – Computer Security and Incident Response”, Addison Wesley, 2006 • Inger Marie Sunde, ”Lov og rett i Cyberspace”, Fagbokforlaget, 2006 • US DOJ, ”NIJ Special Report on Forensic Examination of Digital Evidence: A Guide for Law Enforcement” • ACPO, ”Good Practice Guide for Computer Based Electronic Evidence” • Årnes, Haas, Vigna, and Kemmerer, ”Digital Forensic Reconstruction and the Virtual Security Testbed ViSe”, Journal in Computer Virology, 2007. • The Honeynet Project; in particular Scan of the Month and forensic challenges • Gladyshev and Patel, ”Finite state machine approach to digital event reconstruction”, Digital Investigation 1, 2004. • DOJ, ”NIJ Special Report on Investigations Involving the Internet and Computer Networks” (pages 1-27, excluding ”legal considerations”)

  16. Internet Bank Fraud

  17. Transaction Agents

  18. Before we get started … • Choose groups (on blackboard) • Choose project number (or propose a project) • Choose paper to present (talk to me if all 5 are taken) • Talk to me if you’re doing an MSc on digital/computational forensics • Break!

  19. Lecture 1 Introduction to Digital Forensics

  20. Terminology and Basic Principles

  21. Forensic Science • The application of science and technology to investigate and establish facts of interest to criminal or civil courts of law. For example: • DNA analysis • Trace evidence analysis • Firearms ballistics • Implies the use of scientific methodology to collect and analyse evidence. For example: • Statistics • Logical reasoning • Experiments

  22. Some Terminology • Digital Forensics • Digital Investigations • Computer Forensics • Network Forensics • Internet Investigations • Computational Forensics

  23. Investigation Process

  24. Digital Evidence • We define digital evidence as any digital data that contains reliable information that supports or refutes a hypothesis about an incident. • Evidence dynamics is described to be any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent.

  25. Evidence Integrity • Evidence integrity refers to the preservation of the evidence in its original form. This is a requirement that is valid both for the original evidence and the image. • Write-blockers ensure that the evidence is not accidentally or intentionally changed • Hardware • Software • In some cases, evidence has to be changed during acquisition, see discussion of OOV below.

  26. Digital Fingerprints • Purpose is to prove that evidence and image are identical – using cryptographic hash algorithms • Input is a bit stream (e.g., file/partition/disk) and output is a unique hash (file signature) • We use cryptographic hash algorithms (e.g., MD5, SHA1, SHA256). These are non-reversible and it is mathematically infeasible to find two different files that create the same hash.

  27. Chain of Custody • Chain of custody refers to the documentation of evidence acquisition, control, analysis and disposition of physical and electronic evidence. • The documentation can include paper trails, laboratory information management systems, photographs, etc. • Mechanisms: • Timestamps and hash values • Checklists and notes • Reports

  28. Forensic Soundness • The term forensically sound methods and tools usually refers to the fact that the methods and tools adhere to best practice and legal requirements. • A typical interpretation: • Source data is not altered in any way • Every bit is copied, incl. empty and unavailable space • No data is added to the image.

  29. Order of Volatility (OOV) • Collect the most volatile data first – this increases the possibility to capture data about the incident in question. • BUT: As you capture data in one part of the computer, you’re changing data in another • The Heisenberg Principle of data gathering and system analysis: It’s not simply difficult to gather all the information on a computer, it is essentially impossible.

  30. Order of Volatility: Expected lifetime of data

  31. Dual-tool Verification • Verification of analysis results by independently performing analysis on two or more distinct forensic tools. • The purpose of this principle is to identify human and software errors in order to assure repeatability of results. • The tools should ideally be produced by different organizations/ programmers.

  32. ACPO Principles (ACPO p. 6) • No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court. • In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and to be able to give evidence explaining the relevance and the implications of their actions. • An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same results. • The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

  33. Abstraction Layers • Sleuth Kit Abstraction Layers: • File system layer tools • Data layer tools • Metadata layer tools • Human interface layer • Journal layer • Media management layer • Disk layer (Farmer and Venema, p. 9)

  34. Analysis • Unusual activity stands out, e.g.: • Location in file system • Timestamps (most files are rarely used) • Fossilization of deleted data • Turing test of computer forensic analysis • Digital archaeology vs. geology

  35. Virtualization • Virtualization can be used to perform dynamic testing of evidence and to perform forensic reconstruction experiments. Images of seized evidence can be booted in virtual environments for dynamic analysis. • It is possible to detect the presence of the virtualization environment. This is seen in malware and in proof of concept code (e.g., ”red pill”). • Be careful to isolate the testbed properly, in particular if you suspect that you are dealing with malware!

  36. Crime Scene Reconstructions • Method to determine the most probable hypothesis or sequence of events by applying the scientific method to interpret the events that surround the commission of a crime. • State problem, • form a hypothesis, • collect data, • test hypotheses, • follow up on promising hypotheses, • draw conclusions supported by admissible evidence.

  37. Digital Reconstructions • Digital crime scene reconstructions can be tested experimentally in testbeds: • physical, • virtual, or • simulated.

  38. Investigation Process: Evidence Integrity & Chain of Custody

  39. Our First Toolkit

  40. Acquisition Tools • Acquisition tools are tools for imaging or copying evidence • Focus should always be on preserving evidence integrity. The integrity should be verified after acquisition through the use of hash algorithms. • DD and DCFLDD examples: • dd if=/dev/hda of=/mnt/evidence/hda.dd • dcfldd if=/dev/hda of=/mnt/evidence/hda.dd • Commercial tool examples: • Encase • FTK Imager Lite
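The acquisition tools above (slide 40) and the principles on slides 25 to 28 (evidence integrity, digital fingerprints, chain of custody, forensic soundness) fit together in one small workflow. The following Python script is an added example and is not part of the lecture or of dd/dcfldd: it performs a block-wise, bit-for-bit copy of a constructed in-memory "device" (including its zero-filled unallocated space), fingerprints source and image with several hash algorithms in one pass, checks that sizes and hashes agree, and emits one chain-of-custody record. The sector size, the sample disk contents and the examiner placeholder are assumptions. Computing more than one hash per image is the practical answer to the MD5 weaknesses the project list mentions.

```python
# Added example (not part of the lecture slides): bit-for-bit acquisition of a
# constructed "device", fingerprint verification of the image, and one
# chain-of-custody record. Block size, sample data and names are assumptions.
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK_SIZE = 512  # assumed sector size for the block-wise copy


def constructed_device() -> bytes:
    """Constructed 8-sector 'disk': a boot marker, one live file, the remnant of a
    deleted file and zero-filled unallocated space. Purely synthetic sample data."""
    disk = bytearray(8 * BLOCK_SIZE)
    disk[0:8] = b"DEMOMBR\x00"
    live = b"report.txt: quarterly figures"
    disk[BLOCK_SIZE:BLOCK_SIZE + len(live)] = live
    remnant = b"deleted note (unallocated)"
    disk[5 * BLOCK_SIZE:5 * BLOCK_SIZE + len(remnant)] = remnant
    return bytes(disk)


def fingerprint(stream, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Hash a bit stream (file, partition or disk) block by block. Several algorithms
    are computed in one pass, so a weakness in one of them (the slides mention MD5)
    does not leave the image without a trustworthy fingerprint."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for block in iter(lambda: stream.read(BLOCK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def acquire(source, image) -> int:
    """Bit-for-bit copy in the spirit of `dd if=<source> of=<image>`: every block,
    including zeroed unallocated space, is copied and nothing is added.
    Returns the number of bytes written."""
    copied = 0
    for block in iter(lambda: source.read(BLOCK_SIZE), b""):
        image.write(block)
        copied += len(block)
    return copied


def verify_image(source_bytes: bytes, image_bytes: bytes):
    """Forensic-soundness check: the image must have the same size as the source and
    identical fingerprints under every algorithm. Returns (ok, source_hashes)."""
    src = fingerprint(io.BytesIO(source_bytes))
    img = fingerprint(io.BytesIO(image_bytes))
    return len(source_bytes) == len(image_bytes) and src == img, src


def custody_record(description: str, examiner: str, hashes: dict, size: int) -> dict:
    """One chain-of-custody entry: who did what, when (UTC), and the fingerprints that
    let a later examiner prove the image is still unchanged."""
    return {
        "description": description,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": size,
        "hashes": hashes,
    }


def run_demo():
    """Acquire the constructed device, verify the image and record custody."""
    device = constructed_device()
    image = io.BytesIO()
    copied = acquire(io.BytesIO(device), image)
    ok, hashes = verify_image(device, image.getvalue())
    record = custody_record("constructed demo disk -> demo.dd",
                            "EXAMINER-PLACEHOLDER", hashes, copied)
    return ok, copied, record


if __name__ == "__main__":
    verified, copied, record = run_demo()
    print(f"image verified: {verified}, bytes copied: {copied}")
    print(json.dumps(record, indent=2))
    # A single flipped bit in the image is caught by the fingerprint comparison.
    tampered = bytearray(constructed_device())
    tampered[-1] ^= 0x01
    print("tampered image verified:", verify_image(constructed_device(), bytes(tampered))[0])
```

On a real case the source would be the write-blocked device and the image a file on evidence storage; the record would be appended to the case log together with the checklist and notes from slide 27, and re-verified each time the image changes hands.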

  41. The Coroner’s Toolkit (TCT) • A collection of forensic utilities written by Wietse Venema and Dan Farmer. Released in 2000 on the authors’ web sites. • The toolkit contains tools for post-mortem analysis of compromised systems. • It includes, e.g.: • Grave-robber: data gathering tool • Unrm and lazarus: data recovery tools • Mactime: orders files and directories chronologically according to timestamps
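To show what mactime's chronological ordering (slide 41) gives an examiner, and why timestamps make unusual activity stand out (slide 34), here is an added Python example that is not part of TCT or Sleuth Kit. It parses a few constructed lines in the Sleuth Kit "body" format (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`), merges coinciding timestamps of one file into a single event with mactime-style `macb` flags, sorts the result, and groups events into bursts. The file names, timestamps and the burst window are invented.

```python
# Added example (not part of the lecture slides, TCT or Sleuth Kit): a minimal
# mactime-style timeline from constructed body-file lines, plus a burst finder.
from datetime import datetime, timezone

# Constructed sample in the TSK 3 body format (times are epoch seconds):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_LINES = [
    "0|/home/user/report.txt|1234|r/rrw-r--r--|1000|1000|2048|1285000000|1284900000|1284900000|1284800000",
    "0|/tmp/.hidden/unknown.bin|2048|r/rrwxr-xr-x|0|0|51200|1285052000|1285050000|1285050000|1285050000",
    "0|/etc/passwd|77|r/rrw-r--r--|0|0|1600|1285052010|1285050100|1285050100|1200000000",
]

TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}  # mactime's "macb" letters


def parse_body_line(line: str) -> dict:
    """Split one body line into a dict; raises ValueError on a malformed line."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    md5, name, inode, mode, uid, gid, size = parts[:7]
    times = {field: int(value) for field, value in zip(TIME_FIELDS, parts[7:])}
    return {"md5": md5, "name": name, "inode": inode, "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size), "times": times}


def build_timeline(lines):
    """Turn body lines into (epoch, macb, entry) events sorted by time.
    Timestamps of one file that coincide are merged into one event, as mactime does;
    '.' marks a timestamp type that was not set at that instant. Zero timestamps
    (unknown) are skipped."""
    events = []
    for line in lines:
        entry = parse_body_line(line)
        by_time = {}
        for field, ts in entry["times"].items():
            if ts > 0:
                by_time.setdefault(ts, set()).add(FLAG[field])
        for ts, flags in by_time.items():
            macb = "".join(letter if letter in flags else "." for letter in "macb")
            events.append((ts, macb, entry))
    events.sort(key=lambda ev: (ev[0], ev[2]["name"]))
    return events


def format_timeline(events):
    """Render events in a mactime-like column layout (UTC)."""
    rows = []
    for ts, macb, e in events:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append(f"{when} {e['size']:>8} {macb} {e['mode']} {e['uid']:>5} {e['gid']:>5} "
                    f"{e['inode']:>6} {e['name']}")
    return rows


def find_bursts(events, window_seconds=3600):
    """Group consecutive events that are no more than window_seconds apart.
    A tight burst that touches system files is what the examiner looks at first."""
    bursts = []
    for ev in events:
        if bursts and ev[0] - bursts[-1][-1][0] <= window_seconds:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


if __name__ == "__main__":
    timeline = build_timeline(BODY_LINES)
    print("\n".join(format_timeline(timeline)))
    biggest = max(find_bursts(timeline), key=len)
    print(f"\nlargest burst: {len(biggest)} events touching "
          + ", ".join(sorted({ev[2]["name"] for ev in biggest})))
```

Real body files come from `fls -m` or `ils -m` on an image; the burst finder is a deliberately simple heuristic, and on a real case it is the start of the hypothesis-testing loop from the reconstruction slides, not the conclusion.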

  42. Sleuthkit and Autopsy • Sleuthkit is built on TCT, supports both Unix and Windows platforms, and contains 27 specialized command line tools. • Autopsy is an integrated graphical user interface for Sleuthkit. It supports acquisition, analysis, as well as case management, evidence integrity verification, and logging.

  43. Ubuntu 10.04 • Boot CD to install and run Ubuntu • Forensic tools easily installed: • sudo apt-get install tct • sudo apt-get install sleuthkit • sudo apt-get install autopsy • sudo autopsy

  44. Helix • Boot CD for incident response and digital forensics by e-Fense • http://www.e-fense.com/helix/ • Contains many tools, e.g.: • Autopsy, TCT, SleuthKit, foremost • Wireshark, TCPdump • ClamAV, F-prot, chkrootkit • and more … • No longer free / open source

  45. Virtualization Tools • We need a tool for running virtual hosts: • Mount and analyse image off-line • Snapshots freeze system states and are useful for event chain analysis • Some examples • VMware Workstation – most used tool for forensics • Amazon EC2 – Virtualization in the cloud (not free) • VirtualBox – free version available • Xen – free version available • Virtual PC – free version available • Parallels – for Mac

  46. VMware and VMware Snapshots • VMware emulates a PC and runs virtual guest operating systems such as Windows XP and Linux. • Through the use of VMware snapshots, one can make a tree of system configurations that are based on a common root system (base image). • One can easily revert to a snapshot and make a new branch with a new configuration. • The ”full clone” function can be used to write a full disk image for analysis based on a snapshot.

  47. Summary • Basic Principles: Forensic Science Methodology, Digital Evidence, Evidence Integrity, Cryptographic hashes, Chain of Custody, Order of Volatility, Layers of abstraction, Reconstructions, Virtualization, ACPO • Our First Toolkit: DD and DCFLDD, TCT, Sleuthkit, Autopsy, Ubuntu, VMware

  48. Lab 1
